From c1343b3278cdf99533b7902744d15969f9d6fdc1 Mon Sep 17 00:00:00 2001
From: Yves-Alexis Perez <corsac@debian.org>
Date: Wed, 2 Jan 2013 14:18:20 +0100
Subject: Imported Upstream version 5.0.1

---
 man/Makefile.am          |   2 +
 man/Makefile.in          |  14 +-
 man/ipsec.conf.5         | 676 ++++++++++++++++-------------------------------
 man/ipsec.conf.5.in      | 676 ++++++++++++++++-------------------------------
 man/strongswan.conf.5    | 250 +++++++++++++-----
 man/strongswan.conf.5.in | 250 +++++++++++++-----
 6 files changed, 847 insertions(+), 1021 deletions(-)

(limited to 'man')

diff --git a/man/Makefile.am b/man/Makefile.am
index a74a901b8..ea04303bd 100644
--- a/man/Makefile.am
+++ b/man/Makefile.am
@@ -7,5 +7,7 @@ SUFFIXES = .in
 .in:
 	sed \
 	-e "s:@IPSEC_VERSION@:$(PACKAGE_VERSION):" \
+	-e "s:@DEV_URANDOM@:$(urandom_device):" \
+	-e "s:@DEV_RANDOM@:$(random_device):" \
 	$(srcdir)/$@.in > $@
 
diff --git a/man/Makefile.in b/man/Makefile.in
index a38cf70ba..b1c54dcd1 100644
--- a/man/Makefile.in
+++ b/man/Makefile.in
@@ -49,6 +49,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
+CONFIG_HEADER = $(top_builddir)/config.h
 CONFIG_CLEAN_FILES =
 CONFIG_CLEAN_VPATH_FILES =
 SOURCES =
@@ -87,6 +88,7 @@ AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
 AUTOMAKE = @AUTOMAKE@
 AWK = @AWK@
+BFDLIB = @BFDLIB@
 BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
@@ -181,11 +183,14 @@ build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
 c_plugins = @c_plugins@
+charon_natt_port = @charon_natt_port@
+charon_plugins = @charon_plugins@
+charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
-default_pkcs11 = @default_pkcs11@
+dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
@@ -202,11 +207,12 @@ imcvdir = @imcvdir@
 includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
+ipsec_script = @ipsec_script@
+ipsec_script_upper = @ipsec_script_upper@
 ipsecdir = @ipsecdir@
 ipsecgroup = @ipsecgroup@
 ipseclibdir = @ipseclibdir@
 ipsecuser = @ipsecuser@
-libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
 linux_headers = @linux_headers@
@@ -222,6 +228,7 @@ mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
+nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
 p_plugins = @p_plugins@
@@ -231,7 +238,6 @@ pdfdir = @pdfdir@
 piddir = @piddir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
-pluto_plugins = @pluto_plugins@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
@@ -510,6 +516,8 @@ uninstall-man: uninstall-man5
 .in:
 	sed \
 	-e "s:@IPSEC_VERSION@:$(PACKAGE_VERSION):" \
+	-e "s:@DEV_URANDOM@:$(urandom_device):" \
+	-e "s:@DEV_RANDOM@:$(random_device):" \
 	$(srcdir)/$@.in > $@
 
 # Tell versions [3.59,3.63) of GNU make to not export all variables.
diff --git a/man/ipsec.conf.5 b/man/ipsec.conf.5
index 0a7f8bfe5..83ebc223c 100644
--- a/man/ipsec.conf.5
+++ b/man/ipsec.conf.5
@@ -1,4 +1,4 @@
-.TH IPSEC.CONF 5 "2011-12-14" "4.6.4" "strongSwan"
+.TH IPSEC.CONF 5 "2012-06-26" "5.0.1rc1" "strongSwan"
 .SH NAME
 ipsec.conf \- IPsec configuration and connections
 .SH DESCRIPTION
@@ -172,9 +172,9 @@ keying, rekeying, and general control.
 The path to control the connection is called 'ISAKMP SA' in IKEv1
 and 'IKE SA' in the IKEv2 protocol. That what is being negotiated, the kernel
 level data path, is called 'IPsec SA' or 'Child SA'.
-strongSwan currently uses two separate keying daemons. \fIpluto\fP handles
-all IKEv1 connections, \fIcharon\fP is the daemon handling the IKEv2
-protocol.
+strongSwan previously used two separate keying daemons, \fIpluto\fP and
+\fIcharon\fP. This manual does not discuss \fIpluto\fP options anymore, but
+only \fIcharon\fP that since strongSwan 5.0 supports both IKEv1 and IKEv2.
 .PP
 To avoid trivial editing of the configuration file to suit it to each system
 involved in a connection,
@@ -233,21 +233,14 @@ defines the identity of the AAA backend used during IKEv2 EAP authentication.
 This is required if the EAP client uses a method that verifies the server
 identity (such as EAP-TLS), but it does not match the IKEv2 gateway identity.
 .TP
+.BR aggressive " = yes | " no
+whether to use IKEv1 Aggressive or Main Mode (the default).
+.TP
 .BR also " = <name>"
 includes conn section
 .BR <name> .
 .TP
-.BR auth " = " esp " | ah"
-whether authentication should be done as part of
-ESP encryption, or separately using the AH protocol;
-acceptable values are
-.B esp
-(the default) and
-.BR ah .
-.br
-The IKEv2 daemon currently supports ESP only.
-.TP
-.BR authby " = " pubkey " | rsasig | ecdsasig | psk | eap | never | xauth..."
+.BR authby " = " pubkey " | rsasig | ecdsasig | psk | secret | never | xauthpsk | xauthrsasig"
 how the two security gateways should authenticate each other;
 acceptable values are
 .B psk
@@ -268,17 +261,12 @@ IKEv1 additionally supports the values
 .B xauthpsk
 and
 .B xauthrsasig
-that will enable eXtended Authentication (XAuth) in addition to IKEv1 main mode
-based on shared secrets  or digital RSA signatures, respectively.
-IKEv2 additionally supports the value
-.BR eap ,
-which indicates an initiator to request EAP authentication. The EAP method
-to use is selected by the server (see
-.BR eap ).
-This parameter is deprecated for IKEv2 connections, as two peers do not need
-to agree on an authentication method. Use the
+that will enable eXtended AUTHentication (XAUTH) in addition to IKEv1 main mode
+based on shared secrets or digital RSA signatures, respectively.
+This parameter is deprecated, as two peers do not need to agree on an
+authentication method in IKEv2. Use the
 .B leftauth
-parameter instead to define authentication methods in IKEv2.
+parameter instead to define authentication methods.
 .TP
 .BR auto " = " ignore " | add | route | start"
 what operation, if any, should be done automatically at IPsec startup;
@@ -295,18 +283,25 @@ loads a connection without starting it.
 loads a connection and installs kernel traps. If traffic is detected between
 .B leftsubnet
 and
-.B rightsubnet
-, a connection is established.
+.BR rightsubnet ,
+a connection is established.
 .B start
 loads a connection and brings it up immediately.
 .B ignore
-ignores the connection. This is equal to delete a connection from the config
+ignores the connection. This is equal to deleting a connection from the config
 file.
-Relevant only locally, other end need not agree on it
-(but in general, for an intended-to-be-permanent connection,
-both ends should use
-.B auto=start
-to ensure that any reboot causes immediate renegotiation).
+Relevant only locally, other end need not agree on it.
+.TP
+.BR closeaction " = " none " | clear | hold | restart"
+defines the action to take if the remote peer unexpectedly closes a CHILD_SA
+(see
+.B dpdaction
+for meaning of values).
+A
+.B closeaction should not be
+used if the peer uses reauthentication or uniquids checking, as these events
+might trigger the defined action when not desired. Currently not supported with
+IKEv1.
 .TP
 .BR compress " = yes | " no
 whether IPComp compression of content is proposed on the connection
@@ -318,12 +313,11 @@ and
 .B no
 (the default). A value of
 .B yes
-causes IPsec to propose both compressed and uncompressed,
+causes the daemon to propose both compressed and uncompressed,
 and prefer compressed.
 A value of
 .B no
-prevents IPsec from proposing compression;
-a proposal to compress will still be accepted.
+prevents the daemon from proposing or accepting compression.
 .TP
 .BR dpdaction " = " none " | clear | hold | restart"
 controls the use of the Dead Peer Detection protocol (DPD, RFC 3706) where
@@ -341,16 +335,9 @@ put in the hold state
 .RB ( hold )
 or restarted
 .RB ( restart ).
-For IKEv1, the default is
-.B none
-which disables the active sending of R_U_THERE notifications.
-Nevertheless pluto will always send the DPD Vendor ID during connection set up
-in order to signal the readiness to act passively as a responder if the peer
-wants to use DPD. For IKEv2,
+The default is
 .B none
-does't make sense, since all messages are used to detect dead peers. If specified,
-it has the same meaning as the default
-.RB ( clear ).
+which disables the active sending of DPD messages.
 .TP
 .BR dpddelay " = " 30s " | <time>"
 defines the period time interval with which R_U_THERE messages/INFORMATIONAL
@@ -359,58 +346,17 @@ received. In IKEv2, a value of 0 sends no additional INFORMATIONAL
 messages and uses only standard messages (such as those to rekey) to detect
 dead peers.
 .TP
-.BR dpdtimeout " = " 150s " | <time>"
+.BR dpdtimeout " = " 150s " | <time>
 defines the timeout interval, after which all connections to a peer are deleted
 in case of inactivity. This only applies to IKEv1, in IKEv2 the default
 retransmission timeout applies, as every exchange is used to detect dead peers.
-See
-.IR strongswan.conf (5)
-for a description of the IKEv2 retransmission timeout.
-.TP
-.BR closeaction " = " none " | clear | hold | restart"
-defines the action to take if the remote peer unexpectedly closes a CHILD_SA
-(IKEv2 only, see dpdaction for meaning of values). A closeaction should not be
-used if the peer uses reauthentication or uniquids checking, as these events
-might trigger a closeaction when not desired.
 .TP
 .BR inactivity " = <time>"
 defines the timeout interval, after which a CHILD_SA is closed if it did
-not send or receive any traffic. Currently supported in IKEv2 connections only.
-.TP
-.BR eap " = aka | ... | radius | ... | <type> | <type>-<vendor>
-defines the EAP type to propose as server if the client requests EAP
-authentication. Currently supported values are
-.B aka
-for EAP-AKA,
-.B gtc
-for EAP-GTC,
-.B md5
-for EAP-MD5,
-.B mschapv2
-for EAP-MS-CHAPv2,
-.B peap
-for EAP-PEAPv0,
-.B radius
-for the EAP-RADIUS proxy,
-.B sim
-for EAP-SIM,
-.B tls
-for EAP-TLS, and
-.B ttls
-for EAP-TTLSv0.
-Additionally, IANA assigned EAP method numbers are accepted, or a
-definition in the form
-.B eap=type-vendor
-(e.g. eap=7-12345) can be used to specify vendor specific EAP types.
-This parameter is deprecated in the favour of
-.B leftauth.
-
-To forward EAP authentication to a RADIUS server using the EAP-RADIUS plugin,
-set
-.BR eap=radius .
+not send or receive any traffic.
 .TP
 .BR eap_identity " = <id>"
-defines the identity the client uses to reply to a EAP Identity request.
+defines the identity the client uses to reply to an EAP Identity request.
 If defined on the EAP server, the defined identity will be used as peer
 identity during EAP authentication. The special value
 .B %identity
@@ -425,15 +371,15 @@ The notation is
 .BR encryption-integrity[-dhgroup][-esnmode] .
 .br
 Defaults to
-.BR aes128-sha1,3des-sha1
-for IKEv1.  The IKEv2 daemon adds its extensive default proposal to this default
+.BR aes128-sha1,3des-sha1 .
+The daemon adds its extensive default proposal to this default
 or the configured value.  To restrict it to the configured proposal an
 exclamation mark
 .RB ( ! )
 can be added at the end.
 .br
 .BR Note :
-As a responder both daemons accept the first supported proposal received from
+As a responder the daemon accepts the first supported proposal received from
 the peer. In order to restrict a responder to only accept specific cipher
 suites, the strict flag
 .RB ( ! ,
@@ -441,8 +387,8 @@ exclamation mark) can be used, e.g: aes256-sha512-modp4096!
 .br
 If
 .B dh-group
-is specified, CHILD_SA setup and rekeying include a separate Diffie-Hellman
-exchange (IKEv2 only).  Valid values for
+is specified, CHILD_SA/Quick Mode setup and rekeying include a separate
+Diffie-Hellman exchange.  Valid values for
 .B esnmode
 (IKEv2 only) are
 .B esn
@@ -455,7 +401,7 @@ the default is
 .BR forceencaps " = yes | " no
 force UDP encapsulation for ESP packets even if no NAT situation is detected.
 This may help to surmount restrictive firewalls. In order to force the peer to
-encapsulate packets, NAT detection payloads are faked (IKEv2 only).
+encapsulate packets, NAT detection payloads are faked.
 .TP
 .BR ike " = <cipher suites>"
 comma-separated list of IKE/ISAKMP SA encryption/authentication algorithms
@@ -467,18 +413,18 @@ In IKEv2, multiple algorithms and proposals may be included, such as
 aes128-aes256-sha1-modp1536-modp2048,3des-sha1-md5-modp1024.
 .br
 Defaults to
-.B aes128-sha1-modp2048,3des-sha1-modp1536
-for IKEv1.  The IKEv2 daemon adds its extensive default proposal to this
+.BR aes128-sha1-modp2048,3des-sha1-modp1536 .
+The daemon adds its extensive default proposal to this
 default or the configured value.  To restrict it to the configured proposal an
 exclamation mark
 .RB ( ! )
 can be added at the end.
 .br
 .BR Note :
-As a responder both daemons accept the first supported proposal received from
+As a responder the daemon accepts the first supported proposal received from
 the peer.  In order to restrict a responder to only accept specific cipher
 suites, the strict flag
-.BR ( ! ,
+.RB ( ! ,
 exclamation mark) can be used, e.g: aes256-sha512-modp4096!
 .TP
 .BR ikelifetime " = " 3h " | <time>"
@@ -486,8 +432,8 @@ how long the keying channel of a connection (ISAKMP or IKE SA)
 should last before being renegotiated. Also see EXPIRY/REKEY below.
 .TP
 .BR installpolicy " = " yes " | no"
-decides whether IPsec policies are installed in the kernel by the IKEv2
-charon daemon for a given connection. Allows peaceful cooperation e.g. with
+decides whether IPsec policies are installed in the kernel by the charon daemon
+for a given connection. Allows peaceful cooperation e.g. with
 the Mobile IPv6 daemon mip6d who wants to control the kernel policies.
 Acceptable values are
 .B yes
@@ -495,21 +441,10 @@ Acceptable values are
 .BR no .
 .TP
 .BR keyexchange " = " ike " | ikev1 | ikev2"
-method of key exchange;
-which protocol should be used to initialize the connection. Connections marked with
-.B ikev1
-are initiated with pluto, those marked with
-.B ikev2
-with charon. An incoming request from the remote peer is handled by the correct
-daemon, unaffected from the
-.B keyexchange
-setting. Starting with strongSwan 4.5 the default value
+which key exchange protocol should be used to initiate the connection.
+Connections marked with
 .B ike
-is a synonym for
-.BR ikev2 ,
-whereas in older strongSwan releases
-.B ikev1
-was assumed.
+use IKEv2 when initiating, but accept any protocol version when responding.
 .TP
 .BR keyingtries " = " 3 " | <number> | %forever"
 how many attempts (a whole number or \fB%forever\fP) should be made to
@@ -524,45 +459,23 @@ Relevant only locally, other end need not agree on it.
 synonym for
 .BR lifetime .
 .TP
-.BR left " = <ip address> | <fqdn> | %defaultroute | " %any
+.BR left " = <ip address> | <fqdn> | " %any
 (required)
 the IP address of the left participant's public-network interface
 or one of several magic values.
-If it is
-.BR %defaultroute ,
-.B left
-will be filled in automatically with the local address
-of the default-route interface (as determined at IPsec startup time and
-during configuration update).
-Either
-.B left
-or
-.B right
-may be
-.BR %defaultroute ,
-but not both.
-The prefix
-.B  %
-in front of a fully-qualified domain name or an IP address will implicitly set
-.B leftallowany=yes.
-If the domain name cannot be resolved into an IP address at IPsec startup or
-update time then
-.B left=%any
-and
-.B leftallowany=no
-will be assumed.
-
-In case of an IKEv2 connection, the value
+The value
 .B %any
-for the local endpoint signifies an address to be filled in (by automatic
-keying) during negotiation. If the local peer initiates the connection setup
-the routing table will be queried to determine the correct local IP address.
+(the default) for the local endpoint signifies an address to be filled in (by
+automatic keying) during negotiation. If the local peer initiates the
+connection setup the routing table will be queried to determine the correct
+local IP address.
 In case the local peer is responding to a connection setup then any IP address
 that is assigned to a local interface will be accepted.
-.br
-Note that specifying
-.B %any
-for the local endpoint is not supported by the IKEv1 pluto daemon.
+
+The prefix
+.B %
+in front of a fully-qualified domain name or an IP address will implicitly set
+.BR leftallowany =yes.
 
 If
 .B %any
@@ -574,35 +487,37 @@ is used in that case.
 .TP
 .BR leftallowany " = yes | " no
 a modifier for
-.B left
-, making it behave as
+.BR left ,
+making it behave as
 .B %any
-although a concrete IP address has been assigned.
-Recommended for dynamic IP addresses that can be resolved by DynDNS at IPsec
-startup or update time.
-Acceptable values are
-.B yes
-and
-.B no
-(the default).
+although a concrete IP address or domain name has been assigned.
 .TP
 .BR leftauth " = <auth method>"
 Authentication method to use locally (left) or require from the remote (right)
 side.
-This parameter is supported in IKEv2 only. Acceptable values are
+Acceptable values are
 .B pubkey
 for public key authentication (RSA/ECDSA),
 .B psk
-for pre-shared key authentication and
+for pre-shared key authentication,
 .B eap
-to (require the) use of the Extensible Authentication Protocol.
+to (require the) use of the Extensible Authentication Protocol in IKEv2, and
+.B xauth
+for IKEv1 eXtended Authentication.
 To require a trustchain public key strength for the remote side, specify the
-key type followed by the strength in bits (for example
-.BR rsa-2048
+key type followed by the minimum strength in bits (for example
+.BR ecdsa-384
 or
-.BR ecdsa-256 ).
+.BR rsa-2048-ecdsa-256 ).
+To limit the acceptable set of hashing algorithms for trustchain validation,
+append hash algorithms to
+.BR pubkey
+or a key strength definition (for example
+.BR pubkey-sha1-sha256
+or
+.BR rsa-2048-ecdsa-256-sha256-sha384-sha512 ).
 For
-.B eap,
+.BR eap ,
 an optional EAP method can be appended. Currently defined methods are
 .BR eap-aka ,
 .BR eap-gtc ,
@@ -611,25 +526,41 @@ an optional EAP method can be appended. Currently defined methods are
 .BR eap-peap ,
 .BR eap-sim ,
 .BR eap-tls ,
+.BR eap-ttls ,
+.BR eap-dynamic ,
 and
-.BR eap-ttls .
+.BR eap-radius .
 Alternatively, IANA assigned EAP method numbers are accepted. Vendor specific
 EAP methods are defined in the form
 .B eap-type-vendor
 .RB "(e.g. " eap-7-12345 ).
+For
+.B xauth,
+an XAuth authentication backend can be specified, such as
+.B xauth-generic
+or
+.BR xauth-eap .
+If XAuth is used in
+.BR leftauth ,
+Hybrid authentication is used. For traditional XAuth authentication, define
+XAuth in
+.BR lefauth2 .
 .TP
 .BR leftauth2 " = <auth method>"
 Same as
 .BR leftauth ,
-but defines an additional authentication exchange. IKEv2 supports multiple
+but defines an additional authentication exchange. In IKEv1, only XAuth can be
+used in the second authentication round. IKEv2 supports multiple complete
 authentication rounds using "Multiple Authentication Exchanges" defined
-in RFC4739. This allows, for example, separated authentication
-of host and user (IKEv2 only).
+in RFC 4739. This allows, for example, separated authentication
+of host and user.
 .TP
 .BR leftca " = <issuer dn> | %same"
 the distinguished name of a certificate authority which is required to
 lie in the trust path going from the left participant's certificate up
 to the root certification authority.
+.B %same
+means that the value configured for the right participant should be reused.
 .TP
 .BR leftca2 " = <issuer dn> | %same"
 Same as
@@ -644,9 +575,7 @@ are accepted. By default
 .B leftcert
 sets
 .B leftid
-to the distinguished name of the certificate's subject and
-.B leftca
-to the distinguished name of the certificate's issuer.
+to the distinguished name of the certificate's subject.
 The left participant's ID can be overridden by specifying a
 .B leftid
 value which must be certified by the certificate, though.
@@ -657,8 +586,17 @@ Same as
 but for the second authentication round (IKEv2 only).
 .TP
 .BR leftcertpolicy " = <OIDs>"
-Comma separated list of certificate policy OIDs the peers certificate must have.
-OIDs are specified using the numerical dotted representation (IKEv2 only).
+Comma separated list of certificate policy OIDs the peer's certificate must
+have.
+OIDs are specified using the numerical dotted representation.
+.TP
+.BR leftdns " = <servers>"
+Comma separated list of DNS server addresses to exchange as configuration
+attributes. On the initiator, a server is a fixed IPv4/IPv6 address, or
+.BR %config4 / %config6
+to request attributes without an address. On the responder,
+only fixed IPv4/IPv6 addresses are allowed and define DNS servers assigned
+to the client.
 .TP
 .BR leftfirewall " = yes | " no
 whether the left participant is doing forwarding-firewalling
@@ -683,8 +621,7 @@ tunnels established with IPsec are exempted from it
 so that packets can flow unchanged through the tunnels.
 (This means that all subnets connected in this manner must have
 distinct, non-overlapping subnet address blocks.)
-This is done by the default \fBipsec _updown\fR script (see
-.IR pluto (8)).
+This is done by the default \fBipsec _updown\fR script.
 
 In situations calling for more control,
 it may be preferable for the user to supply his own
@@ -696,12 +633,13 @@ which makes the appropriate adjustments for his system.
 a comma separated list of group names. If the
 .B leftgroups
 parameter is present then the peer must be a member of at least one
-of the groups defined by the parameter. Group membership must be certified
-by a valid attribute certificate stored in \fI/etc/ipsec.d/acerts/\fP thas has
-been issued to the peer by a trusted Authorization Authority stored in
-\fI/etc/ipsec.d/aacerts/\fP.
-.br
-Attribute certificates are not supported in IKEv2 yet.
+of the groups defined by the parameter.
+.TP
+.BR leftgroups2 " = <group list>"
+Same as
+.B leftgroups,
+but for the second authentication round defined with
+.B leftauth2.
 .TP
 .BR lefthostaccess " = yes | " no
 inserts a pair of INPUT and OUTPUT iptables rules using the default
@@ -717,10 +655,25 @@ and
 .BR leftid " = <id>"
 how the left participant should be identified for authentication;
 defaults to
-.BR left .
-Can be an IP address or a fully-qualified domain name preceded by
-.B @
-(which is used as a literal string and not resolved).
+.B left
+or the subject of the certificate configured with
+.BR leftcert .
+Can be an IP address, a fully-qualified domain name, an email address, or
+a keyid. If
+.B leftcert
+is configured the identity has to be confirmed by the certificate.
+
+For IKEv2 and
+.B rightid
+the prefix
+.B %
+in front of the identity prevents the daemon from sending IDr in its IKE_AUTH
+request and will allow it to verify the configured identity against the subject
+and subjectAltNames contained in the responder's certificate (otherwise it is
+only compared with the IDr returned by the responder).  The IDr sent by the
+initiator might otherwise prevent the responder from finding a config if it
+has configured a different value for
+.BR leftid .
 .TP
 .BR leftid2 " = <id>"
 identity to use for a second authentication for the left participant
@@ -728,19 +681,11 @@ identity to use for a second authentication for the left participant
 .BR leftid .
 .TP
 .BR leftikeport " = <port>"
-UDP port the left participant uses for IKE communication. Currently supported in
-IKEv2 connections only. If unspecified, port 500 is used with the port floating
+UDP port the left participant uses for IKE communication.
+If unspecified, port 500 is used with the port floating
 to 4500 if a NAT is detected or MOBIKE is enabled. Specifying a local IKE port
 different from the default additionally requires a socket implementation that
-listens to this port.
-.TP
-.BR leftnexthop " = %direct | %defaultroute | <ip address> | <fqdn>"
-this parameter is usually not needed any more because the NETKEY IPsec stack
-does not require explicit routing entries for the traffic to be tunneled. If
-.B leftsourceip
-is used with IKEv1 then
-.B leftnexthop
-must still be set in order for the source routes to work properly.
+listens on this port.
 .TP
 .BR leftprotoport " = <protocol>/<port>"
 restrict the traffic selector to a single protocol and/or port.
@@ -750,29 +695,19 @@ or
 .B leftprotoport=6/80
 or
 .B leftprotoport=udp
-.TP
-.BR leftrsasigkey " = " %cert " | <raw rsa public key>"
-the left participant's
-public key for RSA signature authentication,
-in RFC 2537 format using
-.IR ttodata (3)
-encoding.
-The magic value
-.B %none
-means the same as not specifying a value (useful to override a default).
-The value
-.B %cert
-(the default)
-means that the key is extracted from a certificate.
-The identity used for the left participant
-must be a specific host, not
+or
+.BR leftprotoport=/53 .
+Instead of omitting either value
 .B %any
-or another magic value.
-.B Caution:
-if two connection descriptions
-specify different public keys for the same
-.BR leftid ,
-confusion and madness will ensue.
+can be used to the same effect, e.g.
+.B leftprotoport=udp/%any
+or
+.BR leftprotoport=%any/53 .
+.TP
+.BR leftrsasigkey " = <raw rsa public key> | <path to public key>"
+the left participant's public key for RSA signature authentication, in RFC 2537
+format using hex (0x prefix) or base64 (0s prefix) encoding. Also accepted is
+the path to a file containing the public key in PEM or DER encoding.
 .TP
 .BR leftsendcert " = never | no | " ifasked " | always | yes"
 Accepted values are
@@ -787,20 +722,25 @@ and
 the latter meaning that the peer must send a certificate request payload in
 order to get a certificate in return.
 .TP
-.BR leftsourceip " = %config | %cfg | %modeconfig | %modecfg | <ip address>"
-The internal source IP to use in a tunnel, also known as virtual IP. If the
-value is one of the synonyms
+.BR leftsourceip " = %config4 | %config6 | <ip address>"
+Comma separated list of internal source IPs to use in a tunnel, also known as
+virtual IP. If the value is one of the synonyms
 .BR %config ,
 .BR %cfg ,
 .BR %modeconfig ,
 or
 .BR %modecfg ,
-an address is requested from the peer. In IKEv2, a statically defined address
-is also requested, since the server may change it.
+an address (from the tunnel address family) is requested from the peer. With
+.B %config4
+and
+.B %config6
+an address of the given address family will be requested explicitly.
+If an IP address is configured, it will be requested from the responder,
+which is free to respond with a different address.
 .TP
 .BR rightsourceip " = %config | <network>/<netmask> | %poolname"
-The internal source IP to use in a tunnel for the remote peer. If the
-value is
+Comma separated list of internal source IPs to use in a tunnel for the remote
+peer. If the value is
 .B %config
 on the responder side, the initiator must propose an address which is then
 echoed back. Also supported are address pools expressed as
@@ -813,16 +753,12 @@ private subnet behind the left participant, expressed as
 \fInetwork\fB/\fInetmask\fR;
 if omitted, essentially assumed to be \fIleft\fB/32\fR,
 signifying that the left end of the connection goes to the left participant
-only. When using IKEv2, the configured subnet of the peers may differ, the
-protocol narrows it to the greatest common subnet. Further, IKEv2 supports
-multiple subnets separated by commas. IKEv1 only interprets the first subnet
-of such a definition.
-.TP
-.BR leftsubnetwithin " = <ip subnet>"
-the peer can propose any subnet or single IP address that fits within the
-range defined by
-.BR leftsubnetwithin.
-Not relevant for IKEv2, as subnets are narrowed.
+only. Configured subnets of the peers may differ, the protocol narrows it to
+the greatest common subnet. In IKEv1, this may lead to problems with other
+implementations, make sure to configure identical subnets in such
+configurations. IKEv2 supports multiple subnets separated by commas. IKEv1 only
+interprets the first subnet of such a definition, unless the Cisco Unity
+extension plugin is enabled.
 .TP
 .BR leftupdown " = <path>"
 what ``updown'' script to run to adjust routing and/or firewalling
@@ -832,20 +768,15 @@ changes (default
 May include positional parameters separated by white space
 (although this requires enclosing the whole string in quotes);
 including shell metacharacters is unwise.
-See
-.IR pluto (8)
-for details.
-Relevant only locally, other end need not agree on it. IKEv2 uses the updown
+Relevant only locally, other end need not agree on it. Charon uses the updown
 script to insert firewall rules only, since routing has been implemented
-directly into charon.
+directly into the daemon.
 .TP
 .BR lifebytes " = <number>"
-the number of bytes transmitted over an IPsec SA before it expires (IKEv2
-only).
+the number of bytes transmitted over an IPsec SA before it expires.
 .TP
 .BR lifepackets " = <number>"
-the number of packets transmitted over an IPsec SA before it expires (IKEv2
-only).
+the number of packets transmitted over an IPsec SA before it expires.
 .TP
 .BR lifetime " = " 1h " | <time>"
 how long a particular instance of a connection
@@ -877,12 +808,12 @@ which thinks the lifetime is longer. Also see EXPIRY/REKEY below.
 .BR marginbytes " = <number>"
 how many bytes before IPsec SA expiry (see
 .BR lifebytes )
-should attempts to negotiate a replacement begin (IKEv2 only).
+should attempts to negotiate a replacement begin.
 .TP
 .BR marginpackets " = <number>"
 how many packets before IPsec SA expiry (see
 .BR lifepackets )
-should attempts to negotiate a replacement begin (IKEv2 only).
+should attempts to negotiate a replacement begin.
 .TP
 .BR margintime " = " 9m " | <time>"
 how long before connection expiry or keying-channel expiry
@@ -921,7 +852,7 @@ enables the IKEv2 MOBIKE protocol defined by RFC 4555. Accepted values are
 .BR no .
 If set to
 .BR no ,
-the IKEv2 charon daemon will not actively propose MOBIKE as initiator and
+the charon daemon will not actively propose MOBIKE as initiator and
 ignore the MOBIKE_SUPPORTED notify as responder.
 .TP
 .BR modeconfig " = push | " pull
@@ -931,29 +862,8 @@ Accepted values are
 and
 .B pull
 (the default).
-Currently relevant for IKEv1 only since IKEv2 always uses the configuration
-payload in pull mode. Cisco VPN gateways usually operate in
-.B push
-mode.
-.TP
-.BR pfs " = " yes " | no"
-whether Perfect Forward Secrecy of keys is desired on the connection's
-keying channel
-(with PFS, penetration of the key-exchange protocol
-does not compromise keys negotiated earlier);
-acceptable values are
-.B yes
-(the default)
-and
-.BR no.
-IKEv2 always uses PFS for IKE_SA rekeying whereas for CHILD_SA rekeying
-PFS is enforced by defining a Diffie-Hellman modp group in the
-.B esp
-parameter.
-.TP
-.BR pfsgroup " = <modp group>"
-defines a Diffie-Hellman group for perfect forward secrecy in IKEv1 Quick Mode
-differing from the DH group used for IKEv1 Main Mode (IKEv1 only).
+Push mode is currently not supported in charon, hence this parameter has no
+effect.
 .TP
 .BR reauth " = " yes " | no"
 whether rekeying of an IKE_SA should also reauthenticate the peer. In IKEv1,
@@ -973,11 +883,12 @@ and
 .BR no .
 The two ends need not agree, but while a value of
 .B no
-prevents pluto/charon from requesting renegotiation,
+prevents charon from requesting renegotiation,
 it does not prevent responding to renegotiation requested from the other end,
 so
 .B no
-will be largely ineffective unless both ends agree on it.
+will be largely ineffective unless both ends agree on it. Also see
+.BR reauth .
 .TP
 .BR rekeyfuzz " = " 100% " | <percentage>"
 maximum percentage by which
@@ -1035,11 +946,7 @@ signifying the special Mobile IPv6 transport proxy mode;
 .BR passthrough ,
 signifying that no IPsec processing should be done at all;
 .BR drop ,
-signifying that packets should be discarded; and
-.BR reject ,
-signifying that packets should be discarded and a diagnostic ICMP returned
-.RB ( reject
-is currently not supported by the NETKEY stack of the Linux 2.6 kernel).
+signifying that packets should be discarded.
 .TP
 .BR xauth " = " client " | server"
 specifies the role in the XAuth protocol if activated by
@@ -1116,8 +1023,6 @@ synonym for
 .BR crluri2 " = <uri>"
 defines an alternative CRL distribution point (ldap, http, or file URI)
 .TP
-.BR ldaphost " = <hostname>"
-defines an ldap host. Currently used by IKEv1 only.
 .TP
 .BR ocspuri " = <uri>"
 defines an OCSP URI.
@@ -1127,11 +1032,11 @@ synonym for
 .B ocspuri.
 .TP
 .BR ocspuri2 " = <uri>"
-defines an alternative OCSP URI. Currently used by IKEv2 only.
+defines an alternative OCSP URI.
 .TP
 .BR certuribase " = <uri>"
 defines the base URI for the Hash and URL feature supported by IKEv2.
-Instead of exchanging complete certificates, IKEv2 allows to send an URI
+Instead of exchanging complete certificates, IKEv2 allows one to send an URI
 that resolves to the DER encoded certificate. The certificate URIs are built
 by appending the SHA1 hash of the DER encoded certificates to this base URI.
 .SH "CONFIG SECTIONS"
@@ -1140,48 +1045,34 @@ At present, the only
 section known to the IPsec software is the one named
 .BR setup ,
 which contains information used when the software is being started.
-Here's an example:
-.PP
-.ne 8
-.nf
-.ft B
-.ta 1c
-config setup
-	plutodebug=all
-	crlcheckinterval=10m
-	strictcrlpolicy=yes
-.ft
-.fi
-.PP
-Parameters are optional unless marked ``(required)''.
 The currently-accepted
 .I parameter
 names in a
 .B config
 .B setup
-section affecting both daemons are:
+section are:
 .TP
 .BR cachecrls " = yes | " no
-certificate revocation lists (CRLs) fetched via http or ldap will be cached in
-\fI/etc/ipsec.d/crls/\fR under a unique file name derived from the certification
-authority's public key.
-Accepted values are
-.B yes
-and
-.B no
-(the default). Only relevant for IKEv1, as CRLs are always cached in IKEv2.
-.TP
-.BR charonstart " = " yes " | no"
-whether to start the IKEv2 charon daemon or not.
-The default is
-.B yes
-if starter was compiled with IKEv2 support.
+if enabled, certificate revocation lists (CRLs) fetched via HTTP or LDAP will
+be cached in
+.I /etc/ipsec.d/crls/
+under a unique file name derived from the certification authority's public key.
 .TP
-.BR plutostart " = " yes " | no"
-whether to start the IKEv1 pluto daemon or not.
-The default is
-.B yes
-if starter was compiled with IKEv1 support.
+.BR charondebug " = <debug list>"
+how much charon debugging output should be logged.
+A comma separated list containing type/level-pairs may
+be specified, e.g:
+.B dmn 3, ike 1, net -1.
+Acceptable values for types are
+.B dmn, mgr, ike, chd, job, cfg, knl, net, asn, enc, lib, esp, tls,
+.B tnc, imc, imv, pts
+and the level is one of
+.B -1, 0, 1, 2, 3, 4
+(for silent, audit, control, controlmore, raw, private).  By default, the level
+is set to
+.B 1
+for all types.  For more flexibility see LOGGER CONFIGURATION in
+.IR strongswan.conf (5).
 .TP
 .BR strictcrlpolicy " = yes | ifuri | " no
 defines if a fresh CRL must be available in order for the peer authentication
@@ -1194,146 +1085,35 @@ if at least one CRL URI is defined and to
 .B no
 if no URI is known.
 .TP
-.BR uniqueids " = " yes " | no | replace | keep"
+.BR uniqueids " = " yes " | no | never | replace | keep"
 whether a particular participant ID should be kept unique,
-with any new (automatically keyed)
-connection using an ID from a different IP address
-deemed to replace all old ones using that ID;
+with any new IKE_SA using an ID deemed to replace all old ones using that ID;
 acceptable values are
 .B yes
-(the default)
+(the default),
+.B no
 and
-.BR no .
-Participant IDs normally \fIare\fR unique,
-so a new (automatically-keyed) connection using the same ID is
-almost invariably intended to replace an old one.
-The IKEv2 daemon also accepts the value
+.BR never .
+Participant IDs normally \fIare\fR unique, so a new IKE_SA using the same ID is
+almost invariably intended to replace an old one. The difference between
+.B no
+and
+.B never
+is that the daemon will replace old IKE_SAs when receiving an INITIAL_CONTACT
+notify if the option is
+.B no
+but will ignore these notifies if
+.B never
+is configured.
+The daemon also accepts the value
 .B replace
 which is identical to
 .B yes
 and the value
 .B keep
 to reject new IKE_SA setups and keep the duplicate established earlier.
-.PP
-The following
-.B config section
-parameters are used by the IKEv1 Pluto daemon only:
-.TP
-.BR crlcheckinterval " = " 0s " | <time>"
-interval in seconds. CRL fetching is enabled if the value is greater than zero.
-Asynchronous, periodic checking for fresh CRLs is currently done by the
-IKEv1 Pluto daemon only.
-.TP
-.BR keep_alive " = " 20s " | <time>"
-interval in seconds between NAT keep alive packets, the default being 20 seconds.
-.TP
-.BR nat_traversal " = yes | " no
-activates NAT traversal by accepting source ISAKMP ports different from udp/500 and
-being able of floating to udp/4500 if a NAT situation is detected.
-Accepted values are
-.B yes
-and
-.B no
-(the default).
-Used by IKEv1 only, NAT traversal is always being active in IKEv2.
-.TP
-.BR nocrsend " = yes | " no
-no certificate request payloads will be sent.
-.TP
-.BR pkcs11initargs " = <args>"
-non-standard argument string for PKCS#11 C_Initialize() function;
-required by NSS softoken.
-.TP
-.BR pkcs11module " = <args>"
-defines the path to a dynamically loadable PKCS #11 library.
-.TP
-.BR pkcs11keepstate " = yes | " no
-PKCS #11 login sessions will be kept during the whole lifetime of the keying
-daemon. Useful with pin-pad smart card readers.
-Accepted values are
-.B yes
-and
-.B no
-(the default).
-.TP
-.BR pkcs11proxy " = yes | " no
-Pluto will act as a PKCS #11 proxy accessible via the whack interface.
-Accepted values are
-.B yes
-and
-.B no
-(the default).
-.TP
-.BR plutodebug " = " none " | <debug list> | all"
-how much pluto debugging output should be logged.
-An empty value,
-or the magic value
-.BR none ,
-means no debugging output (the default).
-The magic value
-.B all
-means full output.
-Otherwise only the specified types of output
-(a quoted list, names without the
-.B \-\-debug\-
-prefix,
-separated by white space) are enabled;
-for details on available debugging types, see
-.IR pluto (8).
-.TP
-.BR plutostderrlog " = <file>"
-Pluto will not use syslog, but rather log to stderr, and redirect stderr
-to <file>.
-.TP
-.BR postpluto " = <command>"
-shell command to run after starting pluto
-(e.g., to remove a decrypted copy of the
-.I ipsec.secrets
-file).
-It's run in a very simple way;
-complexities like I/O redirection are best hidden within a script.
-Any output is redirected for logging,
-so running interactive commands is difficult unless they use
-.I /dev/tty
-or equivalent for their interaction.
-Default is none.
-.TP
-.BR prepluto " = <command>"
-shell command to run before starting pluto
-(e.g., to decrypt an encrypted copy of the
-.I ipsec.secrets
-file).
-It's run in a very simple way;
-complexities like I/O redirection are best hidden within a script.
-Any output is redirected for logging,
-so running interactive commands is difficult unless they use
-.I /dev/tty
-or equivalent for their interaction.
-Default is none.
-.TP
-.BR virtual_private " = <networks>"
-defines private networks using a wildcard notation.
-.PP
-The following
-.B config section
-parameters are used by the IKEv2 charon daemon only:
-.TP
-.BR charondebug " = <debug list>"
-how much charon debugging output should be logged.
-A comma separated list containing type/level-pairs may
-be specified, e.g:
-.B dmn 3, ike 1, net -1.
-Acceptable values for types are
-.B dmn, mgr, ike, chd, job, cfg, knl, net, asn, enc, lib, tls, tnc, imc, imv, pts
-and the level is one of
-.B -1, 0, 1, 2, 3, 4
-(for silent, audit, control, controlmore, raw, private).  By default, the level
-is set to
-.B 1
-for all types.  For more flexibility see LOGGER CONFIGURATION in
-.IR strongswan.conf (5).
 
-.SH IKEv2 EXPIRY/REKEY
+.SH SA EXPIRY/REKEY
 The IKE SAs and IPsec SAs negotiated by the daemon can be configured to expire
 after a specific amount of time. For IPsec SAs this can also happen after a
 specified number of transmitted packets or transmitted bytes. The following
@@ -1419,12 +1199,8 @@ time equals zero and, thus, rekeying gets disabled.
 /etc/ipsec.d/crls
 
 .SH SEE ALSO
-strongswan.conf(5), ipsec.secrets(5), ipsec(8), pluto(8)
+strongswan.conf(5), ipsec.secrets(5), ipsec(8)
 .SH HISTORY
 Originally written for the FreeS/WAN project by Henry Spencer.
 Updated and extended for the strongSwan project <http://www.strongswan.org> by
 Tobias Brunner, Andreas Steffen and Martin Willi.
-.SH BUGS
-.PP
-If conns are to be added before DNS is available, \fBleft=\fP\fIFQDN\fP
-will fail.
diff --git a/man/ipsec.conf.5.in b/man/ipsec.conf.5.in
index ab255304d..f4d7ed1d6 100644
--- a/man/ipsec.conf.5.in
+++ b/man/ipsec.conf.5.in
@@ -1,4 +1,4 @@
-.TH IPSEC.CONF 5 "2011-12-14" "@IPSEC_VERSION@" "strongSwan"
+.TH IPSEC.CONF 5 "2012-06-26" "@IPSEC_VERSION@" "strongSwan"
 .SH NAME
 ipsec.conf \- IPsec configuration and connections
 .SH DESCRIPTION
@@ -172,9 +172,9 @@ keying, rekeying, and general control.
 The path to control the connection is called 'ISAKMP SA' in IKEv1
 and 'IKE SA' in the IKEv2 protocol. That what is being negotiated, the kernel
 level data path, is called 'IPsec SA' or 'Child SA'.
-strongSwan currently uses two separate keying daemons. \fIpluto\fP handles
-all IKEv1 connections, \fIcharon\fP is the daemon handling the IKEv2
-protocol.
+strongSwan previously used two separate keying daemons, \fIpluto\fP and
+\fIcharon\fP. This manual does not discuss \fIpluto\fP options anymore, but
+only \fIcharon\fP that since strongSwan 5.0 supports both IKEv1 and IKEv2.
 .PP
 To avoid trivial editing of the configuration file to suit it to each system
 involved in a connection,
@@ -233,21 +233,14 @@ defines the identity of the AAA backend used during IKEv2 EAP authentication.
 This is required if the EAP client uses a method that verifies the server
 identity (such as EAP-TLS), but it does not match the IKEv2 gateway identity.
 .TP
+.BR aggressive " = yes | " no
+whether to use IKEv1 Aggressive or Main Mode (the default).
+.TP
 .BR also " = <name>"
 includes conn section
 .BR <name> .
 .TP
-.BR auth " = " esp " | ah"
-whether authentication should be done as part of
-ESP encryption, or separately using the AH protocol;
-acceptable values are
-.B esp
-(the default) and
-.BR ah .
-.br
-The IKEv2 daemon currently supports ESP only.
-.TP
-.BR authby " = " pubkey " | rsasig | ecdsasig | psk | eap | never | xauth..."
+.BR authby " = " pubkey " | rsasig | ecdsasig | psk | secret | never | xauthpsk | xauthrsasig"
 how the two security gateways should authenticate each other;
 acceptable values are
 .B psk
@@ -268,17 +261,12 @@ IKEv1 additionally supports the values
 .B xauthpsk
 and
 .B xauthrsasig
-that will enable eXtended Authentication (XAuth) in addition to IKEv1 main mode
-based on shared secrets  or digital RSA signatures, respectively.
-IKEv2 additionally supports the value
-.BR eap ,
-which indicates an initiator to request EAP authentication. The EAP method
-to use is selected by the server (see
-.BR eap ).
-This parameter is deprecated for IKEv2 connections, as two peers do not need
-to agree on an authentication method. Use the
+that will enable eXtended AUTHentication (XAUTH) in addition to IKEv1 main mode
+based on shared secrets or digital RSA signatures, respectively.
+This parameter is deprecated, as two peers do not need to agree on an
+authentication method in IKEv2. Use the
 .B leftauth
-parameter instead to define authentication methods in IKEv2.
+parameter instead to define authentication methods.
 .TP
 .BR auto " = " ignore " | add | route | start"
 what operation, if any, should be done automatically at IPsec startup;
@@ -295,18 +283,25 @@ loads a connection without starting it.
 loads a connection and installs kernel traps. If traffic is detected between
 .B leftsubnet
 and
-.B rightsubnet
-, a connection is established.
+.BR rightsubnet ,
+a connection is established.
 .B start
 loads a connection and brings it up immediately.
 .B ignore
-ignores the connection. This is equal to delete a connection from the config
+ignores the connection. This is equal to deleting a connection from the config
 file.
-Relevant only locally, other end need not agree on it
-(but in general, for an intended-to-be-permanent connection,
-both ends should use
-.B auto=start
-to ensure that any reboot causes immediate renegotiation).
+Relevant only locally, other end need not agree on it.
+.TP
+.BR closeaction " = " none " | clear | hold | restart"
+defines the action to take if the remote peer unexpectedly closes a CHILD_SA
+(see
+.B dpdaction
+for meaning of values).
+A
+.B closeaction should not be
+used if the peer uses reauthentication or uniquids checking, as these events
+might trigger the defined action when not desired. Currently not supported with
+IKEv1.
 .TP
 .BR compress " = yes | " no
 whether IPComp compression of content is proposed on the connection
@@ -318,12 +313,11 @@ and
 .B no
 (the default). A value of
 .B yes
-causes IPsec to propose both compressed and uncompressed,
+causes the daemon to propose both compressed and uncompressed,
 and prefer compressed.
 A value of
 .B no
-prevents IPsec from proposing compression;
-a proposal to compress will still be accepted.
+prevents the daemon from proposing or accepting compression.
 .TP
 .BR dpdaction " = " none " | clear | hold | restart"
 controls the use of the Dead Peer Detection protocol (DPD, RFC 3706) where
@@ -341,16 +335,9 @@ put in the hold state
 .RB ( hold )
 or restarted
 .RB ( restart ).
-For IKEv1, the default is
-.B none
-which disables the active sending of R_U_THERE notifications.
-Nevertheless pluto will always send the DPD Vendor ID during connection set up
-in order to signal the readiness to act passively as a responder if the peer
-wants to use DPD. For IKEv2,
+The default is
 .B none
-does't make sense, since all messages are used to detect dead peers. If specified,
-it has the same meaning as the default
-.RB ( clear ).
+which disables the active sending of DPD messages.
 .TP
 .BR dpddelay " = " 30s " | <time>"
 defines the period time interval with which R_U_THERE messages/INFORMATIONAL
@@ -359,58 +346,17 @@ received. In IKEv2, a value of 0 sends no additional INFORMATIONAL
 messages and uses only standard messages (such as those to rekey) to detect
 dead peers.
 .TP
-.BR dpdtimeout " = " 150s " | <time>"
+.BR dpdtimeout " = " 150s " | <time>
 defines the timeout interval, after which all connections to a peer are deleted
 in case of inactivity. This only applies to IKEv1, in IKEv2 the default
 retransmission timeout applies, as every exchange is used to detect dead peers.
-See
-.IR strongswan.conf (5)
-for a description of the IKEv2 retransmission timeout.
-.TP
-.BR closeaction " = " none " | clear | hold | restart"
-defines the action to take if the remote peer unexpectedly closes a CHILD_SA
-(IKEv2 only, see dpdaction for meaning of values). A closeaction should not be
-used if the peer uses reauthentication or uniquids checking, as these events
-might trigger a closeaction when not desired.
 .TP
 .BR inactivity " = <time>"
 defines the timeout interval, after which a CHILD_SA is closed if it did
-not send or receive any traffic. Currently supported in IKEv2 connections only.
-.TP
-.BR eap " = aka | ... | radius | ... | <type> | <type>-<vendor>
-defines the EAP type to propose as server if the client requests EAP
-authentication. Currently supported values are
-.B aka
-for EAP-AKA,
-.B gtc
-for EAP-GTC,
-.B md5
-for EAP-MD5,
-.B mschapv2
-for EAP-MS-CHAPv2,
-.B peap
-for EAP-PEAPv0,
-.B radius
-for the EAP-RADIUS proxy,
-.B sim
-for EAP-SIM,
-.B tls
-for EAP-TLS, and
-.B ttls
-for EAP-TTLSv0.
-Additionally, IANA assigned EAP method numbers are accepted, or a
-definition in the form
-.B eap=type-vendor
-(e.g. eap=7-12345) can be used to specify vendor specific EAP types.
-This parameter is deprecated in the favour of
-.B leftauth.
-
-To forward EAP authentication to a RADIUS server using the EAP-RADIUS plugin,
-set
-.BR eap=radius .
+not send or receive any traffic.
 .TP
 .BR eap_identity " = <id>"
-defines the identity the client uses to reply to a EAP Identity request.
+defines the identity the client uses to reply to an EAP Identity request.
 If defined on the EAP server, the defined identity will be used as peer
 identity during EAP authentication. The special value
 .B %identity
@@ -425,15 +371,15 @@ The notation is
 .BR encryption-integrity[-dhgroup][-esnmode] .
 .br
 Defaults to
-.BR aes128-sha1,3des-sha1
-for IKEv1.  The IKEv2 daemon adds its extensive default proposal to this default
+.BR aes128-sha1,3des-sha1 .
+The daemon adds its extensive default proposal to this default
 or the configured value.  To restrict it to the configured proposal an
 exclamation mark
 .RB ( ! )
 can be added at the end.
 .br
 .BR Note :
-As a responder both daemons accept the first supported proposal received from
+As a responder the daemon accepts the first supported proposal received from
 the peer. In order to restrict a responder to only accept specific cipher
 suites, the strict flag
 .RB ( ! ,
@@ -441,8 +387,8 @@ exclamation mark) can be used, e.g: aes256-sha512-modp4096!
 .br
 If
 .B dh-group
-is specified, CHILD_SA setup and rekeying include a separate Diffie-Hellman
-exchange (IKEv2 only).  Valid values for
+is specified, CHILD_SA/Quick Mode setup and rekeying include a separate
+Diffie-Hellman exchange.  Valid values for
 .B esnmode
 (IKEv2 only) are
 .B esn
@@ -455,7 +401,7 @@ the default is
 .BR forceencaps " = yes | " no
 force UDP encapsulation for ESP packets even if no NAT situation is detected.
 This may help to surmount restrictive firewalls. In order to force the peer to
-encapsulate packets, NAT detection payloads are faked (IKEv2 only).
+encapsulate packets, NAT detection payloads are faked.
 .TP
 .BR ike " = <cipher suites>"
 comma-separated list of IKE/ISAKMP SA encryption/authentication algorithms
@@ -467,18 +413,18 @@ In IKEv2, multiple algorithms and proposals may be included, such as
 aes128-aes256-sha1-modp1536-modp2048,3des-sha1-md5-modp1024.
 .br
 Defaults to
-.B aes128-sha1-modp2048,3des-sha1-modp1536
-for IKEv1.  The IKEv2 daemon adds its extensive default proposal to this
+.BR aes128-sha1-modp2048,3des-sha1-modp1536 .
+The daemon adds its extensive default proposal to this
 default or the configured value.  To restrict it to the configured proposal an
 exclamation mark
 .RB ( ! )
 can be added at the end.
 .br
 .BR Note :
-As a responder both daemons accept the first supported proposal received from
+As a responder the daemon accepts the first supported proposal received from
 the peer.  In order to restrict a responder to only accept specific cipher
 suites, the strict flag
-.BR ( ! ,
+.RB ( ! ,
 exclamation mark) can be used, e.g: aes256-sha512-modp4096!
 .TP
 .BR ikelifetime " = " 3h " | <time>"
@@ -486,8 +432,8 @@ how long the keying channel of a connection (ISAKMP or IKE SA)
 should last before being renegotiated. Also see EXPIRY/REKEY below.
 .TP
 .BR installpolicy " = " yes " | no"
-decides whether IPsec policies are installed in the kernel by the IKEv2
-charon daemon for a given connection. Allows peaceful cooperation e.g. with
+decides whether IPsec policies are installed in the kernel by the charon daemon
+for a given connection. Allows peaceful cooperation e.g. with
 the Mobile IPv6 daemon mip6d who wants to control the kernel policies.
 Acceptable values are
 .B yes
@@ -495,21 +441,10 @@ Acceptable values are
 .BR no .
 .TP
 .BR keyexchange " = " ike " | ikev1 | ikev2"
-method of key exchange;
-which protocol should be used to initialize the connection. Connections marked with
-.B ikev1
-are initiated with pluto, those marked with
-.B ikev2
-with charon. An incoming request from the remote peer is handled by the correct
-daemon, unaffected from the
-.B keyexchange
-setting. Starting with strongSwan 4.5 the default value
+which key exchange protocol should be used to initiate the connection.
+Connections marked with
 .B ike
-is a synonym for
-.BR ikev2 ,
-whereas in older strongSwan releases
-.B ikev1
-was assumed.
+use IKEv2 when initiating, but accept any protocol version when responding.
 .TP
 .BR keyingtries " = " 3 " | <number> | %forever"
 how many attempts (a whole number or \fB%forever\fP) should be made to
@@ -524,45 +459,23 @@ Relevant only locally, other end need not agree on it.
 synonym for
 .BR lifetime .
 .TP
-.BR left " = <ip address> | <fqdn> | %defaultroute | " %any
+.BR left " = <ip address> | <fqdn> | " %any
 (required)
 the IP address of the left participant's public-network interface
 or one of several magic values.
-If it is
-.BR %defaultroute ,
-.B left
-will be filled in automatically with the local address
-of the default-route interface (as determined at IPsec startup time and
-during configuration update).
-Either
-.B left
-or
-.B right
-may be
-.BR %defaultroute ,
-but not both.
-The prefix
-.B  %
-in front of a fully-qualified domain name or an IP address will implicitly set
-.B leftallowany=yes.
-If the domain name cannot be resolved into an IP address at IPsec startup or
-update time then
-.B left=%any
-and
-.B leftallowany=no
-will be assumed.
-
-In case of an IKEv2 connection, the value
+The value
 .B %any
-for the local endpoint signifies an address to be filled in (by automatic
-keying) during negotiation. If the local peer initiates the connection setup
-the routing table will be queried to determine the correct local IP address.
+(the default) for the local endpoint signifies an address to be filled in (by
+automatic keying) during negotiation. If the local peer initiates the
+connection setup the routing table will be queried to determine the correct
+local IP address.
 In case the local peer is responding to a connection setup then any IP address
 that is assigned to a local interface will be accepted.
-.br
-Note that specifying
-.B %any
-for the local endpoint is not supported by the IKEv1 pluto daemon.
+
+The prefix
+.B %
+in front of a fully-qualified domain name or an IP address will implicitly set
+.BR leftallowany =yes.
 
 If
 .B %any
@@ -574,35 +487,37 @@ is used in that case.
 .TP
 .BR leftallowany " = yes | " no
 a modifier for
-.B left
-, making it behave as
+.BR left ,
+making it behave as
 .B %any
-although a concrete IP address has been assigned.
-Recommended for dynamic IP addresses that can be resolved by DynDNS at IPsec
-startup or update time.
-Acceptable values are
-.B yes
-and
-.B no
-(the default).
+although a concrete IP address or domain name has been assigned.
 .TP
 .BR leftauth " = <auth method>"
 Authentication method to use locally (left) or require from the remote (right)
 side.
-This parameter is supported in IKEv2 only. Acceptable values are
+Acceptable values are
 .B pubkey
 for public key authentication (RSA/ECDSA),
 .B psk
-for pre-shared key authentication and
+for pre-shared key authentication,
 .B eap
-to (require the) use of the Extensible Authentication Protocol.
+to (require the) use of the Extensible Authentication Protocol in IKEv2, and
+.B xauth
+for IKEv1 eXtended Authentication.
 To require a trustchain public key strength for the remote side, specify the
-key type followed by the strength in bits (for example
-.BR rsa-2048
+key type followed by the minimum strength in bits (for example
+.BR ecdsa-384
 or
-.BR ecdsa-256 ).
+.BR rsa-2048-ecdsa-256 ).
+To limit the acceptable set of hashing algorithms for trustchain validation,
+append hash algorithms to
+.BR pubkey
+or a key strength definition (for example
+.BR pubkey-sha1-sha256
+or
+.BR rsa-2048-ecdsa-256-sha256-sha384-sha512 ).
 For
-.B eap,
+.BR eap ,
 an optional EAP method can be appended. Currently defined methods are
 .BR eap-aka ,
 .BR eap-gtc ,
@@ -611,25 +526,41 @@ an optional EAP method can be appended. Currently defined methods are
 .BR eap-peap ,
 .BR eap-sim ,
 .BR eap-tls ,
+.BR eap-ttls ,
+.BR eap-dynamic ,
 and
-.BR eap-ttls .
+.BR eap-radius .
 Alternatively, IANA assigned EAP method numbers are accepted. Vendor specific
 EAP methods are defined in the form
 .B eap-type-vendor
 .RB "(e.g. " eap-7-12345 ).
+For
+.B xauth,
+an XAuth authentication backend can be specified, such as
+.B xauth-generic
+or
+.BR xauth-eap .
+If XAuth is used in
+.BR leftauth ,
+Hybrid authentication is used. For traditional XAuth authentication, define
+XAuth in
+.BR lefauth2 .
 .TP
 .BR leftauth2 " = <auth method>"
 Same as
 .BR leftauth ,
-but defines an additional authentication exchange. IKEv2 supports multiple
+but defines an additional authentication exchange. In IKEv1, only XAuth can be
+used in the second authentication round. IKEv2 supports multiple complete
 authentication rounds using "Multiple Authentication Exchanges" defined
-in RFC4739. This allows, for example, separated authentication
-of host and user (IKEv2 only).
+in RFC 4739. This allows, for example, separated authentication
+of host and user.
 .TP
 .BR leftca " = <issuer dn> | %same"
 the distinguished name of a certificate authority which is required to
 lie in the trust path going from the left participant's certificate up
 to the root certification authority.
+.B %same
+means that the value configured for the right participant should be reused.
 .TP
 .BR leftca2 " = <issuer dn> | %same"
 Same as
@@ -644,9 +575,7 @@ are accepted. By default
 .B leftcert
 sets
 .B leftid
-to the distinguished name of the certificate's subject and
-.B leftca
-to the distinguished name of the certificate's issuer.
+to the distinguished name of the certificate's subject.
 The left participant's ID can be overridden by specifying a
 .B leftid
 value which must be certified by the certificate, though.
@@ -657,8 +586,17 @@ Same as
 but for the second authentication round (IKEv2 only).
 .TP
 .BR leftcertpolicy " = <OIDs>"
-Comma separated list of certificate policy OIDs the peers certificate must have.
-OIDs are specified using the numerical dotted representation (IKEv2 only).
+Comma separated list of certificate policy OIDs the peer's certificate must
+have.
+OIDs are specified using the numerical dotted representation.
+.TP
+.BR leftdns " = <servers>"
+Comma separated list of DNS server addresses to exchange as configuration
+attributes. On the initiator, a server is a fixed IPv4/IPv6 address, or
+.BR %config4 / %config6
+to request attributes without an address. On the responder,
+only fixed IPv4/IPv6 addresses are allowed and define DNS servers assigned
+to the client.
 .TP
 .BR leftfirewall " = yes | " no
 whether the left participant is doing forwarding-firewalling
@@ -683,8 +621,7 @@ tunnels established with IPsec are exempted from it
 so that packets can flow unchanged through the tunnels.
 (This means that all subnets connected in this manner must have
 distinct, non-overlapping subnet address blocks.)
-This is done by the default \fBipsec _updown\fR script (see
-.IR pluto (8)).
+This is done by the default \fBipsec _updown\fR script.
 
 In situations calling for more control,
 it may be preferable for the user to supply his own
@@ -696,12 +633,13 @@ which makes the appropriate adjustments for his system.
 a comma separated list of group names. If the
 .B leftgroups
 parameter is present then the peer must be a member of at least one
-of the groups defined by the parameter. Group membership must be certified
-by a valid attribute certificate stored in \fI/etc/ipsec.d/acerts/\fP thas has
-been issued to the peer by a trusted Authorization Authority stored in
-\fI/etc/ipsec.d/aacerts/\fP.
-.br
-Attribute certificates are not supported in IKEv2 yet.
+of the groups defined by the parameter.
+.TP
+.BR leftgroups2 " = <group list>"
+Same as
+.B leftgroups,
+but for the second authentication round defined with
+.B leftauth2.
 .TP
 .BR lefthostaccess " = yes | " no
 inserts a pair of INPUT and OUTPUT iptables rules using the default
@@ -717,10 +655,25 @@ and
 .BR leftid " = <id>"
 how the left participant should be identified for authentication;
 defaults to
-.BR left .
-Can be an IP address or a fully-qualified domain name preceded by
-.B @
-(which is used as a literal string and not resolved).
+.B left
+or the subject of the certificate configured with
+.BR leftcert .
+Can be an IP address, a fully-qualified domain name, an email address, or
+a keyid. If
+.B leftcert
+is configured the identity has to be confirmed by the certificate.
+
+For IKEv2 and
+.B rightid
+the prefix
+.B %
+in front of the identity prevents the daemon from sending IDr in its IKE_AUTH
+request and will allow it to verify the configured identity against the subject
+and subjectAltNames contained in the responder's certificate (otherwise it is
+only compared with the IDr returned by the responder).  The IDr sent by the
+initiator might otherwise prevent the responder from finding a config if it
+has configured a different value for
+.BR leftid .
 .TP
 .BR leftid2 " = <id>"
 identity to use for a second authentication for the left participant
@@ -728,19 +681,11 @@ identity to use for a second authentication for the left participant
 .BR leftid .
 .TP
 .BR leftikeport " = <port>"
-UDP port the left participant uses for IKE communication. Currently supported in
-IKEv2 connections only. If unspecified, port 500 is used with the port floating
+UDP port the left participant uses for IKE communication.
+If unspecified, port 500 is used with the port floating
 to 4500 if a NAT is detected or MOBIKE is enabled. Specifying a local IKE port
 different from the default additionally requires a socket implementation that
-listens to this port.
-.TP
-.BR leftnexthop " = %direct | %defaultroute | <ip address> | <fqdn>"
-this parameter is usually not needed any more because the NETKEY IPsec stack
-does not require explicit routing entries for the traffic to be tunneled. If
-.B leftsourceip
-is used with IKEv1 then
-.B leftnexthop
-must still be set in order for the source routes to work properly.
+listens on this port.
 .TP
 .BR leftprotoport " = <protocol>/<port>"
 restrict the traffic selector to a single protocol and/or port.
@@ -750,29 +695,19 @@ or
 .B leftprotoport=6/80
 or
 .B leftprotoport=udp
-.TP
-.BR leftrsasigkey " = " %cert " | <raw rsa public key>"
-the left participant's
-public key for RSA signature authentication,
-in RFC 2537 format using
-.IR ttodata (3)
-encoding.
-The magic value
-.B %none
-means the same as not specifying a value (useful to override a default).
-The value
-.B %cert
-(the default)
-means that the key is extracted from a certificate.
-The identity used for the left participant
-must be a specific host, not
+or
+.BR leftprotoport=/53 .
+Instead of omitting either value
 .B %any
-or another magic value.
-.B Caution:
-if two connection descriptions
-specify different public keys for the same
-.BR leftid ,
-confusion and madness will ensue.
+can be used to the same effect, e.g.
+.B leftprotoport=udp/%any
+or
+.BR leftprotoport=%any/53 .
+.TP
+.BR leftrsasigkey " = <raw rsa public key> | <path to public key>"
+the left participant's public key for RSA signature authentication, in RFC 2537
+format using hex (0x prefix) or base64 (0s prefix) encoding. Also accepted is
+the path to a file containing the public key in PEM or DER encoding.
 .TP
 .BR leftsendcert " = never | no | " ifasked " | always | yes"
 Accepted values are
@@ -787,20 +722,25 @@ and
 the latter meaning that the peer must send a certificate request payload in
 order to get a certificate in return.
 .TP
-.BR leftsourceip " = %config | %cfg | %modeconfig | %modecfg | <ip address>"
-The internal source IP to use in a tunnel, also known as virtual IP. If the
-value is one of the synonyms
+.BR leftsourceip " = %config4 | %config6 | <ip address>"
+Comma separated list of internal source IPs to use in a tunnel, also known as
+virtual IP. If the value is one of the synonyms
 .BR %config ,
 .BR %cfg ,
 .BR %modeconfig ,
 or
 .BR %modecfg ,
-an address is requested from the peer. In IKEv2, a statically defined address
-is also requested, since the server may change it.
+an address (from the tunnel address family) is requested from the peer. With
+.B %config4
+and
+.B %config6
+an address of the given address family will be requested explicitly.
+If an IP address is configured, it will be requested from the responder,
+which is free to respond with a different address.
 .TP
 .BR rightsourceip " = %config | <network>/<netmask> | %poolname"
-The internal source IP to use in a tunnel for the remote peer. If the
-value is
+Comma separated list of internal source IPs to use in a tunnel for the remote
+peer. If the value is
 .B %config
 on the responder side, the initiator must propose an address which is then
 echoed back. Also supported are address pools expressed as
@@ -813,16 +753,12 @@ private subnet behind the left participant, expressed as
 \fInetwork\fB/\fInetmask\fR;
 if omitted, essentially assumed to be \fIleft\fB/32\fR,
 signifying that the left end of the connection goes to the left participant
-only. When using IKEv2, the configured subnet of the peers may differ, the
-protocol narrows it to the greatest common subnet. Further, IKEv2 supports
-multiple subnets separated by commas. IKEv1 only interprets the first subnet
-of such a definition.
-.TP
-.BR leftsubnetwithin " = <ip subnet>"
-the peer can propose any subnet or single IP address that fits within the
-range defined by
-.BR leftsubnetwithin.
-Not relevant for IKEv2, as subnets are narrowed.
+only. Configured subnets of the peers may differ, the protocol narrows it to
+the greatest common subnet. In IKEv1, this may lead to problems with other
+implementations, make sure to configure identical subnets in such
+configurations. IKEv2 supports multiple subnets separated by commas. IKEv1 only
+interprets the first subnet of such a definition, unless the Cisco Unity
+extension plugin is enabled.
 .TP
 .BR leftupdown " = <path>"
 what ``updown'' script to run to adjust routing and/or firewalling
@@ -832,20 +768,15 @@ changes (default
 May include positional parameters separated by white space
 (although this requires enclosing the whole string in quotes);
 including shell metacharacters is unwise.
-See
-.IR pluto (8)
-for details.
-Relevant only locally, other end need not agree on it. IKEv2 uses the updown
+Relevant only locally, other end need not agree on it. Charon uses the updown
 script to insert firewall rules only, since routing has been implemented
-directly into charon.
+directly into the daemon.
 .TP
 .BR lifebytes " = <number>"
-the number of bytes transmitted over an IPsec SA before it expires (IKEv2
-only).
+the number of bytes transmitted over an IPsec SA before it expires.
 .TP
 .BR lifepackets " = <number>"
-the number of packets transmitted over an IPsec SA before it expires (IKEv2
-only).
+the number of packets transmitted over an IPsec SA before it expires.
 .TP
 .BR lifetime " = " 1h " | <time>"
 how long a particular instance of a connection
@@ -877,12 +808,12 @@ which thinks the lifetime is longer. Also see EXPIRY/REKEY below.
 .BR marginbytes " = <number>"
 how many bytes before IPsec SA expiry (see
 .BR lifebytes )
-should attempts to negotiate a replacement begin (IKEv2 only).
+should attempts to negotiate a replacement begin.
 .TP
 .BR marginpackets " = <number>"
 how many packets before IPsec SA expiry (see
 .BR lifepackets )
-should attempts to negotiate a replacement begin (IKEv2 only).
+should attempts to negotiate a replacement begin.
 .TP
 .BR margintime " = " 9m " | <time>"
 how long before connection expiry or keying-channel expiry
@@ -921,7 +852,7 @@ enables the IKEv2 MOBIKE protocol defined by RFC 4555. Accepted values are
 .BR no .
 If set to
 .BR no ,
-the IKEv2 charon daemon will not actively propose MOBIKE as initiator and
+the charon daemon will not actively propose MOBIKE as initiator and
 ignore the MOBIKE_SUPPORTED notify as responder.
 .TP
 .BR modeconfig " = push | " pull
@@ -931,29 +862,8 @@ Accepted values are
 and
 .B pull
 (the default).
-Currently relevant for IKEv1 only since IKEv2 always uses the configuration
-payload in pull mode. Cisco VPN gateways usually operate in
-.B push
-mode.
-.TP
-.BR pfs " = " yes " | no"
-whether Perfect Forward Secrecy of keys is desired on the connection's
-keying channel
-(with PFS, penetration of the key-exchange protocol
-does not compromise keys negotiated earlier);
-acceptable values are
-.B yes
-(the default)
-and
-.BR no.
-IKEv2 always uses PFS for IKE_SA rekeying whereas for CHILD_SA rekeying
-PFS is enforced by defining a Diffie-Hellman modp group in the
-.B esp
-parameter.
-.TP
-.BR pfsgroup " = <modp group>"
-defines a Diffie-Hellman group for perfect forward secrecy in IKEv1 Quick Mode
-differing from the DH group used for IKEv1 Main Mode (IKEv1 only).
+Push mode is currently not supported in charon, hence this parameter has no
+effect.
 .TP
 .BR reauth " = " yes " | no"
 whether rekeying of an IKE_SA should also reauthenticate the peer. In IKEv1,
@@ -973,11 +883,12 @@ and
 .BR no .
 The two ends need not agree, but while a value of
 .B no
-prevents pluto/charon from requesting renegotiation,
+prevents charon from requesting renegotiation,
 it does not prevent responding to renegotiation requested from the other end,
 so
 .B no
-will be largely ineffective unless both ends agree on it.
+will be largely ineffective unless both ends agree on it. Also see
+.BR reauth .
 .TP
 .BR rekeyfuzz " = " 100% " | <percentage>"
 maximum percentage by which
@@ -1035,11 +946,7 @@ signifying the special Mobile IPv6 transport proxy mode;
 .BR passthrough ,
 signifying that no IPsec processing should be done at all;
 .BR drop ,
-signifying that packets should be discarded; and
-.BR reject ,
-signifying that packets should be discarded and a diagnostic ICMP returned
-.RB ( reject
-is currently not supported by the NETKEY stack of the Linux 2.6 kernel).
+signifying that packets should be discarded.
 .TP
 .BR xauth " = " client " | server"
 specifies the role in the XAuth protocol if activated by
@@ -1116,8 +1023,6 @@ synonym for
 .BR crluri2 " = <uri>"
 defines an alternative CRL distribution point (ldap, http, or file URI)
 .TP
-.BR ldaphost " = <hostname>"
-defines an ldap host. Currently used by IKEv1 only.
 .TP
 .BR ocspuri " = <uri>"
 defines an OCSP URI.
@@ -1127,11 +1032,11 @@ synonym for
 .B ocspuri.
 .TP
 .BR ocspuri2 " = <uri>"
-defines an alternative OCSP URI. Currently used by IKEv2 only.
+defines an alternative OCSP URI.
 .TP
 .BR certuribase " = <uri>"
 defines the base URI for the Hash and URL feature supported by IKEv2.
-Instead of exchanging complete certificates, IKEv2 allows to send an URI
+Instead of exchanging complete certificates, IKEv2 allows one to send an URI
 that resolves to the DER encoded certificate. The certificate URIs are built
 by appending the SHA1 hash of the DER encoded certificates to this base URI.
 .SH "CONFIG SECTIONS"
@@ -1140,48 +1045,34 @@ At present, the only
 section known to the IPsec software is the one named
 .BR setup ,
 which contains information used when the software is being started.
-Here's an example:
-.PP
-.ne 8
-.nf
-.ft B
-.ta 1c
-config setup
-	plutodebug=all
-	crlcheckinterval=10m
-	strictcrlpolicy=yes
-.ft
-.fi
-.PP
-Parameters are optional unless marked ``(required)''.
 The currently-accepted
 .I parameter
 names in a
 .B config
 .B setup
-section affecting both daemons are:
+section are:
 .TP
 .BR cachecrls " = yes | " no
-certificate revocation lists (CRLs) fetched via http or ldap will be cached in
-\fI/etc/ipsec.d/crls/\fR under a unique file name derived from the certification
-authority's public key.
-Accepted values are
-.B yes
-and
-.B no
-(the default). Only relevant for IKEv1, as CRLs are always cached in IKEv2.
-.TP
-.BR charonstart " = " yes " | no"
-whether to start the IKEv2 charon daemon or not.
-The default is
-.B yes
-if starter was compiled with IKEv2 support.
+if enabled, certificate revocation lists (CRLs) fetched via HTTP or LDAP will
+be cached in
+.I /etc/ipsec.d/crls/
+under a unique file name derived from the certification authority's public key.
 .TP
-.BR plutostart " = " yes " | no"
-whether to start the IKEv1 pluto daemon or not.
-The default is
-.B yes
-if starter was compiled with IKEv1 support.
+.BR charondebug " = <debug list>"
+how much charon debugging output should be logged.
+A comma separated list containing type/level-pairs may
+be specified, e.g:
+.B dmn 3, ike 1, net -1.
+Acceptable values for types are
+.B dmn, mgr, ike, chd, job, cfg, knl, net, asn, enc, lib, esp, tls,
+.B tnc, imc, imv, pts
+and the level is one of
+.B -1, 0, 1, 2, 3, 4
+(for silent, audit, control, controlmore, raw, private).  By default, the level
+is set to
+.B 1
+for all types.  For more flexibility see LOGGER CONFIGURATION in
+.IR strongswan.conf (5).
 .TP
 .BR strictcrlpolicy " = yes | ifuri | " no
 defines if a fresh CRL must be available in order for the peer authentication
@@ -1194,146 +1085,35 @@ if at least one CRL URI is defined and to
 .B no
 if no URI is known.
 .TP
-.BR uniqueids " = " yes " | no | replace | keep"
+.BR uniqueids " = " yes " | no | never | replace | keep"
 whether a particular participant ID should be kept unique,
-with any new (automatically keyed)
-connection using an ID from a different IP address
-deemed to replace all old ones using that ID;
+with any new IKE_SA using an ID deemed to replace all old ones using that ID;
 acceptable values are
 .B yes
-(the default)
+(the default),
+.B no
 and
-.BR no .
-Participant IDs normally \fIare\fR unique,
-so a new (automatically-keyed) connection using the same ID is
-almost invariably intended to replace an old one.
-The IKEv2 daemon also accepts the value
+.BR never .
+Participant IDs normally \fIare\fR unique, so a new IKE_SA using the same ID is
+almost invariably intended to replace an old one. The difference between
+.B no
+and
+.B never
+is that the daemon will replace old IKE_SAs when receiving an INITIAL_CONTACT
+notify if the option is
+.B no
+but will ignore these notifies if
+.B never
+is configured.
+The daemon also accepts the value
 .B replace
 which is identical to
 .B yes
 and the value
 .B keep
 to reject new IKE_SA setups and keep the duplicate established earlier.
-.PP
-The following
-.B config section
-parameters are used by the IKEv1 Pluto daemon only:
-.TP
-.BR crlcheckinterval " = " 0s " | <time>"
-interval in seconds. CRL fetching is enabled if the value is greater than zero.
-Asynchronous, periodic checking for fresh CRLs is currently done by the
-IKEv1 Pluto daemon only.
-.TP
-.BR keep_alive " = " 20s " | <time>"
-interval in seconds between NAT keep alive packets, the default being 20 seconds.
-.TP
-.BR nat_traversal " = yes | " no
-activates NAT traversal by accepting source ISAKMP ports different from udp/500 and
-being able of floating to udp/4500 if a NAT situation is detected.
-Accepted values are
-.B yes
-and
-.B no
-(the default).
-Used by IKEv1 only, NAT traversal is always being active in IKEv2.
-.TP
-.BR nocrsend " = yes | " no
-no certificate request payloads will be sent.
-.TP
-.BR pkcs11initargs " = <args>"
-non-standard argument string for PKCS#11 C_Initialize() function;
-required by NSS softoken.
-.TP
-.BR pkcs11module " = <args>"
-defines the path to a dynamically loadable PKCS #11 library.
-.TP
-.BR pkcs11keepstate " = yes | " no
-PKCS #11 login sessions will be kept during the whole lifetime of the keying
-daemon. Useful with pin-pad smart card readers.
-Accepted values are
-.B yes
-and
-.B no
-(the default).
-.TP
-.BR pkcs11proxy " = yes | " no
-Pluto will act as a PKCS #11 proxy accessible via the whack interface.
-Accepted values are
-.B yes
-and
-.B no
-(the default).
-.TP
-.BR plutodebug " = " none " | <debug list> | all"
-how much pluto debugging output should be logged.
-An empty value,
-or the magic value
-.BR none ,
-means no debugging output (the default).
-The magic value
-.B all
-means full output.
-Otherwise only the specified types of output
-(a quoted list, names without the
-.B \-\-debug\-
-prefix,
-separated by white space) are enabled;
-for details on available debugging types, see
-.IR pluto (8).
-.TP
-.BR plutostderrlog " = <file>"
-Pluto will not use syslog, but rather log to stderr, and redirect stderr
-to <file>.
-.TP
-.BR postpluto " = <command>"
-shell command to run after starting pluto
-(e.g., to remove a decrypted copy of the
-.I ipsec.secrets
-file).
-It's run in a very simple way;
-complexities like I/O redirection are best hidden within a script.
-Any output is redirected for logging,
-so running interactive commands is difficult unless they use
-.I /dev/tty
-or equivalent for their interaction.
-Default is none.
-.TP
-.BR prepluto " = <command>"
-shell command to run before starting pluto
-(e.g., to decrypt an encrypted copy of the
-.I ipsec.secrets
-file).
-It's run in a very simple way;
-complexities like I/O redirection are best hidden within a script.
-Any output is redirected for logging,
-so running interactive commands is difficult unless they use
-.I /dev/tty
-or equivalent for their interaction.
-Default is none.
-.TP
-.BR virtual_private " = <networks>"
-defines private networks using a wildcard notation.
-.PP
-The following
-.B config section
-parameters are used by the IKEv2 charon daemon only:
-.TP
-.BR charondebug " = <debug list>"
-how much charon debugging output should be logged.
-A comma separated list containing type/level-pairs may
-be specified, e.g:
-.B dmn 3, ike 1, net -1.
-Acceptable values for types are
-.B dmn, mgr, ike, chd, job, cfg, knl, net, asn, enc, lib, tls, tnc, imc, imv, pts
-and the level is one of
-.B -1, 0, 1, 2, 3, 4
-(for silent, audit, control, controlmore, raw, private).  By default, the level
-is set to
-.B 1
-for all types.  For more flexibility see LOGGER CONFIGURATION in
-.IR strongswan.conf (5).
 
-.SH IKEv2 EXPIRY/REKEY
+.SH SA EXPIRY/REKEY
 The IKE SAs and IPsec SAs negotiated by the daemon can be configured to expire
 after a specific amount of time. For IPsec SAs this can also happen after a
 specified number of transmitted packets or transmitted bytes. The following
@@ -1419,12 +1199,8 @@ time equals zero and, thus, rekeying gets disabled.
 /etc/ipsec.d/crls
 
 .SH SEE ALSO
-strongswan.conf(5), ipsec.secrets(5), ipsec(8), pluto(8)
+strongswan.conf(5), ipsec.secrets(5), ipsec(8)
 .SH HISTORY
 Originally written for the FreeS/WAN project by Henry Spencer.
 Updated and extended for the strongSwan project <http://www.strongswan.org> by
 Tobias Brunner, Andreas Steffen and Martin Willi.
-.SH BUGS
-.PP
-If conns are to be added before DNS is available, \fBleft=\fP\fIFQDN\fP
-will fail.
diff --git a/man/strongswan.conf.5 b/man/strongswan.conf.5
index e56e786e0..16b9f245a 100644
--- a/man/strongswan.conf.5
+++ b/man/strongswan.conf.5
@@ -1,4 +1,4 @@
-.TH STRONGSWAN.CONF 5 "2011-07-26" "4.6.4" "strongSwan"
+.TH STRONGSWAN.CONF 5 "2012-05-01" "5.0.1" "strongSwan"
 .SH NAME
 strongswan.conf \- strongSwan configuration file
 .SH DESCRIPTION
@@ -138,6 +138,9 @@ Plugins to load in ipsec attest tool
 .BR charon.block_threshold " [5]"
 Maximum number of half-open IKE_SAs for a single peer IP
 .TP
+.BR charon.cisco_unity " [no]
+Send Cisco Unity vendor ID payload (IKEv1 only)
+.TP
 .BR charon.close_ike_on_child_failure " [no]"
 Close the IKE_SA if setup of the CHILD_SA along with IKE_AUTH failed
 .TP
@@ -156,7 +159,10 @@ Enable Denial of Service protection using cookies and aggressiveness checks
 Section to define file loggers, see LOGGER CONFIGURATION
 .TP
 .BR charon.flush_auth_cfg " [no]"
-
+If enabled objects used during authentication (certificates, identities etc.)
+are released to free memory once an IKE_SA is established.
+Enabling this might conflict with plugins that later need access to e.g. the
+used certificates.
 .TP
 .BR charon.half_open_timeout " [30]"
 Timeout in seconds for connecting IKE_SAs (also see IKE_SA_INIT DROPPING).
@@ -164,8 +170,13 @@ Timeout in seconds for connecting IKE_SAs (also see IKE_SA_INIT DROPPING).
 .BR charon.hash_and_url " [no]"
 Enable hash and URL support
 .TP
+.BR charon.i_dont_care_about_security_and_use_aggressive_mode_psk " [no]"
+If enabled responders are allowed to use IKEv1 Aggressive Mode with pre-shared
+keys, which is discouraged due to security concerns (offline attacks on the
+openly transmitted hash of the PSK)
+.TP
 .BR charon.ignore_routing_tables
-A list of routing tables to be excluded from route lookup
+A space-separated list of routing tables to be excluded from route lookups
 .TP
 .BR charon.ikesa_table_segments " [1]"
 Number of exclusively locked segments in the hash table
@@ -190,6 +201,19 @@ Install routes into a separate routing table for established IPsec tunnels
 .BR charon.install_virtual_ip " [yes]"
 Install virtual IP addresses
 .TP
+.BR charon.install_virtual_ip_on
+The name of the interface on which virtual IP addresses should be installed.
+If not specified the addresses will be installed on the outbound interface.
+.TP
+.BR charon.interfaces_ignore
+A comma-separated list of network interfaces that should be ignored, if
+.B charon.interfaces_use
+is specified this option has no effect.
+.TP
+.BR charon.interfaces_use
+A comma-separated list of network interfaces that should be used by charon.
+All other interfaces are ignored.
+.TP
 .BR charon.keep_alive " [20s]"
 NAT keep alive interval
 .TP
@@ -207,11 +231,20 @@ Enable multiple authentication exchanges (RFC 4739)
 .BR charon.nbns2
 WINS servers assigned to peer via configuration payload (CP)
 .TP
+.BR charon.port " [500]"
+UDP port used locally. If set to 0 a random port will be allocated.
+.TP
+.BR charon.port_nat_t " [4500]"
+UDP port used locally in case of NAT-T. If set to 0 a random port will be
+allocated.  Has to be different from
+.BR charon.port ,
+otherwise a random port will be allocated.
+.TP
 .BR charon.process_route " [yes]"
 Process RTM_NEWROUTE and RTM_DELROUTE events
 .TP
 .BR charon.receive_delay " [0]"
-Delay for receiving packets, to simulate larger RTT
+Delay in ms for receiving packets, to simulate larger RTT
 .TP
 .BR charon.receive_delay_response " [yes]"
 Delay response messages
@@ -234,6 +267,10 @@ Timeout in seconds before sending first retransmit
 .BR charon.retransmit_tries " [5]"
 Number of times to retransmit a packet before giving up
 .TP
+.BR charon.retry_initiate_interval " [0]"
+Interval to use when retrying to initiate an IKE_SA (e.g. if DNS resolution
+failed), 0 to disable retries.
+.TP
 .BR charon.reuse_ikesa " [yes]
 Initiate CHILD_SA within existing IKE_SAs
 .TP
@@ -244,7 +281,7 @@ Numerical routing table to install routes to
 Priority of the routing table
 .TP
 .BR charon.send_delay " [0]"
-Delay for sending packets, to simulate larger RTT
+Delay in ms for sending packets, to simulate larger RTT
 .TP
 .BR charon.send_delay_response " [yes]"
 Delay response messages
@@ -265,13 +302,51 @@ Section to define syslog loggers, see LOGGER CONFIGURATION
 Number of worker threads in charon
 .SS charon.plugins subsection
 .TP
-.BR charon.plugins.android.loglevel " [1]"
+.BR charon.plugins.android_log.loglevel " [1]"
 Loglevel for logging to Android specific logger
 .TP
 .BR charon.plugins.attr
 Section to specify arbitrary attributes that are assigned to a peer via
 configuration payload (CP)
 .TP
+.BR charon.plugins.certexpire.csv.cron
+Cron style string specifying CSV export times
+.TP
+.BR charon.plugins.certexpire.csv.local
+strftime(3) format string for the CSV file name to export local certificates to
+.TP
+.BR charon.plugins.certexpire.csv.remote
+strftime(3) format string for the CSV file name to export remote certificates to
+.TP
+.BR charon.plugins.certexpire.csv.separator " [,]"
+CSV field separator
+.TP
+.BR charon.plugins.certexpire.csv.empty_string
+String to use in empty intermediate CA fields
+.TP
+.BR charon.plugins.certexpire.csv.format " [%d:%m:%Y]"
+strftime(3) format string to export expiration dates as
+.TP
+.BR charon.plugins.certexpire.csv.fixed_fields " [yes]"
+Use a fixed intermediate CA field count
+.TP
+.BR charon.plugins.coupling.file
+File to store coupling list to
+.TP
+.BR charon.plugins.coupling.hash " [sha1]"
+Hashing algorithm to fingerprint coupled certificates
+.TP
+.BR charon.plugins.coupling.max " [1]"
+Maximum number of coupling entries to create
+.TP
+.BR charon.plugins.dhcp.force_server_address " [no]"
+Always use the configured server address. This might be helpful if the DHCP
+server runs on the same host as strongSwan, and the DHCP daemon does not listen
+on the loopback interface.  In that case the server cannot be reached via
+unicast (or even 255.255.255.255) as that would be routed via loopback.
+Setting this option to yes and configuring the local broadcast address (e.g.
+192.168.0.255) as server address might work.
+.TP
 .BR charon.plugins.dhcp.identity_lease " [no]"
 Derive user-defined MAC address from hash of IKEv2 identity
 .TP
@@ -279,7 +354,7 @@ Derive user-defined MAC address from hash of IKEv2 identity
 DHCP server unicast or broadcast IP address
 .TP
 .BR charon.plugins.duplicheck.enable " [yes]"
-enable loaded duplicheck plugin
+Enable duplicheck plugin (if loaded)
 .TP
 .BR charon.plugins.eap-aka.request_identity " [yes]"
 
@@ -287,15 +362,24 @@ enable loaded duplicheck plugin
 .BR charon.plugins.eap-aka-3ggp2.seq_check
 
 .TP
-.BR charon.plugins.eap-gtc.pam_service " [login]"
-PAM service to be used for authentication
-
+.BR charon.plugins.eap-dynamic.preferred
+The preferred EAP method(s) to be used.  If it is not given the first
+registered method will be used initially.  If a comma separated list is given
+the methods are tried in the given order before trying the rest of the
+registered methods.
+.TP
+.BR charon.plugins.eap-dynamic.prefer_user " [no]"
+If enabled the EAP methods proposed in an EAP-Nak message sent by the peer are
+preferred over the methods registered locally.
+.TP
+.BR charon.plugins.eap-gtc.backend " [pam]"
+XAuth backend to be used for credential verification
 .TP
 .BR charon.plugins.eap-peap.fragment_size " [1024]"
 Maximum size of an EAP-PEAP packet
 .TP
 .BR charon.plugins.eap-peap.max_message_count " [32]"
-Maximum number of processed EAP-PEAP packets
+Maximum number of processed EAP-PEAP packets (0 = no limit)
 .TP
 .BR charon.plugins.eap-peap.include_length " [no]"
 Include length in non-fragmented EAP-PEAP packets
@@ -311,7 +395,6 @@ Start phase2 EAP TNC protocol after successful client authentication
 .TP
 .BR charon.plugins.eap-peap.request_peer_auth " [no]"
 Request peer authentication based on a client certificate
-
 .TP
 .BR charon.plugins.eap-radius.accounting " [no]"
 Send RADIUS accounting information to RADIUS servers.
@@ -325,6 +408,18 @@ is compared to the groups specified in the
 option in
 .B ipsec.conf (5).
 .TP
+.BR charon.plugins.eap-radius.dae.enable " [no]"
+Enables support for the Dynamic Authorization Extension (RFC 5176)
+.TP
+.BR charon.plugins.eap-radius.dae.listen " [0.0.0.0]"
+Address to listen for DAE messages from the RADIUS server
+.TP
+.BR charon.plugins.eap-radius.dae.port " [3799]"
+Port to listen for DAE requests
+.TP
+.BR charon.plugins.eap-radius.dae.secret
+Shared secret used to verify/sign DAE messages
+.TP
 .BR charon.plugins.eap-radius.eap_start " [no]"
 Send EAP-Start instead of EAP-Identity to start RADIUS conversation
 .TP
@@ -341,6 +436,18 @@ is compared to the groups specified in the
 option in
 .B ipsec.conf (5).
 .TP
+.BR charon.plugins.eap-radius.forward.ike_to_radius
+RADIUS attributes to be forwarded from IKEv2 to RADIUS (can be defined by
+name or attribute number, a colon can be used to specify vendor-specific
+attributes, e.g. Reply-Message, or 11, or 36906:12).
+.TP
+.BR charon.plugins.eap-radius.forward.radius_to_ike
+Same as
+.B charon.plugins.eap-radius.forward.ike_to_radius
+but from RADIUS to
+IKEv2, a strongSwan specific private notify (40969) is used to transmit the
+attributes.
+.TP
 .BR charon.plugins.eap-radius.id_prefix
 Prefix to EAP-Identity, some AAA servers use a IMSI prefix to select the
 EAP method
@@ -364,10 +471,15 @@ Section to specify multiple RADIUS servers. The
 .B sockets
 and
 .B port
+(or
+.BR auth_port )
 options can be specified for each server. A server's IP/Hostname can be
 configured using the
 .B address
-option. For each RADIUS server a priority can be specified using the
+option. The
+.BR acct_port " [1813]"
+option can be used to specify the port used for RADIUS accounting.
+For each RADIUS server a priority can be specified using the
 .BR preference " [0]"
 option.
 .TP
@@ -380,32 +492,29 @@ Number of sockets (ports) to use, increase for high load
 .BR charon.plugins.eap-simaka-sql.database
 
 .TP
-.BR charon.plugins.eap-simaka-sql.remove_used
+.BR charon.plugins.eap-simaka-sql.remove_used " [no]"
 
 .TP
 .BR charon.plugins.eap-tls.fragment_size " [1024]"
 Maximum size of an EAP-TLS packet
 .TP
 .BR charon.plugins.eap-tls.max_message_count " [32]"
-Maximum number of processed EAP-TLS packets
+Maximum number of processed EAP-TLS packets (0 = no limit)
 .TP
 .BR charon.plugins.eap-tls.include_length " [yes]"
 Include length in non-fragmented EAP-TLS packets
 .TP
-.BR charon.plugins.eap-tnc.fragment_size " [50000]"
-Maximum size of an EAP-TNC packet
-.TP
 .BR charon.plugins.eap-tnc.max_message_count " [10]"
-Maximum number of processed EAP-TNC packets
+Maximum number of processed EAP-TNC packets (0 = no limit)
 .TP
-.BR charon.plugins.eap-tnc.include_length " [yes]"
-Include length in non-fragmented EAP-TNC packets
+.BR charon.plugins.eap-tnc.protocol " [tnccs-1.1]"
+IF-TNCCS protocol version to be used (tnccs-1.1, tnccs-2.0, tnccs-dynamic)
 .TP
 .BR charon.plugins.eap-ttls.fragment_size " [1024]"
 Maximum size of an EAP-TTLS packet
 .TP
 .BR charon.plugins.eap-ttls.max_message_count " [32]"
-Maximum number of processed EAP-TTLS packets
+Maximum number of processed EAP-TTLS packets (0 = no limit)
 .TP
 .BR charon.plugins.eap-ttls.include_length " [yes]"
 Include length in non-fragmented EAP-TTLS packets
@@ -467,6 +576,13 @@ Set MTU of ipsecN device
 .BR charon.plugins.load-tester
 Section to configure the load-tester plugin, see LOAD TESTS
 .TP
+.BR charon.plugins.radattr.dir
+Directory where RADIUS attributes are stored in client-ID specific files.
+.TP
+.BR charon.plugins.radattr.message_id " [-1]"
+Attributes are added to all IKE_AUTH messages by default (-1), or only to the
+IKE_AUTH message with the given IKEv2 message ID.
+.TP
 .BR charon.plugins.resolve.file " [/etc/resolv.conf]"
 File where to add DNS server entries
 .TP
@@ -476,6 +592,9 @@ is appended to this prefix to make it unique.  The result has to be a valid
 interface name according to the rules defined by resolvconf.  Also, it should
 have a high priority according to the order defined in interface-order(5).
 .TP
+.BR charon.plugins.socket-default.set_source " [yes]"
+Set source address on outbound packets, if possible.
+.TP
 .BR charon.plugins.sql.database
 Database URI for charons SQL plugin
 .TP
@@ -489,6 +608,15 @@ certificates even if they don't contain a CA basic constraint.
 .BR charon.plugins.stroke.max_concurrent " [4]"
 Maximum number of stroke messages handled concurrently
 .TP
+.BR charon.plugins.tnccs-11.max_message_size " [45000]"
+Maximum size of a PA-TNC message (XML & Base64 encoding)
+.TP
+.BR charon.plugins.tnccs-20.max_batch_size " [65522]"
+Maximum size of a PB-TNC batch (upper limit via PT-EAP = 65529)
+.TP
+.BR charon.plugins.tnccs-20.max_message_size " [65490]"
+Maximum size of a PA-TNC message (upper limit via PT-EAP = 65497)
+.TP
 .BR charon.plugins.tnc-ifmap.device_name
 Unique name of strongSwan as a PEP and/or PDP device
 .TP
@@ -520,12 +648,26 @@ RADIUS server port the strongSwan PDP is listening on
 Shared RADIUS secret between strongSwan PDP and NAS
 .TP
 .BR charon.plugins.tnc-pdp.server
-name of the strongSwan PDP as contained in the AAA certificate
+Name of the strongSwan PDP as contained in the AAA certificate
+.TP
+.BR charon.plugins.updown.dns_handler " [no]"
+Whether the updown script should handle DNS serves assigned via IKEv1 Mode
+Config or IKEv2 Config Payloads (if enabled they can't be handled by other
+plugins, like resolve)
 .TP
 .BR charon.plugins.whitelist.enable " [yes]"
-enable loaded whitelist plugin
+Enable loaded whitelist plugin
+.TP
+.BR charon.plugins.xauth-eap.backend " [radius]"
+EAP plugin to be used as backend for XAuth credential verification
+.TP
+.BR charon.plugins.xauth-pam.pam_service " [login]"
+PAM service to be used for authentication
 .SS libstrongswan section
 .TP
+.BR libstrongswan.cert_cache " [yes]"
+Whether relations in validated certificate chains should be cached in memory
+.TP
 .BR libstrongswan.crypto_test.bench " [no]"
 
 .TP
@@ -560,6 +702,9 @@ Check daemon, libstrongswan and plugin integrity at startup
 .BR libstrongswan.leak_detective.detailed " [yes]"
 Includes source file names and line numbers in leak detective output
 .TP
+.BR libstrongswan.leak_detective.usage_threshold " [10240]"
+Threshold in bytes for leaks to be reported (0 to report all)
+.TP
 .BR libstrongswan.processor.priority_threads
 Subsection to configure the number of reserved threads per priority class
 see JOB PRIORITY MANAGEMENT
@@ -569,7 +714,7 @@ Discard certificates with unsupported or unknown critical extensions
 .SS libstrongswan.plugins subsection
 .TP
 .BR libstrongswan.plugins.attr-sql.database
-Database URI for attr-sql plugin used by charon and pluto
+Database URI for attr-sql plugin used by charon
 .TP
 .BR libstrongswan.plugins.attr-sql.lease_history " [yes]"
 Enable logging of SQL IP pool leases
@@ -599,12 +744,21 @@ keys not stored on tokens
 .TP
 .BR libstrongswan.plugins.pkcs11.use_rng " [no]"
 Whether the PKCS#11 modules should be used as RNG
+.TP
+.BR libstrongswan.plugins.random.random " [/dev/random]"
+File to read random bytes from, instead of /dev/random
+.TP
+.BR libstrongswan.plugins.random.urandom " [/dev/urandom]"
+File to read pseudo random bytes from, instead of /dev/urandom
 .SS libtnccs section
 .TP
 .BR libtnccs.tnc_config " [/etc/tnc_config]"
 TNC IMC/IMV configuration directory
 .SS libimcv section
 .TP
+.BR libimcv.assessment_result " [yes]"
+Whether IMVs send a standard IETF Assessment Result attribute
+.TP
 .BR libimcv.debug_level " [1]"
 Debug level for a stand-alone libimcv library
 .TP
@@ -663,6 +817,9 @@ Number of additional IMC IDs
 .BR libimcv.plugins.imc-test.command " [none]"
 Command to be sent to the Test IMV
 .TP
+.BR libimcv.plugins.imc-test.dummy_size " [0]"
+Size of dummy attribute to be sent to the Test IMV (0 = disabled)
+.TP
 .BR libimcv.plugins.imc-test.retry " [no]"
 Do a handshake retry
 .TP
@@ -749,34 +906,6 @@ Plugins to load in ipsec openac tool
 .TP
 .BR pki.load
 Plugins to load in ipsec pki tool
-.SS pluto section
-.TP
-.BR pluto.dns1
-.TQ
-.BR pluto.dns2
-DNS servers assigned to peer via Mode Config
-.TP
-.BR pluto.load
-Plugins to load in IKEv1 pluto daemon
-.TP
-.BR pluto.nbns1
-.TQ
-.BR pluto.nbns2
-WINS servers assigned to peer via Mode Config
-.TP
-.BR pluto.threads " [4]"
-Number of worker threads in pluto
-.SS pluto.plugins section
-.TP
-.BR pluto.plugins.attr
-Section to specify arbitrary attributes that are assigned to a peer via
-Mode Config
-.TP
-.BR charon.plugins.kernel-klips.ipsec_dev_count " [4]"
-Number of ipsecN devices
-.TP
-.BR charon.plugins.kernel-klips.ipsec_dev_mtu " [0]"
-Set MTU of ipsecN device
 .SS pool section
 .TP
 .BR pool.load
@@ -791,7 +920,7 @@ Plugins to load in ipsec scepclient tool
 Plugins to load in starter
 .TP
 .BR starter.load_warning " [yes]"
-Disable charon/pluto plugin load option warning
+Disable charon plugin load option warning
 
 .SH LOGGER CONFIGURATION
 The options described below provide a much more flexible way to configure
@@ -897,6 +1026,9 @@ Packet encoding/decoding encryption/decryption operations
 .B tls
 libtls library messages
 .TP
+.B esp
+libipsec library messages
+.TP
 .B lib
 libstrongwan library messages
 .TP
@@ -1104,7 +1236,7 @@ it within 30 seconds. Under high load, a higher value might be required.
 
 .SH LOAD TESTS
 To do stability testing and performance optimizations, the IKEv2 daemon charon
-provides the load-tester plugin. This plugin allows to setup thousands of
+provides the load-tester plugin. This plugin allows one to setup thousands of
 tunnels concurrently against the daemon itself or a remote host.
 .PP
 .B WARNING:
@@ -1211,7 +1343,7 @@ implementation called modpnull. By setting
 	proposal = aes128-sha1-modpnull
 .EE
 this wicked fast DH implementation is used. It does not provide any security
-at all, but allows to run tests without DH calculation overhead.
+at all, but allows one to run tests without DH calculation overhead.
 .SS Examples
 .PP
 In the simplest case, the daemon initiates IKE_SAs against itself using the
@@ -1255,9 +1387,9 @@ value if your box can not handle that much load, or decrease it to put more
 load on it. If the daemon starts retransmitting messages your box probably can
 not handle all connection attempts.
 .PP
-The plugin also allows to test against a remote host. This might help to test
-against a real world configuration. A connection setup to do stress testing of
-a gateway might look like this:
+The plugin also allows one to test against a remote host. This might help to
+test against a real world configuration. A connection setup to do stress
+testing of a gateway might look like this:
 .PP
 .EX
 	charon {
diff --git a/man/strongswan.conf.5.in b/man/strongswan.conf.5.in
index 05493ec75..217d7d739 100644
--- a/man/strongswan.conf.5.in
+++ b/man/strongswan.conf.5.in
@@ -1,4 +1,4 @@
-.TH STRONGSWAN.CONF 5 "2011-07-26" "@IPSEC_VERSION@" "strongSwan"
+.TH STRONGSWAN.CONF 5 "2012-05-01" "@IPSEC_VERSION@" "strongSwan"
 .SH NAME
 strongswan.conf \- strongSwan configuration file
 .SH DESCRIPTION
@@ -138,6 +138,9 @@ Plugins to load in ipsec attest tool
 .BR charon.block_threshold " [5]"
 Maximum number of half-open IKE_SAs for a single peer IP
 .TP
+.BR charon.cisco_unity " [no]
+Send Cisco Unity vendor ID payload (IKEv1 only)
+.TP
 .BR charon.close_ike_on_child_failure " [no]"
 Close the IKE_SA if setup of the CHILD_SA along with IKE_AUTH failed
 .TP
@@ -156,7 +159,10 @@ Enable Denial of Service protection using cookies and aggressiveness checks
 Section to define file loggers, see LOGGER CONFIGURATION
 .TP
 .BR charon.flush_auth_cfg " [no]"
-
+If enabled objects used during authentication (certificates, identities etc.)
+are released to free memory once an IKE_SA is established.
+Enabling this might conflict with plugins that later need access to e.g. the
+used certificates.
 .TP
 .BR charon.half_open_timeout " [30]"
 Timeout in seconds for connecting IKE_SAs (also see IKE_SA_INIT DROPPING).
@@ -164,8 +170,13 @@ Timeout in seconds for connecting IKE_SAs (also see IKE_SA_INIT DROPPING).
 .BR charon.hash_and_url " [no]"
 Enable hash and URL support
 .TP
+.BR charon.i_dont_care_about_security_and_use_aggressive_mode_psk " [no]"
+If enabled responders are allowed to use IKEv1 Aggressive Mode with pre-shared
+keys, which is discouraged due to security concerns (offline attacks on the
+openly transmitted hash of the PSK)
+.TP
 .BR charon.ignore_routing_tables
-A list of routing tables to be excluded from route lookup
+A space-separated list of routing tables to be excluded from route lookups
 .TP
 .BR charon.ikesa_table_segments " [1]"
 Number of exclusively locked segments in the hash table
@@ -190,6 +201,19 @@ Install routes into a separate routing table for established IPsec tunnels
 .BR charon.install_virtual_ip " [yes]"
 Install virtual IP addresses
 .TP
+.BR charon.install_virtual_ip_on
+The name of the interface on which virtual IP addresses should be installed.
+If not specified the addresses will be installed on the outbound interface.
+.TP
+.BR charon.interfaces_ignore
+A comma-separated list of network interfaces that should be ignored, if
+.B charon.interfaces_use
+is specified this option has no effect.
+.TP
+.BR charon.interfaces_use
+A comma-separated list of network interfaces that should be used by charon.
+All other interfaces are ignored.
+.TP
 .BR charon.keep_alive " [20s]"
 NAT keep alive interval
 .TP
@@ -207,11 +231,20 @@ Enable multiple authentication exchanges (RFC 4739)
 .BR charon.nbns2
 WINS servers assigned to peer via configuration payload (CP)
 .TP
+.BR charon.port " [500]"
+UDP port used locally. If set to 0 a random port will be allocated.
+.TP
+.BR charon.port_nat_t " [4500]"
+UDP port used locally in case of NAT-T. If set to 0 a random port will be
+allocated.  Has to be different from
+.BR charon.port ,
+otherwise a random port will be allocated.
+.TP
 .BR charon.process_route " [yes]"
 Process RTM_NEWROUTE and RTM_DELROUTE events
 .TP
 .BR charon.receive_delay " [0]"
-Delay for receiving packets, to simulate larger RTT
+Delay in ms for receiving packets, to simulate larger RTT
 .TP
 .BR charon.receive_delay_response " [yes]"
 Delay response messages
@@ -234,6 +267,10 @@ Timeout in seconds before sending first retransmit
 .BR charon.retransmit_tries " [5]"
 Number of times to retransmit a packet before giving up
 .TP
+.BR charon.retry_initiate_interval " [0]"
+Interval to use when retrying to initiate an IKE_SA (e.g. if DNS resolution
+failed), 0 to disable retries.
+.TP
 .BR charon.reuse_ikesa " [yes]
 Initiate CHILD_SA within existing IKE_SAs
 .TP
@@ -244,7 +281,7 @@ Numerical routing table to install routes to
 Priority of the routing table
 .TP
 .BR charon.send_delay " [0]"
-Delay for sending packets, to simulate larger RTT
+Delay in ms for sending packets, to simulate larger RTT
 .TP
 .BR charon.send_delay_response " [yes]"
 Delay response messages
@@ -265,13 +302,51 @@ Section to define syslog loggers, see LOGGER CONFIGURATION
 Number of worker threads in charon
 .SS charon.plugins subsection
 .TP
-.BR charon.plugins.android.loglevel " [1]"
+.BR charon.plugins.android_log.loglevel " [1]"
 Loglevel for logging to Android specific logger
 .TP
 .BR charon.plugins.attr
 Section to specify arbitrary attributes that are assigned to a peer via
 configuration payload (CP)
 .TP
+.BR charon.plugins.certexpire.csv.cron
+Cron style string specifying CSV export times
+.TP
+.BR charon.plugins.certexpire.csv.local
+strftime(3) format string for the CSV file name to export local certificates to
+.TP
+.BR charon.plugins.certexpire.csv.remote
+strftime(3) format string for the CSV file name to export remote certificates to
+.TP
+.BR charon.plugins.certexpire.csv.separator " [,]"
+CSV field separator
+.TP
+.BR charon.plugins.certexpire.csv.empty_string
+String to use in empty intermediate CA fields
+.TP
+.BR charon.plugins.certexpire.csv.format " [%d:%m:%Y]"
+strftime(3) format string to export expiration dates as
+.TP
+.BR charon.plugins.certexpire.csv.fixed_fields " [yes]"
+Use a fixed intermediate CA field count
+.TP
+.BR charon.plugins.coupling.file
+File to store coupling list to
+.TP
+.BR charon.plugins.coupling.hash " [sha1]"
+Hashing algorithm to fingerprint coupled certificates
+.TP
+.BR charon.plugins.coupling.max " [1]"
+Maximum number of coupling entries to create
+.TP
+.BR charon.plugins.dhcp.force_server_address " [no]"
+Always use the configured server address. This might be helpful if the DHCP
+server runs on the same host as strongSwan, and the DHCP daemon does not listen
+on the loopback interface.  In that case the server cannot be reached via
+unicast (or even 255.255.255.255) as that would be routed via loopback.
+Setting this option to yes and configuring the local broadcast address (e.g.
+192.168.0.255) as server address might work.
+.TP
 .BR charon.plugins.dhcp.identity_lease " [no]"
 Derive user-defined MAC address from hash of IKEv2 identity
 .TP
@@ -279,7 +354,7 @@ Derive user-defined MAC address from hash of IKEv2 identity
 DHCP server unicast or broadcast IP address
 .TP
 .BR charon.plugins.duplicheck.enable " [yes]"
-enable loaded duplicheck plugin
+Enable duplicheck plugin (if loaded)
 .TP
 .BR charon.plugins.eap-aka.request_identity " [yes]"
 
@@ -287,15 +362,24 @@ enable loaded duplicheck plugin
 .BR charon.plugins.eap-aka-3ggp2.seq_check
 
 .TP
-.BR charon.plugins.eap-gtc.pam_service " [login]"
-PAM service to be used for authentication
-
+.BR charon.plugins.eap-dynamic.preferred
+The preferred EAP method(s) to be used.  If it is not given the first
+registered method will be used initially.  If a comma separated list is given
+the methods are tried in the given order before trying the rest of the
+registered methods.
+.TP
+.BR charon.plugins.eap-dynamic.prefer_user " [no]"
+If enabled the EAP methods proposed in an EAP-Nak message sent by the peer are
+preferred over the methods registered locally.
+.TP
+.BR charon.plugins.eap-gtc.backend " [pam]"
+XAuth backend to be used for credential verification
 .TP
 .BR charon.plugins.eap-peap.fragment_size " [1024]"
 Maximum size of an EAP-PEAP packet
 .TP
 .BR charon.plugins.eap-peap.max_message_count " [32]"
-Maximum number of processed EAP-PEAP packets
+Maximum number of processed EAP-PEAP packets (0 = no limit)
 .TP
 .BR charon.plugins.eap-peap.include_length " [no]"
 Include length in non-fragmented EAP-PEAP packets
@@ -311,7 +395,6 @@ Start phase2 EAP TNC protocol after successful client authentication
 .TP
 .BR charon.plugins.eap-peap.request_peer_auth " [no]"
 Request peer authentication based on a client certificate
-
 .TP
 .BR charon.plugins.eap-radius.accounting " [no]"
 Send RADIUS accounting information to RADIUS servers.
@@ -325,6 +408,18 @@ is compared to the groups specified in the
 option in
 .B ipsec.conf (5).
 .TP
+.BR charon.plugins.eap-radius.dae.enable " [no]"
+Enables support for the Dynamic Authorization Extension (RFC 5176)
+.TP
+.BR charon.plugins.eap-radius.dae.listen " [0.0.0.0]"
+Address to listen for DAE messages from the RADIUS server
+.TP
+.BR charon.plugins.eap-radius.dae.port " [3799]"
+Port to listen for DAE requests
+.TP
+.BR charon.plugins.eap-radius.dae.secret
+Shared secret used to verify/sign DAE messages
+.TP
 .BR charon.plugins.eap-radius.eap_start " [no]"
 Send EAP-Start instead of EAP-Identity to start RADIUS conversation
 .TP
@@ -341,6 +436,18 @@ is compared to the groups specified in the
 option in
 .B ipsec.conf (5).
 .TP
+.BR charon.plugins.eap-radius.forward.ike_to_radius
+RADIUS attributes to be forwarded from IKEv2 to RADIUS (can be defined by
+name or attribute number, a colon can be used to specify vendor-specific
+attributes, e.g. Reply-Message, or 11, or 36906:12).
+.TP
+.BR charon.plugins.eap-radius.forward.radius_to_ike
+Same as
+.B charon.plugins.eap-radius.forward.ike_to_radius
+but from RADIUS to
+IKEv2, a strongSwan specific private notify (40969) is used to transmit the
+attributes.
+.TP
 .BR charon.plugins.eap-radius.id_prefix
 Prefix to EAP-Identity, some AAA servers use a IMSI prefix to select the
 EAP method
@@ -364,10 +471,15 @@ Section to specify multiple RADIUS servers. The
 .B sockets
 and
 .B port
+(or
+.BR auth_port )
 options can be specified for each server. A server's IP/Hostname can be
 configured using the
 .B address
-option. For each RADIUS server a priority can be specified using the
+option. The
+.BR acct_port " [1813]"
+option can be used to specify the port used for RADIUS accounting.
+For each RADIUS server a priority can be specified using the
 .BR preference " [0]"
 option.
 .TP
@@ -380,32 +492,29 @@ Number of sockets (ports) to use, increase for high load
 .BR charon.plugins.eap-simaka-sql.database
 
 .TP
-.BR charon.plugins.eap-simaka-sql.remove_used
+.BR charon.plugins.eap-simaka-sql.remove_used " [no]"
 
 .TP
 .BR charon.plugins.eap-tls.fragment_size " [1024]"
 Maximum size of an EAP-TLS packet
 .TP
 .BR charon.plugins.eap-tls.max_message_count " [32]"
-Maximum number of processed EAP-TLS packets
+Maximum number of processed EAP-TLS packets (0 = no limit)
 .TP
 .BR charon.plugins.eap-tls.include_length " [yes]"
 Include length in non-fragmented EAP-TLS packets
 .TP
-.BR charon.plugins.eap-tnc.fragment_size " [50000]"
-Maximum size of an EAP-TNC packet
-.TP
 .BR charon.plugins.eap-tnc.max_message_count " [10]"
-Maximum number of processed EAP-TNC packets
+Maximum number of processed EAP-TNC packets (0 = no limit)
 .TP
-.BR charon.plugins.eap-tnc.include_length " [yes]"
-Include length in non-fragmented EAP-TNC packets
+.BR charon.plugins.eap-tnc.protocol " [tnccs-1.1]"
+IF-TNCCS protocol version to be used (tnccs-1.1, tnccs-2.0, tnccs-dynamic)
 .TP
 .BR charon.plugins.eap-ttls.fragment_size " [1024]"
 Maximum size of an EAP-TTLS packet
 .TP
 .BR charon.plugins.eap-ttls.max_message_count " [32]"
-Maximum number of processed EAP-TTLS packets
+Maximum number of processed EAP-TTLS packets (0 = no limit)
 .TP
 .BR charon.plugins.eap-ttls.include_length " [yes]"
 Include length in non-fragmented EAP-TTLS packets
@@ -467,6 +576,13 @@ Set MTU of ipsecN device
 .BR charon.plugins.load-tester
 Section to configure the load-tester plugin, see LOAD TESTS
 .TP
+.BR charon.plugins.radattr.dir
+Directory where RADIUS attributes are stored in client-ID specific files.
+.TP
+.BR charon.plugins.radattr.message_id " [-1]"
+Attributes are added to all IKE_AUTH messages by default (-1), or only to the
+IKE_AUTH message with the given IKEv2 message ID.
+.TP
 .BR charon.plugins.resolve.file " [/etc/resolv.conf]"
 File where to add DNS server entries
 .TP
@@ -476,6 +592,9 @@ is appended to this prefix to make it unique.  The result has to be a valid
 interface name according to the rules defined by resolvconf.  Also, it should
 have a high priority according to the order defined in interface-order(5).
 .TP
+.BR charon.plugins.socket-default.set_source " [yes]"
+Set source address on outbound packets, if possible.
+.TP
 .BR charon.plugins.sql.database
 Database URI for charons SQL plugin
 .TP
@@ -489,6 +608,15 @@ certificates even if they don't contain a CA basic constraint.
 .BR charon.plugins.stroke.max_concurrent " [4]"
 Maximum number of stroke messages handled concurrently
 .TP
+.BR charon.plugins.tnccs-11.max_message_size " [45000]"
+Maximum size of a PA-TNC message (XML & Base64 encoding)
+.TP
+.BR charon.plugins.tnccs-20.max_batch_size " [65522]"
+Maximum size of a PB-TNC batch (upper limit via PT-EAP = 65529)
+.TP
+.BR charon.plugins.tnccs-20.max_message_size " [65490]"
+Maximum size of a PA-TNC message (upper limit via PT-EAP = 65497)
+.TP
 .BR charon.plugins.tnc-ifmap.device_name
 Unique name of strongSwan as a PEP and/or PDP device
 .TP
@@ -520,12 +648,26 @@ RADIUS server port the strongSwan PDP is listening on
 Shared RADIUS secret between strongSwan PDP and NAS
 .TP
 .BR charon.plugins.tnc-pdp.server
-name of the strongSwan PDP as contained in the AAA certificate
+Name of the strongSwan PDP as contained in the AAA certificate
+.TP
+.BR charon.plugins.updown.dns_handler " [no]"
+Whether the updown script should handle DNS serves assigned via IKEv1 Mode
+Config or IKEv2 Config Payloads (if enabled they can't be handled by other
+plugins, like resolve)
 .TP
 .BR charon.plugins.whitelist.enable " [yes]"
-enable loaded whitelist plugin
+Enable loaded whitelist plugin
+.TP
+.BR charon.plugins.xauth-eap.backend " [radius]"
+EAP plugin to be used as backend for XAuth credential verification
+.TP
+.BR charon.plugins.xauth-pam.pam_service " [login]"
+PAM service to be used for authentication
 .SS libstrongswan section
 .TP
+.BR libstrongswan.cert_cache " [yes]"
+Whether relations in validated certificate chains should be cached in memory
+.TP
 .BR libstrongswan.crypto_test.bench " [no]"
 
 .TP
@@ -560,6 +702,9 @@ Check daemon, libstrongswan and plugin integrity at startup
 .BR libstrongswan.leak_detective.detailed " [yes]"
 Includes source file names and line numbers in leak detective output
 .TP
+.BR libstrongswan.leak_detective.usage_threshold " [10240]"
+Threshold in bytes for leaks to be reported (0 to report all)
+.TP
 .BR libstrongswan.processor.priority_threads
 Subsection to configure the number of reserved threads per priority class
 see JOB PRIORITY MANAGEMENT
@@ -569,7 +714,7 @@ Discard certificates with unsupported or unknown critical extensions
 .SS libstrongswan.plugins subsection
 .TP
 .BR libstrongswan.plugins.attr-sql.database
-Database URI for attr-sql plugin used by charon and pluto
+Database URI for attr-sql plugin used by charon
 .TP
 .BR libstrongswan.plugins.attr-sql.lease_history " [yes]"
 Enable logging of SQL IP pool leases
@@ -599,12 +744,21 @@ keys not stored on tokens
 .TP
 .BR libstrongswan.plugins.pkcs11.use_rng " [no]"
 Whether the PKCS#11 modules should be used as RNG
+.TP
+.BR libstrongswan.plugins.random.random " [@DEV_RANDOM@]"
+File to read random bytes from, instead of @DEV_RANDOM@
+.TP
+.BR libstrongswan.plugins.random.urandom " [@DEV_URANDOM@]"
+File to read pseudo random bytes from, instead of @DEV_URANDOM@
 .SS libtnccs section
 .TP
 .BR libtnccs.tnc_config " [/etc/tnc_config]"
 TNC IMC/IMV configuration directory
 .SS libimcv section
 .TP
+.BR libimcv.assessment_result " [yes]"
+Whether IMVs send a standard IETF Assessment Result attribute
+.TP
 .BR libimcv.debug_level " [1]"
 Debug level for a stand-alone libimcv library
 .TP
@@ -663,6 +817,9 @@ Number of additional IMC IDs
 .BR libimcv.plugins.imc-test.command " [none]"
 Command to be sent to the Test IMV
 .TP
+.BR libimcv.plugins.imc-test.dummy_size " [0]"
+Size of dummy attribute to be sent to the Test IMV (0 = disabled)
+.TP
 .BR libimcv.plugins.imc-test.retry " [no]"
 Do a handshake retry
 .TP
@@ -749,34 +906,6 @@ Plugins to load in ipsec openac tool
 .TP
 .BR pki.load
 Plugins to load in ipsec pki tool
-.SS pluto section
-.TP
-.BR pluto.dns1
-.TQ
-.BR pluto.dns2
-DNS servers assigned to peer via Mode Config
-.TP
-.BR pluto.load
-Plugins to load in IKEv1 pluto daemon
-.TP
-.BR pluto.nbns1
-.TQ
-.BR pluto.nbns2
-WINS servers assigned to peer via Mode Config
-.TP
-.BR pluto.threads " [4]"
-Number of worker threads in pluto
-.SS pluto.plugins section
-.TP
-.BR pluto.plugins.attr
-Section to specify arbitrary attributes that are assigned to a peer via
-Mode Config
-.TP
-.BR charon.plugins.kernel-klips.ipsec_dev_count " [4]"
-Number of ipsecN devices
-.TP
-.BR charon.plugins.kernel-klips.ipsec_dev_mtu " [0]"
-Set MTU of ipsecN device
 .SS pool section
 .TP
 .BR pool.load
@@ -791,7 +920,7 @@ Plugins to load in ipsec scepclient tool
 Plugins to load in starter
 .TP
 .BR starter.load_warning " [yes]"
-Disable charon/pluto plugin load option warning
+Disable charon plugin load option warning
 
 .SH LOGGER CONFIGURATION
 The options described below provide a much more flexible way to configure
@@ -897,6 +1026,9 @@ Packet encoding/decoding encryption/decryption operations
 .B tls
 libtls library messages
 .TP
+.B esp
+libipsec library messages
+.TP
 .B lib
 libstrongwan library messages
 .TP
@@ -1104,7 +1236,7 @@ it within 30 seconds. Under high load, a higher value might be required.
 
 .SH LOAD TESTS
 To do stability testing and performance optimizations, the IKEv2 daemon charon
-provides the load-tester plugin. This plugin allows to setup thousands of
+provides the load-tester plugin. This plugin allows one to setup thousands of
 tunnels concurrently against the daemon itself or a remote host.
 .PP
 .B WARNING:
@@ -1211,7 +1343,7 @@ implementation called modpnull. By setting
 	proposal = aes128-sha1-modpnull
 .EE
 this wicked fast DH implementation is used. It does not provide any security
-at all, but allows to run tests without DH calculation overhead.
+at all, but allows one to run tests without DH calculation overhead.
 .SS Examples
 .PP
 In the simplest case, the daemon initiates IKE_SAs against itself using the
@@ -1255,9 +1387,9 @@ value if your box can not handle that much load, or decrease it to put more
 load on it. If the daemon starts retransmitting messages your box probably can
 not handle all connection attempts.
 .PP
-The plugin also allows to test against a remote host. This might help to test
-against a real world configuration. A connection setup to do stress testing of
-a gateway might look like this:
+The plugin also allows one to test against a remote host. This might help to
+test against a real world configuration. A connection setup to do stress
+testing of a gateway might look like this:
 .PP
 .EX
 	charon {
-- 
cgit v1.2.3


From 7585facf05d927eb6df3929ce09ed5e60d905437 Mon Sep 17 00:00:00 2001
From: Yves-Alexis Perez <corsac@debian.org>
Date: Thu, 7 Feb 2013 13:27:27 +0100
Subject: Imported Upstream version 5.0.2

---
 Android.common.mk                                  |    2 +-
 Android.mk                                         |    3 +-
 Makefile.in                                        |   91 +-
 NEWS                                               |   51 +
 TODO                                               |   26 +-
 aclocal.m4                                         |   90 +-
 config.guess                                       |  258 +-
 config.h.in                                        |   12 +
 config.sub                                         |  209 +-
 configure                                          | 3577 +++++++----
 configure.in                                       |   73 +-
 depcomp                                            |   74 +-
 init/Makefile.in                                   |   24 +-
 init/systemd/Makefile.in                           |   34 +-
 install-sh                                         |   29 +-
 ltmain.sh                                          | 4016 ++++++++----
 m4/config/libtool.m4                               | 2236 ++++---
 m4/config/ltoptions.m4                             |   32 +-
 m4/config/ltversion.m4                             |   12 +-
 m4/config/lt~obsolete.m4                           |   12 +-
 man/Makefile.in                                    |   34 +-
 man/ipsec.conf.5                                   |   55 +-
 man/ipsec.conf.5.in                                |   53 +-
 man/ipsec.secrets.5                                |   33 +-
 man/ipsec.secrets.5.in                             |   31 +-
 man/strongswan.conf.5                              |  110 +-
 man/strongswan.conf.5.in                           |  110 +-
 missing                                            |   53 +-
 scripts/Makefile.in                                |   50 +-
 scripts/dh_speed.c                                 |    2 +-
 scripts/fetch.c                                    |    2 +-
 scripts/key2keyid.c                                |    2 +-
 scripts/keyid2sql.c                                |    2 +-
 scripts/pubkey_speed.c                             |    2 +-
 scripts/tls_test.c                                 |    4 +-
 src/Makefile.in                                    |   24 +-
 src/_copyright/Makefile.in                         |   26 +-
 src/_updown/Makefile.in                            |   38 +-
 src/_updown_espmark/Makefile.in                    |   38 +-
 src/charon-nm/Makefile.in                          |   26 +-
 src/charon-nm/charon-nm.c                          |   28 +-
 src/charon-nm/nm/nm_backend.c                      |    3 +
 src/charon-nm/nm/nm_service.c                      |    9 +-
 src/charon/Makefile.in                             |   26 +-
 src/charon/charon.c                                |  157 +-
 src/checksum/Makefile.in                           |   34 +-
 src/checksum/checksum_builder.c                    |    2 +-
 src/conftest/Makefile.in                           |   26 +-
 src/conftest/README                                |    9 +-
 src/conftest/config.c                              |   34 +-
 src/conftest/conftest.c                            |   57 +-
 src/conftest/conftest.h                            |    5 +
 src/conftest/hooks/reset_seq.c                     |   77 +-
 src/dumm/Makefile.am                               |    2 +-
 src/dumm/Makefile.in                               |   40 +-
 src/dumm/bridge.c                                  |    4 +-
 src/dumm/bridge.h                                  |    2 +-
 src/dumm/cowfs.c                                   |    4 +-
 src/dumm/dumm.c                                    |    4 +-
 src/dumm/dumm.h                                    |    2 +-
 src/dumm/ext/dumm.c                                |   11 +-
 src/dumm/guest.c                                   |    4 +-
 src/dumm/guest.h                                   |    2 +-
 src/dumm/iface.c                                   |    4 +-
 src/dumm/iface.h                                   |    4 +-
 src/dumm/irdumm.c                                  |    4 +
 src/dumm/main.c                                    |    2 +-
 src/dumm/mconsole.c                                |    2 +-
 src/include/Makefile.in                            |   24 +-
 src/ipsec/Makefile.in                              |   38 +-
 src/ipsec/_ipsec.8                                 |    6 +-
 src/ipsec/_ipsec.8.in                              |    4 +
 src/ipsec/_ipsec.in                                |    4 +-
 src/libcharon/Android.mk                           |    1 +
 src/libcharon/Makefile.am                          |   15 +
 src/libcharon/Makefile.in                          |  143 +-
 src/libcharon/bus/bus.c                            |    5 +
 src/libcharon/bus/bus.h                            |   42 +-
 src/libcharon/bus/listeners/file_logger.c          |  106 +-
 src/libcharon/bus/listeners/file_logger.h          |   29 +-
 src/libcharon/bus/listeners/sys_logger.c           |   32 +-
 src/libcharon/bus/listeners/sys_logger.h           |   11 +-
 src/libcharon/config/backend.h                     |    2 +-
 src/libcharon/config/backend_manager.c             |   69 +-
 src/libcharon/config/backend_manager.h             |    5 +-
 src/libcharon/config/child_cfg.c                   |    4 +-
 src/libcharon/config/ike_cfg.c                     |   39 +-
 src/libcharon/config/ike_cfg.h                     |   59 +-
 src/libcharon/config/peer_cfg.c                    |   21 +-
 src/libcharon/config/peer_cfg.h                    |   23 +-
 src/libcharon/config/proposal.c                    |   91 +-
 src/libcharon/config/proposal.h                    |    8 +-
 src/libcharon/daemon.c                             |  395 +-
 src/libcharon/daemon.h                             |   34 +-
 src/libcharon/encoding/generator.c                 |    2 +-
 src/libcharon/encoding/message.c                   |   28 +-
 src/libcharon/encoding/message.h                   |    4 +-
 src/libcharon/encoding/parser.c                    |    2 +-
 src/libcharon/encoding/payloads/cert_payload.c     |   18 +
 src/libcharon/encoding/payloads/cert_payload.h     |   14 +-
 src/libcharon/encoding/payloads/certreq_payload.h  |    2 +-
 src/libcharon/encoding/payloads/cp_payload.c       |    2 +-
 src/libcharon/encoding/payloads/cp_payload.h       |    2 +-
 src/libcharon/encoding/payloads/eap_payload.c      |    8 +-
 .../encoding/payloads/encryption_payload.c         |    2 +-
 src/libcharon/encoding/payloads/fragment_payload.c |  225 +
 src/libcharon/encoding/payloads/fragment_payload.h |   94 +
 src/libcharon/encoding/payloads/id_payload.c       |    5 +-
 src/libcharon/encoding/payloads/ike_header.h       |    2 +-
 src/libcharon/encoding/payloads/ke_payload.h       |    2 +-
 src/libcharon/encoding/payloads/notify_payload.h   |    2 +-
 src/libcharon/encoding/payloads/payload.c          |   60 +-
 src/libcharon/encoding/payloads/payload.h          |   17 +-
 .../encoding/payloads/proposal_substructure.c      |   36 +-
 .../encoding/payloads/proposal_substructure.h      |   24 +-
 src/libcharon/encoding/payloads/sa_payload.c       |   10 +-
 src/libcharon/encoding/payloads/sa_payload.h       |   10 +-
 .../payloads/traffic_selector_substructure.c       |    2 +-
 .../payloads/traffic_selector_substructure.h       |    2 +-
 .../encoding/payloads/transform_substructure.c     |    2 +-
 .../encoding/payloads/transform_substructure.h     |    2 +-
 src/libcharon/encoding/payloads/ts_payload.c       |    2 +-
 src/libcharon/encoding/payloads/ts_payload.h       |    2 +-
 src/libcharon/network/receiver.c                   |    3 +-
 src/libcharon/network/receiver.h                   |    4 +-
 src/libcharon/network/sender.c                     |    6 +-
 src/libcharon/network/sender.h                     |    2 +-
 src/libcharon/network/socket.h                     |    4 +-
 src/libcharon/network/socket_manager.c             |    2 +-
 src/libcharon/plugins/addrblock/Makefile.in        |   32 +-
 .../plugins/addrblock/addrblock_validator.c        |    2 +-
 src/libcharon/plugins/android/Makefile.in          |   32 +-
 src/libcharon/plugins/android/android_handler.c    |    3 +-
 src/libcharon/plugins/android/android_service.c    |    6 +-
 src/libcharon/plugins/android_log/Makefile.in      |   32 +-
 src/libcharon/plugins/certexpire/Makefile.in       |   32 +-
 src/libcharon/plugins/certexpire/certexpire_cron.c |    2 +-
 .../plugins/certexpire/certexpire_export.c         |    4 +-
 .../plugins/certexpire/certexpire_export.h         |    2 +-
 src/libcharon/plugins/coupling/Makefile.in         |   32 +-
 src/libcharon/plugins/dhcp/Makefile.in             |   32 +-
 src/libcharon/plugins/dhcp/dhcp_provider.c         |    2 +-
 src/libcharon/plugins/dhcp/dhcp_socket.c           |    2 +-
 src/libcharon/plugins/dhcp/dhcp_transaction.c      |    2 +-
 src/libcharon/plugins/dhcp/dhcp_transaction.h      |    2 +-
 src/libcharon/plugins/duplicheck/Makefile.in       |   34 +-
 .../plugins/duplicheck/duplicheck_listener.c       |    3 +-
 .../plugins/duplicheck/duplicheck_notify.c         |    2 +-
 src/libcharon/plugins/eap_aka/Makefile.in          |   32 +-
 src/libcharon/plugins/eap_aka_3gpp2/Makefile.in    |   32 +-
 src/libcharon/plugins/eap_dynamic/Makefile.in      |   32 +-
 src/libcharon/plugins/eap_gtc/Makefile.in          |   32 +-
 src/libcharon/plugins/eap_identity/Makefile.in     |   32 +-
 src/libcharon/plugins/eap_md5/Makefile.in          |   32 +-
 src/libcharon/plugins/eap_mschapv2/Makefile.in     |   32 +-
 src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c  |    2 +-
 src/libcharon/plugins/eap_peap/Makefile.in         |   32 +-
 src/libcharon/plugins/eap_peap/eap_peap_avp.c      |    4 +-
 src/libcharon/plugins/eap_peap/eap_peap_peer.c     |    2 +-
 src/libcharon/plugins/eap_peap/eap_peap_server.c   |    2 +-
 src/libcharon/plugins/eap_radius/Makefile.in       |   32 +-
 src/libcharon/plugins/eap_radius/eap_radius.c      |   21 +-
 .../plugins/eap_radius/eap_radius_accounting.c     |   25 +-
 .../plugins/eap_radius/eap_radius_forward.c        |    4 +-
 src/libcharon/plugins/eap_sim/Makefile.in          |   32 +-
 src/libcharon/plugins/eap_sim_file/Makefile.in     |   32 +-
 .../plugins/eap_sim_file/eap_sim_file_triplets.c   |    2 +-
 .../plugins/eap_sim_file/eap_sim_file_triplets.h   |    2 +-
 src/libcharon/plugins/eap_sim_pcsc/Makefile.in     |   32 +-
 .../plugins/eap_simaka_pseudonym/Makefile.in       |   32 +-
 .../eap_simaka_pseudonym_card.c                    |    2 +-
 .../eap_simaka_pseudonym_provider.c                |    4 +-
 .../plugins/eap_simaka_reauth/Makefile.in          |   32 +-
 .../eap_simaka_reauth/eap_simaka_reauth_card.c     |    2 +-
 .../eap_simaka_reauth/eap_simaka_reauth_provider.c |    2 +-
 src/libcharon/plugins/eap_simaka_sql/Makefile.in   |   32 +-
 src/libcharon/plugins/eap_tls/Makefile.in          |   32 +-
 src/libcharon/plugins/eap_tnc/Makefile.in          |   32 +-
 src/libcharon/plugins/eap_tnc/eap_tnc.c            |    2 +-
 src/libcharon/plugins/eap_ttls/Makefile.in         |   32 +-
 src/libcharon/plugins/eap_ttls/eap_ttls_avp.c      |    2 +-
 src/libcharon/plugins/eap_ttls/eap_ttls_peer.c     |    2 +-
 src/libcharon/plugins/eap_ttls/eap_ttls_server.c   |    2 +-
 src/libcharon/plugins/error_notify/Makefile.am     |   23 +
 src/libcharon/plugins/error_notify/Makefile.in     |  698 ++
 src/libcharon/plugins/error_notify/error_notify.c  |   62 +
 .../plugins/error_notify/error_notify_listener.c   |  203 +
 .../plugins/error_notify/error_notify_listener.h   |   51 +
 .../plugins/error_notify/error_notify_msg.h        |   66 +
 .../plugins/error_notify/error_notify_plugin.c     |   83 +
 .../plugins/error_notify/error_notify_plugin.h     |   42 +
 .../plugins/error_notify/error_notify_socket.c     |  213 +
 .../plugins/error_notify/error_notify_socket.h     |   59 +
 src/libcharon/plugins/farp/Makefile.in             |   32 +-
 src/libcharon/plugins/farp/farp_listener.c         |    2 +-
 src/libcharon/plugins/farp/farp_listener.h         |    2 +-
 src/libcharon/plugins/ha/Makefile.in               |   32 +-
 src/libcharon/plugins/ha/ha_attribute.c            |    2 +-
 src/libcharon/plugins/ha/ha_cache.c                |    4 +-
 src/libcharon/plugins/ha/ha_cache.h                |    2 +-
 src/libcharon/plugins/ha/ha_message.h              |    2 +-
 src/libcharon/plugins/ha/ha_segments.c             |    2 +-
 src/libcharon/plugins/ha/ha_socket.c               |    2 +-
 src/libcharon/plugins/ha/ha_tunnel.c               |    6 +-
 src/libcharon/plugins/led/Makefile.in              |   32 +-
 src/libcharon/plugins/load_tester/Makefile.am      |    7 +-
 src/libcharon/plugins/load_tester/Makefile.in      |  139 +-
 src/libcharon/plugins/load_tester/load_tester.c    |  104 +
 .../plugins/load_tester/load_tester_config.c       |  353 +-
 .../plugins/load_tester/load_tester_config.h       |    7 +
 .../plugins/load_tester/load_tester_control.c      |  383 ++
 .../plugins/load_tester/load_tester_control.h      |   47 +
 .../plugins/load_tester/load_tester_creds.c        |  163 +-
 .../plugins/load_tester/load_tester_listener.c     |   20 +-
 .../plugins/load_tester/load_tester_listener.h     |    6 +-
 .../plugins/load_tester/load_tester_plugin.c       |   11 +-
 src/libcharon/plugins/lookip/Makefile.am           |   21 +
 src/libcharon/plugins/lookip/Makefile.in           |  693 ++
 src/libcharon/plugins/lookip/lookip.c              |  261 +
 src/libcharon/plugins/lookip/lookip_listener.c     |  327 +
 src/libcharon/plugins/lookip/lookip_listener.h     |   88 +
 src/libcharon/plugins/lookip/lookip_msg.h          |   96 +
 src/libcharon/plugins/lookip/lookip_plugin.c       |   83 +
 src/libcharon/plugins/lookip/lookip_plugin.h       |   42 +
 src/libcharon/plugins/lookip/lookip_socket.c       |  461 ++
 src/libcharon/plugins/lookip/lookip_socket.h       |   44 +
 src/libcharon/plugins/maemo/Makefile.in            |   36 +-
 src/libcharon/plugins/maemo/maemo_service.c        |    6 +-
 src/libcharon/plugins/medcli/Makefile.in           |   32 +-
 src/libcharon/plugins/medcli/medcli_config.c       |   45 +-
 src/libcharon/plugins/medcli/medcli_creds.c        |    2 +-
 src/libcharon/plugins/medsrv/Makefile.in           |   32 +-
 src/libcharon/plugins/medsrv/medsrv_config.c       |   10 +-
 src/libcharon/plugins/medsrv/medsrv_creds.c        |    2 +-
 src/libcharon/plugins/radattr/Makefile.in          |   32 +-
 src/libcharon/plugins/smp/Makefile.in              |   32 +-
 src/libcharon/plugins/socket_default/Makefile.in   |   32 +-
 src/libcharon/plugins/socket_dynamic/Makefile.in   |   32 +-
 .../plugins/socket_dynamic/socket_dynamic_socket.c |    2 +-
 src/libcharon/plugins/sql/Makefile.in              |   32 +-
 src/libcharon/plugins/sql/sql_config.c             |   10 +-
 src/libcharon/plugins/sql/sql_logger.c             |    3 +-
 src/libcharon/plugins/stroke/Makefile.am           |    1 +
 src/libcharon/plugins/stroke/Makefile.in           |   37 +-
 src/libcharon/plugins/stroke/stroke_attribute.c    |    2 +-
 src/libcharon/plugins/stroke/stroke_ca.c           |    2 +-
 src/libcharon/plugins/stroke/stroke_config.c       |   51 +-
 src/libcharon/plugins/stroke/stroke_counter.c      |  254 +
 src/libcharon/plugins/stroke/stroke_counter.h      |  104 +
 src/libcharon/plugins/stroke/stroke_cred.c         |  241 +-
 src/libcharon/plugins/stroke/stroke_cred.h         |    2 +-
 src/libcharon/plugins/stroke/stroke_handler.c      |    2 +-
 src/libcharon/plugins/stroke/stroke_list.c         |    2 +-
 src/libcharon/plugins/stroke/stroke_socket.c       |   35 +-
 src/libcharon/plugins/tnc_ifmap/Makefile.in        |   32 +-
 .../plugins/tnc_ifmap/tnc_ifmap_listener.c         |    2 +-
 src/libcharon/plugins/tnc_ifmap/tnc_ifmap_soap.c   |    8 +-
 src/libcharon/plugins/tnc_ifmap/tnc_ifmap_soap.h   |    8 +-
 src/libcharon/plugins/tnc_imc/Makefile.in          |   32 +-
 src/libcharon/plugins/tnc_imc/tnc_imc.c            |  102 +-
 src/libcharon/plugins/tnc_imc/tnc_imc.h            |   26 +-
 .../plugins/tnc_imc/tnc_imc_bind_function.c        |    2 +-
 src/libcharon/plugins/tnc_imc/tnc_imc_manager.c    |  113 +-
 src/libcharon/plugins/tnc_imv/Makefile.in          |   32 +-
 src/libcharon/plugins/tnc_imv/tnc_imv.c            |   82 +-
 src/libcharon/plugins/tnc_imv/tnc_imv.h            |   26 +-
 .../plugins/tnc_imv/tnc_imv_bind_function.c        |    2 +-
 src/libcharon/plugins/tnc_imv/tnc_imv_manager.c    |  116 +-
 .../plugins/tnc_imv/tnc_imv_recommendations.c      |    4 +-
 .../plugins/tnc_imv/tnc_imv_recommendations.h      |    2 +-
 src/libcharon/plugins/tnc_pdp/Makefile.in          |   32 +-
 src/libcharon/plugins/tnc_pdp/tnc_pdp.c            |    2 +-
 .../plugins/tnc_pdp/tnc_pdp_connections.c          |    4 +-
 src/libcharon/plugins/tnc_tnccs/Makefile.in        |   32 +-
 .../plugins/tnc_tnccs/tnc_tnccs_manager.c          |   12 +-
 src/libcharon/plugins/tnc_tnccs/tnc_tnccs_plugin.c |    2 +-
 src/libcharon/plugins/tnccs_11/Makefile.in         |   32 +-
 src/libcharon/plugins/tnccs_11/batch/tnccs_batch.c |    4 +-
 .../plugins/tnccs_11/messages/imc_imv_msg.c        |    2 +-
 .../plugins/tnccs_11/messages/tnccs_error_msg.c    |    4 +-
 .../plugins/tnccs_11/messages/tnccs_msg.c          |    2 +-
 .../plugins/tnccs_11/messages/tnccs_msg.h          |    2 +-
 .../messages/tnccs_preferred_language_msg.c        |    2 +-
 .../tnccs_11/messages/tnccs_reason_strings_msg.c   |    2 +-
 .../tnccs_11/messages/tnccs_recommendation_msg.c   |    2 +-
 .../messages/tnccs_tncs_contact_info_msg.c         |    2 +-
 src/libcharon/plugins/tnccs_11/tnccs_11.c          |    2 +-
 src/libcharon/plugins/tnccs_20/Makefile.in         |   32 +-
 .../plugins/tnccs_20/batch/pb_tnc_batch.c          |   14 +-
 .../messages/pb_access_recommendation_msg.c        |    4 +-
 .../tnccs_20/messages/pb_assessment_result_msg.c   |    4 +-
 .../plugins/tnccs_20/messages/pb_error_msg.c       |    4 +-
 .../tnccs_20/messages/pb_language_preference_msg.c |    2 +-
 .../plugins/tnccs_20/messages/pb_pa_msg.c          |    2 +-
 .../tnccs_20/messages/pb_reason_string_msg.c       |    2 +-
 .../messages/pb_remediation_parameters_msg.c       |    2 +-
 .../plugins/tnccs_20/messages/pb_tnc_msg.h         |    2 +-
 .../tnccs_20/state_machine/pb_tnc_state_machine.c  |    2 +-
 src/libcharon/plugins/tnccs_20/tnccs_20.c          |   55 +-
 src/libcharon/plugins/tnccs_dynamic/Makefile.in    |   32 +-
 .../plugins/tnccs_dynamic/tnccs_dynamic.c          |    4 +-
 src/libcharon/plugins/uci/Makefile.in              |   32 +-
 src/libcharon/plugins/uci/uci_config.c             |   42 +-
 src/libcharon/plugins/uci/uci_parser.h             |    2 +-
 src/libcharon/plugins/unit_tester/Makefile.in      |   32 +-
 .../plugins/unit_tester/tests/test_enumerator.c    |    2 +-
 .../plugins/unit_tester/tests/test_hashtable.c     |    2 +-
 .../plugins/unit_tester/tests/test_med_db.c        |    2 +-
 .../plugins/unit_tester/tests/test_mysql.c         |    2 +-
 .../plugins/unit_tester/tests/test_sqlite.c        |    2 +-
 src/libcharon/plugins/unity/Makefile.in            |   32 +-
 src/libcharon/plugins/unity/unity_handler.c        |    6 +-
 src/libcharon/plugins/unity/unity_provider.c       |   37 +-
 src/libcharon/plugins/updown/Makefile.in           |   32 +-
 src/libcharon/plugins/updown/updown_handler.c      |    2 +-
 src/libcharon/plugins/updown/updown_listener.c     |   22 +-
 src/libcharon/plugins/whitelist/Makefile.in        |   34 +-
 .../plugins/whitelist/whitelist_listener.c         |    2 +-
 src/libcharon/plugins/xauth_eap/Makefile.in        |   32 +-
 src/libcharon/plugins/xauth_generic/Makefile.in    |   32 +-
 src/libcharon/plugins/xauth_pam/Makefile.in        |   32 +-
 src/libcharon/processing/jobs/delete_ike_sa_job.c  |    1 +
 src/libcharon/processing/jobs/dpd_timeout_job.c    |    1 +
 src/libcharon/processing/jobs/mediation_job.h      |    2 +-
 src/libcharon/processing/jobs/migrate_job.h        |    2 +-
 .../processing/jobs/process_message_job.c          |    5 +-
 src/libcharon/processing/jobs/update_sa_job.h      |    2 +-
 src/libcharon/sa/child_sa.c                        |   11 +-
 src/libcharon/sa/eap/eap_manager.c                 |    2 +-
 src/libcharon/sa/ike_sa.c                          |   43 +-
 src/libcharon/sa/ike_sa.h                          |   17 +-
 src/libcharon/sa/ike_sa_manager.c                  |   95 +-
 src/libcharon/sa/ikev1/keymat_v1.c                 |    2 +-
 src/libcharon/sa/ikev1/phase1.c                    |    4 +-
 src/libcharon/sa/ikev1/task_manager_v1.c           |  355 +-
 src/libcharon/sa/ikev1/tasks/aggressive_mode.c     |    6 +-
 src/libcharon/sa/ikev1/tasks/isakmp_cert_pre.c     |  155 +-
 src/libcharon/sa/ikev1/tasks/isakmp_natd.c         |   41 +-
 src/libcharon/sa/ikev1/tasks/isakmp_vendor.c       |  174 +-
 src/libcharon/sa/ikev1/tasks/main_mode.c           |    6 +-
 src/libcharon/sa/ikev1/tasks/quick_mode.c          |  103 +-
 src/libcharon/sa/ikev2/connect_manager.c           |    2 +-
 src/libcharon/sa/ikev2/mediation_manager.c         |    2 +-
 src/libcharon/sa/ikev2/task_manager_v2.c           |   25 +-
 src/libcharon/sa/ikev2/tasks/child_create.c        |   11 +-
 src/libcharon/sa/ikev2/tasks/ike_auth.c            |   19 +-
 src/libcharon/sa/ikev2/tasks/ike_cert_pre.c        |  253 +-
 src/libcharon/sa/ikev2/tasks/ike_config.c          |    2 +
 src/libcharon/sa/ikev2/tasks/ike_init.c            |    7 +-
 src/libcharon/sa/ikev2/tasks/ike_mobike.h          |    2 +-
 src/libcharon/sa/shunt_manager.c                   |    2 +-
 src/libcharon/sa/shunt_manager.h                   |    2 +-
 src/libcharon/sa/trap_manager.c                    |   82 +-
 src/libcharon/sa/trap_manager.h                    |    2 +-
 src/libcharon/sa/xauth/xauth_manager.c             |    2 +-
 src/libfast/Makefile.in                            |   36 +-
 src/libfast/dispatcher.c                           |    6 +-
 src/libfast/request.c                              |    2 +-
 src/libfast/session.c                              |    2 +-
 src/libfast/smtp.c                                 |    2 +-
 src/libhydra/Makefile.in                           |   32 +-
 src/libhydra/attributes/attribute_handler.h        |    4 +-
 src/libhydra/attributes/attribute_manager.c        |    4 +-
 src/libhydra/attributes/attribute_provider.h       |    4 +-
 src/libhydra/attributes/attributes.h               |    2 +-
 src/libhydra/attributes/mem_pool.c                 |    6 +-
 src/libhydra/attributes/mem_pool.h                 |    2 +-
 src/libhydra/hydra.c                               |   32 +-
 src/libhydra/hydra.h                               |    3 +
 src/libhydra/kernel/kernel_interface.c             |   13 +-
 src/libhydra/kernel/kernel_interface.h             |   15 +-
 src/libhydra/kernel/kernel_ipsec.h                 |    2 +-
 src/libhydra/kernel/kernel_listener.h              |    2 +-
 src/libhydra/kernel/kernel_net.h                   |   17 +-
 src/libhydra/plugins/attr/Makefile.in              |   32 +-
 src/libhydra/plugins/attr/attr_provider.c          |    4 +-
 src/libhydra/plugins/attr_sql/Makefile.in          |   34 +-
 src/libhydra/plugins/attr_sql/attr_sql_plugin.c    |    2 +-
 src/libhydra/plugins/attr_sql/pool.c               |    4 +-
 src/libhydra/plugins/attr_sql/pool_attributes.c    |    2 +-
 src/libhydra/plugins/attr_sql/sql_attribute.c      |    2 +-
 src/libhydra/plugins/kernel_klips/Makefile.in      |   32 +-
 .../plugins/kernel_klips/kernel_klips_ipsec.c      |    4 +-
 src/libhydra/plugins/kernel_netlink/Makefile.in    |   32 +-
 .../plugins/kernel_netlink/kernel_netlink_ipsec.c  |   47 +-
 .../plugins/kernel_netlink/kernel_netlink_net.c    |   83 +-
 .../plugins/kernel_netlink/kernel_netlink_shared.c |    2 +-
 src/libhydra/plugins/kernel_pfkey/Makefile.in      |   32 +-
 .../plugins/kernel_pfkey/kernel_pfkey_ipsec.c      |    8 +-
 src/libhydra/plugins/kernel_pfroute/Makefile.in    |   32 +-
 .../plugins/kernel_pfroute/kernel_pfroute_net.c    |   21 +-
 src/libhydra/plugins/resolve/Makefile.in           |   32 +-
 src/libhydra/plugins/resolve/resolve_handler.c     |    2 +-
 src/libimcv/Makefile.am                            |   30 +-
 src/libimcv/Makefile.in                            |  224 +-
 src/libimcv/ietf/ietf_attr.c                       |   32 +-
 src/libimcv/ietf/ietf_attr_assess_result.c         |    4 +-
 src/libimcv/ietf/ietf_attr_attr_request.c          |   14 +-
 src/libimcv/ietf/ietf_attr_attr_request.h          |    2 +-
 src/libimcv/ietf/ietf_attr_default_pwd_enabled.c   |  222 +
 src/libimcv/ietf/ietf_attr_default_pwd_enabled.h   |   63 +
 src/libimcv/ietf/ietf_attr_fwd_enabled.c           |  221 +
 src/libimcv/ietf/ietf_attr_fwd_enabled.h           |   64 +
 src/libimcv/ietf/ietf_attr_installed_packages.c    |  335 +
 src/libimcv/ietf/ietf_attr_installed_packages.h    |   73 +
 src/libimcv/ietf/ietf_attr_numeric_version.c       |  282 +
 src/libimcv/ietf/ietf_attr_numeric_version.h       |   84 +
 src/libimcv/ietf/ietf_attr_op_status.c             |  314 +
 src/libimcv/ietf/ietf_attr_op_status.h             |  107 +
 src/libimcv/ietf/ietf_attr_pa_tnc_error.c          |   10 +-
 src/libimcv/ietf/ietf_attr_pa_tnc_error.h          |    7 -
 src/libimcv/ietf/ietf_attr_port_filter.c           |   16 +-
 src/libimcv/ietf/ietf_attr_product_info.c          |   30 +-
 src/libimcv/ietf/ietf_attr_product_info.h          |    6 +-
 src/libimcv/ietf/ietf_attr_remediation_instr.c     |  363 ++
 src/libimcv/ietf/ietf_attr_remediation_instr.h     |  109 +
 src/libimcv/ietf/ietf_attr_string_version.c        |  300 +
 src/libimcv/ietf/ietf_attr_string_version.h        |   67 +
 src/libimcv/imc/imc_agent.c                        |  272 +-
 src/libimcv/imc/imc_agent.h                        |   79 +-
 src/libimcv/imc/imc_msg.c                          |  457 ++
 src/libimcv/imc/imc_msg.h                          |  149 +
 src/libimcv/imcv.c                                 |    8 +-
 src/libimcv/imv/imv_agent.c                        |  506 +-
 src/libimcv/imv/imv_agent.h                        |  119 +-
 src/libimcv/imv/imv_lang_string.c                  |   73 +
 src/libimcv/imv/imv_lang_string.h                  |   67 +
 src/libimcv/imv/imv_msg.c                          |  429 ++
 src/libimcv/imv/imv_msg.h                          |  163 +
 src/libimcv/imv/imv_reason_string.c                |   95 +
 src/libimcv/imv/imv_reason_string.h                |   64 +
 src/libimcv/imv/imv_remediation_string.c           |  209 +
 src/libimcv/imv/imv_remediation_string.h           |   72 +
 src/libimcv/imv/imv_state.h                        |   23 +-
 src/libimcv/ita/ita_attr.c                         |   17 +-
 src/libimcv/ita/ita_attr.h                         |    4 +
 src/libimcv/ita/ita_attr_angel.c                   |  159 +
 src/libimcv/ita/ita_attr_angel.h                   |   56 +
 src/libimcv/ita/ita_attr_command.c                 |   11 +-
 src/libimcv/ita/ita_attr_dummy.c                   |    6 +-
 src/libimcv/ita/ita_attr_get_settings.c            |  264 +
 src/libimcv/ita/ita_attr_get_settings.h            |   66 +
 src/libimcv/ita/ita_attr_settings.c                |  326 +
 src/libimcv/ita/ita_attr_settings.h                |   67 +
 src/libimcv/os_info/os_info.c                      |  606 ++
 src/libimcv/os_info/os_info.h                      |  153 +
 src/libimcv/pa_tnc/pa_tnc_attr_manager.c           |    8 +-
 src/libimcv/pa_tnc/pa_tnc_msg.c                    |   38 +-
 src/libimcv/pa_tnc/pa_tnc_msg.h                    |    2 +-
 src/libimcv/plugins/imc_os/Makefile.am             |   15 +
 src/libimcv/plugins/imc_os/Makefile.in             |  620 ++
 src/libimcv/plugins/imc_os/imc_os.c                |  585 ++
 src/libimcv/plugins/imc_os/imc_os_state.c          |  162 +
 src/libimcv/plugins/imc_os/imc_os_state.h          |   48 +
 src/libimcv/plugins/imc_scanner/Makefile.in        |   32 +-
 src/libimcv/plugins/imc_scanner/imc_scanner.c      |  210 +-
 .../plugins/imc_scanner/imc_scanner_state.c        |    6 +-
 src/libimcv/plugins/imc_test/Makefile.in           |   32 +-
 src/libimcv/plugins/imc_test/imc_test.c            |  186 +-
 src/libimcv/plugins/imc_test/imc_test_state.c      |   11 +-
 src/libimcv/plugins/imv_os/Makefile.am             |   24 +
 src/libimcv/plugins/imv_os/Makefile.in             |  684 ++
 src/libimcv/plugins/imv_os/imv_os.c                |  590 ++
 src/libimcv/plugins/imv_os/imv_os_database.c       |  311 +
 src/libimcv/plugins/imv_os/imv_os_database.h       |   80 +
 src/libimcv/plugins/imv_os/imv_os_state.c          |  621 ++
 src/libimcv/plugins/imv_os/imv_os_state.h          |  164 +
 src/libimcv/plugins/imv_os/pacman.c                |  498 ++
 src/libimcv/plugins/imv_os/pacman.sh               |   40 +
 src/libimcv/plugins/imv_scanner/Makefile.in        |   32 +-
 src/libimcv/plugins/imv_scanner/imv_scanner.c      |  194 +-
 .../plugins/imv_scanner/imv_scanner_state.c        |  161 +-
 .../plugins/imv_scanner/imv_scanner_state.h        |    4 +-
 src/libimcv/plugins/imv_test/Makefile.in           |   32 +-
 src/libimcv/plugins/imv_test/imv_test.c            |  177 +-
 src/libimcv/plugins/imv_test/imv_test_state.c      |   88 +-
 src/libipsec/Makefile.in                           |   32 +-
 src/libipsec/esp_context.c                         |    2 +-
 src/libipsec/esp_packet.c                          |    2 +-
 src/libipsec/esp_packet.h                          |    4 +-
 src/libipsec/ip_packet.c                           |    2 +-
 src/libipsec/ip_packet.h                           |    4 +-
 src/libipsec/ipsec.c                               |    2 +-
 src/libipsec/ipsec_event_relay.c                   |    6 +-
 src/libipsec/ipsec_policy.c                        |    2 +-
 src/libipsec/ipsec_policy.h                        |    2 +-
 src/libipsec/ipsec_policy_mgr.c                    |    4 +-
 src/libipsec/ipsec_policy_mgr.h                    |    4 +-
 src/libipsec/ipsec_processor.c                     |    8 +-
 src/libipsec/ipsec_sa.c                            |   18 +-
 src/libipsec/ipsec_sa.h                            |   16 +-
 src/libipsec/ipsec_sa_mgr.c                        |   75 +-
 src/libipsec/ipsec_sa_mgr.h                        |   23 +-
 src/libpts/Makefile.am                             |    8 +-
 src/libpts/Makefile.in                             |   46 +-
 src/libpts/libpts.c                                |    2 +-
 src/libpts/plugins/imc_attestation/Makefile.in     |   32 +-
 .../plugins/imc_attestation/imc_attestation.c      |  166 +-
 .../imc_attestation/imc_attestation_process.c      |   53 +-
 .../imc_attestation/imc_attestation_process.h      |    5 +-
 .../imc_attestation/imc_attestation_state.c        |   14 +-
 src/libpts/plugins/imv_attestation/Makefile.in     |   34 +-
 src/libpts/plugins/imv_attestation/attest.c        |   51 +-
 src/libpts/plugins/imv_attestation/attest_db.c     |  339 +-
 src/libpts/plugins/imv_attestation/attest_db.h     |   47 +-
 src/libpts/plugins/imv_attestation/attest_usage.c  |   31 +-
 .../plugins/imv_attestation/build-database.sh      |    2 +-
 src/libpts/plugins/imv_attestation/data.sql        |    2 +-
 .../plugins/imv_attestation/imv_attestation.c      |  276 +-
 .../imv_attestation/imv_attestation_build.c        |   32 +-
 .../imv_attestation/imv_attestation_build.h        |    6 +-
 .../imv_attestation/imv_attestation_process.c      |   24 +-
 .../imv_attestation/imv_attestation_process.h      |    7 +-
 .../imv_attestation/imv_attestation_state.c        |  164 +-
 .../imv_attestation/imv_attestation_state.h        |   25 +-
 src/libpts/plugins/imv_attestation/tables.sql      |   51 +
 src/libpts/pts/components/ita/ita_comp_ima.c       |   16 +-
 src/libpts/pts/components/ita/ita_comp_tboot.c     |    8 +-
 src/libpts/pts/components/ita/ita_comp_tgrub.c     |    8 +-
 src/libpts/pts/components/pts_comp_evidence.c      |    4 +-
 src/libpts/pts/components/pts_comp_func_name.c     |    2 +-
 src/libpts/pts/components/pts_component_manager.c  |   10 +-
 src/libpts/pts/pts.c                               |  198 +-
 src/libpts/pts/pts.h                               |    7 +-
 src/libpts/pts/pts_creds.c                         |    2 +-
 src/libpts/pts/pts_database.c                      |   10 +-
 src/libpts/pts/pts_dh_group.c                      |    4 +-
 src/libpts/pts/pts_file_meas.c                     |    8 +-
 src/libpts/pts/pts_file_meta.c                     |    4 +-
 src/libpts/pts/pts_meas_algo.c                     |    4 +-
 src/libpts/pts/pts_pcr.c                           |    2 +-
 src/libpts/tcg/tcg_pts_attr_aik.c                  |    6 +-
 src/libpts/tcg/tcg_pts_attr_dh_nonce_finish.c      |    8 +-
 src/libpts/tcg/tcg_pts_attr_dh_nonce_params_req.c  |    8 +-
 src/libpts/tcg/tcg_pts_attr_dh_nonce_params_resp.c |    8 +-
 src/libpts/tcg/tcg_pts_attr_file_meas.c            |   38 +-
 src/libpts/tcg/tcg_pts_attr_gen_attest_evid.c      |    6 +-
 src/libpts/tcg/tcg_pts_attr_get_aik.c              |    4 +-
 src/libpts/tcg/tcg_pts_attr_get_tpm_version_info.c |    6 +-
 src/libpts/tcg/tcg_pts_attr_meas_algo.c            |    8 +-
 src/libpts/tcg/tcg_pts_attr_proto_caps.c           |    8 +-
 src/libpts/tcg/tcg_pts_attr_req_file_meas.c        |   23 +-
 src/libpts/tcg/tcg_pts_attr_req_file_meta.c        |   27 +-
 src/libpts/tcg/tcg_pts_attr_req_func_comp_evid.c   |   12 +-
 src/libpts/tcg/tcg_pts_attr_simple_comp_evid.c     |   36 +-
 src/libpts/tcg/tcg_pts_attr_simple_evid_final.c    |   34 +-
 src/libpts/tcg/tcg_pts_attr_tpm_version_info.c     |    6 +-
 src/libpts/tcg/tcg_pts_attr_unix_file_meta.c       |   28 +-
 src/libradius/Makefile.in                          |   32 +-
 src/libradius/radius_client.c                      |    6 +-
 src/libradius/radius_config.c                      |    2 +-
 src/libradius/radius_message.c                     |    2 +-
 src/libradius/radius_socket.c                      |    2 +-
 src/libradius/radius_socket.h                      |    2 +-
 src/libsimaka/Makefile.in                          |   32 +-
 src/libsimaka/simaka_crypto.c                      |    4 +-
 src/libsimaka/simaka_manager.c                     |    4 +-
 src/libsimaka/simaka_manager.h                     |    2 +-
 src/libsimaka/simaka_message.c                     |    4 +-
 src/libsimaka/simaka_message.h                     |    2 +-
 src/libstrongswan/Android.mk                       |   18 +-
 src/libstrongswan/Makefile.am                      |   49 +-
 src/libstrongswan/Makefile.in                      |  471 +-
 src/libstrongswan/asn1/asn1.c                      |    2 +-
 src/libstrongswan/asn1/asn1_parser.c               |    2 +-
 src/libstrongswan/asn1/oid.c                       |   72 +-
 src/libstrongswan/asn1/oid.h                       |   32 +-
 src/libstrongswan/asn1/oid.txt                     |    2 +
 src/libstrongswan/bio/bio_reader.c                 |    2 +-
 src/libstrongswan/bio/bio_writer.h                 |    7 +-
 src/libstrongswan/chunk.c                          |  690 --
 src/libstrongswan/chunk.h                          |  318 -
 src/libstrongswan/collections/blocking_queue.c     |  129 +
 src/libstrongswan/collections/blocking_queue.h     |   97 +
 src/libstrongswan/collections/enumerator.c         |  560 ++
 src/libstrongswan/collections/enumerator.h         |  159 +
 src/libstrongswan/collections/hashtable.c          |  444 ++
 src/libstrongswan/collections/hashtable.h          |  138 +
 src/libstrongswan/collections/linked_list.c        |  615 ++
 src/libstrongswan/collections/linked_list.h        |  319 +
 src/libstrongswan/credentials/auth_cfg.c           |    4 +-
 src/libstrongswan/credentials/auth_cfg.h           |    2 +-
 src/libstrongswan/credentials/builder.c            |    6 +
 src/libstrongswan/credentials/builder.h            |   14 +-
 .../credentials/certificates/certificate.c         |    2 +-
 src/libstrongswan/credentials/certificates/crl.c   |    2 +-
 .../credentials/certificates/pkcs10.h              |    2 +-
 src/libstrongswan/credentials/certificates/x509.h  |    2 +-
 .../credentials/containers/container.c             |   23 +
 .../credentials/containers/container.h             |   93 +
 src/libstrongswan/credentials/containers/pkcs7.h   |   63 +
 src/libstrongswan/credentials/cred_encoding.c      |    4 +-
 src/libstrongswan/credentials/credential_factory.c |   25 +-
 src/libstrongswan/credentials/credential_factory.h |    5 +
 src/libstrongswan/credentials/credential_manager.c |    4 +-
 src/libstrongswan/credentials/credential_manager.h |    2 +-
 .../credentials/ietf_attributes/ietf_attributes.c  |    2 +-
 src/libstrongswan/credentials/keys/shared_key.h    |    2 +-
 .../credentials/sets/auth_cfg_wrapper.c            |    2 +-
 src/libstrongswan/credentials/sets/cert_cache.c    |    2 +-
 src/libstrongswan/credentials/sets/mem_cred.c      |    2 +-
 src/libstrongswan/credentials/sets/mem_cred.h      |    2 +-
 src/libstrongswan/crypto/aead.c                    |    2 +-
 src/libstrongswan/crypto/crypto_factory.c          |    4 +-
 src/libstrongswan/crypto/crypto_factory.h          |    1 +
 src/libstrongswan/crypto/crypto_tester.c           |    4 +-
 src/libstrongswan/crypto/nonce_gen.h               |    4 +-
 src/libstrongswan/crypto/pkcs7.c                   | 1061 ----
 src/libstrongswan/crypto/pkcs7.h                   |  178 -
 src/libstrongswan/crypto/pkcs9.c                   |  369 --
 src/libstrongswan/crypto/pkcs9.h                   |   92 -
 .../crypto/proposal/proposal_keywords.c            |    2 +-
 .../crypto/proposal/proposal_keywords_static.c     |  198 +-
 .../crypto/proposal/proposal_keywords_static.txt   |    8 +
 src/libstrongswan/crypto/transform.h               |    2 +-
 src/libstrongswan/database/database.h              |    2 +-
 src/libstrongswan/database/database_factory.c      |    2 +-
 src/libstrongswan/debug.c                          |  112 -
 src/libstrongswan/debug.h                          |  154 -
 src/libstrongswan/eap/eap.c                        |    2 +-
 src/libstrongswan/enum.c                           |   79 -
 src/libstrongswan/enum.h                           |  136 -
 src/libstrongswan/fetcher/fetcher.h                |    2 +-
 src/libstrongswan/fetcher/fetcher_manager.c        |    4 +-
 src/libstrongswan/integrity_checker.c              |  321 -
 src/libstrongswan/integrity_checker.h              |  110 -
 src/libstrongswan/library.c                        |   39 +-
 src/libstrongswan/library.h                        |   29 +-
 src/libstrongswan/networking/host.c                |  597 ++
 src/libstrongswan/networking/host.h                |  231 +
 src/libstrongswan/networking/host_resolver.c       |  351 +
 src/libstrongswan/networking/host_resolver.h       |   60 +
 src/libstrongswan/networking/packet.c              |  163 +
 src/libstrongswan/networking/packet.h              |  121 +
 src/libstrongswan/networking/tun_device.c          |  461 ++
 src/libstrongswan/networking/tun_device.h          |  112 +
 src/libstrongswan/pen/pen.c                        |   16 +-
 src/libstrongswan/pen/pen.h                        |    5 +
 src/libstrongswan/plugins/aes/Makefile.in          |   32 +-
 src/libstrongswan/plugins/af_alg/Makefile.in       |   32 +-
 src/libstrongswan/plugins/af_alg/af_alg_ops.c      |    2 +-
 src/libstrongswan/plugins/agent/Makefile.in        |   32 +-
 .../plugins/agent/agent_private_key.c              |    4 +-
 src/libstrongswan/plugins/blowfish/Makefile.in     |   32 +-
 src/libstrongswan/plugins/ccm/Makefile.in          |   32 +-
 src/libstrongswan/plugins/cmac/Makefile.in         |   32 +-
 src/libstrongswan/plugins/cmac/cmac.c              |    2 +-
 src/libstrongswan/plugins/constraints/Makefile.in  |   32 +-
 .../plugins/constraints/constraints_validator.c    |    4 +-
 src/libstrongswan/plugins/ctr/Makefile.in          |   32 +-
 src/libstrongswan/plugins/curl/Makefile.in         |   32 +-
 src/libstrongswan/plugins/curl/curl_fetcher.c      |    2 +-
 src/libstrongswan/plugins/curl/curl_plugin.c       |    2 +-
 src/libstrongswan/plugins/des/Makefile.in          |   32 +-
 src/libstrongswan/plugins/dnskey/Makefile.in       |   32 +-
 src/libstrongswan/plugins/dnskey/dnskey_builder.c  |    2 +-
 src/libstrongswan/plugins/fips_prf/Makefile.in     |   32 +-
 src/libstrongswan/plugins/fips_prf/fips_prf.c      |    2 +-
 src/libstrongswan/plugins/gcm/Makefile.in          |   32 +-
 src/libstrongswan/plugins/gcrypt/Makefile.in       |   32 +-
 src/libstrongswan/plugins/gcrypt/gcrypt_crypter.c  |    2 +-
 src/libstrongswan/plugins/gcrypt/gcrypt_dh.c       |    2 +-
 src/libstrongswan/plugins/gcrypt/gcrypt_hasher.c   |    2 +-
 src/libstrongswan/plugins/gcrypt/gcrypt_plugin.c   |    2 +-
 .../plugins/gcrypt/gcrypt_rsa_private_key.c        |    2 +-
 .../plugins/gcrypt/gcrypt_rsa_public_key.c         |    2 +-
 src/libstrongswan/plugins/gmp/Makefile.in          |   32 +-
 src/libstrongswan/plugins/gmp/gmp_diffie_hellman.c |    2 +-
 .../plugins/gmp/gmp_rsa_private_key.c              |  309 +-
 src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c |    4 +-
 src/libstrongswan/plugins/hmac/Makefile.in         |   32 +-
 src/libstrongswan/plugins/ldap/Makefile.in         |   32 +-
 src/libstrongswan/plugins/ldap/ldap_fetcher.c      |    2 +-
 src/libstrongswan/plugins/md4/Makefile.in          |   32 +-
 src/libstrongswan/plugins/md5/Makefile.in          |   32 +-
 src/libstrongswan/plugins/mysql/Makefile.in        |   32 +-
 src/libstrongswan/plugins/mysql/mysql_database.c   |    6 +-
 src/libstrongswan/plugins/mysql/mysql_plugin.c     |    2 +-
 src/libstrongswan/plugins/nonce/Makefile.in        |   32 +-
 src/libstrongswan/plugins/nonce/nonce_nonceg.c     |    2 +-
 src/libstrongswan/plugins/openssl/Makefile.am      |    1 +
 src/libstrongswan/plugins/openssl/Makefile.in      |   36 +-
 src/libstrongswan/plugins/openssl/openssl_crl.c    |    4 +-
 .../plugins/openssl/openssl_diffie_hellman.c       |    2 +-
 .../plugins/openssl/openssl_ec_diffie_hellman.c    |    2 +-
 .../plugins/openssl/openssl_ec_private_key.c       |    2 +-
 .../plugins/openssl/openssl_ec_public_key.c        |    2 +-
 src/libstrongswan/plugins/openssl/openssl_pkcs7.c  |  790 +++
 src/libstrongswan/plugins/openssl/openssl_pkcs7.h  |   37 +
 src/libstrongswan/plugins/openssl/openssl_plugin.c |    7 +-
 src/libstrongswan/plugins/openssl/openssl_rng.c    |    2 +-
 .../plugins/openssl/openssl_rsa_private_key.c      |    2 +-
 .../plugins/openssl/openssl_rsa_public_key.c       |    2 +-
 src/libstrongswan/plugins/openssl/openssl_util.c   |    2 +-
 src/libstrongswan/plugins/openssl/openssl_x509.c   |    8 +-
 src/libstrongswan/plugins/padlock/Makefile.in      |   32 +-
 src/libstrongswan/plugins/padlock/padlock_plugin.c |    2 +-
 src/libstrongswan/plugins/pem/Makefile.in          |   32 +-
 src/libstrongswan/plugins/pem/pem_builder.c        |    9 +-
 src/libstrongswan/plugins/pgp/Makefile.in          |   32 +-
 src/libstrongswan/plugins/pgp/pgp_builder.c        |    4 +-
 src/libstrongswan/plugins/pgp/pgp_cert.c           |    2 +-
 src/libstrongswan/plugins/pgp/pgp_encoder.c        |    2 +-
 src/libstrongswan/plugins/pgp/pgp_utils.c          |    2 +-
 src/libstrongswan/plugins/pkcs1/Makefile.in        |   32 +-
 src/libstrongswan/plugins/pkcs1/pkcs1_builder.c    |    2 +-
 src/libstrongswan/plugins/pkcs1/pkcs1_encoder.c    |    2 +-
 src/libstrongswan/plugins/pkcs11/Makefile.in       |   32 +-
 src/libstrongswan/plugins/pkcs11/pkcs11_creds.c    |  114 +-
 src/libstrongswan/plugins/pkcs11/pkcs11_creds.h    |   12 +
 src/libstrongswan/plugins/pkcs11/pkcs11_dh.c       |    2 +-
 src/libstrongswan/plugins/pkcs11/pkcs11_hasher.c   |    2 +-
 src/libstrongswan/plugins/pkcs11/pkcs11_library.c  |    7 +-
 src/libstrongswan/plugins/pkcs11/pkcs11_library.h  |    8 +-
 src/libstrongswan/plugins/pkcs11/pkcs11_manager.c  |    4 +-
 src/libstrongswan/plugins/pkcs11/pkcs11_plugin.c   |   42 +-
 .../plugins/pkcs11/pkcs11_private_key.c            |   78 +-
 .../plugins/pkcs11/pkcs11_public_key.c             |   20 +-
 .../plugins/pkcs11/pkcs11_public_key.h             |   13 +
 src/libstrongswan/plugins/pkcs11/pkcs11_rng.c      |    2 +-
 src/libstrongswan/plugins/pkcs7/Makefile.am        |   20 +
 src/libstrongswan/plugins/pkcs7/Makefile.in        |  641 ++
 src/libstrongswan/plugins/pkcs7/pkcs7_attributes.c |  273 +
 src/libstrongswan/plugins/pkcs7/pkcs7_attributes.h |   79 +
 src/libstrongswan/plugins/pkcs7/pkcs7_data.c       |  156 +
 src/libstrongswan/plugins/pkcs7/pkcs7_data.h       |   46 +
 .../plugins/pkcs7/pkcs7_enveloped_data.c           |  613 ++
 .../plugins/pkcs7/pkcs7_enveloped_data.h           |   44 +
 src/libstrongswan/plugins/pkcs7/pkcs7_generic.c    |  126 +
 src/libstrongswan/plugins/pkcs7/pkcs7_generic.h    |   38 +
 src/libstrongswan/plugins/pkcs7/pkcs7_plugin.c     |   84 +
 src/libstrongswan/plugins/pkcs7/pkcs7_plugin.h     |   42 +
 .../plugins/pkcs7/pkcs7_signed_data.c              |  678 ++
 .../plugins/pkcs7/pkcs7_signed_data.h              |   44 +
 src/libstrongswan/plugins/pkcs8/Makefile.in        |   32 +-
 src/libstrongswan/plugins/pkcs8/pkcs8_builder.c    |    2 +-
 src/libstrongswan/plugins/plugin_feature.c         |   27 +-
 src/libstrongswan/plugins/plugin_feature.h         |   11 +
 src/libstrongswan/plugins/plugin_loader.c          |    8 +-
 src/libstrongswan/plugins/plugin_loader.h          |    2 +-
 src/libstrongswan/plugins/pubkey/Makefile.in       |   32 +-
 src/libstrongswan/plugins/pubkey/pubkey_cert.c     |    2 +-
 src/libstrongswan/plugins/random/Makefile.in       |   32 +-
 src/libstrongswan/plugins/random/random_plugin.c   |    2 +-
 src/libstrongswan/plugins/random/random_rng.c      |    2 +-
 src/libstrongswan/plugins/rdrand/Makefile.am       |   16 +
 src/libstrongswan/plugins/rdrand/Makefile.in       |  632 ++
 src/libstrongswan/plugins/rdrand/rdrand_plugin.c   |  137 +
 src/libstrongswan/plugins/rdrand/rdrand_plugin.h   |   42 +
 src/libstrongswan/plugins/rdrand/rdrand_rng.c      |  442 ++
 src/libstrongswan/plugins/rdrand/rdrand_rng.h      |   47 +
 src/libstrongswan/plugins/revocation/Makefile.in   |   32 +-
 .../plugins/revocation/revocation_validator.c      |    2 +-
 src/libstrongswan/plugins/sha1/Makefile.in         |   32 +-
 src/libstrongswan/plugins/sha2/Makefile.in         |   32 +-
 src/libstrongswan/plugins/soup/Makefile.in         |   32 +-
 src/libstrongswan/plugins/soup/soup_fetcher.c      |    2 +-
 src/libstrongswan/plugins/soup/soup_plugin.c       |    3 +
 src/libstrongswan/plugins/sqlite/Makefile.in       |   32 +-
 src/libstrongswan/plugins/sqlite/sqlite_database.c |    7 +-
 src/libstrongswan/plugins/test_vectors/Makefile.in |   32 +-
 .../plugins/test_vectors/test_vectors/rng.c        |    2 +-
 src/libstrongswan/plugins/x509/Makefile.in         |   32 +-
 src/libstrongswan/plugins/x509/x509_ac.c           |    4 +-
 src/libstrongswan/plugins/x509/x509_cert.c         |    8 +-
 src/libstrongswan/plugins/x509/x509_crl.c          |    4 +-
 src/libstrongswan/plugins/x509/x509_ocsp_request.c |    4 +-
 .../plugins/x509/x509_ocsp_response.c              |    4 +-
 src/libstrongswan/plugins/x509/x509_pkcs10.c       |    4 +-
 src/libstrongswan/plugins/xcbc/Makefile.in         |   32 +-
 src/libstrongswan/plugins/xcbc/xcbc.c              |    2 +-
 src/libstrongswan/printf_hook.c                    |  511 --
 src/libstrongswan/printf_hook.h                    |  247 -
 src/libstrongswan/processing/jobs/callback_job.c   |    2 +-
 src/libstrongswan/processing/processor.c           |    4 +-
 src/libstrongswan/processing/scheduler.c           |    2 +-
 src/libstrongswan/selectors/traffic_selector.c     |   21 +-
 src/libstrongswan/selectors/traffic_selector.h     |   15 +-
 src/libstrongswan/settings.c                       | 1227 ----
 src/libstrongswan/settings.h                       |  313 -
 src/libstrongswan/threading/mutex.c                |   10 +-
 src/libstrongswan/threading/rwlock.c               |    9 +-
 src/libstrongswan/threading/spinlock.c             |   24 +-
 src/libstrongswan/threading/thread.c               |    4 +-
 src/libstrongswan/utils.c                          |  571 --
 src/libstrongswan/utils.h                          |  683 --
 src/libstrongswan/utils/backtrace.c                |    2 +-
 src/libstrongswan/utils/blocking_queue.c           |  129 -
 src/libstrongswan/utils/blocking_queue.h           |   97 -
 src/libstrongswan/utils/capabilities.c             |    2 +-
 src/libstrongswan/utils/chunk.c                    |  690 ++
 src/libstrongswan/utils/chunk.h                    |  318 +
 src/libstrongswan/utils/debug.c                    |  112 +
 src/libstrongswan/utils/debug.h                    |  154 +
 src/libstrongswan/utils/enum.c                     |   81 +
 src/libstrongswan/utils/enum.h                     |  136 +
 src/libstrongswan/utils/enumerator.c               |  560 --
 src/libstrongswan/utils/enumerator.h               |  159 -
 src/libstrongswan/utils/hashtable.c                |  444 --
 src/libstrongswan/utils/hashtable.h                |  138 -
 src/libstrongswan/utils/host.c                     |  616 --
 src/libstrongswan/utils/host.h                     |  220 -
 src/libstrongswan/utils/identification.h           |    4 +-
 src/libstrongswan/utils/integrity_checker.c        |  321 +
 src/libstrongswan/utils/integrity_checker.h        |  110 +
 src/libstrongswan/utils/leak_detective.c           |    4 +-
 src/libstrongswan/utils/linked_list.c              |  615 --
 src/libstrongswan/utils/linked_list.h              |  319 -
 src/libstrongswan/utils/optionsfrom.c              |   16 +-
 src/libstrongswan/utils/packet.c                   |  163 -
 src/libstrongswan/utils/packet.h                   |  121 -
 src/libstrongswan/utils/printf_hook.c              |  511 ++
 src/libstrongswan/utils/printf_hook.h              |  247 +
 src/libstrongswan/utils/settings.c                 | 1227 ++++
 src/libstrongswan/utils/settings.h                 |  313 +
 src/libstrongswan/utils/tun_device.c               |  461 --
 src/libstrongswan/utils/tun_device.h               |  112 -
 src/libstrongswan/utils/utils.c                    |  570 ++
 src/libstrongswan/utils/utils.h                    |  699 ++
 src/libtls/Makefile.in                             |   36 +-
 src/libtls/tls.c                                   |    2 +-
 src/libtls/tls_alert.c                             |    4 +-
 src/libtls/tls_cache.c                             |    6 +-
 src/libtls/tls_crypto.c                            |    3 +-
 src/libtls/tls_eap.c                               |    2 +-
 src/libtls/tls_fragmentation.c                     |    2 +-
 src/libtls/tls_peer.c                              |    3 +-
 src/libtls/tls_protection.c                        |    2 +-
 src/libtls/tls_server.c                            |    2 +-
 src/libtls/tls_socket.c                            |    2 +-
 src/libtnccs/Makefile.in                           |   32 +-
 src/libtnccs/tnc/imc/imc_manager.h                 |   26 +-
 src/libtnccs/tnc/imv/imv_manager.h                 |   25 +-
 src/libtnccs/tnc/tnc.c                             |   52 +-
 src/libtnccs/tnc/tnccs/tnccs_manager.c             |    2 +-
 src/libtncif/Makefile.in                           |   26 +-
 src/libtncif/tncif_pa_subtypes.c                   |    7 +-
 src/libtncif/tncif_pa_subtypes.h                   |    1 -
 src/manager/Makefile.in                            |   60 +-
 src/manager/gateway.h                              |    4 +-
 src/manager/main.c                                 |    2 +-
 src/manager/manager.c                              |    2 +-
 src/manager/storage.h                              |    2 +-
 src/manager/xml.h                                  |    2 +-
 src/medsrv/Makefile.in                             |   48 +-
 src/medsrv/controller/peer_controller.c            |    2 +-
 src/medsrv/filter/auth_filter.c                    |    2 +-
 src/medsrv/main.c                                  |    2 +-
 src/openac/Makefile.in                             |   36 +-
 src/openac/openac.c                                |    2 +-
 src/pki/Makefile.am                                |    1 +
 src/pki/Makefile.in                                |   44 +-
 src/pki/command.c                                  |    2 +-
 src/pki/commands/gen.c                             |   57 +-
 src/pki/commands/issue.c                           |    4 +-
 src/pki/commands/pkcs7.c                           |  462 ++
 src/pki/commands/req.c                             |    2 +-
 src/pki/commands/self.c                            |    2 +-
 src/pki/commands/signcrl.c                         |    4 +-
 src/pki/pki.c                                      |    2 +-
 src/scepclient/Makefile.in                         |   36 +-
 src/scepclient/scep.c                              |  198 +-
 src/scepclient/scep.h                              |    7 +-
 src/scepclient/scepclient.c                        |  116 +-
 src/starter/Makefile.in                            |   40 +-
 src/starter/args.c                                 |   10 +-
 src/starter/confread.c                             |    4 +-
 src/starter/confread.h                             |   10 +-
 src/starter/invokecharon.c                         |    2 +-
 src/starter/keywords.c                             |  302 +-
 src/starter/keywords.h                             |    1 +
 src/starter/keywords.txt                           |    1 +
 src/starter/klips.c                                |    2 +-
 src/starter/netkey.c                               |    2 +-
 src/starter/parser.c                               |  471 +-
 src/starter/parser.h                               |   14 +-
 src/starter/parser.y                               |    2 +-
 src/starter/starter.c                              |   15 +-
 src/starter/starterstroke.c                        |   13 +-
 src/starter/starterstroke.h                        |    1 +
 src/stroke/Makefile.in                             |   26 +-
 src/stroke/stroke.c                                |   10 +-
 src/stroke/stroke_keywords.c                       |  101 +-
 src/stroke/stroke_keywords.h                       |    1 +
 src/stroke/stroke_keywords.txt                     |    1 +
 src/stroke/stroke_msg.h                            |    5 +-
 testing/INSTALL                                    |  145 -
 testing/Makefile.am                                |   13 +-
 testing/Makefile.in                                |   45 +-
 testing/README                                     |  170 +-
 testing/config/kernel/config-3.5                   | 1817 ++++++
 testing/config/kernel/config-3.6                   | 1830 ++++++
 testing/config/kvm/alice.xml                       |   70 +
 testing/config/kvm/bob.xml                         |   64 +
 testing/config/kvm/carol.xml                       |   64 +
 testing/config/kvm/dave.xml                        |   64 +
 testing/config/kvm/moon.xml                        |   70 +
 testing/config/kvm/sun.xml                         |   70 +
 testing/config/kvm/venus.xml                       |   64 +
 testing/config/kvm/vnet1.xml                       |   11 +
 testing/config/kvm/vnet2.xml                       |   11 +
 testing/config/kvm/vnet3.xml                       |   11 +
 testing/config/kvm/winnetou.xml                    |   64 +
 testing/do-tests                                   |  791 +++
 testing/do-tests.in                                |  799 ---
 testing/hosts/alice/etc/conf.d/hostname            |    1 -
 testing/hosts/alice/etc/conf.d/net                 |   12 -
 testing/hosts/alice/etc/freeradius/clients.conf    |    4 +
 testing/hosts/alice/etc/freeradius/dictionary      |   32 +
 testing/hosts/alice/etc/freeradius/radiusd.conf    |  120 +
 testing/hosts/alice/etc/hostname                   |    1 +
 testing/hosts/alice/etc/init.d/iptables            |   74 -
 testing/hosts/alice/etc/init.d/net.eth0            | 1124 ----
 testing/hosts/alice/etc/init.d/net.eth1            | 1124 ----
 testing/hosts/alice/etc/init.d/radiusd             |   64 -
 testing/hosts/alice/etc/ipsec.conf                 |    2 +-
 testing/hosts/alice/etc/network/interfaces         |   20 +
 testing/hosts/alice/etc/runlevels/default/net.eth0 | 1124 ----
 testing/hosts/bob/etc/conf.d/hostname              |    1 -
 testing/hosts/bob/etc/conf.d/net                   |   10 -
 testing/hosts/bob/etc/hostname                     |    1 +
 testing/hosts/bob/etc/init.d/iptables              |   74 -
 testing/hosts/bob/etc/init.d/net.eth0              | 1124 ----
 testing/hosts/bob/etc/ipsec.conf                   |    0
 testing/hosts/bob/etc/network/interfaces           |   12 +
 testing/hosts/bob/etc/runlevels/default/net.eth0   | 1124 ----
 testing/hosts/carol/etc/conf.d/hostname            |    1 -
 testing/hosts/carol/etc/conf.d/net                 |   10 -
 testing/hosts/carol/etc/hostname                   |    1 +
 testing/hosts/carol/etc/init.d/iptables            |   77 -
 testing/hosts/carol/etc/init.d/net.eth0            | 1124 ----
 testing/hosts/carol/etc/ipsec.conf                 |    4 +-
 testing/hosts/carol/etc/network/interfaces         |   12 +
 testing/hosts/carol/etc/runlevels/default/net.eth0 | 1124 ----
 testing/hosts/dave/etc/conf.d/hostname             |    1 -
 testing/hosts/dave/etc/conf.d/net                  |   10 -
 testing/hosts/dave/etc/hostname                    |    1 +
 testing/hosts/dave/etc/init.d/iptables             |   77 -
 testing/hosts/dave/etc/init.d/net.eth0             | 1124 ----
 testing/hosts/dave/etc/ipsec.conf                  |    4 +-
 testing/hosts/dave/etc/network/interfaces          |   12 +
 testing/hosts/dave/etc/runlevels/default/net.eth0  | 1124 ----
 testing/hosts/default/etc/default/slapd            |   45 +
 testing/hosts/default/etc/fstab                    |    1 +
 testing/hosts/default/etc/ip6tables.flush          |   15 +
 testing/hosts/default/etc/ip6tables.rules          |   39 +
 testing/hosts/default/etc/iptables.drop            |   12 +
 testing/hosts/default/etc/iptables.flush           |   21 +
 testing/hosts/default/etc/iptables.rules           |   28 +
 testing/hosts/default/etc/profile.d/coredumps.sh   |    5 +
 testing/hosts/default/etc/rsyslog.conf             |  125 +
 testing/hosts/default/etc/security/limits.conf     |   58 +
 testing/hosts/default/etc/ssh/sshd_config          |   13 +
 testing/hosts/default/etc/sysctl.conf              |   62 +
 testing/hosts/default/root/.ssh/config             |    3 +
 .../hosts/default/usr/local/bin/expect-connection  |   27 +
 testing/hosts/moon/etc/conf.d/hostname             |    1 -
 testing/hosts/moon/etc/conf.d/net                  |   12 -
 testing/hosts/moon/etc/hostname                    |    1 +
 testing/hosts/moon/etc/init.d/iptables             |   80 -
 testing/hosts/moon/etc/init.d/net.eth0             | 1124 ----
 testing/hosts/moon/etc/init.d/net.eth1             | 1124 ----
 testing/hosts/moon/etc/ipsec.conf                  |    8 +-
 testing/hosts/moon/etc/network/interfaces          |   21 +
 testing/hosts/moon/etc/rc.local                    |   20 +
 testing/hosts/moon/etc/runlevels/default/net.eth0  | 1124 ----
 testing/hosts/moon/etc/runlevels/default/net.eth1  | 1124 ----
 testing/hosts/ssh_host_rsa_key.pub                 |    1 -
 testing/hosts/sun/etc/conf.d/hostname              |    1 -
 testing/hosts/sun/etc/conf.d/net                   |   14 -
 testing/hosts/sun/etc/hostname                     |    1 +
 testing/hosts/sun/etc/init.d/iptables              |   80 -
 testing/hosts/sun/etc/init.d/net.eth0              | 1124 ----
 testing/hosts/sun/etc/init.d/net.eth1              | 1124 ----
 testing/hosts/sun/etc/ipsec.conf                   |    6 +-
 testing/hosts/sun/etc/network/interfaces           |   21 +
 testing/hosts/sun/etc/runlevels/default/net.eth0   | 1124 ----
 testing/hosts/sun/etc/runlevels/default/net.eth1   | 1124 ----
 testing/hosts/venus/etc/conf.d/hostname            |    1 -
 testing/hosts/venus/etc/conf.d/net                 |   10 -
 testing/hosts/venus/etc/hostname                   |    1 +
 testing/hosts/venus/etc/init.d/iptables            |   74 -
 testing/hosts/venus/etc/init.d/net.eth0            | 1124 ----
 testing/hosts/venus/etc/ipsec.conf                 |    2 +-
 testing/hosts/venus/etc/network/interfaces         |   12 +
 testing/hosts/venus/etc/runlevels/default/net.eth0 | 1124 ----
 .../etc/apache2/conf.d/testresults-as-text         |    1 +
 testing/hosts/winnetou/etc/apache2/conf/ssl/ca.crt |   22 -
 .../hosts/winnetou/etc/apache2/conf/ssl/server.crt |   24 -
 .../hosts/winnetou/etc/apache2/conf/ssl/server.key |   27 -
 .../etc/apache2/modules.d/00_mod_mime.conf         |   61 -
 .../etc/apache2/sites-enabled/001-ocsp_vhost       |   54 +
 .../etc/apache2/vhosts.d/01_ocsp_vhost.conf        |   52 -
 testing/hosts/winnetou/etc/conf.d/hostname         |    1 -
 testing/hosts/winnetou/etc/conf.d/net              |   10 -
 testing/hosts/winnetou/etc/conf.d/slapd            |    8 -
 testing/hosts/winnetou/etc/init.d/apache2          |  121 -
 testing/hosts/winnetou/etc/init.d/net.eth0         | 1124 ----
 testing/hosts/winnetou/etc/init.d/slapd            |   25 -
 testing/hosts/winnetou/etc/ldap/ldif.txt           |   39 +
 testing/hosts/winnetou/etc/ldap/slapd.conf         |   23 +
 testing/hosts/winnetou/etc/network/interfaces      |   12 +
 testing/hosts/winnetou/etc/openldap/ldif.txt       |   40 -
 testing/hosts/winnetou/etc/openldap/slapd.conf     |   68 -
 testing/hosts/winnetou/etc/openssl/generate-crl    |   18 +-
 testing/hosts/winnetou/etc/openssl/index.html      |    4 +-
 testing/hosts/winnetou/etc/openssl/ocsp/ocsp.cgi   |    8 +-
 .../winnetou/etc/openssl/research/ocsp/ocsp.cgi    |    8 +-
 .../hosts/winnetou/etc/openssl/sales/ocsp/ocsp.cgi |    8 +-
 .../hosts/winnetou/etc/runlevels/default/apache2   |  121 -
 .../hosts/winnetou/etc/runlevels/default/net.eth0  | 1124 ----
 testing/make-testing                               |   84 +-
 testing/scripts/build-baseimage                    |   79 +
 testing/scripts/build-guestimages                  |   65 +
 testing/scripts/build-guestkernel                  |   49 +
 testing/scripts/build-hostconfig                   |  122 -
 testing/scripts/build-rootimage                    |   67 +
 testing/scripts/build-sshkeys                      |   86 -
 testing/scripts/build-umlhostfs                    |   78 -
 testing/scripts/build-umlkernel                    |  130 -
 testing/scripts/build-umlrootfs                    |  451 --
 testing/scripts/function.sh                        |  208 +-
 testing/scripts/gstart-umls                        |  126 -
 testing/scripts/install-shared                     |   38 -
 testing/scripts/kstart-umls                        |  126 -
 testing/scripts/load-testconfig                    |   17 +-
 testing/scripts/recipes/001_libtnc.mk              |   31 +
 testing/scripts/recipes/002_tnc-fhh.mk             |   28 +
 testing/scripts/recipes/003_freeradius.mk          |   44 +
 testing/scripts/recipes/004_iptables.mk            |   37 +
 testing/scripts/recipes/005_strongswan.mk          |   87 +
 .../scripts/recipes/patches/freeradius-avp-size    |   18 +
 .../recipes/patches/freeradius-eap-sim-identity    |   30 +
 testing/scripts/recipes/patches/freeradius-tnc-fhh | 6687 ++++++++++++++++++++
 .../scripts/recipes/patches/iptables-xfrm-hooks    |   61 +
 testing/scripts/restore-defaults                   |   23 +-
 testing/scripts/shutdown-umls                      |   38 -
 testing/scripts/start-bridges                      |   64 -
 testing/scripts/start-umls                         |  117 -
 testing/scripts/stop-bridges                       |   49 -
 testing/scripts/xstart-umls                        |  126 -
 testing/ssh_config                                 |    3 +-
 testing/start-testing                              |  129 +-
 testing/stop-testing                               |   70 +-
 testing/testing.conf                               |  220 +-
 testing/tests/af-alg/alg-camellia/evaltest.dat     |    2 +-
 testing/tests/af-alg/alg-camellia/posttest.dat     |    4 +-
 testing/tests/af-alg/alg-camellia/pretest.dat      |    4 +-
 testing/tests/af-alg/alg-camellia/test.conf        |   10 +-
 testing/tests/af-alg/rw-cert/evaltest.dat          |    4 +-
 testing/tests/af-alg/rw-cert/posttest.dat          |    6 +-
 testing/tests/af-alg/rw-cert/pretest.dat           |    6 +-
 testing/tests/af-alg/rw-cert/test.conf             |   10 +-
 .../tests/gcrypt-ikev1/alg-serpent/evaltest.dat    |    2 +-
 testing/tests/gcrypt-ikev1/alg-serpent/pretest.dat |    1 -
 testing/tests/gcrypt-ikev1/alg-serpent/test.conf   |   10 +-
 .../tests/gcrypt-ikev1/alg-twofish/evaltest.dat    |    2 +-
 testing/tests/gcrypt-ikev1/alg-twofish/pretest.dat |    1 -
 testing/tests/gcrypt-ikev1/alg-twofish/test.conf   |   10 +-
 .../tests/gcrypt-ikev2/alg-camellia/evaltest.dat   |    2 +-
 .../tests/gcrypt-ikev2/alg-camellia/posttest.dat   |    4 +-
 .../tests/gcrypt-ikev2/alg-camellia/pretest.dat    |    4 +-
 testing/tests/gcrypt-ikev2/alg-camellia/test.conf  |   10 +-
 testing/tests/gcrypt-ikev2/rw-cert/evaltest.dat    |    4 +-
 testing/tests/gcrypt-ikev2/rw-cert/posttest.dat    |    6 +-
 testing/tests/gcrypt-ikev2/rw-cert/pretest.dat     |    6 +-
 testing/tests/gcrypt-ikev2/rw-cert/test.conf       |   10 +-
 testing/tests/ha/both-active/evaltest.dat          |    4 +-
 .../ha/both-active/hosts/alice/etc/init.d/iptables |  104 -
 .../ha/both-active/hosts/alice/etc/iptables.rules  |   50 +
 .../ha/both-active/hosts/moon/etc/init.d/iptables  |  104 -
 .../ha/both-active/hosts/moon/etc/iptables.rules   |   50 +
 testing/tests/ha/both-active/posttest.dat          |   10 +-
 testing/tests/ha/both-active/pretest.dat           |   10 +-
 testing/tests/ha/both-active/test.conf             |   10 +-
 testing/tests/ike/rw-cert/evaltest.dat             |    4 +-
 testing/tests/ike/rw-cert/pretest.dat              |    1 -
 testing/tests/ike/rw-cert/test.conf                |   10 +-
 testing/tests/ike/rw_v1-net_v2/evaltest.dat        |    4 +-
 testing/tests/ike/rw_v1-net_v2/pretest.dat         |    2 -
 testing/tests/ike/rw_v1-net_v2/test.conf           |   10 +-
 testing/tests/ikev1/alg-3des-md5/evaltest.dat      |    6 +-
 testing/tests/ikev1/alg-3des-md5/posttest.dat      |    4 +-
 testing/tests/ikev1/alg-3des-md5/pretest.dat       |    4 +-
 testing/tests/ikev1/alg-3des-md5/test.conf         |   10 +-
 testing/tests/ikev1/alg-blowfish/evaltest.dat      |    4 +-
 testing/tests/ikev1/alg-blowfish/posttest.dat      |    6 +-
 testing/tests/ikev1/alg-blowfish/pretest.dat       |    6 +-
 testing/tests/ikev1/alg-blowfish/test.conf         |   10 +-
 testing/tests/ikev1/alg-modp-subgroup/evaltest.dat |    4 +-
 testing/tests/ikev1/alg-modp-subgroup/posttest.dat |    6 +-
 testing/tests/ikev1/alg-modp-subgroup/pretest.dat  |    6 +-
 testing/tests/ikev1/alg-modp-subgroup/test.conf    |   10 +-
 testing/tests/ikev1/alg-sha256/evaltest.dat        |    6 +-
 testing/tests/ikev1/alg-sha256/posttest.dat        |    4 +-
 testing/tests/ikev1/alg-sha256/pretest.dat         |    4 +-
 testing/tests/ikev1/alg-sha256/test.conf           |   10 +-
 testing/tests/ikev1/alg-sha384/evaltest.dat        |    6 +-
 testing/tests/ikev1/alg-sha384/posttest.dat        |    4 +-
 testing/tests/ikev1/alg-sha384/pretest.dat         |    4 +-
 testing/tests/ikev1/alg-sha384/test.conf           |   10 +-
 testing/tests/ikev1/alg-sha512/evaltest.dat        |    6 +-
 testing/tests/ikev1/alg-sha512/posttest.dat        |    4 +-
 testing/tests/ikev1/alg-sha512/pretest.dat         |    4 +-
 testing/tests/ikev1/alg-sha512/test.conf           |   10 +-
 testing/tests/ikev1/compress/pretest.dat           |    1 -
 testing/tests/ikev1/compress/test.conf             |   10 +-
 testing/tests/ikev1/config-payload/evaltest.dat    |    4 +-
 testing/tests/ikev1/config-payload/posttest.dat    |    6 +-
 testing/tests/ikev1/config-payload/pretest.dat     |    6 +-
 testing/tests/ikev1/config-payload/test.conf       |   10 +-
 testing/tests/ikev1/double-nat-net/evaltest.dat    |    6 +-
 .../double-nat-net/hosts/bob/etc/iptables.rules    |   24 +
 testing/tests/ikev1/double-nat-net/posttest.dat    |    4 +-
 testing/tests/ikev1/double-nat-net/pretest.dat     |    7 +-
 testing/tests/ikev1/double-nat-net/test.conf       |   10 +-
 testing/tests/ikev1/double-nat/evaltest.dat        |    6 +-
 .../ikev1/double-nat/hosts/bob/etc/iptables.rules  |   24 +
 testing/tests/ikev1/double-nat/posttest.dat        |    4 +-
 testing/tests/ikev1/double-nat/pretest.dat         |    6 +-
 testing/tests/ikev1/double-nat/test.conf           |   10 +-
 testing/tests/ikev1/dpd-clear/test.conf            |   10 +-
 testing/tests/ikev1/dpd-restart/test.conf          |   10 +-
 testing/tests/ikev1/dynamic-initiator/evaltest.dat |    2 +-
 testing/tests/ikev1/dynamic-initiator/posttest.dat |    4 +-
 testing/tests/ikev1/dynamic-initiator/pretest.dat  |    6 +-
 testing/tests/ikev1/dynamic-initiator/test.conf    |   10 +-
 testing/tests/ikev1/dynamic-responder/evaltest.dat |    2 +-
 testing/tests/ikev1/dynamic-responder/posttest.dat |    4 +-
 testing/tests/ikev1/dynamic-responder/pretest.dat  |    6 +-
 testing/tests/ikev1/dynamic-responder/test.conf    |   10 +-
 testing/tests/ikev1/dynamic-two-peers/evaltest.dat |    4 +-
 testing/tests/ikev1/dynamic-two-peers/posttest.dat |    6 +-
 testing/tests/ikev1/dynamic-two-peers/pretest.dat  |    6 +-
 testing/tests/ikev1/dynamic-two-peers/test.conf    |   10 +-
 testing/tests/ikev1/esp-alg-aes-ccm/evaltest.dat   |    2 +-
 testing/tests/ikev1/esp-alg-aes-ccm/posttest.dat   |    4 +-
 testing/tests/ikev1/esp-alg-aes-ccm/pretest.dat    |    4 +-
 testing/tests/ikev1/esp-alg-aes-ccm/test.conf      |   10 +-
 testing/tests/ikev1/esp-alg-aes-ctr/evaltest.dat   |    2 +-
 testing/tests/ikev1/esp-alg-aes-ctr/posttest.dat   |    4 +-
 testing/tests/ikev1/esp-alg-aes-ctr/pretest.dat    |    4 +-
 testing/tests/ikev1/esp-alg-aes-ctr/test.conf      |   10 +-
 testing/tests/ikev1/esp-alg-aes-gcm/evaltest.dat   |    2 +-
 testing/tests/ikev1/esp-alg-aes-gcm/posttest.dat   |    4 +-
 testing/tests/ikev1/esp-alg-aes-gcm/pretest.dat    |    4 +-
 testing/tests/ikev1/esp-alg-aes-gcm/test.conf      |   10 +-
 testing/tests/ikev1/esp-alg-aes-gmac/evaltest.dat  |    2 +-
 testing/tests/ikev1/esp-alg-aes-gmac/posttest.dat  |    4 +-
 testing/tests/ikev1/esp-alg-aes-gmac/pretest.dat   |    4 +-
 testing/tests/ikev1/esp-alg-aes-gmac/test.conf     |   10 +-
 testing/tests/ikev1/esp-alg-aes-xcbc/evaltest.dat  |    6 +-
 testing/tests/ikev1/esp-alg-aes-xcbc/pretest.dat   |    1 -
 testing/tests/ikev1/esp-alg-aes-xcbc/test.conf     |   10 +-
 testing/tests/ikev1/esp-alg-null/evaltest.dat      |    2 +-
 testing/tests/ikev1/esp-alg-null/posttest.dat      |    4 +-
 testing/tests/ikev1/esp-alg-null/pretest.dat       |    4 +-
 testing/tests/ikev1/esp-alg-null/test.conf         |   10 +-
 testing/tests/ikev1/host2host-cert/evaltest.dat    |    2 +-
 testing/tests/ikev1/host2host-cert/posttest.dat    |    4 +-
 testing/tests/ikev1/host2host-cert/pretest.dat     |    4 +-
 testing/tests/ikev1/host2host-cert/test.conf       |   10 +-
 .../tests/ikev1/host2host-transport/evaltest.dat   |    2 +-
 .../tests/ikev1/host2host-transport/posttest.dat   |    4 +-
 .../tests/ikev1/host2host-transport/pretest.dat    |    4 +-
 testing/tests/ikev1/host2host-transport/test.conf  |   10 +-
 testing/tests/ikev1/ip-pool-db/evaltest.dat        |    4 +-
 testing/tests/ikev1/ip-pool-db/posttest.dat        |    6 +-
 testing/tests/ikev1/ip-pool-db/pretest.dat         |    6 +-
 testing/tests/ikev1/ip-pool-db/test.conf           |   10 +-
 testing/tests/ikev1/ip-pool/evaltest.dat           |    4 +-
 testing/tests/ikev1/ip-pool/posttest.dat           |    6 +-
 testing/tests/ikev1/ip-pool/pretest.dat            |    6 +-
 testing/tests/ikev1/ip-pool/test.conf              |   10 +-
 .../tests/ikev1/multi-level-ca-cr-init/pretest.dat |    1 -
 .../tests/ikev1/multi-level-ca-cr-init/test.conf   |   10 +-
 .../tests/ikev1/multi-level-ca-cr-resp/pretest.dat |    1 -
 .../tests/ikev1/multi-level-ca-cr-resp/test.conf   |   10 +-
 testing/tests/ikev1/multi-level-ca/pretest.dat     |    1 -
 testing/tests/ikev1/multi-level-ca/test.conf       |   10 +-
 testing/tests/ikev1/nat-rw/evaltest.dat            |   14 +-
 .../ikev1/nat-rw/hosts/sun/etc/iptables.rules      |   24 +
 testing/tests/ikev1/nat-rw/posttest.dat            |    6 +-
 testing/tests/ikev1/nat-rw/pretest.dat             |    7 +-
 testing/tests/ikev1/nat-rw/test.conf               |   10 +-
 testing/tests/ikev1/nat-virtual-ip/description.txt |    6 +
 testing/tests/ikev1/nat-virtual-ip/evaltest.dat    |    8 +
 .../tests/ikev1/nat-virtual-ip/hosts/bob/etc/hosts |   70 +
 .../ikev1/nat-virtual-ip/hosts/moon/etc/ipsec.conf |   22 +
 .../ikev1/nat-virtual-ip/hosts/moon/etc/nat_updown |  152 +
 .../nat-virtual-ip/hosts/moon/etc/strongswan.conf  |    6 +
 .../ikev1/nat-virtual-ip/hosts/sun/etc/ipsec.conf  |   22 +
 .../nat-virtual-ip/hosts/sun/etc/strongswan.conf   |    6 +
 testing/tests/ikev1/nat-virtual-ip/posttest.dat    |    6 +
 testing/tests/ikev1/nat-virtual-ip/pretest.dat     |    8 +
 testing/tests/ikev1/nat-virtual-ip/test.conf       |   21 +
 testing/tests/ikev1/net2net-cert/evaltest.dat      |    2 +-
 testing/tests/ikev1/net2net-cert/posttest.dat      |    4 +-
 testing/tests/ikev1/net2net-cert/pretest.dat       |    4 +-
 testing/tests/ikev1/net2net-cert/test.conf         |   10 +-
 testing/tests/ikev1/net2net-psk-fail/posttest.dat  |    4 +-
 testing/tests/ikev1/net2net-psk-fail/pretest.dat   |    4 +-
 testing/tests/ikev1/net2net-psk-fail/test.conf     |   10 +-
 testing/tests/ikev1/net2net-psk/evaltest.dat       |    2 +-
 testing/tests/ikev1/net2net-psk/posttest.dat       |    4 +-
 testing/tests/ikev1/net2net-psk/pretest.dat        |    4 +-
 testing/tests/ikev1/net2net-psk/test.conf          |   10 +-
 testing/tests/ikev1/protoport-dual/evaltest.dat    |    4 +-
 testing/tests/ikev1/protoport-dual/posttest.dat    |    4 +-
 testing/tests/ikev1/protoport-dual/pretest.dat     |    4 +-
 testing/tests/ikev1/protoport-dual/test.conf       |   10 +-
 .../tests/ikev1/rw-cert-aggressive/evaltest.dat    |    4 +-
 .../tests/ikev1/rw-cert-aggressive/posttest.dat    |    6 +-
 testing/tests/ikev1/rw-cert-aggressive/pretest.dat |    6 +-
 testing/tests/ikev1/rw-cert-aggressive/test.conf   |   10 +-
 testing/tests/ikev1/rw-cert-unity/evaltest.dat     |    2 +-
 testing/tests/ikev1/rw-cert-unity/test.conf        |   10 +-
 testing/tests/ikev1/rw-cert/evaltest.dat           |    4 +-
 testing/tests/ikev1/rw-cert/posttest.dat           |    6 +-
 testing/tests/ikev1/rw-cert/pretest.dat            |    6 +-
 testing/tests/ikev1/rw-cert/test.conf              |   10 +-
 testing/tests/ikev1/rw-psk-aggressive/evaltest.dat |    4 +-
 testing/tests/ikev1/rw-psk-aggressive/posttest.dat |    6 +-
 testing/tests/ikev1/rw-psk-aggressive/pretest.dat  |    6 +-
 testing/tests/ikev1/rw-psk-aggressive/test.conf    |   10 +-
 testing/tests/ikev1/rw-psk-fqdn/evaltest.dat       |    4 +-
 testing/tests/ikev1/rw-psk-fqdn/posttest.dat       |    6 +-
 testing/tests/ikev1/rw-psk-fqdn/pretest.dat        |    6 +-
 testing/tests/ikev1/rw-psk-fqdn/test.conf          |   10 +-
 testing/tests/ikev1/rw-psk-ipv4/evaltest.dat       |    4 +-
 testing/tests/ikev1/rw-psk-ipv4/posttest.dat       |    6 +-
 testing/tests/ikev1/rw-psk-ipv4/pretest.dat        |    6 +-
 testing/tests/ikev1/rw-psk-ipv4/test.conf          |   10 +-
 testing/tests/ikev1/virtual-ip/evaltest.dat        |   12 +-
 testing/tests/ikev1/virtual-ip/posttest.dat        |    6 +-
 testing/tests/ikev1/virtual-ip/pretest.dat         |    6 +-
 testing/tests/ikev1/virtual-ip/test.conf           |   10 +-
 .../tests/ikev1/xauth-id-psk-config/evaltest.dat   |    4 +-
 .../tests/ikev1/xauth-id-psk-config/posttest.dat   |    6 +-
 .../tests/ikev1/xauth-id-psk-config/pretest.dat    |    6 +-
 testing/tests/ikev1/xauth-id-psk-config/test.conf  |   10 +-
 .../ikev1/xauth-id-rsa-aggressive/evaltest.dat     |    4 +-
 .../ikev1/xauth-id-rsa-aggressive/posttest.dat     |    6 +-
 .../ikev1/xauth-id-rsa-aggressive/pretest.dat      |    6 +-
 .../tests/ikev1/xauth-id-rsa-aggressive/test.conf  |   10 +-
 .../tests/ikev1/xauth-id-rsa-config/evaltest.dat   |    4 +-
 .../tests/ikev1/xauth-id-rsa-config/posttest.dat   |    6 +-
 .../tests/ikev1/xauth-id-rsa-config/pretest.dat    |    6 +-
 testing/tests/ikev1/xauth-id-rsa-config/test.conf  |   10 +-
 .../tests/ikev1/xauth-id-rsa-hybrid/evaltest.dat   |    4 +-
 .../tests/ikev1/xauth-id-rsa-hybrid/posttest.dat   |    6 +-
 .../tests/ikev1/xauth-id-rsa-hybrid/pretest.dat    |    6 +-
 testing/tests/ikev1/xauth-id-rsa-hybrid/test.conf  |   10 +-
 testing/tests/ikev1/xauth-psk/evaltest.dat         |    4 +-
 testing/tests/ikev1/xauth-psk/posttest.dat         |    6 +-
 testing/tests/ikev1/xauth-psk/pretest.dat          |    6 +-
 testing/tests/ikev1/xauth-psk/test.conf            |   10 +-
 .../ikev1/xauth-rsa-eap-md5-radius/evaltest.dat    |    2 +-
 .../hosts/alice/etc/freeradius/eap.conf            |    5 +
 .../hosts/alice/etc/freeradius/proxy.conf          |    5 +
 .../alice/etc/freeradius/sites-available/default   |   43 +
 .../hosts/alice/etc/freeradius/users               |    1 +
 .../hosts/alice/etc/raddb/clients.conf             |    4 -
 .../hosts/alice/etc/raddb/eap.conf                 |    5 -
 .../hosts/alice/etc/raddb/proxy.conf               |    5 -
 .../hosts/alice/etc/raddb/radiusd.conf             |  120 -
 .../hosts/alice/etc/raddb/sites-available/default  |   44 -
 .../hosts/alice/etc/raddb/users                    |    1 -
 .../hosts/moon/etc/init.d/iptables                 |   84 -
 .../hosts/moon/etc/iptables.rules                  |   32 +
 .../ikev1/xauth-rsa-eap-md5-radius/posttest.dat    |    6 +-
 .../ikev1/xauth-rsa-eap-md5-radius/pretest.dat     |    6 +-
 .../tests/ikev1/xauth-rsa-eap-md5-radius/test.conf |   12 +-
 testing/tests/ikev1/xauth-rsa/evaltest.dat         |    4 +-
 testing/tests/ikev1/xauth-rsa/posttest.dat         |    6 +-
 testing/tests/ikev1/xauth-rsa/pretest.dat          |    6 +-
 testing/tests/ikev1/xauth-rsa/test.conf            |   10 +-
 testing/tests/ikev2/after-2038-certs/evaltest.dat  |    2 +-
 testing/tests/ikev2/after-2038-certs/posttest.dat  |    4 +-
 testing/tests/ikev2/after-2038-certs/pretest.dat   |    4 +-
 testing/tests/ikev2/after-2038-certs/test.conf     |   10 +-
 testing/tests/ikev2/alg-3des-md5/evaltest.dat      |    6 +-
 testing/tests/ikev2/alg-3des-md5/posttest.dat      |    4 +-
 testing/tests/ikev2/alg-3des-md5/pretest.dat       |    4 +-
 testing/tests/ikev2/alg-3des-md5/test.conf         |   10 +-
 testing/tests/ikev2/alg-aes-ccm/evaltest.dat       |    2 +-
 testing/tests/ikev2/alg-aes-ccm/posttest.dat       |    4 +-
 testing/tests/ikev2/alg-aes-ccm/pretest.dat        |    4 +-
 testing/tests/ikev2/alg-aes-ccm/test.conf          |   10 +-
 testing/tests/ikev2/alg-aes-ctr/evaltest.dat       |    2 +-
 testing/tests/ikev2/alg-aes-ctr/posttest.dat       |    4 +-
 testing/tests/ikev2/alg-aes-ctr/pretest.dat        |    4 +-
 testing/tests/ikev2/alg-aes-ctr/test.conf          |   10 +-
 testing/tests/ikev2/alg-aes-gcm/evaltest.dat       |    2 +-
 testing/tests/ikev2/alg-aes-gcm/posttest.dat       |    4 +-
 testing/tests/ikev2/alg-aes-gcm/pretest.dat        |    4 +-
 testing/tests/ikev2/alg-aes-gcm/test.conf          |   10 +-
 testing/tests/ikev2/alg-aes-xcbc/evaltest.dat      |    6 +-
 testing/tests/ikev2/alg-aes-xcbc/posttest.dat      |    4 +-
 testing/tests/ikev2/alg-aes-xcbc/pretest.dat       |    4 +-
 testing/tests/ikev2/alg-aes-xcbc/test.conf         |   10 +-
 testing/tests/ikev2/alg-blowfish/evaltest.dat      |    4 +-
 testing/tests/ikev2/alg-blowfish/posttest.dat      |    6 +-
 testing/tests/ikev2/alg-blowfish/pretest.dat       |    6 +-
 testing/tests/ikev2/alg-blowfish/test.conf         |   10 +-
 testing/tests/ikev2/alg-modp-subgroup/evaltest.dat |    4 +-
 testing/tests/ikev2/alg-modp-subgroup/posttest.dat |    6 +-
 testing/tests/ikev2/alg-modp-subgroup/pretest.dat  |    6 +-
 testing/tests/ikev2/alg-modp-subgroup/test.conf    |   10 +-
 testing/tests/ikev2/alg-sha256-96/evaltest.dat     |    6 +-
 testing/tests/ikev2/alg-sha256-96/posttest.dat     |    4 +-
 testing/tests/ikev2/alg-sha256-96/pretest.dat      |    4 +-
 testing/tests/ikev2/alg-sha256-96/test.conf        |   10 +-
 testing/tests/ikev2/alg-sha256/evaltest.dat        |    6 +-
 testing/tests/ikev2/alg-sha256/posttest.dat        |    4 +-
 testing/tests/ikev2/alg-sha256/pretest.dat         |    4 +-
 testing/tests/ikev2/alg-sha256/test.conf           |   10 +-
 testing/tests/ikev2/alg-sha384/evaltest.dat        |    6 +-
 testing/tests/ikev2/alg-sha384/posttest.dat        |    4 +-
 testing/tests/ikev2/alg-sha384/pretest.dat         |    4 +-
 testing/tests/ikev2/alg-sha384/test.conf           |   10 +-
 testing/tests/ikev2/alg-sha512/evaltest.dat        |    6 +-
 testing/tests/ikev2/alg-sha512/posttest.dat        |    4 +-
 testing/tests/ikev2/alg-sha512/pretest.dat         |    4 +-
 testing/tests/ikev2/alg-sha512/test.conf           |   10 +-
 testing/tests/ikev2/any-interface/pretest.dat      |    2 -
 testing/tests/ikev2/any-interface/test.conf        |   10 +-
 testing/tests/ikev2/compress/pretest.dat           |    1 -
 testing/tests/ikev2/compress/test.conf             |   10 +-
 .../ikev2/config-payload-swapped/evaltest.dat      |    4 +-
 .../ikev2/config-payload-swapped/posttest.dat      |    6 +-
 .../tests/ikev2/config-payload-swapped/pretest.dat |    6 +-
 .../tests/ikev2/config-payload-swapped/test.conf   |   10 +-
 testing/tests/ikev2/config-payload/evaltest.dat    |    4 +-
 testing/tests/ikev2/config-payload/posttest.dat    |    6 +-
 testing/tests/ikev2/config-payload/pretest.dat     |    6 +-
 testing/tests/ikev2/config-payload/test.conf       |   10 +-
 .../tests/ikev2/critical-extension/posttest.dat    |    4 +-
 testing/tests/ikev2/critical-extension/pretest.dat |    4 +-
 testing/tests/ikev2/critical-extension/test.conf   |   10 +-
 testing/tests/ikev2/crl-from-cache/test.conf       |   10 +-
 .../ikev2/crl-ldap/hosts/carol/etc/init.d/iptables |   77 -
 .../ikev2/crl-ldap/hosts/carol/etc/iptables.rules  |   28 +
 .../ikev2/crl-ldap/hosts/moon/etc/init.d/iptables  |   80 -
 .../ikev2/crl-ldap/hosts/moon/etc/iptables.rules   |   28 +
 testing/tests/ikev2/crl-ldap/posttest.dat          |    4 +-
 testing/tests/ikev2/crl-ldap/pretest.dat           |    4 +-
 testing/tests/ikev2/crl-ldap/test.conf             |   10 +-
 testing/tests/ikev2/crl-revoked/test.conf          |   10 +-
 testing/tests/ikev2/crl-to-cache/test.conf         |   10 +-
 testing/tests/ikev2/default-keys/description.txt   |    6 +-
 testing/tests/ikev2/default-keys/evaltest.dat      |    2 +-
 .../default-keys/hosts/moon/etc/init.d/iptables    |   82 -
 .../default-keys/hosts/moon/etc/iptables.rules     |   30 +
 testing/tests/ikev2/default-keys/posttest.dat      |    4 +-
 testing/tests/ikev2/default-keys/pretest.dat       |   11 +-
 testing/tests/ikev2/default-keys/test.conf         |   10 +-
 testing/tests/ikev2/dhcp-dynamic/evaltest.dat      |   12 +-
 .../dhcp-dynamic/hosts/moon/etc/init.d/iptables    |   91 -
 .../dhcp-dynamic/hosts/moon/etc/iptables.rules     |   39 +
 .../dhcp-dynamic/hosts/venus/etc/dhcp/dhcpd.conf   |   14 +
 .../ikev2/dhcp-dynamic/hosts/venus/etc/dhcpd.conf  |   14 -
 .../dhcp-dynamic/hosts/venus/etc/dnsmasq.conf      |    6 +-
 .../dhcp-dynamic/hosts/venus/etc/init.d/dhcpd      |   24 -
 testing/tests/ikev2/dhcp-dynamic/posttest.dat      |    8 +-
 testing/tests/ikev2/dhcp-dynamic/pretest.dat       |   12 +-
 testing/tests/ikev2/dhcp-dynamic/test.conf         |   10 +-
 .../tests/ikev2/dhcp-static-client-id/evaltest.dat |   12 +-
 .../hosts/moon/etc/init.d/iptables                 |   91 -
 .../hosts/moon/etc/iptables.rules                  |   39 +
 .../hosts/venus/etc/dhcp/dhcpd.conf                |   24 +
 .../hosts/venus/etc/dhcpd.conf                     |   25 -
 .../hosts/venus/etc/dnsmasq.conf                   |    6 +-
 .../hosts/venus/etc/init.d/dhcpd                   |   24 -
 .../tests/ikev2/dhcp-static-client-id/posttest.dat |    8 +-
 .../tests/ikev2/dhcp-static-client-id/pretest.dat  |   12 +-
 .../tests/ikev2/dhcp-static-client-id/test.conf    |   10 +-
 testing/tests/ikev2/dhcp-static-mac/evaltest.dat   |   12 +-
 .../dhcp-static-mac/hosts/moon/etc/init.d/iptables |   91 -
 .../dhcp-static-mac/hosts/moon/etc/iptables.rules  |   39 +
 .../hosts/venus/etc/dhcp/dhcpd.conf                |   24 +
 .../dhcp-static-mac/hosts/venus/etc/dhcpd.conf     |   25 -
 .../dhcp-static-mac/hosts/venus/etc/dnsmasq.conf   |    6 +-
 .../dhcp-static-mac/hosts/venus/etc/init.d/dhcpd   |   24 -
 testing/tests/ikev2/dhcp-static-mac/posttest.dat   |    8 +-
 testing/tests/ikev2/dhcp-static-mac/pretest.dat    |   12 +-
 testing/tests/ikev2/dhcp-static-mac/test.conf      |   10 +-
 testing/tests/ikev2/double-nat-net/evaltest.dat    |    6 +-
 .../double-nat-net/hosts/bob/etc/iptables.rules    |   24 +
 testing/tests/ikev2/double-nat-net/posttest.dat    |    4 +-
 testing/tests/ikev2/double-nat-net/pretest.dat     |    7 +-
 testing/tests/ikev2/double-nat-net/test.conf       |   10 +-
 testing/tests/ikev2/double-nat/evaltest.dat        |    6 +-
 .../ikev2/double-nat/hosts/bob/etc/iptables.rules  |   24 +
 testing/tests/ikev2/double-nat/posttest.dat        |    4 +-
 testing/tests/ikev2/double-nat/pretest.dat         |    6 +-
 testing/tests/ikev2/double-nat/test.conf           |   10 +-
 testing/tests/ikev2/dpd-clear/test.conf            |   10 +-
 testing/tests/ikev2/dpd-hold/test.conf             |   10 +-
 testing/tests/ikev2/dpd-restart/test.conf          |   10 +-
 testing/tests/ikev2/dynamic-initiator/evaltest.dat |    2 +-
 testing/tests/ikev2/dynamic-initiator/posttest.dat |    6 +-
 testing/tests/ikev2/dynamic-initiator/pretest.dat  |    6 +-
 testing/tests/ikev2/dynamic-initiator/test.conf    |   10 +-
 testing/tests/ikev2/dynamic-two-peers/evaltest.dat |    4 +-
 testing/tests/ikev2/dynamic-two-peers/posttest.dat |    6 +-
 testing/tests/ikev2/dynamic-two-peers/pretest.dat  |    6 +-
 testing/tests/ikev2/dynamic-two-peers/test.conf    |   10 +-
 testing/tests/ikev2/esp-alg-aes-gmac/evaltest.dat  |    2 +-
 testing/tests/ikev2/esp-alg-aes-gmac/posttest.dat  |    4 +-
 testing/tests/ikev2/esp-alg-aes-gmac/pretest.dat   |    4 +-
 testing/tests/ikev2/esp-alg-aes-gmac/test.conf     |   10 +-
 testing/tests/ikev2/esp-alg-md5-128/evaltest.dat   |    6 +-
 testing/tests/ikev2/esp-alg-md5-128/posttest.dat   |    4 +-
 testing/tests/ikev2/esp-alg-md5-128/pretest.dat    |    4 +-
 testing/tests/ikev2/esp-alg-md5-128/test.conf      |   10 +-
 testing/tests/ikev2/esp-alg-null/evaltest.dat      |    2 +-
 testing/tests/ikev2/esp-alg-null/posttest.dat      |    4 +-
 testing/tests/ikev2/esp-alg-null/pretest.dat       |    4 +-
 testing/tests/ikev2/esp-alg-null/test.conf         |   10 +-
 testing/tests/ikev2/esp-alg-sha1-160/evaltest.dat  |    6 +-
 testing/tests/ikev2/esp-alg-sha1-160/posttest.dat  |    4 +-
 testing/tests/ikev2/esp-alg-sha1-160/pretest.dat   |    4 +-
 testing/tests/ikev2/esp-alg-sha1-160/test.conf     |   10 +-
 testing/tests/ikev2/farp/evaltest.dat              |   12 +-
 testing/tests/ikev2/farp/posttest.dat              |    6 +-
 testing/tests/ikev2/farp/pretest.dat               |    6 +-
 testing/tests/ikev2/farp/test.conf                 |   10 +-
 testing/tests/ikev2/force-udp-encaps/evaltest.dat  |    6 +-
 .../force-udp-encaps/hosts/sun/etc/init.d/iptables |   76 -
 .../force-udp-encaps/hosts/sun/etc/iptables.rules  |   24 +
 testing/tests/ikev2/force-udp-encaps/posttest.dat  |    4 +-
 testing/tests/ikev2/force-udp-encaps/pretest.dat   |    5 +-
 testing/tests/ikev2/force-udp-encaps/test.conf     |   10 +-
 testing/tests/ikev2/host2host-cert/evaltest.dat    |    2 +-
 testing/tests/ikev2/host2host-cert/posttest.dat    |    4 +-
 testing/tests/ikev2/host2host-cert/pretest.dat     |    4 +-
 testing/tests/ikev2/host2host-cert/test.conf       |   10 +-
 testing/tests/ikev2/host2host-swapped/evaltest.dat |    2 +-
 testing/tests/ikev2/host2host-swapped/posttest.dat |    4 +-
 testing/tests/ikev2/host2host-swapped/pretest.dat  |    4 +-
 testing/tests/ikev2/host2host-swapped/test.conf    |   10 +-
 .../tests/ikev2/host2host-transport/evaltest.dat   |    2 +-
 .../tests/ikev2/host2host-transport/posttest.dat   |    4 +-
 .../tests/ikev2/host2host-transport/pretest.dat    |    4 +-
 testing/tests/ikev2/host2host-transport/test.conf  |   10 +-
 .../tests/ikev2/inactivity-timeout/evaltest.dat    |    4 +-
 .../tests/ikev2/inactivity-timeout/posttest.dat    |    3 +-
 testing/tests/ikev2/inactivity-timeout/pretest.dat |    5 +-
 testing/tests/ikev2/inactivity-timeout/test.conf   |   10 +-
 testing/tests/ikev2/ip-pool-db/evaltest.dat        |    4 +-
 testing/tests/ikev2/ip-pool-db/posttest.dat        |    6 +-
 testing/tests/ikev2/ip-pool-db/pretest.dat         |    6 +-
 testing/tests/ikev2/ip-pool-db/test.conf           |   10 +-
 testing/tests/ikev2/ip-pool-wish/evaltest.dat      |    4 +-
 testing/tests/ikev2/ip-pool-wish/posttest.dat      |    6 +-
 testing/tests/ikev2/ip-pool-wish/pretest.dat       |    6 +-
 testing/tests/ikev2/ip-pool-wish/test.conf         |   10 +-
 testing/tests/ikev2/ip-pool/evaltest.dat           |    8 +-
 testing/tests/ikev2/ip-pool/posttest.dat           |    6 +-
 testing/tests/ikev2/ip-pool/pretest.dat            |    6 +-
 testing/tests/ikev2/ip-pool/test.conf              |   10 +-
 testing/tests/ikev2/ip-split-pools-db/test.conf    |   10 +-
 testing/tests/ikev2/ip-two-pools-db/evaltest.dat   |    8 +-
 .../hosts/alice/etc/init.d/iptables                |   78 -
 .../ip-two-pools-db/hosts/moon/etc/init.d/iptables |   91 -
 .../ip-two-pools-db/hosts/moon/etc/iptables.rules  |   43 +
 .../hosts/venus/etc/init.d/iptables                |   78 -
 testing/tests/ikev2/ip-two-pools-db/posttest.dat   |   10 +-
 testing/tests/ikev2/ip-two-pools-db/pretest.dat    |   10 +-
 testing/tests/ikev2/ip-two-pools-db/test.conf      |   10 +-
 .../tests/ikev2/ip-two-pools-mixed/evaltest.dat    |    4 +-
 .../hosts/alice/etc/init.d/iptables                |   78 -
 .../hosts/moon/etc/init.d/iptables                 |   91 -
 .../hosts/moon/etc/iptables.rules                  |   43 +
 .../tests/ikev2/ip-two-pools-mixed/posttest.dat    |    6 +-
 testing/tests/ikev2/ip-two-pools-mixed/pretest.dat |    6 +-
 testing/tests/ikev2/ip-two-pools-mixed/test.conf   |   10 +-
 testing/tests/ikev2/ip-two-pools-v4v6/evaltest.dat |    2 +-
 testing/tests/ikev2/ip-two-pools-v4v6/posttest.dat |    1 -
 testing/tests/ikev2/ip-two-pools-v4v6/pretest.dat  |    1 -
 testing/tests/ikev2/ip-two-pools-v4v6/test.conf    |   10 +-
 testing/tests/ikev2/ip-two-pools/evaltest.dat      |    8 +-
 .../ip-two-pools/hosts/alice/etc/init.d/iptables   |   78 -
 .../ip-two-pools/hosts/moon/etc/init.d/iptables    |   91 -
 .../ip-two-pools/hosts/moon/etc/iptables.rules     |   43 +
 testing/tests/ikev2/ip-two-pools/posttest.dat      |    6 +-
 testing/tests/ikev2/ip-two-pools/pretest.dat       |    6 +-
 testing/tests/ikev2/ip-two-pools/test.conf         |   10 +-
 testing/tests/ikev2/mobike-nat/evaltest.dat        |    6 +-
 .../mobike-nat/hosts/alice/etc/init.d/iptables     |   87 -
 .../ikev2/mobike-nat/hosts/alice/etc/ipsec.conf    |    2 +-
 .../mobike-nat/hosts/alice/etc/iptables.rules      |   38 +
 .../ikev2/mobike-nat/hosts/sun/etc/init.d/iptables |   84 -
 .../ikev2/mobike-nat/hosts/sun/etc/iptables.rules  |   32 +
 testing/tests/ikev2/mobike-nat/posttest.dat        |    4 +-
 testing/tests/ikev2/mobike-nat/pretest.dat         |    9 +-
 testing/tests/ikev2/mobike-nat/test.conf           |   10 +-
 testing/tests/ikev2/mobike-virtual-ip/evaltest.dat |   10 +-
 .../hosts/alice/etc/init.d/iptables                |   87 -
 .../mobike-virtual-ip/hosts/alice/etc/ipsec.conf   |    2 +-
 .../hosts/alice/etc/iptables.rules                 |   38 +
 .../hosts/sun/etc/init.d/iptables                  |   84 -
 .../mobike-virtual-ip/hosts/sun/etc/ipsec.conf     |    2 +-
 .../mobike-virtual-ip/hosts/sun/etc/iptables.rules |   32 +
 testing/tests/ikev2/mobike-virtual-ip/posttest.dat |    4 +-
 testing/tests/ikev2/mobike-virtual-ip/pretest.dat  |    9 +-
 testing/tests/ikev2/mobike-virtual-ip/test.conf    |   10 +-
 testing/tests/ikev2/mobike/evaltest.dat            |   14 +-
 .../ikev2/mobike/hosts/alice/etc/init.d/iptables   |   87 -
 .../tests/ikev2/mobike/hosts/alice/etc/ipsec.conf  |    2 +-
 .../ikev2/mobike/hosts/alice/etc/iptables.rules    |   38 +
 .../ikev2/mobike/hosts/sun/etc/init.d/iptables     |   90 -
 .../tests/ikev2/mobike/hosts/sun/etc/ipsec.conf    |    2 +-
 .../ikev2/mobike/hosts/sun/etc/iptables.rules      |   32 +
 testing/tests/ikev2/mobike/posttest.dat            |    4 +-
 testing/tests/ikev2/mobike/pretest.dat             |    9 +-
 testing/tests/ikev2/mobike/test.conf               |   10 +-
 .../ikev2/mult-auth-rsa-eap-sim-id/evaltest.dat    |    4 +-
 .../hosts/alice/etc/freeradius/eap.conf            |    5 +
 .../hosts/alice/etc/freeradius/modules/sim_files   |    3 +
 .../hosts/alice/etc/freeradius/proxy.conf          |    5 +
 .../alice/etc/freeradius/sites-available/default   |   61 +
 .../hosts/alice/etc/freeradius/triplets.dat        |    6 +
 .../hosts/alice/etc/freeradius/users               |    0
 .../hosts/alice/etc/raddb/clients.conf             |    4 -
 .../hosts/alice/etc/raddb/eap.conf                 |    5 -
 .../hosts/alice/etc/raddb/proxy.conf               |    5 -
 .../hosts/alice/etc/raddb/radiusd.conf             |  123 -
 .../hosts/alice/etc/raddb/sites-available/default  |   62 -
 .../hosts/alice/etc/raddb/triplets.dat             |    7 -
 .../hosts/alice/etc/raddb/users                    |    0
 .../hosts/moon/etc/init.d/iptables                 |   84 -
 .../hosts/moon/etc/iptables.rules                  |   32 +
 .../ikev2/mult-auth-rsa-eap-sim-id/posttest.dat    |    5 +-
 .../ikev2/mult-auth-rsa-eap-sim-id/pretest.dat     |   13 +-
 .../tests/ikev2/mult-auth-rsa-eap-sim-id/test.conf |   14 +-
 .../tests/ikev2/multi-level-ca-cr-init/pretest.dat |    1 -
 .../tests/ikev2/multi-level-ca-cr-init/test.conf   |   10 +-
 .../tests/ikev2/multi-level-ca-cr-resp/pretest.dat |    1 -
 .../tests/ikev2/multi-level-ca-cr-resp/test.conf   |   10 +-
 .../hosts/moon/etc/init.d/iptables                 |   80 -
 .../hosts/moon/etc/iptables.rules                  |   28 +
 .../tests/ikev2/multi-level-ca-ldap/posttest.dat   |    2 +-
 .../tests/ikev2/multi-level-ca-ldap/pretest.dat    |    2 +-
 testing/tests/ikev2/multi-level-ca-ldap/test.conf  |   10 +-
 .../tests/ikev2/multi-level-ca-loop/pretest.dat    |    1 -
 testing/tests/ikev2/multi-level-ca-loop/test.conf  |   10 +-
 .../tests/ikev2/multi-level-ca-pathlen/pretest.dat |    1 -
 .../tests/ikev2/multi-level-ca-pathlen/test.conf   |   10 +-
 .../tests/ikev2/multi-level-ca-revoked/test.conf   |   10 +-
 .../tests/ikev2/multi-level-ca-strict/pretest.dat  |    1 -
 .../tests/ikev2/multi-level-ca-strict/test.conf    |   10 +-
 testing/tests/ikev2/multi-level-ca/pretest.dat     |    1 -
 testing/tests/ikev2/multi-level-ca/test.conf       |   10 +-
 testing/tests/ikev2/nat-rw-mark/description.txt    |    2 +-
 testing/tests/ikev2/nat-rw-mark/evaltest.dat       |   20 +-
 .../ikev2/nat-rw-mark/hosts/sun/etc/iptables.rules |   24 +
 .../ikev2/nat-rw-mark/hosts/sun/etc/mark_updown    |   16 +-
 testing/tests/ikev2/nat-rw-mark/posttest.dat       |    9 +-
 testing/tests/ikev2/nat-rw-mark/pretest.dat        |   19 +-
 testing/tests/ikev2/nat-rw-mark/test.conf          |   10 +-
 testing/tests/ikev2/nat-rw-psk/evaltest.dat        |    8 +-
 .../ikev2/nat-rw-psk/hosts/sun/etc/iptables.rules  |   24 +
 testing/tests/ikev2/nat-rw-psk/posttest.dat        |    6 +-
 testing/tests/ikev2/nat-rw-psk/pretest.dat         |    7 +-
 testing/tests/ikev2/nat-rw-psk/test.conf           |   10 +-
 testing/tests/ikev2/nat-rw/evaltest.dat            |   14 +-
 .../ikev2/nat-rw/hosts/sun/etc/iptables.rules      |   24 +
 testing/tests/ikev2/nat-rw/posttest.dat            |    6 +-
 testing/tests/ikev2/nat-rw/pretest.dat             |    7 +-
 testing/tests/ikev2/nat-rw/test.conf               |   10 +-
 testing/tests/ikev2/nat-virtual-ip/evaltest.dat    |    2 +-
 testing/tests/ikev2/nat-virtual-ip/posttest.dat    |    4 +-
 testing/tests/ikev2/nat-virtual-ip/pretest.dat     |    5 +-
 testing/tests/ikev2/nat-virtual-ip/test.conf       |   10 +-
 testing/tests/ikev2/net2net-cert/evaltest.dat      |    2 +-
 testing/tests/ikev2/net2net-cert/posttest.dat      |    4 +-
 testing/tests/ikev2/net2net-cert/pretest.dat       |    4 +-
 testing/tests/ikev2/net2net-cert/test.conf         |   10 +-
 testing/tests/ikev2/net2net-esn/posttest.dat       |    4 +-
 testing/tests/ikev2/net2net-esn/pretest.dat        |    4 +-
 testing/tests/ikev2/net2net-esn/test.conf          |   10 +-
 testing/tests/ikev2/net2net-pgp-v3/evaltest.dat    |    2 +-
 testing/tests/ikev2/net2net-pgp-v3/posttest.dat    |    4 +-
 testing/tests/ikev2/net2net-pgp-v3/pretest.dat     |    4 +-
 testing/tests/ikev2/net2net-pgp-v3/test.conf       |   10 +-
 testing/tests/ikev2/net2net-pgp-v4/evaltest.dat    |    2 +-
 testing/tests/ikev2/net2net-pgp-v4/posttest.dat    |    4 +-
 testing/tests/ikev2/net2net-pgp-v4/pretest.dat     |    4 +-
 testing/tests/ikev2/net2net-pgp-v4/test.conf       |   10 +-
 testing/tests/ikev2/net2net-psk-dscp/evaltest.dat  |    4 +-
 testing/tests/ikev2/net2net-psk-dscp/posttest.dat  |    4 +-
 testing/tests/ikev2/net2net-psk-dscp/pretest.dat   |    4 +-
 testing/tests/ikev2/net2net-psk-dscp/test.conf     |   10 +-
 testing/tests/ikev2/net2net-psk-fail/posttest.dat  |    4 +-
 testing/tests/ikev2/net2net-psk-fail/pretest.dat   |    4 +-
 testing/tests/ikev2/net2net-psk-fail/test.conf     |   10 +-
 testing/tests/ikev2/net2net-psk/evaltest.dat       |    2 +-
 .../ikev2/net2net-psk/hosts/moon/etc/ipsec.secrets |    2 +-
 testing/tests/ikev2/net2net-psk/posttest.dat       |    4 +-
 testing/tests/ikev2/net2net-psk/pretest.dat        |    4 +-
 testing/tests/ikev2/net2net-psk/test.conf          |   10 +-
 testing/tests/ikev2/net2net-pubkey/evaltest.dat    |    2 +-
 testing/tests/ikev2/net2net-pubkey/posttest.dat    |    4 +-
 testing/tests/ikev2/net2net-pubkey/pretest.dat     |    4 +-
 testing/tests/ikev2/net2net-pubkey/test.conf       |   10 +-
 testing/tests/ikev2/net2net-rfc3779/evaltest.dat   |    6 +-
 testing/tests/ikev2/net2net-rfc3779/posttest.dat   |    4 +-
 testing/tests/ikev2/net2net-rfc3779/pretest.dat    |    4 +-
 testing/tests/ikev2/net2net-rfc3779/test.conf      |   10 +-
 testing/tests/ikev2/net2net-route/evaltest.dat     |    2 +-
 testing/tests/ikev2/net2net-route/posttest.dat     |    4 +-
 testing/tests/ikev2/net2net-route/pretest.dat      |    4 +-
 testing/tests/ikev2/net2net-route/test.conf        |   10 +-
 testing/tests/ikev2/net2net-rsa/evaltest.dat       |    2 +-
 testing/tests/ikev2/net2net-rsa/posttest.dat       |    4 +-
 testing/tests/ikev2/net2net-rsa/pretest.dat        |    4 +-
 testing/tests/ikev2/net2net-rsa/test.conf          |   10 +-
 testing/tests/ikev2/net2net-same-nets/evaltest.dat |    4 +-
 .../net2net-same-nets/hosts/sun/etc/mark_updown    |   24 +-
 testing/tests/ikev2/net2net-same-nets/posttest.dat |    4 +-
 testing/tests/ikev2/net2net-same-nets/pretest.dat  |    4 +-
 testing/tests/ikev2/net2net-same-nets/test.conf    |   10 +-
 testing/tests/ikev2/net2net-start/evaltest.dat     |    2 +-
 testing/tests/ikev2/net2net-start/posttest.dat     |    4 +-
 testing/tests/ikev2/net2net-start/pretest.dat      |    4 +-
 testing/tests/ikev2/net2net-start/test.conf        |   10 +-
 .../hosts/winnetou/etc/openssl/ocsp/ocsp.cgi       |    8 +-
 testing/tests/ikev2/ocsp-local-cert/test.conf      |   10 +-
 testing/tests/ikev2/ocsp-multi-level/pretest.dat   |    1 -
 testing/tests/ikev2/ocsp-multi-level/test.conf     |   10 +-
 .../hosts/winnetou/etc/openssl/ocsp/ocsp.cgi       |    8 +-
 testing/tests/ikev2/ocsp-no-signer-cert/test.conf  |   10 +-
 testing/tests/ikev2/ocsp-revoked/test.conf         |   10 +-
 .../hosts/winnetou/etc/openssl/ocsp/ocsp.cgi       |    8 +-
 testing/tests/ikev2/ocsp-root-cert/test.conf       |   10 +-
 testing/tests/ikev2/ocsp-signer-cert/test.conf     |   10 +-
 testing/tests/ikev2/ocsp-strict-ifuri/pretest.dat  |    1 -
 testing/tests/ikev2/ocsp-strict-ifuri/test.conf    |   10 +-
 .../hosts/winnetou/etc/openssl/ocsp/ocsp.cgi       |   10 +-
 testing/tests/ikev2/ocsp-timeouts-good/test.conf   |   10 +-
 .../tests/ikev2/ocsp-timeouts-unknown/test.conf    |   10 +-
 .../hosts/winnetou/etc/openssl/ocsp/ocsp.cgi       |    8 +-
 testing/tests/ikev2/ocsp-untrusted-cert/test.conf  |   10 +-
 testing/tests/ikev2/protoport-dual/evaltest.dat    |    4 +-
 testing/tests/ikev2/protoport-dual/posttest.dat    |    4 +-
 testing/tests/ikev2/protoport-dual/pretest.dat     |    4 +-
 testing/tests/ikev2/protoport-dual/test.conf       |   10 +-
 testing/tests/ikev2/protoport-route/evaltest.dat   |    4 +-
 testing/tests/ikev2/protoport-route/posttest.dat   |    4 +-
 testing/tests/ikev2/protoport-route/pretest.dat    |    4 +-
 testing/tests/ikev2/protoport-route/test.conf      |   10 +-
 testing/tests/ikev2/reauth-early/evaltest.dat      |    2 +-
 testing/tests/ikev2/reauth-early/posttest.dat      |    4 +-
 testing/tests/ikev2/reauth-early/pretest.dat       |    4 +-
 testing/tests/ikev2/reauth-early/test.conf         |   10 +-
 testing/tests/ikev2/reauth-late/evaltest.dat       |    2 +-
 testing/tests/ikev2/reauth-late/posttest.dat       |    4 +-
 testing/tests/ikev2/reauth-late/pretest.dat        |    4 +-
 testing/tests/ikev2/reauth-late/test.conf          |   10 +-
 testing/tests/ikev2/rw-cert/evaltest.dat           |    4 +-
 testing/tests/ikev2/rw-cert/posttest.dat           |    6 +-
 testing/tests/ikev2/rw-cert/pretest.dat            |    6 +-
 testing/tests/ikev2/rw-cert/test.conf              |   10 +-
 testing/tests/ikev2/rw-eap-aka-id-rsa/evaltest.dat |    2 +-
 testing/tests/ikev2/rw-eap-aka-id-rsa/posttest.dat |    4 +-
 testing/tests/ikev2/rw-eap-aka-id-rsa/pretest.dat  |    4 +-
 testing/tests/ikev2/rw-eap-aka-id-rsa/test.conf    |   10 +-
 testing/tests/ikev2/rw-eap-aka-rsa/evaltest.dat    |    2 +-
 testing/tests/ikev2/rw-eap-aka-rsa/posttest.dat    |    4 +-
 testing/tests/ikev2/rw-eap-aka-rsa/pretest.dat     |    4 +-
 testing/tests/ikev2/rw-eap-aka-rsa/test.conf       |   10 +-
 testing/tests/ikev2/rw-eap-dynamic/evaltest.dat    |    4 +-
 testing/tests/ikev2/rw-eap-dynamic/posttest.dat    |    6 +-
 testing/tests/ikev2/rw-eap-dynamic/pretest.dat     |    6 +-
 testing/tests/ikev2/rw-eap-dynamic/test.conf       |   10 +-
 .../ikev2/rw-eap-md5-class-radius/description.txt  |    9 +
 .../ikev2/rw-eap-md5-class-radius/evaltest.dat     |   26 +
 .../hosts/alice/etc/freeradius/eap.conf            |    5 +
 .../hosts/alice/etc/freeradius/proxy.conf          |    5 +
 .../alice/etc/freeradius/sites-available/default   |   42 +
 .../hosts/alice/etc/freeradius/users               |    4 +
 .../hosts/carol/etc/ipsec.conf                     |   29 +
 .../hosts/carol/etc/ipsec.secrets                  |    3 +
 .../hosts/carol/etc/strongswan.conf                |    5 +
 .../hosts/dave/etc/ipsec.conf                      |   29 +
 .../hosts/dave/etc/ipsec.secrets                   |    3 +
 .../hosts/dave/etc/strongswan.conf                 |    5 +
 .../hosts/moon/etc/ipsec.conf                      |   33 +
 .../hosts/moon/etc/ipsec.secrets                   |    3 +
 .../hosts/moon/etc/iptables.rules                  |   32 +
 .../hosts/moon/etc/strongswan.conf                 |   12 +
 .../ikev2/rw-eap-md5-class-radius/posttest.dat     |    7 +
 .../ikev2/rw-eap-md5-class-radius/pretest.dat      |   13 +
 .../tests/ikev2/rw-eap-md5-class-radius/test.conf  |   26 +
 .../tests/ikev2/rw-eap-md5-id-prompt/evaltest.dat  |    8 +-
 .../tests/ikev2/rw-eap-md5-id-prompt/posttest.dat  |    4 +-
 .../tests/ikev2/rw-eap-md5-id-prompt/pretest.dat   |    4 +-
 testing/tests/ikev2/rw-eap-md5-id-prompt/test.conf |   10 +-
 .../tests/ikev2/rw-eap-md5-id-radius/evaltest.dat  |    2 +-
 .../hosts/alice/etc/freeradius/eap.conf            |    5 +
 .../hosts/alice/etc/freeradius/proxy.conf          |    5 +
 .../alice/etc/freeradius/sites-available/default   |   42 +
 .../hosts/alice/etc/freeradius/users               |    1 +
 .../hosts/alice/etc/raddb/clients.conf             |    4 -
 .../hosts/alice/etc/raddb/eap.conf                 |    5 -
 .../hosts/alice/etc/raddb/proxy.conf               |    5 -
 .../hosts/alice/etc/raddb/radiusd.conf             |  120 -
 .../hosts/alice/etc/raddb/sites-available/default  |   43 -
 .../hosts/alice/etc/raddb/users                    |    1 -
 .../hosts/moon/etc/init.d/iptables                 |   84 -
 .../hosts/moon/etc/iptables.rules                  |   32 +
 .../tests/ikev2/rw-eap-md5-id-radius/posttest.dat  |    6 +-
 .../tests/ikev2/rw-eap-md5-id-radius/pretest.dat   |    6 +-
 testing/tests/ikev2/rw-eap-md5-id-radius/test.conf |   12 +-
 testing/tests/ikev2/rw-eap-md5-radius/evaltest.dat |    2 +-
 .../hosts/alice/etc/freeradius/eap.conf            |    5 +
 .../hosts/alice/etc/freeradius/proxy.conf          |    5 +
 .../alice/etc/freeradius/sites-available/default   |   43 +
 .../hosts/alice/etc/freeradius/users               |    1 +
 .../hosts/alice/etc/raddb/clients.conf             |    4 -
 .../hosts/alice/etc/raddb/eap.conf                 |    5 -
 .../hosts/alice/etc/raddb/proxy.conf               |    5 -
 .../hosts/alice/etc/raddb/radiusd.conf             |  120 -
 .../hosts/alice/etc/raddb/sites-available/default  |   44 -
 .../rw-eap-md5-radius/hosts/alice/etc/raddb/users  |    1 -
 .../hosts/moon/etc/init.d/iptables                 |   84 -
 .../hosts/moon/etc/iptables.rules                  |   32 +
 testing/tests/ikev2/rw-eap-md5-radius/posttest.dat |    6 +-
 testing/tests/ikev2/rw-eap-md5-radius/pretest.dat  |    6 +-
 testing/tests/ikev2/rw-eap-md5-radius/test.conf    |   12 +-
 testing/tests/ikev2/rw-eap-md5-rsa/evaltest.dat    |    2 +-
 testing/tests/ikev2/rw-eap-md5-rsa/posttest.dat    |    4 +-
 testing/tests/ikev2/rw-eap-md5-rsa/pretest.dat     |    4 +-
 testing/tests/ikev2/rw-eap-md5-rsa/test.conf       |   10 +-
 .../ikev2/rw-eap-mschapv2-id-rsa/evaltest.dat      |    6 +-
 .../ikev2/rw-eap-mschapv2-id-rsa/posttest.dat      |    4 +-
 .../tests/ikev2/rw-eap-mschapv2-id-rsa/pretest.dat |    4 +-
 .../tests/ikev2/rw-eap-mschapv2-id-rsa/test.conf   |   10 +-
 testing/tests/ikev2/rw-eap-peap-md5/evaltest.dat   |    2 +-
 testing/tests/ikev2/rw-eap-peap-md5/posttest.dat   |    6 +-
 testing/tests/ikev2/rw-eap-peap-md5/pretest.dat    |    6 +-
 testing/tests/ikev2/rw-eap-peap-md5/test.conf      |   10 +-
 .../tests/ikev2/rw-eap-peap-mschapv2/evaltest.dat  |    2 +-
 .../tests/ikev2/rw-eap-peap-mschapv2/posttest.dat  |    6 +-
 .../tests/ikev2/rw-eap-peap-mschapv2/pretest.dat   |    6 +-
 testing/tests/ikev2/rw-eap-peap-mschapv2/test.conf |   10 +-
 .../tests/ikev2/rw-eap-peap-radius/evaltest.dat    |    2 +-
 .../hosts/alice/etc/freeradius/eap.conf            |   18 +
 .../hosts/alice/etc/freeradius/proxy.conf          |    5 +
 .../alice/etc/freeradius/sites-available/default   |   43 +
 .../etc/freeradius/sites-available/inner-tunnel    |   32 +
 .../hosts/alice/etc/freeradius/users               |    2 +
 .../hosts/alice/etc/raddb/clients.conf             |    4 -
 .../hosts/alice/etc/raddb/eap.conf                 |   18 -
 .../hosts/alice/etc/raddb/proxy.conf               |    5 -
 .../hosts/alice/etc/raddb/radiusd.conf             |  120 -
 .../hosts/alice/etc/raddb/sites-available/default  |   44 -
 .../alice/etc/raddb/sites-available/inner-tunnel   |   32 -
 .../rw-eap-peap-radius/hosts/alice/etc/raddb/users |    2 -
 .../hosts/moon/etc/init.d/iptables                 |   84 -
 .../hosts/moon/etc/iptables.rules                  |   32 +
 .../tests/ikev2/rw-eap-peap-radius/posttest.dat    |    8 +-
 testing/tests/ikev2/rw-eap-peap-radius/pretest.dat |    8 +-
 testing/tests/ikev2/rw-eap-peap-radius/test.conf   |   12 +-
 .../tests/ikev2/rw-eap-sim-id-radius/evaltest.dat  |    2 +-
 .../hosts/alice/etc/freeradius/eap.conf            |    5 +
 .../hosts/alice/etc/freeradius/modules/sim_files   |    3 +
 .../hosts/alice/etc/freeradius/proxy.conf          |    5 +
 .../alice/etc/freeradius/sites-available/default   |   42 +
 .../hosts/alice/etc/freeradius/triplets.dat        |    3 +
 .../hosts/alice/etc/freeradius/users               |    0
 .../hosts/alice/etc/raddb/clients.conf             |    4 -
 .../hosts/alice/etc/raddb/eap.conf                 |    5 -
 .../hosts/alice/etc/raddb/proxy.conf               |    5 -
 .../hosts/alice/etc/raddb/radiusd.conf             |  123 -
 .../hosts/alice/etc/raddb/sites-available/default  |   43 -
 .../hosts/alice/etc/raddb/triplets.dat             |    3 -
 .../hosts/alice/etc/raddb/users                    |    0
 .../hosts/moon/etc/init.d/iptables                 |   84 -
 .../hosts/moon/etc/iptables.rules                  |   32 +
 .../tests/ikev2/rw-eap-sim-id-radius/posttest.dat  |    6 +-
 .../tests/ikev2/rw-eap-sim-id-radius/pretest.dat   |    8 +-
 testing/tests/ikev2/rw-eap-sim-id-radius/test.conf |   12 +-
 .../ikev2/rw-eap-sim-only-radius/evaltest.dat      |    4 +-
 .../hosts/alice/etc/freeradius/eap.conf            |    5 +
 .../hosts/alice/etc/freeradius/modules/sim_files   |    3 +
 .../hosts/alice/etc/freeradius/proxy.conf          |    5 +
 .../alice/etc/freeradius/sites-available/default   |   43 +
 .../hosts/alice/etc/freeradius/triplets.dat        |    6 +
 .../hosts/alice/etc/freeradius/users               |    0
 .../hosts/alice/etc/raddb/clients.conf             |    4 -
 .../hosts/alice/etc/raddb/eap.conf                 |    5 -
 .../hosts/alice/etc/raddb/proxy.conf               |    5 -
 .../hosts/alice/etc/raddb/radiusd.conf             |  123 -
 .../hosts/alice/etc/raddb/sites-available/default  |   44 -
 .../hosts/alice/etc/raddb/triplets.dat             |    7 -
 .../hosts/alice/etc/raddb/users                    |    0
 .../hosts/moon/etc/init.d/iptables                 |   84 -
 .../hosts/moon/etc/iptables.rules                  |   32 +
 .../ikev2/rw-eap-sim-only-radius/posttest.dat      |    8 +-
 .../tests/ikev2/rw-eap-sim-only-radius/pretest.dat |   10 +-
 .../tests/ikev2/rw-eap-sim-only-radius/test.conf   |   12 +-
 testing/tests/ikev2/rw-eap-sim-radius/evaltest.dat |    4 +-
 .../hosts/alice/etc/freeradius/eap.conf            |    5 +
 .../hosts/alice/etc/freeradius/proxy.conf          |    5 +
 .../alice/etc/freeradius/sites-available/default   |   61 +
 .../hosts/alice/etc/freeradius/triplets.dat        |    6 +
 .../hosts/alice/etc/freeradius/users               |    0
 .../hosts/alice/etc/raddb/clients.conf             |    4 -
 .../hosts/alice/etc/raddb/eap.conf                 |    5 -
 .../hosts/alice/etc/raddb/proxy.conf               |    5 -
 .../hosts/alice/etc/raddb/radiusd.conf             |  123 -
 .../hosts/alice/etc/raddb/sites-available/default  |   62 -
 .../hosts/alice/etc/raddb/triplets.dat             |    7 -
 .../rw-eap-sim-radius/hosts/alice/etc/raddb/users  |    0
 .../hosts/moon/etc/init.d/iptables                 |   84 -
 .../hosts/moon/etc/iptables.rules                  |   32 +
 testing/tests/ikev2/rw-eap-sim-radius/posttest.dat |    8 +-
 testing/tests/ikev2/rw-eap-sim-radius/pretest.dat  |   16 +-
 testing/tests/ikev2/rw-eap-sim-radius/test.conf    |   10 +-
 testing/tests/ikev2/rw-eap-sim-rsa/evaltest.dat    |    2 +-
 testing/tests/ikev2/rw-eap-sim-rsa/posttest.dat    |    4 +-
 testing/tests/ikev2/rw-eap-sim-rsa/pretest.dat     |    4 +-
 testing/tests/ikev2/rw-eap-sim-rsa/test.conf       |   10 +-
 .../tests/ikev2/rw-eap-tls-fragments/evaltest.dat  |    2 +-
 .../tests/ikev2/rw-eap-tls-fragments/posttest.dat  |    4 +-
 .../tests/ikev2/rw-eap-tls-fragments/pretest.dat   |    4 +-
 testing/tests/ikev2/rw-eap-tls-fragments/test.conf |   10 +-
 testing/tests/ikev2/rw-eap-tls-only/evaltest.dat   |    2 +-
 testing/tests/ikev2/rw-eap-tls-only/posttest.dat   |    4 +-
 testing/tests/ikev2/rw-eap-tls-only/pretest.dat    |    4 +-
 testing/tests/ikev2/rw-eap-tls-only/test.conf      |   10 +-
 testing/tests/ikev2/rw-eap-tls-radius/evaltest.dat |    2 +-
 .../hosts/alice/etc/freeradius/eap.conf            |   13 +
 .../hosts/alice/etc/freeradius/proxy.conf          |    5 +
 .../alice/etc/freeradius/sites-available/default   |   41 +
 .../hosts/alice/etc/freeradius/users               |    1 +
 .../hosts/alice/etc/raddb/clients.conf             |    4 -
 .../hosts/alice/etc/raddb/eap.conf                 |   13 -
 .../hosts/alice/etc/raddb/proxy.conf               |    5 -
 .../hosts/alice/etc/raddb/radiusd.conf             |  120 -
 .../hosts/alice/etc/raddb/sites-available/default  |   42 -
 .../rw-eap-tls-radius/hosts/alice/etc/raddb/users  |    1 -
 .../hosts/moon/etc/init.d/iptables                 |   84 -
 .../hosts/moon/etc/iptables.rules                  |   32 +
 testing/tests/ikev2/rw-eap-tls-radius/posttest.dat |    6 +-
 testing/tests/ikev2/rw-eap-tls-radius/pretest.dat  |    6 +-
 testing/tests/ikev2/rw-eap-tls-radius/test.conf    |   12 +-
 testing/tests/ikev2/rw-eap-ttls-only/evaltest.dat  |    2 +-
 testing/tests/ikev2/rw-eap-ttls-only/posttest.dat  |    6 +-
 testing/tests/ikev2/rw-eap-ttls-only/pretest.dat   |   10 +-
 testing/tests/ikev2/rw-eap-ttls-only/test.conf     |   10 +-
 .../rw-eap-ttls-phase2-piggyback/evaltest.dat      |    2 +-
 .../rw-eap-ttls-phase2-piggyback/posttest.dat      |    6 +-
 .../ikev2/rw-eap-ttls-phase2-piggyback/pretest.dat |    6 +-
 .../ikev2/rw-eap-ttls-phase2-piggyback/test.conf   |   10 +-
 .../tests/ikev2/rw-eap-ttls-radius/evaltest.dat    |    2 +-
 .../hosts/alice/etc/freeradius/eap.conf            |   18 +
 .../hosts/alice/etc/freeradius/proxy.conf          |    5 +
 .../alice/etc/freeradius/sites-available/default   |   43 +
 .../etc/freeradius/sites-available/inner-tunnel    |   32 +
 .../hosts/alice/etc/freeradius/users               |    2 +
 .../hosts/alice/etc/raddb/clients.conf             |    4 -
 .../hosts/alice/etc/raddb/eap.conf                 |   18 -
 .../hosts/alice/etc/raddb/proxy.conf               |    5 -
 .../hosts/alice/etc/raddb/radiusd.conf             |  120 -
 .../hosts/alice/etc/raddb/sites-available/default  |   44 -
 .../alice/etc/raddb/sites-available/inner-tunnel   |   32 -
 .../rw-eap-ttls-radius/hosts/alice/etc/raddb/users |    2 -
 .../hosts/moon/etc/init.d/iptables                 |   84 -
 .../hosts/moon/etc/iptables.rules                  |   32 +
 .../tests/ikev2/rw-eap-ttls-radius/posttest.dat    |    8 +-
 testing/tests/ikev2/rw-eap-ttls-radius/pretest.dat |    8 +-
 testing/tests/ikev2/rw-eap-ttls-radius/test.conf   |   12 +-
 testing/tests/ikev2/rw-hash-and-url/evaltest.dat   |    4 +-
 testing/tests/ikev2/rw-hash-and-url/posttest.dat   |    6 +-
 testing/tests/ikev2/rw-hash-and-url/pretest.dat    |    6 +-
 testing/tests/ikev2/rw-hash-and-url/test.conf      |   10 +-
 testing/tests/ikev2/rw-mark-in-out/description.txt |    4 +-
 testing/tests/ikev2/rw-mark-in-out/evaltest.dat    |    6 +-
 .../rw-mark-in-out/hosts/alice/etc/init.d/iptables |   77 -
 .../ikev2/rw-mark-in-out/hosts/sun/etc/mark_updown |   16 +-
 .../rw-mark-in-out/hosts/venus/etc/init.d/iptables |   77 -
 testing/tests/ikev2/rw-mark-in-out/posttest.dat    |    6 +-
 testing/tests/ikev2/rw-mark-in-out/pretest.dat     |   15 +-
 testing/tests/ikev2/rw-mark-in-out/test.conf       |   10 +-
 testing/tests/ikev2/rw-pkcs8/evaltest.dat          |    4 +-
 testing/tests/ikev2/rw-pkcs8/posttest.dat          |    6 +-
 testing/tests/ikev2/rw-pkcs8/pretest.dat           |    6 +-
 testing/tests/ikev2/rw-pkcs8/test.conf             |   10 +-
 testing/tests/ikev2/rw-psk-fqdn/evaltest.dat       |    4 +-
 testing/tests/ikev2/rw-psk-fqdn/posttest.dat       |    6 +-
 testing/tests/ikev2/rw-psk-fqdn/pretest.dat        |    6 +-
 testing/tests/ikev2/rw-psk-fqdn/test.conf          |   10 +-
 testing/tests/ikev2/rw-psk-ipv4/evaltest.dat       |   12 +-
 .../rw-psk-ipv4/hosts/carol/etc/ipsec.secrets      |    2 +-
 .../ikev2/rw-psk-ipv4/hosts/dave/etc/ipsec.secrets |    2 +-
 .../ikev2/rw-psk-ipv4/hosts/moon/etc/ipsec.secrets |    4 +-
 testing/tests/ikev2/rw-psk-ipv4/posttest.dat       |    6 +-
 testing/tests/ikev2/rw-psk-ipv4/pretest.dat        |    6 +-
 testing/tests/ikev2/rw-psk-ipv4/test.conf          |   10 +-
 testing/tests/ikev2/rw-psk-no-idr/evaltest.dat     |    4 +-
 testing/tests/ikev2/rw-psk-no-idr/posttest.dat     |    6 +-
 testing/tests/ikev2/rw-psk-no-idr/pretest.dat      |    6 +-
 testing/tests/ikev2/rw-psk-no-idr/test.conf        |   10 +-
 testing/tests/ikev2/rw-psk-rsa-mixed/evaltest.dat  |    6 +-
 testing/tests/ikev2/rw-psk-rsa-mixed/posttest.dat  |    6 +-
 testing/tests/ikev2/rw-psk-rsa-mixed/pretest.dat   |    6 +-
 testing/tests/ikev2/rw-psk-rsa-mixed/test.conf     |   10 +-
 testing/tests/ikev2/rw-psk-rsa-split/evaltest.dat  |    4 +-
 testing/tests/ikev2/rw-psk-rsa-split/posttest.dat  |    6 +-
 testing/tests/ikev2/rw-psk-rsa-split/pretest.dat   |    6 +-
 testing/tests/ikev2/rw-psk-rsa-split/test.conf     |   10 +-
 .../tests/ikev2/rw-radius-accounting/evaltest.dat  |    6 +-
 .../hosts/alice/etc/freeradius/eap.conf            |    5 +
 .../hosts/alice/etc/freeradius/proxy.conf          |    5 +
 .../alice/etc/freeradius/sites-available/default   |   42 +
 .../hosts/alice/etc/freeradius/users               |    1 +
 .../hosts/alice/etc/raddb/clients.conf             |    4 -
 .../hosts/alice/etc/raddb/eap.conf                 |    5 -
 .../hosts/alice/etc/raddb/proxy.conf               |    5 -
 .../hosts/alice/etc/raddb/radiusd.conf             |  120 -
 .../hosts/alice/etc/raddb/sites-available/default  |   43 -
 .../hosts/alice/etc/raddb/users                    |    1 -
 .../hosts/moon/etc/init.d/iptables                 |   88 -
 .../hosts/moon/etc/iptables.rules                  |   36 +
 .../tests/ikev2/rw-radius-accounting/posttest.dat  |    9 +-
 .../tests/ikev2/rw-radius-accounting/pretest.dat   |    8 +-
 testing/tests/ikev2/rw-radius-accounting/test.conf |   12 +-
 testing/tests/ikev2/rw-whitelist/evaltest.dat      |    4 +-
 testing/tests/ikev2/rw-whitelist/posttest.dat      |    6 +-
 testing/tests/ikev2/rw-whitelist/pretest.dat       |    6 +-
 testing/tests/ikev2/rw-whitelist/test.conf         |   10 +-
 testing/tests/ikev2/shunt-policies/evaltest.dat    |   20 +-
 .../shunt-policies/hosts/moon/etc/init.d/iptables  |   84 -
 .../ikev2/shunt-policies/hosts/moon/etc/ipsec.conf |    2 +-
 .../shunt-policies/hosts/moon/etc/iptables.rules   |   32 +
 testing/tests/ikev2/shunt-policies/posttest.dat    |    4 +-
 testing/tests/ikev2/shunt-policies/pretest.dat     |    4 +-
 testing/tests/ikev2/shunt-policies/test.conf       |   10 +-
 testing/tests/ikev2/strong-keys-certs/evaltest.dat |    4 +-
 testing/tests/ikev2/strong-keys-certs/posttest.dat |    6 +-
 testing/tests/ikev2/strong-keys-certs/pretest.dat  |    6 +-
 testing/tests/ikev2/strong-keys-certs/test.conf    |   10 +-
 testing/tests/ikev2/two-certs/evaltest.dat         |    4 +-
 .../ikev2/two-certs/hosts/carol/etc/ipsec.conf     |    4 +-
 .../ikev2/two-certs/hosts/moon/etc/ipsec.conf      |    4 +-
 testing/tests/ikev2/two-certs/posttest.dat         |    4 +-
 testing/tests/ikev2/two-certs/pretest.dat          |    4 +-
 testing/tests/ikev2/two-certs/test.conf            |   10 +-
 .../tests/ikev2/virtual-ip-override/posttest.dat   |    6 +-
 .../tests/ikev2/virtual-ip-override/pretest.dat    |    6 +-
 testing/tests/ikev2/virtual-ip-override/test.conf  |   10 +-
 testing/tests/ikev2/virtual-ip/evaltest.dat        |   12 +-
 testing/tests/ikev2/virtual-ip/posttest.dat        |    6 +-
 testing/tests/ikev2/virtual-ip/pretest.dat         |    6 +-
 testing/tests/ikev2/virtual-ip/test.conf           |   10 +-
 testing/tests/ikev2/wildcards/pretest.dat          |    1 -
 testing/tests/ikev2/wildcards/test.conf            |   10 +-
 .../host2host-ikev1/hosts/moon/etc/init.d/iptables |  108 -
 .../host2host-ikev1/hosts/sun/etc/init.d/iptables  |  108 -
 testing/tests/ipv6/host2host-ikev1/posttest.dat    |    6 +-
 testing/tests/ipv6/host2host-ikev1/pretest.dat     |   10 +-
 testing/tests/ipv6/host2host-ikev1/test.conf       |   10 +-
 .../host2host-ikev2/hosts/moon/etc/init.d/iptables |  104 -
 .../host2host-ikev2/hosts/sun/etc/init.d/iptables  |  104 -
 testing/tests/ipv6/host2host-ikev2/posttest.dat    |    6 +-
 testing/tests/ipv6/host2host-ikev2/pretest.dat     |   10 +-
 testing/tests/ipv6/host2host-ikev2/test.conf       |   10 +-
 .../net2net-ikev1/hosts/moon/etc/init.d/iptables   |  108 -
 .../net2net-ikev1/hosts/sun/etc/init.d/iptables    |  108 -
 testing/tests/ipv6/net2net-ikev1/posttest.dat      |    6 +-
 testing/tests/ipv6/net2net-ikev1/pretest.dat       |   10 +-
 testing/tests/ipv6/net2net-ikev1/test.conf         |   10 +-
 .../net2net-ikev2/hosts/moon/etc/init.d/iptables   |  104 -
 .../net2net-ikev2/hosts/sun/etc/init.d/iptables    |  104 -
 testing/tests/ipv6/net2net-ikev2/posttest.dat      |    6 +-
 testing/tests/ipv6/net2net-ikev2/pretest.dat       |   10 +-
 testing/tests/ipv6/net2net-ikev2/test.conf         |   10 +-
 .../ipv6/net2net-ip4-in-ip6-ikev1/evaltest.dat     |    2 +-
 .../hosts/moon/etc/init.d/iptables                 |  108 -
 .../hosts/sun/etc/init.d/iptables                  |  108 -
 .../ipv6/net2net-ip4-in-ip6-ikev1/posttest.dat     |    6 +-
 .../ipv6/net2net-ip4-in-ip6-ikev1/pretest.dat      |   10 +-
 .../tests/ipv6/net2net-ip4-in-ip6-ikev1/test.conf  |   10 +-
 .../ipv6/net2net-ip4-in-ip6-ikev2/evaltest.dat     |    2 +-
 .../hosts/moon/etc/init.d/iptables                 |  104 -
 .../hosts/sun/etc/init.d/iptables                  |  104 -
 .../ipv6/net2net-ip4-in-ip6-ikev2/posttest.dat     |    6 +-
 .../ipv6/net2net-ip4-in-ip6-ikev2/pretest.dat      |   10 +-
 .../tests/ipv6/net2net-ip4-in-ip6-ikev2/test.conf  |   10 +-
 .../hosts/moon/etc/init.d/iptables                 |  104 -
 .../hosts/moon/etc/ip6tables.rules                 |   20 +
 .../hosts/sun/etc/init.d/iptables                  |  108 -
 .../hosts/sun/etc/ip6tables.rules                  |   20 +
 .../ipv6/net2net-ip6-in-ip4-ikev1/posttest.dat     |   10 +-
 .../ipv6/net2net-ip6-in-ip4-ikev1/pretest.dat      |   14 +-
 .../tests/ipv6/net2net-ip6-in-ip4-ikev1/test.conf  |   10 +-
 .../hosts/moon/etc/init.d/iptables                 |  104 -
 .../hosts/moon/etc/ip6tables.rules                 |   20 +
 .../hosts/sun/etc/init.d/iptables                  |  108 -
 .../hosts/sun/etc/ip6tables.rules                  |   20 +
 .../ipv6/net2net-ip6-in-ip4-ikev2/posttest.dat     |   10 +-
 .../ipv6/net2net-ip6-in-ip4-ikev2/pretest.dat      |   14 +-
 .../tests/ipv6/net2net-ip6-in-ip4-ikev2/test.conf  |   10 +-
 .../hosts/moon/etc/init.d/iptables                 |  104 -
 .../hosts/sun/etc/init.d/iptables                  |  104 -
 .../tests/ipv6/net2net-rfc3779-ikev2/posttest.dat  |    6 +-
 .../tests/ipv6/net2net-rfc3779-ikev2/pretest.dat   |   10 +-
 testing/tests/ipv6/net2net-rfc3779-ikev2/test.conf |   10 +-
 .../ipv6/rw-ikev1/hosts/carol/etc/init.d/iptables  |  104 -
 .../ipv6/rw-ikev1/hosts/dave/etc/init.d/iptables   |  104 -
 .../ipv6/rw-ikev1/hosts/moon/etc/init.d/iptables   |  108 -
 testing/tests/ipv6/rw-ikev1/posttest.dat           |    9 +-
 testing/tests/ipv6/rw-ikev1/pretest.dat            |   14 +-
 testing/tests/ipv6/rw-ikev1/test.conf              |   10 +-
 .../ipv6/rw-ikev2/hosts/carol/etc/init.d/iptables  |  104 -
 .../ipv6/rw-ikev2/hosts/dave/etc/init.d/iptables   |  104 -
 .../ipv6/rw-ikev2/hosts/moon/etc/init.d/iptables   |  104 -
 testing/tests/ipv6/rw-ikev2/posttest.dat           |    9 +-
 testing/tests/ipv6/rw-ikev2/pretest.dat            |   14 +-
 testing/tests/ipv6/rw-ikev2/test.conf              |   10 +-
 .../hosts/carol/etc/init.d/iptables                |   96 -
 .../hosts/carol/etc/ip6tables.rules                |   20 +
 .../hosts/dave/etc/init.d/iptables                 |   96 -
 .../hosts/dave/etc/ip6tables.rules                 |   20 +
 .../hosts/moon/etc/init.d/iptables                 |  104 -
 .../hosts/moon/etc/ip6tables.rules                 |   20 +
 .../tests/ipv6/rw-ip6-in-ip4-ikev1/posttest.dat    |    9 +-
 testing/tests/ipv6/rw-ip6-in-ip4-ikev1/pretest.dat |   14 +-
 .../rw-ip6-in-ip4-ikev1/description.txt            |   10 -
 .../rw-ip6-in-ip4-ikev1/evaltest.dat               |   15 -
 .../rw-ip6-in-ip4-ikev1/posttest.dat               |    7 -
 .../rw-ip6-in-ip4-ikev1/pretest.dat                |   11 -
 .../rw-ip6-in-ip4-ikev1/test.conf                  |   21 -
 testing/tests/ipv6/rw-ip6-in-ip4-ikev1/test.conf   |   10 +-
 .../hosts/carol/etc/init.d/iptables                |   96 -
 .../hosts/carol/etc/ip6tables.rules                |   20 +
 .../hosts/dave/etc/init.d/iptables                 |   96 -
 .../hosts/dave/etc/ip6tables.rules                 |   20 +
 .../hosts/moon/etc/init.d/iptables                 |  104 -
 .../hosts/moon/etc/ip6tables.rules                 |   20 +
 .../tests/ipv6/rw-ip6-in-ip4-ikev2/posttest.dat    |    9 +-
 testing/tests/ipv6/rw-ip6-in-ip4-ikev2/pretest.dat |   14 +-
 testing/tests/ipv6/rw-ip6-in-ip4-ikev2/test.conf   |   10 +-
 .../rw-psk-ikev1/hosts/carol/etc/init.d/iptables   |  100 -
 .../rw-psk-ikev1/hosts/dave/etc/init.d/iptables    |  100 -
 .../rw-psk-ikev1/hosts/moon/etc/init.d/iptables    |  100 -
 testing/tests/ipv6/rw-psk-ikev1/posttest.dat       |    9 +-
 testing/tests/ipv6/rw-psk-ikev1/pretest.dat        |   14 +-
 testing/tests/ipv6/rw-psk-ikev1/test.conf          |   10 +-
 .../rw-psk-ikev2/hosts/carol/etc/init.d/iptables   |  100 -
 .../rw-psk-ikev2/hosts/dave/etc/init.d/iptables    |  100 -
 .../rw-psk-ikev2/hosts/moon/etc/init.d/iptables    |  100 -
 testing/tests/ipv6/rw-psk-ikev2/posttest.dat       |    9 +-
 testing/tests/ipv6/rw-psk-ikev2/pretest.dat        |   14 +-
 testing/tests/ipv6/rw-psk-ikev2/test.conf          |   10 +-
 .../hosts/carol/etc/init.d/iptables                |  104 -
 .../hosts/dave/etc/init.d/iptables                 |  104 -
 .../hosts/moon/etc/init.d/iptables                 |  104 -
 testing/tests/ipv6/rw-rfc3779-ikev2/posttest.dat   |    9 +-
 testing/tests/ipv6/rw-rfc3779-ikev2/pretest.dat    |   14 +-
 testing/tests/ipv6/rw-rfc3779-ikev2/test.conf      |   10 +-
 .../transport-ikev1/hosts/moon/etc/init.d/iptables |  108 -
 .../transport-ikev1/hosts/sun/etc/init.d/iptables  |  108 -
 testing/tests/ipv6/transport-ikev1/posttest.dat    |    6 +-
 testing/tests/ipv6/transport-ikev1/pretest.dat     |   10 +-
 testing/tests/ipv6/transport-ikev1/test.conf       |   10 +-
 .../transport-ikev2/hosts/moon/etc/init.d/iptables |  104 -
 .../transport-ikev2/hosts/sun/etc/init.d/iptables  |  104 -
 testing/tests/ipv6/transport-ikev2/posttest.dat    |    6 +-
 testing/tests/ipv6/transport-ikev2/pretest.dat     |   10 +-
 testing/tests/ipv6/transport-ikev2/test.conf       |   10 +-
 .../tests/openssl-ikev1/alg-camellia/evaltest.dat  |    2 +-
 .../tests/openssl-ikev1/alg-camellia/posttest.dat  |    4 +-
 .../tests/openssl-ikev1/alg-camellia/pretest.dat   |    4 +-
 testing/tests/openssl-ikev1/alg-camellia/test.conf |   10 +-
 .../tests/openssl-ikev1/alg-ecp-high/evaltest.dat  |    4 +-
 .../tests/openssl-ikev1/alg-ecp-high/posttest.dat  |    6 +-
 .../tests/openssl-ikev1/alg-ecp-high/pretest.dat   |    6 +-
 testing/tests/openssl-ikev1/alg-ecp-high/test.conf |   10 +-
 .../tests/openssl-ikev1/alg-ecp-low/evaltest.dat   |    4 +-
 .../tests/openssl-ikev1/alg-ecp-low/posttest.dat   |    6 +-
 .../tests/openssl-ikev1/alg-ecp-low/pretest.dat    |    6 +-
 testing/tests/openssl-ikev1/alg-ecp-low/test.conf  |   10 +-
 .../tests/openssl-ikev1/ecdsa-certs/evaltest.dat   |    4 +-
 .../tests/openssl-ikev1/ecdsa-certs/posttest.dat   |    6 +-
 .../tests/openssl-ikev1/ecdsa-certs/pretest.dat    |    6 +-
 testing/tests/openssl-ikev1/ecdsa-certs/test.conf  |   10 +-
 .../tests/openssl-ikev2/alg-blowfish/evaltest.dat  |    4 +-
 .../tests/openssl-ikev2/alg-blowfish/posttest.dat  |    6 +-
 .../tests/openssl-ikev2/alg-blowfish/pretest.dat   |    6 +-
 testing/tests/openssl-ikev2/alg-blowfish/test.conf |   10 +-
 .../tests/openssl-ikev2/alg-camellia/evaltest.dat  |    2 +-
 .../tests/openssl-ikev2/alg-camellia/posttest.dat  |    4 +-
 .../tests/openssl-ikev2/alg-camellia/pretest.dat   |    4 +-
 testing/tests/openssl-ikev2/alg-camellia/test.conf |   10 +-
 .../tests/openssl-ikev2/alg-ecp-high/evaltest.dat  |    4 +-
 .../tests/openssl-ikev2/alg-ecp-high/posttest.dat  |    6 +-
 .../tests/openssl-ikev2/alg-ecp-high/pretest.dat   |    6 +-
 testing/tests/openssl-ikev2/alg-ecp-high/test.conf |   10 +-
 .../tests/openssl-ikev2/alg-ecp-low/evaltest.dat   |    4 +-
 .../tests/openssl-ikev2/alg-ecp-low/posttest.dat   |    6 +-
 .../tests/openssl-ikev2/alg-ecp-low/pretest.dat    |    6 +-
 testing/tests/openssl-ikev2/alg-ecp-low/test.conf  |   10 +-
 .../openssl-ikev2/critical-extension/posttest.dat  |    4 +-
 .../openssl-ikev2/critical-extension/pretest.dat   |    4 +-
 .../openssl-ikev2/critical-extension/test.conf     |   10 +-
 .../tests/openssl-ikev2/ecdsa-certs/evaltest.dat   |    4 +-
 .../tests/openssl-ikev2/ecdsa-certs/posttest.dat   |    6 +-
 .../tests/openssl-ikev2/ecdsa-certs/pretest.dat    |    6 +-
 testing/tests/openssl-ikev2/ecdsa-certs/test.conf  |   10 +-
 .../tests/openssl-ikev2/ecdsa-pkcs8/evaltest.dat   |    4 +-
 .../tests/openssl-ikev2/ecdsa-pkcs8/posttest.dat   |    6 +-
 .../tests/openssl-ikev2/ecdsa-pkcs8/pretest.dat    |    6 +-
 testing/tests/openssl-ikev2/ecdsa-pkcs8/test.conf  |   10 +-
 testing/tests/openssl-ikev2/rw-cert/evaltest.dat   |    4 +-
 testing/tests/openssl-ikev2/rw-cert/posttest.dat   |    6 +-
 testing/tests/openssl-ikev2/rw-cert/pretest.dat    |    6 +-
 testing/tests/openssl-ikev2/rw-cert/test.conf      |   10 +-
 .../openssl-ikev2/rw-eap-tls-only/evaltest.dat     |    2 +-
 .../openssl-ikev2/rw-eap-tls-only/posttest.dat     |    4 +-
 .../openssl-ikev2/rw-eap-tls-only/pretest.dat      |    4 +-
 .../tests/openssl-ikev2/rw-eap-tls-only/test.conf  |   10 +-
 testing/tests/p2pnat/behind-same-nat/evaltest.dat  |    4 +-
 .../hosts/alice/etc/init.d/iptables                |   78 -
 .../behind-same-nat/hosts/alice/etc/iptables.rules |   28 +
 .../hosts/carol/etc/init.d/iptables                |   77 -
 .../behind-same-nat/hosts/carol/etc/iptables.rules |   24 +
 .../hosts/venus/etc/init.d/iptables                |   78 -
 .../behind-same-nat/hosts/venus/etc/iptables.rules |   28 +
 testing/tests/p2pnat/behind-same-nat/posttest.dat  |    8 +-
 testing/tests/p2pnat/behind-same-nat/pretest.dat   |   12 +-
 testing/tests/p2pnat/behind-same-nat/test.conf     |   10 +-
 testing/tests/p2pnat/medsrv-psk/evaltest.dat       |    4 +-
 .../medsrv-psk/hosts/alice/etc/init.d/iptables     |   74 -
 .../medsrv-psk/hosts/alice/etc/iptables.rules      |   24 +
 .../p2pnat/medsrv-psk/hosts/bob/etc/iptables.rules |   24 +
 .../medsrv-psk/hosts/carol/etc/init.d/iptables     |   77 -
 .../medsrv-psk/hosts/carol/etc/iptables.rules      |   24 +
 testing/tests/p2pnat/medsrv-psk/posttest.dat       |   10 +-
 testing/tests/p2pnat/medsrv-psk/pretest.dat        |   14 +-
 testing/tests/p2pnat/medsrv-psk/test.conf          |   10 +-
 testing/tests/pfkey/alg-aes-xcbc/evaltest.dat      |    6 +-
 testing/tests/pfkey/alg-aes-xcbc/posttest.dat      |    4 +-
 testing/tests/pfkey/alg-aes-xcbc/pretest.dat       |    4 +-
 testing/tests/pfkey/alg-aes-xcbc/test.conf         |   10 +-
 testing/tests/pfkey/alg-sha384/evaltest.dat        |    6 +-
 testing/tests/pfkey/alg-sha384/posttest.dat        |    4 +-
 testing/tests/pfkey/alg-sha384/pretest.dat         |    4 +-
 testing/tests/pfkey/alg-sha384/test.conf           |   10 +-
 testing/tests/pfkey/alg-sha512/evaltest.dat        |    6 +-
 testing/tests/pfkey/alg-sha512/posttest.dat        |    4 +-
 testing/tests/pfkey/alg-sha512/pretest.dat         |    4 +-
 testing/tests/pfkey/alg-sha512/test.conf           |   10 +-
 testing/tests/pfkey/esp-alg-null/evaltest.dat      |    2 +-
 testing/tests/pfkey/esp-alg-null/posttest.dat      |    4 +-
 testing/tests/pfkey/esp-alg-null/pretest.dat       |    4 +-
 testing/tests/pfkey/esp-alg-null/test.conf         |   10 +-
 .../tests/pfkey/host2host-transport/evaltest.dat   |    2 +-
 .../tests/pfkey/host2host-transport/posttest.dat   |    4 +-
 .../tests/pfkey/host2host-transport/pretest.dat    |    4 +-
 testing/tests/pfkey/host2host-transport/test.conf  |   10 +-
 testing/tests/pfkey/nat-rw/evaltest.dat            |    8 +-
 .../pfkey/nat-rw/hosts/sun/etc/iptables.rules      |   24 +
 testing/tests/pfkey/nat-rw/posttest.dat            |    6 +-
 testing/tests/pfkey/nat-rw/pretest.dat             |    7 +-
 testing/tests/pfkey/nat-rw/test.conf               |   10 +-
 testing/tests/pfkey/net2net-route/evaltest.dat     |    2 +-
 testing/tests/pfkey/net2net-route/posttest.dat     |    4 +-
 testing/tests/pfkey/net2net-route/pretest.dat      |    4 +-
 testing/tests/pfkey/net2net-route/test.conf        |   10 +-
 testing/tests/pfkey/protoport-dual/evaltest.dat    |    4 +-
 testing/tests/pfkey/protoport-dual/posttest.dat    |    4 +-
 testing/tests/pfkey/protoport-dual/pretest.dat     |    4 +-
 testing/tests/pfkey/protoport-dual/test.conf       |   10 +-
 testing/tests/pfkey/protoport-route/evaltest.dat   |    4 +-
 testing/tests/pfkey/protoport-route/posttest.dat   |    4 +-
 testing/tests/pfkey/protoport-route/pretest.dat    |    4 +-
 testing/tests/pfkey/protoport-route/test.conf      |   10 +-
 testing/tests/pfkey/rw-cert/evaltest.dat           |    4 +-
 testing/tests/pfkey/rw-cert/posttest.dat           |    6 +-
 testing/tests/pfkey/rw-cert/pretest.dat            |    6 +-
 testing/tests/pfkey/rw-cert/test.conf              |   10 +-
 testing/tests/pfkey/shunt-policies/evaltest.dat    |   20 +-
 .../shunt-policies/hosts/moon/etc/init.d/iptables  |   84 -
 .../shunt-policies/hosts/moon/etc/iptables.rules   |   32 +
 testing/tests/pfkey/shunt-policies/posttest.dat    |    4 +-
 testing/tests/pfkey/shunt-policies/pretest.dat     |    4 +-
 testing/tests/pfkey/shunt-policies/test.conf       |   10 +-
 testing/tests/sql/ip-pool-db-expired/evaltest.dat  |    4 +-
 testing/tests/sql/ip-pool-db-expired/posttest.dat  |    6 +-
 testing/tests/sql/ip-pool-db-expired/pretest.dat   |    6 +-
 testing/tests/sql/ip-pool-db-expired/test.conf     |   10 +-
 testing/tests/sql/ip-pool-db-restart/evaltest.dat  |    4 +-
 testing/tests/sql/ip-pool-db-restart/posttest.dat  |    6 +-
 testing/tests/sql/ip-pool-db-restart/pretest.dat   |    6 +-
 testing/tests/sql/ip-pool-db-restart/test.conf     |   10 +-
 testing/tests/sql/ip-pool-db/evaltest.dat          |    4 +-
 testing/tests/sql/ip-pool-db/posttest.dat          |    6 +-
 testing/tests/sql/ip-pool-db/pretest.dat           |    6 +-
 testing/tests/sql/ip-pool-db/test.conf             |   10 +-
 .../tests/sql/ip-split-pools-db-restart/test.conf  |   10 +-
 testing/tests/sql/ip-split-pools-db/test.conf      |   10 +-
 testing/tests/sql/multi-level-ca/evaltest.dat      |    4 +-
 testing/tests/sql/multi-level-ca/posttest.dat      |    6 +-
 testing/tests/sql/multi-level-ca/pretest.dat       |    6 +-
 testing/tests/sql/multi-level-ca/test.conf         |   10 +-
 testing/tests/sql/net2net-cert/evaltest.dat        |    2 +-
 testing/tests/sql/net2net-cert/posttest.dat        |    4 +-
 testing/tests/sql/net2net-cert/pretest.dat         |    4 +-
 testing/tests/sql/net2net-cert/test.conf           |   10 +-
 testing/tests/sql/net2net-psk/evaltest.dat         |    2 +-
 testing/tests/sql/net2net-psk/posttest.dat         |    4 +-
 testing/tests/sql/net2net-psk/pretest.dat          |    4 +-
 testing/tests/sql/net2net-psk/test.conf            |   10 +-
 testing/tests/sql/net2net-route-pem/evaltest.dat   |    4 +-
 testing/tests/sql/net2net-route-pem/posttest.dat   |    4 +-
 testing/tests/sql/net2net-route-pem/pretest.dat    |    4 +-
 testing/tests/sql/net2net-route-pem/test.conf      |   10 +-
 testing/tests/sql/net2net-start-pem/evaltest.dat   |    4 +-
 testing/tests/sql/net2net-start-pem/posttest.dat   |    4 +-
 testing/tests/sql/net2net-start-pem/pretest.dat    |    4 +-
 testing/tests/sql/net2net-start-pem/test.conf      |   10 +-
 testing/tests/sql/rw-cert/evaltest.dat             |    4 +-
 testing/tests/sql/rw-cert/posttest.dat             |    6 +-
 testing/tests/sql/rw-cert/pretest.dat              |    6 +-
 testing/tests/sql/rw-cert/test.conf                |   10 +-
 testing/tests/sql/rw-eap-aka-rsa/evaltest.dat      |    2 +-
 testing/tests/sql/rw-eap-aka-rsa/posttest.dat      |    4 +-
 testing/tests/sql/rw-eap-aka-rsa/pretest.dat       |    4 +-
 testing/tests/sql/rw-eap-aka-rsa/test.conf         |   10 +-
 testing/tests/sql/rw-psk-ipv4/evaltest.dat         |    4 +-
 testing/tests/sql/rw-psk-ipv4/posttest.dat         |    6 +-
 testing/tests/sql/rw-psk-ipv4/pretest.dat          |    6 +-
 testing/tests/sql/rw-psk-ipv4/test.conf            |   10 +-
 .../rw-psk-ipv6/hosts/carol/etc/init.d/iptables    |  107 -
 .../sql/rw-psk-ipv6/hosts/carol/etc/iptables.rules |   16 +
 .../sql/rw-psk-ipv6/hosts/dave/etc/init.d/iptables |  107 -
 .../sql/rw-psk-ipv6/hosts/dave/etc/iptables.rules  |   16 +
 .../sql/rw-psk-ipv6/hosts/moon/etc/init.d/iptables |  107 -
 .../sql/rw-psk-ipv6/hosts/moon/etc/iptables.rules  |   16 +
 testing/tests/sql/rw-psk-ipv6/posttest.dat         |    9 +-
 testing/tests/sql/rw-psk-ipv6/pretest.dat          |    9 +-
 testing/tests/sql/rw-psk-ipv6/test.conf            |   10 +-
 testing/tests/sql/rw-psk-rsa-split/evaltest.dat    |    4 +-
 testing/tests/sql/rw-psk-rsa-split/posttest.dat    |    6 +-
 testing/tests/sql/rw-psk-rsa-split/pretest.dat     |    6 +-
 testing/tests/sql/rw-psk-rsa-split/test.conf       |   10 +-
 testing/tests/sql/rw-rsa-keyid/evaltest.dat        |    4 +-
 testing/tests/sql/rw-rsa-keyid/posttest.dat        |    6 +-
 testing/tests/sql/rw-rsa-keyid/pretest.dat         |    6 +-
 testing/tests/sql/rw-rsa-keyid/test.conf           |   10 +-
 testing/tests/sql/rw-rsa/evaltest.dat              |    4 +-
 testing/tests/sql/rw-rsa/posttest.dat              |    6 +-
 testing/tests/sql/rw-rsa/pretest.dat               |    6 +-
 testing/tests/sql/rw-rsa/test.conf                 |   10 +-
 testing/tests/sql/shunt-policies/evaltest.dat      |   20 +-
 .../shunt-policies/hosts/moon/etc/init.d/iptables  |   84 -
 .../shunt-policies/hosts/moon/etc/iptables.rules   |   32 +
 testing/tests/sql/shunt-policies/posttest.dat      |    4 +-
 testing/tests/sql/shunt-policies/pretest.dat       |    4 +-
 testing/tests/sql/shunt-policies/test.conf         |   10 +-
 testing/tests/tnc/tnccs-11-fhh/evaltest.dat        |   12 +-
 testing/tests/tnc/tnccs-11-fhh/posttest.dat        |    6 +-
 testing/tests/tnc/tnccs-11-fhh/pretest.dat         |    6 +-
 testing/tests/tnc/tnccs-11-fhh/test.conf           |   12 +-
 .../tests/tnc/tnccs-11-radius-block/evaltest.dat   |    4 +-
 .../hosts/alice/etc/freeradius/eap.conf            |   25 +
 .../hosts/alice/etc/freeradius/proxy.conf          |    5 +
 .../alice/etc/freeradius/sites-available/default   |   43 +
 .../etc/freeradius/sites-available/inner-tunnel    |   32 +
 .../freeradius/sites-available/inner-tunnel-second |   23 +
 .../hosts/alice/etc/freeradius/users               |    2 +
 .../hosts/alice/etc/raddb/clients.conf             |    4 -
 .../hosts/alice/etc/raddb/dictionary               |    2 -
 .../hosts/alice/etc/raddb/dictionary.tnc           |    5 -
 .../hosts/alice/etc/raddb/eap.conf                 |   25 -
 .../hosts/alice/etc/raddb/proxy.conf               |    5 -
 .../hosts/alice/etc/raddb/radiusd.conf             |  120 -
 .../hosts/alice/etc/raddb/sites-available/default  |   44 -
 .../alice/etc/raddb/sites-available/inner-tunnel   |   32 -
 .../etc/raddb/sites-available/inner-tunnel-second  |   23 -
 .../hosts/alice/etc/raddb/users                    |    2 -
 .../hosts/moon/etc/init.d/iptables                 |   84 -
 .../hosts/moon/etc/iptables.rules                  |   32 +
 .../tests/tnc/tnccs-11-radius-block/posttest.dat   |    8 +-
 .../tests/tnc/tnccs-11-radius-block/pretest.dat    |   10 +-
 testing/tests/tnc/tnccs-11-radius-block/test.conf  |   12 +-
 testing/tests/tnc/tnccs-11-radius/evaltest.dat     |   12 +-
 .../hosts/alice/etc/freeradius/eap.conf            |   25 +
 .../hosts/alice/etc/freeradius/proxy.conf          |    5 +
 .../alice/etc/freeradius/sites-available/default   |   43 +
 .../etc/freeradius/sites-available/inner-tunnel    |   32 +
 .../freeradius/sites-available/inner-tunnel-second |   36 +
 .../hosts/alice/etc/freeradius/users               |    2 +
 .../hosts/alice/etc/raddb/clients.conf             |    4 -
 .../hosts/alice/etc/raddb/dictionary               |    2 -
 .../hosts/alice/etc/raddb/dictionary.tnc           |    5 -
 .../tnccs-11-radius/hosts/alice/etc/raddb/eap.conf |   25 -
 .../hosts/alice/etc/raddb/proxy.conf               |    5 -
 .../hosts/alice/etc/raddb/radiusd.conf             |  120 -
 .../hosts/alice/etc/raddb/sites-available/default  |   44 -
 .../alice/etc/raddb/sites-available/inner-tunnel   |   32 -
 .../etc/raddb/sites-available/inner-tunnel-second  |   36 -
 .../tnccs-11-radius/hosts/alice/etc/raddb/users    |    2 -
 .../tnccs-11-radius/hosts/moon/etc/init.d/iptables |   84 -
 .../tnccs-11-radius/hosts/moon/etc/iptables.rules  |   32 +
 testing/tests/tnc/tnccs-11-radius/posttest.dat     |    8 +-
 testing/tests/tnc/tnccs-11-radius/pretest.dat      |   10 +-
 testing/tests/tnc/tnccs-11-radius/test.conf        |   12 +-
 testing/tests/tnc/tnccs-11/evaltest.dat            |   12 +-
 testing/tests/tnc/tnccs-11/posttest.dat            |    6 +-
 testing/tests/tnc/tnccs-11/pretest.dat             |    6 +-
 testing/tests/tnc/tnccs-11/test.conf               |   12 +-
 testing/tests/tnc/tnccs-20-block/evaltest.dat      |    4 +-
 testing/tests/tnc/tnccs-20-block/posttest.dat      |    6 +-
 testing/tests/tnc/tnccs-20-block/pretest.dat       |    6 +-
 testing/tests/tnc/tnccs-20-block/test.conf         |   12 +-
 .../tests/tnc/tnccs-20-client-retry/evaltest.dat   |   12 +-
 .../tests/tnc/tnccs-20-client-retry/posttest.dat   |    6 +-
 .../tests/tnc/tnccs-20-client-retry/pretest.dat    |    6 +-
 testing/tests/tnc/tnccs-20-client-retry/test.conf  |   12 +-
 testing/tests/tnc/tnccs-20-fhh/evaltest.dat        |   12 +-
 testing/tests/tnc/tnccs-20-fhh/posttest.dat        |    6 +-
 testing/tests/tnc/tnccs-20-fhh/pretest.dat         |    6 +-
 testing/tests/tnc/tnccs-20-fhh/test.conf           |   12 +-
 testing/tests/tnc/tnccs-20-os/description.txt      |   23 +
 testing/tests/tnc/tnccs-20-os/evaltest.dat         |   19 +
 .../tnc/tnccs-20-os/hosts/carol/etc/ipsec.conf     |   23 +
 .../tnc/tnccs-20-os/hosts/carol/etc/ipsec.secrets  |    3 +
 .../tnccs-20-os/hosts/carol/etc/strongswan.conf    |   19 +
 .../tnc/tnccs-20-os/hosts/carol/etc/tnc_config     |    3 +
 .../tnc/tnccs-20-os/hosts/dave/etc/ipsec.conf      |   23 +
 .../tnc/tnccs-20-os/hosts/dave/etc/ipsec.secrets   |    3 +
 .../tnc/tnccs-20-os/hosts/dave/etc/strongswan.conf |   26 +
 .../tnc/tnccs-20-os/hosts/dave/etc/tnc_config      |    3 +
 .../tnc/tnccs-20-os/hosts/moon/etc/ipsec.conf      |   34 +
 .../tnc/tnccs-20-os/hosts/moon/etc/ipsec.secrets   |    6 +
 .../tnc/tnccs-20-os/hosts/moon/etc/strongswan.conf |   24 +
 .../tnc/tnccs-20-os/hosts/moon/etc/tnc_config      |    3 +
 testing/tests/tnc/tnccs-20-os/posttest.dat         |    7 +
 testing/tests/tnc/tnccs-20-os/pretest.dat          |   14 +
 testing/tests/tnc/tnccs-20-os/test.conf            |   26 +
 testing/tests/tnc/tnccs-20-pdp/evaltest.dat        |   12 +-
 .../tnccs-20-pdp/hosts/moon/etc/init.d/iptables    |   84 -
 .../tnc/tnccs-20-pdp/hosts/moon/etc/iptables.rules |   32 +
 testing/tests/tnc/tnccs-20-pdp/posttest.dat        |    6 +-
 testing/tests/tnc/tnccs-20-pdp/pretest.dat         |    6 +-
 testing/tests/tnc/tnccs-20-pdp/test.conf           |   12 +-
 .../tests/tnc/tnccs-20-server-retry/evaltest.dat   |   12 +-
 .../tests/tnc/tnccs-20-server-retry/posttest.dat   |    6 +-
 .../tests/tnc/tnccs-20-server-retry/pretest.dat    |    6 +-
 testing/tests/tnc/tnccs-20-server-retry/test.conf  |   12 +-
 testing/tests/tnc/tnccs-20-tls/evaltest.dat        |   12 +-
 testing/tests/tnc/tnccs-20-tls/posttest.dat        |    6 +-
 testing/tests/tnc/tnccs-20-tls/pretest.dat         |    6 +-
 testing/tests/tnc/tnccs-20-tls/test.conf           |   12 +-
 testing/tests/tnc/tnccs-20/evaltest.dat            |   12 +-
 .../tests/tnc/tnccs-20/hosts/carol/etc/ipsec.conf  |    2 +-
 .../tests/tnc/tnccs-20/hosts/dave/etc/ipsec.conf   |    2 +-
 .../tests/tnc/tnccs-20/hosts/moon/etc/ipsec.conf   |    2 +-
 testing/tests/tnc/tnccs-20/posttest.dat            |    6 +-
 testing/tests/tnc/tnccs-20/pretest.dat             |    6 +-
 testing/tests/tnc/tnccs-20/test.conf               |   12 +-
 testing/tests/tnc/tnccs-dynamic/evaltest.dat       |   12 +-
 testing/tests/tnc/tnccs-dynamic/posttest.dat       |    6 +-
 testing/tests/tnc/tnccs-dynamic/pretest.dat        |    6 +-
 testing/tests/tnc/tnccs-dynamic/test.conf          |   12 +-
 ylwrap                                             |   34 +-
 2372 files changed, 71145 insertions(+), 64085 deletions(-)
 mode change 100755 => 100644 ltmain.sh
 create mode 100644 src/libcharon/encoding/payloads/fragment_payload.c
 create mode 100644 src/libcharon/encoding/payloads/fragment_payload.h
 create mode 100644 src/libcharon/plugins/error_notify/Makefile.am
 create mode 100644 src/libcharon/plugins/error_notify/Makefile.in
 create mode 100644 src/libcharon/plugins/error_notify/error_notify.c
 create mode 100644 src/libcharon/plugins/error_notify/error_notify_listener.c
 create mode 100644 src/libcharon/plugins/error_notify/error_notify_listener.h
 create mode 100644 src/libcharon/plugins/error_notify/error_notify_msg.h
 create mode 100644 src/libcharon/plugins/error_notify/error_notify_plugin.c
 create mode 100644 src/libcharon/plugins/error_notify/error_notify_plugin.h
 create mode 100644 src/libcharon/plugins/error_notify/error_notify_socket.c
 create mode 100644 src/libcharon/plugins/error_notify/error_notify_socket.h
 create mode 100644 src/libcharon/plugins/load_tester/load_tester.c
 create mode 100644 src/libcharon/plugins/load_tester/load_tester_control.c
 create mode 100644 src/libcharon/plugins/load_tester/load_tester_control.h
 create mode 100644 src/libcharon/plugins/lookip/Makefile.am
 create mode 100644 src/libcharon/plugins/lookip/Makefile.in
 create mode 100644 src/libcharon/plugins/lookip/lookip.c
 create mode 100644 src/libcharon/plugins/lookip/lookip_listener.c
 create mode 100644 src/libcharon/plugins/lookip/lookip_listener.h
 create mode 100644 src/libcharon/plugins/lookip/lookip_msg.h
 create mode 100644 src/libcharon/plugins/lookip/lookip_plugin.c
 create mode 100644 src/libcharon/plugins/lookip/lookip_plugin.h
 create mode 100644 src/libcharon/plugins/lookip/lookip_socket.c
 create mode 100644 src/libcharon/plugins/lookip/lookip_socket.h
 create mode 100644 src/libcharon/plugins/stroke/stroke_counter.c
 create mode 100644 src/libcharon/plugins/stroke/stroke_counter.h
 create mode 100644 src/libimcv/ietf/ietf_attr_default_pwd_enabled.c
 create mode 100644 src/libimcv/ietf/ietf_attr_default_pwd_enabled.h
 create mode 100644 src/libimcv/ietf/ietf_attr_fwd_enabled.c
 create mode 100644 src/libimcv/ietf/ietf_attr_fwd_enabled.h
 create mode 100644 src/libimcv/ietf/ietf_attr_installed_packages.c
 create mode 100644 src/libimcv/ietf/ietf_attr_installed_packages.h
 create mode 100644 src/libimcv/ietf/ietf_attr_numeric_version.c
 create mode 100644 src/libimcv/ietf/ietf_attr_numeric_version.h
 create mode 100644 src/libimcv/ietf/ietf_attr_op_status.c
 create mode 100644 src/libimcv/ietf/ietf_attr_op_status.h
 create mode 100644 src/libimcv/ietf/ietf_attr_remediation_instr.c
 create mode 100644 src/libimcv/ietf/ietf_attr_remediation_instr.h
 create mode 100644 src/libimcv/ietf/ietf_attr_string_version.c
 create mode 100644 src/libimcv/ietf/ietf_attr_string_version.h
 create mode 100644 src/libimcv/imc/imc_msg.c
 create mode 100644 src/libimcv/imc/imc_msg.h
 create mode 100644 src/libimcv/imv/imv_lang_string.c
 create mode 100644 src/libimcv/imv/imv_lang_string.h
 create mode 100644 src/libimcv/imv/imv_msg.c
 create mode 100644 src/libimcv/imv/imv_msg.h
 create mode 100644 src/libimcv/imv/imv_reason_string.c
 create mode 100644 src/libimcv/imv/imv_reason_string.h
 create mode 100644 src/libimcv/imv/imv_remediation_string.c
 create mode 100644 src/libimcv/imv/imv_remediation_string.h
 create mode 100644 src/libimcv/ita/ita_attr_angel.c
 create mode 100644 src/libimcv/ita/ita_attr_angel.h
 create mode 100644 src/libimcv/ita/ita_attr_get_settings.c
 create mode 100644 src/libimcv/ita/ita_attr_get_settings.h
 create mode 100644 src/libimcv/ita/ita_attr_settings.c
 create mode 100644 src/libimcv/ita/ita_attr_settings.h
 create mode 100644 src/libimcv/os_info/os_info.c
 create mode 100644 src/libimcv/os_info/os_info.h
 create mode 100644 src/libimcv/plugins/imc_os/Makefile.am
 create mode 100644 src/libimcv/plugins/imc_os/Makefile.in
 create mode 100644 src/libimcv/plugins/imc_os/imc_os.c
 create mode 100644 src/libimcv/plugins/imc_os/imc_os_state.c
 create mode 100644 src/libimcv/plugins/imc_os/imc_os_state.h
 create mode 100644 src/libimcv/plugins/imv_os/Makefile.am
 create mode 100644 src/libimcv/plugins/imv_os/Makefile.in
 create mode 100644 src/libimcv/plugins/imv_os/imv_os.c
 create mode 100644 src/libimcv/plugins/imv_os/imv_os_database.c
 create mode 100644 src/libimcv/plugins/imv_os/imv_os_database.h
 create mode 100644 src/libimcv/plugins/imv_os/imv_os_state.c
 create mode 100644 src/libimcv/plugins/imv_os/imv_os_state.h
 create mode 100644 src/libimcv/plugins/imv_os/pacman.c
 create mode 100755 src/libimcv/plugins/imv_os/pacman.sh
 delete mode 100644 src/libstrongswan/chunk.c
 delete mode 100644 src/libstrongswan/chunk.h
 create mode 100644 src/libstrongswan/collections/blocking_queue.c
 create mode 100644 src/libstrongswan/collections/blocking_queue.h
 create mode 100644 src/libstrongswan/collections/enumerator.c
 create mode 100644 src/libstrongswan/collections/enumerator.h
 create mode 100644 src/libstrongswan/collections/hashtable.c
 create mode 100644 src/libstrongswan/collections/hashtable.h
 create mode 100644 src/libstrongswan/collections/linked_list.c
 create mode 100644 src/libstrongswan/collections/linked_list.h
 create mode 100644 src/libstrongswan/credentials/containers/container.c
 create mode 100644 src/libstrongswan/credentials/containers/container.h
 create mode 100644 src/libstrongswan/credentials/containers/pkcs7.h
 delete mode 100644 src/libstrongswan/crypto/pkcs7.c
 delete mode 100644 src/libstrongswan/crypto/pkcs7.h
 delete mode 100644 src/libstrongswan/crypto/pkcs9.c
 delete mode 100644 src/libstrongswan/crypto/pkcs9.h
 delete mode 100644 src/libstrongswan/debug.c
 delete mode 100644 src/libstrongswan/debug.h
 delete mode 100644 src/libstrongswan/enum.c
 delete mode 100644 src/libstrongswan/enum.h
 delete mode 100644 src/libstrongswan/integrity_checker.c
 delete mode 100644 src/libstrongswan/integrity_checker.h
 create mode 100644 src/libstrongswan/networking/host.c
 create mode 100644 src/libstrongswan/networking/host.h
 create mode 100644 src/libstrongswan/networking/host_resolver.c
 create mode 100644 src/libstrongswan/networking/host_resolver.h
 create mode 100644 src/libstrongswan/networking/packet.c
 create mode 100644 src/libstrongswan/networking/packet.h
 create mode 100644 src/libstrongswan/networking/tun_device.c
 create mode 100644 src/libstrongswan/networking/tun_device.h
 create mode 100644 src/libstrongswan/plugins/openssl/openssl_pkcs7.c
 create mode 100644 src/libstrongswan/plugins/openssl/openssl_pkcs7.h
 create mode 100644 src/libstrongswan/plugins/pkcs7/Makefile.am
 create mode 100644 src/libstrongswan/plugins/pkcs7/Makefile.in
 create mode 100644 src/libstrongswan/plugins/pkcs7/pkcs7_attributes.c
 create mode 100644 src/libstrongswan/plugins/pkcs7/pkcs7_attributes.h
 create mode 100644 src/libstrongswan/plugins/pkcs7/pkcs7_data.c
 create mode 100644 src/libstrongswan/plugins/pkcs7/pkcs7_data.h
 create mode 100644 src/libstrongswan/plugins/pkcs7/pkcs7_enveloped_data.c
 create mode 100644 src/libstrongswan/plugins/pkcs7/pkcs7_enveloped_data.h
 create mode 100644 src/libstrongswan/plugins/pkcs7/pkcs7_generic.c
 create mode 100644 src/libstrongswan/plugins/pkcs7/pkcs7_generic.h
 create mode 100644 src/libstrongswan/plugins/pkcs7/pkcs7_plugin.c
 create mode 100644 src/libstrongswan/plugins/pkcs7/pkcs7_plugin.h
 create mode 100644 src/libstrongswan/plugins/pkcs7/pkcs7_signed_data.c
 create mode 100644 src/libstrongswan/plugins/pkcs7/pkcs7_signed_data.h
 create mode 100644 src/libstrongswan/plugins/rdrand/Makefile.am
 create mode 100644 src/libstrongswan/plugins/rdrand/Makefile.in
 create mode 100644 src/libstrongswan/plugins/rdrand/rdrand_plugin.c
 create mode 100644 src/libstrongswan/plugins/rdrand/rdrand_plugin.h
 create mode 100644 src/libstrongswan/plugins/rdrand/rdrand_rng.c
 create mode 100644 src/libstrongswan/plugins/rdrand/rdrand_rng.h
 delete mode 100644 src/libstrongswan/printf_hook.c
 delete mode 100644 src/libstrongswan/printf_hook.h
 delete mode 100644 src/libstrongswan/settings.c
 delete mode 100644 src/libstrongswan/settings.h
 delete mode 100644 src/libstrongswan/utils.c
 delete mode 100644 src/libstrongswan/utils.h
 delete mode 100644 src/libstrongswan/utils/blocking_queue.c
 delete mode 100644 src/libstrongswan/utils/blocking_queue.h
 create mode 100644 src/libstrongswan/utils/chunk.c
 create mode 100644 src/libstrongswan/utils/chunk.h
 create mode 100644 src/libstrongswan/utils/debug.c
 create mode 100644 src/libstrongswan/utils/debug.h
 create mode 100644 src/libstrongswan/utils/enum.c
 create mode 100644 src/libstrongswan/utils/enum.h
 delete mode 100644 src/libstrongswan/utils/enumerator.c
 delete mode 100644 src/libstrongswan/utils/enumerator.h
 delete mode 100644 src/libstrongswan/utils/hashtable.c
 delete mode 100644 src/libstrongswan/utils/hashtable.h
 delete mode 100644 src/libstrongswan/utils/host.c
 delete mode 100644 src/libstrongswan/utils/host.h
 create mode 100644 src/libstrongswan/utils/integrity_checker.c
 create mode 100644 src/libstrongswan/utils/integrity_checker.h
 delete mode 100644 src/libstrongswan/utils/linked_list.c
 delete mode 100644 src/libstrongswan/utils/linked_list.h
 delete mode 100644 src/libstrongswan/utils/packet.c
 delete mode 100644 src/libstrongswan/utils/packet.h
 create mode 100644 src/libstrongswan/utils/printf_hook.c
 create mode 100644 src/libstrongswan/utils/printf_hook.h
 create mode 100644 src/libstrongswan/utils/settings.c
 create mode 100644 src/libstrongswan/utils/settings.h
 delete mode 100644 src/libstrongswan/utils/tun_device.c
 delete mode 100644 src/libstrongswan/utils/tun_device.h
 create mode 100644 src/libstrongswan/utils/utils.c
 create mode 100644 src/libstrongswan/utils/utils.h
 create mode 100644 src/pki/commands/pkcs7.c
 delete mode 100644 testing/INSTALL
 create mode 100644 testing/config/kernel/config-3.5
 create mode 100644 testing/config/kernel/config-3.6
 create mode 100644 testing/config/kvm/alice.xml
 create mode 100644 testing/config/kvm/bob.xml
 create mode 100644 testing/config/kvm/carol.xml
 create mode 100644 testing/config/kvm/dave.xml
 create mode 100644 testing/config/kvm/moon.xml
 create mode 100644 testing/config/kvm/sun.xml
 create mode 100644 testing/config/kvm/venus.xml
 create mode 100644 testing/config/kvm/vnet1.xml
 create mode 100644 testing/config/kvm/vnet2.xml
 create mode 100644 testing/config/kvm/vnet3.xml
 create mode 100644 testing/config/kvm/winnetou.xml
 create mode 100755 testing/do-tests
 delete mode 100755 testing/do-tests.in
 delete mode 100644 testing/hosts/alice/etc/conf.d/hostname
 delete mode 100644 testing/hosts/alice/etc/conf.d/net
 create mode 100644 testing/hosts/alice/etc/freeradius/clients.conf
 create mode 100644 testing/hosts/alice/etc/freeradius/dictionary
 create mode 100644 testing/hosts/alice/etc/freeradius/radiusd.conf
 create mode 100644 testing/hosts/alice/etc/hostname
 delete mode 100755 testing/hosts/alice/etc/init.d/iptables
 delete mode 100755 testing/hosts/alice/etc/init.d/net.eth0
 delete mode 100755 testing/hosts/alice/etc/init.d/net.eth1
 delete mode 100755 testing/hosts/alice/etc/init.d/radiusd
 mode change 100755 => 100644 testing/hosts/alice/etc/ipsec.conf
 create mode 100644 testing/hosts/alice/etc/network/interfaces
 delete mode 100755 testing/hosts/alice/etc/runlevels/default/net.eth0
 delete mode 100644 testing/hosts/bob/etc/conf.d/hostname
 delete mode 100644 testing/hosts/bob/etc/conf.d/net
 create mode 100644 testing/hosts/bob/etc/hostname
 delete mode 100755 testing/hosts/bob/etc/init.d/iptables
 delete mode 100755 testing/hosts/bob/etc/init.d/net.eth0
 mode change 100755 => 100644 testing/hosts/bob/etc/ipsec.conf
 create mode 100644 testing/hosts/bob/etc/network/interfaces
 delete mode 100755 testing/hosts/bob/etc/runlevels/default/net.eth0
 delete mode 100644 testing/hosts/carol/etc/conf.d/hostname
 delete mode 100644 testing/hosts/carol/etc/conf.d/net
 create mode 100644 testing/hosts/carol/etc/hostname
 delete mode 100755 testing/hosts/carol/etc/init.d/iptables
 delete mode 100755 testing/hosts/carol/etc/init.d/net.eth0
 mode change 100755 => 100644 testing/hosts/carol/etc/ipsec.conf
 create mode 100644 testing/hosts/carol/etc/network/interfaces
 delete mode 100755 testing/hosts/carol/etc/runlevels/default/net.eth0
 delete mode 100644 testing/hosts/dave/etc/conf.d/hostname
 delete mode 100644 testing/hosts/dave/etc/conf.d/net
 create mode 100644 testing/hosts/dave/etc/hostname
 delete mode 100755 testing/hosts/dave/etc/init.d/iptables
 delete mode 100755 testing/hosts/dave/etc/init.d/net.eth0
 mode change 100755 => 100644 testing/hosts/dave/etc/ipsec.conf
 create mode 100644 testing/hosts/dave/etc/network/interfaces
 delete mode 100755 testing/hosts/dave/etc/runlevels/default/net.eth0
 create mode 100644 testing/hosts/default/etc/default/slapd
 create mode 100644 testing/hosts/default/etc/fstab
 create mode 100644 testing/hosts/default/etc/ip6tables.flush
 create mode 100644 testing/hosts/default/etc/ip6tables.rules
 create mode 100644 testing/hosts/default/etc/iptables.drop
 create mode 100644 testing/hosts/default/etc/iptables.flush
 create mode 100644 testing/hosts/default/etc/iptables.rules
 create mode 100644 testing/hosts/default/etc/profile.d/coredumps.sh
 create mode 100644 testing/hosts/default/etc/rsyslog.conf
 create mode 100644 testing/hosts/default/etc/security/limits.conf
 create mode 100644 testing/hosts/default/etc/ssh/sshd_config
 create mode 100644 testing/hosts/default/etc/sysctl.conf
 create mode 100644 testing/hosts/default/root/.ssh/config
 create mode 100755 testing/hosts/default/usr/local/bin/expect-connection
 delete mode 100644 testing/hosts/moon/etc/conf.d/hostname
 delete mode 100644 testing/hosts/moon/etc/conf.d/net
 create mode 100644 testing/hosts/moon/etc/hostname
 delete mode 100755 testing/hosts/moon/etc/init.d/iptables
 delete mode 100755 testing/hosts/moon/etc/init.d/net.eth0
 delete mode 100755 testing/hosts/moon/etc/init.d/net.eth1
 mode change 100755 => 100644 testing/hosts/moon/etc/ipsec.conf
 create mode 100644 testing/hosts/moon/etc/network/interfaces
 create mode 100755 testing/hosts/moon/etc/rc.local
 delete mode 100755 testing/hosts/moon/etc/runlevels/default/net.eth0
 delete mode 100755 testing/hosts/moon/etc/runlevels/default/net.eth1
 delete mode 100644 testing/hosts/ssh_host_rsa_key.pub
 delete mode 100644 testing/hosts/sun/etc/conf.d/hostname
 delete mode 100644 testing/hosts/sun/etc/conf.d/net
 create mode 100644 testing/hosts/sun/etc/hostname
 delete mode 100755 testing/hosts/sun/etc/init.d/iptables
 delete mode 100755 testing/hosts/sun/etc/init.d/net.eth0
 delete mode 100755 testing/hosts/sun/etc/init.d/net.eth1
 mode change 100755 => 100644 testing/hosts/sun/etc/ipsec.conf
 create mode 100644 testing/hosts/sun/etc/network/interfaces
 delete mode 100755 testing/hosts/sun/etc/runlevels/default/net.eth0
 delete mode 100755 testing/hosts/sun/etc/runlevels/default/net.eth1
 delete mode 100644 testing/hosts/venus/etc/conf.d/hostname
 delete mode 100644 testing/hosts/venus/etc/conf.d/net
 create mode 100644 testing/hosts/venus/etc/hostname
 delete mode 100755 testing/hosts/venus/etc/init.d/iptables
 delete mode 100755 testing/hosts/venus/etc/init.d/net.eth0
 mode change 100755 => 100644 testing/hosts/venus/etc/ipsec.conf
 create mode 100644 testing/hosts/venus/etc/network/interfaces
 delete mode 100755 testing/hosts/venus/etc/runlevels/default/net.eth0
 create mode 100644 testing/hosts/winnetou/etc/apache2/conf.d/testresults-as-text
 delete mode 100644 testing/hosts/winnetou/etc/apache2/conf/ssl/ca.crt
 delete mode 100644 testing/hosts/winnetou/etc/apache2/conf/ssl/server.crt
 delete mode 100644 testing/hosts/winnetou/etc/apache2/conf/ssl/server.key
 delete mode 100644 testing/hosts/winnetou/etc/apache2/modules.d/00_mod_mime.conf
 create mode 100644 testing/hosts/winnetou/etc/apache2/sites-enabled/001-ocsp_vhost
 delete mode 100644 testing/hosts/winnetou/etc/apache2/vhosts.d/01_ocsp_vhost.conf
 delete mode 100644 testing/hosts/winnetou/etc/conf.d/hostname
 delete mode 100644 testing/hosts/winnetou/etc/conf.d/net
 delete mode 100644 testing/hosts/winnetou/etc/conf.d/slapd
 delete mode 100755 testing/hosts/winnetou/etc/init.d/apache2
 delete mode 100755 testing/hosts/winnetou/etc/init.d/net.eth0
 delete mode 100755 testing/hosts/winnetou/etc/init.d/slapd
 create mode 100644 testing/hosts/winnetou/etc/ldap/ldif.txt
 create mode 100644 testing/hosts/winnetou/etc/ldap/slapd.conf
 create mode 100644 testing/hosts/winnetou/etc/network/interfaces
 delete mode 100644 testing/hosts/winnetou/etc/openldap/ldif.txt
 delete mode 100644 testing/hosts/winnetou/etc/openldap/slapd.conf
 delete mode 100755 testing/hosts/winnetou/etc/runlevels/default/apache2
 delete mode 100755 testing/hosts/winnetou/etc/runlevels/default/net.eth0
 create mode 100755 testing/scripts/build-baseimage
 create mode 100755 testing/scripts/build-guestimages
 create mode 100755 testing/scripts/build-guestkernel
 delete mode 100755 testing/scripts/build-hostconfig
 create mode 100755 testing/scripts/build-rootimage
 delete mode 100755 testing/scripts/build-sshkeys
 delete mode 100755 testing/scripts/build-umlhostfs
 delete mode 100755 testing/scripts/build-umlkernel
 delete mode 100755 testing/scripts/build-umlrootfs
 delete mode 100755 testing/scripts/gstart-umls
 delete mode 100755 testing/scripts/install-shared
 delete mode 100755 testing/scripts/kstart-umls
 create mode 100644 testing/scripts/recipes/001_libtnc.mk
 create mode 100644 testing/scripts/recipes/002_tnc-fhh.mk
 create mode 100644 testing/scripts/recipes/003_freeradius.mk
 create mode 100644 testing/scripts/recipes/004_iptables.mk
 create mode 100644 testing/scripts/recipes/005_strongswan.mk
 create mode 100644 testing/scripts/recipes/patches/freeradius-avp-size
 create mode 100644 testing/scripts/recipes/patches/freeradius-eap-sim-identity
 create mode 100644 testing/scripts/recipes/patches/freeradius-tnc-fhh
 create mode 100644 testing/scripts/recipes/patches/iptables-xfrm-hooks
 delete mode 100755 testing/scripts/shutdown-umls
 delete mode 100755 testing/scripts/start-bridges
 delete mode 100755 testing/scripts/start-umls
 delete mode 100755 testing/scripts/stop-bridges
 delete mode 100755 testing/scripts/xstart-umls
 mode change 100755 => 100644 testing/testing.conf
 delete mode 100755 testing/tests/ha/both-active/hosts/alice/etc/init.d/iptables
 create mode 100644 testing/tests/ha/both-active/hosts/alice/etc/iptables.rules
 delete mode 100755 testing/tests/ha/both-active/hosts/moon/etc/init.d/iptables
 create mode 100644 testing/tests/ha/both-active/hosts/moon/etc/iptables.rules
 create mode 100644 testing/tests/ikev1/double-nat-net/hosts/bob/etc/iptables.rules
 create mode 100644 testing/tests/ikev1/double-nat/hosts/bob/etc/iptables.rules
 create mode 100644 testing/tests/ikev1/nat-rw/hosts/sun/etc/iptables.rules
 create mode 100644 testing/tests/ikev1/nat-virtual-ip/description.txt
 create mode 100644 testing/tests/ikev1/nat-virtual-ip/evaltest.dat
 create mode 100644 testing/tests/ikev1/nat-virtual-ip/hosts/bob/etc/hosts
 create mode 100644 testing/tests/ikev1/nat-virtual-ip/hosts/moon/etc/ipsec.conf
 create mode 100755 testing/tests/ikev1/nat-virtual-ip/hosts/moon/etc/nat_updown
 create mode 100644 testing/tests/ikev1/nat-virtual-ip/hosts/moon/etc/strongswan.conf
 create mode 100644 testing/tests/ikev1/nat-virtual-ip/hosts/sun/etc/ipsec.conf
 create mode 100644 testing/tests/ikev1/nat-virtual-ip/hosts/sun/etc/strongswan.conf
 create mode 100644 testing/tests/ikev1/nat-virtual-ip/posttest.dat
 create mode 100644 testing/tests/ikev1/nat-virtual-ip/pretest.dat
 create mode 100644 testing/tests/ikev1/nat-virtual-ip/test.conf
 create mode 100644 testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/alice/etc/freeradius/eap.conf
 create mode 100644 testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/alice/etc/freeradius/proxy.conf
 create mode 100644 testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/alice/etc/freeradius/sites-available/default
 create mode 100644 testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/alice/etc/freeradius/users
 delete mode 100644 testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/alice/etc/raddb/clients.conf
 delete mode 100644 testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/alice/etc/raddb/eap.conf
 delete mode 100644 testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/alice/etc/raddb/proxy.conf
 delete mode 100644 testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/alice/etc/raddb/radiusd.conf
 delete mode 100644 testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/alice/etc/raddb/sites-available/default
 delete mode 100644 testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/alice/etc/raddb/users
 delete mode 100755 testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/moon/etc/init.d/iptables
 create mode 100644 testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/moon/etc/iptables.rules
 delete mode 100755 testing/tests/ikev2/crl-ldap/hosts/carol/etc/init.d/iptables
 create mode 100644 testing/tests/ikev2/crl-ldap/hosts/carol/etc/iptables.rules
 delete mode 100755 testing/tests/ikev2/crl-ldap/hosts/moon/etc/init.d/iptables
 create mode 100644 testing/tests/ikev2/crl-ldap/hosts/moon/etc/iptables.rules
 delete mode 100755 testing/tests/ikev2/default-keys/hosts/moon/etc/init.d/iptables
 create mode 100644 testing/tests/ikev2/default-keys/hosts/moon/etc/iptables.rules
 delete mode 100755 testing/tests/ikev2/dhcp-dynamic/hosts/moon/etc/init.d/iptables
 create mode 100644 testing/tests/ikev2/dhcp-dynamic/hosts/moon/etc/iptables.rules
 create mode 100644 testing/tests/ikev2/dhcp-dynamic/hosts/venus/etc/dhcp/dhcpd.conf
 delete mode 100644 testing/tests/ikev2/dhcp-dynamic/hosts/venus/etc/dhcpd.conf
 delete mode 100755 testing/tests/ikev2/dhcp-dynamic/hosts/venus/etc/init.d/dhcpd
 delete mode 100755 testing/tests/ikev2/dhcp-static-client-id/hosts/moon/etc/init.d/iptables
 create mode 100644 testing/tests/ikev2/dhcp-static-client-id/hosts/moon/etc/iptables.rules
 create mode 100644 testing/tests/ikev2/dhcp-static-client-id/hosts/venus/etc/dhcp/dhcpd.conf
 delete mode 100644 testing/tests/ikev2/dhcp-static-client-id/hosts/venus/etc/dhcpd.conf
 delete mode 100755 testing/tests/ikev2/dhcp-static-client-id/hosts/venus/etc/init.d/dhcpd
 delete mode 100755 testing/tests/ikev2/dhcp-static-mac/hosts/moon/etc/init.d/iptables
 create mode 100644 testing/tests/ikev2/dhcp-static-mac/hosts/moon/etc/iptables.rules
 create mode 100644 testing/tests/ikev2/dhcp-static-mac/hosts/venus/etc/dhcp/dhcpd.conf
 delete mode 100644 testing/tests/ikev2/dhcp-static-mac/hosts/venus/etc/dhcpd.conf
 delete mode 100755 testing/tests/ikev2/dhcp-static-mac/hosts/venus/etc/init.d/dhcpd
 create mode 100644 testing/tests/ikev2/double-nat-net/hosts/bob/etc/iptables.rules
 create mode 100644 testing/tests/ikev2/double-nat/hosts/bob/etc/iptables.rules
 delete mode 100755 testing/tests/ikev2/force-udp-encaps/hosts/sun/etc/init.d/iptables
 create mode 100644 testing/tests/ikev2/force-udp-encaps/hosts/sun/etc/iptables.rules
 delete mode 100755 testing/tests/ikev2/ip-two-pools-db/hosts/alice/etc/init.d/iptables
 delete mode 100755 testing/tests/ikev2/ip-two-pools-db/hosts/moon/etc/init.d/iptables
 create mode 100644 testing/tests/ikev2/ip-two-pools-db/hosts/moon/etc/iptables.rules
 delete mode 100755 testing/tests/ikev2/ip-two-pools-db/hosts/venus/etc/init.d/iptables
 delete mode 100755 testing/tests/ikev2/ip-two-pools-mixed/hosts/alice/etc/init.d/iptables
 delete mode 100755 testing/tests/ikev2/ip-two-pools-mixed/hosts/moon/etc/init.d/iptables
 create mode 100644 testing/tests/ikev2/ip-two-pools-mixed/hosts/moon/etc/iptables.rules
 delete mode 100755 testing/tests/ikev2/ip-two-pools/hosts/alice/etc/init.d/iptables
 delete mode 100755 testing/tests/ikev2/ip-two-pools/hosts/moon/etc/init.d/iptables
 create mode 100644 testing/tests/ikev2/ip-two-pools/hosts/moon/etc/iptables.rules
 delete mode 100755 testing/tests/ikev2/mobike-nat/hosts/alice/etc/init.d/iptables
 create mode 100644 testing/tests/ikev2/mobike-nat/hosts/alice/etc/iptables.rules
 delete mode 100755 testing/tests/ikev2/mobike-nat/hosts/sun/etc/init.d/iptables
 create mode 100644 testing/tests/ikev2/mobike-nat/hosts/sun/etc/iptables.rules
 delete mode 100755 testing/tests/ikev2/mobike-virtual-ip/hosts/alice/etc/init.d/iptables
 create mode 100644 testing/tests/ikev2/mobike-virtual-ip/hosts/alice/etc/iptables.rules
 delete mode 100755 testing/tests/ikev2/mobike-virtual-ip/hosts/sun/etc/init.d/iptables
 create mode 100644 testing/tests/ikev2/mobike-virtual-ip/hosts/sun/etc/iptables.rules
 delete mode 100755 testing/tests/ikev2/mobike/hosts/alice/etc/init.d/iptables
 create mode 100644 testing/tests/ikev2/mobike/hosts/alice/etc/iptables.rules
 delete mode 100755 testing/tests/ikev2/mobike/hosts/sun/etc/init.d/iptables
 create mode 100644 testing/tests/ikev2/mobike/hosts/sun/etc/iptables.rules
 create mode 100644 testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/eap.conf
 create mode 100644 testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/modules/sim_files
 create mode 100644 testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/proxy.conf
 create mode 100644 testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/sites-available/default
 create mode 100644 testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/triplets.dat
 create mode 100644 testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/users
 delete mode 100644 testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/raddb/clients.conf
 delete mode 100644 testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/raddb/eap.conf
 delete mode 100644 testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/raddb/proxy.conf
 delete mode 100644 testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/raddb/radiusd.conf
 delete mode 100644 testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/raddb/sites-available/default
 delete mode 100644 testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/raddb/triplets.dat
 delete mode 100644 testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/raddb/users
 delete mode 100755 testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/moon/etc/init.d/iptables
 create mode 100644 testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/moon/etc/iptables.rules
 delete mode 100755 testing/tests/ikev2/multi-level-ca-ldap/hosts/moon/etc/init.d/iptables
 create mode 100644 testing/tests/ikev2/multi-level-ca-ldap/hosts/moon/etc/iptables.rules
 create mode 100644 testing/tests/ikev2/nat-rw-mark/hosts/sun/etc/iptables.rules
 create mode 100644 testing/tests/ikev2/nat-rw-psk/hosts/sun/etc/iptables.rules
 create mode 100644 testing/tests/ikev2/nat-rw/hosts/sun/etc/iptables.rules
 create mode 100644 testing/tests/ikev2/rw-eap-md5-class-radius/description.txt
 create mode 100644 testing/tests/ikev2/rw-eap-md5-class-radius/evaltest.dat
 create mode 100644 testing/tests/ikev2/rw-eap-md5-class-radius/hosts/alice/etc/freeradius/eap.conf
 create mode 100644 testing/tests/ikev2/rw-eap-md5-class-radius/hosts/alice/etc/freeradius/proxy.conf
 create mode 100644 testing/tests/ikev2/rw-eap-md5-class-radius/hosts/alice/etc/freeradius/sites-available/default
 create mode 100644 testing/tests/ikev2/rw-eap-md5-class-radius/hosts/alice/etc/freeradius/users
 create mode 100644 testing/tests/ikev2/rw-eap-md5-class-radius/hosts/carol/etc/ipsec.conf
 create mode 100644 testing/tests/ikev2/rw-eap-md5-class-radius/hosts/carol/etc/ipsec.secrets
 create mode 100644 testing/tests/ikev2/rw-eap-md5-class-radius/hosts/carol/etc/strongswan.conf
 create mode 100644 testing/tests/ikev2/rw-eap-md5-class-radius/hosts/dave/etc/ipsec.conf
 create mode 100644 testing/tests/ikev2/rw-eap-md5-class-radius/hosts/dave/etc/ipsec.secrets
 create mode 100644 testing/tests/ikev2/rw-eap-md5-class-radius/hosts/dave/etc/strongswan.conf
 create mode 100644 testing/tests/ikev2/rw-eap-md5-class-radius/hosts/moon/etc/ipsec.conf
 create mode 100644 testing/tests/ikev2/rw-eap-md5-class-radius/hosts/moon/etc/ipsec.secrets
 create mode 100644 testing/tests/ikev2/rw-eap-md5-class-radius/hosts/moon/etc/iptables.rules
 create mode 100644 testing/tests/ikev2/rw-eap-md5-class-radius/hosts/moon/etc/strongswan.conf
 create mode 100644 testing/tests/ikev2/rw-eap-md5-class-radius/posttest.dat
 create mode 100644 testing/tests/ikev2/rw-eap-md5-class-radius/pretest.dat
 create mode 100644 testing/tests/ikev2/rw-eap-md5-class-radius/test.conf
 create mode 100644 testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/eap.conf
 create mode 100644 testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/proxy.conf
 create mode 100644 testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/sites-available/default
 create mode 100644 testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/users
 delete mode 100644 testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/raddb/clients.conf
 delete mode 100644 testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/raddb/eap.conf
 delete mode 100644 testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/raddb/proxy.conf
 delete mode 100644 testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/raddb/radiusd.conf
 delete mode 100644 testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/raddb/sites-available/default
 delete mode 100644 testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/raddb/users
 delete mode 100755 testing/tests/ikev2/rw-eap-md5-id-radius/hosts/moon/etc/init.d/iptables
 create mode 100644 testing/tests/ikev2/rw-eap-md5-id-radius/hosts/moon/etc/iptables.rules
 create mode 100644 testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/freeradius/eap.conf
 create mode 100644 testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/freeradius/proxy.conf
 create mode 100644 testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/freeradius/sites-available/default
 create mode 100644 testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/freeradius/users
 delete mode 100644 testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/raddb/clients.conf
 delete mode 100644 testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/raddb/eap.conf
 delete mode 100644 testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/raddb/proxy.conf
 delete mode 100644 testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/raddb/radiusd.conf
 delete mode 100644 testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/raddb/sites-available/default
 delete mode 100644 testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/raddb/users
 delete mode 100755 testing/tests/ikev2/rw-eap-md5-radius/hosts/moon/etc/init.d/iptables
 create mode 100644 testing/tests/ikev2/rw-eap-md5-radius/hosts/moon/etc/iptables.rules
 create mode 100644 testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/freeradius/eap.conf
 create mode 100644 testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/freeradius/proxy.conf
 create mode 100644 testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/freeradius/sites-available/default
 create mode 100644 testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/freeradius/sites-available/inner-tunnel
 create mode 100644 testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/freeradius/users
 delete mode 100644 testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/raddb/clients.conf
 delete mode 100644 testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/raddb/eap.conf
 delete mode 100644 testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/raddb/proxy.conf
 delete mode 100644 testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/raddb/radiusd.conf
 delete mode 100644 testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/raddb/sites-available/default
 delete mode 100644 testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/raddb/sites-available/inner-tunnel
 delete mode 100644 testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/raddb/users
 delete mode 100755 testing/tests/ikev2/rw-eap-peap-radius/hosts/moon/etc/init.d/iptables
 create mode 100644 testing/tests/ikev2/rw-eap-peap-radius/hosts/moon/etc/iptables.rules
 create mode 100644 testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/eap.conf
 create mode 100644 testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/modules/sim_files
 create mode 100644 testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/proxy.conf
 create mode 100644 testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/sites-available/default
 create mode 100644 testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/triplets.dat
 create mode 100644 testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/users
 delete mode 100644 testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/raddb/clients.conf
 delete mode 100644 testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/raddb/eap.conf
 delete mode 100644 testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/raddb/proxy.conf
 delete mode 100644 testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/raddb/radiusd.conf
 delete mode 100644 testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/raddb/sites-available/default
 delete mode 100644 testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/raddb/triplets.dat
 delete mode 100644 testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/raddb/users
 delete mode 100755 testing/tests/ikev2/rw-eap-sim-id-radius/hosts/moon/etc/init.d/iptables
 create mode 100644 testing/tests/ikev2/rw-eap-sim-id-radius/hosts/moon/etc/iptables.rules
 create mode 100644 testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/eap.conf
 create mode 100644 testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/modules/sim_files
 create mode 100644 testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/proxy.conf
 create mode 100644 testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/sites-available/default
 create mode 100644 testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/triplets.dat
 create mode 100644 testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/users
 delete mode 100644 testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/raddb/clients.conf
 delete mode 100644 testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/raddb/eap.conf
 delete mode 100644 testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/raddb/proxy.conf
 delete mode 100644 testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/raddb/radiusd.conf
 delete mode 100644 testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/raddb/sites-available/default
 delete mode 100644 testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/raddb/triplets.dat
 delete mode 100644 testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/raddb/users
 delete mode 100755 testing/tests/ikev2/rw-eap-sim-only-radius/hosts/moon/etc/init.d/iptables
 create mode 100644 testing/tests/ikev2/rw-eap-sim-only-radius/hosts/moon/etc/iptables.rules
 create mode 100644 testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/freeradius/eap.conf
 create mode 100644 testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/freeradius/proxy.conf
 create mode 100644 testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/freeradius/sites-available/default
 create mode 100644 testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/freeradius/triplets.dat
 create mode 100644 testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/freeradius/users
 delete mode 100644 testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/raddb/clients.conf
 delete mode 100644 testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/raddb/eap.conf
 delete mode 100644 testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/raddb/proxy.conf
 delete mode 100644 testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/raddb/radiusd.conf
 delete mode 100644 testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/raddb/sites-available/default
 delete mode 100644 testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/raddb/triplets.dat
 delete mode 100644 testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/raddb/users
 delete mode 100755 testing/tests/ikev2/rw-eap-sim-radius/hosts/moon/etc/init.d/iptables
 create mode 100644 testing/tests/ikev2/rw-eap-sim-radius/hosts/moon/etc/iptables.rules
 create mode 100644 testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/freeradius/eap.conf
 create mode 100644 testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/freeradius/proxy.conf
 create mode 100644 testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/freeradius/sites-available/default
 create mode 100644 testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/freeradius/users
 delete mode 100644 testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/raddb/clients.conf
 delete mode 100644 testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/raddb/eap.conf
 delete mode 100644 testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/raddb/proxy.conf
 delete mode 100644 testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/raddb/radiusd.conf
 delete mode 100644 testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/raddb/sites-available/default
 delete mode 100644 testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/raddb/users
 delete mode 100755 testing/tests/ikev2/rw-eap-tls-radius/hosts/moon/etc/init.d/iptables
 create mode 100644 testing/tests/ikev2/rw-eap-tls-radius/hosts/moon/etc/iptables.rules
 create mode 100644 testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/freeradius/eap.conf
 create mode 100644 testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/freeradius/proxy.conf
 create mode 100644 testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/freeradius/sites-available/default
 create mode 100644 testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/freeradius/sites-available/inner-tunnel
 create mode 100644 testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/freeradius/users
 delete mode 100644 testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/raddb/clients.conf
 delete mode 100644 testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/raddb/eap.conf
 delete mode 100644 testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/raddb/proxy.conf
 delete mode 100644 testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/raddb/radiusd.conf
 delete mode 100644 testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/raddb/sites-available/default
 delete mode 100644 testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/raddb/sites-available/inner-tunnel
 delete mode 100644 testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/raddb/users
 delete mode 100755 testing/tests/ikev2/rw-eap-ttls-radius/hosts/moon/etc/init.d/iptables
 create mode 100644 testing/tests/ikev2/rw-eap-ttls-radius/hosts/moon/etc/iptables.rules
 delete mode 100755 testing/tests/ikev2/rw-mark-in-out/hosts/alice/etc/init.d/iptables
 delete mode 100755 testing/tests/ikev2/rw-mark-in-out/hosts/venus/etc/init.d/iptables
 create mode 100644 testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/freeradius/eap.conf
 create mode 100644 testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/freeradius/proxy.conf
 create mode 100644 testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/freeradius/sites-available/default
 create mode 100644 testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/freeradius/users
 delete mode 100644 testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/raddb/clients.conf
 delete mode 100644 testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/raddb/eap.conf
 delete mode 100644 testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/raddb/proxy.conf
 delete mode 100644 testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/raddb/radiusd.conf
 delete mode 100644 testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/raddb/sites-available/default
 delete mode 100644 testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/raddb/users
 delete mode 100755 testing/tests/ikev2/rw-radius-accounting/hosts/moon/etc/init.d/iptables
 create mode 100644 testing/tests/ikev2/rw-radius-accounting/hosts/moon/etc/iptables.rules
 delete mode 100755 testing/tests/ikev2/shunt-policies/hosts/moon/etc/init.d/iptables
 create mode 100644 testing/tests/ikev2/shunt-policies/hosts/moon/etc/iptables.rules
 delete mode 100755 testing/tests/ipv6/host2host-ikev1/hosts/moon/etc/init.d/iptables
 delete mode 100755 testing/tests/ipv6/host2host-ikev1/hosts/sun/etc/init.d/iptables
 delete mode 100755 testing/tests/ipv6/host2host-ikev2/hosts/moon/etc/init.d/iptables
 delete mode 100755 testing/tests/ipv6/host2host-ikev2/hosts/sun/etc/init.d/iptables
 delete mode 100755 testing/tests/ipv6/net2net-ikev1/hosts/moon/etc/init.d/iptables
 delete mode 100755 testing/tests/ipv6/net2net-ikev1/hosts/sun/etc/init.d/iptables
 delete mode 100755 testing/tests/ipv6/net2net-ikev2/hosts/moon/etc/init.d/iptables
 delete mode 100755 testing/tests/ipv6/net2net-ikev2/hosts/sun/etc/init.d/iptables
 delete mode 100755 testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/hosts/moon/etc/init.d/iptables
 delete mode 100755 testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/hosts/sun/etc/init.d/iptables
 delete mode 100755 testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/hosts/moon/etc/init.d/iptables
 delete mode 100755 testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/hosts/sun/etc/init.d/iptables
 delete mode 100755 testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/hosts/moon/etc/init.d/iptables
 create mode 100644 testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/hosts/moon/etc/ip6tables.rules
 delete mode 100755 testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/hosts/sun/etc/init.d/iptables
 create mode 100644 testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/hosts/sun/etc/ip6tables.rules
 delete mode 100755 testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/hosts/moon/etc/init.d/iptables
 create mode 100644 testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/hosts/moon/etc/ip6tables.rules
 delete mode 100755 testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/hosts/sun/etc/init.d/iptables
 create mode 100644 testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/hosts/sun/etc/ip6tables.rules
 delete mode 100755 testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/moon/etc/init.d/iptables
 delete mode 100755 testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/sun/etc/init.d/iptables
 delete mode 100755 testing/tests/ipv6/rw-ikev1/hosts/carol/etc/init.d/iptables
 delete mode 100755 testing/tests/ipv6/rw-ikev1/hosts/dave/etc/init.d/iptables
 delete mode 100755 testing/tests/ipv6/rw-ikev1/hosts/moon/etc/init.d/iptables
 delete mode 100755 testing/tests/ipv6/rw-ikev2/hosts/carol/etc/init.d/iptables
 delete mode 100755 testing/tests/ipv6/rw-ikev2/hosts/dave/etc/init.d/iptables
 delete mode 100755 testing/tests/ipv6/rw-ikev2/hosts/moon/etc/init.d/iptables
 delete mode 100755 testing/tests/ipv6/rw-ip6-in-ip4-ikev1/hosts/carol/etc/init.d/iptables
 create mode 100644 testing/tests/ipv6/rw-ip6-in-ip4-ikev1/hosts/carol/etc/ip6tables.rules
 delete mode 100755 testing/tests/ipv6/rw-ip6-in-ip4-ikev1/hosts/dave/etc/init.d/iptables
 create mode 100644 testing/tests/ipv6/rw-ip6-in-ip4-ikev1/hosts/dave/etc/ip6tables.rules
 delete mode 100755 testing/tests/ipv6/rw-ip6-in-ip4-ikev1/hosts/moon/etc/init.d/iptables
 create mode 100644 testing/tests/ipv6/rw-ip6-in-ip4-ikev1/hosts/moon/etc/ip6tables.rules
 delete mode 100644 testing/tests/ipv6/rw-ip6-in-ip4-ikev1/rw-ip6-in-ip4-ikev1/description.txt
 delete mode 100644 testing/tests/ipv6/rw-ip6-in-ip4-ikev1/rw-ip6-in-ip4-ikev1/evaltest.dat
 delete mode 100644 testing/tests/ipv6/rw-ip6-in-ip4-ikev1/rw-ip6-in-ip4-ikev1/posttest.dat
 delete mode 100644 testing/tests/ipv6/rw-ip6-in-ip4-ikev1/rw-ip6-in-ip4-ikev1/pretest.dat
 delete mode 100644 testing/tests/ipv6/rw-ip6-in-ip4-ikev1/rw-ip6-in-ip4-ikev1/test.conf
 delete mode 100755 testing/tests/ipv6/rw-ip6-in-ip4-ikev2/hosts/carol/etc/init.d/iptables
 create mode 100644 testing/tests/ipv6/rw-ip6-in-ip4-ikev2/hosts/carol/etc/ip6tables.rules
 delete mode 100755 testing/tests/ipv6/rw-ip6-in-ip4-ikev2/hosts/dave/etc/init.d/iptables
 create mode 100644 testing/tests/ipv6/rw-ip6-in-ip4-ikev2/hosts/dave/etc/ip6tables.rules
 delete mode 100755 testing/tests/ipv6/rw-ip6-in-ip4-ikev2/hosts/moon/etc/init.d/iptables
 create mode 100644 testing/tests/ipv6/rw-ip6-in-ip4-ikev2/hosts/moon/etc/ip6tables.rules
 delete mode 100755 testing/tests/ipv6/rw-psk-ikev1/hosts/carol/etc/init.d/iptables
 delete mode 100755 testing/tests/ipv6/rw-psk-ikev1/hosts/dave/etc/init.d/iptables
 delete mode 100755 testing/tests/ipv6/rw-psk-ikev1/hosts/moon/etc/init.d/iptables
 delete mode 100755 testing/tests/ipv6/rw-psk-ikev2/hosts/carol/etc/init.d/iptables
 delete mode 100755 testing/tests/ipv6/rw-psk-ikev2/hosts/dave/etc/init.d/iptables
 delete mode 100755 testing/tests/ipv6/rw-psk-ikev2/hosts/moon/etc/init.d/iptables
 delete mode 100755 testing/tests/ipv6/rw-rfc3779-ikev2/hosts/carol/etc/init.d/iptables
 delete mode 100755 testing/tests/ipv6/rw-rfc3779-ikev2/hosts/dave/etc/init.d/iptables
 delete mode 100755 testing/tests/ipv6/rw-rfc3779-ikev2/hosts/moon/etc/init.d/iptables
 delete mode 100755 testing/tests/ipv6/transport-ikev1/hosts/moon/etc/init.d/iptables
 delete mode 100755 testing/tests/ipv6/transport-ikev1/hosts/sun/etc/init.d/iptables
 delete mode 100755 testing/tests/ipv6/transport-ikev2/hosts/moon/etc/init.d/iptables
 delete mode 100755 testing/tests/ipv6/transport-ikev2/hosts/sun/etc/init.d/iptables
 delete mode 100755 testing/tests/p2pnat/behind-same-nat/hosts/alice/etc/init.d/iptables
 create mode 100644 testing/tests/p2pnat/behind-same-nat/hosts/alice/etc/iptables.rules
 delete mode 100755 testing/tests/p2pnat/behind-same-nat/hosts/carol/etc/init.d/iptables
 create mode 100644 testing/tests/p2pnat/behind-same-nat/hosts/carol/etc/iptables.rules
 delete mode 100755 testing/tests/p2pnat/behind-same-nat/hosts/venus/etc/init.d/iptables
 create mode 100644 testing/tests/p2pnat/behind-same-nat/hosts/venus/etc/iptables.rules
 delete mode 100755 testing/tests/p2pnat/medsrv-psk/hosts/alice/etc/init.d/iptables
 create mode 100644 testing/tests/p2pnat/medsrv-psk/hosts/alice/etc/iptables.rules
 create mode 100644 testing/tests/p2pnat/medsrv-psk/hosts/bob/etc/iptables.rules
 delete mode 100755 testing/tests/p2pnat/medsrv-psk/hosts/carol/etc/init.d/iptables
 create mode 100644 testing/tests/p2pnat/medsrv-psk/hosts/carol/etc/iptables.rules
 create mode 100644 testing/tests/pfkey/nat-rw/hosts/sun/etc/iptables.rules
 delete mode 100755 testing/tests/pfkey/shunt-policies/hosts/moon/etc/init.d/iptables
 create mode 100644 testing/tests/pfkey/shunt-policies/hosts/moon/etc/iptables.rules
 delete mode 100755 testing/tests/sql/rw-psk-ipv6/hosts/carol/etc/init.d/iptables
 create mode 100644 testing/tests/sql/rw-psk-ipv6/hosts/carol/etc/iptables.rules
 delete mode 100755 testing/tests/sql/rw-psk-ipv6/hosts/dave/etc/init.d/iptables
 create mode 100644 testing/tests/sql/rw-psk-ipv6/hosts/dave/etc/iptables.rules
 delete mode 100755 testing/tests/sql/rw-psk-ipv6/hosts/moon/etc/init.d/iptables
 create mode 100644 testing/tests/sql/rw-psk-ipv6/hosts/moon/etc/iptables.rules
 delete mode 100755 testing/tests/sql/shunt-policies/hosts/moon/etc/init.d/iptables
 create mode 100644 testing/tests/sql/shunt-policies/hosts/moon/etc/iptables.rules
 create mode 100644 testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/freeradius/eap.conf
 create mode 100644 testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/freeradius/proxy.conf
 create mode 100644 testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/freeradius/sites-available/default
 create mode 100644 testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/freeradius/sites-available/inner-tunnel
 create mode 100644 testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/freeradius/sites-available/inner-tunnel-second
 create mode 100644 testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/freeradius/users
 delete mode 100644 testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/raddb/clients.conf
 delete mode 100644 testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/raddb/dictionary
 delete mode 100644 testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/raddb/dictionary.tnc
 delete mode 100644 testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/raddb/eap.conf
 delete mode 100644 testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/raddb/proxy.conf
 delete mode 100644 testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/raddb/radiusd.conf
 delete mode 100644 testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/raddb/sites-available/default
 delete mode 100644 testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/raddb/sites-available/inner-tunnel
 delete mode 100644 testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/raddb/sites-available/inner-tunnel-second
 delete mode 100644 testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/raddb/users
 delete mode 100755 testing/tests/tnc/tnccs-11-radius-block/hosts/moon/etc/init.d/iptables
 create mode 100644 testing/tests/tnc/tnccs-11-radius-block/hosts/moon/etc/iptables.rules
 create mode 100644 testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/freeradius/eap.conf
 create mode 100644 testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/freeradius/proxy.conf
 create mode 100644 testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/freeradius/sites-available/default
 create mode 100644 testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/freeradius/sites-available/inner-tunnel
 create mode 100644 testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/freeradius/sites-available/inner-tunnel-second
 create mode 100644 testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/freeradius/users
 delete mode 100644 testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/raddb/clients.conf
 delete mode 100644 testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/raddb/dictionary
 delete mode 100644 testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/raddb/dictionary.tnc
 delete mode 100644 testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/raddb/eap.conf
 delete mode 100644 testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/raddb/proxy.conf
 delete mode 100644 testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/raddb/radiusd.conf
 delete mode 100644 testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/raddb/sites-available/default
 delete mode 100644 testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/raddb/sites-available/inner-tunnel
 delete mode 100644 testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/raddb/sites-available/inner-tunnel-second
 delete mode 100644 testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/raddb/users
 delete mode 100755 testing/tests/tnc/tnccs-11-radius/hosts/moon/etc/init.d/iptables
 create mode 100644 testing/tests/tnc/tnccs-11-radius/hosts/moon/etc/iptables.rules
 create mode 100644 testing/tests/tnc/tnccs-20-os/description.txt
 create mode 100644 testing/tests/tnc/tnccs-20-os/evaltest.dat
 create mode 100644 testing/tests/tnc/tnccs-20-os/hosts/carol/etc/ipsec.conf
 create mode 100644 testing/tests/tnc/tnccs-20-os/hosts/carol/etc/ipsec.secrets
 create mode 100644 testing/tests/tnc/tnccs-20-os/hosts/carol/etc/strongswan.conf
 create mode 100644 testing/tests/tnc/tnccs-20-os/hosts/carol/etc/tnc_config
 create mode 100644 testing/tests/tnc/tnccs-20-os/hosts/dave/etc/ipsec.conf
 create mode 100644 testing/tests/tnc/tnccs-20-os/hosts/dave/etc/ipsec.secrets
 create mode 100644 testing/tests/tnc/tnccs-20-os/hosts/dave/etc/strongswan.conf
 create mode 100644 testing/tests/tnc/tnccs-20-os/hosts/dave/etc/tnc_config
 create mode 100644 testing/tests/tnc/tnccs-20-os/hosts/moon/etc/ipsec.conf
 create mode 100644 testing/tests/tnc/tnccs-20-os/hosts/moon/etc/ipsec.secrets
 create mode 100644 testing/tests/tnc/tnccs-20-os/hosts/moon/etc/strongswan.conf
 create mode 100644 testing/tests/tnc/tnccs-20-os/hosts/moon/etc/tnc_config
 create mode 100644 testing/tests/tnc/tnccs-20-os/posttest.dat
 create mode 100644 testing/tests/tnc/tnccs-20-os/pretest.dat
 create mode 100644 testing/tests/tnc/tnccs-20-os/test.conf
 delete mode 100755 testing/tests/tnc/tnccs-20-pdp/hosts/moon/etc/init.d/iptables
 create mode 100644 testing/tests/tnc/tnccs-20-pdp/hosts/moon/etc/iptables.rules

(limited to 'man')

diff --git a/Android.common.mk b/Android.common.mk
index ed12758cb..9824242d7 100644
--- a/Android.common.mk
+++ b/Android.common.mk
@@ -15,5 +15,5 @@ add_plugin = $(if $(call plugin_enabled,$(1)), \
               )
 
 # strongSwan version, replaced by top Makefile
-strongswan_VERSION := "5.0.1"
+strongswan_VERSION := "5.0.2"
 
diff --git a/Android.mk b/Android.mk
index 663b363cf..0b8da5b8d 100644
--- a/Android.mk
+++ b/Android.mk
@@ -22,7 +22,7 @@ strongswan_CHARON_PLUGINS := android-log openssl fips-prf random nonce pubkey \
 
 ifneq ($(strongswan_BUILD_SCEPCLIENT),)
 # plugins loaded by scepclient
-strongswan_SCEPCLIENT_PLUGINS := openssl curl fips-prf random pkcs1 pem
+strongswan_SCEPCLIENT_PLUGINS := openssl curl fips-prf random pkcs1 pkcs7 pem
 endif
 
 strongswan_STARTER_PLUGINS := kernel-netlink
@@ -67,6 +67,7 @@ strongswan_CFLAGS := \
 	-DHAVE_STRUCT_SADB_X_POLICY_SADB_X_POLICY_PRIORITY \
 	-DHAVE_IPSEC_MODE_BEET \
 	-DHAVE_IPSEC_DIR_FWD \
+	-DOPENSSL_NO_CMS \
 	-DOPENSSL_NO_EC \
 	-DOPENSSL_NO_ECDSA \
 	-DOPENSSL_NO_ECDH \
diff --git a/Makefile.in b/Makefile.in
index 497abc834..2b952cc52 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -90,6 +90,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
 am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
 am__installdirs = "$(DESTDIR)$(config_includedir)"
 HEADERS = $(nodist_config_include_HEADERS)
 RECURSIVE_CLEAN_TARGETS = mostlyclean-recursive clean-recursive	\
@@ -104,9 +110,11 @@ DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 distdir = $(PACKAGE)-$(VERSION)
 top_distdir = $(distdir)
 am__remove_distdir = \
-  { test ! -d "$(distdir)" \
-    || { find "$(distdir)" -type d ! -perm -200 -exec chmod u+w {} ';' \
-         && rm -fr "$(distdir)"; }; }
+  if test -d "$(distdir)"; then \
+    find "$(distdir)" -type d ! -perm -200 -exec chmod u+w {} ';' \
+      && rm -rf "$(distdir)" \
+      || { sleep 5 && rm -rf "$(distdir)"; }; \
+  else :; fi
 am__relativize = \
   dir0=`pwd`; \
   sed_first='s,^\([^/]*\)/.*$$,\1,'; \
@@ -135,6 +143,8 @@ am__relativize = \
 DIST_ARCHIVES = $(distdir).tar.gz
 GZIP_ENV = --best
 distuninstallcheck_listfiles = find . -type f -print
+am__distuninstallcheck_listfiles = $(distuninstallcheck_listfiles) \
+  | sed 's|^\./|$(prefix)/|' | grep -v '$(infodir)/dir$$'
 distcleancheck_listfiles = find . -type f -print
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
@@ -155,6 +165,7 @@ CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -182,6 +193,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -209,6 +221,7 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
@@ -221,6 +234,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -274,7 +288,6 @@ libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -333,7 +346,7 @@ all: $(BUILT_SOURCES) config.h
 	$(MAKE) $(AM_MAKEFLAGS) all-recursive
 
 .SUFFIXES:
-am--refresh:
+am--refresh: Makefile
 	@:
 $(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
 	@for dep in $?; do \
@@ -369,10 +382,8 @@ $(ACLOCAL_M4):  $(am__aclocal_m4_deps)
 $(am__aclocal_m4_deps):
 
 config.h: stamp-h1
-	@if test ! -f $@; then \
-	  rm -f stamp-h1; \
-	  $(MAKE) $(AM_MAKEFLAGS) stamp-h1; \
-	else :; fi
+	@if test ! -f $@; then rm -f stamp-h1; else :; fi
+	@if test ! -f $@; then $(MAKE) $(AM_MAKEFLAGS) stamp-h1; else :; fi
 
 stamp-h1: $(srcdir)/config.h.in $(top_builddir)/config.status
 	@rm -f stamp-h1
@@ -412,9 +423,7 @@ uninstall-nodist_config_includeHEADERS:
 	@$(NORMAL_UNINSTALL)
 	@list='$(nodist_config_include_HEADERS)'; test -n "$(config_includedir)" || list=; \
 	files=`for p in $$list; do echo $$p; done | sed -e 's|^.*/||'`; \
-	test -n "$$files" || exit 0; \
-	echo " ( cd '$(DESTDIR)$(config_includedir)' && rm -f" $$files ")"; \
-	cd "$(DESTDIR)$(config_includedir)" && rm -f $$files
+	dir='$(DESTDIR)$(config_includedir)'; $(am__uninstall_files_from_dir)
 
 # This directory's subdirectories are mostly independent; you can cd
 # into them and run `make' without going through this Makefile.
@@ -623,7 +632,11 @@ dist-gzip: distdir
 	$(am__remove_distdir)
 
 dist-bzip2: distdir
-	tardir=$(distdir) && $(am__tar) | bzip2 -9 -c >$(distdir).tar.bz2
+	tardir=$(distdir) && $(am__tar) | BZIP2=$${BZIP2--9} bzip2 -c >$(distdir).tar.bz2
+	$(am__remove_distdir)
+
+dist-lzip: distdir
+	tardir=$(distdir) && $(am__tar) | lzip -c $${LZIP_OPT--9} >$(distdir).tar.lz
 	$(am__remove_distdir)
 
 dist-lzma: distdir
@@ -631,7 +644,7 @@ dist-lzma: distdir
 	$(am__remove_distdir)
 
 dist-xz: distdir
-	tardir=$(distdir) && $(am__tar) | xz -c >$(distdir).tar.xz
+	tardir=$(distdir) && $(am__tar) | XZ_OPT=$${XZ_OPT--e} xz -c >$(distdir).tar.xz
 	$(am__remove_distdir)
 
 dist-tarZ: distdir
@@ -662,6 +675,8 @@ distcheck: dist
 	  bzip2 -dc $(distdir).tar.bz2 | $(am__untar) ;;\
 	*.tar.lzma*) \
 	  lzma -dc $(distdir).tar.lzma | $(am__untar) ;;\
+	*.tar.lz*) \
+	  lzip -dc $(distdir).tar.lz | $(am__untar) ;;\
 	*.tar.xz*) \
 	  xz -dc $(distdir).tar.xz | $(am__untar) ;;\
 	*.tar.Z*) \
@@ -681,6 +696,7 @@ distcheck: dist
 	  && am__cwd=`pwd` \
 	  && $(am__cd) $(distdir)/_build \
 	  && ../configure --srcdir=.. --prefix="$$dc_install_base" \
+	    $(AM_DISTCHECK_CONFIGURE_FLAGS) \
 	    $(DISTCHECK_CONFIGURE_FLAGS) \
 	  && $(MAKE) $(AM_MAKEFLAGS) \
 	  && $(MAKE) $(AM_MAKEFLAGS) dvi \
@@ -709,8 +725,16 @@ distcheck: dist
 	  list='$(DIST_ARCHIVES)'; for i in $$list; do echo $$i; done) | \
 	  sed -e 1h -e 1s/./=/g -e 1p -e 1x -e '$$p' -e '$$x'
 distuninstallcheck:
-	@$(am__cd) '$(distuninstallcheck_dir)' \
-	&& test `$(distuninstallcheck_listfiles) | wc -l` -le 1 \
+	@test -n '$(distuninstallcheck_dir)' || { \
+	  echo 'ERROR: trying to run $@ with an empty' \
+	       '$$(distuninstallcheck_dir)' >&2; \
+	  exit 1; \
+	}; \
+	$(am__cd) '$(distuninstallcheck_dir)' || { \
+	  echo 'ERROR: cannot chdir into $(distuninstallcheck_dir)' >&2; \
+	  exit 1; \
+	}; \
+	test `$(am__distuninstallcheck_listfiles) | wc -l` -eq 0 \
 	   || { echo "ERROR: files left after uninstall:" ; \
 	        if test -n "$(DESTDIR)"; then \
 	          echo "  (check DESTDIR support)"; \
@@ -746,10 +770,15 @@ install-am: all-am
 
 installcheck: installcheck-recursive
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
@@ -841,14 +870,14 @@ uninstall-am: uninstall-nodist_config_includeHEADERS
 .PHONY: $(RECURSIVE_CLEAN_TARGETS) $(RECURSIVE_TARGETS) CTAGS GTAGS \
 	all all-am am--refresh check check-am clean clean-generic \
 	clean-libtool clean-local ctags ctags-recursive dist dist-all \
-	dist-bzip2 dist-gzip dist-lzma dist-shar dist-tarZ dist-xz \
-	dist-zip distcheck distclean distclean-generic distclean-hdr \
-	distclean-libtool distclean-tags distcleancheck distdir \
-	distuninstallcheck dvi dvi-am html html-am info info-am \
-	install install-am install-data install-data-am install-dvi \
-	install-dvi-am install-exec install-exec-am install-html \
-	install-html-am install-info install-info-am install-man \
-	install-nodist_config_includeHEADERS install-pdf \
+	dist-bzip2 dist-gzip dist-lzip dist-lzma dist-shar dist-tarZ \
+	dist-xz dist-zip distcheck distclean distclean-generic \
+	distclean-hdr distclean-libtool distclean-tags distcleancheck \
+	distdir distuninstallcheck dvi dvi-am html html-am info \
+	info-am install install-am install-data install-data-am \
+	install-dvi install-dvi-am install-exec install-exec-am \
+	install-html install-html-am install-info install-info-am \
+	install-man install-nodist_config_includeHEADERS install-pdf \
 	install-pdf-am install-ps install-ps-am install-strip \
 	installcheck installcheck-am installdirs installdirs-am \
 	maintainer-clean maintainer-clean-generic mostlyclean \
diff --git a/NEWS b/NEWS
index e207dd6c6..95f7e1c60 100644
--- a/NEWS
+++ b/NEWS
@@ -1,3 +1,54 @@
+strongswan-5.0.2
+----------------
+
+- Implemented all IETF Standard PA-TNC attributes and an OS IMC/IMV
+  pair using them to transfer operating system information.
+
+- The new "ipsec listcounters" command prints a list of global counter values
+  about received and sent IKE messages and rekeyings.
+
+- A new lookip plugin can perform fast lookup of tunnel information using a
+  clients virtual IP and can send notifications about established or deleted
+  tunnels. The "ipsec lookip" command can be used to query such information
+  or receive notifications.
+
+- The new error-notify plugin catches some common error conditions and allows
+  an external application to receive notifications for them over a UNIX socket.
+
+- IKE proposals can now use a PRF algorithm different to that defined for
+  integrity protection. If an algorithm with a "prf" prefix is defined
+  explicitly (such as prfsha1 or prfsha256), no implicit PRF algorithm based on
+  the integrity algorithm is added to the proposal.
+
+- The pkcs11 plugin can now load leftcert certificates from a smartcard for a
+  specific ipsec.conf conn section and cacert CA certificates for a specific ca
+  section.
+
+- The load-tester plugin gained additional options for certificate generation
+  and can load keys and multiple CA certificates from external files. It can
+  install a dedicated outer IP address for each tunnel and tunnel initiation
+  batches can be triggered and monitored externally using the
+  "ipsec load-tester" tool.
+
+- PKCS#7 container parsing has been modularized, and the openssl plugin
+  gained an alternative implementation to decrypt and verify such files.
+  In contrast to our own DER parser, OpenSSL can handle BER files, which is
+  required for interoperability of our scepclient with EJBCA.
+
+- Support for the proprietary IKEv1 fragmentation extension has been added.
+  Fragments are always handled on receipt but only sent if supported by the peer
+  and if enabled with the new fragmentation ipsec.conf option.
+
+- IKEv1 in charon can now parse certificates received in PKCS#7 containers and
+  supports NAT traversal as used by Windows clients. Patches courtesy of
+  Volker Rümelin.
+
+- The new rdrand plugin provides a high quality / high performance random
+  source using the Intel rdrand instruction found on Ivy Bridge processors.
+
+- The integration test environment was updated and now uses KVM and reproducible
+  guest images based on Debian.
+
 strongswan-5.0.1
 ----------------
 
diff --git a/TODO b/TODO
index 458384a8d..186d4d02b 100644
--- a/TODO
+++ b/TODO
@@ -2,31 +2,7 @@
                   strongSwan - TODO
                  ----------------------
 
-This is a TODO list we should keep in mind. A roadmap of the strongSwan
-project is available online at:
+A roadmap of the strongSwan project is available online at:
 
         http://wiki.strongswan.org/projects/strongswan/roadmap
 
-Certificate support
--------------------
-- synchronized CRL fetcher
-- Smartcard interface
-- Attribute certificates
-
-Stroke interface
-----------------
-- add a Rekey-Counter for SAs in "statusall"
-- ipsec statusall bytecount
-
-Misc
-----
-- Address pool/backend for virtual IP assignement
-
-libstrongswan stuff
--------------------
-- Header installation support (#include <strongswan/strongswan.h>?)
-- object style for leak detective, include an API
-- Cleanup/Refactor PEM/ASN1 stuff
-- replace file reads through chunk_read
-- rewrite lexparser in object-oriented style
-
diff --git a/aclocal.m4 b/aclocal.m4
index 9d68d0d80..b27ee7bab 100644
--- a/aclocal.m4
+++ b/aclocal.m4
@@ -1,7 +1,8 @@
-# generated automatically by aclocal 1.11.1 -*- Autoconf -*-
+# generated automatically by aclocal 1.11.3 -*- Autoconf -*-
 
 # Copyright (C) 1996, 1997, 1998, 1999, 2000, 2001, 2002, 2003, 2004,
-# 2005, 2006, 2007, 2008, 2009  Free Software Foundation, Inc.
+# 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software Foundation,
+# Inc.
 # This file is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -13,8 +14,8 @@
 
 m4_ifndef([AC_AUTOCONF_VERSION],
   [m4_copy([m4_PACKAGE_VERSION], [AC_AUTOCONF_VERSION])])dnl
-m4_if(m4_defn([AC_AUTOCONF_VERSION]), [2.67],,
-[m4_warning([this file was generated for autoconf 2.67.
+m4_if(m4_defn([AC_AUTOCONF_VERSION]), [2.68],,
+[m4_warning([this file was generated for autoconf 2.68.
 You have another version of autoconf.  It may work, but is not guaranteed to.
 If you have problems, you may need to regenerate the build system entirely.
 To do so, use the procedure documented by the package, typically `autoreconf'.])])
@@ -272,7 +273,8 @@ sixtyfour bits
 # ----------------------------------
 AC_DEFUN([PKG_PROG_PKG_CONFIG],
 [m4_pattern_forbid([^_?PKG_[A-Z_]+$])
-m4_pattern_allow([^PKG_CONFIG(_PATH)?$])
+m4_pattern_allow([^PKG_CONFIG(_(PATH|LIBDIR|SYSROOT_DIR|ALLOW_SYSTEM_(CFLAGS|LIBS)))?$])
+m4_pattern_allow([^PKG_CONFIG_(DISABLE_UNINSTALLED|TOP_BUILD_DIR|DEBUG_SPEW)$])
 AC_ARG_VAR([PKG_CONFIG], [path to pkg-config utility])
 AC_ARG_VAR([PKG_CONFIG_PATH], [directories to add to pkg-config's search path])
 AC_ARG_VAR([PKG_CONFIG_LIBDIR], [path overriding pkg-config's built-in search path])
@@ -318,7 +320,8 @@ m4_define([_PKG_CONFIG],
     pkg_cv_[]$1="$$1"
  elif test -n "$PKG_CONFIG"; then
     PKG_CHECK_EXISTS([$3],
-                     [pkg_cv_[]$1=`$PKG_CONFIG --[]$2 "$3" 2>/dev/null`],
+                     [pkg_cv_[]$1=`$PKG_CONFIG --[]$2 "$3" 2>/dev/null`
+		      test "x$?" != "x0" && pkg_failed=yes ],
 		     [pkg_failed=yes])
  else
     pkg_failed=untried
@@ -366,9 +369,9 @@ if test $pkg_failed = yes; then
    	AC_MSG_RESULT([no])
         _PKG_SHORT_ERRORS_SUPPORTED
         if test $_pkg_short_errors_supported = yes; then
-	        $1[]_PKG_ERRORS=`$PKG_CONFIG --short-errors --print-errors "$2" 2>&1`
+	        $1[]_PKG_ERRORS=`$PKG_CONFIG --short-errors --print-errors --cflags --libs "$2" 2>&1`
         else 
-	        $1[]_PKG_ERRORS=`$PKG_CONFIG --print-errors "$2" 2>&1`
+	        $1[]_PKG_ERRORS=`$PKG_CONFIG --print-errors --cflags --libs "$2" 2>&1`
         fi
 	# Put the nasty error message in config.log where it belongs
 	echo "$$1[]_PKG_ERRORS" >&AS_MESSAGE_LOG_FD
@@ -381,7 +384,7 @@ $$1_PKG_ERRORS
 Consider adjusting the PKG_CONFIG_PATH environment variable if you
 installed software in a non-standard prefix.
 
-_PKG_TEXT])dnl
+_PKG_TEXT])[]dnl
         ])
 elif test $pkg_failed = untried; then
      	AC_MSG_RESULT([no])
@@ -392,7 +395,7 @@ path to pkg-config.
 
 _PKG_TEXT
 
-To get pkg-config, see <http://pkg-config.freedesktop.org/>.])dnl
+To get pkg-config, see <http://pkg-config.freedesktop.org/>.])[]dnl
         ])
 else
 	$1[]_CFLAGS=$pkg_cv_[]$1[]_CFLAGS
@@ -402,12 +405,15 @@ else
 fi[]dnl
 ])# PKG_CHECK_MODULES
 
-# Copyright (C) 2002, 2003, 2005, 2006, 2007, 2008  Free Software Foundation, Inc.
+# Copyright (C) 2002, 2003, 2005, 2006, 2007, 2008, 2011 Free Software
+# Foundation, Inc.
 #
 # This file is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
 
+# serial 1
+
 # AM_AUTOMAKE_VERSION(VERSION)
 # ----------------------------
 # Automake X.Y traces this macro to ensure aclocal.m4 has been
@@ -417,7 +423,7 @@ AC_DEFUN([AM_AUTOMAKE_VERSION],
 [am__api_version='1.11'
 dnl Some users find AM_AUTOMAKE_VERSION and mistake it for a way to
 dnl require some minimum version.  Point them to the right macro.
-m4_if([$1], [1.11.1], [],
+m4_if([$1], [1.11.3], [],
       [AC_FATAL([Do not call $0, use AM_INIT_AUTOMAKE([$1]).])])dnl
 ])
 
@@ -433,19 +439,21 @@ m4_define([_AM_AUTOCONF_VERSION], [])
 # Call AM_AUTOMAKE_VERSION and AM_AUTOMAKE_VERSION so they can be traced.
 # This function is AC_REQUIREd by AM_INIT_AUTOMAKE.
 AC_DEFUN([AM_SET_CURRENT_AUTOMAKE_VERSION],
-[AM_AUTOMAKE_VERSION([1.11.1])dnl
+[AM_AUTOMAKE_VERSION([1.11.3])dnl
 m4_ifndef([AC_AUTOCONF_VERSION],
   [m4_copy([m4_PACKAGE_VERSION], [AC_AUTOCONF_VERSION])])dnl
 _AM_AUTOCONF_VERSION(m4_defn([AC_AUTOCONF_VERSION]))])
 
 # AM_AUX_DIR_EXPAND                                         -*- Autoconf -*-
 
-# Copyright (C) 2001, 2003, 2005  Free Software Foundation, Inc.
+# Copyright (C) 2001, 2003, 2005, 2011 Free Software Foundation, Inc.
 #
 # This file is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
 
+# serial 1
+
 # For projects using AC_CONFIG_AUX_DIR([foo]), Autoconf sets
 # $ac_aux_dir to `$srcdir/foo'.  In other projects, it is set to
 # `$srcdir', `$srcdir/..', or `$srcdir/../..'.
@@ -527,14 +535,14 @@ AC_CONFIG_COMMANDS_PRE(
 Usually this means the macro was only invoked conditionally.]])
 fi])])
 
-# Copyright (C) 1999, 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2009
-# Free Software Foundation, Inc.
+# Copyright (C) 1999, 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2009,
+# 2010, 2011 Free Software Foundation, Inc.
 #
 # This file is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
 
-# serial 10
+# serial 12
 
 # There are a few dirty hacks below to avoid letting `AC_PROG_CC' be
 # written in clear, in which case automake, when reading aclocal.m4,
@@ -574,6 +582,7 @@ AC_CACHE_CHECK([dependency style of $depcc],
   # instance it was reported that on HP-UX the gcc test will end up
   # making a dummy file named `D' -- because `-MD' means `put the output
   # in D'.
+  rm -rf conftest.dir
   mkdir conftest.dir
   # Copy depcomp to subdir because otherwise we won't find it if we're
   # using a relative directory.
@@ -638,7 +647,7 @@ AC_CACHE_CHECK([dependency style of $depcc],
 	break
       fi
       ;;
-    msvisualcpp | msvcmsys)
+    msvc7 | msvc7msys | msvisualcpp | msvcmsys)
       # This compiler won't grok `-c -o', but also, the minuso test has
       # not run yet.  These depmodes are late enough in the game, and
       # so weak that their functioning should not be impacted.
@@ -703,10 +712,13 @@ AC_DEFUN([AM_DEP_TRACK],
 if test "x$enable_dependency_tracking" != xno; then
   am_depcomp="$ac_aux_dir/depcomp"
   AMDEPBACKSLASH='\'
+  am__nodep='_no'
 fi
 AM_CONDITIONAL([AMDEP], [test "x$enable_dependency_tracking" != xno])
 AC_SUBST([AMDEPBACKSLASH])dnl
 _AM_SUBST_NOTMAKE([AMDEPBACKSLASH])dnl
+AC_SUBST([am__nodep])dnl
+_AM_SUBST_NOTMAKE([am__nodep])dnl
 ])
 
 # Generate code to set up dependency tracking.              -*- Autoconf -*-
@@ -928,12 +940,15 @@ for _am_header in $config_headers :; do
 done
 echo "timestamp for $_am_arg" >`AS_DIRNAME(["$_am_arg"])`/stamp-h[]$_am_stamp_count])
 
-# Copyright (C) 2001, 2003, 2005, 2008  Free Software Foundation, Inc.
+# Copyright (C) 2001, 2003, 2005, 2008, 2011 Free Software Foundation,
+# Inc.
 #
 # This file is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
 
+# serial 1
+
 # AM_PROG_INSTALL_SH
 # ------------------
 # Define $install_sh.
@@ -1065,12 +1080,15 @@ else
 fi
 ])
 
-# Copyright (C) 2003, 2004, 2005, 2006  Free Software Foundation, Inc.
+# Copyright (C) 2003, 2004, 2005, 2006, 2011 Free Software Foundation,
+# Inc.
 #
 # This file is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
 
+# serial 1
+
 # AM_PROG_MKDIR_P
 # ---------------
 # Check for `mkdir -p'.
@@ -1093,13 +1111,14 @@ esac
 
 # Helper functions for option handling.                     -*- Autoconf -*-
 
-# Copyright (C) 2001, 2002, 2003, 2005, 2008  Free Software Foundation, Inc.
+# Copyright (C) 2001, 2002, 2003, 2005, 2008, 2010 Free Software
+# Foundation, Inc.
 #
 # This file is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
 
-# serial 4
+# serial 5
 
 # _AM_MANGLE_OPTION(NAME)
 # -----------------------
@@ -1107,13 +1126,13 @@ AC_DEFUN([_AM_MANGLE_OPTION],
 [[_AM_OPTION_]m4_bpatsubst($1, [[^a-zA-Z0-9_]], [_])])
 
 # _AM_SET_OPTION(NAME)
-# ------------------------------
+# --------------------
 # Set option NAME.  Presently that only means defining a flag for this option.
 AC_DEFUN([_AM_SET_OPTION],
 [m4_define(_AM_MANGLE_OPTION([$1]), 1)])
 
 # _AM_SET_OPTIONS(OPTIONS)
-# ----------------------------------
+# ------------------------
 # OPTIONS is a space-separated list of Automake options.
 AC_DEFUN([_AM_SET_OPTIONS],
 [m4_foreach_w([_AM_Option], [$1], [_AM_SET_OPTION(_AM_Option)])])
@@ -1124,12 +1143,14 @@ AC_DEFUN([_AM_SET_OPTIONS],
 AC_DEFUN([_AM_IF_OPTION],
 [m4_ifset(_AM_MANGLE_OPTION([$1]), [$2], [$3])])
 
-# Copyright (C) 2001, 2003, 2005  Free Software Foundation, Inc.
+# Copyright (C) 2001, 2003, 2005, 2011 Free Software Foundation, Inc.
 #
 # This file is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
 
+# serial 1
+
 # AM_RUN_LOG(COMMAND)
 # -------------------
 # Run COMMAND, save the exit status in ac_status, and log it.
@@ -1206,12 +1227,14 @@ Check your system clock])
 fi
 AC_MSG_RESULT(yes)])
 
-# Copyright (C) 2001, 2003, 2005  Free Software Foundation, Inc.
+# Copyright (C) 2001, 2003, 2005, 2011 Free Software Foundation, Inc.
 #
 # This file is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
 
+# serial 1
+
 # AM_PROG_INSTALL_STRIP
 # ---------------------
 # One issue with vendor `install' (even GNU) is that you can't
@@ -1234,13 +1257,13 @@ fi
 INSTALL_STRIP_PROGRAM="\$(install_sh) -c -s"
 AC_SUBST([INSTALL_STRIP_PROGRAM])])
 
-# Copyright (C) 2006, 2008  Free Software Foundation, Inc.
+# Copyright (C) 2006, 2008, 2010 Free Software Foundation, Inc.
 #
 # This file is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
 
-# serial 2
+# serial 3
 
 # _AM_SUBST_NOTMAKE(VARIABLE)
 # ---------------------------
@@ -1249,13 +1272,13 @@ AC_SUBST([INSTALL_STRIP_PROGRAM])])
 AC_DEFUN([_AM_SUBST_NOTMAKE])
 
 # AM_SUBST_NOTMAKE(VARIABLE)
-# ---------------------------
+# --------------------------
 # Public sister of _AM_SUBST_NOTMAKE.
 AC_DEFUN([AM_SUBST_NOTMAKE], [_AM_SUBST_NOTMAKE($@)])
 
 # Check how to create a tarball.                            -*- Autoconf -*-
 
-# Copyright (C) 2004, 2005  Free Software Foundation, Inc.
+# Copyright (C) 2004, 2005, 2012 Free Software Foundation, Inc.
 #
 # This file is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
@@ -1277,10 +1300,11 @@ AC_DEFUN([AM_SUBST_NOTMAKE], [_AM_SUBST_NOTMAKE($@)])
 # a tarball read from stdin.
 #     $(am__untar) < result.tar
 AC_DEFUN([_AM_PROG_TAR],
-[# Always define AMTAR for backward compatibility.
-AM_MISSING_PROG([AMTAR], [tar])
+[# Always define AMTAR for backward compatibility.  Yes, it's still used
+# in the wild :-(  We should find a proper way to deprecate it ...
+AC_SUBST([AMTAR], ['$${TAR-tar}'])
 m4_if([$1], [v7],
-     [am__tar='${AMTAR} chof - "$$tardir"'; am__untar='${AMTAR} xf -'],
+     [am__tar='$${TAR-tar} chof - "$$tardir"' am__untar='$${TAR-tar} xf -'],
      [m4_case([$1], [ustar],, [pax],,
               [m4_fatal([Unknown tar format])])
 AC_MSG_CHECKING([how to create a $1 tar archive])
diff --git a/config.guess b/config.guess
index c2246a4f7..d622a44e5 100755
--- a/config.guess
+++ b/config.guess
@@ -1,10 +1,10 @@
 #! /bin/sh
 # Attempt to guess a canonical system name.
 #   Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999,
-#   2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010
-#   Free Software Foundation, Inc.
+#   2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010,
+#   2011, 2012 Free Software Foundation, Inc.
 
-timestamp='2009-12-30'
+timestamp='2012-02-10'
 
 # This file is free software; you can redistribute it and/or modify it
 # under the terms of the GNU General Public License as published by
@@ -17,9 +17,7 @@ timestamp='2009-12-30'
 # General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 51 Franklin Street - Fifth Floor, Boston, MA
-# 02110-1301, USA.
+# along with this program; if not, see <http://www.gnu.org/licenses/>.
 #
 # As a special exception to the GNU General Public License, if you
 # distribute this file as part of a program that contains a
@@ -57,8 +55,8 @@ GNU config.guess ($timestamp)
 
 Originally written by Per Bothner.
 Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999, 2000,
-2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010 Free
-Software Foundation, Inc.
+2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011, 2012
+Free Software Foundation, Inc.
 
 This is free software; see the source for copying conditions.  There is NO
 warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE."
@@ -145,7 +143,7 @@ UNAME_VERSION=`(uname -v) 2>/dev/null` || UNAME_VERSION=unknown
 case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in
     *:NetBSD:*:*)
 	# NetBSD (nbsd) targets should (where applicable) match one or
-	# more of the tupples: *-*-netbsdelf*, *-*-netbsdaout*,
+	# more of the tuples: *-*-netbsdelf*, *-*-netbsdaout*,
 	# *-*-netbsdecoff* and *-*-netbsd*.  For targets that recently
 	# switched to ELF, *-*-netbsd* would select the old
 	# object file format.  This provides both forward
@@ -181,7 +179,7 @@ case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in
 		fi
 		;;
 	    *)
-	        os=netbsd
+		os=netbsd
 		;;
 	esac
 	# The OS release
@@ -224,7 +222,7 @@ case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in
 		UNAME_RELEASE=`/usr/sbin/sizer -v | awk '{print $3}'`
 		;;
 	*5.*)
-	        UNAME_RELEASE=`/usr/sbin/sizer -v | awk '{print $4}'`
+		UNAME_RELEASE=`/usr/sbin/sizer -v | awk '{print $4}'`
 		;;
 	esac
 	# According to Compaq, /usr/sbin/psrinfo has been available on
@@ -270,7 +268,10 @@ case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in
 	# A Xn.n version is an unreleased experimental baselevel.
 	# 1.2 uses "1.2" for uname -r.
 	echo ${UNAME_MACHINE}-dec-osf`echo ${UNAME_RELEASE} | sed -e 's/^[PVTX]//' | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz'`
-	exit ;;
+	# Reset EXIT trap before exiting to avoid spurious non-zero exit code.
+	exitcode=$?
+	trap '' 0
+	exit $exitcode ;;
     Alpha\ *:Windows_NT*:*)
 	# How do we know it's Interix rather than the generic POSIX subsystem?
 	# Should we change UNAME_MACHINE based on the output of uname instead
@@ -296,7 +297,7 @@ case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in
 	echo s390-ibm-zvmoe
 	exit ;;
     *:OS400:*:*)
-        echo powerpc-ibm-os400
+	echo powerpc-ibm-os400
 	exit ;;
     arm:RISC*:1.[012]*:*|arm:riscix:1.[012]*:*)
 	echo arm-acorn-riscix${UNAME_RELEASE}
@@ -395,23 +396,23 @@ case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in
     # MiNT.  But MiNT is downward compatible to TOS, so this should
     # be no problem.
     atarist[e]:*MiNT:*:* | atarist[e]:*mint:*:* | atarist[e]:*TOS:*:*)
-        echo m68k-atari-mint${UNAME_RELEASE}
+	echo m68k-atari-mint${UNAME_RELEASE}
 	exit ;;
     atari*:*MiNT:*:* | atari*:*mint:*:* | atarist[e]:*TOS:*:*)
 	echo m68k-atari-mint${UNAME_RELEASE}
-        exit ;;
+	exit ;;
     *falcon*:*MiNT:*:* | *falcon*:*mint:*:* | *falcon*:*TOS:*:*)
-        echo m68k-atari-mint${UNAME_RELEASE}
+	echo m68k-atari-mint${UNAME_RELEASE}
 	exit ;;
     milan*:*MiNT:*:* | milan*:*mint:*:* | *milan*:*TOS:*:*)
-        echo m68k-milan-mint${UNAME_RELEASE}
-        exit ;;
+	echo m68k-milan-mint${UNAME_RELEASE}
+	exit ;;
     hades*:*MiNT:*:* | hades*:*mint:*:* | *hades*:*TOS:*:*)
-        echo m68k-hades-mint${UNAME_RELEASE}
-        exit ;;
+	echo m68k-hades-mint${UNAME_RELEASE}
+	exit ;;
     *:*MiNT:*:* | *:*mint:*:* | *:*TOS:*:*)
-        echo m68k-unknown-mint${UNAME_RELEASE}
-        exit ;;
+	echo m68k-unknown-mint${UNAME_RELEASE}
+	exit ;;
     m68k:machten:*:*)
 	echo m68k-apple-machten${UNAME_RELEASE}
 	exit ;;
@@ -481,8 +482,8 @@ EOF
 	echo m88k-motorola-sysv3
 	exit ;;
     AViiON:dgux:*:*)
-        # DG/UX returns AViiON for all architectures
-        UNAME_PROCESSOR=`/usr/bin/uname -p`
+	# DG/UX returns AViiON for all architectures
+	UNAME_PROCESSOR=`/usr/bin/uname -p`
 	if [ $UNAME_PROCESSOR = mc88100 ] || [ $UNAME_PROCESSOR = mc88110 ]
 	then
 	    if [ ${TARGET_BINARY_INTERFACE}x = m88kdguxelfx ] || \
@@ -495,7 +496,7 @@ EOF
 	else
 	    echo i586-dg-dgux${UNAME_RELEASE}
 	fi
- 	exit ;;
+	exit ;;
     M88*:DolphinOS:*:*)	# DolphinOS (SVR3)
 	echo m88k-dolphin-sysv3
 	exit ;;
@@ -552,7 +553,7 @@ EOF
 		echo rs6000-ibm-aix3.2
 	fi
 	exit ;;
-    *:AIX:*:[456])
+    *:AIX:*:[4567])
 	IBM_CPU_ID=`/usr/sbin/lsdev -C -c processor -S available | sed 1q | awk '{ print $1 }'`
 	if /usr/sbin/lsattr -El ${IBM_CPU_ID} | grep ' POWER' >/dev/null 2>&1; then
 		IBM_ARCH=rs6000
@@ -595,52 +596,52 @@ EOF
 	    9000/[678][0-9][0-9])
 		if [ -x /usr/bin/getconf ]; then
 		    sc_cpu_version=`/usr/bin/getconf SC_CPU_VERSION 2>/dev/null`
-                    sc_kernel_bits=`/usr/bin/getconf SC_KERNEL_BITS 2>/dev/null`
-                    case "${sc_cpu_version}" in
-                      523) HP_ARCH="hppa1.0" ;; # CPU_PA_RISC1_0
-                      528) HP_ARCH="hppa1.1" ;; # CPU_PA_RISC1_1
-                      532)                      # CPU_PA_RISC2_0
-                        case "${sc_kernel_bits}" in
-                          32) HP_ARCH="hppa2.0n" ;;
-                          64) HP_ARCH="hppa2.0w" ;;
+		    sc_kernel_bits=`/usr/bin/getconf SC_KERNEL_BITS 2>/dev/null`
+		    case "${sc_cpu_version}" in
+		      523) HP_ARCH="hppa1.0" ;; # CPU_PA_RISC1_0
+		      528) HP_ARCH="hppa1.1" ;; # CPU_PA_RISC1_1
+		      532)                      # CPU_PA_RISC2_0
+			case "${sc_kernel_bits}" in
+			  32) HP_ARCH="hppa2.0n" ;;
+			  64) HP_ARCH="hppa2.0w" ;;
 			  '') HP_ARCH="hppa2.0" ;;   # HP-UX 10.20
-                        esac ;;
-                    esac
+			esac ;;
+		    esac
 		fi
 		if [ "${HP_ARCH}" = "" ]; then
 		    eval $set_cc_for_build
-		    sed 's/^              //' << EOF >$dummy.c
+		    sed 's/^		//' << EOF >$dummy.c
 
-              #define _HPUX_SOURCE
-              #include <stdlib.h>
-              #include <unistd.h>
+		#define _HPUX_SOURCE
+		#include <stdlib.h>
+		#include <unistd.h>
 
-              int main ()
-              {
-              #if defined(_SC_KERNEL_BITS)
-                  long bits = sysconf(_SC_KERNEL_BITS);
-              #endif
-                  long cpu  = sysconf (_SC_CPU_VERSION);
+		int main ()
+		{
+		#if defined(_SC_KERNEL_BITS)
+		    long bits = sysconf(_SC_KERNEL_BITS);
+		#endif
+		    long cpu  = sysconf (_SC_CPU_VERSION);
 
-                  switch (cpu)
-              	{
-              	case CPU_PA_RISC1_0: puts ("hppa1.0"); break;
-              	case CPU_PA_RISC1_1: puts ("hppa1.1"); break;
-              	case CPU_PA_RISC2_0:
-              #if defined(_SC_KERNEL_BITS)
-              	    switch (bits)
-              		{
-              		case 64: puts ("hppa2.0w"); break;
-              		case 32: puts ("hppa2.0n"); break;
-              		default: puts ("hppa2.0"); break;
-              		} break;
-              #else  /* !defined(_SC_KERNEL_BITS) */
-              	    puts ("hppa2.0"); break;
-              #endif
-              	default: puts ("hppa1.0"); break;
-              	}
-                  exit (0);
-              }
+		    switch (cpu)
+			{
+			case CPU_PA_RISC1_0: puts ("hppa1.0"); break;
+			case CPU_PA_RISC1_1: puts ("hppa1.1"); break;
+			case CPU_PA_RISC2_0:
+		#if defined(_SC_KERNEL_BITS)
+			    switch (bits)
+				{
+				case 64: puts ("hppa2.0w"); break;
+				case 32: puts ("hppa2.0n"); break;
+				default: puts ("hppa2.0"); break;
+				} break;
+		#else  /* !defined(_SC_KERNEL_BITS) */
+			    puts ("hppa2.0"); break;
+		#endif
+			default: puts ("hppa1.0"); break;
+			}
+		    exit (0);
+		}
 EOF
 		    (CCOPTS= $CC_FOR_BUILD -o $dummy $dummy.c 2>/dev/null) && HP_ARCH=`$dummy`
 		    test -z "$HP_ARCH" && HP_ARCH=hppa
@@ -731,22 +732,22 @@ EOF
 	exit ;;
     C1*:ConvexOS:*:* | convex:ConvexOS:C1*:*)
 	echo c1-convex-bsd
-        exit ;;
+	exit ;;
     C2*:ConvexOS:*:* | convex:ConvexOS:C2*:*)
 	if getsysinfo -f scalar_acc
 	then echo c32-convex-bsd
 	else echo c2-convex-bsd
 	fi
-        exit ;;
+	exit ;;
     C34*:ConvexOS:*:* | convex:ConvexOS:C34*:*)
 	echo c34-convex-bsd
-        exit ;;
+	exit ;;
     C38*:ConvexOS:*:* | convex:ConvexOS:C38*:*)
 	echo c38-convex-bsd
-        exit ;;
+	exit ;;
     C4*:ConvexOS:*:* | convex:ConvexOS:C4*:*)
 	echo c4-convex-bsd
-        exit ;;
+	exit ;;
     CRAY*Y-MP:*:*:*)
 	echo ymp-cray-unicos${UNAME_RELEASE} | sed -e 's/\.[^.]*$/.X/'
 	exit ;;
@@ -770,14 +771,14 @@ EOF
 	exit ;;
     F30[01]:UNIX_System_V:*:* | F700:UNIX_System_V:*:*)
 	FUJITSU_PROC=`uname -m | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz'`
-        FUJITSU_SYS=`uname -p | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz' | sed -e 's/\///'`
-        FUJITSU_REL=`echo ${UNAME_RELEASE} | sed -e 's/ /_/'`
-        echo "${FUJITSU_PROC}-fujitsu-${FUJITSU_SYS}${FUJITSU_REL}"
-        exit ;;
+	FUJITSU_SYS=`uname -p | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz' | sed -e 's/\///'`
+	FUJITSU_REL=`echo ${UNAME_RELEASE} | sed -e 's/ /_/'`
+	echo "${FUJITSU_PROC}-fujitsu-${FUJITSU_SYS}${FUJITSU_REL}"
+	exit ;;
     5000:UNIX_System_V:4.*:*)
-        FUJITSU_SYS=`uname -p | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz' | sed -e 's/\///'`
-        FUJITSU_REL=`echo ${UNAME_RELEASE} | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz' | sed -e 's/ /_/'`
-        echo "sparc-fujitsu-${FUJITSU_SYS}${FUJITSU_REL}"
+	FUJITSU_SYS=`uname -p | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz' | sed -e 's/\///'`
+	FUJITSU_REL=`echo ${UNAME_RELEASE} | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz' | sed -e 's/ /_/'`
+	echo "sparc-fujitsu-${FUJITSU_SYS}${FUJITSU_REL}"
 	exit ;;
     i*86:BSD/386:*:* | i*86:BSD/OS:*:* | *:Ascend\ Embedded/OS:*:*)
 	echo ${UNAME_MACHINE}-pc-bsdi${UNAME_RELEASE}
@@ -789,13 +790,12 @@ EOF
 	echo ${UNAME_MACHINE}-unknown-bsdi${UNAME_RELEASE}
 	exit ;;
     *:FreeBSD:*:*)
-	case ${UNAME_MACHINE} in
-	    pc98)
-		echo i386-unknown-freebsd`echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'` ;;
+	UNAME_PROCESSOR=`/usr/bin/uname -p`
+	case ${UNAME_PROCESSOR} in
 	    amd64)
 		echo x86_64-unknown-freebsd`echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'` ;;
 	    *)
-		echo ${UNAME_MACHINE}-unknown-freebsd`echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'` ;;
+		echo ${UNAME_PROCESSOR}-unknown-freebsd`echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'` ;;
 	esac
 	exit ;;
     i*:CYGWIN*:*)
@@ -804,15 +804,18 @@ EOF
     *:MINGW*:*)
 	echo ${UNAME_MACHINE}-pc-mingw32
 	exit ;;
+    i*:MSYS*:*)
+	echo ${UNAME_MACHINE}-pc-msys
+	exit ;;
     i*:windows32*:*)
-    	# uname -m includes "-pc" on this system.
-    	echo ${UNAME_MACHINE}-mingw32
+	# uname -m includes "-pc" on this system.
+	echo ${UNAME_MACHINE}-mingw32
 	exit ;;
     i*:PW*:*)
 	echo ${UNAME_MACHINE}-pc-pw32
 	exit ;;
     *:Interix*:*)
-    	case ${UNAME_MACHINE} in
+	case ${UNAME_MACHINE} in
 	    x86)
 		echo i586-pc-interix${UNAME_RELEASE}
 		exit ;;
@@ -858,6 +861,13 @@ EOF
     i*86:Minix:*:*)
 	echo ${UNAME_MACHINE}-pc-minix
 	exit ;;
+    aarch64:Linux:*:*)
+	echo ${UNAME_MACHINE}-unknown-linux-gnu
+	exit ;;
+    aarch64_be:Linux:*:*)
+	UNAME_MACHINE=aarch64_be
+	echo ${UNAME_MACHINE}-unknown-linux-gnu
+	exit ;;
     alpha:Linux:*:*)
 	case `sed -n '/^cpu model/s/^.*: \(.*\)/\1/p' < /proc/cpuinfo` in
 	  EV5)   UNAME_MACHINE=alphaev5 ;;
@@ -867,7 +877,7 @@ EOF
 	  EV6)   UNAME_MACHINE=alphaev6 ;;
 	  EV67)  UNAME_MACHINE=alphaev67 ;;
 	  EV68*) UNAME_MACHINE=alphaev68 ;;
-        esac
+	esac
 	objdump --private-headers /bin/sh | grep -q ld.so.1
 	if test "$?" = 0 ; then LIBC="libc1" ; else LIBC="" ; fi
 	echo ${UNAME_MACHINE}-unknown-linux-gnu${LIBC}
@@ -879,20 +889,29 @@ EOF
 	then
 	    echo ${UNAME_MACHINE}-unknown-linux-gnu
 	else
-	    echo ${UNAME_MACHINE}-unknown-linux-gnueabi
+	    if echo __ARM_PCS_VFP | $CC_FOR_BUILD -E - 2>/dev/null \
+		| grep -q __ARM_PCS_VFP
+	    then
+		echo ${UNAME_MACHINE}-unknown-linux-gnueabi
+	    else
+		echo ${UNAME_MACHINE}-unknown-linux-gnueabihf
+	    fi
 	fi
 	exit ;;
     avr32*:Linux:*:*)
 	echo ${UNAME_MACHINE}-unknown-linux-gnu
 	exit ;;
     cris:Linux:*:*)
-	echo cris-axis-linux-gnu
+	echo ${UNAME_MACHINE}-axis-linux-gnu
 	exit ;;
     crisv32:Linux:*:*)
-	echo crisv32-axis-linux-gnu
+	echo ${UNAME_MACHINE}-axis-linux-gnu
 	exit ;;
     frv:Linux:*:*)
-    	echo frv-unknown-linux-gnu
+	echo ${UNAME_MACHINE}-unknown-linux-gnu
+	exit ;;
+    hexagon:Linux:*:*)
+	echo ${UNAME_MACHINE}-unknown-linux-gnu
 	exit ;;
     i*86:Linux:*:*)
 	LIBC=gnu
@@ -934,7 +953,7 @@ EOF
 	test x"${CPU}" != x && { echo "${CPU}-unknown-linux-gnu"; exit; }
 	;;
     or32:Linux:*:*)
-	echo or32-unknown-linux-gnu
+	echo ${UNAME_MACHINE}-unknown-linux-gnu
 	exit ;;
     padre:Linux:*:*)
 	echo sparc-unknown-linux-gnu
@@ -960,7 +979,7 @@ EOF
 	echo ${UNAME_MACHINE}-ibm-linux
 	exit ;;
     sh64*:Linux:*:*)
-    	echo ${UNAME_MACHINE}-unknown-linux-gnu
+	echo ${UNAME_MACHINE}-unknown-linux-gnu
 	exit ;;
     sh*:Linux:*:*)
 	echo ${UNAME_MACHINE}-unknown-linux-gnu
@@ -968,14 +987,17 @@ EOF
     sparc:Linux:*:* | sparc64:Linux:*:*)
 	echo ${UNAME_MACHINE}-unknown-linux-gnu
 	exit ;;
+    tile*:Linux:*:*)
+	echo ${UNAME_MACHINE}-unknown-linux-gnu
+	exit ;;
     vax:Linux:*:*)
 	echo ${UNAME_MACHINE}-dec-linux-gnu
 	exit ;;
     x86_64:Linux:*:*)
-	echo x86_64-unknown-linux-gnu
+	echo ${UNAME_MACHINE}-unknown-linux-gnu
 	exit ;;
     xtensa*:Linux:*:*)
-    	echo ${UNAME_MACHINE}-unknown-linux-gnu
+	echo ${UNAME_MACHINE}-unknown-linux-gnu
 	exit ;;
     i*86:DYNIX/ptx:4*:*)
 	# ptx 4.0 does uname -s correctly, with DYNIX/ptx in there.
@@ -984,11 +1006,11 @@ EOF
 	echo i386-sequent-sysv4
 	exit ;;
     i*86:UNIX_SV:4.2MP:2.*)
-        # Unixware is an offshoot of SVR4, but it has its own version
-        # number series starting with 2...
-        # I am not positive that other SVR4 systems won't match this,
+	# Unixware is an offshoot of SVR4, but it has its own version
+	# number series starting with 2...
+	# I am not positive that other SVR4 systems won't match this,
 	# I just have to hope.  -- rms.
-        # Use sysv4.2uw... so that sysv4* matches it.
+	# Use sysv4.2uw... so that sysv4* matches it.
 	echo ${UNAME_MACHINE}-pc-sysv4.2uw${UNAME_VERSION}
 	exit ;;
     i*86:OS/2:*:*)
@@ -1020,7 +1042,7 @@ EOF
 	fi
 	exit ;;
     i*86:*:5:[678]*)
-    	# UnixWare 7.x, OpenUNIX and OpenServer 6.
+	# UnixWare 7.x, OpenUNIX and OpenServer 6.
 	case `/bin/uname -X | grep "^Machine"` in
 	    *486*)	     UNAME_MACHINE=i486 ;;
 	    *Pentium)	     UNAME_MACHINE=i586 ;;
@@ -1048,13 +1070,13 @@ EOF
 	exit ;;
     pc:*:*:*)
 	# Left here for compatibility:
-        # uname -m prints for DJGPP always 'pc', but it prints nothing about
-        # the processor, so we play safe by assuming i586.
+	# uname -m prints for DJGPP always 'pc', but it prints nothing about
+	# the processor, so we play safe by assuming i586.
 	# Note: whatever this is, it MUST be the same as what config.sub
 	# prints for the "djgpp" host, or else GDB configury will decide that
 	# this is a cross-build.
 	echo i586-pc-msdosdjgpp
-        exit ;;
+	exit ;;
     Intel:Mach:3*:*)
 	echo i386-pc-mach3
 	exit ;;
@@ -1089,8 +1111,8 @@ EOF
 	/bin/uname -p 2>/dev/null | /bin/grep entium >/dev/null \
 	  && { echo i586-ncr-sysv4.3${OS_REL}; exit; } ;;
     3[34]??:*:4.0:* | 3[34]??,*:*:4.0:*)
-        /bin/uname -p 2>/dev/null | grep 86 >/dev/null \
-          && { echo i486-ncr-sysv4; exit; } ;;
+	/bin/uname -p 2>/dev/null | grep 86 >/dev/null \
+	  && { echo i486-ncr-sysv4; exit; } ;;
     NCR*:*:4.2:* | MPRAS*:*:4.2:*)
 	OS_REL='.3'
 	test -r /etc/.relid \
@@ -1133,10 +1155,10 @@ EOF
 		echo ns32k-sni-sysv
 	fi
 	exit ;;
-    PENTIUM:*:4.0*:*) # Unisys `ClearPath HMP IX 4000' SVR4/MP effort
-                      # says <Richard.M.Bartel@ccMail.Census.GOV>
-        echo i586-unisys-sysv4
-        exit ;;
+    PENTIUM:*:4.0*:*)	# Unisys `ClearPath HMP IX 4000' SVR4/MP effort
+			# says <Richard.M.Bartel@ccMail.Census.GOV>
+	echo i586-unisys-sysv4
+	exit ;;
     *:UNIX_System_V:4*:FTX*)
 	# From Gerald Hewes <hewes@openmarket.com>.
 	# How about differentiating between stratus architectures? -djm
@@ -1162,11 +1184,11 @@ EOF
 	exit ;;
     R[34]000:*System_V*:*:* | R4000:UNIX_SYSV:*:* | R*000:UNIX_SV:*:*)
 	if [ -d /usr/nec ]; then
-	        echo mips-nec-sysv${UNAME_RELEASE}
+		echo mips-nec-sysv${UNAME_RELEASE}
 	else
-	        echo mips-unknown-sysv${UNAME_RELEASE}
+		echo mips-unknown-sysv${UNAME_RELEASE}
 	fi
-        exit ;;
+	exit ;;
     BeBox:BeOS:*:*)	# BeOS running on hardware made by Be, PPC only.
 	echo powerpc-be-beos
 	exit ;;
@@ -1231,6 +1253,9 @@ EOF
     *:QNX:*:4*)
 	echo i386-pc-qnx
 	exit ;;
+    NEO-?:NONSTOP_KERNEL:*:*)
+	echo neo-tandem-nsk${UNAME_RELEASE}
+	exit ;;
     NSE-?:NONSTOP_KERNEL:*:*)
 	echo nse-tandem-nsk${UNAME_RELEASE}
 	exit ;;
@@ -1276,13 +1301,13 @@ EOF
 	echo pdp10-unknown-its
 	exit ;;
     SEI:*:*:SEIUX)
-        echo mips-sei-seiux${UNAME_RELEASE}
+	echo mips-sei-seiux${UNAME_RELEASE}
 	exit ;;
     *:DragonFly:*:*)
 	echo ${UNAME_MACHINE}-unknown-dragonfly`echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'`
 	exit ;;
     *:*VMS:*:*)
-    	UNAME_MACHINE=`(uname -p) 2>/dev/null`
+	UNAME_MACHINE=`(uname -p) 2>/dev/null`
 	case "${UNAME_MACHINE}" in
 	    A*) echo alpha-dec-vms ; exit ;;
 	    I*) echo ia64-dec-vms ; exit ;;
@@ -1300,6 +1325,9 @@ EOF
     i*86:AROS:*:*)
 	echo ${UNAME_MACHINE}-pc-aros
 	exit ;;
+    x86_64:VMkernel:*:*)
+	echo ${UNAME_MACHINE}-unknown-esx
+	exit ;;
 esac
 
 #echo '(No uname command or uname output not recognized.)' 1>&2
@@ -1322,11 +1350,11 @@ main ()
 #include <sys/param.h>
   printf ("m68k-sony-newsos%s\n",
 #ifdef NEWSOS4
-          "4"
+	"4"
 #else
-	  ""
+	""
 #endif
-         ); exit (0);
+	); exit (0);
 #endif
 #endif
 
diff --git a/config.h.in b/config.h.in
index 74893a7a4..3965ed25c 100644
--- a/config.h.in
+++ b/config.h.in
@@ -148,6 +148,12 @@
 /* Define to 1 if you have the `pthread_rwlock_init' function. */
 #undef HAVE_PTHREAD_RWLOCK_INIT
 
+/* Define to 1 if you have the `pthread_spin_init' function. */
+#undef HAVE_PTHREAD_SPIN_INIT
+
+/* Define to 1 if you have the `rb_errinfo' function. */
+#undef HAVE_RB_ERRINFO
+
 /* have netlink RTA_TABLE defined */
 #undef HAVE_RTA_TABLE
 
@@ -254,6 +260,9 @@
 /* Define to 1 if strerror_r returns char *. */
 #undef STRERROR_R_CHAR_P
 
+/* use TrouSerS library libtspi as TSS implementation */
+#undef TSS_TROUSERS
+
 /* support for IKEv1 protocol */
 #undef USE_IKEV1
 
@@ -281,3 +290,6 @@
 /* Define to 1 if `lex' declares `yytext' as a `char *' by default, not a
    `char[]'. */
 #undef YYTEXT_POINTER
+
+/* Define to `unsigned int' if <sys/types.h> does not define. */
+#undef size_t
diff --git a/config.sub b/config.sub
index c2d125724..c894da455 100755
--- a/config.sub
+++ b/config.sub
@@ -1,10 +1,10 @@
 #! /bin/sh
 # Configuration validation subroutine script.
 #   Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999,
-#   2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010
-#   Free Software Foundation, Inc.
+#   2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010,
+#   2011, 2012 Free Software Foundation, Inc.
 
-timestamp='2010-01-22'
+timestamp='2012-02-10'
 
 # This file is (in principle) common to ALL GNU software.
 # The presence of a machine in this file suggests that SOME GNU software
@@ -21,9 +21,7 @@ timestamp='2010-01-22'
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 51 Franklin Street - Fifth Floor, Boston, MA
-# 02110-1301, USA.
+# along with this program; if not, see <http://www.gnu.org/licenses/>.
 #
 # As a special exception to the GNU General Public License, if you
 # distribute this file as part of a program that contains a
@@ -76,8 +74,8 @@ version="\
 GNU config.sub ($timestamp)
 
 Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999, 2000,
-2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010 Free
-Software Foundation, Inc.
+2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011, 2012
+Free Software Foundation, Inc.
 
 This is free software; see the source for copying conditions.  There is NO
 warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE."
@@ -124,13 +122,18 @@ esac
 # Here we must recognize all the valid KERNEL-OS combinations.
 maybe_os=`echo $1 | sed 's/^\(.*\)-\([^-]*-[^-]*\)$/\2/'`
 case $maybe_os in
-  nto-qnx* | linux-gnu* | linux-dietlibc | linux-newlib* | linux-uclibc* | \
-  uclinux-uclibc* | uclinux-gnu* | kfreebsd*-gnu* | knetbsd*-gnu* | netbsd*-gnu* | \
+  nto-qnx* | linux-gnu* | linux-android* | linux-dietlibc | linux-newlib* | \
+  linux-uclibc* | uclinux-uclibc* | uclinux-gnu* | kfreebsd*-gnu* | \
+  knetbsd*-gnu* | netbsd*-gnu* | \
   kopensolaris*-gnu* | \
   storm-chaos* | os2-emx* | rtmk-nova*)
     os=-$maybe_os
     basic_machine=`echo $1 | sed 's/^\(.*\)-\([^-]*-[^-]*\)$/\1/'`
     ;;
+  android-linux)
+    os=-linux-android
+    basic_machine=`echo $1 | sed 's/^\(.*\)-\([^-]*-[^-]*\)$/\1/'`-unknown
+    ;;
   *)
     basic_machine=`echo $1 | sed 's/-[^-]*$//'`
     if [ $basic_machine != $1 ]
@@ -157,8 +160,8 @@ case $os in
 		os=
 		basic_machine=$1
 		;;
-        -bluegene*)
-	        os=-cnk
+	-bluegene*)
+		os=-cnk
 		;;
 	-sim | -cisco | -oki | -wec | -winbond)
 		os=
@@ -174,10 +177,10 @@ case $os in
 		os=-chorusos
 		basic_machine=$1
 		;;
- 	-chorusrdb)
- 		os=-chorusrdb
+	-chorusrdb)
+		os=-chorusrdb
 		basic_machine=$1
- 		;;
+		;;
 	-hiux*)
 		os=-hiuxwe2
 		;;
@@ -246,17 +249,22 @@ case $basic_machine in
 	# Some are omitted here because they have special meanings below.
 	1750a | 580 \
 	| a29k \
+	| aarch64 | aarch64_be \
 	| alpha | alphaev[4-8] | alphaev56 | alphaev6[78] | alphapca5[67] \
 	| alpha64 | alpha64ev[4-8] | alpha64ev56 | alpha64ev6[78] | alpha64pca5[67] \
 	| am33_2.0 \
 	| arc | arm | arm[bl]e | arme[lb] | armv[2345] | armv[345][lb] | avr | avr32 \
+        | be32 | be64 \
 	| bfin \
 	| c4x | clipper \
 	| d10v | d30v | dlx | dsp16xx \
+	| epiphany \
 	| fido | fr30 | frv \
 	| h8300 | h8500 | hppa | hppa1.[01] | hppa2.0 | hppa2.0[nw] | hppa64 \
+	| hexagon \
 	| i370 | i860 | i960 | ia64 \
 	| ip2k | iq2000 \
+	| le32 | le64 \
 	| lm32 \
 	| m32c | m32r | m32rle | m68000 | m68k | m88k \
 	| maxq | mb | microblaze | mcore | mep | metag \
@@ -282,29 +290,39 @@ case $basic_machine in
 	| moxie \
 	| mt \
 	| msp430 \
+	| nds32 | nds32le | nds32be \
 	| nios | nios2 \
 	| ns16k | ns32k \
+	| open8 \
 	| or32 \
 	| pdp10 | pdp11 | pj | pjl \
-	| powerpc | powerpc64 | powerpc64le | powerpcle | ppcbe \
+	| powerpc | powerpc64 | powerpc64le | powerpcle \
 	| pyramid \
-	| rx \
+	| rl78 | rx \
 	| score \
 	| sh | sh[1234] | sh[24]a | sh[24]aeb | sh[23]e | sh[34]eb | sheb | shbe | shle | sh[1234]le | sh3ele \
 	| sh64 | sh64le \
 	| sparc | sparc64 | sparc64b | sparc64v | sparc86x | sparclet | sparclite \
 	| sparcv8 | sparcv9 | sparcv9b | sparcv9v \
-	| spu | strongarm \
-	| tahoe | thumb | tic4x | tic80 | tron \
+	| spu \
+	| tahoe | tic4x | tic54x | tic55x | tic6x | tic80 | tron \
 	| ubicom32 \
-	| v850 | v850e \
+	| v850 | v850e | v850e1 | v850e2 | v850es | v850e2v3 \
 	| we32k \
-	| x86 | xc16x | xscale | xscalee[bl] | xstormy16 | xtensa \
+	| x86 | xc16x | xstormy16 | xtensa \
 	| z8k | z80)
 		basic_machine=$basic_machine-unknown
 		;;
-	m6811 | m68hc11 | m6812 | m68hc12 | picochip)
-		# Motorola 68HC11/12.
+	c54x)
+		basic_machine=tic54x-unknown
+		;;
+	c55x)
+		basic_machine=tic55x-unknown
+		;;
+	c6x)
+		basic_machine=tic6x-unknown
+		;;
+	m6811 | m68hc11 | m6812 | m68hc12 | m68hcs12x | picochip)
 		basic_machine=$basic_machine-unknown
 		os=-none
 		;;
@@ -314,6 +332,21 @@ case $basic_machine in
 		basic_machine=mt-unknown
 		;;
 
+	strongarm | thumb | xscale)
+		basic_machine=arm-unknown
+		;;
+	xgate)
+		basic_machine=$basic_machine-unknown
+		os=-none
+		;;
+	xscaleeb)
+		basic_machine=armeb-unknown
+		;;
+
+	xscaleel)
+		basic_machine=armel-unknown
+		;;
+
 	# We use `pc' rather than `unknown'
 	# because (1) that's what they normally are, and
 	# (2) the word "unknown" tends to confuse beginning users.
@@ -328,21 +361,25 @@ case $basic_machine in
 	# Recognize the basic CPU types with company name.
 	580-* \
 	| a29k-* \
+	| aarch64-* | aarch64_be-* \
 	| alpha-* | alphaev[4-8]-* | alphaev56-* | alphaev6[78]-* \
 	| alpha64-* | alpha64ev[4-8]-* | alpha64ev56-* | alpha64ev6[78]-* \
 	| alphapca5[67]-* | alpha64pca5[67]-* | arc-* \
 	| arm-*  | armbe-* | armle-* | armeb-* | armv*-* \
 	| avr-* | avr32-* \
+	| be32-* | be64-* \
 	| bfin-* | bs2000-* \
-	| c[123]* | c30-* | [cjt]90-* | c4x-* | c54x-* | c55x-* | c6x-* \
+	| c[123]* | c30-* | [cjt]90-* | c4x-* \
 	| clipper-* | craynv-* | cydra-* \
 	| d10v-* | d30v-* | dlx-* \
 	| elxsi-* \
 	| f30[01]-* | f700-* | fido-* | fr30-* | frv-* | fx80-* \
 	| h8300-* | h8500-* \
 	| hppa-* | hppa1.[01]-* | hppa2.0-* | hppa2.0[nw]-* | hppa64-* \
+	| hexagon-* \
 	| i*86-* | i860-* | i960-* | ia64-* \
 	| ip2k-* | iq2000-* \
+	| le32-* | le64-* \
 	| lm32-* \
 	| m32c-* | m32r-* | m32rle-* \
 	| m68000-* | m680[012346]0-* | m68360-* | m683?2-* | m68k-* \
@@ -368,26 +405,29 @@ case $basic_machine in
 	| mmix-* \
 	| mt-* \
 	| msp430-* \
+	| nds32-* | nds32le-* | nds32be-* \
 	| nios-* | nios2-* \
 	| none-* | np1-* | ns16k-* | ns32k-* \
+	| open8-* \
 	| orion-* \
 	| pdp10-* | pdp11-* | pj-* | pjl-* | pn-* | power-* \
-	| powerpc-* | powerpc64-* | powerpc64le-* | powerpcle-* | ppcbe-* \
+	| powerpc-* | powerpc64-* | powerpc64le-* | powerpcle-* \
 	| pyramid-* \
-	| romp-* | rs6000-* | rx-* \
+	| rl78-* | romp-* | rs6000-* | rx-* \
 	| sh-* | sh[1234]-* | sh[24]a-* | sh[24]aeb-* | sh[23]e-* | sh[34]eb-* | sheb-* | shbe-* \
 	| shle-* | sh[1234]le-* | sh3ele-* | sh64-* | sh64le-* \
 	| sparc-* | sparc64-* | sparc64b-* | sparc64v-* | sparc86x-* | sparclet-* \
 	| sparclite-* \
-	| sparcv8-* | sparcv9-* | sparcv9b-* | sparcv9v-* | strongarm-* | sv1-* | sx?-* \
-	| tahoe-* | thumb-* \
+	| sparcv8-* | sparcv9-* | sparcv9b-* | sparcv9v-* | sv1-* | sx?-* \
+	| tahoe-* \
 	| tic30-* | tic4x-* | tic54x-* | tic55x-* | tic6x-* | tic80-* \
-	| tile-* | tilegx-* \
+	| tile*-* \
 	| tron-* \
 	| ubicom32-* \
-	| v850-* | v850e-* | vax-* \
+	| v850-* | v850e-* | v850e1-* | v850es-* | v850e2-* | v850e2v3-* \
+	| vax-* \
 	| we32k-* \
-	| x86-* | x86_64-* | xc16x-* | xps100-* | xscale-* | xscalee[bl]-* \
+	| x86-* | x86_64-* | xc16x-* | xps100-* \
 	| xstormy16-* | xtensa*-* \
 	| ymp-* \
 	| z8k-* | z80-*)
@@ -412,7 +452,7 @@ case $basic_machine in
 		basic_machine=a29k-amd
 		os=-udi
 		;;
-    	abacus)
+	abacus)
 		basic_machine=abacus-unknown
 		;;
 	adobe68k)
@@ -482,11 +522,20 @@ case $basic_machine in
 		basic_machine=powerpc-ibm
 		os=-cnk
 		;;
+	c54x-*)
+		basic_machine=tic54x-`echo $basic_machine | sed 's/^[^-]*-//'`
+		;;
+	c55x-*)
+		basic_machine=tic55x-`echo $basic_machine | sed 's/^[^-]*-//'`
+		;;
+	c6x-*)
+		basic_machine=tic6x-`echo $basic_machine | sed 's/^[^-]*-//'`
+		;;
 	c90)
 		basic_machine=c90-cray
 		os=-unicos
 		;;
-        cegcc)
+	cegcc)
 		basic_machine=arm-unknown
 		os=-cegcc
 		;;
@@ -518,7 +567,7 @@ case $basic_machine in
 		basic_machine=craynv-cray
 		os=-unicosmp
 		;;
-	cr16)
+	cr16 | cr16-*)
 		basic_machine=cr16-unknown
 		os=-elf
 		;;
@@ -676,7 +725,6 @@ case $basic_machine in
 	i370-ibm* | ibm*)
 		basic_machine=i370-ibm
 		;;
-# I'm not sure what "Sysv32" means.  Should this be sysv3.2?
 	i*86v32)
 		basic_machine=`echo $1 | sed -e 's/86.*/86-pc/'`
 		os=-sysv32
@@ -734,7 +782,7 @@ case $basic_machine in
 		basic_machine=ns32k-utek
 		os=-sysv
 		;;
-        microblaze)
+	microblaze)
 		basic_machine=microblaze-xilinx
 		;;
 	mingw32)
@@ -773,10 +821,18 @@ case $basic_machine in
 	ms1-*)
 		basic_machine=`echo $basic_machine | sed -e 's/ms1-/mt-/'`
 		;;
+	msys)
+		basic_machine=i386-pc
+		os=-msys
+		;;
 	mvs)
 		basic_machine=i370-ibm
 		os=-mvs
 		;;
+	nacl)
+		basic_machine=le32-unknown
+		os=-nacl
+		;;
 	ncr3000)
 		basic_machine=i486-ncr
 		os=-sysv4
@@ -841,6 +897,12 @@ case $basic_machine in
 	np1)
 		basic_machine=np1-gould
 		;;
+	neo-tandem)
+		basic_machine=neo-tandem
+		;;
+	nse-tandem)
+		basic_machine=nse-tandem
+		;;
 	nsr-tandem)
 		basic_machine=nsr-tandem
 		;;
@@ -923,9 +985,10 @@ case $basic_machine in
 		;;
 	power)	basic_machine=power-ibm
 		;;
-	ppc)	basic_machine=powerpc-unknown
+	ppc | ppcbe)	basic_machine=powerpc-unknown
 		;;
-	ppc-*)	basic_machine=powerpc-`echo $basic_machine | sed 's/^[^-]*-//'`
+	ppc-* | ppcbe-*)
+		basic_machine=powerpc-`echo $basic_machine | sed 's/^[^-]*-//'`
 		;;
 	ppcle | powerpclittle | ppc-le | powerpc-little)
 		basic_machine=powerpcle-unknown
@@ -1019,6 +1082,9 @@ case $basic_machine in
 		basic_machine=i860-stratus
 		os=-sysv4
 		;;
+	strongarm-* | thumb-*)
+		basic_machine=arm-`echo $basic_machine | sed 's/^[^-]*-//'`
+		;;
 	sun2)
 		basic_machine=m68000-sun
 		;;
@@ -1075,25 +1141,8 @@ case $basic_machine in
 		basic_machine=t90-cray
 		os=-unicos
 		;;
-	tic54x | c54x*)
-		basic_machine=tic54x-unknown
-		os=-coff
-		;;
-	tic55x | c55x*)
-		basic_machine=tic55x-unknown
-		os=-coff
-		;;
-	tic6x | c6x*)
-		basic_machine=tic6x-unknown
-		os=-coff
-		;;
-        # This must be matched before tile*.
-        tilegx*)
-		basic_machine=tilegx-unknown
-		os=-linux-gnu
-		;;
 	tile*)
-		basic_machine=tile-unknown
+		basic_machine=$basic_machine-unknown
 		os=-linux-gnu
 		;;
 	tx39)
@@ -1163,6 +1212,9 @@ case $basic_machine in
 	xps | xps100)
 		basic_machine=xps100-honeywell
 		;;
+	xscale-* | xscalee[bl]-*)
+		basic_machine=`echo $basic_machine | sed 's/^xscale/arm/'`
+		;;
 	ymp)
 		basic_machine=ymp-cray
 		os=-unicos
@@ -1260,11 +1312,11 @@ esac
 if [ x"$os" != x"" ]
 then
 case $os in
-        # First match some system type aliases
-        # that might get confused with valid system types.
+	# First match some system type aliases
+	# that might get confused with valid system types.
 	# -solaris* is a basic system type, with this one exception.
-        -auroraux)
-	        os=-auroraux
+	-auroraux)
+		os=-auroraux
 		;;
 	-solaris1 | -solaris1.*)
 		os=`echo $os | sed -e 's|solaris1|sunos4|'`
@@ -1300,8 +1352,9 @@ case $os in
 	      | -ptx* | -coff* | -ecoff* | -winnt* | -domain* | -vsta* \
 	      | -udi* | -eabi* | -lites* | -ieee* | -go32* | -aux* \
 	      | -chorusos* | -chorusrdb* | -cegcc* \
-	      | -cygwin* | -pe* | -psos* | -moss* | -proelf* | -rtems* \
-	      | -mingw32* | -linux-gnu* | -linux-newlib* | -linux-uclibc* \
+	      | -cygwin* | -msys* | -pe* | -psos* | -moss* | -proelf* | -rtems* \
+	      | -mingw32* | -linux-gnu* | -linux-android* \
+	      | -linux-newlib* | -linux-uclibc* \
 	      | -uxpv* | -beos* | -mpeix* | -udk* \
 	      | -interix* | -uwin* | -mks* | -rhapsody* | -darwin* | -opened* \
 	      | -openstep* | -oskit* | -conix* | -pw32* | -nonstopux* \
@@ -1348,7 +1401,7 @@ case $os in
 	-opened*)
 		os=-openedition
 		;;
-        -os400*)
+	-os400*)
 		os=-os400
 		;;
 	-wince*)
@@ -1397,7 +1450,7 @@ case $os in
 	-sinix*)
 		os=-sysv4
 		;;
-        -tpf*)
+	-tpf*)
 		os=-tpf
 		;;
 	-triton*)
@@ -1442,8 +1495,8 @@ case $os in
 	-dicos*)
 		os=-dicos
 		;;
-        -nacl*)
-	        ;;
+	-nacl*)
+		;;
 	-none)
 		;;
 	*)
@@ -1466,10 +1519,10 @@ else
 # system, and we'll never get to this point.
 
 case $basic_machine in
-        score-*)
+	score-*)
 		os=-elf
 		;;
-        spu-*)
+	spu-*)
 		os=-elf
 		;;
 	*-acorn)
@@ -1481,8 +1534,17 @@ case $basic_machine in
 	arm*-semi)
 		os=-aout
 		;;
-        c4x-* | tic4x-*)
-        	os=-coff
+	c4x-* | tic4x-*)
+		os=-coff
+		;;
+	tic54x-*)
+		os=-coff
+		;;
+	tic55x-*)
+		os=-coff
+		;;
+	tic6x-*)
+		os=-coff
 		;;
 	# This must come before the *-dec entry.
 	pdp10-*)
@@ -1502,14 +1564,11 @@ case $basic_machine in
 		;;
 	m68000-sun)
 		os=-sunos3
-		# This also exists in the configure program, but was not the
-		# default.
-		# os=-sunos4
 		;;
 	m68*-cisco)
 		os=-aout
 		;;
-        mep-*)
+	mep-*)
 		os=-elf
 		;;
 	mips*-cisco)
@@ -1536,7 +1595,7 @@ case $basic_machine in
 	*-ibm)
 		os=-aix
 		;;
-    	*-knuth)
+	*-knuth)
 		os=-mmixware
 		;;
 	*-wec)
diff --git a/configure b/configure
index 73023d5e0..7424477b3 100755
--- a/configure
+++ b/configure
@@ -1,6 +1,6 @@
 #! /bin/sh
 # Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.67 for strongSwan 5.0.1.
+# Generated by GNU Autoconf 2.68 for strongSwan 5.0.2.
 #
 #
 # Copyright (C) 1992, 1993, 1994, 1995, 1996, 1998, 1999, 2000, 2001,
@@ -89,6 +89,7 @@ fi
 IFS=" ""	$as_nl"
 
 # Find who we are.  Look in the path if we contain no directory separator.
+as_myself=
 case $0 in #((
   *[\\/]* ) as_myself=$0 ;;
   *) as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
@@ -171,7 +172,15 @@ test x\$exitcode = x0 || exit 1"
   as_lineno_2=";as_suggested=$as_suggested$LINENO;as_suggested=$as_suggested" as_lineno_2a=\$LINENO
   eval 'test \"x\$as_lineno_1'\$as_run'\" != \"x\$as_lineno_2'\$as_run'\" &&
   test \"x\`expr \$as_lineno_1'\$as_run' + 1\`\" = \"x\$as_lineno_2'\$as_run'\"' || exit 1
-test \$(( 1 + 1 )) = 2 || exit 1"
+test \$(( 1 + 1 )) = 2 || exit 1
+
+  test -n \"\${ZSH_VERSION+set}\${BASH_VERSION+set}\" || (
+    ECHO='\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\'
+    ECHO=\$ECHO\$ECHO\$ECHO\$ECHO\$ECHO
+    ECHO=\$ECHO\$ECHO\$ECHO\$ECHO\$ECHO\$ECHO
+    PATH=/empty FPATH=/empty; export PATH FPATH
+    test \"X\`printf %s \$ECHO\`\" = \"X\$ECHO\" \\
+      || test \"X\`print -r -- \$ECHO\`\" = \"X\$ECHO\" ) || exit 1"
   if (eval "$as_required") 2>/dev/null; then :
   as_have_required=yes
 else
@@ -214,11 +223,18 @@ IFS=$as_save_IFS
   # We cannot yet assume a decent shell, so we have to provide a
 	# neutralization value for shells without unset; and this also
 	# works around shells that cannot unset nonexistent variables.
+	# Preserve -v and -x to the replacement shell.
 	BASH_ENV=/dev/null
 	ENV=/dev/null
 	(unset BASH_ENV) >/dev/null 2>&1 && unset BASH_ENV ENV
 	export CONFIG_SHELL
-	exec "$CONFIG_SHELL" "$as_myself" ${1+"$@"}
+	case $- in # ((((
+	  *v*x* | *x*v* ) as_opts=-vx ;;
+	  *v* ) as_opts=-v ;;
+	  *x* ) as_opts=-x ;;
+	  * ) as_opts= ;;
+	esac
+	exec "$CONFIG_SHELL" $as_opts "$as_myself" ${1+"$@"}
 fi
 
     if test x$as_have_required = xno; then :
@@ -525,155 +541,8 @@ as_tr_cpp="eval sed 'y%*$as_cr_letters%P$as_cr_LETTERS%;s%[^_$as_cr_alnum]%_%g'"
 # Sed expression to map a string onto a valid variable name.
 as_tr_sh="eval sed 'y%*+%pp%;s%[^_$as_cr_alnum]%_%g'"
 
-
-
-# Check that we are running under the correct shell.
 SHELL=${CONFIG_SHELL-/bin/sh}
 
-case X$lt_ECHO in
-X*--fallback-echo)
-  # Remove one level of quotation (which was required for Make).
-  ECHO=`echo "$lt_ECHO" | sed 's,\\\\\$\\$0,'$0','`
-  ;;
-esac
-
-ECHO=${lt_ECHO-echo}
-if test "X$1" = X--no-reexec; then
-  # Discard the --no-reexec flag, and continue.
-  shift
-elif test "X$1" = X--fallback-echo; then
-  # Avoid inline document here, it may be left over
-  :
-elif test "X`{ $ECHO '\t'; } 2>/dev/null`" = 'X\t' ; then
-  # Yippee, $ECHO works!
-  :
-else
-  # Restart under the correct shell.
-  exec $SHELL "$0" --no-reexec ${1+"$@"}
-fi
-
-if test "X$1" = X--fallback-echo; then
-  # used as fallback echo
-  shift
-  cat <<_LT_EOF
-$*
-_LT_EOF
-  exit 0
-fi
-
-# The HP-UX ksh and POSIX shell print the target directory to stdout
-# if CDPATH is set.
-(unset CDPATH) >/dev/null 2>&1 && unset CDPATH
-
-if test -z "$lt_ECHO"; then
-  if test "X${echo_test_string+set}" != Xset; then
-    # find a string as large as possible, as long as the shell can cope with it
-    for cmd in 'sed 50q "$0"' 'sed 20q "$0"' 'sed 10q "$0"' 'sed 2q "$0"' 'echo test'; do
-      # expected sizes: less than 2Kb, 1Kb, 512 bytes, 16 bytes, ...
-      if { echo_test_string=`eval $cmd`; } 2>/dev/null &&
-	 { test "X$echo_test_string" = "X$echo_test_string"; } 2>/dev/null
-      then
-        break
-      fi
-    done
-  fi
-
-  if test "X`{ $ECHO '\t'; } 2>/dev/null`" = 'X\t' &&
-     echo_testing_string=`{ $ECHO "$echo_test_string"; } 2>/dev/null` &&
-     test "X$echo_testing_string" = "X$echo_test_string"; then
-    :
-  else
-    # The Solaris, AIX, and Digital Unix default echo programs unquote
-    # backslashes.  This makes it impossible to quote backslashes using
-    #   echo "$something" | sed 's/\\/\\\\/g'
-    #
-    # So, first we look for a working echo in the user's PATH.
-
-    lt_save_ifs="$IFS"; IFS=$PATH_SEPARATOR
-    for dir in $PATH /usr/ucb; do
-      IFS="$lt_save_ifs"
-      if (test -f $dir/echo || test -f $dir/echo$ac_exeext) &&
-         test "X`($dir/echo '\t') 2>/dev/null`" = 'X\t' &&
-         echo_testing_string=`($dir/echo "$echo_test_string") 2>/dev/null` &&
-         test "X$echo_testing_string" = "X$echo_test_string"; then
-        ECHO="$dir/echo"
-        break
-      fi
-    done
-    IFS="$lt_save_ifs"
-
-    if test "X$ECHO" = Xecho; then
-      # We didn't find a better echo, so look for alternatives.
-      if test "X`{ print -r '\t'; } 2>/dev/null`" = 'X\t' &&
-         echo_testing_string=`{ print -r "$echo_test_string"; } 2>/dev/null` &&
-         test "X$echo_testing_string" = "X$echo_test_string"; then
-        # This shell has a builtin print -r that does the trick.
-        ECHO='print -r'
-      elif { test -f /bin/ksh || test -f /bin/ksh$ac_exeext; } &&
-	   test "X$CONFIG_SHELL" != X/bin/ksh; then
-        # If we have ksh, try running configure again with it.
-        ORIGINAL_CONFIG_SHELL=${CONFIG_SHELL-/bin/sh}
-        export ORIGINAL_CONFIG_SHELL
-        CONFIG_SHELL=/bin/ksh
-        export CONFIG_SHELL
-        exec $CONFIG_SHELL "$0" --no-reexec ${1+"$@"}
-      else
-        # Try using printf.
-        ECHO='printf %s\n'
-        if test "X`{ $ECHO '\t'; } 2>/dev/null`" = 'X\t' &&
-	   echo_testing_string=`{ $ECHO "$echo_test_string"; } 2>/dev/null` &&
-	   test "X$echo_testing_string" = "X$echo_test_string"; then
-	  # Cool, printf works
-	  :
-        elif echo_testing_string=`($ORIGINAL_CONFIG_SHELL "$0" --fallback-echo '\t') 2>/dev/null` &&
-	     test "X$echo_testing_string" = 'X\t' &&
-	     echo_testing_string=`($ORIGINAL_CONFIG_SHELL "$0" --fallback-echo "$echo_test_string") 2>/dev/null` &&
-	     test "X$echo_testing_string" = "X$echo_test_string"; then
-	  CONFIG_SHELL=$ORIGINAL_CONFIG_SHELL
-	  export CONFIG_SHELL
-	  SHELL="$CONFIG_SHELL"
-	  export SHELL
-	  ECHO="$CONFIG_SHELL $0 --fallback-echo"
-        elif echo_testing_string=`($CONFIG_SHELL "$0" --fallback-echo '\t') 2>/dev/null` &&
-	     test "X$echo_testing_string" = 'X\t' &&
-	     echo_testing_string=`($CONFIG_SHELL "$0" --fallback-echo "$echo_test_string") 2>/dev/null` &&
-	     test "X$echo_testing_string" = "X$echo_test_string"; then
-	  ECHO="$CONFIG_SHELL $0 --fallback-echo"
-        else
-	  # maybe with a smaller string...
-	  prev=:
-
-	  for cmd in 'echo test' 'sed 2q "$0"' 'sed 10q "$0"' 'sed 20q "$0"' 'sed 50q "$0"'; do
-	    if { test "X$echo_test_string" = "X`eval $cmd`"; } 2>/dev/null
-	    then
-	      break
-	    fi
-	    prev="$cmd"
-	  done
-
-	  if test "$prev" != 'sed 50q "$0"'; then
-	    echo_test_string=`eval $prev`
-	    export echo_test_string
-	    exec ${ORIGINAL_CONFIG_SHELL-${CONFIG_SHELL-/bin/sh}} "$0" ${1+"$@"}
-	  else
-	    # Oops.  We lost completely, so just stick with echo.
-	    ECHO=echo
-	  fi
-        fi
-      fi
-    fi
-  fi
-fi
-
-# Copy echo and quote the copy suitably for passing to libtool from
-# the Makefile, instead of quoting the original, which is used later.
-lt_ECHO=$ECHO
-if test "X$lt_ECHO" = "X$CONFIG_SHELL $0 --fallback-echo"; then
-   lt_ECHO="$CONFIG_SHELL \\\$\$0 --fallback-echo"
-fi
-
-
-
 
 test -n "$DJDIR" || exec 7<&0 </dev/null
 exec 6>&1
@@ -698,8 +567,8 @@ MAKEFLAGS=
 # Identity of this package.
 PACKAGE_NAME='strongSwan'
 PACKAGE_TARNAME='strongswan'
-PACKAGE_VERSION='5.0.1'
-PACKAGE_STRING='strongSwan 5.0.1'
+PACKAGE_VERSION='5.0.2'
+PACKAGE_STRING='strongSwan 5.0.2'
 PACKAGE_BUGREPORT=''
 PACKAGE_URL=''
 
@@ -745,6 +614,8 @@ LTLIBOBJS
 LIBOBJS
 MONOLITHIC_FALSE
 MONOLITHIC_TRUE
+USE_TROUSERS_FALSE
+USE_TROUSERS_TRUE
 USE_PTS_FALSE
 USE_PTS_TRUE
 USE_IMCV_FALSE
@@ -837,6 +708,10 @@ USE_IMV_ATTESTATION_FALSE
 USE_IMV_ATTESTATION_TRUE
 USE_IMC_ATTESTATION_FALSE
 USE_IMC_ATTESTATION_TRUE
+USE_IMV_OS_FALSE
+USE_IMV_OS_TRUE
+USE_IMC_OS_FALSE
+USE_IMC_OS_TRUE
 USE_IMV_SCANNER_FALSE
 USE_IMV_SCANNER_TRUE
 USE_IMC_SCANNER_FALSE
@@ -913,6 +788,10 @@ USE_LED_FALSE
 USE_LED_TRUE
 USE_CERTEXPIRE_FALSE
 USE_CERTEXPIRE_TRUE
+USE_ERROR_NOTIFY_FALSE
+USE_ERROR_NOTIFY_TRUE
+USE_LOOKIP_FALSE
+USE_LOOKIP_TRUE
 USE_WHITELIST_FALSE
 USE_WHITELIST_TRUE
 USE_HA_FALSE
@@ -979,6 +858,8 @@ USE_PGP_FALSE
 USE_PGP_TRUE
 USE_PKCS8_FALSE
 USE_PKCS8_TRUE
+USE_PKCS7_FALSE
+USE_PKCS7_TRUE
 USE_PKCS1_FALSE
 USE_PKCS1_TRUE
 USE_PUBKEY_FALSE
@@ -993,6 +874,8 @@ USE_NONCE_FALSE
 USE_NONCE_TRUE
 USE_RANDOM_FALSE
 USE_RANDOM_TRUE
+USE_RDRAND_FALSE
+USE_RDRAND_TRUE
 USE_GMP_FALSE
 USE_GMP_TRUE
 USE_FIPS_PRF_FALSE
@@ -1049,6 +932,7 @@ MYSQLCFLAG
 MYSQLLIB
 MYSQLCONFIG
 clearsilver_LIBS
+RUBYLIB
 RUBYINCLUDE
 RUBY
 gtk_LIBS
@@ -1077,9 +961,11 @@ OTOOL
 LIPO
 NMEDIT
 DSYMUTIL
-lt_ECHO
+MANIFEST_TOOL
 RANLIB
+ac_ct_AR
 AR
+DLLTOOL
 OBJDUMP
 LN_S
 NM
@@ -1103,6 +989,7 @@ build
 am__fastdepCC_FALSE
 am__fastdepCC_TRUE
 CCDEPMODE
+am__nodep
 AMDEPBACKSLASH
 AMDEP_FALSE
 AMDEP_TRUE
@@ -1219,6 +1106,7 @@ with_linux_headers
 with_routing_table
 with_routing_table_prio
 with_ipsec_script
+with_tss
 with_capabilities
 with_mpz_powm_sec
 with_dev_headers
@@ -1239,6 +1127,7 @@ enable_sha1
 enable_sha2
 enable_fips_prf
 enable_gmp
+enable_rdrand
 enable_random
 enable_nonce
 enable_x509
@@ -1246,6 +1135,7 @@ enable_revocation
 enable_constraints
 enable_pubkey
 enable_pkcs1
+enable_pkcs7
 enable_pkcs8
 enable_pgp
 enable_dnskey
@@ -1298,6 +1188,8 @@ enable_imc_test
 enable_imv_test
 enable_imc_scanner
 enable_imv_scanner
+enable_imc_os
+enable_imv_os
 enable_imc_attestation
 enable_imv_attestation
 enable_kernel_netlink
@@ -1342,6 +1234,8 @@ enable_maemo
 enable_nm
 enable_ha
 enable_whitelist
+enable_lookip
+enable_error_notify
 enable_certexpire
 enable_led
 enable_duplicheck
@@ -1357,6 +1251,7 @@ enable_static
 with_pic
 enable_fast_install
 with_gnu_ld
+with_sysroot
 enable_libtool_lock
 '
       ac_precious_vars='build_alias
@@ -1791,7 +1686,7 @@ Try \`$0 --help' for more information"
     $as_echo "$as_me: WARNING: you should use --build, --host, --target" >&2
     expr "x$ac_option" : ".*[^-._$as_cr_alnum]" >/dev/null &&
       $as_echo "$as_me: WARNING: invalid host type: $ac_option" >&2
-    : ${build_alias=$ac_option} ${host_alias=$ac_option} ${target_alias=$ac_option}
+    : "${build_alias=$ac_option} ${host_alias=$ac_option} ${target_alias=$ac_option}"
     ;;
 
   esac
@@ -1929,7 +1824,7 @@ if test "$ac_init_help" = "long"; then
   # Omit some internal or obsolete options to make the list less imposing.
   # This message is too long to be a string in the A/UX 3.1 sh.
   cat <<_ACEOF
-\`configure' configures strongSwan 5.0.1 to adapt to many kinds of systems.
+\`configure' configures strongSwan 5.0.2 to adapt to many kinds of systems.
 
 Usage: $0 [OPTION]... [VAR=VALUE]...
 
@@ -1999,7 +1894,7 @@ fi
 
 if test -n "$ac_init_help"; then
   case $ac_init_help in
-     short | recursive ) echo "Configuration of strongSwan 5.0.1:";;
+     short | recursive ) echo "Configuration of strongSwan 5.0.2:";;
    esac
   cat <<\_ACEOF
 
@@ -2024,6 +1919,7 @@ Optional Features:
   --disable-fips-prf      disable FIPS PRF software implementation plugin.
   --disable-gmp           disable GNU MP (libgmp) based crypto implementation
                           plugin.
+  --enable-rdrand         enable Intel RDRAND random generator plugin.
   --disable-random        disable RNG implementation on top of /dev/(u)random.
   --disable-nonce         disable nonce generation plugin.
   --disable-x509          disable X509 certificate implementation plugin.
@@ -2031,6 +1927,7 @@ Optional Features:
   --disable-constraints   disable advanced X509 constraint checking plugin.
   --disable-pubkey        disable RAW public key support plugin.
   --disable-pkcs1         disable PKCS1 key decoding plugin.
+  --disable-pkcs7         disable PKCS7 container support plugin.
   --disable-pkcs8         disable PKCS8 private key decoding plugin.
   --disable-pgp           disable PGP key decoding plugin.
   --disable-dnskey        disable DNS RR key decoding plugin.
@@ -2094,6 +1991,8 @@ Optional Features:
   --enable-imv-test       enable IMV test module.
   --enable-imc-scanner    enable IMC port scanner module.
   --enable-imv-scanner    enable IMV port scanner module.
+  --enable-imc-os         enable IMC operating system module.
+  --enable-imv-os         enable IMV operating system module.
   --enable-imc-attestation
                           enable IMC attestation module.
   --enable-imv-attestation
@@ -2149,6 +2048,9 @@ Optional Features:
   --enable-nm             enable NetworkManager backend.
   --enable-ha             enable high availability cluster plugin.
   --enable-whitelist      enable peer identity whitelisting plugin.
+  --enable-lookip         enable fast virtual IP lookup and notification
+                          plugin.
+  --enable-error-notify   enable error notification plugin.
   --enable-certexpire     enable CSV export of expiration dates of used
                           certificates.
   --enable-led            enable plugin to control LEDs on IKEv2 activity
@@ -2211,6 +2113,9 @@ Optional Packages:
                           set priority for IPsec routing table (default: 220).
   --with-ipsec-script=arg change the name of the ipsec script (default:
                           ipsec).
+  --with-tss=arg          set implementation of the Trusted Computing Group's
+                          Software Stack (TSS). Currently the only supported
+                          value is "trousers" (default: no).
   --with-capabilities=arg set capability dropping library. Currently supported
                           values are "libcap" and "native" (default: no).
   --with-mpz_powm_sec=arg use the more side-channel resistant mpz_powm_sec in
@@ -2233,9 +2138,11 @@ Optional Packages:
                           default 4500). Set to 0 to allocate randomly.
   --with-lib-prefix[=DIR] search for libraries in DIR/include and DIR/lib
   --without-lib-prefix    don't search for libraries in includedir and libdir
-  --with-pic              try to use only PIC/non-PIC objects [default=use
+  --with-pic[=PKGS]       try to use only PIC/non-PIC objects [default=use
                           both]
   --with-gnu-ld           assume the C compiler uses GNU ld [default=no]
+  --with-sysroot=DIR Search for dependent libraries within DIR
+                        (or the compiler's sysroot if not specified).
 
 Some influential environment variables:
   PKG_CONFIG  path to pkg-config utility
@@ -2251,8 +2158,9 @@ Some influential environment variables:
   CPPFLAGS    (Objective) C/C++ preprocessor flags, e.g. -I<include dir> if
               you have headers in a nonstandard directory <include dir>
   CPP         C preprocessor
-  YACC        The `Yet Another C Compiler' implementation to use. Defaults to
-              the first program found out of: `bison -y', `byacc', `yacc'.
+  YACC        The `Yet Another Compiler Compiler' implementation to use.
+              Defaults to the first program found out of: `bison -y', `byacc',
+              `yacc'.
   YFLAGS      The list of arguments that will be passed by default to $YACC.
               This script will default YFLAGS to the empty string to avoid a
               default value of `-d' given by some make applications.
@@ -2341,8 +2249,8 @@ fi
 test -n "$ac_init_help" && exit $ac_status
 if $ac_init_version; then
   cat <<\_ACEOF
-strongSwan configure 5.0.1
-generated by GNU Autoconf 2.67
+strongSwan configure 5.0.2
+generated by GNU Autoconf 2.68
 
 Copyright (C) 2010 Free Software Foundation, Inc.
 This configure script is free software; the Free Software Foundation
@@ -2388,7 +2296,7 @@ sed 's/^/| /' conftest.$ac_ext >&5
 
 	ac_retval=1
 fi
-  eval $as_lineno_stack; test "x$as_lineno_stack" = x && { as_lineno=; unset as_lineno;}
+  eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno
   as_fn_set_status $ac_retval
 
 } # ac_fn_c_try_compile
@@ -2425,7 +2333,7 @@ sed 's/^/| /' conftest.$ac_ext >&5
 
     ac_retval=1
 fi
-  eval $as_lineno_stack; test "x$as_lineno_stack" = x && { as_lineno=; unset as_lineno;}
+  eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno
   as_fn_set_status $ac_retval
 
 } # ac_fn_c_try_cpp
@@ -2467,7 +2375,7 @@ sed 's/^/| /' conftest.$ac_ext >&5
        ac_retval=$ac_status
 fi
   rm -rf conftest.dSYM conftest_ipa8_conftest.oo
-  eval $as_lineno_stack; test "x$as_lineno_stack" = x && { as_lineno=; unset as_lineno;}
+  eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno
   as_fn_set_status $ac_retval
 
 } # ac_fn_c_try_run
@@ -2481,7 +2389,7 @@ ac_fn_c_check_header_compile ()
   as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack
   { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $2" >&5
 $as_echo_n "checking for $2... " >&6; }
-if eval "test \"\${$3+set}\"" = set; then :
+if eval \${$3+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   cat confdefs.h - <<_ACEOF >conftest.$ac_ext
@@ -2499,7 +2407,7 @@ fi
 eval ac_res=\$$3
 	       { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5
 $as_echo "$ac_res" >&6; }
-  eval $as_lineno_stack; test "x$as_lineno_stack" = x && { as_lineno=; unset as_lineno;}
+  eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno
 
 } # ac_fn_c_check_header_compile
 
@@ -2544,7 +2452,7 @@ fi
   # interfere with the next link command; also delete a directory that is
   # left behind by Apple's compiler.  We do this before executing the actions.
   rm -rf conftest.dSYM conftest_ipa8_conftest.oo
-  eval $as_lineno_stack; test "x$as_lineno_stack" = x && { as_lineno=; unset as_lineno;}
+  eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno
   as_fn_set_status $ac_retval
 
 } # ac_fn_c_try_link
@@ -2557,7 +2465,7 @@ ac_fn_c_check_func ()
   as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack
   { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $2" >&5
 $as_echo_n "checking for $2... " >&6; }
-if eval "test \"\${$3+set}\"" = set; then :
+if eval \${$3+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   cat confdefs.h - <<_ACEOF >conftest.$ac_ext
@@ -2612,7 +2520,7 @@ fi
 eval ac_res=\$$3
 	       { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5
 $as_echo "$ac_res" >&6; }
-  eval $as_lineno_stack; test "x$as_lineno_stack" = x && { as_lineno=; unset as_lineno;}
+  eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno
 
 } # ac_fn_c_check_func
 
@@ -2625,7 +2533,7 @@ ac_fn_c_check_type ()
   as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack
   { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $2" >&5
 $as_echo_n "checking for $2... " >&6; }
-if eval "test \"\${$3+set}\"" = set; then :
+if eval \${$3+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   eval "$3=no"
@@ -2666,7 +2574,7 @@ fi
 eval ac_res=\$$3
 	       { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5
 $as_echo "$ac_res" >&6; }
-  eval $as_lineno_stack; test "x$as_lineno_stack" = x && { as_lineno=; unset as_lineno;}
+  eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno
 
 } # ac_fn_c_check_type
 
@@ -2681,7 +2589,7 @@ ac_fn_c_check_decl ()
   as_decl_use=`echo $2|sed -e 's/(/((/' -e 's/)/) 0&/' -e 's/,/) 0& (/g'`
   { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether $as_decl_name is declared" >&5
 $as_echo_n "checking whether $as_decl_name is declared... " >&6; }
-if eval "test \"\${$3+set}\"" = set; then :
+if eval \${$3+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   cat confdefs.h - <<_ACEOF >conftest.$ac_ext
@@ -2712,7 +2620,7 @@ fi
 eval ac_res=\$$3
 	       { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5
 $as_echo "$ac_res" >&6; }
-  eval $as_lineno_stack; test "x$as_lineno_stack" = x && { as_lineno=; unset as_lineno;}
+  eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno
 
 } # ac_fn_c_check_decl
 
@@ -2724,10 +2632,10 @@ $as_echo "$ac_res" >&6; }
 ac_fn_c_check_header_mongrel ()
 {
   as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack
-  if eval "test \"\${$3+set}\"" = set; then :
+  if eval \${$3+:} false; then :
   { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $2" >&5
 $as_echo_n "checking for $2... " >&6; }
-if eval "test \"\${$3+set}\"" = set; then :
+if eval \${$3+:} false; then :
   $as_echo_n "(cached) " >&6
 fi
 eval ac_res=\$$3
@@ -2790,7 +2698,7 @@ $as_echo "$as_me: WARNING: $2: proceeding with the compiler's result" >&2;}
 esac
   { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $2" >&5
 $as_echo_n "checking for $2... " >&6; }
-if eval "test \"\${$3+set}\"" = set; then :
+if eval \${$3+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   eval "$3=\$ac_header_compiler"
@@ -2799,7 +2707,7 @@ eval ac_res=\$$3
 	       { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5
 $as_echo "$ac_res" >&6; }
 fi
-  eval $as_lineno_stack; test "x$as_lineno_stack" = x && { as_lineno=; unset as_lineno;}
+  eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno
 
 } # ac_fn_c_check_header_mongrel
 
@@ -2812,7 +2720,7 @@ ac_fn_c_check_member ()
   as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack
   { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $2.$3" >&5
 $as_echo_n "checking for $2.$3... " >&6; }
-if eval "test \"\${$4+set}\"" = set; then :
+if eval \${$4+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   cat confdefs.h - <<_ACEOF >conftest.$ac_ext
@@ -2856,15 +2764,15 @@ fi
 eval ac_res=\$$4
 	       { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5
 $as_echo "$ac_res" >&6; }
-  eval $as_lineno_stack; test "x$as_lineno_stack" = x && { as_lineno=; unset as_lineno;}
+  eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno
 
 } # ac_fn_c_check_member
 cat >config.log <<_ACEOF
 This file contains any messages produced by compilers while
 running configure, to aid debugging if configure makes a mistake.
 
-It was created by strongSwan $as_me 5.0.1, which was
-generated by GNU Autoconf 2.67.  Invocation command line was
+It was created by strongSwan $as_me 5.0.2, which was
+generated by GNU Autoconf 2.68.  Invocation command line was
 
   $ $0 $@
 
@@ -3122,7 +3030,7 @@ $as_echo "$as_me: loading site script $ac_site_file" >&6;}
       || { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
 $as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
 as_fn_error $? "failed to load site script $ac_site_file
-See \`config.log' for more details" "$LINENO" 5 ; }
+See \`config.log' for more details" "$LINENO" 5; }
   fi
 done
 
@@ -3259,7 +3167,7 @@ ac_configure="$SHELL $ac_aux_dir/configure"  # Please don't use this var.
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for a BSD-compatible install" >&5
 $as_echo_n "checking for a BSD-compatible install... " >&6; }
 if test -z "$INSTALL"; then
-if test "${ac_cv_path_install+set}" = set; then :
+if ${ac_cv_path_install+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
@@ -3346,11 +3254,11 @@ am_lf='
 '
 case `pwd` in
   *[\\\"\#\$\&\'\`$am_lf]*)
-    as_fn_error $? "unsafe absolute working directory name" "$LINENO" 5 ;;
+    as_fn_error $? "unsafe absolute working directory name" "$LINENO" 5;;
 esac
 case $srcdir in
   *[\\\"\#\$\&\'\`$am_lf\ \	]*)
-    as_fn_error $? "unsafe srcdir value: \`$srcdir'" "$LINENO" 5 ;;
+    as_fn_error $? "unsafe srcdir value: \`$srcdir'" "$LINENO" 5;;
 esac
 
 # Do `set' in a subshell so we don't clobber the current shell's
@@ -3436,7 +3344,7 @@ if test "$cross_compiling" != no; then
 set dummy ${ac_tool_prefix}strip; ac_word=$2
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
 $as_echo_n "checking for $ac_word... " >&6; }
-if test "${ac_cv_prog_STRIP+set}" = set; then :
+if ${ac_cv_prog_STRIP+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   if test -n "$STRIP"; then
@@ -3476,7 +3384,7 @@ if test -z "$ac_cv_prog_STRIP"; then
 set dummy strip; ac_word=$2
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
 $as_echo_n "checking for $ac_word... " >&6; }
-if test "${ac_cv_prog_ac_ct_STRIP+set}" = set; then :
+if ${ac_cv_prog_ac_ct_STRIP+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   if test -n "$ac_ct_STRIP"; then
@@ -3529,7 +3437,7 @@ INSTALL_STRIP_PROGRAM="\$(install_sh) -c -s"
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for a thread-safe mkdir -p" >&5
 $as_echo_n "checking for a thread-safe mkdir -p... " >&6; }
 if test -z "$MKDIR_P"; then
-  if test "${ac_cv_path_mkdir+set}" = set; then :
+  if ${ac_cv_path_mkdir+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
@@ -3580,7 +3488,7 @@ do
 set dummy $ac_prog; ac_word=$2
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
 $as_echo_n "checking for $ac_word... " >&6; }
-if test "${ac_cv_prog_AWK+set}" = set; then :
+if ${ac_cv_prog_AWK+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   if test -n "$AWK"; then
@@ -3620,7 +3528,7 @@ done
 $as_echo_n "checking whether ${MAKE-make} sets \$(MAKE)... " >&6; }
 set x ${MAKE-make}
 ac_make=`$as_echo "$2" | sed 's/+/p/g; s/[^a-zA-Z0-9_]/_/g'`
-if eval "test \"\${ac_cv_prog_make_${ac_make}_set+set}\"" = set; then :
+if eval \${ac_cv_prog_make_${ac_make}_set+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   cat >conftest.make <<\_ACEOF
@@ -3678,7 +3586,7 @@ fi
 
 # Define the identity of the package.
  PACKAGE='strongswan'
- VERSION='5.0.1'
+ VERSION='5.0.2'
 
 
 cat >>confdefs.h <<_ACEOF
@@ -3708,9 +3616,9 @@ MAKEINFO=${MAKEINFO-"${am_missing_run}makeinfo"}
 
 # We need awk for the "check" target.  The system "awk" is bad on
 # some platforms.
-# Always define AMTAR for backward compatibility.
-
-AMTAR=${AMTAR-"${am_missing_run}tar"}
+# Always define AMTAR for backward compatibility.  Yes, it's still used
+# in the wild :-(  We should find a proper way to deprecate it ...
+AMTAR='$${TAR-tar}'
 
 
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking how to create a ustar tar archive" >&5
@@ -3786,7 +3694,7 @@ do
 done
 rm -rf conftest.dir
 
-if test "${am_cv_prog_tar_ustar+set}" = set; then :
+if ${am_cv_prog_tar_ustar+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   am_cv_prog_tar_ustar=$_am_tool
@@ -3811,13 +3719,14 @@ $as_echo "#define CONFIG_H_INCLUDED /**/" >>confdefs.h
 
 
 
+
 if test "x$ac_cv_env_PKG_CONFIG_set" != "xset"; then
 	if test -n "$ac_tool_prefix"; then
   # Extract the first word of "${ac_tool_prefix}pkg-config", so it can be a program name with args.
 set dummy ${ac_tool_prefix}pkg-config; ac_word=$2
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
 $as_echo_n "checking for $ac_word... " >&6; }
-if test "${ac_cv_path_PKG_CONFIG+set}" = set; then :
+if ${ac_cv_path_PKG_CONFIG+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   case $PKG_CONFIG in
@@ -3860,7 +3769,7 @@ if test -z "$ac_cv_path_PKG_CONFIG"; then
 set dummy pkg-config; ac_word=$2
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
 $as_echo_n "checking for $ac_word... " >&6; }
-if test "${ac_cv_path_ac_pt_PKG_CONFIG+set}" = set; then :
+if ${ac_cv_path_ac_pt_PKG_CONFIG+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   case $ac_pt_PKG_CONFIG in
@@ -4108,6 +4017,16 @@ fi
 
 
 
+# Check whether --with-tss was given.
+if test "${with_tss+set}" = set; then :
+  withval=$with_tss; tss="$withval"
+else
+  tss=no
+
+fi
+
+
+
 # Check whether --with-capabilities was given.
 if test "${with_capabilities+set}" = set; then :
   withval=$with_capabilities; capabilities="$withval"
@@ -4434,6 +4353,21 @@ else
 fi
 
 
+# Check whether --enable-rdrand was given.
+if test "${enable_rdrand+set}" = set; then :
+  enableval=$enable_rdrand; rdrand_given=true
+		if test x$enableval = xyes; then
+			rdrand=true
+		 else
+			rdrand=false
+		fi
+else
+  rdrand=false
+		rdrand_given=false
+
+fi
+
+
 # Check whether --enable-random was given.
 if test "${enable_random+set}" = set; then :
   enableval=$enable_random; random_given=true
@@ -4539,6 +4473,21 @@ else
 fi
 
 
+# Check whether --enable-pkcs7 was given.
+if test "${enable_pkcs7+set}" = set; then :
+  enableval=$enable_pkcs7; pkcs7_given=true
+		if test x$enableval = xyes; then
+			pkcs7=true
+		 else
+			pkcs7=false
+		fi
+else
+  pkcs7=true
+		pkcs7_given=false
+
+fi
+
+
 # Check whether --enable-pkcs8 was given.
 if test "${enable_pkcs8+set}" = set; then :
   enableval=$enable_pkcs8; pkcs8_given=true
@@ -5319,6 +5268,36 @@ else
 fi
 
 
+# Check whether --enable-imc-os was given.
+if test "${enable_imc_os+set}" = set; then :
+  enableval=$enable_imc_os; imc_os_given=true
+		if test x$enableval = xyes; then
+			imc_os=true
+		 else
+			imc_os=false
+		fi
+else
+  imc_os=false
+		imc_os_given=false
+
+fi
+
+
+# Check whether --enable-imv-os was given.
+if test "${enable_imv_os+set}" = set; then :
+  enableval=$enable_imv_os; imv_os_given=true
+		if test x$enableval = xyes; then
+			imv_os=true
+		 else
+			imv_os=false
+		fi
+else
+  imv_os=false
+		imv_os_given=false
+
+fi
+
+
 # Check whether --enable-imc-attestation was given.
 if test "${enable_imc_attestation+set}" = set; then :
   enableval=$enable_imc_attestation; imc_attestation_given=true
@@ -5979,6 +5958,36 @@ else
 fi
 
 
+# Check whether --enable-lookip was given.
+if test "${enable_lookip+set}" = set; then :
+  enableval=$enable_lookip; lookip_given=true
+		if test x$enableval = xyes; then
+			lookip=true
+		 else
+			lookip=false
+		fi
+else
+  lookip=false
+		lookip_given=false
+
+fi
+
+
+# Check whether --enable-error-notify was given.
+if test "${enable_error_notify+set}" = set; then :
+  enableval=$enable_error_notify; error_notify_given=true
+		if test x$enableval = xyes; then
+			error_notify=true
+		 else
+			error_notify=false
+		fi
+else
+  error_notify=false
+		error_notify_given=false
+
+fi
+
+
 # Check whether --enable-certexpire was given.
 if test "${enable_certexpire+set}" = set; then :
   enableval=$enable_certexpire; certexpire_given=true
@@ -6114,7 +6123,7 @@ if test -n "$ac_tool_prefix"; then
 set dummy ${ac_tool_prefix}gcc; ac_word=$2
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
 $as_echo_n "checking for $ac_word... " >&6; }
-if test "${ac_cv_prog_CC+set}" = set; then :
+if ${ac_cv_prog_CC+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   if test -n "$CC"; then
@@ -6154,7 +6163,7 @@ if test -z "$ac_cv_prog_CC"; then
 set dummy gcc; ac_word=$2
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
 $as_echo_n "checking for $ac_word... " >&6; }
-if test "${ac_cv_prog_ac_ct_CC+set}" = set; then :
+if ${ac_cv_prog_ac_ct_CC+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   if test -n "$ac_ct_CC"; then
@@ -6207,7 +6216,7 @@ if test -z "$CC"; then
 set dummy ${ac_tool_prefix}cc; ac_word=$2
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
 $as_echo_n "checking for $ac_word... " >&6; }
-if test "${ac_cv_prog_CC+set}" = set; then :
+if ${ac_cv_prog_CC+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   if test -n "$CC"; then
@@ -6247,7 +6256,7 @@ if test -z "$CC"; then
 set dummy cc; ac_word=$2
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
 $as_echo_n "checking for $ac_word... " >&6; }
-if test "${ac_cv_prog_CC+set}" = set; then :
+if ${ac_cv_prog_CC+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   if test -n "$CC"; then
@@ -6306,7 +6315,7 @@ if test -z "$CC"; then
 set dummy $ac_tool_prefix$ac_prog; ac_word=$2
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
 $as_echo_n "checking for $ac_word... " >&6; }
-if test "${ac_cv_prog_CC+set}" = set; then :
+if ${ac_cv_prog_CC+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   if test -n "$CC"; then
@@ -6350,7 +6359,7 @@ do
 set dummy $ac_prog; ac_word=$2
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
 $as_echo_n "checking for $ac_word... " >&6; }
-if test "${ac_cv_prog_ac_ct_CC+set}" = set; then :
+if ${ac_cv_prog_ac_ct_CC+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   if test -n "$ac_ct_CC"; then
@@ -6405,7 +6414,7 @@ fi
 test -z "$CC" && { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
 $as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
 as_fn_error $? "no acceptable C compiler found in \$PATH
-See \`config.log' for more details" "$LINENO" 5 ; }
+See \`config.log' for more details" "$LINENO" 5; }
 
 # Provide some information about the compiler.
 $as_echo "$as_me:${as_lineno-$LINENO}: checking for C compiler version" >&5
@@ -6520,7 +6529,7 @@ sed 's/^/| /' conftest.$ac_ext >&5
 { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
 $as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
 as_fn_error 77 "C compiler cannot create executables
-See \`config.log' for more details" "$LINENO" 5 ; }
+See \`config.log' for more details" "$LINENO" 5; }
 else
   { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
 $as_echo "yes" >&6; }
@@ -6563,7 +6572,7 @@ else
   { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
 $as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
 as_fn_error $? "cannot compute suffix of executables: cannot compile and link
-See \`config.log' for more details" "$LINENO" 5 ; }
+See \`config.log' for more details" "$LINENO" 5; }
 fi
 rm -f conftest conftest$ac_cv_exeext
 { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_exeext" >&5
@@ -6622,7 +6631,7 @@ $as_echo "$ac_try_echo"; } >&5
 $as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
 as_fn_error $? "cannot run C compiled programs.
 If you meant to cross compile, use \`--host'.
-See \`config.log' for more details" "$LINENO" 5 ; }
+See \`config.log' for more details" "$LINENO" 5; }
     fi
   fi
 fi
@@ -6633,7 +6642,7 @@ rm -f conftest.$ac_ext conftest$ac_cv_exeext conftest.out
 ac_clean_files=$ac_clean_files_save
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for suffix of object files" >&5
 $as_echo_n "checking for suffix of object files... " >&6; }
-if test "${ac_cv_objext+set}" = set; then :
+if ${ac_cv_objext+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   cat confdefs.h - <<_ACEOF >conftest.$ac_ext
@@ -6674,7 +6683,7 @@ sed 's/^/| /' conftest.$ac_ext >&5
 { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
 $as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
 as_fn_error $? "cannot compute suffix of object files: cannot compile
-See \`config.log' for more details" "$LINENO" 5 ; }
+See \`config.log' for more details" "$LINENO" 5; }
 fi
 rm -f conftest.$ac_cv_objext conftest.$ac_ext
 fi
@@ -6684,7 +6693,7 @@ OBJEXT=$ac_cv_objext
 ac_objext=$OBJEXT
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether we are using the GNU C compiler" >&5
 $as_echo_n "checking whether we are using the GNU C compiler... " >&6; }
-if test "${ac_cv_c_compiler_gnu+set}" = set; then :
+if ${ac_cv_c_compiler_gnu+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   cat confdefs.h - <<_ACEOF >conftest.$ac_ext
@@ -6721,7 +6730,7 @@ ac_test_CFLAGS=${CFLAGS+set}
 ac_save_CFLAGS=$CFLAGS
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether $CC accepts -g" >&5
 $as_echo_n "checking whether $CC accepts -g... " >&6; }
-if test "${ac_cv_prog_cc_g+set}" = set; then :
+if ${ac_cv_prog_cc_g+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   ac_save_c_werror_flag=$ac_c_werror_flag
@@ -6799,7 +6808,7 @@ else
 fi
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $CC option to accept ISO C89" >&5
 $as_echo_n "checking for $CC option to accept ISO C89... " >&6; }
-if test "${ac_cv_prog_cc_c89+set}" = set; then :
+if ${ac_cv_prog_cc_c89+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   ac_cv_prog_cc_c89=no
@@ -6945,6 +6954,7 @@ fi
 if test "x$enable_dependency_tracking" != xno; then
   am_depcomp="$ac_aux_dir/depcomp"
   AMDEPBACKSLASH='\'
+  am__nodep='_no'
 fi
  if test "x$enable_dependency_tracking" != xno; then
   AMDEP_TRUE=
@@ -6960,7 +6970,7 @@ depcc="$CC"   am_compiler_list=
 
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking dependency style of $depcc" >&5
 $as_echo_n "checking dependency style of $depcc... " >&6; }
-if test "${am_cv_CC_dependencies_compiler_type+set}" = set; then :
+if ${am_cv_CC_dependencies_compiler_type+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   if test -z "$AMDEP_TRUE" && test -f "$am_depcomp"; then
@@ -6969,6 +6979,7 @@ else
   # instance it was reported that on HP-UX the gcc test will end up
   # making a dummy file named `D' -- because `-MD' means `put the output
   # in D'.
+  rm -rf conftest.dir
   mkdir conftest.dir
   # Copy depcomp to subdir because otherwise we won't find it if we're
   # using a relative directory.
@@ -7028,7 +7039,7 @@ else
 	break
       fi
       ;;
-    msvisualcpp | msvcmsys)
+    msvc7 | msvc7msys | msvisualcpp | msvcmsys)
       # This compiler won't grok `-c -o', but also, the minuso test has
       # not run yet.  These depmodes are late enough in the game, and
       # so weak that their functioning should not be impacted.
@@ -7089,7 +7100,7 @@ $SHELL "$ac_aux_dir/config.sub" sun4 >/dev/null 2>&1 ||
 
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking build system type" >&5
 $as_echo_n "checking build system type... " >&6; }
-if test "${ac_cv_build+set}" = set; then :
+if ${ac_cv_build+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   ac_build_alias=$build_alias
@@ -7105,7 +7116,7 @@ fi
 $as_echo "$ac_cv_build" >&6; }
 case $ac_cv_build in
 *-*-*) ;;
-*) as_fn_error $? "invalid value of canonical build" "$LINENO" 5 ;;
+*) as_fn_error $? "invalid value of canonical build" "$LINENO" 5;;
 esac
 build=$ac_cv_build
 ac_save_IFS=$IFS; IFS='-'
@@ -7123,7 +7134,7 @@ case $build_os in *\ *) build_os=`echo "$build_os" | sed 's/ /-/g'`;; esac
 
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking host system type" >&5
 $as_echo_n "checking host system type... " >&6; }
-if test "${ac_cv_host+set}" = set; then :
+if ${ac_cv_host+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   if test "x$host_alias" = x; then
@@ -7138,7 +7149,7 @@ fi
 $as_echo "$ac_cv_host" >&6; }
 case $ac_cv_host in
 *-*-*) ;;
-*) as_fn_error $? "invalid value of canonical host" "$LINENO" 5 ;;
+*) as_fn_error $? "invalid value of canonical host" "$LINENO" 5;;
 esac
 host=$ac_cv_host
 ac_save_IFS=$IFS; IFS='-'
@@ -7167,7 +7178,7 @@ if test -n "$CPP" && test -d "$CPP"; then
   CPP=
 fi
 if test -z "$CPP"; then
-  if test "${ac_cv_prog_CPP+set}" = set; then :
+  if ${ac_cv_prog_CPP+:} false; then :
   $as_echo_n "(cached) " >&6
 else
       # Double quotes because CPP needs to be expanded
@@ -7283,7 +7294,7 @@ else
   { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
 $as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
 as_fn_error $? "C preprocessor \"$CPP\" fails sanity check
-See \`config.log' for more details" "$LINENO" 5 ; }
+See \`config.log' for more details" "$LINENO" 5; }
 fi
 
 ac_ext=c
@@ -7295,7 +7306,7 @@ ac_compiler_gnu=$ac_cv_c_compiler_gnu
 
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for grep that handles long lines and -e" >&5
 $as_echo_n "checking for grep that handles long lines and -e... " >&6; }
-if test "${ac_cv_path_GREP+set}" = set; then :
+if ${ac_cv_path_GREP+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   if test -z "$GREP"; then
@@ -7358,7 +7369,7 @@ $as_echo "$ac_cv_path_GREP" >&6; }
 
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for egrep" >&5
 $as_echo_n "checking for egrep... " >&6; }
-if test "${ac_cv_path_EGREP+set}" = set; then :
+if ${ac_cv_path_EGREP+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   if echo a | $GREP -E '(a|b)' >/dev/null 2>&1
@@ -7431,7 +7442,7 @@ $as_echo "$ac_cv_path_EGREP" >&6; }
     solaris*)
                                     { $as_echo "$as_me:${as_lineno-$LINENO}: checking for 64-bit host" >&5
 $as_echo_n "checking for 64-bit host... " >&6; }
-if test "${gl_cv_solaris_64bit+set}" = set; then :
+if ${gl_cv_solaris_64bit+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   cat confdefs.h - <<_ACEOF >conftest.$ac_ext
@@ -7618,7 +7629,7 @@ fi
 
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for ANSI C header files" >&5
 $as_echo_n "checking for ANSI C header files... " >&6; }
-if test "${ac_cv_header_stdc+set}" = set; then :
+if ${ac_cv_header_stdc+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   cat confdefs.h - <<_ACEOF >conftest.$ac_ext
@@ -7747,7 +7758,7 @@ done
 
  { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether byte ordering is bigendian" >&5
 $as_echo_n "checking whether byte ordering is bigendian... " >&6; }
-if test "${ac_cv_c_bigendian+set}" = set; then :
+if ${ac_cv_c_bigendian+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   ac_cv_c_bigendian=unknown
@@ -7966,7 +7977,7 @@ $as_echo "#define AC_APPLE_UNIVERSAL_BUILD 1" >>confdefs.h
      ;; #(
    *)
      as_fn_error $? "unknown endianness
- presetting ac_cv_c_bigendian=no (or yes) will help" "$LINENO" 5  ;;
+ presetting ac_cv_c_bigendian=no (or yes) will help" "$LINENO" 5 ;;
  esac
 
 
@@ -7980,8 +7991,8 @@ esac
 
 
 
-macro_version='2.2.6b'
-macro_revision='1.3017'
+macro_version='2.4.2'
+macro_revision='1.3337'
 
 
 
@@ -7997,9 +8008,78 @@ macro_revision='1.3017'
 
 ltmain="$ac_aux_dir/ltmain.sh"
 
+# Backslashify metacharacters that are still active within
+# double-quoted strings.
+sed_quote_subst='s/\(["`$\\]\)/\\\1/g'
+
+# Same as above, but do not quote variable references.
+double_quote_subst='s/\(["`\\]\)/\\\1/g'
+
+# Sed substitution to delay expansion of an escaped shell variable in a
+# double_quote_subst'ed string.
+delay_variable_subst='s/\\\\\\\\\\\$/\\\\\\$/g'
+
+# Sed substitution to delay expansion of an escaped single quote.
+delay_single_quote_subst='s/'\''/'\'\\\\\\\'\''/g'
+
+# Sed substitution to avoid accidental globbing in evaled expressions
+no_glob_subst='s/\*/\\\*/g'
+
+ECHO='\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\'
+ECHO=$ECHO$ECHO$ECHO$ECHO$ECHO
+ECHO=$ECHO$ECHO$ECHO$ECHO$ECHO$ECHO
+
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking how to print strings" >&5
+$as_echo_n "checking how to print strings... " >&6; }
+# Test print first, because it will be a builtin if present.
+if test "X`( print -r -- -n ) 2>/dev/null`" = X-n && \
+   test "X`print -r -- $ECHO 2>/dev/null`" = "X$ECHO"; then
+  ECHO='print -r --'
+elif test "X`printf %s $ECHO 2>/dev/null`" = "X$ECHO"; then
+  ECHO='printf %s\n'
+else
+  # Use this function as a fallback that always works.
+  func_fallback_echo ()
+  {
+    eval 'cat <<_LTECHO_EOF
+$1
+_LTECHO_EOF'
+  }
+  ECHO='func_fallback_echo'
+fi
+
+# func_echo_all arg...
+# Invoke $ECHO with all args, space-separated.
+func_echo_all ()
+{
+    $ECHO ""
+}
+
+case "$ECHO" in
+  printf*) { $as_echo "$as_me:${as_lineno-$LINENO}: result: printf" >&5
+$as_echo "printf" >&6; } ;;
+  print*) { $as_echo "$as_me:${as_lineno-$LINENO}: result: print -r" >&5
+$as_echo "print -r" >&6; } ;;
+  *) { $as_echo "$as_me:${as_lineno-$LINENO}: result: cat" >&5
+$as_echo "cat" >&6; } ;;
+esac
+
+
+
+
+
+
+
+
+
+
+
+
+
+
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for a sed that does not truncate output" >&5
 $as_echo_n "checking for a sed that does not truncate output... " >&6; }
-if test "${ac_cv_path_SED+set}" = set; then :
+if ${ac_cv_path_SED+:} false; then :
   $as_echo_n "(cached) " >&6
 else
             ac_script=s/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa/bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb/
@@ -8081,7 +8161,7 @@ Xsed="$SED -e 1s/^X//"
 
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for fgrep" >&5
 $as_echo_n "checking for fgrep... " >&6; }
-if test "${ac_cv_path_FGREP+set}" = set; then :
+if ${ac_cv_path_FGREP+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   if echo 'ab*c' | $GREP -F 'ab*c' >/dev/null 2>&1
@@ -8212,7 +8292,7 @@ else
   { $as_echo "$as_me:${as_lineno-$LINENO}: checking for non-GNU ld" >&5
 $as_echo_n "checking for non-GNU ld... " >&6; }
 fi
-if test "${lt_cv_path_LD+set}" = set; then :
+if ${lt_cv_path_LD+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   if test -z "$LD"; then
@@ -8252,7 +8332,7 @@ fi
 test -z "$LD" && as_fn_error $? "no acceptable ld found in \$PATH" "$LINENO" 5
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking if the linker ($LD) is GNU ld" >&5
 $as_echo_n "checking if the linker ($LD) is GNU ld... " >&6; }
-if test "${lt_cv_prog_gnu_ld+set}" = set; then :
+if ${lt_cv_prog_gnu_ld+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   # I'd rather use --version here, but apparently some GNU lds only accept -v.
@@ -8279,7 +8359,7 @@ with_gnu_ld=$lt_cv_prog_gnu_ld
 
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for BSD- or MS-compatible name lister (nm)" >&5
 $as_echo_n "checking for BSD- or MS-compatible name lister (nm)... " >&6; }
-if test "${lt_cv_path_NM+set}" = set; then :
+if ${lt_cv_path_NM+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   if test -n "$NM"; then
@@ -8332,14 +8412,17 @@ if test "$lt_cv_path_NM" != "no"; then
   NM="$lt_cv_path_NM"
 else
   # Didn't find any BSD compatible name lister, look for dumpbin.
-  if test -n "$ac_tool_prefix"; then
-  for ac_prog in "dumpbin -symbols" "link -dump -symbols"
+  if test -n "$DUMPBIN"; then :
+    # Let the user override the test.
+  else
+    if test -n "$ac_tool_prefix"; then
+  for ac_prog in dumpbin "link -dump"
   do
     # Extract the first word of "$ac_tool_prefix$ac_prog", so it can be a program name with args.
 set dummy $ac_tool_prefix$ac_prog; ac_word=$2
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
 $as_echo_n "checking for $ac_word... " >&6; }
-if test "${ac_cv_prog_DUMPBIN+set}" = set; then :
+if ${ac_cv_prog_DUMPBIN+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   if test -n "$DUMPBIN"; then
@@ -8377,13 +8460,13 @@ fi
 fi
 if test -z "$DUMPBIN"; then
   ac_ct_DUMPBIN=$DUMPBIN
-  for ac_prog in "dumpbin -symbols" "link -dump -symbols"
+  for ac_prog in dumpbin "link -dump"
 do
   # Extract the first word of "$ac_prog", so it can be a program name with args.
 set dummy $ac_prog; ac_word=$2
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
 $as_echo_n "checking for $ac_word... " >&6; }
-if test "${ac_cv_prog_ac_ct_DUMPBIN+set}" = set; then :
+if ${ac_cv_prog_ac_ct_DUMPBIN+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   if test -n "$ac_ct_DUMPBIN"; then
@@ -8432,6 +8515,15 @@ esac
   fi
 fi
 
+    case `$DUMPBIN -symbols /dev/null 2>&1 | sed '1q'` in
+    *COFF*)
+      DUMPBIN="$DUMPBIN -symbols"
+      ;;
+    *)
+      DUMPBIN=:
+      ;;
+    esac
+  fi
 
   if test "$DUMPBIN" != ":"; then
     NM="$DUMPBIN"
@@ -8446,18 +8538,18 @@ test -z "$NM" && NM=nm
 
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking the name lister ($NM) interface" >&5
 $as_echo_n "checking the name lister ($NM) interface... " >&6; }
-if test "${lt_cv_nm_interface+set}" = set; then :
+if ${lt_cv_nm_interface+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   lt_cv_nm_interface="BSD nm"
   echo "int some_variable = 0;" > conftest.$ac_ext
-  (eval echo "\"\$as_me:8454: $ac_compile\"" >&5)
+  (eval echo "\"\$as_me:$LINENO: $ac_compile\"" >&5)
   (eval "$ac_compile" 2>conftest.err)
   cat conftest.err >&5
-  (eval echo "\"\$as_me:8457: $NM \\\"conftest.$ac_objext\\\"\"" >&5)
+  (eval echo "\"\$as_me:$LINENO: $NM \\\"conftest.$ac_objext\\\"\"" >&5)
   (eval "$NM \"conftest.$ac_objext\"" 2>conftest.err > conftest.out)
   cat conftest.err >&5
-  (eval echo "\"\$as_me:8460: output\"" >&5)
+  (eval echo "\"\$as_me:$LINENO: output\"" >&5)
   cat conftest.out >&5
   if $GREP 'External.*some_variable' conftest.out > /dev/null; then
     lt_cv_nm_interface="MS dumpbin"
@@ -8481,7 +8573,7 @@ fi
 # find the maximum length of command line arguments
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking the maximum length of command line arguments" >&5
 $as_echo_n "checking the maximum length of command line arguments... " >&6; }
-if test "${lt_cv_sys_max_cmd_len+set}" = set; then :
+if ${lt_cv_sys_max_cmd_len+:} false; then :
   $as_echo_n "(cached) " >&6
 else
     i=0
@@ -8514,6 +8606,11 @@ else
     lt_cv_sys_max_cmd_len=8192;
     ;;
 
+  mint*)
+    # On MiNT this can take a long time and run out of memory.
+    lt_cv_sys_max_cmd_len=8192;
+    ;;
+
   amigaos*)
     # On AmigaOS with pdksh, this test takes hours, literally.
     # So we just punt and use a minimum line length of 8192.
@@ -8539,6 +8636,11 @@ else
     lt_cv_sys_max_cmd_len=196608
     ;;
 
+  os2*)
+    # The test takes a long time on OS/2.
+    lt_cv_sys_max_cmd_len=8192
+    ;;
+
   osf*)
     # Dr. Hans Ekkehard Plesser reports seeing a kernel panic running configure
     # due to this test when exec_disable_arg_limit is 1 on Tru64. It is not
@@ -8578,8 +8680,8 @@ else
       # If test is not a shell built-in, we'll probably end up computing a
       # maximum length that is only half of the actual maximum length, but
       # we can't tell.
-      while { test "X"`$SHELL $0 --fallback-echo "X$teststring$teststring" 2>/dev/null` \
-	         = "XX$teststring$teststring"; } >/dev/null 2>&1 &&
+      while { test "X"`env echo "$teststring$teststring" 2>/dev/null` \
+	         = "X$teststring$teststring"; } >/dev/null 2>&1 &&
 	      test $i != 17 # 1/2 MB should be enough
       do
         i=`expr $i + 1`
@@ -8621,8 +8723,8 @@ $as_echo_n "checking whether the shell understands some XSI constructs... " >&6;
 # Try some XSI features
 xsi_shell=no
 ( _lt_dummy="a/b/c"
-  test "${_lt_dummy##*/},${_lt_dummy%/*},"${_lt_dummy%"$_lt_dummy"}, \
-      = c,a/b,, \
+  test "${_lt_dummy##*/},${_lt_dummy%/*},${_lt_dummy#??}"${_lt_dummy%"$_lt_dummy"}, \
+      = c,a/b,b/c, \
     && eval 'test $(( 1 + 1 )) -eq 2 \
     && test "${#_lt_dummy}" -eq 5' ) >/dev/null 2>&1 \
   && xsi_shell=yes
@@ -8671,9 +8773,83 @@ esac
 
 
 
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking how to convert $build file names to $host format" >&5
+$as_echo_n "checking how to convert $build file names to $host format... " >&6; }
+if ${lt_cv_to_host_file_cmd+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  case $host in
+  *-*-mingw* )
+    case $build in
+      *-*-mingw* ) # actually msys
+        lt_cv_to_host_file_cmd=func_convert_file_msys_to_w32
+        ;;
+      *-*-cygwin* )
+        lt_cv_to_host_file_cmd=func_convert_file_cygwin_to_w32
+        ;;
+      * ) # otherwise, assume *nix
+        lt_cv_to_host_file_cmd=func_convert_file_nix_to_w32
+        ;;
+    esac
+    ;;
+  *-*-cygwin* )
+    case $build in
+      *-*-mingw* ) # actually msys
+        lt_cv_to_host_file_cmd=func_convert_file_msys_to_cygwin
+        ;;
+      *-*-cygwin* )
+        lt_cv_to_host_file_cmd=func_convert_file_noop
+        ;;
+      * ) # otherwise, assume *nix
+        lt_cv_to_host_file_cmd=func_convert_file_nix_to_cygwin
+        ;;
+    esac
+    ;;
+  * ) # unhandled hosts (and "normal" native builds)
+    lt_cv_to_host_file_cmd=func_convert_file_noop
+    ;;
+esac
+
+fi
+
+to_host_file_cmd=$lt_cv_to_host_file_cmd
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $lt_cv_to_host_file_cmd" >&5
+$as_echo "$lt_cv_to_host_file_cmd" >&6; }
+
+
+
+
+
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking how to convert $build file names to toolchain format" >&5
+$as_echo_n "checking how to convert $build file names to toolchain format... " >&6; }
+if ${lt_cv_to_tool_file_cmd+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  #assume ordinary cross tools, or native build.
+lt_cv_to_tool_file_cmd=func_convert_file_noop
+case $host in
+  *-*-mingw* )
+    case $build in
+      *-*-mingw* ) # actually msys
+        lt_cv_to_tool_file_cmd=func_convert_file_msys_to_w32
+        ;;
+    esac
+    ;;
+esac
+
+fi
+
+to_tool_file_cmd=$lt_cv_to_tool_file_cmd
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $lt_cv_to_tool_file_cmd" >&5
+$as_echo "$lt_cv_to_tool_file_cmd" >&6; }
+
+
+
+
+
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $LD option to reload object files" >&5
 $as_echo_n "checking for $LD option to reload object files... " >&6; }
-if test "${lt_cv_ld_reload_flag+set}" = set; then :
+if ${lt_cv_ld_reload_flag+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   lt_cv_ld_reload_flag='-r'
@@ -8687,6 +8863,11 @@ case $reload_flag in
 esac
 reload_cmds='$LD$reload_flag -o $output$reload_objs'
 case $host_os in
+  cygwin* | mingw* | pw32* | cegcc*)
+    if test "$GCC" != yes; then
+      reload_cmds=false
+    fi
+    ;;
   darwin*)
     if test "$GCC" = yes; then
       reload_cmds='$LTCC $LTCFLAGS -nostdlib ${wl}-r -o $output$reload_objs'
@@ -8709,7 +8890,7 @@ if test -n "$ac_tool_prefix"; then
 set dummy ${ac_tool_prefix}objdump; ac_word=$2
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
 $as_echo_n "checking for $ac_word... " >&6; }
-if test "${ac_cv_prog_OBJDUMP+set}" = set; then :
+if ${ac_cv_prog_OBJDUMP+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   if test -n "$OBJDUMP"; then
@@ -8749,7 +8930,7 @@ if test -z "$ac_cv_prog_OBJDUMP"; then
 set dummy objdump; ac_word=$2
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
 $as_echo_n "checking for $ac_word... " >&6; }
-if test "${ac_cv_prog_ac_ct_OBJDUMP+set}" = set; then :
+if ${ac_cv_prog_ac_ct_OBJDUMP+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   if test -n "$ac_ct_OBJDUMP"; then
@@ -8808,7 +8989,7 @@ test -z "$OBJDUMP" && OBJDUMP=objdump
 
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking how to recognize dependent libraries" >&5
 $as_echo_n "checking how to recognize dependent libraries... " >&6; }
-if test "${lt_cv_deplibs_check_method+set}" = set; then :
+if ${lt_cv_deplibs_check_method+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   lt_cv_file_magic_cmd='$MAGIC_CMD'
@@ -8850,16 +9031,18 @@ mingw* | pw32*)
   # Base MSYS/MinGW do not provide the 'file' command needed by
   # func_win32_libid shell function, so use a weaker test based on 'objdump',
   # unless we find 'file', for example because we are cross-compiling.
-  if ( file / ) >/dev/null 2>&1; then
+  # func_win32_libid assumes BSD nm, so disallow it if using MS dumpbin.
+  if ( test "$lt_cv_nm_interface" = "BSD nm" && file / ) >/dev/null 2>&1; then
     lt_cv_deplibs_check_method='file_magic ^x86 archive import|^x86 DLL'
     lt_cv_file_magic_cmd='func_win32_libid'
   else
-    lt_cv_deplibs_check_method='file_magic file format pei*-i386(.*architecture: i386)?'
+    # Keep this pattern in sync with the one in func_win32_libid.
+    lt_cv_deplibs_check_method='file_magic file format (pei*-i386(.*architecture: i386)?|pe-arm-wince|pe-x86-64)'
     lt_cv_file_magic_cmd='$OBJDUMP -f'
   fi
   ;;
 
-cegcc)
+cegcc*)
   # use the weaker test based on 'objdump'. See mingw*.
   lt_cv_deplibs_check_method='file_magic file format pe-arm-.*little(.*architecture: arm)?'
   lt_cv_file_magic_cmd='$OBJDUMP -f'
@@ -8889,6 +9072,10 @@ gnu*)
   lt_cv_deplibs_check_method=pass_all
   ;;
 
+haiku*)
+  lt_cv_deplibs_check_method=pass_all
+  ;;
+
 hpux10.20* | hpux11*)
   lt_cv_file_magic_cmd=/usr/bin/file
   case $host_cpu in
@@ -8897,11 +9084,11 @@ hpux10.20* | hpux11*)
     lt_cv_file_magic_test_file=/usr/lib/hpux32/libc.so
     ;;
   hppa*64*)
-    lt_cv_deplibs_check_method='file_magic (s[0-9][0-9][0-9]|ELF-[0-9][0-9]) shared object file - PA-RISC [0-9].[0-9]'
+    lt_cv_deplibs_check_method='file_magic (s[0-9][0-9][0-9]|ELF[ -][0-9][0-9])(-bit)?( [LM]SB)? shared object( file)?[, -]* PA-RISC [0-9]\.[0-9]'
     lt_cv_file_magic_test_file=/usr/lib/pa20_64/libc.sl
     ;;
   *)
-    lt_cv_deplibs_check_method='file_magic (s[0-9][0-9][0-9]|PA-RISC[0-9].[0-9]) shared library'
+    lt_cv_deplibs_check_method='file_magic (s[0-9][0-9][0-9]|PA-RISC[0-9]\.[0-9]) shared library'
     lt_cv_file_magic_test_file=/usr/lib/libc.sl
     ;;
   esac
@@ -8922,7 +9109,7 @@ irix5* | irix6* | nonstopux*)
   lt_cv_deplibs_check_method=pass_all
   ;;
 
-# This must be Linux ELF.
+# This must be glibc/ELF.
 linux* | k*bsd*-gnu | kopensolaris*-gnu)
   lt_cv_deplibs_check_method=pass_all
   ;;
@@ -9004,6 +9191,21 @@ esac
 fi
 { $as_echo "$as_me:${as_lineno-$LINENO}: result: $lt_cv_deplibs_check_method" >&5
 $as_echo "$lt_cv_deplibs_check_method" >&6; }
+
+file_magic_glob=
+want_nocaseglob=no
+if test "$build" = "$host"; then
+  case $host_os in
+  mingw* | pw32*)
+    if ( shopt | grep nocaseglob ) >/dev/null 2>&1; then
+      want_nocaseglob=yes
+    else
+      file_magic_glob=`echo aAbBcCdDeEfFgGhHiIjJkKlLmMnNoOpPqQrRsStTuUvVwWxXyYzZ | $SED -e "s/\(..\)/s\/[\1]\/[\1]\/g;/g"`
+    fi
+    ;;
+  esac
+fi
+
 file_magic_cmd=$lt_cv_file_magic_cmd
 deplibs_check_method=$lt_cv_deplibs_check_method
 test -z "$deplibs_check_method" && deplibs_check_method=unknown
@@ -9017,18 +9219,28 @@ test -z "$deplibs_check_method" && deplibs_check_method=unknown
 
 
 
+
+
+
+
+
+
+
+
+
+
 
 
 if test -n "$ac_tool_prefix"; then
-  # Extract the first word of "${ac_tool_prefix}ar", so it can be a program name with args.
-set dummy ${ac_tool_prefix}ar; ac_word=$2
+  # Extract the first word of "${ac_tool_prefix}dlltool", so it can be a program name with args.
+set dummy ${ac_tool_prefix}dlltool; ac_word=$2
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
 $as_echo_n "checking for $ac_word... " >&6; }
-if test "${ac_cv_prog_AR+set}" = set; then :
+if ${ac_cv_prog_DLLTOOL+:} false; then :
   $as_echo_n "(cached) " >&6
 else
-  if test -n "$AR"; then
-  ac_cv_prog_AR="$AR" # Let the user override the test.
+  if test -n "$DLLTOOL"; then
+  ac_cv_prog_DLLTOOL="$DLLTOOL" # Let the user override the test.
 else
 as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
 for as_dir in $PATH
@@ -9037,7 +9249,7 @@ do
   test -z "$as_dir" && as_dir=.
     for ac_exec_ext in '' $ac_executable_extensions; do
   if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
-    ac_cv_prog_AR="${ac_tool_prefix}ar"
+    ac_cv_prog_DLLTOOL="${ac_tool_prefix}dlltool"
     $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
   fi
@@ -9047,10 +9259,10 @@ IFS=$as_save_IFS
 
 fi
 fi
-AR=$ac_cv_prog_AR
-if test -n "$AR"; then
-  { $as_echo "$as_me:${as_lineno-$LINENO}: result: $AR" >&5
-$as_echo "$AR" >&6; }
+DLLTOOL=$ac_cv_prog_DLLTOOL
+if test -n "$DLLTOOL"; then
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: $DLLTOOL" >&5
+$as_echo "$DLLTOOL" >&6; }
 else
   { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
 $as_echo "no" >&6; }
@@ -9058,17 +9270,17 @@ fi
 
 
 fi
-if test -z "$ac_cv_prog_AR"; then
-  ac_ct_AR=$AR
-  # Extract the first word of "ar", so it can be a program name with args.
-set dummy ar; ac_word=$2
+if test -z "$ac_cv_prog_DLLTOOL"; then
+  ac_ct_DLLTOOL=$DLLTOOL
+  # Extract the first word of "dlltool", so it can be a program name with args.
+set dummy dlltool; ac_word=$2
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
 $as_echo_n "checking for $ac_word... " >&6; }
-if test "${ac_cv_prog_ac_ct_AR+set}" = set; then :
+if ${ac_cv_prog_ac_ct_DLLTOOL+:} false; then :
   $as_echo_n "(cached) " >&6
 else
-  if test -n "$ac_ct_AR"; then
-  ac_cv_prog_ac_ct_AR="$ac_ct_AR" # Let the user override the test.
+  if test -n "$ac_ct_DLLTOOL"; then
+  ac_cv_prog_ac_ct_DLLTOOL="$ac_ct_DLLTOOL" # Let the user override the test.
 else
 as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
 for as_dir in $PATH
@@ -9077,7 +9289,7 @@ do
   test -z "$as_dir" && as_dir=.
     for ac_exec_ext in '' $ac_executable_extensions; do
   if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
-    ac_cv_prog_ac_ct_AR="ar"
+    ac_cv_prog_ac_ct_DLLTOOL="dlltool"
     $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
   fi
@@ -9087,17 +9299,17 @@ IFS=$as_save_IFS
 
 fi
 fi
-ac_ct_AR=$ac_cv_prog_ac_ct_AR
-if test -n "$ac_ct_AR"; then
-  { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_ct_AR" >&5
-$as_echo "$ac_ct_AR" >&6; }
+ac_ct_DLLTOOL=$ac_cv_prog_ac_ct_DLLTOOL
+if test -n "$ac_ct_DLLTOOL"; then
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_ct_DLLTOOL" >&5
+$as_echo "$ac_ct_DLLTOOL" >&6; }
 else
   { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
 $as_echo "no" >&6; }
 fi
 
-  if test "x$ac_ct_AR" = x; then
-    AR="false"
+  if test "x$ac_ct_DLLTOOL" = x; then
+    DLLTOOL="false"
   else
     case $cross_compiling:$ac_tool_warned in
 yes:)
@@ -9105,14 +9317,13 @@ yes:)
 $as_echo "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;}
 ac_tool_warned=yes ;;
 esac
-    AR=$ac_ct_AR
+    DLLTOOL=$ac_ct_DLLTOOL
   fi
 else
-  AR="$ac_cv_prog_AR"
+  DLLTOOL="$ac_cv_prog_DLLTOOL"
 fi
 
-test -z "$AR" && AR=ar
-test -z "$AR_FLAGS" && AR_FLAGS=cru
+test -z "$DLLTOOL" && DLLTOOL=dlltool
 
 
 
@@ -9123,21 +9334,229 @@ test -z "$AR_FLAGS" && AR_FLAGS=cru
 
 
 
-
-if test -n "$ac_tool_prefix"; then
-  # Extract the first word of "${ac_tool_prefix}strip", so it can be a program name with args.
-set dummy ${ac_tool_prefix}strip; ac_word=$2
-{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
-$as_echo_n "checking for $ac_word... " >&6; }
-if test "${ac_cv_prog_STRIP+set}" = set; then :
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking how to associate runtime and link libraries" >&5
+$as_echo_n "checking how to associate runtime and link libraries... " >&6; }
+if ${lt_cv_sharedlib_from_linklib_cmd+:} false; then :
   $as_echo_n "(cached) " >&6
 else
-  if test -n "$STRIP"; then
-  ac_cv_prog_STRIP="$STRIP" # Let the user override the test.
-else
-as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
-for as_dir in $PATH
-do
+  lt_cv_sharedlib_from_linklib_cmd='unknown'
+
+case $host_os in
+cygwin* | mingw* | pw32* | cegcc*)
+  # two different shell functions defined in ltmain.sh
+  # decide which to use based on capabilities of $DLLTOOL
+  case `$DLLTOOL --help 2>&1` in
+  *--identify-strict*)
+    lt_cv_sharedlib_from_linklib_cmd=func_cygming_dll_for_implib
+    ;;
+  *)
+    lt_cv_sharedlib_from_linklib_cmd=func_cygming_dll_for_implib_fallback
+    ;;
+  esac
+  ;;
+*)
+  # fallback: assume linklib IS sharedlib
+  lt_cv_sharedlib_from_linklib_cmd="$ECHO"
+  ;;
+esac
+
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $lt_cv_sharedlib_from_linklib_cmd" >&5
+$as_echo "$lt_cv_sharedlib_from_linklib_cmd" >&6; }
+sharedlib_from_linklib_cmd=$lt_cv_sharedlib_from_linklib_cmd
+test -z "$sharedlib_from_linklib_cmd" && sharedlib_from_linklib_cmd=$ECHO
+
+
+
+
+
+
+
+if test -n "$ac_tool_prefix"; then
+  for ac_prog in ar
+  do
+    # Extract the first word of "$ac_tool_prefix$ac_prog", so it can be a program name with args.
+set dummy $ac_tool_prefix$ac_prog; ac_word=$2
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
+$as_echo_n "checking for $ac_word... " >&6; }
+if ${ac_cv_prog_AR+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  if test -n "$AR"; then
+  ac_cv_prog_AR="$AR" # Let the user override the test.
+else
+as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+  IFS=$as_save_IFS
+  test -z "$as_dir" && as_dir=.
+    for ac_exec_ext in '' $ac_executable_extensions; do
+  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+    ac_cv_prog_AR="$ac_tool_prefix$ac_prog"
+    $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
+    break 2
+  fi
+done
+  done
+IFS=$as_save_IFS
+
+fi
+fi
+AR=$ac_cv_prog_AR
+if test -n "$AR"; then
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: $AR" >&5
+$as_echo "$AR" >&6; }
+else
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+fi
+
+
+    test -n "$AR" && break
+  done
+fi
+if test -z "$AR"; then
+  ac_ct_AR=$AR
+  for ac_prog in ar
+do
+  # Extract the first word of "$ac_prog", so it can be a program name with args.
+set dummy $ac_prog; ac_word=$2
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
+$as_echo_n "checking for $ac_word... " >&6; }
+if ${ac_cv_prog_ac_ct_AR+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  if test -n "$ac_ct_AR"; then
+  ac_cv_prog_ac_ct_AR="$ac_ct_AR" # Let the user override the test.
+else
+as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+  IFS=$as_save_IFS
+  test -z "$as_dir" && as_dir=.
+    for ac_exec_ext in '' $ac_executable_extensions; do
+  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+    ac_cv_prog_ac_ct_AR="$ac_prog"
+    $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
+    break 2
+  fi
+done
+  done
+IFS=$as_save_IFS
+
+fi
+fi
+ac_ct_AR=$ac_cv_prog_ac_ct_AR
+if test -n "$ac_ct_AR"; then
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_ct_AR" >&5
+$as_echo "$ac_ct_AR" >&6; }
+else
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+fi
+
+
+  test -n "$ac_ct_AR" && break
+done
+
+  if test "x$ac_ct_AR" = x; then
+    AR="false"
+  else
+    case $cross_compiling:$ac_tool_warned in
+yes:)
+{ $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: using cross tools not prefixed with host triplet" >&5
+$as_echo "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;}
+ac_tool_warned=yes ;;
+esac
+    AR=$ac_ct_AR
+  fi
+fi
+
+: ${AR=ar}
+: ${AR_FLAGS=cru}
+
+
+
+
+
+
+
+
+
+
+
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for archiver @FILE support" >&5
+$as_echo_n "checking for archiver @FILE support... " >&6; }
+if ${lt_cv_ar_at_file+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  lt_cv_ar_at_file=no
+   cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+
+int
+main ()
+{
+
+  ;
+  return 0;
+}
+_ACEOF
+if ac_fn_c_try_compile "$LINENO"; then :
+  echo conftest.$ac_objext > conftest.lst
+      lt_ar_try='$AR $AR_FLAGS libconftest.a @conftest.lst >&5'
+      { { eval echo "\"\$as_me\":${as_lineno-$LINENO}: \"$lt_ar_try\""; } >&5
+  (eval $lt_ar_try) 2>&5
+  ac_status=$?
+  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+  test $ac_status = 0; }
+      if test "$ac_status" -eq 0; then
+	# Ensure the archiver fails upon bogus file names.
+	rm -f conftest.$ac_objext libconftest.a
+	{ { eval echo "\"\$as_me\":${as_lineno-$LINENO}: \"$lt_ar_try\""; } >&5
+  (eval $lt_ar_try) 2>&5
+  ac_status=$?
+  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+  test $ac_status = 0; }
+	if test "$ac_status" -ne 0; then
+          lt_cv_ar_at_file=@
+        fi
+      fi
+      rm -f conftest.* libconftest.a
+
+fi
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $lt_cv_ar_at_file" >&5
+$as_echo "$lt_cv_ar_at_file" >&6; }
+
+if test "x$lt_cv_ar_at_file" = xno; then
+  archiver_list_spec=
+else
+  archiver_list_spec=$lt_cv_ar_at_file
+fi
+
+
+
+
+
+
+
+if test -n "$ac_tool_prefix"; then
+  # Extract the first word of "${ac_tool_prefix}strip", so it can be a program name with args.
+set dummy ${ac_tool_prefix}strip; ac_word=$2
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
+$as_echo_n "checking for $ac_word... " >&6; }
+if ${ac_cv_prog_STRIP+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  if test -n "$STRIP"; then
+  ac_cv_prog_STRIP="$STRIP" # Let the user override the test.
+else
+as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
   IFS=$as_save_IFS
   test -z "$as_dir" && as_dir=.
     for ac_exec_ext in '' $ac_executable_extensions; do
@@ -9169,7 +9588,7 @@ if test -z "$ac_cv_prog_STRIP"; then
 set dummy strip; ac_word=$2
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
 $as_echo_n "checking for $ac_word... " >&6; }
-if test "${ac_cv_prog_ac_ct_STRIP+set}" = set; then :
+if ${ac_cv_prog_ac_ct_STRIP+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   if test -n "$ac_ct_STRIP"; then
@@ -9228,7 +9647,7 @@ if test -n "$ac_tool_prefix"; then
 set dummy ${ac_tool_prefix}ranlib; ac_word=$2
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
 $as_echo_n "checking for $ac_word... " >&6; }
-if test "${ac_cv_prog_RANLIB+set}" = set; then :
+if ${ac_cv_prog_RANLIB+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   if test -n "$RANLIB"; then
@@ -9268,7 +9687,7 @@ if test -z "$ac_cv_prog_RANLIB"; then
 set dummy ranlib; ac_word=$2
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
 $as_echo_n "checking for $ac_word... " >&6; }
-if test "${ac_cv_prog_ac_ct_RANLIB+set}" = set; then :
+if ${ac_cv_prog_ac_ct_RANLIB+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   if test -n "$ac_ct_RANLIB"; then
@@ -9330,15 +9749,27 @@ old_postuninstall_cmds=
 if test -n "$RANLIB"; then
   case $host_os in
   openbsd*)
-    old_postinstall_cmds="$old_postinstall_cmds~\$RANLIB -t \$oldlib"
+    old_postinstall_cmds="$old_postinstall_cmds~\$RANLIB -t \$tool_oldlib"
     ;;
   *)
-    old_postinstall_cmds="$old_postinstall_cmds~\$RANLIB \$oldlib"
+    old_postinstall_cmds="$old_postinstall_cmds~\$RANLIB \$tool_oldlib"
     ;;
   esac
-  old_archive_cmds="$old_archive_cmds~\$RANLIB \$oldlib"
+  old_archive_cmds="$old_archive_cmds~\$RANLIB \$tool_oldlib"
 fi
 
+case $host_os in
+  darwin*)
+    lock_old_archive_extraction=yes ;;
+  *)
+    lock_old_archive_extraction=no ;;
+esac
+
+
+
+
+
+
 
 
 
@@ -9385,7 +9816,7 @@ compiler=$CC
 # Check for command to grab the raw symbol name followed by C symbol from nm.
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking command to parse $NM output from $compiler object" >&5
 $as_echo_n "checking command to parse $NM output from $compiler object... " >&6; }
-if test "${lt_cv_sys_global_symbol_pipe+set}" = set; then :
+if ${lt_cv_sys_global_symbol_pipe+:} false; then :
   $as_echo_n "(cached) " >&6
 else
 
@@ -9446,8 +9877,8 @@ esac
 lt_cv_sys_global_symbol_to_cdecl="sed -n -e 's/^T .* \(.*\)$/extern int \1();/p' -e 's/^$symcode* .* \(.*\)$/extern char \1;/p'"
 
 # Transform an extracted symbol line into symbol name and symbol address
-lt_cv_sys_global_symbol_to_c_name_address="sed -n -e 's/^: \([^ ]*\) $/  {\\\"\1\\\", (void *) 0},/p' -e 's/^$symcode* \([^ ]*\) \([^ ]*\)$/  {\"\2\", (void *) \&\2},/p'"
-lt_cv_sys_global_symbol_to_c_name_address_lib_prefix="sed -n -e 's/^: \([^ ]*\) $/  {\\\"\1\\\", (void *) 0},/p' -e 's/^$symcode* \([^ ]*\) \(lib[^ ]*\)$/  {\"\2\", (void *) \&\2},/p' -e 's/^$symcode* \([^ ]*\) \([^ ]*\)$/  {\"lib\2\", (void *) \&\2},/p'"
+lt_cv_sys_global_symbol_to_c_name_address="sed -n -e 's/^: \([^ ]*\)[ ]*$/  {\\\"\1\\\", (void *) 0},/p' -e 's/^$symcode* \([^ ]*\) \([^ ]*\)$/  {\"\2\", (void *) \&\2},/p'"
+lt_cv_sys_global_symbol_to_c_name_address_lib_prefix="sed -n -e 's/^: \([^ ]*\)[ ]*$/  {\\\"\1\\\", (void *) 0},/p' -e 's/^$symcode* \([^ ]*\) \(lib[^ ]*\)$/  {\"\2\", (void *) \&\2},/p' -e 's/^$symcode* \([^ ]*\) \([^ ]*\)$/  {\"lib\2\", (void *) \&\2},/p'"
 
 # Handle CRLF in mingw tool chain
 opt_cr=
@@ -9471,6 +9902,7 @@ for ac_symprfx in "" "_"; do
     # which start with @ or ?.
     lt_cv_sys_global_symbol_pipe="$AWK '"\
 "     {last_section=section; section=\$ 3};"\
+"     /^COFF SYMBOL TABLE/{for(i in hide) delete hide[i]};"\
 "     /Section length .*#relocs.*(pick any)/{hide[last_section]=1};"\
 "     \$ 0!~/External *\|/{next};"\
 "     / 0+ UNDEF /{next}; / UNDEF \([^|]\)*()/{next};"\
@@ -9483,6 +9915,7 @@ for ac_symprfx in "" "_"; do
   else
     lt_cv_sys_global_symbol_pipe="sed -n -e 's/^.*[	 ]\($symcode$symcode*\)[	 ][	 ]*$ac_symprfx$sympat$opt_cr$/$symxfrm/p'"
   fi
+  lt_cv_sys_global_symbol_pipe="$lt_cv_sys_global_symbol_pipe | sed '/ __gnu_lto/d'"
 
   # Check to see that the pipe works correctly.
   pipe_works=no
@@ -9508,8 +9941,8 @@ _LT_EOF
   test $ac_status = 0; }; then
     # Now try to grab the symbols.
     nlist=conftest.nm
-    if { { eval echo "\"\$as_me\":${as_lineno-$LINENO}: \"$NM conftest.$ac_objext \| $lt_cv_sys_global_symbol_pipe \> $nlist\""; } >&5
-  (eval $NM conftest.$ac_objext \| $lt_cv_sys_global_symbol_pipe \> $nlist) 2>&5
+    if { { eval echo "\"\$as_me\":${as_lineno-$LINENO}: \"$NM conftest.$ac_objext \| "$lt_cv_sys_global_symbol_pipe" \> $nlist\""; } >&5
+  (eval $NM conftest.$ac_objext \| "$lt_cv_sys_global_symbol_pipe" \> $nlist) 2>&5
   ac_status=$?
   $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
   test $ac_status = 0; } && test -s "$nlist"; then
@@ -9524,6 +9957,18 @@ _LT_EOF
       if $GREP ' nm_test_var$' "$nlist" >/dev/null; then
 	if $GREP ' nm_test_func$' "$nlist" >/dev/null; then
 	  cat <<_LT_EOF > conftest.$ac_ext
+/* Keep this code in sync between libtool.m4, ltmain, lt_system.h, and tests.  */
+#if defined(_WIN32) || defined(__CYGWIN__) || defined(_WIN32_WCE)
+/* DATA imports from DLLs on WIN32 con't be const, because runtime
+   relocations are performed -- see ld's documentation on pseudo-relocs.  */
+# define LT_DLSYM_CONST
+#elif defined(__osf__)
+/* This system does not cope well with relocations in const data.  */
+# define LT_DLSYM_CONST
+#else
+# define LT_DLSYM_CONST const
+#endif
+
 #ifdef __cplusplus
 extern "C" {
 #endif
@@ -9535,7 +9980,7 @@ _LT_EOF
 	  cat <<_LT_EOF >> conftest.$ac_ext
 
 /* The mapping between symbol names and symbols.  */
-const struct {
+LT_DLSYM_CONST struct {
   const char *name;
   void       *address;
 }
@@ -9561,8 +10006,8 @@ static const void *lt_preloaded_setup() {
 _LT_EOF
 	  # Now try linking the two files.
 	  mv conftest.$ac_objext conftstm.$ac_objext
-	  lt_save_LIBS="$LIBS"
-	  lt_save_CFLAGS="$CFLAGS"
+	  lt_globsym_save_LIBS=$LIBS
+	  lt_globsym_save_CFLAGS=$CFLAGS
 	  LIBS="conftstm.$ac_objext"
 	  CFLAGS="$CFLAGS$lt_prog_compiler_no_builtin_flag"
 	  if { { eval echo "\"\$as_me\":${as_lineno-$LINENO}: \"$ac_link\""; } >&5
@@ -9572,8 +10017,8 @@ _LT_EOF
   test $ac_status = 0; } && test -s conftest${ac_exeext}; then
 	    pipe_works=yes
 	  fi
-	  LIBS="$lt_save_LIBS"
-	  CFLAGS="$lt_save_CFLAGS"
+	  LIBS=$lt_globsym_save_LIBS
+	  CFLAGS=$lt_globsym_save_CFLAGS
 	else
 	  echo "cannot find nm_test_func in $nlist" >&5
 	fi
@@ -9610,6 +10055,15 @@ else
 $as_echo "ok" >&6; }
 fi
 
+# Response file support.
+if test "$lt_cv_nm_interface" = "MS dumpbin"; then
+  nm_file_list_spec='@'
+elif $NM --help 2>/dev/null | grep '[@]FILE' >/dev/null; then
+  nm_file_list_spec='@'
+fi
+
+
+
 
 
 
@@ -9627,6 +10081,46 @@ fi
 
 
 
+
+
+
+
+
+
+
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for sysroot" >&5
+$as_echo_n "checking for sysroot... " >&6; }
+
+# Check whether --with-sysroot was given.
+if test "${with_sysroot+set}" = set; then :
+  withval=$with_sysroot;
+else
+  with_sysroot=no
+fi
+
+
+lt_sysroot=
+case ${with_sysroot} in #(
+ yes)
+   if test "$GCC" = yes; then
+     lt_sysroot=`$CC --print-sysroot 2>/dev/null`
+   fi
+   ;; #(
+ /*)
+   lt_sysroot=`echo "$with_sysroot" | sed -e "$sed_quote_subst"`
+   ;; #(
+ no|'')
+   ;; #(
+ *)
+   { $as_echo "$as_me:${as_lineno-$LINENO}: result: ${with_sysroot}" >&5
+$as_echo "${with_sysroot}" >&6; }
+   as_fn_error $? "The sysroot must be an absolute path." "$LINENO" 5
+   ;;
+esac
+
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: ${lt_sysroot:-no}" >&5
+$as_echo "${lt_sysroot:-no}" >&6; }
+
 
 
 
@@ -9662,7 +10156,7 @@ ia64-*-hpux*)
   ;;
 *-*-irix6*)
   # Find out which ABI we are using.
-  echo '#line 9665 "configure"' > conftest.$ac_ext
+  echo '#line '$LINENO' "configure"' > conftest.$ac_ext
   if { { eval echo "\"\$as_me\":${as_lineno-$LINENO}: \"$ac_compile\""; } >&5
   (eval $ac_compile) 2>&5
   ac_status=$?
@@ -9756,7 +10250,7 @@ s390*-*linux*|s390*-*tpf*|sparc*-*linux*)
   CFLAGS="$CFLAGS -belf"
   { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether the C compiler needs -belf" >&5
 $as_echo_n "checking whether the C compiler needs -belf... " >&6; }
-if test "${lt_cv_cc_needs_belf+set}" = set; then :
+if ${lt_cv_cc_needs_belf+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   ac_ext=c
@@ -9797,7 +10291,7 @@ $as_echo "$lt_cv_cc_needs_belf" >&6; }
     CFLAGS="$SAVE_CFLAGS"
   fi
   ;;
-sparc*-*solaris*)
+*-*solaris*)
   # Find out which ABI we are using.
   echo 'int i;' > conftest.$ac_ext
   if { { eval echo "\"\$as_me\":${as_lineno-$LINENO}: \"$ac_compile\""; } >&5
@@ -9808,7 +10302,20 @@ sparc*-*solaris*)
     case `/usr/bin/file conftest.o` in
     *64-bit*)
       case $lt_cv_prog_gnu_ld in
-      yes*) LD="${LD-ld} -m elf64_sparc" ;;
+      yes*)
+        case $host in
+        i?86-*-solaris*)
+          LD="${LD-ld} -m elf_x86_64"
+          ;;
+        sparc*-*-solaris*)
+          LD="${LD-ld} -m elf64_sparc"
+          ;;
+        esac
+        # GNU ld 2.21 introduced _sol2 emulations.  Use them if available.
+        if ${LD-ld} -V | grep _sol2 >/dev/null 2>&1; then
+          LD="${LD-ld}_sol2"
+        fi
+        ;;
       *)
 	if ${LD-ld} -64 -r -o conftest2.o conftest.o >/dev/null 2>&1; then
 	  LD="${LD-ld} -64"
@@ -9824,6 +10331,123 @@ esac
 
 need_locks="$enable_libtool_lock"
 
+if test -n "$ac_tool_prefix"; then
+  # Extract the first word of "${ac_tool_prefix}mt", so it can be a program name with args.
+set dummy ${ac_tool_prefix}mt; ac_word=$2
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
+$as_echo_n "checking for $ac_word... " >&6; }
+if ${ac_cv_prog_MANIFEST_TOOL+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  if test -n "$MANIFEST_TOOL"; then
+  ac_cv_prog_MANIFEST_TOOL="$MANIFEST_TOOL" # Let the user override the test.
+else
+as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+  IFS=$as_save_IFS
+  test -z "$as_dir" && as_dir=.
+    for ac_exec_ext in '' $ac_executable_extensions; do
+  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+    ac_cv_prog_MANIFEST_TOOL="${ac_tool_prefix}mt"
+    $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
+    break 2
+  fi
+done
+  done
+IFS=$as_save_IFS
+
+fi
+fi
+MANIFEST_TOOL=$ac_cv_prog_MANIFEST_TOOL
+if test -n "$MANIFEST_TOOL"; then
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: $MANIFEST_TOOL" >&5
+$as_echo "$MANIFEST_TOOL" >&6; }
+else
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+fi
+
+
+fi
+if test -z "$ac_cv_prog_MANIFEST_TOOL"; then
+  ac_ct_MANIFEST_TOOL=$MANIFEST_TOOL
+  # Extract the first word of "mt", so it can be a program name with args.
+set dummy mt; ac_word=$2
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
+$as_echo_n "checking for $ac_word... " >&6; }
+if ${ac_cv_prog_ac_ct_MANIFEST_TOOL+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  if test -n "$ac_ct_MANIFEST_TOOL"; then
+  ac_cv_prog_ac_ct_MANIFEST_TOOL="$ac_ct_MANIFEST_TOOL" # Let the user override the test.
+else
+as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+  IFS=$as_save_IFS
+  test -z "$as_dir" && as_dir=.
+    for ac_exec_ext in '' $ac_executable_extensions; do
+  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+    ac_cv_prog_ac_ct_MANIFEST_TOOL="mt"
+    $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
+    break 2
+  fi
+done
+  done
+IFS=$as_save_IFS
+
+fi
+fi
+ac_ct_MANIFEST_TOOL=$ac_cv_prog_ac_ct_MANIFEST_TOOL
+if test -n "$ac_ct_MANIFEST_TOOL"; then
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_ct_MANIFEST_TOOL" >&5
+$as_echo "$ac_ct_MANIFEST_TOOL" >&6; }
+else
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+fi
+
+  if test "x$ac_ct_MANIFEST_TOOL" = x; then
+    MANIFEST_TOOL=":"
+  else
+    case $cross_compiling:$ac_tool_warned in
+yes:)
+{ $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: using cross tools not prefixed with host triplet" >&5
+$as_echo "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;}
+ac_tool_warned=yes ;;
+esac
+    MANIFEST_TOOL=$ac_ct_MANIFEST_TOOL
+  fi
+else
+  MANIFEST_TOOL="$ac_cv_prog_MANIFEST_TOOL"
+fi
+
+test -z "$MANIFEST_TOOL" && MANIFEST_TOOL=mt
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking if $MANIFEST_TOOL is a manifest tool" >&5
+$as_echo_n "checking if $MANIFEST_TOOL is a manifest tool... " >&6; }
+if ${lt_cv_path_mainfest_tool+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  lt_cv_path_mainfest_tool=no
+  echo "$as_me:$LINENO: $MANIFEST_TOOL '-?'" >&5
+  $MANIFEST_TOOL '-?' 2>conftest.err > conftest.out
+  cat conftest.err >&5
+  if $GREP 'Manifest Tool' conftest.out > /dev/null; then
+    lt_cv_path_mainfest_tool=yes
+  fi
+  rm -f conftest*
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $lt_cv_path_mainfest_tool" >&5
+$as_echo "$lt_cv_path_mainfest_tool" >&6; }
+if test "x$lt_cv_path_mainfest_tool" != xyes; then
+  MANIFEST_TOOL=:
+fi
+
+
+
+
+
 
   case $host_os in
     rhapsody* | darwin*)
@@ -9832,7 +10456,7 @@ need_locks="$enable_libtool_lock"
 set dummy ${ac_tool_prefix}dsymutil; ac_word=$2
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
 $as_echo_n "checking for $ac_word... " >&6; }
-if test "${ac_cv_prog_DSYMUTIL+set}" = set; then :
+if ${ac_cv_prog_DSYMUTIL+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   if test -n "$DSYMUTIL"; then
@@ -9872,7 +10496,7 @@ if test -z "$ac_cv_prog_DSYMUTIL"; then
 set dummy dsymutil; ac_word=$2
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
 $as_echo_n "checking for $ac_word... " >&6; }
-if test "${ac_cv_prog_ac_ct_DSYMUTIL+set}" = set; then :
+if ${ac_cv_prog_ac_ct_DSYMUTIL+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   if test -n "$ac_ct_DSYMUTIL"; then
@@ -9924,7 +10548,7 @@ fi
 set dummy ${ac_tool_prefix}nmedit; ac_word=$2
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
 $as_echo_n "checking for $ac_word... " >&6; }
-if test "${ac_cv_prog_NMEDIT+set}" = set; then :
+if ${ac_cv_prog_NMEDIT+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   if test -n "$NMEDIT"; then
@@ -9964,7 +10588,7 @@ if test -z "$ac_cv_prog_NMEDIT"; then
 set dummy nmedit; ac_word=$2
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
 $as_echo_n "checking for $ac_word... " >&6; }
-if test "${ac_cv_prog_ac_ct_NMEDIT+set}" = set; then :
+if ${ac_cv_prog_ac_ct_NMEDIT+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   if test -n "$ac_ct_NMEDIT"; then
@@ -10016,7 +10640,7 @@ fi
 set dummy ${ac_tool_prefix}lipo; ac_word=$2
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
 $as_echo_n "checking for $ac_word... " >&6; }
-if test "${ac_cv_prog_LIPO+set}" = set; then :
+if ${ac_cv_prog_LIPO+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   if test -n "$LIPO"; then
@@ -10056,7 +10680,7 @@ if test -z "$ac_cv_prog_LIPO"; then
 set dummy lipo; ac_word=$2
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
 $as_echo_n "checking for $ac_word... " >&6; }
-if test "${ac_cv_prog_ac_ct_LIPO+set}" = set; then :
+if ${ac_cv_prog_ac_ct_LIPO+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   if test -n "$ac_ct_LIPO"; then
@@ -10108,7 +10732,7 @@ fi
 set dummy ${ac_tool_prefix}otool; ac_word=$2
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
 $as_echo_n "checking for $ac_word... " >&6; }
-if test "${ac_cv_prog_OTOOL+set}" = set; then :
+if ${ac_cv_prog_OTOOL+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   if test -n "$OTOOL"; then
@@ -10148,7 +10772,7 @@ if test -z "$ac_cv_prog_OTOOL"; then
 set dummy otool; ac_word=$2
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
 $as_echo_n "checking for $ac_word... " >&6; }
-if test "${ac_cv_prog_ac_ct_OTOOL+set}" = set; then :
+if ${ac_cv_prog_ac_ct_OTOOL+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   if test -n "$ac_ct_OTOOL"; then
@@ -10200,7 +10824,7 @@ fi
 set dummy ${ac_tool_prefix}otool64; ac_word=$2
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
 $as_echo_n "checking for $ac_word... " >&6; }
-if test "${ac_cv_prog_OTOOL64+set}" = set; then :
+if ${ac_cv_prog_OTOOL64+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   if test -n "$OTOOL64"; then
@@ -10240,7 +10864,7 @@ if test -z "$ac_cv_prog_OTOOL64"; then
 set dummy otool64; ac_word=$2
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
 $as_echo_n "checking for $ac_word... " >&6; }
-if test "${ac_cv_prog_ac_ct_OTOOL64+set}" = set; then :
+if ${ac_cv_prog_ac_ct_OTOOL64+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   if test -n "$ac_ct_OTOOL64"; then
@@ -10315,7 +10939,7 @@ fi
 
     { $as_echo "$as_me:${as_lineno-$LINENO}: checking for -single_module linker flag" >&5
 $as_echo_n "checking for -single_module linker flag... " >&6; }
-if test "${lt_cv_apple_cc_single_mod+set}" = set; then :
+if ${lt_cv_apple_cc_single_mod+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   lt_cv_apple_cc_single_mod=no
@@ -10331,7 +10955,13 @@ else
 	$LTCC $LTCFLAGS $LDFLAGS -o libconftest.dylib \
 	  -dynamiclib -Wl,-single_module conftest.c 2>conftest.err
         _lt_result=$?
-	if test -f libconftest.dylib && test ! -s conftest.err && test $_lt_result = 0; then
+	# If there is a non-empty error log, and "single_module"
+	# appears in it, assume the flag caused a linker warning
+        if test -s conftest.err && $GREP single_module conftest.err; then
+	  cat conftest.err >&5
+	# Otherwise, if the output was created with a 0 exit code from
+	# the compiler, it worked.
+	elif test -f libconftest.dylib && test $_lt_result -eq 0; then
 	  lt_cv_apple_cc_single_mod=yes
 	else
 	  cat conftest.err >&5
@@ -10342,9 +10972,10 @@ else
 fi
 { $as_echo "$as_me:${as_lineno-$LINENO}: result: $lt_cv_apple_cc_single_mod" >&5
 $as_echo "$lt_cv_apple_cc_single_mod" >&6; }
+
     { $as_echo "$as_me:${as_lineno-$LINENO}: checking for -exported_symbols_list linker flag" >&5
 $as_echo_n "checking for -exported_symbols_list linker flag... " >&6; }
-if test "${lt_cv_ld_exported_symbols_list+set}" = set; then :
+if ${lt_cv_ld_exported_symbols_list+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   lt_cv_ld_exported_symbols_list=no
@@ -10374,6 +11005,41 @@ rm -f core conftest.err conftest.$ac_objext \
 fi
 { $as_echo "$as_me:${as_lineno-$LINENO}: result: $lt_cv_ld_exported_symbols_list" >&5
 $as_echo "$lt_cv_ld_exported_symbols_list" >&6; }
+
+    { $as_echo "$as_me:${as_lineno-$LINENO}: checking for -force_load linker flag" >&5
+$as_echo_n "checking for -force_load linker flag... " >&6; }
+if ${lt_cv_ld_force_load+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  lt_cv_ld_force_load=no
+      cat > conftest.c << _LT_EOF
+int forced_loaded() { return 2;}
+_LT_EOF
+      echo "$LTCC $LTCFLAGS -c -o conftest.o conftest.c" >&5
+      $LTCC $LTCFLAGS -c -o conftest.o conftest.c 2>&5
+      echo "$AR cru libconftest.a conftest.o" >&5
+      $AR cru libconftest.a conftest.o 2>&5
+      echo "$RANLIB libconftest.a" >&5
+      $RANLIB libconftest.a 2>&5
+      cat > conftest.c << _LT_EOF
+int main() { return 0;}
+_LT_EOF
+      echo "$LTCC $LTCFLAGS $LDFLAGS -o conftest conftest.c -Wl,-force_load,./libconftest.a" >&5
+      $LTCC $LTCFLAGS $LDFLAGS -o conftest conftest.c -Wl,-force_load,./libconftest.a 2>conftest.err
+      _lt_result=$?
+      if test -s conftest.err && $GREP force_load conftest.err; then
+	cat conftest.err >&5
+      elif test -f conftest && test $_lt_result -eq 0 && $GREP forced_load conftest >/dev/null 2>&1 ; then
+	lt_cv_ld_force_load=yes
+      else
+	cat conftest.err >&5
+      fi
+        rm -f conftest.err libconftest.a conftest conftest.c
+        rm -rf conftest.dSYM
+
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $lt_cv_ld_force_load" >&5
+$as_echo "$lt_cv_ld_force_load" >&6; }
     case $host_os in
     rhapsody* | darwin1.[012])
       _lt_dar_allow_undefined='${wl}-undefined ${wl}suppress' ;;
@@ -10401,7 +11067,7 @@ $as_echo "$lt_cv_ld_exported_symbols_list" >&6; }
     else
       _lt_dar_export_syms='~$NMEDIT -s $output_objdir/${libname}-symbols.expsym ${lib}'
     fi
-    if test "$DSYMUTIL" != ":"; then
+    if test "$DSYMUTIL" != ":" && test "$lt_cv_ld_force_load" = "no"; then
       _lt_dsymutil='~$DSYMUTIL $lib || :'
     else
       _lt_dsymutil=
@@ -10413,7 +11079,7 @@ for ac_header in dlfcn.h
 do :
   ac_fn_c_check_header_compile "$LINENO" "dlfcn.h" "ac_cv_header_dlfcn_h" "$ac_includes_default
 "
-if test "x$ac_cv_header_dlfcn_h" = x""yes; then :
+if test "x$ac_cv_header_dlfcn_h" = xyes; then :
   cat >>confdefs.h <<_ACEOF
 #define HAVE_DLFCN_H 1
 _ACEOF
@@ -10424,6 +11090,8 @@ done
 
 
 
+
+
 # Set options
 
 
@@ -10499,7 +11167,22 @@ fi
 
 # Check whether --with-pic was given.
 if test "${with_pic+set}" = set; then :
-  withval=$with_pic; pic_mode="$withval"
+  withval=$with_pic; lt_p=${PACKAGE-default}
+    case $withval in
+    yes|no) pic_mode=$withval ;;
+    *)
+      pic_mode=default
+      # Look at the argument we got.  We use all the common list separators.
+      lt_save_ifs="$IFS"; IFS="${IFS}$PATH_SEPARATOR,"
+      for lt_pkg in $withval; do
+	IFS="$lt_save_ifs"
+	if test "X$lt_pkg" = "X$lt_p"; then
+	  pic_mode=yes
+	fi
+      done
+      IFS="$lt_save_ifs"
+      ;;
+    esac
 else
   pic_mode=default
 fi
@@ -10570,6 +11253,11 @@ LIBTOOL='$(SHELL) $(top_builddir)/libtool'
 
 
 
+
+
+
+
+
 
 
 
@@ -10597,7 +11285,7 @@ fi
 
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for objdir" >&5
 $as_echo_n "checking for objdir... " >&6; }
-if test "${lt_cv_objdir+set}" = set; then :
+if ${lt_cv_objdir+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   rm -f .libs 2>/dev/null
@@ -10606,34 +11294,21 @@ if test -d .libs; then
   lt_cv_objdir=.libs
 else
   # MS-DOS does not allow filenames that begin with a dot.
-  lt_cv_objdir=_libs
-fi
-rmdir .libs 2>/dev/null
-fi
-{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $lt_cv_objdir" >&5
-$as_echo "$lt_cv_objdir" >&6; }
-objdir=$lt_cv_objdir
-
-
-
-
-
-cat >>confdefs.h <<_ACEOF
-#define LT_OBJDIR "$lt_cv_objdir/"
-_ACEOF
-
-
-
-
-
-
-
-
+  lt_cv_objdir=_libs
+fi
+rmdir .libs 2>/dev/null
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $lt_cv_objdir" >&5
+$as_echo "$lt_cv_objdir" >&6; }
+objdir=$lt_cv_objdir
 
 
 
 
 
+cat >>confdefs.h <<_ACEOF
+#define LT_OBJDIR "$lt_cv_objdir/"
+_ACEOF
 
 
 
@@ -10650,23 +11325,6 @@ aix3*)
   ;;
 esac
 
-# Sed substitution that helps us do robust quoting.  It backslashifies
-# metacharacters that are still active within double-quoted strings.
-sed_quote_subst='s/\(["`$\\]\)/\\\1/g'
-
-# Same as above, but do not quote variable references.
-double_quote_subst='s/\(["`\\]\)/\\\1/g'
-
-# Sed substitution to delay expansion of an escaped shell variable in a
-# double_quote_subst'ed string.
-delay_variable_subst='s/\\\\\\\\\\\$/\\\\\\$/g'
-
-# Sed substitution to delay expansion of an escaped single quote.
-delay_single_quote_subst='s/'\''/'\'\\\\\\\'\''/g'
-
-# Sed substitution to avoid accidental globbing in evaled expressions
-no_glob_subst='s/\*/\\\*/g'
-
 # Global variables:
 ofile=libtool
 can_build_shared=yes
@@ -10695,7 +11353,7 @@ for cc_temp in $compiler""; do
     *) break;;
   esac
 done
-cc_basename=`$ECHO "X$cc_temp" | $Xsed -e 's%.*/%%' -e "s%^$host_alias-%%"`
+cc_basename=`$ECHO "$cc_temp" | $SED "s%.*/%%; s%^$host_alias-%%"`
 
 
 # Only perform the check for file, if the check method requires it
@@ -10705,7 +11363,7 @@ file_magic*)
   if test "$file_magic_cmd" = '$MAGIC_CMD'; then
     { $as_echo "$as_me:${as_lineno-$LINENO}: checking for ${ac_tool_prefix}file" >&5
 $as_echo_n "checking for ${ac_tool_prefix}file... " >&6; }
-if test "${lt_cv_path_MAGIC_CMD+set}" = set; then :
+if ${lt_cv_path_MAGIC_CMD+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   case $MAGIC_CMD in
@@ -10771,7 +11429,7 @@ if test -z "$lt_cv_path_MAGIC_CMD"; then
   if test -n "$ac_tool_prefix"; then
     { $as_echo "$as_me:${as_lineno-$LINENO}: checking for file" >&5
 $as_echo_n "checking for file... " >&6; }
-if test "${lt_cv_path_MAGIC_CMD+set}" = set; then :
+if ${lt_cv_path_MAGIC_CMD+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   case $MAGIC_CMD in
@@ -10904,11 +11562,16 @@ if test -n "$compiler"; then
 lt_prog_compiler_no_builtin_flag=
 
 if test "$GCC" = yes; then
-  lt_prog_compiler_no_builtin_flag=' -fno-builtin'
+  case $cc_basename in
+  nvcc*)
+    lt_prog_compiler_no_builtin_flag=' -Xcompiler -fno-builtin' ;;
+  *)
+    lt_prog_compiler_no_builtin_flag=' -fno-builtin' ;;
+  esac
 
   { $as_echo "$as_me:${as_lineno-$LINENO}: checking if $compiler supports -fno-rtti -fno-exceptions" >&5
 $as_echo_n "checking if $compiler supports -fno-rtti -fno-exceptions... " >&6; }
-if test "${lt_cv_prog_compiler_rtti_exceptions+set}" = set; then :
+if ${lt_cv_prog_compiler_rtti_exceptions+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   lt_cv_prog_compiler_rtti_exceptions=no
@@ -10924,15 +11587,15 @@ else
    -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:10927: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:$LINENO: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>conftest.err)
    ac_status=$?
    cat conftest.err >&5
-   echo "$as_me:10931: \$? = $ac_status" >&5
+   echo "$as_me:$LINENO: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s "$ac_outfile"; then
      # The compiler can only warn and ignore the option if not recognized
      # So say no if there are warnings other than the usual output.
-     $ECHO "X$_lt_compiler_boilerplate" | $Xsed -e '/^$/d' >conftest.exp
+     $ECHO "$_lt_compiler_boilerplate" | $SED '/^$/d' >conftest.exp
      $SED '/^$/d; /^ *+/d' conftest.err >conftest.er2
      if test ! -s conftest.er2 || diff conftest.exp conftest.er2 >/dev/null; then
        lt_cv_prog_compiler_rtti_exceptions=yes
@@ -10961,8 +11624,6 @@ fi
 lt_prog_compiler_pic=
 lt_prog_compiler_static=
 
-{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $compiler option to produce PIC" >&5
-$as_echo_n "checking for $compiler option to produce PIC... " >&6; }
 
   if test "$GCC" = yes; then
     lt_prog_compiler_wl='-Wl,'
@@ -11010,6 +11671,12 @@ $as_echo_n "checking for $compiler option to produce PIC... " >&6; }
       lt_prog_compiler_pic='-fno-common'
       ;;
 
+    haiku*)
+      # PIC is the default for Haiku.
+      # The "-static" flag exists, but is broken.
+      lt_prog_compiler_static=
+      ;;
+
     hpux*)
       # PIC is the default for 64-bit PA HP-UX, but not for 32-bit
       # PA HP-UX.  On IA64 HP-UX, PIC is the default but the pic flag
@@ -11052,6 +11719,15 @@ $as_echo_n "checking for $compiler option to produce PIC... " >&6; }
       lt_prog_compiler_pic='-fPIC'
       ;;
     esac
+
+    case $cc_basename in
+    nvcc*) # Cuda Compiler Driver 2.2
+      lt_prog_compiler_wl='-Xlinker '
+      if test -n "$lt_prog_compiler_pic"; then
+        lt_prog_compiler_pic="-Xcompiler $lt_prog_compiler_pic"
+      fi
+      ;;
+    esac
   else
     # PORTME Check for flag to pass linker flags through the system compiler.
     case $host_os in
@@ -11114,7 +11790,13 @@ $as_echo_n "checking for $compiler option to produce PIC... " >&6; }
 	lt_prog_compiler_pic='--shared'
 	lt_prog_compiler_static='--static'
 	;;
-      pgcc* | pgf77* | pgf90* | pgf95*)
+      nagfor*)
+	# NAG Fortran compiler
+	lt_prog_compiler_wl='-Wl,-Wl,,'
+	lt_prog_compiler_pic='-PIC'
+	lt_prog_compiler_static='-Bstatic'
+	;;
+      pgcc* | pgf77* | pgf90* | pgf95* | pgfortran*)
         # Portland Group compilers (*not* the Pentium gcc compiler,
 	# which looks to be a dead project)
 	lt_prog_compiler_wl='-Wl,'
@@ -11126,25 +11808,40 @@ $as_echo_n "checking for $compiler option to produce PIC... " >&6; }
         # All Alpha code is PIC.
         lt_prog_compiler_static='-non_shared'
         ;;
-      xl*)
-	# IBM XL C 8.0/Fortran 10.1 on PPC
+      xl* | bgxl* | bgf* | mpixl*)
+	# IBM XL C 8.0/Fortran 10.1, 11.1 on PPC and BlueGene
 	lt_prog_compiler_wl='-Wl,'
 	lt_prog_compiler_pic='-qpic'
 	lt_prog_compiler_static='-qstaticlink'
 	;;
       *)
 	case `$CC -V 2>&1 | sed 5q` in
+	*Sun\ Ceres\ Fortran* | *Sun*Fortran*\ [1-7].* | *Sun*Fortran*\ 8.[0-3]*)
+	  # Sun Fortran 8.3 passes all unrecognized flags to the linker
+	  lt_prog_compiler_pic='-KPIC'
+	  lt_prog_compiler_static='-Bstatic'
+	  lt_prog_compiler_wl=''
+	  ;;
+	*Sun\ F* | *Sun*Fortran*)
+	  lt_prog_compiler_pic='-KPIC'
+	  lt_prog_compiler_static='-Bstatic'
+	  lt_prog_compiler_wl='-Qoption ld '
+	  ;;
 	*Sun\ C*)
 	  # Sun C 5.9
 	  lt_prog_compiler_pic='-KPIC'
 	  lt_prog_compiler_static='-Bstatic'
 	  lt_prog_compiler_wl='-Wl,'
 	  ;;
-	*Sun\ F*)
-	  # Sun Fortran 8.3 passes all unrecognized flags to the linker
-	  lt_prog_compiler_pic='-KPIC'
+        *Intel*\ [CF]*Compiler*)
+	  lt_prog_compiler_wl='-Wl,'
+	  lt_prog_compiler_pic='-fPIC'
+	  lt_prog_compiler_static='-static'
+	  ;;
+	*Portland\ Group*)
+	  lt_prog_compiler_wl='-Wl,'
+	  lt_prog_compiler_pic='-fpic'
 	  lt_prog_compiler_static='-Bstatic'
-	  lt_prog_compiler_wl=''
 	  ;;
 	esac
 	;;
@@ -11176,7 +11873,7 @@ $as_echo_n "checking for $compiler option to produce PIC... " >&6; }
       lt_prog_compiler_pic='-KPIC'
       lt_prog_compiler_static='-Bstatic'
       case $cc_basename in
-      f77* | f90* | f95*)
+      f77* | f90* | f95* | sunf77* | sunf90* | sunf95*)
 	lt_prog_compiler_wl='-Qoption ld ';;
       *)
 	lt_prog_compiler_wl='-Wl,';;
@@ -11233,13 +11930,17 @@ case $host_os in
     lt_prog_compiler_pic="$lt_prog_compiler_pic -DPIC"
     ;;
 esac
-{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $lt_prog_compiler_pic" >&5
-$as_echo "$lt_prog_compiler_pic" >&6; }
-
-
-
-
 
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $compiler option to produce PIC" >&5
+$as_echo_n "checking for $compiler option to produce PIC... " >&6; }
+if ${lt_cv_prog_compiler_pic+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  lt_cv_prog_compiler_pic=$lt_prog_compiler_pic
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $lt_cv_prog_compiler_pic" >&5
+$as_echo "$lt_cv_prog_compiler_pic" >&6; }
+lt_prog_compiler_pic=$lt_cv_prog_compiler_pic
 
 #
 # Check to make sure the PIC flag actually works.
@@ -11247,7 +11948,7 @@ $as_echo "$lt_prog_compiler_pic" >&6; }
 if test -n "$lt_prog_compiler_pic"; then
   { $as_echo "$as_me:${as_lineno-$LINENO}: checking if $compiler PIC flag $lt_prog_compiler_pic works" >&5
 $as_echo_n "checking if $compiler PIC flag $lt_prog_compiler_pic works... " >&6; }
-if test "${lt_cv_prog_compiler_pic_works+set}" = set; then :
+if ${lt_cv_prog_compiler_pic_works+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   lt_cv_prog_compiler_pic_works=no
@@ -11263,15 +11964,15 @@ else
    -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:11266: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:$LINENO: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>conftest.err)
    ac_status=$?
    cat conftest.err >&5
-   echo "$as_me:11270: \$? = $ac_status" >&5
+   echo "$as_me:$LINENO: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s "$ac_outfile"; then
      # The compiler can only warn and ignore the option if not recognized
      # So say no if there are warnings other than the usual output.
-     $ECHO "X$_lt_compiler_boilerplate" | $Xsed -e '/^$/d' >conftest.exp
+     $ECHO "$_lt_compiler_boilerplate" | $SED '/^$/d' >conftest.exp
      $SED '/^$/d; /^ *+/d' conftest.err >conftest.er2
      if test ! -s conftest.er2 || diff conftest.exp conftest.er2 >/dev/null; then
        lt_cv_prog_compiler_pic_works=yes
@@ -11300,13 +12001,18 @@ fi
 
 
 
+
+
+
+
+
 #
 # Check to make sure the static flag actually works.
 #
 wl=$lt_prog_compiler_wl eval lt_tmp_static_flag=\"$lt_prog_compiler_static\"
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking if $compiler static flag $lt_tmp_static_flag works" >&5
 $as_echo_n "checking if $compiler static flag $lt_tmp_static_flag works... " >&6; }
-if test "${lt_cv_prog_compiler_static_works+set}" = set; then :
+if ${lt_cv_prog_compiler_static_works+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   lt_cv_prog_compiler_static_works=no
@@ -11319,7 +12025,7 @@ else
      if test -s conftest.err; then
        # Append any errors to the config.log.
        cat conftest.err 1>&5
-       $ECHO "X$_lt_linker_boilerplate" | $Xsed -e '/^$/d' > conftest.exp
+       $ECHO "$_lt_linker_boilerplate" | $SED '/^$/d' > conftest.exp
        $SED '/^$/d; /^ *+/d' conftest.err >conftest.er2
        if diff conftest.exp conftest.er2 >/dev/null; then
          lt_cv_prog_compiler_static_works=yes
@@ -11349,7 +12055,7 @@ fi
 
   { $as_echo "$as_me:${as_lineno-$LINENO}: checking if $compiler supports -c -o file.$ac_objext" >&5
 $as_echo_n "checking if $compiler supports -c -o file.$ac_objext... " >&6; }
-if test "${lt_cv_prog_compiler_c_o+set}" = set; then :
+if ${lt_cv_prog_compiler_c_o+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   lt_cv_prog_compiler_c_o=no
@@ -11368,16 +12074,16 @@ else
    -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:11371: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:$LINENO: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>out/conftest.err)
    ac_status=$?
    cat out/conftest.err >&5
-   echo "$as_me:11375: \$? = $ac_status" >&5
+   echo "$as_me:$LINENO: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s out/conftest2.$ac_objext
    then
      # The compiler can only warn and ignore the option if not recognized
      # So say no if there are warnings
-     $ECHO "X$_lt_compiler_boilerplate" | $Xsed -e '/^$/d' > out/conftest.exp
+     $ECHO "$_lt_compiler_boilerplate" | $SED '/^$/d' > out/conftest.exp
      $SED '/^$/d; /^ *+/d' out/conftest.err >out/conftest.er2
      if test ! -s out/conftest.er2 || diff out/conftest.exp out/conftest.er2 >/dev/null; then
        lt_cv_prog_compiler_c_o=yes
@@ -11404,7 +12110,7 @@ $as_echo "$lt_cv_prog_compiler_c_o" >&6; }
 
   { $as_echo "$as_me:${as_lineno-$LINENO}: checking if $compiler supports -c -o file.$ac_objext" >&5
 $as_echo_n "checking if $compiler supports -c -o file.$ac_objext... " >&6; }
-if test "${lt_cv_prog_compiler_c_o+set}" = set; then :
+if ${lt_cv_prog_compiler_c_o+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   lt_cv_prog_compiler_c_o=no
@@ -11423,16 +12129,16 @@ else
    -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:11426: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:$LINENO: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>out/conftest.err)
    ac_status=$?
    cat out/conftest.err >&5
-   echo "$as_me:11430: \$? = $ac_status" >&5
+   echo "$as_me:$LINENO: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s out/conftest2.$ac_objext
    then
      # The compiler can only warn and ignore the option if not recognized
      # So say no if there are warnings
-     $ECHO "X$_lt_compiler_boilerplate" | $Xsed -e '/^$/d' > out/conftest.exp
+     $ECHO "$_lt_compiler_boilerplate" | $SED '/^$/d' > out/conftest.exp
      $SED '/^$/d; /^ *+/d' out/conftest.err >out/conftest.er2
      if test ! -s out/conftest.er2 || diff out/conftest.exp out/conftest.er2 >/dev/null; then
        lt_cv_prog_compiler_c_o=yes
@@ -11498,7 +12204,6 @@ $as_echo_n "checking whether the $compiler linker ($LD) supports shared librarie
   hardcode_direct=no
   hardcode_direct_absolute=no
   hardcode_libdir_flag_spec=
-  hardcode_libdir_flag_spec_ld=
   hardcode_libdir_separator=
   hardcode_minus_L=no
   hardcode_shlibpath_var=unsupported
@@ -11542,13 +12247,39 @@ $as_echo_n "checking whether the $compiler linker ($LD) supports shared librarie
   openbsd*)
     with_gnu_ld=no
     ;;
-  linux* | k*bsd*-gnu)
+  linux* | k*bsd*-gnu | gnu*)
     link_all_deplibs=no
     ;;
   esac
 
   ld_shlibs=yes
+
+  # On some targets, GNU ld is compatible enough with the native linker
+  # that we're better off using the native interface for both.
+  lt_use_gnu_ld_interface=no
   if test "$with_gnu_ld" = yes; then
+    case $host_os in
+      aix*)
+	# The AIX port of GNU ld has always aspired to compatibility
+	# with the native linker.  However, as the warning in the GNU ld
+	# block says, versions before 2.19.5* couldn't really create working
+	# shared libraries, regardless of the interface used.
+	case `$LD -v 2>&1` in
+	  *\ \(GNU\ Binutils\)\ 2.19.5*) ;;
+	  *\ \(GNU\ Binutils\)\ 2.[2-9]*) ;;
+	  *\ \(GNU\ Binutils\)\ [3-9]*) ;;
+	  *)
+	    lt_use_gnu_ld_interface=yes
+	    ;;
+	esac
+	;;
+      *)
+	lt_use_gnu_ld_interface=yes
+	;;
+    esac
+  fi
+
+  if test "$lt_use_gnu_ld_interface" = yes; then
     # If archive_cmds runs LD, not CC, wlarc should be empty
     wlarc='${wl}'
 
@@ -11582,11 +12313,12 @@ $as_echo_n "checking whether the $compiler linker ($LD) supports shared librarie
 	ld_shlibs=no
 	cat <<_LT_EOF 1>&2
 
-*** Warning: the GNU linker, at least up to release 2.9.1, is reported
+*** Warning: the GNU linker, at least up to release 2.19, is reported
 *** to be unable to reliably create shared libraries on AIX.
 *** Therefore, libtool is disabling shared libraries support.  If you
-*** really care for shared libraries, you may want to modify your PATH
-*** so that a non-GNU linker is found, and then restart.
+*** really care for shared libraries, you may want to install binutils
+*** 2.20 or above, or modify your PATH so that a non-GNU linker is found.
+*** You will then need to restart the configuration process.
 
 _LT_EOF
       fi
@@ -11622,10 +12354,12 @@ _LT_EOF
       # _LT_TAGVAR(hardcode_libdir_flag_spec, ) is actually meaningless,
       # as there is no search path for DLLs.
       hardcode_libdir_flag_spec='-L$libdir'
+      export_dynamic_flag_spec='${wl}--export-all-symbols'
       allow_undefined_flag=unsupported
       always_export_symbols=no
       enable_shared_with_static_runtimes=yes
-      export_symbols_cmds='$NM $libobjs $convenience | $global_symbol_pipe | $SED -e '\''/^[BCDGRS][ ]/s/.*[ ]\([^ ]*\)/\1 DATA/'\'' | $SED -e '\''/^[AITW][ ]/s/.*[ ]//'\'' | sort | uniq > $export_symbols'
+      export_symbols_cmds='$NM $libobjs $convenience | $global_symbol_pipe | $SED -e '\''/^[BCDGRS][ ]/s/.*[ ]\([^ ]*\)/\1 DATA/;s/^.*[ ]__nm__\([^ ]*\)[ ][^ ]*/\1 DATA/;/^I[ ]/d;/^[AITW][ ]/s/.* //'\'' | sort | uniq > $export_symbols'
+      exclude_expsyms='[_]+GLOBAL_OFFSET_TABLE_|[_]+GLOBAL__[FID]_.*|[_]+head_[A-Za-z0-9_]+_dll|[A-Za-z0-9_]+_dll_iname'
 
       if $LD --help 2>&1 | $GREP 'auto-import' > /dev/null; then
         archive_cmds='$CC -shared $libobjs $deplibs $compiler_flags -o $output_objdir/$soname ${wl}--enable-auto-image-base -Xlinker --out-implib -Xlinker $lib'
@@ -11643,6 +12377,11 @@ _LT_EOF
       fi
       ;;
 
+    haiku*)
+      archive_cmds='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
+      link_all_deplibs=yes
+      ;;
+
     interix[3-9]*)
       hardcode_direct=no
       hardcode_shlibpath_var=no
@@ -11668,15 +12407,16 @@ _LT_EOF
       if $LD --help 2>&1 | $EGREP ': supported targets:.* elf' > /dev/null \
 	 && test "$tmp_diet" = no
       then
-	tmp_addflag=
+	tmp_addflag=' $pic_flag'
 	tmp_sharedflag='-shared'
 	case $cc_basename,$host_cpu in
         pgcc*)				# Portland Group C compiler
-	  whole_archive_flag_spec='${wl}--whole-archive`for conv in $convenience\"\"; do test  -n \"$conv\" && new_convenience=\"$new_convenience,$conv\"; done; $ECHO \"$new_convenience\"` ${wl}--no-whole-archive'
+	  whole_archive_flag_spec='${wl}--whole-archive`for conv in $convenience\"\"; do test  -n \"$conv\" && new_convenience=\"$new_convenience,$conv\"; done; func_echo_all \"$new_convenience\"` ${wl}--no-whole-archive'
 	  tmp_addflag=' $pic_flag'
 	  ;;
-	pgf77* | pgf90* | pgf95*)	# Portland Group f77 and f90 compilers
-	  whole_archive_flag_spec='${wl}--whole-archive`for conv in $convenience\"\"; do test  -n \"$conv\" && new_convenience=\"$new_convenience,$conv\"; done; $ECHO \"$new_convenience\"` ${wl}--no-whole-archive'
+	pgf77* | pgf90* | pgf95* | pgfortran*)
+					# Portland Group f77 and f90 compilers
+	  whole_archive_flag_spec='${wl}--whole-archive`for conv in $convenience\"\"; do test  -n \"$conv\" && new_convenience=\"$new_convenience,$conv\"; done; func_echo_all \"$new_convenience\"` ${wl}--no-whole-archive'
 	  tmp_addflag=' $pic_flag -Mnomain' ;;
 	ecc*,ia64* | icc*,ia64*)	# Intel C compiler on ia64
 	  tmp_addflag=' -i_dynamic' ;;
@@ -11687,13 +12427,17 @@ _LT_EOF
 	lf95*)				# Lahey Fortran 8.1
 	  whole_archive_flag_spec=
 	  tmp_sharedflag='--shared' ;;
-	xl[cC]*)			# IBM XL C 8.0 on PPC (deal with xlf below)
+	xl[cC]* | bgxl[cC]* | mpixl[cC]*) # IBM XL C 8.0 on PPC (deal with xlf below)
 	  tmp_sharedflag='-qmkshrobj'
 	  tmp_addflag= ;;
+	nvcc*)	# Cuda Compiler Driver 2.2
+	  whole_archive_flag_spec='${wl}--whole-archive`for conv in $convenience\"\"; do test  -n \"$conv\" && new_convenience=\"$new_convenience,$conv\"; done; func_echo_all \"$new_convenience\"` ${wl}--no-whole-archive'
+	  compiler_needs_object=yes
+	  ;;
 	esac
 	case `$CC -V 2>&1 | sed 5q` in
 	*Sun\ C*)			# Sun C 5.9
-	  whole_archive_flag_spec='${wl}--whole-archive`new_convenience=; for conv in $convenience\"\"; do test -z \"$conv\" || new_convenience=\"$new_convenience,$conv\"; done; $ECHO \"$new_convenience\"` ${wl}--no-whole-archive'
+	  whole_archive_flag_spec='${wl}--whole-archive`new_convenience=; for conv in $convenience\"\"; do test -z \"$conv\" || new_convenience=\"$new_convenience,$conv\"; done; func_echo_all \"$new_convenience\"` ${wl}--no-whole-archive'
 	  compiler_needs_object=yes
 	  tmp_sharedflag='-G' ;;
 	*Sun\ F*)			# Sun Fortran 8.3
@@ -11709,17 +12453,16 @@ _LT_EOF
         fi
 
 	case $cc_basename in
-	xlf*)
+	xlf* | bgf* | bgxlf* | mpixlf*)
 	  # IBM XL Fortran 10.1 on PPC cannot create shared libs itself
 	  whole_archive_flag_spec='--whole-archive$convenience --no-whole-archive'
-	  hardcode_libdir_flag_spec=
-	  hardcode_libdir_flag_spec_ld='-rpath $libdir'
-	  archive_cmds='$LD -shared $libobjs $deplibs $compiler_flags -soname $soname -o $lib'
+	  hardcode_libdir_flag_spec='${wl}-rpath ${wl}$libdir'
+	  archive_cmds='$LD -shared $libobjs $deplibs $linker_flags -soname $soname -o $lib'
 	  if test "x$supports_anon_versioning" = xyes; then
 	    archive_expsym_cmds='echo "{ global:" > $output_objdir/$libname.ver~
 	      cat $export_symbols | sed -e "s/\(.*\)/\1;/" >> $output_objdir/$libname.ver~
 	      echo "local: *; };" >> $output_objdir/$libname.ver~
-	      $LD -shared $libobjs $deplibs $compiler_flags -soname $soname -version-script $output_objdir/$libname.ver -o $lib'
+	      $LD -shared $libobjs $deplibs $linker_flags -soname $soname -version-script $output_objdir/$libname.ver -o $lib'
 	  fi
 	  ;;
 	esac
@@ -11733,8 +12476,8 @@ _LT_EOF
 	archive_cmds='$LD -Bshareable $libobjs $deplibs $linker_flags -o $lib'
 	wlarc=
       else
-	archive_cmds='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
-	archive_expsym_cmds='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib'
+	archive_cmds='$CC -shared $pic_flag $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
+	archive_expsym_cmds='$CC -shared $pic_flag $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib'
       fi
       ;;
 
@@ -11752,8 +12495,8 @@ _LT_EOF
 
 _LT_EOF
       elif $LD --help 2>&1 | $GREP ': supported targets:.* elf' > /dev/null; then
-	archive_cmds='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
-	archive_expsym_cmds='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib'
+	archive_cmds='$CC -shared $pic_flag $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
+	archive_expsym_cmds='$CC -shared $pic_flag $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib'
       else
 	ld_shlibs=no
       fi
@@ -11799,8 +12542,8 @@ _LT_EOF
 
     *)
       if $LD --help 2>&1 | $GREP ': supported targets:.* elf' > /dev/null; then
-	archive_cmds='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
-	archive_expsym_cmds='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib'
+	archive_cmds='$CC -shared $pic_flag $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
+	archive_expsym_cmds='$CC -shared $pic_flag $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib'
       else
 	ld_shlibs=no
       fi
@@ -11840,8 +12583,10 @@ _LT_EOF
       else
 	# If we're using GNU nm, then we don't want the "-C" option.
 	# -C means demangle to AIX nm, but means don't demangle with GNU nm
+	# Also, AIX nm treats weak defined symbols like other global
+	# defined symbols, whereas GNU nm marks them as "W".
 	if $NM -V 2>&1 | $GREP 'GNU' > /dev/null; then
-	  export_symbols_cmds='$NM -Bpg $libobjs $convenience | awk '\''{ if (((\$ 2 == "T") || (\$ 2 == "D") || (\$ 2 == "B")) && (substr(\$ 3,1,1) != ".")) { print \$ 3 } }'\'' | sort -u > $export_symbols'
+	  export_symbols_cmds='$NM -Bpg $libobjs $convenience | awk '\''{ if (((\$ 2 == "T") || (\$ 2 == "D") || (\$ 2 == "B") || (\$ 2 == "W")) && (substr(\$ 3,1,1) != ".")) { print \$ 3 } }'\'' | sort -u > $export_symbols'
 	else
 	  export_symbols_cmds='$NM -BCpg $libobjs $convenience | awk '\''{ if (((\$ 2 == "T") || (\$ 2 == "D") || (\$ 2 == "B")) && (substr(\$ 3,1,1) != ".")) { print \$ 3 } }'\'' | sort -u > $export_symbols'
 	fi
@@ -11929,7 +12674,13 @@ _LT_EOF
 	allow_undefined_flag='-berok'
         # Determine the default libpath from the value encoded in an
         # empty executable.
-        cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+        if test "${lt_cv_aix_libpath+set}" = set; then
+  aix_libpath=$lt_cv_aix_libpath
+else
+  if ${lt_cv_aix_libpath_+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 /* end confdefs.h.  */
 
 int
@@ -11942,25 +12693,32 @@ main ()
 _ACEOF
 if ac_fn_c_try_link "$LINENO"; then :
 
-lt_aix_libpath_sed='
-    /Import File Strings/,/^$/ {
-	/^0/ {
-	    s/^0  *\(.*\)$/\1/
-	    p
-	}
-    }'
-aix_libpath=`dump -H conftest$ac_exeext 2>/dev/null | $SED -n -e "$lt_aix_libpath_sed"`
-# Check for a 64-bit object if we didn't find anything.
-if test -z "$aix_libpath"; then
-  aix_libpath=`dump -HX64 conftest$ac_exeext 2>/dev/null | $SED -n -e "$lt_aix_libpath_sed"`
-fi
+  lt_aix_libpath_sed='
+      /Import File Strings/,/^$/ {
+	  /^0/ {
+	      s/^0  *\([^ ]*\) *$/\1/
+	      p
+	  }
+      }'
+  lt_cv_aix_libpath_=`dump -H conftest$ac_exeext 2>/dev/null | $SED -n -e "$lt_aix_libpath_sed"`
+  # Check for a 64-bit object if we didn't find anything.
+  if test -z "$lt_cv_aix_libpath_"; then
+    lt_cv_aix_libpath_=`dump -HX64 conftest$ac_exeext 2>/dev/null | $SED -n -e "$lt_aix_libpath_sed"`
+  fi
 fi
 rm -f core conftest.err conftest.$ac_objext \
     conftest$ac_exeext conftest.$ac_ext
-if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
+  if test -z "$lt_cv_aix_libpath_"; then
+    lt_cv_aix_libpath_="/usr/lib:/lib"
+  fi
+
+fi
+
+  aix_libpath=$lt_cv_aix_libpath_
+fi
 
         hardcode_libdir_flag_spec='${wl}-blibpath:$libdir:'"$aix_libpath"
-        archive_expsym_cmds='$CC -o $output_objdir/$soname $libobjs $deplibs '"\${wl}$no_entry_flag"' $compiler_flags `if test "x${allow_undefined_flag}" != "x"; then $ECHO "X${wl}${allow_undefined_flag}" | $Xsed; else :; fi` '"\${wl}$exp_sym_flag:\$export_symbols $shared_flag"
+        archive_expsym_cmds='$CC -o $output_objdir/$soname $libobjs $deplibs '"\${wl}$no_entry_flag"' $compiler_flags `if test "x${allow_undefined_flag}" != "x"; then func_echo_all "${wl}${allow_undefined_flag}"; else :; fi` '"\${wl}$exp_sym_flag:\$export_symbols $shared_flag"
       else
 	if test "$host_cpu" = ia64; then
 	  hardcode_libdir_flag_spec='${wl}-R $libdir:/usr/lib:/lib'
@@ -11969,7 +12727,13 @@ if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
 	else
 	 # Determine the default libpath from the value encoded in an
 	 # empty executable.
-	 cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+	 if test "${lt_cv_aix_libpath+set}" = set; then
+  aix_libpath=$lt_cv_aix_libpath
+else
+  if ${lt_cv_aix_libpath_+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 /* end confdefs.h.  */
 
 int
@@ -11982,30 +12746,42 @@ main ()
 _ACEOF
 if ac_fn_c_try_link "$LINENO"; then :
 
-lt_aix_libpath_sed='
-    /Import File Strings/,/^$/ {
-	/^0/ {
-	    s/^0  *\(.*\)$/\1/
-	    p
-	}
-    }'
-aix_libpath=`dump -H conftest$ac_exeext 2>/dev/null | $SED -n -e "$lt_aix_libpath_sed"`
-# Check for a 64-bit object if we didn't find anything.
-if test -z "$aix_libpath"; then
-  aix_libpath=`dump -HX64 conftest$ac_exeext 2>/dev/null | $SED -n -e "$lt_aix_libpath_sed"`
-fi
+  lt_aix_libpath_sed='
+      /Import File Strings/,/^$/ {
+	  /^0/ {
+	      s/^0  *\([^ ]*\) *$/\1/
+	      p
+	  }
+      }'
+  lt_cv_aix_libpath_=`dump -H conftest$ac_exeext 2>/dev/null | $SED -n -e "$lt_aix_libpath_sed"`
+  # Check for a 64-bit object if we didn't find anything.
+  if test -z "$lt_cv_aix_libpath_"; then
+    lt_cv_aix_libpath_=`dump -HX64 conftest$ac_exeext 2>/dev/null | $SED -n -e "$lt_aix_libpath_sed"`
+  fi
 fi
 rm -f core conftest.err conftest.$ac_objext \
     conftest$ac_exeext conftest.$ac_ext
-if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
+  if test -z "$lt_cv_aix_libpath_"; then
+    lt_cv_aix_libpath_="/usr/lib:/lib"
+  fi
+
+fi
+
+  aix_libpath=$lt_cv_aix_libpath_
+fi
 
 	 hardcode_libdir_flag_spec='${wl}-blibpath:$libdir:'"$aix_libpath"
 	  # Warning - without using the other run time loading flags,
 	  # -berok will link without error, but may produce a broken library.
 	  no_undefined_flag=' ${wl}-bernotok'
 	  allow_undefined_flag=' ${wl}-berok'
-	  # Exported symbols can be pulled into shared objects from archives
-	  whole_archive_flag_spec='$convenience'
+	  if test "$with_gnu_ld" = yes; then
+	    # We only use this code for GNU lds that support --whole-archive.
+	    whole_archive_flag_spec='${wl}--whole-archive$convenience ${wl}--no-whole-archive'
+	  else
+	    # Exported symbols can be pulled into shared objects from archives
+	    whole_archive_flag_spec='$convenience'
+	  fi
 	  archive_cmds_need_lc=yes
 	  # This is similar to how AIX traditionally builds its shared libraries.
 	  archive_expsym_cmds="\$CC $shared_flag"' -o $output_objdir/$soname $libobjs $deplibs ${wl}-bnoentry $compiler_flags ${wl}-bE:$export_symbols${allow_undefined_flag}~$AR $AR_FLAGS $output_objdir/$libname$release.a $output_objdir/$soname'
@@ -12037,20 +12813,64 @@ if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
       # Microsoft Visual C++.
       # hardcode_libdir_flag_spec is actually meaningless, as there is
       # no search path for DLLs.
-      hardcode_libdir_flag_spec=' '
-      allow_undefined_flag=unsupported
-      # Tell ltmain to make .lib files, not .a files.
-      libext=lib
-      # Tell ltmain to make .dll files, not .so files.
-      shrext_cmds=".dll"
-      # FIXME: Setting linknames here is a bad hack.
-      archive_cmds='$CC -o $lib $libobjs $compiler_flags `$ECHO "X$deplibs" | $Xsed -e '\''s/ -lc$//'\''` -link -dll~linknames='
-      # The linker will automatically build a .lib file if we build a DLL.
-      old_archive_from_new_cmds='true'
-      # FIXME: Should let the user specify the lib program.
-      old_archive_cmds='lib -OUT:$oldlib$oldobjs$old_deplibs'
-      fix_srcfile_path='`cygpath -w "$srcfile"`'
-      enable_shared_with_static_runtimes=yes
+      case $cc_basename in
+      cl*)
+	# Native MSVC
+	hardcode_libdir_flag_spec=' '
+	allow_undefined_flag=unsupported
+	always_export_symbols=yes
+	file_list_spec='@'
+	# Tell ltmain to make .lib files, not .a files.
+	libext=lib
+	# Tell ltmain to make .dll files, not .so files.
+	shrext_cmds=".dll"
+	# FIXME: Setting linknames here is a bad hack.
+	archive_cmds='$CC -o $output_objdir/$soname $libobjs $compiler_flags $deplibs -Wl,-dll~linknames='
+	archive_expsym_cmds='if test "x`$SED 1q $export_symbols`" = xEXPORTS; then
+	    sed -n -e 's/\\\\\\\(.*\\\\\\\)/-link\\\ -EXPORT:\\\\\\\1/' -e '1\\\!p' < $export_symbols > $output_objdir/$soname.exp;
+	  else
+	    sed -e 's/\\\\\\\(.*\\\\\\\)/-link\\\ -EXPORT:\\\\\\\1/' < $export_symbols > $output_objdir/$soname.exp;
+	  fi~
+	  $CC -o $tool_output_objdir$soname $libobjs $compiler_flags $deplibs "@$tool_output_objdir$soname.exp" -Wl,-DLL,-IMPLIB:"$tool_output_objdir$libname.dll.lib"~
+	  linknames='
+	# The linker will not automatically build a static lib if we build a DLL.
+	# _LT_TAGVAR(old_archive_from_new_cmds, )='true'
+	enable_shared_with_static_runtimes=yes
+	exclude_expsyms='_NULL_IMPORT_DESCRIPTOR|_IMPORT_DESCRIPTOR_.*'
+	export_symbols_cmds='$NM $libobjs $convenience | $global_symbol_pipe | $SED -e '\''/^[BCDGRS][ ]/s/.*[ ]\([^ ]*\)/\1,DATA/'\'' | $SED -e '\''/^[AITW][ ]/s/.*[ ]//'\'' | sort | uniq > $export_symbols'
+	# Don't use ranlib
+	old_postinstall_cmds='chmod 644 $oldlib'
+	postlink_cmds='lt_outputfile="@OUTPUT@"~
+	  lt_tool_outputfile="@TOOL_OUTPUT@"~
+	  case $lt_outputfile in
+	    *.exe|*.EXE) ;;
+	    *)
+	      lt_outputfile="$lt_outputfile.exe"
+	      lt_tool_outputfile="$lt_tool_outputfile.exe"
+	      ;;
+	  esac~
+	  if test "$MANIFEST_TOOL" != ":" && test -f "$lt_outputfile.manifest"; then
+	    $MANIFEST_TOOL -manifest "$lt_tool_outputfile.manifest" -outputresource:"$lt_tool_outputfile" || exit 1;
+	    $RM "$lt_outputfile.manifest";
+	  fi'
+	;;
+      *)
+	# Assume MSVC wrapper
+	hardcode_libdir_flag_spec=' '
+	allow_undefined_flag=unsupported
+	# Tell ltmain to make .lib files, not .a files.
+	libext=lib
+	# Tell ltmain to make .dll files, not .so files.
+	shrext_cmds=".dll"
+	# FIXME: Setting linknames here is a bad hack.
+	archive_cmds='$CC -o $lib $libobjs $compiler_flags `func_echo_all "$deplibs" | $SED '\''s/ -lc$//'\''` -link -dll~linknames='
+	# The linker will automatically build a .lib file if we build a DLL.
+	old_archive_from_new_cmds='true'
+	# FIXME: Should let the user specify the lib program.
+	old_archive_cmds='lib -OUT:$oldlib$oldobjs$old_deplibs'
+	enable_shared_with_static_runtimes=yes
+	;;
+      esac
       ;;
 
     darwin* | rhapsody*)
@@ -12060,7 +12880,12 @@ if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
   hardcode_direct=no
   hardcode_automatic=yes
   hardcode_shlibpath_var=unsupported
-  whole_archive_flag_spec=''
+  if test "$lt_cv_ld_force_load" = "yes"; then
+    whole_archive_flag_spec='`for conv in $convenience\"\"; do test  -n \"$conv\" && new_convenience=\"$new_convenience ${wl}-force_load,$conv\"; done; func_echo_all \"$new_convenience\"`'
+
+  else
+    whole_archive_flag_spec=''
+  fi
   link_all_deplibs=yes
   allow_undefined_flag="$_lt_dar_allow_undefined"
   case $cc_basename in
@@ -12068,7 +12893,7 @@ if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
      *) _lt_dar_can_shared=$GCC ;;
   esac
   if test "$_lt_dar_can_shared" = "yes"; then
-    output_verbose_link_cmd=echo
+    output_verbose_link_cmd=func_echo_all
     archive_cmds="\$CC -dynamiclib \$allow_undefined_flag -o \$lib \$libobjs \$deplibs \$compiler_flags -install_name \$rpath/\$soname \$verstring $_lt_dar_single_mod${_lt_dsymutil}"
     module_cmds="\$CC \$allow_undefined_flag -o \$lib -bundle \$libobjs \$deplibs \$compiler_flags${_lt_dsymutil}"
     archive_expsym_cmds="sed 's,^,_,' < \$export_symbols > \$output_objdir/\${libname}-symbols.expsym~\$CC -dynamiclib \$allow_undefined_flag -o \$lib \$libobjs \$deplibs \$compiler_flags -install_name \$rpath/\$soname \$verstring ${_lt_dar_single_mod}${_lt_dar_export_syms}${_lt_dsymutil}"
@@ -12086,10 +12911,6 @@ if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
       hardcode_shlibpath_var=no
       ;;
 
-    freebsd1*)
-      ld_shlibs=no
-      ;;
-
     # FreeBSD 2.2.[012] allows us to include c++rt0.o to get C++ constructor
     # support.  Future versions do this automatically, but an explicit c++rt0.o
     # does not break anything, and helps significantly (at the cost of a little
@@ -12102,7 +12923,7 @@ if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
       ;;
 
     # Unfortunately, older versions of FreeBSD 2 do not have this feature.
-    freebsd2*)
+    freebsd2.*)
       archive_cmds='$LD -Bshareable -o $lib $libobjs $deplibs $linker_flags'
       hardcode_direct=yes
       hardcode_minus_L=yes
@@ -12111,7 +12932,7 @@ if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
 
     # FreeBSD 3 and greater uses gcc -shared to do shared libraries.
     freebsd* | dragonfly*)
-      archive_cmds='$CC -shared -o $lib $libobjs $deplibs $compiler_flags'
+      archive_cmds='$CC -shared $pic_flag -o $lib $libobjs $deplibs $compiler_flags'
       hardcode_libdir_flag_spec='-R$libdir'
       hardcode_direct=yes
       hardcode_shlibpath_var=no
@@ -12119,7 +12940,7 @@ if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
 
     hpux9*)
       if test "$GCC" = yes; then
-	archive_cmds='$RM $output_objdir/$soname~$CC -shared -fPIC ${wl}+b ${wl}$install_libdir -o $output_objdir/$soname $libobjs $deplibs $compiler_flags~test $output_objdir/$soname = $lib || mv $output_objdir/$soname $lib'
+	archive_cmds='$RM $output_objdir/$soname~$CC -shared $pic_flag ${wl}+b ${wl}$install_libdir -o $output_objdir/$soname $libobjs $deplibs $compiler_flags~test $output_objdir/$soname = $lib || mv $output_objdir/$soname $lib'
       else
 	archive_cmds='$RM $output_objdir/$soname~$LD -b +b $install_libdir -o $output_objdir/$soname $libobjs $deplibs $linker_flags~test $output_objdir/$soname = $lib || mv $output_objdir/$soname $lib'
       fi
@@ -12134,14 +12955,13 @@ if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
       ;;
 
     hpux10*)
-      if test "$GCC" = yes -a "$with_gnu_ld" = no; then
-	archive_cmds='$CC -shared -fPIC ${wl}+h ${wl}$soname ${wl}+b ${wl}$install_libdir -o $lib $libobjs $deplibs $compiler_flags'
+      if test "$GCC" = yes && test "$with_gnu_ld" = no; then
+	archive_cmds='$CC -shared $pic_flag ${wl}+h ${wl}$soname ${wl}+b ${wl}$install_libdir -o $lib $libobjs $deplibs $compiler_flags'
       else
 	archive_cmds='$LD -b +h $soname +b $install_libdir -o $lib $libobjs $deplibs $linker_flags'
       fi
       if test "$with_gnu_ld" = no; then
 	hardcode_libdir_flag_spec='${wl}+b ${wl}$libdir'
-	hardcode_libdir_flag_spec_ld='+b $libdir'
 	hardcode_libdir_separator=:
 	hardcode_direct=yes
 	hardcode_direct_absolute=yes
@@ -12153,16 +12973,16 @@ if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
       ;;
 
     hpux11*)
-      if test "$GCC" = yes -a "$with_gnu_ld" = no; then
+      if test "$GCC" = yes && test "$with_gnu_ld" = no; then
 	case $host_cpu in
 	hppa*64*)
 	  archive_cmds='$CC -shared ${wl}+h ${wl}$soname -o $lib $libobjs $deplibs $compiler_flags'
 	  ;;
 	ia64*)
-	  archive_cmds='$CC -shared -fPIC ${wl}+h ${wl}$soname ${wl}+nodefaultrpath -o $lib $libobjs $deplibs $compiler_flags'
+	  archive_cmds='$CC -shared $pic_flag ${wl}+h ${wl}$soname ${wl}+nodefaultrpath -o $lib $libobjs $deplibs $compiler_flags'
 	  ;;
 	*)
-	  archive_cmds='$CC -shared -fPIC ${wl}+h ${wl}$soname ${wl}+b ${wl}$install_libdir -o $lib $libobjs $deplibs $compiler_flags'
+	  archive_cmds='$CC -shared $pic_flag ${wl}+h ${wl}$soname ${wl}+b ${wl}$install_libdir -o $lib $libobjs $deplibs $compiler_flags'
 	  ;;
 	esac
       else
@@ -12174,7 +12994,46 @@ if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
 	  archive_cmds='$CC -b ${wl}+h ${wl}$soname ${wl}+nodefaultrpath -o $lib $libobjs $deplibs $compiler_flags'
 	  ;;
 	*)
-	  archive_cmds='$CC -b ${wl}+h ${wl}$soname ${wl}+b ${wl}$install_libdir -o $lib $libobjs $deplibs $compiler_flags'
+
+	  # Older versions of the 11.00 compiler do not understand -b yet
+	  # (HP92453-01 A.11.01.20 doesn't, HP92453-01 B.11.X.35175-35176.GP does)
+	  { $as_echo "$as_me:${as_lineno-$LINENO}: checking if $CC understands -b" >&5
+$as_echo_n "checking if $CC understands -b... " >&6; }
+if ${lt_cv_prog_compiler__b+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  lt_cv_prog_compiler__b=no
+   save_LDFLAGS="$LDFLAGS"
+   LDFLAGS="$LDFLAGS -b"
+   echo "$lt_simple_link_test_code" > conftest.$ac_ext
+   if (eval $ac_link 2>conftest.err) && test -s conftest$ac_exeext; then
+     # The linker can only warn and ignore the option if not recognized
+     # So say no if there are warnings
+     if test -s conftest.err; then
+       # Append any errors to the config.log.
+       cat conftest.err 1>&5
+       $ECHO "$_lt_linker_boilerplate" | $SED '/^$/d' > conftest.exp
+       $SED '/^$/d; /^ *+/d' conftest.err >conftest.er2
+       if diff conftest.exp conftest.er2 >/dev/null; then
+         lt_cv_prog_compiler__b=yes
+       fi
+     else
+       lt_cv_prog_compiler__b=yes
+     fi
+   fi
+   $RM -r conftest*
+   LDFLAGS="$save_LDFLAGS"
+
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $lt_cv_prog_compiler__b" >&5
+$as_echo "$lt_cv_prog_compiler__b" >&6; }
+
+if test x"$lt_cv_prog_compiler__b" = xyes; then
+    archive_cmds='$CC -b ${wl}+h ${wl}$soname ${wl}+b ${wl}$install_libdir -o $lib $libobjs $deplibs $compiler_flags'
+else
+    archive_cmds='$LD -b +h $soname +b $install_libdir -o $lib $libobjs $deplibs $linker_flags'
+fi
+
 	  ;;
 	esac
       fi
@@ -12202,26 +13061,39 @@ if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
 
     irix5* | irix6* | nonstopux*)
       if test "$GCC" = yes; then
-	archive_cmds='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname ${wl}$soname `test -n "$verstring" && $ECHO "X${wl}-set_version ${wl}$verstring" | $Xsed` ${wl}-update_registry ${wl}${output_objdir}/so_locations -o $lib'
+	archive_cmds='$CC -shared $pic_flag $libobjs $deplibs $compiler_flags ${wl}-soname ${wl}$soname `test -n "$verstring" && func_echo_all "${wl}-set_version ${wl}$verstring"` ${wl}-update_registry ${wl}${output_objdir}/so_locations -o $lib'
 	# Try to use the -exported_symbol ld option, if it does not
 	# work, assume that -exports_file does not work either and
 	# implicitly export all symbols.
-        save_LDFLAGS="$LDFLAGS"
-        LDFLAGS="$LDFLAGS -shared ${wl}-exported_symbol ${wl}foo ${wl}-update_registry ${wl}/dev/null"
-        cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+	# This should be the same for all languages, so no per-tag cache variable.
+	{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether the $host_os linker accepts -exported_symbol" >&5
+$as_echo_n "checking whether the $host_os linker accepts -exported_symbol... " >&6; }
+if ${lt_cv_irix_exported_symbol+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  save_LDFLAGS="$LDFLAGS"
+	   LDFLAGS="$LDFLAGS -shared ${wl}-exported_symbol ${wl}foo ${wl}-update_registry ${wl}/dev/null"
+	   cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 /* end confdefs.h.  */
-int foo(void) {}
+int foo (void) { return 0; }
 _ACEOF
 if ac_fn_c_try_link "$LINENO"; then :
-  archive_expsym_cmds='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname ${wl}$soname `test -n "$verstring" && $ECHO "X${wl}-set_version ${wl}$verstring" | $Xsed` ${wl}-update_registry ${wl}${output_objdir}/so_locations ${wl}-exports_file ${wl}$export_symbols -o $lib'
-
+  lt_cv_irix_exported_symbol=yes
+else
+  lt_cv_irix_exported_symbol=no
 fi
 rm -f core conftest.err conftest.$ac_objext \
     conftest$ac_exeext conftest.$ac_ext
-        LDFLAGS="$save_LDFLAGS"
+           LDFLAGS="$save_LDFLAGS"
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $lt_cv_irix_exported_symbol" >&5
+$as_echo "$lt_cv_irix_exported_symbol" >&6; }
+	if test "$lt_cv_irix_exported_symbol" = yes; then
+          archive_expsym_cmds='$CC -shared $pic_flag $libobjs $deplibs $compiler_flags ${wl}-soname ${wl}$soname `test -n "$verstring" && func_echo_all "${wl}-set_version ${wl}$verstring"` ${wl}-update_registry ${wl}${output_objdir}/so_locations ${wl}-exports_file ${wl}$export_symbols -o $lib'
+	fi
       else
-	archive_cmds='$CC -shared $libobjs $deplibs $compiler_flags -soname $soname `test -n "$verstring" && $ECHO "X-set_version $verstring" | $Xsed` -update_registry ${output_objdir}/so_locations -o $lib'
-	archive_expsym_cmds='$CC -shared $libobjs $deplibs $compiler_flags -soname $soname `test -n "$verstring" && $ECHO "X-set_version $verstring" | $Xsed` -update_registry ${output_objdir}/so_locations -exports_file $export_symbols -o $lib'
+	archive_cmds='$CC -shared $libobjs $deplibs $compiler_flags -soname $soname `test -n "$verstring" && func_echo_all "-set_version $verstring"` -update_registry ${output_objdir}/so_locations -o $lib'
+	archive_expsym_cmds='$CC -shared $libobjs $deplibs $compiler_flags -soname $soname `test -n "$verstring" && func_echo_all "-set_version $verstring"` -update_registry ${output_objdir}/so_locations -exports_file $export_symbols -o $lib'
       fi
       archive_cmds_need_lc='no'
       hardcode_libdir_flag_spec='${wl}-rpath ${wl}$libdir'
@@ -12283,17 +13155,17 @@ rm -f core conftest.err conftest.$ac_objext \
       hardcode_libdir_flag_spec='-L$libdir'
       hardcode_minus_L=yes
       allow_undefined_flag=unsupported
-      archive_cmds='$ECHO "LIBRARY $libname INITINSTANCE" > $output_objdir/$libname.def~$ECHO "DESCRIPTION \"$libname\"" >> $output_objdir/$libname.def~$ECHO DATA >> $output_objdir/$libname.def~$ECHO " SINGLE NONSHARED" >> $output_objdir/$libname.def~$ECHO EXPORTS >> $output_objdir/$libname.def~emxexp $libobjs >> $output_objdir/$libname.def~$CC -Zdll -Zcrtdll -o $lib $libobjs $deplibs $compiler_flags $output_objdir/$libname.def'
+      archive_cmds='$ECHO "LIBRARY $libname INITINSTANCE" > $output_objdir/$libname.def~$ECHO "DESCRIPTION \"$libname\"" >> $output_objdir/$libname.def~echo DATA >> $output_objdir/$libname.def~echo " SINGLE NONSHARED" >> $output_objdir/$libname.def~echo EXPORTS >> $output_objdir/$libname.def~emxexp $libobjs >> $output_objdir/$libname.def~$CC -Zdll -Zcrtdll -o $lib $libobjs $deplibs $compiler_flags $output_objdir/$libname.def'
       old_archive_from_new_cmds='emximp -o $output_objdir/$libname.a $output_objdir/$libname.def'
       ;;
 
     osf3*)
       if test "$GCC" = yes; then
 	allow_undefined_flag=' ${wl}-expect_unresolved ${wl}\*'
-	archive_cmds='$CC -shared${allow_undefined_flag} $libobjs $deplibs $compiler_flags ${wl}-soname ${wl}$soname `test -n "$verstring" && $ECHO "X${wl}-set_version ${wl}$verstring" | $Xsed` ${wl}-update_registry ${wl}${output_objdir}/so_locations -o $lib'
+	archive_cmds='$CC -shared${allow_undefined_flag} $libobjs $deplibs $compiler_flags ${wl}-soname ${wl}$soname `test -n "$verstring" && func_echo_all "${wl}-set_version ${wl}$verstring"` ${wl}-update_registry ${wl}${output_objdir}/so_locations -o $lib'
       else
 	allow_undefined_flag=' -expect_unresolved \*'
-	archive_cmds='$CC -shared${allow_undefined_flag} $libobjs $deplibs $compiler_flags -soname $soname `test -n "$verstring" && $ECHO "X-set_version $verstring" | $Xsed` -update_registry ${output_objdir}/so_locations -o $lib'
+	archive_cmds='$CC -shared${allow_undefined_flag} $libobjs $deplibs $compiler_flags -soname $soname `test -n "$verstring" && func_echo_all "-set_version $verstring"` -update_registry ${output_objdir}/so_locations -o $lib'
       fi
       archive_cmds_need_lc='no'
       hardcode_libdir_flag_spec='${wl}-rpath ${wl}$libdir'
@@ -12303,13 +13175,13 @@ rm -f core conftest.err conftest.$ac_objext \
     osf4* | osf5*)	# as osf3* with the addition of -msym flag
       if test "$GCC" = yes; then
 	allow_undefined_flag=' ${wl}-expect_unresolved ${wl}\*'
-	archive_cmds='$CC -shared${allow_undefined_flag} $libobjs $deplibs $compiler_flags ${wl}-msym ${wl}-soname ${wl}$soname `test -n "$verstring" && $ECHO "X${wl}-set_version ${wl}$verstring" | $Xsed` ${wl}-update_registry ${wl}${output_objdir}/so_locations -o $lib'
+	archive_cmds='$CC -shared${allow_undefined_flag} $pic_flag $libobjs $deplibs $compiler_flags ${wl}-msym ${wl}-soname ${wl}$soname `test -n "$verstring" && func_echo_all "${wl}-set_version ${wl}$verstring"` ${wl}-update_registry ${wl}${output_objdir}/so_locations -o $lib'
 	hardcode_libdir_flag_spec='${wl}-rpath ${wl}$libdir'
       else
 	allow_undefined_flag=' -expect_unresolved \*'
-	archive_cmds='$CC -shared${allow_undefined_flag} $libobjs $deplibs $compiler_flags -msym -soname $soname `test -n "$verstring" && $ECHO "X-set_version $verstring" | $Xsed` -update_registry ${output_objdir}/so_locations -o $lib'
+	archive_cmds='$CC -shared${allow_undefined_flag} $libobjs $deplibs $compiler_flags -msym -soname $soname `test -n "$verstring" && func_echo_all "-set_version $verstring"` -update_registry ${output_objdir}/so_locations -o $lib'
 	archive_expsym_cmds='for i in `cat $export_symbols`; do printf "%s %s\\n" -exported_symbol "\$i" >> $lib.exp; done; printf "%s\\n" "-hidden">> $lib.exp~
-	$CC -shared${allow_undefined_flag} ${wl}-input ${wl}$lib.exp $compiler_flags $libobjs $deplibs -soname $soname `test -n "$verstring" && $ECHO "X-set_version $verstring" | $Xsed` -update_registry ${output_objdir}/so_locations -o $lib~$RM $lib.exp'
+	$CC -shared${allow_undefined_flag} ${wl}-input ${wl}$lib.exp $compiler_flags $libobjs $deplibs -soname $soname `test -n "$verstring" && $ECHO "-set_version $verstring"` -update_registry ${output_objdir}/so_locations -o $lib~$RM $lib.exp'
 
 	# Both c and cxx compiler support -rpath directly
 	hardcode_libdir_flag_spec='-rpath $libdir'
@@ -12322,9 +13194,9 @@ rm -f core conftest.err conftest.$ac_objext \
       no_undefined_flag=' -z defs'
       if test "$GCC" = yes; then
 	wlarc='${wl}'
-	archive_cmds='$CC -shared ${wl}-z ${wl}text ${wl}-h ${wl}$soname -o $lib $libobjs $deplibs $compiler_flags'
+	archive_cmds='$CC -shared $pic_flag ${wl}-z ${wl}text ${wl}-h ${wl}$soname -o $lib $libobjs $deplibs $compiler_flags'
 	archive_expsym_cmds='echo "{ global:" > $lib.exp~cat $export_symbols | $SED -e "s/\(.*\)/\1;/" >> $lib.exp~echo "local: *; };" >> $lib.exp~
-	  $CC -shared ${wl}-z ${wl}text ${wl}-M ${wl}$lib.exp ${wl}-h ${wl}$soname -o $lib $libobjs $deplibs $compiler_flags~$RM $lib.exp'
+	  $CC -shared $pic_flag ${wl}-z ${wl}text ${wl}-M ${wl}$lib.exp ${wl}-h ${wl}$soname -o $lib $libobjs $deplibs $compiler_flags~$RM $lib.exp'
       else
 	case `$CC -V 2>&1` in
 	*"Compilers 5.0"*)
@@ -12512,44 +13384,50 @@ x|xyes)
       # to ld, don't add -lc before -lgcc.
       { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether -lc should be explicitly linked in" >&5
 $as_echo_n "checking whether -lc should be explicitly linked in... " >&6; }
-      $RM conftest*
-      echo "$lt_simple_compile_test_code" > conftest.$ac_ext
+if ${lt_cv_archive_cmds_need_lc+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  $RM conftest*
+	echo "$lt_simple_compile_test_code" > conftest.$ac_ext
 
-      if { { eval echo "\"\$as_me\":${as_lineno-$LINENO}: \"$ac_compile\""; } >&5
+	if { { eval echo "\"\$as_me\":${as_lineno-$LINENO}: \"$ac_compile\""; } >&5
   (eval $ac_compile) 2>&5
   ac_status=$?
   $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
   test $ac_status = 0; } 2>conftest.err; then
-        soname=conftest
-        lib=conftest
-        libobjs=conftest.$ac_objext
-        deplibs=
-        wl=$lt_prog_compiler_wl
-	pic_flag=$lt_prog_compiler_pic
-        compiler_flags=-v
-        linker_flags=-v
-        verstring=
-        output_objdir=.
-        libname=conftest
-        lt_save_allow_undefined_flag=$allow_undefined_flag
-        allow_undefined_flag=
-        if { { eval echo "\"\$as_me\":${as_lineno-$LINENO}: \"$archive_cmds 2\>\&1 \| $GREP \" -lc \" \>/dev/null 2\>\&1\""; } >&5
+	  soname=conftest
+	  lib=conftest
+	  libobjs=conftest.$ac_objext
+	  deplibs=
+	  wl=$lt_prog_compiler_wl
+	  pic_flag=$lt_prog_compiler_pic
+	  compiler_flags=-v
+	  linker_flags=-v
+	  verstring=
+	  output_objdir=.
+	  libname=conftest
+	  lt_save_allow_undefined_flag=$allow_undefined_flag
+	  allow_undefined_flag=
+	  if { { eval echo "\"\$as_me\":${as_lineno-$LINENO}: \"$archive_cmds 2\>\&1 \| $GREP \" -lc \" \>/dev/null 2\>\&1\""; } >&5
   (eval $archive_cmds 2\>\&1 \| $GREP \" -lc \" \>/dev/null 2\>\&1) 2>&5
   ac_status=$?
   $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
   test $ac_status = 0; }
-        then
-	  archive_cmds_need_lc=no
-        else
-	  archive_cmds_need_lc=yes
-        fi
-        allow_undefined_flag=$lt_save_allow_undefined_flag
-      else
-        cat conftest.err 1>&5
-      fi
-      $RM conftest*
-      { $as_echo "$as_me:${as_lineno-$LINENO}: result: $archive_cmds_need_lc" >&5
-$as_echo "$archive_cmds_need_lc" >&6; }
+	  then
+	    lt_cv_archive_cmds_need_lc=no
+	  else
+	    lt_cv_archive_cmds_need_lc=yes
+	  fi
+	  allow_undefined_flag=$lt_save_allow_undefined_flag
+	else
+	  cat conftest.err 1>&5
+	fi
+	$RM conftest*
+
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $lt_cv_archive_cmds_need_lc" >&5
+$as_echo "$lt_cv_archive_cmds_need_lc" >&6; }
+      archive_cmds_need_lc=$lt_cv_archive_cmds_need_lc
       ;;
     esac
   fi
@@ -12701,11 +13579,6 @@ esac
 
 
 
-
-
-
-
-
 
 
 
@@ -12720,16 +13593,23 @@ if test "$GCC" = yes; then
     darwin*) lt_awk_arg="/^libraries:/,/LR/" ;;
     *) lt_awk_arg="/^libraries:/" ;;
   esac
-  lt_search_path_spec=`$CC -print-search-dirs | awk $lt_awk_arg | $SED -e "s/^libraries://" -e "s,=/,/,g"`
-  if $ECHO "$lt_search_path_spec" | $GREP ';' >/dev/null ; then
+  case $host_os in
+    mingw* | cegcc*) lt_sed_strip_eq="s,=\([A-Za-z]:\),\1,g" ;;
+    *) lt_sed_strip_eq="s,=/,/,g" ;;
+  esac
+  lt_search_path_spec=`$CC -print-search-dirs | awk $lt_awk_arg | $SED -e "s/^libraries://" -e $lt_sed_strip_eq`
+  case $lt_search_path_spec in
+  *\;*)
     # if the path contains ";" then we assume it to be the separator
     # otherwise default to the standard path separator (i.e. ":") - it is
     # assumed that no part of a normal pathname contains ";" but that should
     # okay in the real world where ";" in dirpaths is itself problematic.
-    lt_search_path_spec=`$ECHO "$lt_search_path_spec" | $SED -e 's/;/ /g'`
-  else
-    lt_search_path_spec=`$ECHO "$lt_search_path_spec" | $SED  -e "s/$PATH_SEPARATOR/ /g"`
-  fi
+    lt_search_path_spec=`$ECHO "$lt_search_path_spec" | $SED 's/;/ /g'`
+    ;;
+  *)
+    lt_search_path_spec=`$ECHO "$lt_search_path_spec" | $SED "s/$PATH_SEPARATOR/ /g"`
+    ;;
+  esac
   # Ok, now we have the path, separated by spaces, we can step through it
   # and add multilib dir if necessary.
   lt_tmp_lt_search_path_spec=
@@ -12742,7 +13622,7 @@ if test "$GCC" = yes; then
 	lt_tmp_lt_search_path_spec="$lt_tmp_lt_search_path_spec $lt_sys_path"
     fi
   done
-  lt_search_path_spec=`$ECHO $lt_tmp_lt_search_path_spec | awk '
+  lt_search_path_spec=`$ECHO "$lt_tmp_lt_search_path_spec" | awk '
 BEGIN {RS=" "; FS="/|\n";} {
   lt_foo="";
   lt_count=0;
@@ -12762,7 +13642,13 @@ BEGIN {RS=" "; FS="/|\n";} {
   if (lt_foo != "") { lt_freq[lt_foo]++; }
   if (lt_freq[lt_foo] == 1) { print lt_foo; }
 }'`
-  sys_lib_search_path_spec=`$ECHO $lt_search_path_spec`
+  # AWK program above erroneously prepends '/' to C:/dos/paths
+  # for these hosts.
+  case $host_os in
+    mingw* | cegcc*) lt_search_path_spec=`$ECHO "$lt_search_path_spec" |\
+      $SED 's,/\([A-Za-z]:\),\1,g'` ;;
+  esac
+  sys_lib_search_path_spec=`$ECHO "$lt_search_path_spec" | $lt_NL2SP`
 else
   sys_lib_search_path_spec="/lib /usr/lib /usr/local/lib"
 fi
@@ -12788,7 +13674,7 @@ need_version=unknown
 
 case $host_os in
 aix3*)
-  version_type=linux
+  version_type=linux # correct to gnu/linux during the next big refactor
   library_names_spec='${libname}${release}${shared_ext}$versuffix $libname.a'
   shlibpath_var=LIBPATH
 
@@ -12797,7 +13683,7 @@ aix3*)
   ;;
 
 aix[4-9]*)
-  version_type=linux
+  version_type=linux # correct to gnu/linux during the next big refactor
   need_lib_prefix=no
   need_version=no
   hardcode_into_libs=yes
@@ -12850,7 +13736,7 @@ amigaos*)
   m68k)
     library_names_spec='$libname.ixlibrary $libname.a'
     # Create ${libname}_ixlibrary.a entries in /sys/libs.
-    finish_eval='for lib in `ls $libdir/*.ixlibrary 2>/dev/null`; do libname=`$ECHO "X$lib" | $Xsed -e '\''s%^.*/\([^/]*\)\.ixlibrary$%\1%'\''`; test $RM /sys/libs/${libname}_ixlibrary.a; $show "cd /sys/libs && $LN_S $lib ${libname}_ixlibrary.a"; cd /sys/libs && $LN_S $lib ${libname}_ixlibrary.a || exit 1; done'
+    finish_eval='for lib in `ls $libdir/*.ixlibrary 2>/dev/null`; do libname=`func_echo_all "$lib" | $SED '\''s%^.*/\([^/]*\)\.ixlibrary$%\1%'\''`; test $RM /sys/libs/${libname}_ixlibrary.a; $show "cd /sys/libs && $LN_S $lib ${libname}_ixlibrary.a"; cd /sys/libs && $LN_S $lib ${libname}_ixlibrary.a || exit 1; done'
     ;;
   esac
   ;;
@@ -12862,7 +13748,7 @@ beos*)
   ;;
 
 bsdi[45]*)
-  version_type=linux
+  version_type=linux # correct to gnu/linux during the next big refactor
   need_version=no
   library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
   soname_spec='${libname}${release}${shared_ext}$major'
@@ -12881,8 +13767,9 @@ cygwin* | mingw* | pw32* | cegcc*)
   need_version=no
   need_lib_prefix=no
 
-  case $GCC,$host_os in
-  yes,cygwin* | yes,mingw* | yes,pw32* | yes,cegcc*)
+  case $GCC,$cc_basename in
+  yes,*)
+    # gcc
     library_names_spec='$libname.dll.a'
     # DLL is installed to $(libdir)/../bin by postinstall_cmds
     postinstall_cmds='base_file=`basename \${file}`~
@@ -12903,36 +13790,83 @@ cygwin* | mingw* | pw32* | cegcc*)
     cygwin*)
       # Cygwin DLLs use 'cyg' prefix rather than 'lib'
       soname_spec='`echo ${libname} | sed -e 's/^lib/cyg/'``echo ${release} | $SED -e 's/[.]/-/g'`${versuffix}${shared_ext}'
-      sys_lib_search_path_spec="/usr/lib /lib/w32api /lib /usr/local/lib"
+
+      sys_lib_search_path_spec="$sys_lib_search_path_spec /usr/lib/w32api"
       ;;
     mingw* | cegcc*)
       # MinGW DLLs use traditional 'lib' prefix
       soname_spec='${libname}`echo ${release} | $SED -e 's/[.]/-/g'`${versuffix}${shared_ext}'
-      sys_lib_search_path_spec=`$CC -print-search-dirs | $GREP "^libraries:" | $SED -e "s/^libraries://" -e "s,=/,/,g"`
-      if $ECHO "$sys_lib_search_path_spec" | $GREP ';[c-zC-Z]:/' >/dev/null; then
-        # It is most probably a Windows format PATH printed by
-        # mingw gcc, but we are running on Cygwin. Gcc prints its search
-        # path with ; separators, and with drive letters. We can handle the
-        # drive letters (cygwin fileutils understands them), so leave them,
-        # especially as we might pass files found there to a mingw objdump,
-        # which wouldn't understand a cygwinified path. Ahh.
-        sys_lib_search_path_spec=`$ECHO "$sys_lib_search_path_spec" | $SED -e 's/;/ /g'`
-      else
-        sys_lib_search_path_spec=`$ECHO "$sys_lib_search_path_spec" | $SED  -e "s/$PATH_SEPARATOR/ /g"`
-      fi
       ;;
     pw32*)
       # pw32 DLLs use 'pw' prefix rather than 'lib'
       library_names_spec='`echo ${libname} | sed -e 's/^lib/pw/'``echo ${release} | $SED -e 's/[.]/-/g'`${versuffix}${shared_ext}'
       ;;
     esac
+    dynamic_linker='Win32 ld.exe'
+    ;;
+
+  *,cl*)
+    # Native MSVC
+    libname_spec='$name'
+    soname_spec='${libname}`echo ${release} | $SED -e 's/[.]/-/g'`${versuffix}${shared_ext}'
+    library_names_spec='${libname}.dll.lib'
+
+    case $build_os in
+    mingw*)
+      sys_lib_search_path_spec=
+      lt_save_ifs=$IFS
+      IFS=';'
+      for lt_path in $LIB
+      do
+        IFS=$lt_save_ifs
+        # Let DOS variable expansion print the short 8.3 style file name.
+        lt_path=`cd "$lt_path" 2>/dev/null && cmd //C "for %i in (".") do @echo %~si"`
+        sys_lib_search_path_spec="$sys_lib_search_path_spec $lt_path"
+      done
+      IFS=$lt_save_ifs
+      # Convert to MSYS style.
+      sys_lib_search_path_spec=`$ECHO "$sys_lib_search_path_spec" | sed -e 's|\\\\|/|g' -e 's| \\([a-zA-Z]\\):| /\\1|g' -e 's|^ ||'`
+      ;;
+    cygwin*)
+      # Convert to unix form, then to dos form, then back to unix form
+      # but this time dos style (no spaces!) so that the unix form looks
+      # like /cygdrive/c/PROGRA~1:/cygdr...
+      sys_lib_search_path_spec=`cygpath --path --unix "$LIB"`
+      sys_lib_search_path_spec=`cygpath --path --dos "$sys_lib_search_path_spec" 2>/dev/null`
+      sys_lib_search_path_spec=`cygpath --path --unix "$sys_lib_search_path_spec" | $SED -e "s/$PATH_SEPARATOR/ /g"`
+      ;;
+    *)
+      sys_lib_search_path_spec="$LIB"
+      if $ECHO "$sys_lib_search_path_spec" | $GREP ';[c-zC-Z]:/' >/dev/null; then
+        # It is most probably a Windows format PATH.
+        sys_lib_search_path_spec=`$ECHO "$sys_lib_search_path_spec" | $SED -e 's/;/ /g'`
+      else
+        sys_lib_search_path_spec=`$ECHO "$sys_lib_search_path_spec" | $SED -e "s/$PATH_SEPARATOR/ /g"`
+      fi
+      # FIXME: find the short name or the path components, as spaces are
+      # common. (e.g. "Program Files" -> "PROGRA~1")
+      ;;
+    esac
+
+    # DLL is installed to $(libdir)/../bin by postinstall_cmds
+    postinstall_cmds='base_file=`basename \${file}`~
+      dlpath=`$SHELL 2>&1 -c '\''. $dir/'\''\${base_file}'\''i; echo \$dlname'\''`~
+      dldir=$destdir/`dirname \$dlpath`~
+      test -d \$dldir || mkdir -p \$dldir~
+      $install_prog $dir/$dlname \$dldir/$dlname'
+    postuninstall_cmds='dldll=`$SHELL 2>&1 -c '\''. $file; echo \$dlname'\''`~
+      dlpath=$dir/\$dldll~
+       $RM \$dlpath'
+    shlibpath_overrides_runpath=yes
+    dynamic_linker='Win32 link.exe'
     ;;
 
   *)
+    # Assume MSVC wrapper
     library_names_spec='${libname}`echo ${release} | $SED -e 's/[.]/-/g'`${versuffix}${shared_ext} $libname.lib'
+    dynamic_linker='Win32 ld.exe'
     ;;
   esac
-  dynamic_linker='Win32 ld.exe'
   # FIXME: first we should search . and the directory the executable is in
   shlibpath_var=PATH
   ;;
@@ -12953,7 +13887,7 @@ darwin* | rhapsody*)
   ;;
 
 dgux*)
-  version_type=linux
+  version_type=linux # correct to gnu/linux during the next big refactor
   need_lib_prefix=no
   need_version=no
   library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname$shared_ext'
@@ -12961,10 +13895,6 @@ dgux*)
   shlibpath_var=LD_LIBRARY_PATH
   ;;
 
-freebsd1*)
-  dynamic_linker=no
-  ;;
-
 freebsd* | dragonfly*)
   # DragonFly does not have aout.  When/if they implement a new
   # versioning mechanism, adjust this.
@@ -12972,7 +13902,7 @@ freebsd* | dragonfly*)
     objformat=`/usr/bin/objformat`
   else
     case $host_os in
-    freebsd[123]*) objformat=aout ;;
+    freebsd[23].*) objformat=aout ;;
     *) objformat=elf ;;
     esac
   fi
@@ -12990,7 +13920,7 @@ freebsd* | dragonfly*)
   esac
   shlibpath_var=LD_LIBRARY_PATH
   case $host_os in
-  freebsd2*)
+  freebsd2.*)
     shlibpath_overrides_runpath=yes
     ;;
   freebsd3.[01]* | freebsdelf3.[01]*)
@@ -13010,12 +13940,26 @@ freebsd* | dragonfly*)
   ;;
 
 gnu*)
-  version_type=linux
+  version_type=linux # correct to gnu/linux during the next big refactor
   need_lib_prefix=no
   need_version=no
   library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}${major} ${libname}${shared_ext}'
   soname_spec='${libname}${release}${shared_ext}$major'
   shlibpath_var=LD_LIBRARY_PATH
+  shlibpath_overrides_runpath=no
+  hardcode_into_libs=yes
+  ;;
+
+haiku*)
+  version_type=linux # correct to gnu/linux during the next big refactor
+  need_lib_prefix=no
+  need_version=no
+  dynamic_linker="$host_os runtime_loader"
+  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}${major} ${libname}${shared_ext}'
+  soname_spec='${libname}${release}${shared_ext}$major'
+  shlibpath_var=LIBRARY_PATH
+  shlibpath_overrides_runpath=yes
+  sys_lib_dlsearch_path_spec='/boot/home/config/lib /boot/common/lib /boot/system/lib'
   hardcode_into_libs=yes
   ;;
 
@@ -13061,12 +14005,14 @@ hpux9* | hpux10* | hpux11*)
     soname_spec='${libname}${release}${shared_ext}$major'
     ;;
   esac
-  # HP-UX runs *really* slowly unless shared libraries are mode 555.
+  # HP-UX runs *really* slowly unless shared libraries are mode 555, ...
   postinstall_cmds='chmod 555 $lib'
+  # or fails outright, so override atomically:
+  install_override_mode=555
   ;;
 
 interix[3-9]*)
-  version_type=linux
+  version_type=linux # correct to gnu/linux during the next big refactor
   need_lib_prefix=no
   need_version=no
   library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major ${libname}${shared_ext}'
@@ -13082,7 +14028,7 @@ irix5* | irix6* | nonstopux*)
     nonstopux*) version_type=nonstopux ;;
     *)
 	if test "$lt_cv_prog_gnu_ld" = yes; then
-		version_type=linux
+		version_type=linux # correct to gnu/linux during the next big refactor
 	else
 		version_type=irix
 	fi ;;
@@ -13119,9 +14065,9 @@ linux*oldld* | linux*aout* | linux*coff*)
   dynamic_linker=no
   ;;
 
-# This must be Linux ELF.
+# This must be glibc/ELF.
 linux* | k*bsd*-gnu | kopensolaris*-gnu)
-  version_type=linux
+  version_type=linux # correct to gnu/linux during the next big refactor
   need_lib_prefix=no
   need_version=no
   library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
@@ -13129,12 +14075,17 @@ linux* | k*bsd*-gnu | kopensolaris*-gnu)
   finish_cmds='PATH="\$PATH:/sbin" ldconfig -n $libdir'
   shlibpath_var=LD_LIBRARY_PATH
   shlibpath_overrides_runpath=no
+
   # Some binutils ld are patched to set DT_RUNPATH
-  save_LDFLAGS=$LDFLAGS
-  save_libdir=$libdir
-  eval "libdir=/foo; wl=\"$lt_prog_compiler_wl\"; \
-       LDFLAGS=\"\$LDFLAGS $hardcode_libdir_flag_spec\""
-  cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+  if ${lt_cv_shlibpath_overrides_runpath+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  lt_cv_shlibpath_overrides_runpath=no
+    save_LDFLAGS=$LDFLAGS
+    save_libdir=$libdir
+    eval "libdir=/foo; wl=\"$lt_prog_compiler_wl\"; \
+	 LDFLAGS=\"\$LDFLAGS $hardcode_libdir_flag_spec\""
+    cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 /* end confdefs.h.  */
 
 int
@@ -13147,13 +14098,17 @@ main ()
 _ACEOF
 if ac_fn_c_try_link "$LINENO"; then :
   if  ($OBJDUMP -p conftest$ac_exeext) 2>/dev/null | grep "RUNPATH.*$libdir" >/dev/null; then :
-  shlibpath_overrides_runpath=yes
+  lt_cv_shlibpath_overrides_runpath=yes
 fi
 fi
 rm -f core conftest.err conftest.$ac_objext \
     conftest$ac_exeext conftest.$ac_ext
-  LDFLAGS=$save_LDFLAGS
-  libdir=$save_libdir
+    LDFLAGS=$save_LDFLAGS
+    libdir=$save_libdir
+
+fi
+
+  shlibpath_overrides_runpath=$lt_cv_shlibpath_overrides_runpath
 
   # This implies no fast_install, which is unacceptable.
   # Some rework will be needed to allow for fast_install
@@ -13162,7 +14117,7 @@ rm -f core conftest.err conftest.$ac_objext \
 
   # Append ld.so.conf contents to the search path
   if test -f /etc/ld.so.conf; then
-    lt_ld_extra=`awk '/^include / { system(sprintf("cd /etc; cat %s 2>/dev/null", \$2)); skip = 1; } { if (!skip) print \$0; skip = 0; }' < /etc/ld.so.conf | $SED -e 's/#.*//;/^[	 ]*hwcap[	 ]/d;s/[:,	]/ /g;s/=[^=]*$//;s/=[^= ]* / /g;/^$/d' | tr '\n' ' '`
+    lt_ld_extra=`awk '/^include / { system(sprintf("cd /etc; cat %s 2>/dev/null", \$2)); skip = 1; } { if (!skip) print \$0; skip = 0; }' < /etc/ld.so.conf | $SED -e 's/#.*//;/^[	 ]*hwcap[	 ]/d;s/[:,	]/ /g;s/=[^=]*$//;s/=[^= ]* / /g;s/"//g;/^$/d' | tr '\n' ' '`
     sys_lib_dlsearch_path_spec="/lib /usr/lib $lt_ld_extra"
   fi
 
@@ -13206,7 +14161,7 @@ netbsd*)
   ;;
 
 newsos6)
-  version_type=linux
+  version_type=linux # correct to gnu/linux during the next big refactor
   library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
   shlibpath_var=LD_LIBRARY_PATH
   shlibpath_overrides_runpath=yes
@@ -13275,7 +14230,7 @@ rdos*)
   ;;
 
 solaris*)
-  version_type=linux
+  version_type=linux # correct to gnu/linux during the next big refactor
   need_lib_prefix=no
   need_version=no
   library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
@@ -13300,7 +14255,7 @@ sunos4*)
   ;;
 
 sysv4 | sysv4.3*)
-  version_type=linux
+  version_type=linux # correct to gnu/linux during the next big refactor
   library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
   soname_spec='${libname}${release}${shared_ext}$major'
   shlibpath_var=LD_LIBRARY_PATH
@@ -13324,7 +14279,7 @@ sysv4 | sysv4.3*)
 
 sysv4*MP*)
   if test -d /usr/nec ;then
-    version_type=linux
+    version_type=linux # correct to gnu/linux during the next big refactor
     library_names_spec='$libname${shared_ext}.$versuffix $libname${shared_ext}.$major $libname${shared_ext}'
     soname_spec='$libname${shared_ext}.$major'
     shlibpath_var=LD_LIBRARY_PATH
@@ -13355,7 +14310,7 @@ sysv5* | sco3.2v5* | sco5v6* | unixware* | OpenUNIX* | sysv4*uw2*)
 
 tpf*)
   # TPF is a cross-target only.  Preferred cross-host = GNU/Linux.
-  version_type=linux
+  version_type=linux # correct to gnu/linux during the next big refactor
   need_lib_prefix=no
   need_version=no
   library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
@@ -13365,7 +14320,7 @@ tpf*)
   ;;
 
 uts4*)
-  version_type=linux
+  version_type=linux # correct to gnu/linux during the next big refactor
   library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
   soname_spec='${libname}${release}${shared_ext}$major'
   shlibpath_var=LD_LIBRARY_PATH
@@ -13471,6 +14426,11 @@ fi
 
 
 
+
+
+
+
+
 
 
 
@@ -13549,7 +14509,7 @@ else
   # if libdl is installed we need to link against it
     { $as_echo "$as_me:${as_lineno-$LINENO}: checking for dlopen in -ldl" >&5
 $as_echo_n "checking for dlopen in -ldl... " >&6; }
-if test "${ac_cv_lib_dl_dlopen+set}" = set; then :
+if ${ac_cv_lib_dl_dlopen+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   ac_check_lib_save_LIBS=$LIBS
@@ -13583,7 +14543,7 @@ LIBS=$ac_check_lib_save_LIBS
 fi
 { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_dl_dlopen" >&5
 $as_echo "$ac_cv_lib_dl_dlopen" >&6; }
-if test "x$ac_cv_lib_dl_dlopen" = x""yes; then :
+if test "x$ac_cv_lib_dl_dlopen" = xyes; then :
   lt_cv_dlopen="dlopen" lt_cv_dlopen_libs="-ldl"
 else
 
@@ -13597,12 +14557,12 @@ fi
 
   *)
     ac_fn_c_check_func "$LINENO" "shl_load" "ac_cv_func_shl_load"
-if test "x$ac_cv_func_shl_load" = x""yes; then :
+if test "x$ac_cv_func_shl_load" = xyes; then :
   lt_cv_dlopen="shl_load"
 else
   { $as_echo "$as_me:${as_lineno-$LINENO}: checking for shl_load in -ldld" >&5
 $as_echo_n "checking for shl_load in -ldld... " >&6; }
-if test "${ac_cv_lib_dld_shl_load+set}" = set; then :
+if ${ac_cv_lib_dld_shl_load+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   ac_check_lib_save_LIBS=$LIBS
@@ -13636,16 +14596,16 @@ LIBS=$ac_check_lib_save_LIBS
 fi
 { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_dld_shl_load" >&5
 $as_echo "$ac_cv_lib_dld_shl_load" >&6; }
-if test "x$ac_cv_lib_dld_shl_load" = x""yes; then :
+if test "x$ac_cv_lib_dld_shl_load" = xyes; then :
   lt_cv_dlopen="shl_load" lt_cv_dlopen_libs="-ldld"
 else
   ac_fn_c_check_func "$LINENO" "dlopen" "ac_cv_func_dlopen"
-if test "x$ac_cv_func_dlopen" = x""yes; then :
+if test "x$ac_cv_func_dlopen" = xyes; then :
   lt_cv_dlopen="dlopen"
 else
   { $as_echo "$as_me:${as_lineno-$LINENO}: checking for dlopen in -ldl" >&5
 $as_echo_n "checking for dlopen in -ldl... " >&6; }
-if test "${ac_cv_lib_dl_dlopen+set}" = set; then :
+if ${ac_cv_lib_dl_dlopen+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   ac_check_lib_save_LIBS=$LIBS
@@ -13679,12 +14639,12 @@ LIBS=$ac_check_lib_save_LIBS
 fi
 { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_dl_dlopen" >&5
 $as_echo "$ac_cv_lib_dl_dlopen" >&6; }
-if test "x$ac_cv_lib_dl_dlopen" = x""yes; then :
+if test "x$ac_cv_lib_dl_dlopen" = xyes; then :
   lt_cv_dlopen="dlopen" lt_cv_dlopen_libs="-ldl"
 else
   { $as_echo "$as_me:${as_lineno-$LINENO}: checking for dlopen in -lsvld" >&5
 $as_echo_n "checking for dlopen in -lsvld... " >&6; }
-if test "${ac_cv_lib_svld_dlopen+set}" = set; then :
+if ${ac_cv_lib_svld_dlopen+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   ac_check_lib_save_LIBS=$LIBS
@@ -13718,12 +14678,12 @@ LIBS=$ac_check_lib_save_LIBS
 fi
 { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_svld_dlopen" >&5
 $as_echo "$ac_cv_lib_svld_dlopen" >&6; }
-if test "x$ac_cv_lib_svld_dlopen" = x""yes; then :
+if test "x$ac_cv_lib_svld_dlopen" = xyes; then :
   lt_cv_dlopen="dlopen" lt_cv_dlopen_libs="-lsvld"
 else
   { $as_echo "$as_me:${as_lineno-$LINENO}: checking for dld_link in -ldld" >&5
 $as_echo_n "checking for dld_link in -ldld... " >&6; }
-if test "${ac_cv_lib_dld_dld_link+set}" = set; then :
+if ${ac_cv_lib_dld_dld_link+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   ac_check_lib_save_LIBS=$LIBS
@@ -13757,7 +14717,7 @@ LIBS=$ac_check_lib_save_LIBS
 fi
 { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_dld_dld_link" >&5
 $as_echo "$ac_cv_lib_dld_dld_link" >&6; }
-if test "x$ac_cv_lib_dld_dld_link" = x""yes; then :
+if test "x$ac_cv_lib_dld_dld_link" = xyes; then :
   lt_cv_dlopen="dld_link" lt_cv_dlopen_libs="-ldld"
 fi
 
@@ -13798,7 +14758,7 @@ fi
 
     { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether a program can dlopen itself" >&5
 $as_echo_n "checking whether a program can dlopen itself... " >&6; }
-if test "${lt_cv_dlopen_self+set}" = set; then :
+if ${lt_cv_dlopen_self+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   	  if test "$cross_compiling" = yes; then :
@@ -13807,7 +14767,7 @@ else
   lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2
   lt_status=$lt_dlunknown
   cat > conftest.$ac_ext <<_LT_EOF
-#line 13810 "configure"
+#line $LINENO "configure"
 #include "confdefs.h"
 
 #if HAVE_DLFCN_H
@@ -13848,7 +14808,13 @@ else
 #  endif
 #endif
 
-void fnord() { int i=42;}
+/* When -fvisbility=hidden is used, assume the code has been annotated
+   correspondingly for the symbols needed.  */
+#if defined(__GNUC__) && (((__GNUC__ == 3) && (__GNUC_MINOR__ >= 3)) || (__GNUC__ > 3))
+int fnord () __attribute__((visibility("default")));
+#endif
+
+int fnord () { return 42; }
 int main ()
 {
   void *self = dlopen (0, LT_DLGLOBAL|LT_DLLAZY_OR_NOW);
@@ -13857,7 +14823,11 @@ int main ()
   if (self)
     {
       if (dlsym (self,"fnord"))       status = $lt_dlno_uscore;
-      else if (dlsym( self,"_fnord")) status = $lt_dlneed_uscore;
+      else
+        {
+	  if (dlsym( self,"_fnord"))  status = $lt_dlneed_uscore;
+          else puts (dlerror ());
+	}
       /* dlclose (self); */
     }
   else
@@ -13894,7 +14864,7 @@ $as_echo "$lt_cv_dlopen_self" >&6; }
       wl=$lt_prog_compiler_wl eval LDFLAGS=\"\$LDFLAGS $lt_prog_compiler_static\"
       { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether a statically linked program can dlopen itself" >&5
 $as_echo_n "checking whether a statically linked program can dlopen itself... " >&6; }
-if test "${lt_cv_dlopen_self_static+set}" = set; then :
+if ${lt_cv_dlopen_self_static+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   	  if test "$cross_compiling" = yes; then :
@@ -13903,7 +14873,7 @@ else
   lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2
   lt_status=$lt_dlunknown
   cat > conftest.$ac_ext <<_LT_EOF
-#line 13906 "configure"
+#line $LINENO "configure"
 #include "confdefs.h"
 
 #if HAVE_DLFCN_H
@@ -13944,7 +14914,13 @@ else
 #  endif
 #endif
 
-void fnord() { int i=42;}
+/* When -fvisbility=hidden is used, assume the code has been annotated
+   correspondingly for the symbols needed.  */
+#if defined(__GNUC__) && (((__GNUC__ == 3) && (__GNUC_MINOR__ >= 3)) || (__GNUC__ > 3))
+int fnord () __attribute__((visibility("default")));
+#endif
+
+int fnord () { return 42; }
 int main ()
 {
   void *self = dlopen (0, LT_DLGLOBAL|LT_DLLAZY_OR_NOW);
@@ -13953,7 +14929,11 @@ int main ()
   if (self)
     {
       if (dlsym (self,"fnord"))       status = $lt_dlno_uscore;
-      else if (dlsym( self,"_fnord")) status = $lt_dlneed_uscore;
+      else
+        {
+	  if (dlsym( self,"_fnord"))  status = $lt_dlneed_uscore;
+          else puts (dlerror ());
+	}
       /* dlclose (self); */
     }
   else
@@ -14122,6 +15102,8 @@ CC="$lt_save_CC"
 
 
 
+
+
         ac_config_commands="$ac_config_commands libtool"
 
 
@@ -14132,7 +15114,7 @@ CC="$lt_save_CC"
 
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for egrep" >&5
 $as_echo_n "checking for egrep... " >&6; }
-if test "${ac_cv_path_EGREP+set}" = set; then :
+if ${ac_cv_path_EGREP+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   if echo a | $GREP -E '(a|b)' >/dev/null 2>&1
@@ -14203,7 +15185,7 @@ do
 set dummy $ac_prog; ac_word=$2
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
 $as_echo_n "checking for $ac_word... " >&6; }
-if test "${ac_cv_prog_AWK+set}" = set; then :
+if ${ac_cv_prog_AWK+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   if test -n "$AWK"; then
@@ -14245,7 +15227,7 @@ do
 set dummy $ac_prog; ac_word=$2
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
 $as_echo_n "checking for $ac_word... " >&6; }
-if test "${ac_cv_prog_LEX+set}" = set; then :
+if ${ac_cv_prog_LEX+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   if test -n "$LEX"; then
@@ -14315,7 +15297,7 @@ $as_echo "$ac_try_echo"; } >&5
   test $ac_status = 0; }
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking lex output file root" >&5
 $as_echo_n "checking lex output file root... " >&6; }
-if test "${ac_cv_prog_lex_root+set}" = set; then :
+if ${ac_cv_prog_lex_root+:} false; then :
   $as_echo_n "(cached) " >&6
 else
 
@@ -14334,7 +15316,7 @@ LEX_OUTPUT_ROOT=$ac_cv_prog_lex_root
 if test -z "${LEXLIB+set}"; then
   { $as_echo "$as_me:${as_lineno-$LINENO}: checking lex library" >&5
 $as_echo_n "checking lex library... " >&6; }
-if test "${ac_cv_lib_lex+set}" = set; then :
+if ${ac_cv_lib_lex+:} false; then :
   $as_echo_n "(cached) " >&6
 else
 
@@ -14364,7 +15346,7 @@ fi
 
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether yytext is a pointer" >&5
 $as_echo_n "checking whether yytext is a pointer... " >&6; }
-if test "${ac_cv_prog_lex_yytext_pointer+set}" = set; then :
+if ${ac_cv_prog_lex_yytext_pointer+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   # POSIX says lex can declare yytext either as a pointer or an array; the
@@ -14375,7 +15357,8 @@ ac_save_LIBS=$LIBS
 LIBS="$LEXLIB $ac_save_LIBS"
 cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 /* end confdefs.h.  */
-#define YYTEXT_POINTER 1
+
+  #define YYTEXT_POINTER 1
 `cat $LEX_OUTPUT_ROOT.c`
 _ACEOF
 if ac_fn_c_try_link "$LINENO"; then :
@@ -14402,7 +15385,7 @@ do
 set dummy $ac_prog; ac_word=$2
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
 $as_echo_n "checking for $ac_word... " >&6; }
-if test "${ac_cv_prog_YACC+set}" = set; then :
+if ${ac_cv_prog_YACC+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   if test -n "$YACC"; then
@@ -14443,7 +15426,7 @@ test -n "$YACC" || YACC="yacc"
 set dummy perl; ac_word=$2
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
 $as_echo_n "checking for $ac_word... " >&6; }
-if test "${ac_cv_path_PERL+set}" = set; then :
+if ${ac_cv_path_PERL+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   case $PERL in
@@ -14484,7 +15467,7 @@ fi
 set dummy gperf; ac_word=$2
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
 $as_echo_n "checking for $ac_word... " >&6; }
-if test "${ac_cv_path_GPERF+set}" = set; then :
+if ${ac_cv_path_GPERF+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   case $GPERF in
@@ -14568,7 +15551,7 @@ if test x$tnc_imc = xtrue -o x$tnc_imv = xtrue -o x$tnccs_11 = xtrue -o x$tnccs_
 	tnc_tnccs=true;
 fi
 
-if test x$imc_test = xtrue -o x$imv_test = xtrue -o x$imc_scanner = xtrue -o x$imv_scanner = xtrue -o x$imc_attestation = xtrue -o x$imv_attestation = xtrue; then
+if test x$imc_test = xtrue -o x$imv_test = xtrue -o x$imc_scanner = xtrue -o x$imv_scanner = xtrue -o x$imc_os = xtrue -o x$imv_os = xtrue -o x$imc_attestation = xtrue -o x$imv_attestation = xtrue; then
 	imcv=true;
 fi
 
@@ -14606,7 +15589,7 @@ fi
 
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for stdbool.h that conforms to C99" >&5
 $as_echo_n "checking for stdbool.h that conforms to C99... " >&6; }
-if test "${ac_cv_header_stdbool_h+set}" = set; then :
+if ${ac_cv_header_stdbool_h+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   cat confdefs.h - <<_ACEOF >conftest.$ac_ext
@@ -14638,7 +15621,7 @@ else
 	char b[false == 0 ? 1 : -1];
 	char c[__bool_true_false_are_defined == 1 ? 1 : -1];
 	char d[(bool) 0.5 == true ? 1 : -1];
-	bool e = &s;
+	/* See body of main program for 'e'.  */
 	char f[(_Bool) 0.0 == false ? 1 : -1];
 	char g[true];
 	char h[sizeof (_Bool)];
@@ -14649,25 +15632,6 @@ else
 	_Bool n[m];
 	char o[sizeof n == m * sizeof n[0] ? 1 : -1];
 	char p[-1 - (_Bool) 0 < 0 && -1 - (bool) 0 < 0 ? 1 : -1];
-#	if defined __xlc__ || defined __GNUC__
-	 /* Catch a bug in IBM AIX xlc compiler version 6.0.0.0
-	    reported by James Lemley on 2005-10-05; see
-	    http://lists.gnu.org/archive/html/bug-coreutils/2005-10/msg00086.html
-	    This test is not quite right, since xlc is allowed to
-	    reject this program, as the initializer for xlcbug is
-	    not one of the forms that C requires support for.
-	    However, doing the test right would require a runtime
-	    test, and that would make cross-compilation harder.
-	    Let us hope that IBM fixes the xlc bug, and also adds
-	    support for this kind of constant expression.  In the
-	    meantime, this test will reject xlc, which is OK, since
-	    our stdbool.h substitute should suffice.  We also test
-	    this with GCC, where it should work, to detect more
-	    quickly whether someone messes up the test in the
-	    future.  */
-	 char digs[] = "0123456789";
-	 int xlcbug = 1 / (&(digs + 5)[-2 + (bool) 1] == &digs[4] ? 1 : -1);
-#	endif
 	/* Catch a bug in an HP-UX C compiler.  See
 	   http://gcc.gnu.org/ml/gcc-patches/2003-12/msg02303.html
 	   http://lists.gnu.org/archive/html/bug-coreutils/2005-11/msg00161.html
@@ -14679,6 +15643,7 @@ int
 main ()
 {
 
+	bool e = &s;
 	*pq |= q;
 	*pq |= ! q;
 	/* Refer to every declared value, to avoid compiler optimizations.  */
@@ -14699,7 +15664,7 @@ fi
 { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_header_stdbool_h" >&5
 $as_echo "$ac_cv_header_stdbool_h" >&6; }
 ac_fn_c_check_type "$LINENO" "_Bool" "ac_cv_type__Bool" "$ac_includes_default"
-if test "x$ac_cv_type__Bool" = x""yes; then :
+if test "x$ac_cv_type__Bool" = xyes; then :
 
 cat >>confdefs.h <<_ACEOF
 #define HAVE__BOOL 1
@@ -14714,11 +15679,22 @@ $as_echo "#define HAVE_STDBOOL_H 1" >>confdefs.h
 
 fi
 
+ac_fn_c_check_type "$LINENO" "size_t" "ac_cv_type_size_t" "$ac_includes_default"
+if test "x$ac_cv_type_size_t" = xyes; then :
+
+else
+
+cat >>confdefs.h <<_ACEOF
+#define size_t unsigned int
+_ACEOF
+
+fi
+
 # The Ultrix 4.2 mips builtin alloca declared by alloca.h only works
 # for constant arguments.  Useless!
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for working alloca.h" >&5
 $as_echo_n "checking for working alloca.h... " >&6; }
-if test "${ac_cv_working_alloca_h+set}" = set; then :
+if ${ac_cv_working_alloca_h+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   cat confdefs.h - <<_ACEOF >conftest.$ac_ext
@@ -14751,7 +15727,7 @@ fi
 
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for alloca" >&5
 $as_echo_n "checking for alloca... " >&6; }
-if test "${ac_cv_func_alloca_works+set}" = set; then :
+if ${ac_cv_func_alloca_works+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   cat confdefs.h - <<_ACEOF >conftest.$ac_ext
@@ -14770,7 +15746,7 @@ else
  #pragma alloca
 #   else
 #    ifndef alloca /* predefined by HP cc +Olibcalls */
-char *alloca ();
+void *alloca (size_t);
 #    endif
 #   endif
 #  endif
@@ -14814,7 +15790,7 @@ $as_echo "#define C_ALLOCA 1" >>confdefs.h
 
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether \`alloca.c' needs Cray hooks" >&5
 $as_echo_n "checking whether \`alloca.c' needs Cray hooks... " >&6; }
-if test "${ac_cv_os_cray+set}" = set; then :
+if ${ac_cv_os_cray+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   cat confdefs.h - <<_ACEOF >conftest.$ac_ext
@@ -14855,7 +15831,7 @@ fi
 
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking stack direction for C alloca" >&5
 $as_echo_n "checking stack direction for C alloca... " >&6; }
-if test "${ac_cv_c_stack_direction+set}" = set; then :
+if ${ac_cv_c_stack_direction+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   if test "$cross_compiling" = yes; then :
@@ -14904,7 +15880,7 @@ _ACEOF
 fi
 
 ac_fn_c_check_decl "$LINENO" "strerror_r" "ac_cv_have_decl_strerror_r" "$ac_includes_default"
-if test "x$ac_cv_have_decl_strerror_r" = x""yes; then :
+if test "x$ac_cv_have_decl_strerror_r" = xyes; then :
   ac_have_decl=1
 else
   ac_have_decl=0
@@ -14917,7 +15893,7 @@ _ACEOF
 for ac_func in strerror_r
 do :
   ac_fn_c_check_func "$LINENO" "strerror_r" "ac_cv_func_strerror_r"
-if test "x$ac_cv_func_strerror_r" = x""yes; then :
+if test "x$ac_cv_func_strerror_r" = xyes; then :
   cat >>confdefs.h <<_ACEOF
 #define HAVE_STRERROR_R 1
 _ACEOF
@@ -14927,7 +15903,7 @@ done
 
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether strerror_r returns char *" >&5
 $as_echo_n "checking whether strerror_r returns char *... " >&6; }
-if test "${ac_cv_func_strerror_r_char_p+set}" = set; then :
+if ${ac_cv_func_strerror_r_char_p+:} false; then :
   $as_echo_n "(cached) " >&6
 else
 
@@ -15001,7 +15977,7 @@ saved_LIBS=$LIBS
 LIBS=""
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for library containing dlopen" >&5
 $as_echo_n "checking for library containing dlopen... " >&6; }
-if test "${ac_cv_search_dlopen+set}" = set; then :
+if ${ac_cv_search_dlopen+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   ac_func_search_save_LIBS=$LIBS
@@ -15035,11 +16011,11 @@ for ac_lib in '' dl; do
 fi
 rm -f core conftest.err conftest.$ac_objext \
     conftest$ac_exeext
-  if test "${ac_cv_search_dlopen+set}" = set; then :
+  if ${ac_cv_search_dlopen+:} false; then :
   break
 fi
 done
-if test "${ac_cv_search_dlopen+set}" = set; then :
+if ${ac_cv_search_dlopen+:} false; then :
 
 else
   ac_cv_search_dlopen=no
@@ -15060,7 +16036,7 @@ fi
 LIBS=""
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for library containing backtrace" >&5
 $as_echo_n "checking for library containing backtrace... " >&6; }
-if test "${ac_cv_search_backtrace+set}" = set; then :
+if ${ac_cv_search_backtrace+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   ac_func_search_save_LIBS=$LIBS
@@ -15094,11 +16070,11 @@ for ac_lib in '' execinfo; do
 fi
 rm -f core conftest.err conftest.$ac_objext \
     conftest$ac_exeext
-  if test "${ac_cv_search_backtrace+set}" = set; then :
+  if ${ac_cv_search_backtrace+:} false; then :
   break
 fi
 done
-if test "${ac_cv_search_backtrace+set}" = set; then :
+if ${ac_cv_search_backtrace+:} false; then :
 
 else
   ac_cv_search_backtrace=no
@@ -15117,7 +16093,7 @@ fi
 for ac_func in backtrace
 do :
   ac_fn_c_check_func "$LINENO" "backtrace" "ac_cv_func_backtrace"
-if test "x$ac_cv_func_backtrace" = x""yes; then :
+if test "x$ac_cv_func_backtrace" = xyes; then :
   cat >>confdefs.h <<_ACEOF
 #define HAVE_BACKTRACE 1
 _ACEOF
@@ -15130,7 +16106,7 @@ done
 LIBS=""
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for library containing socket" >&5
 $as_echo_n "checking for library containing socket... " >&6; }
-if test "${ac_cv_search_socket+set}" = set; then :
+if ${ac_cv_search_socket+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   ac_func_search_save_LIBS=$LIBS
@@ -15164,11 +16140,11 @@ for ac_lib in '' socket; do
 fi
 rm -f core conftest.err conftest.$ac_objext \
     conftest$ac_exeext
-  if test "${ac_cv_search_socket+set}" = set; then :
+  if ${ac_cv_search_socket+:} false; then :
   break
 fi
 done
-if test "${ac_cv_search_socket+set}" = set; then :
+if ${ac_cv_search_socket+:} false; then :
 
 else
   ac_cv_search_socket=no
@@ -15185,7 +16161,7 @@ if test "$ac_res" != no; then :
 else
   { $as_echo "$as_me:${as_lineno-$LINENO}: checking for socket in -lnsl" >&5
 $as_echo_n "checking for socket in -lnsl... " >&6; }
-if test "${ac_cv_lib_nsl_socket+set}" = set; then :
+if ${ac_cv_lib_nsl_socket+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   ac_check_lib_save_LIBS=$LIBS
@@ -15219,7 +16195,7 @@ LIBS=$ac_check_lib_save_LIBS
 fi
 { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_nsl_socket" >&5
 $as_echo "$ac_cv_lib_nsl_socket" >&6; }
-if test "x$ac_cv_lib_nsl_socket" = x""yes; then :
+if test "x$ac_cv_lib_nsl_socket" = xyes; then :
   SOCKLIB="-lsocket -lnsl"
 fi
 
@@ -15231,7 +16207,7 @@ fi
 LIBS=""
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for library containing clock_gettime" >&5
 $as_echo_n "checking for library containing clock_gettime... " >&6; }
-if test "${ac_cv_search_clock_gettime+set}" = set; then :
+if ${ac_cv_search_clock_gettime+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   ac_func_search_save_LIBS=$LIBS
@@ -15265,11 +16241,11 @@ for ac_lib in '' rt; do
 fi
 rm -f core conftest.err conftest.$ac_objext \
     conftest$ac_exeext
-  if test "${ac_cv_search_clock_gettime+set}" = set; then :
+  if ${ac_cv_search_clock_gettime+:} false; then :
   break
 fi
 done
-if test "${ac_cv_search_clock_gettime+set}" = set; then :
+if ${ac_cv_search_clock_gettime+:} false; then :
 
 else
   ac_cv_search_clock_gettime=no
@@ -15288,7 +16264,7 @@ fi
 for ac_func in clock_gettime
 do :
   ac_fn_c_check_func "$LINENO" "clock_gettime" "ac_cv_func_clock_gettime"
-if test "x$ac_cv_func_clock_gettime" = x""yes; then :
+if test "x$ac_cv_func_clock_gettime" = xyes; then :
   cat >>confdefs.h <<_ACEOF
 #define HAVE_CLOCK_GETTIME 1
 _ACEOF
@@ -15301,7 +16277,7 @@ done
 LIBS=""
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for library containing pthread_create" >&5
 $as_echo_n "checking for library containing pthread_create... " >&6; }
-if test "${ac_cv_search_pthread_create+set}" = set; then :
+if ${ac_cv_search_pthread_create+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   ac_func_search_save_LIBS=$LIBS
@@ -15335,11 +16311,11 @@ for ac_lib in '' pthread; do
 fi
 rm -f core conftest.err conftest.$ac_objext \
     conftest$ac_exeext
-  if test "${ac_cv_search_pthread_create+set}" = set; then :
+  if ${ac_cv_search_pthread_create+:} false; then :
   break
 fi
 done
-if test "${ac_cv_search_pthread_create+set}" = set; then :
+if ${ac_cv_search_pthread_create+:} false; then :
 
 else
   ac_cv_search_pthread_create=no
@@ -15396,7 +16372,7 @@ $as_echo "unknown" >&6; };
 	 for ac_func in pthread_condattr_setclock
 do :
   ac_fn_c_check_func "$LINENO" "pthread_condattr_setclock" "ac_cv_func_pthread_condattr_setclock"
-if test "x$ac_cv_func_pthread_condattr_setclock" = x""yes; then :
+if test "x$ac_cv_func_pthread_condattr_setclock" = xyes; then :
   cat >>confdefs.h <<_ACEOF
 #define HAVE_PTHREAD_CONDATTR_SETCLOCK 1
 _ACEOF
@@ -15433,7 +16409,7 @@ fi
 for ac_func in pthread_condattr_init
 do :
   ac_fn_c_check_func "$LINENO" "pthread_condattr_init" "ac_cv_func_pthread_condattr_init"
-if test "x$ac_cv_func_pthread_condattr_init" = x""yes; then :
+if test "x$ac_cv_func_pthread_condattr_init" = xyes; then :
   cat >>confdefs.h <<_ACEOF
 #define HAVE_PTHREAD_CONDATTR_INIT 1
 _ACEOF
@@ -15444,7 +16420,7 @@ done
 for ac_func in pthread_cond_timedwait_monotonic
 do :
   ac_fn_c_check_func "$LINENO" "pthread_cond_timedwait_monotonic" "ac_cv_func_pthread_cond_timedwait_monotonic"
-if test "x$ac_cv_func_pthread_cond_timedwait_monotonic" = x""yes; then :
+if test "x$ac_cv_func_pthread_cond_timedwait_monotonic" = xyes; then :
   cat >>confdefs.h <<_ACEOF
 #define HAVE_PTHREAD_COND_TIMEDWAIT_MONOTONIC 1
 _ACEOF
@@ -15455,7 +16431,7 @@ done
 for ac_func in pthread_cancel
 do :
   ac_fn_c_check_func "$LINENO" "pthread_cancel" "ac_cv_func_pthread_cancel"
-if test "x$ac_cv_func_pthread_cancel" = x""yes; then :
+if test "x$ac_cv_func_pthread_cancel" = xyes; then :
   cat >>confdefs.h <<_ACEOF
 #define HAVE_PTHREAD_CANCEL 1
 _ACEOF
@@ -15466,7 +16442,7 @@ done
 for ac_func in pthread_rwlock_init
 do :
   ac_fn_c_check_func "$LINENO" "pthread_rwlock_init" "ac_cv_func_pthread_rwlock_init"
-if test "x$ac_cv_func_pthread_rwlock_init" = x""yes; then :
+if test "x$ac_cv_func_pthread_rwlock_init" = xyes; then :
   cat >>confdefs.h <<_ACEOF
 #define HAVE_PTHREAD_RWLOCK_INIT 1
 _ACEOF
@@ -15474,10 +16450,21 @@ _ACEOF
 fi
 done
 
+for ac_func in pthread_spin_init
+do :
+  ac_fn_c_check_func "$LINENO" "pthread_spin_init" "ac_cv_func_pthread_spin_init"
+if test "x$ac_cv_func_pthread_spin_init" = xyes; then :
+  cat >>confdefs.h <<_ACEOF
+#define HAVE_PTHREAD_SPIN_INIT 1
+_ACEOF
+
+fi
+done
+
 for ac_func in sem_timedwait
 do :
   ac_fn_c_check_func "$LINENO" "sem_timedwait" "ac_cv_func_sem_timedwait"
-if test "x$ac_cv_func_sem_timedwait" = x""yes; then :
+if test "x$ac_cv_func_sem_timedwait" = xyes; then :
   cat >>confdefs.h <<_ACEOF
 #define HAVE_SEM_TIMEDWAIT 1
 _ACEOF
@@ -15488,7 +16475,7 @@ done
 LIBS=$saved_LIBS
 
 ac_fn_c_check_func "$LINENO" "gettid" "ac_cv_func_gettid"
-if test "x$ac_cv_func_gettid" = x""yes; then :
+if test "x$ac_cv_func_gettid" = xyes; then :
 
 $as_echo "#define HAVE_GETTID /**/" >>confdefs.h
 
@@ -15570,7 +16557,7 @@ done
 for ac_header in netinet/ip6.h
 do :
   ac_fn_c_check_header_mongrel "$LINENO" "netinet/ip6.h" "ac_cv_header_netinet_ip6_h" "$ac_includes_default"
-if test "x$ac_cv_header_netinet_ip6_h" = x""yes; then :
+if test "x$ac_cv_header_netinet_ip6_h" = xyes; then :
   cat >>confdefs.h <<_ACEOF
 #define HAVE_NETINET_IP6_H 1
 _ACEOF
@@ -15585,7 +16572,7 @@ ac_fn_c_check_member "$LINENO" "struct sockaddr" "sa_len" "ac_cv_member_struct_s
 	#include <sys/socket.h>
 
 "
-if test "x$ac_cv_member_struct_sockaddr_sa_len" = x""yes; then :
+if test "x$ac_cv_member_struct_sockaddr_sa_len" = xyes; then :
 
 cat >>confdefs.h <<_ACEOF
 #define HAVE_STRUCT_SOCKADDR_SA_LEN 1
@@ -15605,7 +16592,7 @@ ac_fn_c_check_member "$LINENO" "struct sadb_x_policy" "sadb_x_policy_priority" "
 	#endif
 
 "
-if test "x$ac_cv_member_struct_sadb_x_policy_sadb_x_policy_priority" = x""yes; then :
+if test "x$ac_cv_member_struct_sadb_x_policy_sadb_x_policy_priority" = xyes; then :
 
 cat >>confdefs.h <<_ACEOF
 #define HAVE_STRUCT_SADB_X_POLICY_SADB_X_POLICY_PRIORITY 1
@@ -15811,13 +16798,13 @@ fi
 
 
 ac_fn_c_check_func "$LINENO" "register_printf_specifier" "ac_cv_func_register_printf_specifier"
-if test "x$ac_cv_func_register_printf_specifier" = x""yes; then :
+if test "x$ac_cv_func_register_printf_specifier" = xyes; then :
 
 $as_echo "#define HAVE_PRINTF_SPECIFIER /**/" >>confdefs.h
 
 else
   ac_fn_c_check_func "$LINENO" "register_printf_function" "ac_cv_func_register_printf_function"
-if test "x$ac_cv_func_register_printf_function" = x""yes; then :
+if test "x$ac_cv_func_register_printf_function" = xyes; then :
 
 $as_echo "#define HAVE_PRINTF_FUNCTION /**/" >>confdefs.h
 
@@ -15837,7 +16824,7 @@ fi
 if test x$vstr = xtrue; then
 	{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for main in -lvstr" >&5
 $as_echo_n "checking for main in -lvstr... " >&6; }
-if test "${ac_cv_lib_vstr_main+set}" = set; then :
+if ${ac_cv_lib_vstr_main+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   ac_check_lib_save_LIBS=$LIBS
@@ -15865,7 +16852,7 @@ LIBS=$ac_check_lib_save_LIBS
 fi
 { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_vstr_main" >&5
 $as_echo "$ac_cv_lib_vstr_main" >&6; }
-if test "x$ac_cv_lib_vstr_main" = x""yes; then :
+if test "x$ac_cv_lib_vstr_main" = xyes; then :
   LIBS="$LIBS"
 else
   as_fn_error $? "Vstr string library not found" "$LINENO" 5
@@ -15881,7 +16868,7 @@ if test x$gmp = xtrue; then
 	saved_LIBS=$LIBS
 	{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for main in -lgmp" >&5
 $as_echo_n "checking for main in -lgmp... " >&6; }
-if test "${ac_cv_lib_gmp_main+set}" = set; then :
+if ${ac_cv_lib_gmp_main+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   ac_check_lib_save_LIBS=$LIBS
@@ -15909,7 +16896,7 @@ LIBS=$ac_check_lib_save_LIBS
 fi
 { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_gmp_main" >&5
 $as_echo "$ac_cv_lib_gmp_main" >&6; }
-if test "x$ac_cv_lib_gmp_main" = x""yes; then :
+if test "x$ac_cv_lib_gmp_main" = xyes; then :
   cat >>confdefs.h <<_ACEOF
 #define HAVE_LIBGMP 1
 _ACEOF
@@ -15985,7 +16972,7 @@ fi
 if test x$ldap = xtrue; then
 	{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for main in -lldap" >&5
 $as_echo_n "checking for main in -lldap... " >&6; }
-if test "${ac_cv_lib_ldap_main+set}" = set; then :
+if ${ac_cv_lib_ldap_main+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   ac_check_lib_save_LIBS=$LIBS
@@ -16013,7 +17000,7 @@ LIBS=$ac_check_lib_save_LIBS
 fi
 { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_ldap_main" >&5
 $as_echo "$ac_cv_lib_ldap_main" >&6; }
-if test "x$ac_cv_lib_ldap_main" = x""yes; then :
+if test "x$ac_cv_lib_ldap_main" = xyes; then :
   LIBS="$LIBS"
 else
   as_fn_error $? "LDAP library ldap not found" "$LINENO" 5
@@ -16022,7 +17009,7 @@ ac_cv_lib_ldap=ac_cv_lib_ldap_main
 
 	{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for main in -llber" >&5
 $as_echo_n "checking for main in -llber... " >&6; }
-if test "${ac_cv_lib_lber_main+set}" = set; then :
+if ${ac_cv_lib_lber_main+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   ac_check_lib_save_LIBS=$LIBS
@@ -16050,7 +17037,7 @@ LIBS=$ac_check_lib_save_LIBS
 fi
 { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_lber_main" >&5
 $as_echo "$ac_cv_lib_lber_main" >&6; }
-if test "x$ac_cv_lib_lber_main" = x""yes; then :
+if test "x$ac_cv_lib_lber_main" = xyes; then :
   LIBS="$LIBS"
 else
   as_fn_error $? "LDAP library lber not found" "$LINENO" 5
@@ -16058,7 +17045,7 @@ fi
 ac_cv_lib_lber=ac_cv_lib_lber_main
 
 	ac_fn_c_check_header_mongrel "$LINENO" "ldap.h" "ac_cv_header_ldap_h" "$ac_includes_default"
-if test "x$ac_cv_header_ldap_h" = x""yes; then :
+if test "x$ac_cv_header_ldap_h" = xyes; then :
 
 else
   as_fn_error $? "LDAP header ldap.h not found!" "$LINENO" 5
@@ -16070,7 +17057,7 @@ fi
 if test x$curl = xtrue; then
 	{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for main in -lcurl" >&5
 $as_echo_n "checking for main in -lcurl... " >&6; }
-if test "${ac_cv_lib_curl_main+set}" = set; then :
+if ${ac_cv_lib_curl_main+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   ac_check_lib_save_LIBS=$LIBS
@@ -16098,7 +17085,7 @@ LIBS=$ac_check_lib_save_LIBS
 fi
 { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_curl_main" >&5
 $as_echo "$ac_cv_lib_curl_main" >&6; }
-if test "x$ac_cv_lib_curl_main" = x""yes; then :
+if test "x$ac_cv_lib_curl_main" = xyes; then :
   LIBS="$LIBS"
 else
   as_fn_error $? "CURL library curl not found" "$LINENO" 5
@@ -16106,7 +17093,7 @@ fi
 ac_cv_lib_curl=ac_cv_lib_curl_main
 
 	ac_fn_c_check_header_mongrel "$LINENO" "curl/curl.h" "ac_cv_header_curl_curl_h" "$ac_includes_default"
-if test "x$ac_cv_header_curl_curl_h" = x""yes; then :
+if test "x$ac_cv_header_curl_curl_h" = xyes; then :
 
 else
   as_fn_error $? "CURL header curl/curl.h not found!" "$LINENO" 5
@@ -16131,6 +17118,7 @@ if test -n "$soup_CFLAGS"; then
   $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
   test $ac_status = 0; }; then
   pkg_cv_soup_CFLAGS=`$PKG_CONFIG --cflags "libsoup-2.4" 2>/dev/null`
+		      test "x$?" != "x0" && pkg_failed=yes
 else
   pkg_failed=yes
 fi
@@ -16147,6 +17135,7 @@ if test -n "$soup_LIBS"; then
   $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
   test $ac_status = 0; }; then
   pkg_cv_soup_LIBS=`$PKG_CONFIG --libs "libsoup-2.4" 2>/dev/null`
+		      test "x$?" != "x0" && pkg_failed=yes
 else
   pkg_failed=yes
 fi
@@ -16166,9 +17155,9 @@ else
         _pkg_short_errors_supported=no
 fi
         if test $_pkg_short_errors_supported = yes; then
-	        soup_PKG_ERRORS=`$PKG_CONFIG --short-errors --print-errors "libsoup-2.4" 2>&1`
+	        soup_PKG_ERRORS=`$PKG_CONFIG --short-errors --print-errors --cflags --libs "libsoup-2.4" 2>&1`
         else
-	        soup_PKG_ERRORS=`$PKG_CONFIG --print-errors "libsoup-2.4" 2>&1`
+	        soup_PKG_ERRORS=`$PKG_CONFIG --print-errors --cflags --libs "libsoup-2.4" 2>&1`
         fi
 	# Put the nasty error message in config.log where it belongs
 	echo "$soup_PKG_ERRORS" >&5
@@ -16197,7 +17186,7 @@ and soup_LIBS to avoid the need to call pkg-config.
 See the pkg-config man page for more details.
 
 To get pkg-config, see <http://pkg-config.freedesktop.org/>.
-See \`config.log' for more details" "$LINENO" 5 ; }
+See \`config.log' for more details" "$LINENO" 5; }
 else
 	soup_CFLAGS=$pkg_cv_soup_CFLAGS
 	soup_LIBS=$pkg_cv_soup_LIBS
@@ -16225,6 +17214,7 @@ if test -n "$xml_CFLAGS"; then
   $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
   test $ac_status = 0; }; then
   pkg_cv_xml_CFLAGS=`$PKG_CONFIG --cflags "libxml-2.0" 2>/dev/null`
+		      test "x$?" != "x0" && pkg_failed=yes
 else
   pkg_failed=yes
 fi
@@ -16241,6 +17231,7 @@ if test -n "$xml_LIBS"; then
   $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
   test $ac_status = 0; }; then
   pkg_cv_xml_LIBS=`$PKG_CONFIG --libs "libxml-2.0" 2>/dev/null`
+		      test "x$?" != "x0" && pkg_failed=yes
 else
   pkg_failed=yes
 fi
@@ -16260,9 +17251,9 @@ else
         _pkg_short_errors_supported=no
 fi
         if test $_pkg_short_errors_supported = yes; then
-	        xml_PKG_ERRORS=`$PKG_CONFIG --short-errors --print-errors "libxml-2.0" 2>&1`
+	        xml_PKG_ERRORS=`$PKG_CONFIG --short-errors --print-errors --cflags --libs "libxml-2.0" 2>&1`
         else
-	        xml_PKG_ERRORS=`$PKG_CONFIG --print-errors "libxml-2.0" 2>&1`
+	        xml_PKG_ERRORS=`$PKG_CONFIG --print-errors --cflags --libs "libxml-2.0" 2>&1`
         fi
 	# Put the nasty error message in config.log where it belongs
 	echo "$xml_PKG_ERRORS" >&5
@@ -16291,7 +17282,7 @@ and xml_LIBS to avoid the need to call pkg-config.
 See the pkg-config man page for more details.
 
 To get pkg-config, see <http://pkg-config.freedesktop.org/>.
-See \`config.log' for more details" "$LINENO" 5 ; }
+See \`config.log' for more details" "$LINENO" 5; }
 else
 	xml_CFLAGS=$pkg_cv_xml_CFLAGS
 	xml_LIBS=$pkg_cv_xml_LIBS
@@ -16319,6 +17310,7 @@ if test -n "$axis2c_CFLAGS"; then
   $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
   test $ac_status = 0; }; then
   pkg_cv_axis2c_CFLAGS=`$PKG_CONFIG --cflags "axis2c" 2>/dev/null`
+		      test "x$?" != "x0" && pkg_failed=yes
 else
   pkg_failed=yes
 fi
@@ -16335,6 +17327,7 @@ if test -n "$axis2c_LIBS"; then
   $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
   test $ac_status = 0; }; then
   pkg_cv_axis2c_LIBS=`$PKG_CONFIG --libs "axis2c" 2>/dev/null`
+		      test "x$?" != "x0" && pkg_failed=yes
 else
   pkg_failed=yes
 fi
@@ -16354,9 +17347,9 @@ else
         _pkg_short_errors_supported=no
 fi
         if test $_pkg_short_errors_supported = yes; then
-	        axis2c_PKG_ERRORS=`$PKG_CONFIG --short-errors --print-errors "axis2c" 2>&1`
+	        axis2c_PKG_ERRORS=`$PKG_CONFIG --short-errors --print-errors --cflags --libs "axis2c" 2>&1`
         else
-	        axis2c_PKG_ERRORS=`$PKG_CONFIG --print-errors "axis2c" 2>&1`
+	        axis2c_PKG_ERRORS=`$PKG_CONFIG --print-errors --cflags --libs "axis2c" 2>&1`
         fi
 	# Put the nasty error message in config.log where it belongs
 	echo "$axis2c_PKG_ERRORS" >&5
@@ -16385,7 +17378,7 @@ and axis2c_LIBS to avoid the need to call pkg-config.
 See the pkg-config man page for more details.
 
 To get pkg-config, see <http://pkg-config.freedesktop.org/>.
-See \`config.log' for more details" "$LINENO" 5 ; }
+See \`config.log' for more details" "$LINENO" 5; }
 else
 	axis2c_CFLAGS=$pkg_cv_axis2c_CFLAGS
 	axis2c_LIBS=$pkg_cv_axis2c_LIBS
@@ -16397,10 +17390,10 @@ fi
 
 fi
 
-if test x$imc_attestation = xtrue -o x$imv_attestation = xtrue; then
+if test x$tss = xtrousers; then
 	{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for main in -ltspi" >&5
 $as_echo_n "checking for main in -ltspi... " >&6; }
-if test "${ac_cv_lib_tspi_main+set}" = set; then :
+if ${ac_cv_lib_tspi_main+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   ac_check_lib_save_LIBS=$LIBS
@@ -16428,7 +17421,7 @@ LIBS=$ac_check_lib_save_LIBS
 fi
 { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_tspi_main" >&5
 $as_echo "$ac_cv_lib_tspi_main" >&6; }
-if test "x$ac_cv_lib_tspi_main" = x""yes; then :
+if test "x$ac_cv_lib_tspi_main" = xyes; then :
   LIBS="$LIBS"
 else
   as_fn_error $? "TrouSerS library libtspi not found" "$LINENO" 5
@@ -16436,13 +17429,16 @@ fi
 ac_cv_lib_tspi=ac_cv_lib_tspi_main
 
 	ac_fn_c_check_header_mongrel "$LINENO" "trousers/tss.h" "ac_cv_header_trousers_tss_h" "$ac_includes_default"
-if test "x$ac_cv_header_trousers_tss_h" = x""yes; then :
+if test "x$ac_cv_header_trousers_tss_h" = xyes; then :
 
 else
   as_fn_error $? "TrouSerS header trousers/tss.h not found!" "$LINENO" 5
 fi
 
 
+
+$as_echo "#define TSS_TROUSERS /**/" >>confdefs.h
+
 fi
 
 if test x$dumm = xtrue; then
@@ -16461,6 +17457,7 @@ if test -n "$gtk_CFLAGS"; then
   $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
   test $ac_status = 0; }; then
   pkg_cv_gtk_CFLAGS=`$PKG_CONFIG --cflags "gtk+-2.0 vte" 2>/dev/null`
+		      test "x$?" != "x0" && pkg_failed=yes
 else
   pkg_failed=yes
 fi
@@ -16477,6 +17474,7 @@ if test -n "$gtk_LIBS"; then
   $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
   test $ac_status = 0; }; then
   pkg_cv_gtk_LIBS=`$PKG_CONFIG --libs "gtk+-2.0 vte" 2>/dev/null`
+		      test "x$?" != "x0" && pkg_failed=yes
 else
   pkg_failed=yes
 fi
@@ -16496,9 +17494,9 @@ else
         _pkg_short_errors_supported=no
 fi
         if test $_pkg_short_errors_supported = yes; then
-	        gtk_PKG_ERRORS=`$PKG_CONFIG --short-errors --print-errors "gtk+-2.0 vte" 2>&1`
+	        gtk_PKG_ERRORS=`$PKG_CONFIG --short-errors --print-errors --cflags --libs "gtk+-2.0 vte" 2>&1`
         else
-	        gtk_PKG_ERRORS=`$PKG_CONFIG --print-errors "gtk+-2.0 vte" 2>&1`
+	        gtk_PKG_ERRORS=`$PKG_CONFIG --print-errors --cflags --libs "gtk+-2.0 vte" 2>&1`
         fi
 	# Put the nasty error message in config.log where it belongs
 	echo "$gtk_PKG_ERRORS" >&5
@@ -16527,7 +17525,7 @@ and gtk_LIBS to avoid the need to call pkg-config.
 See the pkg-config man page for more details.
 
 To get pkg-config, see <http://pkg-config.freedesktop.org/>.
-See \`config.log' for more details" "$LINENO" 5 ; }
+See \`config.log' for more details" "$LINENO" 5; }
 else
 	gtk_CFLAGS=$pkg_cv_gtk_CFLAGS
 	gtk_LIBS=$pkg_cv_gtk_LIBS
@@ -16543,7 +17541,7 @@ do
 set dummy $ac_prog; ac_word=$2
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
 $as_echo_n "checking for $ac_word... " >&6; }
-if test "${ac_cv_prog_RUBY+set}" = set; then :
+if ${ac_cv_prog_RUBY+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   if test -n "$RUBY"; then
@@ -16582,34 +17580,79 @@ done
 	{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for Ruby header files" >&5
 $as_echo_n "checking for Ruby header files... " >&6; }
 	if test -n "$RUBY"; then
-		RUBYDIR=`($RUBY -rmkmf -e 'print Config::CONFIG["archdir"] || $archdir') 2>/dev/null`
-		if test -n "$RUBYDIR"; then
-			dirs="$RUBYDIR"
-			RUBYINCLUDE=none
-			for i in $dirs; do
-				if test -r $i/ruby.h; then
-					{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $i" >&5
-$as_echo "$i" >&6; }
-					RUBYINCLUDE="-I$i"
-					break;
-				fi
-			done
-			if test x"$RUBYINCLUDE" = xnone; then
-				as_fn_error $? "ruby.h not found" "$LINENO" 5
+		RUBYINCLUDE=
+		RUBYDIR=`($RUBY -r rbconfig -e 'print RbConfig::CONFIG["rubyhdrdir"] || ""') 2>/dev/null`
+		if test -n "$RUBYDIR" -a -r "$RUBYDIR/ruby.h"; then
+			RUBYARCH=`($RUBY -r rbconfig -e 'print RbConfig::CONFIG["arch"] || ""') 2>/dev/null`
+			if test -n "$RUBYARCH"; then
+				{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $RUBYDIR" >&5
+$as_echo "$RUBYDIR" >&6; }
+				RUBYINCLUDE="-I$RUBYDIR -I$RUBYDIR/$RUBYARCH"
 			fi
-
 		else
-			as_fn_error $? "unable to determine ruby configuration" "$LINENO" 5
+			RUBYDIR=`($RUBY -r rbconfig -e 'print RbConfig::CONFIG["archdir"] || ""') 2>/dev/null`
+			if test -n "$RUBYDIR" -a -r "$RUBYDIR/ruby.h"; then
+				{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $RUBYDIR" >&5
+$as_echo "$RUBYDIR" >&6; }
+				RUBYINCLUDE="-I$RUBYDIR"
+			fi
+		fi
+		if test -z "$RUBYINCLUDE"; then
+			as_fn_error $? "ruby.h not found" "$LINENO" 5
 		fi
+
 	else
 		as_fn_error $? "don't know how to run ruby" "$LINENO" 5
 	fi
+	{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for libruby" >&5
+$as_echo_n "checking for libruby... " >&6; }
+	saved_LIBS=$LIBS
+	LIBS=`($RUBY -r rbconfig -e 'print RbConfig::CONFIG["LIBRUBYARG_SHARED"] || ""') 2>/dev/null`
+	cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+char ruby_init ();
+int
+main ()
+{
+return ruby_init ();
+  ;
+  return 0;
+}
+_ACEOF
+if ac_fn_c_try_link "$LINENO"; then :
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: $LIBS" >&5
+$as_echo "$LIBS" >&6; }; RUBYLIB=$LIBS
+else
+  as_fn_error $? "not found" "$LINENO" 5
+fi
+rm -f core conftest.err conftest.$ac_objext \
+    conftest$ac_exeext conftest.$ac_ext
+
+	for ac_func in rb_errinfo
+do :
+  ac_fn_c_check_func "$LINENO" "rb_errinfo" "ac_cv_func_rb_errinfo"
+if test "x$ac_cv_func_rb_errinfo" = xyes; then :
+  cat >>confdefs.h <<_ACEOF
+#define HAVE_RB_ERRINFO 1
+_ACEOF
+
+fi
+done
+
+	LIBS=$saved_LIBS
 fi
 
 if test x$fast = xtrue; then
 	{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for main in -lneo_cgi" >&5
 $as_echo_n "checking for main in -lneo_cgi... " >&6; }
-if test "${ac_cv_lib_neo_cgi_main+set}" = set; then :
+if ${ac_cv_lib_neo_cgi_main+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   ac_check_lib_save_LIBS=$LIBS
@@ -16637,7 +17680,7 @@ LIBS=$ac_check_lib_save_LIBS
 fi
 { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_neo_cgi_main" >&5
 $as_echo "$ac_cv_lib_neo_cgi_main" >&6; }
-if test "x$ac_cv_lib_neo_cgi_main" = x""yes; then :
+if test "x$ac_cv_lib_neo_cgi_main" = xyes; then :
   LIBS="$LIBS"
 else
   as_fn_error $? "ClearSilver library neo_cgi not found!" "$LINENO" 5
@@ -16646,7 +17689,7 @@ ac_cv_lib_neo_cgi=ac_cv_lib_neo_cgi_main
 
 	{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for main in -lneo_utl" >&5
 $as_echo_n "checking for main in -lneo_utl... " >&6; }
-if test "${ac_cv_lib_neo_utl_main+set}" = set; then :
+if ${ac_cv_lib_neo_utl_main+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   ac_check_lib_save_LIBS=$LIBS
@@ -16674,7 +17717,7 @@ LIBS=$ac_check_lib_save_LIBS
 fi
 { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_neo_utl_main" >&5
 $as_echo "$ac_cv_lib_neo_utl_main" >&6; }
-if test "x$ac_cv_lib_neo_utl_main" = x""yes; then :
+if test "x$ac_cv_lib_neo_utl_main" = xyes; then :
   LIBS="$LIBS"
 else
   as_fn_error $? "ClearSilver library neo_utl not found!" "$LINENO" 5
@@ -16716,7 +17759,7 @@ rm -f core conftest.err conftest.$ac_objext \
 
 	{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for main in -lfcgi" >&5
 $as_echo_n "checking for main in -lfcgi... " >&6; }
-if test "${ac_cv_lib_fcgi_main+set}" = set; then :
+if ${ac_cv_lib_fcgi_main+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   ac_check_lib_save_LIBS=$LIBS
@@ -16744,7 +17787,7 @@ LIBS=$ac_check_lib_save_LIBS
 fi
 { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_fcgi_main" >&5
 $as_echo "$ac_cv_lib_fcgi_main" >&6; }
-if test "x$ac_cv_lib_fcgi_main" = x""yes; then :
+if test "x$ac_cv_lib_fcgi_main" = xyes; then :
   LIBS="$LIBS"
 else
   as_fn_error $? "FastCGI library fcgi not found!" "$LINENO" 5
@@ -16752,7 +17795,7 @@ fi
 ac_cv_lib_fcgi=ac_cv_lib_fcgi_main
 
 	ac_fn_c_check_header_mongrel "$LINENO" "fcgiapp.h" "ac_cv_header_fcgiapp_h" "$ac_includes_default"
-if test "x$ac_cv_header_fcgiapp_h" = x""yes; then :
+if test "x$ac_cv_header_fcgiapp_h" = xyes; then :
 
 else
   as_fn_error $? "FastCGI header file fcgiapp.h not found!" "$LINENO" 5
@@ -16766,7 +17809,7 @@ if test x$mysql = xtrue; then
 set dummy mysql_config; ac_word=$2
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
 $as_echo_n "checking for $ac_word... " >&6; }
-if test "${ac_cv_path_MYSQLCONFIG+set}" = set; then :
+if ${ac_cv_path_MYSQLCONFIG+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   case $MYSQLCONFIG in
@@ -16815,7 +17858,7 @@ fi
 if test x$sqlite = xtrue; then
 	{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for main in -lsqlite3" >&5
 $as_echo_n "checking for main in -lsqlite3... " >&6; }
-if test "${ac_cv_lib_sqlite3_main+set}" = set; then :
+if ${ac_cv_lib_sqlite3_main+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   ac_check_lib_save_LIBS=$LIBS
@@ -16843,7 +17886,7 @@ LIBS=$ac_check_lib_save_LIBS
 fi
 { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_sqlite3_main" >&5
 $as_echo "$ac_cv_lib_sqlite3_main" >&6; }
-if test "x$ac_cv_lib_sqlite3_main" = x""yes; then :
+if test "x$ac_cv_lib_sqlite3_main" = xyes; then :
   LIBS="$LIBS"
 else
   as_fn_error $? "SQLite library sqlite3 not found" "$LINENO" 5
@@ -16851,7 +17894,7 @@ fi
 ac_cv_lib_sqlite3=ac_cv_lib_sqlite3_main
 
 	ac_fn_c_check_header_mongrel "$LINENO" "sqlite3.h" "ac_cv_header_sqlite3_h" "$ac_includes_default"
-if test "x$ac_cv_header_sqlite3_h" = x""yes; then :
+if test "x$ac_cv_header_sqlite3_h" = xyes; then :
 
 else
   as_fn_error $? "SQLite header sqlite3.h not found!" "$LINENO" 5
@@ -16914,7 +17957,7 @@ fi
 if test x$openssl = xtrue; then
 	{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for main in -lcrypto" >&5
 $as_echo_n "checking for main in -lcrypto... " >&6; }
-if test "${ac_cv_lib_crypto_main+set}" = set; then :
+if ${ac_cv_lib_crypto_main+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   ac_check_lib_save_LIBS=$LIBS
@@ -16942,7 +17985,7 @@ LIBS=$ac_check_lib_save_LIBS
 fi
 { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_crypto_main" >&5
 $as_echo "$ac_cv_lib_crypto_main" >&6; }
-if test "x$ac_cv_lib_crypto_main" = x""yes; then :
+if test "x$ac_cv_lib_crypto_main" = xyes; then :
   LIBS="$LIBS"
 else
   as_fn_error $? "OpenSSL crypto library not found" "$LINENO" 5
@@ -16950,7 +17993,7 @@ fi
 ac_cv_lib_crypto=ac_cv_lib_crypto_main
 
 	ac_fn_c_check_header_mongrel "$LINENO" "openssl/evp.h" "ac_cv_header_openssl_evp_h" "$ac_includes_default"
-if test "x$ac_cv_header_openssl_evp_h" = x""yes; then :
+if test "x$ac_cv_header_openssl_evp_h" = xyes; then :
 
 else
   as_fn_error $? "OpenSSL header openssl/evp.h not found!" "$LINENO" 5
@@ -16962,7 +18005,7 @@ fi
 if test x$gcrypt = xtrue; then
 	{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for main in -lgcrypt" >&5
 $as_echo_n "checking for main in -lgcrypt... " >&6; }
-if test "${ac_cv_lib_gcrypt_main+set}" = set; then :
+if ${ac_cv_lib_gcrypt_main+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   ac_check_lib_save_LIBS=$LIBS
@@ -16990,7 +18033,7 @@ LIBS=$ac_check_lib_save_LIBS
 fi
 { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_gcrypt_main" >&5
 $as_echo "$ac_cv_lib_gcrypt_main" >&6; }
-if test "x$ac_cv_lib_gcrypt_main" = x""yes; then :
+if test "x$ac_cv_lib_gcrypt_main" = xyes; then :
   LIBS="$LIBS"
 else
   as_fn_error $? "gcrypt library not found" "$LINENO" 5
@@ -16998,7 +18041,7 @@ fi
 ac_cv_lib_gcrypt=ac_cv_lib_gcrypt_main
 
 	ac_fn_c_check_header_mongrel "$LINENO" "gcrypt.h" "ac_cv_header_gcrypt_h" "$ac_includes_default"
-if test "x$ac_cv_header_gcrypt_h" = x""yes; then :
+if test "x$ac_cv_header_gcrypt_h" = xyes; then :
 
 else
   as_fn_error $? "gcrypt header gcrypt.h not found!" "$LINENO" 5
@@ -17035,7 +18078,7 @@ fi
 if test x$uci = xtrue; then
 	{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for main in -luci" >&5
 $as_echo_n "checking for main in -luci... " >&6; }
-if test "${ac_cv_lib_uci_main+set}" = set; then :
+if ${ac_cv_lib_uci_main+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   ac_check_lib_save_LIBS=$LIBS
@@ -17063,7 +18106,7 @@ LIBS=$ac_check_lib_save_LIBS
 fi
 { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_uci_main" >&5
 $as_echo "$ac_cv_lib_uci_main" >&6; }
-if test "x$ac_cv_lib_uci_main" = x""yes; then :
+if test "x$ac_cv_lib_uci_main" = xyes; then :
   LIBS="$LIBS"
 else
   as_fn_error $? "UCI library libuci not found" "$LINENO" 5
@@ -17071,7 +18114,7 @@ fi
 ac_cv_lib_uci=ac_cv_lib_uci_main
 
 	ac_fn_c_check_header_mongrel "$LINENO" "uci.h" "ac_cv_header_uci_h" "$ac_includes_default"
-if test "x$ac_cv_header_uci_h" = x""yes; then :
+if test "x$ac_cv_header_uci_h" = xyes; then :
 
 else
   as_fn_error $? "UCI header uci.h not found!" "$LINENO" 5
@@ -17083,7 +18126,7 @@ fi
 if test x$android = xtrue; then
 	{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for main in -lcutils" >&5
 $as_echo_n "checking for main in -lcutils... " >&6; }
-if test "${ac_cv_lib_cutils_main+set}" = set; then :
+if ${ac_cv_lib_cutils_main+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   ac_check_lib_save_LIBS=$LIBS
@@ -17111,7 +18154,7 @@ LIBS=$ac_check_lib_save_LIBS
 fi
 { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_cutils_main" >&5
 $as_echo "$ac_cv_lib_cutils_main" >&6; }
-if test "x$ac_cv_lib_cutils_main" = x""yes; then :
+if test "x$ac_cv_lib_cutils_main" = xyes; then :
   LIBS="$LIBS"
 else
   as_fn_error $? "Android library libcutils not found" "$LINENO" 5
@@ -17119,7 +18162,7 @@ fi
 ac_cv_lib_cutils=ac_cv_lib_cutils_main
 
 	ac_fn_c_check_header_mongrel "$LINENO" "cutils/properties.h" "ac_cv_header_cutils_properties_h" "$ac_includes_default"
-if test "x$ac_cv_header_cutils_properties_h" = x""yes; then :
+if test "x$ac_cv_header_cutils_properties_h" = xyes; then :
 
 else
   as_fn_error $? "Android header cutils/properties.h not found!" "$LINENO" 5
@@ -17146,6 +18189,7 @@ if test -n "$maemo_CFLAGS"; then
   $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
   test $ac_status = 0; }; then
   pkg_cv_maemo_CFLAGS=`$PKG_CONFIG --cflags "glib-2.0 gthread-2.0 libosso osso-af-settings" 2>/dev/null`
+		      test "x$?" != "x0" && pkg_failed=yes
 else
   pkg_failed=yes
 fi
@@ -17162,6 +18206,7 @@ if test -n "$maemo_LIBS"; then
   $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
   test $ac_status = 0; }; then
   pkg_cv_maemo_LIBS=`$PKG_CONFIG --libs "glib-2.0 gthread-2.0 libosso osso-af-settings" 2>/dev/null`
+		      test "x$?" != "x0" && pkg_failed=yes
 else
   pkg_failed=yes
 fi
@@ -17181,9 +18226,9 @@ else
         _pkg_short_errors_supported=no
 fi
         if test $_pkg_short_errors_supported = yes; then
-	        maemo_PKG_ERRORS=`$PKG_CONFIG --short-errors --print-errors "glib-2.0 gthread-2.0 libosso osso-af-settings" 2>&1`
+	        maemo_PKG_ERRORS=`$PKG_CONFIG --short-errors --print-errors --cflags --libs "glib-2.0 gthread-2.0 libosso osso-af-settings" 2>&1`
         else
-	        maemo_PKG_ERRORS=`$PKG_CONFIG --print-errors "glib-2.0 gthread-2.0 libosso osso-af-settings" 2>&1`
+	        maemo_PKG_ERRORS=`$PKG_CONFIG --print-errors --cflags --libs "glib-2.0 gthread-2.0 libosso osso-af-settings" 2>&1`
         fi
 	# Put the nasty error message in config.log where it belongs
 	echo "$maemo_PKG_ERRORS" >&5
@@ -17212,7 +18257,7 @@ and maemo_LIBS to avoid the need to call pkg-config.
 See the pkg-config man page for more details.
 
 To get pkg-config, see <http://pkg-config.freedesktop.org/>.
-See \`config.log' for more details" "$LINENO" 5 ; }
+See \`config.log' for more details" "$LINENO" 5; }
 else
 	maemo_CFLAGS=$pkg_cv_maemo_CFLAGS
 	maemo_LIBS=$pkg_cv_maemo_LIBS
@@ -17242,6 +18287,7 @@ if test -n "$pcsclite_CFLAGS"; then
   $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
   test $ac_status = 0; }; then
   pkg_cv_pcsclite_CFLAGS=`$PKG_CONFIG --cflags "libpcsclite" 2>/dev/null`
+		      test "x$?" != "x0" && pkg_failed=yes
 else
   pkg_failed=yes
 fi
@@ -17258,6 +18304,7 @@ if test -n "$pcsclite_LIBS"; then
   $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
   test $ac_status = 0; }; then
   pkg_cv_pcsclite_LIBS=`$PKG_CONFIG --libs "libpcsclite" 2>/dev/null`
+		      test "x$?" != "x0" && pkg_failed=yes
 else
   pkg_failed=yes
 fi
@@ -17277,9 +18324,9 @@ else
         _pkg_short_errors_supported=no
 fi
         if test $_pkg_short_errors_supported = yes; then
-	        pcsclite_PKG_ERRORS=`$PKG_CONFIG --short-errors --print-errors "libpcsclite" 2>&1`
+	        pcsclite_PKG_ERRORS=`$PKG_CONFIG --short-errors --print-errors --cflags --libs "libpcsclite" 2>&1`
         else
-	        pcsclite_PKG_ERRORS=`$PKG_CONFIG --print-errors "libpcsclite" 2>&1`
+	        pcsclite_PKG_ERRORS=`$PKG_CONFIG --print-errors --cflags --libs "libpcsclite" 2>&1`
         fi
 	# Put the nasty error message in config.log where it belongs
 	echo "$pcsclite_PKG_ERRORS" >&5
@@ -17308,7 +18355,7 @@ and pcsclite_LIBS to avoid the need to call pkg-config.
 See the pkg-config man page for more details.
 
 To get pkg-config, see <http://pkg-config.freedesktop.org/>.
-See \`config.log' for more details" "$LINENO" 5 ; }
+See \`config.log' for more details" "$LINENO" 5; }
 else
 	pcsclite_CFLAGS=$pkg_cv_pcsclite_CFLAGS
 	pcsclite_LIBS=$pkg_cv_pcsclite_LIBS
@@ -17342,6 +18389,7 @@ if test -n "$nm_CFLAGS"; then
   $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
   test $ac_status = 0; }; then
   pkg_cv_nm_CFLAGS=`$PKG_CONFIG --cflags "NetworkManager gthread-2.0 libnm-util libnm-glib libnm-glib-vpn" 2>/dev/null`
+		      test "x$?" != "x0" && pkg_failed=yes
 else
   pkg_failed=yes
 fi
@@ -17358,6 +18406,7 @@ if test -n "$nm_LIBS"; then
   $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
   test $ac_status = 0; }; then
   pkg_cv_nm_LIBS=`$PKG_CONFIG --libs "NetworkManager gthread-2.0 libnm-util libnm-glib libnm-glib-vpn" 2>/dev/null`
+		      test "x$?" != "x0" && pkg_failed=yes
 else
   pkg_failed=yes
 fi
@@ -17377,9 +18426,9 @@ else
         _pkg_short_errors_supported=no
 fi
         if test $_pkg_short_errors_supported = yes; then
-	        nm_PKG_ERRORS=`$PKG_CONFIG --short-errors --print-errors "NetworkManager gthread-2.0 libnm-util libnm-glib libnm-glib-vpn" 2>&1`
+	        nm_PKG_ERRORS=`$PKG_CONFIG --short-errors --print-errors --cflags --libs "NetworkManager gthread-2.0 libnm-util libnm-glib libnm-glib-vpn" 2>&1`
         else
-	        nm_PKG_ERRORS=`$PKG_CONFIG --print-errors "NetworkManager gthread-2.0 libnm-util libnm-glib libnm-glib-vpn" 2>&1`
+	        nm_PKG_ERRORS=`$PKG_CONFIG --print-errors --cflags --libs "NetworkManager gthread-2.0 libnm-util libnm-glib libnm-glib-vpn" 2>&1`
         fi
 	# Put the nasty error message in config.log where it belongs
 	echo "$nm_PKG_ERRORS" >&5
@@ -17408,7 +18457,7 @@ and nm_LIBS to avoid the need to call pkg-config.
 See the pkg-config man page for more details.
 
 To get pkg-config, see <http://pkg-config.freedesktop.org/>.
-See \`config.log' for more details" "$LINENO" 5 ; }
+See \`config.log' for more details" "$LINENO" 5; }
 else
 	nm_CFLAGS=$pkg_cv_nm_CFLAGS
 	nm_LIBS=$pkg_cv_nm_LIBS
@@ -17432,6 +18481,7 @@ if test -n "$nm_CFLAGS"; then
   $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
   test $ac_status = 0; }; then
   pkg_cv_nm_CFLAGS=`$PKG_CONFIG --cflags "NetworkManager gthread-2.0 libnm_util libnm_glib libnm_glib_vpn" 2>/dev/null`
+		      test "x$?" != "x0" && pkg_failed=yes
 else
   pkg_failed=yes
 fi
@@ -17448,6 +18498,7 @@ if test -n "$nm_LIBS"; then
   $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
   test $ac_status = 0; }; then
   pkg_cv_nm_LIBS=`$PKG_CONFIG --libs "NetworkManager gthread-2.0 libnm_util libnm_glib libnm_glib_vpn" 2>/dev/null`
+		      test "x$?" != "x0" && pkg_failed=yes
 else
   pkg_failed=yes
 fi
@@ -17467,9 +18518,9 @@ else
         _pkg_short_errors_supported=no
 fi
         if test $_pkg_short_errors_supported = yes; then
-	        nm_PKG_ERRORS=`$PKG_CONFIG --short-errors --print-errors "NetworkManager gthread-2.0 libnm_util libnm_glib libnm_glib_vpn" 2>&1`
+	        nm_PKG_ERRORS=`$PKG_CONFIG --short-errors --print-errors --cflags --libs "NetworkManager gthread-2.0 libnm_util libnm_glib libnm_glib_vpn" 2>&1`
         else
-	        nm_PKG_ERRORS=`$PKG_CONFIG --print-errors "NetworkManager gthread-2.0 libnm_util libnm_glib libnm_glib_vpn" 2>&1`
+	        nm_PKG_ERRORS=`$PKG_CONFIG --print-errors --cflags --libs "NetworkManager gthread-2.0 libnm_util libnm_glib libnm_glib_vpn" 2>&1`
         fi
 	# Put the nasty error message in config.log where it belongs
 	echo "$nm_PKG_ERRORS" >&5
@@ -17498,7 +18549,7 @@ and nm_LIBS to avoid the need to call pkg-config.
 See the pkg-config man page for more details.
 
 To get pkg-config, see <http://pkg-config.freedesktop.org/>.
-See \`config.log' for more details" "$LINENO" 5 ; }
+See \`config.log' for more details" "$LINENO" 5; }
 else
 	nm_CFLAGS=$pkg_cv_nm_CFLAGS
 	nm_LIBS=$pkg_cv_nm_LIBS
@@ -17515,7 +18566,7 @@ fi
 if test x$xauth_pam = xtrue; then
 	{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for main in -lpam" >&5
 $as_echo_n "checking for main in -lpam... " >&6; }
-if test "${ac_cv_lib_pam_main+set}" = set; then :
+if ${ac_cv_lib_pam_main+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   ac_check_lib_save_LIBS=$LIBS
@@ -17543,7 +18594,7 @@ LIBS=$ac_check_lib_save_LIBS
 fi
 { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_pam_main" >&5
 $as_echo "$ac_cv_lib_pam_main" >&6; }
-if test "x$ac_cv_lib_pam_main" = x""yes; then :
+if test "x$ac_cv_lib_pam_main" = xyes; then :
   LIBS="$LIBS"
 else
   as_fn_error $? "PAM library not found" "$LINENO" 5
@@ -17551,7 +18602,7 @@ fi
 ac_cv_lib_pam=ac_cv_lib_pam_main
 
 	ac_fn_c_check_header_mongrel "$LINENO" "security/pam_appl.h" "ac_cv_header_security_pam_appl_h" "$ac_includes_default"
-if test "x$ac_cv_header_security_pam_appl_h" = x""yes; then :
+if test "x$ac_cv_header_security_pam_appl_h" = xyes; then :
 
 else
   as_fn_error $? "PAM header security/pam_appl.h not found!" "$LINENO" 5
@@ -17566,7 +18617,7 @@ $as_echo "$as_me: Usage of the native Linux capabilities interface is deprecated
 			for ac_header in sys/capability.h
 do :
   ac_fn_c_check_header_mongrel "$LINENO" "sys/capability.h" "ac_cv_header_sys_capability_h" "$ac_includes_default"
-if test "x$ac_cv_header_sys_capability_h" = x""yes; then :
+if test "x$ac_cv_header_sys_capability_h" = xyes; then :
   cat >>confdefs.h <<_ACEOF
 #define HAVE_SYS_CAPABILITY_H 1
 _ACEOF
@@ -17576,7 +18627,7 @@ fi
 done
 
 	ac_fn_c_check_func "$LINENO" "capset" "ac_cv_func_capset"
-if test "x$ac_cv_func_capset" = x""yes; then :
+if test "x$ac_cv_func_capset" = xyes; then :
 
 else
   as_fn_error $? "capset() not found!" "$LINENO" 5
@@ -17590,7 +18641,7 @@ fi
 if test x$capabilities = xlibcap; then
 	{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for main in -lcap" >&5
 $as_echo_n "checking for main in -lcap... " >&6; }
-if test "${ac_cv_lib_cap_main+set}" = set; then :
+if ${ac_cv_lib_cap_main+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   ac_check_lib_save_LIBS=$LIBS
@@ -17618,7 +18669,7 @@ LIBS=$ac_check_lib_save_LIBS
 fi
 { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_cap_main" >&5
 $as_echo "$ac_cv_lib_cap_main" >&6; }
-if test "x$ac_cv_lib_cap_main" = x""yes; then :
+if test "x$ac_cv_lib_cap_main" = xyes; then :
   LIBS="$LIBS"
 else
   as_fn_error $? "libcap library not found" "$LINENO" 5
@@ -17626,7 +18677,7 @@ fi
 ac_cv_lib_cap=ac_cv_lib_cap_main
 
 	ac_fn_c_check_header_mongrel "$LINENO" "sys/capability.h" "ac_cv_header_sys_capability_h" "$ac_includes_default"
-if test "x$ac_cv_header_sys_capability_h" = x""yes; then :
+if test "x$ac_cv_header_sys_capability_h" = xyes; then :
 
 $as_echo "#define HAVE_SYS_CAPABILITY_H /**/" >>confdefs.h
 
@@ -17694,7 +18745,7 @@ fi
 if test x$bfd_backtraces = xtrue; then
 	{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for main in -lbfd" >&5
 $as_echo_n "checking for main in -lbfd... " >&6; }
-if test "${ac_cv_lib_bfd_main+set}" = set; then :
+if ${ac_cv_lib_bfd_main+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   ac_check_lib_save_LIBS=$LIBS
@@ -17722,7 +18773,7 @@ LIBS=$ac_check_lib_save_LIBS
 fi
 { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_bfd_main" >&5
 $as_echo "$ac_cv_lib_bfd_main" >&6; }
-if test "x$ac_cv_lib_bfd_main" = x""yes; then :
+if test "x$ac_cv_lib_bfd_main" = xyes; then :
   LIBS="$LIBS"
 else
   as_fn_error $? "binutils libbfd not found!" "$LINENO" 5
@@ -17730,7 +18781,7 @@ fi
 ac_cv_lib_bfd=ac_cv_lib_bfd_main
 
 	ac_fn_c_check_header_mongrel "$LINENO" "bfd.h" "ac_cv_header_bfd_h" "$ac_includes_default"
-if test "x$ac_cv_header_bfd_h" = x""yes; then :
+if test "x$ac_cv_header_bfd_h" = xyes; then :
 
 $as_echo "#define HAVE_BFD_H /**/" >>confdefs.h
 
@@ -17929,6 +18980,19 @@ if test x$md5 = xtrue; then
 
 	fi
 
+if test x$rdrand = xtrue; then
+		s_plugins=${s_plugins}" rdrand"
+		charon_plugins=${charon_plugins}" rdrand"
+		openac_plugins=${openac_plugins}" rdrand"
+		scepclient_plugins=${scepclient_plugins}" rdrand"
+		pki_plugins=${pki_plugins}" rdrand"
+		scripts_plugins=${scripts_plugins}" rdrand"
+		medsrv_plugins=${medsrv_plugins}" rdrand"
+		attest_plugins=${attest_plugins}" rdrand"
+		nm_plugins=${nm_plugins}" rdrand"
+
+	fi
+
 if test x$random = xtrue; then
 		s_plugins=${s_plugins}" random"
 		charon_plugins=${charon_plugins}" random"
@@ -17995,6 +19059,13 @@ if test x$pkcs1 = xtrue; then
 
 	fi
 
+if test x$pkcs7 = xtrue; then
+		s_plugins=${s_plugins}" pkcs7"
+		scepclient_plugins=${scepclient_plugins}" pkcs7"
+		pki_plugins=${pki_plugins}" pkcs7"
+
+	fi
+
 if test x$pkcs8 = xtrue; then
 		s_plugins=${s_plugins}" pkcs8"
 		charon_plugins=${charon_plugins}" pkcs8"
@@ -18477,6 +19548,18 @@ if test x$whitelist = xtrue; then
 
 	fi
 
+if test x$lookip = xtrue; then
+		c_plugins=${c_plugins}" lookip"
+		charon_plugins=${charon_plugins}" lookip"
+
+	fi
+
+if test x$error_notify = xtrue; then
+		c_plugins=${c_plugins}" error-notify"
+		charon_plugins=${charon_plugins}" error-notify"
+
+	fi
+
 if test x$certexpire = xtrue; then
 		c_plugins=${c_plugins}" certexpire"
 		charon_plugins=${charon_plugins}" certexpire"
@@ -18660,6 +19743,14 @@ else
   USE_GMP_FALSE=
 fi
 
+ if test x$rdrand = xtrue; then
+  USE_RDRAND_TRUE=
+  USE_RDRAND_FALSE='#'
+else
+  USE_RDRAND_TRUE='#'
+  USE_RDRAND_FALSE=
+fi
+
  if test x$random = xtrue; then
   USE_RANDOM_TRUE=
   USE_RANDOM_FALSE='#'
@@ -18716,6 +19807,14 @@ else
   USE_PKCS1_FALSE=
 fi
 
+ if test x$pkcs7 = xtrue; then
+  USE_PKCS7_TRUE=
+  USE_PKCS7_FALSE='#'
+else
+  USE_PKCS7_TRUE='#'
+  USE_PKCS7_FALSE=
+fi
+
  if test x$pkcs8 = xtrue; then
   USE_PKCS8_TRUE=
   USE_PKCS8_FALSE='#'
@@ -18981,6 +20080,22 @@ else
   USE_WHITELIST_FALSE=
 fi
 
+ if test x$lookip = xtrue; then
+  USE_LOOKIP_TRUE=
+  USE_LOOKIP_FALSE='#'
+else
+  USE_LOOKIP_TRUE='#'
+  USE_LOOKIP_FALSE=
+fi
+
+ if test x$error_notify = xtrue; then
+  USE_ERROR_NOTIFY_TRUE=
+  USE_ERROR_NOTIFY_FALSE='#'
+else
+  USE_ERROR_NOTIFY_TRUE='#'
+  USE_ERROR_NOTIFY_FALSE=
+fi
+
  if test x$certexpire = xtrue; then
   USE_CERTEXPIRE_TRUE=
   USE_CERTEXPIRE_FALSE='#'
@@ -19285,6 +20400,22 @@ else
   USE_IMV_SCANNER_FALSE=
 fi
 
+ if test x$imc_os = xtrue; then
+  USE_IMC_OS_TRUE=
+  USE_IMC_OS_FALSE='#'
+else
+  USE_IMC_OS_TRUE='#'
+  USE_IMC_OS_FALSE=
+fi
+
+ if test x$imv_os = xtrue; then
+  USE_IMV_OS_TRUE=
+  USE_IMV_OS_FALSE='#'
+else
+  USE_IMV_OS_TRUE='#'
+  USE_IMV_OS_FALSE=
+fi
+
  if test x$imc_attestation = xtrue; then
   USE_IMC_ATTESTATION_TRUE=
   USE_IMC_ATTESTATION_FALSE='#'
@@ -19655,6 +20786,14 @@ else
   USE_PTS_FALSE=
 fi
 
+ if test x$tss = xtrousers; then
+  USE_TROUSERS_TRUE=
+  USE_TROUSERS_FALSE='#'
+else
+  USE_TROUSERS_TRUE='#'
+  USE_TROUSERS_FALSE=
+fi
+
  if test x$monolithic = xtrue; then
   MONOLITHIC_TRUE=
   MONOLITHIC_FALSE='#'
@@ -19692,7 +20831,7 @@ $as_echo "#define USE_IKEV2 /**/" >>confdefs.h
 fi
 
 
-ac_config_files="$ac_config_files Makefile man/Makefile init/Makefile init/systemd/Makefile src/Makefile src/include/Makefile src/libstrongswan/Makefile src/libstrongswan/plugins/aes/Makefile src/libstrongswan/plugins/cmac/Makefile src/libstrongswan/plugins/des/Makefile src/libstrongswan/plugins/blowfish/Makefile src/libstrongswan/plugins/md4/Makefile src/libstrongswan/plugins/md5/Makefile src/libstrongswan/plugins/sha1/Makefile src/libstrongswan/plugins/sha2/Makefile src/libstrongswan/plugins/fips_prf/Makefile src/libstrongswan/plugins/gmp/Makefile src/libstrongswan/plugins/random/Makefile src/libstrongswan/plugins/nonce/Makefile src/libstrongswan/plugins/hmac/Makefile src/libstrongswan/plugins/xcbc/Makefile src/libstrongswan/plugins/x509/Makefile src/libstrongswan/plugins/revocation/Makefile src/libstrongswan/plugins/constraints/Makefile src/libstrongswan/plugins/pubkey/Makefile src/libstrongswan/plugins/pkcs1/Makefile src/libstrongswan/plugins/pkcs8/Makefile src/libstrongswan/plugins/pgp/Makefile src/libstrongswan/plugins/dnskey/Makefile src/libstrongswan/plugins/pem/Makefile src/libstrongswan/plugins/curl/Makefile src/libstrongswan/plugins/soup/Makefile src/libstrongswan/plugins/ldap/Makefile src/libstrongswan/plugins/mysql/Makefile src/libstrongswan/plugins/sqlite/Makefile src/libstrongswan/plugins/padlock/Makefile src/libstrongswan/plugins/openssl/Makefile src/libstrongswan/plugins/gcrypt/Makefile src/libstrongswan/plugins/agent/Makefile src/libstrongswan/plugins/pkcs11/Makefile src/libstrongswan/plugins/ctr/Makefile src/libstrongswan/plugins/ccm/Makefile src/libstrongswan/plugins/gcm/Makefile src/libstrongswan/plugins/af_alg/Makefile src/libstrongswan/plugins/test_vectors/Makefile src/libhydra/Makefile src/libhydra/plugins/attr/Makefile src/libhydra/plugins/attr_sql/Makefile src/libhydra/plugins/kernel_klips/Makefile src/libhydra/plugins/kernel_netlink/Makefile src/libhydra/plugins/kernel_pfkey/Makefile src/libhydra/plugins/kernel_pfroute/Makefile src/libhydra/plugins/resolve/Makefile src/libipsec/Makefile src/libsimaka/Makefile src/libtls/Makefile src/libradius/Makefile src/libtncif/Makefile src/libtnccs/Makefile src/libpts/Makefile src/libpts/plugins/imc_attestation/Makefile src/libpts/plugins/imv_attestation/Makefile src/libimcv/Makefile src/libimcv/plugins/imc_test/Makefile src/libimcv/plugins/imv_test/Makefile src/libimcv/plugins/imc_scanner/Makefile src/libimcv/plugins/imv_scanner/Makefile src/charon/Makefile src/charon-nm/Makefile src/libcharon/Makefile src/libcharon/plugins/eap_aka/Makefile src/libcharon/plugins/eap_aka_3gpp2/Makefile src/libcharon/plugins/eap_dynamic/Makefile src/libcharon/plugins/eap_identity/Makefile src/libcharon/plugins/eap_md5/Makefile src/libcharon/plugins/eap_gtc/Makefile src/libcharon/plugins/eap_sim/Makefile src/libcharon/plugins/eap_sim_file/Makefile src/libcharon/plugins/eap_sim_pcsc/Makefile src/libcharon/plugins/eap_simaka_sql/Makefile src/libcharon/plugins/eap_simaka_pseudonym/Makefile src/libcharon/plugins/eap_simaka_reauth/Makefile src/libcharon/plugins/eap_mschapv2/Makefile src/libcharon/plugins/eap_tls/Makefile src/libcharon/plugins/eap_ttls/Makefile src/libcharon/plugins/eap_peap/Makefile src/libcharon/plugins/eap_tnc/Makefile src/libcharon/plugins/eap_radius/Makefile src/libcharon/plugins/xauth_generic/Makefile src/libcharon/plugins/xauth_eap/Makefile src/libcharon/plugins/xauth_pam/Makefile src/libcharon/plugins/tnc_ifmap/Makefile src/libcharon/plugins/tnc_pdp/Makefile src/libcharon/plugins/tnc_imc/Makefile src/libcharon/plugins/tnc_imv/Makefile src/libcharon/plugins/tnc_tnccs/Makefile src/libcharon/plugins/tnccs_11/Makefile src/libcharon/plugins/tnccs_20/Makefile src/libcharon/plugins/tnccs_dynamic/Makefile src/libcharon/plugins/socket_default/Makefile src/libcharon/plugins/socket_dynamic/Makefile src/libcharon/plugins/farp/Makefile src/libcharon/plugins/smp/Makefile src/libcharon/plugins/sql/Makefile src/libcharon/plugins/medsrv/Makefile src/libcharon/plugins/medcli/Makefile src/libcharon/plugins/addrblock/Makefile src/libcharon/plugins/unity/Makefile src/libcharon/plugins/uci/Makefile src/libcharon/plugins/ha/Makefile src/libcharon/plugins/whitelist/Makefile src/libcharon/plugins/certexpire/Makefile src/libcharon/plugins/led/Makefile src/libcharon/plugins/duplicheck/Makefile src/libcharon/plugins/coupling/Makefile src/libcharon/plugins/radattr/Makefile src/libcharon/plugins/android/Makefile src/libcharon/plugins/android_log/Makefile src/libcharon/plugins/maemo/Makefile src/libcharon/plugins/stroke/Makefile src/libcharon/plugins/updown/Makefile src/libcharon/plugins/dhcp/Makefile src/libcharon/plugins/unit_tester/Makefile src/libcharon/plugins/load_tester/Makefile src/stroke/Makefile src/ipsec/Makefile src/starter/Makefile src/_updown/Makefile src/_updown_espmark/Makefile src/_copyright/Makefile src/openac/Makefile src/scepclient/Makefile src/pki/Makefile src/dumm/Makefile src/dumm/ext/extconf.rb src/libfast/Makefile src/manager/Makefile src/medsrv/Makefile src/checksum/Makefile src/conftest/Makefile scripts/Makefile testing/Makefile"
+ac_config_files="$ac_config_files Makefile man/Makefile init/Makefile init/systemd/Makefile src/Makefile src/include/Makefile src/libstrongswan/Makefile src/libstrongswan/plugins/aes/Makefile src/libstrongswan/plugins/cmac/Makefile src/libstrongswan/plugins/des/Makefile src/libstrongswan/plugins/blowfish/Makefile src/libstrongswan/plugins/md4/Makefile src/libstrongswan/plugins/md5/Makefile src/libstrongswan/plugins/sha1/Makefile src/libstrongswan/plugins/sha2/Makefile src/libstrongswan/plugins/fips_prf/Makefile src/libstrongswan/plugins/gmp/Makefile src/libstrongswan/plugins/rdrand/Makefile src/libstrongswan/plugins/random/Makefile src/libstrongswan/plugins/nonce/Makefile src/libstrongswan/plugins/hmac/Makefile src/libstrongswan/plugins/xcbc/Makefile src/libstrongswan/plugins/x509/Makefile src/libstrongswan/plugins/revocation/Makefile src/libstrongswan/plugins/constraints/Makefile src/libstrongswan/plugins/pubkey/Makefile src/libstrongswan/plugins/pkcs1/Makefile src/libstrongswan/plugins/pkcs7/Makefile src/libstrongswan/plugins/pkcs8/Makefile src/libstrongswan/plugins/pgp/Makefile src/libstrongswan/plugins/dnskey/Makefile src/libstrongswan/plugins/pem/Makefile src/libstrongswan/plugins/curl/Makefile src/libstrongswan/plugins/soup/Makefile src/libstrongswan/plugins/ldap/Makefile src/libstrongswan/plugins/mysql/Makefile src/libstrongswan/plugins/sqlite/Makefile src/libstrongswan/plugins/padlock/Makefile src/libstrongswan/plugins/openssl/Makefile src/libstrongswan/plugins/gcrypt/Makefile src/libstrongswan/plugins/agent/Makefile src/libstrongswan/plugins/pkcs11/Makefile src/libstrongswan/plugins/ctr/Makefile src/libstrongswan/plugins/ccm/Makefile src/libstrongswan/plugins/gcm/Makefile src/libstrongswan/plugins/af_alg/Makefile src/libstrongswan/plugins/test_vectors/Makefile src/libhydra/Makefile src/libhydra/plugins/attr/Makefile src/libhydra/plugins/attr_sql/Makefile src/libhydra/plugins/kernel_klips/Makefile src/libhydra/plugins/kernel_netlink/Makefile src/libhydra/plugins/kernel_pfkey/Makefile src/libhydra/plugins/kernel_pfroute/Makefile src/libhydra/plugins/resolve/Makefile src/libipsec/Makefile src/libsimaka/Makefile src/libtls/Makefile src/libradius/Makefile src/libtncif/Makefile src/libtnccs/Makefile src/libpts/Makefile src/libpts/plugins/imc_attestation/Makefile src/libpts/plugins/imv_attestation/Makefile src/libimcv/Makefile src/libimcv/plugins/imc_test/Makefile src/libimcv/plugins/imv_test/Makefile src/libimcv/plugins/imc_scanner/Makefile src/libimcv/plugins/imv_scanner/Makefile src/libimcv/plugins/imc_os/Makefile src/libimcv/plugins/imv_os/Makefile src/charon/Makefile src/charon-nm/Makefile src/libcharon/Makefile src/libcharon/plugins/eap_aka/Makefile src/libcharon/plugins/eap_aka_3gpp2/Makefile src/libcharon/plugins/eap_dynamic/Makefile src/libcharon/plugins/eap_identity/Makefile src/libcharon/plugins/eap_md5/Makefile src/libcharon/plugins/eap_gtc/Makefile src/libcharon/plugins/eap_sim/Makefile src/libcharon/plugins/eap_sim_file/Makefile src/libcharon/plugins/eap_sim_pcsc/Makefile src/libcharon/plugins/eap_simaka_sql/Makefile src/libcharon/plugins/eap_simaka_pseudonym/Makefile src/libcharon/plugins/eap_simaka_reauth/Makefile src/libcharon/plugins/eap_mschapv2/Makefile src/libcharon/plugins/eap_tls/Makefile src/libcharon/plugins/eap_ttls/Makefile src/libcharon/plugins/eap_peap/Makefile src/libcharon/plugins/eap_tnc/Makefile src/libcharon/plugins/eap_radius/Makefile src/libcharon/plugins/xauth_generic/Makefile src/libcharon/plugins/xauth_eap/Makefile src/libcharon/plugins/xauth_pam/Makefile src/libcharon/plugins/tnc_ifmap/Makefile src/libcharon/plugins/tnc_pdp/Makefile src/libcharon/plugins/tnc_imc/Makefile src/libcharon/plugins/tnc_imv/Makefile src/libcharon/plugins/tnc_tnccs/Makefile src/libcharon/plugins/tnccs_11/Makefile src/libcharon/plugins/tnccs_20/Makefile src/libcharon/plugins/tnccs_dynamic/Makefile src/libcharon/plugins/socket_default/Makefile src/libcharon/plugins/socket_dynamic/Makefile src/libcharon/plugins/farp/Makefile src/libcharon/plugins/smp/Makefile src/libcharon/plugins/sql/Makefile src/libcharon/plugins/medsrv/Makefile src/libcharon/plugins/medcli/Makefile src/libcharon/plugins/addrblock/Makefile src/libcharon/plugins/unity/Makefile src/libcharon/plugins/uci/Makefile src/libcharon/plugins/ha/Makefile src/libcharon/plugins/whitelist/Makefile src/libcharon/plugins/lookip/Makefile src/libcharon/plugins/error_notify/Makefile src/libcharon/plugins/certexpire/Makefile src/libcharon/plugins/led/Makefile src/libcharon/plugins/duplicheck/Makefile src/libcharon/plugins/coupling/Makefile src/libcharon/plugins/radattr/Makefile src/libcharon/plugins/android/Makefile src/libcharon/plugins/android_log/Makefile src/libcharon/plugins/maemo/Makefile src/libcharon/plugins/stroke/Makefile src/libcharon/plugins/updown/Makefile src/libcharon/plugins/dhcp/Makefile src/libcharon/plugins/unit_tester/Makefile src/libcharon/plugins/load_tester/Makefile src/stroke/Makefile src/ipsec/Makefile src/starter/Makefile src/_updown/Makefile src/_updown_espmark/Makefile src/_copyright/Makefile src/openac/Makefile src/scepclient/Makefile src/pki/Makefile src/dumm/Makefile src/dumm/ext/extconf.rb src/libfast/Makefile src/manager/Makefile src/medsrv/Makefile src/checksum/Makefile src/conftest/Makefile scripts/Makefile testing/Makefile"
 
 cat >confcache <<\_ACEOF
 # This file is a shell script that caches the results of configure
@@ -19758,10 +20897,21 @@ $as_echo "$as_me: WARNING: cache variable $ac_var contains a newline" >&2;} ;;
      :end' >>confcache
 if diff "$cache_file" confcache >/dev/null 2>&1; then :; else
   if test -w "$cache_file"; then
-    test "x$cache_file" != "x/dev/null" &&
+    if test "x$cache_file" != "x/dev/null"; then
       { $as_echo "$as_me:${as_lineno-$LINENO}: updating cache $cache_file" >&5
 $as_echo "$as_me: updating cache $cache_file" >&6;}
-    cat confcache >$cache_file
+      if test ! -f "$cache_file" || test -h "$cache_file"; then
+	cat confcache >"$cache_file"
+      else
+        case $cache_file in #(
+        */* | ?:*)
+	  mv -f confcache "$cache_file"$$ &&
+	  mv -f "$cache_file"$$ "$cache_file" ;; #(
+        *)
+	  mv -f confcache "$cache_file" ;;
+	esac
+      fi
+    fi
   else
     { $as_echo "$as_me:${as_lineno-$LINENO}: not updating unwritable cache $cache_file" >&5
 $as_echo "$as_me: not updating unwritable cache $cache_file" >&6;}
@@ -19869,6 +21019,10 @@ if test -z "${USE_GMP_TRUE}" && test -z "${USE_GMP_FALSE}"; then
   as_fn_error $? "conditional \"USE_GMP\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
+if test -z "${USE_RDRAND_TRUE}" && test -z "${USE_RDRAND_FALSE}"; then
+  as_fn_error $? "conditional \"USE_RDRAND\" was never defined.
+Usually this means the macro was only invoked conditionally." "$LINENO" 5
+fi
 if test -z "${USE_RANDOM_TRUE}" && test -z "${USE_RANDOM_FALSE}"; then
   as_fn_error $? "conditional \"USE_RANDOM\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
@@ -19897,6 +21051,10 @@ if test -z "${USE_PKCS1_TRUE}" && test -z "${USE_PKCS1_FALSE}"; then
   as_fn_error $? "conditional \"USE_PKCS1\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
+if test -z "${USE_PKCS7_TRUE}" && test -z "${USE_PKCS7_FALSE}"; then
+  as_fn_error $? "conditional \"USE_PKCS7\" was never defined.
+Usually this means the macro was only invoked conditionally." "$LINENO" 5
+fi
 if test -z "${USE_PKCS8_TRUE}" && test -z "${USE_PKCS8_FALSE}"; then
   as_fn_error $? "conditional \"USE_PKCS8\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
@@ -20029,6 +21187,14 @@ if test -z "${USE_WHITELIST_TRUE}" && test -z "${USE_WHITELIST_FALSE}"; then
   as_fn_error $? "conditional \"USE_WHITELIST\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
+if test -z "${USE_LOOKIP_TRUE}" && test -z "${USE_LOOKIP_FALSE}"; then
+  as_fn_error $? "conditional \"USE_LOOKIP\" was never defined.
+Usually this means the macro was only invoked conditionally." "$LINENO" 5
+fi
+if test -z "${USE_ERROR_NOTIFY_TRUE}" && test -z "${USE_ERROR_NOTIFY_FALSE}"; then
+  as_fn_error $? "conditional \"USE_ERROR_NOTIFY\" was never defined.
+Usually this means the macro was only invoked conditionally." "$LINENO" 5
+fi
 if test -z "${USE_CERTEXPIRE_TRUE}" && test -z "${USE_CERTEXPIRE_FALSE}"; then
   as_fn_error $? "conditional \"USE_CERTEXPIRE\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
@@ -20181,6 +21347,14 @@ if test -z "${USE_IMV_SCANNER_TRUE}" && test -z "${USE_IMV_SCANNER_FALSE}"; then
   as_fn_error $? "conditional \"USE_IMV_SCANNER\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
+if test -z "${USE_IMC_OS_TRUE}" && test -z "${USE_IMC_OS_FALSE}"; then
+  as_fn_error $? "conditional \"USE_IMC_OS\" was never defined.
+Usually this means the macro was only invoked conditionally." "$LINENO" 5
+fi
+if test -z "${USE_IMV_OS_TRUE}" && test -z "${USE_IMV_OS_FALSE}"; then
+  as_fn_error $? "conditional \"USE_IMV_OS\" was never defined.
+Usually this means the macro was only invoked conditionally." "$LINENO" 5
+fi
 if test -z "${USE_IMC_ATTESTATION_TRUE}" && test -z "${USE_IMC_ATTESTATION_FALSE}"; then
   as_fn_error $? "conditional \"USE_IMC_ATTESTATION\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
@@ -20365,12 +21539,16 @@ if test -z "${USE_PTS_TRUE}" && test -z "${USE_PTS_FALSE}"; then
   as_fn_error $? "conditional \"USE_PTS\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
+if test -z "${USE_TROUSERS_TRUE}" && test -z "${USE_TROUSERS_FALSE}"; then
+  as_fn_error $? "conditional \"USE_TROUSERS\" was never defined.
+Usually this means the macro was only invoked conditionally." "$LINENO" 5
+fi
 if test -z "${MONOLITHIC_TRUE}" && test -z "${MONOLITHIC_FALSE}"; then
   as_fn_error $? "conditional \"MONOLITHIC\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
 
-: ${CONFIG_STATUS=./config.status}
+: "${CONFIG_STATUS=./config.status}"
 ac_write_fail=0
 ac_clean_files_save=$ac_clean_files
 ac_clean_files="$ac_clean_files $CONFIG_STATUS"
@@ -20471,6 +21649,7 @@ fi
 IFS=" ""	$as_nl"
 
 # Find who we are.  Look in the path if we contain no directory separator.
+as_myself=
 case $0 in #((
   *[\\/]* ) as_myself=$0 ;;
   *) as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
@@ -20777,8 +21956,8 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
 # report actual input values of CONFIG_FILES etc. instead of their
 # values after options handling.
 ac_log="
-This file was extended by strongSwan $as_me 5.0.1, which was
-generated by GNU Autoconf 2.67.  Invocation command line was
+This file was extended by strongSwan $as_me 5.0.2, which was
+generated by GNU Autoconf 2.68.  Invocation command line was
 
   CONFIG_FILES    = $CONFIG_FILES
   CONFIG_HEADERS  = $CONFIG_HEADERS
@@ -20843,8 +22022,8 @@ _ACEOF
 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
 ac_cs_version="\\
-strongSwan config.status 5.0.1
-configured by $0, generated by GNU Autoconf 2.67,
+strongSwan config.status 5.0.2
+configured by $0, generated by GNU Autoconf 2.68,
   with options \\"\$ac_cs_config\\"
 
 Copyright (C) 2010 Free Software Foundation, Inc.
@@ -20972,131 +22151,154 @@ AMDEP_TRUE="$AMDEP_TRUE" ac_aux_dir="$ac_aux_dir"
 sed_quote_subst='$sed_quote_subst'
 double_quote_subst='$double_quote_subst'
 delay_variable_subst='$delay_variable_subst'
-macro_version='`$ECHO "X$macro_version" | $Xsed -e "$delay_single_quote_subst"`'
-macro_revision='`$ECHO "X$macro_revision" | $Xsed -e "$delay_single_quote_subst"`'
-enable_shared='`$ECHO "X$enable_shared" | $Xsed -e "$delay_single_quote_subst"`'
-enable_static='`$ECHO "X$enable_static" | $Xsed -e "$delay_single_quote_subst"`'
-pic_mode='`$ECHO "X$pic_mode" | $Xsed -e "$delay_single_quote_subst"`'
-enable_fast_install='`$ECHO "X$enable_fast_install" | $Xsed -e "$delay_single_quote_subst"`'
-host_alias='`$ECHO "X$host_alias" | $Xsed -e "$delay_single_quote_subst"`'
-host='`$ECHO "X$host" | $Xsed -e "$delay_single_quote_subst"`'
-host_os='`$ECHO "X$host_os" | $Xsed -e "$delay_single_quote_subst"`'
-build_alias='`$ECHO "X$build_alias" | $Xsed -e "$delay_single_quote_subst"`'
-build='`$ECHO "X$build" | $Xsed -e "$delay_single_quote_subst"`'
-build_os='`$ECHO "X$build_os" | $Xsed -e "$delay_single_quote_subst"`'
-SED='`$ECHO "X$SED" | $Xsed -e "$delay_single_quote_subst"`'
-Xsed='`$ECHO "X$Xsed" | $Xsed -e "$delay_single_quote_subst"`'
-GREP='`$ECHO "X$GREP" | $Xsed -e "$delay_single_quote_subst"`'
-EGREP='`$ECHO "X$EGREP" | $Xsed -e "$delay_single_quote_subst"`'
-FGREP='`$ECHO "X$FGREP" | $Xsed -e "$delay_single_quote_subst"`'
-LD='`$ECHO "X$LD" | $Xsed -e "$delay_single_quote_subst"`'
-NM='`$ECHO "X$NM" | $Xsed -e "$delay_single_quote_subst"`'
-LN_S='`$ECHO "X$LN_S" | $Xsed -e "$delay_single_quote_subst"`'
-max_cmd_len='`$ECHO "X$max_cmd_len" | $Xsed -e "$delay_single_quote_subst"`'
-ac_objext='`$ECHO "X$ac_objext" | $Xsed -e "$delay_single_quote_subst"`'
-exeext='`$ECHO "X$exeext" | $Xsed -e "$delay_single_quote_subst"`'
-lt_unset='`$ECHO "X$lt_unset" | $Xsed -e "$delay_single_quote_subst"`'
-lt_SP2NL='`$ECHO "X$lt_SP2NL" | $Xsed -e "$delay_single_quote_subst"`'
-lt_NL2SP='`$ECHO "X$lt_NL2SP" | $Xsed -e "$delay_single_quote_subst"`'
-reload_flag='`$ECHO "X$reload_flag" | $Xsed -e "$delay_single_quote_subst"`'
-reload_cmds='`$ECHO "X$reload_cmds" | $Xsed -e "$delay_single_quote_subst"`'
-OBJDUMP='`$ECHO "X$OBJDUMP" | $Xsed -e "$delay_single_quote_subst"`'
-deplibs_check_method='`$ECHO "X$deplibs_check_method" | $Xsed -e "$delay_single_quote_subst"`'
-file_magic_cmd='`$ECHO "X$file_magic_cmd" | $Xsed -e "$delay_single_quote_subst"`'
-AR='`$ECHO "X$AR" | $Xsed -e "$delay_single_quote_subst"`'
-AR_FLAGS='`$ECHO "X$AR_FLAGS" | $Xsed -e "$delay_single_quote_subst"`'
-STRIP='`$ECHO "X$STRIP" | $Xsed -e "$delay_single_quote_subst"`'
-RANLIB='`$ECHO "X$RANLIB" | $Xsed -e "$delay_single_quote_subst"`'
-old_postinstall_cmds='`$ECHO "X$old_postinstall_cmds" | $Xsed -e "$delay_single_quote_subst"`'
-old_postuninstall_cmds='`$ECHO "X$old_postuninstall_cmds" | $Xsed -e "$delay_single_quote_subst"`'
-old_archive_cmds='`$ECHO "X$old_archive_cmds" | $Xsed -e "$delay_single_quote_subst"`'
-CC='`$ECHO "X$CC" | $Xsed -e "$delay_single_quote_subst"`'
-CFLAGS='`$ECHO "X$CFLAGS" | $Xsed -e "$delay_single_quote_subst"`'
-compiler='`$ECHO "X$compiler" | $Xsed -e "$delay_single_quote_subst"`'
-GCC='`$ECHO "X$GCC" | $Xsed -e "$delay_single_quote_subst"`'
-lt_cv_sys_global_symbol_pipe='`$ECHO "X$lt_cv_sys_global_symbol_pipe" | $Xsed -e "$delay_single_quote_subst"`'
-lt_cv_sys_global_symbol_to_cdecl='`$ECHO "X$lt_cv_sys_global_symbol_to_cdecl" | $Xsed -e "$delay_single_quote_subst"`'
-lt_cv_sys_global_symbol_to_c_name_address='`$ECHO "X$lt_cv_sys_global_symbol_to_c_name_address" | $Xsed -e "$delay_single_quote_subst"`'
-lt_cv_sys_global_symbol_to_c_name_address_lib_prefix='`$ECHO "X$lt_cv_sys_global_symbol_to_c_name_address_lib_prefix" | $Xsed -e "$delay_single_quote_subst"`'
-objdir='`$ECHO "X$objdir" | $Xsed -e "$delay_single_quote_subst"`'
-SHELL='`$ECHO "X$SHELL" | $Xsed -e "$delay_single_quote_subst"`'
-ECHO='`$ECHO "X$ECHO" | $Xsed -e "$delay_single_quote_subst"`'
-MAGIC_CMD='`$ECHO "X$MAGIC_CMD" | $Xsed -e "$delay_single_quote_subst"`'
-lt_prog_compiler_no_builtin_flag='`$ECHO "X$lt_prog_compiler_no_builtin_flag" | $Xsed -e "$delay_single_quote_subst"`'
-lt_prog_compiler_wl='`$ECHO "X$lt_prog_compiler_wl" | $Xsed -e "$delay_single_quote_subst"`'
-lt_prog_compiler_pic='`$ECHO "X$lt_prog_compiler_pic" | $Xsed -e "$delay_single_quote_subst"`'
-lt_prog_compiler_static='`$ECHO "X$lt_prog_compiler_static" | $Xsed -e "$delay_single_quote_subst"`'
-lt_cv_prog_compiler_c_o='`$ECHO "X$lt_cv_prog_compiler_c_o" | $Xsed -e "$delay_single_quote_subst"`'
-need_locks='`$ECHO "X$need_locks" | $Xsed -e "$delay_single_quote_subst"`'
-DSYMUTIL='`$ECHO "X$DSYMUTIL" | $Xsed -e "$delay_single_quote_subst"`'
-NMEDIT='`$ECHO "X$NMEDIT" | $Xsed -e "$delay_single_quote_subst"`'
-LIPO='`$ECHO "X$LIPO" | $Xsed -e "$delay_single_quote_subst"`'
-OTOOL='`$ECHO "X$OTOOL" | $Xsed -e "$delay_single_quote_subst"`'
-OTOOL64='`$ECHO "X$OTOOL64" | $Xsed -e "$delay_single_quote_subst"`'
-libext='`$ECHO "X$libext" | $Xsed -e "$delay_single_quote_subst"`'
-shrext_cmds='`$ECHO "X$shrext_cmds" | $Xsed -e "$delay_single_quote_subst"`'
-extract_expsyms_cmds='`$ECHO "X$extract_expsyms_cmds" | $Xsed -e "$delay_single_quote_subst"`'
-archive_cmds_need_lc='`$ECHO "X$archive_cmds_need_lc" | $Xsed -e "$delay_single_quote_subst"`'
-enable_shared_with_static_runtimes='`$ECHO "X$enable_shared_with_static_runtimes" | $Xsed -e "$delay_single_quote_subst"`'
-export_dynamic_flag_spec='`$ECHO "X$export_dynamic_flag_spec" | $Xsed -e "$delay_single_quote_subst"`'
-whole_archive_flag_spec='`$ECHO "X$whole_archive_flag_spec" | $Xsed -e "$delay_single_quote_subst"`'
-compiler_needs_object='`$ECHO "X$compiler_needs_object" | $Xsed -e "$delay_single_quote_subst"`'
-old_archive_from_new_cmds='`$ECHO "X$old_archive_from_new_cmds" | $Xsed -e "$delay_single_quote_subst"`'
-old_archive_from_expsyms_cmds='`$ECHO "X$old_archive_from_expsyms_cmds" | $Xsed -e "$delay_single_quote_subst"`'
-archive_cmds='`$ECHO "X$archive_cmds" | $Xsed -e "$delay_single_quote_subst"`'
-archive_expsym_cmds='`$ECHO "X$archive_expsym_cmds" | $Xsed -e "$delay_single_quote_subst"`'
-module_cmds='`$ECHO "X$module_cmds" | $Xsed -e "$delay_single_quote_subst"`'
-module_expsym_cmds='`$ECHO "X$module_expsym_cmds" | $Xsed -e "$delay_single_quote_subst"`'
-with_gnu_ld='`$ECHO "X$with_gnu_ld" | $Xsed -e "$delay_single_quote_subst"`'
-allow_undefined_flag='`$ECHO "X$allow_undefined_flag" | $Xsed -e "$delay_single_quote_subst"`'
-no_undefined_flag='`$ECHO "X$no_undefined_flag" | $Xsed -e "$delay_single_quote_subst"`'
-hardcode_libdir_flag_spec='`$ECHO "X$hardcode_libdir_flag_spec" | $Xsed -e "$delay_single_quote_subst"`'
-hardcode_libdir_flag_spec_ld='`$ECHO "X$hardcode_libdir_flag_spec_ld" | $Xsed -e "$delay_single_quote_subst"`'
-hardcode_libdir_separator='`$ECHO "X$hardcode_libdir_separator" | $Xsed -e "$delay_single_quote_subst"`'
-hardcode_direct='`$ECHO "X$hardcode_direct" | $Xsed -e "$delay_single_quote_subst"`'
-hardcode_direct_absolute='`$ECHO "X$hardcode_direct_absolute" | $Xsed -e "$delay_single_quote_subst"`'
-hardcode_minus_L='`$ECHO "X$hardcode_minus_L" | $Xsed -e "$delay_single_quote_subst"`'
-hardcode_shlibpath_var='`$ECHO "X$hardcode_shlibpath_var" | $Xsed -e "$delay_single_quote_subst"`'
-hardcode_automatic='`$ECHO "X$hardcode_automatic" | $Xsed -e "$delay_single_quote_subst"`'
-inherit_rpath='`$ECHO "X$inherit_rpath" | $Xsed -e "$delay_single_quote_subst"`'
-link_all_deplibs='`$ECHO "X$link_all_deplibs" | $Xsed -e "$delay_single_quote_subst"`'
-fix_srcfile_path='`$ECHO "X$fix_srcfile_path" | $Xsed -e "$delay_single_quote_subst"`'
-always_export_symbols='`$ECHO "X$always_export_symbols" | $Xsed -e "$delay_single_quote_subst"`'
-export_symbols_cmds='`$ECHO "X$export_symbols_cmds" | $Xsed -e "$delay_single_quote_subst"`'
-exclude_expsyms='`$ECHO "X$exclude_expsyms" | $Xsed -e "$delay_single_quote_subst"`'
-include_expsyms='`$ECHO "X$include_expsyms" | $Xsed -e "$delay_single_quote_subst"`'
-prelink_cmds='`$ECHO "X$prelink_cmds" | $Xsed -e "$delay_single_quote_subst"`'
-file_list_spec='`$ECHO "X$file_list_spec" | $Xsed -e "$delay_single_quote_subst"`'
-variables_saved_for_relink='`$ECHO "X$variables_saved_for_relink" | $Xsed -e "$delay_single_quote_subst"`'
-need_lib_prefix='`$ECHO "X$need_lib_prefix" | $Xsed -e "$delay_single_quote_subst"`'
-need_version='`$ECHO "X$need_version" | $Xsed -e "$delay_single_quote_subst"`'
-version_type='`$ECHO "X$version_type" | $Xsed -e "$delay_single_quote_subst"`'
-runpath_var='`$ECHO "X$runpath_var" | $Xsed -e "$delay_single_quote_subst"`'
-shlibpath_var='`$ECHO "X$shlibpath_var" | $Xsed -e "$delay_single_quote_subst"`'
-shlibpath_overrides_runpath='`$ECHO "X$shlibpath_overrides_runpath" | $Xsed -e "$delay_single_quote_subst"`'
-libname_spec='`$ECHO "X$libname_spec" | $Xsed -e "$delay_single_quote_subst"`'
-library_names_spec='`$ECHO "X$library_names_spec" | $Xsed -e "$delay_single_quote_subst"`'
-soname_spec='`$ECHO "X$soname_spec" | $Xsed -e "$delay_single_quote_subst"`'
-postinstall_cmds='`$ECHO "X$postinstall_cmds" | $Xsed -e "$delay_single_quote_subst"`'
-postuninstall_cmds='`$ECHO "X$postuninstall_cmds" | $Xsed -e "$delay_single_quote_subst"`'
-finish_cmds='`$ECHO "X$finish_cmds" | $Xsed -e "$delay_single_quote_subst"`'
-finish_eval='`$ECHO "X$finish_eval" | $Xsed -e "$delay_single_quote_subst"`'
-hardcode_into_libs='`$ECHO "X$hardcode_into_libs" | $Xsed -e "$delay_single_quote_subst"`'
-sys_lib_search_path_spec='`$ECHO "X$sys_lib_search_path_spec" | $Xsed -e "$delay_single_quote_subst"`'
-sys_lib_dlsearch_path_spec='`$ECHO "X$sys_lib_dlsearch_path_spec" | $Xsed -e "$delay_single_quote_subst"`'
-hardcode_action='`$ECHO "X$hardcode_action" | $Xsed -e "$delay_single_quote_subst"`'
-enable_dlopen='`$ECHO "X$enable_dlopen" | $Xsed -e "$delay_single_quote_subst"`'
-enable_dlopen_self='`$ECHO "X$enable_dlopen_self" | $Xsed -e "$delay_single_quote_subst"`'
-enable_dlopen_self_static='`$ECHO "X$enable_dlopen_self_static" | $Xsed -e "$delay_single_quote_subst"`'
-old_striplib='`$ECHO "X$old_striplib" | $Xsed -e "$delay_single_quote_subst"`'
-striplib='`$ECHO "X$striplib" | $Xsed -e "$delay_single_quote_subst"`'
+macro_version='`$ECHO "$macro_version" | $SED "$delay_single_quote_subst"`'
+macro_revision='`$ECHO "$macro_revision" | $SED "$delay_single_quote_subst"`'
+enable_shared='`$ECHO "$enable_shared" | $SED "$delay_single_quote_subst"`'
+enable_static='`$ECHO "$enable_static" | $SED "$delay_single_quote_subst"`'
+pic_mode='`$ECHO "$pic_mode" | $SED "$delay_single_quote_subst"`'
+enable_fast_install='`$ECHO "$enable_fast_install" | $SED "$delay_single_quote_subst"`'
+SHELL='`$ECHO "$SHELL" | $SED "$delay_single_quote_subst"`'
+ECHO='`$ECHO "$ECHO" | $SED "$delay_single_quote_subst"`'
+PATH_SEPARATOR='`$ECHO "$PATH_SEPARATOR" | $SED "$delay_single_quote_subst"`'
+host_alias='`$ECHO "$host_alias" | $SED "$delay_single_quote_subst"`'
+host='`$ECHO "$host" | $SED "$delay_single_quote_subst"`'
+host_os='`$ECHO "$host_os" | $SED "$delay_single_quote_subst"`'
+build_alias='`$ECHO "$build_alias" | $SED "$delay_single_quote_subst"`'
+build='`$ECHO "$build" | $SED "$delay_single_quote_subst"`'
+build_os='`$ECHO "$build_os" | $SED "$delay_single_quote_subst"`'
+SED='`$ECHO "$SED" | $SED "$delay_single_quote_subst"`'
+Xsed='`$ECHO "$Xsed" | $SED "$delay_single_quote_subst"`'
+GREP='`$ECHO "$GREP" | $SED "$delay_single_quote_subst"`'
+EGREP='`$ECHO "$EGREP" | $SED "$delay_single_quote_subst"`'
+FGREP='`$ECHO "$FGREP" | $SED "$delay_single_quote_subst"`'
+LD='`$ECHO "$LD" | $SED "$delay_single_quote_subst"`'
+NM='`$ECHO "$NM" | $SED "$delay_single_quote_subst"`'
+LN_S='`$ECHO "$LN_S" | $SED "$delay_single_quote_subst"`'
+max_cmd_len='`$ECHO "$max_cmd_len" | $SED "$delay_single_quote_subst"`'
+ac_objext='`$ECHO "$ac_objext" | $SED "$delay_single_quote_subst"`'
+exeext='`$ECHO "$exeext" | $SED "$delay_single_quote_subst"`'
+lt_unset='`$ECHO "$lt_unset" | $SED "$delay_single_quote_subst"`'
+lt_SP2NL='`$ECHO "$lt_SP2NL" | $SED "$delay_single_quote_subst"`'
+lt_NL2SP='`$ECHO "$lt_NL2SP" | $SED "$delay_single_quote_subst"`'
+lt_cv_to_host_file_cmd='`$ECHO "$lt_cv_to_host_file_cmd" | $SED "$delay_single_quote_subst"`'
+lt_cv_to_tool_file_cmd='`$ECHO "$lt_cv_to_tool_file_cmd" | $SED "$delay_single_quote_subst"`'
+reload_flag='`$ECHO "$reload_flag" | $SED "$delay_single_quote_subst"`'
+reload_cmds='`$ECHO "$reload_cmds" | $SED "$delay_single_quote_subst"`'
+OBJDUMP='`$ECHO "$OBJDUMP" | $SED "$delay_single_quote_subst"`'
+deplibs_check_method='`$ECHO "$deplibs_check_method" | $SED "$delay_single_quote_subst"`'
+file_magic_cmd='`$ECHO "$file_magic_cmd" | $SED "$delay_single_quote_subst"`'
+file_magic_glob='`$ECHO "$file_magic_glob" | $SED "$delay_single_quote_subst"`'
+want_nocaseglob='`$ECHO "$want_nocaseglob" | $SED "$delay_single_quote_subst"`'
+DLLTOOL='`$ECHO "$DLLTOOL" | $SED "$delay_single_quote_subst"`'
+sharedlib_from_linklib_cmd='`$ECHO "$sharedlib_from_linklib_cmd" | $SED "$delay_single_quote_subst"`'
+AR='`$ECHO "$AR" | $SED "$delay_single_quote_subst"`'
+AR_FLAGS='`$ECHO "$AR_FLAGS" | $SED "$delay_single_quote_subst"`'
+archiver_list_spec='`$ECHO "$archiver_list_spec" | $SED "$delay_single_quote_subst"`'
+STRIP='`$ECHO "$STRIP" | $SED "$delay_single_quote_subst"`'
+RANLIB='`$ECHO "$RANLIB" | $SED "$delay_single_quote_subst"`'
+old_postinstall_cmds='`$ECHO "$old_postinstall_cmds" | $SED "$delay_single_quote_subst"`'
+old_postuninstall_cmds='`$ECHO "$old_postuninstall_cmds" | $SED "$delay_single_quote_subst"`'
+old_archive_cmds='`$ECHO "$old_archive_cmds" | $SED "$delay_single_quote_subst"`'
+lock_old_archive_extraction='`$ECHO "$lock_old_archive_extraction" | $SED "$delay_single_quote_subst"`'
+CC='`$ECHO "$CC" | $SED "$delay_single_quote_subst"`'
+CFLAGS='`$ECHO "$CFLAGS" | $SED "$delay_single_quote_subst"`'
+compiler='`$ECHO "$compiler" | $SED "$delay_single_quote_subst"`'
+GCC='`$ECHO "$GCC" | $SED "$delay_single_quote_subst"`'
+lt_cv_sys_global_symbol_pipe='`$ECHO "$lt_cv_sys_global_symbol_pipe" | $SED "$delay_single_quote_subst"`'
+lt_cv_sys_global_symbol_to_cdecl='`$ECHO "$lt_cv_sys_global_symbol_to_cdecl" | $SED "$delay_single_quote_subst"`'
+lt_cv_sys_global_symbol_to_c_name_address='`$ECHO "$lt_cv_sys_global_symbol_to_c_name_address" | $SED "$delay_single_quote_subst"`'
+lt_cv_sys_global_symbol_to_c_name_address_lib_prefix='`$ECHO "$lt_cv_sys_global_symbol_to_c_name_address_lib_prefix" | $SED "$delay_single_quote_subst"`'
+nm_file_list_spec='`$ECHO "$nm_file_list_spec" | $SED "$delay_single_quote_subst"`'
+lt_sysroot='`$ECHO "$lt_sysroot" | $SED "$delay_single_quote_subst"`'
+objdir='`$ECHO "$objdir" | $SED "$delay_single_quote_subst"`'
+MAGIC_CMD='`$ECHO "$MAGIC_CMD" | $SED "$delay_single_quote_subst"`'
+lt_prog_compiler_no_builtin_flag='`$ECHO "$lt_prog_compiler_no_builtin_flag" | $SED "$delay_single_quote_subst"`'
+lt_prog_compiler_pic='`$ECHO "$lt_prog_compiler_pic" | $SED "$delay_single_quote_subst"`'
+lt_prog_compiler_wl='`$ECHO "$lt_prog_compiler_wl" | $SED "$delay_single_quote_subst"`'
+lt_prog_compiler_static='`$ECHO "$lt_prog_compiler_static" | $SED "$delay_single_quote_subst"`'
+lt_cv_prog_compiler_c_o='`$ECHO "$lt_cv_prog_compiler_c_o" | $SED "$delay_single_quote_subst"`'
+need_locks='`$ECHO "$need_locks" | $SED "$delay_single_quote_subst"`'
+MANIFEST_TOOL='`$ECHO "$MANIFEST_TOOL" | $SED "$delay_single_quote_subst"`'
+DSYMUTIL='`$ECHO "$DSYMUTIL" | $SED "$delay_single_quote_subst"`'
+NMEDIT='`$ECHO "$NMEDIT" | $SED "$delay_single_quote_subst"`'
+LIPO='`$ECHO "$LIPO" | $SED "$delay_single_quote_subst"`'
+OTOOL='`$ECHO "$OTOOL" | $SED "$delay_single_quote_subst"`'
+OTOOL64='`$ECHO "$OTOOL64" | $SED "$delay_single_quote_subst"`'
+libext='`$ECHO "$libext" | $SED "$delay_single_quote_subst"`'
+shrext_cmds='`$ECHO "$shrext_cmds" | $SED "$delay_single_quote_subst"`'
+extract_expsyms_cmds='`$ECHO "$extract_expsyms_cmds" | $SED "$delay_single_quote_subst"`'
+archive_cmds_need_lc='`$ECHO "$archive_cmds_need_lc" | $SED "$delay_single_quote_subst"`'
+enable_shared_with_static_runtimes='`$ECHO "$enable_shared_with_static_runtimes" | $SED "$delay_single_quote_subst"`'
+export_dynamic_flag_spec='`$ECHO "$export_dynamic_flag_spec" | $SED "$delay_single_quote_subst"`'
+whole_archive_flag_spec='`$ECHO "$whole_archive_flag_spec" | $SED "$delay_single_quote_subst"`'
+compiler_needs_object='`$ECHO "$compiler_needs_object" | $SED "$delay_single_quote_subst"`'
+old_archive_from_new_cmds='`$ECHO "$old_archive_from_new_cmds" | $SED "$delay_single_quote_subst"`'
+old_archive_from_expsyms_cmds='`$ECHO "$old_archive_from_expsyms_cmds" | $SED "$delay_single_quote_subst"`'
+archive_cmds='`$ECHO "$archive_cmds" | $SED "$delay_single_quote_subst"`'
+archive_expsym_cmds='`$ECHO "$archive_expsym_cmds" | $SED "$delay_single_quote_subst"`'
+module_cmds='`$ECHO "$module_cmds" | $SED "$delay_single_quote_subst"`'
+module_expsym_cmds='`$ECHO "$module_expsym_cmds" | $SED "$delay_single_quote_subst"`'
+with_gnu_ld='`$ECHO "$with_gnu_ld" | $SED "$delay_single_quote_subst"`'
+allow_undefined_flag='`$ECHO "$allow_undefined_flag" | $SED "$delay_single_quote_subst"`'
+no_undefined_flag='`$ECHO "$no_undefined_flag" | $SED "$delay_single_quote_subst"`'
+hardcode_libdir_flag_spec='`$ECHO "$hardcode_libdir_flag_spec" | $SED "$delay_single_quote_subst"`'
+hardcode_libdir_separator='`$ECHO "$hardcode_libdir_separator" | $SED "$delay_single_quote_subst"`'
+hardcode_direct='`$ECHO "$hardcode_direct" | $SED "$delay_single_quote_subst"`'
+hardcode_direct_absolute='`$ECHO "$hardcode_direct_absolute" | $SED "$delay_single_quote_subst"`'
+hardcode_minus_L='`$ECHO "$hardcode_minus_L" | $SED "$delay_single_quote_subst"`'
+hardcode_shlibpath_var='`$ECHO "$hardcode_shlibpath_var" | $SED "$delay_single_quote_subst"`'
+hardcode_automatic='`$ECHO "$hardcode_automatic" | $SED "$delay_single_quote_subst"`'
+inherit_rpath='`$ECHO "$inherit_rpath" | $SED "$delay_single_quote_subst"`'
+link_all_deplibs='`$ECHO "$link_all_deplibs" | $SED "$delay_single_quote_subst"`'
+always_export_symbols='`$ECHO "$always_export_symbols" | $SED "$delay_single_quote_subst"`'
+export_symbols_cmds='`$ECHO "$export_symbols_cmds" | $SED "$delay_single_quote_subst"`'
+exclude_expsyms='`$ECHO "$exclude_expsyms" | $SED "$delay_single_quote_subst"`'
+include_expsyms='`$ECHO "$include_expsyms" | $SED "$delay_single_quote_subst"`'
+prelink_cmds='`$ECHO "$prelink_cmds" | $SED "$delay_single_quote_subst"`'
+postlink_cmds='`$ECHO "$postlink_cmds" | $SED "$delay_single_quote_subst"`'
+file_list_spec='`$ECHO "$file_list_spec" | $SED "$delay_single_quote_subst"`'
+variables_saved_for_relink='`$ECHO "$variables_saved_for_relink" | $SED "$delay_single_quote_subst"`'
+need_lib_prefix='`$ECHO "$need_lib_prefix" | $SED "$delay_single_quote_subst"`'
+need_version='`$ECHO "$need_version" | $SED "$delay_single_quote_subst"`'
+version_type='`$ECHO "$version_type" | $SED "$delay_single_quote_subst"`'
+runpath_var='`$ECHO "$runpath_var" | $SED "$delay_single_quote_subst"`'
+shlibpath_var='`$ECHO "$shlibpath_var" | $SED "$delay_single_quote_subst"`'
+shlibpath_overrides_runpath='`$ECHO "$shlibpath_overrides_runpath" | $SED "$delay_single_quote_subst"`'
+libname_spec='`$ECHO "$libname_spec" | $SED "$delay_single_quote_subst"`'
+library_names_spec='`$ECHO "$library_names_spec" | $SED "$delay_single_quote_subst"`'
+soname_spec='`$ECHO "$soname_spec" | $SED "$delay_single_quote_subst"`'
+install_override_mode='`$ECHO "$install_override_mode" | $SED "$delay_single_quote_subst"`'
+postinstall_cmds='`$ECHO "$postinstall_cmds" | $SED "$delay_single_quote_subst"`'
+postuninstall_cmds='`$ECHO "$postuninstall_cmds" | $SED "$delay_single_quote_subst"`'
+finish_cmds='`$ECHO "$finish_cmds" | $SED "$delay_single_quote_subst"`'
+finish_eval='`$ECHO "$finish_eval" | $SED "$delay_single_quote_subst"`'
+hardcode_into_libs='`$ECHO "$hardcode_into_libs" | $SED "$delay_single_quote_subst"`'
+sys_lib_search_path_spec='`$ECHO "$sys_lib_search_path_spec" | $SED "$delay_single_quote_subst"`'
+sys_lib_dlsearch_path_spec='`$ECHO "$sys_lib_dlsearch_path_spec" | $SED "$delay_single_quote_subst"`'
+hardcode_action='`$ECHO "$hardcode_action" | $SED "$delay_single_quote_subst"`'
+enable_dlopen='`$ECHO "$enable_dlopen" | $SED "$delay_single_quote_subst"`'
+enable_dlopen_self='`$ECHO "$enable_dlopen_self" | $SED "$delay_single_quote_subst"`'
+enable_dlopen_self_static='`$ECHO "$enable_dlopen_self_static" | $SED "$delay_single_quote_subst"`'
+old_striplib='`$ECHO "$old_striplib" | $SED "$delay_single_quote_subst"`'
+striplib='`$ECHO "$striplib" | $SED "$delay_single_quote_subst"`'
 
 LTCC='$LTCC'
 LTCFLAGS='$LTCFLAGS'
 compiler='$compiler_DEFAULT'
 
+# A function that is used when there is no print builtin or printf.
+func_fallback_echo ()
+{
+  eval 'cat <<_LTECHO_EOF
+\$1
+_LTECHO_EOF'
+}
+
 # Quote evaled strings.
-for var in SED \
+for var in SHELL \
+ECHO \
+PATH_SEPARATOR \
+SED \
 GREP \
 EGREP \
 FGREP \
@@ -21109,8 +22311,13 @@ reload_flag \
 OBJDUMP \
 deplibs_check_method \
 file_magic_cmd \
+file_magic_glob \
+want_nocaseglob \
+DLLTOOL \
+sharedlib_from_linklib_cmd \
 AR \
 AR_FLAGS \
+archiver_list_spec \
 STRIP \
 RANLIB \
 CC \
@@ -21120,14 +22327,14 @@ lt_cv_sys_global_symbol_pipe \
 lt_cv_sys_global_symbol_to_cdecl \
 lt_cv_sys_global_symbol_to_c_name_address \
 lt_cv_sys_global_symbol_to_c_name_address_lib_prefix \
-SHELL \
-ECHO \
+nm_file_list_spec \
 lt_prog_compiler_no_builtin_flag \
-lt_prog_compiler_wl \
 lt_prog_compiler_pic \
+lt_prog_compiler_wl \
 lt_prog_compiler_static \
 lt_cv_prog_compiler_c_o \
 need_locks \
+MANIFEST_TOOL \
 DSYMUTIL \
 NMEDIT \
 LIPO \
@@ -21141,9 +22348,7 @@ with_gnu_ld \
 allow_undefined_flag \
 no_undefined_flag \
 hardcode_libdir_flag_spec \
-hardcode_libdir_flag_spec_ld \
 hardcode_libdir_separator \
-fix_srcfile_path \
 exclude_expsyms \
 include_expsyms \
 file_list_spec \
@@ -21151,12 +22356,13 @@ variables_saved_for_relink \
 libname_spec \
 library_names_spec \
 soname_spec \
+install_override_mode \
 finish_eval \
 old_striplib \
 striplib; do
-    case \`eval \\\\\$ECHO "X\\\\\$\$var"\` in
+    case \`eval \\\\\$ECHO \\\\""\\\\\$\$var"\\\\"\` in
     *[\\\\\\\`\\"\\\$]*)
-      eval "lt_\$var=\\\\\\"\\\`\\\$ECHO \\"X\\\$\$var\\" | \\\$Xsed -e \\"\\\$sed_quote_subst\\"\\\`\\\\\\""
+      eval "lt_\$var=\\\\\\"\\\`\\\$ECHO \\"\\\$\$var\\" | \\\$SED \\"\\\$sed_quote_subst\\"\\\`\\\\\\""
       ;;
     *)
       eval "lt_\$var=\\\\\\"\\\$\$var\\\\\\""
@@ -21178,14 +22384,15 @@ module_cmds \
 module_expsym_cmds \
 export_symbols_cmds \
 prelink_cmds \
+postlink_cmds \
 postinstall_cmds \
 postuninstall_cmds \
 finish_cmds \
 sys_lib_search_path_spec \
 sys_lib_dlsearch_path_spec; do
-    case \`eval \\\\\$ECHO "X\\\\\$\$var"\` in
+    case \`eval \\\\\$ECHO \\\\""\\\\\$\$var"\\\\"\` in
     *[\\\\\\\`\\"\\\$]*)
-      eval "lt_\$var=\\\\\\"\\\`\\\$ECHO \\"X\\\$\$var\\" | \\\$Xsed -e \\"\\\$double_quote_subst\\" -e \\"\\\$sed_quote_subst\\" -e \\"\\\$delay_variable_subst\\"\\\`\\\\\\""
+      eval "lt_\$var=\\\\\\"\\\`\\\$ECHO \\"\\\$\$var\\" | \\\$SED -e \\"\\\$double_quote_subst\\" -e \\"\\\$sed_quote_subst\\" -e \\"\\\$delay_variable_subst\\"\\\`\\\\\\""
       ;;
     *)
       eval "lt_\$var=\\\\\\"\\\$\$var\\\\\\""
@@ -21193,12 +22400,6 @@ sys_lib_dlsearch_path_spec; do
     esac
 done
 
-# Fix-up fallback echo if it was mangled by the above quoting rules.
-case \$lt_ECHO in
-*'\\\$0 --fallback-echo"')  lt_ECHO=\`\$ECHO "X\$lt_ECHO" | \$Xsed -e 's/\\\\\\\\\\\\\\\$0 --fallback-echo"\$/\$0 --fallback-echo"/'\`
-  ;;
-esac
-
 ac_aux_dir='$ac_aux_dir'
 xsi_shell='$xsi_shell'
 lt_shell_append='$lt_shell_append'
@@ -21247,6 +22448,7 @@ do
     "src/libstrongswan/plugins/sha2/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/sha2/Makefile" ;;
     "src/libstrongswan/plugins/fips_prf/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/fips_prf/Makefile" ;;
     "src/libstrongswan/plugins/gmp/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/gmp/Makefile" ;;
+    "src/libstrongswan/plugins/rdrand/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/rdrand/Makefile" ;;
     "src/libstrongswan/plugins/random/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/random/Makefile" ;;
     "src/libstrongswan/plugins/nonce/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/nonce/Makefile" ;;
     "src/libstrongswan/plugins/hmac/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/hmac/Makefile" ;;
@@ -21256,6 +22458,7 @@ do
     "src/libstrongswan/plugins/constraints/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/constraints/Makefile" ;;
     "src/libstrongswan/plugins/pubkey/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/pubkey/Makefile" ;;
     "src/libstrongswan/plugins/pkcs1/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/pkcs1/Makefile" ;;
+    "src/libstrongswan/plugins/pkcs7/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/pkcs7/Makefile" ;;
     "src/libstrongswan/plugins/pkcs8/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/pkcs8/Makefile" ;;
     "src/libstrongswan/plugins/pgp/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/pgp/Makefile" ;;
     "src/libstrongswan/plugins/dnskey/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/dnskey/Makefile" ;;
@@ -21297,6 +22500,8 @@ do
     "src/libimcv/plugins/imv_test/Makefile") CONFIG_FILES="$CONFIG_FILES src/libimcv/plugins/imv_test/Makefile" ;;
     "src/libimcv/plugins/imc_scanner/Makefile") CONFIG_FILES="$CONFIG_FILES src/libimcv/plugins/imc_scanner/Makefile" ;;
     "src/libimcv/plugins/imv_scanner/Makefile") CONFIG_FILES="$CONFIG_FILES src/libimcv/plugins/imv_scanner/Makefile" ;;
+    "src/libimcv/plugins/imc_os/Makefile") CONFIG_FILES="$CONFIG_FILES src/libimcv/plugins/imc_os/Makefile" ;;
+    "src/libimcv/plugins/imv_os/Makefile") CONFIG_FILES="$CONFIG_FILES src/libimcv/plugins/imv_os/Makefile" ;;
     "src/charon/Makefile") CONFIG_FILES="$CONFIG_FILES src/charon/Makefile" ;;
     "src/charon-nm/Makefile") CONFIG_FILES="$CONFIG_FILES src/charon-nm/Makefile" ;;
     "src/libcharon/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/Makefile" ;;
@@ -21341,6 +22546,8 @@ do
     "src/libcharon/plugins/uci/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/uci/Makefile" ;;
     "src/libcharon/plugins/ha/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/ha/Makefile" ;;
     "src/libcharon/plugins/whitelist/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/whitelist/Makefile" ;;
+    "src/libcharon/plugins/lookip/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/lookip/Makefile" ;;
+    "src/libcharon/plugins/error_notify/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/error_notify/Makefile" ;;
     "src/libcharon/plugins/certexpire/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/certexpire/Makefile" ;;
     "src/libcharon/plugins/led/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/led/Makefile" ;;
     "src/libcharon/plugins/duplicheck/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/duplicheck/Makefile" ;;
@@ -21373,7 +22580,7 @@ do
     "scripts/Makefile") CONFIG_FILES="$CONFIG_FILES scripts/Makefile" ;;
     "testing/Makefile") CONFIG_FILES="$CONFIG_FILES testing/Makefile" ;;
 
-  *) as_fn_error $? "invalid argument: \`$ac_config_target'" "$LINENO" 5 ;;
+  *) as_fn_error $? "invalid argument: \`$ac_config_target'" "$LINENO" 5;;
   esac
 done
 
@@ -21396,9 +22603,10 @@ fi
 # after its creation but before its name has been assigned to `$tmp'.
 $debug ||
 {
-  tmp=
+  tmp= ac_tmp=
   trap 'exit_status=$?
-  { test -z "$tmp" || test ! -d "$tmp" || rm -fr "$tmp"; } && exit $exit_status
+  : "${ac_tmp:=$tmp}"
+  { test ! -d "$ac_tmp" || rm -fr "$ac_tmp"; } && exit $exit_status
 ' 0
   trap 'as_fn_exit 1' 1 2 13 15
 }
@@ -21406,12 +22614,13 @@ $debug ||
 
 {
   tmp=`(umask 077 && mktemp -d "./confXXXXXX") 2>/dev/null` &&
-  test -n "$tmp" && test -d "$tmp"
+  test -d "$tmp"
 }  ||
 {
   tmp=./conf$$-$RANDOM
   (umask 077 && mkdir "$tmp")
 } || as_fn_error $? "cannot create a temporary directory in ." "$LINENO" 5
+ac_tmp=$tmp
 
 # Set up the scripts for CONFIG_FILES section.
 # No need to generate them if there are no CONFIG_FILES.
@@ -21433,7 +22642,7 @@ else
   ac_cs_awk_cr=$ac_cr
 fi
 
-echo 'BEGIN {' >"$tmp/subs1.awk" &&
+echo 'BEGIN {' >"$ac_tmp/subs1.awk" &&
 _ACEOF
 
 
@@ -21461,7 +22670,7 @@ done
 rm -f conf$$subs.sh
 
 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
-cat >>"\$tmp/subs1.awk" <<\\_ACAWK &&
+cat >>"\$ac_tmp/subs1.awk" <<\\_ACAWK &&
 _ACEOF
 sed -n '
 h
@@ -21509,7 +22718,7 @@ t delim
 rm -f conf$$subs.awk
 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
 _ACAWK
-cat >>"\$tmp/subs1.awk" <<_ACAWK &&
+cat >>"\$ac_tmp/subs1.awk" <<_ACAWK &&
   for (key in S) S_is_set[key] = 1
   FS = ""
 
@@ -21541,7 +22750,7 @@ if sed "s/$ac_cr//" < /dev/null > /dev/null 2>&1; then
   sed "s/$ac_cr\$//; s/$ac_cr/$ac_cs_awk_cr/g"
 else
   cat
-fi < "$tmp/subs1.awk" > "$tmp/subs.awk" \
+fi < "$ac_tmp/subs1.awk" > "$ac_tmp/subs.awk" \
   || as_fn_error $? "could not setup config files machinery" "$LINENO" 5
 _ACEOF
 
@@ -21575,7 +22784,7 @@ fi # test -n "$CONFIG_FILES"
 # No need to generate them if there are no CONFIG_HEADERS.
 # This happens for instance with `./config.status Makefile'.
 if test -n "$CONFIG_HEADERS"; then
-cat >"$tmp/defines.awk" <<\_ACAWK ||
+cat >"$ac_tmp/defines.awk" <<\_ACAWK ||
 BEGIN {
 _ACEOF
 
@@ -21587,8 +22796,8 @@ _ACEOF
 # handling of long lines.
 ac_delim='%!_!# '
 for ac_last_try in false false :; do
-  ac_t=`sed -n "/$ac_delim/p" confdefs.h`
-  if test -z "$ac_t"; then
+  ac_tt=`sed -n "/$ac_delim/p" confdefs.h`
+  if test -z "$ac_tt"; then
     break
   elif $ac_last_try; then
     as_fn_error $? "could not make $CONFIG_HEADERS" "$LINENO" 5
@@ -21689,7 +22898,7 @@ do
   esac
   case $ac_mode$ac_tag in
   :[FHL]*:*);;
-  :L* | :C*:*) as_fn_error $? "invalid tag \`$ac_tag'" "$LINENO" 5 ;;
+  :L* | :C*:*) as_fn_error $? "invalid tag \`$ac_tag'" "$LINENO" 5;;
   :[FH]-) ac_tag=-:-;;
   :[FH]*) ac_tag=$ac_tag:$ac_tag.in;;
   esac
@@ -21708,7 +22917,7 @@ do
     for ac_f
     do
       case $ac_f in
-      -) ac_f="$tmp/stdin";;
+      -) ac_f="$ac_tmp/stdin";;
       *) # Look for the file first in the build tree, then in the source tree
 	 # (if the path is not absolute).  The absolute path cannot be DOS-style,
 	 # because $ac_f cannot contain `:'.
@@ -21717,7 +22926,7 @@ do
 	   [\\/$]*) false;;
 	   *) test -f "$srcdir/$ac_f" && ac_f="$srcdir/$ac_f";;
 	   esac ||
-	   as_fn_error 1 "cannot find input file: \`$ac_f'" "$LINENO" 5 ;;
+	   as_fn_error 1 "cannot find input file: \`$ac_f'" "$LINENO" 5;;
       esac
       case $ac_f in *\'*) ac_f=`$as_echo "$ac_f" | sed "s/'/'\\\\\\\\''/g"`;; esac
       as_fn_append ac_file_inputs " '$ac_f'"
@@ -21743,8 +22952,8 @@ $as_echo "$as_me: creating $ac_file" >&6;}
     esac
 
     case $ac_tag in
-    *:-:* | *:-) cat >"$tmp/stdin" \
-      || as_fn_error $? "could not create $ac_file" "$LINENO" 5  ;;
+    *:-:* | *:-) cat >"$ac_tmp/stdin" \
+      || as_fn_error $? "could not create $ac_file" "$LINENO" 5 ;;
     esac
     ;;
   esac
@@ -21880,21 +23089,22 @@ s&@INSTALL@&$ac_INSTALL&;t t
 s&@MKDIR_P@&$ac_MKDIR_P&;t t
 $ac_datarootdir_hack
 "
-eval sed \"\$ac_sed_extra\" "$ac_file_inputs" | $AWK -f "$tmp/subs.awk" >$tmp/out \
-  || as_fn_error $? "could not create $ac_file" "$LINENO" 5
+eval sed \"\$ac_sed_extra\" "$ac_file_inputs" | $AWK -f "$ac_tmp/subs.awk" \
+  >$ac_tmp/out || as_fn_error $? "could not create $ac_file" "$LINENO" 5
 
 test -z "$ac_datarootdir_hack$ac_datarootdir_seen" &&
-  { ac_out=`sed -n '/\${datarootdir}/p' "$tmp/out"`; test -n "$ac_out"; } &&
-  { ac_out=`sed -n '/^[	 ]*datarootdir[	 ]*:*=/p' "$tmp/out"`; test -z "$ac_out"; } &&
+  { ac_out=`sed -n '/\${datarootdir}/p' "$ac_tmp/out"`; test -n "$ac_out"; } &&
+  { ac_out=`sed -n '/^[	 ]*datarootdir[	 ]*:*=/p' \
+      "$ac_tmp/out"`; test -z "$ac_out"; } &&
   { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: $ac_file contains a reference to the variable \`datarootdir'
 which seems to be undefined.  Please make sure it is defined" >&5
 $as_echo "$as_me: WARNING: $ac_file contains a reference to the variable \`datarootdir'
 which seems to be undefined.  Please make sure it is defined" >&2;}
 
-  rm -f "$tmp/stdin"
+  rm -f "$ac_tmp/stdin"
   case $ac_file in
-  -) cat "$tmp/out" && rm -f "$tmp/out";;
-  *) rm -f "$ac_file" && mv "$tmp/out" "$ac_file";;
+  -) cat "$ac_tmp/out" && rm -f "$ac_tmp/out";;
+  *) rm -f "$ac_file" && mv "$ac_tmp/out" "$ac_file";;
   esac \
   || as_fn_error $? "could not create $ac_file" "$LINENO" 5
  ;;
@@ -21905,20 +23115,20 @@ which seems to be undefined.  Please make sure it is defined" >&2;}
   if test x"$ac_file" != x-; then
     {
       $as_echo "/* $configure_input  */" \
-      && eval '$AWK -f "$tmp/defines.awk"' "$ac_file_inputs"
-    } >"$tmp/config.h" \
+      && eval '$AWK -f "$ac_tmp/defines.awk"' "$ac_file_inputs"
+    } >"$ac_tmp/config.h" \
       || as_fn_error $? "could not create $ac_file" "$LINENO" 5
-    if diff "$ac_file" "$tmp/config.h" >/dev/null 2>&1; then
+    if diff "$ac_file" "$ac_tmp/config.h" >/dev/null 2>&1; then
       { $as_echo "$as_me:${as_lineno-$LINENO}: $ac_file is unchanged" >&5
 $as_echo "$as_me: $ac_file is unchanged" >&6;}
     else
       rm -f "$ac_file"
-      mv "$tmp/config.h" "$ac_file" \
+      mv "$ac_tmp/config.h" "$ac_file" \
 	|| as_fn_error $? "could not create $ac_file" "$LINENO" 5
     fi
   else
     $as_echo "/* $configure_input  */" \
-      && eval '$AWK -f "$tmp/defines.awk"' "$ac_file_inputs" \
+      && eval '$AWK -f "$ac_tmp/defines.awk"' "$ac_file_inputs" \
       || as_fn_error $? "could not create -" "$LINENO" 5
   fi
 # Compute "$ac_file"'s index in $config_headers.
@@ -22080,7 +23290,8 @@ $as_echo X"$file" |
 # NOTE: Changes made to this file will be lost: look at ltmain.sh.
 #
 #   Copyright (C) 1996, 1997, 1998, 1999, 2000, 2001, 2003, 2004, 2005,
-#                 2006, 2007, 2008 Free Software Foundation, Inc.
+#                 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+#                 Foundation, Inc.
 #   Written by Gordon Matzigkeit, 1996
 #
 #   This file is part of GNU Libtool.
@@ -22128,6 +23339,15 @@ pic_mode=$pic_mode
 # Whether or not to optimize for fast installation.
 fast_install=$enable_fast_install
 
+# Shell to use when invoking shell scripts.
+SHELL=$lt_SHELL
+
+# An echo program that protects backslashes.
+ECHO=$lt_ECHO
+
+# The PATH separator for the build system.
+PATH_SEPARATOR=$lt_PATH_SEPARATOR
+
 # The host system.
 host_alias=$host_alias
 host=$host
@@ -22177,9 +23397,11 @@ SP2NL=$lt_lt_SP2NL
 # turn newlines into spaces.
 NL2SP=$lt_lt_NL2SP
 
-# How to create reloadable object files.
-reload_flag=$lt_reload_flag
-reload_cmds=$lt_reload_cmds
+# convert \$build file names to \$host format.
+to_host_file_cmd=$lt_cv_to_host_file_cmd
+
+# convert \$build files to toolchain format.
+to_tool_file_cmd=$lt_cv_to_tool_file_cmd
 
 # An object symbol dumper.
 OBJDUMP=$lt_OBJDUMP
@@ -22187,13 +23409,30 @@ OBJDUMP=$lt_OBJDUMP
 # Method to check whether dependent libraries are shared objects.
 deplibs_check_method=$lt_deplibs_check_method
 
-# Command to use when deplibs_check_method == "file_magic".
+# Command to use when deplibs_check_method = "file_magic".
 file_magic_cmd=$lt_file_magic_cmd
 
+# How to find potential files when deplibs_check_method = "file_magic".
+file_magic_glob=$lt_file_magic_glob
+
+# Find potential files using nocaseglob when deplibs_check_method = "file_magic".
+want_nocaseglob=$lt_want_nocaseglob
+
+# DLL creation program.
+DLLTOOL=$lt_DLLTOOL
+
+# Command to associate shared and link libraries.
+sharedlib_from_linklib_cmd=$lt_sharedlib_from_linklib_cmd
+
 # The archiver.
 AR=$lt_AR
+
+# Flags to create an archive.
 AR_FLAGS=$lt_AR_FLAGS
 
+# How to feed a file listing to the archiver.
+archiver_list_spec=$lt_archiver_list_spec
+
 # A symbol stripping program.
 STRIP=$lt_STRIP
 
@@ -22202,6 +23441,9 @@ RANLIB=$lt_RANLIB
 old_postinstall_cmds=$lt_old_postinstall_cmds
 old_postuninstall_cmds=$lt_old_postuninstall_cmds
 
+# Whether to use a lock for old archive extraction.
+lock_old_archive_extraction=$lock_old_archive_extraction
+
 # A C compiler.
 LTCC=$lt_CC
 
@@ -22220,14 +23462,14 @@ global_symbol_to_c_name_address=$lt_lt_cv_sys_global_symbol_to_c_name_address
 # Transform the output of nm in a C name address pair when lib prefix is needed.
 global_symbol_to_c_name_address_lib_prefix=$lt_lt_cv_sys_global_symbol_to_c_name_address_lib_prefix
 
-# The name of the directory that contains temporary libtool files.
-objdir=$objdir
+# Specify filename containing input files for \$NM.
+nm_file_list_spec=$lt_nm_file_list_spec
 
-# Shell to use when invoking shell scripts.
-SHELL=$lt_SHELL
+# The root where to search for dependent libraries,and in which our libraries should be installed.
+lt_sysroot=$lt_sysroot
 
-# An echo program that does not interpret backslashes.
-ECHO=$lt_ECHO
+# The name of the directory that contains temporary libtool files.
+objdir=$objdir
 
 # Used to examine libraries when file_magic_cmd begins with "file".
 MAGIC_CMD=$MAGIC_CMD
@@ -22235,6 +23477,9 @@ MAGIC_CMD=$MAGIC_CMD
 # Must we lock files when doing compilation?
 need_locks=$lt_need_locks
 
+# Manifest tool.
+MANIFEST_TOOL=$lt_MANIFEST_TOOL
+
 # Tool to manipulate archived DWARF debug symbol files on Mac OS X.
 DSYMUTIL=$lt_DSYMUTIL
 
@@ -22291,6 +23536,9 @@ library_names_spec=$lt_library_names_spec
 # The coded name of the library, if different from the real name.
 soname_spec=$lt_soname_spec
 
+# Permission mode override for installation of shared libraries.
+install_override_mode=$lt_install_override_mode
+
 # Command to use after installation of a shared archive.
 postinstall_cmds=$lt_postinstall_cmds
 
@@ -22330,6 +23578,10 @@ striplib=$lt_striplib
 # The linker used to build libraries.
 LD=$lt_LD
 
+# How to create reloadable object files.
+reload_flag=$lt_reload_flag
+reload_cmds=$lt_reload_cmds
+
 # Commands used to build an old-style archive.
 old_archive_cmds=$lt_old_archive_cmds
 
@@ -22342,12 +23594,12 @@ with_gcc=$GCC
 # Compiler flag to turn off builtin functions.
 no_builtin_flag=$lt_lt_prog_compiler_no_builtin_flag
 
-# How to pass a linker flag through the compiler.
-wl=$lt_lt_prog_compiler_wl
-
 # Additional compiler flags for building library objects.
 pic_flag=$lt_lt_prog_compiler_pic
 
+# How to pass a linker flag through the compiler.
+wl=$lt_lt_prog_compiler_wl
+
 # Compiler flag to prevent dynamic linking.
 link_static_flag=$lt_lt_prog_compiler_static
 
@@ -22397,10 +23649,6 @@ no_undefined_flag=$lt_no_undefined_flag
 # This must work even if \$libdir does not exist
 hardcode_libdir_flag_spec=$lt_hardcode_libdir_flag_spec
 
-# If ld is used when linking, flag to hardcode \$libdir into a binary
-# during linking.  This must work even if \$libdir does not exist.
-hardcode_libdir_flag_spec_ld=$lt_hardcode_libdir_flag_spec_ld
-
 # Whether we need a single "-rpath" flag with a separated argument.
 hardcode_libdir_separator=$lt_hardcode_libdir_separator
 
@@ -22434,9 +23682,6 @@ inherit_rpath=$inherit_rpath
 # Whether libtool must link a program against all its dependency libraries.
 link_all_deplibs=$link_all_deplibs
 
-# Fix the shell variable \$srcfile for the compiler.
-fix_srcfile_path=$lt_fix_srcfile_path
-
 # Set to "yes" if exported symbols are required.
 always_export_symbols=$always_export_symbols
 
@@ -22452,6 +23697,9 @@ include_expsyms=$lt_include_expsyms
 # Commands necessary for linking programs (against libraries) with templates.
 prelink_cmds=$lt_prelink_cmds
 
+# Commands necessary for finishing linking programs.
+postlink_cmds=$lt_postlink_cmds
+
 # Specify filename containing input files.
 file_list_spec=$lt_file_list_spec
 
@@ -22484,212 +23732,169 @@ ltmain="$ac_aux_dir/ltmain.sh"
   # if finds mixed CR/LF and LF-only lines.  Since sed operates in
   # text mode, it properly converts lines to CR/LF.  This bash problem
   # is reportedly fixed, but why not run on old versions too?
-  sed '/^# Generated shell functions inserted here/q' "$ltmain" >> "$cfgfile" \
-    || (rm -f "$cfgfile"; exit 1)
-
-  case $xsi_shell in
-  yes)
-    cat << \_LT_EOF >> "$cfgfile"
-
-# func_dirname file append nondir_replacement
-# Compute the dirname of FILE.  If nonempty, add APPEND to the result,
-# otherwise set result to NONDIR_REPLACEMENT.
-func_dirname ()
-{
-  case ${1} in
-    */*) func_dirname_result="${1%/*}${2}" ;;
-    *  ) func_dirname_result="${3}" ;;
-  esac
-}
-
-# func_basename file
-func_basename ()
-{
-  func_basename_result="${1##*/}"
-}
-
-# func_dirname_and_basename file append nondir_replacement
-# perform func_basename and func_dirname in a single function
-# call:
-#   dirname:  Compute the dirname of FILE.  If nonempty,
-#             add APPEND to the result, otherwise set result
-#             to NONDIR_REPLACEMENT.
-#             value returned in "$func_dirname_result"
-#   basename: Compute filename of FILE.
-#             value retuned in "$func_basename_result"
-# Implementation must be kept synchronized with func_dirname
-# and func_basename. For efficiency, we do not delegate to
-# those functions but instead duplicate the functionality here.
-func_dirname_and_basename ()
-{
-  case ${1} in
-    */*) func_dirname_result="${1%/*}${2}" ;;
-    *  ) func_dirname_result="${3}" ;;
-  esac
-  func_basename_result="${1##*/}"
-}
-
-# func_stripname prefix suffix name
-# strip PREFIX and SUFFIX off of NAME.
-# PREFIX and SUFFIX must not contain globbing or regex special
-# characters, hashes, percent signs, but SUFFIX may contain a leading
-# dot (in which case that matches only a dot).
-func_stripname ()
-{
-  # pdksh 5.2.14 does not do ${X%$Y} correctly if both X and Y are
-  # positional parameters, so assign one to ordinary parameter first.
-  func_stripname_result=${3}
-  func_stripname_result=${func_stripname_result#"${1}"}
-  func_stripname_result=${func_stripname_result%"${2}"}
-}
-
-# func_opt_split
-func_opt_split ()
-{
-  func_opt_split_opt=${1%%=*}
-  func_opt_split_arg=${1#*=}
-}
-
-# func_lo2o object
-func_lo2o ()
-{
-  case ${1} in
-    *.lo) func_lo2o_result=${1%.lo}.${objext} ;;
-    *)    func_lo2o_result=${1} ;;
-  esac
-}
-
-# func_xform libobj-or-source
-func_xform ()
-{
-  func_xform_result=${1%.*}.lo
-}
-
-# func_arith arithmetic-term...
-func_arith ()
-{
-  func_arith_result=$(( $* ))
-}
-
-# func_len string
-# STRING may not start with a hyphen.
-func_len ()
-{
-  func_len_result=${#1}
-}
-
-_LT_EOF
-    ;;
-  *) # Bourne compatible functions.
-    cat << \_LT_EOF >> "$cfgfile"
-
-# func_dirname file append nondir_replacement
-# Compute the dirname of FILE.  If nonempty, add APPEND to the result,
-# otherwise set result to NONDIR_REPLACEMENT.
-func_dirname ()
-{
-  # Extract subdirectory from the argument.
-  func_dirname_result=`$ECHO "X${1}" | $Xsed -e "$dirname"`
-  if test "X$func_dirname_result" = "X${1}"; then
-    func_dirname_result="${3}"
-  else
-    func_dirname_result="$func_dirname_result${2}"
-  fi
-}
-
-# func_basename file
-func_basename ()
-{
-  func_basename_result=`$ECHO "X${1}" | $Xsed -e "$basename"`
-}
-
-
-# func_stripname prefix suffix name
-# strip PREFIX and SUFFIX off of NAME.
-# PREFIX and SUFFIX must not contain globbing or regex special
-# characters, hashes, percent signs, but SUFFIX may contain a leading
-# dot (in which case that matches only a dot).
-# func_strip_suffix prefix name
-func_stripname ()
-{
-  case ${2} in
-    .*) func_stripname_result=`$ECHO "X${3}" \
-           | $Xsed -e "s%^${1}%%" -e "s%\\\\${2}\$%%"`;;
-    *)  func_stripname_result=`$ECHO "X${3}" \
-           | $Xsed -e "s%^${1}%%" -e "s%${2}\$%%"`;;
-  esac
-}
-
-# sed scripts:
-my_sed_long_opt='1s/^\(-[^=]*\)=.*/\1/;q'
-my_sed_long_arg='1s/^-[^=]*=//'
-
-# func_opt_split
-func_opt_split ()
-{
-  func_opt_split_opt=`$ECHO "X${1}" | $Xsed -e "$my_sed_long_opt"`
-  func_opt_split_arg=`$ECHO "X${1}" | $Xsed -e "$my_sed_long_arg"`
-}
-
-# func_lo2o object
-func_lo2o ()
-{
-  func_lo2o_result=`$ECHO "X${1}" | $Xsed -e "$lo2o"`
-}
-
-# func_xform libobj-or-source
-func_xform ()
-{
-  func_xform_result=`$ECHO "X${1}" | $Xsed -e 's/\.[^.]*$/.lo/'`
-}
-
-# func_arith arithmetic-term...
-func_arith ()
-{
-  func_arith_result=`expr "$@"`
-}
-
-# func_len string
-# STRING may not start with a hyphen.
-func_len ()
-{
-  func_len_result=`expr "$1" : ".*" 2>/dev/null || echo $max_cmd_len`
-}
-
-_LT_EOF
-esac
-
-case $lt_shell_append in
-  yes)
-    cat << \_LT_EOF >> "$cfgfile"
-
-# func_append var value
-# Append VALUE to the end of shell variable VAR.
-func_append ()
-{
-  eval "$1+=\$2"
-}
-_LT_EOF
-    ;;
-  *)
-    cat << \_LT_EOF >> "$cfgfile"
-
-# func_append var value
-# Append VALUE to the end of shell variable VAR.
-func_append ()
-{
-  eval "$1=\$$1\$2"
-}
-
-_LT_EOF
-    ;;
-  esac
-
-
-  sed -n '/^# Generated shell functions inserted here/,$p' "$ltmain" >> "$cfgfile" \
-    || (rm -f "$cfgfile"; exit 1)
-
-  mv -f "$cfgfile" "$ofile" ||
+  sed '$q' "$ltmain" >> "$cfgfile" \
+     || (rm -f "$cfgfile"; exit 1)
+
+  if test x"$xsi_shell" = xyes; then
+  sed -e '/^func_dirname ()$/,/^} # func_dirname /c\
+func_dirname ()\
+{\
+\    case ${1} in\
+\      */*) func_dirname_result="${1%/*}${2}" ;;\
+\      *  ) func_dirname_result="${3}" ;;\
+\    esac\
+} # Extended-shell func_dirname implementation' "$cfgfile" > $cfgfile.tmp \
+  && mv -f "$cfgfile.tmp" "$cfgfile" \
+    || (rm -f "$cfgfile" && cp "$cfgfile.tmp" "$cfgfile" && rm -f "$cfgfile.tmp")
+test 0 -eq $? || _lt_function_replace_fail=:
+
+
+  sed -e '/^func_basename ()$/,/^} # func_basename /c\
+func_basename ()\
+{\
+\    func_basename_result="${1##*/}"\
+} # Extended-shell func_basename implementation' "$cfgfile" > $cfgfile.tmp \
+  && mv -f "$cfgfile.tmp" "$cfgfile" \
+    || (rm -f "$cfgfile" && cp "$cfgfile.tmp" "$cfgfile" && rm -f "$cfgfile.tmp")
+test 0 -eq $? || _lt_function_replace_fail=:
+
+
+  sed -e '/^func_dirname_and_basename ()$/,/^} # func_dirname_and_basename /c\
+func_dirname_and_basename ()\
+{\
+\    case ${1} in\
+\      */*) func_dirname_result="${1%/*}${2}" ;;\
+\      *  ) func_dirname_result="${3}" ;;\
+\    esac\
+\    func_basename_result="${1##*/}"\
+} # Extended-shell func_dirname_and_basename implementation' "$cfgfile" > $cfgfile.tmp \
+  && mv -f "$cfgfile.tmp" "$cfgfile" \
+    || (rm -f "$cfgfile" && cp "$cfgfile.tmp" "$cfgfile" && rm -f "$cfgfile.tmp")
+test 0 -eq $? || _lt_function_replace_fail=:
+
+
+  sed -e '/^func_stripname ()$/,/^} # func_stripname /c\
+func_stripname ()\
+{\
+\    # pdksh 5.2.14 does not do ${X%$Y} correctly if both X and Y are\
+\    # positional parameters, so assign one to ordinary parameter first.\
+\    func_stripname_result=${3}\
+\    func_stripname_result=${func_stripname_result#"${1}"}\
+\    func_stripname_result=${func_stripname_result%"${2}"}\
+} # Extended-shell func_stripname implementation' "$cfgfile" > $cfgfile.tmp \
+  && mv -f "$cfgfile.tmp" "$cfgfile" \
+    || (rm -f "$cfgfile" && cp "$cfgfile.tmp" "$cfgfile" && rm -f "$cfgfile.tmp")
+test 0 -eq $? || _lt_function_replace_fail=:
+
+
+  sed -e '/^func_split_long_opt ()$/,/^} # func_split_long_opt /c\
+func_split_long_opt ()\
+{\
+\    func_split_long_opt_name=${1%%=*}\
+\    func_split_long_opt_arg=${1#*=}\
+} # Extended-shell func_split_long_opt implementation' "$cfgfile" > $cfgfile.tmp \
+  && mv -f "$cfgfile.tmp" "$cfgfile" \
+    || (rm -f "$cfgfile" && cp "$cfgfile.tmp" "$cfgfile" && rm -f "$cfgfile.tmp")
+test 0 -eq $? || _lt_function_replace_fail=:
+
+
+  sed -e '/^func_split_short_opt ()$/,/^} # func_split_short_opt /c\
+func_split_short_opt ()\
+{\
+\    func_split_short_opt_arg=${1#??}\
+\    func_split_short_opt_name=${1%"$func_split_short_opt_arg"}\
+} # Extended-shell func_split_short_opt implementation' "$cfgfile" > $cfgfile.tmp \
+  && mv -f "$cfgfile.tmp" "$cfgfile" \
+    || (rm -f "$cfgfile" && cp "$cfgfile.tmp" "$cfgfile" && rm -f "$cfgfile.tmp")
+test 0 -eq $? || _lt_function_replace_fail=:
+
+
+  sed -e '/^func_lo2o ()$/,/^} # func_lo2o /c\
+func_lo2o ()\
+{\
+\    case ${1} in\
+\      *.lo) func_lo2o_result=${1%.lo}.${objext} ;;\
+\      *)    func_lo2o_result=${1} ;;\
+\    esac\
+} # Extended-shell func_lo2o implementation' "$cfgfile" > $cfgfile.tmp \
+  && mv -f "$cfgfile.tmp" "$cfgfile" \
+    || (rm -f "$cfgfile" && cp "$cfgfile.tmp" "$cfgfile" && rm -f "$cfgfile.tmp")
+test 0 -eq $? || _lt_function_replace_fail=:
+
+
+  sed -e '/^func_xform ()$/,/^} # func_xform /c\
+func_xform ()\
+{\
+    func_xform_result=${1%.*}.lo\
+} # Extended-shell func_xform implementation' "$cfgfile" > $cfgfile.tmp \
+  && mv -f "$cfgfile.tmp" "$cfgfile" \
+    || (rm -f "$cfgfile" && cp "$cfgfile.tmp" "$cfgfile" && rm -f "$cfgfile.tmp")
+test 0 -eq $? || _lt_function_replace_fail=:
+
+
+  sed -e '/^func_arith ()$/,/^} # func_arith /c\
+func_arith ()\
+{\
+    func_arith_result=$(( $* ))\
+} # Extended-shell func_arith implementation' "$cfgfile" > $cfgfile.tmp \
+  && mv -f "$cfgfile.tmp" "$cfgfile" \
+    || (rm -f "$cfgfile" && cp "$cfgfile.tmp" "$cfgfile" && rm -f "$cfgfile.tmp")
+test 0 -eq $? || _lt_function_replace_fail=:
+
+
+  sed -e '/^func_len ()$/,/^} # func_len /c\
+func_len ()\
+{\
+    func_len_result=${#1}\
+} # Extended-shell func_len implementation' "$cfgfile" > $cfgfile.tmp \
+  && mv -f "$cfgfile.tmp" "$cfgfile" \
+    || (rm -f "$cfgfile" && cp "$cfgfile.tmp" "$cfgfile" && rm -f "$cfgfile.tmp")
+test 0 -eq $? || _lt_function_replace_fail=:
+
+fi
+
+if test x"$lt_shell_append" = xyes; then
+  sed -e '/^func_append ()$/,/^} # func_append /c\
+func_append ()\
+{\
+    eval "${1}+=\\${2}"\
+} # Extended-shell func_append implementation' "$cfgfile" > $cfgfile.tmp \
+  && mv -f "$cfgfile.tmp" "$cfgfile" \
+    || (rm -f "$cfgfile" && cp "$cfgfile.tmp" "$cfgfile" && rm -f "$cfgfile.tmp")
+test 0 -eq $? || _lt_function_replace_fail=:
+
+
+  sed -e '/^func_append_quoted ()$/,/^} # func_append_quoted /c\
+func_append_quoted ()\
+{\
+\    func_quote_for_eval "${2}"\
+\    eval "${1}+=\\\\ \\$func_quote_for_eval_result"\
+} # Extended-shell func_append_quoted implementation' "$cfgfile" > $cfgfile.tmp \
+  && mv -f "$cfgfile.tmp" "$cfgfile" \
+    || (rm -f "$cfgfile" && cp "$cfgfile.tmp" "$cfgfile" && rm -f "$cfgfile.tmp")
+test 0 -eq $? || _lt_function_replace_fail=:
+
+
+  # Save a `func_append' function call where possible by direct use of '+='
+  sed -e 's%func_append \([a-zA-Z_]\{1,\}\) "%\1+="%g' $cfgfile > $cfgfile.tmp \
+    && mv -f "$cfgfile.tmp" "$cfgfile" \
+      || (rm -f "$cfgfile" && cp "$cfgfile.tmp" "$cfgfile" && rm -f "$cfgfile.tmp")
+  test 0 -eq $? || _lt_function_replace_fail=:
+else
+  # Save a `func_append' function call even when '+=' is not available
+  sed -e 's%func_append \([a-zA-Z_]\{1,\}\) "%\1="$\1%g' $cfgfile > $cfgfile.tmp \
+    && mv -f "$cfgfile.tmp" "$cfgfile" \
+      || (rm -f "$cfgfile" && cp "$cfgfile.tmp" "$cfgfile" && rm -f "$cfgfile.tmp")
+  test 0 -eq $? || _lt_function_replace_fail=:
+fi
+
+if test x"$_lt_function_replace_fail" = x":"; then
+  { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: Unable to substitute extended shell functions in $ofile" >&5
+$as_echo "$as_me: WARNING: Unable to substitute extended shell functions in $ofile" >&2;}
+fi
+
+
+   mv -f "$cfgfile" "$ofile" ||
     (rm -f "$ofile" && cp "$cfgfile" "$ofile" && rm -f "$cfgfile")
   chmod +x "$ofile"
 
diff --git a/configure.in b/configure.in
index d4d54e3ce..2c3e739d6 100644
--- a/configure.in
+++ b/configure.in
@@ -16,7 +16,7 @@ dnl ===========================
 dnl  initialize & set some vars
 dnl ===========================
 
-AC_INIT(strongSwan,5.0.1)
+AC_INIT(strongSwan,5.0.2)
 AM_INIT_AUTOMAKE(tar-ustar)
 AC_CONFIG_MACRO_DIR([m4/config])
 AC_CONFIG_HEADERS([config.h])
@@ -44,6 +44,7 @@ ARG_WITH_SUBST([routing-table],      [220], [set routing table to use for IPsec
 ARG_WITH_SUBST([routing-table-prio], [220], [set priority for IPsec routing table])
 ARG_WITH_SUBST([ipsec-script],       [ipsec], [change the name of the ipsec script])
 
+ARG_WITH_SET([tss],                  [no], [set implementation of the Trusted Computing Group's Software Stack (TSS). Currently the only supported value is "trousers"])
 ARG_WITH_SET([capabilities],         [no], [set capability dropping library. Currently supported values are "libcap" and "native"])
 ARG_WITH_SET([mpz_powm_sec],         [yes], [use the more side-channel resistant mpz_powm_sec in libgmp, if available])
 ARG_WITH_SET([dev-headers],          [no], [install strongSwan development headers to directory.])
@@ -111,6 +112,7 @@ ARG_DISBL_SET([sha1],           [disable SHA1 software implementation plugin.])
 ARG_DISBL_SET([sha2],           [disable SHA256/SHA384/SHA512 software implementation plugin.])
 ARG_DISBL_SET([fips-prf],       [disable FIPS PRF software implementation plugin.])
 ARG_DISBL_SET([gmp],            [disable GNU MP (libgmp) based crypto implementation plugin.])
+ARG_ENABL_SET([rdrand],         [enable Intel RDRAND random generator plugin.])
 ARG_DISBL_SET([random],         [disable RNG implementation on top of /dev/(u)random.])
 ARG_DISBL_SET([nonce],          [disable nonce generation plugin.])
 ARG_DISBL_SET([x509],           [disable X509 certificate implementation plugin.])
@@ -118,6 +120,7 @@ ARG_DISBL_SET([revocation],     [disable X509 CRL/OCSP revocation check plugin.]
 ARG_DISBL_SET([constraints],    [disable advanced X509 constraint checking plugin.])
 ARG_DISBL_SET([pubkey],         [disable RAW public key support plugin.])
 ARG_DISBL_SET([pkcs1],          [disable PKCS1 key decoding plugin.])
+ARG_DISBL_SET([pkcs7],          [disable PKCS7 container support plugin.])
 ARG_DISBL_SET([pkcs8],          [disable PKCS8 private key decoding plugin.])
 ARG_DISBL_SET([pgp],            [disable PGP key decoding plugin.])
 ARG_DISBL_SET([dnskey],         [disable DNS RR key decoding plugin.])
@@ -170,6 +173,8 @@ ARG_ENABL_SET([imc-test],       [enable IMC test module.])
 ARG_ENABL_SET([imv-test],       [enable IMV test module.])
 ARG_ENABL_SET([imc-scanner],    [enable IMC port scanner module.])
 ARG_ENABL_SET([imv-scanner],    [enable IMV port scanner module.])
+ARG_ENABL_SET([imc-os],         [enable IMC operating system module.])
+ARG_ENABL_SET([imv-os],         [enable IMV operating system module.])
 ARG_ENABL_SET([imc-attestation],[enable IMC attestation module.])
 ARG_ENABL_SET([imv-attestation],[enable IMV attestation module.])
 ARG_DISBL_SET([kernel-netlink], [disable the netlink kernel interface.])
@@ -214,6 +219,8 @@ ARG_ENABL_SET([maemo],          [enable Maemo specific plugin.])
 ARG_ENABL_SET([nm],             [enable NetworkManager backend.])
 ARG_ENABL_SET([ha],             [enable high availability cluster plugin.])
 ARG_ENABL_SET([whitelist],      [enable peer identity whitelisting plugin.])
+ARG_ENABL_SET([lookip],         [enable fast virtual IP lookup and notification plugin.])
+ARG_ENABL_SET([error-notify],   [enable error notification plugin.])
 ARG_ENABL_SET([certexpire],     [enable CSV export of expiration dates of used certificates.])
 ARG_ENABL_SET([led],            [enable plugin to control LEDs on IKEv2 activity using the Linux kernel LED subsystem.])
 ARG_ENABL_SET([duplicheck],     [advanced duplicate checking plugin using liveness checks.])
@@ -293,7 +300,7 @@ if test x$tnc_imc = xtrue -o x$tnc_imv = xtrue -o x$tnccs_11 = xtrue -o x$tnccs_
 	tnc_tnccs=true;
 fi
 
-if test x$imc_test = xtrue -o x$imv_test = xtrue -o x$imc_scanner = xtrue -o x$imv_scanner = xtrue -o x$imc_attestation = xtrue -o x$imv_attestation = xtrue; then
+if test x$imc_test = xtrue -o x$imv_test = xtrue -o x$imc_scanner = xtrue -o x$imv_scanner = xtrue -o x$imc_os = xtrue -o x$imv_os = xtrue -o x$imc_attestation = xtrue -o x$imv_attestation = xtrue; then
 	imcv=true;
 fi
 
@@ -410,6 +417,8 @@ dnl check if we can cancel threads
 AC_CHECK_FUNCS(pthread_cancel)
 dnl check if native rwlocks are available
 AC_CHECK_FUNCS(pthread_rwlock_init)
+dnl check if pthread spinlocks are available
+AC_CHECK_FUNCS(pthread_spin_init)
 dnl check if we have POSIX semaphore functions, including timed-wait
 AC_CHECK_FUNCS(sem_timedwait)
 LIBS=$saved_LIBS
@@ -627,9 +636,10 @@ if test x$axis2c = xtrue; then
 	AC_SUBST(axis2c_LIBS)
 fi
 
-if test x$imc_attestation = xtrue -o x$imv_attestation = xtrue; then
+if test x$tss = xtrousers; then
 	AC_HAVE_LIBRARY([tspi],[LIBS="$LIBS"],[AC_MSG_ERROR([TrouSerS library libtspi not found])])
 	AC_CHECK_HEADER([trousers/tss.h],,[AC_MSG_ERROR([TrouSerS header trousers/tss.h not found!])])
+	AC_DEFINE([TSS_TROUSERS], [], [use TrouSerS library libtspi as TSS implementation])
 fi
 
 if test x$dumm = xtrue; then
@@ -639,27 +649,37 @@ if test x$dumm = xtrue; then
 	AC_CHECK_PROGS(RUBY, ruby)
 	AC_MSG_CHECKING([for Ruby header files])
 	if test -n "$RUBY"; then
-		RUBYDIR=`($RUBY -rmkmf -e 'print Config::CONFIG[["archdir"]] || $archdir') 2>/dev/null`
-		if test -n "$RUBYDIR"; then
-			dirs="$RUBYDIR"
-			RUBYINCLUDE=none
-			for i in $dirs; do
-				if test -r $i/ruby.h; then
-					AC_MSG_RESULT([$i])
-					RUBYINCLUDE="-I$i"
-					break;
-				fi
-			done
-			if test x"$RUBYINCLUDE" = xnone; then
-				AC_MSG_ERROR([ruby.h not found])
+		RUBYINCLUDE=
+		RUBYDIR=`($RUBY -r rbconfig -e 'print RbConfig::CONFIG[["rubyhdrdir"]] || ""') 2>/dev/null`
+		if test -n "$RUBYDIR" -a -r "$RUBYDIR/ruby.h"; then
+			RUBYARCH=`($RUBY -r rbconfig -e 'print RbConfig::CONFIG[["arch"]] || ""') 2>/dev/null`
+			if test -n "$RUBYARCH"; then
+				AC_MSG_RESULT([$RUBYDIR])
+				RUBYINCLUDE="-I$RUBYDIR -I$RUBYDIR/$RUBYARCH"
 			fi
-			AC_SUBST(RUBYINCLUDE)
 		else
-			AC_MSG_ERROR([unable to determine ruby configuration])
+			RUBYDIR=`($RUBY -r rbconfig -e 'print RbConfig::CONFIG[["archdir"]] || ""') 2>/dev/null`
+			if test -n "$RUBYDIR" -a -r "$RUBYDIR/ruby.h"; then
+				AC_MSG_RESULT([$RUBYDIR])
+				RUBYINCLUDE="-I$RUBYDIR"
+			fi
+		fi
+		if test -z "$RUBYINCLUDE"; then
+			AC_MSG_ERROR([ruby.h not found])
 		fi
+		AC_SUBST(RUBYINCLUDE)
 	else
 		AC_MSG_ERROR([don't know how to run ruby])
 	fi
+	AC_MSG_CHECKING([for libruby])
+	saved_LIBS=$LIBS
+	LIBS=`($RUBY -r rbconfig -e 'print RbConfig::CONFIG[["LIBRUBYARG_SHARED"]] || ""') 2>/dev/null`
+	AC_TRY_LINK_FUNC(ruby_init,
+		[AC_MSG_RESULT([$LIBS]); RUBYLIB=$LIBS],
+		[AC_MSG_ERROR([not found])])
+	AC_SUBST(RUBYLIB)
+	AC_CHECK_FUNCS(rb_errinfo)
+	LIBS=$saved_LIBS
 fi
 
 if test x$fast = xtrue; then
@@ -871,6 +891,7 @@ ADD_PLUGIN([sha1],                 [s charon openac scepclient pki scripts medsr
 ADD_PLUGIN([sha2],                 [s charon openac scepclient pki scripts medsrv attest nm])
 ADD_PLUGIN([md4],                  [s charon openac manager scepclient pki nm])
 ADD_PLUGIN([md5],                  [s charon openac scepclient pki scripts attest nm])
+ADD_PLUGIN([rdrand],               [s charon openac scepclient pki scripts medsrv attest nm])
 ADD_PLUGIN([random],               [s charon openac scepclient pki scripts medsrv attest nm])
 ADD_PLUGIN([nonce],                [s charon nm])
 ADD_PLUGIN([x509],                 [s charon openac scepclient pki scripts attest nm])
@@ -878,6 +899,7 @@ ADD_PLUGIN([revocation],           [s charon nm])
 ADD_PLUGIN([constraints],          [s charon nm])
 ADD_PLUGIN([pubkey],               [s charon])
 ADD_PLUGIN([pkcs1],                [s charon openac scepclient pki scripts manager medsrv attest nm])
+ADD_PLUGIN([pkcs7],                [s scepclient pki])
 ADD_PLUGIN([pkcs8],                [s charon openac scepclient pki scripts manager medsrv attest nm])
 ADD_PLUGIN([pgp],                  [s charon])
 ADD_PLUGIN([dnskey],               [s charon])
@@ -946,6 +968,8 @@ ADD_PLUGIN([android],              [c charon])
 ADD_PLUGIN([android-log],          [c charon])
 ADD_PLUGIN([ha],                   [c charon])
 ADD_PLUGIN([whitelist],            [c charon])
+ADD_PLUGIN([lookip],               [c charon])
+ADD_PLUGIN([error-notify],         [c charon])
 ADD_PLUGIN([certexpire],           [c charon])
 ADD_PLUGIN([led],                  [c charon])
 ADD_PLUGIN([duplicheck],           [c charon])
@@ -993,6 +1017,7 @@ AM_CONDITIONAL(USE_SHA1, test x$sha1 = xtrue)
 AM_CONDITIONAL(USE_SHA2, test x$sha2 = xtrue)
 AM_CONDITIONAL(USE_FIPS_PRF, test x$fips_prf = xtrue)
 AM_CONDITIONAL(USE_GMP, test x$gmp = xtrue)
+AM_CONDITIONAL(USE_RDRAND, test x$rdrand = xtrue)
 AM_CONDITIONAL(USE_RANDOM, test x$random = xtrue)
 AM_CONDITIONAL(USE_NONCE, test x$nonce = xtrue)
 AM_CONDITIONAL(USE_X509, test x$x509 = xtrue)
@@ -1000,6 +1025,7 @@ AM_CONDITIONAL(USE_REVOCATION, test x$revocation = xtrue)
 AM_CONDITIONAL(USE_CONSTRAINTS, test x$constraints = xtrue)
 AM_CONDITIONAL(USE_PUBKEY, test x$pubkey = xtrue)
 AM_CONDITIONAL(USE_PKCS1, test x$pkcs1 = xtrue)
+AM_CONDITIONAL(USE_PKCS7, test x$pkcs7 = xtrue)
 AM_CONDITIONAL(USE_PKCS8, test x$pkcs8 = xtrue)
 AM_CONDITIONAL(USE_PGP, test x$pgp = xtrue)
 AM_CONDITIONAL(USE_DNSKEY, test x$dnskey = xtrue)
@@ -1036,6 +1062,8 @@ AM_CONDITIONAL(USE_UNIT_TESTS, test x$unit_tester = xtrue)
 AM_CONDITIONAL(USE_LOAD_TESTER, test x$load_tester = xtrue)
 AM_CONDITIONAL(USE_HA, test x$ha = xtrue)
 AM_CONDITIONAL(USE_WHITELIST, test x$whitelist = xtrue)
+AM_CONDITIONAL(USE_LOOKIP, test x$lookip = xtrue)
+AM_CONDITIONAL(USE_ERROR_NOTIFY, test x$error_notify = xtrue)
 AM_CONDITIONAL(USE_CERTEXPIRE, test x$certexpire = xtrue)
 AM_CONDITIONAL(USE_LED, test x$led = xtrue)
 AM_CONDITIONAL(USE_DUPLICHECK, test x$duplicheck = xtrue)
@@ -1074,6 +1102,8 @@ AM_CONDITIONAL(USE_IMC_TEST, test x$imc_test = xtrue)
 AM_CONDITIONAL(USE_IMV_TEST, test x$imv_test = xtrue)
 AM_CONDITIONAL(USE_IMC_SCANNER, test x$imc_scanner = xtrue)
 AM_CONDITIONAL(USE_IMV_SCANNER, test x$imv_scanner = xtrue)
+AM_CONDITIONAL(USE_IMC_OS, test x$imc_os = xtrue)
+AM_CONDITIONAL(USE_IMV_OS, test x$imv_os = xtrue)
 AM_CONDITIONAL(USE_IMC_ATTESTATION, test x$imc_attestation = xtrue)
 AM_CONDITIONAL(USE_IMV_ATTESTATION, test x$imv_attestation = xtrue)
 AM_CONDITIONAL(USE_SOCKET_DEFAULT, test x$socket_default = xtrue)
@@ -1126,6 +1156,7 @@ AM_CONDITIONAL(USE_TLS, test x$tls = xtrue)
 AM_CONDITIONAL(USE_RADIUS, test x$radius = xtrue)
 AM_CONDITIONAL(USE_IMCV, test x$imcv = xtrue)
 AM_CONDITIONAL(USE_PTS, test x$pts = xtrue)
+AM_CONDITIONAL(USE_TROUSERS, test x$tss = xtrousers)
 AM_CONDITIONAL(MONOLITHIC, test x$monolithic = xtrue)
 
 dnl ==============================
@@ -1170,6 +1201,7 @@ AC_OUTPUT(
 	src/libstrongswan/plugins/sha2/Makefile
 	src/libstrongswan/plugins/fips_prf/Makefile
 	src/libstrongswan/plugins/gmp/Makefile
+	src/libstrongswan/plugins/rdrand/Makefile
 	src/libstrongswan/plugins/random/Makefile
 	src/libstrongswan/plugins/nonce/Makefile
 	src/libstrongswan/plugins/hmac/Makefile
@@ -1179,6 +1211,7 @@ AC_OUTPUT(
 	src/libstrongswan/plugins/constraints/Makefile
 	src/libstrongswan/plugins/pubkey/Makefile
 	src/libstrongswan/plugins/pkcs1/Makefile
+	src/libstrongswan/plugins/pkcs7/Makefile
 	src/libstrongswan/plugins/pkcs8/Makefile
 	src/libstrongswan/plugins/pgp/Makefile
 	src/libstrongswan/plugins/dnskey/Makefile
@@ -1220,6 +1253,8 @@ AC_OUTPUT(
 	src/libimcv/plugins/imv_test/Makefile
 	src/libimcv/plugins/imc_scanner/Makefile
 	src/libimcv/plugins/imv_scanner/Makefile
+	src/libimcv/plugins/imc_os/Makefile
+	src/libimcv/plugins/imv_os/Makefile
 	src/charon/Makefile
 	src/charon-nm/Makefile
 	src/libcharon/Makefile
@@ -1264,6 +1299,8 @@ AC_OUTPUT(
 	src/libcharon/plugins/uci/Makefile
 	src/libcharon/plugins/ha/Makefile
 	src/libcharon/plugins/whitelist/Makefile
+	src/libcharon/plugins/lookip/Makefile
+	src/libcharon/plugins/error_notify/Makefile
 	src/libcharon/plugins/certexpire/Makefile
 	src/libcharon/plugins/led/Makefile
 	src/libcharon/plugins/duplicheck/Makefile
diff --git a/depcomp b/depcomp
index df8eea7e4..bd0ac0895 100755
--- a/depcomp
+++ b/depcomp
@@ -1,10 +1,10 @@
 #! /bin/sh
 # depcomp - compile a program generating dependencies as side-effects
 
-scriptversion=2009-04-28.21; # UTC
+scriptversion=2011-12-04.11; # UTC
 
-# Copyright (C) 1999, 2000, 2003, 2004, 2005, 2006, 2007, 2009 Free
-# Software Foundation, Inc.
+# Copyright (C) 1999, 2000, 2003, 2004, 2005, 2006, 2007, 2009, 2010,
+# 2011 Free Software Foundation, Inc.
 
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
@@ -44,7 +44,7 @@ Environment variables:
   object      Object file output by `PROGRAMS ARGS'.
   DEPDIR      directory where to store dependencies.
   depfile     Dependency file to output.
-  tmpdepfile  Temporary file to use when outputing dependencies.
+  tmpdepfile  Temporary file to use when outputting dependencies.
   libtool     Whether libtool is used (yes/no).
 
 Report bugs to <bug-automake@gnu.org>.
@@ -90,10 +90,18 @@ if test "$depmode" = msvcmsys; then
    # This is just like msvisualcpp but w/o cygpath translation.
    # Just convert the backslash-escaped backslashes to single forward
    # slashes to satisfy depend.m4
-   cygpath_u="sed s,\\\\\\\\,/,g"
+   cygpath_u='sed s,\\\\,/,g'
    depmode=msvisualcpp
 fi
 
+if test "$depmode" = msvc7msys; then
+   # This is just like msvc7 but w/o cygpath translation.
+   # Just convert the backslash-escaped backslashes to single forward
+   # slashes to satisfy depend.m4
+   cygpath_u='sed s,\\\\,/,g'
+   depmode=msvc7
+fi
+
 case "$depmode" in
 gcc3)
 ## gcc 3 implements dependency tracking that does exactly what
@@ -158,10 +166,12 @@ gcc)
 ' < "$tmpdepfile" |
 ## Some versions of gcc put a space before the `:'.  On the theory
 ## that the space means something, we add a space to the output as
-## well.
+## well.  hp depmode also adds that space, but also prefixes the VPATH
+## to the object.  Take care to not repeat it in the output.
 ## Some versions of the HPUX 10.20 sed can't process this invocation
 ## correctly.  Breaking it into two sed invocations is a workaround.
-    sed -e 's/^\\$//' -e '/^$/d' -e '/:$/d' | sed -e 's/$/ :/' >> "$depfile"
+    sed -e 's/^\\$//' -e '/^$/d' -e "s|.*$object$||" -e '/:$/d' \
+      | sed -e 's/$/ :/' >> "$depfile"
   rm -f "$tmpdepfile"
   ;;
 
@@ -405,6 +415,52 @@ tru64)
    rm -f "$tmpdepfile"
    ;;
 
+msvc7)
+  if test "$libtool" = yes; then
+    showIncludes=-Wc,-showIncludes
+  else
+    showIncludes=-showIncludes
+  fi
+  "$@" $showIncludes > "$tmpdepfile"
+  stat=$?
+  grep -v '^Note: including file: ' "$tmpdepfile"
+  if test "$stat" = 0; then :
+  else
+    rm -f "$tmpdepfile"
+    exit $stat
+  fi
+  rm -f "$depfile"
+  echo "$object : \\" > "$depfile"
+  # The first sed program below extracts the file names and escapes
+  # backslashes for cygpath.  The second sed program outputs the file
+  # name when reading, but also accumulates all include files in the
+  # hold buffer in order to output them again at the end.  This only
+  # works with sed implementations that can handle large buffers.
+  sed < "$tmpdepfile" -n '
+/^Note: including file:  *\(.*\)/ {
+  s//\1/
+  s/\\/\\\\/g
+  p
+}' | $cygpath_u | sort -u | sed -n '
+s/ /\\ /g
+s/\(.*\)/	\1 \\/p
+s/.\(.*\) \\/\1:/
+H
+$ {
+  s/.*/	/
+  G
+  p
+}' >> "$depfile"
+  rm -f "$tmpdepfile"
+  ;;
+
+msvc7msys)
+  # This case exists only to let depend.m4 do its work.  It works by
+  # looking at the text of this script.  This case will never be run,
+  # since it is checked for above.
+  exit 1
+  ;;
+
 #nosideeffect)
   # This comment above is used by automake to tell side-effect
   # dependency tracking mechanisms from slower ones.
@@ -503,7 +559,9 @@ makedepend)
   touch "$tmpdepfile"
   ${MAKEDEPEND-makedepend} -o"$obj_suffix" -f"$tmpdepfile" "$@"
   rm -f "$depfile"
-  cat < "$tmpdepfile" > "$depfile"
+  # makedepend may prepend the VPATH from the source file name to the object.
+  # No need to regex-escape $object, excess matching of '.' is harmless.
+  sed "s|^.*\($object *:\)|\1|" "$tmpdepfile" > "$depfile"
   sed '1,2d' "$tmpdepfile" | tr ' ' '
 ' | \
 ## Some versions of the HPUX 10.20 sed can't process this invocation
diff --git a/init/Makefile.in b/init/Makefile.in
index f8e21d34f..7d7346e0c 100644
--- a/init/Makefile.in
+++ b/init/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -114,6 +114,7 @@ CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -141,6 +142,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -168,6 +170,7 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
@@ -180,6 +183,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -233,7 +237,6 @@ libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -529,10 +532,15 @@ install-am: all-am
 
 installcheck: installcheck-recursive
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
diff --git a/init/systemd/Makefile.in b/init/systemd/Makefile.in
index e9130bffb..def76088a 100644
--- a/init/systemd/Makefile.in
+++ b/init/systemd/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -75,6 +75,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
 am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
 am__installdirs = "$(DESTDIR)$(systemdsystemunitdir)"
 DATA = $(systemdsystemunit_DATA)
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
@@ -97,6 +103,7 @@ CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -124,6 +131,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -151,6 +159,7 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
@@ -163,6 +172,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -216,7 +226,6 @@ libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -322,9 +331,7 @@ uninstall-systemdsystemunitDATA:
 	@$(NORMAL_UNINSTALL)
 	@list='$(systemdsystemunit_DATA)'; test -n "$(systemdsystemunitdir)" || list=; \
 	files=`for p in $$list; do echo $$p; done | sed -e 's|^.*/||'`; \
-	test -n "$$files" || exit 0; \
-	echo " ( cd '$(DESTDIR)$(systemdsystemunitdir)' && rm -f" $$files ")"; \
-	cd "$(DESTDIR)$(systemdsystemunitdir)" && rm -f $$files
+	dir='$(DESTDIR)$(systemdsystemunitdir)'; $(am__uninstall_files_from_dir)
 tags: TAGS
 TAGS:
 
@@ -379,10 +386,15 @@ install-am: all-am
 
 installcheck: installcheck-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
diff --git a/install-sh b/install-sh
index 6781b987b..a9244eb07 100755
--- a/install-sh
+++ b/install-sh
@@ -1,7 +1,7 @@
 #!/bin/sh
 # install - install a program, script, or datafile
 
-scriptversion=2009-04-28.21; # UTC
+scriptversion=2011-01-19.21; # UTC
 
 # This originates from X11R5 (mit/util/scripts/install.sh), which was
 # later released in X11R6 (xc/config/util/install.sh) with the
@@ -156,6 +156,10 @@ while test $# -ne 0; do
     -s) stripcmd=$stripprog;;
 
     -t) dst_arg=$2
+	# Protect names problematic for `test' and other utilities.
+	case $dst_arg in
+	  -* | [=\(\)!]) dst_arg=./$dst_arg;;
+	esac
 	shift;;
 
     -T) no_target_directory=true;;
@@ -186,6 +190,10 @@ if test $# -ne 0 && test -z "$dir_arg$dst_arg"; then
     fi
     shift # arg
     dst_arg=$arg
+    # Protect names problematic for `test' and other utilities.
+    case $dst_arg in
+      -* | [=\(\)!]) dst_arg=./$dst_arg;;
+    esac
   done
 fi
 
@@ -200,7 +208,11 @@ if test $# -eq 0; then
 fi
 
 if test -z "$dir_arg"; then
-  trap '(exit $?); exit' 1 2 13 15
+  do_exit='(exit $ret); exit $ret'
+  trap "ret=129; $do_exit" 1
+  trap "ret=130; $do_exit" 2
+  trap "ret=141; $do_exit" 13
+  trap "ret=143; $do_exit" 15
 
   # Set umask so as not to create temps with too-generous modes.
   # However, 'strip' requires both read and write access to temps.
@@ -228,9 +240,9 @@ fi
 
 for src
 do
-  # Protect names starting with `-'.
+  # Protect names problematic for `test' and other utilities.
   case $src in
-    -*) src=./$src;;
+    -* | [=\(\)!]) src=./$src;;
   esac
 
   if test -n "$dir_arg"; then
@@ -252,12 +264,7 @@ do
       echo "$0: no destination specified." >&2
       exit 1
     fi
-
     dst=$dst_arg
-    # Protect names starting with `-'.
-    case $dst in
-      -*) dst=./$dst;;
-    esac
 
     # If destination is a directory, append the input filename; won't work
     # if double slashes aren't ignored.
@@ -385,7 +392,7 @@ do
 
       case $dstdir in
 	/*) prefix='/';;
-	-*) prefix='./';;
+	[-=\(\)!]*) prefix='./';;
 	*)  prefix='';;
       esac
 
@@ -403,7 +410,7 @@ do
 
       for d
       do
-	test -z "$d" && continue
+	test X"$d" = X && continue
 
 	prefix=$prefix$d
 	if test -d "$prefix"; then
diff --git a/ltmain.sh b/ltmain.sh
old mode 100755
new mode 100644
index 7ed280bc9..c2852d856
--- a/ltmain.sh
+++ b/ltmain.sh
@@ -1,9 +1,9 @@
-# Generated from ltmain.m4sh.
 
-# ltmain.sh (GNU libtool) 2.2.6b
+# libtool (GNU libtool) 2.4.2
 # Written by Gordon Matzigkeit <gord@gnu.ai.mit.edu>, 1996
 
-# Copyright (C) 1996, 1997, 1998, 1999, 2000, 2001, 2003, 2004, 2005, 2006, 2007 2008 Free Software Foundation, Inc.
+# Copyright (C) 1996, 1997, 1998, 1999, 2000, 2001, 2003, 2004, 2005, 2006,
+# 2007, 2008, 2009, 2010, 2011 Free Software Foundation, Inc.
 # This is free software; see the source for copying conditions.  There is NO
 # warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
 
@@ -32,50 +32,57 @@
 #
 # Provide generalized library-building support services.
 #
-#     --config             show all configuration variables
-#     --debug              enable verbose shell tracing
-# -n, --dry-run            display commands without modifying any files
-#     --features           display basic configuration information and exit
-#     --mode=MODE          use operation mode MODE
-#     --preserve-dup-deps  don't remove duplicate dependency libraries
-#     --quiet, --silent    don't print informational messages
-#     --tag=TAG            use configuration variables from tag TAG
-# -v, --verbose            print informational messages (default)
-#     --version            print version information
-# -h, --help               print short or long help message
+#       --config             show all configuration variables
+#       --debug              enable verbose shell tracing
+#   -n, --dry-run            display commands without modifying any files
+#       --features           display basic configuration information and exit
+#       --mode=MODE          use operation mode MODE
+#       --preserve-dup-deps  don't remove duplicate dependency libraries
+#       --quiet, --silent    don't print informational messages
+#       --no-quiet, --no-silent
+#                            print informational messages (default)
+#       --no-warn            don't display warning messages
+#       --tag=TAG            use configuration variables from tag TAG
+#   -v, --verbose            print more informational messages than default
+#       --no-verbose         don't print the extra informational messages
+#       --version            print version information
+#   -h, --help, --help-all   print short, long, or detailed help message
 #
 # MODE must be one of the following:
 #
-#       clean              remove files from the build directory
-#       compile            compile a source file into a libtool object
-#       execute            automatically set library path, then run a program
-#       finish             complete the installation of libtool libraries
-#       install            install libraries or executables
-#       link               create a library or an executable
-#       uninstall          remove libraries from an installed directory
+#         clean              remove files from the build directory
+#         compile            compile a source file into a libtool object
+#         execute            automatically set library path, then run a program
+#         finish             complete the installation of libtool libraries
+#         install            install libraries or executables
+#         link               create a library or an executable
+#         uninstall          remove libraries from an installed directory
 #
-# MODE-ARGS vary depending on the MODE.
+# MODE-ARGS vary depending on the MODE.  When passed as first option,
+# `--mode=MODE' may be abbreviated as `MODE' or a unique abbreviation of that.
 # Try `$progname --help --mode=MODE' for a more detailed description of MODE.
 #
 # When reporting a bug, please describe a test case to reproduce it and
 # include the following information:
 #
-#       host-triplet:	$host
-#       shell:		$SHELL
-#       compiler:		$LTCC
-#       compiler flags:		$LTCFLAGS
-#       linker:		$LD (gnu? $with_gnu_ld)
-#       $progname:		(GNU libtool) 2.2.6b Debian-2.2.6b-2ubuntu1
-#       automake:		$automake_version
-#       autoconf:		$autoconf_version
+#         host-triplet:	$host
+#         shell:		$SHELL
+#         compiler:		$LTCC
+#         compiler flags:		$LTCFLAGS
+#         linker:		$LD (gnu? $with_gnu_ld)
+#         $progname:	(GNU libtool) 2.4.2 Debian-2.4.2-1ubuntu1
+#         automake:	$automake_version
+#         autoconf:	$autoconf_version
 #
 # Report bugs to <bug-libtool@gnu.org>.
+# GNU libtool home page: <http://www.gnu.org/software/libtool/>.
+# General help using GNU software: <http://www.gnu.org/gethelp/>.
 
-PROGRAM=ltmain.sh
+PROGRAM=libtool
 PACKAGE=libtool
-VERSION="2.2.6b Debian-2.2.6b-2ubuntu1"
+VERSION="2.4.2 Debian-2.4.2-1ubuntu1"
 TIMESTAMP=""
-package_revision=1.3017
+package_revision=1.3337
 
 # Be Bourne compatible
 if test -n "${ZSH_VERSION+set}" && (emulate sh) >/dev/null 2>&1; then
@@ -91,10 +98,15 @@ fi
 BIN_SH=xpg4; export BIN_SH # for Tru64
 DUALCASE=1; export DUALCASE # for MKS sh
 
+# A function that is used when there is no print builtin or printf.
+func_fallback_echo ()
+{
+  eval 'cat <<_LTECHO_EOF
+$1
+_LTECHO_EOF'
+}
+
 # NLS nuisances: We save the old values to restore during execute mode.
-# Only set LANG and LC_ALL to C if already set.
-# These must not be set unconditionally because not all systems understand
-# e.g. LANG=C (notably SCO).
 lt_user_locale=
 lt_safe_locale=
 for lt_var in LANG LANGUAGE LC_ALL LC_CTYPE LC_COLLATE LC_MESSAGES
@@ -107,24 +119,28 @@ do
 	  lt_safe_locale=\"$lt_var=C; \$lt_safe_locale\"
 	fi"
 done
+LC_ALL=C
+LANGUAGE=C
+export LANGUAGE LC_ALL
 
 $lt_unset CDPATH
 
 
+# Work around backward compatibility issue on IRIX 6.5. On IRIX 6.4+, sh
+# is ksh but when the shell is invoked as "sh" and the current value of
+# the _XPG environment variable is not equal to 1 (one), the special
+# positional parameter $0, within a function call, is the name of the
+# function.
+progpath="$0"
 
 
 
 : ${CP="cp -f"}
-: ${ECHO="echo"}
-: ${EGREP="/bin/grep -E"}
-: ${FGREP="/bin/grep -F"}
-: ${GREP="/bin/grep"}
-: ${LN_S="ln -s"}
+test "${ECHO+set}" = set || ECHO=${as_echo-'printf %s\n'}
 : ${MAKE="make"}
 : ${MKDIR="mkdir"}
 : ${MV="mv -f"}
 : ${RM="rm -f"}
-: ${SED="/bin/sed"}
 : ${SHELL="${CONFIG_SHELL-/bin/sh}"}
 : ${Xsed="$SED -e 1s/^X//"}
 
@@ -144,6 +160,27 @@ IFS=" 	$lt_nl"
 dirname="s,/[^/]*$,,"
 basename="s,^.*/,,"
 
+# func_dirname file append nondir_replacement
+# Compute the dirname of FILE.  If nonempty, add APPEND to the result,
+# otherwise set result to NONDIR_REPLACEMENT.
+func_dirname ()
+{
+    func_dirname_result=`$ECHO "${1}" | $SED "$dirname"`
+    if test "X$func_dirname_result" = "X${1}"; then
+      func_dirname_result="${3}"
+    else
+      func_dirname_result="$func_dirname_result${2}"
+    fi
+} # func_dirname may be replaced by extended shell implementation
+
+
+# func_basename file
+func_basename ()
+{
+    func_basename_result=`$ECHO "${1}" | $SED "$basename"`
+} # func_basename may be replaced by extended shell implementation
+
+
 # func_dirname_and_basename file append nondir_replacement
 # perform func_basename and func_dirname in a single function
 # call:
@@ -158,33 +195,183 @@ basename="s,^.*/,,"
 # those functions but instead duplicate the functionality here.
 func_dirname_and_basename ()
 {
-  # Extract subdirectory from the argument.
-  func_dirname_result=`$ECHO "X${1}" | $Xsed -e "$dirname"`
-  if test "X$func_dirname_result" = "X${1}"; then
-    func_dirname_result="${3}"
-  else
-    func_dirname_result="$func_dirname_result${2}"
-  fi
-  func_basename_result=`$ECHO "X${1}" | $Xsed -e "$basename"`
+    # Extract subdirectory from the argument.
+    func_dirname_result=`$ECHO "${1}" | $SED -e "$dirname"`
+    if test "X$func_dirname_result" = "X${1}"; then
+      func_dirname_result="${3}"
+    else
+      func_dirname_result="$func_dirname_result${2}"
+    fi
+    func_basename_result=`$ECHO "${1}" | $SED -e "$basename"`
+} # func_dirname_and_basename may be replaced by extended shell implementation
+
+
+# func_stripname prefix suffix name
+# strip PREFIX and SUFFIX off of NAME.
+# PREFIX and SUFFIX must not contain globbing or regex special
+# characters, hashes, percent signs, but SUFFIX may contain a leading
+# dot (in which case that matches only a dot).
+# func_strip_suffix prefix name
+func_stripname ()
+{
+    case ${2} in
+      .*) func_stripname_result=`$ECHO "${3}" | $SED "s%^${1}%%; s%\\\\${2}\$%%"`;;
+      *)  func_stripname_result=`$ECHO "${3}" | $SED "s%^${1}%%; s%${2}\$%%"`;;
+    esac
+} # func_stripname may be replaced by extended shell implementation
+
+
+# These SED scripts presuppose an absolute path with a trailing slash.
+pathcar='s,^/\([^/]*\).*$,\1,'
+pathcdr='s,^/[^/]*,,'
+removedotparts=':dotsl
+		s@/\./@/@g
+		t dotsl
+		s,/\.$,/,'
+collapseslashes='s@/\{1,\}@/@g'
+finalslash='s,/*$,/,'
+
+# func_normal_abspath PATH
+# Remove doubled-up and trailing slashes, "." path components,
+# and cancel out any ".." path components in PATH after making
+# it an absolute path.
+#             value returned in "$func_normal_abspath_result"
+func_normal_abspath ()
+{
+  # Start from root dir and reassemble the path.
+  func_normal_abspath_result=
+  func_normal_abspath_tpath=$1
+  func_normal_abspath_altnamespace=
+  case $func_normal_abspath_tpath in
+    "")
+      # Empty path, that just means $cwd.
+      func_stripname '' '/' "`pwd`"
+      func_normal_abspath_result=$func_stripname_result
+      return
+    ;;
+    # The next three entries are used to spot a run of precisely
+    # two leading slashes without using negated character classes;
+    # we take advantage of case's first-match behaviour.
+    ///*)
+      # Unusual form of absolute path, do nothing.
+    ;;
+    //*)
+      # Not necessarily an ordinary path; POSIX reserves leading '//'
+      # and for example Cygwin uses it to access remote file shares
+      # over CIFS/SMB, so we conserve a leading double slash if found.
+      func_normal_abspath_altnamespace=/
+    ;;
+    /*)
+      # Absolute path, do nothing.
+    ;;
+    *)
+      # Relative path, prepend $cwd.
+      func_normal_abspath_tpath=`pwd`/$func_normal_abspath_tpath
+    ;;
+  esac
+  # Cancel out all the simple stuff to save iterations.  We also want
+  # the path to end with a slash for ease of parsing, so make sure
+  # there is one (and only one) here.
+  func_normal_abspath_tpath=`$ECHO "$func_normal_abspath_tpath" | $SED \
+        -e "$removedotparts" -e "$collapseslashes" -e "$finalslash"`
+  while :; do
+    # Processed it all yet?
+    if test "$func_normal_abspath_tpath" = / ; then
+      # If we ascended to the root using ".." the result may be empty now.
+      if test -z "$func_normal_abspath_result" ; then
+        func_normal_abspath_result=/
+      fi
+      break
+    fi
+    func_normal_abspath_tcomponent=`$ECHO "$func_normal_abspath_tpath" | $SED \
+        -e "$pathcar"`
+    func_normal_abspath_tpath=`$ECHO "$func_normal_abspath_tpath" | $SED \
+        -e "$pathcdr"`
+    # Figure out what to do with it
+    case $func_normal_abspath_tcomponent in
+      "")
+        # Trailing empty path component, ignore it.
+      ;;
+      ..)
+        # Parent dir; strip last assembled component from result.
+        func_dirname "$func_normal_abspath_result"
+        func_normal_abspath_result=$func_dirname_result
+      ;;
+      *)
+        # Actual path component, append it.
+        func_normal_abspath_result=$func_normal_abspath_result/$func_normal_abspath_tcomponent
+      ;;
+    esac
+  done
+  # Restore leading double-slash if one was found on entry.
+  func_normal_abspath_result=$func_normal_abspath_altnamespace$func_normal_abspath_result
 }
 
-# Generated shell functions inserted here.
+# func_relative_path SRCDIR DSTDIR
+# generates a relative path from SRCDIR to DSTDIR, with a trailing
+# slash if non-empty, suitable for immediately appending a filename
+# without needing to append a separator.
+#             value returned in "$func_relative_path_result"
+func_relative_path ()
+{
+  func_relative_path_result=
+  func_normal_abspath "$1"
+  func_relative_path_tlibdir=$func_normal_abspath_result
+  func_normal_abspath "$2"
+  func_relative_path_tbindir=$func_normal_abspath_result
+
+  # Ascend the tree starting from libdir
+  while :; do
+    # check if we have found a prefix of bindir
+    case $func_relative_path_tbindir in
+      $func_relative_path_tlibdir)
+        # found an exact match
+        func_relative_path_tcancelled=
+        break
+        ;;
+      $func_relative_path_tlibdir*)
+        # found a matching prefix
+        func_stripname "$func_relative_path_tlibdir" '' "$func_relative_path_tbindir"
+        func_relative_path_tcancelled=$func_stripname_result
+        if test -z "$func_relative_path_result"; then
+          func_relative_path_result=.
+        fi
+        break
+        ;;
+      *)
+        func_dirname $func_relative_path_tlibdir
+        func_relative_path_tlibdir=${func_dirname_result}
+        if test "x$func_relative_path_tlibdir" = x ; then
+          # Have to descend all the way to the root!
+          func_relative_path_result=../$func_relative_path_result
+          func_relative_path_tcancelled=$func_relative_path_tbindir
+          break
+        fi
+        func_relative_path_result=../$func_relative_path_result
+        ;;
+    esac
+  done
 
-# Work around backward compatibility issue on IRIX 6.5. On IRIX 6.4+, sh
-# is ksh but when the shell is invoked as "sh" and the current value of
-# the _XPG environment variable is not equal to 1 (one), the special
-# positional parameter $0, within a function call, is the name of the
-# function.
-progpath="$0"
+  # Now calculate path; take care to avoid doubling-up slashes.
+  func_stripname '' '/' "$func_relative_path_result"
+  func_relative_path_result=$func_stripname_result
+  func_stripname '/' '/' "$func_relative_path_tcancelled"
+  if test "x$func_stripname_result" != x ; then
+    func_relative_path_result=${func_relative_path_result}/${func_stripname_result}
+  fi
+
+  # Normalisation. If bindir is libdir, return empty string,
+  # else relative path ending with a slash; either way, target
+  # file name can be directly appended.
+  if test ! -z "$func_relative_path_result"; then
+    func_stripname './' '' "$func_relative_path_result/"
+    func_relative_path_result=$func_stripname_result
+  fi
+}
 
 # The name of this program:
-# In the unlikely event $progname began with a '-', it would play havoc with
-# func_echo (imagine progname=-n), so we prepend ./ in that case:
 func_dirname_and_basename "$progpath"
 progname=$func_basename_result
-case $progname in
-  -*) progname=./$progname ;;
-esac
 
 # Make sure we have an absolute path for reexecution:
 case $progpath in
@@ -196,7 +383,7 @@ case $progpath in
      ;;
   *)
      save_IFS="$IFS"
-     IFS=:
+     IFS=${PATH_SEPARATOR-:}
      for progdir in $PATH; do
        IFS="$save_IFS"
        test -x "$progdir/$progname" && break
@@ -215,6 +402,15 @@ sed_quote_subst='s/\([`"$\\]\)/\\\1/g'
 # Same as above, but do not quote variable references.
 double_quote_subst='s/\(["`\\]\)/\\\1/g'
 
+# Sed substitution that turns a string into a regex matching for the
+# string literally.
+sed_make_literal_regex='s,[].[^$\\*\/],\\&,g'
+
+# Sed substitution that converts a w32 file name or path
+# which contains forward slashes, into one that contains
+# (escaped) backslashes.  A very naive implementation.
+lt_sed_naive_backslashify='s|\\\\*|\\|g;s|/|\\|g;s|\\|\\\\|g'
+
 # Re-`\' parameter expansions in output of double_quote_subst that were
 # `\'-ed in input to the same.  If an odd number of `\' preceded a '$'
 # in input to double_quote_subst, that '$' was protected from expansion.
@@ -243,7 +439,7 @@ opt_warning=:
 # name if it has been set yet.
 func_echo ()
 {
-    $ECHO "$progname${mode+: }$mode: $*"
+    $ECHO "$progname: ${opt_mode+$opt_mode: }$*"
 }
 
 # func_verbose arg...
@@ -258,18 +454,25 @@ func_verbose ()
     :
 }
 
+# func_echo_all arg...
+# Invoke $ECHO with all args, space-separated.
+func_echo_all ()
+{
+    $ECHO "$*"
+}
+
 # func_error arg...
 # Echo program name prefixed message to standard error.
 func_error ()
 {
-    $ECHO "$progname${mode+: }$mode: "${1+"$@"} 1>&2
+    $ECHO "$progname: ${opt_mode+$opt_mode: }"${1+"$@"} 1>&2
 }
 
 # func_warning arg...
 # Echo program name prefixed warning message to standard error.
 func_warning ()
 {
-    $opt_warning && $ECHO "$progname${mode+: }$mode: warning: "${1+"$@"} 1>&2
+    $opt_warning && $ECHO "$progname: ${opt_mode+$opt_mode: }warning: "${1+"$@"} 1>&2
 
     # bash bug again:
     :
@@ -326,9 +529,9 @@ func_mkdir_p ()
         case $my_directory_path in */*) ;; *) break ;; esac
 
         # ...otherwise throw away the child directory and loop
-        my_directory_path=`$ECHO "X$my_directory_path" | $Xsed -e "$dirname"`
+        my_directory_path=`$ECHO "$my_directory_path" | $SED -e "$dirname"`
       done
-      my_dir_list=`$ECHO "X$my_dir_list" | $Xsed -e 's,:*$,,'`
+      my_dir_list=`$ECHO "$my_dir_list" | $SED 's,:*$,,'`
 
       save_mkdir_p_IFS="$IFS"; IFS=':'
       for my_dir in $my_dir_list; do
@@ -378,7 +581,7 @@ func_mktempdir ()
         func_fatal_error "cannot create temporary directory \`$my_tmpdir'"
     fi
 
-    $ECHO "X$my_tmpdir" | $Xsed
+    $ECHO "$my_tmpdir"
 }
 
 
@@ -392,7 +595,7 @@ func_quote_for_eval ()
 {
     case $1 in
       *[\\\`\"\$]*)
-	func_quote_for_eval_unquoted_result=`$ECHO "X$1" | $Xsed -e "$sed_quote_subst"` ;;
+	func_quote_for_eval_unquoted_result=`$ECHO "$1" | $SED "$sed_quote_subst"` ;;
       *)
         func_quote_for_eval_unquoted_result="$1" ;;
     esac
@@ -419,7 +622,7 @@ func_quote_for_expand ()
 {
     case $1 in
       *[\\\`\"]*)
-	my_arg=`$ECHO "X$1" | $Xsed \
+	my_arg=`$ECHO "$1" | $SED \
 	    -e "$double_quote_subst" -e "$sed_double_backslash"` ;;
       *)
         my_arg="$1" ;;
@@ -488,15 +691,39 @@ func_show_eval_locale ()
     fi
 }
 
-
-
+# func_tr_sh
+# Turn $1 into a string suitable for a shell variable name.
+# Result is stored in $func_tr_sh_result.  All characters
+# not in the set a-zA-Z0-9_ are replaced with '_'. Further,
+# if $1 begins with a digit, a '_' is prepended as well.
+func_tr_sh ()
+{
+  case $1 in
+  [0-9]* | *[!a-zA-Z0-9_]*)
+    func_tr_sh_result=`$ECHO "$1" | $SED 's/^\([0-9]\)/_\1/; s/[^a-zA-Z0-9_]/_/g'`
+    ;;
+  * )
+    func_tr_sh_result=$1
+    ;;
+  esac
+}
 
 
 # func_version
 # Echo version message to standard output and exit.
 func_version ()
 {
-    $SED -n '/^# '$PROGRAM' (GNU /,/# warranty; / {
+    $opt_debug
+
+    $SED -n '/(C)/!b go
+	:more
+	/\./!{
+	  N
+	  s/\n# / /
+	  b more
+	}
+	:go
+	/^# '$PROGRAM' (GNU /,/# warranty; / {
         s/^# //
 	s/^# *$//
         s/\((C)\)[ 0-9,-]*\( [1-9][0-9]*\)/\1\2/
@@ -509,22 +736,28 @@ func_version ()
 # Echo short help message to standard output and exit.
 func_usage ()
 {
-    $SED -n '/^# Usage:/,/# -h/ {
+    $opt_debug
+
+    $SED -n '/^# Usage:/,/^#  *.*--help/ {
         s/^# //
 	s/^# *$//
 	s/\$progname/'$progname'/
 	p
     }' < "$progpath"
-    $ECHO
+    echo
     $ECHO "run \`$progname --help | more' for full usage"
     exit $?
 }
 
-# func_help
-# Echo long help message to standard output and exit.
+# func_help [NOEXIT]
+# Echo long help message to standard output and exit,
+# unless 'noexit' is passed as argument.
 func_help ()
 {
+    $opt_debug
+
     $SED -n '/^# Usage:/,/# Report bugs to/ {
+	:print
         s/^# //
 	s/^# *$//
 	s*\$progname*'$progname'*
@@ -534,11 +767,18 @@ func_help ()
 	s*\$LTCFLAGS*'"$LTCFLAGS"'*
 	s*\$LD*'"$LD"'*
 	s/\$with_gnu_ld/'"$with_gnu_ld"'/
-	s/\$automake_version/'"`(automake --version) 2>/dev/null |$SED 1q`"'/
-	s/\$autoconf_version/'"`(autoconf --version) 2>/dev/null |$SED 1q`"'/
+	s/\$automake_version/'"`(${AUTOMAKE-automake} --version) 2>/dev/null |$SED 1q`"'/
+	s/\$autoconf_version/'"`(${AUTOCONF-autoconf} --version) 2>/dev/null |$SED 1q`"'/
 	p
-     }' < "$progpath"
-    exit $?
+	d
+     }
+     /^# .* home page:/b print
+     /^# General help using/b print
+     ' < "$progpath"
+    ret=$?
+    if test -z "$1"; then
+      exit $ret
+    fi
 }
 
 # func_missing_arg argname
@@ -546,63 +786,106 @@ func_help ()
 # exit_cmd.
 func_missing_arg ()
 {
-    func_error "missing argument for $1"
+    $opt_debug
+
+    func_error "missing argument for $1."
     exit_cmd=exit
 }
 
-exit_cmd=:
 
+# func_split_short_opt shortopt
+# Set func_split_short_opt_name and func_split_short_opt_arg shell
+# variables after splitting SHORTOPT after the 2nd character.
+func_split_short_opt ()
+{
+    my_sed_short_opt='1s/^\(..\).*$/\1/;q'
+    my_sed_short_rest='1s/^..\(.*\)$/\1/;q'
 
+    func_split_short_opt_name=`$ECHO "$1" | $SED "$my_sed_short_opt"`
+    func_split_short_opt_arg=`$ECHO "$1" | $SED "$my_sed_short_rest"`
+} # func_split_short_opt may be replaced by extended shell implementation
+
+
+# func_split_long_opt longopt
+# Set func_split_long_opt_name and func_split_long_opt_arg shell
+# variables after splitting LONGOPT at the `=' sign.
+func_split_long_opt ()
+{
+    my_sed_long_opt='1s/^\(--[^=]*\)=.*/\1/;q'
+    my_sed_long_arg='1s/^--[^=]*=//'
+
+    func_split_long_opt_name=`$ECHO "$1" | $SED "$my_sed_long_opt"`
+    func_split_long_opt_arg=`$ECHO "$1" | $SED "$my_sed_long_arg"`
+} # func_split_long_opt may be replaced by extended shell implementation
+
+exit_cmd=:
 
 
 
-# Check that we have a working $ECHO.
-if test "X$1" = X--no-reexec; then
-  # Discard the --no-reexec flag, and continue.
-  shift
-elif test "X$1" = X--fallback-echo; then
-  # Avoid inline document here, it may be left over
-  :
-elif test "X`{ $ECHO '\t'; } 2>/dev/null`" = 'X\t'; then
-  # Yippee, $ECHO works!
-  :
-else
-  # Restart under the correct shell, and then maybe $ECHO will work.
-  exec $SHELL "$progpath" --no-reexec ${1+"$@"}
-fi
 
-if test "X$1" = X--fallback-echo; then
-  # used as fallback echo
-  shift
-  cat <<EOF
-$*
-EOF
-  exit $EXIT_SUCCESS
-fi
 
 magic="%%%MAGIC variable%%%"
 magic_exe="%%%MAGIC EXE variable%%%"
 
 # Global variables.
-# $mode is unset
 nonopt=
-execute_dlfiles=
 preserve_args=
 lo2o="s/\\.lo\$/.${objext}/"
 o2lo="s/\\.${objext}\$/.lo/"
 extracted_archives=
 extracted_serial=0
 
-opt_dry_run=false
-opt_duplicate_deps=false
-opt_silent=false
-opt_debug=:
-
 # If this variable is set in any of the actions, the command in it
 # will be execed at the end.  This prevents here-documents from being
 # left over by shells.
 exec_cmd=
 
+# func_append var value
+# Append VALUE to the end of shell variable VAR.
+func_append ()
+{
+    eval "${1}=\$${1}\${2}"
+} # func_append may be replaced by extended shell implementation
+
+# func_append_quoted var value
+# Quote VALUE and append to the end of shell variable VAR, separated
+# by a space.
+func_append_quoted ()
+{
+    func_quote_for_eval "${2}"
+    eval "${1}=\$${1}\\ \$func_quote_for_eval_result"
+} # func_append_quoted may be replaced by extended shell implementation
+
+
+# func_arith arithmetic-term...
+func_arith ()
+{
+    func_arith_result=`expr "${@}"`
+} # func_arith may be replaced by extended shell implementation
+
+
+# func_len string
+# STRING may not start with a hyphen.
+func_len ()
+{
+    func_len_result=`expr "${1}" : ".*" 2>/dev/null || echo $max_cmd_len`
+} # func_len may be replaced by extended shell implementation
+
+
+# func_lo2o object
+func_lo2o ()
+{
+    func_lo2o_result=`$ECHO "${1}" | $SED "$lo2o"`
+} # func_lo2o may be replaced by extended shell implementation
+
+
+# func_xform libobj-or-source
+func_xform ()
+{
+    func_xform_result=`$ECHO "${1}" | $SED 's/\.[^.]*$/.lo/'`
+} # func_xform may be replaced by extended shell implementation
+
+
 # func_fatal_configuration arg...
 # Echo program name prefixed message to standard error, followed by
 # a configuration failure hint, and exit.
@@ -636,16 +919,16 @@ func_config ()
 # Display the features supported by this script.
 func_features ()
 {
-    $ECHO "host: $host"
+    echo "host: $host"
     if test "$build_libtool_libs" = yes; then
-      $ECHO "enable shared libraries"
+      echo "enable shared libraries"
     else
-      $ECHO "disable shared libraries"
+      echo "disable shared libraries"
     fi
     if test "$build_old_libs" = yes; then
-      $ECHO "enable static libraries"
+      echo "enable static libraries"
     else
-      $ECHO "disable static libraries"
+      echo "disable static libraries"
     fi
 
     exit $?
@@ -692,117 +975,209 @@ func_enable_tag ()
   esac
 }
 
-# Parse options once, thoroughly.  This comes as soon as possible in
-# the script to make things like `libtool --version' happen quickly.
+# func_check_version_match
+# Ensure that we are using m4 macros, and libtool script from the same
+# release of libtool.
+func_check_version_match ()
 {
+  if test "$package_revision" != "$macro_revision"; then
+    if test "$VERSION" != "$macro_version"; then
+      if test -z "$macro_version"; then
+        cat >&2 <<_LT_EOF
+$progname: Version mismatch error.  This is $PACKAGE $VERSION, but the
+$progname: definition of this LT_INIT comes from an older release.
+$progname: You should recreate aclocal.m4 with macros from $PACKAGE $VERSION
+$progname: and run autoconf again.
+_LT_EOF
+      else
+        cat >&2 <<_LT_EOF
+$progname: Version mismatch error.  This is $PACKAGE $VERSION, but the
+$progname: definition of this LT_INIT comes from $PACKAGE $macro_version.
+$progname: You should recreate aclocal.m4 with macros from $PACKAGE $VERSION
+$progname: and run autoconf again.
+_LT_EOF
+      fi
+    else
+      cat >&2 <<_LT_EOF
+$progname: Version mismatch error.  This is $PACKAGE $VERSION, revision $package_revision,
+$progname: but the definition of this LT_INIT comes from revision $macro_revision.
+$progname: You should recreate aclocal.m4 with macros from revision $package_revision
+$progname: of $PACKAGE $VERSION and run autoconf again.
+_LT_EOF
+    fi
+
+    exit $EXIT_MISMATCH
+  fi
+}
+
+
+# Shorthand for --mode=foo, only valid as the first argument
+case $1 in
+clean|clea|cle|cl)
+  shift; set dummy --mode clean ${1+"$@"}; shift
+  ;;
+compile|compil|compi|comp|com|co|c)
+  shift; set dummy --mode compile ${1+"$@"}; shift
+  ;;
+execute|execut|execu|exec|exe|ex|e)
+  shift; set dummy --mode execute ${1+"$@"}; shift
+  ;;
+finish|finis|fini|fin|fi|f)
+  shift; set dummy --mode finish ${1+"$@"}; shift
+  ;;
+install|instal|insta|inst|ins|in|i)
+  shift; set dummy --mode install ${1+"$@"}; shift
+  ;;
+link|lin|li|l)
+  shift; set dummy --mode link ${1+"$@"}; shift
+  ;;
+uninstall|uninstal|uninsta|uninst|unins|unin|uni|un|u)
+  shift; set dummy --mode uninstall ${1+"$@"}; shift
+  ;;
+esac
+
+
+
+# Option defaults:
+opt_debug=:
+opt_dry_run=false
+opt_config=false
+opt_preserve_dup_deps=false
+opt_features=false
+opt_finish=false
+opt_help=false
+opt_help_all=false
+opt_silent=:
+opt_warning=:
+opt_verbose=:
+opt_silent=false
+opt_verbose=false
 
-  # Shorthand for --mode=foo, only valid as the first argument
-  case $1 in
-  clean|clea|cle|cl)
-    shift; set dummy --mode clean ${1+"$@"}; shift
-    ;;
-  compile|compil|compi|comp|com|co|c)
-    shift; set dummy --mode compile ${1+"$@"}; shift
-    ;;
-  execute|execut|execu|exec|exe|ex|e)
-    shift; set dummy --mode execute ${1+"$@"}; shift
-    ;;
-  finish|finis|fini|fin|fi|f)
-    shift; set dummy --mode finish ${1+"$@"}; shift
-    ;;
-  install|instal|insta|inst|ins|in|i)
-    shift; set dummy --mode install ${1+"$@"}; shift
-    ;;
-  link|lin|li|l)
-    shift; set dummy --mode link ${1+"$@"}; shift
-    ;;
-  uninstall|uninstal|uninsta|uninst|unins|unin|uni|un|u)
-    shift; set dummy --mode uninstall ${1+"$@"}; shift
-    ;;
-  esac
 
-  # Parse non-mode specific arguments:
-  while test "$#" -gt 0; do
+# Parse options once, thoroughly.  This comes as soon as possible in the
+# script to make things like `--version' happen as quickly as we can.
+{
+  # this just eases exit handling
+  while test $# -gt 0; do
     opt="$1"
     shift
-
     case $opt in
-      --config)		func_config					;;
-
-      --debug)		preserve_args="$preserve_args $opt"
+      --debug|-x)	opt_debug='set -x'
 			func_echo "enabling shell trace mode"
-			opt_debug='set -x'
 			$opt_debug
 			;;
-
-      -dlopen)		test "$#" -eq 0 && func_missing_arg "$opt" && break
-			execute_dlfiles="$execute_dlfiles $1"
-			shift
+      --dry-run|--dryrun|-n)
+			opt_dry_run=:
 			;;
-
-      --dry-run | -n)	opt_dry_run=:					;;
-      --features)       func_features					;;
-      --finish)		mode="finish"					;;
-
-      --mode)		test "$#" -eq 0 && func_missing_arg "$opt" && break
-			case $1 in
-			  # Valid mode arguments:
-			  clean)	;;
-			  compile)	;;
-			  execute)	;;
-			  finish)	;;
-			  install)	;;
-			  link)		;;
-			  relink)	;;
-			  uninstall)	;;
-
-			  # Catch anything else as an error
-			  *) func_error "invalid argument for $opt"
-			     exit_cmd=exit
-			     break
-			     ;;
-		        esac
-
-			mode="$1"
+      --config)
+			opt_config=:
+func_config
+			;;
+      --dlopen|-dlopen)
+			optarg="$1"
+			opt_dlopen="${opt_dlopen+$opt_dlopen
+}$optarg"
 			shift
 			;;
-
       --preserve-dup-deps)
-			opt_duplicate_deps=:				;;
-
-      --quiet|--silent)	preserve_args="$preserve_args $opt"
-			opt_silent=:
+			opt_preserve_dup_deps=:
 			;;
-
-      --verbose| -v)	preserve_args="$preserve_args $opt"
+      --features)
+			opt_features=:
+func_features
+			;;
+      --finish)
+			opt_finish=:
+set dummy --mode finish ${1+"$@"}; shift
+			;;
+      --help)
+			opt_help=:
+			;;
+      --help-all)
+			opt_help_all=:
+opt_help=': help-all'
+			;;
+      --mode)
+			test $# = 0 && func_missing_arg $opt && break
+			optarg="$1"
+			opt_mode="$optarg"
+case $optarg in
+  # Valid mode arguments:
+  clean|compile|execute|finish|install|link|relink|uninstall) ;;
+
+  # Catch anything else as an error
+  *) func_error "invalid argument for $opt"
+     exit_cmd=exit
+     break
+     ;;
+esac
+			shift
+			;;
+      --no-silent|--no-quiet)
 			opt_silent=false
+func_append preserve_args " $opt"
 			;;
-
-      --tag)		test "$#" -eq 0 && func_missing_arg "$opt" && break
-			preserve_args="$preserve_args $opt $1"
-			func_enable_tag "$1"	# tagname is set here
+      --no-warning|--no-warn)
+			opt_warning=false
+func_append preserve_args " $opt"
+			;;
+      --no-verbose)
+			opt_verbose=false
+func_append preserve_args " $opt"
+			;;
+      --silent|--quiet)
+			opt_silent=:
+func_append preserve_args " $opt"
+        opt_verbose=false
+			;;
+      --verbose|-v)
+			opt_verbose=:
+func_append preserve_args " $opt"
+opt_silent=false
+			;;
+      --tag)
+			test $# = 0 && func_missing_arg $opt && break
+			optarg="$1"
+			opt_tag="$optarg"
+func_append preserve_args " $opt $optarg"
+func_enable_tag "$optarg"
 			shift
 			;;
 
+      -\?|-h)		func_usage				;;
+      --help)		func_help				;;
+      --version)	func_version				;;
+
       # Separate optargs to long options:
-      -dlopen=*|--mode=*|--tag=*)
-			func_opt_split "$opt"
-			set dummy "$func_opt_split_opt" "$func_opt_split_arg" ${1+"$@"}
+      --*=*)
+			func_split_long_opt "$opt"
+			set dummy "$func_split_long_opt_name" "$func_split_long_opt_arg" ${1+"$@"}
 			shift
 			;;
 
-      -\?|-h)		func_usage					;;
-      --help)		opt_help=:					;;
-      --version)	func_version					;;
-
-      -*)		func_fatal_help "unrecognized option \`$opt'"	;;
-
-      *)		nonopt="$opt"
-			break
+      # Separate non-argument short options:
+      -\?*|-h*|-n*|-v*)
+			func_split_short_opt "$opt"
+			set dummy "$func_split_short_opt_name" "-$func_split_short_opt_arg" ${1+"$@"}
+			shift
 			;;
+
+      --)		break					;;
+      -*)		func_fatal_help "unrecognized option \`$opt'" ;;
+      *)		set dummy "$opt" ${1+"$@"};	shift; break  ;;
     esac
   done
 
+  # Validate options:
+
+  # save first non-option argument
+  if test "$#" -gt 0; then
+    nonopt="$opt"
+    shift
+  fi
+
+  # preserve --debug
+  test "$opt_debug" = : || func_append preserve_args " --debug"
 
   case $host in
     *cygwin* | *mingw* | *pw32* | *cegcc*)
@@ -810,82 +1185,44 @@ func_enable_tag ()
       opt_duplicate_compiler_generated_deps=:
       ;;
     *)
-      opt_duplicate_compiler_generated_deps=$opt_duplicate_deps
+      opt_duplicate_compiler_generated_deps=$opt_preserve_dup_deps
       ;;
   esac
 
-  # Having warned about all mis-specified options, bail out if
-  # anything was wrong.
-  $exit_cmd $EXIT_FAILURE
-}
+  $opt_help || {
+    # Sanity checks first:
+    func_check_version_match
 
-# func_check_version_match
-# Ensure that we are using m4 macros, and libtool script from the same
-# release of libtool.
-func_check_version_match ()
-{
-  if test "$package_revision" != "$macro_revision"; then
-    if test "$VERSION" != "$macro_version"; then
-      if test -z "$macro_version"; then
-        cat >&2 <<_LT_EOF
-$progname: Version mismatch error.  This is $PACKAGE $VERSION, but the
-$progname: definition of this LT_INIT comes from an older release.
-$progname: You should recreate aclocal.m4 with macros from $PACKAGE $VERSION
-$progname: and run autoconf again.
-_LT_EOF
-      else
-        cat >&2 <<_LT_EOF
-$progname: Version mismatch error.  This is $PACKAGE $VERSION, but the
-$progname: definition of this LT_INIT comes from $PACKAGE $macro_version.
-$progname: You should recreate aclocal.m4 with macros from $PACKAGE $VERSION
-$progname: and run autoconf again.
-_LT_EOF
-      fi
-    else
-      cat >&2 <<_LT_EOF
-$progname: Version mismatch error.  This is $PACKAGE $VERSION, revision $package_revision,
-$progname: but the definition of this LT_INIT comes from revision $macro_revision.
-$progname: You should recreate aclocal.m4 with macros from revision $package_revision
-$progname: of $PACKAGE $VERSION and run autoconf again.
-_LT_EOF
+    if test "$build_libtool_libs" != yes && test "$build_old_libs" != yes; then
+      func_fatal_configuration "not configured to build any kind of library"
     fi
 
-    exit $EXIT_MISMATCH
-  fi
-}
-
-
-## ----------- ##
-##    Main.    ##
-## ----------- ##
-
-$opt_help || {
-  # Sanity checks first:
-  func_check_version_match
+    # Darwin sucks
+    eval std_shrext=\"$shrext_cmds\"
 
-  if test "$build_libtool_libs" != yes && test "$build_old_libs" != yes; then
-    func_fatal_configuration "not configured to build any kind of library"
-  fi
+    # Only execute mode is allowed to have -dlopen flags.
+    if test -n "$opt_dlopen" && test "$opt_mode" != execute; then
+      func_error "unrecognized option \`-dlopen'"
+      $ECHO "$help" 1>&2
+      exit $EXIT_FAILURE
+    fi
 
-  test -z "$mode" && func_fatal_error "error: you must specify a MODE."
+    # Change the help message to a mode-specific one.
+    generic_help="$help"
+    help="Try \`$progname --help --mode=$opt_mode' for more information."
+  }
 
 
-  # Darwin sucks
-  eval std_shrext=\"$shrext_cmds\"
+  # Bail if the options were screwed
+  $exit_cmd $EXIT_FAILURE
+}
 
 
-  # Only execute mode is allowed to have -dlopen flags.
-  if test -n "$execute_dlfiles" && test "$mode" != execute; then
-    func_error "unrecognized option \`-dlopen'"
-    $ECHO "$help" 1>&2
-    exit $EXIT_FAILURE
-  fi
 
-  # Change the help message to a mode-specific one.
-  generic_help="$help"
-  help="Try \`$progname --help --mode=$mode' for more information."
-}
 
+## ----------- ##
+##    Main.    ##
+## ----------- ##
 
 # func_lalib_p file
 # True iff FILE is a libtool `.la' library or `.lo' object file.
@@ -950,12 +1287,9 @@ func_ltwrapper_executable_p ()
 # temporary ltwrapper_script.
 func_ltwrapper_scriptname ()
 {
-    func_ltwrapper_scriptname_result=""
-    if func_ltwrapper_executable_p "$1"; then
-	func_dirname_and_basename "$1" "" "."
-	func_stripname '' '.exe' "$func_basename_result"
-	func_ltwrapper_scriptname_result="$func_dirname_result/$objdir/${func_stripname_result}_ltshwrapper"
-    fi
+    func_dirname_and_basename "$1" "" "."
+    func_stripname '' '.exe' "$func_basename_result"
+    func_ltwrapper_scriptname_result="$func_dirname_result/$objdir/${func_stripname_result}_ltshwrapper"
 }
 
 # func_ltwrapper_p file
@@ -1001,6 +1335,37 @@ func_source ()
 }
 
 
+# func_resolve_sysroot PATH
+# Replace a leading = in PATH with a sysroot.  Store the result into
+# func_resolve_sysroot_result
+func_resolve_sysroot ()
+{
+  func_resolve_sysroot_result=$1
+  case $func_resolve_sysroot_result in
+  =*)
+    func_stripname '=' '' "$func_resolve_sysroot_result"
+    func_resolve_sysroot_result=$lt_sysroot$func_stripname_result
+    ;;
+  esac
+}
+
+# func_replace_sysroot PATH
+# If PATH begins with the sysroot, replace it with = and
+# store the result into func_replace_sysroot_result.
+func_replace_sysroot ()
+{
+  case "$lt_sysroot:$1" in
+  ?*:"$lt_sysroot"*)
+    func_stripname "$lt_sysroot" '' "$1"
+    func_replace_sysroot_result="=$func_stripname_result"
+    ;;
+  *)
+    # Including no sysroot.
+    func_replace_sysroot_result=$1
+    ;;
+  esac
+}
+
 # func_infer_tag arg
 # Infer tagged configuration to use if any are available and
 # if one wasn't chosen via the "--tag" command line option.
@@ -1013,13 +1378,15 @@ func_infer_tag ()
     if test -n "$available_tags" && test -z "$tagname"; then
       CC_quoted=
       for arg in $CC; do
-        func_quote_for_eval "$arg"
-	CC_quoted="$CC_quoted $func_quote_for_eval_result"
+	func_append_quoted CC_quoted "$arg"
       done
+      CC_expanded=`func_echo_all $CC`
+      CC_quoted_expanded=`func_echo_all $CC_quoted`
       case $@ in
       # Blanks in the command may have been stripped by the calling shell,
       # but not from the CC environment variable when configure was run.
-      " $CC "* | "$CC "* | " `$ECHO $CC` "* | "`$ECHO $CC` "* | " $CC_quoted"* | "$CC_quoted "* | " `$ECHO $CC_quoted` "* | "`$ECHO $CC_quoted` "*) ;;
+      " $CC "* | "$CC "* | " $CC_expanded "* | "$CC_expanded "* | \
+      " $CC_quoted"* | "$CC_quoted "* | " $CC_quoted_expanded "* | "$CC_quoted_expanded "*) ;;
       # Blanks at the start of $base_compile will cause this to fail
       # if we don't check for them as well.
       *)
@@ -1030,11 +1397,13 @@ func_infer_tag ()
 	    CC_quoted=
 	    for arg in $CC; do
 	      # Double-quote args containing other shell metacharacters.
-	      func_quote_for_eval "$arg"
-	      CC_quoted="$CC_quoted $func_quote_for_eval_result"
+	      func_append_quoted CC_quoted "$arg"
 	    done
+	    CC_expanded=`func_echo_all $CC`
+	    CC_quoted_expanded=`func_echo_all $CC_quoted`
 	    case "$@ " in
-	      " $CC "* | "$CC "* | " `$ECHO $CC` "* | "`$ECHO $CC` "* | " $CC_quoted"* | "$CC_quoted "* | " `$ECHO $CC_quoted` "* | "`$ECHO $CC_quoted` "*)
+	    " $CC "* | "$CC "* | " $CC_expanded "* | "$CC_expanded "* | \
+	    " $CC_quoted"* | "$CC_quoted "* | " $CC_quoted_expanded "* | "$CC_quoted_expanded "*)
 	      # The compiler in the base compile command matches
 	      # the one in the tagged configuration.
 	      # Assume this is the tagged configuration we want.
@@ -1097,6 +1466,486 @@ EOF
     }
 }
 
+
+##################################################
+# FILE NAME AND PATH CONVERSION HELPER FUNCTIONS #
+##################################################
+
+# func_convert_core_file_wine_to_w32 ARG
+# Helper function used by file name conversion functions when $build is *nix,
+# and $host is mingw, cygwin, or some other w32 environment. Relies on a
+# correctly configured wine environment available, with the winepath program
+# in $build's $PATH.
+#
+# ARG is the $build file name to be converted to w32 format.
+# Result is available in $func_convert_core_file_wine_to_w32_result, and will
+# be empty on error (or when ARG is empty)
+func_convert_core_file_wine_to_w32 ()
+{
+  $opt_debug
+  func_convert_core_file_wine_to_w32_result="$1"
+  if test -n "$1"; then
+    # Unfortunately, winepath does not exit with a non-zero error code, so we
+    # are forced to check the contents of stdout. On the other hand, if the
+    # command is not found, the shell will set an exit code of 127 and print
+    # *an error message* to stdout. So we must check for both error code of
+    # zero AND non-empty stdout, which explains the odd construction:
+    func_convert_core_file_wine_to_w32_tmp=`winepath -w "$1" 2>/dev/null`
+    if test "$?" -eq 0 && test -n "${func_convert_core_file_wine_to_w32_tmp}"; then
+      func_convert_core_file_wine_to_w32_result=`$ECHO "$func_convert_core_file_wine_to_w32_tmp" |
+        $SED -e "$lt_sed_naive_backslashify"`
+    else
+      func_convert_core_file_wine_to_w32_result=
+    fi
+  fi
+}
+# end: func_convert_core_file_wine_to_w32
+
+
+# func_convert_core_path_wine_to_w32 ARG
+# Helper function used by path conversion functions when $build is *nix, and
+# $host is mingw, cygwin, or some other w32 environment. Relies on a correctly
+# configured wine environment available, with the winepath program in $build's
+# $PATH. Assumes ARG has no leading or trailing path separator characters.
+#
+# ARG is path to be converted from $build format to win32.
+# Result is available in $func_convert_core_path_wine_to_w32_result.
+# Unconvertible file (directory) names in ARG are skipped; if no directory names
+# are convertible, then the result may be empty.
+func_convert_core_path_wine_to_w32 ()
+{
+  $opt_debug
+  # unfortunately, winepath doesn't convert paths, only file names
+  func_convert_core_path_wine_to_w32_result=""
+  if test -n "$1"; then
+    oldIFS=$IFS
+    IFS=:
+    for func_convert_core_path_wine_to_w32_f in $1; do
+      IFS=$oldIFS
+      func_convert_core_file_wine_to_w32 "$func_convert_core_path_wine_to_w32_f"
+      if test -n "$func_convert_core_file_wine_to_w32_result" ; then
+        if test -z "$func_convert_core_path_wine_to_w32_result"; then
+          func_convert_core_path_wine_to_w32_result="$func_convert_core_file_wine_to_w32_result"
+        else
+          func_append func_convert_core_path_wine_to_w32_result ";$func_convert_core_file_wine_to_w32_result"
+        fi
+      fi
+    done
+    IFS=$oldIFS
+  fi
+}
+# end: func_convert_core_path_wine_to_w32
+
+
+# func_cygpath ARGS...
+# Wrapper around calling the cygpath program via LT_CYGPATH. This is used when
+# when (1) $build is *nix and Cygwin is hosted via a wine environment; or (2)
+# $build is MSYS and $host is Cygwin, or (3) $build is Cygwin. In case (1) or
+# (2), returns the Cygwin file name or path in func_cygpath_result (input
+# file name or path is assumed to be in w32 format, as previously converted
+# from $build's *nix or MSYS format). In case (3), returns the w32 file name
+# or path in func_cygpath_result (input file name or path is assumed to be in
+# Cygwin format). Returns an empty string on error.
+#
+# ARGS are passed to cygpath, with the last one being the file name or path to
+# be converted.
+#
+# Specify the absolute *nix (or w32) name to cygpath in the LT_CYGPATH
+# environment variable; do not put it in $PATH.
+func_cygpath ()
+{
+  $opt_debug
+  if test -n "$LT_CYGPATH" && test -f "$LT_CYGPATH"; then
+    func_cygpath_result=`$LT_CYGPATH "$@" 2>/dev/null`
+    if test "$?" -ne 0; then
+      # on failure, ensure result is empty
+      func_cygpath_result=
+    fi
+  else
+    func_cygpath_result=
+    func_error "LT_CYGPATH is empty or specifies non-existent file: \`$LT_CYGPATH'"
+  fi
+}
+#end: func_cygpath
+
+
+# func_convert_core_msys_to_w32 ARG
+# Convert file name or path ARG from MSYS format to w32 format.  Return
+# result in func_convert_core_msys_to_w32_result.
+func_convert_core_msys_to_w32 ()
+{
+  $opt_debug
+  # awkward: cmd appends spaces to result
+  func_convert_core_msys_to_w32_result=`( cmd //c echo "$1" ) 2>/dev/null |
+    $SED -e 's/[ ]*$//' -e "$lt_sed_naive_backslashify"`
+}
+#end: func_convert_core_msys_to_w32
+
+
+# func_convert_file_check ARG1 ARG2
+# Verify that ARG1 (a file name in $build format) was converted to $host
+# format in ARG2. Otherwise, emit an error message, but continue (resetting
+# func_to_host_file_result to ARG1).
+func_convert_file_check ()
+{
+  $opt_debug
+  if test -z "$2" && test -n "$1" ; then
+    func_error "Could not determine host file name corresponding to"
+    func_error "  \`$1'"
+    func_error "Continuing, but uninstalled executables may not work."
+    # Fallback:
+    func_to_host_file_result="$1"
+  fi
+}
+# end func_convert_file_check
+
+
+# func_convert_path_check FROM_PATHSEP TO_PATHSEP FROM_PATH TO_PATH
+# Verify that FROM_PATH (a path in $build format) was converted to $host
+# format in TO_PATH. Otherwise, emit an error message, but continue, resetting
+# func_to_host_file_result to a simplistic fallback value (see below).
+func_convert_path_check ()
+{
+  $opt_debug
+  if test -z "$4" && test -n "$3"; then
+    func_error "Could not determine the host path corresponding to"
+    func_error "  \`$3'"
+    func_error "Continuing, but uninstalled executables may not work."
+    # Fallback.  This is a deliberately simplistic "conversion" and
+    # should not be "improved".  See libtool.info.
+    if test "x$1" != "x$2"; then
+      lt_replace_pathsep_chars="s|$1|$2|g"
+      func_to_host_path_result=`echo "$3" |
+        $SED -e "$lt_replace_pathsep_chars"`
+    else
+      func_to_host_path_result="$3"
+    fi
+  fi
+}
+# end func_convert_path_check
+
+
+# func_convert_path_front_back_pathsep FRONTPAT BACKPAT REPL ORIG
+# Modifies func_to_host_path_result by prepending REPL if ORIG matches FRONTPAT
+# and appending REPL if ORIG matches BACKPAT.
+func_convert_path_front_back_pathsep ()
+{
+  $opt_debug
+  case $4 in
+  $1 ) func_to_host_path_result="$3$func_to_host_path_result"
+    ;;
+  esac
+  case $4 in
+  $2 ) func_append func_to_host_path_result "$3"
+    ;;
+  esac
+}
+# end func_convert_path_front_back_pathsep
+
+
+##################################################
+# $build to $host FILE NAME CONVERSION FUNCTIONS #
+##################################################
+# invoked via `$to_host_file_cmd ARG'
+#
+# In each case, ARG is the path to be converted from $build to $host format.
+# Result will be available in $func_to_host_file_result.
+
+
+# func_to_host_file ARG
+# Converts the file name ARG from $build format to $host format. Return result
+# in func_to_host_file_result.
+func_to_host_file ()
+{
+  $opt_debug
+  $to_host_file_cmd "$1"
+}
+# end func_to_host_file
+
+
+# func_to_tool_file ARG LAZY
+# converts the file name ARG from $build format to toolchain format. Return
+# result in func_to_tool_file_result.  If the conversion in use is listed
+# in (the comma separated) LAZY, no conversion takes place.
+func_to_tool_file ()
+{
+  $opt_debug
+  case ,$2, in
+    *,"$to_tool_file_cmd",*)
+      func_to_tool_file_result=$1
+      ;;
+    *)
+      $to_tool_file_cmd "$1"
+      func_to_tool_file_result=$func_to_host_file_result
+      ;;
+  esac
+}
+# end func_to_tool_file
+
+
+# func_convert_file_noop ARG
+# Copy ARG to func_to_host_file_result.
+func_convert_file_noop ()
+{
+  func_to_host_file_result="$1"
+}
+# end func_convert_file_noop
+
+
+# func_convert_file_msys_to_w32 ARG
+# Convert file name ARG from (mingw) MSYS to (mingw) w32 format; automatic
+# conversion to w32 is not available inside the cwrapper.  Returns result in
+# func_to_host_file_result.
+func_convert_file_msys_to_w32 ()
+{
+  $opt_debug
+  func_to_host_file_result="$1"
+  if test -n "$1"; then
+    func_convert_core_msys_to_w32 "$1"
+    func_to_host_file_result="$func_convert_core_msys_to_w32_result"
+  fi
+  func_convert_file_check "$1" "$func_to_host_file_result"
+}
+# end func_convert_file_msys_to_w32
+
+
+# func_convert_file_cygwin_to_w32 ARG
+# Convert file name ARG from Cygwin to w32 format.  Returns result in
+# func_to_host_file_result.
+func_convert_file_cygwin_to_w32 ()
+{
+  $opt_debug
+  func_to_host_file_result="$1"
+  if test -n "$1"; then
+    # because $build is cygwin, we call "the" cygpath in $PATH; no need to use
+    # LT_CYGPATH in this case.
+    func_to_host_file_result=`cygpath -m "$1"`
+  fi
+  func_convert_file_check "$1" "$func_to_host_file_result"
+}
+# end func_convert_file_cygwin_to_w32
+
+
+# func_convert_file_nix_to_w32 ARG
+# Convert file name ARG from *nix to w32 format.  Requires a wine environment
+# and a working winepath. Returns result in func_to_host_file_result.
+func_convert_file_nix_to_w32 ()
+{
+  $opt_debug
+  func_to_host_file_result="$1"
+  if test -n "$1"; then
+    func_convert_core_file_wine_to_w32 "$1"
+    func_to_host_file_result="$func_convert_core_file_wine_to_w32_result"
+  fi
+  func_convert_file_check "$1" "$func_to_host_file_result"
+}
+# end func_convert_file_nix_to_w32
+
+
+# func_convert_file_msys_to_cygwin ARG
+# Convert file name ARG from MSYS to Cygwin format.  Requires LT_CYGPATH set.
+# Returns result in func_to_host_file_result.
+func_convert_file_msys_to_cygwin ()
+{
+  $opt_debug
+  func_to_host_file_result="$1"
+  if test -n "$1"; then
+    func_convert_core_msys_to_w32 "$1"
+    func_cygpath -u "$func_convert_core_msys_to_w32_result"
+    func_to_host_file_result="$func_cygpath_result"
+  fi
+  func_convert_file_check "$1" "$func_to_host_file_result"
+}
+# end func_convert_file_msys_to_cygwin
+
+
+# func_convert_file_nix_to_cygwin ARG
+# Convert file name ARG from *nix to Cygwin format.  Requires Cygwin installed
+# in a wine environment, working winepath, and LT_CYGPATH set.  Returns result
+# in func_to_host_file_result.
+func_convert_file_nix_to_cygwin ()
+{
+  $opt_debug
+  func_to_host_file_result="$1"
+  if test -n "$1"; then
+    # convert from *nix to w32, then use cygpath to convert from w32 to cygwin.
+    func_convert_core_file_wine_to_w32 "$1"
+    func_cygpath -u "$func_convert_core_file_wine_to_w32_result"
+    func_to_host_file_result="$func_cygpath_result"
+  fi
+  func_convert_file_check "$1" "$func_to_host_file_result"
+}
+# end func_convert_file_nix_to_cygwin
+
+
+#############################################
+# $build to $host PATH CONVERSION FUNCTIONS #
+#############################################
+# invoked via `$to_host_path_cmd ARG'
+#
+# In each case, ARG is the path to be converted from $build to $host format.
+# The result will be available in $func_to_host_path_result.
+#
+# Path separators are also converted from $build format to $host format.  If
+# ARG begins or ends with a path separator character, it is preserved (but
+# converted to $host format) on output.
+#
+# All path conversion functions are named using the following convention:
+#   file name conversion function    : func_convert_file_X_to_Y ()
+#   path conversion function         : func_convert_path_X_to_Y ()
+# where, for any given $build/$host combination the 'X_to_Y' value is the
+# same.  If conversion functions are added for new $build/$host combinations,
+# the two new functions must follow this pattern, or func_init_to_host_path_cmd
+# will break.
+
+
+# func_init_to_host_path_cmd
+# Ensures that function "pointer" variable $to_host_path_cmd is set to the
+# appropriate value, based on the value of $to_host_file_cmd.
+to_host_path_cmd=
+func_init_to_host_path_cmd ()
+{
+  $opt_debug
+  if test -z "$to_host_path_cmd"; then
+    func_stripname 'func_convert_file_' '' "$to_host_file_cmd"
+    to_host_path_cmd="func_convert_path_${func_stripname_result}"
+  fi
+}
+
+
+# func_to_host_path ARG
+# Converts the path ARG from $build format to $host format. Return result
+# in func_to_host_path_result.
+func_to_host_path ()
+{
+  $opt_debug
+  func_init_to_host_path_cmd
+  $to_host_path_cmd "$1"
+}
+# end func_to_host_path
+
+
+# func_convert_path_noop ARG
+# Copy ARG to func_to_host_path_result.
+func_convert_path_noop ()
+{
+  func_to_host_path_result="$1"
+}
+# end func_convert_path_noop
+
+
+# func_convert_path_msys_to_w32 ARG
+# Convert path ARG from (mingw) MSYS to (mingw) w32 format; automatic
+# conversion to w32 is not available inside the cwrapper.  Returns result in
+# func_to_host_path_result.
+func_convert_path_msys_to_w32 ()
+{
+  $opt_debug
+  func_to_host_path_result="$1"
+  if test -n "$1"; then
+    # Remove leading and trailing path separator characters from ARG.  MSYS
+    # behavior is inconsistent here; cygpath turns them into '.;' and ';.';
+    # and winepath ignores them completely.
+    func_stripname : : "$1"
+    func_to_host_path_tmp1=$func_stripname_result
+    func_convert_core_msys_to_w32 "$func_to_host_path_tmp1"
+    func_to_host_path_result="$func_convert_core_msys_to_w32_result"
+    func_convert_path_check : ";" \
+      "$func_to_host_path_tmp1" "$func_to_host_path_result"
+    func_convert_path_front_back_pathsep ":*" "*:" ";" "$1"
+  fi
+}
+# end func_convert_path_msys_to_w32
+
+
+# func_convert_path_cygwin_to_w32 ARG
+# Convert path ARG from Cygwin to w32 format.  Returns result in
+# func_to_host_file_result.
+func_convert_path_cygwin_to_w32 ()
+{
+  $opt_debug
+  func_to_host_path_result="$1"
+  if test -n "$1"; then
+    # See func_convert_path_msys_to_w32:
+    func_stripname : : "$1"
+    func_to_host_path_tmp1=$func_stripname_result
+    func_to_host_path_result=`cygpath -m -p "$func_to_host_path_tmp1"`
+    func_convert_path_check : ";" \
+      "$func_to_host_path_tmp1" "$func_to_host_path_result"
+    func_convert_path_front_back_pathsep ":*" "*:" ";" "$1"
+  fi
+}
+# end func_convert_path_cygwin_to_w32
+
+
+# func_convert_path_nix_to_w32 ARG
+# Convert path ARG from *nix to w32 format.  Requires a wine environment and
+# a working winepath.  Returns result in func_to_host_file_result.
+func_convert_path_nix_to_w32 ()
+{
+  $opt_debug
+  func_to_host_path_result="$1"
+  if test -n "$1"; then
+    # See func_convert_path_msys_to_w32:
+    func_stripname : : "$1"
+    func_to_host_path_tmp1=$func_stripname_result
+    func_convert_core_path_wine_to_w32 "$func_to_host_path_tmp1"
+    func_to_host_path_result="$func_convert_core_path_wine_to_w32_result"
+    func_convert_path_check : ";" \
+      "$func_to_host_path_tmp1" "$func_to_host_path_result"
+    func_convert_path_front_back_pathsep ":*" "*:" ";" "$1"
+  fi
+}
+# end func_convert_path_nix_to_w32
+
+
+# func_convert_path_msys_to_cygwin ARG
+# Convert path ARG from MSYS to Cygwin format.  Requires LT_CYGPATH set.
+# Returns result in func_to_host_file_result.
+func_convert_path_msys_to_cygwin ()
+{
+  $opt_debug
+  func_to_host_path_result="$1"
+  if test -n "$1"; then
+    # See func_convert_path_msys_to_w32:
+    func_stripname : : "$1"
+    func_to_host_path_tmp1=$func_stripname_result
+    func_convert_core_msys_to_w32 "$func_to_host_path_tmp1"
+    func_cygpath -u -p "$func_convert_core_msys_to_w32_result"
+    func_to_host_path_result="$func_cygpath_result"
+    func_convert_path_check : : \
+      "$func_to_host_path_tmp1" "$func_to_host_path_result"
+    func_convert_path_front_back_pathsep ":*" "*:" : "$1"
+  fi
+}
+# end func_convert_path_msys_to_cygwin
+
+
+# func_convert_path_nix_to_cygwin ARG
+# Convert path ARG from *nix to Cygwin format.  Requires Cygwin installed in a
+# a wine environment, working winepath, and LT_CYGPATH set.  Returns result in
+# func_to_host_file_result.
+func_convert_path_nix_to_cygwin ()
+{
+  $opt_debug
+  func_to_host_path_result="$1"
+  if test -n "$1"; then
+    # Remove leading and trailing path separator characters from
+    # ARG. msys behavior is inconsistent here, cygpath turns them
+    # into '.;' and ';.', and winepath ignores them completely.
+    func_stripname : : "$1"
+    func_to_host_path_tmp1=$func_stripname_result
+    func_convert_core_path_wine_to_w32 "$func_to_host_path_tmp1"
+    func_cygpath -u -p "$func_convert_core_path_wine_to_w32_result"
+    func_to_host_path_result="$func_cygpath_result"
+    func_convert_path_check : : \
+      "$func_to_host_path_tmp1" "$func_to_host_path_result"
+    func_convert_path_front_back_pathsep ":*" "*:" : "$1"
+  fi
+}
+# end func_convert_path_nix_to_cygwin
+
+
 # func_mode_compile arg...
 func_mode_compile ()
 {
@@ -1137,12 +1986,12 @@ func_mode_compile ()
 	  ;;
 
 	-pie | -fpie | -fPIE)
-          pie_flag="$pie_flag $arg"
+          func_append pie_flag " $arg"
 	  continue
 	  ;;
 
 	-shared | -static | -prefer-pic | -prefer-non-pic)
-	  later="$later $arg"
+	  func_append later " $arg"
 	  continue
 	  ;;
 
@@ -1163,15 +2012,14 @@ func_mode_compile ()
 	  save_ifs="$IFS"; IFS=','
 	  for arg in $args; do
 	    IFS="$save_ifs"
-	    func_quote_for_eval "$arg"
-	    lastarg="$lastarg $func_quote_for_eval_result"
+	    func_append_quoted lastarg "$arg"
 	  done
 	  IFS="$save_ifs"
 	  func_stripname ' ' '' "$lastarg"
 	  lastarg=$func_stripname_result
 
 	  # Add the arguments to base_compile.
-	  base_compile="$base_compile $lastarg"
+	  func_append base_compile " $lastarg"
 	  continue
 	  ;;
 
@@ -1187,8 +2035,7 @@ func_mode_compile ()
       esac    #  case $arg_mode
 
       # Aesthetically quote the previous argument.
-      func_quote_for_eval "$lastarg"
-      base_compile="$base_compile $func_quote_for_eval_result"
+      func_append_quoted base_compile "$lastarg"
     done # for arg
 
     case $arg_mode in
@@ -1213,7 +2060,7 @@ func_mode_compile ()
     *.[cCFSifmso] | \
     *.ada | *.adb | *.ads | *.asm | \
     *.c++ | *.cc | *.ii | *.class | *.cpp | *.cxx | \
-    *.[fF][09]? | *.for | *.java | *.obj | *.sx)
+    *.[fF][09]? | *.for | *.java | *.go | *.obj | *.sx | *.cu | *.cup)
       func_xform "$libobj"
       libobj=$func_xform_result
       ;;
@@ -1288,7 +2135,7 @@ func_mode_compile ()
     # Calculate the filename of the output object if compiler does
     # not support -o with -c
     if test "$compiler_c_o" = no; then
-      output_obj=`$ECHO "X$srcfile" | $Xsed -e 's%^.*/%%' -e 's%\.[^.]*$%%'`.${objext}
+      output_obj=`$ECHO "$srcfile" | $SED 's%^.*/%%; s%\.[^.]*$%%'`.${objext}
       lockfile="$output_obj.lock"
     else
       output_obj=
@@ -1319,17 +2166,16 @@ compiler."
 	$opt_dry_run || $RM $removelist
 	exit $EXIT_FAILURE
       fi
-      removelist="$removelist $output_obj"
+      func_append removelist " $output_obj"
       $ECHO "$srcfile" > "$lockfile"
     fi
 
     $opt_dry_run || $RM $removelist
-    removelist="$removelist $lockfile"
+    func_append removelist " $lockfile"
     trap '$opt_dry_run || $RM $removelist; exit $EXIT_FAILURE' 1 2 15
 
-    if test -n "$fix_srcfile_path"; then
-      eval srcfile=\"$fix_srcfile_path\"
-    fi
+    func_to_tool_file "$srcfile" func_convert_file_msys_to_w32
+    srcfile=$func_to_tool_file_result
     func_quote_for_eval "$srcfile"
     qsrcfile=$func_quote_for_eval_result
 
@@ -1349,7 +2195,7 @@ compiler."
 
       if test -z "$output_obj"; then
 	# Place PIC objects in $objdir
-	command="$command -o $lobj"
+	func_append command " -o $lobj"
       fi
 
       func_show_eval_locale "$command"	\
@@ -1396,11 +2242,11 @@ compiler."
 	command="$base_compile $qsrcfile $pic_flag"
       fi
       if test "$compiler_c_o" = yes; then
-	command="$command -o $obj"
+	func_append command " -o $obj"
       fi
 
       # Suppress compiler output if we already did a PIC compilation.
-      command="$command$suppress_output"
+      func_append command "$suppress_output"
       func_show_eval_locale "$command" \
         '$opt_dry_run || $RM $removelist; exit $EXIT_FAILURE'
 
@@ -1445,13 +2291,13 @@ compiler."
 }
 
 $opt_help || {
-test "$mode" = compile && func_mode_compile ${1+"$@"}
+  test "$opt_mode" = compile && func_mode_compile ${1+"$@"}
 }
 
 func_mode_help ()
 {
     # We need to display help for each of the modes.
-    case $mode in
+    case $opt_mode in
       "")
         # Generic help is extracted from the usage comments
         # at the start of this file.
@@ -1482,10 +2328,11 @@ This mode accepts the following additional options:
 
   -o OUTPUT-FILE    set the output file name to OUTPUT-FILE
   -no-suppress      do not suppress compiler output for multiple passes
-  -prefer-pic       try to building PIC objects only
-  -prefer-non-pic   try to building non-PIC objects only
+  -prefer-pic       try to build PIC objects only
+  -prefer-non-pic   try to build non-PIC objects only
   -shared           do not build a \`.o' file suitable for static linking
   -static           only build a \`.o' file suitable for static linking
+  -Wc,FLAG          pass FLAG directly to the compiler
 
 COMPILE-COMMAND is a command to be used in creating a \`standard' object file
 from the given SOURCEFILE.
@@ -1538,7 +2385,7 @@ either the \`install' or \`cp' program.
 
 The following components of INSTALL-COMMAND are treated specially:
 
-  -inst-prefix PREFIX-DIR  Use PREFIX-DIR as a staging area for installation
+  -inst-prefix-dir PREFIX-DIR  Use PREFIX-DIR as a staging area for installation
 
 The rest of the components are interpreted as arguments to that command (only
 BSD-compatible install options are recognized)."
@@ -1558,6 +2405,8 @@ The following components of LINK-COMMAND are treated specially:
 
   -all-static       do not do any dynamic linking at all
   -avoid-version    do not add a version suffix if possible
+  -bindir BINDIR    specify path to binaries directory (for systems where
+                    libraries must be found in the PATH setting at runtime)
   -dlopen FILE      \`-dlpreopen' FILE if it cannot be dlopened at runtime
   -dlpreopen FILE   link in FILE and add its symbols to lt_preloaded_symbols
   -export-dynamic   allow symbols from OUTPUT-FILE to be resolved with dlsym(3)
@@ -1586,6 +2435,11 @@ The following components of LINK-COMMAND are treated specially:
   -version-info CURRENT[:REVISION[:AGE]]
                     specify library version info [each variable defaults to 0]
   -weak LIBNAME     declare that the target provides the LIBNAME interface
+  -Wc,FLAG
+  -Xcompiler FLAG   pass linker-specific FLAG directly to the compiler
+  -Wl,FLAG
+  -Xlinker FLAG     pass linker-specific FLAG directly to the linker
+  -XCClinker FLAG   pass link-specific FLAG to the compiler driver (CC)
 
 All other options (arguments beginning with \`-') are ignored.
 
@@ -1619,18 +2473,44 @@ Otherwise, only FILE itself is deleted using RM."
         ;;
 
       *)
-        func_fatal_help "invalid operation mode \`$mode'"
+        func_fatal_help "invalid operation mode \`$opt_mode'"
         ;;
     esac
 
-    $ECHO
+    echo
     $ECHO "Try \`$progname --help' for more information about other modes."
-
-    exit $?
 }
 
-  # Now that we've collected a possible --mode arg, show help if necessary
-  $opt_help && func_mode_help
+# Now that we've collected a possible --mode arg, show help if necessary
+if $opt_help; then
+  if test "$opt_help" = :; then
+    func_mode_help
+  else
+    {
+      func_help noexit
+      for opt_mode in compile link execute install finish uninstall clean; do
+	func_mode_help
+      done
+    } | sed -n '1p; 2,$s/^Usage:/  or: /p'
+    {
+      func_help noexit
+      for opt_mode in compile link execute install finish uninstall clean; do
+	echo
+	func_mode_help
+      done
+    } |
+    sed '1d
+      /^When reporting/,/^Report/{
+	H
+	d
+      }
+      $x
+      /information about other modes/d
+      /more detailed .*MODE/d
+      s/^Usage:.*--mode=\([^ ]*\) .*/Description of \1 mode:/'
+  fi
+  exit $?
+fi
 
 
 # func_mode_execute arg...
@@ -1643,13 +2523,16 @@ func_mode_execute ()
       func_fatal_help "you must specify a COMMAND"
 
     # Handle -dlopen flags immediately.
-    for file in $execute_dlfiles; do
+    for file in $opt_dlopen; do
       test -f "$file" \
 	|| func_fatal_help "\`$file' is not a file"
 
       dir=
       case $file in
       *.la)
+	func_resolve_sysroot "$file"
+	file=$func_resolve_sysroot_result
+
 	# Check to see that this really is a libtool archive.
 	func_lalib_unsafe_p "$file" \
 	  || func_fatal_help "\`$lib' is not a valid libtool archive"
@@ -1671,7 +2554,7 @@ func_mode_execute ()
 	dir="$func_dirname_result"
 
 	if test -f "$dir/$objdir/$dlname"; then
-	  dir="$dir/$objdir"
+	  func_append dir "/$objdir"
 	else
 	  if test ! -f "$dir/$dlname"; then
 	    func_fatal_error "cannot find \`$dlname' in \`$dir' or \`$dir/$objdir'"
@@ -1712,7 +2595,7 @@ func_mode_execute ()
     for file
     do
       case $file in
-      -*) ;;
+      -* | *.la | *.lo ) ;;
       *)
 	# Do a test to see if this is really a libtool program.
 	if func_ltwrapper_script_p "$file"; then
@@ -1728,8 +2611,7 @@ func_mode_execute ()
 	;;
       esac
       # Quote arguments (to preserve shell metacharacters).
-      func_quote_for_eval "$file"
-      args="$args $func_quote_for_eval_result"
+      func_append_quoted args "$file"
     done
 
     if test "X$opt_dry_run" = Xfalse; then
@@ -1754,29 +2636,66 @@ func_mode_execute ()
       # Display what would be done.
       if test -n "$shlibpath_var"; then
 	eval "\$ECHO \"\$shlibpath_var=\$$shlibpath_var\""
-	$ECHO "export $shlibpath_var"
+	echo "export $shlibpath_var"
       fi
       $ECHO "$cmd$args"
       exit $EXIT_SUCCESS
     fi
 }
 
-test "$mode" = execute && func_mode_execute ${1+"$@"}
+test "$opt_mode" = execute && func_mode_execute ${1+"$@"}
 
 
 # func_mode_finish arg...
 func_mode_finish ()
 {
     $opt_debug
-    libdirs="$nonopt"
+    libs=
+    libdirs=
     admincmds=
 
-    if test -n "$finish_cmds$finish_eval" && test -n "$libdirs"; then
-      for dir
-      do
-	libdirs="$libdirs $dir"
-      done
+    for opt in "$nonopt" ${1+"$@"}
+    do
+      if test -d "$opt"; then
+	func_append libdirs " $opt"
+
+      elif test -f "$opt"; then
+	if func_lalib_unsafe_p "$opt"; then
+	  func_append libs " $opt"
+	else
+	  func_warning "\`$opt' is not a valid libtool archive"
+	fi
+
+      else
+	func_fatal_error "invalid argument \`$opt'"
+      fi
+    done
+
+    if test -n "$libs"; then
+      if test -n "$lt_sysroot"; then
+        sysroot_regex=`$ECHO "$lt_sysroot" | $SED "$sed_make_literal_regex"`
+        sysroot_cmd="s/\([ ']\)$sysroot_regex/\1/g;"
+      else
+        sysroot_cmd=
+      fi
+
+      # Remove sysroot references
+      if $opt_dry_run; then
+        for lib in $libs; do
+          echo "removing references to $lt_sysroot and \`=' prefixes from $lib"
+        done
+      else
+        tmpdir=`func_mktempdir`
+        for lib in $libs; do
+	  sed -e "${sysroot_cmd} s/\([ ']-[LR]\)=/\1/g; s/\([ ']\)=/\1/g" $lib \
+	    > $tmpdir/tmp-la
+	  mv -f $tmpdir/tmp-la $lib
+	done
+        ${RM}r "$tmpdir"
+      fi
+    fi
 
+    if test -n "$finish_cmds$finish_eval" && test -n "$libdirs"; then
       for libdir in $libdirs; do
 	if test -n "$finish_cmds"; then
 	  # Do each command in the finish commands.
@@ -1786,7 +2705,7 @@ func_mode_finish ()
 	if test -n "$finish_eval"; then
 	  # Do the single finish_eval.
 	  eval cmds=\"$finish_eval\"
-	  $opt_dry_run || eval "$cmds" || admincmds="$admincmds
+	  $opt_dry_run || eval "$cmds" || func_append admincmds "
        $cmds"
 	fi
       done
@@ -1795,53 +2714,55 @@ func_mode_finish ()
     # Exit here if they wanted silent mode.
     $opt_silent && exit $EXIT_SUCCESS
 
-    $ECHO "X----------------------------------------------------------------------" | $Xsed
-    $ECHO "Libraries have been installed in:"
-    for libdir in $libdirs; do
-      $ECHO "   $libdir"
-    done
-    $ECHO
-    $ECHO "If you ever happen to want to link against installed libraries"
-    $ECHO "in a given directory, LIBDIR, you must either use libtool, and"
-    $ECHO "specify the full pathname of the library, or use the \`-LLIBDIR'"
-    $ECHO "flag during linking and do at least one of the following:"
-    if test -n "$shlibpath_var"; then
-      $ECHO "   - add LIBDIR to the \`$shlibpath_var' environment variable"
-      $ECHO "     during execution"
-    fi
-    if test -n "$runpath_var"; then
-      $ECHO "   - add LIBDIR to the \`$runpath_var' environment variable"
-      $ECHO "     during linking"
-    fi
-    if test -n "$hardcode_libdir_flag_spec"; then
-      libdir=LIBDIR
-      eval flag=\"$hardcode_libdir_flag_spec\"
+    if test -n "$finish_cmds$finish_eval" && test -n "$libdirs"; then
+      echo "----------------------------------------------------------------------"
+      echo "Libraries have been installed in:"
+      for libdir in $libdirs; do
+	$ECHO "   $libdir"
+      done
+      echo
+      echo "If you ever happen to want to link against installed libraries"
+      echo "in a given directory, LIBDIR, you must either use libtool, and"
+      echo "specify the full pathname of the library, or use the \`-LLIBDIR'"
+      echo "flag during linking and do at least one of the following:"
+      if test -n "$shlibpath_var"; then
+	echo "   - add LIBDIR to the \`$shlibpath_var' environment variable"
+	echo "     during execution"
+      fi
+      if test -n "$runpath_var"; then
+	echo "   - add LIBDIR to the \`$runpath_var' environment variable"
+	echo "     during linking"
+      fi
+      if test -n "$hardcode_libdir_flag_spec"; then
+	libdir=LIBDIR
+	eval flag=\"$hardcode_libdir_flag_spec\"
 
-      $ECHO "   - use the \`$flag' linker flag"
-    fi
-    if test -n "$admincmds"; then
-      $ECHO "   - have your system administrator run these commands:$admincmds"
-    fi
-    if test -f /etc/ld.so.conf; then
-      $ECHO "   - have your system administrator add LIBDIR to \`/etc/ld.so.conf'"
-    fi
-    $ECHO
+	$ECHO "   - use the \`$flag' linker flag"
+      fi
+      if test -n "$admincmds"; then
+	$ECHO "   - have your system administrator run these commands:$admincmds"
+      fi
+      if test -f /etc/ld.so.conf; then
+	echo "   - have your system administrator add LIBDIR to \`/etc/ld.so.conf'"
+      fi
+      echo
 
-    $ECHO "See any operating system documentation about shared libraries for"
-    case $host in
-      solaris2.[6789]|solaris2.1[0-9])
-        $ECHO "more information, such as the ld(1), crle(1) and ld.so(8) manual"
-	$ECHO "pages."
-	;;
-      *)
-        $ECHO "more information, such as the ld(1) and ld.so(8) manual pages."
-        ;;
-    esac
-    $ECHO "X----------------------------------------------------------------------" | $Xsed
+      echo "See any operating system documentation about shared libraries for"
+      case $host in
+	solaris2.[6789]|solaris2.1[0-9])
+	  echo "more information, such as the ld(1), crle(1) and ld.so(8) manual"
+	  echo "pages."
+	  ;;
+	*)
+	  echo "more information, such as the ld(1) and ld.so(8) manual pages."
+	  ;;
+      esac
+      echo "----------------------------------------------------------------------"
+    fi
     exit $EXIT_SUCCESS
 }
 
-test "$mode" = finish && func_mode_finish ${1+"$@"}
+test "$opt_mode" = finish && func_mode_finish ${1+"$@"}
 
 
 # func_mode_install arg...
@@ -1852,7 +2773,7 @@ func_mode_install ()
     # install_prog (especially on Windows NT).
     if test "$nonopt" = "$SHELL" || test "$nonopt" = /bin/sh ||
        # Allow the use of GNU shtool's install command.
-       $ECHO "X$nonopt" | $GREP shtool >/dev/null; then
+       case $nonopt in *shtool*) :;; *) false;; esac; then
       # Aesthetically quote it.
       func_quote_for_eval "$nonopt"
       install_prog="$func_quote_for_eval_result "
@@ -1866,7 +2787,12 @@ func_mode_install ()
     # The real first argument should be the name of the installation program.
     # Aesthetically quote it.
     func_quote_for_eval "$arg"
-    install_prog="$install_prog$func_quote_for_eval_result"
+    func_append install_prog "$func_quote_for_eval_result"
+    install_shared_prog=$install_prog
+    case " $install_prog " in
+      *[\\\ /]cp\ *) install_cp=: ;;
+      *) install_cp=false ;;
+    esac
 
     # We need to accept at least all the BSD install flags.
     dest=
@@ -1876,10 +2802,12 @@ func_mode_install ()
     install_type=
     isdir=no
     stripme=
+    no_mode=:
     for arg
     do
+      arg2=
       if test -n "$dest"; then
-	files="$files $dest"
+	func_append files " $dest"
 	dest=$arg
 	continue
       fi
@@ -1887,10 +2815,9 @@ func_mode_install ()
       case $arg in
       -d) isdir=yes ;;
       -f)
-	case " $install_prog " in
-	*[\\\ /]cp\ *) ;;
-	*) prev=$arg ;;
-	esac
+	if $install_cp; then :; else
+	  prev=$arg
+	fi
 	;;
       -g | -m | -o)
 	prev=$arg
@@ -1904,6 +2831,10 @@ func_mode_install ()
       *)
 	# If the previous option needed an argument, then skip it.
 	if test -n "$prev"; then
+	  if test "x$prev" = x-m && test -n "$install_override_mode"; then
+	    arg2=$install_override_mode
+	    no_mode=false
+	  fi
 	  prev=
 	else
 	  dest=$arg
@@ -1914,7 +2845,11 @@ func_mode_install ()
 
       # Aesthetically quote the argument.
       func_quote_for_eval "$arg"
-      install_prog="$install_prog $func_quote_for_eval_result"
+      func_append install_prog " $func_quote_for_eval_result"
+      if test -n "$arg2"; then
+	func_quote_for_eval "$arg2"
+      fi
+      func_append install_shared_prog " $func_quote_for_eval_result"
     done
 
     test -z "$install_prog" && \
@@ -1923,6 +2858,13 @@ func_mode_install ()
     test -n "$prev" && \
       func_fatal_help "the \`$prev' option requires an argument"
 
+    if test -n "$install_override_mode" && $no_mode; then
+      if $install_cp; then :; else
+	func_quote_for_eval "$install_override_mode"
+	func_append install_shared_prog " -m $func_quote_for_eval_result"
+      fi
+    fi
+
     if test -z "$files"; then
       if test -z "$dest"; then
 	func_fatal_help "no file or destination specified"
@@ -1977,10 +2919,13 @@ func_mode_install ()
       case $file in
       *.$libext)
 	# Do the static libraries later.
-	staticlibs="$staticlibs $file"
+	func_append staticlibs " $file"
 	;;
 
       *.la)
+	func_resolve_sysroot "$file"
+	file=$func_resolve_sysroot_result
+
 	# Check to see that this really is a libtool archive.
 	func_lalib_unsafe_p "$file" \
 	  || func_fatal_help "\`$file' is not a valid libtool archive"
@@ -1994,23 +2939,23 @@ func_mode_install ()
 	if test "X$destdir" = "X$libdir"; then
 	  case "$current_libdirs " in
 	  *" $libdir "*) ;;
-	  *) current_libdirs="$current_libdirs $libdir" ;;
+	  *) func_append current_libdirs " $libdir" ;;
 	  esac
 	else
 	  # Note the libdir as a future libdir.
 	  case "$future_libdirs " in
 	  *" $libdir "*) ;;
-	  *) future_libdirs="$future_libdirs $libdir" ;;
+	  *) func_append future_libdirs " $libdir" ;;
 	  esac
 	fi
 
 	func_dirname "$file" "/" ""
 	dir="$func_dirname_result"
-	dir="$dir$objdir"
+	func_append dir "$objdir"
 
 	if test -n "$relink_command"; then
 	  # Determine the prefix the user has applied to our future dir.
-	  inst_prefix_dir=`$ECHO "X$destdir" | $Xsed -e "s%$libdir\$%%"`
+	  inst_prefix_dir=`$ECHO "$destdir" | $SED -e "s%$libdir\$%%"`
 
 	  # Don't allow the user to place us outside of our expected
 	  # location b/c this prevents finding dependent libraries that
@@ -2023,9 +2968,9 @@ func_mode_install ()
 
 	  if test -n "$inst_prefix_dir"; then
 	    # Stick the inst_prefix_dir data into the link command.
-	    relink_command=`$ECHO "X$relink_command" | $Xsed -e "s%@inst_prefix_dir@%-inst-prefix-dir $inst_prefix_dir%"`
+	    relink_command=`$ECHO "$relink_command" | $SED "s%@inst_prefix_dir@%-inst-prefix-dir $inst_prefix_dir%"`
 	  else
-	    relink_command=`$ECHO "X$relink_command" | $Xsed -e "s%@inst_prefix_dir@%%"`
+	    relink_command=`$ECHO "$relink_command" | $SED "s%@inst_prefix_dir@%%"`
 	  fi
 
 	  func_warning "relinking \`$file'"
@@ -2043,7 +2988,7 @@ func_mode_install ()
 	  test -n "$relink_command" && srcname="$realname"T
 
 	  # Install the shared library and build the symlinks.
-	  func_show_eval "$install_prog $dir/$srcname $destdir/$realname" \
+	  func_show_eval "$install_shared_prog $dir/$srcname $destdir/$realname" \
 	      'exit $?'
 	  tstripme="$stripme"
 	  case $host_os in
@@ -2083,7 +3028,7 @@ func_mode_install ()
 	func_show_eval "$install_prog $instname $destdir/$name" 'exit $?'
 
 	# Maybe install the static library, too.
-	test -n "$old_library" && staticlibs="$staticlibs $dir/$old_library"
+	test -n "$old_library" && func_append staticlibs " $dir/$old_library"
 	;;
 
       *.lo)
@@ -2183,7 +3128,7 @@ func_mode_install ()
 	    if test -f "$lib"; then
 	      func_source "$lib"
 	    fi
-	    libfile="$libdir/"`$ECHO "X$lib" | $Xsed -e 's%^.*/%%g'` ### testsuite: skip nested quoting test
+	    libfile="$libdir/"`$ECHO "$lib" | $SED 's%^.*/%%g'` ### testsuite: skip nested quoting test
 	    if test -n "$libdir" && test ! -f "$libfile"; then
 	      func_warning "\`$lib' has not been installed in \`$libdir'"
 	      finalize=no
@@ -2202,7 +3147,7 @@ func_mode_install ()
 		file="$func_basename_result"
 	        outputname="$tmpdir/$file"
 	        # Replace the output file specification.
-	        relink_command=`$ECHO "X$relink_command" | $Xsed -e 's%@OUTPUT@%'"$outputname"'%g'`
+	        relink_command=`$ECHO "$relink_command" | $SED 's%@OUTPUT@%'"$outputname"'%g'`
 
 	        $opt_silent || {
 	          func_quote_for_expand "$relink_command"
@@ -2221,7 +3166,7 @@ func_mode_install ()
 	    }
 	  else
 	    # Install the binary that we compiled earlier.
-	    file=`$ECHO "X$file$stripped_ext" | $Xsed -e "s%\([^/]*\)$%$objdir/\1%"`
+	    file=`$ECHO "$file$stripped_ext" | $SED "s%\([^/]*\)$%$objdir/\1%"`
 	  fi
 	fi
 
@@ -2257,11 +3202,13 @@ func_mode_install ()
 
       # Set up the ranlib parameters.
       oldlib="$destdir/$name"
+      func_to_tool_file "$oldlib" func_convert_file_msys_to_w32
+      tool_oldlib=$func_to_tool_file_result
 
       func_show_eval "$install_prog \$file \$oldlib" 'exit $?'
 
       if test -n "$stripme" && test -n "$old_striplib"; then
-	func_show_eval "$old_striplib $oldlib" 'exit $?'
+	func_show_eval "$old_striplib $tool_oldlib" 'exit $?'
       fi
 
       # Do each command in the postinstall commands.
@@ -2280,7 +3227,7 @@ func_mode_install ()
     fi
 }
 
-test "$mode" = install && func_mode_install ${1+"$@"}
+test "$opt_mode" = install && func_mode_install ${1+"$@"}
 
 
 # func_generate_dlsyms outputname originator pic_p
@@ -2323,6 +3270,22 @@ func_generate_dlsyms ()
 extern \"C\" {
 #endif
 
+#if defined(__GNUC__) && (((__GNUC__ == 4) && (__GNUC_MINOR__ >= 4)) || (__GNUC__ > 4))
+#pragma GCC diagnostic ignored \"-Wstrict-prototypes\"
+#endif
+
+/* Keep this code in sync between libtool.m4, ltmain, lt_system.h, and tests.  */
+#if defined(_WIN32) || defined(__CYGWIN__) || defined(_WIN32_WCE)
+/* DATA imports from DLLs on WIN32 con't be const, because runtime
+   relocations are performed -- see ld's documentation on pseudo-relocs.  */
+# define LT_DLSYM_CONST
+#elif defined(__osf__)
+/* This system does not cope well with relocations in const data.  */
+# define LT_DLSYM_CONST
+#else
+# define LT_DLSYM_CONST const
+#endif
+
 /* External symbol declarations for the compiler. */\
 "
 
@@ -2332,10 +3295,11 @@ extern \"C\" {
 	  $opt_dry_run || echo ': @PROGRAM@ ' > "$nlist"
 
 	  # Add our own program objects to the symbol list.
-	  progfiles=`$ECHO "X$objs$old_deplibs" | $SP2NL | $Xsed -e "$lo2o" | $NL2SP`
+	  progfiles=`$ECHO "$objs$old_deplibs" | $SP2NL | $SED "$lo2o" | $NL2SP`
 	  for progfile in $progfiles; do
-	    func_verbose "extracting global C symbols from \`$progfile'"
-	    $opt_dry_run || eval "$NM $progfile | $global_symbol_pipe >> '$nlist'"
+	    func_to_tool_file "$progfile" func_convert_file_msys_to_w32
+	    func_verbose "extracting global C symbols from \`$func_to_tool_file_result'"
+	    $opt_dry_run || eval "$NM $func_to_tool_file_result | $global_symbol_pipe >> '$nlist'"
 	  done
 
 	  if test -n "$exclude_expsyms"; then
@@ -2371,7 +3335,7 @@ extern \"C\" {
 	      eval '$GREP -f "$output_objdir/$outputname.exp" < "$nlist" > "$nlist"T'
 	      eval '$MV "$nlist"T "$nlist"'
 	      case $host in
-	        *cygwin | *mingw* | *cegcc* )
+	        *cygwin* | *mingw* | *cegcc* )
 	          eval "echo EXPORTS "'> "$output_objdir/$outputname.def"'
 	          eval 'cat "$nlist" >> "$output_objdir/$outputname.def"'
 	          ;;
@@ -2384,10 +3348,52 @@ extern \"C\" {
 	  func_verbose "extracting global C symbols from \`$dlprefile'"
 	  func_basename "$dlprefile"
 	  name="$func_basename_result"
-	  $opt_dry_run || {
-	    eval '$ECHO ": $name " >> "$nlist"'
-	    eval "$NM $dlprefile 2>/dev/null | $global_symbol_pipe >> '$nlist'"
-	  }
+          case $host in
+	    *cygwin* | *mingw* | *cegcc* )
+	      # if an import library, we need to obtain dlname
+	      if func_win32_import_lib_p "$dlprefile"; then
+	        func_tr_sh "$dlprefile"
+	        eval "curr_lafile=\$libfile_$func_tr_sh_result"
+	        dlprefile_dlbasename=""
+	        if test -n "$curr_lafile" && func_lalib_p "$curr_lafile"; then
+	          # Use subshell, to avoid clobbering current variable values
+	          dlprefile_dlname=`source "$curr_lafile" && echo "$dlname"`
+	          if test -n "$dlprefile_dlname" ; then
+	            func_basename "$dlprefile_dlname"
+	            dlprefile_dlbasename="$func_basename_result"
+	          else
+	            # no lafile. user explicitly requested -dlpreopen <import library>.
+	            $sharedlib_from_linklib_cmd "$dlprefile"
+	            dlprefile_dlbasename=$sharedlib_from_linklib_result
+	          fi
+	        fi
+	        $opt_dry_run || {
+	          if test -n "$dlprefile_dlbasename" ; then
+	            eval '$ECHO ": $dlprefile_dlbasename" >> "$nlist"'
+	          else
+	            func_warning "Could not compute DLL name from $name"
+	            eval '$ECHO ": $name " >> "$nlist"'
+	          fi
+	          func_to_tool_file "$dlprefile" func_convert_file_msys_to_w32
+	          eval "$NM \"$func_to_tool_file_result\" 2>/dev/null | $global_symbol_pipe |
+	            $SED -e '/I __imp/d' -e 's/I __nm_/D /;s/_nm__//' >> '$nlist'"
+	        }
+	      else # not an import lib
+	        $opt_dry_run || {
+	          eval '$ECHO ": $name " >> "$nlist"'
+	          func_to_tool_file "$dlprefile" func_convert_file_msys_to_w32
+	          eval "$NM \"$func_to_tool_file_result\" 2>/dev/null | $global_symbol_pipe >> '$nlist'"
+	        }
+	      fi
+	    ;;
+	    *)
+	      $opt_dry_run || {
+	        eval '$ECHO ": $name " >> "$nlist"'
+	        func_to_tool_file "$dlprefile" func_convert_file_msys_to_w32
+	        eval "$NM \"$func_to_tool_file_result\" 2>/dev/null | $global_symbol_pipe >> '$nlist'"
+	      }
+	    ;;
+          esac
 	done
 
 	$opt_dry_run || {
@@ -2415,36 +3421,19 @@ extern \"C\" {
 	  if test -f "$nlist"S; then
 	    eval "$global_symbol_to_cdecl"' < "$nlist"S >> "$output_objdir/$my_dlsyms"'
 	  else
-	    $ECHO '/* NONE */' >> "$output_objdir/$my_dlsyms"
+	    echo '/* NONE */' >> "$output_objdir/$my_dlsyms"
 	  fi
 
-	  $ECHO >> "$output_objdir/$my_dlsyms" "\
+	  echo >> "$output_objdir/$my_dlsyms" "\
 
 /* The mapping between symbol names and symbols.  */
 typedef struct {
   const char *name;
   void *address;
 } lt_dlsymlist;
-"
-	  case $host in
-	  *cygwin* | *mingw* | *cegcc* )
-	    $ECHO >> "$output_objdir/$my_dlsyms" "\
-/* DATA imports from DLLs on WIN32 con't be const, because
-   runtime relocations are performed -- see ld's documentation
-   on pseudo-relocs.  */"
-	    lt_dlsym_const= ;;
-	  *osf5*)
-	    echo >> "$output_objdir/$my_dlsyms" "\
-/* This system does not cope well with relocations in const data */"
-	    lt_dlsym_const= ;;
-	  *)
-	    lt_dlsym_const=const ;;
-	  esac
-
-	  $ECHO >> "$output_objdir/$my_dlsyms" "\
-extern $lt_dlsym_const lt_dlsymlist
+extern LT_DLSYM_CONST lt_dlsymlist
 lt_${my_prefix}_LTX_preloaded_symbols[];
-$lt_dlsym_const lt_dlsymlist
+LT_DLSYM_CONST lt_dlsymlist
 lt_${my_prefix}_LTX_preloaded_symbols[] =
 {\
   { \"$my_originator\", (void *) 0 },"
@@ -2457,7 +3446,7 @@ lt_${my_prefix}_LTX_preloaded_symbols[] =
 	    eval "$global_symbol_to_c_name_address_lib_prefix" < "$nlist" >> "$output_objdir/$my_dlsyms"
 	    ;;
 	  esac
-	  $ECHO >> "$output_objdir/$my_dlsyms" "\
+	  echo >> "$output_objdir/$my_dlsyms" "\
   {0, (void *) 0}
 };
 
@@ -2484,7 +3473,7 @@ static const void *lt_preloaded_setup() {
 	  # linked before any other PIC object.  But we must not use
 	  # pic_flag when linking with -static.  The problem exists in
 	  # FreeBSD 2.2.6 and is fixed in FreeBSD 3.1.
-	  *-*-freebsd2*|*-*-freebsd3.0*|*-*-freebsdelf3.0*)
+	  *-*-freebsd2.*|*-*-freebsd3.0*|*-*-freebsdelf3.0*)
 	    pic_flag_for_symtable=" $pic_flag -DFREEBSD_WORKAROUND" ;;
 	  *-*-hpux*)
 	    pic_flag_for_symtable=" $pic_flag"  ;;
@@ -2500,7 +3489,7 @@ static const void *lt_preloaded_setup() {
 	for arg in $LTCFLAGS; do
 	  case $arg in
 	  -pie | -fpie | -fPIE) ;;
-	  *) symtab_cflags="$symtab_cflags $arg" ;;
+	  *) func_append symtab_cflags " $arg" ;;
 	  esac
 	done
 
@@ -2515,16 +3504,16 @@ static const void *lt_preloaded_setup() {
 	case $host in
 	*cygwin* | *mingw* | *cegcc* )
 	  if test -f "$output_objdir/$my_outputname.def"; then
-	    compile_command=`$ECHO "X$compile_command" | $Xsed -e "s%@SYMFILE@%$output_objdir/$my_outputname.def $symfileobj%"`
-	    finalize_command=`$ECHO "X$finalize_command" | $Xsed -e "s%@SYMFILE@%$output_objdir/$my_outputname.def $symfileobj%"`
+	    compile_command=`$ECHO "$compile_command" | $SED "s%@SYMFILE@%$output_objdir/$my_outputname.def $symfileobj%"`
+	    finalize_command=`$ECHO "$finalize_command" | $SED "s%@SYMFILE@%$output_objdir/$my_outputname.def $symfileobj%"`
 	  else
-	    compile_command=`$ECHO "X$compile_command" | $Xsed -e "s%@SYMFILE@%$symfileobj%"`
-	    finalize_command=`$ECHO "X$finalize_command" | $Xsed -e "s%@SYMFILE@%$symfileobj%"`
+	    compile_command=`$ECHO "$compile_command" | $SED "s%@SYMFILE@%$symfileobj%"`
+	    finalize_command=`$ECHO "$finalize_command" | $SED "s%@SYMFILE@%$symfileobj%"`
 	  fi
 	  ;;
 	*)
-	  compile_command=`$ECHO "X$compile_command" | $Xsed -e "s%@SYMFILE@%$symfileobj%"`
-	  finalize_command=`$ECHO "X$finalize_command" | $Xsed -e "s%@SYMFILE@%$symfileobj%"`
+	  compile_command=`$ECHO "$compile_command" | $SED "s%@SYMFILE@%$symfileobj%"`
+	  finalize_command=`$ECHO "$finalize_command" | $SED "s%@SYMFILE@%$symfileobj%"`
 	  ;;
 	esac
 	;;
@@ -2538,8 +3527,8 @@ static const void *lt_preloaded_setup() {
       # really was required.
 
       # Nullify the symbol file.
-      compile_command=`$ECHO "X$compile_command" | $Xsed -e "s% @SYMFILE@%%"`
-      finalize_command=`$ECHO "X$finalize_command" | $Xsed -e "s% @SYMFILE@%%"`
+      compile_command=`$ECHO "$compile_command" | $SED "s% @SYMFILE@%%"`
+      finalize_command=`$ECHO "$finalize_command" | $SED "s% @SYMFILE@%%"`
     fi
 }
 
@@ -2549,6 +3538,7 @@ static const void *lt_preloaded_setup() {
 # Need a lot of goo to handle *both* DLLs and import libs
 # Has to be a shell function in order to 'eat' the argument
 # that is supplied when $file_magic_command is called.
+# Despite the name, also deal with 64 bit binaries.
 func_win32_libid ()
 {
   $opt_debug
@@ -2559,9 +3549,11 @@ func_win32_libid ()
     win32_libid_type="x86 archive import"
     ;;
   *ar\ archive*) # could be an import, or static
+    # Keep the egrep pattern in sync with the one in _LT_CHECK_MAGIC_METHOD.
     if eval $OBJDUMP -f $1 | $SED -e '10q' 2>/dev/null |
-       $EGREP 'file format pe-i386(.*architecture: i386)?' >/dev/null ; then
-      win32_nmres=`eval $NM -f posix -A $1 |
+       $EGREP 'file format (pei*-i386(.*architecture: i386)?|pe-arm-wince|pe-x86-64)' >/dev/null; then
+      func_to_tool_file "$1" func_convert_file_msys_to_w32
+      win32_nmres=`eval $NM -f posix -A \"$func_to_tool_file_result\" |
 	$SED -n -e '
 	    1,100{
 		/ I /{
@@ -2590,6 +3582,131 @@ func_win32_libid ()
   $ECHO "$win32_libid_type"
 }
 
+# func_cygming_dll_for_implib ARG
+#
+# Platform-specific function to extract the
+# name of the DLL associated with the specified
+# import library ARG.
+# Invoked by eval'ing the libtool variable
+#    $sharedlib_from_linklib_cmd
+# Result is available in the variable
+#    $sharedlib_from_linklib_result
+func_cygming_dll_for_implib ()
+{
+  $opt_debug
+  sharedlib_from_linklib_result=`$DLLTOOL --identify-strict --identify "$1"`
+}
+
+# func_cygming_dll_for_implib_fallback_core SECTION_NAME LIBNAMEs
+#
+# The is the core of a fallback implementation of a
+# platform-specific function to extract the name of the
+# DLL associated with the specified import library LIBNAME.
+#
+# SECTION_NAME is either .idata$6 or .idata$7, depending
+# on the platform and compiler that created the implib.
+#
+# Echos the name of the DLL associated with the
+# specified import library.
+func_cygming_dll_for_implib_fallback_core ()
+{
+  $opt_debug
+  match_literal=`$ECHO "$1" | $SED "$sed_make_literal_regex"`
+  $OBJDUMP -s --section "$1" "$2" 2>/dev/null |
+    $SED '/^Contents of section '"$match_literal"':/{
+      # Place marker at beginning of archive member dllname section
+      s/.*/====MARK====/
+      p
+      d
+    }
+    # These lines can sometimes be longer than 43 characters, but
+    # are always uninteresting
+    /:[	 ]*file format pe[i]\{,1\}-/d
+    /^In archive [^:]*:/d
+    # Ensure marker is printed
+    /^====MARK====/p
+    # Remove all lines with less than 43 characters
+    /^.\{43\}/!d
+    # From remaining lines, remove first 43 characters
+    s/^.\{43\}//' |
+    $SED -n '
+      # Join marker and all lines until next marker into a single line
+      /^====MARK====/ b para
+      H
+      $ b para
+      b
+      :para
+      x
+      s/\n//g
+      # Remove the marker
+      s/^====MARK====//
+      # Remove trailing dots and whitespace
+      s/[\. \t]*$//
+      # Print
+      /./p' |
+    # we now have a list, one entry per line, of the stringified
+    # contents of the appropriate section of all members of the
+    # archive which possess that section. Heuristic: eliminate
+    # all those which have a first or second character that is
+    # a '.' (that is, objdump's representation of an unprintable
+    # character.) This should work for all archives with less than
+    # 0x302f exports -- but will fail for DLLs whose name actually
+    # begins with a literal '.' or a single character followed by
+    # a '.'.
+    #
+    # Of those that remain, print the first one.
+    $SED -e '/^\./d;/^.\./d;q'
+}
+
+# func_cygming_gnu_implib_p ARG
+# This predicate returns with zero status (TRUE) if
+# ARG is a GNU/binutils-style import library. Returns
+# with nonzero status (FALSE) otherwise.
+func_cygming_gnu_implib_p ()
+{
+  $opt_debug
+  func_to_tool_file "$1" func_convert_file_msys_to_w32
+  func_cygming_gnu_implib_tmp=`$NM "$func_to_tool_file_result" | eval "$global_symbol_pipe" | $EGREP ' (_head_[A-Za-z0-9_]+_[ad]l*|[A-Za-z0-9_]+_[ad]l*_iname)$'`
+  test -n "$func_cygming_gnu_implib_tmp"
+}
+
+# func_cygming_ms_implib_p ARG
+# This predicate returns with zero status (TRUE) if
+# ARG is an MS-style import library. Returns
+# with nonzero status (FALSE) otherwise.
+func_cygming_ms_implib_p ()
+{
+  $opt_debug
+  func_to_tool_file "$1" func_convert_file_msys_to_w32
+  func_cygming_ms_implib_tmp=`$NM "$func_to_tool_file_result" | eval "$global_symbol_pipe" | $GREP '_NULL_IMPORT_DESCRIPTOR'`
+  test -n "$func_cygming_ms_implib_tmp"
+}
+
+# func_cygming_dll_for_implib_fallback ARG
+# Platform-specific function to extract the
+# name of the DLL associated with the specified
+# import library ARG.
+#
+# This fallback implementation is for use when $DLLTOOL
+# does not support the --identify-strict option.
+# Invoked by eval'ing the libtool variable
+#    $sharedlib_from_linklib_cmd
+# Result is available in the variable
+#    $sharedlib_from_linklib_result
+func_cygming_dll_for_implib_fallback ()
+{
+  $opt_debug
+  if func_cygming_gnu_implib_p "$1" ; then
+    # binutils import library
+    sharedlib_from_linklib_result=`func_cygming_dll_for_implib_fallback_core '.idata$7' "$1"`
+  elif func_cygming_ms_implib_p "$1" ; then
+    # ms-generated import library
+    sharedlib_from_linklib_result=`func_cygming_dll_for_implib_fallback_core '.idata$6' "$1"`
+  else
+    # unknown
+    sharedlib_from_linklib_result=""
+  fi
+}
 
 
 # func_extract_an_archive dir oldlib
@@ -2598,7 +3715,18 @@ func_extract_an_archive ()
     $opt_debug
     f_ex_an_ar_dir="$1"; shift
     f_ex_an_ar_oldlib="$1"
-    func_show_eval "(cd \$f_ex_an_ar_dir && $AR x \"\$f_ex_an_ar_oldlib\")" 'exit $?'
+    if test "$lock_old_archive_extraction" = yes; then
+      lockfile=$f_ex_an_ar_oldlib.lock
+      until $opt_dry_run || ln "$progpath" "$lockfile" 2>/dev/null; do
+	func_echo "Waiting for $lockfile to be removed"
+	sleep 2
+      done
+    fi
+    func_show_eval "(cd \$f_ex_an_ar_dir && $AR x \"\$f_ex_an_ar_oldlib\")" \
+		   'stat=$?; rm -f "$lockfile"; exit $stat'
+    if test "$lock_old_archive_extraction" = yes; then
+      $opt_dry_run || rm -f "$lockfile"
+    fi
     if ($AR t "$f_ex_an_ar_oldlib" | sort | sort -uc >/dev/null 2>&1); then
      :
     else
@@ -2669,7 +3797,7 @@ func_extract_archives ()
 	    darwin_file=
 	    darwin_files=
 	    for darwin_file in $darwin_filelist; do
-	      darwin_files=`find unfat-$$ -name $darwin_file -print | $NL2SP`
+	      darwin_files=`find unfat-$$ -name $darwin_file -print | sort | $NL2SP`
 	      $LIPO -create -output "$darwin_file" $darwin_files
 	    done # $darwin_filelist
 	    $RM -rf unfat-$$
@@ -2684,25 +3812,30 @@ func_extract_archives ()
         func_extract_an_archive "$my_xdir" "$my_xabs"
 	;;
       esac
-      my_oldobjs="$my_oldobjs "`find $my_xdir -name \*.$objext -print -o -name \*.lo -print | $NL2SP`
+      my_oldobjs="$my_oldobjs "`find $my_xdir -name \*.$objext -print -o -name \*.lo -print | sort | $NL2SP`
     done
 
     func_extract_archives_result="$my_oldobjs"
 }
 
 
-
-# func_emit_wrapper_part1 [arg=no]
+# func_emit_wrapper [arg=no]
+#
+# Emit a libtool wrapper script on stdout.
+# Don't directly open a file because we may want to
+# incorporate the script contents within a cygwin/mingw
+# wrapper executable.  Must ONLY be called from within
+# func_mode_link because it depends on a number of variables
+# set therein.
 #
-# Emit the first part of a libtool wrapper script on stdout.
-# For more information, see the description associated with
-# func_emit_wrapper(), below.
-func_emit_wrapper_part1 ()
+# ARG is the value that the WRAPPER_SCRIPT_BELONGS_IN_OBJDIR
+# variable will take.  If 'yes', then the emitted script
+# will assume that the directory in which it is stored is
+# the $objdir directory.  This is a cygwin/mingw-specific
+# behavior.
+func_emit_wrapper ()
 {
-	func_emit_wrapper_part1_arg1=no
-	if test -n "$1" ; then
-	  func_emit_wrapper_part1_arg1=$1
-	fi
+	func_emit_wrapper_arg1=${1-no}
 
 	$ECHO "\
 #! $SHELL
@@ -2718,7 +3851,6 @@ func_emit_wrapper_part1 ()
 
 # Sed substitution that helps us do robust quoting.  It backslashifies
 # metacharacters that are still active within double-quoted strings.
-Xsed='${SED} -e 1s/^X//'
 sed_quote_subst='$sed_quote_subst'
 
 # Be Bourne compatible
@@ -2749,31 +3881,135 @@ if test \"\$libtool_install_magic\" = \"$magic\"; then
 else
   # When we are sourced in execute mode, \$file and \$ECHO are already set.
   if test \"\$libtool_execute_magic\" != \"$magic\"; then
-    ECHO=\"$qecho\"
-    file=\"\$0\"
-    # Make sure echo works.
-    if test \"X\$1\" = X--no-reexec; then
-      # Discard the --no-reexec flag, and continue.
-      shift
-    elif test \"X\`{ \$ECHO '\t'; } 2>/dev/null\`\" = 'X\t'; then
-      # Yippee, \$ECHO works!
-      :
-    else
-      # Restart under the correct shell, and then maybe \$ECHO will work.
-      exec $SHELL \"\$0\" --no-reexec \${1+\"\$@\"}
-    fi
-  fi\
+    file=\"\$0\""
+
+    qECHO=`$ECHO "$ECHO" | $SED "$sed_quote_subst"`
+    $ECHO "\
+
+# A function that is used when there is no print builtin or printf.
+func_fallback_echo ()
+{
+  eval 'cat <<_LTECHO_EOF
+\$1
+_LTECHO_EOF'
+}
+    ECHO=\"$qECHO\"
+  fi
+
+# Very basic option parsing. These options are (a) specific to
+# the libtool wrapper, (b) are identical between the wrapper
+# /script/ and the wrapper /executable/ which is used only on
+# windows platforms, and (c) all begin with the string "--lt-"
+# (application programs are unlikely to have options which match
+# this pattern).
+#
+# There are only two supported options: --lt-debug and
+# --lt-dump-script. There is, deliberately, no --lt-help.
+#
+# The first argument to this parsing function should be the
+# script's $0 value, followed by "$@".
+lt_option_debug=
+func_parse_lt_options ()
+{
+  lt_script_arg0=\$0
+  shift
+  for lt_opt
+  do
+    case \"\$lt_opt\" in
+    --lt-debug) lt_option_debug=1 ;;
+    --lt-dump-script)
+        lt_dump_D=\`\$ECHO \"X\$lt_script_arg0\" | $SED -e 's/^X//' -e 's%/[^/]*$%%'\`
+        test \"X\$lt_dump_D\" = \"X\$lt_script_arg0\" && lt_dump_D=.
+        lt_dump_F=\`\$ECHO \"X\$lt_script_arg0\" | $SED -e 's/^X//' -e 's%^.*/%%'\`
+        cat \"\$lt_dump_D/\$lt_dump_F\"
+        exit 0
+      ;;
+    --lt-*)
+        \$ECHO \"Unrecognized --lt- option: '\$lt_opt'\" 1>&2
+        exit 1
+      ;;
+    esac
+  done
+
+  # Print the debug banner immediately:
+  if test -n \"\$lt_option_debug\"; then
+    echo \"${outputname}:${output}:\${LINENO}: libtool wrapper (GNU $PACKAGE$TIMESTAMP) $VERSION\" 1>&2
+  fi
+}
+
+# Used when --lt-debug. Prints its arguments to stdout
+# (redirection is the responsibility of the caller)
+func_lt_dump_args ()
+{
+  lt_dump_args_N=1;
+  for lt_arg
+  do
+    \$ECHO \"${outputname}:${output}:\${LINENO}: newargv[\$lt_dump_args_N]: \$lt_arg\"
+    lt_dump_args_N=\`expr \$lt_dump_args_N + 1\`
+  done
+}
+
+# Core function for launching the target application
+func_exec_program_core ()
+{
 "
-	$ECHO "\
+  case $host in
+  # Backslashes separate directories on plain windows
+  *-*-mingw | *-*-os2* | *-cegcc*)
+    $ECHO "\
+      if test -n \"\$lt_option_debug\"; then
+        \$ECHO \"${outputname}:${output}:\${LINENO}: newargv[0]: \$progdir\\\\\$program\" 1>&2
+        func_lt_dump_args \${1+\"\$@\"} 1>&2
+      fi
+      exec \"\$progdir\\\\\$program\" \${1+\"\$@\"}
+"
+    ;;
+
+  *)
+    $ECHO "\
+      if test -n \"\$lt_option_debug\"; then
+        \$ECHO \"${outputname}:${output}:\${LINENO}: newargv[0]: \$progdir/\$program\" 1>&2
+        func_lt_dump_args \${1+\"\$@\"} 1>&2
+      fi
+      exec \"\$progdir/\$program\" \${1+\"\$@\"}
+"
+    ;;
+  esac
+  $ECHO "\
+      \$ECHO \"\$0: cannot exec \$program \$*\" 1>&2
+      exit 1
+}
+
+# A function to encapsulate launching the target application
+# Strips options in the --lt-* namespace from \$@ and
+# launches target application with the remaining arguments.
+func_exec_program ()
+{
+  case \" \$* \" in
+  *\\ --lt-*)
+    for lt_wr_arg
+    do
+      case \$lt_wr_arg in
+      --lt-*) ;;
+      *) set x \"\$@\" \"\$lt_wr_arg\"; shift;;
+      esac
+      shift
+    done ;;
+  esac
+  func_exec_program_core \${1+\"\$@\"}
+}
+
+  # Parse options
+  func_parse_lt_options \"\$0\" \${1+\"\$@\"}
 
   # Find the directory that this script lives in.
-  thisdir=\`\$ECHO \"X\$file\" | \$Xsed -e 's%/[^/]*$%%'\`
+  thisdir=\`\$ECHO \"\$file\" | $SED 's%/[^/]*$%%'\`
   test \"x\$thisdir\" = \"x\$file\" && thisdir=.
 
   # Follow symbolic links until we get to the real thisdir.
-  file=\`ls -ld \"\$file\" | ${SED} -n 's/.*-> //p'\`
+  file=\`ls -ld \"\$file\" | $SED -n 's/.*-> //p'\`
   while test -n \"\$file\"; do
-    destdir=\`\$ECHO \"X\$file\" | \$Xsed -e 's%/[^/]*\$%%'\`
+    destdir=\`\$ECHO \"\$file\" | $SED 's%/[^/]*\$%%'\`
 
     # If there was a directory component, then change thisdir.
     if test \"x\$destdir\" != \"x\$file\"; then
@@ -2783,30 +4019,13 @@ else
       esac
     fi
 
-    file=\`\$ECHO \"X\$file\" | \$Xsed -e 's%^.*/%%'\`
-    file=\`ls -ld \"\$thisdir/\$file\" | ${SED} -n 's/.*-> //p'\`
+    file=\`\$ECHO \"\$file\" | $SED 's%^.*/%%'\`
+    file=\`ls -ld \"\$thisdir/\$file\" | $SED -n 's/.*-> //p'\`
   done
-"
-}
-# end: func_emit_wrapper_part1
-
-# func_emit_wrapper_part2 [arg=no]
-#
-# Emit the second part of a libtool wrapper script on stdout.
-# For more information, see the description associated with
-# func_emit_wrapper(), below.
-func_emit_wrapper_part2 ()
-{
-	func_emit_wrapper_part2_arg1=no
-	if test -n "$1" ; then
-	  func_emit_wrapper_part2_arg1=$1
-	fi
-
-	$ECHO "\
 
   # Usually 'no', except on cygwin/mingw when embedded into
   # the cwrapper.
-  WRAPPER_SCRIPT_BELONGS_IN_OBJDIR=$func_emit_wrapper_part2_arg1
+  WRAPPER_SCRIPT_BELONGS_IN_OBJDIR=$func_emit_wrapper_arg1
   if test \"\$WRAPPER_SCRIPT_BELONGS_IN_OBJDIR\" = \"yes\"; then
     # special case for '.'
     if test \"\$thisdir\" = \".\"; then
@@ -2814,7 +4033,7 @@ func_emit_wrapper_part2 ()
     fi
     # remove .libs from thisdir
     case \"\$thisdir\" in
-    *[\\\\/]$objdir ) thisdir=\`\$ECHO \"X\$thisdir\" | \$Xsed -e 's%[\\\\/][^\\\\/]*$%%'\` ;;
+    *[\\\\/]$objdir ) thisdir=\`\$ECHO \"\$thisdir\" | $SED 's%[\\\\/][^\\\\/]*$%%'\` ;;
     $objdir )   thisdir=. ;;
     esac
   fi
@@ -2869,6 +4088,18 @@ func_emit_wrapper_part2 ()
 
   if test -f \"\$progdir/\$program\"; then"
 
+	# fixup the dll searchpath if we need to.
+	#
+	# Fix the DLL searchpath if we need to.  Do this before prepending
+	# to shlibpath, because on Windows, both are PATH and uninstalled
+	# libraries must come first.
+	if test -n "$dllsearchpath"; then
+	  $ECHO "\
+    # Add the dll search path components to the executable PATH
+    PATH=$dllsearchpath:\$PATH
+"
+	fi
+
 	# Export our shlibpath_var if we have one.
 	if test "$shlibpath_overrides_runpath" = yes && test -n "$shlibpath_var" && test -n "$temp_rpath"; then
 	  $ECHO "\
@@ -2877,253 +4108,28 @@ func_emit_wrapper_part2 ()
 
     # Some systems cannot cope with colon-terminated $shlibpath_var
     # The second colon is a workaround for a bug in BeOS R4 sed
-    $shlibpath_var=\`\$ECHO \"X\$$shlibpath_var\" | \$Xsed -e 's/::*\$//'\`
+    $shlibpath_var=\`\$ECHO \"\$$shlibpath_var\" | $SED 's/::*\$//'\`
 
     export $shlibpath_var
 "
 	fi
 
-	# fixup the dll searchpath if we need to.
-	if test -n "$dllsearchpath"; then
-	  $ECHO "\
-    # Add the dll search path components to the executable PATH
-    PATH=$dllsearchpath:\$PATH
-"
-	fi
-
 	$ECHO "\
     if test \"\$libtool_execute_magic\" != \"$magic\"; then
       # Run the actual program with our arguments.
-"
-	case $host in
-	# Backslashes separate directories on plain windows
-	*-*-mingw | *-*-os2* | *-cegcc*)
-	  $ECHO "\
-      exec \"\$progdir\\\\\$program\" \${1+\"\$@\"}
-"
-	  ;;
-
-	*)
-	  $ECHO "\
-      exec \"\$progdir/\$program\" \${1+\"\$@\"}
-"
-	  ;;
-	esac
-	$ECHO "\
-      \$ECHO \"\$0: cannot exec \$program \$*\" 1>&2
-      exit 1
+      func_exec_program \${1+\"\$@\"}
     fi
   else
     # The program doesn't exist.
     \$ECHO \"\$0: error: \\\`\$progdir/\$program' does not exist\" 1>&2
     \$ECHO \"This script is just a wrapper for \$program.\" 1>&2
-    $ECHO \"See the $PACKAGE documentation for more information.\" 1>&2
+    \$ECHO \"See the $PACKAGE documentation for more information.\" 1>&2
     exit 1
   fi
 fi\
 "
 }
-# end: func_emit_wrapper_part2
-
-
-# func_emit_wrapper [arg=no]
-#
-# Emit a libtool wrapper script on stdout.
-# Don't directly open a file because we may want to
-# incorporate the script contents within a cygwin/mingw
-# wrapper executable.  Must ONLY be called from within
-# func_mode_link because it depends on a number of variables
-# set therein.
-#
-# ARG is the value that the WRAPPER_SCRIPT_BELONGS_IN_OBJDIR
-# variable will take.  If 'yes', then the emitted script
-# will assume that the directory in which it is stored is
-# the $objdir directory.  This is a cygwin/mingw-specific
-# behavior.
-func_emit_wrapper ()
-{
-	func_emit_wrapper_arg1=no
-	if test -n "$1" ; then
-	  func_emit_wrapper_arg1=$1
-	fi
-
-	# split this up so that func_emit_cwrapperexe_src
-	# can call each part independently.
-	func_emit_wrapper_part1 "${func_emit_wrapper_arg1}"
-	func_emit_wrapper_part2 "${func_emit_wrapper_arg1}"
-}
-
-
-# func_to_host_path arg
-#
-# Convert paths to host format when used with build tools.
-# Intended for use with "native" mingw (where libtool itself
-# is running under the msys shell), or in the following cross-
-# build environments:
-#    $build          $host
-#    mingw (msys)    mingw  [e.g. native]
-#    cygwin          mingw
-#    *nix + wine     mingw
-# where wine is equipped with the `winepath' executable.
-# In the native mingw case, the (msys) shell automatically
-# converts paths for any non-msys applications it launches,
-# but that facility isn't available from inside the cwrapper.
-# Similar accommodations are necessary for $host mingw and
-# $build cygwin.  Calling this function does no harm for other
-# $host/$build combinations not listed above.
-#
-# ARG is the path (on $build) that should be converted to
-# the proper representation for $host. The result is stored
-# in $func_to_host_path_result.
-func_to_host_path ()
-{
-  func_to_host_path_result="$1"
-  if test -n "$1" ; then
-    case $host in
-      *mingw* )
-        lt_sed_naive_backslashify='s|\\\\*|\\|g;s|/|\\|g;s|\\|\\\\|g'
-        case $build in
-          *mingw* ) # actually, msys
-            # awkward: cmd appends spaces to result
-            lt_sed_strip_trailing_spaces="s/[ ]*\$//"
-            func_to_host_path_tmp1=`( cmd //c echo "$1" |\
-              $SED -e "$lt_sed_strip_trailing_spaces" ) 2>/dev/null || echo ""`
-            func_to_host_path_result=`echo "$func_to_host_path_tmp1" |\
-              $SED -e "$lt_sed_naive_backslashify"`
-            ;;
-          *cygwin* )
-            func_to_host_path_tmp1=`cygpath -w "$1"`
-            func_to_host_path_result=`echo "$func_to_host_path_tmp1" |\
-              $SED -e "$lt_sed_naive_backslashify"`
-            ;;
-          * )
-            # Unfortunately, winepath does not exit with a non-zero
-            # error code, so we are forced to check the contents of
-            # stdout. On the other hand, if the command is not
-            # found, the shell will set an exit code of 127 and print
-            # *an error message* to stdout. So we must check for both
-            # error code of zero AND non-empty stdout, which explains
-            # the odd construction:
-            func_to_host_path_tmp1=`winepath -w "$1" 2>/dev/null`
-            if test "$?" -eq 0 && test -n "${func_to_host_path_tmp1}"; then
-              func_to_host_path_result=`echo "$func_to_host_path_tmp1" |\
-                $SED -e "$lt_sed_naive_backslashify"`
-            else
-              # Allow warning below.
-              func_to_host_path_result=""
-            fi
-            ;;
-        esac
-        if test -z "$func_to_host_path_result" ; then
-          func_error "Could not determine host path corresponding to"
-          func_error "  '$1'"
-          func_error "Continuing, but uninstalled executables may not work."
-          # Fallback:
-          func_to_host_path_result="$1"
-        fi
-        ;;
-    esac
-  fi
-}
-# end: func_to_host_path
 
-# func_to_host_pathlist arg
-#
-# Convert pathlists to host format when used with build tools.
-# See func_to_host_path(), above. This function supports the
-# following $build/$host combinations (but does no harm for
-# combinations not listed here):
-#    $build          $host
-#    mingw (msys)    mingw  [e.g. native]
-#    cygwin          mingw
-#    *nix + wine     mingw
-#
-# Path separators are also converted from $build format to
-# $host format. If ARG begins or ends with a path separator
-# character, it is preserved (but converted to $host format)
-# on output.
-#
-# ARG is a pathlist (on $build) that should be converted to
-# the proper representation on $host. The result is stored
-# in $func_to_host_pathlist_result.
-func_to_host_pathlist ()
-{
-  func_to_host_pathlist_result="$1"
-  if test -n "$1" ; then
-    case $host in
-      *mingw* )
-        lt_sed_naive_backslashify='s|\\\\*|\\|g;s|/|\\|g;s|\\|\\\\|g'
-        # Remove leading and trailing path separator characters from
-        # ARG. msys behavior is inconsistent here, cygpath turns them
-        # into '.;' and ';.', and winepath ignores them completely.
-        func_to_host_pathlist_tmp2="$1"
-        # Once set for this call, this variable should not be
-        # reassigned. It is used in tha fallback case.
-        func_to_host_pathlist_tmp1=`echo "$func_to_host_pathlist_tmp2" |\
-          $SED -e 's|^:*||' -e 's|:*$||'`
-        case $build in
-          *mingw* ) # Actually, msys.
-            # Awkward: cmd appends spaces to result.
-            lt_sed_strip_trailing_spaces="s/[ ]*\$//"
-            func_to_host_pathlist_tmp2=`( cmd //c echo "$func_to_host_pathlist_tmp1" |\
-              $SED -e "$lt_sed_strip_trailing_spaces" ) 2>/dev/null || echo ""`
-            func_to_host_pathlist_result=`echo "$func_to_host_pathlist_tmp2" |\
-              $SED -e "$lt_sed_naive_backslashify"`
-            ;;
-          *cygwin* )
-            func_to_host_pathlist_tmp2=`cygpath -w -p "$func_to_host_pathlist_tmp1"`
-            func_to_host_pathlist_result=`echo "$func_to_host_pathlist_tmp2" |\
-              $SED -e "$lt_sed_naive_backslashify"`
-            ;;
-          * )
-            # unfortunately, winepath doesn't convert pathlists
-            func_to_host_pathlist_result=""
-            func_to_host_pathlist_oldIFS=$IFS
-            IFS=:
-            for func_to_host_pathlist_f in $func_to_host_pathlist_tmp1 ; do
-              IFS=$func_to_host_pathlist_oldIFS
-              if test -n "$func_to_host_pathlist_f" ; then
-                func_to_host_path "$func_to_host_pathlist_f"
-                if test -n "$func_to_host_path_result" ; then
-                  if test -z "$func_to_host_pathlist_result" ; then
-                    func_to_host_pathlist_result="$func_to_host_path_result"
-                  else
-                    func_to_host_pathlist_result="$func_to_host_pathlist_result;$func_to_host_path_result"
-                  fi
-                fi
-              fi
-              IFS=:
-            done
-            IFS=$func_to_host_pathlist_oldIFS
-            ;;
-        esac
-        if test -z "$func_to_host_pathlist_result" ; then
-          func_error "Could not determine the host path(s) corresponding to"
-          func_error "  '$1'"
-          func_error "Continuing, but uninstalled executables may not work."
-          # Fallback. This may break if $1 contains DOS-style drive
-          # specifications. The fix is not to complicate the expression
-          # below, but for the user to provide a working wine installation
-          # with winepath so that path translation in the cross-to-mingw
-          # case works properly.
-          lt_replace_pathsep_nix_to_dos="s|:|;|g"
-          func_to_host_pathlist_result=`echo "$func_to_host_pathlist_tmp1" |\
-            $SED -e "$lt_replace_pathsep_nix_to_dos"`
-        fi
-        # Now, add the leading and trailing path separators back
-        case "$1" in
-          :* ) func_to_host_pathlist_result=";$func_to_host_pathlist_result"
-            ;;
-        esac
-        case "$1" in
-          *: ) func_to_host_pathlist_result="$func_to_host_pathlist_result;"
-            ;;
-        esac
-        ;;
-    esac
-  fi
-}
-# end: func_to_host_pathlist
 
 # func_emit_cwrapperexe_src
 # emit the source code for a wrapper executable on stdout
@@ -3141,31 +4147,23 @@ func_emit_cwrapperexe_src ()
 
    This wrapper executable should never be moved out of the build directory.
    If it is, it will not operate correctly.
-
-   Currently, it simply execs the wrapper *script* "$SHELL $output",
-   but could eventually absorb all of the scripts functionality and
-   exec $objdir/$outputname directly.
 */
 EOF
 	    cat <<"EOF"
+#ifdef _MSC_VER
+# define _CRT_SECURE_NO_DEPRECATE 1
+#endif
 #include <stdio.h>
 #include <stdlib.h>
 #ifdef _MSC_VER
 # include <direct.h>
 # include <process.h>
 # include <io.h>
-# define setmode _setmode
 #else
 # include <unistd.h>
 # include <stdint.h>
 # ifdef __CYGWIN__
 #  include <io.h>
-#  define HAVE_SETENV
-#  ifdef __STRICT_ANSI__
-char *realpath (const char *, char *);
-int putenv (char *);
-int setenv (const char *, const char *, int);
-#  endif
 # endif
 #endif
 #include <malloc.h>
@@ -3177,6 +4175,44 @@ int setenv (const char *, const char *, int);
 #include <fcntl.h>
 #include <sys/stat.h>
 
+/* declarations of non-ANSI functions */
+#if defined(__MINGW32__)
+# ifdef __STRICT_ANSI__
+int _putenv (const char *);
+# endif
+#elif defined(__CYGWIN__)
+# ifdef __STRICT_ANSI__
+char *realpath (const char *, char *);
+int putenv (char *);
+int setenv (const char *, const char *, int);
+# endif
+/* #elif defined (other platforms) ... */
+#endif
+
+/* portability defines, excluding path handling macros */
+#if defined(_MSC_VER)
+# define setmode _setmode
+# define stat    _stat
+# define chmod   _chmod
+# define getcwd  _getcwd
+# define putenv  _putenv
+# define S_IXUSR _S_IEXEC
+# ifndef _INTPTR_T_DEFINED
+#  define _INTPTR_T_DEFINED
+#  define intptr_t int
+# endif
+#elif defined(__MINGW32__)
+# define setmode _setmode
+# define stat    _stat
+# define chmod   _chmod
+# define getcwd  _getcwd
+# define putenv  _putenv
+#elif defined(__CYGWIN__)
+# define HAVE_SETENV
+# define FOPEN_WB "wb"
+/* #elif defined (other platforms) ... */
+#endif
+
 #if defined(PATH_MAX)
 # define LT_PATHMAX PATH_MAX
 #elif defined(MAXPATHLEN)
@@ -3192,14 +4228,7 @@ int setenv (const char *, const char *, int);
 # define S_IXGRP 0
 #endif
 
-#ifdef _MSC_VER
-# define S_IXUSR _S_IEXEC
-# define stat _stat
-# ifndef _INTPTR_T_DEFINED
-#  define intptr_t int
-# endif
-#endif
-
+/* path handling portability macros */
 #ifndef DIR_SEPARATOR
 # define DIR_SEPARATOR '/'
 # define PATH_SEPARATOR ':'
@@ -3230,10 +4259,6 @@ int setenv (const char *, const char *, int);
 # define IS_PATH_SEPARATOR(ch) ((ch) == PATH_SEPARATOR_2)
 #endif /* PATH_SEPARATOR_2 */
 
-#ifdef __CYGWIN__
-# define FOPEN_WB "wb"
-#endif
-
 #ifndef FOPEN_WB
 # define FOPEN_WB "w"
 #endif
@@ -3246,22 +4271,13 @@ int setenv (const char *, const char *, int);
   if (stale) { free ((void *) stale); stale = 0; } \
 } while (0)
 
-#undef LTWRAPPER_DEBUGPRINTF
-#if defined DEBUGWRAPPER
-# define LTWRAPPER_DEBUGPRINTF(args) ltwrapper_debugprintf args
-static void
-ltwrapper_debugprintf (const char *fmt, ...)
-{
-    va_list args;
-    va_start (args, fmt);
-    (void) vfprintf (stderr, fmt, args);
-    va_end (args);
-}
+#if defined(LT_DEBUGWRAPPER)
+static int lt_debug = 1;
 #else
-# define LTWRAPPER_DEBUGPRINTF(args)
+static int lt_debug = 0;
 #endif
 
-const char *program_name = NULL;
+const char *program_name = "libtool-wrapper"; /* in case xstrdup fails */
 
 void *xmalloc (size_t num);
 char *xstrdup (const char *string);
@@ -3271,41 +4287,27 @@ char *chase_symlinks (const char *pathspec);
 int make_executable (const char *path);
 int check_executable (const char *path);
 char *strendzap (char *str, const char *pat);
-void lt_fatal (const char *message, ...);
+void lt_debugprintf (const char *file, int line, const char *fmt, ...);
+void lt_fatal (const char *file, int line, const char *message, ...);
+static const char *nonnull (const char *s);
+static const char *nonempty (const char *s);
 void lt_setenv (const char *name, const char *value);
 char *lt_extend_str (const char *orig_value, const char *add, int to_end);
-void lt_opt_process_env_set (const char *arg);
-void lt_opt_process_env_prepend (const char *arg);
-void lt_opt_process_env_append (const char *arg);
-int lt_split_name_value (const char *arg, char** name, char** value);
 void lt_update_exe_path (const char *name, const char *value);
 void lt_update_lib_path (const char *name, const char *value);
-
-static const char *script_text_part1 =
-EOF
-
-	    func_emit_wrapper_part1 yes |
-	        $SED -e 's/\([\\"]\)/\\\1/g' \
-	             -e 's/^/  "/' -e 's/$/\\n"/'
-	    echo ";"
-	    cat <<EOF
-
-static const char *script_text_part2 =
+char **prepare_spawn (char **argv);
+void lt_dump_script (FILE *f);
 EOF
-	    func_emit_wrapper_part2 yes |
-	        $SED -e 's/\([\\"]\)/\\\1/g' \
-	             -e 's/^/  "/' -e 's/$/\\n"/'
-	    echo ";"
 
 	    cat <<EOF
-const char * MAGIC_EXE = "$magic_exe";
+volatile const char * MAGIC_EXE = "$magic_exe";
 const char * LIB_PATH_VARNAME = "$shlibpath_var";
 EOF
 
 	    if test "$shlibpath_overrides_runpath" = yes && test -n "$shlibpath_var" && test -n "$temp_rpath"; then
-              func_to_host_pathlist "$temp_rpath"
+              func_to_host_path "$temp_rpath"
 	      cat <<EOF
-const char * LIB_PATH_VALUE   = "$func_to_host_pathlist_result";
+const char * LIB_PATH_VALUE   = "$func_to_host_path_result";
 EOF
 	    else
 	      cat <<"EOF"
@@ -3314,10 +4316,10 @@ EOF
 	    fi
 
 	    if test -n "$dllsearchpath"; then
-              func_to_host_pathlist "$dllsearchpath:"
+              func_to_host_path "$dllsearchpath:"
 	      cat <<EOF
 const char * EXE_PATH_VARNAME = "PATH";
-const char * EXE_PATH_VALUE   = "$func_to_host_pathlist_result";
+const char * EXE_PATH_VALUE   = "$func_to_host_path_result";
 EOF
 	    else
 	      cat <<"EOF"
@@ -3340,24 +4342,10 @@ EOF
 	    cat <<"EOF"
 
 #define LTWRAPPER_OPTION_PREFIX         "--lt-"
-#define LTWRAPPER_OPTION_PREFIX_LENGTH  5
 
-static const size_t opt_prefix_len         = LTWRAPPER_OPTION_PREFIX_LENGTH;
 static const char *ltwrapper_option_prefix = LTWRAPPER_OPTION_PREFIX;
-
 static const char *dumpscript_opt       = LTWRAPPER_OPTION_PREFIX "dump-script";
-
-static const size_t env_set_opt_len     = LTWRAPPER_OPTION_PREFIX_LENGTH + 7;
-static const char *env_set_opt          = LTWRAPPER_OPTION_PREFIX "env-set";
-  /* argument is putenv-style "foo=bar", value of foo is set to bar */
-
-static const size_t env_prepend_opt_len = LTWRAPPER_OPTION_PREFIX_LENGTH + 11;
-static const char *env_prepend_opt      = LTWRAPPER_OPTION_PREFIX "env-prepend";
-  /* argument is putenv-style "foo=bar", new value of foo is bar${foo} */
-
-static const size_t env_append_opt_len  = LTWRAPPER_OPTION_PREFIX_LENGTH + 10;
-static const char *env_append_opt       = LTWRAPPER_OPTION_PREFIX "env-append";
-  /* argument is putenv-style "foo=bar", new value of foo is ${foo}bar */
+static const char *debug_opt            = LTWRAPPER_OPTION_PREFIX "debug";
 
 int
 main (int argc, char *argv[])
@@ -3374,10 +4362,13 @@ main (int argc, char *argv[])
   int i;
 
   program_name = (char *) xstrdup (base_name (argv[0]));
-  LTWRAPPER_DEBUGPRINTF (("(main) argv[0]      : %s\n", argv[0]));
-  LTWRAPPER_DEBUGPRINTF (("(main) program_name : %s\n", program_name));
+  newargz = XMALLOC (char *, argc + 1);
 
-  /* very simple arg parsing; don't want to rely on getopt */
+  /* very simple arg parsing; don't want to rely on getopt
+   * also, copy all non cwrapper options to newargz, except
+   * argz[0], which is handled differently
+   */
+  newargc=0;
   for (i = 1; i < argc; i++)
     {
       if (strcmp (argv[i], dumpscript_opt) == 0)
@@ -3391,25 +4382,57 @@ EOF
 	      esac
 
 	    cat <<"EOF"
-	  printf ("%s", script_text_part1);
-	  printf ("%s", script_text_part2);
+	  lt_dump_script (stdout);
 	  return 0;
 	}
+      if (strcmp (argv[i], debug_opt) == 0)
+	{
+          lt_debug = 1;
+          continue;
+	}
+      if (strcmp (argv[i], ltwrapper_option_prefix) == 0)
+        {
+          /* however, if there is an option in the LTWRAPPER_OPTION_PREFIX
+             namespace, but it is not one of the ones we know about and
+             have already dealt with, above (inluding dump-script), then
+             report an error. Otherwise, targets might begin to believe
+             they are allowed to use options in the LTWRAPPER_OPTION_PREFIX
+             namespace. The first time any user complains about this, we'll
+             need to make LTWRAPPER_OPTION_PREFIX a configure-time option
+             or a configure.ac-settable value.
+           */
+          lt_fatal (__FILE__, __LINE__,
+		    "unrecognized %s option: '%s'",
+                    ltwrapper_option_prefix, argv[i]);
+        }
+      /* otherwise ... */
+      newargz[++newargc] = xstrdup (argv[i]);
     }
+  newargz[++newargc] = NULL;
+
+EOF
+	    cat <<EOF
+  /* The GNU banner must be the first non-error debug message */
+  lt_debugprintf (__FILE__, __LINE__, "libtool wrapper (GNU $PACKAGE$TIMESTAMP) $VERSION\n");
+EOF
+	    cat <<"EOF"
+  lt_debugprintf (__FILE__, __LINE__, "(main) argv[0]: %s\n", argv[0]);
+  lt_debugprintf (__FILE__, __LINE__, "(main) program_name: %s\n", program_name);
 
-  newargz = XMALLOC (char *, argc + 1);
   tmp_pathspec = find_executable (argv[0]);
   if (tmp_pathspec == NULL)
-    lt_fatal ("Couldn't find %s", argv[0]);
-  LTWRAPPER_DEBUGPRINTF (("(main) found exe (before symlink chase) at : %s\n",
-			  tmp_pathspec));
+    lt_fatal (__FILE__, __LINE__, "couldn't find %s", argv[0]);
+  lt_debugprintf (__FILE__, __LINE__,
+                  "(main) found exe (before symlink chase) at: %s\n",
+		  tmp_pathspec);
 
   actual_cwrapper_path = chase_symlinks (tmp_pathspec);
-  LTWRAPPER_DEBUGPRINTF (("(main) found exe (after symlink chase) at : %s\n",
-			  actual_cwrapper_path));
+  lt_debugprintf (__FILE__, __LINE__,
+                  "(main) found exe (after symlink chase) at: %s\n",
+		  actual_cwrapper_path);
   XFREE (tmp_pathspec);
 
-  actual_cwrapper_name = xstrdup( base_name (actual_cwrapper_path));
+  actual_cwrapper_name = xstrdup (base_name (actual_cwrapper_path));
   strendzap (actual_cwrapper_path, actual_cwrapper_name);
 
   /* wrapper name transforms */
@@ -3427,8 +4450,9 @@ EOF
   target_name = tmp_pathspec;
   tmp_pathspec = 0;
 
-  LTWRAPPER_DEBUGPRINTF (("(main) libtool target name: %s\n",
-			  target_name));
+  lt_debugprintf (__FILE__, __LINE__,
+		  "(main) libtool target name: %s\n",
+		  target_name);
 EOF
 
 	    cat <<EOF
@@ -3478,80 +4502,19 @@ EOF
 
   lt_setenv ("BIN_SH", "xpg4"); /* for Tru64 */
   lt_setenv ("DUALCASE", "1");  /* for MSK sh */
-  lt_update_lib_path (LIB_PATH_VARNAME, LIB_PATH_VALUE);
+  /* Update the DLL searchpath.  EXE_PATH_VALUE ($dllsearchpath) must
+     be prepended before (that is, appear after) LIB_PATH_VALUE ($temp_rpath)
+     because on Windows, both *_VARNAMEs are PATH but uninstalled
+     libraries must come first. */
   lt_update_exe_path (EXE_PATH_VARNAME, EXE_PATH_VALUE);
+  lt_update_lib_path (LIB_PATH_VARNAME, LIB_PATH_VALUE);
 
-  newargc=0;
-  for (i = 1; i < argc; i++)
-    {
-      if (strncmp (argv[i], env_set_opt, env_set_opt_len) == 0)
-        {
-          if (argv[i][env_set_opt_len] == '=')
-            {
-              const char *p = argv[i] + env_set_opt_len + 1;
-              lt_opt_process_env_set (p);
-            }
-          else if (argv[i][env_set_opt_len] == '\0' && i + 1 < argc)
-            {
-              lt_opt_process_env_set (argv[++i]); /* don't copy */
-            }
-          else
-            lt_fatal ("%s missing required argument", env_set_opt);
-          continue;
-        }
-      if (strncmp (argv[i], env_prepend_opt, env_prepend_opt_len) == 0)
-        {
-          if (argv[i][env_prepend_opt_len] == '=')
-            {
-              const char *p = argv[i] + env_prepend_opt_len + 1;
-              lt_opt_process_env_prepend (p);
-            }
-          else if (argv[i][env_prepend_opt_len] == '\0' && i + 1 < argc)
-            {
-              lt_opt_process_env_prepend (argv[++i]); /* don't copy */
-            }
-          else
-            lt_fatal ("%s missing required argument", env_prepend_opt);
-          continue;
-        }
-      if (strncmp (argv[i], env_append_opt, env_append_opt_len) == 0)
-        {
-          if (argv[i][env_append_opt_len] == '=')
-            {
-              const char *p = argv[i] + env_append_opt_len + 1;
-              lt_opt_process_env_append (p);
-            }
-          else if (argv[i][env_append_opt_len] == '\0' && i + 1 < argc)
-            {
-              lt_opt_process_env_append (argv[++i]); /* don't copy */
-            }
-          else
-            lt_fatal ("%s missing required argument", env_append_opt);
-          continue;
-        }
-      if (strncmp (argv[i], ltwrapper_option_prefix, opt_prefix_len) == 0)
-        {
-          /* however, if there is an option in the LTWRAPPER_OPTION_PREFIX
-             namespace, but it is not one of the ones we know about and
-             have already dealt with, above (inluding dump-script), then
-             report an error. Otherwise, targets might begin to believe
-             they are allowed to use options in the LTWRAPPER_OPTION_PREFIX
-             namespace. The first time any user complains about this, we'll
-             need to make LTWRAPPER_OPTION_PREFIX a configure-time option
-             or a configure.ac-settable value.
-           */
-          lt_fatal ("Unrecognized option in %s namespace: '%s'",
-                    ltwrapper_option_prefix, argv[i]);
-        }
-      /* otherwise ... */
-      newargz[++newargc] = xstrdup (argv[i]);
-    }
-  newargz[++newargc] = NULL;
-
-  LTWRAPPER_DEBUGPRINTF     (("(main) lt_argv_zero : %s\n", (lt_argv_zero ? lt_argv_zero : "<NULL>")));
+  lt_debugprintf (__FILE__, __LINE__, "(main) lt_argv_zero: %s\n",
+		  nonnull (lt_argv_zero));
   for (i = 0; i < newargc; i++)
     {
-      LTWRAPPER_DEBUGPRINTF (("(main) newargz[%d]   : %s\n", i, (newargz[i] ? newargz[i] : "<NULL>")));
+      lt_debugprintf (__FILE__, __LINE__, "(main) newargz[%d]: %s\n",
+		      i, nonnull (newargz[i]));
     }
 
 EOF
@@ -3560,11 +4523,14 @@ EOF
 	      mingw*)
 		cat <<"EOF"
   /* execv doesn't actually work on mingw as expected on unix */
+  newargz = prepare_spawn (newargz);
   rval = _spawnv (_P_WAIT, lt_argv_zero, (const char * const *) newargz);
   if (rval == -1)
     {
       /* failed to start process */
-      LTWRAPPER_DEBUGPRINTF (("(main) failed to launch target \"%s\": errno = %d\n", lt_argv_zero, errno));
+      lt_debugprintf (__FILE__, __LINE__,
+		      "(main) failed to launch target \"%s\": %s\n",
+		      lt_argv_zero, nonnull (strerror (errno)));
       return 127;
     }
   return rval;
@@ -3586,7 +4552,7 @@ xmalloc (size_t num)
 {
   void *p = (void *) malloc (num);
   if (!p)
-    lt_fatal ("Memory exhausted");
+    lt_fatal (__FILE__, __LINE__, "memory exhausted");
 
   return p;
 }
@@ -3620,8 +4586,8 @@ check_executable (const char *path)
 {
   struct stat st;
 
-  LTWRAPPER_DEBUGPRINTF (("(check_executable)  : %s\n",
-			  path ? (*path ? path : "EMPTY!") : "NULL!"));
+  lt_debugprintf (__FILE__, __LINE__, "(check_executable): %s\n",
+                  nonempty (path));
   if ((!path) || (!*path))
     return 0;
 
@@ -3638,8 +4604,8 @@ make_executable (const char *path)
   int rval = 0;
   struct stat st;
 
-  LTWRAPPER_DEBUGPRINTF (("(make_executable)   : %s\n",
-			  path ? (*path ? path : "EMPTY!") : "NULL!"));
+  lt_debugprintf (__FILE__, __LINE__, "(make_executable): %s\n",
+                  nonempty (path));
   if ((!path) || (!*path))
     return 0;
 
@@ -3665,8 +4631,8 @@ find_executable (const char *wrapper)
   int tmp_len;
   char *concat_name;
 
-  LTWRAPPER_DEBUGPRINTF (("(find_executable)   : %s\n",
-			  wrapper ? (*wrapper ? wrapper : "EMPTY!") : "NULL!"));
+  lt_debugprintf (__FILE__, __LINE__, "(find_executable): %s\n",
+                  nonempty (wrapper));
 
   if ((wrapper == NULL) || (*wrapper == '\0'))
     return NULL;
@@ -3719,7 +4685,8 @@ find_executable (const char *wrapper)
 		{
 		  /* empty path: current directory */
 		  if (getcwd (tmp, LT_PATHMAX) == NULL)
-		    lt_fatal ("getcwd failed");
+		    lt_fatal (__FILE__, __LINE__, "getcwd failed: %s",
+                              nonnull (strerror (errno)));
 		  tmp_len = strlen (tmp);
 		  concat_name =
 		    XMALLOC (char, tmp_len + 1 + strlen (wrapper) + 1);
@@ -3744,7 +4711,8 @@ find_executable (const char *wrapper)
     }
   /* Relative path | not found in path: prepend cwd */
   if (getcwd (tmp, LT_PATHMAX) == NULL)
-    lt_fatal ("getcwd failed");
+    lt_fatal (__FILE__, __LINE__, "getcwd failed: %s",
+              nonnull (strerror (errno)));
   tmp_len = strlen (tmp);
   concat_name = XMALLOC (char, tmp_len + 1 + strlen (wrapper) + 1);
   memcpy (concat_name, tmp, tmp_len);
@@ -3770,8 +4738,9 @@ chase_symlinks (const char *pathspec)
   int has_symlinks = 0;
   while (strlen (tmp_pathspec) && !has_symlinks)
     {
-      LTWRAPPER_DEBUGPRINTF (("checking path component for symlinks: %s\n",
-			      tmp_pathspec));
+      lt_debugprintf (__FILE__, __LINE__,
+		      "checking path component for symlinks: %s\n",
+		      tmp_pathspec);
       if (lstat (tmp_pathspec, &s) == 0)
 	{
 	  if (S_ISLNK (s.st_mode) != 0)
@@ -3793,8 +4762,9 @@ chase_symlinks (const char *pathspec)
 	}
       else
 	{
-	  char *errstr = strerror (errno);
-	  lt_fatal ("Error accessing file %s (%s)", tmp_pathspec, errstr);
+	  lt_fatal (__FILE__, __LINE__,
+		    "error accessing file \"%s\": %s",
+		    tmp_pathspec, nonnull (strerror (errno)));
 	}
     }
   XFREE (tmp_pathspec);
@@ -3807,7 +4777,8 @@ chase_symlinks (const char *pathspec)
   tmp_pathspec = realpath (pathspec, buf);
   if (tmp_pathspec == 0)
     {
-      lt_fatal ("Could not follow symlinks for %s", pathspec);
+      lt_fatal (__FILE__, __LINE__,
+		"could not follow symlinks for %s", pathspec);
     }
   return xstrdup (tmp_pathspec);
 #endif
@@ -3833,11 +4804,25 @@ strendzap (char *str, const char *pat)
   return str;
 }
 
+void
+lt_debugprintf (const char *file, int line, const char *fmt, ...)
+{
+  va_list args;
+  if (lt_debug)
+    {
+      (void) fprintf (stderr, "%s:%s:%d: ", program_name, file, line);
+      va_start (args, fmt);
+      (void) vfprintf (stderr, fmt, args);
+      va_end (args);
+    }
+}
+
 static void
-lt_error_core (int exit_status, const char *mode,
+lt_error_core (int exit_status, const char *file,
+	       int line, const char *mode,
 	       const char *message, va_list ap)
 {
-  fprintf (stderr, "%s: %s: ", program_name, mode);
+  fprintf (stderr, "%s:%s:%d: %s: ", program_name, file, line, mode);
   vfprintf (stderr, message, ap);
   fprintf (stderr, ".\n");
 
@@ -3846,20 +4831,32 @@ lt_error_core (int exit_status, const char *mode,
 }
 
 void
-lt_fatal (const char *message, ...)
+lt_fatal (const char *file, int line, const char *message, ...)
 {
   va_list ap;
   va_start (ap, message);
-  lt_error_core (EXIT_FAILURE, "FATAL", message, ap);
+  lt_error_core (EXIT_FAILURE, file, line, "FATAL", message, ap);
   va_end (ap);
 }
 
+static const char *
+nonnull (const char *s)
+{
+  return s ? s : "(null)";
+}
+
+static const char *
+nonempty (const char *s)
+{
+  return (s && !*s) ? "(empty)" : nonnull (s);
+}
+
 void
 lt_setenv (const char *name, const char *value)
 {
-  LTWRAPPER_DEBUGPRINTF (("(lt_setenv) setting '%s' to '%s'\n",
-                          (name ? name : "<NULL>"),
-                          (value ? value : "<NULL>")));
+  lt_debugprintf (__FILE__, __LINE__,
+		  "(lt_setenv) setting '%s' to '%s'\n",
+                  nonnull (name), nonnull (value));
   {
 #ifdef HAVE_SETENV
     /* always make a copy, for consistency with !HAVE_SETENV */
@@ -3904,95 +4901,12 @@ lt_extend_str (const char *orig_value, const char *add, int to_end)
   return new_value;
 }
 
-int
-lt_split_name_value (const char *arg, char** name, char** value)
-{
-  const char *p;
-  int len;
-  if (!arg || !*arg)
-    return 1;
-
-  p = strchr (arg, (int)'=');
-
-  if (!p)
-    return 1;
-
-  *value = xstrdup (++p);
-
-  len = strlen (arg) - strlen (*value);
-  *name = XMALLOC (char, len);
-  strncpy (*name, arg, len-1);
-  (*name)[len - 1] = '\0';
-
-  return 0;
-}
-
-void
-lt_opt_process_env_set (const char *arg)
-{
-  char *name = NULL;
-  char *value = NULL;
-
-  if (lt_split_name_value (arg, &name, &value) != 0)
-    {
-      XFREE (name);
-      XFREE (value);
-      lt_fatal ("bad argument for %s: '%s'", env_set_opt, arg);
-    }
-
-  lt_setenv (name, value);
-  XFREE (name);
-  XFREE (value);
-}
-
-void
-lt_opt_process_env_prepend (const char *arg)
-{
-  char *name = NULL;
-  char *value = NULL;
-  char *new_value = NULL;
-
-  if (lt_split_name_value (arg, &name, &value) != 0)
-    {
-      XFREE (name);
-      XFREE (value);
-      lt_fatal ("bad argument for %s: '%s'", env_prepend_opt, arg);
-    }
-
-  new_value = lt_extend_str (getenv (name), value, 0);
-  lt_setenv (name, new_value);
-  XFREE (new_value);
-  XFREE (name);
-  XFREE (value);
-}
-
-void
-lt_opt_process_env_append (const char *arg)
-{
-  char *name = NULL;
-  char *value = NULL;
-  char *new_value = NULL;
-
-  if (lt_split_name_value (arg, &name, &value) != 0)
-    {
-      XFREE (name);
-      XFREE (value);
-      lt_fatal ("bad argument for %s: '%s'", env_append_opt, arg);
-    }
-
-  new_value = lt_extend_str (getenv (name), value, 1);
-  lt_setenv (name, new_value);
-  XFREE (new_value);
-  XFREE (name);
-  XFREE (value);
-}
-
 void
 lt_update_exe_path (const char *name, const char *value)
 {
-  LTWRAPPER_DEBUGPRINTF (("(lt_update_exe_path) modifying '%s' by prepending '%s'\n",
-                          (name ? name : "<NULL>"),
-                          (value ? value : "<NULL>")));
+  lt_debugprintf (__FILE__, __LINE__,
+		  "(lt_update_exe_path) modifying '%s' by prepending '%s'\n",
+                  nonnull (name), nonnull (value));
 
   if (name && *name && value && *value)
     {
@@ -4011,9 +4925,9 @@ lt_update_exe_path (const char *name, const char *value)
 void
 lt_update_lib_path (const char *name, const char *value)
 {
-  LTWRAPPER_DEBUGPRINTF (("(lt_update_lib_path) modifying '%s' by prepending '%s'\n",
-                          (name ? name : "<NULL>"),
-                          (value ? value : "<NULL>")));
+  lt_debugprintf (__FILE__, __LINE__,
+		  "(lt_update_lib_path) modifying '%s' by prepending '%s'\n",
+                  nonnull (name), nonnull (value));
 
   if (name && *name && value && *value)
     {
@@ -4023,11 +4937,158 @@ lt_update_lib_path (const char *name, const char *value)
     }
 }
 
+EOF
+	    case $host_os in
+	      mingw*)
+		cat <<"EOF"
+
+/* Prepares an argument vector before calling spawn().
+   Note that spawn() does not by itself call the command interpreter
+     (getenv ("COMSPEC") != NULL ? getenv ("COMSPEC") :
+      ({ OSVERSIONINFO v; v.dwOSVersionInfoSize = sizeof(OSVERSIONINFO);
+         GetVersionEx(&v);
+         v.dwPlatformId == VER_PLATFORM_WIN32_NT;
+      }) ? "cmd.exe" : "command.com").
+   Instead it simply concatenates the arguments, separated by ' ', and calls
+   CreateProcess().  We must quote the arguments since Win32 CreateProcess()
+   interprets characters like ' ', '\t', '\\', '"' (but not '<' and '>') in a
+   special way:
+   - Space and tab are interpreted as delimiters. They are not treated as
+     delimiters if they are surrounded by double quotes: "...".
+   - Unescaped double quotes are removed from the input. Their only effect is
+     that within double quotes, space and tab are treated like normal
+     characters.
+   - Backslashes not followed by double quotes are not special.
+   - But 2*n+1 backslashes followed by a double quote become
+     n backslashes followed by a double quote (n >= 0):
+       \" -> "
+       \\\" -> \"
+       \\\\\" -> \\"
+ */
+#define SHELL_SPECIAL_CHARS "\"\\ \001\002\003\004\005\006\007\010\011\012\013\014\015\016\017\020\021\022\023\024\025\026\027\030\031\032\033\034\035\036\037"
+#define SHELL_SPACE_CHARS " \001\002\003\004\005\006\007\010\011\012\013\014\015\016\017\020\021\022\023\024\025\026\027\030\031\032\033\034\035\036\037"
+char **
+prepare_spawn (char **argv)
+{
+  size_t argc;
+  char **new_argv;
+  size_t i;
+
+  /* Count number of arguments.  */
+  for (argc = 0; argv[argc] != NULL; argc++)
+    ;
+
+  /* Allocate new argument vector.  */
+  new_argv = XMALLOC (char *, argc + 1);
+
+  /* Put quoted arguments into the new argument vector.  */
+  for (i = 0; i < argc; i++)
+    {
+      const char *string = argv[i];
+
+      if (string[0] == '\0')
+	new_argv[i] = xstrdup ("\"\"");
+      else if (strpbrk (string, SHELL_SPECIAL_CHARS) != NULL)
+	{
+	  int quote_around = (strpbrk (string, SHELL_SPACE_CHARS) != NULL);
+	  size_t length;
+	  unsigned int backslashes;
+	  const char *s;
+	  char *quoted_string;
+	  char *p;
+
+	  length = 0;
+	  backslashes = 0;
+	  if (quote_around)
+	    length++;
+	  for (s = string; *s != '\0'; s++)
+	    {
+	      char c = *s;
+	      if (c == '"')
+		length += backslashes + 1;
+	      length++;
+	      if (c == '\\')
+		backslashes++;
+	      else
+		backslashes = 0;
+	    }
+	  if (quote_around)
+	    length += backslashes + 1;
+
+	  quoted_string = XMALLOC (char, length + 1);
+
+	  p = quoted_string;
+	  backslashes = 0;
+	  if (quote_around)
+	    *p++ = '"';
+	  for (s = string; *s != '\0'; s++)
+	    {
+	      char c = *s;
+	      if (c == '"')
+		{
+		  unsigned int j;
+		  for (j = backslashes + 1; j > 0; j--)
+		    *p++ = '\\';
+		}
+	      *p++ = c;
+	      if (c == '\\')
+		backslashes++;
+	      else
+		backslashes = 0;
+	    }
+	  if (quote_around)
+	    {
+	      unsigned int j;
+	      for (j = backslashes; j > 0; j--)
+		*p++ = '\\';
+	      *p++ = '"';
+	    }
+	  *p = '\0';
+
+	  new_argv[i] = quoted_string;
+	}
+      else
+	new_argv[i] = (char *) string;
+    }
+  new_argv[argc] = NULL;
+
+  return new_argv;
+}
+EOF
+		;;
+	    esac
 
+            cat <<"EOF"
+void lt_dump_script (FILE* f)
+{
+EOF
+	    func_emit_wrapper yes |
+	      $SED -n -e '
+s/^\(.\{79\}\)\(..*\)/\1\
+\2/
+h
+s/\([\\"]\)/\\\1/g
+s/$/\\n/
+s/\([^\n]*\).*/  fputs ("\1", f);/p
+g
+D'
+            cat <<"EOF"
+}
 EOF
 }
 # end: func_emit_cwrapperexe_src
 
+# func_win32_import_lib_p ARG
+# True if ARG is an import lib, as indicated by $file_magic_cmd
+func_win32_import_lib_p ()
+{
+    $opt_debug
+    case `eval $file_magic_cmd \"\$1\" 2>/dev/null | $SED -e 10q` in
+    *import*) : ;;
+    *) false ;;
+    esac
+}
+
 # func_mode_link arg...
 func_mode_link ()
 {
@@ -4072,6 +5133,7 @@ func_mode_link ()
     new_inherited_linker_flags=
 
     avoid_version=no
+    bindir=
     dlfiles=
     dlprefiles=
     dlself=no
@@ -4164,6 +5226,11 @@ func_mode_link ()
 	esac
 
 	case $prev in
+	bindir)
+	  bindir="$arg"
+	  prev=
+	  continue
+	  ;;
 	dlfiles|dlprefiles)
 	  if test "$preload" = no; then
 	    # Add the symbol object into the linking commands.
@@ -4195,9 +5262,9 @@ func_mode_link ()
 	    ;;
 	  *)
 	    if test "$prev" = dlfiles; then
-	      dlfiles="$dlfiles $arg"
+	      func_append dlfiles " $arg"
 	    else
-	      dlprefiles="$dlprefiles $arg"
+	      func_append dlprefiles " $arg"
 	    fi
 	    prev=
 	    continue
@@ -4221,7 +5288,7 @@ func_mode_link ()
 	    *-*-darwin*)
 	      case "$deplibs " in
 		*" $qarg.ltframework "*) ;;
-		*) deplibs="$deplibs $qarg.ltframework" # this is fixed later
+		*) func_append deplibs " $qarg.ltframework" # this is fixed later
 		   ;;
 	      esac
 	      ;;
@@ -4240,7 +5307,7 @@ func_mode_link ()
 	    moreargs=
 	    for fil in `cat "$save_arg"`
 	    do
-#	      moreargs="$moreargs $fil"
+#	      func_append moreargs " $fil"
 	      arg=$fil
 	      # A libtool-controlled object.
 
@@ -4269,7 +5336,7 @@ func_mode_link ()
 
 		  if test "$prev" = dlfiles; then
 		    if test "$build_libtool_libs" = yes && test "$dlopen_support" = yes; then
-		      dlfiles="$dlfiles $pic_object"
+		      func_append dlfiles " $pic_object"
 		      prev=
 		      continue
 		    else
@@ -4281,7 +5348,7 @@ func_mode_link ()
 		  # CHECK ME:  I think I busted this.  -Ossama
 		  if test "$prev" = dlprefiles; then
 		    # Preload the old-style object.
-		    dlprefiles="$dlprefiles $pic_object"
+		    func_append dlprefiles " $pic_object"
 		    prev=
 		  fi
 
@@ -4351,12 +5418,12 @@ func_mode_link ()
 	  if test "$prev" = rpath; then
 	    case "$rpath " in
 	    *" $arg "*) ;;
-	    *) rpath="$rpath $arg" ;;
+	    *) func_append rpath " $arg" ;;
 	    esac
 	  else
 	    case "$xrpath " in
 	    *" $arg "*) ;;
-	    *) xrpath="$xrpath $arg" ;;
+	    *) func_append xrpath " $arg" ;;
 	    esac
 	  fi
 	  prev=
@@ -4368,28 +5435,28 @@ func_mode_link ()
 	  continue
 	  ;;
 	weak)
-	  weak_libs="$weak_libs $arg"
+	  func_append weak_libs " $arg"
 	  prev=
 	  continue
 	  ;;
 	xcclinker)
-	  linker_flags="$linker_flags $qarg"
-	  compiler_flags="$compiler_flags $qarg"
+	  func_append linker_flags " $qarg"
+	  func_append compiler_flags " $qarg"
 	  prev=
 	  func_append compile_command " $qarg"
 	  func_append finalize_command " $qarg"
 	  continue
 	  ;;
 	xcompiler)
-	  compiler_flags="$compiler_flags $qarg"
+	  func_append compiler_flags " $qarg"
 	  prev=
 	  func_append compile_command " $qarg"
 	  func_append finalize_command " $qarg"
 	  continue
 	  ;;
 	xlinker)
-	  linker_flags="$linker_flags $qarg"
-	  compiler_flags="$compiler_flags $wl$qarg"
+	  func_append linker_flags " $qarg"
+	  func_append compiler_flags " $wl$qarg"
 	  prev=
 	  func_append compile_command " $wl$qarg"
 	  func_append finalize_command " $wl$qarg"
@@ -4425,6 +5492,11 @@ func_mode_link ()
 	continue
 	;;
 
+      -bindir)
+	prev=bindir
+	continue
+	;;
+
       -dlopen)
 	prev=dlfiles
 	continue
@@ -4475,15 +5547,16 @@ func_mode_link ()
 	;;
 
       -L*)
-	func_stripname '-L' '' "$arg"
-	dir=$func_stripname_result
-	if test -z "$dir"; then
+	func_stripname "-L" '' "$arg"
+	if test -z "$func_stripname_result"; then
 	  if test "$#" -gt 0; then
 	    func_fatal_error "require no space between \`-L' and \`$1'"
 	  else
 	    func_fatal_error "need path for \`-L' option"
 	  fi
 	fi
+	func_resolve_sysroot "$func_stripname_result"
+	dir=$func_resolve_sysroot_result
 	# We need an absolute path.
 	case $dir in
 	[\\/]* | [A-Za-z]:[\\/]*) ;;
@@ -4495,24 +5568,30 @@ func_mode_link ()
 	  ;;
 	esac
 	case "$deplibs " in
-	*" -L$dir "*) ;;
+	*" -L$dir "* | *" $arg "*)
+	  # Will only happen for absolute or sysroot arguments
+	  ;;
 	*)
-	  deplibs="$deplibs -L$dir"
-	  lib_search_path="$lib_search_path $dir"
+	  # Preserve sysroot, but never include relative directories
+	  case $dir in
+	    [\\/]* | [A-Za-z]:[\\/]* | =*) func_append deplibs " $arg" ;;
+	    *) func_append deplibs " -L$dir" ;;
+	  esac
+	  func_append lib_search_path " $dir"
 	  ;;
 	esac
 	case $host in
 	*-*-cygwin* | *-*-mingw* | *-*-pw32* | *-*-os2* | *-cegcc*)
-	  testbindir=`$ECHO "X$dir" | $Xsed -e 's*/lib$*/bin*'`
+	  testbindir=`$ECHO "$dir" | $SED 's*/lib$*/bin*'`
 	  case :$dllsearchpath: in
 	  *":$dir:"*) ;;
 	  ::) dllsearchpath=$dir;;
-	  *) dllsearchpath="$dllsearchpath:$dir";;
+	  *) func_append dllsearchpath ":$dir";;
 	  esac
 	  case :$dllsearchpath: in
 	  *":$testbindir:"*) ;;
 	  ::) dllsearchpath=$testbindir;;
-	  *) dllsearchpath="$dllsearchpath:$testbindir";;
+	  *) func_append dllsearchpath ":$testbindir";;
 	  esac
 	  ;;
 	esac
@@ -4522,7 +5601,7 @@ func_mode_link ()
       -l*)
 	if test "X$arg" = "X-lc" || test "X$arg" = "X-lm"; then
 	  case $host in
-	  *-*-cygwin* | *-*-mingw* | *-*-pw32* | *-*-beos* | *-cegcc*)
+	  *-*-cygwin* | *-*-mingw* | *-*-pw32* | *-*-beos* | *-cegcc* | *-*-haiku*)
 	    # These systems don't actually have a C or math library (as such)
 	    continue
 	    ;;
@@ -4536,7 +5615,7 @@ func_mode_link ()
 	    ;;
 	  *-*-rhapsody* | *-*-darwin1.[012])
 	    # Rhapsody C and math libraries are in the System framework
-	    deplibs="$deplibs System.ltframework"
+	    func_append deplibs " System.ltframework"
 	    continue
 	    ;;
 	  *-*-sco3.2v5* | *-*-sco5v6*)
@@ -4556,7 +5635,7 @@ func_mode_link ()
 	   ;;
 	 esac
 	fi
-	deplibs="$deplibs $arg"
+	func_append deplibs " $arg"
 	continue
 	;;
 
@@ -4568,21 +5647,22 @@ func_mode_link ()
       # Tru64 UNIX uses -model [arg] to determine the layout of C++
       # classes, name mangling, and exception handling.
       # Darwin uses the -arch flag to determine output architecture.
-      -model|-arch|-isysroot)
-	compiler_flags="$compiler_flags $arg"
+      -model|-arch|-isysroot|--sysroot)
+	func_append compiler_flags " $arg"
 	func_append compile_command " $arg"
 	func_append finalize_command " $arg"
 	prev=xcompiler
 	continue
 	;;
 
-      -mt|-mthreads|-kthread|-Kthread|-pthread|-pthreads|--thread-safe|-threads)
-	compiler_flags="$compiler_flags $arg"
+      -mt|-mthreads|-kthread|-Kthread|-pthread|-pthreads|--thread-safe \
+      |-threads|-fopenmp|-openmp|-mp|-xopenmp|-omp|-qsmp=*)
+	func_append compiler_flags " $arg"
 	func_append compile_command " $arg"
 	func_append finalize_command " $arg"
 	case "$new_inherited_linker_flags " in
 	    *" $arg "*) ;;
-	    * ) new_inherited_linker_flags="$new_inherited_linker_flags $arg" ;;
+	    * ) func_append new_inherited_linker_flags " $arg" ;;
 	esac
 	continue
 	;;
@@ -4649,13 +5729,17 @@ func_mode_link ()
 	# We need an absolute path.
 	case $dir in
 	[\\/]* | [A-Za-z]:[\\/]*) ;;
+	=*)
+	  func_stripname '=' '' "$dir"
+	  dir=$lt_sysroot$func_stripname_result
+	  ;;
 	*)
 	  func_fatal_error "only absolute run-paths are allowed"
 	  ;;
 	esac
 	case "$xrpath " in
 	*" $dir "*) ;;
-	*) xrpath="$xrpath $dir" ;;
+	*) func_append xrpath " $dir" ;;
 	esac
 	continue
 	;;
@@ -4708,8 +5792,8 @@ func_mode_link ()
 	for flag in $args; do
 	  IFS="$save_ifs"
           func_quote_for_eval "$flag"
-	  arg="$arg $wl$func_quote_for_eval_result"
-	  compiler_flags="$compiler_flags $func_quote_for_eval_result"
+	  func_append arg " $func_quote_for_eval_result"
+	  func_append compiler_flags " $func_quote_for_eval_result"
 	done
 	IFS="$save_ifs"
 	func_stripname ' ' '' "$arg"
@@ -4724,9 +5808,9 @@ func_mode_link ()
 	for flag in $args; do
 	  IFS="$save_ifs"
           func_quote_for_eval "$flag"
-	  arg="$arg $wl$func_quote_for_eval_result"
-	  compiler_flags="$compiler_flags $wl$func_quote_for_eval_result"
-	  linker_flags="$linker_flags $func_quote_for_eval_result"
+	  func_append arg " $wl$func_quote_for_eval_result"
+	  func_append compiler_flags " $wl$func_quote_for_eval_result"
+	  func_append linker_flags " $func_quote_for_eval_result"
 	done
 	IFS="$save_ifs"
 	func_stripname ' ' '' "$arg"
@@ -4754,23 +5838,27 @@ func_mode_link ()
 	arg="$func_quote_for_eval_result"
 	;;
 
-      # -64, -mips[0-9] enable 64-bit mode on the SGI compiler
-      # -r[0-9][0-9]* specifies the processor on the SGI compiler
-      # -xarch=*, -xtarget=* enable 64-bit mode on the Sun compiler
-      # +DA*, +DD* enable 64-bit mode on the HP compiler
-      # -q* pass through compiler args for the IBM compiler
-      # -m*, -t[45]*, -txscale* pass through architecture-specific
-      # compiler args for GCC
-      # -F/path gives path to uninstalled frameworks, gcc on darwin
-      # -p, -pg, --coverage, -fprofile-* pass through profiling flag for GCC
-      # @file GCC response files
+      # Flags to be passed through unchanged, with rationale:
+      # -64, -mips[0-9]      enable 64-bit mode for the SGI compiler
+      # -r[0-9][0-9]*        specify processor for the SGI compiler
+      # -xarch=*, -xtarget=* enable 64-bit mode for the Sun compiler
+      # +DA*, +DD*           enable 64-bit mode for the HP compiler
+      # -q*                  compiler args for the IBM compiler
+      # -m*, -t[45]*, -txscale* architecture-specific flags for GCC
+      # -F/path              path to uninstalled frameworks, gcc on darwin
+      # -p, -pg, --coverage, -fprofile-*  profiling flags for GCC
+      # @file                GCC response files
+      # -tp=*                Portland pgcc target processor selection
+      # --sysroot=*          for sysroot support
+      # -O*, -flto*, -fwhopr*, -fuse-linker-plugin GCC link-time optimization
       -64|-mips[0-9]|-r[0-9][0-9]*|-xarch=*|-xtarget=*|+DA*|+DD*|-q*|-m*| \
-      -t[45]*|-txscale*|-p|-pg|--coverage|-fprofile-*|-F*|@*)
+      -t[45]*|-txscale*|-p|-pg|--coverage|-fprofile-*|-F*|@*|-tp=*|--sysroot=*| \
+      -O*|-flto*|-fwhopr*|-fuse-linker-plugin)
         func_quote_for_eval "$arg"
 	arg="$func_quote_for_eval_result"
         func_append compile_command " $arg"
         func_append finalize_command " $arg"
-        compiler_flags="$compiler_flags $arg"
+        func_append compiler_flags " $arg"
         continue
         ;;
 
@@ -4782,7 +5870,7 @@ func_mode_link ()
 
       *.$objext)
 	# A standard object.
-	objs="$objs $arg"
+	func_append objs " $arg"
 	;;
 
       *.lo)
@@ -4813,7 +5901,7 @@ func_mode_link ()
 
 	    if test "$prev" = dlfiles; then
 	      if test "$build_libtool_libs" = yes && test "$dlopen_support" = yes; then
-		dlfiles="$dlfiles $pic_object"
+		func_append dlfiles " $pic_object"
 		prev=
 		continue
 	      else
@@ -4825,7 +5913,7 @@ func_mode_link ()
 	    # CHECK ME:  I think I busted this.  -Ossama
 	    if test "$prev" = dlprefiles; then
 	      # Preload the old-style object.
-	      dlprefiles="$dlprefiles $pic_object"
+	      func_append dlprefiles " $pic_object"
 	      prev=
 	    fi
 
@@ -4870,24 +5958,25 @@ func_mode_link ()
 
       *.$libext)
 	# An archive.
-	deplibs="$deplibs $arg"
-	old_deplibs="$old_deplibs $arg"
+	func_append deplibs " $arg"
+	func_append old_deplibs " $arg"
 	continue
 	;;
 
       *.la)
 	# A libtool-controlled library.
 
+	func_resolve_sysroot "$arg"
 	if test "$prev" = dlfiles; then
 	  # This library was specified with -dlopen.
-	  dlfiles="$dlfiles $arg"
+	  func_append dlfiles " $func_resolve_sysroot_result"
 	  prev=
 	elif test "$prev" = dlprefiles; then
 	  # The library was specified with -dlpreopen.
-	  dlprefiles="$dlprefiles $arg"
+	  func_append dlprefiles " $func_resolve_sysroot_result"
 	  prev=
 	else
-	  deplibs="$deplibs $arg"
+	  func_append deplibs " $func_resolve_sysroot_result"
 	fi
 	continue
 	;;
@@ -4925,7 +6014,7 @@ func_mode_link ()
 
     if test -n "$shlibpath_var"; then
       # get the directories listed in $shlibpath_var
-      eval shlib_search_path=\`\$ECHO \"X\${$shlibpath_var}\" \| \$Xsed -e \'s/:/ /g\'\`
+      eval shlib_search_path=\`\$ECHO \"\${$shlibpath_var}\" \| \$SED \'s/:/ /g\'\`
     else
       shlib_search_path=
     fi
@@ -4934,6 +6023,8 @@ func_mode_link ()
 
     func_dirname "$output" "/" ""
     output_objdir="$func_dirname_result$objdir"
+    func_to_tool_file "$output_objdir/"
+    tool_output_objdir=$func_to_tool_file_result
     # Create the object directory.
     func_mkdir_p "$output_objdir"
 
@@ -4954,12 +6045,12 @@ func_mode_link ()
     # Find all interdependent deplibs by searching for libraries
     # that are linked more than once (e.g. -la -lb -la)
     for deplib in $deplibs; do
-      if $opt_duplicate_deps ; then
+      if $opt_preserve_dup_deps ; then
 	case "$libs " in
-	*" $deplib "*) specialdeplibs="$specialdeplibs $deplib" ;;
+	*" $deplib "*) func_append specialdeplibs " $deplib" ;;
 	esac
       fi
-      libs="$libs $deplib"
+      func_append libs " $deplib"
     done
 
     if test "$linkmode" = lib; then
@@ -4972,9 +6063,9 @@ func_mode_link ()
       if $opt_duplicate_compiler_generated_deps; then
 	for pre_post_dep in $predeps $postdeps; do
 	  case "$pre_post_deps " in
-	  *" $pre_post_dep "*) specialdeplibs="$specialdeplibs $pre_post_deps" ;;
+	  *" $pre_post_dep "*) func_append specialdeplibs " $pre_post_deps" ;;
 	  esac
-	  pre_post_deps="$pre_post_deps $pre_post_dep"
+	  func_append pre_post_deps " $pre_post_dep"
 	done
       fi
       pre_post_deps=
@@ -5044,17 +6135,19 @@ func_mode_link ()
 	for lib in $dlprefiles; do
 	  # Ignore non-libtool-libs
 	  dependency_libs=
+	  func_resolve_sysroot "$lib"
 	  case $lib in
-	  *.la)	func_source "$lib" ;;
+	  *.la)	func_source "$func_resolve_sysroot_result" ;;
 	  esac
 
 	  # Collect preopened libtool deplibs, except any this library
 	  # has declared as weak libs
 	  for deplib in $dependency_libs; do
-            deplib_base=`$ECHO "X$deplib" | $Xsed -e "$basename"`
+	    func_basename "$deplib"
+            deplib_base=$func_basename_result
 	    case " $weak_libs " in
 	    *" $deplib_base "*) ;;
-	    *) deplibs="$deplibs $deplib" ;;
+	    *) func_append deplibs " $deplib" ;;
 	    esac
 	  done
 	done
@@ -5070,16 +6163,17 @@ func_mode_link ()
 	lib=
 	found=no
 	case $deplib in
-	-mt|-mthreads|-kthread|-Kthread|-pthread|-pthreads|--thread-safe|-threads)
+	-mt|-mthreads|-kthread|-Kthread|-pthread|-pthreads|--thread-safe \
+        |-threads|-fopenmp|-openmp|-mp|-xopenmp|-omp|-qsmp=*)
 	  if test "$linkmode,$pass" = "prog,link"; then
 	    compile_deplibs="$deplib $compile_deplibs"
 	    finalize_deplibs="$deplib $finalize_deplibs"
 	  else
-	    compiler_flags="$compiler_flags $deplib"
+	    func_append compiler_flags " $deplib"
 	    if test "$linkmode" = lib ; then
 		case "$new_inherited_linker_flags " in
 		    *" $deplib "*) ;;
-		    * ) new_inherited_linker_flags="$new_inherited_linker_flags $deplib" ;;
+		    * ) func_append new_inherited_linker_flags " $deplib" ;;
 		esac
 	    fi
 	  fi
@@ -5164,7 +6258,7 @@ func_mode_link ()
 	    if test "$linkmode" = lib ; then
 		case "$new_inherited_linker_flags " in
 		    *" $deplib "*) ;;
-		    * ) new_inherited_linker_flags="$new_inherited_linker_flags $deplib" ;;
+		    * ) func_append new_inherited_linker_flags " $deplib" ;;
 		esac
 	    fi
 	  fi
@@ -5177,7 +6271,8 @@ func_mode_link ()
 	    test "$pass" = conv && continue
 	    newdependency_libs="$deplib $newdependency_libs"
 	    func_stripname '-L' '' "$deplib"
-	    newlib_search_path="$newlib_search_path $func_stripname_result"
+	    func_resolve_sysroot "$func_stripname_result"
+	    func_append newlib_search_path " $func_resolve_sysroot_result"
 	    ;;
 	  prog)
 	    if test "$pass" = conv; then
@@ -5191,7 +6286,8 @@ func_mode_link ()
 	      finalize_deplibs="$deplib $finalize_deplibs"
 	    fi
 	    func_stripname '-L' '' "$deplib"
-	    newlib_search_path="$newlib_search_path $func_stripname_result"
+	    func_resolve_sysroot "$func_stripname_result"
+	    func_append newlib_search_path " $func_resolve_sysroot_result"
 	    ;;
 	  *)
 	    func_warning "\`-L' is ignored for archives/objects"
@@ -5202,17 +6298,21 @@ func_mode_link ()
 	-R*)
 	  if test "$pass" = link; then
 	    func_stripname '-R' '' "$deplib"
-	    dir=$func_stripname_result
+	    func_resolve_sysroot "$func_stripname_result"
+	    dir=$func_resolve_sysroot_result
 	    # Make sure the xrpath contains only unique directories.
 	    case "$xrpath " in
 	    *" $dir "*) ;;
-	    *) xrpath="$xrpath $dir" ;;
+	    *) func_append xrpath " $dir" ;;
 	    esac
 	  fi
 	  deplibs="$deplib $deplibs"
 	  continue
 	  ;;
-	*.la) lib="$deplib" ;;
+	*.la)
+	  func_resolve_sysroot "$deplib"
+	  lib=$func_resolve_sysroot_result
+	  ;;
 	*.$libext)
 	  if test "$pass" = conv; then
 	    deplibs="$deplib $deplibs"
@@ -5230,7 +6330,7 @@ func_mode_link ()
 		match_pattern*)
 		  set dummy $deplibs_check_method; shift
 		  match_pattern_regex=`expr "$deplibs_check_method" : "$1 \(.*\)"`
-		  if eval "\$ECHO \"X$deplib\"" 2>/dev/null | $Xsed -e 10q \
+		  if eval "\$ECHO \"$deplib\"" 2>/dev/null | $SED 10q \
 		    | $EGREP "$match_pattern_regex" > /dev/null; then
 		    valid_a_lib=yes
 		  fi
@@ -5240,15 +6340,15 @@ func_mode_link ()
 		;;
 	      esac
 	      if test "$valid_a_lib" != yes; then
-		$ECHO
+		echo
 		$ECHO "*** Warning: Trying to link with static lib archive $deplib."
-		$ECHO "*** I have the capability to make that library automatically link in when"
-		$ECHO "*** you link to this library.  But I can only do this if you have a"
-		$ECHO "*** shared version of the library, which you do not appear to have"
-		$ECHO "*** because the file extensions .$libext of this argument makes me believe"
-		$ECHO "*** that it is just a static archive that I should not use here."
+		echo "*** I have the capability to make that library automatically link in when"
+		echo "*** you link to this library.  But I can only do this if you have a"
+		echo "*** shared version of the library, which you do not appear to have"
+		echo "*** because the file extensions .$libext of this argument makes me believe"
+		echo "*** that it is just a static archive that I should not use here."
 	      else
-		$ECHO
+		echo
 		$ECHO "*** Warning: Linking the shared library $output against the"
 		$ECHO "*** static library $deplib is not portable!"
 		deplibs="$deplib $deplibs"
@@ -5275,11 +6375,11 @@ func_mode_link ()
 	    if test "$pass" = dlpreopen || test "$dlopen_support" != yes || test "$build_libtool_libs" = no; then
 	      # If there is no dlopen support or we're linking statically,
 	      # we need to preload.
-	      newdlprefiles="$newdlprefiles $deplib"
+	      func_append newdlprefiles " $deplib"
 	      compile_deplibs="$deplib $compile_deplibs"
 	      finalize_deplibs="$deplib $finalize_deplibs"
 	    else
-	      newdlfiles="$newdlfiles $deplib"
+	      func_append newdlfiles " $deplib"
 	    fi
 	  fi
 	  continue
@@ -5321,20 +6421,20 @@ func_mode_link ()
 
 	# Convert "-framework foo" to "foo.ltframework"
 	if test -n "$inherited_linker_flags"; then
-	  tmp_inherited_linker_flags=`$ECHO "X$inherited_linker_flags" | $Xsed -e 's/-framework \([^ $]*\)/\1.ltframework/g'`
+	  tmp_inherited_linker_flags=`$ECHO "$inherited_linker_flags" | $SED 's/-framework \([^ $]*\)/\1.ltframework/g'`
 	  for tmp_inherited_linker_flag in $tmp_inherited_linker_flags; do
 	    case " $new_inherited_linker_flags " in
 	      *" $tmp_inherited_linker_flag "*) ;;
-	      *) new_inherited_linker_flags="$new_inherited_linker_flags $tmp_inherited_linker_flag";;
+	      *) func_append new_inherited_linker_flags " $tmp_inherited_linker_flag";;
 	    esac
 	  done
 	fi
-	dependency_libs=`$ECHO "X $dependency_libs" | $Xsed -e 's% \([^ $]*\).ltframework% -framework \1%g'`
+	dependency_libs=`$ECHO " $dependency_libs" | $SED 's% \([^ $]*\).ltframework% -framework \1%g'`
 	if test "$linkmode,$pass" = "lib,link" ||
 	   test "$linkmode,$pass" = "prog,scan" ||
 	   { test "$linkmode" != prog && test "$linkmode" != lib; }; then
-	  test -n "$dlopen" && dlfiles="$dlfiles $dlopen"
-	  test -n "$dlpreopen" && dlprefiles="$dlprefiles $dlpreopen"
+	  test -n "$dlopen" && func_append dlfiles " $dlopen"
+	  test -n "$dlpreopen" && func_append dlprefiles " $dlpreopen"
 	fi
 
 	if test "$pass" = conv; then
@@ -5345,17 +6445,17 @@ func_mode_link ()
 	      func_fatal_error "cannot find name of link library for \`$lib'"
 	    fi
 	    # It is a libtool convenience library, so add in its objects.
-	    convenience="$convenience $ladir/$objdir/$old_library"
-	    old_convenience="$old_convenience $ladir/$objdir/$old_library"
+	    func_append convenience " $ladir/$objdir/$old_library"
+	    func_append old_convenience " $ladir/$objdir/$old_library"
 	    tmp_libs=
 	    for deplib in $dependency_libs; do
 	      deplibs="$deplib $deplibs"
-	      if $opt_duplicate_deps ; then
+	      if $opt_preserve_dup_deps ; then
 		case "$tmp_libs " in
-		*" $deplib "*) specialdeplibs="$specialdeplibs $deplib" ;;
+		*" $deplib "*) func_append specialdeplibs " $deplib" ;;
 		esac
 	      fi
-	      tmp_libs="$tmp_libs $deplib"
+	      func_append tmp_libs " $deplib"
 	    done
 	  elif test "$linkmode" != prog && test "$linkmode" != lib; then
 	    func_fatal_error "\`$lib' is not a convenience library"
@@ -5366,9 +6466,15 @@ func_mode_link ()
 
 	# Get the name of the library we link against.
 	linklib=
-	for l in $old_library $library_names; do
-	  linklib="$l"
-	done
+	if test -n "$old_library" &&
+	   { test "$prefer_static_libs" = yes ||
+	     test "$prefer_static_libs,$installed" = "built,no"; }; then
+	  linklib=$old_library
+	else
+	  for l in $old_library $library_names; do
+	    linklib="$l"
+	  done
+	fi
 	if test -z "$linklib"; then
 	  func_fatal_error "cannot find name of link library for \`$lib'"
 	fi
@@ -5385,9 +6491,9 @@ func_mode_link ()
 	    # statically, we need to preload.  We also need to preload any
 	    # dependent libraries so libltdl's deplib preloader doesn't
 	    # bomb out in the load deplibs phase.
-	    dlprefiles="$dlprefiles $lib $dependency_libs"
+	    func_append dlprefiles " $lib $dependency_libs"
 	  else
-	    newdlfiles="$newdlfiles $lib"
+	    func_append newdlfiles " $lib"
 	  fi
 	  continue
 	fi # $pass = dlopen
@@ -5409,14 +6515,14 @@ func_mode_link ()
 
 	# Find the relevant object directory and library name.
 	if test "X$installed" = Xyes; then
-	  if test ! -f "$libdir/$linklib" && test -f "$abs_ladir/$linklib"; then
+	  if test ! -f "$lt_sysroot$libdir/$linklib" && test -f "$abs_ladir/$linklib"; then
 	    func_warning "library \`$lib' was moved."
 	    dir="$ladir"
 	    absdir="$abs_ladir"
 	    libdir="$abs_ladir"
 	  else
-	    dir="$libdir"
-	    absdir="$libdir"
+	    dir="$lt_sysroot$libdir"
+	    absdir="$lt_sysroot$libdir"
 	  fi
 	  test "X$hardcode_automatic" = Xyes && avoidtemprpath=yes
 	else
@@ -5424,12 +6530,12 @@ func_mode_link ()
 	    dir="$ladir"
 	    absdir="$abs_ladir"
 	    # Remove this search path later
-	    notinst_path="$notinst_path $abs_ladir"
+	    func_append notinst_path " $abs_ladir"
 	  else
 	    dir="$ladir/$objdir"
 	    absdir="$abs_ladir/$objdir"
 	    # Remove this search path later
-	    notinst_path="$notinst_path $abs_ladir"
+	    func_append notinst_path " $abs_ladir"
 	  fi
 	fi # $installed = yes
 	func_stripname 'lib' '.la' "$laname"
@@ -5440,20 +6546,46 @@ func_mode_link ()
 	  if test -z "$libdir" && test "$linkmode" = prog; then
 	    func_fatal_error "only libraries may -dlpreopen a convenience library: \`$lib'"
 	  fi
-	  # Prefer using a static library (so that no silly _DYNAMIC symbols
-	  # are required to link).
-	  if test -n "$old_library"; then
-	    newdlprefiles="$newdlprefiles $dir/$old_library"
-	    # Keep a list of preopened convenience libraries to check
-	    # that they are being used correctly in the link pass.
-	    test -z "$libdir" && \
-		dlpreconveniencelibs="$dlpreconveniencelibs $dir/$old_library"
-	  # Otherwise, use the dlname, so that lt_dlopen finds it.
-	  elif test -n "$dlname"; then
-	    newdlprefiles="$newdlprefiles $dir/$dlname"
-	  else
-	    newdlprefiles="$newdlprefiles $dir/$linklib"
-	  fi
+	  case "$host" in
+	    # special handling for platforms with PE-DLLs.
+	    *cygwin* | *mingw* | *cegcc* )
+	      # Linker will automatically link against shared library if both
+	      # static and shared are present.  Therefore, ensure we extract
+	      # symbols from the import library if a shared library is present
+	      # (otherwise, the dlopen module name will be incorrect).  We do
+	      # this by putting the import library name into $newdlprefiles.
+	      # We recover the dlopen module name by 'saving' the la file
+	      # name in a special purpose variable, and (later) extracting the
+	      # dlname from the la file.
+	      if test -n "$dlname"; then
+	        func_tr_sh "$dir/$linklib"
+	        eval "libfile_$func_tr_sh_result=\$abs_ladir/\$laname"
+	        func_append newdlprefiles " $dir/$linklib"
+	      else
+	        func_append newdlprefiles " $dir/$old_library"
+	        # Keep a list of preopened convenience libraries to check
+	        # that they are being used correctly in the link pass.
+	        test -z "$libdir" && \
+	          func_append dlpreconveniencelibs " $dir/$old_library"
+	      fi
+	    ;;
+	    * )
+	      # Prefer using a static library (so that no silly _DYNAMIC symbols
+	      # are required to link).
+	      if test -n "$old_library"; then
+	        func_append newdlprefiles " $dir/$old_library"
+	        # Keep a list of preopened convenience libraries to check
+	        # that they are being used correctly in the link pass.
+	        test -z "$libdir" && \
+	          func_append dlpreconveniencelibs " $dir/$old_library"
+	      # Otherwise, use the dlname, so that lt_dlopen finds it.
+	      elif test -n "$dlname"; then
+	        func_append newdlprefiles " $dir/$dlname"
+	      else
+	        func_append newdlprefiles " $dir/$linklib"
+	      fi
+	    ;;
+	  esac
 	fi # $pass = dlpreopen
 
 	if test -z "$libdir"; then
@@ -5471,7 +6603,7 @@ func_mode_link ()
 
 
 	if test "$linkmode" = prog && test "$pass" != link; then
-	  newlib_search_path="$newlib_search_path $ladir"
+	  func_append newlib_search_path " $ladir"
 	  deplibs="$lib $deplibs"
 
 	  linkalldeplibs=no
@@ -5484,7 +6616,8 @@ func_mode_link ()
 	  for deplib in $dependency_libs; do
 	    case $deplib in
 	    -L*) func_stripname '-L' '' "$deplib"
-	         newlib_search_path="$newlib_search_path $func_stripname_result"
+	         func_resolve_sysroot "$func_stripname_result"
+	         func_append newlib_search_path " $func_resolve_sysroot_result"
 		 ;;
 	    esac
 	    # Need to link against all dependency_libs?
@@ -5495,12 +6628,12 @@ func_mode_link ()
 	      # or/and link against static libraries
 	      newdependency_libs="$deplib $newdependency_libs"
 	    fi
-	    if $opt_duplicate_deps ; then
+	    if $opt_preserve_dup_deps ; then
 	      case "$tmp_libs " in
-	      *" $deplib "*) specialdeplibs="$specialdeplibs $deplib" ;;
+	      *" $deplib "*) func_append specialdeplibs " $deplib" ;;
 	      esac
 	    fi
-	    tmp_libs="$tmp_libs $deplib"
+	    func_append tmp_libs " $deplib"
 	  done # for deplib
 	  continue
 	fi # $linkmode = prog...
@@ -5515,7 +6648,7 @@ func_mode_link ()
 	      # Make sure the rpath contains only unique directories.
 	      case "$temp_rpath:" in
 	      *"$absdir:"*) ;;
-	      *) temp_rpath="$temp_rpath$absdir:" ;;
+	      *) func_append temp_rpath "$absdir:" ;;
 	      esac
 	    fi
 
@@ -5527,7 +6660,7 @@ func_mode_link ()
 	    *)
 	      case "$compile_rpath " in
 	      *" $absdir "*) ;;
-	      *) compile_rpath="$compile_rpath $absdir"
+	      *) func_append compile_rpath " $absdir" ;;
 	      esac
 	      ;;
 	    esac
@@ -5536,7 +6669,7 @@ func_mode_link ()
 	    *)
 	      case "$finalize_rpath " in
 	      *" $libdir "*) ;;
-	      *) finalize_rpath="$finalize_rpath $libdir"
+	      *) func_append finalize_rpath " $libdir" ;;
 	      esac
 	      ;;
 	    esac
@@ -5561,12 +6694,12 @@ func_mode_link ()
 	  case $host in
 	  *cygwin* | *mingw* | *cegcc*)
 	      # No point in relinking DLLs because paths are not encoded
-	      notinst_deplibs="$notinst_deplibs $lib"
+	      func_append notinst_deplibs " $lib"
 	      need_relink=no
 	    ;;
 	  *)
 	    if test "$installed" = no; then
-	      notinst_deplibs="$notinst_deplibs $lib"
+	      func_append notinst_deplibs " $lib"
 	      need_relink=yes
 	    fi
 	    ;;
@@ -5583,7 +6716,7 @@ func_mode_link ()
 	    fi
 	  done
 	  if test -z "$dlopenmodule" && test "$shouldnotlink" = yes && test "$pass" = link; then
-	    $ECHO
+	    echo
 	    if test "$linkmode" = prog; then
 	      $ECHO "*** Warning: Linking the executable $output against the loadable module"
 	    else
@@ -5601,7 +6734,7 @@ func_mode_link ()
 	    *)
 	      case "$compile_rpath " in
 	      *" $absdir "*) ;;
-	      *) compile_rpath="$compile_rpath $absdir"
+	      *) func_append compile_rpath " $absdir" ;;
 	      esac
 	      ;;
 	    esac
@@ -5610,7 +6743,7 @@ func_mode_link ()
 	    *)
 	      case "$finalize_rpath " in
 	      *" $libdir "*) ;;
-	      *) finalize_rpath="$finalize_rpath $libdir"
+	      *) func_append finalize_rpath " $libdir" ;;
 	      esac
 	      ;;
 	    esac
@@ -5664,7 +6797,7 @@ func_mode_link ()
 	    linklib=$newlib
 	  fi # test -n "$old_archive_from_expsyms_cmds"
 
-	  if test "$linkmode" = prog || test "$mode" != relink; then
+	  if test "$linkmode" = prog || test "$opt_mode" != relink; then
 	    add_shlibpath=
 	    add_dir=
 	    add=
@@ -5686,9 +6819,9 @@ func_mode_link ()
 		      if test "X$dlopenmodule" != "X$lib"; then
 			$ECHO "*** Warning: lib $linklib is a module, not a shared library"
 			if test -z "$old_library" ; then
-			  $ECHO
-			  $ECHO "*** And there doesn't seem to be a static archive available"
-			  $ECHO "*** The link will probably fail, sorry"
+			  echo
+			  echo "*** And there doesn't seem to be a static archive available"
+			  echo "*** The link will probably fail, sorry"
 			else
 			  add="$dir/$old_library"
 			fi
@@ -5715,12 +6848,12 @@ func_mode_link ()
 	         test "$hardcode_direct_absolute" = no; then
 		add="$dir/$linklib"
 	      elif test "$hardcode_minus_L" = yes; then
-		add_dir="-L$dir"
+		add_dir="-L$absdir"
 		# Try looking first in the location we're being installed to.
 		if test -n "$inst_prefix_dir"; then
 		  case $libdir in
 		    [\\/]*)
-		      add_dir="$add_dir -L$inst_prefix_dir$libdir"
+		      func_append add_dir " -L$inst_prefix_dir$libdir"
 		      ;;
 		  esac
 		fi
@@ -5742,7 +6875,7 @@ func_mode_link ()
 	    if test -n "$add_shlibpath"; then
 	      case :$compile_shlibpath: in
 	      *":$add_shlibpath:"*) ;;
-	      *) compile_shlibpath="$compile_shlibpath$add_shlibpath:" ;;
+	      *) func_append compile_shlibpath "$add_shlibpath:" ;;
 	      esac
 	    fi
 	    if test "$linkmode" = prog; then
@@ -5756,13 +6889,13 @@ func_mode_link ()
 		 test "$hardcode_shlibpath_var" = yes; then
 		case :$finalize_shlibpath: in
 		*":$libdir:"*) ;;
-		*) finalize_shlibpath="$finalize_shlibpath$libdir:" ;;
+		*) func_append finalize_shlibpath "$libdir:" ;;
 		esac
 	      fi
 	    fi
 	  fi
 
-	  if test "$linkmode" = prog || test "$mode" = relink; then
+	  if test "$linkmode" = prog || test "$opt_mode" = relink; then
 	    add_shlibpath=
 	    add_dir=
 	    add=
@@ -5776,7 +6909,7 @@ func_mode_link ()
 	    elif test "$hardcode_shlibpath_var" = yes; then
 	      case :$finalize_shlibpath: in
 	      *":$libdir:"*) ;;
-	      *) finalize_shlibpath="$finalize_shlibpath$libdir:" ;;
+	      *) func_append finalize_shlibpath "$libdir:" ;;
 	      esac
 	      add="-l$name"
 	    elif test "$hardcode_automatic" = yes; then
@@ -5793,7 +6926,7 @@ func_mode_link ()
 	      if test -n "$inst_prefix_dir"; then
 		case $libdir in
 		  [\\/]*)
-		    add_dir="$add_dir -L$inst_prefix_dir$libdir"
+		    func_append add_dir " -L$inst_prefix_dir$libdir"
 		    ;;
 		esac
 	      fi
@@ -5828,21 +6961,21 @@ func_mode_link ()
 
 	    # Just print a warning and add the library to dependency_libs so
 	    # that the program can be linked against the static library.
-	    $ECHO
+	    echo
 	    $ECHO "*** Warning: This system can not link to static lib archive $lib."
-	    $ECHO "*** I have the capability to make that library automatically link in when"
-	    $ECHO "*** you link to this library.  But I can only do this if you have a"
-	    $ECHO "*** shared version of the library, which you do not appear to have."
+	    echo "*** I have the capability to make that library automatically link in when"
+	    echo "*** you link to this library.  But I can only do this if you have a"
+	    echo "*** shared version of the library, which you do not appear to have."
 	    if test "$module" = yes; then
-	      $ECHO "*** But as you try to build a module library, libtool will still create "
-	      $ECHO "*** a static module, that should work as long as the dlopening application"
-	      $ECHO "*** is linked with the -dlopen flag to resolve symbols at runtime."
+	      echo "*** But as you try to build a module library, libtool will still create "
+	      echo "*** a static module, that should work as long as the dlopening application"
+	      echo "*** is linked with the -dlopen flag to resolve symbols at runtime."
 	      if test -z "$global_symbol_pipe"; then
-		$ECHO
-		$ECHO "*** However, this would only work if libtool was able to extract symbol"
-		$ECHO "*** lists from a program, using \`nm' or equivalent, but libtool could"
-		$ECHO "*** not find such a program.  So, this module is probably useless."
-		$ECHO "*** \`nm' from GNU binutils and a full rebuild may help."
+		echo
+		echo "*** However, this would only work if libtool was able to extract symbol"
+		echo "*** lists from a program, using \`nm' or equivalent, but libtool could"
+		echo "*** not find such a program.  So, this module is probably useless."
+		echo "*** \`nm' from GNU binutils and a full rebuild may help."
 	      fi
 	      if test "$build_old_libs" = no; then
 		build_libtool_libs=module
@@ -5870,27 +7003,33 @@ func_mode_link ()
 	           temp_xrpath=$func_stripname_result
 		   case " $xrpath " in
 		   *" $temp_xrpath "*) ;;
-		   *) xrpath="$xrpath $temp_xrpath";;
+		   *) func_append xrpath " $temp_xrpath";;
 		   esac;;
-	      *) temp_deplibs="$temp_deplibs $libdir";;
+	      *) func_append temp_deplibs " $libdir";;
 	      esac
 	    done
 	    dependency_libs="$temp_deplibs"
 	  fi
 
-	  newlib_search_path="$newlib_search_path $absdir"
+	  func_append newlib_search_path " $absdir"
 	  # Link against this library
 	  test "$link_static" = no && newdependency_libs="$abs_ladir/$laname $newdependency_libs"
 	  # ... and its dependency_libs
 	  tmp_libs=
 	  for deplib in $dependency_libs; do
 	    newdependency_libs="$deplib $newdependency_libs"
-	    if $opt_duplicate_deps ; then
+	    case $deplib in
+              -L*) func_stripname '-L' '' "$deplib"
+                   func_resolve_sysroot "$func_stripname_result";;
+              *) func_resolve_sysroot "$deplib" ;;
+            esac
+	    if $opt_preserve_dup_deps ; then
 	      case "$tmp_libs " in
-	      *" $deplib "*) specialdeplibs="$specialdeplibs $deplib" ;;
+	      *" $func_resolve_sysroot_result "*)
+                func_append specialdeplibs " $func_resolve_sysroot_result" ;;
 	      esac
 	    fi
-	    tmp_libs="$tmp_libs $deplib"
+	    func_append tmp_libs " $func_resolve_sysroot_result"
 	  done
 
 	  if test "$link_all_deplibs" != no; then
@@ -5900,8 +7039,10 @@ func_mode_link ()
 	      case $deplib in
 	      -L*) path="$deplib" ;;
 	      *.la)
+	        func_resolve_sysroot "$deplib"
+	        deplib=$func_resolve_sysroot_result
 	        func_dirname "$deplib" "" "."
-		dir="$func_dirname_result"
+		dir=$func_dirname_result
 		# We need an absolute path.
 		case $dir in
 		[\\/]* | [A-Za-z]:[\\/]*) absdir="$dir" ;;
@@ -5928,8 +7069,8 @@ func_mode_link ()
                       if test -z "$darwin_install_name"; then
                           darwin_install_name=`${OTOOL64} -L $depdepl  | awk '{if (NR == 2) {print $1;exit}}'`
                       fi
-		      compiler_flags="$compiler_flags ${wl}-dylib_file ${wl}${darwin_install_name}:${depdepl}"
-		      linker_flags="$linker_flags -dylib_file ${darwin_install_name}:${depdepl}"
+		      func_append compiler_flags " ${wl}-dylib_file ${wl}${darwin_install_name}:${depdepl}"
+		      func_append linker_flags " -dylib_file ${darwin_install_name}:${depdepl}"
 		      path=
 		    fi
 		  fi
@@ -5962,7 +7103,7 @@ func_mode_link ()
 	  compile_deplibs="$new_inherited_linker_flags $compile_deplibs"
 	  finalize_deplibs="$new_inherited_linker_flags $finalize_deplibs"
 	else
-	  compiler_flags="$compiler_flags "`$ECHO "X $new_inherited_linker_flags" | $Xsed -e 's% \([^ $]*\).ltframework% -framework \1%g'`
+	  compiler_flags="$compiler_flags "`$ECHO " $new_inherited_linker_flags" | $SED 's% \([^ $]*\).ltframework% -framework \1%g'`
 	fi
       fi
       dependency_libs="$newdependency_libs"
@@ -5979,7 +7120,7 @@ func_mode_link ()
 	  for dir in $newlib_search_path; do
 	    case "$lib_search_path " in
 	    *" $dir "*) ;;
-	    *) lib_search_path="$lib_search_path $dir" ;;
+	    *) func_append lib_search_path " $dir" ;;
 	    esac
 	  done
 	  newlib_search_path=
@@ -6037,10 +7178,10 @@ func_mode_link ()
 	    -L*)
 	      case " $tmp_libs " in
 	      *" $deplib "*) ;;
-	      *) tmp_libs="$tmp_libs $deplib" ;;
+	      *) func_append tmp_libs " $deplib" ;;
 	      esac
 	      ;;
-	    *) tmp_libs="$tmp_libs $deplib" ;;
+	    *) func_append tmp_libs " $deplib" ;;
 	    esac
 	  done
 	  eval $var=\"$tmp_libs\"
@@ -6056,7 +7197,7 @@ func_mode_link ()
 	  ;;
 	esac
 	if test -n "$i" ; then
-	  tmp_libs="$tmp_libs $i"
+	  func_append tmp_libs " $i"
 	fi
       done
       dependency_libs=$tmp_libs
@@ -6097,7 +7238,7 @@ func_mode_link ()
       # Now set the variables for building old libraries.
       build_libtool_libs=no
       oldlibs="$output"
-      objs="$objs$old_deplibs"
+      func_append objs "$old_deplibs"
       ;;
 
     lib)
@@ -6130,10 +7271,10 @@ func_mode_link ()
 	if test "$deplibs_check_method" != pass_all; then
 	  func_fatal_error "cannot build libtool library \`$output' from non-libtool objects on this host:$objs"
 	else
-	  $ECHO
+	  echo
 	  $ECHO "*** Warning: Linking the shared library $output against the non-libtool"
 	  $ECHO "*** objects $objs is not portable!"
-	  libobjs="$libobjs $objs"
+	  func_append libobjs " $objs"
 	fi
       fi
 
@@ -6192,13 +7333,14 @@ func_mode_link ()
 	  # which has an extra 1 added just for fun
 	  #
 	  case $version_type in
+	  # correct linux to gnu/linux during the next big refactor
 	  darwin|linux|osf|windows|none)
 	    func_arith $number_major + $number_minor
 	    current=$func_arith_result
 	    age="$number_minor"
 	    revision="$number_revision"
 	    ;;
-	  freebsd-aout|freebsd-elf|sunos)
+	  freebsd-aout|freebsd-elf|qnx|sunos)
 	    current="$number_major"
 	    revision="$number_minor"
 	    age="0"
@@ -6311,7 +7453,7 @@ func_mode_link ()
 	  versuffix="$major.$revision"
 	  ;;
 
-	linux)
+	linux) # correct to gnu/linux during the next big refactor
 	  func_arith $current - $age
 	  major=.$func_arith_result
 	  versuffix="$major.$age.$revision"
@@ -6334,7 +7476,7 @@ func_mode_link ()
 	  done
 
 	  # Make executables depend on our current version.
-	  verstring="$verstring:${current}.0"
+	  func_append verstring ":${current}.0"
 	  ;;
 
 	qnx)
@@ -6402,10 +7544,10 @@ func_mode_link ()
       fi
 
       func_generate_dlsyms "$libname" "$libname" "yes"
-      libobjs="$libobjs $symfileobj"
+      func_append libobjs " $symfileobj"
       test "X$libobjs" = "X " && libobjs=
 
-      if test "$mode" != relink; then
+      if test "$opt_mode" != relink; then
 	# Remove our outputs, but don't remove object files since they
 	# may have been created when compiling PIC objects.
 	removelist=
@@ -6421,7 +7563,7 @@ func_mode_link ()
 		   continue
 		 fi
 	       fi
-	       removelist="$removelist $p"
+	       func_append removelist " $p"
 	       ;;
 	    *) ;;
 	  esac
@@ -6432,27 +7574,28 @@ func_mode_link ()
 
       # Now set the variables for building old libraries.
       if test "$build_old_libs" = yes && test "$build_libtool_libs" != convenience ; then
-	oldlibs="$oldlibs $output_objdir/$libname.$libext"
+	func_append oldlibs " $output_objdir/$libname.$libext"
 
 	# Transform .lo files to .o files.
-	oldobjs="$objs "`$ECHO "X$libobjs" | $SP2NL | $Xsed -e '/\.'${libext}'$/d' -e "$lo2o" | $NL2SP`
+	oldobjs="$objs "`$ECHO "$libobjs" | $SP2NL | $SED "/\.${libext}$/d; $lo2o" | $NL2SP`
       fi
 
       # Eliminate all temporary directories.
       #for path in $notinst_path; do
-      #	lib_search_path=`$ECHO "X$lib_search_path " | $Xsed -e "s% $path % %g"`
-      #	deplibs=`$ECHO "X$deplibs " | $Xsed -e "s% -L$path % %g"`
-      #	dependency_libs=`$ECHO "X$dependency_libs " | $Xsed -e "s% -L$path % %g"`
+      #	lib_search_path=`$ECHO "$lib_search_path " | $SED "s% $path % %g"`
+      #	deplibs=`$ECHO "$deplibs " | $SED "s% -L$path % %g"`
+      #	dependency_libs=`$ECHO "$dependency_libs " | $SED "s% -L$path % %g"`
       #done
 
       if test -n "$xrpath"; then
 	# If the user specified any rpath flags, then add them.
 	temp_xrpath=
 	for libdir in $xrpath; do
-	  temp_xrpath="$temp_xrpath -R$libdir"
+	  func_replace_sysroot "$libdir"
+	  func_append temp_xrpath " -R$func_replace_sysroot_result"
 	  case "$finalize_rpath " in
 	  *" $libdir "*) ;;
-	  *) finalize_rpath="$finalize_rpath $libdir" ;;
+	  *) func_append finalize_rpath " $libdir" ;;
 	  esac
 	done
 	if test "$hardcode_into_libs" != yes || test "$build_old_libs" = yes; then
@@ -6466,7 +7609,7 @@ func_mode_link ()
       for lib in $old_dlfiles; do
 	case " $dlprefiles $dlfiles " in
 	*" $lib "*) ;;
-	*) dlfiles="$dlfiles $lib" ;;
+	*) func_append dlfiles " $lib" ;;
 	esac
       done
 
@@ -6476,19 +7619,19 @@ func_mode_link ()
       for lib in $old_dlprefiles; do
 	case "$dlprefiles " in
 	*" $lib "*) ;;
-	*) dlprefiles="$dlprefiles $lib" ;;
+	*) func_append dlprefiles " $lib" ;;
 	esac
       done
 
       if test "$build_libtool_libs" = yes; then
 	if test -n "$rpath"; then
 	  case $host in
-	  *-*-cygwin* | *-*-mingw* | *-*-pw32* | *-*-os2* | *-*-beos* | *-cegcc*)
+	  *-*-cygwin* | *-*-mingw* | *-*-pw32* | *-*-os2* | *-*-beos* | *-cegcc* | *-*-haiku*)
 	    # these systems don't actually have a c library (as such)!
 	    ;;
 	  *-*-rhapsody* | *-*-darwin1.[012])
 	    # Rhapsody C library is in the System framework
-	    deplibs="$deplibs System.ltframework"
+	    func_append deplibs " System.ltframework"
 	    ;;
 	  *-*-netbsd*)
 	    # Don't link with libc until the a.out ld.so is fixed.
@@ -6505,7 +7648,7 @@ func_mode_link ()
 	  *)
 	    # Add libc to deplibs on all other systems if necessary.
 	    if test "$build_libtool_need_lc" = "yes"; then
-	      deplibs="$deplibs -lc"
+	      func_append deplibs " -lc"
 	    fi
 	    ;;
 	  esac
@@ -6554,7 +7697,7 @@ EOF
 		if test "X$allow_libtool_libs_with_static_runtimes" = "Xyes" ; then
 		  case " $predeps $postdeps " in
 		  *" $i "*)
-		    newdeplibs="$newdeplibs $i"
+		    func_append newdeplibs " $i"
 		    i=""
 		    ;;
 		  esac
@@ -6565,21 +7708,21 @@ EOF
 		  set dummy $deplib_matches; shift
 		  deplib_match=$1
 		  if test `expr "$ldd_output" : ".*$deplib_match"` -ne 0 ; then
-		    newdeplibs="$newdeplibs $i"
+		    func_append newdeplibs " $i"
 		  else
 		    droppeddeps=yes
-		    $ECHO
+		    echo
 		    $ECHO "*** Warning: dynamic linker does not accept needed library $i."
-		    $ECHO "*** I have the capability to make that library automatically link in when"
-		    $ECHO "*** you link to this library.  But I can only do this if you have a"
-		    $ECHO "*** shared version of the library, which I believe you do not have"
-		    $ECHO "*** because a test_compile did reveal that the linker did not use it for"
-		    $ECHO "*** its dynamic dependency list that programs get resolved with at runtime."
+		    echo "*** I have the capability to make that library automatically link in when"
+		    echo "*** you link to this library.  But I can only do this if you have a"
+		    echo "*** shared version of the library, which I believe you do not have"
+		    echo "*** because a test_compile did reveal that the linker did not use it for"
+		    echo "*** its dynamic dependency list that programs get resolved with at runtime."
 		  fi
 		fi
 		;;
 	      *)
-		newdeplibs="$newdeplibs $i"
+		func_append newdeplibs " $i"
 		;;
 	      esac
 	    done
@@ -6597,7 +7740,7 @@ EOF
 		  if test "X$allow_libtool_libs_with_static_runtimes" = "Xyes" ; then
 		    case " $predeps $postdeps " in
 		    *" $i "*)
-		      newdeplibs="$newdeplibs $i"
+		      func_append newdeplibs " $i"
 		      i=""
 		      ;;
 		    esac
@@ -6608,29 +7751,29 @@ EOF
 		    set dummy $deplib_matches; shift
 		    deplib_match=$1
 		    if test `expr "$ldd_output" : ".*$deplib_match"` -ne 0 ; then
-		      newdeplibs="$newdeplibs $i"
+		      func_append newdeplibs " $i"
 		    else
 		      droppeddeps=yes
-		      $ECHO
+		      echo
 		      $ECHO "*** Warning: dynamic linker does not accept needed library $i."
-		      $ECHO "*** I have the capability to make that library automatically link in when"
-		      $ECHO "*** you link to this library.  But I can only do this if you have a"
-		      $ECHO "*** shared version of the library, which you do not appear to have"
-		      $ECHO "*** because a test_compile did reveal that the linker did not use this one"
-		      $ECHO "*** as a dynamic dependency that programs can get resolved with at runtime."
+		      echo "*** I have the capability to make that library automatically link in when"
+		      echo "*** you link to this library.  But I can only do this if you have a"
+		      echo "*** shared version of the library, which you do not appear to have"
+		      echo "*** because a test_compile did reveal that the linker did not use this one"
+		      echo "*** as a dynamic dependency that programs can get resolved with at runtime."
 		    fi
 		  fi
 		else
 		  droppeddeps=yes
-		  $ECHO
+		  echo
 		  $ECHO "*** Warning!  Library $i is needed by this library but I was not able to"
-		  $ECHO "*** make it link in!  You will probably need to install it or some"
-		  $ECHO "*** library that it depends on before this library will be fully"
-		  $ECHO "*** functional.  Installing it before continuing would be even better."
+		  echo "*** make it link in!  You will probably need to install it or some"
+		  echo "*** library that it depends on before this library will be fully"
+		  echo "*** functional.  Installing it before continuing would be even better."
 		fi
 		;;
 	      *)
-		newdeplibs="$newdeplibs $i"
+		func_append newdeplibs " $i"
 		;;
 	      esac
 	    done
@@ -6647,15 +7790,27 @@ EOF
 	      if test "X$allow_libtool_libs_with_static_runtimes" = "Xyes" ; then
 		case " $predeps $postdeps " in
 		*" $a_deplib "*)
-		  newdeplibs="$newdeplibs $a_deplib"
+		  func_append newdeplibs " $a_deplib"
 		  a_deplib=""
 		  ;;
 		esac
 	      fi
 	      if test -n "$a_deplib" ; then
 		libname=`eval "\\$ECHO \"$libname_spec\""`
+		if test -n "$file_magic_glob"; then
+		  libnameglob=`func_echo_all "$libname" | $SED -e $file_magic_glob`
+		else
+		  libnameglob=$libname
+		fi
+		test "$want_nocaseglob" = yes && nocaseglob=`shopt -p nocaseglob`
 		for i in $lib_search_path $sys_lib_search_path $shlib_search_path; do
-		  potential_libs=`ls $i/$libname[.-]* 2>/dev/null`
+		  if test "$want_nocaseglob" = yes; then
+		    shopt -s nocaseglob
+		    potential_libs=`ls $i/$libnameglob[.-]* 2>/dev/null`
+		    $nocaseglob
+		  else
+		    potential_libs=`ls $i/$libnameglob[.-]* 2>/dev/null`
+		  fi
 		  for potent_lib in $potential_libs; do
 		      # Follow soft links.
 		      if ls -lLd "$potent_lib" 2>/dev/null |
@@ -6672,13 +7827,13 @@ EOF
 			potliblink=`ls -ld $potlib | ${SED} 's/.* -> //'`
 			case $potliblink in
 			[\\/]* | [A-Za-z]:[\\/]*) potlib="$potliblink";;
-			*) potlib=`$ECHO "X$potlib" | $Xsed -e 's,[^/]*$,,'`"$potliblink";;
+			*) potlib=`$ECHO "$potlib" | $SED 's,[^/]*$,,'`"$potliblink";;
 			esac
 		      done
 		      if eval $file_magic_cmd \"\$potlib\" 2>/dev/null |
 			 $SED -e 10q |
 			 $EGREP "$file_magic_regex" > /dev/null; then
-			newdeplibs="$newdeplibs $a_deplib"
+			func_append newdeplibs " $a_deplib"
 			a_deplib=""
 			break 2
 		      fi
@@ -6687,12 +7842,12 @@ EOF
 	      fi
 	      if test -n "$a_deplib" ; then
 		droppeddeps=yes
-		$ECHO
+		echo
 		$ECHO "*** Warning: linker path does not have real file for library $a_deplib."
-		$ECHO "*** I have the capability to make that library automatically link in when"
-		$ECHO "*** you link to this library.  But I can only do this if you have a"
-		$ECHO "*** shared version of the library, which you do not appear to have"
-		$ECHO "*** because I did check the linker path looking for a file starting"
+		echo "*** I have the capability to make that library automatically link in when"
+		echo "*** you link to this library.  But I can only do this if you have a"
+		echo "*** shared version of the library, which you do not appear to have"
+		echo "*** because I did check the linker path looking for a file starting"
 		if test -z "$potlib" ; then
 		  $ECHO "*** with $libname but no candidates were found. (...for file magic test)"
 		else
@@ -6703,7 +7858,7 @@ EOF
 	      ;;
 	    *)
 	      # Add a -L argument.
-	      newdeplibs="$newdeplibs $a_deplib"
+	      func_append newdeplibs " $a_deplib"
 	      ;;
 	    esac
 	  done # Gone through all deplibs.
@@ -6719,7 +7874,7 @@ EOF
 	      if test "X$allow_libtool_libs_with_static_runtimes" = "Xyes" ; then
 		case " $predeps $postdeps " in
 		*" $a_deplib "*)
-		  newdeplibs="$newdeplibs $a_deplib"
+		  func_append newdeplibs " $a_deplib"
 		  a_deplib=""
 		  ;;
 		esac
@@ -6730,9 +7885,9 @@ EOF
 		  potential_libs=`ls $i/$libname[.-]* 2>/dev/null`
 		  for potent_lib in $potential_libs; do
 		    potlib="$potent_lib" # see symlink-check above in file_magic test
-		    if eval "\$ECHO \"X$potent_lib\"" 2>/dev/null | $Xsed -e 10q | \
+		    if eval "\$ECHO \"$potent_lib\"" 2>/dev/null | $SED 10q | \
 		       $EGREP "$match_pattern_regex" > /dev/null; then
-		      newdeplibs="$newdeplibs $a_deplib"
+		      func_append newdeplibs " $a_deplib"
 		      a_deplib=""
 		      break 2
 		    fi
@@ -6741,12 +7896,12 @@ EOF
 	      fi
 	      if test -n "$a_deplib" ; then
 		droppeddeps=yes
-		$ECHO
+		echo
 		$ECHO "*** Warning: linker path does not have real file for library $a_deplib."
-		$ECHO "*** I have the capability to make that library automatically link in when"
-		$ECHO "*** you link to this library.  But I can only do this if you have a"
-		$ECHO "*** shared version of the library, which you do not appear to have"
-		$ECHO "*** because I did check the linker path looking for a file starting"
+		echo "*** I have the capability to make that library automatically link in when"
+		echo "*** you link to this library.  But I can only do this if you have a"
+		echo "*** shared version of the library, which you do not appear to have"
+		echo "*** because I did check the linker path looking for a file starting"
 		if test -z "$potlib" ; then
 		  $ECHO "*** with $libname but no candidates were found. (...for regex pattern test)"
 		else
@@ -6757,32 +7912,32 @@ EOF
 	      ;;
 	    *)
 	      # Add a -L argument.
-	      newdeplibs="$newdeplibs $a_deplib"
+	      func_append newdeplibs " $a_deplib"
 	      ;;
 	    esac
 	  done # Gone through all deplibs.
 	  ;;
 	none | unknown | *)
 	  newdeplibs=""
-	  tmp_deplibs=`$ECHO "X $deplibs" | $Xsed \
-	      -e 's/ -lc$//' -e 's/ -[LR][^ ]*//g'`
+	  tmp_deplibs=`$ECHO " $deplibs" | $SED 's/ -lc$//; s/ -[LR][^ ]*//g'`
 	  if test "X$allow_libtool_libs_with_static_runtimes" = "Xyes" ; then
 	    for i in $predeps $postdeps ; do
 	      # can't use Xsed below, because $i might contain '/'
-	      tmp_deplibs=`$ECHO "X $tmp_deplibs" | $Xsed -e "s,$i,,"`
+	      tmp_deplibs=`$ECHO " $tmp_deplibs" | $SED "s,$i,,"`
 	    done
 	  fi
-	  if $ECHO "X $tmp_deplibs" | $Xsed -e 's/[	 ]//g' |
-	     $GREP . >/dev/null; then
-	    $ECHO
+	  case $tmp_deplibs in
+	  *[!\	\ ]*)
+	    echo
 	    if test "X$deplibs_check_method" = "Xnone"; then
-	      $ECHO "*** Warning: inter-library dependencies are not supported in this platform."
+	      echo "*** Warning: inter-library dependencies are not supported in this platform."
 	    else
-	      $ECHO "*** Warning: inter-library dependencies are not known to be supported."
+	      echo "*** Warning: inter-library dependencies are not known to be supported."
 	    fi
-	    $ECHO "*** All declared inter-library dependencies are being dropped."
+	    echo "*** All declared inter-library dependencies are being dropped."
 	    droppeddeps=yes
-	  fi
+	    ;;
+	  esac
 	  ;;
 	esac
 	versuffix=$versuffix_save
@@ -6794,23 +7949,23 @@ EOF
 	case $host in
 	*-*-rhapsody* | *-*-darwin1.[012])
 	  # On Rhapsody replace the C library with the System framework
-	  newdeplibs=`$ECHO "X $newdeplibs" | $Xsed -e 's/ -lc / System.ltframework /'`
+	  newdeplibs=`$ECHO " $newdeplibs" | $SED 's/ -lc / System.ltframework /'`
 	  ;;
 	esac
 
 	if test "$droppeddeps" = yes; then
 	  if test "$module" = yes; then
-	    $ECHO
-	    $ECHO "*** Warning: libtool could not satisfy all declared inter-library"
+	    echo
+	    echo "*** Warning: libtool could not satisfy all declared inter-library"
 	    $ECHO "*** dependencies of module $libname.  Therefore, libtool will create"
-	    $ECHO "*** a static module, that should work as long as the dlopening"
-	    $ECHO "*** application is linked with the -dlopen flag."
+	    echo "*** a static module, that should work as long as the dlopening"
+	    echo "*** application is linked with the -dlopen flag."
 	    if test -z "$global_symbol_pipe"; then
-	      $ECHO
-	      $ECHO "*** However, this would only work if libtool was able to extract symbol"
-	      $ECHO "*** lists from a program, using \`nm' or equivalent, but libtool could"
-	      $ECHO "*** not find such a program.  So, this module is probably useless."
-	      $ECHO "*** \`nm' from GNU binutils and a full rebuild may help."
+	      echo
+	      echo "*** However, this would only work if libtool was able to extract symbol"
+	      echo "*** lists from a program, using \`nm' or equivalent, but libtool could"
+	      echo "*** not find such a program.  So, this module is probably useless."
+	      echo "*** \`nm' from GNU binutils and a full rebuild may help."
 	    fi
 	    if test "$build_old_libs" = no; then
 	      oldlibs="$output_objdir/$libname.$libext"
@@ -6820,16 +7975,16 @@ EOF
 	      build_libtool_libs=no
 	    fi
 	  else
-	    $ECHO "*** The inter-library dependencies that have been dropped here will be"
-	    $ECHO "*** automatically added whenever a program is linked with this library"
-	    $ECHO "*** or is declared to -dlopen it."
+	    echo "*** The inter-library dependencies that have been dropped here will be"
+	    echo "*** automatically added whenever a program is linked with this library"
+	    echo "*** or is declared to -dlopen it."
 
 	    if test "$allow_undefined" = no; then
-	      $ECHO
-	      $ECHO "*** Since this library must not contain undefined symbols,"
-	      $ECHO "*** because either the platform does not support them or"
-	      $ECHO "*** it was explicitly requested with -no-undefined,"
-	      $ECHO "*** libtool will only create a static version of it."
+	      echo
+	      echo "*** Since this library must not contain undefined symbols,"
+	      echo "*** because either the platform does not support them or"
+	      echo "*** it was explicitly requested with -no-undefined,"
+	      echo "*** libtool will only create a static version of it."
 	      if test "$build_old_libs" = no; then
 		oldlibs="$output_objdir/$libname.$libext"
 		build_libtool_libs=module
@@ -6846,9 +8001,9 @@ EOF
       # Time to change all our "foo.ltframework" stuff back to "-framework foo"
       case $host in
 	*-*-darwin*)
-	  newdeplibs=`$ECHO "X $newdeplibs" | $Xsed -e 's% \([^ $]*\).ltframework% -framework \1%g'`
-	  new_inherited_linker_flags=`$ECHO "X $new_inherited_linker_flags" | $Xsed -e 's% \([^ $]*\).ltframework% -framework \1%g'`
-	  deplibs=`$ECHO "X $deplibs" | $Xsed -e 's% \([^ $]*\).ltframework% -framework \1%g'`
+	  newdeplibs=`$ECHO " $newdeplibs" | $SED 's% \([^ $]*\).ltframework% -framework \1%g'`
+	  new_inherited_linker_flags=`$ECHO " $new_inherited_linker_flags" | $SED 's% \([^ $]*\).ltframework% -framework \1%g'`
+	  deplibs=`$ECHO " $deplibs" | $SED 's% \([^ $]*\).ltframework% -framework \1%g'`
 	  ;;
       esac
 
@@ -6861,7 +8016,7 @@ EOF
 	*)
 	  case " $deplibs " in
 	  *" -L$path/$objdir "*)
-	    new_libs="$new_libs -L$path/$objdir" ;;
+	    func_append new_libs " -L$path/$objdir" ;;
 	  esac
 	  ;;
 	esac
@@ -6871,10 +8026,10 @@ EOF
 	-L*)
 	  case " $new_libs " in
 	  *" $deplib "*) ;;
-	  *) new_libs="$new_libs $deplib" ;;
+	  *) func_append new_libs " $deplib" ;;
 	  esac
 	  ;;
-	*) new_libs="$new_libs $deplib" ;;
+	*) func_append new_libs " $deplib" ;;
 	esac
       done
       deplibs="$new_libs"
@@ -6886,15 +8041,22 @@ EOF
 
       # Test again, we may have decided not to build it any more
       if test "$build_libtool_libs" = yes; then
+	# Remove ${wl} instances when linking with ld.
+	# FIXME: should test the right _cmds variable.
+	case $archive_cmds in
+	  *\$LD\ *) wl= ;;
+        esac
 	if test "$hardcode_into_libs" = yes; then
 	  # Hardcode the library paths
 	  hardcode_libdirs=
 	  dep_rpath=
 	  rpath="$finalize_rpath"
-	  test "$mode" != relink && rpath="$compile_rpath$rpath"
+	  test "$opt_mode" != relink && rpath="$compile_rpath$rpath"
 	  for libdir in $rpath; do
 	    if test -n "$hardcode_libdir_flag_spec"; then
 	      if test -n "$hardcode_libdir_separator"; then
+		func_replace_sysroot "$libdir"
+		libdir=$func_replace_sysroot_result
 		if test -z "$hardcode_libdirs"; then
 		  hardcode_libdirs="$libdir"
 		else
@@ -6903,18 +8065,18 @@ EOF
 		  *"$hardcode_libdir_separator$libdir$hardcode_libdir_separator"*)
 		    ;;
 		  *)
-		    hardcode_libdirs="$hardcode_libdirs$hardcode_libdir_separator$libdir"
+		    func_append hardcode_libdirs "$hardcode_libdir_separator$libdir"
 		    ;;
 		  esac
 		fi
 	      else
 		eval flag=\"$hardcode_libdir_flag_spec\"
-		dep_rpath="$dep_rpath $flag"
+		func_append dep_rpath " $flag"
 	      fi
 	    elif test -n "$runpath_var"; then
 	      case "$perm_rpath " in
 	      *" $libdir "*) ;;
-	      *) perm_rpath="$perm_rpath $libdir" ;;
+	      *) func_append perm_rpath " $libdir" ;;
 	      esac
 	    fi
 	  done
@@ -6922,17 +8084,13 @@ EOF
 	  if test -n "$hardcode_libdir_separator" &&
 	     test -n "$hardcode_libdirs"; then
 	    libdir="$hardcode_libdirs"
-	    if test -n "$hardcode_libdir_flag_spec_ld"; then
-	      eval dep_rpath=\"$hardcode_libdir_flag_spec_ld\"
-	    else
-	      eval dep_rpath=\"$hardcode_libdir_flag_spec\"
-	    fi
+	    eval "dep_rpath=\"$hardcode_libdir_flag_spec\""
 	  fi
 	  if test -n "$runpath_var" && test -n "$perm_rpath"; then
 	    # We should set the runpath_var.
 	    rpath=
 	    for dir in $perm_rpath; do
-	      rpath="$rpath$dir:"
+	      func_append rpath "$dir:"
 	    done
 	    eval "$runpath_var='$rpath\$$runpath_var'; export $runpath_var"
 	  fi
@@ -6940,7 +8098,7 @@ EOF
 	fi
 
 	shlibpath="$finalize_shlibpath"
-	test "$mode" != relink && shlibpath="$compile_shlibpath$shlibpath"
+	test "$opt_mode" != relink && shlibpath="$compile_shlibpath$shlibpath"
 	if test -n "$shlibpath"; then
 	  eval "$shlibpath_var='$shlibpath\$$shlibpath_var'; export $shlibpath_var"
 	fi
@@ -6966,18 +8124,18 @@ EOF
 	linknames=
 	for link
 	do
-	  linknames="$linknames $link"
+	  func_append linknames " $link"
 	done
 
 	# Use standard objects if they are pic
-	test -z "$pic_flag" && libobjs=`$ECHO "X$libobjs" | $SP2NL | $Xsed -e "$lo2o" | $NL2SP`
+	test -z "$pic_flag" && libobjs=`$ECHO "$libobjs" | $SP2NL | $SED "$lo2o" | $NL2SP`
 	test "X$libobjs" = "X " && libobjs=
 
 	delfiles=
 	if test -n "$export_symbols" && test -n "$include_expsyms"; then
 	  $opt_dry_run || cp "$export_symbols" "$output_objdir/$libname.uexp"
 	  export_symbols="$output_objdir/$libname.uexp"
-	  delfiles="$delfiles $export_symbols"
+	  func_append delfiles " $export_symbols"
 	fi
 
 	orig_export_symbols=
@@ -7008,13 +8166,45 @@ EOF
 	    $opt_dry_run || $RM $export_symbols
 	    cmds=$export_symbols_cmds
 	    save_ifs="$IFS"; IFS='~'
-	    for cmd in $cmds; do
+	    for cmd1 in $cmds; do
 	      IFS="$save_ifs"
-	      eval cmd=\"$cmd\"
-	      func_len " $cmd"
-	      len=$func_len_result
-	      if test "$len" -lt "$max_cmd_len" || test "$max_cmd_len" -le -1; then
+	      # Take the normal branch if the nm_file_list_spec branch
+	      # doesn't work or if tool conversion is not needed.
+	      case $nm_file_list_spec~$to_tool_file_cmd in
+		*~func_convert_file_noop | *~func_convert_file_msys_to_w32 | ~*)
+		  try_normal_branch=yes
+		  eval cmd=\"$cmd1\"
+		  func_len " $cmd"
+		  len=$func_len_result
+		  ;;
+		*)
+		  try_normal_branch=no
+		  ;;
+	      esac
+	      if test "$try_normal_branch" = yes \
+		 && { test "$len" -lt "$max_cmd_len" \
+		      || test "$max_cmd_len" -le -1; }
+	      then
+		func_show_eval "$cmd" 'exit $?'
+		skipped_export=false
+	      elif test -n "$nm_file_list_spec"; then
+		func_basename "$output"
+		output_la=$func_basename_result
+		save_libobjs=$libobjs
+		save_output=$output
+		output=${output_objdir}/${output_la}.nm
+		func_to_tool_file "$output"
+		libobjs=$nm_file_list_spec$func_to_tool_file_result
+		func_append delfiles " $output"
+		func_verbose "creating $NM input file list: $output"
+		for obj in $save_libobjs; do
+		  func_to_tool_file "$obj"
+		  $ECHO "$func_to_tool_file_result"
+		done > "$output"
+		eval cmd=\"$cmd1\"
 		func_show_eval "$cmd" 'exit $?'
+		output=$save_output
+		libobjs=$save_libobjs
 		skipped_export=false
 	      else
 		# The command line is too long to execute in one step.
@@ -7036,7 +8226,7 @@ EOF
 	if test -n "$export_symbols" && test -n "$include_expsyms"; then
 	  tmp_export_symbols="$export_symbols"
 	  test -n "$orig_export_symbols" && tmp_export_symbols="$orig_export_symbols"
-	  $opt_dry_run || eval '$ECHO "X$include_expsyms" | $Xsed | $SP2NL >> "$tmp_export_symbols"'
+	  $opt_dry_run || eval '$ECHO "$include_expsyms" | $SP2NL >> "$tmp_export_symbols"'
 	fi
 
 	if test "X$skipped_export" != "X:" && test -n "$orig_export_symbols"; then
@@ -7048,7 +8238,7 @@ EOF
 	  # global variables. join(1) would be nice here, but unfortunately
 	  # isn't a blessed tool.
 	  $opt_dry_run || $SED -e '/[ ,]DATA/!d;s,\(.*\)\([ \,].*\),s|^\1$|\1\2|,' < $export_symbols > $output_objdir/$libname.filter
-	  delfiles="$delfiles $export_symbols $output_objdir/$libname.filter"
+	  func_append delfiles " $export_symbols $output_objdir/$libname.filter"
 	  export_symbols=$output_objdir/$libname.def
 	  $opt_dry_run || $SED -f $output_objdir/$libname.filter < $orig_export_symbols > $export_symbols
 	fi
@@ -7058,7 +8248,7 @@ EOF
 	  case " $convenience " in
 	  *" $test_deplib "*) ;;
 	  *)
-	    tmp_deplibs="$tmp_deplibs $test_deplib"
+	    func_append tmp_deplibs " $test_deplib"
 	    ;;
 	  esac
 	done
@@ -7078,21 +8268,21 @@ EOF
 	    test "X$libobjs" = "X " && libobjs=
 	  else
 	    gentop="$output_objdir/${outputname}x"
-	    generated="$generated $gentop"
+	    func_append generated " $gentop"
 
 	    func_extract_archives $gentop $convenience
-	    libobjs="$libobjs $func_extract_archives_result"
+	    func_append libobjs " $func_extract_archives_result"
 	    test "X$libobjs" = "X " && libobjs=
 	  fi
 	fi
 
 	if test "$thread_safe" = yes && test -n "$thread_safe_flag_spec"; then
 	  eval flag=\"$thread_safe_flag_spec\"
-	  linker_flags="$linker_flags $flag"
+	  func_append linker_flags " $flag"
 	fi
 
 	# Make a backup of the uninstalled library when relinking
-	if test "$mode" = relink; then
+	if test "$opt_mode" = relink; then
 	  $opt_dry_run || eval '(cd $output_objdir && $RM ${realname}U && $MV $realname ${realname}U)' || exit $?
 	fi
 
@@ -7137,7 +8327,8 @@ EOF
 	    save_libobjs=$libobjs
 	  fi
 	  save_output=$output
-	  output_la=`$ECHO "X$output" | $Xsed -e "$basename"`
+	  func_basename "$output"
+	  output_la=$func_basename_result
 
 	  # Clear the reloadable object creation command queue and
 	  # initialize k to one.
@@ -7150,13 +8341,16 @@ EOF
 	  if test -n "$save_libobjs" && test "X$skipped_export" != "X:" && test "$with_gnu_ld" = yes; then
 	    output=${output_objdir}/${output_la}.lnkscript
 	    func_verbose "creating GNU ld script: $output"
-	    $ECHO 'INPUT (' > $output
+	    echo 'INPUT (' > $output
 	    for obj in $save_libobjs
 	    do
-	      $ECHO "$obj" >> $output
+	      func_to_tool_file "$obj"
+	      $ECHO "$func_to_tool_file_result" >> $output
 	    done
-	    $ECHO ')' >> $output
-	    delfiles="$delfiles $output"
+	    echo ')' >> $output
+	    func_append delfiles " $output"
+	    func_to_tool_file "$output"
+	    output=$func_to_tool_file_result
 	  elif test -n "$save_libobjs" && test "X$skipped_export" != "X:" && test "X$file_list_spec" != X; then
 	    output=${output_objdir}/${output_la}.lnk
 	    func_verbose "creating linker input file list: $output"
@@ -7170,10 +8364,12 @@ EOF
 	    fi
 	    for obj
 	    do
-	      $ECHO "$obj" >> $output
+	      func_to_tool_file "$obj"
+	      $ECHO "$func_to_tool_file_result" >> $output
 	    done
-	    delfiles="$delfiles $output"
-	    output=$firstobj\"$file_list_spec$output\"
+	    func_append delfiles " $output"
+	    func_to_tool_file "$output"
+	    output=$firstobj\"$file_list_spec$func_to_tool_file_result\"
 	  else
 	    if test -n "$save_libobjs"; then
 	      func_verbose "creating reloadable object files..."
@@ -7197,17 +8393,19 @@ EOF
 		  # command to the queue.
 		  if test "$k" -eq 1 ; then
 		    # The first file doesn't have a previous command to add.
-		    eval concat_cmds=\"$reload_cmds $objlist $last_robj\"
+		    reload_objs=$objlist
+		    eval concat_cmds=\"$reload_cmds\"
 		  else
 		    # All subsequent reloadable object files will link in
 		    # the last one created.
-		    eval concat_cmds=\"\$concat_cmds~$reload_cmds $objlist $last_robj~\$RM $last_robj\"
+		    reload_objs="$objlist $last_robj"
+		    eval concat_cmds=\"\$concat_cmds~$reload_cmds~\$RM $last_robj\"
 		  fi
 		  last_robj=$output_objdir/$output_la-${k}.$objext
 		  func_arith $k + 1
 		  k=$func_arith_result
 		  output=$output_objdir/$output_la-${k}.$objext
-		  objlist=$obj
+		  objlist=" $obj"
 		  func_len " $last_robj"
 		  func_arith $len0 + $func_len_result
 		  len=$func_arith_result
@@ -7217,11 +8415,12 @@ EOF
 	      # reloadable object file.  All subsequent reloadable object
 	      # files will link in the last one created.
 	      test -z "$concat_cmds" || concat_cmds=$concat_cmds~
-	      eval concat_cmds=\"\${concat_cmds}$reload_cmds $objlist $last_robj\"
+	      reload_objs="$objlist $last_robj"
+	      eval concat_cmds=\"\${concat_cmds}$reload_cmds\"
 	      if test -n "$last_robj"; then
 	        eval concat_cmds=\"\${concat_cmds}~\$RM $last_robj\"
 	      fi
-	      delfiles="$delfiles $output"
+	      func_append delfiles " $output"
 
 	    else
 	      output=
@@ -7255,7 +8454,7 @@ EOF
 		lt_exit=$?
 
 		# Restore the uninstalled library and exit
-		if test "$mode" = relink; then
+		if test "$opt_mode" = relink; then
 		  ( cd "$output_objdir" && \
 		    $RM "${realname}T" && \
 		    $MV "${realname}U" "$realname" )
@@ -7276,7 +8475,7 @@ EOF
 	    if test -n "$export_symbols" && test -n "$include_expsyms"; then
 	      tmp_export_symbols="$export_symbols"
 	      test -n "$orig_export_symbols" && tmp_export_symbols="$orig_export_symbols"
-	      $opt_dry_run || eval '$ECHO "X$include_expsyms" | $Xsed | $SP2NL >> "$tmp_export_symbols"'
+	      $opt_dry_run || eval '$ECHO "$include_expsyms" | $SP2NL >> "$tmp_export_symbols"'
 	    fi
 
 	    if test -n "$orig_export_symbols"; then
@@ -7288,7 +8487,7 @@ EOF
 	      # global variables. join(1) would be nice here, but unfortunately
 	      # isn't a blessed tool.
 	      $opt_dry_run || $SED -e '/[ ,]DATA/!d;s,\(.*\)\([ \,].*\),s|^\1$|\1\2|,' < $export_symbols > $output_objdir/$libname.filter
-	      delfiles="$delfiles $export_symbols $output_objdir/$libname.filter"
+	      func_append delfiles " $export_symbols $output_objdir/$libname.filter"
 	      export_symbols=$output_objdir/$libname.def
 	      $opt_dry_run || $SED -f $output_objdir/$libname.filter < $orig_export_symbols > $export_symbols
 	    fi
@@ -7329,10 +8528,10 @@ EOF
 	# Add any objects from preloaded convenience libraries
 	if test -n "$dlprefiles"; then
 	  gentop="$output_objdir/${outputname}x"
-	  generated="$generated $gentop"
+	  func_append generated " $gentop"
 
 	  func_extract_archives $gentop $dlprefiles
-	  libobjs="$libobjs $func_extract_archives_result"
+	  func_append libobjs " $func_extract_archives_result"
 	  test "X$libobjs" = "X " && libobjs=
 	fi
 
@@ -7348,7 +8547,7 @@ EOF
 	    lt_exit=$?
 
 	    # Restore the uninstalled library and exit
-	    if test "$mode" = relink; then
+	    if test "$opt_mode" = relink; then
 	      ( cd "$output_objdir" && \
 	        $RM "${realname}T" && \
 		$MV "${realname}U" "$realname" )
@@ -7360,7 +8559,7 @@ EOF
 	IFS="$save_ifs"
 
 	# Restore the uninstalled library and exit
-	if test "$mode" = relink; then
+	if test "$opt_mode" = relink; then
 	  $opt_dry_run || eval '(cd $output_objdir && $RM ${realname}T && $MV $realname ${realname}T && $MV ${realname}U $realname)' || exit $?
 
 	  if test -n "$convenience"; then
@@ -7441,18 +8640,21 @@ EOF
       if test -n "$convenience"; then
 	if test -n "$whole_archive_flag_spec"; then
 	  eval tmp_whole_archive_flags=\"$whole_archive_flag_spec\"
-	  reload_conv_objs=$reload_objs\ `$ECHO "X$tmp_whole_archive_flags" | $Xsed -e 's|,| |g'`
+	  reload_conv_objs=$reload_objs\ `$ECHO "$tmp_whole_archive_flags" | $SED 's|,| |g'`
 	else
 	  gentop="$output_objdir/${obj}x"
-	  generated="$generated $gentop"
+	  func_append generated " $gentop"
 
 	  func_extract_archives $gentop $convenience
 	  reload_conv_objs="$reload_objs $func_extract_archives_result"
 	fi
       fi
 
+      # If we're not building shared, we need to use non_pic_objs
+      test "$build_libtool_libs" != yes && libobjs="$non_pic_objects"
+
       # Create the old-style object.
-      reload_objs="$objs$old_deplibs "`$ECHO "X$libobjs" | $SP2NL | $Xsed -e '/\.'${libext}$'/d' -e '/\.lib$/d' -e "$lo2o" | $NL2SP`" $reload_conv_objs" ### testsuite: skip nested quoting test
+      reload_objs="$objs$old_deplibs "`$ECHO "$libobjs" | $SP2NL | $SED "/\.${libext}$/d; /\.lib$/d; $lo2o" | $NL2SP`" $reload_conv_objs" ### testsuite: skip nested quoting test
 
       output="$obj"
       func_execute_cmds "$reload_cmds" 'exit $?'
@@ -7512,8 +8714,8 @@ EOF
       case $host in
       *-*-rhapsody* | *-*-darwin1.[012])
 	# On Rhapsody replace the C library is the System framework
-	compile_deplibs=`$ECHO "X $compile_deplibs" | $Xsed -e 's/ -lc / System.ltframework /'`
-	finalize_deplibs=`$ECHO "X $finalize_deplibs" | $Xsed -e 's/ -lc / System.ltframework /'`
+	compile_deplibs=`$ECHO " $compile_deplibs" | $SED 's/ -lc / System.ltframework /'`
+	finalize_deplibs=`$ECHO " $finalize_deplibs" | $SED 's/ -lc / System.ltframework /'`
 	;;
       esac
 
@@ -7524,14 +8726,14 @@ EOF
 	if test "$tagname" = CXX ; then
 	  case ${MACOSX_DEPLOYMENT_TARGET-10.0} in
 	    10.[0123])
-	      compile_command="$compile_command ${wl}-bind_at_load"
-	      finalize_command="$finalize_command ${wl}-bind_at_load"
+	      func_append compile_command " ${wl}-bind_at_load"
+	      func_append finalize_command " ${wl}-bind_at_load"
 	    ;;
 	  esac
 	fi
 	# Time to change all our "foo.ltframework" stuff back to "-framework foo"
-	compile_deplibs=`$ECHO "X $compile_deplibs" | $Xsed -e 's% \([^ $]*\).ltframework% -framework \1%g'`
-	finalize_deplibs=`$ECHO "X $finalize_deplibs" | $Xsed -e 's% \([^ $]*\).ltframework% -framework \1%g'`
+	compile_deplibs=`$ECHO " $compile_deplibs" | $SED 's% \([^ $]*\).ltframework% -framework \1%g'`
+	finalize_deplibs=`$ECHO " $finalize_deplibs" | $SED 's% \([^ $]*\).ltframework% -framework \1%g'`
 	;;
       esac
 
@@ -7545,7 +8747,7 @@ EOF
 	*)
 	  case " $compile_deplibs " in
 	  *" -L$path/$objdir "*)
-	    new_libs="$new_libs -L$path/$objdir" ;;
+	    func_append new_libs " -L$path/$objdir" ;;
 	  esac
 	  ;;
 	esac
@@ -7555,17 +8757,17 @@ EOF
 	-L*)
 	  case " $new_libs " in
 	  *" $deplib "*) ;;
-	  *) new_libs="$new_libs $deplib" ;;
+	  *) func_append new_libs " $deplib" ;;
 	  esac
 	  ;;
-	*) new_libs="$new_libs $deplib" ;;
+	*) func_append new_libs " $deplib" ;;
 	esac
       done
       compile_deplibs="$new_libs"
 
 
-      compile_command="$compile_command $compile_deplibs"
-      finalize_command="$finalize_command $finalize_deplibs"
+      func_append compile_command " $compile_deplibs"
+      func_append finalize_command " $finalize_deplibs"
 
       if test -n "$rpath$xrpath"; then
 	# If the user specified any rpath flags, then add them.
@@ -7573,7 +8775,7 @@ EOF
 	  # This is the magic to use -rpath.
 	  case "$finalize_rpath " in
 	  *" $libdir "*) ;;
-	  *) finalize_rpath="$finalize_rpath $libdir" ;;
+	  *) func_append finalize_rpath " $libdir" ;;
 	  esac
 	done
       fi
@@ -7592,18 +8794,18 @@ EOF
 	      *"$hardcode_libdir_separator$libdir$hardcode_libdir_separator"*)
 		;;
 	      *)
-		hardcode_libdirs="$hardcode_libdirs$hardcode_libdir_separator$libdir"
+		func_append hardcode_libdirs "$hardcode_libdir_separator$libdir"
 		;;
 	      esac
 	    fi
 	  else
 	    eval flag=\"$hardcode_libdir_flag_spec\"
-	    rpath="$rpath $flag"
+	    func_append rpath " $flag"
 	  fi
 	elif test -n "$runpath_var"; then
 	  case "$perm_rpath " in
 	  *" $libdir "*) ;;
-	  *) perm_rpath="$perm_rpath $libdir" ;;
+	  *) func_append perm_rpath " $libdir" ;;
 	  esac
 	fi
 	case $host in
@@ -7612,12 +8814,12 @@ EOF
 	  case :$dllsearchpath: in
 	  *":$libdir:"*) ;;
 	  ::) dllsearchpath=$libdir;;
-	  *) dllsearchpath="$dllsearchpath:$libdir";;
+	  *) func_append dllsearchpath ":$libdir";;
 	  esac
 	  case :$dllsearchpath: in
 	  *":$testbindir:"*) ;;
 	  ::) dllsearchpath=$testbindir;;
-	  *) dllsearchpath="$dllsearchpath:$testbindir";;
+	  *) func_append dllsearchpath ":$testbindir";;
 	  esac
 	  ;;
 	esac
@@ -7643,18 +8845,18 @@ EOF
 	      *"$hardcode_libdir_separator$libdir$hardcode_libdir_separator"*)
 		;;
 	      *)
-		hardcode_libdirs="$hardcode_libdirs$hardcode_libdir_separator$libdir"
+		func_append hardcode_libdirs "$hardcode_libdir_separator$libdir"
 		;;
 	      esac
 	    fi
 	  else
 	    eval flag=\"$hardcode_libdir_flag_spec\"
-	    rpath="$rpath $flag"
+	    func_append rpath " $flag"
 	  fi
 	elif test -n "$runpath_var"; then
 	  case "$finalize_perm_rpath " in
 	  *" $libdir "*) ;;
-	  *) finalize_perm_rpath="$finalize_perm_rpath $libdir" ;;
+	  *) func_append finalize_perm_rpath " $libdir" ;;
 	  esac
 	fi
       done
@@ -7668,8 +8870,8 @@ EOF
 
       if test -n "$libobjs" && test "$build_old_libs" = yes; then
 	# Transform all the library objects into standard objects.
-	compile_command=`$ECHO "X$compile_command" | $SP2NL | $Xsed -e "$lo2o" | $NL2SP`
-	finalize_command=`$ECHO "X$finalize_command" | $SP2NL | $Xsed -e "$lo2o" | $NL2SP`
+	compile_command=`$ECHO "$compile_command" | $SP2NL | $SED "$lo2o" | $NL2SP`
+	finalize_command=`$ECHO "$finalize_command" | $SP2NL | $SED "$lo2o" | $NL2SP`
       fi
 
       func_generate_dlsyms "$outputname" "@PROGRAM@" "no"
@@ -7681,15 +8883,15 @@ EOF
 
       wrappers_required=yes
       case $host in
+      *cegcc* | *mingw32ce*)
+        # Disable wrappers for cegcc and mingw32ce hosts, we are cross compiling anyway.
+        wrappers_required=no
+        ;;
       *cygwin* | *mingw* )
         if test "$build_libtool_libs" != yes; then
           wrappers_required=no
         fi
         ;;
-      *cegcc)
-        # Disable wrappers for cegcc, we are cross compiling anyway.
-        wrappers_required=no
-        ;;
       *)
         if test "$need_relink" = no || test "$build_libtool_libs" != yes; then
           wrappers_required=no
@@ -7698,13 +8900,19 @@ EOF
       esac
       if test "$wrappers_required" = no; then
 	# Replace the output file specification.
-	compile_command=`$ECHO "X$compile_command" | $Xsed -e 's%@OUTPUT@%'"$output"'%g'`
+	compile_command=`$ECHO "$compile_command" | $SED 's%@OUTPUT@%'"$output"'%g'`
 	link_command="$compile_command$compile_rpath"
 
 	# We have no uninstalled library dependencies, so finalize right now.
 	exit_status=0
 	func_show_eval "$link_command" 'exit_status=$?'
 
+	if test -n "$postlink_cmds"; then
+	  func_to_tool_file "$output"
+	  postlink_cmds=`func_echo_all "$postlink_cmds" | $SED -e 's%@OUTPUT@%'"$output"'%g' -e 's%@TOOL_OUTPUT@%'"$func_to_tool_file_result"'%g'`
+	  func_execute_cmds "$postlink_cmds" 'exit $?'
+	fi
+
 	# Delete the generated files.
 	if test -f "$output_objdir/${outputname}S.${objext}"; then
 	  func_show_eval '$RM "$output_objdir/${outputname}S.${objext}"'
@@ -7727,7 +8935,7 @@ EOF
 	  # We should set the runpath_var.
 	  rpath=
 	  for dir in $perm_rpath; do
-	    rpath="$rpath$dir:"
+	    func_append rpath "$dir:"
 	  done
 	  compile_var="$runpath_var=\"$rpath\$$runpath_var\" "
 	fi
@@ -7735,7 +8943,7 @@ EOF
 	  # We should set the runpath_var.
 	  rpath=
 	  for dir in $finalize_perm_rpath; do
-	    rpath="$rpath$dir:"
+	    func_append rpath "$dir:"
 	  done
 	  finalize_var="$runpath_var=\"$rpath\$$runpath_var\" "
 	fi
@@ -7745,11 +8953,18 @@ EOF
 	# We don't need to create a wrapper script.
 	link_command="$compile_var$compile_command$compile_rpath"
 	# Replace the output file specification.
-	link_command=`$ECHO "X$link_command" | $Xsed -e 's%@OUTPUT@%'"$output"'%g'`
+	link_command=`$ECHO "$link_command" | $SED 's%@OUTPUT@%'"$output"'%g'`
 	# Delete the old output file.
 	$opt_dry_run || $RM $output
 	# Link the executable and exit
 	func_show_eval "$link_command" 'exit $?'
+
+	if test -n "$postlink_cmds"; then
+	  func_to_tool_file "$output"
+	  postlink_cmds=`func_echo_all "$postlink_cmds" | $SED -e 's%@OUTPUT@%'"$output"'%g' -e 's%@TOOL_OUTPUT@%'"$func_to_tool_file_result"'%g'`
+	  func_execute_cmds "$postlink_cmds" 'exit $?'
+	fi
+
 	exit $EXIT_SUCCESS
       fi
 
@@ -7764,7 +8979,7 @@ EOF
 	if test "$fast_install" != no; then
 	  link_command="$finalize_var$compile_command$finalize_rpath"
 	  if test "$fast_install" = yes; then
-	    relink_command=`$ECHO "X$compile_var$compile_command$compile_rpath" | $Xsed -e 's%@OUTPUT@%\$progdir/\$file%g'`
+	    relink_command=`$ECHO "$compile_var$compile_command$compile_rpath" | $SED 's%@OUTPUT@%\$progdir/\$file%g'`
 	  else
 	    # fast_install is set to needless
 	    relink_command=
@@ -7776,13 +8991,19 @@ EOF
       fi
 
       # Replace the output file specification.
-      link_command=`$ECHO "X$link_command" | $Xsed -e 's%@OUTPUT@%'"$output_objdir/$outputname"'%g'`
+      link_command=`$ECHO "$link_command" | $SED 's%@OUTPUT@%'"$output_objdir/$outputname"'%g'`
 
       # Delete the old output files.
       $opt_dry_run || $RM $output $output_objdir/$outputname $output_objdir/lt-$outputname
 
       func_show_eval "$link_command" 'exit $?'
 
+      if test -n "$postlink_cmds"; then
+	func_to_tool_file "$output_objdir/$outputname"
+	postlink_cmds=`func_echo_all "$postlink_cmds" | $SED -e 's%@OUTPUT@%'"$output_objdir/$outputname"'%g' -e 's%@TOOL_OUTPUT@%'"$func_to_tool_file_result"'%g'`
+	func_execute_cmds "$postlink_cmds" 'exit $?'
+      fi
+
       # Now create the wrapper script.
       func_verbose "creating $output"
 
@@ -7800,18 +9021,7 @@ EOF
 	  fi
 	done
 	relink_command="(cd `pwd`; $relink_command)"
-	relink_command=`$ECHO "X$relink_command" | $Xsed -e "$sed_quote_subst"`
-      fi
-
-      # Quote $ECHO for shipping.
-      if test "X$ECHO" = "X$SHELL $progpath --fallback-echo"; then
-	case $progpath in
-	[\\/]* | [A-Za-z]:[\\/]*) qecho="$SHELL $progpath --fallback-echo";;
-	*) qecho="$SHELL `pwd`/$progpath --fallback-echo";;
-	esac
-	qecho=`$ECHO "X$qecho" | $Xsed -e "$sed_quote_subst"`
-      else
-	qecho=`$ECHO "X$ECHO" | $Xsed -e "$sed_quote_subst"`
+	relink_command=`$ECHO "$relink_command" | $SED "$sed_quote_subst"`
       fi
 
       # Only actually do things if not in dry run mode.
@@ -7891,7 +9101,7 @@ EOF
 	else
 	  oldobjs="$old_deplibs $non_pic_objects"
 	  if test "$preload" = yes && test -f "$symfileobj"; then
-	    oldobjs="$oldobjs $symfileobj"
+	    func_append oldobjs " $symfileobj"
 	  fi
 	fi
 	addlibs="$old_convenience"
@@ -7899,10 +9109,10 @@ EOF
 
       if test -n "$addlibs"; then
 	gentop="$output_objdir/${outputname}x"
-	generated="$generated $gentop"
+	func_append generated " $gentop"
 
 	func_extract_archives $gentop $addlibs
-	oldobjs="$oldobjs $func_extract_archives_result"
+	func_append oldobjs " $func_extract_archives_result"
       fi
 
       # Do each command in the archive commands.
@@ -7913,10 +9123,10 @@ EOF
 	# Add any objects from preloaded convenience libraries
 	if test -n "$dlprefiles"; then
 	  gentop="$output_objdir/${outputname}x"
-	  generated="$generated $gentop"
+	  func_append generated " $gentop"
 
 	  func_extract_archives $gentop $dlprefiles
-	  oldobjs="$oldobjs $func_extract_archives_result"
+	  func_append oldobjs " $func_extract_archives_result"
 	fi
 
 	# POSIX demands no paths to be encoded in archives.  We have
@@ -7932,9 +9142,9 @@ EOF
 	    done | sort | sort -uc >/dev/null 2>&1); then
 	  :
 	else
-	  $ECHO "copying selected object files to avoid basename conflicts..."
+	  echo "copying selected object files to avoid basename conflicts..."
 	  gentop="$output_objdir/${outputname}x"
-	  generated="$generated $gentop"
+	  func_append generated " $gentop"
 	  func_mkdir_p "$gentop"
 	  save_oldobjs=$oldobjs
 	  oldobjs=
@@ -7958,18 +9168,30 @@ EOF
 		esac
 	      done
 	      func_show_eval "ln $obj $gentop/$newobj || cp $obj $gentop/$newobj"
-	      oldobjs="$oldobjs $gentop/$newobj"
+	      func_append oldobjs " $gentop/$newobj"
 	      ;;
-	    *) oldobjs="$oldobjs $obj" ;;
+	    *) func_append oldobjs " $obj" ;;
 	    esac
 	  done
 	fi
+	func_to_tool_file "$oldlib" func_convert_file_msys_to_w32
+	tool_oldlib=$func_to_tool_file_result
 	eval cmds=\"$old_archive_cmds\"
 
 	func_len " $cmds"
 	len=$func_len_result
 	if test "$len" -lt "$max_cmd_len" || test "$max_cmd_len" -le -1; then
 	  cmds=$old_archive_cmds
+	elif test -n "$archiver_list_spec"; then
+	  func_verbose "using command file archive linking..."
+	  for obj in $oldobjs
+	  do
+	    func_to_tool_file "$obj"
+	    $ECHO "$func_to_tool_file_result"
+	  done > $output_objdir/$libname.libcmd
+	  func_to_tool_file "$output_objdir/$libname.libcmd"
+	  oldobjs=" $archiver_list_spec$func_to_tool_file_result"
+	  cmds=$old_archive_cmds
 	else
 	  # the command line is too long to link in one step, link in parts
 	  func_verbose "using piecewise archive linking..."
@@ -8043,7 +9265,7 @@ EOF
       done
       # Quote the link command for shipping.
       relink_command="(cd `pwd`; $SHELL $progpath $preserve_args --mode=relink $libtool_args @inst_prefix_dir@)"
-      relink_command=`$ECHO "X$relink_command" | $Xsed -e "$sed_quote_subst"`
+      relink_command=`$ECHO "$relink_command" | $SED "$sed_quote_subst"`
       if test "$hardcode_automatic" = yes ; then
 	relink_command=
       fi
@@ -8063,12 +9285,23 @@ EOF
 	      *.la)
 		func_basename "$deplib"
 		name="$func_basename_result"
-		eval libdir=`${SED} -n -e 's/^libdir=\(.*\)$/\1/p' $deplib`
+		func_resolve_sysroot "$deplib"
+		eval libdir=`${SED} -n -e 's/^libdir=\(.*\)$/\1/p' $func_resolve_sysroot_result`
 		test -z "$libdir" && \
 		  func_fatal_error "\`$deplib' is not a valid libtool archive"
-		newdependency_libs="$newdependency_libs $libdir/$name"
+		func_append newdependency_libs " ${lt_sysroot:+=}$libdir/$name"
+		;;
+	      -L*)
+		func_stripname -L '' "$deplib"
+		func_replace_sysroot "$func_stripname_result"
+		func_append newdependency_libs " -L$func_replace_sysroot_result"
 		;;
-	      *) newdependency_libs="$newdependency_libs $deplib" ;;
+	      -R*)
+		func_stripname -R '' "$deplib"
+		func_replace_sysroot "$func_stripname_result"
+		func_append newdependency_libs " -R$func_replace_sysroot_result"
+		;;
+	      *) func_append newdependency_libs " $deplib" ;;
 	      esac
 	    done
 	    dependency_libs="$newdependency_libs"
@@ -8082,9 +9315,9 @@ EOF
 		eval libdir=`${SED} -n -e 's/^libdir=\(.*\)$/\1/p' $lib`
 		test -z "$libdir" && \
 		  func_fatal_error "\`$lib' is not a valid libtool archive"
-		newdlfiles="$newdlfiles $libdir/$name"
+		func_append newdlfiles " ${lt_sysroot:+=}$libdir/$name"
 		;;
-	      *) newdlfiles="$newdlfiles $lib" ;;
+	      *) func_append newdlfiles " $lib" ;;
 	      esac
 	    done
 	    dlfiles="$newdlfiles"
@@ -8101,7 +9334,7 @@ EOF
 		eval libdir=`${SED} -n -e 's/^libdir=\(.*\)$/\1/p' $lib`
 		test -z "$libdir" && \
 		  func_fatal_error "\`$lib' is not a valid libtool archive"
-		newdlprefiles="$newdlprefiles $libdir/$name"
+		func_append newdlprefiles " ${lt_sysroot:+=}$libdir/$name"
 		;;
 	      esac
 	    done
@@ -8113,7 +9346,7 @@ EOF
 		[\\/]* | [A-Za-z]:[\\/]*) abs="$lib" ;;
 		*) abs=`pwd`"/$lib" ;;
 	      esac
-	      newdlfiles="$newdlfiles $abs"
+	      func_append newdlfiles " $abs"
 	    done
 	    dlfiles="$newdlfiles"
 	    newdlprefiles=
@@ -8122,15 +9355,33 @@ EOF
 		[\\/]* | [A-Za-z]:[\\/]*) abs="$lib" ;;
 		*) abs=`pwd`"/$lib" ;;
 	      esac
-	      newdlprefiles="$newdlprefiles $abs"
+	      func_append newdlprefiles " $abs"
 	    done
 	    dlprefiles="$newdlprefiles"
 	  fi
 	  $RM $output
 	  # place dlname in correct position for cygwin
+	  # In fact, it would be nice if we could use this code for all target
+	  # systems that can't hard-code library paths into their executables
+	  # and that have no shared library path variable independent of PATH,
+	  # but it turns out we can't easily determine that from inspecting
+	  # libtool variables, so we have to hard-code the OSs to which it
+	  # applies here; at the moment, that means platforms that use the PE
+	  # object format with DLL files.  See the long comment at the top of
+	  # tests/bindir.at for full details.
 	  tdlname=$dlname
 	  case $host,$output,$installed,$module,$dlname in
-	    *cygwin*,*lai,yes,no,*.dll | *mingw*,*lai,yes,no,*.dll | *cegcc*,*lai,yes,no,*.dll) tdlname=../bin/$dlname ;;
+	    *cygwin*,*lai,yes,no,*.dll | *mingw*,*lai,yes,no,*.dll | *cegcc*,*lai,yes,no,*.dll)
+	      # If a -bindir argument was supplied, place the dll there.
+	      if test "x$bindir" != x ;
+	      then
+		func_relative_path "$install_libdir" "$bindir"
+		tdlname=$func_relative_path_result$dlname
+	      else
+		# Otherwise fall back on heuristic.
+		tdlname=../bin/$dlname
+	      fi
+	      ;;
 	  esac
 	  $ECHO > $output "\
 # $outputname - a libtool library file
@@ -8189,7 +9440,7 @@ relink_command=\"$relink_command\""
     exit $EXIT_SUCCESS
 }
 
-{ test "$mode" = link || test "$mode" = relink; } &&
+{ test "$opt_mode" = link || test "$opt_mode" = relink; } &&
     func_mode_link ${1+"$@"}
 
 
@@ -8209,9 +9460,9 @@ func_mode_uninstall ()
     for arg
     do
       case $arg in
-      -f) RM="$RM $arg"; rmforce=yes ;;
-      -*) RM="$RM $arg" ;;
-      *) files="$files $arg" ;;
+      -f) func_append RM " $arg"; rmforce=yes ;;
+      -*) func_append RM " $arg" ;;
+      *) func_append files " $arg" ;;
       esac
     done
 
@@ -8220,24 +9471,23 @@ func_mode_uninstall ()
 
     rmdirs=
 
-    origobjdir="$objdir"
     for file in $files; do
       func_dirname "$file" "" "."
       dir="$func_dirname_result"
       if test "X$dir" = X.; then
-	objdir="$origobjdir"
+	odir="$objdir"
       else
-	objdir="$dir/$origobjdir"
+	odir="$dir/$objdir"
       fi
       func_basename "$file"
       name="$func_basename_result"
-      test "$mode" = uninstall && objdir="$dir"
+      test "$opt_mode" = uninstall && odir="$dir"
 
-      # Remember objdir for removal later, being careful to avoid duplicates
-      if test "$mode" = clean; then
+      # Remember odir for removal later, being careful to avoid duplicates
+      if test "$opt_mode" = clean; then
 	case " $rmdirs " in
-	  *" $objdir "*) ;;
-	  *) rmdirs="$rmdirs $objdir" ;;
+	  *" $odir "*) ;;
+	  *) func_append rmdirs " $odir" ;;
 	esac
       fi
 
@@ -8263,18 +9513,17 @@ func_mode_uninstall ()
 
 	  # Delete the libtool libraries and symlinks.
 	  for n in $library_names; do
-	    rmfiles="$rmfiles $objdir/$n"
+	    func_append rmfiles " $odir/$n"
 	  done
-	  test -n "$old_library" && rmfiles="$rmfiles $objdir/$old_library"
+	  test -n "$old_library" && func_append rmfiles " $odir/$old_library"
 
-	  case "$mode" in
+	  case "$opt_mode" in
 	  clean)
-	    case "  $library_names " in
-	    # "  " in the beginning catches empty $dlname
+	    case " $library_names " in
 	    *" $dlname "*) ;;
-	    *) rmfiles="$rmfiles $objdir/$dlname" ;;
+	    *) test -n "$dlname" && func_append rmfiles " $odir/$dlname" ;;
 	    esac
-	    test -n "$libdir" && rmfiles="$rmfiles $objdir/$name $objdir/${name}i"
+	    test -n "$libdir" && func_append rmfiles " $odir/$name $odir/${name}i"
 	    ;;
 	  uninstall)
 	    if test -n "$library_names"; then
@@ -8302,19 +9551,19 @@ func_mode_uninstall ()
 	  # Add PIC object to the list of files to remove.
 	  if test -n "$pic_object" &&
 	     test "$pic_object" != none; then
-	    rmfiles="$rmfiles $dir/$pic_object"
+	    func_append rmfiles " $dir/$pic_object"
 	  fi
 
 	  # Add non-PIC object to the list of files to remove.
 	  if test -n "$non_pic_object" &&
 	     test "$non_pic_object" != none; then
-	    rmfiles="$rmfiles $dir/$non_pic_object"
+	    func_append rmfiles " $dir/$non_pic_object"
 	  fi
 	fi
 	;;
 
       *)
-	if test "$mode" = clean ; then
+	if test "$opt_mode" = clean ; then
 	  noexename=$name
 	  case $file in
 	  *.exe)
@@ -8324,7 +9573,7 @@ func_mode_uninstall ()
 	    noexename=$func_stripname_result
 	    # $file with .exe has already been added to rmfiles,
 	    # add $file without .exe
-	    rmfiles="$rmfiles $file"
+	    func_append rmfiles " $file"
 	    ;;
 	  esac
 	  # Do a test to see if this is a libtool program.
@@ -8333,7 +9582,7 @@ func_mode_uninstall ()
 	      func_ltwrapper_scriptname "$file"
 	      relink_command=
 	      func_source $func_ltwrapper_scriptname_result
-	      rmfiles="$rmfiles $func_ltwrapper_scriptname_result"
+	      func_append rmfiles " $func_ltwrapper_scriptname_result"
 	    else
 	      relink_command=
 	      func_source $dir/$noexename
@@ -8341,12 +9590,12 @@ func_mode_uninstall ()
 
 	    # note $name still contains .exe if it was in $file originally
 	    # as does the version of $file that was added into $rmfiles
-	    rmfiles="$rmfiles $objdir/$name $objdir/${name}S.${objext}"
+	    func_append rmfiles " $odir/$name $odir/${name}S.${objext}"
 	    if test "$fast_install" = yes && test -n "$relink_command"; then
-	      rmfiles="$rmfiles $objdir/lt-$name"
+	      func_append rmfiles " $odir/lt-$name"
 	    fi
 	    if test "X$noexename" != "X$name" ; then
-	      rmfiles="$rmfiles $objdir/lt-${noexename}.c"
+	      func_append rmfiles " $odir/lt-${noexename}.c"
 	    fi
 	  fi
 	fi
@@ -8354,7 +9603,6 @@ func_mode_uninstall ()
       esac
       func_show_eval "$RM $rmfiles" 'exit_status=1'
     done
-    objdir="$origobjdir"
 
     # Try to remove the ${objdir}s in the directories where we deleted files
     for dir in $rmdirs; do
@@ -8366,16 +9614,16 @@ func_mode_uninstall ()
     exit $exit_status
 }
 
-{ test "$mode" = uninstall || test "$mode" = clean; } &&
+{ test "$opt_mode" = uninstall || test "$opt_mode" = clean; } &&
     func_mode_uninstall ${1+"$@"}
 
-test -z "$mode" && {
+test -z "$opt_mode" && {
   help="$generic_help"
   func_fatal_help "you must specify a MODE"
 }
 
 test -z "$exec_cmd" && \
-  func_fatal_help "invalid operation mode \`$mode'"
+  func_fatal_help "invalid operation mode \`$opt_mode'"
 
 if test -n "$exec_cmd"; then
   eval exec "$exec_cmd"
diff --git a/m4/config/libtool.m4 b/m4/config/libtool.m4
index a3fee5360..828104cfd 100644
--- a/m4/config/libtool.m4
+++ b/m4/config/libtool.m4
@@ -1,7 +1,8 @@
 # libtool.m4 - Configure libtool for the host system. -*-Autoconf-*-
 #
 #   Copyright (C) 1996, 1997, 1998, 1999, 2000, 2001, 2003, 2004, 2005,
-#                 2006, 2007, 2008 Free Software Foundation, Inc.
+#                 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+#                 Foundation, Inc.
 #   Written by Gordon Matzigkeit, 1996
 #
 # This file is free software; the Free Software Foundation gives
@@ -10,7 +11,8 @@
 
 m4_define([_LT_COPYING], [dnl
 #   Copyright (C) 1996, 1997, 1998, 1999, 2000, 2001, 2003, 2004, 2005,
-#                 2006, 2007, 2008 Free Software Foundation, Inc.
+#                 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+#                 Foundation, Inc.
 #   Written by Gordon Matzigkeit, 1996
 #
 #   This file is part of GNU Libtool.
@@ -37,7 +39,7 @@ m4_define([_LT_COPYING], [dnl
 # 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
 ])
 
-# serial 56 LT_INIT
+# serial 57 LT_INIT
 
 
 # LT_PREREQ(VERSION)
@@ -66,6 +68,7 @@ esac
 # ------------------
 AC_DEFUN([LT_INIT],
 [AC_PREREQ([2.58])dnl We use AC_INCLUDES_DEFAULT
+AC_REQUIRE([AC_CONFIG_AUX_DIR_DEFAULT])dnl
 AC_BEFORE([$0], [LT_LANG])dnl
 AC_BEFORE([$0], [LT_OUTPUT])dnl
 AC_BEFORE([$0], [LTDL_INIT])dnl
@@ -82,6 +85,8 @@ AC_REQUIRE([LTVERSION_VERSION])dnl
 AC_REQUIRE([LTOBSOLETE_VERSION])dnl
 m4_require([_LT_PROG_LTMAIN])dnl
 
+_LT_SHELL_INIT([SHELL=${CONFIG_SHELL-/bin/sh}])
+
 dnl Parse OPTIONS
 _LT_SET_OPTIONS([$0], [$1])
 
@@ -118,7 +123,7 @@ m4_defun([_LT_CC_BASENAME],
     *) break;;
   esac
 done
-cc_basename=`$ECHO "X$cc_temp" | $Xsed -e 's%.*/%%' -e "s%^$host_alias-%%"`
+cc_basename=`$ECHO "$cc_temp" | $SED "s%.*/%%; s%^$host_alias-%%"`
 ])
 
 
@@ -138,6 +143,11 @@ m4_defun([_LT_FILEUTILS_DEFAULTS],
 m4_defun([_LT_SETUP],
 [AC_REQUIRE([AC_CANONICAL_HOST])dnl
 AC_REQUIRE([AC_CANONICAL_BUILD])dnl
+AC_REQUIRE([_LT_PREPARE_SED_QUOTE_VARS])dnl
+AC_REQUIRE([_LT_PROG_ECHO_BACKSLASH])dnl
+
+_LT_DECL([], [PATH_SEPARATOR], [1], [The PATH separator for the build system])dnl
+dnl
 _LT_DECL([], [host_alias], [0], [The host system])dnl
 _LT_DECL([], [host], [0])dnl
 _LT_DECL([], [host_os], [0])dnl
@@ -160,10 +170,13 @@ _LT_DECL([], [exeext], [0], [Executable file suffix (normally "")])dnl
 dnl
 m4_require([_LT_FILEUTILS_DEFAULTS])dnl
 m4_require([_LT_CHECK_SHELL_FEATURES])dnl
+m4_require([_LT_PATH_CONVERSION_FUNCTIONS])dnl
 m4_require([_LT_CMD_RELOAD])dnl
 m4_require([_LT_CHECK_MAGIC_METHOD])dnl
+m4_require([_LT_CHECK_SHAREDLIB_FROM_LINKLIB])dnl
 m4_require([_LT_CMD_OLD_ARCHIVE])dnl
 m4_require([_LT_CMD_GLOBAL_SYMBOLS])dnl
+m4_require([_LT_WITH_SYSROOT])dnl
 
 _LT_CONFIG_LIBTOOL_INIT([
 # See if we are running on zsh, and set the options which allow our
@@ -179,7 +192,6 @@ fi
 _LT_CHECK_OBJDIR
 
 m4_require([_LT_TAG_COMPILER])dnl
-_LT_PROG_ECHO_BACKSLASH
 
 case $host_os in
 aix3*)
@@ -193,23 +205,6 @@ aix3*)
   ;;
 esac
 
-# Sed substitution that helps us do robust quoting.  It backslashifies
-# metacharacters that are still active within double-quoted strings.
-sed_quote_subst='s/\([["`$\\]]\)/\\\1/g'
-
-# Same as above, but do not quote variable references.
-double_quote_subst='s/\([["`\\]]\)/\\\1/g'
-
-# Sed substitution to delay expansion of an escaped shell variable in a
-# double_quote_subst'ed string.
-delay_variable_subst='s/\\\\\\\\\\\$/\\\\\\$/g'
-
-# Sed substitution to delay expansion of an escaped single quote.
-delay_single_quote_subst='s/'\''/'\'\\\\\\\'\''/g'
-
-# Sed substitution to avoid accidental globbing in evaled expressions
-no_glob_subst='s/\*/\\\*/g'
-
 # Global variables:
 ofile=libtool
 can_build_shared=yes
@@ -250,6 +245,28 @@ _LT_CONFIG_COMMANDS
 ])# _LT_SETUP
 
 
+# _LT_PREPARE_SED_QUOTE_VARS
+# --------------------------
+# Define a few sed substitution that help us do robust quoting.
+m4_defun([_LT_PREPARE_SED_QUOTE_VARS],
+[# Backslashify metacharacters that are still active within
+# double-quoted strings.
+sed_quote_subst='s/\([["`$\\]]\)/\\\1/g'
+
+# Same as above, but do not quote variable references.
+double_quote_subst='s/\([["`\\]]\)/\\\1/g'
+
+# Sed substitution to delay expansion of an escaped shell variable in a
+# double_quote_subst'ed string.
+delay_variable_subst='s/\\\\\\\\\\\$/\\\\\\$/g'
+
+# Sed substitution to delay expansion of an escaped single quote.
+delay_single_quote_subst='s/'\''/'\'\\\\\\\'\''/g'
+
+# Sed substitution to avoid accidental globbing in evaled expressions
+no_glob_subst='s/\*/\\\*/g'
+])
+
 # _LT_PROG_LTMAIN
 # ---------------
 # Note that this code is called both from `configure', and `config.status'
@@ -408,7 +425,7 @@ m4_define([_lt_decl_all_varnames],
 # declaration there will have the same value as in `configure'.  VARNAME
 # must have a single quote delimited value for this to work.
 m4_define([_LT_CONFIG_STATUS_DECLARE],
-[$1='`$ECHO "X$][$1" | $Xsed -e "$delay_single_quote_subst"`'])
+[$1='`$ECHO "$][$1" | $SED "$delay_single_quote_subst"`'])
 
 
 # _LT_CONFIG_STATUS_DECLARATIONS
@@ -418,7 +435,7 @@ m4_define([_LT_CONFIG_STATUS_DECLARE],
 # embedded single quotes properly.  In configure, this macro expands
 # each variable declared with _LT_DECL (and _LT_TAGDECL) into:
 #
-#    <var>='`$ECHO "X$<var>" | $Xsed -e "$delay_single_quote_subst"`'
+#    <var>='`$ECHO "$<var>" | $SED "$delay_single_quote_subst"`'
 m4_defun([_LT_CONFIG_STATUS_DECLARATIONS],
 [m4_foreach([_lt_var], m4_quote(lt_decl_all_varnames),
     [m4_n([_LT_CONFIG_STATUS_DECLARE(_lt_var)])])])
@@ -517,12 +534,20 @@ LTCC='$LTCC'
 LTCFLAGS='$LTCFLAGS'
 compiler='$compiler_DEFAULT'
 
+# A function that is used when there is no print builtin or printf.
+func_fallback_echo ()
+{
+  eval 'cat <<_LTECHO_EOF
+\$[]1
+_LTECHO_EOF'
+}
+
 # Quote evaled strings.
 for var in lt_decl_all_varnames([[ \
 ]], lt_decl_quote_varnames); do
-    case \`eval \\\\\$ECHO "X\\\\\$\$var"\` in
+    case \`eval \\\\\$ECHO \\\\""\\\\\$\$var"\\\\"\` in
     *[[\\\\\\\`\\"\\\$]]*)
-      eval "lt_\$var=\\\\\\"\\\`\\\$ECHO \\"X\\\$\$var\\" | \\\$Xsed -e \\"\\\$sed_quote_subst\\"\\\`\\\\\\""
+      eval "lt_\$var=\\\\\\"\\\`\\\$ECHO \\"\\\$\$var\\" | \\\$SED \\"\\\$sed_quote_subst\\"\\\`\\\\\\""
       ;;
     *)
       eval "lt_\$var=\\\\\\"\\\$\$var\\\\\\""
@@ -533,9 +558,9 @@ done
 # Double-quote double-evaled strings.
 for var in lt_decl_all_varnames([[ \
 ]], lt_decl_dquote_varnames); do
-    case \`eval \\\\\$ECHO "X\\\\\$\$var"\` in
+    case \`eval \\\\\$ECHO \\\\""\\\\\$\$var"\\\\"\` in
     *[[\\\\\\\`\\"\\\$]]*)
-      eval "lt_\$var=\\\\\\"\\\`\\\$ECHO \\"X\\\$\$var\\" | \\\$Xsed -e \\"\\\$double_quote_subst\\" -e \\"\\\$sed_quote_subst\\" -e \\"\\\$delay_variable_subst\\"\\\`\\\\\\""
+      eval "lt_\$var=\\\\\\"\\\`\\\$ECHO \\"\\\$\$var\\" | \\\$SED -e \\"\\\$double_quote_subst\\" -e \\"\\\$sed_quote_subst\\" -e \\"\\\$delay_variable_subst\\"\\\`\\\\\\""
       ;;
     *)
       eval "lt_\$var=\\\\\\"\\\$\$var\\\\\\""
@@ -543,16 +568,38 @@ for var in lt_decl_all_varnames([[ \
     esac
 done
 
-# Fix-up fallback echo if it was mangled by the above quoting rules.
-case \$lt_ECHO in
-*'\\\[$]0 --fallback-echo"')dnl "
-  lt_ECHO=\`\$ECHO "X\$lt_ECHO" | \$Xsed -e 's/\\\\\\\\\\\\\\\[$]0 --fallback-echo"\[$]/\[$]0 --fallback-echo"/'\`
-  ;;
-esac
-
 _LT_OUTPUT_LIBTOOL_INIT
 ])
 
+# _LT_GENERATED_FILE_INIT(FILE, [COMMENT])
+# ------------------------------------
+# Generate a child script FILE with all initialization necessary to
+# reuse the environment learned by the parent script, and make the
+# file executable.  If COMMENT is supplied, it is inserted after the
+# `#!' sequence but before initialization text begins.  After this
+# macro, additional text can be appended to FILE to form the body of
+# the child script.  The macro ends with non-zero status if the
+# file could not be fully written (such as if the disk is full).
+m4_ifdef([AS_INIT_GENERATED],
+[m4_defun([_LT_GENERATED_FILE_INIT],[AS_INIT_GENERATED($@)])],
+[m4_defun([_LT_GENERATED_FILE_INIT],
+[m4_require([AS_PREPARE])]dnl
+[m4_pushdef([AS_MESSAGE_LOG_FD])]dnl
+[lt_write_fail=0
+cat >$1 <<_ASEOF || lt_write_fail=1
+#! $SHELL
+# Generated by $as_me.
+$2
+SHELL=\${CONFIG_SHELL-$SHELL}
+export SHELL
+_ASEOF
+cat >>$1 <<\_ASEOF || lt_write_fail=1
+AS_SHELL_SANITIZE
+_AS_PREPARE
+exec AS_MESSAGE_FD>&1
+_ASEOF
+test $lt_write_fail = 0 && chmod +x $1[]dnl
+m4_popdef([AS_MESSAGE_LOG_FD])])])# _LT_GENERATED_FILE_INIT
 
 # LT_OUTPUT
 # ---------
@@ -562,20 +609,11 @@ _LT_OUTPUT_LIBTOOL_INIT
 AC_DEFUN([LT_OUTPUT],
 [: ${CONFIG_LT=./config.lt}
 AC_MSG_NOTICE([creating $CONFIG_LT])
-cat >"$CONFIG_LT" <<_LTEOF
-#! $SHELL
-# Generated by $as_me.
-# Run this file to recreate a libtool stub with the current configuration.
-
-lt_cl_silent=false
-SHELL=\${CONFIG_SHELL-$SHELL}
-_LTEOF
+_LT_GENERATED_FILE_INIT(["$CONFIG_LT"],
+[# Run this file to recreate a libtool stub with the current configuration.])
 
 cat >>"$CONFIG_LT" <<\_LTEOF
-AS_SHELL_SANITIZE
-_AS_PREPARE
-
-exec AS_MESSAGE_FD>&1
+lt_cl_silent=false
 exec AS_MESSAGE_LOG_FD>>config.log
 {
   echo
@@ -601,7 +639,7 @@ m4_ifset([AC_PACKAGE_NAME], [AC_PACKAGE_NAME ])config.lt[]dnl
 m4_ifset([AC_PACKAGE_VERSION], [ AC_PACKAGE_VERSION])
 configured by $[0], generated by m4_PACKAGE_STRING.
 
-Copyright (C) 2008 Free Software Foundation, Inc.
+Copyright (C) 2011 Free Software Foundation, Inc.
 This config.lt script is free software; the Free Software Foundation
 gives unlimited permision to copy, distribute and modify it."
 
@@ -646,15 +684,13 @@ chmod +x "$CONFIG_LT"
 # appending to config.log, which fails on DOS, as config.log is still kept
 # open by configure.  Here we exec the FD to /dev/null, effectively closing
 # config.log, so it can be properly (re)opened and appended to by config.lt.
-if test "$no_create" != yes; then
-  lt_cl_success=:
-  test "$silent" = yes &&
-    lt_config_lt_args="$lt_config_lt_args --quiet"
-  exec AS_MESSAGE_LOG_FD>/dev/null
-  $SHELL "$CONFIG_LT" $lt_config_lt_args || lt_cl_success=false
-  exec AS_MESSAGE_LOG_FD>>config.log
-  $lt_cl_success || AS_EXIT(1)
-fi
+lt_cl_success=:
+test "$silent" = yes &&
+  lt_config_lt_args="$lt_config_lt_args --quiet"
+exec AS_MESSAGE_LOG_FD>/dev/null
+$SHELL "$CONFIG_LT" $lt_config_lt_args || lt_cl_success=false
+exec AS_MESSAGE_LOG_FD>>config.log
+$lt_cl_success || AS_EXIT(1)
 ])# LT_OUTPUT
 
 
@@ -717,15 +753,12 @@ _LT_EOF
   # if finds mixed CR/LF and LF-only lines.  Since sed operates in
   # text mode, it properly converts lines to CR/LF.  This bash problem
   # is reportedly fixed, but why not run on old versions too?
-  sed '/^# Generated shell functions inserted here/q' "$ltmain" >> "$cfgfile" \
-    || (rm -f "$cfgfile"; exit 1)
-
-  _LT_PROG_XSI_SHELLFNS
+  sed '$q' "$ltmain" >> "$cfgfile" \
+     || (rm -f "$cfgfile"; exit 1)
 
-  sed -n '/^# Generated shell functions inserted here/,$p' "$ltmain" >> "$cfgfile" \
-    || (rm -f "$cfgfile"; exit 1)
+  _LT_PROG_REPLACE_SHELLFNS
 
-  mv -f "$cfgfile" "$ofile" ||
+   mv -f "$cfgfile" "$ofile" ||
     (rm -f "$ofile" && cp "$cfgfile" "$ofile" && rm -f "$cfgfile")
   chmod +x "$ofile"
 ],
@@ -770,6 +803,7 @@ AC_DEFUN([LT_LANG],
 m4_case([$1],
   [C],			[_LT_LANG(C)],
   [C++],		[_LT_LANG(CXX)],
+  [Go],			[_LT_LANG(GO)],
   [Java],		[_LT_LANG(GCJ)],
   [Fortran 77],		[_LT_LANG(F77)],
   [Fortran],		[_LT_LANG(FC)],
@@ -791,6 +825,31 @@ m4_defun([_LT_LANG],
 ])# _LT_LANG
 
 
+m4_ifndef([AC_PROG_GO], [
+############################################################
+# NOTE: This macro has been submitted for inclusion into   #
+#  GNU Autoconf as AC_PROG_GO.  When it is available in    #
+#  a released version of Autoconf we should remove this    #
+#  macro and use it instead.                               #
+############################################################
+m4_defun([AC_PROG_GO],
+[AC_LANG_PUSH(Go)dnl
+AC_ARG_VAR([GOC],     [Go compiler command])dnl
+AC_ARG_VAR([GOFLAGS], [Go compiler flags])dnl
+_AC_ARG_VAR_LDFLAGS()dnl
+AC_CHECK_TOOL(GOC, gccgo)
+if test -z "$GOC"; then
+  if test -n "$ac_tool_prefix"; then
+    AC_CHECK_PROG(GOC, [${ac_tool_prefix}gccgo], [${ac_tool_prefix}gccgo])
+  fi
+fi
+if test -z "$GOC"; then
+  AC_CHECK_PROG(GOC, gccgo, gccgo, false)
+fi
+])#m4_defun
+])#m4_ifndef
+
+
 # _LT_LANG_DEFAULT_CONFIG
 # -----------------------
 m4_defun([_LT_LANG_DEFAULT_CONFIG],
@@ -821,6 +880,10 @@ AC_PROVIDE_IFELSE([AC_PROG_GCJ],
        m4_ifdef([LT_PROG_GCJ],
 	[m4_define([LT_PROG_GCJ], defn([LT_PROG_GCJ])[LT_LANG(GCJ)])])])])])
 
+AC_PROVIDE_IFELSE([AC_PROG_GO],
+  [LT_LANG(GO)],
+  [m4_define([AC_PROG_GO], defn([AC_PROG_GO])[LT_LANG(GO)])])
+
 AC_PROVIDE_IFELSE([LT_PROG_RC],
   [LT_LANG(RC)],
   [m4_define([LT_PROG_RC], defn([LT_PROG_RC])[LT_LANG(RC)])])
@@ -831,11 +894,13 @@ AU_DEFUN([AC_LIBTOOL_CXX], [LT_LANG(C++)])
 AU_DEFUN([AC_LIBTOOL_F77], [LT_LANG(Fortran 77)])
 AU_DEFUN([AC_LIBTOOL_FC], [LT_LANG(Fortran)])
 AU_DEFUN([AC_LIBTOOL_GCJ], [LT_LANG(Java)])
+AU_DEFUN([AC_LIBTOOL_RC], [LT_LANG(Windows Resource)])
 dnl aclocal-1.4 backwards compatibility:
 dnl AC_DEFUN([AC_LIBTOOL_CXX], [])
 dnl AC_DEFUN([AC_LIBTOOL_F77], [])
 dnl AC_DEFUN([AC_LIBTOOL_FC], [])
 dnl AC_DEFUN([AC_LIBTOOL_GCJ], [])
+dnl AC_DEFUN([AC_LIBTOOL_RC], [])
 
 
 # _LT_TAG_COMPILER
@@ -921,7 +986,13 @@ m4_defun_once([_LT_REQUIRED_DARWIN_CHECKS],[
 	$LTCC $LTCFLAGS $LDFLAGS -o libconftest.dylib \
 	  -dynamiclib -Wl,-single_module conftest.c 2>conftest.err
         _lt_result=$?
-	if test -f libconftest.dylib && test ! -s conftest.err && test $_lt_result = 0; then
+	# If there is a non-empty error log, and "single_module"
+	# appears in it, assume the flag caused a linker warning
+        if test -s conftest.err && $GREP single_module conftest.err; then
+	  cat conftest.err >&AS_MESSAGE_LOG_FD
+	# Otherwise, if the output was created with a 0 exit code from
+	# the compiler, it worked.
+	elif test -f libconftest.dylib && test $_lt_result -eq 0; then
 	  lt_cv_apple_cc_single_mod=yes
 	else
 	  cat conftest.err >&AS_MESSAGE_LOG_FD
@@ -929,6 +1000,7 @@ m4_defun_once([_LT_REQUIRED_DARWIN_CHECKS],[
 	rm -rf libconftest.dylib*
 	rm -f conftest.*
       fi])
+
     AC_CACHE_CHECK([for -exported_symbols_list linker flag],
       [lt_cv_ld_exported_symbols_list],
       [lt_cv_ld_exported_symbols_list=no
@@ -940,6 +1012,34 @@ m4_defun_once([_LT_REQUIRED_DARWIN_CHECKS],[
 	[lt_cv_ld_exported_symbols_list=no])
 	LDFLAGS="$save_LDFLAGS"
     ])
+
+    AC_CACHE_CHECK([for -force_load linker flag],[lt_cv_ld_force_load],
+      [lt_cv_ld_force_load=no
+      cat > conftest.c << _LT_EOF
+int forced_loaded() { return 2;}
+_LT_EOF
+      echo "$LTCC $LTCFLAGS -c -o conftest.o conftest.c" >&AS_MESSAGE_LOG_FD
+      $LTCC $LTCFLAGS -c -o conftest.o conftest.c 2>&AS_MESSAGE_LOG_FD
+      echo "$AR cru libconftest.a conftest.o" >&AS_MESSAGE_LOG_FD
+      $AR cru libconftest.a conftest.o 2>&AS_MESSAGE_LOG_FD
+      echo "$RANLIB libconftest.a" >&AS_MESSAGE_LOG_FD
+      $RANLIB libconftest.a 2>&AS_MESSAGE_LOG_FD
+      cat > conftest.c << _LT_EOF
+int main() { return 0;}
+_LT_EOF
+      echo "$LTCC $LTCFLAGS $LDFLAGS -o conftest conftest.c -Wl,-force_load,./libconftest.a" >&AS_MESSAGE_LOG_FD
+      $LTCC $LTCFLAGS $LDFLAGS -o conftest conftest.c -Wl,-force_load,./libconftest.a 2>conftest.err
+      _lt_result=$?
+      if test -s conftest.err && $GREP force_load conftest.err; then
+	cat conftest.err >&AS_MESSAGE_LOG_FD
+      elif test -f conftest && test $_lt_result -eq 0 && $GREP forced_load conftest >/dev/null 2>&1 ; then
+	lt_cv_ld_force_load=yes
+      else
+	cat conftest.err >&AS_MESSAGE_LOG_FD
+      fi
+        rm -f conftest.err libconftest.a conftest conftest.c
+        rm -rf conftest.dSYM
+    ])
     case $host_os in
     rhapsody* | darwin1.[[012]])
       _lt_dar_allow_undefined='${wl}-undefined ${wl}suppress' ;;
@@ -967,7 +1067,7 @@ m4_defun_once([_LT_REQUIRED_DARWIN_CHECKS],[
     else
       _lt_dar_export_syms='~$NMEDIT -s $output_objdir/${libname}-symbols.expsym ${lib}'
     fi
-    if test "$DSYMUTIL" != ":"; then
+    if test "$DSYMUTIL" != ":" && test "$lt_cv_ld_force_load" = "no"; then
       _lt_dsymutil='~$DSYMUTIL $lib || :'
     else
       _lt_dsymutil=
@@ -977,8 +1077,8 @@ m4_defun_once([_LT_REQUIRED_DARWIN_CHECKS],[
 ])
 
 
-# _LT_DARWIN_LINKER_FEATURES
-# --------------------------
+# _LT_DARWIN_LINKER_FEATURES([TAG])
+# ---------------------------------
 # Checks for linker and compiler features on darwin
 m4_defun([_LT_DARWIN_LINKER_FEATURES],
 [
@@ -987,7 +1087,13 @@ m4_defun([_LT_DARWIN_LINKER_FEATURES],
   _LT_TAGVAR(hardcode_direct, $1)=no
   _LT_TAGVAR(hardcode_automatic, $1)=yes
   _LT_TAGVAR(hardcode_shlibpath_var, $1)=unsupported
-  _LT_TAGVAR(whole_archive_flag_spec, $1)=''
+  if test "$lt_cv_ld_force_load" = "yes"; then
+    _LT_TAGVAR(whole_archive_flag_spec, $1)='`for conv in $convenience\"\"; do test  -n \"$conv\" && new_convenience=\"$new_convenience ${wl}-force_load,$conv\"; done; func_echo_all \"$new_convenience\"`'
+    m4_case([$1], [F77], [_LT_TAGVAR(compiler_needs_object, $1)=yes],
+                  [FC],  [_LT_TAGVAR(compiler_needs_object, $1)=yes])
+  else
+    _LT_TAGVAR(whole_archive_flag_spec, $1)=''
+  fi
   _LT_TAGVAR(link_all_deplibs, $1)=yes
   _LT_TAGVAR(allow_undefined_flag, $1)="$_lt_dar_allow_undefined"
   case $cc_basename in
@@ -995,7 +1101,7 @@ m4_defun([_LT_DARWIN_LINKER_FEATURES],
      *) _lt_dar_can_shared=$GCC ;;
   esac
   if test "$_lt_dar_can_shared" = "yes"; then
-    output_verbose_link_cmd=echo
+    output_verbose_link_cmd=func_echo_all
     _LT_TAGVAR(archive_cmds, $1)="\$CC -dynamiclib \$allow_undefined_flag -o \$lib \$libobjs \$deplibs \$compiler_flags -install_name \$rpath/\$soname \$verstring $_lt_dar_single_mod${_lt_dsymutil}"
     _LT_TAGVAR(module_cmds, $1)="\$CC \$allow_undefined_flag -o \$lib -bundle \$libobjs \$deplibs \$compiler_flags${_lt_dsymutil}"
     _LT_TAGVAR(archive_expsym_cmds, $1)="sed 's,^,_,' < \$export_symbols > \$output_objdir/\${libname}-symbols.expsym~\$CC -dynamiclib \$allow_undefined_flag -o \$lib \$libobjs \$deplibs \$compiler_flags -install_name \$rpath/\$soname \$verstring ${_lt_dar_single_mod}${_lt_dar_export_syms}${_lt_dsymutil}"
@@ -1011,203 +1117,142 @@ m4_defun([_LT_DARWIN_LINKER_FEATURES],
   fi
 ])
 
-# _LT_SYS_MODULE_PATH_AIX
-# -----------------------
+# _LT_SYS_MODULE_PATH_AIX([TAGNAME])
+# ----------------------------------
 # Links a minimal program and checks the executable
 # for the system default hardcoded library path. In most cases,
 # this is /usr/lib:/lib, but when the MPI compilers are used
 # the location of the communication and MPI libs are included too.
 # If we don't find anything, use the default library path according
 # to the aix ld manual.
+# Store the results from the different compilers for each TAGNAME.
+# Allow to override them for all tags through lt_cv_aix_libpath.
 m4_defun([_LT_SYS_MODULE_PATH_AIX],
 [m4_require([_LT_DECL_SED])dnl
-AC_LINK_IFELSE(AC_LANG_PROGRAM,[
-lt_aix_libpath_sed='
-    /Import File Strings/,/^$/ {
-	/^0/ {
-	    s/^0  *\(.*\)$/\1/
-	    p
-	}
-    }'
-aix_libpath=`dump -H conftest$ac_exeext 2>/dev/null | $SED -n -e "$lt_aix_libpath_sed"`
-# Check for a 64-bit object if we didn't find anything.
-if test -z "$aix_libpath"; then
-  aix_libpath=`dump -HX64 conftest$ac_exeext 2>/dev/null | $SED -n -e "$lt_aix_libpath_sed"`
-fi],[])
-if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
+if test "${lt_cv_aix_libpath+set}" = set; then
+  aix_libpath=$lt_cv_aix_libpath
+else
+  AC_CACHE_VAL([_LT_TAGVAR([lt_cv_aix_libpath_], [$1])],
+  [AC_LINK_IFELSE([AC_LANG_PROGRAM],[
+  lt_aix_libpath_sed='[
+      /Import File Strings/,/^$/ {
+	  /^0/ {
+	      s/^0  *\([^ ]*\) *$/\1/
+	      p
+	  }
+      }]'
+  _LT_TAGVAR([lt_cv_aix_libpath_], [$1])=`dump -H conftest$ac_exeext 2>/dev/null | $SED -n -e "$lt_aix_libpath_sed"`
+  # Check for a 64-bit object if we didn't find anything.
+  if test -z "$_LT_TAGVAR([lt_cv_aix_libpath_], [$1])"; then
+    _LT_TAGVAR([lt_cv_aix_libpath_], [$1])=`dump -HX64 conftest$ac_exeext 2>/dev/null | $SED -n -e "$lt_aix_libpath_sed"`
+  fi],[])
+  if test -z "$_LT_TAGVAR([lt_cv_aix_libpath_], [$1])"; then
+    _LT_TAGVAR([lt_cv_aix_libpath_], [$1])="/usr/lib:/lib"
+  fi
+  ])
+  aix_libpath=$_LT_TAGVAR([lt_cv_aix_libpath_], [$1])
+fi
 ])# _LT_SYS_MODULE_PATH_AIX
 
 
 # _LT_SHELL_INIT(ARG)
 # -------------------
 m4_define([_LT_SHELL_INIT],
-[ifdef([AC_DIVERSION_NOTICE],
-	     [AC_DIVERT_PUSH(AC_DIVERSION_NOTICE)],
-	 [AC_DIVERT_PUSH(NOTICE)])
-$1
-AC_DIVERT_POP
-])# _LT_SHELL_INIT
+[m4_divert_text([M4SH-INIT], [$1
+])])# _LT_SHELL_INIT
+
 
 
 # _LT_PROG_ECHO_BACKSLASH
 # -----------------------
-# Add some code to the start of the generated configure script which
-# will find an echo command which doesn't interpret backslashes.
+# Find how we can fake an echo command that does not interpret backslash.
+# In particular, with Autoconf 2.60 or later we add some code to the start
+# of the generated configure script which will find a shell with a builtin
+# printf (which we can use as an echo command).
 m4_defun([_LT_PROG_ECHO_BACKSLASH],
-[_LT_SHELL_INIT([
-# Check that we are running under the correct shell.
-SHELL=${CONFIG_SHELL-/bin/sh}
-
-case X$lt_ECHO in
-X*--fallback-echo)
-  # Remove one level of quotation (which was required for Make).
-  ECHO=`echo "$lt_ECHO" | sed 's,\\\\\[$]\\[$]0,'[$]0','`
-  ;;
-esac
-
-ECHO=${lt_ECHO-echo}
-if test "X[$]1" = X--no-reexec; then
-  # Discard the --no-reexec flag, and continue.
-  shift
-elif test "X[$]1" = X--fallback-echo; then
-  # Avoid inline document here, it may be left over
-  :
-elif test "X`{ $ECHO '\t'; } 2>/dev/null`" = 'X\t' ; then
-  # Yippee, $ECHO works!
-  :
+[ECHO='\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\'
+ECHO=$ECHO$ECHO$ECHO$ECHO$ECHO
+ECHO=$ECHO$ECHO$ECHO$ECHO$ECHO$ECHO
+
+AC_MSG_CHECKING([how to print strings])
+# Test print first, because it will be a builtin if present.
+if test "X`( print -r -- -n ) 2>/dev/null`" = X-n && \
+   test "X`print -r -- $ECHO 2>/dev/null`" = "X$ECHO"; then
+  ECHO='print -r --'
+elif test "X`printf %s $ECHO 2>/dev/null`" = "X$ECHO"; then
+  ECHO='printf %s\n'
 else
-  # Restart under the correct shell.
-  exec $SHELL "[$]0" --no-reexec ${1+"[$]@"}
-fi
-
-if test "X[$]1" = X--fallback-echo; then
-  # used as fallback echo
-  shift
-  cat <<_LT_EOF
-[$]*
-_LT_EOF
-  exit 0
+  # Use this function as a fallback that always works.
+  func_fallback_echo ()
+  {
+    eval 'cat <<_LTECHO_EOF
+$[]1
+_LTECHO_EOF'
+  }
+  ECHO='func_fallback_echo'
 fi
 
-# The HP-UX ksh and POSIX shell print the target directory to stdout
-# if CDPATH is set.
-(unset CDPATH) >/dev/null 2>&1 && unset CDPATH
-
-if test -z "$lt_ECHO"; then
-  if test "X${echo_test_string+set}" != Xset; then
-    # find a string as large as possible, as long as the shell can cope with it
-    for cmd in 'sed 50q "[$]0"' 'sed 20q "[$]0"' 'sed 10q "[$]0"' 'sed 2q "[$]0"' 'echo test'; do
-      # expected sizes: less than 2Kb, 1Kb, 512 bytes, 16 bytes, ...
-      if { echo_test_string=`eval $cmd`; } 2>/dev/null &&
-	 { test "X$echo_test_string" = "X$echo_test_string"; } 2>/dev/null
-      then
-        break
-      fi
-    done
-  fi
-
-  if test "X`{ $ECHO '\t'; } 2>/dev/null`" = 'X\t' &&
-     echo_testing_string=`{ $ECHO "$echo_test_string"; } 2>/dev/null` &&
-     test "X$echo_testing_string" = "X$echo_test_string"; then
-    :
-  else
-    # The Solaris, AIX, and Digital Unix default echo programs unquote
-    # backslashes.  This makes it impossible to quote backslashes using
-    #   echo "$something" | sed 's/\\/\\\\/g'
-    #
-    # So, first we look for a working echo in the user's PATH.
-
-    lt_save_ifs="$IFS"; IFS=$PATH_SEPARATOR
-    for dir in $PATH /usr/ucb; do
-      IFS="$lt_save_ifs"
-      if (test -f $dir/echo || test -f $dir/echo$ac_exeext) &&
-         test "X`($dir/echo '\t') 2>/dev/null`" = 'X\t' &&
-         echo_testing_string=`($dir/echo "$echo_test_string") 2>/dev/null` &&
-         test "X$echo_testing_string" = "X$echo_test_string"; then
-        ECHO="$dir/echo"
-        break
-      fi
-    done
-    IFS="$lt_save_ifs"
-
-    if test "X$ECHO" = Xecho; then
-      # We didn't find a better echo, so look for alternatives.
-      if test "X`{ print -r '\t'; } 2>/dev/null`" = 'X\t' &&
-         echo_testing_string=`{ print -r "$echo_test_string"; } 2>/dev/null` &&
-         test "X$echo_testing_string" = "X$echo_test_string"; then
-        # This shell has a builtin print -r that does the trick.
-        ECHO='print -r'
-      elif { test -f /bin/ksh || test -f /bin/ksh$ac_exeext; } &&
-	   test "X$CONFIG_SHELL" != X/bin/ksh; then
-        # If we have ksh, try running configure again with it.
-        ORIGINAL_CONFIG_SHELL=${CONFIG_SHELL-/bin/sh}
-        export ORIGINAL_CONFIG_SHELL
-        CONFIG_SHELL=/bin/ksh
-        export CONFIG_SHELL
-        exec $CONFIG_SHELL "[$]0" --no-reexec ${1+"[$]@"}
-      else
-        # Try using printf.
-        ECHO='printf %s\n'
-        if test "X`{ $ECHO '\t'; } 2>/dev/null`" = 'X\t' &&
-	   echo_testing_string=`{ $ECHO "$echo_test_string"; } 2>/dev/null` &&
-	   test "X$echo_testing_string" = "X$echo_test_string"; then
-	  # Cool, printf works
-	  :
-        elif echo_testing_string=`($ORIGINAL_CONFIG_SHELL "[$]0" --fallback-echo '\t') 2>/dev/null` &&
-	     test "X$echo_testing_string" = 'X\t' &&
-	     echo_testing_string=`($ORIGINAL_CONFIG_SHELL "[$]0" --fallback-echo "$echo_test_string") 2>/dev/null` &&
-	     test "X$echo_testing_string" = "X$echo_test_string"; then
-	  CONFIG_SHELL=$ORIGINAL_CONFIG_SHELL
-	  export CONFIG_SHELL
-	  SHELL="$CONFIG_SHELL"
-	  export SHELL
-	  ECHO="$CONFIG_SHELL [$]0 --fallback-echo"
-        elif echo_testing_string=`($CONFIG_SHELL "[$]0" --fallback-echo '\t') 2>/dev/null` &&
-	     test "X$echo_testing_string" = 'X\t' &&
-	     echo_testing_string=`($CONFIG_SHELL "[$]0" --fallback-echo "$echo_test_string") 2>/dev/null` &&
-	     test "X$echo_testing_string" = "X$echo_test_string"; then
-	  ECHO="$CONFIG_SHELL [$]0 --fallback-echo"
-        else
-	  # maybe with a smaller string...
-	  prev=:
-
-	  for cmd in 'echo test' 'sed 2q "[$]0"' 'sed 10q "[$]0"' 'sed 20q "[$]0"' 'sed 50q "[$]0"'; do
-	    if { test "X$echo_test_string" = "X`eval $cmd`"; } 2>/dev/null
-	    then
-	      break
-	    fi
-	    prev="$cmd"
-	  done
+# func_echo_all arg...
+# Invoke $ECHO with all args, space-separated.
+func_echo_all ()
+{
+    $ECHO "$*" 
+}
 
-	  if test "$prev" != 'sed 50q "[$]0"'; then
-	    echo_test_string=`eval $prev`
-	    export echo_test_string
-	    exec ${ORIGINAL_CONFIG_SHELL-${CONFIG_SHELL-/bin/sh}} "[$]0" ${1+"[$]@"}
-	  else
-	    # Oops.  We lost completely, so just stick with echo.
-	    ECHO=echo
-	  fi
-        fi
-      fi
-    fi
-  fi
-fi
+case "$ECHO" in
+  printf*) AC_MSG_RESULT([printf]) ;;
+  print*) AC_MSG_RESULT([print -r]) ;;
+  *) AC_MSG_RESULT([cat]) ;;
+esac
 
-# Copy echo and quote the copy suitably for passing to libtool from
-# the Makefile, instead of quoting the original, which is used later.
-lt_ECHO=$ECHO
-if test "X$lt_ECHO" = "X$CONFIG_SHELL [$]0 --fallback-echo"; then
-   lt_ECHO="$CONFIG_SHELL \\\$\[$]0 --fallback-echo"
-fi
+m4_ifdef([_AS_DETECT_SUGGESTED],
+[_AS_DETECT_SUGGESTED([
+  test -n "${ZSH_VERSION+set}${BASH_VERSION+set}" || (
+    ECHO='\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\'
+    ECHO=$ECHO$ECHO$ECHO$ECHO$ECHO
+    ECHO=$ECHO$ECHO$ECHO$ECHO$ECHO$ECHO
+    PATH=/empty FPATH=/empty; export PATH FPATH
+    test "X`printf %s $ECHO`" = "X$ECHO" \
+      || test "X`print -r -- $ECHO`" = "X$ECHO" )])])
 
-AC_SUBST(lt_ECHO)
-])
 _LT_DECL([], [SHELL], [1], [Shell to use when invoking shell scripts])
-_LT_DECL([], [ECHO], [1],
-    [An echo program that does not interpret backslashes])
+_LT_DECL([], [ECHO], [1], [An echo program that protects backslashes])
 ])# _LT_PROG_ECHO_BACKSLASH
 
 
+# _LT_WITH_SYSROOT
+# ----------------
+AC_DEFUN([_LT_WITH_SYSROOT],
+[AC_MSG_CHECKING([for sysroot])
+AC_ARG_WITH([sysroot],
+[  --with-sysroot[=DIR] Search for dependent libraries within DIR
+                        (or the compiler's sysroot if not specified).],
+[], [with_sysroot=no])
+
+dnl lt_sysroot will always be passed unquoted.  We quote it here
+dnl in case the user passed a directory name.
+lt_sysroot=
+case ${with_sysroot} in #(
+ yes)
+   if test "$GCC" = yes; then
+     lt_sysroot=`$CC --print-sysroot 2>/dev/null`
+   fi
+   ;; #(
+ /*)
+   lt_sysroot=`echo "$with_sysroot" | sed -e "$sed_quote_subst"`
+   ;; #(
+ no|'')
+   ;; #(
+ *)
+   AC_MSG_RESULT([${with_sysroot}])
+   AC_MSG_ERROR([The sysroot must be an absolute path.])
+   ;;
+esac
+
+ AC_MSG_RESULT([${lt_sysroot:-no}])
+_LT_DECL([], [lt_sysroot], [0], [The root where to search for ]dnl
+[dependent libraries, and in which our libraries should be installed.])])
+
 # _LT_ENABLE_LOCK
 # ---------------
 m4_defun([_LT_ENABLE_LOCK],
@@ -1236,7 +1281,7 @@ ia64-*-hpux*)
   ;;
 *-*-irix6*)
   # Find out which ABI we are using.
-  echo '[#]line __oline__ "configure"' > conftest.$ac_ext
+  echo '[#]line '$LINENO' "configure"' > conftest.$ac_ext
   if AC_TRY_EVAL(ac_compile); then
     if test "$lt_cv_prog_gnu_ld" = yes; then
       case `/usr/bin/file conftest.$ac_objext` in
@@ -1329,14 +1374,27 @@ s390*-*linux*|s390*-*tpf*|sparc*-*linux*)
     CFLAGS="$SAVE_CFLAGS"
   fi
   ;;
-sparc*-*solaris*)
+*-*solaris*)
   # Find out which ABI we are using.
   echo 'int i;' > conftest.$ac_ext
   if AC_TRY_EVAL(ac_compile); then
     case `/usr/bin/file conftest.o` in
     *64-bit*)
       case $lt_cv_prog_gnu_ld in
-      yes*) LD="${LD-ld} -m elf64_sparc" ;;
+      yes*)
+        case $host in
+        i?86-*-solaris*)
+          LD="${LD-ld} -m elf_x86_64"
+          ;;
+        sparc*-*-solaris*)
+          LD="${LD-ld} -m elf64_sparc"
+          ;;
+        esac
+        # GNU ld 2.21 introduced _sol2 emulations.  Use them if available.
+        if ${LD-ld} -V | grep _sol2 >/dev/null 2>&1; then
+          LD="${LD-ld}_sol2"
+        fi
+        ;;
       *)
 	if ${LD-ld} -64 -r -o conftest2.o conftest.o >/dev/null 2>&1; then
 	  LD="${LD-ld} -64"
@@ -1354,14 +1412,47 @@ need_locks="$enable_libtool_lock"
 ])# _LT_ENABLE_LOCK
 
 
+# _LT_PROG_AR
+# -----------
+m4_defun([_LT_PROG_AR],
+[AC_CHECK_TOOLS(AR, [ar], false)
+: ${AR=ar}
+: ${AR_FLAGS=cru}
+_LT_DECL([], [AR], [1], [The archiver])
+_LT_DECL([], [AR_FLAGS], [1], [Flags to create an archive])
+
+AC_CACHE_CHECK([for archiver @FILE support], [lt_cv_ar_at_file],
+  [lt_cv_ar_at_file=no
+   AC_COMPILE_IFELSE([AC_LANG_PROGRAM],
+     [echo conftest.$ac_objext > conftest.lst
+      lt_ar_try='$AR $AR_FLAGS libconftest.a @conftest.lst >&AS_MESSAGE_LOG_FD'
+      AC_TRY_EVAL([lt_ar_try])
+      if test "$ac_status" -eq 0; then
+	# Ensure the archiver fails upon bogus file names.
+	rm -f conftest.$ac_objext libconftest.a
+	AC_TRY_EVAL([lt_ar_try])
+	if test "$ac_status" -ne 0; then
+          lt_cv_ar_at_file=@
+        fi
+      fi
+      rm -f conftest.* libconftest.a
+     ])
+  ])
+
+if test "x$lt_cv_ar_at_file" = xno; then
+  archiver_list_spec=
+else
+  archiver_list_spec=$lt_cv_ar_at_file
+fi
+_LT_DECL([], [archiver_list_spec], [1],
+  [How to feed a file listing to the archiver])
+])# _LT_PROG_AR
+
+
 # _LT_CMD_OLD_ARCHIVE
 # -------------------
 m4_defun([_LT_CMD_OLD_ARCHIVE],
-[AC_CHECK_TOOL(AR, ar, false)
-test -z "$AR" && AR=ar
-test -z "$AR_FLAGS" && AR_FLAGS=cru
-_LT_DECL([], [AR], [1], [The archiver])
-_LT_DECL([], [AR_FLAGS], [1])
+[_LT_PROG_AR
 
 AC_CHECK_TOOL(STRIP, strip, :)
 test -z "$STRIP" && STRIP=:
@@ -1380,18 +1471,27 @@ old_postuninstall_cmds=
 if test -n "$RANLIB"; then
   case $host_os in
   openbsd*)
-    old_postinstall_cmds="$old_postinstall_cmds~\$RANLIB -t \$oldlib"
+    old_postinstall_cmds="$old_postinstall_cmds~\$RANLIB -t \$tool_oldlib"
     ;;
   *)
-    old_postinstall_cmds="$old_postinstall_cmds~\$RANLIB \$oldlib"
+    old_postinstall_cmds="$old_postinstall_cmds~\$RANLIB \$tool_oldlib"
     ;;
   esac
-  old_archive_cmds="$old_archive_cmds~\$RANLIB \$oldlib"
+  old_archive_cmds="$old_archive_cmds~\$RANLIB \$tool_oldlib"
 fi
+
+case $host_os in
+  darwin*)
+    lock_old_archive_extraction=yes ;;
+  *)
+    lock_old_archive_extraction=no ;;
+esac
 _LT_DECL([], [old_postinstall_cmds], [2])
 _LT_DECL([], [old_postuninstall_cmds], [2])
 _LT_TAGDECL([], [old_archive_cmds], [2],
     [Commands used to build an old-style archive])
+_LT_DECL([], [lock_old_archive_extraction], [0],
+    [Whether to use a lock for old archive extraction])
 ])# _LT_CMD_OLD_ARCHIVE
 
 
@@ -1416,15 +1516,15 @@ AC_CACHE_CHECK([$1], [$2],
    -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
    -e 's: [[^ ]]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:__oline__: $lt_compile\"" >&AS_MESSAGE_LOG_FD)
+   (eval echo "\"\$as_me:$LINENO: $lt_compile\"" >&AS_MESSAGE_LOG_FD)
    (eval "$lt_compile" 2>conftest.err)
    ac_status=$?
    cat conftest.err >&AS_MESSAGE_LOG_FD
-   echo "$as_me:__oline__: \$? = $ac_status" >&AS_MESSAGE_LOG_FD
+   echo "$as_me:$LINENO: \$? = $ac_status" >&AS_MESSAGE_LOG_FD
    if (exit $ac_status) && test -s "$ac_outfile"; then
      # The compiler can only warn and ignore the option if not recognized
      # So say no if there are warnings other than the usual output.
-     $ECHO "X$_lt_compiler_boilerplate" | $Xsed -e '/^$/d' >conftest.exp
+     $ECHO "$_lt_compiler_boilerplate" | $SED '/^$/d' >conftest.exp
      $SED '/^$/d; /^ *+/d' conftest.err >conftest.er2
      if test ! -s conftest.er2 || diff conftest.exp conftest.er2 >/dev/null; then
        $2=yes
@@ -1464,7 +1564,7 @@ AC_CACHE_CHECK([$1], [$2],
      if test -s conftest.err; then
        # Append any errors to the config.log.
        cat conftest.err 1>&AS_MESSAGE_LOG_FD
-       $ECHO "X$_lt_linker_boilerplate" | $Xsed -e '/^$/d' > conftest.exp
+       $ECHO "$_lt_linker_boilerplate" | $SED '/^$/d' > conftest.exp
        $SED '/^$/d; /^ *+/d' conftest.err >conftest.er2
        if diff conftest.exp conftest.er2 >/dev/null; then
          $2=yes
@@ -1527,6 +1627,11 @@ AC_CACHE_VAL([lt_cv_sys_max_cmd_len], [dnl
     lt_cv_sys_max_cmd_len=8192;
     ;;
 
+  mint*)
+    # On MiNT this can take a long time and run out of memory.
+    lt_cv_sys_max_cmd_len=8192;
+    ;;
+
   amigaos*)
     # On AmigaOS with pdksh, this test takes hours, literally.
     # So we just punt and use a minimum line length of 8192.
@@ -1552,6 +1657,11 @@ AC_CACHE_VAL([lt_cv_sys_max_cmd_len], [dnl
     lt_cv_sys_max_cmd_len=196608
     ;;
 
+  os2*)
+    # The test takes a long time on OS/2.
+    lt_cv_sys_max_cmd_len=8192
+    ;;
+
   osf*)
     # Dr. Hans Ekkehard Plesser reports seeing a kernel panic running configure
     # due to this test when exec_disable_arg_limit is 1 on Tru64. It is not
@@ -1591,8 +1701,8 @@ AC_CACHE_VAL([lt_cv_sys_max_cmd_len], [dnl
       # If test is not a shell built-in, we'll probably end up computing a
       # maximum length that is only half of the actual maximum length, but
       # we can't tell.
-      while { test "X"`$SHELL [$]0 --fallback-echo "X$teststring$teststring" 2>/dev/null` \
-	         = "XX$teststring$teststring"; } >/dev/null 2>&1 &&
+      while { test "X"`env echo "$teststring$teststring" 2>/dev/null` \
+	         = "X$teststring$teststring"; } >/dev/null 2>&1 &&
 	      test $i != 17 # 1/2 MB should be enough
       do
         i=`expr $i + 1`
@@ -1643,7 +1753,7 @@ else
   lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2
   lt_status=$lt_dlunknown
   cat > conftest.$ac_ext <<_LT_EOF
-[#line __oline__ "configure"
+[#line $LINENO "configure"
 #include "confdefs.h"
 
 #if HAVE_DLFCN_H
@@ -1684,7 +1794,13 @@ else
 #  endif
 #endif
 
-void fnord() { int i=42;}
+/* When -fvisbility=hidden is used, assume the code has been annotated
+   correspondingly for the symbols needed.  */
+#if defined(__GNUC__) && (((__GNUC__ == 3) && (__GNUC_MINOR__ >= 3)) || (__GNUC__ > 3))
+int fnord () __attribute__((visibility("default")));
+#endif
+
+int fnord () { return 42; }
 int main ()
 {
   void *self = dlopen (0, LT_DLGLOBAL|LT_DLLAZY_OR_NOW);
@@ -1693,7 +1809,11 @@ int main ()
   if (self)
     {
       if (dlsym (self,"fnord"))       status = $lt_dlno_uscore;
-      else if (dlsym( self,"_fnord")) status = $lt_dlneed_uscore;
+      else
+        {
+	  if (dlsym( self,"_fnord"))  status = $lt_dlneed_uscore;
+          else puts (dlerror ());
+	}
       /* dlclose (self); */
     }
   else
@@ -1869,16 +1989,16 @@ AC_CACHE_CHECK([if $compiler supports -c -o file.$ac_objext],
    -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
    -e 's: [[^ ]]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:__oline__: $lt_compile\"" >&AS_MESSAGE_LOG_FD)
+   (eval echo "\"\$as_me:$LINENO: $lt_compile\"" >&AS_MESSAGE_LOG_FD)
    (eval "$lt_compile" 2>out/conftest.err)
    ac_status=$?
    cat out/conftest.err >&AS_MESSAGE_LOG_FD
-   echo "$as_me:__oline__: \$? = $ac_status" >&AS_MESSAGE_LOG_FD
+   echo "$as_me:$LINENO: \$? = $ac_status" >&AS_MESSAGE_LOG_FD
    if (exit $ac_status) && test -s out/conftest2.$ac_objext
    then
      # The compiler can only warn and ignore the option if not recognized
      # So say no if there are warnings
-     $ECHO "X$_lt_compiler_boilerplate" | $Xsed -e '/^$/d' > out/conftest.exp
+     $ECHO "$_lt_compiler_boilerplate" | $SED '/^$/d' > out/conftest.exp
      $SED '/^$/d; /^ *+/d' out/conftest.err >out/conftest.er2
      if test ! -s out/conftest.er2 || diff out/conftest.exp out/conftest.er2 >/dev/null; then
        _LT_TAGVAR(lt_cv_prog_compiler_c_o, $1)=yes
@@ -2037,6 +2157,7 @@ m4_require([_LT_DECL_EGREP])dnl
 m4_require([_LT_FILEUTILS_DEFAULTS])dnl
 m4_require([_LT_DECL_OBJDUMP])dnl
 m4_require([_LT_DECL_SED])dnl
+m4_require([_LT_CHECK_SHELL_FEATURES])dnl
 AC_MSG_CHECKING([dynamic linker characteristics])
 m4_if([$1],
 	[], [
@@ -2045,16 +2166,23 @@ if test "$GCC" = yes; then
     darwin*) lt_awk_arg="/^libraries:/,/LR/" ;;
     *) lt_awk_arg="/^libraries:/" ;;
   esac
-  lt_search_path_spec=`$CC -print-search-dirs | awk $lt_awk_arg | $SED -e "s/^libraries://" -e "s,=/,/,g"`
-  if $ECHO "$lt_search_path_spec" | $GREP ';' >/dev/null ; then
+  case $host_os in
+    mingw* | cegcc*) lt_sed_strip_eq="s,=\([[A-Za-z]]:\),\1,g" ;;
+    *) lt_sed_strip_eq="s,=/,/,g" ;;
+  esac
+  lt_search_path_spec=`$CC -print-search-dirs | awk $lt_awk_arg | $SED -e "s/^libraries://" -e $lt_sed_strip_eq`
+  case $lt_search_path_spec in
+  *\;*)
     # if the path contains ";" then we assume it to be the separator
     # otherwise default to the standard path separator (i.e. ":") - it is
     # assumed that no part of a normal pathname contains ";" but that should
     # okay in the real world where ";" in dirpaths is itself problematic.
-    lt_search_path_spec=`$ECHO "$lt_search_path_spec" | $SED -e 's/;/ /g'`
-  else
-    lt_search_path_spec=`$ECHO "$lt_search_path_spec" | $SED  -e "s/$PATH_SEPARATOR/ /g"`
-  fi
+    lt_search_path_spec=`$ECHO "$lt_search_path_spec" | $SED 's/;/ /g'`
+    ;;
+  *)
+    lt_search_path_spec=`$ECHO "$lt_search_path_spec" | $SED "s/$PATH_SEPARATOR/ /g"`
+    ;;
+  esac
   # Ok, now we have the path, separated by spaces, we can step through it
   # and add multilib dir if necessary.
   lt_tmp_lt_search_path_spec=
@@ -2067,7 +2195,7 @@ if test "$GCC" = yes; then
 	lt_tmp_lt_search_path_spec="$lt_tmp_lt_search_path_spec $lt_sys_path"
     fi
   done
-  lt_search_path_spec=`$ECHO $lt_tmp_lt_search_path_spec | awk '
+  lt_search_path_spec=`$ECHO "$lt_tmp_lt_search_path_spec" | awk '
 BEGIN {RS=" "; FS="/|\n";} {
   lt_foo="";
   lt_count=0;
@@ -2087,7 +2215,13 @@ BEGIN {RS=" "; FS="/|\n";} {
   if (lt_foo != "") { lt_freq[[lt_foo]]++; }
   if (lt_freq[[lt_foo]] == 1) { print lt_foo; }
 }'`
-  sys_lib_search_path_spec=`$ECHO $lt_search_path_spec`
+  # AWK program above erroneously prepends '/' to C:/dos/paths
+  # for these hosts.
+  case $host_os in
+    mingw* | cegcc*) lt_search_path_spec=`$ECHO "$lt_search_path_spec" |\
+      $SED 's,/\([[A-Za-z]]:\),\1,g'` ;;
+  esac
+  sys_lib_search_path_spec=`$ECHO "$lt_search_path_spec" | $lt_NL2SP`
 else
   sys_lib_search_path_spec="/lib /usr/lib /usr/local/lib"
 fi])
@@ -2113,7 +2247,7 @@ need_version=unknown
 
 case $host_os in
 aix3*)
-  version_type=linux
+  version_type=linux # correct to gnu/linux during the next big refactor
   library_names_spec='${libname}${release}${shared_ext}$versuffix $libname.a'
   shlibpath_var=LIBPATH
 
@@ -2122,7 +2256,7 @@ aix3*)
   ;;
 
 aix[[4-9]]*)
-  version_type=linux
+  version_type=linux # correct to gnu/linux during the next big refactor
   need_lib_prefix=no
   need_version=no
   hardcode_into_libs=yes
@@ -2175,7 +2309,7 @@ amigaos*)
   m68k)
     library_names_spec='$libname.ixlibrary $libname.a'
     # Create ${libname}_ixlibrary.a entries in /sys/libs.
-    finish_eval='for lib in `ls $libdir/*.ixlibrary 2>/dev/null`; do libname=`$ECHO "X$lib" | $Xsed -e '\''s%^.*/\([[^/]]*\)\.ixlibrary$%\1%'\''`; test $RM /sys/libs/${libname}_ixlibrary.a; $show "cd /sys/libs && $LN_S $lib ${libname}_ixlibrary.a"; cd /sys/libs && $LN_S $lib ${libname}_ixlibrary.a || exit 1; done'
+    finish_eval='for lib in `ls $libdir/*.ixlibrary 2>/dev/null`; do libname=`func_echo_all "$lib" | $SED '\''s%^.*/\([[^/]]*\)\.ixlibrary$%\1%'\''`; test $RM /sys/libs/${libname}_ixlibrary.a; $show "cd /sys/libs && $LN_S $lib ${libname}_ixlibrary.a"; cd /sys/libs && $LN_S $lib ${libname}_ixlibrary.a || exit 1; done'
     ;;
   esac
   ;;
@@ -2187,7 +2321,7 @@ beos*)
   ;;
 
 bsdi[[45]]*)
-  version_type=linux
+  version_type=linux # correct to gnu/linux during the next big refactor
   need_version=no
   library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
   soname_spec='${libname}${release}${shared_ext}$major'
@@ -2206,8 +2340,9 @@ cygwin* | mingw* | pw32* | cegcc*)
   need_version=no
   need_lib_prefix=no
 
-  case $GCC,$host_os in
-  yes,cygwin* | yes,mingw* | yes,pw32* | yes,cegcc*)
+  case $GCC,$cc_basename in
+  yes,*)
+    # gcc
     library_names_spec='$libname.dll.a'
     # DLL is installed to $(libdir)/../bin by postinstall_cmds
     postinstall_cmds='base_file=`basename \${file}`~
@@ -2228,36 +2363,83 @@ cygwin* | mingw* | pw32* | cegcc*)
     cygwin*)
       # Cygwin DLLs use 'cyg' prefix rather than 'lib'
       soname_spec='`echo ${libname} | sed -e 's/^lib/cyg/'``echo ${release} | $SED -e 's/[[.]]/-/g'`${versuffix}${shared_ext}'
-      sys_lib_search_path_spec="/usr/lib /lib/w32api /lib /usr/local/lib"
+m4_if([$1], [],[
+      sys_lib_search_path_spec="$sys_lib_search_path_spec /usr/lib/w32api"])
       ;;
     mingw* | cegcc*)
       # MinGW DLLs use traditional 'lib' prefix
       soname_spec='${libname}`echo ${release} | $SED -e 's/[[.]]/-/g'`${versuffix}${shared_ext}'
-      sys_lib_search_path_spec=`$CC -print-search-dirs | $GREP "^libraries:" | $SED -e "s/^libraries://" -e "s,=/,/,g"`
-      if $ECHO "$sys_lib_search_path_spec" | [$GREP ';[c-zC-Z]:/' >/dev/null]; then
-        # It is most probably a Windows format PATH printed by
-        # mingw gcc, but we are running on Cygwin. Gcc prints its search
-        # path with ; separators, and with drive letters. We can handle the
-        # drive letters (cygwin fileutils understands them), so leave them,
-        # especially as we might pass files found there to a mingw objdump,
-        # which wouldn't understand a cygwinified path. Ahh.
-        sys_lib_search_path_spec=`$ECHO "$sys_lib_search_path_spec" | $SED -e 's/;/ /g'`
-      else
-        sys_lib_search_path_spec=`$ECHO "$sys_lib_search_path_spec" | $SED  -e "s/$PATH_SEPARATOR/ /g"`
-      fi
       ;;
     pw32*)
       # pw32 DLLs use 'pw' prefix rather than 'lib'
       library_names_spec='`echo ${libname} | sed -e 's/^lib/pw/'``echo ${release} | $SED -e 's/[[.]]/-/g'`${versuffix}${shared_ext}'
       ;;
     esac
+    dynamic_linker='Win32 ld.exe'
+    ;;
+
+  *,cl*)
+    # Native MSVC
+    libname_spec='$name'
+    soname_spec='${libname}`echo ${release} | $SED -e 's/[[.]]/-/g'`${versuffix}${shared_ext}'
+    library_names_spec='${libname}.dll.lib'
+
+    case $build_os in
+    mingw*)
+      sys_lib_search_path_spec=
+      lt_save_ifs=$IFS
+      IFS=';'
+      for lt_path in $LIB
+      do
+        IFS=$lt_save_ifs
+        # Let DOS variable expansion print the short 8.3 style file name.
+        lt_path=`cd "$lt_path" 2>/dev/null && cmd //C "for %i in (".") do @echo %~si"`
+        sys_lib_search_path_spec="$sys_lib_search_path_spec $lt_path"
+      done
+      IFS=$lt_save_ifs
+      # Convert to MSYS style.
+      sys_lib_search_path_spec=`$ECHO "$sys_lib_search_path_spec" | sed -e 's|\\\\|/|g' -e 's| \\([[a-zA-Z]]\\):| /\\1|g' -e 's|^ ||'`
+      ;;
+    cygwin*)
+      # Convert to unix form, then to dos form, then back to unix form
+      # but this time dos style (no spaces!) so that the unix form looks
+      # like /cygdrive/c/PROGRA~1:/cygdr...
+      sys_lib_search_path_spec=`cygpath --path --unix "$LIB"`
+      sys_lib_search_path_spec=`cygpath --path --dos "$sys_lib_search_path_spec" 2>/dev/null`
+      sys_lib_search_path_spec=`cygpath --path --unix "$sys_lib_search_path_spec" | $SED -e "s/$PATH_SEPARATOR/ /g"`
+      ;;
+    *)
+      sys_lib_search_path_spec="$LIB"
+      if $ECHO "$sys_lib_search_path_spec" | [$GREP ';[c-zC-Z]:/' >/dev/null]; then
+        # It is most probably a Windows format PATH.
+        sys_lib_search_path_spec=`$ECHO "$sys_lib_search_path_spec" | $SED -e 's/;/ /g'`
+      else
+        sys_lib_search_path_spec=`$ECHO "$sys_lib_search_path_spec" | $SED -e "s/$PATH_SEPARATOR/ /g"`
+      fi
+      # FIXME: find the short name or the path components, as spaces are
+      # common. (e.g. "Program Files" -> "PROGRA~1")
+      ;;
+    esac
+
+    # DLL is installed to $(libdir)/../bin by postinstall_cmds
+    postinstall_cmds='base_file=`basename \${file}`~
+      dlpath=`$SHELL 2>&1 -c '\''. $dir/'\''\${base_file}'\''i; echo \$dlname'\''`~
+      dldir=$destdir/`dirname \$dlpath`~
+      test -d \$dldir || mkdir -p \$dldir~
+      $install_prog $dir/$dlname \$dldir/$dlname'
+    postuninstall_cmds='dldll=`$SHELL 2>&1 -c '\''. $file; echo \$dlname'\''`~
+      dlpath=$dir/\$dldll~
+       $RM \$dlpath'
+    shlibpath_overrides_runpath=yes
+    dynamic_linker='Win32 link.exe'
     ;;
 
   *)
+    # Assume MSVC wrapper
     library_names_spec='${libname}`echo ${release} | $SED -e 's/[[.]]/-/g'`${versuffix}${shared_ext} $libname.lib'
+    dynamic_linker='Win32 ld.exe'
     ;;
   esac
-  dynamic_linker='Win32 ld.exe'
   # FIXME: first we should search . and the directory the executable is in
   shlibpath_var=PATH
   ;;
@@ -2278,7 +2460,7 @@ m4_if([$1], [],[
   ;;
 
 dgux*)
-  version_type=linux
+  version_type=linux # correct to gnu/linux during the next big refactor
   need_lib_prefix=no
   need_version=no
   library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname$shared_ext'
@@ -2286,10 +2468,6 @@ dgux*)
   shlibpath_var=LD_LIBRARY_PATH
   ;;
 
-freebsd1*)
-  dynamic_linker=no
-  ;;
-
 freebsd* | dragonfly*)
   # DragonFly does not have aout.  When/if they implement a new
   # versioning mechanism, adjust this.
@@ -2297,7 +2475,7 @@ freebsd* | dragonfly*)
     objformat=`/usr/bin/objformat`
   else
     case $host_os in
-    freebsd[[123]]*) objformat=aout ;;
+    freebsd[[23]].*) objformat=aout ;;
     *) objformat=elf ;;
     esac
   fi
@@ -2315,7 +2493,7 @@ freebsd* | dragonfly*)
   esac
   shlibpath_var=LD_LIBRARY_PATH
   case $host_os in
-  freebsd2*)
+  freebsd2.*)
     shlibpath_overrides_runpath=yes
     ;;
   freebsd3.[[01]]* | freebsdelf3.[[01]]*)
@@ -2335,12 +2513,26 @@ freebsd* | dragonfly*)
   ;;
 
 gnu*)
-  version_type=linux
+  version_type=linux # correct to gnu/linux during the next big refactor
   need_lib_prefix=no
   need_version=no
   library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}${major} ${libname}${shared_ext}'
   soname_spec='${libname}${release}${shared_ext}$major'
   shlibpath_var=LD_LIBRARY_PATH
+  shlibpath_overrides_runpath=no
+  hardcode_into_libs=yes
+  ;;
+
+haiku*)
+  version_type=linux # correct to gnu/linux during the next big refactor
+  need_lib_prefix=no
+  need_version=no
+  dynamic_linker="$host_os runtime_loader"
+  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}${major} ${libname}${shared_ext}'
+  soname_spec='${libname}${release}${shared_ext}$major'
+  shlibpath_var=LIBRARY_PATH
+  shlibpath_overrides_runpath=yes
+  sys_lib_dlsearch_path_spec='/boot/home/config/lib /boot/common/lib /boot/system/lib'
   hardcode_into_libs=yes
   ;;
 
@@ -2386,12 +2578,14 @@ hpux9* | hpux10* | hpux11*)
     soname_spec='${libname}${release}${shared_ext}$major'
     ;;
   esac
-  # HP-UX runs *really* slowly unless shared libraries are mode 555.
+  # HP-UX runs *really* slowly unless shared libraries are mode 555, ...
   postinstall_cmds='chmod 555 $lib'
+  # or fails outright, so override atomically:
+  install_override_mode=555
   ;;
 
 interix[[3-9]]*)
-  version_type=linux
+  version_type=linux # correct to gnu/linux during the next big refactor
   need_lib_prefix=no
   need_version=no
   library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major ${libname}${shared_ext}'
@@ -2407,7 +2601,7 @@ irix5* | irix6* | nonstopux*)
     nonstopux*) version_type=nonstopux ;;
     *)
 	if test "$lt_cv_prog_gnu_ld" = yes; then
-		version_type=linux
+		version_type=linux # correct to gnu/linux during the next big refactor
 	else
 		version_type=irix
 	fi ;;
@@ -2444,9 +2638,9 @@ linux*oldld* | linux*aout* | linux*coff*)
   dynamic_linker=no
   ;;
 
-# This must be Linux ELF.
+# This must be glibc/ELF.
 linux* | k*bsd*-gnu | kopensolaris*-gnu)
-  version_type=linux
+  version_type=linux # correct to gnu/linux during the next big refactor
   need_lib_prefix=no
   need_version=no
   library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
@@ -2454,16 +2648,21 @@ linux* | k*bsd*-gnu | kopensolaris*-gnu)
   finish_cmds='PATH="\$PATH:/sbin" ldconfig -n $libdir'
   shlibpath_var=LD_LIBRARY_PATH
   shlibpath_overrides_runpath=no
+
   # Some binutils ld are patched to set DT_RUNPATH
-  save_LDFLAGS=$LDFLAGS
-  save_libdir=$libdir
-  eval "libdir=/foo; wl=\"$_LT_TAGVAR(lt_prog_compiler_wl, $1)\"; \
-       LDFLAGS=\"\$LDFLAGS $_LT_TAGVAR(hardcode_libdir_flag_spec, $1)\""
-  AC_LINK_IFELSE([AC_LANG_PROGRAM([],[])],
-    [AS_IF([ ($OBJDUMP -p conftest$ac_exeext) 2>/dev/null | grep "RUNPATH.*$libdir" >/dev/null],
-       [shlibpath_overrides_runpath=yes])])
-  LDFLAGS=$save_LDFLAGS
-  libdir=$save_libdir
+  AC_CACHE_VAL([lt_cv_shlibpath_overrides_runpath],
+    [lt_cv_shlibpath_overrides_runpath=no
+    save_LDFLAGS=$LDFLAGS
+    save_libdir=$libdir
+    eval "libdir=/foo; wl=\"$_LT_TAGVAR(lt_prog_compiler_wl, $1)\"; \
+	 LDFLAGS=\"\$LDFLAGS $_LT_TAGVAR(hardcode_libdir_flag_spec, $1)\""
+    AC_LINK_IFELSE([AC_LANG_PROGRAM([],[])],
+      [AS_IF([ ($OBJDUMP -p conftest$ac_exeext) 2>/dev/null | grep "RUNPATH.*$libdir" >/dev/null],
+	 [lt_cv_shlibpath_overrides_runpath=yes])])
+    LDFLAGS=$save_LDFLAGS
+    libdir=$save_libdir
+    ])
+  shlibpath_overrides_runpath=$lt_cv_shlibpath_overrides_runpath
 
   # This implies no fast_install, which is unacceptable.
   # Some rework will be needed to allow for fast_install
@@ -2472,7 +2671,7 @@ linux* | k*bsd*-gnu | kopensolaris*-gnu)
 
   # Append ld.so.conf contents to the search path
   if test -f /etc/ld.so.conf; then
-    lt_ld_extra=`awk '/^include / { system(sprintf("cd /etc; cat %s 2>/dev/null", \[$]2)); skip = 1; } { if (!skip) print \[$]0; skip = 0; }' < /etc/ld.so.conf | $SED -e 's/#.*//;/^[	 ]*hwcap[	 ]/d;s/[:,	]/ /g;s/=[^=]*$//;s/=[^= ]* / /g;/^$/d' | tr '\n' ' '`
+    lt_ld_extra=`awk '/^include / { system(sprintf("cd /etc; cat %s 2>/dev/null", \[$]2)); skip = 1; } { if (!skip) print \[$]0; skip = 0; }' < /etc/ld.so.conf | $SED -e 's/#.*//;/^[	 ]*hwcap[	 ]/d;s/[:,	]/ /g;s/=[^=]*$//;s/=[^= ]* / /g;s/"//g;/^$/d' | tr '\n' ' '`
     sys_lib_dlsearch_path_spec="/lib /usr/lib $lt_ld_extra"
   fi
 
@@ -2516,7 +2715,7 @@ netbsd*)
   ;;
 
 newsos6)
-  version_type=linux
+  version_type=linux # correct to gnu/linux during the next big refactor
   library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
   shlibpath_var=LD_LIBRARY_PATH
   shlibpath_overrides_runpath=yes
@@ -2585,7 +2784,7 @@ rdos*)
   ;;
 
 solaris*)
-  version_type=linux
+  version_type=linux # correct to gnu/linux during the next big refactor
   need_lib_prefix=no
   need_version=no
   library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
@@ -2610,7 +2809,7 @@ sunos4*)
   ;;
 
 sysv4 | sysv4.3*)
-  version_type=linux
+  version_type=linux # correct to gnu/linux during the next big refactor
   library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
   soname_spec='${libname}${release}${shared_ext}$major'
   shlibpath_var=LD_LIBRARY_PATH
@@ -2634,7 +2833,7 @@ sysv4 | sysv4.3*)
 
 sysv4*MP*)
   if test -d /usr/nec ;then
-    version_type=linux
+    version_type=linux # correct to gnu/linux during the next big refactor
     library_names_spec='$libname${shared_ext}.$versuffix $libname${shared_ext}.$major $libname${shared_ext}'
     soname_spec='$libname${shared_ext}.$major'
     shlibpath_var=LD_LIBRARY_PATH
@@ -2665,7 +2864,7 @@ sysv5* | sco3.2v5* | sco5v6* | unixware* | OpenUNIX* | sysv4*uw2*)
 
 tpf*)
   # TPF is a cross-target only.  Preferred cross-host = GNU/Linux.
-  version_type=linux
+  version_type=linux # correct to gnu/linux during the next big refactor
   need_lib_prefix=no
   need_version=no
   library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
@@ -2675,7 +2874,7 @@ tpf*)
   ;;
 
 uts4*)
-  version_type=linux
+  version_type=linux # correct to gnu/linux during the next big refactor
   library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
   soname_spec='${libname}${release}${shared_ext}$major'
   shlibpath_var=LD_LIBRARY_PATH
@@ -2717,6 +2916,8 @@ _LT_DECL([], [library_names_spec], [1],
     The last name is the one that the linker finds with -lNAME]])
 _LT_DECL([], [soname_spec], [1],
     [[The coded name of the library, if different from the real name]])
+_LT_DECL([], [install_override_mode], [1],
+    [Permission mode override for installation of shared libraries])
 _LT_DECL([], [postinstall_cmds], [2],
     [Command to use after installation of a shared archive])
 _LT_DECL([], [postuninstall_cmds], [2],
@@ -2829,6 +3030,7 @@ AC_REQUIRE([AC_CANONICAL_HOST])dnl
 AC_REQUIRE([AC_CANONICAL_BUILD])dnl
 m4_require([_LT_DECL_SED])dnl
 m4_require([_LT_DECL_EGREP])dnl
+m4_require([_LT_PROG_ECHO_BACKSLASH])dnl
 
 AC_ARG_WITH([gnu-ld],
     [AS_HELP_STRING([--with-gnu-ld],
@@ -2950,6 +3152,11 @@ case $reload_flag in
 esac
 reload_cmds='$LD$reload_flag -o $output$reload_objs'
 case $host_os in
+  cygwin* | mingw* | pw32* | cegcc*)
+    if test "$GCC" != yes; then
+      reload_cmds=false
+    fi
+    ;;
   darwin*)
     if test "$GCC" = yes; then
       reload_cmds='$LTCC $LTCFLAGS -nostdlib ${wl}-r -o $output$reload_objs'
@@ -2958,8 +3165,8 @@ case $host_os in
     fi
     ;;
 esac
-_LT_DECL([], [reload_flag], [1], [How to create reloadable object files])dnl
-_LT_DECL([], [reload_cmds], [2])dnl
+_LT_TAGDECL([], [reload_flag], [1], [How to create reloadable object files])dnl
+_LT_TAGDECL([], [reload_cmds], [2])dnl
 ])# _LT_CMD_RELOAD
 
 
@@ -3011,16 +3218,18 @@ mingw* | pw32*)
   # Base MSYS/MinGW do not provide the 'file' command needed by
   # func_win32_libid shell function, so use a weaker test based on 'objdump',
   # unless we find 'file', for example because we are cross-compiling.
-  if ( file / ) >/dev/null 2>&1; then
+  # func_win32_libid assumes BSD nm, so disallow it if using MS dumpbin.
+  if ( test "$lt_cv_nm_interface" = "BSD nm" && file / ) >/dev/null 2>&1; then
     lt_cv_deplibs_check_method='file_magic ^x86 archive import|^x86 DLL'
     lt_cv_file_magic_cmd='func_win32_libid'
   else
-    lt_cv_deplibs_check_method='file_magic file format pei*-i386(.*architecture: i386)?'
+    # Keep this pattern in sync with the one in func_win32_libid.
+    lt_cv_deplibs_check_method='file_magic file format (pei*-i386(.*architecture: i386)?|pe-arm-wince|pe-x86-64)'
     lt_cv_file_magic_cmd='$OBJDUMP -f'
   fi
   ;;
 
-cegcc)
+cegcc*)
   # use the weaker test based on 'objdump'. See mingw*.
   lt_cv_deplibs_check_method='file_magic file format pe-arm-.*little(.*architecture: arm)?'
   lt_cv_file_magic_cmd='$OBJDUMP -f'
@@ -3050,6 +3259,10 @@ gnu*)
   lt_cv_deplibs_check_method=pass_all
   ;;
 
+haiku*)
+  lt_cv_deplibs_check_method=pass_all
+  ;;
+
 hpux10.20* | hpux11*)
   lt_cv_file_magic_cmd=/usr/bin/file
   case $host_cpu in
@@ -3058,11 +3271,11 @@ hpux10.20* | hpux11*)
     lt_cv_file_magic_test_file=/usr/lib/hpux32/libc.so
     ;;
   hppa*64*)
-    [lt_cv_deplibs_check_method='file_magic (s[0-9][0-9][0-9]|ELF-[0-9][0-9]) shared object file - PA-RISC [0-9].[0-9]']
+    [lt_cv_deplibs_check_method='file_magic (s[0-9][0-9][0-9]|ELF[ -][0-9][0-9])(-bit)?( [LM]SB)? shared object( file)?[, -]* PA-RISC [0-9]\.[0-9]']
     lt_cv_file_magic_test_file=/usr/lib/pa20_64/libc.sl
     ;;
   *)
-    lt_cv_deplibs_check_method='file_magic (s[[0-9]][[0-9]][[0-9]]|PA-RISC[[0-9]].[[0-9]]) shared library'
+    lt_cv_deplibs_check_method='file_magic (s[[0-9]][[0-9]][[0-9]]|PA-RISC[[0-9]]\.[[0-9]]) shared library'
     lt_cv_file_magic_test_file=/usr/lib/libc.sl
     ;;
   esac
@@ -3083,7 +3296,7 @@ irix5* | irix6* | nonstopux*)
   lt_cv_deplibs_check_method=pass_all
   ;;
 
-# This must be Linux ELF.
+# This must be glibc/ELF.
 linux* | k*bsd*-gnu | kopensolaris*-gnu)
   lt_cv_deplibs_check_method=pass_all
   ;;
@@ -3162,6 +3375,21 @@ tpf*)
   ;;
 esac
 ])
+
+file_magic_glob=
+want_nocaseglob=no
+if test "$build" = "$host"; then
+  case $host_os in
+  mingw* | pw32*)
+    if ( shopt | grep nocaseglob ) >/dev/null 2>&1; then
+      want_nocaseglob=yes
+    else
+      file_magic_glob=`echo aAbBcCdDeEfFgGhHiIjJkKlLmMnNoOpPqQrRsStTuUvVwWxXyYzZ | $SED -e "s/\(..\)/s\/[[\1]]\/[[\1]]\/g;/g"`
+    fi
+    ;;
+  esac
+fi
+
 file_magic_cmd=$lt_cv_file_magic_cmd
 deplibs_check_method=$lt_cv_deplibs_check_method
 test -z "$deplibs_check_method" && deplibs_check_method=unknown
@@ -3169,7 +3397,11 @@ test -z "$deplibs_check_method" && deplibs_check_method=unknown
 _LT_DECL([], [deplibs_check_method], [1],
     [Method to check whether dependent libraries are shared objects])
 _LT_DECL([], [file_magic_cmd], [1],
-    [Command to use when deplibs_check_method == "file_magic"])
+    [Command to use when deplibs_check_method = "file_magic"])
+_LT_DECL([], [file_magic_glob], [1],
+    [How to find potential files when deplibs_check_method = "file_magic"])
+_LT_DECL([], [want_nocaseglob], [1],
+    [Find potential files using nocaseglob when deplibs_check_method = "file_magic"])
 ])# _LT_CHECK_MAGIC_METHOD
 
 
@@ -3226,8 +3458,20 @@ if test "$lt_cv_path_NM" != "no"; then
   NM="$lt_cv_path_NM"
 else
   # Didn't find any BSD compatible name lister, look for dumpbin.
-  AC_CHECK_TOOLS(DUMPBIN, ["dumpbin -symbols" "link -dump -symbols"], :)
-  AC_SUBST([DUMPBIN])
+  if test -n "$DUMPBIN"; then :
+    # Let the user override the test.
+  else
+    AC_CHECK_TOOLS(DUMPBIN, [dumpbin "link -dump"], :)
+    case `$DUMPBIN -symbols /dev/null 2>&1 | sed '1q'` in
+    *COFF*)
+      DUMPBIN="$DUMPBIN -symbols"
+      ;;
+    *)
+      DUMPBIN=:
+      ;;
+    esac
+  fi
+  AC_SUBST([DUMPBIN])
   if test "$DUMPBIN" != ":"; then
     NM="$DUMPBIN"
   fi
@@ -3239,13 +3483,13 @@ _LT_DECL([], [NM], [1], [A BSD- or MS-compatible name lister])dnl
 AC_CACHE_CHECK([the name lister ($NM) interface], [lt_cv_nm_interface],
   [lt_cv_nm_interface="BSD nm"
   echo "int some_variable = 0;" > conftest.$ac_ext
-  (eval echo "\"\$as_me:__oline__: $ac_compile\"" >&AS_MESSAGE_LOG_FD)
+  (eval echo "\"\$as_me:$LINENO: $ac_compile\"" >&AS_MESSAGE_LOG_FD)
   (eval "$ac_compile" 2>conftest.err)
   cat conftest.err >&AS_MESSAGE_LOG_FD
-  (eval echo "\"\$as_me:__oline__: $NM \\\"conftest.$ac_objext\\\"\"" >&AS_MESSAGE_LOG_FD)
+  (eval echo "\"\$as_me:$LINENO: $NM \\\"conftest.$ac_objext\\\"\"" >&AS_MESSAGE_LOG_FD)
   (eval "$NM \"conftest.$ac_objext\"" 2>conftest.err > conftest.out)
   cat conftest.err >&AS_MESSAGE_LOG_FD
-  (eval echo "\"\$as_me:__oline__: output\"" >&AS_MESSAGE_LOG_FD)
+  (eval echo "\"\$as_me:$LINENO: output\"" >&AS_MESSAGE_LOG_FD)
   cat conftest.out >&AS_MESSAGE_LOG_FD
   if $GREP 'External.*some_variable' conftest.out > /dev/null; then
     lt_cv_nm_interface="MS dumpbin"
@@ -3260,6 +3504,67 @@ dnl aclocal-1.4 backwards compatibility:
 dnl AC_DEFUN([AM_PROG_NM], [])
 dnl AC_DEFUN([AC_PROG_NM], [])
 
+# _LT_CHECK_SHAREDLIB_FROM_LINKLIB
+# --------------------------------
+# how to determine the name of the shared library
+# associated with a specific link library.
+#  -- PORTME fill in with the dynamic library characteristics
+m4_defun([_LT_CHECK_SHAREDLIB_FROM_LINKLIB],
+[m4_require([_LT_DECL_EGREP])
+m4_require([_LT_DECL_OBJDUMP])
+m4_require([_LT_DECL_DLLTOOL])
+AC_CACHE_CHECK([how to associate runtime and link libraries],
+lt_cv_sharedlib_from_linklib_cmd,
+[lt_cv_sharedlib_from_linklib_cmd='unknown'
+
+case $host_os in
+cygwin* | mingw* | pw32* | cegcc*)
+  # two different shell functions defined in ltmain.sh
+  # decide which to use based on capabilities of $DLLTOOL
+  case `$DLLTOOL --help 2>&1` in
+  *--identify-strict*)
+    lt_cv_sharedlib_from_linklib_cmd=func_cygming_dll_for_implib
+    ;;
+  *)
+    lt_cv_sharedlib_from_linklib_cmd=func_cygming_dll_for_implib_fallback
+    ;;
+  esac
+  ;;
+*)
+  # fallback: assume linklib IS sharedlib
+  lt_cv_sharedlib_from_linklib_cmd="$ECHO"
+  ;;
+esac
+])
+sharedlib_from_linklib_cmd=$lt_cv_sharedlib_from_linklib_cmd
+test -z "$sharedlib_from_linklib_cmd" && sharedlib_from_linklib_cmd=$ECHO
+
+_LT_DECL([], [sharedlib_from_linklib_cmd], [1],
+    [Command to associate shared and link libraries])
+])# _LT_CHECK_SHAREDLIB_FROM_LINKLIB
+
+
+# _LT_PATH_MANIFEST_TOOL
+# ----------------------
+# locate the manifest tool
+m4_defun([_LT_PATH_MANIFEST_TOOL],
+[AC_CHECK_TOOL(MANIFEST_TOOL, mt, :)
+test -z "$MANIFEST_TOOL" && MANIFEST_TOOL=mt
+AC_CACHE_CHECK([if $MANIFEST_TOOL is a manifest tool], [lt_cv_path_mainfest_tool],
+  [lt_cv_path_mainfest_tool=no
+  echo "$as_me:$LINENO: $MANIFEST_TOOL '-?'" >&AS_MESSAGE_LOG_FD
+  $MANIFEST_TOOL '-?' 2>conftest.err > conftest.out
+  cat conftest.err >&AS_MESSAGE_LOG_FD
+  if $GREP 'Manifest Tool' conftest.out > /dev/null; then
+    lt_cv_path_mainfest_tool=yes
+  fi
+  rm -f conftest*])
+if test "x$lt_cv_path_mainfest_tool" != xyes; then
+  MANIFEST_TOOL=:
+fi
+_LT_DECL([], [MANIFEST_TOOL], [1], [Manifest tool])dnl
+])# _LT_PATH_MANIFEST_TOOL
+
 
 # LT_LIB_M
 # --------
@@ -3268,7 +3573,7 @@ AC_DEFUN([LT_LIB_M],
 [AC_REQUIRE([AC_CANONICAL_HOST])dnl
 LIBM=
 case $host in
-*-*-beos* | *-*-cygwin* | *-*-pw32* | *-*-darwin*)
+*-*-beos* | *-*-cegcc* | *-*-cygwin* | *-*-haiku* | *-*-pw32* | *-*-darwin*)
   # These system don't have libm, or don't need it
   ;;
 *-ncr-sysv4.3*)
@@ -3296,7 +3601,12 @@ m4_defun([_LT_COMPILER_NO_RTTI],
 _LT_TAGVAR(lt_prog_compiler_no_builtin_flag, $1)=
 
 if test "$GCC" = yes; then
-  _LT_TAGVAR(lt_prog_compiler_no_builtin_flag, $1)=' -fno-builtin'
+  case $cc_basename in
+  nvcc*)
+    _LT_TAGVAR(lt_prog_compiler_no_builtin_flag, $1)=' -Xcompiler -fno-builtin' ;;
+  *)
+    _LT_TAGVAR(lt_prog_compiler_no_builtin_flag, $1)=' -fno-builtin' ;;
+  esac
 
   _LT_COMPILER_OPTION([if $compiler supports -fno-rtti -fno-exceptions],
     lt_cv_prog_compiler_rtti_exceptions,
@@ -3313,6 +3623,7 @@ _LT_TAGDECL([no_builtin_flag], [lt_prog_compiler_no_builtin_flag], [1],
 m4_defun([_LT_CMD_GLOBAL_SYMBOLS],
 [AC_REQUIRE([AC_CANONICAL_HOST])dnl
 AC_REQUIRE([AC_PROG_CC])dnl
+AC_REQUIRE([AC_PROG_AWK])dnl
 AC_REQUIRE([LT_PATH_NM])dnl
 AC_REQUIRE([LT_PATH_LD])dnl
 m4_require([_LT_DECL_SED])dnl
@@ -3380,8 +3691,8 @@ esac
 lt_cv_sys_global_symbol_to_cdecl="sed -n -e 's/^T .* \(.*\)$/extern int \1();/p' -e 's/^$symcode* .* \(.*\)$/extern char \1;/p'"
 
 # Transform an extracted symbol line into symbol name and symbol address
-lt_cv_sys_global_symbol_to_c_name_address="sed -n -e 's/^: \([[^ ]]*\) $/  {\\\"\1\\\", (void *) 0},/p' -e 's/^$symcode* \([[^ ]]*\) \([[^ ]]*\)$/  {\"\2\", (void *) \&\2},/p'"
-lt_cv_sys_global_symbol_to_c_name_address_lib_prefix="sed -n -e 's/^: \([[^ ]]*\) $/  {\\\"\1\\\", (void *) 0},/p' -e 's/^$symcode* \([[^ ]]*\) \(lib[[^ ]]*\)$/  {\"\2\", (void *) \&\2},/p' -e 's/^$symcode* \([[^ ]]*\) \([[^ ]]*\)$/  {\"lib\2\", (void *) \&\2},/p'"
+lt_cv_sys_global_symbol_to_c_name_address="sed -n -e 's/^: \([[^ ]]*\)[[ ]]*$/  {\\\"\1\\\", (void *) 0},/p' -e 's/^$symcode* \([[^ ]]*\) \([[^ ]]*\)$/  {\"\2\", (void *) \&\2},/p'"
+lt_cv_sys_global_symbol_to_c_name_address_lib_prefix="sed -n -e 's/^: \([[^ ]]*\)[[ ]]*$/  {\\\"\1\\\", (void *) 0},/p' -e 's/^$symcode* \([[^ ]]*\) \(lib[[^ ]]*\)$/  {\"\2\", (void *) \&\2},/p' -e 's/^$symcode* \([[^ ]]*\) \([[^ ]]*\)$/  {\"lib\2\", (void *) \&\2},/p'"
 
 # Handle CRLF in mingw tool chain
 opt_cr=
@@ -3405,6 +3716,7 @@ for ac_symprfx in "" "_"; do
     # which start with @ or ?.
     lt_cv_sys_global_symbol_pipe="$AWK ['"\
 "     {last_section=section; section=\$ 3};"\
+"     /^COFF SYMBOL TABLE/{for(i in hide) delete hide[i]};"\
 "     /Section length .*#relocs.*(pick any)/{hide[last_section]=1};"\
 "     \$ 0!~/External *\|/{next};"\
 "     / 0+ UNDEF /{next}; / UNDEF \([^|]\)*()/{next};"\
@@ -3417,6 +3729,7 @@ for ac_symprfx in "" "_"; do
   else
     lt_cv_sys_global_symbol_pipe="sed -n -e 's/^.*[[	 ]]\($symcode$symcode*\)[[	 ]][[	 ]]*$ac_symprfx$sympat$opt_cr$/$symxfrm/p'"
   fi
+  lt_cv_sys_global_symbol_pipe="$lt_cv_sys_global_symbol_pipe | sed '/ __gnu_lto/d'"
 
   # Check to see that the pipe works correctly.
   pipe_works=no
@@ -3438,7 +3751,7 @@ _LT_EOF
   if AC_TRY_EVAL(ac_compile); then
     # Now try to grab the symbols.
     nlist=conftest.nm
-    if AC_TRY_EVAL(NM conftest.$ac_objext \| $lt_cv_sys_global_symbol_pipe \> $nlist) && test -s "$nlist"; then
+    if AC_TRY_EVAL(NM conftest.$ac_objext \| "$lt_cv_sys_global_symbol_pipe" \> $nlist) && test -s "$nlist"; then
       # Try sorting and uniquifying the output.
       if sort "$nlist" | uniq > "$nlist"T; then
 	mv -f "$nlist"T "$nlist"
@@ -3450,6 +3763,18 @@ _LT_EOF
       if $GREP ' nm_test_var$' "$nlist" >/dev/null; then
 	if $GREP ' nm_test_func$' "$nlist" >/dev/null; then
 	  cat <<_LT_EOF > conftest.$ac_ext
+/* Keep this code in sync between libtool.m4, ltmain, lt_system.h, and tests.  */
+#if defined(_WIN32) || defined(__CYGWIN__) || defined(_WIN32_WCE)
+/* DATA imports from DLLs on WIN32 con't be const, because runtime
+   relocations are performed -- see ld's documentation on pseudo-relocs.  */
+# define LT@&t@_DLSYM_CONST
+#elif defined(__osf__)
+/* This system does not cope well with relocations in const data.  */
+# define LT@&t@_DLSYM_CONST
+#else
+# define LT@&t@_DLSYM_CONST const
+#endif
+
 #ifdef __cplusplus
 extern "C" {
 #endif
@@ -3461,7 +3786,7 @@ _LT_EOF
 	  cat <<_LT_EOF >> conftest.$ac_ext
 
 /* The mapping between symbol names and symbols.  */
-const struct {
+LT@&t@_DLSYM_CONST struct {
   const char *name;
   void       *address;
 }
@@ -3487,15 +3812,15 @@ static const void *lt_preloaded_setup() {
 _LT_EOF
 	  # Now try linking the two files.
 	  mv conftest.$ac_objext conftstm.$ac_objext
-	  lt_save_LIBS="$LIBS"
-	  lt_save_CFLAGS="$CFLAGS"
+	  lt_globsym_save_LIBS=$LIBS
+	  lt_globsym_save_CFLAGS=$CFLAGS
 	  LIBS="conftstm.$ac_objext"
 	  CFLAGS="$CFLAGS$_LT_TAGVAR(lt_prog_compiler_no_builtin_flag, $1)"
 	  if AC_TRY_EVAL(ac_link) && test -s conftest${ac_exeext}; then
 	    pipe_works=yes
 	  fi
-	  LIBS="$lt_save_LIBS"
-	  CFLAGS="$lt_save_CFLAGS"
+	  LIBS=$lt_globsym_save_LIBS
+	  CFLAGS=$lt_globsym_save_CFLAGS
 	else
 	  echo "cannot find nm_test_func in $nlist" >&AS_MESSAGE_LOG_FD
 	fi
@@ -3528,6 +3853,13 @@ else
   AC_MSG_RESULT(ok)
 fi
 
+# Response file support.
+if test "$lt_cv_nm_interface" = "MS dumpbin"; then
+  nm_file_list_spec='@'
+elif $NM --help 2>/dev/null | grep '[[@]]FILE' >/dev/null; then
+  nm_file_list_spec='@'
+fi
+
 _LT_DECL([global_symbol_pipe], [lt_cv_sys_global_symbol_pipe], [1],
     [Take the output of nm and produce a listing of raw symbols and C names])
 _LT_DECL([global_symbol_to_cdecl], [lt_cv_sys_global_symbol_to_cdecl], [1],
@@ -3538,6 +3870,8 @@ _LT_DECL([global_symbol_to_c_name_address],
 _LT_DECL([global_symbol_to_c_name_address_lib_prefix],
     [lt_cv_sys_global_symbol_to_c_name_address_lib_prefix], [1],
     [Transform the output of nm in a C name address pair when lib prefix is needed])
+_LT_DECL([], [nm_file_list_spec], [1],
+    [Specify filename containing input files for $NM])
 ]) # _LT_CMD_GLOBAL_SYMBOLS
 
 
@@ -3549,7 +3883,6 @@ _LT_TAGVAR(lt_prog_compiler_wl, $1)=
 _LT_TAGVAR(lt_prog_compiler_pic, $1)=
 _LT_TAGVAR(lt_prog_compiler_static, $1)=
 
-AC_MSG_CHECKING([for $compiler option to produce PIC])
 m4_if([$1], [CXX], [
   # C++ specific cases for pic, static, wl, etc.
   if test "$GXX" = yes; then
@@ -3600,6 +3933,11 @@ m4_if([$1], [CXX], [
       # DJGPP does not support shared libraries at all
       _LT_TAGVAR(lt_prog_compiler_pic, $1)=
       ;;
+    haiku*)
+      # PIC is the default for Haiku.
+      # The "-static" flag exists, but is broken.
+      _LT_TAGVAR(lt_prog_compiler_static, $1)=
+      ;;
     interix[[3-9]]*)
       # Interix 3.x gcc -fpic/-fPIC options generate broken code.
       # Instead, we relocate shared libraries at runtime.
@@ -3649,6 +3987,12 @@ m4_if([$1], [CXX], [
 	  ;;
 	esac
 	;;
+      mingw* | cygwin* | os2* | pw32* | cegcc*)
+	# This hack is so that the source file can tell whether it is being
+	# built for inclusion in a dll (and should export symbols for example).
+	m4_if([$1], [GCJ], [],
+	  [_LT_TAGVAR(lt_prog_compiler_pic, $1)='-DDLL_EXPORT'])
+	;;
       dgux*)
 	case $cc_basename in
 	  ec++*)
@@ -3738,8 +4082,8 @@ m4_if([$1], [CXX], [
 	    _LT_TAGVAR(lt_prog_compiler_pic, $1)=
 	    _LT_TAGVAR(lt_prog_compiler_static, $1)='-non_shared'
 	    ;;
-	  xlc* | xlC*)
-	    # IBM XL 8.0 on PPC
+	  xlc* | xlC* | bgxl[[cC]]* | mpixl[[cC]]*)
+	    # IBM XL 8.0, 9.0 on PPC and BlueGene
 	    _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
 	    _LT_TAGVAR(lt_prog_compiler_pic, $1)='-qpic'
 	    _LT_TAGVAR(lt_prog_compiler_static, $1)='-qstaticlink'
@@ -3801,7 +4145,7 @@ m4_if([$1], [CXX], [
 	;;
       solaris*)
 	case $cc_basename in
-	  CC*)
+	  CC* | sunCC*)
 	    # Sun C++ 4.2, 5.x and Centerline C++
 	    _LT_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC'
 	    _LT_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
@@ -3905,6 +4249,12 @@ m4_if([$1], [CXX], [
       _LT_TAGVAR(lt_prog_compiler_pic, $1)='-fno-common'
       ;;
 
+    haiku*)
+      # PIC is the default for Haiku.
+      # The "-static" flag exists, but is broken.
+      _LT_TAGVAR(lt_prog_compiler_static, $1)=
+      ;;
+
     hpux*)
       # PIC is the default for 64-bit PA HP-UX, but not for 32-bit
       # PA HP-UX.  On IA64 HP-UX, PIC is the default but the pic flag
@@ -3947,6 +4297,15 @@ m4_if([$1], [CXX], [
       _LT_TAGVAR(lt_prog_compiler_pic, $1)='-fPIC'
       ;;
     esac
+
+    case $cc_basename in
+    nvcc*) # Cuda Compiler Driver 2.2
+      _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Xlinker '
+      if test -n "$_LT_TAGVAR(lt_prog_compiler_pic, $1)"; then
+        _LT_TAGVAR(lt_prog_compiler_pic, $1)="-Xcompiler $_LT_TAGVAR(lt_prog_compiler_pic, $1)"
+      fi
+      ;;
+    esac
   else
     # PORTME Check for flag to pass linker flags through the system compiler.
     case $host_os in
@@ -4010,7 +4369,13 @@ m4_if([$1], [CXX], [
 	_LT_TAGVAR(lt_prog_compiler_pic, $1)='--shared'
 	_LT_TAGVAR(lt_prog_compiler_static, $1)='--static'
 	;;
-      pgcc* | pgf77* | pgf90* | pgf95*)
+      nagfor*)
+	# NAG Fortran compiler
+	_LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,-Wl,,'
+	_LT_TAGVAR(lt_prog_compiler_pic, $1)='-PIC'
+	_LT_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
+	;;
+      pgcc* | pgf77* | pgf90* | pgf95* | pgfortran*)
         # Portland Group compilers (*not* the Pentium gcc compiler,
 	# which looks to be a dead project)
 	_LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
@@ -4022,25 +4387,40 @@ m4_if([$1], [CXX], [
         # All Alpha code is PIC.
         _LT_TAGVAR(lt_prog_compiler_static, $1)='-non_shared'
         ;;
-      xl*)
-	# IBM XL C 8.0/Fortran 10.1 on PPC
+      xl* | bgxl* | bgf* | mpixl*)
+	# IBM XL C 8.0/Fortran 10.1, 11.1 on PPC and BlueGene
 	_LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
 	_LT_TAGVAR(lt_prog_compiler_pic, $1)='-qpic'
 	_LT_TAGVAR(lt_prog_compiler_static, $1)='-qstaticlink'
 	;;
       *)
 	case `$CC -V 2>&1 | sed 5q` in
+	*Sun\ Ceres\ Fortran* | *Sun*Fortran*\ [[1-7]].* | *Sun*Fortran*\ 8.[[0-3]]*)
+	  # Sun Fortran 8.3 passes all unrecognized flags to the linker
+	  _LT_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC'
+	  _LT_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
+	  _LT_TAGVAR(lt_prog_compiler_wl, $1)=''
+	  ;;
+	*Sun\ F* | *Sun*Fortran*)
+	  _LT_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC'
+	  _LT_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
+	  _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Qoption ld '
+	  ;;
 	*Sun\ C*)
 	  # Sun C 5.9
 	  _LT_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC'
 	  _LT_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
 	  _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
 	  ;;
-	*Sun\ F*)
-	  # Sun Fortran 8.3 passes all unrecognized flags to the linker
-	  _LT_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC'
+        *Intel*\ [[CF]]*Compiler*)
+	  _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
+	  _LT_TAGVAR(lt_prog_compiler_pic, $1)='-fPIC'
+	  _LT_TAGVAR(lt_prog_compiler_static, $1)='-static'
+	  ;;
+	*Portland\ Group*)
+	  _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
+	  _LT_TAGVAR(lt_prog_compiler_pic, $1)='-fpic'
 	  _LT_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
-	  _LT_TAGVAR(lt_prog_compiler_wl, $1)=''
 	  ;;
 	esac
 	;;
@@ -4072,7 +4452,7 @@ m4_if([$1], [CXX], [
       _LT_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC'
       _LT_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
       case $cc_basename in
-      f77* | f90* | f95*)
+      f77* | f90* | f95* | sunf77* | sunf90* | sunf95*)
 	_LT_TAGVAR(lt_prog_compiler_wl, $1)='-Qoption ld ';;
       *)
 	_LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,';;
@@ -4129,9 +4509,11 @@ case $host_os in
     _LT_TAGVAR(lt_prog_compiler_pic, $1)="$_LT_TAGVAR(lt_prog_compiler_pic, $1)@&t@m4_if([$1],[],[ -DPIC],[m4_if([$1],[CXX],[ -DPIC],[])])"
     ;;
 esac
-AC_MSG_RESULT([$_LT_TAGVAR(lt_prog_compiler_pic, $1)])
-_LT_TAGDECL([wl], [lt_prog_compiler_wl], [1],
-	[How to pass a linker flag through the compiler])
+
+AC_CACHE_CHECK([for $compiler option to produce PIC],
+  [_LT_TAGVAR(lt_cv_prog_compiler_pic, $1)],
+  [_LT_TAGVAR(lt_cv_prog_compiler_pic, $1)=$_LT_TAGVAR(lt_prog_compiler_pic, $1)])
+_LT_TAGVAR(lt_prog_compiler_pic, $1)=$_LT_TAGVAR(lt_cv_prog_compiler_pic, $1)
 
 #
 # Check to make sure the PIC flag actually works.
@@ -4150,6 +4532,8 @@ fi
 _LT_TAGDECL([pic_flag], [lt_prog_compiler_pic], [1],
 	[Additional compiler flags for building library objects])
 
+_LT_TAGDECL([wl], [lt_prog_compiler_wl], [1],
+	[How to pass a linker flag through the compiler])
 #
 # Check to make sure the static flag actually works.
 #
@@ -4170,6 +4554,7 @@ _LT_TAGDECL([link_static_flag], [lt_prog_compiler_static], [1],
 m4_defun([_LT_LINKER_SHLIBS],
 [AC_REQUIRE([LT_PATH_LD])dnl
 AC_REQUIRE([LT_PATH_NM])dnl
+m4_require([_LT_PATH_MANIFEST_TOOL])dnl
 m4_require([_LT_FILEUTILS_DEFAULTS])dnl
 m4_require([_LT_DECL_EGREP])dnl
 m4_require([_LT_DECL_SED])dnl
@@ -4178,30 +4563,40 @@ m4_require([_LT_TAG_COMPILER])dnl
 AC_MSG_CHECKING([whether the $compiler linker ($LD) supports shared libraries])
 m4_if([$1], [CXX], [
   _LT_TAGVAR(export_symbols_cmds, $1)='$NM $libobjs $convenience | $global_symbol_pipe | $SED '\''s/.* //'\'' | sort | uniq > $export_symbols'
+  _LT_TAGVAR(exclude_expsyms, $1)=['_GLOBAL_OFFSET_TABLE_|_GLOBAL__F[ID]_.*']
   case $host_os in
   aix[[4-9]]*)
     # If we're using GNU nm, then we don't want the "-C" option.
     # -C means demangle to AIX nm, but means don't demangle with GNU nm
+    # Also, AIX nm treats weak defined symbols like other global defined
+    # symbols, whereas GNU nm marks them as "W".
     if $NM -V 2>&1 | $GREP 'GNU' > /dev/null; then
-      _LT_TAGVAR(export_symbols_cmds, $1)='$NM -Bpg $libobjs $convenience | awk '\''{ if (((\$ 2 == "T") || (\$ 2 == "D") || (\$ 2 == "B")) && ([substr](\$ 3,1,1) != ".")) { print \$ 3 } }'\'' | sort -u > $export_symbols'
+      _LT_TAGVAR(export_symbols_cmds, $1)='$NM -Bpg $libobjs $convenience | awk '\''{ if (((\$ 2 == "T") || (\$ 2 == "D") || (\$ 2 == "B") || (\$ 2 == "W")) && ([substr](\$ 3,1,1) != ".")) { print \$ 3 } }'\'' | sort -u > $export_symbols'
     else
       _LT_TAGVAR(export_symbols_cmds, $1)='$NM -BCpg $libobjs $convenience | awk '\''{ if (((\$ 2 == "T") || (\$ 2 == "D") || (\$ 2 == "B")) && ([substr](\$ 3,1,1) != ".")) { print \$ 3 } }'\'' | sort -u > $export_symbols'
     fi
     ;;
   pw32*)
     _LT_TAGVAR(export_symbols_cmds, $1)="$ltdll_cmds"
-  ;;
+    ;;
   cygwin* | mingw* | cegcc*)
-    _LT_TAGVAR(export_symbols_cmds, $1)='$NM $libobjs $convenience | $global_symbol_pipe | $SED -e '\''/^[[BCDGRS]][[ ]]/s/.*[[ ]]\([[^ ]]*\)/\1 DATA/;/^.*[[ ]]__nm__/s/^.*[[ ]]__nm__\([[^ ]]*\)[[ ]][[^ ]]*/\1 DATA/;/^I[[ ]]/d;/^[[AITW]][[ ]]/s/.* //'\'' | sort | uniq > $export_symbols'
-  ;;
-  linux* | k*bsd*-gnu)
+    case $cc_basename in
+    cl*)
+      _LT_TAGVAR(exclude_expsyms, $1)='_NULL_IMPORT_DESCRIPTOR|_IMPORT_DESCRIPTOR_.*'
+      ;;
+    *)
+      _LT_TAGVAR(export_symbols_cmds, $1)='$NM $libobjs $convenience | $global_symbol_pipe | $SED -e '\''/^[[BCDGRS]][[ ]]/s/.*[[ ]]\([[^ ]]*\)/\1 DATA/;s/^.*[[ ]]__nm__\([[^ ]]*\)[[ ]][[^ ]]*/\1 DATA/;/^I[[ ]]/d;/^[[AITW]][[ ]]/s/.* //'\'' | sort | uniq > $export_symbols'
+      _LT_TAGVAR(exclude_expsyms, $1)=['[_]+GLOBAL_OFFSET_TABLE_|[_]+GLOBAL__[FID]_.*|[_]+head_[A-Za-z0-9_]+_dll|[A-Za-z0-9_]+_dll_iname']
+      ;;
+    esac
+    ;;
+  linux* | k*bsd*-gnu | gnu*)
     _LT_TAGVAR(link_all_deplibs, $1)=no
-  ;;
+    ;;
   *)
     _LT_TAGVAR(export_symbols_cmds, $1)='$NM $libobjs $convenience | $global_symbol_pipe | $SED '\''s/.* //'\'' | sort | uniq > $export_symbols'
-  ;;
+    ;;
   esac
-  _LT_TAGVAR(exclude_expsyms, $1)=['_GLOBAL_OFFSET_TABLE_|_GLOBAL__F[ID]_.*']
 ], [
   runpath_var=
   _LT_TAGVAR(allow_undefined_flag, $1)=
@@ -4216,7 +4611,6 @@ m4_if([$1], [CXX], [
   _LT_TAGVAR(hardcode_direct, $1)=no
   _LT_TAGVAR(hardcode_direct_absolute, $1)=no
   _LT_TAGVAR(hardcode_libdir_flag_spec, $1)=
-  _LT_TAGVAR(hardcode_libdir_flag_spec_ld, $1)=
   _LT_TAGVAR(hardcode_libdir_separator, $1)=
   _LT_TAGVAR(hardcode_minus_L, $1)=no
   _LT_TAGVAR(hardcode_shlibpath_var, $1)=unsupported
@@ -4261,13 +4655,39 @@ dnl Note also adjust exclude_expsyms for C++ above.
   openbsd*)
     with_gnu_ld=no
     ;;
-  linux* | k*bsd*-gnu)
+  linux* | k*bsd*-gnu | gnu*)
     _LT_TAGVAR(link_all_deplibs, $1)=no
     ;;
   esac
 
   _LT_TAGVAR(ld_shlibs, $1)=yes
+
+  # On some targets, GNU ld is compatible enough with the native linker
+  # that we're better off using the native interface for both.
+  lt_use_gnu_ld_interface=no
   if test "$with_gnu_ld" = yes; then
+    case $host_os in
+      aix*)
+	# The AIX port of GNU ld has always aspired to compatibility
+	# with the native linker.  However, as the warning in the GNU ld
+	# block says, versions before 2.19.5* couldn't really create working
+	# shared libraries, regardless of the interface used.
+	case `$LD -v 2>&1` in
+	  *\ \(GNU\ Binutils\)\ 2.19.5*) ;;
+	  *\ \(GNU\ Binutils\)\ 2.[[2-9]]*) ;;
+	  *\ \(GNU\ Binutils\)\ [[3-9]]*) ;;
+	  *)
+	    lt_use_gnu_ld_interface=yes
+	    ;;
+	esac
+	;;
+      *)
+	lt_use_gnu_ld_interface=yes
+	;;
+    esac
+  fi
+
+  if test "$lt_use_gnu_ld_interface" = yes; then
     # If archive_cmds runs LD, not CC, wlarc should be empty
     wlarc='${wl}'
 
@@ -4301,11 +4721,12 @@ dnl Note also adjust exclude_expsyms for C++ above.
 	_LT_TAGVAR(ld_shlibs, $1)=no
 	cat <<_LT_EOF 1>&2
 
-*** Warning: the GNU linker, at least up to release 2.9.1, is reported
+*** Warning: the GNU linker, at least up to release 2.19, is reported
 *** to be unable to reliably create shared libraries on AIX.
 *** Therefore, libtool is disabling shared libraries support.  If you
-*** really care for shared libraries, you may want to modify your PATH
-*** so that a non-GNU linker is found, and then restart.
+*** really care for shared libraries, you may want to install binutils
+*** 2.20 or above, or modify your PATH so that a non-GNU linker is found.
+*** You will then need to restart the configuration process.
 
 _LT_EOF
       fi
@@ -4341,10 +4762,12 @@ _LT_EOF
       # _LT_TAGVAR(hardcode_libdir_flag_spec, $1) is actually meaningless,
       # as there is no search path for DLLs.
       _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='-L$libdir'
+      _LT_TAGVAR(export_dynamic_flag_spec, $1)='${wl}--export-all-symbols'
       _LT_TAGVAR(allow_undefined_flag, $1)=unsupported
       _LT_TAGVAR(always_export_symbols, $1)=no
       _LT_TAGVAR(enable_shared_with_static_runtimes, $1)=yes
-      _LT_TAGVAR(export_symbols_cmds, $1)='$NM $libobjs $convenience | $global_symbol_pipe | $SED -e '\''/^[[BCDGRS]][[ ]]/s/.*[[ ]]\([[^ ]]*\)/\1 DATA/'\'' | $SED -e '\''/^[[AITW]][[ ]]/s/.*[[ ]]//'\'' | sort | uniq > $export_symbols'
+      _LT_TAGVAR(export_symbols_cmds, $1)='$NM $libobjs $convenience | $global_symbol_pipe | $SED -e '\''/^[[BCDGRS]][[ ]]/s/.*[[ ]]\([[^ ]]*\)/\1 DATA/;s/^.*[[ ]]__nm__\([[^ ]]*\)[[ ]][[^ ]]*/\1 DATA/;/^I[[ ]]/d;/^[[AITW]][[ ]]/s/.* //'\'' | sort | uniq > $export_symbols'
+      _LT_TAGVAR(exclude_expsyms, $1)=['[_]+GLOBAL_OFFSET_TABLE_|[_]+GLOBAL__[FID]_.*|[_]+head_[A-Za-z0-9_]+_dll|[A-Za-z0-9_]+_dll_iname']
 
       if $LD --help 2>&1 | $GREP 'auto-import' > /dev/null; then
         _LT_TAGVAR(archive_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags -o $output_objdir/$soname ${wl}--enable-auto-image-base -Xlinker --out-implib -Xlinker $lib'
@@ -4362,6 +4785,11 @@ _LT_EOF
       fi
       ;;
 
+    haiku*)
+      _LT_TAGVAR(archive_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
+      _LT_TAGVAR(link_all_deplibs, $1)=yes
+      ;;
+
     interix[[3-9]]*)
       _LT_TAGVAR(hardcode_direct, $1)=no
       _LT_TAGVAR(hardcode_shlibpath_var, $1)=no
@@ -4387,15 +4815,16 @@ _LT_EOF
       if $LD --help 2>&1 | $EGREP ': supported targets:.* elf' > /dev/null \
 	 && test "$tmp_diet" = no
       then
-	tmp_addflag=
+	tmp_addflag=' $pic_flag'
 	tmp_sharedflag='-shared'
 	case $cc_basename,$host_cpu in
         pgcc*)				# Portland Group C compiler
-	  _LT_TAGVAR(whole_archive_flag_spec, $1)='${wl}--whole-archive`for conv in $convenience\"\"; do test  -n \"$conv\" && new_convenience=\"$new_convenience,$conv\"; done; $ECHO \"$new_convenience\"` ${wl}--no-whole-archive'
+	  _LT_TAGVAR(whole_archive_flag_spec, $1)='${wl}--whole-archive`for conv in $convenience\"\"; do test  -n \"$conv\" && new_convenience=\"$new_convenience,$conv\"; done; func_echo_all \"$new_convenience\"` ${wl}--no-whole-archive'
 	  tmp_addflag=' $pic_flag'
 	  ;;
-	pgf77* | pgf90* | pgf95*)	# Portland Group f77 and f90 compilers
-	  _LT_TAGVAR(whole_archive_flag_spec, $1)='${wl}--whole-archive`for conv in $convenience\"\"; do test  -n \"$conv\" && new_convenience=\"$new_convenience,$conv\"; done; $ECHO \"$new_convenience\"` ${wl}--no-whole-archive'
+	pgf77* | pgf90* | pgf95* | pgfortran*)
+					# Portland Group f77 and f90 compilers
+	  _LT_TAGVAR(whole_archive_flag_spec, $1)='${wl}--whole-archive`for conv in $convenience\"\"; do test  -n \"$conv\" && new_convenience=\"$new_convenience,$conv\"; done; func_echo_all \"$new_convenience\"` ${wl}--no-whole-archive'
 	  tmp_addflag=' $pic_flag -Mnomain' ;;
 	ecc*,ia64* | icc*,ia64*)	# Intel C compiler on ia64
 	  tmp_addflag=' -i_dynamic' ;;
@@ -4406,13 +4835,17 @@ _LT_EOF
 	lf95*)				# Lahey Fortran 8.1
 	  _LT_TAGVAR(whole_archive_flag_spec, $1)=
 	  tmp_sharedflag='--shared' ;;
-	xl[[cC]]*)			# IBM XL C 8.0 on PPC (deal with xlf below)
+	xl[[cC]]* | bgxl[[cC]]* | mpixl[[cC]]*) # IBM XL C 8.0 on PPC (deal with xlf below)
 	  tmp_sharedflag='-qmkshrobj'
 	  tmp_addflag= ;;
+	nvcc*)	# Cuda Compiler Driver 2.2
+	  _LT_TAGVAR(whole_archive_flag_spec, $1)='${wl}--whole-archive`for conv in $convenience\"\"; do test  -n \"$conv\" && new_convenience=\"$new_convenience,$conv\"; done; func_echo_all \"$new_convenience\"` ${wl}--no-whole-archive'
+	  _LT_TAGVAR(compiler_needs_object, $1)=yes
+	  ;;
 	esac
 	case `$CC -V 2>&1 | sed 5q` in
 	*Sun\ C*)			# Sun C 5.9
-	  _LT_TAGVAR(whole_archive_flag_spec, $1)='${wl}--whole-archive`new_convenience=; for conv in $convenience\"\"; do test -z \"$conv\" || new_convenience=\"$new_convenience,$conv\"; done; $ECHO \"$new_convenience\"` ${wl}--no-whole-archive'
+	  _LT_TAGVAR(whole_archive_flag_spec, $1)='${wl}--whole-archive`new_convenience=; for conv in $convenience\"\"; do test -z \"$conv\" || new_convenience=\"$new_convenience,$conv\"; done; func_echo_all \"$new_convenience\"` ${wl}--no-whole-archive'
 	  _LT_TAGVAR(compiler_needs_object, $1)=yes
 	  tmp_sharedflag='-G' ;;
 	*Sun\ F*)			# Sun Fortran 8.3
@@ -4428,17 +4861,16 @@ _LT_EOF
         fi
 
 	case $cc_basename in
-	xlf*)
+	xlf* | bgf* | bgxlf* | mpixlf*)
 	  # IBM XL Fortran 10.1 on PPC cannot create shared libs itself
 	  _LT_TAGVAR(whole_archive_flag_spec, $1)='--whole-archive$convenience --no-whole-archive'
-	  _LT_TAGVAR(hardcode_libdir_flag_spec, $1)=
-	  _LT_TAGVAR(hardcode_libdir_flag_spec_ld, $1)='-rpath $libdir'
-	  _LT_TAGVAR(archive_cmds, $1)='$LD -shared $libobjs $deplibs $compiler_flags -soname $soname -o $lib'
+	  _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath ${wl}$libdir'
+	  _LT_TAGVAR(archive_cmds, $1)='$LD -shared $libobjs $deplibs $linker_flags -soname $soname -o $lib'
 	  if test "x$supports_anon_versioning" = xyes; then
 	    _LT_TAGVAR(archive_expsym_cmds, $1)='echo "{ global:" > $output_objdir/$libname.ver~
 	      cat $export_symbols | sed -e "s/\(.*\)/\1;/" >> $output_objdir/$libname.ver~
 	      echo "local: *; };" >> $output_objdir/$libname.ver~
-	      $LD -shared $libobjs $deplibs $compiler_flags -soname $soname -version-script $output_objdir/$libname.ver -o $lib'
+	      $LD -shared $libobjs $deplibs $linker_flags -soname $soname -version-script $output_objdir/$libname.ver -o $lib'
 	  fi
 	  ;;
 	esac
@@ -4452,8 +4884,8 @@ _LT_EOF
 	_LT_TAGVAR(archive_cmds, $1)='$LD -Bshareable $libobjs $deplibs $linker_flags -o $lib'
 	wlarc=
       else
-	_LT_TAGVAR(archive_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
-	_LT_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib'
+	_LT_TAGVAR(archive_cmds, $1)='$CC -shared $pic_flag $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
+	_LT_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $pic_flag $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib'
       fi
       ;;
 
@@ -4471,8 +4903,8 @@ _LT_EOF
 
 _LT_EOF
       elif $LD --help 2>&1 | $GREP ': supported targets:.* elf' > /dev/null; then
-	_LT_TAGVAR(archive_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
-	_LT_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib'
+	_LT_TAGVAR(archive_cmds, $1)='$CC -shared $pic_flag $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
+	_LT_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $pic_flag $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib'
       else
 	_LT_TAGVAR(ld_shlibs, $1)=no
       fi
@@ -4518,8 +4950,8 @@ _LT_EOF
 
     *)
       if $LD --help 2>&1 | $GREP ': supported targets:.* elf' > /dev/null; then
-	_LT_TAGVAR(archive_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
-	_LT_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib'
+	_LT_TAGVAR(archive_cmds, $1)='$CC -shared $pic_flag $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
+	_LT_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $pic_flag $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib'
       else
 	_LT_TAGVAR(ld_shlibs, $1)=no
       fi
@@ -4559,8 +4991,10 @@ _LT_EOF
       else
 	# If we're using GNU nm, then we don't want the "-C" option.
 	# -C means demangle to AIX nm, but means don't demangle with GNU nm
+	# Also, AIX nm treats weak defined symbols like other global
+	# defined symbols, whereas GNU nm marks them as "W".
 	if $NM -V 2>&1 | $GREP 'GNU' > /dev/null; then
-	  _LT_TAGVAR(export_symbols_cmds, $1)='$NM -Bpg $libobjs $convenience | awk '\''{ if (((\$ 2 == "T") || (\$ 2 == "D") || (\$ 2 == "B")) && ([substr](\$ 3,1,1) != ".")) { print \$ 3 } }'\'' | sort -u > $export_symbols'
+	  _LT_TAGVAR(export_symbols_cmds, $1)='$NM -Bpg $libobjs $convenience | awk '\''{ if (((\$ 2 == "T") || (\$ 2 == "D") || (\$ 2 == "B") || (\$ 2 == "W")) && ([substr](\$ 3,1,1) != ".")) { print \$ 3 } }'\'' | sort -u > $export_symbols'
 	else
 	  _LT_TAGVAR(export_symbols_cmds, $1)='$NM -BCpg $libobjs $convenience | awk '\''{ if (((\$ 2 == "T") || (\$ 2 == "D") || (\$ 2 == "B")) && ([substr](\$ 3,1,1) != ".")) { print \$ 3 } }'\'' | sort -u > $export_symbols'
 	fi
@@ -4648,9 +5082,9 @@ _LT_EOF
 	_LT_TAGVAR(allow_undefined_flag, $1)='-berok'
         # Determine the default libpath from the value encoded in an
         # empty executable.
-        _LT_SYS_MODULE_PATH_AIX
+        _LT_SYS_MODULE_PATH_AIX([$1])
         _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-blibpath:$libdir:'"$aix_libpath"
-        _LT_TAGVAR(archive_expsym_cmds, $1)='$CC -o $output_objdir/$soname $libobjs $deplibs '"\${wl}$no_entry_flag"' $compiler_flags `if test "x${allow_undefined_flag}" != "x"; then $ECHO "X${wl}${allow_undefined_flag}" | $Xsed; else :; fi` '"\${wl}$exp_sym_flag:\$export_symbols $shared_flag"
+        _LT_TAGVAR(archive_expsym_cmds, $1)='$CC -o $output_objdir/$soname $libobjs $deplibs '"\${wl}$no_entry_flag"' $compiler_flags `if test "x${allow_undefined_flag}" != "x"; then func_echo_all "${wl}${allow_undefined_flag}"; else :; fi` '"\${wl}$exp_sym_flag:\$export_symbols $shared_flag"
       else
 	if test "$host_cpu" = ia64; then
 	  _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-R $libdir:/usr/lib:/lib'
@@ -4659,14 +5093,19 @@ _LT_EOF
 	else
 	 # Determine the default libpath from the value encoded in an
 	 # empty executable.
-	 _LT_SYS_MODULE_PATH_AIX
+	 _LT_SYS_MODULE_PATH_AIX([$1])
 	 _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-blibpath:$libdir:'"$aix_libpath"
 	  # Warning - without using the other run time loading flags,
 	  # -berok will link without error, but may produce a broken library.
 	  _LT_TAGVAR(no_undefined_flag, $1)=' ${wl}-bernotok'
 	  _LT_TAGVAR(allow_undefined_flag, $1)=' ${wl}-berok'
-	  # Exported symbols can be pulled into shared objects from archives
-	  _LT_TAGVAR(whole_archive_flag_spec, $1)='$convenience'
+	  if test "$with_gnu_ld" = yes; then
+	    # We only use this code for GNU lds that support --whole-archive.
+	    _LT_TAGVAR(whole_archive_flag_spec, $1)='${wl}--whole-archive$convenience ${wl}--no-whole-archive'
+	  else
+	    # Exported symbols can be pulled into shared objects from archives
+	    _LT_TAGVAR(whole_archive_flag_spec, $1)='$convenience'
+	  fi
 	  _LT_TAGVAR(archive_cmds_need_lc, $1)=yes
 	  # This is similar to how AIX traditionally builds its shared libraries.
 	  _LT_TAGVAR(archive_expsym_cmds, $1)="\$CC $shared_flag"' -o $output_objdir/$soname $libobjs $deplibs ${wl}-bnoentry $compiler_flags ${wl}-bE:$export_symbols${allow_undefined_flag}~$AR $AR_FLAGS $output_objdir/$libname$release.a $output_objdir/$soname'
@@ -4698,20 +5137,64 @@ _LT_EOF
       # Microsoft Visual C++.
       # hardcode_libdir_flag_spec is actually meaningless, as there is
       # no search path for DLLs.
-      _LT_TAGVAR(hardcode_libdir_flag_spec, $1)=' '
-      _LT_TAGVAR(allow_undefined_flag, $1)=unsupported
-      # Tell ltmain to make .lib files, not .a files.
-      libext=lib
-      # Tell ltmain to make .dll files, not .so files.
-      shrext_cmds=".dll"
-      # FIXME: Setting linknames here is a bad hack.
-      _LT_TAGVAR(archive_cmds, $1)='$CC -o $lib $libobjs $compiler_flags `$ECHO "X$deplibs" | $Xsed -e '\''s/ -lc$//'\''` -link -dll~linknames='
-      # The linker will automatically build a .lib file if we build a DLL.
-      _LT_TAGVAR(old_archive_from_new_cmds, $1)='true'
-      # FIXME: Should let the user specify the lib program.
-      _LT_TAGVAR(old_archive_cmds, $1)='lib -OUT:$oldlib$oldobjs$old_deplibs'
-      _LT_TAGVAR(fix_srcfile_path, $1)='`cygpath -w "$srcfile"`'
-      _LT_TAGVAR(enable_shared_with_static_runtimes, $1)=yes
+      case $cc_basename in
+      cl*)
+	# Native MSVC
+	_LT_TAGVAR(hardcode_libdir_flag_spec, $1)=' '
+	_LT_TAGVAR(allow_undefined_flag, $1)=unsupported
+	_LT_TAGVAR(always_export_symbols, $1)=yes
+	_LT_TAGVAR(file_list_spec, $1)='@'
+	# Tell ltmain to make .lib files, not .a files.
+	libext=lib
+	# Tell ltmain to make .dll files, not .so files.
+	shrext_cmds=".dll"
+	# FIXME: Setting linknames here is a bad hack.
+	_LT_TAGVAR(archive_cmds, $1)='$CC -o $output_objdir/$soname $libobjs $compiler_flags $deplibs -Wl,-dll~linknames='
+	_LT_TAGVAR(archive_expsym_cmds, $1)='if test "x`$SED 1q $export_symbols`" = xEXPORTS; then
+	    sed -n -e 's/\\\\\\\(.*\\\\\\\)/-link\\\ -EXPORT:\\\\\\\1/' -e '1\\\!p' < $export_symbols > $output_objdir/$soname.exp;
+	  else
+	    sed -e 's/\\\\\\\(.*\\\\\\\)/-link\\\ -EXPORT:\\\\\\\1/' < $export_symbols > $output_objdir/$soname.exp;
+	  fi~
+	  $CC -o $tool_output_objdir$soname $libobjs $compiler_flags $deplibs "@$tool_output_objdir$soname.exp" -Wl,-DLL,-IMPLIB:"$tool_output_objdir$libname.dll.lib"~
+	  linknames='
+	# The linker will not automatically build a static lib if we build a DLL.
+	# _LT_TAGVAR(old_archive_from_new_cmds, $1)='true'
+	_LT_TAGVAR(enable_shared_with_static_runtimes, $1)=yes
+	_LT_TAGVAR(exclude_expsyms, $1)='_NULL_IMPORT_DESCRIPTOR|_IMPORT_DESCRIPTOR_.*'
+	_LT_TAGVAR(export_symbols_cmds, $1)='$NM $libobjs $convenience | $global_symbol_pipe | $SED -e '\''/^[[BCDGRS]][[ ]]/s/.*[[ ]]\([[^ ]]*\)/\1,DATA/'\'' | $SED -e '\''/^[[AITW]][[ ]]/s/.*[[ ]]//'\'' | sort | uniq > $export_symbols'
+	# Don't use ranlib
+	_LT_TAGVAR(old_postinstall_cmds, $1)='chmod 644 $oldlib'
+	_LT_TAGVAR(postlink_cmds, $1)='lt_outputfile="@OUTPUT@"~
+	  lt_tool_outputfile="@TOOL_OUTPUT@"~
+	  case $lt_outputfile in
+	    *.exe|*.EXE) ;;
+	    *)
+	      lt_outputfile="$lt_outputfile.exe"
+	      lt_tool_outputfile="$lt_tool_outputfile.exe"
+	      ;;
+	  esac~
+	  if test "$MANIFEST_TOOL" != ":" && test -f "$lt_outputfile.manifest"; then
+	    $MANIFEST_TOOL -manifest "$lt_tool_outputfile.manifest" -outputresource:"$lt_tool_outputfile" || exit 1;
+	    $RM "$lt_outputfile.manifest";
+	  fi'
+	;;
+      *)
+	# Assume MSVC wrapper
+	_LT_TAGVAR(hardcode_libdir_flag_spec, $1)=' '
+	_LT_TAGVAR(allow_undefined_flag, $1)=unsupported
+	# Tell ltmain to make .lib files, not .a files.
+	libext=lib
+	# Tell ltmain to make .dll files, not .so files.
+	shrext_cmds=".dll"
+	# FIXME: Setting linknames here is a bad hack.
+	_LT_TAGVAR(archive_cmds, $1)='$CC -o $lib $libobjs $compiler_flags `func_echo_all "$deplibs" | $SED '\''s/ -lc$//'\''` -link -dll~linknames='
+	# The linker will automatically build a .lib file if we build a DLL.
+	_LT_TAGVAR(old_archive_from_new_cmds, $1)='true'
+	# FIXME: Should let the user specify the lib program.
+	_LT_TAGVAR(old_archive_cmds, $1)='lib -OUT:$oldlib$oldobjs$old_deplibs'
+	_LT_TAGVAR(enable_shared_with_static_runtimes, $1)=yes
+	;;
+      esac
       ;;
 
     darwin* | rhapsody*)
@@ -4724,10 +5207,6 @@ _LT_EOF
       _LT_TAGVAR(hardcode_shlibpath_var, $1)=no
       ;;
 
-    freebsd1*)
-      _LT_TAGVAR(ld_shlibs, $1)=no
-      ;;
-
     # FreeBSD 2.2.[012] allows us to include c++rt0.o to get C++ constructor
     # support.  Future versions do this automatically, but an explicit c++rt0.o
     # does not break anything, and helps significantly (at the cost of a little
@@ -4740,7 +5219,7 @@ _LT_EOF
       ;;
 
     # Unfortunately, older versions of FreeBSD 2 do not have this feature.
-    freebsd2*)
+    freebsd2.*)
       _LT_TAGVAR(archive_cmds, $1)='$LD -Bshareable -o $lib $libobjs $deplibs $linker_flags'
       _LT_TAGVAR(hardcode_direct, $1)=yes
       _LT_TAGVAR(hardcode_minus_L, $1)=yes
@@ -4749,7 +5228,7 @@ _LT_EOF
 
     # FreeBSD 3 and greater uses gcc -shared to do shared libraries.
     freebsd* | dragonfly*)
-      _LT_TAGVAR(archive_cmds, $1)='$CC -shared -o $lib $libobjs $deplibs $compiler_flags'
+      _LT_TAGVAR(archive_cmds, $1)='$CC -shared $pic_flag -o $lib $libobjs $deplibs $compiler_flags'
       _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='-R$libdir'
       _LT_TAGVAR(hardcode_direct, $1)=yes
       _LT_TAGVAR(hardcode_shlibpath_var, $1)=no
@@ -4757,7 +5236,7 @@ _LT_EOF
 
     hpux9*)
       if test "$GCC" = yes; then
-	_LT_TAGVAR(archive_cmds, $1)='$RM $output_objdir/$soname~$CC -shared -fPIC ${wl}+b ${wl}$install_libdir -o $output_objdir/$soname $libobjs $deplibs $compiler_flags~test $output_objdir/$soname = $lib || mv $output_objdir/$soname $lib'
+	_LT_TAGVAR(archive_cmds, $1)='$RM $output_objdir/$soname~$CC -shared $pic_flag ${wl}+b ${wl}$install_libdir -o $output_objdir/$soname $libobjs $deplibs $compiler_flags~test $output_objdir/$soname = $lib || mv $output_objdir/$soname $lib'
       else
 	_LT_TAGVAR(archive_cmds, $1)='$RM $output_objdir/$soname~$LD -b +b $install_libdir -o $output_objdir/$soname $libobjs $deplibs $linker_flags~test $output_objdir/$soname = $lib || mv $output_objdir/$soname $lib'
       fi
@@ -4772,14 +5251,13 @@ _LT_EOF
       ;;
 
     hpux10*)
-      if test "$GCC" = yes -a "$with_gnu_ld" = no; then
-	_LT_TAGVAR(archive_cmds, $1)='$CC -shared -fPIC ${wl}+h ${wl}$soname ${wl}+b ${wl}$install_libdir -o $lib $libobjs $deplibs $compiler_flags'
+      if test "$GCC" = yes && test "$with_gnu_ld" = no; then
+	_LT_TAGVAR(archive_cmds, $1)='$CC -shared $pic_flag ${wl}+h ${wl}$soname ${wl}+b ${wl}$install_libdir -o $lib $libobjs $deplibs $compiler_flags'
       else
 	_LT_TAGVAR(archive_cmds, $1)='$LD -b +h $soname +b $install_libdir -o $lib $libobjs $deplibs $linker_flags'
       fi
       if test "$with_gnu_ld" = no; then
 	_LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}+b ${wl}$libdir'
-	_LT_TAGVAR(hardcode_libdir_flag_spec_ld, $1)='+b $libdir'
 	_LT_TAGVAR(hardcode_libdir_separator, $1)=:
 	_LT_TAGVAR(hardcode_direct, $1)=yes
 	_LT_TAGVAR(hardcode_direct_absolute, $1)=yes
@@ -4791,16 +5269,16 @@ _LT_EOF
       ;;
 
     hpux11*)
-      if test "$GCC" = yes -a "$with_gnu_ld" = no; then
+      if test "$GCC" = yes && test "$with_gnu_ld" = no; then
 	case $host_cpu in
 	hppa*64*)
 	  _LT_TAGVAR(archive_cmds, $1)='$CC -shared ${wl}+h ${wl}$soname -o $lib $libobjs $deplibs $compiler_flags'
 	  ;;
 	ia64*)
-	  _LT_TAGVAR(archive_cmds, $1)='$CC -shared -fPIC ${wl}+h ${wl}$soname ${wl}+nodefaultrpath -o $lib $libobjs $deplibs $compiler_flags'
+	  _LT_TAGVAR(archive_cmds, $1)='$CC -shared $pic_flag ${wl}+h ${wl}$soname ${wl}+nodefaultrpath -o $lib $libobjs $deplibs $compiler_flags'
 	  ;;
 	*)
-	  _LT_TAGVAR(archive_cmds, $1)='$CC -shared -fPIC ${wl}+h ${wl}$soname ${wl}+b ${wl}$install_libdir -o $lib $libobjs $deplibs $compiler_flags'
+	  _LT_TAGVAR(archive_cmds, $1)='$CC -shared $pic_flag ${wl}+h ${wl}$soname ${wl}+b ${wl}$install_libdir -o $lib $libobjs $deplibs $compiler_flags'
 	  ;;
 	esac
       else
@@ -4812,7 +5290,14 @@ _LT_EOF
 	  _LT_TAGVAR(archive_cmds, $1)='$CC -b ${wl}+h ${wl}$soname ${wl}+nodefaultrpath -o $lib $libobjs $deplibs $compiler_flags'
 	  ;;
 	*)
-	  _LT_TAGVAR(archive_cmds, $1)='$CC -b ${wl}+h ${wl}$soname ${wl}+b ${wl}$install_libdir -o $lib $libobjs $deplibs $compiler_flags'
+	m4_if($1, [], [
+	  # Older versions of the 11.00 compiler do not understand -b yet
+	  # (HP92453-01 A.11.01.20 doesn't, HP92453-01 B.11.X.35175-35176.GP does)
+	  _LT_LINKER_OPTION([if $CC understands -b],
+	    _LT_TAGVAR(lt_cv_prog_compiler__b, $1), [-b],
+	    [_LT_TAGVAR(archive_cmds, $1)='$CC -b ${wl}+h ${wl}$soname ${wl}+b ${wl}$install_libdir -o $lib $libobjs $deplibs $compiler_flags'],
+	    [_LT_TAGVAR(archive_cmds, $1)='$LD -b +h $soname +b $install_libdir -o $lib $libobjs $deplibs $linker_flags'])],
+	  [_LT_TAGVAR(archive_cmds, $1)='$CC -b ${wl}+h ${wl}$soname ${wl}+b ${wl}$install_libdir -o $lib $libobjs $deplibs $compiler_flags'])
 	  ;;
 	esac
       fi
@@ -4840,19 +5325,34 @@ _LT_EOF
 
     irix5* | irix6* | nonstopux*)
       if test "$GCC" = yes; then
-	_LT_TAGVAR(archive_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname ${wl}$soname `test -n "$verstring" && $ECHO "X${wl}-set_version ${wl}$verstring" | $Xsed` ${wl}-update_registry ${wl}${output_objdir}/so_locations -o $lib'
+	_LT_TAGVAR(archive_cmds, $1)='$CC -shared $pic_flag $libobjs $deplibs $compiler_flags ${wl}-soname ${wl}$soname `test -n "$verstring" && func_echo_all "${wl}-set_version ${wl}$verstring"` ${wl}-update_registry ${wl}${output_objdir}/so_locations -o $lib'
 	# Try to use the -exported_symbol ld option, if it does not
 	# work, assume that -exports_file does not work either and
 	# implicitly export all symbols.
-        save_LDFLAGS="$LDFLAGS"
-        LDFLAGS="$LDFLAGS -shared ${wl}-exported_symbol ${wl}foo ${wl}-update_registry ${wl}/dev/null"
-        AC_LINK_IFELSE(int foo(void) {},
-          _LT_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname ${wl}$soname `test -n "$verstring" && $ECHO "X${wl}-set_version ${wl}$verstring" | $Xsed` ${wl}-update_registry ${wl}${output_objdir}/so_locations ${wl}-exports_file ${wl}$export_symbols -o $lib'
-        )
-        LDFLAGS="$save_LDFLAGS"
+	# This should be the same for all languages, so no per-tag cache variable.
+	AC_CACHE_CHECK([whether the $host_os linker accepts -exported_symbol],
+	  [lt_cv_irix_exported_symbol],
+	  [save_LDFLAGS="$LDFLAGS"
+	   LDFLAGS="$LDFLAGS -shared ${wl}-exported_symbol ${wl}foo ${wl}-update_registry ${wl}/dev/null"
+	   AC_LINK_IFELSE(
+	     [AC_LANG_SOURCE(
+	        [AC_LANG_CASE([C], [[int foo (void) { return 0; }]],
+			      [C++], [[int foo (void) { return 0; }]],
+			      [Fortran 77], [[
+      subroutine foo
+      end]],
+			      [Fortran], [[
+      subroutine foo
+      end]])])],
+	      [lt_cv_irix_exported_symbol=yes],
+	      [lt_cv_irix_exported_symbol=no])
+           LDFLAGS="$save_LDFLAGS"])
+	if test "$lt_cv_irix_exported_symbol" = yes; then
+          _LT_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $pic_flag $libobjs $deplibs $compiler_flags ${wl}-soname ${wl}$soname `test -n "$verstring" && func_echo_all "${wl}-set_version ${wl}$verstring"` ${wl}-update_registry ${wl}${output_objdir}/so_locations ${wl}-exports_file ${wl}$export_symbols -o $lib'
+	fi
       else
-	_LT_TAGVAR(archive_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags -soname $soname `test -n "$verstring" && $ECHO "X-set_version $verstring" | $Xsed` -update_registry ${output_objdir}/so_locations -o $lib'
-	_LT_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags -soname $soname `test -n "$verstring" && $ECHO "X-set_version $verstring" | $Xsed` -update_registry ${output_objdir}/so_locations -exports_file $export_symbols -o $lib'
+	_LT_TAGVAR(archive_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags -soname $soname `test -n "$verstring" && func_echo_all "-set_version $verstring"` -update_registry ${output_objdir}/so_locations -o $lib'
+	_LT_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags -soname $soname `test -n "$verstring" && func_echo_all "-set_version $verstring"` -update_registry ${output_objdir}/so_locations -exports_file $export_symbols -o $lib'
       fi
       _LT_TAGVAR(archive_cmds_need_lc, $1)='no'
       _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath ${wl}$libdir'
@@ -4914,17 +5414,17 @@ _LT_EOF
       _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='-L$libdir'
       _LT_TAGVAR(hardcode_minus_L, $1)=yes
       _LT_TAGVAR(allow_undefined_flag, $1)=unsupported
-      _LT_TAGVAR(archive_cmds, $1)='$ECHO "LIBRARY $libname INITINSTANCE" > $output_objdir/$libname.def~$ECHO "DESCRIPTION \"$libname\"" >> $output_objdir/$libname.def~$ECHO DATA >> $output_objdir/$libname.def~$ECHO " SINGLE NONSHARED" >> $output_objdir/$libname.def~$ECHO EXPORTS >> $output_objdir/$libname.def~emxexp $libobjs >> $output_objdir/$libname.def~$CC -Zdll -Zcrtdll -o $lib $libobjs $deplibs $compiler_flags $output_objdir/$libname.def'
+      _LT_TAGVAR(archive_cmds, $1)='$ECHO "LIBRARY $libname INITINSTANCE" > $output_objdir/$libname.def~$ECHO "DESCRIPTION \"$libname\"" >> $output_objdir/$libname.def~echo DATA >> $output_objdir/$libname.def~echo " SINGLE NONSHARED" >> $output_objdir/$libname.def~echo EXPORTS >> $output_objdir/$libname.def~emxexp $libobjs >> $output_objdir/$libname.def~$CC -Zdll -Zcrtdll -o $lib $libobjs $deplibs $compiler_flags $output_objdir/$libname.def'
       _LT_TAGVAR(old_archive_from_new_cmds, $1)='emximp -o $output_objdir/$libname.a $output_objdir/$libname.def'
       ;;
 
     osf3*)
       if test "$GCC" = yes; then
 	_LT_TAGVAR(allow_undefined_flag, $1)=' ${wl}-expect_unresolved ${wl}\*'
-	_LT_TAGVAR(archive_cmds, $1)='$CC -shared${allow_undefined_flag} $libobjs $deplibs $compiler_flags ${wl}-soname ${wl}$soname `test -n "$verstring" && $ECHO "X${wl}-set_version ${wl}$verstring" | $Xsed` ${wl}-update_registry ${wl}${output_objdir}/so_locations -o $lib'
+	_LT_TAGVAR(archive_cmds, $1)='$CC -shared${allow_undefined_flag} $libobjs $deplibs $compiler_flags ${wl}-soname ${wl}$soname `test -n "$verstring" && func_echo_all "${wl}-set_version ${wl}$verstring"` ${wl}-update_registry ${wl}${output_objdir}/so_locations -o $lib'
       else
 	_LT_TAGVAR(allow_undefined_flag, $1)=' -expect_unresolved \*'
-	_LT_TAGVAR(archive_cmds, $1)='$CC -shared${allow_undefined_flag} $libobjs $deplibs $compiler_flags -soname $soname `test -n "$verstring" && $ECHO "X-set_version $verstring" | $Xsed` -update_registry ${output_objdir}/so_locations -o $lib'
+	_LT_TAGVAR(archive_cmds, $1)='$CC -shared${allow_undefined_flag} $libobjs $deplibs $compiler_flags -soname $soname `test -n "$verstring" && func_echo_all "-set_version $verstring"` -update_registry ${output_objdir}/so_locations -o $lib'
       fi
       _LT_TAGVAR(archive_cmds_need_lc, $1)='no'
       _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath ${wl}$libdir'
@@ -4934,13 +5434,13 @@ _LT_EOF
     osf4* | osf5*)	# as osf3* with the addition of -msym flag
       if test "$GCC" = yes; then
 	_LT_TAGVAR(allow_undefined_flag, $1)=' ${wl}-expect_unresolved ${wl}\*'
-	_LT_TAGVAR(archive_cmds, $1)='$CC -shared${allow_undefined_flag} $libobjs $deplibs $compiler_flags ${wl}-msym ${wl}-soname ${wl}$soname `test -n "$verstring" && $ECHO "X${wl}-set_version ${wl}$verstring" | $Xsed` ${wl}-update_registry ${wl}${output_objdir}/so_locations -o $lib'
+	_LT_TAGVAR(archive_cmds, $1)='$CC -shared${allow_undefined_flag} $pic_flag $libobjs $deplibs $compiler_flags ${wl}-msym ${wl}-soname ${wl}$soname `test -n "$verstring" && func_echo_all "${wl}-set_version ${wl}$verstring"` ${wl}-update_registry ${wl}${output_objdir}/so_locations -o $lib'
 	_LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath ${wl}$libdir'
       else
 	_LT_TAGVAR(allow_undefined_flag, $1)=' -expect_unresolved \*'
-	_LT_TAGVAR(archive_cmds, $1)='$CC -shared${allow_undefined_flag} $libobjs $deplibs $compiler_flags -msym -soname $soname `test -n "$verstring" && $ECHO "X-set_version $verstring" | $Xsed` -update_registry ${output_objdir}/so_locations -o $lib'
+	_LT_TAGVAR(archive_cmds, $1)='$CC -shared${allow_undefined_flag} $libobjs $deplibs $compiler_flags -msym -soname $soname `test -n "$verstring" && func_echo_all "-set_version $verstring"` -update_registry ${output_objdir}/so_locations -o $lib'
 	_LT_TAGVAR(archive_expsym_cmds, $1)='for i in `cat $export_symbols`; do printf "%s %s\\n" -exported_symbol "\$i" >> $lib.exp; done; printf "%s\\n" "-hidden">> $lib.exp~
-	$CC -shared${allow_undefined_flag} ${wl}-input ${wl}$lib.exp $compiler_flags $libobjs $deplibs -soname $soname `test -n "$verstring" && $ECHO "X-set_version $verstring" | $Xsed` -update_registry ${output_objdir}/so_locations -o $lib~$RM $lib.exp'
+	$CC -shared${allow_undefined_flag} ${wl}-input ${wl}$lib.exp $compiler_flags $libobjs $deplibs -soname $soname `test -n "$verstring" && $ECHO "-set_version $verstring"` -update_registry ${output_objdir}/so_locations -o $lib~$RM $lib.exp'
 
 	# Both c and cxx compiler support -rpath directly
 	_LT_TAGVAR(hardcode_libdir_flag_spec, $1)='-rpath $libdir'
@@ -4953,9 +5453,9 @@ _LT_EOF
       _LT_TAGVAR(no_undefined_flag, $1)=' -z defs'
       if test "$GCC" = yes; then
 	wlarc='${wl}'
-	_LT_TAGVAR(archive_cmds, $1)='$CC -shared ${wl}-z ${wl}text ${wl}-h ${wl}$soname -o $lib $libobjs $deplibs $compiler_flags'
+	_LT_TAGVAR(archive_cmds, $1)='$CC -shared $pic_flag ${wl}-z ${wl}text ${wl}-h ${wl}$soname -o $lib $libobjs $deplibs $compiler_flags'
 	_LT_TAGVAR(archive_expsym_cmds, $1)='echo "{ global:" > $lib.exp~cat $export_symbols | $SED -e "s/\(.*\)/\1;/" >> $lib.exp~echo "local: *; };" >> $lib.exp~
-	  $CC -shared ${wl}-z ${wl}text ${wl}-M ${wl}$lib.exp ${wl}-h ${wl}$soname -o $lib $libobjs $deplibs $compiler_flags~$RM $lib.exp'
+	  $CC -shared $pic_flag ${wl}-z ${wl}text ${wl}-M ${wl}$lib.exp ${wl}-h ${wl}$soname -o $lib $libobjs $deplibs $compiler_flags~$RM $lib.exp'
       else
 	case `$CC -V 2>&1` in
 	*"Compilers 5.0"*)
@@ -5131,36 +5631,38 @@ x|xyes)
       # Test whether the compiler implicitly links with -lc since on some
       # systems, -lgcc has to come before -lc. If gcc already passes -lc
       # to ld, don't add -lc before -lgcc.
-      AC_MSG_CHECKING([whether -lc should be explicitly linked in])
-      $RM conftest*
-      echo "$lt_simple_compile_test_code" > conftest.$ac_ext
-
-      if AC_TRY_EVAL(ac_compile) 2>conftest.err; then
-        soname=conftest
-        lib=conftest
-        libobjs=conftest.$ac_objext
-        deplibs=
-        wl=$_LT_TAGVAR(lt_prog_compiler_wl, $1)
-	pic_flag=$_LT_TAGVAR(lt_prog_compiler_pic, $1)
-        compiler_flags=-v
-        linker_flags=-v
-        verstring=
-        output_objdir=.
-        libname=conftest
-        lt_save_allow_undefined_flag=$_LT_TAGVAR(allow_undefined_flag, $1)
-        _LT_TAGVAR(allow_undefined_flag, $1)=
-        if AC_TRY_EVAL(_LT_TAGVAR(archive_cmds, $1) 2\>\&1 \| $GREP \" -lc \" \>/dev/null 2\>\&1)
-        then
-	  _LT_TAGVAR(archive_cmds_need_lc, $1)=no
-        else
-	  _LT_TAGVAR(archive_cmds_need_lc, $1)=yes
-        fi
-        _LT_TAGVAR(allow_undefined_flag, $1)=$lt_save_allow_undefined_flag
-      else
-        cat conftest.err 1>&5
-      fi
-      $RM conftest*
-      AC_MSG_RESULT([$_LT_TAGVAR(archive_cmds_need_lc, $1)])
+      AC_CACHE_CHECK([whether -lc should be explicitly linked in],
+	[lt_cv_]_LT_TAGVAR(archive_cmds_need_lc, $1),
+	[$RM conftest*
+	echo "$lt_simple_compile_test_code" > conftest.$ac_ext
+
+	if AC_TRY_EVAL(ac_compile) 2>conftest.err; then
+	  soname=conftest
+	  lib=conftest
+	  libobjs=conftest.$ac_objext
+	  deplibs=
+	  wl=$_LT_TAGVAR(lt_prog_compiler_wl, $1)
+	  pic_flag=$_LT_TAGVAR(lt_prog_compiler_pic, $1)
+	  compiler_flags=-v
+	  linker_flags=-v
+	  verstring=
+	  output_objdir=.
+	  libname=conftest
+	  lt_save_allow_undefined_flag=$_LT_TAGVAR(allow_undefined_flag, $1)
+	  _LT_TAGVAR(allow_undefined_flag, $1)=
+	  if AC_TRY_EVAL(_LT_TAGVAR(archive_cmds, $1) 2\>\&1 \| $GREP \" -lc \" \>/dev/null 2\>\&1)
+	  then
+	    lt_cv_[]_LT_TAGVAR(archive_cmds_need_lc, $1)=no
+	  else
+	    lt_cv_[]_LT_TAGVAR(archive_cmds_need_lc, $1)=yes
+	  fi
+	  _LT_TAGVAR(allow_undefined_flag, $1)=$lt_save_allow_undefined_flag
+	else
+	  cat conftest.err 1>&5
+	fi
+	$RM conftest*
+	])
+      _LT_TAGVAR(archive_cmds_need_lc, $1)=$lt_cv_[]_LT_TAGVAR(archive_cmds_need_lc, $1)
       ;;
     esac
   fi
@@ -5197,9 +5699,6 @@ _LT_TAGDECL([], [no_undefined_flag], [1],
 _LT_TAGDECL([], [hardcode_libdir_flag_spec], [1],
     [Flag to hardcode $libdir into a binary during linking.
     This must work even if $libdir does not exist])
-_LT_TAGDECL([], [hardcode_libdir_flag_spec_ld], [1],
-    [[If ld is used when linking, flag to hardcode $libdir into a binary
-    during linking.  This must work even if $libdir does not exist]])
 _LT_TAGDECL([], [hardcode_libdir_separator], [1],
     [Whether we need a single "-rpath" flag with a separated argument])
 _LT_TAGDECL([], [hardcode_direct], [0],
@@ -5225,8 +5724,6 @@ _LT_TAGDECL([], [inherit_rpath], [0],
     to runtime path list])
 _LT_TAGDECL([], [link_all_deplibs], [0],
     [Whether libtool must link a program against all its dependency libraries])
-_LT_TAGDECL([], [fix_srcfile_path], [1],
-    [Fix the shell variable $srcfile for the compiler])
 _LT_TAGDECL([], [always_export_symbols], [0],
     [Set to "yes" if exported symbols are required])
 _LT_TAGDECL([], [export_symbols_cmds], [2],
@@ -5237,6 +5734,8 @@ _LT_TAGDECL([], [include_expsyms], [1],
     [Symbols that must always be exported])
 _LT_TAGDECL([], [prelink_cmds], [2],
     [Commands necessary for linking programs (against libraries) with templates])
+_LT_TAGDECL([], [postlink_cmds], [2],
+    [Commands necessary for finishing linking programs])
 _LT_TAGDECL([], [file_list_spec], [1],
     [Specify filename containing input files])
 dnl FIXME: Not yet implemented
@@ -5330,37 +5829,22 @@ CC="$lt_save_CC"
 ])# _LT_LANG_C_CONFIG
 
 
-# _LT_PROG_CXX
-# ------------
-# Since AC_PROG_CXX is broken, in that it returns g++ if there is no c++
-# compiler, we have our own version here.
-m4_defun([_LT_PROG_CXX],
-[
-pushdef([AC_MSG_ERROR], [_lt_caught_CXX_error=yes])
-AC_PROG_CXX
-if test -n "$CXX" && ( test "X$CXX" != "Xno" &&
-    ( (test "X$CXX" = "Xg++" && `g++ -v >/dev/null 2>&1` ) ||
-    (test "X$CXX" != "Xg++"))) ; then
-  AC_PROG_CXXCPP
-else
-  _lt_caught_CXX_error=yes
-fi
-popdef([AC_MSG_ERROR])
-])# _LT_PROG_CXX
-
-dnl aclocal-1.4 backwards compatibility:
-dnl AC_DEFUN([_LT_PROG_CXX], [])
-
-
 # _LT_LANG_CXX_CONFIG([TAG])
 # --------------------------
 # Ensure that the configuration variables for a C++ compiler are suitably
 # defined.  These variables are subsequently used by _LT_CONFIG to write
 # the compiler configuration to `libtool'.
 m4_defun([_LT_LANG_CXX_CONFIG],
-[AC_REQUIRE([_LT_PROG_CXX])dnl
-m4_require([_LT_FILEUTILS_DEFAULTS])dnl
+[m4_require([_LT_FILEUTILS_DEFAULTS])dnl
 m4_require([_LT_DECL_EGREP])dnl
+m4_require([_LT_PATH_MANIFEST_TOOL])dnl
+if test -n "$CXX" && ( test "X$CXX" != "Xno" &&
+    ( (test "X$CXX" = "Xg++" && `g++ -v >/dev/null 2>&1` ) ||
+    (test "X$CXX" != "Xg++"))) ; then
+  AC_PROG_CXXCPP
+else
+  _lt_caught_CXX_error=yes
+fi
 
 AC_LANG_PUSH(C++)
 _LT_TAGVAR(archive_cmds_need_lc, $1)=no
@@ -5372,7 +5856,6 @@ _LT_TAGVAR(export_dynamic_flag_spec, $1)=
 _LT_TAGVAR(hardcode_direct, $1)=no
 _LT_TAGVAR(hardcode_direct_absolute, $1)=no
 _LT_TAGVAR(hardcode_libdir_flag_spec, $1)=
-_LT_TAGVAR(hardcode_libdir_flag_spec_ld, $1)=
 _LT_TAGVAR(hardcode_libdir_separator, $1)=
 _LT_TAGVAR(hardcode_minus_L, $1)=no
 _LT_TAGVAR(hardcode_shlibpath_var, $1)=unsupported
@@ -5382,6 +5865,8 @@ _LT_TAGVAR(module_cmds, $1)=
 _LT_TAGVAR(module_expsym_cmds, $1)=
 _LT_TAGVAR(link_all_deplibs, $1)=unknown
 _LT_TAGVAR(old_archive_cmds, $1)=$old_archive_cmds
+_LT_TAGVAR(reload_flag, $1)=$reload_flag
+_LT_TAGVAR(reload_cmds, $1)=$reload_cmds
 _LT_TAGVAR(no_undefined_flag, $1)=
 _LT_TAGVAR(whole_archive_flag_spec, $1)=
 _LT_TAGVAR(enable_shared_with_static_runtimes, $1)=no
@@ -5413,6 +5898,7 @@ if test "$_lt_caught_CXX_error" != yes; then
 
   # Allow CC to be a program name with arguments.
   lt_save_CC=$CC
+  lt_save_CFLAGS=$CFLAGS
   lt_save_LD=$LD
   lt_save_GCC=$GCC
   GCC=$GXX
@@ -5430,6 +5916,7 @@ if test "$_lt_caught_CXX_error" != yes; then
   fi
   test -z "${LDCXX+set}" || LD=$LDCXX
   CC=${CXX-"c++"}
+  CFLAGS=$CXXFLAGS
   compiler=$CC
   _LT_TAGVAR(compiler, $1)=$CC
   _LT_CC_BASENAME([$compiler])
@@ -5451,8 +5938,8 @@ if test "$_lt_caught_CXX_error" != yes; then
       # Check if GNU C++ uses GNU ld as the underlying linker, since the
       # archiving commands below assume that GNU ld is being used.
       if test "$with_gnu_ld" = yes; then
-        _LT_TAGVAR(archive_cmds, $1)='$CC -shared -nostdlib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname $wl$soname -o $lib'
-        _LT_TAGVAR(archive_expsym_cmds, $1)='$CC -shared -nostdlib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib'
+        _LT_TAGVAR(archive_cmds, $1)='$CC $pic_flag -shared -nostdlib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname $wl$soname -o $lib'
+        _LT_TAGVAR(archive_expsym_cmds, $1)='$CC $pic_flag -shared -nostdlib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib'
 
         _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath ${wl}$libdir'
         _LT_TAGVAR(export_dynamic_flag_spec, $1)='${wl}--export-dynamic'
@@ -5484,7 +5971,7 @@ if test "$_lt_caught_CXX_error" != yes; then
       # Commands to make compiler produce verbose output that lists
       # what "hidden" libraries, object files and flags are used when
       # linking a shared library.
-      output_verbose_link_cmd='$CC -shared $CFLAGS -v conftest.$objext 2>&1 | $GREP "\-L"'
+      output_verbose_link_cmd='$CC -shared $CFLAGS -v conftest.$objext 2>&1 | $GREP -v "^Configured with:" | $GREP "\-L"'
 
     else
       GXX=no
@@ -5593,10 +6080,10 @@ if test "$_lt_caught_CXX_error" != yes; then
           _LT_TAGVAR(allow_undefined_flag, $1)='-berok'
           # Determine the default libpath from the value encoded in an empty
           # executable.
-          _LT_SYS_MODULE_PATH_AIX
+          _LT_SYS_MODULE_PATH_AIX([$1])
           _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-blibpath:$libdir:'"$aix_libpath"
 
-          _LT_TAGVAR(archive_expsym_cmds, $1)='$CC -o $output_objdir/$soname $libobjs $deplibs '"\${wl}$no_entry_flag"' $compiler_flags `if test "x${allow_undefined_flag}" != "x"; then $ECHO "X${wl}${allow_undefined_flag}" | $Xsed; else :; fi` '"\${wl}$exp_sym_flag:\$export_symbols $shared_flag"
+          _LT_TAGVAR(archive_expsym_cmds, $1)='$CC -o $output_objdir/$soname $libobjs $deplibs '"\${wl}$no_entry_flag"' $compiler_flags `if test "x${allow_undefined_flag}" != "x"; then func_echo_all "${wl}${allow_undefined_flag}"; else :; fi` '"\${wl}$exp_sym_flag:\$export_symbols $shared_flag"
         else
           if test "$host_cpu" = ia64; then
 	    _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-R $libdir:/usr/lib:/lib'
@@ -5605,14 +6092,19 @@ if test "$_lt_caught_CXX_error" != yes; then
           else
 	    # Determine the default libpath from the value encoded in an
 	    # empty executable.
-	    _LT_SYS_MODULE_PATH_AIX
+	    _LT_SYS_MODULE_PATH_AIX([$1])
 	    _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-blibpath:$libdir:'"$aix_libpath"
 	    # Warning - without using the other run time loading flags,
 	    # -berok will link without error, but may produce a broken library.
 	    _LT_TAGVAR(no_undefined_flag, $1)=' ${wl}-bernotok'
 	    _LT_TAGVAR(allow_undefined_flag, $1)=' ${wl}-berok'
-	    # Exported symbols can be pulled into shared objects from archives
-	    _LT_TAGVAR(whole_archive_flag_spec, $1)='$convenience'
+	    if test "$with_gnu_ld" = yes; then
+	      # We only use this code for GNU lds that support --whole-archive.
+	      _LT_TAGVAR(whole_archive_flag_spec, $1)='${wl}--whole-archive$convenience ${wl}--no-whole-archive'
+	    else
+	      # Exported symbols can be pulled into shared objects from archives
+	      _LT_TAGVAR(whole_archive_flag_spec, $1)='$convenience'
+	    fi
 	    _LT_TAGVAR(archive_cmds_need_lc, $1)=yes
 	    # This is similar to how AIX traditionally builds its shared
 	    # libraries.
@@ -5642,28 +6134,75 @@ if test "$_lt_caught_CXX_error" != yes; then
         ;;
 
       cygwin* | mingw* | pw32* | cegcc*)
-        # _LT_TAGVAR(hardcode_libdir_flag_spec, $1) is actually meaningless,
-        # as there is no search path for DLLs.
-        _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='-L$libdir'
-        _LT_TAGVAR(allow_undefined_flag, $1)=unsupported
-        _LT_TAGVAR(always_export_symbols, $1)=no
-        _LT_TAGVAR(enable_shared_with_static_runtimes, $1)=yes
-
-        if $LD --help 2>&1 | $GREP 'auto-import' > /dev/null; then
-          _LT_TAGVAR(archive_cmds, $1)='$CC -shared -nostdlib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags -o $output_objdir/$soname ${wl}--enable-auto-image-base -Xlinker --out-implib -Xlinker $lib'
-          # If the export-symbols file already is a .def file (1st line
-          # is EXPORTS), use it as is; otherwise, prepend...
-          _LT_TAGVAR(archive_expsym_cmds, $1)='if test "x`$SED 1q $export_symbols`" = xEXPORTS; then
-	    cp $export_symbols $output_objdir/$soname.def;
-          else
-	    echo EXPORTS > $output_objdir/$soname.def;
-	    cat $export_symbols >> $output_objdir/$soname.def;
-          fi~
-          $CC -shared -nostdlib $output_objdir/$soname.def $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags -o $output_objdir/$soname ${wl}--enable-auto-image-base -Xlinker --out-implib -Xlinker $lib'
-        else
-          _LT_TAGVAR(ld_shlibs, $1)=no
-        fi
-        ;;
+	case $GXX,$cc_basename in
+	,cl* | no,cl*)
+	  # Native MSVC
+	  # hardcode_libdir_flag_spec is actually meaningless, as there is
+	  # no search path for DLLs.
+	  _LT_TAGVAR(hardcode_libdir_flag_spec, $1)=' '
+	  _LT_TAGVAR(allow_undefined_flag, $1)=unsupported
+	  _LT_TAGVAR(always_export_symbols, $1)=yes
+	  _LT_TAGVAR(file_list_spec, $1)='@'
+	  # Tell ltmain to make .lib files, not .a files.
+	  libext=lib
+	  # Tell ltmain to make .dll files, not .so files.
+	  shrext_cmds=".dll"
+	  # FIXME: Setting linknames here is a bad hack.
+	  _LT_TAGVAR(archive_cmds, $1)='$CC -o $output_objdir/$soname $libobjs $compiler_flags $deplibs -Wl,-dll~linknames='
+	  _LT_TAGVAR(archive_expsym_cmds, $1)='if test "x`$SED 1q $export_symbols`" = xEXPORTS; then
+	      $SED -n -e 's/\\\\\\\(.*\\\\\\\)/-link\\\ -EXPORT:\\\\\\\1/' -e '1\\\!p' < $export_symbols > $output_objdir/$soname.exp;
+	    else
+	      $SED -e 's/\\\\\\\(.*\\\\\\\)/-link\\\ -EXPORT:\\\\\\\1/' < $export_symbols > $output_objdir/$soname.exp;
+	    fi~
+	    $CC -o $tool_output_objdir$soname $libobjs $compiler_flags $deplibs "@$tool_output_objdir$soname.exp" -Wl,-DLL,-IMPLIB:"$tool_output_objdir$libname.dll.lib"~
+	    linknames='
+	  # The linker will not automatically build a static lib if we build a DLL.
+	  # _LT_TAGVAR(old_archive_from_new_cmds, $1)='true'
+	  _LT_TAGVAR(enable_shared_with_static_runtimes, $1)=yes
+	  # Don't use ranlib
+	  _LT_TAGVAR(old_postinstall_cmds, $1)='chmod 644 $oldlib'
+	  _LT_TAGVAR(postlink_cmds, $1)='lt_outputfile="@OUTPUT@"~
+	    lt_tool_outputfile="@TOOL_OUTPUT@"~
+	    case $lt_outputfile in
+	      *.exe|*.EXE) ;;
+	      *)
+		lt_outputfile="$lt_outputfile.exe"
+		lt_tool_outputfile="$lt_tool_outputfile.exe"
+		;;
+	    esac~
+	    func_to_tool_file "$lt_outputfile"~
+	    if test "$MANIFEST_TOOL" != ":" && test -f "$lt_outputfile.manifest"; then
+	      $MANIFEST_TOOL -manifest "$lt_tool_outputfile.manifest" -outputresource:"$lt_tool_outputfile" || exit 1;
+	      $RM "$lt_outputfile.manifest";
+	    fi'
+	  ;;
+	*)
+	  # g++
+	  # _LT_TAGVAR(hardcode_libdir_flag_spec, $1) is actually meaningless,
+	  # as there is no search path for DLLs.
+	  _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='-L$libdir'
+	  _LT_TAGVAR(export_dynamic_flag_spec, $1)='${wl}--export-all-symbols'
+	  _LT_TAGVAR(allow_undefined_flag, $1)=unsupported
+	  _LT_TAGVAR(always_export_symbols, $1)=no
+	  _LT_TAGVAR(enable_shared_with_static_runtimes, $1)=yes
+
+	  if $LD --help 2>&1 | $GREP 'auto-import' > /dev/null; then
+	    _LT_TAGVAR(archive_cmds, $1)='$CC -shared -nostdlib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags -o $output_objdir/$soname ${wl}--enable-auto-image-base -Xlinker --out-implib -Xlinker $lib'
+	    # If the export-symbols file already is a .def file (1st line
+	    # is EXPORTS), use it as is; otherwise, prepend...
+	    _LT_TAGVAR(archive_expsym_cmds, $1)='if test "x`$SED 1q $export_symbols`" = xEXPORTS; then
+	      cp $export_symbols $output_objdir/$soname.def;
+	    else
+	      echo EXPORTS > $output_objdir/$soname.def;
+	      cat $export_symbols >> $output_objdir/$soname.def;
+	    fi~
+	    $CC -shared -nostdlib $output_objdir/$soname.def $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags -o $output_objdir/$soname ${wl}--enable-auto-image-base -Xlinker --out-implib -Xlinker $lib'
+	  else
+	    _LT_TAGVAR(ld_shlibs, $1)=no
+	  fi
+	  ;;
+	esac
+	;;
       darwin* | rhapsody*)
         _LT_DARWIN_LINKER_FEATURES($1)
 	;;
@@ -5686,7 +6225,7 @@ if test "$_lt_caught_CXX_error" != yes; then
         esac
         ;;
 
-      freebsd[[12]]*)
+      freebsd2.*)
         # C++ shared libraries reported to be fairly broken before
 	# switch to ELF
         _LT_TAGVAR(ld_shlibs, $1)=no
@@ -5705,6 +6244,11 @@ if test "$_lt_caught_CXX_error" != yes; then
       gnu*)
         ;;
 
+      haiku*)
+        _LT_TAGVAR(archive_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
+        _LT_TAGVAR(link_all_deplibs, $1)=yes
+        ;;
+
       hpux9*)
         _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}+b ${wl}$libdir'
         _LT_TAGVAR(hardcode_libdir_separator, $1)=:
@@ -5729,11 +6273,11 @@ if test "$_lt_caught_CXX_error" != yes; then
             # explicitly linking system object files so we need to strip them
             # from the output so that they don't get included in the library
             # dependencies.
-            output_verbose_link_cmd='templist=`($CC -b $CFLAGS -v conftest.$objext 2>&1) | $EGREP "\-L"`; list=""; for z in $templist; do case $z in conftest.$objext) list="$list $z";; *.$objext);; *) list="$list $z";;esac; done; $ECHO "X$list" | $Xsed'
+            output_verbose_link_cmd='templist=`($CC -b $CFLAGS -v conftest.$objext 2>&1) | $EGREP "\-L"`; list=""; for z in $templist; do case $z in conftest.$objext) list="$list $z";; *.$objext);; *) list="$list $z";;esac; done; func_echo_all "$list"'
             ;;
           *)
             if test "$GXX" = yes; then
-              _LT_TAGVAR(archive_cmds, $1)='$RM $output_objdir/$soname~$CC -shared -nostdlib -fPIC ${wl}+b ${wl}$install_libdir -o $output_objdir/$soname $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags~test $output_objdir/$soname = $lib || mv $output_objdir/$soname $lib'
+              _LT_TAGVAR(archive_cmds, $1)='$RM $output_objdir/$soname~$CC -shared -nostdlib $pic_flag ${wl}+b ${wl}$install_libdir -o $output_objdir/$soname $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags~test $output_objdir/$soname = $lib || mv $output_objdir/$soname $lib'
             else
               # FIXME: insert proper C++ library support
               _LT_TAGVAR(ld_shlibs, $1)=no
@@ -5794,7 +6338,7 @@ if test "$_lt_caught_CXX_error" != yes; then
 	    # explicitly linking system object files so we need to strip them
 	    # from the output so that they don't get included in the library
 	    # dependencies.
-	    output_verbose_link_cmd='templist=`($CC -b $CFLAGS -v conftest.$objext 2>&1) | $GREP "\-L"`; list=""; for z in $templist; do case $z in conftest.$objext) list="$list $z";; *.$objext);; *) list="$list $z";;esac; done; $ECHO "X$list" | $Xsed'
+	    output_verbose_link_cmd='templist=`($CC -b $CFLAGS -v conftest.$objext 2>&1) | $GREP "\-L"`; list=""; for z in $templist; do case $z in conftest.$objext) list="$list $z";; *.$objext);; *) list="$list $z";;esac; done; func_echo_all "$list"'
 	    ;;
           *)
 	    if test "$GXX" = yes; then
@@ -5804,10 +6348,10 @@ if test "$_lt_caught_CXX_error" != yes; then
 	            _LT_TAGVAR(archive_cmds, $1)='$CC -shared -nostdlib -fPIC ${wl}+h ${wl}$soname -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags'
 	            ;;
 	          ia64*)
-	            _LT_TAGVAR(archive_cmds, $1)='$CC -shared -nostdlib -fPIC ${wl}+h ${wl}$soname ${wl}+nodefaultrpath -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags'
+	            _LT_TAGVAR(archive_cmds, $1)='$CC -shared -nostdlib $pic_flag ${wl}+h ${wl}$soname ${wl}+nodefaultrpath -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags'
 	            ;;
 	          *)
-	            _LT_TAGVAR(archive_cmds, $1)='$CC -shared -nostdlib -fPIC ${wl}+h ${wl}$soname ${wl}+b ${wl}$install_libdir -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags'
+	            _LT_TAGVAR(archive_cmds, $1)='$CC -shared -nostdlib $pic_flag ${wl}+h ${wl}$soname ${wl}+b ${wl}$install_libdir -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags'
 	            ;;
 	        esac
 	      fi
@@ -5837,7 +6381,7 @@ if test "$_lt_caught_CXX_error" != yes; then
         case $cc_basename in
           CC*)
 	    # SGI C++
-	    _LT_TAGVAR(archive_cmds, $1)='$CC -shared -all -multigot $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags -soname $soname `test -n "$verstring" && $ECHO "X-set_version $verstring" | $Xsed` -update_registry ${output_objdir}/so_locations -o $lib'
+	    _LT_TAGVAR(archive_cmds, $1)='$CC -shared -all -multigot $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags -soname $soname `test -n "$verstring" && func_echo_all "-set_version $verstring"` -update_registry ${output_objdir}/so_locations -o $lib'
 
 	    # Archives containing C++ object files must be created using
 	    # "CC -ar", where "CC" is the IRIX C++ compiler.  This is
@@ -5848,9 +6392,9 @@ if test "$_lt_caught_CXX_error" != yes; then
           *)
 	    if test "$GXX" = yes; then
 	      if test "$with_gnu_ld" = no; then
-	        _LT_TAGVAR(archive_cmds, $1)='$CC -shared -nostdlib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname `test -n "$verstring" && $ECHO "X${wl}-set_version ${wl}$verstring" | $Xsed` ${wl}-update_registry ${wl}${output_objdir}/so_locations -o $lib'
+	        _LT_TAGVAR(archive_cmds, $1)='$CC -shared $pic_flag -nostdlib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname `test -n "$verstring" && func_echo_all "${wl}-set_version ${wl}$verstring"` ${wl}-update_registry ${wl}${output_objdir}/so_locations -o $lib'
 	      else
-	        _LT_TAGVAR(archive_cmds, $1)='$CC -shared -nostdlib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname `test -n "$verstring" && $ECHO "X${wl}-set_version ${wl}$verstring" | $Xsed` -o $lib'
+	        _LT_TAGVAR(archive_cmds, $1)='$CC -shared $pic_flag -nostdlib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname `test -n "$verstring" && func_echo_all "${wl}-set_version ${wl}$verstring"` -o $lib'
 	      fi
 	    fi
 	    _LT_TAGVAR(link_all_deplibs, $1)=yes
@@ -5879,7 +6423,7 @@ if test "$_lt_caught_CXX_error" != yes; then
 	    # explicitly linking system object files so we need to strip them
 	    # from the output so that they don't get included in the library
 	    # dependencies.
-	    output_verbose_link_cmd='templist=`$CC $CFLAGS -v conftest.$objext -o libconftest$shared_ext 2>&1 | $GREP "ld"`; rm -f libconftest$shared_ext; list=""; for z in $templist; do case $z in conftest.$objext) list="$list $z";; *.$objext);; *) list="$list $z";;esac; done; $ECHO "X$list" | $Xsed'
+	    output_verbose_link_cmd='templist=`$CC $CFLAGS -v conftest.$objext -o libconftest$shared_ext 2>&1 | $GREP "ld"`; rm -f libconftest$shared_ext; list=""; for z in $templist; do case $z in conftest.$objext) list="$list $z";; *.$objext);; *) list="$list $z";;esac; done; func_echo_all "$list"'
 
 	    _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath,$libdir'
 	    _LT_TAGVAR(export_dynamic_flag_spec, $1)='${wl}--export-dynamic'
@@ -5916,26 +6460,26 @@ if test "$_lt_caught_CXX_error" != yes; then
           pgCC* | pgcpp*)
             # Portland Group C++ compiler
 	    case `$CC -V` in
-	    *pgCC\ [[1-5]]* | *pgcpp\ [[1-5]]*)
+	    *pgCC\ [[1-5]].* | *pgcpp\ [[1-5]].*)
 	      _LT_TAGVAR(prelink_cmds, $1)='tpldir=Template.dir~
 		rm -rf $tpldir~
 		$CC --prelink_objects --instantiation_dir $tpldir $objs $libobjs $compile_deplibs~
-		compile_command="$compile_command `find $tpldir -name \*.o | $NL2SP`"'
+		compile_command="$compile_command `find $tpldir -name \*.o | sort | $NL2SP`"'
 	      _LT_TAGVAR(old_archive_cmds, $1)='tpldir=Template.dir~
 		rm -rf $tpldir~
 		$CC --prelink_objects --instantiation_dir $tpldir $oldobjs$old_deplibs~
-		$AR $AR_FLAGS $oldlib$oldobjs$old_deplibs `find $tpldir -name \*.o | $NL2SP`~
+		$AR $AR_FLAGS $oldlib$oldobjs$old_deplibs `find $tpldir -name \*.o | sort | $NL2SP`~
 		$RANLIB $oldlib'
 	      _LT_TAGVAR(archive_cmds, $1)='tpldir=Template.dir~
 		rm -rf $tpldir~
 		$CC --prelink_objects --instantiation_dir $tpldir $predep_objects $libobjs $deplibs $convenience $postdep_objects~
-		$CC -shared $pic_flag $predep_objects $libobjs $deplibs `find $tpldir -name \*.o | $NL2SP` $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname -o $lib'
+		$CC -shared $pic_flag $predep_objects $libobjs $deplibs `find $tpldir -name \*.o | sort | $NL2SP` $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname -o $lib'
 	      _LT_TAGVAR(archive_expsym_cmds, $1)='tpldir=Template.dir~
 		rm -rf $tpldir~
 		$CC --prelink_objects --instantiation_dir $tpldir $predep_objects $libobjs $deplibs $convenience $postdep_objects~
-		$CC -shared $pic_flag $predep_objects $libobjs $deplibs `find $tpldir -name \*.o | $NL2SP` $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname ${wl}-retain-symbols-file ${wl}$export_symbols -o $lib'
+		$CC -shared $pic_flag $predep_objects $libobjs $deplibs `find $tpldir -name \*.o | sort | $NL2SP` $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname ${wl}-retain-symbols-file ${wl}$export_symbols -o $lib'
 	      ;;
-	    *) # Version 6 will use weak symbols
+	    *) # Version 6 and above use weak symbols
 	      _LT_TAGVAR(archive_cmds, $1)='$CC -shared $pic_flag $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname -o $lib'
 	      _LT_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $pic_flag $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname ${wl}-retain-symbols-file ${wl}$export_symbols -o $lib'
 	      ;;
@@ -5943,7 +6487,7 @@ if test "$_lt_caught_CXX_error" != yes; then
 
 	    _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}--rpath ${wl}$libdir'
 	    _LT_TAGVAR(export_dynamic_flag_spec, $1)='${wl}--export-dynamic'
-	    _LT_TAGVAR(whole_archive_flag_spec, $1)='${wl}--whole-archive`for conv in $convenience\"\"; do test  -n \"$conv\" && new_convenience=\"$new_convenience,$conv\"; done; $ECHO \"$new_convenience\"` ${wl}--no-whole-archive'
+	    _LT_TAGVAR(whole_archive_flag_spec, $1)='${wl}--whole-archive`for conv in $convenience\"\"; do test  -n \"$conv\" && new_convenience=\"$new_convenience,$conv\"; done; func_echo_all \"$new_convenience\"` ${wl}--no-whole-archive'
             ;;
 	  cxx*)
 	    # Compaq C++
@@ -5962,9 +6506,9 @@ if test "$_lt_caught_CXX_error" != yes; then
 	    # explicitly linking system object files so we need to strip them
 	    # from the output so that they don't get included in the library
 	    # dependencies.
-	    output_verbose_link_cmd='templist=`$CC -shared $CFLAGS -v conftest.$objext 2>&1 | $GREP "ld"`; templist=`$ECHO "X$templist" | $Xsed -e "s/\(^.*ld.*\)\( .*ld .*$\)/\1/"`; list=""; for z in $templist; do case $z in conftest.$objext) list="$list $z";; *.$objext);; *) list="$list $z";;esac; done; $ECHO "X$list" | $Xsed'
+	    output_verbose_link_cmd='templist=`$CC -shared $CFLAGS -v conftest.$objext 2>&1 | $GREP "ld"`; templist=`func_echo_all "$templist" | $SED "s/\(^.*ld.*\)\( .*ld .*$\)/\1/"`; list=""; for z in $templist; do case $z in conftest.$objext) list="$list $z";; *.$objext);; *) list="$list $z";;esac; done; func_echo_all "X$list" | $Xsed'
 	    ;;
-	  xl*)
+	  xl* | mpixl* | bgxl*)
 	    # IBM XL 8.0 on PPC, with GNU ld
 	    _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath ${wl}$libdir'
 	    _LT_TAGVAR(export_dynamic_flag_spec, $1)='${wl}--export-dynamic'
@@ -5984,13 +6528,13 @@ if test "$_lt_caught_CXX_error" != yes; then
 	      _LT_TAGVAR(archive_cmds, $1)='$CC -G${allow_undefined_flag} -h$soname -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags'
 	      _LT_TAGVAR(archive_expsym_cmds, $1)='$CC -G${allow_undefined_flag} -h$soname -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-retain-symbols-file ${wl}$export_symbols'
 	      _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='-R$libdir'
-	      _LT_TAGVAR(whole_archive_flag_spec, $1)='${wl}--whole-archive`new_convenience=; for conv in $convenience\"\"; do test -z \"$conv\" || new_convenience=\"$new_convenience,$conv\"; done; $ECHO \"$new_convenience\"` ${wl}--no-whole-archive'
+	      _LT_TAGVAR(whole_archive_flag_spec, $1)='${wl}--whole-archive`new_convenience=; for conv in $convenience\"\"; do test -z \"$conv\" || new_convenience=\"$new_convenience,$conv\"; done; func_echo_all \"$new_convenience\"` ${wl}--no-whole-archive'
 	      _LT_TAGVAR(compiler_needs_object, $1)=yes
 
 	      # Not sure whether something based on
 	      # $CC $CFLAGS -v conftest.$objext -o libconftest$shared_ext 2>&1
 	      # would be better.
-	      output_verbose_link_cmd='echo'
+	      output_verbose_link_cmd='func_echo_all'
 
 	      # Archives containing C++ object files must be created using
 	      # "CC -xar", where "CC" is the Sun C++ compiler.  This is
@@ -6059,7 +6603,7 @@ if test "$_lt_caught_CXX_error" != yes; then
 	    _LT_TAGVAR(export_dynamic_flag_spec, $1)='${wl}-E'
 	    _LT_TAGVAR(whole_archive_flag_spec, $1)="$wlarc"'--whole-archive$convenience '"$wlarc"'--no-whole-archive'
 	  fi
-	  output_verbose_link_cmd=echo
+	  output_verbose_link_cmd=func_echo_all
 	else
 	  _LT_TAGVAR(ld_shlibs, $1)=no
 	fi
@@ -6094,15 +6638,15 @@ if test "$_lt_caught_CXX_error" != yes; then
 	    case $host in
 	      osf3*)
 	        _LT_TAGVAR(allow_undefined_flag, $1)=' ${wl}-expect_unresolved ${wl}\*'
-	        _LT_TAGVAR(archive_cmds, $1)='$CC -shared${allow_undefined_flag} $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname $soname `test -n "$verstring" && $ECHO "X${wl}-set_version $verstring" | $Xsed` -update_registry ${output_objdir}/so_locations -o $lib'
+	        _LT_TAGVAR(archive_cmds, $1)='$CC -shared${allow_undefined_flag} $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname $soname `test -n "$verstring" && func_echo_all "${wl}-set_version $verstring"` -update_registry ${output_objdir}/so_locations -o $lib'
 	        _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath ${wl}$libdir'
 		;;
 	      *)
 	        _LT_TAGVAR(allow_undefined_flag, $1)=' -expect_unresolved \*'
-	        _LT_TAGVAR(archive_cmds, $1)='$CC -shared${allow_undefined_flag} $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags -msym -soname $soname `test -n "$verstring" && $ECHO "X-set_version $verstring" | $Xsed` -update_registry ${output_objdir}/so_locations -o $lib'
+	        _LT_TAGVAR(archive_cmds, $1)='$CC -shared${allow_undefined_flag} $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags -msym -soname $soname `test -n "$verstring" && func_echo_all "-set_version $verstring"` -update_registry ${output_objdir}/so_locations -o $lib'
 	        _LT_TAGVAR(archive_expsym_cmds, $1)='for i in `cat $export_symbols`; do printf "%s %s\\n" -exported_symbol "\$i" >> $lib.exp; done~
 	          echo "-hidden">> $lib.exp~
-	          $CC -shared$allow_undefined_flag $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags -msym -soname $soname ${wl}-input ${wl}$lib.exp  `test -n "$verstring" && $ECHO "X-set_version $verstring" | $Xsed` -update_registry ${output_objdir}/so_locations -o $lib~
+	          $CC -shared$allow_undefined_flag $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags -msym -soname $soname ${wl}-input ${wl}$lib.exp  `test -n "$verstring" && $ECHO "-set_version $verstring"` -update_registry ${output_objdir}/so_locations -o $lib~
 	          $RM $lib.exp'
 	        _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='-rpath $libdir'
 		;;
@@ -6118,17 +6662,17 @@ if test "$_lt_caught_CXX_error" != yes; then
 	    # explicitly linking system object files so we need to strip them
 	    # from the output so that they don't get included in the library
 	    # dependencies.
-	    output_verbose_link_cmd='templist=`$CC -shared $CFLAGS -v conftest.$objext 2>&1 | $GREP "ld" | $GREP -v "ld:"`; templist=`$ECHO "X$templist" | $Xsed -e "s/\(^.*ld.*\)\( .*ld.*$\)/\1/"`; list=""; for z in $templist; do case $z in conftest.$objext) list="$list $z";; *.$objext);; *) list="$list $z";;esac; done; $ECHO "X$list" | $Xsed'
+	    output_verbose_link_cmd='templist=`$CC -shared $CFLAGS -v conftest.$objext 2>&1 | $GREP "ld" | $GREP -v "ld:"`; templist=`func_echo_all "$templist" | $SED "s/\(^.*ld.*\)\( .*ld.*$\)/\1/"`; list=""; for z in $templist; do case $z in conftest.$objext) list="$list $z";; *.$objext);; *) list="$list $z";;esac; done; func_echo_all "$list"'
 	    ;;
 	  *)
 	    if test "$GXX" = yes && test "$with_gnu_ld" = no; then
 	      _LT_TAGVAR(allow_undefined_flag, $1)=' ${wl}-expect_unresolved ${wl}\*'
 	      case $host in
 	        osf3*)
-	          _LT_TAGVAR(archive_cmds, $1)='$CC -shared -nostdlib ${allow_undefined_flag} $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname `test -n "$verstring" && $ECHO "X${wl}-set_version ${wl}$verstring" | $Xsed` ${wl}-update_registry ${wl}${output_objdir}/so_locations -o $lib'
+	          _LT_TAGVAR(archive_cmds, $1)='$CC -shared -nostdlib ${allow_undefined_flag} $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname `test -n "$verstring" && func_echo_all "${wl}-set_version ${wl}$verstring"` ${wl}-update_registry ${wl}${output_objdir}/so_locations -o $lib'
 		  ;;
 	        *)
-	          _LT_TAGVAR(archive_cmds, $1)='$CC -shared -nostdlib ${allow_undefined_flag} $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-msym ${wl}-soname ${wl}$soname `test -n "$verstring" && $ECHO "${wl}-set_version ${wl}$verstring" | $Xsed` ${wl}-update_registry ${wl}${output_objdir}/so_locations -o $lib'
+	          _LT_TAGVAR(archive_cmds, $1)='$CC -shared $pic_flag -nostdlib ${allow_undefined_flag} $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-msym ${wl}-soname ${wl}$soname `test -n "$verstring" && func_echo_all "${wl}-set_version ${wl}$verstring"` ${wl}-update_registry ${wl}${output_objdir}/so_locations -o $lib'
 		  ;;
 	      esac
 
@@ -6138,7 +6682,7 @@ if test "$_lt_caught_CXX_error" != yes; then
 	      # Commands to make compiler produce verbose output that lists
 	      # what "hidden" libraries, object files and flags are used when
 	      # linking a shared library.
-	      output_verbose_link_cmd='$CC -shared $CFLAGS -v conftest.$objext 2>&1 | $GREP "\-L"'
+	      output_verbose_link_cmd='$CC -shared $CFLAGS -v conftest.$objext 2>&1 | $GREP -v "^Configured with:" | $GREP "\-L"'
 
 	    else
 	      # FIXME: insert proper C++ library support
@@ -6174,7 +6718,7 @@ if test "$_lt_caught_CXX_error" != yes; then
 
       solaris*)
         case $cc_basename in
-          CC*)
+          CC* | sunCC*)
 	    # Sun C++ 4.2, 5.x and Centerline C++
             _LT_TAGVAR(archive_cmds_need_lc,$1)=yes
 	    _LT_TAGVAR(no_undefined_flag, $1)=' -zdefs'
@@ -6195,7 +6739,7 @@ if test "$_lt_caught_CXX_error" != yes; then
 	    esac
 	    _LT_TAGVAR(link_all_deplibs, $1)=yes
 
-	    output_verbose_link_cmd='echo'
+	    output_verbose_link_cmd='func_echo_all'
 
 	    # Archives containing C++ object files must be created using
 	    # "CC -xar", where "CC" is the Sun C++ compiler.  This is
@@ -6215,14 +6759,14 @@ if test "$_lt_caught_CXX_error" != yes; then
 	    if test "$GXX" = yes && test "$with_gnu_ld" = no; then
 	      _LT_TAGVAR(no_undefined_flag, $1)=' ${wl}-z ${wl}defs'
 	      if $CC --version | $GREP -v '^2\.7' > /dev/null; then
-	        _LT_TAGVAR(archive_cmds, $1)='$CC -shared -nostdlib $LDFLAGS $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-h $wl$soname -o $lib'
+	        _LT_TAGVAR(archive_cmds, $1)='$CC -shared $pic_flag -nostdlib $LDFLAGS $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-h $wl$soname -o $lib'
 	        _LT_TAGVAR(archive_expsym_cmds, $1)='echo "{ global:" > $lib.exp~cat $export_symbols | $SED -e "s/\(.*\)/\1;/" >> $lib.exp~echo "local: *; };" >> $lib.exp~
-		  $CC -shared -nostdlib ${wl}-M $wl$lib.exp -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags~$RM $lib.exp'
+		  $CC -shared $pic_flag -nostdlib ${wl}-M $wl$lib.exp -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags~$RM $lib.exp'
 
 	        # Commands to make compiler produce verbose output that lists
 	        # what "hidden" libraries, object files and flags are used when
 	        # linking a shared library.
-	        output_verbose_link_cmd='$CC -shared $CFLAGS -v conftest.$objext 2>&1 | $GREP "\-L"'
+	        output_verbose_link_cmd='$CC -shared $CFLAGS -v conftest.$objext 2>&1 | $GREP -v "^Configured with:" | $GREP "\-L"'
 	      else
 	        # g++ 2.7 appears to require `-G' NOT `-shared' on this
 	        # platform.
@@ -6233,7 +6777,7 @@ if test "$_lt_caught_CXX_error" != yes; then
 	        # Commands to make compiler produce verbose output that lists
 	        # what "hidden" libraries, object files and flags are used when
 	        # linking a shared library.
-	        output_verbose_link_cmd='$CC -G $CFLAGS -v conftest.$objext 2>&1 | $GREP "\-L"'
+	        output_verbose_link_cmd='$CC -G $CFLAGS -v conftest.$objext 2>&1 | $GREP -v "^Configured with:" | $GREP "\-L"'
 	      fi
 
 	      _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-R $wl$libdir'
@@ -6287,6 +6831,10 @@ if test "$_lt_caught_CXX_error" != yes; then
           CC*)
 	    _LT_TAGVAR(archive_cmds, $1)='$CC -G ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags'
 	    _LT_TAGVAR(archive_expsym_cmds, $1)='$CC -G ${wl}-Bexport:$export_symbols ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags'
+	    _LT_TAGVAR(old_archive_cmds, $1)='$CC -Tprelink_objects $oldobjs~
+	      '"$_LT_TAGVAR(old_archive_cmds, $1)"
+	    _LT_TAGVAR(reload_cmds, $1)='$CC -Tprelink_objects $reload_objs~
+	      '"$_LT_TAGVAR(reload_cmds, $1)"
 	    ;;
 	  *)
 	    _LT_TAGVAR(archive_cmds, $1)='$CC -shared ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags'
@@ -6342,6 +6890,7 @@ if test "$_lt_caught_CXX_error" != yes; then
   fi # test -n "$compiler"
 
   CC=$lt_save_CC
+  CFLAGS=$lt_save_CFLAGS
   LDCXX=$LD
   LD=$lt_save_LD
   GCC=$lt_save_GCC
@@ -6356,6 +6905,29 @@ AC_LANG_POP
 ])# _LT_LANG_CXX_CONFIG
 
 
+# _LT_FUNC_STRIPNAME_CNF
+# ----------------------
+# func_stripname_cnf prefix suffix name
+# strip PREFIX and SUFFIX off of NAME.
+# PREFIX and SUFFIX must not contain globbing or regex special
+# characters, hashes, percent signs, but SUFFIX may contain a leading
+# dot (in which case that matches only a dot).
+#
+# This function is identical to the (non-XSI) version of func_stripname,
+# except this one can be used by m4 code that may be executed by configure,
+# rather than the libtool script.
+m4_defun([_LT_FUNC_STRIPNAME_CNF],[dnl
+AC_REQUIRE([_LT_DECL_SED])
+AC_REQUIRE([_LT_PROG_ECHO_BACKSLASH])
+func_stripname_cnf ()
+{
+  case ${2} in
+  .*) func_stripname_result=`$ECHO "${3}" | $SED "s%^${1}%%; s%\\\\${2}\$%%"`;;
+  *)  func_stripname_result=`$ECHO "${3}" | $SED "s%^${1}%%; s%${2}\$%%"`;;
+  esac
+} # func_stripname_cnf
+])# _LT_FUNC_STRIPNAME_CNF
+
 # _LT_SYS_HIDDEN_LIBDEPS([TAGNAME])
 # ---------------------------------
 # Figure out "hidden" library dependencies from verbose
@@ -6364,6 +6936,7 @@ AC_LANG_POP
 # objects, libraries and library flags.
 m4_defun([_LT_SYS_HIDDEN_LIBDEPS],
 [m4_require([_LT_FILEUTILS_DEFAULTS])dnl
+AC_REQUIRE([_LT_FUNC_STRIPNAME_CNF])dnl
 # Dependencies to place before and after the object being linked:
 _LT_TAGVAR(predep_objects, $1)=
 _LT_TAGVAR(postdep_objects, $1)=
@@ -6413,7 +6986,20 @@ public class foo {
   }
 };
 _LT_EOF
+], [$1], [GO], [cat > conftest.$ac_ext <<_LT_EOF
+package foo
+func foo() {
+}
+_LT_EOF
 ])
+
+_lt_libdeps_save_CFLAGS=$CFLAGS
+case "$CC $CFLAGS " in #(
+*\ -flto*\ *) CFLAGS="$CFLAGS -fno-lto" ;;
+*\ -fwhopr*\ *) CFLAGS="$CFLAGS -fno-whopr" ;;
+*\ -fuse-linker-plugin*\ *) CFLAGS="$CFLAGS -fno-use-linker-plugin" ;;
+esac
+
 dnl Parse the compiler output and extract the necessary
 dnl objects, libraries and library flags.
 if AC_TRY_EVAL(ac_compile); then
@@ -6425,7 +7011,7 @@ if AC_TRY_EVAL(ac_compile); then
   pre_test_object_deps_done=no
 
   for p in `eval "$output_verbose_link_cmd"`; do
-    case $p in
+    case ${prev}${p} in
 
     -L* | -R* | -l*)
        # Some compilers place space between "-{L,R}" and the path.
@@ -6434,13 +7020,22 @@ if AC_TRY_EVAL(ac_compile); then
           test $p = "-R"; then
 	 prev=$p
 	 continue
-       else
-	 prev=
        fi
 
+       # Expand the sysroot to ease extracting the directories later.
+       if test -z "$prev"; then
+         case $p in
+         -L*) func_stripname_cnf '-L' '' "$p"; prev=-L; p=$func_stripname_result ;;
+         -R*) func_stripname_cnf '-R' '' "$p"; prev=-R; p=$func_stripname_result ;;
+         -l*) func_stripname_cnf '-l' '' "$p"; prev=-l; p=$func_stripname_result ;;
+         esac
+       fi
+       case $p in
+       =*) func_stripname_cnf '=' '' "$p"; p=$lt_sysroot$func_stripname_result ;;
+       esac
        if test "$pre_test_object_deps_done" = no; then
-	 case $p in
-	 -L* | -R*)
+	 case ${prev} in
+	 -L | -R)
 	   # Internal compiler library paths should come after those
 	   # provided the user.  The postdeps already come after the
 	   # user supplied libs so there is no need to process them.
@@ -6460,8 +7055,10 @@ if AC_TRY_EVAL(ac_compile); then
 	   _LT_TAGVAR(postdeps, $1)="${_LT_TAGVAR(postdeps, $1)} ${prev}${p}"
 	 fi
        fi
+       prev=
        ;;
 
+    *.lto.$objext) ;; # Ignore GCC LTO objects
     *.$objext)
        # This assumes that the test object file only shows up
        # once in the compiler output.
@@ -6497,6 +7094,7 @@ else
 fi
 
 $RM -f confest.$objext
+CFLAGS=$_lt_libdeps_save_CFLAGS
 
 # PORTME: override above test on systems where it is broken
 m4_if([$1], [CXX],
@@ -6533,7 +7131,7 @@ linux*)
 
 solaris*)
   case $cc_basename in
-  CC*)
+  CC* | sunCC*)
     # The more standards-conforming stlport4 library is
     # incompatible with the Cstd library. Avoid specifying
     # it if it's in CXXFLAGS. Ignore libCrun as
@@ -6577,32 +7175,16 @@ _LT_TAGDECL([], [compiler_lib_search_path], [1],
 ])# _LT_SYS_HIDDEN_LIBDEPS
 
 
-# _LT_PROG_F77
-# ------------
-# Since AC_PROG_F77 is broken, in that it returns the empty string
-# if there is no fortran compiler, we have our own version here.
-m4_defun([_LT_PROG_F77],
-[
-pushdef([AC_MSG_ERROR], [_lt_disable_F77=yes])
-AC_PROG_F77
-if test -z "$F77" || test "X$F77" = "Xno"; then
-  _lt_disable_F77=yes
-fi
-popdef([AC_MSG_ERROR])
-])# _LT_PROG_F77
-
-dnl aclocal-1.4 backwards compatibility:
-dnl AC_DEFUN([_LT_PROG_F77], [])
-
-
 # _LT_LANG_F77_CONFIG([TAG])
 # --------------------------
 # Ensure that the configuration variables for a Fortran 77 compiler are
 # suitably defined.  These variables are subsequently used by _LT_CONFIG
 # to write the compiler configuration to `libtool'.
 m4_defun([_LT_LANG_F77_CONFIG],
-[AC_REQUIRE([_LT_PROG_F77])dnl
-AC_LANG_PUSH(Fortran 77)
+[AC_LANG_PUSH(Fortran 77)
+if test -z "$F77" || test "X$F77" = "Xno"; then
+  _lt_disable_F77=yes
+fi
 
 _LT_TAGVAR(archive_cmds_need_lc, $1)=no
 _LT_TAGVAR(allow_undefined_flag, $1)=
@@ -6612,7 +7194,6 @@ _LT_TAGVAR(export_dynamic_flag_spec, $1)=
 _LT_TAGVAR(hardcode_direct, $1)=no
 _LT_TAGVAR(hardcode_direct_absolute, $1)=no
 _LT_TAGVAR(hardcode_libdir_flag_spec, $1)=
-_LT_TAGVAR(hardcode_libdir_flag_spec_ld, $1)=
 _LT_TAGVAR(hardcode_libdir_separator, $1)=
 _LT_TAGVAR(hardcode_minus_L, $1)=no
 _LT_TAGVAR(hardcode_automatic, $1)=no
@@ -6621,6 +7202,8 @@ _LT_TAGVAR(module_cmds, $1)=
 _LT_TAGVAR(module_expsym_cmds, $1)=
 _LT_TAGVAR(link_all_deplibs, $1)=unknown
 _LT_TAGVAR(old_archive_cmds, $1)=$old_archive_cmds
+_LT_TAGVAR(reload_flag, $1)=$reload_flag
+_LT_TAGVAR(reload_cmds, $1)=$reload_cmds
 _LT_TAGVAR(no_undefined_flag, $1)=
 _LT_TAGVAR(whole_archive_flag_spec, $1)=
 _LT_TAGVAR(enable_shared_with_static_runtimes, $1)=no
@@ -6660,7 +7243,9 @@ if test "$_lt_disable_F77" != yes; then
   # Allow CC to be a program name with arguments.
   lt_save_CC="$CC"
   lt_save_GCC=$GCC
+  lt_save_CFLAGS=$CFLAGS
   CC=${F77-"f77"}
+  CFLAGS=$FFLAGS
   compiler=$CC
   _LT_TAGVAR(compiler, $1)=$CC
   _LT_CC_BASENAME([$compiler])
@@ -6714,38 +7299,24 @@ if test "$_lt_disable_F77" != yes; then
 
   GCC=$lt_save_GCC
   CC="$lt_save_CC"
+  CFLAGS="$lt_save_CFLAGS"
 fi # test "$_lt_disable_F77" != yes
 
 AC_LANG_POP
 ])# _LT_LANG_F77_CONFIG
 
 
-# _LT_PROG_FC
-# -----------
-# Since AC_PROG_FC is broken, in that it returns the empty string
-# if there is no fortran compiler, we have our own version here.
-m4_defun([_LT_PROG_FC],
-[
-pushdef([AC_MSG_ERROR], [_lt_disable_FC=yes])
-AC_PROG_FC
-if test -z "$FC" || test "X$FC" = "Xno"; then
-  _lt_disable_FC=yes
-fi
-popdef([AC_MSG_ERROR])
-])# _LT_PROG_FC
-
-dnl aclocal-1.4 backwards compatibility:
-dnl AC_DEFUN([_LT_PROG_FC], [])
-
-
 # _LT_LANG_FC_CONFIG([TAG])
 # -------------------------
 # Ensure that the configuration variables for a Fortran compiler are
 # suitably defined.  These variables are subsequently used by _LT_CONFIG
 # to write the compiler configuration to `libtool'.
 m4_defun([_LT_LANG_FC_CONFIG],
-[AC_REQUIRE([_LT_PROG_FC])dnl
-AC_LANG_PUSH(Fortran)
+[AC_LANG_PUSH(Fortran)
+
+if test -z "$FC" || test "X$FC" = "Xno"; then
+  _lt_disable_FC=yes
+fi
 
 _LT_TAGVAR(archive_cmds_need_lc, $1)=no
 _LT_TAGVAR(allow_undefined_flag, $1)=
@@ -6755,7 +7326,6 @@ _LT_TAGVAR(export_dynamic_flag_spec, $1)=
 _LT_TAGVAR(hardcode_direct, $1)=no
 _LT_TAGVAR(hardcode_direct_absolute, $1)=no
 _LT_TAGVAR(hardcode_libdir_flag_spec, $1)=
-_LT_TAGVAR(hardcode_libdir_flag_spec_ld, $1)=
 _LT_TAGVAR(hardcode_libdir_separator, $1)=
 _LT_TAGVAR(hardcode_minus_L, $1)=no
 _LT_TAGVAR(hardcode_automatic, $1)=no
@@ -6764,6 +7334,8 @@ _LT_TAGVAR(module_cmds, $1)=
 _LT_TAGVAR(module_expsym_cmds, $1)=
 _LT_TAGVAR(link_all_deplibs, $1)=unknown
 _LT_TAGVAR(old_archive_cmds, $1)=$old_archive_cmds
+_LT_TAGVAR(reload_flag, $1)=$reload_flag
+_LT_TAGVAR(reload_cmds, $1)=$reload_cmds
 _LT_TAGVAR(no_undefined_flag, $1)=
 _LT_TAGVAR(whole_archive_flag_spec, $1)=
 _LT_TAGVAR(enable_shared_with_static_runtimes, $1)=no
@@ -6803,7 +7375,9 @@ if test "$_lt_disable_FC" != yes; then
   # Allow CC to be a program name with arguments.
   lt_save_CC="$CC"
   lt_save_GCC=$GCC
+  lt_save_CFLAGS=$CFLAGS
   CC=${FC-"f95"}
+  CFLAGS=$FCFLAGS
   compiler=$CC
   GCC=$ac_cv_fc_compiler_gnu
 
@@ -6859,7 +7433,8 @@ if test "$_lt_disable_FC" != yes; then
   fi # test -n "$compiler"
 
   GCC=$lt_save_GCC
-  CC="$lt_save_CC"
+  CC=$lt_save_CC
+  CFLAGS=$lt_save_CFLAGS
 fi # test "$_lt_disable_FC" != yes
 
 AC_LANG_POP
@@ -6896,10 +7471,12 @@ _LT_COMPILER_BOILERPLATE
 _LT_LINKER_BOILERPLATE
 
 # Allow CC to be a program name with arguments.
-lt_save_CC="$CC"
+lt_save_CC=$CC
+lt_save_CFLAGS=$CFLAGS
 lt_save_GCC=$GCC
 GCC=yes
 CC=${GCJ-"gcj"}
+CFLAGS=$GCJFLAGS
 compiler=$CC
 _LT_TAGVAR(compiler, $1)=$CC
 _LT_TAGVAR(LD, $1)="$LD"
@@ -6909,6 +7486,8 @@ _LT_CC_BASENAME([$compiler])
 _LT_TAGVAR(archive_cmds_need_lc, $1)=no
 
 _LT_TAGVAR(old_archive_cmds, $1)=$old_archive_cmds
+_LT_TAGVAR(reload_flag, $1)=$reload_flag
+_LT_TAGVAR(reload_cmds, $1)=$reload_cmds
 
 ## CAVEAT EMPTOR:
 ## There is no encapsulation within the following macros, do not change
@@ -6928,10 +7507,82 @@ fi
 AC_LANG_RESTORE
 
 GCC=$lt_save_GCC
-CC="$lt_save_CC"
+CC=$lt_save_CC
+CFLAGS=$lt_save_CFLAGS
 ])# _LT_LANG_GCJ_CONFIG
 
 
+# _LT_LANG_GO_CONFIG([TAG])
+# --------------------------
+# Ensure that the configuration variables for the GNU Go compiler
+# are suitably defined.  These variables are subsequently used by _LT_CONFIG
+# to write the compiler configuration to `libtool'.
+m4_defun([_LT_LANG_GO_CONFIG],
+[AC_REQUIRE([LT_PROG_GO])dnl
+AC_LANG_SAVE
+
+# Source file extension for Go test sources.
+ac_ext=go
+
+# Object file extension for compiled Go test sources.
+objext=o
+_LT_TAGVAR(objext, $1)=$objext
+
+# Code to be used in simple compile tests
+lt_simple_compile_test_code="package main; func main() { }"
+
+# Code to be used in simple link tests
+lt_simple_link_test_code='package main; func main() { }'
+
+# ltmain only uses $CC for tagged configurations so make sure $CC is set.
+_LT_TAG_COMPILER
+
+# save warnings/boilerplate of simple test code
+_LT_COMPILER_BOILERPLATE
+_LT_LINKER_BOILERPLATE
+
+# Allow CC to be a program name with arguments.
+lt_save_CC=$CC
+lt_save_CFLAGS=$CFLAGS
+lt_save_GCC=$GCC
+GCC=yes
+CC=${GOC-"gccgo"}
+CFLAGS=$GOFLAGS
+compiler=$CC
+_LT_TAGVAR(compiler, $1)=$CC
+_LT_TAGVAR(LD, $1)="$LD"
+_LT_CC_BASENAME([$compiler])
+
+# Go did not exist at the time GCC didn't implicitly link libc in.
+_LT_TAGVAR(archive_cmds_need_lc, $1)=no
+
+_LT_TAGVAR(old_archive_cmds, $1)=$old_archive_cmds
+_LT_TAGVAR(reload_flag, $1)=$reload_flag
+_LT_TAGVAR(reload_cmds, $1)=$reload_cmds
+
+## CAVEAT EMPTOR:
+## There is no encapsulation within the following macros, do not change
+## the running order or otherwise move them around unless you know exactly
+## what you are doing...
+if test -n "$compiler"; then
+  _LT_COMPILER_NO_RTTI($1)
+  _LT_COMPILER_PIC($1)
+  _LT_COMPILER_C_O($1)
+  _LT_COMPILER_FILE_LOCKS($1)
+  _LT_LINKER_SHLIBS($1)
+  _LT_LINKER_HARDCODE_LIBPATH($1)
+
+  _LT_CONFIG($1)
+fi
+
+AC_LANG_RESTORE
+
+GCC=$lt_save_GCC
+CC=$lt_save_CC
+CFLAGS=$lt_save_CFLAGS
+])# _LT_LANG_GO_CONFIG
+
+
 # _LT_LANG_RC_CONFIG([TAG])
 # -------------------------
 # Ensure that the configuration variables for the Windows resource compiler
@@ -6963,9 +7614,11 @@ _LT_LINKER_BOILERPLATE
 
 # Allow CC to be a program name with arguments.
 lt_save_CC="$CC"
+lt_save_CFLAGS=$CFLAGS
 lt_save_GCC=$GCC
 GCC=
 CC=${RC-"windres"}
+CFLAGS=
 compiler=$CC
 _LT_TAGVAR(compiler, $1)=$CC
 _LT_CC_BASENAME([$compiler])
@@ -6978,7 +7631,8 @@ fi
 
 GCC=$lt_save_GCC
 AC_LANG_RESTORE
-CC="$lt_save_CC"
+CC=$lt_save_CC
+CFLAGS=$lt_save_CFLAGS
 ])# _LT_LANG_RC_CONFIG
 
 
@@ -6998,6 +7652,13 @@ dnl aclocal-1.4 backwards compatibility:
 dnl AC_DEFUN([LT_AC_PROG_GCJ], [])
 
 
+# LT_PROG_GO
+# ----------
+AC_DEFUN([LT_PROG_GO],
+[AC_CHECK_TOOL(GOC, gccgo,)
+])
+
+
 # LT_PROG_RC
 # ----------
 AC_DEFUN([LT_PROG_RC],
@@ -7037,6 +7698,15 @@ _LT_DECL([], [OBJDUMP], [1], [An object symbol dumper])
 AC_SUBST([OBJDUMP])
 ])
 
+# _LT_DECL_DLLTOOL
+# ----------------
+# Ensure DLLTOOL variable is set.
+m4_defun([_LT_DECL_DLLTOOL],
+[AC_CHECK_TOOL(DLLTOOL, dlltool, false)
+test -z "$DLLTOOL" && DLLTOOL=dlltool
+_LT_DECL([], [DLLTOOL], [1], [DLL creation program])
+AC_SUBST([DLLTOOL])
+])
 
 # _LT_DECL_SED
 # ------------
@@ -7130,8 +7800,8 @@ m4_defun([_LT_CHECK_SHELL_FEATURES],
 # Try some XSI features
 xsi_shell=no
 ( _lt_dummy="a/b/c"
-  test "${_lt_dummy##*/},${_lt_dummy%/*},"${_lt_dummy%"$_lt_dummy"}, \
-      = c,a/b,, \
+  test "${_lt_dummy##*/},${_lt_dummy%/*},${_lt_dummy#??}"${_lt_dummy%"$_lt_dummy"}, \
+      = c,a/b,b/c, \
     && eval 'test $(( 1 + 1 )) -eq 2 \
     && test "${#_lt_dummy}" -eq 5' ) >/dev/null 2>&1 \
   && xsi_shell=yes
@@ -7170,208 +7840,162 @@ _LT_DECL([NL2SP], [lt_NL2SP], [1], [turn newlines into spaces])dnl
 ])# _LT_CHECK_SHELL_FEATURES
 
 
-# _LT_PROG_XSI_SHELLFNS
-# ---------------------
-# Bourne and XSI compatible variants of some useful shell functions.
-m4_defun([_LT_PROG_XSI_SHELLFNS],
-[case $xsi_shell in
-  yes)
-    cat << \_LT_EOF >> "$cfgfile"
-
-# func_dirname file append nondir_replacement
-# Compute the dirname of FILE.  If nonempty, add APPEND to the result,
-# otherwise set result to NONDIR_REPLACEMENT.
-func_dirname ()
-{
-  case ${1} in
-    */*) func_dirname_result="${1%/*}${2}" ;;
-    *  ) func_dirname_result="${3}" ;;
-  esac
-}
-
-# func_basename file
-func_basename ()
-{
-  func_basename_result="${1##*/}"
-}
-
-# func_dirname_and_basename file append nondir_replacement
-# perform func_basename and func_dirname in a single function
-# call:
-#   dirname:  Compute the dirname of FILE.  If nonempty,
-#             add APPEND to the result, otherwise set result
-#             to NONDIR_REPLACEMENT.
-#             value returned in "$func_dirname_result"
-#   basename: Compute filename of FILE.
-#             value retuned in "$func_basename_result"
-# Implementation must be kept synchronized with func_dirname
-# and func_basename. For efficiency, we do not delegate to
-# those functions but instead duplicate the functionality here.
-func_dirname_and_basename ()
-{
-  case ${1} in
-    */*) func_dirname_result="${1%/*}${2}" ;;
-    *  ) func_dirname_result="${3}" ;;
-  esac
-  func_basename_result="${1##*/}"
-}
-
-# func_stripname prefix suffix name
-# strip PREFIX and SUFFIX off of NAME.
-# PREFIX and SUFFIX must not contain globbing or regex special
-# characters, hashes, percent signs, but SUFFIX may contain a leading
-# dot (in which case that matches only a dot).
-func_stripname ()
-{
-  # pdksh 5.2.14 does not do ${X%$Y} correctly if both X and Y are
-  # positional parameters, so assign one to ordinary parameter first.
-  func_stripname_result=${3}
-  func_stripname_result=${func_stripname_result#"${1}"}
-  func_stripname_result=${func_stripname_result%"${2}"}
-}
-
-# func_opt_split
-func_opt_split ()
-{
-  func_opt_split_opt=${1%%=*}
-  func_opt_split_arg=${1#*=}
-}
-
-# func_lo2o object
-func_lo2o ()
-{
-  case ${1} in
-    *.lo) func_lo2o_result=${1%.lo}.${objext} ;;
-    *)    func_lo2o_result=${1} ;;
-  esac
-}
-
-# func_xform libobj-or-source
-func_xform ()
-{
-  func_xform_result=${1%.*}.lo
-}
+# _LT_PROG_FUNCTION_REPLACE (FUNCNAME, REPLACEMENT-BODY)
+# ------------------------------------------------------
+# In `$cfgfile', look for function FUNCNAME delimited by `^FUNCNAME ()$' and
+# '^} FUNCNAME ', and replace its body with REPLACEMENT-BODY.
+m4_defun([_LT_PROG_FUNCTION_REPLACE],
+[dnl {
+sed -e '/^$1 ()$/,/^} # $1 /c\
+$1 ()\
+{\
+m4_bpatsubsts([$2], [$], [\\], [^\([	 ]\)], [\\\1])
+} # Extended-shell $1 implementation' "$cfgfile" > $cfgfile.tmp \
+  && mv -f "$cfgfile.tmp" "$cfgfile" \
+    || (rm -f "$cfgfile" && cp "$cfgfile.tmp" "$cfgfile" && rm -f "$cfgfile.tmp")
+test 0 -eq $? || _lt_function_replace_fail=:
+])
 
-# func_arith arithmetic-term...
-func_arith ()
-{
-  func_arith_result=$(( $[*] ))
-}
 
-# func_len string
-# STRING may not start with a hyphen.
-func_len ()
-{
-  func_len_result=${#1}
-}
+# _LT_PROG_REPLACE_SHELLFNS
+# -------------------------
+# Replace existing portable implementations of several shell functions with
+# equivalent extended shell implementations where those features are available..
+m4_defun([_LT_PROG_REPLACE_SHELLFNS],
+[if test x"$xsi_shell" = xyes; then
+  _LT_PROG_FUNCTION_REPLACE([func_dirname], [dnl
+    case ${1} in
+      */*) func_dirname_result="${1%/*}${2}" ;;
+      *  ) func_dirname_result="${3}" ;;
+    esac])
+
+  _LT_PROG_FUNCTION_REPLACE([func_basename], [dnl
+    func_basename_result="${1##*/}"])
+
+  _LT_PROG_FUNCTION_REPLACE([func_dirname_and_basename], [dnl
+    case ${1} in
+      */*) func_dirname_result="${1%/*}${2}" ;;
+      *  ) func_dirname_result="${3}" ;;
+    esac
+    func_basename_result="${1##*/}"])
 
-_LT_EOF
-    ;;
-  *) # Bourne compatible functions.
-    cat << \_LT_EOF >> "$cfgfile"
+  _LT_PROG_FUNCTION_REPLACE([func_stripname], [dnl
+    # pdksh 5.2.14 does not do ${X%$Y} correctly if both X and Y are
+    # positional parameters, so assign one to ordinary parameter first.
+    func_stripname_result=${3}
+    func_stripname_result=${func_stripname_result#"${1}"}
+    func_stripname_result=${func_stripname_result%"${2}"}])
 
-# func_dirname file append nondir_replacement
-# Compute the dirname of FILE.  If nonempty, add APPEND to the result,
-# otherwise set result to NONDIR_REPLACEMENT.
-func_dirname ()
-{
-  # Extract subdirectory from the argument.
-  func_dirname_result=`$ECHO "X${1}" | $Xsed -e "$dirname"`
-  if test "X$func_dirname_result" = "X${1}"; then
-    func_dirname_result="${3}"
-  else
-    func_dirname_result="$func_dirname_result${2}"
-  fi
-}
+  _LT_PROG_FUNCTION_REPLACE([func_split_long_opt], [dnl
+    func_split_long_opt_name=${1%%=*}
+    func_split_long_opt_arg=${1#*=}])
 
-# func_basename file
-func_basename ()
-{
-  func_basename_result=`$ECHO "X${1}" | $Xsed -e "$basename"`
-}
+  _LT_PROG_FUNCTION_REPLACE([func_split_short_opt], [dnl
+    func_split_short_opt_arg=${1#??}
+    func_split_short_opt_name=${1%"$func_split_short_opt_arg"}])
 
-dnl func_dirname_and_basename
-dnl A portable version of this function is already defined in general.m4sh
-dnl so there is no need for it here.
+  _LT_PROG_FUNCTION_REPLACE([func_lo2o], [dnl
+    case ${1} in
+      *.lo) func_lo2o_result=${1%.lo}.${objext} ;;
+      *)    func_lo2o_result=${1} ;;
+    esac])
 
-# func_stripname prefix suffix name
-# strip PREFIX and SUFFIX off of NAME.
-# PREFIX and SUFFIX must not contain globbing or regex special
-# characters, hashes, percent signs, but SUFFIX may contain a leading
-# dot (in which case that matches only a dot).
-# func_strip_suffix prefix name
-func_stripname ()
-{
-  case ${2} in
-    .*) func_stripname_result=`$ECHO "X${3}" \
-           | $Xsed -e "s%^${1}%%" -e "s%\\\\${2}\$%%"`;;
-    *)  func_stripname_result=`$ECHO "X${3}" \
-           | $Xsed -e "s%^${1}%%" -e "s%${2}\$%%"`;;
-  esac
-}
+  _LT_PROG_FUNCTION_REPLACE([func_xform], [    func_xform_result=${1%.*}.lo])
 
-# sed scripts:
-my_sed_long_opt='1s/^\(-[[^=]]*\)=.*/\1/;q'
-my_sed_long_arg='1s/^-[[^=]]*=//'
+  _LT_PROG_FUNCTION_REPLACE([func_arith], [    func_arith_result=$(( $[*] ))])
 
-# func_opt_split
-func_opt_split ()
-{
-  func_opt_split_opt=`$ECHO "X${1}" | $Xsed -e "$my_sed_long_opt"`
-  func_opt_split_arg=`$ECHO "X${1}" | $Xsed -e "$my_sed_long_arg"`
-}
-
-# func_lo2o object
-func_lo2o ()
-{
-  func_lo2o_result=`$ECHO "X${1}" | $Xsed -e "$lo2o"`
-}
-
-# func_xform libobj-or-source
-func_xform ()
-{
-  func_xform_result=`$ECHO "X${1}" | $Xsed -e 's/\.[[^.]]*$/.lo/'`
-}
+  _LT_PROG_FUNCTION_REPLACE([func_len], [    func_len_result=${#1}])
+fi
 
-# func_arith arithmetic-term...
-func_arith ()
-{
-  func_arith_result=`expr "$[@]"`
-}
+if test x"$lt_shell_append" = xyes; then
+  _LT_PROG_FUNCTION_REPLACE([func_append], [    eval "${1}+=\\${2}"])
 
-# func_len string
-# STRING may not start with a hyphen.
-func_len ()
-{
-  func_len_result=`expr "$[1]" : ".*" 2>/dev/null || echo $max_cmd_len`
-}
+  _LT_PROG_FUNCTION_REPLACE([func_append_quoted], [dnl
+    func_quote_for_eval "${2}"
+dnl m4 expansion turns \\\\ into \\, and then the shell eval turns that into \
+    eval "${1}+=\\\\ \\$func_quote_for_eval_result"])
 
-_LT_EOF
-esac
+  # Save a `func_append' function call where possible by direct use of '+='
+  sed -e 's%func_append \([[a-zA-Z_]]\{1,\}\) "%\1+="%g' $cfgfile > $cfgfile.tmp \
+    && mv -f "$cfgfile.tmp" "$cfgfile" \
+      || (rm -f "$cfgfile" && cp "$cfgfile.tmp" "$cfgfile" && rm -f "$cfgfile.tmp")
+  test 0 -eq $? || _lt_function_replace_fail=:
+else
+  # Save a `func_append' function call even when '+=' is not available
+  sed -e 's%func_append \([[a-zA-Z_]]\{1,\}\) "%\1="$\1%g' $cfgfile > $cfgfile.tmp \
+    && mv -f "$cfgfile.tmp" "$cfgfile" \
+      || (rm -f "$cfgfile" && cp "$cfgfile.tmp" "$cfgfile" && rm -f "$cfgfile.tmp")
+  test 0 -eq $? || _lt_function_replace_fail=:
+fi
 
-case $lt_shell_append in
-  yes)
-    cat << \_LT_EOF >> "$cfgfile"
+if test x"$_lt_function_replace_fail" = x":"; then
+  AC_MSG_WARN([Unable to substitute extended shell functions in $ofile])
+fi
+])
 
-# func_append var value
-# Append VALUE to the end of shell variable VAR.
-func_append ()
-{
-  eval "$[1]+=\$[2]"
-}
-_LT_EOF
+# _LT_PATH_CONVERSION_FUNCTIONS
+# -----------------------------
+# Determine which file name conversion functions should be used by
+# func_to_host_file (and, implicitly, by func_to_host_path).  These are needed
+# for certain cross-compile configurations and native mingw.
+m4_defun([_LT_PATH_CONVERSION_FUNCTIONS],
+[AC_REQUIRE([AC_CANONICAL_HOST])dnl
+AC_REQUIRE([AC_CANONICAL_BUILD])dnl
+AC_MSG_CHECKING([how to convert $build file names to $host format])
+AC_CACHE_VAL(lt_cv_to_host_file_cmd,
+[case $host in
+  *-*-mingw* )
+    case $build in
+      *-*-mingw* ) # actually msys
+        lt_cv_to_host_file_cmd=func_convert_file_msys_to_w32
+        ;;
+      *-*-cygwin* )
+        lt_cv_to_host_file_cmd=func_convert_file_cygwin_to_w32
+        ;;
+      * ) # otherwise, assume *nix
+        lt_cv_to_host_file_cmd=func_convert_file_nix_to_w32
+        ;;
+    esac
     ;;
-  *)
-    cat << \_LT_EOF >> "$cfgfile"
-
-# func_append var value
-# Append VALUE to the end of shell variable VAR.
-func_append ()
-{
-  eval "$[1]=\$$[1]\$[2]"
-}
-
-_LT_EOF
+  *-*-cygwin* )
+    case $build in
+      *-*-mingw* ) # actually msys
+        lt_cv_to_host_file_cmd=func_convert_file_msys_to_cygwin
+        ;;
+      *-*-cygwin* )
+        lt_cv_to_host_file_cmd=func_convert_file_noop
+        ;;
+      * ) # otherwise, assume *nix
+        lt_cv_to_host_file_cmd=func_convert_file_nix_to_cygwin
+        ;;
+    esac
     ;;
-  esac
+  * ) # unhandled hosts (and "normal" native builds)
+    lt_cv_to_host_file_cmd=func_convert_file_noop
+    ;;
+esac
+])
+to_host_file_cmd=$lt_cv_to_host_file_cmd
+AC_MSG_RESULT([$lt_cv_to_host_file_cmd])
+_LT_DECL([to_host_file_cmd], [lt_cv_to_host_file_cmd],
+         [0], [convert $build file names to $host format])dnl
+
+AC_MSG_CHECKING([how to convert $build file names to toolchain format])
+AC_CACHE_VAL(lt_cv_to_tool_file_cmd,
+[#assume ordinary cross tools, or native build.
+lt_cv_to_tool_file_cmd=func_convert_file_noop
+case $host in
+  *-*-mingw* )
+    case $build in
+      *-*-mingw* ) # actually msys
+        lt_cv_to_tool_file_cmd=func_convert_file_msys_to_w32
+        ;;
+    esac
+    ;;
+esac
 ])
+to_tool_file_cmd=$lt_cv_to_tool_file_cmd
+AC_MSG_RESULT([$lt_cv_to_tool_file_cmd])
+_LT_DECL([to_tool_file_cmd], [lt_cv_to_tool_file_cmd],
+         [0], [convert $build files to toolchain format])dnl
+])# _LT_PATH_CONVERSION_FUNCTIONS
diff --git a/m4/config/ltoptions.m4 b/m4/config/ltoptions.m4
index 34151a3ba..5d9acd8e2 100644
--- a/m4/config/ltoptions.m4
+++ b/m4/config/ltoptions.m4
@@ -1,13 +1,14 @@
 # Helper functions for option handling.                    -*- Autoconf -*-
 #
-#   Copyright (C) 2004, 2005, 2007, 2008 Free Software Foundation, Inc.
+#   Copyright (C) 2004, 2005, 2007, 2008, 2009 Free Software Foundation,
+#   Inc.
 #   Written by Gary V. Vaughan, 2004
 #
 # This file is free software; the Free Software Foundation gives
 # unlimited permission to copy and/or distribute it, with or without
 # modifications, as long as this notice is preserved.
 
-# serial 6 ltoptions.m4
+# serial 7 ltoptions.m4
 
 # This is to help aclocal find these macros, as it can't see m4_define.
 AC_DEFUN([LTOPTIONS_VERSION], [m4_if([1])])
@@ -125,7 +126,7 @@ LT_OPTION_DEFINE([LT_INIT], [win32-dll],
 [enable_win32_dll=yes
 
 case $host in
-*-*-cygwin* | *-*-mingw* | *-*-pw32* | *-cegcc*)
+*-*-cygwin* | *-*-mingw* | *-*-pw32* | *-*-cegcc*)
   AC_CHECK_TOOL(AS, as, false)
   AC_CHECK_TOOL(DLLTOOL, dlltool, false)
   AC_CHECK_TOOL(OBJDUMP, objdump, false)
@@ -133,13 +134,13 @@ case $host in
 esac
 
 test -z "$AS" && AS=as
-_LT_DECL([], [AS],      [0], [Assembler program])dnl
+_LT_DECL([], [AS],      [1], [Assembler program])dnl
 
 test -z "$DLLTOOL" && DLLTOOL=dlltool
-_LT_DECL([], [DLLTOOL], [0], [DLL creation program])dnl
+_LT_DECL([], [DLLTOOL], [1], [DLL creation program])dnl
 
 test -z "$OBJDUMP" && OBJDUMP=objdump
-_LT_DECL([], [OBJDUMP], [0], [Object dumper program])dnl
+_LT_DECL([], [OBJDUMP], [1], [Object dumper program])dnl
 ])# win32-dll
 
 AU_DEFUN([AC_LIBTOOL_WIN32_DLL],
@@ -325,9 +326,24 @@ dnl AC_DEFUN([AM_DISABLE_FAST_INSTALL], [])
 # MODE is either `yes' or `no'.  If omitted, it defaults to `both'.
 m4_define([_LT_WITH_PIC],
 [AC_ARG_WITH([pic],
-    [AS_HELP_STRING([--with-pic],
+    [AS_HELP_STRING([--with-pic@<:@=PKGS@:>@],
 	[try to use only PIC/non-PIC objects @<:@default=use both@:>@])],
-    [pic_mode="$withval"],
+    [lt_p=${PACKAGE-default}
+    case $withval in
+    yes|no) pic_mode=$withval ;;
+    *)
+      pic_mode=default
+      # Look at the argument we got.  We use all the common list separators.
+      lt_save_ifs="$IFS"; IFS="${IFS}$PATH_SEPARATOR,"
+      for lt_pkg in $withval; do
+	IFS="$lt_save_ifs"
+	if test "X$lt_pkg" = "X$lt_p"; then
+	  pic_mode=yes
+	fi
+      done
+      IFS="$lt_save_ifs"
+      ;;
+    esac],
     [pic_mode=default])
 
 test -z "$pic_mode" && pic_mode=m4_default([$1], [default])
diff --git a/m4/config/ltversion.m4 b/m4/config/ltversion.m4
index f3c530980..07a8602d4 100644
--- a/m4/config/ltversion.m4
+++ b/m4/config/ltversion.m4
@@ -7,17 +7,17 @@
 # unlimited permission to copy and/or distribute it, with or without
 # modifications, as long as this notice is preserved.
 
-# Generated from ltversion.in.
+# @configure_input@
 
-# serial 3017 ltversion.m4
+# serial 3337 ltversion.m4
 # This file is part of GNU Libtool
 
-m4_define([LT_PACKAGE_VERSION], [2.2.6b])
-m4_define([LT_PACKAGE_REVISION], [1.3017])
+m4_define([LT_PACKAGE_VERSION], [2.4.2])
+m4_define([LT_PACKAGE_REVISION], [1.3337])
 
 AC_DEFUN([LTVERSION_VERSION],
-[macro_version='2.2.6b'
-macro_revision='1.3017'
+[macro_version='2.4.2'
+macro_revision='1.3337'
 _LT_DECL(, macro_version, 0, [Which release of libtool.m4 was used?])
 _LT_DECL(, macro_revision, 0)
 ])
diff --git a/m4/config/lt~obsolete.m4 b/m4/config/lt~obsolete.m4
index 637bb2066..c573da90c 100644
--- a/m4/config/lt~obsolete.m4
+++ b/m4/config/lt~obsolete.m4
@@ -1,13 +1,13 @@
 # lt~obsolete.m4 -- aclocal satisfying obsolete definitions.    -*-Autoconf-*-
 #
-#   Copyright (C) 2004, 2005, 2007 Free Software Foundation, Inc.
+#   Copyright (C) 2004, 2005, 2007, 2009 Free Software Foundation, Inc.
 #   Written by Scott James Remnant, 2004.
 #
 # This file is free software; the Free Software Foundation gives
 # unlimited permission to copy and/or distribute it, with or without
 # modifications, as long as this notice is preserved.
 
-# serial 4 lt~obsolete.m4
+# serial 5 lt~obsolete.m4
 
 # These exist entirely to fool aclocal when bootstrapping libtool.
 #
@@ -77,7 +77,6 @@ m4_ifndef([AC_DISABLE_FAST_INSTALL],	[AC_DEFUN([AC_DISABLE_FAST_INSTALL])])
 m4_ifndef([_LT_AC_LANG_CXX],		[AC_DEFUN([_LT_AC_LANG_CXX])])
 m4_ifndef([_LT_AC_LANG_F77],		[AC_DEFUN([_LT_AC_LANG_F77])])
 m4_ifndef([_LT_AC_LANG_GCJ],		[AC_DEFUN([_LT_AC_LANG_GCJ])])
-m4_ifndef([AC_LIBTOOL_RC],		[AC_DEFUN([AC_LIBTOOL_RC])])
 m4_ifndef([AC_LIBTOOL_LANG_C_CONFIG],	[AC_DEFUN([AC_LIBTOOL_LANG_C_CONFIG])])
 m4_ifndef([_LT_AC_LANG_C_CONFIG],	[AC_DEFUN([_LT_AC_LANG_C_CONFIG])])
 m4_ifndef([AC_LIBTOOL_LANG_CXX_CONFIG],	[AC_DEFUN([AC_LIBTOOL_LANG_CXX_CONFIG])])
@@ -90,3 +89,10 @@ m4_ifndef([AC_LIBTOOL_LANG_RC_CONFIG],	[AC_DEFUN([AC_LIBTOOL_LANG_RC_CONFIG])])
 m4_ifndef([_LT_AC_LANG_RC_CONFIG],	[AC_DEFUN([_LT_AC_LANG_RC_CONFIG])])
 m4_ifndef([AC_LIBTOOL_CONFIG],		[AC_DEFUN([AC_LIBTOOL_CONFIG])])
 m4_ifndef([_LT_AC_FILE_LTDLL_C],	[AC_DEFUN([_LT_AC_FILE_LTDLL_C])])
+m4_ifndef([_LT_REQUIRED_DARWIN_CHECKS],	[AC_DEFUN([_LT_REQUIRED_DARWIN_CHECKS])])
+m4_ifndef([_LT_AC_PROG_CXXCPP],		[AC_DEFUN([_LT_AC_PROG_CXXCPP])])
+m4_ifndef([_LT_PREPARE_SED_QUOTE_VARS],	[AC_DEFUN([_LT_PREPARE_SED_QUOTE_VARS])])
+m4_ifndef([_LT_PROG_ECHO_BACKSLASH],	[AC_DEFUN([_LT_PROG_ECHO_BACKSLASH])])
+m4_ifndef([_LT_PROG_F77],		[AC_DEFUN([_LT_PROG_F77])])
+m4_ifndef([_LT_PROG_FC],		[AC_DEFUN([_LT_PROG_FC])])
+m4_ifndef([_LT_PROG_CXX],		[AC_DEFUN([_LT_PROG_CXX])])
diff --git a/man/Makefile.in b/man/Makefile.in
index b1c54dcd1..e313a4fff 100644
--- a/man/Makefile.in
+++ b/man/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -75,6 +75,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
 am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
 man5dir = $(mandir)/man5
 am__installdirs = "$(DESTDIR)$(man5dir)"
 NROFF = nroff
@@ -99,6 +105,7 @@ CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -126,6 +133,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -153,6 +161,7 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
@@ -165,6 +174,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -218,7 +228,6 @@ libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -344,9 +353,7 @@ uninstall-man5:
 	  sed -n '/\.5[a-z]*$$/p'; \
 	} | sed -e 's,.*/,,;h;s,.*\.,,;s,^[^5][0-9a-z]*$$,5,;x' \
 	      -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,'`; \
-	test -z "$$files" || { \
-	  echo " ( cd '$(DESTDIR)$(man5dir)' && rm -f" $$files ")"; \
-	  cd "$(DESTDIR)$(man5dir)" && rm -f $$files; }
+	dir='$(DESTDIR)$(man5dir)'; $(am__uninstall_files_from_dir)
 tags: TAGS
 TAGS:
 
@@ -414,10 +421,15 @@ install-am: all-am
 
 installcheck: installcheck-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
diff --git a/man/ipsec.conf.5 b/man/ipsec.conf.5
index 83ebc223c..e24196c2b 100644
--- a/man/ipsec.conf.5
+++ b/man/ipsec.conf.5
@@ -1,4 +1,4 @@
-.TH IPSEC.CONF 5 "2012-06-26" "5.0.1rc1" "strongSwan"
+.TH IPSEC.CONF 5 "2012-06-26" "5.0.2" "strongSwan"
 .SH NAME
 ipsec.conf \- IPsec configuration and connections
 .SH DESCRIPTION
@@ -369,7 +369,7 @@ for the connection, e.g.
 .BR aes128-sha256 .
 The notation is
 .BR encryption-integrity[-dhgroup][-esnmode] .
-.br
+
 Defaults to
 .BR aes128-sha1,3des-sha1 .
 The daemon adds its extensive default proposal to this default
@@ -377,7 +377,7 @@ or the configured value.  To restrict it to the configured proposal an
 exclamation mark
 .RB ( ! )
 can be added at the end.
-.br
+
 .BR Note :
 As a responder the daemon accepts the first supported proposal received from
 the peer. In order to restrict a responder to only accept specific cipher
@@ -403,15 +403,39 @@ force UDP encapsulation for ESP packets even if no NAT situation is detected.
 This may help to surmount restrictive firewalls. In order to force the peer to
 encapsulate packets, NAT detection payloads are faked.
 .TP
+.BR fragmentation " = yes | force | " no
+whether to use IKE fragmentation (proprietary IKEv1 extension).  Acceptable
+values are
+.BR yes ,
+.B force
+and
+.B no
+(the default). Fragmented messages sent by a peer are always accepted
+irrespective of the value of this option. If set to
+.BR yes ,
+and the peer supports it, larger IKE messages will be sent in fragments.
+If set to
+.B force
+the initial IKE message will already be fragmented if required.
+.TP
 .BR ike " = <cipher suites>"
 comma-separated list of IKE/ISAKMP SA encryption/authentication algorithms
 to be used, e.g.
 .BR aes128-sha1-modp2048 .
 The notation is
-.BR encryption-integrity-dhgroup .
-In IKEv2, multiple algorithms and proposals may be included, such as
-aes128-aes256-sha1-modp1536-modp2048,3des-sha1-md5-modp1024.
+.BR encryption-integrity[-prf]-dhgroup .
+If no PRF is given, the algorithms defined for integrity are used for the PRF.
+The prf keywords are the same as the integrity algorithms, but have a
+.B prf
+prefix (such as
+.BR prfsha1 ,
+.B prfsha256
+or
+.BR prfaesxcbc ).
 .br
+In IKEv2, multiple algorithms and proposals may be included, such as
+.BR aes128-aes256-sha1-modp1536-modp2048,3des-sha1-md5-modp1024 .
+
 Defaults to
 .BR aes128-sha1-modp2048,3des-sha1-modp1536 .
 The daemon adds its extensive default proposal to this
@@ -419,13 +443,14 @@ default or the configured value.  To restrict it to the configured proposal an
 exclamation mark
 .RB ( ! )
 can be added at the end.
-.br
+
 .BR Note :
 As a responder the daemon accepts the first supported proposal received from
 the peer.  In order to restrict a responder to only accept specific cipher
 suites, the strict flag
 .RB ( ! ,
-exclamation mark) can be used, e.g: aes256-sha512-modp4096!
+exclamation mark) can be used, e.g:
+.BR aes256-sha512-modp4096!
 .TP
 .BR ikelifetime " = " 3h " | <time>"
 how long the keying channel of a connection (ISAKMP or IKE SA)
@@ -579,6 +604,15 @@ to the distinguished name of the certificate's subject.
 The left participant's ID can be overridden by specifying a
 .B leftid
 value which must be certified by the certificate, though.
+.br
+A value in the form
+.B %smartcard[<slot nr>[@<module>]]:<keyid>
+defines a specific certificate to load from a PKCS#11 backend for this
+connection. See ipsec.secrets(5) for details about smartcard definitions.
+.B leftcert
+is required only if selecting the certificate with
+.B leftid
+is not sufficient, for example if multiple certificates use the same subject.
 .TP
 .BR leftcert2 " = <path>"
 Same as
@@ -1012,6 +1046,11 @@ currently can have either the value
 .BR cacert " = <path>"
 defines a path to the CA certificate either relative to
 \fI/etc/ipsec.d/cacerts\fP or as an absolute path.
+.br
+A value in the form
+.B %smartcard[<slot nr>[@<module>]]:<keyid>
+defines a specific CA certificate to load from a PKCS#11 backend for this CA.
+See ipsec.secrets(5) for details about smartcard definitions.
 .TP
 .BR crluri " = <uri>"
 defines a CRL distribution point (ldap, http, or file URI)
diff --git a/man/ipsec.conf.5.in b/man/ipsec.conf.5.in
index f4d7ed1d6..2766cc4ed 100644
--- a/man/ipsec.conf.5.in
+++ b/man/ipsec.conf.5.in
@@ -369,7 +369,7 @@ for the connection, e.g.
 .BR aes128-sha256 .
 The notation is
 .BR encryption-integrity[-dhgroup][-esnmode] .
-.br
+
 Defaults to
 .BR aes128-sha1,3des-sha1 .
 The daemon adds its extensive default proposal to this default
@@ -377,7 +377,7 @@ or the configured value.  To restrict it to the configured proposal an
 exclamation mark
 .RB ( ! )
 can be added at the end.
-.br
+
 .BR Note :
 As a responder the daemon accepts the first supported proposal received from
 the peer. In order to restrict a responder to only accept specific cipher
@@ -403,15 +403,39 @@ force UDP encapsulation for ESP packets even if no NAT situation is detected.
 This may help to surmount restrictive firewalls. In order to force the peer to
 encapsulate packets, NAT detection payloads are faked.
 .TP
+.BR fragmentation " = yes | force | " no
+whether to use IKE fragmentation (proprietary IKEv1 extension).  Acceptable
+values are
+.BR yes ,
+.B force
+and
+.B no
+(the default). Fragmented messages sent by a peer are always accepted
+irrespective of the value of this option. If set to
+.BR yes ,
+and the peer supports it, larger IKE messages will be sent in fragments.
+If set to
+.B force
+the initial IKE message will already be fragmented if required.
+.TP
 .BR ike " = <cipher suites>"
 comma-separated list of IKE/ISAKMP SA encryption/authentication algorithms
 to be used, e.g.
 .BR aes128-sha1-modp2048 .
 The notation is
-.BR encryption-integrity-dhgroup .
-In IKEv2, multiple algorithms and proposals may be included, such as
-aes128-aes256-sha1-modp1536-modp2048,3des-sha1-md5-modp1024.
+.BR encryption-integrity[-prf]-dhgroup .
+If no PRF is given, the algorithms defined for integrity are used for the PRF.
+The prf keywords are the same as the integrity algorithms, but have a
+.B prf
+prefix (such as
+.BR prfsha1 ,
+.B prfsha256
+or
+.BR prfaesxcbc ).
 .br
+In IKEv2, multiple algorithms and proposals may be included, such as
+.BR aes128-aes256-sha1-modp1536-modp2048,3des-sha1-md5-modp1024 .
+
 Defaults to
 .BR aes128-sha1-modp2048,3des-sha1-modp1536 .
 The daemon adds its extensive default proposal to this
@@ -419,13 +443,14 @@ default or the configured value.  To restrict it to the configured proposal an
 exclamation mark
 .RB ( ! )
 can be added at the end.
-.br
+
 .BR Note :
 As a responder the daemon accepts the first supported proposal received from
 the peer.  In order to restrict a responder to only accept specific cipher
 suites, the strict flag
 .RB ( ! ,
-exclamation mark) can be used, e.g: aes256-sha512-modp4096!
+exclamation mark) can be used, e.g:
+.BR aes256-sha512-modp4096!
 .TP
 .BR ikelifetime " = " 3h " | <time>"
 how long the keying channel of a connection (ISAKMP or IKE SA)
@@ -579,6 +604,15 @@ to the distinguished name of the certificate's subject.
 The left participant's ID can be overridden by specifying a
 .B leftid
 value which must be certified by the certificate, though.
+.br
+A value in the form
+.B %smartcard[<slot nr>[@<module>]]:<keyid>
+defines a specific certificate to load from a PKCS#11 backend for this
+connection. See ipsec.secrets(5) for details about smartcard definitions.
+.B leftcert
+is required only if selecting the certificate with
+.B leftid
+is not sufficient, for example if multiple certificates use the same subject.
 .TP
 .BR leftcert2 " = <path>"
 Same as
@@ -1012,6 +1046,11 @@ currently can have either the value
 .BR cacert " = <path>"
 defines a path to the CA certificate either relative to
 \fI/etc/ipsec.d/cacerts\fP or as an absolute path.
+.br
+A value in the form
+.B %smartcard[<slot nr>[@<module>]]:<keyid>
+defines a specific CA certificate to load from a PKCS#11 backend for this CA.
+See ipsec.secrets(5) for details about smartcard definitions.
 .TP
 .BR crluri " = <uri>"
 defines a CRL distribution point (ldap, http, or file URI)
diff --git a/man/ipsec.secrets.5 b/man/ipsec.secrets.5
index c7c092502..127f18f20 100644
--- a/man/ipsec.secrets.5
+++ b/man/ipsec.secrets.5
@@ -1,4 +1,4 @@
-.TH IPSEC.SECRETS 5 "2011-12-14" "4.6.2dr3" "strongSwan"
+.TH IPSEC.SECRETS 5 "2011-12-14" "5.0.2" "strongSwan"
 .SH NAME
 ipsec.secrets \- secrets for IKE/IPsec authentication
 .SH DESCRIPTION
@@ -37,13 +37,7 @@ by whitespace. If no ID selectors are specified the line must start with a
 colon.
 .LP
 A selector is an IP address, a Fully Qualified Domain Name, user@FQDN,
-\fB%any\fP or \fB%any6\fP (other kinds may come).  An IP address may be written
-in the familiar dotted quad form or as a domain name to be looked up
-when the file is loaded.
-In many cases it is a bad idea to use domain names because
-the name server may not be running or may be insecure.  To denote a
-Fully Qualified Domain Name (as opposed to an IP address denoted by
-its domain name), precede the name with an at sign (\fB@\fP).
+\fB%any\fP or \fB%any6\fP (other kinds may come).
 .LP
 Matching IDs with selectors is fairly straightforward: they have to be
 equal.  In the case of a ``Road Warrior'' connection, if an equal
@@ -100,6 +94,9 @@ defines an ECDSA private key
 .B EAP
 defines EAP credentials
 .TP
+.B NTLM
+defines NTLM credentials
+.TP
 .B XAUTH
 defines XAUTH credentials
 .TP
@@ -151,18 +148,22 @@ The format of \fIsecret\fP is the same as that of \fBPSK\fP secrets.
 .br
 \fBEAP\fP secrets are IKEv2 only.
 .TP
+.B <user id> : NTLM <secret>
+The format of \fIsecret\fP is the same as that of \fBPSK\fP secrets, but the
+secret is stored as NTLM hash, which is MD4(UTF-16LE(secret)), instead of as
+cleartext.
+.br
+\fBNTLM\fP secrets can only be used with the \fBeap-mschapv2\fP plugin.
+.TP
 .B [ <servername> ] <username> : XAUTH <password>
 The format of \fIpassword\fP is the same as that of \fBPSK\fP secrets.
 \fBXAUTH\fP secrets are IKEv1 only.
 .TP
-.B : PIN <smartcard selector> <pin code> | %prompt
-IKEv1 uses the format
-.B "%smartcard[<slot nr>[:<key id>]]"
-to specify the smartcard selector (e.g. %smartcard1:50).
-The IKEv2 daemon supports multiple modules with the format
-.B "%smartcard[<slot nr>[@<module>]]:<keyid>"
-, but always requires a keyid to uniquely select the correct key. Instead of
-specifying the pin code statically,
+.B : PIN %smartcard[<slot nr>[@<module>]]:<keyid> <pin code> | %prompt
+The smartcard selector always requires a keyid to uniquely select the correct
+key. The slot number defines the slot on the token, the module name refers to
+the module name defined in strongswan.conf(5).
+Instead of specifying the pin code statically,
 .B %prompt
 can be specified, which causes the daemons to ask the user for the pin code.
 .LP
diff --git a/man/ipsec.secrets.5.in b/man/ipsec.secrets.5.in
index aa1b5c9c1..319d4856b 100644
--- a/man/ipsec.secrets.5.in
+++ b/man/ipsec.secrets.5.in
@@ -37,13 +37,7 @@ by whitespace. If no ID selectors are specified the line must start with a
 colon.
 .LP
 A selector is an IP address, a Fully Qualified Domain Name, user@FQDN,
-\fB%any\fP or \fB%any6\fP (other kinds may come).  An IP address may be written
-in the familiar dotted quad form or as a domain name to be looked up
-when the file is loaded.
-In many cases it is a bad idea to use domain names because
-the name server may not be running or may be insecure.  To denote a
-Fully Qualified Domain Name (as opposed to an IP address denoted by
-its domain name), precede the name with an at sign (\fB@\fP).
+\fB%any\fP or \fB%any6\fP (other kinds may come).
 .LP
 Matching IDs with selectors is fairly straightforward: they have to be
 equal.  In the case of a ``Road Warrior'' connection, if an equal
@@ -100,6 +94,9 @@ defines an ECDSA private key
 .B EAP
 defines EAP credentials
 .TP
+.B NTLM
+defines NTLM credentials
+.TP
 .B XAUTH
 defines XAUTH credentials
 .TP
@@ -151,18 +148,22 @@ The format of \fIsecret\fP is the same as that of \fBPSK\fP secrets.
 .br
 \fBEAP\fP secrets are IKEv2 only.
 .TP
+.B <user id> : NTLM <secret>
+The format of \fIsecret\fP is the same as that of \fBPSK\fP secrets, but the
+secret is stored as NTLM hash, which is MD4(UTF-16LE(secret)), instead of as
+cleartext.
+.br
+\fBNTLM\fP secrets can only be used with the \fBeap-mschapv2\fP plugin.
+.TP
 .B [ <servername> ] <username> : XAUTH <password>
 The format of \fIpassword\fP is the same as that of \fBPSK\fP secrets.
 \fBXAUTH\fP secrets are IKEv1 only.
 .TP
-.B : PIN <smartcard selector> <pin code> | %prompt
-IKEv1 uses the format
-.B "%smartcard[<slot nr>[:<key id>]]"
-to specify the smartcard selector (e.g. %smartcard1:50).
-The IKEv2 daemon supports multiple modules with the format
-.B "%smartcard[<slot nr>[@<module>]]:<keyid>"
-, but always requires a keyid to uniquely select the correct key. Instead of
-specifying the pin code statically,
+.B : PIN %smartcard[<slot nr>[@<module>]]:<keyid> <pin code> | %prompt
+The smartcard selector always requires a keyid to uniquely select the correct
+key. The slot number defines the slot on the token, the module name refers to
+the module name defined in strongswan.conf(5).
+Instead of specifying the pin code statically,
 .B %prompt
 can be specified, which causes the daemons to ask the user for the pin code.
 .LP
diff --git a/man/strongswan.conf.5 b/man/strongswan.conf.5
index 16b9f245a..8a34a7f93 100644
--- a/man/strongswan.conf.5
+++ b/man/strongswan.conf.5
@@ -1,4 +1,4 @@
-.TH STRONGSWAN.CONF 5 "2012-05-01" "5.0.1" "strongSwan"
+.TH STRONGSWAN.CONF 5 "2013-01-25" "5.0.2" "strongSwan"
 .SH NAME
 strongswan.conf \- strongSwan configuration file
 .SH DESCRIPTION
@@ -164,6 +164,10 @@ are released to free memory once an IKE_SA is established.
 Enabling this might conflict with plugins that later need access to e.g. the
 used certificates.
 .TP
+.BR charon.fragment_size " [512]"
+Maximum size (in bytes) of a sent fragment when using the proprietary IKEv1
+fragmentation extension.
+.TP
 .BR charon.half_open_timeout " [30]"
 Timeout in seconds for connecting IKE_SAs (also see IKE_SA_INIT DROPPING).
 .TP
@@ -178,6 +182,10 @@ openly transmitted hash of the PSK)
 .BR charon.ignore_routing_tables
 A space-separated list of routing tables to be excluded from route lookups
 .TP
+.BR charon.ikesa_limit " [0]"
+Maximum number of IKE_SAs that can be established at the same time before new
+connection attempts are blocked
+.TP
 .BR charon.ikesa_table_segments " [1]"
 Number of exclusively locked segments in the hash table
 .TP
@@ -635,9 +643,15 @@ Passphrase protecting the private key
 .BR charon.plugins.tnc-ifmap.username
 Authentication username of strongSwan MAP client
 .TP
+.BR charon.plugins.tnc-imc.dlclose " [yes]"
+Unload IMC after use
+.TP
 .BR charon.plugins.tnc-imc.preferred_language " [en]"
 Preferred language for TNC recommendations
 .TP
+.BR charon.plugins.tnc-imv.dlclose " [yes]"
+Unload IMV after use
+.TP
 .BR charon.plugins.tnc-pdp.method " [ttls]"
 EAP tunnel method to be used
 .TP
@@ -696,6 +710,12 @@ strength
 .BR libstrongswan.ecp_x_coordinate_only " [yes]"
 Compliance with the errata for RFC 4753
 .TP
+.BR libstrongswan.host_resolver.max_threads " [3]"
+Maximum number of concurrent resolver threads (they are terminated if unused)
+.TP
+.BR libstrongswan.host_resolver.min_threads " [0]"
+Minimum number of resolver threads to keep around
+.TP
 .BR libstrongswan.integrity_test " [no]"
 Check daemon, libstrongswan and plugin integrity at startup
 .TP
@@ -728,6 +748,12 @@ ENGINE ID to use in the OpenSSL plugin
 .BR libstrongswan.plugins.pkcs11.modules
 List of available PKCS#11 modules
 .TP
+.BR libstrongswan.plugins.pkcs11.load_certs " [yes]"
+Whether to load certificates from tokens
+.TP
+.BR libstrongswan.plugins.pkcs11.reload_certs " [no]"
+Reload certificates from all tokens if charon receives a SIGHUP
+.TP
 .BR libstrongswan.plugins.pkcs11.use_dh " [no]"
 Whether the PKCS#11 modules should be used for DH and ECDH (see use_ecc option)
 .TP
@@ -764,10 +790,13 @@ Debug level for a stand-alone libimcv library
 .TP
 .BR libimcv.stderr_quiet " [no]"
 Disable output to stderr with a stand-alone libimcv library
-.SS libimcv plugins section
 .TP
-.BR libimcv.plugins.imc-attestation.platform_info
-Information on operating system and hardware platform
+.BR libimcv.os_info.name
+Manually set the name of the client OS (e.g. Ubuntu)
+.TP
+.BR libimcv.os_info.version
+Manually set the version of the client OS (e.g. 12.04 i686)
+.SS libimcv plugins section
 .TP
 .BR libimcv.plugins.imc-attestation.aik_blob
 AIK encrypted private key blob file
@@ -799,12 +828,27 @@ Preferred measurement hash algorithm
 .BR libimcv.plugins.imv-attestation.min_nonce_len " [0]"
 DH minimum nonce length
 .TP
-.BR libimcv.plugins.imv-attestation.platform_info
-Information on operating system and hardware platform
+.BR libimcv.plugins.imv-attestation.remediation_uri
+URI pointing to attestation remediation instructions
+.TP
+.BR libimcv.plugins.imc-os.push_info " [yes]"
+Send operating system info without being prompted
+.TP
+.BR libimcv.plugins.imv-os.database
+Database URI for the database that stores operating system information
+.TP
+.BR libimcv.plugins.imv-os.remediation_uri
+URI pointing to operating system remediation instructions
+.TP
+.BR libimcv.plugins.imc-scanner.push_info " [yes]"
+Send open listening ports without being prompted
 .TP
 .BR libimcv.plugins.imv-scanner.closed_port_policy " [yes]"
 By default all ports must be closed (yes) or can be open (no)
 .TP
+.BR libimcv.plugins.imv-scanner.remediation_uri
+URI pointing to scanner remediation instructions
+.TP
 .BR libimcv.plugins.imv-scanner.tcp_ports
 List of TCP ports that can be open or must be closed
 .TP
@@ -826,6 +870,9 @@ Do a handshake retry
 .BR libimcv.plugins.imc-test.retry_command
 Command to be sent to the Test IMV in the handshake retry
 .TP
+.BR libimcv.plugins.imv-test.remediation_uri
+URI pointing to test remediation instructions
+.TP
 .BR libimcv.plugins.imv-test.rounds " [0]"
 Number of IMC-IMV retry rounds
 .SS libtls section
@@ -902,6 +949,10 @@ Session timeout for mediation service
 .TP
 .BR openac.load
 Plugins to load in ipsec openac tool
+.SS pacman section
+.TP
+.BR pacman.database
+Database URI for the database that stores the package information
 .SS pki section
 .TP
 .BR pki.load
@@ -1244,6 +1295,17 @@ Never enable the load-testing plugin on productive systems. It provides
 preconfigured credentials and allows an attacker to authenticate as any user.
 .SS Options
 .TP
+.BR charon.plugins.load-tester.addrs
+Subsection that contains key/value pairs with address pools (in CIDR notation)
+to use for a specific network interface e.g. eth0 = 10.10.0.0/16
+.TP
+.BR charon.plugins.load-tester.addrs_prefix " [16]"
+Network prefix length to use when installing dynamic addresses. If set to -1 the
+full address is used (i.e. 32 or 128)
+.TP
+.BR charon.plugins.load-tester.ca_dir
+Directory to load (intermediate) CA certificates from
+.TP
 .BR charon.plugins.load-tester.child_rekey " [600]"
 Seconds to start CHILD_SA rekeying after setup
 .TP
@@ -1253,6 +1315,9 @@ Delay between initiatons for each thread
 .BR charon.plugins.load-tester.delete_after_established " [no]"
 Delete an IKE_SA as soon as it has been established
 .TP
+.BR charon.plugins.load-tester.digest " [sha1]"
+Digest algorithm used when issuing certificates
+.TP
 .BR charon.plugins.load-tester.dpd_delay " [0]"
 DPD delay to use in load test
 .TP
@@ -1274,6 +1339,9 @@ Seconds to start IKE_SA rekeying after setup
 .BR charon.plugins.load-tester.init_limit " [0]"
 Global limit of concurrently established SAs during load test
 .TP
+.BR charon.plugins.load-tester.initiator " [0.0.0.0]"
+Address to initiate from
+.TP
 .BR charon.plugins.load-tester.initiators " [0]"
 Number of concurrent initiator threads to use in load test
 .TP
@@ -1283,8 +1351,24 @@ Authentication method(s) the intiator uses
 .BR charon.plugins.load-tester.initiator_id
 Initiator ID used in load test
 .TP
+.BR charon.plugins.load-tester.initiator_match
+Initiator ID to to match against as responder
+.TP
+.BR charon.plugins.load-tester.initiator_tsi
+Traffic selector on initiator side, as proposed by initiator
+.TP
+.BR charon.plugins.load-tester.initiator_tsr
+Traffic selector on responder side, as proposed by initiator
+.TP
 .BR charon.plugins.load-tester.iterations " [1]"
-Number of IKE_SAs to initate by each initiator in load test
+Number of IKE_SAs to initiate by each initiator in load test
+.TP
+.BR charon.plugins.load-tester.issuer_cert
+Path to the issuer certificate (if not configured a hard-coded value is used)
+.TP
+.BR charon.plugins.load-tester.issuer_key
+Path to private key that is used to issue certificates (if not configured a
+hard-coded value is used)
 .TP
 .BR charon.plugins.load-tester.pool
 Provide INTERNAL_IPV4_ADDRs from a named pool
@@ -1295,7 +1379,7 @@ Preshared key to use in load test
 .BR charon.plugins.load-tester.proposal " [aes128-sha1-modp768]"
 IKE proposal to use in load test
 .TP
-.BR charon.plugins.load-tester.remote " [127.0.0.1]"
+.BR charon.plugins.load-tester.responder " [127.0.0.1]"
 Address to initiation connections to
 .TP
 .BR charon.plugins.load-tester.responder_auth " [pubkey]"
@@ -1304,11 +1388,21 @@ Authentication method(s) the responder uses
 .BR charon.plugins.load-tester.responder_id
 Responder ID used in load test
 .TP
+.BR charon.plugins.load-tester.responder_tsi " [initiator_tsi]"
+Traffic selector on initiator side, as narrowed by responder
+.TP
+.BR charon.plugins.load-tester.responder_tsr " [initiator_tsr]"
+Traffic selector on responder side, as narrowed by responder
+.TP
 .BR charon.plugins.load-tester.request_virtual_ip " [no]"
 Request an INTERNAL_IPV4_ADDR from the server
 .TP
 .BR charon.plugins.load-tester.shutdown_when_complete " [no]"
 Shutdown the daemon after all IKE_SAs have been established
+.TP
+.BR charon.plugins.load-tester.version " [0]"
+IKE version to use (0 means use IKEv2 as initiator and accept any version as
+responder)
 .SS Configuration details
 For public key authentication, the responder uses the
 .B \(dqCN=srv, OU=load-test, O=strongSwan\(dq
diff --git a/man/strongswan.conf.5.in b/man/strongswan.conf.5.in
index 217d7d739..2fafed62d 100644
--- a/man/strongswan.conf.5.in
+++ b/man/strongswan.conf.5.in
@@ -1,4 +1,4 @@
-.TH STRONGSWAN.CONF 5 "2012-05-01" "@IPSEC_VERSION@" "strongSwan"
+.TH STRONGSWAN.CONF 5 "2013-01-25" "@IPSEC_VERSION@" "strongSwan"
 .SH NAME
 strongswan.conf \- strongSwan configuration file
 .SH DESCRIPTION
@@ -164,6 +164,10 @@ are released to free memory once an IKE_SA is established.
 Enabling this might conflict with plugins that later need access to e.g. the
 used certificates.
 .TP
+.BR charon.fragment_size " [512]"
+Maximum size (in bytes) of a sent fragment when using the proprietary IKEv1
+fragmentation extension.
+.TP
 .BR charon.half_open_timeout " [30]"
 Timeout in seconds for connecting IKE_SAs (also see IKE_SA_INIT DROPPING).
 .TP
@@ -178,6 +182,10 @@ openly transmitted hash of the PSK)
 .BR charon.ignore_routing_tables
 A space-separated list of routing tables to be excluded from route lookups
 .TP
+.BR charon.ikesa_limit " [0]"
+Maximum number of IKE_SAs that can be established at the same time before new
+connection attempts are blocked
+.TP
 .BR charon.ikesa_table_segments " [1]"
 Number of exclusively locked segments in the hash table
 .TP
@@ -635,9 +643,15 @@ Passphrase protecting the private key
 .BR charon.plugins.tnc-ifmap.username
 Authentication username of strongSwan MAP client
 .TP
+.BR charon.plugins.tnc-imc.dlclose " [yes]"
+Unload IMC after use
+.TP
 .BR charon.plugins.tnc-imc.preferred_language " [en]"
 Preferred language for TNC recommendations
 .TP
+.BR charon.plugins.tnc-imv.dlclose " [yes]"
+Unload IMV after use
+.TP
 .BR charon.plugins.tnc-pdp.method " [ttls]"
 EAP tunnel method to be used
 .TP
@@ -696,6 +710,12 @@ strength
 .BR libstrongswan.ecp_x_coordinate_only " [yes]"
 Compliance with the errata for RFC 4753
 .TP
+.BR libstrongswan.host_resolver.max_threads " [3]"
+Maximum number of concurrent resolver threads (they are terminated if unused)
+.TP
+.BR libstrongswan.host_resolver.min_threads " [0]"
+Minimum number of resolver threads to keep around
+.TP
 .BR libstrongswan.integrity_test " [no]"
 Check daemon, libstrongswan and plugin integrity at startup
 .TP
@@ -728,6 +748,12 @@ ENGINE ID to use in the OpenSSL plugin
 .BR libstrongswan.plugins.pkcs11.modules
 List of available PKCS#11 modules
 .TP
+.BR libstrongswan.plugins.pkcs11.load_certs " [yes]"
+Whether to load certificates from tokens
+.TP
+.BR libstrongswan.plugins.pkcs11.reload_certs " [no]"
+Reload certificates from all tokens if charon receives a SIGHUP
+.TP
 .BR libstrongswan.plugins.pkcs11.use_dh " [no]"
 Whether the PKCS#11 modules should be used for DH and ECDH (see use_ecc option)
 .TP
@@ -764,10 +790,13 @@ Debug level for a stand-alone libimcv library
 .TP
 .BR libimcv.stderr_quiet " [no]"
 Disable output to stderr with a stand-alone libimcv library
-.SS libimcv plugins section
 .TP
-.BR libimcv.plugins.imc-attestation.platform_info
-Information on operating system and hardware platform
+.BR libimcv.os_info.name
+Manually set the name of the client OS (e.g. Ubuntu)
+.TP
+.BR libimcv.os_info.version
+Manually set the version of the client OS (e.g. 12.04 i686)
+.SS libimcv plugins section
 .TP
 .BR libimcv.plugins.imc-attestation.aik_blob
 AIK encrypted private key blob file
@@ -799,12 +828,27 @@ Preferred measurement hash algorithm
 .BR libimcv.plugins.imv-attestation.min_nonce_len " [0]"
 DH minimum nonce length
 .TP
-.BR libimcv.plugins.imv-attestation.platform_info
-Information on operating system and hardware platform
+.BR libimcv.plugins.imv-attestation.remediation_uri
+URI pointing to attestation remediation instructions
+.TP
+.BR libimcv.plugins.imc-os.push_info " [yes]"
+Send operating system info without being prompted
+.TP
+.BR libimcv.plugins.imv-os.database
+Database URI for the database that stores operating system information
+.TP
+.BR libimcv.plugins.imv-os.remediation_uri
+URI pointing to operating system remediation instructions
+.TP
+.BR libimcv.plugins.imc-scanner.push_info " [yes]"
+Send open listening ports without being prompted
 .TP
 .BR libimcv.plugins.imv-scanner.closed_port_policy " [yes]"
 By default all ports must be closed (yes) or can be open (no)
 .TP
+.BR libimcv.plugins.imv-scanner.remediation_uri
+URI pointing to scanner remediation instructions
+.TP
 .BR libimcv.plugins.imv-scanner.tcp_ports
 List of TCP ports that can be open or must be closed
 .TP
@@ -826,6 +870,9 @@ Do a handshake retry
 .BR libimcv.plugins.imc-test.retry_command
 Command to be sent to the Test IMV in the handshake retry
 .TP
+.BR libimcv.plugins.imv-test.remediation_uri
+URI pointing to test remediation instructions
+.TP
 .BR libimcv.plugins.imv-test.rounds " [0]"
 Number of IMC-IMV retry rounds
 .SS libtls section
@@ -902,6 +949,10 @@ Session timeout for mediation service
 .TP
 .BR openac.load
 Plugins to load in ipsec openac tool
+.SS pacman section
+.TP
+.BR pacman.database
+Database URI for the database that stores the package information
 .SS pki section
 .TP
 .BR pki.load
@@ -1244,6 +1295,17 @@ Never enable the load-testing plugin on productive systems. It provides
 preconfigured credentials and allows an attacker to authenticate as any user.
 .SS Options
 .TP
+.BR charon.plugins.load-tester.addrs
+Subsection that contains key/value pairs with address pools (in CIDR notation)
+to use for a specific network interface e.g. eth0 = 10.10.0.0/16
+.TP
+.BR charon.plugins.load-tester.addrs_prefix " [16]"
+Network prefix length to use when installing dynamic addresses. If set to -1 the
+full address is used (i.e. 32 or 128)
+.TP
+.BR charon.plugins.load-tester.ca_dir
+Directory to load (intermediate) CA certificates from
+.TP
 .BR charon.plugins.load-tester.child_rekey " [600]"
 Seconds to start CHILD_SA rekeying after setup
 .TP
@@ -1253,6 +1315,9 @@ Delay between initiatons for each thread
 .BR charon.plugins.load-tester.delete_after_established " [no]"
 Delete an IKE_SA as soon as it has been established
 .TP
+.BR charon.plugins.load-tester.digest " [sha1]"
+Digest algorithm used when issuing certificates
+.TP
 .BR charon.plugins.load-tester.dpd_delay " [0]"
 DPD delay to use in load test
 .TP
@@ -1274,6 +1339,9 @@ Seconds to start IKE_SA rekeying after setup
 .BR charon.plugins.load-tester.init_limit " [0]"
 Global limit of concurrently established SAs during load test
 .TP
+.BR charon.plugins.load-tester.initiator " [0.0.0.0]"
+Address to initiate from
+.TP
 .BR charon.plugins.load-tester.initiators " [0]"
 Number of concurrent initiator threads to use in load test
 .TP
@@ -1283,8 +1351,24 @@ Authentication method(s) the intiator uses
 .BR charon.plugins.load-tester.initiator_id
 Initiator ID used in load test
 .TP
+.BR charon.plugins.load-tester.initiator_match
+Initiator ID to to match against as responder
+.TP
+.BR charon.plugins.load-tester.initiator_tsi
+Traffic selector on initiator side, as proposed by initiator
+.TP
+.BR charon.plugins.load-tester.initiator_tsr
+Traffic selector on responder side, as proposed by initiator
+.TP
 .BR charon.plugins.load-tester.iterations " [1]"
-Number of IKE_SAs to initate by each initiator in load test
+Number of IKE_SAs to initiate by each initiator in load test
+.TP
+.BR charon.plugins.load-tester.issuer_cert
+Path to the issuer certificate (if not configured a hard-coded value is used)
+.TP
+.BR charon.plugins.load-tester.issuer_key
+Path to private key that is used to issue certificates (if not configured a
+hard-coded value is used)
 .TP
 .BR charon.plugins.load-tester.pool
 Provide INTERNAL_IPV4_ADDRs from a named pool
@@ -1295,7 +1379,7 @@ Preshared key to use in load test
 .BR charon.plugins.load-tester.proposal " [aes128-sha1-modp768]"
 IKE proposal to use in load test
 .TP
-.BR charon.plugins.load-tester.remote " [127.0.0.1]"
+.BR charon.plugins.load-tester.responder " [127.0.0.1]"
 Address to initiation connections to
 .TP
 .BR charon.plugins.load-tester.responder_auth " [pubkey]"
@@ -1304,11 +1388,21 @@ Authentication method(s) the responder uses
 .BR charon.plugins.load-tester.responder_id
 Responder ID used in load test
 .TP
+.BR charon.plugins.load-tester.responder_tsi " [initiator_tsi]"
+Traffic selector on initiator side, as narrowed by responder
+.TP
+.BR charon.plugins.load-tester.responder_tsr " [initiator_tsr]"
+Traffic selector on responder side, as narrowed by responder
+.TP
 .BR charon.plugins.load-tester.request_virtual_ip " [no]"
 Request an INTERNAL_IPV4_ADDR from the server
 .TP
 .BR charon.plugins.load-tester.shutdown_when_complete " [no]"
 Shutdown the daemon after all IKE_SAs have been established
+.TP
+.BR charon.plugins.load-tester.version " [0]"
+IKE version to use (0 means use IKEv2 as initiator and accept any version as
+responder)
 .SS Configuration details
 For public key authentication, the responder uses the
 .B \(dqCN=srv, OU=load-test, O=strongSwan\(dq
diff --git a/missing b/missing
index 28055d2ae..86a8fc31e 100755
--- a/missing
+++ b/missing
@@ -1,10 +1,10 @@
 #! /bin/sh
 # Common stub for a few missing GNU programs while installing.
 
-scriptversion=2009-04-28.21; # UTC
+scriptversion=2012-01-06.13; # UTC
 
 # Copyright (C) 1996, 1997, 1999, 2000, 2002, 2003, 2004, 2005, 2006,
-# 2008, 2009 Free Software Foundation, Inc.
+# 2008, 2009, 2010, 2011, 2012 Free Software Foundation, Inc.
 # Originally by Fran,cois Pinard <pinard@iro.umontreal.ca>, 1996.
 
 # This program is free software; you can redistribute it and/or modify
@@ -84,7 +84,6 @@ Supported PROGRAM values:
   help2man     touch the output file
   lex          create \`lex.yy.c', if possible, from existing .c
   makeinfo     touch the output file
-  tar          try tar, gnutar, gtar, then tar without non-portable flags
   yacc         create \`y.tab.[ch]', if possible, from existing .[ch]
 
 Version suffixes to PROGRAM as well as the prefixes \`gnu-', \`gnu', and
@@ -122,15 +121,6 @@ case $1 in
     # Not GNU programs, they don't have --version.
     ;;
 
-  tar*)
-    if test -n "$run"; then
-       echo 1>&2 "ERROR: \`tar' requires --run"
-       exit 1
-    elif test "x$2" = "x--version" || test "x$2" = "x--help"; then
-       exit 1
-    fi
-    ;;
-
   *)
     if test -z "$run" && ($1 --version) > /dev/null 2>&1; then
        # We have it, but it failed.
@@ -226,7 +216,7 @@ WARNING: \`$1' $msg.  You should only need it if
          \`Bison' from any GNU archive site."
     rm -f y.tab.c y.tab.h
     if test $# -ne 1; then
-        eval LASTARG="\${$#}"
+        eval LASTARG=\${$#}
 	case $LASTARG in
 	*.y)
 	    SRCFILE=`echo "$LASTARG" | sed 's/y$/c/'`
@@ -256,7 +246,7 @@ WARNING: \`$1' is $msg.  You should only need it if
          \`Flex' from any GNU archive site."
     rm -f lex.yy.c
     if test $# -ne 1; then
-        eval LASTARG="\${$#}"
+        eval LASTARG=\${$#}
 	case $LASTARG in
 	*.l)
 	    SRCFILE=`echo "$LASTARG" | sed 's/l$/c/'`
@@ -318,41 +308,6 @@ WARNING: \`$1' is $msg.  You should only need it if
     touch $file
     ;;
 
-  tar*)
-    shift
-
-    # We have already tried tar in the generic part.
-    # Look for gnutar/gtar before invocation to avoid ugly error
-    # messages.
-    if (gnutar --version > /dev/null 2>&1); then
-       gnutar "$@" && exit 0
-    fi
-    if (gtar --version > /dev/null 2>&1); then
-       gtar "$@" && exit 0
-    fi
-    firstarg="$1"
-    if shift; then
-	case $firstarg in
-	*o*)
-	    firstarg=`echo "$firstarg" | sed s/o//`
-	    tar "$firstarg" "$@" && exit 0
-	    ;;
-	esac
-	case $firstarg in
-	*h*)
-	    firstarg=`echo "$firstarg" | sed s/h//`
-	    tar "$firstarg" "$@" && exit 0
-	    ;;
-	esac
-    fi
-
-    echo 1>&2 "\
-WARNING: I can't seem to be able to run \`tar' with the given arguments.
-         You may want to install GNU tar or Free paxutils, or check the
-         command line arguments."
-    exit 1
-    ;;
-
   *)
     echo 1>&2 "\
 WARNING: \`$1' is needed, and is $msg.
diff --git a/scripts/Makefile.in b/scripts/Makefile.in
index a50e8d6e0..bb95cdf43 100644
--- a/scripts/Makefile.in
+++ b/scripts/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -157,6 +157,7 @@ CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -184,6 +185,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -211,6 +213,7 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
@@ -223,6 +226,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -276,7 +280,6 @@ libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -395,43 +398,43 @@ clean-noinstPROGRAMS:
 	list=`for p in $$list; do echo "$$p"; done | sed 's/$(EXEEXT)$$//'`; \
 	echo " rm -f" $$list; \
 	rm -f $$list
-bin2array$(EXEEXT): $(bin2array_OBJECTS) $(bin2array_DEPENDENCIES) 
+bin2array$(EXEEXT): $(bin2array_OBJECTS) $(bin2array_DEPENDENCIES) $(EXTRA_bin2array_DEPENDENCIES) 
 	@rm -f bin2array$(EXEEXT)
 	$(LINK) $(bin2array_OBJECTS) $(bin2array_LDADD) $(LIBS)
-bin2sql$(EXEEXT): $(bin2sql_OBJECTS) $(bin2sql_DEPENDENCIES) 
+bin2sql$(EXEEXT): $(bin2sql_OBJECTS) $(bin2sql_DEPENDENCIES) $(EXTRA_bin2sql_DEPENDENCIES) 
 	@rm -f bin2sql$(EXEEXT)
 	$(LINK) $(bin2sql_OBJECTS) $(bin2sql_LDADD) $(LIBS)
-crypt_burn$(EXEEXT): $(crypt_burn_OBJECTS) $(crypt_burn_DEPENDENCIES) 
+crypt_burn$(EXEEXT): $(crypt_burn_OBJECTS) $(crypt_burn_DEPENDENCIES) $(EXTRA_crypt_burn_DEPENDENCIES) 
 	@rm -f crypt_burn$(EXEEXT)
 	$(LINK) $(crypt_burn_OBJECTS) $(crypt_burn_LDADD) $(LIBS)
-dh_speed$(EXEEXT): $(dh_speed_OBJECTS) $(dh_speed_DEPENDENCIES) 
+dh_speed$(EXEEXT): $(dh_speed_OBJECTS) $(dh_speed_DEPENDENCIES) $(EXTRA_dh_speed_DEPENDENCIES) 
 	@rm -f dh_speed$(EXEEXT)
 	$(LINK) $(dh_speed_OBJECTS) $(dh_speed_LDADD) $(LIBS)
-fetch$(EXEEXT): $(fetch_OBJECTS) $(fetch_DEPENDENCIES) 
+fetch$(EXEEXT): $(fetch_OBJECTS) $(fetch_DEPENDENCIES) $(EXTRA_fetch_DEPENDENCIES) 
 	@rm -f fetch$(EXEEXT)
 	$(LINK) $(fetch_OBJECTS) $(fetch_LDADD) $(LIBS)
-hash_burn$(EXEEXT): $(hash_burn_OBJECTS) $(hash_burn_DEPENDENCIES) 
+hash_burn$(EXEEXT): $(hash_burn_OBJECTS) $(hash_burn_DEPENDENCIES) $(EXTRA_hash_burn_DEPENDENCIES) 
 	@rm -f hash_burn$(EXEEXT)
 	$(LINK) $(hash_burn_OBJECTS) $(hash_burn_LDADD) $(LIBS)
-id2sql$(EXEEXT): $(id2sql_OBJECTS) $(id2sql_DEPENDENCIES) 
+id2sql$(EXEEXT): $(id2sql_OBJECTS) $(id2sql_DEPENDENCIES) $(EXTRA_id2sql_DEPENDENCIES) 
 	@rm -f id2sql$(EXEEXT)
 	$(LINK) $(id2sql_OBJECTS) $(id2sql_LDADD) $(LIBS)
-key2keyid$(EXEEXT): $(key2keyid_OBJECTS) $(key2keyid_DEPENDENCIES) 
+key2keyid$(EXEEXT): $(key2keyid_OBJECTS) $(key2keyid_DEPENDENCIES) $(EXTRA_key2keyid_DEPENDENCIES) 
 	@rm -f key2keyid$(EXEEXT)
 	$(LINK) $(key2keyid_OBJECTS) $(key2keyid_LDADD) $(LIBS)
-keyid2sql$(EXEEXT): $(keyid2sql_OBJECTS) $(keyid2sql_DEPENDENCIES) 
+keyid2sql$(EXEEXT): $(keyid2sql_OBJECTS) $(keyid2sql_DEPENDENCIES) $(EXTRA_keyid2sql_DEPENDENCIES) 
 	@rm -f keyid2sql$(EXEEXT)
 	$(LINK) $(keyid2sql_OBJECTS) $(keyid2sql_LDADD) $(LIBS)
-oid2der$(EXEEXT): $(oid2der_OBJECTS) $(oid2der_DEPENDENCIES) 
+oid2der$(EXEEXT): $(oid2der_OBJECTS) $(oid2der_DEPENDENCIES) $(EXTRA_oid2der_DEPENDENCIES) 
 	@rm -f oid2der$(EXEEXT)
 	$(LINK) $(oid2der_OBJECTS) $(oid2der_LDADD) $(LIBS)
-pubkey_speed$(EXEEXT): $(pubkey_speed_OBJECTS) $(pubkey_speed_DEPENDENCIES) 
+pubkey_speed$(EXEEXT): $(pubkey_speed_OBJECTS) $(pubkey_speed_DEPENDENCIES) $(EXTRA_pubkey_speed_DEPENDENCIES) 
 	@rm -f pubkey_speed$(EXEEXT)
 	$(LINK) $(pubkey_speed_OBJECTS) $(pubkey_speed_LDADD) $(LIBS)
-thread_analysis$(EXEEXT): $(thread_analysis_OBJECTS) $(thread_analysis_DEPENDENCIES) 
+thread_analysis$(EXEEXT): $(thread_analysis_OBJECTS) $(thread_analysis_DEPENDENCIES) $(EXTRA_thread_analysis_DEPENDENCIES) 
 	@rm -f thread_analysis$(EXEEXT)
 	$(LINK) $(thread_analysis_OBJECTS) $(thread_analysis_LDADD) $(LIBS)
-tls_test$(EXEEXT): $(tls_test_OBJECTS) $(tls_test_DEPENDENCIES) 
+tls_test$(EXEEXT): $(tls_test_OBJECTS) $(tls_test_DEPENDENCIES) $(EXTRA_tls_test_DEPENDENCIES) 
 	@rm -f tls_test$(EXEEXT)
 	$(LINK) $(tls_test_OBJECTS) $(tls_test_LDADD) $(LIBS)
 
@@ -578,10 +581,15 @@ install-am: all-am
 
 installcheck: installcheck-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
diff --git a/scripts/dh_speed.c b/scripts/dh_speed.c
index 629a8eabb..588807597 100644
--- a/scripts/dh_speed.c
+++ b/scripts/dh_speed.c
@@ -16,7 +16,7 @@
 #include <stdio.h>
 #include <time.h>
 #include <library.h>
-#include <debug.h>
+#include <utils/debug.h>
 #include <crypto/diffie_hellman.h>
 
 static void usage()
diff --git a/scripts/fetch.c b/scripts/fetch.c
index ad50d0cd6..23f857246 100644
--- a/scripts/fetch.c
+++ b/scripts/fetch.c
@@ -17,7 +17,7 @@
 #include <unistd.h>
 
 #include <library.h>
-#include <debug.h>
+#include <utils/debug.h>
 
 static int count = 0;
 
diff --git a/scripts/key2keyid.c b/scripts/key2keyid.c
index 5b63381b8..aba96a8c1 100644
--- a/scripts/key2keyid.c
+++ b/scripts/key2keyid.c
@@ -15,7 +15,7 @@
 
 #include <stdio.h>
 #include <library.h>
-#include <debug.h>
+#include <utils/debug.h>
 #include <credentials/keys/private_key.h>
 #include <credentials/keys/public_key.h>
 
diff --git a/scripts/keyid2sql.c b/scripts/keyid2sql.c
index 7cad4c45e..26427ab3d 100644
--- a/scripts/keyid2sql.c
+++ b/scripts/keyid2sql.c
@@ -15,7 +15,7 @@
 
 #include <stdio.h>
 #include <library.h>
-#include <debug.h>
+#include <utils/debug.h>
 #include <credentials/keys/private_key.h>
 #include <credentials/keys/public_key.h>
 
diff --git a/scripts/pubkey_speed.c b/scripts/pubkey_speed.c
index 6402e606d..32c6e8f49 100644
--- a/scripts/pubkey_speed.c
+++ b/scripts/pubkey_speed.c
@@ -2,7 +2,7 @@
 #include <stdio.h>
 #include <time.h>
 #include <library.h>
-#include <debug.h>
+#include <utils/debug.h>
 #include <credentials/keys/private_key.h>
 
 void start_timing(struct timespec *start)
diff --git a/scripts/tls_test.c b/scripts/tls_test.c
index 560c4a4ba..d0d259e60 100644
--- a/scripts/tls_test.c
+++ b/scripts/tls_test.c
@@ -22,9 +22,9 @@
 #include <string.h>
 
 #include <library.h>
-#include <debug.h>
+#include <utils/debug.h>
 #include <tls_socket.h>
-#include <utils/host.h>
+#include <networking/host.h>
 #include <credentials/sets/mem_cred.h>
 
 /**
diff --git a/src/Makefile.in b/src/Makefile.in
index 939473424..ada684eae 100644
--- a/src/Makefile.in
+++ b/src/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -141,6 +141,7 @@ CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -168,6 +169,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -195,6 +197,7 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
@@ -207,6 +210,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -260,7 +264,6 @@ libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -564,10 +567,15 @@ install-am: all-am
 
 installcheck: installcheck-recursive
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
diff --git a/src/_copyright/Makefile.in b/src/_copyright/Makefile.in
index c4477f303..83b25bebf 100644
--- a/src/_copyright/Makefile.in
+++ b/src/_copyright/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -96,6 +96,7 @@ CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -123,6 +124,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -150,6 +152,7 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
@@ -162,6 +165,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -215,7 +219,6 @@ libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -344,7 +347,7 @@ clean-ipsecPROGRAMS:
 	list=`for p in $$list; do echo "$$p"; done | sed 's/$(EXEEXT)$$//'`; \
 	echo " rm -f" $$list; \
 	rm -f $$list
-_copyright$(EXEEXT): $(_copyright_OBJECTS) $(_copyright_DEPENDENCIES) 
+_copyright$(EXEEXT): $(_copyright_OBJECTS) $(_copyright_DEPENDENCIES) $(EXTRA__copyright_DEPENDENCIES) 
 	@rm -f _copyright$(EXEEXT)
 	$(LINK) $(_copyright_OBJECTS) $(_copyright_LDADD) $(LIBS)
 
@@ -482,10 +485,15 @@ install-am: all-am
 
 installcheck: installcheck-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
diff --git a/src/_updown/Makefile.in b/src/_updown/Makefile.in
index 672285ad0..d67bdb844 100644
--- a/src/_updown/Makefile.in
+++ b/src/_updown/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -74,6 +74,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
 am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
 am__installdirs = "$(DESTDIR)$(ipsecdir)" "$(DESTDIR)$(man8dir)"
 SCRIPTS = $(ipsec_SCRIPTS)
 SOURCES =
@@ -101,6 +107,7 @@ CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -128,6 +135,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -155,6 +163,7 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
@@ -167,6 +176,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -220,7 +230,6 @@ libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -335,9 +344,7 @@ uninstall-ipsecSCRIPTS:
 	@list='$(ipsec_SCRIPTS)'; test -n "$(ipsecdir)" || exit 0; \
 	files=`for p in $$list; do echo "$$p"; done | \
 	       sed -e 's,.*/,,;$(transform)'`; \
-	test -n "$$list" || exit 0; \
-	echo " ( cd '$(DESTDIR)$(ipsecdir)' && rm -f" $$files ")"; \
-	cd "$(DESTDIR)$(ipsecdir)" && rm -f $$files
+	dir='$(DESTDIR)$(ipsecdir)'; $(am__uninstall_files_from_dir)
 
 mostlyclean-libtool:
 	-rm -f *.lo
@@ -375,9 +382,7 @@ uninstall-man8:
 	files=`{ for i in $$list; do echo "$$i"; done; \
 	} | sed -e 's,.*/,,;h;s,.*\.,,;s,^[^8][0-9a-z]*$$,8,;x' \
 	      -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,'`; \
-	test -z "$$files" || { \
-	  echo " ( cd '$(DESTDIR)$(man8dir)' && rm -f" $$files ")"; \
-	  cd "$(DESTDIR)$(man8dir)" && rm -f $$files; }
+	dir='$(DESTDIR)$(man8dir)'; $(am__uninstall_files_from_dir)
 tags: TAGS
 TAGS:
 
@@ -445,10 +450,15 @@ install-am: all-am
 
 installcheck: installcheck-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
diff --git a/src/_updown_espmark/Makefile.in b/src/_updown_espmark/Makefile.in
index b62ceba2b..88683f38b 100644
--- a/src/_updown_espmark/Makefile.in
+++ b/src/_updown_espmark/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -74,6 +74,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
 am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
 am__installdirs = "$(DESTDIR)$(ipsecdir)" "$(DESTDIR)$(man8dir)"
 SCRIPTS = $(dist_ipsec_SCRIPTS)
 SOURCES =
@@ -101,6 +107,7 @@ CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -128,6 +135,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -155,6 +163,7 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
@@ -167,6 +176,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -220,7 +230,6 @@ libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -333,9 +342,7 @@ uninstall-dist_ipsecSCRIPTS:
 	@list='$(dist_ipsec_SCRIPTS)'; test -n "$(ipsecdir)" || exit 0; \
 	files=`for p in $$list; do echo "$$p"; done | \
 	       sed -e 's,.*/,,;$(transform)'`; \
-	test -n "$$list" || exit 0; \
-	echo " ( cd '$(DESTDIR)$(ipsecdir)' && rm -f" $$files ")"; \
-	cd "$(DESTDIR)$(ipsecdir)" && rm -f $$files
+	dir='$(DESTDIR)$(ipsecdir)'; $(am__uninstall_files_from_dir)
 
 mostlyclean-libtool:
 	-rm -f *.lo
@@ -373,9 +380,7 @@ uninstall-man8:
 	files=`{ for i in $$list; do echo "$$i"; done; \
 	} | sed -e 's,.*/,,;h;s,.*\.,,;s,^[^8][0-9a-z]*$$,8,;x' \
 	      -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,'`; \
-	test -z "$$files" || { \
-	  echo " ( cd '$(DESTDIR)$(man8dir)' && rm -f" $$files ")"; \
-	  cd "$(DESTDIR)$(man8dir)" && rm -f $$files; }
+	dir='$(DESTDIR)$(man8dir)'; $(am__uninstall_files_from_dir)
 tags: TAGS
 TAGS:
 
@@ -443,10 +448,15 @@ install-am: all-am
 
 installcheck: installcheck-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
diff --git a/src/charon-nm/Makefile.in b/src/charon-nm/Makefile.in
index be72892e9..8416455ae 100644
--- a/src/charon-nm/Makefile.in
+++ b/src/charon-nm/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -102,6 +102,7 @@ CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -129,6 +130,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -156,6 +158,7 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
@@ -168,6 +171,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -221,7 +225,6 @@ libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -370,7 +373,7 @@ clean-ipsecPROGRAMS:
 	list=`for p in $$list; do echo "$$p"; done | sed 's/$(EXEEXT)$$//'`; \
 	echo " rm -f" $$list; \
 	rm -f $$list
-charon-nm$(EXEEXT): $(charon_nm_OBJECTS) $(charon_nm_DEPENDENCIES) 
+charon-nm$(EXEEXT): $(charon_nm_OBJECTS) $(charon_nm_DEPENDENCIES) $(EXTRA_charon_nm_DEPENDENCIES) 
 	@rm -f charon-nm$(EXEEXT)
 	$(LINK) $(charon_nm_OBJECTS) $(charon_nm_LDADD) $(LIBS)
 
@@ -568,10 +571,15 @@ install-am: all-am
 
 installcheck: installcheck-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
diff --git a/src/charon-nm/charon-nm.c b/src/charon-nm/charon-nm.c
index 35e906778..61f2937ce 100644
--- a/src/charon-nm/charon-nm.c
+++ b/src/charon-nm/charon-nm.c
@@ -116,28 +116,6 @@ static void segv_handler(int signal)
 	abort();
 }
 
-/**
- * Initialize logging to syslog
- */
-static void initialize_logger()
-{
-	sys_logger_t *sys_logger;
-	debug_t group;
-	level_t def;
-
-	sys_logger = sys_logger_create(LOG_DAEMON, FALSE);
-	def = lib->settings->get_int(lib->settings,
-								 "charon-nm.syslog.default", 1);
-	for (group = 0; group < DBG_MAX; group++)
-	{
-		sys_logger->set_level(sys_logger, group,
-			lib->settings->get_int(lib->settings, "charon-nm.syslog.%N", def,
-								   debug_lower_names, group));
-	}
-	charon->sys_loggers->insert_last(charon->sys_loggers, sys_logger);
-	charon->bus->add_logger(charon->bus, &sys_logger->logger);
-}
-
 /**
  * Lookup UID and GID
  */
@@ -204,7 +182,11 @@ int main(int argc, char *argv[])
 		goto deinit;
 	}
 
-	initialize_logger();
+	/* make sure we log to the DAEMON facility by default */
+	lib->settings->set_int(lib->settings, "charon-nm.syslog.daemon.default",
+		lib->settings->get_int(lib->settings,
+							   "charon-nm.syslog.daemon.default", 1));
+	charon->load_loggers(charon, NULL, FALSE);
 
 	/* use random ports to avoid conflicts with regular charon */
 	lib->settings->set_int(lib->settings, "charon-nm.port", 0);
diff --git a/src/charon-nm/nm/nm_backend.c b/src/charon-nm/nm/nm_backend.c
index f36cf1f68..5bb2ed930 100644
--- a/src/charon-nm/nm/nm_backend.c
+++ b/src/charon-nm/nm/nm_backend.c
@@ -117,10 +117,13 @@ static bool nm_backend_init()
 	nm_backend_t *this;
 
 	g_type_init ();
+
+#if !GLIB_CHECK_VERSION(2,23,0)
 	if (!g_thread_supported())
 	{
 		g_thread_init(NULL);
 	}
+#endif
 
 	INIT(this,
 		.creds = nm_creds_create(),
diff --git a/src/charon-nm/nm/nm_service.c b/src/charon-nm/nm/nm_service.c
index b7155b44b..eb187496d 100644
--- a/src/charon-nm/nm/nm_service.c
+++ b/src/charon-nm/nm/nm_service.c
@@ -18,7 +18,7 @@
 #include "nm_service.h"
 
 #include <daemon.h>
-#include <utils/host.h>
+#include <networking/host.h>
 #include <utils/identification.h>
 #include <config/peer_cfg.h>
 #include <credentials/certificates/x509.h>
@@ -498,11 +498,12 @@ static gboolean connect_(NMVPNPlugin *plugin, NMConnection *connection,
 	/**
 	 * Set up configurations
 	 */
-	ike_cfg = ike_cfg_create(TRUE, encap, "0.0.0.0", FALSE,
+	ike_cfg = ike_cfg_create(IKEV2, TRUE, encap, "0.0.0.0", FALSE,
 							 charon->socket->get_port(charon->socket, FALSE),
-							(char*)address, FALSE, IKEV2_UDP_PORT);
+							(char*)address, FALSE, IKEV2_UDP_PORT,
+							 FRAGMENTATION_NO);
 	ike_cfg->add_proposal(ike_cfg, proposal_create_default(PROTO_IKE));
-	peer_cfg = peer_cfg_create(priv->name, IKEV2, ike_cfg,
+	peer_cfg = peer_cfg_create(priv->name, ike_cfg,
 					CERT_SEND_IF_ASKED, UNIQUE_REPLACE, 1, /* keyingtries */
 					36000, 0, /* rekey 10h, reauth none */
 					600, 600, /* jitter, over 10min */
diff --git a/src/charon/Makefile.in b/src/charon/Makefile.in
index d8109bb7f..4776b783a 100644
--- a/src/charon/Makefile.in
+++ b/src/charon/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -100,6 +100,7 @@ CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -127,6 +128,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -154,6 +156,7 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
@@ -166,6 +169,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -219,7 +223,6 @@ libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -363,7 +366,7 @@ clean-ipsecPROGRAMS:
 	list=`for p in $$list; do echo "$$p"; done | sed 's/$(EXEEXT)$$//'`; \
 	echo " rm -f" $$list; \
 	rm -f $$list
-charon$(EXEEXT): $(charon_OBJECTS) $(charon_DEPENDENCIES) 
+charon$(EXEEXT): $(charon_OBJECTS) $(charon_DEPENDENCIES) $(EXTRA_charon_DEPENDENCIES) 
 	@rm -f charon$(EXEEXT)
 	$(LINK) $(charon_OBJECTS) $(charon_LDADD) $(LIBS)
 
@@ -501,10 +504,15 @@ install-am: all-am
 
 installcheck: installcheck-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
diff --git a/src/charon/charon.c b/src/charon/charon.c
index bd36c72f4..f4bd27d34 100644
--- a/src/charon/charon.c
+++ b/src/charon/charon.c
@@ -24,8 +24,6 @@
 #include <sys/stat.h>
 #include <sys/types.h>
 #include <sys/utsname.h>
-#include <syslog.h>
-#include <errno.h>
 #include <unistd.h>
 #include <getopt.h>
 
@@ -40,10 +38,6 @@
 #include <private/android_filesystem_config.h> /* for AID_VPN */
 #endif
 
-#ifndef LOG_AUTHPRIV /* not defined on OpenSolaris */
-#define LOG_AUTHPRIV LOG_AUTH
-#endif
-
 /**
  * PID file, in which charon stores its process id
  */
@@ -54,6 +48,16 @@
  */
 static FILE *pidfile = NULL;
 
+/**
+ * Log levels as defined via command line arguments
+ */
+static level_t levels[DBG_MAX];
+
+/**
+ * Whether to only use syslog when logging
+ */
+static bool use_syslog = FALSE;
+
 /**
  * hook in library for debugging messages
  */
@@ -109,6 +113,7 @@ static void run()
 					 "configuration");
 				if (lib->settings->load_files(lib->settings, NULL, FALSE))
 				{
+					charon->load_loggers(charon, levels, !use_syslog);
 					lib->plugins->reload(lib->plugins, NULL);
 				}
 				else
@@ -238,141 +243,6 @@ static void unlink_pidfile()
 	unlink(PID_FILE);
 }
 
-/**
- * Initialize logging
- */
-static void initialize_loggers(bool use_stderr, level_t levels[])
-{
-	sys_logger_t *sys_logger;
-	file_logger_t *file_logger;
-	enumerator_t *enumerator;
-	char *identifier, *facility, *filename;
-	int loggers_defined = 0;
-	debug_t group;
-	level_t  def;
-	bool append, ike_name;
-	FILE *file;
-
-	/* setup sysloggers */
-	identifier = lib->settings->get_str(lib->settings,
-										"charon.syslog.identifier", NULL);
-	if (identifier)
-	{	/* set identifier, which is prepended to each log line */
-		openlog(identifier, 0, 0);
-	}
-	enumerator = lib->settings->create_section_enumerator(lib->settings,
-														  "charon.syslog");
-	while (enumerator->enumerate(enumerator, &facility))
-	{
-		loggers_defined++;
-
-		ike_name = lib->settings->get_bool(lib->settings,
-								"charon.syslog.%s.ike_name", FALSE, facility);
-		if (streq(facility, "daemon"))
-		{
-			sys_logger = sys_logger_create(LOG_DAEMON, ike_name);
-		}
-		else if (streq(facility, "auth"))
-		{
-			sys_logger = sys_logger_create(LOG_AUTHPRIV, ike_name);
-		}
-		else
-		{
-			continue;
-		}
-		def = lib->settings->get_int(lib->settings,
-									 "charon.syslog.%s.default", 1, facility);
-		for (group = 0; group < DBG_MAX; group++)
-		{
-			sys_logger->set_level(sys_logger, group,
-				lib->settings->get_int(lib->settings,
-									   "charon.syslog.%s.%N", def,
-									   facility, debug_lower_names, group));
-		}
-		charon->sys_loggers->insert_last(charon->sys_loggers, sys_logger);
-		charon->bus->add_logger(charon->bus, &sys_logger->logger);
-	}
-	enumerator->destroy(enumerator);
-
-	/* and file loggers */
-	enumerator = lib->settings->create_section_enumerator(lib->settings,
-														  "charon.filelog");
-	while (enumerator->enumerate(enumerator, &filename))
-	{
-		loggers_defined++;
-		if (streq(filename, "stderr"))
-		{
-			file = stderr;
-		}
-		else if (streq(filename, "stdout"))
-		{
-			file = stdout;
-		}
-		else
-		{
-			append = lib->settings->get_bool(lib->settings,
-									"charon.filelog.%s.append", TRUE, filename);
-			file = fopen(filename, append ? "a" : "w");
-			if (file == NULL)
-			{
-				DBG1(DBG_DMN, "opening file %s for logging failed: %s",
-					 filename, strerror(errno));
-				continue;
-			}
-			if (lib->settings->get_bool(lib->settings,
-							"charon.filelog.%s.flush_line", FALSE, filename))
-			{
-				setlinebuf(file);
-			}
-		}
-		file_logger = file_logger_create(file,
-						lib->settings->get_str(lib->settings,
-							"charon.filelog.%s.time_format", NULL, filename),
-						lib->settings->get_bool(lib->settings,
-							"charon.filelog.%s.ike_name", FALSE, filename));
-		def = lib->settings->get_int(lib->settings,
-									 "charon.filelog.%s.default", 1, filename);
-		for (group = 0; group < DBG_MAX; group++)
-		{
-			file_logger->set_level(file_logger, group,
-				lib->settings->get_int(lib->settings,
-									   "charon.filelog.%s.%N", def,
-									   filename, debug_lower_names, group));
-		}
-		charon->file_loggers->insert_last(charon->file_loggers, file_logger);
-		charon->bus->add_logger(charon->bus, &file_logger->logger);
-
-	}
-	enumerator->destroy(enumerator);
-
-	/* set up legacy style default loggers provided via command-line */
-	if (!loggers_defined)
-	{
-		/* set up default stdout file_logger */
-		file_logger = file_logger_create(stdout, NULL, FALSE);
-		charon->file_loggers->insert_last(charon->file_loggers, file_logger);
-		/* set up default daemon sys_logger */
-		sys_logger = sys_logger_create(LOG_DAEMON, FALSE);
-		charon->sys_loggers->insert_last(charon->sys_loggers, sys_logger);
-		for (group = 0; group < DBG_MAX; group++)
-		{
-			sys_logger->set_level(sys_logger, group, levels[group]);
-			if (use_stderr)
-			{
-				file_logger->set_level(file_logger, group, levels[group]);
-			}
-		}
-		charon->bus->add_logger(charon->bus, &file_logger->logger);
-		charon->bus->add_logger(charon->bus, &sys_logger->logger);
-
-		/* set up default auth sys_logger */
-		sys_logger = sys_logger_create(LOG_AUTHPRIV, FALSE);
-		sys_logger->set_level(sys_logger, DBG_ANY, LEVEL_AUDIT);
-		charon->sys_loggers->insert_last(charon->sys_loggers, sys_logger);
-		charon->bus->add_logger(charon->bus, &sys_logger->logger);
-	}
-}
-
 /**
  * print command line usage and exit
  */
@@ -400,8 +270,6 @@ static void usage(const char *msg)
 int main(int argc, char *argv[])
 {
 	struct sigaction action;
-	bool use_syslog = FALSE;
-	level_t levels[DBG_MAX];
 	int group, status = SS_RC_INITIALIZATION_FAILED;
 	struct utsname utsname;
 
@@ -505,7 +373,7 @@ int main(int argc, char *argv[])
 		goto deinit;
 	}
 
-	initialize_loggers(!use_syslog, levels);
+	charon->load_loggers(charon, levels, !use_syslog);
 
 	if (uname(&utsname) != 0)
 	{
@@ -533,7 +401,6 @@ int main(int argc, char *argv[])
 	if (check_pidfile())
 	{
 		DBG1(DBG_DMN, "charon already running (\""PID_FILE"\" exists)");
-		status = -1;
 		goto deinit;
 	}
 
diff --git a/src/checksum/Makefile.in b/src/checksum/Makefile.in
index ecbc3ae39..8a816d626 100644
--- a/src/checksum/Makefile.in
+++ b/src/checksum/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -103,6 +103,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
 am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
 am__installdirs = "$(DESTDIR)$(ipseclibdir)"
 LTLIBRARIES = $(ipseclib_LTLIBRARIES)
 libchecksum_la_LIBADD =
@@ -157,6 +163,7 @@ CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -184,6 +191,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -211,6 +219,7 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
@@ -223,6 +232,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -276,7 +286,6 @@ libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -423,7 +432,7 @@ clean-ipseclibLTLIBRARIES:
 	  echo "rm -f \"$${dir}/so_locations\""; \
 	  rm -f "$${dir}/so_locations"; \
 	done
-libchecksum.la: $(libchecksum_la_OBJECTS) $(libchecksum_la_DEPENDENCIES) 
+libchecksum.la: $(libchecksum_la_OBJECTS) $(libchecksum_la_DEPENDENCIES) $(EXTRA_libchecksum_la_DEPENDENCIES) 
 	$(libchecksum_la_LINK)  $(libchecksum_la_OBJECTS) $(libchecksum_la_LIBADD) $(LIBS)
 
 clean-noinstPROGRAMS:
@@ -434,7 +443,7 @@ clean-noinstPROGRAMS:
 	list=`for p in $$list; do echo "$$p"; done | sed 's/$(EXEEXT)$$//'`; \
 	echo " rm -f" $$list; \
 	rm -f $$list
-checksum_builder$(EXEEXT): $(checksum_builder_OBJECTS) $(checksum_builder_DEPENDENCIES) 
+checksum_builder$(EXEEXT): $(checksum_builder_OBJECTS) $(checksum_builder_DEPENDENCIES) $(EXTRA_checksum_builder_DEPENDENCIES) 
 	@rm -f checksum_builder$(EXEEXT)
 	$(LINK) $(checksum_builder_OBJECTS) $(checksum_builder_LDADD) $(LIBS)
 
@@ -573,10 +582,15 @@ install-am: all-am
 
 installcheck: installcheck-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
diff --git a/src/checksum/checksum_builder.c b/src/checksum/checksum_builder.c
index b083d54db..0d9e8fd85 100644
--- a/src/checksum/checksum_builder.c
+++ b/src/checksum/checksum_builder.c
@@ -21,7 +21,7 @@
 #include <library.h>
 #include <hydra.h>
 #include <daemon.h>
-#include <utils/enumerator.h>
+#include <collections/enumerator.h>
 
 /* we need to fake the pluto symbol to dlopen() the xauth plugin */
 void *pluto;
diff --git a/src/conftest/Makefile.in b/src/conftest/Makefile.in
index ea26b70e7..960705ce1 100644
--- a/src/conftest/Makefile.in
+++ b/src/conftest/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -111,6 +111,7 @@ CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -138,6 +139,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -165,6 +167,7 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
@@ -177,6 +180,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -230,7 +234,6 @@ libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -379,7 +382,7 @@ clean-ipsecPROGRAMS:
 	list=`for p in $$list; do echo "$$p"; done | sed 's/$(EXEEXT)$$//'`; \
 	echo " rm -f" $$list; \
 	rm -f $$list
-conftest$(EXEEXT): $(conftest_OBJECTS) $(conftest_DEPENDENCIES) 
+conftest$(EXEEXT): $(conftest_OBJECTS) $(conftest_DEPENDENCIES) $(EXTRA_conftest_DEPENDENCIES) 
 	@rm -f conftest$(EXEEXT)
 	$(LINK) $(conftest_OBJECTS) $(conftest_LDADD) $(LIBS)
 
@@ -864,10 +867,15 @@ install-am: all-am
 
 installcheck: installcheck-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
diff --git a/src/conftest/README b/src/conftest/README
index e2156921f..617195df9 100644
--- a/src/conftest/README
+++ b/src/conftest/README
@@ -98,9 +98,10 @@ The IKE_SA configuration uses the following options (as key/value pairs):
                   src/libstrongswan/crypt/proposal/proposal_keywords.txt
   fake_nat:       Fake the NAT_DETECTION_*_IP payloads to simulate a NAT
                   scenario
-  rsa_strength:   connection requires a trustchain with RSA keys of given bits
-  ecdsa_strength: connection requires a trustchain with ECDSA keys of given bits
-  cert_policy:    connection requries a certificate with the given OID policy
+  rsa_strength:   Connection requires a trustchain with RSA keys of given bits
+  ecdsa_strength: Connection requires a trustchain with ECDSA keys of given bits
+  cert_policy:    Connection requries a certificate with the given OID policy
+  named_pool:     Name of an IP pool defined e.g. in a database backend
 
 The following CHILD_SA specific configuration options are supported:
 
@@ -109,6 +110,7 @@ The following CHILD_SA specific configuration options are supported:
   transport:   Propose IPsec transport mode instead of tunnel mode
   tfc_padding: Inject Traffic Flow Confidentialty bytes to align packets to the
                given length
+  proposal:    CHILD_SA proposal list, same syntax as IKE_SA proposal list
 
 6. Credentials
 --------------
@@ -238,6 +240,7 @@ Currently, the following hooks are defined with the following options:
   rebuild_auth:       rebuild AUTH payload, i.e. if ID payload changed
   reset_seq:          Reset sequence numbers of an ESP SA
     delay:            Seconds to delay reset after SA established
+    oseq:             Sequence number to set, default is 0
   set_critical:       Set critical bit on existing payloads:
     request:          yes to set in request, no in response
     id:               IKEv2 message identifier of message to mangle payloads
diff --git a/src/conftest/config.c b/src/conftest/config.c
index cbc6ac05f..ae0d93460 100644
--- a/src/conftest/config.c
+++ b/src/conftest/config.c
@@ -101,12 +101,13 @@ static ike_cfg_t *load_ike_config(private_config_t *this,
 	proposal_t *proposal;
 	char *token;
 
-	ike_cfg = ike_cfg_create(TRUE,
+	ike_cfg = ike_cfg_create(IKEV2, TRUE,
 		settings->get_bool(settings, "configs.%s.fake_nat", FALSE, config),
 		settings->get_str(settings, "configs.%s.lhost", "%any", config), FALSE,
 		settings->get_int(settings, "configs.%s.lport", 500, config),
 		settings->get_str(settings, "configs.%s.rhost", "%any", config), FALSE,
-		settings->get_int(settings, "configs.%s.rport", 500, config));
+		settings->get_int(settings, "configs.%s.rport", 500, config),
+		FRAGMENTATION_NO);
 	token = settings->get_str(settings, "configs.%s.proposal", NULL, config);
 	if (token)
 	{
@@ -143,9 +144,7 @@ static child_cfg_t *load_child_config(private_config_t *this,
 	proposal_t *proposal;
 	traffic_selector_t *ts;
 	ipsec_mode_t mode = MODE_TUNNEL;
-	host_t *net;
 	char *token;
-	int bits;
 	u_int32_t tfc;
 
 	if (settings->get_bool(settings, "configs.%s.%s.transport",
@@ -183,16 +182,15 @@ static child_cfg_t *load_child_config(private_config_t *this,
 		child_cfg->add_proposal(child_cfg, proposal_create_default(PROTO_ESP));
 	}
 
-	token = settings->get_str(settings, "configs.%s.%s.lts", NULL, config);
+	token = settings->get_str(settings, "configs.%s.%s.lts", NULL, config, child);
 	if (token)
 	{
 		enumerator = enumerator_create_token(token, ",", " ");
 		while (enumerator->enumerate(enumerator, &token))
 		{
-			net = host_create_from_subnet(token, &bits);
-			if (net)
+			ts = traffic_selector_create_from_cidr(token, 0, 0);
+			if (ts)
 			{
-				ts = traffic_selector_create_from_subnet(net, bits, 0, 0);
 				child_cfg->add_traffic_selector(child_cfg, TRUE, ts);
 			}
 			else
@@ -208,16 +206,15 @@ static child_cfg_t *load_child_config(private_config_t *this,
 		child_cfg->add_traffic_selector(child_cfg, TRUE, ts);
 	}
 
-	token = settings->get_str(settings, "configs.%s.%s.rts", NULL, config);
+	token = settings->get_str(settings, "configs.%s.%s.rts", NULL, config, child);
 	if (token)
 	{
 		enumerator = enumerator_create_token(token, ",", " ");
 		while (enumerator->enumerate(enumerator, &token))
 		{
-			net = host_create_from_subnet(token, &bits);
-			if (net)
+			ts = traffic_selector_create_from_cidr(token, 0, 0);
+			if (ts)
 			{
-				ts = traffic_selector_create_from_subnet(net, bits, 0, 0);
 				child_cfg->add_traffic_selector(child_cfg, FALSE, ts);
 			}
 			else
@@ -247,11 +244,11 @@ static peer_cfg_t *load_peer_config(private_config_t *this,
 	child_cfg_t *child_cfg;
 	enumerator_t *enumerator;
 	identification_t *lid, *rid;
-	char *child, *policy;
+	char *child, *policy, *pool;
 	uintptr_t strength;
 
 	ike_cfg = load_ike_config(this, settings, config);
-	peer_cfg = peer_cfg_create(config, IKEV2, ike_cfg, CERT_ALWAYS_SEND,
+	peer_cfg = peer_cfg_create(config, ike_cfg, CERT_ALWAYS_SEND,
 							   UNIQUE_NO, 1, 0, 0, 0, 0, FALSE, FALSE, 0, 0,
 							   FALSE, NULL, NULL);
 
@@ -266,12 +263,12 @@ static peer_cfg_t *load_peer_config(private_config_t *this,
 	auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PUBKEY);
 	rid = identification_create_from_string(
 				settings->get_str(settings, "configs.%s.rid", "%any", config));
-	strength = settings->get_int(settings, "configs.%s.rsa_strength", 0);
+	strength = settings->get_int(settings, "configs.%s.rsa_strength", 0, config);
 	if (strength)
 	{
 		auth->add(auth, AUTH_RULE_RSA_STRENGTH, strength);
 	}
-	strength = settings->get_int(settings, "configs.%s.ecdsa_strength", 0);
+	strength = settings->get_int(settings, "configs.%s.ecdsa_strength", 0, config);
 	if (strength)
 	{
 		auth->add(auth, AUTH_RULE_ECDSA_STRENGTH, strength);
@@ -283,6 +280,11 @@ static peer_cfg_t *load_peer_config(private_config_t *this,
 	}
 	auth->add(auth, AUTH_RULE_IDENTITY, rid);
 	peer_cfg->add_auth_cfg(peer_cfg, auth, FALSE);
+	pool = settings->get_str(settings, "configs.%s.named_pool", NULL, config);
+	if (pool)
+	{
+		peer_cfg->add_pool(peer_cfg, pool);
+	}
 
 	DBG1(DBG_CFG, "loaded config %s: %Y - %Y", config, lid, rid);
 
diff --git a/src/conftest/conftest.c b/src/conftest/conftest.c
index 6491fd294..c2251effa 100644
--- a/src/conftest/conftest.c
+++ b/src/conftest/conftest.c
@@ -26,6 +26,7 @@
 #include "config.h"
 #include "hooks/hook.h"
 
+#include <bus/listeners/file_logger.h>
 #include <threading/thread.h>
 #include <credentials/certificates/x509.h>
 
@@ -322,6 +323,7 @@ static bool load_hooks()
  */
 static void cleanup()
 {
+	file_logger_t *logger;
 	hook_t *hook;
 
 	DESTROY_IF(conftest->test);
@@ -344,6 +346,13 @@ static void cleanup()
 		}
 		conftest->config->destroy(conftest->config);
 	}
+	while (conftest->loggers->remove_last(conftest->loggers,
+										  (void**)&logger) == SUCCESS)
+	{
+		charon->bus->remove_logger(charon->bus, &logger->logger);
+		logger->destroy(logger);
+	}
+	conftest->loggers->destroy(conftest->loggers);
 	free(conftest->suite_dir);
 	free(conftest);
 	libcharon_deinit();
@@ -368,6 +377,22 @@ static void load_log_levels(file_logger_t *logger, char *section)
 	}
 }
 
+/**
+ * Load logger options for a logger from section
+ */
+static void load_logger_options(file_logger_t *logger, char *section)
+{
+	bool ike_name;
+	char *time_format;
+
+	time_format = conftest->test->get_str(conftest->test,
+					"log.%s.time_format", NULL, section);
+	ike_name = conftest->test->get_bool(conftest->test,
+					"log.%s.ike_name", FALSE, section);
+
+	logger->set_options(logger, time_format, ike_name);
+}
+
 /**
  * Load logger configuration
  */
@@ -375,26 +400,24 @@ static void load_loggers(file_logger_t *logger)
 {
 	enumerator_t *enumerator;
 	char *section;
-	FILE *file;
 
 	load_log_levels(logger, "stdout");
+	load_logger_options(logger, "stdout");
+	/* Re-add the logger to propagate configuration changes to the
+	 * logging system */
+	charon->bus->add_logger(charon->bus, &logger->logger);
 
 	enumerator = conftest->test->create_section_enumerator(conftest->test, "log");
 	while (enumerator->enumerate(enumerator, &section))
 	{
 		if (!streq(section, "stdout"))
 		{
-			file = fopen(section, "w");
-			if (file == NULL)
-			{
-				fprintf(stderr, "opening file %s for logging failed: %s",
-						section, strerror(errno));
-				continue;
-			}
-			logger = file_logger_create(file, NULL, FALSE);
+			logger = file_logger_create(section);
+			load_logger_options(logger, section);
+			logger->open(logger, FALSE, FALSE);
 			load_log_levels(logger, section);
 			charon->bus->add_logger(charon->bus, &logger->logger);
-			charon->file_loggers->insert_last(charon->file_loggers, logger);
+			conftest->loggers->insert_last(conftest->loggers, logger);
 		}
 	}
 	enumerator->destroy(enumerator);
@@ -433,16 +456,18 @@ int main(int argc, char *argv[])
 
 	INIT(conftest,
 		.creds = mem_cred_create(),
+		.config = config_create(),
+		.hooks = linked_list_create(),
+		.loggers = linked_list_create(),
 	);
+	lib->credmgr->add_set(lib->credmgr, &conftest->creds->set);
 
-	logger = file_logger_create(stdout, NULL, FALSE);
+	logger = file_logger_create("stdout");
+	logger->set_options(logger, NULL, FALSE);
+	logger->open(logger, FALSE, FALSE);
 	logger->set_level(logger, DBG_ANY, LEVEL_CTRL);
 	charon->bus->add_logger(charon->bus, &logger->logger);
-	charon->file_loggers->insert_last(charon->file_loggers, logger);
-
-	lib->credmgr->add_set(lib->credmgr, &conftest->creds->set);
-	conftest->hooks = linked_list_create();
-	conftest->config = config_create();
+	conftest->loggers->insert_last(conftest->loggers, logger);
 
 	atexit(cleanup);
 
diff --git a/src/conftest/conftest.h b/src/conftest/conftest.h
index 2caf9b3ce..6bbdabd07 100644
--- a/src/conftest/conftest.h
+++ b/src/conftest/conftest.h
@@ -64,6 +64,11 @@ struct conftest_t {
 	 * Action handling
 	 */
 	actions_t *actions;
+
+	/**
+	 * Test specific loggers
+	 */
+	linked_list_t *loggers;
 };
 
 /**
diff --git a/src/conftest/hooks/reset_seq.c b/src/conftest/hooks/reset_seq.c
index 6fb7a2e4b..100977324 100644
--- a/src/conftest/hooks/reset_seq.c
+++ b/src/conftest/hooks/reset_seq.c
@@ -12,6 +12,27 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  */
+/*
+ * Copyright (C) 2012 achelos GmbH
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ */
 
 #include "hook.h"
 
@@ -40,21 +61,46 @@ struct private_reset_seq_t {
 	 * Delay for reset
 	 */
 	int delay;
+
+	/**
+	 * Sequence number to set for outgoing packages
+	 */
+	int oseq;
+};
+
+typedef struct reset_cb_data_t reset_cb_data_t;
+
+/**
+ * Data needed for the callback job
+ */
+struct reset_cb_data_t {
+
+	/**
+	 * The SA to modify
+	 */
+	struct xfrm_usersa_id usersa;
+
+	/**
+	 * Sequence number to set for outgoing packages
+	 */
+	int oseq;
 };
 
 /**
  * Callback job
  */
-static job_requeue_t reset_cb(struct xfrm_usersa_id *data)
+static job_requeue_t reset_cb(struct reset_cb_data_t *data)
 {
 	netlink_buf_t request;
 	struct nlmsghdr *hdr;
 	struct xfrm_aevent_id *id;
 	struct rtattr *rthdr;
+	struct xfrm_replay_state *rpstate;
 	struct sockaddr_nl addr;
 	int s, len;
 
-	DBG1(DBG_CFG, "resetting sequence number of SPI 0x%x", htonl(data->spi));
+	DBG1(DBG_CFG, "setting sequence number of SPI 0x%x to %d",
+		 htonl(data->usersa.spi), data->oseq);
 
 	memset(&request, 0, sizeof(request));
 
@@ -66,13 +112,22 @@ static job_requeue_t reset_cb(struct xfrm_usersa_id *data)
 	hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_aevent_id));
 
 	id = (struct xfrm_aevent_id*)NLMSG_DATA(hdr);
-	id->sa_id = *data;
+	id->sa_id = data->usersa;
 
 	rthdr = XFRM_RTA(hdr, struct xfrm_aevent_id);
 	rthdr->rta_type = XFRMA_REPLAY_VAL;
 	rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_replay_state));
 	hdr->nlmsg_len += rthdr->rta_len;
 
+	/* xfrm_replay_state is the structure the kernel uses for
+	 * replay detection, and the oseq element contains the
+	 * sequence number for outgoing packets. Currently, this
+	 * function sets the other elements seq (records the number of
+	 * incoming packets) and bitmask to zero, but they could be
+	 * adjusted in the same way as oseq if required. */
+	rpstate = (struct xfrm_replay_state*)RTA_DATA(rthdr);
+	rpstate->oseq = data->oseq;
+
 	s = socket(AF_NETLINK, SOCK_RAW, NETLINK_XFRM);
 	if (s == -1)
 	{
@@ -97,17 +152,21 @@ static job_requeue_t reset_cb(struct xfrm_usersa_id *data)
 static void schedule_reset_job(private_reset_seq_t *this, host_t *dst,
 							   u_int32_t spi)
 {
-	struct xfrm_usersa_id *data;
+	struct reset_cb_data_t *data;
 	chunk_t chunk;
 
 	INIT(data,
-		.spi = spi,
-		.family = dst->get_family(dst),
-		.proto = IPPROTO_ESP,
+		.usersa = {
+			.spi = spi,
+			.family = dst->get_family(dst),
+			.proto = IPPROTO_ESP,
+		},
+		.oseq = this->oseq,
 	);
 
 	chunk = dst->get_address(dst);
-	memcpy(&data->daddr, chunk.ptr, min(chunk.len, sizeof(xfrm_address_t)));
+	memcpy(&data->usersa.daddr, chunk.ptr,
+		   min(chunk.len, sizeof(xfrm_address_t)));
 
 	lib->scheduler->schedule_job(lib->scheduler,
 								 (job_t*)callback_job_create(
@@ -149,6 +208,8 @@ hook_t *reset_seq_hook_create(char *name)
 		},
 		.delay = conftest->test->get_int(conftest->test,
 										"hooks.%s.delay", 10, name),
+		.oseq = conftest->test->get_int(conftest->test,
+										"hooks.%s.oseq", 0, name),
 	);
 
 	return &this->hook;
diff --git a/src/dumm/Makefile.am b/src/dumm/Makefile.am
index 8b8cebcd8..3e4625ec8 100644
--- a/src/dumm/Makefile.am
+++ b/src/dumm/Makefile.am
@@ -11,7 +11,7 @@ irdumm_SOURCES = irdumm.c
 
 libdumm_la_LIBADD = -lbridge -lfuse -lutil $(top_builddir)/src/libstrongswan/libstrongswan.la
 dumm_LDADD = libdumm.la ${gtk_LIBS} $(top_builddir)/src/libstrongswan/libstrongswan.la
-irdumm_LDADD = libdumm.la -lruby1.8 $(top_builddir)/src/libstrongswan/libstrongswan.la
+irdumm_LDADD = libdumm.la ${RUBYLIB} $(top_builddir)/src/libstrongswan/libstrongswan.la
 
 INCLUDES = -I$(top_srcdir)/src/libstrongswan ${gtk_CFLAGS} \
   ${RUBYINCLUDE}
diff --git a/src/dumm/Makefile.in b/src/dumm/Makefile.in
index ad24ca998..a2b994ec3 100644
--- a/src/dumm/Makefile.in
+++ b/src/dumm/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -75,6 +75,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
 am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
 am__installdirs = "$(DESTDIR)$(ipseclibdir)" "$(DESTDIR)$(ipsecdir)"
 LTLIBRARIES = $(ipseclib_LTLIBRARIES)
 libdumm_la_DEPENDENCIES =  \
@@ -90,7 +96,7 @@ dumm_DEPENDENCIES = libdumm.la $(am__DEPENDENCIES_1) \
 	$(top_builddir)/src/libstrongswan/libstrongswan.la
 am_irdumm_OBJECTS = irdumm.$(OBJEXT)
 irdumm_OBJECTS = $(am_irdumm_OBJECTS)
-irdumm_DEPENDENCIES = libdumm.la \
+irdumm_DEPENDENCIES = libdumm.la $(am__DEPENDENCIES_1) \
 	$(top_builddir)/src/libstrongswan/libstrongswan.la
 DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
 depcomp = $(SHELL) $(top_srcdir)/depcomp
@@ -129,6 +135,7 @@ CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -156,6 +163,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -183,6 +191,7 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
@@ -195,6 +204,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -248,7 +258,6 @@ libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -306,7 +315,7 @@ dumm_SOURCES = main.c
 irdumm_SOURCES = irdumm.c
 libdumm_la_LIBADD = -lbridge -lfuse -lutil $(top_builddir)/src/libstrongswan/libstrongswan.la
 dumm_LDADD = libdumm.la ${gtk_LIBS} $(top_builddir)/src/libstrongswan/libstrongswan.la
-irdumm_LDADD = libdumm.la -lruby1.8 $(top_builddir)/src/libstrongswan/libstrongswan.la
+irdumm_LDADD = libdumm.la ${RUBYLIB} $(top_builddir)/src/libstrongswan/libstrongswan.la
 INCLUDES = -I$(top_srcdir)/src/libstrongswan ${gtk_CFLAGS} \
   ${RUBYINCLUDE}
 
@@ -376,7 +385,7 @@ clean-ipseclibLTLIBRARIES:
 	  echo "rm -f \"$${dir}/so_locations\""; \
 	  rm -f "$${dir}/so_locations"; \
 	done
-libdumm.la: $(libdumm_la_OBJECTS) $(libdumm_la_DEPENDENCIES) 
+libdumm.la: $(libdumm_la_OBJECTS) $(libdumm_la_DEPENDENCIES) $(EXTRA_libdumm_la_DEPENDENCIES) 
 	$(LINK) -rpath $(ipseclibdir) $(libdumm_la_OBJECTS) $(libdumm_la_LIBADD) $(LIBS)
 install-ipsecPROGRAMS: $(ipsec_PROGRAMS)
 	@$(NORMAL_INSTALL)
@@ -421,10 +430,10 @@ clean-ipsecPROGRAMS:
 	list=`for p in $$list; do echo "$$p"; done | sed 's/$(EXEEXT)$$//'`; \
 	echo " rm -f" $$list; \
 	rm -f $$list
-dumm$(EXEEXT): $(dumm_OBJECTS) $(dumm_DEPENDENCIES) 
+dumm$(EXEEXT): $(dumm_OBJECTS) $(dumm_DEPENDENCIES) $(EXTRA_dumm_DEPENDENCIES) 
 	@rm -f dumm$(EXEEXT)
 	$(LINK) $(dumm_OBJECTS) $(dumm_LDADD) $(LIBS)
-irdumm$(EXEEXT): $(irdumm_OBJECTS) $(irdumm_DEPENDENCIES) 
+irdumm$(EXEEXT): $(irdumm_OBJECTS) $(irdumm_DEPENDENCIES) $(EXTRA_irdumm_DEPENDENCIES) 
 	@rm -f irdumm$(EXEEXT)
 	$(LINK) $(irdumm_OBJECTS) $(irdumm_LDADD) $(LIBS)
 
@@ -569,10 +578,15 @@ install-am: all-am
 
 installcheck: installcheck-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
diff --git a/src/dumm/bridge.c b/src/dumm/bridge.c
index 85b6471b6..d00e49b3e 100644
--- a/src/dumm/bridge.c
+++ b/src/dumm/bridge.c
@@ -16,8 +16,8 @@
 #include <sys/types.h>
 #include <libbridge.h>
 
-#include <debug.h>
-#include <utils/linked_list.h>
+#include <utils/debug.h>
+#include <collections/linked_list.h>
 
 #include "bridge.h"
 
diff --git a/src/dumm/bridge.h b/src/dumm/bridge.h
index c557de994..9d48092df 100644
--- a/src/dumm/bridge.h
+++ b/src/dumm/bridge.h
@@ -17,7 +17,7 @@
 #define BRIDGE_H
 
 #include <library.h>
-#include <utils/enumerator.h>
+#include <collections/enumerator.h>
 
 typedef struct bridge_t bridge_t;
 
diff --git a/src/dumm/cowfs.c b/src/dumm/cowfs.c
index f708a293b..28c62c217 100644
--- a/src/dumm/cowfs.c
+++ b/src/dumm/cowfs.c
@@ -34,10 +34,10 @@
 #include "cowfs.h"
 
 #include <library.h>
-#include <debug.h>
+#include <utils/debug.h>
 #include <threading/thread.h>
 #include <threading/rwlock.h>
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
 
 /** define _XOPEN_SOURCE 500 fails when using libstrongswan, define popen */
 extern ssize_t pread(int fd, void *buf, size_t count, off_t offset);
diff --git a/src/dumm/dumm.c b/src/dumm/dumm.c
index 59751fa09..cc4f5a16b 100644
--- a/src/dumm/dumm.c
+++ b/src/dumm/dumm.c
@@ -23,8 +23,8 @@
 #include <dirent.h>
 #include <errno.h>
 
-#include <debug.h>
-#include <utils/linked_list.h>
+#include <utils/debug.h>
+#include <collections/linked_list.h>
 
 #include "dumm.h"
 
diff --git a/src/dumm/dumm.h b/src/dumm/dumm.h
index 4bd20808c..7c7923c46 100644
--- a/src/dumm/dumm.h
+++ b/src/dumm/dumm.h
@@ -20,7 +20,7 @@
 #include <signal.h>
 
 #include <library.h>
-#include <utils/enumerator.h>
+#include <collections/enumerator.h>
 
 #include "guest.h"
 #include "bridge.h"
diff --git a/src/dumm/ext/dumm.c b/src/dumm/ext/dumm.c
index ca9b29388..603fac088 100644
--- a/src/dumm/ext/dumm.c
+++ b/src/dumm/ext/dumm.c
@@ -21,8 +21,8 @@
 
 #include <library.h>
 #include <dumm.h>
-#include <debug.h>
-#include <utils/linked_list.h>
+#include <utils/debug.h>
+#include <collections/linked_list.h>
 
 #undef PACKAGE_NAME
 #undef PACKAGE_TARNAME
@@ -30,6 +30,8 @@
 #undef PACKAGE_STRING
 #undef PACKAGE_BUGREPORT
 #undef PACKAGE_URL
+/* avoid redefintiion of snprintf etc. */
+#define RUBY_DONT_SUBST
 #include <ruby.h>
 
 static dumm_t *dumm;
@@ -141,7 +143,11 @@ static VALUE guest_hash(VALUE class)
 	if (!rb_cvar_defined(class, id))
 	{
 		VALUE hash = guest_hash_create(class);
+#ifdef RB_CVAR_SET_4_ARGS
 		rb_cvar_set(class, id, hash, 0);
+#else
+		rb_cvar_set(class, id, hash);
+#endif
 		return hash;
 	}
 	return rb_cvar_get(class, id);
@@ -627,6 +633,7 @@ static VALUE iface_each_addr(int argc, VALUE *argv, VALUE self)
 	{
 		rb_raise(rb_eArgError, "must be called with a block");
 	}
+	list = linked_list_create();
 	Data_Get_Struct(self, iface_t, iface);
 	enumerator = iface->create_address_enumerator(iface);
 	while (enumerator->enumerate(enumerator, &addr))
diff --git a/src/dumm/guest.c b/src/dumm/guest.c
index 336f6effa..8e74ca629 100644
--- a/src/dumm/guest.c
+++ b/src/dumm/guest.c
@@ -28,8 +28,8 @@
 #include <termios.h>
 #include <stdarg.h>
 
-#include <debug.h>
-#include <utils/linked_list.h>
+#include <utils/debug.h>
+#include <collections/linked_list.h>
 
 #include "dumm.h"
 #include "guest.h"
diff --git a/src/dumm/guest.h b/src/dumm/guest.h
index 789f2310e..0da05d88c 100644
--- a/src/dumm/guest.h
+++ b/src/dumm/guest.h
@@ -18,7 +18,7 @@
 #define GUEST_H
 
 #include <library.h>
-#include <utils/enumerator.h>
+#include <collections/enumerator.h>
 
 typedef enum guest_state_t guest_state_t;
 typedef struct guest_t guest_t;
diff --git a/src/dumm/iface.c b/src/dumm/iface.c
index 214387e88..3e7b010b3 100644
--- a/src/dumm/iface.c
+++ b/src/dumm/iface.c
@@ -25,8 +25,8 @@
 #include <sys/ioctl.h>
 #include <linux/if_tun.h>
 
-#include <debug.h>
-#include <utils/linked_list.h>
+#include <utils/debug.h>
+#include <collections/linked_list.h>
 
 #include "iface.h"
 
diff --git a/src/dumm/iface.h b/src/dumm/iface.h
index e96ee508c..ae886acc3 100644
--- a/src/dumm/iface.h
+++ b/src/dumm/iface.h
@@ -17,8 +17,8 @@
 #define IFACE_H
 
 #include <library.h>
-#include <utils/enumerator.h>
-#include <utils/host.h>
+#include <collections/enumerator.h>
+#include <networking/host.h>
 
 #define TAP_DEVICE "/dev/net/tun"
 
diff --git a/src/dumm/irdumm.c b/src/dumm/irdumm.c
index 7543e6bd6..d30973737 100644
--- a/src/dumm/irdumm.c
+++ b/src/dumm/irdumm.c
@@ -21,6 +21,10 @@
 #undef PACKAGE_URL
 #include <ruby.h>
 
+#ifdef HAVE_RB_ERRINFO
+#define ruby_errinfo rb_errinfo()
+#endif
+
 /**
  * main routine, parses args and reads from console
  */
diff --git a/src/dumm/main.c b/src/dumm/main.c
index 37e7ba8f7..4cdf4682f 100644
--- a/src/dumm/main.c
+++ b/src/dumm/main.c
@@ -15,7 +15,7 @@
 
 #include "dumm.h"
 
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
 
 #include <sys/types.h>
 #include <unistd.h>
diff --git a/src/dumm/mconsole.c b/src/dumm/mconsole.c
index 40045cc3a..54c4fe395 100644
--- a/src/dumm/mconsole.c
+++ b/src/dumm/mconsole.c
@@ -25,7 +25,7 @@
 #include <errno.h>
 #include <sys/un.h>
 
-#include <debug.h>
+#include <utils/debug.h>
 
 #include "mconsole.h"
 
diff --git a/src/include/Makefile.in b/src/include/Makefile.in
index bdf80a49c..ccf98b280 100644
--- a/src/include/Makefile.in
+++ b/src/include/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -73,6 +73,7 @@ CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -100,6 +101,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -127,6 +129,7 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
@@ -139,6 +142,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -192,7 +196,6 @@ libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -333,10 +336,15 @@ install-am: all-am
 
 installcheck: installcheck-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
diff --git a/src/ipsec/Makefile.in b/src/ipsec/Makefile.in
index dbb163f42..faa5f5cef 100644
--- a/src/ipsec/Makefile.in
+++ b/src/ipsec/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -74,6 +74,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
 am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
 am__installdirs = "$(DESTDIR)$(sbindir)" "$(DESTDIR)$(man8dir)"
 SCRIPTS = $(sbin_SCRIPTS)
 SOURCES =
@@ -101,6 +107,7 @@ CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -128,6 +135,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -155,6 +163,7 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
@@ -167,6 +176,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -220,7 +230,6 @@ libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -335,9 +344,7 @@ uninstall-sbinSCRIPTS:
 	@list='$(sbin_SCRIPTS)'; test -n "$(sbindir)" || exit 0; \
 	files=`for p in $$list; do echo "$$p"; done | \
 	       sed -e 's,.*/,,;$(transform)'`; \
-	test -n "$$list" || exit 0; \
-	echo " ( cd '$(DESTDIR)$(sbindir)' && rm -f" $$files ")"; \
-	cd "$(DESTDIR)$(sbindir)" && rm -f $$files
+	dir='$(DESTDIR)$(sbindir)'; $(am__uninstall_files_from_dir)
 
 mostlyclean-libtool:
 	-rm -f *.lo
@@ -375,9 +382,7 @@ uninstall-man8:
 	files=`{ for i in $$list; do echo "$$i"; done; \
 	} | sed -e 's,.*/,,;h;s,.*\.,,;s,^[^8][0-9a-z]*$$,8,;x' \
 	      -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,'`; \
-	test -z "$$files" || { \
-	  echo " ( cd '$(DESTDIR)$(man8dir)' && rm -f" $$files ")"; \
-	  cd "$(DESTDIR)$(man8dir)" && rm -f $$files; }
+	dir='$(DESTDIR)$(man8dir)'; $(am__uninstall_files_from_dir)
 tags: TAGS
 TAGS:
 
@@ -445,10 +450,15 @@ install-am: all-am
 
 installcheck: installcheck-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
diff --git a/src/ipsec/_ipsec.8 b/src/ipsec/_ipsec.8
index 7802fc48f..40eeb1f3e 100644
--- a/src/ipsec/_ipsec.8
+++ b/src/ipsec/_ipsec.8
@@ -1,4 +1,4 @@
-.TH IPSEC 8 "2012-06-19" "5.0.1dr3" "strongSwan"
+.TH IPSEC 8 "2012-06-19" "5.0.2" "strongSwan"
 .SH NAME
 ipsec \- invoke IPsec utilities
 .SH SYNOPSIS
@@ -172,6 +172,10 @@ an HTTP- or LDAP-based CRL distribution point.
 returns revocation information fetched from OCSP servers.
 .PP
 .TP
+.B "listcounters"
+show IKE counter values collected since daemon startup.
+.PP
+.TP
 .B "listall [ --utc ]"
 returns all information generated by the list commands above. Each list command
 can be called with the
diff --git a/src/ipsec/_ipsec.8.in b/src/ipsec/_ipsec.8.in
index 41c6ff8d2..a190fa568 100644
--- a/src/ipsec/_ipsec.8.in
+++ b/src/ipsec/_ipsec.8.in
@@ -172,6 +172,10 @@ an HTTP- or LDAP-based CRL distribution point.
 returns revocation information fetched from OCSP servers.
 .PP
 .TP
+.B "listcounters"
+show IKE counter values collected since daemon startup.
+.PP
+.TP
 .B "listall [ --utc ]"
 returns all information generated by the list commands above. Each list command
 can be called with the
diff --git a/src/ipsec/_ipsec.in b/src/ipsec/_ipsec.in
index 2acf5a3f6..8b6ad660d 100644
--- a/src/ipsec/_ipsec.in
+++ b/src/ipsec/_ipsec.in
@@ -59,7 +59,7 @@ case "$1" in
 	echo "	listalgs|listpubkeys|listcerts [--utc]"
 	echo "	listcacerts|listaacerts|listocspcerts [--utc]"
 	echo "	listacerts|listgroups|listcainfos [--utc]"
-	echo "	listcrls|listocsp|listcards|listplugins|listall [--utc]"
+	echo "	listcrls|listocsp|listcards|listplugins|listcounters|listall [--utc]"
 	echo "	leases [<poolname> [<address>]]"
 	echo "	rereadsecrets|rereadgroups"
 	echo "	rereadcacerts|rereadaacerts|rereadocspcerts"
@@ -149,7 +149,7 @@ leases)
 listalgs|listpubkeys|listplugins|\
 listcerts|listcacerts|listaacerts|\
 listacerts|listgroups|listocspcerts|\
-listcainfos|listcrls|listocsp|listall|\
+listcainfos|listcrls|listocsp|listcounters|listall|\
 rereadsecrets|rereadcacerts|rereadaacerts|\
 rereadacerts|rereadocspcerts|rereadcrls|\
 rereadall|purgeocsp)
diff --git a/src/libcharon/Android.mk b/src/libcharon/Android.mk
index 9eb864f50..b2d6c3128 100644
--- a/src/libcharon/Android.mk
+++ b/src/libcharon/Android.mk
@@ -42,6 +42,7 @@ encoding/payloads/ts_payload.c encoding/payloads/ts_payload.h \
 encoding/payloads/unknown_payload.c encoding/payloads/unknown_payload.h \
 encoding/payloads/vendor_id_payload.c encoding/payloads/vendor_id_payload.h \
 encoding/payloads/hash_payload.c encoding/payloads/hash_payload.h \
+encoding/payloads/fragment_payload.c encoding/payloads/fragment_payload.h \
 kernel/kernel_handler.c kernel/kernel_handler.h \
 network/receiver.c network/receiver.h network/sender.c network/sender.h \
 network/socket.c network/socket.h \
diff --git a/src/libcharon/Makefile.am b/src/libcharon/Makefile.am
index 56192bf0e..5203890ff 100644
--- a/src/libcharon/Makefile.am
+++ b/src/libcharon/Makefile.am
@@ -40,6 +40,7 @@ encoding/payloads/ts_payload.c encoding/payloads/ts_payload.h \
 encoding/payloads/unknown_payload.c encoding/payloads/unknown_payload.h \
 encoding/payloads/vendor_id_payload.c encoding/payloads/vendor_id_payload.h \
 encoding/payloads/hash_payload.c encoding/payloads/hash_payload.h \
+encoding/payloads/fragment_payload.c encoding/payloads/fragment_payload.h \
 kernel/kernel_handler.c kernel/kernel_handler.h \
 network/receiver.c network/receiver.h network/sender.c network/sender.h \
 network/socket.c network/socket.h \
@@ -484,6 +485,20 @@ if MONOLITHIC
 endif
 endif
 
+if USE_LOOKIP
+  SUBDIRS += plugins/lookip
+if MONOLITHIC
+  libcharon_la_LIBADD += plugins/lookip/libstrongswan-lookip.la
+endif
+endif
+
+if USE_ERROR_NOTIFY
+  SUBDIRS += plugins/error_notify
+if MONOLITHIC
+  libcharon_la_LIBADD += plugins/error_notify/libstrongswan-error-notify.la
+endif
+endif
+
 if USE_CERTEXPIRE
   SUBDIRS += plugins/certexpire
 if MONOLITHIC
diff --git a/src/libcharon/Makefile.in b/src/libcharon/Makefile.in
index 3a9239af3..063bc6d11 100644
--- a/src/libcharon/Makefile.in
+++ b/src/libcharon/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -178,30 +178,34 @@ host_triplet = @host@
 @MONOLITHIC_TRUE@@USE_HA_TRUE@am__append_89 = plugins/ha/libstrongswan-ha.la
 @USE_WHITELIST_TRUE@am__append_90 = plugins/whitelist
 @MONOLITHIC_TRUE@@USE_WHITELIST_TRUE@am__append_91 = plugins/whitelist/libstrongswan-whitelist.la
-@USE_CERTEXPIRE_TRUE@am__append_92 = plugins/certexpire
-@MONOLITHIC_TRUE@@USE_CERTEXPIRE_TRUE@am__append_93 = plugins/certexpire/libstrongswan-certexpire.la
-@USE_LED_TRUE@am__append_94 = plugins/led
-@MONOLITHIC_TRUE@@USE_LED_TRUE@am__append_95 = plugins/led/libstrongswan-led.la
-@USE_DUPLICHECK_TRUE@am__append_96 = plugins/duplicheck
-@MONOLITHIC_TRUE@@USE_DUPLICHECK_TRUE@am__append_97 = plugins/duplicheck/libstrongswan-duplicheck.la
-@USE_COUPLING_TRUE@am__append_98 = plugins/coupling
-@MONOLITHIC_TRUE@@USE_COUPLING_TRUE@am__append_99 = plugins/coupling/libstrongswan-coupling.la
-@USE_RADATTR_TRUE@am__append_100 = plugins/radattr
-@MONOLITHIC_TRUE@@USE_RADATTR_TRUE@am__append_101 = plugins/radattr/libstrongswan-radattr.la
-@USE_UCI_TRUE@am__append_102 = plugins/uci
-@MONOLITHIC_TRUE@@USE_UCI_TRUE@am__append_103 = plugins/uci/libstrongswan-uci.la
-@USE_ADDRBLOCK_TRUE@am__append_104 = plugins/addrblock
-@MONOLITHIC_TRUE@@USE_ADDRBLOCK_TRUE@am__append_105 = plugins/addrblock/libstrongswan-addrblock.la
-@USE_UNITY_TRUE@am__append_106 = plugins/unity
-@MONOLITHIC_TRUE@@USE_UNITY_TRUE@am__append_107 = plugins/unity/libstrongswan-unity.la
-@USE_UNIT_TESTS_TRUE@am__append_108 = plugins/unit_tester
-@MONOLITHIC_TRUE@@USE_UNIT_TESTS_TRUE@am__append_109 = plugins/unit_tester/libstrongswan-unit-tester.la
-@USE_XAUTH_GENERIC_TRUE@am__append_110 = plugins/xauth_generic
-@MONOLITHIC_TRUE@@USE_XAUTH_GENERIC_TRUE@am__append_111 = plugins/xauth_generic/libstrongswan-xauth-generic.la
-@USE_XAUTH_EAP_TRUE@am__append_112 = plugins/xauth_eap
-@MONOLITHIC_TRUE@@USE_XAUTH_EAP_TRUE@am__append_113 = plugins/xauth_eap/libstrongswan-xauth-eap.la
-@USE_XAUTH_PAM_TRUE@am__append_114 = plugins/xauth_pam
-@MONOLITHIC_TRUE@@USE_XAUTH_PAM_TRUE@am__append_115 = plugins/xauth_pam/libstrongswan-xauth-pam.la
+@USE_LOOKIP_TRUE@am__append_92 = plugins/lookip
+@MONOLITHIC_TRUE@@USE_LOOKIP_TRUE@am__append_93 = plugins/lookip/libstrongswan-lookip.la
+@USE_ERROR_NOTIFY_TRUE@am__append_94 = plugins/error_notify
+@MONOLITHIC_TRUE@@USE_ERROR_NOTIFY_TRUE@am__append_95 = plugins/error_notify/libstrongswan-error-notify.la
+@USE_CERTEXPIRE_TRUE@am__append_96 = plugins/certexpire
+@MONOLITHIC_TRUE@@USE_CERTEXPIRE_TRUE@am__append_97 = plugins/certexpire/libstrongswan-certexpire.la
+@USE_LED_TRUE@am__append_98 = plugins/led
+@MONOLITHIC_TRUE@@USE_LED_TRUE@am__append_99 = plugins/led/libstrongswan-led.la
+@USE_DUPLICHECK_TRUE@am__append_100 = plugins/duplicheck
+@MONOLITHIC_TRUE@@USE_DUPLICHECK_TRUE@am__append_101 = plugins/duplicheck/libstrongswan-duplicheck.la
+@USE_COUPLING_TRUE@am__append_102 = plugins/coupling
+@MONOLITHIC_TRUE@@USE_COUPLING_TRUE@am__append_103 = plugins/coupling/libstrongswan-coupling.la
+@USE_RADATTR_TRUE@am__append_104 = plugins/radattr
+@MONOLITHIC_TRUE@@USE_RADATTR_TRUE@am__append_105 = plugins/radattr/libstrongswan-radattr.la
+@USE_UCI_TRUE@am__append_106 = plugins/uci
+@MONOLITHIC_TRUE@@USE_UCI_TRUE@am__append_107 = plugins/uci/libstrongswan-uci.la
+@USE_ADDRBLOCK_TRUE@am__append_108 = plugins/addrblock
+@MONOLITHIC_TRUE@@USE_ADDRBLOCK_TRUE@am__append_109 = plugins/addrblock/libstrongswan-addrblock.la
+@USE_UNITY_TRUE@am__append_110 = plugins/unity
+@MONOLITHIC_TRUE@@USE_UNITY_TRUE@am__append_111 = plugins/unity/libstrongswan-unity.la
+@USE_UNIT_TESTS_TRUE@am__append_112 = plugins/unit_tester
+@MONOLITHIC_TRUE@@USE_UNIT_TESTS_TRUE@am__append_113 = plugins/unit_tester/libstrongswan-unit-tester.la
+@USE_XAUTH_GENERIC_TRUE@am__append_114 = plugins/xauth_generic
+@MONOLITHIC_TRUE@@USE_XAUTH_GENERIC_TRUE@am__append_115 = plugins/xauth_generic/libstrongswan-xauth-generic.la
+@USE_XAUTH_EAP_TRUE@am__append_116 = plugins/xauth_eap
+@MONOLITHIC_TRUE@@USE_XAUTH_EAP_TRUE@am__append_117 = plugins/xauth_eap/libstrongswan-xauth-eap.la
+@USE_XAUTH_PAM_TRUE@am__append_118 = plugins/xauth_pam
+@MONOLITHIC_TRUE@@USE_XAUTH_PAM_TRUE@am__append_119 = plugins/xauth_pam/libstrongswan-xauth-pam.la
 subdir = src/libcharon
 DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
@@ -241,6 +245,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
 am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
 am__installdirs = "$(DESTDIR)$(ipseclibdir)"
 LTLIBRARIES = $(ipseclib_LTLIBRARIES)
 am__DEPENDENCIES_1 =
@@ -264,7 +274,8 @@ libcharon_la_DEPENDENCIES = $(am__DEPENDENCIES_1) \
 	$(am__append_93) $(am__append_95) $(am__append_97) \
 	$(am__append_99) $(am__append_101) $(am__append_103) \
 	$(am__append_105) $(am__append_107) $(am__append_109) \
-	$(am__append_111) $(am__append_113) $(am__append_115)
+	$(am__append_111) $(am__append_113) $(am__append_115) \
+	$(am__append_117) $(am__append_119)
 am__libcharon_la_SOURCES_DIST = bus/bus.c bus/bus.h \
 	bus/listeners/listener.h bus/listeners/logger.h \
 	bus/listeners/file_logger.c bus/listeners/file_logger.h \
@@ -315,7 +326,9 @@ am__libcharon_la_SOURCES_DIST = bus/bus.c bus/bus.h \
 	encoding/payloads/vendor_id_payload.c \
 	encoding/payloads/vendor_id_payload.h \
 	encoding/payloads/hash_payload.c \
-	encoding/payloads/hash_payload.h kernel/kernel_handler.c \
+	encoding/payloads/hash_payload.h \
+	encoding/payloads/fragment_payload.c \
+	encoding/payloads/fragment_payload.h kernel/kernel_handler.c \
 	kernel/kernel_handler.h network/receiver.c network/receiver.h \
 	network/sender.c network/sender.h network/socket.c \
 	network/socket.h network/socket_manager.c \
@@ -448,17 +461,18 @@ am_libcharon_la_OBJECTS = bus.lo file_logger.lo sys_logger.lo \
 	sa_payload.lo traffic_selector_substructure.lo \
 	transform_attribute.lo transform_substructure.lo ts_payload.lo \
 	unknown_payload.lo vendor_id_payload.lo hash_payload.lo \
-	kernel_handler.lo receiver.lo sender.lo socket.lo \
-	socket_manager.lo acquire_job.lo delete_child_sa_job.lo \
-	delete_ike_sa_job.lo migrate_job.lo process_message_job.lo \
-	rekey_child_sa_job.lo rekey_ike_sa_job.lo retransmit_job.lo \
-	retry_initiate_job.lo send_dpd_job.lo send_keepalive_job.lo \
-	start_action_job.lo roam_job.lo update_sa_job.lo \
-	inactivity_job.lo eap_method.lo eap_manager.lo xauth_method.lo \
-	xauth_manager.lo authenticator.lo child_sa.lo ike_sa.lo \
-	ike_sa_id.lo keymat.lo ike_sa_manager.lo task_manager.lo \
-	shunt_manager.lo trap_manager.lo task.lo $(am__objects_1) \
-	$(am__objects_2) $(am__objects_3)
+	fragment_payload.lo kernel_handler.lo receiver.lo sender.lo \
+	socket.lo socket_manager.lo acquire_job.lo \
+	delete_child_sa_job.lo delete_ike_sa_job.lo migrate_job.lo \
+	process_message_job.lo rekey_child_sa_job.lo \
+	rekey_ike_sa_job.lo retransmit_job.lo retry_initiate_job.lo \
+	send_dpd_job.lo send_keepalive_job.lo start_action_job.lo \
+	roam_job.lo update_sa_job.lo inactivity_job.lo eap_method.lo \
+	eap_manager.lo xauth_method.lo xauth_manager.lo \
+	authenticator.lo child_sa.lo ike_sa.lo ike_sa_id.lo keymat.lo \
+	ike_sa_manager.lo task_manager.lo shunt_manager.lo \
+	trap_manager.lo task.lo $(am__objects_1) $(am__objects_2) \
+	$(am__objects_3)
 libcharon_la_OBJECTS = $(am_libcharon_la_OBJECTS)
 DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
 depcomp = $(SHELL) $(top_srcdir)/depcomp
@@ -503,10 +517,11 @@ DIST_SUBDIRS = . plugins/load_tester plugins/socket_default \
 	plugins/tnccs_11 plugins/tnccs_20 plugins/tnccs_dynamic \
 	plugins/medsrv plugins/medcli plugins/dhcp plugins/android \
 	plugins/android_log plugins/maemo plugins/ha plugins/whitelist \
-	plugins/certexpire plugins/led plugins/duplicheck \
-	plugins/coupling plugins/radattr plugins/uci plugins/addrblock \
-	plugins/unity plugins/unit_tester plugins/xauth_generic \
-	plugins/xauth_eap plugins/xauth_pam
+	plugins/lookip plugins/error_notify plugins/certexpire \
+	plugins/led plugins/duplicheck plugins/coupling \
+	plugins/radattr plugins/uci plugins/addrblock plugins/unity \
+	plugins/unit_tester plugins/xauth_generic plugins/xauth_eap \
+	plugins/xauth_pam
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 am__relativize = \
   dir0=`pwd`; \
@@ -552,6 +567,7 @@ CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -579,6 +595,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -606,6 +623,7 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
@@ -618,6 +636,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -671,7 +690,6 @@ libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -768,7 +786,9 @@ libcharon_la_SOURCES = bus/bus.c bus/bus.h bus/listeners/listener.h \
 	encoding/payloads/vendor_id_payload.c \
 	encoding/payloads/vendor_id_payload.h \
 	encoding/payloads/hash_payload.c \
-	encoding/payloads/hash_payload.h kernel/kernel_handler.c \
+	encoding/payloads/hash_payload.h \
+	encoding/payloads/fragment_payload.c \
+	encoding/payloads/fragment_payload.h kernel/kernel_handler.c \
 	kernel/kernel_handler.h network/receiver.c network/receiver.h \
 	network/sender.c network/sender.h network/socket.c \
 	network/socket.h network/socket_manager.c \
@@ -838,7 +858,7 @@ libcharon_la_LIBADD = -lm $(PTHREADLIB) $(DLLIB) $(SOCKLIB) \
 	$(am__append_97) $(am__append_99) $(am__append_101) \
 	$(am__append_103) $(am__append_105) $(am__append_107) \
 	$(am__append_109) $(am__append_111) $(am__append_113) \
-	$(am__append_115)
+	$(am__append_115) $(am__append_117) $(am__append_119)
 EXTRA_DIST = Android.mk
 @MONOLITHIC_FALSE@SUBDIRS = . $(am__append_4) $(am__append_6) \
 @MONOLITHIC_FALSE@	$(am__append_8) $(am__append_10) \
@@ -866,7 +886,8 @@ EXTRA_DIST = Android.mk
 @MONOLITHIC_FALSE@	$(am__append_100) $(am__append_102) \
 @MONOLITHIC_FALSE@	$(am__append_104) $(am__append_106) \
 @MONOLITHIC_FALSE@	$(am__append_108) $(am__append_110) \
-@MONOLITHIC_FALSE@	$(am__append_112) $(am__append_114)
+@MONOLITHIC_FALSE@	$(am__append_112) $(am__append_114) \
+@MONOLITHIC_FALSE@	$(am__append_116) $(am__append_118)
 
 # build optional plugins
 ########################
@@ -896,7 +917,8 @@ EXTRA_DIST = Android.mk
 @MONOLITHIC_TRUE@	$(am__append_100) $(am__append_102) \
 @MONOLITHIC_TRUE@	$(am__append_104) $(am__append_106) \
 @MONOLITHIC_TRUE@	$(am__append_108) $(am__append_110) \
-@MONOLITHIC_TRUE@	$(am__append_112) $(am__append_114)
+@MONOLITHIC_TRUE@	$(am__append_112) $(am__append_114) \
+@MONOLITHIC_TRUE@	$(am__append_116) $(am__append_118)
 all: all-recursive
 
 .SUFFIXES:
@@ -962,7 +984,7 @@ clean-ipseclibLTLIBRARIES:
 	  echo "rm -f \"$${dir}/so_locations\""; \
 	  rm -f "$${dir}/so_locations"; \
 	done
-libcharon.la: $(libcharon_la_OBJECTS) $(libcharon_la_DEPENDENCIES) 
+libcharon.la: $(libcharon_la_OBJECTS) $(libcharon_la_DEPENDENCIES) $(EXTRA_libcharon_la_DEPENDENCIES) 
 	$(LINK) -rpath $(ipseclibdir) $(libcharon_la_OBJECTS) $(libcharon_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
@@ -1002,6 +1024,7 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/encryption_payload.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/endpoint_notify.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/file_logger.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/fragment_payload.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/generator.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/hash_payload.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/hybrid_authenticator.Plo@am__quote@
@@ -1364,6 +1387,13 @@ hash_payload.lo: encoding/payloads/hash_payload.c
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o hash_payload.lo `test -f 'encoding/payloads/hash_payload.c' || echo '$(srcdir)/'`encoding/payloads/hash_payload.c
 
+fragment_payload.lo: encoding/payloads/fragment_payload.c
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT fragment_payload.lo -MD -MP -MF $(DEPDIR)/fragment_payload.Tpo -c -o fragment_payload.lo `test -f 'encoding/payloads/fragment_payload.c' || echo '$(srcdir)/'`encoding/payloads/fragment_payload.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/fragment_payload.Tpo $(DEPDIR)/fragment_payload.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='encoding/payloads/fragment_payload.c' object='fragment_payload.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o fragment_payload.lo `test -f 'encoding/payloads/fragment_payload.c' || echo '$(srcdir)/'`encoding/payloads/fragment_payload.c
+
 kernel_handler.lo: kernel/kernel_handler.c
 @am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT kernel_handler.lo -MD -MP -MF $(DEPDIR)/kernel_handler.Tpo -c -o kernel_handler.lo `test -f 'kernel/kernel_handler.c' || echo '$(srcdir)/'`kernel/kernel_handler.c
 @am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/kernel_handler.Tpo $(DEPDIR)/kernel_handler.Plo
@@ -2155,10 +2185,15 @@ install-am: all-am
 
 installcheck: installcheck-recursive
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
diff --git a/src/libcharon/bus/bus.c b/src/libcharon/bus/bus.c
index 1f9592e6e..b5cdaaa89 100644
--- a/src/libcharon/bus/bus.c
+++ b/src/libcharon/bus/bus.c
@@ -309,6 +309,7 @@ METHOD(bus_t, vlog, void,
 		va_end(copy);
 		if (len >= sizeof(buf))
 		{
+			len++;
 			data.message = malloc(len);
 			len = vsnprintf(data.message, len, format, args);
 		}
@@ -719,6 +720,10 @@ METHOD(bus_t, authorize, bool,
 	}
 	enumerator->destroy(enumerator);
 	this->mutex->unlock(this->mutex);
+	if (!success)
+	{
+		alert(this, ALERT_AUTHORIZATION_FAILED);
+	}
 	return success;
 }
 
diff --git a/src/libcharon/bus/bus.h b/src/libcharon/bus/bus.h
index aba8acdbd..4645bbde6 100644
--- a/src/libcharon/bus/bus.h
+++ b/src/libcharon/bus/bus.h
@@ -28,7 +28,7 @@ typedef struct bus_t bus_t;
 
 #include <stdarg.h>
 
-#include <debug.h>
+#include <utils/debug.h>
 #include <sa/ike_sa.h>
 #include <sa/child_sa.h>
 #include <processing/jobs/job.h>
@@ -86,10 +86,50 @@ enum alert_t {
 	ALERT_RADIUS_NOT_RESPONDING,
 	/** a shutdown signal has been received, argument is the signal (int) */
 	ALERT_SHUTDOWN_SIGNAL,
+	/** creating local authentication data failed, no arguments */
+	ALERT_LOCAL_AUTH_FAILED,
 	/** peer authentication failed, no arguments */
 	ALERT_PEER_AUTH_FAILED,
 	/** failed to resolve peer address, no arguments */
 	ALERT_PEER_ADDR_FAILED,
+	/** peer did not respond to initial message, current try (int, 0-based) */
+	ALERT_PEER_INIT_UNREACHABLE,
+	/** received IKE message with invalid SPI, argument is message_t* */
+	ALERT_INVALID_IKE_SPI,
+	/** received IKE message with invalid header, argument is message_t* */
+	ALERT_PARSE_ERROR_HEADER,
+	/** received IKE message with invalid body, argument is message_t*,
+	 *  followed by a status_t result returned by message_t.parse_body(). */
+	ALERT_PARSE_ERROR_BODY,
+	/** sending a retransmit for a message, argument is packet_t */
+	ALERT_RETRANSMIT_SEND,
+	/** sending retransmits timed out, argument is packet_t */
+	ALERT_RETRANSMIT_SEND_TIMEOUT,
+	/** received a retransmit for a message, argument is message_t */
+	ALERT_RETRANSMIT_RECEIVE,
+	/** received half-open timeout before IKE_SA established, no argument */
+	ALERT_HALF_OPEN_TIMEOUT,
+	/** IKE proposals do not match, argument is linked_list_t of proposal_t */
+	ALERT_PROPOSAL_MISMATCH_IKE,
+	/** CHILD proposals do not match, argument is linked_list_t of proposal_t */
+	ALERT_PROPOSAL_MISMATCH_CHILD,
+	/** traffic selectors do not match, arguments are two linked_list_t
+	 *  containing traffic_selector_t for initiator and for responder */
+	ALERT_TS_MISMATCH,
+	/** Installation of IPsec SAs failed, argument is child_sa_t */
+	ALERT_INSTALL_CHILD_SA_FAILED,
+	/** Installation of IPsec Policy failed, argument is child_sa_t */
+	ALERT_INSTALL_CHILD_POLICY_FAILED,
+	/** IKE_SA deleted because of "replace" unique policy, no argument */
+	ALERT_UNIQUE_REPLACE,
+	/** IKE_SA deleted because of "keep" unique policy, no argument */
+	ALERT_UNIQUE_KEEP,
+	/** IKE_SA kept on failed child SA establishment, no argument */
+	ALERT_KEEP_ON_CHILD_SA_FAILURE,
+	/** allocating virtual IP failed, linked_list_t of host_t requested */
+	ALERT_VIP_FAILURE,
+	/** an authorize() hook failed, no argument */
+	ALERT_AUTHORIZATION_FAILED,
 };
 
 /**
diff --git a/src/libcharon/bus/listeners/file_logger.c b/src/libcharon/bus/listeners/file_logger.c
index 9c8458eb5..68a386d11 100644
--- a/src/libcharon/bus/listeners/file_logger.c
+++ b/src/libcharon/bus/listeners/file_logger.c
@@ -17,10 +17,15 @@
 #include <stdio.h>
 #include <string.h>
 #include <time.h>
+#include <errno.h>
+#include <unistd.h>
+#include <sys/types.h>
 
 #include "file_logger.h"
 
+#include <daemon.h>
 #include <threading/mutex.h>
+#include <threading/rwlock.h>
 
 typedef struct private_file_logger_t private_file_logger_t;
 
@@ -35,7 +40,12 @@ struct private_file_logger_t {
 	file_logger_t public;
 
 	/**
-	 * output file
+	 * File name of the target
+	 */
+	char *filename;
+
+	/**
+	 * Current output file
 	 */
 	FILE *out;
 
@@ -58,6 +68,11 @@ struct private_file_logger_t {
 	 * Mutex to ensure multi-line log messages are not torn apart
 	 */
 	mutex_t *mutex;
+
+	/**
+	 * Lock to read/write options (FD, levels, time_format, etc.)
+	 */
+	rwlock_t *lock;
 };
 
 METHOD(logger_t, log_, void,
@@ -69,6 +84,12 @@ METHOD(logger_t, log_, void,
 	struct tm tm;
 	time_t t;
 
+	this->lock->read_lock(this->lock);
+	if (!this->out)
+	{	/* file is not open */
+		this->lock->unlock(this->lock);
+		return;
+	}
 	if (this->time_format)
 	{
 		t = time(NULL);
@@ -117,17 +138,24 @@ METHOD(logger_t, log_, void,
 		current = next + 1;
 	}
 	this->mutex->unlock(this->mutex);
+	this->lock->unlock(this->lock);
 }
 
 METHOD(logger_t, get_level, level_t,
 	private_file_logger_t *this, debug_t group)
 {
-	return this->levels[group];
+	level_t level;
+
+	this->lock->read_lock(this->lock);
+	level = this->levels[group];
+	this->lock->unlock(this->lock);
+	return level;
 }
 
 METHOD(file_logger_t, set_level, void,
 	private_file_logger_t *this, debug_t group, level_t level)
 {
+	this->lock->write_lock(this->lock);
 	if (group < DBG_ANY)
 	{
 		this->levels[group] = level;
@@ -139,23 +167,81 @@ METHOD(file_logger_t, set_level, void,
 			this->levels[group] = level;
 		}
 	}
+	this->lock->unlock(this->lock);
 }
 
-METHOD(file_logger_t, destroy, void,
-	private_file_logger_t *this)
+METHOD(file_logger_t, set_options, void,
+	private_file_logger_t *this, char *time_format, bool ike_name)
 {
-	if (this->out != stdout && this->out != stderr)
+	this->lock->write_lock(this->lock);
+	free(this->time_format);
+	this->time_format = strdupnull(time_format);
+	this->ike_name = ike_name;
+	this->lock->unlock(this->lock);
+}
+
+/**
+ * Close the current file, if any
+ */
+static void close_file(private_file_logger_t *this)
+{
+	if (this->out && this->out != stdout && this->out != stderr)
 	{
 		fclose(this->out);
+		this->out = NULL;
+	}
+}
+
+METHOD(file_logger_t, open_, void,
+	private_file_logger_t *this, bool flush_line, bool append)
+{
+	FILE *file;
+
+	if (streq(this->filename, "stderr"))
+	{
+		file = stderr;
+	}
+	else if (streq(this->filename, "stdout"))
+	{
+		file = stdout;
+	}
+	else
+	{
+		file = fopen(this->filename, append ? "a" : "w");
+		if (file == NULL)
+		{
+			DBG1(DBG_DMN, "opening file %s for logging failed: %s",
+				 this->filename, strerror(errno));
+			return;
+		}
+		if (flush_line)
+		{
+			setlinebuf(file);
+		}
 	}
+	this->lock->write_lock(this->lock);
+	close_file(this);
+	this->out = file;
+	this->lock->unlock(this->lock);
+}
+
+METHOD(file_logger_t, destroy, void,
+	private_file_logger_t *this)
+{
+	this->lock->write_lock(this->lock);
+	close_file(this);
+	this->lock->unlock(this->lock);
 	this->mutex->destroy(this->mutex);
+	this->lock->destroy(this->lock);
+	free(this->time_format);
+	free(this->filename);
 	free(this);
 }
 
 /*
  * Described in header.
  */
-file_logger_t *file_logger_create(FILE *out, char *time_format, bool ike_name)
+file_logger_t *file_logger_create(char *filename)
 {
 	private_file_logger_t *this;
 
@@ -166,16 +252,16 @@ file_logger_t *file_logger_create(FILE *out, char *time_format, bool ike_name)
 				.get_level = _get_level,
 			},
 			.set_level = _set_level,
+			.set_options = _set_options,
+			.open = _open_,
 			.destroy = _destroy,
 		},
-		.out = out,
-		.time_format = time_format,
-		.ike_name = ike_name,
+		.filename = strdup(filename),
 		.mutex = mutex_create(MUTEX_TYPE_DEFAULT),
+		.lock = rwlock_create(RWLOCK_TYPE_DEFAULT),
 	);
 
 	set_level(this, DBG_ANY, LEVEL_SILENT);
 
 	return &this->public;
 }
-
diff --git a/src/libcharon/bus/listeners/file_logger.h b/src/libcharon/bus/listeners/file_logger.h
index 85a2690a2..9e5aed50b 100644
--- a/src/libcharon/bus/listeners/file_logger.h
+++ b/src/libcharon/bus/listeners/file_logger.h
@@ -1,4 +1,5 @@
 /*
+ * Copyright (C) 2012 Tobias Brunner
  * Copyright (C) 2006 Martin Willi
  * Hochschule fuer Technik Rapperswil
  *
@@ -43,6 +44,22 @@ struct file_logger_t {
 	 */
 	void (*set_level) (file_logger_t *this, debug_t group, level_t level);
 
+	/**
+	 * Set options used by this logger
+	 *
+	 * @param time_format	format of timestamp prefix, as in strftime(), cloned
+	 * @param ike_name		TRUE to prefix the name of the IKE_SA
+	 */
+	void (*set_options) (file_logger_t *this, char *time_format, bool ike_name);
+
+	/**
+	 * Open (or reopen) the log file according to the given parameters
+	 *
+	 * @param flush_line	TRUE to flush buffers after every logged line
+	 * @param append		FALSE to overwrite an existing file, TRUE to append
+	 */
+	void (*open) (file_logger_t *this, bool flush_line, bool append);
+
 	/**
 	 * Destroys a file_logger_t object.
 	 */
@@ -52,11 +69,13 @@ struct file_logger_t {
 /**
  * Constructor to create a file_logger_t object.
  *
- * @param out			FILE to write to
- * @param time_format	format of timestamp prefix, as in strftime()
- * @param ike_name		TRUE to prefix the name of the IKE_SA
- * @return				file_logger_t object
+ * The logger has to be opened via file_logger_t.open() before anything is
+ * logged.
+ *
+ * @param filename	name of the log file (stderr and stdout are handled
+ *					specially), cloned
+ * @return			file_logger_t object
  */
-file_logger_t *file_logger_create(FILE *out, char *time_format, bool ike_name);
+file_logger_t *file_logger_create(char *filename);
 
 #endif /** FILE_LOGGER_H_ @}*/
diff --git a/src/libcharon/bus/listeners/sys_logger.c b/src/libcharon/bus/listeners/sys_logger.c
index 53fdefe89..82e2c8e4c 100644
--- a/src/libcharon/bus/listeners/sys_logger.c
+++ b/src/libcharon/bus/listeners/sys_logger.c
@@ -21,6 +21,7 @@
 #include "sys_logger.h"
 
 #include <threading/mutex.h>
+#include <threading/rwlock.h>
 
 typedef struct private_sys_logger_t private_sys_logger_t;
 
@@ -53,6 +54,11 @@ struct private_sys_logger_t {
 	 * Mutex to ensure multi-line log messages are not torn apart
 	 */
 	mutex_t *mutex;
+
+	/**
+	 * Lock to read/write options (levels, ike_name)
+	 */
+	rwlock_t *lock;
 };
 
 METHOD(logger_t, log_, void,
@@ -65,6 +71,7 @@ METHOD(logger_t, log_, void,
 	/* cache group name and optional name string */
 	snprintf(groupstr, sizeof(groupstr), "%N", debug_names, group);
 
+	this->lock->read_lock(this->lock);
 	if (this->ike_name && ike_sa)
 	{
 		if (ike_sa->get_peer_cfg(ike_sa))
@@ -78,6 +85,7 @@ METHOD(logger_t, log_, void,
 				ike_sa->get_unique_id(ike_sa));
 		}
 	}
+	this->lock->unlock(this->lock);
 
 	/* do a syslog for every line */
 	this->mutex->lock(this->mutex);
@@ -100,12 +108,18 @@ METHOD(logger_t, log_, void,
 METHOD(logger_t, get_level, level_t,
 	private_sys_logger_t *this, debug_t group)
 {
-	return this->levels[group];
+	level_t level;
+
+	this->lock->read_lock(this->lock);
+	level = this->levels[group];
+	this->lock->unlock(this->lock);
+	return level;
 }
 
 METHOD(sys_logger_t, set_level, void,
 	private_sys_logger_t *this, debug_t group, level_t level)
 {
+	this->lock->write_lock(this->lock);
 	if (group < DBG_ANY)
 	{
 		this->levels[group] = level;
@@ -117,12 +131,21 @@ METHOD(sys_logger_t, set_level, void,
 			this->levels[group] = level;
 		}
 	}
+	this->lock->unlock(this->lock);
+}
+
+METHOD(sys_logger_t, set_options, void,
+	private_sys_logger_t *this, bool ike_name)
+{
+	this->lock->write_lock(this->lock);
+	this->ike_name = ike_name;
+	this->lock->unlock(this->lock);
 }
 
 METHOD(sys_logger_t, destroy, void,
 	private_sys_logger_t *this)
 {
-	closelog();
+	this->lock->destroy(this->lock);
 	this->mutex->destroy(this->mutex);
 	free(this);
 }
@@ -130,7 +153,7 @@ METHOD(sys_logger_t, destroy, void,
 /*
  * Described in header.
  */
-sys_logger_t *sys_logger_create(int facility, bool ike_name)
+sys_logger_t *sys_logger_create(int facility)
 {
 	private_sys_logger_t *this;
 
@@ -141,11 +164,12 @@ sys_logger_t *sys_logger_create(int facility, bool ike_name)
 				.get_level = _get_level,
 			},
 			.set_level = _set_level,
+			.set_options = _set_options,
 			.destroy = _destroy,
 		},
 		.facility = facility,
-		.ike_name = ike_name,
 		.mutex = mutex_create(MUTEX_TYPE_DEFAULT),
+		.lock = rwlock_create(RWLOCK_TYPE_DEFAULT),
 	);
 
 	set_level(this, DBG_ANY, LEVEL_SILENT);
diff --git a/src/libcharon/bus/listeners/sys_logger.h b/src/libcharon/bus/listeners/sys_logger.h
index fcb6655ca..9a0fee018 100644
--- a/src/libcharon/bus/listeners/sys_logger.h
+++ b/src/libcharon/bus/listeners/sys_logger.h
@@ -1,4 +1,5 @@
 /*
+ * Copyright (C) 2012 Tobias Brunner
  * Copyright (C) 2006 Martin Willi
  * Hochschule fuer Technik Rapperswil
  *
@@ -43,6 +44,13 @@ struct sys_logger_t {
 	 */
 	void (*set_level) (sys_logger_t *this, debug_t group, level_t level);
 
+	/**
+	 * Set options used by this logger.
+	 *
+	 * @param ike_name	TRUE to prefix the name of the IKE_SA
+	 */
+	void (*set_options) (sys_logger_t *this, bool ike_name);
+
 	/**
 	 * Destroys a sys_logger_t object.
 	 */
@@ -53,9 +61,8 @@ struct sys_logger_t {
  * Constructor to create a sys_logger_t object.
  *
  * @param facility	syslog facility to use
- * @param ike_name	TRUE to prefix the name of the IKE_SA
  * @return			sys_logger_t object
  */
-sys_logger_t *sys_logger_create(int facility, bool ike_name);
+sys_logger_t *sys_logger_create(int facility);
 
 #endif /** SYS_LOGGER_H_ @}*/
diff --git a/src/libcharon/config/backend.h b/src/libcharon/config/backend.h
index 458abc37f..aca3352ba 100644
--- a/src/libcharon/config/backend.h
+++ b/src/libcharon/config/backend.h
@@ -26,7 +26,7 @@ typedef struct backend_t backend_t;
 #include <library.h>
 #include <config/ike_cfg.h>
 #include <config/peer_cfg.h>
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
 
 /**
  * The interface for a configuration backend.
diff --git a/src/libcharon/config/backend_manager.c b/src/libcharon/config/backend_manager.c
index 09e123e67..f47d5715a 100644
--- a/src/libcharon/config/backend_manager.c
+++ b/src/libcharon/config/backend_manager.c
@@ -18,7 +18,7 @@
 #include <sys/types.h>
 
 #include <daemon.h>
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
 #include <threading/rwlock.h>
 
 
@@ -49,10 +49,16 @@ struct private_backend_manager_t {
  * match of an ike_cfg
  */
 typedef enum ike_cfg_match_t {
-	MATCH_NONE  = 0x00,
-	MATCH_ANY   = 0x01,
-	MATCH_ME	= 0x04,
-	MATCH_OTHER = 0x08,
+	/* doesn't match at all */
+	MATCH_NONE		= 0x00,
+	/* match for a %any host. For both hosts, hence skip 0x02 */
+	MATCH_ANY		= 0x01,
+	/* IKE version matches exactly (config is not for any version) */
+	MATCH_VERSION	= 0x04,
+	/* local identity matches */
+	MATCH_ME		= 0x08,
+	/* remote identity matches */
+	MATCH_OTHER		= 0x10,
 } ike_cfg_match_t;
 
 /**
@@ -75,13 +81,20 @@ static enumerator_t *ike_enum_create(backend_t *backend, ike_data_t *data)
 /**
  * get a match of a candidate ike_cfg for two hosts
  */
-static ike_cfg_match_t get_ike_match(ike_cfg_t *cand, host_t *me, host_t *other)
+static ike_cfg_match_t get_ike_match(ike_cfg_t *cand, host_t *me, host_t *other,
+									 ike_version_t version)
 {
 	host_t *me_cand, *other_cand;
 	char *my_addr, *other_addr;
 	bool my_allow_any, other_allow_any;
 	ike_cfg_match_t match = MATCH_NONE;
 
+	if (cand->get_version(cand) != IKE_ANY &&
+		version != cand->get_version(cand))
+	{
+		return MATCH_NONE;
+	}
+
 	if (me)
 	{
 		my_addr = cand->get_my_addr(cand, &my_allow_any);
@@ -137,11 +150,18 @@ static ike_cfg_match_t get_ike_match(ike_cfg_t *cand, host_t *me, host_t *other)
 	{
 		match += MATCH_ANY;
 	}
+
+	if (match != MATCH_NONE &&
+		cand->get_version(cand) != IKE_ANY)
+	{	/* if we have a match, improve it if candidate version specified */
+		match += MATCH_VERSION;
+	}
 	return match;
 }
 
 METHOD(backend_manager_t, get_ike_cfg, ike_cfg_t*,
-	private_backend_manager_t *this, host_t *me, host_t *other)
+	private_backend_manager_t *this, host_t *me, host_t *other,
+	ike_version_t version)
 {
 	ike_cfg_t *current, *found = NULL;
 	char *my_addr, *other_addr;
@@ -164,8 +184,9 @@ METHOD(backend_manager_t, get_ike_cfg, ike_cfg_t*,
 						(void*)ike_enum_create, data, (void*)free);
 	while (enumerator->enumerate(enumerator, (void**)&current))
 	{
-		match = get_ike_match(current, me, other);
-		DBG3(DBG_CFG, "ike config match: %d (%H %H)", match, me, other);
+		match = get_ike_match(current, me, other, version);
+		DBG3(DBG_CFG, "ike config match: %d (%H %H %N)",
+			 match, me, other, ike_version_names, version);
 		if (match)
 		{
 			my_addr = current->get_my_addr(current, &my_allow_any);
@@ -242,22 +263,6 @@ static id_match_t get_peer_match(identification_t *id,
 	return match;
 }
 
-/**
- * Get match quality of IKE version
- */
-static int get_version_match(ike_version_t cfg, ike_version_t req)
-{
-	if (req == IKE_ANY || cfg == IKE_ANY)
-	{
-		return 1;
-	}
-	if (req == cfg)
-	{
-		return 2;
-	}
-	return 0;
-}
-
 /**
  * data to pass nested peer enumerator
  */
@@ -382,20 +387,18 @@ METHOD(backend_manager_t, create_peer_cfg_enumerator, enumerator_t*,
 	{
 		id_match_t match_peer_me, match_peer_other;
 		ike_cfg_match_t match_ike;
-		int match_version;
 		match_entry_t *entry;
 
 		match_peer_me = get_peer_match(my_id, cfg, TRUE);
 		match_peer_other = get_peer_match(other_id, cfg, FALSE);
-		match_ike = get_ike_match(cfg->get_ike_cfg(cfg), me, other);
-		match_version = get_version_match(cfg->get_ike_version(cfg), version);
-		DBG3(DBG_CFG, "ike config match: %d (%H %H)", match_ike, me, other);
+		match_ike = get_ike_match(cfg->get_ike_cfg(cfg), me, other, version);
+		DBG3(DBG_CFG, "ike config match: %d (%H %H %N)",
+			 match_ike, me, other, ike_version_names, version);
 
-		if (match_peer_me && match_peer_other && match_ike && match_version)
+		if (match_peer_me && match_peer_other && match_ike)
 		{
-			DBG2(DBG_CFG, "  candidate \"%s\", match: %d/%d/%d/%d "
-				 "(me/other/ike/version)", cfg->get_name(cfg),
-				 match_peer_me, match_peer_other, match_ike, match_version);
+			DBG2(DBG_CFG, "  candidate \"%s\", match: %d/%d/%d (me/other/ike)",
+				 cfg->get_name(cfg), match_peer_me, match_peer_other, match_ike);
 
 			INIT(entry,
 				.match_peer = match_peer_me + match_peer_other,
diff --git a/src/libcharon/config/backend_manager.h b/src/libcharon/config/backend_manager.h
index de263365b..cc8ef8785 100644
--- a/src/libcharon/config/backend_manager.h
+++ b/src/libcharon/config/backend_manager.h
@@ -24,7 +24,7 @@
 typedef struct backend_manager_t backend_manager_t;
 
 #include <library.h>
-#include <utils/host.h>
+#include <networking/host.h>
 #include <utils/identification.h>
 #include <config/ike_cfg.h>
 #include <config/peer_cfg.h>
@@ -60,7 +60,8 @@ struct backend_manager_t {
 	 * @return					matching ike_config, or NULL if none found
 	 */
 	ike_cfg_t* (*get_ike_cfg)(backend_manager_t *this,
-							  host_t *my_host, host_t *other_host);
+							  host_t *my_host, host_t *other_host,
+							  ike_version_t version);
 
 	/**
 	 * Get a peer_config identified by it's name.
diff --git a/src/libcharon/config/child_cfg.c b/src/libcharon/config/child_cfg.c
index b675c908f..33d47a41e 100644
--- a/src/libcharon/config/child_cfg.c
+++ b/src/libcharon/config/child_cfg.c
@@ -165,7 +165,7 @@ METHOD(child_cfg_t, get_proposals, linked_list_t*,
 		current = current->clone(current);
 		if (strip_dh)
 		{
-			current->strip_dh(current);
+			current->strip_dh(current, MODP_NONE);
 		}
 		proposals->insert_last(proposals, current);
 	}
@@ -194,7 +194,7 @@ METHOD(child_cfg_t, select_proposal, proposal_t*,
 		{
 			if (strip_dh)
 			{
-				stored->strip_dh(stored);
+				stored->strip_dh(stored, MODP_NONE);
 			}
 			selected = stored->select(stored, supplied, private);
 			if (selected)
diff --git a/src/libcharon/config/ike_cfg.c b/src/libcharon/config/ike_cfg.c
index acf4b6141..5e5fbba42 100644
--- a/src/libcharon/config/ike_cfg.c
+++ b/src/libcharon/config/ike_cfg.c
@@ -21,6 +21,12 @@
 #include <daemon.h>
 
 
+ENUM(ike_version_names, IKE_ANY, IKEV2,
+	"IKEv1/2",
+	"IKEv1",
+	"IKEv2",
+);
+
 typedef struct private_ike_cfg_t private_ike_cfg_t;
 
 /**
@@ -38,6 +44,11 @@ struct private_ike_cfg_t {
 	 */
 	refcount_t refcount;
 
+	/**
+	 * IKE version to use
+	 */
+	ike_version_t version;
+
 	/**
 	 * Address of local host
 	 */
@@ -78,12 +89,23 @@ struct private_ike_cfg_t {
 	 */
 	bool force_encap;
 
+	/**
+	 * use IKEv1 fragmentation
+	 */
+	fragmentation_t fragmentation;
+
 	/**
 	 * List of proposals to use
 	 */
 	linked_list_t *proposals;
 };
 
+METHOD(ike_cfg_t, get_version, ike_version_t,
+	private_ike_cfg_t *this)
+{
+	return this->version;
+}
+
 METHOD(ike_cfg_t, send_certreq, bool,
 	private_ike_cfg_t *this)
 {
@@ -96,6 +118,12 @@ METHOD(ike_cfg_t, force_encap_, bool,
 	return this->force_encap;
 }
 
+METHOD(ike_cfg_t, fragmentation, fragmentation_t,
+	private_ike_cfg_t *this)
+{
+	return this->fragmentation;
+}
+
 METHOD(ike_cfg_t, get_my_addr, char*,
 	private_ike_cfg_t *this, bool *allow_any)
 {
@@ -248,8 +276,10 @@ METHOD(ike_cfg_t, equals, bool,
 	e2->destroy(e2);
 
 	return (eq &&
+		this->version == other->version &&
 		this->certreq == other->certreq &&
 		this->force_encap == other->force_encap &&
+		this->fragmentation == other->fragmentation &&
 		streq(this->me, other->me) &&
 		streq(this->other, other->other) &&
 		this->my_port == other->my_port &&
@@ -279,16 +309,19 @@ METHOD(ike_cfg_t, destroy, void,
 /**
  * Described in header.
  */
-ike_cfg_t *ike_cfg_create(bool certreq, bool force_encap,
+ike_cfg_t *ike_cfg_create(ike_version_t version, bool certreq, bool force_encap,
 						  char *me, bool my_allow_any, u_int16_t my_port,
-						  char *other, bool other_allow_any, u_int16_t other_port)
+						  char *other, bool other_allow_any, u_int16_t other_port,
+						  fragmentation_t fragmentation)
 {
 	private_ike_cfg_t *this;
 
 	INIT(this,
 		.public = {
+			.get_version = _get_version,
 			.send_certreq = _send_certreq,
 			.force_encap = _force_encap_,
+			.fragmentation = _fragmentation,
 			.get_my_addr = _get_my_addr,
 			.get_other_addr = _get_other_addr,
 			.get_my_port = _get_my_port,
@@ -302,8 +335,10 @@ ike_cfg_t *ike_cfg_create(bool certreq, bool force_encap,
 			.destroy = _destroy,
 		},
 		.refcount = 1,
+		.version = version,
 		.certreq = certreq,
 		.force_encap = force_encap,
+		.fragmentation = fragmentation,
 		.me = strdup(me),
 		.other = strdup(other),
 		.my_allow_any = my_allow_any,
diff --git a/src/libcharon/config/ike_cfg.h b/src/libcharon/config/ike_cfg.h
index 691d223a3..5a7fae1e9 100644
--- a/src/libcharon/config/ike_cfg.h
+++ b/src/libcharon/config/ike_cfg.h
@@ -1,4 +1,5 @@
 /*
+ * Copyright (C) 2012 Tobias Brunner
  * Copyright (C) 2005-2007 Martin Willi
  * Copyright (C) 2005 Jan Hutter
  * Hochschule fuer Technik Rapperswil
@@ -22,15 +23,46 @@
 #ifndef IKE_CFG_H_
 #define IKE_CFG_H_
 
+typedef enum ike_version_t ike_version_t;
+typedef enum fragmentation_t fragmentation_t;
 typedef struct ike_cfg_t ike_cfg_t;
 
 #include <library.h>
-#include <utils/host.h>
-#include <utils/linked_list.h>
+#include <networking/host.h>
+#include <collections/linked_list.h>
 #include <utils/identification.h>
 #include <config/proposal.h>
 #include <crypto/diffie_hellman.h>
 
+/**
+ * IKE version.
+ */
+enum ike_version_t {
+	/** any version */
+	IKE_ANY = 0,
+	/** IKE version 1 */
+	IKEV1 = 1,
+	/** IKE version 2 */
+	IKEV2 = 2,
+};
+
+/**
+ * Proprietary IKEv1 fragmentation
+ */
+enum fragmentation_t {
+	/** disable fragmentation */
+	FRAGMENTATION_NO,
+	/** enable fragmentation if supported by peer */
+	FRAGMENTATION_YES,
+	/** force use of fragmentation (even for the first message) */
+	FRAGMENTATION_FORCE,
+};
+
+/**
+ * enum strings fro ike_version_t
+ */
+extern enum_name_t *ike_version_names;
+
 /**
  * An ike_cfg_t defines the rules to set up an IKE_SA.
  *
@@ -38,6 +70,13 @@ typedef struct ike_cfg_t ike_cfg_t;
  */
 struct ike_cfg_t {
 
+	/**
+	 * Get the IKE version to use with this configuration.
+	 *
+	 * @return				IKE major version
+	 */
+	ike_version_t (*get_version)(ike_cfg_t *this);
+
 	/**
 	 * Get own address.
 	 *
@@ -109,10 +148,17 @@ struct ike_cfg_t {
 	/**
 	 * Enforce UDP encapsulation by faking NATD notifies?
 	 *
-	 * @return				TRUE to enfoce UDP encapsulation
+	 * @return				TRUE to enforce UDP encapsulation
 	 */
 	bool (*force_encap) (ike_cfg_t *this);
 
+	/**
+	 * Use proprietary IKEv1 fragmentation
+	 *
+	 * @return				TRUE to use fragmentation
+	 */
+	fragmentation_t (*fragmentation) (ike_cfg_t *this);
+
 	/**
 	 * Get the DH group to use for IKE_SA setup.
 	 *
@@ -149,6 +195,7 @@ struct ike_cfg_t {
  *
  * Supplied hosts become owned by ike_cfg, the name gets cloned.
  *
+ * @param version			IKE major version to use for this config
  * @param certreq			TRUE to send a certificate request
  * @param force_encap		enforce UDP encapsulation by faking NATD notify
  * @param me				address/DNS name of local peer
@@ -157,10 +204,12 @@ struct ike_cfg_t {
  * @param other				address/DNS name of remote peer
  * @param other_allow_any	allow override of remote address by any address
  * @param other_port		IKE port to use as dest, 500 uses IKEv2 port floating
+ * @param fragmentation		use IKEv1 fragmentation
  * @return 					ike_cfg_t object.
  */
-ike_cfg_t *ike_cfg_create(bool certreq, bool force_encap,
+ike_cfg_t *ike_cfg_create(ike_version_t version, bool certreq, bool force_encap,
 						  char *me, bool my_allow_any, u_int16_t my_port,
-						  char *other, bool other_allow_any, u_int16_t other_port);
+						  char *other, bool other_allow_any, u_int16_t other_port,
+						  fragmentation_t fragmentation);
 
 #endif /** IKE_CFG_H_ @}*/
diff --git a/src/libcharon/config/peer_cfg.c b/src/libcharon/config/peer_cfg.c
index 01ca026e1..8de7d1289 100644
--- a/src/libcharon/config/peer_cfg.c
+++ b/src/libcharon/config/peer_cfg.c
@@ -22,15 +22,9 @@
 #include <daemon.h>
 
 #include <threading/mutex.h>
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
 #include <utils/identification.h>
 
-ENUM(ike_version_names, IKE_ANY, IKEV2,
-	"IKEv1/2",
-	"IKEv1",
-	"IKEv2",
-);
-
 ENUM(cert_policy_names, CERT_ALWAYS_SEND, CERT_NEVER_SEND,
 	"CERT_ALWAYS_SEND",
 	"CERT_SEND_IF_ASKED",
@@ -65,11 +59,6 @@ struct private_peer_cfg_t {
 	 */
 	char *name;
 
-	/**
-	 * IKE version to use for initiation
-	 */
-	ike_version_t ike_version;
-
 	/**
 	 * IKE config associated to this peer config
 	 */
@@ -188,7 +177,7 @@ METHOD(peer_cfg_t, get_name, char*,
 METHOD(peer_cfg_t, get_ike_version, ike_version_t,
 	private_peer_cfg_t *this)
 {
-	return this->ike_version;
+	return this->ike_cfg->get_version(this->ike_cfg);
 }
 
 METHOD(peer_cfg_t, get_ike_cfg, ike_cfg_t*,
@@ -584,7 +573,7 @@ METHOD(peer_cfg_t, equals, bool,
 	e2->destroy(e2);
 
 	return (
-		this->ike_version == other->ike_version &&
+		get_ike_version(this) == get_ike_version(other) &&
 		this->cert_policy == other->cert_policy &&
 		this->unique == other->unique &&
 		this->keyingtries == other->keyingtries &&
@@ -594,6 +583,7 @@ METHOD(peer_cfg_t, equals, bool,
 		this->jitter_time == other->jitter_time &&
 		this->over_time == other->over_time &&
 		this->dpd == other->dpd &&
+		this->aggressive == other->aggressive &&
 		auth_cfg_equal(this, other)
 #ifdef ME
 		&& this->mediation == other->mediation &&
@@ -639,7 +629,7 @@ METHOD(peer_cfg_t, destroy, void,
 /*
  * Described in header-file
  */
-peer_cfg_t *peer_cfg_create(char *name, ike_version_t ike_version,
+peer_cfg_t *peer_cfg_create(char *name,
 							ike_cfg_t *ike_cfg, cert_policy_t cert_policy,
 							unique_policy_t unique, u_int32_t keyingtries,
 							u_int32_t rekey_time, u_int32_t reauth_time,
@@ -695,7 +685,6 @@ peer_cfg_t *peer_cfg_create(char *name, ike_version_t ike_version,
 #endif /* ME */
 		},
 		.name = strdup(name),
-		.ike_version = ike_version,
 		.ike_cfg = ike_cfg,
 		.child_cfgs = linked_list_create(),
 		.mutex = mutex_create(MUTEX_TYPE_DEFAULT),
diff --git a/src/libcharon/config/peer_cfg.h b/src/libcharon/config/peer_cfg.h
index 97089e1b0..80913beba 100644
--- a/src/libcharon/config/peer_cfg.h
+++ b/src/libcharon/config/peer_cfg.h
@@ -23,37 +23,19 @@
 #ifndef PEER_CFG_H_
 #define PEER_CFG_H_
 
-typedef enum ike_version_t ike_version_t;
 typedef enum cert_policy_t cert_policy_t;
 typedef enum unique_policy_t unique_policy_t;
 typedef struct peer_cfg_t peer_cfg_t;
 
 #include <library.h>
 #include <utils/identification.h>
-#include <utils/enumerator.h>
+#include <collections/enumerator.h>
 #include <selectors/traffic_selector.h>
 #include <config/proposal.h>
 #include <config/ike_cfg.h>
 #include <config/child_cfg.h>
 #include <credentials/auth_cfg.h>
 
-/**
- * IKE version.
- */
-enum ike_version_t {
-	/** any version */
-	IKE_ANY = 0,
-	/** IKE version 1 */
-	IKEV1 = 1,
-	/** IKE version 2 */
-	IKEV2 = 2,
-};
-
-/**
- * enum strings fro ike_version_t
- */
-extern enum_name_t *ike_version_names;
-
 /**
  * Certificate sending policy. This is also used for certificate
  * requests when using this definition for the other peer. If
@@ -374,7 +356,6 @@ struct peer_cfg_t {
  * (rekeylifetime - random(0, jitter)).
  *
  * @param name				name of the peer_cfg
- * @param ike_version		which IKE version we should use for this peer
  * @param ike_cfg			IKE config to use when acting as initiator
  * @param cert_policy		should we send a certificate payload?
  * @param unique			uniqueness of an IKE_SA
@@ -392,7 +373,7 @@ struct peer_cfg_t {
  * @param peer_id			ID that identifies our peer at the mediation server
  * @return					peer_cfg_t object
  */
-peer_cfg_t *peer_cfg_create(char *name, ike_version_t ike_version,
+peer_cfg_t *peer_cfg_create(char *name,
 							ike_cfg_t *ike_cfg, cert_policy_t cert_policy,
 							unique_policy_t unique, u_int32_t keyingtries,
 							u_int32_t rekey_time, u_int32_t reauth_time,
diff --git a/src/libcharon/config/proposal.c b/src/libcharon/config/proposal.c
index 43b467f46..4803c7be2 100644
--- a/src/libcharon/config/proposal.c
+++ b/src/libcharon/config/proposal.c
@@ -19,7 +19,7 @@
 #include "proposal.h"
 
 #include <daemon.h>
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
 #include <utils/identification.h>
 
 #include <crypto/transform.h>
@@ -232,14 +232,21 @@ METHOD(proposal_t, has_dh_group, bool,
 }
 
 METHOD(proposal_t, strip_dh, void,
-	private_proposal_t *this)
+	private_proposal_t *this, diffie_hellman_group_t keep)
 {
+	enumerator_t *enumerator;
 	algorithm_t *alg;
 
-	while (this->dh_groups->remove_last(this->dh_groups, (void**)&alg) == SUCCESS)
+	enumerator = this->dh_groups->create_enumerator(this->dh_groups);
+	while (enumerator->enumerate(enumerator, (void**)&alg))
 	{
-		free(alg);
+		if (alg->algorithm != keep)
+		{
+			this->dh_groups->remove_at(this->dh_groups, enumerator);
+			free(alg);
+		}
 	}
+	enumerator->destroy(enumerator);
 }
 
 /**
@@ -514,6 +521,23 @@ METHOD(proposal_t, clone_, proposal_t*,
 	return &clone->public;
 }
 
+/**
+ * Map integrity algorithms to the PRF functions using the same algorithm.
+ */
+static const struct {
+	integrity_algorithm_t integ;
+	pseudo_random_function_t prf;
+} integ_prf_map[] = {
+	{AUTH_HMAC_SHA1_96,					PRF_HMAC_SHA1					},
+	{AUTH_HMAC_SHA2_256_128,			PRF_HMAC_SHA2_256				},
+	{AUTH_HMAC_SHA2_384_192,			PRF_HMAC_SHA2_384				},
+	{AUTH_HMAC_SHA2_512_256,			PRF_HMAC_SHA2_512				},
+	{AUTH_HMAC_MD5_96,					PRF_HMAC_MD5					},
+	{AUTH_AES_XCBC_96,					PRF_AES128_XCBC					},
+	{AUTH_CAMELLIA_XCBC_96,				PRF_CAMELLIA128_XCBC			},
+	{AUTH_AES_CMAC_96,					PRF_AES128_CMAC					},
+};
+
 /**
  * Checks the proposal read from a string.
  */
@@ -522,6 +546,27 @@ static void check_proposal(private_proposal_t *this)
 	enumerator_t *e;
 	algorithm_t *alg;
 	bool all_aead = TRUE;
+	int i;
+
+	if (this->protocol == PROTO_IKE &&
+		this->prf_algos->get_count(this->prf_algos) == 0)
+	{	/* No explicit PRF found. We assume the same algorithm as used
+		 * for integrity checking */
+		e = this->integrity_algos->create_enumerator(this->integrity_algos);
+		while (e->enumerate(e, &alg))
+		{
+			for (i = 0; i < countof(integ_prf_map); i++)
+			{
+				if (alg->algorithm == integ_prf_map[i].integ)
+				{
+					add_algorithm(this, PSEUDO_RANDOM_FUNCTION,
+								  integ_prf_map[i].prf, 0);
+					break;
+				}
+			}
+		}
+		e->destroy(e);
+	}
 
 	e = this->encryption_algos->create_enumerator(this->encryption_algos);
 	while (e->enumerate(e, &alg))
@@ -572,44 +617,6 @@ static bool add_string_algo(private_proposal_t *this, const char *alg)
 
 	add_algorithm(this, token->type, token->algorithm, token->keysize);
 
-	if (this->protocol == PROTO_IKE && token->type == INTEGRITY_ALGORITHM)
-	{
-		pseudo_random_function_t prf;
-
-		switch (token->algorithm)
-		{
-			case AUTH_HMAC_SHA1_96:
-				prf = PRF_HMAC_SHA1;
-				break;
-			case AUTH_HMAC_SHA2_256_128:
-				prf = PRF_HMAC_SHA2_256;
-				break;
-			case AUTH_HMAC_SHA2_384_192:
-				prf = PRF_HMAC_SHA2_384;
-				break;
-			case AUTH_HMAC_SHA2_512_256:
-				prf = PRF_HMAC_SHA2_512;
-				break;
-			case AUTH_HMAC_MD5_96:
-				prf = PRF_HMAC_MD5;
-				break;
-			case AUTH_AES_XCBC_96:
-				prf = PRF_AES128_XCBC;
-				break;
-			case AUTH_CAMELLIA_XCBC_96:
-				prf = PRF_CAMELLIA128_XCBC;
-				break;
-			case AUTH_AES_CMAC_96:
-				prf = PRF_AES128_CMAC;
-				break;
-			default:
-				prf = PRF_UNDEFINED;
-		}
-		if (prf != PRF_UNDEFINED)
-		{
-			add_algorithm(this, PSEUDO_RANDOM_FUNCTION, prf, 0);
-		}
-	}
 	return TRUE;
 }
 
diff --git a/src/libcharon/config/proposal.h b/src/libcharon/config/proposal.h
index 33abf006c..7733143a8 100644
--- a/src/libcharon/config/proposal.h
+++ b/src/libcharon/config/proposal.h
@@ -27,8 +27,8 @@ typedef struct proposal_t proposal_t;
 
 #include <library.h>
 #include <utils/identification.h>
-#include <utils/linked_list.h>
-#include <utils/host.h>
+#include <collections/linked_list.h>
+#include <networking/host.h>
 #include <crypto/transform.h>
 #include <crypto/crypters/crypter.h>
 #include <crypto/signers/signer.h>
@@ -111,8 +111,10 @@ struct proposal_t {
 
 	/**
 	 * Strip DH groups from proposal to use it without PFS.
+	 *
+	 * @param keep			group to keep (MODP_NONE to remove all)
 	 */
-	void (*strip_dh)(proposal_t *this);
+	void (*strip_dh)(proposal_t *this, diffie_hellman_group_t keep);
 
 	/**
 	 * Compare two proposal, and select a matching subset.
diff --git a/src/libcharon/daemon.c b/src/libcharon/daemon.c
index 6e977efc4..b27e1776a 100644
--- a/src/libcharon/daemon.c
+++ b/src/libcharon/daemon.c
@@ -19,20 +19,28 @@
 #include <stdio.h>
 #include <sys/types.h>
 #include <unistd.h>
+#include <syslog.h>
 #include <time.h>
 
 #include "daemon.h"
 
 #include <library.h>
-#include <plugins/plugin_feature.h>
+#include <bus/listeners/sys_logger.h>
+#include <bus/listeners/file_logger.h>
 #include <config/proposal.h>
+#include <plugins/plugin_feature.h>
 #include <kernel/kernel_handler.h>
 #include <processing/jobs/start_action_job.h>
+#include <threading/mutex.h>
 
 #ifndef CAP_NET_ADMIN
 #define CAP_NET_ADMIN 12
 #endif
 
+#ifndef LOG_AUTHPRIV /* not defined on OpenSolaris */
+#define LOG_AUTHPRIV LOG_AUTH
+#endif
+
 typedef struct private_daemon_t private_daemon_t;
 
 /**
@@ -48,6 +56,31 @@ struct private_daemon_t {
 	 * Handler for kernel events
 	 */
 	kernel_handler_t *kernel_handler;
+
+	/**
+	 * A list of installed loggers (as logger_entry_t*)
+	 */
+	linked_list_t *loggers;
+
+	/**
+	 * Identifier used for syslog (in the openlog call)
+	 */
+	char *syslog_identifier;
+
+	/**
+	 * Mutex for configured loggers
+	 */
+	mutex_t *mutex;
+
+	/**
+	 * Integrity check failed?
+	 */
+	bool integrity_failed;
+
+	/**
+	 * Number of times we have been initialized
+	 */
+	refcount_t ref;
 };
 
 /**
@@ -77,6 +110,325 @@ static void dbg_bus(debug_t group, level_t level, char *fmt, ...)
 	va_end(args);
 }
 
+/**
+ * Some metadata about configured loggers
+ */
+typedef struct {
+	/**
+	 * Target of the logger (syslog facility or filename)
+	 */
+	char *target;
+
+	/**
+	 * TRUE if this is a file logger
+	 */
+	bool file;
+
+	/**
+	 * The actual logger
+	 */
+	union {
+		sys_logger_t *sys;
+		file_logger_t *file;
+	} logger;
+
+} logger_entry_t;
+
+/**
+ * Destroy a logger entry
+ */
+static void logger_entry_destroy(logger_entry_t *this)
+{
+	if (this->file)
+	{
+		DESTROY_IF(this->logger.file);
+	}
+	else
+	{
+		DESTROY_IF(this->logger.sys);
+	}
+	free(this->target);
+	free(this);
+}
+
+/**
+ * Unregister and destroy a logger entry
+ */
+static void logger_entry_unregister_destroy(logger_entry_t *this)
+{
+	if (this->file)
+	{
+		charon->bus->remove_logger(charon->bus, &this->logger.file->logger);
+	}
+	else
+	{
+		charon->bus->remove_logger(charon->bus, &this->logger.sys->logger);
+	}
+	logger_entry_destroy(this);
+}
+
+/**
+ * Match a logger entry by target and whether it is a file or syslog logger
+ */
+static bool logger_entry_match(logger_entry_t *this, char *target, bool *file)
+{
+	return this->file == *file && streq(this->target, target);
+}
+
+/**
+ * Handle configured syslog identifier
+ *
+ * mutex must be locked when calling this function
+ */
+static void handle_syslog_identifier(private_daemon_t *this)
+{
+	char *identifier;
+
+	identifier = lib->settings->get_str(lib->settings, "%s.syslog.identifier",
+										NULL, charon->name);
+	if (identifier)
+	{	/* set identifier, which is prepended to each log line */
+		if (!this->syslog_identifier ||
+			!streq(identifier, this->syslog_identifier))
+		{
+			closelog();
+			this->syslog_identifier = identifier;
+			openlog(this->syslog_identifier, 0, 0);
+		}
+	}
+	else if (this->syslog_identifier)
+	{
+		closelog();
+		this->syslog_identifier = NULL;
+	}
+}
+
+/**
+ * Convert the given string into a syslog facility, returns -1 if the facility
+ * is not supported
+ */
+static int get_syslog_facility(char *facility)
+{
+	if (streq(facility, "daemon"))
+	{
+		return LOG_DAEMON;
+	}
+	else if (streq(facility, "auth"))
+	{
+		return LOG_AUTHPRIV;
+	}
+	return -1;
+}
+
+/**
+ * Returns an existing or newly created logger entry (if found, it is removed
+ * from the given linked list of existing loggers)
+ */
+static logger_entry_t *get_logger_entry(char *target, bool is_file_logger,
+										linked_list_t *existing)
+{
+	logger_entry_t *entry;
+
+	if (existing->find_first(existing, (void*)logger_entry_match,
+							(void**)&entry, target, &is_file_logger) != SUCCESS)
+	{
+		INIT(entry,
+			.target = strdup(target),
+			.file = is_file_logger,
+		);
+		if (is_file_logger)
+		{
+			entry->logger.file = file_logger_create(target);
+		}
+		else
+		{
+			entry->logger.sys = sys_logger_create(get_syslog_facility(target));
+		}
+	}
+	else
+	{
+		existing->remove(existing, entry, NULL);
+	}
+	return entry;
+}
+
+/**
+ * Create or reuse a syslog logger
+ */
+static sys_logger_t *add_sys_logger(private_daemon_t *this, char *facility,
+									linked_list_t *current_loggers)
+{
+	logger_entry_t *entry;
+
+	entry = get_logger_entry(facility, FALSE, current_loggers);
+	this->loggers->insert_last(this->loggers, entry);
+	return entry->logger.sys;
+}
+
+/**
+ * Create or reuse a file logger
+ */
+static file_logger_t *add_file_logger(private_daemon_t *this, char *filename,
+									  linked_list_t *current_loggers)
+{
+	logger_entry_t *entry;
+
+	entry = get_logger_entry(filename, TRUE, current_loggers);
+	this->loggers->insert_last(this->loggers, entry);
+	return entry->logger.file;
+}
+
+/**
+ * Load the given syslog logger configured in strongswan.conf
+ */
+static void load_sys_logger(private_daemon_t *this, char *facility,
+							linked_list_t *current_loggers)
+{
+	sys_logger_t *sys_logger;
+	debug_t group;
+	level_t def;
+
+	if (get_syslog_facility(facility) == -1)
+	{
+		return;
+	}
+
+	sys_logger = add_sys_logger(this, facility, current_loggers);
+	sys_logger->set_options(sys_logger,
+				lib->settings->get_bool(lib->settings, "%s.syslog.%s.ike_name",
+										FALSE, charon->name, facility));
+
+	def = lib->settings->get_int(lib->settings, "%s.syslog.%s.default", 1,
+								 charon->name, facility);
+	for (group = 0; group < DBG_MAX; group++)
+	{
+		sys_logger->set_level(sys_logger, group,
+				lib->settings->get_int(lib->settings, "%s.syslog.%s.%N", def,
+							charon->name, facility, debug_lower_names, group));
+	}
+	charon->bus->add_logger(charon->bus, &sys_logger->logger);
+}
+
+/**
+ * Load the given file logger configured in strongswan.conf
+ */
+static void load_file_logger(private_daemon_t *this, char *filename,
+							 linked_list_t *current_loggers)
+{
+	file_logger_t *file_logger;
+	debug_t group;
+	level_t def;
+	bool ike_name, flush_line, append;
+	char *time_format;
+
+	time_format = lib->settings->get_str(lib->settings,
+					"%s.filelog.%s.time_format", NULL, charon->name, filename);
+	ike_name = lib->settings->get_bool(lib->settings,
+					"%s.filelog.%s.ike_name", FALSE, charon->name, filename);
+	flush_line = lib->settings->get_bool(lib->settings,
+					"%s.filelog.%s.flush_line", FALSE, charon->name, filename);
+	append = lib->settings->get_bool(lib->settings,
+					"%s.filelog.%s.append", TRUE, charon->name, filename);
+
+	file_logger = add_file_logger(this, filename, current_loggers);
+	file_logger->set_options(file_logger, time_format, ike_name);
+	file_logger->open(file_logger, flush_line, append);
+
+	def = lib->settings->get_int(lib->settings, "%s.filelog.%s.default", 1,
+								 charon->name, filename);
+	for (group = 0; group < DBG_MAX; group++)
+	{
+		file_logger->set_level(file_logger, group,
+				lib->settings->get_int(lib->settings, "%s.filelog.%s.%N", def,
+							charon->name, filename, debug_lower_names, group));
+	}
+	charon->bus->add_logger(charon->bus, &file_logger->logger);
+}
+
+METHOD(daemon_t, load_loggers, void,
+	private_daemon_t *this, level_t levels[DBG_MAX], bool to_stderr)
+{
+	enumerator_t *enumerator;
+	linked_list_t *current_loggers;
+	char *target;
+
+	this->mutex->lock(this->mutex);
+	handle_syslog_identifier(this);
+	current_loggers = this->loggers;
+	this->loggers = linked_list_create();
+	enumerator = lib->settings->create_section_enumerator(lib->settings,
+													"%s.syslog", charon->name);
+	while (enumerator->enumerate(enumerator, &target))
+	{
+		load_sys_logger(this, target, current_loggers);
+	}
+	enumerator->destroy(enumerator);
+
+	enumerator = lib->settings->create_section_enumerator(lib->settings,
+													"%s.filelog", charon->name);
+	while (enumerator->enumerate(enumerator, &target))
+	{
+		load_file_logger(this, target, current_loggers);
+	}
+	enumerator->destroy(enumerator);
+
+	if (!this->loggers->get_count(this->loggers) && levels)
+	{	/* setup legacy style default loggers configured via command-line */
+		file_logger_t *file_logger;
+		sys_logger_t *sys_logger;
+		debug_t group;
+
+		sys_logger = add_sys_logger(this, "daemon", current_loggers);
+		file_logger = add_file_logger(this, "stdout", current_loggers);
+		file_logger->open(file_logger, FALSE, FALSE);
+
+		for (group = 0; group < DBG_MAX; group++)
+		{
+			sys_logger->set_level(sys_logger, group, levels[group]);
+			if (to_stderr)
+			{
+				file_logger->set_level(file_logger, group, levels[group]);
+			}
+		}
+		charon->bus->add_logger(charon->bus, &sys_logger->logger);
+		charon->bus->add_logger(charon->bus, &file_logger->logger);
+
+		sys_logger = add_sys_logger(this, "auth", current_loggers);
+		sys_logger->set_level(sys_logger, DBG_ANY, LEVEL_AUDIT);
+		charon->bus->add_logger(charon->bus, &sys_logger->logger);
+	}
+	/* unregister and destroy any unused remaining loggers */
+	current_loggers->destroy_function(current_loggers,
+									 (void*)logger_entry_unregister_destroy);
+	this->mutex->unlock(this->mutex);
+}
+
+METHOD(daemon_t, set_level, void,
+	private_daemon_t *this, debug_t group, level_t level)
+{
+	enumerator_t *enumerator;
+	logger_entry_t *entry;
+
+	/* we set the loglevel on ALL sys- and file-loggers */
+	this->mutex->lock(this->mutex);
+	enumerator = this->loggers->create_enumerator(this->loggers);
+	while (enumerator->enumerate(enumerator, &entry))
+	{
+		if (entry->file)
+		{
+			entry->logger.file->set_level(entry->logger.file, group, level);
+			charon->bus->add_logger(charon->bus, &entry->logger.file->logger);
+		}
+		else
+		{
+			entry->logger.sys->set_level(entry->logger.sys, group, level);
+			charon->bus->add_logger(charon->bus, &entry->logger.sys->logger);
+		}
+	}
+	enumerator->destroy(enumerator);
+	this->mutex->unlock(this->mutex);
+}
+
 /**
  * Clean up all daemon resources
  */
@@ -84,7 +436,8 @@ static void destroy(private_daemon_t *this)
 {
 	/* terminate all idle threads */
 	lib->processor->set_threads(lib->processor, 0);
-
+	/* make sure nobody waits for a DNS query */
+	lib->hosts->flush(lib->hosts);
 	/* close all IKE_SAs */
 	if (this->public.ike_sa_manager)
 	{
@@ -123,10 +476,8 @@ static void destroy(private_daemon_t *this)
 	/* rehook library logging, shutdown logging */
 	dbg = dbg_old;
 	DESTROY_IF(this->public.bus);
-	this->public.file_loggers->destroy_offset(this->public.file_loggers,
-											offsetof(file_logger_t, destroy));
-	this->public.sys_loggers->destroy_offset(this->public.sys_loggers,
-											offsetof(sys_logger_t, destroy));
+	this->loggers->destroy_function(this->loggers, (void*)logger_entry_destroy);
+	this->mutex->destroy(this->mutex);
 	free((void*)this->public.name);
 	free(this);
 }
@@ -222,11 +573,14 @@ private_daemon_t *daemon_create(const char *name)
 		.public = {
 			.initialize = _initialize,
 			.start = _start,
+			.load_loggers = _load_loggers,
+			.set_level = _set_level,
 			.bus = bus_create(),
-			.file_loggers = linked_list_create(),
-			.sys_loggers = linked_list_create(),
 			.name = strdup(name ?: "libcharon"),
 		},
+		.loggers = linked_list_create(),
+		.mutex = mutex_create(MUTEX_TYPE_DEFAULT),
+		.ref = 1,
 	);
 	charon = &this->public;
 	this->public.caps = capabilities_create();
@@ -249,7 +603,14 @@ private_daemon_t *daemon_create(const char *name)
  */
 void libcharon_deinit()
 {
-	destroy((private_daemon_t*)charon);
+	private_daemon_t *this = (private_daemon_t*)charon;
+
+	if (!this || !ref_put(&this->ref))
+	{	/* have more users */
+		return;
+	}
+
+	destroy(this);
 	charon = NULL;
 }
 
@@ -258,7 +619,16 @@ void libcharon_deinit()
  */
 bool libcharon_init(const char *name)
 {
-	daemon_create(name);
+	private_daemon_t *this;
+
+	if (charon)
+	{	/* already initialized, increase refcount */
+		this = (private_daemon_t*)charon;
+		ref_get(&this->ref);
+		return !this->integrity_failed;
+	}
+
+	this = daemon_create(name);
 
 	/* for uncritical pseudo random numbers */
 	srandom(time(NULL) + getpid());
@@ -276,8 +646,7 @@ bool libcharon_init(const char *name)
 		!lib->integrity->check(lib->integrity, "libcharon", libcharon_init))
 	{
 		dbg(DBG_DMN, 1, "integrity check of libcharon failed");
-		return FALSE;
+		this->integrity_failed = TRUE;
 	}
-
-	return TRUE;
+	return !this->integrity_failed;
 }
diff --git a/src/libcharon/daemon.h b/src/libcharon/daemon.h
index b67de77b8..2926d945b 100644
--- a/src/libcharon/daemon.h
+++ b/src/libcharon/daemon.h
@@ -157,8 +157,6 @@ typedef struct daemon_t daemon_t;
 #include <network/socket_manager.h>
 #include <control/controller.h>
 #include <bus/bus.h>
-#include <bus/listeners/file_logger.h>
-#include <bus/listeners/sys_logger.h>
 #include <sa/ike_sa_manager.h>
 #include <sa/trap_manager.h>
 #include <sa/shunt_manager.h>
@@ -247,16 +245,6 @@ struct daemon_t {
 	 */
 	bus_t *bus;
 
-	/**
-	 * A list of installed file_logger_t's
-	 */
-	linked_list_t *file_loggers;
-
-	/**
-	 * A list of installed sys_logger_t's
-	 */
-	linked_list_t *sys_loggers;
-
 	/**
 	 * Controller to control the daemon
 	 */
@@ -307,6 +295,25 @@ struct daemon_t {
 	 */
 	void (*start)(daemon_t *this);
 
+	/**
+	 * Load/Reload loggers defined in strongswan.conf
+	 *
+	 * @param levels	optional debug levels used to create default loggers
+	 * 					if none are defined in strongswan.conf
+	 * @param to_stderr	TRUE to log to stderr/stdout if no loggers are defined
+	 * 					in strongswan.conf
+	 */
+	void (*load_loggers)(daemon_t *this, level_t levels[DBG_MAX],
+						 bool to_stderr);
+
+	/**
+	 * Set the log level for the given log group for all configured file- and
+	 * syslog-loggers.
+	 *
+	 * @param group		log group
+	 * @param level		log level
+	 */
+	void (*set_level)(daemon_t *this, debug_t group, level_t level);
 };
 
 /**
@@ -322,6 +329,9 @@ extern daemon_t *charon;
  * This function initializes the bus, listeners can be registered before
  * calling initialize().
  *
+ * libcharon_init() may be called multiple times in a single process, but each
+ * caller should call libcharon_deinit() for each call to libcharon_init().
+ *
  * @param name	name of the binary that uses the library
  * @return		FALSE if integrity check failed
  */
diff --git a/src/libcharon/encoding/generator.c b/src/libcharon/encoding/generator.c
index 2dfaf43df..2b6825c71 100644
--- a/src/libcharon/encoding/generator.c
+++ b/src/libcharon/encoding/generator.c
@@ -24,7 +24,7 @@
 
 #include <library.h>
 #include <daemon.h>
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
 #include <encoding/payloads/payload.h>
 #include <encoding/payloads/proposal_substructure.h>
 #include <encoding/payloads/transform_substructure.h>
diff --git a/src/libcharon/encoding/message.c b/src/libcharon/encoding/message.c
index d3b72ea95..28fdda735 100644
--- a/src/libcharon/encoding/message.c
+++ b/src/libcharon/encoding/message.c
@@ -57,7 +57,7 @@
 /**
  * Max number of certificate request payloads per IKEv1 message
  */
-#define MAX_CERTREQ_PAYLOADS 5
+#define MAX_CERTREQ_PAYLOADS 20
 
 /**
  * Max number of NAT-D payloads per IKEv1 message
@@ -437,10 +437,12 @@ static payload_rule_t id_prot_i_rules[] = {
 	{VENDOR_ID_V1,				0,	MAX_VID_PAYLOADS,		FALSE,	FALSE},
 	{CERTIFICATE_REQUEST_V1,	0,	MAX_CERTREQ_PAYLOADS,	FALSE,	FALSE},
 	{NAT_D_V1,					0,	MAX_NAT_D_PAYLOADS,		FALSE,	FALSE},
+	{NAT_D_DRAFT_00_03_V1,		0,	MAX_NAT_D_PAYLOADS,		FALSE,	FALSE},
 	{ID_V1,						0,	1,						TRUE,	FALSE},
 	{CERTIFICATE_V1,			0,	2,						TRUE,	FALSE},
 	{SIGNATURE_V1,				0,	1,						TRUE,	FALSE},
 	{HASH_V1,					0,	1,						TRUE,	FALSE},
+	{FRAGMENT_V1,				0,	1,						FALSE,	TRUE},
 };
 
 /**
@@ -459,6 +461,8 @@ static payload_order_t id_prot_i_order[] = {
 	{NOTIFY_V1,					0},
 	{VENDOR_ID_V1,				0},
 	{NAT_D_V1,					0},
+	{NAT_D_DRAFT_00_03_V1,		0},
+	{FRAGMENT_V1,				0},
 };
 
 /**
@@ -473,10 +477,12 @@ static payload_rule_t id_prot_r_rules[] = {
 	{VENDOR_ID_V1,				0,	MAX_VID_PAYLOADS,		FALSE,	FALSE},
 	{CERTIFICATE_REQUEST_V1,	0,	MAX_CERTREQ_PAYLOADS,	FALSE,	FALSE},
 	{NAT_D_V1,					0,	MAX_NAT_D_PAYLOADS,		FALSE,	FALSE},
+	{NAT_D_DRAFT_00_03_V1,		0,	MAX_NAT_D_PAYLOADS,		FALSE,	FALSE},
 	{ID_V1,						0,	1,						TRUE,	FALSE},
 	{CERTIFICATE_V1,			0,	2,						TRUE,	FALSE},
 	{SIGNATURE_V1,				0,	1,						TRUE,	FALSE},
 	{HASH_V1,					0,	1,						TRUE,	FALSE},
+	{FRAGMENT_V1,				0,	1,						FALSE,	TRUE},
 };
 
 /**
@@ -495,6 +501,8 @@ static payload_order_t id_prot_r_order[] = {
 	{NOTIFY_V1,					0},
 	{VENDOR_ID_V1,				0},
 	{NAT_D_V1,					0},
+	{NAT_D_DRAFT_00_03_V1,		0},
+	{FRAGMENT_V1,				0},
 };
 
 /**
@@ -509,10 +517,12 @@ static payload_rule_t aggressive_i_rules[] = {
 	{VENDOR_ID_V1,				0,	MAX_VID_PAYLOADS,		FALSE,	FALSE},
 	{CERTIFICATE_REQUEST_V1,	0,	MAX_CERTREQ_PAYLOADS,	FALSE,	FALSE},
 	{NAT_D_V1,					0,	MAX_NAT_D_PAYLOADS,		FALSE,	FALSE},
+	{NAT_D_DRAFT_00_03_V1,		0,	MAX_NAT_D_PAYLOADS,		FALSE,	FALSE},
 	{ID_V1,						0,	1,						FALSE,	FALSE},
 	{CERTIFICATE_V1,			0,	1,						TRUE,	FALSE},
 	{SIGNATURE_V1,				0,	1,						TRUE,	FALSE},
 	{HASH_V1,					0,	1,						TRUE,	FALSE},
+	{FRAGMENT_V1,				0,	1,						FALSE,	TRUE},
 };
 
 /**
@@ -526,11 +536,13 @@ static payload_order_t aggressive_i_order[] = {
 	{ID_V1,						0},
 	{CERTIFICATE_V1,			0},
 	{NAT_D_V1,					0},
+	{NAT_D_DRAFT_00_03_V1,		0},
 	{SIGNATURE_V1,				0},
 	{HASH_V1,					0},
 	{CERTIFICATE_REQUEST_V1,	0},
 	{NOTIFY_V1,					0},
 	{VENDOR_ID_V1,				0},
+	{FRAGMENT_V1,				0},
 };
 
 /**
@@ -545,10 +557,12 @@ static payload_rule_t aggressive_r_rules[] = {
 	{VENDOR_ID_V1,				0,	MAX_VID_PAYLOADS,		FALSE,	FALSE},
 	{CERTIFICATE_REQUEST_V1,	0,	MAX_CERTREQ_PAYLOADS,	FALSE,	FALSE},
 	{NAT_D_V1,					0,	MAX_NAT_D_PAYLOADS,		FALSE,	FALSE},
+	{NAT_D_DRAFT_00_03_V1,		0,	MAX_NAT_D_PAYLOADS,		FALSE,	FALSE},
 	{ID_V1,						0,	1,						FALSE,	FALSE},
 	{CERTIFICATE_V1,			0,	1,						FALSE,	FALSE},
 	{SIGNATURE_V1,				0,	1,						FALSE,	FALSE},
 	{HASH_V1,					0,	1,						FALSE,	FALSE},
+	{FRAGMENT_V1,				0,	1,						FALSE,	TRUE},
 };
 
 /**
@@ -562,11 +576,13 @@ static payload_order_t aggressive_r_order[] = {
 	{ID_V1,						0},
 	{CERTIFICATE_V1,			0},
 	{NAT_D_V1,					0},
+	{NAT_D_DRAFT_00_03_V1,		0},
 	{SIGNATURE_V1,				0},
 	{HASH_V1,					0},
 	{CERTIFICATE_REQUEST_V1,	0},
 	{NOTIFY_V1,					0},
 	{VENDOR_ID_V1,				0},
+	{FRAGMENT_V1,				0},
 };
 
 /**
@@ -624,6 +640,7 @@ static payload_rule_t quick_mode_i_rules[] = {
 	{KEY_EXCHANGE_V1,			0,	1,						TRUE,	FALSE},
 	{ID_V1,						0,	2,						TRUE,	FALSE},
 	{NAT_OA_V1,					0,	2,						TRUE,	FALSE},
+	{NAT_OA_DRAFT_00_03_V1,		0,	2,						TRUE,	FALSE},
 };
 
 /**
@@ -639,6 +656,7 @@ static payload_order_t quick_mode_i_order[] = {
 	{KEY_EXCHANGE_V1,			0},
 	{ID_V1,						0},
 	{NAT_OA_V1,					0},
+	{NAT_OA_DRAFT_00_03_V1,		0},
 };
 
 /**
@@ -654,6 +672,7 @@ static payload_rule_t quick_mode_r_rules[] = {
 	{KEY_EXCHANGE_V1,			0,	1,						TRUE,	FALSE},
 	{ID_V1,						0,	2,						TRUE,	FALSE},
 	{NAT_OA_V1,					0,	2,						TRUE,	FALSE},
+	{NAT_OA_DRAFT_00_03_V1,		0,	2,						TRUE,	FALSE},
 };
 
 /**
@@ -669,6 +688,7 @@ static payload_order_t quick_mode_r_order[] = {
 	{KEY_EXCHANGE_V1,			0},
 	{ID_V1,						0},
 	{NAT_OA_V1,					0},
+	{NAT_OA_DRAFT_00_03_V1,		0},
 };
 
 /**
@@ -1681,6 +1701,12 @@ METHOD(message_t, parse_header, status_t,
 	}
 	this->first_payload = ike_header->payload_interface.get_next_type(
 												&ike_header->payload_interface);
+	if (this->first_payload == FRAGMENT_V1 && this->is_encrypted)
+	{	/* racoon sets the encryted bit when sending a fragment, but these
+		 * messages are really not encrypted */
+		this->is_encrypted = FALSE;
+	}
+
 	for (i = 0; i < countof(this->reserved); i++)
 	{
 		reserved = payload_get_field(&ike_header->payload_interface,
diff --git a/src/libcharon/encoding/message.h b/src/libcharon/encoding/message.h
index 6d558daf6..2c11e4581 100644
--- a/src/libcharon/encoding/message.h
+++ b/src/libcharon/encoding/message.h
@@ -31,8 +31,8 @@ typedef struct message_t message_t;
 #include <encoding/payloads/notify_payload.h>
 #include <sa/keymat.h>
 #include <sa/ike_sa_id.h>
-#include <utils/packet.h>
-#include <utils/linked_list.h>
+#include <networking/packet.h>
+#include <collections/linked_list.h>
 
 /**
  * This class is used to represent an IKE-Message.
diff --git a/src/libcharon/encoding/parser.c b/src/libcharon/encoding/parser.c
index e4b140c3e..9e7f8311b 100644
--- a/src/libcharon/encoding/parser.c
+++ b/src/libcharon/encoding/parser.c
@@ -22,7 +22,7 @@
 
 #include <library.h>
 #include <daemon.h>
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
 #include <encoding/payloads/encodings.h>
 #include <encoding/payloads/payload.h>
 #include <encoding/payloads/sa_payload.h>
diff --git a/src/libcharon/encoding/payloads/cert_payload.c b/src/libcharon/encoding/payloads/cert_payload.c
index 3a230b91e..a32f5705d 100644
--- a/src/libcharon/encoding/payloads/cert_payload.c
+++ b/src/libcharon/encoding/payloads/cert_payload.c
@@ -234,6 +234,23 @@ METHOD(cert_payload_t, get_cert, certificate_t*,
 							  BUILD_BLOB_ASN1_DER, this->data, BUILD_END);
 }
 
+METHOD(cert_payload_t, get_container, container_t*,
+	private_cert_payload_t *this)
+{
+	int type;
+
+	switch (this->encoding)
+	{
+		case ENC_PKCS7_WRAPPED_X509:
+			type = CONTAINER_PKCS7;
+			break;
+		default:
+			return NULL;
+	}
+	return lib->creds->create(lib->creds, CRED_CONTAINER, type,
+							  BUILD_BLOB_ASN1_DER, this->data, BUILD_END);
+}
+
 METHOD(cert_payload_t, get_hash, chunk_t,
 	private_cert_payload_t *this)
 {
@@ -289,6 +306,7 @@ cert_payload_t *cert_payload_create(payload_type_t type)
 				.destroy = _destroy,
 			},
 			.get_cert = _get_cert,
+			.get_container = _get_container,
 			.get_cert_encoding = _get_cert_encoding,
 			.get_hash = _get_hash,
 			.get_url = _get_url,
diff --git a/src/libcharon/encoding/payloads/cert_payload.h b/src/libcharon/encoding/payloads/cert_payload.h
index 19ed2ccd2..834f35d60 100644
--- a/src/libcharon/encoding/payloads/cert_payload.h
+++ b/src/libcharon/encoding/payloads/cert_payload.h
@@ -28,10 +28,11 @@ typedef enum cert_encoding_t cert_encoding_t;
 
 #include <library.h>
 #include <credentials/certificates/certificate.h>
+#include <credentials/containers/container.h>
 #include <encoding/payloads/payload.h>
 
 /**
- * Certifcate encodings, as in RFC4306
+ * Certificate encodings, as in RFC4306
  */
 enum cert_encoding_t {
 	ENC_PKCS7_WRAPPED_X509 =		 1,
@@ -65,12 +66,19 @@ struct cert_payload_t {
 	payload_t payload_interface;
 
 	/**
-	 * Get the playoads encoded certifcate.
+	 * Get the payloads encoded certificate.
 	 *
-	 * @return				certifcate copy
+	 * @return				certificate copy
 	 */
 	certificate_t *(*get_cert)(cert_payload_t *this);
 
+	/**
+	 * Get the payloads certificate container.
+	 *
+	 * @return				container copy
+	 */
+	container_t *(*get_container)(cert_payload_t *this);
+
 	/**
 	 * Get the encoding of the certificate.
 	 *
diff --git a/src/libcharon/encoding/payloads/certreq_payload.h b/src/libcharon/encoding/payloads/certreq_payload.h
index cce71c0ad..2915decf3 100644
--- a/src/libcharon/encoding/payloads/certreq_payload.h
+++ b/src/libcharon/encoding/payloads/certreq_payload.h
@@ -56,7 +56,7 @@ struct certreq_payload_t {
 	/**
 	 * Add a certificates keyid to the payload (IKEv2 only).
 	 *
-	 * @param keyid		keyid of the trusted certifcate
+	 * @param keyid		keyid of the trusted certificate
 	 * @return
 	 */
 	void (*add_keyid)(certreq_payload_t *this, chunk_t keyid);
diff --git a/src/libcharon/encoding/payloads/cp_payload.c b/src/libcharon/encoding/payloads/cp_payload.c
index 40f6ae48f..f6f373f99 100644
--- a/src/libcharon/encoding/payloads/cp_payload.c
+++ b/src/libcharon/encoding/payloads/cp_payload.c
@@ -20,7 +20,7 @@
 #include "cp_payload.h"
 
 #include <encoding/payloads/encodings.h>
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
 
 ENUM(config_type_names, CFG_REQUEST, CFG_ACK,
 	"CFG_REQUEST",
diff --git a/src/libcharon/encoding/payloads/cp_payload.h b/src/libcharon/encoding/payloads/cp_payload.h
index 5eb1e06a7..c23bc0bb4 100644
--- a/src/libcharon/encoding/payloads/cp_payload.h
+++ b/src/libcharon/encoding/payloads/cp_payload.h
@@ -28,7 +28,7 @@ typedef struct cp_payload_t cp_payload_t;
 #include <library.h>
 #include <encoding/payloads/payload.h>
 #include <encoding/payloads/configuration_attribute.h>
-#include <utils/enumerator.h>
+#include <collections/enumerator.h>
 
 /**
  * Config Type of an Configuration Payload.
diff --git a/src/libcharon/encoding/payloads/eap_payload.c b/src/libcharon/encoding/payloads/eap_payload.c
index dd2e25795..f2f35aa69 100644
--- a/src/libcharon/encoding/payloads/eap_payload.c
+++ b/src/libcharon/encoding/payloads/eap_payload.c
@@ -410,14 +410,15 @@ eap_payload_t *eap_payload_create_nak(u_int8_t identifier, eap_type_t type,
 	eap_type_t reg_type;
 	u_int32_t reg_vendor;
 	bio_writer_t *writer;
-	chunk_t length, data;
+	chunk_t data;
 	bool added_any = FALSE, found_vendor = FALSE;
 	eap_payload_t *payload;
 
 	writer = bio_writer_create(12);
 	writer->write_uint8(writer, EAP_RESPONSE);
 	writer->write_uint8(writer, identifier);
-	length = writer->skip(writer, 2);
+	/* write zero length, we update it once we know the length */
+	writer->write_uint16(writer, 0);
 
 	write_type(writer, EAP_NAK, 0, expanded);
 
@@ -453,10 +454,9 @@ eap_payload_t *eap_payload_create_nak(u_int8_t identifier, eap_type_t type,
 
 	/* set length */
 	data = writer->get_buf(writer);
-	htoun16(length.ptr, data.len);
+	htoun16(data.ptr + offsetof(eap_packet_t, length), data.len);
 
 	payload = eap_payload_create_data(data);
 	writer->destroy(writer);
 	return payload;
 }
-
diff --git a/src/libcharon/encoding/payloads/encryption_payload.c b/src/libcharon/encoding/payloads/encryption_payload.c
index 02e7b8bf3..6ba1b23a0 100644
--- a/src/libcharon/encoding/payloads/encryption_payload.c
+++ b/src/libcharon/encoding/payloads/encryption_payload.c
@@ -23,7 +23,7 @@
 
 #include <daemon.h>
 #include <encoding/payloads/encodings.h>
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
 #include <encoding/generator.h>
 #include <encoding/parser.h>
 
diff --git a/src/libcharon/encoding/payloads/fragment_payload.c b/src/libcharon/encoding/payloads/fragment_payload.c
new file mode 100644
index 000000000..1a6b3234b
--- /dev/null
+++ b/src/libcharon/encoding/payloads/fragment_payload.c
@@ -0,0 +1,225 @@
+/*
+ * Copyright (C) 2012 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "fragment_payload.h"
+
+#include <encoding/payloads/encodings.h>
+
+/** Flag that is set in case the given fragment is the last for the message */
+#define LAST_FRAGMENT 0x01
+
+typedef struct private_fragment_payload_t private_fragment_payload_t;
+
+/**
+ * Private data of an fragment_payload_t object.
+ */
+struct private_fragment_payload_t {
+
+	/**
+	 * Public fragment_payload_t interface.
+	 */
+	fragment_payload_t public;
+
+	/**
+	 * Next payload type.
+	 */
+	u_int8_t next_payload;
+
+	/**
+	 * Reserved byte
+	 */
+	u_int8_t reserved;
+
+	/**
+	 * Length of this payload.
+	 */
+	u_int16_t payload_length;
+
+	/**
+	 * Fragment ID.
+	 */
+	u_int16_t fragment_id;
+
+	/**
+	 * Fragment number.
+	 */
+	u_int8_t fragment_number;
+
+	/**
+	 * Flags
+	 */
+	u_int8_t flags;
+
+	/**
+	 * The contained fragment data.
+	 */
+	chunk_t data;
+};
+
+/**
+ * Encoding rules for an IKEv1 fragment payload
+ */
+static encoding_rule_t encodings[] = {
+	/* 1 Byte next payload type, stored in the field next_payload */
+	{ U_INT_8,			offsetof(private_fragment_payload_t, next_payload)		},
+	{ RESERVED_BYTE,	offsetof(private_fragment_payload_t, reserved)			},
+	/* Length of the whole payload*/
+	{ PAYLOAD_LENGTH,	offsetof(private_fragment_payload_t, payload_length)	},
+	{ U_INT_16,			offsetof(private_fragment_payload_t, fragment_id)		},
+	{ U_INT_8,			offsetof(private_fragment_payload_t, fragment_number)	},
+	{ U_INT_8,			offsetof(private_fragment_payload_t, flags)				},
+	/* Fragment data is of variable size */
+	{ CHUNK_DATA,		offsetof(private_fragment_payload_t, data)				},
+};
+
+/*
+                           1                   2                   3
+       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+      ! Next Payload  !    RESERVED   !         Payload Length        !
+      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+      !         Fragment ID           !  Fragment Num !     Flags     !
+      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+      !                                                               !
+      ~                       Fragment Data                           ~
+      !                                                               !
+      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+*/
+
+METHOD(payload_t, verify, status_t,
+	private_fragment_payload_t *this)
+{
+	if (this->fragment_number == 0)
+	{
+		return FAILED;
+	}
+	return SUCCESS;
+}
+
+METHOD(payload_t, get_encoding_rules, int,
+	private_fragment_payload_t *this, encoding_rule_t **rules)
+{
+	*rules = encodings;
+	return countof(encodings);
+}
+
+METHOD(payload_t, get_header_length, int,
+	private_fragment_payload_t *this)
+{
+	return 8;
+}
+
+METHOD(payload_t, get_type, payload_type_t,
+	private_fragment_payload_t *this)
+{
+	return FRAGMENT_V1;
+}
+
+METHOD(payload_t, get_next_type, payload_type_t,
+	private_fragment_payload_t *this)
+{
+	return this->next_payload;
+}
+
+METHOD(payload_t, set_next_type, void,
+	private_fragment_payload_t *this, payload_type_t type)
+{
+	this->next_payload = type;
+}
+
+METHOD(payload_t, get_length, size_t,
+	private_fragment_payload_t *this)
+{
+	return this->payload_length;
+}
+
+METHOD(fragment_payload_t, get_id, u_int16_t,
+	private_fragment_payload_t *this)
+{
+	return this->fragment_id;
+}
+
+METHOD(fragment_payload_t, get_number, u_int8_t,
+	private_fragment_payload_t *this)
+{
+	return this->fragment_number;
+}
+
+METHOD(fragment_payload_t, is_last, bool,
+	private_fragment_payload_t *this)
+{
+	return (this->flags & LAST_FRAGMENT) == LAST_FRAGMENT;
+}
+
+METHOD(fragment_payload_t, get_data, chunk_t,
+	private_fragment_payload_t *this)
+{
+	return this->data;
+}
+
+METHOD2(payload_t, fragment_payload_t, destroy, void,
+	private_fragment_payload_t *this)
+{
+	free(this->data.ptr);
+	free(this);
+}
+
+/*
+ * Described in header
+ */
+fragment_payload_t *fragment_payload_create()
+{
+	private_fragment_payload_t *this;
+
+	INIT(this,
+		.public = {
+			.payload_interface = {
+				.verify = _verify,
+				.get_encoding_rules = _get_encoding_rules,
+				.get_header_length = _get_header_length,
+				.get_length = _get_length,
+				.get_next_type = _get_next_type,
+				.set_next_type = _set_next_type,
+				.get_type = _get_type,
+				.destroy = _destroy,
+			},
+			.get_id = _get_id,
+			.get_number = _get_number,
+			.is_last = _is_last,
+			.get_data = _get_data,
+			.destroy = _destroy,
+		},
+		.next_payload = NO_PAYLOAD,
+	);
+	this->payload_length = get_header_length(this);
+	return &this->public;
+}
+
+/*
+ * Described in header
+ */
+fragment_payload_t *fragment_payload_create_from_data(u_int8_t num, bool last,
+													  chunk_t data)
+{
+	private_fragment_payload_t *this;
+
+	this = (private_fragment_payload_t*)fragment_payload_create();
+	this->fragment_id = 1;
+	this->fragment_number = num;
+	this->flags |= (last ? LAST_FRAGMENT : 0);
+	this->data = chunk_clone(data);
+	this->payload_length = get_header_length(this) + data.len;
+	return &this->public;
+}
\ No newline at end of file
diff --git a/src/libcharon/encoding/payloads/fragment_payload.h b/src/libcharon/encoding/payloads/fragment_payload.h
new file mode 100644
index 000000000..a49cf32dd
--- /dev/null
+++ b/src/libcharon/encoding/payloads/fragment_payload.h
@@ -0,0 +1,94 @@
+/*
+ * Copyright (C) 2012 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup fragment_payload fragment_payload
+ * @{ @ingroup payloads
+ */
+
+#ifndef FRAGMENT_PAYLOAD_H_
+#define FRAGMENT_PAYLOAD_H_
+
+typedef struct fragment_payload_t fragment_payload_t;
+
+#include <library.h>
+#include <encoding/payloads/payload.h>
+
+/**
+ * Object representing an IKEv1 fragment payload.
+ */
+struct fragment_payload_t {
+
+	/**
+	 * The payload_t interface.
+	 */
+	payload_t payload_interface;
+
+	/**
+	 * Get the fragment ID. Identifies the fragments for a particular IKE
+	 * message.
+	 *
+	 * @return				fragment ID
+	 */
+	u_int16_t (*get_id)(fragment_payload_t *this);
+
+	/**
+	 * Get the fragment number. Defines the order of the fragments.
+	 *
+	 * @return				fragment number
+	 */
+	u_int8_t (*get_number)(fragment_payload_t *this);
+
+	/**
+	 * Check if this is the last fragment.
+	 *
+	 * @return				TRUE if this is the last fragment
+	 */
+	bool (*is_last)(fragment_payload_t *this);
+
+	/**
+	 * Get the fragment data.
+	 *
+	 * @return				chunkt to internal fragment data
+	 */
+	chunk_t (*get_data)(fragment_payload_t *this);
+
+	/**
+	 * Destroys an fragment_payload_t object.
+	 */
+	void (*destroy)(fragment_payload_t *this);
+};
+
+/**
+ * Creates an empty fragment_payload_t object.
+ *
+ * @return			fragment_payload_t object
+ */
+fragment_payload_t *fragment_payload_create();
+
+/**
+ * Creates a fragment payload from the given data.  All fragments currently
+ * have the same fragment ID (1), which seems what other implementations are
+ * doing.
+ *
+ * @param num		fragment number (first one should be 1)
+ * @param last		TRUE to indicate that this is the last fragment
+ * @param data		fragment data (gets cloned)
+ * @return			fragment_payload_t object
+ */
+fragment_payload_t *fragment_payload_create_from_data(u_int8_t num, bool last,
+													  chunk_t data);
+
+#endif /** FRAGMENT_PAYLOAD_H_ @}*/
diff --git a/src/libcharon/encoding/payloads/id_payload.c b/src/libcharon/encoding/payloads/id_payload.c
index 02b07d691..7470bb3b4 100644
--- a/src/libcharon/encoding/payloads/id_payload.c
+++ b/src/libcharon/encoding/payloads/id_payload.c
@@ -165,7 +165,7 @@ METHOD(payload_t, verify, status_t,
 {
 	bool bad_length = FALSE;
 
-	if (this->type == NAT_OA_V1 &&
+	if ((this->type == NAT_OA_V1 || this->type == NAT_OA_DRAFT_00_03_V1) &&
 		this->id_type != ID_IPV4_ADDR && this->id_type != ID_IPV6_ADDR)
 	{
 		DBG1(DBG_ENC, "invalid ID type %N for %N payload", id_type_names,
@@ -195,7 +195,8 @@ METHOD(payload_t, verify, status_t,
 METHOD(payload_t, get_encoding_rules, int,
 	private_id_payload_t *this, encoding_rule_t **rules)
 {
-	if (this->type == ID_V1 || this->type == NAT_OA_V1)
+	if (this->type == ID_V1 ||
+		this->type == NAT_OA_V1 || this->type == NAT_OA_DRAFT_00_03_V1)
 	{
 		*rules = encodings_v1;
 		return countof(encodings_v1);
diff --git a/src/libcharon/encoding/payloads/ike_header.h b/src/libcharon/encoding/payloads/ike_header.h
index e6b7d0dff..d9a44dd0c 100644
--- a/src/libcharon/encoding/payloads/ike_header.h
+++ b/src/libcharon/encoding/payloads/ike_header.h
@@ -72,7 +72,7 @@ enum exchange_type_t{
 	AUTH_ONLY = 3,
 
 	/**
-	 * Aggresive (Aggressive mode)
+	 * Aggressive (Aggressive mode)
 	 */
 	AGGRESSIVE = 4,
 
diff --git a/src/libcharon/encoding/payloads/ke_payload.h b/src/libcharon/encoding/payloads/ke_payload.h
index 5942954d9..d3aa18484 100644
--- a/src/libcharon/encoding/payloads/ke_payload.h
+++ b/src/libcharon/encoding/payloads/ke_payload.h
@@ -27,7 +27,7 @@ typedef struct ke_payload_t ke_payload_t;
 #include <library.h>
 #include <encoding/payloads/payload.h>
 #include <encoding/payloads/transform_substructure.h>
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
 #include <crypto/diffie_hellman.h>
 
 /**
diff --git a/src/libcharon/encoding/payloads/notify_payload.h b/src/libcharon/encoding/payloads/notify_payload.h
index beec1e233..498c659b1 100644
--- a/src/libcharon/encoding/payloads/notify_payload.h
+++ b/src/libcharon/encoding/payloads/notify_payload.h
@@ -30,7 +30,7 @@ typedef struct notify_payload_t notify_payload_t;
 #include <library.h>
 #include <encoding/payloads/payload.h>
 #include <encoding/payloads/proposal_substructure.h>
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
 
 /**
  * Notify message types for IKEv2, and a subset for IKEv1.
diff --git a/src/libcharon/encoding/payloads/payload.c b/src/libcharon/encoding/payloads/payload.c
index dc158476b..f9dd33edb 100644
--- a/src/libcharon/encoding/payloads/payload.c
+++ b/src/libcharon/encoding/payloads/payload.c
@@ -36,6 +36,7 @@
 #include <encoding/payloads/configuration_attribute.h>
 #include <encoding/payloads/eap_payload.h>
 #include <encoding/payloads/hash_payload.h>
+#include <encoding/payloads/fragment_payload.h>
 #include <encoding/payloads/unknown_payload.h>
 
 ENUM_BEGIN(payload_type_names, NO_PAYLOAD, NO_PAYLOAD,
@@ -79,20 +80,17 @@ ENUM_NEXT(payload_type_names, SECURITY_ASSOCIATION, GENERIC_SECURE_PASSWORD_METH
 #ifdef ME
 ENUM_NEXT(payload_type_names, ID_PEER, ID_PEER, GENERIC_SECURE_PASSWORD_METHOD,
 	"ID_PEER");
-ENUM_NEXT(payload_type_names, HEADER, ENCRYPTED_V1, ID_PEER,
-	"HEADER",
-	"PROPOSAL_SUBSTRUCTURE",
-	"PROPOSAL_SUBSTRUCTURE_V1",
-	"TRANSFORM_SUBSTRUCTURE",
-	"TRANSFORM_SUBSTRUCTURE_V1",
-	"TRANSFORM_ATTRIBUTE",
-	"TRANSFORM_ATTRIBUTE_V1",
-	"TRAFFIC_SELECTOR_SUBSTRUCTURE",
-	"CONFIGURATION_ATTRIBUTE",
-	"CONFIGURATION_ATTRIBUTE_V1",
-	"ENCRYPTED_V1");
+ENUM_NEXT(payload_type_names, NAT_D_DRAFT_00_03_V1, FRAGMENT_V1, ID_PEER,
+	"NAT_D_DRAFT_V1",
+	"NAT_OA_DRAFT_V1",
+	"FRAGMENT");
 #else
-ENUM_NEXT(payload_type_names, HEADER, ENCRYPTED_V1, GENERIC_SECURE_PASSWORD_METHOD,
+ENUM_NEXT(payload_type_names, NAT_D_DRAFT_00_03_V1, FRAGMENT_V1, GENERIC_SECURE_PASSWORD_METHOD,
+	"NAT_D_DRAFT_V1",
+	"NAT_OA_DRAFT_V1",
+	"FRAGMENT");
+#endif /* ME */
+ENUM_NEXT(payload_type_names, HEADER, ENCRYPTED_V1, FRAGMENT_V1,
 	"HEADER",
 	"PROPOSAL_SUBSTRUCTURE",
 	"PROPOSAL_SUBSTRUCTURE_V1",
@@ -104,7 +102,6 @@ ENUM_NEXT(payload_type_names, HEADER, ENCRYPTED_V1, GENERIC_SECURE_PASSWORD_METH
 	"CONFIGURATION_ATTRIBUTE",
 	"CONFIGURATION_ATTRIBUTE_V1",
 	"ENCRYPTED_V1");
-#endif /* ME */
 ENUM_END(payload_type_names, ENCRYPTED_V1);
 
 /* short forms of payload names */
@@ -147,23 +144,19 @@ ENUM_NEXT(payload_type_short_names, SECURITY_ASSOCIATION, GENERIC_SECURE_PASSWOR
 	"EAP",
 	"GSPM");
 #ifdef ME
-ENUM_NEXT(payload_type_short_names, ID_PEER, ID_PEER,
-									GENERIC_SECURE_PASSWORD_METHOD,
+ENUM_NEXT(payload_type_short_names, ID_PEER, ID_PEER, GENERIC_SECURE_PASSWORD_METHOD,
 	"IDp");
-ENUM_NEXT(payload_type_short_names, HEADER, ENCRYPTED_V1, ID_PEER,
-	"HDR",
-	"PROP",
-	"PROP",
-	"TRANS",
-	"TRANS",
-	"TRANSATTR",
-	"TRANSATTR",
-	"TSSUB",
-	"CATTR",
-	"CATTR",
-	"E");
+ENUM_NEXT(payload_type_short_names, NAT_D_DRAFT_00_03_V1, FRAGMENT_V1, ID_PEER,
+	"NAT-D",
+	"NAT-OA",
+	"FRAG");
 #else
-ENUM_NEXT(payload_type_short_names, HEADER, ENCRYPTED_V1, GENERIC_SECURE_PASSWORD_METHOD,
+ENUM_NEXT(payload_type_short_names, NAT_D_DRAFT_00_03_V1, FRAGMENT_V1, GENERIC_SECURE_PASSWORD_METHOD,
+	"NAT-D",
+	"NAT-OA",
+	"FRAG");
+#endif /* ME */
+ENUM_NEXT(payload_type_short_names, HEADER, ENCRYPTED_V1, FRAGMENT_V1,
 	"HDR",
 	"PROP",
 	"PROP",
@@ -175,7 +168,6 @@ ENUM_NEXT(payload_type_short_names, HEADER, ENCRYPTED_V1, GENERIC_SECURE_PASSWOR
 	"CATTR",
 	"CATTR",
 	"E");
-#endif /* ME */
 ENUM_END(payload_type_short_names, ENCRYPTED_V1);
 
 /*
@@ -206,6 +198,7 @@ payload_t *payload_create(payload_type_t type)
 		case ID_RESPONDER:
 		case ID_V1:
 		case NAT_OA_V1:
+		case NAT_OA_DRAFT_00_03_V1:
 #ifdef ME
 		case ID_PEER:
 #endif /* ME */
@@ -239,6 +232,7 @@ payload_t *payload_create(payload_type_t type)
 		case HASH_V1:
 		case SIGNATURE_V1:
 		case NAT_D_V1:
+		case NAT_D_DRAFT_00_03_V1:
 			return (payload_t*)hash_payload_create(type);
 		case CONFIGURATION:
 		case CONFIGURATION_V1:
@@ -251,6 +245,8 @@ payload_t *payload_create(payload_type_t type)
 		case ENCRYPTED:
 		case ENCRYPTED_V1:
 			return (payload_t*)encryption_payload_create(type);
+		case FRAGMENT_V1:
+			return (payload_t*)fragment_payload_create();
 		default:
 			return (payload_t*)unknown_payload_create(type);
 	}
@@ -283,6 +279,10 @@ bool payload_is_known(payload_type_t type)
 		return TRUE;
 	}
 #endif
+	if (type >= NAT_D_DRAFT_00_03_V1 && type <= FRAGMENT_V1)
+	{
+		return TRUE;
+	}
 	return FALSE;
 }
 
diff --git a/src/libcharon/encoding/payloads/payload.h b/src/libcharon/encoding/payloads/payload.h
index d5e862601..0e8a9267b 100644
--- a/src/libcharon/encoding/payloads/payload.h
+++ b/src/libcharon/encoding/payloads/payload.h
@@ -123,7 +123,7 @@ enum payload_type_t {
 	NAT_D_V1 = 20,
 
 	/**
-	 * NAT original address payload (NAT-OA)
+	 * NAT original address payload (NAT-OA).
 	 */
 	NAT_OA_V1 = 21,
 
@@ -220,6 +220,21 @@ enum payload_type_t {
 	ID_PEER = 128,
 #endif /* ME */
 
+	/**
+	 * NAT discovery payload (NAT-D) (drafts).
+	 */
+	NAT_D_DRAFT_00_03_V1 = 130,
+
+	/**
+	 * NAT original address payload (NAT-OA) (drafts).
+	 */
+	NAT_OA_DRAFT_00_03_V1 = 131,
+
+	/**
+	 * IKE fragment (proprietary IKEv1 extension)
+	 */
+	FRAGMENT_V1 = 132,
+
 	/**
 	 * Header has a value of PRIVATE USE space.
 	 *
diff --git a/src/libcharon/encoding/payloads/proposal_substructure.c b/src/libcharon/encoding/payloads/proposal_substructure.c
index 653f51a46..ae0fce991 100644
--- a/src/libcharon/encoding/payloads/proposal_substructure.c
+++ b/src/libcharon/encoding/payloads/proposal_substructure.c
@@ -22,7 +22,7 @@
 #include <encoding/payloads/encodings.h>
 #include <encoding/payloads/transform_substructure.h>
 #include <library.h>
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
 #include <daemon.h>
 
 /**
@@ -253,6 +253,8 @@ typedef enum {
   IKEV1_ENCAP_TRANSPORT = 2,
   IKEV1_ENCAP_UDP_TUNNEL = 3,
   IKEV1_ENCAP_UDP_TRANSPORT = 4,
+  IKEV1_ENCAP_UDP_TUNNEL_DRAFT_00_03 = 61443,
+  IKEV1_ENCAP_UDP_TRANSPORT_DRAFT_00_03 = 61444,
 } ikev1_esp_encap_t;
 
 /**
@@ -810,14 +812,30 @@ static u_int16_t get_ikev1_auth(auth_method_t method)
 /**
  * Get IKEv1 encapsulation mode
  */
-static u_int16_t get_ikev1_mode(ipsec_mode_t mode, bool udp)
+static u_int16_t get_ikev1_mode(ipsec_mode_t mode, encap_t udp)
 {
 	switch (mode)
 	{
 		case MODE_TUNNEL:
-			return udp ? IKEV1_ENCAP_UDP_TUNNEL : IKEV1_ENCAP_TUNNEL;
+			switch (udp)
+			{
+				case ENCAP_UDP:
+					return IKEV1_ENCAP_UDP_TUNNEL;
+				case ENCAP_UDP_DRAFT_00_03:
+					return IKEV1_ENCAP_UDP_TUNNEL_DRAFT_00_03;
+				default:
+					return IKEV1_ENCAP_TUNNEL;
+			}
 		case MODE_TRANSPORT:
-			return udp ? IKEV1_ENCAP_UDP_TRANSPORT : IKEV1_ENCAP_TRANSPORT;
+			switch (udp)
+			{
+				case ENCAP_UDP:
+					return IKEV1_ENCAP_UDP_TRANSPORT;
+				case ENCAP_UDP_DRAFT_00_03:
+					return IKEV1_ENCAP_UDP_TRANSPORT_DRAFT_00_03;
+				default:
+					return IKEV1_ENCAP_TRANSPORT;
+			}
 		default:
 			return IKEV1_ENCAP_TUNNEL;
 	}
@@ -1125,9 +1143,11 @@ METHOD(proposal_substructure_t, get_encap_mode, ipsec_mode_t,
 		case IKEV1_ENCAP_TUNNEL:
 			return MODE_TUNNEL;
 		case IKEV1_ENCAP_UDP_TRANSPORT:
+		case IKEV1_ENCAP_UDP_TRANSPORT_DRAFT_00_03:
 			*udp = TRUE;
 			return MODE_TRANSPORT;
 		case IKEV1_ENCAP_UDP_TUNNEL:
+		case IKEV1_ENCAP_UDP_TUNNEL_DRAFT_00_03:
 			*udp = TRUE;
 			return MODE_TUNNEL;
 		default:
@@ -1263,7 +1283,7 @@ static void set_from_proposal_v1_ike(private_proposal_substructure_t *this,
  */
 static void set_from_proposal_v1_esp(private_proposal_substructure_t *this,
 				proposal_t *proposal, u_int32_t lifetime, u_int64_t lifebytes,
-				ipsec_mode_t mode, bool udp, int number)
+				ipsec_mode_t mode, encap_t udp, int number)
 {
 	transform_substructure_t *transform = NULL;
 	u_int16_t alg, key_size;
@@ -1459,7 +1479,7 @@ proposal_substructure_t *proposal_substructure_create_from_proposal_v2(
  */
 proposal_substructure_t *proposal_substructure_create_from_proposal_v1(
 			proposal_t *proposal, u_int32_t lifetime, u_int64_t lifebytes,
-			auth_method_t auth, ipsec_mode_t mode, bool udp)
+			auth_method_t auth, ipsec_mode_t mode, encap_t udp)
 {
 	private_proposal_substructure_t *this;
 
@@ -1487,7 +1507,7 @@ proposal_substructure_t *proposal_substructure_create_from_proposal_v1(
  */
 proposal_substructure_t *proposal_substructure_create_from_proposals_v1(
 			linked_list_t *proposals, u_int32_t lifetime, u_int64_t lifebytes,
-			auth_method_t auth, ipsec_mode_t mode, bool udp)
+			auth_method_t auth, ipsec_mode_t mode, encap_t udp)
 {
 	private_proposal_substructure_t *this = NULL;
 	enumerator_t *enumerator;
@@ -1531,7 +1551,7 @@ proposal_substructure_t *proposal_substructure_create_from_proposals_v1(
  */
 proposal_substructure_t *proposal_substructure_create_for_ipcomp_v1(
 			u_int32_t lifetime, u_int64_t lifebytes, u_int16_t cpi,
-			ipsec_mode_t mode, bool udp, u_int8_t proposal_number)
+			ipsec_mode_t mode, encap_t udp, u_int8_t proposal_number)
 {
 	private_proposal_substructure_t *this;
 	transform_substructure_t *transform;
diff --git a/src/libcharon/encoding/payloads/proposal_substructure.h b/src/libcharon/encoding/payloads/proposal_substructure.h
index 5d42a6116..c8e7adfd8 100644
--- a/src/libcharon/encoding/payloads/proposal_substructure.h
+++ b/src/libcharon/encoding/payloads/proposal_substructure.h
@@ -23,16 +23,26 @@
 #ifndef PROPOSAL_SUBSTRUCTURE_H_
 #define PROPOSAL_SUBSTRUCTURE_H_
 
+typedef enum encap_t encap_t;
 typedef struct proposal_substructure_t proposal_substructure_t;
 
 #include <library.h>
 #include <encoding/payloads/payload.h>
 #include <encoding/payloads/transform_substructure.h>
 #include <config/proposal.h>
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
 #include <kernel/kernel_ipsec.h>
 #include <sa/authenticator.h>
 
+/**
+ * Encap type for proposal substructure
+ */
+enum encap_t {
+	ENCAP_NONE = 0,
+	ENCAP_UDP,
+	ENCAP_UDP_DRAFT_00_03,
+};
+
 /**
  * Class representing an IKEv1/IKEv2 proposal substructure.
  */
@@ -179,12 +189,12 @@ proposal_substructure_t *proposal_substructure_create_from_proposal_v2(
  * @param lifebytes	lifebytes, in bytes
  * @param auth		authentication method to use, or AUTH_NONE
  * @param mode		IPsec encapsulation mode, TRANSPORT or TUNNEL
- * @param udp		TRUE to use UDP encapsulation
+ * @param udp		ENCAP_UDP to use UDP encapsulation
  * @return			proposal_substructure_t object PROPOSAL_SUBSTRUCTURE_V1
  */
 proposal_substructure_t *proposal_substructure_create_from_proposal_v1(
 			proposal_t *proposal,  u_int32_t lifetime, u_int64_t lifebytes,
-			auth_method_t auth, ipsec_mode_t mode, bool udp);
+			auth_method_t auth, ipsec_mode_t mode, encap_t udp);
 
 /**
  * Creates an IKEv1 proposal_substructure_t from a list of proposal_t.
@@ -194,12 +204,12 @@ proposal_substructure_t *proposal_substructure_create_from_proposal_v1(
  * @param lifebytes	lifebytes, in bytes
  * @param auth		authentication method to use, or AUTH_NONE
  * @param mode		IPsec encapsulation mode, TRANSPORT or TUNNEL
- * @param udp		TRUE to use UDP encapsulation
+ * @param udp		ENCAP_UDP to use UDP encapsulation
  * @return			IKEv1 proposal_substructure_t PROPOSAL_SUBSTRUCTURE_V1
  */
 proposal_substructure_t *proposal_substructure_create_from_proposals_v1(
 			linked_list_t *proposals, u_int32_t lifetime, u_int64_t lifebytes,
-			auth_method_t auth, ipsec_mode_t mode, bool udp);
+			auth_method_t auth, ipsec_mode_t mode, encap_t udp);
 
 /**
  * Creates an IKEv1 proposal_substructure_t for IPComp with the given
@@ -209,12 +219,12 @@ proposal_substructure_t *proposal_substructure_create_from_proposals_v1(
  * @param lifebytes			lifebytes, in bytes
  * @param cpi				the CPI to be used
  * @param mode				IPsec encapsulation mode, TRANSPORT or TUNNEL
- * @param udp				TRUE to use UDP encapsulation
+ * @param udp				ENCAP_UDP to use UDP encapsulation
  * @param proposal_number	the proposal number of the proposal to be linked
  * @return					IKEv1 proposal_substructure_t PROPOSAL_SUBSTRUCTURE_V1
  */
 proposal_substructure_t *proposal_substructure_create_for_ipcomp_v1(
 			u_int32_t lifetime, u_int64_t lifebytes, u_int16_t cpi,
-			ipsec_mode_t mode, bool udp, u_int8_t proposal_number);
+			ipsec_mode_t mode, encap_t udp, u_int8_t proposal_number);
 
 #endif /** PROPOSAL_SUBSTRUCTURE_H_ @}*/
diff --git a/src/libcharon/encoding/payloads/sa_payload.c b/src/libcharon/encoding/payloads/sa_payload.c
index adf19aa67..a588d4e97 100644
--- a/src/libcharon/encoding/payloads/sa_payload.c
+++ b/src/libcharon/encoding/payloads/sa_payload.c
@@ -20,7 +20,7 @@
 #include "sa_payload.h"
 
 #include <encoding/payloads/encodings.h>
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
 #include <daemon.h>
 
 /* IKEv1 situation */
@@ -552,8 +552,8 @@ sa_payload_t *sa_payload_create_from_proposal_v2(proposal_t *proposal)
  */
 sa_payload_t *sa_payload_create_from_proposals_v1(linked_list_t *proposals,
 								u_int32_t lifetime, u_int64_t lifebytes,
-								auth_method_t auth, ipsec_mode_t mode, bool udp,
-								u_int16_t cpi)
+								auth_method_t auth, ipsec_mode_t mode,
+								encap_t udp, u_int16_t cpi)
 {
 	proposal_substructure_t *substruct;
 	private_sa_payload_t *this;
@@ -591,8 +591,8 @@ sa_payload_t *sa_payload_create_from_proposals_v1(linked_list_t *proposals,
  */
 sa_payload_t *sa_payload_create_from_proposal_v1(proposal_t *proposal,
 								u_int32_t lifetime, u_int64_t lifebytes,
-								auth_method_t auth, ipsec_mode_t mode, bool udp,
-								u_int16_t cpi)
+								auth_method_t auth, ipsec_mode_t mode,
+								encap_t udp, u_int16_t cpi)
 {
 	private_sa_payload_t *this;
 	linked_list_t *proposals;
diff --git a/src/libcharon/encoding/payloads/sa_payload.h b/src/libcharon/encoding/payloads/sa_payload.h
index 9a88cccd5..b62a341d8 100644
--- a/src/libcharon/encoding/payloads/sa_payload.h
+++ b/src/libcharon/encoding/payloads/sa_payload.h
@@ -27,7 +27,7 @@ typedef struct sa_payload_t sa_payload_t;
 #include <library.h>
 #include <encoding/payloads/payload.h>
 #include <encoding/payloads/proposal_substructure.h>
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
 #include <kernel/kernel_ipsec.h>
 #include <sa/authenticator.h>
 
@@ -133,13 +133,13 @@ sa_payload_t *sa_payload_create_from_proposal_v2(proposal_t *proposal);
  * @param lifebytes			lifebytes, in bytes
  * @param auth				authentication method to use, or AUTH_NONE
  * @param mode				IPsec encapsulation mode, TRANSPORT or TUNNEL
- * @param udp				TRUE to use UDP encapsulation
+ * @param udp				ENCAP_UDP to use UDP encapsulation
  * @param cpi				CPI in case IPComp should be used
  * @return					sa_payload_t object
  */
 sa_payload_t *sa_payload_create_from_proposals_v1(linked_list_t *proposals,
 							u_int32_t lifetime, u_int64_t lifebytes,
-							auth_method_t auth, ipsec_mode_t mode, bool udp,
+							auth_method_t auth, ipsec_mode_t mode, encap_t udp,
 							u_int16_t cpi);
 
 /**
@@ -150,13 +150,13 @@ sa_payload_t *sa_payload_create_from_proposals_v1(linked_list_t *proposals,
  * @param lifebytes			lifebytes, in bytes
  * @param auth				authentication method to use, or AUTH_NONE
  * @param mode				IPsec encapsulation mode, TRANSPORT or TUNNEL
- * @param udp				TRUE to use UDP encapsulation
+ * @param udp				ENCAP_UDP to use UDP encapsulation
  * @param cpi				CPI in case IPComp should be used
  * @return					sa_payload_t object
  */
 sa_payload_t *sa_payload_create_from_proposal_v1(proposal_t *proposal,
 							u_int32_t lifetime, u_int64_t lifebytes,
-							auth_method_t auth, ipsec_mode_t mode, bool udp,
+							auth_method_t auth, ipsec_mode_t mode, encap_t udp,
 							u_int16_t cpi);
 
 #endif /** SA_PAYLOAD_H_ @}*/
diff --git a/src/libcharon/encoding/payloads/traffic_selector_substructure.c b/src/libcharon/encoding/payloads/traffic_selector_substructure.c
index 378f5bbc3..15f791b95 100644
--- a/src/libcharon/encoding/payloads/traffic_selector_substructure.c
+++ b/src/libcharon/encoding/payloads/traffic_selector_substructure.c
@@ -18,7 +18,7 @@
 #include "traffic_selector_substructure.h"
 
 #include <encoding/payloads/encodings.h>
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
 
 typedef struct private_traffic_selector_substructure_t private_traffic_selector_substructure_t;
 
diff --git a/src/libcharon/encoding/payloads/traffic_selector_substructure.h b/src/libcharon/encoding/payloads/traffic_selector_substructure.h
index 1ad5fb526..d3fbe8476 100644
--- a/src/libcharon/encoding/payloads/traffic_selector_substructure.h
+++ b/src/libcharon/encoding/payloads/traffic_selector_substructure.h
@@ -25,7 +25,7 @@
 typedef struct traffic_selector_substructure_t traffic_selector_substructure_t;
 
 #include <library.h>
-#include <utils/host.h>
+#include <networking/host.h>
 #include <selectors/traffic_selector.h>
 #include <encoding/payloads/payload.h>
 
diff --git a/src/libcharon/encoding/payloads/transform_substructure.c b/src/libcharon/encoding/payloads/transform_substructure.c
index a4a920b60..a85027561 100644
--- a/src/libcharon/encoding/payloads/transform_substructure.c
+++ b/src/libcharon/encoding/payloads/transform_substructure.c
@@ -22,7 +22,7 @@
 #include <encoding/payloads/transform_attribute.h>
 #include <encoding/payloads/encodings.h>
 #include <library.h>
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
 #include <daemon.h>
 
 typedef struct private_transform_substructure_t private_transform_substructure_t;
diff --git a/src/libcharon/encoding/payloads/transform_substructure.h b/src/libcharon/encoding/payloads/transform_substructure.h
index 947df24f9..97717e65b 100644
--- a/src/libcharon/encoding/payloads/transform_substructure.h
+++ b/src/libcharon/encoding/payloads/transform_substructure.h
@@ -27,7 +27,7 @@ typedef struct transform_substructure_t transform_substructure_t;
 #include <library.h>
 #include <encoding/payloads/payload.h>
 #include <encoding/payloads/transform_attribute.h>
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
 #include <crypto/diffie_hellman.h>
 #include <crypto/signers/signer.h>
 #include <crypto/prfs/prf.h>
diff --git a/src/libcharon/encoding/payloads/ts_payload.c b/src/libcharon/encoding/payloads/ts_payload.c
index a7678da73..8dfa47bc2 100644
--- a/src/libcharon/encoding/payloads/ts_payload.c
+++ b/src/libcharon/encoding/payloads/ts_payload.c
@@ -20,7 +20,7 @@
 #include "ts_payload.h"
 
 #include <encoding/payloads/encodings.h>
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
 
 typedef struct private_ts_payload_t private_ts_payload_t;
 
diff --git a/src/libcharon/encoding/payloads/ts_payload.h b/src/libcharon/encoding/payloads/ts_payload.h
index 5a92655dc..933245c62 100644
--- a/src/libcharon/encoding/payloads/ts_payload.h
+++ b/src/libcharon/encoding/payloads/ts_payload.h
@@ -25,7 +25,7 @@
 typedef struct ts_payload_t ts_payload_t;
 
 #include <library.h>
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
 #include <selectors/traffic_selector.h>
 #include <encoding/payloads/payload.h>
 #include <encoding/payloads/traffic_selector_substructure.h>
diff --git a/src/libcharon/network/receiver.c b/src/libcharon/network/receiver.c
index 2f87a5ecb..f683cf818 100644
--- a/src/libcharon/network/receiver.c
+++ b/src/libcharon/network/receiver.c
@@ -28,7 +28,7 @@
 #include <processing/jobs/callback_job.h>
 #include <crypto/hashers/hasher.h>
 #include <threading/mutex.h>
-#include <utils/packet.h>
+#include <networking/packet.h>
 
 /** lifetime of a cookie, in seconds */
 #define COOKIE_LIFETIME 10
@@ -488,6 +488,7 @@ static job_requeue_t receive_packets(private_receiver_t *this)
 	{
 		DBG1(DBG_NET, "received invalid IKE header from %H - ignored",
 			 packet->get_source(packet));
+		charon->bus->alert(charon->bus, ALERT_PARSE_ERROR_HEADER, message);
 		message->destroy(message);
 		return JOB_REQUEUE_DIRECT;
 	}
diff --git a/src/libcharon/network/receiver.h b/src/libcharon/network/receiver.h
index 9e8edee45..58bfe4a96 100644
--- a/src/libcharon/network/receiver.h
+++ b/src/libcharon/network/receiver.h
@@ -26,8 +26,8 @@
 typedef struct receiver_t receiver_t;
 
 #include <library.h>
-#include <utils/host.h>
-#include <utils/packet.h>
+#include <networking/host.h>
+#include <networking/packet.h>
 
 /**
  * Callback called for any received UDP encapsulated ESP packet.
diff --git a/src/libcharon/network/sender.c b/src/libcharon/network/sender.c
index 059f24b39..dd8efc1ec 100644
--- a/src/libcharon/network/sender.c
+++ b/src/libcharon/network/sender.c
@@ -94,10 +94,11 @@ METHOD(sender_t, send_, void,
 {
 	host_t *src, *dst;
 
-	/* if neither source nor destination port is 500 we add a Non-ESP marker */
 	src = packet->get_source(packet);
 	dst = packet->get_destination(packet);
-	DBG1(DBG_NET, "sending packet: from %#H to %#H", src, dst);
+
+	DBG1(DBG_NET, "sending packet: from %#H to %#H (%zu bytes)", src, dst,
+		 packet->get_data(packet).len);
 
 	if (this->send_delay)
 	{
@@ -120,6 +121,7 @@ METHOD(sender_t, send_, void,
 		message->destroy(message);
 	}
 
+	/* if neither source nor destination port is 500 we add a Non-ESP marker */
 	if (dst->get_port(dst) != IKEV2_UDP_PORT &&
 		src->get_port(src) != IKEV2_UDP_PORT)
 	{
diff --git a/src/libcharon/network/sender.h b/src/libcharon/network/sender.h
index 9b5c325cc..080559b89 100644
--- a/src/libcharon/network/sender.h
+++ b/src/libcharon/network/sender.h
@@ -26,7 +26,7 @@
 typedef struct sender_t sender_t;
 
 #include <library.h>
-#include <utils/packet.h>
+#include <networking/packet.h>
 
 /**
  * Callback job responsible for sending IKE packets over the socket.
diff --git a/src/libcharon/network/socket.h b/src/libcharon/network/socket.h
index b8850c6ed..f6c8a8660 100644
--- a/src/libcharon/network/socket.h
+++ b/src/libcharon/network/socket.h
@@ -27,8 +27,8 @@
 typedef struct socket_t socket_t;
 
 #include <library.h>
-#include <utils/packet.h>
-#include <utils/enumerator.h>
+#include <networking/packet.h>
+#include <collections/enumerator.h>
 #include <plugins/plugin.h>
 
 /**
diff --git a/src/libcharon/network/socket_manager.c b/src/libcharon/network/socket_manager.c
index d2736de8e..bf1fe5ba2 100644
--- a/src/libcharon/network/socket_manager.c
+++ b/src/libcharon/network/socket_manager.c
@@ -20,7 +20,7 @@
 #include <daemon.h>
 #include <threading/thread.h>
 #include <threading/rwlock.h>
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
 
 typedef struct private_socket_manager_t private_socket_manager_t;
 
diff --git a/src/libcharon/plugins/addrblock/Makefile.in b/src/libcharon/plugins/addrblock/Makefile.in
index 8673e6ecd..5bc6d1ec3 100644
--- a/src/libcharon/plugins/addrblock/Makefile.in
+++ b/src/libcharon/plugins/addrblock/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -73,6 +73,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
 am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
 am__installdirs = "$(DESTDIR)$(plugindir)"
 LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
 libstrongswan_addrblock_la_LIBADD =
@@ -124,6 +130,7 @@ CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -151,6 +158,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -178,6 +186,7 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
@@ -190,6 +199,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -243,7 +253,6 @@ libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -376,7 +385,7 @@ clean-pluginLTLIBRARIES:
 	  echo "rm -f \"$${dir}/so_locations\""; \
 	  rm -f "$${dir}/so_locations"; \
 	done
-libstrongswan-addrblock.la: $(libstrongswan_addrblock_la_OBJECTS) $(libstrongswan_addrblock_la_DEPENDENCIES) 
+libstrongswan-addrblock.la: $(libstrongswan_addrblock_la_OBJECTS) $(libstrongswan_addrblock_la_DEPENDENCIES) $(EXTRA_libstrongswan_addrblock_la_DEPENDENCIES) 
 	$(libstrongswan_addrblock_la_LINK) $(am_libstrongswan_addrblock_la_rpath) $(libstrongswan_addrblock_la_OBJECTS) $(libstrongswan_addrblock_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
@@ -515,10 +524,15 @@ install-am: all-am
 
 installcheck: installcheck-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
diff --git a/src/libcharon/plugins/addrblock/addrblock_validator.c b/src/libcharon/plugins/addrblock/addrblock_validator.c
index 1b07378f7..65f4ed08c 100644
--- a/src/libcharon/plugins/addrblock/addrblock_validator.c
+++ b/src/libcharon/plugins/addrblock/addrblock_validator.c
@@ -15,7 +15,7 @@
 
 #include "addrblock_validator.h"
 
-#include <debug.h>
+#include <utils/debug.h>
 #include <credentials/certificates/x509.h>
 #include <selectors/traffic_selector.h>
 
diff --git a/src/libcharon/plugins/android/Makefile.in b/src/libcharon/plugins/android/Makefile.in
index ebe6ebb4d..312e63f2a 100644
--- a/src/libcharon/plugins/android/Makefile.in
+++ b/src/libcharon/plugins/android/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -73,6 +73,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
 am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
 am__installdirs = "$(DESTDIR)$(plugindir)"
 LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
 libstrongswan_android_la_DEPENDENCIES =
@@ -123,6 +129,7 @@ CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -150,6 +157,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -177,6 +185,7 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
@@ -189,6 +198,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -242,7 +252,6 @@ libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -377,7 +386,7 @@ clean-pluginLTLIBRARIES:
 	  echo "rm -f \"$${dir}/so_locations\""; \
 	  rm -f "$${dir}/so_locations"; \
 	done
-libstrongswan-android.la: $(libstrongswan_android_la_OBJECTS) $(libstrongswan_android_la_DEPENDENCIES) 
+libstrongswan-android.la: $(libstrongswan_android_la_OBJECTS) $(libstrongswan_android_la_DEPENDENCIES) $(EXTRA_libstrongswan_android_la_DEPENDENCIES) 
 	$(libstrongswan_android_la_LINK) $(am_libstrongswan_android_la_rpath) $(libstrongswan_android_la_OBJECTS) $(libstrongswan_android_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
@@ -517,10 +526,15 @@ install-am: all-am
 
 installcheck: installcheck-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
diff --git a/src/libcharon/plugins/android/android_handler.c b/src/libcharon/plugins/android/android_handler.c
index f1d3045ca..29dbbbfd0 100644
--- a/src/libcharon/plugins/android/android_handler.c
+++ b/src/libcharon/plugins/android/android_handler.c
@@ -16,7 +16,8 @@
 
 #include "android_handler.h"
 
-#include <utils/linked_list.h>
+#include <networking/host.h>
+#include <collections/linked_list.h>
 
 #include <cutils/properties.h>
 
diff --git a/src/libcharon/plugins/android/android_service.c b/src/libcharon/plugins/android/android_service.c
index 81628b80a..6af35e5df 100644
--- a/src/libcharon/plugins/android/android_service.c
+++ b/src/libcharon/plugins/android/android_service.c
@@ -264,12 +264,12 @@ static job_requeue_t initiate(private_android_service_t *this)
 		this->creds->set_username_password(this->creds, user, password);
 	}
 
-	ike_cfg = ike_cfg_create(TRUE, FALSE, "0.0.0.0", FALSE,
+	ike_cfg = ike_cfg_create(IKEV2, TRUE, FALSE, "0.0.0.0", FALSE,
 							 charon->socket->get_port(charon->socket, FALSE),
-							 hostname, FALSE, IKEV2_UDP_PORT);
+							 hostname, FALSE, IKEV2_UDP_PORT, FRAGMENTATION_NO);
 	ike_cfg->add_proposal(ike_cfg, proposal_create_default(PROTO_IKE));
 
-	peer_cfg = peer_cfg_create("android", IKEV2, ike_cfg, CERT_SEND_IF_ASKED,
+	peer_cfg = peer_cfg_create("android", ike_cfg, CERT_SEND_IF_ASKED,
 							   UNIQUE_REPLACE, 1, /* keyingtries */
 							   36000, 0, /* rekey 10h, reauth none */
 							   600, 600, /* jitter, over 10min */
diff --git a/src/libcharon/plugins/android_log/Makefile.in b/src/libcharon/plugins/android_log/Makefile.in
index 00f0eb869..5875e6202 100644
--- a/src/libcharon/plugins/android_log/Makefile.in
+++ b/src/libcharon/plugins/android_log/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -73,6 +73,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
 am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
 am__installdirs = "$(DESTDIR)$(plugindir)"
 LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
 libstrongswan_android_log_la_LIBADD =
@@ -124,6 +130,7 @@ CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -151,6 +158,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -178,6 +186,7 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
@@ -190,6 +199,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -243,7 +253,6 @@ libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -375,7 +384,7 @@ clean-pluginLTLIBRARIES:
 	  echo "rm -f \"$${dir}/so_locations\""; \
 	  rm -f "$${dir}/so_locations"; \
 	done
-libstrongswan-android-log.la: $(libstrongswan_android_log_la_OBJECTS) $(libstrongswan_android_log_la_DEPENDENCIES) 
+libstrongswan-android-log.la: $(libstrongswan_android_log_la_OBJECTS) $(libstrongswan_android_log_la_DEPENDENCIES) $(EXTRA_libstrongswan_android_log_la_DEPENDENCIES) 
 	$(libstrongswan_android_log_la_LINK) $(am_libstrongswan_android_log_la_rpath) $(libstrongswan_android_log_la_OBJECTS) $(libstrongswan_android_log_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
@@ -513,10 +522,15 @@ install-am: all-am
 
 installcheck: installcheck-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
diff --git a/src/libcharon/plugins/certexpire/Makefile.in b/src/libcharon/plugins/certexpire/Makefile.in
index 4c098fcc7..50000ce5e 100644
--- a/src/libcharon/plugins/certexpire/Makefile.in
+++ b/src/libcharon/plugins/certexpire/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -73,6 +73,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
 am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
 am__installdirs = "$(DESTDIR)$(plugindir)"
 LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
 libstrongswan_certexpire_la_LIBADD =
@@ -124,6 +130,7 @@ CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -151,6 +158,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -178,6 +186,7 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
@@ -190,6 +199,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -243,7 +253,6 @@ libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -378,7 +387,7 @@ clean-pluginLTLIBRARIES:
 	  echo "rm -f \"$${dir}/so_locations\""; \
 	  rm -f "$${dir}/so_locations"; \
 	done
-libstrongswan-certexpire.la: $(libstrongswan_certexpire_la_OBJECTS) $(libstrongswan_certexpire_la_DEPENDENCIES) 
+libstrongswan-certexpire.la: $(libstrongswan_certexpire_la_OBJECTS) $(libstrongswan_certexpire_la_DEPENDENCIES) $(EXTRA_libstrongswan_certexpire_la_DEPENDENCIES) 
 	$(libstrongswan_certexpire_la_LINK) $(am_libstrongswan_certexpire_la_rpath) $(libstrongswan_certexpire_la_OBJECTS) $(libstrongswan_certexpire_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
@@ -518,10 +527,15 @@ install-am: all-am
 
 installcheck: installcheck-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
diff --git a/src/libcharon/plugins/certexpire/certexpire_cron.c b/src/libcharon/plugins/certexpire/certexpire_cron.c
index e8cd4bfd8..5f2fd7ca4 100644
--- a/src/libcharon/plugins/certexpire/certexpire_cron.c
+++ b/src/libcharon/plugins/certexpire/certexpire_cron.c
@@ -17,7 +17,7 @@
 
 #include <time.h>
 
-#include <debug.h>
+#include <utils/debug.h>
 #include <processing/jobs/callback_job.h>
 
 typedef struct private_certexpire_cron_t private_certexpire_cron_t;
diff --git a/src/libcharon/plugins/certexpire/certexpire_export.c b/src/libcharon/plugins/certexpire/certexpire_export.c
index 8e046d0fe..e339b8004 100644
--- a/src/libcharon/plugins/certexpire/certexpire_export.c
+++ b/src/libcharon/plugins/certexpire/certexpire_export.c
@@ -21,9 +21,9 @@
 #include <limits.h>
 #include <errno.h>
 
-#include <debug.h>
+#include <utils/debug.h>
 #include <daemon.h>
-#include <utils/hashtable.h>
+#include <collections/hashtable.h>
 #include <threading/mutex.h>
 #include <credentials/certificates/x509.h>
 
diff --git a/src/libcharon/plugins/certexpire/certexpire_export.h b/src/libcharon/plugins/certexpire/certexpire_export.h
index 64281d0bd..7b75f2c92 100644
--- a/src/libcharon/plugins/certexpire/certexpire_export.h
+++ b/src/libcharon/plugins/certexpire/certexpire_export.h
@@ -23,7 +23,7 @@
 
 typedef struct certexpire_export_t certexpire_export_t;
 
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
 
 /**
  * Caches and exports trustchain information to CSV files.
diff --git a/src/libcharon/plugins/coupling/Makefile.in b/src/libcharon/plugins/coupling/Makefile.in
index 9ad158b4c..7eaadf74f 100644
--- a/src/libcharon/plugins/coupling/Makefile.in
+++ b/src/libcharon/plugins/coupling/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -73,6 +73,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
 am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
 am__installdirs = "$(DESTDIR)$(plugindir)"
 LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
 libstrongswan_coupling_la_LIBADD =
@@ -124,6 +130,7 @@ CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -151,6 +158,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -178,6 +186,7 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
@@ -190,6 +199,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -243,7 +253,6 @@ libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -374,7 +383,7 @@ clean-pluginLTLIBRARIES:
 	  echo "rm -f \"$${dir}/so_locations\""; \
 	  rm -f "$${dir}/so_locations"; \
 	done
-libstrongswan-coupling.la: $(libstrongswan_coupling_la_OBJECTS) $(libstrongswan_coupling_la_DEPENDENCIES) 
+libstrongswan-coupling.la: $(libstrongswan_coupling_la_OBJECTS) $(libstrongswan_coupling_la_DEPENDENCIES) $(EXTRA_libstrongswan_coupling_la_DEPENDENCIES) 
 	$(libstrongswan_coupling_la_LINK) $(am_libstrongswan_coupling_la_rpath) $(libstrongswan_coupling_la_OBJECTS) $(libstrongswan_coupling_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
@@ -512,10 +521,15 @@ install-am: all-am
 
 installcheck: installcheck-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
diff --git a/src/libcharon/plugins/dhcp/Makefile.in b/src/libcharon/plugins/dhcp/Makefile.in
index ec42d8de6..f25f02845 100644
--- a/src/libcharon/plugins/dhcp/Makefile.in
+++ b/src/libcharon/plugins/dhcp/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -73,6 +73,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
 am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
 am__installdirs = "$(DESTDIR)$(plugindir)"
 LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
 libstrongswan_dhcp_la_LIBADD =
@@ -121,6 +127,7 @@ CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -148,6 +155,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -175,6 +183,7 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
@@ -187,6 +196,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -240,7 +250,6 @@ libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -373,7 +382,7 @@ clean-pluginLTLIBRARIES:
 	  echo "rm -f \"$${dir}/so_locations\""; \
 	  rm -f "$${dir}/so_locations"; \
 	done
-libstrongswan-dhcp.la: $(libstrongswan_dhcp_la_OBJECTS) $(libstrongswan_dhcp_la_DEPENDENCIES) 
+libstrongswan-dhcp.la: $(libstrongswan_dhcp_la_OBJECTS) $(libstrongswan_dhcp_la_DEPENDENCIES) $(EXTRA_libstrongswan_dhcp_la_DEPENDENCIES) 
 	$(libstrongswan_dhcp_la_LINK) $(am_libstrongswan_dhcp_la_rpath) $(libstrongswan_dhcp_la_OBJECTS) $(libstrongswan_dhcp_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
@@ -513,10 +522,15 @@ install-am: all-am
 
 installcheck: installcheck-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
diff --git a/src/libcharon/plugins/dhcp/dhcp_provider.c b/src/libcharon/plugins/dhcp/dhcp_provider.c
index 8bc547462..f83efda5d 100644
--- a/src/libcharon/plugins/dhcp/dhcp_provider.c
+++ b/src/libcharon/plugins/dhcp/dhcp_provider.c
@@ -15,7 +15,7 @@
 
 #include "dhcp_provider.h"
 
-#include <utils/hashtable.h>
+#include <collections/hashtable.h>
 #include <threading/mutex.h>
 
 typedef struct private_dhcp_provider_t private_dhcp_provider_t;
diff --git a/src/libcharon/plugins/dhcp/dhcp_socket.c b/src/libcharon/plugins/dhcp/dhcp_socket.c
index f469c5a35..46d4c64ef 100644
--- a/src/libcharon/plugins/dhcp/dhcp_socket.c
+++ b/src/libcharon/plugins/dhcp/dhcp_socket.c
@@ -25,7 +25,7 @@
 #include <linux/if_ether.h>
 #include <linux/filter.h>
 
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
 #include <utils/identification.h>
 #include <threading/mutex.h>
 #include <threading/condvar.h>
diff --git a/src/libcharon/plugins/dhcp/dhcp_transaction.c b/src/libcharon/plugins/dhcp/dhcp_transaction.c
index 83f822dd8..22d3f3fdf 100644
--- a/src/libcharon/plugins/dhcp/dhcp_transaction.c
+++ b/src/libcharon/plugins/dhcp/dhcp_transaction.c
@@ -15,7 +15,7 @@
 
 #include "dhcp_transaction.h"
 
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
 
 typedef struct private_dhcp_transaction_t private_dhcp_transaction_t;
 
diff --git a/src/libcharon/plugins/dhcp/dhcp_transaction.h b/src/libcharon/plugins/dhcp/dhcp_transaction.h
index 19c163f88..35f08e836 100644
--- a/src/libcharon/plugins/dhcp/dhcp_transaction.h
+++ b/src/libcharon/plugins/dhcp/dhcp_transaction.h
@@ -21,7 +21,7 @@
 #ifndef DHCP_TRANSACTION_H_
 #define DHCP_TRANSACTION_H_
 
-#include <utils/host.h>
+#include <networking/host.h>
 #include <utils/identification.h>
 #include <attributes/attributes.h>
 
diff --git a/src/libcharon/plugins/duplicheck/Makefile.in b/src/libcharon/plugins/duplicheck/Makefile.in
index d739660da..0577b25ac 100644
--- a/src/libcharon/plugins/duplicheck/Makefile.in
+++ b/src/libcharon/plugins/duplicheck/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -75,6 +75,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
 am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
 am__installdirs = "$(DESTDIR)$(plugindir)" "$(DESTDIR)$(ipsecdir)"
 LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
 libstrongswan_duplicheck_la_LIBADD =
@@ -131,6 +137,7 @@ CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -158,6 +165,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -185,6 +193,7 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
@@ -197,6 +206,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -250,7 +260,6 @@ libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -385,7 +394,7 @@ clean-pluginLTLIBRARIES:
 	  echo "rm -f \"$${dir}/so_locations\""; \
 	  rm -f "$${dir}/so_locations"; \
 	done
-libstrongswan-duplicheck.la: $(libstrongswan_duplicheck_la_OBJECTS) $(libstrongswan_duplicheck_la_DEPENDENCIES) 
+libstrongswan-duplicheck.la: $(libstrongswan_duplicheck_la_OBJECTS) $(libstrongswan_duplicheck_la_DEPENDENCIES) $(EXTRA_libstrongswan_duplicheck_la_DEPENDENCIES) 
 	$(libstrongswan_duplicheck_la_LINK) $(am_libstrongswan_duplicheck_la_rpath) $(libstrongswan_duplicheck_la_OBJECTS) $(libstrongswan_duplicheck_la_LIBADD) $(LIBS)
 install-ipsecPROGRAMS: $(ipsec_PROGRAMS)
 	@$(NORMAL_INSTALL)
@@ -430,7 +439,7 @@ clean-ipsecPROGRAMS:
 	list=`for p in $$list; do echo "$$p"; done | sed 's/$(EXEEXT)$$//'`; \
 	echo " rm -f" $$list; \
 	rm -f $$list
-duplicheck$(EXEEXT): $(duplicheck_OBJECTS) $(duplicheck_DEPENDENCIES) 
+duplicheck$(EXEEXT): $(duplicheck_OBJECTS) $(duplicheck_DEPENDENCIES) $(EXTRA_duplicheck_DEPENDENCIES) 
 	@rm -f duplicheck$(EXEEXT)
 	$(LINK) $(duplicheck_OBJECTS) $(duplicheck_LDADD) $(LIBS)
 
@@ -571,10 +580,15 @@ install-am: all-am
 
 installcheck: installcheck-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
diff --git a/src/libcharon/plugins/duplicheck/duplicheck_listener.c b/src/libcharon/plugins/duplicheck/duplicheck_listener.c
index 4f59e034f..1b0df1e8b 100644
--- a/src/libcharon/plugins/duplicheck/duplicheck_listener.c
+++ b/src/libcharon/plugins/duplicheck/duplicheck_listener.c
@@ -17,7 +17,7 @@
 
 #include <daemon.h>
 #include <threading/mutex.h>
-#include <utils/hashtable.h>
+#include <collections/hashtable.h>
 #include <encoding/payloads/delete_payload.h>
 #include <processing/jobs/delete_ike_sa_job.h>
 
@@ -191,6 +191,7 @@ METHOD(listener_t, message_hook, bool,
 		{
 			DBG1(DBG_CFG, "got a response on a duplicate IKE_SA for '%Y', "
 				 "deleting new IKE_SA", id);
+			charon->bus->alert(charon->bus, ALERT_UNIQUE_KEEP);
 			entry_destroy(entry);
 			this->mutex->lock(this->mutex);
 			entry = this->active->remove(this->active, id);
diff --git a/src/libcharon/plugins/duplicheck/duplicheck_notify.c b/src/libcharon/plugins/duplicheck/duplicheck_notify.c
index 06a88ed7d..cd5d4970b 100644
--- a/src/libcharon/plugins/duplicheck/duplicheck_notify.c
+++ b/src/libcharon/plugins/duplicheck/duplicheck_notify.c
@@ -25,7 +25,7 @@
 #include <daemon.h>
 #include <threading/mutex.h>
 #include <threading/thread.h>
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
 #include <processing/jobs/callback_job.h>
 
 #define DUPLICHECK_SOCKET IPSEC_PIDDIR "/charon.dck"
diff --git a/src/libcharon/plugins/eap_aka/Makefile.in b/src/libcharon/plugins/eap_aka/Makefile.in
index e098c2c75..b0be409aa 100644
--- a/src/libcharon/plugins/eap_aka/Makefile.in
+++ b/src/libcharon/plugins/eap_aka/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -73,6 +73,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
 am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
 am__installdirs = "$(DESTDIR)$(plugindir)"
 LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
 @MONOLITHIC_FALSE@libstrongswan_eap_aka_la_DEPENDENCIES =  \
@@ -124,6 +130,7 @@ CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -151,6 +158,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -178,6 +186,7 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
@@ -190,6 +199,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -243,7 +253,6 @@ libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -377,7 +386,7 @@ clean-pluginLTLIBRARIES:
 	  echo "rm -f \"$${dir}/so_locations\""; \
 	  rm -f "$${dir}/so_locations"; \
 	done
-libstrongswan-eap-aka.la: $(libstrongswan_eap_aka_la_OBJECTS) $(libstrongswan_eap_aka_la_DEPENDENCIES) 
+libstrongswan-eap-aka.la: $(libstrongswan_eap_aka_la_OBJECTS) $(libstrongswan_eap_aka_la_DEPENDENCIES) $(EXTRA_libstrongswan_eap_aka_la_DEPENDENCIES) 
 	$(libstrongswan_eap_aka_la_LINK) $(am_libstrongswan_eap_aka_la_rpath) $(libstrongswan_eap_aka_la_OBJECTS) $(libstrongswan_eap_aka_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
@@ -516,10 +525,15 @@ install-am: all-am
 
 installcheck: installcheck-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
diff --git a/src/libcharon/plugins/eap_aka_3gpp2/Makefile.in b/src/libcharon/plugins/eap_aka_3gpp2/Makefile.in
index 4655d341b..1b805a050 100644
--- a/src/libcharon/plugins/eap_aka_3gpp2/Makefile.in
+++ b/src/libcharon/plugins/eap_aka_3gpp2/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -74,6 +74,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
 am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
 am__installdirs = "$(DESTDIR)$(plugindir)"
 LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
 libstrongswan_eap_aka_3gpp2_la_DEPENDENCIES = $(am__append_1)
@@ -126,6 +132,7 @@ CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -153,6 +160,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -180,6 +188,7 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
@@ -192,6 +201,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -245,7 +255,6 @@ libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -380,7 +389,7 @@ clean-pluginLTLIBRARIES:
 	  echo "rm -f \"$${dir}/so_locations\""; \
 	  rm -f "$${dir}/so_locations"; \
 	done
-libstrongswan-eap-aka-3gpp2.la: $(libstrongswan_eap_aka_3gpp2_la_OBJECTS) $(libstrongswan_eap_aka_3gpp2_la_DEPENDENCIES) 
+libstrongswan-eap-aka-3gpp2.la: $(libstrongswan_eap_aka_3gpp2_la_OBJECTS) $(libstrongswan_eap_aka_3gpp2_la_DEPENDENCIES) $(EXTRA_libstrongswan_eap_aka_3gpp2_la_DEPENDENCIES) 
 	$(libstrongswan_eap_aka_3gpp2_la_LINK) $(am_libstrongswan_eap_aka_3gpp2_la_rpath) $(libstrongswan_eap_aka_3gpp2_la_OBJECTS) $(libstrongswan_eap_aka_3gpp2_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
@@ -520,10 +529,15 @@ install-am: all-am
 
 installcheck: installcheck-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
diff --git a/src/libcharon/plugins/eap_dynamic/Makefile.in b/src/libcharon/plugins/eap_dynamic/Makefile.in
index bf467ebeb..7e55847d6 100644
--- a/src/libcharon/plugins/eap_dynamic/Makefile.in
+++ b/src/libcharon/plugins/eap_dynamic/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -73,6 +73,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
 am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
 am__installdirs = "$(DESTDIR)$(plugindir)"
 LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
 libstrongswan_eap_dynamic_la_LIBADD =
@@ -124,6 +130,7 @@ CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -151,6 +158,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -178,6 +186,7 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
@@ -190,6 +199,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -243,7 +253,6 @@ libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -374,7 +383,7 @@ clean-pluginLTLIBRARIES:
 	  echo "rm -f \"$${dir}/so_locations\""; \
 	  rm -f "$${dir}/so_locations"; \
 	done
-libstrongswan-eap-dynamic.la: $(libstrongswan_eap_dynamic_la_OBJECTS) $(libstrongswan_eap_dynamic_la_DEPENDENCIES) 
+libstrongswan-eap-dynamic.la: $(libstrongswan_eap_dynamic_la_OBJECTS) $(libstrongswan_eap_dynamic_la_DEPENDENCIES) $(EXTRA_libstrongswan_eap_dynamic_la_DEPENDENCIES) 
 	$(libstrongswan_eap_dynamic_la_LINK) $(am_libstrongswan_eap_dynamic_la_rpath) $(libstrongswan_eap_dynamic_la_OBJECTS) $(libstrongswan_eap_dynamic_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
@@ -512,10 +521,15 @@ install-am: all-am
 
 installcheck: installcheck-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
diff --git a/src/libcharon/plugins/eap_gtc/Makefile.in b/src/libcharon/plugins/eap_gtc/Makefile.in
index 8a334983b..3bff722d3 100644
--- a/src/libcharon/plugins/eap_gtc/Makefile.in
+++ b/src/libcharon/plugins/eap_gtc/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -73,6 +73,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
 am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
 am__installdirs = "$(DESTDIR)$(plugindir)"
 LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
 libstrongswan_eap_gtc_la_LIBADD =
@@ -122,6 +128,7 @@ CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -149,6 +156,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -176,6 +184,7 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
@@ -188,6 +197,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -241,7 +251,6 @@ libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -372,7 +381,7 @@ clean-pluginLTLIBRARIES:
 	  echo "rm -f \"$${dir}/so_locations\""; \
 	  rm -f "$${dir}/so_locations"; \
 	done
-libstrongswan-eap-gtc.la: $(libstrongswan_eap_gtc_la_OBJECTS) $(libstrongswan_eap_gtc_la_DEPENDENCIES) 
+libstrongswan-eap-gtc.la: $(libstrongswan_eap_gtc_la_OBJECTS) $(libstrongswan_eap_gtc_la_DEPENDENCIES) $(EXTRA_libstrongswan_eap_gtc_la_DEPENDENCIES) 
 	$(libstrongswan_eap_gtc_la_LINK) $(am_libstrongswan_eap_gtc_la_rpath) $(libstrongswan_eap_gtc_la_OBJECTS) $(libstrongswan_eap_gtc_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
@@ -510,10 +519,15 @@ install-am: all-am
 
 installcheck: installcheck-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
diff --git a/src/libcharon/plugins/eap_identity/Makefile.in b/src/libcharon/plugins/eap_identity/Makefile.in
index 2f4494c39..f7e768aa1 100644
--- a/src/libcharon/plugins/eap_identity/Makefile.in
+++ b/src/libcharon/plugins/eap_identity/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -73,6 +73,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
 am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
 am__installdirs = "$(DESTDIR)$(plugindir)"
 LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
 libstrongswan_eap_identity_la_LIBADD =
@@ -124,6 +130,7 @@ CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -151,6 +158,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -178,6 +186,7 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
@@ -190,6 +199,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -243,7 +253,6 @@ libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -374,7 +383,7 @@ clean-pluginLTLIBRARIES:
 	  echo "rm -f \"$${dir}/so_locations\""; \
 	  rm -f "$${dir}/so_locations"; \
 	done
-libstrongswan-eap-identity.la: $(libstrongswan_eap_identity_la_OBJECTS) $(libstrongswan_eap_identity_la_DEPENDENCIES) 
+libstrongswan-eap-identity.la: $(libstrongswan_eap_identity_la_OBJECTS) $(libstrongswan_eap_identity_la_DEPENDENCIES) $(EXTRA_libstrongswan_eap_identity_la_DEPENDENCIES) 
 	$(libstrongswan_eap_identity_la_LINK) $(am_libstrongswan_eap_identity_la_rpath) $(libstrongswan_eap_identity_la_OBJECTS) $(libstrongswan_eap_identity_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
@@ -512,10 +521,15 @@ install-am: all-am
 
 installcheck: installcheck-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
diff --git a/src/libcharon/plugins/eap_md5/Makefile.in b/src/libcharon/plugins/eap_md5/Makefile.in
index dcf95198f..9b344967b 100644
--- a/src/libcharon/plugins/eap_md5/Makefile.in
+++ b/src/libcharon/plugins/eap_md5/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -73,6 +73,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
 am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
 am__installdirs = "$(DESTDIR)$(plugindir)"
 LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
 libstrongswan_eap_md5_la_LIBADD =
@@ -122,6 +128,7 @@ CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -149,6 +156,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -176,6 +184,7 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
@@ -188,6 +197,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -241,7 +251,6 @@ libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -372,7 +381,7 @@ clean-pluginLTLIBRARIES:
 	  echo "rm -f \"$${dir}/so_locations\""; \
 	  rm -f "$${dir}/so_locations"; \
 	done
-libstrongswan-eap-md5.la: $(libstrongswan_eap_md5_la_OBJECTS) $(libstrongswan_eap_md5_la_DEPENDENCIES) 
+libstrongswan-eap-md5.la: $(libstrongswan_eap_md5_la_OBJECTS) $(libstrongswan_eap_md5_la_DEPENDENCIES) $(EXTRA_libstrongswan_eap_md5_la_DEPENDENCIES) 
 	$(libstrongswan_eap_md5_la_LINK) $(am_libstrongswan_eap_md5_la_rpath) $(libstrongswan_eap_md5_la_OBJECTS) $(libstrongswan_eap_md5_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
@@ -510,10 +519,15 @@ install-am: all-am
 
 installcheck: installcheck-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
diff --git a/src/libcharon/plugins/eap_mschapv2/Makefile.in b/src/libcharon/plugins/eap_mschapv2/Makefile.in
index e954396ec..82ea844a0 100644
--- a/src/libcharon/plugins/eap_mschapv2/Makefile.in
+++ b/src/libcharon/plugins/eap_mschapv2/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -73,6 +73,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
 am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
 am__installdirs = "$(DESTDIR)$(plugindir)"
 LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
 libstrongswan_eap_mschapv2_la_LIBADD =
@@ -124,6 +130,7 @@ CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -151,6 +158,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -178,6 +186,7 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
@@ -190,6 +199,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -243,7 +253,6 @@ libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -375,7 +384,7 @@ clean-pluginLTLIBRARIES:
 	  echo "rm -f \"$${dir}/so_locations\""; \
 	  rm -f "$${dir}/so_locations"; \
 	done
-libstrongswan-eap-mschapv2.la: $(libstrongswan_eap_mschapv2_la_OBJECTS) $(libstrongswan_eap_mschapv2_la_DEPENDENCIES) 
+libstrongswan-eap-mschapv2.la: $(libstrongswan_eap_mschapv2_la_OBJECTS) $(libstrongswan_eap_mschapv2_la_DEPENDENCIES) $(EXTRA_libstrongswan_eap_mschapv2_la_DEPENDENCIES) 
 	$(libstrongswan_eap_mschapv2_la_LINK) $(am_libstrongswan_eap_mschapv2_la_rpath) $(libstrongswan_eap_mschapv2_la_OBJECTS) $(libstrongswan_eap_mschapv2_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
@@ -513,10 +522,15 @@ install-am: all-am
 
 installcheck: installcheck-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
diff --git a/src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c b/src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c
index 0d71c3d97..96f437583 100644
--- a/src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c
+++ b/src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c
@@ -21,7 +21,7 @@
 
 #include <daemon.h>
 #include <library.h>
-#include <utils/enumerator.h>
+#include <collections/enumerator.h>
 #include <crypto/crypters/crypter.h>
 #include <crypto/hashers/hasher.h>
 
diff --git a/src/libcharon/plugins/eap_peap/Makefile.in b/src/libcharon/plugins/eap_peap/Makefile.in
index 82aa990ae..e6ccb9e17 100644
--- a/src/libcharon/plugins/eap_peap/Makefile.in
+++ b/src/libcharon/plugins/eap_peap/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -73,6 +73,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
 am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
 am__installdirs = "$(DESTDIR)$(plugindir)"
 LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
 @MONOLITHIC_FALSE@libstrongswan_eap_peap_la_DEPENDENCIES =  \
@@ -125,6 +131,7 @@ CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -152,6 +159,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -179,6 +187,7 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
@@ -191,6 +200,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -244,7 +254,6 @@ libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -380,7 +389,7 @@ clean-pluginLTLIBRARIES:
 	  echo "rm -f \"$${dir}/so_locations\""; \
 	  rm -f "$${dir}/so_locations"; \
 	done
-libstrongswan-eap-peap.la: $(libstrongswan_eap_peap_la_OBJECTS) $(libstrongswan_eap_peap_la_DEPENDENCIES) 
+libstrongswan-eap-peap.la: $(libstrongswan_eap_peap_la_OBJECTS) $(libstrongswan_eap_peap_la_DEPENDENCIES) $(EXTRA_libstrongswan_eap_peap_la_DEPENDENCIES) 
 	$(libstrongswan_eap_peap_la_LINK) $(am_libstrongswan_eap_peap_la_rpath) $(libstrongswan_eap_peap_la_OBJECTS) $(libstrongswan_eap_peap_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
@@ -521,10 +530,15 @@ install-am: all-am
 
 installcheck: installcheck-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
diff --git a/src/libcharon/plugins/eap_peap/eap_peap_avp.c b/src/libcharon/plugins/eap_peap/eap_peap_avp.c
index 10f6ec11c..f7f634a53 100644
--- a/src/libcharon/plugins/eap_peap/eap_peap_avp.c
+++ b/src/libcharon/plugins/eap_peap/eap_peap_avp.c
@@ -16,7 +16,7 @@
 #include "eap_peap_avp.h"
 
 #include <eap/eap.h>
-#include <debug.h>
+#include <utils/debug.h>
 
 /**
  * Microsoft Success and Failure Result AVPs
@@ -78,7 +78,7 @@ METHOD(eap_peap_avp_t, build, void,
 	}
 	*/
 	else
-	{	
+	{
 		avp_data = chunk_skip(data, 4);
 	}
 	writer->write_data(writer, avp_data);
diff --git a/src/libcharon/plugins/eap_peap/eap_peap_peer.c b/src/libcharon/plugins/eap_peap/eap_peap_peer.c
index 79fd667cb..f482c5b54 100644
--- a/src/libcharon/plugins/eap_peap/eap_peap_peer.c
+++ b/src/libcharon/plugins/eap_peap/eap_peap_peer.c
@@ -16,7 +16,7 @@
 #include "eap_peap_peer.h"
 #include "eap_peap_avp.h"
 
-#include <debug.h>
+#include <utils/debug.h>
 #include <daemon.h>
 
 typedef struct private_eap_peap_peer_t private_eap_peap_peer_t;
diff --git a/src/libcharon/plugins/eap_peap/eap_peap_server.c b/src/libcharon/plugins/eap_peap/eap_peap_server.c
index 0e8046501..5237cb62c 100644
--- a/src/libcharon/plugins/eap_peap/eap_peap_server.c
+++ b/src/libcharon/plugins/eap_peap/eap_peap_server.c
@@ -16,7 +16,7 @@
 #include "eap_peap_server.h"
 #include "eap_peap_avp.h"
 
-#include <debug.h>
+#include <utils/debug.h>
 #include <daemon.h>
 
 typedef struct private_eap_peap_server_t private_eap_peap_server_t;
diff --git a/src/libcharon/plugins/eap_radius/Makefile.in b/src/libcharon/plugins/eap_radius/Makefile.in
index 1bdf24c2c..86d26390f 100644
--- a/src/libcharon/plugins/eap_radius/Makefile.in
+++ b/src/libcharon/plugins/eap_radius/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -73,6 +73,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
 am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
 am__installdirs = "$(DESTDIR)$(plugindir)"
 LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
 @MONOLITHIC_FALSE@libstrongswan_eap_radius_la_DEPENDENCIES =  \
@@ -126,6 +132,7 @@ CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -153,6 +160,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -180,6 +188,7 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
@@ -192,6 +201,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -245,7 +255,6 @@ libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -381,7 +390,7 @@ clean-pluginLTLIBRARIES:
 	  echo "rm -f \"$${dir}/so_locations\""; \
 	  rm -f "$${dir}/so_locations"; \
 	done
-libstrongswan-eap-radius.la: $(libstrongswan_eap_radius_la_OBJECTS) $(libstrongswan_eap_radius_la_DEPENDENCIES) 
+libstrongswan-eap-radius.la: $(libstrongswan_eap_radius_la_OBJECTS) $(libstrongswan_eap_radius_la_DEPENDENCIES) $(EXTRA_libstrongswan_eap_radius_la_DEPENDENCIES) 
 	$(libstrongswan_eap_radius_la_LINK) $(am_libstrongswan_eap_radius_la_rpath) $(libstrongswan_eap_radius_la_OBJECTS) $(libstrongswan_eap_radius_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
@@ -522,10 +531,15 @@ install-am: all-am
 
 installcheck: installcheck-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
diff --git a/src/libcharon/plugins/eap_radius/eap_radius.c b/src/libcharon/plugins/eap_radius/eap_radius.c
index 870ed1fc0..6009d3a1f 100644
--- a/src/libcharon/plugins/eap_radius/eap_radius.c
+++ b/src/libcharon/plugins/eap_radius/eap_radius.c
@@ -181,9 +181,23 @@ METHOD(eap_method_t, initiate, status_t,
 	if (response)
 	{
 		eap_radius_forward_to_ike(response);
-		if (radius2ike(this, response, out))
+		switch (response->get_code(response))
 		{
-			status = NEED_MORE;
+			case RMC_ACCESS_CHALLENGE:
+				if (radius2ike(this, response, out))
+				{
+					status = NEED_MORE;
+				}
+				break;
+			case RMC_ACCESS_ACCEPT:
+				/* Microsoft RADIUS servers can run in a mode where they respond
+				 * like this on the first request (i.e. without authentication),
+				 * we treat this as Access-Reject */
+			case RMC_ACCESS_REJECT:
+			default:
+				DBG1(DBG_IKE, "RADIUS authentication of '%Y' failed",
+					 this->peer);
+				break;
 		}
 		response->destroy(response);
 	}
@@ -365,7 +379,8 @@ METHOD(eap_method_t, process, status_t,
 				break;
 			case RMC_ACCESS_REJECT:
 			default:
-				DBG1(DBG_IKE, "RADIUS authentication of '%Y' failed", this->peer);
+				DBG1(DBG_IKE, "RADIUS authentication of '%Y' failed",
+					 this->peer);
 				status = FAILED;
 				break;
 		}
diff --git a/src/libcharon/plugins/eap_radius/eap_radius_accounting.c b/src/libcharon/plugins/eap_radius/eap_radius_accounting.c
index f164f67ed..3c72c122d 100644
--- a/src/libcharon/plugins/eap_radius/eap_radius_accounting.c
+++ b/src/libcharon/plugins/eap_radius/eap_radius_accounting.c
@@ -21,7 +21,7 @@
 #include <radius_message.h>
 #include <radius_client.h>
 #include <daemon.h>
-#include <utils/hashtable.h>
+#include <collections/hashtable.h>
 #include <threading/mutex.h>
 
 typedef struct private_eap_radius_accounting_t private_eap_radius_accounting_t;
@@ -301,6 +301,28 @@ METHOD(listener_t, message_hook, bool,
 	return TRUE;
 }
 
+METHOD(listener_t, ike_rekey, bool,
+	private_eap_radius_accounting_t *this, ike_sa_t *old, ike_sa_t *new)
+{
+	entry_t *entry;
+
+	this->mutex->lock(this->mutex);
+	entry = this->sessions->remove(this->sessions,
+							(void*)(uintptr_t)old->get_unique_id(old));
+	if (entry)
+	{
+		entry = this->sessions->put(this->sessions,
+							(void*)(uintptr_t)new->get_unique_id(new), entry);
+		if (entry)
+		{
+			free(entry);
+		}
+	}
+	this->mutex->unlock(this->mutex);
+
+	return TRUE;
+}
+
 METHOD(listener_t, child_rekey, bool,
 	private_eap_radius_accounting_t *this, ike_sa_t *ike_sa,
 	child_sa_t *old, child_sa_t *new)
@@ -340,6 +362,7 @@ eap_radius_accounting_t *eap_radius_accounting_create()
 		.public = {
 			.listener = {
 				.ike_updown = _ike_updown,
+				.ike_rekey = _ike_rekey,
 				.message = _message_hook,
 				.child_updown = _child_updown,
 				.child_rekey = _child_rekey,
diff --git a/src/libcharon/plugins/eap_radius/eap_radius_forward.c b/src/libcharon/plugins/eap_radius/eap_radius_forward.c
index 2dd38ea2f..e9124877c 100644
--- a/src/libcharon/plugins/eap_radius/eap_radius_forward.c
+++ b/src/libcharon/plugins/eap_radius/eap_radius_forward.c
@@ -16,8 +16,8 @@
 #include "eap_radius_forward.h"
 
 #include <daemon.h>
-#include <utils/linked_list.h>
-#include <utils/hashtable.h>
+#include <collections/linked_list.h>
+#include <collections/hashtable.h>
 #include <threading/mutex.h>
 
 typedef struct private_eap_radius_forward_t private_eap_radius_forward_t;
diff --git a/src/libcharon/plugins/eap_sim/Makefile.in b/src/libcharon/plugins/eap_sim/Makefile.in
index 99a5c1cc5..8cf79e503 100644
--- a/src/libcharon/plugins/eap_sim/Makefile.in
+++ b/src/libcharon/plugins/eap_sim/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -73,6 +73,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
 am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
 am__installdirs = "$(DESTDIR)$(plugindir)"
 LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
 @MONOLITHIC_FALSE@libstrongswan_eap_sim_la_DEPENDENCIES =  \
@@ -124,6 +130,7 @@ CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -151,6 +158,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -178,6 +186,7 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
@@ -190,6 +199,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -243,7 +253,6 @@ libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -377,7 +386,7 @@ clean-pluginLTLIBRARIES:
 	  echo "rm -f \"$${dir}/so_locations\""; \
 	  rm -f "$${dir}/so_locations"; \
 	done
-libstrongswan-eap-sim.la: $(libstrongswan_eap_sim_la_OBJECTS) $(libstrongswan_eap_sim_la_DEPENDENCIES) 
+libstrongswan-eap-sim.la: $(libstrongswan_eap_sim_la_OBJECTS) $(libstrongswan_eap_sim_la_DEPENDENCIES) $(EXTRA_libstrongswan_eap_sim_la_DEPENDENCIES) 
 	$(libstrongswan_eap_sim_la_LINK) $(am_libstrongswan_eap_sim_la_rpath) $(libstrongswan_eap_sim_la_OBJECTS) $(libstrongswan_eap_sim_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
@@ -516,10 +525,15 @@ install-am: all-am
 
 installcheck: installcheck-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
diff --git a/src/libcharon/plugins/eap_sim_file/Makefile.in b/src/libcharon/plugins/eap_sim_file/Makefile.in
index d1caa30c4..781087d3b 100644
--- a/src/libcharon/plugins/eap_sim_file/Makefile.in
+++ b/src/libcharon/plugins/eap_sim_file/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -73,6 +73,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
 am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
 am__installdirs = "$(DESTDIR)$(plugindir)"
 LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
 @MONOLITHIC_FALSE@libstrongswan_eap_sim_file_la_DEPENDENCIES =  \
@@ -126,6 +132,7 @@ CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -153,6 +160,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -180,6 +188,7 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
@@ -192,6 +201,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -245,7 +255,6 @@ libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -380,7 +389,7 @@ clean-pluginLTLIBRARIES:
 	  echo "rm -f \"$${dir}/so_locations\""; \
 	  rm -f "$${dir}/so_locations"; \
 	done
-libstrongswan-eap-sim-file.la: $(libstrongswan_eap_sim_file_la_OBJECTS) $(libstrongswan_eap_sim_file_la_DEPENDENCIES) 
+libstrongswan-eap-sim-file.la: $(libstrongswan_eap_sim_file_la_OBJECTS) $(libstrongswan_eap_sim_file_la_DEPENDENCIES) $(EXTRA_libstrongswan_eap_sim_file_la_DEPENDENCIES) 
 	$(libstrongswan_eap_sim_file_la_LINK) $(am_libstrongswan_eap_sim_file_la_rpath) $(libstrongswan_eap_sim_file_la_OBJECTS) $(libstrongswan_eap_sim_file_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
@@ -520,10 +529,15 @@ install-am: all-am
 
 installcheck: installcheck-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
diff --git a/src/libcharon/plugins/eap_sim_file/eap_sim_file_triplets.c b/src/libcharon/plugins/eap_sim_file/eap_sim_file_triplets.c
index de3b69382..ec1686910 100644
--- a/src/libcharon/plugins/eap_sim_file/eap_sim_file_triplets.c
+++ b/src/libcharon/plugins/eap_sim_file/eap_sim_file_triplets.c
@@ -19,7 +19,7 @@
 #include <errno.h>
 
 #include <daemon.h>
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
 #include <threading/mutex.h>
 #include <simaka_manager.h>
 
diff --git a/src/libcharon/plugins/eap_sim_file/eap_sim_file_triplets.h b/src/libcharon/plugins/eap_sim_file/eap_sim_file_triplets.h
index c8e9e0359..3fa0ea381 100644
--- a/src/libcharon/plugins/eap_sim_file/eap_sim_file_triplets.h
+++ b/src/libcharon/plugins/eap_sim_file/eap_sim_file_triplets.h
@@ -21,7 +21,7 @@
 #ifndef EAP_SIM_FILE_TRIPLETS_H_
 #define EAP_SIM_FILE_TRIPLETS_H_
 
-#include <utils/enumerator.h>
+#include <collections/enumerator.h>
 
 typedef struct eap_sim_file_triplets_t eap_sim_file_triplets_t;
 
diff --git a/src/libcharon/plugins/eap_sim_pcsc/Makefile.in b/src/libcharon/plugins/eap_sim_pcsc/Makefile.in
index 83d931883..168b0e3d6 100644
--- a/src/libcharon/plugins/eap_sim_pcsc/Makefile.in
+++ b/src/libcharon/plugins/eap_sim_pcsc/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -74,6 +74,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
 am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
 am__installdirs = "$(DESTDIR)$(plugindir)"
 LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
 am__DEPENDENCIES_1 =
@@ -127,6 +133,7 @@ CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -154,6 +161,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -181,6 +189,7 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
@@ -193,6 +202,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -246,7 +256,6 @@ libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -380,7 +389,7 @@ clean-pluginLTLIBRARIES:
 	  echo "rm -f \"$${dir}/so_locations\""; \
 	  rm -f "$${dir}/so_locations"; \
 	done
-libstrongswan-eap-sim-pcsc.la: $(libstrongswan_eap_sim_pcsc_la_OBJECTS) $(libstrongswan_eap_sim_pcsc_la_DEPENDENCIES) 
+libstrongswan-eap-sim-pcsc.la: $(libstrongswan_eap_sim_pcsc_la_OBJECTS) $(libstrongswan_eap_sim_pcsc_la_DEPENDENCIES) $(EXTRA_libstrongswan_eap_sim_pcsc_la_DEPENDENCIES) 
 	$(libstrongswan_eap_sim_pcsc_la_LINK) $(am_libstrongswan_eap_sim_pcsc_la_rpath) $(libstrongswan_eap_sim_pcsc_la_OBJECTS) $(libstrongswan_eap_sim_pcsc_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
@@ -518,10 +527,15 @@ install-am: all-am
 
 installcheck: installcheck-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
diff --git a/src/libcharon/plugins/eap_simaka_pseudonym/Makefile.in b/src/libcharon/plugins/eap_simaka_pseudonym/Makefile.in
index e8436f2b6..63ef0db8e 100644
--- a/src/libcharon/plugins/eap_simaka_pseudonym/Makefile.in
+++ b/src/libcharon/plugins/eap_simaka_pseudonym/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -73,6 +73,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
 am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
 am__installdirs = "$(DESTDIR)$(plugindir)"
 LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
 @MONOLITHIC_FALSE@libstrongswan_eap_simaka_pseudonym_la_DEPENDENCIES =  \
@@ -127,6 +133,7 @@ CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -154,6 +161,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -181,6 +189,7 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
@@ -193,6 +202,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -246,7 +256,6 @@ libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -380,7 +389,7 @@ clean-pluginLTLIBRARIES:
 	  echo "rm -f \"$${dir}/so_locations\""; \
 	  rm -f "$${dir}/so_locations"; \
 	done
-libstrongswan-eap-simaka-pseudonym.la: $(libstrongswan_eap_simaka_pseudonym_la_OBJECTS) $(libstrongswan_eap_simaka_pseudonym_la_DEPENDENCIES) 
+libstrongswan-eap-simaka-pseudonym.la: $(libstrongswan_eap_simaka_pseudonym_la_OBJECTS) $(libstrongswan_eap_simaka_pseudonym_la_DEPENDENCIES) $(EXTRA_libstrongswan_eap_simaka_pseudonym_la_DEPENDENCIES) 
 	$(libstrongswan_eap_simaka_pseudonym_la_LINK) $(am_libstrongswan_eap_simaka_pseudonym_la_rpath) $(libstrongswan_eap_simaka_pseudonym_la_OBJECTS) $(libstrongswan_eap_simaka_pseudonym_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
@@ -519,10 +528,15 @@ install-am: all-am
 
 installcheck: installcheck-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
diff --git a/src/libcharon/plugins/eap_simaka_pseudonym/eap_simaka_pseudonym_card.c b/src/libcharon/plugins/eap_simaka_pseudonym/eap_simaka_pseudonym_card.c
index 5f78c967a..b5bbdd60f 100644
--- a/src/libcharon/plugins/eap_simaka_pseudonym/eap_simaka_pseudonym_card.c
+++ b/src/libcharon/plugins/eap_simaka_pseudonym/eap_simaka_pseudonym_card.c
@@ -16,7 +16,7 @@
 #include "eap_simaka_pseudonym_card.h"
 
 #include <daemon.h>
-#include <utils/hashtable.h>
+#include <collections/hashtable.h>
 
 typedef struct private_eap_simaka_pseudonym_card_t private_eap_simaka_pseudonym_card_t;
 
diff --git a/src/libcharon/plugins/eap_simaka_pseudonym/eap_simaka_pseudonym_provider.c b/src/libcharon/plugins/eap_simaka_pseudonym/eap_simaka_pseudonym_provider.c
index 3070b808a..3c63e82a9 100644
--- a/src/libcharon/plugins/eap_simaka_pseudonym/eap_simaka_pseudonym_provider.c
+++ b/src/libcharon/plugins/eap_simaka_pseudonym/eap_simaka_pseudonym_provider.c
@@ -15,8 +15,8 @@
 
 #include "eap_simaka_pseudonym_provider.h"
 
-#include <debug.h>
-#include <utils/hashtable.h>
+#include <utils/debug.h>
+#include <collections/hashtable.h>
 
 typedef struct private_eap_simaka_pseudonym_provider_t private_eap_simaka_pseudonym_provider_t;
 
diff --git a/src/libcharon/plugins/eap_simaka_reauth/Makefile.in b/src/libcharon/plugins/eap_simaka_reauth/Makefile.in
index 627f8c12e..daf329ce2 100644
--- a/src/libcharon/plugins/eap_simaka_reauth/Makefile.in
+++ b/src/libcharon/plugins/eap_simaka_reauth/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -73,6 +73,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
 am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
 am__installdirs = "$(DESTDIR)$(plugindir)"
 LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
 @MONOLITHIC_FALSE@libstrongswan_eap_simaka_reauth_la_DEPENDENCIES =  \
@@ -126,6 +132,7 @@ CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -153,6 +160,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -180,6 +188,7 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
@@ -192,6 +201,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -245,7 +255,6 @@ libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -379,7 +388,7 @@ clean-pluginLTLIBRARIES:
 	  echo "rm -f \"$${dir}/so_locations\""; \
 	  rm -f "$${dir}/so_locations"; \
 	done
-libstrongswan-eap-simaka-reauth.la: $(libstrongswan_eap_simaka_reauth_la_OBJECTS) $(libstrongswan_eap_simaka_reauth_la_DEPENDENCIES) 
+libstrongswan-eap-simaka-reauth.la: $(libstrongswan_eap_simaka_reauth_la_OBJECTS) $(libstrongswan_eap_simaka_reauth_la_DEPENDENCIES) $(EXTRA_libstrongswan_eap_simaka_reauth_la_DEPENDENCIES) 
 	$(libstrongswan_eap_simaka_reauth_la_LINK) $(am_libstrongswan_eap_simaka_reauth_la_rpath) $(libstrongswan_eap_simaka_reauth_la_OBJECTS) $(libstrongswan_eap_simaka_reauth_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
@@ -518,10 +527,15 @@ install-am: all-am
 
 installcheck: installcheck-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
diff --git a/src/libcharon/plugins/eap_simaka_reauth/eap_simaka_reauth_card.c b/src/libcharon/plugins/eap_simaka_reauth/eap_simaka_reauth_card.c
index 870d72781..5bc5fd382 100644
--- a/src/libcharon/plugins/eap_simaka_reauth/eap_simaka_reauth_card.c
+++ b/src/libcharon/plugins/eap_simaka_reauth/eap_simaka_reauth_card.c
@@ -16,7 +16,7 @@
 #include "eap_simaka_reauth_card.h"
 
 #include <daemon.h>
-#include <utils/hashtable.h>
+#include <collections/hashtable.h>
 
 typedef struct private_eap_simaka_reauth_card_t private_eap_simaka_reauth_card_t;
 
diff --git a/src/libcharon/plugins/eap_simaka_reauth/eap_simaka_reauth_provider.c b/src/libcharon/plugins/eap_simaka_reauth/eap_simaka_reauth_provider.c
index b1a9a7f7c..937095ec1 100644
--- a/src/libcharon/plugins/eap_simaka_reauth/eap_simaka_reauth_provider.c
+++ b/src/libcharon/plugins/eap_simaka_reauth/eap_simaka_reauth_provider.c
@@ -16,7 +16,7 @@
 #include "eap_simaka_reauth_provider.h"
 
 #include <daemon.h>
-#include <utils/hashtable.h>
+#include <collections/hashtable.h>
 
 typedef struct private_eap_simaka_reauth_provider_t private_eap_simaka_reauth_provider_t;
 
diff --git a/src/libcharon/plugins/eap_simaka_sql/Makefile.in b/src/libcharon/plugins/eap_simaka_sql/Makefile.in
index 8030190f8..b72fc42e9 100644
--- a/src/libcharon/plugins/eap_simaka_sql/Makefile.in
+++ b/src/libcharon/plugins/eap_simaka_sql/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -73,6 +73,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
 am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
 am__installdirs = "$(DESTDIR)$(plugindir)"
 LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
 @MONOLITHIC_FALSE@libstrongswan_eap_simaka_sql_la_DEPENDENCIES =  \
@@ -125,6 +131,7 @@ CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -152,6 +159,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -179,6 +187,7 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
@@ -191,6 +200,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -244,7 +254,6 @@ libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -378,7 +387,7 @@ clean-pluginLTLIBRARIES:
 	  echo "rm -f \"$${dir}/so_locations\""; \
 	  rm -f "$${dir}/so_locations"; \
 	done
-libstrongswan-eap-simaka-sql.la: $(libstrongswan_eap_simaka_sql_la_OBJECTS) $(libstrongswan_eap_simaka_sql_la_DEPENDENCIES) 
+libstrongswan-eap-simaka-sql.la: $(libstrongswan_eap_simaka_sql_la_OBJECTS) $(libstrongswan_eap_simaka_sql_la_DEPENDENCIES) $(EXTRA_libstrongswan_eap_simaka_sql_la_DEPENDENCIES) 
 	$(libstrongswan_eap_simaka_sql_la_LINK) $(am_libstrongswan_eap_simaka_sql_la_rpath) $(libstrongswan_eap_simaka_sql_la_OBJECTS) $(libstrongswan_eap_simaka_sql_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
@@ -517,10 +526,15 @@ install-am: all-am
 
 installcheck: installcheck-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
diff --git a/src/libcharon/plugins/eap_tls/Makefile.in b/src/libcharon/plugins/eap_tls/Makefile.in
index 55e03b2f7..095eff6cf 100644
--- a/src/libcharon/plugins/eap_tls/Makefile.in
+++ b/src/libcharon/plugins/eap_tls/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -73,6 +73,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
 am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
 am__installdirs = "$(DESTDIR)$(plugindir)"
 LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
 @MONOLITHIC_FALSE@libstrongswan_eap_tls_la_DEPENDENCIES =  \
@@ -123,6 +129,7 @@ CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -150,6 +157,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -177,6 +185,7 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
@@ -189,6 +198,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -242,7 +252,6 @@ libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -374,7 +383,7 @@ clean-pluginLTLIBRARIES:
 	  echo "rm -f \"$${dir}/so_locations\""; \
 	  rm -f "$${dir}/so_locations"; \
 	done
-libstrongswan-eap-tls.la: $(libstrongswan_eap_tls_la_OBJECTS) $(libstrongswan_eap_tls_la_DEPENDENCIES) 
+libstrongswan-eap-tls.la: $(libstrongswan_eap_tls_la_OBJECTS) $(libstrongswan_eap_tls_la_DEPENDENCIES) $(EXTRA_libstrongswan_eap_tls_la_DEPENDENCIES) 
 	$(libstrongswan_eap_tls_la_LINK) $(am_libstrongswan_eap_tls_la_rpath) $(libstrongswan_eap_tls_la_OBJECTS) $(libstrongswan_eap_tls_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
@@ -512,10 +521,15 @@ install-am: all-am
 
 installcheck: installcheck-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
diff --git a/src/libcharon/plugins/eap_tnc/Makefile.in b/src/libcharon/plugins/eap_tnc/Makefile.in
index c452f7e16..60a6d6de6 100644
--- a/src/libcharon/plugins/eap_tnc/Makefile.in
+++ b/src/libcharon/plugins/eap_tnc/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -73,6 +73,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
 am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
 am__installdirs = "$(DESTDIR)$(plugindir)"
 LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
 @MONOLITHIC_FALSE@libstrongswan_eap_tnc_la_DEPENDENCIES =  \
@@ -124,6 +130,7 @@ CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -151,6 +158,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -178,6 +186,7 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
@@ -190,6 +199,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -243,7 +253,6 @@ libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -383,7 +392,7 @@ clean-pluginLTLIBRARIES:
 	  echo "rm -f \"$${dir}/so_locations\""; \
 	  rm -f "$${dir}/so_locations"; \
 	done
-libstrongswan-eap-tnc.la: $(libstrongswan_eap_tnc_la_OBJECTS) $(libstrongswan_eap_tnc_la_DEPENDENCIES) 
+libstrongswan-eap-tnc.la: $(libstrongswan_eap_tnc_la_OBJECTS) $(libstrongswan_eap_tnc_la_DEPENDENCIES) $(EXTRA_libstrongswan_eap_tnc_la_DEPENDENCIES) 
 	$(libstrongswan_eap_tnc_la_LINK) $(am_libstrongswan_eap_tnc_la_rpath) $(libstrongswan_eap_tnc_la_OBJECTS) $(libstrongswan_eap_tnc_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
@@ -521,10 +530,15 @@ install-am: all-am
 
 installcheck: installcheck-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
diff --git a/src/libcharon/plugins/eap_tnc/eap_tnc.c b/src/libcharon/plugins/eap_tnc/eap_tnc.c
index 7efc0fec5..ffa1bae39 100644
--- a/src/libcharon/plugins/eap_tnc/eap_tnc.c
+++ b/src/libcharon/plugins/eap_tnc/eap_tnc.c
@@ -18,7 +18,7 @@
 #include <tnc/tnc.h>
 #include <tnc/tnccs/tnccs_manager.h>
 #include <tls_eap.h>
-#include <debug.h>
+#include <utils/debug.h>
 #include <daemon.h>
 
 /**
diff --git a/src/libcharon/plugins/eap_ttls/Makefile.in b/src/libcharon/plugins/eap_ttls/Makefile.in
index 95a5c1fda..f3ec17b0f 100644
--- a/src/libcharon/plugins/eap_ttls/Makefile.in
+++ b/src/libcharon/plugins/eap_ttls/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -73,6 +73,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
 am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
 am__installdirs = "$(DESTDIR)$(plugindir)"
 LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
 @MONOLITHIC_FALSE@libstrongswan_eap_ttls_la_DEPENDENCIES =  \
@@ -126,6 +132,7 @@ CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -153,6 +160,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -180,6 +188,7 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
@@ -192,6 +201,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -245,7 +255,6 @@ libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -382,7 +391,7 @@ clean-pluginLTLIBRARIES:
 	  echo "rm -f \"$${dir}/so_locations\""; \
 	  rm -f "$${dir}/so_locations"; \
 	done
-libstrongswan-eap-ttls.la: $(libstrongswan_eap_ttls_la_OBJECTS) $(libstrongswan_eap_ttls_la_DEPENDENCIES) 
+libstrongswan-eap-ttls.la: $(libstrongswan_eap_ttls_la_OBJECTS) $(libstrongswan_eap_ttls_la_DEPENDENCIES) $(EXTRA_libstrongswan_eap_ttls_la_DEPENDENCIES) 
 	$(libstrongswan_eap_ttls_la_LINK) $(am_libstrongswan_eap_ttls_la_rpath) $(libstrongswan_eap_ttls_la_OBJECTS) $(libstrongswan_eap_ttls_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
@@ -523,10 +532,15 @@ install-am: all-am
 
 installcheck: installcheck-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
diff --git a/src/libcharon/plugins/eap_ttls/eap_ttls_avp.c b/src/libcharon/plugins/eap_ttls/eap_ttls_avp.c
index 0d531c437..47e0f8afb 100644
--- a/src/libcharon/plugins/eap_ttls/eap_ttls_avp.c
+++ b/src/libcharon/plugins/eap_ttls/eap_ttls_avp.c
@@ -15,7 +15,7 @@
 
 #include "eap_ttls_avp.h"
 
-#include <debug.h>
+#include <utils/debug.h>
 
 #define AVP_EAP_MESSAGE		79
 #define AVP_HEADER_LEN		 8
diff --git a/src/libcharon/plugins/eap_ttls/eap_ttls_peer.c b/src/libcharon/plugins/eap_ttls/eap_ttls_peer.c
index 00a4da3f8..66c9deed8 100644
--- a/src/libcharon/plugins/eap_ttls/eap_ttls_peer.c
+++ b/src/libcharon/plugins/eap_ttls/eap_ttls_peer.c
@@ -16,7 +16,7 @@
 #include "eap_ttls_peer.h"
 #include "eap_ttls_avp.h"
 
-#include <debug.h>
+#include <utils/debug.h>
 #include <daemon.h>
 #include <radius_message.h>
 #include <sa/eap/eap_method.h>
diff --git a/src/libcharon/plugins/eap_ttls/eap_ttls_server.c b/src/libcharon/plugins/eap_ttls/eap_ttls_server.c
index 1418d6a4d..464de17ba 100644
--- a/src/libcharon/plugins/eap_ttls/eap_ttls_server.c
+++ b/src/libcharon/plugins/eap_ttls/eap_ttls_server.c
@@ -16,7 +16,7 @@
 #include "eap_ttls_server.h"
 #include "eap_ttls_avp.h"
 
-#include <debug.h>
+#include <utils/debug.h>
 #include <daemon.h>
 
 #include <sa/eap/eap_method.h>
diff --git a/src/libcharon/plugins/error_notify/Makefile.am b/src/libcharon/plugins/error_notify/Makefile.am
new file mode 100644
index 000000000..fccd25201
--- /dev/null
+++ b/src/libcharon/plugins/error_notify/Makefile.am
@@ -0,0 +1,23 @@
+
+INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon
+
+AM_CFLAGS = -rdynamic \
+	-DIPSEC_PIDDIR=\"${piddir}\"
+
+if MONOLITHIC
+noinst_LTLIBRARIES = libstrongswan-error-notify.la
+else
+plugin_LTLIBRARIES = libstrongswan-error-notify.la
+endif
+
+libstrongswan_error_notify_la_SOURCES = \
+	error_notify_plugin.h error_notify_plugin.c \
+	error_notify_socket.h error_notify_socket.c \
+	error_notify_listener.h error_notify_listener.c \
+	error_notify_msg.h
+
+libstrongswan_error_notify_la_LDFLAGS = -module -avoid-version
+
+ipsec_PROGRAMS = error-notify
+error_notify_SOURCES = error_notify.c
diff --git a/src/libcharon/plugins/error_notify/Makefile.in b/src/libcharon/plugins/error_notify/Makefile.in
new file mode 100644
index 000000000..814304dce
--- /dev/null
+++ b/src/libcharon/plugins/error_notify/Makefile.in
@@ -0,0 +1,698 @@
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+
+VPATH = @srcdir@
+pkgdatadir = $(datadir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+ipsec_PROGRAMS = error-notify$(EXEEXT)
+subdir = src/libcharon/plugins/error_notify
+DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+	$(top_srcdir)/m4/config/ltoptions.m4 \
+	$(top_srcdir)/m4/config/ltsugar.m4 \
+	$(top_srcdir)/m4/config/ltversion.m4 \
+	$(top_srcdir)/m4/config/lt~obsolete.m4 \
+	$(top_srcdir)/m4/macros/with.m4 \
+	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
+	$(top_srcdir)/configure.in
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+	$(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_HEADER = $(top_builddir)/config.h
+CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+    *) f=$$p;; \
+  esac;
+am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
+am__install_max = 40
+am__nobase_strip_setup = \
+  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
+am__nobase_strip = \
+  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
+am__nobase_list = $(am__nobase_strip_setup); \
+  for p in $$list; do echo "$$p $$p"; done | \
+  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
+  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
+    if (++n[$$2] == $(am__install_max)) \
+      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
+    END { for (dir in files) print dir, files[dir] }'
+am__base_list = \
+  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
+  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
+am__installdirs = "$(DESTDIR)$(plugindir)" "$(DESTDIR)$(ipsecdir)"
+LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
+libstrongswan_error_notify_la_LIBADD =
+am_libstrongswan_error_notify_la_OBJECTS = error_notify_plugin.lo \
+	error_notify_socket.lo error_notify_listener.lo
+libstrongswan_error_notify_la_OBJECTS =  \
+	$(am_libstrongswan_error_notify_la_OBJECTS)
+libstrongswan_error_notify_la_LINK = $(LIBTOOL) --tag=CC \
+	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
+	$(AM_CFLAGS) $(CFLAGS) \
+	$(libstrongswan_error_notify_la_LDFLAGS) $(LDFLAGS) -o $@
+@MONOLITHIC_FALSE@am_libstrongswan_error_notify_la_rpath = -rpath \
+@MONOLITHIC_FALSE@	$(plugindir)
+@MONOLITHIC_TRUE@am_libstrongswan_error_notify_la_rpath =
+PROGRAMS = $(ipsec_PROGRAMS)
+am_error_notify_OBJECTS = error_notify.$(OBJEXT)
+error_notify_OBJECTS = $(am_error_notify_OBJECTS)
+error_notify_LDADD = $(LDADD)
+DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
+depcomp = $(SHELL) $(top_srcdir)/depcomp
+am__depfiles_maybe = depfiles
+am__mv = mv -f
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
+	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CCLD = $(CC)
+LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
+	$(LDFLAGS) -o $@
+SOURCES = $(libstrongswan_error_notify_la_SOURCES) \
+	$(error_notify_SOURCES)
+DIST_SOURCES = $(libstrongswan_error_notify_la_SOURCES) \
+	$(error_notify_SOURCES)
+ETAGS = etags
+CTAGS = ctags
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
+AMTAR = @AMTAR@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+BFDLIB = @BFDLIB@
+BTLIB = @BTLIB@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
+DSYMUTIL = @DSYMUTIL@
+DUMPBIN = @DUMPBIN@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+FGREP = @FGREP@
+GPERF = @GPERF@
+GREP = @GREP@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LD = @LD@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LIPO = @LIPO@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
+MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
+NM = @NM@
+NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
+PTHREADLIB = @PTHREADLIB@
+RANLIB = @RANLIB@
+RTLIB = @RTLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
+SED = @SED@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
+STRIP = @STRIP@
+VERSION = @VERSION@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+attest_plugins = @attest_plugins@
+axis2c_CFLAGS = @axis2c_CFLAGS@
+axis2c_LIBS = @axis2c_LIBS@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+c_plugins = @c_plugins@
+charon_natt_port = @charon_natt_port@
+charon_plugins = @charon_plugins@
+charon_udp_port = @charon_udp_port@
+clearsilver_LIBS = @clearsilver_LIBS@
+datadir = @datadir@
+datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
+dev_headers = @dev_headers@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+gtk_CFLAGS = @gtk_CFLAGS@
+gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+imcvdir = @imcvdir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+ipsec_script = @ipsec_script@
+ipsec_script_upper = @ipsec_script_upper@
+ipsecdir = @ipsecdir@
+ipsecgroup = @ipsecgroup@
+ipseclibdir = @ipseclibdir@
+ipsecuser = @ipsecuser@
+libdir = @libdir@
+libexecdir = @libexecdir@
+linux_headers = @linux_headers@
+localedir = @localedir@
+localstatedir = @localstatedir@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
+mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
+mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
+nm_plugins = @nm_plugins@
+oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
+pcsclite_CFLAGS = @pcsclite_CFLAGS@
+pcsclite_LIBS = @pcsclite_LIBS@
+pdfdir = @pdfdir@
+piddir = @piddir@
+pki_plugins = @pki_plugins@
+plugindir = @plugindir@
+pool_plugins = @pool_plugins@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+random_device = @random_device@
+resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
+sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
+sharedstatedir = @sharedstatedir@
+soup_CFLAGS = @soup_CFLAGS@
+soup_LIBS = @soup_LIBS@
+srcdir = @srcdir@
+starter_plugins = @starter_plugins@
+strongswan_conf = @strongswan_conf@
+sysconfdir = @sysconfdir@
+systemdsystemunitdir = @systemdsystemunitdir@
+target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+urandom_device = @urandom_device@
+xml_CFLAGS = @xml_CFLAGS@
+xml_LIBS = @xml_LIBS@
+INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon
+
+AM_CFLAGS = -rdynamic \
+	-DIPSEC_PIDDIR=\"${piddir}\"
+
+@MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-error-notify.la
+@MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-error-notify.la
+libstrongswan_error_notify_la_SOURCES = \
+	error_notify_plugin.h error_notify_plugin.c \
+	error_notify_socket.h error_notify_socket.c \
+	error_notify_listener.h error_notify_listener.c \
+	error_notify_msg.h
+
+libstrongswan_error_notify_la_LDFLAGS = -module -avoid-version
+error_notify_SOURCES = error_notify.c
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .c .lo .o .obj
+$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
+	@for dep in $?; do \
+	  case '$(am__configure_deps)' in \
+	    *$$dep*) \
+	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+	        && { if test -f $@; then exit 0; else break; fi; }; \
+	      exit 1;; \
+	  esac; \
+	done; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libcharon/plugins/error_notify/Makefile'; \
+	$(am__cd) $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu src/libcharon/plugins/error_notify/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+	@case '$?' in \
+	  *config.status*) \
+	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+	  *) \
+	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+	esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure:  $(am__configure_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
+
+clean-noinstLTLIBRARIES:
+	-test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES)
+	@list='$(noinst_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
+	@$(NORMAL_INSTALL)
+	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	list2=; for p in $$list; do \
+	  if test -f $$p; then \
+	    list2="$$list2 $$p"; \
+	  else :; fi; \
+	done; \
+	test -z "$$list2" || { \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
+	}
+
+uninstall-pluginLTLIBRARIES:
+	@$(NORMAL_UNINSTALL)
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	for p in $$list; do \
+	  $(am__strip_dir) \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \
+	done
+
+clean-pluginLTLIBRARIES:
+	-test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES)
+	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+libstrongswan-error-notify.la: $(libstrongswan_error_notify_la_OBJECTS) $(libstrongswan_error_notify_la_DEPENDENCIES) $(EXTRA_libstrongswan_error_notify_la_DEPENDENCIES) 
+	$(libstrongswan_error_notify_la_LINK) $(am_libstrongswan_error_notify_la_rpath) $(libstrongswan_error_notify_la_OBJECTS) $(libstrongswan_error_notify_la_LIBADD) $(LIBS)
+install-ipsecPROGRAMS: $(ipsec_PROGRAMS)
+	@$(NORMAL_INSTALL)
+	test -z "$(ipsecdir)" || $(MKDIR_P) "$(DESTDIR)$(ipsecdir)"
+	@list='$(ipsec_PROGRAMS)'; test -n "$(ipsecdir)" || list=; \
+	for p in $$list; do echo "$$p $$p"; done | \
+	sed 's/$(EXEEXT)$$//' | \
+	while read p p1; do if test -f $$p || test -f $$p1; \
+	  then echo "$$p"; echo "$$p"; else :; fi; \
+	done | \
+	sed -e 'p;s,.*/,,;n;h' -e 's|.*|.|' \
+	    -e 'p;x;s,.*/,,;s/$(EXEEXT)$$//;$(transform);s/$$/$(EXEEXT)/' | \
+	sed 'N;N;N;s,\n, ,g' | \
+	$(AWK) 'BEGIN { files["."] = ""; dirs["."] = 1 } \
+	  { d=$$3; if (dirs[d] != 1) { print "d", d; dirs[d] = 1 } \
+	    if ($$2 == $$4) files[d] = files[d] " " $$1; \
+	    else { print "f", $$3 "/" $$4, $$1; } } \
+	  END { for (d in files) print "f", d, files[d] }' | \
+	while read type dir files; do \
+	    if test "$$dir" = .; then dir=; else dir=/$$dir; fi; \
+	    test -z "$$files" || { \
+	    echo " $(INSTALL_PROGRAM_ENV) $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL_PROGRAM) $$files '$(DESTDIR)$(ipsecdir)$$dir'"; \
+	    $(INSTALL_PROGRAM_ENV) $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL_PROGRAM) $$files "$(DESTDIR)$(ipsecdir)$$dir" || exit $$?; \
+	    } \
+	; done
+
+uninstall-ipsecPROGRAMS:
+	@$(NORMAL_UNINSTALL)
+	@list='$(ipsec_PROGRAMS)'; test -n "$(ipsecdir)" || list=; \
+	files=`for p in $$list; do echo "$$p"; done | \
+	  sed -e 'h;s,^.*/,,;s/$(EXEEXT)$$//;$(transform)' \
+	      -e 's/$$/$(EXEEXT)/' `; \
+	test -n "$$list" || exit 0; \
+	echo " ( cd '$(DESTDIR)$(ipsecdir)' && rm -f" $$files ")"; \
+	cd "$(DESTDIR)$(ipsecdir)" && rm -f $$files
+
+clean-ipsecPROGRAMS:
+	@list='$(ipsec_PROGRAMS)'; test -n "$$list" || exit 0; \
+	echo " rm -f" $$list; \
+	rm -f $$list || exit $$?; \
+	test -n "$(EXEEXT)" || exit 0; \
+	list=`for p in $$list; do echo "$$p"; done | sed 's/$(EXEEXT)$$//'`; \
+	echo " rm -f" $$list; \
+	rm -f $$list
+error-notify$(EXEEXT): $(error_notify_OBJECTS) $(error_notify_DEPENDENCIES) $(EXTRA_error_notify_DEPENDENCIES) 
+	@rm -f error-notify$(EXEEXT)
+	$(LINK) $(error_notify_OBJECTS) $(error_notify_LDADD) $(LIBS)
+
+mostlyclean-compile:
+	-rm -f *.$(OBJEXT)
+
+distclean-compile:
+	-rm -f *.tab.c
+
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/error_notify.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/error_notify_listener.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/error_notify_plugin.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/error_notify_socket.Plo@am__quote@
+
+.c.o:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+
+.c.obj:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+
+.c.lo:
+@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	mkid -fID $$unique
+tags: TAGS
+
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	set x; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	shift; \
+	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
+	  test -n "$$unique" || unique=$$empty_fix; \
+	  if test $$# -gt 0; then \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      "$$@" $$unique; \
+	  else \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      $$unique; \
+	  fi; \
+	fi
+ctags: CTAGS
+CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	test -z "$(CTAGS_ARGS)$$unique" \
+	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+	     $$unique
+
+GTAGS:
+	here=`$(am__cd) $(top_builddir) && pwd` \
+	  && $(am__cd) $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) "$$here"
+
+distclean-tags:
+	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+distdir: $(DISTFILES)
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
+	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d "$(distdir)/$$file"; then \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
+	  else \
+	    test -f "$(distdir)/$$file" \
+	    || cp -p $$d/$$file "$(distdir)/$$file" \
+	    || exit 1; \
+	  fi; \
+	done
+check-am: all-am
+check: check-am
+all-am: Makefile $(LTLIBRARIES) $(PROGRAMS)
+installdirs:
+	for dir in "$(DESTDIR)$(plugindir)" "$(DESTDIR)$(ipsecdir)"; do \
+	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
+	done
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
+
+maintainer-clean-generic:
+	@echo "This command is intended for maintainers to use"
+	@echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-generic clean-ipsecPROGRAMS clean-libtool \
+	clean-noinstLTLIBRARIES clean-pluginLTLIBRARIES mostlyclean-am
+
+distclean: distclean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+	distclean-tags
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+html-am:
+
+info: info-am
+
+info-am:
+
+install-data-am: install-ipsecPROGRAMS install-pluginLTLIBRARIES
+
+install-dvi: install-dvi-am
+
+install-dvi-am:
+
+install-exec-am:
+
+install-html: install-html-am
+
+install-html-am:
+
+install-info: install-info-am
+
+install-info-am:
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-pdf-am:
+
+install-ps: install-ps-am
+
+install-ps-am:
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+	mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am: uninstall-ipsecPROGRAMS uninstall-pluginLTLIBRARIES
+
+.MAKE: install-am install-strip
+
+.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
+	clean-ipsecPROGRAMS clean-libtool clean-noinstLTLIBRARIES \
+	clean-pluginLTLIBRARIES ctags distclean distclean-compile \
+	distclean-generic distclean-libtool distclean-tags distdir dvi \
+	dvi-am html html-am info info-am install install-am \
+	install-data install-data-am install-dvi install-dvi-am \
+	install-exec install-exec-am install-html install-html-am \
+	install-info install-info-am install-ipsecPROGRAMS install-man \
+	install-pdf install-pdf-am install-pluginLTLIBRARIES \
+	install-ps install-ps-am install-strip installcheck \
+	installcheck-am installdirs maintainer-clean \
+	maintainer-clean-generic mostlyclean mostlyclean-compile \
+	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
+	tags uninstall uninstall-am uninstall-ipsecPROGRAMS \
+	uninstall-pluginLTLIBRARIES
+
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/src/libcharon/plugins/error_notify/error_notify.c b/src/libcharon/plugins/error_notify/error_notify.c
new file mode 100644
index 000000000..fec35a45d
--- /dev/null
+++ b/src/libcharon/plugins/error_notify/error_notify.c
@@ -0,0 +1,62 @@
+/*
+ * Copyright (C) 2012 Martin Willi
+ * Copyright (C) 2012 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "error_notify_msg.h"
+
+#include <stdio.h>
+#include <unistd.h>
+#include <sys/stat.h>
+#include <sys/socket.h>
+#include <sys/un.h>
+#include <errno.h>
+
+/**
+ * Example of a simple notification listener
+ */
+int main(int argc, char *argv[])
+{
+	struct sockaddr_un addr;
+	error_notify_msg_t msg;
+	int s;
+
+	addr.sun_family = AF_UNIX;
+	strcpy(addr.sun_path, ERROR_NOTIFY_SOCKET);
+
+	s = socket(AF_UNIX, SOCK_SEQPACKET, 0);
+	if (s < 0)
+	{
+		fprintf(stderr, "opening socket failed: %s\n", strerror(errno));
+		return 1;
+	}
+	if (connect(s, (struct sockaddr *)&addr, sizeof(addr)) < 0)
+	{
+		fprintf(stderr, "connect failed: %s\n", strerror(errno));
+		close(s);
+		return 1;
+	}
+	while (1)
+	{
+		if (read(s, &msg, sizeof(msg)) != sizeof(msg))
+		{
+			fprintf(stderr, "read failed: %s\n", strerror(errno));
+			close(s);
+			return 1;
+		}
+		printf("%d %s %s %s %s\n",
+			   msg.type, msg.name, msg.id, msg.ip, msg.str);
+	}
+	close(s);
+	return 0;
+}
diff --git a/src/libcharon/plugins/error_notify/error_notify_listener.c b/src/libcharon/plugins/error_notify/error_notify_listener.c
new file mode 100644
index 000000000..9a6383cbe
--- /dev/null
+++ b/src/libcharon/plugins/error_notify/error_notify_listener.c
@@ -0,0 +1,203 @@
+/*
+ * Copyright (C) 2012 Martin Willi
+ * Copyright (C) 2012 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "error_notify_listener.h"
+
+#include <daemon.h>
+
+typedef struct private_error_notify_listener_t private_error_notify_listener_t;
+
+/**
+ * Private data of an error_notify_listener_t object.
+ */
+struct private_error_notify_listener_t {
+
+	/**
+	 * Public error_notify_listener_t interface.
+	 */
+	error_notify_listener_t public;
+
+	/**
+	 * Socket to send notifications over
+	 */
+	error_notify_socket_t *socket;
+};
+
+METHOD(listener_t, alert, bool,
+	private_error_notify_listener_t *this, ike_sa_t *ike_sa,
+	alert_t alert, va_list args)
+{
+	error_notify_msg_t msg;
+	message_t *message;
+	host_t *host;
+	identification_t *id;
+	linked_list_t *list, *list2;
+	peer_cfg_t *peer_cfg;
+
+	if (!this->socket->has_listeners(this->socket))
+	{
+		return TRUE;
+	}
+
+	memset(&msg, 0, sizeof(msg));
+
+	switch (alert)
+	{
+		case ALERT_RADIUS_NOT_RESPONDING:
+			msg.type = ERROR_NOTIFY_RADIUS_NOT_RESPONDING;
+			snprintf(msg.str, sizeof(msg.str),
+					 "a RADIUS request message timed out");
+			break;
+		case ALERT_LOCAL_AUTH_FAILED:
+			msg.type = ERROR_NOTIFY_LOCAL_AUTH_FAILED;
+			snprintf(msg.str, sizeof(msg.str),
+					 "creating local authentication data failed");
+			break;
+		case ALERT_PEER_AUTH_FAILED:
+			msg.type = ERROR_NOTIFY_PEER_AUTH_FAILED;
+			snprintf(msg.str, sizeof(msg.str), "peer authentication failed");
+			break;
+		case ALERT_PARSE_ERROR_HEADER:
+			msg.type = ERROR_NOTIFY_PARSE_ERROR_HEADER;
+			message = va_arg(args, message_t*);
+			snprintf(msg.str, sizeof(msg.str), "parsing IKE header from "
+					 "%#H failed", message->get_source(message));
+			break;
+		case ALERT_PARSE_ERROR_BODY:
+			msg.type = ERROR_NOTIFY_PARSE_ERROR_BODY;
+			message = va_arg(args, message_t*);
+			snprintf(msg.str, sizeof(msg.str), "parsing IKE message from "
+					 "%#H failed", message->get_source(message));
+			break;
+		case ALERT_RETRANSMIT_SEND_TIMEOUT:
+			msg.type = ERROR_NOTIFY_RETRANSMIT_SEND_TIMEOUT;
+			snprintf(msg.str, sizeof(msg.str),
+					 "IKE message retransmission timed out");
+			break;
+		case ALERT_HALF_OPEN_TIMEOUT:
+			msg.type = ERROR_NOTIFY_HALF_OPEN_TIMEOUT;
+			snprintf(msg.str, sizeof(msg.str), "IKE_SA timed out before it "
+					 "could be established");
+			break;
+		case ALERT_PROPOSAL_MISMATCH_IKE:
+			msg.type = ERROR_NOTIFY_PROPOSAL_MISMATCH_IKE;
+			list = va_arg(args, linked_list_t*);
+			snprintf(msg.str, sizeof(msg.str), "the received IKE_SA poposals "
+					 "did not match: %#P", list);
+			break;
+		case ALERT_PROPOSAL_MISMATCH_CHILD:
+			msg.type = ERROR_NOTIFY_PROPOSAL_MISMATCH_CHILD;
+			list = va_arg(args, linked_list_t*);
+			snprintf(msg.str, sizeof(msg.str), "the received CHILD_SA poposals "
+					 "did not match: %#P", list);
+			break;
+		case ALERT_TS_MISMATCH:
+			msg.type = ERROR_NOTIFY_TS_MISMATCH;
+			list = va_arg(args, linked_list_t*);
+			list2 = va_arg(args, linked_list_t*);
+			snprintf(msg.str, sizeof(msg.str), "the received traffic selectors "
+					 "did not match: %#R=== %#R", list, list2);
+			break;
+		case ALERT_INSTALL_CHILD_SA_FAILED:
+			msg.type = ERROR_NOTIFY_INSTALL_CHILD_SA_FAILED;
+			snprintf(msg.str, sizeof(msg.str), "installing IPsec SA failed");
+			break;
+		case ALERT_INSTALL_CHILD_POLICY_FAILED:
+			msg.type = ERROR_NOTIFY_INSTALL_CHILD_POLICY_FAILED;
+			snprintf(msg.str, sizeof(msg.str), "installing IPsec policy failed");
+			break;
+		case ALERT_UNIQUE_REPLACE:
+			msg.type = ERROR_NOTIFY_UNIQUE_REPLACE;
+			snprintf(msg.str, sizeof(msg.str),
+					 "replaced old IKE_SA due to uniqueness policy");
+			break;
+		case ALERT_UNIQUE_KEEP:
+			msg.type = ERROR_NOTIFY_UNIQUE_KEEP;
+			snprintf(msg.str, sizeof(msg.str), "keep existing in favor of "
+					 "rejected new IKE_SA due to uniqueness policy");
+			break;
+		case ALERT_VIP_FAILURE:
+			msg.type = ERROR_NOTIFY_VIP_FAILURE;
+			list = va_arg(args, linked_list_t*);
+			if (list->get_first(list, (void**)&host) == SUCCESS)
+			{
+				snprintf(msg.str, sizeof(msg.str),
+					"allocating a virtual IP failed, requested was %H", host);
+			}
+			else
+			{
+				snprintf(msg.str, sizeof(msg.str),
+					"expected a virtual IP request, but none found");
+			}
+			break;
+		case ALERT_AUTHORIZATION_FAILED:
+			msg.type = ERROR_NOTIFY_AUTHORIZATION_FAILED;
+			snprintf(msg.str, sizeof(msg.str), "an authorization plugin "
+					 "prevented establishment of an IKE_SA");
+			break;
+		default:
+			return TRUE;
+	}
+
+	if (ike_sa)
+	{
+		id = ike_sa->get_other_eap_id(ike_sa);
+		if (id->get_type(id) != ID_ANY)
+		{
+			snprintf(msg.id, sizeof(msg.id), "%Y", id);
+		}
+		host = ike_sa->get_other_host(ike_sa);
+		if (!host->is_anyaddr(host))
+		{
+			snprintf(msg.ip, sizeof(msg.ip), "%#H", host);
+		}
+		peer_cfg = ike_sa->get_peer_cfg(ike_sa);
+		if (peer_cfg)
+		{
+			snprintf(msg.name, sizeof(msg.name), "%s",
+					 peer_cfg->get_name(peer_cfg));
+		}
+	}
+
+	this->socket->notify(this->socket, &msg);
+
+	return TRUE;
+}
+
+METHOD(error_notify_listener_t, destroy, void,
+	private_error_notify_listener_t *this)
+{
+	free(this);
+}
+
+/**
+ * See header
+ */
+error_notify_listener_t *error_notify_listener_create(error_notify_socket_t *s)
+{
+	private_error_notify_listener_t *this;
+
+	INIT(this,
+		.public = {
+			.listener = {
+				.alert = _alert,
+			},
+			.destroy = _destroy,
+		},
+		.socket = s,
+	);
+
+	return &this->public;
+}
diff --git a/src/libcharon/plugins/error_notify/error_notify_listener.h b/src/libcharon/plugins/error_notify/error_notify_listener.h
new file mode 100644
index 000000000..70be9d1ad
--- /dev/null
+++ b/src/libcharon/plugins/error_notify/error_notify_listener.h
@@ -0,0 +1,51 @@
+/*
+ * Copyright (C) 2012 Martin Willi
+ * Copyright (C) 2012 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup error_notify_listener error_notify_listener
+ * @{ @ingroup error_notify
+ */
+
+#ifndef ERROR_NOTIFY_LISTENER_H_
+#define ERROR_NOTIFY_LISTENER_H_
+
+typedef struct error_notify_listener_t error_notify_listener_t;
+
+#include <bus/listeners/listener.h>
+
+#include "error_notify_socket.h"
+
+/**
+ * Listener catching bus alerts.
+ */
+struct error_notify_listener_t {
+
+	/**
+	 * Implements listener_t interface.
+	 */
+	listener_t listener;
+
+	/**
+	 * Destroy a error_notify_listener_t.
+	 */
+	void (*destroy)(error_notify_listener_t *this);
+};
+
+/**
+ * Create a error_notify_listener instance.
+ */
+error_notify_listener_t *error_notify_listener_create(error_notify_socket_t *s);
+
+#endif /** ERROR_NOTIFY_LISTENER_H_ @}*/
diff --git a/src/libcharon/plugins/error_notify/error_notify_msg.h b/src/libcharon/plugins/error_notify/error_notify_msg.h
new file mode 100644
index 000000000..e3cdd67e9
--- /dev/null
+++ b/src/libcharon/plugins/error_notify/error_notify_msg.h
@@ -0,0 +1,66 @@
+/*
+ * Copyright (C) 2012 Martin Willi
+ * Copyright (C) 2012 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup error_notify_msg error_notify_msg
+ * @{ @ingroup error_notify
+ */
+
+#ifndef ERROR_NOTIFY_MSG_H_
+#define ERROR_NOTIFY_MSG_H_
+
+#define ERROR_NOTIFY_SOCKET IPSEC_PIDDIR "/charon.enfy"
+
+typedef struct error_notify_msg_t error_notify_msg_t;
+
+/**
+ * Message type, these are mapped to ALERT_* types.
+ */
+enum {
+	ERROR_NOTIFY_RADIUS_NOT_RESPONDING = 1,
+	ERROR_NOTIFY_LOCAL_AUTH_FAILED = 2,
+	ERROR_NOTIFY_PEER_AUTH_FAILED = 3,
+	ERROR_NOTIFY_PARSE_ERROR_HEADER = 4,
+	ERROR_NOTIFY_PARSE_ERROR_BODY = 5,
+	ERROR_NOTIFY_RETRANSMIT_SEND_TIMEOUT = 6,
+	ERROR_NOTIFY_HALF_OPEN_TIMEOUT = 7,
+	ERROR_NOTIFY_PROPOSAL_MISMATCH_IKE = 8,
+	ERROR_NOTIFY_PROPOSAL_MISMATCH_CHILD = 9,
+	ERROR_NOTIFY_TS_MISMATCH = 10,
+	ERROR_NOTIFY_INSTALL_CHILD_SA_FAILED = 11,
+	ERROR_NOTIFY_INSTALL_CHILD_POLICY_FAILED = 12,
+	ERROR_NOTIFY_UNIQUE_REPLACE = 13,
+	ERROR_NOTIFY_UNIQUE_KEEP = 14,
+	ERROR_NOTIFY_VIP_FAILURE = 15,
+	ERROR_NOTIFY_AUTHORIZATION_FAILED = 16,
+};
+
+/**
+ * Message to exchange over notify socket, strings are null-terminated.
+ */
+struct error_notify_msg_t {
+	/** message type */
+	int type;
+	/** string with an error description */
+	char str[128];
+	/** connection name, if known */
+	char name[64];
+	/** peer identity, if known */
+	char id[128];
+	/** peer address and port, if known */
+	char ip[60];
+};
+
+#endif /** ERROR_NOTIFY_MSG_H_ @}*/
diff --git a/src/libcharon/plugins/error_notify/error_notify_plugin.c b/src/libcharon/plugins/error_notify/error_notify_plugin.c
new file mode 100644
index 000000000..f4f0647fb
--- /dev/null
+++ b/src/libcharon/plugins/error_notify/error_notify_plugin.c
@@ -0,0 +1,83 @@
+/*
+ * Copyright (C) 2012 Martin Willi
+ * Copyright (C) 2012 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "error_notify_plugin.h"
+
+#include "error_notify_listener.h"
+#include "error_notify_socket.h"
+
+#include <daemon.h>
+
+typedef struct private_error_notify_plugin_t private_error_notify_plugin_t;
+
+/**
+ * private data of error_notify plugin
+ */
+struct private_error_notify_plugin_t {
+
+	/**
+	 * Implements plugin interface
+	 */
+	error_notify_plugin_t public;
+
+	/**
+	 * Listener catching error alerts
+	 */
+	error_notify_listener_t *listener;
+
+	/**
+	 * Socket sending notifications
+	 */
+	error_notify_socket_t *socket;
+};
+
+METHOD(plugin_t, get_name, char*,
+	private_error_notify_plugin_t *this)
+{
+	return "error-notify";
+}
+
+METHOD(plugin_t, destroy, void,
+	private_error_notify_plugin_t *this)
+{
+	charon->bus->remove_listener(charon->bus, &this->listener->listener);
+	this->listener->destroy(this->listener);
+	this->socket->destroy(this->socket);
+	free(this);
+}
+
+/**
+ * Plugin constructor
+ */
+plugin_t *error_notify_plugin_create()
+{
+	private_error_notify_plugin_t *this;
+
+	INIT(this,
+		.public = {
+			.plugin = {
+				.get_name = _get_name,
+				.reload = (void*)return_false,
+				.destroy = _destroy,
+			},
+		},
+		.socket = error_notify_socket_create(),
+	);
+
+	this->listener = error_notify_listener_create(this->socket);
+	charon->bus->add_listener(charon->bus, &this->listener->listener);
+
+	return &this->public.plugin;
+}
diff --git a/src/libcharon/plugins/error_notify/error_notify_plugin.h b/src/libcharon/plugins/error_notify/error_notify_plugin.h
new file mode 100644
index 000000000..ed5303a91
--- /dev/null
+++ b/src/libcharon/plugins/error_notify/error_notify_plugin.h
@@ -0,0 +1,42 @@
+/*
+ * Copyright (C) 2012 Martin Willi
+ * Copyright (C) 2012 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup error_notify error_notify
+ * @ingroup cplugins
+ *
+ * @defgroup error_notify_plugin error_notify_plugin
+ * @{ @ingroup error_notify
+ */
+
+#ifndef ERROR_NOTIFY_PLUGIN_H_
+#define ERROR_NOTIFY_PLUGIN_H_
+
+#include <plugins/plugin.h>
+
+typedef struct error_notify_plugin_t error_notify_plugin_t;
+
+/**
+ * Plugin sending error notifications over a UNIX socket.
+ */
+struct error_notify_plugin_t {
+
+	/**
+	 * Implements plugin interface.
+	 */
+	plugin_t plugin;
+};
+
+#endif /** ERROR_NOTIFY_PLUGIN_H_ @}*/
diff --git a/src/libcharon/plugins/error_notify/error_notify_socket.c b/src/libcharon/plugins/error_notify/error_notify_socket.c
new file mode 100644
index 000000000..fe3b6355d
--- /dev/null
+++ b/src/libcharon/plugins/error_notify/error_notify_socket.c
@@ -0,0 +1,213 @@
+/*
+ * Copyright (C) 2012 Martin Willi
+ * Copyright (C) 2012 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "error_notify_socket.h"
+
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <sys/socket.h>
+#include <sys/un.h>
+#include <unistd.h>
+#include <errno.h>
+
+#include <daemon.h>
+#include <threading/thread.h>
+#include <threading/mutex.h>
+#include <collections/linked_list.h>
+#include <processing/jobs/callback_job.h>
+
+#include "error_notify_msg.h"
+
+typedef struct private_error_notify_socket_t private_error_notify_socket_t;
+
+/**
+ * Private data of an error_notify_socket_t object.
+ */
+struct private_error_notify_socket_t {
+
+	/**
+	 * Public error_notify_socket_t interface.
+	 */
+	error_notify_socket_t public;
+
+	/**
+	 * Unix socket file descriptor
+	 */
+	int socket;
+
+	/**
+	 * List of connected clients, as uintptr_t FD
+	 */
+	linked_list_t *connected;
+
+	/**
+	 * Mutex to lock clients list
+	 */
+	mutex_t *mutex;
+};
+
+/**
+ * Open error notify unix socket
+ */
+static bool open_socket(private_error_notify_socket_t *this)
+{
+	struct sockaddr_un addr;
+	mode_t old;
+
+	addr.sun_family = AF_UNIX;
+	strcpy(addr.sun_path, ERROR_NOTIFY_SOCKET);
+
+	this->socket = socket(AF_UNIX, SOCK_SEQPACKET, 0);
+	if (this->socket == -1)
+	{
+		DBG1(DBG_CFG, "creating notify socket failed");
+		return FALSE;
+	}
+	unlink(addr.sun_path);
+	old = umask(~(S_IRWXU | S_IRWXG));
+	if (bind(this->socket, (struct sockaddr*)&addr, sizeof(addr)) < 0)
+	{
+		DBG1(DBG_CFG, "binding notify socket failed: %s", strerror(errno));
+		close(this->socket);
+		return FALSE;
+	}
+	umask(old);
+	if (chown(addr.sun_path, charon->caps->get_uid(charon->caps),
+			  charon->caps->get_gid(charon->caps)) != 0)
+	{
+		DBG1(DBG_CFG, "changing notify socket permissions failed: %s",
+			 strerror(errno));
+	}
+	if (listen(this->socket, 10) < 0)
+	{
+		DBG1(DBG_CFG, "listening on notify socket failed: %s", strerror(errno));
+		close(this->socket);
+		unlink(addr.sun_path);
+		return FALSE;
+	}
+	return TRUE;
+}
+
+METHOD(error_notify_socket_t, has_listeners, bool,
+	private_error_notify_socket_t *this)
+{
+	int count;
+
+	this->mutex->lock(this->mutex);
+	count = this->connected->get_count(this->connected);
+	this->mutex->unlock(this->mutex);
+
+	return count != 0;
+}
+
+METHOD(error_notify_socket_t, notify, void,
+	private_error_notify_socket_t *this, error_notify_msg_t *msg)
+{
+	enumerator_t *enumerator;
+	uintptr_t fd;
+
+	this->mutex->lock(this->mutex);
+	enumerator = this->connected->create_enumerator(this->connected);
+	while (enumerator->enumerate(enumerator, (void*)&fd))
+	{
+		while (send(fd, msg, sizeof(*msg), 0) <= 0)
+		{
+			switch (errno)
+			{
+				case EINTR:
+					continue;
+				case ECONNRESET:
+				case EPIPE:
+					/* disconnect, remove this listener */
+					this->connected->remove_at(this->connected, enumerator);
+					close(fd);
+					break;
+				default:
+					DBG1(DBG_CFG, "sending notify failed: %s", strerror(errno));
+					break;
+			}
+			break;
+		}
+	}
+	enumerator->destroy(enumerator);
+	this->mutex->unlock(this->mutex);
+}
+
+/**
+ * Accept client connections, dispatch
+ */
+static job_requeue_t accept_(private_error_notify_socket_t *this)
+{
+	struct sockaddr_un addr;
+	int fd, len;
+	bool oldstate;
+
+	len = sizeof(addr);
+	oldstate = thread_cancelability(TRUE);
+	fd = accept(this->socket, (struct sockaddr*)&addr, &len);
+	thread_cancelability(oldstate);
+
+	if (fd != -1)
+	{
+		this->mutex->lock(this->mutex);
+		this->connected->insert_last(this->connected, (void*)(uintptr_t)fd);
+		this->mutex->unlock(this->mutex);
+	}
+	else
+	{
+		DBG1(DBG_CFG, "accepting notify connection failed: %s",
+			 strerror(errno));
+	}
+	return JOB_REQUEUE_DIRECT;
+}
+
+METHOD(error_notify_socket_t, destroy, void,
+	private_error_notify_socket_t *this)
+{
+	this->connected->destroy(this->connected);
+	this->mutex->destroy(this->mutex);
+	close(this->socket);
+	free(this);
+}
+
+/**
+ * See header
+ */
+error_notify_socket_t *error_notify_socket_create()
+{
+	private_error_notify_socket_t *this;
+
+	INIT(this,
+		.public = {
+			.notify = _notify,
+			.has_listeners = _has_listeners,
+			.destroy = _destroy,
+		},
+		.connected = linked_list_create(),
+		.mutex = mutex_create(MUTEX_TYPE_DEFAULT),
+	);
+
+	if (!open_socket(this))
+	{
+		free(this);
+		return NULL;
+	}
+
+	lib->processor->queue_job(lib->processor,
+		(job_t*)callback_job_create_with_prio((callback_job_cb_t)accept_, this,
+				NULL, (callback_job_cancel_t)return_false, JOB_PRIO_CRITICAL));
+
+	return &this->public;
+}
diff --git a/src/libcharon/plugins/error_notify/error_notify_socket.h b/src/libcharon/plugins/error_notify/error_notify_socket.h
new file mode 100644
index 000000000..cb35b5584
--- /dev/null
+++ b/src/libcharon/plugins/error_notify/error_notify_socket.h
@@ -0,0 +1,59 @@
+/*
+ * Copyright (C) 2012 Martin Willi
+ * Copyright (C) 2012 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup error_notify_socket error_notify_socket
+ * @{ @ingroup error_notify
+ */
+
+#ifndef ERROR_NOTIFY_SOCKET_H_
+#define ERROR_NOTIFY_SOCKET_H_
+
+typedef struct error_notify_socket_t error_notify_socket_t;
+
+#include "error_notify_listener.h"
+#include "error_notify_msg.h"
+
+/**
+ * Error notification socket.
+ */
+struct error_notify_socket_t {
+
+	/**
+	 * Send an error notification message to all registered listeners.
+	 *
+	 * @param msg		msg to send
+	 */
+	void (*notify)(error_notify_socket_t *this, error_notify_msg_t *msg);
+
+	/**
+	 * Check if we have active listeners on the socket.
+	 *
+	 * @return			TRUE if listeners active
+	 */
+	bool (*has_listeners)(error_notify_socket_t *this);
+
+	/**
+	 * Destroy a error_notify_socket_t.
+	 */
+	void (*destroy)(error_notify_socket_t *this);
+};
+
+/**
+ * Create a error_notify_socket instance.
+ */
+error_notify_socket_t *error_notify_socket_create();
+
+#endif /** ERROR_NOTIFY_SOCKET_H_ @}*/
diff --git a/src/libcharon/plugins/farp/Makefile.in b/src/libcharon/plugins/farp/Makefile.in
index c26bd7856..2e5cf9f64 100644
--- a/src/libcharon/plugins/farp/Makefile.in
+++ b/src/libcharon/plugins/farp/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -73,6 +73,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
 am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
 am__installdirs = "$(DESTDIR)$(plugindir)"
 LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
 libstrongswan_farp_la_LIBADD =
@@ -121,6 +127,7 @@ CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -148,6 +155,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -175,6 +183,7 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
@@ -187,6 +196,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -240,7 +250,6 @@ libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -371,7 +380,7 @@ clean-pluginLTLIBRARIES:
 	  echo "rm -f \"$${dir}/so_locations\""; \
 	  rm -f "$${dir}/so_locations"; \
 	done
-libstrongswan-farp.la: $(libstrongswan_farp_la_OBJECTS) $(libstrongswan_farp_la_DEPENDENCIES) 
+libstrongswan-farp.la: $(libstrongswan_farp_la_OBJECTS) $(libstrongswan_farp_la_DEPENDENCIES) $(EXTRA_libstrongswan_farp_la_DEPENDENCIES) 
 	$(libstrongswan_farp_la_LINK) $(am_libstrongswan_farp_la_rpath) $(libstrongswan_farp_la_OBJECTS) $(libstrongswan_farp_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
@@ -510,10 +519,15 @@ install-am: all-am
 
 installcheck: installcheck-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
diff --git a/src/libcharon/plugins/farp/farp_listener.c b/src/libcharon/plugins/farp/farp_listener.c
index d1df4cc27..81d5d2405 100644
--- a/src/libcharon/plugins/farp/farp_listener.c
+++ b/src/libcharon/plugins/farp/farp_listener.c
@@ -15,7 +15,7 @@
 
 #include "farp_listener.h"
 
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
 #include <threading/rwlock.h>
 
 typedef struct private_farp_listener_t private_farp_listener_t;
diff --git a/src/libcharon/plugins/farp/farp_listener.h b/src/libcharon/plugins/farp/farp_listener.h
index 3155f60e2..c7dc56a10 100644
--- a/src/libcharon/plugins/farp/farp_listener.h
+++ b/src/libcharon/plugins/farp/farp_listener.h
@@ -21,7 +21,7 @@
 #ifndef FARP_LISTENER_H_
 #define FARP_LISTENER_H_
 
-#include <utils/host.h>
+#include <networking/host.h>
 #include <bus/listeners/listener.h>
 
 typedef struct farp_listener_t farp_listener_t;
diff --git a/src/libcharon/plugins/ha/Makefile.in b/src/libcharon/plugins/ha/Makefile.in
index 0ac139ca0..aa533165f 100644
--- a/src/libcharon/plugins/ha/Makefile.in
+++ b/src/libcharon/plugins/ha/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -73,6 +73,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
 am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
 am__installdirs = "$(DESTDIR)$(plugindir)"
 LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
 libstrongswan_ha_la_LIBADD =
@@ -123,6 +129,7 @@ CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -150,6 +157,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -177,6 +185,7 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
@@ -189,6 +198,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -242,7 +252,6 @@ libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -384,7 +393,7 @@ clean-pluginLTLIBRARIES:
 	  echo "rm -f \"$${dir}/so_locations\""; \
 	  rm -f "$${dir}/so_locations"; \
 	done
-libstrongswan-ha.la: $(libstrongswan_ha_la_OBJECTS) $(libstrongswan_ha_la_DEPENDENCIES) 
+libstrongswan-ha.la: $(libstrongswan_ha_la_OBJECTS) $(libstrongswan_ha_la_DEPENDENCIES) $(EXTRA_libstrongswan_ha_la_DEPENDENCIES) 
 	$(libstrongswan_ha_la_LINK) $(am_libstrongswan_ha_la_rpath) $(libstrongswan_ha_la_OBJECTS) $(libstrongswan_ha_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
@@ -532,10 +541,15 @@ install-am: all-am
 
 installcheck: installcheck-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
diff --git a/src/libcharon/plugins/ha/ha_attribute.c b/src/libcharon/plugins/ha/ha_attribute.c
index ae6296462..981def6a3 100644
--- a/src/libcharon/plugins/ha/ha_attribute.c
+++ b/src/libcharon/plugins/ha/ha_attribute.c
@@ -15,7 +15,7 @@
 
 #include "ha_attribute.h"
 
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
 #include <threading/mutex.h>
 
 typedef struct private_ha_attribute_t private_ha_attribute_t;
diff --git a/src/libcharon/plugins/ha/ha_cache.c b/src/libcharon/plugins/ha/ha_cache.c
index e21b461a7..ce1afe6f9 100644
--- a/src/libcharon/plugins/ha/ha_cache.c
+++ b/src/libcharon/plugins/ha/ha_cache.c
@@ -15,8 +15,8 @@
 
 #include "ha_cache.h"
 
-#include <utils/hashtable.h>
-#include <utils/linked_list.h>
+#include <collections/hashtable.h>
+#include <collections/linked_list.h>
 #include <threading/mutex.h>
 #include <processing/jobs/callback_job.h>
 
diff --git a/src/libcharon/plugins/ha/ha_cache.h b/src/libcharon/plugins/ha/ha_cache.h
index 39f1947a8..5e3936a20 100644
--- a/src/libcharon/plugins/ha/ha_cache.h
+++ b/src/libcharon/plugins/ha/ha_cache.h
@@ -27,7 +27,7 @@ typedef struct ha_cache_t ha_cache_t;
 #include "ha_kernel.h"
 #include "ha_socket.h"
 
-#include <utils/enumerator.h>
+#include <collections/enumerator.h>
 
 #include <sa/ike_sa.h>
 
diff --git a/src/libcharon/plugins/ha/ha_message.h b/src/libcharon/plugins/ha/ha_message.h
index 8cd30f711..2ccb1fc55 100644
--- a/src/libcharon/plugins/ha/ha_message.h
+++ b/src/libcharon/plugins/ha/ha_message.h
@@ -22,7 +22,7 @@
 #define HA_MESSAGE_H_
 
 #include <library.h>
-#include <utils/host.h>
+#include <networking/host.h>
 #include <utils/identification.h>
 #include <sa/ike_sa_id.h>
 #include <selectors/traffic_selector.h>
diff --git a/src/libcharon/plugins/ha/ha_segments.c b/src/libcharon/plugins/ha/ha_segments.c
index fb07809ef..688e09bdc 100644
--- a/src/libcharon/plugins/ha/ha_segments.c
+++ b/src/libcharon/plugins/ha/ha_segments.c
@@ -17,7 +17,7 @@
 
 #include <threading/mutex.h>
 #include <threading/condvar.h>
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
 #include <threading/thread.h>
 #include <processing/jobs/callback_job.h>
 
diff --git a/src/libcharon/plugins/ha/ha_socket.c b/src/libcharon/plugins/ha/ha_socket.c
index 5196a5dc7..e41e78bbf 100644
--- a/src/libcharon/plugins/ha/ha_socket.c
+++ b/src/libcharon/plugins/ha/ha_socket.c
@@ -22,7 +22,7 @@
 #include <unistd.h>
 
 #include <daemon.h>
-#include <utils/host.h>
+#include <networking/host.h>
 #include <threading/thread.h>
 #include <processing/jobs/callback_job.h>
 
diff --git a/src/libcharon/plugins/ha/ha_tunnel.c b/src/libcharon/plugins/ha/ha_tunnel.c
index 541dd9313..130c86e48 100644
--- a/src/libcharon/plugins/ha/ha_tunnel.c
+++ b/src/libcharon/plugins/ha/ha_tunnel.c
@@ -203,11 +203,11 @@ static void setup_tunnel(private_ha_tunnel_t *this,
 	lib->credmgr->add_set(lib->credmgr, &this->creds.public);
 
 	/* create config and backend */
-	ike_cfg = ike_cfg_create(FALSE, FALSE, local, FALSE,
+	ike_cfg = ike_cfg_create(IKEV2, FALSE, FALSE, local, FALSE,
 							 charon->socket->get_port(charon->socket, FALSE),
-							 remote, FALSE, IKEV2_UDP_PORT);
+							 remote, FALSE, IKEV2_UDP_PORT, FRAGMENTATION_NO);
 	ike_cfg->add_proposal(ike_cfg, proposal_create_default(PROTO_IKE));
-	peer_cfg = peer_cfg_create("ha", IKEV2, ike_cfg, CERT_NEVER_SEND,
+	peer_cfg = peer_cfg_create("ha", ike_cfg, CERT_NEVER_SEND,
 						UNIQUE_KEEP, 0, 86400, 0, 7200, 3600, FALSE, FALSE, 30,
 						0, FALSE, NULL, NULL);
 
diff --git a/src/libcharon/plugins/led/Makefile.in b/src/libcharon/plugins/led/Makefile.in
index a78ca9701..63ce51f11 100644
--- a/src/libcharon/plugins/led/Makefile.in
+++ b/src/libcharon/plugins/led/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -73,6 +73,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
 am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
 am__installdirs = "$(DESTDIR)$(plugindir)"
 LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
 libstrongswan_led_la_LIBADD =
@@ -120,6 +126,7 @@ CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -147,6 +154,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -174,6 +182,7 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
@@ -186,6 +195,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -239,7 +249,6 @@ libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -370,7 +379,7 @@ clean-pluginLTLIBRARIES:
 	  echo "rm -f \"$${dir}/so_locations\""; \
 	  rm -f "$${dir}/so_locations"; \
 	done
-libstrongswan-led.la: $(libstrongswan_led_la_OBJECTS) $(libstrongswan_led_la_DEPENDENCIES) 
+libstrongswan-led.la: $(libstrongswan_led_la_OBJECTS) $(libstrongswan_led_la_DEPENDENCIES) $(EXTRA_libstrongswan_led_la_DEPENDENCIES) 
 	$(libstrongswan_led_la_LINK) $(am_libstrongswan_led_la_rpath) $(libstrongswan_led_la_OBJECTS) $(libstrongswan_led_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
@@ -508,10 +517,15 @@ install-am: all-am
 
 installcheck: installcheck-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
diff --git a/src/libcharon/plugins/load_tester/Makefile.am b/src/libcharon/plugins/load_tester/Makefile.am
index cdd0445a9..0a5cada43 100644
--- a/src/libcharon/plugins/load_tester/Makefile.am
+++ b/src/libcharon/plugins/load_tester/Makefile.am
@@ -2,7 +2,8 @@
 INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon
 
-AM_CFLAGS = -rdynamic
+AM_CFLAGS = -rdynamic \
+	-DIPSEC_PIDDIR=\"${piddir}\"
 
 if MONOLITHIC
 noinst_LTLIBRARIES = libstrongswan-load-tester.la
@@ -16,6 +17,10 @@ libstrongswan_load_tester_la_SOURCES = \
 	load_tester_creds.c load_tester_creds.h \
 	load_tester_ipsec.c load_tester_ipsec.h \
 	load_tester_listener.c load_tester_listener.h \
+	load_tester_control.c load_tester_control.h \
 	load_tester_diffie_hellman.c load_tester_diffie_hellman.h
 
 libstrongswan_load_tester_la_LDFLAGS = -module -avoid-version
+
+ipsec_PROGRAMS = load-tester
+load_tester_SOURCES = load_tester.c
diff --git a/src/libcharon/plugins/load_tester/Makefile.in b/src/libcharon/plugins/load_tester/Makefile.in
index cb11cff28..e238f443c 100644
--- a/src/libcharon/plugins/load_tester/Makefile.in
+++ b/src/libcharon/plugins/load_tester/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -15,6 +15,7 @@
 
 @SET_MAKE@
 
+
 VPATH = @srcdir@
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
@@ -34,6 +35,7 @@ PRE_UNINSTALL = :
 POST_UNINSTALL = :
 build_triplet = @build@
 host_triplet = @host@
+ipsec_PROGRAMS = load-tester$(EXEEXT)
 subdir = src/libcharon/plugins/load_tester
 DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
@@ -73,13 +75,19 @@ am__nobase_list = $(am__nobase_strip_setup); \
 am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
-am__installdirs = "$(DESTDIR)$(plugindir)"
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
+am__installdirs = "$(DESTDIR)$(plugindir)" "$(DESTDIR)$(ipsecdir)"
 LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
 libstrongswan_load_tester_la_LIBADD =
 am_libstrongswan_load_tester_la_OBJECTS = load_tester_plugin.lo \
 	load_tester_config.lo load_tester_creds.lo \
 	load_tester_ipsec.lo load_tester_listener.lo \
-	load_tester_diffie_hellman.lo
+	load_tester_control.lo load_tester_diffie_hellman.lo
 libstrongswan_load_tester_la_OBJECTS =  \
 	$(am_libstrongswan_load_tester_la_OBJECTS)
 libstrongswan_load_tester_la_LINK = $(LIBTOOL) --tag=CC \
@@ -89,6 +97,10 @@ libstrongswan_load_tester_la_LINK = $(LIBTOOL) --tag=CC \
 @MONOLITHIC_FALSE@am_libstrongswan_load_tester_la_rpath = -rpath \
 @MONOLITHIC_FALSE@	$(plugindir)
 @MONOLITHIC_TRUE@am_libstrongswan_load_tester_la_rpath =
+PROGRAMS = $(ipsec_PROGRAMS)
+am_load_tester_OBJECTS = load_tester.$(OBJEXT)
+load_tester_OBJECTS = $(am_load_tester_OBJECTS)
+load_tester_LDADD = $(LDADD)
 DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
 depcomp = $(SHELL) $(top_srcdir)/depcomp
 am__depfiles_maybe = depfiles
@@ -102,8 +114,10 @@ CCLD = $(CC)
 LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
 	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
 	$(LDFLAGS) -o $@
-SOURCES = $(libstrongswan_load_tester_la_SOURCES)
-DIST_SOURCES = $(libstrongswan_load_tester_la_SOURCES)
+SOURCES = $(libstrongswan_load_tester_la_SOURCES) \
+	$(load_tester_SOURCES)
+DIST_SOURCES = $(libstrongswan_load_tester_la_SOURCES) \
+	$(load_tester_SOURCES)
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
@@ -126,6 +140,7 @@ CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -153,6 +168,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -180,6 +196,7 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
@@ -192,6 +209,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -245,7 +263,6 @@ libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -295,7 +312,9 @@ xml_LIBS = @xml_LIBS@
 INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon
 
-AM_CFLAGS = -rdynamic
+AM_CFLAGS = -rdynamic \
+	-DIPSEC_PIDDIR=\"${piddir}\"
+
 @MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-load-tester.la
 @MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-load-tester.la
 libstrongswan_load_tester_la_SOURCES = \
@@ -304,9 +323,11 @@ libstrongswan_load_tester_la_SOURCES = \
 	load_tester_creds.c load_tester_creds.h \
 	load_tester_ipsec.c load_tester_ipsec.h \
 	load_tester_listener.c load_tester_listener.h \
+	load_tester_control.c load_tester_control.h \
 	load_tester_diffie_hellman.c load_tester_diffie_hellman.h
 
 libstrongswan_load_tester_la_LDFLAGS = -module -avoid-version
+load_tester_SOURCES = load_tester.c
 all: all-am
 
 .SUFFIXES:
@@ -381,8 +402,54 @@ clean-pluginLTLIBRARIES:
 	  echo "rm -f \"$${dir}/so_locations\""; \
 	  rm -f "$${dir}/so_locations"; \
 	done
-libstrongswan-load-tester.la: $(libstrongswan_load_tester_la_OBJECTS) $(libstrongswan_load_tester_la_DEPENDENCIES) 
+libstrongswan-load-tester.la: $(libstrongswan_load_tester_la_OBJECTS) $(libstrongswan_load_tester_la_DEPENDENCIES) $(EXTRA_libstrongswan_load_tester_la_DEPENDENCIES) 
 	$(libstrongswan_load_tester_la_LINK) $(am_libstrongswan_load_tester_la_rpath) $(libstrongswan_load_tester_la_OBJECTS) $(libstrongswan_load_tester_la_LIBADD) $(LIBS)
+install-ipsecPROGRAMS: $(ipsec_PROGRAMS)
+	@$(NORMAL_INSTALL)
+	test -z "$(ipsecdir)" || $(MKDIR_P) "$(DESTDIR)$(ipsecdir)"
+	@list='$(ipsec_PROGRAMS)'; test -n "$(ipsecdir)" || list=; \
+	for p in $$list; do echo "$$p $$p"; done | \
+	sed 's/$(EXEEXT)$$//' | \
+	while read p p1; do if test -f $$p || test -f $$p1; \
+	  then echo "$$p"; echo "$$p"; else :; fi; \
+	done | \
+	sed -e 'p;s,.*/,,;n;h' -e 's|.*|.|' \
+	    -e 'p;x;s,.*/,,;s/$(EXEEXT)$$//;$(transform);s/$$/$(EXEEXT)/' | \
+	sed 'N;N;N;s,\n, ,g' | \
+	$(AWK) 'BEGIN { files["."] = ""; dirs["."] = 1 } \
+	  { d=$$3; if (dirs[d] != 1) { print "d", d; dirs[d] = 1 } \
+	    if ($$2 == $$4) files[d] = files[d] " " $$1; \
+	    else { print "f", $$3 "/" $$4, $$1; } } \
+	  END { for (d in files) print "f", d, files[d] }' | \
+	while read type dir files; do \
+	    if test "$$dir" = .; then dir=; else dir=/$$dir; fi; \
+	    test -z "$$files" || { \
+	    echo " $(INSTALL_PROGRAM_ENV) $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL_PROGRAM) $$files '$(DESTDIR)$(ipsecdir)$$dir'"; \
+	    $(INSTALL_PROGRAM_ENV) $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL_PROGRAM) $$files "$(DESTDIR)$(ipsecdir)$$dir" || exit $$?; \
+	    } \
+	; done
+
+uninstall-ipsecPROGRAMS:
+	@$(NORMAL_UNINSTALL)
+	@list='$(ipsec_PROGRAMS)'; test -n "$(ipsecdir)" || list=; \
+	files=`for p in $$list; do echo "$$p"; done | \
+	  sed -e 'h;s,^.*/,,;s/$(EXEEXT)$$//;$(transform)' \
+	      -e 's/$$/$(EXEEXT)/' `; \
+	test -n "$$list" || exit 0; \
+	echo " ( cd '$(DESTDIR)$(ipsecdir)' && rm -f" $$files ")"; \
+	cd "$(DESTDIR)$(ipsecdir)" && rm -f $$files
+
+clean-ipsecPROGRAMS:
+	@list='$(ipsec_PROGRAMS)'; test -n "$$list" || exit 0; \
+	echo " rm -f" $$list; \
+	rm -f $$list || exit $$?; \
+	test -n "$(EXEEXT)" || exit 0; \
+	list=`for p in $$list; do echo "$$p"; done | sed 's/$(EXEEXT)$$//'`; \
+	echo " rm -f" $$list; \
+	rm -f $$list
+load-tester$(EXEEXT): $(load_tester_OBJECTS) $(load_tester_DEPENDENCIES) $(EXTRA_load_tester_DEPENDENCIES) 
+	@rm -f load-tester$(EXEEXT)
+	$(LINK) $(load_tester_OBJECTS) $(load_tester_LDADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -390,7 +457,9 @@ mostlyclean-compile:
 distclean-compile:
 	-rm -f *.tab.c
 
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/load_tester.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/load_tester_config.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/load_tester_control.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/load_tester_creds.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/load_tester_diffie_hellman.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/load_tester_ipsec.Plo@am__quote@
@@ -508,9 +577,9 @@ distdir: $(DISTFILES)
 	done
 check-am: all-am
 check: check-am
-all-am: Makefile $(LTLIBRARIES)
+all-am: Makefile $(LTLIBRARIES) $(PROGRAMS)
 installdirs:
-	for dir in "$(DESTDIR)$(plugindir)"; do \
+	for dir in "$(DESTDIR)$(plugindir)" "$(DESTDIR)$(ipsecdir)"; do \
 	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
 	done
 install: install-am
@@ -523,10 +592,15 @@ install-am: all-am
 
 installcheck: installcheck-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
@@ -540,8 +614,8 @@ maintainer-clean-generic:
 	@echo "it deletes files that may require special tools to rebuild."
 clean: clean-am
 
-clean-am: clean-generic clean-libtool clean-noinstLTLIBRARIES \
-	clean-pluginLTLIBRARIES mostlyclean-am
+clean-am: clean-generic clean-ipsecPROGRAMS clean-libtool \
+	clean-noinstLTLIBRARIES clean-pluginLTLIBRARIES mostlyclean-am
 
 distclean: distclean-am
 	-rm -rf ./$(DEPDIR)
@@ -561,7 +635,7 @@ info: info-am
 
 info-am:
 
-install-data-am: install-pluginLTLIBRARIES
+install-data-am: install-ipsecPROGRAMS install-pluginLTLIBRARIES
 
 install-dvi: install-dvi-am
 
@@ -607,23 +681,24 @@ ps: ps-am
 
 ps-am:
 
-uninstall-am: uninstall-pluginLTLIBRARIES
+uninstall-am: uninstall-ipsecPROGRAMS uninstall-pluginLTLIBRARIES
 
 .MAKE: install-am install-strip
 
 .PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
-	clean-libtool clean-noinstLTLIBRARIES clean-pluginLTLIBRARIES \
-	ctags distclean distclean-compile distclean-generic \
-	distclean-libtool distclean-tags distdir dvi dvi-am html \
-	html-am info info-am install install-am install-data \
-	install-data-am install-dvi install-dvi-am install-exec \
-	install-exec-am install-html install-html-am install-info \
-	install-info-am install-man install-pdf install-pdf-am \
-	install-pluginLTLIBRARIES install-ps install-ps-am \
-	install-strip installcheck installcheck-am installdirs \
-	maintainer-clean maintainer-clean-generic mostlyclean \
-	mostlyclean-compile mostlyclean-generic mostlyclean-libtool \
-	pdf pdf-am ps ps-am tags uninstall uninstall-am \
+	clean-ipsecPROGRAMS clean-libtool clean-noinstLTLIBRARIES \
+	clean-pluginLTLIBRARIES ctags distclean distclean-compile \
+	distclean-generic distclean-libtool distclean-tags distdir dvi \
+	dvi-am html html-am info info-am install install-am \
+	install-data install-data-am install-dvi install-dvi-am \
+	install-exec install-exec-am install-html install-html-am \
+	install-info install-info-am install-ipsecPROGRAMS install-man \
+	install-pdf install-pdf-am install-pluginLTLIBRARIES \
+	install-ps install-ps-am install-strip installcheck \
+	installcheck-am installdirs maintainer-clean \
+	maintainer-clean-generic mostlyclean mostlyclean-compile \
+	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
+	tags uninstall uninstall-am uninstall-ipsecPROGRAMS \
 	uninstall-pluginLTLIBRARIES
 
 
diff --git a/src/libcharon/plugins/load_tester/load_tester.c b/src/libcharon/plugins/load_tester/load_tester.c
new file mode 100644
index 000000000..f7361e606
--- /dev/null
+++ b/src/libcharon/plugins/load_tester/load_tester.c
@@ -0,0 +1,104 @@
+/*
+ * Copyright (C) 2012 Martin Willi
+ * Copyright (C) 2012 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "load_tester_control.h"
+
+#include <sys/socket.h>
+#include <sys/un.h>
+#include <unistd.h>
+#include <stddef.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <errno.h>
+
+/**
+ * Connect to the daemon, return stream
+ */
+static FILE* make_connection()
+{
+	struct sockaddr_un addr;
+	FILE *stream;
+	int fd;
+
+	addr.sun_family = AF_UNIX;
+	strcpy(addr.sun_path, LOAD_TESTER_SOCKET);
+
+	fd = socket(AF_UNIX, SOCK_SEQPACKET, 0);
+	if (fd < 0)
+	{
+		fprintf(stderr, "opening socket failed: %s\n", strerror(errno));
+		return NULL;
+	}
+	if (connect(fd, (struct sockaddr *)&addr,
+			offsetof(struct sockaddr_un, sun_path) + strlen(addr.sun_path)) < 0)
+	{
+		fprintf(stderr, "connecting to %s failed: %s\n",
+				LOAD_TESTER_SOCKET, strerror(errno));
+		close(fd);
+		return NULL;
+	}
+	stream = fdopen(fd, "r+");
+	if (!stream)
+	{
+		close(fd);
+		return NULL;
+	}
+	return stream;
+}
+
+/**
+ * Initiate load-tests
+ */
+static int initiate(unsigned int count, unsigned int delay)
+{
+	FILE *stream;
+	char c;
+
+	stream = make_connection();
+	if (!stream)
+	{
+		return 1;
+	}
+
+	fprintf(stream, "%u %u\n", count, delay);
+
+	while (1)
+	{
+		fflush(stream);
+		c = fgetc(stream);
+		if (c == EOF)
+		{
+			break;
+		}
+		if (fputc(c, stdout) == EOF)
+		{
+			break;
+		}
+		fflush(stdout);
+	}
+	fclose(stream);
+	return 0;
+}
+
+int main(int argc, char *argv[])
+{
+	if (argc >= 3 && strcmp(argv[1], "initiate") == 0)
+	{
+		return initiate(atoi(argv[2]), argc > 3 ? atoi(argv[3]) : 0);
+	}
+	fprintf(stderr, "Usage:\n");
+	fprintf(stderr, "  %s initiate <count> [<delay in ms>]\n", argv[0]);
+	return 1;
+}
diff --git a/src/libcharon/plugins/load_tester/load_tester_config.c b/src/libcharon/plugins/load_tester/load_tester_config.c
index 735f17985..c6288c5d9 100644
--- a/src/libcharon/plugins/load_tester/load_tester_config.c
+++ b/src/libcharon/plugins/load_tester/load_tester_config.c
@@ -16,6 +16,10 @@
 #include "load_tester_config.h"
 
 #include <daemon.h>
+#include <hydra.h>
+#include <attributes/mem_pool.h>
+#include <collections/hashtable.h>
+#include <threading/mutex.h>
 
 typedef struct private_load_tester_config_t private_load_tester_config_t;
 
@@ -40,14 +44,14 @@ struct private_load_tester_config_t {
 	host_t *vip;
 
 	/**
-	 * Remote address
+	 * Initiator address
 	 */
-	char *remote;
+	char *initiator;
 
 	/**
-	 * Local address
+	 * Responder address
 	 */
-	char *local;
+	char *responder;
 
 	/**
 	 * IP address pool
@@ -74,11 +78,36 @@ struct private_load_tester_config_t {
 	 */
 	char *initiator_id;
 
+	/**
+	 * Initiator ID to to match against as responder
+	 */
+	char *initiator_match;
+
 	/**
 	 * Responder ID to enforce
 	 */
 	char *responder_id;
 
+	/**
+	 * Traffic Selector on initiator side, as proposed from initiator
+	 */
+	char *initiator_tsi;
+
+	/**
+	 * Traffic Selector on responder side, as proposed from initiator
+	 */
+	char *initiator_tsr;
+
+	/**
+	 * Traffic Selector on initiator side, as narrowed by responder
+	 */
+	char *responder_tsi;
+
+	/**
+	 * Traffic Selector on responder side, as narrowed by responder
+	 */
+	char *responder_tsr;
+
 	/**
 	 * IKE_SA rekeying delay
 	 */
@@ -108,8 +137,103 @@ struct private_load_tester_config_t {
 	 * Dynamic source port, if used
 	 */
 	u_int16_t port;
+
+	/**
+	 * IKE version to use for load testing
+	 */
+	ike_version_t version;
+
+	/**
+	 * List of pools to allocate external addresses dynamically, as mem_pool_t
+	 */
+	linked_list_t *pools;
+
+	/**
+	 * Address prefix to use when installing dynamic addresses
+	 */
+	int prefix;
+
+	/**
+	 * Hashtable with leases in "pools", host_t => entry_t
+	 */
+	hashtable_t *leases;
+
+	/**
+	 * Mutex for leases hashtable
+	 */
+	mutex_t *mutex;
 };
 
+/**
+ * Lease entry
+ */
+typedef struct {
+	/** host reference, equal to key */
+	host_t *host;
+	/** associated identity */
+	identification_t *id;
+} entry_t;
+
+/**
+ * Destroy an entry_t
+ */
+static void entry_destroy(entry_t *this)
+{
+	this->host->destroy(this->host);
+	this->id->destroy(this->id);
+	free(this);
+}
+
+/**
+ * Hashtable hash function
+ */
+static u_int hash(host_t *key)
+{
+	return chunk_hash(key->get_address(key));
+}
+
+/**
+ * Hashtable equals function
+ */
+static bool equals(host_t *a, host_t *b)
+{
+	return a->ip_equals(a, b);
+}
+
+/**
+ * Load external addresses to use, if any
+ */
+static void load_addrs(private_load_tester_config_t *this)
+{
+	enumerator_t *enumerator;
+	host_t *net;
+	int bits;
+	char *iface, *cidr;
+	mem_pool_t *pool;
+
+
+	this->prefix = lib->settings->get_int(lib->settings,
+						"%s.plugins.load-tester.addrs_prefix", 16, charon->name);
+	enumerator = lib->settings->create_key_value_enumerator(lib->settings,
+						"%s.plugins.load-tester.addrs", charon->name);
+	while (enumerator->enumerate(enumerator, &iface, &cidr))
+	{
+		net = host_create_from_subnet(cidr, &bits);
+		if (net)
+		{
+			DBG1(DBG_CFG, "loaded load-tester addresses %s", cidr);
+			pool = mem_pool_create(iface, net, bits);
+			net->destroy(net);
+			this->pools->insert_last(this->pools, pool);
+		}
+		else
+		{
+			DBG1(DBG_CFG, "parsing load-tester addresses %s failed", cidr);
+		}
+	}
+	enumerator->destroy(enumerator);
+}
+
 /**
  * Generate auth config from string
  */
@@ -133,8 +257,14 @@ static void generate_auth_cfg(private_load_tester_config_t *this, char *str,
 
 		if (this->initiator_id)
 		{
-			if ((local && num) || (!local && !num))
-			{
+			if (this->initiator_match && (!local && !num))
+			{	/* as responder, use the secified identity that matches
+				 * all used initiator identities, if given. */
+				snprintf(buf, sizeof(buf), this->initiator_match, rnd);
+				id = identification_create_from_string(buf);
+			}
+			else if ((local && num) || (!local && !num))
+			{	/* as initiator, create peer specific identities */
 				snprintf(buf, sizeof(buf), this->initiator_id, num, rnd);
 				id = identification_create_from_string(buf);
 			}
@@ -230,6 +360,88 @@ static void generate_auth_cfg(private_load_tester_config_t *this, char *str,
 	enumerator->destroy(enumerator);
 }
 
+/**
+ * Add a TS from a string to a child_cfg
+ */
+static void add_ts(char *string, child_cfg_t *cfg, bool local)
+{
+	traffic_selector_t *ts;
+
+	if (string)
+	{
+		ts = traffic_selector_create_from_cidr(string, 0, 0);
+		if (!ts)
+		{
+			DBG1(DBG_CFG, "parsing TS string '%s' failed", string);
+		}
+	}
+	else
+	{
+		ts = traffic_selector_create_dynamic(0, 0, 65535);
+	}
+	if (ts)
+	{
+		cfg->add_traffic_selector(cfg, local, ts);
+	}
+}
+
+/**
+ * Allocate and install a dynamic external address to use
+ */
+static host_t *allocate_addr(private_load_tester_config_t *this, uint num)
+{
+	enumerator_t *enumerator;
+	mem_pool_t *pool;
+	host_t *found = NULL, *requested;
+	identification_t *id;
+	char *iface = NULL, buf[32];
+	entry_t *entry;
+
+	requested = host_create_any(AF_INET);
+	snprintf(buf, sizeof(buf), "ext-%d", num);
+	id = identification_create_from_string(buf);
+	enumerator = this->pools->create_enumerator(this->pools);
+	while (enumerator->enumerate(enumerator, &pool))
+	{
+		found = pool->acquire_address(pool, id, requested, MEM_POOL_NEW);
+		if (found)
+		{
+			iface = (char*)pool->get_name(pool);
+			break;
+		}
+	}
+	enumerator->destroy(enumerator);
+	requested->destroy(requested);
+
+	if (!found)
+	{
+		DBG1(DBG_CFG, "no address found to install as load-tester external IP");
+		id->destroy(id);
+		return NULL;
+	}
+	if (hydra->kernel_interface->add_ip(hydra->kernel_interface,
+										found, this->prefix, iface) != SUCCESS)
+	{
+		DBG1(DBG_CFG, "installing load-tester IP %H on %s failed", found, iface);
+		found->destroy(found);
+		id->destroy(id);
+		return NULL;
+	}
+	DBG1(DBG_CFG, "installed load-tester IP %H on %s", found, iface);
+	INIT(entry,
+		.host = found->clone(found),
+		.id = id,
+	);
+	this->mutex->lock(this->mutex);
+	entry = this->leases->put(this->leases, entry->host, entry);
+	this->mutex->unlock(this->mutex);
+	if (entry)
+	{	/* shouldn't actually happen */
+		entry_destroy(entry);
+	}
+	return found;
+}
+
 /**
  * Generate a new initiator config, num = 0 for responder config
  */
@@ -238,8 +450,9 @@ static peer_cfg_t* generate_config(private_load_tester_config_t *this, uint num)
 	ike_cfg_t *ike_cfg;
 	child_cfg_t *child_cfg;
 	peer_cfg_t *peer_cfg;
-	traffic_selector_t *ts;
 	proposal_t *proposal;
+	char local[32], *remote;
+	host_t *addr;
 	lifetime_cfg_t lifetime = {
 		.time = {
 			.life = this->child_rekey * 2,
@@ -248,20 +461,48 @@ static peer_cfg_t* generate_config(private_load_tester_config_t *this, uint num)
 		}
 	};
 
+	if (num)
+	{	/* initiator */
+		if (this->pools->get_count(this->pools))
+		{	/* using dynamically installed external addresses */
+			addr = allocate_addr(this, num);
+			if (!addr)
+			{
+				DBG1(DBG_CFG, "allocating external address failed");
+				return NULL;
+			}
+			snprintf(local, sizeof(local), "%H", addr);
+			addr->destroy(addr);
+		}
+		else
+		{
+			snprintf(local, sizeof(local), "%s", this->initiator);
+		}
+		remote = this->responder;
+	}
+	else
+	{
+		snprintf(local, sizeof(local), "%s", this->responder);
+		remote = this->initiator;
+	}
+
 	if (this->port && num)
 	{
-		ike_cfg = ike_cfg_create(FALSE, FALSE,
-								 this->local, FALSE, this->port + num - 1,
-								 this->remote, FALSE, IKEV2_NATT_PORT);
+		ike_cfg = ike_cfg_create(this->version, TRUE, FALSE,
+								 local, FALSE, this->port + num - 1,
+								 remote, FALSE, IKEV2_NATT_PORT,
+								 FRAGMENTATION_NO);
 	}
 	else
 	{
-		ike_cfg = ike_cfg_create(FALSE, FALSE,
-								 this->local, FALSE, charon->socket->get_port(charon->socket, FALSE),
-								 this->remote, FALSE, IKEV2_UDP_PORT);
+		ike_cfg = ike_cfg_create(this->version, TRUE, FALSE,
+								 local, FALSE,
+								 charon->socket->get_port(charon->socket, FALSE),
+								 remote, FALSE, IKEV2_UDP_PORT,
+								 FRAGMENTATION_NO);
 	}
 	ike_cfg->add_proposal(ike_cfg, this->proposal->clone(this->proposal));
-	peer_cfg = peer_cfg_create("load-test", IKEV2, ike_cfg,
+	peer_cfg = peer_cfg_create("load-test", ike_cfg,
 							   CERT_SEND_IF_ASKED, UNIQUE_NO, 1, /* keytries */
 							   this->ike_rekey, 0, /* rekey, reauth */
 							   0, this->ike_rekey, /* jitter, overtime */
@@ -293,10 +534,24 @@ static peer_cfg_t* generate_config(private_load_tester_config_t *this, uint num)
 								 0, 0, NULL, NULL, 0);
 	proposal = proposal_create_from_string(PROTO_ESP, "aes128-sha1");
 	child_cfg->add_proposal(child_cfg, proposal);
-	ts = traffic_selector_create_dynamic(0, 0, 65535);
-	child_cfg->add_traffic_selector(child_cfg, TRUE, ts);
-	ts = traffic_selector_create_dynamic(0, 0, 65535);
-	child_cfg->add_traffic_selector(child_cfg, FALSE, ts);
+
+	if (num)
+	{	/* initiator */
+		if (this->vip)
+		{
+			add_ts(NULL, child_cfg, TRUE);
+		}
+		else
+		{
+			add_ts(this->initiator_tsi, child_cfg, TRUE);
+		}
+		add_ts(this->initiator_tsr, child_cfg, FALSE);
+	}
+	else
+	{	/* responder */
+		add_ts(this->responder_tsr, child_cfg, TRUE);
+		add_ts(this->responder_tsi, child_cfg, FALSE);
+	}
 	peer_cfg->add_child_cfg(peer_cfg, child_cfg);
 	return peer_cfg;
 }
@@ -327,9 +582,40 @@ METHOD(backend_t, get_peer_cfg_by_name, peer_cfg_t*,
 	return NULL;
 }
 
+METHOD(load_tester_config_t, delete_ip, void,
+	private_load_tester_config_t *this, host_t *ip)
+{
+	enumerator_t *enumerator;
+	mem_pool_t *pool;
+	entry_t *entry;
+
+	this->mutex->lock(this->mutex);
+	entry = this->leases->remove(this->leases, ip);
+	this->mutex->unlock(this->mutex);
+
+	if (entry)
+	{
+		enumerator = this->pools->create_enumerator(this->pools);
+		while (enumerator->enumerate(enumerator, &pool))
+		{
+			if (pool->release_address(pool, entry->host, entry->id))
+			{
+				hydra->kernel_interface->del_ip(hydra->kernel_interface,
+											entry->host, this->prefix, FALSE);
+				break;
+			}
+		}
+		enumerator->destroy(enumerator);
+		entry_destroy(entry);
+	}
+}
+
 METHOD(load_tester_config_t, destroy, void,
 	private_load_tester_config_t *this)
 {
+	this->mutex->destroy(this->mutex);
+	this->leases->destroy(this->leases);
+	this->pools->destroy_offset(this->pools, offsetof(mem_pool_t, destroy));
 	this->peer_cfg->destroy(this->peer_cfg);
 	DESTROY_IF(this->proposal);
 	DESTROY_IF(this->vip);
@@ -350,8 +636,13 @@ load_tester_config_t *load_tester_config_create()
 				.create_ike_cfg_enumerator = _create_ike_cfg_enumerator,
 				.get_peer_cfg_by_name = _get_peer_cfg_by_name,
 			},
+			.delete_ip = _delete_ip,
 			.destroy = _destroy,
 		},
+		.pools = linked_list_create(),
+		.leases = hashtable_create((hashtable_hash_t)hash,
+								   (hashtable_equals_t)equals, 256),
+		.mutex = mutex_create(MUTEX_TYPE_DEFAULT),
 		.num = 1,
 	);
 
@@ -362,10 +653,10 @@ load_tester_config_t *load_tester_config_create()
 	}
 	this->pool = lib->settings->get_str(lib->settings,
 			"%s.plugins.load-tester.pool", NULL, charon->name);
-	this->remote = lib->settings->get_str(lib->settings,
-			"%s.plugins.load-tester.remote", "127.0.0.1", charon->name);
-	this->local = lib->settings->get_str(lib->settings,
-			"%s.plugins.load-tester.local", "0.0.0.0", charon->name);
+	this->initiator = lib->settings->get_str(lib->settings,
+			"%s.plugins.load-tester.initiator", "0.0.0.0", charon->name);
+	this->responder = lib->settings->get_str(lib->settings,
+			"%s.plugins.load-tester.responder", "127.0.0.1", charon->name);
 
 	this->proposal = proposal_create_from_string(PROTO_IKE,
 				lib->settings->get_str(lib->settings,
@@ -391,14 +682,30 @@ load_tester_config_t *load_tester_config_create()
 			"%s.plugins.load-tester.responder_auth", "pubkey", charon->name);
 	this->initiator_id = lib->settings->get_str(lib->settings,
 			"%s.plugins.load-tester.initiator_id", NULL, charon->name);
+	this->initiator_match = lib->settings->get_str(lib->settings,
+			"%s.plugins.load-tester.initiator_match", NULL, charon->name);
 	this->responder_id = lib->settings->get_str(lib->settings,
 			"%s.plugins.load-tester.responder_id", NULL, charon->name);
 
+	this->initiator_tsi = lib->settings->get_str(lib->settings,
+			"%s.plugins.load-tester.initiator_tsi", NULL, charon->name);
+	this->responder_tsi =lib->settings->get_str(lib->settings,
+			"%s.plugins.load-tester.responder_tsi",
+			this->initiator_tsi, charon->name);
+	this->initiator_tsr = lib->settings->get_str(lib->settings,
+			"%s.plugins.load-tester.initiator_tsr", NULL, charon->name);
+	this->responder_tsr =lib->settings->get_str(lib->settings,
+			"%s.plugins.load-tester.responder_tsr",
+			this->initiator_tsr, charon->name);
+
 	this->port = lib->settings->get_int(lib->settings,
 			"%s.plugins.load-tester.dynamic_port", 0, charon->name);
+	this->version = lib->settings->get_int(lib->settings,
+			"%s.plugins.load-tester.version", IKE_ANY, charon->name);
+
+	load_addrs(this);
 
 	this->peer_cfg = generate_config(this, 0);
 
 	return &this->public;
 }
-
diff --git a/src/libcharon/plugins/load_tester/load_tester_config.h b/src/libcharon/plugins/load_tester/load_tester_config.h
index c22387743..cfa4b1edc 100644
--- a/src/libcharon/plugins/load_tester/load_tester_config.h
+++ b/src/libcharon/plugins/load_tester/load_tester_config.h
@@ -35,6 +35,13 @@ struct load_tester_config_t {
 	 */
 	backend_t backend;
 
+	/**
+	 * Delete external IP if it was dynamically installed.
+	 *
+	 * @param ip			external IP
+	 */
+	void (*delete_ip)(load_tester_config_t *this, host_t *ip);
+
 	/**
 	 * Destroy the backend.
 	 */
diff --git a/src/libcharon/plugins/load_tester/load_tester_control.c b/src/libcharon/plugins/load_tester/load_tester_control.c
new file mode 100644
index 000000000..0c21c23ca
--- /dev/null
+++ b/src/libcharon/plugins/load_tester/load_tester_control.c
@@ -0,0 +1,383 @@
+/*
+ * Copyright (C) 2012 Martin Willi
+ * Copyright (C) 2012 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "load_tester_control.h"
+
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <sys/socket.h>
+#include <sys/un.h>
+#include <unistd.h>
+#include <errno.h>
+
+#include <daemon.h>
+#include <collections/hashtable.h>
+#include <threading/thread.h>
+#include <threading/mutex.h>
+#include <threading/condvar.h>
+#include <processing/jobs/callback_job.h>
+
+typedef struct private_load_tester_control_t private_load_tester_control_t;
+typedef struct init_listener_t init_listener_t;
+
+/**
+ * Private data of an load_tester_control_t object.
+ */
+struct private_load_tester_control_t {
+
+	/**
+	 * Public load_tester_control_t interface.
+	 */
+	load_tester_control_t public;
+
+	/**
+	 * Load tester unix socket file descriptor
+	 */
+	int socket;
+};
+
+/**
+ * Listener to follow initiation progress
+ */
+struct init_listener_t {
+
+	/**
+	 * implements listener_t
+	 */
+	listener_t listener;
+
+	/**
+	 * Output stream to log to
+	 */
+	FILE *stream;
+
+	/**
+	 * IKE_SAs we have started to initiate
+	 */
+	hashtable_t *initiated;
+
+	/**
+	 * IKE_SAs we have completed to initate (success or failure)
+	 */
+	hashtable_t *completed;
+
+	/**
+	 * Mutex to lock IKE_SA tables
+	 */
+	mutex_t *mutex;
+
+	/**
+	 * Condvar to wait for completion
+	 */
+	condvar_t *condvar;
+};
+
+/**
+ * Open load-tester listening socket
+ */
+static bool open_socket(private_load_tester_control_t *this)
+{
+	struct sockaddr_un addr;
+	mode_t old;
+
+	addr.sun_family = AF_UNIX;
+	strcpy(addr.sun_path, LOAD_TESTER_SOCKET);
+
+	this->socket = socket(AF_UNIX, SOCK_SEQPACKET, 0);
+	if (this->socket == -1)
+	{
+		DBG1(DBG_CFG, "creating load-tester socket failed");
+		return FALSE;
+	}
+	unlink(addr.sun_path);
+	old = umask(~(S_IRWXU | S_IRWXG));
+	if (bind(this->socket, (struct sockaddr*)&addr, sizeof(addr)) < 0)
+	{
+		DBG1(DBG_CFG, "binding load-tester socket failed: %s", strerror(errno));
+		close(this->socket);
+		return FALSE;
+	}
+	umask(old);
+	if (chown(addr.sun_path, charon->caps->get_uid(charon->caps),
+			  charon->caps->get_gid(charon->caps)) != 0)
+	{
+		DBG1(DBG_CFG, "changing load-tester socket permissions failed: %s",
+			 strerror(errno));
+	}
+	if (listen(this->socket, 10) < 0)
+	{
+		DBG1(DBG_CFG, "listening on load-tester socket failed: %s", strerror(errno));
+		close(this->socket);
+		unlink(addr.sun_path);
+		return FALSE;
+	}
+	return TRUE;
+}
+
+/**
+ * Hashtable hash function
+ */
+static u_int hash(uintptr_t id)
+{
+	return id;
+}
+
+/**
+ * Hashtable hash function
+ */
+static bool equals(uintptr_t a, uintptr_t b)
+{
+	return a == b;
+}
+
+METHOD(listener_t, alert, bool,
+	init_listener_t *this, ike_sa_t *ike_sa, alert_t alert, va_list args)
+{
+	if (alert == ALERT_RETRANSMIT_SEND)
+	{
+		uintptr_t id;
+		bool match = FALSE;
+
+		id = ike_sa->get_unique_id(ike_sa);
+		this->mutex->lock(this->mutex);
+		if (this->initiated->get(this->initiated, (void*)id))
+		{
+			match = TRUE;
+		}
+		this->mutex->unlock(this->mutex);
+
+		if (match)
+		{
+			fprintf(this->stream, "*");
+			fflush(this->stream);
+		}
+	}
+	return TRUE;
+}
+
+METHOD(listener_t, ike_state_change, bool,
+	init_listener_t *this, ike_sa_t *ike_sa, ike_sa_state_t state)
+{
+	if (state == IKE_ESTABLISHED || state == IKE_DESTROYING)
+	{
+		uintptr_t id;
+		bool match = FALSE;
+
+		id = ike_sa->get_unique_id(ike_sa);
+		this->mutex->lock(this->mutex);
+		if (this->initiated->get(this->initiated, (void*)id))
+		{
+			match = !this->completed->put(this->completed, (void*)id, (void*)id);
+		}
+		this->mutex->unlock(this->mutex);
+
+		if (match)
+		{
+			this->condvar->signal(this->condvar);
+			fprintf(this->stream, state == IKE_ESTABLISHED ? "+" : "-");
+			fflush(this->stream);
+		}
+	}
+	return TRUE;
+}
+
+/**
+ * Logging callback function used during initiate
+ */
+static bool initiate_cb(init_listener_t *this, debug_t group, level_t level,
+						ike_sa_t *ike_sa, const char *message)
+{
+	uintptr_t id;
+
+	if (ike_sa)
+	{
+		id = ike_sa->get_unique_id(ike_sa);
+		this->mutex->lock(this->mutex);
+		this->initiated->put(this->initiated, (void*)id, (void*)id);
+		this->mutex->unlock(this->mutex);
+
+		return FALSE;
+	}
+
+	return TRUE;
+}
+
+/**
+ * Initiate load-test, write progress to stream
+ */
+static job_requeue_t initiate(FILE *stream)
+{
+	init_listener_t *listener;
+	enumerator_t *enumerator;
+	peer_cfg_t *peer_cfg;
+	child_cfg_t *child_cfg;
+	u_int i, count, failed = 0, delay = 0;
+	char buf[16] = "";
+
+	fflush(stream);
+	if (fgets(buf, sizeof(buf), stream) == NULL)
+	{
+		return JOB_REQUEUE_NONE;
+	}
+	if (sscanf(buf, "%u %u", &count, &delay) < 1)
+	{
+		return JOB_REQUEUE_NONE;
+	}
+
+	INIT(listener,
+		.listener = {
+			.ike_state_change = _ike_state_change,
+			.alert = _alert,
+		},
+		.stream = stream,
+		.initiated = hashtable_create((void*)hash, (void*)equals, count),
+		.completed = hashtable_create((void*)hash, (void*)equals, count),
+		.mutex = mutex_create(MUTEX_TYPE_DEFAULT),
+		.condvar = condvar_create(CONDVAR_TYPE_DEFAULT),
+	);
+
+	charon->bus->add_listener(charon->bus, &listener->listener);
+
+	for (i = 0; i < count; i++)
+	{
+		peer_cfg = charon->backends->get_peer_cfg_by_name(charon->backends,
+														  "load-test");
+		if (!peer_cfg)
+		{
+			failed++;
+			fprintf(stream, "!");
+			continue;
+		}
+		enumerator = peer_cfg->create_child_cfg_enumerator(peer_cfg);
+		if (!enumerator->enumerate(enumerator, &child_cfg))
+		{
+			enumerator->destroy(enumerator);
+			peer_cfg->destroy(peer_cfg);
+			failed++;
+			fprintf(stream, "!");
+			continue;
+		}
+		enumerator->destroy(enumerator);
+
+		switch (charon->controller->initiate(charon->controller,
+										peer_cfg, child_cfg->get_ref(child_cfg),
+										(void*)initiate_cb, listener, 0))
+		{
+			case NEED_MORE:
+				/* Callback returns FALSE once it got track of this IKE_SA.
+				 * FALL */
+			case SUCCESS:
+				fprintf(stream, ".");
+				break;
+			default:
+				fprintf(stream, "!");
+				break;
+		}
+		if (delay)
+		{
+			usleep(delay * 1000);
+		}
+		fflush(stream);
+	}
+
+	listener->mutex->lock(listener->mutex);
+	while (listener->completed->get_count(listener->completed) < count - failed)
+	{
+		listener->condvar->wait(listener->condvar, listener->mutex);
+	}
+	listener->mutex->unlock(listener->mutex);
+
+	charon->bus->remove_listener(charon->bus, &listener->listener);
+
+	listener->initiated->destroy(listener->initiated);
+	listener->completed->destroy(listener->completed);
+	listener->mutex->destroy(listener->mutex);
+	listener->condvar->destroy(listener->condvar);
+	free(listener);
+
+	fprintf(stream, "\n");
+
+	return JOB_REQUEUE_NONE;
+}
+
+/**
+ * Accept load-tester control connections, dispatch
+ */
+static job_requeue_t receive(private_load_tester_control_t *this)
+{
+	struct sockaddr_un addr;
+	int fd, len = sizeof(addr);
+	bool oldstate;
+	FILE *stream;
+
+	oldstate = thread_cancelability(TRUE);
+	fd = accept(this->socket, (struct sockaddr*)&addr, &len);
+	thread_cancelability(oldstate);
+
+	if (fd != -1)
+	{
+		stream = fdopen(fd, "r+");
+		if (stream)
+		{
+			DBG1(DBG_CFG, "client connected");
+			lib->processor->queue_job(lib->processor,
+				(job_t*)callback_job_create_with_prio(
+					(callback_job_cb_t)initiate, stream, (void*)fclose,
+					(callback_job_cancel_t)return_false, JOB_PRIO_CRITICAL));
+		}
+		else
+		{
+			close(fd);
+		}
+	}
+	return JOB_REQUEUE_FAIR;
+}
+
+METHOD(load_tester_control_t, destroy, void,
+	private_load_tester_control_t *this)
+{
+	if (this->socket != -1)
+	{
+		close(this->socket);
+	}
+	free(this);
+}
+
+/**
+ * See header
+ */
+load_tester_control_t *load_tester_control_create()
+{
+	private_load_tester_control_t *this;
+
+	INIT(this,
+		.public = {
+			.destroy = _destroy,
+		},
+	);
+
+	if (open_socket(this))
+	{
+		lib->processor->queue_job(lib->processor, (job_t*)
+			callback_job_create_with_prio((callback_job_cb_t)receive, this, NULL,
+						(callback_job_cancel_t)return_false, JOB_PRIO_CRITICAL));
+	}
+	else
+	{
+		this->socket = -1;
+	}
+
+	return &this->public;
+}
diff --git a/src/libcharon/plugins/load_tester/load_tester_control.h b/src/libcharon/plugins/load_tester/load_tester_control.h
new file mode 100644
index 000000000..5d280f0a0
--- /dev/null
+++ b/src/libcharon/plugins/load_tester/load_tester_control.h
@@ -0,0 +1,47 @@
+/*
+ * Copyright (C) 2012 Martin Willi
+ * Copyright (C) 2012 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup load_tester_control load_tester_control
+ * @{ @ingroup load_tester
+ */
+
+#ifndef LOAD_TESTER_CONTROL_H_
+#define LOAD_TESTER_CONTROL_H_
+
+/**
+ * Socket to accept connections.
+ */
+#define LOAD_TESTER_SOCKET IPSEC_PIDDIR "/charon.ldt"
+
+typedef struct load_tester_control_t load_tester_control_t;
+
+/**
+ * Unix control socket to initiate batches of load-tests.
+ */
+struct load_tester_control_t {
+
+	/**
+	 * Destroy a load_tester_control_t.
+	 */
+	void (*destroy)(load_tester_control_t *this);
+};
+
+/**
+ * Create a load_tester_control instance.
+ */
+load_tester_control_t *load_tester_control_create();
+
+#endif /** LOAD_TESTER_CONTROL_H_ @}*/
diff --git a/src/libcharon/plugins/load_tester/load_tester_creds.c b/src/libcharon/plugins/load_tester/load_tester_creds.c
index 6d3b6933d..946d62021 100644
--- a/src/libcharon/plugins/load_tester/load_tester_creds.c
+++ b/src/libcharon/plugins/load_tester/load_tester_creds.c
@@ -16,6 +16,7 @@
 #include "load_tester_creds.h"
 
 #include <time.h>
+#include <sys/stat.h>
 
 #include <daemon.h>
 #include <credentials/keys/shared_key.h>
@@ -43,6 +44,16 @@ struct private_load_tester_creds_t {
 	 */
 	certificate_t *ca;
 
+	/**
+	 * Trusted CA certificates, including issuer CA
+	 */
+	linked_list_t *cas;
+
+	/**
+	 * Digest algorithm to issue certificates
+	 */
+	hash_algorithm_t digest;
+
 	/**
 	 * serial number to issue certificates
 	 */
@@ -182,6 +193,84 @@ static char *default_psk = "default-psk";
  */
 static char *default_pwd = "default-pwd";
 
+
+/**
+ * Load the private key, hard-coded or from a file
+ */
+static private_key_t *load_issuer_key()
+{
+	char *path;
+
+	path = lib->settings->get_str(lib->settings,
+					"%s.plugins.load-tester.issuer_key", NULL, charon->name);
+	if (!path)
+	{
+		return lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_RSA,
+					BUILD_BLOB_ASN1_DER, chunk_create(private, sizeof(private)),
+					BUILD_END);
+	}
+	DBG1(DBG_CFG, "loading load-tester private key from '%s'", path);
+	return lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_RSA,
+					BUILD_FROM_FILE, path, BUILD_END);
+}
+
+/**
+ * Load the issuing certificate, hard-coded or from a file
+ */
+static certificate_t *load_issuer_cert()
+{
+	char *path;
+
+	path = lib->settings->get_str(lib->settings,
+					"%s.plugins.load-tester.issuer_cert", NULL, charon->name);
+	if (!path)
+	{
+		return lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
+					BUILD_BLOB_ASN1_DER, chunk_create(cert, sizeof(cert)),
+					BUILD_X509_FLAG, X509_CA,
+					BUILD_END);
+	}
+	DBG1(DBG_CFG, "loading load-tester issuer cert from '%s'", path);
+	return lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
+					BUILD_FROM_FILE, path, BUILD_END);
+}
+
+/**
+ * Load (intermediate) CA certificates, hard-coded or from a file
+ */
+static void load_ca_certs(private_load_tester_creds_t *this)
+{
+	enumerator_t *enumerator;
+	certificate_t *cert;
+	struct stat st;
+	char *path;
+
+	path = lib->settings->get_str(lib->settings,
+						"%s.plugins.load-tester.ca_dir", NULL, charon->name);
+	if (path)
+	{
+		enumerator = enumerator_create_directory(path);
+		if (enumerator)
+		{
+			while (enumerator->enumerate(enumerator, NULL, &path, &st))
+			{
+				if (S_ISREG(st.st_mode))
+				{
+					DBG1(DBG_CFG, "loading load-tester CA cert from '%s'", path);
+					cert = lib->creds->create(lib->creds,
+											CRED_CERTIFICATE, CERT_X509,
+											BUILD_FROM_FILE, path, BUILD_END);
+					if (cert)
+					{
+						this->cas->insert_last(this->cas, cert);
+					}
+				}
+			}
+			enumerator->destroy(enumerator);
+		}
+	}
+}
+
 METHOD(credential_set_t, create_private_enumerator, enumerator_t*,
 	private_load_tester_creds_t *this, key_type_t type, identification_t *id)
 {
@@ -207,8 +296,12 @@ METHOD(credential_set_t, create_cert_enumerator, enumerator_t*,
 	private_load_tester_creds_t *this, certificate_type_t cert, key_type_t key,
 	identification_t *id, bool trusted)
 {
-	certificate_t *peer_cert;
+	enumerator_t *enumerator;
+	certificate_t *peer_cert, *ca_cert;
 	public_key_t *peer_key, *ca_key;
+	identification_t *dn = NULL;
+	linked_list_t *sans;
+	char buf[128];
 	u_int32_t serial;
 	time_t now;
 
@@ -226,7 +319,7 @@ METHOD(credential_set_t, create_cert_enumerator, enumerator_t*,
 	}
 	if (!id)
 	{
-		return enumerator_create_single(this->ca, NULL);
+		return this->cas->create_enumerator(this->cas);
 	}
 	ca_key = this->ca->get_public_key(this->ca);
 	if (ca_key)
@@ -238,26 +331,56 @@ METHOD(credential_set_t, create_cert_enumerator, enumerator_t*,
 		}
 		ca_key->destroy(ca_key);
 	}
-	if (this->ca->has_subject(this->ca, id))
+	enumerator = this->cas->create_enumerator(this->cas);
+	while (enumerator->enumerate(enumerator, &ca_cert))
 	{
-		return enumerator_create_single(this->ca, NULL);
+		if (ca_cert->has_subject(ca_cert, id))
+		{
+			enumerator->destroy(enumerator);
+			return enumerator_create_single(ca_cert, NULL);
+		}
 	}
+	enumerator->destroy(enumerator);
+
 	if (!trusted)
 	{
 		/* peer certificate, generate on demand */
 		serial = htonl(++this->serial);
 		now = time(NULL);
+		sans = linked_list_create();
+
+		switch (id->get_type(id))
+		{
+			case ID_DER_ASN1_DN:
+				break;
+			case ID_FQDN:
+			case ID_RFC822_ADDR:
+			case ID_IPV4_ADDR:
+			case ID_IPV6_ADDR:
+				/* encode as subjectAltName, construct a sane DN */
+				sans->insert_last(sans, id);
+				snprintf(buf, sizeof(buf), "CN=%Y", id);
+				dn = identification_create_from_string(buf);
+				break;
+			default:
+				sans->destroy(sans);
+				return NULL;
+		}
 		peer_key = this->private->get_public_key(this->private);
 		peer_cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
 									BUILD_SIGNING_KEY, this->private,
 									BUILD_SIGNING_CERT, this->ca,
+									BUILD_DIGEST_ALG, this->digest,
 									BUILD_PUBLIC_KEY, peer_key,
-									BUILD_SUBJECT, id,
+									BUILD_SUBJECT, dn ?: id,
+									BUILD_SUBJECT_ALTNAMES, sans,
 									BUILD_NOT_BEFORE_TIME, now - 60 * 60 * 24,
 									BUILD_NOT_AFTER_TIME, now + 60 * 60 * 24,
 									BUILD_SERIAL, chunk_from_thing(serial),
 									BUILD_END);
 		peer_key->destroy(peer_key);
+		sans->destroy(sans);
+		DESTROY_IF(dn);
 		if (peer_cert)
 		{
 			return enumerator_create_single(peer_cert, (void*)peer_cert->destroy);
@@ -308,6 +431,7 @@ METHOD(credential_set_t, create_shared_enumerator, enumerator_t*,
 METHOD(load_tester_creds_t, destroy, void,
 	private_load_tester_creds_t *this)
 {
+	this->cas->destroy_offset(this->cas, offsetof(certificate_t, destroy));
 	DESTROY_IF(this->private);
 	DESTROY_IF(this->ca);
 	this->psk->destroy(this->psk);
@@ -318,12 +442,14 @@ METHOD(load_tester_creds_t, destroy, void,
 load_tester_creds_t *load_tester_creds_create()
 {
 	private_load_tester_creds_t *this;
-	char *pwd, *psk;
+	char *pwd, *psk, *digest;
 
 	psk = lib->settings->get_str(lib->settings,
 			"%s.plugins.load-tester.preshared_key", default_psk, charon->name);
 	pwd = lib->settings->get_str(lib->settings,
 			"%s.plugins.load-tester.eap_password", default_pwd, charon->name);
+	digest = lib->settings->get_str(lib->settings,
+			"%s.plugins.load-tester.digest", "sha1", charon->name);
 
 	INIT(this,
 		.public = {
@@ -336,18 +462,29 @@ load_tester_creds_t *load_tester_creds_create()
 			},
 			.destroy = _destroy,
 		},
-		.private = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_RSA,
-					BUILD_BLOB_ASN1_DER, chunk_create(private, sizeof(private)),
-					BUILD_END),
-		.ca = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
-					BUILD_BLOB_ASN1_DER, chunk_create(cert, sizeof(cert)),
-					BUILD_X509_FLAG, X509_CA,
-					BUILD_END),
+		.private = load_issuer_key(),
+		.ca = load_issuer_cert(),
+		.cas = linked_list_create(),
+		.digest = enum_from_name(hash_algorithm_short_names, digest),
 		.psk = shared_key_create(SHARED_IKE,
 								 chunk_clone(chunk_create(psk, strlen(psk)))),
 		.pwd = shared_key_create(SHARED_EAP,
 								 chunk_clone(chunk_create(pwd, strlen(pwd)))),
 	);
+
+	if (this->ca)
+	{
+		this->cas->insert_last(this->cas, this->ca->get_ref(this->ca));
+	}
+
+	if (this->digest == -1)
+	{
+		DBG1(DBG_CFG, "invalid load-tester digest: '%s', using sha1", digest);
+		this->digest = HASH_SHA1;
+	}
+
+	load_ca_certs(this);
+
 	return &this->public;
 }
 
diff --git a/src/libcharon/plugins/load_tester/load_tester_listener.c b/src/libcharon/plugins/load_tester/load_tester_listener.c
index 92073e62c..0192c8ff9 100644
--- a/src/libcharon/plugins/load_tester/load_tester_listener.c
+++ b/src/libcharon/plugins/load_tester/load_tester_listener.c
@@ -50,6 +50,11 @@ struct private_load_tester_listener_t {
 	 * Shutdown the daemon if we have established this SA count
 	 */
 	u_int shutdown_on;
+
+	/**
+	 * Configuration backend
+	 */
+	load_tester_config_t *config;
 };
 
 METHOD(listener_t, ike_updown, bool,
@@ -83,6 +88,16 @@ METHOD(listener_t, ike_updown, bool,
 	return TRUE;
 }
 
+METHOD(listener_t, ike_state_change, bool,
+	private_load_tester_listener_t *this, ike_sa_t *ike_sa, ike_sa_state_t state)
+{
+	if (state == IKE_DESTROYING)
+	{
+		this->config->delete_ip(this->config, ike_sa->get_my_host(ike_sa));
+	}
+	return TRUE;
+}
+
 METHOD(load_tester_listener_t, get_established, u_int,
 	private_load_tester_listener_t *this)
 {
@@ -95,7 +110,8 @@ METHOD(load_tester_listener_t, destroy, void,
 	free(this);
 }
 
-load_tester_listener_t *load_tester_listener_create(u_int shutdown_on)
+load_tester_listener_t *load_tester_listener_create(u_int shutdown_on,
+													load_tester_config_t *config)
 {
 	private_load_tester_listener_t *this;
 
@@ -103,6 +119,7 @@ load_tester_listener_t *load_tester_listener_create(u_int shutdown_on)
 		.public = {
 			.listener = {
 				.ike_updown = _ike_updown,
+				.ike_state_change = _ike_state_change,
 			},
 			.get_established = _get_established,
 			.destroy = _destroy,
@@ -111,6 +128,7 @@ load_tester_listener_t *load_tester_listener_create(u_int shutdown_on)
 					"%s.plugins.load-tester.delete_after_established", FALSE,
 					charon->name),
 		.shutdown_on = shutdown_on,
+		.config = config,
 	);
 
 	return &this->public;
diff --git a/src/libcharon/plugins/load_tester/load_tester_listener.h b/src/libcharon/plugins/load_tester/load_tester_listener.h
index 2621798c8..eba4afcf1 100644
--- a/src/libcharon/plugins/load_tester/load_tester_listener.h
+++ b/src/libcharon/plugins/load_tester/load_tester_listener.h
@@ -23,6 +23,8 @@
 
 #include <bus/bus.h>
 
+#include "load_tester_config.h"
+
 typedef struct load_tester_listener_t load_tester_listener_t;
 
 /**
@@ -52,8 +54,10 @@ struct load_tester_listener_t {
  * Create a listener to handle special events during load test
  *
  * @param shutdown_on	shut down the daemon after this many SAs are established
+ * @param config		configuration backend
  * @return				listener
  */
-load_tester_listener_t *load_tester_listener_create(u_int shutdown_on);
+load_tester_listener_t *load_tester_listener_create(u_int shutdown_on,
+													load_tester_config_t *config);
 
 #endif /** LOAD_TESTER_LISTENER_H_ @}*/
diff --git a/src/libcharon/plugins/load_tester/load_tester_plugin.c b/src/libcharon/plugins/load_tester/load_tester_plugin.c
index 4a982d4b7..6fee2bf3b 100644
--- a/src/libcharon/plugins/load_tester/load_tester_plugin.c
+++ b/src/libcharon/plugins/load_tester/load_tester_plugin.c
@@ -18,6 +18,7 @@
 #include "load_tester_creds.h"
 #include "load_tester_ipsec.h"
 #include "load_tester_listener.h"
+#include "load_tester_control.h"
 #include "load_tester_diffie_hellman.h"
 
 #include <unistd.h>
@@ -50,6 +51,11 @@ struct private_load_tester_plugin_t {
 	 */
 	load_tester_creds_t *creds;
 
+	/**
+	 * Unix control socket to initiate load-tests
+	 */
+	load_tester_control_t *control;
+
 	/**
 	 * event handler, listens on bus
 	 */
@@ -181,6 +187,7 @@ static bool register_load_tester(private_load_tester_plugin_t *this,
 
 		this->config = load_tester_config_create();
 		this->creds = load_tester_creds_create();
+		this->control = load_tester_control_create();
 
 		charon->backends->add_backend(charon->backends, &this->config->backend);
 		lib->credmgr->add_set(lib->credmgr, &this->creds->credential_set);
@@ -190,7 +197,7 @@ static bool register_load_tester(private_load_tester_plugin_t *this,
 		{
 			shutdown_on = this->iterations * this->initiators;
 		}
-		this->listener = load_tester_listener_create(shutdown_on);
+		this->listener = load_tester_listener_create(shutdown_on, this->config);
 		charon->bus->add_listener(charon->bus, &this->listener->listener);
 
 		for (i = 0; i < this->initiators; i++)
@@ -215,6 +222,7 @@ static bool register_load_tester(private_load_tester_plugin_t *this,
 		this->config->destroy(this->config);
 		this->creds->destroy(this->creds);
 		this->listener->destroy(this->listener);
+		this->control->destroy(this->control);
 	}
 	return TRUE;
 }
@@ -228,6 +236,7 @@ METHOD(plugin_t, get_features, int,
 				PLUGIN_DEPENDS(CUSTOM, "load-tester"),
 		PLUGIN_CALLBACK((plugin_feature_callback_t)register_load_tester, NULL),
 			PLUGIN_PROVIDE(CUSTOM, "load-tester"),
+				PLUGIN_DEPENDS(CUSTOM, "kernel-net"),
 				PLUGIN_SDEPEND(PRIVKEY, KEY_RSA),
 				PLUGIN_SDEPEND(CERT_DECODE, CERT_ANY),
 				PLUGIN_SDEPEND(CERT_DECODE, CERT_X509),
diff --git a/src/libcharon/plugins/lookip/Makefile.am b/src/libcharon/plugins/lookip/Makefile.am
new file mode 100644
index 000000000..450995c9c
--- /dev/null
+++ b/src/libcharon/plugins/lookip/Makefile.am
@@ -0,0 +1,21 @@
+
+INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon
+
+AM_CFLAGS = -rdynamic \
+	-DIPSEC_PIDDIR=\"${piddir}\"
+
+if MONOLITHIC
+noinst_LTLIBRARIES = libstrongswan-lookip.la
+else
+plugin_LTLIBRARIES = libstrongswan-lookip.la
+endif
+
+libstrongswan_lookip_la_SOURCES = lookip_plugin.h lookip_plugin.c \
+	lookip_listener.h lookip_listener.c lookip_msg.h \
+	lookip_socket.h lookip_socket.c
+
+libstrongswan_lookip_la_LDFLAGS = -module -avoid-version
+
+ipsec_PROGRAMS = lookip
+lookip_SOURCES = lookip.c
diff --git a/src/libcharon/plugins/lookip/Makefile.in b/src/libcharon/plugins/lookip/Makefile.in
new file mode 100644
index 000000000..26ab61ba8
--- /dev/null
+++ b/src/libcharon/plugins/lookip/Makefile.in
@@ -0,0 +1,693 @@
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+
+VPATH = @srcdir@
+pkgdatadir = $(datadir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+ipsec_PROGRAMS = lookip$(EXEEXT)
+subdir = src/libcharon/plugins/lookip
+DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+	$(top_srcdir)/m4/config/ltoptions.m4 \
+	$(top_srcdir)/m4/config/ltsugar.m4 \
+	$(top_srcdir)/m4/config/ltversion.m4 \
+	$(top_srcdir)/m4/config/lt~obsolete.m4 \
+	$(top_srcdir)/m4/macros/with.m4 \
+	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
+	$(top_srcdir)/configure.in
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+	$(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_HEADER = $(top_builddir)/config.h
+CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+    *) f=$$p;; \
+  esac;
+am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
+am__install_max = 40
+am__nobase_strip_setup = \
+  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
+am__nobase_strip = \
+  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
+am__nobase_list = $(am__nobase_strip_setup); \
+  for p in $$list; do echo "$$p $$p"; done | \
+  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
+  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
+    if (++n[$$2] == $(am__install_max)) \
+      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
+    END { for (dir in files) print dir, files[dir] }'
+am__base_list = \
+  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
+  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
+am__installdirs = "$(DESTDIR)$(plugindir)" "$(DESTDIR)$(ipsecdir)"
+LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
+libstrongswan_lookip_la_LIBADD =
+am_libstrongswan_lookip_la_OBJECTS = lookip_plugin.lo \
+	lookip_listener.lo lookip_socket.lo
+libstrongswan_lookip_la_OBJECTS =  \
+	$(am_libstrongswan_lookip_la_OBJECTS)
+libstrongswan_lookip_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(libstrongswan_lookip_la_LDFLAGS) $(LDFLAGS) -o $@
+@MONOLITHIC_FALSE@am_libstrongswan_lookip_la_rpath = -rpath \
+@MONOLITHIC_FALSE@	$(plugindir)
+@MONOLITHIC_TRUE@am_libstrongswan_lookip_la_rpath =
+PROGRAMS = $(ipsec_PROGRAMS)
+am_lookip_OBJECTS = lookip.$(OBJEXT)
+lookip_OBJECTS = $(am_lookip_OBJECTS)
+lookip_LDADD = $(LDADD)
+DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
+depcomp = $(SHELL) $(top_srcdir)/depcomp
+am__depfiles_maybe = depfiles
+am__mv = mv -f
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
+	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CCLD = $(CC)
+LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
+	$(LDFLAGS) -o $@
+SOURCES = $(libstrongswan_lookip_la_SOURCES) $(lookip_SOURCES)
+DIST_SOURCES = $(libstrongswan_lookip_la_SOURCES) $(lookip_SOURCES)
+ETAGS = etags
+CTAGS = ctags
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
+AMTAR = @AMTAR@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+BFDLIB = @BFDLIB@
+BTLIB = @BTLIB@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
+DSYMUTIL = @DSYMUTIL@
+DUMPBIN = @DUMPBIN@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+FGREP = @FGREP@
+GPERF = @GPERF@
+GREP = @GREP@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LD = @LD@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LIPO = @LIPO@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
+MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
+NM = @NM@
+NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
+PTHREADLIB = @PTHREADLIB@
+RANLIB = @RANLIB@
+RTLIB = @RTLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
+SED = @SED@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
+STRIP = @STRIP@
+VERSION = @VERSION@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+attest_plugins = @attest_plugins@
+axis2c_CFLAGS = @axis2c_CFLAGS@
+axis2c_LIBS = @axis2c_LIBS@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+c_plugins = @c_plugins@
+charon_natt_port = @charon_natt_port@
+charon_plugins = @charon_plugins@
+charon_udp_port = @charon_udp_port@
+clearsilver_LIBS = @clearsilver_LIBS@
+datadir = @datadir@
+datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
+dev_headers = @dev_headers@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+gtk_CFLAGS = @gtk_CFLAGS@
+gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+imcvdir = @imcvdir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+ipsec_script = @ipsec_script@
+ipsec_script_upper = @ipsec_script_upper@
+ipsecdir = @ipsecdir@
+ipsecgroup = @ipsecgroup@
+ipseclibdir = @ipseclibdir@
+ipsecuser = @ipsecuser@
+libdir = @libdir@
+libexecdir = @libexecdir@
+linux_headers = @linux_headers@
+localedir = @localedir@
+localstatedir = @localstatedir@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
+mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
+mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
+nm_plugins = @nm_plugins@
+oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
+pcsclite_CFLAGS = @pcsclite_CFLAGS@
+pcsclite_LIBS = @pcsclite_LIBS@
+pdfdir = @pdfdir@
+piddir = @piddir@
+pki_plugins = @pki_plugins@
+plugindir = @plugindir@
+pool_plugins = @pool_plugins@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+random_device = @random_device@
+resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
+sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
+sharedstatedir = @sharedstatedir@
+soup_CFLAGS = @soup_CFLAGS@
+soup_LIBS = @soup_LIBS@
+srcdir = @srcdir@
+starter_plugins = @starter_plugins@
+strongswan_conf = @strongswan_conf@
+sysconfdir = @sysconfdir@
+systemdsystemunitdir = @systemdsystemunitdir@
+target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+urandom_device = @urandom_device@
+xml_CFLAGS = @xml_CFLAGS@
+xml_LIBS = @xml_LIBS@
+INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon
+
+AM_CFLAGS = -rdynamic \
+	-DIPSEC_PIDDIR=\"${piddir}\"
+
+@MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-lookip.la
+@MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-lookip.la
+libstrongswan_lookip_la_SOURCES = lookip_plugin.h lookip_plugin.c \
+	lookip_listener.h lookip_listener.c lookip_msg.h \
+	lookip_socket.h lookip_socket.c
+
+libstrongswan_lookip_la_LDFLAGS = -module -avoid-version
+lookip_SOURCES = lookip.c
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .c .lo .o .obj
+$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
+	@for dep in $?; do \
+	  case '$(am__configure_deps)' in \
+	    *$$dep*) \
+	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+	        && { if test -f $@; then exit 0; else break; fi; }; \
+	      exit 1;; \
+	  esac; \
+	done; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libcharon/plugins/lookip/Makefile'; \
+	$(am__cd) $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu src/libcharon/plugins/lookip/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+	@case '$?' in \
+	  *config.status*) \
+	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+	  *) \
+	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+	esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure:  $(am__configure_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
+
+clean-noinstLTLIBRARIES:
+	-test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES)
+	@list='$(noinst_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
+	@$(NORMAL_INSTALL)
+	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	list2=; for p in $$list; do \
+	  if test -f $$p; then \
+	    list2="$$list2 $$p"; \
+	  else :; fi; \
+	done; \
+	test -z "$$list2" || { \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
+	}
+
+uninstall-pluginLTLIBRARIES:
+	@$(NORMAL_UNINSTALL)
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	for p in $$list; do \
+	  $(am__strip_dir) \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \
+	done
+
+clean-pluginLTLIBRARIES:
+	-test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES)
+	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+libstrongswan-lookip.la: $(libstrongswan_lookip_la_OBJECTS) $(libstrongswan_lookip_la_DEPENDENCIES) $(EXTRA_libstrongswan_lookip_la_DEPENDENCIES) 
+	$(libstrongswan_lookip_la_LINK) $(am_libstrongswan_lookip_la_rpath) $(libstrongswan_lookip_la_OBJECTS) $(libstrongswan_lookip_la_LIBADD) $(LIBS)
+install-ipsecPROGRAMS: $(ipsec_PROGRAMS)
+	@$(NORMAL_INSTALL)
+	test -z "$(ipsecdir)" || $(MKDIR_P) "$(DESTDIR)$(ipsecdir)"
+	@list='$(ipsec_PROGRAMS)'; test -n "$(ipsecdir)" || list=; \
+	for p in $$list; do echo "$$p $$p"; done | \
+	sed 's/$(EXEEXT)$$//' | \
+	while read p p1; do if test -f $$p || test -f $$p1; \
+	  then echo "$$p"; echo "$$p"; else :; fi; \
+	done | \
+	sed -e 'p;s,.*/,,;n;h' -e 's|.*|.|' \
+	    -e 'p;x;s,.*/,,;s/$(EXEEXT)$$//;$(transform);s/$$/$(EXEEXT)/' | \
+	sed 'N;N;N;s,\n, ,g' | \
+	$(AWK) 'BEGIN { files["."] = ""; dirs["."] = 1 } \
+	  { d=$$3; if (dirs[d] != 1) { print "d", d; dirs[d] = 1 } \
+	    if ($$2 == $$4) files[d] = files[d] " " $$1; \
+	    else { print "f", $$3 "/" $$4, $$1; } } \
+	  END { for (d in files) print "f", d, files[d] }' | \
+	while read type dir files; do \
+	    if test "$$dir" = .; then dir=; else dir=/$$dir; fi; \
+	    test -z "$$files" || { \
+	    echo " $(INSTALL_PROGRAM_ENV) $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL_PROGRAM) $$files '$(DESTDIR)$(ipsecdir)$$dir'"; \
+	    $(INSTALL_PROGRAM_ENV) $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL_PROGRAM) $$files "$(DESTDIR)$(ipsecdir)$$dir" || exit $$?; \
+	    } \
+	; done
+
+uninstall-ipsecPROGRAMS:
+	@$(NORMAL_UNINSTALL)
+	@list='$(ipsec_PROGRAMS)'; test -n "$(ipsecdir)" || list=; \
+	files=`for p in $$list; do echo "$$p"; done | \
+	  sed -e 'h;s,^.*/,,;s/$(EXEEXT)$$//;$(transform)' \
+	      -e 's/$$/$(EXEEXT)/' `; \
+	test -n "$$list" || exit 0; \
+	echo " ( cd '$(DESTDIR)$(ipsecdir)' && rm -f" $$files ")"; \
+	cd "$(DESTDIR)$(ipsecdir)" && rm -f $$files
+
+clean-ipsecPROGRAMS:
+	@list='$(ipsec_PROGRAMS)'; test -n "$$list" || exit 0; \
+	echo " rm -f" $$list; \
+	rm -f $$list || exit $$?; \
+	test -n "$(EXEEXT)" || exit 0; \
+	list=`for p in $$list; do echo "$$p"; done | sed 's/$(EXEEXT)$$//'`; \
+	echo " rm -f" $$list; \
+	rm -f $$list
+lookip$(EXEEXT): $(lookip_OBJECTS) $(lookip_DEPENDENCIES) $(EXTRA_lookip_DEPENDENCIES) 
+	@rm -f lookip$(EXEEXT)
+	$(LINK) $(lookip_OBJECTS) $(lookip_LDADD) $(LIBS)
+
+mostlyclean-compile:
+	-rm -f *.$(OBJEXT)
+
+distclean-compile:
+	-rm -f *.tab.c
+
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/lookip.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/lookip_listener.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/lookip_plugin.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/lookip_socket.Plo@am__quote@
+
+.c.o:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+
+.c.obj:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+
+.c.lo:
+@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	mkid -fID $$unique
+tags: TAGS
+
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	set x; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	shift; \
+	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
+	  test -n "$$unique" || unique=$$empty_fix; \
+	  if test $$# -gt 0; then \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      "$$@" $$unique; \
+	  else \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      $$unique; \
+	  fi; \
+	fi
+ctags: CTAGS
+CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	test -z "$(CTAGS_ARGS)$$unique" \
+	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+	     $$unique
+
+GTAGS:
+	here=`$(am__cd) $(top_builddir) && pwd` \
+	  && $(am__cd) $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) "$$here"
+
+distclean-tags:
+	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+distdir: $(DISTFILES)
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
+	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d "$(distdir)/$$file"; then \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
+	  else \
+	    test -f "$(distdir)/$$file" \
+	    || cp -p $$d/$$file "$(distdir)/$$file" \
+	    || exit 1; \
+	  fi; \
+	done
+check-am: all-am
+check: check-am
+all-am: Makefile $(LTLIBRARIES) $(PROGRAMS)
+installdirs:
+	for dir in "$(DESTDIR)$(plugindir)" "$(DESTDIR)$(ipsecdir)"; do \
+	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
+	done
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
+
+maintainer-clean-generic:
+	@echo "This command is intended for maintainers to use"
+	@echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-generic clean-ipsecPROGRAMS clean-libtool \
+	clean-noinstLTLIBRARIES clean-pluginLTLIBRARIES mostlyclean-am
+
+distclean: distclean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+	distclean-tags
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+html-am:
+
+info: info-am
+
+info-am:
+
+install-data-am: install-ipsecPROGRAMS install-pluginLTLIBRARIES
+
+install-dvi: install-dvi-am
+
+install-dvi-am:
+
+install-exec-am:
+
+install-html: install-html-am
+
+install-html-am:
+
+install-info: install-info-am
+
+install-info-am:
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-pdf-am:
+
+install-ps: install-ps-am
+
+install-ps-am:
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+	mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am: uninstall-ipsecPROGRAMS uninstall-pluginLTLIBRARIES
+
+.MAKE: install-am install-strip
+
+.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
+	clean-ipsecPROGRAMS clean-libtool clean-noinstLTLIBRARIES \
+	clean-pluginLTLIBRARIES ctags distclean distclean-compile \
+	distclean-generic distclean-libtool distclean-tags distdir dvi \
+	dvi-am html html-am info info-am install install-am \
+	install-data install-data-am install-dvi install-dvi-am \
+	install-exec install-exec-am install-html install-html-am \
+	install-info install-info-am install-ipsecPROGRAMS install-man \
+	install-pdf install-pdf-am install-pluginLTLIBRARIES \
+	install-ps install-ps-am install-strip installcheck \
+	installcheck-am installdirs maintainer-clean \
+	maintainer-clean-generic mostlyclean mostlyclean-compile \
+	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
+	tags uninstall uninstall-am uninstall-ipsecPROGRAMS \
+	uninstall-pluginLTLIBRARIES
+
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/src/libcharon/plugins/lookip/lookip.c b/src/libcharon/plugins/lookip/lookip.c
new file mode 100644
index 000000000..9887a3a92
--- /dev/null
+++ b/src/libcharon/plugins/lookip/lookip.c
@@ -0,0 +1,261 @@
+/*
+ * Copyright (C) 2012 Martin Willi
+ * Copyright (C) 2012 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "lookip_msg.h"
+
+#include <sys/socket.h>
+#include <sys/un.h>
+#include <unistd.h>
+#include <stddef.h>
+#include <stdio.h>
+#include <errno.h>
+#include <getopt.h>
+
+/**
+ * Connect to the daemon, return FD
+ */
+static int make_connection()
+{
+	struct sockaddr_un addr;
+	int fd;
+
+	addr.sun_family = AF_UNIX;
+	strcpy(addr.sun_path, LOOKIP_SOCKET);
+
+	fd = socket(AF_UNIX, SOCK_SEQPACKET, 0);
+	if (fd < 0)
+	{
+		fprintf(stderr, "opening socket failed: %s\n", strerror(errno));
+		return -1;
+	}
+	if (connect(fd, (struct sockaddr *)&addr,
+			offsetof(struct sockaddr_un, sun_path) + strlen(addr.sun_path)) < 0)
+	{
+		fprintf(stderr, "connecting to %s failed: %s\n",
+				LOOKIP_SOCKET, strerror(errno));
+		close(fd);
+		return -1;
+	}
+	return fd;
+}
+
+/**
+ * Send a request message
+ */
+static int send_request(int fd, int type, char *vip)
+{
+	lookip_request_t req = {
+		.type = type,
+	};
+
+	if (vip)
+	{
+		snprintf(req.vip, sizeof(req.vip), "%s", vip);
+	}
+	if (send(fd, &req, sizeof(req), 0) != sizeof(req))
+	{
+		fprintf(stderr, "writing to socket failed: %s\n", strerror(errno));
+		return 2;
+	}
+	return 0;
+}
+
+/**
+ * Receive entries from fd. If block is != 0, the call blocks until closed
+ */
+static int receive(int fd, int block, int loop)
+{
+	lookip_response_t resp;
+	char *label, name[32];
+	int res;
+
+	do
+	{
+		res = recv(fd, &resp, sizeof(resp), block ? 0 : MSG_DONTWAIT);
+		if (res == 0)
+		{	/* closed by server */
+			return 0;
+		}
+		if (res != sizeof(resp))
+		{
+			if (!block && (errno == EAGAIN || errno == EWOULDBLOCK))
+			{	/* call would block, but we don't */
+				return 0;
+			}
+			fprintf(stderr, "reading from socket failed: %s\n", strerror(errno));
+			return 1;
+		}
+		switch (resp.type)
+		{
+			case LOOKIP_ENTRY:
+				label = "lookup:";
+				break;
+			case LOOKIP_NOT_FOUND:
+				label = "not found:";
+				break;
+			case LOOKIP_NOTIFY_UP:
+				label = "up:";
+				break;
+			case LOOKIP_NOTIFY_DOWN:
+				label = "down:";
+				break;
+			default:
+				fprintf(stderr, "received invalid message type: %d\n", resp.type);
+				return 1;
+		}
+		resp.vip[sizeof(resp.vip) - 1] = '\0';
+		resp.ip[sizeof(resp.ip) - 1] = '\0';
+		resp.id[sizeof(resp.id) - 1] = '\0';
+		resp.name[sizeof(resp.name) - 1] = '\0';
+
+		snprintf(name, sizeof(name), "%s[%u]", resp.name, resp.unique_id);
+		printf("%-12s %16s %16s %20s %s\n",
+			   label, resp.vip, resp.ip, name, resp.id);
+	}
+	while (loop);
+
+	return 0;
+}
+
+/**
+ * Interactive IP lookup shell
+ */
+static int interactive(int fd)
+{
+	printf("Enter IP address or 'quit'\n");
+
+	while (1)
+	{
+		char line[64], *pos;
+		int res;
+
+		printf("> ");
+		fflush(stdout);
+
+		if (fgets(line, sizeof(line), stdin))
+		{
+			pos = strchr(line, '\n');
+			if (pos)
+			{
+				*pos = '\0';
+			}
+			if (strlen(line) == 0)
+			{
+				continue;
+			}
+			if (strcmp(line, "quit") == 0)
+			{
+				return send_request(fd, LOOKIP_END, NULL);
+			}
+			res = send_request(fd, LOOKIP_LOOKUP, line);
+			if (res != 0)
+			{
+				return res;
+			}
+			res = receive(fd, 1, 0);
+			if (res != 0)
+			{
+				return res;
+			}
+		}
+	}
+}
+
+/**
+ * Print usage information
+ */
+static void usage(char *cmd)
+{
+	fprintf(stderr, "Usage:\n");
+	fprintf(stderr, "  %s --help\n", cmd);
+	fprintf(stderr, "  %s --dump\n", cmd);
+	fprintf(stderr, "  %s --lookup <IP>\n", cmd);
+	fprintf(stderr, "  %s --listen-up\n", cmd);
+	fprintf(stderr, "  %s --listen-down\n", cmd);
+	fprintf(stderr, "Any combination of options is allowed.\n");
+}
+
+int main(int argc, char *argv[])
+{
+	int fd, res = 0, end = 0;
+	struct option long_opts[] = {
+		{ "help", no_argument, NULL, 'h' },
+		{ "dump", no_argument, NULL, 'd' },
+		{ "lookup", required_argument, NULL, 'l' },
+		{ "listen-up", no_argument, NULL, 'u' },
+		{ "listen-down", no_argument, NULL, 'c' },
+		{ 0,0,0,0 }
+	};
+
+	fd = make_connection();
+	if (fd == -1)
+	{
+		return 1;
+	}
+
+	if (argc == 1)
+	{
+		res = interactive(fd);
+		close(fd);
+		return res;
+	}
+
+	while (res == 0)
+	{
+		switch (getopt_long(argc, argv, "", long_opts, NULL))
+		{
+			case EOF:
+				end = 1;
+				break;
+			case 'h':
+				usage(argv[0]);
+				break;
+			case 'd':
+				res = send_request(fd, LOOKIP_DUMP, NULL);
+				break;
+			case 'l':
+				res = send_request(fd, LOOKIP_LOOKUP, optarg);
+				break;
+			case 'u':
+				res = send_request(fd, LOOKIP_REGISTER_UP, NULL);
+				break;
+			case 'c':
+				res = send_request(fd, LOOKIP_REGISTER_DOWN, NULL);
+				break;
+			default:
+				usage(argv[0]);
+				res = 1;
+				break;
+		}
+		if (end)
+		{
+			break;
+		}
+		if (res == 0)
+		{	/* read all currently available results */
+			res = receive(fd, 0, 1);
+		}
+	}
+	if (res == 0)
+	{
+		/* send close message */
+		send_request(fd, LOOKIP_END, NULL);
+		/* read until socket gets closed */
+		res = receive(fd, 1, 1);
+	}
+	close(fd);
+
+	return res;
+}
diff --git a/src/libcharon/plugins/lookip/lookip_listener.c b/src/libcharon/plugins/lookip/lookip_listener.c
new file mode 100644
index 000000000..caf336a2e
--- /dev/null
+++ b/src/libcharon/plugins/lookip/lookip_listener.c
@@ -0,0 +1,327 @@
+/*
+ * Copyright (C) 2012 Martin Willi
+ * Copyright (C) 2012 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "lookip_listener.h"
+
+#include <daemon.h>
+#include <collections/hashtable.h>
+#include <collections/linked_list.h>
+#include <threading/rwlock.h>
+
+typedef struct private_lookip_listener_t private_lookip_listener_t;
+
+/**
+ * Private data of an lookip_listener_t object.
+ */
+struct private_lookip_listener_t {
+
+	/**
+	 * Public lookip_listener_t interface.
+	 */
+	lookip_listener_t public;
+
+	/**
+	 * Lock for hashtable
+	 */
+	rwlock_t *lock;
+
+	/**
+	 * Hashtable with entries: host_t => entry_t
+	 */
+	hashtable_t *entries;
+
+	/**
+	 * List of registered listeners
+	 */
+	linked_list_t *listeners;
+};
+
+/**
+ * Listener entry
+ */
+typedef struct {
+	/** callback function */
+	lookip_callback_t cb;
+	/** user data for callback */
+	void *user;
+} listener_entry_t;
+
+/**
+ * Hashtable entry
+ */
+typedef struct {
+	/** virtual IP, serves as lookup key */
+	host_t *vip;
+	/** peers external address */
+	host_t *other;
+	/** peer (EAP-)Identity */
+	identification_t *id;
+	/** associated connection name */
+	char *name;
+	/** IKE_SA unique identifier */
+	u_int unique_id;
+} entry_t;
+
+/**
+ * Destroy a hashtable entry
+ */
+static void entry_destroy(entry_t *entry)
+{
+	entry->vip->destroy(entry->vip);
+	entry->other->destroy(entry->other);
+	entry->id->destroy(entry->id);
+	free(entry->name);
+	free(entry);
+}
+
+/**
+ * Hashtable hash function
+ */
+static u_int hash(host_t *key)
+{
+	return chunk_hash(key->get_address(key));
+}
+
+/**
+ * Hashtable equals function
+ */
+static bool equals(host_t *a, host_t *b)
+{
+	return a->ip_equals(a, b);
+}
+
+/**
+ * Compare callback that invokes up callback of all registered listeners
+ */
+static bool notify_up(listener_entry_t *listener, entry_t *entry)
+{
+	if (!listener->cb(listener->user, TRUE, entry->vip, entry->other,
+					  entry->id, entry->name, entry->unique_id))
+	{
+		free(listener);
+		return TRUE;
+	}
+	return FALSE;
+}
+
+/**
+ * Compare callback that invokes down callback of all registered listeners
+ */
+static bool notify_down(listener_entry_t *listener, entry_t *entry)
+{
+	if (!listener->cb(listener->user, FALSE, entry->vip, entry->other,
+					  entry->id, entry->name, entry->unique_id))
+	{
+		free(listener);
+		return TRUE;
+	}
+	return FALSE;
+}
+
+/**
+ * Add a new entry to the hashtable
+ */
+static void add_entry(private_lookip_listener_t *this, ike_sa_t *ike_sa)
+{
+	enumerator_t *enumerator;
+	host_t *vip, *other;
+	identification_t *id;
+	entry_t *entry;
+
+	enumerator = ike_sa->create_virtual_ip_enumerator(ike_sa, FALSE);
+	while (enumerator->enumerate(enumerator, &vip))
+	{
+		other = ike_sa->get_other_host(ike_sa);
+		id = ike_sa->get_other_eap_id(ike_sa);
+
+		INIT(entry,
+			.vip = vip->clone(vip),
+			.other = other->clone(other),
+			.id = id->clone(id),
+			.name = strdup(ike_sa->get_name(ike_sa)),
+			.unique_id = ike_sa->get_unique_id(ike_sa),
+		);
+
+		this->lock->read_lock(this->lock);
+		this->listeners->remove(this->listeners, entry, (void*)notify_up);
+		this->lock->unlock(this->lock);
+
+		this->lock->write_lock(this->lock);
+		entry = this->entries->put(this->entries, entry->vip, entry);
+		this->lock->unlock(this->lock);
+		if (entry)
+		{
+			entry_destroy(entry);
+		}
+	}
+	enumerator->destroy(enumerator);
+}
+
+/**
+ * Remove an entry from the hashtable
+ */
+static void remove_entry(private_lookip_listener_t *this, ike_sa_t *ike_sa)
+{
+	enumerator_t *enumerator;
+	host_t *vip;
+	entry_t *entry;
+
+	enumerator = ike_sa->create_virtual_ip_enumerator(ike_sa, FALSE);
+	while (enumerator->enumerate(enumerator, &vip))
+	{
+		this->lock->write_lock(this->lock);
+		entry = this->entries->remove(this->entries, vip);
+		this->lock->unlock(this->lock);
+		if (entry)
+		{
+			this->lock->read_lock(this->lock);
+			this->listeners->remove(this->listeners, entry, (void*)notify_down);
+			this->lock->unlock(this->lock);
+
+			entry_destroy(entry);
+		}
+	}
+	enumerator->destroy(enumerator);
+}
+
+METHOD(listener_t, message_hook, bool,
+	private_lookip_listener_t *this, ike_sa_t *ike_sa,
+	message_t *message, bool incoming, bool plain)
+{
+	if (plain && ike_sa->get_state(ike_sa) == IKE_ESTABLISHED &&
+		!incoming && !message->get_request(message))
+	{
+		if (ike_sa->get_version(ike_sa) == IKEV1 &&
+			message->get_exchange_type(message) == TRANSACTION)
+		{
+			add_entry(this, ike_sa);
+		}
+		if (ike_sa->get_version(ike_sa) == IKEV2 &&
+			message->get_exchange_type(message) == IKE_AUTH)
+		{
+			add_entry(this, ike_sa);
+		}
+	}
+	return TRUE;
+}
+
+METHOD(listener_t, ike_updown, bool,
+	private_lookip_listener_t *this, ike_sa_t *ike_sa, bool up)
+{
+	if (!up)
+	{
+		remove_entry(this, ike_sa);
+	}
+	return TRUE;
+}
+
+METHOD(listener_t, ike_rekey, bool,
+	private_lookip_listener_t *this, ike_sa_t *old, ike_sa_t *new)
+{
+	/* During IKE_SA rekey, the unique identifier changes. Fire update events
+	 * and update the cached entry. During the invocation of this hook, the
+	 * virtual IPs have been migrated to new, hence remove that entry. */
+	remove_entry(this, new);
+	add_entry(this, new);
+
+	return TRUE;
+}
+
+METHOD(lookip_listener_t, lookup, int,
+	private_lookip_listener_t *this, host_t *vip,
+	lookip_callback_t cb, void *user)
+{
+	entry_t *entry;
+	int matches = 0;
+
+	this->lock->read_lock(this->lock);
+	if (vip)
+	{
+		entry = this->entries->get(this->entries, vip);
+		if (entry)
+		{
+			cb(user, TRUE, entry->vip, entry->other, entry->id,
+			   entry->name, entry->unique_id);
+			matches ++;
+		}
+	}
+	else
+	{
+		enumerator_t *enumerator;
+
+		enumerator = this->entries->create_enumerator(this->entries);
+		while (enumerator->enumerate(enumerator, &vip, &entry))
+		{
+			cb(user, TRUE, entry->vip, entry->other, entry->id,
+			   entry->name, entry->unique_id);
+			matches++;
+		}
+		enumerator->destroy(enumerator);
+	}
+	this->lock->unlock(this->lock);
+
+	return matches;
+}
+
+METHOD(lookip_listener_t, add_listener, void,
+	private_lookip_listener_t *this, lookip_callback_t cb, void *user)
+{
+	listener_entry_t *listener;
+
+	INIT(listener,
+		.cb = cb,
+		.user = user,
+	);
+
+	this->lock->write_lock(this->lock);
+	this->listeners->insert_last(this->listeners, listener);
+	this->lock->unlock(this->lock);
+}
+
+METHOD(lookip_listener_t, destroy, void,
+	private_lookip_listener_t *this)
+{
+	this->listeners->destroy_function(this->listeners, free);
+	this->entries->destroy(this->entries);
+	this->lock->destroy(this->lock);
+	free(this);
+}
+
+/**
+ * See header
+ */
+lookip_listener_t *lookip_listener_create()
+{
+	private_lookip_listener_t *this;
+
+	INIT(this,
+		.public = {
+			.listener = {
+				.message = _message_hook,
+				.ike_updown = _ike_updown,
+				.ike_rekey = _ike_rekey,
+			},
+			.lookup = _lookup,
+			.add_listener = _add_listener,
+			.destroy = _destroy,
+		},
+		.lock = rwlock_create(RWLOCK_TYPE_DEFAULT),
+		.entries = hashtable_create((hashtable_hash_t)hash,
+									(hashtable_equals_t)equals, 32),
+		.listeners = linked_list_create(),
+	);
+
+	return &this->public;
+}
diff --git a/src/libcharon/plugins/lookip/lookip_listener.h b/src/libcharon/plugins/lookip/lookip_listener.h
new file mode 100644
index 000000000..56f74ed48
--- /dev/null
+++ b/src/libcharon/plugins/lookip/lookip_listener.h
@@ -0,0 +1,88 @@
+/*
+ * Copyright (C) 2012 Martin Willi
+ * Copyright (C) 2012 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup lookip_listener lookip_listener
+ * @{ @ingroup lookip
+ */
+
+#ifndef LOOKIP_LISTENER_H_
+#define LOOKIP_LISTENER_H_
+
+#include <bus/listeners/listener.h>
+
+typedef struct lookip_listener_t lookip_listener_t;
+
+/**
+ * Callback function to query virtual IP entries
+ *
+ * @param user		user supplied pointer
+ * @param up		TRUE if tunnels established, FALSE if closed
+ * @param vip		virtual IP of remote peer
+ * @param other		peer external IP
+ * @param id		peer identity
+ * @param name		associated connection name
+ * @param unique_id	unique IKE_SA identifier
+ * @return			TRUE to receive more results, FALSE to cancel
+ */
+typedef bool (*lookip_callback_t)(void *user, bool up, host_t *vip,
+								  host_t *other, identification_t *id,
+								  char *name, u_int unique_id);
+
+/**
+ * Listener collecting virtual IPs.
+ */
+struct lookip_listener_t {
+
+	/**
+	 * Implements listener_t interface.
+	 */
+	listener_t listener;
+
+	/**
+	 * Perform a lookup for a given virtual IP, invoke callback for matches.
+	 *
+	 * The "up" parameter is always TRUE when the callback is invoked using
+	 * lookup().
+	 *
+	 * @param vip		virtual IP to look up, NULL to get all entries
+	 * @param cb		callback function to invoke
+	 * @param user		user data to pass to callback function
+	 * @return			number of matches
+	 */
+	int (*lookup)(lookip_listener_t *this, host_t *vip,
+				  lookip_callback_t cb, void *user);
+
+	/**
+	 * Register a listener function that gets notified about virtual IP changes.
+	 *
+	 * @param cb		callback function to invoke
+	 * @param user		user data to pass to callback function
+	 */
+	void (*add_listener)(lookip_listener_t *this,
+						 lookip_callback_t cb, void *user);
+
+	/**
+	 * Destroy a lookip_listener_t.
+	 */
+	void (*destroy)(lookip_listener_t *this);
+};
+
+/**
+ * Create a lookip_listener instance.
+ */
+lookip_listener_t *lookip_listener_create();
+
+#endif /** LOOKIP_LISTENER_H_ @}*/
diff --git a/src/libcharon/plugins/lookip/lookip_msg.h b/src/libcharon/plugins/lookip/lookip_msg.h
new file mode 100644
index 000000000..d5789c29f
--- /dev/null
+++ b/src/libcharon/plugins/lookip/lookip_msg.h
@@ -0,0 +1,96 @@
+/*
+ * Copyright (C) 2012 Martin Willi
+ * Copyright (C) 2012 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup lookip_msg lookip_msg
+ * @{ @ingroup lookip
+ */
+
+#ifndef LOOKIP_MSG_H_
+#define LOOKIP_MSG_H_
+
+#define LOOKIP_SOCKET IPSEC_PIDDIR "/charon.lkp"
+
+typedef struct lookip_request_t lookip_request_t;
+typedef struct lookip_response_t lookip_response_t;
+
+/**
+ * Message type.
+ *
+ * The client can send a batch of request messages, containing DUMP, LOOKUP or
+ * REGISTER_* messages. The server immediately starts sending responses for
+ * these messages, using ENTRY or NOTIFY_* messages.
+ * A client MUST send an END message to complete a batch. The server will
+ * send any remaining responses, but will not accept new requests and closes
+ * the connection when complete.
+ */
+enum {
+	/** request a dump of all entries */
+	LOOKIP_DUMP = 1,
+	/** lookup a specific virtual IP */
+	LOOKIP_LOOKUP,
+	/** reply message for DUMP and LOOKUP */
+	LOOKIP_ENTRY,
+	/** reply message for LOOKUP if no such IP found */
+	LOOKIP_NOT_FOUND,
+	/** register for notifications about new virtual IPs */
+	LOOKIP_REGISTER_UP,
+	/** register for notifications about virtual IPs released */
+	LOOKIP_REGISTER_DOWN,
+	/** notify reply message for REGISTER_UP */
+	LOOKIP_NOTIFY_UP,
+	/** notify reply message for REGISTER_DOWN */
+	LOOKIP_NOTIFY_DOWN,
+	/** end of request batch */
+	LOOKIP_END,
+};
+
+/**
+ * Request message sent from client.
+ *
+ * Valid request message types are DUMP, LOOKUP, REGISTER_UP/DOWN and END.
+ *
+ * The vip field is used only in LOOKUP requests, but ignored otherwise.
+ */
+struct lookip_request_t {
+	/** request message type */
+	int type;
+	/** null terminated string representation of virtual IP */
+	char vip[40];
+};
+
+/**
+ * Response message sent to client.
+ *
+ * Valid response message types are ENTRY, NOT_FOUND and NOTIFY_UP/DOWN.
+ *
+ * All fields are set in all messages, except in NOT_FOUND: Only vip is set.
+ */
+struct lookip_response_t {
+	/** response message type */
+	int type;
+	/** null terminated string representation of virtual IP */
+	char vip[40];
+	/** null terminated string representation of outer IP */
+	char ip[40];
+	/** null terminated peer identity */
+	char id[128];
+	/** null terminated connection name */
+	char name[40];
+	/** unique connection id */
+	unsigned int unique_id;
+};
+
+#endif /** LOOKIP_MSG_H_ @}*/
diff --git a/src/libcharon/plugins/lookip/lookip_plugin.c b/src/libcharon/plugins/lookip/lookip_plugin.c
new file mode 100644
index 000000000..360864849
--- /dev/null
+++ b/src/libcharon/plugins/lookip/lookip_plugin.c
@@ -0,0 +1,83 @@
+/*
+ * Copyright (C) 2012 Martin Willi
+ * Copyright (C) 2012 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "lookip_plugin.h"
+
+#include "lookip_listener.h"
+#include "lookip_socket.h"
+
+#include <daemon.h>
+
+typedef struct private_lookip_plugin_t private_lookip_plugin_t;
+
+/**
+ * private data of lookip plugin
+ */
+struct private_lookip_plugin_t {
+
+	/**
+	 * implements plugin interface
+	 */
+	lookip_plugin_t public;
+
+	/**
+	 * Listener collecting virtual IP assignements
+	 */
+	lookip_listener_t *listener;
+
+	/**
+	 * UNIX socket to serve client queries
+	 */
+	lookip_socket_t *socket;
+};
+
+METHOD(plugin_t, get_name, char*,
+	private_lookip_plugin_t *this)
+{
+	return "lookip";
+}
+
+METHOD(plugin_t, destroy, void,
+	private_lookip_plugin_t *this)
+{
+	this->socket->destroy(this->socket);
+	charon->bus->remove_listener(charon->bus, &this->listener->listener);
+	this->listener->destroy(this->listener);
+	free(this);
+}
+
+/**
+ * Plugin constructor
+ */
+plugin_t *lookip_plugin_create()
+{
+	private_lookip_plugin_t *this;
+
+	INIT(this,
+		.public = {
+			.plugin = {
+				.get_name = _get_name,
+				.reload = (void*)return_false,
+				.destroy = _destroy,
+			},
+		},
+		.listener = lookip_listener_create(),
+	);
+
+	charon->bus->add_listener(charon->bus, &this->listener->listener);
+	this->socket = lookip_socket_create(this->listener);
+
+	return &this->public.plugin;
+}
diff --git a/src/libcharon/plugins/lookip/lookip_plugin.h b/src/libcharon/plugins/lookip/lookip_plugin.h
new file mode 100644
index 000000000..ea780ebe7
--- /dev/null
+++ b/src/libcharon/plugins/lookip/lookip_plugin.h
@@ -0,0 +1,42 @@
+/*
+ * Copyright (C) 2012 Martin Willi
+ * Copyright (C) 2012 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup lookip lookip
+ * @ingroup cplugins
+ *
+ * @defgroup lookip_plugin lookip_plugin
+ * @{ @ingroup lookip
+ */
+
+#ifndef LOOKIP_PLUGIN_H_
+#define LOOKIP_PLUGIN_H_
+
+#include <plugins/plugin.h>
+
+typedef struct lookip_plugin_t lookip_plugin_t;
+
+/**
+ * Plugin providing fast connection lookup and notification for virtual IPs.
+ */
+struct lookip_plugin_t {
+
+	/**
+	 * Implements plugin interface.
+	 */
+	plugin_t plugin;
+};
+
+#endif /** LOOKIP_PLUGIN_H_ @}*/
diff --git a/src/libcharon/plugins/lookip/lookip_socket.c b/src/libcharon/plugins/lookip/lookip_socket.c
new file mode 100644
index 000000000..f2a469e92
--- /dev/null
+++ b/src/libcharon/plugins/lookip/lookip_socket.c
@@ -0,0 +1,461 @@
+/*
+ * Copyright (C) 2012 Martin Willi
+ * Copyright (C) 2012 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "lookip_socket.h"
+
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <sys/socket.h>
+#include <sys/un.h>
+#include <unistd.h>
+#include <errno.h>
+
+#include <daemon.h>
+#include <threading/thread.h>
+#include <threading/mutex.h>
+#include <collections/linked_list.h>
+#include <processing/jobs/callback_job.h>
+
+#include "lookip_msg.h"
+
+typedef struct private_lookip_socket_t private_lookip_socket_t;
+
+/**
+ * Private data of an lookip_socket_t object.
+ */
+struct private_lookip_socket_t {
+
+	/**
+	 * Public lookip_socket_t interface.
+	 */
+	lookip_socket_t public;
+
+	/**
+	 * lookip
+	 */
+	lookip_listener_t *listener;
+
+	/**
+	 * lookip unix socket file descriptor
+	 */
+	int socket;
+
+	/**
+	 * List of registered listeners, as entry_t
+	 */
+	linked_list_t *registered;
+
+	/**
+	 * List of connected clients, as uintptr_t FD
+	 */
+	linked_list_t *connected;
+
+	/**
+	 * Mutex to lock clients list
+	 */
+	mutex_t *mutex;
+};
+
+/**
+ * Open lookip unix socket
+ */
+static bool open_socket(private_lookip_socket_t *this)
+{
+	struct sockaddr_un addr;
+	mode_t old;
+
+	addr.sun_family = AF_UNIX;
+	strcpy(addr.sun_path, LOOKIP_SOCKET);
+
+	this->socket = socket(AF_UNIX, SOCK_SEQPACKET, 0);
+	if (this->socket == -1)
+	{
+		DBG1(DBG_CFG, "creating lookip socket failed");
+		return FALSE;
+	}
+	unlink(addr.sun_path);
+	old = umask(~(S_IRWXU | S_IRWXG));
+	if (bind(this->socket, (struct sockaddr*)&addr, sizeof(addr)) < 0)
+	{
+		DBG1(DBG_CFG, "binding lookip socket failed: %s", strerror(errno));
+		close(this->socket);
+		return FALSE;
+	}
+	umask(old);
+	if (chown(addr.sun_path, charon->caps->get_uid(charon->caps),
+			  charon->caps->get_gid(charon->caps)) != 0)
+	{
+		DBG1(DBG_CFG, "changing lookip socket permissions failed: %s",
+			 strerror(errno));
+	}
+	if (listen(this->socket, 10) < 0)
+	{
+		DBG1(DBG_CFG, "listening on lookip socket failed: %s", strerror(errno));
+		close(this->socket);
+		unlink(addr.sun_path);
+		return FALSE;
+	}
+	return TRUE;
+}
+
+/**
+ * Listener callback entry
+ */
+typedef struct {
+	/* FD to write to */
+	int fd;
+	/* message type to send */
+	int type;
+	/* back pointer to socket, only for subscriptions */
+	private_lookip_socket_t *this;
+} entry_t;
+
+/**
+ * Destroy entry
+ */
+static void entry_destroy(entry_t *this)
+{
+	close(this->fd);
+	free(this);
+}
+
+/**
+ * Callback function for listener
+ */
+static bool listener_cb(entry_t *entry, bool up, host_t *vip,
+						host_t *other, identification_t *id,
+						char *name, u_int unique_id)
+{
+	lookip_response_t resp = {
+		.type = entry->type,
+		.unique_id = unique_id,
+	};
+
+	/* filter events */
+	if (up && entry->type == LOOKIP_NOTIFY_DOWN)
+	{
+		return TRUE;
+	}
+	if (!up && entry->type == LOOKIP_NOTIFY_UP)
+	{
+		return TRUE;
+	}
+
+	snprintf(resp.vip, sizeof(resp.vip), "%H", vip);
+	snprintf(resp.ip, sizeof(resp.ip), "%H", other);
+	snprintf(resp.id, sizeof(resp.id), "%Y", id);
+	snprintf(resp.name, sizeof(resp.name), "%s", name);
+
+	switch (send(entry->fd, &resp, sizeof(resp), 0))
+	{
+		case sizeof(resp):
+			return TRUE;
+		case 0:
+			/* client disconnected, adios */
+			break;
+		default:
+			DBG1(DBG_CFG, "sending lookip response failed: %s", strerror(errno));
+			break;
+	}
+	if (entry->this)
+	{	/* unregister listener */
+		entry->this->mutex->lock(entry->this->mutex);
+		entry->this->registered->remove(entry->this->registered, entry, NULL);
+		entry->this->mutex->unlock(entry->this->mutex);
+
+		entry_destroy(entry);
+	}
+	return FALSE;
+}
+
+/**
+ * Perform a entry lookup
+ */
+static void query(private_lookip_socket_t *this, int fd, lookip_request_t *req)
+{
+	entry_t entry = {
+		.fd = fd,
+		.type = LOOKIP_ENTRY,
+	};
+	host_t *vip = NULL;
+	int matches = 0;
+
+	if (req)
+	{	/* lookup */
+		req->vip[sizeof(req->vip) - 1] = 0;
+		vip = host_create_from_string(req->vip, 0);
+		if (vip)
+		{
+			matches = this->listener->lookup(this->listener, vip,
+											 (void*)listener_cb, &entry);
+			vip->destroy(vip);
+		}
+		if (matches == 0)
+		{
+			lookip_response_t resp = {
+				.type = LOOKIP_NOT_FOUND,
+			};
+
+			snprintf(resp.vip, sizeof(resp.vip), "%s", req->vip);
+			if (send(fd, &resp, sizeof(resp), 0) < 0)
+			{
+				DBG1(DBG_CFG, "sending lookip not-found failed: %s",
+					 strerror(errno));
+			}
+		}
+	}
+	else
+	{	/* dump */
+		this->listener->lookup(this->listener, NULL,
+							   (void*)listener_cb, &entry);
+	}
+}
+
+/**
+ * Subscribe to virtual IP events
+ */
+static void subscribe(private_lookip_socket_t *this, int fd, int type)
+{
+	entry_t *entry;
+
+	INIT(entry,
+		.fd = fd,
+		.type = type,
+		.this = this,
+	);
+
+	this->mutex->lock(this->mutex);
+	this->registered->insert_last(this->registered, entry);
+	this->mutex->unlock(this->mutex);
+
+	this->listener->add_listener(this->listener, (void*)listener_cb, entry);
+}
+
+/**
+ * Check if a client is subscribed for notifications
+ */
+static bool subscribed(private_lookip_socket_t *this, int fd)
+{
+	enumerator_t *enumerator;
+	bool subscribed = FALSE;
+	entry_t *entry;
+
+	this->mutex->lock(this->mutex);
+	enumerator = this->registered->create_enumerator(this->registered);
+	while (enumerator->enumerate(enumerator, &entry))
+	{
+		if (entry->fd == fd)
+		{
+			subscribed = TRUE;
+			break;
+		}
+	}
+	enumerator->destroy(enumerator);
+	this->mutex->unlock(this->mutex);
+
+	return subscribed;
+}
+
+/**
+ * Create a fd_set from all bound sockets
+ */
+static int build_fds(private_lookip_socket_t *this, fd_set *fds)
+{
+	enumerator_t *enumerator;
+	uintptr_t fd;
+	int maxfd;
+
+	FD_ZERO(fds);
+	FD_SET(this->socket, fds);
+	maxfd = this->socket;
+
+	this->mutex->lock(this->mutex);
+	enumerator = this->connected->create_enumerator(this->connected);
+	while (enumerator->enumerate(enumerator, &fd))
+	{
+		FD_SET(fd, fds);
+		maxfd = max(maxfd, fd);
+	}
+	enumerator->destroy(enumerator);
+	this->mutex->unlock(this->mutex);
+
+	return maxfd + 1;
+}
+
+/**
+ * Find the socket select()ed
+ */
+static int scan_fds(private_lookip_socket_t *this, fd_set *fds)
+{
+	enumerator_t *enumerator;
+	uintptr_t fd;
+	int selected = -1;
+
+	this->mutex->lock(this->mutex);
+	enumerator = this->connected->create_enumerator(this->connected);
+	while (enumerator->enumerate(enumerator, &fd))
+	{
+		if (FD_ISSET(fd, fds))
+		{
+			selected = fd;
+			break;
+		}
+	}
+	enumerator->destroy(enumerator);
+	this->mutex->unlock(this->mutex);
+
+	return selected;
+}
+
+/**
+ * Dispatch from a socket, return TRUE to end communication
+ */
+static bool dispatch(private_lookip_socket_t *this, int fd)
+{
+	lookip_request_t req;
+	int len;
+
+	len = recv(fd, &req, sizeof(req), 0);
+	if (len != sizeof(req))
+	{
+		if (len != 0)
+		{
+			DBG1(DBG_CFG, "receiving lookip request failed: %s",
+				 strerror(errno));
+		}
+		return TRUE;
+	}
+	switch (req.type)
+	{
+		case LOOKIP_LOOKUP:
+			query(this, fd, &req);
+			return FALSE;
+		case LOOKIP_DUMP:
+			query(this, fd, NULL);
+			return FALSE;
+		case LOOKIP_REGISTER_UP:
+			subscribe(this, fd, LOOKIP_NOTIFY_UP);
+			return FALSE;
+		case LOOKIP_REGISTER_DOWN:
+			subscribe(this, fd, LOOKIP_NOTIFY_DOWN);
+			return FALSE;
+		case LOOKIP_END:
+			return TRUE;
+		default:
+			DBG1(DBG_CFG, "received unknown lookip command");
+			return TRUE;
+	}
+}
+
+/**
+ * Accept client connections, dispatch
+ */
+static job_requeue_t receive(private_lookip_socket_t *this)
+{
+	struct sockaddr_un addr;
+	int fd, maxfd, len;
+	bool oldstate;
+	fd_set fds;
+
+	while (TRUE)
+	{
+		maxfd = build_fds(this, &fds);
+		oldstate = thread_cancelability(TRUE);
+		if (select(maxfd, &fds, NULL, NULL, NULL) <= 0)
+		{
+			thread_cancelability(oldstate);
+			DBG1(DBG_CFG, "selecting lookip sockets failed: %s",
+				 strerror(errno));
+			break;
+		}
+		thread_cancelability(oldstate);
+
+		if (FD_ISSET(this->socket, &fds))
+		{	/* new connection, accept() */
+			len = sizeof(addr);
+			fd = accept(this->socket, (struct sockaddr*)&addr, &len);
+			if (fd != -1)
+			{
+				this->mutex->lock(this->mutex);
+				this->connected->insert_last(this->connected,
+											 (void*)(uintptr_t)fd);
+				this->mutex->unlock(this->mutex);
+			}
+			else
+			{
+				DBG1(DBG_CFG, "accepting lookip connection failed: %s",
+					 strerror(errno));
+			}
+			continue;
+		}
+
+		fd = scan_fds(this, &fds);
+		if (fd == -1)
+		{
+			continue;
+		}
+		if (dispatch(this, fd))
+		{
+			this->mutex->lock(this->mutex);
+			this->connected->remove(this->connected, (void*)(uintptr_t)fd, NULL);
+			this->mutex->unlock(this->mutex);
+			if (!subscribed(this, fd))
+			{
+				close(fd);
+			}
+		}
+	}
+	return JOB_REQUEUE_FAIR;
+}
+
+METHOD(lookip_socket_t, destroy, void,
+	private_lookip_socket_t *this)
+{
+	this->registered->destroy_function(this->registered, (void*)entry_destroy);
+	this->connected->destroy(this->connected);
+	this->mutex->destroy(this->mutex);
+	close(this->socket);
+	free(this);
+}
+
+/**
+ * See header
+ */
+lookip_socket_t *lookip_socket_create(lookip_listener_t *listener)
+{
+	private_lookip_socket_t *this;
+
+	INIT(this,
+		.public = {
+			.destroy = _destroy,
+		},
+		.listener = listener,
+		.registered = linked_list_create(),
+		.connected = linked_list_create(),
+		.mutex = mutex_create(MUTEX_TYPE_DEFAULT),
+	);
+
+	if (!open_socket(this))
+	{
+		free(this);
+		return NULL;
+	}
+
+	lib->processor->queue_job(lib->processor,
+		(job_t*)callback_job_create_with_prio((callback_job_cb_t)receive, this,
+				NULL, (callback_job_cancel_t)return_false, JOB_PRIO_CRITICAL));
+
+	return &this->public;
+}
diff --git a/src/libcharon/plugins/lookip/lookip_socket.h b/src/libcharon/plugins/lookip/lookip_socket.h
new file mode 100644
index 000000000..c1c50246d
--- /dev/null
+++ b/src/libcharon/plugins/lookip/lookip_socket.h
@@ -0,0 +1,44 @@
+/*
+ * Copyright (C) 2012 Martin Willi
+ * Copyright (C) 2012 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup lookip_socket lookip_socket
+ * @{ @ingroup lookip
+ */
+
+#ifndef LOOKIP_SOCKET_H_
+#define LOOKIP_SOCKET_H_
+
+#include "lookip_listener.h"
+
+typedef struct lookip_socket_t lookip_socket_t;
+
+/**
+ * Lookip plugin UNIX query socket.
+ */
+struct lookip_socket_t {
+
+	/**
+	 * Destroy a lookip_socket_t.
+	 */
+	void (*destroy)(lookip_socket_t *this);
+};
+
+/**
+ * Create a lookip_socket instance.
+ */
+lookip_socket_t *lookip_socket_create(lookip_listener_t *listener);
+
+#endif /** LOOKIP_SOCKET_H_ @}*/
diff --git a/src/libcharon/plugins/maemo/Makefile.in b/src/libcharon/plugins/maemo/Makefile.in
index dfcd1f6ef..bd6f08e9b 100644
--- a/src/libcharon/plugins/maemo/Makefile.in
+++ b/src/libcharon/plugins/maemo/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -74,6 +74,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
 am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
 am__installdirs = "$(DESTDIR)$(plugindir)" \
 	"$(DESTDIR)$(dbusservicedir)"
 LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
@@ -125,6 +131,7 @@ CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -152,6 +159,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -179,6 +187,7 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
@@ -191,6 +200,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -244,7 +254,6 @@ libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -380,7 +389,7 @@ clean-pluginLTLIBRARIES:
 	  echo "rm -f \"$${dir}/so_locations\""; \
 	  rm -f "$${dir}/so_locations"; \
 	done
-libstrongswan-maemo.la: $(libstrongswan_maemo_la_OBJECTS) $(libstrongswan_maemo_la_DEPENDENCIES) 
+libstrongswan-maemo.la: $(libstrongswan_maemo_la_OBJECTS) $(libstrongswan_maemo_la_DEPENDENCIES) $(EXTRA_libstrongswan_maemo_la_DEPENDENCIES) 
 	$(libstrongswan_maemo_la_LINK) $(am_libstrongswan_maemo_la_rpath) $(libstrongswan_maemo_la_OBJECTS) $(libstrongswan_maemo_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
@@ -435,9 +444,7 @@ uninstall-dbusserviceDATA:
 	@$(NORMAL_UNINSTALL)
 	@list='$(dbusservice_DATA)'; test -n "$(dbusservicedir)" || list=; \
 	files=`for p in $$list; do echo $$p; done | sed -e 's|^.*/||'`; \
-	test -n "$$files" || exit 0; \
-	echo " ( cd '$(DESTDIR)$(dbusservicedir)' && rm -f" $$files ")"; \
-	cd "$(DESTDIR)$(dbusservicedir)" && rm -f $$files
+	dir='$(DESTDIR)$(dbusservicedir)'; $(am__uninstall_files_from_dir)
 
 ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
 	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
@@ -538,10 +545,15 @@ install-am: all-am
 
 installcheck: installcheck-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
diff --git a/src/libcharon/plugins/maemo/maemo_service.c b/src/libcharon/plugins/maemo/maemo_service.c
index cb2fc9ebb..806e4cd65 100644
--- a/src/libcharon/plugins/maemo/maemo_service.c
+++ b/src/libcharon/plugins/maemo/maemo_service.c
@@ -323,12 +323,12 @@ static gboolean initiate_connection(private_maemo_service_t *this,
 								NULL);
 	}
 
-	ike_cfg = ike_cfg_create(TRUE, FALSE, "0.0.0.0", FALSE,
+	ike_cfg = ike_cfg_create(IKEV2, TRUE, FALSE, "0.0.0.0", FALSE,
 							 charon->socket->get_port(charon->socket, FALSE),
-							 hostname, FALSE, IKEV2_UDP_PORT);
+							 hostname, FALSE, IKEV2_UDP_PORT, FRAGMENTATION_NO);
 	ike_cfg->add_proposal(ike_cfg, proposal_create_default(PROTO_IKE));
 
-	peer_cfg = peer_cfg_create(this->current, IKEV2, ike_cfg,
+	peer_cfg = peer_cfg_create(this->current, ike_cfg,
 							   CERT_SEND_IF_ASKED,
 							   UNIQUE_REPLACE, 1, /* keyingtries */
 							   36000, 0, /* rekey 10h, reauth none */
diff --git a/src/libcharon/plugins/medcli/Makefile.in b/src/libcharon/plugins/medcli/Makefile.in
index 359533a60..afccfee91 100644
--- a/src/libcharon/plugins/medcli/Makefile.in
+++ b/src/libcharon/plugins/medcli/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -73,6 +73,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
 am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
 am__installdirs = "$(DESTDIR)$(plugindir)"
 LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
 libstrongswan_medcli_la_LIBADD =
@@ -123,6 +129,7 @@ CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -150,6 +157,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -177,6 +185,7 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
@@ -189,6 +198,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -242,7 +252,6 @@ libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -376,7 +385,7 @@ clean-pluginLTLIBRARIES:
 	  echo "rm -f \"$${dir}/so_locations\""; \
 	  rm -f "$${dir}/so_locations"; \
 	done
-libstrongswan-medcli.la: $(libstrongswan_medcli_la_OBJECTS) $(libstrongswan_medcli_la_DEPENDENCIES) 
+libstrongswan-medcli.la: $(libstrongswan_medcli_la_OBJECTS) $(libstrongswan_medcli_la_DEPENDENCIES) $(EXTRA_libstrongswan_medcli_la_DEPENDENCIES) 
 	$(libstrongswan_medcli_la_LINK) $(am_libstrongswan_medcli_la_rpath) $(libstrongswan_medcli_la_OBJECTS) $(libstrongswan_medcli_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
@@ -516,10 +525,15 @@ install-am: all-am
 
 installcheck: installcheck-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
diff --git a/src/libcharon/plugins/medcli/medcli_config.c b/src/libcharon/plugins/medcli/medcli_config.c
index a1825effc..4be3dea02 100644
--- a/src/libcharon/plugins/medcli/medcli_config.c
+++ b/src/libcharon/plugins/medcli/medcli_config.c
@@ -61,28 +61,12 @@ static traffic_selector_t *ts_from_string(char *str)
 {
 	if (str)
 	{
-		int netbits = 32;
-		host_t *net;
-		char *pos;
+		traffic_selector_t *ts;
 
-		str = strdupa(str);
-		pos = strchr(str, '/');
-		if (pos)
+		ts = traffic_selector_create_from_cidr(str, 0, 0);
+		if (ts)
 		{
-			*pos++ = '\0';
-			netbits = atoi(pos);
-		}
-		else
-		{
-			if (strchr(str, ':'))
-			{
-				netbits = 128;
-			}
-		}
-		net = host_create_from_string(str, 0);
-		if (net)
-		{
-			return traffic_selector_create_from_subnet(net, netbits, 0, 0);
+			return ts;
 		}
 	}
 	return traffic_selector_create_dynamic(0, 0, 65535);
@@ -118,12 +102,13 @@ METHOD(backend_t, get_peer_cfg_by_name, peer_cfg_t*,
 		DESTROY_IF(e);
 		return NULL;
 	}
-	ike_cfg = ike_cfg_create(FALSE, FALSE,
-							 "0.0.0.0", FALSE, charon->socket->get_port(charon->socket, FALSE),
-							 address, FALSE, IKEV2_UDP_PORT);
+	ike_cfg = ike_cfg_create(IKEV2, FALSE, FALSE,
+							 "0.0.0.0", FALSE,
+							 charon->socket->get_port(charon->socket, FALSE),
+							 address, FALSE, IKEV2_UDP_PORT, FRAGMENTATION_NO);
 	ike_cfg->add_proposal(ike_cfg, proposal_create_default(PROTO_IKE));
 	med_cfg = peer_cfg_create(
-		"mediation", IKEV2, ike_cfg,
+		"mediation", ike_cfg,
 		CERT_NEVER_SEND, UNIQUE_REPLACE,
 		1, this->rekey*60, 0,			/* keytries, rekey, reauth */
 		this->rekey*5, this->rekey*3,	/* jitter, overtime */
@@ -160,7 +145,7 @@ METHOD(backend_t, get_peer_cfg_by_name, peer_cfg_t*,
 		return NULL;
 	}
 	peer_cfg = peer_cfg_create(
-		name, IKEV2, this->ike->get_ref(this->ike),
+		name, this->ike->get_ref(this->ike),
 		CERT_NEVER_SEND, UNIQUE_REPLACE,
 		1, this->rekey*60, 0,			/* keytries, rekey, reauth */
 		this->rekey*5, this->rekey*3,	/* jitter, overtime */
@@ -235,7 +220,7 @@ METHOD(enumerator_t, peer_enumerator_enumerate, bool,
 		return FALSE;
 	}
 	this->current = peer_cfg_create(
-				name, IKEV2, this->ike->get_ref(this->ike),
+				name, this->ike->get_ref(this->ike),
 				CERT_NEVER_SEND, UNIQUE_REPLACE,
 				1, this->rekey*60, 0,			/* keytries, rekey, reauth */
 				this->rekey*5, this->rekey*3,	/* jitter, overtime */
@@ -392,9 +377,11 @@ medcli_config_t *medcli_config_create(database_t *db)
 		.db = db,
 		.rekey = lib->settings->get_time(lib->settings, "medcli.rekey", 1200),
 		.dpd = lib->settings->get_time(lib->settings, "medcli.dpd", 300),
-		.ike = ike_cfg_create(FALSE, FALSE,
-							  "0.0.0.0", FALSE, charon->socket->get_port(charon->socket, FALSE),
-							  "0.0.0.0", FALSE, IKEV2_UDP_PORT),
+		.ike = ike_cfg_create(IKEV2, FALSE, FALSE,
+							  "0.0.0.0", FALSE,
+							  charon->socket->get_port(charon->socket, FALSE),
+							  "0.0.0.0", FALSE, IKEV2_UDP_PORT,
+							  FRAGMENTATION_NO),
 	);
 	this->ike->add_proposal(this->ike, proposal_create_default(PROTO_IKE));
 
diff --git a/src/libcharon/plugins/medcli/medcli_creds.c b/src/libcharon/plugins/medcli/medcli_creds.c
index 9c4a0b756..677229b9f 100644
--- a/src/libcharon/plugins/medcli/medcli_creds.c
+++ b/src/libcharon/plugins/medcli/medcli_creds.c
@@ -17,7 +17,7 @@
 
 #include <daemon.h>
 #include <library.h>
-#include <utils/enumerator.h>
+#include <collections/enumerator.h>
 
 typedef struct private_medcli_creds_t private_medcli_creds_t;
 
diff --git a/src/libcharon/plugins/medsrv/Makefile.in b/src/libcharon/plugins/medsrv/Makefile.in
index ba27b8570..5d65aadc5 100644
--- a/src/libcharon/plugins/medsrv/Makefile.in
+++ b/src/libcharon/plugins/medsrv/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -73,6 +73,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
 am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
 am__installdirs = "$(DESTDIR)$(plugindir)"
 LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
 libstrongswan_medsrv_la_LIBADD =
@@ -123,6 +129,7 @@ CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -150,6 +157,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -177,6 +185,7 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
@@ -189,6 +198,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -242,7 +252,6 @@ libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -375,7 +384,7 @@ clean-pluginLTLIBRARIES:
 	  echo "rm -f \"$${dir}/so_locations\""; \
 	  rm -f "$${dir}/so_locations"; \
 	done
-libstrongswan-medsrv.la: $(libstrongswan_medsrv_la_OBJECTS) $(libstrongswan_medsrv_la_DEPENDENCIES) 
+libstrongswan-medsrv.la: $(libstrongswan_medsrv_la_OBJECTS) $(libstrongswan_medsrv_la_DEPENDENCIES) $(EXTRA_libstrongswan_medsrv_la_DEPENDENCIES) 
 	$(libstrongswan_medsrv_la_LINK) $(am_libstrongswan_medsrv_la_rpath) $(libstrongswan_medsrv_la_OBJECTS) $(libstrongswan_medsrv_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
@@ -514,10 +523,15 @@ install-am: all-am
 
 installcheck: installcheck-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
diff --git a/src/libcharon/plugins/medsrv/medsrv_config.c b/src/libcharon/plugins/medsrv/medsrv_config.c
index ff33c53e1..be14380ea 100644
--- a/src/libcharon/plugins/medsrv/medsrv_config.c
+++ b/src/libcharon/plugins/medsrv/medsrv_config.c
@@ -88,7 +88,7 @@ METHOD(backend_t, create_peer_cfg_enumerator, enumerator_t*,
 		if (e->enumerate(e, &name))
 		{
 			peer_cfg = peer_cfg_create(
-				name, IKEV2, this->ike->get_ref(this->ike),
+				name, this->ike->get_ref(this->ike),
 				CERT_NEVER_SEND, UNIQUE_REPLACE,
 				1, this->rekey*60, 0,			/* keytries, rekey, reauth */
 				this->rekey*5, this->rekey*3,	/* jitter, overtime */
@@ -139,9 +139,11 @@ medsrv_config_t *medsrv_config_create(database_t *db)
 		.db = db,
 		.rekey = lib->settings->get_time(lib->settings, "medsrv.rekey", 1200),
 		.dpd = lib->settings->get_time(lib->settings, "medsrv.dpd", 300),
-		.ike = ike_cfg_create(FALSE, FALSE,
-							  "0.0.0.0", FALSE, charon->socket->get_port(charon->socket, FALSE),
-							  "0.0.0.0", FALSE, IKEV2_UDP_PORT),
+		.ike = ike_cfg_create(IKEV2, FALSE, FALSE,
+							  "0.0.0.0", FALSE,
+							  charon->socket->get_port(charon->socket, FALSE),
+							  "0.0.0.0", FALSE, IKEV2_UDP_PORT,
+							  FRAGMENTATION_NO),
 	);
 	this->ike->add_proposal(this->ike, proposal_create_default(PROTO_IKE));
 
diff --git a/src/libcharon/plugins/medsrv/medsrv_creds.c b/src/libcharon/plugins/medsrv/medsrv_creds.c
index 3ae80f64c..0d99c4f77 100644
--- a/src/libcharon/plugins/medsrv/medsrv_creds.c
+++ b/src/libcharon/plugins/medsrv/medsrv_creds.c
@@ -17,7 +17,7 @@
 
 #include <daemon.h>
 #include <library.h>
-#include <utils/enumerator.h>
+#include <collections/enumerator.h>
 
 typedef struct private_medsrv_creds_t private_medsrv_creds_t;
 
diff --git a/src/libcharon/plugins/radattr/Makefile.in b/src/libcharon/plugins/radattr/Makefile.in
index 32bdad00c..b22a74e94 100644
--- a/src/libcharon/plugins/radattr/Makefile.in
+++ b/src/libcharon/plugins/radattr/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -73,6 +73,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
 am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
 am__installdirs = "$(DESTDIR)$(plugindir)"
 LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
 @MONOLITHIC_FALSE@libstrongswan_radattr_la_DEPENDENCIES =  \
@@ -124,6 +130,7 @@ CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -151,6 +158,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -178,6 +186,7 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
@@ -190,6 +199,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -243,7 +253,6 @@ libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -375,7 +384,7 @@ clean-pluginLTLIBRARIES:
 	  echo "rm -f \"$${dir}/so_locations\""; \
 	  rm -f "$${dir}/so_locations"; \
 	done
-libstrongswan-radattr.la: $(libstrongswan_radattr_la_OBJECTS) $(libstrongswan_radattr_la_DEPENDENCIES) 
+libstrongswan-radattr.la: $(libstrongswan_radattr_la_OBJECTS) $(libstrongswan_radattr_la_DEPENDENCIES) $(EXTRA_libstrongswan_radattr_la_DEPENDENCIES) 
 	$(libstrongswan_radattr_la_LINK) $(am_libstrongswan_radattr_la_rpath) $(libstrongswan_radattr_la_OBJECTS) $(libstrongswan_radattr_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
@@ -513,10 +522,15 @@ install-am: all-am
 
 installcheck: installcheck-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
diff --git a/src/libcharon/plugins/smp/Makefile.in b/src/libcharon/plugins/smp/Makefile.in
index 19cb7987b..433d019c1 100644
--- a/src/libcharon/plugins/smp/Makefile.in
+++ b/src/libcharon/plugins/smp/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -73,6 +73,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
 am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
 am__installdirs = "$(DESTDIR)$(plugindir)"
 LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
 am__DEPENDENCIES_1 =
@@ -121,6 +127,7 @@ CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -148,6 +155,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -175,6 +183,7 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
@@ -187,6 +196,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -240,7 +250,6 @@ libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -372,7 +381,7 @@ clean-pluginLTLIBRARIES:
 	  echo "rm -f \"$${dir}/so_locations\""; \
 	  rm -f "$${dir}/so_locations"; \
 	done
-libstrongswan-smp.la: $(libstrongswan_smp_la_OBJECTS) $(libstrongswan_smp_la_DEPENDENCIES) 
+libstrongswan-smp.la: $(libstrongswan_smp_la_OBJECTS) $(libstrongswan_smp_la_DEPENDENCIES) $(EXTRA_libstrongswan_smp_la_DEPENDENCIES) 
 	$(libstrongswan_smp_la_LINK) $(am_libstrongswan_smp_la_rpath) $(libstrongswan_smp_la_OBJECTS) $(libstrongswan_smp_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
@@ -509,10 +518,15 @@ install-am: all-am
 
 installcheck: installcheck-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
diff --git a/src/libcharon/plugins/socket_default/Makefile.in b/src/libcharon/plugins/socket_default/Makefile.in
index 3919e053a..5e947a7e9 100644
--- a/src/libcharon/plugins/socket_default/Makefile.in
+++ b/src/libcharon/plugins/socket_default/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -73,6 +73,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
 am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
 am__installdirs = "$(DESTDIR)$(plugindir)"
 LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
 libstrongswan_socket_default_la_LIBADD =
@@ -124,6 +130,7 @@ CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -151,6 +158,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -178,6 +186,7 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
@@ -190,6 +199,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -243,7 +253,6 @@ libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -375,7 +384,7 @@ clean-pluginLTLIBRARIES:
 	  echo "rm -f \"$${dir}/so_locations\""; \
 	  rm -f "$${dir}/so_locations"; \
 	done
-libstrongswan-socket-default.la: $(libstrongswan_socket_default_la_OBJECTS) $(libstrongswan_socket_default_la_DEPENDENCIES) 
+libstrongswan-socket-default.la: $(libstrongswan_socket_default_la_OBJECTS) $(libstrongswan_socket_default_la_DEPENDENCIES) $(EXTRA_libstrongswan_socket_default_la_DEPENDENCIES) 
 	$(libstrongswan_socket_default_la_LINK) $(am_libstrongswan_socket_default_la_rpath) $(libstrongswan_socket_default_la_OBJECTS) $(libstrongswan_socket_default_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
@@ -513,10 +522,15 @@ install-am: all-am
 
 installcheck: installcheck-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
diff --git a/src/libcharon/plugins/socket_dynamic/Makefile.in b/src/libcharon/plugins/socket_dynamic/Makefile.in
index dfde282b2..e3fe4334a 100644
--- a/src/libcharon/plugins/socket_dynamic/Makefile.in
+++ b/src/libcharon/plugins/socket_dynamic/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -73,6 +73,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
 am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
 am__installdirs = "$(DESTDIR)$(plugindir)"
 LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
 libstrongswan_socket_dynamic_la_LIBADD =
@@ -124,6 +130,7 @@ CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -151,6 +158,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -178,6 +186,7 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
@@ -190,6 +199,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -243,7 +253,6 @@ libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -375,7 +384,7 @@ clean-pluginLTLIBRARIES:
 	  echo "rm -f \"$${dir}/so_locations\""; \
 	  rm -f "$${dir}/so_locations"; \
 	done
-libstrongswan-socket-dynamic.la: $(libstrongswan_socket_dynamic_la_OBJECTS) $(libstrongswan_socket_dynamic_la_DEPENDENCIES) 
+libstrongswan-socket-dynamic.la: $(libstrongswan_socket_dynamic_la_OBJECTS) $(libstrongswan_socket_dynamic_la_DEPENDENCIES) $(EXTRA_libstrongswan_socket_dynamic_la_DEPENDENCIES) 
 	$(libstrongswan_socket_dynamic_la_LINK) $(am_libstrongswan_socket_dynamic_la_rpath) $(libstrongswan_socket_dynamic_la_OBJECTS) $(libstrongswan_socket_dynamic_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
@@ -513,10 +522,15 @@ install-am: all-am
 
 installcheck: installcheck-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
diff --git a/src/libcharon/plugins/socket_dynamic/socket_dynamic_socket.c b/src/libcharon/plugins/socket_dynamic/socket_dynamic_socket.c
index 33f16cc45..a5e919348 100644
--- a/src/libcharon/plugins/socket_dynamic/socket_dynamic_socket.c
+++ b/src/libcharon/plugins/socket_dynamic/socket_dynamic_socket.c
@@ -40,7 +40,7 @@
 #include <daemon.h>
 #include <threading/thread.h>
 #include <threading/rwlock.h>
-#include <utils/hashtable.h>
+#include <collections/hashtable.h>
 
 /* Maximum size of a packet */
 #define MAX_PACKET 10000
diff --git a/src/libcharon/plugins/sql/Makefile.in b/src/libcharon/plugins/sql/Makefile.in
index a6c6cbe1e..22868fce7 100644
--- a/src/libcharon/plugins/sql/Makefile.in
+++ b/src/libcharon/plugins/sql/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -73,6 +73,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
 am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
 am__installdirs = "$(DESTDIR)$(plugindir)"
 LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
 libstrongswan_sql_la_LIBADD =
@@ -121,6 +127,7 @@ CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -148,6 +155,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -175,6 +183,7 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
@@ -187,6 +196,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -240,7 +250,6 @@ libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -371,7 +380,7 @@ clean-pluginLTLIBRARIES:
 	  echo "rm -f \"$${dir}/so_locations\""; \
 	  rm -f "$${dir}/so_locations"; \
 	done
-libstrongswan-sql.la: $(libstrongswan_sql_la_OBJECTS) $(libstrongswan_sql_la_DEPENDENCIES) 
+libstrongswan-sql.la: $(libstrongswan_sql_la_OBJECTS) $(libstrongswan_sql_la_DEPENDENCIES) $(EXTRA_libstrongswan_sql_la_DEPENDENCIES) 
 	$(libstrongswan_sql_la_LINK) $(am_libstrongswan_sql_la_rpath) $(libstrongswan_sql_la_OBJECTS) $(libstrongswan_sql_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
@@ -511,10 +520,15 @@ install-am: all-am
 
 installcheck: installcheck-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
diff --git a/src/libcharon/plugins/sql/sql_config.c b/src/libcharon/plugins/sql/sql_config.c
index c614c679e..37bd86671 100644
--- a/src/libcharon/plugins/sql/sql_config.c
+++ b/src/libcharon/plugins/sql/sql_config.c
@@ -258,9 +258,11 @@ static ike_cfg_t *build_ike_cfg(private_sql_config_t *this, enumerator_t *e,
 	{
 		ike_cfg_t *ike_cfg;
 
-		ike_cfg = ike_cfg_create(certreq, force_encap,
-								 local, FALSE, charon->socket->get_port(charon->socket, FALSE),
-								 remote, FALSE, IKEV2_UDP_PORT);
+		ike_cfg = ike_cfg_create(IKEV2, certreq, force_encap,
+								 local, FALSE,
+								 charon->socket->get_port(charon->socket, FALSE),
+								 remote, FALSE, IKEV2_UDP_PORT,
+								 FRAGMENTATION_NO);
 		add_ike_proposals(this, ike_cfg, id);
 		return ike_cfg;
 	}
@@ -370,7 +372,7 @@ static peer_cfg_t *build_peer_cfg(private_sql_config_t *this, enumerator_t *e,
 		if (ike)
 		{
 			peer_cfg = peer_cfg_create(
-					name, IKEV2, ike, cert_policy, uniqueid,
+					name, ike, cert_policy, uniqueid,
 					keyingtries, rekeytime, reauthtime, jitter, overtime,
 					mobike, FALSE, dpd_delay, 0,
 					mediation, mediated_cfg, peer_id);
diff --git a/src/libcharon/plugins/sql/sql_logger.c b/src/libcharon/plugins/sql/sql_logger.c
index 6db3258d2..547e7691e 100644
--- a/src/libcharon/plugins/sql/sql_logger.c
+++ b/src/libcharon/plugins/sql/sql_logger.c
@@ -102,7 +102,8 @@ METHOD(logger_t, log_, void,
 						  DB_BLOB, local_host->get_address(local_host),
 						  DB_BLOB, remote_host->get_address(remote_host));
 		this->db->execute(this->db, NULL, "INSERT INTO logs ("
-						  "local_spi, signal, level, msg) VALUES (?, ?, ?, ?)",
+						  "local_spi, `signal`, level, msg) "
+						  "VALUES (?, ?, ?, ?)",
 						  DB_BLOB, local_spi, DB_INT, group, DB_INT, level,
 						  DB_TEXT, message);
 	}
diff --git a/src/libcharon/plugins/stroke/Makefile.am b/src/libcharon/plugins/stroke/Makefile.am
index cebcd984f..39b3e79d2 100644
--- a/src/libcharon/plugins/stroke/Makefile.am
+++ b/src/libcharon/plugins/stroke/Makefile.am
@@ -22,6 +22,7 @@ libstrongswan_stroke_la_SOURCES = \
 	stroke_ca.h stroke_ca.c \
 	stroke_attribute.h stroke_attribute.c \
 	stroke_handler.h stroke_handler.c \
+	stroke_counter.h stroke_counter.c \
 	stroke_list.h stroke_list.c
 
 libstrongswan_stroke_la_LDFLAGS = -module -avoid-version
diff --git a/src/libcharon/plugins/stroke/Makefile.in b/src/libcharon/plugins/stroke/Makefile.in
index f0db20c42..38924708a 100644
--- a/src/libcharon/plugins/stroke/Makefile.in
+++ b/src/libcharon/plugins/stroke/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -73,12 +73,19 @@ am__nobase_list = $(am__nobase_strip_setup); \
 am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
 am__installdirs = "$(DESTDIR)$(plugindir)"
 LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
 libstrongswan_stroke_la_LIBADD =
 am_libstrongswan_stroke_la_OBJECTS = stroke_plugin.lo stroke_socket.lo \
 	stroke_config.lo stroke_control.lo stroke_cred.lo stroke_ca.lo \
-	stroke_attribute.lo stroke_handler.lo stroke_list.lo
+	stroke_attribute.lo stroke_handler.lo stroke_counter.lo \
+	stroke_list.lo
 libstrongswan_stroke_la_OBJECTS =  \
 	$(am_libstrongswan_stroke_la_OBJECTS)
 libstrongswan_stroke_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
@@ -124,6 +131,7 @@ CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -151,6 +159,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -178,6 +187,7 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
@@ -190,6 +200,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -243,7 +254,6 @@ libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -309,6 +319,7 @@ libstrongswan_stroke_la_SOURCES = \
 	stroke_ca.h stroke_ca.c \
 	stroke_attribute.h stroke_attribute.c \
 	stroke_handler.h stroke_handler.c \
+	stroke_counter.h stroke_counter.c \
 	stroke_list.h stroke_list.c
 
 libstrongswan_stroke_la_LDFLAGS = -module -avoid-version
@@ -386,7 +397,7 @@ clean-pluginLTLIBRARIES:
 	  echo "rm -f \"$${dir}/so_locations\""; \
 	  rm -f "$${dir}/so_locations"; \
 	done
-libstrongswan-stroke.la: $(libstrongswan_stroke_la_OBJECTS) $(libstrongswan_stroke_la_DEPENDENCIES) 
+libstrongswan-stroke.la: $(libstrongswan_stroke_la_OBJECTS) $(libstrongswan_stroke_la_DEPENDENCIES) $(EXTRA_libstrongswan_stroke_la_DEPENDENCIES) 
 	$(libstrongswan_stroke_la_LINK) $(am_libstrongswan_stroke_la_rpath) $(libstrongswan_stroke_la_OBJECTS) $(libstrongswan_stroke_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
@@ -399,6 +410,7 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/stroke_ca.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/stroke_config.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/stroke_control.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/stroke_counter.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/stroke_cred.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/stroke_handler.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/stroke_list.Plo@am__quote@
@@ -531,10 +543,15 @@ install-am: all-am
 
 installcheck: installcheck-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
diff --git a/src/libcharon/plugins/stroke/stroke_attribute.c b/src/libcharon/plugins/stroke/stroke_attribute.c
index 85fb94e9e..0f3c38986 100644
--- a/src/libcharon/plugins/stroke/stroke_attribute.c
+++ b/src/libcharon/plugins/stroke/stroke_attribute.c
@@ -17,7 +17,7 @@
 #include "stroke_attribute.h"
 
 #include <daemon.h>
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
 #include <threading/rwlock.h>
 
 typedef struct private_stroke_attribute_t private_stroke_attribute_t;
diff --git a/src/libcharon/plugins/stroke/stroke_ca.c b/src/libcharon/plugins/stroke/stroke_ca.c
index 763b4cc0f..f8026875f 100644
--- a/src/libcharon/plugins/stroke/stroke_ca.c
+++ b/src/libcharon/plugins/stroke/stroke_ca.c
@@ -18,7 +18,7 @@
 #include "stroke_cred.h"
 
 #include <threading/rwlock.h>
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
 #include <crypto/hashers/hasher.h>
 
 #include <daemon.h>
diff --git a/src/libcharon/plugins/stroke/stroke_config.c b/src/libcharon/plugins/stroke/stroke_config.c
index e43672b18..9f6124dc9 100644
--- a/src/libcharon/plugins/stroke/stroke_config.c
+++ b/src/libcharon/plugins/stroke/stroke_config.c
@@ -225,14 +225,16 @@ static ike_cfg_t *build_ike_cfg(private_stroke_config_t *this, stroke_msg_t *msg
 	ikeport = msg->add_conn.me.ikeport;
 	ikeport = (ikeport == IKEV2_UDP_PORT) ?
 			   charon->socket->get_port(charon->socket, FALSE) : ikeport;
-	ike_cfg = ike_cfg_create(msg->add_conn.other.sendcert != CERT_NEVER_SEND,
+	ike_cfg = ike_cfg_create(msg->add_conn.version,
+							 msg->add_conn.other.sendcert != CERT_NEVER_SEND,
 							 msg->add_conn.force_encap,
 							 msg->add_conn.me.address,
 							 msg->add_conn.me.allow_any,
 							 ikeport,
 							 msg->add_conn.other.address,
 							 msg->add_conn.other.allow_any,
-							 msg->add_conn.other.ikeport);
+							 msg->add_conn.other.ikeport,
+							 msg->add_conn.fragmentation);
 	add_proposals(this, msg->add_conn.algorithms.ike, ike_cfg, NULL);
 	return ike_cfg;
 }
@@ -412,7 +414,7 @@ static auth_cfg_t *build_auth_cfg(private_stroke_config_t *this,
 			ca = other_end->ca2;
 		}
 	}
-	if (id && *id == '%' && !streq(id, "%any"))
+	if (id && *id == '%' && !streq(id, "%any") && !streq(id, "%any6"))
 	{	/* has only an effect on rightid/2 */
 		loose = !local;
 		id++;
@@ -441,7 +443,7 @@ static auth_cfg_t *build_auth_cfg(private_stroke_config_t *this,
 
 	cfg = auth_cfg_create();
 
-	/* add identity and peer certifcate */
+	/* add identity and peer certificate */
 	identity = identification_create_from_string(id);
 	if (cert)
 	{
@@ -707,8 +709,7 @@ static peer_cfg_t *build_peer_cfg(private_stroke_config_t *this,
 	/* other.sourceip is managed in stroke_attributes. If it is set, we define
 	 * the pool name as the connection name, which the attribute provider
 	 * uses to serve pool addresses. */
-	peer_cfg = peer_cfg_create(msg->add_conn.name,
-		msg->add_conn.version, ike_cfg,
+	peer_cfg = peer_cfg_create(msg->add_conn.name, ike_cfg,
 		msg->add_conn.me.sendcert, unique,
 		msg->add_conn.rekey.tries, rekey, reauth, jitter, over,
 		msg->add_conn.mobike, msg->add_conn.aggressive,
@@ -881,10 +882,10 @@ static void add_ts(private_stroke_config_t *this,
 	}
 	else
 	{
-		host_t *net;
-
 		if (!end->subnets)
 		{
+			host_t *net;
+
 			net = host_create_from_string(end->address, 0);
 			if (net)
 			{
@@ -895,39 +896,24 @@ static void add_ts(private_stroke_config_t *this,
 		}
 		else
 		{
-			char *del, *start, *bits;
+			enumerator_t *enumerator;
+			char *subnet;
 
-			start = end->subnets;
-			do
+			enumerator = enumerator_create_token(end->subnets, ",", " ");
+			while (enumerator->enumerate(enumerator, &subnet))
 			{
-				int intbits = 0;
-
-				del = strchr(start, ',');
-				if (del)
-				{
-					*del = '\0';
-				}
-				bits = strchr(start, '/');
-				if (bits)
+				ts = traffic_selector_create_from_cidr(subnet,
+													end->protocol, end->port);
+				if (ts)
 				{
-					*bits = '\0';
-					intbits = atoi(bits + 1);
-				}
-
-				net = host_create_from_string(start, 0);
-				if (net)
-				{
-					ts = traffic_selector_create_from_subnet(net, intbits,
-												end->protocol, end->port);
 					child_cfg->add_traffic_selector(child_cfg, local, ts);
 				}
 				else
 				{
-					DBG1(DBG_CFG, "invalid subnet: %s, skipped", start);
+					DBG1(DBG_CFG, "invalid subnet: %s, skipped", subnet);
 				}
-				start = del + 1;
 			}
-			while (del);
+			enumerator->destroy(enumerator);
 		}
 	}
 }
@@ -1326,4 +1312,3 @@ stroke_config_t *stroke_config_create(stroke_ca_t *ca, stroke_cred_t *cred,
 
 	return &this->public;
 }
-
diff --git a/src/libcharon/plugins/stroke/stroke_counter.c b/src/libcharon/plugins/stroke/stroke_counter.c
new file mode 100644
index 000000000..56eda945a
--- /dev/null
+++ b/src/libcharon/plugins/stroke/stroke_counter.c
@@ -0,0 +1,254 @@
+/*
+ * Copyright (C) 2012 Martin Willi
+ * Copyright (C) 2012 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "stroke_counter.h"
+
+#include <threading/spinlock.h>
+
+ENUM(stroke_counter_type_names,
+	COUNTER_INIT_IKE_SA_REKEY, COUNTER_OUT_INFORMATIONAL_RSP,
+	"ikeInitRekey",
+	"ikeRspRekey",
+	"ikeChildSaRekey",
+	"ikeInInvalid",
+	"ikeInInvalidSpi",
+	"ikeInInitReq",
+	"ikeInInitRsp",
+	"ikeOutInitReq",
+	"ikeOutInitRsp",
+	"ikeInAuthReq",
+	"ikeInAuthRsp",
+	"ikeOutAuthReq",
+	"ikeOutAuthRsp",
+	"ikeInCrChildReq",
+	"ikeInCrChildRsp",
+	"ikeOutCrChildReq",
+	"ikeOutCrChildRsp",
+	"ikeInInfoReq",
+	"ikeInInfoRsp",
+	"ikeOutInfoReq",
+	"ikeOutInfoRsp",
+);
+
+typedef struct private_stroke_counter_t private_stroke_counter_t;
+
+/**
+ * Private data of an stroke_counter_t object.
+ */
+struct private_stroke_counter_t {
+
+	/**
+	 * Public stroke_counter_t interface.
+	 */
+	stroke_counter_t public;
+
+	/**
+	 * Counter values
+	 */
+	u_int64_t counter[COUNTER_MAX];
+
+	/**
+	 * Lock for counter values
+	 */
+	spinlock_t *lock;
+};
+
+METHOD(listener_t, alert, bool,
+	private_stroke_counter_t *this, ike_sa_t *ike_sa,
+	alert_t alert, va_list args)
+{
+	stroke_counter_type_t type;
+
+	switch (alert)
+	{
+		case ALERT_INVALID_IKE_SPI:
+			type = COUNTER_IN_INVALID_IKE_SPI;
+			break;
+		case ALERT_PARSE_ERROR_HEADER:
+		case ALERT_PARSE_ERROR_BODY:
+			type = COUNTER_IN_INVALID;
+			break;
+		default:
+			return TRUE;
+	}
+
+	this->lock->lock(this->lock);
+	this->counter[type]++;
+	this->lock->unlock(this->lock);
+
+	return TRUE;
+}
+
+METHOD(listener_t, ike_rekey, bool,
+	private_stroke_counter_t *this, ike_sa_t *old, ike_sa_t *new)
+{
+	stroke_counter_type_t type;
+	ike_sa_id_t *id;
+
+	id = new->get_id(new);
+	if (id->is_initiator(id))
+	{
+		type = COUNTER_INIT_IKE_SA_REKEY;
+	}
+	else
+	{
+		type = COUNTER_RESP_IKE_SA_REKEY;
+	}
+
+	this->lock->lock(this->lock);
+	this->counter[type]++;
+	this->lock->unlock(this->lock);
+
+	return TRUE;
+}
+
+METHOD(listener_t, child_rekey, bool,
+	private_stroke_counter_t *this, ike_sa_t *ike_sa,
+	child_sa_t *old, child_sa_t *new)
+{
+	this->lock->lock(this->lock);
+	this->counter[COUNTER_CHILD_SA_REKEY]++;
+	this->lock->unlock(this->lock);
+
+	return TRUE;
+}
+
+METHOD(listener_t, message_hook, bool,
+	private_stroke_counter_t *this, ike_sa_t *ike_sa, message_t *message,
+	bool incoming, bool plain)
+{
+	stroke_counter_type_t type;
+	bool request;
+
+	if ((incoming && !plain) || (!incoming && !plain))
+	{	/* handle each message only once */
+		return TRUE;
+	}
+
+	request = message->get_request(message);
+	switch (message->get_exchange_type(message))
+	{
+		case IKE_SA_INIT:
+			if (incoming)
+			{
+				type = request ? COUNTER_IN_IKE_SA_INIT_REQ
+							   : COUNTER_IN_IKE_SA_INIT_RSP;
+			}
+			else
+			{
+				type = request ? COUNTER_OUT_IKE_SA_INIT_REQ
+							   : COUNTER_OUT_IKE_SA_INIT_RES;
+			}
+			break;
+		case IKE_AUTH:
+			if (incoming)
+			{
+				type = request ? COUNTER_IN_IKE_AUTH_REQ
+							   : COUNTER_IN_IKE_AUTH_RSP;
+			}
+			else
+			{
+				type = request ? COUNTER_OUT_IKE_AUTH_REQ
+							   : COUNTER_OUT_IKE_AUTH_RSP;
+			}
+			break;
+		case CREATE_CHILD_SA:
+			if (incoming)
+			{
+				type = request ? COUNTER_IN_CREATE_CHILD_SA_REQ
+							   : COUNTER_IN_CREATE_CHILD_SA_RSP;
+			}
+			else
+			{
+				type = request ? COUNTER_OUT_CREATE_CHILD_SA_REQ
+							   : COUNTER_OUT_CREATE_CHILD_SA_RSP;
+			}
+			break;
+		case INFORMATIONAL:
+			if (incoming)
+			{
+				type = request ? COUNTER_IN_INFORMATIONAL_REQ
+							   : COUNTER_IN_INFORMATIONAL_RSP;
+			}
+			else
+			{
+				type = request ? COUNTER_OUT_INFORMATIONAL_REQ
+							   : COUNTER_OUT_INFORMATIONAL_RSP;
+			}
+			break;
+		default:
+			return TRUE;
+	}
+
+	this->lock->lock(this->lock);
+	this->counter[type]++;
+	this->lock->unlock(this->lock);
+
+	return TRUE;
+}
+
+METHOD(stroke_counter_t, print, void,
+	private_stroke_counter_t *this, FILE *out)
+{
+	u_int64_t counter[COUNTER_MAX];
+	int i;
+
+	/* Take a snapshot to have congruent results, */
+	this->lock->lock(this->lock);
+	for (i = 0; i < countof(this->counter); i++)
+	{
+		counter[i] = this->counter[i];
+	}
+	this->lock->unlock(this->lock);
+
+	fprintf(out, "\nList of IKE counters:\n\n");
+
+	/* but do blocking write without the lock. */
+	for (i = 0; i < countof(this->counter); i++)
+	{
+		fprintf(out, "%-18N %12llu\n", stroke_counter_type_names, i, counter[i]);
+	}
+}
+
+METHOD(stroke_counter_t, destroy, void,
+	private_stroke_counter_t *this)
+{
+	this->lock->destroy(this->lock);
+	free(this);
+}
+
+/**
+ * See header
+ */
+stroke_counter_t *stroke_counter_create()
+{
+	private_stroke_counter_t *this;
+
+	INIT(this,
+		.public = {
+			.listener = {
+				.alert = _alert,
+				.ike_rekey = _ike_rekey,
+				.child_rekey = _child_rekey,
+				.message = _message_hook,
+			},
+			.print = _print,
+			.destroy = _destroy,
+		},
+		.lock = spinlock_create(),
+	);
+
+	return &this->public;
+}
diff --git a/src/libcharon/plugins/stroke/stroke_counter.h b/src/libcharon/plugins/stroke/stroke_counter.h
new file mode 100644
index 000000000..efaae0d6f
--- /dev/null
+++ b/src/libcharon/plugins/stroke/stroke_counter.h
@@ -0,0 +1,104 @@
+/*
+ * Copyright (C) 2012 Martin Willi
+ * Copyright (C) 2012 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup stroke_counter stroke_counter
+ * @{ @ingroup stroke
+ */
+
+#ifndef STROKE_COUNTER_H_
+#define STROKE_COUNTER_H_
+
+#include <bus/listeners/listener.h>
+
+typedef struct stroke_counter_t stroke_counter_t;
+typedef enum stroke_counter_type_t stroke_counter_type_t;
+
+enum stroke_counter_type_t {
+	/** initiated IKE_SA rekeyings */
+	COUNTER_INIT_IKE_SA_REKEY,
+	/** responded IKE_SA rekeyings */
+	COUNTER_RESP_IKE_SA_REKEY,
+	/** completed CHILD_SA rekeyings */
+	COUNTER_CHILD_SA_REKEY,
+	/** messages with invalid types, length, or a value out of range */
+	COUNTER_IN_INVALID,
+	/** messages with an invalid IKE SPI */
+	COUNTER_IN_INVALID_IKE_SPI,
+	/** received IKE_SA_INIT requests */
+	COUNTER_IN_IKE_SA_INIT_REQ,
+	/** received IKE_SA_INIT responses */
+	COUNTER_IN_IKE_SA_INIT_RSP,
+	/** sent IKE_SA_INIT requests */
+	COUNTER_OUT_IKE_SA_INIT_REQ,
+	/** sent IKE_SA_INIT responses */
+	COUNTER_OUT_IKE_SA_INIT_RES,
+	/** received IKE_AUTH requests */
+	COUNTER_IN_IKE_AUTH_REQ,
+	/** received IKE_AUTH responses */
+	COUNTER_IN_IKE_AUTH_RSP,
+	/** sent IKE_AUTH requests */
+	COUNTER_OUT_IKE_AUTH_REQ,
+	/** sent IKE_AUTH responses */
+	COUNTER_OUT_IKE_AUTH_RSP,
+	/** received CREATE_CHILD_SA requests */
+	COUNTER_IN_CREATE_CHILD_SA_REQ,
+	/** received CREATE_CHILD_SA responses */
+	COUNTER_IN_CREATE_CHILD_SA_RSP,
+	/** sent CREATE_CHILD_SA requests */
+	COUNTER_OUT_CREATE_CHILD_SA_REQ,
+	/** sent CREATE_CHILD_SA responses */
+	COUNTER_OUT_CREATE_CHILD_SA_RSP,
+	/** received INFORMATIONAL requests */
+	COUNTER_IN_INFORMATIONAL_REQ,
+	/** received INFORMATIONAL responses */
+	COUNTER_IN_INFORMATIONAL_RSP,
+	/** sent INFORMATIONAL requests */
+	COUNTER_OUT_INFORMATIONAL_REQ,
+	/** sent INFORMATIONAL responses */
+	COUNTER_OUT_INFORMATIONAL_RSP,
+	/** number of counter types */
+	COUNTER_MAX
+};
+
+/**
+ * Collection of counter values for different IKE events.
+ */
+struct stroke_counter_t {
+
+	/**
+	 * Implements listener_t.
+	 */
+	listener_t listener;
+
+	/**
+	 * Print counter values to an output stream.
+	 *
+	 * @param out		output stream to write to
+	 */
+	void (*print)(stroke_counter_t *this, FILE *out);
+
+	/**
+	 * Destroy a stroke_counter_t.
+	 */
+	void (*destroy)(stroke_counter_t *this);
+};
+
+/**
+ * Create a stroke_counter instance.
+ */
+stroke_counter_t *stroke_counter_create();
+
+#endif /** STROKE_COUNTER_H_ @}*/
diff --git a/src/libcharon/plugins/stroke/stroke_cred.c b/src/libcharon/plugins/stroke/stroke_cred.c
index ebc09c0d5..c401bc6f1 100644
--- a/src/libcharon/plugins/stroke/stroke_cred.c
+++ b/src/libcharon/plugins/stroke/stroke_cred.c
@@ -34,7 +34,7 @@
 #include <credentials/certificates/ac.h>
 #include <credentials/sets/mem_cred.h>
 #include <credentials/sets/callback_cred.h>
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
 #include <utils/lexparser.h>
 #include <threading/rwlock.h>
 #include <daemon.h>
@@ -82,35 +82,137 @@ struct private_stroke_cred_t {
 	bool cachecrl;
 };
 
-METHOD(stroke_cred_t, load_ca, certificate_t*,
-	private_stroke_cred_t *this, char *filename)
+/** Length of smartcard specifier parts (module, keyid) */
+#define SC_PART_LEN 128
+
+/**
+ * Kind of smartcard specifier token
+ */
+typedef enum {
+	SC_FORMAT_SLOT_MODULE_KEYID,
+	SC_FORMAT_SLOT_KEYID,
+	SC_FORMAT_KEYID,
+	SC_FORMAT_INVALID,
+} smartcard_format_t;
+
+/**
+ * Parse a smartcard specifier token
+ */
+static smartcard_format_t parse_smartcard(char *smartcard, u_int *slot,
+										  char *module, char *keyid)
 {
-	certificate_t *cert;
-	char path[PATH_MAX];
+	/* The token has one of the following three formats:
+	 * - %smartcard<slot>@<module>:<keyid>
+	 * - %smartcard<slot>:<keyid>
+	 * - %smartcard:<keyid>
+	 */
+	char buf[2 * SC_PART_LEN], *pos;
 
-	if (*filename == '/')
+	if (sscanf(smartcard, "%%smartcard%u@%255s", slot, buf) == 2)
+	{
+		pos = strchr(buf, ':');
+		if (!pos)
+		{
+			return SC_FORMAT_INVALID;
+		}
+		*pos++ = '\0';
+		snprintf(module, SC_PART_LEN, "%s", buf);
+		snprintf(keyid, SC_PART_LEN, "%s", pos);
+		return SC_FORMAT_SLOT_MODULE_KEYID;
+	}
+	if (sscanf(smartcard, "%%smartcard%u:%127s", slot, keyid) == 2)
 	{
-		snprintf(path, sizeof(path), "%s", filename);
+		return SC_FORMAT_SLOT_KEYID;
 	}
-	else
+	if (sscanf(smartcard, "%%smartcard:%127s", keyid) == 1)
 	{
-		snprintf(path, sizeof(path), "%s/%s", CA_CERTIFICATE_DIR, filename);
+		return SC_FORMAT_KEYID;
 	}
+	return SC_FORMAT_INVALID;
+}
 
-	if (this->force_ca_cert)
-	{	/* we treat this certificate as a CA certificate even if it has no
-		 * CA basic constraint */
-		cert = lib->creds->create(lib->creds,
-							  CRED_CERTIFICATE, CERT_X509,
-							  BUILD_FROM_FILE, path, BUILD_X509_FLAG, X509_CA,
-							  BUILD_END);
+/**
+ * Load a credential from a smartcard
+ */
+static certificate_t *load_from_smartcard(smartcard_format_t format,
+										  u_int slot, char *module, char *keyid,
+										  credential_type_t type, int subtype)
+{
+	chunk_t chunk;
+	void *cred;
+
+	chunk = chunk_from_hex(chunk_create(keyid, strlen(keyid)), NULL);
+	switch (format)
+	{
+		case SC_FORMAT_SLOT_MODULE_KEYID:
+			cred = lib->creds->create(lib->creds, type, subtype,
+							BUILD_PKCS11_SLOT, slot,
+							BUILD_PKCS11_MODULE, module,
+							BUILD_PKCS11_KEYID, chunk, BUILD_END);
+			break;
+		case SC_FORMAT_SLOT_KEYID:
+			cred = lib->creds->create(lib->creds, type, subtype,
+							BUILD_PKCS11_SLOT, slot,
+							BUILD_PKCS11_KEYID, chunk, BUILD_END);
+			break;
+		case SC_FORMAT_KEYID:
+			cred = lib->creds->create(lib->creds, type, subtype,
+							BUILD_PKCS11_KEYID, chunk, BUILD_END);
+			break;
+		default:
+			cred = NULL;
+			break;
+	}
+	free(chunk.ptr);
+
+	return cred;
+}
+
+METHOD(stroke_cred_t, load_ca, certificate_t*,
+	private_stroke_cred_t *this, char *filename)
+{
+	certificate_t *cert = NULL;
+	char path[PATH_MAX];
+
+	if (strneq(filename, "%smartcard", strlen("%smartcard")))
+	{
+		smartcard_format_t format;
+		char module[SC_PART_LEN], keyid[SC_PART_LEN];
+		u_int slot;
+
+		format = parse_smartcard(filename, &slot, module, keyid);
+		if (format != SC_FORMAT_INVALID)
+		{
+			cert = (certificate_t*)load_from_smartcard(format,
+							slot, module, keyid, CRED_CERTIFICATE, CERT_X509);
+		}
 	}
 	else
 	{
-		cert = lib->creds->create(lib->creds,
-							  CRED_CERTIFICATE, CERT_X509,
-							  BUILD_FROM_FILE, path,
-							  BUILD_END);
+		if (*filename == '/')
+		{
+			snprintf(path, sizeof(path), "%s", filename);
+		}
+		else
+		{
+			snprintf(path, sizeof(path), "%s/%s", CA_CERTIFICATE_DIR, filename);
+		}
+
+		if (this->force_ca_cert)
+		{	/* we treat this certificate as a CA certificate even if it has no
+			 * CA basic constraint */
+			cert = lib->creds->create(lib->creds,
+								  CRED_CERTIFICATE, CERT_X509,
+								  BUILD_FROM_FILE, path, BUILD_X509_FLAG, X509_CA,
+								  BUILD_END);
+		}
+		else
+		{
+			cert = lib->creds->create(lib->creds,
+								  CRED_CERTIFICATE, CERT_X509,
+								  BUILD_FROM_FILE, path,
+								  BUILD_END);
+		}
 	}
 	if (cert)
 	{
@@ -123,6 +225,8 @@ METHOD(stroke_cred_t, load_ca, certificate_t*,
 			cert->destroy(cert);
 			return NULL;
 		}
+		DBG1(DBG_CFG, "  loaded ca certificate \"%Y\" from '%s",
+			 cert->get_subject(cert), filename);
 		return this->creds->add_cert_ref(this->creds, TRUE, cert);
 	}
 	return NULL;
@@ -131,22 +235,38 @@ METHOD(stroke_cred_t, load_ca, certificate_t*,
 METHOD(stroke_cred_t, load_peer, certificate_t*,
 	private_stroke_cred_t *this, char *filename)
 {
-	certificate_t *cert;
+	certificate_t *cert = NULL;
 	char path[PATH_MAX];
 
-	if (*filename == '/')
+	if (strneq(filename, "%smartcard", strlen("%smartcard")))
 	{
-		snprintf(path, sizeof(path), "%s", filename);
+		smartcard_format_t format;
+		char module[SC_PART_LEN], keyid[SC_PART_LEN];
+		u_int slot;
+
+		format = parse_smartcard(filename, &slot, module, keyid);
+		if (format != SC_FORMAT_INVALID)
+		{
+			cert = (certificate_t*)load_from_smartcard(format,
+							slot, module, keyid, CRED_CERTIFICATE, CERT_X509);
+		}
 	}
 	else
 	{
-		snprintf(path, sizeof(path), "%s/%s", CERTIFICATE_DIR, filename);
-	}
+		if (*filename == '/')
+		{
+			snprintf(path, sizeof(path), "%s", filename);
+		}
+		else
+		{
+			snprintf(path, sizeof(path), "%s/%s", CERTIFICATE_DIR, filename);
+		}
 
-	cert = lib->creds->create(lib->creds,
-							  CRED_CERTIFICATE, CERT_ANY,
-							  BUILD_FROM_FILE, path,
-							  BUILD_END);
+		cert = lib->creds->create(lib->creds,
+								  CRED_CERTIFICATE, CERT_ANY,
+								  BUILD_FROM_FILE, path,
+								  BUILD_END);
+	}
 	if (cert)
 	{
 		cert = this->creds->add_cert_ref(this->creds, TRUE, cert);
@@ -585,7 +705,7 @@ static bool load_pin(private_stroke_cred_t *this, chunk_t line, int line_nr,
 					 FILE *prompt)
 {
 	chunk_t sc = chunk_empty, secret = chunk_empty;
-	char smartcard[64], keyid[64], module[64], *pos;
+	char smartcard[BUF_LEN], keyid[SC_PART_LEN], module[SC_PART_LEN];
 	private_key_t *key = NULL;
 	u_int slot;
 	chunk_t chunk;
@@ -594,11 +714,7 @@ static bool load_pin(private_stroke_cred_t *this, chunk_t line, int line_nr,
 	mem_cred_t *mem = NULL;
 	callback_cred_t *cb = NULL;
 	pin_cb_data_t pin_data;
-	enum {
-		SC_FORMAT_SLOT_MODULE_KEYID,
-		SC_FORMAT_SLOT_KEYID,
-		SC_FORMAT_KEYID,
-	} format;
+	smartcard_format_t format;
 
 	err_t ugh = extract_value(&sc, &line);
 
@@ -615,33 +731,8 @@ static bool load_pin(private_stroke_cred_t *this, chunk_t line, int line_nr,
 	snprintf(smartcard, sizeof(smartcard), "%.*s", (int)sc.len, sc.ptr);
 	smartcard[sizeof(smartcard) - 1] = '\0';
 
-	/* parse slot and key id. Three formats are supported:
-	 * - %smartcard<slot>@<module>:<keyid>
-	 * - %smartcard<slot>:<keyid>
-	 * - %smartcard:<keyid>
-	 */
-	if (sscanf(smartcard, "%%smartcard%u@%s", &slot, module) == 2)
-	{
-		pos = strchr(module, ':');
-		if (!pos)
-		{
-			DBG1(DBG_CFG, "line %d: the given %%smartcard specifier is "
-				 "invalid", line_nr);
-			return FALSE;
-		}
-		*pos = '\0';
-		strncpy(keyid, pos + 1, sizeof(keyid));
-		format = SC_FORMAT_SLOT_MODULE_KEYID;
-	}
-	else if (sscanf(smartcard, "%%smartcard%u:%s", &slot, keyid) == 2)
-	{
-		format = SC_FORMAT_SLOT_KEYID;
-	}
-	else if (sscanf(smartcard, "%%smartcard:%s", keyid) == 1)
-	{
-		format = SC_FORMAT_KEYID;
-	}
-	else
+	format = parse_smartcard(smartcard, &slot, module, keyid);
+	if (format == SC_FORMAT_INVALID)
 	{
 		DBG1(DBG_CFG, "line %d: the given %%smartcard specifier is not"
 				" supported or invalid", line_nr);
@@ -666,7 +757,7 @@ static bool load_pin(private_stroke_cred_t *this, chunk_t line, int line_nr,
 		free(secret.ptr);
 		if (!prompt)
 		{	/* no IO channel to prompt, skip */
-			free(chunk.ptr);
+			chunk_clear(&chunk);
 			return TRUE;
 		}
 		/* use callback credential set to prompt for the pin */
@@ -688,27 +779,8 @@ static bool load_pin(private_stroke_cred_t *this, chunk_t line, int line_nr,
 	}
 
 	/* unlock: smartcard needs the pin and potentially calls public set */
-	switch (format)
-	{
-		case SC_FORMAT_SLOT_MODULE_KEYID:
-			key = lib->creds->create(lib->creds,
-							CRED_PRIVATE_KEY, KEY_ANY,
-							BUILD_PKCS11_SLOT, slot,
-							BUILD_PKCS11_MODULE, module,
-							BUILD_PKCS11_KEYID, chunk, BUILD_END);
-			break;
-		case SC_FORMAT_SLOT_KEYID:
-			key = lib->creds->create(lib->creds,
-							CRED_PRIVATE_KEY, KEY_ANY,
-							BUILD_PKCS11_SLOT, slot,
-							BUILD_PKCS11_KEYID, chunk, BUILD_END);
-			break;
-		case SC_FORMAT_KEYID:
-			key = lib->creds->create(lib->creds,
-							CRED_PRIVATE_KEY, KEY_ANY,
-							BUILD_PKCS11_KEYID, chunk, BUILD_END);
-			break;
-	}
+	key = (private_key_t*)load_from_smartcard(format, slot, module, keyid,
+											  CRED_PRIVATE_KEY, KEY_ANY);
 	if (mem)
 	{
 		lib->credmgr->remove_local_set(lib->credmgr, &mem->set);
@@ -719,6 +791,7 @@ static bool load_pin(private_stroke_cred_t *this, chunk_t line, int line_nr,
 		lib->credmgr->remove_local_set(lib->credmgr, &cb->set);
 		cb->destroy(cb);
 	}
+	chunk_clear(&chunk);
 
 	if (key)
 	{
diff --git a/src/libcharon/plugins/stroke/stroke_cred.h b/src/libcharon/plugins/stroke/stroke_cred.h
index 83e648819..c37d05808 100644
--- a/src/libcharon/plugins/stroke/stroke_cred.h
+++ b/src/libcharon/plugins/stroke/stroke_cred.h
@@ -27,7 +27,7 @@
 #include <stroke_msg.h>
 #include <credentials/credential_set.h>
 #include <credentials/certificates/certificate.h>
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
 
 typedef struct stroke_cred_t stroke_cred_t;
 
diff --git a/src/libcharon/plugins/stroke/stroke_handler.c b/src/libcharon/plugins/stroke/stroke_handler.c
index 523151efb..fef8cab67 100644
--- a/src/libcharon/plugins/stroke/stroke_handler.c
+++ b/src/libcharon/plugins/stroke/stroke_handler.c
@@ -16,7 +16,7 @@
 #include "stroke_handler.h"
 
 #include <daemon.h>
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
 #include <threading/rwlock.h>
 
 typedef struct private_stroke_handler_t private_stroke_handler_t;
diff --git a/src/libcharon/plugins/stroke/stroke_list.c b/src/libcharon/plugins/stroke/stroke_list.c
index c012ff25d..b3a20a6c7 100644
--- a/src/libcharon/plugins/stroke/stroke_list.c
+++ b/src/libcharon/plugins/stroke/stroke_list.c
@@ -25,7 +25,7 @@
 
 #include <hydra.h>
 #include <daemon.h>
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
 #include <plugins/plugin.h>
 #include <credentials/certificates/x509.h>
 #include <credentials/certificates/ac.h>
diff --git a/src/libcharon/plugins/stroke/stroke_socket.c b/src/libcharon/plugins/stroke/stroke_socket.c
index 241f0fbf6..2771f0146 100644
--- a/src/libcharon/plugins/stroke/stroke_socket.c
+++ b/src/libcharon/plugins/stroke/stroke_socket.c
@@ -29,7 +29,7 @@
 #include <threading/mutex.h>
 #include <threading/thread.h>
 #include <threading/condvar.h>
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
 #include <processing/jobs/callback_job.h>
 
 #include "stroke_config.h"
@@ -39,6 +39,7 @@
 #include "stroke_attribute.h"
 #include "stroke_handler.h"
 #include "stroke_list.h"
+#include "stroke_counter.h"
 
 /**
  * To avoid clogging the thread pool with (blocking) jobs, we limit the number
@@ -123,6 +124,11 @@ struct private_stroke_socket_t {
 	 * status information logging
 	 */
 	stroke_list_t *list;
+
+	/**
+	 * Counter values for IKE events
+	 */
+	stroke_counter_t *counter;
 };
 
 /**
@@ -389,6 +395,10 @@ static void stroke_list(private_stroke_socket_t *this, stroke_msg_t *msg, FILE *
 		this->ca->list(this->ca, msg, out);
 	}
 	this->list->list(this->list, msg, out);
+	if (msg->list.flags & LIST_COUNTERS)
+	{
+		this->counter->print(this->counter, out);
+	}
 }
 
 /**
@@ -500,9 +510,6 @@ static void stroke_user_creds(private_stroke_socket_t *this,
 static void stroke_loglevel(private_stroke_socket_t *this,
 							stroke_msg_t *msg, FILE *out)
 {
-	enumerator_t *enumerator;
-	sys_logger_t *sys_logger;
-	file_logger_t *file_logger;
 	debug_t group;
 
 	pop_string(msg, &(msg->loglevel.type));
@@ -515,21 +522,7 @@ static void stroke_loglevel(private_stroke_socket_t *this,
 		fprintf(out, "invalid type (%s)!\n", msg->loglevel.type);
 		return;
 	}
-	/* we set the loglevel on ALL sys- and file-loggers */
-	enumerator = charon->sys_loggers->create_enumerator(charon->sys_loggers);
-	while (enumerator->enumerate(enumerator, &sys_logger))
-	{
-		sys_logger->set_level(sys_logger, group, msg->loglevel.level);
-		charon->bus->add_logger(charon->bus, &sys_logger->logger);
-	}
-	enumerator->destroy(enumerator);
-	enumerator = charon->file_loggers->create_enumerator(charon->file_loggers);
-	while (enumerator->enumerate(enumerator, &file_logger))
-	{
-		file_logger->set_level(file_logger, group, msg->loglevel.level);
-		charon->bus->add_logger(charon->bus, &file_logger->logger);
-	}
-	enumerator->destroy(enumerator);
+	charon->set_level(charon, group, msg->loglevel.level);
 }
 
 /**
@@ -798,6 +791,7 @@ METHOD(stroke_socket_t, destroy, void,
 	charon->backends->remove_backend(charon->backends, &this->config->backend);
 	hydra->attributes->remove_provider(hydra->attributes, &this->attribute->provider);
 	hydra->attributes->remove_handler(hydra->attributes, &this->handler->handler);
+	charon->bus->remove_listener(charon->bus, &this->counter->listener);
 	this->cred->destroy(this->cred);
 	this->ca->destroy(this->ca);
 	this->config->destroy(this->config);
@@ -805,6 +799,7 @@ METHOD(stroke_socket_t, destroy, void,
 	this->handler->destroy(this->handler);
 	this->control->destroy(this->control);
 	this->list->destroy(this->list);
+	this->counter->destroy(this->counter);
 	free(this);
 }
 
@@ -834,6 +829,7 @@ stroke_socket_t *stroke_socket_create()
 	this->config = stroke_config_create(this->ca, this->cred, this->attribute);
 	this->control = stroke_control_create();
 	this->list = stroke_list_create(this->attribute);
+	this->counter = stroke_counter_create();
 
 	this->mutex = mutex_create(MUTEX_TYPE_DEFAULT);
 	this->condvar = condvar_create(CONDVAR_TYPE_DEFAULT);
@@ -847,6 +843,7 @@ stroke_socket_t *stroke_socket_create()
 	charon->backends->add_backend(charon->backends, &this->config->backend);
 	hydra->attributes->add_provider(hydra->attributes, &this->attribute->provider);
 	hydra->attributes->add_handler(hydra->attributes, &this->handler->handler);
+	charon->bus->add_listener(charon->bus, &this->counter->listener);
 
 	lib->processor->queue_job(lib->processor,
 		(job_t*)callback_job_create_with_prio((callback_job_cb_t)receive, this,
diff --git a/src/libcharon/plugins/tnc_ifmap/Makefile.in b/src/libcharon/plugins/tnc_ifmap/Makefile.in
index 5ead4379a..6d2802c65 100644
--- a/src/libcharon/plugins/tnc_ifmap/Makefile.in
+++ b/src/libcharon/plugins/tnc_ifmap/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -73,6 +73,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
 am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
 am__installdirs = "$(DESTDIR)$(plugindir)"
 LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
 am__DEPENDENCIES_1 =
@@ -125,6 +131,7 @@ CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -152,6 +159,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -179,6 +187,7 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
@@ -191,6 +200,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -244,7 +254,6 @@ libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -378,7 +387,7 @@ clean-pluginLTLIBRARIES:
 	  echo "rm -f \"$${dir}/so_locations\""; \
 	  rm -f "$${dir}/so_locations"; \
 	done
-libstrongswan-tnc-ifmap.la: $(libstrongswan_tnc_ifmap_la_OBJECTS) $(libstrongswan_tnc_ifmap_la_DEPENDENCIES) 
+libstrongswan-tnc-ifmap.la: $(libstrongswan_tnc_ifmap_la_OBJECTS) $(libstrongswan_tnc_ifmap_la_DEPENDENCIES) $(EXTRA_libstrongswan_tnc_ifmap_la_DEPENDENCIES) 
 	$(libstrongswan_tnc_ifmap_la_LINK) $(am_libstrongswan_tnc_ifmap_la_rpath) $(libstrongswan_tnc_ifmap_la_OBJECTS) $(libstrongswan_tnc_ifmap_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
@@ -517,10 +526,15 @@ install-am: all-am
 
 installcheck: installcheck-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
diff --git a/src/libcharon/plugins/tnc_ifmap/tnc_ifmap_listener.c b/src/libcharon/plugins/tnc_ifmap/tnc_ifmap_listener.c
index eac285ca3..9cd1ec381 100644
--- a/src/libcharon/plugins/tnc_ifmap/tnc_ifmap_listener.c
+++ b/src/libcharon/plugins/tnc_ifmap/tnc_ifmap_listener.c
@@ -18,7 +18,7 @@
 
 #include <daemon.h>
 #include <hydra.h>
-#include <debug.h>
+#include <utils/debug.h>
 
 typedef struct private_tnc_ifmap_listener_t private_tnc_ifmap_listener_t;
 
diff --git a/src/libcharon/plugins/tnc_ifmap/tnc_ifmap_soap.c b/src/libcharon/plugins/tnc_ifmap/tnc_ifmap_soap.c
index b13193612..33480bb85 100644
--- a/src/libcharon/plugins/tnc_ifmap/tnc_ifmap_soap.c
+++ b/src/libcharon/plugins/tnc_ifmap/tnc_ifmap_soap.c
@@ -15,7 +15,7 @@
 
 #include "tnc_ifmap_soap.h"
 
-#include <debug.h>
+#include <utils/debug.h>
 #include <daemon.h>
 
 #include <axis2_util.h>
@@ -584,7 +584,7 @@ METHOD(tnc_ifmap_soap_t, publish_ike_sa, bool,
 	 * update or delete capability metadata
 	 */
 	e1 = ike_sa->create_auth_cfg_enumerator(ike_sa, FALSE);
-	while (e1->enumerate(e1, &auth))
+	while (e1->enumerate(e1, &auth) && (first || up))
 	{
 		e2 = auth->create_enumerator(auth);
 		while (e2->enumerate(e2, &type, &group))
@@ -621,10 +621,6 @@ METHOD(tnc_ifmap_soap_t, publish_ike_sa, bool,
 				axiom_node_add_child(node2, this->env,
 									 create_capability(this, group));
 			}
-			if (!first && !up)
-			{
-				break;
-			}
 		}
 		e2->destroy(e2);
 	}
diff --git a/src/libcharon/plugins/tnc_ifmap/tnc_ifmap_soap.h b/src/libcharon/plugins/tnc_ifmap/tnc_ifmap_soap.h
index 4bf421e33..4efdc779f 100644
--- a/src/libcharon/plugins/tnc_ifmap/tnc_ifmap_soap.h
+++ b/src/libcharon/plugins/tnc_ifmap/tnc_ifmap_soap.h
@@ -15,14 +15,14 @@
 
 /**
  * @defgroup tnc_ifmap_soap tnc_ifmap_soap
- * @{ @ingroup tnc_ifmap 
+ * @{ @ingroup tnc_ifmap
  */
 
 #ifndef TNC_IFMAP_SOAP_H_
 #define TNC_IFMAP_SOAP_H_
 
 #include <library.h>
-#include <utils/host.h>
+#include <networking/host.h>
 #include <sa/ike_sa.h>
 
 typedef struct tnc_ifmap_soap_t tnc_ifmap_soap_t;
@@ -47,7 +47,7 @@ struct tnc_ifmap_soap_t {
 	bool (*purgePublisher)(tnc_ifmap_soap_t *this);
 
 	/**
-	 * Publish metadata about established/deleted IKE_SAs 
+	 * Publish metadata about established/deleted IKE_SAs
 	 *
 	 * @param ike_sa		IKE_SA for which metadate is published
 	 * @param up			TRUE if IKE_SEA is up, FALSE if down
@@ -56,7 +56,7 @@ struct tnc_ifmap_soap_t {
 	bool (*publish_ike_sa)(tnc_ifmap_soap_t *this, ike_sa_t *ike_sa, bool up);
 
 	/**
-	 * Publish PEP device-ip metadata 
+	 * Publish PEP device-ip metadata
 	 *
 	 * @param host			IP address of local endpoint
 	 * @return				TRUE if command was successful
diff --git a/src/libcharon/plugins/tnc_imc/Makefile.in b/src/libcharon/plugins/tnc_imc/Makefile.in
index 00c0d0d61..b21cbb348 100644
--- a/src/libcharon/plugins/tnc_imc/Makefile.in
+++ b/src/libcharon/plugins/tnc_imc/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -73,6 +73,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
 am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
 am__installdirs = "$(DESTDIR)$(plugindir)"
 LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
 @MONOLITHIC_FALSE@libstrongswan_tnc_imc_la_DEPENDENCIES =  \
@@ -125,6 +131,7 @@ CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -152,6 +159,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -179,6 +187,7 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
@@ -191,6 +200,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -244,7 +254,6 @@ libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -384,7 +393,7 @@ clean-pluginLTLIBRARIES:
 	  echo "rm -f \"$${dir}/so_locations\""; \
 	  rm -f "$${dir}/so_locations"; \
 	done
-libstrongswan-tnc-imc.la: $(libstrongswan_tnc_imc_la_OBJECTS) $(libstrongswan_tnc_imc_la_DEPENDENCIES) 
+libstrongswan-tnc-imc.la: $(libstrongswan_tnc_imc_la_OBJECTS) $(libstrongswan_tnc_imc_la_DEPENDENCIES) $(EXTRA_libstrongswan_tnc_imc_la_DEPENDENCIES) 
 	$(libstrongswan_tnc_imc_la_LINK) $(am_libstrongswan_tnc_imc_la_rpath) $(libstrongswan_tnc_imc_la_OBJECTS) $(libstrongswan_tnc_imc_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
@@ -524,10 +533,15 @@ install-am: all-am
 
 installcheck: installcheck-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
diff --git a/src/libcharon/plugins/tnc_imc/tnc_imc.c b/src/libcharon/plugins/tnc_imc/tnc_imc.c
index a1f2d770f..9ac578401 100644
--- a/src/libcharon/plugins/tnc_imc/tnc_imc.c
+++ b/src/libcharon/plugins/tnc_imc/tnc_imc.c
@@ -20,9 +20,10 @@
 
 #include <tncif_pa_subtypes.h>
 
-#include <debug.h>
+#include <utils/debug.h>
+#include <daemon.h>
 #include <library.h>
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
 #include <threading/mutex.h>
 
 typedef struct private_tnc_imc_t private_tnc_imc_t;
@@ -37,11 +38,6 @@ struct private_tnc_imc_t {
 	 */
 	imc_t public;
 
-	/**
-	 * Path of loaded IMC
-	 */
-	char *path;
-
 	/**
 	 * Name of loaded IMC
 	 */
@@ -291,10 +287,10 @@ METHOD(imc_t, type_supported, bool,
 
 	for (i = 0; i < this->type_count; i++)
 	{
-	    vid = this->supported_vids[i];
-	    subtype = this->supported_subtypes[i];
+		vid = this->supported_vids[i];
+		subtype = this->supported_subtypes[i];
 
-	    if ((vid == TNC_VENDORID_ANY && subtype == TNC_SUBTYPE_ANY) ||
+		if ((vid == TNC_VENDORID_ANY && subtype == TNC_SUBTYPE_ANY) ||
 			(vid == msg_vid && (subtype == TNC_SUBTYPE_ANY ||
 			 subtype == msg_subtype)))
 		{
@@ -307,20 +303,23 @@ METHOD(imc_t, type_supported, bool,
 METHOD(imc_t, destroy, void,
 	private_tnc_imc_t *this)
 {
-	dlclose(this->handle);
+	if (this->handle && lib->settings->get_bool(lib->settings,
+		"%s.plugins.tnc-imc.dlclose", TRUE, charon->name))
+	{
+		dlclose(this->handle);
+	}
 	this->mutex->destroy(this->mutex);
 	this->additional_ids->destroy(this->additional_ids);
 	free(this->supported_vids);
 	free(this->supported_subtypes);
 	free(this->name);
-	free(this->path);
 	free(this);
 }
 
 /**
- * Described in header.
+ * Generic constructor
  */
-imc_t* tnc_imc_create(char *name, char *path)
+static private_tnc_imc_t* tnc_imc_create_empty(char *name)
 {
 	private_tnc_imc_t *this;
 
@@ -335,59 +334,96 @@ imc_t* tnc_imc_create(char *name, char *path)
 			.set_message_types_long = _set_message_types_long,
 			.type_supported = _type_supported,
 			.destroy = _destroy,
-        },
-		.name = name,
-		.path = path,
+		},
+		.name = strdup(name),
 		.additional_ids = linked_list_create(),
 		.mutex = mutex_create(MUTEX_TYPE_DEFAULT),
 	);
 
+	return this;
+}
+
+/**
+ * See header
+ */
+imc_t* tnc_imc_create(char *name, char *path)
+{
+	private_tnc_imc_t *this;
+
+	this = tnc_imc_create_empty(name);
+
 	this->handle = dlopen(path, RTLD_LAZY);
 	if (!this->handle)
 	{
 		DBG1(DBG_TNC, "IMC \"%s\" failed to load: %s", name, dlerror());
-		free(this);
+		destroy(this);
 		return NULL;
 	}
 
 	this->public.initialize = dlsym(this->handle, "TNC_IMC_Initialize");
 	if (!this->public.initialize)
-    {
+	{
 		DBG1(DBG_TNC, "could not resolve TNC_IMC_Initialize in %s: %s\n",
 					   path, dlerror());
-		dlclose(this->handle);
-		free(this);
+		destroy(this);
 		return NULL;
 	}
 	this->public.notify_connection_change =
 						 dlsym(this->handle, "TNC_IMC_NotifyConnectionChange");
-    this->public.begin_handshake = dlsym(this->handle, "TNC_IMC_BeginHandshake");
+	this->public.begin_handshake = dlsym(this->handle, "TNC_IMC_BeginHandshake");
 	if (!this->public.begin_handshake)
-    {
+	{
 		DBG1(DBG_TNC, "could not resolve TNC_IMC_BeginHandshake in %s: %s\n",
 					   path, dlerror());
-		dlclose(this->handle);
-		free(this);
+		destroy(this);
 		return NULL;
 	}
-    this->public.receive_message =
+	this->public.receive_message =
 						dlsym(this->handle, "TNC_IMC_ReceiveMessage");
-    this->public.receive_message_long =
+	this->public.receive_message_long =
 						dlsym(this->handle, "TNC_IMC_ReceiveMessageLong");
-    this->public.batch_ending =
+	this->public.batch_ending =
 						dlsym(this->handle, "TNC_IMC_BatchEnding");
-    this->public.terminate =
+	this->public.terminate =
 						dlsym(this->handle, "TNC_IMC_Terminate");
-    this->public.provide_bind_function =
+	this->public.provide_bind_function =
 						dlsym(this->handle, "TNC_IMC_ProvideBindFunction");
-    if (!this->public.provide_bind_function)
+	if (!this->public.provide_bind_function)
 	{
 		DBG1(DBG_TNC, "could not resolve TNC_IMC_ProvideBindFunction in %s: %s\n",
 					  path, dlerror());
-		dlclose(this->handle);
-		free(this);
+		destroy(this);
 		return NULL;
 	}
 
 	return &this->public;
 }
+
+/**
+ * See header
+ */
+imc_t* tnc_imc_create_from_functions(char *name,
+				TNC_IMC_InitializePointer initialize,
+				TNC_IMC_NotifyConnectionChangePointer notify_connection_change,
+				TNC_IMC_BeginHandshakePointer begin_handshake,
+				TNC_IMC_ReceiveMessagePointer receive_message,
+				TNC_IMC_ReceiveMessageLongPointer receive_message_long,
+				TNC_IMC_BatchEndingPointer batch_ending,
+				TNC_IMC_TerminatePointer terminate,
+				TNC_IMC_ProvideBindFunctionPointer provide_bind_function)
+{
+	private_tnc_imc_t *this;
+
+	this = tnc_imc_create_empty(name);
+
+	this->public.initialize = initialize;
+	this->public.notify_connection_change = notify_connection_change;
+	this->public.begin_handshake = begin_handshake;
+	this->public.receive_message = receive_message;
+	this->public.receive_message_long = receive_message_long;
+	this->public.batch_ending = batch_ending;
+	this->public.terminate = terminate;
+	this->public.provide_bind_function = provide_bind_function;
+
+	return &this->public;
+}
diff --git a/src/libcharon/plugins/tnc_imc/tnc_imc.h b/src/libcharon/plugins/tnc_imc/tnc_imc.h
index 10a67f90b..2d4607e77 100644
--- a/src/libcharon/plugins/tnc_imc/tnc_imc.h
+++ b/src/libcharon/plugins/tnc_imc/tnc_imc.h
@@ -25,7 +25,7 @@
 #include <tnc/imc/imc.h>
 
 /**
- * Create an Integrity Measurement Collector.
+ * Create an Integrity Measurement Collector loaded from a library.
  *
  * @param name			name of the IMC
  * @param filename		path to the dynamic IMC library
@@ -33,4 +33,28 @@
  */
 imc_t* tnc_imc_create(char *name, char *filename);
 
+/**
+ * Create an Integrity Measurement Collector from a set of IMC functions.
+ *
+ * @param name						name of the IMC
+ * @param initialize				TNC_IMC_InitializePointer
+ * @param notify_connection_change	TNC_IMC_NotifyConnectionChangePointer
+ * @param begin_handshake			TNC_IMC_BeginHandshakePointer
+ * @param receive_message			TNC_IMC_ReceiveMessagePointer
+ * @param receive_message_long		TNC_IMC_ReceiveMessageLongPointer
+ * @param batch_ending				TNC_IMC_BatchEndingPointer
+ * @param terminate					TNC_IMC_TerminatePointer
+ * @param provide_bind_function		TNC_IMC_ProvideBindFunctionPointer
+ * @return							instance of the imc_t interface
+ */
+imc_t* tnc_imc_create_from_functions(char *name,
+				TNC_IMC_InitializePointer initialize,
+				TNC_IMC_NotifyConnectionChangePointer notify_connection_change,
+				TNC_IMC_BeginHandshakePointer begin_handshake,
+				TNC_IMC_ReceiveMessagePointer receive_message,
+				TNC_IMC_ReceiveMessageLongPointer receive_message_long,
+				TNC_IMC_BatchEndingPointer batch_ending,
+				TNC_IMC_TerminatePointer terminate,
+				TNC_IMC_ProvideBindFunctionPointer provide_bind_function);
+
 #endif /** TNC_IMC_H_ @}*/
diff --git a/src/libcharon/plugins/tnc_imc/tnc_imc_bind_function.c b/src/libcharon/plugins/tnc_imc/tnc_imc_bind_function.c
index 90a607ccc..26a5ed2b4 100644
--- a/src/libcharon/plugins/tnc_imc/tnc_imc_bind_function.c
+++ b/src/libcharon/plugins/tnc_imc/tnc_imc_bind_function.c
@@ -17,7 +17,7 @@
 #include <tnc/imc/imc_manager.h>
 #include <tnc/tnccs/tnccs_manager.h>
 
-#include <debug.h>
+#include <utils/debug.h>
 
 /**
  * Called by the IMC to inform a TNCC about the set of message types the IMC
diff --git a/src/libcharon/plugins/tnc_imc/tnc_imc_manager.c b/src/libcharon/plugins/tnc_imc/tnc_imc_manager.c
index 65ec81dae..078f7bc34 100644
--- a/src/libcharon/plugins/tnc_imc/tnc_imc_manager.c
+++ b/src/libcharon/plugins/tnc_imc/tnc_imc_manager.c
@@ -19,9 +19,11 @@
 
 #include <tncifimc.h>
 
-#include <utils/linked_list.h>
-#include <debug.h>
 #include <daemon.h>
+#include <utils/debug.h>
+#include <threading/rwlock.h>
+#include <threading/mutex.h>
+#include <collections/linked_list.h>
 
 typedef struct private_tnc_imc_manager_t private_tnc_imc_manager_t;
 
@@ -40,37 +42,57 @@ struct private_tnc_imc_manager_t {
 	 */
 	linked_list_t *imcs;
 
+	/**
+	 * Lock to access IMC list
+	 */
+	rwlock_t *lock;
+
 	/**
 	 * Next IMC ID to be assigned
 	 */
 	TNC_IMCID next_imc_id;
+
+	/**
+	 * Mutex to access next IMC ID
+	 */
+	mutex_t *id_mutex;
 };
 
 METHOD(imc_manager_t, add, bool,
 	private_tnc_imc_manager_t *this, imc_t *imc)
 {
 	TNC_Version version;
+	TNC_IMCID imc_id;
+
+	this->id_mutex->lock(this->id_mutex);
+	imc_id = this->next_imc_id++;
+	this->id_mutex->unlock(this->id_mutex);
 
-	/* Initialize the module */
-	imc->set_id(imc, this->next_imc_id);
-	if (imc->initialize(imc->get_id(imc), TNC_IFIMC_VERSION_1,
-			TNC_IFIMC_VERSION_1, &version) != TNC_RESULT_SUCCESS)
+	imc->set_id(imc, imc_id);
+	if (imc->initialize(imc_id, TNC_IFIMC_VERSION_1,
+						TNC_IFIMC_VERSION_1, &version) != TNC_RESULT_SUCCESS)
 	{
 		DBG1(DBG_TNC, "IMC \"%s\" failed to initialize", imc->get_name(imc));
 		return FALSE;
 	}
+	this->lock->write_lock(this->lock);
 	this->imcs->insert_last(this->imcs, imc);
-	this->next_imc_id++;
+	this->lock->unlock(this->lock);
 
-	if (imc->provide_bind_function(imc->get_id(imc), TNC_TNCC_BindFunction)
-			!= TNC_RESULT_SUCCESS)
+	if (imc->provide_bind_function(imc->get_id(imc),
+								   TNC_TNCC_BindFunction) != TNC_RESULT_SUCCESS)
 	{
+		if (imc->terminate)
+		{
+			imc->terminate(imc->get_id(imc));
+		}
 		DBG1(DBG_TNC, "IMC \"%s\" failed to obtain bind function",
-					   imc->get_name(imc));
+			 imc->get_name(imc));
+		this->lock->write_lock(this->lock);
 		this->imcs->remove_last(this->imcs, (void**)&imc);
+		this->lock->unlock(this->lock);
 		return FALSE;
 	}
-
 	return TRUE;
 }
 
@@ -80,6 +102,7 @@ METHOD(imc_manager_t, remove_, imc_t*,
 	enumerator_t *enumerator;
 	imc_t *imc, *removed_imc = NULL;
 
+	this->lock->write_lock(this->lock);
 	enumerator = this->imcs->create_enumerator(this->imcs);
 	while (enumerator->enumerate(enumerator, &imc))
 	{
@@ -91,6 +114,7 @@ METHOD(imc_manager_t, remove_, imc_t*,
 		}
 	}
 	enumerator->destroy(enumerator);
+	this->lock->unlock(this->lock);
 
 	return removed_imc;
 }
@@ -103,18 +127,10 @@ METHOD(imc_manager_t, load, bool,
 	imc = tnc_imc_create(name, path);
 	if (!imc)
 	{
-		free(name);
-		free(path);
 		return FALSE;
 	}
 	if (!add(this, imc))
 	{
-		if (imc->terminate &&
-			imc->terminate(imc->get_id(imc)) != TNC_RESULT_SUCCESS)
-		{
-			DBG1(DBG_TNC, "IMC \"%s\" not terminated successfully",
-						   imc->get_name(imc));
-		}
 		imc->destroy(imc);
 		return FALSE;
 	}
@@ -122,6 +138,37 @@ METHOD(imc_manager_t, load, bool,
 	return TRUE;
 }
 
+METHOD(imc_manager_t, load_from_functions, bool,
+	private_tnc_imc_manager_t *this, char *name,
+	TNC_IMC_InitializePointer initialize,
+	TNC_IMC_NotifyConnectionChangePointer notify_connection_change,
+	TNC_IMC_BeginHandshakePointer begin_handshake,
+	TNC_IMC_ReceiveMessagePointer receive_message,
+	TNC_IMC_ReceiveMessageLongPointer receive_message_long,
+	TNC_IMC_BatchEndingPointer batch_ending,
+	TNC_IMC_TerminatePointer terminate,
+	TNC_IMC_ProvideBindFunctionPointer provide_bind_function)
+{
+	imc_t *imc;
+
+	imc = tnc_imc_create_from_functions(name,
+										initialize, notify_connection_change,
+										begin_handshake, receive_message,
+										receive_message_long, batch_ending,
+										terminate, provide_bind_function);
+	if (!imc)
+	{
+		return FALSE;
+	}
+	if (!add(this, imc))
+	{
+		imc->destroy(imc);
+		return FALSE;
+	}
+	DBG1(DBG_TNC, "IMC %u \"%s\" loaded", imc->get_id(imc), name);
+	return TRUE;
+}
+
 METHOD(imc_manager_t, is_registered, bool,
 	private_tnc_imc_manager_t *this, TNC_IMCID id)
 {
@@ -129,6 +176,7 @@ METHOD(imc_manager_t, is_registered, bool,
 	imc_t *imc;
 	bool found = FALSE;
 
+	this->lock->read_lock(this->lock);
 	enumerator = this->imcs->create_enumerator(this->imcs);
 	while (enumerator->enumerate(enumerator, &imc))
 	{
@@ -139,6 +187,7 @@ METHOD(imc_manager_t, is_registered, bool,
 		}
 	}
 	enumerator->destroy(enumerator);
+	this->lock->unlock(this->lock);
 
 	return found;
 }
@@ -150,13 +199,16 @@ METHOD(imc_manager_t, reserve_id, bool,
 	imc_t *imc;
 	bool found = FALSE;
 
+	this->lock->read_lock(this->lock);
 	enumerator = this->imcs->create_enumerator(this->imcs);
 	while (enumerator->enumerate(enumerator, &imc))
 	{
-		if (imc->get_id(imc))
+		if (id == imc->get_id(imc))
 		{
 			found = TRUE;
+			this->id_mutex->lock(this->id_mutex);
 			*new_id = this->next_imc_id++;
+			this->id_mutex->unlock(this->id_mutex);
 			imc->add_id(imc, *new_id);
 			DBG2(DBG_TNC, "additional ID %u reserved for IMC with primary ID %u",
 						  *new_id, id);
@@ -164,6 +216,7 @@ METHOD(imc_manager_t, reserve_id, bool,
 		}
 	}
 	enumerator->destroy(enumerator);
+	this->lock->unlock(this->lock);
 
 	return found;
 }
@@ -182,6 +235,7 @@ METHOD(imc_manager_t, notify_connection_change, void,
 	enumerator_t *enumerator;
 	imc_t *imc;
 
+	this->lock->read_lock(this->lock);
 	enumerator = this->imcs->create_enumerator(this->imcs);
 	while (enumerator->enumerate(enumerator, &imc))
 	{
@@ -191,6 +245,7 @@ METHOD(imc_manager_t, notify_connection_change, void,
 		}
 	}
 	enumerator->destroy(enumerator);
+	this->lock->unlock(this->lock);
 }
 
 METHOD(imc_manager_t, begin_handshake, void,
@@ -199,12 +254,14 @@ METHOD(imc_manager_t, begin_handshake, void,
 	enumerator_t *enumerator;
 	imc_t *imc;
 
+	this->lock->read_lock(this->lock);
 	enumerator = this->imcs->create_enumerator(this->imcs);
 	while (enumerator->enumerate(enumerator, &imc))
 	{
 		imc->begin_handshake(imc->get_id(imc), id);
 	}
 	enumerator->destroy(enumerator);
+	this->lock->unlock(this->lock);
 }
 
 METHOD(imc_manager_t, set_message_types, TNC_Result,
@@ -216,6 +273,7 @@ METHOD(imc_manager_t, set_message_types, TNC_Result,
 	imc_t *imc;
 	TNC_Result result = TNC_RESULT_FATAL;
 
+	this->lock->read_lock(this->lock);
 	enumerator = this->imcs->create_enumerator(this->imcs);
 	while (enumerator->enumerate(enumerator, &imc))
 	{
@@ -227,6 +285,7 @@ METHOD(imc_manager_t, set_message_types, TNC_Result,
 		}
 	}
 	enumerator->destroy(enumerator);
+	this->lock->unlock(this->lock);
 	return result;
 }
 
@@ -240,6 +299,7 @@ METHOD(imc_manager_t, set_message_types_long, TNC_Result,
 	imc_t *imc;
 	TNC_Result result = TNC_RESULT_FATAL;
 
+	this->lock->read_lock(this->lock);
 	enumerator = this->imcs->create_enumerator(this->imcs);
 	while (enumerator->enumerate(enumerator, &imc))
 	{
@@ -252,6 +312,7 @@ METHOD(imc_manager_t, set_message_types_long, TNC_Result,
 		}
 	}
 	enumerator->destroy(enumerator);
+	this->lock->unlock(this->lock);
 	return result;
 }
 
@@ -271,11 +332,12 @@ METHOD(imc_manager_t, receive_message, void,
 	enumerator_t *enumerator;
 	imc_t *imc;
 
+	this->lock->read_lock(this->lock);
 	enumerator = this->imcs->create_enumerator(this->imcs);
 	while (enumerator->enumerate(enumerator, &imc))
 	{
 		if (imc->type_supported(imc, msg_vid, msg_subtype) &&
-		   (!excl || (excl && imc->has_id(imc, dst_imc_id)) ))
+			(!excl || (excl && imc->has_id(imc, dst_imc_id))))
 		{
 			if (imc->receive_message_long && src_imv_id)
 			{
@@ -297,6 +359,8 @@ METHOD(imc_manager_t, receive_message, void,
 		}
 	}
 	enumerator->destroy(enumerator);
+	this->lock->unlock(this->lock);
+
 	if (!type_supported)
 	{
 		DBG2(DBG_TNC, "message type 0x%06x/0x%08x not supported by any IMC",
@@ -310,6 +374,7 @@ METHOD(imc_manager_t, batch_ending, void,
 	enumerator_t *enumerator;
 	imc_t *imc;
 
+	this->lock->read_lock(this->lock);
 	enumerator = this->imcs->create_enumerator(this->imcs);
 	while (enumerator->enumerate(enumerator, &imc))
 	{
@@ -319,6 +384,7 @@ METHOD(imc_manager_t, batch_ending, void,
 		}
 	}
 	enumerator->destroy(enumerator);
+	this->lock->unlock(this->lock);
 }
 
 METHOD(imc_manager_t, destroy, void,
@@ -337,6 +403,8 @@ METHOD(imc_manager_t, destroy, void,
 		imc->destroy(imc);
 	}
 	this->imcs->destroy(this->imcs);
+	this->lock->destroy(this->lock);
+	this->id_mutex->destroy(this->id_mutex);
 	free(this);
 }
 
@@ -352,6 +420,7 @@ imc_manager_t* tnc_imc_manager_create(void)
 			.add = _add,
 			.remove = _remove_, /* avoid name conflict with stdio.h */
 			.load = _load,
+			.load_from_functions = _load_from_functions,
 			.is_registered = _is_registered,
 			.reserve_id = _reserve_id,
 			.get_preferred_language = _get_preferred_language,
@@ -364,6 +433,8 @@ imc_manager_t* tnc_imc_manager_create(void)
 			.destroy = _destroy,
 		},
 		.imcs = linked_list_create(),
+		.lock = rwlock_create(RWLOCK_TYPE_DEFAULT),
+		.id_mutex = mutex_create(MUTEX_TYPE_DEFAULT),
 		.next_imc_id = 1,
 	);
 
diff --git a/src/libcharon/plugins/tnc_imv/Makefile.in b/src/libcharon/plugins/tnc_imv/Makefile.in
index 13b011101..6e0133c2d 100644
--- a/src/libcharon/plugins/tnc_imv/Makefile.in
+++ b/src/libcharon/plugins/tnc_imv/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -73,6 +73,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
 am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
 am__installdirs = "$(DESTDIR)$(plugindir)"
 LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
 @MONOLITHIC_FALSE@libstrongswan_tnc_imv_la_DEPENDENCIES =  \
@@ -126,6 +132,7 @@ CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -153,6 +160,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -180,6 +188,7 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
@@ -192,6 +201,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -245,7 +255,6 @@ libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -386,7 +395,7 @@ clean-pluginLTLIBRARIES:
 	  echo "rm -f \"$${dir}/so_locations\""; \
 	  rm -f "$${dir}/so_locations"; \
 	done
-libstrongswan-tnc-imv.la: $(libstrongswan_tnc_imv_la_OBJECTS) $(libstrongswan_tnc_imv_la_DEPENDENCIES) 
+libstrongswan-tnc-imv.la: $(libstrongswan_tnc_imv_la_OBJECTS) $(libstrongswan_tnc_imv_la_DEPENDENCIES) $(EXTRA_libstrongswan_tnc_imv_la_DEPENDENCIES) 
 	$(libstrongswan_tnc_imv_la_LINK) $(am_libstrongswan_tnc_imv_la_rpath) $(libstrongswan_tnc_imv_la_OBJECTS) $(libstrongswan_tnc_imv_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
@@ -527,10 +536,15 @@ install-am: all-am
 
 installcheck: installcheck-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
diff --git a/src/libcharon/plugins/tnc_imv/tnc_imv.c b/src/libcharon/plugins/tnc_imv/tnc_imv.c
index f0b150743..ef0387d70 100644
--- a/src/libcharon/plugins/tnc_imv/tnc_imv.c
+++ b/src/libcharon/plugins/tnc_imv/tnc_imv.c
@@ -20,9 +20,10 @@
 
 #include <tncif_pa_subtypes.h>
 
-#include <debug.h>
+#include <utils/debug.h>
+#include <daemon.h>
 #include <library.h>
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
 #include <threading/mutex.h>
 
 typedef struct private_tnc_imv_t private_tnc_imv_t;
@@ -37,11 +38,6 @@ struct private_tnc_imv_t {
 	 */
 	imv_t public;
 
-	/**
-	 * Path of loaded IMV
-	 */
-	char *path;
-
 	/**
 	 * Name of loaded IMV
 	 */
@@ -287,10 +283,10 @@ METHOD(imv_t, type_supported, bool,
 
 	for (i = 0; i < this->type_count; i++)
 	{
-	    vid = this->supported_vids[i];
-	    subtype = this->supported_subtypes[i];
+		vid = this->supported_vids[i];
+		subtype = this->supported_subtypes[i];
 
-	    if ((vid == TNC_VENDORID_ANY && subtype == TNC_SUBTYPE_ANY) ||
+		if ((vid == TNC_VENDORID_ANY && subtype == TNC_SUBTYPE_ANY) ||
 			(vid == msg_vid && (subtype == TNC_SUBTYPE_ANY ||
 			 subtype == msg_subtype)))
 		{
@@ -303,20 +299,23 @@ METHOD(imv_t, type_supported, bool,
 METHOD(imv_t, destroy, void,
 	private_tnc_imv_t *this)
 {
-	dlclose(this->handle);
+	if (this->handle && lib->settings->get_bool(lib->settings,
+		"%s.plugins.tnc-imv.dlclose", TRUE, charon->name))
+	{
+		dlclose(this->handle);
+	}
 	this->mutex->destroy(this->mutex);
 	this->additional_ids->destroy_function(this->additional_ids, free);
 	free(this->supported_vids);
 	free(this->supported_subtypes);
 	free(this->name);
-	free(this->path);
 	free(this);
 }
 
 /**
- * Described in header.
+ * Generic constructor.
  */
-imv_t* tnc_imv_create(char *name, char *path)
+static private_tnc_imv_t* tnc_imv_create_empty(char *name)
 {
 	private_tnc_imv_t *this;
 
@@ -332,17 +331,28 @@ imv_t* tnc_imv_create(char *name, char *path)
 			.type_supported = _type_supported,
 			.destroy = _destroy,
 		},
-		.name = name,
-		.path = path,
+		.name = strdup(name),
 		.additional_ids = linked_list_create(),
 		.mutex = mutex_create(MUTEX_TYPE_DEFAULT),
 	);
 
+	return this;
+}
+
+/**
+ * Described in header.
+ */
+imv_t* tnc_imv_create(char *name, char *path)
+{
+	private_tnc_imv_t *this;
+
+	this = tnc_imv_create_empty(name);
+
 	this->handle = dlopen(path, RTLD_LAZY);
 	if (!this->handle)
 	{
 		DBG1(DBG_TNC, "IMV \"%s\" failed to load: %s", name, dlerror());
-		free(this);
+		destroy(this);
 		return NULL;
 	}
 
@@ -351,8 +361,7 @@ imv_t* tnc_imv_create(char *name, char *path)
 	{
 		DBG1(DBG_TNC, "could not resolve TNC_IMV_Initialize in %s: %s\n",
 					   path, dlerror());
-		dlclose(this->handle);
-		free(this);
+		destroy(this);
 		return NULL;
 	}
 	this->public.notify_connection_change =
@@ -363,8 +372,7 @@ imv_t* tnc_imv_create(char *name, char *path)
 	{
 		DBG1(DBG_TNC, "could not resolve TNC_IMV_SolicitRecommendation in %s: %s\n",
 					   path, dlerror());
-		dlclose(this->handle);
-		free(this);
+		destroy(this);
 		return NULL;
 	}
 	this->public.receive_message =
@@ -381,10 +389,38 @@ imv_t* tnc_imv_create(char *name, char *path)
 	{
 		DBG1(DBG_TNC, "could not resolve TNC_IMV_ProvideBindFunction in %s: %s\n",
 					  path, dlerror());
-		dlclose(this->handle);
-		free(this);
+		destroy(this);
 		return NULL;
 	}
 
 	return &this->public;
 }
+
+/**
+ * Described in header.
+ */
+imv_t* tnc_imv_create_from_functions(char *name,
+				TNC_IMV_InitializePointer initialize,
+				TNC_IMV_NotifyConnectionChangePointer notify_connection_change,
+				TNC_IMV_ReceiveMessagePointer receive_message,
+				TNC_IMV_ReceiveMessageLongPointer receive_message_long,
+				TNC_IMV_SolicitRecommendationPointer solicit_recommendation,
+				TNC_IMV_BatchEndingPointer batch_ending,
+				TNC_IMV_TerminatePointer terminate,
+				TNC_IMV_ProvideBindFunctionPointer provide_bind_function)
+{
+	private_tnc_imv_t *this;
+
+	this = tnc_imv_create_empty(name);
+
+	this->public.initialize = initialize;
+	this->public.notify_connection_change = notify_connection_change;
+	this->public.receive_message = receive_message;
+	this->public.receive_message_long = receive_message_long;
+	this->public.solicit_recommendation = solicit_recommendation;
+	this->public.batch_ending = batch_ending;
+	this->public.terminate = terminate;
+	this->public.provide_bind_function = provide_bind_function;
+
+	return &this->public;
+}
diff --git a/src/libcharon/plugins/tnc_imv/tnc_imv.h b/src/libcharon/plugins/tnc_imv/tnc_imv.h
index 75939e54c..e7c7b8b4f 100644
--- a/src/libcharon/plugins/tnc_imv/tnc_imv.h
+++ b/src/libcharon/plugins/tnc_imv/tnc_imv.h
@@ -25,7 +25,7 @@
 #include <tnc/imv/imv.h>
 
 /**
- * Create an Integrity Measurement Verifier.
+ * Create an Integrity Measurement Verifier loaded from a library.
  *
  * @param name			name of the IMV
  * @param filename		path to the dynamic IMV library
@@ -33,4 +33,28 @@
  */
 imv_t* tnc_imv_create(char *name, char *filename);
 
+/**
+ * Create an Integrity Measurement Verifier from a set of IMV functions.
+ *
+ * @param name						name of the IMV
+ * @param initialize				TNC_IMV_InitializePointer
+ * @param notify_connection_change	TNC_IMV_NotifyConnectionChangePointer
+ * @param receive_message			TNC_IMV_ReceiveMessagePointer
+ * @param receive_message_long		TNC_IMV_ReceiveMessageLongPointer
+ * @param solicit_recommendation	TNC_IMV_SolicitRecommendationPointer
+ * @param batch_ending				TNC_IMV_BatchEndingPointer
+ * @param terminate					TNC_IMV_TerminatePointer
+ * @param provide_bind_function		TNC_IMV_ProvideBindFunctionPointer
+ * @return							instance of the imv_t interface
+ */
+imv_t* tnc_imv_create_from_functions(char *name,
+				TNC_IMV_InitializePointer initialize,
+				TNC_IMV_NotifyConnectionChangePointer notify_connection_change,
+				TNC_IMV_ReceiveMessagePointer receive_message,
+				TNC_IMV_ReceiveMessageLongPointer receive_message_long,
+				TNC_IMV_SolicitRecommendationPointer solicit_recommendation,
+				TNC_IMV_BatchEndingPointer batch_ending,
+				TNC_IMV_TerminatePointer terminate,
+				TNC_IMV_ProvideBindFunctionPointer provide_bind_function);
+
 #endif /** TNC_IMV_H_ @}*/
diff --git a/src/libcharon/plugins/tnc_imv/tnc_imv_bind_function.c b/src/libcharon/plugins/tnc_imv/tnc_imv_bind_function.c
index dd11c5009..36cdb7fbb 100644
--- a/src/libcharon/plugins/tnc_imv/tnc_imv_bind_function.c
+++ b/src/libcharon/plugins/tnc_imv/tnc_imv_bind_function.c
@@ -18,7 +18,7 @@
 #include <tnc/imv/imv_manager.h>
 #include <tnc/tnccs/tnccs_manager.h>
 
-#include <debug.h>
+#include <utils/debug.h>
 
 /**
  * Called by the IMV to inform a TNCS about the set of message types the IMV
diff --git a/src/libcharon/plugins/tnc_imv/tnc_imv_manager.c b/src/libcharon/plugins/tnc_imv/tnc_imv_manager.c
index 0985a47a8..b950e3119 100644
--- a/src/libcharon/plugins/tnc_imv/tnc_imv_manager.c
+++ b/src/libcharon/plugins/tnc_imv/tnc_imv_manager.c
@@ -29,13 +29,13 @@
 #include <fcntl.h>
 
 #include <daemon.h>
-#include <utils/lexparser.h>
-#include <debug.h>
+#include <utils/debug.h>
+#include <threading/rwlock.h>
 #include <threading/mutex.h>
+#include <collections/linked_list.h>
 
 typedef struct private_tnc_imv_manager_t private_tnc_imv_manager_t;
 
-
 /**
  * Private data of an imv_manager_t object.
  */
@@ -51,11 +51,21 @@ struct private_tnc_imv_manager_t {
 	 */
 	linked_list_t *imvs;
 
+	/**
+	 * Lock for IMV list
+	 */
+	rwlock_t *lock;
+
 	/**
 	 * Next IMV ID to be assigned
 	 */
 	TNC_IMVID next_imv_id;
 
+	/**
+	 * Mutex to access next IMV ID
+	 */
+	mutex_t *id_mutex;
+
 	/**
 	 * Policy defining how to derive final recommendation from individual ones
 	 */
@@ -66,27 +76,37 @@ METHOD(imv_manager_t, add, bool,
 	private_tnc_imv_manager_t *this, imv_t *imv)
 {
 	TNC_Version version;
+	TNC_IMVID imv_id;
 
-	/* Initialize the IMV module */
-	imv->set_id(imv, this->next_imv_id);
-	if (imv->initialize(imv->get_id(imv), TNC_IFIMV_VERSION_1,
-		TNC_IFIMV_VERSION_1, &version) != TNC_RESULT_SUCCESS)
+	this->id_mutex->lock(this->id_mutex);
+	imv_id = this->next_imv_id++;
+	this->id_mutex->unlock(this->id_mutex);
+
+	imv->set_id(imv, imv_id);
+	if (imv->initialize(imv_id, TNC_IFIMV_VERSION_1,
+						TNC_IFIMV_VERSION_1, &version) != TNC_RESULT_SUCCESS)
 	{
 		DBG1(DBG_TNC, "IMV \"%s\" failed to initialize", imv->get_name(imv));
 		return FALSE;
 	}
+	this->lock->write_lock(this->lock);
 	this->imvs->insert_last(this->imvs, imv);
-	this->next_imv_id++;
+	this->lock->unlock(this->lock);
 
-	if (imv->provide_bind_function(imv->get_id(imv), TNC_TNCS_BindFunction)
-			!= TNC_RESULT_SUCCESS)
+	if (imv->provide_bind_function(imv->get_id(imv),
+								   TNC_TNCS_BindFunction) != TNC_RESULT_SUCCESS)
 	{
-		DBG1(DBG_TNC, "IMV \"%s\" could failed to obtain bind function",
-					   imv->get_name(imv));
+		if (imv->terminate)
+		{
+			imv->terminate(imv->get_id(imv));
+		}
+		DBG1(DBG_TNC, "IMV \"%s\" failed to obtain bind function",
+			 imv->get_name(imv));
+		this->lock->write_lock(this->lock);
 		this->imvs->remove_last(this->imvs, (void**)&imv);
+		this->lock->unlock(this->lock);
 		return FALSE;
 	}
-
 	return TRUE;
 }
 
@@ -96,6 +116,7 @@ METHOD(imv_manager_t, remove_, imv_t*,
 	enumerator_t *enumerator;
 	imv_t *imv, *removed_imv = NULL;
 
+	this->lock->write_lock(this->lock);
 	enumerator = this->imvs->create_enumerator(this->imvs);
 	while (enumerator->enumerate(enumerator, &imv))
 	{
@@ -107,6 +128,7 @@ METHOD(imv_manager_t, remove_, imv_t*,
 		}
 	}
 	enumerator->destroy(enumerator);
+	this->lock->unlock(this->lock);
 
 	return removed_imv;
 }
@@ -119,18 +141,10 @@ METHOD(imv_manager_t, load, bool,
 	imv = tnc_imv_create(name, path);
 	if (!imv)
 	{
-		free(name);
-		free(path);
 		return FALSE;
 	}
 	if (!add(this, imv))
 	{
-		if (imv->terminate &&
-			imv->terminate(imv->get_id(imv)) != TNC_RESULT_SUCCESS)
-		{
-			DBG1(DBG_TNC, "IMV \"%s\" not terminated successfully",
-						   imv->get_name(imv));
-		}
 		imv->destroy(imv);
 		return FALSE;
 	}
@@ -138,6 +152,37 @@ METHOD(imv_manager_t, load, bool,
 	return TRUE;
 }
 
+METHOD(imv_manager_t, load_from_functions, bool,
+	private_tnc_imv_manager_t *this, char *name,
+	TNC_IMV_InitializePointer initialize,
+	TNC_IMV_NotifyConnectionChangePointer notify_connection_change,
+	TNC_IMV_ReceiveMessagePointer receive_message,
+	TNC_IMV_ReceiveMessageLongPointer receive_message_long,
+	TNC_IMV_SolicitRecommendationPointer solicit_recommendation,
+	TNC_IMV_BatchEndingPointer batch_ending,
+	TNC_IMV_TerminatePointer terminate,
+	TNC_IMV_ProvideBindFunctionPointer provide_bind_function)
+{
+	imv_t *imv;
+
+	imv = tnc_imv_create_from_functions(name,
+										initialize,notify_connection_change,
+										receive_message, receive_message_long,
+										solicit_recommendation, batch_ending,
+										terminate, provide_bind_function);
+	if (!imv)
+	{
+		return FALSE;
+	}
+	if (!add(this, imv))
+	{
+		imv->destroy(imv);
+		return FALSE;
+	}
+	DBG1(DBG_TNC, "IMV %u \"%s\" loaded", imv->get_id(imv), name);
+	return TRUE;
+}
+
 METHOD(imv_manager_t, is_registered, bool,
 	private_tnc_imv_manager_t *this, TNC_IMVID id)
 {
@@ -145,6 +190,7 @@ METHOD(imv_manager_t, is_registered, bool,
 	imv_t *imv;
 	bool found = FALSE;
 
+	this->lock->read_lock(this->lock);
 	enumerator = this->imvs->create_enumerator(this->imvs);
 	while (enumerator->enumerate(enumerator, &imv))
 	{
@@ -155,6 +201,7 @@ METHOD(imv_manager_t, is_registered, bool,
 		}
 	}
 	enumerator->destroy(enumerator);
+	this->lock->unlock(this->lock);
 
 	return found;
 }
@@ -166,13 +213,16 @@ METHOD(imv_manager_t, reserve_id, bool,
 	imv_t *imv;
 	bool found = FALSE;
 
+	this->lock->read_lock(this->lock);
 	enumerator = this->imvs->create_enumerator(this->imvs);
 	while (enumerator->enumerate(enumerator, &imv))
 	{
-		if (imv->get_id(imv))
+		if (id == imv->get_id(imv))
 		{
 			found = TRUE;
+			this->id_mutex->lock(this->id_mutex);
 			*new_id = this->next_imv_id++;
+			this->id_mutex->unlock(this->id_mutex);
 			imv->add_id(imv, *new_id);
 			DBG2(DBG_TNC, "additional ID %u reserved for IMV with primary ID %u",
 						  *new_id, id);
@@ -180,6 +230,7 @@ METHOD(imv_manager_t, reserve_id, bool,
 		}
 	}
 	enumerator->destroy(enumerator);
+	this->lock->unlock(this->lock);
 
 	return found;
 }
@@ -259,6 +310,7 @@ METHOD(imv_manager_t, notify_connection_change, void,
 	enumerator_t *enumerator;
 	imv_t *imv;
 
+	this->lock->read_lock(this->lock);
 	enumerator = this->imvs->create_enumerator(this->imvs);
 	while (enumerator->enumerate(enumerator, &imv))
 	{
@@ -268,6 +320,7 @@ METHOD(imv_manager_t, notify_connection_change, void,
 		}
 	}
 	enumerator->destroy(enumerator);
+	this->lock->unlock(this->lock);
 }
 
 METHOD(imv_manager_t, set_message_types, TNC_Result,
@@ -279,6 +332,7 @@ METHOD(imv_manager_t, set_message_types, TNC_Result,
 	imv_t *imv;
 	TNC_Result result = TNC_RESULT_FATAL;
 
+	this->lock->read_lock(this->lock);
 	enumerator = this->imvs->create_enumerator(this->imvs);
 	while (enumerator->enumerate(enumerator, &imv))
 	{
@@ -290,6 +344,7 @@ METHOD(imv_manager_t, set_message_types, TNC_Result,
 		}
 	}
 	enumerator->destroy(enumerator);
+	this->lock->unlock(this->lock);
 	return result;
 }
 
@@ -303,6 +358,7 @@ METHOD(imv_manager_t, set_message_types_long, TNC_Result,
 	imv_t *imv;
 	TNC_Result result = TNC_RESULT_FATAL;
 
+	this->lock->read_lock(this->lock);
 	enumerator = this->imvs->create_enumerator(this->imvs);
 	while (enumerator->enumerate(enumerator, &imv))
 	{
@@ -315,6 +371,7 @@ METHOD(imv_manager_t, set_message_types_long, TNC_Result,
 		}
 	}
 	enumerator->destroy(enumerator);
+	this->lock->unlock(this->lock);
 	return result;
 }
 
@@ -324,12 +381,14 @@ METHOD(imv_manager_t, solicit_recommendation, void,
 	enumerator_t *enumerator;
 	imv_t *imv;
 
+	this->lock->read_lock(this->lock);
 	enumerator = this->imvs->create_enumerator(this->imvs);
 	while (enumerator->enumerate(enumerator, &imv))
 	{
 		imv->solicit_recommendation(imv->get_id(imv), id);
 	}
 	enumerator->destroy(enumerator);
+	this->lock->unlock(this->lock);
 }
 
 METHOD(imv_manager_t, receive_message, void,
@@ -350,11 +409,12 @@ METHOD(imv_manager_t, receive_message, void,
 
 	msg_type = (msg_vid << 8) | msg_subtype;
 
+	this->lock->read_lock(this->lock);
 	enumerator = this->imvs->create_enumerator(this->imvs);
 	while (enumerator->enumerate(enumerator, &imv))
 	{
 		if (imv->type_supported(imv, msg_vid, msg_subtype) &&
-		   (!excl || (excl && imv->has_id(imv, dst_imv_id)) ))
+			(!excl || (excl && imv->has_id(imv, dst_imv_id))))
 		{
 			if (imv->receive_message_long && src_imc_id)
 			{
@@ -376,6 +436,8 @@ METHOD(imv_manager_t, receive_message, void,
 		}
 	}
 	enumerator->destroy(enumerator);
+	this->lock->unlock(this->lock);
+
 	if (!type_supported)
 	{
 		DBG2(DBG_TNC, "message type 0x%06x/0x%08x not supported by any IMV",
@@ -389,6 +451,7 @@ METHOD(imv_manager_t, batch_ending, void,
 	enumerator_t *enumerator;
 	imv_t *imv;
 
+	this->lock->read_lock(this->lock);
 	enumerator = this->imvs->create_enumerator(this->imvs);
 	while (enumerator->enumerate(enumerator, &imv))
 	{
@@ -398,9 +461,9 @@ METHOD(imv_manager_t, batch_ending, void,
 		}
 	}
 	enumerator->destroy(enumerator);
+	this->lock->unlock(this->lock);
 }
 
-
 METHOD(imv_manager_t, destroy, void,
 	private_tnc_imv_manager_t *this)
 {
@@ -417,6 +480,8 @@ METHOD(imv_manager_t, destroy, void,
 		imv->destroy(imv);
 	}
 	this->imvs->destroy(this->imvs);
+	this->lock->destroy(this->lock);
+	this->id_mutex->destroy(this->id_mutex);
 	free(this);
 }
 
@@ -433,6 +498,7 @@ imv_manager_t* tnc_imv_manager_create(void)
 			.add = _add,
 			.remove = _remove_, /* avoid name conflict with stdio.h */
 			.load = _load,
+			.load_from_functions = _load_from_functions,
 			.is_registered = _is_registered,
 			.reserve_id = _reserve_id,
 			.get_recommendation_policy = _get_recommendation_policy,
@@ -447,6 +513,8 @@ imv_manager_t* tnc_imv_manager_create(void)
 			.destroy = _destroy,
 		},
 		.imvs = linked_list_create(),
+		.lock = rwlock_create(RWLOCK_TYPE_DEFAULT),
+		.id_mutex = mutex_create(MUTEX_TYPE_DEFAULT),
 		.next_imv_id = 1,
 	);
 
diff --git a/src/libcharon/plugins/tnc_imv/tnc_imv_recommendations.c b/src/libcharon/plugins/tnc_imv/tnc_imv_recommendations.c
index 396d5d854..b39d9cbc9 100644
--- a/src/libcharon/plugins/tnc_imv/tnc_imv_recommendations.c
+++ b/src/libcharon/plugins/tnc_imv/tnc_imv_recommendations.c
@@ -21,8 +21,8 @@
 #include <tnc/imv/imv_manager.h>
 #include <tnc/imv/imv_recommendations.h>
 
-#include <debug.h>
-#include <utils/linked_list.h>
+#include <utils/debug.h>
+#include <collections/linked_list.h>
 
 typedef struct private_tnc_imv_recommendations_t private_tnc_imv_recommendations_t;
 typedef struct recommendation_entry_t recommendation_entry_t;
diff --git a/src/libcharon/plugins/tnc_imv/tnc_imv_recommendations.h b/src/libcharon/plugins/tnc_imv/tnc_imv_recommendations.h
index 6d65a2521..66d03b2f8 100644
--- a/src/libcharon/plugins/tnc_imv/tnc_imv_recommendations.h
+++ b/src/libcharon/plugins/tnc_imv/tnc_imv_recommendations.h
@@ -23,7 +23,7 @@
 #define TNC_IMV_RECOMMENDATIONS_H_
 
 #include <tnc/imv/imv_recommendations.h>
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
 
 /**
  * Create an IMV empty recommendations instance
diff --git a/src/libcharon/plugins/tnc_pdp/Makefile.in b/src/libcharon/plugins/tnc_pdp/Makefile.in
index 2b3fbd42b..ac764a163 100644
--- a/src/libcharon/plugins/tnc_pdp/Makefile.in
+++ b/src/libcharon/plugins/tnc_pdp/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -73,6 +73,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
 am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
 am__installdirs = "$(DESTDIR)$(plugindir)"
 LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
 @MONOLITHIC_FALSE@libstrongswan_tnc_pdp_la_DEPENDENCIES =  \
@@ -126,6 +132,7 @@ CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -153,6 +160,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -180,6 +188,7 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
@@ -192,6 +201,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -245,7 +255,6 @@ libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -385,7 +394,7 @@ clean-pluginLTLIBRARIES:
 	  echo "rm -f \"$${dir}/so_locations\""; \
 	  rm -f "$${dir}/so_locations"; \
 	done
-libstrongswan-tnc-pdp.la: $(libstrongswan_tnc_pdp_la_OBJECTS) $(libstrongswan_tnc_pdp_la_DEPENDENCIES) 
+libstrongswan-tnc-pdp.la: $(libstrongswan_tnc_pdp_la_OBJECTS) $(libstrongswan_tnc_pdp_la_DEPENDENCIES) $(EXTRA_libstrongswan_tnc_pdp_la_DEPENDENCIES) 
 	$(libstrongswan_tnc_pdp_la_LINK) $(am_libstrongswan_tnc_pdp_la_rpath) $(libstrongswan_tnc_pdp_la_OBJECTS) $(libstrongswan_tnc_pdp_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
@@ -524,10 +533,15 @@ install-am: all-am
 
 installcheck: installcheck-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
diff --git a/src/libcharon/plugins/tnc_pdp/tnc_pdp.c b/src/libcharon/plugins/tnc_pdp/tnc_pdp.c
index 77eaa0e05..39939d34e 100644
--- a/src/libcharon/plugins/tnc_pdp/tnc_pdp.c
+++ b/src/libcharon/plugins/tnc_pdp/tnc_pdp.c
@@ -23,7 +23,7 @@
 #include <radius_mppe.h>
 
 #include <daemon.h>
-#include <debug.h>
+#include <utils/debug.h>
 #include <pen/pen.h>
 #include <threading/thread.h>
 #include <processing/jobs/callback_job.h>
diff --git a/src/libcharon/plugins/tnc_pdp/tnc_pdp_connections.c b/src/libcharon/plugins/tnc_pdp/tnc_pdp_connections.c
index bca43985f..0a960635b 100644
--- a/src/libcharon/plugins/tnc_pdp/tnc_pdp_connections.c
+++ b/src/libcharon/plugins/tnc_pdp/tnc_pdp_connections.c
@@ -15,8 +15,8 @@
 
 #include "tnc_pdp_connections.h"
 
-#include <utils/linked_list.h>
-#include <debug.h>
+#include <collections/linked_list.h>
+#include <utils/debug.h>
 
 typedef struct private_tnc_pdp_connections_t private_tnc_pdp_connections_t;
 typedef struct entry_t entry_t;
diff --git a/src/libcharon/plugins/tnc_tnccs/Makefile.in b/src/libcharon/plugins/tnc_tnccs/Makefile.in
index 3ef913e7b..f4bc7a6e5 100644
--- a/src/libcharon/plugins/tnc_tnccs/Makefile.in
+++ b/src/libcharon/plugins/tnc_tnccs/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -73,6 +73,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
 am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
 am__installdirs = "$(DESTDIR)$(plugindir)"
 LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
 @MONOLITHIC_FALSE@libstrongswan_tnc_tnccs_la_DEPENDENCIES =  \
@@ -126,6 +132,7 @@ CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -153,6 +160,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -180,6 +188,7 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
@@ -192,6 +201,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -245,7 +255,6 @@ libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -383,7 +392,7 @@ clean-pluginLTLIBRARIES:
 	  echo "rm -f \"$${dir}/so_locations\""; \
 	  rm -f "$${dir}/so_locations"; \
 	done
-libstrongswan-tnc-tnccs.la: $(libstrongswan_tnc_tnccs_la_OBJECTS) $(libstrongswan_tnc_tnccs_la_DEPENDENCIES) 
+libstrongswan-tnc-tnccs.la: $(libstrongswan_tnc_tnccs_la_OBJECTS) $(libstrongswan_tnc_tnccs_la_DEPENDENCIES) $(EXTRA_libstrongswan_tnc_tnccs_la_DEPENDENCIES) 
 	$(libstrongswan_tnc_tnccs_la_LINK) $(am_libstrongswan_tnc_tnccs_la_rpath) $(libstrongswan_tnc_tnccs_la_OBJECTS) $(libstrongswan_tnc_tnccs_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
@@ -521,10 +530,15 @@ install-am: all-am
 
 installcheck: installcheck-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
diff --git a/src/libcharon/plugins/tnc_tnccs/tnc_tnccs_manager.c b/src/libcharon/plugins/tnc_tnccs/tnc_tnccs_manager.c
index 515e85804..0b623d6ff 100644
--- a/src/libcharon/plugins/tnc_tnccs/tnc_tnccs_manager.c
+++ b/src/libcharon/plugins/tnc_tnccs/tnc_tnccs_manager.c
@@ -20,8 +20,8 @@
 #include <tnc/imc/imc_manager.h>
 #include <tnc/imv/imv_manager.h>
 
-#include <debug.h>
-#include <utils/linked_list.h>
+#include <utils/debug.h>
+#include <collections/linked_list.h>
 #include <threading/rwlock.h>
 
 typedef struct private_tnc_tnccs_manager_t private_tnc_tnccs_manager_t;
@@ -454,7 +454,7 @@ METHOD(tnccs_manager_t, get_attribute, TNC_Result,
 	enumerator_t *enumerator;
 	tnccs_connection_entry_t *entry;
 	bool attribute_match = FALSE, entry_found = FALSE;
-	
+
 	if (is_imc)
 	{
 		switch (attribute_id)
@@ -520,7 +520,7 @@ METHOD(tnccs_manager_t, get_attribute, TNC_Result,
 				return TNC_RESULT_INVALID_PARAMETER;
 		}
 	}
-	
+
 	/* attributes specific to the TNCC or TNCS are unsupported */
 	if (id == TNC_CONNECTIONID_ANY)
 	{
@@ -577,10 +577,10 @@ METHOD(tnccs_manager_t, get_attribute, TNC_Result,
 								  entry->max_msg_len);
 		case TNC_ATTRIBUTEID_HAS_LONG_TYPES:
 		case TNC_ATTRIBUTEID_HAS_EXCLUSIVE:
-			return bool_attribute(buffer_len, buffer, value_len, 
+			return bool_attribute(buffer_len, buffer, value_len,
 								  entry->type == TNCCS_2_0);
 		case TNC_ATTRIBUTEID_HAS_SOH:
-			return bool_attribute(buffer_len, buffer, value_len, 
+			return bool_attribute(buffer_len, buffer, value_len,
 								  entry->type == TNCCS_SOH);
 		case TNC_ATTRIBUTEID_IFTNCCS_PROTOCOL:
 		{
diff --git a/src/libcharon/plugins/tnc_tnccs/tnc_tnccs_plugin.c b/src/libcharon/plugins/tnc_tnccs/tnc_tnccs_plugin.c
index a44319ed1..1e4ddc195 100644
--- a/src/libcharon/plugins/tnc_tnccs/tnc_tnccs_plugin.c
+++ b/src/libcharon/plugins/tnc_tnccs/tnc_tnccs_plugin.c
@@ -18,7 +18,7 @@
 
 #include <tnc/tnc.h>
 
-#include <debug.h>
+#include <utils/debug.h>
 
 typedef struct private_tnc_tnccs_plugin_t private_tnc_tnccs_plugin_t;
 
diff --git a/src/libcharon/plugins/tnccs_11/Makefile.in b/src/libcharon/plugins/tnccs_11/Makefile.in
index 3a506e672..be091b134 100644
--- a/src/libcharon/plugins/tnccs_11/Makefile.in
+++ b/src/libcharon/plugins/tnccs_11/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -77,6 +77,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
 am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
 am__installdirs = "$(DESTDIR)$(plugindir)"
 LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
 am__DEPENDENCIES_1 =
@@ -132,6 +138,7 @@ CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -159,6 +166,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -186,6 +194,7 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
@@ -198,6 +207,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -251,7 +261,6 @@ libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -397,7 +406,7 @@ clean-pluginLTLIBRARIES:
 	  echo "rm -f \"$${dir}/so_locations\""; \
 	  rm -f "$${dir}/so_locations"; \
 	done
-libstrongswan-tnccs-11.la: $(libstrongswan_tnccs_11_la_OBJECTS) $(libstrongswan_tnccs_11_la_DEPENDENCIES) 
+libstrongswan-tnccs-11.la: $(libstrongswan_tnccs_11_la_OBJECTS) $(libstrongswan_tnccs_11_la_DEPENDENCIES) $(EXTRA_libstrongswan_tnccs_11_la_DEPENDENCIES) 
 	$(libstrongswan_tnccs_11_la_LINK) $(am_libstrongswan_tnccs_11_la_rpath) $(libstrongswan_tnccs_11_la_OBJECTS) $(libstrongswan_tnccs_11_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
@@ -599,10 +608,15 @@ install-am: all-am
 
 installcheck: installcheck-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
diff --git a/src/libcharon/plugins/tnccs_11/batch/tnccs_batch.c b/src/libcharon/plugins/tnccs_11/batch/tnccs_batch.c
index c9397722b..b27458fde 100644
--- a/src/libcharon/plugins/tnccs_11/batch/tnccs_batch.c
+++ b/src/libcharon/plugins/tnccs_11/batch/tnccs_batch.c
@@ -18,8 +18,8 @@
 
 #include <tnc/tnccs/tnccs.h>
 
-#include <utils/linked_list.h>
-#include <debug.h>
+#include <collections/linked_list.h>
+#include <utils/debug.h>
 
 #include <libxml/parser.h>
 
diff --git a/src/libcharon/plugins/tnccs_11/messages/imc_imv_msg.c b/src/libcharon/plugins/tnccs_11/messages/imc_imv_msg.c
index fa570aae9..cf3e58451 100644
--- a/src/libcharon/plugins/tnccs_11/messages/imc_imv_msg.c
+++ b/src/libcharon/plugins/tnccs_11/messages/imc_imv_msg.c
@@ -18,7 +18,7 @@
 #include <tnc/tnccs/tnccs.h>
 
 #include <utils/lexparser.h>
-#include <debug.h>
+#include <utils/debug.h>
 
 typedef struct private_imc_imv_msg_t private_imc_imv_msg_t;
 
diff --git a/src/libcharon/plugins/tnccs_11/messages/tnccs_error_msg.c b/src/libcharon/plugins/tnccs_11/messages/tnccs_error_msg.c
index d0df4e7ca..ba92c26b1 100644
--- a/src/libcharon/plugins/tnccs_11/messages/tnccs_error_msg.c
+++ b/src/libcharon/plugins/tnccs_11/messages/tnccs_error_msg.c
@@ -15,7 +15,7 @@
 
 #include "tnccs_error_msg.h"
 
-#include <debug.h>
+#include <utils/debug.h>
 
 ENUM(tnccs_error_type_names, TNCCS_ERROR_BATCH_TOO_LONG, TNCCS_ERROR_OTHER,
 	"batch-too-long",
@@ -108,7 +108,7 @@ tnccs_msg_t *tnccs_error_msg_create_from_node(xmlNodePtr node)
 {
 	private_tnccs_error_msg_t *this;
 	xmlChar *error_type_name, *error_msg;
-	
+
 	INIT(this,
 		.public = {
 			.tnccs_msg_interface = {
diff --git a/src/libcharon/plugins/tnccs_11/messages/tnccs_msg.c b/src/libcharon/plugins/tnccs_11/messages/tnccs_msg.c
index 5a050393a..79c663905 100644
--- a/src/libcharon/plugins/tnccs_11/messages/tnccs_msg.c
+++ b/src/libcharon/plugins/tnccs_11/messages/tnccs_msg.c
@@ -22,7 +22,7 @@
 #include "tnccs_tncs_contact_info_msg.h"
 
 #include <library.h>
-#include <debug.h>
+#include <utils/debug.h>
 
 ENUM(tnccs_msg_type_names, IMC_IMV_MSG, TNCCS_MSG_ROOF,
 	"IMC-IMV",
diff --git a/src/libcharon/plugins/tnccs_11/messages/tnccs_msg.h b/src/libcharon/plugins/tnccs_11/messages/tnccs_msg.h
index e0b54449a..88d6f07aa 100644
--- a/src/libcharon/plugins/tnccs_11/messages/tnccs_msg.h
+++ b/src/libcharon/plugins/tnccs_11/messages/tnccs_msg.h
@@ -25,7 +25,7 @@ typedef enum tnccs_msg_type_t tnccs_msg_type_t;
 typedef struct tnccs_msg_t tnccs_msg_t;
 
 #include <library.h>
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
 #include <libxml/parser.h>
 
 /**
diff --git a/src/libcharon/plugins/tnccs_11/messages/tnccs_preferred_language_msg.c b/src/libcharon/plugins/tnccs_11/messages/tnccs_preferred_language_msg.c
index fd85350b5..e1c193e18 100644
--- a/src/libcharon/plugins/tnccs_11/messages/tnccs_preferred_language_msg.c
+++ b/src/libcharon/plugins/tnccs_11/messages/tnccs_preferred_language_msg.c
@@ -15,7 +15,7 @@
 
 #include "tnccs_preferred_language_msg.h"
 
-#include <debug.h>
+#include <utils/debug.h>
 
 typedef struct private_tnccs_preferred_language_msg_t private_tnccs_preferred_language_msg_t;
 
diff --git a/src/libcharon/plugins/tnccs_11/messages/tnccs_reason_strings_msg.c b/src/libcharon/plugins/tnccs_11/messages/tnccs_reason_strings_msg.c
index af60a4b3a..cf3c367d8 100644
--- a/src/libcharon/plugins/tnccs_11/messages/tnccs_reason_strings_msg.c
+++ b/src/libcharon/plugins/tnccs_11/messages/tnccs_reason_strings_msg.c
@@ -16,7 +16,7 @@
 #include "tnccs_reason_strings_msg.h"
 #include "tnccs_error_msg.h"
 
-#include <debug.h>
+#include <utils/debug.h>
 
 typedef struct private_tnccs_reason_strings_msg_t private_tnccs_reason_strings_msg_t;
 
diff --git a/src/libcharon/plugins/tnccs_11/messages/tnccs_recommendation_msg.c b/src/libcharon/plugins/tnccs_11/messages/tnccs_recommendation_msg.c
index 610224242..32e123b2e 100644
--- a/src/libcharon/plugins/tnccs_11/messages/tnccs_recommendation_msg.c
+++ b/src/libcharon/plugins/tnccs_11/messages/tnccs_recommendation_msg.c
@@ -16,7 +16,7 @@
 #include "tnccs_recommendation_msg.h"
 #include "tnccs_error_msg.h"
 
-#include <debug.h>
+#include <utils/debug.h>
 
 typedef struct private_tnccs_recommendation_msg_t private_tnccs_recommendation_msg_t;
 
diff --git a/src/libcharon/plugins/tnccs_11/messages/tnccs_tncs_contact_info_msg.c b/src/libcharon/plugins/tnccs_11/messages/tnccs_tncs_contact_info_msg.c
index b8aac30fa..fe288f01d 100644
--- a/src/libcharon/plugins/tnccs_11/messages/tnccs_tncs_contact_info_msg.c
+++ b/src/libcharon/plugins/tnccs_11/messages/tnccs_tncs_contact_info_msg.c
@@ -14,7 +14,7 @@
 
 #include "tnccs_tncs_contact_info_msg.h"
 
-#include <debug.h>
+#include <utils/debug.h>
 
 typedef struct private_tnccs_tncs_contact_info_msg_t private_tnccs_tncs_contact_info_msg_t;
 
diff --git a/src/libcharon/plugins/tnccs_11/tnccs_11.c b/src/libcharon/plugins/tnccs_11/tnccs_11.c
index 56858a8b4..cfc29d6ab 100644
--- a/src/libcharon/plugins/tnccs_11/tnccs_11.c
+++ b/src/libcharon/plugins/tnccs_11/tnccs_11.c
@@ -31,7 +31,7 @@
 #include <tnc/tnccs/tnccs.h>
 #include <tnc/tnccs/tnccs_manager.h>
 
-#include <debug.h>
+#include <utils/debug.h>
 #include <daemon.h>
 #include <threading/mutex.h>
 
diff --git a/src/libcharon/plugins/tnccs_20/Makefile.in b/src/libcharon/plugins/tnccs_20/Makefile.in
index 26d26dbd9..60c8e562e 100644
--- a/src/libcharon/plugins/tnccs_20/Makefile.in
+++ b/src/libcharon/plugins/tnccs_20/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -73,6 +73,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
 am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
 am__installdirs = "$(DESTDIR)$(plugindir)"
 LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
 @MONOLITHIC_FALSE@libstrongswan_tnccs_20_la_DEPENDENCIES =  \
@@ -130,6 +136,7 @@ CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -157,6 +164,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -184,6 +192,7 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
@@ -196,6 +205,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -249,7 +259,6 @@ libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -400,7 +409,7 @@ clean-pluginLTLIBRARIES:
 	  echo "rm -f \"$${dir}/so_locations\""; \
 	  rm -f "$${dir}/so_locations"; \
 	done
-libstrongswan-tnccs-20.la: $(libstrongswan_tnccs_20_la_OBJECTS) $(libstrongswan_tnccs_20_la_DEPENDENCIES) 
+libstrongswan-tnccs-20.la: $(libstrongswan_tnccs_20_la_OBJECTS) $(libstrongswan_tnccs_20_la_DEPENDENCIES) $(EXTRA_libstrongswan_tnccs_20_la_DEPENDENCIES) 
 	$(libstrongswan_tnccs_20_la_LINK) $(am_libstrongswan_tnccs_20_la_rpath) $(libstrongswan_tnccs_20_la_OBJECTS) $(libstrongswan_tnccs_20_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
@@ -626,10 +635,15 @@ install-am: all-am
 
 installcheck: installcheck-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
diff --git a/src/libcharon/plugins/tnccs_20/batch/pb_tnc_batch.c b/src/libcharon/plugins/tnccs_20/batch/pb_tnc_batch.c
index 2f932637a..3a2c70f5a 100644
--- a/src/libcharon/plugins/tnccs_20/batch/pb_tnc_batch.c
+++ b/src/libcharon/plugins/tnccs_20/batch/pb_tnc_batch.c
@@ -20,11 +20,11 @@
 
 #include <tnc/tnccs/tnccs.h>
 
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
 #include <bio/bio_writer.h>
 #include <bio/bio_reader.h>
 #include <pen/pen.h>
-#include <debug.h>
+#include <utils/debug.h>
 
 ENUM(pb_tnc_batch_type_names, PB_BATCH_CDATA, PB_BATCH_CLOSE,
 	"CDATA",
@@ -172,12 +172,12 @@ METHOD(pb_tnc_batch_t, build, void,
 	bio_writer_t *writer;
 
 	/* build PB-TNC batch header */
-	writer = bio_writer_create(this->batch_len);	
+	writer = bio_writer_create(this->batch_len);
 	writer->write_uint8 (writer, PB_TNC_VERSION);
 	writer->write_uint8 (writer, this->is_server ?
 								 PB_TNC_BATCH_FLAG_D : PB_TNC_BATCH_FLAG_NONE);
 	writer->write_uint16(writer, this->type);
-	writer->write_uint32(writer, this->batch_len); 
+	writer->write_uint32(writer, this->batch_len);
 
 	/* build PB-TNC messages */
 	enumerator = this->messages->create_enumerator(this->messages);
@@ -297,7 +297,7 @@ static status_t process_batch_header(private_pb_tnc_batch_t *this,
 
 fatal:
 	this->errors->insert_last(this->errors, msg);
-	return FAILED;	
+	return FAILED;
 }
 
 static status_t process_tnc_msg(private_pb_tnc_batch_t *this)
@@ -329,7 +329,7 @@ static status_t process_tnc_msg(private_pb_tnc_batch_t *this)
 	reader->destroy(reader);
 
 	noskip_flag = (flags & PB_TNC_FLAG_NOSKIP) != PB_TNC_FLAG_NONE;
-	
+
 	if (msg_len > data.len)
 	{
 		DBG1(DBG_TNC, "%u bytes insufficient to parse PB-TNC message", data.len);
@@ -455,7 +455,7 @@ static status_t process_tnc_msg(private_pb_tnc_batch_t *this)
 
 fatal:
 	this->errors->insert_last(this->errors, msg);
-	return FAILED;	
+	return FAILED;
 }
 
 METHOD(pb_tnc_batch_t, process, status_t,
diff --git a/src/libcharon/plugins/tnccs_20/messages/pb_access_recommendation_msg.c b/src/libcharon/plugins/tnccs_20/messages/pb_access_recommendation_msg.c
index 974db4d70..cdd0d0d0d 100644
--- a/src/libcharon/plugins/tnccs_20/messages/pb_access_recommendation_msg.c
+++ b/src/libcharon/plugins/tnccs_20/messages/pb_access_recommendation_msg.c
@@ -17,7 +17,7 @@
 
 #include <bio/bio_writer.h>
 #include <bio/bio_reader.h>
-#include <debug.h>
+#include <utils/debug.h>
 
 ENUM(pb_access_recommendation_code_names, PB_REC_ACCESS_ALLOWED, PB_REC_QUARANTINED,
 	"Access Allowed",
@@ -113,7 +113,7 @@ METHOD(pb_tnc_msg_t, process, status_t,
 		*offset = 2;
 		return FAILED;
 	}
-		
+
 	return SUCCESS;
 }
 
diff --git a/src/libcharon/plugins/tnccs_20/messages/pb_assessment_result_msg.c b/src/libcharon/plugins/tnccs_20/messages/pb_assessment_result_msg.c
index ee06575b4..4e50446be 100644
--- a/src/libcharon/plugins/tnccs_20/messages/pb_assessment_result_msg.c
+++ b/src/libcharon/plugins/tnccs_20/messages/pb_assessment_result_msg.c
@@ -19,7 +19,7 @@
 
 #include <bio/bio_writer.h>
 #include <bio/bio_reader.h>
-#include <debug.h>
+#include <utils/debug.h>
 
 typedef struct private_pb_assessment_result_msg_t private_pb_assessment_result_msg_t;
 
@@ -106,7 +106,7 @@ METHOD(pb_tnc_msg_t, process, status_t,
 		*offset = 0;
 		return FAILED;
 	}
-		
+
 	return SUCCESS;
 }
 
diff --git a/src/libcharon/plugins/tnccs_20/messages/pb_error_msg.c b/src/libcharon/plugins/tnccs_20/messages/pb_error_msg.c
index 457d3da21..d048f437c 100644
--- a/src/libcharon/plugins/tnccs_20/messages/pb_error_msg.c
+++ b/src/libcharon/plugins/tnccs_20/messages/pb_error_msg.c
@@ -20,7 +20,7 @@
 #include <bio/bio_writer.h>
 #include <bio/bio_reader.h>
 #include <pen/pen.h>
-#include <debug.h>
+#include <utils/debug.h>
 
 ENUM(pb_tnc_error_code_names, PB_ERROR_UNEXPECTED_BATCH_TYPE,
 							  PB_ERROR_VERSION_NOT_SUPPORTED,
@@ -88,7 +88,7 @@ struct private_pb_error_msg_t {
 	u_int32_t error_offset;
 
 	/**
-	 * Bad PB-TNC version received 
+	 * Bad PB-TNC version received
 	 */
 	u_int8_t bad_version;
 
diff --git a/src/libcharon/plugins/tnccs_20/messages/pb_language_preference_msg.c b/src/libcharon/plugins/tnccs_20/messages/pb_language_preference_msg.c
index 46df54486..70a03cdc5 100644
--- a/src/libcharon/plugins/tnccs_20/messages/pb_language_preference_msg.c
+++ b/src/libcharon/plugins/tnccs_20/messages/pb_language_preference_msg.c
@@ -17,7 +17,7 @@
 
 #include <bio/bio_writer.h>
 #include <bio/bio_reader.h>
-#include <debug.h>
+#include <utils/debug.h>
 
 typedef struct private_pb_language_preference_msg_t private_pb_language_preference_msg_t;
 
diff --git a/src/libcharon/plugins/tnccs_20/messages/pb_pa_msg.c b/src/libcharon/plugins/tnccs_20/messages/pb_pa_msg.c
index bbad9bf55..2d2c1316b 100644
--- a/src/libcharon/plugins/tnccs_20/messages/pb_pa_msg.c
+++ b/src/libcharon/plugins/tnccs_20/messages/pb_pa_msg.c
@@ -22,7 +22,7 @@
 #include <bio/bio_writer.h>
 #include <bio/bio_reader.h>
 #include <pen/pen.h>
-#include <debug.h>
+#include <utils/debug.h>
 
 typedef struct private_pb_pa_msg_t private_pb_pa_msg_t;
 
diff --git a/src/libcharon/plugins/tnccs_20/messages/pb_reason_string_msg.c b/src/libcharon/plugins/tnccs_20/messages/pb_reason_string_msg.c
index 511b45402..935c52d7b 100644
--- a/src/libcharon/plugins/tnccs_20/messages/pb_reason_string_msg.c
+++ b/src/libcharon/plugins/tnccs_20/messages/pb_reason_string_msg.c
@@ -17,7 +17,7 @@
 
 #include <bio/bio_writer.h>
 #include <bio/bio_reader.h>
-#include <debug.h>
+#include <utils/debug.h>
 
 typedef struct private_pb_reason_string_msg_t private_pb_reason_string_msg_t;
 
diff --git a/src/libcharon/plugins/tnccs_20/messages/pb_remediation_parameters_msg.c b/src/libcharon/plugins/tnccs_20/messages/pb_remediation_parameters_msg.c
index c853f03a3..63d94b94d 100644
--- a/src/libcharon/plugins/tnccs_20/messages/pb_remediation_parameters_msg.c
+++ b/src/libcharon/plugins/tnccs_20/messages/pb_remediation_parameters_msg.c
@@ -17,7 +17,7 @@
 
 #include <bio/bio_writer.h>
 #include <bio/bio_reader.h>
-#include <debug.h>
+#include <utils/debug.h>
 
 ENUM(pb_tnc_remed_param_type_names, PB_REMEDIATION_URI, PB_REMEDIATION_STRING,
 	"Remediation-URI",
diff --git a/src/libcharon/plugins/tnccs_20/messages/pb_tnc_msg.h b/src/libcharon/plugins/tnccs_20/messages/pb_tnc_msg.h
index e20c8d8ff..97ebed27f 100644
--- a/src/libcharon/plugins/tnccs_20/messages/pb_tnc_msg.h
+++ b/src/libcharon/plugins/tnccs_20/messages/pb_tnc_msg.h
@@ -56,7 +56,7 @@ struct pb_tnc_msg_info_t {
 	u_int32_t min_size;
 	bool exact_size;
 	bool in_result_batch;
-	bool has_noskip_flag;
+	signed char has_noskip_flag;
 };
 
 #define	TRUE_OR_FALSE	2
diff --git a/src/libcharon/plugins/tnccs_20/state_machine/pb_tnc_state_machine.c b/src/libcharon/plugins/tnccs_20/state_machine/pb_tnc_state_machine.c
index 5e95131a8..43f185440 100644
--- a/src/libcharon/plugins/tnccs_20/state_machine/pb_tnc_state_machine.c
+++ b/src/libcharon/plugins/tnccs_20/state_machine/pb_tnc_state_machine.c
@@ -15,7 +15,7 @@
 
 #include "pb_tnc_state_machine.h"
 
-#include <debug.h>
+#include <utils/debug.h>
 
 ENUM(pb_tnc_state_names, PB_STATE_INIT, PB_STATE_END,
 	"Init",
diff --git a/src/libcharon/plugins/tnccs_20/tnccs_20.c b/src/libcharon/plugins/tnccs_20/tnccs_20.c
index 44e1d278f..6239b152d 100644
--- a/src/libcharon/plugins/tnccs_20/tnccs_20.c
+++ b/src/libcharon/plugins/tnccs_20/tnccs_20.c
@@ -34,10 +34,10 @@
 #include <tnc/imc/imc_manager.h>
 #include <tnc/imv/imv_manager.h>
 
-#include <debug.h>
+#include <utils/debug.h>
 #include <daemon.h>
 #include <threading/mutex.h>
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
 #include <pen/pen.h>
 
 typedef struct private_tnccs_20_t private_tnccs_20_t;
@@ -369,10 +369,9 @@ static void handle_message(private_tnccs_20_t *this, pb_tnc_msg_t *msg)
 			reason_msg = (pb_reason_string_msg_t*)msg;
 			reason_string = reason_msg->get_reason_string(reason_msg);
 			language_code = reason_msg->get_language_code(reason_msg);
-			DBG2(DBG_TNC, "reason string is '%.*s'", (int)reason_string.len,
-													 reason_string.ptr);
-			DBG2(DBG_TNC, "language code is '%.*s'", (int)language_code.len,
-													 language_code.ptr);
+			DBG1(DBG_TNC, "reason string is '%.*s' [%.*s]",
+				 (int)reason_string.len, reason_string.ptr,
+				 (int)language_code.len, language_code.ptr);
 			break;
 		}
 		default:
@@ -647,28 +646,40 @@ METHOD(tls_t, build, status_t,
 
 	if (this->batch_type == PB_BATCH_NONE)
 	{
-		if (this->is_server && state == PB_STATE_SERVER_WORKING)
+		if (this->is_server)
 		{
-			if (this->state_machine->get_empty_cdata(this->state_machine))
-			{
-				check_and_build_recommendation(this);
-			}
-			else
+			if (state == PB_STATE_SERVER_WORKING)
 			{
-				DBG2(DBG_TNC, "no recommendation available yet, "
-							  "sending empty PB-TNC SDATA batch");
-				this->batch_type = PB_BATCH_SDATA;
+				if (this->state_machine->get_empty_cdata(this->state_machine))
+				{
+					check_and_build_recommendation(this);
+				}
+				else
+				{
+					DBG2(DBG_TNC, "no recommendation available yet, "
+								  "sending empty PB-TNC SDATA batch");
+					this->batch_type = PB_BATCH_SDATA;
+				}
 			}
 		}
 		else
-        {
-			/**
-			 * In the DECIDED state and if no CRETRY is under way,
-			 * a PB-TNC client replies with an empty CLOSE batch.
-			 */
-			if (state == PB_STATE_DECIDED)
+		{
+			switch (state)
 			{
-				this->batch_type = PB_BATCH_CLOSE;
+				case PB_STATE_CLIENT_WORKING:
+					DBG2(DBG_TNC, "no client data to send, "
+								  "sending empty PB-TNC CDATA batch");
+					this->batch_type = PB_BATCH_CDATA;
+					break;
+				case PB_STATE_DECIDED:
+					/**
+					 * In the DECIDED state and if no CRETRY is under way,
+					 * a PB-TNC client replies with an empty CLOSE batch.
+					 */
+					this->batch_type = PB_BATCH_CLOSE;
+					break;
+				default:
+					break;
 			}
 		}
 	}
diff --git a/src/libcharon/plugins/tnccs_dynamic/Makefile.in b/src/libcharon/plugins/tnccs_dynamic/Makefile.in
index f08d00dab..b17afda82 100644
--- a/src/libcharon/plugins/tnccs_dynamic/Makefile.in
+++ b/src/libcharon/plugins/tnccs_dynamic/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -73,6 +73,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
 am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
 am__installdirs = "$(DESTDIR)$(plugindir)"
 LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
 @MONOLITHIC_FALSE@libstrongswan_tnccs_dynamic_la_DEPENDENCIES =  \
@@ -126,6 +132,7 @@ CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -153,6 +160,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -180,6 +188,7 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
@@ -192,6 +201,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -245,7 +255,6 @@ libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -383,7 +392,7 @@ clean-pluginLTLIBRARIES:
 	  echo "rm -f \"$${dir}/so_locations\""; \
 	  rm -f "$${dir}/so_locations"; \
 	done
-libstrongswan-tnccs-dynamic.la: $(libstrongswan_tnccs_dynamic_la_OBJECTS) $(libstrongswan_tnccs_dynamic_la_DEPENDENCIES) 
+libstrongswan-tnccs-dynamic.la: $(libstrongswan_tnccs_dynamic_la_OBJECTS) $(libstrongswan_tnccs_dynamic_la_DEPENDENCIES) $(EXTRA_libstrongswan_tnccs_dynamic_la_DEPENDENCIES) 
 	$(libstrongswan_tnccs_dynamic_la_LINK) $(am_libstrongswan_tnccs_dynamic_la_rpath) $(libstrongswan_tnccs_dynamic_la_OBJECTS) $(libstrongswan_tnccs_dynamic_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
@@ -521,10 +530,15 @@ install-am: all-am
 
 installcheck: installcheck-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
diff --git a/src/libcharon/plugins/tnccs_dynamic/tnccs_dynamic.c b/src/libcharon/plugins/tnccs_dynamic/tnccs_dynamic.c
index b68d2dd6b..03795a947 100644
--- a/src/libcharon/plugins/tnccs_dynamic/tnccs_dynamic.c
+++ b/src/libcharon/plugins/tnccs_dynamic/tnccs_dynamic.c
@@ -17,7 +17,7 @@
 
 #include <tnc/tnc.h>
 
-#include <debug.h>
+#include <utils/debug.h>
 
 typedef struct private_tnccs_dynamic_t private_tnccs_dynamic_t;
 
@@ -120,7 +120,7 @@ METHOD(tls_t, destroy, void,
 	private_tnccs_dynamic_t *this)
 {
 	DESTROY_IF(this->tls);
-	free(this);	
+	free(this);
 }
 
 /**
diff --git a/src/libcharon/plugins/uci/Makefile.in b/src/libcharon/plugins/uci/Makefile.in
index da9310aa0..aff566c08 100644
--- a/src/libcharon/plugins/uci/Makefile.in
+++ b/src/libcharon/plugins/uci/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -73,6 +73,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
 am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
 am__installdirs = "$(DESTDIR)$(plugindir)"
 LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
 libstrongswan_uci_la_DEPENDENCIES =
@@ -121,6 +127,7 @@ CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -148,6 +155,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -175,6 +183,7 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
@@ -187,6 +196,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -240,7 +250,6 @@ libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -374,7 +383,7 @@ clean-pluginLTLIBRARIES:
 	  echo "rm -f \"$${dir}/so_locations\""; \
 	  rm -f "$${dir}/so_locations"; \
 	done
-libstrongswan-uci.la: $(libstrongswan_uci_la_OBJECTS) $(libstrongswan_uci_la_DEPENDENCIES) 
+libstrongswan-uci.la: $(libstrongswan_uci_la_OBJECTS) $(libstrongswan_uci_la_DEPENDENCIES) $(EXTRA_libstrongswan_uci_la_DEPENDENCIES) 
 	$(libstrongswan_uci_la_LINK) $(am_libstrongswan_uci_la_rpath) $(libstrongswan_uci_la_OBJECTS) $(libstrongswan_uci_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
@@ -515,10 +524,15 @@ install-am: all-am
 
 installcheck: installcheck-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
diff --git a/src/libcharon/plugins/uci/uci_config.c b/src/libcharon/plugins/uci/uci_config.c
index 1201f568e..de0bf91af 100644
--- a/src/libcharon/plugins/uci/uci_config.c
+++ b/src/libcharon/plugins/uci/uci_config.c
@@ -87,28 +87,12 @@ static traffic_selector_t *create_ts(char *string)
 {
 	if (string)
 	{
-		int netbits = 32;
-		host_t *net;
-		char *pos;
+		traffic_selector_t *ts;
 
-		string = strdupa(string);
-		pos = strchr(string, '/');
-		if (pos)
+		ts = traffic_selector_create_from_cidr(string, 0, 0);
+		if (ts)
 		{
-			*pos++ = '\0';
-			netbits = atoi(pos);
-		}
-		else
-		{
-			if (strchr(string, ':'))
-			{
-				netbits = 128;
-			}
-		}
-		net = host_create_from_string(string, 0);
-		if (net)
-		{
-			return traffic_selector_create_from_subnet(net, netbits, 0, 0);
+			return ts;
 		}
 	}
 	return traffic_selector_create_dynamic(0, 0, 65535);
@@ -168,12 +152,14 @@ METHOD(enumerator_t, peer_enumerator_enumerate, bool,
 			&ike_proposal, &esp_proposal, &ike_rekey, &esp_rekey))
 	{
 		DESTROY_IF(this->peer_cfg);
-		ike_cfg = ike_cfg_create(FALSE, FALSE,
-								 local_addr, FALSE, charon->socket->get_port(charon->socket, FALSE),
-								 remote_addr, FALSE, IKEV2_UDP_PORT);
+		ike_cfg = ike_cfg_create(IKEV2, FALSE, FALSE,
+								 local_addr, FALSE,
+								 charon->socket->get_port(charon->socket, FALSE),
+								 remote_addr, FALSE, IKEV2_UDP_PORT,
+								 FRAGMENTATION_NO);
 		ike_cfg->add_proposal(ike_cfg, create_proposal(ike_proposal, PROTO_IKE));
 		this->peer_cfg = peer_cfg_create(
-					name, IKEV2, ike_cfg, CERT_SEND_IF_ASKED, UNIQUE_NO,
+					name, ike_cfg, CERT_SEND_IF_ASKED, UNIQUE_NO,
 					1, create_rekey(ike_rekey), 0,  /* keytries, rekey, reauth */
 					1800, 900,						/* jitter, overtime */
 					TRUE, FALSE,				/* mobike, aggressive */
@@ -265,9 +251,11 @@ METHOD(enumerator_t, ike_enumerator_enumerate, bool,
 							   &local_addr, &remote_addr, &ike_proposal))
 	{
 		DESTROY_IF(this->ike_cfg);
-		this->ike_cfg = ike_cfg_create(FALSE, FALSE,
-									   local_addr, FALSE, charon->socket->get_port(charon->socket, FALSE),
-									   remote_addr, FALSE, IKEV2_UDP_PORT);
+		this->ike_cfg = ike_cfg_create(IKEV2, FALSE, FALSE,
+								local_addr, FALSE,
+								charon->socket->get_port(charon->socket, FALSE),
+								remote_addr, FALSE, IKEV2_UDP_PORT,
+								FRAGMENTATION_NO);
 		this->ike_cfg->add_proposal(this->ike_cfg,
 									create_proposal(ike_proposal, PROTO_IKE));
 
diff --git a/src/libcharon/plugins/uci/uci_parser.h b/src/libcharon/plugins/uci/uci_parser.h
index 7217e507a..230c35e86 100644
--- a/src/libcharon/plugins/uci/uci_parser.h
+++ b/src/libcharon/plugins/uci/uci_parser.h
@@ -22,7 +22,7 @@
 #ifndef UCI_PARSER_H_
 #define UCI_PARSER_H_
 
-#include <utils/enumerator.h>
+#include <collections/enumerator.h>
 
 typedef struct uci_parser_t uci_parser_t;
 
diff --git a/src/libcharon/plugins/unit_tester/Makefile.in b/src/libcharon/plugins/unit_tester/Makefile.in
index 9d936a273..8e60d97b2 100644
--- a/src/libcharon/plugins/unit_tester/Makefile.in
+++ b/src/libcharon/plugins/unit_tester/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -73,6 +73,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
 am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
 am__installdirs = "$(DESTDIR)$(plugindir)"
 LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
 libstrongswan_unit_tester_la_LIBADD =
@@ -127,6 +133,7 @@ CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -154,6 +161,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -181,6 +189,7 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
@@ -193,6 +202,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -246,7 +256,6 @@ libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -391,7 +400,7 @@ clean-pluginLTLIBRARIES:
 	  echo "rm -f \"$${dir}/so_locations\""; \
 	  rm -f "$${dir}/so_locations"; \
 	done
-libstrongswan-unit-tester.la: $(libstrongswan_unit_tester_la_OBJECTS) $(libstrongswan_unit_tester_la_DEPENDENCIES) 
+libstrongswan-unit-tester.la: $(libstrongswan_unit_tester_la_OBJECTS) $(libstrongswan_unit_tester_la_DEPENDENCIES) $(EXTRA_libstrongswan_unit_tester_la_DEPENDENCIES) 
 	$(libstrongswan_unit_tester_la_LINK) $(am_libstrongswan_unit_tester_la_rpath) $(libstrongswan_unit_tester_la_OBJECTS) $(libstrongswan_unit_tester_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
@@ -640,10 +649,15 @@ install-am: all-am
 
 installcheck: installcheck-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
diff --git a/src/libcharon/plugins/unit_tester/tests/test_enumerator.c b/src/libcharon/plugins/unit_tester/tests/test_enumerator.c
index edbf0f5bb..83b78c092 100644
--- a/src/libcharon/plugins/unit_tester/tests/test_enumerator.c
+++ b/src/libcharon/plugins/unit_tester/tests/test_enumerator.c
@@ -13,7 +13,7 @@
  * for more details.
  */
 
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
 
 
 /*******************************************************************************
diff --git a/src/libcharon/plugins/unit_tester/tests/test_hashtable.c b/src/libcharon/plugins/unit_tester/tests/test_hashtable.c
index bd79e12f7..5513f6707 100644
--- a/src/libcharon/plugins/unit_tester/tests/test_hashtable.c
+++ b/src/libcharon/plugins/unit_tester/tests/test_hashtable.c
@@ -14,7 +14,7 @@
  */
 
 #include <library.h>
-#include <utils/hashtable.h>
+#include <collections/hashtable.h>
 
 static u_int hash(char *key)
 {
diff --git a/src/libcharon/plugins/unit_tester/tests/test_med_db.c b/src/libcharon/plugins/unit_tester/tests/test_med_db.c
index ae1d08e15..75244ab8f 100644
--- a/src/libcharon/plugins/unit_tester/tests/test_med_db.c
+++ b/src/libcharon/plugins/unit_tester/tests/test_med_db.c
@@ -15,7 +15,7 @@
 
 #include <library.h>
 #include <daemon.h>
-#include <utils/enumerator.h>
+#include <collections/enumerator.h>
 
 #include <unistd.h>
 
diff --git a/src/libcharon/plugins/unit_tester/tests/test_mysql.c b/src/libcharon/plugins/unit_tester/tests/test_mysql.c
index 252441ef8..eda238623 100644
--- a/src/libcharon/plugins/unit_tester/tests/test_mysql.c
+++ b/src/libcharon/plugins/unit_tester/tests/test_mysql.c
@@ -15,7 +15,7 @@
 
 #include <library.h>
 #include <daemon.h>
-#include <utils/enumerator.h>
+#include <collections/enumerator.h>
 
 /*******************************************************************************
  * mysql simple test
diff --git a/src/libcharon/plugins/unit_tester/tests/test_sqlite.c b/src/libcharon/plugins/unit_tester/tests/test_sqlite.c
index dd8d1955e..99490b566 100644
--- a/src/libcharon/plugins/unit_tester/tests/test_sqlite.c
+++ b/src/libcharon/plugins/unit_tester/tests/test_sqlite.c
@@ -15,7 +15,7 @@
 
 #include <library.h>
 #include <daemon.h>
-#include <utils/enumerator.h>
+#include <collections/enumerator.h>
 
 #include <unistd.h>
 
diff --git a/src/libcharon/plugins/unity/Makefile.in b/src/libcharon/plugins/unity/Makefile.in
index 3b74530b3..5cb81fd51 100644
--- a/src/libcharon/plugins/unity/Makefile.in
+++ b/src/libcharon/plugins/unity/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -73,6 +73,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
 am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
 am__installdirs = "$(DESTDIR)$(plugindir)"
 LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
 libstrongswan_unity_la_LIBADD =
@@ -122,6 +128,7 @@ CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -149,6 +156,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -176,6 +184,7 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
@@ -188,6 +197,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -241,7 +251,6 @@ libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -375,7 +384,7 @@ clean-pluginLTLIBRARIES:
 	  echo "rm -f \"$${dir}/so_locations\""; \
 	  rm -f "$${dir}/so_locations"; \
 	done
-libstrongswan-unity.la: $(libstrongswan_unity_la_OBJECTS) $(libstrongswan_unity_la_DEPENDENCIES) 
+libstrongswan-unity.la: $(libstrongswan_unity_la_OBJECTS) $(libstrongswan_unity_la_DEPENDENCIES) $(EXTRA_libstrongswan_unity_la_DEPENDENCIES) 
 	$(libstrongswan_unity_la_LINK) $(am_libstrongswan_unity_la_rpath) $(libstrongswan_unity_la_OBJECTS) $(libstrongswan_unity_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
@@ -515,10 +524,15 @@ install-am: all-am
 
 installcheck: installcheck-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
diff --git a/src/libcharon/plugins/unity/unity_handler.c b/src/libcharon/plugins/unity/unity_handler.c
index b2aeba605..31d13add2 100644
--- a/src/libcharon/plugins/unity/unity_handler.c
+++ b/src/libcharon/plugins/unity/unity_handler.c
@@ -17,7 +17,7 @@
 
 #include <daemon.h>
 #include <threading/mutex.h>
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
 #include <processing/jobs/callback_job.h>
 
 typedef struct private_unity_handler_t private_unity_handler_t;
@@ -115,7 +115,7 @@ static bool add_include(private_unity_handler_t *this, chunk_t subnet)
 }
 
 /**
- * Rempve a subnet from the inclusion list for this IKE_SA
+ * Remove a subnet from the inclusion list for this IKE_SA
  */
 static bool remove_include(private_unity_handler_t *this, chunk_t subnet)
 {
@@ -170,7 +170,7 @@ static job_requeue_t add_exclude_async(entry_t *entry)
 {
 	enumerator_t *enumerator;
 	child_cfg_t *child_cfg;
-	lifetime_cfg_t lft = {};
+	lifetime_cfg_t lft = { .time = { .life = 0 } };
 	ike_sa_t *ike_sa;
 	char name[128];
 	host_t *host;
diff --git a/src/libcharon/plugins/unity/unity_provider.c b/src/libcharon/plugins/unity/unity_provider.c
index c7feb090c..655b8724a 100644
--- a/src/libcharon/plugins/unity/unity_provider.c
+++ b/src/libcharon/plugins/unity/unity_provider.c
@@ -58,10 +58,8 @@ METHOD(enumerator_t, attribute_enumerate, bool,
 		{
 			return FALSE;
 		}
-		if (ts->get_type(ts) == TS_IPV4_ADDR_RANGE &&
-			ts->to_subnet(ts, &net, &mask))
+		if (ts->to_subnet(ts, &net, &mask))
 		{
-			ts->destroy(ts);
 			break;
 		}
 		ts->destroy(ts);
@@ -94,6 +92,30 @@ METHOD(enumerator_t, attribute_destroy, void,
 	free(this);
 }
 
+/**
+ * Check if we should send a configured TS as Split-Include attribute
+ */
+static bool use_ts(traffic_selector_t *ts)
+{
+	u_int8_t mask;
+	host_t *net;
+
+	if (ts->get_type(ts) != TS_IPV4_ADDR_RANGE)
+	{
+		return FALSE;
+	}
+	if (ts->is_dynamic(ts))
+	{
+		return FALSE;
+	}
+	if (!ts->to_subnet(ts, &net, &mask))
+	{
+		return FALSE;
+	}
+	net->destroy(net);
+	return mask > 0;
+}
+
 METHOD(attribute_provider_t, create_attribute_enumerator, enumerator_t*,
 	private_unity_provider_t *this, linked_list_t *pools, identification_t *id,
 	linked_list_t *vips)
@@ -122,7 +144,14 @@ METHOD(attribute_provider_t, create_attribute_enumerator, enumerator_t*,
 		current = child_cfg->get_traffic_selectors(child_cfg, TRUE, NULL, NULL);
 		while (current->remove_first(current, (void**)&ts) == SUCCESS)
 		{
-			list->insert_last(list, ts);
+			if (use_ts(ts))
+			{
+				list->insert_last(list, ts);
+			}
+			else
+			{
+				ts->destroy(ts);
+			}
 		}
 		current->destroy(current);
 	}
diff --git a/src/libcharon/plugins/updown/Makefile.in b/src/libcharon/plugins/updown/Makefile.in
index 0f3463704..f8df24116 100644
--- a/src/libcharon/plugins/updown/Makefile.in
+++ b/src/libcharon/plugins/updown/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -73,6 +73,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
 am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
 am__installdirs = "$(DESTDIR)$(plugindir)"
 LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
 libstrongswan_updown_la_LIBADD =
@@ -123,6 +129,7 @@ CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -150,6 +157,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -177,6 +185,7 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
@@ -189,6 +198,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -242,7 +252,6 @@ libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -375,7 +384,7 @@ clean-pluginLTLIBRARIES:
 	  echo "rm -f \"$${dir}/so_locations\""; \
 	  rm -f "$${dir}/so_locations"; \
 	done
-libstrongswan-updown.la: $(libstrongswan_updown_la_OBJECTS) $(libstrongswan_updown_la_DEPENDENCIES) 
+libstrongswan-updown.la: $(libstrongswan_updown_la_OBJECTS) $(libstrongswan_updown_la_DEPENDENCIES) $(EXTRA_libstrongswan_updown_la_DEPENDENCIES) 
 	$(libstrongswan_updown_la_LINK) $(am_libstrongswan_updown_la_rpath) $(libstrongswan_updown_la_OBJECTS) $(libstrongswan_updown_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
@@ -514,10 +523,15 @@ install-am: all-am
 
 installcheck: installcheck-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
diff --git a/src/libcharon/plugins/updown/updown_handler.c b/src/libcharon/plugins/updown/updown_handler.c
index b2ac02e85..3a644380a 100644
--- a/src/libcharon/plugins/updown/updown_handler.c
+++ b/src/libcharon/plugins/updown/updown_handler.c
@@ -16,7 +16,7 @@
 #include "updown_handler.h"
 
 #include <daemon.h>
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
 #include <threading/rwlock.h>
 
 typedef struct private_updown_handler_t private_updown_handler_t;
diff --git a/src/libcharon/plugins/updown/updown_listener.c b/src/libcharon/plugins/updown/updown_listener.c
index 8b2af05b6..617618057 100644
--- a/src/libcharon/plugins/updown/updown_listener.c
+++ b/src/libcharon/plugins/updown/updown_listener.c
@@ -200,7 +200,7 @@ METHOD(listener_t, child_updown, bool,
 		char command[1024];
 		host_t *my_client, *other_client;
 		u_int8_t my_client_mask, other_client_mask;
-		char *virtual_ip, *iface, *mark_in, *mark_out, *udp_enc, *dns;
+		char *virtual_ip, *iface, *mark_in, *mark_out, *udp_enc, *dns, *xauth;
 		mark_t mark;
 		bool is_host, is_ipv6;
 		FILE *shell;
@@ -265,6 +265,23 @@ METHOD(listener_t, child_updown, bool,
 
 		}
 
+		if (ike_sa->has_condition(ike_sa, COND_EAP_AUTHENTICATED) ||
+			ike_sa->has_condition(ike_sa, COND_XAUTH_AUTHENTICATED))
+		{
+			if (asprintf(&xauth, "PLUTO_XAUTH_ID='%Y' ",
+						 ike_sa->get_other_eap_id(ike_sa)) < 0)
+			{
+				xauth = NULL;
+			}
+		}
+		else
+		{
+			if (asprintf(&xauth, "") < 0)
+			{
+				xauth = NULL;
+			}
+		}
+
 		if (up)
 		{
 			if (hydra->kernel_interface->get_interface(hydra->kernel_interface,
@@ -311,6 +328,7 @@ METHOD(listener_t, child_updown, bool,
 				"%s"
 				"%s"
 				"%s"
+				"%s"
 				"%s",
 				 up ? "up" : "down",
 				 is_host ? "-host" : "-client",
@@ -326,6 +344,7 @@ METHOD(listener_t, child_updown, bool,
 				 other_client, other_client_mask,
 				 other_ts->get_from_port(other_ts),
 				 other_ts->get_protocol(other_ts),
+				 xauth,
 				 virtual_ip,
 				 mark_in,
 				 mark_out,
@@ -341,6 +360,7 @@ METHOD(listener_t, child_updown, bool,
 		free(udp_enc);
 		free(dns);
 		free(iface);
+		free(xauth);
 
 		DBG3(DBG_CHD, "running updown script: %s", command);
 		shell = popen(command, "r");
diff --git a/src/libcharon/plugins/whitelist/Makefile.in b/src/libcharon/plugins/whitelist/Makefile.in
index 80f12df47..5ca4fd36d 100644
--- a/src/libcharon/plugins/whitelist/Makefile.in
+++ b/src/libcharon/plugins/whitelist/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -75,6 +75,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
 am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
 am__installdirs = "$(DESTDIR)$(plugindir)" "$(DESTDIR)$(ipsecdir)"
 LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
 libstrongswan_whitelist_la_LIBADD =
@@ -131,6 +137,7 @@ CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -158,6 +165,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -185,6 +193,7 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
@@ -197,6 +206,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -250,7 +260,6 @@ libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -385,7 +394,7 @@ clean-pluginLTLIBRARIES:
 	  echo "rm -f \"$${dir}/so_locations\""; \
 	  rm -f "$${dir}/so_locations"; \
 	done
-libstrongswan-whitelist.la: $(libstrongswan_whitelist_la_OBJECTS) $(libstrongswan_whitelist_la_DEPENDENCIES) 
+libstrongswan-whitelist.la: $(libstrongswan_whitelist_la_OBJECTS) $(libstrongswan_whitelist_la_DEPENDENCIES) $(EXTRA_libstrongswan_whitelist_la_DEPENDENCIES) 
 	$(libstrongswan_whitelist_la_LINK) $(am_libstrongswan_whitelist_la_rpath) $(libstrongswan_whitelist_la_OBJECTS) $(libstrongswan_whitelist_la_LIBADD) $(LIBS)
 install-ipsecPROGRAMS: $(ipsec_PROGRAMS)
 	@$(NORMAL_INSTALL)
@@ -430,7 +439,7 @@ clean-ipsecPROGRAMS:
 	list=`for p in $$list; do echo "$$p"; done | sed 's/$(EXEEXT)$$//'`; \
 	echo " rm -f" $$list; \
 	rm -f $$list
-whitelist$(EXEEXT): $(whitelist_OBJECTS) $(whitelist_DEPENDENCIES) 
+whitelist$(EXEEXT): $(whitelist_OBJECTS) $(whitelist_DEPENDENCIES) $(EXTRA_whitelist_DEPENDENCIES) 
 	@rm -f whitelist$(EXEEXT)
 	$(LINK) $(whitelist_OBJECTS) $(whitelist_LDADD) $(LIBS)
 
@@ -571,10 +580,15 @@ install-am: all-am
 
 installcheck: installcheck-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
diff --git a/src/libcharon/plugins/whitelist/whitelist_listener.c b/src/libcharon/plugins/whitelist/whitelist_listener.c
index 64ef04800..382ee3b8b 100644
--- a/src/libcharon/plugins/whitelist/whitelist_listener.c
+++ b/src/libcharon/plugins/whitelist/whitelist_listener.c
@@ -16,7 +16,7 @@
 #include "whitelist_listener.h"
 
 #include <daemon.h>
-#include <utils/hashtable.h>
+#include <collections/hashtable.h>
 #include <threading/rwlock.h>
 
 typedef struct private_whitelist_listener_t private_whitelist_listener_t;
diff --git a/src/libcharon/plugins/xauth_eap/Makefile.in b/src/libcharon/plugins/xauth_eap/Makefile.in
index 709e2be03..f5edbaeeb 100644
--- a/src/libcharon/plugins/xauth_eap/Makefile.in
+++ b/src/libcharon/plugins/xauth_eap/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -73,6 +73,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
 am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
 am__installdirs = "$(DESTDIR)$(plugindir)"
 LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
 libstrongswan_xauth_eap_la_LIBADD =
@@ -124,6 +130,7 @@ CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -151,6 +158,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -178,6 +186,7 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
@@ -190,6 +199,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -243,7 +253,6 @@ libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -375,7 +384,7 @@ clean-pluginLTLIBRARIES:
 	  echo "rm -f \"$${dir}/so_locations\""; \
 	  rm -f "$${dir}/so_locations"; \
 	done
-libstrongswan-xauth-eap.la: $(libstrongswan_xauth_eap_la_OBJECTS) $(libstrongswan_xauth_eap_la_DEPENDENCIES) 
+libstrongswan-xauth-eap.la: $(libstrongswan_xauth_eap_la_OBJECTS) $(libstrongswan_xauth_eap_la_DEPENDENCIES) $(EXTRA_libstrongswan_xauth_eap_la_DEPENDENCIES) 
 	$(libstrongswan_xauth_eap_la_LINK) $(am_libstrongswan_xauth_eap_la_rpath) $(libstrongswan_xauth_eap_la_OBJECTS) $(libstrongswan_xauth_eap_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
@@ -513,10 +522,15 @@ install-am: all-am
 
 installcheck: installcheck-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
diff --git a/src/libcharon/plugins/xauth_generic/Makefile.in b/src/libcharon/plugins/xauth_generic/Makefile.in
index 9f9743ef1..ecd480fb5 100644
--- a/src/libcharon/plugins/xauth_generic/Makefile.in
+++ b/src/libcharon/plugins/xauth_generic/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -73,6 +73,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
 am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
 am__installdirs = "$(DESTDIR)$(plugindir)"
 LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
 libstrongswan_xauth_generic_la_LIBADD =
@@ -124,6 +130,7 @@ CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -151,6 +158,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -178,6 +186,7 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
@@ -190,6 +199,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -243,7 +253,6 @@ libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -375,7 +384,7 @@ clean-pluginLTLIBRARIES:
 	  echo "rm -f \"$${dir}/so_locations\""; \
 	  rm -f "$${dir}/so_locations"; \
 	done
-libstrongswan-xauth-generic.la: $(libstrongswan_xauth_generic_la_OBJECTS) $(libstrongswan_xauth_generic_la_DEPENDENCIES) 
+libstrongswan-xauth-generic.la: $(libstrongswan_xauth_generic_la_OBJECTS) $(libstrongswan_xauth_generic_la_DEPENDENCIES) $(EXTRA_libstrongswan_xauth_generic_la_DEPENDENCIES) 
 	$(libstrongswan_xauth_generic_la_LINK) $(am_libstrongswan_xauth_generic_la_rpath) $(libstrongswan_xauth_generic_la_OBJECTS) $(libstrongswan_xauth_generic_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
@@ -513,10 +522,15 @@ install-am: all-am
 
 installcheck: installcheck-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
diff --git a/src/libcharon/plugins/xauth_pam/Makefile.in b/src/libcharon/plugins/xauth_pam/Makefile.in
index c3514473c..b249b418f 100644
--- a/src/libcharon/plugins/xauth_pam/Makefile.in
+++ b/src/libcharon/plugins/xauth_pam/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -73,6 +73,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
 am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
 am__installdirs = "$(DESTDIR)$(plugindir)"
 LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
 libstrongswan_xauth_pam_la_LIBADD =
@@ -124,6 +130,7 @@ CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -151,6 +158,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -178,6 +186,7 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
@@ -190,6 +199,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -243,7 +253,6 @@ libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -375,7 +384,7 @@ clean-pluginLTLIBRARIES:
 	  echo "rm -f \"$${dir}/so_locations\""; \
 	  rm -f "$${dir}/so_locations"; \
 	done
-libstrongswan-xauth-pam.la: $(libstrongswan_xauth_pam_la_OBJECTS) $(libstrongswan_xauth_pam_la_DEPENDENCIES) 
+libstrongswan-xauth-pam.la: $(libstrongswan_xauth_pam_la_OBJECTS) $(libstrongswan_xauth_pam_la_DEPENDENCIES) $(EXTRA_libstrongswan_xauth_pam_la_DEPENDENCIES) 
 	$(libstrongswan_xauth_pam_la_LINK) $(am_libstrongswan_xauth_pam_la_rpath) $(libstrongswan_xauth_pam_la_OBJECTS) $(libstrongswan_xauth_pam_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
@@ -513,10 +522,15 @@ install-am: all-am
 
 installcheck: installcheck-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
diff --git a/src/libcharon/processing/jobs/delete_ike_sa_job.c b/src/libcharon/processing/jobs/delete_ike_sa_job.c
index 08b41af8c..3a8c2e1cd 100644
--- a/src/libcharon/processing/jobs/delete_ike_sa_job.c
+++ b/src/libcharon/processing/jobs/delete_ike_sa_job.c
@@ -84,6 +84,7 @@ METHOD(job_t, execute, job_requeue_t,
 			else
 			{
 				DBG1(DBG_JOB, "deleting half open IKE_SA after timeout");
+				charon->bus->alert(charon->bus, ALERT_HALF_OPEN_TIMEOUT);
 				charon->ike_sa_manager->checkin_and_destroy(
 												charon->ike_sa_manager, ike_sa);
 			}
diff --git a/src/libcharon/processing/jobs/dpd_timeout_job.c b/src/libcharon/processing/jobs/dpd_timeout_job.c
index 91a76bbaf..64a9785a6 100644
--- a/src/libcharon/processing/jobs/dpd_timeout_job.c
+++ b/src/libcharon/processing/jobs/dpd_timeout_job.c
@@ -77,6 +77,7 @@ METHOD(job_t, execute, job_requeue_t,
 		if (use_time < this->check)
 		{
 			DBG1(DBG_JOB, "DPD check timed out, enforcing DPD action");
+			charon->bus->ike_updown(charon->bus, ike_sa, FALSE);
 			ike_sa->reestablish(ike_sa);
 			charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager,
 														ike_sa);
diff --git a/src/libcharon/processing/jobs/mediation_job.h b/src/libcharon/processing/jobs/mediation_job.h
index 41485cbc6..6a1475102 100644
--- a/src/libcharon/processing/jobs/mediation_job.h
+++ b/src/libcharon/processing/jobs/mediation_job.h
@@ -26,7 +26,7 @@ typedef struct mediation_job_t mediation_job_t;
 #include <library.h>
 #include <processing/jobs/job.h>
 #include <utils/identification.h>
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
 
 /**
  * Class representing a MEDIATION Job.
diff --git a/src/libcharon/processing/jobs/migrate_job.h b/src/libcharon/processing/jobs/migrate_job.h
index 09679c734..30c0ad0ac 100644
--- a/src/libcharon/processing/jobs/migrate_job.h
+++ b/src/libcharon/processing/jobs/migrate_job.h
@@ -24,7 +24,7 @@
 typedef struct migrate_job_t migrate_job_t;
 
 #include <library.h>
-#include <utils/host.h>
+#include <networking/host.h>
 #include <selectors/traffic_selector.h>
 #include <kernel/kernel_ipsec.h>
 #include <processing/jobs/job.h>
diff --git a/src/libcharon/processing/jobs/process_message_job.c b/src/libcharon/processing/jobs/process_message_job.c
index 71a2cb45d..606135b0b 100644
--- a/src/libcharon/processing/jobs/process_message_job.c
+++ b/src/libcharon/processing/jobs/process_message_job.c
@@ -67,9 +67,10 @@ METHOD(job_t, execute, job_requeue_t,
 														 this->message);
 	if (ike_sa)
 	{
-		DBG1(DBG_NET, "received packet: from %#H to %#H",
+		DBG1(DBG_NET, "received packet: from %#H to %#H (%zu bytes)",
 			 this->message->get_source(this->message),
-			 this->message->get_destination(this->message));
+			 this->message->get_destination(this->message),
+			 this->message->get_packet_data(this->message).len);
 		if (ike_sa->process_message(ike_sa, this->message) == DESTROY_ME)
 		{
 			charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager,
diff --git a/src/libcharon/processing/jobs/update_sa_job.h b/src/libcharon/processing/jobs/update_sa_job.h
index e2344fcc4..55a3df83e 100644
--- a/src/libcharon/processing/jobs/update_sa_job.h
+++ b/src/libcharon/processing/jobs/update_sa_job.h
@@ -24,7 +24,7 @@
 typedef struct update_sa_job_t update_sa_job_t;
 
 #include <library.h>
-#include <utils/host.h>
+#include <networking/host.h>
 #include <processing/jobs/job.h>
 
 /**
diff --git a/src/libcharon/sa/child_sa.c b/src/libcharon/sa/child_sa.c
index 1245734c9..f02d836cf 100644
--- a/src/libcharon/sa/child_sa.c
+++ b/src/libcharon/sa/child_sa.c
@@ -824,8 +824,15 @@ METHOD(child_sa_t, add_policies, status_t,
  */
 static void reinstall_vip(host_t *vip, host_t *me)
 {
-	hydra->kernel_interface->del_ip(hydra->kernel_interface, vip);
-	hydra->kernel_interface->add_ip(hydra->kernel_interface, vip, me);
+	char *iface;
+
+	if (hydra->kernel_interface->get_interface(hydra->kernel_interface,
+											   me, &iface))
+	{
+		hydra->kernel_interface->del_ip(hydra->kernel_interface, vip, -1, TRUE);
+		hydra->kernel_interface->add_ip(hydra->kernel_interface, vip, -1, iface);
+		free(iface);
+	}
 }
 
 METHOD(child_sa_t, update, status_t,
diff --git a/src/libcharon/sa/eap/eap_manager.c b/src/libcharon/sa/eap/eap_manager.c
index 520c0ce56..1886307e9 100644
--- a/src/libcharon/sa/eap/eap_manager.c
+++ b/src/libcharon/sa/eap/eap_manager.c
@@ -16,7 +16,7 @@
 
 #include "eap_manager.h"
 
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
 #include <threading/rwlock.h>
 
 typedef struct private_eap_manager_t private_eap_manager_t;
diff --git a/src/libcharon/sa/ike_sa.c b/src/libcharon/sa/ike_sa.c
index 1d49acb52..4029db11d 100644
--- a/src/libcharon/sa/ike_sa.c
+++ b/src/libcharon/sa/ike_sa.c
@@ -26,7 +26,7 @@
 #include <library.h>
 #include <hydra.h>
 #include <daemon.h>
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
 #include <utils/lexparser.h>
 #include <processing/jobs/retransmit_job.h>
 #include <processing/jobs/delete_ike_sa_job.h>
@@ -741,15 +741,26 @@ METHOD(ike_sa_t, add_virtual_ip, void,
 {
 	if (local)
 	{
-		DBG1(DBG_IKE, "installing new virtual IP %H", ip);
-		if (hydra->kernel_interface->add_ip(hydra->kernel_interface, ip,
-											this->my_host) == SUCCESS)
+		char *iface;
+
+		if (hydra->kernel_interface->get_interface(hydra->kernel_interface,
+												   this->my_host, &iface))
 		{
-			this->my_vips->insert_last(this->my_vips, ip->clone(ip));
+			DBG1(DBG_IKE, "installing new virtual IP %H", ip);
+			if (hydra->kernel_interface->add_ip(hydra->kernel_interface,
+												ip, -1, iface) == SUCCESS)
+			{
+				this->my_vips->insert_last(this->my_vips, ip->clone(ip));
+			}
+			else
+			{
+				DBG1(DBG_IKE, "installing virtual IP %H failed", ip);
+			}
+			free(iface);
 		}
 		else
 		{
-			DBG1(DBG_IKE, "installing virtual IP %H failed", ip);
+			DBG1(DBG_IKE, "looking up interface for virtual IP %H failed", ip);
 		}
 	}
 	else
@@ -769,7 +780,8 @@ METHOD(ike_sa_t, clear_virtual_ips, void,
 	{
 		if (local)
 		{
-			hydra->kernel_interface->del_ip(hydra->kernel_interface, vip);
+			hydra->kernel_interface->del_ip(hydra->kernel_interface,
+											vip, -1, TRUE);
 		}
 		vip->destroy(vip);
 	}
@@ -1220,7 +1232,8 @@ METHOD(ike_sa_t, process_message, status_t,
 		case IKE_SA_INIT:
 		case IKE_AUTH:
 			if (this->state != IKE_CREATED &&
-				this->state != IKE_CONNECTING)
+				this->state != IKE_CONNECTING &&
+				message->get_first_payload_type(message) != FRAGMENT_V1)
 			{
 				DBG1(DBG_IKE, "ignoring %N in established IKE_SA state",
 					 exchange_type_names, message->get_exchange_type(message));
@@ -1690,6 +1703,8 @@ METHOD(ike_sa_t, retransmit, status_t,
 			{
 				/* retry IKE_SA_INIT/Main Mode if we have multiple keyingtries */
 				u_int32_t tries = this->peer_cfg->get_keyingtries(this->peer_cfg);
+				charon->bus->alert(charon->bus, ALERT_PEER_INIT_UNREACHABLE,
+								   this->keyingtry);
 				this->keyingtry++;
 				if (tries == 0 || tries > this->keyingtry)
 				{
@@ -1965,14 +1980,14 @@ METHOD(ike_sa_t, inherit, void,
 	this->other_id = other->other_id->clone(other->other_id);
 
 	/* apply assigned virtual IPs... */
-	while (this->my_vips->remove_last(this->my_vips, (void**)&vip) == SUCCESS)
+	while (other->my_vips->remove_last(other->my_vips, (void**)&vip) == SUCCESS)
 	{
-		other->my_vips->insert_first(other->my_vips, vip);
+		this->my_vips->insert_first(this->my_vips, vip);
 	}
-	while (this->other_vips->remove_last(this->other_vips,
-										 (void**)&vip) == SUCCESS)
+	while (other->other_vips->remove_last(other->other_vips,
+										  (void**)&vip) == SUCCESS)
 	{
-		other->other_vips->insert_first(other->other_vips, vip);
+		this->other_vips->insert_first(this->other_vips, vip);
 	}
 
 	/* authentication information */
@@ -2074,7 +2089,7 @@ METHOD(ike_sa_t, destroy, void,
 
 	while (this->my_vips->remove_last(this->my_vips, (void**)&vip) == SUCCESS)
 	{
-		hydra->kernel_interface->del_ip(hydra->kernel_interface, vip);
+		hydra->kernel_interface->del_ip(hydra->kernel_interface, vip, -1, TRUE);
 		vip->destroy(vip);
 	}
 	this->my_vips->destroy(this->my_vips);
diff --git a/src/libcharon/sa/ike_sa.h b/src/libcharon/sa/ike_sa.h
index af741c799..625859a3f 100644
--- a/src/libcharon/sa/ike_sa.h
+++ b/src/libcharon/sa/ike_sa.h
@@ -43,7 +43,7 @@ typedef struct ike_sa_t ike_sa_t;
 #include <config/peer_cfg.h>
 #include <config/ike_cfg.h>
 #include <credentials/auth_cfg.h>
-#include <utils/packet.h>
+#include <networking/packet.h>
 
 /**
  * Timeout in seconds after that a half open IKE_SA gets deleted.
@@ -72,6 +72,7 @@ enum ike_extension_t {
 
 	/**
 	 * peer supports NAT traversal as specified in RFC4306 or RFC3947
+	 * including some RFC3947 drafts
 	 */
 	EXT_NATT = (1<<0),
 
@@ -119,6 +120,17 @@ enum ike_extension_t {
 	 * peer supports Cisco Unity configuration attributes
 	 */
 	EXT_CISCO_UNITY = (1<<9),
+
+	/**
+	 * peer supports NAT traversal as specified in
+	 * draft-ietf-ipsec-nat-t-ike-02 .. -03
+	 */
+	EXT_NATT_DRAFT_02_03 = (1<<10),
+
+	/**
+	 * peer support proprietary IKE fragmentation
+	 */
+	EXT_IKE_FRAGMENTATION = (1<<11),
 };
 
 /**
@@ -1014,9 +1026,8 @@ struct ike_sa_t {
 	 *
 	 * When rekeying is completed, all CHILD_SAs, the virtual IP and all
 	 * outstanding tasks are moved from other to this.
-	 * As this call may initiate inherited tasks, a status is returned.
 	 *
-	 * @param other			other task to inherit from
+	 * @param other			other IKE SA to inherit from
 	 */
 	void (*inherit) (ike_sa_t *this, ike_sa_t *other);
 
diff --git a/src/libcharon/sa/ike_sa_manager.c b/src/libcharon/sa/ike_sa_manager.c
index a396235c2..2ac8c3123 100644
--- a/src/libcharon/sa/ike_sa_manager.c
+++ b/src/libcharon/sa/ike_sa_manager.c
@@ -26,7 +26,7 @@
 #include <threading/condvar.h>
 #include <threading/mutex.h>
 #include <threading/rwlock.h>
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
 #include <crypto/hashers/hasher.h>
 
 /* the default size of the hash table (MUST be a power of 2) */
@@ -397,6 +397,11 @@ struct private_ike_sa_manager_t {
 	 * reuse existing IKE_SAs in checkout_by_config
 	 */
 	bool reuse_ikesa;
+
+	/**
+	 * Configured IKE_SA limit, if any
+	 */
+	u_int ikesa_limit;
 };
 
 /**
@@ -963,14 +968,37 @@ static u_int64_t get_spi(private_ike_sa_manager_t *this)
 static bool get_init_hash(private_ike_sa_manager_t *this, message_t *message,
 						  chunk_t *hash)
 {
+	host_t *src;
+
 	if (!this->hasher)
 	{	/* this might be the case when flush() has been called */
 		return FALSE;
 	}
+	if (message->get_first_payload_type(message) == FRAGMENT_V1)
+	{	/* only hash the source IP, port and SPI for fragmented init messages */
+		u_int16_t port;
+		u_int64_t spi;
+
+		src = message->get_source(message);
+		if (!this->hasher->allocate_hash(this->hasher,
+										 src->get_address(src), NULL))
+		{
+			return FALSE;
+		}
+		port = src->get_port(src);
+		if (!this->hasher->allocate_hash(this->hasher,
+										 chunk_from_thing(port), NULL))
+		{
+			return FALSE;
+		}
+		spi = message->get_initiator_spi(message);
+		return this->hasher->allocate_hash(this->hasher,
+										   chunk_from_thing(spi), hash);
+	}
 	if (message->get_exchange_type(message) == ID_PROT)
 	{	/* include the source for Main Mode as the hash will be the same if
 		 * SPIs are reused by two initiators that use the same proposal */
-		host_t *src = message->get_source(message);
+		src = message->get_source(message);
 
 		if (!this->hasher->allocate_hash(this->hasher,
 										 src->get_address(src), NULL))
@@ -1203,34 +1231,46 @@ METHOD(ike_sa_manager_t, checkout_by_message, ike_sa_t*,
 		{
 			case NOT_FOUND:
 			{	/* we've not seen this packet yet, create a new IKE_SA */
-				id->set_responder_spi(id, our_spi);
-				ike_sa = ike_sa_create(id, FALSE, ike_version);
-				if (ike_sa)
+				if (!this->ikesa_limit ||
+					this->public.get_count(&this->public) < this->ikesa_limit)
 				{
-					entry = entry_create();
-					entry->ike_sa = ike_sa;
-					entry->ike_sa_id = id->clone(id);
+					id->set_responder_spi(id, our_spi);
+					ike_sa = ike_sa_create(id, FALSE, ike_version);
+					if (ike_sa)
+					{
+						entry = entry_create();
+						entry->ike_sa = ike_sa;
+						entry->ike_sa_id = id;
 
-					segment = put_entry(this, entry);
-					entry->checked_out = TRUE;
-					unlock_single_segment(this, segment);
+						segment = put_entry(this, entry);
+						entry->checked_out = TRUE;
+						unlock_single_segment(this, segment);
 
-					entry->message_id = message->get_message_id(message);
-					entry->init_hash = hash;
+						entry->message_id = message->get_message_id(message);
+						entry->init_hash = hash;
 
-					DBG2(DBG_MGR, "created IKE_SA %s[%u]",
-						 ike_sa->get_name(ike_sa),
-						 ike_sa->get_unique_id(ike_sa));
+						DBG2(DBG_MGR, "created IKE_SA %s[%u]",
+							 ike_sa->get_name(ike_sa),
+							 ike_sa->get_unique_id(ike_sa));
+
+						charon->bus->set_sa(charon->bus, ike_sa);
+						return ike_sa;
+					}
+					else
+					{
+						DBG1(DBG_MGR, "creating IKE_SA failed, ignoring message");
+					}
 				}
 				else
 				{
-					remove_init_hash(this, hash);
-					chunk_free(&hash);
-					DBG1(DBG_MGR, "ignoring message, no such IKE_SA");
+					DBG1(DBG_MGR, "ignoring %N, hitting IKE_SA limit (%u)",
+						 exchange_type_names, message->get_exchange_type(message),
+						 this->ikesa_limit);
 				}
+				remove_init_hash(this, hash);
+				chunk_free(&hash);
 				id->destroy(id);
-				charon->bus->set_sa(charon->bus, ike_sa);
-				return ike_sa;
+				return NULL;
 			}
 			case FAILED:
 			{	/* we failed to allocate an SPI */
@@ -1263,7 +1303,10 @@ METHOD(ike_sa_manager_t, checkout_by_message, ike_sa_t*,
 
 			ike_id = entry->ike_sa->get_id(entry->ike_sa);
 			entry->checked_out = TRUE;
-			entry->message_id = message->get_message_id(message);
+			if (message->get_first_payload_type(message) != FRAGMENT_V1)
+			{
+				entry->message_id = message->get_message_id(message);
+			}
 			if (ike_id->get_responder_spi(ike_id) == 0)
 			{
 				ike_id->set_responder_spi(ike_id, id->get_responder_spi(id));
@@ -1274,6 +1317,10 @@ METHOD(ike_sa_manager_t, checkout_by_message, ike_sa_t*,
 		}
 		unlock_single_segment(this, segment);
 	}
+	else
+	{
+		charon->bus->alert(charon->bus, ALERT_INVALID_IKE_SPI, message);
+	}
 	id->destroy(id);
 	charon->bus->set_sa(charon->bus, ike_sa);
 	return ike_sa;
@@ -1748,6 +1795,7 @@ METHOD(ike_sa_manager_t, check_uniqueness, bool,
 					switch (policy)
 					{
 						case UNIQUE_REPLACE:
+							charon->bus->alert(charon->bus, ALERT_UNIQUE_REPLACE);
 							DBG1(DBG_IKE, "deleting duplicate IKE_SA for peer "
 									"'%Y' due to uniqueness policy", other);
 							status = duplicate->delete(duplicate);
@@ -2045,6 +2093,9 @@ ike_sa_manager_t *ike_sa_manager_create()
 		return NULL;
 	}
 
+	this->ikesa_limit = lib->settings->get_int(lib->settings,
+									"%s.ikesa_limit", 0, charon->name);
+
 	this->table_size = get_nearest_powerof2(lib->settings->get_int(
 									lib->settings, "%s.ikesa_table_size",
 									DEFAULT_HASHTABLE_SIZE, charon->name));
diff --git a/src/libcharon/sa/ikev1/keymat_v1.c b/src/libcharon/sa/ikev1/keymat_v1.c
index cff344a34..eb642109b 100644
--- a/src/libcharon/sa/ikev1/keymat_v1.c
+++ b/src/libcharon/sa/ikev1/keymat_v1.c
@@ -18,7 +18,7 @@
 #include <daemon.h>
 #include <encoding/generator.h>
 #include <encoding/payloads/nonce_payload.h>
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
 
 typedef struct private_keymat_v1_t private_keymat_v1_t;
 
diff --git a/src/libcharon/sa/ikev1/phase1.c b/src/libcharon/sa/ikev1/phase1.c
index 4096141ec..1189d3c69 100644
--- a/src/libcharon/sa/ikev1/phase1.c
+++ b/src/libcharon/sa/ikev1/phase1.c
@@ -22,7 +22,7 @@
 #include <sa/ikev1/keymat_v1.h>
 #include <encoding/payloads/ke_payload.h>
 #include <encoding/payloads/nonce_payload.h>
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
 
 typedef struct private_phase1_t private_phase1_t;
 
@@ -186,7 +186,7 @@ static shared_key_t *lookup_shared_key(private_phase1_t *this,
 		}
 	}
 	enumerator->destroy(enumerator);
-	if (!peer_cfg)
+	if (!shared_key)
 	{
 		DBG1(DBG_IKE, "no shared key found for %H - %H", me, other);
 	}
diff --git a/src/libcharon/sa/ikev1/task_manager_v1.c b/src/libcharon/sa/ikev1/task_manager_v1.c
index fd0ad235a..8a4761d5c 100644
--- a/src/libcharon/sa/ikev1/task_manager_v1.c
+++ b/src/libcharon/sa/ikev1/task_manager_v1.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2007-2011 Tobias Brunner
+ * Copyright (C) 2007-2013 Tobias Brunner
  * Copyright (C) 2007-2011 Martin Willi
  * Hochschule fuer Technik Rapperswil
  *
@@ -36,6 +36,10 @@
 #include <processing/jobs/retransmit_job.h>
 #include <processing/jobs/delete_ike_sa_job.h>
 #include <processing/jobs/dpd_timeout_job.h>
+#include <processing/jobs/process_message_job.h>
+
+#include <encoding/payloads/fragment_payload.h>
+#include <bio/bio_writer.h>
 
 /**
  * Number of old messages hashes we keep for retransmission.
@@ -46,6 +50,20 @@
  */
 #define MAX_OLD_HASHES 2
 
+/**
+ * Maximum packet size for fragmented packets (same as in sockets)
+ */
+#define MAX_PACKET 10000
+
+/**
+ * Maximum size of fragment data when sending packets (currently the same is
+ * used for IPv4 and IPv6, even though the latter has a higher minimum datagram
+ * size).  576 (= min. IPv4) - 20 (= IP header) - 8 (= UDP header) -
+ *  - 28 (= IKE header) - 8 (= fragment header) = 512
+ * This is reduced by 4 in case of NAT-T (due to the non-ESP marker).
+ */
+#define MAX_FRAGMENT_SIZE 512
+
 /**
  * First sequence number of responding packets.
  *
@@ -160,19 +178,65 @@ struct private_task_manager_t {
 		packet_t *packet;
 
 		/**
-		 * type of the initated exchange
+		 * type of the initiated exchange
 		 */
 		exchange_type_t type;
 
 	} initiating;
 
+	/**
+	 * Data used to reassemble a fragmented message
+	 */
+	struct {
+
+		/**
+		 * Fragment ID (currently only one is supported at a time)
+		 */
+		u_int16_t id;
+
+		/**
+		 * The number of the last fragment (in case we receive the fragments out
+		 * of order), since the first starts with 1 this defines the number of
+		 * fragments we expect
+		 */
+		u_int8_t last;
+
+		/**
+		 * List of fragments (fragment_t*)
+		 */
+		linked_list_t *list;
+
+		/**
+		 * Length of all currently received fragments
+		 */
+		size_t len;
+
+		/**
+		 * Maximum length of a fragmented packet
+		 */
+		size_t max_packet;
+
+		/**
+		 * Maximum length of a single fragment (when sending)
+		 */
+		size_t size;
+
+		/**
+		 * The exchange type we use for fragments. Always the initial type even
+		 * for fragmented quick mode or transaction messages (i.e. either
+		 * ID_PROT or AGGRESSIVE)
+		 */
+		exchange_type_t exchange;
+
+	} frag;
+
 	/**
 	 * List of queued tasks not yet in action
 	 */
 	linked_list_t *queued_tasks;
 
 	/**
-	 * List of active tasks, initiated by ourselve
+	 * List of active tasks, initiated by ourselves
 	 */
 	linked_list_t *active_tasks;
 
@@ -212,6 +276,34 @@ struct private_task_manager_t {
 	u_int32_t dpd_recv;
 };
 
+/**
+ * A single fragment within a fragmented message
+ */
+typedef struct {
+
+	/** fragment number */
+	u_int8_t num;
+
+	/** fragment data */
+	chunk_t data;
+
+} fragment_t;
+
+static void fragment_destroy(fragment_t *this)
+{
+	chunk_free(&this->data);
+	free(this);
+}
+
+static void clear_fragments(private_task_manager_t *this, u_int16_t id)
+{
+	DESTROY_FUNCTION_IF(this->frag.list, (void*)fragment_destroy);
+	this->frag.list = NULL;
+	this->frag.last = 0;
+	this->frag.len = 0;
+	this->frag.id = id;
+}
+
 METHOD(task_manager_t, flush_queue, void,
 	private_task_manager_t *this, task_queue_t queue)
 {
@@ -282,17 +374,104 @@ static bool activate_task(private_task_manager_t *this, task_type_t type)
 	return found;
 }
 
+/**
+ * Send a single fragment with the given data
+ */
+static bool send_fragment(private_task_manager_t *this, bool request,
+					host_t *src, host_t *dst, fragment_payload_t *fragment)
+{
+	message_t *message;
+	packet_t *packet;
+	status_t status;
+
+	message = message_create(IKEV1_MAJOR_VERSION, IKEV1_MINOR_VERSION);
+	/* other implementations seem to just use 0 as message ID, so here we go */
+	message->set_message_id(message, 0);
+	message->set_request(message, request);
+	message->set_source(message, src->clone(src));
+	message->set_destination(message, dst->clone(dst));
+	message->set_exchange_type(message, this->frag.exchange);
+	message->add_payload(message, (payload_t*)fragment);
+
+	status = this->ike_sa->generate_message(this->ike_sa, message, &packet);
+	if (status != SUCCESS)
+	{
+		DBG1(DBG_IKE, "failed to generate IKE fragment");
+		message->destroy(message);
+		return FALSE;
+	}
+	charon->sender->send(charon->sender, packet);
+	message->destroy(message);
+	return TRUE;
+}
+
+/**
+ * Send a packet, if supported and required do so in fragments
+ */
+static bool send_packet(private_task_manager_t *this, bool request,
+						packet_t *packet)
+{
+	fragmentation_t fragmentation = FRAGMENTATION_NO;
+	ike_cfg_t *ike_cfg;
+	host_t *src, *dst;
+	chunk_t data;
+
+	ike_cfg = this->ike_sa->get_ike_cfg(this->ike_sa);
+	if (ike_cfg)
+	{
+		fragmentation = ike_cfg->fragmentation(ike_cfg);
+	}
+	data = packet->get_data(packet);
+	if (data.len > this->frag.size && (fragmentation == FRAGMENTATION_FORCE ||
+	   (this->ike_sa->supports_extension(this->ike_sa, EXT_IKE_FRAGMENTATION) &&
+		fragmentation == FRAGMENTATION_YES)))
+	{
+		fragment_payload_t *fragment;
+		u_int8_t num, count;
+		size_t len, frag_size;
+		bool nat;
+
+		/* reduce size due to non-ESP marker */
+		nat = this->ike_sa->has_condition(this->ike_sa, COND_NAT_ANY);
+		frag_size = this->frag.size - (nat ? 4 : 0);
+
+		src = packet->get_source(packet);
+		dst = packet->get_destination(packet);
+		count = (data.len / (frag_size + 1)) + 1;
+
+		DBG1(DBG_IKE, "sending IKE message with length of %zu bytes in "
+			 "%hhu fragments", data.len, count);
+		for (num = 1; num <= count; num++)
+		{
+			len = min(data.len, frag_size);
+			fragment = fragment_payload_create_from_data(num, num == count,
+												chunk_create(data.ptr, len));
+			if (!send_fragment(this, request, src, dst, fragment))
+			{
+				packet->destroy(packet);
+				return FALSE;
+			}
+			data = chunk_skip(data, len);
+		}
+		packet->destroy(packet);
+		return TRUE;
+	}
+	charon->sender->send(charon->sender, packet);
+	return TRUE;
+}
+
 /**
  * Retransmit a packet, either as initiator or as responder
  */
-static status_t retransmit_packet(private_task_manager_t *this, u_int32_t seqnr,
-							u_int mid, u_int retransmitted, packet_t *packet)
+static status_t retransmit_packet(private_task_manager_t *this, bool request,
+			u_int32_t seqnr, u_int mid, u_int retransmitted, packet_t *packet)
 {
 	u_int32_t t;
 
 	if (retransmitted > this->retransmit_tries)
 	{
 		DBG1(DBG_IKE, "giving up after %u retransmits", retransmitted - 1);
+		charon->bus->alert(charon->bus, ALERT_RETRANSMIT_SEND_TIMEOUT, packet);
 		return DESTROY_ME;
 	}
 	t = (u_int32_t)(this->retransmit_timeout * 1000.0 *
@@ -302,8 +481,12 @@ static status_t retransmit_packet(private_task_manager_t *this, u_int32_t seqnr,
 		DBG1(DBG_IKE, "sending retransmit %u of %s message ID %u, seq %u",
 			 retransmitted, seqnr < RESPONDING_SEQ ? "request" : "response",
 			 mid, seqnr < RESPONDING_SEQ ? seqnr : seqnr - RESPONDING_SEQ);
+		charon->bus->alert(charon->bus, ALERT_RETRANSMIT_SEND, packet);
+	}
+	if (!send_packet(this, request, packet->clone(packet)))
+	{
+		return DESTROY_ME;
 	}
-	charon->sender->send(charon->sender, packet->clone(packet));
 	lib->scheduler->schedule_job_ms(lib->scheduler, (job_t*)
 			retransmit_job_create(seqnr, this->ike_sa->get_id(this->ike_sa)), t);
 	return NEED_MORE;
@@ -316,7 +499,7 @@ METHOD(task_manager_t, retransmit, status_t,
 
 	if (seqnr == this->initiating.seqnr && this->initiating.packet)
 	{
-		status = retransmit_packet(this, seqnr, this->initiating.mid,
+		status = retransmit_packet(this, TRUE, seqnr, this->initiating.mid,
 					this->initiating.retransmitted, this->initiating.packet);
 		if (status == NEED_MORE)
 		{
@@ -326,7 +509,7 @@ METHOD(task_manager_t, retransmit, status_t,
 	}
 	if (seqnr == this->responding.seqnr && this->responding.packet)
 	{
-		status = retransmit_packet(this, seqnr, this->responding.mid,
+		status = retransmit_packet(this, FALSE, seqnr, this->responding.mid,
 					this->responding.retransmitted, this->responding.packet);
 		if (status == NEED_MORE)
 		{
@@ -602,12 +785,12 @@ METHOD(task_manager_t, initiate, status_t,
 	}
 	if (keep)
 	{	/* keep the packet for retransmission, the responder might request it */
-		charon->sender->send(charon->sender,
+		send_packet(this, TRUE,
 					this->initiating.packet->clone(this->initiating.packet));
 	}
 	else
 	{
-		charon->sender->send(charon->sender, this->initiating.packet);
+		send_packet(this, TRUE, this->initiating.packet);
 		this->initiating.packet = NULL;
 	}
 	message->destroy(message);
@@ -711,8 +894,8 @@ static status_t build_response(private_task_manager_t *this, message_t *request)
 	{
 		return retransmit(this, this->responding.seqnr);
 	}
-	charon->sender->send(charon->sender,
-					this->responding.packet->clone(this->responding.packet));
+	send_packet(this, FALSE,
+				this->responding.packet->clone(this->responding.packet));
 	if (delete)
 	{
 		return DESTROY_ME;
@@ -767,7 +950,7 @@ static void send_notify(private_task_manager_t *this, message_t *request,
 	if (this->ike_sa->generate_message(this->ike_sa, response,
 									   &packet) == SUCCESS)
 	{
-		charon->sender->send(charon->sender, packet);
+		send_packet(this, TRUE, packet);
 	}
 	response->destroy(response);
 }
@@ -866,6 +1049,7 @@ static status_t process_request(private_task_manager_t *this,
 				this->passive_tasks->insert_last(this->passive_tasks, task);
 				task = (task_t *)isakmp_natd_create(this->ike_sa, FALSE);
 				this->passive_tasks->insert_last(this->passive_tasks, task);
+				this->frag.exchange = AGGRESSIVE;
 				break;
 			case QUICK_MODE:
 				if (this->ike_sa->get_state(this->ike_sa) != IKE_ESTABLISHED)
@@ -1036,6 +1220,114 @@ static status_t process_response(private_task_manager_t *this,
 	return initiate(this);
 }
 
+static status_t handle_fragment(private_task_manager_t *this, message_t *msg)
+{
+	fragment_payload_t *payload;
+	enumerator_t *enumerator;
+	fragment_t *fragment;
+	status_t status = SUCCESS;
+	chunk_t data;
+	u_int8_t num;
+
+	payload = (fragment_payload_t*)msg->get_payload(msg, FRAGMENT_V1);
+	if (!payload)
+	{
+		return FAILED;
+	}
+
+	if (this->frag.id != payload->get_id(payload))
+	{
+		clear_fragments(this, payload->get_id(payload));
+		this->frag.list = linked_list_create();
+	}
+
+	num = payload->get_number(payload);
+	if (!this->frag.last && payload->is_last(payload))
+	{
+		this->frag.last = num;
+	}
+
+	enumerator = this->frag.list->create_enumerator(this->frag.list);
+	while (enumerator->enumerate(enumerator, &fragment))
+	{
+		if (fragment->num == num)
+		{	/* ignore a duplicate fragment */
+			DBG1(DBG_IKE, "received duplicate fragment #%hhu", num);
+			enumerator->destroy(enumerator);
+			return NEED_MORE;
+		}
+		if (fragment->num > num)
+		{
+			break;
+		}
+	}
+
+	data = payload->get_data(payload);
+	this->frag.len += data.len;
+	if (this->frag.len > this->frag.max_packet)
+	{
+		DBG1(DBG_IKE, "fragmented IKE message is too large");
+		enumerator->destroy(enumerator);
+		clear_fragments(this, 0);
+		return FAILED;
+	}
+
+	INIT(fragment,
+		.num = num,
+		.data = chunk_clone(data),
+	);
+
+	this->frag.list->insert_before(this->frag.list, enumerator, fragment);
+	enumerator->destroy(enumerator);
+
+	if (this->frag.list->get_count(this->frag.list) == this->frag.last)
+	{
+		message_t *message;
+		packet_t *pkt;
+		host_t *src, *dst;
+		bio_writer_t *writer;
+
+		writer = bio_writer_create(this->frag.len);
+		DBG1(DBG_IKE, "received fragment #%hhu, reassembling fragmented IKE "
+			 "message", num);
+		enumerator = this->frag.list->create_enumerator(this->frag.list);
+		while (enumerator->enumerate(enumerator, &fragment))
+		{
+			writer->write_data(writer, fragment->data);
+		}
+		enumerator->destroy(enumerator);
+
+		src = msg->get_source(msg);
+		dst = msg->get_destination(msg);
+		pkt = packet_create_from_data(src->clone(src), dst->clone(dst),
+									  writer->extract_buf(writer));
+		writer->destroy(writer);
+
+		message = message_create_from_packet(pkt);
+		if (message->parse_header(message) != SUCCESS)
+		{
+			DBG1(DBG_IKE, "failed to parse header of reassembled IKE message");
+			message->destroy(message);
+			status = FAILED;
+		}
+		else
+		{
+			lib->processor->queue_job(lib->processor,
+								(job_t*)process_message_job_create(message));
+			status = NEED_MORE;
+
+		}
+		clear_fragments(this, 0);
+	}
+	else
+	{	/* there are some fragments missing */
+		DBG1(DBG_IKE, "received fragment #%hhu, waiting for complete IKE "
+			 "message", num);
+		status = NEED_MORE;
+	}
+	return status;
+}
+
 /**
  * Parse the given message and verify that it is valid.
  */
@@ -1076,11 +1368,18 @@ static status_t parse_message(private_task_manager_t *this, message_t *msg)
 			 msg->get_request(msg) ? "request" : "response",
 			 msg->get_message_id(msg));
 
+		charon->bus->alert(charon->bus, ALERT_PARSE_ERROR_BODY, msg, status);
+
 		if (this->ike_sa->get_state(this->ike_sa) == IKE_CREATED)
 		{	/* invalid initiation attempt, close SA */
 			return DESTROY_ME;
 		}
 	}
+
+	if (msg->get_first_payload_type(msg) == FRAGMENT_V1)
+	{
+		return handle_fragment(this, msg);
+	}
 	return status;
 }
 
@@ -1107,8 +1406,8 @@ METHOD(task_manager_t, process_message, status_t,
 			{
 				DBG1(DBG_IKE, "received retransmit of response with ID %u, "
 					 "resending last request", mid);
-				charon->sender->send(charon->sender,
-						this->initiating.packet->clone(this->initiating.packet));
+				send_packet(this, TRUE,
+					this->initiating.packet->clone(this->initiating.packet));
 				return SUCCESS;
 			}
 			DBG1(DBG_IKE, "received retransmit of response with ID %u, "
@@ -1125,6 +1424,10 @@ METHOD(task_manager_t, process_message, status_t,
 		msg->set_request(msg, FALSE);
 		charon->bus->message(charon->bus, msg, TRUE, FALSE);
 		status = parse_message(this, msg);
+		if (status == NEED_MORE)
+		{
+			return SUCCESS;
+		}
 		if (status != SUCCESS)
 		{
 			return status;
@@ -1149,7 +1452,7 @@ METHOD(task_manager_t, process_message, status_t,
 			{
 				DBG1(DBG_IKE, "received retransmit of request with ID %u, "
 					 "retransmitting response", mid);
-				charon->sender->send(charon->sender,
+				send_packet(this, FALSE,
 						this->responding.packet->clone(this->responding.packet));
 			}
 			else if (this->initiating.packet &&
@@ -1157,7 +1460,7 @@ METHOD(task_manager_t, process_message, status_t,
 			{
 				DBG1(DBG_IKE, "received retransmit of DPD request, "
 					 "retransmitting response");
-				charon->sender->send(charon->sender,
+				send_packet(this, TRUE,
 						this->initiating.packet->clone(this->initiating.packet));
 			}
 			else
@@ -1165,6 +1468,7 @@ METHOD(task_manager_t, process_message, status_t,
 				DBG1(DBG_IKE, "received retransmit of request with ID %u, "
 					 "but no response to retransmit", mid);
 			}
+			charon->bus->alert(charon->bus, ALERT_RETRANSMIT_RECEIVE, msg);
 			return SUCCESS;
 		}
 		if (msg->get_exchange_type(msg) == TRANSACTION &&
@@ -1191,6 +1495,10 @@ METHOD(task_manager_t, process_message, status_t,
 		msg->set_request(msg, TRUE);
 		charon->bus->message(charon->bus, msg, TRUE, FALSE);
 		status = parse_message(this, msg);
+		if (status == NEED_MORE)
+		{
+			return SUCCESS;
+		}
 		if (status != SUCCESS)
 		{
 			return status;
@@ -1202,7 +1510,8 @@ METHOD(task_manager_t, process_message, status_t,
 			ike_cfg_t *ike_cfg;
 			job_t *job;
 
-			ike_cfg = charon->backends->get_ike_cfg(charon->backends, me, other);
+			ike_cfg = charon->backends->get_ike_cfg(charon->backends,
+													me, other, IKEV1);
 			if (ike_cfg == NULL)
 			{
 				/* no config found for these hosts, destroy */
@@ -1282,6 +1591,7 @@ METHOD(task_manager_t, queue_ike, void,
 		{
 			queue_task(this, (task_t*)aggressive_mode_create(this->ike_sa, TRUE));
 		}
+		this->frag.exchange = AGGRESSIVE;
 	}
 	else
 	{
@@ -1585,6 +1895,7 @@ METHOD(task_manager_t, reset, void,
 	this->initiating.seqnr = 0;
 	this->initiating.retransmitted = 0;
 	this->initiating.type = EXCHANGE_TYPE_UNDEFINED;
+	clear_fragments(this, 0);
 	if (initiate != UINT_MAX)
 	{
 		this->dpd_send = initiate;
@@ -1635,6 +1946,7 @@ METHOD(task_manager_t, destroy, void,
 	this->active_tasks->destroy(this->active_tasks);
 	this->queued_tasks->destroy(this->queued_tasks);
 	this->passive_tasks->destroy(this->passive_tasks);
+	clear_fragments(this, 0);
 
 	DESTROY_IF(this->queued);
 	DESTROY_IF(this->responding.packet);
@@ -1681,6 +1993,13 @@ task_manager_v1_t *task_manager_v1_create(ike_sa_t *ike_sa)
 		.responding = {
 			.seqnr = RESPONDING_SEQ,
 		},
+		.frag = {
+			.exchange = ID_PROT,
+			.max_packet = lib->settings->get_int(lib->settings,
+					"%s.max_packet", MAX_PACKET, charon->name),
+			.size = lib->settings->get_int(lib->settings,
+					"%s.fragment_size", MAX_FRAGMENT_SIZE, charon->name),
+		},
 		.ike_sa = ike_sa,
 		.rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK),
 		.queued_tasks = linked_list_create(),
diff --git a/src/libcharon/sa/ikev1/tasks/aggressive_mode.c b/src/libcharon/sa/ikev1/tasks/aggressive_mode.c
index 954dea880..7336d5d64 100644
--- a/src/libcharon/sa/ikev1/tasks/aggressive_mode.c
+++ b/src/libcharon/sa/ikev1/tasks/aggressive_mode.c
@@ -235,7 +235,8 @@ METHOD(task_t, build_i, status_t,
 			this->lifetime += this->peer_cfg->get_over_time(this->peer_cfg);
 			proposals = this->ike_cfg->get_proposals(this->ike_cfg);
 			sa_payload = sa_payload_create_from_proposals_v1(proposals,
-						this->lifetime, 0, this->method, MODE_NONE, FALSE, 0);
+									this->lifetime, 0, this->method, MODE_NONE,
+									ENCAP_NONE, 0);
 			proposals->destroy_offset(proposals, offsetof(proposal_t, destroy));
 
 			message->add_payload(message, &sa_payload->payload_interface);
@@ -520,7 +521,8 @@ METHOD(task_t, build_r, status_t,
 		identification_t *id;
 
 		sa_payload = sa_payload_create_from_proposal_v1(this->proposal,
-						this->lifetime, 0, this->method, MODE_NONE, FALSE, 0);
+									this->lifetime, 0, this->method, MODE_NONE,
+									ENCAP_NONE, 0);
 		message->add_payload(message, &sa_payload->payload_interface);
 
 		if (!this->ph1->add_nonce_ke(this->ph1, message))
diff --git a/src/libcharon/sa/ikev1/tasks/isakmp_cert_pre.c b/src/libcharon/sa/ikev1/tasks/isakmp_cert_pre.c
index d48484f09..43a0aaa36 100644
--- a/src/libcharon/sa/ikev1/tasks/isakmp_cert_pre.c
+++ b/src/libcharon/sa/ikev1/tasks/isakmp_cert_pre.c
@@ -13,6 +13,28 @@
  * for more details.
  */
 
+/*
+ * Copyright (C) 2013 Volker Rümelin
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ */
+
 #include "isakmp_cert_pre.h"
 
 #include <daemon.h>
@@ -21,6 +43,7 @@
 #include <encoding/payloads/sa_payload.h>
 #include <encoding/payloads/certreq_payload.h>
 #include <credentials/certificates/x509.h>
+#include <credentials/containers/pkcs7.h>
 
 
 typedef struct private_isakmp_cert_pre_t private_isakmp_cert_pre_t;
@@ -132,7 +155,106 @@ static void process_certreqs(private_isakmp_cert_pre_t *this, message_t *message
 }
 
 /**
- * Import receuved certificates
+ * Process an X509 certificate payload
+ */
+static void process_x509(cert_payload_t *payload, auth_cfg_t *auth, bool *first)
+{
+	certificate_t *cert;
+
+	cert = payload->get_cert(payload);
+	if (cert)
+	{
+		if (*first)
+		{	/* the first is an end entity certificate */
+			DBG1(DBG_IKE, "received end entity cert \"%Y\"",
+				 cert->get_subject(cert));
+			auth->add(auth, AUTH_HELPER_SUBJECT_CERT, cert);
+			*first = FALSE;
+		}
+		else
+		{
+			DBG1(DBG_IKE, "received issuer cert \"%Y\"",
+				 cert->get_subject(cert));
+			auth->add(auth, AUTH_HELPER_IM_CERT, cert);
+		}
+	}
+}
+
+/**
+ * Process a CRL certificate payload
+ */
+static void process_crl(cert_payload_t *payload, auth_cfg_t *auth)
+{
+	certificate_t *cert;
+
+	cert = payload->get_cert(payload);
+	if (cert)
+	{
+		DBG1(DBG_IKE, "received CRL \"%Y\"", cert->get_subject(cert));
+		auth->add(auth, AUTH_HELPER_REVOCATION_CERT, cert);
+	}
+}
+
+/**
+ * Process a PKCS7 certificate payload
+ */
+static void process_pkcs7(cert_payload_t *payload, auth_cfg_t *auth)
+{
+	enumerator_t *enumerator;
+	container_t *container;
+	certificate_t *cert;
+	pkcs7_t *pkcs7;
+
+	container = payload->get_container(payload);
+	if (!container)
+	{
+		return;
+	}
+	switch (container->get_type(container))
+	{
+		case CONTAINER_PKCS7_DATA:
+		case CONTAINER_PKCS7_SIGNED_DATA:
+		case CONTAINER_PKCS7_ENVELOPED_DATA:
+			break;
+		default:
+			container->destroy(container);
+			return;
+	}
+
+	pkcs7 = (pkcs7_t *)container;
+	enumerator = pkcs7->create_cert_enumerator(pkcs7);
+	while (enumerator->enumerate(enumerator, &cert))
+	{
+		if (cert->get_type(cert) == CERT_X509)
+		{
+			x509_t *x509 = (x509_t*)cert;
+
+			if (x509->get_flags(x509) & X509_CA)
+			{
+				DBG1(DBG_IKE, "received issuer cert \"%Y\"",
+					 cert->get_subject(cert));
+				auth->add(auth, AUTH_HELPER_IM_CERT, cert->get_ref(cert));
+			}
+			else
+			{
+				DBG1(DBG_IKE, "received end entity cert \"%Y\"",
+					 cert->get_subject(cert));
+				auth->add(auth, AUTH_HELPER_SUBJECT_CERT, cert->get_ref(cert));
+			}
+		}
+		else
+		{
+			DBG1(DBG_IKE, "received unsupported cert type %N",
+				 certificate_type_names, cert->get_type(cert));
+		}
+	}
+	enumerator->destroy(enumerator);
+
+	container->destroy(container);
+}
+
+/**
+ * Import received certificates
  */
 static void process_certs(private_isakmp_cert_pre_t *this, message_t *message)
 {
@@ -150,7 +272,6 @@ static void process_certs(private_isakmp_cert_pre_t *this, message_t *message)
 		{
 			cert_payload_t *cert_payload;
 			cert_encoding_t encoding;
-			certificate_t *cert;
 
 			cert_payload = (cert_payload_t*)payload;
 			encoding = cert_payload->get_cert_encoding(cert_payload);
@@ -158,36 +279,14 @@ static void process_certs(private_isakmp_cert_pre_t *this, message_t *message)
 			switch (encoding)
 			{
 				case ENC_X509_SIGNATURE:
-				{
-					cert = cert_payload->get_cert(cert_payload);
-					if (cert)
-					{
-						if (first)
-						{	/* the first is an end entity certificate */
-							DBG1(DBG_IKE, "received end entity cert \"%Y\"",
-								 cert->get_subject(cert));
-							auth->add(auth, AUTH_HELPER_SUBJECT_CERT, cert);
-							first = FALSE;
-						}
-						else
-						{
-							DBG1(DBG_IKE, "received issuer cert \"%Y\"",
-								 cert->get_subject(cert));
-							auth->add(auth, AUTH_HELPER_IM_CERT, cert);
-						}
-					}
+					process_x509(cert_payload, auth, &first);
 					break;
-				}
 				case ENC_CRL:
-					cert = cert_payload->get_cert(cert_payload);
-					if (cert)
-					{
-						DBG1(DBG_IKE, "received CRL \"%Y\"",
-							 cert->get_subject(cert));
-						auth->add(auth, AUTH_HELPER_REVOCATION_CERT, cert);
-					}
+					process_crl(cert_payload, auth);
 					break;
 				case ENC_PKCS7_WRAPPED_X509:
+					process_pkcs7(cert_payload, auth);
+					break;
 				case ENC_PGP:
 				case ENC_DNS_SIGNED_KEY:
 				case ENC_KERBEROS_TOKEN:
diff --git a/src/libcharon/sa/ikev1/tasks/isakmp_natd.c b/src/libcharon/sa/ikev1/tasks/isakmp_natd.c
index 50bf1612d..5a779ff62 100644
--- a/src/libcharon/sa/ikev1/tasks/isakmp_natd.c
+++ b/src/libcharon/sa/ikev1/tasks/isakmp_natd.c
@@ -15,6 +15,28 @@
  * for more details.
  */
 
+/*
+ * Copyright (C) 2012 Volker Rümelin
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ */
+
 #include "isakmp_natd.h"
 
 #include <string.h>
@@ -74,6 +96,18 @@ struct private_isakmp_natd_t {
 	bool dst_matched;
 };
 
+/**
+ * Get NAT-D payload type (RFC 3947 or RFC 3947 drafts).
+ */
+static payload_type_t get_nat_d_payload_type(ike_sa_t *ike_sa)
+{
+	if (ike_sa->supports_extension(ike_sa, EXT_NATT_DRAFT_02_03))
+	{
+		return NAT_D_DRAFT_00_03_V1;
+	}
+	return NAT_D_V1;
+}
+
 /**
  * Build NAT detection hash for a host.
  */
@@ -162,7 +196,7 @@ static hash_payload_t *build_natd_payload(private_isakmp_natd_t *this, bool src,
 	{
 		return NULL;
 	}
-	payload = hash_payload_create(NAT_D_V1);
+	payload = hash_payload_create(get_nat_d_payload_type(this->ike_sa));
 	payload->set_hash(payload, hash);
 	chunk_free(&hash);
 	return payload;
@@ -221,7 +255,8 @@ static void process_payloads(private_isakmp_natd_t *this, message_t *message)
 	enumerator = message->create_payload_enumerator(message);
 	while (enumerator->enumerate(enumerator, &payload))
 	{
-		if (payload->get_type(payload) != NAT_D_V1)
+		if (payload->get_type(payload) != NAT_D_V1 &&
+			payload->get_type(payload) != NAT_D_DRAFT_00_03_V1)
 		{
 			continue;
 		}
@@ -350,7 +385,7 @@ METHOD(task_t, process_r, status_t,
 	switch (message->get_exchange_type(message))
 	{
 		case AGGRESSIVE:
-		{	/* proccess NAT-D payloads in the second request, already added ours
+		{	/* process NAT-D payloads in the second request, already added ours
 			 * in the first response */
 			result = SUCCESS;
 			/* fall */
diff --git a/src/libcharon/sa/ikev1/tasks/isakmp_vendor.c b/src/libcharon/sa/ikev1/tasks/isakmp_vendor.c
index 4fd0ef39b..2ff2b55e9 100644
--- a/src/libcharon/sa/ikev1/tasks/isakmp_vendor.c
+++ b/src/libcharon/sa/ikev1/tasks/isakmp_vendor.c
@@ -1,4 +1,5 @@
 /*
+ * Copyright (C) 2012-2013 Tobias Brunner
  * Copyright (C) 2009 Martin Willi
  * Hochschule fuer Technik Rapperswil
  *
@@ -13,6 +14,28 @@
  * for more details.
  */
 
+/*
+ * Copyright (C) 2012 Volker Rümelin
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ */
+
 #include "isakmp_vendor.h"
 
 #include <daemon.h>
@@ -39,6 +62,11 @@ struct private_isakmp_vendor_t {
 	 * Are we the inititator of this task
 	 */
 	bool initiator;
+
+	/**
+	 * Index of best nat traversal VID found
+	 */
+	int best_natt_ext;
 };
 
 /**
@@ -65,76 +93,132 @@ static struct {
 	{ "XAuth", EXT_XAUTH, TRUE, 8,
 	  "\x09\x00\x26\x89\xdf\xd6\xb7\x12"},
 
-	/* NAT-Traversal, MD5("RFC 3947") */
-	{ "NAT-T (RFC 3947)", EXT_NATT, TRUE, 16,
-	  "\x4a\x13\x1c\x81\x07\x03\x58\x45\x5c\x57\x28\xf2\x0e\x95\x45\x2f"},
-
 	/* Dead peer detection, RFC 3706 */
 	{ "DPD", EXT_DPD, TRUE, 16,
 	  "\xaf\xca\xd7\x13\x68\xa1\xf1\xc9\x6b\x86\x96\xfc\x77\x57\x01\x00"},
 
-	{ "draft-stenberg-ipsec-nat-traversal-01", 0, FALSE, 16,
-	  "\x27\xba\xb5\xdc\x01\xea\x07\x60\xea\x4e\x31\x90\xac\x27\xc0\xd0"},
+	{ "Cisco Unity", EXT_CISCO_UNITY, FALSE, 16,
+	  "\x12\xf5\xf2\x8c\x45\x71\x68\xa9\x70\x2d\x9f\xe2\x74\xcc\x01\x00"},
 
-	{ "draft-stenberg-ipsec-nat-traversal-02", 0, FALSE, 16,
-	  "\x61\x05\xc4\x22\xe7\x68\x47\xe4\x3f\x96\x84\x80\x12\x92\xae\xcd"},
+	/* Proprietary IKE fragmentation extension. Capabilities are handled
+	 * specially on receipt of this VID. */
+	{ "FRAGMENTATION", EXT_IKE_FRAGMENTATION, FALSE, 20,
+	  "\x40\x48\xb7\xd5\x6e\xbc\xe8\x85\x25\xe7\xde\x7f\x00\xd6\xc2\xd3\x80\x00\x00\x00"},
 
-	{ "draft-ietf-ipsec-nat-t-ike", 0, FALSE, 16,
-	  "\x4d\xf3\x79\x28\xe9\xfc\x4f\xd1\xb3\x26\x21\x70\xd5\x15\xc6\x62"},
+}, vendor_natt_ids[] = {
 
-	{ "draft-ietf-ipsec-nat-t-ike-00", 0, FALSE, 16,
-	  "\x44\x85\x15\x2d\x18\xb6\xbb\xcd\x0b\xe8\xa8\x46\x95\x79\xdd\xcc"},
+	/* NAT-Traversal VIDs ordered by preference */
+
+	/* NAT-Traversal, MD5("RFC 3947") */
+	{ "NAT-T (RFC 3947)", EXT_NATT, TRUE, 16,
+	  "\x4a\x13\x1c\x81\x07\x03\x58\x45\x5c\x57\x28\xf2\x0e\x95\x45\x2f"},
 
-	{ "draft-ietf-ipsec-nat-t-ike-02", 0, FALSE, 16,
+	{ "draft-ietf-ipsec-nat-t-ike-03", EXT_NATT | EXT_NATT_DRAFT_02_03,
+	  FALSE, 16,
+	  "\x7d\x94\x19\xa6\x53\x10\xca\x6f\x2c\x17\x9d\x92\x15\x52\x9d\x56"},
+
+	{ "draft-ietf-ipsec-nat-t-ike-02", EXT_NATT | EXT_NATT_DRAFT_02_03,
+	  FALSE, 16,
 	  "\xcd\x60\x46\x43\x35\xdf\x21\xf8\x7c\xfd\xb2\xfc\x68\xb6\xa4\x48"},
 
-	{ "draft-ietf-ipsec-nat-t-ike-02\\n", 0, FALSE, 16,
+	{ "draft-ietf-ipsec-nat-t-ike-02\\n", EXT_NATT | EXT_NATT_DRAFT_02_03,
+	  TRUE, 16,
 	  "\x90\xcb\x80\x91\x3e\xbb\x69\x6e\x08\x63\x81\xb5\xec\x42\x7b\x1f"},
 
-	{ "draft-ietf-ipsec-nat-t-ike-03", 0, FALSE, 16,
-	  "\x7d\x94\x19\xa6\x53\x10\xca\x6f\x2c\x17\x9d\x92\x15\x52\x9d\x56"},
+	{ "draft-ietf-ipsec-nat-t-ike-08", 0, FALSE, 16,
+	  "\x8f\x8d\x83\x82\x6d\x24\x6b\x6f\xc7\xa8\xa6\xa4\x28\xc1\x1d\xe8"},
 
-	{ "draft-ietf-ipsec-nat-t-ike-04", 0, FALSE, 16,
-	  "\x99\x09\xb6\x4e\xed\x93\x7c\x65\x73\xde\x52\xac\xe9\x52\xfa\x6b"},
+	{ "draft-ietf-ipsec-nat-t-ike-07", 0, FALSE, 16,
+	  "\x43\x9b\x59\xf8\xba\x67\x6c\x4c\x77\x37\xae\x22\xea\xb8\xf5\x82"},
+
+	{ "draft-ietf-ipsec-nat-t-ike-06", 0, FALSE, 16,
+	  "\x4d\x1e\x0e\x13\x6d\xea\xfa\x34\xc4\xf3\xea\x9f\x02\xec\x72\x85"},
 
 	{ "draft-ietf-ipsec-nat-t-ike-05", 0, FALSE, 16,
 	  "\x80\xd0\xbb\x3d\xef\x54\x56\x5e\xe8\x46\x45\xd4\xc8\x5c\xe3\xee"},
 
-	{ "draft-ietf-ipsec-nat-t-ike-06", 0, FALSE, 16,
-	  "\x4d\x1e\x0e\x13\x6d\xea\xfa\x34\xc4\xf3\xea\x9f\x02\xec\x72\x85"},
+	{ "draft-ietf-ipsec-nat-t-ike-04", 0, FALSE, 16,
+	  "\x99\x09\xb6\x4e\xed\x93\x7c\x65\x73\xde\x52\xac\xe9\x52\xfa\x6b"},
 
-	{ "draft-ietf-ipsec-nat-t-ike-07", 0, FALSE, 16,
-	  "\x43\x9b\x59\xf8\xba\x67\x6c\x4c\x77\x37\xae\x22\xea\xb8\xf5\x82"},
+	{ "draft-ietf-ipsec-nat-t-ike-00", 0, FALSE, 16,
+	  "\x44\x85\x15\x2d\x18\xb6\xbb\xcd\x0b\xe8\xa8\x46\x95\x79\xdd\xcc"},
 
-	{ "draft-ietf-ipsec-nat-t-ike-08", 0, FALSE, 16,
-	  "\x8f\x8d\x83\x82\x6d\x24\x6b\x6f\xc7\xa8\xa6\xa4\x28\xc1\x1d\xe8"},
+	{ "draft-ietf-ipsec-nat-t-ike", 0, FALSE, 16,
+	  "\x4d\xf3\x79\x28\xe9\xfc\x4f\xd1\xb3\x26\x21\x70\xd5\x15\xc6\x62"},
+
+	{ "draft-stenberg-ipsec-nat-traversal-02", 0, FALSE, 16,
+	  "\x61\x05\xc4\x22\xe7\x68\x47\xe4\x3f\x96\x84\x80\x12\x92\xae\xcd"},
+
+	{ "draft-stenberg-ipsec-nat-traversal-01", 0, FALSE, 16,
+	  "\x27\xba\xb5\xdc\x01\xea\x07\x60\xea\x4e\x31\x90\xac\x27\xc0\xd0"},
 
-	{ "Cisco Unity", EXT_CISCO_UNITY, FALSE, 16,
-	  "\x12\xf5\xf2\x8c\x45\x71\x68\xa9\x70\x2d\x9f\xe2\x74\xcc\x01\x00"},
 };
 
+/**
+ * According to racoon 0x80000000 seems to indicate support for fragmentation
+ * of Aggressive and Main mode messages.  0x40000000 seems to indicate support
+ * for fragmentation of base ISAKMP messages (Cisco adds that and thus sends
+ * 0xc0000000)
+ */
+static const u_int32_t fragmentation_ike = 0x80000000;
+
+/**
+ * Check if the given vendor ID indicate support for fragmentation
+ */
+static bool fragmentation_supported(chunk_t data, int i)
+{
+	if (vendor_ids[i].extension  == EXT_IKE_FRAGMENTATION &&
+		data.len == 20 && memeq(data.ptr, vendor_ids[i].id, 16))
+	{
+		return untoh32(&data.ptr[16]) & fragmentation_ike;
+	}
+	return FALSE;
+}
+
 METHOD(task_t, build, status_t,
 	private_isakmp_vendor_t *this, message_t *message)
 {
 	vendor_id_payload_t *vid_payload;
-	bool strongswan, cisco_unity;
+	bool strongswan, cisco_unity, fragmentation;
+	ike_cfg_t *ike_cfg;
 	int i;
 
 	strongswan = lib->settings->get_bool(lib->settings,
-									"%s.send_vendor_id", FALSE, charon->name);
+								"%s.send_vendor_id", FALSE, charon->name);
 	cisco_unity = lib->settings->get_bool(lib->settings,
-									"%s.cisco_unity", FALSE, charon->name);
+								"%s.cisco_unity", FALSE, charon->name);
+	ike_cfg = this->ike_sa->get_ike_cfg(this->ike_sa);
+	fragmentation = ike_cfg->fragmentation(ike_cfg) != FRAGMENTATION_NO;
+	if (!this->initiator && fragmentation)
+	{
+		fragmentation = this->ike_sa->supports_extension(this->ike_sa,
+														 EXT_IKE_FRAGMENTATION);
+	}
 	for (i = 0; i < countof(vendor_ids); i++)
 	{
 		if (vendor_ids[i].send ||
 		   (vendor_ids[i].extension == EXT_STRONGSWAN && strongswan) ||
-		   (vendor_ids[i].extension == EXT_CISCO_UNITY && cisco_unity))
+		   (vendor_ids[i].extension == EXT_CISCO_UNITY && cisco_unity) ||
+		   (vendor_ids[i].extension == EXT_IKE_FRAGMENTATION && fragmentation))
 		{
+			DBG2(DBG_IKE, "sending %s vendor ID", vendor_ids[i].desc);
 			vid_payload = vendor_id_payload_create_data(VENDOR_ID_V1,
 				chunk_clone(chunk_create(vendor_ids[i].id, vendor_ids[i].len)));
 			message->add_payload(message, &vid_payload->payload_interface);
 		}
 	}
+	for (i = 0; i < countof(vendor_natt_ids); i++)
+	{
+		if ((this->initiator && vendor_natt_ids[i].send) ||
+			this->best_natt_ext == i)
+		{
+			DBG2(DBG_IKE, "sending %s vendor ID", vendor_natt_ids[i].desc);
+			vid_payload = vendor_id_payload_create_data(VENDOR_ID_V1,
+							chunk_clone(chunk_create(vendor_natt_ids[i].id,
+													 vendor_natt_ids[i].len)));
+			message->add_payload(message, &vid_payload->payload_interface);
+		}
+	}
 	return this->initiator ? NEED_MORE : SUCCESS;
 }
 
@@ -160,7 +244,8 @@ METHOD(task_t, process, status_t,
 			for (i = 0; i < countof(vendor_ids); i++)
 			{
 				if (chunk_equals(data, chunk_create(vendor_ids[i].id,
-													vendor_ids[i].len)))
+													vendor_ids[i].len)) ||
+					fragmentation_supported(data, i))
 				{
 					DBG1(DBG_IKE, "received %s vendor ID", vendor_ids[i].desc);
 					if (vendor_ids[i].extension)
@@ -169,6 +254,26 @@ METHOD(task_t, process, status_t,
 													   vendor_ids[i].extension);
 					}
 					found = TRUE;
+					break;
+				}
+			}
+			if (!found)
+			{
+				for (i = 0; i < countof(vendor_natt_ids); i++)
+				{
+					if (chunk_equals(data, chunk_create(vendor_natt_ids[i].id,
+													vendor_natt_ids[i].len)))
+					{
+						DBG1(DBG_IKE, "received %s vendor ID",
+							 vendor_natt_ids[i].desc);
+						if (vendor_natt_ids[i].extension &&
+						   (i < this->best_natt_ext || this->best_natt_ext < 0))
+						{
+							this->best_natt_ext = i;
+						}
+						found = TRUE;
+						break;
+					}
 				}
 			}
 			if (!found)
@@ -179,6 +284,12 @@ METHOD(task_t, process, status_t,
 	}
 	enumerator->destroy(enumerator);
 
+	if (this->best_natt_ext >= 0)
+	{
+		this->ike_sa->enable_extension(this->ike_sa,
+								vendor_natt_ids[this->best_natt_ext].extension);
+	}
+
 	return this->initiator ? SUCCESS : NEED_MORE;
 }
 
@@ -219,6 +330,7 @@ isakmp_vendor_t *isakmp_vendor_create(ike_sa_t *ike_sa, bool initiator)
 		},
 		.initiator = initiator,
 		.ike_sa = ike_sa,
+		.best_natt_ext = -1,
 	);
 
 	return &this->public;
diff --git a/src/libcharon/sa/ikev1/tasks/main_mode.c b/src/libcharon/sa/ikev1/tasks/main_mode.c
index 9ccf9abf5..bc9d4bbc3 100644
--- a/src/libcharon/sa/ikev1/tasks/main_mode.c
+++ b/src/libcharon/sa/ikev1/tasks/main_mode.c
@@ -241,7 +241,8 @@ METHOD(task_t, build_i, status_t,
 			this->lifetime += this->peer_cfg->get_over_time(this->peer_cfg);
 			proposals = this->ike_cfg->get_proposals(this->ike_cfg);
 			sa_payload = sa_payload_create_from_proposals_v1(proposals,
-						this->lifetime, 0, this->method, MODE_NONE, FALSE, 0);
+									this->lifetime, 0, this->method, MODE_NONE,
+									ENCAP_NONE, 0);
 			proposals->destroy_offset(proposals, offsetof(proposal_t, destroy));
 
 			message->add_payload(message, &sa_payload->payload_interface);
@@ -455,7 +456,8 @@ METHOD(task_t, build_r, status_t,
 			sa_payload_t *sa_payload;
 
 			sa_payload = sa_payload_create_from_proposal_v1(this->proposal,
-						this->lifetime, 0, this->method, MODE_NONE, FALSE, 0);
+									this->lifetime, 0, this->method, MODE_NONE,
+									ENCAP_NONE, 0);
 			message->add_payload(message, &sa_payload->payload_interface);
 
 			return NEED_MORE;
diff --git a/src/libcharon/sa/ikev1/tasks/quick_mode.c b/src/libcharon/sa/ikev1/tasks/quick_mode.c
index 82a7238c3..1eae6aa93 100644
--- a/src/libcharon/sa/ikev1/tasks/quick_mode.c
+++ b/src/libcharon/sa/ikev1/tasks/quick_mode.c
@@ -16,6 +16,28 @@
  * for more details.
  */
 
+/*
+ * Copyright (C) 2012 Volker Rümelin
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ */
+
 #include "quick_mode.h"
 
 #include <string.h>
@@ -561,7 +583,7 @@ static bool get_ts(private_quick_mode_t *this, message_t *message)
 		tsr = traffic_selector_create_from_subnet(hsr->clone(hsr),
 							hsr->get_family(hsr) == AF_INET ? 32 : 128, 0, 0);
 	}
-	if (!this->initiator && this->mode == MODE_TRANSPORT && this->udp &&
+	if (this->mode == MODE_TRANSPORT && this->udp &&
 	   (!tsi->is_host(tsi, hsi) || !tsr->is_host(tsr, hsr)))
 	{	/* change TS in case of a NAT in transport mode */
 		DBG2(DBG_IKE, "changing received traffic selectors %R=== %R due to NAT",
@@ -572,11 +594,11 @@ static bool get_ts(private_quick_mode_t *this, message_t *message)
 
 	if (this->initiator)
 	{
-		/* check if peer selection valid */
+		/* check if peer selection is valid */
 		if (!tsr->is_contained_in(tsr, this->tsr) ||
 			!tsi->is_contained_in(tsi, this->tsi))
 		{
-			DBG1(DBG_IKE, "peer selected invalid traffic selectors: ",
+			DBG1(DBG_IKE, "peer selected invalid traffic selectors: "
 				 "%R for %R, %R for %R", tsi, this->tsi, tsr, this->tsr);
 			tsi->destroy(tsi);
 			tsr->destroy(tsr);
@@ -595,6 +617,34 @@ static bool get_ts(private_quick_mode_t *this, message_t *message)
 	return TRUE;
 }
 
+/**
+ * Get encap
+ */
+static encap_t get_encap(ike_sa_t* ike_sa, bool udp)
+{
+	if (!udp)
+	{
+		return ENCAP_NONE;
+	}
+	if (ike_sa->supports_extension(ike_sa, EXT_NATT_DRAFT_02_03))
+	{
+		return ENCAP_UDP_DRAFT_00_03;
+	}
+	return ENCAP_UDP;
+}
+
+/**
+ * Get NAT-OA payload type (RFC 3947 or RFC 3947 drafts).
+ */
+static payload_type_t get_nat_oa_payload_type(ike_sa_t *ike_sa)
+{
+	if (ike_sa->supports_extension(ike_sa, EXT_NATT_DRAFT_02_03))
+	{
+		return NAT_OA_DRAFT_00_03_V1;
+	}
+	return NAT_OA_V1;
+}
+
 /**
  * Add NAT-OA payloads
  */
@@ -603,6 +653,7 @@ static void add_nat_oa_payloads(private_quick_mode_t *this, message_t *message)
 	identification_t *id;
 	id_payload_t *nat_oa;
 	host_t *src, *dst;
+	payload_type_t nat_oa_payload_type;
 
 	src = message->get_source(message);
 	dst = message->get_destination(message);
@@ -610,15 +661,17 @@ static void add_nat_oa_payloads(private_quick_mode_t *this, message_t *message)
 	src = this->initiator ? src : dst;
 	dst = this->initiator ? dst : src;
 
+	nat_oa_payload_type = get_nat_oa_payload_type(this->ike_sa);
+
 	/* first NAT-OA is the initiator's address */
 	id = identification_create_from_sockaddr(src->get_sockaddr(src));
-	nat_oa = id_payload_create_from_identification(NAT_OA_V1, id);
+	nat_oa = id_payload_create_from_identification(nat_oa_payload_type, id);
 	message->add_payload(message, (payload_t*)nat_oa);
 	id->destroy(id);
 
 	/* second NAT-OA is that of the responder */
 	id = identification_create_from_sockaddr(dst->get_sockaddr(dst));
-	nat_oa = id_payload_create_from_identification(NAT_OA_V1, id);
+	nat_oa = id_payload_create_from_identification(nat_oa_payload_type, id);
 	message->add_payload(message, (payload_t*)nat_oa);
 	id->destroy(id);
 }
@@ -697,6 +750,7 @@ METHOD(task_t, build_i, status_t,
 			linked_list_t *list, *tsi, *tsr;
 			proposal_t *proposal;
 			diffie_hellman_group_t group;
+			encap_t encap;
 
 			this->udp = this->ike_sa->has_condition(this->ike_sa, COND_NAT_ANY);
 			this->mode = this->config->get_mode(this->config);
@@ -735,19 +789,42 @@ METHOD(task_t, build_i, status_t,
 				DBG1(DBG_IKE, "allocating SPI from kernel failed");
 				return FAILED;
 			}
+			group = this->config->get_dh_group(this->config);
+			if (group != MODP_NONE)
+			{
+				this->dh = this->keymat->keymat.create_dh(&this->keymat->keymat,
+														  group);
+				if (!this->dh)
+				{
+					DBG1(DBG_IKE, "configured DH group %N not supported",
+						 diffie_hellman_group_names, group);
+					return FAILED;
+				}
+			}
 
 			list = this->config->get_proposals(this->config, FALSE);
 			enumerator = list->create_enumerator(list);
 			while (enumerator->enumerate(enumerator, &proposal))
 			{
+				if (group != MODP_NONE)
+				{
+					if (!proposal->has_dh_group(proposal, group))
+					{
+						list->remove_at(list, enumerator);
+						proposal->destroy(proposal);
+						continue;
+					}
+					proposal->strip_dh(proposal, group);
+				}
 				proposal->set_spi(proposal, this->spi_i);
 			}
 			enumerator->destroy(enumerator);
 
 			get_lifetimes(this);
+			encap = get_encap(this->ike_sa, this->udp);
 			sa_payload = sa_payload_create_from_proposals_v1(list,
 								this->lifetime, this->lifebytes, AUTH_NONE,
-								this->mode, this->udp, this->cpi_i);
+								this->mode, encap, this->cpi_i);
 			list->destroy_offset(list, offsetof(proposal_t, destroy));
 			message->add_payload(message, &sa_payload->payload_interface);
 
@@ -755,18 +832,8 @@ METHOD(task_t, build_i, status_t,
 			{
 				return FAILED;
 			}
-
-			group = this->config->get_dh_group(this->config);
 			if (group != MODP_NONE)
 			{
-				this->dh = this->keymat->keymat.create_dh(&this->keymat->keymat,
-														  group);
-				if (!this->dh)
-				{
-					DBG1(DBG_IKE, "configured DH group %N not supported",
-						 diffie_hellman_group_names, group);
-					return FAILED;
-				}
 				add_ke(this, message);
 			}
 			if (!this->tsi)
@@ -1048,6 +1115,7 @@ METHOD(task_t, build_r, status_t,
 		case QM_INIT:
 		{
 			sa_payload_t *sa_payload;
+			encap_t encap;
 
 			this->spi_r = this->child_sa->alloc_spi(this->child_sa, PROTO_ESP);
 			if (!this->spi_r)
@@ -1074,9 +1142,10 @@ METHOD(task_t, build_r, status_t,
 				add_nat_oa_payloads(this, message);
 			}
 
+			encap = get_encap(this->ike_sa, this->udp);
 			sa_payload = sa_payload_create_from_proposal_v1(this->proposal,
 								this->lifetime, this->lifebytes, AUTH_NONE,
-								this->mode, this->udp, this->cpi_r);
+								this->mode, encap, this->cpi_r);
 			message->add_payload(message, &sa_payload->payload_interface);
 
 			if (!add_nonce(this, &this->nonce_r, message))
diff --git a/src/libcharon/sa/ikev2/connect_manager.c b/src/libcharon/sa/ikev2/connect_manager.c
index 5fdcea1ab..c4e5ea7a0 100644
--- a/src/libcharon/sa/ikev2/connect_manager.c
+++ b/src/libcharon/sa/ikev2/connect_manager.c
@@ -19,7 +19,7 @@
 
 #include <daemon.h>
 #include <threading/mutex.h>
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
 #include <crypto/hashers/hasher.h>
 
 #include <processing/jobs/callback_job.h>
diff --git a/src/libcharon/sa/ikev2/mediation_manager.c b/src/libcharon/sa/ikev2/mediation_manager.c
index 60eeb5d4b..bf5b2f4b3 100644
--- a/src/libcharon/sa/ikev2/mediation_manager.c
+++ b/src/libcharon/sa/ikev2/mediation_manager.c
@@ -17,7 +17,7 @@
 
 #include <daemon.h>
 #include <threading/mutex.h>
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
 #include <processing/jobs/mediation_job.h>
 
 typedef struct peer_t peer_t;
diff --git a/src/libcharon/sa/ikev2/task_manager_v2.c b/src/libcharon/sa/ikev2/task_manager_v2.c
index 53051fab4..ea0117c54 100644
--- a/src/libcharon/sa/ikev2/task_manager_v2.c
+++ b/src/libcharon/sa/ikev2/task_manager_v2.c
@@ -257,6 +257,8 @@ METHOD(task_manager_t, retransmit, status_t,
 			{
 				DBG1(DBG_IKE, "giving up after %d retransmits",
 					 this->initiating.retransmitted - 1);
+				charon->bus->alert(charon->bus, ALERT_RETRANSMIT_SEND_TIMEOUT,
+								   this->initiating.packet);
 				return DESTROY_ME;
 			}
 
@@ -264,6 +266,8 @@ METHOD(task_manager_t, retransmit, status_t,
 			{
 				DBG1(DBG_IKE, "retransmit %d of request with message ID %d",
 					 this->initiating.retransmitted, message_id);
+				charon->bus->alert(charon->bus, ALERT_RETRANSMIT_SEND,
+								   this->initiating.packet);
 			}
 			packet = this->initiating.packet->clone(this->initiating.packet);
 			charon->sender->send(charon->sender, packet);
@@ -626,6 +630,8 @@ static status_t build_response(private_task_manager_t *this, message_t *request)
 	message_t *message;
 	host_t *me, *other;
 	bool delete = FALSE, hook = FALSE;
+	ike_sa_id_t *id = NULL;
+	u_int64_t responder_spi;
 	status_t status;
 
 	me = request->get_destination(request);
@@ -676,10 +682,15 @@ static status_t build_response(private_task_manager_t *this, message_t *request)
 	}
 	enumerator->destroy(enumerator);
 
-	/* remove resonder SPI if IKE_SA_INIT failed */
+	/* RFC 5996, section 2.6 mentions that in the event of a failure during
+	 * IKE_SA_INIT the responder's SPI will be 0 in the response, while it
+	 * actually explicitly allows it to be non-zero.  Since we use the responder
+	 * SPI to create hashes in the IKE_SA manager we can only set the SPI to
+	 * zero temporarily, otherwise checking the SA in would fail. */
 	if (delete && request->get_exchange_type(request) == IKE_SA_INIT)
 	{
-		ike_sa_id_t *id = this->ike_sa->get_id(this->ike_sa);
+		id = this->ike_sa->get_id(this->ike_sa);
+		responder_spi = id->get_responder_spi(id);
 		id->set_responder_spi(id, 0);
 	}
 
@@ -689,6 +700,10 @@ static status_t build_response(private_task_manager_t *this, message_t *request)
 	status = this->ike_sa->generate_message(this->ike_sa, message,
 											&this->responding.packet);
 	message->destroy(message);
+	if (id)
+	{
+		id->set_responder_spi(id, responder_spi);
+	}
 	if (status != SUCCESS)
 	{
 		charon->bus->ike_updown(charon->bus, this->ike_sa, FALSE);
@@ -1045,6 +1060,8 @@ static status_t parse_message(private_task_manager_t *this, message_t *msg)
 			 is_request ? "request" : "response",
 			 msg->get_message_id(msg));
 
+		charon->bus->alert(charon->bus, ALERT_PARSE_ERROR_BODY, msg, status);
+
 		if (this->ike_sa->get_state(this->ike_sa) == IKE_CREATED)
 		{	/* invalid initiation attempt, close SA */
 			return DESTROY_ME;
@@ -1077,7 +1094,8 @@ METHOD(task_manager_t, process_message, status_t,
 		ike_sa_id_t *ike_sa_id;
 		ike_cfg_t *ike_cfg;
 		job_t *job;
-		ike_cfg = charon->backends->get_ike_cfg(charon->backends, me, other);
+		ike_cfg = charon->backends->get_ike_cfg(charon->backends,
+												me, other, IKEV2);
 		if (ike_cfg == NULL)
 		{
 			/* no config found for these hosts, destroy */
@@ -1133,6 +1151,7 @@ METHOD(task_manager_t, process_message, status_t,
 
 			DBG1(DBG_IKE, "received retransmit of request with ID %d, "
 				 "retransmitting response", mid);
+			charon->bus->alert(charon->bus, ALERT_RETRANSMIT_RECEIVE, msg);
 			clone = this->responding.packet->clone(this->responding.packet);
 			host = msg->get_destination(msg);
 			clone->set_source(clone, host->clone(host));
diff --git a/src/libcharon/sa/ikev2/tasks/child_create.c b/src/libcharon/sa/ikev2/tasks/child_create.c
index 46a165546..eb3972c29 100644
--- a/src/libcharon/sa/ikev2/tasks/child_create.c
+++ b/src/libcharon/sa/ikev2/tasks/child_create.c
@@ -377,6 +377,8 @@ static status_t select_and_install(private_child_create_t *this,
 	if (this->proposal == NULL)
 	{
 		DBG1(DBG_IKE, "no acceptable proposal found");
+		charon->bus->alert(charon->bus, ALERT_PROPOSAL_MISMATCH_CHILD,
+						   this->proposals);
 		return FAILED;
 	}
 	this->other_spi = this->proposal->get_spi(this->proposal);
@@ -452,6 +454,7 @@ static status_t select_and_install(private_child_create_t *this,
 
 	if (my_ts->get_count(my_ts) == 0 || other_ts->get_count(other_ts) == 0)
 	{
+		charon->bus->alert(charon->bus, ALERT_TS_MISMATCH, this->tsi, this->tsr);
 		my_ts->destroy_offset(my_ts, offsetof(traffic_selector_t, destroy));
 		other_ts->destroy_offset(other_ts, offsetof(traffic_selector_t, destroy));
 		DBG1(DBG_IKE, "no acceptable traffic selectors found");
@@ -549,6 +552,8 @@ static status_t select_and_install(private_child_create_t *this,
 			(status_i != SUCCESS) ? "inbound " : "",
 			(status_i != SUCCESS && status_o != SUCCESS) ? "and ": "",
 			(status_o != SUCCESS) ? "outbound " : "");
+		charon->bus->alert(charon->bus, ALERT_INSTALL_CHILD_SA_FAILED,
+						   this->child_sa);
 		return FAILED;
 	}
 
@@ -581,6 +586,8 @@ static status_t select_and_install(private_child_create_t *this,
 	if (status != SUCCESS)
 	{
 		DBG1(DBG_IKE, "unable to install IPsec policies (SPD) in kernel");
+		charon->bus->alert(charon->bus, ALERT_INSTALL_CHILD_POLICY_FAILED,
+						   this->child_sa);
 		return NOT_FOUND;
 	}
 
@@ -982,6 +989,7 @@ static void handle_child_sa_failure(private_child_create_t *this,
 	else
 	{
 		DBG1(DBG_IKE, "failed to establish CHILD_SA, keeping IKE_SA");
+		charon->bus->alert(charon->bus, ALERT_KEEP_ON_CHILD_SA_FAILURE);
 	}
 }
 
@@ -1040,6 +1048,7 @@ METHOD(task_t, build_r, status_t,
 	{
 		DBG1(DBG_IKE, "traffic selectors %#R=== %#R inacceptable",
 			 this->tsr, this->tsi);
+		charon->bus->alert(charon->bus, ALERT_TS_MISMATCH, this->tsi, this->tsr);
 		message->add_notify(message, FALSE, TS_UNACCEPTABLE, chunk_empty);
 		handle_child_sa_failure(this, message);
 		return SUCCESS;
@@ -1154,7 +1163,7 @@ METHOD(task_t, process_i, status_t,
 			break;
 	}
 
-	/* check for erronous notifies */
+	/* check for erroneous notifies */
 	enumerator = message->create_payload_enumerator(message);
 	while (enumerator->enumerate(enumerator, &payload))
 	{
diff --git a/src/libcharon/sa/ikev2/tasks/ike_auth.c b/src/libcharon/sa/ikev2/tasks/ike_auth.c
index cd94ccd9e..70efcd7af 100644
--- a/src/libcharon/sa/ikev2/tasks/ike_auth.c
+++ b/src/libcharon/sa/ikev2/tasks/ike_auth.c
@@ -12,7 +12,7 @@
  * This program is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details
+ * for more details.
  */
 
 #include "ike_auth.h"
@@ -457,6 +457,7 @@ METHOD(task_t, build_i, status_t,
 							this->reserved);
 		if (!this->my_auth)
 		{
+			charon->bus->alert(charon->bus, ALERT_LOCAL_AUTH_FAILED);
 			return FAILED;
 		}
 	}
@@ -473,6 +474,7 @@ METHOD(task_t, build_i, status_t,
 		case NEED_MORE:
 			break;
 		default:
+			charon->bus->alert(charon->bus, ALERT_LOCAL_AUTH_FAILED);
 			return FAILED;
 	}
 
@@ -748,7 +750,7 @@ METHOD(task_t, build_r, status_t,
 								this->reserved);
 			if (!this->my_auth)
 			{
-				goto peer_auth_failed;
+				goto local_auth_failed;
 			}
 		}
 	}
@@ -786,9 +788,7 @@ METHOD(task_t, build_r, status_t,
 			case NEED_MORE:
 				break;
 			default:
-				message->add_notify(message, TRUE, AUTHENTICATION_FAILED,
-									chunk_empty);
-				return FAILED;
+				goto local_auth_failed;
 		}
 	}
 
@@ -807,6 +807,7 @@ METHOD(task_t, build_r, status_t,
 													 this->ike_sa, FALSE))
 		{
 			DBG1(DBG_IKE, "cancelling IKE_SA setup due to uniqueness policy");
+			charon->bus->alert(charon->bus, ALERT_UNIQUE_KEEP);
 			message->add_notify(message, TRUE, AUTHENTICATION_FAILED,
 								chunk_empty);
 			return FAILED;
@@ -830,11 +831,14 @@ METHOD(task_t, build_r, status_t,
 	return NEED_MORE;
 
 peer_auth_failed:
-	message->add_notify(message, TRUE, AUTHENTICATION_FAILED,
-						chunk_empty);
+	message->add_notify(message, TRUE, AUTHENTICATION_FAILED, chunk_empty);
 peer_auth_failed_no_notify:
 	charon->bus->alert(charon->bus, ALERT_PEER_AUTH_FAILED);
 	return FAILED;
+local_auth_failed:
+	message->add_notify(message, TRUE, AUTHENTICATION_FAILED, chunk_empty);
+	charon->bus->alert(charon->bus, ALERT_LOCAL_AUTH_FAILED);
+	return FAILED;
 }
 
 METHOD(task_t, process_i, status_t,
@@ -987,6 +991,7 @@ METHOD(task_t, process_i, status_t,
 			case NEED_MORE:
 				break;
 			default:
+				charon->bus->alert(charon->bus, ALERT_LOCAL_AUTH_FAILED);
 				return FAILED;
 		}
 	}
diff --git a/src/libcharon/sa/ikev2/tasks/ike_cert_pre.c b/src/libcharon/sa/ikev2/tasks/ike_cert_pre.c
index 60e878777..2cbe8f8c5 100644
--- a/src/libcharon/sa/ikev2/tasks/ike_cert_pre.c
+++ b/src/libcharon/sa/ikev2/tasks/ike_cert_pre.c
@@ -56,6 +56,72 @@ struct private_ike_cert_pre_t {
 	bool final;
 };
 
+/**
+ * Process a single certificate request payload
+ */
+static void process_certreq(private_ike_cert_pre_t *this,
+							certreq_payload_t *certreq, auth_cfg_t *auth)
+{
+	enumerator_t *enumerator;
+	u_int unknown = 0;
+	chunk_t keyid;
+
+	this->ike_sa->set_condition(this->ike_sa, COND_CERTREQ_SEEN, TRUE);
+
+	if (certreq->get_cert_type(certreq) != CERT_X509)
+	{
+		DBG1(DBG_IKE, "cert payload %N not supported - ignored",
+			 certificate_type_names, certreq->get_cert_type(certreq));
+		return;
+	}
+
+	enumerator = certreq->create_keyid_enumerator(certreq);
+	while (enumerator->enumerate(enumerator, &keyid))
+	{
+		identification_t *id;
+		certificate_t *cert;
+
+		id = identification_create_from_encoding(ID_KEY_ID, keyid);
+		cert = lib->credmgr->get_cert(lib->credmgr,
+									  CERT_X509, KEY_ANY, id, TRUE);
+		if (cert)
+		{
+			DBG1(DBG_IKE, "received cert request for \"%Y\"",
+				 cert->get_subject(cert));
+			auth->add(auth, AUTH_RULE_CA_CERT, cert);
+		}
+		else
+		{
+			DBG2(DBG_IKE, "received cert request for unknown ca with keyid %Y",
+				 id);
+			unknown++;
+		}
+		id->destroy(id);
+	}
+	enumerator->destroy(enumerator);
+	if (unknown)
+	{
+		DBG1(DBG_IKE, "received %u cert requests for an unknown ca",
+			 unknown);
+	}
+}
+
+/**
+ * Process a single notify payload
+ */
+static void process_notify(private_ike_cert_pre_t *this,
+						   notify_payload_t *notify)
+{
+	switch (notify->get_notify_type(notify))
+	{
+		case HTTP_CERT_LOOKUP_SUPPORTED:
+			this->ike_sa->enable_extension(this->ike_sa, EXT_HASH_AND_URL);
+			break;
+		default:
+			break;
+	}
+}
+
 /**
  * read certificate requests
  */
@@ -73,62 +139,11 @@ static void process_certreqs(private_ike_cert_pre_t *this, message_t *message)
 		switch (payload->get_type(payload))
 		{
 			case CERTIFICATE_REQUEST:
-			{
-				certreq_payload_t *certreq = (certreq_payload_t*)payload;
-				enumerator_t *enumerator;
-				u_int unknown = 0;
-				chunk_t keyid;
-
-				this->ike_sa->set_condition(this->ike_sa, COND_CERTREQ_SEEN, TRUE);
-
-				if (certreq->get_cert_type(certreq) != CERT_X509)
-				{
-					DBG1(DBG_IKE, "cert payload %N not supported - ignored",
-						 certificate_type_names, certreq->get_cert_type(certreq));
-					break;
-				}
-				enumerator = certreq->create_keyid_enumerator(certreq);
-				while (enumerator->enumerate(enumerator, &keyid))
-				{
-					identification_t *id;
-					certificate_t *cert;
-
-					id = identification_create_from_encoding(ID_KEY_ID, keyid);
-					cert = lib->credmgr->get_cert(lib->credmgr,
-												  CERT_X509, KEY_ANY, id, TRUE);
-					if (cert)
-					{
-						DBG1(DBG_IKE, "received cert request for \"%Y\"",
-							 cert->get_subject(cert));
-						auth->add(auth, AUTH_RULE_CA_CERT, cert);
-					}
-					else
-					{
-						DBG2(DBG_IKE, "received cert request for unknown ca "
-									  "with keyid %Y", id);
-						unknown++;
-					}
-					id->destroy(id);
-				}
-				enumerator->destroy(enumerator);
-				if (unknown)
-				{
-					DBG1(DBG_IKE, "received %u cert requests for an unknown ca",
-						 unknown);
-				}
+				process_certreq(this, (certreq_payload_t*)payload, auth);
 				break;
-			}
 			case NOTIFY:
-			{
-				notify_payload_t *notify = (notify_payload_t*)payload;
-
-				/* we only handle one type of notify here */
-				if (notify->get_notify_type(notify) == HTTP_CERT_LOOKUP_SUPPORTED)
-				{
-					this->ike_sa->enable_extension(this->ike_sa, EXT_HASH_AND_URL);
-				}
+				process_notify(this, (notify_payload_t*)payload);
 				break;
-			}
 			default:
 				/* ignore other payloads here, these are handled elsewhere */
 				break;
@@ -177,7 +192,75 @@ static certificate_t *try_get_cert(cert_payload_t *cert_payload)
 }
 
 /**
- * import certificates
+ * Process a X509 certificate payload
+ */
+static void process_x509(cert_payload_t *payload, auth_cfg_t *auth,
+						 cert_encoding_t encoding, bool *first)
+{
+	certificate_t *cert;
+	char *url;
+
+	cert = try_get_cert(payload);
+	if (cert)
+	{
+		if (*first)
+		{	/* the first is an end entity certificate */
+			DBG1(DBG_IKE, "received end entity cert \"%Y\"",
+				 cert->get_subject(cert));
+			auth->add(auth, AUTH_HELPER_SUBJECT_CERT, cert);
+			*first = FALSE;
+		}
+		else
+		{
+			DBG1(DBG_IKE, "received issuer cert \"%Y\"",
+				 cert->get_subject(cert));
+			auth->add(auth, AUTH_HELPER_IM_CERT, cert);
+		}
+	}
+	else if (encoding == ENC_X509_HASH_AND_URL)
+	{
+		/* we fetch the certificate not yet, but only if
+		 * it is really needed during authentication */
+		url = payload->get_url(payload);
+		if (!url)
+		{
+			DBG1(DBG_IKE, "received invalid hash-and-url "
+				 "encoded cert, ignore");
+			return;
+		}
+		url = strdup(url);
+		if (first)
+		{	/* first URL is for an end entity certificate */
+			DBG1(DBG_IKE, "received hash-and-url for end entity cert \"%s\"",
+				 url);
+			auth->add(auth, AUTH_HELPER_SUBJECT_HASH_URL, url);
+			first = FALSE;
+		}
+		else
+		{
+			DBG1(DBG_IKE, "received hash-and-url for issuer cert \"%s\"", url);
+			auth->add(auth, AUTH_HELPER_IM_HASH_URL, url);
+		}
+	}
+}
+
+/**
+ * Process a CRL certificate payload
+ */
+static void process_crl(cert_payload_t *payload, auth_cfg_t *auth)
+{
+	certificate_t *cert;
+
+	cert = payload->get_cert(payload);
+	if (cert)
+	{
+		DBG1(DBG_IKE, "received CRL \"%Y\"", cert->get_subject(cert));
+		auth->add(auth, AUTH_HELPER_REVOCATION_CERT, cert);
+	}
+}
+
+/**
+ * Process certificate payloads
  */
 static void process_certs(private_ike_cert_pre_t *this, message_t *message)
 {
@@ -195,8 +278,6 @@ static void process_certs(private_ike_cert_pre_t *this, message_t *message)
 		{
 			cert_payload_t *cert_payload;
 			cert_encoding_t encoding;
-			certificate_t *cert;
-			char *url;
 
 			cert_payload = (cert_payload_t*)payload;
 			encoding = cert_payload->get_cert_encoding(cert_payload);
@@ -204,70 +285,18 @@ static void process_certs(private_ike_cert_pre_t *this, message_t *message)
 			switch (encoding)
 			{
 				case ENC_X509_HASH_AND_URL:
-				{
 					if (!this->do_http_lookup)
 					{
-						DBG1(DBG_IKE, "received hash-and-url encoded cert, but"
-								" we don't accept them, ignore");
+						DBG1(DBG_IKE, "received hash-and-url encoded cert, but "
+							 "we don't accept them, ignore");
 						break;
 					}
 					/* FALL */
-				}
 				case ENC_X509_SIGNATURE:
-				{
-					cert = try_get_cert(cert_payload);
-					if (cert)
-					{
-						if (first)
-						{	/* the first is an end entity certificate */
-							DBG1(DBG_IKE, "received end entity cert \"%Y\"",
-								 cert->get_subject(cert));
-							auth->add(auth, AUTH_HELPER_SUBJECT_CERT, cert);
-							first = FALSE;
-						}
-						else
-						{
-							DBG1(DBG_IKE, "received issuer cert \"%Y\"",
-								 cert->get_subject(cert));
-							auth->add(auth, AUTH_HELPER_IM_CERT, cert);
-						}
-					}
-					else if (encoding == ENC_X509_HASH_AND_URL)
-					{
-						/* we fetch the certificate not yet, but only if
-						 * it is really needed during authentication */
-						url = cert_payload->get_url(cert_payload);
-						if (!url)
-						{
-							DBG1(DBG_IKE, "received invalid hash-and-url "
-								 "encoded cert, ignore");
-							break;
-						}
-						url = strdup(url);
-						if (first)
-						{	/* first URL is for an end entity certificate */
-							DBG1(DBG_IKE, "received hash-and-url for end"
-								 " entity cert \"%s\"", url);
-							auth->add(auth, AUTH_HELPER_SUBJECT_HASH_URL, url);
-							first = FALSE;
-						}
-						else
-						{
-							DBG1(DBG_IKE, "received hash-and-url for issuer"
-									" cert \"%s\"", url);
-							auth->add(auth, AUTH_HELPER_IM_HASH_URL, url);
-						}
-					}
+					process_x509(cert_payload, auth, encoding, &first);
 					break;
-				}
 				case ENC_CRL:
-					cert = cert_payload->get_cert(cert_payload);
-					if (cert)
-					{
-						DBG1(DBG_IKE, "received CRL \"%Y\"",
-							 cert->get_subject(cert));
-						auth->add(auth, AUTH_HELPER_REVOCATION_CERT, cert);
-					}
+					process_crl(cert_payload, auth);
 					break;
 				case ENC_PKCS7_WRAPPED_X509:
 				case ENC_PGP:
diff --git a/src/libcharon/sa/ikev2/tasks/ike_config.c b/src/libcharon/sa/ikev2/tasks/ike_config.c
index c44f0452c..d637c26fe 100644
--- a/src/libcharon/sa/ikev2/tasks/ike_config.c
+++ b/src/libcharon/sa/ikev2/tasks/ike_config.c
@@ -380,6 +380,7 @@ METHOD(task_t, build_r, status_t,
 		{
 			DBG1(DBG_IKE, "no virtual IP found, sending %N",
 				 notify_type_names, INTERNAL_ADDRESS_FAILURE);
+			charon->bus->alert(charon->bus, ALERT_VIP_FAILURE, this->vips);
 			message->add_notify(message, FALSE, INTERNAL_ADDRESS_FAILURE,
 								chunk_empty);
 			vips->destroy_offset(vips, offsetof(host_t, destroy));
@@ -390,6 +391,7 @@ METHOD(task_t, build_r, status_t,
 		{
 			DBG1(DBG_IKE, "expected a virtual IP request, sending %N",
 				 notify_type_names, FAILED_CP_REQUIRED);
+			charon->bus->alert(charon->bus, ALERT_VIP_FAILURE, this->vips);
 			message->add_notify(message, FALSE, FAILED_CP_REQUIRED, chunk_empty);
 			vips->destroy_offset(vips, offsetof(host_t, destroy));
 			pools->destroy(pools);
diff --git a/src/libcharon/sa/ikev2/tasks/ike_init.c b/src/libcharon/sa/ikev2/tasks/ike_init.c
index f2a06735e..7542937b3 100644
--- a/src/libcharon/sa/ikev2/tasks/ike_init.c
+++ b/src/libcharon/sa/ikev2/tasks/ike_init.c
@@ -187,6 +187,11 @@ static void process_payloads(private_ike_init_t *this, message_t *message)
 														   EXT_STRONGSWAN);
 				this->proposal = this->config->select_proposal(this->config,
 														proposal_list, private);
+				if (!this->proposal)
+				{
+					charon->bus->alert(charon->bus, ALERT_PROPOSAL_MISMATCH_IKE,
+									   proposal_list);
+				}
 				proposal_list->destroy_offset(proposal_list,
 											  offsetof(proposal_t, destroy));
 				break;
@@ -421,7 +426,7 @@ METHOD(task_t, process_i, status_t,
 	enumerator_t *enumerator;
 	payload_t *payload;
 
-	/* check for erronous notifies */
+	/* check for erroneous notifies */
 	enumerator = message->create_payload_enumerator(message);
 	while (enumerator->enumerate(enumerator, &payload))
 	{
diff --git a/src/libcharon/sa/ikev2/tasks/ike_mobike.h b/src/libcharon/sa/ikev2/tasks/ike_mobike.h
index 3b447af51..b145a9a8b 100644
--- a/src/libcharon/sa/ikev2/tasks/ike_mobike.h
+++ b/src/libcharon/sa/ikev2/tasks/ike_mobike.h
@@ -26,7 +26,7 @@ typedef struct ike_mobike_t ike_mobike_t;
 #include <library.h>
 #include <sa/ike_sa.h>
 #include <sa/task.h>
-#include <utils/packet.h>
+#include <networking/packet.h>
 
 /**
  * Task of type ike_mobike, detects and handles MOBIKE extension.
diff --git a/src/libcharon/sa/shunt_manager.c b/src/libcharon/sa/shunt_manager.c
index 5af43fb91..94be7d433 100644
--- a/src/libcharon/sa/shunt_manager.c
+++ b/src/libcharon/sa/shunt_manager.c
@@ -18,7 +18,7 @@
 #include <hydra.h>
 #include <daemon.h>
 #include <threading/rwlock.h>
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
 
 
 typedef struct private_shunt_manager_t private_shunt_manager_t;
diff --git a/src/libcharon/sa/shunt_manager.h b/src/libcharon/sa/shunt_manager.h
index 12ff08558..28a795dc9 100644
--- a/src/libcharon/sa/shunt_manager.h
+++ b/src/libcharon/sa/shunt_manager.h
@@ -22,7 +22,7 @@
 #define SHUNT_MANAGER_H_
 
 #include <library.h>
-#include <utils/enumerator.h>
+#include <collections/enumerator.h>
 #include <config/child_cfg.h>
 
 typedef struct shunt_manager_t shunt_manager_t;
diff --git a/src/libcharon/sa/trap_manager.c b/src/libcharon/sa/trap_manager.c
index fdcfa0a20..6c0ae19c7 100644
--- a/src/libcharon/sa/trap_manager.c
+++ b/src/libcharon/sa/trap_manager.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2011 Tobias Brunner
+ * Copyright (C) 2011-2012 Tobias Brunner
  * Copyright (C) 2009 Martin Willi
  * Hochschule fuer Technik Rapperswil
  *
@@ -19,7 +19,7 @@
 #include <hydra.h>
 #include <daemon.h>
 #include <threading/rwlock.h>
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
 
 
 typedef struct private_trap_manager_t private_trap_manager_t;
@@ -94,36 +94,14 @@ static void destroy_entry(entry_t *entry)
 METHOD(trap_manager_t, install, u_int32_t,
 	private_trap_manager_t *this, peer_cfg_t *peer, child_cfg_t *child)
 {
-	entry_t *entry;
+	entry_t *entry, *found = NULL;
 	ike_cfg_t *ike_cfg;
 	child_sa_t *child_sa;
 	host_t *me, *other;
 	linked_list_t *my_ts, *other_ts, *list;
 	enumerator_t *enumerator;
-	bool found = FALSE;
 	status_t status;
-	u_int32_t reqid;
-
-	/* check if not already done */
-	this->lock->read_lock(this->lock);
-	enumerator = this->traps->create_enumerator(this->traps);
-	while (enumerator->enumerate(enumerator, &entry))
-	{
-		if (streq(entry->child_sa->get_name(entry->child_sa),
-				  child->get_name(child)))
-		{
-			found = TRUE;
-			break;
-		}
-	}
-	enumerator->destroy(enumerator);
-	this->lock->unlock(this->lock);
-	if (found)
-	{
-		DBG1(DBG_CFG, "CHILD_SA named '%s' already routed",
-			 child->get_name(child));
-		return 0;
-	}
+	u_int32_t reqid = 0;
 
 	/* try to resolve addresses */
 	ike_cfg = peer->get_ike_cfg(peer);
@@ -150,8 +128,28 @@ METHOD(trap_manager_t, install, u_int32_t,
 		me->set_port(me, ike_cfg->get_my_port(ike_cfg));
 	}
 
+	this->lock->write_lock(this->lock);
+	enumerator = this->traps->create_enumerator(this->traps);
+	while (enumerator->enumerate(enumerator, &entry))
+	{
+		if (streq(entry->child_sa->get_name(entry->child_sa),
+				  child->get_name(child)))
+		{
+			this->traps->remove_at(this->traps, enumerator);
+			found = entry;
+			break;
+		}
+	}
+	enumerator->destroy(enumerator);
+	if (found)
+	{	/* config might have changed so update everything */
+		DBG1(DBG_CFG, "updating already routed CHILD_SA '%s'",
+			 child->get_name(child));
+		reqid = found->child_sa->get_reqid(found->child_sa);
+	}
+
 	/* create and route CHILD_SA */
-	child_sa = child_sa_create(me, other, child, 0, FALSE);
+	child_sa = child_sa_create(me, other, child, reqid, FALSE);
 
 	list = linked_list_create_with_items(me, NULL);
 	my_ts = child->get_traffic_selectors(child, TRUE, NULL, list);
@@ -171,21 +169,29 @@ METHOD(trap_manager_t, install, u_int32_t,
 	other_ts->destroy_offset(other_ts, offsetof(traffic_selector_t, destroy));
 	if (status != SUCCESS)
 	{
-		child_sa->destroy(child_sa);
 		DBG1(DBG_CFG, "installing trap failed");
-		return 0;
+		reqid = 0;
+		/* hold off destroying the CHILD_SA until we released the lock */
+	}
+	else
+	{
+		INIT(entry,
+			.child_sa = child_sa,
+			.peer_cfg = peer->get_ref(peer),
+		);
+		this->traps->insert_last(this->traps, entry);
+		reqid = child_sa->get_reqid(child_sa);
 	}
-
-	reqid = child_sa->get_reqid(child_sa);
-	INIT(entry,
-		.child_sa = child_sa,
-		.peer_cfg = peer->get_ref(peer),
-	);
-
-	this->lock->write_lock(this->lock);
-	this->traps->insert_last(this->traps, entry);
 	this->lock->unlock(this->lock);
 
+	if (status != SUCCESS)
+	{
+		child_sa->destroy(child_sa);
+	}
+	if (found)
+	{
+		destroy_entry(found);
+	}
 	return reqid;
 }
 
diff --git a/src/libcharon/sa/trap_manager.h b/src/libcharon/sa/trap_manager.h
index 928b2a49f..e3d355662 100644
--- a/src/libcharon/sa/trap_manager.h
+++ b/src/libcharon/sa/trap_manager.h
@@ -22,7 +22,7 @@
 #define TRAP_MANAGER_H_
 
 #include <library.h>
-#include <utils/enumerator.h>
+#include <collections/enumerator.h>
 #include <config/peer_cfg.h>
 
 typedef struct trap_manager_t trap_manager_t;
diff --git a/src/libcharon/sa/xauth/xauth_manager.c b/src/libcharon/sa/xauth/xauth_manager.c
index 432c9c0ab..f0602a673 100644
--- a/src/libcharon/sa/xauth/xauth_manager.c
+++ b/src/libcharon/sa/xauth/xauth_manager.c
@@ -15,7 +15,7 @@
 
 #include "xauth_manager.h"
 
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
 #include <threading/rwlock.h>
 
 typedef struct private_xauth_manager_t private_xauth_manager_t;
diff --git a/src/libfast/Makefile.in b/src/libfast/Makefile.in
index 78341c7e7..906ea2119 100644
--- a/src/libfast/Makefile.in
+++ b/src/libfast/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -75,6 +75,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
 am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
 am__installdirs = "$(DESTDIR)$(ipseclibdir)" \
 	"$(DESTDIR)$(fast_includedir)"
 LTLIBRARIES = $(ipseclib_LTLIBRARIES)
@@ -124,6 +130,7 @@ CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -151,6 +158,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -178,6 +186,7 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
@@ -190,6 +199,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -243,7 +253,6 @@ libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -368,7 +377,7 @@ clean-ipseclibLTLIBRARIES:
 	  echo "rm -f \"$${dir}/so_locations\""; \
 	  rm -f "$${dir}/so_locations"; \
 	done
-libfast.la: $(libfast_la_OBJECTS) $(libfast_la_DEPENDENCIES) 
+libfast.la: $(libfast_la_OBJECTS) $(libfast_la_DEPENDENCIES) $(EXTRA_libfast_la_DEPENDENCIES) 
 	$(LINK) -rpath $(ipseclibdir) $(libfast_la_OBJECTS) $(libfast_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
@@ -428,9 +437,7 @@ uninstall-nobase_fast_includeHEADERS:
 	@$(NORMAL_UNINSTALL)
 	@list='$(nobase_fast_include_HEADERS)'; test -n "$(fast_includedir)" || list=; \
 	$(am__nobase_strip_setup); files=`$(am__nobase_strip)`; \
-	test -n "$$files" || exit 0; \
-	echo " ( cd '$(DESTDIR)$(fast_includedir)' && rm -f" $$files ")"; \
-	cd "$(DESTDIR)$(fast_includedir)" && rm -f $$files
+	dir='$(DESTDIR)$(fast_includedir)'; $(am__uninstall_files_from_dir)
 
 ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
 	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
@@ -531,10 +538,15 @@ install-am: all-am
 
 installcheck: installcheck-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
diff --git a/src/libfast/dispatcher.c b/src/libfast/dispatcher.c
index 63c872e35..e5a02c63b 100644
--- a/src/libfast/dispatcher.c
+++ b/src/libfast/dispatcher.c
@@ -22,12 +22,12 @@
 #include <signal.h>
 #include <unistd.h>
 
-#include <debug.h>
+#include <utils/debug.h>
 #include <threading/thread.h>
 #include <threading/condvar.h>
 #include <threading/mutex.h>
-#include <utils/linked_list.h>
-#include <utils/hashtable.h>
+#include <collections/linked_list.h>
+#include <collections/hashtable.h>
 
 /** Intervall to check for expired sessions, in seconds */
 #define CLEANUP_INTERVAL 30
diff --git a/src/libfast/request.c b/src/libfast/request.c
index 6ca474037..5d03227af 100644
--- a/src/libfast/request.c
+++ b/src/libfast/request.c
@@ -18,7 +18,7 @@
 #include "request.h"
 
 #include <library.h>
-#include <debug.h>
+#include <utils/debug.h>
 #include <stdlib.h>
 #include <pthread.h>
 #include <string.h>
diff --git a/src/libfast/session.c b/src/libfast/session.c
index cf14dbeb6..87a157b61 100644
--- a/src/libfast/session.c
+++ b/src/libfast/session.c
@@ -21,7 +21,7 @@
 #include <fcgiapp.h>
 #include <stdio.h>
 
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
 
 #define COOKIE_LEN 16
 
diff --git a/src/libfast/smtp.c b/src/libfast/smtp.c
index 1375c2944..a6ca67ddc 100644
--- a/src/libfast/smtp.c
+++ b/src/libfast/smtp.c
@@ -18,7 +18,7 @@
 #include <unistd.h>
 #include <errno.h>
 
-#include <debug.h>
+#include <utils/debug.h>
 
 typedef struct private_smtp_t private_smtp_t;
 
diff --git a/src/libhydra/Makefile.in b/src/libhydra/Makefile.in
index a10981a94..f433b24dc 100644
--- a/src/libhydra/Makefile.in
+++ b/src/libhydra/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -87,6 +87,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
 am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
 am__installdirs = "$(DESTDIR)$(ipseclibdir)"
 LTLIBRARIES = $(ipseclib_LTLIBRARIES)
 libhydra_la_DEPENDENCIES = $(am__append_2) $(am__append_4) \
@@ -172,6 +178,7 @@ CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -199,6 +206,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -226,6 +234,7 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
@@ -238,6 +247,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -291,7 +301,6 @@ libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -436,7 +445,7 @@ clean-ipseclibLTLIBRARIES:
 	  echo "rm -f \"$${dir}/so_locations\""; \
 	  rm -f "$${dir}/so_locations"; \
 	done
-libhydra.la: $(libhydra_la_OBJECTS) $(libhydra_la_DEPENDENCIES) 
+libhydra.la: $(libhydra_la_OBJECTS) $(libhydra_la_DEPENDENCIES) $(EXTRA_libhydra_la_DEPENDENCIES) 
 	$(LINK) -rpath $(ipseclibdir) $(libhydra_la_OBJECTS) $(libhydra_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
@@ -733,10 +742,15 @@ install-am: all-am
 
 installcheck: installcheck-recursive
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
diff --git a/src/libhydra/attributes/attribute_handler.h b/src/libhydra/attributes/attribute_handler.h
index 6014ef0fa..bc488f6cb 100644
--- a/src/libhydra/attributes/attribute_handler.h
+++ b/src/libhydra/attributes/attribute_handler.h
@@ -21,9 +21,9 @@
 #ifndef ATTRIBUTE_HANDLER_H_
 #define ATTRIBUTE_HANDLER_H_
 
-#include <chunk.h>
+#include <utils/chunk.h>
 #include <utils/identification.h>
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
 
 #include "attributes.h"
 
diff --git a/src/libhydra/attributes/attribute_manager.c b/src/libhydra/attributes/attribute_manager.c
index 000d2e082..5fda8b426 100644
--- a/src/libhydra/attributes/attribute_manager.c
+++ b/src/libhydra/attributes/attribute_manager.c
@@ -15,8 +15,8 @@
 
 #include "attribute_manager.h"
 
-#include <debug.h>
-#include <utils/linked_list.h>
+#include <utils/debug.h>
+#include <collections/linked_list.h>
 #include <threading/rwlock.h>
 
 typedef struct private_attribute_manager_t private_attribute_manager_t;
diff --git a/src/libhydra/attributes/attribute_provider.h b/src/libhydra/attributes/attribute_provider.h
index e5e556fc4..adfd4a516 100644
--- a/src/libhydra/attributes/attribute_provider.h
+++ b/src/libhydra/attributes/attribute_provider.h
@@ -21,9 +21,9 @@
 #ifndef ATTRIBUTE_PROVIDER_H_
 #define ATTRIBUTE_PROVIDER_H_
 
-#include <utils/host.h>
+#include <networking/host.h>
 #include <utils/identification.h>
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
 
 typedef struct attribute_provider_t attribute_provider_t;
 
diff --git a/src/libhydra/attributes/attributes.h b/src/libhydra/attributes/attributes.h
index 8ff774b64..c3c37cfc4 100644
--- a/src/libhydra/attributes/attributes.h
+++ b/src/libhydra/attributes/attributes.h
@@ -24,7 +24,7 @@
 
 typedef enum configuration_attribute_type_t configuration_attribute_type_t;
 
-#include <enum.h>
+#include <utils/enum.h>
 
 /**
  * Type of the attribute, as in IKEv2 RFC 3.15.1 or IKEv1 ModeConfig.
diff --git a/src/libhydra/attributes/mem_pool.c b/src/libhydra/attributes/mem_pool.c
index 1e150c794..af53e10de 100644
--- a/src/libhydra/attributes/mem_pool.c
+++ b/src/libhydra/attributes/mem_pool.c
@@ -16,9 +16,9 @@
 
 #include "mem_pool.h"
 
-#include <debug.h>
-#include <utils/hashtable.h>
-#include <utils/linked_list.h>
+#include <utils/debug.h>
+#include <collections/hashtable.h>
+#include <collections/linked_list.h>
 #include <threading/mutex.h>
 
 #define POOL_LIMIT (sizeof(uintptr_t)*8)
diff --git a/src/libhydra/attributes/mem_pool.h b/src/libhydra/attributes/mem_pool.h
index fa4e6485c..692885ecd 100644
--- a/src/libhydra/attributes/mem_pool.h
+++ b/src/libhydra/attributes/mem_pool.h
@@ -24,7 +24,7 @@
 typedef struct mem_pool_t mem_pool_t;
 typedef enum mem_pool_op_t mem_pool_op_t;
 
-#include <utils/host.h>
+#include <networking/host.h>
 #include <utils/identification.h>
 
 /**
diff --git a/src/libhydra/hydra.c b/src/libhydra/hydra.c
index 7d6256598..b199b2ffb 100644
--- a/src/libhydra/hydra.c
+++ b/src/libhydra/hydra.c
@@ -15,7 +15,7 @@
 
 #include "hydra.h"
 
-#include <debug.h>
+#include <utils/debug.h>
 
 typedef struct private_hydra_t private_hydra_t;
 
@@ -28,12 +28,22 @@ struct private_hydra_t {
 	 * Public members of hydra_t.
 	 */
 	hydra_t public;
+
+	/**
+	 * Integrity check failed?
+	 */
+	bool integrity_failed;
+
+	/**
+	 * Number of times we have been initialized
+	 */
+	refcount_t ref;
 };
 
 /**
  * Single instance of hydra_t.
  */
-hydra_t *hydra;
+hydra_t *hydra = NULL;
 
 /**
  * Described in header.
@@ -41,6 +51,12 @@ hydra_t *hydra;
 void libhydra_deinit()
 {
 	private_hydra_t *this = (private_hydra_t*)hydra;
+
+	if (!this || !ref_put(&this->ref))
+	{	/* have more users */
+		return;
+	}
+
 	this->public.attributes->destroy(this->public.attributes);
 	this->public.kernel_interface->destroy(this->public.kernel_interface);
 	free((void*)this->public.daemon);
@@ -55,11 +71,19 @@ bool libhydra_init(const char *daemon)
 {
 	private_hydra_t *this;
 
+	if (hydra)
+	{	/* already initialized, increase refcount */
+		this = (private_hydra_t*)hydra;
+		ref_get(&this->ref);
+		return !this->integrity_failed;
+	}
+
 	INIT(this,
 		.public = {
 			.attributes = attribute_manager_create(),
 			.daemon = strdup(daemon ?: "libhydra"),
 		},
+		.ref = 1,
 	);
 	hydra = &this->public;
 
@@ -69,8 +93,8 @@ bool libhydra_init(const char *daemon)
 		!lib->integrity->check(lib->integrity, "libhydra", libhydra_init))
 	{
 		DBG1(DBG_LIB, "integrity check of libhydra failed");
-		return FALSE;
+		this->integrity_failed = TRUE;
 	}
-	return TRUE;
+	return !this->integrity_failed;
 }
 
diff --git a/src/libhydra/hydra.h b/src/libhydra/hydra.h
index d7a7d8de4..2a8709d72 100644
--- a/src/libhydra/hydra.h
+++ b/src/libhydra/hydra.h
@@ -72,6 +72,9 @@ extern hydra_t *hydra;
  *
  * The daemon's name is used to load daemon-specific settings.
  *
+ * libhydra_init() may be called multiple times in a single process, but each
+ * caller should call libhydra_deinit() for each call to libhydra_init().
+ *
  * @param daemon		name of the daemon that initializes the library
  * @return				FALSE if integrity check failed
  */
diff --git a/src/libhydra/kernel/kernel_interface.c b/src/libhydra/kernel/kernel_interface.c
index 5320ee2e9..8948e0561 100644
--- a/src/libhydra/kernel/kernel_interface.c
+++ b/src/libhydra/kernel/kernel_interface.c
@@ -40,9 +40,9 @@
 #include "kernel_interface.h"
 
 #include <hydra.h>
-#include <debug.h>
+#include <utils/debug.h>
 #include <threading/mutex.h>
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
 
 typedef struct private_kernel_interface_t private_kernel_interface_t;
 
@@ -312,23 +312,24 @@ METHOD(kernel_interface_t, create_address_enumerator, enumerator_t*,
 }
 
 METHOD(kernel_interface_t, add_ip, status_t,
-	private_kernel_interface_t *this, host_t *virtual_ip, host_t *iface_ip)
+	private_kernel_interface_t *this, host_t *virtual_ip, int prefix,
+	char *iface)
 {
 	if (!this->net)
 	{
 		return NOT_SUPPORTED;
 	}
-	return this->net->add_ip(this->net, virtual_ip, iface_ip);
+	return this->net->add_ip(this->net, virtual_ip, prefix, iface);
 }
 
 METHOD(kernel_interface_t, del_ip, status_t,
-	private_kernel_interface_t *this, host_t *virtual_ip)
+	private_kernel_interface_t *this, host_t *virtual_ip, int prefix, bool wait)
 {
 	if (!this->net)
 	{
 		return NOT_SUPPORTED;
 	}
-	return this->net->del_ip(this->net, virtual_ip);
+	return this->net->del_ip(this->net, virtual_ip, prefix, wait);
 }
 
 METHOD(kernel_interface_t, add_route, status_t,
diff --git a/src/libhydra/kernel/kernel_interface.h b/src/libhydra/kernel/kernel_interface.h
index 88d4a5bce..8d8ef2e83 100644
--- a/src/libhydra/kernel/kernel_interface.h
+++ b/src/libhydra/kernel/kernel_interface.h
@@ -48,7 +48,7 @@
 
 typedef struct kernel_interface_t kernel_interface_t;
 
-#include <utils/host.h>
+#include <networking/host.h>
 #include <crypto/prf_plus.h>
 
 #include <kernel/kernel_listener.h>
@@ -333,14 +333,14 @@ struct kernel_interface_t {
 	 * Virtual IPs are attached to an interface. If an IP is added multiple
 	 * times, the IP is refcounted and not removed until del_ip() was called
 	 * as many times as add_ip().
-	 * The virtual IP is attached to the interface where the iface_ip is found.
 	 *
 	 * @param virtual_ip	virtual ip address to assign
-	 * @param iface_ip		IP of an interface to attach virtual IP
+	 * @param prefix		prefix length to install IP with, -1 for auto
+	 * @param iface			interface to install virtual IP on
 	 * @return				SUCCESS if operation completed
 	 */
-	status_t (*add_ip) (kernel_interface_t *this, host_t *virtual_ip,
-						host_t *iface_ip);
+	status_t (*add_ip) (kernel_interface_t *this, host_t *virtual_ip, int prefix,
+						char *iface);
 
 	/**
 	 * Remove a virtual IP from an interface.
@@ -348,9 +348,12 @@ struct kernel_interface_t {
 	 * The kernel interface uses refcounting, see add_ip().
 	 *
 	 * @param virtual_ip	virtual ip address to assign
+	 * @param prefix		prefix length of the IP to uninstall, -1 for auto
+	 * @param wait			TRUE to wait untily IP is gone
 	 * @return				SUCCESS if operation completed
 	 */
-	status_t (*del_ip) (kernel_interface_t *this, host_t *virtual_ip);
+	status_t (*del_ip) (kernel_interface_t *this, host_t *virtual_ip,
+						int prefix, bool wait);
 
 	/**
 	 * Add a route.
diff --git a/src/libhydra/kernel/kernel_ipsec.h b/src/libhydra/kernel/kernel_ipsec.h
index ee0ade2aa..1da0805cb 100644
--- a/src/libhydra/kernel/kernel_ipsec.h
+++ b/src/libhydra/kernel/kernel_ipsec.h
@@ -26,7 +26,7 @@
 
 typedef struct kernel_ipsec_t kernel_ipsec_t;
 
-#include <utils/host.h>
+#include <networking/host.h>
 #include <ipsec/ipsec_types.h>
 #include <selectors/traffic_selector.h>
 #include <plugins/plugin.h>
diff --git a/src/libhydra/kernel/kernel_listener.h b/src/libhydra/kernel/kernel_listener.h
index 5db297b6f..27ea947eb 100644
--- a/src/libhydra/kernel/kernel_listener.h
+++ b/src/libhydra/kernel/kernel_listener.h
@@ -25,7 +25,7 @@ typedef struct kernel_listener_t kernel_listener_t;
 
 #include <kernel/kernel_ipsec.h>
 #include <selectors/traffic_selector.h>
-#include <utils/host.h>
+#include <networking/host.h>
 
 /**
  * Interface for components interested in kernel events.
diff --git a/src/libhydra/kernel/kernel_net.h b/src/libhydra/kernel/kernel_net.h
index 10350d644..6a3b2cee7 100644
--- a/src/libhydra/kernel/kernel_net.h
+++ b/src/libhydra/kernel/kernel_net.h
@@ -25,8 +25,8 @@
 typedef struct kernel_net_t kernel_net_t;
 typedef enum kernel_address_type_t kernel_address_type_t;
 
-#include <utils/enumerator.h>
-#include <utils/host.h>
+#include <collections/enumerator.h>
+#include <networking/host.h>
 #include <plugins/plugin.h>
 
 /**
@@ -112,14 +112,14 @@ struct kernel_net_t {
 	 * Virtual IPs are attached to an interface. If an IP is added multiple
 	 * times, the IP is refcounted and not removed until del_ip() was called
 	 * as many times as add_ip().
-	 * The virtual IP is attached to the interface where the iface_ip is found.
 	 *
 	 * @param virtual_ip	virtual ip address to assign
-	 * @param iface_ip		IP of an interface to attach virtual IP
+	 * @param prefix		prefix length to install with IP address, -1 for auto
+	 * @param iface			interface to install virtual IP on
 	 * @return				SUCCESS if operation completed
 	 */
-	status_t (*add_ip) (kernel_net_t *this, host_t *virtual_ip,
-						host_t *iface_ip);
+	status_t (*add_ip) (kernel_net_t *this, host_t *virtual_ip, int prefix,
+						char *iface);
 
 	/**
 	 * Remove a virtual IP from an interface.
@@ -127,9 +127,12 @@ struct kernel_net_t {
 	 * The kernel interface uses refcounting, see add_ip().
 	 *
 	 * @param virtual_ip	virtual ip address to assign
+	 * @param prefix		prefix length of the IP to uninstall, -1 for auto
+	 * @param wait			TRUE to wait until IP is gone
 	 * @return				SUCCESS if operation completed
 	 */
-	status_t (*del_ip) (kernel_net_t *this, host_t *virtual_ip);
+	status_t (*del_ip) (kernel_net_t *this, host_t *virtual_ip, int prefix,
+						bool wait);
 
 	/**
 	 * Add a route.
diff --git a/src/libhydra/plugins/attr/Makefile.in b/src/libhydra/plugins/attr/Makefile.in
index 831adf9d6..9dc84880a 100644
--- a/src/libhydra/plugins/attr/Makefile.in
+++ b/src/libhydra/plugins/attr/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -73,6 +73,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
 am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
 am__installdirs = "$(DESTDIR)$(plugindir)"
 LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
 libstrongswan_attr_la_LIBADD =
@@ -120,6 +126,7 @@ CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -147,6 +154,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -174,6 +182,7 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
@@ -186,6 +195,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -239,7 +249,6 @@ libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -369,7 +378,7 @@ clean-pluginLTLIBRARIES:
 	  echo "rm -f \"$${dir}/so_locations\""; \
 	  rm -f "$${dir}/so_locations"; \
 	done
-libstrongswan-attr.la: $(libstrongswan_attr_la_OBJECTS) $(libstrongswan_attr_la_DEPENDENCIES) 
+libstrongswan-attr.la: $(libstrongswan_attr_la_OBJECTS) $(libstrongswan_attr_la_DEPENDENCIES) $(EXTRA_libstrongswan_attr_la_DEPENDENCIES) 
 	$(libstrongswan_attr_la_LINK) $(am_libstrongswan_attr_la_rpath) $(libstrongswan_attr_la_OBJECTS) $(libstrongswan_attr_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
@@ -507,10 +516,15 @@ install-am: all-am
 
 installcheck: installcheck-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
diff --git a/src/libhydra/plugins/attr/attr_provider.c b/src/libhydra/plugins/attr/attr_provider.c
index c1c3cd895..1f333d03f 100644
--- a/src/libhydra/plugins/attr/attr_provider.c
+++ b/src/libhydra/plugins/attr/attr_provider.c
@@ -19,8 +19,8 @@
 #include <time.h>
 
 #include <hydra.h>
-#include <debug.h>
-#include <utils/linked_list.h>
+#include <utils/debug.h>
+#include <collections/linked_list.h>
 #include <threading/rwlock.h>
 
 #define SERVER_MAX		2
diff --git a/src/libhydra/plugins/attr_sql/Makefile.in b/src/libhydra/plugins/attr_sql/Makefile.in
index 71810ae5e..416712f3d 100644
--- a/src/libhydra/plugins/attr_sql/Makefile.in
+++ b/src/libhydra/plugins/attr_sql/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -75,6 +75,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
 am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
 am__installdirs = "$(DESTDIR)$(plugindir)" "$(DESTDIR)$(ipsecdir)"
 LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
 libstrongswan_attr_sql_la_LIBADD =
@@ -133,6 +139,7 @@ CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -160,6 +167,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -187,6 +195,7 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
@@ -199,6 +208,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -252,7 +262,6 @@ libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -391,7 +400,7 @@ clean-pluginLTLIBRARIES:
 	  echo "rm -f \"$${dir}/so_locations\""; \
 	  rm -f "$${dir}/so_locations"; \
 	done
-libstrongswan-attr-sql.la: $(libstrongswan_attr_sql_la_OBJECTS) $(libstrongswan_attr_sql_la_DEPENDENCIES) 
+libstrongswan-attr-sql.la: $(libstrongswan_attr_sql_la_OBJECTS) $(libstrongswan_attr_sql_la_DEPENDENCIES) $(EXTRA_libstrongswan_attr_sql_la_DEPENDENCIES) 
 	$(libstrongswan_attr_sql_la_LINK) $(am_libstrongswan_attr_sql_la_rpath) $(libstrongswan_attr_sql_la_OBJECTS) $(libstrongswan_attr_sql_la_LIBADD) $(LIBS)
 install-ipsecPROGRAMS: $(ipsec_PROGRAMS)
 	@$(NORMAL_INSTALL)
@@ -436,7 +445,7 @@ clean-ipsecPROGRAMS:
 	list=`for p in $$list; do echo "$$p"; done | sed 's/$(EXEEXT)$$//'`; \
 	echo " rm -f" $$list; \
 	rm -f $$list
-pool$(EXEEXT): $(pool_OBJECTS) $(pool_DEPENDENCIES) 
+pool$(EXEEXT): $(pool_OBJECTS) $(pool_DEPENDENCIES) $(EXTRA_pool_DEPENDENCIES) 
 	@rm -f pool$(EXEEXT)
 	$(LINK) $(pool_OBJECTS) $(pool_LDADD) $(LIBS)
 
@@ -578,10 +587,15 @@ install-am: all-am
 
 installcheck: installcheck-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
diff --git a/src/libhydra/plugins/attr_sql/attr_sql_plugin.c b/src/libhydra/plugins/attr_sql/attr_sql_plugin.c
index c04ec9a01..69e6f7be6 100644
--- a/src/libhydra/plugins/attr_sql/attr_sql_plugin.c
+++ b/src/libhydra/plugins/attr_sql/attr_sql_plugin.c
@@ -14,7 +14,7 @@
  */
 
 #include <hydra.h>
-#include <debug.h>
+#include <utils/debug.h>
 
 #include "attr_sql_plugin.h"
 #include "sql_attribute.h"
diff --git a/src/libhydra/plugins/attr_sql/pool.c b/src/libhydra/plugins/attr_sql/pool.c
index a2000cffe..f355e96e2 100644
--- a/src/libhydra/plugins/attr_sql/pool.c
+++ b/src/libhydra/plugins/attr_sql/pool.c
@@ -21,9 +21,9 @@
 #include <string.h>
 #include <errno.h>
 
-#include <debug.h>
+#include <utils/debug.h>
 #include <library.h>
-#include <utils/host.h>
+#include <networking/host.h>
 #include <utils/identification.h>
 #include <attributes/attributes.h>
 
diff --git a/src/libhydra/plugins/attr_sql/pool_attributes.c b/src/libhydra/plugins/attr_sql/pool_attributes.c
index d3fc06eeb..5dcfe85ed 100644
--- a/src/libhydra/plugins/attr_sql/pool_attributes.c
+++ b/src/libhydra/plugins/attr_sql/pool_attributes.c
@@ -17,7 +17,7 @@
 #include <string.h>
 
 #include <library.h>
-#include <utils/host.h>
+#include <networking/host.h>
 
 #include "pool_attributes.h"
 #include "pool_usage.h"
diff --git a/src/libhydra/plugins/attr_sql/sql_attribute.c b/src/libhydra/plugins/attr_sql/sql_attribute.c
index a7d90e728..1a4ee7a51 100644
--- a/src/libhydra/plugins/attr_sql/sql_attribute.c
+++ b/src/libhydra/plugins/attr_sql/sql_attribute.c
@@ -15,7 +15,7 @@
 
 #include <time.h>
 
-#include <debug.h>
+#include <utils/debug.h>
 #include <library.h>
 
 #include "sql_attribute.h"
diff --git a/src/libhydra/plugins/kernel_klips/Makefile.in b/src/libhydra/plugins/kernel_klips/Makefile.in
index 1dd633ee2..d62261d0b 100644
--- a/src/libhydra/plugins/kernel_klips/Makefile.in
+++ b/src/libhydra/plugins/kernel_klips/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -73,6 +73,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
 am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
 am__installdirs = "$(DESTDIR)$(plugindir)"
 LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
 libstrongswan_kernel_klips_la_LIBADD =
@@ -124,6 +130,7 @@ CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -151,6 +158,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -178,6 +186,7 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
@@ -190,6 +199,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -243,7 +253,6 @@ libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -373,7 +382,7 @@ clean-pluginLTLIBRARIES:
 	  echo "rm -f \"$${dir}/so_locations\""; \
 	  rm -f "$${dir}/so_locations"; \
 	done
-libstrongswan-kernel-klips.la: $(libstrongswan_kernel_klips_la_OBJECTS) $(libstrongswan_kernel_klips_la_DEPENDENCIES) 
+libstrongswan-kernel-klips.la: $(libstrongswan_kernel_klips_la_OBJECTS) $(libstrongswan_kernel_klips_la_DEPENDENCIES) $(EXTRA_libstrongswan_kernel_klips_la_DEPENDENCIES) 
 	$(libstrongswan_kernel_klips_la_LINK) $(am_libstrongswan_kernel_klips_la_rpath) $(libstrongswan_kernel_klips_la_OBJECTS) $(libstrongswan_kernel_klips_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
@@ -511,10 +520,15 @@ install-am: all-am
 
 installcheck: installcheck-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
diff --git a/src/libhydra/plugins/kernel_klips/kernel_klips_ipsec.c b/src/libhydra/plugins/kernel_klips/kernel_klips_ipsec.c
index d875dab04..431174e72 100644
--- a/src/libhydra/plugins/kernel_klips/kernel_klips_ipsec.c
+++ b/src/libhydra/plugins/kernel_klips/kernel_klips_ipsec.c
@@ -29,8 +29,8 @@
 #include "kernel_klips_ipsec.h"
 
 #include <hydra.h>
-#include <debug.h>
-#include <utils/linked_list.h>
+#include <utils/debug.h>
+#include <collections/linked_list.h>
 #include <threading/thread.h>
 #include <threading/mutex.h>
 #include <processing/jobs/callback_job.h>
diff --git a/src/libhydra/plugins/kernel_netlink/Makefile.in b/src/libhydra/plugins/kernel_netlink/Makefile.in
index d0adb3b1e..f0b3c9cfc 100644
--- a/src/libhydra/plugins/kernel_netlink/Makefile.in
+++ b/src/libhydra/plugins/kernel_netlink/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -73,6 +73,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
 am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
 am__installdirs = "$(DESTDIR)$(plugindir)"
 LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
 libstrongswan_kernel_netlink_la_LIBADD =
@@ -125,6 +131,7 @@ CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -152,6 +159,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -179,6 +187,7 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
@@ -191,6 +200,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -244,7 +254,6 @@ libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -381,7 +390,7 @@ clean-pluginLTLIBRARIES:
 	  echo "rm -f \"$${dir}/so_locations\""; \
 	  rm -f "$${dir}/so_locations"; \
 	done
-libstrongswan-kernel-netlink.la: $(libstrongswan_kernel_netlink_la_OBJECTS) $(libstrongswan_kernel_netlink_la_DEPENDENCIES) 
+libstrongswan-kernel-netlink.la: $(libstrongswan_kernel_netlink_la_OBJECTS) $(libstrongswan_kernel_netlink_la_DEPENDENCIES) $(EXTRA_libstrongswan_kernel_netlink_la_DEPENDENCIES) 
 	$(libstrongswan_kernel_netlink_la_LINK) $(am_libstrongswan_kernel_netlink_la_rpath) $(libstrongswan_kernel_netlink_la_OBJECTS) $(libstrongswan_kernel_netlink_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
@@ -521,10 +530,15 @@ install-am: all-am
 
 installcheck: installcheck-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
diff --git a/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c b/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c
index 4f5b6600d..f9b2634a0 100644
--- a/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c
+++ b/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c
@@ -36,11 +36,11 @@
 #include "kernel_netlink_shared.h"
 
 #include <hydra.h>
-#include <debug.h>
+#include <utils/debug.h>
 #include <threading/thread.h>
 #include <threading/mutex.h>
-#include <utils/hashtable.h>
-#include <utils/linked_list.h>
+#include <collections/hashtable.h>
+#include <collections/linked_list.h>
 #include <processing/jobs/callback_job.h>
 
 /** Required for Linux 2.6.26 kernel and later */
@@ -1537,7 +1537,8 @@ failed:
  * Allocates into one the replay state structure we get from the kernel.
  */
 static void get_replay_state(private_kernel_netlink_ipsec_t *this,
-							 u_int32_t spi, u_int8_t protocol, host_t *dst,
+							 u_int32_t spi, u_int8_t protocol,
+							 host_t *dst, mark_t mark,
 							 struct xfrm_replay_state_esn **replay_esn,
 							 struct xfrm_replay_state **replay)
 {
@@ -1566,6 +1567,24 @@ static void get_replay_state(private_kernel_netlink_ipsec_t *this,
 	aevent_id->sa_id.proto = protocol;
 	aevent_id->sa_id.family = dst->get_family(dst);
 
+	if (mark.value)
+	{
+		struct xfrm_mark *mrk;
+		struct rtattr *rthdr = XFRM_RTA(hdr, struct xfrm_aevent_id);
+
+		rthdr->rta_type = XFRMA_MARK;
+		rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_mark));
+		hdr->nlmsg_len += RTA_ALIGN(rthdr->rta_len);
+		if (hdr->nlmsg_len > sizeof(request))
+		{
+			return;
+		}
+
+		mrk = (struct xfrm_mark*)RTA_DATA(rthdr);
+		mrk->v = mark.value;
+		mrk->m = mark.mask;
+	}
+
 	if (this->socket_xfrm->send(this->socket_xfrm, hdr, &out, &len) == SUCCESS)
 	{
 		hdr = out;
@@ -1834,6 +1853,24 @@ METHOD(kernel_ipsec_t, update_sa, status_t,
 	sa_id->proto = protocol;
 	sa_id->family = dst->get_family(dst);
 
+	if (mark.value)
+	{
+		struct xfrm_mark *mrk;
+		struct rtattr *rthdr = XFRM_RTA(hdr, struct xfrm_usersa_id);
+
+		rthdr->rta_type = XFRMA_MARK;
+		rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_mark));
+		hdr->nlmsg_len += RTA_ALIGN(rthdr->rta_len);
+		if (hdr->nlmsg_len > sizeof(request))
+		{
+			return FAILED;
+		}
+
+		mrk = (struct xfrm_mark*)RTA_DATA(rthdr);
+		mrk->v = mark.value;
+		mrk->m = mark.mask;
+	}
+
 	if (this->socket_xfrm->send(this->socket_xfrm, hdr, &out, &len) == SUCCESS)
 	{
 		hdr = out;
@@ -1868,7 +1905,7 @@ METHOD(kernel_ipsec_t, update_sa, status_t,
 		goto failed;
 	}
 
-	get_replay_state(this, spi, protocol, dst, &replay_esn, &replay);
+	get_replay_state(this, spi, protocol, dst, mark, &replay_esn, &replay);
 
 	/* delete the old SA (without affecting the IPComp SA) */
 	if (del_sa(this, src, dst, spi, protocol, 0, mark) != SUCCESS)
diff --git a/src/libhydra/plugins/kernel_netlink/kernel_netlink_net.c b/src/libhydra/plugins/kernel_netlink/kernel_netlink_net.c
index 3f63a8496..e47887859 100644
--- a/src/libhydra/plugins/kernel_netlink/kernel_netlink_net.c
+++ b/src/libhydra/plugins/kernel_netlink/kernel_netlink_net.c
@@ -49,14 +49,14 @@
 #include "kernel_netlink_shared.h"
 
 #include <hydra.h>
-#include <debug.h>
+#include <utils/debug.h>
 #include <threading/thread.h>
 #include <threading/mutex.h>
 #include <threading/rwlock.h>
 #include <threading/rwlock_condvar.h>
 #include <threading/spinlock.h>
-#include <utils/hashtable.h>
-#include <utils/linked_list.h>
+#include <collections/hashtable.h>
+#include <collections/linked_list.h>
 #include <processing/jobs/callback_job.h>
 
 /** delay before firing roam events (ms) */
@@ -65,6 +65,9 @@
 /** delay before reinstalling routes (ms) */
 #define ROUTE_DELAY 100
 
+/** maximum recursion when searching for addresses in get_route() */
+#define MAX_ROUTE_RECURSION 2
+
 typedef struct addr_entry_t addr_entry_t;
 
 /**
@@ -543,12 +546,7 @@ static void queue_route_reinstall(private_kernel_netlink_net_t *this,
 	time_monotonic(&now);
 	if (timercmp(&now, &this->last_route_reinstall, >))
 	{
-		now.tv_usec += ROUTE_DELAY * 1000;
-		while (now.tv_usec > 1000000)
-		{
-			now.tv_sec++;
-			now.tv_usec -= 1000000;
-		}
+		timeval_add_ms(&now, ROUTE_DELAY);
 		this->last_route_reinstall = now;
 
 		job = (job_t*)callback_job_create((callback_job_cb_t)reinstall_routes,
@@ -704,12 +702,7 @@ static void fire_roam_event(private_kernel_netlink_net_t *this, bool address)
 		this->roam_lock->unlock(this->roam_lock);
 		return;
 	}
-	now.tv_usec += ROAM_DELAY * 1000;
-	while (now.tv_usec > 1000000)
-	{
-		now.tv_sec++;
-		now.tv_usec -= 1000000;
-	}
+	timeval_add_ms(&now, ROAM_DELAY);
 	this->next_roam = now;
 	this->roam_lock->unlock(this->roam_lock);
 
@@ -1236,6 +1229,19 @@ METHOD(kernel_net_t, get_interface_name, bool,
 		this->lock->unlock(this->lock);
 		return TRUE;
 	}
+	/* in a second step, consider virtual IPs installed by us */
+	entry = this->vips->get_match(this->vips, &lookup,
+								  (void*)addr_map_entry_match_up_and_usable);
+	if (entry)
+	{
+		if (name)
+		{
+			*name = strdup(entry->iface->ifname);
+			DBG2(DBG_KNL, "virtual %H is on interface %s", ip, *name);
+		}
+		this->lock->unlock(this->lock);
+		return TRUE;
+	}
 	/* maybe it is installed on an ignored interface */
 	entry = this->addrs->get_match(this->addrs, &lookup,
 								  (void*)addr_map_entry_match_up);
@@ -1400,7 +1406,7 @@ static rt_entry_t *parse_route(struct nlmsghdr *hdr, rt_entry_t *route)
  * Get a route: If "nexthop", the nexthop is returned. source addr otherwise.
  */
 static host_t *get_route(private_kernel_netlink_net_t *this, host_t *dest,
-						 bool nexthop, host_t *candidate)
+						 bool nexthop, host_t *candidate, u_int recursion)
 {
 	netlink_buf_t request;
 	struct nlmsghdr *hdr, *out, *current;
@@ -1412,6 +1418,11 @@ static host_t *get_route(private_kernel_netlink_net_t *this, host_t *dest,
 	enumerator_t *enumerator;
 	host_t *addr = NULL;
 
+	if (recursion > MAX_ROUTE_RECURSION)
+	{
+		return NULL;
+	}
+
 	memset(&request, 0, sizeof(request));
 
 	hdr = (struct nlmsghdr*)request;
@@ -1567,8 +1578,12 @@ static host_t *get_route(private_kernel_netlink_net_t *this, host_t *dest,
 			host_t *gtw;
 
 			gtw = host_create_from_chunk(msg->rtm_family, route->gtw, 0);
-			route->src_host = get_route(this, gtw, FALSE, candidate);
-			gtw->destroy(gtw);
+			if (gtw && !gtw->ip_equals(gtw, dest))
+			{
+				route->src_host = get_route(this, gtw, FALSE, candidate,
+											recursion + 1);
+			}
+			DESTROY_IF(gtw);
 			if (route->src_host)
 			{	/* more of the same */
 				if (!candidate ||
@@ -1607,7 +1622,7 @@ static host_t *get_route(private_kernel_netlink_net_t *this, host_t *dest,
 		DBG2(DBG_KNL, "using %H as %s to reach %H", addr,
 			 nexthop ? "nexthop" : "address", dest);
 	}
-	else
+	else if (!recursion)
 	{
 		DBG2(DBG_KNL, "no %s found to reach %H",
 			 nexthop ? "nexthop" : "address", dest);
@@ -1618,13 +1633,13 @@ static host_t *get_route(private_kernel_netlink_net_t *this, host_t *dest,
 METHOD(kernel_net_t, get_source_addr, host_t*,
 	private_kernel_netlink_net_t *this, host_t *dest, host_t *src)
 {
-	return get_route(this, dest, FALSE, src);
+	return get_route(this, dest, FALSE, src, 0);
 }
 
 METHOD(kernel_net_t, get_nexthop, host_t*,
 	private_kernel_netlink_net_t *this, host_t *dest, host_t *src)
 {
-	return get_route(this, dest, TRUE, src);
+	return get_route(this, dest, TRUE, src, 0);
 }
 
 /**
@@ -1632,7 +1647,7 @@ METHOD(kernel_net_t, get_nexthop, host_t*,
  * By setting the appropriate nlmsg_type, the ip will be set or unset.
  */
 static status_t manage_ipaddr(private_kernel_netlink_net_t *this, int nlmsg_type,
-							  int flags, int if_index, host_t *ip)
+							  int flags, int if_index, host_t *ip, int prefix)
 {
 	netlink_buf_t request;
 	struct nlmsghdr *hdr;
@@ -1651,7 +1666,7 @@ static status_t manage_ipaddr(private_kernel_netlink_net_t *this, int nlmsg_type
 	msg = (struct ifaddrmsg*)NLMSG_DATA(hdr);
 	msg->ifa_family = ip->get_family(ip);
 	msg->ifa_flags = 0;
-	msg->ifa_prefixlen = 8 * chunk.len;
+	msg->ifa_prefixlen = prefix < 0 ? chunk.len * 8 : prefix;
 	msg->ifa_scope = RT_SCOPE_UNIVERSE;
 	msg->ifa_index = if_index;
 
@@ -1661,7 +1676,8 @@ static status_t manage_ipaddr(private_kernel_netlink_net_t *this, int nlmsg_type
 }
 
 METHOD(kernel_net_t, add_ip, status_t,
-	private_kernel_netlink_net_t *this, host_t *virtual_ip, host_t *iface_ip)
+	private_kernel_netlink_net_t *this, host_t *virtual_ip, int prefix,
+	char *iface_name)
 {
 	addr_map_entry_t *entry, lookup = {
 		.ip = virtual_ip,
@@ -1712,17 +1728,11 @@ METHOD(kernel_net_t, add_ip, status_t,
 		 this->ifaces->find_first(this->ifaces, (void*)iface_entry_by_name,
 						(void**)&iface, this->install_virtual_ip_on) != SUCCESS)
 	{
-		lookup.ip = iface_ip;
-		entry = this->addrs->get_match(this->addrs, &lookup,
-									  (void*)addr_map_entry_match);
-		if (!entry)
+		if (this->ifaces->find_first(this->ifaces, (void*)iface_entry_by_name,
+									 (void**)&iface, iface_name) != SUCCESS)
 		{	/* if we don't find the requested interface we just use the first */
 			this->ifaces->get_first(this->ifaces, (void**)&iface);
 		}
-		else
-		{
-			iface = entry->iface;
-		}
 	}
 	if (iface)
 	{
@@ -1736,7 +1746,7 @@ METHOD(kernel_net_t, add_ip, status_t,
 		iface->addrs->insert_last(iface->addrs, addr);
 		addr_map_entry_add(this->vips, addr, iface);
 		if (manage_ipaddr(this, RTM_NEWADDR, NLM_F_CREATE | NLM_F_EXCL,
-						  iface->ifindex, virtual_ip) == SUCCESS)
+						  iface->ifindex, virtual_ip, prefix) == SUCCESS)
 		{
 			while (!is_vip_installed_or_gone(this, virtual_ip, &entry))
 			{	/* wait until address appears */
@@ -1761,7 +1771,8 @@ METHOD(kernel_net_t, add_ip, status_t,
 }
 
 METHOD(kernel_net_t, del_ip, status_t,
-	private_kernel_netlink_net_t *this, host_t *virtual_ip)
+	private_kernel_netlink_net_t *this, host_t *virtual_ip, int prefix,
+	bool wait)
 {
 	addr_map_entry_t *entry, lookup = {
 		.ip = virtual_ip,
@@ -1800,8 +1811,8 @@ METHOD(kernel_net_t, del_ip, status_t,
 		 * until the entry is gone, also so we can wait below */
 		entry->addr->installed = FALSE;
 		status = manage_ipaddr(this, RTM_DELADDR, 0, entry->iface->ifindex,
-							   virtual_ip);
-		if (status == SUCCESS)
+							   virtual_ip, prefix);
+		if (status == SUCCESS && wait)
 		{	/* wait until the address is really gone */
 			while (is_known_vip(this, virtual_ip))
 			{
diff --git a/src/libhydra/plugins/kernel_netlink/kernel_netlink_shared.c b/src/libhydra/plugins/kernel_netlink/kernel_netlink_shared.c
index 285f6c8b2..561e8529d 100644
--- a/src/libhydra/plugins/kernel_netlink/kernel_netlink_shared.c
+++ b/src/libhydra/plugins/kernel_netlink/kernel_netlink_shared.c
@@ -21,7 +21,7 @@
 
 #include "kernel_netlink_shared.h"
 
-#include <debug.h>
+#include <utils/debug.h>
 #include <threading/mutex.h>
 
 typedef struct private_netlink_socket_t private_netlink_socket_t;
diff --git a/src/libhydra/plugins/kernel_pfkey/Makefile.in b/src/libhydra/plugins/kernel_pfkey/Makefile.in
index aac85a4e6..5f3a3c590 100644
--- a/src/libhydra/plugins/kernel_pfkey/Makefile.in
+++ b/src/libhydra/plugins/kernel_pfkey/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -73,6 +73,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
 am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
 am__installdirs = "$(DESTDIR)$(plugindir)"
 LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
 libstrongswan_kernel_pfkey_la_LIBADD =
@@ -124,6 +130,7 @@ CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -151,6 +158,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -178,6 +186,7 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
@@ -190,6 +199,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -243,7 +253,6 @@ libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -375,7 +384,7 @@ clean-pluginLTLIBRARIES:
 	  echo "rm -f \"$${dir}/so_locations\""; \
 	  rm -f "$${dir}/so_locations"; \
 	done
-libstrongswan-kernel-pfkey.la: $(libstrongswan_kernel_pfkey_la_OBJECTS) $(libstrongswan_kernel_pfkey_la_DEPENDENCIES) 
+libstrongswan-kernel-pfkey.la: $(libstrongswan_kernel_pfkey_la_OBJECTS) $(libstrongswan_kernel_pfkey_la_DEPENDENCIES) $(EXTRA_libstrongswan_kernel_pfkey_la_DEPENDENCIES) 
 	$(libstrongswan_kernel_pfkey_la_LINK) $(am_libstrongswan_kernel_pfkey_la_rpath) $(libstrongswan_kernel_pfkey_la_OBJECTS) $(libstrongswan_kernel_pfkey_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
@@ -513,10 +522,15 @@ install-am: all-am
 
 installcheck: installcheck-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
diff --git a/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c b/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
index b099bc714..71bdbbe2b 100644
--- a/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
+++ b/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
@@ -58,10 +58,10 @@
 #include "kernel_pfkey_ipsec.h"
 
 #include <hydra.h>
-#include <debug.h>
-#include <utils/host.h>
-#include <utils/linked_list.h>
-#include <utils/hashtable.h>
+#include <utils/debug.h>
+#include <networking/host.h>
+#include <collections/linked_list.h>
+#include <collections/hashtable.h>
 #include <threading/thread.h>
 #include <threading/mutex.h>
 #include <processing/jobs/callback_job.h>
diff --git a/src/libhydra/plugins/kernel_pfroute/Makefile.in b/src/libhydra/plugins/kernel_pfroute/Makefile.in
index 6fa2fc9c1..56ba5aac7 100644
--- a/src/libhydra/plugins/kernel_pfroute/Makefile.in
+++ b/src/libhydra/plugins/kernel_pfroute/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -73,6 +73,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
 am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
 am__installdirs = "$(DESTDIR)$(plugindir)"
 LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
 libstrongswan_kernel_pfroute_la_LIBADD =
@@ -124,6 +130,7 @@ CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -151,6 +158,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -178,6 +186,7 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
@@ -190,6 +199,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -243,7 +253,6 @@ libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -375,7 +384,7 @@ clean-pluginLTLIBRARIES:
 	  echo "rm -f \"$${dir}/so_locations\""; \
 	  rm -f "$${dir}/so_locations"; \
 	done
-libstrongswan-kernel-pfroute.la: $(libstrongswan_kernel_pfroute_la_OBJECTS) $(libstrongswan_kernel_pfroute_la_DEPENDENCIES) 
+libstrongswan-kernel-pfroute.la: $(libstrongswan_kernel_pfroute_la_OBJECTS) $(libstrongswan_kernel_pfroute_la_DEPENDENCIES) $(EXTRA_libstrongswan_kernel_pfroute_la_DEPENDENCIES) 
 	$(libstrongswan_kernel_pfroute_la_LINK) $(am_libstrongswan_kernel_pfroute_la_rpath) $(libstrongswan_kernel_pfroute_la_OBJECTS) $(libstrongswan_kernel_pfroute_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
@@ -513,10 +522,15 @@ install-am: all-am
 
 installcheck: installcheck-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
diff --git a/src/libhydra/plugins/kernel_pfroute/kernel_pfroute_net.c b/src/libhydra/plugins/kernel_pfroute/kernel_pfroute_net.c
index 16a46bb56..7ac3e8a3c 100644
--- a/src/libhydra/plugins/kernel_pfroute/kernel_pfroute_net.c
+++ b/src/libhydra/plugins/kernel_pfroute/kernel_pfroute_net.c
@@ -24,13 +24,13 @@
 #include "kernel_pfroute_net.h"
 
 #include <hydra.h>
-#include <debug.h>
-#include <utils/host.h>
+#include <utils/debug.h>
+#include <networking/host.h>
 #include <threading/thread.h>
 #include <threading/mutex.h>
 #include <threading/rwlock.h>
-#include <utils/hashtable.h>
-#include <utils/linked_list.h>
+#include <collections/hashtable.h>
+#include <collections/linked_list.h>
 #include <processing/jobs/callback_job.h>
 
 #ifndef HAVE_STRUCT_SOCKADDR_SA_LEN
@@ -285,12 +285,7 @@ static void fire_roam_event(private_kernel_pfroute_net_t *this, bool address)
 	time_monotonic(&now);
 	if (timercmp(&now, &this->last_roam, >))
 	{
-		now.tv_usec += ROAM_DELAY * 1000;
-		while (now.tv_usec > 1000000)
-		{
-			now.tv_sec++;
-			now.tv_usec -= 1000000;
-		}
+		timeval_add_ms(&now, ROAM_DELAY);
 		this->last_roam = now;
 
 		job = (job_t*)callback_job_create((callback_job_cb_t)roam_event,
@@ -645,13 +640,15 @@ METHOD(kernel_net_t, get_nexthop, host_t*,
 }
 
 METHOD(kernel_net_t, add_ip, status_t,
-	private_kernel_pfroute_net_t *this, host_t *virtual_ip, host_t *iface_ip)
+	private_kernel_pfroute_net_t *this, host_t *virtual_ip, int prefix,
+	char *iface)
 {
 	return FAILED;
 }
 
 METHOD(kernel_net_t, del_ip, status_t,
-	private_kernel_pfroute_net_t *this, host_t *virtual_ip)
+	private_kernel_pfroute_net_t *this, host_t *virtual_ip, int prefix,
+	bool wait)
 {
 	return FAILED;
 }
diff --git a/src/libhydra/plugins/resolve/Makefile.in b/src/libhydra/plugins/resolve/Makefile.in
index aed5ee19d..f26c04fbe 100644
--- a/src/libhydra/plugins/resolve/Makefile.in
+++ b/src/libhydra/plugins/resolve/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -73,6 +73,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
 am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
 am__installdirs = "$(DESTDIR)$(plugindir)"
 LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
 libstrongswan_resolve_la_LIBADD =
@@ -123,6 +129,7 @@ CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -150,6 +157,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -177,6 +185,7 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
@@ -189,6 +198,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -242,7 +252,6 @@ libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -374,7 +383,7 @@ clean-pluginLTLIBRARIES:
 	  echo "rm -f \"$${dir}/so_locations\""; \
 	  rm -f "$${dir}/so_locations"; \
 	done
-libstrongswan-resolve.la: $(libstrongswan_resolve_la_OBJECTS) $(libstrongswan_resolve_la_DEPENDENCIES) 
+libstrongswan-resolve.la: $(libstrongswan_resolve_la_OBJECTS) $(libstrongswan_resolve_la_DEPENDENCIES) $(EXTRA_libstrongswan_resolve_la_DEPENDENCIES) 
 	$(libstrongswan_resolve_la_LINK) $(am_libstrongswan_resolve_la_rpath) $(libstrongswan_resolve_la_OBJECTS) $(libstrongswan_resolve_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
@@ -512,10 +521,15 @@ install-am: all-am
 
 installcheck: installcheck-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
diff --git a/src/libhydra/plugins/resolve/resolve_handler.c b/src/libhydra/plugins/resolve/resolve_handler.c
index 0a3094fd7..6b8d6be7f 100644
--- a/src/libhydra/plugins/resolve/resolve_handler.c
+++ b/src/libhydra/plugins/resolve/resolve_handler.c
@@ -21,7 +21,7 @@
 #include <unistd.h>
 
 #include <hydra.h>
-#include <debug.h>
+#include <utils/debug.h>
 #include <threading/mutex.h>
 
 /* path to resolvconf executable */
diff --git a/src/libimcv/Makefile.am b/src/libimcv/Makefile.am
index e0e8f1017..51a7be046 100644
--- a/src/libimcv/Makefile.am
+++ b/src/libimcv/Makefile.am
@@ -8,16 +8,32 @@ libimcv_la_LIBADD = $(top_builddir)/src/libtncif/libtncif.la
 libimcv_la_SOURCES = \
 	imcv.h imcv.c \
 	imc/imc_agent.h imc/imc_agent.c imc/imc_state.h \
+	imc/imc_msg.h imc/imc_msg.c \
 	imv/imv_agent.h imv/imv_agent.c imv/imv_state.h \
+	imv/imv_msg.h imv/imv_msg.c \
+	imv/imv_lang_string.h imv/imv_lang_string.c \
+	imv/imv_reason_string.h imv/imv_reason_string.c \
+	imv/imv_remediation_string.h imv/imv_remediation_string.c \
 	ietf/ietf_attr.h ietf/ietf_attr.c \
+	ietf/ietf_attr_assess_result.h ietf/ietf_attr_assess_result.c \
+	ietf/ietf_attr_attr_request.h ietf/ietf_attr_attr_request.c \
+	ietf/ietf_attr_fwd_enabled.h ietf/ietf_attr_fwd_enabled.c \
+	ietf/ietf_attr_default_pwd_enabled.h ietf/ietf_attr_default_pwd_enabled.c \
+	ietf/ietf_attr_installed_packages.h ietf/ietf_attr_installed_packages.c \
+	ietf/ietf_attr_numeric_version.h ietf/ietf_attr_numeric_version.c \
+	ietf/ietf_attr_op_status.h ietf/ietf_attr_op_status.c \
 	ietf/ietf_attr_pa_tnc_error.h ietf/ietf_attr_pa_tnc_error.c \
 	ietf/ietf_attr_port_filter.h ietf/ietf_attr_port_filter.c \
 	ietf/ietf_attr_product_info.h ietf/ietf_attr_product_info.c \
-	ietf/ietf_attr_attr_request.h ietf/ietf_attr_attr_request.c \
-	ietf/ietf_attr_assess_result.h ietf/ietf_attr_assess_result.c \
+	ietf/ietf_attr_remediation_instr.h ietf/ietf_attr_remediation_instr.c \
+	ietf/ietf_attr_string_version.h ietf/ietf_attr_string_version.c \
 	ita/ita_attr.h ita/ita_attr.c \
 	ita/ita_attr_command.h ita/ita_attr_command.c \
 	ita/ita_attr_dummy.h ita/ita_attr_dummy.c \
+	ita/ita_attr_get_settings.h ita/ita_attr_get_settings.c \
+	ita/ita_attr_settings.h ita/ita_attr_settings.c \
+	ita/ita_attr_angel.h ita/ita_attr_angel.c \
+	os_info/os_info.h os_info/os_info.c \
 	pa_tnc/pa_tnc_attr.h \
 	pa_tnc/pa_tnc_msg.h pa_tnc/pa_tnc_msg.c \
 	pa_tnc/pa_tnc_attr_manager.h pa_tnc/pa_tnc_attr_manager.c
@@ -38,4 +54,12 @@ endif
 
 if USE_IMV_SCANNER
   SUBDIRS += plugins/imv_scanner
-endif 
+endif
+
+if USE_IMC_OS
+  SUBDIRS += plugins/imc_os
+endif
+
+if USE_IMV_OS
+  SUBDIRS += plugins/imv_os
+endif
diff --git a/src/libimcv/Makefile.in b/src/libimcv/Makefile.in
index d1a1373af..4263d0a74 100644
--- a/src/libimcv/Makefile.in
+++ b/src/libimcv/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -38,6 +38,8 @@ host_triplet = @host@
 @USE_IMV_TEST_TRUE@am__append_2 = plugins/imv_test
 @USE_IMC_SCANNER_TRUE@am__append_3 = plugins/imc_scanner
 @USE_IMV_SCANNER_TRUE@am__append_4 = plugins/imv_scanner
+@USE_IMC_OS_TRUE@am__append_5 = plugins/imc_os
+@USE_IMV_OS_TRUE@am__append_6 = plugins/imv_os
 subdir = src/libimcv
 DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
@@ -77,14 +79,28 @@ am__nobase_list = $(am__nobase_strip_setup); \
 am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
 am__installdirs = "$(DESTDIR)$(ipseclibdir)"
 LTLIBRARIES = $(ipseclib_LTLIBRARIES)
 libimcv_la_DEPENDENCIES = $(top_builddir)/src/libtncif/libtncif.la
-am_libimcv_la_OBJECTS = imcv.lo imc_agent.lo imv_agent.lo ietf_attr.lo \
-	ietf_attr_pa_tnc_error.lo ietf_attr_port_filter.lo \
-	ietf_attr_product_info.lo ietf_attr_attr_request.lo \
-	ietf_attr_assess_result.lo ita_attr.lo ita_attr_command.lo \
-	ita_attr_dummy.lo pa_tnc_msg.lo pa_tnc_attr_manager.lo
+am_libimcv_la_OBJECTS = imcv.lo imc_agent.lo imc_msg.lo imv_agent.lo \
+	imv_msg.lo imv_lang_string.lo imv_reason_string.lo \
+	imv_remediation_string.lo ietf_attr.lo \
+	ietf_attr_assess_result.lo ietf_attr_attr_request.lo \
+	ietf_attr_fwd_enabled.lo ietf_attr_default_pwd_enabled.lo \
+	ietf_attr_installed_packages.lo ietf_attr_numeric_version.lo \
+	ietf_attr_op_status.lo ietf_attr_pa_tnc_error.lo \
+	ietf_attr_port_filter.lo ietf_attr_product_info.lo \
+	ietf_attr_remediation_instr.lo ietf_attr_string_version.lo \
+	ita_attr.lo ita_attr_command.lo ita_attr_dummy.lo \
+	ita_attr_get_settings.lo ita_attr_settings.lo \
+	ita_attr_angel.lo os_info.lo pa_tnc_msg.lo \
+	pa_tnc_attr_manager.lo
 libimcv_la_OBJECTS = $(am_libimcv_la_OBJECTS)
 DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
 depcomp = $(SHELL) $(top_srcdir)/depcomp
@@ -116,7 +132,7 @@ AM_RECURSIVE_TARGETS = $(RECURSIVE_TARGETS:-recursive=) \
 ETAGS = etags
 CTAGS = ctags
 DIST_SUBDIRS = . plugins/imc_test plugins/imv_test plugins/imc_scanner \
-	plugins/imv_scanner
+	plugins/imv_scanner plugins/imc_os plugins/imv_os
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 am__relativize = \
   dir0=`pwd`; \
@@ -162,6 +178,7 @@ CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -189,6 +206,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -216,6 +234,7 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
@@ -228,6 +247,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -281,7 +301,6 @@ libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -334,22 +353,38 @@ libimcv_la_LIBADD = $(top_builddir)/src/libtncif/libtncif.la
 libimcv_la_SOURCES = \
 	imcv.h imcv.c \
 	imc/imc_agent.h imc/imc_agent.c imc/imc_state.h \
+	imc/imc_msg.h imc/imc_msg.c \
 	imv/imv_agent.h imv/imv_agent.c imv/imv_state.h \
+	imv/imv_msg.h imv/imv_msg.c \
+	imv/imv_lang_string.h imv/imv_lang_string.c \
+	imv/imv_reason_string.h imv/imv_reason_string.c \
+	imv/imv_remediation_string.h imv/imv_remediation_string.c \
 	ietf/ietf_attr.h ietf/ietf_attr.c \
+	ietf/ietf_attr_assess_result.h ietf/ietf_attr_assess_result.c \
+	ietf/ietf_attr_attr_request.h ietf/ietf_attr_attr_request.c \
+	ietf/ietf_attr_fwd_enabled.h ietf/ietf_attr_fwd_enabled.c \
+	ietf/ietf_attr_default_pwd_enabled.h ietf/ietf_attr_default_pwd_enabled.c \
+	ietf/ietf_attr_installed_packages.h ietf/ietf_attr_installed_packages.c \
+	ietf/ietf_attr_numeric_version.h ietf/ietf_attr_numeric_version.c \
+	ietf/ietf_attr_op_status.h ietf/ietf_attr_op_status.c \
 	ietf/ietf_attr_pa_tnc_error.h ietf/ietf_attr_pa_tnc_error.c \
 	ietf/ietf_attr_port_filter.h ietf/ietf_attr_port_filter.c \
 	ietf/ietf_attr_product_info.h ietf/ietf_attr_product_info.c \
-	ietf/ietf_attr_attr_request.h ietf/ietf_attr_attr_request.c \
-	ietf/ietf_attr_assess_result.h ietf/ietf_attr_assess_result.c \
+	ietf/ietf_attr_remediation_instr.h ietf/ietf_attr_remediation_instr.c \
+	ietf/ietf_attr_string_version.h ietf/ietf_attr_string_version.c \
 	ita/ita_attr.h ita/ita_attr.c \
 	ita/ita_attr_command.h ita/ita_attr_command.c \
 	ita/ita_attr_dummy.h ita/ita_attr_dummy.c \
+	ita/ita_attr_get_settings.h ita/ita_attr_get_settings.c \
+	ita/ita_attr_settings.h ita/ita_attr_settings.c \
+	ita/ita_attr_angel.h ita/ita_attr_angel.c \
+	os_info/os_info.h os_info/os_info.c \
 	pa_tnc/pa_tnc_attr.h \
 	pa_tnc/pa_tnc_msg.h pa_tnc/pa_tnc_msg.c \
 	pa_tnc/pa_tnc_attr_manager.h pa_tnc/pa_tnc_attr_manager.c
 
 SUBDIRS = . $(am__append_1) $(am__append_2) $(am__append_3) \
-	$(am__append_4)
+	$(am__append_4) $(am__append_5) $(am__append_6)
 all: all-recursive
 
 .SUFFIXES:
@@ -415,7 +450,7 @@ clean-ipseclibLTLIBRARIES:
 	  echo "rm -f \"$${dir}/so_locations\""; \
 	  rm -f "$${dir}/so_locations"; \
 	done
-libimcv.la: $(libimcv_la_OBJECTS) $(libimcv_la_DEPENDENCIES) 
+libimcv.la: $(libimcv_la_OBJECTS) $(libimcv_la_DEPENDENCIES) $(EXTRA_libimcv_la_DEPENDENCIES) 
 	$(LINK) -rpath $(ipseclibdir) $(libimcv_la_OBJECTS) $(libimcv_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
@@ -427,15 +462,31 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ietf_attr.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ietf_attr_assess_result.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ietf_attr_attr_request.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ietf_attr_default_pwd_enabled.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ietf_attr_fwd_enabled.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ietf_attr_installed_packages.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ietf_attr_numeric_version.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ietf_attr_op_status.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ietf_attr_pa_tnc_error.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ietf_attr_port_filter.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ietf_attr_product_info.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ietf_attr_remediation_instr.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ietf_attr_string_version.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/imc_agent.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/imc_msg.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/imcv.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/imv_agent.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/imv_lang_string.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/imv_msg.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/imv_reason_string.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/imv_remediation_string.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ita_attr.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ita_attr_angel.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ita_attr_command.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ita_attr_dummy.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ita_attr_get_settings.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ita_attr_settings.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/os_info.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pa_tnc_attr_manager.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pa_tnc_msg.Plo@am__quote@
 
@@ -467,6 +518,13 @@ imc_agent.lo: imc/imc_agent.c
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o imc_agent.lo `test -f 'imc/imc_agent.c' || echo '$(srcdir)/'`imc/imc_agent.c
 
+imc_msg.lo: imc/imc_msg.c
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT imc_msg.lo -MD -MP -MF $(DEPDIR)/imc_msg.Tpo -c -o imc_msg.lo `test -f 'imc/imc_msg.c' || echo '$(srcdir)/'`imc/imc_msg.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/imc_msg.Tpo $(DEPDIR)/imc_msg.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='imc/imc_msg.c' object='imc_msg.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o imc_msg.lo `test -f 'imc/imc_msg.c' || echo '$(srcdir)/'`imc/imc_msg.c
+
 imv_agent.lo: imv/imv_agent.c
 @am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT imv_agent.lo -MD -MP -MF $(DEPDIR)/imv_agent.Tpo -c -o imv_agent.lo `test -f 'imv/imv_agent.c' || echo '$(srcdir)/'`imv/imv_agent.c
 @am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/imv_agent.Tpo $(DEPDIR)/imv_agent.Plo
@@ -474,6 +532,34 @@ imv_agent.lo: imv/imv_agent.c
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o imv_agent.lo `test -f 'imv/imv_agent.c' || echo '$(srcdir)/'`imv/imv_agent.c
 
+imv_msg.lo: imv/imv_msg.c
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT imv_msg.lo -MD -MP -MF $(DEPDIR)/imv_msg.Tpo -c -o imv_msg.lo `test -f 'imv/imv_msg.c' || echo '$(srcdir)/'`imv/imv_msg.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/imv_msg.Tpo $(DEPDIR)/imv_msg.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='imv/imv_msg.c' object='imv_msg.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o imv_msg.lo `test -f 'imv/imv_msg.c' || echo '$(srcdir)/'`imv/imv_msg.c
+
+imv_lang_string.lo: imv/imv_lang_string.c
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT imv_lang_string.lo -MD -MP -MF $(DEPDIR)/imv_lang_string.Tpo -c -o imv_lang_string.lo `test -f 'imv/imv_lang_string.c' || echo '$(srcdir)/'`imv/imv_lang_string.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/imv_lang_string.Tpo $(DEPDIR)/imv_lang_string.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='imv/imv_lang_string.c' object='imv_lang_string.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o imv_lang_string.lo `test -f 'imv/imv_lang_string.c' || echo '$(srcdir)/'`imv/imv_lang_string.c
+
+imv_reason_string.lo: imv/imv_reason_string.c
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT imv_reason_string.lo -MD -MP -MF $(DEPDIR)/imv_reason_string.Tpo -c -o imv_reason_string.lo `test -f 'imv/imv_reason_string.c' || echo '$(srcdir)/'`imv/imv_reason_string.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/imv_reason_string.Tpo $(DEPDIR)/imv_reason_string.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='imv/imv_reason_string.c' object='imv_reason_string.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o imv_reason_string.lo `test -f 'imv/imv_reason_string.c' || echo '$(srcdir)/'`imv/imv_reason_string.c
+
+imv_remediation_string.lo: imv/imv_remediation_string.c
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT imv_remediation_string.lo -MD -MP -MF $(DEPDIR)/imv_remediation_string.Tpo -c -o imv_remediation_string.lo `test -f 'imv/imv_remediation_string.c' || echo '$(srcdir)/'`imv/imv_remediation_string.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/imv_remediation_string.Tpo $(DEPDIR)/imv_remediation_string.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='imv/imv_remediation_string.c' object='imv_remediation_string.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o imv_remediation_string.lo `test -f 'imv/imv_remediation_string.c' || echo '$(srcdir)/'`imv/imv_remediation_string.c
+
 ietf_attr.lo: ietf/ietf_attr.c
 @am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ietf_attr.lo -MD -MP -MF $(DEPDIR)/ietf_attr.Tpo -c -o ietf_attr.lo `test -f 'ietf/ietf_attr.c' || echo '$(srcdir)/'`ietf/ietf_attr.c
 @am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/ietf_attr.Tpo $(DEPDIR)/ietf_attr.Plo
@@ -481,6 +567,55 @@ ietf_attr.lo: ietf/ietf_attr.c
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ietf_attr.lo `test -f 'ietf/ietf_attr.c' || echo '$(srcdir)/'`ietf/ietf_attr.c
 
+ietf_attr_assess_result.lo: ietf/ietf_attr_assess_result.c
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ietf_attr_assess_result.lo -MD -MP -MF $(DEPDIR)/ietf_attr_assess_result.Tpo -c -o ietf_attr_assess_result.lo `test -f 'ietf/ietf_attr_assess_result.c' || echo '$(srcdir)/'`ietf/ietf_attr_assess_result.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/ietf_attr_assess_result.Tpo $(DEPDIR)/ietf_attr_assess_result.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='ietf/ietf_attr_assess_result.c' object='ietf_attr_assess_result.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ietf_attr_assess_result.lo `test -f 'ietf/ietf_attr_assess_result.c' || echo '$(srcdir)/'`ietf/ietf_attr_assess_result.c
+
+ietf_attr_attr_request.lo: ietf/ietf_attr_attr_request.c
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ietf_attr_attr_request.lo -MD -MP -MF $(DEPDIR)/ietf_attr_attr_request.Tpo -c -o ietf_attr_attr_request.lo `test -f 'ietf/ietf_attr_attr_request.c' || echo '$(srcdir)/'`ietf/ietf_attr_attr_request.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/ietf_attr_attr_request.Tpo $(DEPDIR)/ietf_attr_attr_request.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='ietf/ietf_attr_attr_request.c' object='ietf_attr_attr_request.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ietf_attr_attr_request.lo `test -f 'ietf/ietf_attr_attr_request.c' || echo '$(srcdir)/'`ietf/ietf_attr_attr_request.c
+
+ietf_attr_fwd_enabled.lo: ietf/ietf_attr_fwd_enabled.c
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ietf_attr_fwd_enabled.lo -MD -MP -MF $(DEPDIR)/ietf_attr_fwd_enabled.Tpo -c -o ietf_attr_fwd_enabled.lo `test -f 'ietf/ietf_attr_fwd_enabled.c' || echo '$(srcdir)/'`ietf/ietf_attr_fwd_enabled.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/ietf_attr_fwd_enabled.Tpo $(DEPDIR)/ietf_attr_fwd_enabled.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='ietf/ietf_attr_fwd_enabled.c' object='ietf_attr_fwd_enabled.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ietf_attr_fwd_enabled.lo `test -f 'ietf/ietf_attr_fwd_enabled.c' || echo '$(srcdir)/'`ietf/ietf_attr_fwd_enabled.c
+
+ietf_attr_default_pwd_enabled.lo: ietf/ietf_attr_default_pwd_enabled.c
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ietf_attr_default_pwd_enabled.lo -MD -MP -MF $(DEPDIR)/ietf_attr_default_pwd_enabled.Tpo -c -o ietf_attr_default_pwd_enabled.lo `test -f 'ietf/ietf_attr_default_pwd_enabled.c' || echo '$(srcdir)/'`ietf/ietf_attr_default_pwd_enabled.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/ietf_attr_default_pwd_enabled.Tpo $(DEPDIR)/ietf_attr_default_pwd_enabled.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='ietf/ietf_attr_default_pwd_enabled.c' object='ietf_attr_default_pwd_enabled.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ietf_attr_default_pwd_enabled.lo `test -f 'ietf/ietf_attr_default_pwd_enabled.c' || echo '$(srcdir)/'`ietf/ietf_attr_default_pwd_enabled.c
+
+ietf_attr_installed_packages.lo: ietf/ietf_attr_installed_packages.c
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ietf_attr_installed_packages.lo -MD -MP -MF $(DEPDIR)/ietf_attr_installed_packages.Tpo -c -o ietf_attr_installed_packages.lo `test -f 'ietf/ietf_attr_installed_packages.c' || echo '$(srcdir)/'`ietf/ietf_attr_installed_packages.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/ietf_attr_installed_packages.Tpo $(DEPDIR)/ietf_attr_installed_packages.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='ietf/ietf_attr_installed_packages.c' object='ietf_attr_installed_packages.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ietf_attr_installed_packages.lo `test -f 'ietf/ietf_attr_installed_packages.c' || echo '$(srcdir)/'`ietf/ietf_attr_installed_packages.c
+
+ietf_attr_numeric_version.lo: ietf/ietf_attr_numeric_version.c
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ietf_attr_numeric_version.lo -MD -MP -MF $(DEPDIR)/ietf_attr_numeric_version.Tpo -c -o ietf_attr_numeric_version.lo `test -f 'ietf/ietf_attr_numeric_version.c' || echo '$(srcdir)/'`ietf/ietf_attr_numeric_version.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/ietf_attr_numeric_version.Tpo $(DEPDIR)/ietf_attr_numeric_version.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='ietf/ietf_attr_numeric_version.c' object='ietf_attr_numeric_version.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ietf_attr_numeric_version.lo `test -f 'ietf/ietf_attr_numeric_version.c' || echo '$(srcdir)/'`ietf/ietf_attr_numeric_version.c
+
+ietf_attr_op_status.lo: ietf/ietf_attr_op_status.c
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ietf_attr_op_status.lo -MD -MP -MF $(DEPDIR)/ietf_attr_op_status.Tpo -c -o ietf_attr_op_status.lo `test -f 'ietf/ietf_attr_op_status.c' || echo '$(srcdir)/'`ietf/ietf_attr_op_status.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/ietf_attr_op_status.Tpo $(DEPDIR)/ietf_attr_op_status.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='ietf/ietf_attr_op_status.c' object='ietf_attr_op_status.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ietf_attr_op_status.lo `test -f 'ietf/ietf_attr_op_status.c' || echo '$(srcdir)/'`ietf/ietf_attr_op_status.c
+
 ietf_attr_pa_tnc_error.lo: ietf/ietf_attr_pa_tnc_error.c
 @am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ietf_attr_pa_tnc_error.lo -MD -MP -MF $(DEPDIR)/ietf_attr_pa_tnc_error.Tpo -c -o ietf_attr_pa_tnc_error.lo `test -f 'ietf/ietf_attr_pa_tnc_error.c' || echo '$(srcdir)/'`ietf/ietf_attr_pa_tnc_error.c
 @am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/ietf_attr_pa_tnc_error.Tpo $(DEPDIR)/ietf_attr_pa_tnc_error.Plo
@@ -502,19 +637,19 @@ ietf_attr_product_info.lo: ietf/ietf_attr_product_info.c
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ietf_attr_product_info.lo `test -f 'ietf/ietf_attr_product_info.c' || echo '$(srcdir)/'`ietf/ietf_attr_product_info.c
 
-ietf_attr_attr_request.lo: ietf/ietf_attr_attr_request.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ietf_attr_attr_request.lo -MD -MP -MF $(DEPDIR)/ietf_attr_attr_request.Tpo -c -o ietf_attr_attr_request.lo `test -f 'ietf/ietf_attr_attr_request.c' || echo '$(srcdir)/'`ietf/ietf_attr_attr_request.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/ietf_attr_attr_request.Tpo $(DEPDIR)/ietf_attr_attr_request.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='ietf/ietf_attr_attr_request.c' object='ietf_attr_attr_request.lo' libtool=yes @AMDEPBACKSLASH@
+ietf_attr_remediation_instr.lo: ietf/ietf_attr_remediation_instr.c
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ietf_attr_remediation_instr.lo -MD -MP -MF $(DEPDIR)/ietf_attr_remediation_instr.Tpo -c -o ietf_attr_remediation_instr.lo `test -f 'ietf/ietf_attr_remediation_instr.c' || echo '$(srcdir)/'`ietf/ietf_attr_remediation_instr.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/ietf_attr_remediation_instr.Tpo $(DEPDIR)/ietf_attr_remediation_instr.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='ietf/ietf_attr_remediation_instr.c' object='ietf_attr_remediation_instr.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ietf_attr_attr_request.lo `test -f 'ietf/ietf_attr_attr_request.c' || echo '$(srcdir)/'`ietf/ietf_attr_attr_request.c
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ietf_attr_remediation_instr.lo `test -f 'ietf/ietf_attr_remediation_instr.c' || echo '$(srcdir)/'`ietf/ietf_attr_remediation_instr.c
 
-ietf_attr_assess_result.lo: ietf/ietf_attr_assess_result.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ietf_attr_assess_result.lo -MD -MP -MF $(DEPDIR)/ietf_attr_assess_result.Tpo -c -o ietf_attr_assess_result.lo `test -f 'ietf/ietf_attr_assess_result.c' || echo '$(srcdir)/'`ietf/ietf_attr_assess_result.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/ietf_attr_assess_result.Tpo $(DEPDIR)/ietf_attr_assess_result.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='ietf/ietf_attr_assess_result.c' object='ietf_attr_assess_result.lo' libtool=yes @AMDEPBACKSLASH@
+ietf_attr_string_version.lo: ietf/ietf_attr_string_version.c
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ietf_attr_string_version.lo -MD -MP -MF $(DEPDIR)/ietf_attr_string_version.Tpo -c -o ietf_attr_string_version.lo `test -f 'ietf/ietf_attr_string_version.c' || echo '$(srcdir)/'`ietf/ietf_attr_string_version.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/ietf_attr_string_version.Tpo $(DEPDIR)/ietf_attr_string_version.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='ietf/ietf_attr_string_version.c' object='ietf_attr_string_version.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ietf_attr_assess_result.lo `test -f 'ietf/ietf_attr_assess_result.c' || echo '$(srcdir)/'`ietf/ietf_attr_assess_result.c
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ietf_attr_string_version.lo `test -f 'ietf/ietf_attr_string_version.c' || echo '$(srcdir)/'`ietf/ietf_attr_string_version.c
 
 ita_attr.lo: ita/ita_attr.c
 @am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ita_attr.lo -MD -MP -MF $(DEPDIR)/ita_attr.Tpo -c -o ita_attr.lo `test -f 'ita/ita_attr.c' || echo '$(srcdir)/'`ita/ita_attr.c
@@ -537,6 +672,34 @@ ita_attr_dummy.lo: ita/ita_attr_dummy.c
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ita_attr_dummy.lo `test -f 'ita/ita_attr_dummy.c' || echo '$(srcdir)/'`ita/ita_attr_dummy.c
 
+ita_attr_get_settings.lo: ita/ita_attr_get_settings.c
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ita_attr_get_settings.lo -MD -MP -MF $(DEPDIR)/ita_attr_get_settings.Tpo -c -o ita_attr_get_settings.lo `test -f 'ita/ita_attr_get_settings.c' || echo '$(srcdir)/'`ita/ita_attr_get_settings.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/ita_attr_get_settings.Tpo $(DEPDIR)/ita_attr_get_settings.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='ita/ita_attr_get_settings.c' object='ita_attr_get_settings.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ita_attr_get_settings.lo `test -f 'ita/ita_attr_get_settings.c' || echo '$(srcdir)/'`ita/ita_attr_get_settings.c
+
+ita_attr_settings.lo: ita/ita_attr_settings.c
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ita_attr_settings.lo -MD -MP -MF $(DEPDIR)/ita_attr_settings.Tpo -c -o ita_attr_settings.lo `test -f 'ita/ita_attr_settings.c' || echo '$(srcdir)/'`ita/ita_attr_settings.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/ita_attr_settings.Tpo $(DEPDIR)/ita_attr_settings.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='ita/ita_attr_settings.c' object='ita_attr_settings.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ita_attr_settings.lo `test -f 'ita/ita_attr_settings.c' || echo '$(srcdir)/'`ita/ita_attr_settings.c
+
+ita_attr_angel.lo: ita/ita_attr_angel.c
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ita_attr_angel.lo -MD -MP -MF $(DEPDIR)/ita_attr_angel.Tpo -c -o ita_attr_angel.lo `test -f 'ita/ita_attr_angel.c' || echo '$(srcdir)/'`ita/ita_attr_angel.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/ita_attr_angel.Tpo $(DEPDIR)/ita_attr_angel.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='ita/ita_attr_angel.c' object='ita_attr_angel.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ita_attr_angel.lo `test -f 'ita/ita_attr_angel.c' || echo '$(srcdir)/'`ita/ita_attr_angel.c
+
+os_info.lo: os_info/os_info.c
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT os_info.lo -MD -MP -MF $(DEPDIR)/os_info.Tpo -c -o os_info.lo `test -f 'os_info/os_info.c' || echo '$(srcdir)/'`os_info/os_info.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/os_info.Tpo $(DEPDIR)/os_info.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='os_info/os_info.c' object='os_info.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o os_info.lo `test -f 'os_info/os_info.c' || echo '$(srcdir)/'`os_info/os_info.c
+
 pa_tnc_msg.lo: pa_tnc/pa_tnc_msg.c
 @am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT pa_tnc_msg.lo -MD -MP -MF $(DEPDIR)/pa_tnc_msg.Tpo -c -o pa_tnc_msg.lo `test -f 'pa_tnc/pa_tnc_msg.c' || echo '$(srcdir)/'`pa_tnc/pa_tnc_msg.c
 @am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/pa_tnc_msg.Tpo $(DEPDIR)/pa_tnc_msg.Plo
@@ -768,10 +931,15 @@ install-am: all-am
 
 installcheck: installcheck-recursive
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
diff --git a/src/libimcv/ietf/ietf_attr.c b/src/libimcv/ietf/ietf_attr.c
index fc89c5716..2f3819898 100644
--- a/src/libimcv/ietf/ietf_attr.c
+++ b/src/libimcv/ietf/ietf_attr.c
@@ -1,5 +1,6 @@
 /*
- * Copyright (C) 2011 Andreas Steffen, HSR Hochschule fuer Technik Rapperswil
+ * Copyright (C) 2011-2012 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the
@@ -13,11 +14,19 @@
  */
 
 #include "ietf_attr.h"
+#include "ietf/ietf_attr_assess_result.h"
+#include "ietf/ietf_attr_attr_request.h"
+#include "ietf/ietf_attr_fwd_enabled.h"
+#include "ietf/ietf_attr_default_pwd_enabled.h"
+#include "ietf/ietf_attr_installed_packages.h"
+#include "ietf/ietf_attr_numeric_version.h"
+#include "ietf/ietf_attr_op_status.h"
 #include "ietf/ietf_attr_pa_tnc_error.h"
 #include "ietf/ietf_attr_port_filter.h"
 #include "ietf/ietf_attr_product_info.h"
-#include "ietf/ietf_attr_attr_request.h"
-#include "ietf/ietf_attr_assess_result.h"
+#include "ietf/ietf_attr_remediation_instr.h"
+#include "ietf/ietf_attr_string_version.h"
+
 
 ENUM(ietf_attr_names, IETF_ATTR_TESTING, IETF_ATTR_FACTORY_DEFAULT_PWD_ENABLED,
 	"Testing",
@@ -46,20 +55,27 @@ pa_tnc_attr_t* ietf_attr_create_from_data(u_int32_t type, chunk_t value)
 			return ietf_attr_attr_request_create_from_data(value);
 		case IETF_ATTR_PRODUCT_INFORMATION:
 			return ietf_attr_product_info_create_from_data(value);
+		case IETF_ATTR_NUMERIC_VERSION:
+			return ietf_attr_numeric_version_create_from_data(value);
+		case IETF_ATTR_STRING_VERSION:
+			return ietf_attr_string_version_create_from_data(value);
+		case IETF_ATTR_OPERATIONAL_STATUS:
+			return ietf_attr_op_status_create_from_data(value);
 		case IETF_ATTR_PORT_FILTER:
 			return ietf_attr_port_filter_create_from_data(value);
+		case IETF_ATTR_INSTALLED_PACKAGES:
+			return ietf_attr_installed_packages_create_from_data(value);
 		case IETF_ATTR_PA_TNC_ERROR:
 			return ietf_attr_pa_tnc_error_create_from_data(value);
 		case IETF_ATTR_ASSESSMENT_RESULT:
 			return ietf_attr_assess_result_create_from_data(value);
-		case IETF_ATTR_TESTING:
-		case IETF_ATTR_NUMERIC_VERSION:
-		case IETF_ATTR_STRING_VERSION:
-		case IETF_ATTR_OPERATIONAL_STATUS:
-		case IETF_ATTR_INSTALLED_PACKAGES:
 		case IETF_ATTR_REMEDIATION_INSTRUCTIONS:
+			return ietf_attr_remediation_instr_create_from_data(value);
 		case IETF_ATTR_FORWARDING_ENABLED:
+			return ietf_attr_fwd_enabled_create_from_data(value);
 		case IETF_ATTR_FACTORY_DEFAULT_PWD_ENABLED:
+			return ietf_attr_default_pwd_enabled_create_from_data(value);
+		case IETF_ATTR_TESTING:
 		case IETF_ATTR_RESERVED:
 		default:
 			return NULL;
diff --git a/src/libimcv/ietf/ietf_attr_assess_result.c b/src/libimcv/ietf/ietf_attr_assess_result.c
index 6893730bf..1c0d6b0eb 100644
--- a/src/libimcv/ietf/ietf_attr_assess_result.c
+++ b/src/libimcv/ietf/ietf_attr_assess_result.c
@@ -18,7 +18,7 @@
 #include <pa_tnc/pa_tnc_msg.h>
 #include <bio/bio_writer.h>
 #include <bio/bio_reader.h>
-#include <debug.h>
+#include <utils/debug.h>
 
 typedef struct private_ietf_attr_assess_result_t private_ietf_attr_assess_result_t;
 
@@ -192,6 +192,8 @@ pa_tnc_attr_t *ietf_attr_assess_result_create_from_data(chunk_t data)
 			.pa_tnc_attribute = {
 				.get_type = _get_type,
 				.get_value = _get_value,
+				.get_noskip_flag = _get_noskip_flag,
+				.set_noskip_flag = _set_noskip_flag,
 				.build = _build,
 				.process = _process,
 				.get_ref = _get_ref,
diff --git a/src/libimcv/ietf/ietf_attr_attr_request.c b/src/libimcv/ietf/ietf_attr_attr_request.c
index c0dcd0983..c93c9276e 100644
--- a/src/libimcv/ietf/ietf_attr_attr_request.c
+++ b/src/libimcv/ietf/ietf_attr_attr_request.c
@@ -19,9 +19,9 @@
 #include <pa_tnc/pa_tnc_msg.h>
 #include <bio/bio_writer.h>
 #include <bio/bio_reader.h>
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
 
-#include <debug.h>
+#include <utils/debug.h>
 
 typedef struct private_ietf_attr_attr_request_t private_ietf_attr_attr_request_t;
 
@@ -114,12 +114,12 @@ METHOD(pa_tnc_attr_t, build, void,
 	{
 		return;
 	}
-	writer = bio_writer_create(ATTR_REQUEST_ENTRY_SIZE * 
+	writer = bio_writer_create(ATTR_REQUEST_ENTRY_SIZE *
 							   this->list->get_count(this->list));
 
 	enumerator = this->list->create_enumerator(this->list);
 	while (enumerator->enumerate(enumerator, &entry))
-	{	
+	{
 		writer->write_uint32(writer, entry->vendor_id);
 		writer->write_uint32(writer, entry->type);
 	}
@@ -161,7 +161,7 @@ METHOD(pa_tnc_attr_t, process, status_t,
 	reader = bio_reader_create(this->value);
 	while (count--)
 	{
-		reader->read_uint8 (reader, &reserved);	
+		reader->read_uint8 (reader, &reserved);
 		reader->read_uint24(reader, &vendor_id);
 		reader->read_uint32(reader, &type);
 
@@ -251,6 +251,8 @@ pa_tnc_attr_t *ietf_attr_attr_request_create_from_data(chunk_t data)
 			.pa_tnc_attribute = {
 				.get_type = _get_type,
 				.get_value = _get_value,
+				.get_noskip_flag = _get_noskip_flag,
+				.set_noskip_flag = _set_noskip_flag,
 				.build = _build,
 				.process = _process,
 				.get_ref = _get_ref,
@@ -259,7 +261,7 @@ pa_tnc_attr_t *ietf_attr_attr_request_create_from_data(chunk_t data)
 			.add = _add,
 			.create_enumerator = _create_enumerator,
 		},
-		.type = { PEN_IETF,IETF_ATTR_ATTRIBUTE_REQUEST },
+		.type = { PEN_IETF, IETF_ATTR_ATTRIBUTE_REQUEST },
 		.value = chunk_clone(data),
 		.list = linked_list_create(),
 		.ref = 1,
diff --git a/src/libimcv/ietf/ietf_attr_attr_request.h b/src/libimcv/ietf/ietf_attr_attr_request.h
index 22c5be0a0..387ba345d 100644
--- a/src/libimcv/ietf/ietf_attr_attr_request.h
+++ b/src/libimcv/ietf/ietf_attr_attr_request.h
@@ -50,7 +50,7 @@ struct ietf_attr_attr_request_t {
 	 * Creates an enumerator over all attribute types contained
 	 * in the attribute request
 	 *
-	 * @return				Attribute Type enumerator returns (vendor ID, type)
+	 * @return			Attribute Type enumerator returns { vendor ID, type }
 	 */
 	enumerator_t* (*create_enumerator)(ietf_attr_attr_request_t *this);
 };
diff --git a/src/libimcv/ietf/ietf_attr_default_pwd_enabled.c b/src/libimcv/ietf/ietf_attr_default_pwd_enabled.c
new file mode 100644
index 000000000..2022f45cf
--- /dev/null
+++ b/src/libimcv/ietf/ietf_attr_default_pwd_enabled.c
@@ -0,0 +1,222 @@
+/*
+ * Copyright (C) 2012 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "ietf_attr_default_pwd_enabled.h"
+
+#include <pa_tnc/pa_tnc_msg.h>
+#include <bio/bio_writer.h>
+#include <bio/bio_reader.h>
+#include <utils/debug.h>
+
+typedef struct private_ietf_attr_default_pwd_enabled_t private_ietf_attr_default_pwd_enabled_t;
+
+/**
+ * PA-TNC Factory Default Password Enabled type (see section 4.2.12 of RFC 5792)
+ *
+ *                       1                   2                   3
+ *   0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ *  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ *  |              Factory Default Password Enabled                 |
+ *  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ */
+
+#define DEFAULT_PWD_ENABLED_SIZE	4
+
+/**
+ * Private data of an ietf_attr_default_pwd_enabled_t object.
+ */
+struct private_ietf_attr_default_pwd_enabled_t {
+
+	/**
+	 * Public members of ietf_attr_default_pwd_enabled_t
+	 */
+	ietf_attr_default_pwd_enabled_t public;
+
+	/**
+	 * Vendor-specific attribute type
+	 */
+	pen_type_t type;
+
+	/**
+	 * Attribute value
+	 */
+	chunk_t value;
+
+	/**
+	 * Noskip flag
+	 */
+	bool noskip_flag;
+
+	/**
+	 * Factory Default Password Enabled status
+	 */
+	bool status;
+
+	/**
+	 * Reference count
+	 */
+	refcount_t ref;
+};
+
+METHOD(pa_tnc_attr_t, get_type, pen_type_t,
+	private_ietf_attr_default_pwd_enabled_t *this)
+{
+	return this->type;
+}
+
+METHOD(pa_tnc_attr_t, get_value, chunk_t,
+	private_ietf_attr_default_pwd_enabled_t *this)
+{
+	return this->value;
+}
+
+METHOD(pa_tnc_attr_t, get_noskip_flag, bool,
+	private_ietf_attr_default_pwd_enabled_t *this)
+{
+	return this->noskip_flag;
+}
+
+METHOD(pa_tnc_attr_t, set_noskip_flag,void,
+	private_ietf_attr_default_pwd_enabled_t *this, bool noskip)
+{
+	this->noskip_flag = noskip;
+}
+
+METHOD(pa_tnc_attr_t, build, void,
+	private_ietf_attr_default_pwd_enabled_t *this)
+{
+	bio_writer_t *writer;
+
+	if (this->value.ptr)
+	{
+		return;
+	}
+	writer = bio_writer_create(DEFAULT_PWD_ENABLED_SIZE);
+	writer->write_uint32(writer, this->status);
+
+	this->value = chunk_clone(writer->get_buf(writer));
+	writer->destroy(writer);
+}
+
+METHOD(pa_tnc_attr_t, process, status_t,
+	private_ietf_attr_default_pwd_enabled_t *this, u_int32_t *offset)
+{
+	bio_reader_t *reader;
+	u_int32_t status;
+
+	*offset = 0;
+
+	if (this->value.len != DEFAULT_PWD_ENABLED_SIZE)
+	{
+		DBG1(DBG_TNC, "incorrect size for IETF factory default password "
+					  "enabled attribute");
+		return FAILED;
+	}
+	reader = bio_reader_create(this->value);
+	reader->read_uint32(reader, &status);
+	reader->destroy(reader);
+
+	if (status > TRUE)
+	{
+		DBG1(DBG_TNC, "IETF factory default password enabled field "
+					  "has unknown value %u", status);
+		return FAILED;
+	}
+	this->status = status;
+
+	return SUCCESS;
+}
+
+METHOD(pa_tnc_attr_t, get_ref, pa_tnc_attr_t*,
+	private_ietf_attr_default_pwd_enabled_t *this)
+{
+	ref_get(&this->ref);
+	return &this->public.pa_tnc_attribute;
+}
+
+METHOD(pa_tnc_attr_t, destroy, void,
+	private_ietf_attr_default_pwd_enabled_t *this)
+{
+	if (ref_put(&this->ref))
+	{
+		free(this->value.ptr);
+		free(this);
+	}
+}
+
+METHOD(ietf_attr_default_pwd_enabled_t, get_status, bool,
+	private_ietf_attr_default_pwd_enabled_t *this)
+{
+	return this->status;
+}
+
+/**
+ * Described in header.
+ */
+pa_tnc_attr_t *ietf_attr_default_pwd_enabled_create(bool status)
+{
+	private_ietf_attr_default_pwd_enabled_t *this;
+
+	INIT(this,
+		.public = {
+			.pa_tnc_attribute = {
+				.get_type = _get_type,
+				.get_value = _get_value,
+				.get_noskip_flag = _get_noskip_flag,
+				.set_noskip_flag = _set_noskip_flag,
+				.build = _build,
+				.process = _process,
+				.get_ref = _get_ref,
+				.destroy = _destroy,
+			},
+			.get_status = _get_status,
+		},
+		.type = { PEN_IETF, IETF_ATTR_FACTORY_DEFAULT_PWD_ENABLED },
+		.status = status,
+		.ref = 1,
+	);
+
+	return &this->public.pa_tnc_attribute;
+}
+
+/**
+ * Described in header.
+ */
+pa_tnc_attr_t *ietf_attr_default_pwd_enabled_create_from_data(chunk_t data)
+{
+	private_ietf_attr_default_pwd_enabled_t *this;
+
+	INIT(this,
+		.public = {
+			.pa_tnc_attribute = {
+				.get_type = _get_type,
+				.get_value = _get_value,
+				.get_noskip_flag = _get_noskip_flag,
+				.set_noskip_flag = _set_noskip_flag,
+				.build = _build,
+				.process = _process,
+				.get_ref = _get_ref,
+				.destroy = _destroy,
+			},
+			.get_status = _get_status,
+		},
+		.type = { PEN_IETF, IETF_ATTR_FACTORY_DEFAULT_PWD_ENABLED },
+		.value = chunk_clone(data),
+		.ref = 1,
+	);
+
+	return &this->public.pa_tnc_attribute;
+}
+
diff --git a/src/libimcv/ietf/ietf_attr_default_pwd_enabled.h b/src/libimcv/ietf/ietf_attr_default_pwd_enabled.h
new file mode 100644
index 000000000..f6026b0e8
--- /dev/null
+++ b/src/libimcv/ietf/ietf_attr_default_pwd_enabled.h
@@ -0,0 +1,63 @@
+/*
+ * Copyright (C) 2012 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup ietf_attr_default_pwd_enabled ietf_attr_default_pwd_enabled
+ * @{ @ingroup ietf
+ */
+
+#ifndef IETF_ATTR_PWD_ENABLED_H_
+#define IETF_ATTR_PWD_ENABLED_H_
+
+typedef struct ietf_attr_default_pwd_enabled_t ietf_attr_default_pwd_enabled_t;
+
+#include "ietf_attr.h"
+#include "pa_tnc/pa_tnc_attr.h"
+
+/**
+ * Class implementing the IETF PA-TNC Factory Default Password Enabled attribute.
+ *
+ */
+struct ietf_attr_default_pwd_enabled_t {
+
+	/**
+	 * Public PA-TNC attribute interface
+	 */
+	pa_tnc_attr_t pa_tnc_attribute;
+
+	/**
+	 * Gets the Factory Default Password Enabled status
+	 *
+	 * @return				Factory Default Password Enabled status
+	 */
+	bool (*get_status)(ietf_attr_default_pwd_enabled_t *this);
+
+};
+
+/**
+ * Creates an ietf_attr_default_pwd_enabled_t object
+ *
+ * @param status			Factory Default Password Enabled status
+ */
+pa_tnc_attr_t* ietf_attr_default_pwd_enabled_create(bool status);
+
+/**
+ * Creates an ietf_attr_default_pwd_enabled_t object from received data
+ *
+ * @param value				unparsed attribute value
+ */
+pa_tnc_attr_t* ietf_attr_default_pwd_enabled_create_from_data(chunk_t value);
+
+#endif /** IETF_ATTR_PWD_ENABLED_H_ @}*/
diff --git a/src/libimcv/ietf/ietf_attr_fwd_enabled.c b/src/libimcv/ietf/ietf_attr_fwd_enabled.c
new file mode 100644
index 000000000..911ee5b89
--- /dev/null
+++ b/src/libimcv/ietf/ietf_attr_fwd_enabled.c
@@ -0,0 +1,221 @@
+/*
+ * Copyright (C) 2012 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "ietf_attr_fwd_enabled.h"
+
+#include <pa_tnc/pa_tnc_msg.h>
+#include <bio/bio_writer.h>
+#include <bio/bio_reader.h>
+#include <utils/debug.h>
+
+typedef struct private_ietf_attr_fwd_enabled_t private_ietf_attr_fwd_enabled_t;
+
+/**
+ * PA-TNC Forwarding Enabled type  (see section 4.2.11 of RFC 5792)
+ *
+ *                       1                   2                   3
+ *   0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ *  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ *  |                        Forwarding Enabled                     |
+ *  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ */
+
+#define FORWARDING_ENABLED_SIZE		4
+
+/**
+ * Private data of an ietf_attr_fwd_enabled_t object.
+ */
+struct private_ietf_attr_fwd_enabled_t {
+
+	/**
+	 * Public members of ietf_attr_fwd_enabled_t
+	 */
+	ietf_attr_fwd_enabled_t public;
+
+	/**
+	 * Vendor-specific attribute type
+	 */
+	pen_type_t type;
+
+	/**
+	 * Attribute value
+	 */
+	chunk_t value;
+
+	/**
+	 * Noskip flag
+	 */
+	bool noskip_flag;
+
+	/**
+	 * Forwarding Enabled status
+	 */
+	os_fwd_status_t fwd_status;
+
+	/**
+	 * Reference count
+	 */
+	refcount_t ref;
+};
+
+METHOD(pa_tnc_attr_t, get_type, pen_type_t,
+	private_ietf_attr_fwd_enabled_t *this)
+{
+	return this->type;
+}
+
+METHOD(pa_tnc_attr_t, get_value, chunk_t,
+	private_ietf_attr_fwd_enabled_t *this)
+{
+	return this->value;
+}
+
+METHOD(pa_tnc_attr_t, get_noskip_flag, bool,
+	private_ietf_attr_fwd_enabled_t *this)
+{
+	return this->noskip_flag;
+}
+
+METHOD(pa_tnc_attr_t, set_noskip_flag,void,
+	private_ietf_attr_fwd_enabled_t *this, bool noskip)
+{
+	this->noskip_flag = noskip;
+}
+
+METHOD(pa_tnc_attr_t, build, void,
+	private_ietf_attr_fwd_enabled_t *this)
+{
+	bio_writer_t *writer;
+
+	if (this->value.ptr)
+	{
+		return;
+	}
+	writer = bio_writer_create(FORWARDING_ENABLED_SIZE);
+	writer->write_uint32(writer, this->fwd_status);
+
+	this->value = chunk_clone(writer->get_buf(writer));
+	writer->destroy(writer);
+}
+
+METHOD(pa_tnc_attr_t, process, status_t,
+	private_ietf_attr_fwd_enabled_t *this, u_int32_t *offset)
+{
+	bio_reader_t *reader;
+	u_int32_t fwd_status;
+
+	*offset = 0;
+
+	if (this->value.len != FORWARDING_ENABLED_SIZE)
+	{
+		DBG1(DBG_TNC, "incorrect size for IETF forwarding enabled attribute");
+		return FAILED;
+	}
+	reader = bio_reader_create(this->value);
+	reader->read_uint32(reader, &fwd_status);
+	reader->destroy(reader);
+
+	if (fwd_status > OS_FWD_UNKNOWN)
+	{
+		DBG1(DBG_TNC, "IETF forwarding enabled field has unknown value %u",
+					   fwd_status);
+		return FAILED;
+	}
+	this->fwd_status = fwd_status;
+
+	return SUCCESS;
+}
+
+METHOD(pa_tnc_attr_t, get_ref, pa_tnc_attr_t*,
+	private_ietf_attr_fwd_enabled_t *this)
+{
+	ref_get(&this->ref);
+	return &this->public.pa_tnc_attribute;
+}
+
+METHOD(pa_tnc_attr_t, destroy, void,
+	private_ietf_attr_fwd_enabled_t *this)
+{
+	if (ref_put(&this->ref))
+	{
+		free(this->value.ptr);
+		free(this);
+	}
+}
+
+METHOD(ietf_attr_fwd_enabled_t, get_status, os_fwd_status_t,
+	private_ietf_attr_fwd_enabled_t *this)
+{
+	return this->fwd_status;
+}
+
+/**
+ * Described in header.
+ */
+pa_tnc_attr_t *ietf_attr_fwd_enabled_create(os_fwd_status_t fwd_status)
+{
+	private_ietf_attr_fwd_enabled_t *this;
+
+	INIT(this,
+		.public = {
+			.pa_tnc_attribute = {
+				.get_type = _get_type,
+				.get_value = _get_value,
+				.get_noskip_flag = _get_noskip_flag,
+				.set_noskip_flag = _set_noskip_flag,
+				.build = _build,
+				.process = _process,
+				.get_ref = _get_ref,
+				.destroy = _destroy,
+			},
+			.get_status = _get_status,
+		},
+		.type = { PEN_IETF, IETF_ATTR_FORWARDING_ENABLED },
+		.fwd_status = fwd_status,
+		.ref = 1,
+	);
+
+	return &this->public.pa_tnc_attribute;
+}
+
+/**
+ * Described in header.
+ */
+pa_tnc_attr_t *ietf_attr_fwd_enabled_create_from_data(chunk_t data)
+{
+	private_ietf_attr_fwd_enabled_t *this;
+
+	INIT(this,
+		.public = {
+			.pa_tnc_attribute = {
+				.get_type = _get_type,
+				.get_value = _get_value,
+				.get_noskip_flag = _get_noskip_flag,
+				.set_noskip_flag = _set_noskip_flag,
+				.build = _build,
+				.process = _process,
+				.get_ref = _get_ref,
+				.destroy = _destroy,
+			},
+			.get_status = _get_status,
+		},
+		.type = { PEN_IETF, IETF_ATTR_FORWARDING_ENABLED },
+		.value = chunk_clone(data),
+		.ref = 1,
+	);
+
+	return &this->public.pa_tnc_attribute;
+}
+
diff --git a/src/libimcv/ietf/ietf_attr_fwd_enabled.h b/src/libimcv/ietf/ietf_attr_fwd_enabled.h
new file mode 100644
index 000000000..bfde1a7b1
--- /dev/null
+++ b/src/libimcv/ietf/ietf_attr_fwd_enabled.h
@@ -0,0 +1,64 @@
+/*
+ * Copyright (C) 2012 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup ietf_attr_fwd_enabled ietf_attr_fwd_enabled
+ * @{ @ingroup ietf
+ */
+
+#ifndef IETF_ATTR_FWD_ENABLED_H_
+#define IETF_ATTR_FWD_ENABLED_H_
+
+typedef struct ietf_attr_fwd_enabled_t ietf_attr_fwd_enabled_t;
+
+#include "ietf_attr.h"
+#include "pa_tnc/pa_tnc_attr.h"
+#include "os_info/os_info.h"
+
+/**
+ * Class implementing the IETF PA-TNC Forwarding Enabled attribute.
+ *
+ */
+struct ietf_attr_fwd_enabled_t {
+
+	/**
+	 * Public PA-TNC attribute interface
+	 */
+	pa_tnc_attr_t pa_tnc_attribute;
+
+	/**
+	 * Gets the Forwarding Enabled status
+	 *
+	 * @return				Forwarding Enabled status
+	 */
+	os_fwd_status_t (*get_status)(ietf_attr_fwd_enabled_t *this);
+
+};
+
+/**
+ * Creates an ietf_attr_fwd_enabled_t object
+ *
+ * @param fwd_status		Forwarding Enabled status
+ */
+pa_tnc_attr_t* ietf_attr_fwd_enabled_create(os_fwd_status_t fwd_status);
+
+/**
+ * Creates an ietf_attr_fwd_enabled_t object from received data
+ *
+ * @param value				unparsed attribute value
+ */
+pa_tnc_attr_t* ietf_attr_fwd_enabled_create_from_data(chunk_t value);
+
+#endif /** IETF_ATTR_FWD_ENABLED_H_ @}*/
diff --git a/src/libimcv/ietf/ietf_attr_installed_packages.c b/src/libimcv/ietf/ietf_attr_installed_packages.c
new file mode 100644
index 000000000..72a3c1344
--- /dev/null
+++ b/src/libimcv/ietf/ietf_attr_installed_packages.c
@@ -0,0 +1,335 @@
+/*
+ * Copyright (C) 2012 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "ietf_attr_installed_packages.h"
+
+#include <string.h>
+
+#include <pa_tnc/pa_tnc_msg.h>
+#include <bio/bio_writer.h>
+#include <bio/bio_reader.h>
+#include <collections/linked_list.h>
+#include <utils/debug.h>
+
+
+typedef struct private_ietf_attr_installed_packages_t private_ietf_attr_installed_packages_t;
+typedef struct package_entry_t package_entry_t;
+
+/**
+ * PA-TNC Installed Packages Type  (see section 4.2.7 of RFC 5792)
+ *
+ *                       1                   2                   3
+ *   0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ *  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ *  |          Reserved             |         Package Count         |
+ *  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ *  | Pkg Name Len  |        Package Name (Variable Length)         |
+ *  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ *  |  Version Len  |    Package Version Number (Variable Length)   |
+ *  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ */
+
+#define INSTALLED_PACKAGES_MIN_SIZE		4
+
+/**
+ * Private data of an ietf_attr_installed_packages_t object.
+ */
+struct private_ietf_attr_installed_packages_t {
+
+	/**
+	 * Public members of ietf_attr_installed_packages_t
+	 */
+	ietf_attr_installed_packages_t public;
+
+	/**
+	 * Vendor-specific attribute type
+	 */
+	pen_type_t type;
+
+	/**
+	 * Attribute value
+	 */
+	chunk_t value;
+
+	/**
+	 * Noskip flag
+	 */
+	bool noskip_flag;
+
+	/**
+	 * List of Installed Package entries
+	 */
+	linked_list_t *packages;
+
+	/**
+	 * Reference count
+	 */
+	refcount_t ref;
+};
+
+/**
+ * Package entry
+ */
+struct package_entry_t {
+	chunk_t name;
+	chunk_t version;
+};
+
+/**
+ * Free a package entry
+ */
+static void free_package_entry(package_entry_t *entry)
+{
+	free(entry->name.ptr);
+	free(entry->version.ptr);
+	free(entry);
+}
+
+METHOD(pa_tnc_attr_t, get_type, pen_type_t,
+	private_ietf_attr_installed_packages_t *this)
+{
+	return this->type;
+}
+
+METHOD(pa_tnc_attr_t, get_value, chunk_t,
+	private_ietf_attr_installed_packages_t *this)
+{
+	return this->value;
+}
+
+METHOD(pa_tnc_attr_t, get_noskip_flag, bool,
+	private_ietf_attr_installed_packages_t *this)
+{
+	return this->noskip_flag;
+}
+
+METHOD(pa_tnc_attr_t, set_noskip_flag,void,
+	private_ietf_attr_installed_packages_t *this, bool noskip)
+{
+	this->noskip_flag = noskip;
+}
+
+METHOD(pa_tnc_attr_t, build, void,
+	private_ietf_attr_installed_packages_t *this)
+{
+	bio_writer_t *writer;
+	enumerator_t *enumerator;
+	package_entry_t *entry;
+
+	if (this->value.ptr)
+	{
+		return;
+	}
+	writer = bio_writer_create(INSTALLED_PACKAGES_MIN_SIZE);
+	writer->write_uint16(writer, 0x0000);
+	writer->write_uint16(writer, this->packages->get_count(this->packages));
+
+	enumerator = this->packages->create_enumerator(this->packages);
+	while (enumerator->enumerate(enumerator, &entry))
+	{
+		writer->write_data8(writer, entry->name);
+		writer->write_data8(writer, entry->version);
+	}
+	enumerator->destroy(enumerator);
+
+	this->value = chunk_clone(writer->get_buf(writer));
+	writer->destroy(writer);
+}
+
+METHOD(pa_tnc_attr_t, process, status_t,
+	private_ietf_attr_installed_packages_t *this, u_int32_t *offset)
+{
+	bio_reader_t *reader;
+	package_entry_t *entry;
+	status_t status = FAILED;
+	chunk_t name, version;
+	u_int16_t reserved, count;
+	u_char *pos;
+
+	*offset = 0;
+
+	if (this->value.len < INSTALLED_PACKAGES_MIN_SIZE)
+	{
+		DBG1(DBG_TNC, "insufficient data for IETF installed packages");
+		return FAILED;
+	}
+	reader = bio_reader_create(this->value);
+	reader->read_uint16(reader, &reserved);
+	reader->read_uint16(reader, &count);
+	*offset = INSTALLED_PACKAGES_MIN_SIZE;
+
+	while (reader->remaining(reader))
+	{
+		if (!reader->read_data8(reader, &name))
+		{
+			DBG1(DBG_TNC, "insufficient data for IETF installed package name");
+			goto end;
+		}
+		pos = memchr(name.ptr, '\0', name.len);
+		if (pos)
+		{
+			DBG1(DBG_TNC, "nul termination in IETF installed package name");
+			*offset += 1 + (pos - name.ptr);
+			goto end;
+		}
+		*offset += 1 + name.len;
+
+		if (!reader->read_data8(reader, &version))
+		{
+			DBG1(DBG_TNC, "insufficient data for IETF installed package version");
+			goto end;
+		}
+		pos = memchr(version.ptr, '\0', version.len);
+		if (pos)
+		{
+			DBG1(DBG_TNC, "nul termination in IETF installed package version");
+			*offset += 1 + (pos - version.ptr);
+			goto end;
+		}
+		*offset += 1 + version.len;
+
+		entry = malloc_thing(package_entry_t);
+		entry->name = chunk_clone(name);
+		entry->version = chunk_clone(version);
+		this->packages->insert_last(this->packages, entry);
+	}
+
+	if (count != this->packages->get_count(this->packages))
+	{
+		DBG1(DBG_TNC, "IETF installed package count unequal to "
+					  "number of included packages");
+		goto end;
+	}
+	status = SUCCESS;
+
+end:
+	reader->destroy(reader);
+	return status;
+}
+
+METHOD(pa_tnc_attr_t, get_ref, pa_tnc_attr_t*,
+	private_ietf_attr_installed_packages_t *this)
+{
+	ref_get(&this->ref);
+	return &this->public.pa_tnc_attribute;
+}
+
+METHOD(pa_tnc_attr_t, destroy, void,
+	private_ietf_attr_installed_packages_t *this)
+{
+	if (ref_put(&this->ref))
+	{
+		this->packages->destroy_function(this->packages, (void*)free_package_entry);
+		free(this->value.ptr);
+		free(this);
+	}
+}
+
+METHOD(ietf_attr_installed_packages_t, add, void,
+	private_ietf_attr_installed_packages_t *this, chunk_t name, chunk_t version)
+{
+	package_entry_t *entry;
+
+	/* restrict package name and package version number fields to 255 octets */
+	name.len = min(255, name.len);
+	version.len = min(255, version.len);
+
+	entry = malloc_thing(package_entry_t);
+	entry->name = chunk_clone(name);
+	entry->version = chunk_clone(version);
+	this->packages->insert_last(this->packages, entry);
+}
+
+/**
+ * Enumerate package filter entries
+ */
+static bool package_filter(void *null, package_entry_t **entry, chunk_t *name,
+						   void *i2, chunk_t *version)
+{
+	*name = (*entry)->name;
+	*version = (*entry)->version;
+	return TRUE;
+}
+
+METHOD(ietf_attr_installed_packages_t, create_enumerator, enumerator_t*,
+	private_ietf_attr_installed_packages_t *this)
+{
+	return enumerator_create_filter(
+						this->packages->create_enumerator(this->packages),
+						(void*)package_filter, NULL, NULL);
+}
+
+/**
+ * Described in header.
+ */
+pa_tnc_attr_t *ietf_attr_installed_packages_create(void)
+{
+	private_ietf_attr_installed_packages_t *this;
+
+	INIT(this,
+		.public = {
+			.pa_tnc_attribute = {
+				.get_type = _get_type,
+				.get_value = _get_value,
+				.get_noskip_flag = _get_noskip_flag,
+				.set_noskip_flag = _set_noskip_flag,
+				.build = _build,
+				.process = _process,
+				.get_ref = _get_ref,
+				.destroy = _destroy,
+			},
+			.add = _add,
+			.create_enumerator = _create_enumerator,
+		},
+		.type = { PEN_IETF, IETF_ATTR_INSTALLED_PACKAGES },
+		.packages = linked_list_create(),
+		.ref = 1,
+	);
+
+	return &this->public.pa_tnc_attribute;
+}
+
+/**
+ * Described in header.
+ */
+pa_tnc_attr_t *ietf_attr_installed_packages_create_from_data(chunk_t data)
+{
+	private_ietf_attr_installed_packages_t *this;
+
+	INIT(this,
+		.public = {
+			.pa_tnc_attribute = {
+				.get_type = _get_type,
+				.get_value = _get_value,
+				.get_noskip_flag = _get_noskip_flag,
+				.set_noskip_flag = _set_noskip_flag,
+				.build = _build,
+				.process = _process,
+				.get_ref = _get_ref,
+				.destroy = _destroy,
+			},
+			.add = _add,
+			.create_enumerator = _create_enumerator,
+		},
+		.type = {PEN_IETF, IETF_ATTR_INSTALLED_PACKAGES },
+		.value = chunk_clone(data),
+		.packages = linked_list_create(),
+		.ref = 1,
+	);
+
+	return &this->public.pa_tnc_attribute;
+}
+
+
diff --git a/src/libimcv/ietf/ietf_attr_installed_packages.h b/src/libimcv/ietf/ietf_attr_installed_packages.h
new file mode 100644
index 000000000..a9f6768e0
--- /dev/null
+++ b/src/libimcv/ietf/ietf_attr_installed_packages.h
@@ -0,0 +1,73 @@
+/*
+ * Copyright (C) 2012 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup ietf_attr_installed_packagest ietf_attr_installed_packages
+ * @{ @ingroup ietf_attr_installed_packages
+ */
+
+#ifndef IETF_ATTR_INSTALLED_PACKAGES_H_
+#define IETF_ATTR_INSTALLED_PACKAGES_H_
+
+typedef struct ietf_attr_installed_packages_t ietf_attr_installed_packages_t;
+
+#include "ietf_attr.h"
+#include "pa_tnc/pa_tnc_attr.h"
+
+
+/**
+ * Class implementing the IETF PA-TNC Installed Packages attribute.
+ *
+ */
+struct ietf_attr_installed_packages_t {
+
+	/**
+	 * Public PA-TNC attribute interface
+	 */
+	pa_tnc_attr_t pa_tnc_attribute;
+
+	/**
+	 * Add a package entry
+	 *
+	 * @param name			package name
+	 * @param version		package version number
+	 */
+	void (*add)(ietf_attr_installed_packages_t *this, chunk_t name,
+													  chunk_t version);
+
+	/**
+	 * Enumerates over all packages
+	 * Format:  chunk_t name, chunk_t version
+	 *
+	 * @return				enumerator
+	 */
+	enumerator_t* (*create_enumerator)(ietf_attr_installed_packages_t *this);
+
+};
+
+/**
+ * Creates an ietf_attr_installed_packages_t object
+ *
+ */
+pa_tnc_attr_t* ietf_attr_installed_packages_create(void);
+
+/**
+ * Creates an ietf_attr_installed_packages_t object from received data
+ *
+ * @param value				unparsed attribute value
+ */
+pa_tnc_attr_t* ietf_attr_installed_packages_create_from_data(chunk_t value);
+
+#endif /** IETF_ATTR_INSTALLED_PACKAGES_H_ @}*/
diff --git a/src/libimcv/ietf/ietf_attr_numeric_version.c b/src/libimcv/ietf/ietf_attr_numeric_version.c
new file mode 100644
index 000000000..797205473
--- /dev/null
+++ b/src/libimcv/ietf/ietf_attr_numeric_version.c
@@ -0,0 +1,282 @@
+/*
+ * Copyright (C) 2012 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "ietf_attr_numeric_version.h"
+
+#include <pa_tnc/pa_tnc_msg.h>
+#include <bio/bio_writer.h>
+#include <bio/bio_reader.h>
+#include <utils/debug.h>
+
+typedef struct private_ietf_attr_numeric_version_t private_ietf_attr_numeric_version_t;
+
+/**
+ * PA-TNC Numeric Version type  (see section 4.2.3 of RFC 5792)
+ *
+ *                       1                   2                   3
+ *   0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ *  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ *  |                        Major Version Number                   |
+ *  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ *  |                        Minor Version Number                   |
+ *  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ *  |                            Build Number                       |
+ *  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ *  |      Service Pack Major       |      Service Pack Minor       |
+ *  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ */
+
+#define NUMERIC_VERSION_SIZE		16
+
+/**
+ * Private data of an ietf_attr_numeric_version_t object.
+ */
+struct private_ietf_attr_numeric_version_t {
+
+	/**
+	 * Public members of ietf_attr_numeric_version_t
+	 */
+	ietf_attr_numeric_version_t public;
+
+	/**
+	 * Vendor-specific attribute type
+	 */
+	pen_type_t type;
+
+	/**
+	 * Attribute value
+	 */
+	chunk_t value;
+
+	/**
+	 * Noskip flag
+	 */
+	bool noskip_flag;
+
+	/**
+	 * Major Version Number
+	 */
+	u_int32_t major_version;
+
+	/**
+	 * Minor Version Number
+	 */
+	u_int32_t minor_version;
+
+	/**
+	 * IBuild Number
+	 */
+	u_int32_t build;
+
+	/**
+	 * Service Pack Major Number
+	 */
+	u_int16_t service_pack_major;
+
+	/**
+	 * Service Pack Minor Number
+	 */
+	u_int16_t service_pack_minor;
+
+	/**
+	 * Reference count
+	 */
+	refcount_t ref;
+};
+
+METHOD(pa_tnc_attr_t, get_type, pen_type_t,
+	private_ietf_attr_numeric_version_t *this)
+{
+	return this->type;
+}
+
+METHOD(pa_tnc_attr_t, get_value, chunk_t,
+	private_ietf_attr_numeric_version_t *this)
+{
+	return this->value;
+}
+
+METHOD(pa_tnc_attr_t, get_noskip_flag, bool,
+	private_ietf_attr_numeric_version_t *this)
+{
+	return this->noskip_flag;
+}
+
+METHOD(pa_tnc_attr_t, set_noskip_flag,void,
+	private_ietf_attr_numeric_version_t *this, bool noskip)
+{
+	this->noskip_flag = noskip;
+}
+
+METHOD(pa_tnc_attr_t, build, void,
+	private_ietf_attr_numeric_version_t *this)
+{
+	bio_writer_t *writer;
+
+	if (this->value.ptr)
+	{
+		return;
+	}
+
+	writer = bio_writer_create(NUMERIC_VERSION_SIZE);
+	writer->write_uint32(writer, this->major_version);
+	writer->write_uint32(writer, this->minor_version);
+	writer->write_uint32(writer, this->build);
+	writer->write_uint16(writer, this->service_pack_major);
+	writer->write_uint16(writer, this->service_pack_minor);
+
+	this->value = chunk_clone(writer->get_buf(writer));
+	writer->destroy(writer);
+}
+
+METHOD(pa_tnc_attr_t, process, status_t,
+	private_ietf_attr_numeric_version_t *this, u_int32_t *offset)
+{
+	bio_reader_t *reader;
+
+	if (this->value.len < NUMERIC_VERSION_SIZE)
+	{
+		DBG1(DBG_TNC, "insufficient data for IETF numeric version");
+		*offset = 0;
+		return FAILED;
+	}
+	reader = bio_reader_create(this->value);
+	reader->read_uint32(reader, &this->major_version);
+	reader->read_uint32(reader, &this->minor_version);
+	reader->read_uint32(reader, &this->build);
+	reader->read_uint16(reader, &this->service_pack_major);
+	reader->read_uint16(reader, &this->service_pack_minor);
+	reader->destroy(reader);
+
+	return SUCCESS;
+}
+
+METHOD(pa_tnc_attr_t, get_ref, pa_tnc_attr_t*,
+	private_ietf_attr_numeric_version_t *this)
+{
+	ref_get(&this->ref);
+	return &this->public.pa_tnc_attribute;
+}
+
+METHOD(pa_tnc_attr_t, destroy, void,
+	private_ietf_attr_numeric_version_t *this)
+{
+	if (ref_put(&this->ref))
+	{
+		free(this->value.ptr);
+		free(this);
+	}
+}
+
+METHOD(ietf_attr_numeric_version_t, get_version, void,
+	private_ietf_attr_numeric_version_t *this, u_int32_t *major, u_int32_t *minor)
+{
+	if (major)
+	{
+		*major = this->major_version;
+	}
+	if (minor)
+	{
+		*minor = this->minor_version;
+	}
+}
+
+METHOD(ietf_attr_numeric_version_t, get_build, u_int32_t,
+	private_ietf_attr_numeric_version_t *this)
+{
+	return this->build;
+}
+
+METHOD(ietf_attr_numeric_version_t, get_service_pack, void,
+	private_ietf_attr_numeric_version_t *this, u_int16_t *major, u_int16_t *minor)
+{
+	if (major)
+	{
+		*major = this->service_pack_major;
+	}
+	if (minor)
+	{
+		*minor = this->service_pack_minor;
+	}
+}
+
+/**
+ * Described in header.
+ */
+pa_tnc_attr_t *ietf_attr_numeric_version_create(u_int32_t major, u_int32_t minor,
+												u_int32_t build,
+												u_int16_t service_pack_major,
+												u_int16_t service_pack_minor)
+{
+	private_ietf_attr_numeric_version_t *this;
+
+	INIT(this,
+		.public = {
+			.pa_tnc_attribute = {
+				.get_type = _get_type,
+				.get_value = _get_value,
+				.get_noskip_flag = _get_noskip_flag,
+				.set_noskip_flag = _set_noskip_flag,
+				.build = _build,
+				.process = _process,
+				.get_ref = _get_ref,
+				.destroy = _destroy,
+			},
+			.get_version = _get_version,
+			.get_build = _get_build,
+			.get_service_pack = _get_service_pack,
+		},
+		.type = { PEN_IETF, IETF_ATTR_NUMERIC_VERSION },
+		.major_version = major,
+		.minor_version = minor,
+		.build = build,
+		.service_pack_major = service_pack_major,
+		.service_pack_minor = service_pack_minor,
+		.ref = 1,
+	);
+
+	return &this->public.pa_tnc_attribute;
+}
+
+/**
+ * Described in header.
+ */
+pa_tnc_attr_t *ietf_attr_numeric_version_create_from_data(chunk_t data)
+{
+	private_ietf_attr_numeric_version_t *this;
+
+	INIT(this,
+		.public = {
+			.pa_tnc_attribute = {
+				.get_type = _get_type,
+				.get_value = _get_value,
+				.get_noskip_flag = _get_noskip_flag,
+				.set_noskip_flag = _set_noskip_flag,
+				.build = _build,
+				.process = _process,
+				.get_ref = _get_ref,
+				.destroy = _destroy,
+			},
+			.get_version = _get_version,
+			.get_build = _get_build,
+			.get_service_pack = _get_service_pack,
+		},
+		.type = { PEN_IETF, IETF_ATTR_NUMERIC_VERSION },
+		.value = chunk_clone(data),
+		.ref = 1,
+	);
+
+	return &this->public.pa_tnc_attribute;
+}
diff --git a/src/libimcv/ietf/ietf_attr_numeric_version.h b/src/libimcv/ietf/ietf_attr_numeric_version.h
new file mode 100644
index 000000000..f7d6c909d
--- /dev/null
+++ b/src/libimcv/ietf/ietf_attr_numeric_version.h
@@ -0,0 +1,84 @@
+/*
+ * Copyright (C) 2012 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup ietf_attr_numeric_versiont ietf_attr_numeric_version
+ * @{ @ingroup ietf
+ */
+
+#ifndef IETF_ATTR_NUMERIC_VERSION_H_
+#define IETF_ATTR_NUMERIC_VERSION_H_
+
+typedef struct ietf_attr_numeric_version_t ietf_attr_numeric_version_t;
+
+#include "ietf_attr.h"
+#include "pa_tnc/pa_tnc_attr.h"
+
+
+/**
+ * Class implementing the IETF PA-TNC String Version attribute.
+ *
+ */
+struct ietf_attr_numeric_version_t {
+
+	/**
+	 * Public PA-TNC attribute interface
+	 */
+	pa_tnc_attr_t pa_tnc_attribute;
+
+	/**
+	 * Gets the Major and Minor Version Numbers
+	 *
+	 * @param major			Major Version Number
+	 * @param minor			Minor Version Number
+	 */
+	void (*get_version)(ietf_attr_numeric_version_t *this,
+						u_int32_t *major, u_int32_t *minor);
+
+	/**
+	 * Gets the Build Number
+	 *
+	 * @param major			Major Version Number
+	 * @param minor			Minor Version Number
+	 */
+	u_int32_t (*get_build)(ietf_attr_numeric_version_t *this);
+
+	/**
+	 * Gets the Major and Minor Numbers of the Service Pack
+	 *
+	 * @param major			Service Pack Major Number
+	 * @param minor			Servcie Pack Minor Number
+	 */
+	void (*get_service_pack)(ietf_attr_numeric_version_t *this,
+							 u_int16_t *major, u_int16_t *minor);
+};
+
+/**
+ * Creates an ietf_attr_numeric_version_t object
+ *
+ */
+pa_tnc_attr_t* ietf_attr_numeric_version_create(u_int32_t major, u_int32_t minor,
+												u_int32_t build,
+												u_int16_t service_pack_major,
+												u_int16_t service_pack_minor);
+
+/**
+ * Creates an ietf_attr_numeric_version_t object from received data
+ *
+ * @param value				unparsed attribute value
+ */
+pa_tnc_attr_t* ietf_attr_numeric_version_create_from_data(chunk_t value);
+
+#endif /** IETF_ATTR_NUMERIC_VERSION_H_ @}*/
diff --git a/src/libimcv/ietf/ietf_attr_op_status.c b/src/libimcv/ietf/ietf_attr_op_status.c
new file mode 100644
index 000000000..d9610b29d
--- /dev/null
+++ b/src/libimcv/ietf/ietf_attr_op_status.c
@@ -0,0 +1,314 @@
+/*
+ * Copyright (C) 2012 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "ietf_attr_op_status.h"
+
+#include <pa_tnc/pa_tnc_msg.h>
+#include <bio/bio_writer.h>
+#include <bio/bio_reader.h>
+#include <utils/debug.h>
+
+#include <time.h>
+
+typedef struct private_ietf_attr_op_status_t private_ietf_attr_op_status_t;
+
+ENUM(op_status_names, OP_STATUS_UNKNOWN, OP_STATUS_OPERATIONAL,
+	"unknown",
+	"not installed",
+	"installed",
+	"operational"
+);
+
+ENUM(op_result_names, OP_RESULT_UNKNOWN, OP_RESULT_UNSUCCESSFUL,
+	"unknown",
+	"successful",
+	"errored",
+	"unsuccessful"
+);
+
+/**
+ * PA-TNC Operational Status type  (see section 4.2.5 of RFC 5792)
+ *
+ *                       1                   2                   3
+ *   0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ *  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ *  |    Status     |     Result    |         Reserved              |
+ *  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ *  |                          Last Use                             |
+ *  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ *  |                     Last Use (continued)                      |
+ *  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ *  |                     Last Use (continued)                      |
+ *  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ *  |                     Last Use (continued)                      |
+ *  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ *  |                     Last Use (continued)                      |
+ *  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ */
+
+#define OP_STATUS_SIZE		24
+
+/**
+ * Private data of an ietf_attr_op_status_t object.
+ */
+struct private_ietf_attr_op_status_t {
+
+	/**
+	 * Public members of ietf_attr_op_status_t
+	 */
+	ietf_attr_op_status_t public;
+
+	/**
+	 * Vendor-specific attribute type
+	 */
+	pen_type_t type;
+
+	/**
+	 * Attribute value
+	 */
+	chunk_t value;
+
+	/**
+	 * Noskip flag
+	 */
+	bool noskip_flag;
+
+	/**
+	 * Status
+	 */
+	u_int8_t status;
+
+	/**
+	 * Result
+	 */
+	u_int8_t result;
+
+	/**
+	 * Last Use
+	 */
+	time_t last_use;
+
+	/**
+	 * Reference count
+	 */
+	refcount_t ref;
+};
+
+METHOD(pa_tnc_attr_t, get_type, pen_type_t,
+	private_ietf_attr_op_status_t *this)
+{
+	return this->type;
+}
+
+METHOD(pa_tnc_attr_t, get_value, chunk_t,
+	private_ietf_attr_op_status_t *this)
+{
+	return this->value;
+}
+
+METHOD(pa_tnc_attr_t, get_noskip_flag, bool,
+	private_ietf_attr_op_status_t *this)
+{
+	return this->noskip_flag;
+}
+
+METHOD(pa_tnc_attr_t, set_noskip_flag,void,
+	private_ietf_attr_op_status_t *this, bool noskip)
+{
+	this->noskip_flag = noskip;
+}
+
+METHOD(pa_tnc_attr_t, build, void,
+	private_ietf_attr_op_status_t *this)
+{
+	bio_writer_t *writer;
+	char last_use[24];
+	struct tm t;
+
+	if (this->value.ptr)
+	{
+		return;
+	}
+
+	/* Conversion from time_t to RFC 3339 ASCII string */
+	gmtime_r(&this->last_use, &t);
+	snprintf(last_use, 21, "%04d-%02d-%02dT%02d:%02d:%02dZ", 1900 + t.tm_year,
+			 t.tm_mon + 1, t.tm_mday, t.tm_hour, t.tm_min, t.tm_sec);
+
+	writer = bio_writer_create(OP_STATUS_SIZE);
+	writer->write_uint8 (writer, this->status);
+	writer->write_uint8 (writer, this->result);
+	writer->write_uint16(writer, 0x0000);
+	writer->write_data  (writer, chunk_create(last_use, 20));
+
+	this->value = chunk_clone(writer->get_buf(writer));
+	writer->destroy(writer);
+}
+
+METHOD(pa_tnc_attr_t, process, status_t,
+	private_ietf_attr_op_status_t *this, u_int32_t *offset)
+{
+	bio_reader_t *reader;
+	chunk_t last_use;
+	u_int16_t reserved;
+	struct tm t;
+
+	*offset = 0;
+
+	if (this->value.len != OP_STATUS_SIZE)
+	{
+		DBG1(DBG_TNC, "incorrect size for IETF operational status");
+		return FAILED;
+	}
+	reader = bio_reader_create(this->value);
+	reader->read_uint8 (reader, &this->status);
+	reader->read_uint8 (reader, &this->result);
+	reader->read_uint16(reader, &reserved);
+	reader->read_data  (reader, 20, &last_use);
+	reader->destroy(reader);
+
+	if (this->status > OP_STATUS_ROOF)
+	{
+		DBG1(DBG_TNC, "invalid status value %c for IETF operational status",
+					   this->status);
+		return FAILED;
+	}
+
+	*offset = 1;
+
+	if (this->result > OP_RESULT_ROOF)
+	{
+		DBG1(DBG_TNC, "invalid result value %c for IETF operational status",
+					   this->result);
+		return FAILED;
+	}
+
+	*offset = 4;
+
+	/* Conversion from RFC 3339 ASCII string to time_t */
+	if (sscanf(last_use.ptr, "%4d-%2d-%2dT%2d:%2d:%2dZ", &t.tm_year, &t.tm_mon,
+			   &t.tm_mday, &t.tm_hour, &t.tm_min, &t.tm_sec) != 6)
+	{
+		DBG1(DBG_TNC, "invalid last_use time format in IETF operational status");
+		return FAILED;
+	}
+	t.tm_year -= 1900;
+	t.tm_mon -= 1;
+	t.tm_isdst = 0;
+	this->last_use = mktime(&t) - timezone;
+
+	return SUCCESS;
+}
+
+METHOD(pa_tnc_attr_t, get_ref, pa_tnc_attr_t*,
+	private_ietf_attr_op_status_t *this)
+{
+	ref_get(&this->ref);
+	return &this->public.pa_tnc_attribute;
+}
+
+METHOD(pa_tnc_attr_t, destroy, void,
+	private_ietf_attr_op_status_t *this)
+{
+	if (ref_put(&this->ref))
+	{
+		free(this->value.ptr);
+		free(this);
+	}
+}
+
+METHOD(ietf_attr_op_status_t, get_status, u_int8_t,
+	private_ietf_attr_op_status_t *this)
+{
+	return this->status;
+}
+
+METHOD(ietf_attr_op_status_t, get_result, u_int8_t,
+	private_ietf_attr_op_status_t *this)
+{
+	return this->result;
+}
+
+METHOD(ietf_attr_op_status_t, get_last_use, time_t,
+	private_ietf_attr_op_status_t *this)
+{
+	return this->last_use;
+}
+
+/**
+ * Described in header.
+ */
+pa_tnc_attr_t *ietf_attr_op_status_create(u_int8_t status, u_int8_t result,
+										  time_t last_use)
+{
+	private_ietf_attr_op_status_t *this;
+
+	INIT(this,
+		.public = {
+			.pa_tnc_attribute = {
+				.get_type = _get_type,
+				.get_value = _get_value,
+				.get_noskip_flag = _get_noskip_flag,
+				.set_noskip_flag = _set_noskip_flag,
+				.build = _build,
+				.process = _process,
+				.get_ref = _get_ref,
+				.destroy = _destroy,
+			},
+			.get_status = _get_status,
+			.get_result = _get_result,
+			.get_last_use = _get_last_use,
+		},
+		.type = { PEN_IETF, IETF_ATTR_OPERATIONAL_STATUS },
+		.status = status,
+		.result = result,
+		.last_use = last_use,
+		.ref = 1,
+	);
+
+	return &this->public.pa_tnc_attribute;
+}
+
+/**
+ * Described in header.
+ */
+pa_tnc_attr_t *ietf_attr_op_status_create_from_data(chunk_t data)
+{
+	private_ietf_attr_op_status_t *this;
+
+	INIT(this,
+		.public = {
+			.pa_tnc_attribute = {
+				.get_type = _get_type,
+				.get_value = _get_value,
+				.get_noskip_flag = _get_noskip_flag,
+				.set_noskip_flag = _set_noskip_flag,
+				.build = _build,
+				.process = _process,
+				.get_ref = _get_ref,
+				.destroy = _destroy,
+			},
+			.get_status = _get_status,
+			.get_result = _get_result,
+			.get_last_use = _get_last_use,
+		},
+		.type = { PEN_IETF, IETF_ATTR_OPERATIONAL_STATUS },
+		.value = chunk_clone(data),
+		.ref = 1,
+	);
+
+	return &this->public.pa_tnc_attribute;
+}
+
diff --git a/src/libimcv/ietf/ietf_attr_op_status.h b/src/libimcv/ietf/ietf_attr_op_status.h
new file mode 100644
index 000000000..2e14148c4
--- /dev/null
+++ b/src/libimcv/ietf/ietf_attr_op_status.h
@@ -0,0 +1,107 @@
+/*
+ * Copyright (C) 2012 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup ietf_attr_op_statust ietf_attr_op_status
+ * @{ @ingroup ietf
+ */
+
+#ifndef IETF_ATTR_OP_STATUS_H_
+#define IETF_ATTR_OP_STATUS_H_
+
+typedef struct ietf_attr_op_status_t ietf_attr_op_status_t;
+typedef enum op_status_t op_status_t;
+typedef enum op_result_t op_result_t;
+
+#include "ietf_attr.h"
+#include "pa_tnc/pa_tnc_attr.h"
+
+/**
+ * Operational Status type
+ */
+enum op_status_t {
+	OP_STATUS_UNKNOWN =       0,
+	OP_STATUS_NOT_INSTALLED = 1,
+	OP_STATUS_INSTALLED =     2,
+	OP_STATUS_OPERATIONAL =   3,
+	OP_STATUS_ROOF =          3
+};
+
+extern enum_name_t *op_status_names;
+ 
+/**
+ * Operational Result type
+ */
+enum op_result_t {
+	OP_RESULT_UNKNOWN =      0,
+	OP_RESULT_SUCCESSFUL =   1,
+	OP_RESULT_ERRORED =      2,
+	OP_RESULT_UNSUCCESSFUL = 3,
+	OP_RESULT_ROOF         = 3
+};
+
+extern enum_name_t *op_result_names;
+
+/**
+ * Class implementing the IETF PA-TNC Operational Status attribute.
+ *
+ */
+struct ietf_attr_op_status_t {
+
+	/**
+	 * Public PA-TNC attribute interface
+	 */
+	pa_tnc_attr_t pa_tnc_attribute;
+
+	/**
+	 * Gets the Operational Status
+	 *
+	 * @return				Operational Status
+	 */
+	u_int8_t (*get_status)(ietf_attr_op_status_t *this);
+
+	/**
+	 * Gets the Operational Result
+	 *
+	 * @return				Operational Result
+	 */
+	u_int8_t (*get_result)(ietf_attr_op_status_t *this);
+
+	/**
+	 * Gets the time of last use
+	 *
+	 * @return				Time of last use
+	 */
+	time_t (*get_last_use)(ietf_attr_op_status_t *this);
+};
+
+/**
+ * Creates an ietf_attr_op_status_t object
+ *
+ * @param status			Operational Status
+ * @param result			Operational Result
+ * @param last_use			Time of last use 
+ */
+pa_tnc_attr_t* ietf_attr_op_status_create(u_int8_t status, u_int8_t result,
+										  time_t last_use);
+
+/**
+ * Creates an ietf_attr_op_status_t object from received data
+ *
+ * @param value				unparsed attribute value
+ */
+pa_tnc_attr_t* ietf_attr_op_status_create_from_data(chunk_t value);
+
+#endif /** IETF_ATTR_OP_STATUS_H_ @}*/
diff --git a/src/libimcv/ietf/ietf_attr_pa_tnc_error.c b/src/libimcv/ietf/ietf_attr_pa_tnc_error.c
index 46f5d6716..f92022fe0 100644
--- a/src/libimcv/ietf/ietf_attr_pa_tnc_error.c
+++ b/src/libimcv/ietf/ietf_attr_pa_tnc_error.c
@@ -18,7 +18,7 @@
 #include <pa_tnc/pa_tnc_msg.h>
 #include <bio/bio_writer.h>
 #include <bio/bio_reader.h>
-#include <debug.h>
+#include <utils/debug.h>
 
 ENUM(pa_tnc_error_code_names, PA_ERROR_RESERVED,
 							  PA_ERROR_ATTR_TYPE_NOT_SUPPORTED,
@@ -80,7 +80,7 @@ typedef struct private_ietf_attr_pa_tnc_error_t private_ietf_attr_pa_tnc_error_t
  *  |  Max Version  |  Min Version  |            Reserved           |
  *  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
  */
-	
+
 #define PA_ERROR_VERSION_RESERVED	0x0000
 
 /**
@@ -186,7 +186,7 @@ METHOD(pa_tnc_attr_t, build, void,
 	writer->write_uint24(writer, this->error_code.vendor_id);
 	writer->write_uint32(writer, this->error_code.type);
 	writer->write_data  (writer, this->msg_info);
-	
+
 	if (this->error_code.vendor_id == PEN_IETF)
 	{
 		switch (this->error_code.type)
@@ -272,7 +272,7 @@ METHOD(pa_tnc_attr_t, process, status_t,
 	}
 	reader->destroy(reader);
 
-	return SUCCESS;	
+	return SUCCESS;
 }
 
 METHOD(pa_tnc_attr_t, get_ref, pa_tnc_attr_t*,
@@ -420,6 +420,8 @@ pa_tnc_attr_t *ietf_attr_pa_tnc_error_create_from_data(chunk_t data)
 			.pa_tnc_attribute = {
 				.get_type = _get_type,
 				.get_value = _get_value,
+				.get_noskip_flag = _get_noskip_flag,
+				.set_noskip_flag = _set_noskip_flag,
 				.build = _build,
 				.process = _process,
 				.get_ref = _get_ref,
diff --git a/src/libimcv/ietf/ietf_attr_pa_tnc_error.h b/src/libimcv/ietf/ietf_attr_pa_tnc_error.h
index d28c524aa..a5a10d470 100644
--- a/src/libimcv/ietf/ietf_attr_pa_tnc_error.h
+++ b/src/libimcv/ietf/ietf_attr_pa_tnc_error.h
@@ -54,13 +54,6 @@ struct ietf_attr_pa_tnc_error_t {
 	 */
 	pa_tnc_attr_t pa_tnc_attribute;
 
-	/**
-	 * Get PA-TNC error code vendor ID
-	 *
-	 * @return				error code vendor ID
-	 */
-	pen_t (*get_vendor_id)(ietf_attr_pa_tnc_error_t *this);
-
 	/**
 	 * Get Vendor-specific PA-TNC error code
 	 *
diff --git a/src/libimcv/ietf/ietf_attr_port_filter.c b/src/libimcv/ietf/ietf_attr_port_filter.c
index 5ea52256b..8b8da3a41 100644
--- a/src/libimcv/ietf/ietf_attr_port_filter.c
+++ b/src/libimcv/ietf/ietf_attr_port_filter.c
@@ -17,8 +17,8 @@
 #include <pa_tnc/pa_tnc_msg.h>
 #include <bio/bio_writer.h>
 #include <bio/bio_reader.h>
-#include <utils/linked_list.h>
-#include <debug.h>
+#include <collections/linked_list.h>
+#include <utils/debug.h>
 
 
 typedef struct private_ietf_attr_port_filter_t private_ietf_attr_port_filter_t;
@@ -36,8 +36,8 @@ struct port_entry_t {
 /**
  * PA-TNC Port Filter Type  (see section 4.2.6 of RFC 5792)
  *
- *                        1                   2                   3
- *    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ *                       1                   2                   3
+ *   0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
  *  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
  *  |   Reserved  |B|    Protocol   |         Port Number           |
  *  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
@@ -152,7 +152,7 @@ METHOD(pa_tnc_attr_t, process, status_t,
 
 	while (reader->remaining(reader))
 	{
-		entry = malloc_thing(port_entry_t);	
+		entry = malloc_thing(port_entry_t);
 		reader->read_uint8 (reader, &blocked);
 		entry->blocked = blocked & 0x01;
 		reader->read_uint8 (reader, &entry->protocol);
@@ -161,7 +161,7 @@ METHOD(pa_tnc_attr_t, process, status_t,
 	}
 	reader->destroy(reader);
 
-	return SUCCESS;	
+	return SUCCESS;
 }
 
 METHOD(pa_tnc_attr_t, get_ref, pa_tnc_attr_t*,
@@ -192,7 +192,7 @@ METHOD(ietf_attr_port_filter_t, add_port, void,
 	entry->blocked = blocked;
 	entry->protocol = protocol;
 	entry->port = port;
-	this->ports->insert_last(this->ports, entry);	
+	this->ports->insert_last(this->ports, entry);
 }
 
 /**
@@ -257,6 +257,8 @@ pa_tnc_attr_t *ietf_attr_port_filter_create_from_data(chunk_t data)
 			.pa_tnc_attribute = {
 				.get_type = _get_type,
 				.get_value = _get_value,
+				.get_noskip_flag = _get_noskip_flag,
+				.set_noskip_flag = _set_noskip_flag,
 				.build = _build,
 				.process = _process,
 				.get_ref = _get_ref,
diff --git a/src/libimcv/ietf/ietf_attr_product_info.c b/src/libimcv/ietf/ietf_attr_product_info.c
index dcc0e0294..115f00130 100644
--- a/src/libimcv/ietf/ietf_attr_product_info.c
+++ b/src/libimcv/ietf/ietf_attr_product_info.c
@@ -17,7 +17,7 @@
 #include <pa_tnc/pa_tnc_msg.h>
 #include <bio/bio_writer.h>
 #include <bio/bio_reader.h>
-#include <debug.h>
+#include <utils/debug.h>
 
 typedef struct private_ietf_attr_product_info_t private_ietf_attr_product_info_t;
 
@@ -73,7 +73,7 @@ struct private_ietf_attr_product_info_t {
 	/**
 	 * Product Name
 	 */
-	char *product_name;
+	chunk_t product_name;
 
 	/**
 	 * Reference count
@@ -109,18 +109,15 @@ METHOD(pa_tnc_attr_t, build, void,
 	private_ietf_attr_product_info_t *this)
 {
 	bio_writer_t *writer;
-	chunk_t product_name;
 
 	if (this->value.ptr)
 	{
 		return;
 	}
-	product_name = chunk_create(this->product_name, strlen(this->product_name));
-
 	writer = bio_writer_create(PRODUCT_INFO_MIN_SIZE);
 	writer->write_uint24(writer, this->product_vendor_id);
 	writer->write_uint16(writer, this->product_id);
-	writer->write_data  (writer, product_name);
+	writer->write_data  (writer, this->product_name);
 
 	this->value = chunk_clone(writer->get_buf(writer));
 	writer->destroy(writer);
@@ -144,9 +141,14 @@ METHOD(pa_tnc_attr_t, process, status_t,
 	reader->read_data  (reader, reader->remaining(reader), &product_name);
 	reader->destroy(reader);
 
-	this->product_name = malloc(product_name.len + 1);
-	memcpy(this->product_name, product_name.ptr, product_name.len);
-	this->product_name[product_name.len] = '\0';
+	if (!this->product_vendor_id && this->product_id)
+	{
+		DBG1(DBG_TNC, "IETF product information vendor ID is 0 "
+					  "but product ID is not 0");
+		*offset = 3;
+		return FAILED;
+	}
+	this->product_name = chunk_clone(product_name);
 
 	return SUCCESS;
 }
@@ -163,13 +165,13 @@ METHOD(pa_tnc_attr_t, destroy, void,
 {
 	if (ref_put(&this->ref))
 	{
-		free(this->product_name);
+		free(this->product_name.ptr);
 		free(this->value.ptr);
 		free(this);
 	}
 }
 
-METHOD(ietf_attr_product_info_t, get_info, char*,
+METHOD(ietf_attr_product_info_t, get_info, chunk_t,
 	private_ietf_attr_product_info_t *this, pen_t *vendor_id, u_int16_t *id)
 {
 	if (vendor_id)
@@ -187,7 +189,7 @@ METHOD(ietf_attr_product_info_t, get_info, char*,
  * Described in header.
  */
 pa_tnc_attr_t *ietf_attr_product_info_create(pen_t vendor_id, u_int16_t id,
-											 char *name)
+											 chunk_t name)
 {
 	private_ietf_attr_product_info_t *this;
 
@@ -208,7 +210,7 @@ pa_tnc_attr_t *ietf_attr_product_info_create(pen_t vendor_id, u_int16_t id,
 		.type = { PEN_IETF, IETF_ATTR_PRODUCT_INFORMATION },
 		.product_vendor_id = vendor_id,
 		.product_id = id,
-		.product_name = strdup(name),
+		.product_name = chunk_clone(name),
 		.ref = 1,
 	);
 
@@ -227,6 +229,8 @@ pa_tnc_attr_t *ietf_attr_product_info_create_from_data(chunk_t data)
 			.pa_tnc_attribute = {
 				.get_type = _get_type,
 				.get_value = _get_value,
+				.get_noskip_flag = _get_noskip_flag,
+				.set_noskip_flag = _set_noskip_flag,
 				.build = _build,
 				.process = _process,
 				.get_ref = _get_ref,
diff --git a/src/libimcv/ietf/ietf_attr_product_info.h b/src/libimcv/ietf/ietf_attr_product_info.h
index f1dfc3e83..dfaa67d6c 100644
--- a/src/libimcv/ietf/ietf_attr_product_info.h
+++ b/src/libimcv/ietf/ietf_attr_product_info.h
@@ -45,8 +45,8 @@ struct ietf_attr_product_info_t {
 	 * @param id			Product ID
 	 * @return				Product Name
 	 */
-	char* (*get_info)(ietf_attr_product_info_t *this,
-					  pen_t *vendor_id, u_int16_t *id);
+	chunk_t (*get_info)(ietf_attr_product_info_t *this,
+						pen_t *vendor_id, u_int16_t *id);
 
 };
 
@@ -55,7 +55,7 @@ struct ietf_attr_product_info_t {
  *
  */
 pa_tnc_attr_t* ietf_attr_product_info_create(pen_t vendor_id, u_int16_t id,
-											 char *name);
+											 chunk_t name);
 
 /**
  * Creates an ietf_attr_product_info_t object from received data
diff --git a/src/libimcv/ietf/ietf_attr_remediation_instr.c b/src/libimcv/ietf/ietf_attr_remediation_instr.c
new file mode 100644
index 000000000..f3b4e83dd
--- /dev/null
+++ b/src/libimcv/ietf/ietf_attr_remediation_instr.c
@@ -0,0 +1,363 @@
+/*
+ * Copyright (C) 2012 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "ietf_attr_remediation_instr.h"
+
+#include <pa_tnc/pa_tnc_msg.h>
+#include <bio/bio_writer.h>
+#include <bio/bio_reader.h>
+#include <utils/debug.h>
+
+typedef struct private_ietf_attr_remediation_instr_t private_ietf_attr_remediation_instr_t;
+
+/**
+ * PA-TNC Remediation Instructions type  (see section 4.2.10 of RFC 5792)
+ *
+ *                       1                   2                   3
+ *   0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ *  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ *  |    Reserved   |       Remediation Parameters Vendor ID        |
+ *  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ *  |                  Remediation Parameters Type                  |
+ *  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ *  |            Remediation Parameters (Variable Length)           |
+ *  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ */
+
+#define REMEDIATION_INSTR_MIN_SIZE		8
+#define REMEDIATION_INSTR_RESERVED		0x00
+
+/**
+ * IETF Remediation Parameters URI type  (see section 4.2.10.1 of RFC 5792)
+ *
+ *                     1                   2                   3
+ *   0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ *  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ *  |                 Remediation URI (Variable Length)             |
+ *  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+*/
+
+/**
+ * IETF Remediation Parameters String type  (see section 4.2.10.2 of RFC 5792)
+ *
+ *                     1                   2                   3
+ *   0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ *  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ *  |                   Remediation String Length                   |
+ *  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ *  |                Remediation String (Variable Length)           |
+ *  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ *  | Lang Code Len |  Remediation String Lang Code (Variable Len)  |
+ *  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ */
+
+/**
+ * Private data of an ietf_attr_remediation_instr_t object.
+ */
+struct private_ietf_attr_remediation_instr_t {
+
+	/**
+	 * Public members of ietf_attr_remediation_instr_t
+	 */
+	ietf_attr_remediation_instr_t public;
+
+	/**
+	 * Vendor-specific attribute type
+	 */
+	pen_type_t type;
+
+	/**
+	 * Attribute value
+	 */
+	chunk_t value;
+
+	/**
+	 * Noskip flag
+	 */
+	bool noskip_flag;
+
+	/**
+	 * Remediation Parameters Type
+	 */
+	pen_type_t parameters_type;
+
+	/**
+	 * Remediation Parameters
+	 */
+	chunk_t parameters;
+
+	/**
+	 * Remediation String
+	 */
+	chunk_t string;
+
+	/**
+	 * Remediation Language Code
+	 */
+	chunk_t lang_code;
+
+	/**
+	 * Reference count
+	 */
+	refcount_t ref;
+};
+
+METHOD(pa_tnc_attr_t, get_type, pen_type_t,
+	private_ietf_attr_remediation_instr_t *this)
+{
+	return this->type;
+}
+
+METHOD(pa_tnc_attr_t, get_value, chunk_t,
+	private_ietf_attr_remediation_instr_t *this)
+{
+	return this->value;
+}
+
+METHOD(pa_tnc_attr_t, get_noskip_flag, bool,
+	private_ietf_attr_remediation_instr_t *this)
+{
+	return this->noskip_flag;
+}
+
+METHOD(pa_tnc_attr_t, set_noskip_flag,void,
+	private_ietf_attr_remediation_instr_t *this, bool noskip)
+{
+	this->noskip_flag = noskip;
+}
+
+METHOD(pa_tnc_attr_t, build, void,
+	private_ietf_attr_remediation_instr_t *this)
+{
+	bio_writer_t *writer;
+
+	if (this->value.ptr)
+	{
+		return;
+	}
+
+	writer = bio_writer_create(REMEDIATION_INSTR_MIN_SIZE);
+	writer->write_uint8 (writer, REMEDIATION_INSTR_RESERVED);
+	writer->write_uint24(writer, this->parameters_type.vendor_id);
+	writer->write_uint32(writer, this->parameters_type.type);
+	writer->write_data  (writer, this->parameters);
+
+	this->value = chunk_clone(writer->get_buf(writer));
+	writer->destroy(writer);
+}
+
+METHOD(pa_tnc_attr_t, process, status_t,
+	private_ietf_attr_remediation_instr_t *this, u_int32_t *offset)
+{
+	bio_reader_t *reader;
+	u_int8_t reserved;
+	status_t status = SUCCESS;
+	u_char *pos;
+
+	*offset = 0;
+
+	if (this->value.len < REMEDIATION_INSTR_MIN_SIZE)
+	{
+		DBG1(DBG_TNC, "insufficient data for IETF remediation instructions");
+		return FAILED;
+	}
+	reader = bio_reader_create(this->value);
+	reader->read_uint8 (reader, &reserved);
+	reader->read_uint24(reader, &this->parameters_type.vendor_id);
+	reader->read_uint32(reader, &this->parameters_type.type);
+	reader->read_data  (reader, reader->remaining(reader), &this->parameters);
+
+	this->parameters = chunk_clone(this->parameters);
+	reader->destroy(reader);
+
+	if (this->parameters_type.vendor_id == PEN_IETF &&
+		this->parameters_type.type == IETF_REMEDIATION_PARAMETERS_STRING)
+	{
+		reader = bio_reader_create(this->parameters);
+		status = FAILED;
+		*offset = 8;
+
+		if (!reader->read_data32(reader, &this->string))
+		{
+			DBG1(DBG_TNC, "insufficient data for IETF remediation string");
+			goto end;
+		}
+		pos = memchr(this->string.ptr, '\0', this->string.len);
+		if (pos)
+		{
+			DBG1(DBG_TNC, "nul termination in IETF remediation string");
+			*offset += 1 + (pos - this->string.ptr);
+			goto end;
+		}
+		*offset += 4 + this->string.len;
+
+		if (!reader->read_data8(reader, &this->lang_code))
+		{
+			DBG1(DBG_TNC, "insufficient data for IETF remediation lang code");
+			goto end;
+		}
+		status = SUCCESS;
+
+end:
+		reader->destroy(reader);
+	}
+	return status;
+}
+
+METHOD(pa_tnc_attr_t, get_ref, pa_tnc_attr_t*,
+	private_ietf_attr_remediation_instr_t *this)
+{
+	ref_get(&this->ref);
+	return &this->public.pa_tnc_attribute;
+}
+
+METHOD(pa_tnc_attr_t, destroy, void,
+	private_ietf_attr_remediation_instr_t *this)
+{
+	if (ref_put(&this->ref))
+	{
+		free(this->parameters.ptr);
+		free(this->value.ptr);
+		free(this);
+	}
+}
+
+METHOD(ietf_attr_remediation_instr_t, get_parameters_type, pen_type_t,
+	private_ietf_attr_remediation_instr_t *this)
+{
+	return this->parameters_type;
+}
+
+METHOD(ietf_attr_remediation_instr_t, get_parameters, chunk_t,
+	private_ietf_attr_remediation_instr_t *this)
+{
+	return this->parameters;
+}
+
+METHOD(ietf_attr_remediation_instr_t, get_uri, chunk_t,
+	private_ietf_attr_remediation_instr_t *this)
+{
+	return this->parameters;
+}
+
+METHOD(ietf_attr_remediation_instr_t, get_string, chunk_t,
+	private_ietf_attr_remediation_instr_t *this, chunk_t *lang_code)
+{
+	if (lang_code)
+	{
+		*lang_code = this->lang_code;
+	}
+	return this->string;
+}
+
+/**
+ * Described in header.
+ */
+pa_tnc_attr_t *ietf_attr_remediation_instr_create(pen_type_t parameters_type,
+												  chunk_t parameters)
+{
+	private_ietf_attr_remediation_instr_t *this;
+
+	INIT(this,
+		.public = {
+			.pa_tnc_attribute = {
+				.get_type = _get_type,
+				.get_value = _get_value,
+				.get_noskip_flag = _get_noskip_flag,
+				.set_noskip_flag = _set_noskip_flag,
+				.build = _build,
+				.process = _process,
+				.get_ref = _get_ref,
+				.destroy = _destroy,
+			},
+			.get_parameters_type = _get_parameters_type,
+			.get_parameters = _get_parameters,
+			.get_uri = _get_uri,
+			.get_string = _get_string,
+		},
+		.type = { PEN_IETF, IETF_ATTR_REMEDIATION_INSTRUCTIONS },
+		.parameters_type = parameters_type,
+		.parameters = chunk_clone(parameters),
+		.ref = 1,
+	);
+
+	return &this->public.pa_tnc_attribute;
+}
+
+/**
+ * Described in header.
+ */
+pa_tnc_attr_t *ietf_attr_remediation_instr_create_from_uri(chunk_t uri)
+{
+	pen_type_t type = { PEN_IETF, IETF_REMEDIATION_PARAMETERS_URI };
+
+	return ietf_attr_remediation_instr_create(type, uri);
+}
+
+/**
+ * Described in header.
+ */
+pa_tnc_attr_t *ietf_attr_remediation_instr_create_from_string(chunk_t string,
+															  chunk_t lang_code)
+{
+	pa_tnc_attr_t *attr;
+	bio_writer_t *writer;
+	pen_type_t type = { PEN_IETF, IETF_REMEDIATION_PARAMETERS_STRING };
+
+	/* limit language code to 255 octets */
+	lang_code.len = min(255, lang_code.len);
+
+	writer = bio_writer_create(4 + string.len + 1 + lang_code.len);
+	writer->write_data32(writer, string);
+	writer->write_data8 (writer, lang_code);
+
+	attr = ietf_attr_remediation_instr_create(type, writer->get_buf(writer));
+	writer->destroy(writer);
+
+	return attr;
+}
+
+/**
+ * Described in header.
+ */
+pa_tnc_attr_t *ietf_attr_remediation_instr_create_from_data(chunk_t data)
+{
+	private_ietf_attr_remediation_instr_t *this;
+
+	INIT(this,
+		.public = {
+			.pa_tnc_attribute = {
+				.get_type = _get_type,
+				.get_value = _get_value,
+				.get_noskip_flag = _get_noskip_flag,
+				.set_noskip_flag = _set_noskip_flag,
+				.build = _build,
+				.process = _process,
+				.get_ref = _get_ref,
+				.destroy = _destroy,
+			},
+			.get_parameters_type = _get_parameters_type,
+			.get_parameters = _get_parameters,
+			.get_uri = _get_uri,
+			.get_string = _get_string,
+		},
+		.type = { PEN_IETF, IETF_ATTR_REMEDIATION_INSTRUCTIONS },
+		.value = chunk_clone(data),
+		.ref = 1,
+	);
+
+	return &this->public.pa_tnc_attribute;
+}
+
diff --git a/src/libimcv/ietf/ietf_attr_remediation_instr.h b/src/libimcv/ietf/ietf_attr_remediation_instr.h
new file mode 100644
index 000000000..473280c33
--- /dev/null
+++ b/src/libimcv/ietf/ietf_attr_remediation_instr.h
@@ -0,0 +1,109 @@
+/*
+ * Copyright (C) 2012 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup ietf_attr_remediation_instrt ietf_attr_remediation_instr
+ * @{ @ingroup ietf
+ */
+
+#ifndef IETF_ATTR_REMEDIATION_INSTR_H_
+#define IETF_ATTR_REMEDIATION_INSTR_H_
+
+typedef struct ietf_attr_remediation_instr_t ietf_attr_remediation_instr_t;
+typedef enum ietf_remediation_parameters_t ietf_remediation_parameters_t;
+
+#include "ietf_attr.h"
+#include "pa_tnc/pa_tnc_attr.h"
+
+enum ietf_remediation_parameters_t {
+	IETF_REMEDIATION_PARAMETERS_URI =    1,
+	IETF_REMEDIATION_PARAMETERS_STRING = 2
+};
+
+/**
+ * Class implementing the IETF PA-TNC Remediation Instructions attribute.
+ *
+ */
+struct ietf_attr_remediation_instr_t {
+
+	/**
+	 * Public PA-TNC attribute interface
+	 */
+	pa_tnc_attr_t pa_tnc_attribute;
+
+	/**
+	 * Get the Remediation Parameters Type (Vendor ID and Type)
+	 *
+	 * @return				Remediation Parameters Type
+	 */
+	pen_type_t (*get_parameters_type)(ietf_attr_remediation_instr_t *this);
+
+	/**
+	 * Get the Remediation Parameters
+	 *
+	 * @return				Remediation Parameters
+	 */
+	chunk_t (*get_parameters)(ietf_attr_remediation_instr_t *this);
+
+	/**
+	 * Get the Remediation URI
+	 *
+	 * @return				Remediation URI
+	 */
+	chunk_t (*get_uri)(ietf_attr_remediation_instr_t *this);
+
+	/**
+	 * Get the Remediation String
+	 *
+	 * @param lang_code		Optional Language Code
+	 * @return				Remediation String
+	 */
+	chunk_t (*get_string)(ietf_attr_remediation_instr_t *this,
+						  chunk_t *lang_code);
+};
+
+/**
+ * Creates a general ietf_attr_remediation_instr_t object
+ *
+ * @param parameters_type	Remediation Parameters Type
+ * @param parameters		Remediation Parameters
+ */
+pa_tnc_attr_t* ietf_attr_remediation_instr_create(pen_type_t parameters_type,
+												  chunk_t parameters);
+
+/**
+ * Creates an ietf_attr_remediation_instr_t object of Remediation URI Type
+ *
+ * @param uri				Remediation URI
+ */
+pa_tnc_attr_t* ietf_attr_remediation_instr_create_from_uri(chunk_t uri);
+
+/**
+ * Creates an ietf_attr_remediation_instr_t object of Remediation String Type
+ *
+ * @param string			Remediation String
+ * @param lang_code			Remediation String Language Code
+ */
+pa_tnc_attr_t* ietf_attr_remediation_instr_create_from_string(chunk_t string,
+															  chunk_t lang_code);
+
+/**
+ * Creates an ietf_attr_remediation_instr_t object from received data
+ *
+ * @param value				unparsed attribute value
+ */
+pa_tnc_attr_t* ietf_attr_remediation_instr_create_from_data(chunk_t value);
+
+#endif /** IETF_ATTR_REMEDIATION_INSTR_H_ @}*/
diff --git a/src/libimcv/ietf/ietf_attr_string_version.c b/src/libimcv/ietf/ietf_attr_string_version.c
new file mode 100644
index 000000000..8f4129eac
--- /dev/null
+++ b/src/libimcv/ietf/ietf_attr_string_version.c
@@ -0,0 +1,300 @@
+/*
+ * Copyright (C) 2012 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "ietf_attr_string_version.h"
+
+#include <pa_tnc/pa_tnc_msg.h>
+#include <bio/bio_writer.h>
+#include <bio/bio_reader.h>
+#include <utils/debug.h>
+
+typedef struct private_ietf_attr_string_version_t private_ietf_attr_string_version_t;
+
+/**
+ * PA-TNC String Version type  (see section 4.2.4 of RFC 5792)
+ *
+ *                       1                   2                   3
+ *   0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ *  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ *  |  Version Len  |   Product Version Number (Variable Length)    |
+ *  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ *  | Build Num Len |   Internal Build Number (Variable Length)     |
+ *  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ *  |  Config. Len  | Configuration Version Number (Variable Length)|
+ *  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ */
+
+#define STRING_VERSION_MIN_SIZE		3
+
+/**
+ * Private data of an ietf_attr_string_version_t object.
+ */
+struct private_ietf_attr_string_version_t {
+
+	/**
+	 * Public members of ietf_attr_string_version_t
+	 */
+	ietf_attr_string_version_t public;
+
+	/**
+	 * Vendor-specific attribute type
+	 */
+	pen_type_t type;
+
+	/**
+	 * Attribute value
+	 */
+	chunk_t value;
+
+	/**
+	 * Noskip flag
+	 */
+	bool noskip_flag;
+
+	/**
+	 * Product Version Number
+	 */
+	chunk_t version;
+
+	/**
+	 * Internal Build Number
+	 */
+	chunk_t build;
+
+	/**
+	 * Configuration Version Number
+	 */
+	chunk_t config;
+
+	/**
+	 * Reference count
+	 */
+	refcount_t ref;
+};
+
+METHOD(pa_tnc_attr_t, get_type, pen_type_t,
+	private_ietf_attr_string_version_t *this)
+{
+	return this->type;
+}
+
+METHOD(pa_tnc_attr_t, get_value, chunk_t,
+	private_ietf_attr_string_version_t *this)
+{
+	return this->value;
+}
+
+METHOD(pa_tnc_attr_t, get_noskip_flag, bool,
+	private_ietf_attr_string_version_t *this)
+{
+	return this->noskip_flag;
+}
+
+METHOD(pa_tnc_attr_t, set_noskip_flag,void,
+	private_ietf_attr_string_version_t *this, bool noskip)
+{
+	this->noskip_flag = noskip;
+}
+
+METHOD(pa_tnc_attr_t, build, void,
+	private_ietf_attr_string_version_t *this)
+{
+	bio_writer_t *writer;
+
+	if (this->value.ptr)
+	{
+		return;
+	}
+
+	writer = bio_writer_create(STRING_VERSION_MIN_SIZE);
+	writer->write_data8(writer, this->version);
+	writer->write_data8(writer, this->build);
+	writer->write_data8(writer, this->config);
+
+	this->value = chunk_clone(writer->get_buf(writer));
+	writer->destroy(writer);
+}
+
+METHOD(pa_tnc_attr_t, process, status_t,
+	private_ietf_attr_string_version_t *this, u_int32_t *offset)
+{
+	bio_reader_t *reader;
+	status_t status = FAILED;
+	chunk_t version, build, config;
+	u_char *pos;
+
+	*offset = 0;
+
+	if (this->value.len < STRING_VERSION_MIN_SIZE)
+	{
+		DBG1(DBG_TNC, "insufficient data for IETF string version");
+		return FAILED;
+	}
+	reader = bio_reader_create(this->value);
+
+	if (!reader->read_data8(reader, &version))
+	{
+		DBG1(DBG_TNC, "insufficient data for IETF product version number");
+		goto end;
+
+	}
+	pos = memchr(version.ptr, '\0', version.len);
+	if (pos)
+	{
+		DBG1(DBG_TNC, "nul termination in IETF product version number");
+		*offset += 1 + (pos - version.ptr);
+		goto end;
+	}
+	*offset += 1 + version.len;
+
+	if (!reader->read_data8(reader, &build))
+	{
+		DBG1(DBG_TNC, "insufficient data for IETF internal build number");
+		goto end;
+
+	}
+	pos = memchr(build.ptr, '\0', build.len);
+	if (pos)
+	{
+		DBG1(DBG_TNC, "nul termination in IETF internal build number");
+		*offset += 1 + (pos - build.ptr);
+		goto end;
+	}
+	*offset += 1 + build.len;
+
+	if (!reader->read_data8(reader, &config))
+	{
+		DBG1(DBG_TNC, "insufficient data for IETF configuration version number");
+		goto end;
+
+	}
+	pos = memchr(config.ptr, '\0', config.len);
+	if (pos)
+	{
+		DBG1(DBG_TNC, "nul termination in IETF configuration version number");
+		*offset += 1 + (pos - config.ptr);
+		goto end;
+	}
+
+	this->version = chunk_clone(version);
+	this->build = chunk_clone(build);
+	this->config = chunk_clone(config);
+	status = SUCCESS;
+
+end:
+	reader->destroy(reader);
+	return status;
+}
+
+METHOD(pa_tnc_attr_t, get_ref, pa_tnc_attr_t*,
+	private_ietf_attr_string_version_t *this)
+{
+	ref_get(&this->ref);
+	return &this->public.pa_tnc_attribute;
+}
+
+METHOD(pa_tnc_attr_t, destroy, void,
+	private_ietf_attr_string_version_t *this)
+{
+	if (ref_put(&this->ref))
+	{
+		free(this->version.ptr);
+		free(this->build.ptr);
+		free(this->config.ptr);
+		free(this->value.ptr);
+		free(this);
+	}
+}
+
+METHOD(ietf_attr_string_version_t, get_version, chunk_t,
+	private_ietf_attr_string_version_t *this, chunk_t *build, chunk_t *config)
+{
+	if (build)
+	{
+		*build = this->build;
+	}
+	if (config)
+	{
+		*config = this->config;
+	}
+	return this->version;
+}
+
+/**
+ * Described in header.
+ */
+pa_tnc_attr_t *ietf_attr_string_version_create(chunk_t version, chunk_t build,
+											   chunk_t config)
+{
+	private_ietf_attr_string_version_t *this;
+
+	/* limit version numbers to 255 octets */
+	version.len = min(255, version.len);
+	build.len = min(255, build.len);
+	config.len = min(255, config.len);
+
+	INIT(this,
+		.public = {
+			.pa_tnc_attribute = {
+				.get_type = _get_type,
+				.get_value = _get_value,
+				.get_noskip_flag = _get_noskip_flag,
+				.set_noskip_flag = _set_noskip_flag,
+				.build = _build,
+				.process = _process,
+				.get_ref = _get_ref,
+				.destroy = _destroy,
+			},
+			.get_version = _get_version,
+		},
+		.type = { PEN_IETF, IETF_ATTR_STRING_VERSION },
+		.version = chunk_clone(version),
+		.build = chunk_clone(build),
+		.config = chunk_clone(config),
+		.ref = 1,
+	);
+
+	return &this->public.pa_tnc_attribute;
+}
+
+/**
+ * Described in header.
+ */
+pa_tnc_attr_t *ietf_attr_string_version_create_from_data(chunk_t data)
+{
+	private_ietf_attr_string_version_t *this;
+
+	INIT(this,
+		.public = {
+			.pa_tnc_attribute = {
+				.get_type = _get_type,
+				.get_value = _get_value,
+				.get_noskip_flag = _get_noskip_flag,
+				.set_noskip_flag = _set_noskip_flag,
+				.build = _build,
+				.process = _process,
+				.get_ref = _get_ref,
+				.destroy = _destroy,
+			},
+			.get_version = _get_version,
+		},
+		.type = { PEN_IETF, IETF_ATTR_STRING_VERSION },
+		.value = chunk_clone(data),
+		.ref = 1,
+	);
+
+	return &this->public.pa_tnc_attribute;
+}
+
diff --git a/src/libimcv/ietf/ietf_attr_string_version.h b/src/libimcv/ietf/ietf_attr_string_version.h
new file mode 100644
index 000000000..5ffbea8e0
--- /dev/null
+++ b/src/libimcv/ietf/ietf_attr_string_version.h
@@ -0,0 +1,67 @@
+/*
+ * Copyright (C) 2012 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup ietf_attr_string_versiont ietf_attr_string_version
+ * @{ @ingroup ietf
+ */
+
+#ifndef IETF_ATTR_STRING_VERSION_H_
+#define IETF_ATTR_STRING_VERSION_H_
+
+typedef struct ietf_attr_string_version_t ietf_attr_string_version_t;
+
+#include "ietf_attr.h"
+#include "pa_tnc/pa_tnc_attr.h"
+
+
+/**
+ * Class implementing the IETF PA-TNC String Version attribute.
+ *
+ */
+struct ietf_attr_string_version_t {
+
+	/**
+	 * Public PA-TNC attribute interface
+	 */
+	pa_tnc_attr_t pa_tnc_attribute;
+
+	/**
+	 * Gets the Product Version Number and optionally the Internal Build
+	 * and Configuration Version Numbers
+	 *
+	 * @param build			Internal Build Number (if build != NULL)
+	 * @param config		Configuration Version Number (if config != NULL)
+	 * @return				Product Version Number
+	 */
+	chunk_t (*get_version)(ietf_attr_string_version_t *this, chunk_t *build,
+															 chunk_t *config);
+};
+
+/**
+ * Creates an ietf_attr_string_version_t object
+ *
+ */
+pa_tnc_attr_t* ietf_attr_string_version_create(chunk_t version, chunk_t build,
+											   chunk_t config);
+
+/**
+ * Creates an ietf_attr_string_version_t object from received data
+ *
+ * @param value				unparsed attribute value
+ */
+pa_tnc_attr_t* ietf_attr_string_version_create_from_data(chunk_t value);
+
+#endif /** IETF_ATTR_STRING_VERSION_H_ @}*/
diff --git a/src/libimcv/imc/imc_agent.c b/src/libimcv/imc/imc_agent.c
index 8d1e70716..161623477 100644
--- a/src/libimcv/imc/imc_agent.c
+++ b/src/libimcv/imc/imc_agent.c
@@ -18,7 +18,7 @@
 
 #include <tncif_names.h>
 
-#include <debug.h>
+#include <utils/debug.h>
 #include <threading/rwlock.h>
 
 typedef struct private_imc_agent_t private_imc_agent_t;
@@ -39,14 +39,14 @@ struct private_imc_agent_t {
 	const char *name;
 
 	/**
-	 * message vendor ID of IMC
+	 * message types registered by IMC
 	 */
-	TNC_VendorID vendor_id;
+	pen_type_t *supported_types;
 
 	/**
-	 * message subtype of IMC
+	 * number of message types registered by IMC
 	 */
-	TNC_MessageSubtype subtype;
+	u_int32_t type_count;
 
 	/**
 	 * ID of IMC as assigned by TNCC
@@ -94,45 +94,6 @@ struct private_imc_agent_t {
 									TNC_MessageSubtypeList supported_subtypes,
 									TNC_UInt32 type_count);
 
-	/**
-	 * Call when an IMC-IMC message is to be sent
-	 *
-	 * @param imc_id			IMC ID assigned by TNCC
-	 * @param connection_id		network connection ID assigned by TNCC
-	 * @param msg				message to send
-	 * @param msg_len			message length in bytes
-	 * @param msg_type			message type
-	 * @return					TNC result code
-	 */
-	TNC_Result (*send_message)(TNC_IMCID imc_id,
-							   TNC_ConnectionID connection_id,
-							   TNC_BufferReference msg,
-							   TNC_UInt32 msg_len,
-							   TNC_MessageType msg_type);
-
-
-	/**
-	 * Call when an IMC-IMC message is to be sent with long message types
-	 *
-	 * @param imc_id			IMC ID assigned by TNCC
-	 * @param connection_id		network connection ID assigned by TNCC
-	 * @param msg_flags			message flags
-	 * @param msg				message to send
-	 * @param msg_len			message length in bytes
-	 * @param msg_vid			message vendor ID
-	 * @param msg_subtype		message subtype
-	 * @param dst_imc_id		destination IMV ID
-	 * @return					TNC result code
-	 */
-	TNC_Result (*send_message_long)(TNC_IMCID imc_id,
-									TNC_ConnectionID connection_id,
-									TNC_UInt32 msg_flags,
-									TNC_BufferReference msg,
-									TNC_UInt32 msg_len,
-									TNC_VendorID msg_vid,
-									TNC_MessageSubtype msg_subtype,
-									TNC_UInt32 dst_imv_id);
-
 	/**
 	 * Get the value of an attribute associated with a connection
 	 * or with the TNCC as a whole.
@@ -205,14 +166,14 @@ METHOD(imc_agent_t, bind_functions, TNC_Result,
 		this->public.request_handshake_retry = NULL;
 	}
 	if (bind_function(this->id, "TNC_TNCC_SendMessage",
-			(void**)&this->send_message) != TNC_RESULT_SUCCESS)
+			(void**)&this->public.send_message) != TNC_RESULT_SUCCESS)
 	{
-		this->send_message = NULL;
+		this->public.send_message = NULL;
 	}
 	if (bind_function(this->id, "TNC_TNCC_SendMessageLong",
-			(void**)&this->send_message_long) != TNC_RESULT_SUCCESS)
+			(void**)&this->public.send_message_long) != TNC_RESULT_SUCCESS)
 	{
-		this->send_message_long = NULL;
+		this->public.send_message_long = NULL;
 	}
 	if (bind_function(this->id, "TNC_TNCC_GetAttribute",
 			(void**)&this->get_attribute) != TNC_RESULT_SUCCESS)
@@ -234,17 +195,37 @@ METHOD(imc_agent_t, bind_functions, TNC_Result,
 
 	if (this->report_message_types_long)
 	{
-		this->report_message_types_long(this->id, &this->vendor_id,
-										&this->subtype, 1);
+		TNC_VendorIDList vendor_id_list;
+		TNC_MessageSubtypeList subtype_list;
+		int i;
+
+		vendor_id_list = malloc(this->type_count * sizeof(TNC_UInt32));
+		subtype_list   = malloc(this->type_count * sizeof(TNC_UInt32));
+
+		for (i = 0; i < this->type_count; i++)
+		{
+			vendor_id_list[i] = this->supported_types[i].vendor_id;
+			subtype_list[i]   = this->supported_types[i].type;
+		}
+		this->report_message_types_long(this->id, vendor_id_list, subtype_list,
+										this->type_count);
+		free(vendor_id_list);
+		free(subtype_list);
 	}
-	else if (this->report_message_types &&
-			 this->vendor_id <= TNC_VENDORID_ANY &&
-			 this->subtype <= TNC_SUBTYPE_ANY)
+	else if (this->report_message_types)
 	{
-		TNC_MessageType type;
+		TNC_MessageTypeList type_list;
+		int i;
+
+		type_list = malloc(this->type_count * sizeof(TNC_UInt32));
 
-		type = (this->vendor_id << 8) | this->subtype;
-		this->report_message_types(this->id, &type, 1);
+		for (i = 0; i < this->type_count; i++)
+		{
+			type_list[i] = (this->supported_types[i].vendor_id << 8) |
+						   (this->supported_types[i].type & 0xff);
+		}
+		this->report_message_types(this->id, type_list, this->type_count);
+		free(type_list);
 	}
 	return TNC_RESULT_SUCCESS;
 }
@@ -372,7 +353,7 @@ METHOD(imc_agent_t, create_state, TNC_Result,
 	has_long = get_bool_attribute(this, conn_id, TNC_ATTRIBUTEID_HAS_LONG_TYPES);
 	has_excl = get_bool_attribute(this, conn_id, TNC_ATTRIBUTEID_HAS_EXCLUSIVE);
 	has_soh  = get_bool_attribute(this, conn_id, TNC_ATTRIBUTEID_HAS_SOH);
-	tnccs_p = get_str_attribute(this, conn_id, TNC_ATTRIBUTEID_IFTNCCS_PROTOCOL); 
+	tnccs_p = get_str_attribute(this, conn_id, TNC_ATTRIBUTEID_IFTNCCS_PROTOCOL);
 	tnccs_v = get_str_attribute(this, conn_id, TNC_ATTRIBUTEID_IFTNCCS_VERSION);
 	t_p = get_str_attribute(this, conn_id, TNC_ATTRIBUTEID_IFT_PROTOCOL);
 	t_v = get_str_attribute(this, conn_id, TNC_ATTRIBUTEID_IFT_VERSION);
@@ -427,7 +408,7 @@ METHOD(imc_agent_t, change_state, TNC_Result,
 		case TNC_CONNECTION_STATE_ACCESS_ISOLATED:
 		case TNC_CONNECTION_STATE_ACCESS_NONE:
 			state = find_connection(this, connection_id);
-			
+
 			if (!state)
 			{
 				DBG1(DBG_IMC, "IMC %u \"%s\" has no state for Connection ID %u",
@@ -455,7 +436,7 @@ METHOD(imc_agent_t, change_state, TNC_Result,
 			DBG1(DBG_IMC, "IMC %u \"%s\" was notified of unknown state %u "
 				 		  "for Connection ID %u",
 						  this->id, this->name, new_state, connection_id);
-			return TNC_RESULT_INVALID_PARAMETER;		
+			return TNC_RESULT_INVALID_PARAMETER;
 	}
 	return TNC_RESULT_SUCCESS;
 }
@@ -474,165 +455,16 @@ METHOD(imc_agent_t, get_state, bool,
 	return TRUE;
 }
 
-METHOD(imc_agent_t, send_message, TNC_Result,
-	private_imc_agent_t *this, TNC_ConnectionID connection_id, bool excl,
-	TNC_UInt32 src_imc_id, TNC_UInt32 dst_imv_id, linked_list_t *attr_list)
+METHOD(imc_agent_t, get_name, const char*,
+	private_imc_agent_t *this)
 {
-	TNC_MessageType type;
-	TNC_UInt32 msg_flags;
-	TNC_Result result = TNC_RESULT_FATAL;
-	imc_state_t *state;
-	pa_tnc_attr_t *attr;
-	pa_tnc_msg_t *pa_tnc_msg;
-	chunk_t msg;
-	enumerator_t *enumerator;
-	bool attr_added;
-
-	state = find_connection(this, connection_id);
-	if (!state)
-	{
-		DBG1(DBG_IMV, "IMC %u \"%s\" has no state for Connection ID %u",
-					  this->id, this->name, connection_id);
-		return TNC_RESULT_FATAL;
-	}
-
-	while (attr_list->get_count(attr_list))
-	{
-		pa_tnc_msg = pa_tnc_msg_create(state->get_max_msg_len(state));
-		attr_added = FALSE;
-
-		enumerator = attr_list->create_enumerator(attr_list);
-		while (enumerator->enumerate(enumerator, &attr))
-		{
-			if (pa_tnc_msg->add_attribute(pa_tnc_msg, attr))
-			{
-				attr_added = TRUE;
-			}
-			else
-			{
-				if (attr_added)
-				{
-					break;
-				}
-				else
-				{
-					DBG1(DBG_IMC, "PA-TNC attribute too large to send, deleted");
-					attr->destroy(attr);
-				}
-			}
-			attr_list->remove_at(attr_list, enumerator);
-		}
-		enumerator->destroy(enumerator);
-
-		/* build and send the PA-TNC message via the IF-IMC interface */
-		if (!pa_tnc_msg->build(pa_tnc_msg))
-		{
-			pa_tnc_msg->destroy(pa_tnc_msg);
-			return TNC_RESULT_FATAL;
-		}
-		msg = pa_tnc_msg->get_encoding(pa_tnc_msg);
-
-		if (state->has_long(state) && this->send_message_long)
-		{
-			if (!src_imc_id)
-			{
-				src_imc_id = this->id;
-			}
-			msg_flags = excl ? TNC_MESSAGE_FLAGS_EXCLUSIVE : 0;
-
-			result = this->send_message_long(src_imc_id, connection_id,
-								msg_flags, msg.ptr, msg.len, this->vendor_id,
-								this->subtype, dst_imv_id);
-		}
-		else if (this->send_message)
-		{
-			type = (this->vendor_id << 8) | this->subtype;
-
-			result = this->send_message(this->id, connection_id, msg.ptr,
-								msg.len, type);
-		}
-
-		pa_tnc_msg->destroy(pa_tnc_msg);
-
-		if (result != TNC_RESULT_SUCCESS)
-		{
-			break;
-		}
-	}
-	return result;
+	return	this->name;
 }
 
-METHOD(imc_agent_t, receive_message, TNC_Result,
-	private_imc_agent_t *this, imc_state_t *state, chunk_t msg,
-	TNC_VendorID msg_vid, TNC_MessageSubtype msg_subtype,
-	TNC_UInt32 src_imv_id, TNC_UInt32 dst_imc_id, pa_tnc_msg_t **pa_tnc_msg)
+METHOD(imc_agent_t, get_id, TNC_IMCID,
+	private_imc_agent_t *this)
 {
-	pa_tnc_msg_t *pa_msg;
-	pa_tnc_attr_t *error_attr;
-	linked_list_t *error_attr_list;
-	enumerator_t *enumerator;
-	TNC_UInt32 src_imc_id, dst_imv_id;
-	TNC_ConnectionID connection_id;
-	TNC_Result result;
-
-	connection_id = state->get_connection_id(state);
-
-	if (state->has_long(state))
-	{
-		if (dst_imc_id != TNC_IMCID_ANY)
-		{
-			DBG2(DBG_IMC, "IMC %u \"%s\" received message for Connection ID %u "
-						  "from IMV %u to IMC %u", this->id, this->name,
-						   connection_id, src_imv_id, dst_imc_id);
-		}
-		else
-		{
-			DBG2(DBG_IMC, "IMC %u \"%s\" received message for Connection ID %u "
-						  "from IMV %u", this->id, this->name, connection_id,
-						   src_imv_id);
-		}
-	}
-	else
-	{
-		DBG2(DBG_IMC, "IMC %u \"%s\" received message for Connection ID %u",
-					   this->id, this->name, connection_id);
-	}
-
-	*pa_tnc_msg = NULL;
-	pa_msg = pa_tnc_msg_create_from_data(msg);
-
-	switch (pa_msg->process(pa_msg))
-	{
-		case SUCCESS:
-			*pa_tnc_msg = pa_msg;
-			break;
-		case VERIFY_ERROR:
-			/* extract and copy by refence all error attributes */
-			error_attr_list = linked_list_create();
-
-			enumerator = pa_msg->create_error_enumerator(pa_msg);
-			while (enumerator->enumerate(enumerator, &error_attr))
-			{
-				error_attr_list->insert_last(error_attr_list,
-											 error_attr->get_ref(error_attr));
-			}
-			enumerator->destroy(enumerator);
-
-			src_imc_id = (dst_imc_id == TNC_IMCID_ANY) ? this->id : dst_imc_id;
-			dst_imv_id = state->has_excl(state) ? src_imv_id : TNC_IMVID_ANY;
-
-			result = send_message(this, connection_id, state->has_excl(state),
- 								  src_imc_id, dst_imv_id, error_attr_list);
-
-			error_attr_list->destroy(error_attr_list);
-			pa_msg->destroy(pa_msg);
-			return result;
-		case FAILED:
-		default:
-			pa_msg->destroy(pa_msg);
-			return TNC_RESULT_FATAL;
-	}
-	return TNC_RESULT_SUCCESS;
+	return	this->id;
 }
 
 METHOD(imc_agent_t, reserve_additional_ids, TNC_Result,
@@ -697,7 +529,7 @@ METHOD(imc_agent_t, destroy, void,
  * Described in header.
  */
 imc_agent_t *imc_agent_create(const char *name,
-							  pen_t vendor_id, u_int32_t subtype,
+							  pen_type_t *supported_types, u_int32_t type_count,
 							  TNC_IMCID id, TNC_Version *actual_version)
 {
 	private_imc_agent_t *this;
@@ -715,22 +547,22 @@ imc_agent_t *imc_agent_create(const char *name,
 			.delete_state = _delete_state,
 			.change_state = _change_state,
 			.get_state = _get_state,
-			.send_message = _send_message,
-			.receive_message = _receive_message,
+			.get_name = _get_name,
+			.get_id = _get_id,
 			.reserve_additional_ids = _reserve_additional_ids,
 			.count_additional_ids = _count_additional_ids,
 			.create_id_enumerator = _create_id_enumerator,
 			.destroy = _destroy,
 		},
 		.name = name,
-		.vendor_id = vendor_id,
-		.subtype = subtype,
+		.supported_types = supported_types,
+		.type_count = type_count,
 		.id = id,
 		.additional_ids = linked_list_create(),
 		.connections = linked_list_create(),
 		.connection_lock = rwlock_create(RWLOCK_TYPE_DEFAULT),
 	);
-	
+
 	*actual_version = TNC_IFIMC_VERSION_1;
 	DBG1(DBG_IMC, "IMC %u \"%s\" initialized", this->id, this->name);
 
diff --git a/src/libimcv/imc/imc_agent.h b/src/libimcv/imc/imc_agent.h
index e87450aa6..aef10c0d7 100644
--- a/src/libimcv/imc/imc_agent.h
+++ b/src/libimcv/imc/imc_agent.h
@@ -27,7 +27,7 @@
 
 #include <tncifimc.h>
 #include <pen/pen.h>
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
 
 #include <library.h>
 
@@ -50,6 +50,44 @@ struct imc_agent_t {
 										  TNC_ConnectionID connection_id,
 										  TNC_RetryReason reason);
 
+	/**
+	 * Call when an IMC-IMC message is to be sent
+	 *
+	 * @param imc_id			IMC ID assigned by TNCC
+	 * @param connection_id		network connection ID assigned by TNCC
+	 * @param msg				message to send
+	 * @param msg_len			message length in bytes
+	 * @param msg_type			message type
+	 * @return					TNC result code
+	 */
+	TNC_Result (*send_message)(TNC_IMCID imc_id,
+							   TNC_ConnectionID connection_id,
+							   TNC_BufferReference msg,
+							   TNC_UInt32 msg_len,
+							   TNC_MessageType msg_type);
+
+	/**
+	 * Call when an IMC-IMC message is to be sent with long message types
+	 *
+	 * @param imc_id			IMC ID assigned by TNCC
+	 * @param connection_id		network connection ID assigned by TNCC
+	 * @param msg_flags			message flags
+	 * @param msg				message to send
+	 * @param msg_len			message length in bytes
+	 * @param msg_vid			message vendor ID
+	 * @param msg_subtype		message subtype
+	 * @param dst_imc_id		destination IMV ID
+	 * @return					TNC result code
+	 */
+	TNC_Result (*send_message_long)(TNC_IMCID imc_id,
+									TNC_ConnectionID connection_id,
+									TNC_UInt32 msg_flags,
+									TNC_BufferReference msg,
+									TNC_UInt32 msg_len,
+									TNC_VendorID msg_vid,
+									TNC_MessageSubtype msg_subtype,
+									TNC_UInt32 dst_imv_id);
+
 	/**
 	 * Bind TNCC functions
 	 *
@@ -100,39 +138,18 @@ struct imc_agent_t {
 					  TNC_ConnectionID connection_id, imc_state_t **state);
 
 	/**
-	 * Call when an PA-TNC message is to be sent
+	 * Get IMC name
 	 *
-	 * @param connection_id		network connection ID assigned by TNCC
-	 * @param excl				exclusive flag
-	 * @param src_imc_id		IMC ID to be set as source
-	 * @param dst_imv_id		IMV ID to be set as destination
-	 * @param attr_list			list of PA-TNC attributes to send
-	 * @return					TNC result code
+	 * return					IMC name
 	 */
-	TNC_Result (*send_message)(imc_agent_t *this,
-							   TNC_ConnectionID connection_id, bool excl,
-							   TNC_UInt32 src_imc_id, TNC_UInt32 dst_imv_id,
-							   linked_list_t *attr_list);
+	const char* (*get_name)(imc_agent_t *this);
 
 	/**
-	 * Call when a PA-TNC message was received
+	 * Get base IMC ID
 	 *
-	 * @param state				state for current connection
-	 * @param msg				received unparsed message
-	 * @param msg_vid			message vendorID of the received message
-	 * @param msg_subtype		message subtype of the received message
-	 * @param src_imv_id		source IMV ID
-	 * @param dst_imc_id		destination IMC ID
-	 * @param pa_tnc_message	parsed PA-TNC message or NULL if an error occurred
-	 * @return					TNC result code
+	 * return					base IMC ID
 	 */
-	TNC_Result (*receive_message)(imc_agent_t *this,
-								  imc_state_t *state, chunk_t msg,
-								  TNC_VendorID msg_vid,
-								  TNC_MessageSubtype msg_subtype,
-								  TNC_UInt32 src_imv_id,
-								  TNC_UInt32 dst_imc_id,
-								  pa_tnc_msg_t **pa_tnc_msg);
+	TNC_IMCID (*get_id)(imc_agent_t *this);
 
 	/**
 	 * Reserve additional IMC IDs from TNCC
@@ -164,14 +181,14 @@ struct imc_agent_t {
  * Create an imc_agent_t object
  *
  * @param name				name of the IMC
- * @param vendor_id			vendor ID of the IMC
- * @param subtype			message subtype of the IMC
+ * @param supported_types	list of message types registered by the IMC
+ * @param type_count		number of registered message types
  * @param id				ID of the IMC as assigned by the TNCS
  * @param actual_version	actual version of the IF-IMC API
  *
  */
 imc_agent_t *imc_agent_create(const char *name,
-							  pen_t vendor_id, u_int32_t subtype,
+							  pen_type_t *supported_types, u_int32_t type_count,
 							  TNC_IMCID id, TNC_Version *actual_version);
 
 #endif /** IMC_AGENT_H_ @}*/
diff --git a/src/libimcv/imc/imc_msg.c b/src/libimcv/imc/imc_msg.c
new file mode 100644
index 000000000..050e63f32
--- /dev/null
+++ b/src/libimcv/imc/imc_msg.c
@@ -0,0 +1,457 @@
+/*
+ * Copyright (C) 2012 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "imc_msg.h"
+
+#include "ietf/ietf_attr.h"
+#include "ietf/ietf_attr_assess_result.h"
+#include "ietf/ietf_attr_remediation_instr.h"
+
+#include <tncif_names.h>
+
+#include <pen/pen.h>
+#include <collections/linked_list.h>
+#include <utils/debug.h>
+
+typedef struct private_imc_msg_t private_imc_msg_t;
+
+/**
+ * Private data of a imc_msg_t object.
+ *
+ */
+struct private_imc_msg_t {
+
+	/**
+	 * Public imc_msg_t interface.
+	 */
+	imc_msg_t public;
+
+	/**
+	 * Connection ID
+	 */
+	TNC_ConnectionID connection_id;
+
+	/**
+	 * source ID
+	 */
+	TNC_UInt32 src_id;
+
+	/**
+	 * destination ID
+	 */
+	TNC_UInt32 dst_id;
+
+	/**
+	 * PA-TNC message type
+	 */
+	pen_type_t msg_type;
+
+	/**
+	 * List of PA-TNC attributes to be sent
+	 */
+	linked_list_t *attr_list;
+
+	/**
+	 * PA-TNC message
+	 */
+	pa_tnc_msg_t *pa_msg;
+
+	/**
+	 * Assigned IMC agent
+	 */
+	imc_agent_t *agent;
+
+	/**
+	 * Assigned IMC state
+	 */
+	imc_state_t *state;
+};
+
+METHOD(imc_msg_t, get_src_id, TNC_UInt32,
+	private_imc_msg_t *this)
+{
+	return this->src_id;
+}
+
+METHOD(imc_msg_t, get_dst_id, TNC_UInt32,
+	private_imc_msg_t *this)
+{
+	return this->dst_id;
+}
+
+METHOD(imc_msg_t, send_, TNC_Result,
+	private_imc_msg_t *this, bool excl)
+{
+	pa_tnc_msg_t *pa_tnc_msg;
+	pa_tnc_attr_t *attr;
+	TNC_UInt32 msg_flags;
+	TNC_MessageType msg_type;
+	bool attr_added;
+	chunk_t msg;
+	enumerator_t *enumerator;
+	TNC_Result result = TNC_RESULT_SUCCESS;
+
+	while (this->attr_list->get_count(this->attr_list))
+	{
+		pa_tnc_msg = pa_tnc_msg_create(this->state->get_max_msg_len(this->state));
+		attr_added = FALSE;
+
+		enumerator = this->attr_list->create_enumerator(this->attr_list);
+		while (enumerator->enumerate(enumerator, &attr))
+		{
+			if (pa_tnc_msg->add_attribute(pa_tnc_msg, attr))
+			{
+				attr_added = TRUE;
+			}
+			else
+			{
+				if (attr_added)
+				{
+					break;
+				}
+				else
+				{
+					DBG1(DBG_IMC, "PA-TNC attribute too large to send, deleted");
+					attr->destroy(attr);
+				}
+			}
+			this->attr_list->remove_at(this->attr_list, enumerator);
+		}
+		enumerator->destroy(enumerator);
+
+		/* build and send the PA-TNC message via the IF-IMC interface */
+		if (!pa_tnc_msg->build(pa_tnc_msg))
+		{
+			pa_tnc_msg->destroy(pa_tnc_msg);
+			return TNC_RESULT_FATAL;
+		}
+		msg = pa_tnc_msg->get_encoding(pa_tnc_msg);
+		DBG3(DBG_IMC, "created PA-TNC message: %B", &msg);
+
+		if (this->state->has_long(this->state) && this->agent->send_message_long)
+		{
+			excl = excl && this->state->has_excl(this->state) &&
+						   this->dst_id != TNC_IMVID_ANY;
+			msg_flags = excl ? TNC_MESSAGE_FLAGS_EXCLUSIVE : 0;
+			result = this->agent->send_message_long(this->src_id,
+							this->connection_id, msg_flags,	msg.ptr, msg.len,
+							this->msg_type.vendor_id, this->msg_type.type,
+							this->dst_id);
+		}
+		else if (this->agent->send_message)
+		{
+			msg_type = (this->msg_type.vendor_id << 8) |
+					   (this->msg_type.type & 0x000000ff);
+			result = this->agent->send_message(this->src_id, this->connection_id,
+											   msg.ptr, msg.len, msg_type);
+		}
+
+		pa_tnc_msg->destroy(pa_tnc_msg);
+
+		if (result != TNC_RESULT_SUCCESS)
+		{
+			break;
+		}
+	}
+	return result;
+}
+
+/**
+ * Print a clearly visible assessment header to the log
+ */
+static void print_assessment_header(const char *name, TNC_UInt32 id, bool *first)
+{
+	if (*first)
+	{
+		DBG1(DBG_IMC, "***** assessment of IMC %u \"%s\" *****", id, name);
+		*first = FALSE;
+	}
+}
+
+/**
+ * Print a clearly visible assessment trailer to the log
+ */
+static void print_assessment_trailer(bool first)
+{
+	if (!first)
+	{
+		DBG1(DBG_IMC, "***** end of assessment *****");
+	}
+}
+
+METHOD(imc_msg_t, receive, TNC_Result,
+	private_imc_msg_t *this, bool *fatal_error)
+{
+	TNC_UInt32 target_imc_id;
+	enumerator_t *enumerator;
+	pa_tnc_attr_t *attr;
+	pen_type_t attr_type;
+	chunk_t msg;
+	bool first = TRUE;
+
+	if (this->state->has_long(this->state))
+	{
+		if (this->dst_id != TNC_IMCID_ANY)
+		{
+			DBG2(DBG_IMC, "IMC %u \"%s\" received message for Connection ID %u "
+						  "from IMV %u to IMC %u",
+						   this->agent->get_id(this->agent),
+						   this->agent->get_name(this->agent),
+						   this->connection_id, this->src_id, this->dst_id);
+		}
+		else
+		{
+			DBG2(DBG_IMC, "IMC %u \"%s\" received message for Connection ID %u "
+						  "from IMV %u", this->agent->get_id(this->agent),
+						   this->agent->get_name(this->agent),
+						   this->connection_id, this->src_id);
+		}
+	}
+	else
+	{
+		DBG2(DBG_IMC, "IMC %u \"%s\" received message for Connection ID %u",
+					   this->agent->get_id(this->agent),
+					   this->agent->get_name(this->agent),
+					   this->connection_id);
+	}
+	msg = this->pa_msg->get_encoding(this->pa_msg);
+	DBG3(DBG_IMC, "%B", &msg);
+
+	switch (this->pa_msg->process(this->pa_msg))
+	{
+		case SUCCESS:
+			break;
+		case VERIFY_ERROR:
+		{
+			imc_msg_t *error_msg;
+			TNC_Result result;
+
+			error_msg = imc_msg_create_as_reply(&this->public);
+
+			/* extract and copy by reference all error attributes */
+			enumerator = this->pa_msg->create_error_enumerator(this->pa_msg);
+			while (enumerator->enumerate(enumerator, &attr))
+			{
+				error_msg->add_attribute(error_msg, attr->get_ref(attr));
+			}
+			enumerator->destroy(enumerator);
+
+			/*
+			 * send the PA-TNC message containing all error attributes
+			 * with the excl flag set
+			 */
+			result = error_msg->send(error_msg, TRUE);
+			error_msg->destroy(error_msg);
+			return result;
+		}
+		case FAILED:
+		default:
+			return TNC_RESULT_FATAL;
+	}
+
+	/* determine target IMC ID */
+	target_imc_id = (this->dst_id != TNC_IMCID_ANY) ?
+					 this->dst_id : this->agent->get_id(this->agent);
+
+	/* preprocess any received IETF standard error attributes */
+	*fatal_error = this->pa_msg->process_ietf_std_errors(this->pa_msg);
+
+	/* preprocess any received IETF assessment result attribute */
+	enumerator = this->pa_msg->create_attribute_enumerator(this->pa_msg);
+	while (enumerator->enumerate(enumerator, &attr))
+	{
+		attr_type = attr->get_type(attr);
+
+		if (attr_type.vendor_id != PEN_IETF)
+		{
+			continue;
+		}
+		if (attr_type.type == IETF_ATTR_ASSESSMENT_RESULT)
+		{
+			ietf_attr_assess_result_t *attr_cast;
+			TNC_IMV_Evaluation_Result result;
+
+			attr_cast = (ietf_attr_assess_result_t*)attr;
+			result =  attr_cast->get_result(attr_cast);
+			this->state->set_result(this->state, target_imc_id, result);
+
+			print_assessment_header(this->agent->get_name(this->agent),
+									target_imc_id, &first);
+			DBG1(DBG_IMC, "assessment result is '%N'",
+				 TNC_IMV_Evaluation_Result_names, result);
+		}
+		else if (attr_type.type == IETF_ATTR_REMEDIATION_INSTRUCTIONS)
+		{
+			ietf_attr_remediation_instr_t *attr_cast;
+			pen_type_t parameters_type;
+			chunk_t parameters, string, lang_code;
+
+			attr_cast = (ietf_attr_remediation_instr_t*)attr;
+			parameters_type = attr_cast->get_parameters_type(attr_cast);
+			parameters = attr_cast->get_parameters(attr_cast);
+
+			print_assessment_header(this->agent->get_name(this->agent),
+									target_imc_id, &first);
+			if (parameters_type.vendor_id == PEN_IETF)
+			{
+				switch (parameters_type.type)
+				{
+					case IETF_REMEDIATION_PARAMETERS_URI:
+						DBG1(DBG_IMC, "remediation uri: %.*s",
+									   parameters.len, parameters.ptr);
+						break;
+					case IETF_REMEDIATION_PARAMETERS_STRING:
+						string = attr_cast->get_string(attr_cast, &lang_code);
+						DBG1(DBG_IMC, "remediation string: [%.*s]\n%.*s",
+									   lang_code.len, lang_code.ptr,
+									   string.len, string.ptr);
+						break;
+					default:
+						DBG1(DBG_IMC, "remediation parameters: %B", &parameters);
+				}
+			}
+			else
+			{
+				DBG1(DBG_IMC, "remediation parameters: %B", &parameters);
+			}
+		}
+	}
+	enumerator->destroy(enumerator);
+
+	print_assessment_trailer(first);
+
+	return TNC_RESULT_SUCCESS;
+}
+
+METHOD(imc_msg_t, add_attribute, void,
+	private_imc_msg_t *this, pa_tnc_attr_t *attr)
+{
+	this->attr_list->insert_last(this->attr_list, attr);
+}
+
+METHOD(imc_msg_t, create_attribute_enumerator, enumerator_t*,
+	private_imc_msg_t *this)
+{
+	return this->pa_msg->create_attribute_enumerator(this->pa_msg);
+}
+
+METHOD(imc_msg_t, get_encoding, chunk_t,
+	private_imc_msg_t *this)
+{
+	if (this->pa_msg)
+	{
+		return this->pa_msg->get_encoding(this->pa_msg);
+	}
+	return chunk_empty;
+}
+
+METHOD(imc_msg_t, destroy, void,
+	private_imc_msg_t *this)
+{
+	this->attr_list->destroy_offset(this->attr_list,
+									offsetof(pa_tnc_attr_t, destroy));
+	DESTROY_IF(this->pa_msg);
+	free(this);
+}
+
+/**
+ * See header
+ */
+imc_msg_t *imc_msg_create(imc_agent_t *agent, imc_state_t *state,
+						  TNC_ConnectionID connection_id,
+						  TNC_UInt32 src_id, TNC_UInt32 dst_id,
+						  pen_type_t msg_type)
+{
+	private_imc_msg_t *this;
+
+	INIT(this,
+		.public = {
+			.get_src_id = _get_src_id,
+			.get_dst_id = _get_dst_id,
+			.send = _send_,
+			.receive = _receive,
+			.add_attribute = _add_attribute,
+			.create_attribute_enumerator = _create_attribute_enumerator,
+			.get_encoding = _get_encoding,
+			.destroy = _destroy,
+		},
+		.connection_id = connection_id,
+		.src_id = src_id,
+		.dst_id = dst_id,
+		.msg_type = msg_type,
+		.attr_list = linked_list_create(),
+		.agent = agent,
+		.state = state,
+	);
+
+	return &this->public;
+}
+
+/**
+ * See header
+ */
+imc_msg_t* imc_msg_create_as_reply(imc_msg_t *msg)
+{
+	private_imc_msg_t *in;
+	TNC_UInt32 src_id;
+
+	in = (private_imc_msg_t*)msg;
+	src_id = (in->dst_id != TNC_IMCID_ANY) ?
+			  in->dst_id : in->agent->get_id(in->agent);
+
+	return imc_msg_create(in->agent, in->state, in->connection_id, src_id,
+						  in->src_id, in->msg_type);
+}
+
+/**
+ * See header
+ */
+imc_msg_t *imc_msg_create_from_data(imc_agent_t *agent, imc_state_t *state,
+									TNC_ConnectionID connection_id,
+									TNC_MessageType msg_type,
+									chunk_t msg)
+{
+	TNC_VendorID msg_vid;
+	TNC_MessageSubtype msg_subtype;
+
+	msg_vid = msg_type >> 8;
+	msg_subtype = msg_type & TNC_SUBTYPE_ANY;
+
+	return imc_msg_create_from_long_data(agent, state, connection_id,
+								TNC_IMVID_ANY, agent->get_id(agent),
+								msg_vid, msg_subtype, msg);
+}
+
+/**
+ * See header
+ */
+imc_msg_t *imc_msg_create_from_long_data(imc_agent_t *agent, imc_state_t *state,
+										 TNC_ConnectionID connection_id,
+										 TNC_UInt32 src_id,
+										 TNC_UInt32 dst_id,
+										 TNC_VendorID msg_vid,
+										 TNC_MessageSubtype msg_subtype,
+										 chunk_t msg)
+{
+	private_imc_msg_t *this;
+
+	this = (private_imc_msg_t*)imc_msg_create(agent, state,
+										connection_id, src_id, dst_id,
+										pen_type_create(msg_vid, msg_subtype));
+	this->pa_msg = pa_tnc_msg_create_from_data(msg);
+
+	return &this->public;
+}
+
diff --git a/src/libimcv/imc/imc_msg.h b/src/libimcv/imc/imc_msg.h
new file mode 100644
index 000000000..6dd712e84
--- /dev/null
+++ b/src/libimcv/imc/imc_msg.h
@@ -0,0 +1,149 @@
+/*
+ * Copyright (C) 2012 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup imc_msg imc_msg
+ * @{ @ingroup libimcv
+ */
+
+#ifndef IMC_MSG_H_
+#define IMC_MSG_H_
+
+#include <imc/imc_agent.h>
+
+typedef struct imc_msg_t imc_msg_t;
+
+#include <library.h>
+
+/**
+ * Interface for a PA-TNC message handled by an IMC.
+ *
+ */
+struct imc_msg_t {
+
+	/**
+	 * Get source ID of PA-TNC message
+	 *
+	 * @return					src ID
+	 */
+	TNC_UInt32 (*get_src_id)(imc_msg_t *this);
+
+	/**
+	 * Get destination ID of PA-TNC message
+	 *
+	 * @return					destination ID
+	 */
+	TNC_UInt32 (*get_dst_id)(imc_msg_t *this);
+
+	/**
+	 * Sends one or multiple PA-TNC messages
+	 *
+	 * @param excl				set the excl message flag if supported
+	 * @return					TNC result code
+	 */
+	TNC_Result (*send)(imc_msg_t *this, bool excl);
+
+	/**
+	 * Processes a received PA-TNC message
+	 *
+	 * @param fatal_error		TRUE if IMV sent a fatal error message
+	 * @return					TNC result code
+	 */
+	TNC_Result (*receive)(imc_msg_t *this, bool *fatal_error);
+
+	/**
+	 * Add a PA-TNC attribute to the send queue
+	 *
+	 * @param attr				PA-TNC attribute to be added
+	 */
+	void (*add_attribute)(imc_msg_t *this, pa_tnc_attr_t *attr);
+
+	/**
+	 * Enumerator over PA-TNC attributes contained in the PA-TNC message
+	 *
+	 * @return					PA-TNC attribute enumerator
+	 */
+	enumerator_t* (*create_attribute_enumerator)(imc_msg_t *this);
+
+	/**
+	 * Get the encoding of the IMC message.
+	 *
+	 * @return					message encoding, internal data
+	 */
+	chunk_t (*get_encoding)(imc_msg_t *this);
+
+	/**
+	 * Destroys a imc_msg_t object.
+	 */
+	void (*destroy)(imc_msg_t *this);
+};
+
+/**
+ * Create a wrapper for an outbound message
+ *
+ * @param agent					IMC agent responsible for the message
+ * @param state					IMC state for the given connection ID
+ * @param connection_id			connection ID
+ * @param src_id				source IMC ID
+ * @param dst_id				destination IMV ID
+ * @param msg_type				PA-TNC message type
+ */
+imc_msg_t* imc_msg_create(imc_agent_t *agent, imc_state_t *state,
+						  TNC_ConnectionID connection_id,
+						  TNC_UInt32 src_id, TNC_UInt32 dst_id,
+						  pen_type_t msg_type);
+
+/**
+ * Create a wrapper for an outbound message based on a received message
+ *
+ * @param msg					received message the reply is based on
+ */
+imc_msg_t* imc_msg_create_as_reply(imc_msg_t *msg);
+
+/**
+ * Create a wrapper around message data received via the legacy IF-IMC interface
+ *
+ * @param agent					IMC agent responsible for the message
+ * @param state					IMC state for the given connection ID
+ * @param connection_id			connection ID
+ * @param msg_type				PA-TNC message type
+ * @param msg					received PA-TNC message blob
+ */
+imc_msg_t* imc_msg_create_from_data(imc_agent_t *agent, imc_state_t *state,
+									TNC_ConnectionID connection_id,
+									TNC_MessageType msg_type,
+									chunk_t msg);
+
+/**
+ * Create a wrapper around message data received via the long IF-IMC interface
+ *
+ * @param agent					IMC agent responsible for the message
+ * @param state					IMC state for the given connection ID
+ * @param connection_id			connection ID
+ * @param src_id				source IMV ID
+ * @param dst_id				destination IMC ID
+ * @param msg_flags				PA-TNC message flags
+ * @param msg_vid				PA-TNC message vendor ID
+ * @param msg_subtype			PA-TNC subtype
+ * @param msg					received PA-TNC message blob
+ */
+imc_msg_t* imc_msg_create_from_long_data(imc_agent_t *agent, imc_state_t *state,
+										 TNC_ConnectionID connection_id,
+										 TNC_UInt32 src_id, TNC_UInt32 dst_id,
+										 TNC_VendorID msg_vid,
+										 TNC_MessageSubtype msg_subtype,
+										 chunk_t msg);
+
+#endif /** IMC_MSG_H_ @}*/
diff --git a/src/libimcv/imcv.c b/src/libimcv/imcv.c
index b84548f9b..e1b828d10 100644
--- a/src/libimcv/imcv.c
+++ b/src/libimcv/imcv.c
@@ -16,8 +16,8 @@
 #include "ietf/ietf_attr.h"
 #include "ita/ita_attr.h"
 
-#include <utils.h>
-#include <debug.h>
+#include <utils/debug.h>
+#include <utils/utils.h>
 #include <pen/pen.h>
 
 #include <syslog.h>
@@ -119,7 +119,7 @@ bool libimcv_init(void)
 									"libimcv.debug_level", IMCV_DEBUG_LEVEL);
 		imcv_stderr_quiet = lib->settings->get_int(lib->settings,
 									"libimcv.stderr_quiet", FALSE);
-		
+
 		/* activate the imcv debugging hook */
 		dbg = imcv_dbg;
 		openlog("imcv", 0, LOG_DAEMON);
@@ -155,7 +155,7 @@ void libimcv_deinit(void)
 	}
 	if (ref_put(&libstrongswan_ref))
 	{
-		library_deinit();		
+		library_deinit();
 	}
 }
 
diff --git a/src/libimcv/imv/imv_agent.c b/src/libimcv/imv/imv_agent.c
index fa04e0237..6a33e396c 100644
--- a/src/libimcv/imv/imv_agent.c
+++ b/src/libimcv/imv/imv_agent.c
@@ -19,7 +19,7 @@
 
 #include <tncif_names.h>
 
-#include <debug.h>
+#include <utils/debug.h>
 #include <threading/rwlock.h>
 
 typedef struct private_imv_agent_t private_imv_agent_t;
@@ -40,19 +40,14 @@ struct private_imv_agent_t {
 	const char *name;
 
 	/**
-	 * message vendor ID of IMV
+	 * message types registered by IMV
 	 */
-	TNC_VendorID vendor_id;
+	pen_type_t *supported_types;
 
 	/**
-	 * message subtype of IMV
+	 * number of message types registered by IMV
 	 */
-	TNC_MessageSubtype subtype;
-
-	/**
-	 * Maximum PA-TNC Message size
-	 */
-	size_t max_msg_len;
+	u_int32_t type_count;
 
 	/**
 	 * ID of IMV as assigned by TNCS
@@ -100,44 +95,6 @@ struct private_imv_agent_t {
 									TNC_MessageSubtypeList supported_subtypes,
 									TNC_UInt32 type_count);
 
-	/**
-	 * Call when an IMV-IMC message is to be sent
-	 *
-	 * @param imv_id			IMV ID assigned by TNCS
-	 * @param connection_id		network connection ID assigned by TNCS
-	 * @param msg				message to send
-	 * @param msg_len			message length in bytes
-	 * @param msg_type			message type
-	 * @return					TNC result code
-	 */
-	TNC_Result (*send_message)(TNC_IMVID imv_id,
-							   TNC_ConnectionID connection_id,
-							   TNC_BufferReference msg,
-							   TNC_UInt32 msg_len,
-							   TNC_MessageType msg_type);
-
-	/**
-	 * Call when an IMV-IMC message is to be sent with long message types
-	 *
-	 * @param imv_id			IMV ID assigned by TNCS
-	 * @param connection_id		network connection ID assigned by TNCS
-	 * @param msg_flags			message flags
-	 * @param msg				message to send
-	 * @param msg_len			message length in bytes
-	 * @param msg_vid			message vendor ID
-	 * @param msg_subtype		message subtype
-	 * @param dst_imc_id		destination IMC ID
-	 * @return					TNC result code
-	 */
-	TNC_Result (*send_message_long)(TNC_IMVID imv_id,
-									TNC_ConnectionID connection_id,
-									TNC_UInt32 msg_flags,
-									TNC_BufferReference msg,
-									TNC_UInt32 msg_len,
-									TNC_VendorID msg_vid,
-									TNC_MessageSubtype msg_subtype,
-									TNC_UInt32 dst_imc_id);
-
 	/**
 	 * Deliver IMV Action Recommendation and IMV Evaluation Results to the TNCS
 	 *
@@ -224,14 +181,14 @@ METHOD(imv_agent_t, bind_functions, TNC_Result,
 		this->public.request_handshake_retry = NULL;
 	}
 	if (bind_function(this->id, "TNC_TNCS_SendMessage",
-			(void**)&this->send_message) != TNC_RESULT_SUCCESS)
+			(void**)&this->public.send_message) != TNC_RESULT_SUCCESS)
 	{
-		this->send_message = NULL;
+		this->public.send_message = NULL;
 	}
 	if (bind_function(this->id, "TNC_TNCS_SendMessageLong",
-			(void**)&this->send_message_long) != TNC_RESULT_SUCCESS)
+			(void**)&this->public.send_message_long) != TNC_RESULT_SUCCESS)
 	{
-		this->send_message_long = NULL;
+		this->public.send_message_long = NULL;
 	}
 	if (bind_function(this->id, "TNC_TNCS_ProvideRecommendation",
 			(void**)&this->provide_recommendation) != TNC_RESULT_SUCCESS)
@@ -258,17 +215,37 @@ METHOD(imv_agent_t, bind_functions, TNC_Result,
 
 	if (this->report_message_types_long)
 	{
-		this->report_message_types_long(this->id, &this->vendor_id,
-										&this->subtype, 1);
+		TNC_VendorIDList vendor_id_list;
+		TNC_MessageSubtypeList subtype_list;
+		int i;
+
+		vendor_id_list = malloc(this->type_count * sizeof(TNC_UInt32));
+		subtype_list   = malloc(this->type_count * sizeof(TNC_UInt32));
+
+		for (i = 0; i < this->type_count; i++)
+		{
+			vendor_id_list[i] = this->supported_types[i].vendor_id;
+			subtype_list[i]   = this->supported_types[i].type;
+		}
+		this->report_message_types_long(this->id, vendor_id_list, subtype_list,
+										this->type_count);
+		free(vendor_id_list);
+		free(subtype_list);
 	}
-	else if (this->report_message_types &&
-			 this->vendor_id <= TNC_VENDORID_ANY &&
-			 this->subtype <= TNC_SUBTYPE_ANY)
+	else if (this->report_message_types)
 	{
-		TNC_MessageType type;
+		TNC_MessageTypeList type_list;
+		int i;
 
-		type = (this->vendor_id << 8) | this->subtype;
-		this->report_message_types(this->id, &type, 1);
+		type_list = malloc(this->type_count * sizeof(TNC_UInt32));
+
+		for (i = 0; i < this->type_count; i++)
+		{
+			type_list[i] = (this->supported_types[i].vendor_id << 8) |
+						   (this->supported_types[i].type & 0xff);
+		}
+		this->report_message_types(this->id, type_list, this->type_count);
+		free(type_list);
 	}
 	return TNC_RESULT_SUCCESS;
 }
@@ -497,258 +474,16 @@ METHOD(imv_agent_t, get_state, bool,
 	return TRUE;
 }
 
-METHOD(imv_agent_t, send_message, TNC_Result,
-	private_imv_agent_t *this, TNC_ConnectionID connection_id, bool excl,
-	TNC_UInt32 src_imv_id, TNC_UInt32 dst_imc_id, linked_list_t *attr_list)
-{
-	TNC_MessageType type;
-	TNC_UInt32 msg_flags;
-	TNC_Result result = TNC_RESULT_FATAL;
-	imv_state_t *state;
-	pa_tnc_attr_t *attr;
-	pa_tnc_msg_t *pa_tnc_msg;
-	chunk_t msg;
-	enumerator_t *enumerator;
-	bool attr_added;
-
-	state = find_connection(this, connection_id);
-	if (!state)
-	{
-		DBG1(DBG_IMV, "IMV %u \"%s\" has no state for Connection ID %u",
-					  this->id, this->name, connection_id);
-		return TNC_RESULT_FATAL;
-	}
-
-	while (attr_list->get_count(attr_list))
-	{
-		pa_tnc_msg = pa_tnc_msg_create(this->max_msg_len);
-		attr_added = FALSE;
-
-		enumerator = attr_list->create_enumerator(attr_list);
-		while (enumerator->enumerate(enumerator, &attr))
-		{
-			if (pa_tnc_msg->add_attribute(pa_tnc_msg, attr))
-			{
-				attr_added = TRUE;
-			}
-			else
-			{
-				if (attr_added)
-				{
-					break;
-				}
-				else
-				{
-					DBG1(DBG_IMV, "PA-TNC attribute too large to send, deleted");
-					attr->destroy(attr);
-				}
-			}
-			attr_list->remove_at(attr_list, enumerator);
-		}
-		enumerator->destroy(enumerator);
-
-		/* build and send the PA-TNC message via the IF-IMV interface */
-		if (!pa_tnc_msg->build(pa_tnc_msg))
-		{
-			pa_tnc_msg->destroy(pa_tnc_msg);
-			return TNC_RESULT_FATAL;
-		}
-		msg = pa_tnc_msg->get_encoding(pa_tnc_msg);
-
-		if (state->has_long(state) && this->send_message_long)
-		{
-			if (!src_imv_id)
-			{
-				src_imv_id = this->id;
-			}
-			msg_flags = excl ? TNC_MESSAGE_FLAGS_EXCLUSIVE : 0;
-
-			result = this->send_message_long(src_imv_id, connection_id,
-								msg_flags, msg.ptr, msg.len, this->vendor_id,
-								this->subtype, dst_imc_id);
-		}
-		else if (this->send_message)
-		{
-			type = (this->vendor_id << 8) | this->subtype;
-
-			result = this->send_message(this->id, connection_id, msg.ptr,
-								msg.len, type);
-		}
-
-		pa_tnc_msg->destroy(pa_tnc_msg);
-
-		if (result != TNC_RESULT_SUCCESS)
-		{
-			break;
-		}
-	}
-	return result;
-}
-
-METHOD(imv_agent_t, set_recommendation, TNC_Result,
-	private_imv_agent_t *this, TNC_ConnectionID connection_id,
-							   TNC_IMV_Action_Recommendation rec,
-							   TNC_IMV_Evaluation_Result eval)
-{
-	imv_state_t *state;
-
-	state = find_connection(this, connection_id);
-	if (!state)
-	{
-		DBG1(DBG_IMV, "IMV %u \"%s\" has no state for Connection ID %u",
-					  this->id, this->name, connection_id);
-		return TNC_RESULT_FATAL;
-	}
-
-	state->set_recommendation(state, rec, eval);
-	return this->provide_recommendation(this->id, connection_id, rec, eval);
-}
-
-METHOD(imv_agent_t, receive_message, TNC_Result,
-	private_imv_agent_t *this, imv_state_t *state, chunk_t msg,
-	TNC_VendorID msg_vid, TNC_MessageSubtype msg_subtype,
-	TNC_UInt32 src_imc_id, TNC_UInt32 dst_imv_id, pa_tnc_msg_t **pa_tnc_msg)
+METHOD(imv_agent_t, get_name, const char*,
+	private_imv_agent_t *this)
 {
-	pa_tnc_msg_t *pa_msg;
-	pa_tnc_attr_t *error_attr;
-	linked_list_t *error_attr_list;
-	enumerator_t *enumerator;
-	TNC_UInt32 src_imv_id, dst_imc_id;
-	TNC_ConnectionID connection_id;
-	TNC_Result result;
-
-	connection_id = state->get_connection_id(state);
-
-	if (state->has_long(state))
-	{
-		if (dst_imv_id != TNC_IMVID_ANY)
-		{
-			DBG2(DBG_IMV, "IMV %u \"%s\" received message for Connection ID %u "
-						  "from IMC %u to IMV %u", this->id, this->name,
-						   connection_id, src_imc_id, dst_imv_id);
-		}
-		else
-		{
-			DBG2(DBG_IMV, "IMV %u \"%s\" received message for Connection ID %u "
-						  "from IMC %u", this->id, this->name, connection_id,
-						   src_imc_id);
-		}
-	}
-	else
-	{
-		DBG2(DBG_IMV, "IMV %u \"%s\" received message for Connection ID %u",
-					   this->id, this->name, connection_id);
-	}
-
-	*pa_tnc_msg = NULL;
-	pa_msg = pa_tnc_msg_create_from_data(msg);
-
-	switch (pa_msg->process(pa_msg))
-	{
-		case SUCCESS:
-			*pa_tnc_msg = pa_msg;
-			break;
-		case VERIFY_ERROR:
-			/* extract and copy by refence all error attributes */
-			error_attr_list = linked_list_create();
-
-			enumerator = pa_msg->create_error_enumerator(pa_msg);
-			while (enumerator->enumerate(enumerator, &error_attr))
-			{
-				error_attr_list->insert_last(error_attr_list,
-											 error_attr->get_ref(error_attr));
-			}
-			enumerator->destroy(enumerator);
-
-			src_imv_id = (dst_imv_id == TNC_IMVID_ANY) ? this->id : dst_imv_id;
-			dst_imc_id = state->has_excl(state) ? src_imc_id : TNC_IMCID_ANY;
-
-			result = send_message(this, connection_id, state->has_excl(state),
- 								  src_imv_id, dst_imc_id, error_attr_list);
-
-			error_attr_list->destroy(error_attr_list);
-			pa_msg->destroy(pa_msg);
-			return result;
-		case FAILED:
-		default:
-			pa_msg->destroy(pa_msg);
-			state->set_recommendation(state,
-							TNC_IMV_ACTION_RECOMMENDATION_NO_RECOMMENDATION,
-							TNC_IMV_EVALUATION_RESULT_ERROR);
-			return this->provide_recommendation(this->id, connection_id,
-							TNC_IMV_ACTION_RECOMMENDATION_NO_RECOMMENDATION,
-							TNC_IMV_EVALUATION_RESULT_ERROR);
-	}
-	return TNC_RESULT_SUCCESS;
+	return	this->name;
 }
 
-METHOD(imv_agent_t, provide_recommendation, TNC_Result,
-	private_imv_agent_t *this, TNC_ConnectionID connection_id,
-	TNC_UInt32 dst_imc_id)
+METHOD(imv_agent_t, get_id, TNC_IMVID,
+	private_imv_agent_t *this)
 {
-	imv_state_t *state;
-	linked_list_t *attr_list;
-	pa_tnc_attr_t *attr;
-	TNC_Result result;
-	TNC_IMV_Action_Recommendation rec;
-	TNC_IMV_Evaluation_Result eval;
-	TNC_UInt32 lang_len;
-	char buf[BUF_LEN];
-	chunk_t pref_lang = { buf, 0 }, reason_string, reason_lang;
-
-	state = find_connection(this, connection_id);
-	if (!state)
-	{
-		DBG1(DBG_IMV, "IMV %u \"%s\" has no state for Connection ID %u",
-					  this->id, this->name, connection_id);
-		return TNC_RESULT_FATAL;
-	}
-	state->get_recommendation(state, &rec, &eval);
-
-	/* send a reason string if action recommendation is not allow */
-	if (rec != TNC_IMV_ACTION_RECOMMENDATION_ALLOW)
-	{
-		/* check if there a preferred language has been requested */
-		if (this->get_attribute  &&
-			this->get_attribute(this->id, connection_id,
-								TNC_ATTRIBUTEID_PREFERRED_LANGUAGE, BUF_LEN,
-								buf, &lang_len) == TNC_RESULT_SUCCESS &&
-			lang_len <= BUF_LEN)
-		{
-			pref_lang.len = lang_len;
-			DBG2(DBG_IMV, "preferred language is '%.*s'", (int)pref_lang.len,
-				 pref_lang.ptr);
-		}
-
-		/* find a reason string for the preferred or default language and set it */
-		if (this->set_attribute &&
-			state->get_reason_string(state, pref_lang, &reason_string,
-													   &reason_lang))
-		{
-			this->set_attribute(this->id, connection_id,
-								TNC_ATTRIBUTEID_REASON_STRING,
-								reason_string.len, reason_string.ptr);
-			this->set_attribute(this->id, connection_id,
-								TNC_ATTRIBUTEID_REASON_LANGUAGE,
-								reason_lang.len, reason_lang.ptr);
-		}
-	}
-
-	/* Send an IETF Assessment Result attribute if enabled */
-	if (lib->settings->get_bool(lib->settings, "libimcv.assessment_result", TRUE))
-	{
-		attr = ietf_attr_assess_result_create(eval);
-		attr_list = linked_list_create();
-		attr_list->insert_last(attr_list, attr);
-		result = send_message(this, connection_id, FALSE, this->id, dst_imc_id,
-							  attr_list);
-		attr_list->destroy(attr_list);
-		if (result != TNC_RESULT_SUCCESS)
-		{
-			return result;
-		}
-	}
-	return this->provide_recommendation(this->id, connection_id, rec, eval);
+	return	this->id;
 }
 
 METHOD(imv_agent_t, reserve_additional_ids, TNC_Result,
@@ -796,6 +531,146 @@ METHOD(imv_agent_t, create_id_enumerator, enumerator_t*,
 	return this->additional_ids->create_enumerator(this->additional_ids);
 }
 
+typedef struct {
+	/**
+	 * implements enumerator_t
+	 */
+	enumerator_t public;
+
+	/**
+	 * language length
+	 */
+	TNC_UInt32 lang_len;
+
+	/**
+	 * language buffer
+	 */
+	char lang_buf[BUF_LEN];
+
+	/**
+	 * position pointer into language buffer
+	 */
+	char *lang_pos;
+
+} language_enumerator_t;
+
+/**
+ * Implementation of language_enumerator.destroy.
+ */
+static void language_enumerator_destroy(language_enumerator_t *this)
+{
+	free(this);
+}
+
+/**
+ * Implementation of language_enumerator.enumerate
+ */
+static bool language_enumerator_enumerate(language_enumerator_t *this, ...)
+{
+	char *pos, *cur_lang, **lang;
+	TNC_UInt32 len;
+	va_list args;
+
+	if (!this->lang_len)
+	{
+		return FALSE;
+	}
+	cur_lang = this->lang_pos;
+	pos = strchr(this->lang_pos, ',');
+	if (pos)
+	{
+		len = pos - this->lang_pos;
+		this->lang_pos += len + 1,
+		this->lang_len -= len + 1;
+	}
+	else
+	{
+		len = this->lang_len;
+		pos = this->lang_pos + len;
+		this->lang_pos = NULL;
+		this->lang_len = 0;
+	}
+
+	/* remove preceding whitespace */
+	while (*cur_lang == ' ' && len--)
+	{
+		cur_lang++;
+	}
+
+	/* remove trailing whitespace */
+	while (len && *(--pos) == ' ')
+	{
+		len--;
+	}
+	cur_lang[len] = '\0';
+
+	va_start(args, this);
+	lang = va_arg(args, char**);
+	*lang = cur_lang;
+	va_end(args);
+
+	return TRUE;
+}
+
+METHOD(imv_agent_t, create_language_enumerator, enumerator_t*,
+	private_imv_agent_t *this, imv_state_t *state)
+{
+	language_enumerator_t *e;
+
+	/* Create a language enumerator instance */
+	e = malloc_thing(language_enumerator_t);
+	e->public.enumerate = (void*)language_enumerator_enumerate;
+	e->public.destroy = (void*)language_enumerator_destroy;
+
+	if (!this->get_attribute ||
+		!this->get_attribute(this->id, state->get_connection_id(state),
+						TNC_ATTRIBUTEID_PREFERRED_LANGUAGE, BUF_LEN,
+						e->lang_buf, &e->lang_len) == TNC_RESULT_SUCCESS ||
+		e->lang_len >= BUF_LEN)
+	{
+		e->lang_len = 0;
+	}
+	e->lang_buf[e->lang_len] = '\0';
+	e->lang_pos = e->lang_buf;
+
+	return (enumerator_t*)e;
+}
+
+METHOD(imv_agent_t, provide_recommendation, TNC_Result,
+	private_imv_agent_t *this, imv_state_t *state)
+{
+	TNC_IMV_Action_Recommendation rec;
+	TNC_IMV_Evaluation_Result eval;
+	TNC_ConnectionID connection_id;
+	chunk_t reason_string;
+	char *reason_lang;
+	enumerator_t *e;
+
+	state->get_recommendation(state, &rec, &eval);
+	connection_id = state->get_connection_id(state);
+
+	/* send a reason string if action recommendation is not allow */
+	if (rec != TNC_IMV_ACTION_RECOMMENDATION_ALLOW)
+	{
+		/* find a reason string for the preferred language and set it */
+		if (this->set_attribute)
+		{
+			e = create_language_enumerator(this, state);
+			if (state->get_reason_string(state, e, &reason_string, &reason_lang))
+			{
+				this->set_attribute(this->id, connection_id,
+									TNC_ATTRIBUTEID_REASON_STRING,
+									reason_string.len, reason_string.ptr);
+				this->set_attribute(this->id, connection_id,
+									TNC_ATTRIBUTEID_REASON_LANGUAGE,
+									strlen(reason_lang), reason_lang);
+			}
+			e->destroy(e);
+		}
+	}
+	return this->provide_recommendation(this->id, connection_id, rec, eval);
+}
+
 METHOD(imv_agent_t, destroy, void,
 	private_imv_agent_t *this)
 {
@@ -814,7 +689,7 @@ METHOD(imv_agent_t, destroy, void,
  * Described in header.
  */
 imv_agent_t *imv_agent_create(const char *name,
-							  pen_t vendor_id, u_int32_t subtype,
+							  pen_type_t *supported_types, u_int32_t type_count,
 							  TNC_IMVID id, TNC_Version *actual_version)
 {
 	private_imv_agent_t *this;
@@ -832,19 +707,18 @@ imv_agent_t *imv_agent_create(const char *name,
 			.delete_state = _delete_state,
 			.change_state = _change_state,
 			.get_state = _get_state,
-			.send_message = _send_message,
-			.receive_message = _receive_message,
-			.set_recommendation = _set_recommendation,
-			.provide_recommendation = _provide_recommendation,
+			.get_name = _get_name,
+			.get_id = _get_id,
 			.reserve_additional_ids = _reserve_additional_ids,
 			.count_additional_ids = _count_additional_ids,
 			.create_id_enumerator = _create_id_enumerator,
+			.create_language_enumerator = _create_language_enumerator,
+			.provide_recommendation = _provide_recommendation,
 			.destroy = _destroy,
 		},
 		.name = name,
-		.vendor_id = vendor_id,
-		.subtype = subtype,
-		.max_msg_len = 65490,
+		.supported_types = supported_types,
+		.type_count = type_count,
 		.id = id,
 		.additional_ids = linked_list_create(),
 		.connections = linked_list_create(),
diff --git a/src/libimcv/imv/imv_agent.h b/src/libimcv/imv/imv_agent.h
index 34ac3c109..5b2cffefe 100644
--- a/src/libimcv/imv/imv_agent.h
+++ b/src/libimcv/imv/imv_agent.h
@@ -27,7 +27,7 @@
 
 #include <tncifimv.h>
 #include <pen/pen.h>
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
 
 #include <library.h>
 
@@ -50,6 +50,44 @@ struct imv_agent_t {
 										  TNC_ConnectionID connection_id,
 										  TNC_RetryReason reason);
 
+	/**
+	 * Call when an IMV-IMC message is to be sent
+	 *
+	 * @param imv_id			IMV ID assigned by TNCS
+	 * @param connection_id		network connection ID assigned by TNCS
+	 * @param msg				message to send
+	 * @param msg_len			message length in bytes
+	 * @param msg_type			message type
+	 * @return					TNC result code
+	 */
+	TNC_Result (*send_message)(TNC_IMVID imv_id,
+							   TNC_ConnectionID connection_id,
+							   TNC_BufferReference msg,
+							   TNC_UInt32 msg_len,
+							   TNC_MessageType msg_type);
+
+	/**
+	 * Call when an IMV-IMC message is to be sent with long message types
+	 *
+	 * @param imv_id			IMV ID assigned by TNCS
+	 * @param connection_id		network connection ID assigned by TNCS
+	 * @param msg_flags			message flags
+	 * @param msg				message to send
+	 * @param msg_len			message length in bytes
+	 * @param msg_vid			message vendor ID
+	 * @param msg_subtype		message subtype
+	 * @param dst_imc_id		destination IMC ID
+	 * @return					TNC result code
+	 */
+	TNC_Result (*send_message_long)(TNC_IMVID imv_id,
+									TNC_ConnectionID connection_id,
+									TNC_UInt32 msg_flags,
+									TNC_BufferReference msg,
+									TNC_UInt32 msg_len,
+									TNC_VendorID msg_vid,
+									TNC_MessageSubtype msg_subtype,
+									TNC_UInt32 dst_imc_id);
+
 	/**
 	 * Bind TNCS functions
 	 *
@@ -100,63 +138,18 @@ struct imv_agent_t {
 					  TNC_ConnectionID connection_id, imv_state_t **state);
 
 	/**
-	 * Call when a PA-TNC message is to be sent
+	 * Get IMV name
 	 *
-	 * @param connection_id		network connection ID assigned by TNCS
-	 * @param excl				exclusive flag
-	 * @param src_imv_id		IMV ID to be set as source
-	 * @param dst_imc_id		IMD ID to be set as destination
-	 * @param attr_list			list of PA-TNC attributes to send
-	 * @return					TNC result code
+	 * return					IMV name
 	 */
-	TNC_Result (*send_message)(imv_agent_t *this,
-							   TNC_ConnectionID connection_id, bool excl,
-							   TNC_UInt32 src_imv_id, TNC_UInt32 dst_imc_id,
-							   linked_list_t *attr_list);
+	const char* (*get_name)(imv_agent_t *this);
 
 	/**
-	 * Call when a PA-TNC message was received
+	 * Get base IMV ID
 	 *
-	 * @param state				state for current connection
-	 * @param msg				received unparsed message
-	 * @param msg_vid			message vendorID of the received message
-	 * @param msg_subtype		message subtype of the received message
-	 * @param src_imc_id		source IMC ID
-	 * @param dst_imv_id		destination IMV ID
-	 * @param pa_tnc_message	parsed PA-TNC message or NULL if an error occurred
-	 * @return					TNC result code
+	 * return					base IMV ID
 	 */
-	TNC_Result (*receive_message)(imv_agent_t *this,
-								  imv_state_t *state, chunk_t msg,
-								  TNC_VendorID msg_vid,
-								  TNC_MessageSubtype msg_subtype,
-								  TNC_UInt32 src_imc_id,
-								  TNC_UInt32 dst_imv_id,
-								  pa_tnc_msg_t **pa_tnc_msg);
-
-	/**
-	 * Set Action Recommendation and Evaluation Result in the IMV state
-	 *
-	 * @param connection_id		network connection ID assigned by TNCS
-	 * @param rec				IMV action recommendation
-	 * @param eval				IMV evaluation result
-	 * @return					TNC result code
-	 */
-	TNC_Result (*set_recommendation)(imv_agent_t *this,
-									 TNC_ConnectionID connection_id,
-									 TNC_IMV_Action_Recommendation rec,
-									 TNC_IMV_Evaluation_Result eval);
-
-	/**
-	 * Deliver IMV Action Recommendation and IMV Evaluation Result to the TNCS
-	 *
-	 * @param connection_id		network connection ID assigned by TNCS
-	 * @param dst_imc_id		IMD ID to be set as destination
-	 * @return					TNC result code
-	 */
-	TNC_Result (*provide_recommendation)(imv_agent_t *this,
-										 TNC_ConnectionID connection_id,
-										 TNC_UInt32 dst_imc_id);
+	TNC_IMVID (*get_id)(imv_agent_t *this);
 
 	/**
 	 * Reserve additional IMV IDs from TNCS
@@ -178,6 +171,22 @@ struct imv_agent_t {
 	 */
 	enumerator_t* (*create_id_enumerator)(imv_agent_t *this);
 
+	/**
+	 * Create a preferred languages enumerator
+	 *
+	 * @param					state of TNCCS connection
+	 */
+	enumerator_t* (*create_language_enumerator)(imv_agent_t *this,
+				   imv_state_t *state);
+
+	/**
+	 * Deliver IMV Action Recommendation and IMV Evaluation Result to the TNCS
+	 *
+	 * @param state				state bound to a connection ID
+	 * @return					TNC result code
+	 */
+	TNC_Result (*provide_recommendation)(imv_agent_t *this, imv_state_t* state);
+
 	/**
 	 * Destroys an imv_agent_t object
 	 */
@@ -188,14 +197,14 @@ struct imv_agent_t {
  * Create an imv_agent_t object
  *
  * @param name				name of the IMV
- * @param vendor_id			vendor ID of the IMV
- * @param subtype			message subtype of the IMV
+ * @param supported_types	list of message types registered by the IMV
+ * @param type_count		number of registered message types
  * @param id				ID of the IMV as assigned by the TNCS
  * @param actual_version	actual version of the IF-IMV API
  *
  */
 imv_agent_t *imv_agent_create(const char *name,
-							  pen_t vendor_id, u_int32_t subtype,
+							  pen_type_t *supported_types, u_int32_t type_count,
 							  TNC_IMVID id, TNC_Version *actual_version);
 
 #endif /** IMV_AGENT_H_ @}*/
diff --git a/src/libimcv/imv/imv_lang_string.c b/src/libimcv/imv/imv_lang_string.c
new file mode 100644
index 000000000..c86fc5cd7
--- /dev/null
+++ b/src/libimcv/imv/imv_lang_string.c
@@ -0,0 +1,73 @@
+/*
+ * Copyright (C) 2012 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "imv_lang_string.h"
+
+#include <utils/debug.h>
+
+/**
+ * Described in header.
+ */
+char* imv_lang_string_select_lang(enumerator_t *language_enumerator,
+								  char* languages[], int lang_count)
+{
+	bool match = FALSE;
+	char *lang;
+	int i, i_chosen = 0;
+
+	while (language_enumerator->enumerate(language_enumerator, &lang))
+	{
+		for (i = 0; i < lang_count; i++)
+		{
+			if (streq(lang, languages[i]))
+			{
+				match = TRUE;
+				i_chosen = i;
+				break;
+			}
+		}
+		if (match)
+		{
+			break;
+		}
+	}
+	return languages[i_chosen];
+}
+
+/**
+ * Described in header.
+ */
+char* imv_lang_string_select_string(imv_lang_string_t lang_string[], char *lang)
+{
+	char *string;
+	int i = 0;
+
+	if (!lang_string)
+	{
+		return NULL;
+	}
+
+	string = lang_string[0].string;
+	while (lang_string[i].lang)
+	{
+		if (streq(lang, lang_string[i].lang))
+		{
+			string = lang_string[i].string;
+			break;
+		}
+		i++;
+	}
+	return string;
+}
diff --git a/src/libimcv/imv/imv_lang_string.h b/src/libimcv/imv/imv_lang_string.h
new file mode 100644
index 000000000..90a66db76
--- /dev/null
+++ b/src/libimcv/imv/imv_lang_string.h
@@ -0,0 +1,67 @@
+/*
+ * Copyright (C) 2012 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ *
+ * @defgroup imv_lang_string_t imv_lang_string
+ * @{ @ingroup imv_lang_string
+ */
+
+#ifndef IMV_LANG_STRING_H_
+#define IMV_LANG_STRING_H_
+
+#include <library.h>
+#include <collections/enumerator.h>
+
+typedef struct imv_lang_string_t imv_lang_string_t;
+
+/**
+ * Define a language string entry
+ */
+struct imv_lang_string_t {
+
+	/**
+	 * language code
+	 */
+	char *lang;
+
+	/**
+	 * UTF-8 string in the corresponding language
+	 */
+	char *string;
+
+};
+
+/**
+ * Select the preferred language
+ *
+ * @param language_enumerator	enumerator over user preferred languages
+ * @param languages				string array of available languages
+ * @param lang_count			number of available languages
+ * @return						selected language as a language code
+ */
+char* imv_lang_string_select_lang(enumerator_t *language_enumerator,
+								  char* languages[], int lang_count);
+
+/**
+ * Select the preferred language string
+ *
+ * @param lang_string			multi-lingual array of strings
+ * @param lang					language code of preferred language
+ * @return						selected string
+ */
+char* imv_lang_string_select_string(imv_lang_string_t lang_string[], char *lang);
+
+#endif /** IMV_LANG_STRING_H_ @}*/
diff --git a/src/libimcv/imv/imv_msg.c b/src/libimcv/imv/imv_msg.c
new file mode 100644
index 000000000..4ed19dd13
--- /dev/null
+++ b/src/libimcv/imv/imv_msg.c
@@ -0,0 +1,429 @@
+/*
+ * Copyright (C) 2012 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "imv_msg.h"
+
+#include "ietf/ietf_attr.h"
+#include "ietf/ietf_attr_assess_result.h"
+#include "ietf/ietf_attr_remediation_instr.h"
+
+#include <tncif_names.h>
+
+#include <pen/pen.h>
+#include <collections/linked_list.h>
+#include <utils/debug.h>
+
+typedef struct private_imv_msg_t private_imv_msg_t;
+
+/**
+ * Private data of a imv_msg_t object.
+ *
+ */
+struct private_imv_msg_t {
+
+	/**
+	 * Public imv_msg_t interface.
+	 */
+	imv_msg_t public;
+
+	/**
+	 * Connection ID
+	 */
+	TNC_ConnectionID connection_id;
+
+	/**
+	 * source ID
+	 */
+	TNC_UInt32 src_id;
+
+	/**
+	 * destination ID
+	 */
+	TNC_UInt32 dst_id;
+
+	/**
+	 * PA-TNC message type
+	 */
+	pen_type_t msg_type;
+
+	/**
+	 * List of PA-TNC attributes to be sent
+	 */
+	linked_list_t *attr_list;
+
+	/**
+	 * PA-TNC message
+	 */
+	pa_tnc_msg_t *pa_msg;
+
+	/**
+	 * Assigned IMV agent
+	 */
+	imv_agent_t *agent;
+
+	/**
+	 * Assigned IMV state
+	 */
+	imv_state_t *state;
+};
+
+METHOD(imv_msg_t, get_src_id, TNC_UInt32,
+	private_imv_msg_t *this)
+{
+	return this->src_id;
+}
+
+METHOD(imv_msg_t, get_dst_id, TNC_UInt32,
+	private_imv_msg_t *this)
+{
+	return this->dst_id;
+}
+
+METHOD(imv_msg_t, set_msg_type, void,
+	private_imv_msg_t *this, pen_type_t msg_type)
+{
+	if (msg_type.vendor_id != this->msg_type.vendor_id ||
+		msg_type.type != this->msg_type.type)
+	{
+		this->msg_type = msg_type;
+		this->dst_id = TNC_IMCID_ANY;
+	}
+}
+
+METHOD(imv_msg_t, add_attribute, void,
+	private_imv_msg_t *this, pa_tnc_attr_t *attr)
+{
+	this->attr_list->insert_last(this->attr_list, attr);
+}
+
+METHOD(imv_msg_t, send_, TNC_Result,
+	private_imv_msg_t *this, bool excl)
+{
+	pa_tnc_msg_t *pa_tnc_msg;
+	pa_tnc_attr_t *attr;
+	TNC_UInt32 msg_flags;
+	TNC_MessageType msg_type;
+	bool attr_added;
+	chunk_t msg;
+	enumerator_t *enumerator;
+	TNC_Result result = TNC_RESULT_SUCCESS;
+
+	while (this->attr_list->get_count(this->attr_list))
+	{
+		pa_tnc_msg = pa_tnc_msg_create(this->state->get_max_msg_len(this->state));
+		attr_added = FALSE;
+
+		enumerator = this->attr_list->create_enumerator(this->attr_list);
+		while (enumerator->enumerate(enumerator, &attr))
+		{
+			if (pa_tnc_msg->add_attribute(pa_tnc_msg, attr))
+			{
+				attr_added = TRUE;
+			}
+			else
+			{
+				if (attr_added)
+				{
+					break;
+				}
+				else
+				{
+					DBG1(DBG_IMV, "PA-TNC attribute too large to send, deleted");
+					attr->destroy(attr);
+				}
+			}
+			this->attr_list->remove_at(this->attr_list, enumerator);
+		}
+		enumerator->destroy(enumerator);
+
+		/* build and send the PA-TNC message via the IF-IMV interface */
+		if (!pa_tnc_msg->build(pa_tnc_msg))
+		{
+			pa_tnc_msg->destroy(pa_tnc_msg);
+			return TNC_RESULT_FATAL;
+		}
+		msg = pa_tnc_msg->get_encoding(pa_tnc_msg);
+		DBG3(DBG_IMV, "created PA-TNC message: %B", &msg);
+
+		if (this->state->has_long(this->state) && this->agent->send_message_long)
+		{
+			excl = excl && this->state->has_excl(this->state) &&
+						   this->dst_id != TNC_IMCID_ANY;
+			msg_flags = excl ? TNC_MESSAGE_FLAGS_EXCLUSIVE : 0;
+			result = this->agent->send_message_long(this->src_id,
+							this->connection_id, msg_flags,	msg.ptr, msg.len,
+							this->msg_type.vendor_id, this->msg_type.type,
+							this->dst_id);
+		}
+		else if (this->agent->send_message)
+		{
+			msg_type = (this->msg_type.vendor_id << 8) |
+					   (this->msg_type.type & 0x000000ff);
+			result = this->agent->send_message(this->src_id, this->connection_id,
+											   msg.ptr, msg.len, msg_type);
+		}
+
+		pa_tnc_msg->destroy(pa_tnc_msg);
+
+		if (result != TNC_RESULT_SUCCESS)
+		{
+			break;
+		}
+	}
+	return result;
+}
+
+METHOD(imv_msg_t, send_assessment, TNC_Result,
+	private_imv_msg_t *this)
+{
+	TNC_IMV_Action_Recommendation rec;
+	TNC_IMV_Evaluation_Result eval;
+	pa_tnc_attr_t *attr;
+	chunk_t string = chunk_empty;
+	char *lang_code = NULL, *uri = NULL;
+	enumerator_t *e;
+
+	/* Remove any attributes that have already been constructed */
+	while (this->attr_list->remove_last(this->attr_list, (void**)&attr) == SUCCESS)
+	{
+		attr->destroy(attr);
+	}
+
+	/* Send an IETF Assessment Result attribute if enabled */
+	if (lib->settings->get_bool(lib->settings, "libimcv.assessment_result",
+								TRUE))
+	{
+		this->state->get_recommendation(this->state, &rec, &eval);
+		attr = ietf_attr_assess_result_create(eval);
+		add_attribute(this, attr);
+
+		/* Send IETF Remediation Instructions if available */
+		if (eval != TNC_IMV_EVALUATION_RESULT_COMPLIANT)
+		{
+			e = this->agent->create_language_enumerator(this->agent,
+									this->state);
+			if (this->state->get_remediation_instructions(this->state,
+									e, &string, &lang_code, &uri))
+			{
+				if (string.len && lang_code)
+				{
+					attr = ietf_attr_remediation_instr_create_from_string(string,
+									chunk_create(lang_code, strlen(lang_code)));
+					add_attribute(this, attr);
+				}
+				if (uri)
+				{
+					attr = ietf_attr_remediation_instr_create_from_uri(
+									chunk_create(uri, strlen(uri)));
+					add_attribute(this, attr);
+				}
+			}
+			e->destroy(e);
+		}
+
+		/* send PA-TNC message with the excl flag set */
+		return send_(this, TRUE);
+	}
+	return TNC_RESULT_SUCCESS;
+}
+
+METHOD(imv_msg_t, receive, TNC_Result,
+	private_imv_msg_t *this, bool *fatal_error)
+{
+	enumerator_t *enumerator;
+	pa_tnc_attr_t *attr;
+	chunk_t msg;
+
+	if (this->state->has_long(this->state))
+	{
+		if (this->dst_id != TNC_IMVID_ANY)
+		{
+			DBG2(DBG_IMV, "IMV %u \"%s\" received message for Connection ID %u "
+						  "from IMC %u to IMV %u",
+						   this->agent->get_id(this->agent),
+						   this->agent->get_name(this->agent),
+						   this->connection_id, this->src_id, this->dst_id);
+		}
+		else
+		{
+			DBG2(DBG_IMV, "IMV %u \"%s\" received message for Connection ID %u "
+						  "from IMC %u", this->agent->get_id(this->agent),
+						   this->agent->get_name(this->agent),
+						   this->connection_id, this->src_id);
+		}
+	}
+	else
+	{
+		DBG2(DBG_IMV, "IMV %u \"%s\" received message for Connection ID %u",
+					   this->agent->get_id(this->agent),
+					   this->agent->get_name(this->agent),
+					   this->connection_id);
+	}
+	msg = this->pa_msg->get_encoding(this->pa_msg);
+	DBG3(DBG_IMV, "%B", &msg);
+
+	switch (this->pa_msg->process(this->pa_msg))
+	{
+		case SUCCESS:
+			break;
+		case VERIFY_ERROR:
+		{
+			imv_msg_t *error_msg;
+			TNC_Result result;
+
+			error_msg = imv_msg_create_as_reply(&this->public);
+
+			/* extract and copy by reference all error attributes */
+			enumerator = this->pa_msg->create_error_enumerator(this->pa_msg);
+			while (enumerator->enumerate(enumerator, &attr))
+			{
+				error_msg->add_attribute(error_msg, attr->get_ref(attr));
+			}
+			enumerator->destroy(enumerator);
+
+			/*
+			 * send the PA-TNC message containing all error attributes
+			 * with the excl flag set
+			 */
+			result = error_msg->send(error_msg, TRUE);
+			error_msg->destroy(error_msg);
+			return result;
+		}
+		case FAILED:
+		default:
+			return TNC_RESULT_FATAL;
+	}
+
+	/* preprocess any received IETF standard error attributes */
+	*fatal_error = this->pa_msg->process_ietf_std_errors(this->pa_msg);
+
+	return TNC_RESULT_SUCCESS;
+}
+
+METHOD(imv_msg_t, create_attribute_enumerator, enumerator_t*,
+	private_imv_msg_t *this)
+{
+	return this->pa_msg->create_attribute_enumerator(this->pa_msg);
+}
+
+METHOD(imv_msg_t, get_encoding, chunk_t,
+	private_imv_msg_t *this)
+{
+	if (this->pa_msg)
+	{
+		return this->pa_msg->get_encoding(this->pa_msg);
+	}
+	return chunk_empty;
+}
+
+METHOD(imv_msg_t, destroy, void,
+	private_imv_msg_t *this)
+{
+	this->attr_list->destroy_offset(this->attr_list,
+									offsetof(pa_tnc_attr_t, destroy));
+	DESTROY_IF(this->pa_msg);
+	free(this);
+}
+
+/**
+ * See header
+ */
+imv_msg_t *imv_msg_create(imv_agent_t *agent, imv_state_t *state,
+						  TNC_ConnectionID connection_id,
+						  TNC_UInt32 src_id, TNC_UInt32 dst_id,
+						  pen_type_t msg_type)
+{
+	private_imv_msg_t *this;
+
+	INIT(this,
+		.public = {
+			.get_src_id = _get_src_id,
+			.get_dst_id = _get_dst_id,
+			.set_msg_type = _set_msg_type,
+			.send = _send_,
+			.send_assessment = _send_assessment,
+			.receive = _receive,
+			.add_attribute = _add_attribute,
+			.create_attribute_enumerator = _create_attribute_enumerator,
+			.get_encoding = _get_encoding,
+			.destroy = _destroy,
+		},
+		.connection_id = connection_id,
+		.src_id = src_id,
+		.dst_id = dst_id,
+		.msg_type = msg_type,
+		.attr_list = linked_list_create(),
+		.agent = agent,
+		.state = state,
+	);
+
+	return &this->public;
+}
+
+/**
+ * See header
+ */
+imv_msg_t* imv_msg_create_as_reply(imv_msg_t *msg)
+{
+	private_imv_msg_t *in;
+	TNC_UInt32 src_id;
+
+	in = (private_imv_msg_t*)msg;
+	src_id = (in->dst_id != TNC_IMVID_ANY) ?
+			  in->dst_id : in->agent->get_id(in->agent);
+
+	return imv_msg_create(in->agent, in->state, in->connection_id, src_id,
+						  in->src_id, in->msg_type);
+}
+
+/**
+ * See header
+ */
+imv_msg_t *imv_msg_create_from_data(imv_agent_t *agent, imv_state_t *state,
+									TNC_ConnectionID connection_id,
+									TNC_MessageType msg_type,
+									chunk_t msg)
+{
+	TNC_VendorID msg_vid;
+	TNC_MessageSubtype msg_subtype;
+
+	msg_vid = msg_type >> 8;
+	msg_subtype = msg_type & TNC_SUBTYPE_ANY;
+
+	return imv_msg_create_from_long_data(agent, state, connection_id,
+								TNC_IMCID_ANY, agent->get_id(agent),
+								msg_vid, msg_subtype, msg);
+}
+
+/**
+ * See header
+ */
+imv_msg_t *imv_msg_create_from_long_data(imv_agent_t *agent, imv_state_t *state,
+										 TNC_ConnectionID connection_id,
+										 TNC_UInt32 src_id,
+										 TNC_UInt32 dst_id,
+										 TNC_VendorID msg_vid,
+										 TNC_MessageSubtype msg_subtype,
+										 chunk_t msg)
+{
+	private_imv_msg_t *this;
+
+	this = (private_imv_msg_t*)imv_msg_create(agent, state,
+										connection_id, src_id, dst_id,
+										pen_type_create(msg_vid, msg_subtype));
+	this->pa_msg = pa_tnc_msg_create_from_data(msg);
+
+	return &this->public;
+}
diff --git a/src/libimcv/imv/imv_msg.h b/src/libimcv/imv/imv_msg.h
new file mode 100644
index 000000000..b639712e8
--- /dev/null
+++ b/src/libimcv/imv/imv_msg.h
@@ -0,0 +1,163 @@
+/*
+ * Copyright (C) 2012 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup imv_msg imv_msg
+ * @{ @ingroup libimcv
+ */
+
+#ifndef IMV_MSG_H_
+#define IMV_MSG_H_
+
+#include <imv/imv_agent.h>
+
+typedef struct imv_msg_t imv_msg_t;
+
+#include <library.h>
+
+/**
+ * Interface for a PA-TNC message handled by an IMV.
+ *
+ */
+struct imv_msg_t {
+
+	/**
+	 * Get source ID of PA-TNC message
+	 *
+	 * @return					src ID
+	 */
+	TNC_UInt32 (*get_src_id)(imv_msg_t *this);
+
+	/**
+	 * Get destination ID of PA-TNC message
+	 *
+	 * @return					destination ID
+	 */
+	TNC_UInt32 (*get_dst_id)(imv_msg_t *this);
+
+	/**
+	 * Set the type of a PA-TNC message
+	 *
+	 * @param msg_type			message type
+	 */
+	void (*set_msg_type)(imv_msg_t *this, pen_type_t msg_type);
+
+	/**
+	 * Sends one or multiple PA-TNC messages
+	 *
+	 * @param excl				set the excl message flag if supported
+	 * @return					TNC result code
+	 */
+	TNC_Result (*send)(imv_msg_t *this, bool excl);
+
+	/**
+	 * Send a PA-TNC message containing an IETF Assessment Result attribute
+	 *
+	 * @return					TNC result code
+	 */
+	TNC_Result (*send_assessment)(imv_msg_t *this);
+
+	/**
+	 * Processes a received PA-TNC message
+	 *
+	 * @param fatal_error		TRUE if IMC sent a fatal error message
+	 * @return					TNC result code
+	 */
+	TNC_Result (*receive)(imv_msg_t *this, bool *fatal_error);
+
+	/**
+	 * Add a PA-TNC attribute to the send queue
+	 *
+	 * @param attr				PA-TNC attribute to be added
+	 */
+	void (*add_attribute)(imv_msg_t *this, pa_tnc_attr_t *attr);
+
+	/**
+	 * Enumerator over PA-TNC attributes contained in the PA-TNC message
+	 *
+	 * @return					PA-TNC attribute enumerator
+	 */
+	enumerator_t* (*create_attribute_enumerator)(imv_msg_t *this);
+
+	/**
+	 * Get the full encoding of an IMV message.
+	 *
+	 * @return					message encoding, internal data
+	 */
+	chunk_t (*get_encoding)(imv_msg_t *this);
+
+	/**
+	 * Destroys a imv_msg_t object.
+	 */
+	void (*destroy)(imv_msg_t *this);
+};
+
+/**
+ * Create a wrapper for an outbound message
+ *
+ * @param agent					IMV agent responsible for the message
+ * @param state					IMV state for the given connection ID
+ * @param connection_id			connection ID
+ * @param src_id				source IMV ID
+ * @param dst_id				destination IMC ID
+ * @param msg_type				PA-TNC message type
+ */
+imv_msg_t* imv_msg_create(imv_agent_t *agent, imv_state_t *state,
+						  TNC_ConnectionID connection_id,
+						  TNC_UInt32 src_id, TNC_UInt32 dst_id,
+						  pen_type_t msg_type);
+
+/**
+ * Create a wrapper for an outbound message based on a received message
+ *
+ * @param msg					received message the reply is based on
+ */
+imv_msg_t* imv_msg_create_as_reply(imv_msg_t *msg);
+
+/**
+ * Create a wrapper around message data received via the legacy IF-IMV interface
+ *
+ * @param agent					IMV agent responsible for the message
+ * @param state					IMV state for the given connection ID
+ * @param connection_id			connection ID
+ * @param msg_type				PA-TNC message type
+ * @param msg					received PA-TNC message blob
+ */
+imv_msg_t* imv_msg_create_from_data(imv_agent_t *agent, imv_state_t *state,
+									TNC_ConnectionID connection_id,
+									TNC_MessageType msg_type,
+									chunk_t msg);
+
+/**
+ * Create a wrapper around message data received via the long IF-IMV interface
+ *
+ * @param agent					IMV agent responsible for the message
+ * @param state					IMV state for the given connection ID
+ * @param connection_id			connection ID
+ * @param src_id				source IMC ID
+ * @param dst_id				destination IMV ID
+ * @param msg_flags				PA-TNC message flags
+ * @param msg_vid				PA-TNC message vendor ID
+ * @param msg_subtype			PA-TNC subtype
+ * @param msg					received PA-TNC message blob
+ */
+imv_msg_t* imv_msg_create_from_long_data(imv_agent_t *agent, imv_state_t *state,
+										 TNC_ConnectionID connection_id,
+										 TNC_UInt32 src_id, TNC_UInt32 dst_id,
+										 TNC_VendorID msg_vid,
+										 TNC_MessageSubtype msg_subtype,
+										 chunk_t msg);
+
+#endif /** IMV_MSG_H_ @}*/
diff --git a/src/libimcv/imv/imv_reason_string.c b/src/libimcv/imv/imv_reason_string.c
new file mode 100644
index 000000000..18eade01b
--- /dev/null
+++ b/src/libimcv/imv/imv_reason_string.c
@@ -0,0 +1,95 @@
+/*
+ * Copyright (C) 2012 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "imv_reason_string.h"
+
+#include <utils/debug.h>
+
+typedef struct private_imv_reason_string_t private_imv_reason_string_t;
+
+/**
+ * Private data of an imv_reason_string_t object.
+ */
+struct private_imv_reason_string_t {
+
+	/**
+	 * Public members of imv_reason_string_t
+	 */
+	imv_reason_string_t public;
+
+	/**
+	 * Preferred language
+	 */
+	char *lang;
+
+	/**
+	 * Contains the concatenated reasons
+	 */
+	chunk_t reasons;
+
+};
+
+METHOD(imv_reason_string_t, add_reason, void,
+	private_imv_reason_string_t *this, imv_lang_string_t reason[])
+{
+	char *s_reason;
+
+	s_reason = imv_lang_string_select_string(reason, this->lang);
+
+	if (this->reasons.len)
+	{
+		/* append any further reasons */
+		this->reasons = chunk_cat("cm", this->reasons, chunk_from_chars('\n'),
+								  chunk_create(s_reason, strlen(s_reason)));
+	}
+	else
+	{
+		/* add the first reason */
+		this->reasons = chunk_clone(chunk_create(s_reason, strlen(s_reason)));
+	}
+}
+
+METHOD(imv_reason_string_t, get_encoding, chunk_t,
+	private_imv_reason_string_t *this)
+{
+	return this->reasons;
+}
+
+METHOD(imv_reason_string_t, destroy, void,
+	private_imv_reason_string_t *this)
+{
+	free(this->reasons.ptr);
+	free(this);
+}
+
+/**
+ * Described in header.
+ */
+imv_reason_string_t *imv_reason_string_create(char *lang)
+{
+	private_imv_reason_string_t *this;
+
+	INIT(this,
+		.public = {
+			.add_reason = _add_reason,
+			.get_encoding = _get_encoding,
+			.destroy = _destroy,
+		},
+		.lang = lang,
+	);
+
+	return &this->public;
+}
+
diff --git a/src/libimcv/imv/imv_reason_string.h b/src/libimcv/imv/imv_reason_string.h
new file mode 100644
index 000000000..320b2476a
--- /dev/null
+++ b/src/libimcv/imv/imv_reason_string.h
@@ -0,0 +1,64 @@
+/*
+ * Copyright (C) 2012 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ *
+ * @defgroup imv_reason_string_t imv_reason_string
+ * @{ @ingroup imv_reason_string
+ */
+
+#ifndef IMV_REASON_STRING_H_
+#define IMV_REASON_STRING_H_
+
+#include "imv_lang_string.h"
+
+#include <library.h>
+#include <collections/linked_list.h>
+
+typedef struct imv_reason_string_t imv_reason_string_t;
+
+/**
+ * Defines and builds a TNC Reason String
+ */
+struct imv_reason_string_t {
+
+	/**
+	 * Add an individual remediation instruction to the string
+	 *
+	 * @param reason		Multi-lingual reason string
+	 */
+	 void (*add_reason)(imv_reason_string_t *this, imv_lang_string_t reason[]);
+
+	/**
+	 * Gets  encoding of the reason string
+	 *
+	 * @return				TNC reason string
+	 */
+	chunk_t (*get_encoding)(imv_reason_string_t *this);
+
+	/**
+	 * Destroys an imv_reason_string_t object
+	 */
+	void (*destroy)(imv_reason_string_t *this);
+};
+
+/**
+ * Creates an Reason String object
+ *
+ * @param lang				Preferred language
+ */
+ imv_reason_string_t* imv_reason_string_create(char *lang);
+
+#endif /** IMV_REASON_STRING_H_ @}*/
diff --git a/src/libimcv/imv/imv_remediation_string.c b/src/libimcv/imv/imv_remediation_string.c
new file mode 100644
index 000000000..af82e1cdd
--- /dev/null
+++ b/src/libimcv/imv/imv_remediation_string.c
@@ -0,0 +1,209 @@
+/*
+ * Copyright (C) 2012 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "imv_remediation_string.h"
+
+#include <utils/debug.h>
+
+typedef struct private_imv_remediation_string_t private_imv_remediation_string_t;
+
+/**
+ * Private data of an imv_remediation_string_t object.
+ */
+struct private_imv_remediation_string_t {
+
+	/**
+	 * Public members of imv_remediation_string_t
+	 */
+	imv_remediation_string_t public;
+
+	/**
+	 * XML or plaintext encoding
+	 */
+	bool as_xml;
+
+	/**
+	 * Preferred language
+	 */
+	char *lang;
+
+	/**
+	 * Contains the concatenated remediation instructions
+	 */
+	chunk_t instructions;
+
+};
+
+METHOD(imv_remediation_string_t, add_instruction, void,
+	private_imv_remediation_string_t *this, imv_lang_string_t title[],
+	imv_lang_string_t description[], imv_lang_string_t itemsheader[],
+	linked_list_t *item_list)
+{
+	char xml_format[] = "  <instruction>\n"
+						"    <title>%s</title>\n"
+						"    <description>%s</description>\n"
+						"%s%s"
+						"  </instruction>\n";
+	char *instruction, *format, *item, *pos, *header, *items;
+	char *s_title, *s_description, *s_itemsheader;
+	size_t len;
+
+	s_title = imv_lang_string_select_string(title, this->lang);
+	s_description = imv_lang_string_select_string(description, this->lang);
+	s_itemsheader = imv_lang_string_select_string(itemsheader, this->lang);
+	header = NULL;
+	items = NULL;
+
+	if (s_itemsheader)
+	{
+		int header_len = strlen(s_itemsheader);
+		char *header_format;
+
+		if (this->as_xml)
+		{
+			header_format = "    <itemsheader>%s</itemsheader>\n";
+			header_len +=  strlen(header_format) - 2;
+		}
+		else
+		{
+			header_format = "\n  %s";
+			header_len += 3;
+		}
+		header = malloc(header_len + 1);
+		sprintf(header, header_format, s_itemsheader);
+	}
+
+	if (item_list && item_list->get_count(item_list))
+	{
+		enumerator_t *enumerator;
+		int items_len = 0;
+
+		/* compute total length of all items */
+		enumerator = item_list->create_enumerator(item_list);
+		while (enumerator->enumerate(enumerator, &item))
+		{
+			items_len += strlen(item);
+		}
+		enumerator->destroy(enumerator);
+
+		if (this->as_xml)
+		{
+			items_len += 12 + 20 * item_list->get_count(item_list) + 13;
+
+			pos = items = malloc(items_len + 1);
+			pos += sprintf(pos, "    <items>\n");
+
+			enumerator = item_list->create_enumerator(item_list);
+			while (enumerator->enumerate(enumerator, &item))
+			{
+				pos += sprintf(pos, "      <item>%s</item>\n", item);
+			}
+			enumerator->destroy(enumerator);
+
+			pos += sprintf(pos, "    </items>\n");
+		}
+		else
+		{
+			items_len += 5 * item_list->get_count(item_list);
+
+			pos = items = malloc(items_len + 1);
+
+			enumerator = item_list->create_enumerator(item_list);
+			while (enumerator->enumerate(enumerator, &item))
+			{
+				pos += sprintf(pos, "\n    %s", item);
+			}
+			enumerator->destroy(enumerator);
+		}
+	}
+
+	len = strlen(s_title) + strlen(s_description);
+	if (header)
+	{
+		len += strlen(header);
+	}
+	if (items)
+	{
+		len += strlen(items);
+	}
+
+	if (this->as_xml)
+	{
+		format = xml_format;
+		len += strlen(xml_format) - 8;
+	}
+	else
+	{
+		format = this->instructions.len ? "\n%s\n  %s%s%s" : "%s\n  %s%s%s";
+		len += 4;
+	}
+	instruction = malloc(len + 1);
+	sprintf(instruction, format, s_title, s_description, header ? header : "",
+			items ? items : "");
+	free(header);
+	free(items);
+	this->instructions = chunk_cat("mm", this->instructions, 
+							chunk_create(instruction, strlen(instruction)));
+}
+
+METHOD(imv_remediation_string_t, get_encoding, chunk_t,
+	private_imv_remediation_string_t *this)
+{
+	char xml_header[]  = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n"
+						 "<remediationinstructions>\n";
+	char xml_trailer[] = "</remediationinstructions>";
+
+	if (!this->instructions.len)
+	{
+		return chunk_empty;
+	}
+	if (this->as_xml)
+	{
+		this->instructions = chunk_cat("cmc",
+								chunk_create(xml_header, strlen(xml_header)),
+								this->instructions,
+								chunk_create(xml_trailer, strlen(xml_trailer))
+							 );
+	}
+	return this->instructions;
+}
+
+METHOD(imv_remediation_string_t, destroy, void,
+	private_imv_remediation_string_t *this)
+{
+	free(this->instructions.ptr);
+	free(this);
+}
+
+/**
+ * Described in header.
+ */
+imv_remediation_string_t *imv_remediation_string_create(bool as_xml, char *lang)
+{
+	private_imv_remediation_string_t *this;
+
+	INIT(this,
+		.public = {
+			.add_instruction = _add_instruction,
+			.get_encoding = _get_encoding,
+			.destroy = _destroy,
+		},
+		.as_xml = as_xml,
+		.lang = lang,
+	);
+
+	return &this->public;
+}
+
diff --git a/src/libimcv/imv/imv_remediation_string.h b/src/libimcv/imv/imv_remediation_string.h
new file mode 100644
index 000000000..9249c2aab
--- /dev/null
+++ b/src/libimcv/imv/imv_remediation_string.h
@@ -0,0 +1,72 @@
+/*
+ * Copyright (C) 2012 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ *
+ * @defgroup imv_remediation_string_t imv_remediation_string
+ * @{ @ingroup imv_remediation_string
+ */
+
+#ifndef IMV_REMEDIATION_STRING_H_
+#define IMV_REMEDIATION_STRING_H_
+
+#include "imv_lang_string.h"
+
+#include <library.h>
+#include <collections/linked_list.h>
+
+typedef struct imv_remediation_string_t imv_remediation_string_t;
+
+/**
+ * Defines and builds an IETF Remediation Instructions String
+ */
+struct imv_remediation_string_t {
+
+	/**
+	 * Add an individual remediation instruction to the string
+	 *
+	 * @param title			instruction title
+	 * @param description	instruction description
+	 * @param itemsheader	optional items header or NULL
+	 * @param items			optional items list or NULL
+	 */
+	 void (*add_instruction)(imv_remediation_string_t *this,
+							 imv_lang_string_t title[],
+							 imv_lang_string_t description[],
+							 imv_lang_string_t itemsheader[],
+							 linked_list_t *items);
+
+	/**
+	 * Gets the plaintext or XML encoding of the remediation instructions
+	 *
+	 * @return				remediation instructions string
+	 */
+	chunk_t (*get_encoding)(imv_remediation_string_t *this);
+
+	/**
+	 * Destroys an imv_remediation_string_t object
+	 */
+	void (*destroy)(imv_remediation_string_t *this);
+};
+
+/**
+ * Creates an IETF Remediation Instructions String object
+ *
+ * @param as_xml			XML encoding if TRUE, plaintext otherwise
+ * @param lang				Preferred language
+ */
+ imv_remediation_string_t* imv_remediation_string_create(bool as_xml, char *lang);
+
+#endif /** IMV_REMEDIATION_STRING_H_ @}*/
diff --git a/src/libimcv/imv/imv_state.h b/src/libimcv/imv/imv_state.h
index 1b0845b84..f40402e2b 100644
--- a/src/libimcv/imv/imv_state.h
+++ b/src/libimcv/imv/imv_state.h
@@ -109,13 +109,28 @@ struct imv_state_t {
 	/**
 	 * Get reason string based on the preferred language
 	 *
-	 * @param preferred_language	preferred language
+	 * @param language_enumerator	language enumerator
 	 * @param reason_string			reason string
-	 * @param language code			language of the returned reason string
+	 * @param reason_language		language of the returned reason string
 	 * @return						TRUE if a reason string was found
 	 */
-	bool (*get_reason_string)(imv_state_t *this, chunk_t preferred_language,
-							  chunk_t *reason_string, chunk_t *language_code);
+	bool (*get_reason_string)(imv_state_t *this,
+							  enumerator_t *language_enumerator,
+							  chunk_t *reason_string, char **reason_language);
+
+	/**
+	 * Get remediation instructions based on the preferred language
+	 *
+	 * @param language_enumerator	language enumerator
+	 * @param string				remediation instruction string
+	 * @param lang_code				language of the remediation instructions
+	 * @param uri					remediation URI
+	 * @return						TRUE if remediation instructions were found
+	 */
+	bool (*get_remediation_instructions)(imv_state_t *this,
+										 enumerator_t *language_enumerator,
+										 chunk_t *string, char **lang_code,
+										 char **uri);
 
 	/**
 	 * Destroys an imv_state_t object
diff --git a/src/libimcv/ita/ita_attr.c b/src/libimcv/ita/ita_attr.c
index 0ea799c3a..09754aed6 100644
--- a/src/libimcv/ita/ita_attr.c
+++ b/src/libimcv/ita/ita_attr.c
@@ -16,10 +16,17 @@
 #include "ita_attr.h"
 #include "ita/ita_attr_command.h"
 #include "ita/ita_attr_dummy.h"
+#include "ita/ita_attr_get_settings.h"
+#include "ita/ita_attr_settings.h"
+#include "ita/ita_attr_angel.h"
 
-ENUM(ita_attr_names, ITA_ATTR_COMMAND, ITA_ATTR_DUMMY,
+ENUM(ita_attr_names, ITA_ATTR_COMMAND, ITA_ATTR_STOP_ANGEL,
 	"Command",
 	"Dummy",
+	"Get Settings",
+	"Settings",
+	"Start Angel",
+	"Stop Angel"
 );
 
 /**
@@ -33,6 +40,14 @@ pa_tnc_attr_t* ita_attr_create_from_data(u_int32_t type, chunk_t value)
 			return ita_attr_command_create_from_data(value);
 		case ITA_ATTR_DUMMY:
 			return ita_attr_dummy_create_from_data(value);
+		case ITA_ATTR_GET_SETTINGS:
+			return ita_attr_get_settings_create_from_data(value);
+		case ITA_ATTR_SETTINGS:
+			return ita_attr_settings_create_from_data(value);
+		case ITA_ATTR_START_ANGEL:
+			return ita_attr_angel_create_from_data(TRUE, value);
+		case ITA_ATTR_STOP_ANGEL:
+			return ita_attr_angel_create_from_data(FALSE, value);
 		default:
 			return NULL;
 	}
diff --git a/src/libimcv/ita/ita_attr.h b/src/libimcv/ita/ita_attr.h
index 3baf0e3b8..d7b06146f 100644
--- a/src/libimcv/ita/ita_attr.h
+++ b/src/libimcv/ita/ita_attr.h
@@ -33,6 +33,10 @@ typedef enum ita_attr_t ita_attr_t;
 enum ita_attr_t {
 	ITA_ATTR_COMMAND =	1,
 	ITA_ATTR_DUMMY = 2,
+	ITA_ATTR_GET_SETTINGS = 3,
+	ITA_ATTR_SETTINGS = 4,
+	ITA_ATTR_START_ANGEL = 5,
+	ITA_ATTR_STOP_ANGEL = 6
 };
 
 /**
diff --git a/src/libimcv/ita/ita_attr_angel.c b/src/libimcv/ita/ita_attr_angel.c
new file mode 100644
index 000000000..0e9cff0a9
--- /dev/null
+++ b/src/libimcv/ita/ita_attr_angel.c
@@ -0,0 +1,159 @@
+/*
+ * Copyright (C) 2012 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "ita_attr.h"
+#include "ita_attr_angel.h"
+
+#include <bio/bio_reader.h>
+#include <bio/bio_writer.h>
+#include <collections/linked_list.h>
+#include <pen/pen.h>
+#include <utils/debug.h>
+
+typedef struct private_ita_attr_angel_t private_ita_attr_angel_t;
+
+/**
+ * Private data of an ita_attr_angel_t object.
+ */
+struct private_ita_attr_angel_t {
+
+	/**
+	 * Public members of ita_attr_angel_t
+	 */
+	ita_attr_angel_t public;
+
+	/**
+	 * Vendor-specific attribute type
+	 */
+	pen_type_t type;
+
+	/**
+	 * Noskip flag
+	 */
+	bool noskip_flag;
+
+	/**
+	 * Reference count
+	 */
+	refcount_t ref;
+};
+
+METHOD(pa_tnc_attr_t, get_type, pen_type_t,
+	private_ita_attr_angel_t *this)
+{
+	return this->type;
+}
+
+METHOD(pa_tnc_attr_t, get_value, chunk_t,
+	private_ita_attr_angel_t *this)
+{
+	return chunk_empty;
+}
+
+METHOD(pa_tnc_attr_t, get_noskip_flag, bool,
+	private_ita_attr_angel_t *this)
+{
+	return this->noskip_flag;
+}
+
+METHOD(pa_tnc_attr_t, set_noskip_flag,void,
+	private_ita_attr_angel_t *this, bool noskip)
+{
+	this->noskip_flag = noskip;
+}
+
+METHOD(pa_tnc_attr_t, build, void,
+	private_ita_attr_angel_t *this)
+{
+	/* nothing to build */
+}
+
+METHOD(pa_tnc_attr_t, process, status_t,
+	private_ita_attr_angel_t *this, u_int32_t *offset)
+{
+	return SUCCESS;
+}
+
+METHOD(pa_tnc_attr_t, get_ref, pa_tnc_attr_t*,
+	private_ita_attr_angel_t *this)
+{
+	ref_get(&this->ref);
+	return &this->public.pa_tnc_attribute;
+}
+
+METHOD(pa_tnc_attr_t, destroy, void,
+	private_ita_attr_angel_t *this)
+{
+	if (ref_put(&this->ref))
+	{
+		free(this);
+	}
+}
+
+/**
+ * Described in header.
+ */
+pa_tnc_attr_t *ita_attr_angel_create(bool start)
+{
+	private_ita_attr_angel_t *this;
+
+	INIT(this,
+		.public = {
+			.pa_tnc_attribute = {
+				.get_type = _get_type,
+				.get_value = _get_value,
+				.get_noskip_flag = _get_noskip_flag,
+				.set_noskip_flag = _set_noskip_flag,
+				.build = _build,
+				.process = _process,
+				.get_ref = _get_ref,
+				.destroy = _destroy,
+			},
+		},
+		.type = { PEN_ITA, start ? ITA_ATTR_START_ANGEL : ITA_ATTR_STOP_ANGEL },
+		.ref = 1,
+	);
+
+	return &this->public.pa_tnc_attribute;
+}
+
+/**
+ * Described in header.
+ */
+pa_tnc_attr_t *ita_attr_angel_create_from_data(bool start, chunk_t data)
+{
+	private_ita_attr_angel_t *this;
+
+	INIT(this,
+		.public = {
+			.pa_tnc_attribute = {
+				.get_type = _get_type,
+				.get_value = _get_value,
+				.get_noskip_flag = _get_noskip_flag,
+				.set_noskip_flag = _set_noskip_flag,
+				.build = _build,
+				.process = _process,
+				.get_ref = _get_ref,
+				.destroy = _destroy,
+			},
+		},
+		.type = { PEN_ITA, start ? ITA_ATTR_START_ANGEL : ITA_ATTR_STOP_ANGEL },
+		.ref = 1,
+	);
+
+	return &this->public.pa_tnc_attribute;
+}
+
+
diff --git a/src/libimcv/ita/ita_attr_angel.h b/src/libimcv/ita/ita_attr_angel.h
new file mode 100644
index 000000000..c392f7927
--- /dev/null
+++ b/src/libimcv/ita/ita_attr_angel.h
@@ -0,0 +1,56 @@
+/*
+ * Copyright (C) 2012 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup ita_attr_angelt ita_attr_angel
+ * @{ @ingroup ita_attr_angel
+ */
+
+#ifndef ITA_ATTR_ANGEL_H_
+#define ITA_ATTR_ANGEL_H_
+
+typedef struct ita_attr_angel_t ita_attr_angel_t;
+
+#include "pa_tnc/pa_tnc_attr.h"
+
+/**
+ * Class implementing the ITA Start/Stop Angel PA-TNC attribute.
+ *
+ */
+struct ita_attr_angel_t {
+
+	/**
+	 * Public PA-TNC attribute interface
+	 */
+	pa_tnc_attr_t pa_tnc_attribute;
+
+};
+
+/**
+ * Creates an ita_attr_angel_t object with an empty settings list
+ *
+ * @param start				TRUE for Start, FALSE for Stop Angel attribute
+ */
+pa_tnc_attr_t* ita_attr_angel_create(bool start);
+
+/**
+ * Creates an ita_attr_angel_t object from received data
+ *
+ * @param start				TRUE for Start, FALSE for Stop Angel attribute
+ * @param value				binary value blob
+ */
+pa_tnc_attr_t* ita_attr_angel_create_from_data(bool start, chunk_t value);
+
+#endif /** ITA_ATTR_ANGEL_H_ @}*/
diff --git a/src/libimcv/ita/ita_attr_command.c b/src/libimcv/ita/ita_attr_command.c
index d43e4777b..f32ab2bfe 100644
--- a/src/libimcv/ita/ita_attr_command.c
+++ b/src/libimcv/ita/ita_attr_command.c
@@ -17,8 +17,9 @@
 #include "ita_attr_command.h"
 
 #include <pen/pen.h>
+#include <utils/debug.h>
 
-#include <debug.h>
+#include <string.h>
 
 typedef struct private_ita_attr_command_t private_ita_attr_command_t;
 
@@ -96,11 +97,9 @@ METHOD(pa_tnc_attr_t, build, void,
 METHOD(pa_tnc_attr_t, process, status_t,
 	private_ita_attr_command_t *this, u_int32_t *offset)
 {
-	this->command = malloc(this->value.len + 1);
-	memcpy(this->command, this->value.ptr, this->value.len);
-	this->command[this->value.len] = '\0';
+	this->command = strndup(this->value.ptr, this->value.len);
 
-	return SUCCESS;	
+	return SUCCESS;
 }
 
 METHOD(pa_tnc_attr_t, get_ref, pa_tnc_attr_t*,
@@ -168,6 +167,8 @@ pa_tnc_attr_t *ita_attr_command_create_from_data(chunk_t data)
 			.pa_tnc_attribute = {
 				.get_type = _get_type,
 				.get_value = _get_value,
+				.get_noskip_flag = _get_noskip_flag,
+				.set_noskip_flag = _set_noskip_flag,
 				.build = _build,
 				.process = _process,
 				.get_ref = _get_ref,
diff --git a/src/libimcv/ita/ita_attr_dummy.c b/src/libimcv/ita/ita_attr_dummy.c
index f122256a1..6497d4645 100644
--- a/src/libimcv/ita/ita_attr_dummy.c
+++ b/src/libimcv/ita/ita_attr_dummy.c
@@ -18,7 +18,7 @@
 
 #include <pen/pen.h>
 
-#include <debug.h>
+#include <utils/debug.h>
 
 typedef struct private_ita_attr_dummy_t private_ita_attr_dummy_t;
 
@@ -98,7 +98,7 @@ METHOD(pa_tnc_attr_t, process, status_t,
 {
 	this->size = this->value.len;
 
-	return SUCCESS;	
+	return SUCCESS;
 }
 
 METHOD(pa_tnc_attr_t, get_ref, pa_tnc_attr_t*,
@@ -165,6 +165,8 @@ pa_tnc_attr_t *ita_attr_dummy_create_from_data(chunk_t data)
 			.pa_tnc_attribute = {
 				.get_type = _get_type,
 				.get_value = _get_value,
+				.get_noskip_flag = _get_noskip_flag,
+				.set_noskip_flag = _set_noskip_flag,
 				.build = _build,
 				.process = _process,
 				.get_ref = _get_ref,
diff --git a/src/libimcv/ita/ita_attr_get_settings.c b/src/libimcv/ita/ita_attr_get_settings.c
new file mode 100644
index 000000000..8016b761d
--- /dev/null
+++ b/src/libimcv/ita/ita_attr_get_settings.c
@@ -0,0 +1,264 @@
+/*
+ * Copyright (C) 2012 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "ita_attr.h"
+#include "ita_attr_get_settings.h"
+
+#include <bio/bio_reader.h>
+#include <bio/bio_writer.h>
+#include <collections/linked_list.h>
+#include <pen/pen.h>
+#include <utils/debug.h>
+
+#include <string.h>
+
+typedef struct private_ita_attr_get_settings_t private_ita_attr_get_settings_t;
+
+/**
+ * ITA Get Settings
+ *
+ *					   1				   2				   3
+ *   0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ *  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ *  |                         Settings Count                        |
+ *  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ *  |        Name Length            |  Name (Variable Length)       ~
+ *  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ *  ~                      Name (Variable Length)                   ~
+ *  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ *  |        Name Length            |  Name (Variable Length)       ~
+ *  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ *  ~                      Name (Variable Length)                   ~
+ *  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ *					 ...........................
+ */
+
+#define ITA_GET_SETTINGS_MIN_SIZE	4
+
+/**
+ * Private data of an ita_attr_get_settings_t object.
+ */
+struct private_ita_attr_get_settings_t {
+
+	/**
+	 * Public members of ita_attr_get_settings_t
+	 */
+	ita_attr_get_settings_t public;
+
+	/**
+	 * Vendor-specific attribute type
+	 */
+	pen_type_t type;
+
+	/**
+	 * Attribute value
+	 */
+	chunk_t value;
+
+	/**
+	 * Noskip flag
+	 */
+	bool noskip_flag;
+
+	/**
+	 * List of requested settings
+	 */
+	linked_list_t *list;
+
+	/**
+	 * Reference count
+	 */
+	refcount_t ref;
+};
+
+METHOD(pa_tnc_attr_t, get_type, pen_type_t,
+	private_ita_attr_get_settings_t *this)
+{
+	return this->type;
+}
+
+METHOD(pa_tnc_attr_t, get_value, chunk_t,
+	private_ita_attr_get_settings_t *this)
+{
+	return this->value;
+}
+
+METHOD(pa_tnc_attr_t, get_noskip_flag, bool,
+	private_ita_attr_get_settings_t *this)
+{
+	return this->noskip_flag;
+}
+
+METHOD(pa_tnc_attr_t, set_noskip_flag,void,
+	private_ita_attr_get_settings_t *this, bool noskip)
+{
+	this->noskip_flag = noskip;
+}
+
+METHOD(pa_tnc_attr_t, build, void,
+	private_ita_attr_get_settings_t *this)
+{
+	bio_writer_t *writer;
+	enumerator_t *enumerator;
+	char *name;
+
+	if (this->value.ptr)
+	{
+		return;
+	}
+	writer = bio_writer_create(ITA_GET_SETTINGS_MIN_SIZE);
+	writer->write_uint32(writer, this->list->get_count(this->list));
+
+	enumerator = this->list->create_enumerator(this->list);
+	while (enumerator->enumerate(enumerator, &name))
+	{
+		writer->write_data16(writer, chunk_create(name, strlen(name)));
+	}
+	enumerator->destroy(enumerator);
+
+	this->value = chunk_clone(writer->get_buf(writer));
+	writer->destroy(writer);
+}
+
+METHOD(pa_tnc_attr_t, process, status_t,
+	private_ita_attr_get_settings_t *this, u_int32_t *offset)
+{
+	bio_reader_t *reader;
+	u_int32_t count;
+	chunk_t name;
+	status_t status = FAILED;
+
+	if (this->value.len < ITA_GET_SETTINGS_MIN_SIZE)
+	{
+		DBG1(DBG_TNC, "insufficient data for ITA Get Settings attribute");
+		*offset = 0;
+		return FAILED;
+	}
+
+	reader = bio_reader_create(this->value);
+	reader->read_uint32(reader, &count);
+
+	*offset = ITA_GET_SETTINGS_MIN_SIZE;
+
+	while (count--)
+	{
+		if (!reader->read_data16(reader, &name))
+		{
+			DBG1(DBG_TNC, "insufficient data for setting name");
+			goto end;
+		}
+		*offset += 2 + name.len;
+
+		this->list->insert_last(this->list, strndup(name.ptr, name.len));
+	}
+	status = SUCCESS;
+
+end:
+	reader->destroy(reader);	
+	return status;
+}
+
+METHOD(pa_tnc_attr_t, get_ref, pa_tnc_attr_t*,
+	private_ita_attr_get_settings_t *this)
+{
+	ref_get(&this->ref);
+	return &this->public.pa_tnc_attribute;
+}
+
+METHOD(pa_tnc_attr_t, destroy, void,
+	private_ita_attr_get_settings_t *this)
+{
+	if (ref_put(&this->ref))
+	{
+		this->list->destroy_function(this->list, free);	
+		free(this->value.ptr);
+		free(this);
+	}
+}
+
+METHOD(ita_attr_get_settings_t, add, void,
+	private_ita_attr_get_settings_t *this, char *name)
+{
+	this->list->insert_last(this->list, strdup(name));
+}
+
+METHOD(ita_attr_get_settings_t, create_enumerator, enumerator_t*,
+	private_ita_attr_get_settings_t *this)
+{
+	return this->list->create_enumerator(this->list);
+}
+
+/**
+ * Described in header.
+ */
+pa_tnc_attr_t *ita_attr_get_settings_create(void)
+{
+	private_ita_attr_get_settings_t *this;
+
+	INIT(this,
+		.public = {
+			.pa_tnc_attribute = {
+				.get_type = _get_type,
+				.get_value = _get_value,
+				.get_noskip_flag = _get_noskip_flag,
+				.set_noskip_flag = _set_noskip_flag,
+				.build = _build,
+				.process = _process,
+				.get_ref = _get_ref,
+				.destroy = _destroy,
+			},
+			.add = _add,
+			.create_enumerator = _create_enumerator,
+		},
+		.type = { PEN_ITA, ITA_ATTR_GET_SETTINGS },
+		.list = linked_list_create(),
+		.ref = 1,
+	);
+
+	return &this->public.pa_tnc_attribute;
+}
+
+/**
+ * Described in header.
+ */
+pa_tnc_attr_t *ita_attr_get_settings_create_from_data(chunk_t data)
+{
+	private_ita_attr_get_settings_t *this;
+
+	INIT(this,
+		.public = {
+			.pa_tnc_attribute = {
+				.get_type = _get_type,
+				.get_value = _get_value,
+				.get_noskip_flag = _get_noskip_flag,
+				.set_noskip_flag = _set_noskip_flag,
+				.build = _build,
+				.process = _process,
+				.get_ref = _get_ref,
+				.destroy = _destroy,
+			},
+			.add = _add,
+			.create_enumerator = _create_enumerator,
+		},
+		.type = { PEN_ITA, ITA_ATTR_GET_SETTINGS },
+		.value = chunk_clone(data),
+		.list = linked_list_create(),
+		.ref = 1,
+	);
+
+	return &this->public.pa_tnc_attribute;
+}
+
+
diff --git a/src/libimcv/ita/ita_attr_get_settings.h b/src/libimcv/ita/ita_attr_get_settings.h
new file mode 100644
index 000000000..cc5c18140
--- /dev/null
+++ b/src/libimcv/ita/ita_attr_get_settings.h
@@ -0,0 +1,66 @@
+/*
+ * Copyright (C) 2012 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup ita_attr_get_settingst ita_attr_get_settings
+ * @{ @ingroup ita_attr_get_settings
+ */
+
+#ifndef ITA_ATTR_GET_SETTINGS_H_
+#define ITA_ATTR_GET_SETTINGS_H_
+
+typedef struct ita_attr_get_settings_t ita_attr_get_settings_t;
+
+#include "pa_tnc/pa_tnc_attr.h"
+
+/**
+ * Class implementing the ITA Get Settings PA-TNC attribute.
+ *
+ */
+struct ita_attr_get_settings_t {
+
+	/**
+	 * Public PA-TNC attribute interface
+	 */
+	pa_tnc_attr_t pa_tnc_attribute;
+
+	/**
+	 * Add a setting request to the list
+	 *
+	 * @param name			name of the requested setting
+	 */
+	void (*add)(ita_attr_get_settings_t *this, char *name);
+
+	/**
+	 * Return an enumerator over all requested settings
+	 *
+	 * @return				enumerator returns char *name
+	 */
+	enumerator_t* (*create_enumerator)(ita_attr_get_settings_t *this);
+};
+
+/**
+ * Creates an ita_attr_get_settings_t object with an empty settings list
+ */
+pa_tnc_attr_t* ita_attr_get_settings_create(void);
+
+/**
+ * Creates an ita_attr_get_settings_t object from received data
+ *
+ * @param value				binary value blob
+ */
+pa_tnc_attr_t* ita_attr_get_settings_create_from_data(chunk_t value);
+
+#endif /** ITA_ATTR_GET_SETTINGS_H_ @}*/
diff --git a/src/libimcv/ita/ita_attr_settings.c b/src/libimcv/ita/ita_attr_settings.c
new file mode 100644
index 000000000..7941cf69e
--- /dev/null
+++ b/src/libimcv/ita/ita_attr_settings.c
@@ -0,0 +1,326 @@
+/*
+ * Copyright (C) 2012 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "ita_attr.h"
+#include "ita_attr_settings.h"
+
+#include <bio/bio_reader.h>
+#include <bio/bio_writer.h>
+#include <collections/linked_list.h>
+#include <pen/pen.h>
+#include <utils/debug.h>
+
+#include <string.h>
+
+typedef struct private_ita_attr_settings_t private_ita_attr_settings_t;
+typedef struct entry_t entry_t;
+
+/**
+ * Contains a settins name/value pair
+ */
+struct entry_t {
+	char *name;
+	chunk_t value;
+};
+
+/**
+ * Free an entry_t object
+ */
+static void free_entry(entry_t *this)
+{
+	free(this->name);
+	free(this->value.ptr);
+	free(this);
+}
+
+/**
+ * ITA Settings
+ *
+ *					   1				   2				   3
+ *   0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ *  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ *  |                         Settings Count                        |
+ *  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ *  |        Name Length            |  Name (Variable Length)       ~
+ *  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ *  ~                      Name (Variable Length)                   ~
+ *  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ *  |        Value Length           |  Value (Variable Length)      ~
+ *  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ *  ~                      Value (Variable Length)                  ~
+ *  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ *  |        Name Length            |  Name (Variable Length)       ~
+ *  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ *  ~                      Name (Variable Length)                   ~
+ *  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ *  |        Value Length           |  Value (Variable Length)      ~
+ *  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ *  ~                      Value (Variable Length)                  ~
+ *  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ *					 ...........................
+ */
+
+#define ITA_SETTINGS_MIN_SIZE	4
+
+/**
+ * Private data of an ita_attr_settings_t object.
+ */
+struct private_ita_attr_settings_t {
+
+	/**
+	 * Public members of ita_attr_settings_t
+	 */
+	ita_attr_settings_t public;
+
+	/**
+	 * Vendor-specific attribute type
+	 */
+	pen_type_t type;
+
+	/**
+	 * Attribute value
+	 */
+	chunk_t value;
+
+	/**
+	 * Noskip flag
+	 */
+	bool noskip_flag;
+
+	/**
+	 * List of settings
+	 */
+	linked_list_t *list;
+
+	/**
+	 * Reference count
+	 */
+	refcount_t ref;
+};
+
+METHOD(pa_tnc_attr_t, get_type, pen_type_t,
+	private_ita_attr_settings_t *this)
+{
+	return this->type;
+}
+
+METHOD(pa_tnc_attr_t, get_value, chunk_t,
+	private_ita_attr_settings_t *this)
+{
+	return this->value;
+}
+
+METHOD(pa_tnc_attr_t, get_noskip_flag, bool,
+	private_ita_attr_settings_t *this)
+{
+	return this->noskip_flag;
+}
+
+METHOD(pa_tnc_attr_t, set_noskip_flag,void,
+	private_ita_attr_settings_t *this, bool noskip)
+{
+	this->noskip_flag = noskip;
+}
+
+METHOD(pa_tnc_attr_t, build, void,
+	private_ita_attr_settings_t *this)
+{
+	bio_writer_t *writer;
+	enumerator_t *enumerator;
+	entry_t *entry;
+
+	if (this->value.ptr)
+	{
+		return;
+	}
+	writer = bio_writer_create(ITA_SETTINGS_MIN_SIZE);
+	writer->write_uint32(writer, this->list->get_count(this->list));
+
+	enumerator = this->list->create_enumerator(this->list);
+	while (enumerator->enumerate(enumerator, &entry))
+	{
+		writer->write_data16(writer, chunk_create(entry->name,
+												  strlen(entry->name)));
+		writer->write_data16(writer, entry->value);
+	}
+	enumerator->destroy(enumerator);
+
+	this->value = chunk_clone(writer->get_buf(writer));
+	writer->destroy(writer);
+}
+
+METHOD(pa_tnc_attr_t, process, status_t,
+	private_ita_attr_settings_t *this, u_int32_t *offset)
+{
+	bio_reader_t *reader;
+	u_int32_t count;
+	chunk_t name, value;
+	entry_t *entry;
+	status_t status = FAILED;
+
+	if (this->value.len < ITA_SETTINGS_MIN_SIZE)
+	{
+		DBG1(DBG_TNC, "insufficient data for ITA Settings attribute");
+		*offset = 0;
+		return FAILED;
+	}
+
+	reader = bio_reader_create(this->value);
+	reader->read_uint32(reader, &count);
+
+	*offset = ITA_SETTINGS_MIN_SIZE;
+
+	while (count--)
+	{
+		if (!reader->read_data16(reader, &name))
+		{
+			DBG1(DBG_TNC, "insufficient data for setting name");
+			goto end;
+		}
+		*offset += 2 + name.len;
+
+		if (!reader->read_data16(reader, &value))
+		{
+			DBG1(DBG_TNC, "insufficient data for setting value");
+			goto end;
+		}
+		*offset += 2 + value.len;
+
+		/* remove a terminating newline character */
+		if (value.len && value.ptr[value.len - 1] == '\n')
+		{
+			value.len--;
+		}
+		entry = malloc_thing(entry_t);
+		entry->name = strndup(name.ptr, name.len);
+		entry->value = chunk_clone(value);
+		this->list->insert_last(this->list, entry);
+	}
+	status = SUCCESS;
+
+end:
+	reader->destroy(reader);	
+	return status;
+}
+
+METHOD(pa_tnc_attr_t, get_ref, pa_tnc_attr_t*,
+	private_ita_attr_settings_t *this)
+{
+	ref_get(&this->ref);
+	return &this->public.pa_tnc_attribute;
+}
+
+METHOD(pa_tnc_attr_t, destroy, void,
+	private_ita_attr_settings_t *this)
+{
+	if (ref_put(&this->ref))
+	{
+		this->list->destroy_function(this->list, (void*)free_entry);	
+		free(this->value.ptr);
+		free(this);
+	}
+}
+
+METHOD(ita_attr_settings_t, add, void,
+	private_ita_attr_settings_t *this, char *name, chunk_t value)
+{
+	entry_t *entry;
+
+	entry = malloc_thing(entry_t);
+	entry->name = strdup(name);
+	entry->value = chunk_clone(value);
+	this->list->insert_last(this->list, entry);
+}
+
+/**
+ * Enumerate name/value pairs
+ */
+static bool entry_filter(void *null, entry_t **entry, char **name,
+						 void *i2, chunk_t *value)
+{
+	*name = (*entry)->name;
+	*value = (*entry)->value;
+	return TRUE;
+}
+
+METHOD(ita_attr_settings_t, create_enumerator, enumerator_t*,
+	private_ita_attr_settings_t *this)
+{
+	return enumerator_create_filter(this->list->create_enumerator(this->list),
+								   (void*)entry_filter, NULL, NULL);
+}
+
+/**
+ * Described in header.
+ */
+pa_tnc_attr_t *ita_attr_settings_create(void)
+{
+	private_ita_attr_settings_t *this;
+
+	INIT(this,
+		.public = {
+			.pa_tnc_attribute = {
+				.get_type = _get_type,
+				.get_value = _get_value,
+				.get_noskip_flag = _get_noskip_flag,
+				.set_noskip_flag = _set_noskip_flag,
+				.build = _build,
+				.process = _process,
+				.get_ref = _get_ref,
+				.destroy = _destroy,
+			},
+			.add = _add,
+			.create_enumerator = _create_enumerator,
+		},
+		.type = { PEN_ITA, ITA_ATTR_SETTINGS },
+		.list = linked_list_create(),
+		.ref = 1,
+	);
+
+	return &this->public.pa_tnc_attribute;
+}
+
+/**
+ * Described in header.
+ */
+pa_tnc_attr_t *ita_attr_settings_create_from_data(chunk_t data)
+{
+	private_ita_attr_settings_t *this;
+
+	INIT(this,
+		.public = {
+			.pa_tnc_attribute = {
+				.get_type = _get_type,
+				.get_value = _get_value,
+				.get_noskip_flag = _get_noskip_flag,
+				.set_noskip_flag = _set_noskip_flag,
+				.build = _build,
+				.process = _process,
+				.get_ref = _get_ref,
+				.destroy = _destroy,
+			},
+			.add = _add,
+			.create_enumerator = _create_enumerator,
+		},
+		.type = { PEN_ITA, ITA_ATTR_SETTINGS },
+		.value = chunk_clone(data),
+		.list = linked_list_create(),
+		.ref = 1,
+	);
+
+	return &this->public.pa_tnc_attribute;
+}
+
+
diff --git a/src/libimcv/ita/ita_attr_settings.h b/src/libimcv/ita/ita_attr_settings.h
new file mode 100644
index 000000000..f3d1fd438
--- /dev/null
+++ b/src/libimcv/ita/ita_attr_settings.h
@@ -0,0 +1,67 @@
+/*
+ * Copyright (C) 2012 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup ita_attr_settingst ita_attr_settings
+ * @{ @ingroup ita_attr_settings
+ */
+
+#ifndef ITA_ATTR_SETTINGS_H_
+#define ITA_ATTR_SETTINGS_H_
+
+typedef struct ita_attr_settings_t ita_attr_settings_t;
+
+#include "pa_tnc/pa_tnc_attr.h"
+
+/**
+ * Class implementing the ITA Settings PA-TNC attribute.
+ *
+ */
+struct ita_attr_settings_t {
+
+	/**
+	 * Public PA-TNC attribute interface
+	 */
+	pa_tnc_attr_t pa_tnc_attribute;
+
+	/**
+	 * Add a setting to the list
+	 *
+	 * @param name			name of the setting
+	 * @param value			value of the setting
+	 */
+	void (*add)(ita_attr_settings_t *this, char *name, chunk_t value);
+
+	/**
+	 * Return an enumerator over all name/value pairs
+	 *
+	 * @return				enumerator returns char **name, chunk_t *value
+	 */
+	enumerator_t* (*create_enumerator)(ita_attr_settings_t *this);
+};
+
+/**
+ * Creates an ita_attr_settings_t object with an empty settings list
+ */
+pa_tnc_attr_t* ita_attr_settings_create(void);
+
+/**
+ * Creates an ita_attr_settings_t object from received data
+ *
+ * @param value				binary value blob
+ */
+pa_tnc_attr_t* ita_attr_settings_create_from_data(chunk_t value);
+
+#endif /** ITA_ATTR_SETTINGS_H_ @}*/
diff --git a/src/libimcv/os_info/os_info.c b/src/libimcv/os_info/os_info.c
new file mode 100644
index 000000000..13374c876
--- /dev/null
+++ b/src/libimcv/os_info/os_info.c
@@ -0,0 +1,606 @@
+/*
+ * Copyright (C) 2012 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "os_info.h"
+
+#include <sys/utsname.h>
+#include <stdio.h>
+#include <stdarg.h>
+
+#include <collections/linked_list.h>
+#include <utils/debug.h>
+
+typedef struct private_os_info_t private_os_info_t;
+
+ENUM(os_type_names, OS_TYPE_UNKNOWN, OS_TYPE_ANDROID,
+	"Unknown",
+	"Debian",
+	"Ubuntu",
+	"Fedora",
+	"Red Hat",
+	"CentOS",
+	"SUSE",
+	"Gentoo",
+	"Android"
+);
+
+ENUM(os_fwd_status_names, OS_FWD_DISABLED, OS_FWD_UNKNOWN,
+	"disabled",
+	"enabled",
+	"unknown"
+);
+
+ENUM(os_package_state_names, OS_PACKAGE_STATE_UPDATE, OS_PACKAGE_STATE_BLACKLIST,
+	"",
+	" [s]",
+	" [b]"
+);
+
+/**
+ * Private data of an os_info_t object.
+ *
+ */
+struct private_os_info_t {
+
+	/**
+	 * Public os_info_t interface.
+	 */
+	os_info_t public;
+
+	/**
+	 * OS type
+	 */
+	os_type_t type;
+
+	/**
+	 * OS name
+	 */
+	chunk_t name;
+
+	/**
+	 * OS version
+	 */
+	chunk_t version;
+
+};
+
+METHOD(os_info_t, get_type, os_type_t,
+	private_os_info_t *this)
+{
+	return this->type;
+}
+
+METHOD(os_info_t, get_name, chunk_t,
+	private_os_info_t *this)
+{
+	return this->name;
+}
+
+METHOD(os_info_t, get_numeric_version, void,
+	private_os_info_t *this, u_int32_t *major, u_int32_t *minor)
+{
+	u_char *pos;
+
+	if (major)
+	{
+		*major = atol(this->version.ptr);
+	}
+	pos = memchr(this->version.ptr, '.', this->version.len);
+	if (minor)
+	{
+		*minor = pos ? atol(pos + 1) : 0;
+	}
+}
+
+METHOD(os_info_t, get_version, chunk_t,
+	private_os_info_t *this)
+{
+	return this->version;
+}
+
+METHOD(os_info_t, get_fwd_status, os_fwd_status_t,
+	private_os_info_t *this)
+{
+	const char ip_forward[] = "/proc/sys/net/ipv4/ip_forward";
+	char buf[2];
+	FILE *file;
+
+	os_fwd_status_t fwd_status = OS_FWD_UNKNOWN;
+
+	file = fopen(ip_forward, "r");
+	if (file)
+	{
+		if (fread(buf, 1, 1, file) == 1)
+		{
+			switch (buf[0])
+			{
+				case '0':
+					fwd_status = OS_FWD_DISABLED;
+					break;
+				case '1':
+					fwd_status = OS_FWD_ENABLED;
+					break;
+				default:
+					DBG1(DBG_IMC, "\"%s\" returns invalid value ", ip_forward);
+					break;
+			}
+		}
+		else
+		{
+			DBG1(DBG_IMC, "could not read from \"%s\"", ip_forward);
+		}
+		fclose(file);
+	}
+	else
+	{
+		DBG1(DBG_IMC, "failed to open \"%s\"", ip_forward);
+	}
+
+	return fwd_status;
+}
+
+METHOD(os_info_t, get_uptime, time_t,
+	private_os_info_t *this)
+{
+	const char proc_uptime[] = "/proc/uptime";
+	FILE *file;
+	time_t uptime;
+
+	file = fopen(proc_uptime, "r");
+	if (!file)
+	{
+		DBG1(DBG_IMC, "failed to open \"%s\"", proc_uptime);
+		return 0;
+	}
+	if (fscanf(file, "%u", &uptime) != 1)
+	{
+		DBG1(DBG_IMC, "failed to read file \"%s\"", proc_uptime);
+		uptime = 0;
+	}
+	fclose(file);
+
+	return uptime;
+}
+
+METHOD(os_info_t, get_setting, chunk_t,
+	private_os_info_t *this, char *name)
+{
+	FILE *file;
+	u_char buf[2048];
+	size_t i = 0;
+	chunk_t value;
+
+	if (!strneq(name, "/etc/", 5) && !strneq(name, "/proc/", 6) &&
+		!strneq(name, "/sys/", 5) && !strneq(name, "/var/", 5))
+	{
+		/**
+		 * In order to guarantee privacy, only settings from the
+		 * /etc/, /proc/ and /sys/ directories can be retrieved
+		 */
+		DBG1(DBG_IMC, "not allowed to access '%s'", name);
+
+		return chunk_empty;
+	}
+
+	file = fopen(name, "r");
+	if (!file)
+	{
+		DBG1(DBG_IMC, "failed to open '%s'", name);
+
+		return chunk_empty;
+	}
+	while (i < sizeof(buf) && fread(buf + i, 1, 1, file) == 1)
+	{
+		i++;
+	}
+	fclose(file);
+
+	value = chunk_create(buf, i);
+
+	return chunk_clone(value);
+}
+
+typedef struct {
+	/**
+	 * implements enumerator_t
+	 */
+	enumerator_t public;
+
+	/**
+	 * package info pipe stream
+	 */
+	FILE* file;
+
+	/**
+	 * line buffer
+	 */
+	u_char line[512];
+
+} package_enumerator_t;
+
+/**
+ * Implementation of package_enumerator.destroy.
+ */
+static void package_enumerator_destroy(package_enumerator_t *this)
+{
+	pclose(this->file);
+	free(this);
+}
+
+/**
+ * Implementation of package_enumerator.enumerate
+ */
+static bool package_enumerator_enumerate(package_enumerator_t *this, ...)
+{
+	chunk_t *name, *version;
+	u_char *pos;
+	va_list args;
+
+	while (TRUE)
+	{
+		if (!fgets(this->line, sizeof(this->line), this->file))
+		{
+			return FALSE;
+		}
+
+		pos = strchr(this->line, '\t');
+		if (!pos)
+		{
+			return FALSE;
+		}
+		*pos++ = '\0';
+
+		if (!streq(this->line, "install ok installed"))
+		{
+			continue;
+		}
+		va_start(args, this);
+
+		name = va_arg(args, chunk_t*);
+		name->ptr = pos;
+		pos = strchr(pos, '\t');
+		if (!pos)
+		{
+			va_end(args);
+			return FALSE;
+		}
+		name->len = pos++ - name->ptr;
+
+		version = va_arg(args, chunk_t*);
+		version->ptr = pos;
+		version->len = strlen(pos) - 1;
+
+		va_end(args);
+		return TRUE;
+	}
+}
+
+METHOD(os_info_t, create_package_enumerator, enumerator_t*,
+	private_os_info_t *this)
+{
+	FILE *file;
+	const char command[] = "dpkg-query --show --showformat="
+								"'${Status}\t${Package}\t${Version}\n'";
+	package_enumerator_t *enumerator;
+
+	/* Only Debian and Ubuntu package enumeration is currently supported */
+	if (this->type != OS_TYPE_DEBIAN && this->type != OS_TYPE_UBUNTU)
+	{
+		return NULL;
+	}
+
+	/* Open a pipe stream for reading the output of the dpkg-query commmand */
+	file = popen(command, "r");
+	if (!file)
+	{
+		DBG1(DBG_IMC, "failed to run dpkg command");
+		return NULL;
+	}
+
+	/* Create a package enumerator instance */
+	enumerator = malloc_thing(package_enumerator_t);
+	enumerator->public.enumerate = (void*)package_enumerator_enumerate;
+	enumerator->public.destroy = (void*)package_enumerator_destroy;
+	enumerator->file = file;
+
+	return (enumerator_t*)enumerator;
+}
+
+
+METHOD(os_info_t, destroy, void,
+	private_os_info_t *this)
+{
+	free(this->name.ptr);
+	free(this->version.ptr);
+	free(this);
+}
+
+#define RELEASE_LSB		0
+#define RELEASE_DEBIAN	1
+
+/**
+ * Determine Linux distribution version and hardware platform
+ */
+static bool extract_platform_info(os_type_t *type, chunk_t *name,
+								  chunk_t *version)
+{
+	FILE *file;
+	u_char buf[BUF_LEN], *pos = buf;
+	int len = BUF_LEN - 1;
+	os_type_t os_type = OS_TYPE_UNKNOWN;
+	chunk_t os_name = chunk_empty;
+	chunk_t os_version = chunk_empty;
+	char *os_str;
+	struct utsname uninfo;
+	int i;
+
+	/* Linux/Unix distribution release info (from http://linuxmafia.com) */
+	const char* releases[] = {
+		"/etc/lsb-release",           "/etc/debian_version",
+		"/etc/SuSE-release",          "/etc/novell-release",
+		"/etc/sles-release",          "/etc/redhat-release",
+		"/etc/fedora-release",        "/etc/gentoo-release",
+		"/etc/slackware-version",     "/etc/annvix-release",
+		"/etc/arch-release",          "/etc/arklinux-release",
+		"/etc/aurox-release",         "/etc/blackcat-release",
+		"/etc/cobalt-release",        "/etc/conectiva-release",
+		"/etc/debian_release",        "/etc/immunix-release",
+		"/etc/lfs-release",           "/etc/linuxppc-release",
+		"/etc/mandrake-release",      "/etc/mandriva-release",
+		"/etc/mandrakelinux-release", "/etc/mklinux-release",
+		"/etc/pld-release",           "/etc/redhat_version",
+		"/etc/slackware-release",     "/etc/e-smith-release",
+		"/etc/release",               "/etc/sun-release",
+		"/etc/tinysofa-release",      "/etc/turbolinux-release",
+		"/etc/ultrapenguin-release",  "/etc/UnitedLinux-release",
+		"/etc/va-release",            "/etc/yellowdog-release"
+	};
+
+	const char lsb_distrib_id[]      = "DISTRIB_ID=";
+	const char lsb_distrib_release[] = "DISTRIB_RELEASE=";
+
+	for (i = 0; i < countof(releases); i++)
+	{
+		file = fopen(releases[i], "r");
+		if (!file)
+		{
+			continue;
+		}
+
+		/* read release file into buffer */
+		fseek(file, 0, SEEK_END);
+		len = min(ftell(file), len);
+		rewind(file);
+		buf[len] = '\0';
+		if (fread(buf, 1, len, file) != len)
+		{
+			DBG1(DBG_IMC, "failed to read file \"%s\"", releases[i]);
+			fclose(file);
+			return FALSE;
+		}
+		fclose(file);
+
+		DBG1(DBG_IMC, "processing \"%s\" file", releases[i]);
+
+		switch (i)
+		{
+			case RELEASE_LSB:
+			{
+				/* Determine Distribution ID */
+				pos = strstr(buf, lsb_distrib_id);
+				if (!pos)
+				{
+					DBG1(DBG_IMC, "failed to find begin of DISTRIB_ID field");
+					return FALSE;
+				}
+				pos += strlen(lsb_distrib_id);
+
+				os_name.ptr = pos;
+
+				pos = strchr(pos, '\n');
+				if (!pos)
+				{
+					DBG1(DBG_IMC, "failed to find end of DISTRIB_ID field");
+					return FALSE;
+			 	}
+				os_name.len = pos - os_name.ptr;
+
+				/* Determine Distribution Release */
+				pos = strstr(buf, lsb_distrib_release);
+				if (!pos)
+				{
+					DBG1(DBG_IMC, "failed to find begin of DISTRIB_RELEASE field");
+					return FALSE;
+				}
+				pos += strlen(lsb_distrib_release);
+
+				os_version.ptr = pos;
+
+				pos = strchr(pos, '\n');
+				if (!pos)
+				{
+					DBG1(DBG_IMC, "failed to find end of DISTRIB_RELEASE field");
+					return FALSE;
+			 	}
+				os_version.len = pos - os_version.ptr;
+
+				break;
+			}
+			case RELEASE_DEBIAN:
+			{
+				os_type = OS_TYPE_DEBIAN;
+
+				os_version.ptr = buf;
+				pos = strchr(buf, '\n');
+				if (!pos)
+				{
+					DBG1(DBG_PTS, "failed to find end of release string");
+					return FALSE;
+				}
+
+				os_version.len = pos - os_version.ptr;
+
+				break;
+			}
+			default:
+			{
+				const char str_release[] = " release ";
+
+				os_name.ptr = buf;
+
+				pos = strstr(buf, str_release);
+				if (!pos)
+				{
+					DBG1(DBG_IMC, "failed to find release keyword");
+					return FALSE;
+				}
+
+				os_name.len = pos - os_name.ptr;
+
+				pos += strlen(str_release);
+				os_version.ptr = pos;
+
+				pos = strchr(pos, '\n');
+				if (!pos)
+				{
+					DBG1(DBG_IMC, "failed to find end of release string");
+					return FALSE;
+			 	}
+
+				os_version.len = pos - os_version.ptr;
+
+				break;
+			}
+		}
+		break;
+	}
+
+	if (!os_version.ptr)
+	{
+		DBG1(DBG_IMC, "no distribution release file found");
+		return FALSE;
+	}
+
+	if (uname(&uninfo) < 0)
+	{
+		DBG1(DBG_IMC, "could not retrieve machine architecture");
+		return FALSE;
+	}
+
+	/* Try to find a matching OS type based on the OS name */
+	if (os_type == OS_TYPE_UNKNOWN)
+	{
+		os_type = os_type_from_name(os_name);
+	}
+
+	/* If known use the official OS name */
+	if (os_type != OS_TYPE_UNKNOWN)
+	{
+		os_str = enum_to_name(os_type_names, os_type);
+		os_name = chunk_create(os_str, strlen(os_str));
+	}
+
+	/* copy OS type */
+	*type = os_type;
+
+	/* copy OS name */
+	*name = chunk_clone(os_name);
+
+	/* copy OS version and machine architecture */
+	*version = chunk_alloc(os_version.len + 1 + strlen(uninfo.machine));
+	pos = version->ptr;
+	memcpy(pos, os_version.ptr, os_version.len);
+	pos += os_version.len;
+	*pos++ = ' ';
+	memcpy(pos, uninfo.machine, strlen(uninfo.machine));
+
+	return TRUE;
+}
+
+/**
+ * See header
+ */
+os_type_t os_type_from_name(chunk_t name)
+{
+	os_type_t type;
+	char *name_str;
+
+	for (type = OS_TYPE_DEBIAN; type < OS_TYPE_ROOF; type++)
+	{
+		/* name_str is a substring of name.ptr */
+		name_str = enum_to_name(os_type_names, type);
+		if (memeq(name.ptr, name_str, min(name.len, strlen(name_str))))
+		{
+			return type;
+		}
+	}
+	return OS_TYPE_UNKNOWN;
+}
+
+/**
+ * See header
+ */
+os_info_t *os_info_create(void)
+{
+	private_os_info_t *this;
+	chunk_t name, version;
+	os_type_t type;
+
+	/* As an option OS name and OS version can be configured manually */
+	name.ptr = lib->settings->get_str(lib->settings,
+									  "libimcv.os_info.name", NULL);
+	version.ptr = lib->settings->get_str(lib->settings,
+									  "libimcv.os_info.version", NULL);
+	if (name.ptr && version.ptr)
+	{
+		name.len = strlen(name.ptr);
+		name = chunk_clone(name);
+
+		version.len = strlen(version.ptr);
+		version = chunk_clone(version);
+
+		type = os_type_from_name(name);
+	}
+	else
+	{
+		if (!extract_platform_info(&type, &name, &version))
+		{
+			return NULL;
+		}
+	}
+	DBG1(DBG_IMC, "operating system name is '%.*s'",
+				   name.len, name.ptr);
+	DBG1(DBG_IMC, "operating system version is '%.*s'",
+				   version.len, version.ptr);
+
+	INIT(this,
+		.public = {
+			.get_type = _get_type,
+			.get_name = _get_name,
+			.get_numeric_version = _get_numeric_version,
+			.get_version = _get_version,
+			.get_fwd_status = _get_fwd_status,
+			.get_uptime = _get_uptime,
+			.get_setting = _get_setting,
+			.create_package_enumerator = _create_package_enumerator,
+			.destroy = _destroy,
+		},
+		.type = type,
+		.name = name,
+		.version = version,
+	);
+
+	return &this->public;
+}
diff --git a/src/libimcv/os_info/os_info.h b/src/libimcv/os_info/os_info.h
new file mode 100644
index 000000000..f47460709
--- /dev/null
+++ b/src/libimcv/os_info/os_info.h
@@ -0,0 +1,153 @@
+/*
+ * Copyright (C) 2012 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup os_info os_info
+ * @{ @ingroup libimcv
+ */
+
+#ifndef OS_INFO_H_
+#define OS_INFO_H_
+
+typedef struct os_info_t os_info_t;
+typedef enum os_type_t os_type_t;
+typedef enum os_fwd_status_t os_fwd_status_t;
+typedef enum os_package_state_t os_package_state_t;
+
+#include <library.h>
+
+#include <time.h>
+
+enum os_type_t {
+	OS_TYPE_UNKNOWN,
+	OS_TYPE_DEBIAN,
+	OS_TYPE_UBUNTU,
+	OS_TYPE_FEDORA,
+	OS_TYPE_REDHAT,
+	OS_TYPE_CENTOS,
+	OS_TYPE_SUSE,
+	OS_TYPE_GENTOO,
+	OS_TYPE_ANDROID,
+	OS_TYPE_ROOF
+};
+
+extern enum_name_t *os_type_names;
+
+/**
+ * Defines the security state of a package stored in the database
+ */
+enum os_package_state_t {
+	OS_PACKAGE_STATE_UPDATE =    0,		/* latest update */
+	OS_PACKAGE_STATE_SECURITY =  1,		/* latest security fix */
+	OS_PACKAGE_STATE_BLACKLIST = 2 		/* blacklisted package */
+};
+
+extern enum_name_t *os_package_state_names;
+
+/**
+ * Defines the IPv4 forwarding status
+ */
+enum os_fwd_status_t {
+	OS_FWD_DISABLED =	0,
+	OS_FWD_ENABLED =	1,
+	OS_FWD_UNKNOWN =	2
+};
+
+extern enum_name_t *os_fwd_status_names;
+
+/**
+ * Interface for the Operating System (OS) information module
+ */
+struct os_info_t {
+
+	/**
+	 * Get the OS type if it can be determined
+	 *
+	 * @return					OS type
+	 */
+	os_type_t (*get_type)(os_info_t *this);
+
+	/**
+	 * Get the OS product name or distribution
+	 *
+	 * @return					OS name
+	 */
+	chunk_t (*get_name)(os_info_t *this);
+
+	/**
+	 * Get the numeric OS version or release
+	 *
+	 * @param major				OS major version number
+	 * @param minor				OS minor version number
+	 */
+	void (*get_numeric_version)(os_info_t *this, u_int32_t *major,
+												 u_int32_t *minor);
+
+	/**
+	 * Get the OS version or release
+	 *
+	 * @return					OS version
+	 */
+	chunk_t (*get_version)(os_info_t *this);
+
+	/**
+	 * Get the OS IPv4 forwarding status
+	 *
+	 * @return					IP forwarding status
+	 */
+	os_fwd_status_t (*get_fwd_status)(os_info_t *this);
+
+	/**
+	 * Get the OS uptime in seconds
+	 *
+	 * @return					OS uptime
+	 */
+	time_t (*get_uptime)(os_info_t *this);
+
+	/**
+	 * Get an OS setting (restricted to /proc, /sys, and /etc)
+	 *
+	 * @param name				name of OS setting
+	 * @return					value of OS setting
+	 */
+	chunk_t (*get_setting)(os_info_t *this, char *name);
+
+	/**
+	 * Enumerates over all installed packages
+	 *
+	 * @return				return package enumerator
+	 */
+	enumerator_t* (*create_package_enumerator)(os_info_t *this);
+
+	/**
+	 * Destroys an os_info_t object.
+	 */
+	void (*destroy)(os_info_t *this);
+};
+
+/**
+ * Convert an OS name into an OS enumeration type
+ *
+ * @param name				OS name
+ * @return					OS enumeration type
+ */
+os_type_t os_type_from_name(chunk_t name);
+
+/**
+ * Create an os_info_t object
+ */
+os_info_t* os_info_create(void);
+
+#endif /** OS_INFO_H_ @}*/
diff --git a/src/libimcv/pa_tnc/pa_tnc_attr_manager.c b/src/libimcv/pa_tnc/pa_tnc_attr_manager.c
index 1de89d87d..900a55716 100644
--- a/src/libimcv/pa_tnc/pa_tnc_attr_manager.c
+++ b/src/libimcv/pa_tnc/pa_tnc_attr_manager.c
@@ -16,8 +16,8 @@
 
 #include "pa_tnc_attr_manager.h"
 
-#include <utils/linked_list.h>
-#include <debug.h>
+#include <collections/linked_list.h>
+#include <utils/debug.h>
 
 typedef struct private_pa_tnc_attr_manager_t private_pa_tnc_attr_manager_t;
 typedef struct entry_t entry_t;
@@ -46,7 +46,7 @@ struct private_pa_tnc_attr_manager_t {
 };
 
 METHOD(pa_tnc_attr_manager_t, add_vendor, void,
-	private_pa_tnc_attr_manager_t *this, pen_t vendor_id, 
+	private_pa_tnc_attr_manager_t *this, pen_t vendor_id,
 	pa_tnc_attr_create_t attr_create, enum_name_t *attr_names)
 {
 	entry_t *entry;
@@ -128,7 +128,7 @@ METHOD(pa_tnc_attr_manager_t, create, pa_tnc_attr_t*,
 METHOD(pa_tnc_attr_manager_t, destroy, void,
 	private_pa_tnc_attr_manager_t *this)
 {
-	this->list->destroy_function(this->list, free); 
+	this->list->destroy_function(this->list, free);
 	free(this);
 }
 
diff --git a/src/libimcv/pa_tnc/pa_tnc_msg.c b/src/libimcv/pa_tnc/pa_tnc_msg.c
index b1476fc7f..63445f3a1 100644
--- a/src/libimcv/pa_tnc/pa_tnc_msg.c
+++ b/src/libimcv/pa_tnc/pa_tnc_msg.c
@@ -19,9 +19,9 @@
 
 #include <bio/bio_writer.h>
 #include <bio/bio_reader.h>
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
 #include <pen/pen.h>
-#include <debug.h>
+#include <utils/debug.h>
 
 
 typedef struct private_pa_tnc_msg_t private_pa_tnc_msg_t;
@@ -42,7 +42,7 @@ typedef struct private_pa_tnc_msg_t private_pa_tnc_msg_t;
 #define PA_TNC_RESERVED		0x000000
 
 /**
- *  PA-TNC attribute 
+ *  PA-TNC attribute
  *
  *                       1                   2                   3
  *  0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
@@ -207,7 +207,7 @@ METHOD(pa_tnc_msg_t, process, status_t,
 	pa_tnc_attr_t *error;
 	u_int8_t version;
 	u_int32_t reserved, offset, attr_offset;
-	pen_type_t error_code;
+	pen_type_t error_code = { PEN_IETF, PA_ERROR_INVALID_PARAMETER };
 
 	/* process message header */
 	if (this->encoding.len < PA_TNC_HEADER_SIZE)
@@ -224,13 +224,12 @@ METHOD(pa_tnc_msg_t, process, status_t,
 
 	if (version != PA_TNC_VERSION)
 	{
-		pen_type_t error_code = { PEN_IETF, PA_ERROR_VERSION_NOT_SUPPORTED };
-
 		DBG1(DBG_TNC, "PA-TNC version %u not supported", version);
+		error_code = pen_type_create(PEN_IETF, PA_ERROR_VERSION_NOT_SUPPORTED);
 		error = ietf_attr_pa_tnc_error_create(error_code, this->encoding);
 		goto err;
 	}
-	
+
 	/* offset of the first PA-TNC attribute in the PA-TNC message */
 	offset = PA_TNC_HEADER_SIZE;
 
@@ -244,7 +243,6 @@ METHOD(pa_tnc_msg_t, process, status_t,
 		pa_tnc_attr_t *attr;
 		enum_name_t *pa_attr_names;
 		ietf_attr_pa_tnc_error_t *error_attr;
-		pen_type_t error_code;
 
 		attr_info = reader->peek(reader);
 		attr_info.len = PA_TNC_ATTR_INFO_SIZE;
@@ -272,7 +270,6 @@ METHOD(pa_tnc_msg_t, process, status_t,
 		{
 			DBG1(DBG_TNC, "%u bytes too small for PA-TNC attribute length",
 						   length);
-			error_code = pen_type_create(PEN_IETF, PA_ERROR_INVALID_PARAMETER);
 			error = ietf_attr_pa_tnc_error_create_with_offset(error_code,
 						this->encoding, offset + PA_TNC_ATTR_INFO_SIZE);
 			goto err;
@@ -281,11 +278,10 @@ METHOD(pa_tnc_msg_t, process, status_t,
 		if (!reader->read_data(reader, length - PA_TNC_ATTR_HEADER_SIZE, &value))
 		{
 			DBG1(DBG_TNC, "insufficient bytes for PA-TNC attribute value");
-			error_code = pen_type_create(PEN_IETF, PA_ERROR_INVALID_PARAMETER);
 			error = ietf_attr_pa_tnc_error_create_with_offset(error_code,
 						this->encoding, offset + PA_TNC_ATTR_INFO_SIZE);
-			goto err; 
-		} 
+			goto err;
+		}
 		DBG3(DBG_TNC, "%B", &value);
 
 		attr = imcv_pa_tnc_attributes->create(imcv_pa_tnc_attributes,
@@ -314,15 +310,14 @@ METHOD(pa_tnc_msg_t, process, status_t,
 		if (attr->process(attr, &attr_offset) != SUCCESS)
 		{
 			attr->destroy(attr);
-			if (error_code.vendor_id == PEN_IETF &&
-				error_code.type == IETF_ATTR_PA_TNC_ERROR)
+			if (vendor_id == PEN_IETF && type == IETF_ATTR_PA_TNC_ERROR)
 			{
 				/* error while processing a PA-TNC error attribute - abort */
 				reader->destroy(reader);
 				return FAILED;
 			}
 			error_code = pen_type_create(PEN_IETF,
-										 PA_ERROR_ATTR_TYPE_NOT_SUPPORTED);
+										 PA_ERROR_INVALID_PARAMETER);
 			error = ietf_attr_pa_tnc_error_create_with_offset(error_code,
 						this->encoding,
 						offset + PA_TNC_ATTR_HEADER_SIZE + attr_offset);
@@ -338,7 +333,6 @@ METHOD(pa_tnc_msg_t, process, status_t,
 		return SUCCESS;
 	}
 	DBG1(DBG_TNC, "insufficient bytes for PA-TNC attribute header");
-	error_code = pen_type_create(PEN_IETF, PA_ERROR_INVALID_PARAMETER);
 	error = ietf_attr_pa_tnc_error_create_with_offset(error_code,
 						this->encoding, offset);
 
@@ -377,7 +371,7 @@ METHOD(pa_tnc_msg_t, process_ietf_std_errors, bool,
 			{
 				continue;
 			}
-			DBG1(DBG_IMC, "received PA-TNC error '%N' concerning message "
+			DBG1(DBG_TNC, "received PA-TNC error '%N' concerning message "
 				 "0x%08x/0x%08x", pa_tnc_error_code_names, error_code.type,
 				 untoh32(msg_info.ptr), untoh32(msg_info.ptr + 4));
 
@@ -385,19 +379,15 @@ METHOD(pa_tnc_msg_t, process_ietf_std_errors, bool,
 			{
 				case PA_ERROR_INVALID_PARAMETER:
 					offset = error_attr->get_offset(error_attr);
-					DBG1(DBG_IMC, "  occurred at offset of %u bytes", offset);
+					DBG1(DBG_TNC, "  occurred at offset of %u bytes", offset);
 					break;
 				case PA_ERROR_ATTR_TYPE_NOT_SUPPORTED:
 					attr_info = error_attr->get_attr_info(error_attr);
-					DBG1(DBG_IMC, "  unsupported attribute %#B", &attr_info);
+					DBG1(DBG_TNC, "  unsupported attribute %#B", &attr_info);
 					break;
 				default:
 					break;
 			}
-
-			/* remove and delete the processed IETF standard error attribute */
-			this->attributes->remove_at(this->attributes, enumerator);
-			attr->destroy(attr);
 			fatal_error = TRUE;
 		}
 	}
@@ -422,7 +412,7 @@ METHOD(pa_tnc_msg_t, destroy, void,
 	private_pa_tnc_msg_t *this)
 {
 	this->attributes->destroy_offset(this->attributes,
-									 offsetof(pa_tnc_attr_t, destroy)); 
+									 offsetof(pa_tnc_attr_t, destroy));
 	this->errors->destroy_offset(this->errors,
 									 offsetof(pa_tnc_attr_t, destroy));
 	free(this->encoding.ptr);
diff --git a/src/libimcv/pa_tnc/pa_tnc_msg.h b/src/libimcv/pa_tnc/pa_tnc_msg.h
index 80016fecd..332f2506f 100644
--- a/src/libimcv/pa_tnc/pa_tnc_msg.h
+++ b/src/libimcv/pa_tnc/pa_tnc_msg.h
@@ -65,7 +65,7 @@ struct pa_tnc_msg_t {
 	status_t (*process)(pa_tnc_msg_t *this);
 
 	/**
-	 * Process and remove all IETF standard error PA-TNC attributes
+	 * Process all IETF standard error PA-TNC attributes
 	 *
 	 * @return					TRUE if at least one error attribute processed
 	 */
diff --git a/src/libimcv/plugins/imc_os/Makefile.am b/src/libimcv/plugins/imc_os/Makefile.am
new file mode 100644
index 000000000..0bfe776a5
--- /dev/null
+++ b/src/libimcv/plugins/imc_os/Makefile.am
@@ -0,0 +1,15 @@
+
+INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libtncif \
+	-I$(top_srcdir)/src/libimcv
+
+AM_CFLAGS = -rdynamic
+
+imcv_LTLIBRARIES = imc-os.la
+
+imc_os_la_LIBADD = $(top_builddir)/src/libimcv/libimcv.la \
+	$(top_builddir)/src/libstrongswan/libstrongswan.la
+
+imc_os_la_SOURCES = imc_os.c imc_os_state.h imc_os_state.c
+
+imc_os_la_LDFLAGS = -module -avoid-version
+
diff --git a/src/libimcv/plugins/imc_os/Makefile.in b/src/libimcv/plugins/imc_os/Makefile.in
new file mode 100644
index 000000000..7b871df2a
--- /dev/null
+++ b/src/libimcv/plugins/imc_os/Makefile.in
@@ -0,0 +1,620 @@
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+VPATH = @srcdir@
+pkgdatadir = $(datadir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+subdir = src/libimcv/plugins/imc_os
+DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+	$(top_srcdir)/m4/config/ltoptions.m4 \
+	$(top_srcdir)/m4/config/ltsugar.m4 \
+	$(top_srcdir)/m4/config/ltversion.m4 \
+	$(top_srcdir)/m4/config/lt~obsolete.m4 \
+	$(top_srcdir)/m4/macros/with.m4 \
+	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
+	$(top_srcdir)/configure.in
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+	$(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_HEADER = $(top_builddir)/config.h
+CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+    *) f=$$p;; \
+  esac;
+am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
+am__install_max = 40
+am__nobase_strip_setup = \
+  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
+am__nobase_strip = \
+  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
+am__nobase_list = $(am__nobase_strip_setup); \
+  for p in $$list; do echo "$$p $$p"; done | \
+  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
+  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
+    if (++n[$$2] == $(am__install_max)) \
+      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
+    END { for (dir in files) print dir, files[dir] }'
+am__base_list = \
+  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
+  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
+am__installdirs = "$(DESTDIR)$(imcvdir)"
+LTLIBRARIES = $(imcv_LTLIBRARIES)
+imc_os_la_DEPENDENCIES = $(top_builddir)/src/libimcv/libimcv.la \
+	$(top_builddir)/src/libstrongswan/libstrongswan.la
+am_imc_os_la_OBJECTS = imc_os.lo imc_os_state.lo
+imc_os_la_OBJECTS = $(am_imc_os_la_OBJECTS)
+imc_os_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(imc_os_la_LDFLAGS) $(LDFLAGS) -o $@
+DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
+depcomp = $(SHELL) $(top_srcdir)/depcomp
+am__depfiles_maybe = depfiles
+am__mv = mv -f
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
+	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CCLD = $(CC)
+LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
+	$(LDFLAGS) -o $@
+SOURCES = $(imc_os_la_SOURCES)
+DIST_SOURCES = $(imc_os_la_SOURCES)
+ETAGS = etags
+CTAGS = ctags
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
+AMTAR = @AMTAR@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+BFDLIB = @BFDLIB@
+BTLIB = @BTLIB@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
+DSYMUTIL = @DSYMUTIL@
+DUMPBIN = @DUMPBIN@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+FGREP = @FGREP@
+GPERF = @GPERF@
+GREP = @GREP@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LD = @LD@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LIPO = @LIPO@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
+MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
+NM = @NM@
+NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
+PTHREADLIB = @PTHREADLIB@
+RANLIB = @RANLIB@
+RTLIB = @RTLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
+SED = @SED@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
+STRIP = @STRIP@
+VERSION = @VERSION@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+attest_plugins = @attest_plugins@
+axis2c_CFLAGS = @axis2c_CFLAGS@
+axis2c_LIBS = @axis2c_LIBS@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+c_plugins = @c_plugins@
+charon_natt_port = @charon_natt_port@
+charon_plugins = @charon_plugins@
+charon_udp_port = @charon_udp_port@
+clearsilver_LIBS = @clearsilver_LIBS@
+datadir = @datadir@
+datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
+dev_headers = @dev_headers@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+gtk_CFLAGS = @gtk_CFLAGS@
+gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+imcvdir = @imcvdir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+ipsec_script = @ipsec_script@
+ipsec_script_upper = @ipsec_script_upper@
+ipsecdir = @ipsecdir@
+ipsecgroup = @ipsecgroup@
+ipseclibdir = @ipseclibdir@
+ipsecuser = @ipsecuser@
+libdir = @libdir@
+libexecdir = @libexecdir@
+linux_headers = @linux_headers@
+localedir = @localedir@
+localstatedir = @localstatedir@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
+mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
+mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
+nm_plugins = @nm_plugins@
+oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
+pcsclite_CFLAGS = @pcsclite_CFLAGS@
+pcsclite_LIBS = @pcsclite_LIBS@
+pdfdir = @pdfdir@
+piddir = @piddir@
+pki_plugins = @pki_plugins@
+plugindir = @plugindir@
+pool_plugins = @pool_plugins@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+random_device = @random_device@
+resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
+sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
+sharedstatedir = @sharedstatedir@
+soup_CFLAGS = @soup_CFLAGS@
+soup_LIBS = @soup_LIBS@
+srcdir = @srcdir@
+starter_plugins = @starter_plugins@
+strongswan_conf = @strongswan_conf@
+sysconfdir = @sysconfdir@
+systemdsystemunitdir = @systemdsystemunitdir@
+target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+urandom_device = @urandom_device@
+xml_CFLAGS = @xml_CFLAGS@
+xml_LIBS = @xml_LIBS@
+INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libtncif \
+	-I$(top_srcdir)/src/libimcv
+
+AM_CFLAGS = -rdynamic
+imcv_LTLIBRARIES = imc-os.la
+imc_os_la_LIBADD = $(top_builddir)/src/libimcv/libimcv.la \
+	$(top_builddir)/src/libstrongswan/libstrongswan.la
+
+imc_os_la_SOURCES = imc_os.c imc_os_state.h imc_os_state.c
+imc_os_la_LDFLAGS = -module -avoid-version
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .c .lo .o .obj
+$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
+	@for dep in $?; do \
+	  case '$(am__configure_deps)' in \
+	    *$$dep*) \
+	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+	        && { if test -f $@; then exit 0; else break; fi; }; \
+	      exit 1;; \
+	  esac; \
+	done; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libimcv/plugins/imc_os/Makefile'; \
+	$(am__cd) $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu src/libimcv/plugins/imc_os/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+	@case '$?' in \
+	  *config.status*) \
+	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+	  *) \
+	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+	esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure:  $(am__configure_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
+install-imcvLTLIBRARIES: $(imcv_LTLIBRARIES)
+	@$(NORMAL_INSTALL)
+	test -z "$(imcvdir)" || $(MKDIR_P) "$(DESTDIR)$(imcvdir)"
+	@list='$(imcv_LTLIBRARIES)'; test -n "$(imcvdir)" || list=; \
+	list2=; for p in $$list; do \
+	  if test -f $$p; then \
+	    list2="$$list2 $$p"; \
+	  else :; fi; \
+	done; \
+	test -z "$$list2" || { \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(imcvdir)'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(imcvdir)"; \
+	}
+
+uninstall-imcvLTLIBRARIES:
+	@$(NORMAL_UNINSTALL)
+	@list='$(imcv_LTLIBRARIES)'; test -n "$(imcvdir)" || list=; \
+	for p in $$list; do \
+	  $(am__strip_dir) \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(imcvdir)/$$f'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(imcvdir)/$$f"; \
+	done
+
+clean-imcvLTLIBRARIES:
+	-test -z "$(imcv_LTLIBRARIES)" || rm -f $(imcv_LTLIBRARIES)
+	@list='$(imcv_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+imc-os.la: $(imc_os_la_OBJECTS) $(imc_os_la_DEPENDENCIES) $(EXTRA_imc_os_la_DEPENDENCIES) 
+	$(imc_os_la_LINK) -rpath $(imcvdir) $(imc_os_la_OBJECTS) $(imc_os_la_LIBADD) $(LIBS)
+
+mostlyclean-compile:
+	-rm -f *.$(OBJEXT)
+
+distclean-compile:
+	-rm -f *.tab.c
+
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/imc_os.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/imc_os_state.Plo@am__quote@
+
+.c.o:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+
+.c.obj:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+
+.c.lo:
+@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	mkid -fID $$unique
+tags: TAGS
+
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	set x; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	shift; \
+	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
+	  test -n "$$unique" || unique=$$empty_fix; \
+	  if test $$# -gt 0; then \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      "$$@" $$unique; \
+	  else \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      $$unique; \
+	  fi; \
+	fi
+ctags: CTAGS
+CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	test -z "$(CTAGS_ARGS)$$unique" \
+	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+	     $$unique
+
+GTAGS:
+	here=`$(am__cd) $(top_builddir) && pwd` \
+	  && $(am__cd) $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) "$$here"
+
+distclean-tags:
+	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+distdir: $(DISTFILES)
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
+	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d "$(distdir)/$$file"; then \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
+	  else \
+	    test -f "$(distdir)/$$file" \
+	    || cp -p $$d/$$file "$(distdir)/$$file" \
+	    || exit 1; \
+	  fi; \
+	done
+check-am: all-am
+check: check-am
+all-am: Makefile $(LTLIBRARIES)
+installdirs:
+	for dir in "$(DESTDIR)$(imcvdir)"; do \
+	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
+	done
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
+
+maintainer-clean-generic:
+	@echo "This command is intended for maintainers to use"
+	@echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-generic clean-imcvLTLIBRARIES clean-libtool \
+	mostlyclean-am
+
+distclean: distclean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+	distclean-tags
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+html-am:
+
+info: info-am
+
+info-am:
+
+install-data-am: install-imcvLTLIBRARIES
+
+install-dvi: install-dvi-am
+
+install-dvi-am:
+
+install-exec-am:
+
+install-html: install-html-am
+
+install-html-am:
+
+install-info: install-info-am
+
+install-info-am:
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-pdf-am:
+
+install-ps: install-ps-am
+
+install-ps-am:
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+	mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am: uninstall-imcvLTLIBRARIES
+
+.MAKE: install-am install-strip
+
+.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
+	clean-imcvLTLIBRARIES clean-libtool ctags distclean \
+	distclean-compile distclean-generic distclean-libtool \
+	distclean-tags distdir dvi dvi-am html html-am info info-am \
+	install install-am install-data install-data-am install-dvi \
+	install-dvi-am install-exec install-exec-am install-html \
+	install-html-am install-imcvLTLIBRARIES install-info \
+	install-info-am install-man install-pdf install-pdf-am \
+	install-ps install-ps-am install-strip installcheck \
+	installcheck-am installdirs maintainer-clean \
+	maintainer-clean-generic mostlyclean mostlyclean-compile \
+	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
+	tags uninstall uninstall-am uninstall-imcvLTLIBRARIES
+
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/src/libimcv/plugins/imc_os/imc_os.c b/src/libimcv/plugins/imc_os/imc_os.c
new file mode 100644
index 000000000..f6e205ce7
--- /dev/null
+++ b/src/libimcv/plugins/imc_os/imc_os.c
@@ -0,0 +1,585 @@
+/*
+ * Copyright (C) 2011-2012 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "imc_os_state.h"
+
+#include <imc/imc_agent.h>
+#include <imc/imc_msg.h>
+#include <ietf/ietf_attr.h>
+#include <ietf/ietf_attr_attr_request.h>
+#include <ietf/ietf_attr_default_pwd_enabled.h>
+#include <ietf/ietf_attr_fwd_enabled.h>
+#include <ietf/ietf_attr_installed_packages.h>
+#include <ietf/ietf_attr_numeric_version.h>
+#include <ietf/ietf_attr_op_status.h>
+#include <ietf/ietf_attr_product_info.h>
+#include <ietf/ietf_attr_string_version.h>
+#include <ita/ita_attr.h>
+#include <ita/ita_attr_get_settings.h>
+#include <ita/ita_attr_settings.h>
+#include <ita/ita_attr_angel.h>
+#include <os_info/os_info.h>
+
+#include <tncif_pa_subtypes.h>
+
+#include <pen/pen.h>
+#include <utils/debug.h>
+
+/* IMC definitions */
+
+static const char imc_name[] = "OS";
+
+static pen_type_t msg_types[] = {
+	{ PEN_IETF, PA_SUBTYPE_IETF_OPERATING_SYSTEM }
+};
+
+static imc_agent_t *imc_os;
+static os_info_t *os;
+
+/**
+ * see section 3.8.1 of TCG TNC IF-IMC Specification 1.3
+ */
+TNC_Result TNC_IMC_Initialize(TNC_IMCID imc_id,
+							  TNC_Version min_version,
+							  TNC_Version max_version,
+							  TNC_Version *actual_version)
+{
+	if (imc_os)
+	{
+		DBG1(DBG_IMC, "IMC \"%s\" has already been initialized", imc_name);
+		return TNC_RESULT_ALREADY_INITIALIZED;
+	}
+	imc_os = imc_agent_create(imc_name, msg_types, countof(msg_types),
+							  imc_id, actual_version);
+	if (!imc_os)
+	{
+		return TNC_RESULT_FATAL;
+	}
+
+	os = os_info_create();
+	if (!os)
+	{
+		imc_os->destroy(imc_os);
+		imc_os = NULL;
+
+		return TNC_RESULT_FATAL;
+	}
+
+	if (min_version > TNC_IFIMC_VERSION_1 || max_version < TNC_IFIMC_VERSION_1)
+	{
+		DBG1(DBG_IMC, "no common IF-IMC version");
+		return TNC_RESULT_NO_COMMON_VERSION;
+	}
+	return TNC_RESULT_SUCCESS;
+}
+
+/**
+ * see section 3.8.2 of TCG TNC IF-IMC Specification 1.3
+ */
+TNC_Result TNC_IMC_NotifyConnectionChange(TNC_IMCID imc_id,
+										  TNC_ConnectionID connection_id,
+										  TNC_ConnectionState new_state)
+{
+	imc_state_t *state;
+
+	if (!imc_os)
+	{
+		DBG1(DBG_IMC, "IMC \"%s\" has not been initialized", imc_name);
+		return TNC_RESULT_NOT_INITIALIZED;
+	}
+	switch (new_state)
+	{
+		case TNC_CONNECTION_STATE_CREATE:
+			state = imc_os_state_create(connection_id);
+			return imc_os->create_state(imc_os, state);
+		case TNC_CONNECTION_STATE_HANDSHAKE:
+			if (imc_os->change_state(imc_os, connection_id, new_state,
+				&state) != TNC_RESULT_SUCCESS)
+			{
+				return TNC_RESULT_FATAL;
+			}
+			state->set_result(state, imc_id,
+							  TNC_IMV_EVALUATION_RESULT_DONT_KNOW);
+			return TNC_RESULT_SUCCESS;
+		case TNC_CONNECTION_STATE_DELETE:
+			return imc_os->delete_state(imc_os, connection_id);
+		default:
+			return imc_os->change_state(imc_os, connection_id,
+											 new_state, NULL);
+	}
+}
+
+/**
+ * Add IETF Product Information attribute to the send queue
+ */
+static void add_product_info(imc_msg_t *msg)
+{
+	pa_tnc_attr_t *attr;
+	os_type_t os_type;
+	pen_t vendor_id = PEN_IETF;
+	int i;
+
+	typedef struct vendor_pen_t {
+		os_type_t os_type;
+		pen_t pen;
+	} vendor_pen_t;
+
+	vendor_pen_t vendor_pens[] = {
+		{ OS_TYPE_DEBIAN,  PEN_DEBIAN },
+		{ OS_TYPE_UBUNTU,  PEN_CANONICAL },
+		{ OS_TYPE_FEDORA,  PEN_FEDORA },
+		{ OS_TYPE_REDHAT,  PEN_REDHAT },
+		{ OS_TYPE_ANDROID, PEN_GOOGLE }
+	};
+
+	os_type = os->get_type(os);
+	for (i = 0; i < countof(vendor_pens); i++)
+	{
+		if (os_type == vendor_pens[i].os_type)
+		{
+			vendor_id = vendor_pens[i].pen;
+			break;
+		}
+	}
+	attr = ietf_attr_product_info_create(vendor_id, 0, os->get_name(os));
+	msg->add_attribute(msg, attr);
+}
+
+/**
+ * Add IETF Numeric Version attribute to the send queue
+ */
+static void add_numeric_version(imc_msg_t *msg)
+{
+	pa_tnc_attr_t *attr;
+	u_int32_t major, minor;
+
+	os->get_numeric_version(os, &major, &minor);
+	DBG1(DBG_IMC, "operating system numeric version is %d.%d",
+				   major, minor);
+
+	attr = ietf_attr_numeric_version_create(major, minor, 0, 0, 0);
+	msg->add_attribute(msg, attr);
+}
+
+/**
+ * Add IETF String Version attribute to the send queue
+ */
+static void add_string_version(imc_msg_t *msg)
+{
+	pa_tnc_attr_t *attr;
+
+	attr = ietf_attr_string_version_create(os->get_version(os),
+										   chunk_empty, chunk_empty);
+	msg->add_attribute(msg, attr);
+}
+
+/**
+ * Add IETF Operational Status attribute to the send queue
+ */
+static void add_op_status(imc_msg_t *msg)
+{
+	pa_tnc_attr_t *attr;
+	time_t uptime, last_boot;
+
+	uptime = os->get_uptime(os);
+	last_boot = uptime ? time(NULL) - uptime : UNDEFINED_TIME;
+	if (last_boot != UNDEFINED_TIME)
+	{
+		DBG1(DBG_IMC, "last boot: %T, %u s ago", &last_boot, TRUE, uptime);
+	}
+	attr = ietf_attr_op_status_create(OP_STATUS_OPERATIONAL,
+									  OP_RESULT_SUCCESSFUL, last_boot);
+	msg->add_attribute(msg, attr);
+}
+
+/**
+ * Add IETF Forwarding Enabled attribute to the send queue
+ */
+static void add_fwd_enabled(imc_msg_t *msg)
+{
+	pa_tnc_attr_t *attr;
+	os_fwd_status_t fwd_status;
+
+	fwd_status = os->get_fwd_status(os);
+	DBG1(DBG_IMC, "IPv4 forwarding status: %N",
+				   os_fwd_status_names, fwd_status);
+	attr = ietf_attr_fwd_enabled_create(fwd_status);
+	msg->add_attribute(msg, attr);
+}
+
+/**
+ * Add IETF Factory Default Password Enabled attribute to the send queue
+ */
+static void add_default_pwd_enabled(imc_msg_t *msg)
+{
+	pa_tnc_attr_t *attr;
+
+	DBG1(DBG_IMC, "factory default password: disabled");
+	attr = ietf_attr_default_pwd_enabled_create(FALSE);
+	msg->add_attribute(msg, attr);
+}
+
+/**
+ * Add an IETF Installed Packages attribute to the send queue
+ */
+static void add_installed_packages(imc_state_t *state, imc_msg_t *msg)
+{
+	pa_tnc_attr_t *attr = NULL, *attr_angel;
+	ietf_attr_installed_packages_t *attr_cast;
+	enumerator_t *enumerator;
+	chunk_t name, version;
+	size_t max_attr_size, attr_size, entry_size;
+	bool first = TRUE;
+
+	/**
+	 * Compute the maximum IETF Installed Packages attribute size
+	 * leaving space for an additional ITA Angel attribute
+	 */
+	max_attr_size = state->get_max_msg_len(state) - 8 - 12;
+
+	/* At least one IETF Installed Packages attribute is sent */
+	attr = ietf_attr_installed_packages_create();
+	attr_size = 12 + 4;
+
+	enumerator = os->create_package_enumerator(os);
+	if (enumerator)
+	{
+		while (enumerator->enumerate(enumerator, &name, &version))
+		{
+			DBG2(DBG_IMC, "package '%.*s' (%.*s)",
+						   name.len, name.ptr, version.len, version.ptr);
+
+			entry_size = 2 + name.len + version.len;
+			if (attr_size + entry_size > max_attr_size)
+			{
+				if (first)
+				{
+					/**
+					 * Send an ITA Start Angel attribute to the IMV signalling
+					 * that multiple ITA Installed Package attributes follow.
+					 */
+					attr_angel = ita_attr_angel_create(TRUE);
+					msg->add_attribute(msg, attr_angel);
+					first = FALSE;
+				}
+				msg->add_attribute(msg, attr);
+
+				/* create the next IETF Installed Packages attribute */
+				attr = ietf_attr_installed_packages_create();
+				attr_size = 12 + 4;
+			}
+			attr_cast = (ietf_attr_installed_packages_t*)attr;
+			attr_cast->add(attr_cast, name, version);
+			attr_size += entry_size;
+		}
+		enumerator->destroy(enumerator);
+	}
+	msg->add_attribute(msg, attr);
+
+	if (!first)
+	{
+		/**
+		 * If we sent an ITA Start Angel attribute in the first place,
+		 * terminate by appending a matching ITA Stop Angel attribute.
+		 */
+		attr_angel = ita_attr_angel_create(FALSE);
+		msg->add_attribute(msg, attr_angel);
+	}
+}
+
+/**
+ * Add ITA Settings attribute to the send queue
+ */
+static void add_settings(enumerator_t *enumerator, imc_msg_t *msg)
+{
+	pa_tnc_attr_t *attr = NULL;
+	ita_attr_settings_t *attr_cast;
+	chunk_t value;
+	char *name;
+	bool first = TRUE;
+
+	while (enumerator->enumerate(enumerator, &name))
+	{
+		DBG1(DBG_IMC, "setting '%s'", name);
+
+		value = os->get_setting(os, name);
+		if (!value.ptr)
+		{
+			continue;
+		}
+		if (first)
+		{
+			attr = ita_attr_settings_create();
+			first = FALSE;
+		}
+		attr_cast = (ita_attr_settings_t*)attr;
+		attr_cast->add(attr_cast, name, value);
+		chunk_free(&value);
+	}
+
+	if (attr)
+	{
+		msg->add_attribute(msg, attr);
+	}
+}
+
+/**
+ * see section 3.8.3 of TCG TNC IF-IMC Specification 1.3
+ */
+TNC_Result TNC_IMC_BeginHandshake(TNC_IMCID imc_id,
+								  TNC_ConnectionID connection_id)
+{
+	imc_state_t *state;
+	imc_msg_t *out_msg;
+	TNC_Result result = TNC_RESULT_SUCCESS;
+
+	if (!imc_os)
+	{
+		DBG1(DBG_IMC, "IMC \"%s\" has not been initialized", imc_name);
+		return TNC_RESULT_NOT_INITIALIZED;
+	}
+	if (!imc_os->get_state(imc_os, connection_id, &state))
+	{
+		return TNC_RESULT_FATAL;
+	}
+	if (lib->settings->get_bool(lib->settings,
+								"libimcv.plugins.imc-os.push_info", TRUE))
+	{
+		out_msg = imc_msg_create(imc_os, state, connection_id, imc_id,
+								 TNC_IMVID_ANY, msg_types[0]);
+		add_product_info(out_msg);
+		add_string_version(out_msg);
+		add_numeric_version(out_msg);
+		add_op_status(out_msg);
+		add_fwd_enabled(out_msg);
+		add_default_pwd_enabled(out_msg);
+
+		/* send PA-TNC message with the excl flag not set */
+		result = out_msg->send(out_msg, FALSE);
+		out_msg->destroy(out_msg);
+	}
+
+	return result;
+}
+
+static TNC_Result receive_message(imc_state_t *state, imc_msg_t *in_msg)
+{
+	imc_msg_t *out_msg;
+	enumerator_t *enumerator;
+	pa_tnc_attr_t *attr;
+	pen_type_t type;
+	TNC_Result result;
+	bool fatal_error = FALSE;
+
+	/* parse received PA-TNC message and handle local and remote errors */
+	result = in_msg->receive(in_msg, &fatal_error);
+	if (result != TNC_RESULT_SUCCESS)
+	{
+		return result;
+	}
+	out_msg = imc_msg_create_as_reply(in_msg);
+
+	/* analyze PA-TNC attributes */
+	enumerator = in_msg->create_attribute_enumerator(in_msg);
+	while (enumerator->enumerate(enumerator, &attr))
+	{
+		type = attr->get_type(attr);
+
+		if (type.vendor_id == PEN_IETF)
+		{
+			if (type.type == IETF_ATTR_ATTRIBUTE_REQUEST)
+			{
+				ietf_attr_attr_request_t *attr_cast;
+				pen_type_t *entry;
+				enumerator_t *e;
+
+				attr_cast = (ietf_attr_attr_request_t*)attr;
+
+				e = attr_cast->create_enumerator(attr_cast);
+				while (e->enumerate(e, &entry))
+				{
+					if (entry->vendor_id != PEN_IETF)
+					{
+						continue;
+					}
+					switch (entry->type)
+					{
+						case IETF_ATTR_PRODUCT_INFORMATION:
+							add_product_info(out_msg);
+							break;
+						case IETF_ATTR_STRING_VERSION:
+							add_string_version(out_msg);
+							break;
+						case IETF_ATTR_NUMERIC_VERSION:
+							add_numeric_version(out_msg);
+							break;
+						case IETF_ATTR_OPERATIONAL_STATUS:
+							add_op_status(out_msg);
+							break;
+						case IETF_ATTR_FORWARDING_ENABLED:
+							add_fwd_enabled(out_msg);
+							break;
+						case IETF_ATTR_FACTORY_DEFAULT_PWD_ENABLED:
+							add_default_pwd_enabled(out_msg);
+							break;
+						case IETF_ATTR_INSTALLED_PACKAGES:
+							add_installed_packages(state, out_msg);
+							break;
+						default:
+							break;
+					}
+				}
+				e->destroy(e);
+			}
+		}
+		else if (type.vendor_id == PEN_ITA && type.type == ITA_ATTR_GET_SETTINGS)
+		{
+			ita_attr_get_settings_t *attr_cast;
+			enumerator_t *e;
+
+			attr_cast = (ita_attr_get_settings_t*)attr;
+
+			e = attr_cast->create_enumerator(attr_cast);
+			add_settings(e, out_msg);
+			e->destroy(e);
+		}
+	}
+	enumerator->destroy(enumerator);
+
+	if (fatal_error)
+	{
+		result = TNC_RESULT_FATAL;
+	}
+	else
+	{
+		result = out_msg->send(out_msg, TRUE);
+	}
+	out_msg->destroy(out_msg);
+
+	return result;
+}
+
+/**
+ * see section 3.8.4 of TCG TNC IF-IMC Specification 1.3
+
+ */
+TNC_Result TNC_IMC_ReceiveMessage(TNC_IMCID imc_id,
+								  TNC_ConnectionID connection_id,
+								  TNC_BufferReference msg,
+								  TNC_UInt32 msg_len,
+								  TNC_MessageType msg_type)
+{
+	imc_state_t *state;
+	imc_msg_t *in_msg;
+	TNC_Result result;
+
+	if (!imc_os)
+	{
+		DBG1(DBG_IMC, "IMC \"%s\" has not been initialized", imc_name);
+		return TNC_RESULT_NOT_INITIALIZED;
+	}
+	if (!imc_os->get_state(imc_os, connection_id, &state))
+	{
+		return TNC_RESULT_FATAL;
+	}
+	in_msg = imc_msg_create_from_data(imc_os, state, connection_id, msg_type,
+									  chunk_create(msg, msg_len));
+	result = receive_message(state, in_msg);
+	in_msg->destroy(in_msg);
+
+	return result;
+}
+
+/**
+ * see section 3.8.6 of TCG TNC IF-IMV Specification 1.3
+ */
+TNC_Result TNC_IMC_ReceiveMessageLong(TNC_IMCID imc_id,
+									  TNC_ConnectionID connection_id,
+									  TNC_UInt32 msg_flags,
+									  TNC_BufferReference msg,
+									  TNC_UInt32 msg_len,
+									  TNC_VendorID msg_vid,
+									  TNC_MessageSubtype msg_subtype,
+									  TNC_UInt32 src_imv_id,
+									  TNC_UInt32 dst_imc_id)
+{
+	imc_state_t *state;
+	imc_msg_t *in_msg;
+	TNC_Result result;
+
+	if (!imc_os)
+	{
+		DBG1(DBG_IMC, "IMC \"%s\" has not been initialized", imc_name);
+		return TNC_RESULT_NOT_INITIALIZED;
+	}
+	if (!imc_os->get_state(imc_os, connection_id, &state))
+	{
+		return TNC_RESULT_FATAL;
+	}
+	in_msg = imc_msg_create_from_long_data(imc_os, state, connection_id,
+								src_imv_id, dst_imc_id,msg_vid, msg_subtype,
+								chunk_create(msg, msg_len));
+	result =receive_message(state, in_msg);
+	in_msg->destroy(in_msg);
+
+	return result;
+}
+
+/**
+ * see section 3.8.7 of TCG TNC IF-IMC Specification 1.3
+ */
+TNC_Result TNC_IMC_BatchEnding(TNC_IMCID imc_id,
+							   TNC_ConnectionID connection_id)
+{
+	if (!imc_os)
+	{
+		DBG1(DBG_IMC, "IMC \"%s\" has not been initialized", imc_name);
+		return TNC_RESULT_NOT_INITIALIZED;
+	}
+	return TNC_RESULT_SUCCESS;
+}
+
+/**
+ * see section 3.8.8 of TCG TNC IF-IMC Specification 1.3
+ */
+TNC_Result TNC_IMC_Terminate(TNC_IMCID imc_id)
+{
+	if (!imc_os)
+	{
+		DBG1(DBG_IMC, "IMC \"%s\" has not been initialized", imc_name);
+		return TNC_RESULT_NOT_INITIALIZED;
+	}
+	imc_os->destroy(imc_os);
+	imc_os = NULL;
+
+	os->destroy(os);
+	os = NULL;
+
+	return TNC_RESULT_SUCCESS;
+}
+
+/**
+ * see section 4.2.8.1 of TCG TNC IF-IMC Specification 1.3
+ */
+TNC_Result TNC_IMC_ProvideBindFunction(TNC_IMCID imc_id,
+									   TNC_TNCC_BindFunctionPointer bind_function)
+{
+	if (!imc_os)
+	{
+		DBG1(DBG_IMC, "IMC \"%s\" has not been initialized", imc_name);
+		return TNC_RESULT_NOT_INITIALIZED;
+	}
+	return imc_os->bind_functions(imc_os, bind_function);
+}
diff --git a/src/libimcv/plugins/imc_os/imc_os_state.c b/src/libimcv/plugins/imc_os/imc_os_state.c
new file mode 100644
index 000000000..f49959ab9
--- /dev/null
+++ b/src/libimcv/plugins/imc_os/imc_os_state.c
@@ -0,0 +1,162 @@
+/*
+ * Copyright (C) 2012 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "imc_os_state.h"
+
+#include <tncif_names.h>
+
+#include <utils/debug.h>
+
+typedef struct private_imc_os_state_t private_imc_os_state_t;
+
+/**
+ * Private data of an imc_os_state_t object.
+ */
+struct private_imc_os_state_t {
+
+	/**
+	 * Public members of imc_os_state_t
+	 */
+	imc_os_state_t public;
+
+	/**
+	 * TNCCS connection ID
+	 */
+	TNC_ConnectionID connection_id;
+
+	/**
+	 * TNCCS connection state
+	 */
+	TNC_ConnectionState state;
+
+	/**
+	 * Assessment/Evaluation Result
+	 */
+	TNC_IMV_Evaluation_Result result;
+
+	/**
+	 * Does the TNCCS connection support long message types?
+	 */
+	bool has_long;
+
+	/**
+	 * Does the TNCCS connection support exclusive delivery?
+	 */
+	bool has_excl;
+
+	/**
+	 * Maximum PA-TNC message size for this TNCCS connection
+	 */
+	u_int32_t max_msg_len;
+};
+
+METHOD(imc_state_t, get_connection_id, TNC_ConnectionID,
+	private_imc_os_state_t *this)
+{
+	return this->connection_id;
+}
+
+METHOD(imc_state_t, has_long, bool,
+	private_imc_os_state_t *this)
+{
+	return this->has_long;
+}
+
+METHOD(imc_state_t, has_excl, bool,
+	private_imc_os_state_t *this)
+{
+	return this->has_excl;
+}
+
+METHOD(imc_state_t, set_flags, void,
+	private_imc_os_state_t *this, bool has_long, bool has_excl)
+{
+	this->has_long = has_long;
+	this->has_excl = has_excl;
+}
+
+METHOD(imc_state_t, set_max_msg_len, void,
+	private_imc_os_state_t *this, u_int32_t max_msg_len)
+{
+	this->max_msg_len = max_msg_len;
+}
+
+METHOD(imc_state_t, get_max_msg_len, u_int32_t,
+	private_imc_os_state_t *this)
+{
+	return this->max_msg_len;
+}
+
+METHOD(imc_state_t, change_state, void,
+	private_imc_os_state_t *this, TNC_ConnectionState new_state)
+{
+	this->state = new_state;
+}
+
+METHOD(imc_state_t, set_result, void,
+	private_imc_os_state_t *this, TNC_IMCID id,
+	TNC_IMV_Evaluation_Result result)
+{
+	this->result = result;
+}
+
+METHOD(imc_state_t, get_result, bool,
+	private_imc_os_state_t *this, TNC_IMCID id,
+	TNC_IMV_Evaluation_Result *result)
+{
+	if (result)
+	{
+		*result = this->result;
+	}
+	return this->result != TNC_IMV_EVALUATION_RESULT_DONT_KNOW;
+}
+
+METHOD(imc_state_t, destroy, void,
+	private_imc_os_state_t *this)
+{
+	free(this);
+}
+
+/**
+ * Described in header.
+ */
+imc_state_t *imc_os_state_create(TNC_ConnectionID connection_id)
+{
+	private_imc_os_state_t *this;
+
+	INIT(this,
+		.public = {
+			.interface = {
+				.get_connection_id = _get_connection_id,
+				.has_long = _has_long,
+				.has_excl = _has_excl,
+				.set_flags = _set_flags,
+				.set_max_msg_len = _set_max_msg_len,
+				.get_max_msg_len = _get_max_msg_len,
+				.change_state = _change_state,
+				.set_result = _set_result,
+				.get_result = _get_result,
+				.destroy = _destroy,
+			},
+		},
+		.state = TNC_CONNECTION_STATE_CREATE,
+		.result = TNC_IMV_EVALUATION_RESULT_DONT_KNOW,
+		.connection_id = connection_id,
+	);
+
+	return &this->public.interface;
+}
+
+
diff --git a/src/libimcv/plugins/imc_os/imc_os_state.h b/src/libimcv/plugins/imc_os/imc_os_state.h
new file mode 100644
index 000000000..1fe23175a
--- /dev/null
+++ b/src/libimcv/plugins/imc_os/imc_os_state.h
@@ -0,0 +1,48 @@
+/*
+ * Copyright (C) 2012 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ *
+ * @defgroup imc_os_state_t imc_os_state
+ * @{ @ingroup imc_os_state
+ */
+
+#ifndef IMC_OS_STATE_H_
+#define IMC_OS_STATE_H_
+
+#include <imc/imc_state.h>
+#include <library.h>
+
+typedef struct imc_os_state_t imc_os_state_t;
+
+/**
+ * Internal state of an imc_os_t connection instance
+ */
+struct imc_os_state_t {
+
+	/**
+	 * imc_state_t interface
+	 */
+	imc_state_t interface;
+};
+
+/**
+ * Create an imc_os_state_t instance
+ *
+ * @param id		connection ID
+ */
+imc_state_t* imc_os_state_create(TNC_ConnectionID id);
+
+#endif /** IMC_OS_STATE_H_ @}*/
diff --git a/src/libimcv/plugins/imc_scanner/Makefile.in b/src/libimcv/plugins/imc_scanner/Makefile.in
index d06798170..c865544f6 100644
--- a/src/libimcv/plugins/imc_scanner/Makefile.in
+++ b/src/libimcv/plugins/imc_scanner/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -73,6 +73,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
 am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
 am__installdirs = "$(DESTDIR)$(imcvdir)"
 LTLIBRARIES = $(imcv_LTLIBRARIES)
 imc_scanner_la_DEPENDENCIES = $(top_builddir)/src/libimcv/libimcv.la \
@@ -119,6 +125,7 @@ CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -146,6 +153,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -173,6 +181,7 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
@@ -185,6 +194,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -238,7 +248,6 @@ libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -360,7 +369,7 @@ clean-imcvLTLIBRARIES:
 	  echo "rm -f \"$${dir}/so_locations\""; \
 	  rm -f "$${dir}/so_locations"; \
 	done
-imc-scanner.la: $(imc_scanner_la_OBJECTS) $(imc_scanner_la_DEPENDENCIES) 
+imc-scanner.la: $(imc_scanner_la_OBJECTS) $(imc_scanner_la_DEPENDENCIES) $(EXTRA_imc_scanner_la_DEPENDENCIES) 
 	$(imc_scanner_la_LINK) -rpath $(imcvdir) $(imc_scanner_la_OBJECTS) $(imc_scanner_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
@@ -498,10 +507,15 @@ install-am: all-am
 
 installcheck: installcheck-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
diff --git a/src/libimcv/plugins/imc_scanner/imc_scanner.c b/src/libimcv/plugins/imc_scanner/imc_scanner.c
index 34c9359fe..c87e827cd 100644
--- a/src/libimcv/plugins/imc_scanner/imc_scanner.c
+++ b/src/libimcv/plugins/imc_scanner/imc_scanner.c
@@ -16,17 +16,16 @@
 #include "imc_scanner_state.h"
 
 #include <imc/imc_agent.h>
-#include <pa_tnc/pa_tnc_msg.h>
+#include <imc/imc_msg.h>
 #include <ietf/ietf_attr.h>
-#include <ietf/ietf_attr_pa_tnc_error.h>
+#include <ietf/ietf_attr_attr_request.h>
 #include <ietf/ietf_attr_port_filter.h>
-#include <ietf/ietf_attr_assess_result.h>
 
 #include <tncif_pa_subtypes.h>
 
 #include <pen/pen.h>
 #include <utils/lexparser.h>
-#include <debug.h>
+#include <utils/debug.h>
 
 #include <stdio.h>
 
@@ -34,8 +33,9 @@
 
 static const char imc_name[] = "Scanner";
 
-#define IMC_VENDOR_ID	PEN_ITA
-#define IMC_SUBTYPE		PA_SUBTYPE_ITA_SCANNER
+static pen_type_t msg_types[] = {
+	{ PEN_IETF, PA_SUBTYPE_IETF_VPN }
+};
 
 static imc_agent_t *imc_scanner;
 
@@ -52,8 +52,8 @@ TNC_Result TNC_IMC_Initialize(TNC_IMCID imc_id,
 		DBG1(DBG_IMC, "IMC \"%s\" has already been initialized", imc_name);
 		return TNC_RESULT_ALREADY_INITIALIZED;
 	}
-	imc_scanner = imc_agent_create(imc_name, IMC_VENDOR_ID, IMC_SUBTYPE,
-								imc_id, actual_version);
+	imc_scanner = imc_agent_create(imc_name, msg_types, countof(msg_types),
+								   imc_id, actual_version);
 	if (!imc_scanner)
 	{
 		return TNC_RESULT_FATAL;
@@ -112,6 +112,7 @@ static bool do_netstat(ietf_attr_port_filter_t *attr)
 	chunk_t line, token;
 	int n = 0;
 	bool success = FALSE;
+	const char system_v4[]   = "127.0.1.1";
 	const char loopback_v4[] = "127.0.0.1";
 	const char loopback_v6[] = "::1";
 
@@ -119,12 +120,12 @@ static bool do_netstat(ietf_attr_port_filter_t *attr)
 	file = popen("/bin/netstat -n -l -p -4 -6 --inet", "r");
 	if (!file)
 	{
-		DBG1(DBG_IMC, "Failed to run netstat command");
+		DBG1(DBG_IMC, "failed to run netstat command");
 		return FALSE;
 	}
 
 	/* Read the output a line at a time */
-	while (fgets(buf, BUF_LEN-1, file))
+	while (fgets(buf, sizeof(buf), file))
 	{
 		u_char *pos;
 		u_int8_t new_protocol, protocol;
@@ -145,7 +146,7 @@ static bool do_netstat(ietf_attr_port_filter_t *attr)
 		/* Extract the IP protocol type */
 		if (!extract_token(&token, ' ', &line))
 		{
-			DBG1(DBG_IMC, "Protocol field in netstat output not found");
+			DBG1(DBG_IMC, "protocol field in netstat output not found");
 			goto end;
 		}
 		if (match("tcp", &token) || match("tcp6", &token))
@@ -158,7 +159,7 @@ static bool do_netstat(ietf_attr_port_filter_t *attr)
 		}
 		else
 		{
-			DBG1(DBG_IMC, "Skipped unknown IP protocol in netstat output");
+			DBG1(DBG_IMC, "skipped unknown IP protocol in netstat output");
 			continue;
 		}
 
@@ -173,7 +174,7 @@ static bool do_netstat(ietf_attr_port_filter_t *attr)
 		}
 		if (token.len == 0)
 		{
-			DBG1(DBG_IMC, "Local Address field in netstat output not found");
+			DBG1(DBG_IMC, "local address field in netstat output not found");
 			goto end;
 		}
 
@@ -182,13 +183,16 @@ static bool do_netstat(ietf_attr_port_filter_t *attr)
 		while (*--pos != ':' && --token.len);
 		if (*pos != ':')
 		{
-			DBG1(DBG_IMC, "Local port field in netstat output not found");
+			DBG1(DBG_IMC, "local port field in netstat output not found");
 			goto end;
 		}
 		token.len--;
 
-		/* ignore ports of IPv4 and IPv6 loopback interfaces */
-		if ((token.len == strlen(loopback_v4) &&
+		/* ignore ports of IPv4 and IPv6 loopback interfaces
+		   and the internal system IPv4 address */
+		if ((token.len == strlen(system_v4) &&
+				memeq(system_v4, token.ptr, token.len)) ||
+			(token.len == strlen(loopback_v4) &&
 				memeq(loopback_v4, token.ptr, token.len)) ||
 			(token.len == strlen(loopback_v6) &&
 				memeq(loopback_v6, token.ptr, token.len)))
@@ -229,12 +233,13 @@ end:
 	return success;
 }
 
-static TNC_Result send_message(TNC_ConnectionID connection_id)
+/**
+ * Add IETF Port Filter attribute to the send queue
+ */
+static TNC_Result add_port_filter(imc_msg_t *msg)
 {
-	linked_list_t *attr_list;
 	pa_tnc_attr_t *attr;
 	ietf_attr_port_filter_t *attr_port_filter;
-	TNC_Result result;
 
 	attr = ietf_attr_port_filter_create();
 	attr->set_noskip_flag(attr, TRUE);
@@ -244,13 +249,9 @@ static TNC_Result send_message(TNC_ConnectionID connection_id)
 		attr->destroy(attr);
 		return TNC_RESULT_FATAL;
 	}
-	attr_list = linked_list_create();
-	attr_list->insert_last(attr_list, attr);
-	result = imc_scanner->send_message(imc_scanner, connection_id, FALSE, 0,
-									   TNC_IMVID_ANY, attr_list);
-	attr_list->destroy(attr_list);
+	msg->add_attribute(msg, attr);
 
-	return result;
+	return TNC_RESULT_SUCCESS;
 }
 
 /**
@@ -259,85 +260,103 @@ static TNC_Result send_message(TNC_ConnectionID connection_id)
 TNC_Result TNC_IMC_BeginHandshake(TNC_IMCID imc_id,
 								  TNC_ConnectionID connection_id)
 {
-	if (!imc_scanner)
-	{
-		DBG1(DBG_IMC, "IMC \"%s\" has not been initialized", imc_name);
-		return TNC_RESULT_NOT_INITIALIZED;
-	}
-	return send_message(connection_id);
-}
-
-static TNC_Result receive_message(TNC_IMCID imc_id,
-								  TNC_ConnectionID connection_id,
-								  TNC_UInt32 msg_flags,
-								  chunk_t msg,
-								  TNC_VendorID msg_vid,
-								  TNC_MessageSubtype msg_subtype,
-								  TNC_UInt32 src_imv_id,
-								  TNC_UInt32 dst_imc_id)
-{
-	pa_tnc_msg_t *pa_tnc_msg;
-	pa_tnc_attr_t *attr;
-	pen_type_t attr_type;
 	imc_state_t *state;
-	enumerator_t *enumerator;
-	TNC_Result result;
-	TNC_UInt32 target_imc_id;
-	bool fatal_error;
+	imc_msg_t *out_msg;
+	TNC_Result result = TNC_RESULT_SUCCESS;
 
 	if (!imc_scanner)
 	{
 		DBG1(DBG_IMC, "IMC \"%s\" has not been initialized", imc_name);
 		return TNC_RESULT_NOT_INITIALIZED;
 	}
-
-	/* get current IMC state */
 	if (!imc_scanner->get_state(imc_scanner, connection_id, &state))
 	{
 		return TNC_RESULT_FATAL;
 	}
+	if (lib->settings->get_bool(lib->settings,
+								"libimcv.plugins.imc-scanner.push_info", TRUE))
+	{
+		out_msg = imc_msg_create(imc_scanner, state, connection_id, imc_id,
+								 TNC_IMVID_ANY, msg_types[0]);
+		result = add_port_filter(out_msg);
+		if (result == TNC_RESULT_SUCCESS)
+		{
+			/* send PA-TNC message with the excl flag not set */
+			result = out_msg->send(out_msg, FALSE);
+		}
+		out_msg->destroy(out_msg);
+	}
 
-	/* parse received PA-TNC message and automatically handle any errors */
-	result = imc_scanner->receive_message(imc_scanner, state, msg, msg_vid,
-							msg_subtype, src_imv_id, dst_imc_id, &pa_tnc_msg);
+	return result;
+}
 
-	/* no parsed PA-TNC attributes available if an error occurred */
-	if (!pa_tnc_msg)
+static TNC_Result receive_message(imc_msg_t *in_msg)
+{
+	imc_msg_t *out_msg;
+	enumerator_t *enumerator;
+	pa_tnc_attr_t *attr;
+	pen_type_t attr_type;
+	TNC_Result result = TNC_RESULT_SUCCESS;
+	bool fatal_error = FALSE;
+
+	/* parse received PA-TNC message and handle local and remote errors */
+	result = in_msg->receive(in_msg, &fatal_error);
+	if (result != TNC_RESULT_SUCCESS)
 	{
 		return result;
 	}
-	target_imc_id = (dst_imc_id == TNC_IMCID_ANY) ? imc_id : dst_imc_id;
-
-	/* preprocess any IETF standard error attributes */
-	fatal_error = pa_tnc_msg->process_ietf_std_errors(pa_tnc_msg);
+	out_msg = imc_msg_create_as_reply(in_msg);
 
 	/* analyze PA-TNC attributes */
-	enumerator = pa_tnc_msg->create_attribute_enumerator(pa_tnc_msg);
+	enumerator = in_msg->create_attribute_enumerator(in_msg);
 	while (enumerator->enumerate(enumerator, &attr))
 	{
 		attr_type = attr->get_type(attr);
 
-		if (attr_type.vendor_id == PEN_IETF &&
-			attr_type.type == IETF_ATTR_ASSESSMENT_RESULT)
+		if (attr_type.vendor_id != PEN_IETF)
+		{
+			continue;
+		}
+		if (attr_type.type == IETF_ATTR_ATTRIBUTE_REQUEST)
 		{
-			ietf_attr_assess_result_t *ietf_attr;
+			ietf_attr_attr_request_t *attr_cast;
+			pen_type_t *entry;
+			enumerator_t *e;
 
-			ietf_attr = (ietf_attr_assess_result_t*)attr;
-			state->set_result(state, target_imc_id,
-							  ietf_attr->get_result(ietf_attr));
+			attr_cast = (ietf_attr_attr_request_t*)attr;
+
+			e = attr_cast->create_enumerator(attr_cast);
+			while (e->enumerate(e, &entry))
+			{
+				if (entry->vendor_id != PEN_IETF)
+				{
+					continue;
+				}
+				switch (entry->type)
+				{
+					case IETF_ATTR_PORT_FILTER:
+						result = add_port_filter(out_msg);
+						break;
+					default:
+						break;
+				}
+			}
+			e->destroy(e);
 		}
 	}
 	enumerator->destroy(enumerator);
-	pa_tnc_msg->destroy(pa_tnc_msg);
 
 	if (fatal_error)
 	{
-		return TNC_RESULT_FATAL;
+		result = TNC_RESULT_FATAL;
 	}
+	else if (result == TNC_RESULT_SUCCESS)
+	{
+		result = out_msg->send(out_msg, TRUE);
+	}
+	out_msg->destroy(out_msg);
 
-	/* if no assessment result is known then repeat the measurement */
-	return state->get_result(state, target_imc_id, NULL) ?
-		   TNC_RESULT_SUCCESS : send_message(connection_id);
+	return result;
 }
 
 /**
@@ -350,14 +369,26 @@ TNC_Result TNC_IMC_ReceiveMessage(TNC_IMCID imc_id,
 								  TNC_UInt32 msg_len,
 								  TNC_MessageType msg_type)
 {
-	TNC_VendorID msg_vid;
-	TNC_MessageSubtype msg_subtype;
+	imc_state_t *state;
+	imc_msg_t *in_msg;
+	TNC_Result result;
+
+	if (!imc_scanner)
+	{
+		DBG1(DBG_IMC, "IMC \"%s\" has not been initialized", imc_name);
+		return TNC_RESULT_NOT_INITIALIZED;
+	}
+	if (!imc_scanner->get_state(imc_scanner, connection_id, &state))
+	{
+		return TNC_RESULT_FATAL;
+	}
 
-	msg_vid = msg_type >> 8;
-	msg_subtype = msg_type & TNC_SUBTYPE_ANY;
+	in_msg = imc_msg_create_from_data(imc_scanner, state, connection_id,
+									  msg_type, chunk_create(msg, msg_len));
+	result = receive_message(in_msg);
+	in_msg->destroy(in_msg);
 
-	return receive_message(imc_id, connection_id, 0, chunk_create(msg, msg_len),
-						   msg_vid,	msg_subtype, 0, TNC_IMCID_ANY);
+	return result;
 }
 
 /**
@@ -373,9 +404,26 @@ TNC_Result TNC_IMC_ReceiveMessageLong(TNC_IMCID imc_id,
 									  TNC_UInt32 src_imv_id,
 									  TNC_UInt32 dst_imc_id)
 {
-	return receive_message(imc_id, connection_id, msg_flags,
-						   chunk_create(msg, msg_len), msg_vid, msg_subtype,
-						   src_imv_id, dst_imc_id);
+	imc_state_t *state;
+	imc_msg_t *in_msg;
+	TNC_Result result;
+
+	if (!imc_scanner)
+	{
+		DBG1(DBG_IMC, "IMC \"%s\" has not been initialized", imc_name);
+		return TNC_RESULT_NOT_INITIALIZED;
+	}
+	if (!imc_scanner->get_state(imc_scanner, connection_id, &state))
+	{
+		return TNC_RESULT_FATAL;
+	}
+	in_msg = imc_msg_create_from_long_data(imc_scanner, state, connection_id,
+								src_imv_id, dst_imc_id, msg_vid, msg_subtype,
+								chunk_create(msg, msg_len));
+	result = receive_message(in_msg);
+	in_msg->destroy(in_msg);
+
+	return result;
 }
 
 /**
diff --git a/src/libimcv/plugins/imc_scanner/imc_scanner_state.c b/src/libimcv/plugins/imc_scanner/imc_scanner_state.c
index 991b24a73..b5a6cdd20 100644
--- a/src/libimcv/plugins/imc_scanner/imc_scanner_state.c
+++ b/src/libimcv/plugins/imc_scanner/imc_scanner_state.c
@@ -17,7 +17,7 @@
 
 #include <tncif_names.h>
 
-#include <debug.h>
+#include <utils/debug.h>
 
 typedef struct private_imc_scanner_state_t private_imc_scanner_state_t;
 
@@ -109,8 +109,6 @@ METHOD(imc_state_t, set_result, void,
 	private_imc_scanner_state_t *this, TNC_IMCID id,
 	TNC_IMV_Evaluation_Result result)
 {
-	DBG1(DBG_IMC, "set assessment result for IMC %u to '%N'",
-		 id, TNC_IMV_Evaluation_Result_names, result);
 	this->result = result;
 }
 
@@ -157,7 +155,7 @@ imc_state_t *imc_scanner_state_create(TNC_ConnectionID connection_id)
 		.result = TNC_IMV_EVALUATION_RESULT_DONT_KNOW,
 		.connection_id = connection_id,
 	);
-	
+
 	return &this->public.interface;
 }
 
diff --git a/src/libimcv/plugins/imc_test/Makefile.in b/src/libimcv/plugins/imc_test/Makefile.in
index 8e37e7e9e..51878adc0 100644
--- a/src/libimcv/plugins/imc_test/Makefile.in
+++ b/src/libimcv/plugins/imc_test/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -73,6 +73,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
 am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
 am__installdirs = "$(DESTDIR)$(imcvdir)"
 LTLIBRARIES = $(imcv_LTLIBRARIES)
 imc_test_la_DEPENDENCIES = $(top_builddir)/src/libimcv/libimcv.la \
@@ -119,6 +125,7 @@ CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -146,6 +153,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -173,6 +181,7 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
@@ -185,6 +194,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -238,7 +248,6 @@ libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -360,7 +369,7 @@ clean-imcvLTLIBRARIES:
 	  echo "rm -f \"$${dir}/so_locations\""; \
 	  rm -f "$${dir}/so_locations"; \
 	done
-imc-test.la: $(imc_test_la_OBJECTS) $(imc_test_la_DEPENDENCIES) 
+imc-test.la: $(imc_test_la_OBJECTS) $(imc_test_la_DEPENDENCIES) $(EXTRA_imc_test_la_DEPENDENCIES) 
 	$(imc_test_la_LINK) -rpath $(imcvdir) $(imc_test_la_OBJECTS) $(imc_test_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
@@ -498,10 +507,15 @@ install-am: all-am
 
 installcheck: installcheck-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
diff --git a/src/libimcv/plugins/imc_test/imc_test.c b/src/libimcv/plugins/imc_test/imc_test.c
index ee8e5b206..c97d41628 100644
--- a/src/libimcv/plugins/imc_test/imc_test.c
+++ b/src/libimcv/plugins/imc_test/imc_test.c
@@ -16,10 +16,8 @@
 #include "imc_test_state.h"
 
 #include <imc/imc_agent.h>
-#include <pa_tnc/pa_tnc_msg.h>
+#include <imc/imc_msg.h>
 #include <ietf/ietf_attr.h>
-#include <ietf/ietf_attr_pa_tnc_error.h>
-#include <ietf/ietf_attr_assess_result.h>
 #include <ita/ita_attr.h>
 #include <ita/ita_attr_command.h>
 #include <ita/ita_attr_dummy.h>
@@ -27,17 +25,18 @@
 #include <tncif_pa_subtypes.h>
 
 #include <pen/pen.h>
-#include <debug.h>
+#include <utils/debug.h>
 
 /* IMC definitions */
 
 static const char imc_name[] = "Test";
 
-#define IMC_VENDOR_ID	PEN_ITA
-#define IMC_SUBTYPE		PA_SUBTYPE_ITA_TEST
+static pen_type_t msg_types[] = {
+	{ PEN_ITA, PA_SUBTYPE_ITA_TEST }
+};
 
 static imc_agent_t *imc_test;
- 
+
 /**
  * see section 3.8.1 of TCG TNC IF-IMC Specification 1.3
  */
@@ -51,7 +50,7 @@ TNC_Result TNC_IMC_Initialize(TNC_IMCID imc_id,
 		DBG1(DBG_IMC, "IMC \"%s\" has already been initialized", imc_name);
 		return TNC_RESULT_ALREADY_INITIALIZED;
 	}
-	imc_test = imc_agent_create(imc_name, IMC_VENDOR_ID, IMC_SUBTYPE,
+	imc_test = imc_agent_create(imc_name, msg_types, countof(msg_types),
 								imc_id, actual_version);
 	if (!imc_test)
 	{
@@ -182,36 +181,24 @@ TNC_Result TNC_IMC_NotifyConnectionChange(TNC_IMCID imc_id,
 	}
 }
 
-static TNC_Result send_message(imc_state_t *state, TNC_UInt32 src_imc_id,
-												   TNC_UInt32 dst_imv_id)
+static TNC_Result send_message(imc_state_t *state, imc_msg_t *out_msg)
 {
 	imc_test_state_t *test_state;
-	linked_list_t *attr_list;
 	pa_tnc_attr_t *attr;
-	bool excl;
-	TNC_ConnectionID connection_id;
-	TNC_Result result;
 
-	attr_list = linked_list_create();
-	connection_id = state->get_connection_id(state);
 	test_state = (imc_test_state_t*)state;
-
 	if (test_state->get_dummy_size(test_state))
 	{
 		attr = ita_attr_dummy_create(test_state->get_dummy_size(test_state));
 		attr->set_noskip_flag(attr, TRUE);
-		attr_list->insert_last(attr_list, attr);
+		out_msg->add_attribute(out_msg, attr);
 	}
 	attr = ita_attr_command_create(test_state->get_command(test_state));
 	attr->set_noskip_flag(attr, TRUE);
-	attr_list->insert_last(attr_list, attr);
-
-	excl = dst_imv_id != TNC_IMVID_ANY;
-	result = imc_test->send_message(imc_test, connection_id, excl, src_imc_id,
-									dst_imv_id, attr_list);
-	attr_list->destroy(attr_list);
+	out_msg->add_attribute(out_msg, attr);
 
-	return result;
+	/* send PA-TNC message with the excl flag set */
+	return out_msg->send(out_msg, TRUE);
 }
 
 /**
@@ -221,6 +208,7 @@ TNC_Result TNC_IMC_BeginHandshake(TNC_IMCID imc_id,
 								  TNC_ConnectionID connection_id)
 {
 	imc_state_t *state;
+	imc_msg_t *out_msg;
 	enumerator_t *enumerator;
 	void *pointer;
 	TNC_UInt32 additional_id;
@@ -231,15 +219,16 @@ TNC_Result TNC_IMC_BeginHandshake(TNC_IMCID imc_id,
 		DBG1(DBG_IMC, "IMC \"%s\" has not been initialized", imc_name);
 		return TNC_RESULT_NOT_INITIALIZED;
 	}
-
-	/* get current IMC state */
 	if (!imc_test->get_state(imc_test, connection_id, &state))
 	{
 		return TNC_RESULT_FATAL;
 	}
 
 	/* send PA message for primary IMC ID */
-	result = send_message(state, imc_id, TNC_IMVID_ANY);
+	out_msg = imc_msg_create(imc_test, state, connection_id, imc_id,
+							 TNC_IMVID_ANY, msg_types[0]);
+	result = send_message(state, out_msg);
+	out_msg->destroy(out_msg);
 
 	/* Exit if there are no additional IMC IDs */
 	if (!imc_test->count_additional_ids(imc_test))
@@ -262,93 +251,60 @@ TNC_Result TNC_IMC_BeginHandshake(TNC_IMCID imc_id,
 	{
 		/* interpret pointer as scalar value */
 		additional_id = (TNC_UInt32)pointer;
-		result = send_message(state, additional_id, TNC_IMVID_ANY);	
+		out_msg = imc_msg_create(imc_test, state, connection_id, additional_id,
+								 TNC_IMVID_ANY, msg_types[0]);
+		result = send_message(state, out_msg);
+		out_msg->destroy(out_msg);
 	}
 	enumerator->destroy(enumerator);
 
 	return result;
 }
 
-static TNC_Result receive_message(TNC_IMCID imc_id,
-								  TNC_ConnectionID connection_id,
-								  TNC_UInt32 msg_flags,
-								  chunk_t msg,
-								  TNC_VendorID msg_vid,
-								  TNC_MessageSubtype msg_subtype,
-								  TNC_UInt32 src_imv_id,
-								  TNC_UInt32 dst_imc_id)
+static TNC_Result receive_message(imc_state_t *state, imc_msg_t *in_msg)
 {
-	pa_tnc_msg_t *pa_tnc_msg;
+	imc_msg_t *out_msg;
+	enumerator_t *enumerator;
 	pa_tnc_attr_t *attr;
 	pen_type_t attr_type;
-	imc_state_t *state;
-	enumerator_t *enumerator;
 	TNC_Result result;
-	TNC_UInt32 target_imc_id;
 	bool fatal_error = FALSE;
 
-	if (!imc_test)
-	{
-		DBG1(DBG_IMC, "IMC \"%s\" has not been initialized", imc_name);
-		return TNC_RESULT_NOT_INITIALIZED;
-	}
-
-	/* get current IMC state */
-	if (!imc_test->get_state(imc_test, connection_id, &state))
-	{
-		return TNC_RESULT_FATAL;
-	}
-
-	/* parse received PA-TNC message and automatically handle any errors */ 
-	result = imc_test->receive_message(imc_test, state, msg, msg_vid,
-							msg_subtype, src_imv_id, dst_imc_id, &pa_tnc_msg);
-
-	/* no parsed PA-TNC attributes available if an error occurred */
-	if (!pa_tnc_msg)
+	/* parse received PA-TNC message and handle local and remote errors */
+	result = in_msg->receive(in_msg, &fatal_error);
+	if (result != TNC_RESULT_SUCCESS)
 	{
 		return result;
 	}
-	target_imc_id = (dst_imc_id == TNC_IMCID_ANY) ? imc_id : dst_imc_id;
-
-	/* preprocess any IETF standard error attributes */
-	fatal_error = pa_tnc_msg->process_ietf_std_errors(pa_tnc_msg);
 
 	/* analyze PA-TNC attributes */
-	enumerator = pa_tnc_msg->create_attribute_enumerator(pa_tnc_msg);
+	enumerator = in_msg->create_attribute_enumerator(in_msg);
 	while (enumerator->enumerate(enumerator, &attr))
 	{
 		attr_type = attr->get_type(attr);
 
-		if (attr_type.vendor_id == PEN_IETF)
+		if (attr_type.vendor_id != PEN_ITA)
 		{
-			ietf_attr_assess_result_t *ietf_attr;
-
-			ietf_attr = (ietf_attr_assess_result_t*)attr;
-			state->set_result(state, target_imc_id,
-							  ietf_attr->get_result(ietf_attr));
+			continue;
 		}
-		else if (attr_type.vendor_id == PEN_ITA)
+		if (attr_type.type == ITA_ATTR_COMMAND)
 		{
-			if (attr_type.type == ITA_ATTR_COMMAND)
-			{
-				ita_attr_command_t *ita_attr;
+			ita_attr_command_t *ita_attr;
 
-				ita_attr = (ita_attr_command_t*)attr;
-				DBG1(DBG_IMC, "received command '%s'",
-					 ita_attr->get_command(ita_attr));
-			}
-			else if (attr_type.type == ITA_ATTR_DUMMY)
-			{
-				ita_attr_dummy_t *ita_attr;
+			ita_attr = (ita_attr_command_t*)attr;
+			DBG1(DBG_IMC, "received command '%s'",
+				 ita_attr->get_command(ita_attr));
+		}
+		else if (attr_type.type == ITA_ATTR_DUMMY)
+		{
+			ita_attr_dummy_t *ita_attr;
 
-				ita_attr = (ita_attr_dummy_t*)attr;
-				DBG1(DBG_IMC, "received dummy attribute value (%d bytes)",
-					 ita_attr->get_size(ita_attr));
-			}
+			ita_attr = (ita_attr_dummy_t*)attr;
+			DBG1(DBG_IMC, "received dummy attribute value (%d bytes)",
+				 ita_attr->get_size(ita_attr));
 		}
 	}
 	enumerator->destroy(enumerator);
-	pa_tnc_msg->destroy(pa_tnc_msg);
 
 	if (fatal_error)
 	{
@@ -356,8 +312,15 @@ static TNC_Result receive_message(TNC_IMCID imc_id,
 	}
 
 	/* if no assessment result is known then repeat the measurement */
-	return state->get_result(state, target_imc_id, NULL) ?
-		   TNC_RESULT_SUCCESS : send_message(state, dst_imc_id, src_imv_id);
+	if (state->get_result(state, in_msg->get_dst_id(in_msg), NULL))
+	{
+		return TNC_RESULT_SUCCESS;
+	}
+	out_msg = imc_msg_create_as_reply(in_msg);
+ 	result = send_message(state, out_msg);
+	out_msg->destroy(out_msg);
+
+	return result;
 }
 
 /**
@@ -369,14 +332,26 @@ TNC_Result TNC_IMC_ReceiveMessage(TNC_IMCID imc_id,
 								  TNC_UInt32 msg_len,
 								  TNC_MessageType msg_type)
 {
-	TNC_VendorID msg_vid;
-	TNC_MessageSubtype msg_subtype;
+	imc_state_t *state;
+	imc_msg_t *in_msg;
+	TNC_Result result;
+
+	if (!imc_test)
+	{
+		DBG1(DBG_IMC, "IMC \"%s\" has not been initialized", imc_name);
+		return TNC_RESULT_NOT_INITIALIZED;
+	}
+	if (!imc_test->get_state(imc_test, connection_id, &state))
+	{
+		return TNC_RESULT_FATAL;
+	}
 
-	msg_vid = msg_type >> 8;
-	msg_subtype = msg_type & TNC_SUBTYPE_ANY;
+	in_msg = imc_msg_create_from_data(imc_test, state, connection_id, msg_type,
+									  chunk_create(msg, msg_len));
+	result = receive_message(state, in_msg);
+	in_msg->destroy(in_msg);
 
-	return receive_message(imc_id, connection_id, 0, chunk_create(msg, msg_len),
-						   msg_vid,	msg_subtype, 0, TNC_IMCID_ANY);
+	return result;
 }
 
 /**
@@ -392,9 +367,26 @@ TNC_Result TNC_IMC_ReceiveMessageLong(TNC_IMCID imc_id,
 									  TNC_UInt32 src_imv_id,
 									  TNC_UInt32 dst_imc_id)
 {
-	return receive_message(imc_id, connection_id, msg_flags,
-						   chunk_create(msg, msg_len), msg_vid, msg_subtype,
-						   src_imv_id, dst_imc_id);
+	imc_state_t *state;
+	imc_msg_t *in_msg;
+	TNC_Result result;
+
+	if (!imc_test)
+	{
+		DBG1(DBG_IMC, "IMC \"%s\" has not been initialized", imc_name);
+		return TNC_RESULT_NOT_INITIALIZED;
+	}
+	if (!imc_test->get_state(imc_test, connection_id, &state))
+	{
+		return TNC_RESULT_FATAL;
+	}
+	in_msg = imc_msg_create_from_long_data(imc_test, state, connection_id,
+								src_imv_id, dst_imc_id, msg_vid, msg_subtype,
+								chunk_create(msg, msg_len));
+	result =receive_message(state, in_msg);
+	in_msg->destroy(in_msg);
+
+	return result;
 }
 
 /**
diff --git a/src/libimcv/plugins/imc_test/imc_test_state.c b/src/libimcv/plugins/imc_test/imc_test_state.c
index e70eb1492..e7beca0aa 100644
--- a/src/libimcv/plugins/imc_test/imc_test_state.c
+++ b/src/libimcv/plugins/imc_test/imc_test_state.c
@@ -17,8 +17,8 @@
 
 #include <tncif_names.h>
 
-#include <debug.h>
-#include <utils/linked_list.h>
+#include <utils/debug.h>
+#include <collections/linked_list.h>
 
 typedef struct private_imc_test_state_t private_imc_test_state_t;
 typedef struct entry_t entry_t;
@@ -82,7 +82,7 @@ struct private_imc_test_state_t {
 	 * Do a handshake retry
 	 */
 	bool handshake_retry;
-	
+
 };
 
 /**
@@ -144,9 +144,6 @@ METHOD(imc_state_t, set_result, void,
 	entry_t *entry;
 	bool found = FALSE;
 
-	DBG1(DBG_IMC, "set assessment result for IMC %u to '%N'",
-		 id, TNC_IMV_Evaluation_Result_names, result);
-
 	enumerator = this->results->create_enumerator(this->results);
 	while (enumerator->enumerate(enumerator, &entry))
 	{
@@ -283,7 +280,7 @@ imc_state_t *imc_test_state_create(TNC_ConnectionID connection_id,
 		.first_handshake = TRUE,
 		.handshake_retry = retry,
 	);
-	
+
 	return &this->public.interface;
 }
 
diff --git a/src/libimcv/plugins/imv_os/Makefile.am b/src/libimcv/plugins/imv_os/Makefile.am
new file mode 100644
index 000000000..58edc6963
--- /dev/null
+++ b/src/libimcv/plugins/imv_os/Makefile.am
@@ -0,0 +1,24 @@
+
+INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libtncif \
+	-I$(top_srcdir)/src/libimcv
+
+AM_CFLAGS = -rdynamic
+
+imcv_LTLIBRARIES = imv-os.la
+
+imv_os_la_LIBADD = $(top_builddir)/src/libimcv/libimcv.la \
+	$(top_builddir)/src/libstrongswan/libstrongswan.la
+
+imv_os_la_SOURCES = \
+	imv_os.c imv_os_state.h imv_os_state.c \
+	imv_os_database.c imv_os_database.h
+
+imv_os_la_LDFLAGS = -module -avoid-version
+
+ipsec_PROGRAMS = pacman
+pacman_SOURCES = pacman.c 
+pacman_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la
+pacman.o :	$(top_builddir)/config.status
+
+EXTRA_DIST = pacman.sh
+
diff --git a/src/libimcv/plugins/imv_os/Makefile.in b/src/libimcv/plugins/imv_os/Makefile.in
new file mode 100644
index 000000000..53a547a4d
--- /dev/null
+++ b/src/libimcv/plugins/imv_os/Makefile.in
@@ -0,0 +1,684 @@
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+
+VPATH = @srcdir@
+pkgdatadir = $(datadir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+ipsec_PROGRAMS = pacman$(EXEEXT)
+subdir = src/libimcv/plugins/imv_os
+DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+	$(top_srcdir)/m4/config/ltoptions.m4 \
+	$(top_srcdir)/m4/config/ltsugar.m4 \
+	$(top_srcdir)/m4/config/ltversion.m4 \
+	$(top_srcdir)/m4/config/lt~obsolete.m4 \
+	$(top_srcdir)/m4/macros/with.m4 \
+	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
+	$(top_srcdir)/configure.in
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+	$(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_HEADER = $(top_builddir)/config.h
+CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+    *) f=$$p;; \
+  esac;
+am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
+am__install_max = 40
+am__nobase_strip_setup = \
+  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
+am__nobase_strip = \
+  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
+am__nobase_list = $(am__nobase_strip_setup); \
+  for p in $$list; do echo "$$p $$p"; done | \
+  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
+  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
+    if (++n[$$2] == $(am__install_max)) \
+      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
+    END { for (dir in files) print dir, files[dir] }'
+am__base_list = \
+  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
+  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
+am__installdirs = "$(DESTDIR)$(imcvdir)" "$(DESTDIR)$(ipsecdir)"
+LTLIBRARIES = $(imcv_LTLIBRARIES)
+imv_os_la_DEPENDENCIES = $(top_builddir)/src/libimcv/libimcv.la \
+	$(top_builddir)/src/libstrongswan/libstrongswan.la
+am_imv_os_la_OBJECTS = imv_os.lo imv_os_state.lo imv_os_database.lo
+imv_os_la_OBJECTS = $(am_imv_os_la_OBJECTS)
+imv_os_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(imv_os_la_LDFLAGS) $(LDFLAGS) -o $@
+PROGRAMS = $(ipsec_PROGRAMS)
+am_pacman_OBJECTS = pacman.$(OBJEXT)
+pacman_OBJECTS = $(am_pacman_OBJECTS)
+pacman_DEPENDENCIES =  \
+	$(top_builddir)/src/libstrongswan/libstrongswan.la
+DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
+depcomp = $(SHELL) $(top_srcdir)/depcomp
+am__depfiles_maybe = depfiles
+am__mv = mv -f
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
+	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CCLD = $(CC)
+LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
+	$(LDFLAGS) -o $@
+SOURCES = $(imv_os_la_SOURCES) $(pacman_SOURCES)
+DIST_SOURCES = $(imv_os_la_SOURCES) $(pacman_SOURCES)
+ETAGS = etags
+CTAGS = ctags
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
+AMTAR = @AMTAR@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+BFDLIB = @BFDLIB@
+BTLIB = @BTLIB@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
+DSYMUTIL = @DSYMUTIL@
+DUMPBIN = @DUMPBIN@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+FGREP = @FGREP@
+GPERF = @GPERF@
+GREP = @GREP@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LD = @LD@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LIPO = @LIPO@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
+MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
+NM = @NM@
+NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
+PTHREADLIB = @PTHREADLIB@
+RANLIB = @RANLIB@
+RTLIB = @RTLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
+SED = @SED@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
+STRIP = @STRIP@
+VERSION = @VERSION@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+attest_plugins = @attest_plugins@
+axis2c_CFLAGS = @axis2c_CFLAGS@
+axis2c_LIBS = @axis2c_LIBS@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+c_plugins = @c_plugins@
+charon_natt_port = @charon_natt_port@
+charon_plugins = @charon_plugins@
+charon_udp_port = @charon_udp_port@
+clearsilver_LIBS = @clearsilver_LIBS@
+datadir = @datadir@
+datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
+dev_headers = @dev_headers@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+gtk_CFLAGS = @gtk_CFLAGS@
+gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+imcvdir = @imcvdir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+ipsec_script = @ipsec_script@
+ipsec_script_upper = @ipsec_script_upper@
+ipsecdir = @ipsecdir@
+ipsecgroup = @ipsecgroup@
+ipseclibdir = @ipseclibdir@
+ipsecuser = @ipsecuser@
+libdir = @libdir@
+libexecdir = @libexecdir@
+linux_headers = @linux_headers@
+localedir = @localedir@
+localstatedir = @localstatedir@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
+mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
+mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
+nm_plugins = @nm_plugins@
+oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
+pcsclite_CFLAGS = @pcsclite_CFLAGS@
+pcsclite_LIBS = @pcsclite_LIBS@
+pdfdir = @pdfdir@
+piddir = @piddir@
+pki_plugins = @pki_plugins@
+plugindir = @plugindir@
+pool_plugins = @pool_plugins@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+random_device = @random_device@
+resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
+sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
+sharedstatedir = @sharedstatedir@
+soup_CFLAGS = @soup_CFLAGS@
+soup_LIBS = @soup_LIBS@
+srcdir = @srcdir@
+starter_plugins = @starter_plugins@
+strongswan_conf = @strongswan_conf@
+sysconfdir = @sysconfdir@
+systemdsystemunitdir = @systemdsystemunitdir@
+target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+urandom_device = @urandom_device@
+xml_CFLAGS = @xml_CFLAGS@
+xml_LIBS = @xml_LIBS@
+INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libtncif \
+	-I$(top_srcdir)/src/libimcv
+
+AM_CFLAGS = -rdynamic
+imcv_LTLIBRARIES = imv-os.la
+imv_os_la_LIBADD = $(top_builddir)/src/libimcv/libimcv.la \
+	$(top_builddir)/src/libstrongswan/libstrongswan.la
+
+imv_os_la_SOURCES = \
+	imv_os.c imv_os_state.h imv_os_state.c \
+	imv_os_database.c imv_os_database.h
+
+imv_os_la_LDFLAGS = -module -avoid-version
+pacman_SOURCES = pacman.c 
+pacman_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la
+EXTRA_DIST = pacman.sh
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .c .lo .o .obj
+$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
+	@for dep in $?; do \
+	  case '$(am__configure_deps)' in \
+	    *$$dep*) \
+	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+	        && { if test -f $@; then exit 0; else break; fi; }; \
+	      exit 1;; \
+	  esac; \
+	done; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libimcv/plugins/imv_os/Makefile'; \
+	$(am__cd) $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu src/libimcv/plugins/imv_os/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+	@case '$?' in \
+	  *config.status*) \
+	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+	  *) \
+	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+	esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure:  $(am__configure_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
+install-imcvLTLIBRARIES: $(imcv_LTLIBRARIES)
+	@$(NORMAL_INSTALL)
+	test -z "$(imcvdir)" || $(MKDIR_P) "$(DESTDIR)$(imcvdir)"
+	@list='$(imcv_LTLIBRARIES)'; test -n "$(imcvdir)" || list=; \
+	list2=; for p in $$list; do \
+	  if test -f $$p; then \
+	    list2="$$list2 $$p"; \
+	  else :; fi; \
+	done; \
+	test -z "$$list2" || { \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(imcvdir)'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(imcvdir)"; \
+	}
+
+uninstall-imcvLTLIBRARIES:
+	@$(NORMAL_UNINSTALL)
+	@list='$(imcv_LTLIBRARIES)'; test -n "$(imcvdir)" || list=; \
+	for p in $$list; do \
+	  $(am__strip_dir) \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(imcvdir)/$$f'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(imcvdir)/$$f"; \
+	done
+
+clean-imcvLTLIBRARIES:
+	-test -z "$(imcv_LTLIBRARIES)" || rm -f $(imcv_LTLIBRARIES)
+	@list='$(imcv_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+imv-os.la: $(imv_os_la_OBJECTS) $(imv_os_la_DEPENDENCIES) $(EXTRA_imv_os_la_DEPENDENCIES) 
+	$(imv_os_la_LINK) -rpath $(imcvdir) $(imv_os_la_OBJECTS) $(imv_os_la_LIBADD) $(LIBS)
+install-ipsecPROGRAMS: $(ipsec_PROGRAMS)
+	@$(NORMAL_INSTALL)
+	test -z "$(ipsecdir)" || $(MKDIR_P) "$(DESTDIR)$(ipsecdir)"
+	@list='$(ipsec_PROGRAMS)'; test -n "$(ipsecdir)" || list=; \
+	for p in $$list; do echo "$$p $$p"; done | \
+	sed 's/$(EXEEXT)$$//' | \
+	while read p p1; do if test -f $$p || test -f $$p1; \
+	  then echo "$$p"; echo "$$p"; else :; fi; \
+	done | \
+	sed -e 'p;s,.*/,,;n;h' -e 's|.*|.|' \
+	    -e 'p;x;s,.*/,,;s/$(EXEEXT)$$//;$(transform);s/$$/$(EXEEXT)/' | \
+	sed 'N;N;N;s,\n, ,g' | \
+	$(AWK) 'BEGIN { files["."] = ""; dirs["."] = 1 } \
+	  { d=$$3; if (dirs[d] != 1) { print "d", d; dirs[d] = 1 } \
+	    if ($$2 == $$4) files[d] = files[d] " " $$1; \
+	    else { print "f", $$3 "/" $$4, $$1; } } \
+	  END { for (d in files) print "f", d, files[d] }' | \
+	while read type dir files; do \
+	    if test "$$dir" = .; then dir=; else dir=/$$dir; fi; \
+	    test -z "$$files" || { \
+	    echo " $(INSTALL_PROGRAM_ENV) $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL_PROGRAM) $$files '$(DESTDIR)$(ipsecdir)$$dir'"; \
+	    $(INSTALL_PROGRAM_ENV) $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL_PROGRAM) $$files "$(DESTDIR)$(ipsecdir)$$dir" || exit $$?; \
+	    } \
+	; done
+
+uninstall-ipsecPROGRAMS:
+	@$(NORMAL_UNINSTALL)
+	@list='$(ipsec_PROGRAMS)'; test -n "$(ipsecdir)" || list=; \
+	files=`for p in $$list; do echo "$$p"; done | \
+	  sed -e 'h;s,^.*/,,;s/$(EXEEXT)$$//;$(transform)' \
+	      -e 's/$$/$(EXEEXT)/' `; \
+	test -n "$$list" || exit 0; \
+	echo " ( cd '$(DESTDIR)$(ipsecdir)' && rm -f" $$files ")"; \
+	cd "$(DESTDIR)$(ipsecdir)" && rm -f $$files
+
+clean-ipsecPROGRAMS:
+	@list='$(ipsec_PROGRAMS)'; test -n "$$list" || exit 0; \
+	echo " rm -f" $$list; \
+	rm -f $$list || exit $$?; \
+	test -n "$(EXEEXT)" || exit 0; \
+	list=`for p in $$list; do echo "$$p"; done | sed 's/$(EXEEXT)$$//'`; \
+	echo " rm -f" $$list; \
+	rm -f $$list
+pacman$(EXEEXT): $(pacman_OBJECTS) $(pacman_DEPENDENCIES) $(EXTRA_pacman_DEPENDENCIES) 
+	@rm -f pacman$(EXEEXT)
+	$(LINK) $(pacman_OBJECTS) $(pacman_LDADD) $(LIBS)
+
+mostlyclean-compile:
+	-rm -f *.$(OBJEXT)
+
+distclean-compile:
+	-rm -f *.tab.c
+
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/imv_os.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/imv_os_database.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/imv_os_state.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pacman.Po@am__quote@
+
+.c.o:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+
+.c.obj:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+
+.c.lo:
+@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	mkid -fID $$unique
+tags: TAGS
+
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	set x; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	shift; \
+	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
+	  test -n "$$unique" || unique=$$empty_fix; \
+	  if test $$# -gt 0; then \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      "$$@" $$unique; \
+	  else \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      $$unique; \
+	  fi; \
+	fi
+ctags: CTAGS
+CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	test -z "$(CTAGS_ARGS)$$unique" \
+	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+	     $$unique
+
+GTAGS:
+	here=`$(am__cd) $(top_builddir) && pwd` \
+	  && $(am__cd) $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) "$$here"
+
+distclean-tags:
+	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+distdir: $(DISTFILES)
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
+	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d "$(distdir)/$$file"; then \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
+	  else \
+	    test -f "$(distdir)/$$file" \
+	    || cp -p $$d/$$file "$(distdir)/$$file" \
+	    || exit 1; \
+	  fi; \
+	done
+check-am: all-am
+check: check-am
+all-am: Makefile $(LTLIBRARIES) $(PROGRAMS)
+installdirs:
+	for dir in "$(DESTDIR)$(imcvdir)" "$(DESTDIR)$(ipsecdir)"; do \
+	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
+	done
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
+
+maintainer-clean-generic:
+	@echo "This command is intended for maintainers to use"
+	@echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-generic clean-imcvLTLIBRARIES clean-ipsecPROGRAMS \
+	clean-libtool mostlyclean-am
+
+distclean: distclean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+	distclean-tags
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+html-am:
+
+info: info-am
+
+info-am:
+
+install-data-am: install-imcvLTLIBRARIES install-ipsecPROGRAMS
+
+install-dvi: install-dvi-am
+
+install-dvi-am:
+
+install-exec-am:
+
+install-html: install-html-am
+
+install-html-am:
+
+install-info: install-info-am
+
+install-info-am:
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-pdf-am:
+
+install-ps: install-ps-am
+
+install-ps-am:
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+	mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am: uninstall-imcvLTLIBRARIES uninstall-ipsecPROGRAMS
+
+.MAKE: install-am install-strip
+
+.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
+	clean-imcvLTLIBRARIES clean-ipsecPROGRAMS clean-libtool ctags \
+	distclean distclean-compile distclean-generic \
+	distclean-libtool distclean-tags distdir dvi dvi-am html \
+	html-am info info-am install install-am install-data \
+	install-data-am install-dvi install-dvi-am install-exec \
+	install-exec-am install-html install-html-am \
+	install-imcvLTLIBRARIES install-info install-info-am \
+	install-ipsecPROGRAMS install-man install-pdf install-pdf-am \
+	install-ps install-ps-am install-strip installcheck \
+	installcheck-am installdirs maintainer-clean \
+	maintainer-clean-generic mostlyclean mostlyclean-compile \
+	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
+	tags uninstall uninstall-am uninstall-imcvLTLIBRARIES \
+	uninstall-ipsecPROGRAMS
+
+pacman.o :	$(top_builddir)/config.status
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/src/libimcv/plugins/imv_os/imv_os.c b/src/libimcv/plugins/imv_os/imv_os.c
new file mode 100644
index 000000000..65538df07
--- /dev/null
+++ b/src/libimcv/plugins/imv_os/imv_os.c
@@ -0,0 +1,590 @@
+/*
+ * Copyright (C) 2012 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "imv_os_state.h"
+#include "imv_os_database.h"
+
+#include <imv/imv_agent.h>
+#include <imv/imv_msg.h>
+#include <ietf/ietf_attr.h>
+#include <ietf/ietf_attr_attr_request.h>
+#include <ietf/ietf_attr_default_pwd_enabled.h>
+#include <ietf/ietf_attr_fwd_enabled.h>
+#include <ietf/ietf_attr_installed_packages.h>
+#include <ietf/ietf_attr_numeric_version.h>
+#include <ietf/ietf_attr_op_status.h>
+#include <ietf/ietf_attr_pa_tnc_error.h>
+#include <ietf/ietf_attr_product_info.h>
+#include <ietf/ietf_attr_remediation_instr.h>
+#include <ietf/ietf_attr_string_version.h>
+#include <ita/ita_attr.h>
+#include <ita/ita_attr_get_settings.h>
+#include <ita/ita_attr_settings.h>
+#include <ita/ita_attr_angel.h>
+
+#include <tncif_names.h>
+#include <tncif_pa_subtypes.h>
+
+#include <pen/pen.h>
+#include <collections/linked_list.h>
+#include <utils/debug.h>
+#include <utils/lexparser.h>
+
+/* IMV definitions */
+
+static const char imv_name[] = "OS";
+
+static pen_type_t msg_types[] = {
+	{ PEN_IETF, PA_SUBTYPE_IETF_OPERATING_SYSTEM }
+};
+
+static imv_agent_t *imv_os;
+
+/**
+ * IMV OS database
+ */
+static imv_os_database_t *os_db;
+
+/*
+ * see section 3.8.1 of TCG TNC IF-IMV Specification 1.3
+ */
+TNC_Result TNC_IMV_Initialize(TNC_IMVID imv_id,
+							  TNC_Version min_version,
+							  TNC_Version max_version,
+							  TNC_Version *actual_version)
+{
+	char *uri;
+
+	if (imv_os)
+	{
+		DBG1(DBG_IMV, "IMV \"%s\" has already been initialized", imv_name);
+		return TNC_RESULT_ALREADY_INITIALIZED;
+	}
+	imv_os = imv_agent_create(imv_name, msg_types, countof(msg_types),
+							  imv_id, actual_version);
+	if (!imv_os)
+	{
+		return TNC_RESULT_FATAL;
+	}
+	if (min_version > TNC_IFIMV_VERSION_1 || max_version < TNC_IFIMV_VERSION_1)
+	{
+		DBG1(DBG_IMV, "no common IF-IMV version");
+		return TNC_RESULT_NO_COMMON_VERSION;
+	}
+
+	/* attach OS database */
+	uri = lib->settings->get_str(lib->settings,
+				"libimcv.plugins.imv-os.database", NULL);
+	if (uri)
+	{
+		os_db = imv_os_database_create(uri);
+	}
+
+	return TNC_RESULT_SUCCESS;
+}
+
+/**
+ * see section 3.8.2 of TCG TNC IF-IMV Specification 1.3
+ */
+TNC_Result TNC_IMV_NotifyConnectionChange(TNC_IMVID imv_id,
+										  TNC_ConnectionID connection_id,
+										  TNC_ConnectionState new_state)
+{
+	imv_state_t *state;
+
+	if (!imv_os)
+	{
+		DBG1(DBG_IMV, "IMV \"%s\" has not been initialized", imv_name);
+		return TNC_RESULT_NOT_INITIALIZED;
+	}
+	switch (new_state)
+	{
+		case TNC_CONNECTION_STATE_CREATE:
+			state = imv_os_state_create(connection_id);
+			return imv_os->create_state(imv_os, state);
+		case TNC_CONNECTION_STATE_DELETE:
+			return imv_os->delete_state(imv_os, connection_id);
+		default:
+			return imv_os->change_state(imv_os, connection_id,
+											 new_state, NULL);
+	}
+}
+
+static TNC_Result receive_message(imv_state_t *state, imv_msg_t *in_msg)
+{
+	imv_msg_t *out_msg;
+	imv_os_state_t *os_state;
+	enumerator_t *enumerator;
+	pa_tnc_attr_t *attr;
+	pen_type_t type;
+	TNC_Result result;
+	chunk_t os_name = chunk_empty;
+	chunk_t os_version = chunk_empty;
+	bool fatal_error = FALSE, assessment = FALSE;
+	char non_market_apps_str[] = "install_non_market_apps";
+	char android_id_str[] = "android_id";
+	char machine_id_str[] = "/var/lib/dbus/machine-id";
+
+	os_state = (imv_os_state_t*)state;
+
+	/* parse received PA-TNC message and handle local and remote errors */
+	result = in_msg->receive(in_msg, &fatal_error);
+	if (result != TNC_RESULT_SUCCESS)
+	{
+		return result;
+	}
+
+	out_msg = imv_msg_create_as_reply(in_msg);
+
+	/* analyze PA-TNC attributes */
+	enumerator = in_msg->create_attribute_enumerator(in_msg);
+	while (enumerator->enumerate(enumerator, &attr))
+	{
+		type = attr->get_type(attr);
+
+		if (type.vendor_id == PEN_IETF)
+		{
+			switch (type.type)
+			{
+				case IETF_ATTR_PRODUCT_INFORMATION:
+				{
+					ietf_attr_product_info_t *attr_cast;
+					pen_t vendor_id;
+
+					attr_cast = (ietf_attr_product_info_t*)attr;
+					os_name = attr_cast->get_info(attr_cast, &vendor_id, NULL);
+					if (vendor_id != PEN_IETF)
+					{
+						DBG1(DBG_IMV, "operating system name is '%.*s' "
+									  "from vendor %N", os_name.len, os_name.ptr,
+									   pen_names, vendor_id);
+					}
+					else
+					{
+						DBG1(DBG_IMV, "operating system name is '%.*s'",
+									   os_name.len, os_name.ptr);
+					}
+					break;
+				}
+				case IETF_ATTR_STRING_VERSION:
+				{
+					ietf_attr_string_version_t *attr_cast;
+
+					attr_cast = (ietf_attr_string_version_t*)attr;
+					os_version = attr_cast->get_version(attr_cast, NULL, NULL);
+					if (os_version.len)
+					{
+						DBG1(DBG_IMV, "operating system version is '%.*s'",
+									   os_version.len, os_version.ptr);
+					}
+					break;
+				}
+				case IETF_ATTR_NUMERIC_VERSION:
+				{
+					ietf_attr_numeric_version_t *attr_cast;
+					u_int32_t major, minor;
+
+					attr_cast = (ietf_attr_numeric_version_t*)attr;
+					attr_cast->get_version(attr_cast, &major, &minor);
+					DBG1(DBG_IMV, "operating system numeric version is %d.%d",
+								   major, minor);
+					break;
+				}
+				case IETF_ATTR_OPERATIONAL_STATUS:
+				{
+					ietf_attr_op_status_t *attr_cast;
+					op_status_t op_status;
+					op_result_t op_result;
+					time_t last_boot;
+
+					attr_cast = (ietf_attr_op_status_t*)attr;
+					op_status = attr_cast->get_status(attr_cast);
+					op_result = attr_cast->get_result(attr_cast);
+					last_boot = attr_cast->get_last_use(attr_cast);
+					DBG1(DBG_IMV, "operational status: %N, result: %N",
+						 op_status_names, op_status, op_result_names, op_result);
+					DBG1(DBG_IMV, "last boot: %T", &last_boot, TRUE);
+					break;
+				}
+				case IETF_ATTR_FORWARDING_ENABLED:
+				{
+					ietf_attr_fwd_enabled_t *attr_cast;
+					os_fwd_status_t fwd_status;
+
+					attr_cast = (ietf_attr_fwd_enabled_t*)attr;
+					fwd_status = attr_cast->get_status(attr_cast);
+					DBG1(DBG_IMV, "IPv4 forwarding status: %N",
+								   os_fwd_status_names, fwd_status);
+					if (fwd_status == OS_FWD_ENABLED)
+					{
+						os_state->set_os_settings(os_state,
+											OS_SETTINGS_FWD_ENABLED);
+					}
+					break;
+				}
+				case IETF_ATTR_FACTORY_DEFAULT_PWD_ENABLED:
+				{
+					ietf_attr_default_pwd_enabled_t *attr_cast;
+					bool default_pwd_status;
+
+					attr_cast = (ietf_attr_default_pwd_enabled_t*)attr;
+					default_pwd_status = attr_cast->get_status(attr_cast);
+					DBG1(DBG_IMV, "factory default password: %sabled",
+								   default_pwd_status ? "en":"dis");
+					if (default_pwd_status)
+					{
+						os_state->set_os_settings(os_state,
+											OS_SETTINGS_DEFAULT_PWD_ENABLED);
+					}
+					break;
+				}
+				case IETF_ATTR_INSTALLED_PACKAGES:
+				{
+					ietf_attr_installed_packages_t *attr_cast;
+					enumerator_t *e;
+					status_t status;
+
+					/* Received at least one Installed Packages attribute */
+					os_state->set_package_request(os_state, FALSE);
+
+					if (!os_db)
+					{
+						break;
+					}
+					attr_cast = (ietf_attr_installed_packages_t*)attr;
+
+					e = attr_cast->create_enumerator(attr_cast);
+					status = os_db->check_packages(os_db, os_state, e);
+					e->destroy(e);
+
+					if (status == FAILED)
+					{
+						state->set_recommendation(state,
+								TNC_IMV_ACTION_RECOMMENDATION_NO_RECOMMENDATION,
+								TNC_IMV_EVALUATION_RESULT_ERROR);
+						assessment = TRUE;
+					}
+					break;
+				}
+				default:
+					break;
+			}
+		}
+		else if (type.vendor_id == PEN_ITA)
+		{
+			switch (type.type)
+			{
+				case ITA_ATTR_SETTINGS:
+				{
+					ita_attr_settings_t *attr_cast;
+					enumerator_t *e;
+					char *name;
+					chunk_t value;
+
+					attr_cast = (ita_attr_settings_t*)attr;
+					e = attr_cast->create_enumerator(attr_cast);
+					while (e->enumerate(e, &name, &value))
+					{
+						if (streq(name, non_market_apps_str) &&
+							chunk_equals(value, chunk_from_chars('1')))
+						{
+							os_state->set_os_settings(os_state,
+												OS_SETTINGS_NON_MARKET_APPS);
+						}
+						else if ((streq(name, android_id_str) ||
+								  streq(name, machine_id_str)) && os_db)
+						{
+							os_state->set_device_id(os_state,
+										os_db->get_device_id(os_db, value));
+						}
+						DBG1(DBG_IMV, "setting '%s'\n  %.*s",
+							 name, value.len, value.ptr);
+					}
+					e->destroy(e);
+					break;
+				}
+				case ITA_ATTR_START_ANGEL:
+					os_state->set_angel_count(os_state, TRUE);
+					break;
+				case ITA_ATTR_STOP_ANGEL:
+					os_state->set_angel_count(os_state, FALSE);
+					break;
+				default:
+					break;
+			}
+		}
+	}
+	enumerator->destroy(enumerator);
+
+	if (os_name.len && os_version.len)
+	{
+		os_type_t os_type;
+		ita_attr_get_settings_t *attr_cast;
+
+		/* set the OS type, name and version */
+		os_type = os_type_from_name(os_name);
+		os_state->set_info(os_state,os_type, os_name, os_version);
+
+		/* requesting installed packages */
+		os_state->set_package_request(os_state, TRUE);
+		attr = ietf_attr_attr_request_create(PEN_IETF,
+											 IETF_ATTR_INSTALLED_PACKAGES);
+		out_msg->add_attribute(out_msg, attr);
+
+		/* requesting Android or Linux settings */
+		attr = ita_attr_get_settings_create();
+		attr_cast = (ita_attr_get_settings_t*)attr;
+
+		if (os_type == OS_TYPE_ANDROID)
+		{
+			attr_cast->add(attr_cast, android_id_str);
+			attr_cast->add(attr_cast, non_market_apps_str);
+		}
+		else
+		{
+			attr_cast->add(attr_cast, machine_id_str);
+			attr_cast->add(attr_cast, "/proc/sys/kernel/tainted");
+		}
+		out_msg->add_attribute(out_msg, attr);
+	}
+
+	if (fatal_error)
+	{
+		state->set_recommendation(state,
+								TNC_IMV_ACTION_RECOMMENDATION_NO_RECOMMENDATION,
+								TNC_IMV_EVALUATION_RESULT_ERROR);
+		assessment = TRUE;
+	}
+
+	/* If all Installed Packages attributes were received, go to assessment */
+	if (!assessment &&
+		!os_state->get_package_request(os_state) &&
+		!os_state->get_angel_count(os_state))
+	{
+		int device_id, count, count_update, count_blacklist, count_ok;
+		u_int os_settings;
+
+		os_settings = os_state->get_os_settings(os_state);
+		os_state->get_count(os_state, &count, &count_update, &count_blacklist,
+									  &count_ok);
+		DBG1(DBG_IMV, "processed %d packages: %d not updated, %d blacklisted, "
+			 "%d ok, %d not found", count, count_update, count_blacklist,
+			 count_ok, count - count_update - count_blacklist - count_ok);
+
+		/* Store device information in database */
+		device_id = os_state->get_device_id(os_state);
+		if (os_db && device_id)
+		{
+			os_db->set_device_info(os_db, device_id,
+						os_state->get_info(os_state, NULL, NULL, NULL),
+						count, count_update, count_blacklist, os_settings);
+		}
+
+		if (count_update || count_blacklist || os_settings)
+		{
+			state->set_recommendation(state,
+								TNC_IMV_ACTION_RECOMMENDATION_ISOLATE,
+								TNC_IMV_EVALUATION_RESULT_NONCOMPLIANT_MINOR);
+		}
+		else
+		{
+			state->set_recommendation(state,
+								TNC_IMV_ACTION_RECOMMENDATION_ALLOW,
+								TNC_IMV_EVALUATION_RESULT_COMPLIANT);
+		}
+		assessment = TRUE;
+	}
+
+	if (assessment)
+	{
+		result = out_msg->send_assessment(out_msg);
+		out_msg->destroy(out_msg);
+		if (result != TNC_RESULT_SUCCESS)
+		{
+			return result;
+		}  
+		return imv_os->provide_recommendation(imv_os, state);
+	}
+
+	/* send PA-TNC message with excl flag set */ 
+	result = out_msg->send(out_msg, TRUE);
+	out_msg->destroy(out_msg);
+
+	return result;
+ }
+
+/**
+ * see section 3.8.4 of TCG TNC IF-IMV Specification 1.3
+ */
+TNC_Result TNC_IMV_ReceiveMessage(TNC_IMVID imv_id,
+								  TNC_ConnectionID connection_id,
+								  TNC_BufferReference msg,
+								  TNC_UInt32 msg_len,
+								  TNC_MessageType msg_type)
+{
+	imv_state_t *state;
+	imv_msg_t *in_msg;
+	TNC_Result result;
+
+	if (!imv_os)
+	{
+		DBG1(DBG_IMV, "IMV \"%s\" has not been initialized", imv_name);
+		return TNC_RESULT_NOT_INITIALIZED;
+	}
+	if (!imv_os->get_state(imv_os, connection_id, &state))
+	{
+		return TNC_RESULT_FATAL;
+	}
+	in_msg = imv_msg_create_from_data(imv_os, state, connection_id, msg_type,
+									  chunk_create(msg, msg_len));
+	result = receive_message(state, in_msg);
+	in_msg->destroy(in_msg);
+
+	return result;
+}
+
+/**
+ * see section 3.8.6 of TCG TNC IF-IMV Specification 1.3
+ */
+TNC_Result TNC_IMV_ReceiveMessageLong(TNC_IMVID imv_id,
+									  TNC_ConnectionID connection_id,
+									  TNC_UInt32 msg_flags,
+									  TNC_BufferReference msg,
+									  TNC_UInt32 msg_len,
+									  TNC_VendorID msg_vid,
+									  TNC_MessageSubtype msg_subtype,
+									  TNC_UInt32 src_imc_id,
+									  TNC_UInt32 dst_imv_id)
+{
+	imv_state_t *state;
+	imv_msg_t *in_msg;
+	TNC_Result result;
+
+	if (!imv_os)
+	{
+		DBG1(DBG_IMV, "IMV \"%s\" has not been initialized", imv_name);
+		return TNC_RESULT_NOT_INITIALIZED;
+	}
+	if (!imv_os->get_state(imv_os, connection_id, &state))
+	{
+		return TNC_RESULT_FATAL;
+	}
+	in_msg = imv_msg_create_from_long_data(imv_os, state, connection_id,
+								src_imc_id, dst_imv_id, msg_vid, msg_subtype,
+								chunk_create(msg, msg_len));
+	result =receive_message(state, in_msg);
+	in_msg->destroy(in_msg);
+
+	return result;
+}
+
+/**
+ * see section 3.8.7 of TCG TNC IF-IMV Specification 1.3
+ */
+TNC_Result TNC_IMV_SolicitRecommendation(TNC_IMVID imv_id,
+										 TNC_ConnectionID connection_id)
+{
+	imv_state_t *state;
+
+	if (!imv_os)
+	{
+		DBG1(DBG_IMV, "IMV \"%s\" has not been initialized", imv_name);
+		return TNC_RESULT_NOT_INITIALIZED;
+	}
+	if (!imv_os->get_state(imv_os, connection_id, &state))
+	{
+		return TNC_RESULT_FATAL;
+	}
+	return imv_os->provide_recommendation(imv_os, state);
+}
+
+/**
+ * see section 3.8.8 of TCG TNC IF-IMV Specification 1.3
+ */
+TNC_Result TNC_IMV_BatchEnding(TNC_IMVID imv_id,
+							   TNC_ConnectionID connection_id)
+{
+	imv_state_t *state;
+	imv_os_state_t *os_state;
+	TNC_Result result = TNC_RESULT_SUCCESS;
+
+	if (!imv_os)
+	{
+		DBG1(DBG_IMV, "IMV \"%s\" has not been initialized", imv_name);
+		return TNC_RESULT_NOT_INITIALIZED;
+	}
+	if (!imv_os->get_state(imv_os, connection_id, &state))
+	{
+		return TNC_RESULT_FATAL;
+	}
+	os_state = (imv_os_state_t*)state;
+
+	if (os_state->get_info(os_state, NULL, NULL, NULL) == NULL)
+	{
+		imv_msg_t *out_msg;
+		pa_tnc_attr_t *attr;
+		ietf_attr_attr_request_t *attr_cast;
+
+		out_msg = imv_msg_create(imv_os, state, connection_id, imv_id,
+								 TNC_IMCID_ANY, msg_types[0]);
+		attr = ietf_attr_attr_request_create(PEN_IETF,
+											 IETF_ATTR_PRODUCT_INFORMATION);
+		attr_cast = (ietf_attr_attr_request_t*)attr;
+		attr_cast->add(attr_cast, PEN_IETF, IETF_ATTR_STRING_VERSION);
+		attr_cast->add(attr_cast, PEN_IETF, IETF_ATTR_NUMERIC_VERSION);
+		attr_cast->add(attr_cast, PEN_IETF, IETF_ATTR_OPERATIONAL_STATUS);
+		attr_cast->add(attr_cast, PEN_IETF, IETF_ATTR_FORWARDING_ENABLED);
+		attr_cast->add(attr_cast, PEN_IETF, IETF_ATTR_FACTORY_DEFAULT_PWD_ENABLED);
+		out_msg->add_attribute(out_msg, attr);
+
+		/* send PA-TNC message with excl flag not set */
+		result = out_msg->send(out_msg, FALSE);
+		out_msg->destroy(out_msg);
+	}
+
+	return result;
+}
+
+/**
+ * see section 3.8.9 of TCG TNC IF-IMV Specification 1.3
+ */
+TNC_Result TNC_IMV_Terminate(TNC_IMVID imv_id)
+{
+	if (!imv_os)
+	{
+		DBG1(DBG_IMV, "IMV \"%s\" has not been initialized", imv_name);
+		return TNC_RESULT_NOT_INITIALIZED;
+	}
+	DESTROY_IF(os_db);
+
+	imv_os->destroy(imv_os);
+	imv_os = NULL;
+
+	return TNC_RESULT_SUCCESS;
+}
+
+/**
+ * see section 4.2.8.1 of TCG TNC IF-IMV Specification 1.3
+ */
+TNC_Result TNC_IMV_ProvideBindFunction(TNC_IMVID imv_id,
+									   TNC_TNCS_BindFunctionPointer bind_function)
+{
+	if (!imv_os)
+	{
+		DBG1(DBG_IMV, "IMV \"%s\" has not been initialized", imv_name);
+		return TNC_RESULT_NOT_INITIALIZED;
+	}
+	return imv_os->bind_functions(imv_os, bind_function);
+}
diff --git a/src/libimcv/plugins/imv_os/imv_os_database.c b/src/libimcv/plugins/imv_os/imv_os_database.c
new file mode 100644
index 000000000..c6db9953f
--- /dev/null
+++ b/src/libimcv/plugins/imv_os/imv_os_database.c
@@ -0,0 +1,311 @@
+/*
+ * Copyright (C) 2012 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "imv_os_database.h"
+
+#include <utils/debug.h>
+
+#include <string.h>
+
+typedef struct private_imv_os_database_t private_imv_os_database_t;
+
+/**
+ * Private data of a imv_os_database_t object.
+ *
+ */
+struct private_imv_os_database_t {
+
+	/**
+	 * Public imv_os_database_t interface.
+	 */
+	imv_os_database_t public;
+
+	/**
+	 * database instance
+	 */
+	database_t *db;
+
+};
+
+METHOD(imv_os_database_t, check_packages, status_t,
+	private_imv_os_database_t *this, imv_os_state_t *state,
+	enumerator_t *package_enumerator)
+{
+	char *product, *package, *release, *cur_release;
+	u_char *pos;
+	chunk_t os_name, os_version, name, version;
+	os_type_t os_type;
+	size_t os_version_len;
+	os_package_state_t package_state;
+	int pid, gid;
+	int count = 0, count_ok = 0, count_no_match = 0, count_blacklist = 0;
+	enumerator_t *e;
+	status_t status = SUCCESS;
+	bool found, match;
+
+	state->get_info(state, &os_type, &os_name, &os_version);
+
+	if (os_type == OS_TYPE_ANDROID)
+	{
+		/*no package dependency on Android version */
+		product = strdup(enum_to_name(os_type_names, os_type));
+	}
+	else
+	{
+		/* remove appended platform info */
+		pos = memchr(os_version.ptr, ' ', os_version.len);
+		os_version_len = pos ? (pos - os_version.ptr) : os_version.len;
+		product = malloc(os_name.len + 1 + os_version_len + 1);
+		sprintf(product, "%.*s %.*s", (int)os_name.len, os_name.ptr,
+									  (int)os_version_len, os_version.ptr);
+	}
+	DBG1(DBG_IMV, "processing installed '%s' packages", product);
+
+	/* Get primary key of product */
+	e = this->db->query(this->db,
+				"SELECT id FROM products WHERE name = ?",
+				DB_TEXT, product, DB_INT);
+	if (!e)
+	{
+		free(product);
+		return FAILED;
+	}
+	if (!e->enumerate(e, &pid))
+	{
+		e->destroy(e);
+		free(product);
+		return NOT_FOUND;
+	}
+	e->destroy(e);
+
+	while (package_enumerator->enumerate(package_enumerator, &name, &version))
+	{
+		/* Convert package name chunk to a string */
+		package = strndup(name.ptr, name.len);
+		count++;
+
+		/* Get primary key of package */
+		e = this->db->query(this->db,
+					"SELECT id FROM packages WHERE name = ?",
+					DB_TEXT, package, DB_INT);
+		if (!e)
+		{
+			free(product);
+			free(package);
+			return FAILED;
+		}
+		if (!e->enumerate(e, &gid))
+		{
+			/* package not present in database for any product - skip */
+			if (os_type == OS_TYPE_ANDROID)
+			{
+				DBG2(DBG_IMV, "package '%s' (%.*s) not found",
+					 package, version.len, version.ptr);
+			}
+			free(package);
+			e->destroy(e);
+			continue;
+		}
+		e->destroy(e);
+
+		/* Convert package version chunk to a string */
+		release = strndup(version.ptr, version.len);
+
+		/* Enumerate over all acceptable versions */
+		e = this->db->query(this->db,
+				"SELECT release, security FROM versions "
+				"WHERE product = ? AND package = ?",
+				DB_INT, pid, DB_INT, gid, DB_TEXT, DB_INT);
+		if (!e)
+		{
+			free(product);
+			free(package);
+			free(release);
+			return FAILED;
+		}
+		found = FALSE;
+		match = FALSE;
+
+		while (e->enumerate(e, &cur_release, &package_state))
+		{
+			found = TRUE;
+			if (streq(release, cur_release) || streq("*", cur_release))
+			{
+				match = TRUE;
+				break;
+			}
+		}
+		e->destroy(e);
+
+		if (found)
+		{
+			if (match)
+			{
+				if (package_state == OS_PACKAGE_STATE_BLACKLIST)
+				{
+					DBG2(DBG_IMV, "package '%s' (%s) is blacklisted",
+								   package, release);
+					count_blacklist++;
+					state->add_bad_package(state, package, package_state);
+				}
+				else
+				{
+					DBG2(DBG_IMV, "package '%s' (%s)%N is ok", package, release,
+								   os_package_state_names, package_state);
+					count_ok++;
+				}
+			}
+			else
+			{
+				DBG1(DBG_IMV, "package '%s' (%s) no match", package, release);
+				count_no_match++;
+				state->add_bad_package(state, package, package_state);
+			}
+		}
+		else
+		{
+			/* package not present in database for this product - skip */
+		}
+		free(package);
+		free(release);
+	}
+	free(product);
+	state->set_count(state, count, count_no_match, count_blacklist, count_ok);
+
+	return status;
+}
+
+METHOD(imv_os_database_t, get_device_id, int,
+	private_imv_os_database_t *this, chunk_t value)
+{
+	enumerator_t *e;
+	int id;
+
+	/* get primary key of device ID */
+	e = this->db->query(this->db, "SELECT id FROM devices WHERE value = ?",
+						DB_BLOB, value, DB_INT);
+	if (!e)
+	{
+		return 0;
+	}
+	if (e->enumerate(e, &id))
+	{
+		/* device ID already exists in database - return primary key */
+		e->destroy(e);
+		return id;
+	}
+
+	/* register new device ID in database and return primary key */
+	return (this->db->execute(this->db, &id,
+			"INSERT INTO devices (value) VALUES (?)", DB_BLOB, value) == 1) ?
+			id : 0;
+}
+
+METHOD(imv_os_database_t, set_device_info, void,
+	private_imv_os_database_t *this,  int device_id, char *os_info,
+	int count, int count_update, int count_blacklist, u_int flags)
+{
+	enumerator_t *e;
+	time_t last_time;
+	int pid = 0, last_pid = 0, last_count_update = 0, last_count_blacklist = 0;
+	u_int last_flags;
+	bool found = FALSE;
+
+	/* get primary key of OS info string if it exists */
+	e = this->db->query(this->db,
+			"SELECT id FROM products WHERE name = ?", DB_TEXT, os_info,
+			 DB_INT);
+	if (e)
+	{
+		e->enumerate(e, &pid);
+		e->destroy(e);
+	}
+
+	/* if OS ifo string has not been found - register it */
+	if (!pid)
+	{
+		this->db->execute(this->db, &pid,
+			"INSERT INTO products (name) VALUES (?)", DB_TEXT, os_info);
+	}
+
+	/* get latest device info record if it exists */
+	e = this->db->query(this->db,
+			"SELECT time, product, count_update, count_blacklist, flags "
+			"FROM device_infos WHERE device = ? ORDER BY time DESC",
+			 DB_INT, device_id, DB_UINT, DB_INT, DB_INT, DB_INT, DB_UINT);
+	if (e)
+	{
+		found = e->enumerate(e, &last_time, &last_pid, &last_count_update,
+								&last_count_blacklist, &last_flags);
+		e->destroy(e);
+	}
+	if (found && !last_count_update && !last_count_blacklist && !last_flags &&
+		pid == last_pid)
+	{
+		/* update device info */
+		this->db->execute(this->db, NULL,
+			"UPDATE device_infos SET time = ?, count = ?, count_update = ?, "
+			"count_blacklist = ?, flags = ? WHERE device = ? AND time = ?",
+			 DB_UINT, time(NULL), DB_INT, count, DB_INT, count_update,
+			 DB_INT, count_blacklist, DB_UINT, flags,
+			 DB_INT, device_id, DB_UINT, last_time);
+	}
+	else
+	{
+		/* insert device info */
+		this->db->execute(this->db, NULL,
+			"INSERT INTO device_infos (device, time, product, count, "
+			"count_update, count_blacklist, flags) VALUES (?, ?, ?, ?, ?, ?, ?)",
+			 DB_INT, device_id, DB_UINT, time(NULL), DB_INT, pid,
+			 DB_INT, count, DB_INT, count_update, DB_INT, count_blacklist,
+			 DB_UINT, flags);
+	}
+}
+
+METHOD(imv_os_database_t, destroy, void,
+	private_imv_os_database_t *this)
+{
+	this->db->destroy(this->db);
+	free(this);
+}
+
+/**
+ * See header
+ */
+imv_os_database_t *imv_os_database_create(char *uri)
+{
+	private_imv_os_database_t *this;
+
+	INIT(this,
+		.public = {
+			.check_packages = _check_packages,
+			.get_device_id = _get_device_id,
+			.set_device_info = _set_device_info,
+			.destroy = _destroy,
+		},
+		.db = lib->db->create(lib->db, uri),
+	);
+
+	if (!this->db)
+	{
+		DBG1(DBG_IMV,
+			 "failed to connect to OS database '%s'", uri);
+		free(this);
+		return NULL;
+	}
+
+	return &this->public;
+}
+
diff --git a/src/libimcv/plugins/imv_os/imv_os_database.h b/src/libimcv/plugins/imv_os/imv_os_database.h
new file mode 100644
index 000000000..9ce748f9b
--- /dev/null
+++ b/src/libimcv/plugins/imv_os/imv_os_database.h
@@ -0,0 +1,80 @@
+/*
+ * Copyright (C) 2012 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ *
+ * @defgroup imv_os_database_t imv_os_database
+ * @{ @ingroup imv_os_database
+ */
+
+#ifndef IMV_OS_DATABASE_H_
+#define IMV_OS_DATABASE_H_
+
+#include "imv_os_state.h"
+
+#include <library.h>
+
+typedef struct imv_os_database_t imv_os_database_t;
+
+/**
+ * Internal state of an imv_os_database_t instance
+ */
+struct imv_os_database_t {
+
+	/**
+	 * Check Installed Packages for a given OS
+	 *
+	 * @param state					OS IMV state
+	 * @param package_enumerator	enumerates over installed packages
+	 */
+	status_t (*check_packages)(imv_os_database_t *this, imv_os_state_t *state,
+							   enumerator_t *package_enumerator);
+
+	/**
+	* Get the primary database key of the device ID
+	*
+	* @param value					Device ID value
+	*/
+	int (*get_device_id)(imv_os_database_t *this, chunk_t value);
+
+	/**
+	* Set health infos for a given  device
+	*
+	* @param device_id				Device ID primary key
+	* @param os_info				OS info string
+	* @param count					Number of installed packages
+	* @param count_update			Number of packages to be updated
+	* @param count_blacklist		Number of blacklisted packages
+	* @param flags					Various flags, e.g. illegal OS settings
+	*/
+	void (*set_device_info)(imv_os_database_t *this, int device_id, char *os_info,
+							int count, int count_update, int count_blacklist,
+							u_int flags);
+
+	/**
+	* Destroys an imv_os_database_t object.
+	*/
+	void (*destroy)(imv_os_database_t *this);
+
+};
+
+/**
+ * Create an imv_os_database_t instance
+ *
+ * @param uri			database uri
+ */
+imv_os_database_t* imv_os_database_create(char *uri);
+
+#endif /** IMV_OS_DATABASE_H_ @}*/
diff --git a/src/libimcv/plugins/imv_os/imv_os_state.c b/src/libimcv/plugins/imv_os/imv_os_state.c
new file mode 100644
index 000000000..ca6e050f7
--- /dev/null
+++ b/src/libimcv/plugins/imv_os/imv_os_state.c
@@ -0,0 +1,621 @@
+/*
+ * Copyright (C) 2012 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "imv_os_state.h"
+#include "imv/imv_lang_string.h"
+#include "imv/imv_reason_string.h"
+#include "imv/imv_remediation_string.h"
+
+#include <utils/debug.h>
+#include <collections/linked_list.h>
+
+typedef struct private_imv_os_state_t private_imv_os_state_t;
+typedef struct package_entry_t package_entry_t;
+typedef struct entry_t entry_t;
+typedef struct instruction_entry_t instruction_entry_t;
+
+/**
+ * Private data of an imv_os_state_t object.
+ */
+struct private_imv_os_state_t {
+
+	/**
+	 * Public members of imv_os_state_t
+	 */
+	imv_os_state_t public;
+
+	/**
+	 * TNCCS connection ID
+	 */
+	TNC_ConnectionID connection_id;
+
+	/**
+	 * TNCCS connection state
+	 */
+	TNC_ConnectionState state;
+
+	/**
+	 * Does the TNCCS connection support long message types?
+	 */
+	bool has_long;
+
+	/**
+	 * Does the TNCCS connection support exclusive delivery?
+	 */
+	bool has_excl;
+
+	/**
+	 * Maximum PA-TNC message size for this TNCCS connection
+	 */
+	u_int32_t max_msg_len;
+
+	/**
+	 * IMV action recommendation
+	 */
+	TNC_IMV_Action_Recommendation rec;
+
+	/**
+	 * IMV evaluation result
+	 */
+	TNC_IMV_Evaluation_Result eval;
+
+	/**
+	 * OS Product Information (concatenation of OS Name and Version)
+	 */
+	char *info;
+
+	/**
+	 * OS Type
+	 */
+	os_type_t type;
+
+	/**
+	 * OS Name
+	 */
+	chunk_t name;
+
+	/**
+	 * OS Version
+	 */
+	chunk_t version;
+
+	/**
+	 * List of blacklisted packages to be removed
+	 */
+	linked_list_t *remove_packages;
+
+	/**
+	 * List of vulnerable packages to be updated
+	 */
+	linked_list_t *update_packages;
+
+	/**
+	 * TNC Reason String
+	 */
+	imv_reason_string_t *reason_string;
+
+	/**
+	 * IETF Remediation Instructions String
+	 */
+	imv_remediation_string_t *remediation_string;
+
+	/**
+	 * Primary database key of device ID
+	 */
+	int device_id;
+
+	/**
+	 * Number of processed packages
+	 */
+	int count;
+
+	/**
+	 * Number of not updated packages
+	 */
+	int count_update;
+
+	/**
+	 * Number of blacklisted packages
+	 */
+	int count_blacklist;
+
+	/**
+	 * Number of whitelisted packages
+	 */
+	int count_ok;
+
+	/**
+	 * OS Installed Package request sent - mandatory response expected
+	 */
+	bool package_request;
+
+	/**
+	 * OS Settings
+	 */
+	u_int os_settings;
+
+	/**
+	 * Angel count
+	 */
+	int angel_count;
+
+};
+
+/**
+ * Supported languages
+ */
+static char* languages[] = { "en", "de", "pl" };
+
+/**
+ * Reason strings for "OS settings"
+ */
+static imv_lang_string_t reason_settings[] = {
+	{ "en", "Improper OS settings were detected" },
+	{ "de", "Unzulässige OS Einstellungen wurden festgestellt" },
+	{ "pl", "Stwierdzono niewłaściwe ustawienia OS" },
+	{ NULL, NULL }
+};
+
+/**
+ * Reason strings for "installed software packages"
+ */
+static imv_lang_string_t reason_packages[] = {
+	{ "en", "Vulnerable or blacklisted software packages were found" },
+	{ "de", "Schwachstellenbehaftete oder gesperrte Softwarepakete wurden gefunden" },
+	{ "pl", "Znaleziono pakiety podatne na atak lub będące na czarnej liście" },
+	{ NULL, NULL }
+};
+
+/**
+ * Instruction strings for "Software Security Updates"
+ */
+static imv_lang_string_t instr_update_packages_title[] = {
+	{ "en", "Software Security Updates" },
+	{ "de", "Software Sicherheitsupdates" },
+	{ "pl", "Aktualizacja softwaru zabezpieczającego" },
+	{ NULL, NULL }
+};
+
+static imv_lang_string_t instr_update_packages_descr[] = {
+	{ "en", "Packages with security vulnerabilities were found" },
+	{ "de", "Softwarepakete mit Sicherheitsschwachstellen wurden gefunden" },
+	{ "pl", "Znaleziono pakiety podatne na atak" },
+	{ NULL, NULL }
+};
+
+static imv_lang_string_t instr_update_packages_header[] = {
+	{ "en", "Please update the following software packages:" },
+	{ "de", "Bitte updaten Sie die folgenden Softwarepakete:" },
+	{ "pl", "Proszę zaktualizować następujące pakiety:" },
+	{ NULL, NULL }
+};
+
+/**
+ * Instruction strings for "Blacklisted Software Packages"
+ */
+static imv_lang_string_t instr_remove_packages_title[] = {
+	{ "en", "Blacklisted Software Packages" },
+	{ "de", "Gesperrte Softwarepakete" },
+	{ "pl", "Pakiety będące na czarnej liście" },
+	{ NULL, NULL }
+};
+
+static imv_lang_string_t instr_remove_packages_descr[] = {
+	{ "en", "Dangerous software packages were found" },
+	{ "de", "Gefährliche Softwarepakete wurden gefunden" },
+	{ "pl", "Znaleziono niebezpieczne pakiety" },
+	{ NULL, NULL }
+};
+
+static imv_lang_string_t instr_remove_packages_header[] = {
+	{ "en", "Please remove the following software packages:" },
+	{ "de", "Bitte entfernen Sie die folgenden Softwarepakete:" },
+	{ "pl", "Proszę usunąć następujące pakiety:" },
+	{ NULL, NULL }
+};
+
+;/**
+ * Instruction strings for "Forwarding Enabled"
+ */
+static imv_lang_string_t instr_fwd_enabled_title[] = {
+	{ "en", "IP Packet Forwarding" },
+	{ "de", "Weiterleitung von IP Paketen" },
+	{ "pl", "Przekazywanie pakietów IP" },
+	{ NULL, NULL }
+};
+
+static imv_lang_string_t instr_fwd_enabled_descr[] = {
+	{ "en", "Please disable the forwarding of IP packets" },
+	{ "de", "Bitte deaktivieren Sie das Forwarding von IP Paketen" },
+	{ "pl", "Proszę zdezaktywować przekazywanie pakietów IP" },
+	{ NULL, NULL }
+};
+
+/**
+ * Instruction strings for "Default Password Enabled"
+ */
+static imv_lang_string_t instr_default_pwd_enabled_title[] = {
+	{ "en", "Default Password" },
+	{ "de", "Default Passwort" },
+	{ "pl", "Hasło domyślne" },
+	{ NULL, NULL }
+};
+
+static imv_lang_string_t instr_default_pwd_enabled_descr[] = {
+	{ "en", "Please change the default password" },
+	{ "de", "Bitte ändern Sie das Default Passwort" },
+	{ "pl", "Proszę zmienić domyślne hasło" },
+	{ NULL, NULL }
+};
+
+/**
+ * Instruction strings for  "Install Non-Market Apps"
+ */
+static imv_lang_string_t instr_non_market_apps_title[] = {
+	{ "en", "Unknown Software Origin" },
+	{ "de", "Unbekannte Softwareherkunft" },
+	{ "pl", "Nieznane pochodzenie softwaru" },
+	{ NULL, NULL }
+};
+
+static imv_lang_string_t instr_non_market_apps_descr[] = {
+	{ "en", "Do not allow the installation of apps from unknown sources" },
+	{ "de", "Erlauben Sie nicht die Installation von Apps aus unbekannten Quellen" },
+	{ "pl", "Proszę nie dopuszczać do instalacji Apps z nieznanych źródeł" },
+	{ NULL, NULL }
+};
+
+METHOD(imv_state_t, get_connection_id, TNC_ConnectionID,
+	private_imv_os_state_t *this)
+{
+	return this->connection_id;
+}
+
+METHOD(imv_state_t, has_long, bool,
+	private_imv_os_state_t *this)
+{
+	return this->has_long;
+}
+
+METHOD(imv_state_t, has_excl, bool,
+	private_imv_os_state_t *this)
+{
+	return this->has_excl;
+}
+
+METHOD(imv_state_t, set_flags, void,
+	private_imv_os_state_t *this, bool has_long, bool has_excl)
+{
+	this->has_long = has_long;
+	this->has_excl = has_excl;
+}
+
+METHOD(imv_state_t, set_max_msg_len, void,
+	private_imv_os_state_t *this, u_int32_t max_msg_len)
+{
+	this->max_msg_len = max_msg_len;
+}
+
+METHOD(imv_state_t, get_max_msg_len, u_int32_t,
+	private_imv_os_state_t *this)
+{
+	return this->max_msg_len;
+}
+
+METHOD(imv_state_t, change_state, void,
+	private_imv_os_state_t *this, TNC_ConnectionState new_state)
+{
+	this->state = new_state;
+}
+
+METHOD(imv_state_t, get_recommendation, void,
+	private_imv_os_state_t *this, TNC_IMV_Action_Recommendation *rec,
+									TNC_IMV_Evaluation_Result *eval)
+{
+	*rec = this->rec;
+	*eval = this->eval;
+}
+
+METHOD(imv_state_t, set_recommendation, void,
+	private_imv_os_state_t *this, TNC_IMV_Action_Recommendation rec,
+									TNC_IMV_Evaluation_Result eval)
+{
+	this->rec = rec;
+	this->eval = eval;
+}
+
+METHOD(imv_state_t, get_reason_string, bool,
+	private_imv_os_state_t *this, enumerator_t *language_enumerator,
+	chunk_t *reason_string, char **reason_language)
+{
+	if (!this->count_update && !this->count_blacklist & !this->os_settings)
+	{
+		return FALSE;
+	}
+	*reason_language = imv_lang_string_select_lang(language_enumerator,
+											  languages, countof(languages));
+
+	/* Instantiate a TNC Reason String object */
+	DESTROY_IF(this->reason_string);
+	this->reason_string = imv_reason_string_create(*reason_language);
+
+	if (this->count_update || this->count_blacklist)
+	{
+		this->reason_string->add_reason(this->reason_string, reason_packages);
+	}
+	if (this->os_settings)
+	{
+		this->reason_string->add_reason(this->reason_string, reason_settings);
+	}
+	*reason_string = this->reason_string->get_encoding(this->reason_string);
+
+	return TRUE;
+}
+
+METHOD(imv_state_t, get_remediation_instructions, bool,
+	private_imv_os_state_t *this, enumerator_t *language_enumerator,
+	chunk_t *string, char **lang_code, char **uri)
+{
+	if (!this->count_update && !this->count_blacklist & !this->os_settings)
+	{
+		return FALSE;
+	}
+	*lang_code = imv_lang_string_select_lang(language_enumerator,
+										languages, countof(languages));
+
+	/* Instantiate an IETF Remediation Instructions String object */
+	DESTROY_IF(this->remediation_string);
+	this->remediation_string = imv_remediation_string_create(
+									this->type == OS_TYPE_ANDROID, *lang_code);
+
+	/* List of blacklisted packages to be removed, if any */
+	if (this->count_blacklist)
+	{
+		this->remediation_string->add_instruction(this->remediation_string,
+							instr_remove_packages_title,
+							instr_remove_packages_descr,
+							instr_remove_packages_header,
+							this->remove_packages);
+	}
+
+	/* List of packages in need of an update, if any */
+	if (this->count_update)
+	{
+		this->remediation_string->add_instruction(this->remediation_string,
+							instr_update_packages_title,
+							instr_update_packages_descr,
+							instr_update_packages_header,
+							this->update_packages);
+	}
+
+	/* Add instructions concerning improper OS settings */
+	if (this->os_settings & OS_SETTINGS_FWD_ENABLED)
+	{
+		this->remediation_string->add_instruction(this->remediation_string,
+							instr_fwd_enabled_title,
+							instr_fwd_enabled_descr, NULL, NULL);
+	}
+	if (this->os_settings & OS_SETTINGS_DEFAULT_PWD_ENABLED)
+	{
+		this->remediation_string->add_instruction(this->remediation_string,
+							instr_default_pwd_enabled_title,
+							instr_default_pwd_enabled_descr, NULL, NULL);
+	}
+	if (this->os_settings & OS_SETTINGS_NON_MARKET_APPS)
+	{
+		this->remediation_string->add_instruction(this->remediation_string,
+							instr_non_market_apps_title,
+							instr_non_market_apps_descr, NULL, NULL);
+	}
+
+	*string = this->remediation_string->get_encoding(this->remediation_string);
+	*uri = lib->settings->get_str(lib->settings,
+							"libimcv.plugins.imv-os.remediation_uri", NULL);
+
+	return TRUE;
+}
+
+METHOD(imv_state_t, destroy, void,
+	private_imv_os_state_t *this)
+{
+	DESTROY_IF(this->reason_string);
+	DESTROY_IF(this->remediation_string);
+	this->update_packages->destroy_function(this->update_packages, free);
+	this->remove_packages->destroy_function(this->remove_packages, free);
+	free(this->info);
+	free(this->name.ptr);
+	free(this->version.ptr);
+	free(this);
+}
+
+METHOD(imv_os_state_t, set_info, void,
+	private_imv_os_state_t *this, os_type_t type, chunk_t name, chunk_t version)
+{
+	int len = name.len + 1 + version.len + 1;
+
+	/* OS info is a concatenation of OS name and OS version */
+	free(this->info);
+	this->info = malloc(len);
+	snprintf(this->info, len, "%.*s %.*s", (int)name.len, name.ptr,
+										   (int)version.len, version.ptr);
+	this->type = type;
+	this->name = chunk_clone(name);
+	this->version = chunk_clone(version);
+}
+
+METHOD(imv_os_state_t, get_info, char*,
+	private_imv_os_state_t *this, os_type_t *type, chunk_t *name,
+	chunk_t *version)
+{
+	if (type)
+	{
+		*type = this->type;
+	}
+	if (name)
+	{
+		*name = this->name;
+	}
+	if (version)
+	{
+		*version = this->version;
+	}
+	return this->info;
+}
+
+METHOD(imv_os_state_t, set_count, void,
+	private_imv_os_state_t *this, int count, int count_update,
+	int count_blacklist, int count_ok)
+{
+	this->count           += count;
+	this->count_update    += count_update;
+	this->count_blacklist += count_blacklist;
+	this->count_ok        += count_ok;
+}
+
+METHOD(imv_os_state_t, get_count, void,
+	private_imv_os_state_t *this, int *count, int *count_update,
+	int *count_blacklist, int *count_ok)
+{
+	if (count)
+	{
+		*count = this->count;
+	}
+	if (count_update)
+	{
+		*count_update = this->count_update;
+	}
+	if (count_blacklist)
+	{
+		*count_blacklist = this->count_blacklist;
+	}
+	if (count_ok)
+	{
+		*count_ok = this->count_ok;
+	}
+}
+
+METHOD(imv_os_state_t, set_package_request, void,
+	private_imv_os_state_t *this, bool set)
+{
+	this->package_request = set;
+}
+
+METHOD(imv_os_state_t, get_package_request, bool,
+	private_imv_os_state_t *this)
+{
+	return this->package_request;
+}
+
+METHOD(imv_os_state_t, set_device_id, void,
+	private_imv_os_state_t *this, int id)
+{
+	this->device_id = id;
+}
+
+METHOD(imv_os_state_t, get_device_id, int,
+	private_imv_os_state_t *this)
+{
+	return this->device_id;
+}
+
+METHOD(imv_os_state_t, set_os_settings, void,
+	private_imv_os_state_t *this, u_int settings)
+{
+	this->os_settings |= settings;
+}
+
+METHOD(imv_os_state_t, get_os_settings, u_int,
+	private_imv_os_state_t *this)
+{
+	return this->os_settings;
+}
+
+METHOD(imv_os_state_t, set_angel_count, void,
+	private_imv_os_state_t *this, bool start)
+{
+	this->angel_count += start ? 1 : -1;
+}
+
+METHOD(imv_os_state_t, get_angel_count, int,
+	private_imv_os_state_t *this)
+{
+	return this->angel_count;
+}
+
+METHOD(imv_os_state_t, add_bad_package, void,
+	private_imv_os_state_t *this, char *package,
+	os_package_state_t package_state)
+{
+	package = strdup(package);
+
+	if (package_state == OS_PACKAGE_STATE_BLACKLIST)
+	{
+		this->remove_packages->insert_last(this->remove_packages, package);
+	}
+	else
+	{
+		this->update_packages->insert_last(this->update_packages, package);
+	}
+}
+
+/**
+ * Described in header.
+ */
+imv_state_t *imv_os_state_create(TNC_ConnectionID connection_id)
+{
+	private_imv_os_state_t *this;
+
+	INIT(this,
+		.public = {
+			.interface = {
+				.get_connection_id = _get_connection_id,
+				.has_long = _has_long,
+				.has_excl = _has_excl,
+				.set_flags = _set_flags,
+				.set_max_msg_len = _set_max_msg_len,
+				.get_max_msg_len = _get_max_msg_len,
+				.change_state = _change_state,
+				.get_recommendation = _get_recommendation,
+				.set_recommendation = _set_recommendation,
+				.get_reason_string = _get_reason_string,
+				.get_remediation_instructions = _get_remediation_instructions,
+				.destroy = _destroy,
+			},
+			.set_info = _set_info,
+			.get_info = _get_info,
+			.set_count = _set_count,
+			.get_count = _get_count,
+			.set_package_request = _set_package_request,
+			.get_package_request = _get_package_request,
+			.set_device_id = _set_device_id,
+			.get_device_id = _get_device_id,
+			.set_os_settings = _set_os_settings,
+			.get_os_settings = _get_os_settings,
+			.set_angel_count = _set_angel_count,
+			.get_angel_count = _get_angel_count,
+			.add_bad_package = _add_bad_package,
+		},
+		.state = TNC_CONNECTION_STATE_CREATE,
+		.rec = TNC_IMV_ACTION_RECOMMENDATION_NO_RECOMMENDATION,
+		.eval = TNC_IMV_EVALUATION_RESULT_DONT_KNOW,
+		.connection_id = connection_id,
+		.update_packages = linked_list_create(),
+		.remove_packages = linked_list_create(),
+	);
+
+	return &this->public.interface;
+}
+
+
diff --git a/src/libimcv/plugins/imv_os/imv_os_state.h b/src/libimcv/plugins/imv_os/imv_os_state.h
new file mode 100644
index 000000000..05abdbb6c
--- /dev/null
+++ b/src/libimcv/plugins/imv_os/imv_os_state.h
@@ -0,0 +1,164 @@
+/*
+ * Copyright (C) 2012 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ *
+ * @defgroup imv_os_state_t imv_os_state
+ * @{ @ingroup imv_os_state
+ */
+
+#ifndef IMV_OS_STATE_H_
+#define IMV_OS_STATE_H_
+
+#include "os_info/os_info.h"
+#include <imv/imv_state.h>
+#include <library.h>
+
+typedef struct imv_os_state_t imv_os_state_t;
+typedef enum os_settings_t os_settings_t;
+
+enum os_settings_t {
+	OS_SETTINGS_FWD_ENABLED =         1,
+	OS_SETTINGS_DEFAULT_PWD_ENABLED = 2,
+	OS_SETTINGS_NON_MARKET_APPS =     4
+};
+
+/**
+ * Internal state of an imv_os_t connection instance
+ */
+struct imv_os_state_t {
+
+	/**
+	 * imv_state_t interface
+	 */
+	imv_state_t interface;
+
+	/**
+	 * Set OS Product Information
+	 *
+	 * @param type			OS type (enumerated)
+	 * @param name			OS name (string)
+	 * @param version		OS version
+	 */
+	void (*set_info)(imv_os_state_t *this, os_type_t os_type,
+					 chunk_t name, chunk_t version);
+
+	/**
+	 * Get OS Product Information
+	 *
+	 * @param type			OS type (enumerated)
+	 * @param name			OS name (string)
+	 * @param version		OS version
+	 * @return				OS name & version as a concatenated string 
+	 */
+	char* (*get_info)(imv_os_state_t *this, os_type_t *os_type,
+					  chunk_t *name, chunk_t *version);
+
+	/**
+	 * Set [or with multiple attributes increment] package counters
+	 *
+	 * @param count				Number of processed packages
+	 * @param count_update		Number of not updated packages
+	 * @param count_blacklist	Number of blacklisted packages
+	 * @param count_ok			Number of whitelisted packages
+	 */
+	void (*set_count)(imv_os_state_t *this, int count, int count_update,
+					  int count_blacklist, int count_ok);
+
+	/**
+	 * Set [or with multiple attributes increment] package counters
+	 *
+	 * @param count				Number of processed packages
+	 * @param count_update		Number of not updated packages
+	 * @param count_blacklist	Number of blacklisted packages
+	 * @param count_ok			Number of whitelisted packages
+	 */
+	void (*get_count)(imv_os_state_t *this, int *count, int *count_update,
+					  int *count_blacklist, int *count_ok);
+	/**
+	 * Set/reset OS Installed Packages request status
+	 *
+	 * @param set			TRUE to set, FALSE to clear
+	 */
+	void (*set_package_request)(imv_os_state_t *this, bool set);
+
+	/**
+	 * Get OS Installed Packages request status
+	 *
+	 * @return				TRUE if set, FALSE if unset
+	 */
+	bool (*get_package_request)(imv_os_state_t *this);
+
+	/**
+	 * Set device ID
+	 *
+	 * @param device_id		Device ID primary database key
+	 */
+	void (*set_device_id)(imv_os_state_t *this, int id);
+
+	/**
+	 * Get device ID
+	 *
+	 * @return				Device ID primary database key
+	 */
+	int (*get_device_id)(imv_os_state_t *this);
+
+	/**
+	 * Set OS settings
+	 *
+	 * @param settings		OS settings
+	 */
+	void (*set_os_settings)(imv_os_state_t *this, u_int settings);
+
+	/**
+	 * Get OS settings
+	 *
+	 * @return				OS settings
+	 */
+	u_int (*get_os_settings)(imv_os_state_t *this);
+
+	/**
+	 * Increase/Decrease the ITA Angel count
+	 *
+	 * @param start			TRUE increases and FALSE decreases count by one
+	 */
+	void (*set_angel_count)(imv_os_state_t *this, bool start);
+
+	/**
+	 * Get the ITA Angel count
+	 *
+	 * @return				ITA Angel count
+	 */
+	int (*get_angel_count)(imv_os_state_t *this);
+
+	/**
+	 * Store a bad package that has to be updated or removed
+	 *
+	 * @param package		Name of software package
+	 * @param package_state	Security state of software package
+	 */
+	void (*add_bad_package)(imv_os_state_t *this, char *package,
+							os_package_state_t package_state);
+
+};
+
+/**
+ * Create an imv_os_state_t instance
+ *
+ * @param id			connection ID
+ */
+imv_state_t* imv_os_state_create(TNC_ConnectionID id);
+
+#endif /** IMV_OS_STATE_H_ @}*/
diff --git a/src/libimcv/plugins/imv_os/pacman.c b/src/libimcv/plugins/imv_os/pacman.c
new file mode 100644
index 000000000..f5f52885d
--- /dev/null
+++ b/src/libimcv/plugins/imv_os/pacman.c
@@ -0,0 +1,498 @@
+/*
+ * Copyright (C) 2012 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#define _GNU_SOURCE
+#include <getopt.h>
+#include <unistd.h>
+#include <stdio.h>
+#include <string.h>
+#include <errno.h>
+#include <syslog.h>
+#include <time.h>
+
+#include "imv_os_state.h"
+
+#include <library.h>
+#include <utils/debug.h>
+
+/**
+ * global debug output variables
+ */
+static int debug_level = 1;
+static bool stderr_quiet = TRUE;
+
+/**
+ * pacman dbg function
+ */
+static void pacman_dbg(debug_t group, level_t level, char *fmt, ...)
+{
+	int priority = LOG_INFO;
+	char buffer[8192];
+	char *current = buffer, *next;
+	va_list args;
+
+	if (level <= debug_level)
+	{
+		if (!stderr_quiet)
+		{
+			va_start(args, fmt);
+			vfprintf(stderr, fmt, args);
+			fprintf(stderr, "\n");
+			va_end(args);
+		}
+
+		/* write in memory buffer first */
+		va_start(args, fmt);
+		vsnprintf(buffer, sizeof(buffer), fmt, args);
+		va_end(args);
+
+		/* do a syslog with every line */
+		while (current)
+		{
+			next = strchr(current, '\n');
+			if (next)
+			{
+				*(next++) = '\0';
+			}
+			syslog(priority, "%s\n", current);
+			current = next;
+		}
+	}
+}
+
+/**
+ * atexit handler to close everything on shutdown
+ */
+static void cleanup(void)
+{
+	closelog();
+	library_deinit();
+}
+
+static void usage(void)
+{
+ 	printf("Usage:\n"
+		   "ipsec pacman --product <name> --file <filename> [--update]\n");
+}
+
+/**
+ * Extract the time the package file was generated
+ */
+static time_t extract_time(char *line)
+{
+	struct tm t;
+	char wday[4], mon[4];
+	char* months[] = { "Jan", "Feb", "Mar", "Apr", "May", "Jun",
+					   "Jul", "Aug", "Sep", "Oct", "Nov", "Dec" };
+	int i;
+
+	if (sscanf(line, "Generated: %3s %3s %2d %2d:%2d:%2d %4d UTC", wday, mon,
+			   &t.tm_mday, &t.tm_hour, &t.tm_min, &t.tm_sec, &t.tm_year) != 7)
+	{
+		return UNDEFINED_TIME;
+	}
+	t.tm_isdst = 0;
+	t.tm_year -= 1900;
+	t.tm_mon = 12;
+
+	for (i = 0; i < countof(months); i++)
+	{
+		if (streq(mon, months[i]))
+		{
+			t.tm_mon = i;
+			break;
+		}
+	}
+	if (t.tm_mon == 12)
+	{
+		return UNDEFINED_TIME;
+	}
+
+	return mktime(&t) - timezone;
+}
+
+/**
+ * Process a package file and store updates in the database
+ */
+static void process_packages(char *filename, char *product, bool update)
+{
+	char *uri, line[12288], *pos;
+	int count = 0, errored = 0, vulnerable = 0, new_packages = 0;
+	int new_versions = 0, updated_versions = 0, deleted_versions = 0;
+	u_int32_t pid = 0;
+	enumerator_t *e;
+	database_t *db;
+	FILE *file;
+
+	/* opening package file */
+	printf("loading\"%s\"\n", filename);
+	file = fopen(filename, "r");
+	if (!file)
+	{
+		fprintf(stderr, "could not open \"%s\"\n", filename);
+		exit(EXIT_FAILURE);
+	}
+
+	/* connect package database */
+	uri = lib->settings->get_str(lib->settings, "pacman.database", NULL);
+	if (!uri)
+	{
+		fprintf(stderr, "database URI pacman.database not set\n");
+		fclose(file);
+		exit(EXIT_FAILURE);
+	}
+	db = lib->db->create(lib->db, uri);
+	if (!db)
+	{
+		fprintf(stderr, "could not connect to database '%s'\n", uri);
+		fclose(file);
+		exit(EXIT_FAILURE);
+	}
+
+	/* check if product is already in database */
+	e = db->query(db, "SELECT id FROM products WHERE name = ?",
+				  DB_TEXT, product, DB_INT);
+	if (e)
+	{
+		if (!e->enumerate(e, &pid))
+		{
+			pid = 0;
+		}
+		e->destroy(e);
+	}
+	if (!pid)
+	{
+		if (db->execute(db, &pid, "INSERT INTO products (name) VALUES (?)",
+						DB_TEXT, product) != 1)
+		{
+			fprintf(stderr, "could not store product '%s' to database\n",
+							 product);
+			fclose(file);
+			db->destroy(db);
+			exit(EXIT_FAILURE);
+		}
+	}
+
+	while (fgets(line, sizeof(line), file))
+	{
+		char *package, *version;
+		char *cur_version, *version_update = NULL, *version_delete = NULL;
+		bool security, add_version = TRUE;
+		int cur_security, security_update = 0, security_delete = 0;
+		u_int32_t gid = 0, vid = 0, vid_update = 0, vid_delete = 0;
+		time_t gen_time, cur_time;
+
+		count++;
+		if (count == 1)
+		{
+			printf("%s", line);
+		}
+		if (count == 3)
+		{
+			gen_time = extract_time(line);
+
+			if (gen_time == UNDEFINED_TIME)
+			{
+				fprintf(stderr, "could not extract generation time\n");
+				fclose(file);
+				db->destroy(db);
+				exit(EXIT_FAILURE);
+			}
+			printf("Generated: %T\n", &gen_time, TRUE);
+		}
+		if (count < 7)
+		{
+			continue;
+		}
+
+		/* look for the package name */
+		pos = strchr(line, ' ');
+		if (!pos)
+		{
+			fprintf(stderr, "could not extract package name from '%.*s'\n",
+					(int)(strlen(line)-1), line);
+			errored++;
+			continue;
+		}
+		*pos++ = '\0';
+		package = line;
+
+		/* look for version string in parentheses */
+		if (*pos == '(')
+		{
+			version = ++pos;
+			pos = strchr(pos, ')');
+			if (pos)
+			{
+				*pos++ = '\0';
+			}
+			else
+			{
+				fprintf(stderr, "could not extract package version from "
+						"'%.*s'\n", (int)(strlen(line)-1), line);
+				errored++;
+				continue;
+			}
+		}
+		else
+		{
+			/* no version information, skip entry */
+			continue;
+		}
+		security = (strstr(pos, "[security]") != NULL);
+		if (security)
+		{
+			vulnerable++;
+		}
+
+		/* handle non-security packages in update mode only */
+		if (!update && !security)
+		{
+			continue;
+		}
+
+		/* check if package is already in database */
+		e = db->query(db, "SELECT id FROM packages WHERE name = ?",
+						  DB_TEXT, package, DB_INT);
+		if (e)
+		{
+			if (!e->enumerate(e, &gid))
+			{
+				gid = 0;
+			}
+			e->destroy(e);
+		}
+		if (!gid && security)
+		{
+			if (db->execute(db, &gid, "INSERT INTO packages (name) VALUES (?)",
+								DB_TEXT, package) != 1)
+			{
+				fprintf(stderr, "could not store package '%s' to database\n",
+								 package);
+				fclose(file);
+				db->destroy(db);
+				exit(EXIT_FAILURE);
+			}
+			new_packages++;
+		}
+
+		/* check for package versions already in database */
+		e = db->query(db,
+				"SELECT id, release, security, time FROM versions "
+				"WHERE package = ? AND product = ?",
+				DB_INT, gid, DB_INT, pid, DB_INT, DB_TEXT, DB_INT, DB_INT);
+		if (!e)
+		{
+			break;
+		}
+		while (e->enumerate(e, &vid, &cur_version, &cur_security, &cur_time))
+		{
+			if (streq(version, cur_version))
+			{
+				/* already in data base */
+				add_version = FALSE;
+				break;
+			}
+			else if (gen_time > cur_time)
+			{
+				if (security)
+				{
+					if (cur_security)
+					{
+						vid_update = vid;
+						version_update = strdup(cur_version);
+						security_update = cur_security;
+					}
+					else
+					{
+						vid_delete = vid;
+						version_delete = strdup(cur_version);
+						security_delete = cur_security;
+					}
+				}
+				else
+				{
+					if (!cur_security)
+					{
+						vid_update = vid;
+						version_update = strdup(cur_version);
+						security_update = cur_security;
+					}
+				}
+			}
+			else
+			{
+				if (security == cur_security)
+				{
+					add_version = FALSE;
+				}
+			}
+		}
+		e->destroy(e);
+
+		if ((!vid && !security) || (vid && !add_version))
+		{
+			free(version_update);
+			free(version_delete);
+			continue;
+		}
+
+		if ((!vid && security) || (vid && !vid_update))
+		{
+			printf("%s (%s) %s\n", package, version, security ? "[s]" : "");
+
+			if (db->execute(db, &vid,
+				"INSERT INTO versions "
+				"(package, product, release, security, time) "
+				"VALUES (?, ?, ?, ?, ?)", DB_INT, gid, DB_INT, pid,
+				DB_TEXT, version, DB_INT, security, DB_INT, gen_time) != 1)
+			{
+				fprintf(stderr, "could not store version '%s' to database\n",
+								 version);
+				free(version_update);
+				free(version_delete);
+				fclose(file);
+				db->destroy(db);
+				exit(EXIT_FAILURE);
+			}
+			new_versions++;
+		}
+		else
+		{
+			printf("%s (%s) %s updated by\n",
+				   package, version_update, security_update ? "[s]" : "");
+			printf("%s (%s) %s\n", package, version, security ? "[s]" : "");
+
+			if (db->execute(db, NULL,
+				"UPDATE versions SET release = ?, time = ? WHERE id = ?",
+				DB_TEXT, version, DB_INT, gen_time, DB_INT, vid_update) <= 0)
+			{
+				fprintf(stderr, "could not update version '%s' to database\n",
+								 version);
+				free(version_update);
+				free(version_delete);
+				fclose(file);
+				db->destroy(db);
+				exit(EXIT_FAILURE);
+			}
+			updated_versions++;
+		}
+
+		if (vid_delete)
+		{
+			printf("%s (%s) %s deleted\n",
+				   package, version_delete, security_delete ? "[s]" : "");
+
+			if (db->execute(db, NULL,
+				"DELETE FROM  versions WHERE id = ?",
+				DB_INT, vid_delete) <= 0)
+			{
+				fprintf(stderr, "could not delete version '%s' from database\n",
+								 version_delete);
+				free(version_update);
+				free(version_delete);
+				fclose(file);
+				db->destroy(db);
+				exit(EXIT_FAILURE);
+			}
+			deleted_versions++;
+		}
+		free(version_update);
+		free(version_delete);
+	}
+	fclose(file);
+	db->destroy(db);
+
+	printf("processed %d packages, %d security, %d new packages, "
+		   "%d new versions, %d updated versions, %d deleted versions, "
+		   "%d errored\n", count - 6, vulnerable, new_packages, new_versions,
+		   updated_versions, deleted_versions, errored);
+}
+
+static void do_args(int argc, char *argv[])
+{
+	char *filename = NULL, *product = NULL;
+	bool update = FALSE;
+
+	/* reinit getopt state */
+	optind = 0;
+
+	while (TRUE)
+	{
+		int c;
+
+		struct option long_opts[] = {
+			{ "help", no_argument, NULL, 'h' },
+			{ "file", required_argument, NULL, 'f' },
+			{ "product", required_argument, NULL, 'p' },
+			{ "update", no_argument, NULL, 'u' },
+			{ 0,0,0,0 }
+		};
+
+		c = getopt_long(argc, argv, "", long_opts, NULL);
+		switch (c)
+		{
+			case EOF:
+				break;
+			case 'h':
+				usage();
+				exit(EXIT_SUCCESS);
+			case 'f':
+				filename = optarg;
+				continue;
+			case 'p':
+				product = optarg;
+				continue;
+			case 'u':
+				update = TRUE;
+				continue;
+		}
+		break;
+	}
+
+	if (filename && product)
+	{
+		process_packages(filename, product, update);
+	}
+	else
+	{
+		usage();
+		exit(EXIT_FAILURE);
+	}
+}
+
+int main(int argc, char *argv[])
+{
+	/* enable attest debugging hook */
+	dbg = pacman_dbg;
+	openlog("pacman", 0, LOG_DEBUG);
+
+	atexit(cleanup);
+
+	/* initialize library */
+	if (!library_init(NULL))
+	{
+		exit(SS_RC_LIBSTRONGSWAN_INTEGRITY);
+	}
+	if (!lib->plugins->load(lib->plugins, NULL,
+			lib->settings->get_str(lib->settings, "attest.load", "sqlite")))
+	{
+		exit(SS_RC_INITIALIZATION_FAILED);
+	}
+	do_args(argc, argv);
+
+	exit(EXIT_SUCCESS);
+}
+
diff --git a/src/libimcv/plugins/imv_os/pacman.sh b/src/libimcv/plugins/imv_os/pacman.sh
new file mode 100755
index 000000000..e9134ea5d
--- /dev/null
+++ b/src/libimcv/plugins/imv_os/pacman.sh
@@ -0,0 +1,40 @@
+#!/bin/sh
+
+DATE=`date +%Y%m%d`
+DEBIAN=http://packages.debian.org
+UBUNTU=http://packages.ubuntu.com
+UBUNTU_VERSIONS="quantal precise oneiric lucid"
+PACKAGES=allpackages?format=txt.gz
+PACMAN=/usr/libexec/ipsec/pacman
+DIR=/etc/pts
+
+cd $DIR
+
+for v in $UBUNTU_VERSIONS
+do
+  wget $UBUNTU/$v/$PACKAGES -O $DATE-$v.txt.gz
+  wget $UBUNTU/$v-updates/$PACKAGES -O $DATE-$v-updates.txt.gz
+done
+
+wget $DEBIAN/stable/$PACKAGES -O $DATE-squeeze.txt.gz
+gunzip *.gz
+
+$PACMAN --product "Ubuntu 12.10" --file $DATE-quantal.txt
+echo
+$PACMAN --product "Ubuntu 12.10" --file $DATE-quantal-updates.txt --update
+echo
+$PACMAN --product "Ubuntu 12.04" --file $DATE-precise.txt
+echo
+$PACMAN --product "Ubuntu 12.04" --file $DATE-precise-updates.txt --update
+echo
+$PACMAN --product "Ubuntu 11.10" --file $DATE-oneiric.txt
+echo
+$PACMAN --product "Ubuntu 11.10" --file $DATE-oneiric-updates.txt --update
+echo
+$PACMAN --product "Ubuntu 10.04" --file $DATE-lucid.txt
+echo
+$PACMAN --product "Ubuntu 10.04" --file $DATE-lucid-updates.txt --update
+echo
+$PACMAN --product "Debian squeeze" --file $DATE-squeeze.txt
+
+cp config.db config.db-$DATE
diff --git a/src/libimcv/plugins/imv_scanner/Makefile.in b/src/libimcv/plugins/imv_scanner/Makefile.in
index 126a42c93..da797a9b0 100644
--- a/src/libimcv/plugins/imv_scanner/Makefile.in
+++ b/src/libimcv/plugins/imv_scanner/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -73,6 +73,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
 am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
 am__installdirs = "$(DESTDIR)$(imcvdir)"
 LTLIBRARIES = $(imcv_LTLIBRARIES)
 imv_scanner_la_DEPENDENCIES = $(top_builddir)/src/libimcv/libimcv.la \
@@ -119,6 +125,7 @@ CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -146,6 +153,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -173,6 +181,7 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
@@ -185,6 +194,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -238,7 +248,6 @@ libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -360,7 +369,7 @@ clean-imcvLTLIBRARIES:
 	  echo "rm -f \"$${dir}/so_locations\""; \
 	  rm -f "$${dir}/so_locations"; \
 	done
-imv-scanner.la: $(imv_scanner_la_OBJECTS) $(imv_scanner_la_DEPENDENCIES) 
+imv-scanner.la: $(imv_scanner_la_OBJECTS) $(imv_scanner_la_DEPENDENCIES) $(EXTRA_imv_scanner_la_DEPENDENCIES) 
 	$(imv_scanner_la_LINK) -rpath $(imcvdir) $(imv_scanner_la_OBJECTS) $(imv_scanner_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
@@ -498,10 +507,15 @@ install-am: all-am
 
 installcheck: installcheck-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
diff --git a/src/libimcv/plugins/imv_scanner/imv_scanner.c b/src/libimcv/plugins/imv_scanner/imv_scanner.c
index 1352397c6..16ce0863f 100644
--- a/src/libimcv/plugins/imv_scanner/imv_scanner.c
+++ b/src/libimcv/plugins/imv_scanner/imv_scanner.c
@@ -16,8 +16,9 @@
 #include "imv_scanner_state.h"
 
 #include <imv/imv_agent.h>
-#include <pa_tnc/pa_tnc_msg.h>
+#include <imv/imv_msg.h>
 #include <ietf/ietf_attr.h>
+#include <ietf/ietf_attr_attr_request.h>
 #include <ietf/ietf_attr_pa_tnc_error.h>
 #include <ietf/ietf_attr_port_filter.h>
 
@@ -25,16 +26,17 @@
 #include <tncif_pa_subtypes.h>
 
 #include <pen/pen.h>
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
 #include <utils/lexparser.h>
-#include <debug.h>
+#include <utils/debug.h>
 
 /* IMV definitions */
 
 static const char imv_name[] = "Scanner";
 
-#define IMV_VENDOR_ID	PEN_ITA
-#define IMV_SUBTYPE		PA_SUBTYPE_ITA_SCANNER
+static pen_type_t msg_types[] = {
+	{ PEN_IETF, PA_SUBTYPE_IETF_VPN }
+};
 
 static imv_agent_t *imv_scanner;
 
@@ -46,7 +48,7 @@ struct port_range_t {
 
 
 /**
- * Default port policy 
+ * Default port policy
  *
  * TRUE:  all server ports on the TNC client must be closed
  * FALSE: any server port on the TNC client is allowed to be open
@@ -124,8 +126,8 @@ TNC_Result TNC_IMV_Initialize(TNC_IMVID imv_id,
 		DBG1(DBG_IMV, "IMV \"%s\" has already been initialized", imv_name);
 		return TNC_RESULT_ALREADY_INITIALIZED;
 	}
-	imv_scanner = imv_agent_create(imv_name, IMV_VENDOR_ID, IMV_SUBTYPE,
-								imv_id, actual_version);
+	imv_scanner = imv_agent_create(imv_name, msg_types, countof(msg_types),
+								   imv_id, actual_version);
 	if (!imv_scanner)
 	{
 		return TNC_RESULT_FATAL;
@@ -176,64 +178,39 @@ TNC_Result TNC_IMV_NotifyConnectionChange(TNC_IMVID imv_id,
 	}
 }
 
-static TNC_Result receive_message(TNC_IMVID imv_id,
-								  TNC_ConnectionID connection_id,
-								  TNC_UInt32 msg_flags,
-								  chunk_t msg,
-								  TNC_VendorID msg_vid,
-								  TNC_MessageSubtype msg_subtype,
-								  TNC_UInt32 src_imc_id,
-								  TNC_UInt32 dst_imv_id)
+static TNC_Result receive_message(imv_state_t *state, imv_msg_t *in_msg)
 {
-	pa_tnc_msg_t *pa_tnc_msg;
+	imv_msg_t *out_msg;
+	enumerator_t *enumerator;
 	pa_tnc_attr_t *attr;
 	pen_type_t type;
-	imv_state_t *state;
-	enumerator_t *enumerator;
 	TNC_Result result;
-	bool fatal_error;
+	bool fatal_error = FALSE;
 
-	if (!imv_scanner)
-	{
-		DBG1(DBG_IMV, "IMV \"%s\" has not been initialized", imv_name);
-		return TNC_RESULT_NOT_INITIALIZED;
-	}
-
-	/* get current IMV state */
-	if (!imv_scanner->get_state(imv_scanner, connection_id, &state))
-	{
-		return TNC_RESULT_FATAL;
-	}
-
-	/* parse received PA-TNC message and automatically handle any errors */ 
-	result = imv_scanner->receive_message(imv_scanner, state, msg, msg_vid,
-					 		msg_subtype, src_imc_id, dst_imv_id, &pa_tnc_msg);
-
-	/* no parsed PA-TNC attributes available if an error occurred */
-	if (!pa_tnc_msg)
+	/* parse received PA-TNC message and handle local and remote errors */
+	result = in_msg->receive(in_msg, &fatal_error);
+	if (result != TNC_RESULT_SUCCESS)
 	{
 		return result;
 	}
 
-	/* preprocess any IETF standard error attributes */
-	fatal_error = pa_tnc_msg->process_ietf_std_errors(pa_tnc_msg);
-
 	/* analyze PA-TNC attributes */
-	enumerator = pa_tnc_msg->create_attribute_enumerator(pa_tnc_msg);
+	enumerator = in_msg->create_attribute_enumerator(in_msg);
 	while (enumerator->enumerate(enumerator, &attr))
 	{
 		type = attr->get_type(attr);
 
 		if (type.vendor_id == PEN_IETF && type.type == IETF_ATTR_PORT_FILTER)
 		{
+			imv_scanner_state_t *imv_scanner_state;
 			ietf_attr_port_filter_t *attr_port_filter;
 			enumerator_t *enumerator;
 			u_int8_t protocol;
 			u_int16_t port;
-			char buf[BUF_LEN], *pos = buf;
-			size_t len = BUF_LEN;
 			bool blocked, compliant = TRUE;
-	
+
+
+			imv_scanner_state = (imv_scanner_state_t*)state;
 			attr_port_filter = (ietf_attr_port_filter_t*)attr;
 			enumerator = attr_port_filter->create_port_enumerator(attr_port_filter);
 			while (enumerator->enumerate(enumerator, &blocked, &protocol, &port))
@@ -241,7 +218,7 @@ static TNC_Result receive_message(TNC_IMVID imv_id,
 				enumerator_t *e;
 				port_range_t *port_range;
 				bool passed, found = FALSE;
-				int written = 0;
+				char buf[20];
 
 				if (blocked)
 				{
@@ -263,54 +240,51 @@ static TNC_Result receive_message(TNC_IMVID imv_id,
 				e->destroy(e);
 
 				passed = (closed_port_policy == found);
-				DBG2(DBG_IMV, "%s port %5u %s: %s", 
+				DBG2(DBG_IMV, "%s port %5u %s: %s",
 					(protocol == IPPROTO_TCP) ? "tcp" : "udp", port,
 					 blocked ? "closed" : "open", passed ? "ok" : "fatal");
 				if (!passed)
 				{
 					compliant = FALSE;
-					written = snprintf(pos, len, " %s/%u",
-									  (protocol == IPPROTO_TCP) ? "tcp" : "udp",
-									   port);
-					if (written < 0 || written >= len)
-					{
-						break;
-					}
-					pos += written;
-					len -= written;
+					snprintf(buf, sizeof(buf), "%s/%u",
+							(protocol == IPPROTO_TCP) ? "tcp" : "udp", port);
+					imv_scanner_state->add_violating_port(imv_scanner_state,
+														  strdup(buf));
 				}
-			} 
+			}
 			enumerator->destroy(enumerator);
 
 			if (compliant)
 			{
 				state->set_recommendation(state,
 								TNC_IMV_ACTION_RECOMMENDATION_ALLOW,
-								TNC_IMV_EVALUATION_RESULT_COMPLIANT);	
+								TNC_IMV_EVALUATION_RESULT_COMPLIANT);
 			}
 			else
 			{
-				imv_scanner_state_t *imv_scanner_state;
-
-				imv_scanner_state = (imv_scanner_state_t*)state;
-				imv_scanner_state->set_violating_ports(imv_scanner_state, buf);
 				state->set_recommendation(state,
 								TNC_IMV_ACTION_RECOMMENDATION_NO_ACCESS,
-								TNC_IMV_EVALUATION_RESULT_NONCOMPLIANT_MAJOR);	
-			}		  
-		}		
+								TNC_IMV_EVALUATION_RESULT_NONCOMPLIANT_MAJOR);
+			}
+		}
 	}
 	enumerator->destroy(enumerator);
-	pa_tnc_msg->destroy(pa_tnc_msg);
 
 	if (fatal_error)
 	{
 		state->set_recommendation(state,
 								TNC_IMV_ACTION_RECOMMENDATION_NO_RECOMMENDATION,
-								TNC_IMV_EVALUATION_RESULT_ERROR);			  
+								TNC_IMV_EVALUATION_RESULT_ERROR);
 	}
-	return imv_scanner->provide_recommendation(imv_scanner, connection_id,
-											   src_imc_id);
+
+	out_msg = imv_msg_create_as_reply(in_msg);
+	result = out_msg->send_assessment(out_msg);
+	out_msg->destroy(out_msg);
+	if (result != TNC_RESULT_SUCCESS)
+	{
+		return result;
+	}  
+	return imv_scanner->provide_recommendation(imv_scanner, state);
  }
 
 /**
@@ -322,14 +296,26 @@ TNC_Result TNC_IMV_ReceiveMessage(TNC_IMVID imv_id,
 								  TNC_UInt32 msg_len,
 								  TNC_MessageType msg_type)
 {
-	TNC_VendorID msg_vid;
-	TNC_MessageSubtype msg_subtype;
+	imv_state_t *state;
+	imv_msg_t *in_msg;
+	TNC_Result result;
 
-	msg_vid = msg_type >> 8;
-	msg_subtype = msg_type & TNC_SUBTYPE_ANY;
+	if (!imv_scanner)
+	{
+		DBG1(DBG_IMV, "IMV \"%s\" has not been initialized", imv_name);
+		return TNC_RESULT_NOT_INITIALIZED;
+	}
+	if (!imv_scanner->get_state(imv_scanner, connection_id, &state))
+	{
+		return TNC_RESULT_FATAL;
+	}
+
+	in_msg = imv_msg_create_from_data(imv_scanner, state, connection_id, msg_type,
+									  chunk_create(msg, msg_len));
+	result = receive_message(state, in_msg);
+	in_msg->destroy(in_msg);
 
-	return receive_message(imv_id, connection_id, 0, chunk_create(msg, msg_len),
-						   msg_vid,	msg_subtype, 0, TNC_IMVID_ANY);
+	return result;
 }
 
 /**
@@ -345,9 +331,26 @@ TNC_Result TNC_IMV_ReceiveMessageLong(TNC_IMVID imv_id,
 									  TNC_UInt32 src_imc_id,
 									  TNC_UInt32 dst_imv_id)
 {
-	return receive_message(imv_id, connection_id, msg_flags,
-						   chunk_create(msg, msg_len), msg_vid, msg_subtype,
-						   src_imc_id, dst_imv_id);
+	imv_state_t *state;
+	imv_msg_t *in_msg;
+	TNC_Result result;
+
+	if (!imv_scanner)
+	{
+		DBG1(DBG_IMV, "IMV \"%s\" has not been initialized", imv_name);
+		return TNC_RESULT_NOT_INITIALIZED;
+	}
+	if (!imv_scanner->get_state(imv_scanner, connection_id, &state))
+	{
+		return TNC_RESULT_FATAL;
+	}
+	in_msg = imv_msg_create_from_long_data(imv_scanner, state, connection_id,
+								src_imc_id, dst_imv_id, msg_vid, msg_subtype,
+								chunk_create(msg, msg_len));
+	result =receive_message(state, in_msg);
+	in_msg->destroy(in_msg);
+
+	return result;
 }
 
 /**
@@ -356,13 +359,18 @@ TNC_Result TNC_IMV_ReceiveMessageLong(TNC_IMVID imv_id,
 TNC_Result TNC_IMV_SolicitRecommendation(TNC_IMVID imv_id,
 										 TNC_ConnectionID connection_id)
 {
+	imv_state_t *state;
+
 	if (!imv_scanner)
 	{
 		DBG1(DBG_IMV, "IMV \"%s\" has not been initialized", imv_name);
 		return TNC_RESULT_NOT_INITIALIZED;
 	}
-	return imv_scanner->provide_recommendation(imv_scanner, connection_id,
-											   TNC_IMCID_ANY);
+	if (!imv_scanner->get_state(imv_scanner, connection_id, &state))
+	{
+		return TNC_RESULT_FATAL;
+	}
+	return imv_scanner->provide_recommendation(imv_scanner, state);
 }
 
 /**
@@ -371,12 +379,36 @@ TNC_Result TNC_IMV_SolicitRecommendation(TNC_IMVID imv_id,
 TNC_Result TNC_IMV_BatchEnding(TNC_IMVID imv_id,
 							   TNC_ConnectionID connection_id)
 {
+	imv_state_t *state;
+	imv_msg_t *out_msg;
+	pa_tnc_attr_t *attr;
+	TNC_IMV_Action_Recommendation rec;
+	TNC_IMV_Evaluation_Result eval;
+	TNC_Result result = TNC_RESULT_SUCCESS;
+
 	if (!imv_scanner)
 	{
 		DBG1(DBG_IMV, "IMV \"%s\" has not been initialized", imv_name);
 		return TNC_RESULT_NOT_INITIALIZED;
 	}
-	return TNC_RESULT_SUCCESS;
+	if (!imv_scanner->get_state(imv_scanner, connection_id, &state))
+	{
+		return TNC_RESULT_FATAL;
+	}
+	state->get_recommendation(state, &rec, &eval);
+	if (rec == TNC_IMV_ACTION_RECOMMENDATION_NO_RECOMMENDATION)
+	{
+		out_msg = imv_msg_create(imv_scanner, state, connection_id, imv_id,
+								 TNC_IMCID_ANY, msg_types[0]);
+		attr = ietf_attr_attr_request_create(PEN_IETF, IETF_ATTR_PORT_FILTER);
+		out_msg->add_attribute(out_msg, attr);
+
+		/* send PA-TNC message with excl flag not set */
+		result = out_msg->send(out_msg, FALSE);
+		out_msg->destroy(out_msg);
+
+	}
+	return result;
 }
 
 /**
diff --git a/src/libimcv/plugins/imv_scanner/imv_scanner_state.c b/src/libimcv/plugins/imv_scanner/imv_scanner_state.c
index fecc84e70..108e5ff6f 100644
--- a/src/libimcv/plugins/imv_scanner/imv_scanner_state.c
+++ b/src/libimcv/plugins/imv_scanner/imv_scanner_state.c
@@ -14,9 +14,12 @@
  */
 
 #include "imv_scanner_state.h"
+#include "imv/imv_lang_string.h"
+#include "imv/imv_reason_string.h"
+#include "imv/imv_remediation_string.h"
 
 #include <utils/lexparser.h>
-#include <debug.h>
+#include <utils/debug.h>
 
 typedef struct private_imv_scanner_state_t private_imv_scanner_state_t;
 
@@ -66,34 +69,63 @@ struct private_imv_scanner_state_t {
 	TNC_IMV_Evaluation_Result eval;
 
 	/**
-	 * String with list of ports that should be closed
+	 * List with ports that should be closed
 	 */
-	char *violating_ports;
+	 linked_list_t *violating_ports;
 
 	/**
-	 * Local copy of the reason string
+	 * TNC Reason String
 	 */
-	chunk_t reason_string;
+	imv_reason_string_t *reason_string;
+
+	/**
+	 * IETF Remediation Instructions String
+	 */
+	imv_remediation_string_t *remediation_string;
+
 };
 
-typedef struct entry_t entry_t;
+/**
+ * Supported languages
+ */
+static char* languages[] = { "en", "de", "fr", "pl" };
 
 /**
- * Define an internal reason string entry
+ * Reason strings for "Port Filter"
  */
-struct entry_t {
-	char *lang;
-	char *string;
+static imv_lang_string_t reasons[] = {
+	{ "en", "Open server ports were detected" },
+	{ "de", "Offene Serverports wurden festgestellt" },
+	{ "fr", "Il y a des ports du serveur ouverts" },
+	{ "pl", "Są otwarte porty serwera" },
+	{ NULL, NULL }
 };
 
 /**
- * Table of multi-lingual reason string entries 
+ * Instruction strings for "Port Filters"
  */
-static entry_t reasons[] = {
-	{ "en", "The following ports are open:" },
-	{ "de", "Die folgenden Ports sind offen" },
-	{ "fr", "Les ports suivants sont ouverts:" },
-	{ "pl", "Następujące porty sa otwarte:" }
+static imv_lang_string_t instr_ports_title[] = {
+	{ "en", "Open Server Ports" },
+	{ "de", "Offene Server Ports" },
+	{ "fr", "Ports ouverts du serveur" },
+	{ "pl", "Otwarte Porty Serwera" },
+	{ NULL, NULL }
+};
+
+static imv_lang_string_t instr_ports_descr[] = {
+	{ "en", "Open Internet ports have been detected" },
+	{ "de", "Offenen Internet-Ports wurden festgestellt" },
+	{ "fr", "Il y'a des ports Internet ouverts" },
+	{ "pl", "Porty internetowe są otwarte" },
+	{ NULL, NULL }
+};
+
+static imv_lang_string_t instr_ports_header[] = {
+	{ "en", "Please close the following server ports:" },
+	{ "de", "Bitte schliessen Sie die folgenden Serverports:" },
+	{ "fr", "Fermez les ports du serveur suivants s'il vous plait:" },
+	{ "pl", "Proszę zamknąć następujące porty serwera:" },
+	{ NULL, NULL }
 };
 
 METHOD(imv_state_t, get_connection_id, TNC_ConnectionID,
@@ -156,75 +188,66 @@ METHOD(imv_state_t, set_recommendation, void,
 }
 
 METHOD(imv_state_t, get_reason_string, bool,
-	private_imv_scanner_state_t *this, chunk_t preferred_language,
-	chunk_t *reason_string, chunk_t *reason_language)
+	private_imv_scanner_state_t *this, enumerator_t *language_enumerator,
+	chunk_t *reason_string, char **reason_language)
 {
-	chunk_t pref_lang, lang;
-	u_char *pos;
-	int i;
-
 	if (!this->violating_ports)
 	{
 		return FALSE;
 	}
+	*reason_language = imv_lang_string_select_lang(language_enumerator,
+											  languages, countof(languages));
+
+	/* Instantiate a TNC Reason String object */
+	DESTROY_IF(this->reason_string);
+	this->reason_string = imv_reason_string_create(*reason_language);
+	this->reason_string->add_reason(this->reason_string, reasons);
+	*reason_string = this->reason_string->get_encoding(this->reason_string);
+
+	return TRUE;
+}
 
-	while (eat_whitespace(&preferred_language))
+METHOD(imv_state_t, get_remediation_instructions, bool,
+	private_imv_scanner_state_t *this, enumerator_t *language_enumerator,
+	chunk_t *string, char **lang_code, char **uri)
+{
+	if (!this->violating_ports)
 	{
-		if (!extract_token(&pref_lang, ',', &preferred_language))
-		{
-			/* last entry in a comma-separated list or single entry */
-			pref_lang = preferred_language;
-		}
-
-		/* eat trailing whitespace */
-		pos = pref_lang.ptr + pref_lang.len - 1;
-		while (pref_lang.len && *pos-- == ' ')
-		{
-			pref_lang.len--;
-		}
-
-		for (i = 0 ; i < countof(reasons); i++)
-		{
-			lang = chunk_create(reasons[i].lang, strlen(reasons[i].lang));
-			if (chunk_equals(lang, pref_lang))
-			{
-				this->reason_string = chunk_cat("cc",
-									chunk_create(reasons[i].string, 
-												 strlen(reasons[i].string)),
-									chunk_create(this->violating_ports,
-												 strlen(this->violating_ports)));
-				*reason_string = this->reason_string;
-				*reason_language = lang;
-				return TRUE;
-			}
-		}
+		return FALSE;
 	}
+	*lang_code = imv_lang_string_select_lang(language_enumerator,
+										languages, countof(languages));
+
+	/* Instantiate an IETF Remediation Instructions String object */
+	DESTROY_IF(this->remediation_string);
+	this->remediation_string = imv_remediation_string_create(
+									TRUE, *lang_code);	/* TODO get os_type */
+
+	this->remediation_string->add_instruction(this->remediation_string,
+									instr_ports_title,
+									instr_ports_descr,
+									instr_ports_header,
+									this->violating_ports);
+	*string = this->remediation_string->get_encoding(this->remediation_string);
+	*uri = lib->settings->get_str(lib->settings,
+				"libimcv.plugins.imv-scanner.remediation_uri", NULL);
 
-	/* no preferred language match found - use the default language */
-
-	this->reason_string =   chunk_cat("cc",
-									chunk_create(reasons[0].string,
-												 strlen(reasons[0].string)),
-									chunk_create(this->violating_ports,
-												 strlen(this->violating_ports)));
-	*reason_string = this->reason_string;
-	*reason_language = chunk_create(reasons[0].lang, 
-									strlen(reasons[0].lang));
 	return TRUE;
 }
 
 METHOD(imv_state_t, destroy, void,
 	private_imv_scanner_state_t *this)
 {
-	free(this->violating_ports);
-	free(this->reason_string.ptr);
+	DESTROY_IF(this->reason_string);
+	DESTROY_IF(this->remediation_string);
+	this->violating_ports->destroy_function(this->violating_ports, free);
 	free(this);
 }
 
-METHOD(imv_scanner_state_t, set_violating_ports, void,
-	private_imv_scanner_state_t *this, char *ports)
+METHOD(imv_scanner_state_t, add_violating_port, void,
+	private_imv_scanner_state_t *this, char *port)
 {
-	this->violating_ports = strdup(ports);
+	this->violating_ports->insert_last(this->violating_ports, port);
 }
 
 /**
@@ -247,16 +270,18 @@ imv_state_t *imv_scanner_state_create(TNC_ConnectionID connection_id)
 				.get_recommendation = _get_recommendation,
 				.set_recommendation = _set_recommendation,
 				.get_reason_string = _get_reason_string,
+				.get_remediation_instructions = _get_remediation_instructions,
 				.destroy = _destroy,
 			},
-			.set_violating_ports = _set_violating_ports,
+			.add_violating_port = _add_violating_port,
 		},
 		.state = TNC_CONNECTION_STATE_CREATE,
 		.rec = TNC_IMV_ACTION_RECOMMENDATION_NO_RECOMMENDATION,
 		.eval = TNC_IMV_EVALUATION_RESULT_DONT_KNOW,
 		.connection_id = connection_id,
+		.violating_ports = linked_list_create(),
 	);
-	
+
 	return &this->public.interface;
 }
 
diff --git a/src/libimcv/plugins/imv_scanner/imv_scanner_state.h b/src/libimcv/plugins/imv_scanner/imv_scanner_state.h
index 716ddfea0..9a0930396 100644
--- a/src/libimcv/plugins/imv_scanner/imv_scanner_state.h
+++ b/src/libimcv/plugins/imv_scanner/imv_scanner_state.h
@@ -37,9 +37,9 @@ struct imv_scanner_state_t {
 	imv_state_t interface;
 
 	/**
-	 * list of violating TCP and UDP ports
+	 * add a violating TCP or UDP port
 	 */
-	void (*set_violating_ports)(imv_scanner_state_t *this, char *ports);
+	void (*add_violating_port)(imv_scanner_state_t *this, char *port);
 };
 
 /**
diff --git a/src/libimcv/plugins/imv_test/Makefile.in b/src/libimcv/plugins/imv_test/Makefile.in
index e395f8187..04b750973 100644
--- a/src/libimcv/plugins/imv_test/Makefile.in
+++ b/src/libimcv/plugins/imv_test/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -73,6 +73,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
 am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
 am__installdirs = "$(DESTDIR)$(imcvdir)"
 LTLIBRARIES = $(imcv_LTLIBRARIES)
 imv_test_la_DEPENDENCIES = $(top_builddir)/src/libimcv/libimcv.la \
@@ -119,6 +125,7 @@ CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -146,6 +153,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -173,6 +181,7 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
@@ -185,6 +194,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -238,7 +248,6 @@ libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -360,7 +369,7 @@ clean-imcvLTLIBRARIES:
 	  echo "rm -f \"$${dir}/so_locations\""; \
 	  rm -f "$${dir}/so_locations"; \
 	done
-imv-test.la: $(imv_test_la_OBJECTS) $(imv_test_la_DEPENDENCIES) 
+imv-test.la: $(imv_test_la_OBJECTS) $(imv_test_la_DEPENDENCIES) $(EXTRA_imv_test_la_DEPENDENCIES) 
 	$(imv_test_la_LINK) -rpath $(imcvdir) $(imv_test_la_OBJECTS) $(imv_test_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
@@ -498,10 +507,15 @@ install-am: all-am
 
 installcheck: installcheck-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
diff --git a/src/libimcv/plugins/imv_test/imv_test.c b/src/libimcv/plugins/imv_test/imv_test.c
index 5ea82e97c..df45ce69a 100644
--- a/src/libimcv/plugins/imv_test/imv_test.c
+++ b/src/libimcv/plugins/imv_test/imv_test.c
@@ -16,7 +16,7 @@
 #include "imv_test_state.h"
 
 #include <imv/imv_agent.h>
-#include <pa_tnc/pa_tnc_msg.h>
+#include <imv/imv_msg.h>
 #include <ietf/ietf_attr.h>
 #include <ietf/ietf_attr_pa_tnc_error.h>
 #include <ita/ita_attr.h>
@@ -27,14 +27,15 @@
 #include <tncif_pa_subtypes.h>
 
 #include <pen/pen.h>
-#include <debug.h>
+#include <utils/debug.h>
 
 /* IMV definitions */
 
 static const char imv_name[] = "Test";
 
-#define IMV_VENDOR_ID	PEN_ITA
-#define IMV_SUBTYPE		PA_SUBTYPE_ITA_TEST
+static pen_type_t msg_types[] = {
+	{ PEN_ITA, PA_SUBTYPE_ITA_TEST }
+};
 
 static imv_agent_t *imv_test;
 
@@ -51,7 +52,7 @@ TNC_Result TNC_IMV_Initialize(TNC_IMVID imv_id,
 		DBG1(DBG_IMV, "IMV \"%s\" has already been initialized", imv_name);
 		return TNC_RESULT_ALREADY_INITIALIZED;
 	}
-	imv_test = imv_agent_create(imv_name, IMV_VENDOR_ID, IMV_SUBTYPE,
+	imv_test = imv_agent_create(imv_name, msg_types, countof(msg_types),
 								imv_id, actual_version);
 	if (!imv_test)
 	{
@@ -92,59 +93,32 @@ TNC_Result TNC_IMV_NotifyConnectionChange(TNC_IMVID imv_id,
 	}
 }
 
-static TNC_Result receive_message(TNC_IMVID imv_id,
-								  TNC_ConnectionID connection_id,
-								  TNC_UInt32 msg_flags,
-								  chunk_t msg,
-								  TNC_VendorID msg_vid,
-								  TNC_MessageSubtype msg_subtype,
-								  TNC_UInt32 src_imc_id,
-								  TNC_UInt32 dst_imv_id)
+static TNC_Result receive_message(imv_state_t *state, imv_msg_t *in_msg)
 {
-	pa_tnc_msg_t *pa_tnc_msg;
-	pa_tnc_attr_t *attr;
-	pen_type_t attr_type;
-	linked_list_t *attr_list;
-	imv_state_t *state;
+	imv_msg_t *out_msg;
 	imv_test_state_t *test_state;
 	enumerator_t *enumerator;
+	pa_tnc_attr_t *attr;
+	pen_type_t attr_type;
 	TNC_Result result;
 	int rounds;
-	bool fatal_error, received_command = FALSE, retry = FALSE;
-
-	if (!imv_test)
-	{
-		DBG1(DBG_IMV, "IMV \"%s\" has not been initialized", imv_name);
-		return TNC_RESULT_NOT_INITIALIZED;
-	}
-
-	/* get current IMV state */
-	if (!imv_test->get_state(imv_test, connection_id, &state))
-	{
-		return TNC_RESULT_FATAL;
-	}
-	test_state = (imv_test_state_t*)state;
-
-	/* parse received PA-TNC message and automatically handle any errors */ 
-	result = imv_test->receive_message(imv_test, state, msg, msg_vid,
-					 		msg_subtype, src_imc_id, dst_imv_id, &pa_tnc_msg);
+	bool fatal_error = FALSE, received_command = FALSE, retry = FALSE;
 
-	/* no parsed PA-TNC attributes available if an error occurred */
-	if (!pa_tnc_msg)
+	/* parse received PA-TNC message and handle local and remote errors */
+	result = in_msg->receive(in_msg, &fatal_error);
+	if (result != TNC_RESULT_SUCCESS)
 	{
 		return result;
 	}
 
-	/* preprocess any IETF standard error attributes */
-	fatal_error = pa_tnc_msg->process_ietf_std_errors(pa_tnc_msg);
-
 	/* add any new IMC and set its number of rounds */
 	rounds = lib->settings->get_int(lib->settings,
 								"libimcv.plugins.imv-test.rounds", 0);
-	test_state->add_imc(test_state, src_imc_id, rounds);
+	test_state = (imv_test_state_t*)state;
+	test_state->add_imc(test_state, in_msg->get_src_id(in_msg), rounds);
 
 	/* analyze PA-TNC attributes */
-	enumerator = pa_tnc_msg->create_attribute_enumerator(pa_tnc_msg);
+	enumerator = in_msg->create_attribute_enumerator(in_msg);
 	while (enumerator->enumerate(enumerator, &attr))
 	{
 		attr_type = attr->get_type(attr);
@@ -157,7 +131,7 @@ static TNC_Result receive_message(TNC_IMVID imv_id,
 		{
 			ita_attr_command_t *ita_attr;
 			char *command;
-	
+
 			received_command = TRUE;
 			ita_attr = (ita_attr_command_t*)attr;
 			command = ita_attr->get_command(ita_attr);
@@ -166,19 +140,19 @@ static TNC_Result receive_message(TNC_IMVID imv_id,
 			{
 				state->set_recommendation(state,
 								TNC_IMV_ACTION_RECOMMENDATION_ALLOW,
-								TNC_IMV_EVALUATION_RESULT_COMPLIANT);			  
+								TNC_IMV_EVALUATION_RESULT_COMPLIANT);
 			}
 			else if (streq(command, "isolate"))
 			{
 				state->set_recommendation(state,
 								TNC_IMV_ACTION_RECOMMENDATION_ISOLATE,
-								TNC_IMV_EVALUATION_RESULT_NONCOMPLIANT_MINOR);			  
+								TNC_IMV_EVALUATION_RESULT_NONCOMPLIANT_MINOR);
 			}
 			else if (streq(command, "block") || streq(command, "none"))
 			{
 				state->set_recommendation(state,
 								TNC_IMV_ACTION_RECOMMENDATION_NO_ACCESS,
-								TNC_IMV_EVALUATION_RESULT_NONCOMPLIANT_MAJOR);			  
+								TNC_IMV_EVALUATION_RESULT_NONCOMPLIANT_MAJOR);
 			}
 			else if (streq(command, "retry"))
 			{
@@ -189,7 +163,7 @@ static TNC_Result receive_message(TNC_IMVID imv_id,
 				DBG1(DBG_IMV, "unsupported ITA Command '%s'", command);
 				state->set_recommendation(state,
 								TNC_IMV_ACTION_RECOMMENDATION_NO_RECOMMENDATION,
-								TNC_IMV_EVALUATION_RESULT_ERROR);			  
+								TNC_IMV_EVALUATION_RESULT_ERROR);
 			}
 		}
 		else if (attr_type.type == ITA_ATTR_DUMMY)
@@ -202,40 +176,60 @@ static TNC_Result receive_message(TNC_IMVID imv_id,
 		}
 	}
 	enumerator->destroy(enumerator);
-	pa_tnc_msg->destroy(pa_tnc_msg);
 
 	if (fatal_error)
 	{
 		state->set_recommendation(state,
-								TNC_IMV_ACTION_RECOMMENDATION_NO_RECOMMENDATION,
-								TNC_IMV_EVALUATION_RESULT_ERROR);			  
-		return imv_test->provide_recommendation(imv_test, connection_id,
-												src_imc_id);
+							TNC_IMV_ACTION_RECOMMENDATION_NO_RECOMMENDATION,
+							TNC_IMV_EVALUATION_RESULT_ERROR);
+		out_msg = imv_msg_create_as_reply(in_msg);
+		result = out_msg->send_assessment(out_msg);
+		out_msg->destroy(out_msg);
+		if (result != TNC_RESULT_SUCCESS)
+		{
+			return result;
+		}  
+		return imv_test->provide_recommendation(imv_test, state);
 	}
 
 	/* request a handshake retry ? */
 	if (retry)
 	{
 		test_state->set_rounds(test_state, rounds);
-		return imv_test->request_handshake_retry(imv_id, connection_id,
-								TNC_RETRY_REASON_IMV_SERIOUS_EVENT);
+		return imv_test->request_handshake_retry(imv_test->get_id(imv_test),
+											state->get_connection_id(state),
+											TNC_RETRY_REASON_IMV_SERIOUS_EVENT);
 	}
-	
+
 	/* repeat the measurement ? */
-	if (test_state->another_round(test_state, src_imc_id))
+	if (test_state->another_round(test_state, in_msg->get_src_id(in_msg)))
 	{
-		attr_list = linked_list_create();
+		out_msg = imv_msg_create_as_reply(in_msg);
 		attr = ita_attr_command_create("repeat");
-		attr_list->insert_last(attr_list, attr);
-		result = imv_test->send_message(imv_test, connection_id, TRUE, imv_id,
-							src_imc_id, attr_list);	
-		attr_list->destroy(attr_list);
+		out_msg->add_attribute(out_msg, attr);
+
+		/* send PA-TNC message with excl flag set */
+		result = out_msg->send(out_msg, TRUE);	
+		out_msg->destroy(out_msg);
 
 		return result;
 	}
 
-	return received_command ? imv_test->provide_recommendation(imv_test,
-			 connection_id, src_imc_id) : TNC_RESULT_SUCCESS;
+	if (received_command)
+	{
+		out_msg = imv_msg_create_as_reply(in_msg);
+		result = out_msg->send_assessment(out_msg);
+		out_msg->destroy(out_msg);
+		if (result != TNC_RESULT_SUCCESS)
+		{
+			return result;
+		}  
+		return imv_test->provide_recommendation(imv_test, state);
+	}
+	else
+	{	
+		return TNC_RESULT_SUCCESS;
+	}
 }
 
 /**
@@ -247,14 +241,25 @@ TNC_Result TNC_IMV_ReceiveMessage(TNC_IMVID imv_id,
 								  TNC_UInt32 msg_len,
 								  TNC_MessageType msg_type)
 {
-	TNC_VendorID msg_vid;
-	TNC_MessageSubtype msg_subtype;
+	imv_state_t *state;
+	imv_msg_t *in_msg;
+	TNC_Result result;
 
-	msg_vid = msg_type >> 8;
-	msg_subtype = msg_type & TNC_SUBTYPE_ANY;
+	if (!imv_test)
+	{
+		DBG1(DBG_IMV, "IMV \"%s\" has not been initialized", imv_name);
+		return TNC_RESULT_NOT_INITIALIZED;
+	}
+	if (!imv_test->get_state(imv_test, connection_id, &state))
+	{
+		return TNC_RESULT_FATAL;
+	}
+	in_msg = imv_msg_create_from_data(imv_test, state, connection_id, msg_type,
+									  chunk_create(msg, msg_len));
+	result = receive_message(state, in_msg);
+	in_msg->destroy(in_msg);
 
-	return receive_message(imv_id, connection_id, 0, chunk_create(msg, msg_len),
-						   msg_vid,	msg_subtype, 0, TNC_IMVID_ANY);
+	return result;
 }
 
 /**
@@ -270,9 +275,26 @@ TNC_Result TNC_IMV_ReceiveMessageLong(TNC_IMVID imv_id,
 									  TNC_UInt32 src_imc_id,
 									  TNC_UInt32 dst_imv_id)
 {
-	return receive_message(imv_id, connection_id, msg_flags,
-						   chunk_create(msg, msg_len), msg_vid, msg_subtype,
-						   src_imc_id, dst_imv_id);
+	imv_state_t *state;
+	imv_msg_t *in_msg;
+	TNC_Result result;
+
+	if (!imv_test)
+	{
+		DBG1(DBG_IMV, "IMV \"%s\" has not been initialized", imv_name);
+		return TNC_RESULT_NOT_INITIALIZED;
+	}
+	if (!imv_test->get_state(imv_test, connection_id, &state))
+	{
+		return TNC_RESULT_FATAL;
+	}
+	in_msg = imv_msg_create_from_long_data(imv_test, state, connection_id,
+								src_imc_id, dst_imv_id, msg_vid, msg_subtype,
+								chunk_create(msg, msg_len));
+	result =receive_message(state, in_msg);
+	in_msg->destroy(in_msg);
+
+	return result;
 }
 
 /**
@@ -281,13 +303,18 @@ TNC_Result TNC_IMV_ReceiveMessageLong(TNC_IMVID imv_id,
 TNC_Result TNC_IMV_SolicitRecommendation(TNC_IMVID imv_id,
 										 TNC_ConnectionID connection_id)
 {
+	imv_state_t *state;
+
 	if (!imv_test)
 	{
 		DBG1(DBG_IMV, "IMV \"%s\" has not been initialized", imv_name);
 		return TNC_RESULT_NOT_INITIALIZED;
 	}
-	return imv_test->provide_recommendation(imv_test, connection_id,
-											TNC_IMCID_ANY);
+	if (!imv_test->get_state(imv_test, connection_id, &state))
+	{
+		return TNC_RESULT_FATAL;
+	}
+	return imv_test->provide_recommendation(imv_test, state);
 }
 
 /**
diff --git a/src/libimcv/plugins/imv_test/imv_test_state.c b/src/libimcv/plugins/imv_test/imv_test_state.c
index 67f22c062..9b9344bf6 100644
--- a/src/libimcv/plugins/imv_test/imv_test_state.c
+++ b/src/libimcv/plugins/imv_test/imv_test_state.c
@@ -14,10 +14,12 @@
  */
 
 #include "imv_test_state.h"
+#include "imv/imv_lang_string.h"
+#include "imv/imv_reason_string.h"
 
 #include <utils/lexparser.h>
-#include <utils/linked_list.h>
-#include <debug.h>
+#include <collections/linked_list.h>
+#include <utils/debug.h>
 
 typedef struct private_imv_test_state_t private_imv_test_state_t;
 
@@ -66,6 +68,11 @@ struct private_imv_test_state_t {
 	 */
 	TNC_IMV_Evaluation_Result eval;
 
+	/**
+	 * TNC Reason String
+	 */
+	imv_reason_string_t *reason_string;
+
 	/**
 	 * List of IMCs
 	 */
@@ -83,24 +90,20 @@ struct imc_entry_t {
 	int rounds;
 };
 
-typedef struct entry_t entry_t;
-
 /**
- * Define an internal reason string entry
+ * Supported languages
  */
-struct entry_t {
-	char *lang;
-	char *string;
-};
+static char* languages[] = { "en", "de", "fr", "pl" };
 
 /**
- * Table of multi-lingual reason string entries 
+ * Table of reason strings
  */
-static entry_t reasons[] = {
+static imv_lang_string_t reasons[] = {
 	{ "en", "IMC Test was not configured with \"command = allow\"" },
 	{ "de", "IMC Test wurde nicht mit \"command = allow\" konfiguriert" },
 	{ "fr", "IMC Test n'etait pas configuré avec \"command = allow\"" },
-	{ "pl", "IMC Test nie zostało skonfigurowany z \"command = allow\"" }
+	{ "pl", "IMC Test nie zostało skonfigurowany z \"command = allow\"" },
+	{ NULL, NULL }
 };
 
 METHOD(imv_state_t, get_connection_id, TNC_ConnectionID,
@@ -163,52 +166,32 @@ METHOD(imv_state_t, set_recommendation, void,
 }
 
 METHOD(imv_state_t, get_reason_string, bool,
-	private_imv_test_state_t *this, chunk_t preferred_language,
-	chunk_t *reason_string, chunk_t *reason_language)
+	private_imv_test_state_t *this, enumerator_t *language_enumerator,
+	chunk_t *reason_string, char **reason_language)
 {
-	chunk_t pref_lang, lang;
-	u_char *pos;
-	int i;
-
-	while (eat_whitespace(&preferred_language))
-	{
-		if (!extract_token(&pref_lang, ',', &preferred_language))
-		{
-			/* last entry in a comma-separated list or single entry */
-			pref_lang = preferred_language;
-		}
-
-		/* eat trailing whitespace */
-		pos = pref_lang.ptr + pref_lang.len - 1;
-		while (pref_lang.len && *pos-- == ' ')
-		{
-			pref_lang.len--;
-		}
+	*reason_language = imv_lang_string_select_lang(language_enumerator,
+											  languages, countof(languages));
 
-		for (i = 0 ; i < countof(reasons); i++)
-		{
-			lang = chunk_create(reasons[i].lang, strlen(reasons[i].lang));
-			if (chunk_equals(lang, pref_lang))
-			{
-				*reason_language = lang;
-				*reason_string = chunk_create(reasons[i].string, 
-										strlen(reasons[i].string));
-				return TRUE;
-			}
-		}
-	}
+	/* Instantiate a TNC Reason String object */
+	DESTROY_IF(this->reason_string);
+	this->reason_string = imv_reason_string_create(*reason_language);
+	this->reason_string->add_reason(this->reason_string, reasons);
+	*reason_string = this->reason_string->get_encoding(this->reason_string);
 
-	/* no preferred language match found - use the default language */
-	*reason_string =   chunk_create(reasons[0].string,
-									strlen(reasons[0].string));
-	*reason_language = chunk_create(reasons[0].lang, 
-									strlen(reasons[0].lang));
 	return TRUE;
 }
 
+METHOD(imv_state_t, get_remediation_instructions, bool,
+	private_imv_test_state_t *this, enumerator_t *language_enumerator,
+	chunk_t *string, char **lang_code, char **uri)
+{
+	return FALSE;
+}
+
 METHOD(imv_state_t, destroy, void,
 	private_imv_test_state_t *this)
 {
+	DESTROY_IF(this->reason_string);
 	this->imcs->destroy_function(this->imcs, free);
 	free(this);
 }
@@ -274,8 +257,8 @@ METHOD(imv_test_state_t, another_round, bool,
 		}
 	}
 	enumerator->destroy(enumerator);
-	
-	return not_finished;	
+
+	return not_finished;
 }
 
 /**
@@ -298,6 +281,7 @@ imv_state_t *imv_test_state_create(TNC_ConnectionID connection_id)
 				.get_recommendation = _get_recommendation,
 				.set_recommendation = _set_recommendation,
 				.get_reason_string = _get_reason_string,
+				.get_remediation_instructions = _get_remediation_instructions,
 				.destroy = _destroy,
 			},
 			.add_imc = _add_imc,
@@ -310,7 +294,7 @@ imv_state_t *imv_test_state_create(TNC_ConnectionID connection_id)
 		.connection_id = connection_id,
 		.imcs = linked_list_create(),
 	);
-	
+
 	return &this->public.interface;
 }
 
diff --git a/src/libipsec/Makefile.in b/src/libipsec/Makefile.in
index 6d984d8ab..628857cbe 100644
--- a/src/libipsec/Makefile.in
+++ b/src/libipsec/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -73,6 +73,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
 am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
 am__installdirs = "$(DESTDIR)$(ipseclibdir)"
 LTLIBRARIES = $(ipseclib_LTLIBRARIES)
 libipsec_la_DEPENDENCIES =
@@ -156,6 +162,7 @@ CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -183,6 +190,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -210,6 +218,7 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
@@ -222,6 +231,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -275,7 +285,6 @@ libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -411,7 +420,7 @@ clean-ipseclibLTLIBRARIES:
 	  echo "rm -f \"$${dir}/so_locations\""; \
 	  rm -f "$${dir}/so_locations"; \
 	done
-libipsec.la: $(libipsec_la_OBJECTS) $(libipsec_la_DEPENDENCIES) 
+libipsec.la: $(libipsec_la_OBJECTS) $(libipsec_la_DEPENDENCIES) $(EXTRA_libipsec_la_DEPENDENCIES) 
 	$(LINK) -rpath $(ipseclibdir) $(libipsec_la_OBJECTS) $(libipsec_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
@@ -669,10 +678,15 @@ install-am: all-am
 
 installcheck: installcheck-recursive
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
diff --git a/src/libipsec/esp_context.c b/src/libipsec/esp_context.c
index dc3ad3f8b..44b1117d9 100644
--- a/src/libipsec/esp_context.c
+++ b/src/libipsec/esp_context.c
@@ -21,7 +21,7 @@
 #include "esp_context.h"
 
 #include <library.h>
-#include <debug.h>
+#include <utils/debug.h>
 #include <crypto/crypters/crypter.h>
 #include <crypto/signers/signer.h>
 
diff --git a/src/libipsec/esp_packet.c b/src/libipsec/esp_packet.c
index bfcab95eb..16cc687ef 100644
--- a/src/libipsec/esp_packet.c
+++ b/src/libipsec/esp_packet.c
@@ -19,7 +19,7 @@
 #include "esp_packet.h"
 
 #include <library.h>
-#include <debug.h>
+#include <utils/debug.h>
 #include <crypto/crypters/crypter.h>
 #include <crypto/signers/signer.h>
 #include <bio/bio_reader.h>
diff --git a/src/libipsec/esp_packet.h b/src/libipsec/esp_packet.h
index a1d1602c1..ce8645825 100644
--- a/src/libipsec/esp_packet.h
+++ b/src/libipsec/esp_packet.h
@@ -27,8 +27,8 @@
 #include "esp_context.h"
 
 #include <library.h>
-#include <utils/host.h>
-#include <utils/packet.h>
+#include <networking/host.h>
+#include <networking/packet.h>
 
 typedef struct esp_packet_t esp_packet_t;
 
diff --git a/src/libipsec/ip_packet.c b/src/libipsec/ip_packet.c
index 096ca33a8..5c8cc2e3e 100644
--- a/src/libipsec/ip_packet.c
+++ b/src/libipsec/ip_packet.c
@@ -17,7 +17,7 @@
 #include "ip_packet.h"
 
 #include <library.h>
-#include <debug.h>
+#include <utils/debug.h>
 
 #include <netinet/in.h>
 #include <netinet/ip.h>
diff --git a/src/libipsec/ip_packet.h b/src/libipsec/ip_packet.h
index b4fc298ff..de817e23e 100644
--- a/src/libipsec/ip_packet.h
+++ b/src/libipsec/ip_packet.h
@@ -22,8 +22,8 @@
 #define IP_PACKET_H_
 
 #include <library.h>
-#include <utils/host.h>
-#include <utils/packet.h>
+#include <networking/host.h>
+#include <networking/packet.h>
 
 typedef struct ip_packet_t ip_packet_t;
 
diff --git a/src/libipsec/ipsec.c b/src/libipsec/ipsec.c
index 50d9163ea..6c9a26acf 100644
--- a/src/libipsec/ipsec.c
+++ b/src/libipsec/ipsec.c
@@ -17,7 +17,7 @@
 
 #include "ipsec.h"
 
-#include <debug.h>
+#include <utils/debug.h>
 
 typedef struct private_ipsec_t private_ipsec_t;
 
diff --git a/src/libipsec/ipsec_event_relay.c b/src/libipsec/ipsec_event_relay.c
index 34222258c..d7d7e8276 100644
--- a/src/libipsec/ipsec_event_relay.c
+++ b/src/libipsec/ipsec_event_relay.c
@@ -18,10 +18,10 @@
 #include "ipsec_event_relay.h"
 
 #include <library.h>
-#include <debug.h>
+#include <utils/debug.h>
 #include <threading/rwlock.h>
-#include <utils/linked_list.h>
-#include <utils/blocking_queue.h>
+#include <collections/linked_list.h>
+#include <collections/blocking_queue.h>
 #include <processing/jobs/callback_job.h>
 
 typedef struct private_ipsec_event_relay_t private_ipsec_event_relay_t;
diff --git a/src/libipsec/ipsec_policy.c b/src/libipsec/ipsec_policy.c
index af8ea9f9d..8407921ac 100644
--- a/src/libipsec/ipsec_policy.c
+++ b/src/libipsec/ipsec_policy.c
@@ -17,7 +17,7 @@
 
 #include "ipsec_policy.h"
 
-#include <debug.h>
+#include <utils/debug.h>
 
 typedef struct private_ipsec_policy_t private_ipsec_policy_t;
 
diff --git a/src/libipsec/ipsec_policy.h b/src/libipsec/ipsec_policy.h
index 67ad0b0ed..23a9ea99d 100644
--- a/src/libipsec/ipsec_policy.h
+++ b/src/libipsec/ipsec_policy.h
@@ -26,7 +26,7 @@
 #include "ip_packet.h"
 
 #include <library.h>
-#include <utils/host.h>
+#include <networking/host.h>
 #include <ipsec/ipsec_types.h>
 #include <selectors/traffic_selector.h>
 
diff --git a/src/libipsec/ipsec_policy_mgr.c b/src/libipsec/ipsec_policy_mgr.c
index 41ba792c3..72f94ec20 100644
--- a/src/libipsec/ipsec_policy_mgr.c
+++ b/src/libipsec/ipsec_policy_mgr.c
@@ -17,9 +17,9 @@
 
 #include "ipsec_policy_mgr.h"
 
-#include <debug.h>
+#include <utils/debug.h>
 #include <threading/rwlock.h>
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
 
 /** Base priority for installed policies */
 #define PRIO_BASE 512
diff --git a/src/libipsec/ipsec_policy_mgr.h b/src/libipsec/ipsec_policy_mgr.h
index d3ee1074f..dfa4b12c3 100644
--- a/src/libipsec/ipsec_policy_mgr.h
+++ b/src/libipsec/ipsec_policy_mgr.h
@@ -27,8 +27,8 @@
 #include "ip_packet.h"
 
 #include <library.h>
-#include <utils/host.h>
-#include <utils/linked_list.h>
+#include <networking/host.h>
+#include <collections/linked_list.h>
 #include <ipsec/ipsec_types.h>
 #include <selectors/traffic_selector.h>
 
diff --git a/src/libipsec/ipsec_processor.c b/src/libipsec/ipsec_processor.c
index a91d9e074..66f43a408 100644
--- a/src/libipsec/ipsec_processor.c
+++ b/src/libipsec/ipsec_processor.c
@@ -16,10 +16,10 @@
 #include "ipsec.h"
 #include "ipsec_processor.h"
 
-#include <debug.h>
+#include <utils/debug.h>
 #include <library.h>
 #include <threading/rwlock.h>
-#include <utils/blocking_queue.h>
+#include <collections/blocking_queue.h>
 #include <processing/jobs/callback_job.h>
 
 typedef struct private_ipsec_processor_t private_ipsec_processor_t;
@@ -146,7 +146,9 @@ static job_requeue_t process_inbound(private_ipsec_processor_t *this)
 				policy->destroy(policy);
 				break;
 			}
-			DBG1(DBG_ESP, "discarding inbound IP packet due to policy");
+			DBG1(DBG_ESP, "discarding inbound IP packet %H == %H due to "
+				 "policy", ip_packet->get_source(ip_packet),
+				 ip_packet->get_destination(ip_packet));
 			/* no matching policy found, fall-through */
 		}
 		case IPPROTO_NONE:
diff --git a/src/libipsec/ipsec_sa.c b/src/libipsec/ipsec_sa.c
index cccd16404..2ff5cff55 100644
--- a/src/libipsec/ipsec_sa.c
+++ b/src/libipsec/ipsec_sa.c
@@ -18,7 +18,7 @@
 #include "ipsec_sa.h"
 
 #include <library.h>
-#include <debug.h>
+#include <utils/debug.h>
 
 typedef struct private_ipsec_sa_t private_ipsec_sa_t;
 
@@ -95,6 +95,20 @@ METHOD(ipsec_sa_t, get_destination, host_t*,
 	return this->dst;
 }
 
+METHOD(ipsec_sa_t, set_source, void,
+	private_ipsec_sa_t *this, host_t *addr)
+{
+	this->src->destroy(this->src);
+	this->src = addr->clone(addr);
+}
+
+METHOD(ipsec_sa_t, set_destination, void,
+	private_ipsec_sa_t *this, host_t *addr)
+{
+	this->dst->destroy(this->dst);
+	this->dst = addr->clone(addr);
+}
+
 METHOD(ipsec_sa_t, get_spi, u_int32_t,
 	private_ipsec_sa_t *this)
 {
@@ -202,6 +216,8 @@ ipsec_sa_t *ipsec_sa_create(u_int32_t spi, host_t *src, host_t *dst,
 			.destroy = _destroy,
 			.get_source = _get_source,
 			.get_destination = _get_destination,
+			.set_source = _set_source,
+			.set_destination = _set_destination,
 			.get_spi = _get_spi,
 			.get_reqid = _get_reqid,
 			.get_protocol = _get_protocol,
diff --git a/src/libipsec/ipsec_sa.h b/src/libipsec/ipsec_sa.h
index 5fd03b6e4..dec688e68 100644
--- a/src/libipsec/ipsec_sa.h
+++ b/src/libipsec/ipsec_sa.h
@@ -26,7 +26,7 @@
 #include "esp_context.h"
 
 #include <library.h>
-#include <utils/host.h>
+#include <networking/host.h>
 #include <selectors/traffic_selector.h>
 #include <ipsec/ipsec_types.h>
 
@@ -51,6 +51,20 @@ struct ipsec_sa_t {
 	 */
 	host_t *(*get_destination)(ipsec_sa_t *this);
 
+	/**
+	 * Set the source address for this SA
+	 *
+	 * @param addr		source address of this SA (gets cloned)
+	 */
+	void (*set_source)(ipsec_sa_t *this, host_t *addr);
+
+	/**
+	 * Set the destination address for this SA
+	 *
+	 * @param addr		destination address of this SA (gets cloned)
+	 */
+	void (*set_destination)(ipsec_sa_t *this, host_t *addr);
+
 	/**
 	 * Get the SPI for this SA
 	 *
diff --git a/src/libipsec/ipsec_sa_mgr.c b/src/libipsec/ipsec_sa_mgr.c
index e42c77aa5..28748971d 100644
--- a/src/libipsec/ipsec_sa_mgr.c
+++ b/src/libipsec/ipsec_sa_mgr.c
@@ -18,13 +18,13 @@
 #include "ipsec.h"
 #include "ipsec_sa_mgr.h"
 
-#include <debug.h>
+#include <utils/debug.h>
 #include <library.h>
 #include <processing/jobs/callback_job.h>
 #include <threading/condvar.h>
 #include <threading/mutex.h>
-#include <utils/hashtable.h>
-#include <utils/linked_list.h>
+#include <collections/hashtable.h>
+#include <collections/linked_list.h>
 
 typedef struct private_ipsec_sa_mgr_t private_ipsec_sa_mgr_t;
 
@@ -237,29 +237,29 @@ static bool match_entry_by_sa_ptr(ipsec_sa_entry_t *item, ipsec_sa_t *sa)
 	return item->sa == sa;
 }
 
-static bool match_entry_by_spi_inbound(ipsec_sa_entry_t *item, u_int32_t spi,
-									   bool inbound)
+static bool match_entry_by_spi_inbound(ipsec_sa_entry_t *item, u_int32_t *spi,
+									   bool *inbound)
 {
-	return item->sa->get_spi(item->sa) == spi &&
-		   item->sa->is_inbound(item->sa) == inbound;
+	return item->sa->get_spi(item->sa) == *spi &&
+		   item->sa->is_inbound(item->sa) == *inbound;
 }
 
-static bool match_entry_by_spi_src_dst(ipsec_sa_entry_t *item, u_int32_t spi,
+static bool match_entry_by_spi_src_dst(ipsec_sa_entry_t *item, u_int32_t *spi,
 									   host_t *src, host_t *dst)
 {
-	return item->sa->match_by_spi_src_dst(item->sa, spi, src, dst);
+	return item->sa->match_by_spi_src_dst(item->sa, *spi, src, dst);
 }
 
 static bool match_entry_by_reqid_inbound(ipsec_sa_entry_t *item,
-										 u_int32_t reqid, bool inbound)
+										 u_int32_t *reqid, bool *inbound)
 {
-	return item->sa->match_by_reqid(item->sa, reqid, inbound);
+	return item->sa->match_by_reqid(item->sa, *reqid, *inbound);
 }
 
-static bool match_entry_by_spi_dst(ipsec_sa_entry_t *item, u_int32_t spi,
+static bool match_entry_by_spi_dst(ipsec_sa_entry_t *item, u_int32_t *spi,
 								   host_t *dst)
 {
-	return item->sa->match_by_spi_dst(item->sa, spi, dst);
+	return item->sa->match_by_spi_dst(item->sa, *spi, dst);
 }
 
 /**
@@ -381,7 +381,7 @@ static bool allocate_spi(private_ipsec_sa_mgr_t *this, u_int32_t spi)
 
 	if (this->allocated_spis->get(this->allocated_spis, &spi) ||
 		this->sas->find_first(this->sas, (void*)match_entry_by_spi_inbound,
-							  NULL, spi, TRUE) == SUCCESS)
+							  NULL, &spi, TRUE) == SUCCESS)
 	{
 		return FALSE;
 	}
@@ -471,7 +471,7 @@ METHOD(ipsec_sa_mgr_t, add_sa, status_t,
 	}
 
 	if (this->sas->find_first(this->sas, (void*)match_entry_by_spi_src_dst,
-							  NULL, spi, src, dst) == SUCCESS)
+							  NULL, &spi, src, dst) == SUCCESS)
 	{
 		this->mutex->unlock(this->mutex);
 		DBG1(DBG_ESP, "failed to install SAD entry: already installed");
@@ -487,6 +487,44 @@ METHOD(ipsec_sa_mgr_t, add_sa, status_t,
 	return SUCCESS;
 }
 
+METHOD(ipsec_sa_mgr_t, update_sa, status_t,
+	private_ipsec_sa_mgr_t *this, u_int32_t spi, u_int8_t protocol,
+	u_int16_t cpi, host_t *src, host_t *dst, host_t *new_src, host_t *new_dst,
+	bool encap, bool new_encap, mark_t mark)
+{
+	ipsec_sa_entry_t *entry = NULL;
+
+	DBG2(DBG_ESP, "updating SAD entry with SPI %.8x from %#H..%#H to %#H..%#H",
+		 ntohl(spi), src, dst, new_src, new_dst);
+
+	if (!new_encap)
+	{
+		DBG1(DBG_ESP, "failed to update SAD entry: can't deactivate UDP "
+			 "encapsulation");
+		return NOT_SUPPORTED;
+	}
+
+	this->mutex->lock(this->mutex);
+	if (this->sas->find_first(this->sas, (void*)match_entry_by_spi_src_dst,
+							 (void**)&entry, &spi, src, dst) == SUCCESS &&
+		wait_for_entry(this, entry))
+	{
+		entry->sa->set_source(entry->sa, new_src);
+		entry->sa->set_destination(entry->sa, new_dst);
+		/* checkin the entry */
+		entry->locked = FALSE;
+		entry->condvar->signal(entry->condvar);
+	}
+	this->mutex->unlock(this->mutex);
+
+	if (!entry)
+	{
+		DBG1(DBG_ESP, "failed to update SAD entry: not found");
+		return FAILED;
+	}
+	return SUCCESS;
+}
+
 METHOD(ipsec_sa_mgr_t, del_sa, status_t,
 	private_ipsec_sa_mgr_t *this, host_t *src, host_t *dst, u_int32_t spi,
 	u_int8_t protocol, u_int16_t cpi, mark_t mark)
@@ -498,7 +536,7 @@ METHOD(ipsec_sa_mgr_t, del_sa, status_t,
 	enumerator = this->sas->create_enumerator(this->sas);
 	while (enumerator->enumerate(enumerator, (void**)&current))
 	{
-		if (match_entry_by_spi_src_dst(current, spi, src, dst))
+		if (match_entry_by_spi_src_dst(current, &spi, src, dst))
 		{
 			if (wait_remove_entry(this, current))
 			{
@@ -529,7 +567,7 @@ METHOD(ipsec_sa_mgr_t, checkout_by_reqid, ipsec_sa_t*,
 
 	this->mutex->lock(this->mutex);
 	if (this->sas->find_first(this->sas, (void*)match_entry_by_reqid_inbound,
-							 (void**)&entry, reqid, inbound) == SUCCESS &&
+							 (void**)&entry, &reqid, &inbound) == SUCCESS &&
 		wait_for_entry(this, entry))
 	{
 		sa = entry->sa;
@@ -546,7 +584,7 @@ METHOD(ipsec_sa_mgr_t, checkout_by_spi, ipsec_sa_t*,
 
 	this->mutex->lock(this->mutex);
 	if (this->sas->find_first(this->sas, (void*)match_entry_by_spi_dst,
-							 (void**)&entry, spi, dst) == SUCCESS &&
+							 (void**)&entry, &spi, dst) == SUCCESS &&
 		wait_for_entry(this, entry))
 	{
 		sa = entry->sa;
@@ -609,6 +647,7 @@ ipsec_sa_mgr_t *ipsec_sa_mgr_create()
 		.public = {
 			.get_spi = _get_spi,
 			.add_sa = _add_sa,
+			.update_sa = _update_sa,
 			.del_sa = _del_sa,
 			.checkout_by_spi = _checkout_by_spi,
 			.checkout_by_reqid = _checkout_by_reqid,
diff --git a/src/libipsec/ipsec_sa_mgr.h b/src/libipsec/ipsec_sa_mgr.h
index 303b36f0e..3ff092038 100644
--- a/src/libipsec/ipsec_sa_mgr.h
+++ b/src/libipsec/ipsec_sa_mgr.h
@@ -28,7 +28,7 @@
 #include <library.h>
 #include <ipsec/ipsec_types.h>
 #include <selectors/traffic_selector.h>
-#include <utils/host.h>
+#include <networking/host.h>
 
 typedef struct ipsec_sa_mgr_t ipsec_sa_mgr_t;
 
@@ -85,6 +85,27 @@ struct ipsec_sa_mgr_t {
 					   u_int16_t cpi, bool encap, bool esn, bool inbound,
 					   traffic_selector_t *src_ts, traffic_selector_t *dst_ts);
 
+	/**
+	 * Update the hosts on an installed SA.
+	 *
+	 * @param spi			SPI of the SA
+	 * @param protocol		protocol for this SA (ESP/AH)
+	 * @param cpi			CPI for IPComp, 0 if no IPComp is used
+	 * @param src			current source address
+	 * @param dst			current destination address
+	 * @param new_src		new source address
+	 * @param new_dst		new destination address
+	 * @param encap			current use of UDP encapsulation
+	 * @param new_encap		new use of UDP encapsulation
+	 * @param mark			optional mark for this SA
+	 * @return				SUCCESS if operation completed
+	 */
+	status_t (*update_sa)(ipsec_sa_mgr_t *this,
+						  u_int32_t spi, u_int8_t protocol, u_int16_t cpi,
+						  host_t *src, host_t *dst,
+						  host_t *new_src, host_t *new_dst,
+						  bool encap, bool new_encap, mark_t mark);
+
 	/**
 	 * Delete a previously added SA
 	 *
diff --git a/src/libpts/Makefile.am b/src/libpts/Makefile.am
index 8137493ab..edf3f7416 100644
--- a/src/libpts/Makefile.am
+++ b/src/libpts/Makefile.am
@@ -3,7 +3,11 @@ INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libimcv
 
 ipseclib_LTLIBRARIES = libpts.la
 
-libpts_la_LIBADD = $(top_builddir)/src/libimcv/libimcv.la -ltspi
+libpts_la_LIBADD = $(top_builddir)/src/libimcv/libimcv.la
+
+if USE_TROUSERS
+  libpts_la_LIBADD += -ltspi
+endif
 
 libpts_la_SOURCES = \
 	libpts.h libpts.c \
@@ -47,7 +51,7 @@ libpts_la_SOURCES = \
 	tcg/tcg_pts_attr_file_meas.h tcg/tcg_pts_attr_file_meas.c \
 	tcg/tcg_pts_attr_req_file_meta.h tcg/tcg_pts_attr_req_file_meta.c \
 	tcg/tcg_pts_attr_unix_file_meta.h tcg/tcg_pts_attr_unix_file_meta.c
-	
+
 SUBDIRS = .
 
 if USE_IMC_ATTESTATION
diff --git a/src/libpts/Makefile.in b/src/libpts/Makefile.in
index 0b6451bcc..d275a8b2b 100644
--- a/src/libpts/Makefile.in
+++ b/src/libpts/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -34,8 +34,9 @@ PRE_UNINSTALL = :
 POST_UNINSTALL = :
 build_triplet = @build@
 host_triplet = @host@
-@USE_IMC_ATTESTATION_TRUE@am__append_1 = plugins/imc_attestation
-@USE_IMV_ATTESTATION_TRUE@am__append_2 = plugins/imv_attestation
+@USE_TROUSERS_TRUE@am__append_1 = -ltspi
+@USE_IMC_ATTESTATION_TRUE@am__append_2 = plugins/imc_attestation
+@USE_IMV_ATTESTATION_TRUE@am__append_3 = plugins/imv_attestation
 subdir = src/libpts
 DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
@@ -75,9 +76,17 @@ am__nobase_list = $(am__nobase_strip_setup); \
 am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
 am__installdirs = "$(DESTDIR)$(ipseclibdir)"
 LTLIBRARIES = $(ipseclib_LTLIBRARIES)
-libpts_la_DEPENDENCIES = $(top_builddir)/src/libimcv/libimcv.la
+am__DEPENDENCIES_1 =
+libpts_la_DEPENDENCIES = $(top_builddir)/src/libimcv/libimcv.la \
+	$(am__DEPENDENCIES_1)
 am_libpts_la_OBJECTS = libpts.lo pts.lo pts_error.lo pts_pcr.lo \
 	pts_creds.lo pts_database.lo pts_dh_group.lo pts_file_meas.lo \
 	pts_file_meta.lo pts_file_type.lo pts_meas_algo.lo \
@@ -172,6 +181,7 @@ CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -199,6 +209,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -226,6 +237,7 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
@@ -238,6 +250,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -291,7 +304,6 @@ libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -340,7 +352,8 @@ xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
 INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libimcv
 ipseclib_LTLIBRARIES = libpts.la
-libpts_la_LIBADD = $(top_builddir)/src/libimcv/libimcv.la -ltspi
+libpts_la_LIBADD = $(top_builddir)/src/libimcv/libimcv.la \
+	$(am__append_1)
 libpts_la_SOURCES = \
 	libpts.h libpts.c \
 	pts/pts.h pts/pts.c \
@@ -384,7 +397,7 @@ libpts_la_SOURCES = \
 	tcg/tcg_pts_attr_req_file_meta.h tcg/tcg_pts_attr_req_file_meta.c \
 	tcg/tcg_pts_attr_unix_file_meta.h tcg/tcg_pts_attr_unix_file_meta.c
 
-SUBDIRS = . $(am__append_1) $(am__append_2)
+SUBDIRS = . $(am__append_2) $(am__append_3)
 all: all-recursive
 
 .SUFFIXES:
@@ -450,7 +463,7 @@ clean-ipseclibLTLIBRARIES:
 	  echo "rm -f \"$${dir}/so_locations\""; \
 	  rm -f "$${dir}/so_locations"; \
 	done
-libpts.la: $(libpts_la_OBJECTS) $(libpts_la_DEPENDENCIES) 
+libpts.la: $(libpts_la_OBJECTS) $(libpts_la_DEPENDENCIES) $(EXTRA_libpts_la_DEPENDENCIES) 
 	$(LINK) -rpath $(ipseclibdir) $(libpts_la_OBJECTS) $(libpts_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
@@ -987,10 +1000,15 @@ install-am: all-am
 
 installcheck: installcheck-recursive
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
diff --git a/src/libpts/libpts.c b/src/libpts/libpts.c
index 384ee4ed7..95110823c 100644
--- a/src/libpts/libpts.c
+++ b/src/libpts/libpts.c
@@ -23,7 +23,7 @@
 #include "pts/components/ita/ita_comp_tgrub.h"
 
 #include <imcv.h>
-#include <debug.h>
+#include <utils/debug.h>
 
 /**
  * PTS Functional Component manager
diff --git a/src/libpts/plugins/imc_attestation/Makefile.in b/src/libpts/plugins/imc_attestation/Makefile.in
index 4734379bf..15028d677 100644
--- a/src/libpts/plugins/imc_attestation/Makefile.in
+++ b/src/libpts/plugins/imc_attestation/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -73,6 +73,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
 am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
 am__installdirs = "$(DESTDIR)$(imcvdir)"
 LTLIBRARIES = $(imcv_LTLIBRARIES)
 imc_attestation_la_DEPENDENCIES =  \
@@ -122,6 +128,7 @@ CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -149,6 +156,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -176,6 +184,7 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
@@ -188,6 +197,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -241,7 +251,6 @@ libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -367,7 +376,7 @@ clean-imcvLTLIBRARIES:
 	  echo "rm -f \"$${dir}/so_locations\""; \
 	  rm -f "$${dir}/so_locations"; \
 	done
-imc-attestation.la: $(imc_attestation_la_OBJECTS) $(imc_attestation_la_DEPENDENCIES) 
+imc-attestation.la: $(imc_attestation_la_OBJECTS) $(imc_attestation_la_DEPENDENCIES) $(EXTRA_imc_attestation_la_DEPENDENCIES) 
 	$(imc_attestation_la_LINK) -rpath $(imcvdir) $(imc_attestation_la_OBJECTS) $(imc_attestation_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
@@ -506,10 +515,15 @@ install-am: all-am
 
 installcheck: installcheck-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
diff --git a/src/libpts/plugins/imc_attestation/imc_attestation.c b/src/libpts/plugins/imc_attestation/imc_attestation.c
index 7cb2a0671..bb327e936 100644
--- a/src/libpts/plugins/imc_attestation/imc_attestation.c
+++ b/src/libpts/plugins/imc_attestation/imc_attestation.c
@@ -17,11 +17,13 @@
 #include "imc_attestation_process.h"
 
 #include <imc/imc_agent.h>
-#include <pa_tnc/pa_tnc_msg.h>
+#include <imc/imc_msg.h>
 #include <ietf/ietf_attr.h>
 #include <ietf/ietf_attr_pa_tnc_error.h>
 #include <ietf/ietf_attr_product_info.h>
+#include <ietf/ietf_attr_string_version.h>
 #include <ietf/ietf_attr_assess_result.h>
+#include <os_info/os_info.h>
 
 #include <libpts.h>
 
@@ -33,15 +35,16 @@
 #include <tncif_pa_subtypes.h>
 
 #include <pen/pen.h>
-#include <debug.h>
-#include <utils/linked_list.h>
+#include <utils/debug.h>
+#include <collections/linked_list.h>
 
 /* IMC definitions */
 
 static const char imc_name[] = "Attestation";
 
-#define IMC_VENDOR_ID				PEN_TCG
-#define IMC_SUBTYPE					PA_SUBTYPE_TCG_PTS
+static pen_type_t msg_types[] = {
+	{ PEN_TCG, PA_SUBTYPE_TCG_PTS }
+};
 
 static imc_agent_t *imc_attestation;
 
@@ -73,7 +76,7 @@ TNC_Result TNC_IMC_Initialize(TNC_IMCID imc_id,
 	{
 		return TNC_RESULT_FATAL;
 	}
-	imc_attestation = imc_agent_create(imc_name, IMC_VENDOR_ID, IMC_SUBTYPE,
+	imc_attestation = imc_agent_create(imc_name, msg_types, countof(msg_types),
 									   imc_id, actual_version);
 	if (!imc_attestation)
 	{
@@ -81,7 +84,7 @@ TNC_Result TNC_IMC_Initialize(TNC_IMCID imc_id,
 	}
 
 	libpts_init();
-	
+
 	if (min_version > TNC_IFIMC_VERSION_1 || max_version < TNC_IFIMC_VERSION_1)
 	{
 		DBG1(DBG_IMC, "no common IF-IMC version");
@@ -135,94 +138,35 @@ TNC_Result TNC_IMC_NotifyConnectionChange(TNC_IMCID imc_id,
 TNC_Result TNC_IMC_BeginHandshake(TNC_IMCID imc_id,
 								  TNC_ConnectionID connection_id)
 {
-	imc_state_t *state;
-	imc_attestation_state_t *attestation_state;
-	pts_t *pts;
-	char *platform_info;
-	TNC_Result result = TNC_RESULT_SUCCESS;
-
 	if (!imc_attestation)
 	{
 		DBG1(DBG_IMC, "IMC \"%s\" has not been initialized", imc_name);
 		return TNC_RESULT_NOT_INITIALIZED;
 	}
 
-	/* get current IMC state */
-	if (!imc_attestation->get_state(imc_attestation, connection_id, &state))
-	{
-		return TNC_RESULT_FATAL;
-	}
-	attestation_state = (imc_attestation_state_t*)state;
-	pts = attestation_state->get_pts(attestation_state);
-
-	platform_info = pts->get_platform_info(pts);
-	if (platform_info)
-	{
-		linked_list_t *attr_list;
-		pa_tnc_attr_t *attr;
-
-		attr_list = linked_list_create();
-		attr = ietf_attr_product_info_create(0, 0, platform_info);
-		attr_list->insert_last(attr_list, attr);
-		result = imc_attestation->send_message(imc_attestation, connection_id,
-										FALSE, 0, TNC_IMVID_ANY, attr_list);
-		attr_list->destroy(attr_list);
-	}
-
-	return result;
+	return TNC_RESULT_SUCCESS;
 }
 
-static TNC_Result receive_message(TNC_IMCID imc_id,
-								  TNC_ConnectionID connection_id,
-								  TNC_UInt32 msg_flags,
-								  chunk_t msg,
-								  TNC_VendorID msg_vid,
-								  TNC_MessageSubtype msg_subtype,
-								  TNC_UInt32 src_imv_id,
-								  TNC_UInt32 dst_imc_id)
+static TNC_Result receive_message(imc_state_t *state, imc_msg_t *in_msg)
 {
-	pa_tnc_msg_t *pa_tnc_msg;
-	pa_tnc_attr_t *attr;
-	pen_type_t type;
-	linked_list_t *attr_list;
-	imc_state_t *state;
+	imc_msg_t *out_msg;
 	imc_attestation_state_t *attestation_state;
 	enumerator_t *enumerator;
+	pa_tnc_attr_t *attr;
+	pen_type_t type;
 	TNC_Result result;
-	TNC_UInt32 target_imc_id;
-
-	if (!imc_attestation)
-	{
-		DBG1(DBG_IMC, "IMC \"%s\" has not been initialized", imc_name);
-		return TNC_RESULT_NOT_INITIALIZED;
-	}
-
-	/* get current IMC state */
-	if (!imc_attestation->get_state(imc_attestation, connection_id, &state))
-	{
-		return TNC_RESULT_FATAL;
-	}
-	attestation_state = (imc_attestation_state_t*)state;
-
-	/* parse received PA-TNC message and automatically handle any errors */
-	result = imc_attestation->receive_message(imc_attestation, state, msg,
-					msg_vid, msg_subtype, src_imv_id, dst_imc_id, &pa_tnc_msg);
+	bool fatal_error = FALSE;
 
-	/* no parsed PA-TNC attributes available if an error occurred */
-	if (!pa_tnc_msg)
+	/* parse received PA-TNC message and handle local and remote errors */
+	result = in_msg->receive(in_msg, &fatal_error);
+	if (result != TNC_RESULT_SUCCESS)
 	{
 		return result;
 	}
-	target_imc_id = (dst_imc_id == TNC_IMCID_ANY) ? imc_id : dst_imc_id;
-	
-	/* preprocess any IETF standard error attributes */
-	result = pa_tnc_msg->process_ietf_std_errors(pa_tnc_msg) ?
-					TNC_RESULT_FATAL : TNC_RESULT_SUCCESS;
-
-	attr_list = linked_list_create();
+	out_msg = imc_msg_create_as_reply(in_msg);
 
 	/* analyze PA-TNC attributes */
-	enumerator = pa_tnc_msg->create_attribute_enumerator(pa_tnc_msg);
+	enumerator = in_msg->create_attribute_enumerator(in_msg);
 	while (enumerator->enumerate(enumerator, &attr))
 	{
 		type = attr->get_type(attr);
@@ -249,18 +193,12 @@ static TNC_Result receive_message(TNC_IMCID imc_id,
 					result = TNC_RESULT_FATAL;
 				}
 			}
-			else if (type.type == IETF_ATTR_ASSESSMENT_RESULT)
-			{
-				ietf_attr_assess_result_t *ietf_attr;
-
-				ietf_attr = (ietf_attr_assess_result_t*)attr;
-				state->set_result(state, target_imc_id,
-								  ietf_attr->get_result(ietf_attr));
-			}
 		}
 		else if (type.vendor_id == PEN_TCG)
 		{
-			if (!imc_attestation_process(attr, attr_list, attestation_state,
+			attestation_state = (imc_attestation_state_t*)state;
+
+			if (!imc_attestation_process(attr, out_msg, attestation_state,
 				supported_algorithms, supported_dh_groups))
 			{
 				result = TNC_RESULT_FATAL;
@@ -269,14 +207,13 @@ static TNC_Result receive_message(TNC_IMCID imc_id,
 		}
 	}
 	enumerator->destroy(enumerator);
-	pa_tnc_msg->destroy(pa_tnc_msg);
 
-	if (result == TNC_RESULT_SUCCESS && attr_list->get_count(attr_list))
+	if (result == TNC_RESULT_SUCCESS)
 	{
-		result = imc_attestation->send_message(imc_attestation, connection_id,
-										FALSE, 0, TNC_IMVID_ANY, attr_list);
+		/* send PA-TNC message with the excl flag set */
+		result = out_msg->send(out_msg, TRUE);
 	}
-	attr_list->destroy(attr_list);
+	out_msg->destroy(out_msg);
 
 	return result;
 }
@@ -290,14 +227,26 @@ TNC_Result TNC_IMC_ReceiveMessage(TNC_IMCID imc_id,
 								  TNC_UInt32 msg_len,
 								  TNC_MessageType msg_type)
 {
-	TNC_VendorID msg_vid;
-	TNC_MessageSubtype msg_subtype;
+	imc_state_t *state;
+	imc_msg_t *in_msg;
+	TNC_Result result;
+
+	if (!imc_attestation)
+	{
+		DBG1(DBG_IMC, "IMC \"%s\" has not been initialized", imc_name);
+		return TNC_RESULT_NOT_INITIALIZED;
+	}
+	if (!imc_attestation->get_state(imc_attestation, connection_id, &state))
+	{
+		return TNC_RESULT_FATAL;
+	}
 
-	msg_vid = msg_type >> 8;
-	msg_subtype = msg_type & TNC_SUBTYPE_ANY;
+	in_msg = imc_msg_create_from_data(imc_attestation, state, connection_id,
+									  msg_type, chunk_create(msg, msg_len));
+	result = receive_message(state, in_msg);
+	in_msg->destroy(in_msg);
 
-	return receive_message(imc_id, connection_id, 0, chunk_create(msg, msg_len),
-						   msg_vid,	msg_subtype, 0, TNC_IMCID_ANY);
+	return result;
 }
 
 /**
@@ -313,9 +262,26 @@ TNC_Result TNC_IMC_ReceiveMessageLong(TNC_IMCID imc_id,
 									  TNC_UInt32 src_imv_id,
 									  TNC_UInt32 dst_imc_id)
 {
-	return receive_message(imc_id, connection_id, msg_flags,
-						   chunk_create(msg, msg_len), msg_vid, msg_subtype,
-						   src_imv_id, dst_imc_id);
+	imc_state_t *state;
+	imc_msg_t *in_msg;
+	TNC_Result result;
+
+	if (!imc_attestation)
+	{
+		DBG1(DBG_IMC, "IMC \"%s\" has not been initialized", imc_name);
+		return TNC_RESULT_NOT_INITIALIZED;
+	}
+	if (!imc_attestation->get_state(imc_attestation, connection_id, &state))
+	{
+		return TNC_RESULT_FATAL;
+	}
+	in_msg = imc_msg_create_from_long_data(imc_attestation, state, connection_id,
+								src_imv_id, dst_imc_id, msg_vid, msg_subtype,
+								chunk_create(msg, msg_len));
+	result =receive_message(state, in_msg);
+	in_msg->destroy(in_msg);
+
+	return result;
 }
 
 /**
diff --git a/src/libpts/plugins/imc_attestation/imc_attestation_process.c b/src/libpts/plugins/imc_attestation/imc_attestation_process.c
index bd2fa649d..88d24dd88 100644
--- a/src/libpts/plugins/imc_attestation/imc_attestation_process.c
+++ b/src/libpts/plugins/imc_attestation/imc_attestation_process.c
@@ -43,12 +43,12 @@
 #include <tcg/tcg_pts_attr_req_file_meta.h>
 #include <tcg/tcg_pts_attr_unix_file_meta.h>
 
-#include <debug.h>
+#include <utils/debug.h>
 #include <utils/lexparser.h>
 
 #define DEFAULT_NONCE_LEN		20
 
-bool imc_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list,
+bool imc_attestation_process(pa_tnc_attr_t *attr, imc_msg_t *msg,
 							 imc_attestation_state_t *attestation_state,
 							 pts_meas_algorithms_t supported_algorithms,
 							 pts_dh_group_t supported_dh_groups)
@@ -76,7 +76,7 @@ bool imc_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list,
 
 			/* Send PTS Protocol Capabilities attribute */
 			attr = tcg_pts_attr_proto_caps_create(imc_caps & imv_caps, FALSE);
-			attr_list->insert_last(attr_list, attr);
+			msg->add_attribute(msg, attr);
 			break;
 		}
 		case TCG_PTS_MEAS_ALGO:
@@ -91,14 +91,14 @@ bool imc_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list,
 			if (selected_algorithm == PTS_MEAS_ALGO_NONE)
 			{
 				attr = pts_hash_alg_error_create(supported_algorithms);
-				attr_list->insert_last(attr_list, attr);
+				msg->add_attribute(msg, attr);
 				break;
 			}
 
 			/* Send Measurement Algorithm Selection attribute */
 			pts->set_meas_algorithm(pts, selected_algorithm);
 			attr = tcg_pts_attr_meas_algo_create(selected_algorithm, TRUE);
-			attr_list->insert_last(attr_list, attr);
+			msg->add_attribute(msg, attr);
 			break;
 		}
 		case TCG_PTS_DH_NONCE_PARAMS_REQ:
@@ -118,7 +118,7 @@ bool imc_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list,
 				(min_nonce_len > 0 && nonce_len < min_nonce_len))
 			{
 				attr = pts_dh_nonce_error_create(nonce_len, PTS_MAX_NONCE_LEN);
-				attr_list->insert_last(attr_list, attr);
+				msg->add_attribute(msg, attr);
 				break;
 			}
 
@@ -128,7 +128,7 @@ bool imc_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list,
 			if (selected_dh_group == PTS_DH_GROUP_NONE)
 			{
 				attr = pts_dh_group_error_create(supported_dh_groups);
-				attr_list->insert_last(attr_list, attr);
+				msg->add_attribute(msg, attr);
 				break;
 			}
 
@@ -142,7 +142,7 @@ bool imc_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list,
 			/* Send DH Nonce Parameters Response attribute */
 			attr = tcg_pts_attr_dh_nonce_params_resp_create(selected_dh_group,
 					 supported_algorithms, responder_nonce, responder_value);
-			attr_list->insert_last(attr_list, attr);
+			msg->add_attribute(msg, attr);
 			break;
 		}
 		case TCG_PTS_DH_NONCE_FINISH:
@@ -173,7 +173,7 @@ bool imc_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list,
 							  "have differing lengths");
 				return FALSE;
 			}
-					
+
 			pts->set_peer_public_value(pts, initiator_value, initiator_nonce);
 			if (!pts->calculate_secret(pts))
 			{
@@ -190,13 +190,13 @@ bool imc_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list,
 			{
 				attr_info = attr->get_value(attr);
 				attr = ietf_attr_pa_tnc_error_create(error_code, attr_info);
-				attr_list->insert_last(attr_list, attr);
+				msg->add_attribute(msg, attr);
 				break;
 			}
 
 			/* Send TPM Version Info attribute */
 			attr = tcg_pts_attr_tpm_version_info_create(tpm_version_info);
-			attr_list->insert_last(attr_list, attr);
+			msg->add_attribute(msg, attr);
 			break;
 		}
 		case TCG_PTS_GET_AIK:
@@ -212,7 +212,7 @@ bool imc_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list,
 
 			/* Send AIK attribute */
 			attr = tcg_pts_attr_aik_create(aik);
-			attr_list->insert_last(attr_list, attr);
+			msg->add_attribute(msg, attr);
 			break;
 		}
 		case TCG_PTS_REQ_FILE_MEAS:
@@ -237,7 +237,7 @@ bool imc_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list,
 			{
 				error_code = pen_type_create(PEN_TCG, pts_error);
 				attr = ietf_attr_pa_tnc_error_create(error_code, attr_info);
-				attr_list->insert_last(attr_list, attr);
+				msg->add_attribute(msg, attr);
 				break;
 			}
 			else if (!valid_path)
@@ -250,7 +250,7 @@ bool imc_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list,
 				error_code = pen_type_create(PEN_TCG,
 											 TCG_PTS_INVALID_DELIMITER);
 				attr = ietf_attr_pa_tnc_error_create(error_code, attr_info);
-				attr_list->insert_last(attr_list, attr);
+				msg->add_attribute(msg, attr);
 				break;
 			}
 
@@ -268,7 +268,7 @@ bool imc_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list,
 			}
 			attr = tcg_pts_attr_file_meas_create(measurements);
 			attr->set_noskip_flag(attr, TRUE);
-			attr_list->insert_last(attr_list, attr);
+			msg->add_attribute(msg, attr);
 			break;
 		}
 		case TCG_PTS_REQ_FILE_META:
@@ -291,7 +291,7 @@ bool imc_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list,
 			{
 				error_code = pen_type_create(PEN_TCG, pts_error);
 				attr = ietf_attr_pa_tnc_error_create(error_code, attr_info);
-				attr_list->insert_last(attr_list, attr);
+				msg->add_attribute(msg, attr);
 				break;
 			}
 			else if (!valid_path)
@@ -303,7 +303,7 @@ bool imc_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list,
 				error_code = pen_type_create(PEN_TCG,
 											 TCG_PTS_INVALID_DELIMITER);
 				attr = ietf_attr_pa_tnc_error_create(error_code, attr_info);
-				attr_list->insert_last(attr_list, attr);
+				msg->add_attribute(msg, attr);
 				break;
 			}
 			/* Get File Metadata and send them to PTS-IMV */
@@ -319,8 +319,7 @@ bool imc_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list,
 			}
 			attr = tcg_pts_attr_unix_file_meta_create(metadata);
 			attr->set_noskip_flag(attr, TRUE);
-			attr_list->insert_last(attr_list, attr);
-
+			msg->add_attribute(msg, attr);
 			break;
 		}
 		case TCG_PTS_REQ_FUNC_COMP_EVID:
@@ -335,7 +334,7 @@ bool imc_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list,
 			u_int8_t flags;
 			status_t status;
 			enumerator_t *e;
-			
+
 			attr_info = attr->get_value(attr);
 			attr_cast = (tcg_pts_attr_req_func_comp_evid_t*)attr;
 
@@ -351,9 +350,9 @@ bool imc_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list,
 				if (flags & PTS_REQ_FUNC_COMP_EVID_TTC)
 				{
 					error_code = pen_type_create(PEN_TCG,
-												 TCG_PTS_UNABLE_DET_TTC); 
+												 TCG_PTS_UNABLE_DET_TTC);
 					attr = ietf_attr_pa_tnc_error_create(error_code, attr_info);
-					attr_list->insert_last(attr_list, attr);
+					msg->add_attribute(msg, attr);
 					break;
 				}
 				if (flags & PTS_REQ_FUNC_COMP_EVID_VER &&
@@ -362,7 +361,7 @@ bool imc_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list,
 					error_code = pen_type_create(PEN_TCG,
 												 TCG_PTS_UNABLE_LOCAL_VAL);
 					attr = ietf_attr_pa_tnc_error_create(error_code, attr_info);
-					attr_list->insert_last(attr_list, attr);
+					msg->add_attribute(msg, attr);
 					break;
 				}
 				if (flags & PTS_REQ_FUNC_COMP_EVID_CURR &&
@@ -371,7 +370,7 @@ bool imc_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list,
 					error_code = pen_type_create(PEN_TCG,
 												 TCG_PTS_UNABLE_CUR_EVID);
 					attr = ietf_attr_pa_tnc_error_create(error_code, attr_info);
-					attr_list->insert_last(attr_list, attr);
+					msg->add_attribute(msg, attr);
 					break;
 				}
 				if (flags & PTS_REQ_FUNC_COMP_EVID_PCR &&
@@ -380,7 +379,7 @@ bool imc_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list,
 					error_code = pen_type_create(PEN_TCG,
 												 TCG_PTS_UNABLE_DET_PCR);
 					attr = ietf_attr_pa_tnc_error_create(error_code, attr_info);
-					attr_list->insert_last(attr_list, attr);
+					msg->add_attribute(msg, attr);
 					break;
 				}
 				if (depth > 0)
@@ -425,7 +424,7 @@ bool imc_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list,
 			while (attestation_state->next_evidence(attestation_state, &evid))
 			{
 				attr = tcg_pts_attr_simple_comp_evid_create(evid);
-				attr_list->insert_last(attr_list, attr);
+				msg->add_attribute(msg, attr);
 			}
 
 			use_quote2 = lib->settings->get_bool(lib->settings,
@@ -443,7 +442,7 @@ bool imc_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list,
 
 			attr = tcg_pts_attr_simple_evid_final_create(flags,
 								comp_hash_algorithm, pcr_composite, quote_sig);
-			attr_list->insert_last(attr_list, attr);
+			msg->add_attribute(msg, attr);
 			break;
 		}
 		/* TODO: Not implemented yet */
diff --git a/src/libpts/plugins/imc_attestation/imc_attestation_process.h b/src/libpts/plugins/imc_attestation/imc_attestation_process.h
index b6dca1f56..5ada104fa 100644
--- a/src/libpts/plugins/imc_attestation/imc_attestation_process.h
+++ b/src/libpts/plugins/imc_attestation/imc_attestation_process.h
@@ -26,6 +26,7 @@
 
 #include <library.h>
 
+#include <imc/imc_msg.h>
 #include <pa_tnc/pa_tnc_attr.h>
 
 #include <pts/pts_dh_group.h>
@@ -35,13 +36,13 @@
  * Process a TCG PTS attribute
  *
  * @param attr					PA-TNC attribute to be processed
- * @param attr_list				list with PA-TNC error attributes
+ * @param msg					outbound PA-TNC message to be assembled
  * @param attestation_state		attestation state of a given connection
  * @param supported_algorithms	supported PTS measurement algorithms
  * @param supported_dh_groups	supported DH groups
  * @return						TRUE if successful
  */
-bool imc_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list,
+bool imc_attestation_process(pa_tnc_attr_t *attr, imc_msg_t *msg,
 							 imc_attestation_state_t *attestation_state,
 							 pts_meas_algorithms_t supported_algorithms,
 							 pts_dh_group_t supported_dh_groups);
diff --git a/src/libpts/plugins/imc_attestation/imc_attestation_state.c b/src/libpts/plugins/imc_attestation/imc_attestation_state.c
index 8ebabafa2..4fcbdfa8a 100644
--- a/src/libpts/plugins/imc_attestation/imc_attestation_state.c
+++ b/src/libpts/plugins/imc_attestation/imc_attestation_state.c
@@ -19,8 +19,8 @@
 
 #include <tncif_names.h>
 
-#include <utils/linked_list.h>
-#include <debug.h>
+#include <collections/linked_list.h>
+#include <utils/debug.h>
 
 typedef struct private_imc_attestation_state_t private_imc_attestation_state_t;
 typedef struct func_comp_t func_comp_t;
@@ -129,8 +129,6 @@ METHOD(imc_state_t, set_result, void,
 	private_imc_attestation_state_t *this, TNC_IMCID id,
 	TNC_IMV_Evaluation_Result result)
 {
-	DBG1(DBG_IMC, "set assessment result for IMC %u to '%N'",
-		 id, TNC_IMV_Evaluation_Result_names, result);
 	this->result = result;
 }
 
@@ -212,7 +210,6 @@ METHOD(imc_attestation_state_t, next_evidence, bool,
 imc_state_t *imc_attestation_state_create(TNC_ConnectionID connection_id)
 {
 	private_imc_attestation_state_t *this;
-	char *platform_info;
 
 	INIT(this,
 		.public = {
@@ -241,13 +238,6 @@ imc_state_t *imc_attestation_state_create(TNC_ConnectionID connection_id)
 		.list = linked_list_create(),
 	);
 
-	platform_info = lib->settings->get_str(lib->settings,
-						 "libimcv.plugins.imc-attestation.platform_info", NULL);
-	if (platform_info)
-	{
-		this->pts->set_platform_info(this->pts, platform_info);
-	}
-	
 	return &this->public.interface;
 }
 
diff --git a/src/libpts/plugins/imv_attestation/Makefile.in b/src/libpts/plugins/imv_attestation/Makefile.in
index afb4abed7..59ef5311e 100644
--- a/src/libpts/plugins/imv_attestation/Makefile.in
+++ b/src/libpts/plugins/imv_attestation/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -75,6 +75,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
 am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
 am__installdirs = "$(DESTDIR)$(imcvdir)" "$(DESTDIR)$(ipsecdir)"
 LTLIBRARIES = $(imcv_LTLIBRARIES)
 imv_attestation_la_DEPENDENCIES =  \
@@ -132,6 +138,7 @@ CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -159,6 +166,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -186,6 +194,7 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
@@ -198,6 +207,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -251,7 +261,6 @@ libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -393,7 +402,7 @@ clean-imcvLTLIBRARIES:
 	  echo "rm -f \"$${dir}/so_locations\""; \
 	  rm -f "$${dir}/so_locations"; \
 	done
-imv-attestation.la: $(imv_attestation_la_OBJECTS) $(imv_attestation_la_DEPENDENCIES) 
+imv-attestation.la: $(imv_attestation_la_OBJECTS) $(imv_attestation_la_DEPENDENCIES) $(EXTRA_imv_attestation_la_DEPENDENCIES) 
 	$(imv_attestation_la_LINK) -rpath $(imcvdir) $(imv_attestation_la_OBJECTS) $(imv_attestation_la_LIBADD) $(LIBS)
 install-ipsecPROGRAMS: $(ipsec_PROGRAMS)
 	@$(NORMAL_INSTALL)
@@ -438,7 +447,7 @@ clean-ipsecPROGRAMS:
 	list=`for p in $$list; do echo "$$p"; done | sed 's/$(EXEEXT)$$//'`; \
 	echo " rm -f" $$list; \
 	rm -f $$list
-attest$(EXEEXT): $(attest_OBJECTS) $(attest_DEPENDENCIES) 
+attest$(EXEEXT): $(attest_OBJECTS) $(attest_DEPENDENCIES) $(EXTRA_attest_DEPENDENCIES) 
 	@rm -f attest$(EXEEXT)
 	$(LINK) $(attest_OBJECTS) $(attest_LDADD) $(LIBS)
 
@@ -582,10 +591,15 @@ install-am: all-am
 
 installcheck: installcheck-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
diff --git a/src/libpts/plugins/imv_attestation/attest.c b/src/libpts/plugins/imv_attestation/attest.c
index a202d128f..1cdacaeeb 100644
--- a/src/libpts/plugins/imv_attestation/attest.c
+++ b/src/libpts/plugins/imv_attestation/attest.c
@@ -22,7 +22,7 @@
 #include <syslog.h>
 
 #include <library.h>
-#include <debug.h>
+#include <utils/debug.h>
 
 #include <imcv.h>
 #include <libpts.h>
@@ -99,9 +99,11 @@ static void do_args(int argc, char *argv[])
 		OP_USAGE,
 		OP_KEYS,
 		OP_COMPONENTS,
+		OP_DEVICES,
 		OP_FILES,
 		OP_HASHES,
 		OP_MEASUREMENTS,
+		OP_PACKAGES,
 		OP_PRODUCTS,
 		OP_ADD,
 		OP_DEL,
@@ -117,8 +119,10 @@ static void do_args(int argc, char *argv[])
 		struct option long_opts[] = {
 			{ "help", no_argument, NULL, 'h' },
 			{ "components", no_argument, NULL, 'c' },
+			{ "devices", no_argument, NULL, 'e' },
 			{ "files", no_argument, NULL, 'f' },
 			{ "keys", no_argument, NULL, 'k' },
+			{ "packages", no_argument, NULL, 'g' },
 			{ "products", no_argument, NULL, 'p' },
 			{ "hashes", no_argument, NULL, 'H' },
 			{ "measurements", no_argument, NULL, 'm' },
@@ -126,12 +130,14 @@ static void do_args(int argc, char *argv[])
 			{ "delete", no_argument, NULL, 'd' },
 			{ "del", no_argument, NULL, 'd' },
 			{ "aik", required_argument, NULL, 'A' },
+			{ "blacklist", no_argument, NULL, 'B' },
 			{ "component", required_argument, NULL, 'C' },
 			{ "comp", required_argument, NULL, 'C' },
 			{ "directory", required_argument, NULL, 'D' },
 			{ "dir", required_argument, NULL, 'D' },
 			{ "file", required_argument, NULL, 'F' },
 			{ "sha1-ima", no_argument, NULL, 'I' },
+			{ "package", required_argument, NULL, 'G' },
 			{ "key", required_argument, NULL, 'K' },
 			{ "owner", required_argument, NULL, 'O' },
 			{ "product", required_argument, NULL, 'P' },
@@ -139,6 +145,9 @@ static void do_args(int argc, char *argv[])
 			{ "rel", no_argument, NULL, 'R' },
 			{ "sequence", required_argument, NULL, 'S' },
 			{ "seq", required_argument, NULL, 'S' },
+			{ "utc", no_argument, NULL, 'U' },
+			{ "version", required_argument, NULL, 'V' },
+			{ "security", no_argument, NULL, 'Y' },
 			{ "sha1", no_argument, NULL, '1' },
 			{ "sha256", no_argument, NULL, '2' },
 			{ "sha384", no_argument, NULL, '3' },
@@ -147,6 +156,7 @@ static void do_args(int argc, char *argv[])
 			{ "pid", required_argument, NULL, '6' },
 			{ "cid", required_argument, NULL, '7' },
 			{ "kid", required_argument, NULL, '8' },
+			{ "gid", required_argument, NULL, '9' },
 			{ 0,0,0,0 }
 		};
 
@@ -161,9 +171,15 @@ static void do_args(int argc, char *argv[])
 			case 'c':
 				op = OP_COMPONENTS;
 				continue;
+			case 'e':
+				op = OP_DEVICES;
+				continue;
 			case 'f':
 				op = OP_FILES;
 				continue;
+			case 'g':
+				op = OP_PACKAGES;
+				continue;
 			case 'k':
 				op = OP_KEYS;
 				continue;
@@ -219,6 +235,9 @@ static void do_args(int argc, char *argv[])
 				}
 				continue;
 			}
+			case 'B':
+				attest->set_security(attest, OS_PACKAGE_STATE_BLACKLIST);
+				continue;
 			case 'C':
 				if (!attest->set_component(attest, optarg, op == OP_ADD))
 				{
@@ -237,6 +256,12 @@ static void do_args(int argc, char *argv[])
 					exit(EXIT_FAILURE);
 				}
 				continue;
+			case 'G':
+				if (!attest->set_package(attest, optarg, op == OP_ADD))
+				{
+					exit(EXIT_FAILURE);
+				}
+				continue;
 			case 'I':
 				attest->set_algo(attest, PTS_MEAS_ALGO_SHA1_IMA);
 				continue;
@@ -266,6 +291,18 @@ static void do_args(int argc, char *argv[])
 			case 'S':
 				attest->set_sequence(attest, atoi(optarg));
 				continue;
+			case 'U':
+				attest->set_utc(attest);
+				continue;
+			case 'V':
+				if (!attest->set_version(attest, optarg))
+				{
+					exit(EXIT_FAILURE);
+				}
+				continue;
+			case 'Y':
+				attest->set_security(attest, OS_PACKAGE_STATE_SECURITY);
+				continue;
 			case '1':
 				attest->set_algo(attest, PTS_MEAS_ALGO_SHA1);
 				continue;
@@ -305,6 +342,12 @@ static void do_args(int argc, char *argv[])
 					exit(EXIT_FAILURE);
 				}
 				continue;
+			case '9':
+				if (!attest->set_gid(attest, atoi(optarg)))
+				{
+					exit(EXIT_FAILURE);
+				}
+				continue;
 		}
 		break;
 	}
@@ -314,6 +357,9 @@ static void do_args(int argc, char *argv[])
 		case OP_USAGE:
 			usage();
 			break;
+		case OP_PACKAGES:
+			attest->list_packages(attest);
+			break;
 		case OP_PRODUCTS:
 			attest->list_products(attest);
 			break;
@@ -323,6 +369,9 @@ static void do_args(int argc, char *argv[])
 		case OP_COMPONENTS:
 			attest->list_components(attest);
 			break;
+		case OP_DEVICES:
+			attest->list_devices(attest);
+			break;
 		case OP_FILES:
 			attest->list_files(attest);
 			break;
diff --git a/src/libpts/plugins/imv_attestation/attest_db.c b/src/libpts/plugins/imv_attestation/attest_db.c
index 55afbf701..91e9766d0 100644
--- a/src/libpts/plugins/imv_attestation/attest_db.c
+++ b/src/libpts/plugins/imv_attestation/attest_db.c
@@ -21,6 +21,7 @@
 #include "pts/components/pts_comp_func_name.h"
 
 #include <libgen.h>
+#include <time.h>
 
 #define IMA_MAX_NAME_LEN	255
 
@@ -96,6 +97,21 @@ struct private_attest_db_t {
 	 */
 	bool key_set;
 
+	/**
+	 * Software package to be queried
+	 */
+	char *package;
+
+	/**
+	 * Primary key of software package to be queried
+	 */
+	int gid;
+
+	/**
+	 * TRUE if package has been set
+	 */
+	bool package_set;
+
 	/**
 	 * Software product to be queried
 	 */
@@ -111,11 +127,31 @@ struct private_attest_db_t {
 	 */
 	bool product_set;
 
+	/**
+	 * Software package version to be queried
+	 */
+	char *version;
+
+	/**
+	 * TRUE if version has been set
+	 */
+	bool version_set;
+
 	/**
 	 * TRUE if relative filenames are to be used
 	 */
 	bool relative;
 
+	/**
+	 * TRUE if dates are to be displayed in UTC
+	 */
+	bool utc;
+
+	/**
+	 * Package security state
+	 */
+	os_package_state_t security;
+
 	/**
 	 * Sequence number for ordering entries
 	 */
@@ -588,6 +624,96 @@ METHOD(attest_db_t, set_pid, bool,
 	return this->product_set;
 }
 
+METHOD(attest_db_t, set_package, bool,
+	private_attest_db_t *this, char *package, bool create)
+{
+	enumerator_t *e;
+
+	if (this->package_set)
+	{
+		printf("package has already been set\n");
+		return FALSE;
+	}
+	this->package = strdup(package);
+
+	e = this->db->query(this->db, "SELECT id FROM packages WHERE name = ?",
+						DB_TEXT, package, DB_INT);
+	if (e)
+	{
+		if (e->enumerate(e, &this->gid))
+		{
+			this->package_set = TRUE;
+		}
+		e->destroy(e);
+	}
+	if (this->package_set)
+	{
+		return TRUE;
+	}
+
+	if (!create)
+	{
+		printf("package '%s' not found in database\n", package);
+		return FALSE;
+	}
+
+	/* Add a new database entry */
+	this->package_set = this->db->execute(this->db, &this->gid,
+									"INSERT INTO packages (name) VALUES (?)",
+									DB_TEXT, package) == 1;
+
+	printf("package '%s' %sinserted into database\n", package,
+		   this->package_set ? "" : "could not be ");
+
+	return this->package_set;
+}
+
+METHOD(attest_db_t, set_gid, bool,
+	private_attest_db_t *this, int gid)
+{
+	enumerator_t *e;
+	char *package;
+
+	if (this->package_set)
+	{
+		printf("package has already been set\n");
+		return FALSE;
+	}
+	this->gid = gid;
+
+	e = this->db->query(this->db, "SELECT name FROM packages WHERE id = ?",
+						DB_UINT, gid, DB_TEXT);
+	if (e)
+	{
+		if (e->enumerate(e, &package))
+		{
+			this->package = strdup(package);
+			this->package_set = TRUE;
+		}
+		else
+		{
+			printf("no package found with gid %d in database\n", gid);
+		}
+		e->destroy(e);
+	}
+	return this->package_set;
+}
+
+METHOD(attest_db_t, set_version, bool,
+	private_attest_db_t *this, char *version)
+{
+	if (this->version_set)
+	{
+		printf("version has already been set\n");
+		return FALSE;
+	}
+	this->version = strdup(version);
+	this->version_set = TRUE;
+
+	return TRUE;
+}
+
+
 METHOD(attest_db_t, set_algo, void,
 	private_attest_db_t *this, pts_meas_algorithms_t algo)
 {
@@ -600,6 +726,12 @@ METHOD(attest_db_t, set_relative, void,
 	this->relative = TRUE;
 }
 
+METHOD(attest_db_t, set_security, void,
+	private_attest_db_t *this, os_package_state_t security)
+{
+	this->security = security;
+}
+
 METHOD(attest_db_t, set_sequence, void,
 	private_attest_db_t *this, int seq_no)
 {
@@ -613,6 +745,12 @@ METHOD(attest_db_t, set_owner, void,
 	this->owner = strdup(owner);
 }
 
+METHOD(attest_db_t, set_utc, void,
+	private_attest_db_t *this)
+{
+	this->utc = TRUE;
+}
+
 METHOD(attest_db_t, list_components, void,
 	private_attest_db_t *this)
 {
@@ -663,6 +801,46 @@ METHOD(attest_db_t, list_components, void,
 	}
 }
 
+METHOD(attest_db_t, list_devices, void,
+	private_attest_db_t *this)
+{
+	enumerator_t *e;
+	chunk_t value;
+	char *product;
+	time_t timestamp;
+	int id, last_id = 0, device_count = 0;
+	int count, count_update, count_blacklist;
+	u_int tstamp, flags = 0;
+
+	e = this->db->query(this->db,
+			"SELECT d.id, d.value, i.time, i.count, i.count_update, "
+			"i.count_blacklist, i.flags, p.name FROM devices AS d "
+			"JOIN device_infos AS i ON d.id = i.device "
+			"JOIN products AS p ON p.id = i.product "
+			"ORDER BY d.value, i.time DESC",
+			 DB_INT, DB_BLOB, DB_UINT, DB_INT, DB_INT, DB_INT, DB_UINT, DB_TEXT);
+
+	if (e)
+	{
+		while (e->enumerate(e, &id, &value, &tstamp, &count, &count_update,
+							   &count_blacklist, &flags, &product))
+		{
+			if (id != last_id)
+			{
+				printf("%4d: %.*s\n", id, (int)value.len, value.ptr);
+				device_count++;
+				last_id = id;
+			}
+			timestamp = tstamp;
+			printf("      %T, %4d, %3d, %3d, %1u, '%s'\n", &timestamp, this->utc,
+				   count, count_update, count_blacklist, flags, product);
+		}
+		e->destroy(e);
+		printf("%d device%s found\n", device_count,
+									 (device_count == 1) ? "" : "s");
+	}
+}
+
 METHOD(attest_db_t, list_keys, void,
 	private_attest_db_t *this)
 {
@@ -765,6 +943,70 @@ METHOD(attest_db_t, list_files, void,
 	printf("\n");
 }
 
+METHOD(attest_db_t, list_packages, void,
+	private_attest_db_t *this)
+{
+	enumerator_t *e;
+	char *package, *version;
+	os_package_state_t security;
+	int gid, gid_old = 0, spaces, count = 0;
+	time_t t;
+
+	if (this->pid)
+	{
+		e = this->db->query(this->db,
+				"SELECT p.id, p.name, v.release, v.security, v.time "
+				"FROM packages AS p JOIN versions AS v ON v.package = p.id "
+				"WHERE v.product = ? ORDER BY p.name, v.release",
+				DB_INT, this->pid, DB_INT, DB_TEXT, DB_TEXT, DB_INT, DB_INT);
+		if (e)
+		{
+			while (e->enumerate(e, &gid, &package, &version, &security, &t))
+			{
+				if (gid != gid_old)
+				{
+					printf("%5d: %s,", gid, package);
+					gid_old = gid;
+				}
+				else
+				{
+					spaces = 8 + strlen(package);
+					while (spaces--)
+					{
+						printf(" ");
+					}
+				}
+				printf(" %T (%s)%N\n", &t, this->utc, version,
+					 os_package_state_names, security);
+				count++;
+			}
+			e->destroy(e);
+		}
+	}
+	else
+	{
+		e = this->db->query(this->db, "SELECT id, name FROM packages "
+				"ORDER BY name",
+				DB_INT, DB_TEXT);
+		if (e)
+		{
+			while (e->enumerate(e, &gid, &package))
+			{
+				printf("%4d: %s\n", gid, package);
+				count++;
+			}
+			e->destroy(e);
+		}
+	}
+
+	printf("%d package%s found", count, (count == 1) ? "" : "s");
+	if (this->product_set)
+	{
+		printf(" for product '%s'", this->product);
+	}
+	printf("\n");
+}
+
 METHOD(attest_db_t, list_products, void,
 	private_attest_db_t *this)
 {
@@ -858,7 +1100,7 @@ METHOD(attest_db_t, list_hashes, void,
 
 	dir = strdup("");
 
-	if (this->pid && this->fid)
+	if (this->pid && this->fid & this->did)
 	{
 		e = this->db->query(this->db,
 				"SELECT hash FROM file_hashes "
@@ -885,6 +1127,32 @@ METHOD(attest_db_t, list_hashes, void,
 				   (count == 1) ? "" : "s", this->product);
 		}
 	}
+	else if (this->pid && this->fid)
+	{
+		e = this->db->query(this->db,
+				"SELECT f.path, fh.hash FROM file_hashes AS fh "
+				"JOIN files AS f ON f.id = fh.file "
+				"WHERE algo = ? AND file = ? AND product = ?",
+				DB_INT, this->algo, DB_INT, this->fid, DB_INT, this->pid,
+				DB_TEXT, DB_BLOB);
+		if (e)
+		{
+			free(dir);
+			while (e->enumerate(e, &dir, &hash))
+			{
+				printf("%4d: %s%s%s\n", this->fid, dir,
+						   slash(dir, this->file) ? "/" : "", this->file);
+				printf("      %#B\n", &hash);
+				count++;
+			}
+			e->destroy(e);
+
+			printf("%d %N value%s found for product '%s'\n", count,
+				   pts_meas_algorithm_names, this->algo,
+				   (count == 1) ? "" : "s", this->product);
+			dir = NULL;
+		}
+	}
 	else if (this->pid)
 	{
 		e = this->db->query(this->db,
@@ -1089,7 +1357,7 @@ METHOD(attest_db_t, list_measurements, void,
 
 bool insert_file_hash(private_attest_db_t *this, pts_meas_algorithms_t algo,
 					  chunk_t measurement, int fid, int did, bool ima,
-					  int *hashes_added)
+					  int *hashes_added, int *hashes_updated)
 {
 	enumerator_t *e;
 	chunk_t hash;
@@ -1108,8 +1376,22 @@ bool insert_file_hash(private_attest_db_t *this, pts_meas_algorithms_t algo,
 	}
 	if (e->enumerate(e, &hash))
 	{
-		label = chunk_equals(measurement, hash) ?
-				"exists and equals" : "exists and differs";
+		if (chunk_equals(measurement, hash))
+		{
+			label = "exists and equals";
+		}
+		else
+		{
+			if (this->db->execute(this->db, NULL,
+				"UPDATE file_hashes SET hash = ? WHERE algo = ? "
+				"AND file = ? AND directory = ? AND product = ? and key = 0",
+				DB_BLOB, measurement, DB_INT, algo, DB_UINT, fid, DB_UINT, did,
+				DB_UINT, this->pid) == 1)
+			{
+				label = "updated";
+				(*hashes_updated)++;
+			}
+		}
 	}
 	else
 	{
@@ -1161,7 +1443,8 @@ METHOD(attest_db_t, add, bool,
 		hasher_t *hasher = NULL;
 		bool ima = FALSE;
 		int fid, did;
-		int files_added = 0, hashes_added = 0, ima_hashes_added = 0;
+		int files_added = 0, hashes_added = 0, hashes_updated = 0;
+		int ima_hashes_added = 0, ima_hashes_updated = 0;
 		enumerator_t *enumerator, *e;
 
 		if (this->algo == PTS_MEAS_ALGO_SHA1_IMA)
@@ -1225,7 +1508,8 @@ METHOD(attest_db_t, add, bool,
 
 			/* compute file measurement hash */
 			if (!insert_file_hash(this, this->algo, measurement,
-								  fid, did, FALSE, &hashes_added))
+								  fid, did, FALSE,
+								  &hashes_added, &hashes_updated))
 			{
 				break;
 			}
@@ -1246,25 +1530,49 @@ METHOD(attest_db_t, add, bool,
 				break;
 			}
 			if (!insert_file_hash(this, PTS_MEAS_ALGO_SHA1_IMA, measurement,
-								  fid, did, TRUE, &ima_hashes_added))
+								  fid, did, TRUE,
+								  &ima_hashes_added, &ima_hashes_updated))
 			{
 				break;
 			}
 		}
 		enumerator->destroy(enumerator);
 
-		printf("%d measurements, added %d new files, %d new file hashes",
-			    measurements->get_file_count(measurements),
-			    files_added, hashes_added);
+		printf("%d measurements, added %d new files, %d file hashes",
+			    measurements->get_file_count(measurements), files_added,
+				hashes_added);
 		if (ima)
 		{
-			printf(" , %d new ima hashes", ima_hashes_added);
+			printf(", %d ima hashes", ima_hashes_added);
 			hasher->destroy(hasher);
 		}
+		printf(", updated %d file hashes", hashes_updated);
+		if (ima)
+		{
+			printf(", %d ima hashes", ima_hashes_updated);
+		}
 		printf("\n");
 		measurements->destroy(measurements);
 		success = TRUE;
 	}
+
+	/* insert package version */
+	if (this->version_set && this->gid && this->pid)
+	{
+		time_t t = time(NULL);
+
+		success = this->db->execute(this->db, NULL,
+					"INSERT INTO versions "
+					"(package, product, release, security, time) "
+					"VALUES (?, ?, ?, ?, ?)",
+					DB_UINT, this->gid, DB_UINT, this->pid, DB_TEXT,
+					this->version, DB_UINT, this->security, DB_INT, t) == 1;
+
+		printf("'%s' package %s (%s)%N %sinserted into database\n",
+				this->product, this->package, this->version,
+				os_package_state_names, this->security,
+				success ? "" : "could not be ");
+	}
 	return success;
 }
 
@@ -1384,7 +1692,9 @@ METHOD(attest_db_t, destroy, void,
 {
 	DESTROY_IF(this->db);
 	DESTROY_IF(this->cfn);
+	free(this->package);
 	free(this->product);
+	free(this->version);
 	free(this->file);
 	free(this->dir);
 	free(this->owner);
@@ -1409,15 +1719,22 @@ attest_db_t *attest_db_create(char *uri)
 			.set_fid = _set_fid,
 			.set_key = _set_key,
 			.set_kid = _set_kid,
+			.set_package = _set_package,
+			.set_gid = _set_gid,
 			.set_product = _set_product,
 			.set_pid = _set_pid,
+			.set_version = _set_version,
 			.set_algo = _set_algo,
 			.set_relative = _set_relative,
+			.set_security = _set_security,
 			.set_sequence = _set_sequence,
 			.set_owner = _set_owner,
+			.set_utc = _set_utc,
+			.list_packages = _list_packages,
 			.list_products = _list_products,
 			.list_files = _list_files,
 			.list_components = _list_components,
+			.list_devices = _list_devices,
 			.list_keys = _list_keys,
 			.list_hashes = _list_hashes,
 			.list_measurements = _list_measurements,
diff --git a/src/libpts/plugins/imv_attestation/attest_db.h b/src/libpts/plugins/imv_attestation/attest_db.h
index e32a368d8..e2297d0c4 100644
--- a/src/libpts/plugins/imv_attestation/attest_db.h
+++ b/src/libpts/plugins/imv_attestation/attest_db.h
@@ -23,7 +23,7 @@
 #define ATTEST_DB_H_
 
 #include <pts/pts_meas_algo.h>
-
+#include <os_info/os_info.h>
 #include <library.h>
 
 typedef struct attest_db_t attest_db_t;
@@ -101,6 +101,23 @@ struct attest_db_t {
 	 */
 	bool (*set_kid)(attest_db_t *this, int kid);
 
+	/**
+	 * Set software package to be queried
+	 *
+	 * @param product		software package
+	 * @param create		if TRUE create database entry if it doesn't exist
+	 * @return				TRUE if successful
+	 */
+	bool (*set_package)(attest_db_t *this, char *package, bool create);
+
+	/**
+	 * Set primary key of the software package to be queried
+	 *
+	 * @param gid			primary key of software package
+	 * @return				TRUE if successful
+	 */
+	bool (*set_gid)(attest_db_t *this, int gid);
+
 	/**
 	 * Set software product to be queried
 	 *
@@ -118,6 +135,14 @@ struct attest_db_t {
 	 */
 	bool (*set_pid)(attest_db_t *this, int pid);
 
+	/**
+	 * Set software package version to be queried
+	 *
+	 * @param version		software package version
+	 * @return				TRUE if successful
+	 */
+	bool (*set_version)(attest_db_t *this, char *version);
+
 	/**
 	 * Set measurement hash algorithm
 	 *
@@ -135,6 +160,11 @@ struct attest_db_t {
 	 */
 	void (*set_relative)(attest_db_t *this);
 
+	/**
+	 * Set the package security state
+	 */
+	void (*set_security)(attest_db_t *this, os_package_state_t security);
+
 	/**
 	 * Set the sequence number
 	 */
@@ -148,6 +178,16 @@ struct attest_db_t {
 	 */
 	void (*set_owner)(attest_db_t *this, char *owner);
 
+	/**
+	 * Display all dates in UTC
+	 */
+	void (*set_utc)(attest_db_t *this);
+
+	/**
+	 * List all packages stored in the database
+	 */
+	void (*list_packages)(attest_db_t *this);
+
 	/**
 	 * List all products stored in the database
 	 */
@@ -163,6 +203,11 @@ struct attest_db_t {
 	 */
 	void (*list_components)(attest_db_t *this);
 
+	/**
+	 * List all devices stored in the database
+	 */
+	void (*list_devices)(attest_db_t *this);
+
 	/**
 	 * List all AIKs stored in the database
 	 */
diff --git a/src/libpts/plugins/imv_attestation/attest_usage.c b/src/libpts/plugins/imv_attestation/attest_usage.c
index f7040f7ad..324fcafc3 100644
--- a/src/libpts/plugins/imv_attestation/attest_usage.c
+++ b/src/libpts/plugins/imv_attestation/attest_usage.c
@@ -24,16 +24,19 @@ void usage(void)
 {
 	printf("\
 Usage:\n\
-  ipsec attest --files|--products|--keys|--hashes [options]\n\
+  ipsec attest --components|--devices|--files|--hashes|--keys [options]\n\
   \n\
-  ipsec attest --components|-keys|--measurements|--add|--del [options]\n\
+  ipsec attest --measurements|--packages|--products|--add|--del [options]\n\
   \n\
-  ipsec attest --files [--product <name>|--pid <id>]\n\
-    Show a list of files with a software product name or\n\
+  ipsec attest --components [--key <digest>|--kid <id>]\n\
+    Show a list of components with an AIK digest or\n\
     its primary key as an optional selector.\n\
   \n\
-  ipsec attest --products [--file <path>|--fid <id>]\n\
-    Show a list of supported software products with a file path or\n\
+  ipsec attest --devices [--utc]\n\
+    Show a list of registered devices and associated collected information\n\
+  \n\
+  ipsec attest --files [--product <name>|--pid <id>]\n\
+    Show a list of files with a software product name or\n\
     its primary key as an optional selector.\n\
   \n\
   ipsec attest --hashes [--sha1|--sha256|--sha384] [--product <name>|--pid <id>]\n\
@@ -44,10 +47,6 @@ Usage:\n\
     Show a list of measurement hashes for a given file or\n\
     its primary key as an optional selector.\n\
   \n\
-  ipsec attest --components [--key <digest>|--kid <id>]\n\
-    Show a list of components with an AIK digest or\n\
-    its primary key as an optional selector.\n\
-  \n\
   ipsec attest --keys [--components <cfn>|--cid <id>]\n\
     Show a list of AIK key digests with a component or\n\
     its primary key as an optional selector.\n\
@@ -60,6 +59,14 @@ Usage:\n\
     Show a list of component measurements for a given AIK or\n\
     its primary key as an optional selector.\n\
   \n\
+  ipsec attest --packages [--product <name>|--pid <id>] [--utc]\n\
+    Show a list of software packages for a given product or\n\
+    its primary key as an optional selector.\n\
+  \n\
+  ipsec attest --products [--file <path>|--fid <id>]\n\
+    Show a list of supported software products with a file path or\n\
+    its primary key as an optional selector.\n\
+  \n\
   ipsec attest --add --file <path>|--dir <path>|--product <name>|--component <cfn>\n\
     Add a file, directory, product or component entry\n\
     Component <cfn> entries must be of the form <vendor_id>/<name>-<qualifier>\n\
@@ -74,6 +81,10 @@ Usage:\n\
   ipsec attest --add --key <digest|--kid <id> --component <cfn>|--cid <id> --sequence <no>|--seq <no>\n\
     Add an ordered key/component entry\n\
   \n\
+  ipsec attest --add --package <name> --version <string> [--security|--blacklist]\n\
+              [--product <name>|--pid <id>]\n\
+    Add a package version for a given product optionally with security or blacklist flag\n\
+  \n\
   ipsec attest --del --file <path>|--fid <id>|--dir <path>|--did <id>\n\
     Delete a file or directory entry referenced either by value or primary key\n\
   \n\
diff --git a/src/libpts/plugins/imv_attestation/build-database.sh b/src/libpts/plugins/imv_attestation/build-database.sh
index a89258e1d..be1024de0 100755
--- a/src/libpts/plugins/imv_attestation/build-database.sh
+++ b/src/libpts/plugins/imv_attestation/build-database.sh
@@ -1,6 +1,6 @@
 #!/bin/sh
 
-p="Ubuntu 12.04.1 LTS i686"
+p="Ubuntu 12.04 i686"
 
 ipsec attest --add --product "$p" --sha1-ima --dir  /sbin 
 ipsec attest --add --product "$p" --sha1-ima --dir  /usr/sbin
diff --git a/src/libpts/plugins/imv_attestation/data.sql b/src/libpts/plugins/imv_attestation/data.sql
index b1646b724..60c312e30 100644
--- a/src/libpts/plugins/imv_attestation/data.sql
+++ b/src/libpts/plugins/imv_attestation/data.sql
@@ -51,7 +51,7 @@ INSERT INTO products (
 INSERT INTO products (
   name
 ) VALUES (
- 'Ubuntu 12.04.1 LTS i686'
+ 'Ubuntu 12.04 i686'
 );
 
 /* Files */
diff --git a/src/libpts/plugins/imv_attestation/imv_attestation.c b/src/libpts/plugins/imv_attestation/imv_attestation.c
index 201496e8a..3c5488eba 100644
--- a/src/libpts/plugins/imv_attestation/imv_attestation.c
+++ b/src/libpts/plugins/imv_attestation/imv_attestation.c
@@ -18,10 +18,11 @@
 #include "imv_attestation_build.h"
 
 #include <imv/imv_agent.h>
-#include <pa_tnc/pa_tnc_msg.h>
+#include <imv/imv_msg.h>
 #include <ietf/ietf_attr.h>
 #include <ietf/ietf_attr_pa_tnc_error.h>
 #include <ietf/ietf_attr_product_info.h>
+#include <ietf/ietf_attr_string_version.h>
 
 #include <libpts.h>
 
@@ -34,16 +35,18 @@
 #include <tncif_pa_subtypes.h>
 
 #include <pen/pen.h>
-#include <debug.h>
+#include <utils/debug.h>
 #include <credentials/credential_manager.h>
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
 
 /* IMV definitions */
 
 static const char imv_name[] = "Attestation";
 
-#define IMV_VENDOR_ID			PEN_TCG
-#define IMV_SUBTYPE				PA_SUBTYPE_TCG_PTS
+static pen_type_t msg_types[] = {
+	{ PEN_TCG,  PA_SUBTYPE_TCG_PTS },
+	{ PEN_IETF, PA_SUBTYPE_IETF_OPERATING_SYSTEM }
+};
 
 static imv_agent_t *imv_attestation;
 
@@ -92,7 +95,7 @@ TNC_Result TNC_IMV_Initialize(TNC_IMVID imv_id,
 	{
 		return TNC_RESULT_FATAL;
 	}
-	imv_attestation = imv_agent_create(imv_name, IMV_VENDOR_ID, IMV_SUBTYPE,
+	imv_attestation = imv_agent_create(imv_name, msg_types, countof(msg_types),
 									   imv_id, actual_version);
 	if (!imv_attestation)
 	{
@@ -100,7 +103,7 @@ TNC_Result TNC_IMV_Initialize(TNC_IMVID imv_id,
 	}
 
 	libpts_init();
-	
+
 	if (min_version > TNC_IFIMV_VERSION_1 || max_version < TNC_IFIMV_VERSION_1)
 	{
 		DBG1(DBG_IMV, "no common IF-IMV version");
@@ -166,133 +169,106 @@ TNC_Result TNC_IMV_NotifyConnectionChange(TNC_IMVID imv_id,
 	}
 }
 
-static TNC_Result send_message(TNC_ConnectionID connection_id)
+static TNC_Result send_message(imv_state_t *state, imv_msg_t *out_msg)
 {
-	linked_list_t *attr_list;
-	imv_state_t *state;
 	imv_attestation_state_t *attestation_state;
 	TNC_Result result;
 
-	if (!imv_attestation->get_state(imv_attestation, connection_id, &state))
-	{
-		return TNC_RESULT_FATAL;
-	}
 	attestation_state = (imv_attestation_state_t*)state;
-	attr_list = linked_list_create();
 
-	if (imv_attestation_build(attr_list, attestation_state, supported_algorithms,
+	if (imv_attestation_build(out_msg, attestation_state, supported_algorithms,
 							  supported_dh_groups, pts_db))
 	{
-		if (attr_list->get_count(attr_list))
-		{
-			result = imv_attestation->send_message(imv_attestation,
-							connection_id, FALSE, 0, TNC_IMCID_ANY,	attr_list);
-		}
-		else
-		{
-			result = TNC_RESULT_SUCCESS;
-		}
-		attr_list->destroy(attr_list);
+		result = out_msg->send(out_msg, TRUE);
 	}
 	else
 	{
-		attr_list->destroy_offset(attr_list, offsetof(pa_tnc_attr_t, destroy));
 		result = TNC_RESULT_FATAL;
 	}
 
 	return result;
 }
 
-static TNC_Result receive_message(TNC_IMVID imv_id,
-								  TNC_ConnectionID connection_id,
-								  TNC_UInt32 msg_flags,
-								  chunk_t msg,
-								  TNC_VendorID msg_vid,
-								  TNC_MessageSubtype msg_subtype,
-								  TNC_UInt32 src_imc_id,
-								  TNC_UInt32 dst_imv_id)
+static TNC_Result receive_message(imv_state_t *state, imv_msg_t *in_msg)
 {
-	pa_tnc_msg_t *pa_tnc_msg;
-	pa_tnc_attr_t *attr;
-	pen_type_t type;
-	linked_list_t *attr_list;
-	imv_state_t *state;
 	imv_attestation_state_t *attestation_state;
-	pts_t *pts;
+	imv_msg_t *out_msg;
 	enumerator_t *enumerator;
+	pa_tnc_attr_t *attr;
+	pen_type_t type;
 	TNC_Result result;
+	pts_t *pts;
+	chunk_t os_name = chunk_empty;
+	chunk_t os_version = chunk_empty;
+	bool fatal_error = FALSE;
 
-	if (!imv_attestation)
+	/* parse received PA-TNC message and handle local and remote errors */
+	result = in_msg->receive(in_msg, &fatal_error);
+	if (result != TNC_RESULT_SUCCESS)
 	{
-		DBG1(DBG_IMV, "IMV \"%s\" has not been initialized", imv_name);
-		return TNC_RESULT_NOT_INITIALIZED;
+		return result;
 	}
 
-	/* get current IMV state */
-	if (!imv_attestation->get_state(imv_attestation, connection_id, &state))
-	{
-		return TNC_RESULT_FATAL;
-	}
 	attestation_state = (imv_attestation_state_t*)state;
 	pts = attestation_state->get_pts(attestation_state);
 
-	/* parse received PA-TNC message and automatically handle any errors */
-	result = imv_attestation->receive_message(imv_attestation, state, msg,
-					 msg_vid, msg_subtype, src_imc_id, dst_imv_id, &pa_tnc_msg);
-
-	/* no parsed PA-TNC attributes available if an error occurred */
-	if (!pa_tnc_msg)
-	{
-		return result;
-	}
-
-	/* preprocess any IETF standard error attributes */
-	result = pa_tnc_msg->process_ietf_std_errors(pa_tnc_msg) ?
-					TNC_RESULT_FATAL : TNC_RESULT_SUCCESS;
-
-	attr_list = linked_list_create();
+	out_msg = imv_msg_create_as_reply(in_msg);
+	out_msg->set_msg_type(out_msg, msg_types[0]);
 
 	/* analyze PA-TNC attributes */
-	enumerator = pa_tnc_msg->create_attribute_enumerator(pa_tnc_msg);
+	enumerator = in_msg->create_attribute_enumerator(in_msg);
 	while (enumerator->enumerate(enumerator, &attr))
 	{
 		type = attr->get_type(attr);
 
 		if (type.vendor_id == PEN_IETF)
 		{
-			if (type.type == IETF_ATTR_PA_TNC_ERROR)
+			switch (type.type)
 			{
-				ietf_attr_pa_tnc_error_t *error_attr;
-				pen_type_t error_code;
-				chunk_t msg_info;
+				case IETF_ATTR_PA_TNC_ERROR:
+				{
+					ietf_attr_pa_tnc_error_t *error_attr;
+					pen_type_t error_code;
+					chunk_t msg_info;
 
-				error_attr = (ietf_attr_pa_tnc_error_t*)attr;
-				error_code = error_attr->get_error_code(error_attr);
+					error_attr = (ietf_attr_pa_tnc_error_t*)attr;
+					error_code = error_attr->get_error_code(error_attr);
 
-				if (error_code.vendor_id == PEN_TCG)
-				{
-					msg_info = error_attr->get_msg_info(error_attr);
+					if (error_code.vendor_id == PEN_TCG)
+					{
+						msg_info = error_attr->get_msg_info(error_attr);
 
-					DBG1(DBG_IMV, "received TCG-PTS error '%N'",
-						 pts_error_code_names, error_code.type);
-					DBG1(DBG_IMV, "error information: %B", &msg_info);
+						DBG1(DBG_IMV, "received TCG-PTS error '%N'",
+							 pts_error_code_names, error_code.type);
+						DBG1(DBG_IMV, "error information: %B", &msg_info);
 
-					result = TNC_RESULT_FATAL;
+						result = TNC_RESULT_FATAL;
+					}
+					break;
 				}
-			}
-			else if (type.type == IETF_ATTR_PRODUCT_INFORMATION)
-			{
-				ietf_attr_product_info_t *attr_cast;
-				char *platform_info;
+				case IETF_ATTR_PRODUCT_INFORMATION:
+				{
+					ietf_attr_product_info_t *attr_cast;
 
-				attr_cast = (ietf_attr_product_info_t*)attr;
-				platform_info = attr_cast->get_info(attr_cast, NULL, NULL);
-				pts->set_platform_info(pts, platform_info);
+					attr_cast = (ietf_attr_product_info_t*)attr;
+					os_name = attr_cast->get_info(attr_cast, NULL, NULL);
+					break;
+				}
+				case IETF_ATTR_STRING_VERSION:
+				{
+					ietf_attr_string_version_t *attr_cast;
+
+					attr_cast = (ietf_attr_string_version_t*)attr;
+					os_version = attr_cast->get_version(attr_cast, NULL, NULL);
+					break;
+				}
+				default:
+					break;
 			}
 		}
 		else if (type.vendor_id == PEN_TCG)
 		{
-			if (!imv_attestation_process(attr, attr_list, attestation_state,
+			if (!imv_attestation_process(attr, out_msg, attestation_state, 
 				supported_algorithms,supported_dh_groups, pts_db, pts_credmgr))
 			{
 				result = TNC_RESULT_FATAL;
@@ -301,36 +277,50 @@ static TNC_Result receive_message(TNC_IMVID imv_id,
 		}
 	}
 	enumerator->destroy(enumerator);
-	pa_tnc_msg->destroy(pa_tnc_msg);
 
-	if (result != TNC_RESULT_SUCCESS)
+	if (os_name.len && os_version.len)
+	{
+		pts->set_platform_info(pts, os_name, os_version);
+	}
+
+	if (fatal_error || result != TNC_RESULT_SUCCESS)
 	{
-		attr_list->destroy_offset(attr_list, offsetof(pa_tnc_attr_t, destroy));
 		state->set_recommendation(state,
-								TNC_IMV_ACTION_RECOMMENDATION_ISOLATE,
+								TNC_IMV_ACTION_RECOMMENDATION_NO_RECOMMENDATION,
 								TNC_IMV_EVALUATION_RESULT_ERROR);
-		return imv_attestation->provide_recommendation(imv_attestation,
-													   connection_id, src_imc_id);
+		result = out_msg->send_assessment(out_msg);
+		out_msg->destroy(out_msg);
+		if (result != TNC_RESULT_SUCCESS)
+		{
+			return result;
+		}
+		return imv_attestation->provide_recommendation(imv_attestation, state);
 	}
 
-	if (attr_list->get_count(attr_list))
+	/* send PA-TNC message with excl flag set */
+	result = out_msg->send(out_msg, TRUE);
+
+	if (result != TNC_RESULT_SUCCESS)
 	{
-		result = imv_attestation->send_message(imv_attestation, connection_id,
-										FALSE, 0, TNC_IMCID_ANY, attr_list);
-		attr_list->destroy(attr_list);
+		out_msg->destroy(out_msg);
 		return result;
 	}
-	attr_list->destroy(attr_list);
 
 	/* check the IMV state for the next PA-TNC attributes to send */
-	result = send_message(connection_id);
+	result = send_message(state, out_msg);
+
 	if (result != TNC_RESULT_SUCCESS)
 	{
 		state->set_recommendation(state,
 								TNC_IMV_ACTION_RECOMMENDATION_NO_RECOMMENDATION,
 								TNC_IMV_EVALUATION_RESULT_ERROR);
-		return imv_attestation->provide_recommendation(imv_attestation,
-													   connection_id, src_imc_id);
+		result = out_msg->send_assessment(out_msg);
+		out_msg->destroy(out_msg);
+		if (result != TNC_RESULT_SUCCESS)
+		{
+			return result;
+		}
+		return imv_attestation->provide_recommendation(imv_attestation, state);
 	}
 
 	if (attestation_state->get_handshake_state(attestation_state) ==
@@ -340,7 +330,8 @@ static TNC_Result receive_message(TNC_IMVID imv_id,
 		{
 			DBG1(DBG_IMV, "failure due to %d pending file measurements",
 				attestation_state->get_file_meas_request_count(attestation_state));
-			attestation_state->set_measurement_error(attestation_state);
+			attestation_state->set_measurement_error(attestation_state,
+								IMV_ATTESTATION_ERROR_FILE_MEAS_PEND);
 		}
 		if (attestation_state->get_measurement_error(attestation_state))
 		{
@@ -354,9 +345,15 @@ static TNC_Result receive_message(TNC_IMVID imv_id,
 								TNC_IMV_ACTION_RECOMMENDATION_ALLOW,
 								TNC_IMV_EVALUATION_RESULT_COMPLIANT);
 		}
-		return imv_attestation->provide_recommendation(imv_attestation,
-													   connection_id, src_imc_id);
+		result = out_msg->send_assessment(out_msg);
+		out_msg->destroy(out_msg);
+		if (result != TNC_RESULT_SUCCESS)
+		{
+			return result;
+		}
+		return imv_attestation->provide_recommendation(imv_attestation, state);
 	}
+	out_msg->destroy(out_msg);
 
 	return result;
 }
@@ -370,14 +367,25 @@ TNC_Result TNC_IMV_ReceiveMessage(TNC_IMVID imv_id,
 								  TNC_UInt32 msg_len,
 								  TNC_MessageType msg_type)
 {
-	TNC_VendorID msg_vid;
-	TNC_MessageSubtype msg_subtype;
+	imv_state_t *state;
+	imv_msg_t *in_msg;
+	TNC_Result result;
 
-	msg_vid = msg_type >> 8;
-	msg_subtype = msg_type & TNC_SUBTYPE_ANY;
+	if (!imv_attestation)
+	{
+		DBG1(DBG_IMV, "IMV \"%s\" has not been initialized", imv_name);
+		return TNC_RESULT_NOT_INITIALIZED;
+	}
+	if (!imv_attestation->get_state(imv_attestation, connection_id, &state))
+	{
+		return TNC_RESULT_FATAL;
+	}
+	in_msg = imv_msg_create_from_data(imv_attestation, state, connection_id, 
+									  msg_type, chunk_create(msg, msg_len));
+	result = receive_message(state, in_msg);
+	in_msg->destroy(in_msg);
 
-	return receive_message(imv_id, connection_id, 0, chunk_create(msg, msg_len),
-						   msg_vid,	msg_subtype, 0, TNC_IMVID_ANY);
+	return result;
 }
 
 /**
@@ -393,9 +401,26 @@ TNC_Result TNC_IMV_ReceiveMessageLong(TNC_IMVID imv_id,
 									  TNC_UInt32 src_imc_id,
 									  TNC_UInt32 dst_imv_id)
 {
-	return receive_message(imv_id, connection_id, msg_flags,
-						   chunk_create(msg, msg_len), msg_vid, msg_subtype,
-						   src_imc_id, dst_imv_id);
+	imv_state_t *state;
+	imv_msg_t *in_msg;
+	TNC_Result result;
+
+	if (!imv_attestation)
+	{
+		DBG1(DBG_IMV, "IMV \"%s\" has not been initialized", imv_name);
+		return TNC_RESULT_NOT_INITIALIZED;
+	}
+	if (!imv_attestation->get_state(imv_attestation, connection_id, &state))
+	{
+		return TNC_RESULT_FATAL;
+	}
+	in_msg = imv_msg_create_from_long_data(imv_attestation, state, connection_id,
+								src_imc_id, dst_imv_id, msg_vid, msg_subtype,
+								chunk_create(msg, msg_len));
+	result =receive_message(state, in_msg);
+	in_msg->destroy(in_msg);
+
+	return result;
 }
 
 /**
@@ -404,13 +429,18 @@ TNC_Result TNC_IMV_ReceiveMessageLong(TNC_IMVID imv_id,
 TNC_Result TNC_IMV_SolicitRecommendation(TNC_IMVID imv_id,
 										 TNC_ConnectionID connection_id)
 {
+	imv_state_t *state;
+
 	if (!imv_attestation)
 	{
 		DBG1(DBG_IMV, "IMV \"%s\" has not been initialized", imv_name);
 		return TNC_RESULT_NOT_INITIALIZED;
 	}
-	return imv_attestation->provide_recommendation(imv_attestation,
-												   connection_id, TNC_IMCID_ANY);
+	if (!imv_attestation->get_state(imv_attestation, connection_id, &state))
+	{
+		return TNC_RESULT_FATAL;
+	}
+	return imv_attestation->provide_recommendation(imv_attestation, state);
 }
 
 /**
@@ -419,27 +449,11 @@ TNC_Result TNC_IMV_SolicitRecommendation(TNC_IMVID imv_id,
 TNC_Result TNC_IMV_BatchEnding(TNC_IMVID imv_id,
 							   TNC_ConnectionID connection_id)
 {
-	imv_state_t *state;
-	imv_attestation_state_t *attestation_state;
-
 	if (!imv_attestation)
 	{
 		DBG1(DBG_IMV, "IMV \"%s\" has not been initialized", imv_name);
 		return TNC_RESULT_NOT_INITIALIZED;
 	}
-	/* get current IMV state */
-	if (!imv_attestation->get_state(imv_attestation, connection_id, &state))
-	{
-		return TNC_RESULT_FATAL;
-	}
-	attestation_state = (imv_attestation_state_t*)state;
-
-	/* Check if IMV has to initiate the PA-TNC exchange */
-	if (attestation_state->get_handshake_state(attestation_state) ==
-		IMV_ATTESTATION_STATE_INIT)
-	{
-		return send_message(connection_id);
-	}
 	return TNC_RESULT_SUCCESS;
 }
 
diff --git a/src/libpts/plugins/imv_attestation/imv_attestation_build.c b/src/libpts/plugins/imv_attestation/imv_attestation_build.c
index 23195d6e3..b4feec7cd 100644
--- a/src/libpts/plugins/imv_attestation/imv_attestation_build.c
+++ b/src/libpts/plugins/imv_attestation/imv_attestation_build.c
@@ -27,9 +27,9 @@
 #include <tcg/tcg_pts_attr_req_file_meas.h>
 #include <tcg/tcg_pts_attr_req_file_meta.h>
 
-#include <debug.h>
+#include <utils/debug.h>
 
-bool imv_attestation_build(linked_list_t *attr_list,
+bool imv_attestation_build(imv_msg_t *out_msg,
 						   imv_attestation_state_t *attestation_state,
 						   pts_meas_algorithms_t supported_algorithms,
 						   pts_dh_group_t supported_dh_groups,
@@ -76,12 +76,12 @@ bool imv_attestation_build(linked_list_t *attr_list,
 			flags = pts->get_proto_caps(pts);
 			attr = tcg_pts_attr_proto_caps_create(flags, TRUE);
 			attr->set_noskip_flag(attr, TRUE);
-			attr_list->insert_last(attr_list, attr);
+			out_msg->add_attribute(out_msg, attr);
 
 			/* Send Measurement Algorithms attribute */
 			attr = tcg_pts_attr_meas_algo_create(supported_algorithms, FALSE);
 			attr->set_noskip_flag(attr, TRUE);
-			attr_list->insert_last(attr_list, attr);
+			out_msg->add_attribute(out_msg, attr);
 
 			attestation_state->set_handshake_state(attestation_state,
 										IMV_ATTESTATION_STATE_NONCE_REQ);
@@ -97,7 +97,7 @@ bool imv_attestation_build(linked_list_t *attr_list,
 			attr = tcg_pts_attr_dh_nonce_params_req_create(min_nonce_len,
 													 supported_dh_groups);
 			attr->set_noskip_flag(attr, TRUE);
-			attr_list->insert_last(attr_list, attr);
+			out_msg->add_attribute(out_msg, attr);
 
 			attestation_state->set_handshake_state(attestation_state,
 										IMV_ATTESTATION_STATE_TPM_INIT);
@@ -116,18 +116,18 @@ bool imv_attestation_build(linked_list_t *attr_list,
 				attr = tcg_pts_attr_dh_nonce_finish_create(selected_algorithm,
 											initiator_value, initiator_nonce);
 				attr->set_noskip_flag(attr, TRUE);
-			attr_list->insert_last(attr_list, attr);
+				out_msg->add_attribute(out_msg, attr);
 			}
 
 			/* Send Get TPM Version attribute */
 			attr = tcg_pts_attr_get_tpm_version_info_create();
 			attr->set_noskip_flag(attr, TRUE);
-			attr_list->insert_last(attr_list, attr);
+			out_msg->add_attribute(out_msg, attr);
 
 			/* Send Get AIK attribute */
 			attr = tcg_pts_attr_get_aik_create();
 			attr->set_noskip_flag(attr, TRUE);
-			attr_list->insert_last(attr_list, attr);
+			out_msg->add_attribute(out_msg, attr);
 
 			attestation_state->set_handshake_state(attestation_state,
 										IMV_ATTESTATION_STATE_MEAS);
@@ -140,7 +140,7 @@ bool imv_attestation_build(linked_list_t *attr_list,
 			char *platform_info, *pathname;
 			u_int16_t request_id;
 			int id, type;
-			bool is_dir;
+			bool is_dir, have_request = FALSE;
 
 			attestation_state->set_handshake_state(attestation_state,
 										IMV_ATTESTATION_STATE_COMP_EVID);
@@ -173,10 +173,11 @@ bool imv_attestation_build(linked_list_t *attr_list,
 				attr = tcg_pts_attr_req_file_meta_create(is_dir, delimiter,
 														 pathname);
 				attr->set_noskip_flag(attr, TRUE);
-				attr_list->insert_last(attr_list, attr);
+				out_msg->add_attribute(out_msg, attr);
+				have_request = TRUE;
 			}
 			enumerator->destroy(enumerator);
-			
+
 			/* Send Request File Measurement attribute */
 			enumerator = pts_db->create_file_meas_enumerator(pts_db,
 															 platform_info);
@@ -194,12 +195,13 @@ bool imv_attestation_build(linked_list_t *attr_list,
 				attr = tcg_pts_attr_req_file_meas_create(is_dir, request_id,
 													 delimiter, pathname);
 				attr->set_noskip_flag(attr, TRUE);
-				attr_list->insert_last(attr_list, attr);
+				out_msg->add_attribute(out_msg, attr);
+				have_request = TRUE;
 			}
 			enumerator->destroy(enumerator);
 
 			/* do we have any file metadata or measurement requests? */
-			if (attr_list->get_count(attr_list))
+			if (have_request)
 			{
 				break;
 			}
@@ -282,12 +284,12 @@ bool imv_attestation_build(linked_list_t *attr_list,
 			if (attr)
 			{
 				/* Send Request Functional Component Evidence attribute */
-				attr_list->insert_last(attr_list, attr);
+				out_msg->add_attribute(out_msg, attr);
 
 				/* Send Generate Attestation Evidence attribute */
 				attr = tcg_pts_attr_gen_attest_evid_create();
 				attr->set_noskip_flag(attr, TRUE);
-				attr_list->insert_last(attr_list, attr);
+				out_msg->add_attribute(out_msg, attr);
 
 				attestation_state->set_handshake_state(attestation_state,
 										IMV_ATTESTATION_STATE_EVID_FINAL);
diff --git a/src/libpts/plugins/imv_attestation/imv_attestation_build.h b/src/libpts/plugins/imv_attestation/imv_attestation_build.h
index 7f934fd09..0fc10f0ce 100644
--- a/src/libpts/plugins/imv_attestation/imv_attestation_build.h
+++ b/src/libpts/plugins/imv_attestation/imv_attestation_build.h
@@ -24,7 +24,7 @@
 
 #include "imv_attestation_state.h"
 
-#include <pa_tnc/pa_tnc_msg.h>
+#include <imv/imv_msg.h>
 #include <library.h>
 
 #include <pts/pts_database.h>
@@ -34,14 +34,14 @@
 /**
  * Process a TCG PTS attribute
  *
- * @param attr_list				list of PA-TNC attriubutes to be built
+ * @param out_msg				outbound PA-TNC message to be built
  * @param attestation_state		attestation state of a given connection
  * @param supported_algorithms	supported PTS measurement algorithms
  * @param supported_dh_groups	supported DH groups
  * @param pts_db				PTS configuration database
  * @return						TRUE if successful
  */
-bool imv_attestation_build(linked_list_t *attr_list,
+bool imv_attestation_build(imv_msg_t *out_msg,
 						   imv_attestation_state_t *attestation_state,
 						   pts_meas_algorithms_t supported_algorithms,
 						   pts_dh_group_t supported_dh_groups,
diff --git a/src/libpts/plugins/imv_attestation/imv_attestation_process.c b/src/libpts/plugins/imv_attestation/imv_attestation_process.c
index 37e9ac77a..4541075ef 100644
--- a/src/libpts/plugins/imv_attestation/imv_attestation_process.c
+++ b/src/libpts/plugins/imv_attestation/imv_attestation_process.c
@@ -29,12 +29,12 @@
 #include <tcg/tcg_pts_attr_tpm_version_info.h>
 #include <tcg/tcg_pts_attr_unix_file_meta.h>
 
-#include <debug.h>
+#include <utils/debug.h>
 #include <crypto/hashers/hasher.h>
 
 #include <inttypes.h>
 
-bool imv_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list,
+bool imv_attestation_process(pa_tnc_attr_t *attr, imv_msg_t *out_msg,
 							 imv_attestation_state_t *attestation_state,
 							 pts_meas_algorithms_t supported_algorithms,
 							 pts_dh_group_t supported_dh_groups,
@@ -43,7 +43,7 @@ bool imv_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list,
 {
 	pen_type_t attr_type;
 	pts_t *pts;
-	
+
 	pts = attestation_state->get_pts(attestation_state);
 	attr_type = attr->get_type(attr);
 
@@ -96,7 +96,7 @@ bool imv_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list,
 				attr = pts_dh_nonce_error_create(
 									max(PTS_MIN_NONCE_LEN, min_nonce_len),
 										PTS_MAX_NONCE_LEN);
-				attr_list->insert_last(attr_list, attr);
+				out_msg->add_attribute(out_msg, attr);
 				break;
 			}
 
@@ -113,7 +113,7 @@ bool imv_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list,
 			if (selected_algorithm == PTS_MEAS_ALGO_NONE)
 			{
 				attr = pts_hash_alg_error_create(supported_algorithms);
-				attr_list->insert_last(attr_list, attr);
+				out_msg->add_attribute(out_msg, attr);
 				break;
 			}
 			pts->set_dh_hash_algorithm(pts, selected_algorithm);
@@ -233,7 +233,8 @@ bool imv_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list,
 								platform_info, algo, file_id, is_dir);
 				if (!measurements->verify(measurements, e_hash, is_dir))
 				{
-					attestation_state->set_measurement_error(attestation_state);
+					attestation_state->set_measurement_error(attestation_state,
+										IMV_ATTESTATION_ERROR_FILE_MEAS_FAIL);
 				}
 				e_hash->destroy(e_hash);
 			}
@@ -299,7 +300,8 @@ bool imv_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list,
 			if (comp->verify(comp, name->get_qualifier(name), pts,
 							 evidence) != SUCCESS)
 			{
-				attestation_state->set_measurement_error(attestation_state);
+				attestation_state->set_measurement_error(attestation_state,
+									IMV_ATTESTATION_ERROR_COMP_EVID_FAIL);
 				name->log(name, "  measurement mismatch for ");
 			}
 			break;
@@ -335,17 +337,21 @@ bool imv_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list,
 				{
 					DBG1(DBG_IMV, "received PCR Composite does not match "
 								  "constructed one");
+					attestation_state->set_measurement_error(attestation_state,
+										IMV_ATTESTATION_ERROR_TPM_QUOTE_FAIL);
 					free(pcr_composite.ptr);
 					free(quote_info.ptr);
-					return FALSE;
+					break;
 				}
 				DBG2(DBG_IMV, "received PCR Composite matches constructed one");
 				free(pcr_composite.ptr);
 
 				if (!pts->verify_quote_signature(pts, quote_info, tpm_quote_sig))
 				{
+					attestation_state->set_measurement_error(attestation_state,
+										IMV_ATTESTATION_ERROR_TPM_QUOTE_FAIL);
 					free(quote_info.ptr);
-					return FALSE;
+					break;
 				}
 				DBG2(DBG_IMV, "TPM Quote Info signature verification successful");
 				free(quote_info.ptr);
diff --git a/src/libpts/plugins/imv_attestation/imv_attestation_process.h b/src/libpts/plugins/imv_attestation/imv_attestation_process.h
index 4d4eeefbb..73b4251e0 100644
--- a/src/libpts/plugins/imv_attestation/imv_attestation_process.h
+++ b/src/libpts/plugins/imv_attestation/imv_attestation_process.h
@@ -25,10 +25,11 @@
 #include "imv_attestation_state.h"
 
 #include <library.h>
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
 #include <credentials/credential_manager.h>
 #include <crypto/hashers/hasher.h>
 
+#include <imv/imv_msg.h>
 #include <pa_tnc/pa_tnc_attr.h>
 
 #include <pts/pts_database.h>
@@ -39,7 +40,7 @@
  * Process a TCG PTS attribute
  *
  * @param attr					PA-TNC attribute to be processed
- * @param attr_list				list with PA-TNC error attributes
+ * @param out_msg				PA-TNC message containing error messages
  * @param attestation_state		attestation state of a given connection
  * @param supported_algorithms	supported PTS measurement algorithms
  * @param supported_dh_groups	supported DH groups
@@ -47,7 +48,7 @@
  * @param pts_credmgr			PTS credential manager
  * @return						TRUE if successful
  */
-bool imv_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list,
+bool imv_attestation_process(pa_tnc_attr_t *attr, imv_msg_t *out_msg,
 							 imv_attestation_state_t *attestation_state,
 							 pts_meas_algorithms_t supported_algorithms,
 							 pts_dh_group_t supported_dh_groups,
diff --git a/src/libpts/plugins/imv_attestation/imv_attestation_state.c b/src/libpts/plugins/imv_attestation/imv_attestation_state.c
index 1dbc88309..93da9aee5 100644
--- a/src/libpts/plugins/imv_attestation/imv_attestation_state.c
+++ b/src/libpts/plugins/imv_attestation/imv_attestation_state.c
@@ -17,9 +17,11 @@
 
 #include <libpts.h>
 
-#include <utils/lexparser.h>
-#include <utils/linked_list.h>
-#include <debug.h>
+#include <imv/imv_lang_string.h>
+#include "imv/imv_reason_string.h"
+
+#include <collections/linked_list.h>
+#include <utils/debug.h>
 
 typedef struct private_imv_attestation_state_t private_imv_attestation_state_t;
 typedef struct file_meas_request_t file_meas_request_t;
@@ -44,7 +46,7 @@ struct private_imv_attestation_state_t {
 	 * TNCCS connection state
 	 */
 	TNC_ConnectionState state;
-	
+
 	/**
 	 * Does the TNCCS connection support long message types?
 	 */
@@ -96,9 +98,14 @@ struct private_imv_attestation_state_t {
 	pts_t *pts;
 
 	/**
-	 * Measurement error
+	 * Measurement error flags
+	 */
+	u_int32_t measurement_error;
+
+	/**
+	 * TNC Reason String
 	 */
-	bool measurement_error;
+	imv_reason_string_t *reason_string;
 
 };
 
@@ -128,26 +135,47 @@ static void free_func_comp(func_comp_t *this)
 	free(this);
 }
 
-typedef struct entry_t entry_t;
-
 /**
- * Define an internal reason string entry
+ * Supported languages
  */
-struct entry_t {
-	char *lang;
-	char *string;
-};
+static char* languages[] = { "en", "de", "mn" };
 
 /**
- * Table of multi-lingual reason string entries 
+ * Table of reason strings
  */
-static entry_t reasons[] = {
-	{ "en", "IMV Attestation: Incorrect/pending file measurement/component"
-			" evidence or invalid TPM Quote signature received" },
-	{ "mn", "IMV Attestation:  Буруу/хүлээгдэж байгаа файл/компонент хэмжилт "
-			"эсвэл буруу TPM Quote гарын үсэг" },
-	{ "de", "IMV Attestation: Falsche/Fehlende Dateimessung/Komponenten Beweis "
-			"oder ungültige TPM Quote Unterschrift ist erhalten" },
+static imv_lang_string_t reason_file_meas_fail[] = {
+	{ "en", "Incorrect file measurement" },
+	{ "de", "Falsche Dateimessung" },
+	{ "mn", "Буруу байгаа файл" },
+	{ NULL, NULL }
+};
+
+static imv_lang_string_t reason_file_meas_pend[] = {
+	{ "en", "Pending file measurement" },
+	{ "de", "Ausstehende Dateimessung" },
+	{ "mn", "Xүлээгдэж байгаа файл" },
+	{ NULL, NULL }
+};
+
+static imv_lang_string_t reason_comp_evid_fail[] = {
+	{ "en", "Incorrect component evidence" },
+	{ "de", "Falsche Komponenten-Evidenz" },
+	{ "mn", "Буруу компонент хэмжилт" },
+	{ NULL, NULL }
+};
+
+static imv_lang_string_t reason_comp_evid_pend[] = {
+	{ "en", "Pending component evidence" },
+	{ "de", "Ausstehende Komponenten-Evidenz" },
+	{ "mn", "Xүлээгдэж компонент хэмжилт" },
+	{ NULL, NULL }
+};
+
+static imv_lang_string_t reason_tpm_quote_fail[] = {
+	{ "en", "Invalid TPM Quote signature received" },
+	{ "de", "Falsche TPM Quote Signature erhalten" },
+	{ "mn", "Буруу TPM Quote гарын үсэг" },
+	{ NULL, NULL }
 };
 
 METHOD(imv_state_t, get_connection_id, TNC_ConnectionID,
@@ -210,52 +238,57 @@ METHOD(imv_state_t, set_recommendation, void,
 }
 
 METHOD(imv_state_t, get_reason_string, bool,
-	private_imv_attestation_state_t *this, chunk_t preferred_language,
-	chunk_t *reason_string, chunk_t *reason_language)
+	private_imv_attestation_state_t *this, enumerator_t *language_enumerator,
+	chunk_t *reason_string, char **reason_language)
 {
-	chunk_t pref_lang, lang;
-	u_char *pos;
-	int i;
+	*reason_language = imv_lang_string_select_lang(language_enumerator,
+											  languages, countof(languages));
 
-	while (eat_whitespace(&preferred_language))
-	{
-		if (!extract_token(&pref_lang, ',', &preferred_language))
-		{
-			/* last entry in a comma-separated list or single entry */
-			pref_lang = preferred_language;
-		}
+	/* Instantiate a TNC Reason String object */
+	DESTROY_IF(this->reason_string);
+	this->reason_string = imv_reason_string_create(*reason_language);
 
-		/* eat trailing whitespace */
-		pos = pref_lang.ptr + pref_lang.len - 1;
-		while (pref_lang.len && *pos-- == ' ')
-		{
-			pref_lang.len--;
-		}
-
-		for (i = 0 ; i < countof(reasons); i++)
-		{
-			lang = chunk_create(reasons[i].lang, strlen(reasons[i].lang));
-			if (chunk_equals(lang, pref_lang))
-			{
-				*reason_language = lang;
-				*reason_string = chunk_create(reasons[i].string,
-										strlen(reasons[i].string));
-				return TRUE;
-			}
-		}
+	if (this->measurement_error & IMV_ATTESTATION_ERROR_FILE_MEAS_FAIL)
+	{
+		this->reason_string->add_reason(this->reason_string,
+										reason_file_meas_fail);
+	}
+	if (this->measurement_error & IMV_ATTESTATION_ERROR_FILE_MEAS_PEND)
+	{
+		this->reason_string->add_reason(this->reason_string,
+										reason_file_meas_pend);
+	}
+	if (this->measurement_error & IMV_ATTESTATION_ERROR_COMP_EVID_FAIL)
+	{
+		this->reason_string->add_reason(this->reason_string,
+										reason_comp_evid_fail);
+	}
+	if (this->measurement_error & IMV_ATTESTATION_ERROR_COMP_EVID_PEND)
+	{
+		this->reason_string->add_reason(this->reason_string,
+										reason_comp_evid_pend);
 	}
+	if (this->measurement_error & IMV_ATTESTATION_ERROR_TPM_QUOTE_FAIL)
+	{
+		this->reason_string->add_reason(this->reason_string,
+										reason_tpm_quote_fail);
+	}
+	*reason_string = this->reason_string->get_encoding(this->reason_string);
 
-	/* no preferred language match found - use the default language */
-	*reason_string =   chunk_create(reasons[0].string,
-									strlen(reasons[0].string));
-	*reason_language = chunk_create(reasons[0].lang,
-									strlen(reasons[0].lang));
 	return TRUE;
 }
 
+METHOD(imv_state_t, get_remediation_instructions, bool,
+	private_imv_attestation_state_t *this, enumerator_t *language_enumerator,
+	chunk_t *string, char **lang_code, char **uri)
+{
+	return FALSE;
+}
+
 METHOD(imv_state_t, destroy, void,
 	private_imv_attestation_state_t *this)
 {
+	DESTROY_IF(this->reason_string);
 	this->file_meas_requests->destroy_function(this->file_meas_requests, free);
 	this->components->destroy_function(this->components, (void *)free_func_comp);
 	this->pts->destroy(this->pts);
@@ -302,7 +335,7 @@ METHOD(imv_attestation_state_t, check_off_file_meas_request, bool,
 	enumerator_t *enumerator;
 	file_meas_request_t *request;
 	bool found = FALSE;
-	
+
 	enumerator = this->file_meas_requests->create_enumerator(this->file_meas_requests);
 	while (enumerator->enumerate(enumerator, &request))
 	{
@@ -396,16 +429,16 @@ METHOD(imv_attestation_state_t, get_component, pts_component_t*,
 	return found;
 }
 
-METHOD(imv_attestation_state_t, get_measurement_error, bool,
+METHOD(imv_attestation_state_t, get_measurement_error, u_int32_t,
 	private_imv_attestation_state_t *this)
 {
 	return this->measurement_error;
 }
 
 METHOD(imv_attestation_state_t, set_measurement_error, void,
-	private_imv_attestation_state_t *this)
+	private_imv_attestation_state_t *this, u_int32_t error)
 {
-	this->measurement_error = TRUE;
+	this->measurement_error |= error;
 }
 
 METHOD(imv_attestation_state_t, finalize_components, void,
@@ -418,7 +451,7 @@ METHOD(imv_attestation_state_t, finalize_components, void,
 	{
 		if (!entry->comp->finalize(entry->comp, entry->qualifier))
 		{
-			_set_measurement_error(this);
+			set_measurement_error(this, IMV_ATTESTATION_ERROR_COMP_EVID_PEND);
 		}
 		free_func_comp(entry);
 	}
@@ -436,7 +469,6 @@ METHOD(imv_attestation_state_t, components_finalized, bool,
 imv_state_t *imv_attestation_state_create(TNC_ConnectionID connection_id)
 {
 	private_imv_attestation_state_t *this;
-	char *platform_info;
 
 	INIT(this,
 		.public = {
@@ -451,6 +483,7 @@ imv_state_t *imv_attestation_state_create(TNC_ConnectionID connection_id)
 				.get_recommendation = _get_recommendation,
 				.set_recommendation = _set_recommendation,
 				.get_reason_string = _get_reason_string,
+				.get_remediation_instructions = _get_remediation_instructions,
 				.destroy = _destroy,
 			},
 			.get_handshake_state = _get_handshake_state,
@@ -476,12 +509,5 @@ imv_state_t *imv_attestation_state_create(TNC_ConnectionID connection_id)
 		.pts = pts_create(FALSE),
 	);
 
-	platform_info = lib->settings->get_str(lib->settings,
-						 "libimcv.plugins.imv-attestation.platform_info", NULL);
-	if (platform_info)
-	{
-		this->pts->set_platform_info(this->pts, platform_info);
-	}
-	
 	return &this->public.interface;
 }
diff --git a/src/libpts/plugins/imv_attestation/imv_attestation_state.h b/src/libpts/plugins/imv_attestation/imv_attestation_state.h
index 901d4b19d..f64314e71 100644
--- a/src/libpts/plugins/imv_attestation/imv_attestation_state.h
+++ b/src/libpts/plugins/imv_attestation/imv_attestation_state.h
@@ -30,6 +30,7 @@
 
 typedef struct imv_attestation_state_t imv_attestation_state_t;
 typedef enum imv_attestation_handshake_state_t imv_attestation_handshake_state_t;
+typedef enum imv_meas_error_t imv_meas_error_t;
 
 /**
  * IMV Attestation Handshake States (state machine)
@@ -44,6 +45,17 @@ enum imv_attestation_handshake_state_t {
 	IMV_ATTESTATION_STATE_END,
 };
 
+/**
+ * IMV Measurement Error Types
+ */
+enum imv_meas_error_t {
+	IMV_ATTESTATION_ERROR_FILE_MEAS_FAIL =  1,
+	IMV_ATTESTATION_ERROR_FILE_MEAS_PEND =  2,
+	IMV_ATTESTATION_ERROR_COMP_EVID_FAIL =  4,
+	IMV_ATTESTATION_ERROR_COMP_EVID_PEND =  8,
+	IMV_ATTESTATION_ERROR_TPM_QUOTE_FAIL = 16
+};
+
 /**
  * Internal state of an imv_attestation_t connection instance
  */
@@ -139,16 +151,19 @@ struct imv_attestation_state_t {
 	bool (*components_finalized)(imv_attestation_state_t *this);
 
 	/**
-	 * Indicates if a file measurement error occurred
+	 * Indicates the types of measurement errors that occurred
 	 *
-	 * @return					TRUE in case of measurement error
+	 * @return					Measurement error flags
 	 */
-	bool (*get_measurement_error)(imv_attestation_state_t *this);
+	u_int32_t (*get_measurement_error)(imv_attestation_state_t *this);
 
 	/**
-	 * Call if a file measurement error is encountered
+	 * Call if a measurement error is encountered
+	 *
+	 * @param error				Measurement error type
 	 */
-	void (*set_measurement_error)(imv_attestation_state_t *this);
+	void (*set_measurement_error)(imv_attestation_state_t *this,
+								  u_int32_t error);
 
 };
 
diff --git a/src/libpts/plugins/imv_attestation/tables.sql b/src/libpts/plugins/imv_attestation/tables.sql
index 42553bef0..8a79ea7cf 100644
--- a/src/libpts/plugins/imv_attestation/tables.sql
+++ b/src/libpts/plugins/imv_attestation/tables.sql
@@ -85,3 +85,54 @@ CREATE TABLE component_hashes (
   hash BLOB NOT NULL,
   PRIMARY KEY(component, key, seq_no, algo)
 );
+
+DROP TABLE IF EXISTS packages;
+CREATE TABLE packages (
+  id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
+  name TEXT NOT NULL
+);
+DROP INDEX IF EXISTS packages_name;
+CREATE INDEX packages_name ON packages (
+  name
+);
+
+DROP TABLE IF EXISTS versions;
+CREATE TABLE versions (
+  id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
+  package INTEGER NOT NULL,
+  product INTEGER NOT NULL,
+  release TEXT NOT NULL,
+  security INTEGER DEFAULT 0,
+  time INTEGER DEFAULT 0
+);
+DROP INDEX IF EXISTS versions_release;
+CREATE INDEX versions_release ON versions (
+  release
+);
+DROP INDEX IF EXISTS versions_package_product;
+CREATE INDEX versions_package_product ON versions (
+  package, product
+);
+
+DROP TABLE IF EXISTS devices;
+CREATE TABLE devices (
+  id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
+  value BLOB NOT NULL
+);
+DROP INDEX IF EXISTS devices_id;
+CREATE INDEX devices_value ON devices (
+  value
+);
+
+DROP TABLE IF EXISTS device_infos;
+CREATE TABLE device_infos (
+  device INTEGER NOT NULL,
+  time INTEGER NOT NULL,
+  product INTEGER DEFAULT 0,
+  count INTEGER DEFAULT 0,
+  count_update INTEGER DEFAULT 0,
+  count_blacklist INTEGER DEFAULT 0,
+  flags INTEGER DEFAULT 0,
+  PRIMARY KEY (device, time)
+);
+
diff --git a/src/libpts/pts/components/ita/ita_comp_ima.c b/src/libpts/pts/components/ita/ita_comp_ima.c
index a59732428..02470f5f5 100644
--- a/src/libpts/pts/components/ita/ita_comp_ima.c
+++ b/src/libpts/pts/components/ita/ita_comp_ima.c
@@ -20,7 +20,7 @@
 #include "pts/pts_pcr.h"
 #include "pts/components/pts_component.h"
 
-#include <debug.h>
+#include <utils/debug.h>
 #include <pen/pen.h>
 
 #include <sys/types.h>
@@ -96,12 +96,12 @@ struct pts_ita_comp_ima_t {
 	int ima_cid;
 
 	/**
-	 * Component is registering IMA BIOS measurements 
+	 * Component is registering IMA BIOS measurements
 	 */
 	bool is_bios_registering;
 
 	/**
-	 * Component is registering IMA boot aggregate measurement 
+	 * Component is registering IMA boot aggregate measurement
 	 */
 	bool is_ima_registering;
 
@@ -184,7 +184,7 @@ struct bios_entry_t {
 
 	/**
 	 * SHA1 measurement hash
-	 */	
+	 */
 	chunk_t measurement;
 };
 
@@ -291,6 +291,7 @@ static bool load_bios_measurements(char *file, linked_list_t *list,
 
 	DBG1(DBG_PTS, "loading bios measurements '%s' failed: %s", file,
 		 strerror(errno));
+	free_bios_entry(entry);
 	close(fd);
 	return FALSE;
 }
@@ -377,6 +378,7 @@ static bool load_runtime_measurements(char *file, linked_list_t *list,
 
 	DBG1(DBG_PTS, "loading ima measurements '%s' failed: %s",
 		 file, strerror(errno));
+	free_ima_entry(entry);
 	close(fd);
 	return FALSE;
 }
@@ -526,7 +528,7 @@ METHOD(pts_component_t, measure, status_t,
 				evid = extend_pcr(this, qualifier, pcrs, bios_entry->pcr,
 								  bios_entry->measurement);
 				free(bios_entry);
-	
+
 				this->state = this->bios_list->get_count(this->bios_list) ?
 										IMA_STATE_BIOS : IMA_STATE_INIT;
 				break;
@@ -821,7 +823,7 @@ METHOD(pts_component_t, finalize, bool,
 	u_int32_t vid, name;
 	enum_name_t *names;
 	bool success = TRUE;
-		
+
 	this->name->set_qualifier(this->name, qualifier);
 	vid = this->name->get_vendor_id(this->name);
 	name = this->name->get_name(this->name);
@@ -915,7 +917,7 @@ METHOD(pts_component_t, destroy, void,
 		}
 		this->bios_list->destroy_function(this->bios_list,
 										 (void *)free_bios_entry);
-		this->ima_list->destroy_function(this->ima_list, 
+		this->ima_list->destroy_function(this->ima_list,
 										 (void *)free_ima_entry);
 		this->name->destroy(this->name);
 		free(this->keyid.ptr);
diff --git a/src/libpts/pts/components/ita/ita_comp_tboot.c b/src/libpts/pts/components/ita/ita_comp_tboot.c
index 9deeb19b5..8fb5abddf 100644
--- a/src/libpts/pts/components/ita/ita_comp_tboot.c
+++ b/src/libpts/pts/components/ita/ita_comp_tboot.c
@@ -19,7 +19,7 @@
 #include "libpts.h"
 #include "pts/components/pts_component.h"
 
-#include <debug.h>
+#include <utils/debug.h>
 #include <pen/pen.h>
 
 typedef struct pts_ita_comp_tboot_t pts_ita_comp_tboot_t;
@@ -66,7 +66,7 @@ struct pts_ita_comp_tboot_t {
 	int kid;
 
 	/**
-	 * Component is registering measurements 
+	 * Component is registering measurements
 	 */
 	bool is_registering;
 
@@ -123,7 +123,7 @@ METHOD(pts_component_t, measure, status_t,
 	char *meas_hex, *pcr_before_hex, *pcr_after_hex;
 	chunk_t measurement, pcr_before, pcr_after;
 	u_int32_t extended_pcr;
-	
+
 	switch (this->seq_no++)
 	{
 		case 0:
@@ -286,7 +286,7 @@ METHOD(pts_component_t, finalize, bool,
 {
 	u_int32_t vid, name;
 	enum_name_t *names;
-		
+
 	vid = this->name->get_vendor_id(this->name);
 	name = this->name->get_name(this->name);
 	names = pts_components->get_comp_func_names(pts_components, vid);
diff --git a/src/libpts/pts/components/ita/ita_comp_tgrub.c b/src/libpts/pts/components/ita/ita_comp_tgrub.c
index 986f7ace2..e3acd8774 100644
--- a/src/libpts/pts/components/ita/ita_comp_tgrub.c
+++ b/src/libpts/pts/components/ita/ita_comp_tgrub.c
@@ -18,7 +18,7 @@
 
 #include "pts/components/pts_component.h"
 
-#include <debug.h>
+#include <utils/debug.h>
 #include <pen/pen.h>
 
 typedef struct pts_ita_comp_tgrub_t pts_ita_comp_tgrub_t;
@@ -90,7 +90,7 @@ METHOD(pts_component_t, measure, status_t,
 	/* Provisional implementation for TGRUB */
 	extended_pcr = PCR_DEBUG;
 	time(&measurement_time);
-		
+
 	if (!pts->read_pcr(pts, extended_pcr, &pcr_after))
 	{
 		DBG1(DBG_PTS, "error occurred while reading PCR: %d", extended_pcr);
@@ -103,7 +103,7 @@ METHOD(pts_component_t, measure, status_t,
 
 	measurement = chunk_alloc(pcr_len);
 	memset(measurement.ptr, 0x00, measurement.len);
-		
+
 	pcr_before = chunk_alloc(pcr_len);
 	memset(pcr_before.ptr, 0x00, pcr_before.len);
 
@@ -150,7 +150,7 @@ METHOD(pts_component_t, verify, status_t,
 			return SUCCESS;
 		}
 	}
-	
+
 	return SUCCESS;
 }
 
diff --git a/src/libpts/pts/components/pts_comp_evidence.c b/src/libpts/pts/components/pts_comp_evidence.c
index 050717472..08c3d5e9a 100644
--- a/src/libpts/pts/components/pts_comp_evidence.c
+++ b/src/libpts/pts/components/pts_comp_evidence.c
@@ -15,7 +15,7 @@
 
 #include "pts/components/pts_comp_evidence.h"
 
-#include <debug.h>
+#include <utils/debug.h>
 
 typedef struct private_pts_comp_evidence_t private_pts_comp_evidence_t;
 
@@ -148,7 +148,7 @@ METHOD(pts_comp_evidence_t, get_pcr_info, bool,
 METHOD(pts_comp_evidence_t, set_pcr_info, void,
 	private_pts_comp_evidence_t *this, chunk_t pcr_before, chunk_t pcr_after)
 {
-	this->has_pcr_info = TRUE;	
+	this->has_pcr_info = TRUE;
 	this->pcr_before = pcr_before;
 	this->pcr_after =  pcr_after;
 
diff --git a/src/libpts/pts/components/pts_comp_func_name.c b/src/libpts/pts/components/pts_comp_func_name.c
index 7501be044..6c630f8fb 100644
--- a/src/libpts/pts/components/pts_comp_func_name.c
+++ b/src/libpts/pts/components/pts_comp_func_name.c
@@ -17,7 +17,7 @@
 #include "libpts.h"
 #include "pts/components/pts_comp_func_name.h"
 
-#include <debug.h>
+#include <utils/debug.h>
 
 typedef struct private_pts_comp_func_name_t private_pts_comp_func_name_t;
 
diff --git a/src/libpts/pts/components/pts_component_manager.c b/src/libpts/pts/components/pts_component_manager.c
index e330aeebf..9c1375b79 100644
--- a/src/libpts/pts/components/pts_component_manager.c
+++ b/src/libpts/pts/components/pts_component_manager.c
@@ -15,8 +15,8 @@
 
 #include "pts/components/pts_component_manager.h"
 
-#include <utils/linked_list.h>
-#include <debug.h>
+#include <collections/linked_list.h>
+#include <utils/debug.h>
 
 typedef struct private_pts_component_manager_t private_pts_component_manager_t;
 typedef struct vendor_entry_t vendor_entry_t;
@@ -56,7 +56,7 @@ struct vendor_entry_t {
 
 	/**
 	 * List of vendor-specific registered Functional Components
-	 */	
+	 */
 	linked_list_t *components;
 };
 
@@ -103,7 +103,7 @@ struct private_pts_component_manager_t {
 };
 
 METHOD(pts_component_manager_t, add_vendor, void,
-	private_pts_component_manager_t *this, pen_t vendor_id, 
+	private_pts_component_manager_t *this, pen_t vendor_id,
 	enum_name_t *comp_func_names, int qualifier_type_size,
 	char *qualifier_flag_names, enum_name_t *qualifier_type_names)
 {
@@ -285,7 +285,7 @@ METHOD(pts_component_manager_t, create, pts_component_t*,
 METHOD(pts_component_manager_t, destroy, void,
 	private_pts_component_manager_t *this)
 {
-	this->list->destroy_function(this->list, (void *)vendor_entry_destroy); 
+	this->list->destroy_function(this->list, (void *)vendor_entry_destroy);
 	free(this);
 }
 
diff --git a/src/libpts/pts/pts.c b/src/libpts/pts/pts.c
index 4c6c5bc22..84a9961c8 100644
--- a/src/libpts/pts/pts.c
+++ b/src/libpts/pts/pts.c
@@ -15,13 +15,22 @@
 
 #include "pts.h"
 
-#include <debug.h>
+#include <utils/debug.h>
 #include <crypto/hashers/hasher.h>
 #include <bio/bio_writer.h>
 #include <bio/bio_reader.h>
 
+#ifdef TSS_TROUSERS
 #include <trousers/tss.h>
 #include <trousers/trousers.h>
+#else
+#ifndef TPM_TAG_QUOTE_INFO2
+#define TPM_TAG_QUOTE_INFO2 0x0036
+#endif
+#ifndef TPM_LOC_ZERO
+#define TPM_LOC_ZERO 0x01
+#endif
+#endif
 
 #include <sys/types.h>
 #include <sys/stat.h>
@@ -280,6 +289,8 @@ METHOD(pts_t, calculate_secret, bool,
 	return TRUE;
 }
 
+#ifdef TSS_TROUSERS
+
 /**
  * Print TPM 1.2 Version Info
  */
@@ -299,14 +310,26 @@ static void print_tpm_version_info(private_pts_t *this)
 	else
 	{
 		DBG2(DBG_PTS, "TPM 1.2 Version Info: Chip Version: %hhu.%hhu.%hhu.%hhu,"
-					  " Spec Level: %hu, Errata Rev: %hhu, Vendor ID: %.4s",
+					  " Spec Level: %hu, Errata Rev: %hhu, Vendor ID: %.4s [%.*s]",
 					  versionInfo.version.major, versionInfo.version.minor,
 					  versionInfo.version.revMajor, versionInfo.version.revMinor,
 					  versionInfo.specLevel, versionInfo.errataRev,
-					  versionInfo.tpmVendorID);
+					  versionInfo.tpmVendorID, versionInfo.vendorSpecificSize,
+					  versionInfo.vendorSpecificSize ?
+					  (char*)versionInfo.vendorSpecific : "");
 	}
+	free(versionInfo.vendorSpecific);
+}
+
+#else
+
+static void print_tpm_version_info(private_pts_t *this)
+{
+	DBG1(DBG_PTS, "unknown TPM version: no TSS implementation available");
 }
 
+#endif /* TSS_TROUSERS */
+
 METHOD(pts_t, get_platform_info, char*,
 	private_pts_t *this)
 {
@@ -314,10 +337,15 @@ METHOD(pts_t, get_platform_info, char*,
 }
 
 METHOD(pts_t, set_platform_info, void,
-	private_pts_t *this, char *info)
+	private_pts_t *this, chunk_t name, chunk_t version)
 {
+	int len = name.len + 1 + version.len + 1;
+
+	/* platform info is a concatenation of OS name and OS version */
 	free(this->platform_info);
-	this->platform_info = strdup(info);
+	this->platform_info = malloc(len);
+	snprintf(this->platform_info, len, "%.*s %.*s", (int)name.len, name.ptr,
+			(int)version.len, version.ptr);
 }
 
 METHOD(pts_t, get_tpm_version_info, bool,
@@ -606,6 +634,9 @@ METHOD(pts_t, get_metadata, pts_file_meta_t*,
 	return metadata;
 }
 
+
+#ifdef TSS_TROUSERS
+
 METHOD(pts_t, read_pcr, bool,
 	private_pts_t *this, u_int32_t pcr_num, chunk_t *pcr_value)
 {
@@ -857,21 +888,35 @@ err2:
 
 err1:
 	Tspi_Context_Close(hContext);
-
 	if (!success)
 	{
 		DBG1(DBG_PTS, "TPM not available: tss error 0x%x", result);
 	}
-
 	return success;
 }
 
-METHOD(pts_t, get_pcrs, pts_pcr_t*,
-	private_pts_t *this)
+#else /* TSS_TROUSERS */
+
+METHOD(pts_t, read_pcr, bool,
+	private_pts_t *this, u_int32_t pcr_num, chunk_t *pcr_value)
 {
-	return this->pcrs;
+	return FALSE;
 }
 
+METHOD(pts_t, extend_pcr, bool,
+	private_pts_t *this, u_int32_t pcr_num, chunk_t input, chunk_t *output)
+{
+	return FALSE;
+}
+
+METHOD(pts_t, quote_tpm, bool,
+	private_pts_t *this, bool use_quote2, chunk_t *pcr_comp, chunk_t *quote_sig)
+{
+	return FALSE;
+}
+
+#endif /* TSS_TROUSERS */
+
 /**
  * TPM_QUOTE_INFO structure:
  *	4 bytes of version
@@ -1032,6 +1077,12 @@ METHOD(pts_t, verify_quote_signature, bool,
 	return TRUE;
 }
 
+METHOD(pts_t, get_pcrs, pts_pcr_t*,
+	private_pts_t *this)
+{
+	return this->pcrs;
+}
+
 METHOD(pts_t, destroy, void,
 	private_pts_t *this)
 {
@@ -1047,121 +1098,8 @@ METHOD(pts_t, destroy, void,
 	free(this);
 }
 
-#define RELEASE_LSB		0
-#define RELEASE_DEBIAN	1
 
-/**
- * Determine Linux distribution and hardware platform
- */
-static char* extract_platform_info(void)
-{
-	FILE *file;
-	char buf[BUF_LEN], *pos = buf, *value = NULL;
-	int i, len = BUF_LEN - 1;
-	struct utsname uninfo;
-
-	/* Linux/Unix distribution release info (from http://linuxmafia.com) */
-	const char* releases[] = {
-		"/etc/lsb-release",           "/etc/debian_version",
-		"/etc/SuSE-release",          "/etc/novell-release",
-		"/etc/sles-release",          "/etc/redhat-release",
-		"/etc/fedora-release",        "/etc/gentoo-release",
-		"/etc/slackware-version",     "/etc/annvix-release",
-		"/etc/arch-release",          "/etc/arklinux-release",
-		"/etc/aurox-release",         "/etc/blackcat-release",
-		"/etc/cobalt-release",        "/etc/conectiva-release",
-		"/etc/debian_release",        "/etc/immunix-release",
-		"/etc/lfs-release",           "/etc/linuxppc-release",
-		"/etc/mandrake-release",      "/etc/mandriva-release",
-		"/etc/mandrakelinux-release", "/etc/mklinux-release",
-		"/etc/pld-release",           "/etc/redhat_version",
-		"/etc/slackware-release",     "/etc/e-smith-release",
-		"/etc/release",               "/etc/sun-release",
-		"/etc/tinysofa-release",      "/etc/turbolinux-release",
-		"/etc/ultrapenguin-release",  "/etc/UnitedLinux-release",
-		"/etc/va-release",            "/etc/yellowdog-release"
-	};
-
-	const char description[] = "DISTRIB_DESCRIPTION=\"";
-	const char str_debian[] = "Debian ";
-
-	for (i = 0; i < countof(releases); i++)
-	{
-		file = fopen(releases[i], "r");
-		if (!file)
-		{
-			continue;
-		}
-
-		if (i == RELEASE_DEBIAN)
-		{
-			strcpy(buf, str_debian);
-			pos += strlen(str_debian);
-			len -= strlen(str_debian);
-		}
-
-		fseek(file, 0, SEEK_END);
-		len = min(ftell(file), len);
-		rewind(file);
-		pos[len] = '\0';
-		if (fread(pos, 1, len, file) != len)
-		{
-			DBG1(DBG_PTS, "failed to read file '%s'", releases[i]);
-			fclose(file);
-			return NULL;
-		}
-		fclose(file);
-
-		if (i == RELEASE_LSB)
-		{
-			pos = strstr(buf, description);
-			if (!pos)
-			{
-				DBG1(DBG_PTS, "failed to find begin of lsb-release "
-							  "DESCRIPTION field");
-				return NULL;
-			}
-			value = pos + strlen(description);
-			pos = strchr(value, '"');
-			if (!pos)
-			{
-				DBG1(DBG_PTS, "failed to find end of lsb-release "
-							  "DESCRIPTION field");
-				return NULL;
-			 }
-		}
-		else
-		{
-			value = buf;
-			pos = strchr(pos, '\n');
-			if (!pos)
-			{
-				DBG1(DBG_PTS, "failed to find end of release string");
-				return NULL;
-			 }
-		}
-		break;
-	}
-
-	if (!value)
-	{
-		DBG1(DBG_PTS, "no distribution release file found");
-		return NULL;
-	}
-
-	if (uname(&uninfo) < 0)
-	{
-		DBG1(DBG_PTS, "could not retrieve machine architecture");
-		return NULL;
-	}
-
-	*pos++ = ' ';
-	len = sizeof(buf)-1 + (pos - buf);
-	strncpy(pos, uninfo.machine, len);
-
-	DBG1(DBG_PTS, "platform is '%s'", value);
-	return strdup(value);
-}
+#ifdef TSS_TROUSERS
 
 /**
  * Check for a TPM by querying for TPM Version Info
@@ -1211,6 +1149,16 @@ static bool has_tpm(private_pts_t *this)
 	return FALSE;
 }
 
+#else /* TSS_TROUSERS */
+
+static bool has_tpm(private_pts_t *this)
+{
+	return FALSE;
+}
+
+#endif /* TSS_TROUSERS */
+
+
 /**
  * See header
  */
@@ -1264,8 +1212,6 @@ pts_t *pts_create(bool is_imc)
 
 	if (is_imc)
 	{
-		this->platform_info = extract_platform_info();
-
 		if (has_tpm(this))
 		{
 			this->has_tpm = TRUE;
diff --git a/src/libpts/pts/pts.h b/src/libpts/pts/pts.h
index 5f88cd15c..423a4c802 100644
--- a/src/libpts/pts/pts.h
+++ b/src/libpts/pts/pts.h
@@ -35,7 +35,7 @@ typedef struct pts_t pts_t;
 #include "components/pts_comp_func_name.h"
 
 #include <library.h>
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
 
 /**
  * UTF-8 encoding of the character used to delimiter the filename
@@ -171,9 +171,10 @@ struct pts_t {
 	/**
 	 * Set Platform and OS Info
 	 *
-	 * @param info				Platform and OS info
+	 * @param name				OS name
+	 * @param version			OS version
 	 */
-	void (*set_platform_info)(pts_t *this, char *info);
+	void (*set_platform_info)(pts_t *this, chunk_t name, chunk_t version);
 
 	/**
 	 * Get TPM 1.2 Version Info
diff --git a/src/libpts/pts/pts_creds.c b/src/libpts/pts/pts_creds.c
index 5a6197bdb..bc483eb84 100644
--- a/src/libpts/pts/pts_creds.c
+++ b/src/libpts/pts/pts_creds.c
@@ -15,7 +15,7 @@
 
 #include "pts_creds.h"
 
-#include <debug.h>
+#include <utils/debug.h>
 #include <credentials/certificates/x509.h>
 #include <credentials/sets/mem_cred.h>
 
diff --git a/src/libpts/pts/pts_database.c b/src/libpts/pts/pts_database.c
index 946f37e1e..e0778aaef 100644
--- a/src/libpts/pts/pts_database.c
+++ b/src/libpts/pts/pts_database.c
@@ -15,7 +15,7 @@
 
 #include "pts_database.h"
 
-#include <debug.h>
+#include <utils/debug.h>
 #include <crypto/hashers/hasher.h>
 
 
@@ -151,7 +151,7 @@ METHOD(pts_database_t, check_file_measurement, status_t,
 		{
 			status = VERIFY_ERROR;
 		}
-	}	
+	}
 	e->destroy(e);
 
 	return status;
@@ -179,7 +179,7 @@ METHOD(pts_database_t, check_comp_measurement, status_t,
 	enumerator_t *e;
 	chunk_t hash;
 	status_t status = NOT_FOUND;
-	
+
 	e = this->db->query(this->db,
 					"SELECT hash FROM component_hashes "
 					"WHERE component = ?  AND key = ? "
@@ -188,7 +188,7 @@ METHOD(pts_database_t, check_comp_measurement, status_t,
 					DB_INT, pcr, DB_INT, algo, DB_BLOB);
 	if (!e)
 	{
-		DBG1(DBG_PTS, "no database query enumerator returned"); 
+		DBG1(DBG_PTS, "no database query enumerator returned");
 		return FAILED;
 	}
 
@@ -225,7 +225,7 @@ METHOD(pts_database_t, insert_comp_measurement, status_t,
 	int seq_no, int pcr, pts_meas_algorithms_t algo)
 {
 	int id;
-	
+
 	if (this->db->execute(this->db, &id,
 					"INSERT INTO component_hashes "
 					"(component, key, seq_no, pcr, algo, hash) "
diff --git a/src/libpts/pts/pts_dh_group.c b/src/libpts/pts/pts_dh_group.c
index fb141327f..41a436036 100644
--- a/src/libpts/pts/pts_dh_group.c
+++ b/src/libpts/pts/pts_dh_group.c
@@ -15,7 +15,7 @@
 
 #include "pts_dh_group.h"
 
-#include <debug.h>
+#include <utils/debug.h>
 
 /**
  * Described in header.
@@ -27,7 +27,7 @@ bool pts_dh_group_probe(pts_dh_group_t *dh_groups)
 	const char *plugin_name;
 	char format1[] = "  %s PTS DH group %N[%s] available";
 	char format2[] = "  %s PTS DH group %N not available";
-	
+
 	*dh_groups = PTS_DH_GROUP_NONE;
 
 	enumerator = lib->crypto->create_dh_enumerator(lib->crypto);
diff --git a/src/libpts/pts/pts_file_meas.c b/src/libpts/pts/pts_file_meas.c
index 4fece6b3c..e69c32443 100644
--- a/src/libpts/pts/pts_file_meas.c
+++ b/src/libpts/pts/pts_file_meas.c
@@ -15,8 +15,8 @@
 
 #include "pts_file_meas.h"
 
-#include <utils/linked_list.h>
-#include <debug.h>
+#include <collections/linked_list.h>
+#include <utils/debug.h>
 
 #include <sys/stat.h>
 #include <libgen.h>
@@ -179,7 +179,7 @@ METHOD(pts_file_meas_t, verify, bool,
 			}
 		}
 		enumerator->destroy(enumerator);
-		
+
 		if (!found)
 		{
 			DBG1(DBG_PTS, "  no measurement found for '%s'", filename);
@@ -200,7 +200,7 @@ METHOD(pts_file_meas_t, verify, bool,
 			break;
 		}
 	}
-	return success;	
+	return success;
 }
 
 METHOD(pts_file_meas_t, destroy, void,
diff --git a/src/libpts/pts/pts_file_meta.c b/src/libpts/pts/pts_file_meta.c
index 6ed1c01b4..9cca0a5a5 100644
--- a/src/libpts/pts/pts_file_meta.c
+++ b/src/libpts/pts/pts_file_meta.c
@@ -15,8 +15,8 @@
 
 #include "pts_file_meta.h"
 
-#include <utils/linked_list.h>
-#include <debug.h>
+#include <collections/linked_list.h>
+#include <utils/debug.h>
 
 typedef struct private_pts_file_meta_t private_pts_file_meta_t;
 
diff --git a/src/libpts/pts/pts_meas_algo.c b/src/libpts/pts/pts_meas_algo.c
index fbc9c6959..16a66e7b3 100644
--- a/src/libpts/pts/pts_meas_algo.c
+++ b/src/libpts/pts/pts_meas_algo.c
@@ -15,7 +15,7 @@
 
 #include "pts_meas_algo.h"
 
-#include <debug.h>
+#include <utils/debug.h>
 
 ENUM_BEGIN(pts_meas_algorithm_names, PTS_MEAS_ALGO_NONE, PTS_MEAS_ALGO_NONE,
 	"None");
@@ -43,7 +43,7 @@ bool pts_meas_algo_probe(pts_meas_algorithms_t *algorithms)
 	const char *plugin_name;
 	char format1[] = "  %s PTS measurement algorithm %N[%s] available";
 	char format2[] = "  %s PTS measurement algorithm %N not available";
-	
+
 	*algorithms = 0;
 
 	enumerator = lib->crypto->create_hasher_enumerator(lib->crypto);
diff --git a/src/libpts/pts/pts_pcr.c b/src/libpts/pts/pts_pcr.c
index a7a2f5fae..0af93b608 100644
--- a/src/libpts/pts/pts_pcr.c
+++ b/src/libpts/pts/pts_pcr.c
@@ -15,7 +15,7 @@
 
 #include "pts_pcr.h"
 
-#include <debug.h>
+#include <utils/debug.h>
 
 #include <stdarg.h>
 
diff --git a/src/libpts/tcg/tcg_pts_attr_aik.c b/src/libpts/tcg/tcg_pts_attr_aik.c
index 75f3f179c..d5bbdc9cd 100644
--- a/src/libpts/tcg/tcg_pts_attr_aik.c
+++ b/src/libpts/tcg/tcg_pts_attr_aik.c
@@ -18,7 +18,7 @@
 #include <pa_tnc/pa_tnc_msg.h>
 #include <bio/bio_writer.h>
 #include <bio/bio_reader.h>
-#include <debug.h>
+#include <utils/debug.h>
 
 typedef struct private_tcg_pts_attr_aik_t private_tcg_pts_attr_aik_t;
 
@@ -57,7 +57,7 @@ struct private_tcg_pts_attr_aik_t {
 	 * Attribute value
 	 */
 	chunk_t value;
-	
+
 	/**
 	 * Noskip flag
 	 */
@@ -135,7 +135,7 @@ METHOD(pa_tnc_attr_t, process, status_t,
 	u_int8_t flags;
 	certificate_type_t type;
 	chunk_t aik_blob;
-	
+
 	if (this->value.len < PTS_AIK_SIZE)
 	{
 		DBG1(DBG_TNC, "insufficient data for Attestation Identity Key");
diff --git a/src/libpts/tcg/tcg_pts_attr_dh_nonce_finish.c b/src/libpts/tcg/tcg_pts_attr_dh_nonce_finish.c
index 3ca255cba..4d7281243 100644
--- a/src/libpts/tcg/tcg_pts_attr_dh_nonce_finish.c
+++ b/src/libpts/tcg/tcg_pts_attr_dh_nonce_finish.c
@@ -18,7 +18,7 @@
 #include <pa_tnc/pa_tnc_msg.h>
 #include <bio/bio_writer.h>
 #include <bio/bio_reader.h>
-#include <debug.h>
+#include <utils/debug.h>
 
 typedef struct private_tcg_pts_attr_dh_nonce_finish_t
 					private_tcg_pts_attr_dh_nonce_finish_t;
@@ -36,7 +36,7 @@ typedef struct private_tcg_pts_attr_dh_nonce_finish_t
  *  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
  *  |						D-H Initiator Nonce ...					|
  *  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- *  
+ *
  */
 
 #define PTS_DH_NONCE_FINISH_SIZE			12
@@ -66,7 +66,7 @@ struct private_tcg_pts_attr_dh_nonce_finish_t {
 	 * Noskip flag
 	 */
 	bool noskip_flag;
-	
+
 	/**
 	 * Selected Hashing Algorithm
 	 */
@@ -127,7 +127,7 @@ METHOD(pa_tnc_attr_t, build, void,
 	writer->write_uint16(writer, this->hash_algo);
 	writer->write_data  (writer, this->initiator_value);
 	writer->write_data  (writer, this->initiator_nonce);
-	
+
 	this->value = chunk_clone(writer->get_buf(writer));
 	writer->destroy(writer);
 }
diff --git a/src/libpts/tcg/tcg_pts_attr_dh_nonce_params_req.c b/src/libpts/tcg/tcg_pts_attr_dh_nonce_params_req.c
index 828c09605..7796dbaab 100644
--- a/src/libpts/tcg/tcg_pts_attr_dh_nonce_params_req.c
+++ b/src/libpts/tcg/tcg_pts_attr_dh_nonce_params_req.c
@@ -18,7 +18,7 @@
 #include <pa_tnc/pa_tnc_msg.h>
 #include <bio/bio_writer.h>
 #include <bio/bio_reader.h>
-#include <debug.h>
+#include <utils/debug.h>
 
 typedef struct private_tcg_pts_attr_dh_nonce_params_req_t
 					private_tcg_pts_attr_dh_nonce_params_req_t;
@@ -32,7 +32,7 @@ typedef struct private_tcg_pts_attr_dh_nonce_params_req_t
  *  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
  *  |	Reserved  | Min. Nonce Len |		D-H Group Set			|
  *  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- *  
+ *
  */
 
 #define PTS_DH_NONCE_PARAMS_REQ_SIZE			4
@@ -62,7 +62,7 @@ struct private_tcg_pts_attr_dh_nonce_params_req_t {
 	 * Noskip flag
 	 */
 	bool noskip_flag;
-	
+
 	/**
 	 * Minimum acceptable length of nonce
 	 */
@@ -116,7 +116,7 @@ METHOD(pa_tnc_attr_t, build, void,
 	writer->write_uint8 (writer, PTS_DH_NONCE_PARAMS_REQ_RESERVED);
 	writer->write_uint8 (writer, this->min_nonce_len);
 	writer->write_uint16(writer, this->dh_groups);
-	
+
 	this->value = chunk_clone(writer->get_buf(writer));
 	writer->destroy(writer);
 }
diff --git a/src/libpts/tcg/tcg_pts_attr_dh_nonce_params_resp.c b/src/libpts/tcg/tcg_pts_attr_dh_nonce_params_resp.c
index 66ac185b3..1e82e7098 100644
--- a/src/libpts/tcg/tcg_pts_attr_dh_nonce_params_resp.c
+++ b/src/libpts/tcg/tcg_pts_attr_dh_nonce_params_resp.c
@@ -18,7 +18,7 @@
 #include <pa_tnc/pa_tnc_msg.h>
 #include <bio/bio_writer.h>
 #include <bio/bio_reader.h>
-#include <debug.h>
+#include <utils/debug.h>
 
 typedef struct private_tcg_pts_attr_dh_nonce_params_resp_t
 					private_tcg_pts_attr_dh_nonce_params_resp_t;
@@ -38,7 +38,7 @@ typedef struct private_tcg_pts_attr_dh_nonce_params_resp_t
  *  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
  *  |					D-H Responder Public Value ...				|
  *  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- *  
+ *
  */
 
 #define PTS_DH_NONCE_PARAMS_RESP_SIZE			16
@@ -68,7 +68,7 @@ struct private_tcg_pts_attr_dh_nonce_params_resp_t {
 	 * Noskip flag
 	 */
 	bool noskip_flag;
-	
+
 	/**
 	 * Selected Diffie Hellman group
 	 */
@@ -135,7 +135,7 @@ METHOD(pa_tnc_attr_t, build, void,
 	writer->write_uint16(writer, this->hash_algo_set);
 	writer->write_data  (writer, this->responder_nonce);
 	writer->write_data  (writer, this->responder_value);
-	
+
 	this->value = chunk_clone(writer->get_buf(writer));
 	writer->destroy(writer);
 }
diff --git a/src/libpts/tcg/tcg_pts_attr_file_meas.c b/src/libpts/tcg/tcg_pts_attr_file_meas.c
index 01c4361e1..1daac70e5 100644
--- a/src/libpts/tcg/tcg_pts_attr_file_meas.c
+++ b/src/libpts/tcg/tcg_pts_attr_file_meas.c
@@ -18,15 +18,15 @@
 #include <pa_tnc/pa_tnc_msg.h>
 #include <bio/bio_writer.h>
 #include <bio/bio_reader.h>
-#include <utils/linked_list.h>
-#include <debug.h>
+#include <collections/linked_list.h>
+#include <utils/debug.h>
 
 typedef struct private_tcg_pts_attr_file_meas_t private_tcg_pts_attr_file_meas_t;
 
 /**
  * File Measurement
  * see section 3.19.2 of PTS Protocol: Binding to TNC IF-M Specification
- * 
+ *
  *					   1				   2				   3
  *   0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
  *  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
@@ -72,12 +72,12 @@ struct private_tcg_pts_attr_file_meas_t {
 	 * Attribute value
 	 */
 	chunk_t value;
-	
+
 	/**
 	 * Noskip flag
 	 */
 	bool noskip_flag;
-	
+
 	/**
 	 * PTS File Measurements
 	 */
@@ -123,7 +123,7 @@ METHOD(pa_tnc_attr_t, build, void,
 	char *filename;
 	chunk_t measurement;
 	bool first = TRUE;
-	
+
 	if (this->value.ptr)
 	{
 		return;
@@ -144,8 +144,7 @@ METHOD(pa_tnc_attr_t, build, void,
 			first = FALSE;
 		}
 		writer->write_data  (writer, measurement);
-		writer->write_uint16(writer, strlen(filename));
-		writer->write_data  (writer, chunk_create(filename, strlen(filename)));
+		writer->write_data16(writer, chunk_create(filename, strlen(filename)));
 	}
 	enumerator->destroy(enumerator);
 
@@ -164,12 +163,12 @@ METHOD(pa_tnc_attr_t, process, status_t,
 {
 	bio_reader_t *reader;
 	u_int64_t number_of_files;
-	u_int16_t request_id, meas_len, filename_len;
-	size_t len;
+	u_int16_t request_id, meas_len;
 	chunk_t measurement, filename;
+	size_t len;
 	char buf[BUF_LEN];
 	status_t status = FAILED;
-	
+
 	if (this->value.len < PTS_FILE_MEAS_SIZE)
 	{
 		DBG1(DBG_TNC, "insufficient data for PTS file measurement header");
@@ -181,9 +180,10 @@ METHOD(pa_tnc_attr_t, process, status_t,
 	reader->read_uint64(reader, &number_of_files);
 	reader->read_uint16(reader, &request_id);
 	reader->read_uint16(reader, &meas_len);
-	
+	*offset = PTS_FILE_MEAS_SIZE;
+
 	this->measurements = pts_file_meas_create(request_id);
-	
+
 	while (number_of_files--)
 	{
 		if (!reader->read_data(reader, meas_len, &measurement))
@@ -191,16 +191,14 @@ METHOD(pa_tnc_attr_t, process, status_t,
 			DBG1(DBG_TNC, "insufficient data for PTS file measurement");
 			goto end;
 		}
-		if (!reader->read_uint16(reader, &filename_len))
-		{
-			DBG1(DBG_TNC, "insufficient data for filename length");
-			goto end;
-		}
-		if (!reader->read_data(reader, filename_len, &filename))
+		*offset += meas_len;
+
+		if (!reader->read_data16(reader, &filename))
 		{
 			DBG1(DBG_TNC, "insufficient data for filename");
 			goto end;
 		}
+		*offset += 2 + filename.len;
 
 		len = min(filename.len, BUF_LEN-1);
 		memcpy(buf, filename.ptr, len);
@@ -225,7 +223,7 @@ METHOD(pa_tnc_attr_t, destroy, void,
 {
 	if (ref_put(&this->ref))
 	{
-		this->measurements->destroy(this->measurements);
+		DESTROY_IF(this->measurements);
 		free(this->value.ptr);
 		free(this);
 	}
diff --git a/src/libpts/tcg/tcg_pts_attr_gen_attest_evid.c b/src/libpts/tcg/tcg_pts_attr_gen_attest_evid.c
index 5eac5ecae..9103e06b2 100644
--- a/src/libpts/tcg/tcg_pts_attr_gen_attest_evid.c
+++ b/src/libpts/tcg/tcg_pts_attr_gen_attest_evid.c
@@ -18,7 +18,7 @@
 #include <pa_tnc/pa_tnc_msg.h>
 #include <bio/bio_writer.h>
 #include <bio/bio_reader.h>
-#include <debug.h>
+#include <utils/debug.h>
 
 typedef struct private_tcg_pts_attr_gen_attest_evid_t
 					private_tcg_pts_attr_gen_attest_evid_t;
@@ -33,7 +33,7 @@ typedef struct private_tcg_pts_attr_gen_attest_evid_t
  *  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
  *  |						   Reserved								|
  *  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- *  
+ *
  */
 
 #define PTS_GEN_ATTEST_EVID_SIZE		4
@@ -115,7 +115,7 @@ METHOD(pa_tnc_attr_t, process, status_t,
 {
 	bio_reader_t *reader;
 	u_int32_t reserved;
-	
+
 	if (this->value.len < PTS_GEN_ATTEST_EVID_SIZE)
 	{
 		DBG1(DBG_TNC, "insufficient data for Generate Attestation Evidence");
diff --git a/src/libpts/tcg/tcg_pts_attr_get_aik.c b/src/libpts/tcg/tcg_pts_attr_get_aik.c
index 4b5eae7a7..6f35f5419 100644
--- a/src/libpts/tcg/tcg_pts_attr_get_aik.c
+++ b/src/libpts/tcg/tcg_pts_attr_get_aik.c
@@ -18,7 +18,7 @@
 #include <pa_tnc/pa_tnc_msg.h>
 #include <bio/bio_writer.h>
 #include <bio/bio_reader.h>
-#include <debug.h>
+#include <utils/debug.h>
 
 typedef struct private_tcg_pts_attr_get_aik_t private_tcg_pts_attr_get_aik_t;
 
@@ -112,7 +112,7 @@ METHOD(pa_tnc_attr_t, process, status_t,
 {
 	bio_reader_t *reader;
 	u_int32_t reserved;
-	
+
 	if (this->value.len < PTS_GET_AIK_SIZE)
 	{
 		DBG1(DBG_TNC, "insufficient data for Get AIK");
diff --git a/src/libpts/tcg/tcg_pts_attr_get_tpm_version_info.c b/src/libpts/tcg/tcg_pts_attr_get_tpm_version_info.c
index 0cfc7efa9..4dd64e3a7 100644
--- a/src/libpts/tcg/tcg_pts_attr_get_tpm_version_info.c
+++ b/src/libpts/tcg/tcg_pts_attr_get_tpm_version_info.c
@@ -18,7 +18,7 @@
 #include <pa_tnc/pa_tnc_msg.h>
 #include <bio/bio_writer.h>
 #include <bio/bio_reader.h>
-#include <debug.h>
+#include <utils/debug.h>
 
 typedef struct private_tcg_pts_attr_get_tpm_version_info_t
 					private_tcg_pts_attr_get_tpm_version_info_t;
@@ -33,7 +33,7 @@ typedef struct private_tcg_pts_attr_get_tpm_version_info_t
  *  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
  *  |						   Reserved								|
  *  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- *  
+ *
  */
 
 #define PTS_GET_TPM_VER_INFO_SIZE		4
@@ -115,7 +115,7 @@ METHOD(pa_tnc_attr_t, process, status_t,
 {
 	bio_reader_t *reader;
 	u_int32_t reserved;
-	
+
 	if (this->value.len < PTS_GET_TPM_VER_INFO_SIZE)
 	{
 		DBG1(DBG_TNC, "insufficient data for Get TPM Version Information");
diff --git a/src/libpts/tcg/tcg_pts_attr_meas_algo.c b/src/libpts/tcg/tcg_pts_attr_meas_algo.c
index bb95adc9e..abef45bdd 100644
--- a/src/libpts/tcg/tcg_pts_attr_meas_algo.c
+++ b/src/libpts/tcg/tcg_pts_attr_meas_algo.c
@@ -18,12 +18,12 @@
 #include <pa_tnc/pa_tnc_msg.h>
 #include <bio/bio_writer.h>
 #include <bio/bio_reader.h>
-#include <debug.h>
+#include <utils/debug.h>
 
 typedef struct private_tcg_pts_attr_meas_algo_t private_tcg_pts_attr_meas_algo_t;
 
 /**
- * PTS Measurement Algorithm 
+ * PTS Measurement Algorithm
  * see section 3.9.1 of PTS Protocol: Binding to TNC IF-M Specification
  *
  *					   1				   2				   3
@@ -31,7 +31,7 @@ typedef struct private_tcg_pts_attr_meas_algo_t private_tcg_pts_attr_meas_algo_t
  *  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
  *  |			Reserved			|	   Hash Algorithm Set	  	|
  *  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- *  
+ *
  */
 
 #define PTS_MEAS_ALGO_SIZE		4
@@ -61,7 +61,7 @@ struct private_tcg_pts_attr_meas_algo_t {
 	 * Noskip flag
 	 */
 	bool noskip_flag;
-	
+
 	/**
 	 * Set of algorithms
 	 */
diff --git a/src/libpts/tcg/tcg_pts_attr_proto_caps.c b/src/libpts/tcg/tcg_pts_attr_proto_caps.c
index 83665ff69..360883282 100644
--- a/src/libpts/tcg/tcg_pts_attr_proto_caps.c
+++ b/src/libpts/tcg/tcg_pts_attr_proto_caps.c
@@ -18,7 +18,7 @@
 #include <pa_tnc/pa_tnc_msg.h>
 #include <bio/bio_writer.h>
 #include <bio/bio_reader.h>
-#include <debug.h>
+#include <utils/debug.h>
 
 typedef struct private_tcg_pts_attr_proto_caps_t private_tcg_pts_attr_proto_caps_t;
 
@@ -31,7 +31,7 @@ typedef struct private_tcg_pts_attr_proto_caps_t private_tcg_pts_attr_proto_caps
  *  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
  *  |						Reserved					  |C|V|D|T|X|
  *  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- *  
+ *
  */
 
 #define PTS_PROTO_CAPS_SIZE			4
@@ -61,7 +61,7 @@ struct private_tcg_pts_attr_proto_caps_t {
 	 * Noskip flag
 	 */
 	bool noskip_flag;
-	
+
 	/**
 	 * Set of flags
 	 */
@@ -109,7 +109,7 @@ METHOD(pa_tnc_attr_t, build, void,
 	writer = bio_writer_create(PTS_PROTO_CAPS_SIZE);
 	writer->write_uint16(writer, PTS_PROTO_CAPS_RESERVED);
 	writer->write_uint16(writer, this->flags);
-	
+
 	this->value = chunk_clone(writer->get_buf(writer));
 	writer->destroy(writer);
 }
diff --git a/src/libpts/tcg/tcg_pts_attr_req_file_meas.c b/src/libpts/tcg/tcg_pts_attr_req_file_meas.c
index 65bdff579..8b4bfe54d 100644
--- a/src/libpts/tcg/tcg_pts_attr_req_file_meas.c
+++ b/src/libpts/tcg/tcg_pts_attr_req_file_meas.c
@@ -18,14 +18,16 @@
 #include <pa_tnc/pa_tnc_msg.h>
 #include <bio/bio_writer.h>
 #include <bio/bio_reader.h>
-#include <debug.h>
+#include <utils/debug.h>
+
+#include <string.h>
 
 typedef struct private_tcg_pts_attr_req_file_meas_t private_tcg_pts_attr_req_file_meas_t;
 
 /**
  * Request File Measurement
  * see section 3.19.1 of PTS Protocol: Binding to TNC IF-M Specification
- * 
+ *
  *					   1				   2				   3
  *   0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
  *  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
@@ -62,12 +64,12 @@ struct private_tcg_pts_attr_req_file_meas_t {
 	 * Attribute value
 	 */
 	chunk_t value;
-	
+
 	/**
 	 * Noskip flag
 	 */
 	bool noskip_flag;
-	
+
 	/**
 	 * Directory Contents flag
 	 */
@@ -77,12 +79,12 @@ struct private_tcg_pts_attr_req_file_meas_t {
 	 * Request ID
 	 */
 	u_int16_t request_id;
-	
+
 	/**
 	 * UTF8 Encoding of Delimiter Character
 	 */
 	u_int32_t delimiter;
-	
+
 	/**
 	 * Fully Qualified File Pathname
 	 */
@@ -124,7 +126,7 @@ METHOD(pa_tnc_attr_t, build, void,
 	u_int8_t flags = PTS_REQ_FILE_MEAS_NO_FLAGS;
 	chunk_t pathname;
 	bio_writer_t *writer;
-	
+
 	if (this->value.ptr)
 	{
 		return;
@@ -152,7 +154,7 @@ METHOD(pa_tnc_attr_t, process, status_t,
 	u_int8_t flags;
 	u_int8_t reserved;
 	chunk_t pathname;
-	
+
 	if (this->value.len < PTS_REQ_FILE_MEAS_SIZE)
 	{
 		DBG1(DBG_TNC, "insufficient data for Request File Measurement");
@@ -169,10 +171,7 @@ METHOD(pa_tnc_attr_t, process, status_t,
 
 	this->directory_flag = (flags & DIRECTORY_CONTENTS_FLAG) !=
 							PTS_REQ_FILE_MEAS_NO_FLAGS;
-
-	this->pathname = malloc(pathname.len + 1);
-	memcpy(this->pathname, pathname.ptr, pathname.len);
-	this->pathname[pathname.len] = '\0';
+	this->pathname = strndup(pathname.ptr, pathname.len);
 
 	reader->destroy(reader);
 	return SUCCESS;
diff --git a/src/libpts/tcg/tcg_pts_attr_req_file_meta.c b/src/libpts/tcg/tcg_pts_attr_req_file_meta.c
index eb5114172..ff5581435 100644
--- a/src/libpts/tcg/tcg_pts_attr_req_file_meta.c
+++ b/src/libpts/tcg/tcg_pts_attr_req_file_meta.c
@@ -18,14 +18,16 @@
 #include <pa_tnc/pa_tnc_msg.h>
 #include <bio/bio_writer.h>
 #include <bio/bio_reader.h>
-#include <debug.h>
+#include <utils/debug.h>
+
+#include <string.h>
 
 typedef struct private_tcg_pts_attr_req_file_meta_t private_tcg_pts_attr_req_file_meta_t;
 
 /**
  * Request File Metadata
  * see section 3.17.1 of PTS Protocol: Binding to TNC IF-M Specification
- * 
+ *
  *					   1				   2				   3
  *   0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
  *  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
@@ -60,22 +62,22 @@ struct private_tcg_pts_attr_req_file_meta_t {
 	 * Attribute value
 	 */
 	chunk_t value;
-	
+
 	/**
 	 * Noskip flag
 	 */
 	bool noskip_flag;
-	
+
 	/**
 	 * Directory Contents flag
 	 */
 	bool directory_flag;
-	
+
 	/**
 	 * UTF8 Encoding of Delimiter Character
 	 */
 	u_int8_t delimiter;
-	
+
 	/**
 	 * Fully Qualified File Pathname
 	 */
@@ -117,7 +119,7 @@ METHOD(pa_tnc_attr_t, build, void,
 	u_int8_t flags = PTS_REQ_FILE_META_NO_FLAGS;
 	chunk_t pathname;
 	bio_writer_t *writer;
-	
+
 	if (this->value.ptr)
 	{
 		return;
@@ -132,7 +134,7 @@ METHOD(pa_tnc_attr_t, build, void,
 	writer->write_uint8 (writer, flags);
 	writer->write_uint8 (writer, this->delimiter);
 	writer->write_uint16(writer, PTS_REQ_FILE_META_RESERVED);
-	
+
 	writer->write_data  (writer, pathname);
 	this->value = chunk_clone(writer->get_buf(writer));
 	writer->destroy(writer);
@@ -145,7 +147,7 @@ METHOD(pa_tnc_attr_t, process, status_t,
 	u_int8_t flags;
 	u_int16_t reserved;
 	chunk_t pathname;
-	
+
 	if (this->value.len < PTS_REQ_FILE_META_SIZE)
 	{
 		DBG1(DBG_TNC, "insufficient data for Request File Metadata");
@@ -157,15 +159,12 @@ METHOD(pa_tnc_attr_t, process, status_t,
 	reader->read_uint8 (reader, &flags);
 	reader->read_uint8 (reader, &this->delimiter);
 	reader->read_uint16(reader, &reserved);
-	
+
 	reader->read_data  (reader, reader->remaining(reader), &pathname);
 
 	this->directory_flag = (flags & DIRECTORY_CONTENTS_FLAG) !=
 							PTS_REQ_FILE_META_NO_FLAGS;
-
-	this->pathname = malloc(pathname.len + 1);
-	memcpy(this->pathname, pathname.ptr, pathname.len);
-	this->pathname[pathname.len] = '\0';
+	this->pathname = strndup(pathname.ptr, pathname.len);
 
 	reader->destroy(reader);
 	return SUCCESS;
diff --git a/src/libpts/tcg/tcg_pts_attr_req_func_comp_evid.c b/src/libpts/tcg/tcg_pts_attr_req_func_comp_evid.c
index a631e9891..8bb43aef8 100644
--- a/src/libpts/tcg/tcg_pts_attr_req_func_comp_evid.c
+++ b/src/libpts/tcg/tcg_pts_attr_req_func_comp_evid.c
@@ -18,8 +18,8 @@
 #include <pa_tnc/pa_tnc_msg.h>
 #include <bio/bio_writer.h>
 #include <bio/bio_reader.h>
-#include <utils/linked_list.h>
-#include <debug.h>
+#include <collections/linked_list.h>
+#include <utils/debug.h>
 
 typedef struct private_tcg_pts_attr_req_func_comp_evid_t private_tcg_pts_attr_req_func_comp_evid_t;
 
@@ -47,7 +47,7 @@ typedef struct private_tcg_pts_attr_req_func_comp_evid_t private_tcg_pts_attr_re
  */
 
 /**
- * Component Functional Name Structure 
+ * Component Functional Name Structure
  * (see section 5.1 of PTS Protocol: Binding to TNC IF-M Specification)
  *
  *					   1				   2				   3
@@ -58,7 +58,7 @@ typedef struct private_tcg_pts_attr_req_func_comp_evid_t private_tcg_pts_attr_re
  *  |                   Component Functional Name                   |
  *  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
  */
- 
+
 #define PTS_REQ_FUNC_COMP_EVID_SIZE		12
 #define PTS_REQ_FUNC_COMP_FAMILY_MASK	0xC0
 
@@ -81,7 +81,7 @@ struct private_tcg_pts_attr_req_func_comp_evid_t {
 	 * Attribute value
 	 */
 	chunk_t value;
-	
+
 	/**
 	 * Noskip flag
 	 */
@@ -249,7 +249,7 @@ METHOD(pa_tnc_attr_t, process, status_t,
 		entry->flags = flags;
 		entry->depth = depth;
 		entry->name = pts_comp_func_name_create(vendor_id, name, qualifier);
-		
+
 		this->list->insert_last(this->list, entry);
 	}
 	status = SUCCESS;
diff --git a/src/libpts/tcg/tcg_pts_attr_simple_comp_evid.c b/src/libpts/tcg/tcg_pts_attr_simple_comp_evid.c
index 387f4a115..c659443b7 100644
--- a/src/libpts/tcg/tcg_pts_attr_simple_comp_evid.c
+++ b/src/libpts/tcg/tcg_pts_attr_simple_comp_evid.c
@@ -18,16 +18,16 @@
 #include <pa_tnc/pa_tnc_msg.h>
 #include <bio/bio_writer.h>
 #include <bio/bio_reader.h>
-#include <debug.h>
+#include <utils/debug.h>
 
 #include <time.h>
 
 typedef struct private_tcg_pts_attr_simple_comp_evid_t private_tcg_pts_attr_simple_comp_evid_t;
 
 /**
- * Simple Component Evidence 
+ * Simple Component Evidence
  * see section 3.15.1 of PTS Protocol: Binding to TNC IF-M Specification
- * 
+ *
  *					   1				   2				   3
  *   0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
  *  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
@@ -66,7 +66,7 @@ typedef struct private_tcg_pts_attr_simple_comp_evid_t private_tcg_pts_attr_simp
  */
 
 /**
- * Specific Functional Component -> Component Functional Name Structure 
+ * Specific Functional Component -> Component Functional Name Structure
  * see section 5.1 of PTS Protocol: Binding to TNC IF-M Specification
  *
  *					   1				   2				   3
@@ -108,12 +108,12 @@ struct private_tcg_pts_attr_simple_comp_evid_t {
 	 * Attribute value
 	 */
 	chunk_t value;
-	
+
 	/**
 	 * Noskip flag
 	 */
 	bool noskip_flag;
-	
+
 	/**
 	 * PTS Component Evidence
 	 */
@@ -184,7 +184,7 @@ METHOD(pa_tnc_attr_t, build, void,
 	pts_comp_evid_validation_t validation;
 	time_t measurement_time;
 	chunk_t measurement, utc_time, pcr_before, pcr_after;
-	
+
 	if (this->value.ptr)
 	{
 		return;
@@ -200,7 +200,7 @@ METHOD(pa_tnc_attr_t, build, void,
 							&pcr_before, &pcr_after);
 	validation   = this->evidence->get_validation(this->evidence,
 							&policy_uri);
-	
+
 	/* Determine the flags to set*/
 	flags = validation;
 	if (has_pcr_info)
@@ -208,7 +208,7 @@ METHOD(pa_tnc_attr_t, build, void,
 		flags |= PTS_SIMPLE_COMP_EVID_FLAG_PCR;
 	}
 
-	utc_time = chunk_create(utc_time_buf, PTS_SIMPLE_COMP_EVID_MEAS_TIME_SIZE);	
+	utc_time = chunk_create(utc_time_buf, PTS_SIMPLE_COMP_EVID_MEAS_TIME_SIZE);
 	measurement_time_to_utc(measurement_time, &utc_time);
 
 	writer = bio_writer_create(PTS_SIMPLE_COMP_EVID_SIZE);
@@ -224,7 +224,7 @@ METHOD(pa_tnc_attr_t, build, void,
 	writer->write_uint8 (writer, transform);
 	writer->write_uint8 (writer, PTS_SIMPLE_COMP_EVID_RESERVED);
 	writer->write_data  (writer, utc_time);
-	
+
 	/* Optional fields */
 	if (validation == PTS_COMP_EVID_VALIDATION_FAILED ||
 		validation == PTS_COMP_EVID_VALIDATION_PASSED)
@@ -241,7 +241,7 @@ METHOD(pa_tnc_attr_t, build, void,
 	}
 
 	writer->write_data(writer, measurement);
-	
+
 	this->value = chunk_clone(writer->get_buf(writer));
 	writer->destroy(writer);
 }
@@ -250,7 +250,7 @@ static const int days[] = { 0, 31, 59, 90, 120, 151, 181, 212, 243, 273, 304, 33
 static const int tm_leap_1970 = 477;
 
 /**
- * Convert Simple Component Evidence UTS string format to time_t  
+ * Convert Simple Component Evidence UTS string format to time_t
  */
 bool measurement_time_from_utc(time_t *measurement_time, chunk_t utc_time)
 {
@@ -314,7 +314,7 @@ METHOD(pa_tnc_attr_t, process, status_t,
 		return FAILED;
 	}
 	reader = bio_reader_create(this->value);
-	
+
 	reader->read_uint8 (reader, &flags);
 	reader->read_uint24(reader, &depth);
 	reader->read_uint24(reader, &vendor_id);
@@ -364,7 +364,7 @@ METHOD(pa_tnc_attr_t, process, status_t,
 		}
 		has_validation = TRUE;
 	}
-	
+
 	/*  Are optional PCR value fields included? */
 	if (flags & PTS_SIMPLE_COMP_EVID_FLAG_PCR)
 	{
@@ -389,11 +389,11 @@ METHOD(pa_tnc_attr_t, process, status_t,
 		has_pcr_info = TRUE;
 	}
 
-	/* Measurement field comes at the very end */ 
+	/* Measurement field comes at the very end */
 	reader->read_data(reader,reader->remaining(reader), &measurement);
 	reader->destroy(reader);
 
-	/* Create Component Functional Name object */	
+	/* Create Component Functional Name object */
 	name = pts_comp_func_name_create(vendor_id, comp_name, qualifier);
 
 	/* Create Component Evidence object */
@@ -439,7 +439,7 @@ METHOD(pa_tnc_attr_t, destroy, void,
 {
 	if (ref_put(&this->ref))
 	{
-		this->evidence->destroy(this->evidence);
+		DESTROY_IF(this->evidence);
 		free(this->value.ptr);
 		free(this);
 	}
@@ -457,7 +457,7 @@ METHOD(tcg_pts_attr_simple_comp_evid_t, get_comp_evidence, pts_comp_evidence_t*,
 pa_tnc_attr_t *tcg_pts_attr_simple_comp_evid_create(pts_comp_evidence_t *evid)
 {
 	private_tcg_pts_attr_simple_comp_evid_t *this;
-	
+
 	INIT(this,
 		.public = {
 			.pa_tnc_attribute = {
diff --git a/src/libpts/tcg/tcg_pts_attr_simple_evid_final.c b/src/libpts/tcg/tcg_pts_attr_simple_evid_final.c
index 8d2d4f82d..8c76651d6 100644
--- a/src/libpts/tcg/tcg_pts_attr_simple_evid_final.c
+++ b/src/libpts/tcg/tcg_pts_attr_simple_evid_final.c
@@ -19,14 +19,14 @@
 #include <pa_tnc/pa_tnc_msg.h>
 #include <bio/bio_writer.h>
 #include <bio/bio_reader.h>
-#include <debug.h>
+#include <utils/debug.h>
 
 typedef struct private_tcg_pts_attr_simple_evid_final_t private_tcg_pts_attr_simple_evid_final_t;
 
 /**
  * Simple Evidence Final
  * see section 3.15.2 of PTS Protocol: Binding to TNC IF-M Specification
- * 
+ *
  *					   1				   2				   3
  *   0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
  *  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
@@ -66,7 +66,7 @@ struct private_tcg_pts_attr_simple_evid_final_t {
 	 * Attribute value
 	 */
 	chunk_t value;
-	
+
 	/**
 	 * Noskip flag
 	 */
@@ -81,22 +81,22 @@ struct private_tcg_pts_attr_simple_evid_final_t {
 	 * Optional Composite Hash Algorithm
 	 */
 	pts_meas_algorithms_t comp_hash_algorithm;
-	
+
 	/**
 	 * Optional TPM PCR Composite
 	 */
 	chunk_t pcr_comp;
-	
+
 	/**
 	 * Optional TPM Quote Signature
 	 */
 	chunk_t tpm_quote_sig;
-	
+
 	/**
 	 * Is Evidence Signature included?
 	 */
 	bool has_evid_sig;
-	
+
 	/**
 	 * Optional Evidence Signature
 	 */
@@ -157,7 +157,7 @@ METHOD(pa_tnc_attr_t, build, void,
 {
 	bio_writer_t *writer;
 	u_int8_t flags;
-	
+
 	if (this->value.ptr)
 	{
 		return;
@@ -172,7 +172,7 @@ METHOD(pa_tnc_attr_t, build, void,
 	writer = bio_writer_create(PTS_SIMPLE_EVID_FINAL_SIZE);
 	writer->write_uint8 (writer, flags);
 	writer->write_uint8 (writer, PTS_SIMPLE_EVID_FINAL_RESERVED);
-	
+
 	/** Optional Composite Hash Algorithm field is always present
 	 * Field has value of all zeroes if not used.
 	 * Implemented adhering the suggestion of Paul Sangster 28.Oct.2011
@@ -193,7 +193,7 @@ METHOD(pa_tnc_attr_t, build, void,
 	{
 		writer->write_data (writer, this->evid_sig);
 	}
-	
+
 	this->value = chunk_clone(writer->get_buf(writer));
 	writer->destroy(writer);
 }
@@ -206,7 +206,7 @@ METHOD(pa_tnc_attr_t, process, status_t,
 	u_int16_t algorithm;
 	u_int32_t pcr_comp_len, tpm_quote_sig_len, evid_sig_len;
 	status_t status = FAILED;
-	
+
 	if (this->value.len < PTS_SIMPLE_EVID_FINAL_SIZE)
 	{
 		DBG1(DBG_TNC, "insufficient data for Simple Evidence Final");
@@ -214,7 +214,7 @@ METHOD(pa_tnc_attr_t, process, status_t,
 		return FAILED;
 	}
 	reader = bio_reader_create(this->value);
-	
+
 	reader->read_uint8(reader, &flags);
 	reader->read_uint8(reader, &reserved);
 
@@ -226,10 +226,10 @@ METHOD(pa_tnc_attr_t, process, status_t,
 	 * Field has value of all zeroes if not used.
 	 * Implemented adhering the suggestion of Paul Sangster 28.Oct.2011
 	 */
-	
+
 	reader->read_uint16(reader, &algorithm);
 	this->comp_hash_algorithm = algorithm;
-	
+
 	/*  Optional Composite Hash Algorithm and TPM PCR Composite fields */
 	if (this->flags != PTS_SIMPLE_EVID_FINAL_NO)
 	{
@@ -246,7 +246,7 @@ METHOD(pa_tnc_attr_t, process, status_t,
 			goto end;
 		}
 		this->pcr_comp = chunk_clone(this->pcr_comp);
-		
+
 		if (!reader->read_uint32(reader, &tpm_quote_sig_len))
 		{
 			DBG1(DBG_TNC, "insufficient data for PTS Simple Evidence Final "
@@ -261,7 +261,7 @@ METHOD(pa_tnc_attr_t, process, status_t,
 		}
 		this->tpm_quote_sig = chunk_clone(this->tpm_quote_sig);
 	}
-	
+
 	/*  Optional Evidence Signature field */
 	if (this->has_evid_sig)
 	{
@@ -269,7 +269,7 @@ METHOD(pa_tnc_attr_t, process, status_t,
 		reader->read_data(reader, evid_sig_len, &this->evid_sig);
 		this->evid_sig = chunk_clone(this->evid_sig);
 	}
-	
+
 	reader->destroy(reader);
 	return SUCCESS;
 
diff --git a/src/libpts/tcg/tcg_pts_attr_tpm_version_info.c b/src/libpts/tcg/tcg_pts_attr_tpm_version_info.c
index 8d1e78f18..5143e1676 100644
--- a/src/libpts/tcg/tcg_pts_attr_tpm_version_info.c
+++ b/src/libpts/tcg/tcg_pts_attr_tpm_version_info.c
@@ -18,7 +18,7 @@
 #include <pa_tnc/pa_tnc_msg.h>
 #include <bio/bio_writer.h>
 #include <bio/bio_reader.h>
-#include <debug.h>
+#include <utils/debug.h>
 
 typedef struct private_tcg_pts_attr_tpm_version_info_t private_tcg_pts_attr_tpm_version_info_t;
 
@@ -62,7 +62,7 @@ struct private_tcg_pts_attr_tpm_version_info_t {
 	 * Noskip flag
 	 */
 	bool noskip_flag;
-	
+
 	/**
 	 * TPM Version Information
 	 */
@@ -118,7 +118,7 @@ METHOD(pa_tnc_attr_t, process, status_t,
 	private_tcg_pts_attr_tpm_version_info_t *this, u_int32_t *offset)
 {
 	bio_reader_t *reader;
-	
+
 	if (this->value.len < PTS_TPM_VER_INFO_SIZE)
 	{
 		DBG1(DBG_TNC, "insufficient data for TPM Version Information");
diff --git a/src/libpts/tcg/tcg_pts_attr_unix_file_meta.c b/src/libpts/tcg/tcg_pts_attr_unix_file_meta.c
index 4f93ee885..56686d8ca 100644
--- a/src/libpts/tcg/tcg_pts_attr_unix_file_meta.c
+++ b/src/libpts/tcg/tcg_pts_attr_unix_file_meta.c
@@ -18,15 +18,17 @@
 #include <pa_tnc/pa_tnc_msg.h>
 #include <bio/bio_writer.h>
 #include <bio/bio_reader.h>
-#include <utils/linked_list.h>
-#include <debug.h>
+#include <collections/linked_list.h>
+#include <utils/debug.h>
+
+#include <string.h>
 
 typedef struct private_tcg_pts_attr_file_meta_t private_tcg_pts_attr_file_meta_t;
 
 /**
  * Unix-Style File Metadata
  * see section 3.17.3 of PTS Protocol: Binding to TNC IF-M Specification
- * 
+ *
  *					   1				   2				   3
  *   0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
  *  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
@@ -88,12 +90,12 @@ struct private_tcg_pts_attr_file_meta_t {
 	 * Attribute value
 	 */
 	chunk_t value;
-	
+
 	/**
 	 * Noskip flag
 	 */
 	bool noskip_flag;
-	
+
 	/**
 	 * PTS File Metadata
 	 */
@@ -136,7 +138,7 @@ METHOD(pa_tnc_attr_t, build, void,
 	enumerator_t *enumerator;
 	pts_file_metadata_t *entry;
 	u_int64_t number_of_files;
-	
+
 	if (this->value.ptr)
 	{
 		return;
@@ -163,7 +165,7 @@ METHOD(pa_tnc_attr_t, build, void,
 												  strlen(entry->filename)));
 	}
 	enumerator->destroy(enumerator);
-	
+
 	this->value = chunk_clone(writer->get_buf(writer));
 	writer->destroy(writer);
 }
@@ -179,7 +181,7 @@ METHOD(pa_tnc_attr_t, process, status_t,
 	u_int64_t owner, group;
 	chunk_t filename;
 	status_t status = FAILED;
-	
+
 	if (this->value.len < PTS_FILE_META_SIZE)
 	{
 		DBG1(DBG_TNC, "insufficient data for PTS Unix-Style file metadata header");
@@ -190,7 +192,7 @@ METHOD(pa_tnc_attr_t, process, status_t,
 	reader->read_uint64(reader, &number_of_files);
 
 	this->metadata = pts_file_meta_create();
-	
+
 	while (number_of_files--)
 	{
 		if (!reader->read_uint16(reader, &len))
@@ -243,7 +245,7 @@ METHOD(pa_tnc_attr_t, process, status_t,
 			DBG1(DBG_TNC, "insufficient data for filename");
 			goto end;
 		}
-		
+
 		entry = malloc_thing(pts_file_metadata_t);
 		entry->type = type;
 		entry->filesize = filesize;
@@ -252,9 +254,7 @@ METHOD(pa_tnc_attr_t, process, status_t,
 		entry->accessed = accessed;
 		entry->owner = owner;
 		entry->group = group;
-		entry->filename = malloc(filename.len + 1);
-		entry->filename[filename.len] = '\0';
-		memcpy(entry->filename, filename.ptr, filename.len);
+		entry->filename = strndup(filename.ptr, filename.len);
 
 		this->metadata->add(this->metadata, entry);
 	}
@@ -277,7 +277,7 @@ METHOD(pa_tnc_attr_t, destroy, void,
 {
 	if (ref_put(&this->ref))
 	{
-		this->metadata->destroy(this->metadata);
+		DESTROY_IF(this->metadata);
 		free(this->value.ptr);
 		free(this);
 	}
diff --git a/src/libradius/Makefile.in b/src/libradius/Makefile.in
index 15642db64..ea306d748 100644
--- a/src/libradius/Makefile.in
+++ b/src/libradius/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -73,6 +73,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
 am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
 am__installdirs = "$(DESTDIR)$(ipseclibdir)"
 LTLIBRARIES = $(ipseclib_LTLIBRARIES)
 libradius_la_LIBADD =
@@ -116,6 +122,7 @@ CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -143,6 +150,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -170,6 +178,7 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
@@ -182,6 +191,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -235,7 +245,6 @@ libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -356,7 +365,7 @@ clean-ipseclibLTLIBRARIES:
 	  echo "rm -f \"$${dir}/so_locations\""; \
 	  rm -f "$${dir}/so_locations"; \
 	done
-libradius.la: $(libradius_la_OBJECTS) $(libradius_la_DEPENDENCIES) 
+libradius.la: $(libradius_la_OBJECTS) $(libradius_la_DEPENDENCIES) $(EXTRA_libradius_la_DEPENDENCIES) 
 	$(LINK) -rpath $(ipseclibdir) $(libradius_la_OBJECTS) $(libradius_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
@@ -496,10 +505,15 @@ install-am: all-am
 
 installcheck: installcheck-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
diff --git a/src/libradius/radius_client.c b/src/libradius/radius_client.c
index acdac78c9..1478c3d9e 100644
--- a/src/libradius/radius_client.c
+++ b/src/libradius/radius_client.c
@@ -19,9 +19,9 @@
 #include <unistd.h>
 #include <errno.h>
 
-#include <debug.h>
-#include <utils/host.h>
-#include <utils/linked_list.h>
+#include <utils/debug.h>
+#include <networking/host.h>
+#include <collections/linked_list.h>
 #include <threading/condvar.h>
 #include <threading/mutex.h>
 
diff --git a/src/libradius/radius_config.c b/src/libradius/radius_config.c
index 6e3394bb0..5dbd1d7e0 100644
--- a/src/libradius/radius_config.c
+++ b/src/libradius/radius_config.c
@@ -17,7 +17,7 @@
 
 #include <threading/mutex.h>
 #include <threading/condvar.h>
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
 
 typedef struct private_radius_config_t private_radius_config_t;
 
diff --git a/src/libradius/radius_message.c b/src/libradius/radius_message.c
index 77f9b0398..059dcda4b 100644
--- a/src/libradius/radius_message.c
+++ b/src/libradius/radius_message.c
@@ -15,7 +15,7 @@
 
 #include "radius_message.h"
 
-#include <debug.h>
+#include <utils/debug.h>
 #include <crypto/hashers/hasher.h>
 
 typedef struct private_radius_message_t private_radius_message_t;
diff --git a/src/libradius/radius_socket.c b/src/libradius/radius_socket.c
index ba7cb14b0..7dab968d8 100644
--- a/src/libradius/radius_socket.c
+++ b/src/libradius/radius_socket.c
@@ -20,7 +20,7 @@
 #include <unistd.h>
 
 #include <pen/pen.h>
-#include <debug.h>
+#include <utils/debug.h>
 
 typedef struct private_radius_socket_t private_radius_socket_t;
 
diff --git a/src/libradius/radius_socket.h b/src/libradius/radius_socket.h
index 07d642c08..eb510ea89 100644
--- a/src/libradius/radius_socket.h
+++ b/src/libradius/radius_socket.h
@@ -25,7 +25,7 @@ typedef struct radius_socket_t radius_socket_t;
 
 #include "radius_message.h"
 
-#include <utils/host.h>
+#include <networking/host.h>
 
 /**
  * RADIUS socket to a server.
diff --git a/src/libsimaka/Makefile.in b/src/libsimaka/Makefile.in
index cdc7799ae..cf9bd61d8 100644
--- a/src/libsimaka/Makefile.in
+++ b/src/libsimaka/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -73,6 +73,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
 am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
 am__installdirs = "$(DESTDIR)$(ipseclibdir)"
 LTLIBRARIES = $(ipseclib_LTLIBRARIES)
 libsimaka_la_LIBADD =
@@ -116,6 +122,7 @@ CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -143,6 +150,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -170,6 +178,7 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
@@ -182,6 +191,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -235,7 +245,6 @@ libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -353,7 +362,7 @@ clean-ipseclibLTLIBRARIES:
 	  echo "rm -f \"$${dir}/so_locations\""; \
 	  rm -f "$${dir}/so_locations"; \
 	done
-libsimaka.la: $(libsimaka_la_OBJECTS) $(libsimaka_la_DEPENDENCIES) 
+libsimaka.la: $(libsimaka_la_OBJECTS) $(libsimaka_la_DEPENDENCIES) $(EXTRA_libsimaka_la_DEPENDENCIES) 
 	$(LINK) -rpath $(ipseclibdir) $(libsimaka_la_OBJECTS) $(libsimaka_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
@@ -492,10 +501,15 @@ install-am: all-am
 
 installcheck: installcheck-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
diff --git a/src/libsimaka/simaka_crypto.c b/src/libsimaka/simaka_crypto.c
index 92db19317..e60c02a1a 100644
--- a/src/libsimaka/simaka_crypto.c
+++ b/src/libsimaka/simaka_crypto.c
@@ -17,7 +17,7 @@
 
 #include "simaka_manager.h"
 
-#include <debug.h>
+#include <utils/debug.h>
 
 /** length of the k_encr key */
 #define KENCR_LEN 16
@@ -150,7 +150,6 @@ METHOD(simaka_crypto_t, derive_keys_full, bool,
 
 	k_encr = chunk_create(str.ptr, KENCR_LEN);
 	k_auth = chunk_create(str.ptr + KENCR_LEN, KAUTH_LEN);
-	DBG3(DBG_LIB, "K_encr %B\nK_auth %B\nMSK %B", &k_encr, &k_auth, &msk);
 
 	if (!this->signer->set_key(this->signer, k_auth) ||
 		!this->crypter->set_key(this->crypter, k_encr))
@@ -160,6 +159,7 @@ METHOD(simaka_crypto_t, derive_keys_full, bool,
 	}
 
 	*msk = chunk_clone(chunk_create(str.ptr + KENCR_LEN + KAUTH_LEN, MSK_LEN));
+	DBG3(DBG_LIB, "K_encr %B\nK_auth %B\nMSK %B", &k_encr, &k_auth, msk);
 
 	call_hook(this, k_encr, k_auth);
 
diff --git a/src/libsimaka/simaka_manager.c b/src/libsimaka/simaka_manager.c
index 65de1c5ab..e85dd660b 100644
--- a/src/libsimaka/simaka_manager.c
+++ b/src/libsimaka/simaka_manager.c
@@ -15,8 +15,8 @@
 
 #include "simaka_manager.h"
 
-#include <debug.h>
-#include <utils/linked_list.h>
+#include <utils/debug.h>
+#include <collections/linked_list.h>
 #include <threading/rwlock.h>
 
 typedef struct private_simaka_manager_t private_simaka_manager_t;
diff --git a/src/libsimaka/simaka_manager.h b/src/libsimaka/simaka_manager.h
index 64a67e56c..810cb0685 100644
--- a/src/libsimaka/simaka_manager.h
+++ b/src/libsimaka/simaka_manager.h
@@ -23,7 +23,7 @@
 
 #include <crypto/hashers/hasher.h>
 #include <utils/identification.h>
-#include <utils/enumerator.h>
+#include <collections/enumerator.h>
 #include <plugins/plugin.h>
 
 typedef struct simaka_manager_t simaka_manager_t;
diff --git a/src/libsimaka/simaka_message.c b/src/libsimaka/simaka_message.c
index aa36a0974..7dd15480b 100644
--- a/src/libsimaka/simaka_message.c
+++ b/src/libsimaka/simaka_message.c
@@ -17,8 +17,8 @@
 
 #include "simaka_manager.h"
 
-#include <debug.h>
-#include <utils/linked_list.h>
+#include <utils/debug.h>
+#include <collections/linked_list.h>
 
 typedef struct private_simaka_message_t private_simaka_message_t;
 typedef struct hdr_t hdr_t;
diff --git a/src/libsimaka/simaka_message.h b/src/libsimaka/simaka_message.h
index 209067c70..32c39a348 100644
--- a/src/libsimaka/simaka_message.h
+++ b/src/libsimaka/simaka_message.h
@@ -26,7 +26,7 @@
 #ifndef SIMAKA_MESSAGE_H_
 #define SIMAKA_MESSAGE_H_
 
-#include <enum.h>
+#include <utils/enum.h>
 #include <eap/eap.h>
 
 #include "simaka_crypto.h"
diff --git a/src/libstrongswan/Android.mk b/src/libstrongswan/Android.mk
index 4912576df..65cfe5292 100644
--- a/src/libstrongswan/Android.mk
+++ b/src/libstrongswan/Android.mk
@@ -3,9 +3,10 @@ include $(CLEAR_VARS)
 
 # copy-n-paste from Makefile.am
 LOCAL_SRC_FILES := \
-library.c chunk.c debug.c enum.c settings.c printf_hook.c asn1/asn1.c \
-asn1/asn1_parser.c asn1/oid.c bio/bio_reader.c bio/bio_writer.c \
-crypto/crypters/crypter.c crypto/hashers/hasher.c crypto/pkcs7.c crypto/pkcs9.c \
+library.c \
+asn1/asn1.c asn1/asn1_parser.c asn1/oid.c bio/bio_reader.c bio/bio_writer.c \
+collections/blocking_queue.c collections/enumerator.c collections/hashtable.c \
+collections/linked_list.c crypto/crypters/crypter.c crypto/hashers/hasher.c \
 crypto/proposal/proposal_keywords.c crypto/proposal/proposal_keywords_static.c \
 crypto/prfs/prf.c crypto/prfs/mac_prf.c \
 crypto/rngs/rng.c crypto/prf_plus.c crypto/signers/signer.c \
@@ -16,19 +17,22 @@ credentials/cred_encoding.c credentials/keys/private_key.c \
 credentials/keys/public_key.c credentials/keys/shared_key.c \
 credentials/certificates/certificate.c credentials/certificates/crl.c \
 credentials/certificates/ocsp_response.c \
+credentials/containers/container.c \
 credentials/ietf_attributes/ietf_attributes.c credentials/credential_manager.c \
 credentials/sets/auth_cfg_wrapper.c credentials/sets/ocsp_response_wrapper.c \
 credentials/sets/cert_cache.c credentials/sets/mem_cred.c \
 credentials/sets/callback_cred.c credentials/auth_cfg.c database/database.c \
 database/database_factory.c fetcher/fetcher.c fetcher/fetcher_manager.c eap/eap.c \
 ipsec/ipsec_types.c \
+networking/host.c networking/host_resolver.c networking/packet.c \
+networking/tun_device.c \
 pen/pen.c plugins/plugin_loader.c plugins/plugin_feature.c processing/jobs/job.c \
 processing/jobs/callback_job.c processing/processor.c processing/scheduler.c \
 selectors/traffic_selector.c threading/thread.c threading/thread_value.c \
 threading/mutex.c threading/semaphore.c threading/rwlock.c threading/spinlock.c \
-utils.c utils/host.c utils/packet.c utils/identification.c utils/lexparser.c \
-utils/linked_list.c utils/blocking_queue.c utils/hashtable.c utils/enumerator.c \
-utils/optionsfrom.c utils/capabilities.c utils/backtrace.c utils/tun_device.c
+utils/utils.c utils/chunk.c utils/debug.c utils/enum.c utils/identification.c \
+utils/lexparser.c utils/optionsfrom.c utils/capabilities.c utils/backtrace.c \
+utils/printf_hook.c utils/settings.c
 
 # adding the plugin source files
 
@@ -68,6 +72,8 @@ LOCAL_SRC_FILES += $(call add_plugin, pem)
 
 LOCAL_SRC_FILES += $(call add_plugin, pkcs1)
 
+LOCAL_SRC_FILES += $(call add_plugin, pkcs7)
+
 LOCAL_SRC_FILES += $(call add_plugin, pkcs8)
 
 LOCAL_SRC_FILES += $(call add_plugin, pkcs11)
diff --git a/src/libstrongswan/Makefile.am b/src/libstrongswan/Makefile.am
index 463d57d95..9c4665eeb 100644
--- a/src/libstrongswan/Makefile.am
+++ b/src/libstrongswan/Makefile.am
@@ -1,9 +1,10 @@
 ipseclib_LTLIBRARIES = libstrongswan.la
 
 libstrongswan_la_SOURCES = \
-library.c chunk.c debug.c enum.c settings.c printf_hook.c asn1/asn1.c \
-asn1/asn1_parser.c asn1/oid.c bio/bio_reader.c bio/bio_writer.c \
-crypto/crypters/crypter.c crypto/hashers/hasher.c crypto/pkcs7.c crypto/pkcs9.c \
+library.c \
+asn1/asn1.c asn1/asn1_parser.c asn1/oid.c bio/bio_reader.c bio/bio_writer.c \
+collections/blocking_queue.c collections/enumerator.c collections/hashtable.c \
+collections/linked_list.c crypto/crypters/crypter.c crypto/hashers/hasher.c \
 crypto/proposal/proposal_keywords.c crypto/proposal/proposal_keywords_static.c \
 crypto/prfs/prf.c crypto/prfs/mac_prf.c \
 crypto/rngs/rng.c crypto/prf_plus.c crypto/signers/signer.c \
@@ -14,28 +15,32 @@ credentials/cred_encoding.c credentials/keys/private_key.c \
 credentials/keys/public_key.c credentials/keys/shared_key.c \
 credentials/certificates/certificate.c credentials/certificates/crl.c \
 credentials/certificates/ocsp_response.c \
+credentials/containers/container.c \
 credentials/ietf_attributes/ietf_attributes.c credentials/credential_manager.c \
 credentials/sets/auth_cfg_wrapper.c credentials/sets/ocsp_response_wrapper.c \
 credentials/sets/cert_cache.c credentials/sets/mem_cred.c \
 credentials/sets/callback_cred.c credentials/auth_cfg.c database/database.c \
 database/database_factory.c fetcher/fetcher.c fetcher/fetcher_manager.c eap/eap.c \
 ipsec/ipsec_types.c \
+networking/host.c networking/host_resolver.c networking/packet.c \
+networking/tun_device.c \
 pen/pen.c plugins/plugin_loader.c plugins/plugin_feature.c processing/jobs/job.c \
 processing/jobs/callback_job.c processing/processor.c processing/scheduler.c \
 selectors/traffic_selector.c threading/thread.c threading/thread_value.c \
 threading/mutex.c threading/semaphore.c threading/rwlock.c threading/spinlock.c \
-utils.c utils/host.c utils/packet.c utils/identification.c utils/lexparser.c \
-utils/linked_list.c utils/blocking_queue.c utils/hashtable.c utils/enumerator.c \
-utils/optionsfrom.c utils/capabilities.c utils/backtrace.c utils/tun_device.c
+utils/utils.c utils/chunk.c utils/debug.c utils/enum.c utils/identification.c \
+utils/lexparser.c utils/optionsfrom.c utils/capabilities.c utils/backtrace.c \
+utils/printf_hook.c utils/settings.c
 
 if USE_DEV_HEADERS
 strongswan_includedir = ${dev_headers}
 nobase_strongswan_include_HEADERS = \
-library.h chunk.h debug.h enum.h settings.h printf_hook.h \
+library.h \
 asn1/asn1.h asn1/asn1_parser.h asn1/oid.h bio/bio_reader.h bio/bio_writer.h \
+collections/blocking_queue.h collections/enumerator.h collections/hashtable.h \
+collections/linked_list.h \
 crypto/crypters/crypter.h crypto/hashers/hasher.h crypto/mac.h \
-crypto/pkcs7.h crypto/pkcs9.h crypto/proposal/proposal_keywords.h \
-crypto/proposal/proposal_keywords_static.h \
+crypto/proposal/proposal_keywords.h crypto/proposal/proposal_keywords_static.h \
 crypto/prfs/prf.h crypto/prfs/mac_prf.h crypto/rngs/rng.h crypto/nonce_gen.h \
 crypto/prf_plus.h crypto/signers/signer.h crypto/signers/mac_signer.h \
 crypto/crypto_factory.h crypto/crypto_tester.h crypto/diffie_hellman.h \
@@ -48,6 +53,7 @@ credentials/certificates/ac.h credentials/certificates/crl.h \
 credentials/certificates/pkcs10.h credentials/certificates/ocsp_request.h \
 credentials/certificates/ocsp_response.h \
 credentials/certificates/pgp_certificate.h \
+credentials/containers/container.h credentials/containers/pkcs7.h \
 credentials/ietf_attributes/ietf_attributes.h \
 credentials/credential_manager.h credentials/sets/auth_cfg_wrapper.h \
 credentials/sets/ocsp_response_wrapper.h credentials/sets/cert_cache.h \
@@ -55,16 +61,17 @@ credentials/sets/mem_cred.h credentials/sets/callback_cred.h \
 credentials/auth_cfg.h credentials/credential_set.h credentials/cert_validator.h \
 database/database.h database/database_factory.h fetcher/fetcher.h \
 fetcher/fetcher_manager.h eap/eap.h pen/pen.h ipsec/ipsec_types.h \
+networking/host.h networking/host_resolver.h networking/packet.h \
+networking/tun_device.h \
 plugins/plugin_loader.h plugins/plugin.h plugins/plugin_feature.h \
 processing/jobs/job.h processing/jobs/callback_job.h processing/processor.h \
 processing/scheduler.h selectors/traffic_selector.h \
 threading/thread.h threading/thread_value.h \
 threading/mutex.h threading/condvar.h threading/spinlock.h threading/semaphore.h \
 threading/rwlock.h threading/rwlock_condvar.h threading/lock_profiler.h \
-utils.h utils/host.h utils/packet.h utils/identification.h utils/lexparser.h \
-utils/linked_list.h utils/blocking_queue.h utils/hashtable.h utils/enumerator.h \
-utils/optionsfrom.h utils/capabilities.h utils/backtrace.h utils/tun_device.h \
-utils/leak_detective.h integrity_checker.h
+utils/utils.h utils/chunk.h utils/debug.h utils/enum.h utils/identification.h \
+utils/lexparser.h utils/optionsfrom.h utils/capabilities.h utils/backtrace.h \
+utils/leak_detective.h utils/printf_hook.h utils/settings.h utils/integrity_checker.h
 endif
 
 library.lo :	$(top_builddir)/config.status
@@ -89,7 +96,7 @@ endif
 
 if USE_INTEGRITY_TEST
   AM_CFLAGS += -DINTEGRITY_TEST
-  libstrongswan_la_SOURCES += integrity_checker.c
+  libstrongswan_la_SOURCES += utils/integrity_checker.c
 endif
 
 if USE_VSTR
@@ -197,6 +204,13 @@ if MONOLITHIC
 endif
 endif
 
+if USE_RDRAND
+  SUBDIRS += plugins/rdrand
+if MONOLITHIC
+  libstrongswan_la_LIBADD += plugins/rdrand/libstrongswan-rdrand.la
+endif
+endif
+
 if USE_RANDOM
   SUBDIRS += plugins/random
 if MONOLITHIC
@@ -267,6 +281,13 @@ if MONOLITHIC
 endif
 endif
 
+if USE_PKCS7
+  SUBDIRS += plugins/pkcs7
+if MONOLITHIC
+  libstrongswan_la_LIBADD += plugins/pkcs7/libstrongswan-pkcs7.la
+endif
+endif
+
 if USE_PKCS8
   SUBDIRS += plugins/pkcs8
 if MONOLITHIC
diff --git a/src/libstrongswan/Makefile.in b/src/libstrongswan/Makefile.in
index aeebb25c0..6c0ce7a88 100644
--- a/src/libstrongswan/Makefile.in
+++ b/src/libstrongswan/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -39,7 +39,7 @@ host_triplet = @host@
 @USE_LEAK_DETECTIVE_TRUE@am__append_2 = utils/leak_detective.c
 @USE_LOCK_PROFILER_TRUE@am__append_3 = -DLOCK_PROFILER
 @USE_INTEGRITY_TEST_TRUE@am__append_4 = -DINTEGRITY_TEST
-@USE_INTEGRITY_TEST_TRUE@am__append_5 = integrity_checker.c
+@USE_INTEGRITY_TEST_TRUE@am__append_5 = utils/integrity_checker.c
 @USE_VSTR_TRUE@am__append_6 = -lvstr
 @USE_LIBCAP_TRUE@am__append_7 = -lcap
 @USE_AF_ALG_TRUE@am__append_8 = plugins/af_alg
@@ -60,64 +60,68 @@ host_triplet = @host@
 @MONOLITHIC_TRUE@@USE_SHA2_TRUE@am__append_23 = plugins/sha2/libstrongswan-sha2.la
 @USE_GMP_TRUE@am__append_24 = plugins/gmp
 @MONOLITHIC_TRUE@@USE_GMP_TRUE@am__append_25 = plugins/gmp/libstrongswan-gmp.la
-@USE_RANDOM_TRUE@am__append_26 = plugins/random
-@MONOLITHIC_TRUE@@USE_RANDOM_TRUE@am__append_27 = plugins/random/libstrongswan-random.la
-@USE_NONCE_TRUE@am__append_28 = plugins/nonce
-@MONOLITHIC_TRUE@@USE_NONCE_TRUE@am__append_29 = plugins/nonce/libstrongswan-nonce.la
-@USE_HMAC_TRUE@am__append_30 = plugins/hmac
-@MONOLITHIC_TRUE@@USE_HMAC_TRUE@am__append_31 = plugins/hmac/libstrongswan-hmac.la
-@USE_CMAC_TRUE@am__append_32 = plugins/cmac
-@MONOLITHIC_TRUE@@USE_CMAC_TRUE@am__append_33 = plugins/cmac/libstrongswan-cmac.la
-@USE_XCBC_TRUE@am__append_34 = plugins/xcbc
-@MONOLITHIC_TRUE@@USE_XCBC_TRUE@am__append_35 = plugins/xcbc/libstrongswan-xcbc.la
-@USE_X509_TRUE@am__append_36 = plugins/x509
-@MONOLITHIC_TRUE@@USE_X509_TRUE@am__append_37 = plugins/x509/libstrongswan-x509.la
-@USE_REVOCATION_TRUE@am__append_38 = plugins/revocation
-@MONOLITHIC_TRUE@@USE_REVOCATION_TRUE@am__append_39 = plugins/revocation/libstrongswan-revocation.la
-@USE_CONSTRAINTS_TRUE@am__append_40 = plugins/constraints
-@MONOLITHIC_TRUE@@USE_CONSTRAINTS_TRUE@am__append_41 = plugins/constraints/libstrongswan-constraints.la
-@USE_PUBKEY_TRUE@am__append_42 = plugins/pubkey
-@MONOLITHIC_TRUE@@USE_PUBKEY_TRUE@am__append_43 = plugins/pubkey/libstrongswan-pubkey.la
-@USE_PKCS1_TRUE@am__append_44 = plugins/pkcs1
-@MONOLITHIC_TRUE@@USE_PKCS1_TRUE@am__append_45 = plugins/pkcs1/libstrongswan-pkcs1.la
-@USE_PKCS8_TRUE@am__append_46 = plugins/pkcs8
-@MONOLITHIC_TRUE@@USE_PKCS8_TRUE@am__append_47 = plugins/pkcs8/libstrongswan-pkcs8.la
-@USE_PGP_TRUE@am__append_48 = plugins/pgp
-@MONOLITHIC_TRUE@@USE_PGP_TRUE@am__append_49 = plugins/pgp/libstrongswan-pgp.la
-@USE_DNSKEY_TRUE@am__append_50 = plugins/dnskey
-@MONOLITHIC_TRUE@@USE_DNSKEY_TRUE@am__append_51 = plugins/dnskey/libstrongswan-dnskey.la
-@USE_PEM_TRUE@am__append_52 = plugins/pem
-@MONOLITHIC_TRUE@@USE_PEM_TRUE@am__append_53 = plugins/pem/libstrongswan-pem.la
-@USE_CURL_TRUE@am__append_54 = plugins/curl
-@MONOLITHIC_TRUE@@USE_CURL_TRUE@am__append_55 = plugins/curl/libstrongswan-curl.la
-@USE_SOUP_TRUE@am__append_56 = plugins/soup
-@MONOLITHIC_TRUE@@USE_SOUP_TRUE@am__append_57 = plugins/soup/libstrongswan-soup.la
-@USE_LDAP_TRUE@am__append_58 = plugins/ldap
-@MONOLITHIC_TRUE@@USE_LDAP_TRUE@am__append_59 = plugins/ldap/libstrongswan-ldap.la
-@USE_MYSQL_TRUE@am__append_60 = plugins/mysql
-@MONOLITHIC_TRUE@@USE_MYSQL_TRUE@am__append_61 = plugins/mysql/libstrongswan-mysql.la
-@USE_SQLITE_TRUE@am__append_62 = plugins/sqlite
-@MONOLITHIC_TRUE@@USE_SQLITE_TRUE@am__append_63 = plugins/sqlite/libstrongswan-sqlite.la
-@USE_PADLOCK_TRUE@am__append_64 = plugins/padlock
-@MONOLITHIC_TRUE@@USE_PADLOCK_TRUE@am__append_65 = plugins/padlock/libstrongswan-padlock.la
-@USE_OPENSSL_TRUE@am__append_66 = plugins/openssl
-@MONOLITHIC_TRUE@@USE_OPENSSL_TRUE@am__append_67 = plugins/openssl/libstrongswan-openssl.la
-@USE_GCRYPT_TRUE@am__append_68 = plugins/gcrypt
-@MONOLITHIC_TRUE@@USE_GCRYPT_TRUE@am__append_69 = plugins/gcrypt/libstrongswan-gcrypt.la
-@USE_FIPS_PRF_TRUE@am__append_70 = plugins/fips_prf
-@MONOLITHIC_TRUE@@USE_FIPS_PRF_TRUE@am__append_71 = plugins/fips_prf/libstrongswan-fips-prf.la
-@USE_AGENT_TRUE@am__append_72 = plugins/agent
-@MONOLITHIC_TRUE@@USE_AGENT_TRUE@am__append_73 = plugins/agent/libstrongswan-agent.la
-@USE_PKCS11_TRUE@am__append_74 = plugins/pkcs11
-@MONOLITHIC_TRUE@@USE_PKCS11_TRUE@am__append_75 = plugins/pkcs11/libstrongswan-pkcs11.la
-@USE_CTR_TRUE@am__append_76 = plugins/ctr
-@MONOLITHIC_TRUE@@USE_CTR_TRUE@am__append_77 = plugins/ctr/libstrongswan-ctr.la
-@USE_CCM_TRUE@am__append_78 = plugins/ccm
-@MONOLITHIC_TRUE@@USE_CCM_TRUE@am__append_79 = plugins/ccm/libstrongswan-ccm.la
-@USE_GCM_TRUE@am__append_80 = plugins/gcm
-@MONOLITHIC_TRUE@@USE_GCM_TRUE@am__append_81 = plugins/gcm/libstrongswan-gcm.la
-@USE_TEST_VECTORS_TRUE@am__append_82 = plugins/test_vectors
-@MONOLITHIC_TRUE@@USE_TEST_VECTORS_TRUE@am__append_83 = plugins/test_vectors/libstrongswan-test-vectors.la
+@USE_RDRAND_TRUE@am__append_26 = plugins/rdrand
+@MONOLITHIC_TRUE@@USE_RDRAND_TRUE@am__append_27 = plugins/rdrand/libstrongswan-rdrand.la
+@USE_RANDOM_TRUE@am__append_28 = plugins/random
+@MONOLITHIC_TRUE@@USE_RANDOM_TRUE@am__append_29 = plugins/random/libstrongswan-random.la
+@USE_NONCE_TRUE@am__append_30 = plugins/nonce
+@MONOLITHIC_TRUE@@USE_NONCE_TRUE@am__append_31 = plugins/nonce/libstrongswan-nonce.la
+@USE_HMAC_TRUE@am__append_32 = plugins/hmac
+@MONOLITHIC_TRUE@@USE_HMAC_TRUE@am__append_33 = plugins/hmac/libstrongswan-hmac.la
+@USE_CMAC_TRUE@am__append_34 = plugins/cmac
+@MONOLITHIC_TRUE@@USE_CMAC_TRUE@am__append_35 = plugins/cmac/libstrongswan-cmac.la
+@USE_XCBC_TRUE@am__append_36 = plugins/xcbc
+@MONOLITHIC_TRUE@@USE_XCBC_TRUE@am__append_37 = plugins/xcbc/libstrongswan-xcbc.la
+@USE_X509_TRUE@am__append_38 = plugins/x509
+@MONOLITHIC_TRUE@@USE_X509_TRUE@am__append_39 = plugins/x509/libstrongswan-x509.la
+@USE_REVOCATION_TRUE@am__append_40 = plugins/revocation
+@MONOLITHIC_TRUE@@USE_REVOCATION_TRUE@am__append_41 = plugins/revocation/libstrongswan-revocation.la
+@USE_CONSTRAINTS_TRUE@am__append_42 = plugins/constraints
+@MONOLITHIC_TRUE@@USE_CONSTRAINTS_TRUE@am__append_43 = plugins/constraints/libstrongswan-constraints.la
+@USE_PUBKEY_TRUE@am__append_44 = plugins/pubkey
+@MONOLITHIC_TRUE@@USE_PUBKEY_TRUE@am__append_45 = plugins/pubkey/libstrongswan-pubkey.la
+@USE_PKCS1_TRUE@am__append_46 = plugins/pkcs1
+@MONOLITHIC_TRUE@@USE_PKCS1_TRUE@am__append_47 = plugins/pkcs1/libstrongswan-pkcs1.la
+@USE_PKCS7_TRUE@am__append_48 = plugins/pkcs7
+@MONOLITHIC_TRUE@@USE_PKCS7_TRUE@am__append_49 = plugins/pkcs7/libstrongswan-pkcs7.la
+@USE_PKCS8_TRUE@am__append_50 = plugins/pkcs8
+@MONOLITHIC_TRUE@@USE_PKCS8_TRUE@am__append_51 = plugins/pkcs8/libstrongswan-pkcs8.la
+@USE_PGP_TRUE@am__append_52 = plugins/pgp
+@MONOLITHIC_TRUE@@USE_PGP_TRUE@am__append_53 = plugins/pgp/libstrongswan-pgp.la
+@USE_DNSKEY_TRUE@am__append_54 = plugins/dnskey
+@MONOLITHIC_TRUE@@USE_DNSKEY_TRUE@am__append_55 = plugins/dnskey/libstrongswan-dnskey.la
+@USE_PEM_TRUE@am__append_56 = plugins/pem
+@MONOLITHIC_TRUE@@USE_PEM_TRUE@am__append_57 = plugins/pem/libstrongswan-pem.la
+@USE_CURL_TRUE@am__append_58 = plugins/curl
+@MONOLITHIC_TRUE@@USE_CURL_TRUE@am__append_59 = plugins/curl/libstrongswan-curl.la
+@USE_SOUP_TRUE@am__append_60 = plugins/soup
+@MONOLITHIC_TRUE@@USE_SOUP_TRUE@am__append_61 = plugins/soup/libstrongswan-soup.la
+@USE_LDAP_TRUE@am__append_62 = plugins/ldap
+@MONOLITHIC_TRUE@@USE_LDAP_TRUE@am__append_63 = plugins/ldap/libstrongswan-ldap.la
+@USE_MYSQL_TRUE@am__append_64 = plugins/mysql
+@MONOLITHIC_TRUE@@USE_MYSQL_TRUE@am__append_65 = plugins/mysql/libstrongswan-mysql.la
+@USE_SQLITE_TRUE@am__append_66 = plugins/sqlite
+@MONOLITHIC_TRUE@@USE_SQLITE_TRUE@am__append_67 = plugins/sqlite/libstrongswan-sqlite.la
+@USE_PADLOCK_TRUE@am__append_68 = plugins/padlock
+@MONOLITHIC_TRUE@@USE_PADLOCK_TRUE@am__append_69 = plugins/padlock/libstrongswan-padlock.la
+@USE_OPENSSL_TRUE@am__append_70 = plugins/openssl
+@MONOLITHIC_TRUE@@USE_OPENSSL_TRUE@am__append_71 = plugins/openssl/libstrongswan-openssl.la
+@USE_GCRYPT_TRUE@am__append_72 = plugins/gcrypt
+@MONOLITHIC_TRUE@@USE_GCRYPT_TRUE@am__append_73 = plugins/gcrypt/libstrongswan-gcrypt.la
+@USE_FIPS_PRF_TRUE@am__append_74 = plugins/fips_prf
+@MONOLITHIC_TRUE@@USE_FIPS_PRF_TRUE@am__append_75 = plugins/fips_prf/libstrongswan-fips-prf.la
+@USE_AGENT_TRUE@am__append_76 = plugins/agent
+@MONOLITHIC_TRUE@@USE_AGENT_TRUE@am__append_77 = plugins/agent/libstrongswan-agent.la
+@USE_PKCS11_TRUE@am__append_78 = plugins/pkcs11
+@MONOLITHIC_TRUE@@USE_PKCS11_TRUE@am__append_79 = plugins/pkcs11/libstrongswan-pkcs11.la
+@USE_CTR_TRUE@am__append_80 = plugins/ctr
+@MONOLITHIC_TRUE@@USE_CTR_TRUE@am__append_81 = plugins/ctr/libstrongswan-ctr.la
+@USE_CCM_TRUE@am__append_82 = plugins/ccm
+@MONOLITHIC_TRUE@@USE_CCM_TRUE@am__append_83 = plugins/ccm/libstrongswan-ccm.la
+@USE_GCM_TRUE@am__append_84 = plugins/gcm
+@MONOLITHIC_TRUE@@USE_GCM_TRUE@am__append_85 = plugins/gcm/libstrongswan-gcm.la
+@USE_TEST_VECTORS_TRUE@am__append_86 = plugins/test_vectors
+@MONOLITHIC_TRUE@@USE_TEST_VECTORS_TRUE@am__append_87 = plugins/test_vectors/libstrongswan-test-vectors.la
 subdir = src/libstrongswan
 DIST_COMMON = $(am__nobase_strongswan_include_HEADERS_DIST) \
 	$(srcdir)/Makefile.am $(srcdir)/Makefile.in
@@ -158,6 +162,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
 am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
 am__installdirs = "$(DESTDIR)$(ipseclibdir)" \
 	"$(DESTDIR)$(strongswan_includedir)"
 LTLIBRARIES = $(ipseclib_LTLIBRARIES)
@@ -178,13 +188,14 @@ libstrongswan_la_DEPENDENCIES = $(am__DEPENDENCIES_1) \
 	$(am__append_61) $(am__append_63) $(am__append_65) \
 	$(am__append_67) $(am__append_69) $(am__append_71) \
 	$(am__append_73) $(am__append_75) $(am__append_77) \
-	$(am__append_79) $(am__append_81) $(am__append_83)
-am__libstrongswan_la_SOURCES_DIST = library.c chunk.c debug.c enum.c \
-	settings.c printf_hook.c asn1/asn1.c asn1/asn1_parser.c \
-	asn1/oid.c bio/bio_reader.c bio/bio_writer.c \
-	crypto/crypters/crypter.c crypto/hashers/hasher.c \
-	crypto/pkcs7.c crypto/pkcs9.c \
-	crypto/proposal/proposal_keywords.c \
+	$(am__append_79) $(am__append_81) $(am__append_83) \
+	$(am__append_85) $(am__append_87)
+am__libstrongswan_la_SOURCES_DIST = library.c asn1/asn1.c \
+	asn1/asn1_parser.c asn1/oid.c bio/bio_reader.c \
+	bio/bio_writer.c collections/blocking_queue.c \
+	collections/enumerator.c collections/hashtable.c \
+	collections/linked_list.c crypto/crypters/crypter.c \
+	crypto/hashers/hasher.c crypto/proposal/proposal_keywords.c \
 	crypto/proposal/proposal_keywords_static.c crypto/prfs/prf.c \
 	crypto/prfs/mac_prf.c crypto/rngs/rng.c crypto/prf_plus.c \
 	crypto/signers/signer.c crypto/signers/mac_signer.c \
@@ -196,6 +207,7 @@ am__libstrongswan_la_SOURCES_DIST = library.c chunk.c debug.c enum.c \
 	credentials/certificates/certificate.c \
 	credentials/certificates/crl.c \
 	credentials/certificates/ocsp_response.c \
+	credentials/containers/container.c \
 	credentials/ietf_attributes/ietf_attributes.c \
 	credentials/credential_manager.c \
 	credentials/sets/auth_cfg_wrapper.c \
@@ -204,39 +216,41 @@ am__libstrongswan_la_SOURCES_DIST = library.c chunk.c debug.c enum.c \
 	credentials/sets/callback_cred.c credentials/auth_cfg.c \
 	database/database.c database/database_factory.c \
 	fetcher/fetcher.c fetcher/fetcher_manager.c eap/eap.c \
-	ipsec/ipsec_types.c pen/pen.c plugins/plugin_loader.c \
+	ipsec/ipsec_types.c networking/host.c \
+	networking/host_resolver.c networking/packet.c \
+	networking/tun_device.c pen/pen.c plugins/plugin_loader.c \
 	plugins/plugin_feature.c processing/jobs/job.c \
 	processing/jobs/callback_job.c processing/processor.c \
 	processing/scheduler.c selectors/traffic_selector.c \
 	threading/thread.c threading/thread_value.c threading/mutex.c \
 	threading/semaphore.c threading/rwlock.c threading/spinlock.c \
-	utils.c utils/host.c utils/packet.c utils/identification.c \
-	utils/lexparser.c utils/linked_list.c utils/blocking_queue.c \
-	utils/hashtable.c utils/enumerator.c utils/optionsfrom.c \
-	utils/capabilities.c utils/backtrace.c utils/tun_device.c \
-	utils/leak_detective.c integrity_checker.c
+	utils/utils.c utils/chunk.c utils/debug.c utils/enum.c \
+	utils/identification.c utils/lexparser.c utils/optionsfrom.c \
+	utils/capabilities.c utils/backtrace.c utils/printf_hook.c \
+	utils/settings.c utils/leak_detective.c \
+	utils/integrity_checker.c
 @USE_LEAK_DETECTIVE_TRUE@am__objects_1 = leak_detective.lo
 @USE_INTEGRITY_TEST_TRUE@am__objects_2 = integrity_checker.lo
-am_libstrongswan_la_OBJECTS = library.lo chunk.lo debug.lo enum.lo \
-	settings.lo printf_hook.lo asn1.lo asn1_parser.lo oid.lo \
-	bio_reader.lo bio_writer.lo crypter.lo hasher.lo pkcs7.lo \
-	pkcs9.lo proposal_keywords.lo proposal_keywords_static.lo \
-	prf.lo mac_prf.lo rng.lo prf_plus.lo signer.lo mac_signer.lo \
+am_libstrongswan_la_OBJECTS = library.lo asn1.lo asn1_parser.lo oid.lo \
+	bio_reader.lo bio_writer.lo blocking_queue.lo enumerator.lo \
+	hashtable.lo linked_list.lo crypter.lo hasher.lo \
+	proposal_keywords.lo proposal_keywords_static.lo prf.lo \
+	mac_prf.lo rng.lo prf_plus.lo signer.lo mac_signer.lo \
 	crypto_factory.lo crypto_tester.lo diffie_hellman.lo aead.lo \
 	transform.lo credential_factory.lo builder.lo cred_encoding.lo \
 	private_key.lo public_key.lo shared_key.lo certificate.lo \
-	crl.lo ocsp_response.lo ietf_attributes.lo \
+	crl.lo ocsp_response.lo container.lo ietf_attributes.lo \
 	credential_manager.lo auth_cfg_wrapper.lo \
 	ocsp_response_wrapper.lo cert_cache.lo mem_cred.lo \
 	callback_cred.lo auth_cfg.lo database.lo database_factory.lo \
-	fetcher.lo fetcher_manager.lo eap.lo ipsec_types.lo pen.lo \
+	fetcher.lo fetcher_manager.lo eap.lo ipsec_types.lo host.lo \
+	host_resolver.lo packet.lo tun_device.lo pen.lo \
 	plugin_loader.lo plugin_feature.lo job.lo callback_job.lo \
 	processor.lo scheduler.lo traffic_selector.lo thread.lo \
 	thread_value.lo mutex.lo semaphore.lo rwlock.lo spinlock.lo \
-	utils.lo host.lo packet.lo identification.lo lexparser.lo \
-	linked_list.lo blocking_queue.lo hashtable.lo enumerator.lo \
-	optionsfrom.lo capabilities.lo backtrace.lo tun_device.lo \
-	$(am__objects_1) $(am__objects_2)
+	utils.lo chunk.lo debug.lo enum.lo identification.lo \
+	lexparser.lo optionsfrom.lo capabilities.lo backtrace.lo \
+	printf_hook.lo settings.lo $(am__objects_1) $(am__objects_2)
 libstrongswan_la_OBJECTS = $(am_libstrongswan_la_OBJECTS)
 DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
 depcomp = $(SHELL) $(top_srcdir)/depcomp
@@ -260,11 +274,12 @@ RECURSIVE_TARGETS = all-recursive check-recursive dvi-recursive \
 	install-pdf-recursive install-ps-recursive install-recursive \
 	installcheck-recursive installdirs-recursive pdf-recursive \
 	ps-recursive uninstall-recursive
-am__nobase_strongswan_include_HEADERS_DIST = library.h chunk.h debug.h \
-	enum.h settings.h printf_hook.h asn1/asn1.h asn1/asn1_parser.h \
-	asn1/oid.h bio/bio_reader.h bio/bio_writer.h \
-	crypto/crypters/crypter.h crypto/hashers/hasher.h crypto/mac.h \
-	crypto/pkcs7.h crypto/pkcs9.h \
+am__nobase_strongswan_include_HEADERS_DIST = library.h asn1/asn1.h \
+	asn1/asn1_parser.h asn1/oid.h bio/bio_reader.h \
+	bio/bio_writer.h collections/blocking_queue.h \
+	collections/enumerator.h collections/hashtable.h \
+	collections/linked_list.h crypto/crypters/crypter.h \
+	crypto/hashers/hasher.h crypto/mac.h \
 	crypto/proposal/proposal_keywords.h \
 	crypto/proposal/proposal_keywords_static.h crypto/prfs/prf.h \
 	crypto/prfs/mac_prf.h crypto/rngs/rng.h crypto/nonce_gen.h \
@@ -282,6 +297,8 @@ am__nobase_strongswan_include_HEADERS_DIST = library.h chunk.h debug.h \
 	credentials/certificates/ocsp_request.h \
 	credentials/certificates/ocsp_response.h \
 	credentials/certificates/pgp_certificate.h \
+	credentials/containers/container.h \
+	credentials/containers/pkcs7.h \
 	credentials/ietf_attributes/ietf_attributes.h \
 	credentials/credential_manager.h \
 	credentials/sets/auth_cfg_wrapper.h \
@@ -291,19 +308,20 @@ am__nobase_strongswan_include_HEADERS_DIST = library.h chunk.h debug.h \
 	credentials/credential_set.h credentials/cert_validator.h \
 	database/database.h database/database_factory.h \
 	fetcher/fetcher.h fetcher/fetcher_manager.h eap/eap.h \
-	pen/pen.h ipsec/ipsec_types.h plugins/plugin_loader.h \
+	pen/pen.h ipsec/ipsec_types.h networking/host.h \
+	networking/host_resolver.h networking/packet.h \
+	networking/tun_device.h plugins/plugin_loader.h \
 	plugins/plugin.h plugins/plugin_feature.h \
 	processing/jobs/job.h processing/jobs/callback_job.h \
 	processing/processor.h processing/scheduler.h \
 	selectors/traffic_selector.h threading/thread.h \
 	threading/thread_value.h threading/mutex.h threading/condvar.h \
 	threading/spinlock.h threading/semaphore.h threading/rwlock.h \
-	threading/rwlock_condvar.h threading/lock_profiler.h utils.h \
-	utils/host.h utils/packet.h utils/identification.h \
-	utils/lexparser.h utils/linked_list.h utils/blocking_queue.h \
-	utils/hashtable.h utils/enumerator.h utils/optionsfrom.h \
-	utils/capabilities.h utils/backtrace.h utils/tun_device.h \
-	utils/leak_detective.h integrity_checker.h
+	threading/rwlock_condvar.h threading/lock_profiler.h \
+	utils/utils.h utils/chunk.h utils/debug.h utils/enum.h \
+	utils/identification.h utils/lexparser.h utils/optionsfrom.h \
+	utils/capabilities.h utils/backtrace.h utils/leak_detective.h \
+	utils/printf_hook.h utils/settings.h utils/integrity_checker.h
 HEADERS = $(nobase_strongswan_include_HEADERS)
 RECURSIVE_CLEAN_TARGETS = mostlyclean-recursive clean-recursive	\
   distclean-recursive maintainer-clean-recursive
@@ -314,14 +332,15 @@ ETAGS = etags
 CTAGS = ctags
 DIST_SUBDIRS = . plugins/af_alg plugins/aes plugins/des \
 	plugins/blowfish plugins/md4 plugins/md5 plugins/sha1 \
-	plugins/sha2 plugins/gmp plugins/random plugins/nonce \
-	plugins/hmac plugins/cmac plugins/xcbc plugins/x509 \
-	plugins/revocation plugins/constraints plugins/pubkey \
-	plugins/pkcs1 plugins/pkcs8 plugins/pgp plugins/dnskey \
-	plugins/pem plugins/curl plugins/soup plugins/ldap \
-	plugins/mysql plugins/sqlite plugins/padlock plugins/openssl \
-	plugins/gcrypt plugins/fips_prf plugins/agent plugins/pkcs11 \
-	plugins/ctr plugins/ccm plugins/gcm plugins/test_vectors
+	plugins/sha2 plugins/gmp plugins/rdrand plugins/random \
+	plugins/nonce plugins/hmac plugins/cmac plugins/xcbc \
+	plugins/x509 plugins/revocation plugins/constraints \
+	plugins/pubkey plugins/pkcs1 plugins/pkcs7 plugins/pkcs8 \
+	plugins/pgp plugins/dnskey plugins/pem plugins/curl \
+	plugins/soup plugins/ldap plugins/mysql plugins/sqlite \
+	plugins/padlock plugins/openssl plugins/gcrypt \
+	plugins/fips_prf plugins/agent plugins/pkcs11 plugins/ctr \
+	plugins/ccm plugins/gcm plugins/test_vectors
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 am__relativize = \
   dir0=`pwd`; \
@@ -367,6 +386,7 @@ CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -394,6 +414,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -421,6 +442,7 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
@@ -433,6 +455,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -486,7 +509,6 @@ libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -534,10 +556,11 @@ urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
 ipseclib_LTLIBRARIES = libstrongswan.la
-libstrongswan_la_SOURCES = library.c chunk.c debug.c enum.c settings.c \
-	printf_hook.c asn1/asn1.c asn1/asn1_parser.c asn1/oid.c \
-	bio/bio_reader.c bio/bio_writer.c crypto/crypters/crypter.c \
-	crypto/hashers/hasher.c crypto/pkcs7.c crypto/pkcs9.c \
+libstrongswan_la_SOURCES = library.c asn1/asn1.c asn1/asn1_parser.c \
+	asn1/oid.c bio/bio_reader.c bio/bio_writer.c \
+	collections/blocking_queue.c collections/enumerator.c \
+	collections/hashtable.c collections/linked_list.c \
+	crypto/crypters/crypter.c crypto/hashers/hasher.c \
 	crypto/proposal/proposal_keywords.c \
 	crypto/proposal/proposal_keywords_static.c crypto/prfs/prf.c \
 	crypto/prfs/mac_prf.c crypto/rngs/rng.c crypto/prf_plus.c \
@@ -550,6 +573,7 @@ libstrongswan_la_SOURCES = library.c chunk.c debug.c enum.c settings.c \
 	credentials/certificates/certificate.c \
 	credentials/certificates/crl.c \
 	credentials/certificates/ocsp_response.c \
+	credentials/containers/container.c \
 	credentials/ietf_attributes/ietf_attributes.c \
 	credentials/credential_manager.c \
 	credentials/sets/auth_cfg_wrapper.c \
@@ -558,24 +582,26 @@ libstrongswan_la_SOURCES = library.c chunk.c debug.c enum.c settings.c \
 	credentials/sets/callback_cred.c credentials/auth_cfg.c \
 	database/database.c database/database_factory.c \
 	fetcher/fetcher.c fetcher/fetcher_manager.c eap/eap.c \
-	ipsec/ipsec_types.c pen/pen.c plugins/plugin_loader.c \
+	ipsec/ipsec_types.c networking/host.c \
+	networking/host_resolver.c networking/packet.c \
+	networking/tun_device.c pen/pen.c plugins/plugin_loader.c \
 	plugins/plugin_feature.c processing/jobs/job.c \
 	processing/jobs/callback_job.c processing/processor.c \
 	processing/scheduler.c selectors/traffic_selector.c \
 	threading/thread.c threading/thread_value.c threading/mutex.c \
 	threading/semaphore.c threading/rwlock.c threading/spinlock.c \
-	utils.c utils/host.c utils/packet.c utils/identification.c \
-	utils/lexparser.c utils/linked_list.c utils/blocking_queue.c \
-	utils/hashtable.c utils/enumerator.c utils/optionsfrom.c \
-	utils/capabilities.c utils/backtrace.c utils/tun_device.c \
-	$(am__append_2) $(am__append_5)
+	utils/utils.c utils/chunk.c utils/debug.c utils/enum.c \
+	utils/identification.c utils/lexparser.c utils/optionsfrom.c \
+	utils/capabilities.c utils/backtrace.c utils/printf_hook.c \
+	utils/settings.c $(am__append_2) $(am__append_5)
 @USE_DEV_HEADERS_TRUE@strongswan_includedir = ${dev_headers}
 @USE_DEV_HEADERS_TRUE@nobase_strongswan_include_HEADERS = \
-@USE_DEV_HEADERS_TRUE@library.h chunk.h debug.h enum.h settings.h printf_hook.h \
+@USE_DEV_HEADERS_TRUE@library.h \
 @USE_DEV_HEADERS_TRUE@asn1/asn1.h asn1/asn1_parser.h asn1/oid.h bio/bio_reader.h bio/bio_writer.h \
+@USE_DEV_HEADERS_TRUE@collections/blocking_queue.h collections/enumerator.h collections/hashtable.h \
+@USE_DEV_HEADERS_TRUE@collections/linked_list.h \
 @USE_DEV_HEADERS_TRUE@crypto/crypters/crypter.h crypto/hashers/hasher.h crypto/mac.h \
-@USE_DEV_HEADERS_TRUE@crypto/pkcs7.h crypto/pkcs9.h crypto/proposal/proposal_keywords.h \
-@USE_DEV_HEADERS_TRUE@crypto/proposal/proposal_keywords_static.h \
+@USE_DEV_HEADERS_TRUE@crypto/proposal/proposal_keywords.h crypto/proposal/proposal_keywords_static.h \
 @USE_DEV_HEADERS_TRUE@crypto/prfs/prf.h crypto/prfs/mac_prf.h crypto/rngs/rng.h crypto/nonce_gen.h \
 @USE_DEV_HEADERS_TRUE@crypto/prf_plus.h crypto/signers/signer.h crypto/signers/mac_signer.h \
 @USE_DEV_HEADERS_TRUE@crypto/crypto_factory.h crypto/crypto_tester.h crypto/diffie_hellman.h \
@@ -588,6 +614,7 @@ libstrongswan_la_SOURCES = library.c chunk.c debug.c enum.c settings.c \
 @USE_DEV_HEADERS_TRUE@credentials/certificates/pkcs10.h credentials/certificates/ocsp_request.h \
 @USE_DEV_HEADERS_TRUE@credentials/certificates/ocsp_response.h \
 @USE_DEV_HEADERS_TRUE@credentials/certificates/pgp_certificate.h \
+@USE_DEV_HEADERS_TRUE@credentials/containers/container.h credentials/containers/pkcs7.h \
 @USE_DEV_HEADERS_TRUE@credentials/ietf_attributes/ietf_attributes.h \
 @USE_DEV_HEADERS_TRUE@credentials/credential_manager.h credentials/sets/auth_cfg_wrapper.h \
 @USE_DEV_HEADERS_TRUE@credentials/sets/ocsp_response_wrapper.h credentials/sets/cert_cache.h \
@@ -595,16 +622,17 @@ libstrongswan_la_SOURCES = library.c chunk.c debug.c enum.c settings.c \
 @USE_DEV_HEADERS_TRUE@credentials/auth_cfg.h credentials/credential_set.h credentials/cert_validator.h \
 @USE_DEV_HEADERS_TRUE@database/database.h database/database_factory.h fetcher/fetcher.h \
 @USE_DEV_HEADERS_TRUE@fetcher/fetcher_manager.h eap/eap.h pen/pen.h ipsec/ipsec_types.h \
+@USE_DEV_HEADERS_TRUE@networking/host.h networking/host_resolver.h networking/packet.h \
+@USE_DEV_HEADERS_TRUE@networking/tun_device.h \
 @USE_DEV_HEADERS_TRUE@plugins/plugin_loader.h plugins/plugin.h plugins/plugin_feature.h \
 @USE_DEV_HEADERS_TRUE@processing/jobs/job.h processing/jobs/callback_job.h processing/processor.h \
 @USE_DEV_HEADERS_TRUE@processing/scheduler.h selectors/traffic_selector.h \
 @USE_DEV_HEADERS_TRUE@threading/thread.h threading/thread_value.h \
 @USE_DEV_HEADERS_TRUE@threading/mutex.h threading/condvar.h threading/spinlock.h threading/semaphore.h \
 @USE_DEV_HEADERS_TRUE@threading/rwlock.h threading/rwlock_condvar.h threading/lock_profiler.h \
-@USE_DEV_HEADERS_TRUE@utils.h utils/host.h utils/packet.h utils/identification.h utils/lexparser.h \
-@USE_DEV_HEADERS_TRUE@utils/linked_list.h utils/blocking_queue.h utils/hashtable.h utils/enumerator.h \
-@USE_DEV_HEADERS_TRUE@utils/optionsfrom.h utils/capabilities.h utils/backtrace.h utils/tun_device.h \
-@USE_DEV_HEADERS_TRUE@utils/leak_detective.h integrity_checker.h
+@USE_DEV_HEADERS_TRUE@utils/utils.h utils/chunk.h utils/debug.h utils/enum.h utils/identification.h \
+@USE_DEV_HEADERS_TRUE@utils/lexparser.h utils/optionsfrom.h utils/capabilities.h utils/backtrace.h \
+@USE_DEV_HEADERS_TRUE@utils/leak_detective.h utils/printf_hook.h utils/settings.h utils/integrity_checker.h
 
 libstrongswan_la_LIBADD = $(PTHREADLIB) $(DLLIB) $(BTLIB) $(SOCKLIB) \
 	$(RTLIB) $(BFDLIB) $(am__append_6) $(am__append_7) \
@@ -620,7 +648,8 @@ libstrongswan_la_LIBADD = $(PTHREADLIB) $(DLLIB) $(BTLIB) $(SOCKLIB) \
 	$(am__append_63) $(am__append_65) $(am__append_67) \
 	$(am__append_69) $(am__append_71) $(am__append_73) \
 	$(am__append_75) $(am__append_77) $(am__append_79) \
-	$(am__append_81) $(am__append_83)
+	$(am__append_81) $(am__append_83) $(am__append_85) \
+	$(am__append_87)
 INCLUDES = -I$(top_srcdir)/src/libstrongswan
 AM_CFLAGS = -DIPSEC_DIR=\"${ipsecdir}\" \
 	-DIPSEC_LIB_DIR=\"${ipseclibdir}\" \
@@ -658,7 +687,8 @@ $(srcdir)/crypto/proposal/proposal_keywords_static.c
 @MONOLITHIC_FALSE@	$(am__append_68) $(am__append_70) \
 @MONOLITHIC_FALSE@	$(am__append_72) $(am__append_74) \
 @MONOLITHIC_FALSE@	$(am__append_76) $(am__append_78) \
-@MONOLITHIC_FALSE@	$(am__append_80) $(am__append_82)
+@MONOLITHIC_FALSE@	$(am__append_80) $(am__append_82) \
+@MONOLITHIC_FALSE@	$(am__append_84) $(am__append_86)
 
 # build plugins with their own Makefile
 #######################################
@@ -680,7 +710,8 @@ $(srcdir)/crypto/proposal/proposal_keywords_static.c
 @MONOLITHIC_TRUE@	$(am__append_68) $(am__append_70) \
 @MONOLITHIC_TRUE@	$(am__append_72) $(am__append_74) \
 @MONOLITHIC_TRUE@	$(am__append_76) $(am__append_78) \
-@MONOLITHIC_TRUE@	$(am__append_80) $(am__append_82)
+@MONOLITHIC_TRUE@	$(am__append_80) $(am__append_82) \
+@MONOLITHIC_TRUE@	$(am__append_84) $(am__append_86)
 all: $(BUILT_SOURCES)
 	$(MAKE) $(AM_MAKEFLAGS) all-recursive
 
@@ -747,7 +778,7 @@ clean-ipseclibLTLIBRARIES:
 	  echo "rm -f \"$${dir}/so_locations\""; \
 	  rm -f "$${dir}/so_locations"; \
 	done
-libstrongswan.la: $(libstrongswan_la_OBJECTS) $(libstrongswan_la_DEPENDENCIES) 
+libstrongswan.la: $(libstrongswan_la_OBJECTS) $(libstrongswan_la_DEPENDENCIES) $(EXTRA_libstrongswan_la_DEPENDENCIES) 
 	$(LINK) -rpath $(ipseclibdir) $(libstrongswan_la_OBJECTS) $(libstrongswan_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
@@ -772,6 +803,7 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/cert_cache.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/certificate.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/chunk.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/container.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/cred_encoding.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/credential_factory.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/credential_manager.Plo@am__quote@
@@ -791,6 +823,7 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/hasher.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/hashtable.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/host.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/host_resolver.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/identification.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ietf_attributes.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/integrity_checker.Plo@am__quote@
@@ -810,8 +843,6 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/optionsfrom.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/packet.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pen.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pkcs7.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pkcs9.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/plugin_feature.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/plugin_loader.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/prf.Plo@am__quote@
@@ -893,6 +924,34 @@ bio_writer.lo: bio/bio_writer.c
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o bio_writer.lo `test -f 'bio/bio_writer.c' || echo '$(srcdir)/'`bio/bio_writer.c
 
+blocking_queue.lo: collections/blocking_queue.c
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT blocking_queue.lo -MD -MP -MF $(DEPDIR)/blocking_queue.Tpo -c -o blocking_queue.lo `test -f 'collections/blocking_queue.c' || echo '$(srcdir)/'`collections/blocking_queue.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/blocking_queue.Tpo $(DEPDIR)/blocking_queue.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='collections/blocking_queue.c' object='blocking_queue.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o blocking_queue.lo `test -f 'collections/blocking_queue.c' || echo '$(srcdir)/'`collections/blocking_queue.c
+
+enumerator.lo: collections/enumerator.c
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT enumerator.lo -MD -MP -MF $(DEPDIR)/enumerator.Tpo -c -o enumerator.lo `test -f 'collections/enumerator.c' || echo '$(srcdir)/'`collections/enumerator.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/enumerator.Tpo $(DEPDIR)/enumerator.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='collections/enumerator.c' object='enumerator.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o enumerator.lo `test -f 'collections/enumerator.c' || echo '$(srcdir)/'`collections/enumerator.c
+
+hashtable.lo: collections/hashtable.c
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT hashtable.lo -MD -MP -MF $(DEPDIR)/hashtable.Tpo -c -o hashtable.lo `test -f 'collections/hashtable.c' || echo '$(srcdir)/'`collections/hashtable.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/hashtable.Tpo $(DEPDIR)/hashtable.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='collections/hashtable.c' object='hashtable.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o hashtable.lo `test -f 'collections/hashtable.c' || echo '$(srcdir)/'`collections/hashtable.c
+
+linked_list.lo: collections/linked_list.c
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT linked_list.lo -MD -MP -MF $(DEPDIR)/linked_list.Tpo -c -o linked_list.lo `test -f 'collections/linked_list.c' || echo '$(srcdir)/'`collections/linked_list.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/linked_list.Tpo $(DEPDIR)/linked_list.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='collections/linked_list.c' object='linked_list.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o linked_list.lo `test -f 'collections/linked_list.c' || echo '$(srcdir)/'`collections/linked_list.c
+
 crypter.lo: crypto/crypters/crypter.c
 @am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT crypter.lo -MD -MP -MF $(DEPDIR)/crypter.Tpo -c -o crypter.lo `test -f 'crypto/crypters/crypter.c' || echo '$(srcdir)/'`crypto/crypters/crypter.c
 @am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/crypter.Tpo $(DEPDIR)/crypter.Plo
@@ -907,20 +966,6 @@ hasher.lo: crypto/hashers/hasher.c
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o hasher.lo `test -f 'crypto/hashers/hasher.c' || echo '$(srcdir)/'`crypto/hashers/hasher.c
 
-pkcs7.lo: crypto/pkcs7.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT pkcs7.lo -MD -MP -MF $(DEPDIR)/pkcs7.Tpo -c -o pkcs7.lo `test -f 'crypto/pkcs7.c' || echo '$(srcdir)/'`crypto/pkcs7.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/pkcs7.Tpo $(DEPDIR)/pkcs7.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='crypto/pkcs7.c' object='pkcs7.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o pkcs7.lo `test -f 'crypto/pkcs7.c' || echo '$(srcdir)/'`crypto/pkcs7.c
-
-pkcs9.lo: crypto/pkcs9.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT pkcs9.lo -MD -MP -MF $(DEPDIR)/pkcs9.Tpo -c -o pkcs9.lo `test -f 'crypto/pkcs9.c' || echo '$(srcdir)/'`crypto/pkcs9.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/pkcs9.Tpo $(DEPDIR)/pkcs9.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='crypto/pkcs9.c' object='pkcs9.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o pkcs9.lo `test -f 'crypto/pkcs9.c' || echo '$(srcdir)/'`crypto/pkcs9.c
-
 proposal_keywords.lo: crypto/proposal/proposal_keywords.c
 @am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT proposal_keywords.lo -MD -MP -MF $(DEPDIR)/proposal_keywords.Tpo -c -o proposal_keywords.lo `test -f 'crypto/proposal/proposal_keywords.c' || echo '$(srcdir)/'`crypto/proposal/proposal_keywords.c
 @am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/proposal_keywords.Tpo $(DEPDIR)/proposal_keywords.Plo
@@ -1075,6 +1120,13 @@ ocsp_response.lo: credentials/certificates/ocsp_response.c
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ocsp_response.lo `test -f 'credentials/certificates/ocsp_response.c' || echo '$(srcdir)/'`credentials/certificates/ocsp_response.c
 
+container.lo: credentials/containers/container.c
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT container.lo -MD -MP -MF $(DEPDIR)/container.Tpo -c -o container.lo `test -f 'credentials/containers/container.c' || echo '$(srcdir)/'`credentials/containers/container.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/container.Tpo $(DEPDIR)/container.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='credentials/containers/container.c' object='container.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o container.lo `test -f 'credentials/containers/container.c' || echo '$(srcdir)/'`credentials/containers/container.c
+
 ietf_attributes.lo: credentials/ietf_attributes/ietf_attributes.c
 @am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ietf_attributes.lo -MD -MP -MF $(DEPDIR)/ietf_attributes.Tpo -c -o ietf_attributes.lo `test -f 'credentials/ietf_attributes/ietf_attributes.c' || echo '$(srcdir)/'`credentials/ietf_attributes/ietf_attributes.c
 @am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/ietf_attributes.Tpo $(DEPDIR)/ietf_attributes.Plo
@@ -1173,6 +1225,34 @@ ipsec_types.lo: ipsec/ipsec_types.c
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ipsec_types.lo `test -f 'ipsec/ipsec_types.c' || echo '$(srcdir)/'`ipsec/ipsec_types.c
 
+host.lo: networking/host.c
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT host.lo -MD -MP -MF $(DEPDIR)/host.Tpo -c -o host.lo `test -f 'networking/host.c' || echo '$(srcdir)/'`networking/host.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/host.Tpo $(DEPDIR)/host.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='networking/host.c' object='host.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o host.lo `test -f 'networking/host.c' || echo '$(srcdir)/'`networking/host.c
+
+host_resolver.lo: networking/host_resolver.c
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT host_resolver.lo -MD -MP -MF $(DEPDIR)/host_resolver.Tpo -c -o host_resolver.lo `test -f 'networking/host_resolver.c' || echo '$(srcdir)/'`networking/host_resolver.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/host_resolver.Tpo $(DEPDIR)/host_resolver.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='networking/host_resolver.c' object='host_resolver.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o host_resolver.lo `test -f 'networking/host_resolver.c' || echo '$(srcdir)/'`networking/host_resolver.c
+
+packet.lo: networking/packet.c
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT packet.lo -MD -MP -MF $(DEPDIR)/packet.Tpo -c -o packet.lo `test -f 'networking/packet.c' || echo '$(srcdir)/'`networking/packet.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/packet.Tpo $(DEPDIR)/packet.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='networking/packet.c' object='packet.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o packet.lo `test -f 'networking/packet.c' || echo '$(srcdir)/'`networking/packet.c
+
+tun_device.lo: networking/tun_device.c
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT tun_device.lo -MD -MP -MF $(DEPDIR)/tun_device.Tpo -c -o tun_device.lo `test -f 'networking/tun_device.c' || echo '$(srcdir)/'`networking/tun_device.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/tun_device.Tpo $(DEPDIR)/tun_device.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='networking/tun_device.c' object='tun_device.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o tun_device.lo `test -f 'networking/tun_device.c' || echo '$(srcdir)/'`networking/tun_device.c
+
 pen.lo: pen/pen.c
 @am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT pen.lo -MD -MP -MF $(DEPDIR)/pen.Tpo -c -o pen.lo `test -f 'pen/pen.c' || echo '$(srcdir)/'`pen/pen.c
 @am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/pen.Tpo $(DEPDIR)/pen.Plo
@@ -1271,19 +1351,33 @@ spinlock.lo: threading/spinlock.c
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o spinlock.lo `test -f 'threading/spinlock.c' || echo '$(srcdir)/'`threading/spinlock.c
 
-host.lo: utils/host.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT host.lo -MD -MP -MF $(DEPDIR)/host.Tpo -c -o host.lo `test -f 'utils/host.c' || echo '$(srcdir)/'`utils/host.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/host.Tpo $(DEPDIR)/host.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='utils/host.c' object='host.lo' libtool=yes @AMDEPBACKSLASH@
+utils.lo: utils/utils.c
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT utils.lo -MD -MP -MF $(DEPDIR)/utils.Tpo -c -o utils.lo `test -f 'utils/utils.c' || echo '$(srcdir)/'`utils/utils.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/utils.Tpo $(DEPDIR)/utils.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='utils/utils.c' object='utils.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o host.lo `test -f 'utils/host.c' || echo '$(srcdir)/'`utils/host.c
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o utils.lo `test -f 'utils/utils.c' || echo '$(srcdir)/'`utils/utils.c
 
-packet.lo: utils/packet.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT packet.lo -MD -MP -MF $(DEPDIR)/packet.Tpo -c -o packet.lo `test -f 'utils/packet.c' || echo '$(srcdir)/'`utils/packet.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/packet.Tpo $(DEPDIR)/packet.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='utils/packet.c' object='packet.lo' libtool=yes @AMDEPBACKSLASH@
+chunk.lo: utils/chunk.c
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT chunk.lo -MD -MP -MF $(DEPDIR)/chunk.Tpo -c -o chunk.lo `test -f 'utils/chunk.c' || echo '$(srcdir)/'`utils/chunk.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/chunk.Tpo $(DEPDIR)/chunk.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='utils/chunk.c' object='chunk.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o chunk.lo `test -f 'utils/chunk.c' || echo '$(srcdir)/'`utils/chunk.c
+
+debug.lo: utils/debug.c
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT debug.lo -MD -MP -MF $(DEPDIR)/debug.Tpo -c -o debug.lo `test -f 'utils/debug.c' || echo '$(srcdir)/'`utils/debug.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/debug.Tpo $(DEPDIR)/debug.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='utils/debug.c' object='debug.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o packet.lo `test -f 'utils/packet.c' || echo '$(srcdir)/'`utils/packet.c
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o debug.lo `test -f 'utils/debug.c' || echo '$(srcdir)/'`utils/debug.c
+
+enum.lo: utils/enum.c
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT enum.lo -MD -MP -MF $(DEPDIR)/enum.Tpo -c -o enum.lo `test -f 'utils/enum.c' || echo '$(srcdir)/'`utils/enum.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/enum.Tpo $(DEPDIR)/enum.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='utils/enum.c' object='enum.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o enum.lo `test -f 'utils/enum.c' || echo '$(srcdir)/'`utils/enum.c
 
 identification.lo: utils/identification.c
 @am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT identification.lo -MD -MP -MF $(DEPDIR)/identification.Tpo -c -o identification.lo `test -f 'utils/identification.c' || echo '$(srcdir)/'`utils/identification.c
@@ -1299,34 +1393,6 @@ lexparser.lo: utils/lexparser.c
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o lexparser.lo `test -f 'utils/lexparser.c' || echo '$(srcdir)/'`utils/lexparser.c
 
-linked_list.lo: utils/linked_list.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT linked_list.lo -MD -MP -MF $(DEPDIR)/linked_list.Tpo -c -o linked_list.lo `test -f 'utils/linked_list.c' || echo '$(srcdir)/'`utils/linked_list.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/linked_list.Tpo $(DEPDIR)/linked_list.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='utils/linked_list.c' object='linked_list.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o linked_list.lo `test -f 'utils/linked_list.c' || echo '$(srcdir)/'`utils/linked_list.c
-
-blocking_queue.lo: utils/blocking_queue.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT blocking_queue.lo -MD -MP -MF $(DEPDIR)/blocking_queue.Tpo -c -o blocking_queue.lo `test -f 'utils/blocking_queue.c' || echo '$(srcdir)/'`utils/blocking_queue.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/blocking_queue.Tpo $(DEPDIR)/blocking_queue.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='utils/blocking_queue.c' object='blocking_queue.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o blocking_queue.lo `test -f 'utils/blocking_queue.c' || echo '$(srcdir)/'`utils/blocking_queue.c
-
-hashtable.lo: utils/hashtable.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT hashtable.lo -MD -MP -MF $(DEPDIR)/hashtable.Tpo -c -o hashtable.lo `test -f 'utils/hashtable.c' || echo '$(srcdir)/'`utils/hashtable.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/hashtable.Tpo $(DEPDIR)/hashtable.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='utils/hashtable.c' object='hashtable.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o hashtable.lo `test -f 'utils/hashtable.c' || echo '$(srcdir)/'`utils/hashtable.c
-
-enumerator.lo: utils/enumerator.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT enumerator.lo -MD -MP -MF $(DEPDIR)/enumerator.Tpo -c -o enumerator.lo `test -f 'utils/enumerator.c' || echo '$(srcdir)/'`utils/enumerator.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/enumerator.Tpo $(DEPDIR)/enumerator.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='utils/enumerator.c' object='enumerator.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o enumerator.lo `test -f 'utils/enumerator.c' || echo '$(srcdir)/'`utils/enumerator.c
-
 optionsfrom.lo: utils/optionsfrom.c
 @am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT optionsfrom.lo -MD -MP -MF $(DEPDIR)/optionsfrom.Tpo -c -o optionsfrom.lo `test -f 'utils/optionsfrom.c' || echo '$(srcdir)/'`utils/optionsfrom.c
 @am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/optionsfrom.Tpo $(DEPDIR)/optionsfrom.Plo
@@ -1348,12 +1414,19 @@ backtrace.lo: utils/backtrace.c
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o backtrace.lo `test -f 'utils/backtrace.c' || echo '$(srcdir)/'`utils/backtrace.c
 
-tun_device.lo: utils/tun_device.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT tun_device.lo -MD -MP -MF $(DEPDIR)/tun_device.Tpo -c -o tun_device.lo `test -f 'utils/tun_device.c' || echo '$(srcdir)/'`utils/tun_device.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/tun_device.Tpo $(DEPDIR)/tun_device.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='utils/tun_device.c' object='tun_device.lo' libtool=yes @AMDEPBACKSLASH@
+printf_hook.lo: utils/printf_hook.c
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT printf_hook.lo -MD -MP -MF $(DEPDIR)/printf_hook.Tpo -c -o printf_hook.lo `test -f 'utils/printf_hook.c' || echo '$(srcdir)/'`utils/printf_hook.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/printf_hook.Tpo $(DEPDIR)/printf_hook.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='utils/printf_hook.c' object='printf_hook.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o printf_hook.lo `test -f 'utils/printf_hook.c' || echo '$(srcdir)/'`utils/printf_hook.c
+
+settings.lo: utils/settings.c
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT settings.lo -MD -MP -MF $(DEPDIR)/settings.Tpo -c -o settings.lo `test -f 'utils/settings.c' || echo '$(srcdir)/'`utils/settings.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/settings.Tpo $(DEPDIR)/settings.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='utils/settings.c' object='settings.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o tun_device.lo `test -f 'utils/tun_device.c' || echo '$(srcdir)/'`utils/tun_device.c
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o settings.lo `test -f 'utils/settings.c' || echo '$(srcdir)/'`utils/settings.c
 
 leak_detective.lo: utils/leak_detective.c
 @am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT leak_detective.lo -MD -MP -MF $(DEPDIR)/leak_detective.Tpo -c -o leak_detective.lo `test -f 'utils/leak_detective.c' || echo '$(srcdir)/'`utils/leak_detective.c
@@ -1362,6 +1435,13 @@ leak_detective.lo: utils/leak_detective.c
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o leak_detective.lo `test -f 'utils/leak_detective.c' || echo '$(srcdir)/'`utils/leak_detective.c
 
+integrity_checker.lo: utils/integrity_checker.c
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT integrity_checker.lo -MD -MP -MF $(DEPDIR)/integrity_checker.Tpo -c -o integrity_checker.lo `test -f 'utils/integrity_checker.c' || echo '$(srcdir)/'`utils/integrity_checker.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/integrity_checker.Tpo $(DEPDIR)/integrity_checker.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='utils/integrity_checker.c' object='integrity_checker.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o integrity_checker.lo `test -f 'utils/integrity_checker.c' || echo '$(srcdir)/'`utils/integrity_checker.c
+
 mostlyclean-libtool:
 	-rm -f *.lo
 
@@ -1387,9 +1467,7 @@ uninstall-nobase_strongswan_includeHEADERS:
 	@$(NORMAL_UNINSTALL)
 	@list='$(nobase_strongswan_include_HEADERS)'; test -n "$(strongswan_includedir)" || list=; \
 	$(am__nobase_strip_setup); files=`$(am__nobase_strip)`; \
-	test -n "$$files" || exit 0; \
-	echo " ( cd '$(DESTDIR)$(strongswan_includedir)' && rm -f" $$files ")"; \
-	cd "$(DESTDIR)$(strongswan_includedir)" && rm -f $$files
+	dir='$(DESTDIR)$(strongswan_includedir)'; $(am__uninstall_files_from_dir)
 
 # This directory's subdirectories are mostly independent; you can cd
 # into them and run `make' without going through this Makefile.
@@ -1604,10 +1682,15 @@ install-am: all-am
 
 installcheck: installcheck-recursive
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
diff --git a/src/libstrongswan/asn1/asn1.c b/src/libstrongswan/asn1/asn1.c
index c9f6fce25..f438cb20e 100644
--- a/src/libstrongswan/asn1/asn1.c
+++ b/src/libstrongswan/asn1/asn1.c
@@ -19,7 +19,7 @@
 #include <string.h>
 #include <time.h>
 
-#include <debug.h>
+#include <utils/debug.h>
 
 #include "oid.h"
 #include "asn1.h"
diff --git a/src/libstrongswan/asn1/asn1_parser.c b/src/libstrongswan/asn1/asn1_parser.c
index 40e11b321..c31fb75f0 100644
--- a/src/libstrongswan/asn1/asn1_parser.c
+++ b/src/libstrongswan/asn1/asn1_parser.c
@@ -19,7 +19,7 @@
 #include <string.h>
 #include <time.h>
 
-#include <debug.h>
+#include <utils/debug.h>
 
 #include "asn1.h"
 #include "asn1_parser.h"
diff --git a/src/libstrongswan/asn1/oid.c b/src/libstrongswan/asn1/oid.c
index b21299620..ec60be811 100644
--- a/src/libstrongswan/asn1/oid.c
+++ b/src/libstrongswan/asn1/oid.c
@@ -333,11 +333,11 @@ const oid_t oid_names[] = {
  {        0x25,               321, 0,  4, "sect409r1"                 }, /* 320 */
  {        0x26,               322, 0,  4, "sect571k1"                 }, /* 321 */
  {        0x27,                 0, 0,  4, "sect571r1"                 }, /* 322 */
- {0x60,                       369, 1,  0, ""                          }, /* 323 */
+ {0x60,                       371, 1,  0, ""                          }, /* 323 */
  {  0x86,                       0, 1,  1, ""                          }, /* 324 */
  {    0x48,                     0, 1,  2, ""                          }, /* 325 */
  {      0x01,                   0, 1,  3, "organization"              }, /* 326 */
- {        0x65,               345, 1,  4, "gov"                       }, /* 327 */
+ {        0x65,               347, 1,  4, "gov"                       }, /* 327 */
  {          0x03,               0, 1,  5, "csor"                      }, /* 328 */
  {            0x04,             0, 1,  6, "nistalgorithm"             }, /* 329 */
  {              0x01,         340, 1,  7, "aes"                       }, /* 330 */
@@ -354,37 +354,39 @@ const oid_t oid_names[] = {
  {                0x01,       342, 0,  8, "id-SHA-256"                }, /* 341 */
  {                0x02,       343, 0,  8, "id-SHA-384"                }, /* 342 */
  {                0x03,       344, 0,  8, "id-SHA-512"                }, /* 343 */
- {                0x04,         0, 0,  8, "id-SHA-224"                }, /* 344 */
- {        0x86,                 0, 1,  4, ""                          }, /* 345 */
- {          0xf8,               0, 1,  5, ""                          }, /* 346 */
- {            0x42,           359, 1,  6, "netscape"                  }, /* 347 */
- {              0x01,         354, 1,  7, ""                          }, /* 348 */
- {                0x01,       350, 0,  8, "nsCertType"                }, /* 349 */
- {                0x03,       351, 0,  8, "nsRevocationUrl"           }, /* 350 */
- {                0x04,       352, 0,  8, "nsCaRevocationUrl"         }, /* 351 */
- {                0x08,       353, 0,  8, "nsCaPolicyUrl"             }, /* 352 */
- {                0x0d,         0, 0,  8, "nsComment"                 }, /* 353 */
- {              0x03,         357, 1,  7, "directory"                 }, /* 354 */
- {                0x01,         0, 1,  8, ""                          }, /* 355 */
- {                  0x03,       0, 0,  9, "employeeNumber"            }, /* 356 */
- {              0x04,           0, 1,  7, "policy"                    }, /* 357 */
- {                0x01,         0, 0,  8, "nsSGC"                     }, /* 358 */
- {            0x45,             0, 1,  6, "verisign"                  }, /* 359 */
- {              0x01,           0, 1,  7, "pki"                       }, /* 360 */
- {                0x09,         0, 1,  8, "attributes"                }, /* 361 */
- {                  0x02,     363, 0,  9, "messageType"               }, /* 362 */
- {                  0x03,     364, 0,  9, "pkiStatus"                 }, /* 363 */
- {                  0x04,     365, 0,  9, "failInfo"                  }, /* 364 */
- {                  0x05,     366, 0,  9, "senderNonce"               }, /* 365 */
- {                  0x06,     367, 0,  9, "recipientNonce"            }, /* 366 */
- {                  0x07,     368, 0,  9, "transID"                   }, /* 367 */
- {                  0x08,       0, 0,  9, "extensionReq"              }, /* 368 */
- {0x67,                         0, 1,  0, ""                          }, /* 369 */
- {  0x81,                       0, 1,  1, ""                          }, /* 370 */
- {    0x05,                     0, 1,  2, ""                          }, /* 371 */
- {      0x02,                   0, 1,  3, "tcg-attribute"             }, /* 372 */
- {        0x01,               374, 0,  4, "tcg-at-tpmManufacturer"    }, /* 373 */
- {        0x02,               375, 0,  4, "tcg-at-tpmModel"           }, /* 374 */
- {        0x03,               376, 0,  4, "tcg-at-tpmVersion"         }, /* 375 */
- {        0x0F,                 0, 0,  4, "tcg-at-tpmIdLabel"         }  /* 376 */
+ {                0x04,       345, 0,  8, "id-SHA-224"                }, /* 344 */
+ {                0x05,       346, 0,  8, "id-SHA-512-224"            }, /* 345 */
+ {                0x06,         0, 0,  8, "id-SHA-512-256"            }, /* 346 */
+ {        0x86,                 0, 1,  4, ""                          }, /* 347 */
+ {          0xf8,               0, 1,  5, ""                          }, /* 348 */
+ {            0x42,           361, 1,  6, "netscape"                  }, /* 349 */
+ {              0x01,         356, 1,  7, ""                          }, /* 350 */
+ {                0x01,       352, 0,  8, "nsCertType"                }, /* 351 */
+ {                0x03,       353, 0,  8, "nsRevocationUrl"           }, /* 352 */
+ {                0x04,       354, 0,  8, "nsCaRevocationUrl"         }, /* 353 */
+ {                0x08,       355, 0,  8, "nsCaPolicyUrl"             }, /* 354 */
+ {                0x0d,         0, 0,  8, "nsComment"                 }, /* 355 */
+ {              0x03,         359, 1,  7, "directory"                 }, /* 356 */
+ {                0x01,         0, 1,  8, ""                          }, /* 357 */
+ {                  0x03,       0, 0,  9, "employeeNumber"            }, /* 358 */
+ {              0x04,           0, 1,  7, "policy"                    }, /* 359 */
+ {                0x01,         0, 0,  8, "nsSGC"                     }, /* 360 */
+ {            0x45,             0, 1,  6, "verisign"                  }, /* 361 */
+ {              0x01,           0, 1,  7, "pki"                       }, /* 362 */
+ {                0x09,         0, 1,  8, "attributes"                }, /* 363 */
+ {                  0x02,     365, 0,  9, "messageType"               }, /* 364 */
+ {                  0x03,     366, 0,  9, "pkiStatus"                 }, /* 365 */
+ {                  0x04,     367, 0,  9, "failInfo"                  }, /* 366 */
+ {                  0x05,     368, 0,  9, "senderNonce"               }, /* 367 */
+ {                  0x06,     369, 0,  9, "recipientNonce"            }, /* 368 */
+ {                  0x07,     370, 0,  9, "transID"                   }, /* 369 */
+ {                  0x08,       0, 0,  9, "extensionReq"              }, /* 370 */
+ {0x67,                         0, 1,  0, ""                          }, /* 371 */
+ {  0x81,                       0, 1,  1, ""                          }, /* 372 */
+ {    0x05,                     0, 1,  2, ""                          }, /* 373 */
+ {      0x02,                   0, 1,  3, "tcg-attribute"             }, /* 374 */
+ {        0x01,               376, 0,  4, "tcg-at-tpmManufacturer"    }, /* 375 */
+ {        0x02,               377, 0,  4, "tcg-at-tpmModel"           }, /* 376 */
+ {        0x03,               378, 0,  4, "tcg-at-tpmVersion"         }, /* 377 */
+ {        0x0F,                 0, 0,  4, "tcg-at-tpmIdLabel"         }  /* 378 */
 };
diff --git a/src/libstrongswan/asn1/oid.h b/src/libstrongswan/asn1/oid.h
index 5e30a3675..d9838ccd8 100644
--- a/src/libstrongswan/asn1/oid.h
+++ b/src/libstrongswan/asn1/oid.h
@@ -205,22 +205,22 @@ extern const oid_t oid_names[];
 #define OID_SHA384							342
 #define OID_SHA512							343
 #define OID_SHA224							344
-#define OID_NS_REVOCATION_URL				350
-#define OID_NS_CA_REVOCATION_URL			351
-#define OID_NS_CA_POLICY_URL				352
-#define OID_NS_COMMENT						353
-#define OID_EMPLOYEE_NUMBER					356
-#define OID_PKI_MESSAGE_TYPE				362
-#define OID_PKI_STATUS						363
-#define OID_PKI_FAIL_INFO					364
-#define OID_PKI_SENDER_NONCE				365
-#define OID_PKI_RECIPIENT_NONCE				366
-#define OID_PKI_TRANS_ID					367
-#define OID_TPM_MANUFACTURER				373
-#define OID_TPM_MODEL						374
-#define OID_TPM_VERSION						375
-#define OID_TPM_ID_LABEL					376
+#define OID_NS_REVOCATION_URL				352
+#define OID_NS_CA_REVOCATION_URL			353
+#define OID_NS_CA_POLICY_URL				354
+#define OID_NS_COMMENT						355
+#define OID_EMPLOYEE_NUMBER					358
+#define OID_PKI_MESSAGE_TYPE				364
+#define OID_PKI_STATUS						365
+#define OID_PKI_FAIL_INFO					366
+#define OID_PKI_SENDER_NONCE				367
+#define OID_PKI_RECIPIENT_NONCE				368
+#define OID_PKI_TRANS_ID					369
+#define OID_TPM_MANUFACTURER				375
+#define OID_TPM_MODEL						376
+#define OID_TPM_VERSION						377
+#define OID_TPM_ID_LABEL					378
 
-#define OID_MAX								377
+#define OID_MAX								379
 
 #endif /* OID_H_ */
diff --git a/src/libstrongswan/asn1/oid.txt b/src/libstrongswan/asn1/oid.txt
index 51a29eb33..c4677a537 100644
--- a/src/libstrongswan/asn1/oid.txt
+++ b/src/libstrongswan/asn1/oid.txt
@@ -343,6 +343,8 @@
                 0x02         "id-SHA-384"				OID_SHA384
                 0x03         "id-SHA-512"				OID_SHA512
                 0x04         "id-SHA-224"				OID_SHA224
+                0x05         "id-SHA-512-224"
+                0x06         "id-SHA-512-256"
         0x86                 ""
           0xf8               ""
             0x42             "netscape"
diff --git a/src/libstrongswan/bio/bio_reader.c b/src/libstrongswan/bio/bio_reader.c
index 3a62bb541..17815d6c0 100644
--- a/src/libstrongswan/bio/bio_reader.c
+++ b/src/libstrongswan/bio/bio_reader.c
@@ -18,7 +18,7 @@
 
 #include "bio_reader.h"
 
-#include <debug.h>
+#include <utils/debug.h>
 
 typedef struct private_bio_reader_t private_bio_reader_t;
 
diff --git a/src/libstrongswan/bio/bio_writer.h b/src/libstrongswan/bio/bio_writer.h
index 57a5c3d38..2ac4f3556 100644
--- a/src/libstrongswan/bio/bio_writer.h
+++ b/src/libstrongswan/bio/bio_writer.h
@@ -126,8 +126,11 @@ struct bio_writer_t {
 	void (*wrap32)(bio_writer_t *this);
 
 	/**
-	 * Skips len bytes in the buffer before the next data is written, returns
-	 * a chunk covering the skipped bytes.
+	 * Skips len bytes in the buffer, return chunk of skipped data.
+	 *
+	 * The returned chunk is not valid after calling any other writer function
+	 * (except get_buf()), because a buffer reallocation might move the
+	 * internal buffer to a different memory location!
 	 *
 	 * @param len		number of bytes to skip
 	 * @return			chunk pointing to skipped bytes in the internal buffer
diff --git a/src/libstrongswan/chunk.c b/src/libstrongswan/chunk.c
deleted file mode 100644
index d7f1c31d9..000000000
--- a/src/libstrongswan/chunk.c
+++ /dev/null
@@ -1,690 +0,0 @@
-/*
- * Copyright (C) 2008-2009 Tobias Brunner
- * Copyright (C) 2005-2006 Martin Willi
- * Copyright (C) 2005 Jan Hutter
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include <stdio.h>
-#include <sys/stat.h>
-#include <unistd.h>
-#include <errno.h>
-#include <ctype.h>
-
-#include "chunk.h"
-#include "debug.h"
-
-/* required for chunk_hash */
-#undef get16bits
-#if (defined(__GNUC__) && defined(__i386__))
-#define get16bits(d) (*((const u_int16_t*)(d)))
-#endif
-#if !defined (get16bits)
-#define get16bits(d) ((((u_int32_t)(((const u_int8_t*)(d))[1])) << 8)\
-                      + (u_int32_t)(((const u_int8_t*)(d))[0]) )
-#endif
-
-/**
- * Empty chunk.
- */
-chunk_t chunk_empty = { NULL, 0 };
-
-/**
- * Described in header.
- */
-chunk_t chunk_create_clone(u_char *ptr, chunk_t chunk)
-{
-	chunk_t clone = chunk_empty;
-
-	if (chunk.ptr && chunk.len > 0)
-	{
-		clone.ptr = ptr;
-		clone.len = chunk.len;
-		memcpy(clone.ptr, chunk.ptr, chunk.len);
-	}
-
-	return clone;
-}
-
-/**
- * Described in header.
- */
-size_t chunk_length(const char* mode, ...)
-{
-	va_list chunks;
-	size_t length = 0;
-
-	va_start(chunks, mode);
-	while (TRUE)
-	{
-		switch (*mode++)
-		{
-			case 'm':
-			case 'c':
-			case 's':
-			{
-				chunk_t ch = va_arg(chunks, chunk_t);
-				length += ch.len;
-				continue;
-			}
-			default:
-				break;
-		}
-		break;
-	}
-	va_end(chunks);
-	return length;
-}
-
-/**
- * Described in header.
- */
-chunk_t chunk_create_cat(u_char *ptr, const char* mode, ...)
-{
-	va_list chunks;
-	chunk_t construct = chunk_create(ptr, 0);
-
-	va_start(chunks, mode);
-	while (TRUE)
-	{
-		bool free_chunk = FALSE, clear_chunk = FALSE;
-		chunk_t ch;
-
-		switch (*mode++)
-		{
-			case 's':
-				clear_chunk = TRUE;
-				/* FALL */
-			case 'm':
-				free_chunk = TRUE;
-				/* FALL */
-			case 'c':
-				ch = va_arg(chunks, chunk_t);
-				memcpy(ptr, ch.ptr, ch.len);
-				ptr += ch.len;
-				construct.len += ch.len;
-				if (clear_chunk)
-				{
-					chunk_clear(&ch);
-				}
-				else if (free_chunk)
-				{
-					free(ch.ptr);
-				}
-				continue;
-			default:
-				break;
-		}
-		break;
-	}
-	va_end(chunks);
-
-	return construct;
-}
-
-/**
- * Described in header.
- */
-void chunk_split(chunk_t chunk, const char *mode, ...)
-{
-	va_list chunks;
-	u_int len;
-	chunk_t *ch;
-
-	va_start(chunks, mode);
-	while (TRUE)
-	{
-		if (*mode == '\0')
-		{
-			break;
-		}
-		len = va_arg(chunks, u_int);
-		ch = va_arg(chunks, chunk_t*);
-		/* a null chunk means skip len bytes */
-		if (ch == NULL)
-		{
-			chunk = chunk_skip(chunk, len);
-			continue;
-		}
-		switch (*mode++)
-		{
-			case 'm':
-			{
-				ch->len = min(chunk.len, len);
-				if (ch->len)
-				{
-					ch->ptr = chunk.ptr;
-				}
-				else
-				{
-					ch->ptr = NULL;
-				}
-				chunk = chunk_skip(chunk, ch->len);
-				continue;
-			}
-			case 'a':
-			{
-				ch->len = min(chunk.len, len);
-				if (ch->len)
-				{
-					ch->ptr = malloc(ch->len);
-					memcpy(ch->ptr, chunk.ptr, ch->len);
-				}
-				else
-				{
-					ch->ptr = NULL;
-				}
-				chunk = chunk_skip(chunk, ch->len);
-				continue;
-			}
-			case 'c':
-			{
-				ch->len = min(ch->len, chunk.len);
-				ch->len = min(ch->len, len);
-				if (ch->len)
-				{
-					memcpy(ch->ptr, chunk.ptr, ch->len);
-				}
-				else
-				{
-					ch->ptr = NULL;
-				}
-				chunk = chunk_skip(chunk, ch->len);
-				continue;
-			}
-			default:
-				break;
-		}
-		break;
-	}
-	va_end(chunks);
-}
-
-/**
- * Described in header.
- */
-bool chunk_write(chunk_t chunk, char *path, char *label, mode_t mask, bool force)
-{
-	mode_t oldmask;
-	FILE *fd;
-	bool good = FALSE;
-
-	if (!force && access(path, F_OK) == 0)
-	{
-		DBG1(DBG_LIB, "  %s file '%s' already exists", label, path);
-		return FALSE;
-	}
-	oldmask = umask(mask);
-	fd = fopen(path, "w");
-	if (fd)
-	{
-		if (fwrite(chunk.ptr, sizeof(u_char), chunk.len, fd) == chunk.len)
-		{
-			DBG1(DBG_LIB, "  written %s file '%s' (%d bytes)",
-				 label, path, chunk.len);
-			good = TRUE;
-		}
-		else
-		{
-			DBG1(DBG_LIB, "  writing %s file '%s' failed: %s",
-				 label, path, strerror(errno));
-		}
-		fclose(fd);
-	}
-	else
-	{
-		DBG1(DBG_LIB, "  could not open %s file '%s': %s", label, path,
-			 strerror(errno));
-	}
-	umask(oldmask);
-	return good;
-}
-
-
-/** hex conversion digits */
-static char hexdig_upper[] = "0123456789ABCDEF";
-static char hexdig_lower[] = "0123456789abcdef";
-
-/**
- * Described in header.
- */
-chunk_t chunk_to_hex(chunk_t chunk, char *buf, bool uppercase)
-{
-	int i, len;
-	char *hexdig = hexdig_lower;
-
-	if (uppercase)
-	{
-		hexdig = hexdig_upper;
-	}
-
-	len = chunk.len * 2;
-	if (!buf)
-	{
-		buf = malloc(len + 1);
-	}
-	buf[len] = '\0';
-
-	for (i = 0; i < chunk.len; i++)
-	{
-		buf[i*2]   = hexdig[(chunk.ptr[i] >> 4) & 0xF];
-		buf[i*2+1] = hexdig[(chunk.ptr[i]     ) & 0xF];
-	}
-	return chunk_create(buf, len);
-}
-
-/**
- * convert a signle hex character to its binary value
- */
-static char hex2bin(char hex)
-{
-	switch (hex)
-	{
-		case '0' ... '9':
-			return hex - '0';
-		case 'A' ... 'F':
-			return hex - 'A' + 10;
-		case 'a' ... 'f':
-			return hex - 'a' + 10;
-		default:
-			return 0;
-	}
-}
-
-/**
- * Described in header.
- */
-chunk_t chunk_from_hex(chunk_t hex, char *buf)
-{
-	int i, len;
-	u_char *ptr;
-	bool odd = FALSE;
-
-   /* subtract the number of optional ':' separation characters */
-	len = hex.len;
-	ptr = hex.ptr;
-	for (i = 0; i < hex.len; i++)
-	{
-		if (*ptr++ == ':')
-		{
-			len--;
-		}
-	}
-
-	/* compute the number of binary bytes */
-	if (len % 2)
-	{
-		odd = TRUE;
-		len++;
-	}
-	len /= 2;
-
-	/* allocate buffer memory unless provided by caller */
-	if (!buf)
-	{
-		buf = malloc(len);
-	}
-
-	/* buffer is filled from the right */
-	memset(buf, 0, len);
-	hex.ptr += hex.len;
-
-	for (i = len - 1; i >= 0; i--)
-	{
-		/* skip separation characters */
-		if (*(--hex.ptr) == ':')
-		{
-			--hex.ptr;
-		}
-		buf[i] = hex2bin(*hex.ptr);
-		if (i > 0 || !odd)
-		{
-			buf[i] |= hex2bin(*(--hex.ptr)) << 4;
-		}
-	}
-	return chunk_create(buf, len);
-}
-
-/** base 64 conversion digits */
-static char b64digits[] =
-	"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
-
-/**
- * Described in header.
- */
-chunk_t chunk_to_base64(chunk_t chunk, char *buf)
-{
-	int i, len;
-	char *pos;
-
-	len = chunk.len + ((3 - chunk.len % 3) % 3);
-	if (!buf)
-	{
-		buf = malloc(len * 4 / 3 + 1);
-	}
-	pos = buf;
-	for (i = 0; i < len; i+=3)
-	{
-		*pos++ = b64digits[chunk.ptr[i] >> 2];
-		if (i+1 >= chunk.len)
-		{
-			*pos++ = b64digits[(chunk.ptr[i] & 0x03) << 4];
-			*pos++ = '=';
-			*pos++ = '=';
-			break;
-		}
-		*pos++ = b64digits[((chunk.ptr[i] & 0x03) << 4) | (chunk.ptr[i+1] >> 4)];
-		if (i+2 >= chunk.len)
-		{
-			*pos++ = b64digits[(chunk.ptr[i+1] & 0x0F) << 2];
-			*pos++ = '=';
-			break;
-		}
-		*pos++ = b64digits[((chunk.ptr[i+1] & 0x0F) << 2) | (chunk.ptr[i+2] >> 6)];
-		*pos++ = b64digits[chunk.ptr[i+2] & 0x3F];
-	}
-	*pos = '\0';
-	return chunk_create(buf, len * 4 / 3);
-}
-
-/**
- * convert a base 64 digit to its binary form (inversion of b64digits array)
- */
-static int b642bin(char b64)
-{
-	switch (b64)
-	{
-		case 'A' ... 'Z':
-			return b64 - 'A';
-		case 'a' ... 'z':
-			return ('Z' - 'A' + 1) + b64 - 'a';
-		case '0' ... '9':
-			return ('Z' - 'A' + 1) + ('z' - 'a' + 1) + b64 - '0';
-		case '+':
-		case '-':
-			return 62;
-		case '/':
-		case '_':
-			return 63;
-		case '=':
-			return 0;
-		default:
-			return -1;
-	}
-}
-
-/**
- * Described in header.
- */
-chunk_t chunk_from_base64(chunk_t base64, char *buf)
-{
-	u_char *pos, byte[4];
-	int i, j, len, outlen;
-
-	len = base64.len / 4 * 3;
-	if (!buf)
-	{
-		buf = malloc(len);
-	}
-	pos = base64.ptr;
-	outlen = 0;
-	for (i = 0; i < len; i+=3)
-	{
-		outlen += 3;
-		for (j = 0; j < 4; j++)
-		{
-			if (*pos == '=')
-			{
-				outlen--;
-			}
-			byte[j] = b642bin(*pos++);
-		}
-		buf[i] = (byte[0] << 2) | (byte[1] >> 4);
-		buf[i+1] = (byte[1] << 4) | (byte[2] >> 2);
-		buf[i+2] = (byte[2] << 6) | (byte[3]);
-	}
-	return chunk_create(buf, outlen);
-}
-
-/** base 32 conversion digits */
-static char b32digits[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567";
-
-/**
- * Described in header.
- */
-chunk_t chunk_to_base32(chunk_t chunk, char *buf)
-{
-	int i, len;
-	char *pos;
-
-	len = chunk.len + ((5 - chunk.len % 5) % 5);
-	if (!buf)
-	{
-		buf = malloc(len * 8 / 5 + 1);
-	}
-	pos = buf;
-	for (i = 0; i < len; i+=5)
-	{
-		*pos++ = b32digits[chunk.ptr[i] >> 3];
-		if (i+1 >= chunk.len)
-		{
-			*pos++ = b32digits[(chunk.ptr[i] & 0x07) << 2];
-			memset(pos, '=', 6);
-			pos += 6;
-			break;
-		}
-		*pos++ = b32digits[((chunk.ptr[i] & 0x07) << 2) |
-						   (chunk.ptr[i+1] >> 6)];
-		*pos++ = b32digits[(chunk.ptr[i+1] & 0x3E) >> 1];
-		if (i+2 >= chunk.len)
-		{
-			*pos++ = b32digits[(chunk.ptr[i+1] & 0x01) << 4];
-			memset(pos, '=', 4);
-			pos += 4;
-			break;
-		}
-		*pos++ = b32digits[((chunk.ptr[i+1] & 0x01) << 4) |
-						   (chunk.ptr[i+2] >> 4)];
-		if (i+3 >= chunk.len)
-		{
-			*pos++ = b32digits[(chunk.ptr[i+2] & 0x0F) << 1];
-			memset(pos, '=', 3);
-			pos += 3;
-			break;
-		}
-		*pos++ = b32digits[((chunk.ptr[i+2] & 0x0F) << 1) |
-						   (chunk.ptr[i+3] >> 7)];
-		*pos++ = b32digits[(chunk.ptr[i+3] & 0x7F) >> 2];
-		if (i+4 >= chunk.len)
-		{
-			*pos++ = b32digits[(chunk.ptr[i+3] & 0x03) << 3];
-			*pos++ = '=';
-			break;
-		}
-		*pos++ = b32digits[((chunk.ptr[i+3] & 0x03) << 3) |
-						   (chunk.ptr[i+4] >> 5)];
-		*pos++ = b32digits[chunk.ptr[i+4] & 0x1F];
-	}
-	*pos = '\0';
-	return chunk_create(buf, len * 8 / 5);
-}
-
-/**
- * Described in header.
- */
-int chunk_compare(chunk_t a, chunk_t b)
-{
-	int compare_len = a.len - b.len;
-	int len = (compare_len < 0)? a.len : b.len;
-
-	if (compare_len != 0 || len == 0)
-	{
-		return compare_len;
-	}
-	return memcmp(a.ptr, b.ptr, len);
-};
-
-
-/**
- * Described in header.
- */
-bool chunk_increment(chunk_t chunk)
-{
-	int i;
-
-	for (i = chunk.len - 1; i >= 0; i--)
-	{
-		if (++chunk.ptr[i] != 0)
-		{
-			return FALSE;
-		}
-	}
-	return TRUE;
-}
-
-/**
- * Remove non-printable characters from a chunk.
- */
-bool chunk_printable(chunk_t chunk, chunk_t *sane, char replace)
-{
-	bool printable = TRUE;
-	int i;
-
-	if (sane)
-	{
-		*sane = chunk_clone(chunk);
-	}
-	for (i = 0; i < chunk.len; i++)
-	{
-		if (!isprint(chunk.ptr[i]))
-		{
-			if (sane)
-			{
-				sane->ptr[i] = replace;
-			}
-			printable = FALSE;
-		}
-	}
-	return printable;
-}
-
-/**
- * Described in header.
- *
- * The implementation is based on Paul Hsieh's SuperFastHash:
- *	 http://www.azillionmonkeys.com/qed/hash.html
- */
-u_int32_t chunk_hash_inc(chunk_t chunk, u_int32_t hash)
-{
-	u_char *data = chunk.ptr;
-	size_t len = chunk.len;
-	u_int32_t tmp;
-	int rem;
-
-	if (!len || data == NULL)
-	{
-		return 0;
-	}
-
-	rem = len & 3;
-	len >>= 2;
-
-	/* Main loop */
-	for (; len > 0; --len)
-	{
-		hash += get16bits(data);
-		tmp   = (get16bits(data + 2) << 11) ^ hash;
-		hash  = (hash << 16) ^ tmp;
-		data += 2 * sizeof(u_int16_t);
-		hash += hash >> 11;
-	}
-
-	/* Handle end cases */
-	switch (rem)
-	{
-		case 3:
-		{
-			hash += get16bits(data);
-			hash ^= hash << 16;
-			hash ^= data[sizeof(u_int16_t)] << 18;
-			hash += hash >> 11;
-			break;
-		}
-		case 2:
-		{
-			hash += get16bits(data);
-			hash ^= hash << 11;
-			hash += hash >> 17;
-			break;
-		}
-		case 1:
-		{
-			hash += *data;
-			hash ^= hash << 10;
-			hash += hash >> 1;
-			break;
-		}
-	}
-
-	/* Force "avalanching" of final 127 bits */
-	hash ^= hash << 3;
-	hash += hash >> 5;
-	hash ^= hash << 4;
-	hash += hash >> 17;
-	hash ^= hash << 25;
-	hash += hash >> 6;
-
-	return hash;
-}
-
-/**
- * Described in header.
- */
-u_int32_t chunk_hash(chunk_t chunk)
-{
-	return chunk_hash_inc(chunk, chunk.len);
-}
-
-/**
- * Described in header.
- */
-int chunk_printf_hook(printf_hook_data_t *data, printf_hook_spec_t *spec,
-					  const void *const *args)
-{
-	chunk_t *chunk = *((chunk_t**)(args[0]));
-	bool first = TRUE;
-	chunk_t copy = *chunk;
-	int written = 0;
-
-	if (!spec->hash)
-	{
-		u_int chunk_len = chunk->len;
-		const void *new_args[] = {&chunk->ptr, &chunk_len};
-		return mem_printf_hook(data, spec, new_args);
-	}
-
-	while (copy.len > 0)
-	{
-		if (first)
-		{
-			first = FALSE;
-		}
-		else
-		{
-			written += print_in_hook(data, ":");
-		}
-		written += print_in_hook(data, "%02x", *copy.ptr++);
-		copy.len--;
-	}
-	return written;
-}
diff --git a/src/libstrongswan/chunk.h b/src/libstrongswan/chunk.h
deleted file mode 100644
index 91b23da3b..000000000
--- a/src/libstrongswan/chunk.h
+++ /dev/null
@@ -1,318 +0,0 @@
-/*
- * Copyright (C) 2008-2009 Tobias Brunner
- * Copyright (C) 2005-2008 Martin Willi
- * Copyright (C) 2005 Jan Hutter
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup chunk chunk
- * @{ @ingroup libstrongswan
- */
-
-#ifndef CHUNK_H_
-#define CHUNK_H_
-
-#include <string.h>
-#include <stdarg.h>
-#include <sys/types.h>
-#ifdef HAVE_ALLOCA_H
-#include <alloca.h>
-#endif
-
-typedef struct chunk_t chunk_t;
-
-/**
- * General purpose pointer/length abstraction.
- */
-struct chunk_t {
-	/** Pointer to start of data */
-	u_char *ptr;
-	/** Length of data in bytes */
-	size_t len;
-};
-
-#include "utils.h"
-
-/**
- * A { NULL, 0 }-chunk handy for initialization.
- */
-extern chunk_t chunk_empty;
-
-/**
- * Create a new chunk pointing to "ptr" with length "len"
- */
-static inline chunk_t chunk_create(u_char *ptr, size_t len)
-{
-	chunk_t chunk = {ptr, len};
-	return chunk;
-}
-
-/**
- * Create a clone of a chunk pointing to "ptr"
- */
-chunk_t chunk_create_clone(u_char *ptr, chunk_t chunk);
-
-/**
- * Calculate length of multiple chunks
- */
-size_t chunk_length(const char *mode, ...);
-
-/**
- * Concatenate chunks into a chunk pointing to "ptr".
- *
- * The mode string specifies the number of chunks, and how to handle each of
- * them with a single character: 'c' for copy (allocate new chunk), 'm' for move
- * (free given chunk) or 's' for sensitive-move (clear given chunk, then free).
- */
-chunk_t chunk_create_cat(u_char *ptr, const char* mode, ...);
-
-/**
- * Split up a chunk into parts, "mode" is a string of "a" (alloc),
- * "c" (copy) and "m" (move). Each letter say for the corresponding chunk if
- * it should get allocated on heap, copied into existing chunk, or the chunk
- * should point into "chunk". The length of each part is an argument before
- * each target chunk. E.g.:
- * chunk_split(chunk, "mcac", 3, &a, 7, &b, 5, &c, d.len, &d);
- */
-void chunk_split(chunk_t chunk, const char *mode, ...);
-
-/**
- * Write the binary contents of a chunk_t to a file
- *
- * @param chunk			contents to write to file
- * @param path			path where file is written to
- * @param label			label specifying file type
- * @param mask			file mode creation mask
- * @param force			overwrite existing file by force
- * @return				TRUE if write operation was successful
- */
-bool chunk_write(chunk_t chunk, char *path, char *label, mode_t mask, bool force);
-
-/**
- * Convert a chunk of data to hex encoding.
- *
- * The resulting string is '\\0' terminated, but the chunk does not include
- * the '\\0'. If buf is supplied, it must hold at least (chunk.len * 2 + 1).
- *
- * @param chunk			data to convert to hex encoding
- * @param buf			buffer to write to, NULL to malloc
- * @param uppercase		TRUE to use uppercase letters
- * @return				chunk of encoded data
- */
-chunk_t chunk_to_hex(chunk_t chunk, char *buf, bool uppercase);
-
-/**
- * Convert a hex encoded in a binary chunk.
- *
- * If buf is supplied, it must hold at least (hex.len / 2) + (hex.len % 2)
- * bytes. It is filled by the right to give correct values for short inputs.
- *
- * @param hex			hex encoded input data
- * @param buf			buffer to write decoded data, NULL to malloc
- * @return				converted data
- */
-chunk_t chunk_from_hex(chunk_t hex, char *buf);
-
-/**
- * Convert a chunk of data to its base64 encoding.
- *
- * The resulting string is '\\0' terminated, but the chunk does not include
- * the '\\0'. If buf is supplied, it must hold at least (chunk.len * 4 / 3 + 1).
- *
- * @param chunk			data to convert
- * @param buf			buffer to write to, NULL to malloc
- * @return				chunk of encoded data
- */
-chunk_t chunk_to_base64(chunk_t chunk, char *buf);
-
-/**
- * Convert a base64 in a binary chunk.
- *
- * If buf is supplied, it must hold at least (base64.len / 4 * 3).
- *
- * @param base64		base64 encoded input data
- * @param buf			buffer to write decoded data, NULL to malloc
- * @return				converted data
- */
-chunk_t chunk_from_base64(chunk_t base64, char *buf);
-
-/**
- * Convert a chunk of data to its base32 encoding.
- *
- * The resulting string is '\\0' terminated, but the chunk does not include
- * the '\\0'. If buf is supplied, it must hold (chunk.len * 8 / 5 + 1) bytes.
- *
- * @param chunk			data to convert
- * @param buf			buffer to write to, NULL to malloc
- * @return				chunk of encoded data
- */
-chunk_t chunk_to_base32(chunk_t chunk, char *buf);
-
-/**
- * Free contents of a chunk
- */
-static inline void chunk_free(chunk_t *chunk)
-{
-	free(chunk->ptr);
-	*chunk = chunk_empty;
-}
-
-/**
- * Overwrite the contents of a chunk and free it
- */
-static inline void chunk_clear(chunk_t *chunk)
-{
-	if (chunk->ptr)
-	{
-		memwipe(chunk->ptr, chunk->len);
-		chunk_free(chunk);
-	}
-}
-
-/**
- * Initialize a chunk using a char array
- */
-#define chunk_from_chars(...) ((chunk_t){(char[]){__VA_ARGS__}, sizeof((char[]){__VA_ARGS__})})
-
-/**
- * Initialize a chunk to point to a thing
- */
-#define chunk_from_thing(thing) chunk_create((char*)&(thing), sizeof(thing))
-
-/**
- * Allocate a chunk on the heap
- */
-#define chunk_alloc(bytes) ({size_t x = (bytes); chunk_create(x ? malloc(x) : NULL, x);})
-
-/**
- * Allocate a chunk on the stack
- */
-#define chunk_alloca(bytes) ({size_t x = (bytes); chunk_create(x ? alloca(x) : NULL, x);})
-
-/**
- * Clone a chunk on heap
- */
-#define chunk_clone(chunk) ({chunk_t x = (chunk); chunk_create_clone(x.len ? malloc(x.len) : NULL, x);})
-
-/**
- * Clone a chunk on stack
- */
-#define chunk_clonea(chunk) ({chunk_t x = (chunk); chunk_create_clone(x.len ? alloca(x.len) : NULL, x);})
-
-/**
- * Concatenate chunks into a chunk on heap
- */
-#define chunk_cat(mode, ...) chunk_create_cat(malloc(chunk_length(mode, __VA_ARGS__)), mode, __VA_ARGS__)
-
-/**
- * Concatenate chunks into a chunk on stack
- */
-#define chunk_cata(mode, ...) chunk_create_cat(alloca(chunk_length(mode, __VA_ARGS__)), mode, __VA_ARGS__)
-
-/**
- * Skip n bytes in chunk (forward pointer, shorten length)
- */
-static inline chunk_t chunk_skip(chunk_t chunk, size_t bytes)
-{
-	if (chunk.len > bytes)
-	{
-		chunk.ptr += bytes;
-		chunk.len -= bytes;
-		return chunk;
-	}
-	return chunk_empty;
-}
-
-/**
- * Skip a leading zero-valued byte
- */
-static inline chunk_t chunk_skip_zero(chunk_t chunk)
-{
-	if (chunk.len > 1 && *chunk.ptr == 0x00)
-	{
-		chunk.ptr++;
-		chunk.len--;
-	}
-	return chunk;
-}
-
-
-/**
- *  Compare two chunks, returns zero if a equals b
- *  or negative/positive if a is small/greater than b
- */
-int chunk_compare(chunk_t a, chunk_t b);
-
-/**
- * Compare two chunks for equality,
- * NULL chunks are never equal.
- */
-static inline bool chunk_equals(chunk_t a, chunk_t b)
-{
-	return a.ptr != NULL  && b.ptr != NULL &&
-			a.len == b.len && memeq(a.ptr, b.ptr, a.len);
-}
-
-/**
- * Compare two chunks (given as pointers) for equality (useful as callback),
- * NULL chunks are never equal.
- */
-static inline bool chunk_equals_ptr(chunk_t *a, chunk_t *b)
-{
-	return a != NULL && b != NULL && chunk_equals(*a, *b);
-}
-
-/**
- * Increment a chunk, as it would reprensent a network order integer.
- *
- * @param chunk			chunk to increment
- * @return				TRUE if an overflow occurred
- */
-bool chunk_increment(chunk_t chunk);
-
-/**
- * Check if a chunk has printable characters only.
- *
- * If sane is given, chunk is cloned into sane and all non printable characters
- * get replaced by "replace".
- *
- * @param chunk			chunk to check for printability
- * @param sane			pointer where sane version is allocated, or NULL
- * @param replace		character to use for replaceing unprintable characters
- * @return				TRUE if all characters in chunk are printable
- */
-bool chunk_printable(chunk_t chunk, chunk_t *sane, char replace);
-
-/**
- * Computes a 32 bit hash of the given chunk.
- * Note: This hash is only intended for hash tables not for cryptographic purposes.
- */
-u_int32_t chunk_hash(chunk_t chunk);
-
-/**
- * Incremental version of chunk_hash. Use this to hash two or more chunks.
- */
-u_int32_t chunk_hash_inc(chunk_t chunk, u_int32_t hash);
-
-/**
- * printf hook function for chunk_t.
- *
- * Arguments are:
- *	chunk_t *chunk
- * Use #-modifier to print a compact version
- */
-int chunk_printf_hook(printf_hook_data_t *data, printf_hook_spec_t *spec,
-					  const void *const *args);
-
-#endif /** CHUNK_H_ @}*/
diff --git a/src/libstrongswan/collections/blocking_queue.c b/src/libstrongswan/collections/blocking_queue.c
new file mode 100644
index 000000000..da3356970
--- /dev/null
+++ b/src/libstrongswan/collections/blocking_queue.c
@@ -0,0 +1,129 @@
+/*
+ * Copyright (C) 2012 Tobias Brunner
+ * Copyright (C) 2012 Giuliano Grassi
+ * Copyright (C) 2012 Ralf Sager
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "blocking_queue.h"
+
+#include <threading/mutex.h>
+#include <threading/thread.h>
+#include <threading/condvar.h>
+#include <collections/linked_list.h>
+
+typedef struct private_blocking_queue_t private_blocking_queue_t;
+
+/**
+ * Private data of a blocking_queue_t object.
+ */
+struct private_blocking_queue_t {
+
+	/**
+	 * Public part
+	 */
+	blocking_queue_t public;
+
+	/**
+	 * Linked list containing all items in the queue
+	 */
+	linked_list_t *list;
+
+	/**
+	 * Mutex used to synchronize access to the queue
+	 */
+	mutex_t *mutex;
+
+	/**
+	 * Condvar used to wait for items
+	 */
+	condvar_t *condvar;
+
+};
+
+METHOD(blocking_queue_t, enqueue, void,
+	private_blocking_queue_t *this, void *item)
+{
+	this->mutex->lock(this->mutex);
+	this->list->insert_first(this->list, item);
+	this->condvar->signal(this->condvar);
+	this->mutex->unlock(this->mutex);
+}
+
+METHOD(blocking_queue_t, dequeue, void*,
+	private_blocking_queue_t *this)
+{
+	bool oldstate;
+	void *item;
+
+
+	this->mutex->lock(this->mutex);
+	thread_cleanup_push((thread_cleanup_t)this->mutex->unlock, this->mutex);
+	/* ensure that a canceled thread does not dequeue any items */
+	thread_cancellation_point();
+	while (this->list->remove_last(this->list, &item) != SUCCESS)
+	{
+		oldstate = thread_cancelability(TRUE);
+		this->condvar->wait(this->condvar, this->mutex);
+		thread_cancelability(oldstate);
+	}
+	thread_cleanup_pop(TRUE);
+	return item;
+}
+
+METHOD(blocking_queue_t, destroy, void,
+	private_blocking_queue_t *this)
+{
+	this->list->destroy(this->list);
+	this->condvar->destroy(this->condvar);
+	this->mutex->destroy(this->mutex);
+	free(this);
+}
+
+METHOD(blocking_queue_t, destroy_offset, void,
+	private_blocking_queue_t *this, size_t offset)
+{
+	this->list->invoke_offset(this->list, offset);
+	destroy(this);
+}
+
+METHOD(blocking_queue_t, destroy_function, void,
+	private_blocking_queue_t *this, void (*fn)(void*))
+{
+	this->list->invoke_function(this->list, (linked_list_invoke_t)fn);
+	destroy(this);
+}
+
+/*
+ * Described in header.
+ */
+blocking_queue_t *blocking_queue_create()
+{
+	private_blocking_queue_t *this;
+
+	INIT(this,
+		.public = {
+			.enqueue = _enqueue,
+			.dequeue = _dequeue,
+			.destroy = _destroy,
+			.destroy_offset = _destroy_offset,
+			.destroy_function = _destroy_function,
+		},
+		.list = linked_list_create(),
+		.mutex = mutex_create(MUTEX_TYPE_DEFAULT),
+		.condvar = condvar_create(CONDVAR_TYPE_DEFAULT),
+	);
+
+	return &this->public;
+}
+
diff --git a/src/libstrongswan/collections/blocking_queue.h b/src/libstrongswan/collections/blocking_queue.h
new file mode 100644
index 000000000..9b014f719
--- /dev/null
+++ b/src/libstrongswan/collections/blocking_queue.h
@@ -0,0 +1,97 @@
+/*
+ * Copyright (C) 2012 Tobias Brunner
+ * Copyright (C) 2012 Giuliano Grassi
+ * Copyright (C) 2012 Ralf Sager
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup blocking_queue blocking_queue
+ * @{ @ingroup collections
+ */
+
+#ifndef BLOCKING_QUEUE_H_
+#define BLOCKING_QUEUE_H_
+
+typedef struct blocking_queue_t blocking_queue_t;
+
+#include <library.h>
+
+/**
+ * Class implementing a synchronized blocking queue based on linked_list_t
+ */
+struct blocking_queue_t {
+
+	/**
+	 * Inserts a new item at the tail of the queue
+	 *
+	 * @param item		item to insert in queue
+	 */
+	void (*enqueue)(blocking_queue_t *this, void *item);
+
+	/**
+	 * Removes the first item in the queue and returns its value.
+	 * If the queue is empty, this call blocks until a new item is inserted.
+	 *
+	 * @note This is a thread cancellation point
+	 *
+	 * @return			removed item
+	 */
+	void *(*dequeue)(blocking_queue_t *this);
+
+	/**
+	 * Destroys a blocking_queue_t object.
+	 *
+	 * @note No thread must wait in dequeue() when this function is called
+	 */
+	void (*destroy)(blocking_queue_t *this);
+
+	/**
+	 * Destroys a queue and its objects using the given destructor.
+	 *
+	 * If a queue and the contained objects should be destroyed, use
+	 * destroy_offset. The supplied offset specifies the destructor to
+	 * call on each object. The offset may be calculated using the offsetof
+	 * macro, e.g.: queue->destroy_offset(queue, offsetof(object_t, destroy));
+	 *
+	 * @note No thread must wait in dequeue() when this function is called
+	 *
+	 * @param offset	offset of the objects destructor
+	 */
+	void (*destroy_offset)(blocking_queue_t *this, size_t offset);
+
+	/**
+	 * Destroys a queue and its objects using a cleanup function.
+	 *
+	 * If a queue and its contents should get destroyed using a specific
+	 * cleanup function, use destroy_function. This is useful when the
+	 * list contains malloc()-ed blocks which should get freed,
+	 * e.g.: queue->destroy_function(queue, free);
+	 *
+	 * @note No thread must wait in dequeue() when this function is called
+	 *
+	 * @param function	function to call on each object
+	 */
+	void (*destroy_function)(blocking_queue_t *this, void (*)(void*));
+
+};
+
+/**
+ * Creates an empty queue object.
+ *
+ * @return		blocking_queue_t object.
+ */
+blocking_queue_t *blocking_queue_create();
+
+#endif /** BLOCKING_QUEUE_H_ @}*/
+
diff --git a/src/libstrongswan/collections/enumerator.c b/src/libstrongswan/collections/enumerator.c
new file mode 100644
index 000000000..f80cdabd2
--- /dev/null
+++ b/src/libstrongswan/collections/enumerator.c
@@ -0,0 +1,560 @@
+/*
+ * Copyright (C) 2008 Tobias Brunner
+ * Copyright (C) 2007 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "enumerator.h"
+
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <unistd.h>
+#include <limits.h>
+#include <stdio.h>
+#include <dirent.h>
+#include <errno.h>
+#include <string.h>
+
+#include <utils/debug.h>
+
+/**
+ * Implementation of enumerator_create_empty().enumerate
+ */
+static bool enumerate_empty(enumerator_t *enumerator, ...)
+{
+	return FALSE;
+}
+
+/**
+ * See header
+ */
+enumerator_t* enumerator_create_empty()
+{
+	enumerator_t *this = malloc_thing(enumerator_t);
+	this->enumerate = enumerate_empty;
+	this->destroy = (void*)free;
+	return this;
+}
+
+/**
+ * Enumerator implementation for directory enumerator
+ */
+typedef struct {
+	/** implements enumerator_t */
+	enumerator_t public;
+	/** directory handle */
+	DIR *dir;
+	/** absolute path of current file */
+	char full[PATH_MAX];
+	/** where directory part of full ends and relative file gets written */
+	char *full_end;
+} dir_enum_t;
+
+/**
+ * Implementation of enumerator_create_directory().destroy
+ */
+static void destroy_dir_enum(dir_enum_t *this)
+{
+	closedir(this->dir);
+	free(this);
+}
+
+/**
+ * Implementation of enumerator_create_directory().enumerate
+ */
+static bool enumerate_dir_enum(dir_enum_t *this, char **relative,
+							   char **absolute, struct stat *st)
+{
+	struct dirent *entry = readdir(this->dir);
+	size_t remaining;
+	int len;
+
+	if (!entry)
+	{
+		return FALSE;
+	}
+	if (streq(entry->d_name, ".") || streq(entry->d_name, ".."))
+	{
+		return enumerate_dir_enum(this, relative, absolute, st);
+	}
+	if (relative)
+	{
+		*relative = entry->d_name;
+	}
+	if (absolute || st)
+	{
+		remaining = sizeof(this->full) - (this->full_end - this->full);
+		len = snprintf(this->full_end, remaining, "%s", entry->d_name);
+		if (len < 0 || len >= remaining)
+		{
+			DBG1(DBG_LIB, "buffer too small to enumerate file '%s'",
+				 entry->d_name);
+			return FALSE;
+		}
+		if (absolute)
+		{
+			*absolute = this->full;
+		}
+		if (st)
+		{
+			if (stat(this->full, st))
+			{
+				DBG1(DBG_LIB, "stat() on '%s' failed: %s", this->full,
+					 strerror(errno));
+				return FALSE;
+			}
+		}
+	}
+	return TRUE;
+}
+
+/**
+ * See header
+ */
+enumerator_t* enumerator_create_directory(const char *path)
+{
+	int len;
+	dir_enum_t *this = malloc_thing(dir_enum_t);
+	this->public.enumerate = (void*)enumerate_dir_enum;
+	this->public.destroy = (void*)destroy_dir_enum;
+
+	if (*path == '\0')
+	{
+		path = "./";
+	}
+	len = snprintf(this->full, sizeof(this->full)-1, "%s", path);
+	if (len < 0 || len >= sizeof(this->full)-1)
+	{
+		DBG1(DBG_LIB, "path string '%s' too long", path);
+		free(this);
+		return NULL;
+	}
+	/* append a '/' if not already done */
+	if (this->full[len-1] != '/')
+	{
+		this->full[len++] = '/';
+		this->full[len] = '\0';
+	}
+	this->full_end = &this->full[len];
+
+	this->dir = opendir(path);
+	if (this->dir == NULL)
+	{
+		DBG1(DBG_LIB, "opening directory '%s' failed: %s", path, strerror(errno));
+		free(this);
+		return NULL;
+	}
+	return &this->public;
+}
+
+/**
+ * Enumerator implementation for directory enumerator
+ */
+typedef struct {
+	/** implements enumerator_t */
+	enumerator_t public;
+	/** string to parse */
+	char *string;
+	/** current position */
+	char *pos;
+	/** separater chars */
+	const char *sep;
+	/** trim chars */
+	const char *trim;
+} token_enum_t;
+
+/**
+ * Implementation of enumerator_create_token().destroy
+ */
+static void destroy_token_enum(token_enum_t *this)
+{
+	free(this->string);
+	free(this);
+}
+
+/**
+ * Implementation of enumerator_create_token().enumerate
+ */
+static bool enumerate_token_enum(token_enum_t *this, char **token)
+{
+	const char *sep, *trim;
+	char *pos = NULL, *tmp;
+	bool last = FALSE;
+
+	/* trim leading characters/separators */
+	while (*this->pos)
+	{
+		trim = this->trim;
+		while (*trim)
+		{
+			if (*trim == *this->pos)
+			{
+				this->pos++;
+				break;
+			}
+			trim++;
+		}
+		sep = this->sep;
+		while (*sep)
+		{
+			if (*sep == *this->pos)
+			{
+				this->pos++;
+				break;
+			}
+			sep++;
+		}
+		if (!*trim && !*sep)
+		{
+			break;
+		}
+	}
+
+	switch (*this->pos)
+	{
+		case '"':
+		case '\'':
+		{
+			/* read quoted token */
+			tmp = strchr(this->pos + 1, *this->pos);
+			if (tmp)
+			{
+				*token = this->pos + 1;
+				*tmp = '\0';
+				this->pos = tmp + 1;
+				return TRUE;
+			}
+			/* unterminated string, FALL-THROUGH */
+		}
+		default:
+		{
+			/* find nearest separator */
+			sep = this->sep;
+			while (*sep)
+			{
+				tmp = strchr(this->pos, *sep);
+				if (tmp && (pos == NULL || tmp < pos))
+				{
+					pos = tmp;
+				}
+				sep++;
+			}
+			*token = this->pos;
+			if (pos)
+			{
+				*pos = '\0';
+				this->pos = pos + 1;
+			}
+			else
+			{
+				last = TRUE;
+				pos = this->pos = strchr(this->pos, '\0');
+			}
+			break;
+		}
+	}
+
+	/* trim trailing characters/separators */
+	pos--;
+	while (pos >= *token)
+	{
+		trim = this->trim;
+		while (*trim)
+		{
+			if (*trim == *pos)
+			{
+				*(pos--) = '\0';
+				break;
+			}
+			trim++;
+		}
+		sep = this->sep;
+		while (*sep)
+		{
+			if (*sep == *pos)
+			{
+				*(pos--) = '\0';
+				break;
+			}
+			sep++;
+		}
+		if (!*trim && !*sep)
+		{
+			break;
+		}
+	}
+
+	if (!last || pos >= *token)
+	{
+		return TRUE;
+	}
+	return FALSE;
+}
+
+/**
+ * See header
+ */
+enumerator_t* enumerator_create_token(const char *string, const char *sep,
+									  const char *trim)
+{
+	token_enum_t *enumerator = malloc_thing(token_enum_t);
+
+	enumerator->public.enumerate = (void*)enumerate_token_enum;
+	enumerator->public.destroy = (void*)destroy_token_enum;
+	enumerator->string = strdup(string);
+	enumerator->pos = enumerator->string;
+	enumerator->sep = sep;
+	enumerator->trim = trim;
+
+	return &enumerator->public;
+}
+
+/**
+ * enumerator for nested enumerations
+ */
+typedef struct {
+	/* implements enumerator_t */
+	enumerator_t public;
+	/* outer enumerator */
+	enumerator_t *outer;
+	/* inner enumerator */
+	enumerator_t *inner;
+	/* constructor for inner enumerator */
+	enumerator_t *(*create_inner)(void *outer, void *data);
+	/* data to pass to constructor above */
+	void *data;
+	/* destructor for data */
+	void (*destroy_data)(void *data);
+} nested_enumerator_t;
+
+
+/**
+ * Implementation of enumerator_create_nested().enumerate()
+ */
+static bool enumerate_nested(nested_enumerator_t *this, void *v1, void *v2,
+							 void *v3, void *v4, void *v5)
+{
+	while (TRUE)
+	{
+		while (this->inner == NULL)
+		{
+			void *outer;
+
+			if (!this->outer->enumerate(this->outer, &outer))
+			{
+				return FALSE;
+			}
+			this->inner = this->create_inner(outer, this->data);
+		}
+		if (this->inner->enumerate(this->inner, v1, v2, v3, v4, v5))
+		{
+			return TRUE;
+		}
+		this->inner->destroy(this->inner);
+		this->inner = NULL;
+	}
+}
+
+/**
+ * Implementation of enumerator_create_nested().destroy()
+ **/
+static void destroy_nested(nested_enumerator_t *this)
+{
+	if (this->destroy_data)
+	{
+		this->destroy_data(this->data);
+	}
+	DESTROY_IF(this->inner);
+	this->outer->destroy(this->outer);
+	free(this);
+}
+
+/**
+ * See header
+ */
+enumerator_t *enumerator_create_nested(enumerator_t *outer,
+					enumerator_t *(inner_constructor)(void *outer, void *data),
+					void *data, void (*destroy_data)(void *data))
+{
+	nested_enumerator_t *enumerator = malloc_thing(nested_enumerator_t);
+
+	enumerator->public.enumerate = (void*)enumerate_nested;
+	enumerator->public.destroy = (void*)destroy_nested;
+	enumerator->outer = outer;
+	enumerator->inner = NULL;
+	enumerator->create_inner = (void*)inner_constructor;
+	enumerator->data = data;
+	enumerator->destroy_data = destroy_data;
+
+	return &enumerator->public;
+}
+
+/**
+ * enumerator for filtered enumerator
+ */
+typedef struct {
+	enumerator_t public;
+	enumerator_t *unfiltered;
+	void *data;
+	bool (*filter)(void *data, ...);
+	void (*destructor)(void *data);
+} filter_enumerator_t;
+
+/**
+ * Implementation of enumerator_create_filter().destroy
+ */
+static void destroy_filter(filter_enumerator_t *this)
+{
+	if (this->destructor)
+	{
+		this->destructor(this->data);
+	}
+	this->unfiltered->destroy(this->unfiltered);
+	free(this);
+}
+
+/**
+ * Implementation of enumerator_create_filter().enumerate
+ */
+static bool enumerate_filter(filter_enumerator_t *this, void *o1, void *o2,
+							 void *o3, void *o4, void *o5)
+{
+	void *i1, *i2, *i3, *i4, *i5;
+
+	while (this->unfiltered->enumerate(this->unfiltered, &i1, &i2, &i3, &i4, &i5))
+	{
+		if (this->filter(this->data, &i1, o1, &i2, o2, &i3, o3, &i4, o4, &i5, o5))
+		{
+			return TRUE;
+		}
+	}
+	return FALSE;
+}
+
+/**
+ * see header
+ */
+enumerator_t *enumerator_create_filter(enumerator_t *unfiltered,
+									   bool (*filter)(void *data, ...),
+									   void *data, void (*destructor)(void *data))
+{
+	filter_enumerator_t *this = malloc_thing(filter_enumerator_t);
+
+	this->public.enumerate = (void*)enumerate_filter;
+	this->public.destroy = (void*)destroy_filter;
+	this->unfiltered = unfiltered;
+	this->filter = filter;
+	this->data = data;
+	this->destructor = destructor;
+
+	return &this->public;
+}
+
+/**
+ * enumerator for cleaner enumerator
+ */
+typedef struct {
+	enumerator_t public;
+	enumerator_t *wrapped;
+	void (*cleanup)(void *data);
+	void *data;
+} cleaner_enumerator_t;
+
+/**
+ * Implementation of enumerator_create_cleanup().destroy
+ */
+static void destroy_cleaner(cleaner_enumerator_t *this)
+{
+	this->cleanup(this->data);
+	this->wrapped->destroy(this->wrapped);
+	free(this);
+}
+
+/**
+ * Implementation of enumerator_create_cleaner().enumerate
+ */
+static bool enumerate_cleaner(cleaner_enumerator_t *this, void *v1, void *v2,
+							  void *v3, void *v4, void *v5)
+{
+	return this->wrapped->enumerate(this->wrapped, v1, v2, v3, v4, v5);
+}
+
+/**
+ * see header
+ */
+enumerator_t *enumerator_create_cleaner(enumerator_t *wrapped,
+										void (*cleanup)(void *data), void *data)
+{
+	cleaner_enumerator_t *this = malloc_thing(cleaner_enumerator_t);
+
+	this->public.enumerate = (void*)enumerate_cleaner;
+	this->public.destroy = (void*)destroy_cleaner;
+	this->wrapped = wrapped;
+	this->cleanup = cleanup;
+	this->data = data;
+
+	return &this->public;
+}
+
+/**
+ * enumerator for single enumerator
+ */
+typedef struct {
+	enumerator_t public;
+	void *item;
+	void (*cleanup)(void *item);
+	bool done;
+} single_enumerator_t;
+
+/**
+ * Implementation of enumerator_create_single().destroy
+ */
+static void destroy_single(single_enumerator_t *this)
+{
+	if (this->cleanup)
+	{
+		this->cleanup(this->item);
+	}
+	free(this);
+}
+
+/**
+ * Implementation of enumerator_create_single().enumerate
+ */
+static bool enumerate_single(single_enumerator_t *this, void **item)
+{
+	if (this->done)
+	{
+		return FALSE;
+	}
+	*item = this->item;
+	this->done = TRUE;
+	return TRUE;
+}
+
+/**
+ * see header
+ */
+enumerator_t *enumerator_create_single(void *item, void (*cleanup)(void *item))
+{
+	single_enumerator_t *this = malloc_thing(single_enumerator_t);
+
+	this->public.enumerate = (void*)enumerate_single;
+	this->public.destroy = (void*)destroy_single;
+	this->item = item;
+	this->cleanup = cleanup;
+	this->done = FALSE;
+
+	return &this->public;
+}
+
diff --git a/src/libstrongswan/collections/enumerator.h b/src/libstrongswan/collections/enumerator.h
new file mode 100644
index 000000000..299373a3e
--- /dev/null
+++ b/src/libstrongswan/collections/enumerator.h
@@ -0,0 +1,159 @@
+/*
+ * Copyright (C) 2007 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup enumerator enumerator
+ * @{ @ingroup collections
+ */
+
+#ifndef ENUMERATOR_H_
+#define ENUMERATOR_H_
+
+typedef struct enumerator_t enumerator_t;
+
+#include <utils/utils.h>
+
+/**
+ * Enumerator interface, allows enumeration over collections.
+ */
+struct enumerator_t {
+
+	/**
+	 * Enumerate collection.
+	 *
+	 * The enumerate function takes a variable argument list containing
+	 * pointers where the enumerated values get written.
+	 *
+	 * @param ...	variable list of enumerated items, implementation dependent
+	 * @return		TRUE if pointers returned
+	 */
+	bool (*enumerate)(enumerator_t *this, ...);
+
+	/**
+	 * Destroy a enumerator instance.
+	 */
+	void (*destroy)(enumerator_t *this);
+};
+
+/**
+ * Create an enumerator which enumerates over nothing
+ *
+ * @return			an enumerator over no values
+ */
+enumerator_t* enumerator_create_empty();
+
+/**
+ * Create an enumerator which enumerates over a single item
+ *
+ * @param item		item to enumerate
+ * @param cleanup	cleanup function called on destroy with the item
+ * @return			an enumerator over a single value
+ */
+enumerator_t *enumerator_create_single(void *item, void (*cleanup)(void *item));
+
+/**
+ * Create an enumerator over files/subdirectories in a directory.
+ *
+ * This enumerator_t.enumerate() function returns a (to the directory) relative
+ * filename (as a char*), an absolute filename (as a char*) and a file status
+ * (to a struct stat), which all may be NULL. "." and ".." entries are
+ * skipped. Example:
+ *
+ * @code
+	char *rel, *abs;
+	struct stat st;
+	enumerator_t *e;
+
+	e = enumerator_create_directory("/tmp");
+	if (e)
+	{
+		while (e->enumerate(e, &rel, &abs, &st))
+		{
+			if (S_ISDIR(st.st_mode) && *rel != '.')
+			{
+				printf("%s\n", abs);
+			}
+		}
+		e->destroy(e);
+	}
+   @endcode
+ *
+ * @param path		path of the directory
+ * @return 			the directory enumerator, NULL on failure
+ */
+enumerator_t* enumerator_create_directory(const char *path);
+
+/**
+ * Create an enumerator over tokens of a string.
+ *
+ * Tokens are separated by one of the characters in sep and trimmed by the
+ * characters in trim.
+ *
+ * @param string	string to parse
+ * @param sep		separator characters
+ * @param trim		characters to trim from tokens
+ * @return			enumerator over char* tokens
+ */
+enumerator_t* enumerator_create_token(const char *string, const char *sep,
+									  const char *trim);
+
+/**
+ * Creates an enumerator which enumerates over enumerated enumerators :-).
+ *
+ * The variable argument list of enumeration values is limit to 5.
+ *
+ * @param outer					outer enumerator
+ * @param inner_constructor		constructor to inner enumerator
+ * @param data					data to pass to each inner_constructor call
+ * @param destroy_data			destructor to pass to data
+ * @return						the nested enumerator
+ */
+enumerator_t *enumerator_create_nested(enumerator_t *outer,
+					enumerator_t *(*inner_constructor)(void *outer, void *data),
+					void *data, void (*destroy_data)(void *data));
+
+/**
+ * Creates an enumerator which filters output of another enumerator.
+ *
+ * The filter function receives the user supplied "data" followed by a
+ * unfiltered enumeration item, followed by an output pointer where to write
+ * the filtered data. Then the next input/output pair follows.
+ * It returns TRUE to deliver the
+ * values to the caller of enumerate(), FALSE to filter this enumeration.
+ *
+ * The variable argument list of enumeration values is limit to 5.
+ *
+ * @param unfiltered			unfiltered enumerator to wrap, gets destroyed
+ * @param filter				filter function
+ * @param data					user data to supply to filter
+ * @param destructor			destructor function to clean up data after use
+ * @return						the filtered enumerator
+ */
+enumerator_t *enumerator_create_filter(enumerator_t *unfiltered,
+					bool (*filter)(void *data, ...),
+					void *data, void (*destructor)(void *data));
+
+/**
+ * Create an enumerator wrapper which does a cleanup on destroy.
+ *
+ * @param wrapped				wrapped enumerator
+ * @param cleanup				cleanup function called on destroy
+ * @param data					user data to supply to cleanup
+ * @return						the enumerator with cleanup
+ */
+enumerator_t *enumerator_create_cleaner(enumerator_t *wrapped,
+					void (*cleanup)(void *data), void *data);
+
+#endif /** ENUMERATOR_H_ @}*/
diff --git a/src/libstrongswan/collections/hashtable.c b/src/libstrongswan/collections/hashtable.c
new file mode 100644
index 000000000..d181d8ec8
--- /dev/null
+++ b/src/libstrongswan/collections/hashtable.c
@@ -0,0 +1,444 @@
+/*
+ * Copyright (C) 2008-2012 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+
+#include "hashtable.h"
+
+/** The maximum capacity of the hash table (MUST be a power of 2) */
+#define MAX_CAPACITY (1 << 30)
+
+typedef struct pair_t pair_t;
+
+/**
+ * This pair holds a pointer to the key and value it represents.
+ */
+struct pair_t {
+	/**
+	 * Key of a hash table item.
+	 */
+	void *key;
+
+	/**
+	 * Value of a hash table item.
+	 */
+	void *value;
+
+	/**
+	 * Cached hash (used in case of a resize).
+	 */
+	u_int hash;
+
+	/**
+	 * Next pair in an overflow list.
+	 */
+	pair_t *next;
+};
+
+/**
+ * Creates an empty pair object.
+ */
+static inline pair_t *pair_create(void *key, void *value, u_int hash)
+{
+	pair_t *this;
+
+	INIT(this,
+		.key = key,
+		.value = value,
+		.hash = hash,
+	);
+
+	return this;
+}
+
+typedef struct private_hashtable_t private_hashtable_t;
+
+/**
+ * Private data of a hashtable_t object.
+ *
+ */
+struct private_hashtable_t {
+	/**
+	 * Public part of hash table.
+	 */
+	hashtable_t public;
+
+	/**
+	 * The number of items in the hash table.
+	 */
+	u_int count;
+
+	/**
+	 * The current capacity of the hash table (always a power of 2).
+	 */
+	u_int capacity;
+
+	/**
+	 * The current mask to calculate the row index (capacity - 1).
+	 */
+	u_int mask;
+
+	/**
+	 * The load factor.
+	 */
+	float load_factor;
+
+	/**
+	 * The actual table.
+	 */
+	pair_t **table;
+
+	/**
+	 * The hashing function.
+	 */
+	hashtable_hash_t hash;
+
+	/**
+	 * The equality function.
+	 */
+	hashtable_equals_t equals;
+};
+
+typedef struct private_enumerator_t private_enumerator_t;
+
+/**
+ * hash table enumerator implementation
+ */
+struct private_enumerator_t {
+
+	/**
+	 * implements enumerator interface
+	 */
+	enumerator_t enumerator;
+
+	/**
+	 * associated hash table
+	 */
+	private_hashtable_t *table;
+
+	/**
+	 * current row index
+	 */
+	u_int row;
+
+	/**
+	 * number of remaining items in hashtable
+	 */
+	u_int count;
+
+	/**
+	 * current pair
+	 */
+	pair_t *current;
+
+	/**
+	 * previous pair (used by remove_at)
+	 */
+	pair_t *prev;
+
+};
+
+/**
+ * This function returns the next-highest power of two for the given number.
+ * The algorithm works by setting all bits on the right-hand side of the most
+ * significant 1 to 1 and then increments the whole number so it rolls over
+ * to the nearest power of two. Note: returns 0 for n == 0
+ */
+static u_int get_nearest_powerof2(u_int n)
+{
+	u_int i;
+
+	--n;
+	for (i = 1; i < sizeof(u_int) * 8; i <<= 1)
+	{
+		n |= n >> i;
+	}
+	return ++n;
+}
+
+/**
+ * Init hash table parameters
+ */
+static void init_hashtable(private_hashtable_t *this, u_int capacity)
+{
+	capacity = max(1, min(capacity, MAX_CAPACITY));
+	this->capacity = get_nearest_powerof2(capacity);
+	this->mask = this->capacity - 1;
+	this->load_factor = 0.75;
+
+	this->table = calloc(this->capacity, sizeof(pair_t*));
+}
+
+/**
+ * Double the size of the hash table and rehash all the elements.
+ */
+static void rehash(private_hashtable_t *this)
+{
+	pair_t **old_table;
+	u_int row, old_capacity;
+
+	if (this->capacity >= MAX_CAPACITY)
+	{
+		return;
+	}
+
+	old_capacity = this->capacity;
+	old_table = this->table;
+
+	init_hashtable(this, old_capacity << 1);
+
+	for (row = 0; row < old_capacity; row++)
+	{
+		pair_t *pair, *next;
+		u_int new_row;
+
+		pair = old_table[row];
+		while (pair)
+		{	/* insert pair at the front of new bucket*/
+			next = pair->next;
+			new_row = pair->hash & this->mask;
+			pair->next = this->table[new_row];
+			this->table[new_row] = pair;
+			pair = next;
+		}
+	}
+	free(old_table);
+}
+
+METHOD(hashtable_t, put, void*,
+	   private_hashtable_t *this, void *key, void *value)
+{
+	void *old_value = NULL;
+	pair_t *pair;
+	u_int hash, row;
+
+	hash = this->hash(key);
+	row = hash & this->mask;
+	pair = this->table[row];
+	while (pair)
+	{	/* search existing bucket for key */
+		if (this->equals(key, pair->key))
+		{
+			old_value = pair->value;
+			pair->value = value;
+			pair->key = key;
+			break;
+		}
+		pair = pair->next;
+	}
+	if (!pair)
+	{	/* insert at the front of bucket */
+		pair = pair_create(key, value, hash);
+		pair->next = this->table[row];
+		this->table[row] = pair;
+		this->count++;
+	}
+	if (this->count >= this->capacity * this->load_factor)
+	{
+		rehash(this);
+	}
+	return old_value;
+}
+
+static void *get_internal(private_hashtable_t *this, void *key,
+						  hashtable_equals_t equals)
+{
+	void *value = NULL;
+	pair_t *pair;
+
+	if (!this->count)
+	{	/* no need to calculate the hash */
+		return NULL;
+	}
+
+	pair = this->table[this->hash(key) & this->mask];
+	while (pair)
+	{
+		if (equals(key, pair->key))
+		{
+			value = pair->value;
+			break;
+		}
+		pair = pair->next;
+	}
+	return value;
+}
+
+METHOD(hashtable_t, get, void*,
+	   private_hashtable_t *this, void *key)
+{
+	return get_internal(this, key, this->equals);
+}
+
+METHOD(hashtable_t, get_match, void*,
+	   private_hashtable_t *this, void *key, hashtable_equals_t match)
+{
+	return get_internal(this, key, match);
+}
+
+METHOD(hashtable_t, remove_, void*,
+	   private_hashtable_t *this, void *key)
+{
+	void *value = NULL;
+	pair_t *pair, *prev = NULL;
+	u_int row;
+
+	row = this->hash(key) & this->mask;
+	pair = this->table[row];
+	while (pair)
+	{
+		if (this->equals(key, pair->key))
+		{
+			if (prev)
+			{
+				prev->next = pair->next;
+			}
+			else
+			{
+				this->table[row] = pair->next;
+			}
+			value = pair->value;
+			this->count--;
+			free(pair);
+			break;
+		}
+		prev = pair;
+		pair = pair->next;
+	}
+	return value;
+}
+
+METHOD(hashtable_t, remove_at, void,
+	   private_hashtable_t *this, private_enumerator_t *enumerator)
+{
+	if (enumerator->table == this && enumerator->current)
+	{
+		pair_t *current = enumerator->current;
+		if (enumerator->prev)
+		{
+			enumerator->prev->next = current->next;
+		}
+		else
+		{
+			this->table[enumerator->row] = current->next;
+		}
+		enumerator->current = enumerator->prev;
+		free(current);
+		this->count--;
+	}
+}
+
+METHOD(hashtable_t, get_count, u_int,
+	   private_hashtable_t *this)
+{
+	return this->count;
+}
+
+METHOD(enumerator_t, enumerate, bool,
+	   private_enumerator_t *this, void **key, void **value)
+{
+	while (this->count && this->row < this->table->capacity)
+	{
+		this->prev = this->current;
+		if (this->current)
+		{
+			this->current = this->current->next;
+		}
+		else
+		{
+			this->current = this->table->table[this->row];
+		}
+		if (this->current)
+		{
+			if (key)
+			{
+				*key = this->current->key;
+			}
+			if (value)
+			{
+				*value = this->current->value;
+			}
+			this->count--;
+			return TRUE;
+		}
+		this->row++;
+	}
+	return FALSE;
+}
+
+METHOD(hashtable_t, create_enumerator, enumerator_t*,
+	   private_hashtable_t *this)
+{
+	private_enumerator_t *enumerator;
+
+	INIT(enumerator,
+		.enumerator = {
+			.enumerate = (void*)_enumerate,
+			.destroy = (void*)free,
+		},
+		.table = this,
+		.count = this->count,
+	);
+
+	return &enumerator->enumerator;
+}
+
+METHOD(hashtable_t, destroy, void,
+	   private_hashtable_t *this)
+{
+	pair_t *pair, *next;
+	u_int row;
+
+	for (row = 0; row < this->capacity; row++)
+	{
+		pair = this->table[row];
+		while (pair)
+		{
+			next = pair->next;
+			free(pair);
+			pair = next;
+		}
+	}
+	free(this->table);
+	free(this);
+}
+
+/*
+ * Described in header.
+ */
+hashtable_t *hashtable_create(hashtable_hash_t hash, hashtable_equals_t equals,
+							  u_int capacity)
+{
+	private_hashtable_t *this;
+
+	INIT(this,
+		.public = {
+			.put = _put,
+			.get = _get,
+			.get_match = _get_match,
+			.remove = _remove_,
+			.remove_at = (void*)_remove_at,
+			.get_count = _get_count,
+			.create_enumerator = _create_enumerator,
+			.destroy = _destroy,
+		},
+		.hash = hash,
+		.equals = equals,
+	);
+
+	init_hashtable(this, capacity);
+
+	return &this->public;
+}
+
diff --git a/src/libstrongswan/collections/hashtable.h b/src/libstrongswan/collections/hashtable.h
new file mode 100644
index 000000000..e38850ded
--- /dev/null
+++ b/src/libstrongswan/collections/hashtable.h
@@ -0,0 +1,138 @@
+/*
+ * Copyright (C) 2008-2012 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup hashtable hashtable
+ * @{ @ingroup collections
+ */
+
+#ifndef HASHTABLE_H_
+#define HASHTABLE_H_
+
+#include <collections/enumerator.h>
+
+typedef struct hashtable_t hashtable_t;
+
+/**
+ * Prototype for a function that computes the hash code from the given key.
+ *
+ * @param key			key to hash
+ * @return				hash code
+ */
+typedef u_int (*hashtable_hash_t)(void *key);
+
+/**
+ * Prototype for a function that compares the two keys for equality.
+ *
+ * @param key			first key (the one we are looking for)
+ * @param other_key		second key
+ * @return				TRUE if the keys are equal
+ */
+typedef bool (*hashtable_equals_t)(void *key, void *other_key);
+
+/**
+ * Class implementing a hash table.
+ *
+ * General purpose hash table. This hash table is not synchronized.
+ */
+struct hashtable_t {
+
+	/**
+	 * Create an enumerator over the hash table key/value pairs.
+	 *
+	 * @return			enumerator over (void *key, void *value)
+	 */
+	enumerator_t *(*create_enumerator) (hashtable_t *this);
+
+	/**
+	 * Adds the given value with the given key to the hash table, if there
+	 * exists no entry with that key. NULL is returned in this case.
+	 * Otherwise the existing value is replaced and the function returns the
+	 * old value.
+	 *
+	 * @param key		the key to store
+	 * @param value		the value to store
+	 * @return			NULL if no item was replaced, the old value otherwise
+	 */
+	void *(*put) (hashtable_t *this, void *key, void *value);
+
+	/**
+	 * Returns the value with the given key, if the hash table contains such an
+	 * entry, otherwise NULL is returned.
+	 *
+	 * @param key		the key of the requested value
+	 * @return			the value, NULL if not found
+	 */
+	void *(*get) (hashtable_t *this, void *key);
+
+	/**
+	 * Returns the value with a matching key, if the hash table contains such an
+	 * entry, otherwise NULL is returned.
+	 *
+	 * Compared to get() the given match function is used to compare the keys
+	 * for equality.  The hash function does have to be deviced properly in
+	 * order to make this work if the match function compares keys differently
+	 * than the equals function provided to the constructor.  This basically
+	 * allows to enumerate all entries with the same hash value.
+	 *
+	 * @param key		the key to match against
+	 * @param match		match function to be used when comparing keys
+	 * @return			the value, NULL if not found
+	 */
+	void *(*get_match) (hashtable_t *this, void *key, hashtable_equals_t match);
+
+	/**
+	 * Removes the value with the given key from the hash table and returns the
+	 * removed value (or NULL if no such value existed).
+	 *
+	 * @param key		the key of the value to remove
+	 * @return			the removed value, NULL if not found
+	 */
+	void *(*remove) (hashtable_t *this, void *key);
+
+	/**
+	 * Removes the key and value pair from the hash table at which the given
+	 * enumerator currently points.
+	 *
+	 * @param enumerator	enumerator, from create_enumerator
+	 */
+	void (*remove_at) (hashtable_t *this, enumerator_t *enumerator);
+
+	/**
+	 * Gets the number of items in the hash table.
+	 *
+	 * @return			number of items
+	 */
+	u_int (*get_count) (hashtable_t *this);
+
+	/**
+	 * Destroys a hash table object.
+	 */
+	void (*destroy) (hashtable_t *this);
+
+};
+
+/**
+ * Creates an empty hash table object.
+ *
+ * @param hash			hash function
+ * @param equals		equals function
+ * @param capacity		initial capacity
+ * @return				hashtable_t object.
+ */
+hashtable_t *hashtable_create(hashtable_hash_t hash, hashtable_equals_t equals,
+							  u_int capacity);
+
+#endif /** HASHTABLE_H_ @}*/
diff --git a/src/libstrongswan/collections/linked_list.c b/src/libstrongswan/collections/linked_list.c
new file mode 100644
index 000000000..1ff80999b
--- /dev/null
+++ b/src/libstrongswan/collections/linked_list.c
@@ -0,0 +1,615 @@
+/*
+ * Copyright (C) 2007-2011 Tobias Brunner
+ * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <stdlib.h>
+#include <stdarg.h>
+
+#include "linked_list.h"
+
+typedef struct element_t element_t;
+
+/**
+ * This element holds a pointer to the value it represents.
+ */
+struct element_t {
+
+	/**
+	 * Value of a list item.
+	 */
+	void *value;
+
+	/**
+	 * Previous list element.
+	 *
+	 * NULL if first element in list.
+	 */
+	element_t *previous;
+
+	/**
+	 * Next list element.
+	 *
+	 * NULL if last element in list.
+	 */
+	element_t *next;
+};
+
+/**
+ * Creates an empty linked list object.
+ */
+element_t *element_create(void *value)
+{
+	element_t *this;
+	INIT(this,
+		.value = value,
+	);
+	return this;
+}
+
+
+typedef struct private_linked_list_t private_linked_list_t;
+
+/**
+ * Private data of a linked_list_t object.
+ *
+ */
+struct private_linked_list_t {
+	/**
+	 * Public part of linked list.
+	 */
+	linked_list_t public;
+
+	/**
+	 * Number of items in the list.
+	 */
+	int count;
+
+	/**
+	 * First element in list.
+	 * NULL if no elements in list.
+	 */
+	element_t *first;
+
+	/**
+	 * Last element in list.
+	 * NULL if no elements in list.
+	 */
+	element_t *last;
+};
+
+typedef struct private_enumerator_t private_enumerator_t;
+
+/**
+ * linked lists enumerator implementation
+ */
+struct private_enumerator_t {
+
+	/**
+	 * implements enumerator interface
+	 */
+	enumerator_t enumerator;
+
+	/**
+	 * associated linked list
+	 */
+	private_linked_list_t *list;
+
+	/**
+	 * current item
+	 */
+	element_t *current;
+
+	/**
+	 * enumerator has enumerated all items
+	 */
+	bool finished;
+};
+
+METHOD(enumerator_t, enumerate, bool,
+	private_enumerator_t *this, void **item)
+{
+	if (this->finished)
+	{
+		return FALSE;
+	}
+	if (!this->current)
+	{
+		this->current = this->list->first;
+	}
+	else
+	{
+		this->current = this->current->next;
+	}
+	if (!this->current)
+	{
+		this->finished = TRUE;
+		return FALSE;
+	}
+	*item = this->current->value;
+	return TRUE;
+}
+
+METHOD(linked_list_t, create_enumerator, enumerator_t*,
+	private_linked_list_t *this)
+{
+	private_enumerator_t *enumerator;
+
+	INIT(enumerator,
+		.enumerator = {
+			.enumerate = (void*)_enumerate,
+			.destroy = (void*)free,
+		},
+		.list = this,
+	);
+
+	return &enumerator->enumerator;
+}
+
+METHOD(linked_list_t, reset_enumerator, void,
+	private_linked_list_t *this, private_enumerator_t *enumerator)
+{
+	enumerator->current = NULL;
+	enumerator->finished = FALSE;
+}
+
+METHOD(linked_list_t, has_more, bool,
+	private_linked_list_t *this, private_enumerator_t *enumerator)
+{
+	if (enumerator->current)
+	{
+		return enumerator->current->next != NULL;
+	}
+	return !enumerator->finished && this->first != NULL;
+}
+
+METHOD(linked_list_t, get_count, int,
+	private_linked_list_t *this)
+{
+	return this->count;
+}
+
+METHOD(linked_list_t, insert_first, void,
+	private_linked_list_t *this, void *item)
+{
+	element_t *element;
+
+	element = element_create(item);
+	if (this->count == 0)
+	{
+		/* first entry in list */
+		this->first = element;
+		this->last = element;
+	}
+	else
+	{
+		element->next = this->first;
+		this->first->previous = element;
+		this->first = element;
+	}
+	this->count++;
+}
+
+/**
+ * unlink an element form the list, returns following element
+ */
+static element_t* remove_element(private_linked_list_t *this,
+								 element_t *element)
+{
+	element_t *next, *previous;
+
+	next = element->next;
+	previous = element->previous;
+	free(element);
+	if (next)
+	{
+		next->previous = previous;
+	}
+	else
+	{
+		this->last = previous;
+	}
+	if (previous)
+	{
+		previous->next = next;
+	}
+	else
+	{
+		this->first = next;
+	}
+	if (--this->count == 0)
+	{
+		this->first = NULL;
+		this->last = NULL;
+	}
+	return next;
+}
+
+METHOD(linked_list_t, get_first, status_t,
+	private_linked_list_t *this, void **item)
+{
+	if (this->count == 0)
+	{
+		return NOT_FOUND;
+	}
+	*item = this->first->value;
+	return SUCCESS;
+}
+
+METHOD(linked_list_t, remove_first, status_t,
+	private_linked_list_t *this, void **item)
+{
+	if (get_first(this, item) == SUCCESS)
+	{
+		remove_element(this, this->first);
+		return SUCCESS;
+	}
+	return NOT_FOUND;
+}
+
+METHOD(linked_list_t, insert_last, void,
+	private_linked_list_t *this, void *item)
+{
+	element_t *element;
+
+	element = element_create(item);
+	if (this->count == 0)
+	{
+		/* first entry in list */
+		this->first = element;
+		this->last = element;
+	}
+	else
+	{
+		element->previous = this->last;
+		this->last->next = element;
+		this->last = element;
+	}
+	this->count++;
+}
+
+METHOD(linked_list_t, insert_before, void,
+	private_linked_list_t *this, private_enumerator_t *enumerator,
+	void *item)
+{
+	element_t *current, *element;
+
+	current = enumerator->current;
+	if (!current)
+	{
+		if (enumerator->finished)
+		{
+			this->public.insert_last(&this->public, item);
+		}
+		else
+		{
+			this->public.insert_first(&this->public, item);
+		}
+		return;
+	}
+	element = element_create(item);
+	if (current->previous)
+	{
+		current->previous->next = element;
+		element->previous = current->previous;
+		current->previous = element;
+		element->next = current;
+	}
+	else
+	{
+		current->previous = element;
+		element->next = current;
+		this->first = element;
+	}
+	this->count++;
+}
+
+METHOD(linked_list_t, replace, void*,
+	private_linked_list_t *this, private_enumerator_t *enumerator,
+	void *item)
+{
+	void *old = NULL;
+
+	if (enumerator->current)
+	{
+		old = enumerator->current->value;
+		enumerator->current->value = item;
+	}
+	return old;
+}
+
+METHOD(linked_list_t, get_last, status_t,
+	private_linked_list_t *this, void **item)
+{
+	if (this->count == 0)
+	{
+		return NOT_FOUND;
+	}
+	*item = this->last->value;
+	return SUCCESS;
+}
+
+METHOD(linked_list_t, remove_last, status_t,
+	private_linked_list_t *this, void **item)
+{
+	if (get_last(this, item) == SUCCESS)
+	{
+		remove_element(this, this->last);
+		return SUCCESS;
+	}
+	return NOT_FOUND;
+}
+
+METHOD(linked_list_t, remove_, int,
+	private_linked_list_t *this, void *item, bool (*compare)(void*,void*))
+{
+	element_t *current = this->first;
+	int removed = 0;
+
+	while (current)
+	{
+		if ((compare && compare(current->value, item)) ||
+			(!compare && current->value == item))
+		{
+			removed++;
+			current = remove_element(this, current);
+		}
+		else
+		{
+			current = current->next;
+		}
+	}
+	return removed;
+}
+
+METHOD(linked_list_t, remove_at, void,
+	   private_linked_list_t *this, private_enumerator_t *enumerator)
+{
+	element_t *current;
+
+	if (enumerator->current)
+	{
+		current = enumerator->current;
+		enumerator->current = current->previous;
+		remove_element(this, current);
+	}
+}
+
+METHOD(linked_list_t, find_first, status_t,
+	private_linked_list_t *this, linked_list_match_t match,
+	void **item, void *d1, void *d2, void *d3, void *d4, void *d5)
+{
+	element_t *current = this->first;
+
+	while (current)
+	{
+		if ((match && match(current->value, d1, d2, d3, d4, d5)) ||
+			(!match && item && current->value == *item))
+		{
+			if (item != NULL)
+			{
+				*item = current->value;
+			}
+			return SUCCESS;
+		}
+		current = current->next;
+	}
+	return NOT_FOUND;
+}
+
+METHOD(linked_list_t, find_last, status_t,
+	private_linked_list_t *this, linked_list_match_t match,
+	void **item, void *d1, void *d2, void *d3, void *d4, void *d5)
+{
+	element_t *current = this->last;
+
+	while (current)
+	{
+		if ((match && match(current->value, d1, d2, d3, d4, d5)) ||
+			(!match && item && current->value == *item))
+		{
+			if (item != NULL)
+			{
+				*item = current->value;
+			}
+			return SUCCESS;
+		}
+		current = current->previous;
+	}
+	return NOT_FOUND;
+}
+
+METHOD(linked_list_t, invoke_offset, void,
+	private_linked_list_t *this, size_t offset,
+	void *d1, void *d2, void *d3, void *d4, void *d5)
+{
+	element_t *current = this->first;
+	linked_list_invoke_t *method;
+
+	while (current)
+	{
+		method = current->value + offset;
+		(*method)(current->value, d1, d2, d3, d4, d5);
+		current = current->next;
+	}
+}
+
+METHOD(linked_list_t, invoke_function, void,
+	private_linked_list_t *this, linked_list_invoke_t fn,
+	void *d1, void *d2, void *d3, void *d4, void *d5)
+{
+	element_t *current = this->first;
+
+	while (current)
+	{
+		fn(current->value, d1, d2, d3, d4, d5);
+		current = current->next;
+	}
+}
+
+METHOD(linked_list_t, clone_offset, linked_list_t*,
+	private_linked_list_t *this, size_t offset)
+{
+	element_t *current = this->first;
+	linked_list_t *clone;
+
+	clone = linked_list_create();
+	while (current)
+	{
+		void* (**method)(void*) = current->value + offset;
+		clone->insert_last(clone, (*method)(current->value));
+		current = current->next;
+	}
+
+	return clone;
+}
+
+METHOD(linked_list_t, clone_function, linked_list_t*,
+	private_linked_list_t *this, void* (*fn)(void*))
+{
+	element_t *current = this->first;
+	linked_list_t *clone;
+
+	clone = linked_list_create();
+	while (current)
+	{
+		clone->insert_last(clone, fn(current->value));
+		current = current->next;
+	}
+	return clone;
+}
+
+METHOD(linked_list_t, destroy, void,
+	private_linked_list_t *this)
+{
+	void *value;
+
+	/* Remove all list items before destroying list */
+	while (remove_first(this, &value) == SUCCESS)
+	{
+		/* values are not destroyed so memory leaks are possible
+		 * if list is not empty when deleting */
+	}
+	free(this);
+}
+
+METHOD(linked_list_t, destroy_offset, void,
+	private_linked_list_t *this, size_t offset)
+{
+	element_t *current = this->first, *next;
+
+	while (current)
+	{
+		void (**method)(void*) = current->value + offset;
+		(*method)(current->value);
+		next = current->next;
+		free(current);
+		current = next;
+	}
+	free(this);
+}
+
+METHOD(linked_list_t, destroy_function, void,
+	private_linked_list_t *this, void (*fn)(void*))
+{
+	element_t *current = this->first, *next;
+
+	while (current)
+	{
+		fn(current->value);
+		next = current->next;
+		free(current);
+		current = next;
+	}
+	free(this);
+}
+
+/*
+ * Described in header.
+ */
+linked_list_t *linked_list_create()
+{
+	private_linked_list_t *this;
+
+	INIT(this,
+		.public = {
+			.get_count = _get_count,
+			.create_enumerator = _create_enumerator,
+			.reset_enumerator = (void*)_reset_enumerator,
+			.has_more = (void*)_has_more,
+			.get_first = _get_first,
+			.get_last = _get_last,
+			.find_first = (void*)_find_first,
+			.find_last = (void*)_find_last,
+			.insert_first = _insert_first,
+			.insert_last = _insert_last,
+			.insert_before = (void*)_insert_before,
+			.replace = (void*)_replace,
+			.remove_first = _remove_first,
+			.remove_last = _remove_last,
+			.remove = _remove_,
+			.remove_at = (void*)_remove_at,
+			.invoke_offset = (void*)_invoke_offset,
+			.invoke_function = (void*)_invoke_function,
+			.clone_offset = _clone_offset,
+			.clone_function = _clone_function,
+			.destroy = _destroy,
+			.destroy_offset = _destroy_offset,
+			.destroy_function = _destroy_function,
+		},
+	);
+
+	return &this->public;
+}
+
+/*
+ * See header.
+ */
+linked_list_t *linked_list_create_from_enumerator(enumerator_t *enumerator)
+{
+	linked_list_t *list;
+	void *item;
+
+	list = linked_list_create();
+
+	while (enumerator->enumerate(enumerator, &item))
+	{
+		list->insert_last(list, item);
+	}
+	enumerator->destroy(enumerator);
+
+	return list;
+}
+
+/*
+ * See header.
+ */
+linked_list_t *linked_list_create_with_items(void *item, ...)
+{
+	linked_list_t *list;
+	va_list args;
+
+	list = linked_list_create();
+
+	va_start(args, item);
+	while (item)
+	{
+		list->insert_last(list, item);
+		item = va_arg(args, void*);
+	}
+	va_end(args);
+
+	return list;
+}
diff --git a/src/libstrongswan/collections/linked_list.h b/src/libstrongswan/collections/linked_list.h
new file mode 100644
index 000000000..da539a231
--- /dev/null
+++ b/src/libstrongswan/collections/linked_list.h
@@ -0,0 +1,319 @@
+/*
+ * Copyright (C) 2007-2011 Tobias Brunner
+ * Copyright (C) 2005-2008 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup linked_list linked_list
+ * @{ @ingroup collections
+ */
+
+#ifndef LINKED_LIST_H_
+#define LINKED_LIST_H_
+
+typedef struct linked_list_t linked_list_t;
+
+#include <collections/enumerator.h>
+
+/**
+ * Method to match elements in a linked list (used in find_* functions)
+ *
+ * @param item			current list item
+ * @param ...			user supplied data (only pointers, at most 5)
+ * @return
+ *						- TRUE, if the item matched
+ *						- FALSE, otherwise
+ */
+typedef bool (*linked_list_match_t)(void *item, ...);
+
+/**
+ * Method to be invoked on elements in a linked list (used in invoke_* functions)
+ *
+ * @param item			current list item
+ * @param ...			user supplied data (only pointers, at most 5)
+ */
+typedef void (*linked_list_invoke_t)(void *item, ...);
+
+/**
+ * Class implementing a double linked list.
+ *
+ * General purpose linked list. This list is not synchronized.
+ */
+struct linked_list_t {
+
+	/**
+	 * Gets the count of items in the list.
+	 *
+	 * @return			number of items in list
+	 */
+	int (*get_count) (linked_list_t *this);
+
+	/**
+	 * Create an enumerator over the list.
+	 *
+	 * @note The enumerator's position is invalid before the first call
+	 * to enumerate().
+	 *
+	 * @return			enumerator over list items
+	 */
+	enumerator_t* (*create_enumerator)(linked_list_t *this);
+
+	/**
+	 * Resets the enumerator's current position to the beginning of the list.
+	 *
+	 * @param enumerator	enumerator to reset
+	 */
+	void (*reset_enumerator)(linked_list_t *this, enumerator_t *enumerator);
+
+	/**
+	 * Checks if there are more elements following after the enumerator's
+	 * current position.
+	 *
+	 * @param enumerator	enumerator to check
+	 */
+	bool (*has_more)(linked_list_t *this, enumerator_t *enumerator);
+
+	/**
+	 * Inserts a new item at the beginning of the list.
+	 *
+	 * @param item		item value to insert in list
+	 */
+	void (*insert_first) (linked_list_t *this, void *item);
+
+	/**
+	 * Removes the first item in the list and returns its value.
+	 *
+	 * @param item		returned value of first item, or NULL
+	 * @return			SUCCESS, or NOT_FOUND if list is empty
+	 */
+	status_t (*remove_first) (linked_list_t *this, void **item);
+
+	/**
+	 * Inserts a new item before the item the enumerator currently points to.
+	 *
+	 * If this method is called before starting the enumeration the item is
+	 * inserted first. If it is called after all items have been enumerated
+	 * the item is inserted last. This is helpful when inserting items into
+	 * a sorted list.
+	 *
+	 * @note The position of the enumerator is not changed.
+	 *
+	 * @param enumerator	enumerator with position
+	 * @param item			item value to insert in list
+	 */
+	void (*insert_before)(linked_list_t *this, enumerator_t *enumerator,
+						  void *item);
+
+	/**
+	 * Replaces the item the enumerator currently points to with the given item.
+	 *
+	 * @param enumerator	enumerator with position
+	 * @param item			item value to replace current item with
+	 * @return				current item or NULL if the enumerator is at an
+	 *						invalid position
+	 */
+	void *(*replace)(linked_list_t *this, enumerator_t *enumerator, void *item);
+
+	/**
+	 * Remove an item from the list where the enumerator points to.
+	 *
+	 * @param enumerator enumerator with position
+	 */
+	void (*remove_at)(linked_list_t *this, enumerator_t *enumerator);
+
+	/**
+	 * Remove items from the list matching the given item.
+	 *
+	 * If a compare function is given, it is called for each item, with the
+	 * first parameter being the current list item and the second parameter
+	 * being the supplied item. Return TRUE from the compare function to remove
+	 * the item, return FALSE to keep it in the list.
+	 *
+	 * If compare is NULL, comparison is done by pointers.
+	 *
+	 * @param item		item to remove/pass to comparator
+	 * @param compare	compare function, or NULL
+	 * @return			number of removed items
+	 */
+	int (*remove)(linked_list_t *this, void *item, bool (*compare)(void*,void*));
+
+	/**
+	 * Returns the value of the first list item without removing it.
+	 *
+	 * @param item		returned value of first item
+	 * @return			SUCCESS, NOT_FOUND if list is empty
+	 */
+	status_t (*get_first) (linked_list_t *this, void **item);
+
+	/**
+	 * Inserts a new item at the end of the list.
+	 *
+	 * @param item		value to insert into list
+	 */
+	void (*insert_last) (linked_list_t *this, void *item);
+
+	/**
+	 * Removes the last item in the list and returns its value.
+	 *
+	 * @param item		returned value of last item, or NULL
+	 * @return			SUCCESS, NOT_FOUND if list is empty
+	 */
+	status_t (*remove_last) (linked_list_t *this, void **item);
+
+	/**
+	 * Returns the value of the last list item without removing it.
+	 *
+	 * @param item		returned value of last item
+	 * @return			SUCCESS, NOT_FOUND if list is empty
+	 */
+	status_t (*get_last) (linked_list_t *this, void **item);
+
+	/** Find the first matching element in the list.
+	 *
+	 * The first object passed to the match function is the current list item,
+	 * followed by the user supplied data.
+	 * If the supplied function returns TRUE this function returns SUCCESS, and
+	 * the current object is returned in the third parameter, otherwise,
+	 * the next item is checked.
+	 *
+	 * If match is NULL, *item and the current object are compared.
+	 *
+	 * @warning Only use pointers as user supplied data.
+	 *
+	 * @param match			comparison function to call on each object, or NULL
+	 * @param item			the list item, if found
+	 * @param ...			user data to supply to match function (limited to 5 arguments)
+	 * @return				SUCCESS if found, NOT_FOUND otherwise
+	 */
+	status_t (*find_first) (linked_list_t *this, linked_list_match_t match,
+							void **item, ...);
+
+	/** Find the last matching element in the list.
+	 *
+	 * The first object passed to the match function is the current list item,
+	 * followed by the user supplied data.
+	 * If the supplied function returns TRUE this function returns SUCCESS, and
+	 * the current object is returned in the third parameter, otherwise,
+	 * the next item is checked.
+	 *
+	 * If match is NULL, *item and the current object are compared.
+	 *
+	 * @warning Only use pointers as user supplied data.
+	 *
+	 * @param match			comparison function to call on each object, or NULL
+	 * @param item			the list item, if found
+	 * @param ...			user data to supply to match function (limited to 5 arguments)
+	 * @return				SUCCESS if found, NOT_FOUND otherwise
+	 */
+	status_t (*find_last) (linked_list_t *this, linked_list_match_t match,
+						   void **item, ...);
+
+	/**
+	 * Invoke a method on all of the contained objects.
+	 *
+	 * If a linked list contains objects with function pointers,
+	 * invoke() can call a method on each of the objects. The
+	 * method is specified by an offset of the function pointer,
+	 * which can be evalutated at compile time using the offsetof
+	 * macro, e.g.: list->invoke(list, offsetof(object_t, method));
+	 *
+	 * @warning Only use pointers as user supplied data.
+	 *
+	 * @param offset	offset of the method to invoke on objects
+	 * @param ...		user data to supply to called function (limited to 5 arguments)
+	 */
+	void (*invoke_offset) (linked_list_t *this, size_t offset, ...);
+
+	/**
+	 * Invoke a function on all of the contained objects.
+	 *
+	 * @warning Only use pointers as user supplied data.
+	 *
+	 * @param function	offset of the method to invoke on objects
+	 * @param ...		user data to supply to called function (limited to 5 arguments)
+	 */
+	void (*invoke_function) (linked_list_t *this, linked_list_invoke_t function, ...);
+
+	/**
+	 * Clones a list and its objects using the objects' clone method.
+	 *
+	 * @param offset	offset ot the objects clone function
+	 * @return			cloned list
+	 */
+	linked_list_t *(*clone_offset) (linked_list_t *this, size_t offset);
+
+	/**
+	 * Clones a list and its objects using a given function.
+	 *
+	 * @param function	function that clones an object
+	 * @return			cloned list
+	 */
+	linked_list_t *(*clone_function) (linked_list_t *this, void*(*)(void*));
+
+	/**
+	 * Destroys a linked_list object.
+	 */
+	void (*destroy) (linked_list_t *this);
+
+	/**
+	 * Destroys a list and its objects using the destructor.
+	 *
+	 * If a linked list and the contained objects should be destroyed, use
+	 * destroy_offset. The supplied offset specifies the destructor to
+	 * call on each object. The offset may be calculated using the offsetof
+	 * macro, e.g.: list->destroy_offset(list, offsetof(object_t, destroy));
+	 *
+	 * @param offset	offset of the objects destructor
+	 */
+	void (*destroy_offset) (linked_list_t *this, size_t offset);
+
+	/**
+	 * Destroys a list and its contents using a a cleanup function.
+	 *
+	 * If a linked list and its contents should get destroyed using a specific
+	 * cleanup function, use destroy_function. This is useful when the
+	 * list contains malloc()-ed blocks which should get freed,
+	 * e.g.: list->destroy_function(list, free);
+	 *
+	 * @param function	function to call on each object
+	 */
+	void (*destroy_function) (linked_list_t *this, void (*)(void*));
+};
+
+/**
+ * Creates an empty linked list object.
+ *
+ * @return		linked_list_t object.
+ */
+linked_list_t *linked_list_create(void);
+
+/**
+ * Creates a linked list from an enumerator.
+ *
+ * @param enumerator	enumerator over void*, gets destroyed
+ * @return				linked_list_t object, containing enumerated values
+ */
+linked_list_t *linked_list_create_from_enumerator(enumerator_t *enumerator);
+
+/**
+ * Creates a linked list from a NULL terminated vararg list of items.
+ *
+ * @param first			first item
+ * @param ...			subsequent items, terminated by NULL
+ * @return				linked_list_t object, containing passed items
+ */
+linked_list_t *linked_list_create_with_items(void *first, ...);
+
+#endif /** LINKED_LIST_H_ @}*/
diff --git a/src/libstrongswan/credentials/auth_cfg.c b/src/libstrongswan/credentials/auth_cfg.c
index 6ee4f9b6e..a718de3dc 100644
--- a/src/libstrongswan/credentials/auth_cfg.c
+++ b/src/libstrongswan/credentials/auth_cfg.c
@@ -17,8 +17,8 @@
 #include "auth_cfg.h"
 
 #include <library.h>
-#include <debug.h>
-#include <utils/linked_list.h>
+#include <utils/debug.h>
+#include <collections/linked_list.h>
 #include <utils/identification.h>
 #include <eap/eap.h>
 #include <credentials/certificates/certificate.h>
diff --git a/src/libstrongswan/credentials/auth_cfg.h b/src/libstrongswan/credentials/auth_cfg.h
index 79484a04c..d87935589 100644
--- a/src/libstrongswan/credentials/auth_cfg.h
+++ b/src/libstrongswan/credentials/auth_cfg.h
@@ -22,7 +22,7 @@
 #ifndef AUTH_CFG_H_
 #define AUTH_CFG_H_
 
-#include <utils/enumerator.h>
+#include <collections/enumerator.h>
 
 typedef struct auth_cfg_t auth_cfg_t;
 typedef enum auth_rule_t auth_rule_t;
diff --git a/src/libstrongswan/credentials/builder.c b/src/libstrongswan/credentials/builder.c
index d3157c80e..f5858382f 100644
--- a/src/libstrongswan/credentials/builder.c
+++ b/src/libstrongswan/credentials/builder.c
@@ -19,6 +19,7 @@ ENUM(builder_part_names, BUILD_FROM_FILE, BUILD_END,
 	"BUILD_FROM_FILE",
 	"BUILD_FROM_FD",
 	"BUILD_AGENT_SOCKET",
+	"BUILD_BLOB",
 	"BUILD_BLOB_ASN1_DER",
 	"BUILD_BLOB_PEM",
 	"BUILD_BLOB_PGP",
@@ -36,6 +37,7 @@ ENUM(builder_part_names, BUILD_FROM_FILE, BUILD_END,
 	"BUILD_NOT_AFTER_TIME",
 	"BUILD_SERIAL",
 	"BUILD_DIGEST_ALG",
+	"BUILD_ENCRYPTION_ALG",
 	"BUILD_IETF_GROUP_ATTR",
 	"BUILD_CA_CERT",
 	"BUILD_CERT",
@@ -53,6 +55,7 @@ ENUM(builder_part_names, BUILD_FROM_FILE, BUILD_END,
 	"BUILD_REVOKED_ENUMERATOR",
 	"BUILD_BASE_CRL",
 	"BUILD_CHALLENGE_PWD",
+	"BUILD_PKCS7_ATTRIBUTE",
 	"BUILD_PKCS11_MODULE",
 	"BUILD_PKCS11_SLOT",
 	"BUILD_PKCS11_KEYID",
@@ -64,6 +67,9 @@ ENUM(builder_part_names, BUILD_FROM_FILE, BUILD_END,
 	"BUILD_RSA_EXP1",
 	"BUILD_RSA_EXP2",
 	"BUILD_RSA_COEFF",
+	"BUILD_SAFE_PRIMES",
+	"BUILD_SHARES",
+	"BUILD_THRESHOLD",
 	"BUILD_END",
 );
 
diff --git a/src/libstrongswan/credentials/builder.h b/src/libstrongswan/credentials/builder.h
index 41250ccae..740041aac 100644
--- a/src/libstrongswan/credentials/builder.h
+++ b/src/libstrongswan/credentials/builder.h
@@ -49,6 +49,8 @@ enum builder_part_t {
 	BUILD_FROM_FD,
 	/** unix socket of a ssh/pgp agent, char* */
 	BUILD_AGENT_SOCKET,
+	/** An arbitrary blob of data, chunk_t */
+	BUILD_BLOB,
 	/** DER encoded ASN.1 blob, chunk_t */
 	BUILD_BLOB_ASN1_DER,
 	/** PEM encoded ASN.1/PGP blob, chunk_t */
@@ -81,8 +83,10 @@ enum builder_part_t {
 	BUILD_NOT_AFTER_TIME,
 	/** a serial number in binary form, chunk_t */
 	BUILD_SERIAL,
-	/** digest algorithm to be used for signature, int */
+	/** digest algorithm to be used for signature, hash_algorithm_t */
 	BUILD_DIGEST_ALG,
+	/** encryption algorithm to use, encryption_algorithm_t */
+	BUILD_ENCRYPTION_ALG,
 	/** a comma-separated list of ietf group attributes, char* */
 	BUILD_IETF_GROUP_ATTR,
 	/** a ca certificate, certificate_t* */
@@ -117,6 +121,8 @@ enum builder_part_t {
 	BUILD_BASE_CRL,
 	/** PKCS#10 challenge password */
 	BUILD_CHALLENGE_PWD,
+	/** PKCS#7 attribute, int oid, chunk_t with ASN1 type encoded value */
+	BUILD_PKCS7_ATTRIBUTE,
 	/** friendly name of a PKCS#11 module, null terminated char* */
 	BUILD_PKCS11_MODULE,
 	/** slot specifier for a token in a PKCS#11 module, int */
@@ -139,6 +145,12 @@ enum builder_part_t {
 	BUILD_RSA_EXP2,
 	/** coefficient (coeff) of a RSA key, chunk_t */
 	BUILD_RSA_COEFF,
+	/** generate (p) and (q) as safe primes */
+	BUILD_SAFE_PRIMES,
+	/** number of private key shares */
+	BUILD_SHARES,
+	/** minimum number of participating private key shares */
+	BUILD_THRESHOLD,
 	/** end of variable argument builder list */
 	BUILD_END,
 };
diff --git a/src/libstrongswan/credentials/certificates/certificate.c b/src/libstrongswan/credentials/certificates/certificate.c
index 33ba4e907..bc4209ca7 100644
--- a/src/libstrongswan/credentials/certificates/certificate.c
+++ b/src/libstrongswan/credentials/certificates/certificate.c
@@ -15,7 +15,7 @@
 
 #include "certificate.h"
 
-#include <debug.h>
+#include <utils/debug.h>
 #include <credentials/certificates/x509.h>
 
 ENUM(certificate_type_names, CERT_ANY, CERT_PLUTO_CRL,
diff --git a/src/libstrongswan/credentials/certificates/crl.c b/src/libstrongswan/credentials/certificates/crl.c
index 69bd80b84..09fd0bfc8 100644
--- a/src/libstrongswan/credentials/certificates/crl.c
+++ b/src/libstrongswan/credentials/certificates/crl.c
@@ -16,7 +16,7 @@
 
 #include "crl.h"
 
-#include <debug.h>
+#include <utils/debug.h>
 
 ENUM(crl_reason_names, CRL_REASON_UNSPECIFIED, CRL_REASON_REMOVE_FROM_CRL,
 	"unspecified",
diff --git a/src/libstrongswan/credentials/certificates/pkcs10.h b/src/libstrongswan/credentials/certificates/pkcs10.h
index 9a4979757..2f35eb6a5 100644
--- a/src/libstrongswan/credentials/certificates/pkcs10.h
+++ b/src/libstrongswan/credentials/certificates/pkcs10.h
@@ -21,7 +21,7 @@
 #ifndef PKCS10_H_
 #define PKCS10_H_
 
-#include <utils/enumerator.h>
+#include <collections/enumerator.h>
 #include <credentials/certificates/certificate.h>
 
 typedef struct pkcs10_t pkcs10_t;
diff --git a/src/libstrongswan/credentials/certificates/x509.h b/src/libstrongswan/credentials/certificates/x509.h
index 00171a718..4e8d4317f 100644
--- a/src/libstrongswan/credentials/certificates/x509.h
+++ b/src/libstrongswan/credentials/certificates/x509.h
@@ -21,7 +21,7 @@
 #ifndef X509_H_
 #define X509_H_
 
-#include <utils/enumerator.h>
+#include <collections/enumerator.h>
 #include <credentials/certificates/certificate.h>
 
 /* constraints are currently restricted to the range 0..127 */
diff --git a/src/libstrongswan/credentials/containers/container.c b/src/libstrongswan/credentials/containers/container.c
new file mode 100644
index 000000000..d1e67b21b
--- /dev/null
+++ b/src/libstrongswan/credentials/containers/container.c
@@ -0,0 +1,23 @@
+/*
+ * Copyright (C) 2012 Martin Willi
+ * Copyright (C) 2012 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "container.h"
+
+ENUM(container_type_names, CONTAINER_PKCS7, CONTAINER_PKCS7_ENVELOPED_DATA,
+	"PKCS7",
+	"PKCS7_DATA",
+	"PKCS7_SIGNED_DATA",
+	"PKCS7_ENVELOPED_DATA",
+);
diff --git a/src/libstrongswan/credentials/containers/container.h b/src/libstrongswan/credentials/containers/container.h
new file mode 100644
index 000000000..fc5c09041
--- /dev/null
+++ b/src/libstrongswan/credentials/containers/container.h
@@ -0,0 +1,93 @@
+/*
+ * Copyright (C) 2012 Martin Willi
+ * Copyright (C) 2012 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup container container
+ * @{ @ingroup containers
+ */
+
+#ifndef CONTAINER_H_
+#define CONTAINER_H_
+
+typedef struct container_t container_t;
+typedef enum container_type_t container_type_t;
+
+#include <utils/chunk.h>
+#include <collections/enumerator.h>
+
+/**
+ * Type of the container.
+ */
+enum container_type_t {
+	/** Any kind of PKCS7/CMS container */
+	CONTAINER_PKCS7,
+	/** PKCS7/CMS plain "data" */
+	CONTAINER_PKCS7_DATA,
+	/** PKCS7/CMS "signed-data" */
+	CONTAINER_PKCS7_SIGNED_DATA,
+	/** PKCS7/CMS "enveloped-data" */
+	CONTAINER_PKCS7_ENVELOPED_DATA,
+};
+
+/**
+ * Enum names for container_type_t
+ */
+extern enum_name_t *container_type_names;
+
+/**
+ * Generic interface for cryptographic containers.
+ */
+struct container_t {
+
+	/**
+	 * Get the type of the container.
+	 *
+	 * @return		container type
+	 */
+	container_type_t (*get_type)(container_t *this);
+
+	/**
+	 * Create an enumerator over trustchains for valid container signatures.
+	 *
+	 * @return		enumerator over auth_cfg_t*
+	 */
+	enumerator_t* (*create_signature_enumerator)(container_t *this);
+
+	/**
+	 * Get signed/decrypted data wrapped in this container.
+	 *
+	 * This function does not verify any associated signatures, use
+	 * create_signature_enumerator() to verify them.
+	 *
+	 * @param data	allocated data wrapped in this container
+	 * @return		TRUE if data decrypted successfully
+	 */
+	bool (*get_data)(container_t *this, chunk_t *data);
+
+	/**
+	 * Get the encoding of the full signed/encrypted container.
+	 *
+	 * @param data	allocated container encoding
+	 * @return		TRUE if encodign successful
+	 */
+	bool (*get_encoding)(container_t *this, chunk_t *encoding);
+
+	/**
+	 * Destroy a container_t.
+	 */
+	void (*destroy)(container_t *this);
+};
+
+#endif /** CONTAINER_H_ @}*/
diff --git a/src/libstrongswan/credentials/containers/pkcs7.h b/src/libstrongswan/credentials/containers/pkcs7.h
new file mode 100644
index 000000000..d42d82b0b
--- /dev/null
+++ b/src/libstrongswan/credentials/containers/pkcs7.h
@@ -0,0 +1,63 @@
+/*
+ * Copyright (C) 2012 Martin Willi
+ * Copyright (C) 2012 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup pkcs7 pkcs7
+ * @{ @ingroup containers
+ */
+
+#ifndef PKCS7_H_
+#define PKCS7_H_
+
+#include <credentials/containers/container.h>
+
+typedef struct pkcs7_t pkcs7_t;
+
+/**
+ * PKCS#7/CMS container type.
+ */
+struct pkcs7_t {
+
+	/**
+	 * Implements container_t.
+	 */
+	container_t container;
+
+	/**
+	 * Get an authenticated PKCS#9 attribute from PKCS#7 signerInfo.
+	 *
+	 * To select the signerInfo structure to get the attribute from, pass
+	 * the enumerator position from container_t.create_signature_enumerator().
+	 *
+	 * The attribute returned does not contain type information and must be
+	 * freed after use.
+	 *
+	 * @param oid			OID from the attribute to get
+	 * @param enumerator	enumerator to select signerInfo
+	 * @param value			chunk receiving attribute value, allocated
+	 * @return				TRUE if attribute found
+	 */
+	bool (*get_attribute)(pkcs7_t *this, int oid, enumerator_t *enumerator,
+						  chunk_t *value);
+
+	/**
+	 * Create an enumerator over attached certificates.
+	 *
+	 * @return				enumerator over certificate_t
+	 */
+	enumerator_t* (*create_cert_enumerator)(pkcs7_t *this);
+};
+
+#endif /** PKCS7_H_ @}*/
diff --git a/src/libstrongswan/credentials/cred_encoding.c b/src/libstrongswan/credentials/cred_encoding.c
index 4865984dd..53ac13cbb 100644
--- a/src/libstrongswan/credentials/cred_encoding.c
+++ b/src/libstrongswan/credentials/cred_encoding.c
@@ -17,8 +17,8 @@
 
 #include <stdint.h>
 
-#include <utils/linked_list.h>
-#include <utils/hashtable.h>
+#include <collections/linked_list.h>
+#include <collections/hashtable.h>
 #include <threading/rwlock.h>
 
 typedef struct private_cred_encoding_t private_cred_encoding_t;
diff --git a/src/libstrongswan/credentials/credential_factory.c b/src/libstrongswan/credentials/credential_factory.c
index ff621012f..94c7820e1 100644
--- a/src/libstrongswan/credentials/credential_factory.c
+++ b/src/libstrongswan/credentials/credential_factory.c
@@ -17,17 +17,18 @@
 
 #include "credential_factory.h"
 
-#include <debug.h>
-#include <utils/linked_list.h>
+#include <utils/debug.h>
+#include <collections/linked_list.h>
 #include <threading/thread_value.h>
 #include <threading/rwlock.h>
 #include <credentials/certificates/x509.h>
+#include <credentials/containers/container.h>
 
-ENUM(credential_type_names, CRED_PRIVATE_KEY, CRED_CERTIFICATE,
+ENUM(credential_type_names, CRED_PRIVATE_KEY, CRED_CONTAINER,
 	"CRED_PRIVATE_KEY",
 	"CRED_PUBLIC_KEY",
 	"CRED_CERTIFICATE",
-	"CRED_PLUTO_CERT",
+	"CRED_CONTAINER",
 );
 
 typedef struct private_credential_factory_t private_credential_factory_t;
@@ -139,11 +140,21 @@ METHOD(credential_factory_t, create, void*,
 
 	if (!construct && !level)
 	{
-		enum_name_t *names = key_type_names;
+		enum_name_t *names;
 
-		if (type == CRED_CERTIFICATE)
+		switch (type)
 		{
-			names = certificate_type_names;
+			case CRED_CERTIFICATE:
+				names = certificate_type_names;
+				break;
+			case CRED_CONTAINER:
+				names = container_type_names;
+				break;
+			case CRED_PRIVATE_KEY:
+			case CRED_PUBLIC_KEY:
+			default:
+				names = key_type_names;
+				break;
 		}
 		DBG1(DBG_LIB, "building %N - %N failed, tried %d builders",
 			 credential_type_names, type, names, subtype, failures);
diff --git a/src/libstrongswan/credentials/credential_factory.h b/src/libstrongswan/credentials/credential_factory.h
index c31601245..55b669529 100644
--- a/src/libstrongswan/credentials/credential_factory.h
+++ b/src/libstrongswan/credentials/credential_factory.h
@@ -28,6 +28,9 @@ typedef enum credential_type_t credential_type_t;
 
 /**
  * Kind of credential.
+ *
+ * While crypto containers are not really credentials, we still use the
+ * credential factory and builders create them.
  */
 enum credential_type_t {
 	/** private key, implemented in private_key_t */
@@ -36,6 +39,8 @@ enum credential_type_t {
 	CRED_PUBLIC_KEY,
 	/** certificates, implemented in certificate_t */
 	CRED_CERTIFICATE,
+	/** crypto container, implemented in container_t */
+	CRED_CONTAINER,
 };
 
 /**
diff --git a/src/libstrongswan/credentials/credential_manager.c b/src/libstrongswan/credentials/credential_manager.c
index a96abdc69..9e40c5a10 100644
--- a/src/libstrongswan/credentials/credential_manager.c
+++ b/src/libstrongswan/credentials/credential_manager.c
@@ -16,11 +16,11 @@
 #include "credential_manager.h"
 
 #include <library.h>
-#include <debug.h>
+#include <utils/debug.h>
 #include <threading/thread_value.h>
 #include <threading/mutex.h>
 #include <threading/rwlock.h>
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
 #include <credentials/sets/cert_cache.h>
 #include <credentials/sets/auth_cfg_wrapper.h>
 #include <credentials/certificates/x509.h>
diff --git a/src/libstrongswan/credentials/credential_manager.h b/src/libstrongswan/credentials/credential_manager.h
index d9a47b7d7..73c585734 100644
--- a/src/libstrongswan/credentials/credential_manager.h
+++ b/src/libstrongswan/credentials/credential_manager.h
@@ -24,7 +24,7 @@
 typedef struct credential_manager_t credential_manager_t;
 
 #include <utils/identification.h>
-#include <utils/enumerator.h>
+#include <collections/enumerator.h>
 #include <credentials/auth_cfg.h>
 #include <credentials/credential_set.h>
 #include <credentials/keys/private_key.h>
diff --git a/src/libstrongswan/credentials/ietf_attributes/ietf_attributes.c b/src/libstrongswan/credentials/ietf_attributes/ietf_attributes.c
index fb18fb53d..49af5a079 100644
--- a/src/libstrongswan/credentials/ietf_attributes/ietf_attributes.c
+++ b/src/libstrongswan/credentials/ietf_attributes/ietf_attributes.c
@@ -17,7 +17,7 @@
 #include <asn1/oid.h>
 #include <asn1/asn1.h>
 #include <asn1/asn1_parser.h>
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
 #include <utils/lexparser.h>
 
 #include "ietf_attributes.h"
diff --git a/src/libstrongswan/credentials/keys/shared_key.h b/src/libstrongswan/credentials/keys/shared_key.h
index d00b8d12e..900c6613e 100644
--- a/src/libstrongswan/credentials/keys/shared_key.h
+++ b/src/libstrongswan/credentials/keys/shared_key.h
@@ -21,7 +21,7 @@
 #ifndef SHARED_KEY_H_
 #define SHARED_KEY_H_
 
-#include <utils/enumerator.h>
+#include <collections/enumerator.h>
 #include <utils/identification.h>
 
 typedef struct shared_key_t shared_key_t;
diff --git a/src/libstrongswan/credentials/sets/auth_cfg_wrapper.c b/src/libstrongswan/credentials/sets/auth_cfg_wrapper.c
index 2cef23328..46bfb5c6e 100644
--- a/src/libstrongswan/credentials/sets/auth_cfg_wrapper.c
+++ b/src/libstrongswan/credentials/sets/auth_cfg_wrapper.c
@@ -15,7 +15,7 @@
  */
 
 #include <library.h>
-#include <debug.h>
+#include <utils/debug.h>
 
 #include "auth_cfg_wrapper.h"
 
diff --git a/src/libstrongswan/credentials/sets/cert_cache.c b/src/libstrongswan/credentials/sets/cert_cache.c
index a7d0ed8f9..e8f0e7ec0 100644
--- a/src/libstrongswan/credentials/sets/cert_cache.c
+++ b/src/libstrongswan/credentials/sets/cert_cache.c
@@ -20,7 +20,7 @@
 
 #include <library.h>
 #include <threading/rwlock.h>
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
 
 /** cache size, a power of 2 for fast modulo */
 #define CACHE_SIZE 32
diff --git a/src/libstrongswan/credentials/sets/mem_cred.c b/src/libstrongswan/credentials/sets/mem_cred.c
index e023e8443..d697a56ef 100644
--- a/src/libstrongswan/credentials/sets/mem_cred.c
+++ b/src/libstrongswan/credentials/sets/mem_cred.c
@@ -18,7 +18,7 @@
 #include "mem_cred.h"
 
 #include <threading/rwlock.h>
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
 
 typedef struct private_mem_cred_t private_mem_cred_t;
 
diff --git a/src/libstrongswan/credentials/sets/mem_cred.h b/src/libstrongswan/credentials/sets/mem_cred.h
index eb46b065b..20447207c 100644
--- a/src/libstrongswan/credentials/sets/mem_cred.h
+++ b/src/libstrongswan/credentials/sets/mem_cred.h
@@ -27,7 +27,7 @@ typedef struct mem_cred_t mem_cred_t;
 
 #include <credentials/credential_set.h>
 #include <credentials/certificates/crl.h>
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
 
 /**
  * Generic in-memory credential set.
diff --git a/src/libstrongswan/crypto/aead.c b/src/libstrongswan/crypto/aead.c
index 02fb8d50a..32a0e6759 100644
--- a/src/libstrongswan/crypto/aead.c
+++ b/src/libstrongswan/crypto/aead.c
@@ -15,7 +15,7 @@
 
 #include "aead.h"
 
-#include <debug.h>
+#include <utils/debug.h>
 
 typedef struct private_aead_t private_aead_t;
 
diff --git a/src/libstrongswan/crypto/crypto_factory.c b/src/libstrongswan/crypto/crypto_factory.c
index 3736ae38f..5a363e9f0 100644
--- a/src/libstrongswan/crypto/crypto_factory.c
+++ b/src/libstrongswan/crypto/crypto_factory.c
@@ -15,9 +15,9 @@
 
 #include "crypto_factory.h"
 
-#include <debug.h>
+#include <utils/debug.h>
 #include <threading/rwlock.h>
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
 #include <crypto/crypto_tester.h>
 
 const char *default_plugin_name = "default";
diff --git a/src/libstrongswan/crypto/crypto_factory.h b/src/libstrongswan/crypto/crypto_factory.h
index 611ca0bbb..5d23c8977 100644
--- a/src/libstrongswan/crypto/crypto_factory.h
+++ b/src/libstrongswan/crypto/crypto_factory.h
@@ -24,6 +24,7 @@
 typedef struct crypto_factory_t crypto_factory_t;
 
 #include <library.h>
+#include <collections/enumerator.h>
 #include <crypto/crypters/crypter.h>
 #include <crypto/aead.h>
 #include <crypto/signers/signer.h>
diff --git a/src/libstrongswan/crypto/crypto_tester.c b/src/libstrongswan/crypto/crypto_tester.c
index 01e84a133..08b226468 100644
--- a/src/libstrongswan/crypto/crypto_tester.c
+++ b/src/libstrongswan/crypto/crypto_tester.c
@@ -20,8 +20,8 @@
 
 #include "crypto_tester.h"
 
-#include <debug.h>
-#include <utils/linked_list.h>
+#include <utils/debug.h>
+#include <collections/linked_list.h>
 
 typedef struct private_crypto_tester_t private_crypto_tester_t;
 
diff --git a/src/libstrongswan/crypto/nonce_gen.h b/src/libstrongswan/crypto/nonce_gen.h
index 50f3c0090..7dae4f776 100644
--- a/src/libstrongswan/crypto/nonce_gen.h
+++ b/src/libstrongswan/crypto/nonce_gen.h
@@ -35,7 +35,7 @@ struct nonce_gen_t {
 	 *
 	 * @param size		size of nonce in bytes
 	 * @param buffer	pointer where the generated nonce will be written
-	 * @return			TRUE if nonce allocation was succesful, FALSE otherwise
+	 * @return			TRUE if nonce allocation was successful, FALSE otherwise
 	 */
 	bool (*get_nonce)(nonce_gen_t *this, size_t size,
 					  u_int8_t *buffer) __attribute__((warn_unused_result));
@@ -45,7 +45,7 @@ struct nonce_gen_t {
 	 *
 	 * @param size		size of nonce in bytes
 	 * @param chunk		chunk which will hold the generated nonce
-	 * @return			TRUE if nonce allocation was succesful, FALSE otherwise
+	 * @return			TRUE if nonce allocation was successful, FALSE otherwise
 	 */
 	bool (*allocate_nonce)(nonce_gen_t *this, size_t size,
 						   chunk_t *chunk) __attribute__((warn_unused_result));
diff --git a/src/libstrongswan/crypto/pkcs7.c b/src/libstrongswan/crypto/pkcs7.c
deleted file mode 100644
index 0ec19f2cd..000000000
--- a/src/libstrongswan/crypto/pkcs7.c
+++ /dev/null
@@ -1,1061 +0,0 @@
-/*
- * Copyright (C) 2012 Tobias Brunner
- * Copyright (C) 2002-2008 Andreas Steffen
- * Copyright (C) 2005 Jan Hutter, Martin Willi
- * Hochschule fuer Technik Rapperswil, Switzerland
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include <stdlib.h>
-#include <string.h>
-#include <time.h>
-
-#include <library.h>
-#include <debug.h>
-
-#include <asn1/oid.h>
-#include <asn1/asn1.h>
-#include <asn1/asn1_parser.h>
-#include <credentials/certificates/x509.h>
-#include <credentials/keys/public_key.h>
-#include <crypto/pkcs9.h>
-#include <crypto/hashers/hasher.h>
-#include <crypto/crypters/crypter.h>
-#include <utils/linked_list.h>
-
-#include "pkcs7.h"
-
-typedef struct private_pkcs7_t private_pkcs7_t;
-
-/**
- * Private data of a pkcs7_t object.
- */
-struct private_pkcs7_t {
-	/**
-	 * Public interface for this certificate.
-	 */
-	pkcs7_t public;
-
-	/**
-	 * contentInfo type
-	 */
-	int type;
-
-	/**
-	 * ASN.1 encoded content
-	 */
-	chunk_t content;
-
-	/**
-	 * ASN.1 parsing start level
-	 */
-	u_int level;
-
-	/**
-	 * retrieved data
-	 */
-	chunk_t data;
-
-	/**
-	 * ASN.1 encoded attributes
-	 */
-	pkcs9_t *attributes;
-
-	/**
-	 * Linked list of X.509 certificates
-	 */
-	linked_list_t *certs;
-};
-
-METHOD(pkcs7_t, is_data, bool,
-	private_pkcs7_t *this)
-{
-	return this->type == OID_PKCS7_DATA;
-}
-
-METHOD(pkcs7_t, is_signedData, bool,
-	private_pkcs7_t *this)
-{
-	return this->type == OID_PKCS7_SIGNED_DATA;
-}
-
-METHOD(pkcs7_t, is_envelopedData, bool,
-	private_pkcs7_t *this)
-{
-	return this->type == OID_PKCS7_ENVELOPED_DATA;
-}
-
-/**
- * ASN.1 definition of the PKCS#7 ContentInfo type
- */
-static const asn1Object_t contentInfoObjects[] = {
-	{ 0, "contentInfo",		ASN1_SEQUENCE,		ASN1_NONE }, /* 0 */
-	{ 1,   "contentType",	ASN1_OID,			ASN1_BODY }, /* 1 */
-	{ 1,   "content",		ASN1_CONTEXT_C_0,	ASN1_OPT |
-												ASN1_BODY }, /* 2 */
-	{ 1,   "end opt",		ASN1_EOC,			ASN1_END  }, /* 3 */
-	{ 0, "exit",			ASN1_EOC,			ASN1_EXIT }
-};
-#define PKCS7_INFO_TYPE		1
-#define PKCS7_INFO_CONTENT	2
-
-/**
- * Parse PKCS#7 contentInfo object
- */
-static bool parse_contentInfo(private_pkcs7_t *this)
-{
-	asn1_parser_t *parser;
-	chunk_t object;
-	int objectID;
-	bool success = FALSE;
-
-	if (!this->data.ptr)
-	{
-		return FALSE;
-	}
-
-	parser = asn1_parser_create(contentInfoObjects, this->data);
-	parser->set_top_level(parser, this->level);
-
-	while (parser->iterate(parser, &objectID, &object))
-	{
-		if (objectID == PKCS7_INFO_TYPE)
-		{
-			this->type = asn1_known_oid(object);
-			if (this->type < OID_PKCS7_DATA ||
-				this->type > OID_PKCS7_ENCRYPTED_DATA)
-			{
-				DBG1(DBG_LIB, "unknown pkcs7 content type");
-				goto end;
-			}
-		}
-		else if (objectID == PKCS7_INFO_CONTENT && object.len > 0)
-		{
-			chunk_free(&this->content);
-			this->content = chunk_clone(object);
-		}
-	}
-	success = parser->success(parser);
-
-	if (success)
-	{
-		this->level += 2;
-		chunk_free(&this->data);
-	}
-
-end:
-	parser->destroy(parser);
-	return success;
-}
-
-/**
- * Check whether to abort the requested parsing
- */
-static bool abort_parsing(private_pkcs7_t *this, int type)
-{
-	if (this->type != type)
-	{
-		DBG1(DBG_LIB, "pkcs7 content to be parsed is not of type '%s'",
-			 oid_names[type].name);
-		return TRUE;
-	}
-	return FALSE;
-}
-
-METHOD(pkcs7_t, parse_data, bool,
-	private_pkcs7_t *this)
-{
-	chunk_t data;
-
-	if (!parse_contentInfo(this) ||
-		 abort_parsing(this, OID_PKCS7_DATA))
-	{
-		return FALSE;
-	}
-	data = this->content;
-	if (data.len == 0)
-	{
-		this->data = chunk_empty;
-		return TRUE;
-	}
-	if (asn1_parse_simple_object(&data, ASN1_OCTET_STRING,
-								 this->level, "data"))
-	{
-		this->data = chunk_clone(data);
-		return TRUE;
-	}
-	return FALSE;
-}
-
-/**
- * ASN.1 definition of the PKCS#7 signedData type
- */
-static const asn1Object_t signedDataObjects[] = {
-	{ 0, "signedData",						ASN1_SEQUENCE,		ASN1_NONE }, /*  0 */
-	{ 1,   "version",						ASN1_INTEGER,		ASN1_BODY }, /*  1 */
-	{ 1,   "digestAlgorithms",				ASN1_SET,			ASN1_LOOP }, /*  2 */
-	{ 2,     "algorithm",					ASN1_EOC,			ASN1_RAW  }, /*  3 */
-	{ 1,   "end loop",						ASN1_EOC,			ASN1_END  }, /*  4 */
-	{ 1,   "contentInfo",					ASN1_EOC,			ASN1_RAW  }, /*  5 */
-	{ 1,   "certificates",					ASN1_CONTEXT_C_0,	ASN1_OPT |
-																ASN1_LOOP }, /*  6 */
-	{ 2,      "certificate",				ASN1_SEQUENCE,		ASN1_OBJ  }, /*  7 */
-	{ 1,   "end opt or loop",				ASN1_EOC,			ASN1_END  }, /*  8 */
-	{ 1,   "crls",							ASN1_CONTEXT_C_1,	ASN1_OPT |
-																ASN1_LOOP }, /*  9 */
-	{ 2,	    "crl",						ASN1_SEQUENCE,		ASN1_OBJ  }, /* 10 */
-	{ 1,   "end opt or loop",				ASN1_EOC,			ASN1_END  }, /* 11 */
-	{ 1,   "signerInfos",					ASN1_SET,			ASN1_LOOP }, /* 12 */
-	{ 2,     "signerInfo",					ASN1_SEQUENCE,		ASN1_NONE }, /* 13 */
-	{ 3,       "version",					ASN1_INTEGER,		ASN1_BODY }, /* 14 */
-	{ 3,       "issuerAndSerialNumber",		ASN1_SEQUENCE,		ASN1_BODY }, /* 15 */
-	{ 4,         "issuer",					ASN1_SEQUENCE,		ASN1_OBJ  }, /* 16 */
-	{ 4,         "serial",					ASN1_INTEGER,		ASN1_BODY }, /* 17 */
-	{ 3,       "digestAlgorithm",			ASN1_EOC,			ASN1_RAW  }, /* 18 */
-	{ 3,       "authenticatedAttributes",	ASN1_CONTEXT_C_0,	ASN1_OPT |
-																ASN1_OBJ  }, /* 19 */
-	{ 3,       "end opt",					ASN1_EOC,			ASN1_END  }, /* 20 */
-	{ 3,       "digestEncryptionAlgorithm",	ASN1_EOC,			ASN1_RAW  }, /* 21 */
-	{ 3,       "encryptedDigest",			ASN1_OCTET_STRING,	ASN1_BODY }, /* 22 */
-	{ 3,       "unauthenticatedAttributes", ASN1_CONTEXT_C_1,	ASN1_OPT  }, /* 23 */
-	{ 3,       "end opt",					ASN1_EOC,			ASN1_END  }, /* 24 */
-	{ 1,   "end loop",						ASN1_EOC,			ASN1_END  }, /* 25 */
-	{ 0, "exit",							ASN1_EOC,			ASN1_EXIT }
-};
-#define PKCS7_SIGNED_VERSION		 1
-#define PKCS7_DIGEST_ALG			 3
-#define PKCS7_SIGNED_CONTENT_INFO	 5
-#define PKCS7_SIGNED_CERT			 7
-#define PKCS7_SIGNER_INFO			13
-#define PKCS7_SIGNER_INFO_VERSION	14
-#define PKCS7_SIGNED_ISSUER			16
-#define PKCS7_SIGNED_SERIAL_NUMBER	17
-#define PKCS7_DIGEST_ALGORITHM		18
-#define PKCS7_AUTH_ATTRIBUTES		19
-#define PKCS7_DIGEST_ENC_ALGORITHM	21
-#define PKCS7_ENCRYPTED_DIGEST		22
-
-METHOD(pkcs7_t, parse_signedData, bool,
-	private_pkcs7_t *this, certificate_t *cacert)
-{
-	asn1_parser_t *parser;
-	chunk_t object;
-	int objectID, version;
-	int digest_alg = OID_UNKNOWN;
-	int enc_alg    = OID_UNKNOWN;
-	int signerInfos = 0;
-	bool success = FALSE;
-
-	chunk_t encrypted_digest = chunk_empty;
-
-	if (!parse_contentInfo(this) ||
-		 abort_parsing(this, OID_PKCS7_SIGNED_DATA))
-	{
-		return FALSE;
-	}
-
-	parser = asn1_parser_create(signedDataObjects, this->content);
-	parser->set_top_level(parser, this->level);
-
-	while (parser->iterate(parser, &objectID, &object))
-	{
-		u_int level = parser->get_level(parser);
-
-		switch (objectID)
-		{
-			case PKCS7_SIGNED_VERSION:
-				version = object.len ? (int)*object.ptr : 0;
-				DBG2(DBG_LIB, "  v%d", version);
-				break;
-			case PKCS7_DIGEST_ALG:
-				digest_alg = asn1_parse_algorithmIdentifier(object, level, NULL);
-				break;
-			case PKCS7_SIGNED_CONTENT_INFO:
-			{
-				pkcs7_t *data = pkcs7_create_from_chunk(object, level+1);
-
-				if (!data || !data->parse_data(data))
-				{
-					DESTROY_IF(data);
-					goto end;
-				}
-				this->data = chunk_clone(data->get_data(data));
-				data->destroy(data);
-				break;
-			}
-			case PKCS7_SIGNED_CERT:
-			{
-				certificate_t *cert;
-
-				DBG2(DBG_LIB, "  parsing pkcs7-wrapped certificate");
-				cert = lib->creds->create(lib->creds,
-										  CRED_CERTIFICATE, CERT_X509,
-										  BUILD_BLOB_ASN1_DER, object,
-										  BUILD_END);
-				if (cert)
-				{
-					this->certs->insert_last(this->certs, cert);
-				}
-				break;
-			}
-			case PKCS7_SIGNER_INFO:
-				signerInfos++;
-				DBG2(DBG_LIB, "  signer #%d", signerInfos);
-				break;
-			case PKCS7_SIGNER_INFO_VERSION:
-				version = object.len ? (int)*object.ptr : 0;
-				DBG2(DBG_LIB, "  v%d", version);
-				break;
-			case PKCS7_SIGNED_ISSUER:
-			{
-				identification_t *issuer;
-
-				issuer = identification_create_from_encoding(ID_DER_ASN1_DN, object);
-				DBG2(DBG_LIB, "  '%Y'", issuer);
-				issuer->destroy(issuer);
-				break;
-			}
-			case PKCS7_AUTH_ATTRIBUTES:
-				*object.ptr = ASN1_SET;
-				this->attributes = pkcs9_create_from_chunk(object, level+1);
-				*object.ptr = ASN1_CONTEXT_C_0;
-				break;
-			case PKCS7_DIGEST_ALGORITHM:
-				digest_alg = asn1_parse_algorithmIdentifier(object, level, NULL);
-				break;
-			case PKCS7_DIGEST_ENC_ALGORITHM:
-				enc_alg = asn1_parse_algorithmIdentifier(object, level, NULL);
-				break;
-			case PKCS7_ENCRYPTED_DIGEST:
-				encrypted_digest = object;
-		}
-	}
-	success = parser->success(parser);
-
-end:
-	parser->destroy(parser);
-	if (!success)
-	{
-		return FALSE;
-	}
-
-	/* check the signature only if a cacert is available */
-	if (cacert != NULL)
-	{
-		signature_scheme_t scheme;
-		public_key_t *key;
-
-		scheme = signature_scheme_from_oid(digest_alg);
-		if (scheme == SIGN_UNKNOWN)
-		{
-			DBG1(DBG_LIB, "unsupported signature scheme");
-			return FALSE;
-		}
-		if (signerInfos == 0)
-		{
-			DBG1(DBG_LIB, "no signerInfo object found");
-			return FALSE;
-		}
-		else if (signerInfos > 1)
-		{
-			DBG1(DBG_LIB, "more than one signerInfo object found");
-			return FALSE;
-		}
-		if (this->attributes == NULL)
-		{
-			DBG1(DBG_LIB, "no authenticatedAttributes object found");
-			return FALSE;
-		}
-		if (enc_alg != OID_RSA_ENCRYPTION)
-		{
-			DBG1(DBG_LIB, "only RSA digest encryption supported");
-			return FALSE;
-		}
-
-		/* verify the signature */
-		key = cacert->get_public_key(cacert);
-		if (key == NULL)
-		{
-			DBG1(DBG_LIB, "no public key found in CA certificate");
-			return FALSE;
-		}
-		if (key->verify(key, scheme,
-			this->attributes->get_encoding(this->attributes), encrypted_digest))
-		{
-			DBG2(DBG_LIB, "signature is valid");
-		}
-		else
-		{
-			DBG1(DBG_LIB, "invalid signature");
-			key->destroy(key);
-			return FALSE;
-		}
-		key->destroy(key);
-
-		if (this->data.ptr != NULL)
-		{
-			chunk_t messageDigest;
-
-			messageDigest = this->attributes->get_attribute(this->attributes,
-													OID_PKCS9_MESSAGE_DIGEST);
-			if (messageDigest.ptr == NULL)
-			{
-				DBG1(DBG_LIB, "messageDigest attribute not found");
-				return FALSE;
-			}
-			else
-			{
-				hash_algorithm_t algorithm;
-				hasher_t *hasher;
-				chunk_t hash;
-				bool valid;
-
-				algorithm = hasher_algorithm_from_oid(digest_alg);
-				hasher = lib->crypto->create_hasher(lib->crypto, algorithm);
-				if (!hasher || !hasher->allocate_hash(hasher, this->data, &hash))
-				{
-					DESTROY_IF(hasher);
-					DBG1(DBG_LIB, "hash algorithm %N not supported",
-						 hash_algorithm_names, algorithm);
-					return FALSE;
-				}
-				hasher->destroy(hasher);
-				DBG3(DBG_LIB, "hash: %B", &hash);
-
-				valid = chunk_equals(messageDigest, hash);
-				free(hash.ptr);
-				if (valid)
-				{
-					DBG2(DBG_LIB, "messageDigest is valid");
-				}
-				else
-				{
-					DBG1(DBG_LIB, "invalid messageDigest");
-					return FALSE;
-				}
-			}
-		}
-	}
-	return TRUE;
-}
-
-/**
- * ASN.1 definition of the PKCS#7 envelopedData type
- */
-static const asn1Object_t envelopedDataObjects[] = {
-	{ 0, "envelopedData",					ASN1_SEQUENCE,		ASN1_NONE }, /*  0 */
-	{ 1,   "version",						ASN1_INTEGER, 		ASN1_BODY }, /*  1 */
-	{ 1,   "recipientInfos",				ASN1_SET,    		ASN1_LOOP }, /*  2 */
-	{ 2,     "recipientInfo",				ASN1_SEQUENCE, 		ASN1_BODY }, /*  3 */
-	{ 3,       "version",					ASN1_INTEGER, 		ASN1_BODY }, /*  4 */
-	{ 3,       "issuerAndSerialNumber",		ASN1_SEQUENCE,		ASN1_BODY }, /*  5 */
-	{ 4,         "issuer",					ASN1_SEQUENCE,		ASN1_OBJ  }, /*  6 */
-	{ 4,         "serial",					ASN1_INTEGER,		ASN1_BODY }, /*  7 */
-	{ 3,       "encryptionAlgorithm",		ASN1_EOC,			ASN1_RAW  }, /*  8 */
-	{ 3,       "encryptedKey",				ASN1_OCTET_STRING,	ASN1_BODY }, /*  9 */
-	{ 1,   "end loop",						ASN1_EOC,			ASN1_END  }, /* 10 */
-	{ 1,   "encryptedContentInfo",			ASN1_SEQUENCE,		ASN1_OBJ  }, /* 11 */
-	{ 2,     "contentType",					ASN1_OID,			ASN1_BODY }, /* 12 */
-	{ 2,     "contentEncryptionAlgorithm",	ASN1_EOC,			ASN1_RAW  }, /* 13 */
-	{ 2,     "encryptedContent",			ASN1_CONTEXT_S_0, 	ASN1_BODY }, /* 14 */
-	{ 0, "exit",							ASN1_EOC,			ASN1_EXIT }
-};
-#define PKCS7_ENVELOPED_VERSION			 1
-#define PKCS7_RECIPIENT_INFO_VERSION	 4
-#define PKCS7_ISSUER					 6
-#define PKCS7_SERIAL_NUMBER				 7
-#define PKCS7_ENCRYPTION_ALG			 8
-#define PKCS7_ENCRYPTED_KEY				 9
-#define PKCS7_CONTENT_TYPE				12
-#define PKCS7_CONTENT_ENC_ALGORITHM		13
-#define PKCS7_ENCRYPTED_CONTENT			14
-
-METHOD(pkcs7_t, parse_envelopedData, bool,
-	private_pkcs7_t *this, chunk_t serialNumber, private_key_t *key)
-{
-	asn1_parser_t *parser;
-	chunk_t object;
-	int objectID, version;
-	bool success = FALSE;
-
-	chunk_t iv                = chunk_empty;
-	chunk_t symmetric_key     = chunk_empty;
-	chunk_t encrypted_content = chunk_empty;
-
-	crypter_t *crypter = NULL;
-
-	if (!parse_contentInfo(this) ||
-		 abort_parsing(this, OID_PKCS7_ENVELOPED_DATA))
-	{
-		return FALSE;
-	}
-
-	parser = asn1_parser_create(envelopedDataObjects, this->content);
-	parser->set_top_level(parser, this->level);
-
-	while (parser->iterate(parser, &objectID, &object))
-	{
-		u_int level = parser->get_level(parser);
-
-		switch (objectID)
-		{
-			case PKCS7_ENVELOPED_VERSION:
-			{
-				version = object.len ? (int)*object.ptr : 0;
-				DBG2(DBG_LIB, "  v%d", version);
-				if (version != 0)
-				{
-					DBG1(DBG_LIB, "envelopedData version is not 0");
-					goto end;
-				}
-				break;
-			}
-			case PKCS7_RECIPIENT_INFO_VERSION:
-			{
-				version = object.len ? (int)*object.ptr : 0;
-				DBG2(DBG_LIB, "  v%d", version);
-				if (version != 0)
-				{
-					DBG1(DBG_LIB, "recipient info version is not 0");
-					goto end;
-				}
-				break;
-			}
-			case PKCS7_ISSUER:
-			{
-				identification_t *issuer;
-
-				issuer = identification_create_from_encoding(ID_DER_ASN1_DN,
-															 object);
-				DBG2(DBG_LIB, "  '%Y'", issuer);
-				issuer->destroy(issuer);
-				break;
-			}
-			case PKCS7_SERIAL_NUMBER:
-			{
-				if (!chunk_equals(serialNumber, object))
-				{
-					DBG1(DBG_LIB, "serial numbers do not match");
-					goto end;
-				}
-				break;
-			}
-			case PKCS7_ENCRYPTION_ALG:
-			{
-				int alg;
-
-				alg = asn1_parse_algorithmIdentifier(object, level, NULL);
-				if (alg != OID_RSA_ENCRYPTION)
-				{
-					DBG1(DBG_LIB, "only rsa encryption supported");
-					goto end;
-				}
-				break;
-			}
-			case PKCS7_ENCRYPTED_KEY:
-			{
-				if (!key->decrypt(key, ENCRYPT_RSA_PKCS1, object, &symmetric_key))
-				{
-					DBG1(DBG_LIB, "symmetric key could not be decrypted with rsa");
-					goto end;
-				}
-				DBG4(DBG_LIB, "symmetric key %B", &symmetric_key);
-				break;
-			}
-			case PKCS7_CONTENT_TYPE:
-			{
-				if (asn1_known_oid(object) != OID_PKCS7_DATA)
-				{
-					DBG1(DBG_LIB, "encrypted content not of type pkcs7 data");
-					goto end;
-				}
-				break;
-			}
-			case PKCS7_CONTENT_ENC_ALGORITHM:
-			{
-				encryption_algorithm_t enc_alg;
-				size_t key_size;
-				int alg;
-
-				alg = asn1_parse_algorithmIdentifier(object, level, &iv);
-				enc_alg = encryption_algorithm_from_oid(alg, &key_size);
-				if (enc_alg == ENCR_UNDEFINED)
-				{
-					DBG1(DBG_LIB, "unsupported content encryption algorithm");
-					goto end;
-				}
-				crypter = lib->crypto->create_crypter(lib->crypto, enc_alg,
-													  key_size);
-				if (crypter == NULL)
-				{
-					DBG1(DBG_LIB, "crypter %N not available",
-						 encryption_algorithm_names, enc_alg);
-					goto end;
-				}
-				if (symmetric_key.len != crypter->get_key_size(crypter))
-				{
-					DBG1(DBG_LIB, "symmetric key length %d is wrong",
-						 symmetric_key.len);
-					goto end;
-				}
-				if (!asn1_parse_simple_object(&iv, ASN1_OCTET_STRING,
-											  level + 1, "IV"))
-				{
-					DBG1(DBG_LIB, "IV could not be parsed");
-					goto end;
-				}
-				if (iv.len != crypter->get_iv_size(crypter))
-				{
-					DBG1(DBG_LIB, "IV length %d is wrong", iv.len);
-					goto end;
-				}
-				break;
-			}
-			case PKCS7_ENCRYPTED_CONTENT:
-			{
-				encrypted_content = object;
-				break;
-			}
-		}
-	}
-	success = parser->success(parser);
-
-end:
-	parser->destroy(parser);
-	if (!success)
-	{
-		goto failed;
-	}
-	success = FALSE;
-
-	/* decrypt the content */
-	if (!crypter->set_key(crypter, symmetric_key) ||
-		!crypter->decrypt(crypter, encrypted_content, iv, &this->data))
-	{
-		success = FALSE;
-		goto failed;
-	}
-	DBG4(DBG_LIB, "decrypted content with padding: %B", &this->data);
-
-	/* remove the padding */
-	{
-		u_char *pos = this->data.ptr + this->data.len - 1;
-		u_char pattern = *pos;
-		size_t padding = pattern;
-
-		if (padding > this->data.len)
-		{
-			DBG1(DBG_LIB, "padding greater than data length");
-			goto failed;
-		}
-		this->data.len -= padding;
-
-		while (padding-- > 0)
-		{
-			if (*pos-- != pattern)
-			{
-				DBG1(DBG_LIB, "wrong padding pattern");
-				goto failed;
-			}
-		}
-	}
-	success = TRUE;
-
-failed:
-	DESTROY_IF(crypter);
-	chunk_clear(&symmetric_key);
-	if (!success)
-	{
-		chunk_free(&this->data);
-	}
-	return success;
-}
-
-METHOD(pkcs7_t, get_data, chunk_t,
-	private_pkcs7_t *this)
-{
-	return this->data;
-}
-
-METHOD(pkcs7_t, get_contentInfo, chunk_t,
-	private_pkcs7_t *this)
-{
-	chunk_t content_type;
-
-	/* create DER-encoded OID for pkcs7_contentInfo type */
-	switch(this->type)
-	{
-		case OID_PKCS7_DATA:
-		case OID_PKCS7_SIGNED_DATA:
-		case OID_PKCS7_ENVELOPED_DATA:
-		case OID_PKCS7_SIGNED_ENVELOPED_DATA:
-		case OID_PKCS7_DIGESTED_DATA:
-		case OID_PKCS7_ENCRYPTED_DATA:
-			content_type = asn1_build_known_oid(this->type);
-			break;
-		case OID_UNKNOWN:
-		default:
-			DBG1(DBG_LIB, "invalid pkcs7 contentInfo type");
-			return chunk_empty;
-	}
-
-	return this->content.ptr == NULL
-				? asn1_wrap(ASN1_SEQUENCE, "m", content_type)
-				: asn1_wrap(ASN1_SEQUENCE, "mm", content_type,
-					asn1_simple_object(ASN1_CONTEXT_C_0, this->content));
-}
-
-METHOD(pkcs7_t, create_certificate_enumerator, enumerator_t*,
-	private_pkcs7_t *this)
-{
-	return this->certs->create_enumerator(this->certs);
-}
-
-METHOD(pkcs7_t, set_certificate, void,
-	private_pkcs7_t *this, certificate_t *cert)
-{
-	if (cert)
-	{
-		this->certs->insert_last(this->certs, cert);
-	}
-}
-
-METHOD(pkcs7_t, set_attributes, void,
-	private_pkcs7_t *this, pkcs9_t *attributes)
-{
-	this->attributes = attributes;
-}
-
-METHOD(pkcs7_t, get_attributes, pkcs9_t*,
-	private_pkcs7_t *this)
-{
-	return this->attributes;
-}
-
-/**
- * build a DER-encoded issuerAndSerialNumber object
- */
-chunk_t pkcs7_build_issuerAndSerialNumber(certificate_t *cert)
-{
-	identification_t *issuer = cert->get_issuer(cert);
-	chunk_t serial = chunk_empty;
-
-	if (cert->get_type(cert) == CERT_X509)
-	{
-		x509_t *x509 = (x509_t*)cert;
-		serial = x509->get_serial(x509);
-	}
-
-	return asn1_wrap(ASN1_SEQUENCE, "cm",
-					 issuer->get_encoding(issuer),
-					 asn1_integer("c", serial));
-}
-
-METHOD(pkcs7_t, build_envelopedData, bool,
-	private_pkcs7_t *this, certificate_t *cert, encryption_algorithm_t alg,
-	size_t key_size)
-{
-	chunk_t iv, symmetricKey, protectedKey, in, out;
-	crypter_t *crypter;
-	int alg_oid;
-
-	/* select OID of symmetric encryption algorithm */
-	alg_oid = encryption_algorithm_to_oid(alg, key_size);
-	if (alg_oid == OID_UNKNOWN)
-	{
-		DBG1(DBG_LIB, "  encryption algorithm %N not supported",
-			 encryption_algorithm_names, alg);
-		return FALSE;
-	}
-	crypter = lib->crypto->create_crypter(lib->crypto, alg, key_size / 8);
-	if (crypter == NULL)
-	{
-		DBG1(DBG_LIB, "  could not create crypter for algorithm %N",
-			 encryption_algorithm_names, alg);
-		return FALSE;
-	}
-
-	/* generate a true random symmetric encryption key
-	 * and a pseudo-random iv
-	 */
-	{
-		rng_t *rng;
-
-		rng = lib->crypto->create_rng(lib->crypto, RNG_TRUE);
-		if (!rng || !rng->allocate_bytes(rng, crypter->get_key_size(crypter),
-										 &symmetricKey))
-		{
-			DBG1(DBG_LIB, "  failed to allocate symmetric encryption key");
-			DESTROY_IF(rng);
-			return FALSE;
-		}
-		DBG4(DBG_LIB, "  symmetric encryption key: %B", &symmetricKey);
-		rng->destroy(rng);
-
-		rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
-		if (!rng || !rng->allocate_bytes(rng, crypter->get_iv_size(crypter),
-										 &iv))
-		{
-			DBG1(DBG_LIB, "  failed to allocate initialization vector");
-			DESTROY_IF(rng);
-			return FALSE;
-		}
-		DBG4(DBG_LIB, "  initialization vector: %B", &iv);
-		rng->destroy(rng);
-	}
-
-	/* pad the data so that the total length becomes
-	 * a multiple of the block size
-	 */
-	{
-		size_t block_size = crypter->get_block_size(crypter);
-		size_t padding = block_size - this->data.len % block_size;
-
-		in.len = this->data.len + padding;
-		in.ptr = malloc(in.len);
-
-		DBG2(DBG_LIB, "  padding %d bytes of data to multiple block size of %d bytes",
-			(int)this->data.len, (int)in.len);
-
-		/* copy data */
-		memcpy(in.ptr, this->data.ptr, this->data.len);
-		/* append padding */
-		memset(in.ptr + this->data.len, padding, padding);
-	}
-	DBG3(DBG_LIB, "  padded unencrypted data: %B", &in);
-
-	/* symmetric encryption of data object */
-	if (!crypter->set_key(crypter, symmetricKey) ||
-		!crypter->encrypt(crypter, in, iv, &out))
-	{
-		crypter->destroy(crypter);
-		chunk_clear(&in);
-		chunk_clear(&symmetricKey);
-		chunk_free(&iv);
-		return FALSE;
-	}
-	crypter->destroy(crypter);
-	chunk_clear(&in);
-	DBG3(DBG_LIB, "  encrypted data: %B", &out);
-
-	/* protect symmetric key by public key encryption */
-	{
-		public_key_t *key = cert->get_public_key(cert);
-
-		if (key == NULL)
-		{
-			DBG1(DBG_LIB, "  public key not found in encryption certificate");
-			chunk_clear(&symmetricKey);
-			chunk_free(&iv);
-			chunk_free(&out);
-			return FALSE;
-		}
-		key->encrypt(key, ENCRYPT_RSA_PKCS1, symmetricKey, &protectedKey);
-		key->destroy(key);
-		chunk_clear(&symmetricKey);
-	}
-
-	/* build pkcs7 enveloped data object */
-	{
-		chunk_t contentEncryptionAlgorithm = asn1_wrap(ASN1_SEQUENCE, "mm",
-					asn1_build_known_oid(alg_oid),
-					asn1_wrap(ASN1_OCTET_STRING, "m", iv));
-
-		chunk_t encryptedContentInfo = asn1_wrap(ASN1_SEQUENCE, "mmm",
-					asn1_build_known_oid(OID_PKCS7_DATA),
-					contentEncryptionAlgorithm,
-					asn1_wrap(ASN1_CONTEXT_S_0, "m", out));
-
-		chunk_t encryptedKey = asn1_wrap(ASN1_OCTET_STRING, "m", protectedKey);
-
-		chunk_t recipientInfo = asn1_wrap(ASN1_SEQUENCE, "cmmm",
-					ASN1_INTEGER_0,
-					pkcs7_build_issuerAndSerialNumber(cert),
-					asn1_algorithmIdentifier(OID_RSA_ENCRYPTION),
-					encryptedKey);
-
-		this->content = asn1_wrap(ASN1_SEQUENCE, "cmm",
-					ASN1_INTEGER_0,
-					asn1_wrap(ASN1_SET, "m", recipientInfo),
-					encryptedContentInfo);
-		chunk_free(&this->data);
-		this->type = OID_PKCS7_ENVELOPED_DATA;
-		this->data = get_contentInfo(this);
-	}
-	return TRUE;
-}
-
-METHOD(pkcs7_t, build_signedData, bool,
-	private_pkcs7_t *this, private_key_t *private_key, hash_algorithm_t alg)
-{
-	chunk_t authenticatedAttributes = chunk_empty;
-	chunk_t encryptedDigest = chunk_empty;
-	chunk_t signerInfo, encoding = chunk_empty;
-	signature_scheme_t scheme;
-	int digest_oid;
-	certificate_t *cert;
-
-	if (this->certs->get_first(this->certs, (void**)&cert) != SUCCESS)
-	{
-		DBG1(DBG_LIB, "  no pkcs7 signer certificate found");
-		return FALSE;
-	}
-	digest_oid = hasher_algorithm_to_oid(alg);
-	scheme = signature_scheme_from_oid(digest_oid);
-
-	if (this->attributes != NULL)
-	{
-		if (this->data.ptr != NULL)
-		{
-			chunk_t messageDigest, signingTime, attributes;
-			hasher_t *hasher;
-			time_t now;
-
-			hasher = lib->crypto->create_hasher(lib->crypto, alg);
-			if (!hasher ||
-				!hasher->allocate_hash(hasher, this->data, &messageDigest))
-			{
-				DESTROY_IF(hasher);
-				DBG1(DBG_LIB, "  hash algorithm %N not support",
-					 hash_algorithm_names, alg);
-				return FALSE;
-			}
-			hasher->destroy(hasher);
-			this->attributes->set_attribute(this->attributes,
-									OID_PKCS9_MESSAGE_DIGEST,
-									messageDigest);
-			free(messageDigest.ptr);
-
-			/* take the current time as signingTime */
-			now = time(NULL);
-			signingTime = asn1_from_time(&now, ASN1_UTCTIME);
-			this->attributes->set_attribute_raw(this->attributes,
-									OID_PKCS9_SIGNING_TIME, signingTime);
-			this->attributes->set_attribute_raw(this->attributes,
-									OID_PKCS9_CONTENT_TYPE,
-									asn1_build_known_oid(OID_PKCS7_DATA));
-
-			attributes = this->attributes->get_encoding(this->attributes);
-
-			private_key->sign(private_key, scheme, attributes, &encryptedDigest);
-			authenticatedAttributes = chunk_clone(attributes);
-			*authenticatedAttributes.ptr = ASN1_CONTEXT_C_0;
-		}
-	}
-	else if (this->data.ptr != NULL)
-	{
-		private_key->sign(private_key, scheme, this->data, &encryptedDigest);
-	}
-	if (encryptedDigest.ptr)
-	{
-		encryptedDigest = asn1_wrap(ASN1_OCTET_STRING, "m", encryptedDigest);
-	}
-	signerInfo = asn1_wrap(ASN1_SEQUENCE, "cmmmmm",
-					ASN1_INTEGER_1,
-					pkcs7_build_issuerAndSerialNumber(cert),
-					asn1_algorithmIdentifier(digest_oid),
-					authenticatedAttributes,
-					asn1_algorithmIdentifier(OID_RSA_ENCRYPTION),
-					encryptedDigest);
-
-	if (this->data.ptr != NULL)
-	{
-		chunk_free(&this->content);
-		this->content = asn1_simple_object(ASN1_OCTET_STRING, this->data);
-		chunk_free(&this->data);
-	}
-	this->type = OID_PKCS7_DATA;
-	this->data = get_contentInfo(this);
-	chunk_free(&this->content);
-
-	cert->get_encoding(cert, CERT_ASN1_DER, &encoding);
-
-	this->content = asn1_wrap(ASN1_SEQUENCE, "cmcmm",
-			ASN1_INTEGER_1,
-			asn1_wrap(ASN1_SET, "m", asn1_algorithmIdentifier(digest_oid)),
-			this->data,
-			asn1_wrap(ASN1_CONTEXT_C_0, "m", encoding),
-			asn1_wrap(ASN1_SET, "m", signerInfo));
-	chunk_free(&this->data);
-	this->type = OID_PKCS7_SIGNED_DATA;
-	this->data = get_contentInfo(this);
-
-	return TRUE;
-}
-
-METHOD(pkcs7_t, destroy, void,
-	private_pkcs7_t *this)
-{
-	DESTROY_IF(this->attributes);
-	this->certs->destroy_offset(this->certs, offsetof(certificate_t, destroy));
-	free(this->content.ptr);
-	free(this->data.ptr);
-	free(this);
-}
-
-/**
- * Generic private constructor
- */
-static private_pkcs7_t *pkcs7_create_empty(void)
-{
-	private_pkcs7_t *this;
-
-	INIT(this,
-		.public = {
-			.is_data = _is_data,
-			.is_signedData = _is_signedData,
-			.is_envelopedData = _is_envelopedData,
-			.parse_data = _parse_data,
-			.parse_signedData = _parse_signedData,
-			.parse_envelopedData = _parse_envelopedData,
-			.get_data = _get_data,
-			.get_contentInfo = _get_contentInfo,
-			.create_certificate_enumerator = _create_certificate_enumerator,
-			.set_certificate = _set_certificate,
-			.set_attributes = _set_attributes,
-			.get_attributes = _get_attributes,
-			.build_envelopedData = _build_envelopedData,
-			.build_signedData = _build_signedData,
-			.destroy = _destroy,
-		},
-		.type = OID_UNKNOWN,
-		.certs = linked_list_create(),
-	);
-
-	return this;
-}
-
-/*
- * Described in header.
- */
-pkcs7_t *pkcs7_create_from_chunk(chunk_t chunk, u_int level)
-{
-	private_pkcs7_t *this = pkcs7_create_empty();
-
-	this->level = level;
-	this->data = chunk_clone(chunk);
-
-	return &this->public;
-}
-
-/*
- * Described in header.
- */
-pkcs7_t *pkcs7_create_from_data(chunk_t data)
-{
-	private_pkcs7_t *this = pkcs7_create_empty();
-
-	this->data = chunk_clone(data);
-
-	return &this->public;
-}
-
diff --git a/src/libstrongswan/crypto/pkcs7.h b/src/libstrongswan/crypto/pkcs7.h
deleted file mode 100644
index 7c9a6b037..000000000
--- a/src/libstrongswan/crypto/pkcs7.h
+++ /dev/null
@@ -1,178 +0,0 @@
-/*
- * Copyright (C) 2005 Jan Hutter, Martin Willi
- * Copyright (C) 2002-2008 Andreas Steffen
- * Hochschule fuer Technik Rapperswil, Switzerland
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup pkcs7 pkcs7
- * @{ @ingroup crypto
- */
-
-#ifndef PKCS7_H_
-#define PKCS7_H_
-
-typedef struct pkcs7_t pkcs7_t;
-
-#include <library.h>
-#include <credentials/keys/private_key.h>
-#include <crypto/pkcs9.h>
-#include <crypto/crypters/crypter.h>
-#include <utils/enumerator.h>
-
-/**
- * PKCS#7 contentInfo object.
- */
-struct pkcs7_t {
-
-	/**
-	 * Check if the PKCS#7 contentType is data
-	 *
-	 * @return				TRUE if the contentType is data
-	 */
-	bool (*is_data) (pkcs7_t *this);
-
-	/**
-	 * Check if the PKCS#7 contentType is signedData
-	 *
-	 * @return				TRUE if the contentType is signedData
-	 */
-	bool (*is_signedData) (pkcs7_t *this);
-
-	/**
-	 * Check if the PKCS#7 contentType is envelopedData
-	 *
-	 * @return				TRUE if the contentType is envelopedData
-	 */
-	bool (*is_envelopedData) (pkcs7_t *this);
-
-	/**
-	 * Parse a PKCS#7 data content.
-	 *
-	 * @return				TRUE if parsing was successful
-	 */
-	bool (*parse_data) (pkcs7_t *this);
-
-	/**
-	 * Parse a PKCS#7 signedData content.  The contained PKCS#7 data is parsed
-	 * and verified.
-	 *
-	 * @param cacert		cacert used to verify the signature
-	 * @return				TRUE if parsing was successful
-	 */
-	bool (*parse_signedData) (pkcs7_t *this, certificate_t *cacert);
-
-	/**
-	 * Parse a PKCS#7 envelopedData content.
-	 *
-	 * @param serialNumber	serialNumber of the request
-	 * @param key			private key used to decrypt the symmetric key
-	 * @return				TRUE if parsing was successful
-	 */
-	bool (*parse_envelopedData) (pkcs7_t *this, chunk_t serialNumber,
-								 private_key_t *key);
-
-	/**
-	 * Returns the parsed data object
-	 *
-	 * @return				chunk containing the data object
-	 */
-	chunk_t (*get_data) (pkcs7_t *this);
-
-	/**
-	 * Returns the a DER-encoded contentInfo object
-	 *
-	 * @return				chunk containing the contentInfo object
-	 */
-	chunk_t (*get_contentInfo) (pkcs7_t *this);
-
-	/**
-	 * Create an enumerator for the certificates.
-	 *
-	 * @return				enumerator for the certificates
-	 */
-	enumerator_t *(*create_certificate_enumerator) (pkcs7_t *this);
-
-	/**
-	 * Add a certificate.
-	 *
-	 * @param cert			certificate to be included (gets adopted)
-	 */
-	void (*set_certificate) (pkcs7_t *this, certificate_t *cert);
-
-	/**
-	 * Add authenticated attributes.
-	 *
-	 * @param attributes	attributes to be included (gets adopted)
-	 */
-	void (*set_attributes) (pkcs7_t *this, pkcs9_t *attributes);
-
-	/**
-	 * Get attributes.
-	 *
-	 * @return				attributes (internal data)
-	 */
-	pkcs9_t *(*get_attributes) (pkcs7_t *this);
-
-	/**
-	 * Build a data object
-	 *
-	 * @return				TRUE if build was successful
-	 */
-	bool (*build_data) (pkcs7_t *this);
-
-	/**
-	 * Build an envelopedData object
-	 *
-	 * @param cert			receivers's certificate
-	 * @param alg			encryption algorithm
-	 * @param key_size		key size to use
-	 * @return				TRUE if build was successful
-	 */
-	bool (*build_envelopedData) (pkcs7_t *this, certificate_t *cert,
-								 encryption_algorithm_t alg, size_t key_size);
-
-	/**
-	 * Build an signedData object
-	 *
-	 * @param key			signer's private key
-	 * @param alg			digest algorithm used for signature
-	 * @return				TRUE if build was successful
-	 */
-	bool (*build_signedData) (pkcs7_t *this, private_key_t *key,
-							  hash_algorithm_t alg);
-
-	/**
-	 * Destroys the contentInfo object.
-	 */
-	void (*destroy) (pkcs7_t *this);
-};
-
-/**
- * Read a PKCS#7 contentInfo object from a DER encoded chunk.
- *
- * @param chunk		chunk containing DER encoded data
- * @param level		ASN.1 parsing start level
- * @return			created pkcs7_contentInfo object, or NULL if invalid.
- */
-pkcs7_t *pkcs7_create_from_chunk(chunk_t chunk, u_int level);
-
-/**
- * Create a PKCS#7 contentInfo object
- *
- * @param data			chunk containing data
- * @return				created pkcs7_contentInfo object.
- */
-pkcs7_t *pkcs7_create_from_data(chunk_t data);
-
-#endif /** PKCS7_H_ @}*/
diff --git a/src/libstrongswan/crypto/pkcs9.c b/src/libstrongswan/crypto/pkcs9.c
deleted file mode 100644
index d24ab1b80..000000000
--- a/src/libstrongswan/crypto/pkcs9.c
+++ /dev/null
@@ -1,369 +0,0 @@
-/*
- * Copyright (C) 2012 Tobias Brunner
- * Copyright (C) 2008 Andreas Steffen
- * Hochschule fuer Technik Rapperswil, Switzerland
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include <library.h>
-#include <debug.h>
-
-#include <asn1/oid.h>
-#include <asn1/asn1.h>
-#include <asn1/asn1_parser.h>
-#include <utils/linked_list.h>
-
-#include "pkcs9.h"
-
-typedef struct private_pkcs9_t private_pkcs9_t;
-
-/**
- * Private data of a pkcs9_t attribute list.
- */
-struct private_pkcs9_t {
-	/**
-	 * Public interface
-	 */
-	pkcs9_t public;
-
-	/**
-	 * DER encoding of PKCS#9 attributes
-	 */
-	chunk_t encoding;
-
-	/**
-	 * Linked list of PKCS#9 attributes
-	 */
-	linked_list_t *attributes;
-};
-
-typedef struct attribute_t attribute_t;
-
-/**
- * Definition of an attribute_t object.
- */
-struct attribute_t {
-	/**
-	 * Object Identifier (OID)
-	 */
-	int oid;
-
-	/**
-	 * Attribute value
-	 */
-	chunk_t value;
-
-	/**
-	 * ASN.1 encoding
-	 */
-	chunk_t encoding;
-
-	/**
-	 * Destroys the attribute.
-	 */
-	void (*destroy) (attribute_t *this);
-
-};
-
-/**
- * return the ASN.1 encoding of a PKCS#9 attribute
- */
-static asn1_t asn1_attributeType(int oid)
-{
-	asn1_t type;
-
-	switch (oid)
-	{
-		case OID_PKCS9_CONTENT_TYPE:
-			type = ASN1_OID;
-			break;
-		case OID_PKCS9_SIGNING_TIME:
-			type = ASN1_UTCTIME;
-			break;
-		case OID_PKCS9_MESSAGE_DIGEST:
-			type = ASN1_OCTET_STRING;
-			break;
-		case OID_PKI_MESSAGE_TYPE:
-			type = ASN1_PRINTABLESTRING;
-			break;
-		case OID_PKI_STATUS:
-			type = ASN1_PRINTABLESTRING;
-			break;
-		case OID_PKI_FAIL_INFO:
-			type = ASN1_PRINTABLESTRING;
-			break;
-		case OID_PKI_SENDER_NONCE:
-			type = ASN1_OCTET_STRING;
-			break;
-		case OID_PKI_RECIPIENT_NONCE:
-			type = ASN1_OCTET_STRING;
-			break;
-		case OID_PKI_TRANS_ID:
-			type = ASN1_PRINTABLESTRING;
-			break;
-		default:
-			type = ASN1_EOC;
-	}
-	return type;
-}
-
-/**
- * Destroy an attribute_t object.
- */
-static void attribute_destroy(attribute_t *this)
-{
-	free(this->value.ptr);
-	free(this->encoding.ptr);
-	free(this);
-}
-
-/**
- * Create an attribute_t object.
- */
-static attribute_t *attribute_create(int oid, chunk_t value)
-{
-	attribute_t *this;
-
-	INIT(this,
-		.destroy = attribute_destroy,
-		.oid = oid,
-		.value = chunk_clone(value),
-		.encoding = asn1_wrap(ASN1_SEQUENCE, "mm",
-							asn1_build_known_oid(oid),
-							asn1_simple_object(ASN1_SET, value)),
-	);
-
-	return this;
-}
-
-METHOD(pkcs9_t, build_encoding, void,
-	private_pkcs9_t *this)
-{
-	enumerator_t *enumerator;
-	attribute_t *attribute;
-	u_int attributes_len = 0;
-
-	if (this->encoding.ptr)
-	{
-		chunk_free(&this->encoding);
-	}
-	if (this->attributes->get_count(this->attributes) == 0)
-	{
-		return;
-	}
-
-	/* compute the total length of the encoded attributes */
-	enumerator = this->attributes->create_enumerator(this->attributes);
-
-	while (enumerator->enumerate(enumerator, (void**)&attribute))
-	{
-		attributes_len += attribute->encoding.len;
-	}
-	enumerator->destroy(enumerator);
-
-	/* allocate memory for the attributes and build the encoding */
-	{
-		u_char *pos = asn1_build_object(&this->encoding, ASN1_SET, attributes_len);
-
-		enumerator = this->attributes->create_enumerator(this->attributes);
-
-		while (enumerator->enumerate(enumerator, (void**)&attribute))
-		{
-			memcpy(pos, attribute->encoding.ptr, attribute->encoding.len);
-			pos += attribute->encoding.len;
-		}
-		enumerator->destroy(enumerator);
-	}
-}
-
-METHOD(pkcs9_t, get_encoding, chunk_t,
-	private_pkcs9_t *this)
-{
-	if (this->encoding.ptr == NULL)
-	{
-		build_encoding(this);
-	}
-	return this->encoding;
-}
-
-METHOD(pkcs9_t, get_attribute, chunk_t,
-	private_pkcs9_t *this, int oid)
-{
-	enumerator_t *enumerator;
-	chunk_t value = chunk_empty;
-	attribute_t *attribute;
-
-	enumerator = this->attributes->create_enumerator(this->attributes);
-	while (enumerator->enumerate(enumerator, (void**)&attribute))
-	{
-		if (attribute->oid == oid)
-		{
-			value = attribute->value;
-			break;
-		}
-	}
-	enumerator->destroy(enumerator);
-	if (value.ptr &&
-		!asn1_parse_simple_object(&value, asn1_attributeType(oid), 0,
-								  oid_names[oid].name))
-	{
-		return chunk_empty;
-	}
-	return value;
-}
-
-METHOD(pkcs9_t, set_attribute_raw, void,
-	private_pkcs9_t *this, int oid, chunk_t value)
-{
-	attribute_t *attribute = attribute_create(oid, value);
-
-	this->attributes->insert_last(this->attributes, attribute);
-	chunk_free(&value);
-}
-
-METHOD(pkcs9_t, set_attribute, void,
-	private_pkcs9_t *this, int oid, chunk_t value)
-{
-	chunk_t attr = asn1_simple_object(asn1_attributeType(oid), value);
-
-	set_attribute_raw(this, oid, attr);
-}
-
-METHOD(pkcs9_t, destroy, void,
-	private_pkcs9_t *this)
-{
-	this->attributes->destroy_offset(this->attributes, offsetof(attribute_t, destroy));
-	free(this->encoding.ptr);
-	free(this);
-}
-
-/**
- * Generic private constructor
- */
-static private_pkcs9_t *pkcs9_create_empty(void)
-{
-	private_pkcs9_t *this;
-
-	INIT(this,
-		.public = {
-			.build_encoding = _build_encoding,
-			.get_encoding = _get_encoding,
-			.get_attribute = _get_attribute,
-			.set_attribute = _set_attribute,
-			.set_attribute_raw = _set_attribute_raw,
-			.destroy = _destroy,
-		},
-		.attributes = linked_list_create(),
-	);
-
-	return this;
-}
-
-/*
- * Described in header.
- */
-pkcs9_t *pkcs9_create(void)
-{
-	private_pkcs9_t *this = pkcs9_create_empty();
-
-	return &this->public;
-}
-
-/**
- * ASN.1 definition of the X.501 atttribute type
- */
-static const asn1Object_t attributesObjects[] = {
-	{ 0, "attributes",		ASN1_SET,		ASN1_LOOP }, /* 0 */
-	{ 1,   "attribute",		ASN1_SEQUENCE,	ASN1_NONE }, /* 1 */
-	{ 2,     "type",		ASN1_OID,		ASN1_BODY }, /* 2 */
-	{ 2,     "values",		ASN1_SET,		ASN1_LOOP }, /* 3 */
-	{ 3,       "value",		ASN1_EOC,		ASN1_RAW  }, /* 4 */
-	{ 2,     "end loop",	ASN1_EOC,		ASN1_END  }, /* 5 */
-	{ 0, "end loop",		ASN1_EOC,		ASN1_END  }, /* 6 */
-	{ 0, "exit",			ASN1_EOC,		ASN1_EXIT }
-};
-#define ATTRIBUTE_OBJ_TYPE 	2
-#define ATTRIBUTE_OBJ_VALUE	4
-
-/**
- * Parse a PKCS#9 attribute list
- */
-static bool parse_attributes(chunk_t chunk, int level0, private_pkcs9_t* this)
-{
-	asn1_parser_t *parser;
-	chunk_t object;
-	int objectID;
-	int oid = OID_UNKNOWN;
-	bool success = FALSE;
-
-	parser = asn1_parser_create(attributesObjects, chunk);
-	parser->set_top_level(parser, level0);
-
-	while (parser->iterate(parser, &objectID, &object))
-	{
-		switch (objectID)
-		{
-			case ATTRIBUTE_OBJ_TYPE:
-				oid = asn1_known_oid(object);
-				break;
-			case ATTRIBUTE_OBJ_VALUE:
-				if (oid == OID_UNKNOWN)
-				{
-					break;
-				}
-				/* add the attribute to a linked list */
-				{
-					attribute_t *attribute = attribute_create(oid, object);
-
-					this->attributes->insert_last(this->attributes,
-												 (void*)attribute);
-				}
-				/* parse known attributes  */
-				{
-					asn1_t type = asn1_attributeType(oid);
-
-					if (type != ASN1_EOC)
-					{
-						if (!asn1_parse_simple_object(&object, type,
-										parser->get_level(parser)+1,
-										oid_names[oid].name))
-						{
-							goto end;
-						}
-					}
-				}
-		}
-	}
-	success = parser->success(parser);
-
-end:
-	parser->destroy(parser);
-	return success;
-}
-
-
- /*
- * Described in header.
- */
-pkcs9_t *pkcs9_create_from_chunk(chunk_t chunk, u_int level)
-{
-	private_pkcs9_t *this = pkcs9_create_empty();
-
-	this->encoding = chunk_clone(chunk);
-
-	if (!parse_attributes(chunk, level, this))
-	{
-		destroy(this);
-		return NULL;
-	}
-	return &this->public;
-}
diff --git a/src/libstrongswan/crypto/pkcs9.h b/src/libstrongswan/crypto/pkcs9.h
deleted file mode 100644
index c442d4441..000000000
--- a/src/libstrongswan/crypto/pkcs9.h
+++ /dev/null
@@ -1,92 +0,0 @@
-/*
- * Copyright (C) 2012 Tobias Brunner
- * Copyright (C) 2008 Andreas Steffen
- * Hochschule fuer Technik Rapperswil, Switzerland
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup pkcs9 pkcs9
- * @{ @ingroup crypto
- */
-
-#ifndef PKCS9_H_
-#define PKCS9_H_
-
-typedef struct pkcs9_t pkcs9_t;
-
-#include <library.h>
-
-/**
- * PKCS#9 attributes.
- */
-struct pkcs9_t {
-
-	/**
-	 * Generate ASN.1 encoding of attribute list
-	 */
-	void (*build_encoding) (pkcs9_t *this);
-
-	/**
-	 * Gets ASN.1 encoding of PKCS#9 attribute list
-	 *
-	 * @return				ASN.1 encoded PKCSI#9 list
-	 */
-	chunk_t (*get_encoding) (pkcs9_t *this);
-
-	/**
-	 * Gets a PKCS#9 attribute
-	 *
-	 * @param oid			OID of the attribute
-	 * @return				value of the attribute (internal data)
-	 */
-	chunk_t (*get_attribute) (pkcs9_t *this, int oid);
-
-	/**
-	 * Adds a PKCS#9 attribute
-	 *
-	 * @param oid			OID of the attribute
-	 * @param value			value of the attribute (gets cloned)
-	 */
-	void (*set_attribute) (pkcs9_t *this, int oid, chunk_t value);
-
-	/**
-	 * Adds a ASN.1 encoded PKCS#9 attribute
-	 *
-	 * @param oid			OID of the attribute
-	 * @param value			ASN.1 encoded value of the attribute (gets adopted)
-	 */
-	void (*set_attribute_raw) (pkcs9_t *this, int oid, chunk_t value);
-
-	/**
-	 * Destroys the PKCS#9 attribute list.
-	 */
-	void (*destroy) (pkcs9_t *this);
-};
-
-/**
- * Read a PKCS#9 attribute list from a DER encoded chunk.
- *
- * @param chunk		chunk containing DER encoded data
- * @param level		ASN.1 parsing start level
- * @return 			created pkcs9 attribute list, or NULL if invalid.
- */
-pkcs9_t *pkcs9_create_from_chunk(chunk_t chunk, u_int level);
-
-/**
- * Create an empty PKCS#9 attribute list
- *
- * @return 				created pkcs9 attribute list.
- */
-pkcs9_t *pkcs9_create(void);
-
-#endif /** PKCS9_H_ @}*/
diff --git a/src/libstrongswan/crypto/proposal/proposal_keywords.c b/src/libstrongswan/crypto/proposal/proposal_keywords.c
index 7356dc367..4db504eb0 100644
--- a/src/libstrongswan/crypto/proposal/proposal_keywords.c
+++ b/src/libstrongswan/crypto/proposal/proposal_keywords.c
@@ -38,7 +38,7 @@
 #include "proposal_keywords.h"
 #include "proposal_keywords_static.h"
 
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
 #include <threading/rwlock.h>
 
 typedef struct private_proposal_keywords_t private_proposal_keywords_t;
diff --git a/src/libstrongswan/crypto/proposal/proposal_keywords_static.c b/src/libstrongswan/crypto/proposal/proposal_keywords_static.c
index ce52bc2ce..d85bfebd0 100644
--- a/src/libstrongswan/crypto/proposal/proposal_keywords_static.c
+++ b/src/libstrongswan/crypto/proposal/proposal_keywords_static.c
@@ -59,11 +59,11 @@ struct proposal_token {
 	u_int16_t         keysize;
 };
 
-#define TOTAL_KEYWORDS 122
+#define TOTAL_KEYWORDS 130
 #define MIN_WORD_LENGTH 3
 #define MAX_WORD_LENGTH 17
-#define MIN_HASH_VALUE 9
-#define MAX_HASH_VALUE 213
+#define MIN_HASH_VALUE 12
+#define MAX_HASH_VALUE 216
 /* maximum key range = 205, duplicates = 0 */
 
 #ifdef __GNUC__
@@ -80,32 +80,32 @@ hash (str, len)
 {
   static const unsigned char asso_values[] =
     {
-      214, 214, 214, 214, 214, 214, 214, 214, 214, 214,
-      214, 214, 214, 214, 214, 214, 214, 214, 214, 214,
-      214, 214, 214, 214, 214, 214, 214, 214, 214, 214,
-      214, 214, 214, 214, 214, 214, 214, 214, 214, 214,
-      214, 214, 214, 214, 214, 214, 214, 214,  14,   9,
-        4,  34,  66,  19,   8,   4,   5,   3, 214, 214,
-      214, 214, 214, 214, 214, 214, 214, 214, 214, 214,
-      214, 214, 214, 214, 214, 214, 214, 214, 214, 214,
-      214, 214, 214, 214, 214, 214, 214, 214, 214, 214,
-      214, 214, 214, 214, 214, 131, 214,   3,  22,  21,
-        3,   1, 101,  48,   3,   4, 214, 214,   3,  10,
-       57,   4, 214, 214,  94,   6,   3,  32, 214, 214,
-      214, 214, 214, 214, 214, 214, 214, 214, 214, 214,
-      214, 214, 214, 214, 214, 214, 214, 214, 214, 214,
-      214, 214, 214, 214, 214, 214, 214, 214, 214, 214,
-      214, 214, 214, 214, 214, 214, 214, 214, 214, 214,
-      214, 214, 214, 214, 214, 214, 214, 214, 214, 214,
-      214, 214, 214, 214, 214, 214, 214, 214, 214, 214,
-      214, 214, 214, 214, 214, 214, 214, 214, 214, 214,
-      214, 214, 214, 214, 214, 214, 214, 214, 214, 214,
-      214, 214, 214, 214, 214, 214, 214, 214, 214, 214,
-      214, 214, 214, 214, 214, 214, 214, 214, 214, 214,
-      214, 214, 214, 214, 214, 214, 214, 214, 214, 214,
-      214, 214, 214, 214, 214, 214, 214, 214, 214, 214,
-      214, 214, 214, 214, 214, 214, 214, 214, 214, 214,
-      214, 214, 214, 214, 214, 214, 214
+      217, 217, 217, 217, 217, 217, 217, 217, 217, 217,
+      217, 217, 217, 217, 217, 217, 217, 217, 217, 217,
+      217, 217, 217, 217, 217, 217, 217, 217, 217, 217,
+      217, 217, 217, 217, 217, 217, 217, 217, 217, 217,
+      217, 217, 217, 217, 217, 217, 217, 217,  35,  10,
+        5,  34,  68,  21,   9,  16,   6,   4, 217, 217,
+      217, 217, 217, 217, 217, 217, 217, 217, 217, 217,
+      217, 217, 217, 217, 217, 217, 217, 217, 217, 217,
+      217, 217, 217, 217, 217, 217, 217, 217, 217, 217,
+      217, 217, 217, 217, 217, 117, 217,  15,  22,  23,
+        4,  29,   4,  51,  57,   4, 217, 217,   4,  16,
+       58,   4, 217,   5,  81, 104,   6,  34, 217, 217,
+        5, 217, 217, 217, 217, 217, 217, 217, 217, 217,
+      217, 217, 217, 217, 217, 217, 217, 217, 217, 217,
+      217, 217, 217, 217, 217, 217, 217, 217, 217, 217,
+      217, 217, 217, 217, 217, 217, 217, 217, 217, 217,
+      217, 217, 217, 217, 217, 217, 217, 217, 217, 217,
+      217, 217, 217, 217, 217, 217, 217, 217, 217, 217,
+      217, 217, 217, 217, 217, 217, 217, 217, 217, 217,
+      217, 217, 217, 217, 217, 217, 217, 217, 217, 217,
+      217, 217, 217, 217, 217, 217, 217, 217, 217, 217,
+      217, 217, 217, 217, 217, 217, 217, 217, 217, 217,
+      217, 217, 217, 217, 217, 217, 217, 217, 217, 217,
+      217, 217, 217, 217, 217, 217, 217, 217, 217, 217,
+      217, 217, 217, 217, 217, 217, 217, 217, 217, 217,
+      217, 217, 217, 217, 217, 217, 217
     };
   register int hval = len;
 
@@ -142,23 +142,21 @@ hash (str, len)
 
 static const struct proposal_token wordlist[] =
   {
-    {"sha",              INTEGRITY_ALGORITHM,  AUTH_HMAC_SHA1_96,         0},
-    {"des",              ENCRYPTION_ALGORITHM, ENCR_DES,                  0},
     {"null",             ENCRYPTION_ALGORITHM, ENCR_NULL,                 0},
+    {"ecp192",           DIFFIE_HELLMAN_GROUP, ECP_192_BIT,               0},
     {"sha1",             INTEGRITY_ALGORITHM,  AUTH_HMAC_SHA1_96,         0},
-    {"serpent",          ENCRYPTION_ALGORITHM, ENCR_SERPENT_CBC,        128},
-    {"camellia",         ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CBC,       128},
+    {"sha",              INTEGRITY_ALGORITHM,  AUTH_HMAC_SHA1_96,         0},
+    {"ecp521",           DIFFIE_HELLMAN_GROUP, ECP_521_BIT,               0},
     {"sha512",           INTEGRITY_ALGORITHM,  AUTH_HMAC_SHA2_512_256,    0},
-    {"serpent192",       ENCRYPTION_ALGORITHM, ENCR_SERPENT_CBC,        192},
-    {"serpent128",       ENCRYPTION_ALGORITHM, ENCR_SERPENT_CBC,        128},
     {"camellia192",      ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CBC,       192},
     {"cast128",          ENCRYPTION_ALGORITHM, ENCR_CAST,               128},
     {"camellia128",      ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CBC,       128},
-    {"aes",              ENCRYPTION_ALGORITHM, ENCR_AES_CBC,            128},
-    {"serpent256",       ENCRYPTION_ALGORITHM, ENCR_SERPENT_CBC,        256},
+    {"camellia",         ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CBC,       128},
+    {"prfmd5",           PSEUDO_RANDOM_FUNCTION, PRF_HMAC_MD5,            0},
     {"aes192",           ENCRYPTION_ALGORITHM, ENCR_AES_CBC,            192},
-    {"sha256",           INTEGRITY_ALGORITHM,  AUTH_HMAC_SHA2_256_128,    0},
     {"aes128",           ENCRYPTION_ALGORITHM, ENCR_AES_CBC,            128},
+    {"ecp256",           DIFFIE_HELLMAN_GROUP, ECP_256_BIT,               0},
+    {"sha256",           INTEGRITY_ALGORITHM,  AUTH_HMAC_SHA2_256_128,    0},
     {"camellia192ccm8",  ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV8,  192},
     {"camellia128ccm8",  ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV8,  128},
     {"camellia192ccm96", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV12, 192},
@@ -170,17 +168,18 @@ static const struct proposal_token wordlist[] =
     {"camellia192ccm16", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV16, 192},
     {"camellia128ccm16", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV16, 128},
     {"camellia256",      ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CBC,       256},
-    {"twofish",          ENCRYPTION_ALGORITHM, ENCR_TWOFISH_CBC,        128},
-    {"camellia256ccm8",  ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV8,  256},
+    {"serpent",          ENCRYPTION_ALGORITHM, ENCR_SERPENT_CBC,        128},
     {"aes256",           ENCRYPTION_ALGORITHM, ENCR_AES_CBC,            256},
+    {"camellia256ccm8",  ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV8,  256},
+    {"serpent192",       ENCRYPTION_ALGORITHM, ENCR_SERPENT_CBC,        192},
     {"camellia256ccm96", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV12, 256},
-    {"twofish192",       ENCRYPTION_ALGORITHM, ENCR_TWOFISH_CBC,        192},
+    {"serpent128",       ENCRYPTION_ALGORITHM, ENCR_SERPENT_CBC,        128},
     {"camellia256ccm12", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV12, 256},
-    {"twofish128",       ENCRYPTION_ALGORITHM, ENCR_TWOFISH_CBC,        128},
+    {"esn",              EXTENDED_SEQUENCE_NUMBERS, EXT_SEQ_NUMBERS,      0},
     {"camellia256ccm128",ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV16, 256},
     {"camellia256ccm16", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV16, 256},
+    {"serpent256",       ENCRYPTION_ALGORITHM, ENCR_SERPENT_CBC,        256},
     {"camelliaxcbc",     INTEGRITY_ALGORITHM,  AUTH_CAMELLIA_XCBC_96,     0},
-    {"twofish256",       ENCRYPTION_ALGORITHM, ENCR_TWOFISH_CBC,        256},
     {"aes192ccm8",       ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV8,       192},
     {"aes128ccm8",       ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV8,       128},
     {"aes192ccm96",      ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV12,      192},
@@ -191,18 +190,23 @@ static const struct proposal_token wordlist[] =
     {"aes128ccm128",     ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV16,      128},
     {"aes192ccm16",      ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV16,      192},
     {"aes128ccm16",      ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV16,      128},
-    {"3des",             ENCRYPTION_ALGORITHM, ENCR_3DES,                 0},
     {"modp8192",         DIFFIE_HELLMAN_GROUP, MODP_8192_BIT,             0},
-    {"modp768",          DIFFIE_HELLMAN_GROUP, MODP_768_BIT,              0},
     {"md5",              INTEGRITY_ALGORITHM,  AUTH_HMAC_MD5_96,          0},
+    {"ecp224",           DIFFIE_HELLMAN_GROUP, ECP_224_BIT,               0},
+    {"ecp384",           DIFFIE_HELLMAN_GROUP, ECP_384_BIT,               0},
+    {"prfsha256",        PSEUDO_RANDOM_FUNCTION, PRF_HMAC_SHA2_256,       0},
     {"sha384",           INTEGRITY_ALGORITHM,  AUTH_HMAC_SHA2_384_192,    0},
-    {"aescmac",          INTEGRITY_ALGORITHM,  AUTH_AES_CMAC_96,          0},
-    {"aes256ccm8",       ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV8,       256},
     {"md5_128",          INTEGRITY_ALGORITHM,  AUTH_HMAC_MD5_128,         0},
+    {"aes256ccm8",       ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV8,       256},
+    {"prfsha1",          PSEUDO_RANDOM_FUNCTION, PRF_HMAC_SHA1,           0},
     {"aes256ccm96",      ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV12,      256},
+    {"aescmac",          INTEGRITY_ALGORITHM,  AUTH_AES_CMAC_96,          0},
     {"aes256ccm12",      ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV12,      256},
+    {"modp768",          DIFFIE_HELLMAN_GROUP, MODP_768_BIT,              0},
     {"aes256ccm128",     ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV16,      256},
+    {"prfaesxcbc",       PSEUDO_RANDOM_FUNCTION, PRF_AES128_XCBC,         0},
     {"aes256ccm16",      ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV16,      256},
+    {"prfsha512",        PSEUDO_RANDOM_FUNCTION, PRF_HMAC_SHA2_512,       0},
     {"aesxcbc",          INTEGRITY_ALGORITHM,  AUTH_AES_XCBC_96,          0},
     {"aes192gcm8",       ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV8,       192},
     {"aes128gcm8",       ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV8,       128},
@@ -216,80 +220,84 @@ static const struct proposal_token wordlist[] =
     {"aes128gcm16",      ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV16,      128},
     {"camellia192ccm64", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV8,  192},
     {"camellia128ccm64", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV8,  128},
-    {"modp1024s160",     DIFFIE_HELLMAN_GROUP, MODP_1024_160,             0},
-    {"modp3072",         DIFFIE_HELLMAN_GROUP, MODP_3072_BIT,             0},
+    {"camellia192ctr",   ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CTR,       192},
+    {"camellia128ctr",   ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CTR,       128},
+    {"prfaescmac",       PSEUDO_RANDOM_FUNCTION, PRF_AES128_CMAC,         0},
+    {"prfcamelliaxcbc",  PSEUDO_RANDOM_FUNCTION, PRF_CAMELLIA128_XCBC,    0},
+    {"twofish192",       ENCRYPTION_ALGORITHM, ENCR_TWOFISH_CBC,        192},
     {"aes256gcm8",       ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV8,       256},
+    {"twofish128",       ENCRYPTION_ALGORITHM, ENCR_TWOFISH_CBC,        128},
     {"aes256gcm96",      ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV12,      256},
+    {"modp1536",         DIFFIE_HELLMAN_GROUP, MODP_1536_BIT,             0},
     {"aes256gcm12",      ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV12,      256},
-    {"ecp192",           DIFFIE_HELLMAN_GROUP, ECP_192_BIT,               0},
+    {"modp3072",         DIFFIE_HELLMAN_GROUP, MODP_3072_BIT,             0},
     {"aes256gcm128",     ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV16,      256},
-    {"modp1536",         DIFFIE_HELLMAN_GROUP, MODP_1536_BIT,             0},
+    {"twofish256",       ENCRYPTION_ALGORITHM, ENCR_TWOFISH_CBC,        256},
     {"aes256gcm16",      ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV16,      256},
-    {"camellia256ccm64", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV8,  256},
-    {"ecp521",           DIFFIE_HELLMAN_GROUP, ECP_521_BIT,               0},
-    {"camellia192ctr",   ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CTR,       192},
-    {"camellia128ctr",   ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CTR,       128},
     {"noesn",            EXTENDED_SEQUENCE_NUMBERS, NO_EXT_SEQ_NUMBERS,   0},
+    {"camellia256ccm64", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV8,  256},
+    {"camellia256ctr",   ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CTR,       256},
+    {"aes",              ENCRYPTION_ALGORITHM, ENCR_AES_CBC,            128},
+    {"modp1024s160",     DIFFIE_HELLMAN_GROUP, MODP_1024_160,             0},
+    {"modpnull",         DIFFIE_HELLMAN_GROUP, MODP_NULL,                 0},
     {"aes192gmac",       ENCRYPTION_ALGORITHM, ENCR_NULL_AUTH_AES_GMAC, 192},
     {"aes128gmac",       ENCRYPTION_ALGORITHM, ENCR_NULL_AUTH_AES_GMAC, 128},
-    {"modpnull",         DIFFIE_HELLMAN_GROUP, MODP_NULL,                 0},
+    {"des",              ENCRYPTION_ALGORITHM, ENCR_DES,                  0},
     {"aes192ccm64",      ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV8,       192},
     {"aes128ccm64",      ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV8,       128},
-    {"ecp256",           DIFFIE_HELLMAN_GROUP, ECP_256_BIT,               0},
-    {"camellia256ctr",   ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CTR,       256},
-    {"blowfish",         ENCRYPTION_ALGORITHM, ENCR_BLOWFISH,           128},
+    {"aes192ctr",        ENCRYPTION_ALGORITHM, ENCR_AES_CTR,            192},
+    {"aes128ctr",        ENCRYPTION_ALGORITHM, ENCR_AES_CTR,            128},
     {"modp2048",         DIFFIE_HELLMAN_GROUP, MODP_2048_BIT,             0},
-    {"aes256gmac",       ENCRYPTION_ALGORITHM, ENCR_NULL_AUTH_AES_GMAC, 256},
+    {"sha2_512",         INTEGRITY_ALGORITHM,  AUTH_HMAC_SHA2_512_256,    0},
     {"modp4096",         DIFFIE_HELLMAN_GROUP, MODP_4096_BIT,             0},
     {"modp1024",         DIFFIE_HELLMAN_GROUP, MODP_1024_BIT,             0},
+    {"aes256gmac",       ENCRYPTION_ALGORITHM, ENCR_NULL_AUTH_AES_GMAC, 256},
     {"blowfish192",      ENCRYPTION_ALGORITHM, ENCR_BLOWFISH,           192},
-    {"aes256ccm64",      ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV8,       256},
     {"blowfish128",      ENCRYPTION_ALGORITHM, ENCR_BLOWFISH,           128},
-    {"aes192ctr",        ENCRYPTION_ALGORITHM, ENCR_AES_CTR,            192},
-    {"aes128ctr",        ENCRYPTION_ALGORITHM, ENCR_AES_CTR,            128},
+    {"aes256ccm64",      ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV8,       256},
+    {"aes256ctr",        ENCRYPTION_ALGORITHM, ENCR_AES_CTR,            256},
     {"modp2048s256",     DIFFIE_HELLMAN_GROUP, MODP_2048_256,             0},
-    {"sha2_512",         INTEGRITY_ALGORITHM,  AUTH_HMAC_SHA2_512_256,    0},
+    {"twofish",          ENCRYPTION_ALGORITHM, ENCR_TWOFISH_CBC,        128},
+    {"sha2_256",         INTEGRITY_ALGORITHM,  AUTH_HMAC_SHA2_256_128,    0},
+    {"sha256_96",        INTEGRITY_ALGORITHM,  AUTH_HMAC_SHA2_256_96,     0},
     {"aes192gcm64",      ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV8,       192},
     {"aes128gcm64",      ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV8,       128},
-    {"esn",              EXTENDED_SEQUENCE_NUMBERS, EXT_SEQ_NUMBERS,      0},
-    {"sha1_160",         INTEGRITY_ALGORITHM,  AUTH_HMAC_SHA1_160,        0},
-    {"aes256ctr",        ENCRYPTION_ALGORITHM, ENCR_AES_CTR,            256},
+    {"sha2_256_96",      INTEGRITY_ALGORITHM,  AUTH_HMAC_SHA2_256_96,     0},
     {"blowfish256",      ENCRYPTION_ALGORITHM, ENCR_BLOWFISH,           256},
-    {"sha2_256",         INTEGRITY_ALGORITHM,  AUTH_HMAC_SHA2_256_128,    0},
-    {"sha256_96",        INTEGRITY_ALGORITHM,  AUTH_HMAC_SHA2_256_96,     0},
+    {"prfsha384",        PSEUDO_RANDOM_FUNCTION, PRF_HMAC_SHA2_384,       0},
+    {"sha1_160",         INTEGRITY_ALGORITHM,  AUTH_HMAC_SHA1_160,        0},
+    {"3des",             ENCRYPTION_ALGORITHM, ENCR_3DES,                 0},
     {"aes256gcm64",      ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV8,       256},
-    {"sha2_256_96",      INTEGRITY_ALGORITHM,  AUTH_HMAC_SHA2_256_96,     0},
-    {"ecp224",           DIFFIE_HELLMAN_GROUP, ECP_224_BIT,               0},
-    {"ecp384",           DIFFIE_HELLMAN_GROUP, ECP_384_BIT,               0},
+    {"blowfish",         ENCRYPTION_ALGORITHM, ENCR_BLOWFISH,           128},
+    {"sha2_384",         INTEGRITY_ALGORITHM,  AUTH_HMAC_SHA2_384_192,    0},
     {"modp6144",         DIFFIE_HELLMAN_GROUP, MODP_6144_BIT,             0},
-    {"modp2048s224",     DIFFIE_HELLMAN_GROUP, MODP_2048_224,             0},
-    {"sha2_384",         INTEGRITY_ALGORITHM,  AUTH_HMAC_SHA2_384_192,    0}
+    {"modp2048s224",     DIFFIE_HELLMAN_GROUP, MODP_2048_224,             0}
   };
 
 static const short lookup[] =
   {
-     -1,  -1,  -1,  -1,  -1,  -1,  -1,  -1,  -1,   0,
-      1,   2,  -1,  -1,  -1,  -1,   3,   4,  -1,  -1,
-     -1,   5,   6,  -1,  -1,   7,  -1,   8,   9,  10,
-     11,  12,  -1,  13,  -1,  14,  15,  16,  17,  18,
-     19,  20,  21,  22,  23,  24,  25,  26,  27,  28,
-     -1,  -1,  -1,  -1,  29,  30,  31,  32,  33,  34,
-     35,  -1,  36,  -1,  37,  38,  39,  40,  41,  42,
-     43,  44,  45,  46,  47,  48,  49,  50,  51,  52,
-     53,  54,  55,  56,  57,  -1,  58,  -1,  59,  -1,
-     60,  -1,  61,  62,  63,  64,  65,  66,  67,  68,
-     69,  70,  71,  72,  73,  74,  -1,  75,  -1,  76,
-     -1,  77,  -1,  78,  79,  80,  81,  82,  -1,  83,
-     84,  85,  86,  87,  -1,  88,  89,  -1,  90,  -1,
-     -1,  91,  92,  -1,  93,  -1,  -1,  94,  -1,  95,
-     96,  97,  98,  -1,  99,  -1, 100, 101, 102, 103,
-    104, 105,  -1,  -1,  -1, 106,  -1,  -1, 107, 108,
-     -1, 109,  -1,  -1, 110, 111, 112,  -1,  -1, 113,
-    114,  -1,  -1,  -1, 115, 116,  -1, 117, 118,  -1,
-     -1,  -1,  -1,  -1,  -1,  -1,  -1,  -1,  -1,  -1,
      -1,  -1,  -1,  -1,  -1,  -1,  -1,  -1,  -1,  -1,
-     -1,  -1,  -1,  -1,  -1, 119,  -1,  -1,  -1, 120,
-     -1,  -1,  -1, 121
+     -1,  -1,   0,  -1,  -1,  -1,  -1,  -1,  -1,   1,
+      2,  -1,  -1,  -1,   3,   4,  -1,   5,  -1,  -1,
+     -1,  -1,   6,   7,   8,   9,  10,  11,  -1,  12,
+     13,  -1,  14,  15,  16,  17,  18,  19,  20,  21,
+     22,  23,  24,  25,  26,  -1,  -1,  -1,  27,  -1,
+     28,  29,  30,  31,  32,  33,  34,  -1,  35,  36,
+     37,  38,  39,  40,  41,  42,  43,  44,  45,  46,
+     47,  48,  49,  50,  51,  52,  53,  54,  55,  56,
+     57,  58,  59,  60,  61,  62,  63,  64,  65,  66,
+     67,  68,  69,  70,  71,  72,  73,  74,  75,  76,
+     77,  78,  79,  80,  81,  82,  83,  84,  85,  86,
+     87,  88,  89,  90,  91,  92,  93,  -1,  94,  95,
+     96,  -1,  97,  98,  99,  -1, 100, 101, 102, 103,
+    104,  -1,  -1,  -1,  -1, 105, 106, 107,  -1, 108,
+    109, 110,  -1, 111, 112,  -1, 113, 114,  -1, 115,
+     -1, 116, 117,  -1,  -1, 118, 119,  -1, 120,  -1,
+     -1,  -1, 121, 122,  -1, 123, 124,  -1,  -1,  -1,
+     -1,  -1, 125,  -1,  -1,  -1,  -1,  -1,  -1,  -1,
+     -1,  -1,  -1,  -1,  -1,  -1, 126,  -1,  -1,  -1,
+     -1,  -1,  -1,  -1,  -1, 127,  -1,  -1,  -1,  -1,
+     -1, 128,  -1,  -1,  -1,  -1, 129
   };
 
 #ifdef __GNUC__
diff --git a/src/libstrongswan/crypto/proposal/proposal_keywords_static.txt b/src/libstrongswan/crypto/proposal/proposal_keywords_static.txt
index 7f8c95757..445438f03 100644
--- a/src/libstrongswan/crypto/proposal/proposal_keywords_static.txt
+++ b/src/libstrongswan/crypto/proposal/proposal_keywords_static.txt
@@ -132,6 +132,14 @@ md5_128,          INTEGRITY_ALGORITHM,  AUTH_HMAC_MD5_128,         0
 aesxcbc,          INTEGRITY_ALGORITHM,  AUTH_AES_XCBC_96,          0
 camelliaxcbc,     INTEGRITY_ALGORITHM,  AUTH_CAMELLIA_XCBC_96,     0
 aescmac,          INTEGRITY_ALGORITHM,  AUTH_AES_CMAC_96,          0
+prfsha1,          PSEUDO_RANDOM_FUNCTION, PRF_HMAC_SHA1,           0
+prfsha256,        PSEUDO_RANDOM_FUNCTION, PRF_HMAC_SHA2_256,       0
+prfsha384,        PSEUDO_RANDOM_FUNCTION, PRF_HMAC_SHA2_384,       0
+prfsha512,        PSEUDO_RANDOM_FUNCTION, PRF_HMAC_SHA2_512,       0
+prfmd5,           PSEUDO_RANDOM_FUNCTION, PRF_HMAC_MD5,            0
+prfaesxcbc,       PSEUDO_RANDOM_FUNCTION, PRF_AES128_XCBC,         0
+prfcamelliaxcbc,  PSEUDO_RANDOM_FUNCTION, PRF_CAMELLIA128_XCBC,    0
+prfaescmac,       PSEUDO_RANDOM_FUNCTION, PRF_AES128_CMAC,         0
 modpnull,         DIFFIE_HELLMAN_GROUP, MODP_NULL,                 0
 modp768,          DIFFIE_HELLMAN_GROUP, MODP_768_BIT,              0
 modp1024,         DIFFIE_HELLMAN_GROUP, MODP_1024_BIT,             0
diff --git a/src/libstrongswan/crypto/transform.h b/src/libstrongswan/crypto/transform.h
index 311df068f..4a98f81e9 100644
--- a/src/libstrongswan/crypto/transform.h
+++ b/src/libstrongswan/crypto/transform.h
@@ -23,7 +23,7 @@
 
 typedef enum transform_type_t transform_type_t;
 
-#include <enum.h>
+#include <utils/enum.h>
 
 /**
  * Type of a transform, as in IKEv2 RFC 3.3.2.
diff --git a/src/libstrongswan/database/database.h b/src/libstrongswan/database/database.h
index dda29b5fb..d46fc3d34 100644
--- a/src/libstrongswan/database/database.h
+++ b/src/libstrongswan/database/database.h
@@ -25,7 +25,7 @@ typedef enum db_type_t db_type_t;
 typedef enum db_driver_t db_driver_t;
 typedef struct database_t database_t;
 
-#include <utils/enumerator.h>
+#include <collections/enumerator.h>
 
 /**
  * Database column types
diff --git a/src/libstrongswan/database/database_factory.c b/src/libstrongswan/database/database_factory.c
index 909522d64..6c714ba51 100644
--- a/src/libstrongswan/database/database_factory.c
+++ b/src/libstrongswan/database/database_factory.c
@@ -15,7 +15,7 @@
 
 #include "database_factory.h"
 
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
 #include <threading/mutex.h>
 
 typedef struct private_database_factory_t private_database_factory_t;
diff --git a/src/libstrongswan/debug.c b/src/libstrongswan/debug.c
deleted file mode 100644
index e8c9e6b98..000000000
--- a/src/libstrongswan/debug.c
+++ /dev/null
@@ -1,112 +0,0 @@
-/*
- * Copyright (C) 2006 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include <stdarg.h>
-
-#include "debug.h"
-
-ENUM(debug_names, DBG_DMN, DBG_LIB,
-	"DMN",
-	"MGR",
-	"IKE",
-	"CHD",
-	"JOB",
-	"CFG",
-	"KNL",
-	"NET",
-	"ASN",
-	"ENC",
-	"TNC",
-	"IMC",
-	"IMV",
-	"PTS",
-	"TLS",
-	"APP",
-	"ESP",
-	"LIB",
-);
-
-ENUM(debug_lower_names, DBG_DMN, DBG_LIB,
-	"dmn",
-	"mgr",
-	"ike",
-	"chd",
-	"job",
-	"cfg",
-	"knl",
-	"net",
-	"asn",
-	"enc",
-	"tnc",
-	"imc",
-	"imv",
-	"pts",
-	"tls",
-	"app",
-	"esp",
-	"lib",
-);
-
-/**
- * level logged by the default logger
- */
-static level_t default_level = 1;
-
-/**
- * stream logged to by the default logger
- */
-static FILE *default_stream = NULL;
-
-/**
- * default dbg function which printf all to stderr
- */
-void dbg_default(debug_t group, level_t level, char *fmt, ...)
-{
-	if (!default_stream)
-	{
-		default_stream = stderr;
-	}
-	if (level <= default_level)
-	{
-		va_list args;
-
-		va_start(args, fmt);
-		vfprintf(default_stream, fmt, args);
-		fprintf(default_stream, "\n");
-		va_end(args);
-	}
-}
-
-/**
- * set the level logged by the default stderr logger
- */
-void dbg_default_set_level(level_t level)
-{
-	default_level = level;
-}
-
-/**
- * set the stream logged by dbg_default() to
- */
-void dbg_default_set_stream(FILE *stream)
-{
-	default_stream = stream;
-}
-
-/**
- * The registered debug hook.
- */
-void (*dbg) (debug_t group, level_t level, char *fmt, ...) = dbg_default;
-
diff --git a/src/libstrongswan/debug.h b/src/libstrongswan/debug.h
deleted file mode 100644
index ff4b4a1e9..000000000
--- a/src/libstrongswan/debug.h
+++ /dev/null
@@ -1,154 +0,0 @@
-/*
- * Copyright (C) 2006 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup debug debug
- * @{ @ingroup libstrongswan
- */
-
-#ifndef DEBUG_H_
-#define DEBUG_H_
-
-typedef enum debug_t debug_t;
-typedef enum level_t level_t;
-
-#include <stdio.h>
-
-#include "enum.h"
-
-/**
- * Debug message group.
- */
-enum debug_t {
-	/** daemon specific */
-	DBG_DMN,
-	/** IKE_SA_MANAGER */
-	DBG_MGR,
-	/** IKE_SA */
-	DBG_IKE,
-	/** CHILD_SA */
-	DBG_CHD,
-	/** job processing */
-	DBG_JOB,
-	/** configuration backends */
-	DBG_CFG,
-	/** kernel interface */
-	DBG_KNL,
-	/** networking/sockets */
-	DBG_NET,
-	/** low-level encoding/decoding (ASN.1, X.509 etc.) */
-	DBG_ASN,
-	/** message encoding/decoding */
-	DBG_ENC,
-	/** trusted network connect */
-	DBG_TNC,
-	/** integrity measurement client */
-	DBG_IMC,
-	/** integrity measurement verifier */
-	DBG_IMV,
-	/** platform trust service */
-	DBG_PTS,
-	/** libtls */
-	DBG_TLS,
-	/** applications other than daemons */
-	DBG_APP,
-	/** libipsec */
-	DBG_ESP,
-	/** libstrongswan */
-	DBG_LIB,
-	/** number of groups */
-	DBG_MAX,
-	/** pseudo group with all groups */
-	DBG_ANY = DBG_MAX,
-};
-
-/**
- * short names of debug message group.
- */
-extern enum_name_t *debug_names;
-
-/**
- * short names of debug message group, lower case.
- */
-extern enum_name_t *debug_lower_names;
-
-/**
- * Debug levels used to control output verbosity.
- */
-enum level_t {
-	/** absolutely silent */
-	LEVEL_SILENT = -1,
-	/** most important auditing logs */
-	LEVEL_AUDIT =   0,
-	/** control flow */
-	LEVEL_CTRL =    1,
-	/** diagnose problems */
-	LEVEL_DIAG =    2,
-	/** raw binary blobs */
-	LEVEL_RAW =     3,
-	/** including sensitive data (private keys) */
-	LEVEL_PRIVATE = 4,
-};
-
-#ifndef DEBUG_LEVEL
-# define DEBUG_LEVEL 4
-#endif /* DEBUG_LEVEL */
-
-/** debug macros, they call the dbg function hook */
-#if DEBUG_LEVEL >= 0
-# define DBG0(group, fmt, ...) dbg(group, 0, fmt, ##__VA_ARGS__)
-#endif /* DEBUG_LEVEL */
-#if DEBUG_LEVEL >= 1
-# define DBG1(group, fmt, ...) dbg(group, 1, fmt, ##__VA_ARGS__)
-#endif /* DEBUG_LEVEL */
-#if DEBUG_LEVEL >= 2
-# define DBG2(group, fmt, ...) dbg(group, 2, fmt, ##__VA_ARGS__)
-#endif /* DEBUG_LEVEL */
-#if DEBUG_LEVEL >= 3
-# define DBG3(group, fmt, ...) dbg(group, 3, fmt, ##__VA_ARGS__)
-#endif /* DEBUG_LEVEL */
-#if DEBUG_LEVEL >= 4
-# define DBG4(group, fmt, ...) dbg(group, 4, fmt, ##__VA_ARGS__)
-#endif /* DEBUG_LEVEL */
-
-#ifndef DBG0
-# define DBG0(...) {}
-#endif
-#ifndef DBG1
-# define DBG1(...) {}
-#endif
-#ifndef DBG2
-# define DBG2(...) {}
-#endif
-#ifndef DBG3
-# define DBG3(...) {}
-#endif
-#ifndef DBG4
-# define DBG4(...) {}
-#endif
-
-/** dbg function hook, uses dbg_default() by default */
-extern void (*dbg) (debug_t group, level_t level, char *fmt, ...);
-
-/** default logging function */
-void dbg_default(debug_t group, level_t level, char *fmt, ...);
-
-/** set the level logged by dbg_default() */
-void dbg_default_set_level(level_t level);
-
-/** set the stream logged by dbg_default() to */
-void dbg_default_set_stream(FILE *stream);
-
-#endif /** DEBUG_H_ @}*/
diff --git a/src/libstrongswan/eap/eap.c b/src/libstrongswan/eap/eap.c
index 1e4cf11bf..c181c5de7 100644
--- a/src/libstrongswan/eap/eap.c
+++ b/src/libstrongswan/eap/eap.c
@@ -19,7 +19,7 @@
 
 #include "eap.h"
 
-#include <debug.h>
+#include <utils/debug.h>
 
 ENUM(eap_code_names, EAP_REQUEST, EAP_FAILURE,
 	"EAP_REQUEST",
diff --git a/src/libstrongswan/enum.c b/src/libstrongswan/enum.c
deleted file mode 100644
index 2dc7c5dde..000000000
--- a/src/libstrongswan/enum.c
+++ /dev/null
@@ -1,79 +0,0 @@
-/*
- * Copyright (C) 2006 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include <stddef.h>
-#include <stdio.h>
-
-#include <library.h>
-
-#include "enum.h"
-
-/**
- * See header.
- */
-char *enum_to_name(enum_name_t *e, int val)
-{
-	do
-	{
-		if (val >= e->first && val <= e->last)
-		{
-			return e->names[val - e->first];
-		}
-	}
-	while ((e = e->next));
-	return NULL;
-}
-
-/**
- * See header.
- */
-int enum_from_name(enum_name_t *e, char *name)
-{
-	do
-	{
-		int i, count = e->last - e->first + 1;
-
-		for (i = 0; i < count; i++)
-		{
-			if (strcaseeq(name, e->names[i]))
-			{
-				return e->first + i;
-			}
-		}
-	}
-	while ((e = e->next));
-	return -1;
-}
-
-/**
- * Described in header.
- */
-int enum_printf_hook(printf_hook_data_t *data, printf_hook_spec_t *spec,
-					 const void *const *args)
-{
-	enum_name_t *ed = *((enum_name_t**)(args[0]));
-	int val = *((int*)(args[1]));
-
-	char *name = enum_to_name(ed, val);
-
-	if (name == NULL)
-	{
-		return print_in_hook(data, "(%d)", val);
-	}
-	else
-	{
-		return print_in_hook(data, "%s", name);
-	}
-}
diff --git a/src/libstrongswan/enum.h b/src/libstrongswan/enum.h
deleted file mode 100644
index 840371245..000000000
--- a/src/libstrongswan/enum.h
+++ /dev/null
@@ -1,136 +0,0 @@
-/*
- * Copyright (C) 2009 Tobias Brunner
- * Copyright (C) 2006-2008 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup enum enum
- * @{ @ingroup libstrongswan
- */
-
-#ifndef ENUM_H_
-#define ENUM_H_
-
-#include "printf_hook.h"
-
-typedef struct enum_name_t enum_name_t;
-
-/**
- * Struct to store names for enums.
- *
- * To print the string representation of enumeration values, the strings
- * are stored in these structures. Every enum_name contains a range
- * of strings, multiple ranges are linked together.
- * Use the convenience macros to define these linked ranges.
- *
- * For a single range, use:
- * @code
-   ENUM(name, first, last, string1, string2, ...)
-   @endcode
- * For multiple linked ranges, use:
- * @code
-   ENUM_BEGIN(name, first, last, string1, string2, ...)
-     ENUM_NEXT(name, first, last, last_from_previous, string3, ...)
-     ENUM_NEXT(name, first, last, last_from_previous, string4, ...)
-   ENUM_END(name, last_from_previous)
-   @endcode
- * The ENUM and the ENUM_END define a enum_name_t pointer with the name supplied
- * in "name".
- *
- * Resolving of enum names is done using a printf hook. A printf fromat
- * character %N is replaced by the enum string. Printf needs two arguments to
- * resolve a %N, the enum_name_t* (the defined name in ENUM_BEGIN) followed
- * by the numerical enum value.
- */
-struct enum_name_t {
-	/** value of the first enum string */
-	int first;
-	/** value of the last enum string */
-	int last;
-	/** next enum_name_t in list */
-	enum_name_t *next;
-	/** array of strings containing names from first to last */
-	char *names[];
-};
-
-/**
- * Begin a new enum_name list.
- *
- * @param name	name of the enum_name list
- * @param first	enum value of the first enum string
- * @param last	enum value of the last enum string
- * @param ...	a list of strings
- */
-#define ENUM_BEGIN(name, first, last, ...) static enum_name_t name##last = {first, last, NULL, { __VA_ARGS__ }}
-
-/**
- * Continue a enum name list startetd with ENUM_BEGIN.
- *
- * @param name	name of the enum_name list
- * @param first	enum value of the first enum string
- * @param last	enum value of the last enum string
- * @param prev	enum value of the "last" defined in ENUM_BEGIN/previous ENUM_NEXT
- * @param ...	a list of strings
- */
-#define ENUM_NEXT(name, first, last, prev, ...) static enum_name_t name##last = {first, last, &name##prev, { __VA_ARGS__ }}
-
-/**
- * Complete enum name list started with ENUM_BEGIN.
- *
- * @param name	name of the enum_name list
- * @param prev	enum value of the "last" defined in ENUM_BEGIN/previous ENUM_NEXT
- */
-#define ENUM_END(name, prev) enum_name_t *name = &name##prev;
-
-/**
- * Define a enum name with only one range.
- *
- * This is a convenience macro to use when a enum_name list contains only
- * one range, and is equal as defining ENUM_BEGIN followed by ENUM_END.
- *
- * @param name	name of the enum_name list
- * @param first	enum value of the first enum string
- * @param last	enum value of the last enum string
- * @param ...	a list of strings
- */
-#define ENUM(name, first, last, ...) ENUM_BEGIN(name, first, last, __VA_ARGS__); ENUM_END(name, last)
-
-/**
- * Convert a enum value to its string representation.
- *
- * @param e		enum names for this enum value
- * @param val	enum value to get string for
- * @return		string for enum, NULL if not found
- */
-char *enum_to_name(enum_name_t *e, int val);
-
-/**
- * Convert a enum string back to its enum value.
- *
- * @param e		enum names for this enum value
- * @param name	name to get enum value for
- * @return		enum value, -1 if not found
- */
-int enum_from_name(enum_name_t *e, char *name);
-
-/**
- * printf hook function for enum_names_t.
- *
- * Arguments are:
- *	enum_names_t *names, int value
- */
-int enum_printf_hook(printf_hook_data_t *data, printf_hook_spec_t *spec,
-					 const void *const *args);
-
-#endif /** ENUM_H_ @}*/
diff --git a/src/libstrongswan/fetcher/fetcher.h b/src/libstrongswan/fetcher/fetcher.h
index 5b734da3d..58451aef2 100644
--- a/src/libstrongswan/fetcher/fetcher.h
+++ b/src/libstrongswan/fetcher/fetcher.h
@@ -26,7 +26,7 @@ typedef struct fetcher_t fetcher_t;
 typedef enum fetcher_option_t fetcher_option_t;
 
 #include <stdarg.h>
-#include <chunk.h>
+#include <utils/chunk.h>
 
 /**
  * Constructor function which creates fetcher instances.
diff --git a/src/libstrongswan/fetcher/fetcher_manager.c b/src/libstrongswan/fetcher/fetcher_manager.c
index 9b363c7eb..a638eef2f 100644
--- a/src/libstrongswan/fetcher/fetcher_manager.c
+++ b/src/libstrongswan/fetcher/fetcher_manager.c
@@ -15,9 +15,9 @@
 
 #include "fetcher_manager.h"
 
-#include <debug.h>
+#include <utils/debug.h>
 #include <threading/rwlock.h>
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
 
 typedef struct private_fetcher_manager_t private_fetcher_manager_t;
 
diff --git a/src/libstrongswan/integrity_checker.c b/src/libstrongswan/integrity_checker.c
deleted file mode 100644
index e962aba70..000000000
--- a/src/libstrongswan/integrity_checker.c
+++ /dev/null
@@ -1,321 +0,0 @@
-/*
- * Copyright (C) 2009 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#define _GNU_SOURCE
-
-#include "integrity_checker.h"
-
-#include <dlfcn.h>
-#include <link.h>
-#include <fcntl.h>
-#include <errno.h>
-#include <unistd.h>
-#include <sys/mman.h>
-#include <sys/stat.h>
-#include <sys/types.h>
-
-#include "debug.h"
-#include "library.h"
-
-typedef struct private_integrity_checker_t private_integrity_checker_t;
-
-/**
- * Private data of an integrity_checker_t object.
- */
-struct private_integrity_checker_t {
-
-	/**
-	 * Public integrity_checker_t interface.
-	 */
-	integrity_checker_t public;
-
-	/**
-	 * dlopen handle to checksum library
-	 */
-	void *handle;
-
-	/**
-	 * checksum array
-	 */
-	integrity_checksum_t *checksums;
-
-	/**
-	 * number of checksums in array
-	 */
-	int checksum_count;
-};
-
-METHOD(integrity_checker_t, build_file, u_int32_t,
-	private_integrity_checker_t *this, char *file, size_t *len)
-{
-	u_int32_t checksum;
-	chunk_t contents;
-	struct stat sb;
-	void *addr;
-	int fd;
-
-	fd = open(file, O_RDONLY);
-	if (fd == -1)
-	{
-		DBG1(DBG_LIB, "  opening '%s' failed: %s", file, strerror(errno));
-		return 0;
-	}
-
-	if (fstat(fd, &sb) == -1)
-	{
-		DBG1(DBG_LIB, "  getting file size of '%s' failed: %s", file,
-			 strerror(errno));
-		close(fd);
-		return 0;
-	}
-
-	addr = mmap(NULL, sb.st_size, PROT_READ, MAP_PRIVATE, fd, 0);
-	if (addr == MAP_FAILED)
-	{
-		DBG1(DBG_LIB, "  mapping '%s' failed: %s", file, strerror(errno));
-		close(fd);
-		return 0;
-	}
-
-	*len = sb.st_size;
-	contents = chunk_create(addr, sb.st_size);
-	checksum = chunk_hash(contents);
-
-	munmap(addr, sb.st_size);
-	close(fd);
-
-	return checksum;
-}
-
-/**
- * dl_iterate_phdr callback function
- */
-static int callback(struct dl_phdr_info *dlpi, size_t size, Dl_info *dli)
-{
-	/* We are looking for the dlpi_addr matching the address of our dladdr().
-	 * dl_iterate_phdr() returns such an address for other (unknown) objects
-	 * in very rare cases (e.g. in a chrooted gentoo, but only if
-	 * the checksum_builder is invoked by 'make'). As a workaround, we filter
-	 * objects by dlpi_name; valid objects have a library name.
-	 */
-	if (dli->dli_fbase == (void*)dlpi->dlpi_addr &&
-		dlpi->dlpi_name && *dlpi->dlpi_name)
-	{
-		int i;
-
-		for (i = 0; i < dlpi->dlpi_phnum; i++)
-		{
-			const ElfW(Phdr) *sgmt = &dlpi->dlpi_phdr[i];
-
-			/* we are interested in the executable LOAD segment */
-			if (sgmt->p_type == PT_LOAD && (sgmt->p_flags & PF_X))
-			{
-				/* safe begin of segment in dli_fbase */
-				dli->dli_fbase = (void*)sgmt->p_vaddr + dlpi->dlpi_addr;
-				/* safe end of segment in dli_saddr */
-				dli->dli_saddr = dli->dli_fbase + sgmt->p_memsz;
-				return 1;
-			}
-		}
-	}
-	return 0;
-}
-
-METHOD(integrity_checker_t, build_segment, u_int32_t,
-	private_integrity_checker_t *this, void *sym, size_t *len)
-{
-	chunk_t segment;
-	Dl_info dli;
-
-	if (dladdr(sym, &dli) == 0)
-	{
-		DBG1(DBG_LIB, "  unable to locate symbol: %s", dlerror());
-		return 0;
-	}
-	/* we reuse the Dl_info struct as in/out parameter */
-	if (!dl_iterate_phdr((void*)callback, &dli))
-	{
-		DBG1(DBG_LIB, "  executable section not found");
-		return 0;
-	}
-
-	segment = chunk_create(dli.dli_fbase, dli.dli_saddr - dli.dli_fbase);
-	*len = segment.len;
-	return chunk_hash(segment);
-}
-
-/**
- * Find a checksum by its name
- */
-static integrity_checksum_t *find_checksum(private_integrity_checker_t *this,
-										   char *name)
-{
-	int i;
-
-	for (i = 0; i < this->checksum_count; i++)
-	{
-		if (streq(this->checksums[i].name, name))
-		{
-			return &this->checksums[i];
-		}
-	}
-	return NULL;
-}
-
-METHOD(integrity_checker_t, check_file, bool,
-	private_integrity_checker_t *this, char *name, char *file)
-{
-	integrity_checksum_t *cs;
-	u_int32_t sum;
-	size_t len = 0;
-
-	cs = find_checksum(this, name);
-	if (!cs)
-	{
-		DBG1(DBG_LIB, "  '%s' file checksum not found", name);
-		return FALSE;
-	}
-	sum = build_file(this, file, &len);
-	if (!sum)
-	{
-		return FALSE;
-	}
-	if (cs->file_len != len)
-	{
-		DBG1(DBG_LIB, "  invalid '%s' file size: %u bytes, expected %u bytes",
-			 name, len, cs->file_len);
-		return FALSE;
-	}
-	if (cs->file != sum)
-	{
-		DBG1(DBG_LIB, "  invalid '%s' file checksum: %08x, expected %08x",
-			 name, sum, cs->file);
-		return FALSE;
-	}
-	DBG2(DBG_LIB, "  valid '%s' file checksum: %08x", name, sum);
-	return TRUE;
-}
-
-METHOD(integrity_checker_t, check_segment, bool,
-	private_integrity_checker_t *this, char *name, void *sym)
-{
-	integrity_checksum_t *cs;
-	u_int32_t sum;
-	size_t len = 0;
-
-	cs = find_checksum(this, name);
-	if (!cs)
-	{
-		DBG1(DBG_LIB, "  '%s' segment checksum not found", name);
-		return FALSE;
-	}
-	sum = build_segment(this, sym, &len);
-	if (!sum)
-	{
-		return FALSE;
-	}
-	if (cs->segment_len != len)
-	{
-		DBG1(DBG_LIB, "  invalid '%s' segment size: %u bytes,"
-			 " expected %u bytes", name, len, cs->segment_len);
-		return FALSE;
-	}
-	if (cs->segment != sum)
-	{
-		DBG1(DBG_LIB, "  invalid '%s' segment checksum: %08x, expected %08x",
-			 name, sum, cs->segment);
-		return FALSE;
-	}
-	DBG2(DBG_LIB, "  valid '%s' segment checksum: %08x", name, sum);
-	return TRUE;
-}
-
-METHOD(integrity_checker_t, check, bool,
-	private_integrity_checker_t *this, char *name, void *sym)
-{
-	Dl_info dli;
-
-	if (dladdr(sym, &dli) == 0)
-	{
-		DBG1(DBG_LIB, "unable to locate symbol: %s", dlerror());
-		return FALSE;
-	}
-	if (!check_file(this, name, (char*)dli.dli_fname))
-	{
-		return FALSE;
-	}
-	if (!check_segment(this, name, sym))
-	{
-		return FALSE;
-	}
-	return TRUE;
-}
-
-METHOD(integrity_checker_t, destroy, void,
-	private_integrity_checker_t *this)
-{
-	if (this->handle)
-	{
-		dlclose(this->handle);
-	}
-	free(this);
-}
-
-/**
- * See header
- */
-integrity_checker_t *integrity_checker_create(char *checksum_library)
-{
-	private_integrity_checker_t *this;
-
-	INIT(this,
-		.public = {
-			.check_file = _check_file,
-			.build_file = _build_file,
-			.check_segment = _check_segment,
-			.build_segment = _build_segment,
-			.check = _check,
-			.destroy = _destroy,
-		},
-	);
-
-	if (checksum_library)
-	{
-		this->handle = dlopen(checksum_library, RTLD_LAZY);
-		if (this->handle)
-		{
-			int *checksum_count;
-
-			this->checksums = dlsym(this->handle, "checksums");
-			checksum_count = dlsym(this->handle, "checksum_count");
-			if (this->checksums && checksum_count)
-			{
-				this->checksum_count = *checksum_count;
-			}
-			else
-			{
-				DBG1(DBG_LIB, "checksum library '%s' invalid",
-					 checksum_library);
-			}
-		}
-		else
-		{
-			DBG1(DBG_LIB, "loading checksum library '%s' failed",
-				 checksum_library);
-		}
-	}
-	return &this->public;
-}
-
diff --git a/src/libstrongswan/integrity_checker.h b/src/libstrongswan/integrity_checker.h
deleted file mode 100644
index 891ccccf7..000000000
--- a/src/libstrongswan/integrity_checker.h
+++ /dev/null
@@ -1,110 +0,0 @@
-/*
- * Copyright (C) 2009 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup integrity_checker integrity_checker
- * @{ @ingroup libstrongswan
- */
-
-#ifndef INTEGRITY_CHECKER_H_
-#define INTEGRITY_CHECKER_H_
-
-#include "utils.h"
-
-typedef struct integrity_checker_t integrity_checker_t;
-typedef struct integrity_checksum_t integrity_checksum_t;
-
-/**
- * Struct to hold a precalculated checksum, implemented in the checksum library.
- */
-struct integrity_checksum_t {
-	/* name of the checksum */
-	char *name;
-	/* size in bytes of the file on disk */
-	size_t file_len;
-	/* checksum of the file on disk */
-	u_int32_t file;
-	/* size in bytes of executable segment in memory */
-	size_t segment_len;
-	/* checksum of the executable segment in memory */
-	u_int32_t segment;
-};
-
-/**
- * Code integrity checker to detect non-malicious file manipulation.
- *
- * The integrity checker reads the checksums from a separate library
- * libchecksum.so to compare the checksums.
- */
-struct integrity_checker_t {
-
-	/**
-	 * Check the integrity of a file on disk.
-	 *
-	 * @param name		name to lookup checksum
-	 * @param file		path to file
-	 * @return			TRUE if integrity tested successfully
-	 */
-	bool (*check_file)(integrity_checker_t *this, char *name, char *file);
-
-	/**
-	 * Build the integrity checksum of a file on disk.
-	 *
-	 * @param file		path to file
-	 * @param len		return length in bytes of file
-	 * @return			checksum, 0 on error
-	 */
-	u_int32_t (*build_file)(integrity_checker_t *this, char *file, size_t *len);
-
-	/**
-	 * Check the integrity of the code segment in memory.
-	 *
-	 * @param name		name to lookup checksum
-	 * @param sym		a symbol in the segment to check
-	 * @return			TRUE if integrity tested successfully
-	 */
-	bool (*check_segment)(integrity_checker_t *this, char *name, void *sym);
-	/**
-	 * Build the integrity checksum of a code segment in memory.
-	 *
-	 * @param sym		a symbol in the segment to check
-	 * @param len		return length in bytes of code segment in memory
-	 * @return			checksum, 0 on error
-	 */
-	u_int32_t (*build_segment)(integrity_checker_t *this, void *sym, size_t *len);
-
-	/**
-	 * Check both, on disk file integrity and loaded segment.
-	 *
-	 * @param name		name to lookup checksum
-	 * @param sym		a symbol to look up library and segment
-	 * @return			TRUE if integrity tested successfully
-	 */
-	bool (*check)(integrity_checker_t *this, char *name, void *sym);
-
-	/**
-	 * Destroy a integrity_checker_t.
-	 */
-	void (*destroy)(integrity_checker_t *this);
-};
-
-/**
- * Create a integrity_checker instance.
- *
- * @param checksum_library		library containing checksums
- */
-integrity_checker_t *integrity_checker_create(char *checksum_library);
-
-#endif /** INTEGRITY_CHECKER_H_ @}*/
diff --git a/src/libstrongswan/library.c b/src/libstrongswan/library.c
index 1179b468c..30a7774df 100644
--- a/src/libstrongswan/library.c
+++ b/src/libstrongswan/library.c
@@ -18,11 +18,11 @@
 
 #include <stdlib.h>
 
-#include <debug.h>
+#include <utils/debug.h>
 #include <threading/thread.h>
 #include <utils/identification.h>
-#include <utils/host.h>
-#include <utils/hashtable.h>
+#include <networking/host.h>
+#include <collections/hashtable.h>
 #include <utils/backtrace.h>
 #include <selectors/traffic_selector.h>
 
@@ -44,12 +44,22 @@ struct private_library_t {
 	 * Hashtable with registered objects (name => object)
 	 */
 	hashtable_t *objects;
+
+	/**
+	 * Integrity check failed?
+	 */
+	bool integrity_failed;
+
+	/**
+	 * Number of times we have been initialized
+	 */
+	refcount_t ref;
 };
 
 /**
  * library instance
  */
-library_t *lib;
+library_t *lib = NULL;
 
 /**
  * Deinitialize library
@@ -59,6 +69,11 @@ void library_deinit()
 	private_library_t *this = (private_library_t*)lib;
 	bool detailed;
 
+	if (!this || !ref_put(&this->ref))
+	{	/* have more users */
+		return;
+	}
+
 	detailed = lib->settings->get_bool(lib->settings,
 								"libstrongswan.leak_detective.detailed", TRUE);
 
@@ -68,6 +83,7 @@ void library_deinit()
 	this->public.scheduler->destroy(this->public.scheduler);
 	this->public.processor->destroy(this->public.processor);
 	this->public.plugins->destroy(this->public.plugins);
+	this->public.hosts->destroy(this->public.hosts);
 	this->public.settings->destroy(this->public.settings);
 	this->public.credmgr->destroy(this->public.credmgr);
 	this->public.creds->destroy(this->public.creds);
@@ -141,11 +157,19 @@ bool library_init(char *settings)
 	private_library_t *this;
 	printf_hook_t *pfh;
 
+	if (lib)
+	{	/* already initialized, increase refcount */
+		this = (private_library_t*)lib;
+		ref_get(&this->ref);
+		return !this->integrity_failed;
+	}
+
 	INIT(this,
 		.public = {
 			.get = _get,
 			.set = _set,
 		},
+		.ref = 1,
 	);
 	lib = &this->public;
 
@@ -183,6 +207,7 @@ bool library_init(char *settings)
 	this->objects = hashtable_create((hashtable_hash_t)hash,
 									 (hashtable_equals_t)equals, 4);
 	this->public.settings = settings_create(settings);
+	this->public.hosts = host_resolver_create();
 	this->public.proposal = proposal_keywords_create();
 	this->public.crypto = crypto_factory_create();
 	this->public.creds = credential_factory_create();
@@ -202,14 +227,14 @@ bool library_init(char *settings)
 		if (!lib->integrity->check(lib->integrity, "libstrongswan", library_init))
 		{
 			DBG1(DBG_LIB, "integrity check of libstrongswan failed");
-			return FALSE;
+			this->integrity_failed = TRUE;
 		}
 #else /* !INTEGRITY_TEST */
 		DBG1(DBG_LIB, "integrity test enabled, but not supported");
-		return FALSE;
+		this->integrity_failed = TRUE;
 #endif /* INTEGRITY_TEST */
 	}
 
-	return TRUE;
+	return !this->integrity_failed;
 }
 
diff --git a/src/libstrongswan/library.h b/src/libstrongswan/library.h
index b79bd91be..f164a6052 100644
--- a/src/libstrongswan/library.h
+++ b/src/libstrongswan/library.h
@@ -22,6 +22,9 @@
  * @defgroup bio bio
  * @ingroup libstrongswan
  *
+ * @defgroup collections collections
+ * @ingroup libstrongswan
+ *
  * @defgroup credentials credentials
  * @ingroup libstrongswan
  *
@@ -31,6 +34,9 @@
  * @defgroup certificates certificates
  * @ingroup credentials
  *
+ * @defgroup containers containers
+ * @ingroup credentials
+ *
  * @defgroup sets sets
  * @ingroup credentials
  *
@@ -46,6 +52,9 @@
  * @defgroup ipsec ipsec
  * @ingroup libstrongswan
  *
+ * @defgroup networking networking
+ * @ingroup libstrongswan
+ *
  * @defgroup plugins plugins
  * @ingroup libstrongswan
  *
@@ -74,11 +83,10 @@
 # error config.h not included, pass "-include [...]/config.h" to gcc
 #endif
 
-#include "printf_hook.h"
-#include "utils.h"
-#include "chunk.h"
-#include "settings.h"
-#include "integrity_checker.h"
+/* make sure we include printf_hook.h and utils.h first */
+#include "utils/printf_hook.h"
+#include "utils/utils.h"
+#include "networking/host_resolver.h"
 #include "processing/processor.h"
 #include "processing/scheduler.h"
 #include "crypto/crypto_factory.h"
@@ -88,7 +96,10 @@
 #include "credentials/credential_factory.h"
 #include "credentials/credential_manager.h"
 #include "credentials/cred_encoding.h"
+#include "utils/chunk.h"
+#include "utils/integrity_checker.h"
 #include "utils/leak_detective.h"
+#include "utils/settings.h"
 #include "plugins/plugin_loader.h"
 
 typedef struct library_t library_t;
@@ -170,6 +181,11 @@ struct library_t {
 	 */
 	scheduler_t *scheduler;
 
+	/**
+	 * resolve hosts by DNS name
+	 */
+	host_resolver_t *hosts;
+
 	/**
 	 * various settings loaded from settings file
 	 */
@@ -189,6 +205,9 @@ struct library_t {
 /**
  * Initialize library, creates "lib" instance.
  *
+ * library_init() may be called multiple times in a single process, but each
+ * caller should call library_deinit() for each call to library_init().
+ *
  * @param settings		file to read settings from, may be NULL for default
  * @return				FALSE if integrity check failed
  */
diff --git a/src/libstrongswan/networking/host.c b/src/libstrongswan/networking/host.c
new file mode 100644
index 000000000..bffa96064
--- /dev/null
+++ b/src/libstrongswan/networking/host.c
@@ -0,0 +1,597 @@
+/*
+ * Copyright (C) 2006-2012 Tobias Brunner
+ * Copyright (C) 2006 Daniel Roethlisberger
+ * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "host.h"
+
+#include <utils/debug.h>
+#include <library.h>
+
+#define IPV4_LEN	 4
+#define IPV6_LEN	16
+
+typedef struct private_host_t private_host_t;
+
+/**
+ * Private Data of a host object.
+ */
+struct private_host_t {
+	/**
+	 * Public data
+	 */
+	host_t public;
+
+	/**
+	 * low-lewel structure, which stores the address
+	 */
+	union {
+		/** generic type */
+		struct sockaddr address;
+		/** maximum sockaddr size */
+		struct sockaddr_storage address_max;
+		/** IPv4 address */
+		struct sockaddr_in address4;
+		/** IPv6 address */
+		struct sockaddr_in6 address6;
+	};
+	/**
+	 * length of address structure
+	 */
+	socklen_t socklen;
+};
+
+
+METHOD(host_t, get_sockaddr, sockaddr_t*,
+	private_host_t *this)
+{
+	return &(this->address);
+}
+
+METHOD(host_t, get_sockaddr_len, socklen_t*,
+	private_host_t *this)
+{
+	return &(this->socklen);
+}
+
+METHOD(host_t, is_anyaddr, bool,
+	private_host_t *this)
+{
+	static const u_int8_t zeroes[IPV6_LEN];
+
+	switch (this->address.sa_family)
+	{
+		case AF_INET:
+		{
+			return memeq(zeroes, &(this->address4.sin_addr.s_addr), IPV4_LEN);
+		}
+		case AF_INET6:
+		{
+			return memeq(zeroes, &(this->address6.sin6_addr.s6_addr), IPV6_LEN);
+		}
+		default:
+		{
+			return FALSE;
+		}
+	}
+}
+
+/**
+ * Described in header.
+ */
+int host_printf_hook(printf_hook_data_t *data, printf_hook_spec_t *spec,
+					 const void *const *args)
+{
+	private_host_t *this = *((private_host_t**)(args[0]));
+	char buffer[INET6_ADDRSTRLEN + 16];
+
+	if (this == NULL)
+	{
+		snprintf(buffer, sizeof(buffer), "(null)");
+	}
+	else if (is_anyaddr(this) && !spec->plus)
+	{
+		snprintf(buffer, sizeof(buffer), "%%any%s",
+				 this->address.sa_family == AF_INET6 ? "6" : "");
+	}
+	else
+	{
+		void *address;
+		u_int16_t port;
+		int len;
+
+		address = &this->address6.sin6_addr;
+		port = this->address6.sin6_port;
+
+		switch (this->address.sa_family)
+		{
+			case AF_INET:
+				address = &this->address4.sin_addr;
+				port = this->address4.sin_port;
+				/* fall */
+			case AF_INET6:
+
+				if (inet_ntop(this->address.sa_family, address,
+							  buffer, sizeof(buffer)) == NULL)
+				{
+					snprintf(buffer, sizeof(buffer),
+							 "(address conversion failed)");
+				}
+				else if (spec->hash)
+				{
+					len = strlen(buffer);
+					snprintf(buffer + len, sizeof(buffer) - len,
+							 "[%d]", ntohs(port));
+				}
+				break;
+			default:
+				snprintf(buffer, sizeof(buffer), "(family not supported)");
+				break;
+		}
+	}
+	if (spec->minus)
+	{
+		return print_in_hook(data, "%-*s", spec->width, buffer);
+	}
+	return print_in_hook(data, "%*s", spec->width, buffer);
+}
+
+METHOD(host_t, get_address, chunk_t,
+	private_host_t *this)
+{
+	chunk_t address = chunk_empty;
+
+	switch (this->address.sa_family)
+	{
+		case AF_INET:
+		{
+			address.ptr = (char*)&(this->address4.sin_addr.s_addr);
+			address.len = IPV4_LEN;
+			return address;
+		}
+		case AF_INET6:
+		{
+			address.ptr = (char*)&(this->address6.sin6_addr.s6_addr);
+			address.len = IPV6_LEN;
+			return address;
+		}
+		default:
+		{
+			/* return empty chunk */
+			return address;
+		}
+	}
+}
+
+METHOD(host_t, get_family, int,
+	private_host_t *this)
+{
+	return this->address.sa_family;
+}
+
+METHOD(host_t, get_port, u_int16_t,
+	private_host_t *this)
+{
+	switch (this->address.sa_family)
+	{
+		case AF_INET:
+		{
+			return ntohs(this->address4.sin_port);
+		}
+		case AF_INET6:
+		{
+			return ntohs(this->address6.sin6_port);
+		}
+		default:
+		{
+			return 0;
+		}
+	}
+}
+
+METHOD(host_t, set_port, void,
+	private_host_t *this, u_int16_t port)
+{
+	switch (this->address.sa_family)
+	{
+		case AF_INET:
+		{
+			this->address4.sin_port = htons(port);
+			break;
+		}
+		case AF_INET6:
+		{
+			this->address6.sin6_port = htons(port);
+			break;
+		}
+		default:
+		{
+			break;
+		}
+	}
+}
+
+METHOD(host_t, clone_, host_t*,
+	private_host_t *this)
+{
+	private_host_t *new;
+
+	new = malloc_thing(private_host_t);
+	memcpy(new, this, sizeof(private_host_t));
+
+	return &new->public;
+}
+
+/**
+ * Implements host_t.ip_equals
+ */
+static bool ip_equals(private_host_t *this, private_host_t *other)
+{
+	if (this->address.sa_family != other->address.sa_family)
+	{
+		/* 0.0.0.0 and 0::0 are equal */
+		return (is_anyaddr(this) && is_anyaddr(other));
+	}
+
+	switch (this->address.sa_family)
+	{
+		case AF_INET:
+		{
+			return memeq(&this->address4.sin_addr, &other->address4.sin_addr,
+						 sizeof(this->address4.sin_addr));
+		}
+		case AF_INET6:
+		{
+			return memeq(&this->address6.sin6_addr, &other->address6.sin6_addr,
+						 sizeof(this->address6.sin6_addr));
+		}
+		default:
+			break;
+	}
+	return FALSE;
+}
+
+/**
+ * Implements host_t.get_differences
+ */
+static host_diff_t get_differences(host_t *this, host_t *other)
+{
+	host_diff_t ret = HOST_DIFF_NONE;
+
+	if (!this->ip_equals(this, other))
+	{
+		ret |= HOST_DIFF_ADDR;
+	}
+
+	if (this->get_port(this) != other->get_port(other))
+	{
+		ret |= HOST_DIFF_PORT;
+	}
+
+	return ret;
+}
+
+/**
+ * Implements host_t.equals
+ */
+static bool equals(private_host_t *this, private_host_t *other)
+{
+	if (!ip_equals(this, other))
+	{
+		return FALSE;
+	}
+
+	switch (this->address.sa_family)
+	{
+		case AF_INET:
+		{
+			return (this->address4.sin_port == other->address4.sin_port);
+		}
+		case AF_INET6:
+		{
+			return (this->address6.sin6_port == other->address6.sin6_port);
+		}
+		default:
+			break;
+	}
+	return FALSE;
+}
+
+METHOD(host_t, destroy, void,
+	private_host_t *this)
+{
+	free(this);
+}
+
+/**
+ * Creates an empty host_t object
+ */
+static private_host_t *host_create_empty(void)
+{
+	private_host_t *this;
+
+	INIT(this,
+		.public = {
+			.get_sockaddr = _get_sockaddr,
+			.get_sockaddr_len = _get_sockaddr_len,
+			.clone = _clone_,
+			.get_family = _get_family,
+			.get_address = _get_address,
+			.get_port = _get_port,
+			.set_port = _set_port,
+			.get_differences = get_differences,
+			.ip_equals = (bool (*)(host_t *,host_t *))ip_equals,
+			.equals = (bool (*)(host_t *,host_t *)) equals,
+			.is_anyaddr = _is_anyaddr,
+			.destroy = _destroy,
+		},
+	);
+
+	return this;
+}
+
+/*
+ * Create a %any host with port
+ */
+static host_t *host_create_any_port(int family, u_int16_t port)
+{
+	host_t *this;
+
+	this = host_create_any(family);
+	this->set_port(this, port);
+	return this;
+}
+
+/*
+ * Described in header.
+ */
+host_t *host_create_from_string_and_family(char *string, int family,
+										   u_int16_t port)
+{
+	union {
+		struct sockaddr_in v4;
+		struct sockaddr_in6 v6;
+	} addr;
+
+	if (streq(string, "%any"))
+	{
+		return host_create_any_port(family ? family : AF_INET, port);
+	}
+	if (family == AF_UNSPEC || family == AF_INET)
+	{
+		if (streq(string, "%any4") || streq(string, "0.0.0.0"))
+		{
+			return host_create_any_port(AF_INET, port);
+		}
+	}
+	if (family == AF_UNSPEC || family == AF_INET6)
+	{
+		if (streq(string, "%any6") || streq(string, "::"))
+		{
+			return host_create_any_port(AF_INET6, port);
+		}
+	}
+	switch (family)
+	{
+		case AF_UNSPEC:
+			if (strchr(string, '.'))
+			{
+				goto af_inet;
+			}
+			/* FALL */
+		case AF_INET6:
+			if (inet_pton(AF_INET6, string, &addr.v6.sin6_addr) != 1)
+			{
+				return NULL;
+			}
+			addr.v6.sin6_port = htons(port);
+			addr.v6.sin6_family = AF_INET6;
+			return host_create_from_sockaddr((sockaddr_t*)&addr);
+		case AF_INET:
+			if (strchr(string, ':'))
+			{	/* do not try to convert v6 addresses for v4 family */
+				return NULL;
+			}
+		af_inet:
+			if (inet_pton(AF_INET, string, &addr.v4.sin_addr) != 1)
+			{
+				return NULL;
+			}
+			addr.v4.sin_port = htons(port);
+			addr.v4.sin_family = AF_INET;
+			return host_create_from_sockaddr((sockaddr_t*)&addr);
+		default:
+			return NULL;
+	}
+}
+
+/*
+ * Described in header.
+ */
+host_t *host_create_from_string(char *string, u_int16_t port)
+{
+	return host_create_from_string_and_family(string, AF_UNSPEC, port);
+}
+
+/*
+ * Described in header.
+ */
+host_t *host_create_from_sockaddr(sockaddr_t *sockaddr)
+{
+	private_host_t *this = host_create_empty();
+
+	switch (sockaddr->sa_family)
+	{
+		case AF_INET:
+		{
+			memcpy(&this->address4, (struct sockaddr_in*)sockaddr,
+				   sizeof(struct sockaddr_in));
+			this->socklen = sizeof(struct sockaddr_in);
+			return &this->public;
+		}
+		case AF_INET6:
+		{
+			memcpy(&this->address6, (struct sockaddr_in6*)sockaddr,
+				   sizeof(struct sockaddr_in6));
+			this->socklen = sizeof(struct sockaddr_in6);
+			return &this->public;
+		}
+		default:
+			break;
+	}
+	free(this);
+	return NULL;
+}
+
+/*
+ * Described in header.
+ */
+host_t *host_create_from_dns(char *string, int af, u_int16_t port)
+{
+	host_t *this;
+
+	this = host_create_from_string_and_family(string, af, port);
+	if (!this)
+	{
+		this = lib->hosts->resolve(lib->hosts, string, af);
+	}
+	if (this)
+	{
+		this->set_port(this, port);
+	}
+	return this;
+}
+
+/*
+ * Described in header.
+ */
+host_t *host_create_from_chunk(int family, chunk_t address, u_int16_t port)
+{
+	private_host_t *this;
+
+	switch (family)
+	{
+		case AF_INET:
+			if (address.len < IPV4_LEN)
+			{
+				return NULL;
+			}
+			address.len = IPV4_LEN;
+			break;
+		case AF_INET6:
+			if (address.len < IPV6_LEN)
+			{
+				return NULL;
+			}
+			address.len = IPV6_LEN;
+			break;
+		case AF_UNSPEC:
+			switch (address.len)
+			{
+				case IPV4_LEN:
+					family = AF_INET;
+					break;
+				case IPV6_LEN:
+					family = AF_INET6;
+					break;
+				default:
+					return NULL;
+			}
+			break;
+		default:
+			return NULL;
+	}
+	this = host_create_empty();
+	this->address.sa_family = family;
+	switch (family)
+	{
+		case AF_INET:
+			memcpy(&this->address4.sin_addr.s_addr, address.ptr, address.len);
+			this->address4.sin_port = htons(port);
+			this->socklen = sizeof(struct sockaddr_in);
+			break;
+		case AF_INET6:
+			memcpy(&this->address6.sin6_addr.s6_addr, address.ptr, address.len);
+			this->address6.sin6_port = htons(port);
+			this->socklen = sizeof(struct sockaddr_in6);
+			break;
+	}
+	return &this->public;
+}
+
+/*
+ * Described in header.
+ */
+host_t *host_create_from_subnet(char *string, int *bits)
+{
+	char *pos, buf[64];
+	host_t *net;
+
+	pos = strchr(string, '/');
+	if (pos)
+	{
+		if (pos - string >= sizeof(buf))
+		{
+			return NULL;
+		}
+		strncpy(buf, string, pos - string);
+		buf[pos - string] = '\0';
+		*bits = atoi(pos + 1);
+		return host_create_from_string(buf, 0);
+	}
+	net = host_create_from_string(string, 0);
+	if (net)
+	{
+		if (net->get_family(net) == AF_INET)
+		{
+			*bits = 32;
+		}
+		else
+		{
+			*bits = 128;
+		}
+	}
+	return net;
+}
+
+/*
+ * Described in header.
+ */
+host_t *host_create_any(int family)
+{
+	private_host_t *this = host_create_empty();
+
+	memset(&this->address_max, 0, sizeof(struct sockaddr_storage));
+	this->address.sa_family = family;
+
+	switch (family)
+	{
+		case AF_INET:
+		{
+			this->socklen = sizeof(struct sockaddr_in);
+			return &(this->public);
+		}
+		case AF_INET6:
+		{
+			this->socklen = sizeof(struct sockaddr_in6);
+			return &this->public;
+		}
+		default:
+			break;
+	}
+	free(this);
+	return NULL;
+}
diff --git a/src/libstrongswan/networking/host.h b/src/libstrongswan/networking/host.h
new file mode 100644
index 000000000..25f334779
--- /dev/null
+++ b/src/libstrongswan/networking/host.h
@@ -0,0 +1,231 @@
+/*
+ * Copyright (C) 2006-2009 Tobias Brunner
+ * Copyright (C) 2006 Daniel Roethlisberger
+ * Copyright (C) 2005-2008 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup host host
+ * @{ @ingroup networking
+ */
+
+#ifndef HOST_H_
+#define HOST_H_
+
+typedef enum host_diff_t host_diff_t;
+typedef struct host_t host_t;
+
+#include <stdlib.h>
+#include <stdio.h>
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <arpa/inet.h>
+
+#include <utils/chunk.h>
+
+/**
+ * Differences between two hosts. They differ in
+ * address, port, or both.
+ */
+enum host_diff_t {
+	HOST_DIFF_NONE = 0,
+	HOST_DIFF_ADDR = 1,
+	HOST_DIFF_PORT = 2,
+};
+
+/**
+ * Representates a Host
+ *
+ * Host object, identifies a address:port pair and defines some
+ * useful functions on it.
+ */
+struct host_t {
+
+	/**
+	 * Build a clone of this host object.
+	 *
+	 * @return		cloned host
+	 */
+	host_t *(*clone) (host_t *this);
+
+	/**
+	 * Get a pointer to the internal sockaddr struct.
+	 *
+	 * This is used for sending and receiving via sockets.
+	 *
+	 * @return		pointer to the internal sockaddr structure
+	 */
+	sockaddr_t  *(*get_sockaddr) (host_t *this);
+
+	/**
+	 * Get the length of the sockaddr struct.
+	 *
+	 * Depending on the family, the length of the sockaddr struct
+	 * is different. Use this function to get the length of the sockaddr
+	 * struct returned by get_sock_addr.
+	 *
+	 * This is used for sending and receiving via sockets.
+	 *
+	 * @return		length of the sockaddr struct
+	 */
+	socklen_t *(*get_sockaddr_len) (host_t *this);
+
+	/**
+	 * Gets the family of the address
+	 *
+	 * @return		family
+	 */
+	int (*get_family) (host_t *this);
+
+	/**
+	 * Checks if the ip address of host is set to default route.
+	 *
+	 * @return		TRUE if host is 0.0.0.0 or 0::0, FALSE otherwise
+	 */
+	bool (*is_anyaddr) (host_t *this);
+
+	/**
+	 * Get the address of this host as chunk_t
+	 *
+	 * Returned chunk points to internal data.
+	 *
+	 * @return		address string,
+	 */
+	chunk_t (*get_address) (host_t *this);
+
+	/**
+	 * Get the port of this host
+	 *
+	 * @return		port number
+	 */
+	u_int16_t (*get_port) (host_t *this);
+
+	/**
+	 * Set the port of this host
+	 *
+	 * @param port	port numer
+	 */
+	void (*set_port) (host_t *this, u_int16_t port);
+
+	/**
+	 * Compare the ips of two hosts hosts.
+	 *
+	 * @param other	the other to compare
+	 * @return		TRUE if addresses are equal.
+	 */
+	bool (*ip_equals) (host_t *this, host_t *other);
+
+	/**
+	 * Compare two hosts, with port.
+	 *
+	 * @param other	the other to compare
+	 * @return		TRUE if addresses and ports are equal.
+	 */
+	bool (*equals) (host_t *this, host_t *other);
+
+	/**
+	 * Compare two hosts and return the differences.
+	 *
+	 * @param other	the other to compare
+	 * @return		differences in a combination of host_diff_t's
+	 */
+	host_diff_t (*get_differences) (host_t *this, host_t *other);
+
+	/**
+	 * Destroy this host object.
+	 */
+	void (*destroy) (host_t *this);
+};
+
+/**
+ * Constructor to create a host_t object from an address string.
+ *
+ * @param string		string of an address, such as "152.96.193.130"
+ * @param port			port number
+ * @return				host_t, NULL if string not an address.
+ */
+host_t *host_create_from_string(char *string, u_int16_t port);
+
+/**
+ * Same as host_create_from_string(), but with the option to enforce a family.
+ *
+ * @param string		string of an address
+ * @param family		address family, or AF_UNSPEC
+ * @param port			port number
+ * @return				host_t, NULL if string not an address.
+ */
+host_t *host_create_from_string_and_family(char *string, int family,
+										   u_int16_t port);
+
+/**
+ * Constructor to create a host_t from a DNS name.
+ *
+ * @param string		hostname to resolve
+ * @param family		family to prefer, 0 for first match
+ * @param port			port number
+ * @return				host_t, NULL lookup failed
+ */
+host_t *host_create_from_dns(char *string, int family, u_int16_t port);
+
+/**
+ * Constructor to create a host_t object from an address chunk.
+ *
+ * If family is AF_UNSPEC, it is guessed using address.len.
+ *
+ * @param family		Address family, such as AF_INET or AF_INET6
+ * @param address		address as chunk_t in network order
+ * @param port			port number
+ * @return				host_t, NULL if family not supported/chunk invalid
+ */
+host_t *host_create_from_chunk(int family, chunk_t address, u_int16_t port);
+
+/**
+ * Constructor to create a host_t object from a sockaddr struct
+ *
+ * @param sockaddr		sockaddr struct which contains family, address and port
+ * @return				host_t, NULL if family not supported
+ */
+host_t *host_create_from_sockaddr(sockaddr_t *sockaddr);
+
+/**
+ * Create a host from a CIDR subnet definition (1.2.3.0/24), return bits.
+ *
+ * @param string		string to parse
+ * @param bits			gets the number of network bits in CIDR notation
+ * @return				network start address, NULL on error
+ */
+host_t *host_create_from_subnet(char *string, int *bits);
+
+/**
+ * Create a host without an address, a "any" host.
+ *
+ * @param family		family of the any host
+ * @return				host_t, NULL if family not supported
+ */
+host_t *host_create_any(int family);
+
+/**
+ * printf hook function for host_t.
+ *
+ * Arguments are:
+ *	host_t *host
+ * Use #-modifier to include port number
+ * Use +-modifier to force numeric representation (instead of e.g. %any)
+ */
+int host_printf_hook(printf_hook_data_t *data, printf_hook_spec_t *spec,
+					 const void *const *args);
+
+#endif /** HOST_H_ @}*/
diff --git a/src/libstrongswan/networking/host_resolver.c b/src/libstrongswan/networking/host_resolver.c
new file mode 100644
index 000000000..5e244f114
--- /dev/null
+++ b/src/libstrongswan/networking/host_resolver.c
@@ -0,0 +1,351 @@
+/*
+ * Copyright (C) 2012 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <netdb.h>
+
+#include "host_resolver.h"
+
+#include <library.h>
+#include <utils/debug.h>
+#include <threading/condvar.h>
+#include <threading/mutex.h>
+#include <threading/thread.h>
+#include <collections/hashtable.h>
+#include <collections/linked_list.h>
+
+/**
+ * Default minimum and maximum number of threads
+ */
+#define MIN_THREADS_DEFAULT 0
+#define MAX_THREADS_DEFAULT 3
+
+/**
+ * Timeout in seconds to wait for new queries until a thread may be stopped
+ */
+#define NEW_QUERY_WAIT_TIMEOUT 30
+
+typedef struct private_host_resolver_t private_host_resolver_t;
+
+/**
+ * Private data of host_resolver_t
+ */
+struct private_host_resolver_t {
+
+	/**
+	 * Public interface
+	 */
+	host_resolver_t public;
+
+	/**
+	 * Hashtable to check for queued queries, query_t*
+	 */
+	hashtable_t *queries;
+
+	/**
+	 * Queue for queries, query_t*
+	 */
+	linked_list_t *queue;
+
+	/**
+	 * Mutex to safely access private data
+	 */
+	mutex_t *mutex;
+
+	/**
+	 * Condvar to signal arrival of new queries
+	 */
+	condvar_t *new_query;
+
+	/**
+	 * Minimum number of resolver threads
+	 */
+	u_int min_threads;
+
+	/**
+	 * Maximum number of resolver threads
+	 */
+	u_int max_threads;
+
+	/**
+	 * Current number of threads
+	 */
+	u_int threads;
+
+	/**
+	 * Current number of busy threads
+	 */
+	u_int busy_threads;
+
+	/**
+	 * Pool of threads, thread_t*
+	 */
+	linked_list_t *pool;
+
+	/**
+	 * TRUE if no new queries are accepted
+	 */
+	bool disabled;
+
+};
+
+typedef struct {
+	/** DNS name we are looking for */
+	char *name;
+	/** address family we request */
+	int family;
+	/** Condvar to signal completion of a query */
+	condvar_t *done;
+	/** refcount */
+	refcount_t refcount;
+	/** the result if successful */
+	host_t *result;
+} query_t;
+
+/**
+ * Destroy the given query_t object if refcount is zero
+ */
+static void query_destroy(query_t *this)
+{
+	if (ref_put(&this->refcount))
+	{
+		DESTROY_IF(this->result);
+		this->done->destroy(this->done);
+		free(this->name);
+		free(this);
+	}
+}
+
+/**
+ * Signals all waiting threads and destroys the query
+ */
+static void query_signal_and_destroy(query_t *this)
+{
+	this->done->broadcast(this->done);
+	query_destroy(this);
+}
+
+/**
+ * Hash a queued query
+ */
+static u_int query_hash(query_t *this)
+{
+	return chunk_hash_inc(chunk_create(this->name, strlen(this->name)),
+						  chunk_hash(chunk_from_thing(this->family)));
+}
+
+/**
+ * Compare two queued queries
+ */
+static bool query_equals(query_t *this, query_t *other)
+{
+	return this->family == other->family && streq(this->name, other->name);
+}
+
+/**
+ * Main function of resolver threads
+ */
+static void *resolve_hosts(private_host_resolver_t *this)
+{
+	struct addrinfo hints, *result;
+	query_t *query;
+	int error;
+	bool old, timed_out;
+
+	while (TRUE)
+	{
+		this->mutex->lock(this->mutex);
+		thread_cleanup_push((thread_cleanup_t)this->mutex->unlock, this->mutex);
+		while (this->queue->remove_first(this->queue,
+										(void**)&query) != SUCCESS)
+		{
+			old = thread_cancelability(TRUE);
+			timed_out = this->new_query->timed_wait(this->new_query,
+									this->mutex, NEW_QUERY_WAIT_TIMEOUT * 1000);
+			thread_cancelability(old);
+			if (this->disabled)
+			{
+				thread_cleanup_pop(TRUE);
+				return NULL;
+			}
+			else if (timed_out && (this->threads > this->min_threads))
+			{	/* terminate this thread by detaching it */
+				thread_t *thread = thread_current();
+
+				this->threads--;
+				this->pool->remove(this->pool, thread, NULL);
+				thread_cleanup_pop(TRUE);
+				thread->detach(thread);
+				return NULL;
+			}
+		}
+		this->busy_threads++;
+		thread_cleanup_pop(TRUE);
+
+		memset(&hints, 0, sizeof(hints));
+		hints.ai_family = query->family;
+		hints.ai_socktype = SOCK_DGRAM;
+
+		thread_cleanup_push((thread_cleanup_t)query_signal_and_destroy, query);
+		old = thread_cancelability(TRUE);
+		error = getaddrinfo(query->name, NULL, &hints, &result);
+		thread_cancelability(old);
+		thread_cleanup_pop(FALSE);
+
+		this->mutex->lock(this->mutex);
+		this->busy_threads--;
+		if (error != 0)
+		{
+			DBG1(DBG_LIB, "resolving '%s' failed: %s", query->name,
+				 gai_strerror(error));
+		}
+		else
+		{	/* result is a linked list, but we use only the first address */
+			query->result = host_create_from_sockaddr(result->ai_addr);
+			freeaddrinfo(result);
+		}
+		this->queries->remove(this->queries, query);
+		query->done->broadcast(query->done);
+		this->mutex->unlock(this->mutex);
+		query_destroy(query);
+	}
+	return NULL;
+}
+
+METHOD(host_resolver_t, resolve, host_t*,
+	private_host_resolver_t *this, char *name, int family)
+{
+	query_t *query, lookup = {
+		.name = name,
+		.family = family,
+	};
+	host_t *result;
+
+	if (family == AF_INET && strchr(name, ':'))
+	{	/* do not try to convert v6 addresses for v4 family */
+		return NULL;
+	}
+	this->mutex->lock(this->mutex);
+	if (this->disabled)
+	{
+		this->mutex->unlock(this->mutex);
+		return NULL;
+	}
+	query = this->queries->get(this->queries, &lookup);
+	if (!query)
+	{
+		INIT(query,
+			.name = strdup(name),
+			.family = family,
+			.done = condvar_create(CONDVAR_TYPE_DEFAULT),
+			.refcount = 1,
+		);
+		this->queries->put(this->queries, query, query);
+		this->queue->insert_last(this->queue, query);
+		this->new_query->signal(this->new_query);
+	}
+	ref_get(&query->refcount);
+	if (this->busy_threads == this->threads &&
+		this->threads < this->max_threads)
+	{
+		thread_t *thread;
+
+		thread = thread_create((thread_main_t)resolve_hosts, this);
+		if (thread)
+		{
+			this->threads++;
+			this->pool->insert_last(this->pool, thread);
+		}
+	}
+	query->done->wait(query->done, this->mutex);
+	this->mutex->unlock(this->mutex);
+
+	result = query->result ? query->result->clone(query->result) : NULL;
+	query_destroy(query);
+	return result;
+}
+
+METHOD(host_resolver_t, flush, void,
+	private_host_resolver_t *this)
+{
+	enumerator_t *enumerator;
+	query_t *query;
+
+	this->mutex->lock(this->mutex);
+	enumerator = this->queries->create_enumerator(this->queries);
+	while (enumerator->enumerate(enumerator, &query, NULL))
+	{	/* use the hashtable here as we also want to signal dequeued queries */
+		this->queries->remove_at(this->queries, enumerator);
+		query->done->broadcast(query->done);
+	}
+	enumerator->destroy(enumerator);
+	this->queue->destroy_function(this->queue, (void*)query_destroy);
+	this->queue = linked_list_create();
+	this->disabled = TRUE;
+	/* this will already terminate most idle threads */
+	this->new_query->broadcast(this->new_query);
+	this->mutex->unlock(this->mutex);
+}
+
+METHOD(host_resolver_t, destroy, void,
+	private_host_resolver_t *this)
+{
+	thread_t *thread;
+
+	flush(this);
+	this->pool->invoke_offset(this->pool, offsetof(thread_t, cancel));
+	while (this->pool->remove_first(this->pool, (void**)&thread) == SUCCESS)
+	{
+		thread->join(thread);
+	}
+	this->pool->destroy(this->pool);
+	this->queue->destroy(this->queue);
+	this->queries->destroy(this->queries);
+	this->new_query->destroy(this->new_query);
+	this->mutex->destroy(this->mutex);
+	free(this);
+}
+
+/*
+ * Described in header
+ */
+host_resolver_t *host_resolver_create()
+{
+	private_host_resolver_t *this;
+
+	INIT(this,
+		.public = {
+			.resolve = _resolve,
+			.flush = _flush,
+			.destroy = _destroy,
+		},
+		.queries = hashtable_create((hashtable_hash_t)query_hash,
+									(hashtable_equals_t)query_equals, 8),
+		.queue = linked_list_create(),
+		.pool = linked_list_create(),
+		.mutex = mutex_create(MUTEX_TYPE_DEFAULT),
+		.new_query = condvar_create(CONDVAR_TYPE_DEFAULT),
+	);
+
+	this->min_threads = max(0, lib->settings->get_int(lib->settings,
+									"libstrongswan.host_resolver.min_threads",
+									 MIN_THREADS_DEFAULT));
+	this->max_threads = max(this->min_threads ?: 1,
+							lib->settings->get_int(lib->settings,
+									"libstrongswan.host_resolver.max_threads",
+									 MAX_THREADS_DEFAULT));
+	return &this->public;
+}
diff --git a/src/libstrongswan/networking/host_resolver.h b/src/libstrongswan/networking/host_resolver.h
new file mode 100644
index 000000000..f944a9cdf
--- /dev/null
+++ b/src/libstrongswan/networking/host_resolver.h
@@ -0,0 +1,60 @@
+/*
+ * Copyright (C) 2012 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup host_resolver host_resolver
+ * @{ @ingroup networking
+ */
+
+#ifndef HOST_RESOLVER_H_
+#define HOST_RESOLVER_H_
+
+#include "host.h"
+
+typedef struct host_resolver_t host_resolver_t;
+
+/**
+ * Resolve hosts by DNS name but do so in a separate thread (calling
+ * getaddrinfo(3) directly might block indefinitely, or at least a very long
+ * time if no DNS servers are reachable).
+ */
+struct host_resolver_t {
+
+	/**
+	 * Resolve host from the given DNS name.
+	 *
+	 * @param name		name to lookup
+	 * @param family	requested address family
+	 * @return			resolved host or NULL if failed or canceled
+	 */
+	host_t *(*resolve)(host_resolver_t *this, char *name, int family);
+
+	/**
+	 * Flush the queue of queries. No new queries will be accepted afterwards.
+	 */
+	void (*flush)(host_resolver_t *this);
+
+	/**
+	 * Destroy a host_resolver_t.
+	 */
+	void (*destroy)(host_resolver_t *this);
+};
+
+/**
+ * Create a host_resolver_t instance.
+ */
+host_resolver_t *host_resolver_create();
+
+#endif /** HOST_RESOLVER_H_ @}*/
diff --git a/src/libstrongswan/networking/packet.c b/src/libstrongswan/networking/packet.c
new file mode 100644
index 000000000..a2c329d60
--- /dev/null
+++ b/src/libstrongswan/networking/packet.c
@@ -0,0 +1,163 @@
+/*
+ * Copyright (C) 2012 Tobias Brunner
+ * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "packet.h"
+
+typedef struct private_packet_t private_packet_t;
+
+/**
+ * Private data of an packet_t object.
+ */
+struct private_packet_t {
+
+	/**
+	 * Public part of a packet_t object.
+	 */
+	packet_t public;
+
+	/**
+	 * source address
+	 */
+	host_t *source;
+
+	/**
+	 * destination address
+	 */
+	host_t *destination;
+
+	 /**
+	  * message data
+	  */
+	chunk_t data;
+
+	/**
+	 * actual chunk returned from get_data, adjusted when skip_bytes is called
+	 */
+	chunk_t adjusted_data;
+};
+
+METHOD(packet_t, set_source, void,
+	private_packet_t *this, host_t *source)
+{
+	DESTROY_IF(this->source);
+	this->source = source;
+}
+
+METHOD(packet_t, set_destination, void,
+	private_packet_t *this, host_t *destination)
+{
+	DESTROY_IF(this->destination);
+	this->destination = destination;
+}
+
+METHOD(packet_t, get_source, host_t*,
+	private_packet_t *this)
+{
+	return this->source;
+}
+
+METHOD(packet_t, get_destination, host_t*,
+	private_packet_t *this)
+{
+	return this->destination;
+}
+
+METHOD(packet_t, get_data, chunk_t,
+	private_packet_t *this)
+{
+	return this->adjusted_data;
+}
+
+METHOD(packet_t, set_data, void,
+	private_packet_t *this, chunk_t data)
+{
+	free(this->data.ptr);
+	this->adjusted_data = this->data = data;
+}
+
+METHOD(packet_t, skip_bytes, void,
+	private_packet_t *this, size_t bytes)
+{
+	this->adjusted_data = chunk_skip(this->adjusted_data, bytes);
+}
+
+METHOD(packet_t, destroy, void,
+	private_packet_t *this)
+{
+	DESTROY_IF(this->source);
+	DESTROY_IF(this->destination);
+	free(this->data.ptr);
+	free(this);
+}
+
+METHOD(packet_t, clone_, packet_t*,
+	private_packet_t *this)
+{
+	packet_t *other;
+
+	other = packet_create();
+	if (this->destination)
+	{
+		other->set_destination(other,
+							   this->destination->clone(this->destination));
+	}
+	if (this->source)
+	{
+		other->set_source(other, this->source->clone(this->source));
+	}
+	if (this->data.ptr)
+	{
+		other->set_data(other, chunk_clone(this->adjusted_data));
+	}
+	return other;
+}
+
+/**
+ * Described in header.
+ */
+packet_t *packet_create_from_data(host_t *src, host_t *dst, chunk_t data)
+{
+	private_packet_t *this;
+
+	INIT(this,
+		.public = {
+			.set_data = _set_data,
+			.get_data = _get_data,
+			.set_source = _set_source,
+			.get_source = _get_source,
+			.set_destination = _set_destination,
+			.get_destination = _get_destination,
+			.skip_bytes = _skip_bytes,
+			.clone = _clone_,
+			.destroy = _destroy,
+		},
+		.source = src,
+		.destination = dst,
+		.adjusted_data = data,
+		.data = data,
+	);
+
+	return &this->public;
+}
+
+/*
+ * Described in header.
+ */
+packet_t *packet_create()
+{
+	return packet_create_from_data(NULL, NULL, chunk_empty);
+}
diff --git a/src/libstrongswan/networking/packet.h b/src/libstrongswan/networking/packet.h
new file mode 100644
index 000000000..6fb9cece2
--- /dev/null
+++ b/src/libstrongswan/networking/packet.h
@@ -0,0 +1,121 @@
+/*
+ * Copyright (C) 2012 Tobias Brunner
+ * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup packet packet
+ * @{ @ingroup networking
+ */
+
+#ifndef PACKET_H_
+#define PACKET_H_
+
+typedef struct packet_t packet_t;
+
+#include <library.h>
+#include <networking/host.h>
+
+/**
+ * Abstraction of an IP/UDP-Packet, contains data, sender and receiver.
+ */
+struct packet_t {
+
+	/**
+	 * Set the source address.
+	 *
+	 * @param source	address to set as source (gets owned)
+	 */
+	void (*set_source)(packet_t *packet, host_t *source);
+
+	/**
+	 * Set the destination address.
+	 *
+	 * @param source	address to set as destination (gets owned)
+	 */
+	void (*set_destination)(packet_t *packet, host_t *destination);
+
+	/**
+	 * Get the source address.
+	 *
+	 * @return			source address (internal data)
+	 */
+	host_t *(*get_source)(packet_t *packet);
+
+	/**
+	 * Get the destination address.
+	 *
+	 * @return			destination address (internal data)
+	 */
+	host_t *(*get_destination)(packet_t *packet);
+
+	/**
+	 * Get the data from the packet.
+	 *
+	 * @return			chunk containing the data (internal data)
+	 */
+	chunk_t (*get_data)(packet_t *packet);
+
+	/**
+	 * Set the data in the packet.
+	 *
+	 * @param data		chunk with data to set (gets owned)
+	 */
+	void (*set_data)(packet_t *packet, chunk_t data);
+
+	/**
+	 * Increase the offset where the actual packet data starts.
+	 *
+	 * The total offset applies to future calls of get_data() and clone().
+	 *
+	 * @note The offset is reset to 0 when set_data() is called.
+	 *
+	 * @param bytes		the number of additional bytes to skip
+	 */
+	void (*skip_bytes)(packet_t *packet, size_t bytes);
+
+	/**
+	 * Clones a packet_t object.
+	 *
+	 * @note Data is cloned without skipped bytes.
+	 *
+	 * @param clone		clone of the packet
+	 */
+	packet_t* (*clone)(packet_t *packet);
+
+	/**
+	 * Destroy the packet, freeing contained data.
+	 */
+	void (*destroy)(packet_t *packet);
+};
+
+/**
+ * Create an empty packet
+ *
+ * @return packet_t object
+ */
+packet_t *packet_create();
+
+/**
+ * Create a packet from the supplied data
+ *
+ * @param src			source address (gets owned)
+ * @param dst			destination address (gets owned)
+ * @param data			packet data (gets owned)
+ * @return packet_t object
+ */
+packet_t *packet_create_from_data(host_t *src, host_t *dst, chunk_t data);
+
+#endif /** PACKET_H_ @}*/
diff --git a/src/libstrongswan/networking/tun_device.c b/src/libstrongswan/networking/tun_device.c
new file mode 100644
index 000000000..d07327e5c
--- /dev/null
+++ b/src/libstrongswan/networking/tun_device.c
@@ -0,0 +1,461 @@
+/*
+ * Copyright (C) 2012 Tobias Brunner
+ * Copyright (C) 2012 Giuliano Grassi
+ * Copyright (C) 2012 Ralf Sager
+ * Hochschule fuer Technik Rapperswil
+ * Copyright (C) 2012 Martin Willi
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <errno.h>
+#include <fcntl.h>
+#include <netinet/in.h>
+#include <string.h>
+#include <sys/ioctl.h>
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <sys/stat.h>
+#include <unistd.h>
+#include <net/if.h>
+
+#ifdef __APPLE__
+#include <net/if_utun.h>
+#include <netinet/in_var.h>
+#include <sys/kern_control.h>
+#elif defined(__linux__)
+#include <linux/if_tun.h>
+#else
+#include <net/if_tun.h>
+#endif
+
+#include "tun_device.h"
+
+#include <library.h>
+#include <utils/debug.h>
+#include <threading/thread.h>
+
+#define TUN_DEFAULT_MTU 1500
+
+typedef struct private_tun_device_t private_tun_device_t;
+
+struct private_tun_device_t {
+
+	/**
+	 * Public interface
+	 */
+	tun_device_t public;
+
+	/**
+	 * The TUN device's file descriptor
+	 */
+	int tunfd;
+
+	/**
+	 * Name of the TUN device
+	 */
+	char if_name[IFNAMSIZ];
+
+	/**
+	 * Socket used for ioctl() to set interface addr, ...
+	 */
+	int sock;
+
+	/**
+	 * The current MTU
+	 */
+	int mtu;
+};
+
+/**
+ * Set the sockaddr_t from the given netmask
+ */
+static void set_netmask(struct ifreq *ifr, int family, u_int8_t netmask)
+{
+	int len, bytes, bits;
+	char *target;
+
+	switch (family)
+	{
+		case AF_INET:
+		{
+			struct sockaddr_in *addr = (struct sockaddr_in*)&ifr->ifr_addr;
+			addr->sin_family = AF_INET;
+			target = (char*)&addr->sin_addr;
+			len = 4;
+			break;
+		}
+		case AF_INET6:
+		{
+			struct sockaddr_in6 *addr = (struct sockaddr_in6*)&ifr->ifr_addr;
+			addr->sin6_family = AF_INET6;
+			target = (char*)&addr->sin6_addr;
+			len = 16;
+			break;
+		}
+		default:
+			return;
+	}
+
+	bytes = (netmask + 7) / 8;
+	bits = (bytes * 8) - netmask;
+
+	memset(target, 0xff, bytes);
+	memset(target + bytes, 0x00, len - bytes);
+	target[bytes - 1] = bits ? (u_int8_t)(0xff << bits) : 0xff;
+}
+
+METHOD(tun_device_t, set_address, bool,
+	private_tun_device_t *this, host_t *addr, u_int8_t netmask)
+{
+	struct ifreq ifr;
+	int family;
+
+	family = addr->get_family(addr);
+	if ((netmask > 32 && family == AF_INET) || netmask > 128)
+	{
+		DBG1(DBG_LIB, "failed to set address on %s: invalid netmask",
+			 this->if_name);
+		return FALSE;
+	}
+
+	memset(&ifr, 0, sizeof(ifr));
+	strncpy(ifr.ifr_name, this->if_name, IFNAMSIZ);
+	memcpy(&ifr.ifr_addr, addr->get_sockaddr(addr), sizeof(sockaddr_t));
+
+	if (ioctl(this->sock, SIOCSIFADDR, &ifr) < 0)
+	{
+		DBG1(DBG_LIB, "failed to set address on %s: %s",
+			 this->if_name, strerror(errno));
+		return FALSE;
+	}
+#ifdef __APPLE__
+	if (ioctl(this->sock, SIOCSIFDSTADDR, &ifr) < 0)
+	{
+		DBG1(DBG_LIB, "failed to set dest address on %s: %s",
+			 this->if_name, strerror(errno));
+		return FALSE;
+	}
+#endif /* __APPLE__ */
+
+	set_netmask(&ifr, family, netmask);
+
+	if (ioctl(this->sock, SIOCSIFNETMASK, &ifr) < 0)
+	{
+		DBG1(DBG_LIB, "failed to set netmask on %s: %s",
+			 this->if_name, strerror(errno));
+		return FALSE;
+	}
+	return TRUE;
+}
+
+METHOD(tun_device_t, up, bool,
+	private_tun_device_t *this)
+{
+	struct ifreq ifr;
+
+	memset(&ifr, 0, sizeof(ifr));
+	strncpy(ifr.ifr_name, this->if_name, IFNAMSIZ);
+
+	if (ioctl(this->sock, SIOCGIFFLAGS, &ifr) < 0)
+	{
+		DBG1(DBG_LIB, "failed to get interface flags for %s: %s", this->if_name,
+			 strerror(errno));
+		return FALSE;
+	}
+
+	ifr.ifr_flags |= IFF_RUNNING | IFF_UP;
+
+	if (ioctl(this->sock, SIOCSIFFLAGS, &ifr) < 0)
+	{
+		DBG1(DBG_LIB, "failed to set interface flags on %s: %s", this->if_name,
+			 strerror(errno));
+		return FALSE;
+	}
+	return TRUE;
+}
+
+METHOD(tun_device_t, set_mtu, bool,
+	private_tun_device_t *this, int mtu)
+{
+	struct ifreq ifr;
+
+	memset(&ifr, 0, sizeof(ifr));
+	strncpy(ifr.ifr_name, this->if_name, IFNAMSIZ);
+	ifr.ifr_mtu = mtu;
+
+	if (ioctl(this->sock, SIOCSIFMTU, &ifr) < 0)
+	{
+		DBG1(DBG_LIB, "failed to set MTU on %s: %s", this->if_name,
+			 strerror(errno));
+		return FALSE;
+	}
+	this->mtu = mtu;
+	return TRUE;
+}
+
+METHOD(tun_device_t, get_mtu, int,
+	private_tun_device_t *this)
+{
+	struct ifreq ifr;
+
+	if (this->mtu > 0)
+	{
+		return this->mtu;
+	}
+
+	memset(&ifr, 0, sizeof(ifr));
+	strncpy(ifr.ifr_name, this->if_name, IFNAMSIZ);
+	this->mtu = TUN_DEFAULT_MTU;
+
+	if (ioctl(this->sock, SIOCGIFMTU, &ifr) == 0)
+	{
+		this->mtu = ifr.ifr_mtu;
+	}
+	return this->mtu;
+}
+
+METHOD(tun_device_t, get_name, char*,
+	private_tun_device_t *this)
+{
+	return this->if_name;
+}
+
+METHOD(tun_device_t, write_packet, bool,
+	private_tun_device_t *this, chunk_t packet)
+{
+	ssize_t s;
+
+	s = write(this->tunfd, packet.ptr, packet.len);
+	if (s < 0)
+	{
+		DBG1(DBG_LIB, "failed to write packet to TUN device %s: %s",
+			 this->if_name, strerror(errno));
+		return FALSE;
+	}
+	else if (s != packet.len)
+	{
+		return FALSE;
+	}
+	return TRUE;
+}
+
+METHOD(tun_device_t, read_packet, bool,
+	private_tun_device_t *this, chunk_t *packet)
+{
+	ssize_t len;
+	fd_set set;
+	bool old;
+
+	FD_ZERO(&set);
+	FD_SET(this->tunfd, &set);
+
+	old = thread_cancelability(TRUE);
+	len = select(this->tunfd + 1, &set, NULL, NULL, NULL);
+	thread_cancelability(old);
+
+	if (len < 0)
+	{
+		DBG1(DBG_LIB, "select on TUN device %s failed: %s", this->if_name,
+			 strerror(errno));
+		return FALSE;
+	}
+	/* FIXME: this is quite expensive for lots of small packets, copy from
+	 * local buffer instead? */
+	*packet = chunk_alloc(get_mtu(this));
+	len = read(this->tunfd, packet->ptr, packet->len);
+	if (len < 0)
+	{
+		DBG1(DBG_LIB, "reading from TUN device %s failed: %s", this->if_name,
+			 strerror(errno));
+		chunk_free(packet);
+		return FALSE;
+	}
+	packet->len = len;
+	return TRUE;
+}
+
+METHOD(tun_device_t, destroy, void,
+	private_tun_device_t *this)
+{
+	if (this->tunfd > 0)
+	{
+		close(this->tunfd);
+#ifdef __FreeBSD__
+		/* tun(4) says the following: "These network interfaces persist until
+		 * the if_tun.ko module is unloaded, or until removed with the
+		 * ifconfig(8) command."  So simply closing the FD is not enough. */
+		struct ifreq ifr;
+
+		memset(&ifr, 0, sizeof(ifr));
+		strncpy(ifr.ifr_name, this->if_name, IFNAMSIZ);
+		if (ioctl(this->sock, SIOCIFDESTROY, &ifr) < 0)
+		{
+			DBG1(DBG_LIB, "failed to destroy %s: %s", this->if_name,
+				 strerror(errno));
+		}
+#endif /* __FreeBSD__ */
+	}
+	if (this->sock > 0)
+	{
+		close(this->sock);
+	}
+	free(this);
+}
+
+/**
+ * Initialize the tun device
+ */
+static bool init_tun(private_tun_device_t *this, const char *name_tmpl)
+{
+#ifdef __APPLE__
+
+	struct ctl_info info;
+	struct sockaddr_ctl addr;
+	socklen_t size = IFNAMSIZ;
+
+	memset(&info, 0, sizeof(info));
+	memset(&addr, 0, sizeof(addr));
+
+	this->tunfd = socket(PF_SYSTEM, SOCK_DGRAM, SYSPROTO_CONTROL);
+	if (this->tunfd < 0)
+	{
+		DBG1(DBG_LIB, "failed to open tundevice PF_SYSTEM socket: %s",
+			 strerror(errno));
+		return FALSE;
+	}
+
+	/* get a control identifier for the utun kernel extension */
+	strncpy(info.ctl_name, UTUN_CONTROL_NAME, strlen(UTUN_CONTROL_NAME));
+	if (ioctl(this->tunfd, CTLIOCGINFO, &info) < 0)
+	{
+		DBG1(DBG_LIB, "failed to ioctl tundevice: %s", strerror(errno));
+		close(this->tunfd);
+		return FALSE;
+	}
+
+	addr.sc_id = info.ctl_id;
+	addr.sc_len = sizeof(addr);
+	addr.sc_family = AF_SYSTEM;
+	addr.ss_sysaddr = AF_SYS_CONTROL;
+	/* allocate identifier dynamically */
+	addr.sc_unit = 0;
+
+	if (connect(this->tunfd, (struct sockaddr*)&addr, sizeof(addr)) < 0)
+	{
+		DBG1(DBG_LIB, "failed to connect tundevice: %s", strerror(errno));
+		close(this->tunfd);
+		return FALSE;
+	}
+	if (getsockopt(this->tunfd, SYSPROTO_CONTROL, UTUN_OPT_IFNAME,
+				   this->if_name, &size) < 0)
+	{
+		DBG1(DBG_LIB, "getting tundevice name failed: %s", strerror(errno));
+		close(this->tunfd);
+		return FALSE;
+	}
+	return TRUE;
+
+#elif defined(IFF_TUN)
+
+	struct ifreq ifr;
+
+	strncpy(this->if_name, name_tmpl ?: "tun%d", IFNAMSIZ);
+	this->if_name[IFNAMSIZ-1] = '\0';
+
+	this->tunfd = open("/dev/net/tun", O_RDWR);
+	if (this->tunfd < 0)
+	{
+		DBG1(DBG_LIB, "failed to open /dev/net/tun: %s", strerror(errno));
+		return FALSE;
+	}
+
+	memset(&ifr, 0, sizeof(ifr));
+
+	/* TUN device, no packet info */
+	ifr.ifr_flags = IFF_TUN | IFF_NO_PI;
+
+	strncpy(ifr.ifr_name, this->if_name, IFNAMSIZ);
+	if (ioctl(this->tunfd, TUNSETIFF, (void*)&ifr) < 0)
+	{
+		DBG1(DBG_LIB, "failed to configure TUN device: %s", strerror(errno));
+		close(this->tunfd);
+		return FALSE;
+	}
+	strncpy(this->if_name, ifr.ifr_name, IFNAMSIZ);
+	return TRUE;
+
+#else /* !IFF_TUN */
+
+	/* this works on FreeBSD and might also work on Linux with older TUN
+	 * driver versions (no IFF_TUN) */
+	char devname[IFNAMSIZ];
+	int i;
+
+	if (name_tmpl)
+	{
+		DBG1(DBG_LIB, "arbitrary naming of TUN devices is not supported");
+	}
+
+	for (i = 0; i < 256; i++)
+	{
+		snprintf(devname, IFNAMSIZ, "/dev/tun%d", i);
+		this->tunfd = open(devname, O_RDWR);
+		if (this->tunfd > 0)
+		{	/* for ioctl(2) calls only the interface name is used */
+			snprintf(this->if_name, IFNAMSIZ, "tun%d", i);
+			break;
+		}
+		DBG1(DBG_LIB, "failed to open %s: %s", this->if_name, strerror(errno));
+	}
+	return this->tunfd > 0;
+
+#endif /* !__APPLE__ */
+}
+
+/*
+ * Described in header
+ */
+tun_device_t *tun_device_create(const char *name_tmpl)
+{
+	private_tun_device_t *this;
+
+	INIT(this,
+		.public = {
+			.read_packet = _read_packet,
+			.write_packet = _write_packet,
+			.get_mtu = _get_mtu,
+			.set_mtu = _set_mtu,
+			.get_name = _get_name,
+			.set_address = _set_address,
+			.up = _up,
+			.destroy = _destroy,
+		},
+		.tunfd = -1,
+		.sock = -1,
+	);
+
+	if (!init_tun(this, name_tmpl))
+	{
+		free(this);
+		return NULL;
+	}
+	DBG1(DBG_LIB, "created TUN device: %s", this->if_name);
+
+	this->sock = socket(AF_INET, SOCK_DGRAM, 0);
+	if (this->sock < 0)
+	{
+		DBG1(DBG_LIB, "failed to open socket to configure TUN device");
+		destroy(this);
+		return NULL;
+	}
+	return &this->public;
+}
diff --git a/src/libstrongswan/networking/tun_device.h b/src/libstrongswan/networking/tun_device.h
new file mode 100644
index 000000000..b22a5d170
--- /dev/null
+++ b/src/libstrongswan/networking/tun_device.h
@@ -0,0 +1,112 @@
+/*
+ * Copyright (C) 2012 Tobias Brunner
+ * Copyright (C) 2012 Giuliano Grassi
+ * Copyright (C) 2012 Ralf Sager
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup tun_device tun_device
+ * @{ @ingroup networking
+ */
+
+#ifndef TUN_DEVICE_H_
+#define TUN_DEVICE_H_
+
+#include <library.h>
+#include <networking/host.h>
+
+typedef struct tun_device_t tun_device_t;
+
+/**
+ * Class to create TUN devices
+ *
+ * Creating such a device requires the CAP_NET_ADMIN capability.
+ *
+ * @note The implementation is currently very Linux specific
+ */
+struct tun_device_t {
+
+	/**
+	 * Read a packet from the TUN device
+	 *
+	 * @note This call blocks until a packet is available. It is a thread
+	 * cancellation point.
+	 *
+	 * @param packet		the packet read from the device
+	 * @return				TRUE if successful
+	 */
+	bool (*read_packet)(tun_device_t *this, chunk_t *packet);
+
+	/**
+	 * Write a packet to the TUN device
+	 *
+	 * @param packet		the packet to write to the TUN device
+	 * @return				TRUE if successful
+	 */
+	bool (*write_packet)(tun_device_t *this, chunk_t packet);
+
+	/**
+	 * Set the IP address of the device
+	 *
+	 * @param addr			the desired interface address
+	 * @param netmask		the netmask to use
+	 * @return				TRUE if operation successful
+	 */
+	bool (*set_address)(tun_device_t *this, host_t *addr, u_int8_t netmask);
+
+	/**
+	 * Bring the TUN device up
+	 *
+	 * @return				TRUE if operation successful
+	 */
+	bool (*up)(tun_device_t *this);
+
+	/**
+	 * Set the MTU for this TUN device
+	 *
+	 * @param mtu			new MTU
+	 * @return				TRUE if operation successful
+	 */
+	bool (*set_mtu)(tun_device_t *this, int mtu);
+
+	/**
+	 * Get the current MTU for this TUN device
+	 *
+	 * @return				current MTU
+	 */
+	int (*get_mtu)(tun_device_t *this);
+
+	/**
+	 * Get the interface name of this device
+	 *
+	 * @return				interface name
+	 */
+	char *(*get_name)(tun_device_t *this);
+
+	/**
+	 * Destroy a tun_device_t
+	 */
+	void (*destroy)(tun_device_t *this);
+
+};
+
+/**
+ * Create a TUN device using the given name template.
+ *
+ * @param name_tmpl			name template, defaults to "tun%d" if not given
+ * @return					TUN device
+ */
+tun_device_t *tun_device_create(const char *name_tmpl);
+
+#endif /** TUN_DEVICE_H_ @}*/
diff --git a/src/libstrongswan/pen/pen.c b/src/libstrongswan/pen/pen.c
index a80e949e3..b1b0731d4 100644
--- a/src/libstrongswan/pen/pen.c
+++ b/src/libstrongswan/pen/pen.c
@@ -21,11 +21,21 @@ ENUM_NEXT(pen_names, PEN_IBM, PEN_IBM, PEN_IETF,
 	"IBM");
 ENUM_NEXT(pen_names, PEN_MICROSOFT, PEN_MICROSOFT, PEN_IBM,
 	"Microsoft");
-ENUM_NEXT(pen_names, PEN_OSC, PEN_OSC, PEN_MICROSOFT,
+ENUM_NEXT(pen_names, PEN_REDHAT, PEN_REDHAT, PEN_MICROSOFT,
+    "Redhat");
+ENUM_NEXT(pen_names, PEN_OSC, PEN_OSC, PEN_REDHAT,
 	"OSC");
-ENUM_NEXT(pen_names, PEN_TCG, PEN_TCG, PEN_OSC,
+ENUM_NEXT(pen_names, PEN_DEBIAN, PEN_DEBIAN, PEN_OSC,
+	"Debian Project");
+ENUM_NEXT(pen_names, PEN_GOOGLE, PEN_GOOGLE, PEN_DEBIAN,
+	"Google");
+ENUM_NEXT(pen_names, PEN_TCG, PEN_TCG, PEN_GOOGLE,
 	"TCG");
-ENUM_NEXT(pen_names, PEN_FHH, PEN_FHH, PEN_TCG,
+ENUM_NEXT(pen_names, PEN_CANONICAL, PEN_CANONICAL, PEN_TCG,
+    "Canonical");
+ENUM_NEXT(pen_names, PEN_FEDORA, PEN_FEDORA, PEN_CANONICAL,
+	"Fedora Project");
+ENUM_NEXT(pen_names, PEN_FHH, PEN_FHH, PEN_FEDORA,
 	"FHH");
 ENUM_NEXT(pen_names, PEN_ITA, PEN_ITA, PEN_FHH,
 	"ITA-HSR");
diff --git a/src/libstrongswan/pen/pen.h b/src/libstrongswan/pen/pen.h
index 78b6e4df2..9d5df7d49 100644
--- a/src/libstrongswan/pen/pen.h
+++ b/src/libstrongswan/pen/pen.h
@@ -33,8 +33,13 @@ enum pen_t {
 	PEN_IETF =		0x000000,	/*        0 */
 	PEN_IBM	=		0x000002,	/*        2 */
 	PEN_MICROSOFT = 0x000137,	/*      311 */
+	PEN_REDHAT =	0x000908,	/*     2312 */
 	PEN_OSC =		0x002358,	/*     9048 */
+	PEN_DEBIAN =	0x002572,	/*     9586 */
+	PEN_GOOGLE =    0x002B79,	/*    11129 */
 	PEN_TCG =		0x005597,	/*    21911 */
+	PEN_CANONICAL = 0x007132,	/*    28978 */
+	PEN_FEDORA =	0x0076C1,	/*    30401 */
 	PEN_FHH =		0x0080ab,	/*    32939 */
 	PEN_ITA =		0x00902a,	/*    36906 */
 	PEN_OPENPTS =	0x00950e,	/*    38158 */
diff --git a/src/libstrongswan/plugins/aes/Makefile.in b/src/libstrongswan/plugins/aes/Makefile.in
index c09cf66a7..99cc71e2c 100644
--- a/src/libstrongswan/plugins/aes/Makefile.in
+++ b/src/libstrongswan/plugins/aes/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -73,6 +73,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
 am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
 am__installdirs = "$(DESTDIR)$(plugindir)"
 LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
 libstrongswan_aes_la_LIBADD =
@@ -120,6 +126,7 @@ CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -147,6 +154,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -174,6 +182,7 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
@@ -186,6 +195,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -239,7 +249,6 @@ libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -368,7 +377,7 @@ clean-pluginLTLIBRARIES:
 	  echo "rm -f \"$${dir}/so_locations\""; \
 	  rm -f "$${dir}/so_locations"; \
 	done
-libstrongswan-aes.la: $(libstrongswan_aes_la_OBJECTS) $(libstrongswan_aes_la_DEPENDENCIES) 
+libstrongswan-aes.la: $(libstrongswan_aes_la_OBJECTS) $(libstrongswan_aes_la_DEPENDENCIES) $(EXTRA_libstrongswan_aes_la_DEPENDENCIES) 
 	$(libstrongswan_aes_la_LINK) $(am_libstrongswan_aes_la_rpath) $(libstrongswan_aes_la_OBJECTS) $(libstrongswan_aes_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
@@ -506,10 +515,15 @@ install-am: all-am
 
 installcheck: installcheck-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
diff --git a/src/libstrongswan/plugins/af_alg/Makefile.in b/src/libstrongswan/plugins/af_alg/Makefile.in
index d3da24718..66b525016 100644
--- a/src/libstrongswan/plugins/af_alg/Makefile.in
+++ b/src/libstrongswan/plugins/af_alg/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -73,6 +73,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
 am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
 am__installdirs = "$(DESTDIR)$(plugindir)"
 LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
 libstrongswan_af_alg_la_LIBADD =
@@ -124,6 +130,7 @@ CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -151,6 +158,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -178,6 +186,7 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
@@ -190,6 +199,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -243,7 +253,6 @@ libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -377,7 +386,7 @@ clean-pluginLTLIBRARIES:
 	  echo "rm -f \"$${dir}/so_locations\""; \
 	  rm -f "$${dir}/so_locations"; \
 	done
-libstrongswan-af-alg.la: $(libstrongswan_af_alg_la_OBJECTS) $(libstrongswan_af_alg_la_DEPENDENCIES) 
+libstrongswan-af-alg.la: $(libstrongswan_af_alg_la_OBJECTS) $(libstrongswan_af_alg_la_DEPENDENCIES) $(EXTRA_libstrongswan_af_alg_la_DEPENDENCIES) 
 	$(libstrongswan_af_alg_la_LINK) $(am_libstrongswan_af_alg_la_rpath) $(libstrongswan_af_alg_la_OBJECTS) $(libstrongswan_af_alg_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
@@ -519,10 +528,15 @@ install-am: all-am
 
 installcheck: installcheck-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
diff --git a/src/libstrongswan/plugins/af_alg/af_alg_ops.c b/src/libstrongswan/plugins/af_alg/af_alg_ops.c
index 7fe47c578..331d1e801 100644
--- a/src/libstrongswan/plugins/af_alg/af_alg_ops.c
+++ b/src/libstrongswan/plugins/af_alg/af_alg_ops.c
@@ -19,7 +19,7 @@
 #include <errno.h>
 #include <linux/socket.h>
 
-#include <debug.h>
+#include <utils/debug.h>
 
 typedef struct private_af_alg_ops_t private_af_alg_ops_t;
 
diff --git a/src/libstrongswan/plugins/agent/Makefile.in b/src/libstrongswan/plugins/agent/Makefile.in
index 8e606bf39..ec98cacb9 100644
--- a/src/libstrongswan/plugins/agent/Makefile.in
+++ b/src/libstrongswan/plugins/agent/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -73,6 +73,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
 am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
 am__installdirs = "$(DESTDIR)$(plugindir)"
 LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
 libstrongswan_agent_la_LIBADD =
@@ -122,6 +128,7 @@ CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -149,6 +156,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -176,6 +184,7 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
@@ -188,6 +197,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -241,7 +251,6 @@ libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -371,7 +380,7 @@ clean-pluginLTLIBRARIES:
 	  echo "rm -f \"$${dir}/so_locations\""; \
 	  rm -f "$${dir}/so_locations"; \
 	done
-libstrongswan-agent.la: $(libstrongswan_agent_la_OBJECTS) $(libstrongswan_agent_la_DEPENDENCIES) 
+libstrongswan-agent.la: $(libstrongswan_agent_la_OBJECTS) $(libstrongswan_agent_la_DEPENDENCIES) $(EXTRA_libstrongswan_agent_la_DEPENDENCIES) 
 	$(libstrongswan_agent_la_LINK) $(am_libstrongswan_agent_la_rpath) $(libstrongswan_agent_la_OBJECTS) $(libstrongswan_agent_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
@@ -509,10 +518,15 @@ install-am: all-am
 
 installcheck: installcheck-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
diff --git a/src/libstrongswan/plugins/agent/agent_private_key.c b/src/libstrongswan/plugins/agent/agent_private_key.c
index 60b57ad2d..42c78c172 100644
--- a/src/libstrongswan/plugins/agent/agent_private_key.c
+++ b/src/libstrongswan/plugins/agent/agent_private_key.c
@@ -24,8 +24,8 @@
 #include <errno.h>
 
 #include <library.h>
-#include <chunk.h>
-#include <debug.h>
+#include <utils/chunk.h>
+#include <utils/debug.h>
 
 #ifndef UNIX_PATH_MAX
 #define UNIX_PATH_MAX 108
diff --git a/src/libstrongswan/plugins/blowfish/Makefile.in b/src/libstrongswan/plugins/blowfish/Makefile.in
index c8b904eb9..7904719a4 100644
--- a/src/libstrongswan/plugins/blowfish/Makefile.in
+++ b/src/libstrongswan/plugins/blowfish/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -73,6 +73,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
 am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
 am__installdirs = "$(DESTDIR)$(plugindir)"
 LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
 libstrongswan_blowfish_la_LIBADD =
@@ -124,6 +130,7 @@ CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -151,6 +158,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -178,6 +186,7 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
@@ -190,6 +199,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -243,7 +253,6 @@ libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -373,7 +382,7 @@ clean-pluginLTLIBRARIES:
 	  echo "rm -f \"$${dir}/so_locations\""; \
 	  rm -f "$${dir}/so_locations"; \
 	done
-libstrongswan-blowfish.la: $(libstrongswan_blowfish_la_OBJECTS) $(libstrongswan_blowfish_la_DEPENDENCIES) 
+libstrongswan-blowfish.la: $(libstrongswan_blowfish_la_OBJECTS) $(libstrongswan_blowfish_la_DEPENDENCIES) $(EXTRA_libstrongswan_blowfish_la_DEPENDENCIES) 
 	$(libstrongswan_blowfish_la_LINK) $(am_libstrongswan_blowfish_la_rpath) $(libstrongswan_blowfish_la_OBJECTS) $(libstrongswan_blowfish_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
@@ -513,10 +522,15 @@ install-am: all-am
 
 installcheck: installcheck-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
diff --git a/src/libstrongswan/plugins/ccm/Makefile.in b/src/libstrongswan/plugins/ccm/Makefile.in
index bb094f04c..2b00c4c46 100644
--- a/src/libstrongswan/plugins/ccm/Makefile.in
+++ b/src/libstrongswan/plugins/ccm/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -73,6 +73,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
 am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
 am__installdirs = "$(DESTDIR)$(plugindir)"
 LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
 libstrongswan_ccm_la_LIBADD =
@@ -120,6 +126,7 @@ CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -147,6 +154,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -174,6 +182,7 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
@@ -186,6 +195,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -239,7 +249,6 @@ libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -369,7 +378,7 @@ clean-pluginLTLIBRARIES:
 	  echo "rm -f \"$${dir}/so_locations\""; \
 	  rm -f "$${dir}/so_locations"; \
 	done
-libstrongswan-ccm.la: $(libstrongswan_ccm_la_OBJECTS) $(libstrongswan_ccm_la_DEPENDENCIES) 
+libstrongswan-ccm.la: $(libstrongswan_ccm_la_OBJECTS) $(libstrongswan_ccm_la_DEPENDENCIES) $(EXTRA_libstrongswan_ccm_la_DEPENDENCIES) 
 	$(libstrongswan_ccm_la_LINK) $(am_libstrongswan_ccm_la_rpath) $(libstrongswan_ccm_la_OBJECTS) $(libstrongswan_ccm_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
@@ -507,10 +516,15 @@ install-am: all-am
 
 installcheck: installcheck-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
diff --git a/src/libstrongswan/plugins/cmac/Makefile.in b/src/libstrongswan/plugins/cmac/Makefile.in
index eba059a29..883469557 100644
--- a/src/libstrongswan/plugins/cmac/Makefile.in
+++ b/src/libstrongswan/plugins/cmac/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -73,6 +73,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
 am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
 am__installdirs = "$(DESTDIR)$(plugindir)"
 LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
 libstrongswan_cmac_la_LIBADD =
@@ -120,6 +126,7 @@ CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -147,6 +154,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -174,6 +182,7 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
@@ -186,6 +195,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -239,7 +249,6 @@ libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -368,7 +377,7 @@ clean-pluginLTLIBRARIES:
 	  echo "rm -f \"$${dir}/so_locations\""; \
 	  rm -f "$${dir}/so_locations"; \
 	done
-libstrongswan-cmac.la: $(libstrongswan_cmac_la_OBJECTS) $(libstrongswan_cmac_la_DEPENDENCIES) 
+libstrongswan-cmac.la: $(libstrongswan_cmac_la_OBJECTS) $(libstrongswan_cmac_la_DEPENDENCIES) $(EXTRA_libstrongswan_cmac_la_DEPENDENCIES) 
 	$(libstrongswan_cmac_la_LINK) $(am_libstrongswan_cmac_la_rpath) $(libstrongswan_cmac_la_OBJECTS) $(libstrongswan_cmac_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
@@ -506,10 +515,15 @@ install-am: all-am
 
 installcheck: installcheck-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
diff --git a/src/libstrongswan/plugins/cmac/cmac.c b/src/libstrongswan/plugins/cmac/cmac.c
index 725d02d76..c8cb7fbf2 100644
--- a/src/libstrongswan/plugins/cmac/cmac.c
+++ b/src/libstrongswan/plugins/cmac/cmac.c
@@ -17,7 +17,7 @@
 
 #include "cmac.h"
 
-#include <debug.h>
+#include <utils/debug.h>
 #include <crypto/mac.h>
 #include <crypto/prfs/mac_prf.h>
 #include <crypto/signers/mac_signer.h>
diff --git a/src/libstrongswan/plugins/constraints/Makefile.in b/src/libstrongswan/plugins/constraints/Makefile.in
index 693d76334..65f36db54 100644
--- a/src/libstrongswan/plugins/constraints/Makefile.in
+++ b/src/libstrongswan/plugins/constraints/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -73,6 +73,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
 am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
 am__installdirs = "$(DESTDIR)$(plugindir)"
 LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
 libstrongswan_constraints_la_LIBADD =
@@ -124,6 +130,7 @@ CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -151,6 +158,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -178,6 +186,7 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
@@ -190,6 +199,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -243,7 +253,6 @@ libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -373,7 +382,7 @@ clean-pluginLTLIBRARIES:
 	  echo "rm -f \"$${dir}/so_locations\""; \
 	  rm -f "$${dir}/so_locations"; \
 	done
-libstrongswan-constraints.la: $(libstrongswan_constraints_la_OBJECTS) $(libstrongswan_constraints_la_DEPENDENCIES) 
+libstrongswan-constraints.la: $(libstrongswan_constraints_la_OBJECTS) $(libstrongswan_constraints_la_DEPENDENCIES) $(EXTRA_libstrongswan_constraints_la_DEPENDENCIES) 
 	$(libstrongswan_constraints_la_LINK) $(am_libstrongswan_constraints_la_rpath) $(libstrongswan_constraints_la_OBJECTS) $(libstrongswan_constraints_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
@@ -511,10 +520,15 @@ install-am: all-am
 
 installcheck: installcheck-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
diff --git a/src/libstrongswan/plugins/constraints/constraints_validator.c b/src/libstrongswan/plugins/constraints/constraints_validator.c
index b54d813df..83a74299a 100644
--- a/src/libstrongswan/plugins/constraints/constraints_validator.c
+++ b/src/libstrongswan/plugins/constraints/constraints_validator.c
@@ -15,9 +15,9 @@
 
 #include "constraints_validator.h"
 
-#include <debug.h>
+#include <utils/debug.h>
 #include <asn1/asn1.h>
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
 #include <credentials/certificates/x509.h>
 
 typedef struct private_constraints_validator_t private_constraints_validator_t;
diff --git a/src/libstrongswan/plugins/ctr/Makefile.in b/src/libstrongswan/plugins/ctr/Makefile.in
index adab5d7d5..8b4ee6771 100644
--- a/src/libstrongswan/plugins/ctr/Makefile.in
+++ b/src/libstrongswan/plugins/ctr/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -73,6 +73,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
 am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
 am__installdirs = "$(DESTDIR)$(plugindir)"
 LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
 libstrongswan_ctr_la_LIBADD =
@@ -120,6 +126,7 @@ CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -147,6 +154,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -174,6 +182,7 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
@@ -186,6 +195,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -239,7 +249,6 @@ libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -369,7 +378,7 @@ clean-pluginLTLIBRARIES:
 	  echo "rm -f \"$${dir}/so_locations\""; \
 	  rm -f "$${dir}/so_locations"; \
 	done
-libstrongswan-ctr.la: $(libstrongswan_ctr_la_OBJECTS) $(libstrongswan_ctr_la_DEPENDENCIES) 
+libstrongswan-ctr.la: $(libstrongswan_ctr_la_OBJECTS) $(libstrongswan_ctr_la_DEPENDENCIES) $(EXTRA_libstrongswan_ctr_la_DEPENDENCIES) 
 	$(libstrongswan_ctr_la_LINK) $(am_libstrongswan_ctr_la_rpath) $(libstrongswan_ctr_la_OBJECTS) $(libstrongswan_ctr_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
@@ -507,10 +516,15 @@ install-am: all-am
 
 installcheck: installcheck-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
diff --git a/src/libstrongswan/plugins/curl/Makefile.in b/src/libstrongswan/plugins/curl/Makefile.in
index b6f38681f..93b9ba114 100644
--- a/src/libstrongswan/plugins/curl/Makefile.in
+++ b/src/libstrongswan/plugins/curl/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -73,6 +73,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
 am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
 am__installdirs = "$(DESTDIR)$(plugindir)"
 LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
 libstrongswan_curl_la_DEPENDENCIES =
@@ -120,6 +126,7 @@ CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -147,6 +154,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -174,6 +182,7 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
@@ -186,6 +195,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -239,7 +249,6 @@ libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -369,7 +378,7 @@ clean-pluginLTLIBRARIES:
 	  echo "rm -f \"$${dir}/so_locations\""; \
 	  rm -f "$${dir}/so_locations"; \
 	done
-libstrongswan-curl.la: $(libstrongswan_curl_la_OBJECTS) $(libstrongswan_curl_la_DEPENDENCIES) 
+libstrongswan-curl.la: $(libstrongswan_curl_la_OBJECTS) $(libstrongswan_curl_la_DEPENDENCIES) $(EXTRA_libstrongswan_curl_la_DEPENDENCIES) 
 	$(libstrongswan_curl_la_LINK) $(am_libstrongswan_curl_la_rpath) $(libstrongswan_curl_la_OBJECTS) $(libstrongswan_curl_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
@@ -507,10 +516,15 @@ install-am: all-am
 
 installcheck: installcheck-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
diff --git a/src/libstrongswan/plugins/curl/curl_fetcher.c b/src/libstrongswan/plugins/curl/curl_fetcher.c
index 7f8c0aec2..c68b74f96 100644
--- a/src/libstrongswan/plugins/curl/curl_fetcher.c
+++ b/src/libstrongswan/plugins/curl/curl_fetcher.c
@@ -17,7 +17,7 @@
 #include <curl/curl.h>
 
 #include <library.h>
-#include <debug.h>
+#include <utils/debug.h>
 
 #include "curl_fetcher.h"
 
diff --git a/src/libstrongswan/plugins/curl/curl_plugin.c b/src/libstrongswan/plugins/curl/curl_plugin.c
index 8628c4bb5..062fe129f 100644
--- a/src/libstrongswan/plugins/curl/curl_plugin.c
+++ b/src/libstrongswan/plugins/curl/curl_plugin.c
@@ -16,7 +16,7 @@
 #include "curl_plugin.h"
 
 #include <library.h>
-#include <debug.h>
+#include <utils/debug.h>
 #include "curl_fetcher.h"
 
 #include <curl/curl.h>
diff --git a/src/libstrongswan/plugins/des/Makefile.in b/src/libstrongswan/plugins/des/Makefile.in
index 04d489824..49d9f6b6f 100644
--- a/src/libstrongswan/plugins/des/Makefile.in
+++ b/src/libstrongswan/plugins/des/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -73,6 +73,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
 am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
 am__installdirs = "$(DESTDIR)$(plugindir)"
 LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
 libstrongswan_des_la_LIBADD =
@@ -120,6 +126,7 @@ CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -147,6 +154,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -174,6 +182,7 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
@@ -186,6 +195,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -239,7 +249,6 @@ libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -368,7 +377,7 @@ clean-pluginLTLIBRARIES:
 	  echo "rm -f \"$${dir}/so_locations\""; \
 	  rm -f "$${dir}/so_locations"; \
 	done
-libstrongswan-des.la: $(libstrongswan_des_la_OBJECTS) $(libstrongswan_des_la_DEPENDENCIES) 
+libstrongswan-des.la: $(libstrongswan_des_la_OBJECTS) $(libstrongswan_des_la_DEPENDENCIES) $(EXTRA_libstrongswan_des_la_DEPENDENCIES) 
 	$(libstrongswan_des_la_LINK) $(am_libstrongswan_des_la_rpath) $(libstrongswan_des_la_OBJECTS) $(libstrongswan_des_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
@@ -506,10 +515,15 @@ install-am: all-am
 
 installcheck: installcheck-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
diff --git a/src/libstrongswan/plugins/dnskey/Makefile.in b/src/libstrongswan/plugins/dnskey/Makefile.in
index 2f86f7558..d49cac8a7 100644
--- a/src/libstrongswan/plugins/dnskey/Makefile.in
+++ b/src/libstrongswan/plugins/dnskey/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -73,6 +73,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
 am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
 am__installdirs = "$(DESTDIR)$(plugindir)"
 LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
 libstrongswan_dnskey_la_LIBADD =
@@ -123,6 +129,7 @@ CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -150,6 +157,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -177,6 +185,7 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
@@ -189,6 +198,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -242,7 +252,6 @@ libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -372,7 +381,7 @@ clean-pluginLTLIBRARIES:
 	  echo "rm -f \"$${dir}/so_locations\""; \
 	  rm -f "$${dir}/so_locations"; \
 	done
-libstrongswan-dnskey.la: $(libstrongswan_dnskey_la_OBJECTS) $(libstrongswan_dnskey_la_DEPENDENCIES) 
+libstrongswan-dnskey.la: $(libstrongswan_dnskey_la_OBJECTS) $(libstrongswan_dnskey_la_DEPENDENCIES) $(EXTRA_libstrongswan_dnskey_la_DEPENDENCIES) 
 	$(libstrongswan_dnskey_la_LINK) $(am_libstrongswan_dnskey_la_rpath) $(libstrongswan_dnskey_la_OBJECTS) $(libstrongswan_dnskey_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
@@ -510,10 +519,15 @@ install-am: all-am
 
 installcheck: installcheck-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
diff --git a/src/libstrongswan/plugins/dnskey/dnskey_builder.c b/src/libstrongswan/plugins/dnskey/dnskey_builder.c
index ea4eb6cda..b8a451500 100644
--- a/src/libstrongswan/plugins/dnskey/dnskey_builder.c
+++ b/src/libstrongswan/plugins/dnskey/dnskey_builder.c
@@ -15,7 +15,7 @@
 
 #include "dnskey_builder.h"
 
-#include <debug.h>
+#include <utils/debug.h>
 #include <credentials/keys/private_key.h>
 
 
diff --git a/src/libstrongswan/plugins/fips_prf/Makefile.in b/src/libstrongswan/plugins/fips_prf/Makefile.in
index 017f00e50..8192b7f37 100644
--- a/src/libstrongswan/plugins/fips_prf/Makefile.in
+++ b/src/libstrongswan/plugins/fips_prf/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -73,6 +73,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
 am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
 am__installdirs = "$(DESTDIR)$(plugindir)"
 LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
 libstrongswan_fips_prf_la_LIBADD =
@@ -123,6 +129,7 @@ CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -150,6 +157,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -177,6 +185,7 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
@@ -189,6 +198,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -242,7 +252,6 @@ libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -371,7 +380,7 @@ clean-pluginLTLIBRARIES:
 	  echo "rm -f \"$${dir}/so_locations\""; \
 	  rm -f "$${dir}/so_locations"; \
 	done
-libstrongswan-fips-prf.la: $(libstrongswan_fips_prf_la_OBJECTS) $(libstrongswan_fips_prf_la_DEPENDENCIES) 
+libstrongswan-fips-prf.la: $(libstrongswan_fips_prf_la_OBJECTS) $(libstrongswan_fips_prf_la_DEPENDENCIES) $(EXTRA_libstrongswan_fips_prf_la_DEPENDENCIES) 
 	$(libstrongswan_fips_prf_la_LINK) $(am_libstrongswan_fips_prf_la_rpath) $(libstrongswan_fips_prf_la_OBJECTS) $(libstrongswan_fips_prf_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
@@ -509,10 +518,15 @@ install-am: all-am
 
 installcheck: installcheck-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
diff --git a/src/libstrongswan/plugins/fips_prf/fips_prf.c b/src/libstrongswan/plugins/fips_prf/fips_prf.c
index 3fe204d35..23825078e 100644
--- a/src/libstrongswan/plugins/fips_prf/fips_prf.c
+++ b/src/libstrongswan/plugins/fips_prf/fips_prf.c
@@ -17,7 +17,7 @@
 
 #include <arpa/inet.h>
 
-#include <debug.h>
+#include <utils/debug.h>
 
 typedef struct private_fips_prf_t private_fips_prf_t;
 
diff --git a/src/libstrongswan/plugins/gcm/Makefile.in b/src/libstrongswan/plugins/gcm/Makefile.in
index 0c5eea0a7..e8f89a7c5 100644
--- a/src/libstrongswan/plugins/gcm/Makefile.in
+++ b/src/libstrongswan/plugins/gcm/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -73,6 +73,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
 am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
 am__installdirs = "$(DESTDIR)$(plugindir)"
 LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
 libstrongswan_gcm_la_LIBADD =
@@ -120,6 +126,7 @@ CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -147,6 +154,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -174,6 +182,7 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
@@ -186,6 +195,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -239,7 +249,6 @@ libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -369,7 +378,7 @@ clean-pluginLTLIBRARIES:
 	  echo "rm -f \"$${dir}/so_locations\""; \
 	  rm -f "$${dir}/so_locations"; \
 	done
-libstrongswan-gcm.la: $(libstrongswan_gcm_la_OBJECTS) $(libstrongswan_gcm_la_DEPENDENCIES) 
+libstrongswan-gcm.la: $(libstrongswan_gcm_la_OBJECTS) $(libstrongswan_gcm_la_DEPENDENCIES) $(EXTRA_libstrongswan_gcm_la_DEPENDENCIES) 
 	$(libstrongswan_gcm_la_LINK) $(am_libstrongswan_gcm_la_rpath) $(libstrongswan_gcm_la_OBJECTS) $(libstrongswan_gcm_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
@@ -507,10 +516,15 @@ install-am: all-am
 
 installcheck: installcheck-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
diff --git a/src/libstrongswan/plugins/gcrypt/Makefile.in b/src/libstrongswan/plugins/gcrypt/Makefile.in
index 72e525b16..ee300b8f3 100644
--- a/src/libstrongswan/plugins/gcrypt/Makefile.in
+++ b/src/libstrongswan/plugins/gcrypt/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -73,6 +73,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
 am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
 am__installdirs = "$(DESTDIR)$(plugindir)"
 LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
 libstrongswan_gcrypt_la_DEPENDENCIES =
@@ -124,6 +130,7 @@ CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -151,6 +158,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -178,6 +186,7 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
@@ -190,6 +199,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -243,7 +253,6 @@ libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -379,7 +388,7 @@ clean-pluginLTLIBRARIES:
 	  echo "rm -f \"$${dir}/so_locations\""; \
 	  rm -f "$${dir}/so_locations"; \
 	done
-libstrongswan-gcrypt.la: $(libstrongswan_gcrypt_la_OBJECTS) $(libstrongswan_gcrypt_la_DEPENDENCIES) 
+libstrongswan-gcrypt.la: $(libstrongswan_gcrypt_la_OBJECTS) $(libstrongswan_gcrypt_la_DEPENDENCIES) $(EXTRA_libstrongswan_gcrypt_la_DEPENDENCIES) 
 	$(libstrongswan_gcrypt_la_LINK) $(am_libstrongswan_gcrypt_la_rpath) $(libstrongswan_gcrypt_la_OBJECTS) $(libstrongswan_gcrypt_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
@@ -522,10 +531,15 @@ install-am: all-am
 
 installcheck: installcheck-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
diff --git a/src/libstrongswan/plugins/gcrypt/gcrypt_crypter.c b/src/libstrongswan/plugins/gcrypt/gcrypt_crypter.c
index 0b5dc0365..a737cb13d 100644
--- a/src/libstrongswan/plugins/gcrypt/gcrypt_crypter.c
+++ b/src/libstrongswan/plugins/gcrypt/gcrypt_crypter.c
@@ -17,7 +17,7 @@
 
 #include <gcrypt.h>
 
-#include <debug.h>
+#include <utils/debug.h>
 
 typedef struct private_gcrypt_crypter_t private_gcrypt_crypter_t;
 
diff --git a/src/libstrongswan/plugins/gcrypt/gcrypt_dh.c b/src/libstrongswan/plugins/gcrypt/gcrypt_dh.c
index 0efd3ba16..f418b941d 100644
--- a/src/libstrongswan/plugins/gcrypt/gcrypt_dh.c
+++ b/src/libstrongswan/plugins/gcrypt/gcrypt_dh.c
@@ -18,7 +18,7 @@
 
 #include "gcrypt_dh.h"
 
-#include <debug.h>
+#include <utils/debug.h>
 
 typedef struct private_gcrypt_dh_t private_gcrypt_dh_t;
 
diff --git a/src/libstrongswan/plugins/gcrypt/gcrypt_hasher.c b/src/libstrongswan/plugins/gcrypt/gcrypt_hasher.c
index 3155a4aa0..af7993101 100644
--- a/src/libstrongswan/plugins/gcrypt/gcrypt_hasher.c
+++ b/src/libstrongswan/plugins/gcrypt/gcrypt_hasher.c
@@ -15,7 +15,7 @@
 
 #include "gcrypt_hasher.h"
 
-#include <debug.h>
+#include <utils/debug.h>
 
 #include <gcrypt.h>
 
diff --git a/src/libstrongswan/plugins/gcrypt/gcrypt_plugin.c b/src/libstrongswan/plugins/gcrypt/gcrypt_plugin.c
index 5ebdcebce..78d75a238 100644
--- a/src/libstrongswan/plugins/gcrypt/gcrypt_plugin.c
+++ b/src/libstrongswan/plugins/gcrypt/gcrypt_plugin.c
@@ -23,7 +23,7 @@
 #include "gcrypt_rsa_public_key.h"
 
 #include <library.h>
-#include <debug.h>
+#include <utils/debug.h>
 #include <threading/mutex.h>
 
 #include <errno.h>
diff --git a/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_private_key.c b/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_private_key.c
index 9fdb2d45b..938a46490 100644
--- a/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_private_key.c
+++ b/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_private_key.c
@@ -17,7 +17,7 @@
 
 #include "gcrypt_rsa_private_key.h"
 
-#include <debug.h>
+#include <utils/debug.h>
 #include <asn1/oid.h>
 #include <asn1/asn1.h>
 #include <asn1/asn1_parser.h>
diff --git a/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_public_key.c b/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_public_key.c
index c54f2c0cf..291287a8f 100644
--- a/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_public_key.c
+++ b/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_public_key.c
@@ -17,7 +17,7 @@
 
 #include "gcrypt_rsa_public_key.h"
 
-#include <debug.h>
+#include <utils/debug.h>
 #include <asn1/oid.h>
 #include <asn1/asn1.h>
 #include <asn1/asn1_parser.h>
diff --git a/src/libstrongswan/plugins/gmp/Makefile.in b/src/libstrongswan/plugins/gmp/Makefile.in
index f1bb28c1f..aeb48ff8a 100644
--- a/src/libstrongswan/plugins/gmp/Makefile.in
+++ b/src/libstrongswan/plugins/gmp/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -73,6 +73,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
 am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
 am__installdirs = "$(DESTDIR)$(plugindir)"
 LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
 libstrongswan_gmp_la_DEPENDENCIES =
@@ -121,6 +127,7 @@ CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -148,6 +155,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -175,6 +183,7 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
@@ -187,6 +196,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -240,7 +250,6 @@ libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -373,7 +382,7 @@ clean-pluginLTLIBRARIES:
 	  echo "rm -f \"$${dir}/so_locations\""; \
 	  rm -f "$${dir}/so_locations"; \
 	done
-libstrongswan-gmp.la: $(libstrongswan_gmp_la_OBJECTS) $(libstrongswan_gmp_la_DEPENDENCIES) 
+libstrongswan-gmp.la: $(libstrongswan_gmp_la_OBJECTS) $(libstrongswan_gmp_la_DEPENDENCIES) $(EXTRA_libstrongswan_gmp_la_DEPENDENCIES) 
 	$(libstrongswan_gmp_la_LINK) $(am_libstrongswan_gmp_la_rpath) $(libstrongswan_gmp_la_OBJECTS) $(libstrongswan_gmp_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
@@ -513,10 +522,15 @@ install-am: all-am
 
 installcheck: installcheck-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
diff --git a/src/libstrongswan/plugins/gmp/gmp_diffie_hellman.c b/src/libstrongswan/plugins/gmp/gmp_diffie_hellman.c
index 7d232e4f1..b74d35169 100644
--- a/src/libstrongswan/plugins/gmp/gmp_diffie_hellman.c
+++ b/src/libstrongswan/plugins/gmp/gmp_diffie_hellman.c
@@ -21,7 +21,7 @@
 
 #include "gmp_diffie_hellman.h"
 
-#include <debug.h>
+#include <utils/debug.h>
 
 #ifdef HAVE_MPZ_POWM_SEC
 # undef mpz_powm
diff --git a/src/libstrongswan/plugins/gmp/gmp_rsa_private_key.c b/src/libstrongswan/plugins/gmp/gmp_rsa_private_key.c
index 590ab6cb4..052b10741 100644
--- a/src/libstrongswan/plugins/gmp/gmp_rsa_private_key.c
+++ b/src/libstrongswan/plugins/gmp/gmp_rsa_private_key.c
@@ -1,7 +1,8 @@
 /*
- * Copyright (C) 2005-2009 Martin Willi
  * Copyright (C) 2005 Jan Hutter
- * Hochschule fuer Technik Rapperswil
+ * Copyright (C) 2005-2009 Martin Willi
+ * Copyright (C) 2012 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the
@@ -22,7 +23,7 @@
 #include "gmp_rsa_private_key.h"
 #include "gmp_rsa_public_key.h"
 
-#include <debug.h>
+#include <utils/debug.h>
 #include <asn1/oid.h>
 #include <asn1/asn1.h>
 #include <asn1/asn1_parser.h>
@@ -69,9 +70,14 @@ struct private_gmp_rsa_private_key_t {
 	mpz_t q;
 
 	/**
-	 * Private exponent.
+	 * Carmichael function m = lambda(n) = lcm(p-1,q-1).
+	*/
+	mpz_t m;
+
+	/**
+	 * Private exponent and optional secret sharing polynomial coefficients.
 	 */
-	mpz_t d;
+	mpz_t *d;
 
 	/**
 	 * Private exponent 1.
@@ -88,6 +94,21 @@ struct private_gmp_rsa_private_key_t {
 	 */
 	mpz_t coeff;
 
+	/**
+	 * Total number of private key shares
+	 */
+	u_int shares;
+
+	/**
+	 * Secret sharing threshold
+	 */
+	u_int threshold;
+
+	/**
+	 * Optional verification key (threshold > 1).
+	 */
+	mpz_t v;
+
 	/**
 	 * Keysize in bytes.
 	 */
@@ -121,22 +142,22 @@ chunk_t gmp_mpz_to_chunk(const mpz_t value)
 static void mpz_clear_sensitive(mpz_t z)
 {
 	size_t len = mpz_size(z) * GMP_LIMB_BITS / BITS_PER_BYTE;
-	u_int8_t *random = alloca(len);
+	u_int8_t *zeros = alloca(len);
 
-	memset(random, 0, len);
+	memset(zeros, 0, len);
 	/* overwrite mpz_t with zero bytes before clearing it */
-	mpz_import(z, len, 1, 1, 1, 0, random);
+	mpz_import(z, len, 1, 1, 1, 0, zeros);
 	mpz_clear(z);
 }
 
 /**
  * Create a mpz prime of at least prime_size
  */
-static status_t compute_prime(private_gmp_rsa_private_key_t *this,
-							  size_t prime_size, mpz_t *prime)
+static status_t compute_prime(size_t prime_size, bool safe, mpz_t *p, mpz_t *q)
 {
 	rng_t *rng;
 	chunk_t random_bytes;
+	int count = 0;
 
 	rng = lib->crypto->create_rng(lib->crypto, RNG_TRUE);
 	if (!rng)
@@ -146,26 +167,53 @@ static status_t compute_prime(private_gmp_rsa_private_key_t *this,
 		return FAILED;
 	}
 
-	mpz_init(*prime);
+	mpz_init(*p);
+	mpz_init(*q);
+
 	do
 	{
 		if (!rng->allocate_bytes(rng, prime_size, &random_bytes))
 		{
 			DBG1(DBG_LIB, "failed to allocate random prime");
+			mpz_clear(*p);
+			mpz_clear(*q);
 			rng->destroy(rng);
 			return FAILED;
 		}
-		/* make sure the two most significant bits are set */
-		random_bytes.ptr[0] = random_bytes.ptr[0] | 0xC0;
 
-		mpz_import(*prime, random_bytes.len, 1, 1, 1, 0, random_bytes.ptr);
-		mpz_nextprime (*prime, *prime);
+		/* make sure the two most significant bits are set */
+		if (safe)
+		{
+			random_bytes.ptr[0] &= 0x7F;
+			random_bytes.ptr[0] |= 0x60;
+			mpz_import(*q, random_bytes.len, 1, 1, 1, 0, random_bytes.ptr);
+			do
+			{
+				count++;
+				mpz_nextprime (*q, *q);
+				mpz_mul_ui(*p, *q, 2);
+				mpz_add_ui(*p, *p, 1);
+			}
+			while (mpz_probab_prime_p(*p, 10) == 0);
+			DBG2(DBG_LIB, "safe prime found after %d iterations", count);
+		}
+		else
+		{
+			random_bytes.ptr[0] |= 0xC0;
+			mpz_import(*p, random_bytes.len, 1, 1, 1, 0, random_bytes.ptr);
+			mpz_nextprime (*p, *p);
+		}
 		chunk_clear(&random_bytes);
 	}
-	/* check if it isn't too large */
-	while (((mpz_sizeinbase(*prime, 2) + 7) / 8) > prime_size);
+
+	/* check if the prime isn't too large */
+	while (((mpz_sizeinbase(*p, 2) + 7) / 8) > prime_size);
 
 	rng->destroy(rng);
+
+	/* additionally return p-1 */
+	mpz_sub_ui(*q, *p, 1);
+
 	return SUCCESS;
 }
 
@@ -393,7 +441,7 @@ METHOD(private_key_t, get_encoding, bool,
 
 	n = gmp_mpz_to_chunk(this->n);
 	e = gmp_mpz_to_chunk(this->e);
-	d = gmp_mpz_to_chunk(this->d);
+	d = gmp_mpz_to_chunk(*this->d);
 	p = gmp_mpz_to_chunk(this->p);
 	q = gmp_mpz_to_chunk(this->q);
 	exp1 = gmp_mpz_to_chunk(this->exp1);
@@ -451,14 +499,24 @@ METHOD(private_key_t, destroy, void,
 {
 	if (ref_put(&this->ref))
 	{
-		mpz_clear_sensitive(this->n);
-		mpz_clear_sensitive(this->e);
+		int i;
+
+		mpz_clear(this->n);
+		mpz_clear(this->e);
+		mpz_clear(this->v);
 		mpz_clear_sensitive(this->p);
 		mpz_clear_sensitive(this->q);
-		mpz_clear_sensitive(this->d);
+		mpz_clear_sensitive(this->m);
 		mpz_clear_sensitive(this->exp1);
 		mpz_clear_sensitive(this->exp2);
 		mpz_clear_sensitive(this->coeff);
+
+		for (i = 0; i < this->threshold; i++)
+		{
+			mpz_clear_sensitive(*this->d + i);
+		}
+		free(this->d);
+
 		lib->encoding->clear_cache(lib->encoding, this);
 		free(this);
 	}
@@ -469,7 +527,7 @@ METHOD(private_key_t, destroy, void,
  */
 static status_t check(private_gmp_rsa_private_key_t *this)
 {
-	mpz_t t, u, q1;
+	mpz_t u, p1, q1;
 	status_t status = SUCCESS;
 
 	/* PKCS#1 1.5 section 6 requires modulus to have at least 12 octets.
@@ -488,10 +546,14 @@ static status_t check(private_gmp_rsa_private_key_t *this)
 		return FAILED;
 	}
 
-	mpz_init(t);
 	mpz_init(u);
+	mpz_init(p1);
 	mpz_init(q1);
 
+	/* precompute p1 = p-1 and q1 = q-1 */
+	mpz_sub_ui(p1, this->p, 1);
+	mpz_sub_ui(q1, this->q, 1);
+
 	/* check that n == p * q */
 	mpz_mul(u, this->p, this->q);
 	if (mpz_cmp(u, this->n) != 0)
@@ -500,62 +562,54 @@ static status_t check(private_gmp_rsa_private_key_t *this)
 	}
 
 	/* check that e divides neither p-1 nor q-1 */
-	mpz_sub_ui(t, this->p, 1);
-	mpz_mod(t, t, this->e);
-	if (mpz_cmp_ui(t, 0) == 0)
+	mpz_mod(u, p1, this->e);
+	if (mpz_cmp_ui(u, 0) == 0)
 	{
 		status = FAILED;
 	}
 
-	mpz_sub_ui(t, this->q, 1);
-	mpz_mod(t, t, this->e);
-	if (mpz_cmp_ui(t, 0) == 0)
+	mpz_mod(u, q1, this->e);
+	if (mpz_cmp_ui(u, 0) == 0)
 	{
 		status = FAILED;
 	}
 
 	/* check that d is e^-1 (mod lcm(p-1, q-1)) */
 	/* see PKCS#1v2, aka RFC 2437, for the "lcm" */
-	mpz_sub_ui(q1, this->q, 1);
-	mpz_sub_ui(u, this->p, 1);
-	mpz_gcd(t, u, q1);		/* t := gcd(p-1, q-1) */
-	mpz_mul(u, u, q1);		/* u := (p-1) * (q-1) */
-	mpz_divexact(u, u, t);	/* u := lcm(p-1, q-1) */
-
-	mpz_mul(t, this->d, this->e);
-	mpz_mod(t, t, u);
-	if (mpz_cmp_ui(t, 1) != 0)
+	mpz_lcm(this->m, p1, q1);
+	mpz_mul(u, *this->d, this->e);
+	mpz_mod(u, u, this->m);
+	if (mpz_cmp_ui(u, 1) != 0)
 	{
 		status = FAILED;
 	}
 
 	/* check that exp1 is d mod (p-1) */
-	mpz_sub_ui(u, this->p, 1);
-	mpz_mod(t, this->d, u);
-	if (mpz_cmp(t, this->exp1) != 0)
+	mpz_mod(u, *this->d, p1);
+	if (mpz_cmp(u, this->exp1) != 0)
 	{
 		status = FAILED;
 	}
 
 	/* check that exp2 is d mod (q-1) */
-	mpz_sub_ui(u, this->q, 1);
-	mpz_mod(t, this->d, u);
-	if (mpz_cmp(t, this->exp2) != 0)
+	mpz_mod(u, *this->d, q1);
+	if (mpz_cmp(u, this->exp2) != 0)
 	{
 		status = FAILED;
 	}
 
 	/* check that coeff is (q^-1) mod p */
-	mpz_mul(t, this->coeff, this->q);
-	mpz_mod(t, t, this->p);
-	if (mpz_cmp_ui(t, 1) != 0)
+	mpz_mul(u, this->coeff, this->q);
+	mpz_mod(u, u, this->p);
+	if (mpz_cmp_ui(u, 1) != 0)
 	{
 		status = FAILED;
 	}
 
-	mpz_clear_sensitive(t);
 	mpz_clear_sensitive(u);
+	mpz_clear_sensitive(p1);
 	mpz_clear_sensitive(q1);
+
 	if (status != SUCCESS)
 	{
 		DBG1(DBG_LIB, "key integrity tests failed");
@@ -587,6 +641,7 @@ static private_gmp_rsa_private_key_t *gmp_rsa_private_key_create_empty(void)
 				.destroy = _destroy,
 			},
 		},
+		.threshold = 1,
 		.ref = 1,
 	);
 	return this;
@@ -597,9 +652,11 @@ static private_gmp_rsa_private_key_t *gmp_rsa_private_key_create_empty(void)
  */
 gmp_rsa_private_key_t *gmp_rsa_private_key_gen(key_type_t type, va_list args)
 {
-	mpz_t p, q, n, e, d, exp1, exp2, coeff, m, q1, t;
 	private_gmp_rsa_private_key_t *this;
-	u_int key_size = 0;
+	u_int key_size = 0, shares = 0, threshold = 1;
+	bool safe_prime = FALSE, rng_failed = FALSE, invert_failed = FALSE;
+	mpz_t p, q, p1, q1, d;
+;
 
 	while (TRUE)
 	{
@@ -608,6 +665,15 @@ gmp_rsa_private_key_t *gmp_rsa_private_key_gen(key_type_t type, va_list args)
 			case BUILD_KEY_SIZE:
 				key_size = va_arg(args, u_int);
 				continue;
+			case BUILD_SAFE_PRIMES:
+				safe_prime = TRUE;
+				continue;
+			case BUILD_SHARES:
+				shares = va_arg(args, u_int);
+				continue;
+			case BUILD_THRESHOLD:
+				threshold = va_arg(args, u_int);
+				continue;
 			case BUILD_END:
 				break;
 			default:
@@ -619,76 +685,112 @@ gmp_rsa_private_key_t *gmp_rsa_private_key_gen(key_type_t type, va_list args)
 	{
 		return NULL;
 	}
-
-	this = gmp_rsa_private_key_create_empty();
 	key_size = key_size / BITS_PER_BYTE;
 
 	/* Get values of primes p and q  */
-	if (compute_prime(this, key_size/2, &p) != SUCCESS)
+	if (compute_prime(key_size/2, safe_prime, &p, &p1) != SUCCESS)
 	{
-		free(this);
 		return NULL;
 	}
-	if (compute_prime(this, key_size/2, &q) != SUCCESS)
+	if (compute_prime(key_size/2, safe_prime, &q, &q1) != SUCCESS)
 	{
 		mpz_clear(p);
-		free(this);
+		mpz_clear(p1);
 		return NULL;
 	}
 
-	mpz_init(t);
-	mpz_init(n);
-	mpz_init(d);
-	mpz_init(exp1);
-	mpz_init(exp2);
-	mpz_init(coeff);
-
 	/* Swapping Primes so p is larger then q */
 	if (mpz_cmp(p, q) < 0)
 	{
 		mpz_swap(p, q);
+		mpz_swap(p1, q1);
 	}
 
-	mpz_mul(n, p, q);						/* n = p*q */
-	mpz_init_set_ui(e, PUBLIC_EXPONENT);	/* assign public exponent */
-	mpz_init_set(m, p);					/* m = p */
-	mpz_sub_ui(m, m, 1);					/* m = m -1 */
-	mpz_init_set(q1, q);					/* q1 = q */
-	mpz_sub_ui(q1, q1, 1);					/* q1 = q1 -1 */
-	mpz_gcd(t, m, q1);						/* t = gcd(p-1, q-1) */
-	mpz_mul(m, m, q1);						/* m = (p-1)*(q-1) */
-	mpz_divexact(m, m, t);					/* m = m / t */
-	mpz_gcd(t, m, e);						/* t = gcd(m, e) */
+	/* Create and initialize RSA private key object */
+	this = gmp_rsa_private_key_create_empty();
+	this->shares = shares;
+	this->threshold = threshold;
+	this->d = malloc(threshold * sizeof(mpz_t));
+	*this->p = *p;
+	*this->q = *q;
 
-	mpz_invert(d, e, m);					/* e has an inverse mod m */
-	if (mpz_cmp_ui(d, 0) < 0)				/* make sure d is positive */
-	{
-		mpz_add(d, d, m);
-	}
-	mpz_sub_ui(t, p, 1);					/* t = p-1 */
-	mpz_mod(exp1, d, t);					/* exp1 = d mod p-1 */
-	mpz_sub_ui(t, q, 1);					/* t = q-1 */
-	mpz_mod(exp2, d, t);					/* exp2 = d mod q-1 */
+	mpz_init_set_ui(this->e, PUBLIC_EXPONENT);
+	mpz_init(this->n);
+	mpz_init(this->m);
+	mpz_init(this->exp1);
+	mpz_init(this->exp2);
+	mpz_init(this->coeff);
+	mpz_init(this->v);
+	mpz_init(d);
 
-	mpz_invert(coeff, q, p);				/* coeff = q^-1 mod p */
-	if (mpz_cmp_ui(coeff, 0) < 0)			/* make coeff d is positive */
+	mpz_mul(this->n, p, q);					/* n = p*q */
+	mpz_lcm(this->m, p1, q1);				/* m = lcm(p-1,q-1) */
+	mpz_invert(d, this->e, this->m);		/* e has an inverse mod m */
+	mpz_mod(this->exp1, d, p1);				/* exp1 = d mod p-1 */
+	mpz_mod(this->exp2, d, q1);				/* exp2 = d mod q-1 */
+	mpz_invert(this->coeff, q, p);			/* coeff = q^-1 mod p */
+
+	invert_failed = mpz_cmp_ui(this->m, 0) == 0 ||
+					mpz_cmp_ui(this->coeff, 0) == 0;
+
+    /* store secret exponent d */
+	(*this->d)[0] = *d;
+
+	/* generate and store random coefficients of secret sharing polynomial */
+	if (threshold > 1)
 	{
-		mpz_add(coeff, coeff, p);
+		rng_t *rng;
+		chunk_t random_bytes;
+		mpz_t u;
+		int i;
+
+		rng = lib->crypto->create_rng(lib->crypto, RNG_TRUE);
+		mpz_init(u);
+
+		for (i = 1; i < threshold; i++)
+		{
+			mpz_init(d);
+
+			if (!rng->allocate_bytes(rng, key_size, &random_bytes))
+			{
+				rng_failed = TRUE;
+				continue;
+			}
+			mpz_import(d, random_bytes.len, 1, 1, 1, 0, random_bytes.ptr);
+			mpz_mod(d, d, this->m);
+			(*this->d)[i] = *d;
+			chunk_clear(&random_bytes);
+		}
+
+		/* generate verification key v as a square number */
+		do
+		{
+			if (!rng->allocate_bytes(rng, key_size, &random_bytes))
+			{
+				rng_failed = TRUE;
+				break;
+			}
+			mpz_import(this->v, random_bytes.len, 1, 1, 1, 0, random_bytes.ptr);
+			mpz_mul(this->v, this->v, this->v);
+			mpz_mod(this->v, this->v, this->n);
+			mpz_gcd(u, this->v, this->n);
+			chunk_free(&random_bytes);
+		}
+		while (mpz_cmp_ui(u, 1) != 0);
+
+		mpz_clear(u);
+		rng->destroy(rng);
 	}
 
+	mpz_clear_sensitive(p1);
 	mpz_clear_sensitive(q1);
-	mpz_clear_sensitive(m);
-	mpz_clear_sensitive(t);
-
-	/* apply values */
-	*(this->p) = *p;
-	*(this->q) = *q;
-	*(this->n) = *n;
-	*(this->e) = *e;
-	*(this->d) = *d;
-	*(this->exp1) = *exp1;
-	*(this->exp2) = *exp2;
-	*(this->coeff) = *coeff;
+
+	if (rng_failed || invert_failed)
+	{
+		DBG1(DBG_LIB, "rsa key generation failed");
+		destroy(this);
+		return NULL;
+	}
 
 	/* set key size in bytes */
 	this->k = key_size;
@@ -701,8 +803,8 @@ gmp_rsa_private_key_t *gmp_rsa_private_key_gen(key_type_t type, va_list args)
  */
 gmp_rsa_private_key_t *gmp_rsa_private_key_load(key_type_t type, va_list args)
 {
-	chunk_t n, e, d, p, q, exp1, exp2, coeff;
 	private_gmp_rsa_private_key_t *this;
+	chunk_t n, e, d, p, q, exp1, exp2, coeff;
 
 	n = e = d = p = q = exp1 = exp2 = coeff = chunk_empty;
 	while (TRUE)
@@ -743,25 +845,28 @@ gmp_rsa_private_key_t *gmp_rsa_private_key_load(key_type_t type, va_list args)
 
 	this = gmp_rsa_private_key_create_empty();
 
+	this->d = malloc(sizeof(mpz_t));
 	mpz_init(this->n);
 	mpz_init(this->e);
+	mpz_init(*this->d);
 	mpz_init(this->p);
 	mpz_init(this->q);
-	mpz_init(this->d);
+	mpz_init(this->m);
 	mpz_init(this->exp1);
 	mpz_init(this->exp2);
 	mpz_init(this->coeff);
+	mpz_init(this->v);
 
 	mpz_import(this->n, n.len, 1, 1, 1, 0, n.ptr);
 	mpz_import(this->e, e.len, 1, 1, 1, 0, e.ptr);
-	mpz_import(this->d, d.len, 1, 1, 1, 0, d.ptr);
+	mpz_import(*this->d, d.len, 1, 1, 1, 0, d.ptr);
 	mpz_import(this->p, p.len, 1, 1, 1, 0, p.ptr);
 	mpz_import(this->q, q.len, 1, 1, 1, 0, q.ptr);
 	mpz_import(this->coeff, coeff.len, 1, 1, 1, 0, coeff.ptr);
 	if (!exp1.len)
 	{	/* exp1 missing in key, recalculate: exp1 = d mod (p-1) */
 		mpz_sub_ui(this->exp1, this->p, 1);
-		mpz_mod(this->exp1, this->d, this->exp1);
+		mpz_mod(this->exp1, *this->d, this->exp1);
 	}
 	else
 	{
@@ -770,7 +875,7 @@ gmp_rsa_private_key_t *gmp_rsa_private_key_load(key_type_t type, va_list args)
 	if (!exp2.len)
 	{	/* exp2 missing in key, recalculate: exp2 = d mod (q-1) */
 		mpz_sub_ui(this->exp2, this->q, 1);
-		mpz_mod(this->exp2, this->d, this->exp2);
+		mpz_mod(this->exp2, *this->d, this->exp2);
 	}
 	else
 	{
diff --git a/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c b/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c
index 2d84f0025..ad659e4d7 100644
--- a/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c
+++ b/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c
@@ -22,7 +22,7 @@
 
 #include "gmp_rsa_public_key.h"
 
-#include <debug.h>
+#include <utils/debug.h>
 #include <asn1/oid.h>
 #include <asn1/asn1.h>
 #include <asn1/asn1_parser.h>
@@ -361,6 +361,8 @@ METHOD(public_key_t, encrypt_, bool,
 	}
 	rng->destroy(rng);
 
+	pos += padding;
+
 	/* append the padding terminator */
 	*pos++ = 0x00;
 
diff --git a/src/libstrongswan/plugins/hmac/Makefile.in b/src/libstrongswan/plugins/hmac/Makefile.in
index aed35cf16..6af056617 100644
--- a/src/libstrongswan/plugins/hmac/Makefile.in
+++ b/src/libstrongswan/plugins/hmac/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -73,6 +73,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
 am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
 am__installdirs = "$(DESTDIR)$(plugindir)"
 LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
 libstrongswan_hmac_la_LIBADD =
@@ -120,6 +126,7 @@ CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -147,6 +154,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -174,6 +182,7 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
@@ -186,6 +195,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -239,7 +249,6 @@ libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -368,7 +377,7 @@ clean-pluginLTLIBRARIES:
 	  echo "rm -f \"$${dir}/so_locations\""; \
 	  rm -f "$${dir}/so_locations"; \
 	done
-libstrongswan-hmac.la: $(libstrongswan_hmac_la_OBJECTS) $(libstrongswan_hmac_la_DEPENDENCIES) 
+libstrongswan-hmac.la: $(libstrongswan_hmac_la_OBJECTS) $(libstrongswan_hmac_la_DEPENDENCIES) $(EXTRA_libstrongswan_hmac_la_DEPENDENCIES) 
 	$(libstrongswan_hmac_la_LINK) $(am_libstrongswan_hmac_la_rpath) $(libstrongswan_hmac_la_OBJECTS) $(libstrongswan_hmac_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
@@ -506,10 +515,15 @@ install-am: all-am
 
 installcheck: installcheck-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
diff --git a/src/libstrongswan/plugins/ldap/Makefile.in b/src/libstrongswan/plugins/ldap/Makefile.in
index d11feddb1..95c1932bc 100644
--- a/src/libstrongswan/plugins/ldap/Makefile.in
+++ b/src/libstrongswan/plugins/ldap/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -73,6 +73,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
 am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
 am__installdirs = "$(DESTDIR)$(plugindir)"
 LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
 libstrongswan_ldap_la_DEPENDENCIES =
@@ -120,6 +126,7 @@ CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -147,6 +154,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -174,6 +182,7 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
@@ -186,6 +195,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -239,7 +249,6 @@ libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -369,7 +378,7 @@ clean-pluginLTLIBRARIES:
 	  echo "rm -f \"$${dir}/so_locations\""; \
 	  rm -f "$${dir}/so_locations"; \
 	done
-libstrongswan-ldap.la: $(libstrongswan_ldap_la_OBJECTS) $(libstrongswan_ldap_la_DEPENDENCIES) 
+libstrongswan-ldap.la: $(libstrongswan_ldap_la_OBJECTS) $(libstrongswan_ldap_la_DEPENDENCIES) $(EXTRA_libstrongswan_ldap_la_DEPENDENCIES) 
 	$(libstrongswan_ldap_la_LINK) $(am_libstrongswan_ldap_la_rpath) $(libstrongswan_ldap_la_OBJECTS) $(libstrongswan_ldap_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
@@ -507,10 +516,15 @@ install-am: all-am
 
 installcheck: installcheck-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
diff --git a/src/libstrongswan/plugins/ldap/ldap_fetcher.c b/src/libstrongswan/plugins/ldap/ldap_fetcher.c
index 75f964853..40b6d1f63 100644
--- a/src/libstrongswan/plugins/ldap/ldap_fetcher.c
+++ b/src/libstrongswan/plugins/ldap/ldap_fetcher.c
@@ -22,7 +22,7 @@
 #include <errno.h>
 
 #include <library.h>
-#include <debug.h>
+#include <utils/debug.h>
 
 #include "ldap_fetcher.h"
 
diff --git a/src/libstrongswan/plugins/md4/Makefile.in b/src/libstrongswan/plugins/md4/Makefile.in
index 14b6370f4..1abdfecd6 100644
--- a/src/libstrongswan/plugins/md4/Makefile.in
+++ b/src/libstrongswan/plugins/md4/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -73,6 +73,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
 am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
 am__installdirs = "$(DESTDIR)$(plugindir)"
 LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
 libstrongswan_md4_la_LIBADD =
@@ -120,6 +126,7 @@ CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -147,6 +154,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -174,6 +182,7 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
@@ -186,6 +195,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -239,7 +249,6 @@ libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -368,7 +377,7 @@ clean-pluginLTLIBRARIES:
 	  echo "rm -f \"$${dir}/so_locations\""; \
 	  rm -f "$${dir}/so_locations"; \
 	done
-libstrongswan-md4.la: $(libstrongswan_md4_la_OBJECTS) $(libstrongswan_md4_la_DEPENDENCIES) 
+libstrongswan-md4.la: $(libstrongswan_md4_la_OBJECTS) $(libstrongswan_md4_la_DEPENDENCIES) $(EXTRA_libstrongswan_md4_la_DEPENDENCIES) 
 	$(libstrongswan_md4_la_LINK) $(am_libstrongswan_md4_la_rpath) $(libstrongswan_md4_la_OBJECTS) $(libstrongswan_md4_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
@@ -506,10 +515,15 @@ install-am: all-am
 
 installcheck: installcheck-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
diff --git a/src/libstrongswan/plugins/md5/Makefile.in b/src/libstrongswan/plugins/md5/Makefile.in
index ba228f8ea..2e005e084 100644
--- a/src/libstrongswan/plugins/md5/Makefile.in
+++ b/src/libstrongswan/plugins/md5/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -73,6 +73,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
 am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
 am__installdirs = "$(DESTDIR)$(plugindir)"
 LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
 libstrongswan_md5_la_LIBADD =
@@ -120,6 +126,7 @@ CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -147,6 +154,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -174,6 +182,7 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
@@ -186,6 +195,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -239,7 +249,6 @@ libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -368,7 +377,7 @@ clean-pluginLTLIBRARIES:
 	  echo "rm -f \"$${dir}/so_locations\""; \
 	  rm -f "$${dir}/so_locations"; \
 	done
-libstrongswan-md5.la: $(libstrongswan_md5_la_OBJECTS) $(libstrongswan_md5_la_DEPENDENCIES) 
+libstrongswan-md5.la: $(libstrongswan_md5_la_OBJECTS) $(libstrongswan_md5_la_DEPENDENCIES) $(EXTRA_libstrongswan_md5_la_DEPENDENCIES) 
 	$(libstrongswan_md5_la_LINK) $(am_libstrongswan_md5_la_rpath) $(libstrongswan_md5_la_OBJECTS) $(libstrongswan_md5_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
@@ -506,10 +515,15 @@ install-am: all-am
 
 installcheck: installcheck-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
diff --git a/src/libstrongswan/plugins/mysql/Makefile.in b/src/libstrongswan/plugins/mysql/Makefile.in
index 88dba0967..347b57e11 100644
--- a/src/libstrongswan/plugins/mysql/Makefile.in
+++ b/src/libstrongswan/plugins/mysql/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -73,6 +73,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
 am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
 am__installdirs = "$(DESTDIR)$(plugindir)"
 LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
 am__DEPENDENCIES_1 =
@@ -122,6 +128,7 @@ CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -149,6 +156,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -176,6 +184,7 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
@@ -188,6 +197,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -241,7 +251,6 @@ libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -372,7 +381,7 @@ clean-pluginLTLIBRARIES:
 	  echo "rm -f \"$${dir}/so_locations\""; \
 	  rm -f "$${dir}/so_locations"; \
 	done
-libstrongswan-mysql.la: $(libstrongswan_mysql_la_OBJECTS) $(libstrongswan_mysql_la_DEPENDENCIES) 
+libstrongswan-mysql.la: $(libstrongswan_mysql_la_OBJECTS) $(libstrongswan_mysql_la_DEPENDENCIES) $(EXTRA_libstrongswan_mysql_la_DEPENDENCIES) 
 	$(libstrongswan_mysql_la_LINK) $(am_libstrongswan_mysql_la_rpath) $(libstrongswan_mysql_la_OBJECTS) $(libstrongswan_mysql_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
@@ -510,10 +519,15 @@ install-am: all-am
 
 installcheck: installcheck-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
diff --git a/src/libstrongswan/plugins/mysql/mysql_database.c b/src/libstrongswan/plugins/mysql/mysql_database.c
index 1a20a804a..7e1da683e 100644
--- a/src/libstrongswan/plugins/mysql/mysql_database.c
+++ b/src/libstrongswan/plugins/mysql/mysql_database.c
@@ -19,11 +19,11 @@
 
 #include "mysql_database.h"
 
-#include <debug.h>
-#include <chunk.h>
+#include <utils/debug.h>
+#include <utils/chunk.h>
 #include <threading/thread_value.h>
 #include <threading/mutex.h>
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
 
 /* Older mysql.h headers do not define it, but we need it. It is not returned
  * in in MySQL 4 by default, but by MySQL 5. To avoid this problem, we catch
diff --git a/src/libstrongswan/plugins/mysql/mysql_plugin.c b/src/libstrongswan/plugins/mysql/mysql_plugin.c
index dd8b32761..23d709739 100644
--- a/src/libstrongswan/plugins/mysql/mysql_plugin.c
+++ b/src/libstrongswan/plugins/mysql/mysql_plugin.c
@@ -16,7 +16,7 @@
 #include "mysql_plugin.h"
 
 #include <library.h>
-#include <debug.h>
+#include <utils/debug.h>
 #include "mysql_database.h"
 
 typedef struct private_mysql_plugin_t private_mysql_plugin_t;
diff --git a/src/libstrongswan/plugins/nonce/Makefile.in b/src/libstrongswan/plugins/nonce/Makefile.in
index 7ce23b4d9..03ccb8119 100644
--- a/src/libstrongswan/plugins/nonce/Makefile.in
+++ b/src/libstrongswan/plugins/nonce/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -73,6 +73,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
 am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
 am__installdirs = "$(DESTDIR)$(plugindir)"
 LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
 libstrongswan_nonce_la_LIBADD =
@@ -121,6 +127,7 @@ CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -148,6 +155,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -175,6 +183,7 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
@@ -187,6 +196,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -240,7 +250,6 @@ libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -370,7 +379,7 @@ clean-pluginLTLIBRARIES:
 	  echo "rm -f \"$${dir}/so_locations\""; \
 	  rm -f "$${dir}/so_locations"; \
 	done
-libstrongswan-nonce.la: $(libstrongswan_nonce_la_OBJECTS) $(libstrongswan_nonce_la_DEPENDENCIES) 
+libstrongswan-nonce.la: $(libstrongswan_nonce_la_OBJECTS) $(libstrongswan_nonce_la_DEPENDENCIES) $(EXTRA_libstrongswan_nonce_la_DEPENDENCIES) 
 	$(libstrongswan_nonce_la_LINK) $(am_libstrongswan_nonce_la_rpath) $(libstrongswan_nonce_la_OBJECTS) $(libstrongswan_nonce_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
@@ -508,10 +517,15 @@ install-am: all-am
 
 installcheck: installcheck-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
diff --git a/src/libstrongswan/plugins/nonce/nonce_nonceg.c b/src/libstrongswan/plugins/nonce/nonce_nonceg.c
index 0402e3574..64ed2e08d 100644
--- a/src/libstrongswan/plugins/nonce/nonce_nonceg.c
+++ b/src/libstrongswan/plugins/nonce/nonce_nonceg.c
@@ -15,7 +15,7 @@
 
 #include "nonce_nonceg.h"
 
-#include <debug.h>
+#include <utils/debug.h>
 
 typedef struct private_nonce_nonceg_t private_nonce_nonceg_t;
 
diff --git a/src/libstrongswan/plugins/openssl/Makefile.am b/src/libstrongswan/plugins/openssl/Makefile.am
index c59888663..f971a5e08 100644
--- a/src/libstrongswan/plugins/openssl/Makefile.am
+++ b/src/libstrongswan/plugins/openssl/Makefile.am
@@ -23,6 +23,7 @@ libstrongswan_openssl_la_SOURCES = \
 	openssl_ec_public_key.c openssl_ec_public_key.h \
 	openssl_x509.c openssl_x509.h \
 	openssl_crl.c openssl_crl.h \
+	openssl_pkcs7.c openssl_pkcs7.h \
 	openssl_rng.c openssl_rng.h \
 	openssl_hmac.c openssl_hmac.h
 
diff --git a/src/libstrongswan/plugins/openssl/Makefile.in b/src/libstrongswan/plugins/openssl/Makefile.in
index ada44ead3..6d4e2b0d8 100644
--- a/src/libstrongswan/plugins/openssl/Makefile.in
+++ b/src/libstrongswan/plugins/openssl/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -73,6 +73,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
 am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
 am__installdirs = "$(DESTDIR)$(plugindir)"
 LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
 libstrongswan_openssl_la_DEPENDENCIES =
@@ -82,7 +88,7 @@ am_libstrongswan_openssl_la_OBJECTS = openssl_plugin.lo \
 	openssl_rsa_private_key.lo openssl_rsa_public_key.lo \
 	openssl_ec_diffie_hellman.lo openssl_ec_private_key.lo \
 	openssl_ec_public_key.lo openssl_x509.lo openssl_crl.lo \
-	openssl_rng.lo openssl_hmac.lo
+	openssl_pkcs7.lo openssl_rng.lo openssl_hmac.lo
 libstrongswan_openssl_la_OBJECTS =  \
 	$(am_libstrongswan_openssl_la_OBJECTS)
 libstrongswan_openssl_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
@@ -128,6 +134,7 @@ CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -155,6 +162,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -182,6 +190,7 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
@@ -194,6 +203,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -247,7 +257,6 @@ libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -312,6 +321,7 @@ libstrongswan_openssl_la_SOURCES = \
 	openssl_ec_public_key.c openssl_ec_public_key.h \
 	openssl_x509.c openssl_x509.h \
 	openssl_crl.c openssl_crl.h \
+	openssl_pkcs7.c openssl_pkcs7.h \
 	openssl_rng.c openssl_rng.h \
 	openssl_hmac.c openssl_hmac.h
 
@@ -391,7 +401,7 @@ clean-pluginLTLIBRARIES:
 	  echo "rm -f \"$${dir}/so_locations\""; \
 	  rm -f "$${dir}/so_locations"; \
 	done
-libstrongswan-openssl.la: $(libstrongswan_openssl_la_OBJECTS) $(libstrongswan_openssl_la_DEPENDENCIES) 
+libstrongswan-openssl.la: $(libstrongswan_openssl_la_OBJECTS) $(libstrongswan_openssl_la_DEPENDENCIES) $(EXTRA_libstrongswan_openssl_la_DEPENDENCIES) 
 	$(libstrongswan_openssl_la_LINK) $(am_libstrongswan_openssl_la_rpath) $(libstrongswan_openssl_la_OBJECTS) $(libstrongswan_openssl_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
@@ -408,6 +418,7 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/openssl_ec_public_key.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/openssl_hasher.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/openssl_hmac.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/openssl_pkcs7.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/openssl_plugin.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/openssl_rng.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/openssl_rsa_private_key.Plo@am__quote@
@@ -542,10 +553,15 @@ install-am: all-am
 
 installcheck: installcheck-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
diff --git a/src/libstrongswan/plugins/openssl/openssl_crl.c b/src/libstrongswan/plugins/openssl/openssl_crl.c
index e529ff8a5..d4f36f58b 100644
--- a/src/libstrongswan/plugins/openssl/openssl_crl.c
+++ b/src/libstrongswan/plugins/openssl/openssl_crl.c
@@ -42,8 +42,8 @@
 #include <openssl/x509.h>
 #include <openssl/x509v3.h>
 
-#include <debug.h>
-#include <utils/enumerator.h>
+#include <utils/debug.h>
+#include <collections/enumerator.h>
 #include <credentials/certificates/x509.h>
 
 typedef struct private_openssl_crl_t private_openssl_crl_t;
diff --git a/src/libstrongswan/plugins/openssl/openssl_diffie_hellman.c b/src/libstrongswan/plugins/openssl/openssl_diffie_hellman.c
index b27aa3391..4dc5663f1 100644
--- a/src/libstrongswan/plugins/openssl/openssl_diffie_hellman.c
+++ b/src/libstrongswan/plugins/openssl/openssl_diffie_hellman.c
@@ -18,7 +18,7 @@
 
 #include "openssl_diffie_hellman.h"
 
-#include <debug.h>
+#include <utils/debug.h>
 
 typedef struct private_openssl_diffie_hellman_t private_openssl_diffie_hellman_t;
 
diff --git a/src/libstrongswan/plugins/openssl/openssl_ec_diffie_hellman.c b/src/libstrongswan/plugins/openssl/openssl_ec_diffie_hellman.c
index 9e4067589..d846278c8 100644
--- a/src/libstrongswan/plugins/openssl/openssl_ec_diffie_hellman.c
+++ b/src/libstrongswan/plugins/openssl/openssl_ec_diffie_hellman.c
@@ -23,7 +23,7 @@
 #include "openssl_ec_diffie_hellman.h"
 #include "openssl_util.h"
 
-#include <debug.h>
+#include <utils/debug.h>
 
 typedef struct private_openssl_ec_diffie_hellman_t private_openssl_ec_diffie_hellman_t;
 
diff --git a/src/libstrongswan/plugins/openssl/openssl_ec_private_key.c b/src/libstrongswan/plugins/openssl/openssl_ec_private_key.c
index 950504573..d350d050b 100644
--- a/src/libstrongswan/plugins/openssl/openssl_ec_private_key.c
+++ b/src/libstrongswan/plugins/openssl/openssl_ec_private_key.c
@@ -22,7 +22,7 @@
 #include "openssl_ec_public_key.h"
 #include "openssl_util.h"
 
-#include <debug.h>
+#include <utils/debug.h>
 
 #include <openssl/evp.h>
 #include <openssl/ecdsa.h>
diff --git a/src/libstrongswan/plugins/openssl/openssl_ec_public_key.c b/src/libstrongswan/plugins/openssl/openssl_ec_public_key.c
index 9cb68a3ab..3f5125b31 100644
--- a/src/libstrongswan/plugins/openssl/openssl_ec_public_key.c
+++ b/src/libstrongswan/plugins/openssl/openssl_ec_public_key.c
@@ -21,7 +21,7 @@
 #include "openssl_ec_public_key.h"
 #include "openssl_util.h"
 
-#include <debug.h>
+#include <utils/debug.h>
 
 #include <openssl/evp.h>
 #include <openssl/ecdsa.h>
diff --git a/src/libstrongswan/plugins/openssl/openssl_pkcs7.c b/src/libstrongswan/plugins/openssl/openssl_pkcs7.c
new file mode 100644
index 000000000..ccc426235
--- /dev/null
+++ b/src/libstrongswan/plugins/openssl/openssl_pkcs7.c
@@ -0,0 +1,790 @@
+/*
+ * Copyright (C) 2012 Martin Willi
+ * Copyright (C) 2012 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <openssl/opensslconf.h>
+
+#ifndef OPENSSL_NO_CMS
+
+#include "openssl_pkcs7.h"
+#include "openssl_util.h"
+
+#include <library.h>
+#include <utils/debug.h>
+#include <asn1/oid.h>
+#include <credentials/sets/mem_cred.h>
+
+#include <openssl/cms.h>
+
+typedef struct private_openssl_pkcs7_t private_openssl_pkcs7_t;
+
+/**
+ * Private data of an openssl_pkcs7_t object.
+ */
+struct private_openssl_pkcs7_t {
+
+	/**
+	 * Public pkcs7_t interface.
+	 */
+	pkcs7_t public;
+
+	/**
+	 * Type of this container
+	 */
+	container_type_t type;
+
+	/**
+	 * OpenSSL CMS structure
+	 */
+	CMS_ContentInfo *cms;
+};
+
+/**
+ * OpenSSL does not allow us to read the signature to verify it with our own
+ * crypto API. We define the internal CMS_SignerInfo structure here to get it.
+ */
+struct CMS_SignerInfo_st {
+	long version;
+	void *sid;
+	X509_ALGOR *digestAlgorithm;
+	STACK_OF(X509_ATTRIBUTE) *signedAttrs;
+	X509_ALGOR *signatureAlgorithm;
+	ASN1_OCTET_STRING *signature;
+	/* and more... */
+};
+
+/**
+ * And we also need access to the wrappend CMS_KeyTransRecipientInfo to
+ * read the encrypted key
+ */
+struct CMS_KeyTransRecipientInfo_st {
+	long version;
+	void *rid;
+	X509_ALGOR *keyEncryptionAlgorithm;
+	ASN1_OCTET_STRING *encryptedKey;
+};
+
+struct CMS_RecipientInfo_st {
+	int type;
+	struct CMS_KeyTransRecipientInfo_st *ktri;
+	/* and more in union... */
+};
+
+struct CMS_EncryptedContentInfo_st {
+	ASN1_OBJECT *contentType;
+	X509_ALGOR *contentEncryptionAlgorithm;
+	ASN1_OCTET_STRING *encryptedContent;
+	/* and more... */
+};
+
+struct CMS_EnvelopedData_st {
+	long version;
+	void *originatorInfo;
+	STACK_OF(CMS_RecipientInfo) *recipientInfos;
+	struct CMS_EncryptedContentInfo_st *encryptedContentInfo;
+	/* and more... */
+};
+
+struct CMS_ContentInfo_st {
+	ASN1_OBJECT *contentType;
+	struct CMS_EnvelopedData_st *envelopedData;
+	/* and more in union... */
+};
+
+/**
+ * We can't include asn1.h, declare function prototypes directly
+ */
+chunk_t asn1_wrap(int, const char *mode, ...);
+int asn1_unwrap(chunk_t*, chunk_t*);
+
+/**
+ * Enumerator over certificates
+ */
+typedef struct {
+	/** implements enumerator_t */
+	enumerator_t public;
+	/** Stack of X509 certificates */
+	STACK_OF(X509) *certs;
+	/** current enumerator position in certificates */
+	int i;
+	/** currently enumerating certificate_t */
+	certificate_t *cert;
+} cert_enumerator_t;
+
+METHOD(enumerator_t, cert_destroy, void,
+	cert_enumerator_t *this)
+{
+	DESTROY_IF(this->cert);
+	free(this);
+}
+
+METHOD(enumerator_t, cert_enumerate, bool,
+	cert_enumerator_t *this, certificate_t **out)
+{
+	if (!this->certs)
+	{
+		return FALSE;
+	}
+	while (this->i < sk_X509_num(this->certs))
+	{
+		chunk_t encoding;
+		X509 *x509;
+
+		/* clean up previous round */
+		DESTROY_IF(this->cert);
+		this->cert = NULL;
+
+		x509 = sk_X509_value(this->certs, this->i++);
+		encoding = openssl_i2chunk(X509, x509);
+		this->cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
+										BUILD_BLOB_ASN1_DER, encoding,
+										BUILD_END);
+		free(encoding.ptr);
+		if (!this->cert)
+		{
+			continue;
+		}
+		*out = this->cert;
+		return TRUE;
+	}
+	return FALSE;
+}
+
+METHOD(pkcs7_t, create_cert_enumerator, enumerator_t*,
+	private_openssl_pkcs7_t *this)
+{
+	cert_enumerator_t *enumerator;
+
+	if (this->type == CONTAINER_PKCS7_SIGNED_DATA)
+	{
+		INIT(enumerator,
+			.public = {
+				.enumerate = (void*)_cert_enumerate,
+				.destroy = _cert_destroy,
+			},
+			.certs = CMS_get1_certs(this->cms),
+		);
+		return &enumerator->public;
+	}
+	return enumerator_create_empty();
+}
+
+/**
+ * Enumerator for signatures
+ */
+typedef struct {
+	/** implements enumerator_t */
+	enumerator_t public;
+	/** Stack of signerinfos */
+	STACK_OF(CMS_SignerInfo) *signers;
+	/** current enumerator position in signers */
+	int i;
+	/** currently enumerating auth config */
+	auth_cfg_t *auth;
+	/** full CMS */
+	CMS_ContentInfo *cms;
+	/** credential set containing wrapped certificates */
+	mem_cred_t *creds;
+} signature_enumerator_t;
+
+/**
+ * Verify signerInfo signature
+ */
+static auth_cfg_t *verify_signature(CMS_SignerInfo *si, int hash_oid)
+{
+	enumerator_t *enumerator;
+	public_key_t *key;
+	certificate_t *cert;
+	auth_cfg_t *auth, *found = NULL;
+	identification_t *issuer, *serial;
+	chunk_t attrs = chunk_empty, sig, attr;
+	X509_NAME *name;
+	ASN1_INTEGER *snr;
+	int i;
+
+	if (CMS_SignerInfo_get0_signer_id(si, NULL, &name, &snr) != 1)
+	{
+		return NULL;
+	}
+	issuer = openssl_x509_name2id(name);
+	if (!issuer)
+	{
+		return NULL;
+	}
+	serial = identification_create_from_encoding(
+									ID_KEY_ID, openssl_asn1_str2chunk(snr));
+
+	/* reconstruct DER encoded attributes to verify signature */
+	for (i = 0; i < CMS_signed_get_attr_count(si); i++)
+	{
+		attr = openssl_i2chunk(X509_ATTRIBUTE, CMS_signed_get_attr(si, i));
+		attrs = chunk_cat("mm", attrs, attr);
+	}
+	/* wrap in a ASN1_SET */
+	attrs = asn1_wrap(0x31, "m", attrs);
+
+	/* TODO: find a better way to access and verify the signature */
+	sig = openssl_asn1_str2chunk(si->signature);
+	enumerator = lib->credmgr->create_trusted_enumerator(lib->credmgr,
+														KEY_RSA, serial, FALSE);
+	while (enumerator->enumerate(enumerator, &cert, &auth))
+	{
+		if (issuer->equals(issuer, cert->get_issuer(cert)))
+		{
+			key = cert->get_public_key(cert);
+			if (key)
+			{
+				if (key->verify(key, signature_scheme_from_oid(hash_oid),
+								attrs, sig))
+				{
+					found = auth->clone(auth);
+					key->destroy(key);
+					break;
+				}
+				key->destroy(key);
+			}
+		}
+	}
+	enumerator->destroy(enumerator);
+	issuer->destroy(issuer);
+	serial->destroy(serial);
+	free(attrs.ptr);
+
+	return found;
+}
+
+/**
+ * Verify the message digest in the signerInfo attributes
+ */
+static bool verify_digest(CMS_ContentInfo *cms, CMS_SignerInfo *si, int hash_oid)
+{
+	ASN1_OCTET_STRING *os, **osp;
+	hash_algorithm_t hash_alg;
+	chunk_t digest, content, hash;
+	hasher_t *hasher;
+
+	os = CMS_signed_get0_data_by_OBJ(si,
+				OBJ_nid2obj(NID_pkcs9_messageDigest), -3, V_ASN1_OCTET_STRING);
+	if (!os)
+	{
+		return FALSE;
+	}
+	digest = openssl_asn1_str2chunk(os);
+	osp = CMS_get0_content(cms);
+	if (!osp)
+	{
+		return FALSE;
+	}
+	content = openssl_asn1_str2chunk(*osp);
+
+	hash_alg = hasher_algorithm_from_oid(hash_oid);
+	hasher = lib->crypto->create_hasher(lib->crypto, hash_alg);
+	if (!hasher)
+	{
+		DBG1(DBG_LIB, "hash algorithm %N not supported",
+			 hash_algorithm_names, hash_alg);
+		return FALSE;
+	}
+	if (!hasher->allocate_hash(hasher, content, &hash))
+	{
+		hasher->destroy(hasher);
+		return FALSE;
+	}
+	hasher->destroy(hasher);
+
+	if (!chunk_equals(digest, hash))
+	{
+		free(hash.ptr);
+		DBG1(DBG_LIB, "invalid messageDigest");
+		return FALSE;
+	}
+	free(hash.ptr);
+	return TRUE;
+}
+
+METHOD(enumerator_t, signature_enumerate, bool,
+	signature_enumerator_t *this, auth_cfg_t **out)
+{
+	if (!this->signers)
+	{
+		return FALSE;
+	}
+	while (this->i < sk_CMS_SignerInfo_num(this->signers))
+	{
+		CMS_SignerInfo *si;
+		X509_ALGOR *digest, *sig;
+		int hash_oid;
+
+		/* clean up previous round */
+		DESTROY_IF(this->auth);
+		this->auth = NULL;
+
+		si = sk_CMS_SignerInfo_value(this->signers, this->i++);
+
+		CMS_SignerInfo_get0_algs(si, NULL, NULL, &digest, &sig);
+		hash_oid = openssl_asn1_known_oid(digest->algorithm);
+		if (openssl_asn1_known_oid(sig->algorithm) != OID_RSA_ENCRYPTION)
+		{
+			DBG1(DBG_LIB, "only RSA digest encryption supported");
+			continue;
+		}
+		this->auth = verify_signature(si, hash_oid);
+		if (!this->auth)
+		{
+			DBG1(DBG_LIB, "unable to verify pkcs7 attributes signature");
+			continue;
+		}
+		if (!verify_digest(this->cms, si, hash_oid))
+		{
+			continue;
+		}
+		*out = this->auth;
+		return TRUE;
+	}
+	return FALSE;
+}
+
+METHOD(enumerator_t, signature_destroy, void,
+	signature_enumerator_t *this)
+{
+	lib->credmgr->remove_local_set(lib->credmgr, &this->creds->set);
+	this->creds->destroy(this->creds);
+	DESTROY_IF(this->auth);
+	free(this);
+}
+
+METHOD(container_t, create_signature_enumerator, enumerator_t*,
+	private_openssl_pkcs7_t *this)
+{
+	signature_enumerator_t *enumerator;
+
+	if (this->type == CONTAINER_PKCS7_SIGNED_DATA)
+	{
+		enumerator_t *certs;
+		certificate_t *cert;
+
+		INIT(enumerator,
+			.public = {
+				.enumerate = (void*)_signature_enumerate,
+				.destroy = _signature_destroy,
+			},
+			.cms = this->cms,
+			.signers = CMS_get0_SignerInfos(this->cms),
+			.creds = mem_cred_create(),
+		);
+
+		/* make available wrapped certs during signature checking */
+		certs = create_cert_enumerator(this);
+		while (certs->enumerate(certs, &cert))
+		{
+			enumerator->creds->add_cert(enumerator->creds, FALSE,
+										cert->get_ref(cert));
+		}
+		certs->destroy(certs);
+
+		lib->credmgr->add_local_set(lib->credmgr, &enumerator->creds->set,
+									FALSE);
+
+		return &enumerator->public;
+	}
+	return enumerator_create_empty();
+}
+
+
+METHOD(container_t, get_type, container_type_t,
+	private_openssl_pkcs7_t *this)
+{
+	return this->type;
+}
+
+METHOD(pkcs7_t, get_attribute, bool,
+	private_openssl_pkcs7_t *this, int oid,
+	enumerator_t *enumerator, chunk_t *value)
+{
+	signature_enumerator_t *e;
+	CMS_SignerInfo *si;
+	X509_ATTRIBUTE *attr;
+	ASN1_TYPE *type;
+	chunk_t chunk, wrapped;
+	int i;
+
+	e = (signature_enumerator_t*)enumerator;
+	if (e->i <= 0)
+	{
+		return FALSE;
+	}
+
+	/* "i" gets incremeneted after enumerate(), hence read from previous */
+	si = sk_CMS_SignerInfo_value(e->signers, e->i - 1);
+	for (i = 0; i < CMS_signed_get_attr_count(si); i++)
+	{
+		attr = CMS_signed_get_attr(si, i);
+		if (!attr->single && sk_ASN1_TYPE_num(attr->value.set) == 1 &&
+			openssl_asn1_known_oid(attr->object) == oid)
+		{
+			/* get first value in SET */
+			type = sk_ASN1_TYPE_value(attr->value.set, 0);
+			chunk = wrapped = openssl_i2chunk(ASN1_TYPE, type);
+			if (asn1_unwrap(&chunk, &chunk) != 0x100 /* ASN1_INVALID */)
+			{
+				*value = chunk_clone(chunk);
+				free(wrapped.ptr);
+				return TRUE;
+			}
+			free(wrapped.ptr);
+		}
+	}
+	return FALSE;
+}
+
+/**
+ * Find a private key for issuerAndSerialNumber
+ */
+static private_key_t *find_private(identification_t *issuer,
+								   identification_t *serial)
+{
+	enumerator_t *enumerator;
+	certificate_t *cert;
+	public_key_t *public;
+	private_key_t *private = NULL;
+	identification_t *id;
+	chunk_t fp;
+
+	enumerator = lib->credmgr->create_cert_enumerator(lib->credmgr,
+											CERT_X509, KEY_RSA, serial, FALSE);
+	while (enumerator->enumerate(enumerator, &cert))
+	{
+		if (issuer->equals(issuer, cert->get_issuer(cert)))
+		{
+			public = cert->get_public_key(cert);
+			if (public)
+			{
+				if (public->get_fingerprint(public, KEYID_PUBKEY_SHA1, &fp))
+				{
+					id = identification_create_from_encoding(ID_KEY_ID, fp);
+					private = lib->credmgr->get_private(lib->credmgr,
+														KEY_ANY, id, NULL);
+					id->destroy(id);
+				}
+				public->destroy(public);
+			}
+		}
+		if (private)
+		{
+			break;
+		}
+	}
+	enumerator->destroy(enumerator);
+	return private;
+}
+
+/**
+ * Decrypt enveloped-data with a decrypted symmetric key
+ */
+static bool decrypt_symmetric(private_openssl_pkcs7_t *this, chunk_t key,
+							  chunk_t encrypted, chunk_t *plain)
+{
+	encryption_algorithm_t encr;
+	X509_ALGOR *alg;
+	crypter_t *crypter;
+	chunk_t iv;
+	size_t key_size;
+
+	/* read encryption algorithm from interal structures; TODO fixup */
+	alg = this->cms->envelopedData->encryptedContentInfo->
+												contentEncryptionAlgorithm;
+	encr = encryption_algorithm_from_oid(openssl_asn1_known_oid(alg->algorithm),
+										 &key_size);
+	if (alg->parameter->type != V_ASN1_OCTET_STRING)
+	{
+		return FALSE;
+	}
+	iv = openssl_asn1_str2chunk(alg->parameter->value.octet_string);
+
+	crypter = lib->crypto->create_crypter(lib->crypto, encr, key_size / 8);
+	if (!crypter)
+	{
+		DBG1(DBG_LIB, "crypter %N-%d not available",
+			 encryption_algorithm_names, alg, key_size);
+		return FALSE;
+	}
+	if (key.len != crypter->get_key_size(crypter))
+	{
+		DBG1(DBG_LIB, "symmetric key length is wrong");
+		crypter->destroy(crypter);
+		return FALSE;
+	}
+	if (iv.len != crypter->get_iv_size(crypter))
+	{
+		DBG1(DBG_LIB, "IV length is wrong");
+		crypter->destroy(crypter);
+		return FALSE;
+	}
+	if (!crypter->set_key(crypter, key) ||
+		!crypter->decrypt(crypter, encrypted, iv, plain))
+	{
+		crypter->destroy(crypter);
+		return FALSE;
+	}
+	crypter->destroy(crypter);
+	return TRUE;
+}
+
+/**
+ * Remove enveloped-data PKCS#7 padding from plain data
+ */
+static bool remove_padding(chunk_t *data)
+{
+	u_char *pos;
+	u_char pattern;
+	size_t padding;
+
+	if (!data->len)
+	{
+		return FALSE;
+	}
+	pos = data->ptr + data->len - 1;
+	padding = pattern = *pos;
+
+	if (padding > data->len)
+	{
+		DBG1(DBG_LIB, "padding greater than data length");
+		return FALSE;
+	}
+	data->len -= padding;
+
+	while (padding-- > 0)
+	{
+		if (*pos-- != pattern)
+		{
+			DBG1(DBG_LIB, "wrong padding pattern");
+			return FALSE;
+		}
+	}
+	return TRUE;
+}
+
+/**
+ * Decrypt PKCS#7 enveloped-data
+ */
+static bool decrypt(private_openssl_pkcs7_t *this,
+					chunk_t encrypted, chunk_t *plain)
+{
+	STACK_OF(CMS_RecipientInfo) *ris;
+	CMS_RecipientInfo *ri;
+	chunk_t chunk, key = chunk_empty;
+	int i;
+
+	ris = CMS_get0_RecipientInfos(this->cms);
+	for (i = 0; i < sk_CMS_RecipientInfo_num(ris); i++)
+	{
+		ri = sk_CMS_RecipientInfo_value(ris, i);
+		if (CMS_RecipientInfo_type(ri) == CMS_RECIPINFO_TRANS)
+		{
+			identification_t *serial, *issuer;
+			private_key_t *private;
+			X509_ALGOR *alg;
+			X509_NAME *name;
+			ASN1_INTEGER *sn;
+			u_char zero = 0;
+			int oid;
+
+			if (CMS_RecipientInfo_ktri_get0_algs(ri, NULL, NULL, &alg) == 1 &&
+				CMS_RecipientInfo_ktri_get0_signer_id(ri, NULL, &name, &sn) == 1)
+			{
+				oid = openssl_asn1_known_oid(alg->algorithm);
+				if (oid != OID_RSA_ENCRYPTION)
+				{
+					DBG1(DBG_LIB, "only RSA encryption supported in PKCS#7");
+					continue;
+				}
+				issuer = openssl_x509_name2id(name);
+				if (!issuer)
+				{
+					continue;
+				}
+				chunk = openssl_asn1_str2chunk(sn);
+				if (chunk.len && chunk.ptr[0] & 0x80)
+				{	/* if MSB is set, append a zero to make it non-negative */
+					chunk = chunk_cata("cc", chunk_from_thing(zero), chunk);
+				}
+				serial = identification_create_from_encoding(ID_KEY_ID, chunk);
+				private = find_private(issuer, serial);
+				issuer->destroy(issuer);
+				serial->destroy(serial);
+
+				if (private)
+				{
+					/* get encryptedKey from internal structure; TODO fixup */
+					chunk = openssl_asn1_str2chunk(ri->ktri->encryptedKey);
+					if (private->decrypt(private, ENCRYPT_RSA_PKCS1,
+										 chunk, &key))
+					{
+						private->destroy(private);
+						break;
+					}
+					private->destroy(private);
+				}
+			}
+		}
+	}
+	if (!key.len)
+	{
+		DBG1(DBG_LIB, "no private key found to decrypt PKCS#7");
+		return FALSE;
+	}
+	if (!decrypt_symmetric(this, key, encrypted, plain))
+	{
+		chunk_clear(&key);
+		return FALSE;
+	}
+	chunk_clear(&key);
+	if (!remove_padding(plain))
+	{
+		free(plain->ptr);
+		return FALSE;
+	}
+	return TRUE;
+}
+
+METHOD(container_t, get_data, bool,
+	private_openssl_pkcs7_t *this, chunk_t *data)
+{
+	ASN1_OCTET_STRING **os;
+	chunk_t chunk;
+
+	os = CMS_get0_content(this->cms);
+	if (os)
+	{
+		chunk = openssl_asn1_str2chunk(*os);
+		switch (this->type)
+		{
+			case CONTAINER_PKCS7_DATA:
+			case CONTAINER_PKCS7_SIGNED_DATA:
+				*data = chunk_clone(chunk);
+				return TRUE;
+			case CONTAINER_PKCS7_ENVELOPED_DATA:
+				return decrypt(this, chunk, data);
+			default:
+				break;
+		}
+	}
+	return FALSE;
+}
+
+METHOD(container_t, get_encoding, bool,
+	private_openssl_pkcs7_t *this, chunk_t *data)
+{
+	return FALSE;
+}
+
+METHOD(container_t, destroy, void,
+	private_openssl_pkcs7_t *this)
+{
+	CMS_ContentInfo_free(this->cms);
+	free(this);
+}
+
+/**
+ * Generic constructor
+ */
+static private_openssl_pkcs7_t* create_empty()
+{
+	private_openssl_pkcs7_t *this;
+
+	INIT(this,
+		.public = {
+			.container = {
+				.get_type = _get_type,
+				.create_signature_enumerator = _create_signature_enumerator,
+				.get_data = _get_data,
+				.get_encoding = _get_encoding,
+				.destroy = _destroy,
+			},
+			.get_attribute = _get_attribute,
+			.create_cert_enumerator = _create_cert_enumerator,
+		},
+	);
+
+	return this;
+}
+
+/**
+ * Parse a PKCS#7 container
+ */
+static bool parse(private_openssl_pkcs7_t *this, chunk_t blob)
+{
+	BIO *bio;
+
+	bio = BIO_new_mem_buf(blob.ptr, blob.len);
+	this->cms = d2i_CMS_bio(bio, NULL);
+	BIO_free(bio);
+
+	if (!this->cms)
+	{
+		return FALSE;
+	}
+	switch (openssl_asn1_known_oid((ASN1_OBJECT*)CMS_get0_type(this->cms)))
+	{
+		case OID_PKCS7_DATA:
+			this->type = CONTAINER_PKCS7_DATA;
+			break;
+		case OID_PKCS7_SIGNED_DATA:
+			this->type = CONTAINER_PKCS7_SIGNED_DATA;
+			break;
+		case OID_PKCS7_ENVELOPED_DATA:
+			this->type = CONTAINER_PKCS7_ENVELOPED_DATA;
+			break;
+		default:
+			return FALSE;
+	}
+
+	return TRUE;
+}
+
+/**
+ * See header
+ */
+pkcs7_t *openssl_pkcs7_load(container_type_t type, va_list args)
+{
+	chunk_t blob = chunk_empty;
+	private_openssl_pkcs7_t *this;
+
+	while (TRUE)
+	{
+		switch (va_arg(args, builder_part_t))
+		{
+			case BUILD_BLOB_ASN1_DER:
+				blob = va_arg(args, chunk_t);
+				continue;
+			case BUILD_END:
+				break;
+			default:
+				return NULL;
+		}
+		break;
+	}
+	if (blob.len)
+	{
+		this = create_empty();
+		if (parse(this, blob))
+		{
+			return &this->public;
+		}
+		destroy(this);
+	}
+	return NULL;
+}
+
+#endif /* OPENSSL_NO_CMS */
diff --git a/src/libstrongswan/plugins/openssl/openssl_pkcs7.h b/src/libstrongswan/plugins/openssl/openssl_pkcs7.h
new file mode 100644
index 000000000..2c7939ebd
--- /dev/null
+++ b/src/libstrongswan/plugins/openssl/openssl_pkcs7.h
@@ -0,0 +1,37 @@
+/*
+ * Copyright (C) 2012 Martin Willi
+ * Copyright (C) 2012 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup openssl_pkcs7 openssl_pkcs7
+ * @{ @ingroup openssl_p
+ */
+
+#ifndef OPENSSL_PKCS7_H_
+#define OPENSSL_PKCS7_H_
+
+#include <credentials/containers/pkcs7.h>
+
+/**
+ * Load a generic PKCS#7 container.
+ *
+ * The argument list must contain a single BUILD_BLOB_ASN1_DER argument.
+ *
+ * @param type		type of the container, CONTAINER_PKCS7
+ * @param args		builder_part_t argument list
+ * @return			container, NULL on failure
+ */
+pkcs7_t *openssl_pkcs7_load(container_type_t type, va_list args);
+
+#endif /** OPENSSL_PKCS7_H_ @}*/
diff --git a/src/libstrongswan/plugins/openssl/openssl_plugin.c b/src/libstrongswan/plugins/openssl/openssl_plugin.c
index b69de981e..dd6a379d2 100644
--- a/src/libstrongswan/plugins/openssl/openssl_plugin.c
+++ b/src/libstrongswan/plugins/openssl/openssl_plugin.c
@@ -25,7 +25,7 @@
 #include "openssl_plugin.h"
 
 #include <library.h>
-#include <debug.h>
+#include <utils/debug.h>
 #include <threading/thread.h>
 #include <threading/mutex.h>
 #include "openssl_util.h"
@@ -40,6 +40,7 @@
 #include "openssl_ec_public_key.h"
 #include "openssl_x509.h"
 #include "openssl_crl.h"
+#include "openssl_pkcs7.h"
 #include "openssl_rng.h"
 #include "openssl_hmac.h"
 
@@ -365,6 +366,10 @@ METHOD(plugin_t, get_features, int,
 				PLUGIN_SDEPEND(PUBKEY, KEY_DSA),
 		PLUGIN_REGISTER(CERT_DECODE, openssl_crl_load, TRUE),
 			PLUGIN_PROVIDE(CERT_DECODE, CERT_X509_CRL),
+#ifndef OPENSSL_NO_CMS
+		PLUGIN_REGISTER(CONTAINER_DECODE, openssl_pkcs7_load, TRUE),
+			PLUGIN_PROVIDE(CONTAINER_DECODE, CONTAINER_PKCS7),
+#endif /* OPENSSL_NO_CMS */
 #ifndef OPENSSL_NO_ECDH
 		/* EC DH groups */
 		PLUGIN_REGISTER(DH, openssl_ec_diffie_hellman_create),
diff --git a/src/libstrongswan/plugins/openssl/openssl_rng.c b/src/libstrongswan/plugins/openssl/openssl_rng.c
index c83244f60..d3d64f5e8 100644
--- a/src/libstrongswan/plugins/openssl/openssl_rng.c
+++ b/src/libstrongswan/plugins/openssl/openssl_rng.c
@@ -20,7 +20,7 @@
  * THE SOFTWARE.
  */
 
-#include <debug.h>
+#include <utils/debug.h>
 #include <openssl/rand.h>
 #include <openssl/err.h>
 
diff --git a/src/libstrongswan/plugins/openssl/openssl_rsa_private_key.c b/src/libstrongswan/plugins/openssl/openssl_rsa_private_key.c
index 98cd700bf..926e5928c 100644
--- a/src/libstrongswan/plugins/openssl/openssl_rsa_private_key.c
+++ b/src/libstrongswan/plugins/openssl/openssl_rsa_private_key.c
@@ -17,7 +17,7 @@
 #include "openssl_rsa_private_key.h"
 #include "openssl_rsa_public_key.h"
 
-#include <debug.h>
+#include <utils/debug.h>
 
 #include <openssl/evp.h>
 #include <openssl/rsa.h>
diff --git a/src/libstrongswan/plugins/openssl/openssl_rsa_public_key.c b/src/libstrongswan/plugins/openssl/openssl_rsa_public_key.c
index 5872a8159..0da5d2514 100644
--- a/src/libstrongswan/plugins/openssl/openssl_rsa_public_key.c
+++ b/src/libstrongswan/plugins/openssl/openssl_rsa_public_key.c
@@ -16,7 +16,7 @@
 
 #include "openssl_rsa_public_key.h"
 
-#include <debug.h>
+#include <utils/debug.h>
 
 #include <openssl/evp.h>
 #include <openssl/rsa.h>
diff --git a/src/libstrongswan/plugins/openssl/openssl_util.c b/src/libstrongswan/plugins/openssl/openssl_util.c
index 1eb1c6723..bc10dd28c 100644
--- a/src/libstrongswan/plugins/openssl/openssl_util.c
+++ b/src/libstrongswan/plugins/openssl/openssl_util.c
@@ -16,7 +16,7 @@
 
 #include "openssl_util.h"
 
-#include <debug.h>
+#include <utils/debug.h>
 
 #include <openssl/evp.h>
 #include <openssl/x509.h>
diff --git a/src/libstrongswan/plugins/openssl/openssl_x509.c b/src/libstrongswan/plugins/openssl/openssl_x509.c
index e85c5cc90..676b97f7a 100644
--- a/src/libstrongswan/plugins/openssl/openssl_x509.c
+++ b/src/libstrongswan/plugins/openssl/openssl_x509.c
@@ -47,9 +47,9 @@
 #include "openssl_x509.h"
 #include "openssl_util.h"
 
-#include <debug.h>
+#include <utils/debug.h>
 #include <asn1/oid.h>
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
 
 
 typedef struct private_openssl_x509_t private_openssl_x509_t;
@@ -327,6 +327,10 @@ METHOD(certificate_t, has_subject, id_match_t,
 		{
 			return ID_MATCH_PERFECT;
 		}
+		if (chunk_equals(get_serial(this), encoding))
+		{
+			return ID_MATCH_PERFECT;
+		}
 	}
 	best = this->subject->matches(this->subject, subject);
 	enumerator = create_subjectAltName_enumerator(this);
diff --git a/src/libstrongswan/plugins/padlock/Makefile.in b/src/libstrongswan/plugins/padlock/Makefile.in
index 5a559eadf..94feb11f9 100644
--- a/src/libstrongswan/plugins/padlock/Makefile.in
+++ b/src/libstrongswan/plugins/padlock/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -73,6 +73,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
 am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
 am__installdirs = "$(DESTDIR)$(plugindir)"
 LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
 libstrongswan_padlock_la_LIBADD =
@@ -123,6 +129,7 @@ CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -150,6 +157,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -177,6 +185,7 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
@@ -189,6 +198,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -242,7 +252,6 @@ libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -374,7 +383,7 @@ clean-pluginLTLIBRARIES:
 	  echo "rm -f \"$${dir}/so_locations\""; \
 	  rm -f "$${dir}/so_locations"; \
 	done
-libstrongswan-padlock.la: $(libstrongswan_padlock_la_OBJECTS) $(libstrongswan_padlock_la_DEPENDENCIES) 
+libstrongswan-padlock.la: $(libstrongswan_padlock_la_OBJECTS) $(libstrongswan_padlock_la_DEPENDENCIES) $(EXTRA_libstrongswan_padlock_la_DEPENDENCIES) 
 	$(libstrongswan_padlock_la_LINK) $(am_libstrongswan_padlock_la_rpath) $(libstrongswan_padlock_la_OBJECTS) $(libstrongswan_padlock_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
@@ -514,10 +523,15 @@ install-am: all-am
 
 installcheck: installcheck-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
diff --git a/src/libstrongswan/plugins/padlock/padlock_plugin.c b/src/libstrongswan/plugins/padlock/padlock_plugin.c
index 9d4afd8e8..b887c2c84 100644
--- a/src/libstrongswan/plugins/padlock/padlock_plugin.c
+++ b/src/libstrongswan/plugins/padlock/padlock_plugin.c
@@ -21,7 +21,7 @@
 #include <stdio.h>
 
 #include <library.h>
-#include <debug.h>
+#include <utils/debug.h>
 
 typedef struct private_padlock_plugin_t private_padlock_plugin_t;
 typedef enum padlock_feature_t padlock_feature_t;
diff --git a/src/libstrongswan/plugins/pem/Makefile.in b/src/libstrongswan/plugins/pem/Makefile.in
index 7988d1e74..580b39caf 100644
--- a/src/libstrongswan/plugins/pem/Makefile.in
+++ b/src/libstrongswan/plugins/pem/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -73,6 +73,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
 am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
 am__installdirs = "$(DESTDIR)$(plugindir)"
 LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
 libstrongswan_pem_la_LIBADD =
@@ -121,6 +127,7 @@ CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -148,6 +155,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -175,6 +183,7 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
@@ -187,6 +196,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -240,7 +250,6 @@ libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -371,7 +380,7 @@ clean-pluginLTLIBRARIES:
 	  echo "rm -f \"$${dir}/so_locations\""; \
 	  rm -f "$${dir}/so_locations"; \
 	done
-libstrongswan-pem.la: $(libstrongswan_pem_la_OBJECTS) $(libstrongswan_pem_la_DEPENDENCIES) 
+libstrongswan-pem.la: $(libstrongswan_pem_la_OBJECTS) $(libstrongswan_pem_la_DEPENDENCIES) $(EXTRA_libstrongswan_pem_la_DEPENDENCIES) 
 	$(libstrongswan_pem_la_LINK) $(am_libstrongswan_pem_la_rpath) $(libstrongswan_pem_la_OBJECTS) $(libstrongswan_pem_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
@@ -510,10 +519,15 @@ install-am: all-am
 
 installcheck: installcheck-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
diff --git a/src/libstrongswan/plugins/pem/pem_builder.c b/src/libstrongswan/plugins/pem/pem_builder.c
index 9b9777031..08e81b3c5 100644
--- a/src/libstrongswan/plugins/pem/pem_builder.c
+++ b/src/libstrongswan/plugins/pem/pem_builder.c
@@ -27,7 +27,7 @@
 #include <sys/mman.h>
 #include <sys/stat.h>
 
-#include <debug.h>
+#include <utils/debug.h>
 #include <library.h>
 #include <utils/lexparser.h>
 #include <asn1/asn1.h>
@@ -288,8 +288,11 @@ static status_t pem_to_bin(chunk_t *blob, bool *pgp)
 							 " not supported", (int)dek.len, dek.ptr);
 						return NOT_SUPPORTED;
 					}
-					eat_whitespace(&value);
-					iv = chunk_from_hex(value, iv.ptr);
+					if (!eat_whitespace(&value) || value.len > 2*sizeof(iv_buf))
+					{
+						return PARSE_ERROR;
+					}
+					iv = chunk_from_hex(value, iv_buf);
 				}
 			}
 			else /* state is PEM_BODY */
diff --git a/src/libstrongswan/plugins/pgp/Makefile.in b/src/libstrongswan/plugins/pgp/Makefile.in
index 65acdc196..ed0a880f6 100644
--- a/src/libstrongswan/plugins/pgp/Makefile.in
+++ b/src/libstrongswan/plugins/pgp/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -73,6 +73,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
 am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
 am__installdirs = "$(DESTDIR)$(plugindir)"
 LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
 libstrongswan_pgp_la_LIBADD =
@@ -121,6 +127,7 @@ CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -148,6 +155,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -175,6 +183,7 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
@@ -187,6 +196,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -240,7 +250,6 @@ libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -373,7 +382,7 @@ clean-pluginLTLIBRARIES:
 	  echo "rm -f \"$${dir}/so_locations\""; \
 	  rm -f "$${dir}/so_locations"; \
 	done
-libstrongswan-pgp.la: $(libstrongswan_pgp_la_OBJECTS) $(libstrongswan_pgp_la_DEPENDENCIES) 
+libstrongswan-pgp.la: $(libstrongswan_pgp_la_OBJECTS) $(libstrongswan_pgp_la_DEPENDENCIES) $(EXTRA_libstrongswan_pgp_la_DEPENDENCIES) 
 	$(libstrongswan_pgp_la_LINK) $(am_libstrongswan_pgp_la_rpath) $(libstrongswan_pgp_la_OBJECTS) $(libstrongswan_pgp_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
@@ -514,10 +523,15 @@ install-am: all-am
 
 installcheck: installcheck-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
diff --git a/src/libstrongswan/plugins/pgp/pgp_builder.c b/src/libstrongswan/plugins/pgp/pgp_builder.c
index 361157742..3ff357202 100644
--- a/src/libstrongswan/plugins/pgp/pgp_builder.c
+++ b/src/libstrongswan/plugins/pgp/pgp_builder.c
@@ -17,8 +17,8 @@
 #include "pgp_builder.h"
 #include "pgp_utils.h"
 
-#include <enum.h>
-#include <debug.h>
+#include <utils/enum.h>
+#include <utils/debug.h>
 #include <credentials/keys/private_key.h>
 
 /**
diff --git a/src/libstrongswan/plugins/pgp/pgp_cert.c b/src/libstrongswan/plugins/pgp/pgp_cert.c
index a99bed2f6..89d7094ad 100644
--- a/src/libstrongswan/plugins/pgp/pgp_cert.c
+++ b/src/libstrongswan/plugins/pgp/pgp_cert.c
@@ -18,7 +18,7 @@
 
 #include <time.h>
 
-#include <debug.h>
+#include <utils/debug.h>
 
 typedef struct private_pgp_cert_t private_pgp_cert_t;
 
diff --git a/src/libstrongswan/plugins/pgp/pgp_encoder.c b/src/libstrongswan/plugins/pgp/pgp_encoder.c
index d16d1d71b..100f3ef33 100644
--- a/src/libstrongswan/plugins/pgp/pgp_encoder.c
+++ b/src/libstrongswan/plugins/pgp/pgp_encoder.c
@@ -15,7 +15,7 @@
 
 #include "pgp_encoder.h"
 
-#include <debug.h>
+#include <utils/debug.h>
 
 /**
  * Build a PGPv3 fingerprint
diff --git a/src/libstrongswan/plugins/pgp/pgp_utils.c b/src/libstrongswan/plugins/pgp/pgp_utils.c
index 7fd905ce4..bb15627fd 100644
--- a/src/libstrongswan/plugins/pgp/pgp_utils.c
+++ b/src/libstrongswan/plugins/pgp/pgp_utils.c
@@ -15,7 +15,7 @@
 
 #include "pgp_utils.h"
 
-#include <debug.h>
+#include <utils/debug.h>
 
 ENUM_BEGIN(pgp_pubkey_alg_names, PGP_PUBKEY_ALG_RSA, PGP_PUBKEY_ALG_RSA_SIGN_ONLY,
 	"RSA",
diff --git a/src/libstrongswan/plugins/pkcs1/Makefile.in b/src/libstrongswan/plugins/pkcs1/Makefile.in
index 85246f3de..58989e574 100644
--- a/src/libstrongswan/plugins/pkcs1/Makefile.in
+++ b/src/libstrongswan/plugins/pkcs1/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -73,6 +73,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
 am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
 am__installdirs = "$(DESTDIR)$(plugindir)"
 LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
 libstrongswan_pkcs1_la_LIBADD =
@@ -122,6 +128,7 @@ CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -149,6 +156,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -176,6 +184,7 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
@@ -188,6 +197,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -241,7 +251,6 @@ libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -372,7 +381,7 @@ clean-pluginLTLIBRARIES:
 	  echo "rm -f \"$${dir}/so_locations\""; \
 	  rm -f "$${dir}/so_locations"; \
 	done
-libstrongswan-pkcs1.la: $(libstrongswan_pkcs1_la_OBJECTS) $(libstrongswan_pkcs1_la_DEPENDENCIES) 
+libstrongswan-pkcs1.la: $(libstrongswan_pkcs1_la_OBJECTS) $(libstrongswan_pkcs1_la_DEPENDENCIES) $(EXTRA_libstrongswan_pkcs1_la_DEPENDENCIES) 
 	$(libstrongswan_pkcs1_la_LINK) $(am_libstrongswan_pkcs1_la_rpath) $(libstrongswan_pkcs1_la_OBJECTS) $(libstrongswan_pkcs1_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
@@ -511,10 +520,15 @@ install-am: all-am
 
 installcheck: installcheck-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
diff --git a/src/libstrongswan/plugins/pkcs1/pkcs1_builder.c b/src/libstrongswan/plugins/pkcs1/pkcs1_builder.c
index 6d022f362..c6661fcda 100644
--- a/src/libstrongswan/plugins/pkcs1/pkcs1_builder.c
+++ b/src/libstrongswan/plugins/pkcs1/pkcs1_builder.c
@@ -17,7 +17,7 @@
 
 #include "pkcs1_builder.h"
 
-#include <debug.h>
+#include <utils/debug.h>
 #include <asn1/oid.h>
 #include <asn1/asn1.h>
 #include <asn1/asn1_parser.h>
diff --git a/src/libstrongswan/plugins/pkcs1/pkcs1_encoder.c b/src/libstrongswan/plugins/pkcs1/pkcs1_encoder.c
index 9122e8d8e..60f0ca757 100644
--- a/src/libstrongswan/plugins/pkcs1/pkcs1_encoder.c
+++ b/src/libstrongswan/plugins/pkcs1/pkcs1_encoder.c
@@ -15,7 +15,7 @@
 
 #include "pkcs1_encoder.h"
 
-#include <debug.h>
+#include <utils/debug.h>
 #include <asn1/asn1.h>
 #include <asn1/oid.h>
 
diff --git a/src/libstrongswan/plugins/pkcs11/Makefile.in b/src/libstrongswan/plugins/pkcs11/Makefile.in
index dc0ab1e82..75faadcf1 100644
--- a/src/libstrongswan/plugins/pkcs11/Makefile.in
+++ b/src/libstrongswan/plugins/pkcs11/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -73,6 +73,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
 am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
 am__installdirs = "$(DESTDIR)$(plugindir)"
 LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
 libstrongswan_pkcs11_la_LIBADD =
@@ -125,6 +131,7 @@ CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -152,6 +159,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -179,6 +187,7 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
@@ -191,6 +200,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -244,7 +254,6 @@ libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -381,7 +390,7 @@ clean-pluginLTLIBRARIES:
 	  echo "rm -f \"$${dir}/so_locations\""; \
 	  rm -f "$${dir}/so_locations"; \
 	done
-libstrongswan-pkcs11.la: $(libstrongswan_pkcs11_la_OBJECTS) $(libstrongswan_pkcs11_la_DEPENDENCIES) 
+libstrongswan-pkcs11.la: $(libstrongswan_pkcs11_la_OBJECTS) $(libstrongswan_pkcs11_la_DEPENDENCIES) $(EXTRA_libstrongswan_pkcs11_la_DEPENDENCIES) 
 	$(libstrongswan_pkcs11_la_LINK) $(am_libstrongswan_pkcs11_la_rpath) $(libstrongswan_pkcs11_la_OBJECTS) $(libstrongswan_pkcs11_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
@@ -526,10 +535,15 @@ install-am: all-am
 
 installcheck: installcheck-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
diff --git a/src/libstrongswan/plugins/pkcs11/pkcs11_creds.c b/src/libstrongswan/plugins/pkcs11/pkcs11_creds.c
index 7536ce1d3..e65f3a06b 100644
--- a/src/libstrongswan/plugins/pkcs11/pkcs11_creds.c
+++ b/src/libstrongswan/plugins/pkcs11/pkcs11_creds.c
@@ -14,9 +14,10 @@
  */
 
 #include "pkcs11_creds.h"
+#include "pkcs11_manager.h"
 
-#include <debug.h>
-#include <utils/linked_list.h>
+#include <utils/debug.h>
+#include <collections/linked_list.h>
 
 typedef struct private_pkcs11_creds_t private_pkcs11_creds_t;
 
@@ -257,3 +258,112 @@ pkcs11_creds_t *pkcs11_creds_create(pkcs11_library_t *p11, CK_SLOT_ID slot)
 
 	return &this->public;
 }
+
+/**
+ * See header.
+ */
+certificate_t *pkcs11_creds_load(certificate_type_t type, va_list args)
+{
+	chunk_t keyid = chunk_empty, data = chunk_empty;
+	enumerator_t *enumerator, *certs;
+	pkcs11_manager_t *manager;
+	pkcs11_library_t *p11;
+	certificate_t *cert = NULL;
+	CK_SLOT_ID current, slot = -1;
+	char *module = NULL;
+
+	while (TRUE)
+	{
+		switch (va_arg(args, builder_part_t))
+		{
+			case BUILD_PKCS11_KEYID:
+				keyid = va_arg(args, chunk_t);
+				continue;
+			case BUILD_PKCS11_SLOT:
+				slot = va_arg(args, int);
+				continue;
+			case BUILD_PKCS11_MODULE:
+				module = va_arg(args, char*);
+				continue;
+			case BUILD_END:
+				break;
+			default:
+				return NULL;
+		}
+		break;
+	}
+	if (!keyid.len)
+	{
+		return NULL;
+	}
+
+	manager = lib->get(lib, "pkcs11-manager");
+	if (!manager)
+	{
+		return NULL;
+	}
+	enumerator = manager->create_token_enumerator(manager);
+	while (enumerator->enumerate(enumerator, &p11, &current))
+	{
+		CK_OBJECT_CLASS class = CKO_CERTIFICATE;
+		CK_CERTIFICATE_TYPE type = CKC_X_509;
+		CK_ATTRIBUTE tmpl[] = {
+			{CKA_CLASS, &class, sizeof(class)},
+			{CKA_CERTIFICATE_TYPE, &type, sizeof(type)},
+			{CKA_ID, keyid.ptr, keyid.len},
+		};
+		CK_ATTRIBUTE attr[] = {
+			{CKA_VALUE, NULL, 0},
+		};
+		CK_OBJECT_HANDLE object;
+		CK_SESSION_HANDLE session;
+		CK_RV rv;
+
+		if (slot != -1 && slot != current)
+		{
+			continue;
+		}
+		if (module && !streq(module, p11->get_name(p11)))
+		{
+			continue;
+		}
+
+		rv = p11->f->C_OpenSession(current, CKF_SERIAL_SESSION, NULL, NULL,
+								   &session);
+		if (rv != CKR_OK)
+		{
+			DBG1(DBG_CFG, "opening PKCS#11 session failed: %N", ck_rv_names, rv);
+			continue;
+		}
+		certs = p11->create_object_enumerator(p11, session,
+									tmpl, countof(tmpl), attr, countof(attr));
+		if (certs->enumerate(certs, &object))
+		{
+			data = chunk_clone(chunk_create(attr[0].pValue, attr[0].ulValueLen));
+		}
+		certs->destroy(certs);
+		p11->f->C_CloseSession(session);
+
+		if (data.ptr)
+		{
+			break;
+		}
+	}
+	enumerator->destroy(enumerator);
+
+	if (data.ptr)
+	{
+		cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
+								  BUILD_BLOB_ASN1_DER, data, BUILD_END);
+		free(data.ptr);
+		if (!cert)
+		{
+			DBG1(DBG_CFG, "parsing PKCS#11 certificate %#B failed", &keyid);
+		}
+	}
+	else
+	{
+		DBG1(DBG_CFG, "PKCS#11 certificate %#B not found", &keyid);
+	}
+	return cert;
+}
diff --git a/src/libstrongswan/plugins/pkcs11/pkcs11_creds.h b/src/libstrongswan/plugins/pkcs11/pkcs11_creds.h
index c40a8dea6..a5a042397 100644
--- a/src/libstrongswan/plugins/pkcs11/pkcs11_creds.h
+++ b/src/libstrongswan/plugins/pkcs11/pkcs11_creds.h
@@ -65,4 +65,16 @@ struct pkcs11_creds_t {
  */
 pkcs11_creds_t *pkcs11_creds_create(pkcs11_library_t *p11, CK_SLOT_ID slot);
 
+/**
+ * Load a specific certificate from a token.
+ *
+ * Requires a BUILD_PKCS11_KEYID argument, and optionally BUILD_PKCS11_MODULE
+ * and/or BUILD_PKCS11_SLOT.
+ *
+ * @param type			certificate type, must be CERT_X509
+ * @param args			variable argument list, containing BUILD_PKCS11_KEYID.
+ * @return				loaded certificate, or NULL on failure
+ */
+certificate_t *pkcs11_creds_load(certificate_type_t type, va_list args);
+
 #endif /** PKCS11_CREDS_H_ @}*/
diff --git a/src/libstrongswan/plugins/pkcs11/pkcs11_dh.c b/src/libstrongswan/plugins/pkcs11/pkcs11_dh.c
index c870370c8..2e5af95ff 100644
--- a/src/libstrongswan/plugins/pkcs11/pkcs11_dh.c
+++ b/src/libstrongswan/plugins/pkcs11/pkcs11_dh.c
@@ -15,7 +15,7 @@
 
 #include "pkcs11_dh.h"
 
-#include <debug.h>
+#include <utils/debug.h>
 #include <library.h>
 #include <asn1/asn1.h>
 #include <asn1/oid.h>
diff --git a/src/libstrongswan/plugins/pkcs11/pkcs11_hasher.c b/src/libstrongswan/plugins/pkcs11/pkcs11_hasher.c
index 53a2bfca7..80079b9a9 100644
--- a/src/libstrongswan/plugins/pkcs11/pkcs11_hasher.c
+++ b/src/libstrongswan/plugins/pkcs11/pkcs11_hasher.c
@@ -17,7 +17,7 @@
 
 #include <unistd.h>
 
-#include <debug.h>
+#include <utils/debug.h>
 #include <threading/mutex.h>
 
 #include "pkcs11_manager.h"
diff --git a/src/libstrongswan/plugins/pkcs11/pkcs11_library.c b/src/libstrongswan/plugins/pkcs11/pkcs11_library.c
index 97c3d2fcf..7661473b1 100644
--- a/src/libstrongswan/plugins/pkcs11/pkcs11_library.c
+++ b/src/libstrongswan/plugins/pkcs11/pkcs11_library.c
@@ -21,9 +21,9 @@
 #include <dlfcn.h>
 
 #include <library.h>
-#include <debug.h>
+#include <utils/debug.h>
 #include <threading/mutex.h>
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
 
 typedef struct private_pkcs11_library_t private_pkcs11_library_t;
 
@@ -895,6 +895,7 @@ METHOD(pkcs11_library_t, destroy, void,
 {
 	this->public.f->C_Finalize(NULL);
 	dlclose(this->handle);
+	free(this->name);
 	free(this);
 }
 
@@ -1077,7 +1078,7 @@ pkcs11_library_t *pkcs11_library_create(char *name, char *file, bool os_locking)
 			.get_ck_attribute = _get_ck_attribute,
 			.destroy = _destroy,
 		},
-		.name = name,
+		.name = strdup(name),
 		.handle = dlopen(file, RTLD_LAZY),
 	);
 
diff --git a/src/libstrongswan/plugins/pkcs11/pkcs11_library.h b/src/libstrongswan/plugins/pkcs11/pkcs11_library.h
index e76e65e07..abd99ed5f 100644
--- a/src/libstrongswan/plugins/pkcs11/pkcs11_library.h
+++ b/src/libstrongswan/plugins/pkcs11/pkcs11_library.h
@@ -29,9 +29,9 @@ typedef struct pkcs11_library_t pkcs11_library_t;
 
 #include "pkcs11.h"
 
-#include <enum.h>
-#include <chunk.h>
-#include <utils/enumerator.h>
+#include <utils/enum.h>
+#include <utils/chunk.h>
+#include <collections/enumerator.h>
 
 /**
  * Optional PKCS#11 features some libraries support, some not
@@ -161,7 +161,7 @@ void pkcs11_library_trim(char *str, int len);
 /**
  * Create a pkcs11_library instance.
  *
- * @param name		an arbitrary name, for debugging
+ * @param name		an arbitrary name (for debugging), cloned
  * @param file		pkcs11 library file to dlopen()
  * @param os_lock	enforce OS Locking for this library
  * @return			library abstraction
diff --git a/src/libstrongswan/plugins/pkcs11/pkcs11_manager.c b/src/libstrongswan/plugins/pkcs11/pkcs11_manager.c
index 83c383671..8bda5b66f 100644
--- a/src/libstrongswan/plugins/pkcs11/pkcs11_manager.c
+++ b/src/libstrongswan/plugins/pkcs11/pkcs11_manager.c
@@ -15,8 +15,8 @@
 
 #include "pkcs11_manager.h"
 
-#include <debug.h>
-#include <utils/linked_list.h>
+#include <utils/debug.h>
+#include <collections/linked_list.h>
 #include <threading/thread.h>
 
 #include "pkcs11_library.h"
diff --git a/src/libstrongswan/plugins/pkcs11/pkcs11_plugin.c b/src/libstrongswan/plugins/pkcs11/pkcs11_plugin.c
index 183fce53a..9afaf123a 100644
--- a/src/libstrongswan/plugins/pkcs11/pkcs11_plugin.c
+++ b/src/libstrongswan/plugins/pkcs11/pkcs11_plugin.c
@@ -19,8 +19,8 @@
 #include "pkcs11_plugin.h"
 
 #include <library.h>
-#include <debug.h>
-#include <utils/linked_list.h>
+#include <utils/debug.h>
+#include <collections/linked_list.h>
 #include <threading/mutex.h>
 #include <threading/rwlock.h>
 
@@ -82,13 +82,18 @@ static void token_event_cb(private_pkcs11_plugin_t *this, pkcs11_library_t *p11,
 	this->handle_events_lock->read_lock(this->handle_events_lock);
 	if (add && this->handle_events)
 	{
-		creds = pkcs11_creds_create(p11, slot);
-		if (creds)
+		if (lib->settings->get_bool(lib->settings,
+						"libstrongswan.plugins.pkcs11.modules.%s.load_certs",
+						TRUE, p11->get_name(p11)))
 		{
-			this->mutex->lock(this->mutex);
-			this->creds->insert_last(this->creds, creds);
-			this->mutex->unlock(this->mutex);
-			lib->credmgr->add_set(lib->credmgr, &creds->set);
+			creds = pkcs11_creds_create(p11, slot);
+			if (creds)
+			{
+				this->mutex->lock(this->mutex);
+				this->creds->insert_last(this->creds, creds);
+				this->mutex->unlock(this->mutex);
+				lib->credmgr->add_set(lib->credmgr, &creds->set);
+			}
 		}
 	}
 	else if (this->handle_events)
@@ -147,6 +152,9 @@ static bool handle_certs(private_pkcs11_plugin_t *this,
 			token_event_cb(this, p11, slot, TRUE);
 		}
 		enumerator->destroy(enumerator);
+
+		lib->creds->add_builder(lib->creds, CRED_CERTIFICATE,
+								CERT_X509, FALSE, (void*)pkcs11_creds_load);
 	}
 	else
 	{
@@ -157,9 +165,26 @@ static bool handle_certs(private_pkcs11_plugin_t *this,
 			lib->credmgr->remove_set(lib->credmgr, &creds->set);
 			creds->destroy(creds);
 		}
+
+		lib->creds->remove_builder(lib->creds, (void*)pkcs11_creds_load);
 	}
 	return TRUE;
 }
+
+METHOD(plugin_t, reload, bool,
+	private_pkcs11_plugin_t *this)
+{
+	if (lib->settings->get_bool(lib->settings,
+					"libstrongswan.plugins.pkcs11.reload_certs", FALSE))
+	{
+		DBG1(DBG_CFG, "reloading certificates from PKCS#11 tokens");
+		handle_certs(this, NULL, FALSE, NULL);
+		handle_certs(this, NULL, TRUE, NULL);
+		return TRUE;
+	}
+	return FALSE;
+}
+
 /**
  * Add a set of features
  */
@@ -292,6 +317,7 @@ plugin_t *pkcs11_plugin_create()
 			.plugin = {
 				.get_name = _get_name,
 				.get_features = _get_features,
+				.reload = _reload,
 				.destroy = _destroy,
 			},
 		},
diff --git a/src/libstrongswan/plugins/pkcs11/pkcs11_private_key.c b/src/libstrongswan/plugins/pkcs11/pkcs11_private_key.c
index f7f7d3f79..bb9cc7a21 100644
--- a/src/libstrongswan/plugins/pkcs11/pkcs11_private_key.c
+++ b/src/libstrongswan/plugins/pkcs11/pkcs11_private_key.c
@@ -20,8 +20,9 @@
 
 #include "pkcs11_library.h"
 #include "pkcs11_manager.h"
+#include "pkcs11_public_key.h"
 
-#include <debug.h>
+#include <utils/debug.h>
 
 typedef struct private_pkcs11_private_key_t private_pkcs11_private_key_t;
 
@@ -81,12 +82,6 @@ struct private_pkcs11_private_key_t {
 	key_type_t type;
 };
 
-/**
- * Implemented in pkcs11_public_key.c
- */
-public_key_t *pkcs11_public_key_connect(pkcs11_library_t *p11,
-									int slot, key_type_t type, chunk_t keyid);
-
 
 METHOD(private_key_t, get_type, key_type_t,
 	private_pkcs11_private_key_t *this)
@@ -420,7 +415,8 @@ static pkcs11_library_t* find_lib(char *module)
 /**
  * Find the PKCS#11 lib having a keyid, and optionally a slot
  */
-static pkcs11_library_t* find_lib_by_keyid(chunk_t keyid, int *slot)
+static pkcs11_library_t* find_lib_by_keyid(chunk_t keyid, int *slot,
+										   CK_OBJECT_CLASS class)
 {
 	pkcs11_manager_t *manager;
 	enumerator_t *enumerator;
@@ -437,8 +433,7 @@ static pkcs11_library_t* find_lib_by_keyid(chunk_t keyid, int *slot)
 	{
 		if (*slot == -1 || *slot == current)
 		{
-			/* we look for a public key, it is usually readable without login */
-			CK_OBJECT_CLASS class = CKO_PUBLIC_KEY;
+			/* look for a pubkey/cert, it is usually readable without login */
 			CK_ATTRIBUTE tmpl[] = {
 				{CKA_CLASS, &class, sizeof(class)},
 				{CKA_ID, keyid.ptr, keyid.len},
@@ -576,6 +571,50 @@ static bool login(private_pkcs11_private_key_t *this, int slot)
 	return success;
 }
 
+/**
+ * Get a public key from a certificate with a given key ID.
+ */
+static public_key_t* find_pubkey_in_certs(private_pkcs11_private_key_t *this,
+										  chunk_t keyid)
+{
+	CK_OBJECT_CLASS class = CKO_CERTIFICATE;
+	CK_CERTIFICATE_TYPE type = CKC_X_509;
+	CK_ATTRIBUTE tmpl[] = {
+		{CKA_CLASS, &class, sizeof(class)},
+		{CKA_CERTIFICATE_TYPE, &type, sizeof(type)},
+		{CKA_ID, keyid.ptr, keyid.len},
+	};
+	CK_OBJECT_HANDLE object;
+	CK_ATTRIBUTE attr[] = {
+		{CKA_VALUE, NULL, 0},
+	};
+	enumerator_t *enumerator;
+	chunk_t data = chunk_empty;
+	public_key_t *key = NULL;
+	certificate_t *cert;
+
+	enumerator = this->lib->create_object_enumerator(this->lib, this->session,
+									tmpl, countof(tmpl), attr, countof(attr));
+	if (enumerator->enumerate(enumerator, &object))
+	{
+		data = chunk_clone(chunk_create(attr[0].pValue, attr[0].ulValueLen));
+	}
+	enumerator->destroy(enumerator);
+
+	if (data.ptr)
+	{
+		cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
+								  BUILD_BLOB_ASN1_DER, data, BUILD_END);
+		free(data.ptr);
+		if (cert)
+		{
+			key = cert->get_public_key(cert);
+			cert->destroy(cert);
+		}
+	}
+	return key;
+}
+
 /**
  * See header.
  */
@@ -644,7 +683,11 @@ pkcs11_private_key_t *pkcs11_private_key_connect(key_type_t type, va_list args)
 	}
 	else
 	{
-		this->lib = find_lib_by_keyid(keyid, &slot);
+		this->lib = find_lib_by_keyid(keyid, &slot, CKO_PUBLIC_KEY);
+		if (!this->lib)
+		{
+			this->lib = find_lib_by_keyid(keyid, &slot, CKO_CERTIFICATE);
+		}
 		if (!this->lib)
 		{
 			DBG1(DBG_CFG, "no PKCS#11 module found having a keyid %#B", &keyid);
@@ -678,12 +721,17 @@ pkcs11_private_key_t *pkcs11_private_key_connect(key_type_t type, va_list args)
 		return NULL;
 	}
 
-	this->pubkey = pkcs11_public_key_connect(this->lib, slot, this->type,
-											 keyid);
+	this->pubkey = pkcs11_public_key_connect(this->lib, slot, this->type, keyid);
 	if (!this->pubkey)
 	{
-		destroy(this);
-		return NULL;
+		this->pubkey = find_pubkey_in_certs(this, keyid);
+		if (!this->pubkey)
+		{
+			DBG1(DBG_CFG, "no public key or certificate found for private key "
+				 "on '%s':%d", module, slot);
+			destroy(this);
+			return NULL;
+		}
 	}
 
 	return &this->public;
diff --git a/src/libstrongswan/plugins/pkcs11/pkcs11_public_key.c b/src/libstrongswan/plugins/pkcs11/pkcs11_public_key.c
index f0d7093db..0302c0edd 100644
--- a/src/libstrongswan/plugins/pkcs11/pkcs11_public_key.c
+++ b/src/libstrongswan/plugins/pkcs11/pkcs11_public_key.c
@@ -25,7 +25,7 @@
 #include <asn1/oid.h>
 #include <asn1/asn1.h>
 #include <asn1/asn1_parser.h>
-#include <debug.h>
+#include <utils/debug.h>
 
 typedef struct private_pkcs11_public_key_t private_pkcs11_public_key_t;
 
@@ -882,20 +882,10 @@ static private_pkcs11_public_key_t *find_key_by_keyid(pkcs11_library_t *p11,
 }
 
 /**
- * Find a public key on the given token with a specific keyid.
- *
- * Used by pkcs11_private_key_t.
- *
- * TODO: if no public key is found, we should perhaps search for a certificate
- * with the given keyid and extract the key from there
- *
- * @param p11		PKCS#11 module
- * @param slot		slot id
- * @param type		type of the key
- * @param keyid		key id
+ * See header.
  */
-pkcs11_public_key_t *pkcs11_public_key_connect(pkcs11_library_t *p11,
-									int slot, key_type_t type, chunk_t keyid)
+public_key_t *pkcs11_public_key_connect(pkcs11_library_t *p11, int slot,
+										key_type_t type, chunk_t keyid)
 {
 	private_pkcs11_public_key_t *this;
 
@@ -904,5 +894,5 @@ pkcs11_public_key_t *pkcs11_public_key_connect(pkcs11_library_t *p11,
 	{
 		return NULL;
 	}
-	return &this->public;
+	return &this->public.key;
 }
diff --git a/src/libstrongswan/plugins/pkcs11/pkcs11_public_key.h b/src/libstrongswan/plugins/pkcs11/pkcs11_public_key.h
index b3ea725a2..4585e736e 100644
--- a/src/libstrongswan/plugins/pkcs11/pkcs11_public_key.h
+++ b/src/libstrongswan/plugins/pkcs11/pkcs11_public_key.h
@@ -26,6 +26,8 @@ typedef struct pkcs11_public_key_t pkcs11_public_key_t;
 #include <credentials/builder.h>
 #include <credentials/keys/private_key.h>
 
+#include "pkcs11_library.h"
+
 /**
  * PKCS#11 based public key implementation.
  */
@@ -46,4 +48,15 @@ struct pkcs11_public_key_t {
  */
 pkcs11_public_key_t *pkcs11_public_key_load(key_type_t type, va_list args);
 
+/**
+ * Find a public key on the given token with a specific keyid.
+ *
+ * @param p11		PKCS#11 module
+ * @param slot		slot id
+ * @param type		type of the key
+ * @param keyid		key id
+ */
+public_key_t *pkcs11_public_key_connect(pkcs11_library_t *p11, int slot,
+										key_type_t type, chunk_t keyid);
+
 #endif /** PKCS11_PUBLIC_KEY_H_ @}*/
diff --git a/src/libstrongswan/plugins/pkcs11/pkcs11_rng.c b/src/libstrongswan/plugins/pkcs11/pkcs11_rng.c
index 20e4b6f76..d18028b45 100644
--- a/src/libstrongswan/plugins/pkcs11/pkcs11_rng.c
+++ b/src/libstrongswan/plugins/pkcs11/pkcs11_rng.c
@@ -15,7 +15,7 @@
 
 #include "pkcs11_rng.h"
 
-#include <debug.h>
+#include <utils/debug.h>
 
 #include "pkcs11_manager.h"
 
diff --git a/src/libstrongswan/plugins/pkcs7/Makefile.am b/src/libstrongswan/plugins/pkcs7/Makefile.am
new file mode 100644
index 000000000..6310daece
--- /dev/null
+++ b/src/libstrongswan/plugins/pkcs7/Makefile.am
@@ -0,0 +1,20 @@
+
+INCLUDES = -I$(top_srcdir)/src/libstrongswan
+
+AM_CFLAGS = -rdynamic
+
+if MONOLITHIC
+noinst_LTLIBRARIES = libstrongswan-pkcs7.la
+else
+plugin_LTLIBRARIES = libstrongswan-pkcs7.la
+endif
+
+libstrongswan_pkcs7_la_SOURCES = \
+	pkcs7_generic.h pkcs7_generic.c \
+	pkcs7_signed_data.h pkcs7_signed_data.c \
+	pkcs7_enveloped_data.h pkcs7_enveloped_data.c \
+	pkcs7_data.h pkcs7_data.c \
+	pkcs7_attributes.h pkcs7_attributes.c \
+	pkcs7_plugin.h pkcs7_plugin.c
+
+libstrongswan_pkcs7_la_LDFLAGS = -module -avoid-version
diff --git a/src/libstrongswan/plugins/pkcs7/Makefile.in b/src/libstrongswan/plugins/pkcs7/Makefile.in
new file mode 100644
index 000000000..ef45de39d
--- /dev/null
+++ b/src/libstrongswan/plugins/pkcs7/Makefile.in
@@ -0,0 +1,641 @@
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+VPATH = @srcdir@
+pkgdatadir = $(datadir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+subdir = src/libstrongswan/plugins/pkcs7
+DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+	$(top_srcdir)/m4/config/ltoptions.m4 \
+	$(top_srcdir)/m4/config/ltsugar.m4 \
+	$(top_srcdir)/m4/config/ltversion.m4 \
+	$(top_srcdir)/m4/config/lt~obsolete.m4 \
+	$(top_srcdir)/m4/macros/with.m4 \
+	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
+	$(top_srcdir)/configure.in
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+	$(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_HEADER = $(top_builddir)/config.h
+CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+    *) f=$$p;; \
+  esac;
+am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
+am__install_max = 40
+am__nobase_strip_setup = \
+  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
+am__nobase_strip = \
+  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
+am__nobase_list = $(am__nobase_strip_setup); \
+  for p in $$list; do echo "$$p $$p"; done | \
+  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
+  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
+    if (++n[$$2] == $(am__install_max)) \
+      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
+    END { for (dir in files) print dir, files[dir] }'
+am__base_list = \
+  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
+  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
+am__installdirs = "$(DESTDIR)$(plugindir)"
+LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
+libstrongswan_pkcs7_la_LIBADD =
+am_libstrongswan_pkcs7_la_OBJECTS = pkcs7_generic.lo \
+	pkcs7_signed_data.lo pkcs7_enveloped_data.lo pkcs7_data.lo \
+	pkcs7_attributes.lo pkcs7_plugin.lo
+libstrongswan_pkcs7_la_OBJECTS = $(am_libstrongswan_pkcs7_la_OBJECTS)
+libstrongswan_pkcs7_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(libstrongswan_pkcs7_la_LDFLAGS) $(LDFLAGS) -o $@
+@MONOLITHIC_FALSE@am_libstrongswan_pkcs7_la_rpath = -rpath \
+@MONOLITHIC_FALSE@	$(plugindir)
+@MONOLITHIC_TRUE@am_libstrongswan_pkcs7_la_rpath =
+DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
+depcomp = $(SHELL) $(top_srcdir)/depcomp
+am__depfiles_maybe = depfiles
+am__mv = mv -f
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
+	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CCLD = $(CC)
+LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
+	$(LDFLAGS) -o $@
+SOURCES = $(libstrongswan_pkcs7_la_SOURCES)
+DIST_SOURCES = $(libstrongswan_pkcs7_la_SOURCES)
+ETAGS = etags
+CTAGS = ctags
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
+AMTAR = @AMTAR@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+BFDLIB = @BFDLIB@
+BTLIB = @BTLIB@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
+DSYMUTIL = @DSYMUTIL@
+DUMPBIN = @DUMPBIN@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+FGREP = @FGREP@
+GPERF = @GPERF@
+GREP = @GREP@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LD = @LD@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LIPO = @LIPO@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
+MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
+NM = @NM@
+NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
+PTHREADLIB = @PTHREADLIB@
+RANLIB = @RANLIB@
+RTLIB = @RTLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
+SED = @SED@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
+STRIP = @STRIP@
+VERSION = @VERSION@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+attest_plugins = @attest_plugins@
+axis2c_CFLAGS = @axis2c_CFLAGS@
+axis2c_LIBS = @axis2c_LIBS@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+c_plugins = @c_plugins@
+charon_natt_port = @charon_natt_port@
+charon_plugins = @charon_plugins@
+charon_udp_port = @charon_udp_port@
+clearsilver_LIBS = @clearsilver_LIBS@
+datadir = @datadir@
+datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
+dev_headers = @dev_headers@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+gtk_CFLAGS = @gtk_CFLAGS@
+gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+imcvdir = @imcvdir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+ipsec_script = @ipsec_script@
+ipsec_script_upper = @ipsec_script_upper@
+ipsecdir = @ipsecdir@
+ipsecgroup = @ipsecgroup@
+ipseclibdir = @ipseclibdir@
+ipsecuser = @ipsecuser@
+libdir = @libdir@
+libexecdir = @libexecdir@
+linux_headers = @linux_headers@
+localedir = @localedir@
+localstatedir = @localstatedir@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
+mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
+mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
+nm_plugins = @nm_plugins@
+oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
+pcsclite_CFLAGS = @pcsclite_CFLAGS@
+pcsclite_LIBS = @pcsclite_LIBS@
+pdfdir = @pdfdir@
+piddir = @piddir@
+pki_plugins = @pki_plugins@
+plugindir = @plugindir@
+pool_plugins = @pool_plugins@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+random_device = @random_device@
+resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
+sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
+sharedstatedir = @sharedstatedir@
+soup_CFLAGS = @soup_CFLAGS@
+soup_LIBS = @soup_LIBS@
+srcdir = @srcdir@
+starter_plugins = @starter_plugins@
+strongswan_conf = @strongswan_conf@
+sysconfdir = @sysconfdir@
+systemdsystemunitdir = @systemdsystemunitdir@
+target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+urandom_device = @urandom_device@
+xml_CFLAGS = @xml_CFLAGS@
+xml_LIBS = @xml_LIBS@
+INCLUDES = -I$(top_srcdir)/src/libstrongswan
+AM_CFLAGS = -rdynamic
+@MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-pkcs7.la
+@MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-pkcs7.la
+libstrongswan_pkcs7_la_SOURCES = \
+	pkcs7_generic.h pkcs7_generic.c \
+	pkcs7_signed_data.h pkcs7_signed_data.c \
+	pkcs7_enveloped_data.h pkcs7_enveloped_data.c \
+	pkcs7_data.h pkcs7_data.c \
+	pkcs7_attributes.h pkcs7_attributes.c \
+	pkcs7_plugin.h pkcs7_plugin.c
+
+libstrongswan_pkcs7_la_LDFLAGS = -module -avoid-version
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .c .lo .o .obj
+$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
+	@for dep in $?; do \
+	  case '$(am__configure_deps)' in \
+	    *$$dep*) \
+	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+	        && { if test -f $@; then exit 0; else break; fi; }; \
+	      exit 1;; \
+	  esac; \
+	done; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libstrongswan/plugins/pkcs7/Makefile'; \
+	$(am__cd) $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu src/libstrongswan/plugins/pkcs7/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+	@case '$?' in \
+	  *config.status*) \
+	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+	  *) \
+	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+	esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure:  $(am__configure_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
+
+clean-noinstLTLIBRARIES:
+	-test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES)
+	@list='$(noinst_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
+	@$(NORMAL_INSTALL)
+	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	list2=; for p in $$list; do \
+	  if test -f $$p; then \
+	    list2="$$list2 $$p"; \
+	  else :; fi; \
+	done; \
+	test -z "$$list2" || { \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
+	}
+
+uninstall-pluginLTLIBRARIES:
+	@$(NORMAL_UNINSTALL)
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	for p in $$list; do \
+	  $(am__strip_dir) \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \
+	done
+
+clean-pluginLTLIBRARIES:
+	-test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES)
+	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+libstrongswan-pkcs7.la: $(libstrongswan_pkcs7_la_OBJECTS) $(libstrongswan_pkcs7_la_DEPENDENCIES) $(EXTRA_libstrongswan_pkcs7_la_DEPENDENCIES) 
+	$(libstrongswan_pkcs7_la_LINK) $(am_libstrongswan_pkcs7_la_rpath) $(libstrongswan_pkcs7_la_OBJECTS) $(libstrongswan_pkcs7_la_LIBADD) $(LIBS)
+
+mostlyclean-compile:
+	-rm -f *.$(OBJEXT)
+
+distclean-compile:
+	-rm -f *.tab.c
+
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pkcs7_attributes.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pkcs7_data.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pkcs7_enveloped_data.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pkcs7_generic.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pkcs7_plugin.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pkcs7_signed_data.Plo@am__quote@
+
+.c.o:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+
+.c.obj:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+
+.c.lo:
+@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	mkid -fID $$unique
+tags: TAGS
+
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	set x; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	shift; \
+	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
+	  test -n "$$unique" || unique=$$empty_fix; \
+	  if test $$# -gt 0; then \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      "$$@" $$unique; \
+	  else \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      $$unique; \
+	  fi; \
+	fi
+ctags: CTAGS
+CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	test -z "$(CTAGS_ARGS)$$unique" \
+	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+	     $$unique
+
+GTAGS:
+	here=`$(am__cd) $(top_builddir) && pwd` \
+	  && $(am__cd) $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) "$$here"
+
+distclean-tags:
+	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+distdir: $(DISTFILES)
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
+	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d "$(distdir)/$$file"; then \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
+	  else \
+	    test -f "$(distdir)/$$file" \
+	    || cp -p $$d/$$file "$(distdir)/$$file" \
+	    || exit 1; \
+	  fi; \
+	done
+check-am: all-am
+check: check-am
+all-am: Makefile $(LTLIBRARIES)
+installdirs:
+	for dir in "$(DESTDIR)$(plugindir)"; do \
+	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
+	done
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
+
+maintainer-clean-generic:
+	@echo "This command is intended for maintainers to use"
+	@echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-generic clean-libtool clean-noinstLTLIBRARIES \
+	clean-pluginLTLIBRARIES mostlyclean-am
+
+distclean: distclean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+	distclean-tags
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+html-am:
+
+info: info-am
+
+info-am:
+
+install-data-am: install-pluginLTLIBRARIES
+
+install-dvi: install-dvi-am
+
+install-dvi-am:
+
+install-exec-am:
+
+install-html: install-html-am
+
+install-html-am:
+
+install-info: install-info-am
+
+install-info-am:
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-pdf-am:
+
+install-ps: install-ps-am
+
+install-ps-am:
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+	mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am: uninstall-pluginLTLIBRARIES
+
+.MAKE: install-am install-strip
+
+.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
+	clean-libtool clean-noinstLTLIBRARIES clean-pluginLTLIBRARIES \
+	ctags distclean distclean-compile distclean-generic \
+	distclean-libtool distclean-tags distdir dvi dvi-am html \
+	html-am info info-am install install-am install-data \
+	install-data-am install-dvi install-dvi-am install-exec \
+	install-exec-am install-html install-html-am install-info \
+	install-info-am install-man install-pdf install-pdf-am \
+	install-pluginLTLIBRARIES install-ps install-ps-am \
+	install-strip installcheck installcheck-am installdirs \
+	maintainer-clean maintainer-clean-generic mostlyclean \
+	mostlyclean-compile mostlyclean-generic mostlyclean-libtool \
+	pdf pdf-am ps ps-am tags uninstall uninstall-am \
+	uninstall-pluginLTLIBRARIES
+
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/src/libstrongswan/plugins/pkcs7/pkcs7_attributes.c b/src/libstrongswan/plugins/pkcs7/pkcs7_attributes.c
new file mode 100644
index 000000000..ca6899786
--- /dev/null
+++ b/src/libstrongswan/plugins/pkcs7/pkcs7_attributes.c
@@ -0,0 +1,273 @@
+/*
+ * Copyright (C) 2012 Tobias Brunner
+ * Copyright (C) 2008 Andreas Steffen
+ * Hochschule fuer Technik Rapperswil, Switzerland
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <library.h>
+#include <utils/debug.h>
+
+#include <asn1/oid.h>
+#include <asn1/asn1.h>
+#include <asn1/asn1_parser.h>
+#include <collections/linked_list.h>
+
+#include "pkcs7_attributes.h"
+
+typedef struct private_pkcs7_attributes_t private_pkcs7_attributes_t;
+typedef struct attribute_t attribute_t;
+
+/**
+ * Private data of a pkcs7_attributes_t attribute list.
+ */
+struct private_pkcs7_attributes_t {
+	/**
+	 * Public interface
+	 */
+	pkcs7_attributes_t public;
+
+	/**
+	 * DER encoding of PKCS#9 attributes
+	 */
+	chunk_t encoding;
+
+	/**
+	 * Linked list of PKCS#9 attributes
+	 */
+	linked_list_t *attributes;
+};
+
+/**
+ * Definition of an attribute_t object.
+ */
+struct attribute_t {
+
+	/**
+	 * Object Identifier (OID)
+	 */
+	int oid;
+
+	/**
+	 * Attribute value
+	 */
+	chunk_t value;
+
+	/**
+	 * ASN.1 encoding
+	 */
+	chunk_t encoding;
+};
+
+/**
+ * Destroy an attribute_t object.
+ */
+static void attribute_destroy(attribute_t *this)
+{
+	free(this->value.ptr);
+	free(this);
+}
+
+/**
+ * Create an attribute_t object.
+ */
+static attribute_t *attribute_create(int oid, chunk_t value)
+{
+	attribute_t *this;
+
+	INIT(this,
+		.oid = oid,
+		.value = chunk_clone(value),
+	);
+
+	return this;
+}
+
+/**
+ * Build encoding of the attribute list
+ */
+static void build_encoding(private_pkcs7_attributes_t *this)
+{
+	enumerator_t *enumerator;
+	attribute_t *attribute;
+	u_int len = 0, count, i = 0;
+	chunk_t *chunks;
+	u_char *pos;
+
+	count = this->attributes->get_count(this->attributes);
+	chunks = malloc(sizeof(chunk_t) * count);
+
+	enumerator = this->attributes->create_enumerator(this->attributes);
+	while (enumerator->enumerate(enumerator, &attribute))
+	{
+		chunks[i] = asn1_wrap(ASN1_SEQUENCE, "mm",
+								asn1_build_known_oid(attribute->oid),
+								asn1_wrap(ASN1_SET, "c", attribute->value));
+		len += chunks[i].len;
+		i++;
+	}
+	enumerator->destroy(enumerator);
+
+	pos = asn1_build_object(&this->encoding, ASN1_SET, len);
+	for (i = 0; i < count; i++)
+	{
+		memcpy(pos, chunks[i].ptr, chunks[i].len);
+		pos += chunks[i].len;
+		free(chunks[i].ptr);
+	}
+	free(chunks);
+}
+
+METHOD(pkcs7_attributes_t, get_encoding, chunk_t,
+	private_pkcs7_attributes_t *this)
+{
+	if (!this->encoding.len)
+	{
+		build_encoding(this);
+	}
+	return this->encoding;
+}
+
+METHOD(pkcs7_attributes_t, get_attribute, chunk_t,
+	private_pkcs7_attributes_t *this, int oid)
+{
+	enumerator_t *enumerator;
+	chunk_t value = chunk_empty;
+	attribute_t *attribute;
+
+	enumerator = this->attributes->create_enumerator(this->attributes);
+	while (enumerator->enumerate(enumerator, &attribute))
+	{
+		if (attribute->oid == oid)
+		{
+			value = attribute->value;
+			break;
+		}
+	}
+	enumerator->destroy(enumerator);
+	if (value.len && asn1_unwrap(&value, &value) != ASN1_INVALID)
+	{
+		return value;
+	}
+	return chunk_empty;
+}
+
+METHOD(pkcs7_attributes_t, add_attribute, void,
+	private_pkcs7_attributes_t *this, int oid, chunk_t value)
+{
+	this->attributes->insert_last(this->attributes,
+								  attribute_create(oid, value));
+	chunk_free(&value);
+
+	/* rebuild encoding when adding attributes */
+	chunk_free(&this->encoding);
+}
+
+METHOD(pkcs7_attributes_t, destroy, void,
+	private_pkcs7_attributes_t *this)
+{
+	this->attributes->destroy_function(this->attributes,
+									   (void*)attribute_destroy);
+	free(this->encoding.ptr);
+	free(this);
+}
+
+/*
+ * Described in header.
+ */
+pkcs7_attributes_t *pkcs7_attributes_create(void)
+{
+	private_pkcs7_attributes_t *this;
+
+	INIT(this,
+		.public = {
+			.get_encoding = _get_encoding,
+			.get_attribute = _get_attribute,
+			.add_attribute = _add_attribute,
+			.destroy = _destroy,
+		},
+		.attributes = linked_list_create(),
+	);
+
+	return &this->public;
+}
+
+/**
+ * ASN.1 definition of the X.501 atttribute type
+ */
+static const asn1Object_t attributesObjects[] = {
+	{ 0, "attributes",		ASN1_SET,		ASN1_LOOP }, /* 0 */
+	{ 1,   "attribute",		ASN1_SEQUENCE,	ASN1_NONE }, /* 1 */
+	{ 2,     "type",		ASN1_OID,		ASN1_BODY }, /* 2 */
+	{ 2,     "values",		ASN1_SET,		ASN1_LOOP }, /* 3 */
+	{ 3,       "value",		ASN1_EOC,		ASN1_RAW  }, /* 4 */
+	{ 2,     "end loop",	ASN1_EOC,		ASN1_END  }, /* 5 */
+	{ 0, "end loop",		ASN1_EOC,		ASN1_END  }, /* 6 */
+	{ 0, "exit",			ASN1_EOC,		ASN1_EXIT }
+};
+#define ATTRIBUTE_OBJ_TYPE 	2
+#define ATTRIBUTE_OBJ_VALUE	4
+
+/**
+ * Parse a PKCS#9 attribute list
+ */
+static bool parse_attributes(chunk_t chunk, int level0,
+							 private_pkcs7_attributes_t* this)
+{
+	asn1_parser_t *parser;
+	chunk_t object;
+	int objectID;
+	int oid = OID_UNKNOWN;
+	bool success = FALSE;
+
+	parser = asn1_parser_create(attributesObjects, chunk);
+	parser->set_top_level(parser, level0);
+
+	while (parser->iterate(parser, &objectID, &object))
+	{
+		switch (objectID)
+		{
+			case ATTRIBUTE_OBJ_TYPE:
+				oid = asn1_known_oid(object);
+				break;
+			case ATTRIBUTE_OBJ_VALUE:
+				if (oid != OID_UNKNOWN)
+				{
+					this->attributes->insert_last(this->attributes,
+												  attribute_create(oid, object));
+				}
+				break;
+		}
+	}
+	success = parser->success(parser);
+
+	parser->destroy(parser);
+	return success;
+}
+
+ /*
+ * Described in header.
+ */
+pkcs7_attributes_t *pkcs7_attributes_create_from_chunk(chunk_t chunk,
+													   u_int level)
+{
+	private_pkcs7_attributes_t *this;
+
+	this = (private_pkcs7_attributes_t*)pkcs7_attributes_create();
+	this->encoding = chunk_clone(chunk);
+	if (!parse_attributes(chunk, level, this))
+	{
+		destroy(this);
+		return NULL;
+	}
+	return &this->public;
+}
diff --git a/src/libstrongswan/plugins/pkcs7/pkcs7_attributes.h b/src/libstrongswan/plugins/pkcs7/pkcs7_attributes.h
new file mode 100644
index 000000000..d5f6156a1
--- /dev/null
+++ b/src/libstrongswan/plugins/pkcs7/pkcs7_attributes.h
@@ -0,0 +1,79 @@
+/*
+ * Copyright (C) 2012 Tobias Brunner
+ * Copyright (C) 2008 Andreas Steffen
+ * Hochschule fuer Technik Rapperswil, Switzerland
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup pkcs7_attributes pkcs7_attributes
+ * @{ @ingroup pkcs7p
+ */
+
+#ifndef PKCS7_ATTRIBUTES_H_
+#define PKCS7_ATTRIBUTES_H_
+
+typedef struct pkcs7_attributes_t pkcs7_attributes_t;
+
+#include <library.h>
+
+/**
+ * PKCS#7 attribute lists, aka PKCS#9.
+ */
+struct pkcs7_attributes_t {
+
+	/**
+	 * Gets ASN.1 encoding of PKCS#9 attribute list.
+	 *
+	 * @return				ASN.1 encoded PKCSI#9 list
+	 */
+	chunk_t (*get_encoding) (pkcs7_attributes_t *this);
+
+	/**
+	 * Gets a PKCS#9 attribute from the list.
+	 *
+	 * @param oid			OID of the attribute
+	 * @return				value of the attribute (internal data)
+	 */
+	chunk_t (*get_attribute) (pkcs7_attributes_t *this, int oid);
+
+	/**
+	 * Adds a PKCS#9 attribute.
+	 *
+	 * @param oid			OID of the attribute
+	 * @param value			value of the attribute, with ASN1 type (gets owned)
+	 */
+	void (*add_attribute) (pkcs7_attributes_t *this, int oid, chunk_t value);
+
+	/**
+	 * Destroys the PKCS#9 attribute list.
+	 */
+	void (*destroy) (pkcs7_attributes_t *this);
+};
+
+/**
+ * Read a PKCS#7 attribute list (aka PKCS#9) from a DER encoded chunk.
+ *
+ * @param chunk		chunk containing DER encoded data
+ * @param level		ASN.1 parsing start level
+ * @return 			created pkcs9 attribute list, or NULL if invalid.
+ */
+pkcs7_attributes_t *pkcs7_attributes_create_from_chunk(chunk_t chunk, u_int level);
+
+/**
+ * Create an empty PKCS#7 attribute list, aka PKCS#9.
+ *
+ * @return 				created pkcs9 attribute list.
+ */
+pkcs7_attributes_t *pkcs7_attributes_create(void);
+
+#endif /** PKCS9_H_ @}*/
diff --git a/src/libstrongswan/plugins/pkcs7/pkcs7_data.c b/src/libstrongswan/plugins/pkcs7/pkcs7_data.c
new file mode 100644
index 000000000..06816095c
--- /dev/null
+++ b/src/libstrongswan/plugins/pkcs7/pkcs7_data.c
@@ -0,0 +1,156 @@
+/*
+ * Copyright (C) 2012 Martin Willi
+ * Copyright (C) 2012 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "pkcs7_data.h"
+
+#include <asn1/asn1.h>
+#include <asn1/oid.h>
+
+typedef struct private_pkcs7_data_t private_pkcs7_data_t;
+
+/**
+ * Private data of a PKCS#7 signed-data container.
+ */
+struct private_pkcs7_data_t {
+
+	/**
+	 * Implements pkcs7_t.
+	 */
+	pkcs7_t public;
+
+	/**
+	 * Encoded data
+	 */
+	chunk_t content;
+
+	/**
+	 * Encoded PKCS#7 data
+	 */
+	chunk_t encoding;
+};
+
+METHOD(container_t, get_type, container_type_t,
+	private_pkcs7_data_t *this)
+{
+	return CONTAINER_PKCS7_DATA;
+}
+
+METHOD(container_t, create_signature_enumerator, enumerator_t*,
+	private_pkcs7_data_t *this)
+{
+	return enumerator_create_empty();
+}
+
+METHOD(container_t, get_data, bool,
+	private_pkcs7_data_t *this, chunk_t *data)
+{
+	chunk_t chunk;
+
+	chunk = this->content;
+	if (asn1_unwrap(&chunk, &chunk) == ASN1_OCTET_STRING)
+	{
+		*data = chunk_clone(chunk);
+		return TRUE;
+	}
+	return FALSE;
+}
+
+METHOD(container_t, get_encoding, bool,
+	private_pkcs7_data_t *this, chunk_t *data)
+{
+	*data = chunk_clone(this->encoding);
+	return TRUE;
+}
+
+METHOD(container_t, destroy, void,
+	private_pkcs7_data_t *this)
+{
+	free(this->content.ptr);
+	free(this->encoding.ptr);
+	free(this);
+}
+
+/**
+ * Create an empty container
+ */
+static private_pkcs7_data_t* create_empty()
+{
+	private_pkcs7_data_t *this;
+
+	INIT(this,
+		.public = {
+			.container = {
+				.get_type = _get_type,
+				.create_signature_enumerator = _create_signature_enumerator,
+				.get_data = _get_data,
+				.get_encoding = _get_encoding,
+				.destroy = _destroy,
+			},
+			.get_attribute = (void*)return_false,
+			.create_cert_enumerator = (void*)enumerator_create_empty,
+		},
+	);
+
+	return this;
+}
+
+/**
+ * See header.
+ */
+pkcs7_t *pkcs7_data_load(chunk_t encoding, chunk_t content)
+{
+	private_pkcs7_data_t *this = create_empty();
+
+	this->encoding = chunk_clone(encoding);
+	this->content = chunk_clone(content);
+
+	return &this->public;
+}
+
+/**
+ * See header.
+ */
+pkcs7_t *pkcs7_data_gen(container_type_t type, va_list args)
+{
+	private_pkcs7_data_t *this;
+	chunk_t blob = chunk_empty;
+
+	while (TRUE)
+	{
+		switch (va_arg(args, builder_part_t))
+		{
+			case BUILD_BLOB:
+				blob = va_arg(args, chunk_t);
+				continue;
+			case BUILD_END:
+				break;
+			default:
+				return NULL;
+		}
+		break;
+	}
+
+	if (blob.len)
+	{
+		this = create_empty();
+
+		this->content = asn1_wrap(ASN1_OCTET_STRING, "c", blob);
+		this->encoding = asn1_wrap(ASN1_SEQUENCE, "mm",
+							asn1_build_known_oid(OID_PKCS7_DATA),
+							asn1_wrap(ASN1_CONTEXT_C_0, "c", this->content));
+		return &this->public;
+	}
+	return NULL;
+}
diff --git a/src/libstrongswan/plugins/pkcs7/pkcs7_data.h b/src/libstrongswan/plugins/pkcs7/pkcs7_data.h
new file mode 100644
index 000000000..86512b76f
--- /dev/null
+++ b/src/libstrongswan/plugins/pkcs7/pkcs7_data.h
@@ -0,0 +1,46 @@
+/*
+ * Copyright (C) 2012 Martin Willi
+ * Copyright (C) 2012 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup pkcs7_data pkcs7_data
+ * @{ @ingroup pkcs7p
+ */
+
+#ifndef PKCS7_DATA_H_
+#define PKCS7_DATA_H_
+
+#include <credentials/builder.h>
+#include <credentials/containers/pkcs7.h>
+
+/**
+ * Parse a PKCS#7 "data" container.
+ *
+ * @param encoding	full contentInfo encoding
+ * @param content	DER encoded content from contentInfo
+ * @return			CONTAINER_PKCS7_DATA container, NULL on failure
+ */
+pkcs7_t *pkcs7_data_load(chunk_t encoding, chunk_t content);
+
+/**
+ * Generate a PKCS#7 data container.
+ *
+ * The only accepted builder argument is BUILDER_BLOB.
+ *
+ * @param type		container type, must be CONTAINER_PKCS7_DATA
+ * @param args		builder_t arguments to use.
+ */
+pkcs7_t *pkcs7_data_gen(container_type_t type, va_list args);
+
+#endif /** PKCS7_DATA_H_ @}*/
diff --git a/src/libstrongswan/plugins/pkcs7/pkcs7_enveloped_data.c b/src/libstrongswan/plugins/pkcs7/pkcs7_enveloped_data.c
new file mode 100644
index 000000000..5cd0d8f93
--- /dev/null
+++ b/src/libstrongswan/plugins/pkcs7/pkcs7_enveloped_data.c
@@ -0,0 +1,613 @@
+/*
+ * Copyright (C) 2012 Martin Willi
+ * Copyright (C) 2012 revosec AG
+ * Copyright (C) 2012 Tobias Brunner
+ * Copyright (C) 2002-2008 Andreas Steffen
+ * Copyright (C) 2005 Jan Hutter, Martin Willi
+ * Hochschule fuer Technik Rapperswil, Switzerland
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "pkcs7_enveloped_data.h"
+
+#include <asn1/asn1.h>
+#include <asn1/asn1_parser.h>
+#include <asn1/oid.h>
+#include <credentials/certificates/x509.h>
+#include <utils/debug.h>
+
+typedef struct private_pkcs7_enveloped_data_t private_pkcs7_enveloped_data_t;
+
+/**
+ * Private data of a PKCS#7 signed-data container.
+ */
+struct private_pkcs7_enveloped_data_t {
+
+	/**
+	 * Implements pkcs7_t.
+	 */
+	pkcs7_t public;
+
+	/**
+	 * Decrypted content
+	 */
+	chunk_t content;
+
+	/**
+	 * Encrypted and encoded PKCS#7 enveloped-data
+	 */
+	chunk_t encoding;
+};
+
+/**
+ * ASN.1 definition of the PKCS#7 envelopedData type
+ */
+static const asn1Object_t envelopedDataObjects[] = {
+	{ 0, "envelopedData",					ASN1_SEQUENCE,		ASN1_NONE }, /*  0 */
+	{ 1,   "version",						ASN1_INTEGER, 		ASN1_BODY }, /*  1 */
+	{ 1,   "recipientInfos",				ASN1_SET,    		ASN1_LOOP }, /*  2 */
+	{ 2,     "recipientInfo",				ASN1_SEQUENCE, 		ASN1_BODY }, /*  3 */
+	{ 3,       "version",					ASN1_INTEGER, 		ASN1_BODY }, /*  4 */
+	{ 3,       "issuerAndSerialNumber",		ASN1_SEQUENCE,		ASN1_BODY }, /*  5 */
+	{ 4,         "issuer",					ASN1_SEQUENCE,		ASN1_OBJ  }, /*  6 */
+	{ 4,         "serial",					ASN1_INTEGER,		ASN1_BODY }, /*  7 */
+	{ 3,       "encryptionAlgorithm",		ASN1_EOC,			ASN1_RAW  }, /*  8 */
+	{ 3,       "encryptedKey",				ASN1_OCTET_STRING,	ASN1_BODY }, /*  9 */
+	{ 1,   "end loop",						ASN1_EOC,			ASN1_END  }, /* 10 */
+	{ 1,   "encryptedContentInfo",			ASN1_SEQUENCE,		ASN1_OBJ  }, /* 11 */
+	{ 2,     "contentType",					ASN1_OID,			ASN1_BODY }, /* 12 */
+	{ 2,     "contentEncryptionAlgorithm",	ASN1_EOC,			ASN1_RAW  }, /* 13 */
+	{ 2,     "encryptedContent",			ASN1_CONTEXT_S_0, 	ASN1_BODY }, /* 14 */
+	{ 0, "exit",							ASN1_EOC,			ASN1_EXIT }
+};
+#define PKCS7_VERSION					 1
+#define PKCS7_RECIPIENT_INFO_VERSION	 4
+#define PKCS7_ISSUER					 6
+#define PKCS7_SERIAL_NUMBER				 7
+#define PKCS7_ENCRYPTION_ALG			 8
+#define PKCS7_ENCRYPTED_KEY				 9
+#define PKCS7_CONTENT_TYPE				12
+#define PKCS7_CONTENT_ENC_ALGORITHM		13
+#define PKCS7_ENCRYPTED_CONTENT			14
+
+/**
+ * Find a private key for issuerAndSerialNumber
+ */
+static private_key_t *find_private(identification_t *issuer,
+								   identification_t *serial)
+{
+	enumerator_t *enumerator;
+	certificate_t *cert;
+	public_key_t *public;
+	private_key_t *private = NULL;
+	identification_t *id;
+	chunk_t fp;
+
+	enumerator = lib->credmgr->create_cert_enumerator(lib->credmgr,
+											CERT_X509, KEY_RSA, serial, FALSE);
+	while (enumerator->enumerate(enumerator, &cert))
+	{
+		if (issuer->equals(issuer, cert->get_issuer(cert)))
+		{
+			public = cert->get_public_key(cert);
+			if (public)
+			{
+				if (public->get_fingerprint(public, KEYID_PUBKEY_SHA1, &fp))
+				{
+					id = identification_create_from_encoding(ID_KEY_ID, fp);
+					private = lib->credmgr->get_private(lib->credmgr,
+														KEY_ANY, id, NULL);
+					id->destroy(id);
+				}
+				public->destroy(public);
+			}
+		}
+		if (private)
+		{
+			break;
+		}
+	}
+	enumerator->destroy(enumerator);
+	return private;
+}
+
+/**
+ * Decrypt content using a private key from "issuer"
+ */
+static bool decrypt(private_key_t *private, chunk_t key, chunk_t iv, int oid,
+					chunk_t encrypted, chunk_t *plain)
+{
+	encryption_algorithm_t alg;
+	chunk_t plain_key;
+	crypter_t *crypter;
+	size_t key_size;
+
+	alg = encryption_algorithm_from_oid(oid, &key_size);
+	if (alg == ENCR_UNDEFINED)
+	{
+		DBG1(DBG_LIB, "unsupported content encryption algorithm");
+		return FALSE;
+	}
+	if (!private->decrypt(private, ENCRYPT_RSA_PKCS1, key, &plain_key))
+	{
+		DBG1(DBG_LIB, "symmetric key could not be decrypted with rsa");
+		return FALSE;
+	}
+	crypter = lib->crypto->create_crypter(lib->crypto, alg, key_size / 8);
+	if (!crypter)
+	{
+		DBG1(DBG_LIB, "crypter %N-%d not available",
+			 encryption_algorithm_names, alg, key_size);
+		free(plain_key.ptr);
+		return FALSE;
+	}
+	if (plain_key.len != crypter->get_key_size(crypter))
+	{
+		DBG1(DBG_LIB, "symmetric key length %d is wrong", plain_key.len);
+		free(plain_key.ptr);
+		crypter->destroy(crypter);
+		return FALSE;
+	}
+	if (iv.len != crypter->get_iv_size(crypter))
+	{
+		DBG1(DBG_LIB, "IV length %d is wrong", iv.len);
+		free(plain_key.ptr);
+		crypter->destroy(crypter);
+		return FALSE;
+	}
+	if (!crypter->set_key(crypter, plain_key) ||
+		!crypter->decrypt(crypter, encrypted, iv, plain))
+	{
+		free(plain_key.ptr);
+		crypter->destroy(crypter);
+		return FALSE;
+	}
+	DBG4(DBG_LIB, "decrypted content with padding: %B", plain);
+	free(plain_key.ptr);
+	crypter->destroy(crypter);
+	return TRUE;
+}
+
+/**
+ * Remove the padding from plain data
+ */
+static bool remove_padding(private_pkcs7_enveloped_data_t *this)
+{
+	u_char *pos = this->content.ptr + this->content.len - 1;
+	u_char pattern = *pos;
+	size_t padding = pattern;
+
+	if (padding > this->content.len)
+	{
+		DBG1(DBG_LIB, "padding greater than data length");
+		return FALSE;
+	}
+	this->content.len -= padding;
+
+	while (padding-- > 0)
+	{
+		if (*pos-- != pattern)
+		{
+			DBG1(DBG_LIB, "wrong padding pattern");
+			return FALSE;
+		}
+	}
+	return TRUE;
+}
+
+/**
+ * Parse and decrypt enveloped-data
+ */
+static bool parse(private_pkcs7_enveloped_data_t *this, chunk_t content)
+{
+	asn1_parser_t *parser;
+	chunk_t object;
+	int objectID, version, alg = OID_UNKNOWN;
+	bool success = FALSE;
+	identification_t *issuer = NULL, *serial = NULL;
+	private_key_t *private = NULL;
+	chunk_t iv = chunk_empty, key = chunk_empty, encrypted = chunk_empty;
+
+	parser = asn1_parser_create(envelopedDataObjects, content);
+	parser->set_top_level(parser, 0);
+
+	while (parser->iterate(parser, &objectID, &object))
+	{
+		u_int level = parser->get_level(parser);
+
+		switch (objectID)
+		{
+			case PKCS7_VERSION:
+				version = object.len ? (int)*object.ptr : 0;
+				DBG2(DBG_LIB, "  v%d", version);
+				if (version != 0)
+				{
+					DBG1(DBG_LIB, "envelopedData version is not 0");
+					goto end;
+				}
+				break;
+			case PKCS7_RECIPIENT_INFO_VERSION:
+				version = object.len ? (int)*object.ptr : 0;
+				DBG2(DBG_LIB, "  v%d", version);
+				if (version != 0)
+				{
+					DBG1(DBG_LIB, "recipient info version is not 0");
+					goto end;
+				}
+				break;
+			case PKCS7_ISSUER:
+				if (!issuer)
+				{
+					issuer = identification_create_from_encoding(ID_DER_ASN1_DN,
+																 object);
+				}
+				break;
+			case PKCS7_SERIAL_NUMBER:
+				if (!serial)
+				{
+					serial = identification_create_from_encoding(ID_KEY_ID,
+																 object);
+				}
+				break;
+			case PKCS7_ENCRYPTION_ALG:
+				if (asn1_parse_algorithmIdentifier(object, level,
+												   NULL) != OID_RSA_ENCRYPTION)
+				{
+					DBG1(DBG_LIB, "only rsa encryption supported");
+					goto end;
+				}
+				break;
+			case PKCS7_ENCRYPTED_KEY:
+				key = object;
+				break;
+			case PKCS7_CONTENT_TYPE:
+				if (asn1_known_oid(object) != OID_PKCS7_DATA)
+				{
+					DBG1(DBG_LIB, "encrypted content not of type pkcs7 data");
+					goto end;
+				}
+				break;
+			case PKCS7_CONTENT_ENC_ALGORITHM:
+				alg = asn1_parse_algorithmIdentifier(object, level, &iv);
+				if (!asn1_parse_simple_object(&iv, ASN1_OCTET_STRING,
+											  level + 1, "IV"))
+				{
+					DBG1(DBG_LIB, "IV could not be parsed");
+					goto end;
+				}
+				break;
+			case PKCS7_ENCRYPTED_CONTENT:
+				encrypted = object;
+				break;
+		}
+	}
+	success = parser->success(parser);
+
+end:
+	parser->destroy(parser);
+	if (!success)
+	{
+		goto failed;
+	}
+	success = FALSE;
+	if (!issuer)
+	{
+		goto failed;
+	}
+	private = find_private(issuer, serial);
+	if (!private)
+	{
+		DBG1(DBG_LIB, "no private key found to decrypt pkcs7");
+		goto failed;
+	}
+	if (!decrypt(private, key, iv, alg, encrypted, &this->content))
+	{
+		goto failed;
+	}
+	if (!remove_padding(this))
+	{
+		goto failed;
+	}
+
+	success = TRUE;
+failed:
+	DESTROY_IF(issuer);
+	DESTROY_IF(serial);
+	DESTROY_IF(private);
+	return success;
+}
+
+METHOD(container_t, get_type, container_type_t,
+	private_pkcs7_enveloped_data_t *this)
+{
+	return CONTAINER_PKCS7_ENVELOPED_DATA;
+}
+
+METHOD(container_t, create_signature_enumerator, enumerator_t*,
+	private_pkcs7_enveloped_data_t *this)
+{
+	return enumerator_create_empty();
+}
+
+METHOD(container_t, get_data, bool,
+	private_pkcs7_enveloped_data_t *this, chunk_t *data)
+{
+	if (this->content.len)
+	{
+		*data = chunk_clone(this->content);
+		return TRUE;
+	}
+	return FALSE;
+}
+
+METHOD(container_t, get_encoding, bool,
+	private_pkcs7_enveloped_data_t *this, chunk_t *data)
+{
+	*data = chunk_clone(this->encoding);
+	return TRUE;
+}
+
+METHOD(container_t, destroy, void,
+	private_pkcs7_enveloped_data_t *this)
+{
+	free(this->content.ptr);
+	free(this->encoding.ptr);
+	free(this);
+}
+
+/**
+ * Generic constructor
+ */
+static private_pkcs7_enveloped_data_t* create_empty()
+{
+	private_pkcs7_enveloped_data_t *this;
+
+	INIT(this,
+		.public = {
+			.container = {
+				.get_type = _get_type,
+				.create_signature_enumerator = _create_signature_enumerator,
+				.get_data = _get_data,
+				.get_encoding = _get_encoding,
+				.destroy = _destroy,
+			},
+			.create_cert_enumerator = (void*)enumerator_create_empty,
+			.get_attribute = (void*)return_false,
+		},
+	);
+
+	return this;
+}
+
+/**
+ * See header.
+ */
+pkcs7_t *pkcs7_enveloped_data_load(chunk_t encoding, chunk_t content)
+{
+	private_pkcs7_enveloped_data_t *this = create_empty();
+
+	this->encoding = chunk_clone(encoding);
+	if (!parse(this, content))
+	{
+		destroy(this);
+		return NULL;
+	}
+
+	return &this->public;
+}
+
+/**
+ * Allocate data with an RNG
+ */
+static bool get_random(rng_quality_t quality, size_t size, chunk_t *out)
+{
+	rng_t *rng;
+
+	rng = lib->crypto->create_rng(lib->crypto, quality);
+	if (!rng)
+	{
+		return FALSE;
+	}
+	if (!rng->allocate_bytes(rng, size, out))
+	{
+		rng->destroy(rng);
+		return FALSE;
+	}
+	rng->destroy(rng);
+	return TRUE;
+}
+
+/**
+ * Encrypt symmetric key using a public key from a certificate
+ */
+static bool encrypt_key(certificate_t *cert, chunk_t in, chunk_t *out)
+{
+	public_key_t *key;
+
+	key = cert->get_public_key(cert);
+	if (!key)
+	{
+		return FALSE;
+	}
+	if (!key->encrypt(key, ENCRYPT_RSA_PKCS1, in, out))
+	{
+		key->destroy(key);
+		return FALSE;
+	}
+	key->destroy(key);
+	return TRUE;
+}
+
+/**
+ * build a DER-encoded issuerAndSerialNumber object
+ */
+static chunk_t build_issuerAndSerialNumber(certificate_t *cert)
+{
+	identification_t *issuer = cert->get_issuer(cert);
+	chunk_t serial = chunk_empty;
+
+	if (cert->get_type(cert) == CERT_X509)
+	{
+		x509_t *x509 = (x509_t*)cert;
+		serial = x509->get_serial(x509);
+	}
+
+	return asn1_wrap(ASN1_SEQUENCE, "cm",
+					 issuer->get_encoding(issuer),
+					 asn1_integer("c", serial));
+}
+
+/**
+ * Generate a new PKCS#7 enveloped-data container
+ */
+static bool generate(private_pkcs7_enveloped_data_t *this,
+				certificate_t *cert, encryption_algorithm_t alg, int key_size)
+{
+	chunk_t contentEncryptionAlgorithm, encryptedContentInfo, recipientInfo;
+	chunk_t iv, symmetricKey, protectedKey, content;
+	crypter_t *crypter;
+	size_t bs, padding;
+	int alg_oid;
+
+	alg_oid = encryption_algorithm_to_oid(alg, key_size);
+	if (alg_oid == OID_UNKNOWN)
+	{
+		DBG1(DBG_LIB, "  encryption algorithm %N not supported",
+			 encryption_algorithm_names, alg);
+		return FALSE;
+	}
+	crypter = lib->crypto->create_crypter(lib->crypto, alg, key_size / 8);
+	if (crypter == NULL)
+	{
+		DBG1(DBG_LIB, "  could not create crypter for algorithm %N",
+			 encryption_algorithm_names, alg);
+		return FALSE;
+	}
+
+	if (!get_random(RNG_TRUE, crypter->get_key_size(crypter), &symmetricKey))
+	{
+		DBG1(DBG_LIB, "  failed to allocate symmetric encryption key");
+		crypter->destroy(crypter);
+		return FALSE;
+	}
+	DBG4(DBG_LIB, "  symmetric encryption key: %B", &symmetricKey);
+
+	if (!get_random(RNG_WEAK, crypter->get_iv_size(crypter), &iv))
+	{
+		DBG1(DBG_LIB, "  failed to allocate initialization vector");
+		crypter->destroy(crypter);
+		return FALSE;
+	}
+	DBG4(DBG_LIB, "  initialization vector: %B", &iv);
+
+	bs = crypter->get_block_size(crypter);
+	padding = bs - this->content.len % bs;
+	content = chunk_alloc(this->content.len + padding);
+	memcpy(content.ptr, this->content.ptr, this->content.len);
+	memset(content.ptr + this->content.len, padding, padding);
+	DBG3(DBG_LIB, "  padded unencrypted data: %B", &content);
+
+	/* symmetric inline encryption of content */
+	if (!crypter->set_key(crypter, symmetricKey) ||
+		!crypter->encrypt(crypter, content, iv, NULL))
+	{
+		crypter->destroy(crypter);
+		chunk_clear(&symmetricKey);
+		chunk_free(&iv);
+		return FALSE;
+	}
+	crypter->destroy(crypter);
+	DBG3(DBG_LIB, "  encrypted data: %B", &content);
+
+	if (!encrypt_key(cert, symmetricKey, &protectedKey))
+	{
+		DBG1(DBG_LIB, "  encrypting symmetric key failed");
+		chunk_clear(&symmetricKey);
+		chunk_free(&iv);
+		chunk_free(&content);
+		return FALSE;
+	}
+	chunk_clear(&symmetricKey);
+
+	contentEncryptionAlgorithm = asn1_wrap(ASN1_SEQUENCE, "mm",
+				asn1_build_known_oid(alg_oid),
+				asn1_wrap(ASN1_OCTET_STRING, "m", iv));
+
+	encryptedContentInfo = asn1_wrap(ASN1_SEQUENCE, "mmm",
+				asn1_build_known_oid(OID_PKCS7_DATA),
+				contentEncryptionAlgorithm,
+				asn1_wrap(ASN1_CONTEXT_S_0, "m", content));
+
+	recipientInfo = asn1_wrap(ASN1_SEQUENCE, "cmmm",
+				ASN1_INTEGER_0,
+				build_issuerAndSerialNumber(cert),
+				asn1_algorithmIdentifier(OID_RSA_ENCRYPTION),
+				asn1_wrap(ASN1_OCTET_STRING, "m", protectedKey));
+
+	this->encoding = asn1_wrap(ASN1_SEQUENCE, "mm",
+		asn1_build_known_oid(OID_PKCS7_ENVELOPED_DATA),
+		asn1_wrap(ASN1_CONTEXT_C_0, "m",
+			asn1_wrap(ASN1_SEQUENCE, "cmm",
+				ASN1_INTEGER_0,
+				asn1_wrap(ASN1_SET, "m", recipientInfo),
+				encryptedContentInfo)));
+
+	return TRUE;
+}
+
+/**
+ * See header.
+ */
+pkcs7_t *pkcs7_enveloped_data_gen(container_type_t type, va_list args)
+{
+	private_pkcs7_enveloped_data_t *this;
+	chunk_t blob = chunk_empty;
+	encryption_algorithm_t alg = ENCR_AES_CBC;
+	certificate_t *cert = NULL;
+	int key_size = 128;
+
+	while (TRUE)
+	{
+		switch (va_arg(args, builder_part_t))
+		{
+			case BUILD_CERT:
+				cert = va_arg(args, certificate_t*);
+				continue;
+			case BUILD_ENCRYPTION_ALG:
+				alg = va_arg(args, int);
+				continue;
+			case BUILD_KEY_SIZE:
+				key_size = va_arg(args, int);
+				continue;
+			case BUILD_BLOB:
+				blob = va_arg(args, chunk_t);
+				continue;
+			case BUILD_END:
+				break;
+			default:
+				return NULL;
+		}
+		break;
+	}
+	if (blob.len && cert)
+	{
+		this = create_empty();
+
+		this->content = chunk_clone(blob);
+		if (generate(this, cert, alg, key_size))
+		{
+			return &this->public;
+		}
+		destroy(this);
+	}
+	return NULL;
+}
diff --git a/src/libstrongswan/plugins/pkcs7/pkcs7_enveloped_data.h b/src/libstrongswan/plugins/pkcs7/pkcs7_enveloped_data.h
new file mode 100644
index 000000000..5e35abd54
--- /dev/null
+++ b/src/libstrongswan/plugins/pkcs7/pkcs7_enveloped_data.h
@@ -0,0 +1,44 @@
+/*
+ * Copyright (C) 2012 Martin Willi
+ * Copyright (C) 2012 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup pkcs7_enveloped_data pkcs7_enveloped_data
+ * @{ @ingroup pkcs7p
+ */
+
+#ifndef PKCS7_ENVELOPED_DATA_H_
+#define PKCS7_ENVELOPED_DATA_H_
+
+#include <credentials/builder.h>
+#include <credentials/containers/pkcs7.h>
+
+/**
+ * Parse a PKCS#7 enveloped-data container.
+ *
+ * @param encoding	full contentInfo encoding
+ * @param content	DER encoded content from contentInfo
+ * @return			CONTAINER_PKCS7_ENVELOPED_DATA container, NULL on failure
+ */
+pkcs7_t *pkcs7_enveloped_data_load(chunk_t encoding, chunk_t content);
+
+/**
+ * Generate a PKCS#7 enveloped-data container.
+ *
+ * @param type		container type, must be CONTAINER_PKCS7_ENVELOPED_DATA
+ * @param args		builder_t arguments to use.
+ */
+pkcs7_t *pkcs7_enveloped_data_gen(container_type_t type, va_list args);
+
+#endif /** PKCS7_ENVELOPED_DATA_H_ @}*/
diff --git a/src/libstrongswan/plugins/pkcs7/pkcs7_generic.c b/src/libstrongswan/plugins/pkcs7/pkcs7_generic.c
new file mode 100644
index 000000000..35d8d11a7
--- /dev/null
+++ b/src/libstrongswan/plugins/pkcs7/pkcs7_generic.c
@@ -0,0 +1,126 @@
+/*
+ * Copyright (C) 2012 Martin Willi
+ * Copyright (C) 2012 revosec AG
+ * Copyright (C) 2012 Tobias Brunner
+ * Copyright (C) 2002-2008 Andreas Steffen
+ * Copyright (C) 2005 Jan Hutter, Martin Willi
+ * Hochschule fuer Technik Rapperswil, Switzerland
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "pkcs7_generic.h"
+#include "pkcs7_data.h"
+#include "pkcs7_signed_data.h"
+#include "pkcs7_enveloped_data.h"
+
+#include <utils/debug.h>
+#include <asn1/oid.h>
+#include <asn1/asn1.h>
+#include <asn1/asn1_parser.h>
+
+/**
+ * ASN.1 definition of the PKCS#7 ContentInfo type
+ */
+static const asn1Object_t contentInfoObjects[] = {
+	{ 0, "contentInfo",		ASN1_SEQUENCE,		ASN1_NONE }, /* 0 */
+	{ 1,   "contentType",	ASN1_OID,			ASN1_BODY }, /* 1 */
+	{ 1,   "content",		ASN1_CONTEXT_C_0,	ASN1_OPT |
+												ASN1_BODY }, /* 2 */
+	{ 1,   "end opt",		ASN1_EOC,			ASN1_END  }, /* 3 */
+	{ 0, "exit",			ASN1_EOC,			ASN1_EXIT }
+};
+#define PKCS7_INFO_TYPE		1
+#define PKCS7_INFO_CONTENT	2
+
+/**
+ * Parse PKCS#7 contentInfo object
+ */
+static pkcs7_t* parse_contentInfo(chunk_t blob)
+{
+	asn1_parser_t *parser;
+	chunk_t object, content = chunk_empty;
+	int objectID, type = OID_UNKNOWN;
+	bool success = FALSE;
+
+	parser = asn1_parser_create(contentInfoObjects, blob);
+	parser->set_top_level(parser, 0);
+
+	while (parser->iterate(parser, &objectID, &object))
+	{
+		if (objectID == PKCS7_INFO_TYPE)
+		{
+			type = asn1_known_oid(object);
+			if (type < OID_PKCS7_DATA || type > OID_PKCS7_ENCRYPTED_DATA)
+			{
+				DBG1(DBG_ASN, "unknown pkcs7 content type");
+				goto end;
+			}
+		}
+		else if (objectID == PKCS7_INFO_CONTENT)
+		{
+			content = object;
+		}
+	}
+	success = parser->success(parser);
+
+end:
+	parser->destroy(parser);
+
+	if (success)
+	{
+		switch (type)
+		{
+			case OID_PKCS7_DATA:
+				return pkcs7_data_load(blob, content);
+			case OID_PKCS7_SIGNED_DATA:
+				return pkcs7_signed_data_load(blob, content);
+			case OID_PKCS7_ENVELOPED_DATA:
+				return pkcs7_enveloped_data_load(blob, content);
+			default:
+				DBG1(DBG_ASN, "pkcs7 content type %d not supported", type);
+				return NULL;
+		}
+	}
+	return NULL;
+}
+
+
+pkcs7_t *pkcs7_generic_load(container_type_t type, va_list args)
+{
+	chunk_t blob = chunk_empty;
+
+	while (TRUE)
+	{
+		switch (va_arg(args, builder_part_t))
+		{
+			case BUILD_BLOB_ASN1_DER:
+				blob = va_arg(args, chunk_t);
+				continue;
+			case BUILD_END:
+				break;
+			default:
+				return NULL;
+		}
+		break;
+	}
+	if (blob.len)
+	{
+		if (blob.len >= 2 &&
+			blob.ptr[0] == ASN1_SEQUENCE && blob.ptr[1] == 0x80)
+		{	/* looks like infinite length BER encoding, but we can't handle it.
+			 * ignore silently, our openssl backend can handle it */
+			return NULL;
+		}
+		return parse_contentInfo(blob);
+	}
+	return NULL;
+}
diff --git a/src/libstrongswan/plugins/pkcs7/pkcs7_generic.h b/src/libstrongswan/plugins/pkcs7/pkcs7_generic.h
new file mode 100644
index 000000000..819343c4d
--- /dev/null
+++ b/src/libstrongswan/plugins/pkcs7/pkcs7_generic.h
@@ -0,0 +1,38 @@
+/*
+ * Copyright (C) 2012 Martin Willi
+ * Copyright (C) 2012 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup pkcs7_generic pkcs7_generic
+ * @{ @ingroup pkcs7p
+ */
+
+#ifndef PKCS7_GENERIC_H_
+#define PKCS7_GENERIC_H_
+
+#include <credentials/builder.h>
+#include <credentials/containers/pkcs7.h>
+
+/**
+ * Load a generic PKCS#7 container.
+ *
+ * The argument list must contain a single BUILD_BLOB_ASN1_DER argument.
+ *
+ * @param type		type of the container, CONTAINER_PKCS7
+ * @param args		builder_part_t argument list
+ * @return			container, NULL on failure
+ */
+pkcs7_t *pkcs7_generic_load(container_type_t type, va_list args);
+
+#endif /** PKCS7_GENERIC_H_ @}*/
diff --git a/src/libstrongswan/plugins/pkcs7/pkcs7_plugin.c b/src/libstrongswan/plugins/pkcs7/pkcs7_plugin.c
new file mode 100644
index 000000000..7d350155d
--- /dev/null
+++ b/src/libstrongswan/plugins/pkcs7/pkcs7_plugin.c
@@ -0,0 +1,84 @@
+/*
+ * Copyright (C) 2012 Martin Willi
+ * Copyright (C) 2012 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "pkcs7_plugin.h"
+#include "pkcs7_generic.h"
+#include "pkcs7_data.h"
+#include "pkcs7_signed_data.h"
+#include "pkcs7_enveloped_data.h"
+
+#include <library.h>
+
+typedef struct private_pkcs7_plugin_t private_pkcs7_plugin_t;
+
+/**
+ * private data of pkcs7_plugin
+ */
+struct private_pkcs7_plugin_t {
+
+	/**
+	 * public functions
+	 */
+	pkcs7_plugin_t public;
+};
+
+METHOD(plugin_t, get_name, char*,
+	private_pkcs7_plugin_t *this)
+{
+	return "pkcs7";
+}
+
+METHOD(plugin_t, get_features, int,
+	private_pkcs7_plugin_t *this, plugin_feature_t *features[])
+{
+	static plugin_feature_t f[] = {
+		PLUGIN_REGISTER(CONTAINER_DECODE, pkcs7_generic_load, TRUE),
+			PLUGIN_PROVIDE(CONTAINER_DECODE, CONTAINER_PKCS7),
+		PLUGIN_REGISTER(CONTAINER_ENCODE, pkcs7_data_gen, TRUE),
+			PLUGIN_PROVIDE(CONTAINER_ENCODE, CONTAINER_PKCS7_DATA),
+		PLUGIN_REGISTER(CONTAINER_ENCODE, pkcs7_signed_data_gen, TRUE),
+			PLUGIN_PROVIDE(CONTAINER_ENCODE, CONTAINER_PKCS7_SIGNED_DATA),
+		PLUGIN_REGISTER(CONTAINER_ENCODE, pkcs7_enveloped_data_gen, TRUE),
+			PLUGIN_PROVIDE(CONTAINER_ENCODE, CONTAINER_PKCS7_ENVELOPED_DATA),
+	};
+	*features = f;
+	return countof(f);
+}
+
+METHOD(plugin_t, destroy, void,
+	private_pkcs7_plugin_t *this)
+{
+	free(this);
+}
+
+/*
+ * see header file
+ */
+plugin_t *pkcs7_plugin_create()
+{
+	private_pkcs7_plugin_t *this;
+
+	INIT(this,
+		.public = {
+			.plugin = {
+				.get_name = _get_name,
+				.get_features = _get_features,
+				.destroy = _destroy,
+			},
+		},
+	);
+
+	return &this->public.plugin;
+}
diff --git a/src/libstrongswan/plugins/pkcs7/pkcs7_plugin.h b/src/libstrongswan/plugins/pkcs7/pkcs7_plugin.h
new file mode 100644
index 000000000..3d582c7c6
--- /dev/null
+++ b/src/libstrongswan/plugins/pkcs7/pkcs7_plugin.h
@@ -0,0 +1,42 @@
+/*
+ * Copyright (C) 2012 Martin Willi
+ * Copyright (C) 2012 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup pkcs7p pkcs7
+ * @ingroup plugins
+ *
+ * @defgroup pkcs7_plugin pkcs7_plugin
+ * @{ @ingroup pkcs7p
+ */
+
+#ifndef PKCS7_PLUGIN_H_
+#define PKCS7_PLUGIN_H_
+
+#include <plugins/plugin.h>
+
+typedef struct pkcs7_plugin_t pkcs7_plugin_t;
+
+/**
+ * Plugin providing PKCS#7 container functionality.
+ */
+struct pkcs7_plugin_t {
+
+	/**
+	 * Implements plugin interface.
+	 */
+	plugin_t plugin;
+};
+
+#endif /** PKCS7_PLUGIN_H_ @}*/
diff --git a/src/libstrongswan/plugins/pkcs7/pkcs7_signed_data.c b/src/libstrongswan/plugins/pkcs7/pkcs7_signed_data.c
new file mode 100644
index 000000000..48fb5e6a4
--- /dev/null
+++ b/src/libstrongswan/plugins/pkcs7/pkcs7_signed_data.c
@@ -0,0 +1,678 @@
+/*
+ * Copyright (C) 2012 Martin Willi
+ * Copyright (C) 2012 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "pkcs7_signed_data.h"
+#include "pkcs7_attributes.h"
+
+#include <time.h>
+
+#include <utils/debug.h>
+#include <asn1/oid.h>
+#include <asn1/asn1.h>
+#include <asn1/asn1_parser.h>
+#include <credentials/sets/mem_cred.h>
+#include <credentials/certificates/x509.h>
+#include <credentials/keys/private_key.h>
+
+typedef struct private_pkcs7_signed_data_t private_pkcs7_signed_data_t;
+
+/**
+ * Private data of a PKCS#7 signed-data container.
+ */
+struct private_pkcs7_signed_data_t {
+
+	/**
+	 * Implements pkcs7_t.
+	 */
+	pkcs7_t public;
+
+	/**
+	 * Signed content data
+	 */
+	container_t *content;
+
+	/**
+	 * Encoded PKCS#7 signed-data
+	 */
+	chunk_t encoding;
+
+	/**
+	 * list of signerInfos, signerinfo_t
+	 */
+	linked_list_t *signerinfos;
+
+	/**
+	 * Contained certificates
+	 */
+	mem_cred_t *creds;
+};
+
+/**
+ * A single signerInfo
+ */
+typedef struct {
+
+	/**
+	 * Signed attributes of signerInfo
+	 */
+	pkcs7_attributes_t *attributes;
+
+	/**
+	 * Serial of signing certificate
+	 */
+	identification_t *serial;
+
+	/**
+	 * Issuer of signing certificate
+	 */
+	identification_t *issuer;
+
+	/**
+	 * EncryptedDigest
+	 */
+	chunk_t encrypted_digest;
+
+	/**
+	 * Digesting algorithm OID
+	 */
+	int digest_alg;
+
+	/**
+	 * Public key encryption algorithm OID
+	 */
+	int enc_alg;
+
+} signerinfo_t;
+
+/**
+ * Destroy a signerinfo_t entry
+ */
+void signerinfo_destroy(signerinfo_t *this)
+{
+	DESTROY_IF(this->attributes);
+	DESTROY_IF(this->serial);
+	DESTROY_IF(this->issuer);
+	free(this->encrypted_digest.ptr);
+	free(this);
+}
+
+/**
+ * ASN.1 definition of the PKCS#7 signedData type
+ */
+static const asn1Object_t signedDataObjects[] = {
+	{ 0, "signedData",						ASN1_SEQUENCE,		ASN1_NONE }, /*  0 */
+	{ 1,   "version",						ASN1_INTEGER,		ASN1_BODY }, /*  1 */
+	{ 1,   "digestAlgorithms",				ASN1_SET,			ASN1_LOOP }, /*  2 */
+	{ 2,     "algorithm",					ASN1_EOC,			ASN1_RAW  }, /*  3 */
+	{ 1,   "end loop",						ASN1_EOC,			ASN1_END  }, /*  4 */
+	{ 1,   "contentInfo",					ASN1_EOC,			ASN1_RAW  }, /*  5 */
+	{ 1,   "certificates",					ASN1_CONTEXT_C_0,	ASN1_OPT |
+																ASN1_LOOP }, /*  6 */
+	{ 2,      "certificate",				ASN1_SEQUENCE,		ASN1_OBJ  }, /*  7 */
+	{ 1,   "end opt or loop",				ASN1_EOC,			ASN1_END  }, /*  8 */
+	{ 1,   "crls",							ASN1_CONTEXT_C_1,	ASN1_OPT |
+																ASN1_LOOP }, /*  9 */
+	{ 2,	    "crl",						ASN1_SEQUENCE,		ASN1_OBJ  }, /* 10 */
+	{ 1,   "end opt or loop",				ASN1_EOC,			ASN1_END  }, /* 11 */
+	{ 1,   "signerInfos",					ASN1_SET,			ASN1_LOOP }, /* 12 */
+	{ 2,     "signerInfo",					ASN1_SEQUENCE,		ASN1_NONE }, /* 13 */
+	{ 3,       "version",					ASN1_INTEGER,		ASN1_BODY }, /* 14 */
+	{ 3,       "issuerAndSerialNumber",		ASN1_SEQUENCE,		ASN1_BODY }, /* 15 */
+	{ 4,         "issuer",					ASN1_SEQUENCE,		ASN1_OBJ  }, /* 16 */
+	{ 4,         "serial",					ASN1_INTEGER,		ASN1_BODY }, /* 17 */
+	{ 3,       "digestAlgorithm",			ASN1_EOC,			ASN1_RAW  }, /* 18 */
+	{ 3,       "authenticatedAttributes",	ASN1_CONTEXT_C_0,	ASN1_OPT |
+																ASN1_OBJ  }, /* 19 */
+	{ 3,       "end opt",					ASN1_EOC,			ASN1_END  }, /* 20 */
+	{ 3,       "digestEncryptionAlgorithm",	ASN1_EOC,			ASN1_RAW  }, /* 21 */
+	{ 3,       "encryptedDigest",			ASN1_OCTET_STRING,	ASN1_BODY }, /* 22 */
+	{ 3,       "unauthenticatedAttributes", ASN1_CONTEXT_C_1,	ASN1_OPT  }, /* 23 */
+	{ 3,       "end opt",					ASN1_EOC,			ASN1_END  }, /* 24 */
+	{ 1,   "end loop",						ASN1_EOC,			ASN1_END  }, /* 25 */
+	{ 0, "exit",							ASN1_EOC,			ASN1_EXIT }
+};
+#define PKCS7_VERSION				 1
+#define PKCS7_DIGEST_ALG			 3
+#define PKCS7_CONTENT_INFO			 5
+#define PKCS7_CERT					 7
+#define PKCS7_SIGNER_INFO			13
+#define PKCS7_SIGNER_INFO_VERSION	14
+#define PKCS7_ISSUER				16
+#define PKCS7_SERIAL_NUMBER			17
+#define PKCS7_DIGEST_ALGORITHM		18
+#define PKCS7_AUTH_ATTRIBUTES		19
+#define PKCS7_DIGEST_ENC_ALGORITHM	21
+#define PKCS7_ENCRYPTED_DIGEST		22
+
+METHOD(container_t, get_type, container_type_t,
+	private_pkcs7_signed_data_t *this)
+{
+	return CONTAINER_PKCS7_SIGNED_DATA;
+}
+
+/**
+ * Signature enumerator implementation
+ */
+typedef struct {
+	/** implements enumerator */
+	enumerator_t public;
+	/** inner signerinfos enumerator */
+	enumerator_t *inner;
+	/** currently enumerated auth_cfg */
+	auth_cfg_t *auth;
+	/** currently enumerating signerinfo */
+	signerinfo_t *info;
+	/** reference to container */
+	private_pkcs7_signed_data_t *this;
+} signature_enumerator_t;
+
+METHOD(enumerator_t, enumerate, bool,
+	signature_enumerator_t *this, auth_cfg_t **out)
+{
+	signerinfo_t *info;
+	signature_scheme_t scheme;
+	hash_algorithm_t algorithm;
+	enumerator_t *enumerator;
+	certificate_t *cert;
+	public_key_t *key;
+	auth_cfg_t *auth;
+	chunk_t chunk, hash, content;
+	hasher_t *hasher;
+	bool valid;
+
+	while (this->inner->enumerate(this->inner, &info))
+	{
+		/* clean up previous round */
+		DESTROY_IF(this->auth);
+		this->auth = NULL;
+
+		scheme = signature_scheme_from_oid(info->digest_alg);
+		if (scheme == SIGN_UNKNOWN)
+		{
+			DBG1(DBG_LIB, "unsupported signature scheme");
+			continue;
+		}
+		if (!info->attributes)
+		{
+			DBG1(DBG_LIB, "no authenticatedAttributes object found");
+			continue;
+		}
+		if (info->enc_alg != OID_RSA_ENCRYPTION)
+		{
+			DBG1(DBG_LIB, "only RSA digest encryption supported");
+			continue;
+		}
+
+		enumerator = lib->credmgr->create_trusted_enumerator(lib->credmgr,
+												KEY_RSA, info->serial, FALSE);
+		while (enumerator->enumerate(enumerator, &cert, &auth))
+		{
+			if (info->issuer->equals(info->issuer, cert->get_issuer(cert)))
+			{
+				key = cert->get_public_key(cert);
+				if (key)
+				{
+					chunk = info->attributes->get_encoding(info->attributes);
+					if (key->verify(key, scheme, chunk, info->encrypted_digest))
+					{
+						this->auth = auth->clone(auth);
+						key->destroy(key);
+						break;
+					}
+					key->destroy(key);
+				}
+			}
+		}
+		enumerator->destroy(enumerator);
+
+		if (!this->auth)
+		{
+			DBG1(DBG_LIB, "unable to verify pkcs7 attributes signature");
+			continue;
+		}
+
+		chunk = info->attributes->get_attribute(info->attributes,
+												OID_PKCS9_MESSAGE_DIGEST);
+		if (!chunk.len)
+		{
+			DBG1(DBG_LIB, "messageDigest attribute not found");
+			continue;
+		}
+		if (!this->this->content->get_data(this->this->content, &content))
+		{
+			continue;
+		}
+
+		algorithm = hasher_algorithm_from_oid(info->digest_alg);
+		hasher = lib->crypto->create_hasher(lib->crypto, algorithm);
+		if (!hasher || !hasher->allocate_hash(hasher, content, &hash))
+		{
+			free(content.ptr);
+			DESTROY_IF(hasher);
+			DBG1(DBG_LIB, "hash algorithm %N not supported",
+				 hash_algorithm_names, algorithm);
+			continue;
+		}
+		free(content.ptr);
+		hasher->destroy(hasher);
+		DBG3(DBG_LIB, "hash: %B", &hash);
+
+		valid = chunk_equals(chunk, hash);
+		free(hash.ptr);
+		if (!valid)
+		{
+			DBG1(DBG_LIB, "invalid messageDigest");
+			continue;
+		}
+		*out = this->auth;
+		this->info = info;
+		return TRUE;
+	}
+	this->info = NULL;
+	return FALSE;
+}
+
+METHOD(enumerator_t, enumerator_destroy, void,
+	signature_enumerator_t *this)
+{
+	lib->credmgr->remove_local_set(lib->credmgr, &this->this->creds->set);
+	this->inner->destroy(this->inner);
+	DESTROY_IF(this->auth);
+	free(this);
+}
+
+METHOD(container_t, create_signature_enumerator, enumerator_t*,
+	private_pkcs7_signed_data_t *this)
+{
+	signature_enumerator_t *enumerator;
+
+	INIT(enumerator,
+		.public = {
+			.enumerate = (void*)_enumerate,
+			.destroy = _enumerator_destroy,
+		},
+		.inner = this->signerinfos->create_enumerator(this->signerinfos),
+		.this = this,
+	);
+
+	lib->credmgr->add_local_set(lib->credmgr, &this->creds->set, FALSE);
+	return &enumerator->public;
+}
+
+METHOD(pkcs7_t, get_attribute, bool,
+	private_pkcs7_signed_data_t *this, int oid, enumerator_t *enumerator, chunk_t *value)
+{
+	signature_enumerator_t *e;
+	chunk_t chunk;
+
+	e = (signature_enumerator_t*)enumerator;
+	if (e->info)
+	{
+		chunk = e->info->attributes->get_attribute(e->info->attributes, oid);
+		if (chunk.len)
+		{
+			*value = chunk_clone(chunk);
+			return TRUE;
+		}
+	}
+	return FALSE;
+}
+
+METHOD(pkcs7_t, create_cert_enumerator, enumerator_t*,
+	private_pkcs7_signed_data_t *this)
+{
+	return this->creds->set.create_cert_enumerator(&this->creds->set,
+											CERT_ANY, KEY_ANY, NULL, FALSE);
+}
+
+METHOD(container_t, get_data, bool,
+	private_pkcs7_signed_data_t *this, chunk_t *data)
+{
+	if (this->content)
+	{
+		return this->content->get_data(this->content, data);
+	}
+	return FALSE;
+}
+
+METHOD(container_t, get_encoding, bool,
+	private_pkcs7_signed_data_t *this, chunk_t *data)
+{
+	*data = chunk_clone(this->encoding);
+	return TRUE;
+}
+
+METHOD(container_t, destroy, void,
+	private_pkcs7_signed_data_t *this)
+{
+	this->creds->destroy(this->creds);
+	this->signerinfos->destroy_function(this->signerinfos,
+										(void*)signerinfo_destroy);
+	DESTROY_IF(this->content);
+	free(this->encoding.ptr);
+	free(this);
+}
+
+/**
+ * Create an empty PKCS#7 signed-data container.
+ */
+static private_pkcs7_signed_data_t* create_empty()
+{
+	private_pkcs7_signed_data_t *this;
+
+	INIT(this,
+		.public = {
+			.container = {
+				.get_type = _get_type,
+				.create_signature_enumerator = _create_signature_enumerator,
+				.get_data = _get_data,
+				.get_encoding = _get_encoding,
+				.destroy = _destroy,
+			},
+			.get_attribute = _get_attribute,
+			.create_cert_enumerator = _create_cert_enumerator,
+		},
+		.creds = mem_cred_create(),
+		.signerinfos = linked_list_create(),
+	);
+
+	return this;
+}
+
+/**
+ * Parse PKCS#7 signed data
+ */
+static bool parse(private_pkcs7_signed_data_t *this, chunk_t content)
+{
+	asn1_parser_t *parser;
+	chunk_t object;
+	int objectID, version;
+	signerinfo_t *info = NULL;
+	bool success = FALSE;
+
+	parser = asn1_parser_create(signedDataObjects, content);
+	parser->set_top_level(parser, 0);
+	while (parser->iterate(parser, &objectID, &object))
+	{
+		u_int level = parser->get_level(parser);
+
+		switch (objectID)
+		{
+			case PKCS7_VERSION:
+				version = object.len ? (int)*object.ptr : 0;
+				DBG2(DBG_LIB, "  v%d", version);
+				break;
+			case PKCS7_CONTENT_INFO:
+				this->content = lib->creds->create(lib->creds,
+										CRED_CONTAINER, CONTAINER_PKCS7,
+										BUILD_BLOB_ASN1_DER, object, BUILD_END);
+				break;
+			case PKCS7_CERT:
+			{
+				certificate_t *cert;
+
+				DBG2(DBG_LIB, "  parsing pkcs7-wrapped certificate");
+				cert = lib->creds->create(lib->creds,
+										  CRED_CERTIFICATE, CERT_X509,
+										  BUILD_BLOB_ASN1_DER, object,
+										  BUILD_END);
+				if (cert)
+				{
+					this->creds->add_cert(this->creds, FALSE, cert);
+				}
+				break;
+			}
+			case PKCS7_SIGNER_INFO:
+				INIT(info,
+					.digest_alg = OID_UNKNOWN,
+					.enc_alg = OID_UNKNOWN,
+				);
+				this->signerinfos->insert_last(this->signerinfos, info);
+				break;
+			case PKCS7_SIGNER_INFO_VERSION:
+				version = object.len ? (int)*object.ptr : 0;
+				DBG2(DBG_LIB, "  v%d", version);
+				break;
+			case PKCS7_ISSUER:
+				info->issuer = identification_create_from_encoding(
+														ID_DER_ASN1_DN, object);
+				break;
+			case PKCS7_SERIAL_NUMBER:
+				info->serial = identification_create_from_encoding(
+														ID_KEY_ID, object);
+				break;
+			case PKCS7_AUTH_ATTRIBUTES:
+				*object.ptr = ASN1_SET;
+				info->attributes = pkcs7_attributes_create_from_chunk(
+														object, level+1);
+				*object.ptr = ASN1_CONTEXT_C_0;
+				break;
+			case PKCS7_DIGEST_ALGORITHM:
+				info->digest_alg = asn1_parse_algorithmIdentifier(object,
+														level, NULL);
+				break;
+			case PKCS7_DIGEST_ENC_ALGORITHM:
+				info->enc_alg = asn1_parse_algorithmIdentifier(object,
+														level, NULL);
+				break;
+			case PKCS7_ENCRYPTED_DIGEST:
+				info->encrypted_digest = chunk_clone(object);
+				break;
+		}
+	}
+	success = parser->success(parser);
+	parser->destroy(parser);
+
+	return success;
+}
+
+/**
+ * See header.
+ */
+pkcs7_t *pkcs7_signed_data_load(chunk_t encoding, chunk_t content)
+{
+	private_pkcs7_signed_data_t *this = create_empty();
+
+	this->encoding = chunk_clone(encoding);
+	if (!parse(this, content))
+	{
+		destroy(this);
+		return NULL;
+	}
+	return &this->public;
+}
+
+/**
+ * build a DER-encoded issuerAndSerialNumber object
+ */
+static chunk_t build_issuerAndSerialNumber(certificate_t *cert)
+{
+	identification_t *issuer = cert->get_issuer(cert);
+	chunk_t serial = chunk_empty;
+
+	if (cert->get_type(cert) == CERT_X509)
+	{
+		x509_t *x509 = (x509_t*)cert;
+		serial = x509->get_serial(x509);
+	}
+
+	return asn1_wrap(ASN1_SEQUENCE, "cm",
+					 issuer->get_encoding(issuer),
+					 asn1_integer("c", serial));
+}
+
+/**
+ * Generate a new PKCS#7 signed-data container
+ */
+static bool generate(private_pkcs7_signed_data_t *this, private_key_t *key,
+					 certificate_t *cert, hash_algorithm_t alg,
+					 pkcs7_attributes_t *pkcs9)
+{
+	chunk_t authenticatedAttributes = chunk_empty;
+	chunk_t encryptedDigest = chunk_empty;
+	chunk_t data, signerInfo, encoding = chunk_empty;
+	chunk_t messageDigest, signingTime, attributes;
+	signature_scheme_t scheme;
+	hasher_t *hasher;
+	time_t now;
+	int digest_oid;
+
+	digest_oid = hasher_algorithm_to_oid(alg);
+	scheme = signature_scheme_from_oid(digest_oid);
+
+	if (!this->content->get_data(this->content, &data))
+	{
+		return FALSE;
+	}
+
+	hasher = lib->crypto->create_hasher(lib->crypto, alg);
+	if (!hasher || !hasher->allocate_hash(hasher, data, &messageDigest))
+	{
+		DESTROY_IF(hasher);
+		DBG1(DBG_LIB, "  hash algorithm %N not support",
+			 hash_algorithm_names, alg);
+		free(data.ptr);
+		return FALSE;
+	}
+	hasher->destroy(hasher);
+	pkcs9->add_attribute(pkcs9,
+					OID_PKCS9_MESSAGE_DIGEST,
+					asn1_wrap(ASN1_OCTET_STRING, "m", messageDigest));
+
+	/* take the current time as signingTime */
+	now = time(NULL);
+	signingTime = asn1_from_time(&now, ASN1_UTCTIME);
+	pkcs9->add_attribute(pkcs9, OID_PKCS9_SIGNING_TIME, signingTime);
+	pkcs9->add_attribute(pkcs9, OID_PKCS9_CONTENT_TYPE,
+						 asn1_build_known_oid(OID_PKCS7_DATA));
+
+	attributes = pkcs9->get_encoding(pkcs9);
+
+	if (!key->sign(key, scheme, attributes, &encryptedDigest))
+	{
+		free(data.ptr);
+		return FALSE;
+	}
+	authenticatedAttributes = chunk_clone(attributes);
+	*authenticatedAttributes.ptr = ASN1_CONTEXT_C_0;
+
+	free(data.ptr);
+	if (encryptedDigest.ptr)
+	{
+		encryptedDigest = asn1_wrap(ASN1_OCTET_STRING, "m", encryptedDigest);
+	}
+	signerInfo = asn1_wrap(ASN1_SEQUENCE, "cmmmmm",
+					ASN1_INTEGER_1,
+					build_issuerAndSerialNumber(cert),
+					asn1_algorithmIdentifier(digest_oid),
+					authenticatedAttributes,
+					asn1_algorithmIdentifier(OID_RSA_ENCRYPTION),
+					encryptedDigest);
+
+	if (!cert->get_encoding(cert, CERT_ASN1_DER, &encoding))
+	{
+		free(signerInfo.ptr);
+		return FALSE;
+	}
+	if (!this->content->get_encoding(this->content, &data))
+	{
+		free(encoding.ptr);
+		free(signerInfo.ptr);
+		return FALSE;
+	}
+
+	this->encoding = asn1_wrap(ASN1_SEQUENCE, "mm",
+		asn1_build_known_oid(OID_PKCS7_SIGNED_DATA),
+		asn1_wrap(ASN1_CONTEXT_C_0, "m",
+			asn1_wrap(ASN1_SEQUENCE, "cmmmm",
+				ASN1_INTEGER_1,
+				asn1_wrap(ASN1_SET, "m", asn1_algorithmIdentifier(digest_oid)),
+				data,
+				asn1_wrap(ASN1_CONTEXT_C_0, "m", encoding),
+				asn1_wrap(ASN1_SET, "m", signerInfo))));
+
+
+	pkcs9->destroy(pkcs9);
+	/* TODO: create signerInfos entry */
+	return TRUE;
+}
+
+/**
+ * See header.
+ */
+pkcs7_t *pkcs7_signed_data_gen(container_type_t type, va_list args)
+{
+	private_pkcs7_signed_data_t *this;
+	chunk_t blob = chunk_empty;
+	hash_algorithm_t alg = HASH_SHA1;
+	private_key_t *key = NULL;
+	certificate_t *cert = NULL;
+	pkcs7_attributes_t *pkcs9;
+	chunk_t value;
+	int oid;
+
+	pkcs9 = pkcs7_attributes_create();
+
+	while (TRUE)
+	{
+		switch (va_arg(args, builder_part_t))
+		{
+			case BUILD_SIGNING_KEY:
+				key = va_arg(args, private_key_t*);
+				continue;
+			case BUILD_SIGNING_CERT:
+				cert = va_arg(args, certificate_t*);
+				continue;
+			case BUILD_DIGEST_ALG:
+				alg = va_arg(args, int);
+				continue;
+			case BUILD_BLOB:
+				blob = va_arg(args, chunk_t);
+				continue;
+			case BUILD_PKCS7_ATTRIBUTE:
+				oid = va_arg(args, int);
+				value = va_arg(args, chunk_t);
+				pkcs9->add_attribute(pkcs9, oid, chunk_clone(value));
+				continue;
+			case BUILD_END:
+				break;
+			default:
+				pkcs9->destroy(pkcs9);
+				return NULL;
+		}
+		break;
+	}
+	if (blob.len && key && cert)
+	{
+		this = create_empty();
+
+		this->creds->add_cert(this->creds, FALSE, cert->get_ref(cert));
+		this->content = lib->creds->create(lib->creds,
+										   CRED_CONTAINER, CONTAINER_PKCS7_DATA,
+										   BUILD_BLOB, blob, BUILD_END);
+
+		if (this->content && generate(this, key, cert, alg, pkcs9))
+		{
+			return &this->public;
+		}
+		pkcs9->destroy(pkcs9);
+		destroy(this);
+	}
+	else
+	{
+		pkcs9->destroy(pkcs9);
+	}
+	return NULL;
+}
diff --git a/src/libstrongswan/plugins/pkcs7/pkcs7_signed_data.h b/src/libstrongswan/plugins/pkcs7/pkcs7_signed_data.h
new file mode 100644
index 000000000..5de672117
--- /dev/null
+++ b/src/libstrongswan/plugins/pkcs7/pkcs7_signed_data.h
@@ -0,0 +1,44 @@
+/*
+ * Copyright (C) 2012 Martin Willi
+ * Copyright (C) 2012 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup pkcs7_signed_data pkcs7_signed_data
+ * @{ @ingroup pkcs7p
+ */
+
+#ifndef PKCS7_SIGNED_DATA_H_
+#define PKCS7_SIGNED_DATA_H_
+
+#include <credentials/builder.h>
+#include <credentials/containers/pkcs7.h>
+
+/**
+ * Parse a PKCS#7 signed-data container.
+ *
+ * @param encoding	full contentInfo encoding
+ * @param content	DER encoded content from contentInfo
+ * @return			CONTAINER_PKCS7_SIGNED_DATA container, NULL on failure
+ */
+pkcs7_t *pkcs7_signed_data_load(chunk_t encoding, chunk_t content);
+
+/**
+ * Generate a PKCS#7 signed-data container.
+ *
+ * @param type		container type, must be CONTAINER_PKCS7_SIGNED_DATA
+ * @param args		builder_t arguments to use.
+ */
+pkcs7_t *pkcs7_signed_data_gen(container_type_t type, va_list args);
+
+#endif /** PKCS7_SIGNED_DATA_H_ @}*/
diff --git a/src/libstrongswan/plugins/pkcs8/Makefile.in b/src/libstrongswan/plugins/pkcs8/Makefile.in
index 60d7ae643..45a1e16e8 100644
--- a/src/libstrongswan/plugins/pkcs8/Makefile.in
+++ b/src/libstrongswan/plugins/pkcs8/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -73,6 +73,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
 am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
 am__installdirs = "$(DESTDIR)$(plugindir)"
 LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
 libstrongswan_pkcs8_la_LIBADD =
@@ -121,6 +127,7 @@ CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -148,6 +155,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -175,6 +183,7 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
@@ -187,6 +196,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -240,7 +250,6 @@ libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -370,7 +379,7 @@ clean-pluginLTLIBRARIES:
 	  echo "rm -f \"$${dir}/so_locations\""; \
 	  rm -f "$${dir}/so_locations"; \
 	done
-libstrongswan-pkcs8.la: $(libstrongswan_pkcs8_la_OBJECTS) $(libstrongswan_pkcs8_la_DEPENDENCIES) 
+libstrongswan-pkcs8.la: $(libstrongswan_pkcs8_la_OBJECTS) $(libstrongswan_pkcs8_la_DEPENDENCIES) $(EXTRA_libstrongswan_pkcs8_la_DEPENDENCIES) 
 	$(libstrongswan_pkcs8_la_LINK) $(am_libstrongswan_pkcs8_la_rpath) $(libstrongswan_pkcs8_la_OBJECTS) $(libstrongswan_pkcs8_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
@@ -508,10 +517,15 @@ install-am: all-am
 
 installcheck: installcheck-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
diff --git a/src/libstrongswan/plugins/pkcs8/pkcs8_builder.c b/src/libstrongswan/plugins/pkcs8/pkcs8_builder.c
index a501423b1..26a3620d7 100644
--- a/src/libstrongswan/plugins/pkcs8/pkcs8_builder.c
+++ b/src/libstrongswan/plugins/pkcs8/pkcs8_builder.c
@@ -15,7 +15,7 @@
 
 #include "pkcs8_builder.h"
 
-#include <debug.h>
+#include <utils/debug.h>
 #include <asn1/oid.h>
 #include <asn1/asn1.h>
 #include <asn1/asn1_parser.h>
diff --git a/src/libstrongswan/plugins/plugin_feature.c b/src/libstrongswan/plugins/plugin_feature.c
index 6e043878c..6c954f76d 100644
--- a/src/libstrongswan/plugins/plugin_feature.c
+++ b/src/libstrongswan/plugins/plugin_feature.c
@@ -21,7 +21,7 @@
 
 #include "plugin_feature.h"
 
-#include <debug.h>
+#include <utils/debug.h>
 
 ENUM(plugin_feature_names, FEATURE_NONE, FEATURE_CUSTOM,
 	"NONE",
@@ -42,6 +42,8 @@ ENUM(plugin_feature_names, FEATURE_NONE, FEATURE_CUSTOM,
 	"PUBKEY_ENCRYPT",
 	"CERT_DECODE",
 	"CERT_ENCODE",
+	"CONTAINER_DECODE",
+	"CONTAINER_ENCODE",
 	"EAP_SERVER",
 	"EAP_CLIENT",
 	"XAUTH_SERVER",
@@ -83,6 +85,8 @@ u_int32_t plugin_feature_hash(plugin_feature_t *feature)
 		case FEATURE_PUBKEY_ENCRYPT:
 		case FEATURE_CERT_DECODE:
 		case FEATURE_CERT_ENCODE:
+		case FEATURE_CONTAINER_DECODE:
+		case FEATURE_CONTAINER_ENCODE:
 		case FEATURE_EAP_SERVER:
 		case FEATURE_EAP_PEER:
 			data = chunk_from_thing(feature->arg);
@@ -143,6 +147,9 @@ bool plugin_feature_matches(plugin_feature_t *a, plugin_feature_t *b)
 			case FEATURE_CERT_DECODE:
 			case FEATURE_CERT_ENCODE:
 				return a->arg.cert == b->arg.cert;
+			case FEATURE_CONTAINER_DECODE:
+			case FEATURE_CONTAINER_ENCODE:
+				return a->arg.container == b->arg.container;
 			case FEATURE_EAP_SERVER:
 			case FEATURE_EAP_PEER:
 				return a->arg.eap == b->arg.eap;
@@ -267,6 +274,14 @@ char* plugin_feature_get_string(plugin_feature_t *feature)
 				return str;
 			}
 			break;
+		case FEATURE_CONTAINER_DECODE:
+		case FEATURE_CONTAINER_ENCODE:
+			if (asprintf(&str, "%N:%N", plugin_feature_names, feature->type,
+					container_type_names, feature->arg.container) > 0)
+			{
+				return str;
+			}
+			break;
 		case FEATURE_EAP_SERVER:
 		case FEATURE_EAP_PEER:
 			if (asprintf(&str, "%N:%N", plugin_feature_names, feature->type,
@@ -385,6 +400,12 @@ bool plugin_feature_load(plugin_t *plugin, plugin_feature_t *feature,
 								feature->arg.cert, reg->arg.reg.final,
 								reg->arg.reg.f);
 			break;
+		case FEATURE_CONTAINER_DECODE:
+		case FEATURE_CONTAINER_ENCODE:
+			lib->creds->add_builder(lib->creds, CRED_CONTAINER,
+								feature->arg.container, reg->arg.reg.final,
+								reg->arg.reg.f);
+			break;
 		case FEATURE_DATABASE:
 			lib->db->add_database(lib->db, reg->arg.reg.f);
 			break;
@@ -454,6 +475,10 @@ bool plugin_feature_unload(plugin_t *plugin, plugin_feature_t *feature,
 		case FEATURE_CERT_ENCODE:
 			lib->creds->remove_builder(lib->creds, reg->arg.reg.f);
 			break;
+		case FEATURE_CONTAINER_DECODE:
+		case FEATURE_CONTAINER_ENCODE:
+			lib->creds->remove_builder(lib->creds, reg->arg.reg.f);
+			break;
 		case FEATURE_DATABASE:
 			lib->db->remove_database(lib->db, reg->arg.reg.f);
 			break;
diff --git a/src/libstrongswan/plugins/plugin_feature.h b/src/libstrongswan/plugins/plugin_feature.h
index 90f8a948a..7667fff3e 100644
--- a/src/libstrongswan/plugins/plugin_feature.h
+++ b/src/libstrongswan/plugins/plugin_feature.h
@@ -29,6 +29,7 @@ typedef struct plugin_feature_t plugin_feature_t;
 #include <library.h>
 #include <eap/eap.h>
 #include <plugins/plugin.h>
+#include <credentials/containers/container.h>
 
 /**
  * Callback function of a plugin to (un-)register a specified feature.
@@ -133,6 +134,10 @@ struct plugin_feature_t {
 		FEATURE_CERT_DECODE,
 		/** generating certificates */
 		FEATURE_CERT_ENCODE,
+		/** parsing containers */
+		FEATURE_CONTAINER_DECODE,
+		/** generating containers */
+		FEATURE_CONTAINER_ENCODE,
 		/** EAP server implementation */
 		FEATURE_EAP_SERVER,
 		/** EAP peer implementation */
@@ -186,6 +191,8 @@ struct plugin_feature_t {
 		encryption_scheme_t pubkey_encrypt;
 		/** FEATURE_CERT_DECODE/ENCODE */
 		certificate_type_t cert;
+		/** FEATURE_CONTAINER_DECODE/ENCODE */
+		container_type_t container;
 		/** FEATURE_EAP_SERVER/CLIENT */
 		eap_type_t eap;
 		/** FEATURE_DATABASE */
@@ -281,6 +288,8 @@ struct plugin_feature_t {
 #define _PLUGIN_FEATURE_PUBKEY_ENCRYPT(kind, scheme)		__PLUGIN_FEATURE(kind, PUBKEY_ENCRYPT, .pubkey_encrypt = scheme)
 #define _PLUGIN_FEATURE_CERT_DECODE(kind, type)				__PLUGIN_FEATURE(kind, CERT_DECODE, .cert = type)
 #define _PLUGIN_FEATURE_CERT_ENCODE(kind, type)				__PLUGIN_FEATURE(kind, CERT_ENCODE, .cert = type)
+#define _PLUGIN_FEATURE_CONTAINER_DECODE(kind, type)		__PLUGIN_FEATURE(kind, CONTAINER_DECODE, .container = type)
+#define _PLUGIN_FEATURE_CONTAINER_ENCODE(kind, type)		__PLUGIN_FEATURE(kind, CONTAINER_ENCODE, .container = type)
 #define _PLUGIN_FEATURE_EAP_SERVER(kind, type)				__PLUGIN_FEATURE(kind, EAP_SERVER, .eap = type)
 #define _PLUGIN_FEATURE_EAP_PEER(kind, type)				__PLUGIN_FEATURE(kind, EAP_PEER, .eap = type)
 #define _PLUGIN_FEATURE_DATABASE(kind, type)				__PLUGIN_FEATURE(kind, DATABASE, .database = type)
@@ -304,6 +313,8 @@ struct plugin_feature_t {
 #define _PLUGIN_FEATURE_REGISTER_PUBKEY(type, f, final)		__PLUGIN_FEATURE_REGISTER_BUILDER(type, f, final)
 #define _PLUGIN_FEATURE_REGISTER_CERT_DECODE(type, f, final)__PLUGIN_FEATURE_REGISTER_BUILDER(type, f, final)
 #define _PLUGIN_FEATURE_REGISTER_CERT_ENCODE(type, f, final)__PLUGIN_FEATURE_REGISTER_BUILDER(type, f, final)
+#define _PLUGIN_FEATURE_REGISTER_CONTAINER_DECODE(type, f, final)__PLUGIN_FEATURE_REGISTER_BUILDER(type, f, final)
+#define _PLUGIN_FEATURE_REGISTER_CONTAINER_ENCODE(type, f, final)__PLUGIN_FEATURE_REGISTER_BUILDER(type, f, final)
 #define _PLUGIN_FEATURE_REGISTER_DATABASE(type, f)			__PLUGIN_FEATURE_REGISTER(type, f)
 #define _PLUGIN_FEATURE_REGISTER_FETCHER(type, f)			__PLUGIN_FEATURE_REGISTER(type, f)
 
diff --git a/src/libstrongswan/plugins/plugin_loader.c b/src/libstrongswan/plugins/plugin_loader.c
index 95a0bfc02..cea219e92 100644
--- a/src/libstrongswan/plugins/plugin_loader.c
+++ b/src/libstrongswan/plugins/plugin_loader.c
@@ -22,12 +22,12 @@
 #include <limits.h>
 #include <stdio.h>
 
-#include <debug.h>
+#include <utils/debug.h>
 #include <library.h>
-#include <integrity_checker.h>
-#include <utils/hashtable.h>
-#include <utils/linked_list.h>
+#include <collections/hashtable.h>
+#include <collections/linked_list.h>
 #include <plugins/plugin.h>
+#include <utils/integrity_checker.h>
 
 typedef struct private_plugin_loader_t private_plugin_loader_t;
 typedef struct plugin_entry_t plugin_entry_t;
diff --git a/src/libstrongswan/plugins/plugin_loader.h b/src/libstrongswan/plugins/plugin_loader.h
index 94181dbb6..6a8f8f6a1 100644
--- a/src/libstrongswan/plugins/plugin_loader.h
+++ b/src/libstrongswan/plugins/plugin_loader.h
@@ -24,7 +24,7 @@
 
 typedef struct plugin_loader_t plugin_loader_t;
 
-#include <utils/enumerator.h>
+#include <collections/enumerator.h>
 
 /* to avoid circular references we can't include plugin_feature.h */
 struct plugin_feature_t;
diff --git a/src/libstrongswan/plugins/pubkey/Makefile.in b/src/libstrongswan/plugins/pubkey/Makefile.in
index 6680873c2..165314993 100644
--- a/src/libstrongswan/plugins/pubkey/Makefile.in
+++ b/src/libstrongswan/plugins/pubkey/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -73,6 +73,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
 am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
 am__installdirs = "$(DESTDIR)$(plugindir)"
 LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
 libstrongswan_pubkey_la_LIBADD =
@@ -122,6 +128,7 @@ CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -149,6 +156,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -176,6 +184,7 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
@@ -188,6 +197,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -241,7 +251,6 @@ libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -371,7 +380,7 @@ clean-pluginLTLIBRARIES:
 	  echo "rm -f \"$${dir}/so_locations\""; \
 	  rm -f "$${dir}/so_locations"; \
 	done
-libstrongswan-pubkey.la: $(libstrongswan_pubkey_la_OBJECTS) $(libstrongswan_pubkey_la_DEPENDENCIES) 
+libstrongswan-pubkey.la: $(libstrongswan_pubkey_la_OBJECTS) $(libstrongswan_pubkey_la_DEPENDENCIES) $(EXTRA_libstrongswan_pubkey_la_DEPENDENCIES) 
 	$(libstrongswan_pubkey_la_LINK) $(am_libstrongswan_pubkey_la_rpath) $(libstrongswan_pubkey_la_OBJECTS) $(libstrongswan_pubkey_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
@@ -509,10 +518,15 @@ install-am: all-am
 
 installcheck: installcheck-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
diff --git a/src/libstrongswan/plugins/pubkey/pubkey_cert.c b/src/libstrongswan/plugins/pubkey/pubkey_cert.c
index 0304ccb36..95f53f919 100644
--- a/src/libstrongswan/plugins/pubkey/pubkey_cert.c
+++ b/src/libstrongswan/plugins/pubkey/pubkey_cert.c
@@ -17,7 +17,7 @@
 
 #include <time.h>
 
-#include <debug.h>
+#include <utils/debug.h>
 
 typedef struct private_pubkey_cert_t private_pubkey_cert_t;
 
diff --git a/src/libstrongswan/plugins/random/Makefile.in b/src/libstrongswan/plugins/random/Makefile.in
index a393e8049..07e5dba40 100644
--- a/src/libstrongswan/plugins/random/Makefile.in
+++ b/src/libstrongswan/plugins/random/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -73,6 +73,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
 am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
 am__installdirs = "$(DESTDIR)$(plugindir)"
 LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
 libstrongswan_random_la_LIBADD =
@@ -122,6 +128,7 @@ CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -149,6 +156,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -176,6 +184,7 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
@@ -188,6 +197,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -241,7 +251,6 @@ libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -374,7 +383,7 @@ clean-pluginLTLIBRARIES:
 	  echo "rm -f \"$${dir}/so_locations\""; \
 	  rm -f "$${dir}/so_locations"; \
 	done
-libstrongswan-random.la: $(libstrongswan_random_la_OBJECTS) $(libstrongswan_random_la_DEPENDENCIES) 
+libstrongswan-random.la: $(libstrongswan_random_la_OBJECTS) $(libstrongswan_random_la_DEPENDENCIES) $(EXTRA_libstrongswan_random_la_DEPENDENCIES) 
 	$(libstrongswan_random_la_LINK) $(am_libstrongswan_random_la_rpath) $(libstrongswan_random_la_OBJECTS) $(libstrongswan_random_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
@@ -512,10 +521,15 @@ install-am: all-am
 
 installcheck: installcheck-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
diff --git a/src/libstrongswan/plugins/random/random_plugin.c b/src/libstrongswan/plugins/random/random_plugin.c
index cef20047a..24c711a69 100644
--- a/src/libstrongswan/plugins/random/random_plugin.c
+++ b/src/libstrongswan/plugins/random/random_plugin.c
@@ -22,7 +22,7 @@
 #include <errno.h>
 
 #include <library.h>
-#include <debug.h>
+#include <utils/debug.h>
 #include "random_rng.h"
 
 #ifndef DEV_RANDOM
diff --git a/src/libstrongswan/plugins/random/random_rng.c b/src/libstrongswan/plugins/random/random_rng.c
index 52cfc080e..568844899 100644
--- a/src/libstrongswan/plugins/random/random_rng.c
+++ b/src/libstrongswan/plugins/random/random_rng.c
@@ -17,7 +17,7 @@
 #include <string.h>
 #include <unistd.h>
 #include <errno.h>
-#include <debug.h>
+#include <utils/debug.h>
 
 #include "random_rng.h"
 #include "random_plugin.h"
diff --git a/src/libstrongswan/plugins/rdrand/Makefile.am b/src/libstrongswan/plugins/rdrand/Makefile.am
new file mode 100644
index 000000000..4be7b7215
--- /dev/null
+++ b/src/libstrongswan/plugins/rdrand/Makefile.am
@@ -0,0 +1,16 @@
+
+INCLUDES = -I$(top_srcdir)/src/libstrongswan
+
+AM_CFLAGS = -rdynamic
+
+if MONOLITHIC
+noinst_LTLIBRARIES = libstrongswan-rdrand.la
+else
+plugin_LTLIBRARIES = libstrongswan-rdrand.la
+endif
+
+libstrongswan_rdrand_la_SOURCES = \
+	rdrand_plugin.h rdrand_plugin.c \
+	rdrand_rng.h rdrand_rng.c
+
+libstrongswan_rdrand_la_LDFLAGS = -module -avoid-version
diff --git a/src/libstrongswan/plugins/rdrand/Makefile.in b/src/libstrongswan/plugins/rdrand/Makefile.in
new file mode 100644
index 000000000..9da0ae0c2
--- /dev/null
+++ b/src/libstrongswan/plugins/rdrand/Makefile.in
@@ -0,0 +1,632 @@
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+VPATH = @srcdir@
+pkgdatadir = $(datadir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+subdir = src/libstrongswan/plugins/rdrand
+DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+	$(top_srcdir)/m4/config/ltoptions.m4 \
+	$(top_srcdir)/m4/config/ltsugar.m4 \
+	$(top_srcdir)/m4/config/ltversion.m4 \
+	$(top_srcdir)/m4/config/lt~obsolete.m4 \
+	$(top_srcdir)/m4/macros/with.m4 \
+	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
+	$(top_srcdir)/configure.in
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+	$(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_HEADER = $(top_builddir)/config.h
+CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+    *) f=$$p;; \
+  esac;
+am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
+am__install_max = 40
+am__nobase_strip_setup = \
+  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
+am__nobase_strip = \
+  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
+am__nobase_list = $(am__nobase_strip_setup); \
+  for p in $$list; do echo "$$p $$p"; done | \
+  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
+  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
+    if (++n[$$2] == $(am__install_max)) \
+      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
+    END { for (dir in files) print dir, files[dir] }'
+am__base_list = \
+  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
+  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
+am__installdirs = "$(DESTDIR)$(plugindir)"
+LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
+libstrongswan_rdrand_la_LIBADD =
+am_libstrongswan_rdrand_la_OBJECTS = rdrand_plugin.lo rdrand_rng.lo
+libstrongswan_rdrand_la_OBJECTS =  \
+	$(am_libstrongswan_rdrand_la_OBJECTS)
+libstrongswan_rdrand_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(libstrongswan_rdrand_la_LDFLAGS) $(LDFLAGS) -o $@
+@MONOLITHIC_FALSE@am_libstrongswan_rdrand_la_rpath = -rpath \
+@MONOLITHIC_FALSE@	$(plugindir)
+@MONOLITHIC_TRUE@am_libstrongswan_rdrand_la_rpath =
+DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
+depcomp = $(SHELL) $(top_srcdir)/depcomp
+am__depfiles_maybe = depfiles
+am__mv = mv -f
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
+	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CCLD = $(CC)
+LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
+	$(LDFLAGS) -o $@
+SOURCES = $(libstrongswan_rdrand_la_SOURCES)
+DIST_SOURCES = $(libstrongswan_rdrand_la_SOURCES)
+ETAGS = etags
+CTAGS = ctags
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
+AMTAR = @AMTAR@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+BFDLIB = @BFDLIB@
+BTLIB = @BTLIB@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
+DSYMUTIL = @DSYMUTIL@
+DUMPBIN = @DUMPBIN@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+FGREP = @FGREP@
+GPERF = @GPERF@
+GREP = @GREP@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LD = @LD@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LIPO = @LIPO@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
+MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
+NM = @NM@
+NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
+PTHREADLIB = @PTHREADLIB@
+RANLIB = @RANLIB@
+RTLIB = @RTLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
+SED = @SED@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
+STRIP = @STRIP@
+VERSION = @VERSION@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+attest_plugins = @attest_plugins@
+axis2c_CFLAGS = @axis2c_CFLAGS@
+axis2c_LIBS = @axis2c_LIBS@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+c_plugins = @c_plugins@
+charon_natt_port = @charon_natt_port@
+charon_plugins = @charon_plugins@
+charon_udp_port = @charon_udp_port@
+clearsilver_LIBS = @clearsilver_LIBS@
+datadir = @datadir@
+datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
+dev_headers = @dev_headers@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+gtk_CFLAGS = @gtk_CFLAGS@
+gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+imcvdir = @imcvdir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+ipsec_script = @ipsec_script@
+ipsec_script_upper = @ipsec_script_upper@
+ipsecdir = @ipsecdir@
+ipsecgroup = @ipsecgroup@
+ipseclibdir = @ipseclibdir@
+ipsecuser = @ipsecuser@
+libdir = @libdir@
+libexecdir = @libexecdir@
+linux_headers = @linux_headers@
+localedir = @localedir@
+localstatedir = @localstatedir@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
+mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
+mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
+nm_plugins = @nm_plugins@
+oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
+pcsclite_CFLAGS = @pcsclite_CFLAGS@
+pcsclite_LIBS = @pcsclite_LIBS@
+pdfdir = @pdfdir@
+piddir = @piddir@
+pki_plugins = @pki_plugins@
+plugindir = @plugindir@
+pool_plugins = @pool_plugins@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+random_device = @random_device@
+resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
+sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
+sharedstatedir = @sharedstatedir@
+soup_CFLAGS = @soup_CFLAGS@
+soup_LIBS = @soup_LIBS@
+srcdir = @srcdir@
+starter_plugins = @starter_plugins@
+strongswan_conf = @strongswan_conf@
+sysconfdir = @sysconfdir@
+systemdsystemunitdir = @systemdsystemunitdir@
+target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+urandom_device = @urandom_device@
+xml_CFLAGS = @xml_CFLAGS@
+xml_LIBS = @xml_LIBS@
+INCLUDES = -I$(top_srcdir)/src/libstrongswan
+AM_CFLAGS = -rdynamic
+@MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-rdrand.la
+@MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-rdrand.la
+libstrongswan_rdrand_la_SOURCES = \
+	rdrand_plugin.h rdrand_plugin.c \
+	rdrand_rng.h rdrand_rng.c
+
+libstrongswan_rdrand_la_LDFLAGS = -module -avoid-version
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .c .lo .o .obj
+$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
+	@for dep in $?; do \
+	  case '$(am__configure_deps)' in \
+	    *$$dep*) \
+	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+	        && { if test -f $@; then exit 0; else break; fi; }; \
+	      exit 1;; \
+	  esac; \
+	done; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libstrongswan/plugins/rdrand/Makefile'; \
+	$(am__cd) $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu src/libstrongswan/plugins/rdrand/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+	@case '$?' in \
+	  *config.status*) \
+	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+	  *) \
+	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+	esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure:  $(am__configure_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
+
+clean-noinstLTLIBRARIES:
+	-test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES)
+	@list='$(noinst_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
+	@$(NORMAL_INSTALL)
+	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	list2=; for p in $$list; do \
+	  if test -f $$p; then \
+	    list2="$$list2 $$p"; \
+	  else :; fi; \
+	done; \
+	test -z "$$list2" || { \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
+	}
+
+uninstall-pluginLTLIBRARIES:
+	@$(NORMAL_UNINSTALL)
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	for p in $$list; do \
+	  $(am__strip_dir) \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \
+	done
+
+clean-pluginLTLIBRARIES:
+	-test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES)
+	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+libstrongswan-rdrand.la: $(libstrongswan_rdrand_la_OBJECTS) $(libstrongswan_rdrand_la_DEPENDENCIES) $(EXTRA_libstrongswan_rdrand_la_DEPENDENCIES) 
+	$(libstrongswan_rdrand_la_LINK) $(am_libstrongswan_rdrand_la_rpath) $(libstrongswan_rdrand_la_OBJECTS) $(libstrongswan_rdrand_la_LIBADD) $(LIBS)
+
+mostlyclean-compile:
+	-rm -f *.$(OBJEXT)
+
+distclean-compile:
+	-rm -f *.tab.c
+
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/rdrand_plugin.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/rdrand_rng.Plo@am__quote@
+
+.c.o:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+
+.c.obj:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+
+.c.lo:
+@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	mkid -fID $$unique
+tags: TAGS
+
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	set x; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	shift; \
+	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
+	  test -n "$$unique" || unique=$$empty_fix; \
+	  if test $$# -gt 0; then \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      "$$@" $$unique; \
+	  else \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      $$unique; \
+	  fi; \
+	fi
+ctags: CTAGS
+CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	test -z "$(CTAGS_ARGS)$$unique" \
+	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+	     $$unique
+
+GTAGS:
+	here=`$(am__cd) $(top_builddir) && pwd` \
+	  && $(am__cd) $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) "$$here"
+
+distclean-tags:
+	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+distdir: $(DISTFILES)
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
+	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d "$(distdir)/$$file"; then \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
+	  else \
+	    test -f "$(distdir)/$$file" \
+	    || cp -p $$d/$$file "$(distdir)/$$file" \
+	    || exit 1; \
+	  fi; \
+	done
+check-am: all-am
+check: check-am
+all-am: Makefile $(LTLIBRARIES)
+installdirs:
+	for dir in "$(DESTDIR)$(plugindir)"; do \
+	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
+	done
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
+
+maintainer-clean-generic:
+	@echo "This command is intended for maintainers to use"
+	@echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-generic clean-libtool clean-noinstLTLIBRARIES \
+	clean-pluginLTLIBRARIES mostlyclean-am
+
+distclean: distclean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+	distclean-tags
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+html-am:
+
+info: info-am
+
+info-am:
+
+install-data-am: install-pluginLTLIBRARIES
+
+install-dvi: install-dvi-am
+
+install-dvi-am:
+
+install-exec-am:
+
+install-html: install-html-am
+
+install-html-am:
+
+install-info: install-info-am
+
+install-info-am:
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-pdf-am:
+
+install-ps: install-ps-am
+
+install-ps-am:
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+	mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am: uninstall-pluginLTLIBRARIES
+
+.MAKE: install-am install-strip
+
+.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
+	clean-libtool clean-noinstLTLIBRARIES clean-pluginLTLIBRARIES \
+	ctags distclean distclean-compile distclean-generic \
+	distclean-libtool distclean-tags distdir dvi dvi-am html \
+	html-am info info-am install install-am install-data \
+	install-data-am install-dvi install-dvi-am install-exec \
+	install-exec-am install-html install-html-am install-info \
+	install-info-am install-man install-pdf install-pdf-am \
+	install-pluginLTLIBRARIES install-ps install-ps-am \
+	install-strip installcheck installcheck-am installdirs \
+	maintainer-clean maintainer-clean-generic mostlyclean \
+	mostlyclean-compile mostlyclean-generic mostlyclean-libtool \
+	pdf pdf-am ps ps-am tags uninstall uninstall-am \
+	uninstall-pluginLTLIBRARIES
+
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/src/libstrongswan/plugins/rdrand/rdrand_plugin.c b/src/libstrongswan/plugins/rdrand/rdrand_plugin.c
new file mode 100644
index 000000000..4bdfc258e
--- /dev/null
+++ b/src/libstrongswan/plugins/rdrand/rdrand_plugin.c
@@ -0,0 +1,137 @@
+/*
+ * Copyright (C) 2012 Martin Willi
+ * Copyright (C) 2012 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "rdrand_plugin.h"
+#include "rdrand_rng.h"
+
+#include <stdio.h>
+
+#include <library.h>
+#include <utils/debug.h>
+
+typedef struct private_rdrand_plugin_t private_rdrand_plugin_t;
+typedef enum cpuid_feature_t cpuid_feature_t;
+
+/**
+ * private data of rdrand_plugin
+ */
+struct private_rdrand_plugin_t {
+
+	/**
+	 * public functions
+	 */
+	rdrand_plugin_t public;
+};
+
+/**
+ * CPU feature flags, returned via cpuid(1)
+ */
+enum cpuid_feature_t {
+	CPUID_RDRAND =		(1<<30),
+};
+
+/**
+ * Get cpuid for info, return eax, ebx, ecx and edx.
+ * -fPIC requires to save ebx on IA-32.
+ */
+static void cpuid(u_int op, u_int *a, u_int *b, u_int *c, u_int *d)
+{
+#ifdef __x86_64__
+	asm("cpuid" : "=a" (*a), "=b" (*b), "=c" (*c), "=d" (*d) : "a" (op));
+#else /* __i386__ */
+	asm("pushl %%ebx;"
+		"cpuid;"
+		"movl %%ebx, %1;"
+		"popl %%ebx;"
+		: "=a" (*a), "=r" (*b), "=c" (*c), "=d" (*d) : "a" (op));
+#endif /* __x86_64__ / __i386__*/
+}
+
+/**
+ * Check if we have RDRAND instruction
+ */
+static bool have_rdrand()
+{
+	char vendor[3 * sizeof(u_int32_t) + 1];
+	u_int a, b, c, d;
+
+	cpuid(0, &a, &b, &c, &d);
+	/* VendorID string is in b-d-c (yes, in this order) */
+	snprintf(vendor, sizeof(vendor), "%.4s%.4s%.4s", &b, &d, &c);
+
+	/* check if we have an Intel CPU */
+	if (streq(vendor, "GenuineIntel"))
+	{
+		cpuid(1, &a, &b, &c, &d);
+		if (c & CPUID_RDRAND)
+		{
+			DBG1(DBG_LIB, "detected RDRAND support on %s CPU", vendor);
+			return TRUE;
+		}
+	}
+	DBG1(DBG_LIB, "no RDRAND support on %s CPU, disabled", vendor);
+	return FALSE;
+}
+
+METHOD(plugin_t, get_name, char*,
+	private_rdrand_plugin_t *this)
+{
+	return "rdrand";
+}
+
+METHOD(plugin_t, get_features, int,
+	private_rdrand_plugin_t *this, plugin_feature_t *features[])
+{
+	static plugin_feature_t f[] = {
+		PLUGIN_REGISTER(RNG, rdrand_rng_create),
+			PLUGIN_PROVIDE(RNG, RNG_WEAK),
+			PLUGIN_PROVIDE(RNG, RNG_STRONG),
+			PLUGIN_PROVIDE(RNG, RNG_TRUE),
+				PLUGIN_DEPENDS(CRYPTER, ENCR_AES_CBC, 16),
+	};
+	*features = f;
+	return countof(f);
+}
+
+METHOD(plugin_t, destroy, void,
+	private_rdrand_plugin_t *this)
+{
+	free(this);
+}
+
+/*
+ * see header file
+ */
+plugin_t *rdrand_plugin_create()
+{
+	private_rdrand_plugin_t *this;
+
+	INIT(this,
+		.public = {
+			.plugin = {
+				.get_name = _get_name,
+				.reload = (void*)return_false,
+				.destroy = _destroy,
+			},
+		},
+	);
+
+	if (have_rdrand())
+	{
+		this->public.plugin.get_features = _get_features;
+	}
+
+	return &this->public.plugin;
+}
diff --git a/src/libstrongswan/plugins/rdrand/rdrand_plugin.h b/src/libstrongswan/plugins/rdrand/rdrand_plugin.h
new file mode 100644
index 000000000..6f0e55313
--- /dev/null
+++ b/src/libstrongswan/plugins/rdrand/rdrand_plugin.h
@@ -0,0 +1,42 @@
+/*
+ * Copyright (C) 2012 Martin Willi
+ * Copyright (C) 2012 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup rdrand_p rdrand
+ * @ingroup plugins
+ *
+ * @defgroup rdrand_plugin rdrand_plugin
+ * @{ @ingroup rdrand_p
+ */
+
+#ifndef RDRAND_PLUGIN_H_
+#define RDRAND_PLUGIN_H_
+
+#include <plugins/plugin.h>
+
+typedef struct rdrand_plugin_t rdrand_plugin_t;
+
+/**
+ * Plugin providing random generators based on Intels RDRAND instruction.
+ */
+struct rdrand_plugin_t {
+
+	/**
+	 * implements plugin interface
+	 */
+	plugin_t plugin;
+};
+
+#endif /** RDRAND_PLUGIN_H_ @}*/
diff --git a/src/libstrongswan/plugins/rdrand/rdrand_rng.c b/src/libstrongswan/plugins/rdrand/rdrand_rng.c
new file mode 100644
index 000000000..fa66f3ad7
--- /dev/null
+++ b/src/libstrongswan/plugins/rdrand/rdrand_rng.c
@@ -0,0 +1,442 @@
+/*
+ * Copyright (C) 2012 Martin Willi
+ * Copyright (C) 2012 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "rdrand_rng.h"
+
+#include <unistd.h>
+
+typedef struct private_rdrand_rng_t private_rdrand_rng_t;
+
+/**
+ * Private data of an rdrand_rng_t object.
+ */
+struct private_rdrand_rng_t {
+
+	/**
+	 * Public rdrand_rng_t interface.
+	 */
+	rdrand_rng_t public;
+
+	/**
+	 * Quality we produce RNG data
+	 */
+	rng_quality_t quality;
+};
+
+/**
+ * Retries for failed RDRAND instructions
+ */
+#define MAX_TRIES 16
+
+/**
+ * After how many bytes should we reseed for RNG_STRONG
+ * (must be a power of two >= 8)
+ */
+#define FORCE_RESEED 16
+
+/**
+ * How many times we mix reseeded RDRAND output when using RNG_TRUE
+ */
+#define MIX_ROUNDS 32
+
+/**
+ * Get a two byte word using RDRAND
+ */
+static bool rdrand16(u_int16_t *out)
+{
+	u_char res;
+	int i;
+
+	for (i = 0; i < MAX_TRIES; i++)
+	{
+		asm(".byte 0x66;.byte 0x0f;.byte 0xc7;.byte 0xf0; " /* rdrand */
+			"setc %1;"
+			: "=a"(*out), "=qm"(res));
+
+		if (res)
+		{
+			return TRUE;
+		}
+	}
+	return FALSE;
+}
+
+/**
+ * Get a four byte word using RDRAND
+ */
+static bool rdrand32(u_int32_t *out)
+{
+	u_char res;
+	int i;
+
+	for (i = 0; i < MAX_TRIES; i++)
+	{
+		asm(".byte 0x0f;.byte 0xc7;.byte 0xf0;" /* rdrand */
+			"setc %1;"
+			: "=a"(*out), "=qm"(res));
+
+		if (res)
+		{
+			return TRUE;
+		}
+	}
+	return FALSE;
+}
+
+#ifdef __x86_64__
+/**
+ * Get a eight byte word using RDRAND
+ */
+static bool rdrand64(u_int64_t *out)
+{
+	u_char res;
+	int i;
+
+	for (i = 0; i < MAX_TRIES; i++)
+	{
+		asm(".byte 0x48;.byte 0x0f;.byte 0xc7;.byte 0xf0;" /* rdrand */
+			"setc %1;"
+			: "=a"(*out), "=qm"(res));
+
+		if (res)
+		{
+			return TRUE;
+		}
+	}
+	return FALSE;
+}
+#endif /* __x86_64__ */
+
+/**
+ * Get a one byte word using RDRAND
+ */
+static bool rdrand8(u_int8_t *out)
+{
+	u_int16_t u16;
+
+	if (!rdrand16(&u16))
+	{
+		return FALSE;
+	}
+	*out = u16;
+	return TRUE;
+}
+
+/**
+ * Get a 16 byte word using RDRAND
+ */
+static bool rdrand128(void *out)
+{
+#ifdef __x86_64__
+	if (!rdrand64(out) ||
+		!rdrand64(out + sizeof(u_int64_t)))
+	{
+		return FALSE;
+	}
+#else /* __i386__ */
+	if (!rdrand32(out) ||
+		!rdrand32(out + 1 * sizeof(u_int32_t)) ||
+		!rdrand32(out + 2 * sizeof(u_int32_t)) ||
+		!rdrand32(out + 3 * sizeof(u_int32_t)))
+	{
+		return FALSE;
+	}
+#endif /* __x86_64__ / __i386__ */
+	return TRUE;
+}
+
+/**
+ * Enforce a DRNG reseed by reading 511 128-bit samples
+ */
+static bool reseed()
+{
+	int i;
+
+#ifdef __x86_64__
+	u_int64_t tmp;
+
+	for (i = 0; i < 511 * 16 / sizeof(u_int64_t); i++)
+	{
+		if (!rdrand64(&tmp))
+		{
+			return FALSE;
+		}
+	}
+#else /* __i386__ */
+	u_int32_t tmp;
+
+	for (i = 0; i < 511 * 16 / sizeof(u_int32_t); i++)
+	{
+		if (!rdrand32(&tmp))
+		{
+			return FALSE;
+		}
+	}
+#endif /* __x86_64__ / __i386__ */
+	return TRUE;
+}
+
+/**
+ * Fill a preallocated chunk of data with random bytes
+ */
+static bool rdrand_chunk(private_rdrand_rng_t *this, chunk_t chunk)
+{
+	if (this->quality == RNG_STRONG)
+	{
+		if (!reseed())
+		{
+			return FALSE;
+		}
+	}
+
+	/* align to 2 byte */
+	if (chunk.len >= sizeof(u_int8_t))
+	{
+		if ((uintptr_t)chunk.ptr % 2)
+		{
+			if (!rdrand8((u_int8_t*)chunk.ptr))
+			{
+				return FALSE;
+			}
+			chunk = chunk_skip(chunk, sizeof(u_int8_t));
+		}
+	}
+
+	/* align to 4 byte */
+	if (chunk.len >= sizeof(u_int16_t))
+	{
+		if ((uintptr_t)chunk.ptr % 4)
+		{
+			if (!rdrand16((u_int16_t*)chunk.ptr))
+			{
+				return FALSE;
+			}
+			chunk = chunk_skip(chunk, sizeof(u_int16_t));
+		}
+	}
+
+#ifdef __x86_64__
+
+	/* align to 8 byte */
+	if (chunk.len >= sizeof(u_int32_t))
+	{
+		if ((uintptr_t)chunk.ptr % 8)
+		{
+			if (!rdrand32((u_int32_t*)chunk.ptr))
+			{
+				return FALSE;
+			}
+			chunk = chunk_skip(chunk, sizeof(u_int32_t));
+		}
+	}
+
+	/* fill with 8 byte words */
+	while (chunk.len >= sizeof(u_int64_t))
+	{
+		if (this->quality == RNG_STRONG && chunk.len % FORCE_RESEED == 0)
+		{
+			if (!reseed())
+			{
+				return FALSE;
+			}
+		}
+		if (!rdrand64((u_int64_t*)chunk.ptr))
+		{
+			return FALSE;
+		}
+		chunk = chunk_skip(chunk, sizeof(u_int64_t));
+	}
+
+	/* append 4 byte word */
+	if (chunk.len >= sizeof(u_int32_t))
+	{
+		if (!rdrand32((u_int32_t*)chunk.ptr))
+		{
+			return FALSE;
+		}
+		chunk = chunk_skip(chunk, sizeof(u_int32_t));
+	}
+
+#else /* __i386__ */
+
+	/* fill with 4 byte words */
+	while (chunk.len >= sizeof(u_int32_t))
+	{
+		if (this->quality == RNG_STRONG && chunk.len % FORCE_RESEED == 0)
+		{
+			if (!reseed())
+			{
+				return FALSE;
+			}
+		}
+		if (!rdrand32((u_int32_t*)chunk.ptr))
+		{
+			return FALSE;
+		}
+		chunk = chunk_skip(chunk, sizeof(u_int32_t));
+	}
+
+#endif /* __x86_64__ / __i386__ */
+
+	if (this->quality == RNG_STRONG)
+	{
+		if (!reseed())
+		{
+			return FALSE;
+		}
+	}
+
+	/* append 2 byte word */
+	if (chunk.len >= sizeof(u_int16_t))
+	{
+		if (!rdrand16((u_int16_t*)chunk.ptr))
+		{
+			return FALSE;
+		}
+		chunk = chunk_skip(chunk, sizeof(u_int16_t));
+	}
+
+	/* append 1 byte word */
+	if (chunk.len >= sizeof(u_int8_t))
+	{
+		if (!rdrand8((u_int8_t*)chunk.ptr))
+		{
+			return FALSE;
+		}
+		chunk = chunk_skip(chunk, sizeof(u_int8_t));
+	}
+
+	return TRUE;
+}
+
+/**
+ * Stronger variant mixing reseeded results of rdrand output
+ *
+ * This is based on the Intel DRNG "Software Implementation Guide", using
+ * AES-CBC to mix several reseeded RDRAND outputs.
+ */
+static bool rdrand_mixed(private_rdrand_rng_t *this, chunk_t chunk)
+{
+	u_char block[16], forward[16], key[16], iv[16];
+	crypter_t *crypter;
+	int i, len;
+
+	memset(iv, 0, sizeof(iv));
+	crypter = lib->crypto->create_crypter(lib->crypto, ENCR_AES_CBC, 16);
+	if (!crypter)
+	{
+		return FALSE;
+	}
+	for (i = 0; i < sizeof(key); i++)
+	{
+		key[i] = i;
+	}
+	if (!crypter->set_key(crypter, chunk_from_thing(key)))
+	{
+		crypter->destroy(crypter);
+		return FALSE;
+	}
+	while (chunk.len > 0)
+	{
+		memset(forward, 0, sizeof(forward));
+		for (i = 0; i < MIX_ROUNDS; i++)
+		{
+			/* sleep to reseed PRNG */
+			usleep(10);
+			if (!rdrand128(block))
+			{
+				crypter->destroy(crypter);
+				return FALSE;
+			}
+			memxor(forward, block, sizeof(block));
+			if (!crypter->encrypt(crypter, chunk_from_thing(forward),
+								  chunk_from_thing(iv), NULL))
+			{
+				crypter->destroy(crypter);
+				return FALSE;
+			}
+		}
+		len = min(chunk.len, sizeof(forward));
+		memcpy(chunk.ptr, forward, len);
+		chunk = chunk_skip(chunk, len);
+	}
+	crypter->destroy(crypter);
+
+	return TRUE;
+}
+
+METHOD(rng_t, get_bytes, bool,
+	private_rdrand_rng_t *this, size_t bytes, u_int8_t *buffer)
+{
+	switch (this->quality)
+	{
+		case RNG_WEAK:
+		case RNG_STRONG:
+			return rdrand_chunk(this, chunk_create(buffer, bytes));
+		case RNG_TRUE:
+			return rdrand_mixed(this, chunk_create(buffer, bytes));
+		default:
+			return FALSE;
+	}
+}
+
+METHOD(rng_t, allocate_bytes, bool,
+	private_rdrand_rng_t *this, size_t bytes, chunk_t *chunk)
+{
+	*chunk = chunk_alloc(bytes);
+	if (get_bytes(this, bytes, chunk->ptr))
+	{
+		return TRUE;
+	}
+	free(chunk->ptr);
+	return FALSE;
+}
+
+METHOD(rng_t, destroy, void,
+	private_rdrand_rng_t *this)
+{
+	free(this);
+}
+
+/*
+ * Described in header.
+ */
+rdrand_rng_t *rdrand_rng_create(rng_quality_t quality)
+{
+	private_rdrand_rng_t *this;
+
+	switch (quality)
+	{
+		case RNG_WEAK:
+		case RNG_STRONG:
+		case RNG_TRUE:
+			break;
+		default:
+			return NULL;
+	}
+
+	INIT(this,
+		.public = {
+			.rng = {
+				.get_bytes = _get_bytes,
+				.allocate_bytes = _allocate_bytes,
+				.destroy = _destroy,
+			},
+		},
+		.quality = quality,
+	);
+
+	return &this->public;
+}
diff --git a/src/libstrongswan/plugins/rdrand/rdrand_rng.h b/src/libstrongswan/plugins/rdrand/rdrand_rng.h
new file mode 100644
index 000000000..d15a48224
--- /dev/null
+++ b/src/libstrongswan/plugins/rdrand/rdrand_rng.h
@@ -0,0 +1,47 @@
+/*
+ * Copyright (C) 2012 Martin Willi
+ * Copyright (C) 2012 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup rdrand_rng rdrand_rng
+ * @{ @ingroup rdrand
+ */
+
+#ifndef RDRAND_RNG_H_
+#define RDRAND_RNG_H_
+
+#include <crypto/rngs/rng.h>
+
+typedef struct rdrand_rng_t rdrand_rng_t;
+
+/**
+ * RNG implemented with Intels RDRAND instructions, introduced in Ivy Bridge.
+ */
+struct rdrand_rng_t {
+
+	/**
+	 * Implements rng_t interface.
+	 */
+	rng_t rng;
+};
+
+/**
+ * Create a rdrand_rng instance.
+ *
+ * @param quality		RNG quality
+ * @return				RNG instance
+ */
+rdrand_rng_t *rdrand_rng_create(rng_quality_t quality);
+
+#endif /** RDRAND_RNG_H_ @}*/
diff --git a/src/libstrongswan/plugins/revocation/Makefile.in b/src/libstrongswan/plugins/revocation/Makefile.in
index e2cbbbbe0..df94dc36e 100644
--- a/src/libstrongswan/plugins/revocation/Makefile.in
+++ b/src/libstrongswan/plugins/revocation/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -73,6 +73,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
 am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
 am__installdirs = "$(DESTDIR)$(plugindir)"
 LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
 libstrongswan_revocation_la_LIBADD =
@@ -124,6 +130,7 @@ CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -151,6 +158,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -178,6 +186,7 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
@@ -190,6 +199,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -243,7 +253,6 @@ libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -373,7 +382,7 @@ clean-pluginLTLIBRARIES:
 	  echo "rm -f \"$${dir}/so_locations\""; \
 	  rm -f "$${dir}/so_locations"; \
 	done
-libstrongswan-revocation.la: $(libstrongswan_revocation_la_OBJECTS) $(libstrongswan_revocation_la_DEPENDENCIES) 
+libstrongswan-revocation.la: $(libstrongswan_revocation_la_OBJECTS) $(libstrongswan_revocation_la_DEPENDENCIES) $(EXTRA_libstrongswan_revocation_la_DEPENDENCIES) 
 	$(libstrongswan_revocation_la_LINK) $(am_libstrongswan_revocation_la_rpath) $(libstrongswan_revocation_la_OBJECTS) $(libstrongswan_revocation_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
@@ -511,10 +520,15 @@ install-am: all-am
 
 installcheck: installcheck-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
diff --git a/src/libstrongswan/plugins/revocation/revocation_validator.c b/src/libstrongswan/plugins/revocation/revocation_validator.c
index dc8e454e7..44c234559 100644
--- a/src/libstrongswan/plugins/revocation/revocation_validator.c
+++ b/src/libstrongswan/plugins/revocation/revocation_validator.c
@@ -17,7 +17,7 @@
 
 #include "revocation_validator.h"
 
-#include <debug.h>
+#include <utils/debug.h>
 #include <credentials/certificates/x509.h>
 #include <credentials/certificates/crl.h>
 #include <credentials/certificates/ocsp_request.h>
diff --git a/src/libstrongswan/plugins/sha1/Makefile.in b/src/libstrongswan/plugins/sha1/Makefile.in
index 5188c3fbf..bfc35d1b8 100644
--- a/src/libstrongswan/plugins/sha1/Makefile.in
+++ b/src/libstrongswan/plugins/sha1/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -73,6 +73,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
 am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
 am__installdirs = "$(DESTDIR)$(plugindir)"
 LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
 libstrongswan_sha1_la_LIBADD =
@@ -121,6 +127,7 @@ CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -148,6 +155,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -175,6 +183,7 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
@@ -187,6 +196,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -240,7 +250,6 @@ libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -370,7 +379,7 @@ clean-pluginLTLIBRARIES:
 	  echo "rm -f \"$${dir}/so_locations\""; \
 	  rm -f "$${dir}/so_locations"; \
 	done
-libstrongswan-sha1.la: $(libstrongswan_sha1_la_OBJECTS) $(libstrongswan_sha1_la_DEPENDENCIES) 
+libstrongswan-sha1.la: $(libstrongswan_sha1_la_OBJECTS) $(libstrongswan_sha1_la_DEPENDENCIES) $(EXTRA_libstrongswan_sha1_la_DEPENDENCIES) 
 	$(libstrongswan_sha1_la_LINK) $(am_libstrongswan_sha1_la_rpath) $(libstrongswan_sha1_la_OBJECTS) $(libstrongswan_sha1_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
@@ -509,10 +518,15 @@ install-am: all-am
 
 installcheck: installcheck-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
diff --git a/src/libstrongswan/plugins/sha2/Makefile.in b/src/libstrongswan/plugins/sha2/Makefile.in
index adf7d10b4..1b9d7b717 100644
--- a/src/libstrongswan/plugins/sha2/Makefile.in
+++ b/src/libstrongswan/plugins/sha2/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -73,6 +73,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
 am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
 am__installdirs = "$(DESTDIR)$(plugindir)"
 LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
 libstrongswan_sha2_la_LIBADD =
@@ -120,6 +126,7 @@ CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -147,6 +154,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -174,6 +182,7 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
@@ -186,6 +195,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -239,7 +249,6 @@ libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -368,7 +377,7 @@ clean-pluginLTLIBRARIES:
 	  echo "rm -f \"$${dir}/so_locations\""; \
 	  rm -f "$${dir}/so_locations"; \
 	done
-libstrongswan-sha2.la: $(libstrongswan_sha2_la_OBJECTS) $(libstrongswan_sha2_la_DEPENDENCIES) 
+libstrongswan-sha2.la: $(libstrongswan_sha2_la_OBJECTS) $(libstrongswan_sha2_la_DEPENDENCIES) $(EXTRA_libstrongswan_sha2_la_DEPENDENCIES) 
 	$(libstrongswan_sha2_la_LINK) $(am_libstrongswan_sha2_la_rpath) $(libstrongswan_sha2_la_OBJECTS) $(libstrongswan_sha2_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
@@ -506,10 +515,15 @@ install-am: all-am
 
 installcheck: installcheck-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
diff --git a/src/libstrongswan/plugins/soup/Makefile.in b/src/libstrongswan/plugins/soup/Makefile.in
index 5ab3f94aa..41cd7bac5 100644
--- a/src/libstrongswan/plugins/soup/Makefile.in
+++ b/src/libstrongswan/plugins/soup/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -73,6 +73,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
 am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
 am__installdirs = "$(DESTDIR)$(plugindir)"
 LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
 am__DEPENDENCIES_1 =
@@ -121,6 +127,7 @@ CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -148,6 +155,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -175,6 +183,7 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
@@ -187,6 +196,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -240,7 +250,6 @@ libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -370,7 +379,7 @@ clean-pluginLTLIBRARIES:
 	  echo "rm -f \"$${dir}/so_locations\""; \
 	  rm -f "$${dir}/so_locations"; \
 	done
-libstrongswan-soup.la: $(libstrongswan_soup_la_OBJECTS) $(libstrongswan_soup_la_DEPENDENCIES) 
+libstrongswan-soup.la: $(libstrongswan_soup_la_OBJECTS) $(libstrongswan_soup_la_DEPENDENCIES) $(EXTRA_libstrongswan_soup_la_DEPENDENCIES) 
 	$(libstrongswan_soup_la_LINK) $(am_libstrongswan_soup_la_rpath) $(libstrongswan_soup_la_OBJECTS) $(libstrongswan_soup_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
@@ -508,10 +517,15 @@ install-am: all-am
 
 installcheck: installcheck-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
diff --git a/src/libstrongswan/plugins/soup/soup_fetcher.c b/src/libstrongswan/plugins/soup/soup_fetcher.c
index 3e5786b12..681a3c357 100644
--- a/src/libstrongswan/plugins/soup/soup_fetcher.c
+++ b/src/libstrongswan/plugins/soup/soup_fetcher.c
@@ -18,7 +18,7 @@
 #include <libsoup/soup.h>
 
 #include <library.h>
-#include <debug.h>
+#include <utils/debug.h>
 
 #define DEFAULT_TIMEOUT 10
 
diff --git a/src/libstrongswan/plugins/soup/soup_plugin.c b/src/libstrongswan/plugins/soup/soup_plugin.c
index b21b28b9f..1260a5a60 100644
--- a/src/libstrongswan/plugins/soup/soup_plugin.c
+++ b/src/libstrongswan/plugins/soup/soup_plugin.c
@@ -66,10 +66,13 @@ plugin_t *soup_plugin_create()
 	private_soup_plugin_t *this;
 
 	g_type_init();
+
+#if !GLIB_CHECK_VERSION(2,23,0)
 	if (!g_thread_get_initialized())
 	{
 		g_thread_init(NULL);
 	}
+#endif
 
 	INIT(this,
 		.public = {
diff --git a/src/libstrongswan/plugins/sqlite/Makefile.in b/src/libstrongswan/plugins/sqlite/Makefile.in
index f13540edb..8e5b21e49 100644
--- a/src/libstrongswan/plugins/sqlite/Makefile.in
+++ b/src/libstrongswan/plugins/sqlite/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -73,6 +73,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
 am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
 am__installdirs = "$(DESTDIR)$(plugindir)"
 LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
 libstrongswan_sqlite_la_DEPENDENCIES =
@@ -123,6 +129,7 @@ CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -150,6 +157,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -177,6 +185,7 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
@@ -189,6 +198,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -242,7 +252,6 @@ libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -373,7 +382,7 @@ clean-pluginLTLIBRARIES:
 	  echo "rm -f \"$${dir}/so_locations\""; \
 	  rm -f "$${dir}/so_locations"; \
 	done
-libstrongswan-sqlite.la: $(libstrongswan_sqlite_la_OBJECTS) $(libstrongswan_sqlite_la_DEPENDENCIES) 
+libstrongswan-sqlite.la: $(libstrongswan_sqlite_la_OBJECTS) $(libstrongswan_sqlite_la_DEPENDENCIES) $(EXTRA_libstrongswan_sqlite_la_DEPENDENCIES) 
 	$(libstrongswan_sqlite_la_LINK) $(am_libstrongswan_sqlite_la_rpath) $(libstrongswan_sqlite_la_OBJECTS) $(libstrongswan_sqlite_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
@@ -511,10 +520,15 @@ install-am: all-am
 
 installcheck: installcheck-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
diff --git a/src/libstrongswan/plugins/sqlite/sqlite_database.c b/src/libstrongswan/plugins/sqlite/sqlite_database.c
index 0fb3c7fff..1fb306579 100644
--- a/src/libstrongswan/plugins/sqlite/sqlite_database.c
+++ b/src/libstrongswan/plugins/sqlite/sqlite_database.c
@@ -18,7 +18,7 @@
 #include <sqlite3.h>
 #include <unistd.h>
 #include <library.h>
-#include <debug.h>
+#include <utils/debug.h>
 #include <threading/mutex.h>
 
 typedef struct private_sqlite_database_t private_sqlite_database_t;
@@ -300,7 +300,10 @@ static int busy_handler(private_sqlite_database_t *this, int count)
 METHOD(database_t, destroy, void,
 	private_sqlite_database_t *this)
 {
-	sqlite3_close(this->db);
+	if (sqlite3_close(this->db) == SQLITE_BUSY)
+	{
+		DBG1(DBG_LIB, "sqlite close failed because database is busy");
+	}
 	this->mutex->destroy(this->mutex);
 	free(this);
 }
diff --git a/src/libstrongswan/plugins/test_vectors/Makefile.in b/src/libstrongswan/plugins/test_vectors/Makefile.in
index f717ad6d9..f7ac9f9d0 100644
--- a/src/libstrongswan/plugins/test_vectors/Makefile.in
+++ b/src/libstrongswan/plugins/test_vectors/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -73,6 +73,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
 am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
 am__installdirs = "$(DESTDIR)$(plugindir)"
 LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
 libstrongswan_test_vectors_la_LIBADD =
@@ -129,6 +135,7 @@ CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -156,6 +163,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -183,6 +191,7 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
@@ -195,6 +204,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -248,7 +258,6 @@ libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -405,7 +414,7 @@ clean-pluginLTLIBRARIES:
 	  echo "rm -f \"$${dir}/so_locations\""; \
 	  rm -f "$${dir}/so_locations"; \
 	done
-libstrongswan-test-vectors.la: $(libstrongswan_test_vectors_la_OBJECTS) $(libstrongswan_test_vectors_la_DEPENDENCIES) 
+libstrongswan-test-vectors.la: $(libstrongswan_test_vectors_la_OBJECTS) $(libstrongswan_test_vectors_la_DEPENDENCIES) $(EXTRA_libstrongswan_test_vectors_la_DEPENDENCIES) 
 	$(libstrongswan_test_vectors_la_LINK) $(am_libstrongswan_test_vectors_la_rpath) $(libstrongswan_test_vectors_la_OBJECTS) $(libstrongswan_test_vectors_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
@@ -766,10 +775,15 @@ install-am: all-am
 
 installcheck: installcheck-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
diff --git a/src/libstrongswan/plugins/test_vectors/test_vectors/rng.c b/src/libstrongswan/plugins/test_vectors/test_vectors/rng.c
index 18e0c9278..3316c364d 100644
--- a/src/libstrongswan/plugins/test_vectors/test_vectors/rng.c
+++ b/src/libstrongswan/plugins/test_vectors/test_vectors/rng.c
@@ -15,7 +15,7 @@
 
 #include <crypto/crypto_tester.h>
 
-#include <debug.h>
+#include <utils/debug.h>
 
 /**
  * Monobit test
diff --git a/src/libstrongswan/plugins/x509/Makefile.in b/src/libstrongswan/plugins/x509/Makefile.in
index 6d9f88647..5c1258986 100644
--- a/src/libstrongswan/plugins/x509/Makefile.in
+++ b/src/libstrongswan/plugins/x509/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -73,6 +73,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
 am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
 am__installdirs = "$(DESTDIR)$(plugindir)"
 LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
 libstrongswan_x509_la_LIBADD =
@@ -122,6 +128,7 @@ CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -149,6 +156,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -176,6 +184,7 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
@@ -188,6 +197,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -241,7 +251,6 @@ libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -376,7 +385,7 @@ clean-pluginLTLIBRARIES:
 	  echo "rm -f \"$${dir}/so_locations\""; \
 	  rm -f "$${dir}/so_locations"; \
 	done
-libstrongswan-x509.la: $(libstrongswan_x509_la_OBJECTS) $(libstrongswan_x509_la_DEPENDENCIES) 
+libstrongswan-x509.la: $(libstrongswan_x509_la_OBJECTS) $(libstrongswan_x509_la_DEPENDENCIES) $(EXTRA_libstrongswan_x509_la_DEPENDENCIES) 
 	$(libstrongswan_x509_la_LINK) $(am_libstrongswan_x509_la_rpath) $(libstrongswan_x509_la_OBJECTS) $(libstrongswan_x509_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
@@ -519,10 +528,15 @@ install-am: all-am
 
 installcheck: installcheck-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
diff --git a/src/libstrongswan/plugins/x509/x509_ac.c b/src/libstrongswan/plugins/x509/x509_ac.c
index d6ca8c4fa..7d83e48ea 100644
--- a/src/libstrongswan/plugins/x509/x509_ac.c
+++ b/src/libstrongswan/plugins/x509/x509_ac.c
@@ -22,12 +22,12 @@
 #include <time.h>
 
 #include <library.h>
-#include <debug.h>
+#include <utils/debug.h>
 #include <asn1/oid.h>
 #include <asn1/asn1.h>
 #include <asn1/asn1_parser.h>
 #include <utils/identification.h>
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
 #include <credentials/certificates/x509.h>
 #include <credentials/ietf_attributes/ietf_attributes.h>
 #include <credentials/keys/private_key.h>
diff --git a/src/libstrongswan/plugins/x509/x509_cert.c b/src/libstrongswan/plugins/x509/x509_cert.c
index 2269eb453..85c481552 100644
--- a/src/libstrongswan/plugins/x509/x509_cert.c
+++ b/src/libstrongswan/plugins/x509/x509_cert.c
@@ -29,13 +29,13 @@
 #include <stdio.h>
 
 #include <library.h>
-#include <debug.h>
+#include <utils/debug.h>
 #include <asn1/oid.h>
 #include <asn1/asn1.h>
 #include <asn1/asn1_parser.h>
 #include <crypto/hashers/hasher.h>
 #include <credentials/keys/private_key.h>
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
 #include <utils/identification.h>
 #include <selectors/traffic_selector.h>
 
@@ -1547,6 +1547,10 @@ METHOD(certificate_t, has_subject, id_match_t,
 		{
 			return ID_MATCH_PERFECT;
 		}
+		if (chunk_equals(this->serialNumber, encoding))
+		{
+			return ID_MATCH_PERFECT;
+		}
 	}
 	best = this->subject->matches(this->subject, subject);
 	enumerator = this->subjectAltNames->create_enumerator(this->subjectAltNames);
diff --git a/src/libstrongswan/plugins/x509/x509_crl.c b/src/libstrongswan/plugins/x509/x509_crl.c
index 47621103e..5350d4a51 100644
--- a/src/libstrongswan/plugins/x509/x509_crl.c
+++ b/src/libstrongswan/plugins/x509/x509_crl.c
@@ -20,14 +20,14 @@ typedef struct revoked_t revoked_t;
 
 #include <time.h>
 
-#include <debug.h>
+#include <utils/debug.h>
 #include <library.h>
 #include <asn1/oid.h>
 #include <asn1/asn1.h>
 #include <asn1/asn1_parser.h>
 #include <credentials/certificates/x509.h>
 #include <credentials/keys/private_key.h>
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
 
 /**
  * entry for a revoked certificate
diff --git a/src/libstrongswan/plugins/x509/x509_ocsp_request.c b/src/libstrongswan/plugins/x509/x509_ocsp_request.c
index bbd1c5905..09c5a8539 100644
--- a/src/libstrongswan/plugins/x509/x509_ocsp_request.c
+++ b/src/libstrongswan/plugins/x509/x509_ocsp_request.c
@@ -21,8 +21,8 @@
 #include <asn1/oid.h>
 #include <asn1/asn1.h>
 #include <utils/identification.h>
-#include <utils/linked_list.h>
-#include <debug.h>
+#include <collections/linked_list.h>
+#include <utils/debug.h>
 #include <credentials/certificates/x509.h>
 #include <credentials/keys/private_key.h>
 
diff --git a/src/libstrongswan/plugins/x509/x509_ocsp_response.c b/src/libstrongswan/plugins/x509/x509_ocsp_response.c
index 27497e0e3..1f8929958 100644
--- a/src/libstrongswan/plugins/x509/x509_ocsp_response.c
+++ b/src/libstrongswan/plugins/x509/x509_ocsp_response.c
@@ -23,8 +23,8 @@
 #include <asn1/asn1.h>
 #include <asn1/asn1_parser.h>
 #include <utils/identification.h>
-#include <utils/linked_list.h>
-#include <debug.h>
+#include <collections/linked_list.h>
+#include <utils/debug.h>
 
 #include <library.h>
 #include <credentials/certificates/x509.h>
diff --git a/src/libstrongswan/plugins/x509/x509_pkcs10.c b/src/libstrongswan/plugins/x509/x509_pkcs10.c
index 9fa91fed2..024b4dba5 100644
--- a/src/libstrongswan/plugins/x509/x509_pkcs10.c
+++ b/src/libstrongswan/plugins/x509/x509_pkcs10.c
@@ -18,12 +18,12 @@
 #include "x509_pkcs10.h"
 
 #include <library.h>
-#include <debug.h>
+#include <utils/debug.h>
 #include <asn1/oid.h>
 #include <asn1/asn1.h>
 #include <asn1/asn1_parser.h>
 #include <credentials/keys/private_key.h>
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
 #include <utils/identification.h>
 
 typedef struct private_x509_pkcs10_t private_x509_pkcs10_t;
diff --git a/src/libstrongswan/plugins/xcbc/Makefile.in b/src/libstrongswan/plugins/xcbc/Makefile.in
index b4d0a2160..b29989c9d 100644
--- a/src/libstrongswan/plugins/xcbc/Makefile.in
+++ b/src/libstrongswan/plugins/xcbc/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -73,6 +73,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
 am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
 am__installdirs = "$(DESTDIR)$(plugindir)"
 LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
 libstrongswan_xcbc_la_LIBADD =
@@ -120,6 +126,7 @@ CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -147,6 +154,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -174,6 +182,7 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
@@ -186,6 +195,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -239,7 +249,6 @@ libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -368,7 +377,7 @@ clean-pluginLTLIBRARIES:
 	  echo "rm -f \"$${dir}/so_locations\""; \
 	  rm -f "$${dir}/so_locations"; \
 	done
-libstrongswan-xcbc.la: $(libstrongswan_xcbc_la_OBJECTS) $(libstrongswan_xcbc_la_DEPENDENCIES) 
+libstrongswan-xcbc.la: $(libstrongswan_xcbc_la_OBJECTS) $(libstrongswan_xcbc_la_DEPENDENCIES) $(EXTRA_libstrongswan_xcbc_la_DEPENDENCIES) 
 	$(libstrongswan_xcbc_la_LINK) $(am_libstrongswan_xcbc_la_rpath) $(libstrongswan_xcbc_la_OBJECTS) $(libstrongswan_xcbc_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
@@ -506,10 +515,15 @@ install-am: all-am
 
 installcheck: installcheck-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
diff --git a/src/libstrongswan/plugins/xcbc/xcbc.c b/src/libstrongswan/plugins/xcbc/xcbc.c
index 1bb7e640a..802c8a39f 100644
--- a/src/libstrongswan/plugins/xcbc/xcbc.c
+++ b/src/libstrongswan/plugins/xcbc/xcbc.c
@@ -18,7 +18,7 @@
 
 #include "xcbc.h"
 
-#include <debug.h>
+#include <utils/debug.h>
 #include <crypto/mac.h>
 #include <crypto/prfs/mac_prf.h>
 #include <crypto/signers/mac_signer.h>
diff --git a/src/libstrongswan/printf_hook.c b/src/libstrongswan/printf_hook.c
deleted file mode 100644
index 6e51aa4c3..000000000
--- a/src/libstrongswan/printf_hook.c
+++ /dev/null
@@ -1,511 +0,0 @@
-/*
- * Copyright (C) 2009 Tobias Brunner
- * Copyright (C) 2006-2008 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include "printf_hook.h"
-
-#include "utils.h"
-#include "debug.h"
-
-#include <stdio.h>
-#include <stdarg.h>
-#include <string.h>
-
-typedef struct private_printf_hook_t private_printf_hook_t;
-typedef struct printf_hook_handler_t printf_hook_handler_t;
-
-#define PRINTF_BUF_LEN 8192
-#define ARGS_MAX 3
-
-/**
- * private data of printf_hook
- */
-struct private_printf_hook_t {
-
-	/**
-	 * public functions
-	 */
-	printf_hook_t public;
-};
-
-/**
- * struct with information about a registered handler
- */
-struct printf_hook_handler_t {
-
-	/**
-	 * callback function
-	 */
-	printf_hook_function_t hook;
-
-	/**
-	 * number of arguments
-	 */
-	int numargs;
-
-	/**
-	 * types of the arguments
-	 */
-	int argtypes[ARGS_MAX];
-
-#ifdef USE_VSTR
-	/**
-	 * name required for Vstr
-	 */
-	char *name;
-#endif
-};
-
-/* A-Z | 6 other chars | a-z */
-#define NUM_HANDLERS 58
-static printf_hook_handler_t *printf_hooks[NUM_HANDLERS];
-
-#define SPEC_TO_INDEX(spec) ((int)(spec) - (int)'A')
-#define IS_VALID_SPEC(spec) (SPEC_TO_INDEX(spec) > -1 && SPEC_TO_INDEX(spec) < NUM_HANDLERS)
-
-#if !defined(USE_VSTR) && \
-	(defined(HAVE_PRINTF_FUNCTION) || defined(HAVE_PRINTF_SPECIFIER))
-
-/**
- * Printf hook print function. This is actually of type "printf_function",
- * however glibc does it typedef to function, but uclibc to a pointer.
- * So we redefine it here.
- */
-static int custom_print(FILE *stream, const struct printf_info *info,
-						const void *const *args)
-{
-	printf_hook_spec_t spec;
-	printf_hook_handler_t *handler = printf_hooks[SPEC_TO_INDEX(info->spec)];
-	printf_hook_data_t data = {
-		.stream = stream,
-	};
-
-	spec.hash = info->alt;
-	spec.plus = info->showsign;
-	spec.minus = info->left;
-	spec.width = info->width;
-
-	return handler->hook(&data, &spec, args);
-}
-
-/**
- * Printf hook arginfo function, which is actually of type
- * "printf_arginfo_[size_]function".
- */
-static int custom_arginfo(const struct printf_info *info, size_t n, int *argtypes
-#ifdef HAVE_PRINTF_SPECIFIER
-						  , int *size
-#endif
-						  )
-{
-	int i;
-	printf_hook_handler_t *handler = printf_hooks[SPEC_TO_INDEX(info->spec)];
-
-	if (handler->numargs <= n)
-	{
-		for (i = 0; i < handler->numargs; ++i)
-		{
-			argtypes[i] = handler->argtypes[i];
-		}
-	}
-	/* we never set "size", as we have no user defined types */
-	return handler->numargs;
-}
-
-#else
-
-#include <errno.h>
-#include <unistd.h> /* for STDOUT_FILENO */
-
-/**
- * These are used below, whenever the public wrapper functions are called before
- * initialization or after destruction.
- */
-#undef vprintf
-#undef vfprintf
-#undef vsnprintf
-
-/**
- * Vstr custom format specifier callback function.
- */
-static int custom_fmt_cb(Vstr_base *base, size_t pos, Vstr_fmt_spec *fmt_spec)
-{
-	int i;
-	const void *args[ARGS_MAX];
-	printf_hook_spec_t spec;
-	printf_hook_handler_t *handler = printf_hooks[SPEC_TO_INDEX(fmt_spec->name[0])];
-	printf_hook_data_t data = {
-		.base = base,
-		.pos = pos,
-	};
-
-	for (i = 0; i < handler->numargs; i++)
-	{
-		switch(handler->argtypes[i])
-		{
-			case PRINTF_HOOK_ARGTYPE_INT:
-				args[i] = VSTR_FMT_CB_ARG_PTR(fmt_spec, i);
-				break;
-			case PRINTF_HOOK_ARGTYPE_POINTER:
-				args[i] = &VSTR_FMT_CB_ARG_PTR(fmt_spec, i);
-				break;
-		}
-	}
-
-	spec.hash = fmt_spec->fmt_hash;
-	spec.plus = fmt_spec->fmt_plus;
-	spec.minus = fmt_spec->fmt_minus;
-	spec.width = fmt_spec->fmt_field_width;
-
-	handler->hook(&data, &spec, args);
-	return 1;
-}
-
-/**
- * Add a custom format handler to the given Vstr_conf object
- */
-static void vstr_fmt_add_handler(Vstr_conf *conf, printf_hook_handler_t *handler)
-{
-	int *at = handler->argtypes;
-	switch(handler->numargs)
-	{
-		case 1:
-			vstr_fmt_add(conf, handler->name, custom_fmt_cb, at[0],
-						 VSTR_TYPE_FMT_END);
-			break;
-		case 2:
-			vstr_fmt_add(conf, handler->name, custom_fmt_cb, at[0],
-						 at[1], VSTR_TYPE_FMT_END);
-			break;
-		case 3:
-			vstr_fmt_add(conf, handler->name, custom_fmt_cb, at[0],
-						 at[1], at[2], VSTR_TYPE_FMT_END);
-			break;
-	}
-}
-
-/**
- * Management of thread-specific Vstr_conf objects
- */
-#include <threading/thread_value.h>
-
-static thread_value_t *vstr_conf = NULL;
-
-static Vstr_conf *create_vstr_conf()
-{
-	int i;
-	Vstr_conf *conf = vstr_make_conf();
-	vstr_cntl_conf(conf, VSTR_CNTL_CONF_SET_FMT_CHAR_ESC, '%');
-	vstr_cntl_conf(conf, VSTR_CNTL_CONF_SET_TYPE_GRPALLOC_CACHE,
-						 VSTR_TYPE_CNTL_CONF_GRPALLOC_CSTR);
-	vstr_cntl_conf(conf, VSTR_CNTL_CONF_SET_NUM_BUF_SZ, PRINTF_BUF_LEN);
-	for (i = 0; i < NUM_HANDLERS; ++i)
-	{
-		printf_hook_handler_t *handler = printf_hooks[i];
-		if (handler)
-		{
-			vstr_fmt_add_handler(conf, handler);
-		}
-	}
-	return conf;
-}
-
-static inline Vstr_conf *get_vstr_conf()
-{
-	Vstr_conf *conf = NULL;
-	if (vstr_conf)
-	{
-		conf = (Vstr_conf*)vstr_conf->get(vstr_conf);
-		if (!conf)
-		{
-			conf = create_vstr_conf();
-			vstr_conf->set(vstr_conf, conf);
-		}
-	}
-	return conf;
-}
-
-/**
- * Described in header
- */
-size_t vstr_print_in_hook(struct Vstr_base *base, size_t pos, const char *fmt,
-						  ...)
-{
-	va_list args;
-	int written;
-
-	va_start(args, fmt);
-	written = vstr_add_vfmt(base, pos, fmt, args);
-	va_end(args);
-	return written;
-}
-
-/**
- * Wrapper functions for printf and alike
- */
-int vstr_wrapper_printf(const char *format, ...)
-{
-	int written;
-	va_list args;
-	va_start(args, format);
-	written = vstr_wrapper_vprintf(format, args);
-	va_end(args);
-	return written;
-}
-int vstr_wrapper_fprintf(FILE *stream, const char *format, ...)
-{
-	int written;
-	va_list args;
-	va_start(args, format);
-	written = vstr_wrapper_vfprintf(stream, format, args);
-	va_end(args);
-	return written;
-}
-int vstr_wrapper_sprintf(char *str, const char *format, ...)
-{
-	int written;
-	va_list args;
-	va_start(args, format);
-	written = vstr_wrapper_vsprintf(str, format, args);
-	va_end(args);
-	return written;
-}
-int vstr_wrapper_snprintf(char *str, size_t size, const char *format, ...)
-{
-	int written;
-	va_list args;
-	va_start(args, format);
-	written = vstr_wrapper_vsnprintf(str, size, format, args);
-	va_end(args);
-	return written;
-}
-int vstr_wrapper_asprintf(char **str, const char *format, ...)
-{
-	int written;
-	va_list args;
-	va_start(args, format);
-	written = vstr_wrapper_vasprintf(str, format, args);
-	va_end(args);
-	return written;
-}
-static inline int vstr_wrapper_vprintf_internal(Vstr_conf *conf, int fd,
-												const char *format,
-												va_list args)
-{
-	int written;
-	Vstr_base *s = vstr_make_base(conf);
-	vstr_add_vfmt(s, 0, format, args);
-	written = s->len;
-	while (s->len)
-	{
-		if (!vstr_sc_write_fd(s, 1, s->len, fd, NULL))
-		{
-			if (errno != EAGAIN && errno != EINTR)
-			{
-				written -= s->len;
-				break;
-			}
-		}
-	}
-	vstr_free_base(s);
-	return written;
-}
-int vstr_wrapper_vprintf(const char *format, va_list args)
-{
-	Vstr_conf *conf = get_vstr_conf();
-	if (conf)
-	{
-		return vstr_wrapper_vprintf_internal(conf, STDOUT_FILENO, format, args);
-	}
-	return vprintf(format, args);
-}
-int vstr_wrapper_vfprintf(FILE *stream, const char *format, va_list args)
-{
-	Vstr_conf *conf = get_vstr_conf();
-	if (conf)
-	{
-		return vstr_wrapper_vprintf_internal(conf, fileno(stream), format,
-											 args);
-	}
-	return vfprintf(stream, format, args);
-}
-static inline int vstr_wrapper_vsnprintf_internal(char *str, size_t size,
-												  const char *format,
-												  va_list args)
-{
-	Vstr_conf *conf = get_vstr_conf();
-	if (conf)
-	{
-		int written;
-		Vstr_base *s = vstr_make_base(conf);
-		vstr_add_vfmt(s, 0, format, args);
-		written = s->len;
-		vstr_export_cstr_buf(s, 1, s->len, str, (size > 0) ? size : s->len + 1);
-		vstr_free_base(s);
-		return written;
-	}
-	return vsnprintf(str, size, format, args);
-}
-int vstr_wrapper_vsprintf(char *str, const char *format, va_list args)
-{
-	return vstr_wrapper_vsnprintf_internal(str, 0, format, args);
-}
-int vstr_wrapper_vsnprintf(char *str, size_t size, const char *format,
-						   va_list args)
-{
-	return (size > 0) ? vstr_wrapper_vsnprintf_internal(str, size, format, args) : 0;
-}
-int vstr_wrapper_vasprintf(char **str, const char *format, va_list args)
-{
-	size_t len = 100;
-	int written;
-	*str = malloc(len);
-	while (TRUE)
-	{
-		va_list ac;
-		va_copy(ac, args);
-		written = vstr_wrapper_vsnprintf_internal(*str, len, format, ac);
-		va_end(ac);
-		if (written < len)
-		{
-			break;
-		}
-		len = written + 1;
-		*str = realloc(*str, len);
-	}
-	return written;
-}
-#endif
-
-METHOD(printf_hook_t, add_handler, void,
-	private_printf_hook_t *this, char spec,
-						printf_hook_function_t hook, ...)
-{
-	int i = -1;
-	printf_hook_handler_t *handler;
-	printf_hook_argtype_t argtype;
-	va_list args;
-
-	if (!IS_VALID_SPEC(spec))
-	{
-		DBG1(DBG_LIB, "'%c' is not a valid printf hook specifier, "
-			 "not registered!", spec);
-		return;
-	}
-
-	handler = malloc_thing(printf_hook_handler_t);
-	handler->hook = hook;
-
-	va_start(args, hook);
-	while ((argtype = va_arg(args, printf_hook_argtype_t)) != PRINTF_HOOK_ARGTYPE_END)
-	{
-		if (++i >= ARGS_MAX)
-		{
-			DBG1(DBG_LIB, "Too many arguments for printf hook with "
-				 "specifier '%c', not registered!", spec);
-			va_end(args);
-			free(handler);
-			return;
-		}
-		handler->argtypes[i] = argtype;
-	}
-	va_end(args);
-
-	handler->numargs = i + 1;
-
-	if (handler->numargs > 0)
-	{
-#if !defined(USE_VSTR) && \
-	(defined(HAVE_PRINTF_FUNCTION) || defined(HAVE_PRINTF_SPECIFIER))
-#	ifdef HAVE_PRINTF_SPECIFIER
-		register_printf_specifier(spec, custom_print, custom_arginfo);
-#	else
-		register_printf_function(spec, custom_print, custom_arginfo);
-#	endif
-#else
-		Vstr_conf *conf = get_vstr_conf();
-		handler->name = malloc(2);
-		handler->name[0] = spec;
-		handler->name[1] = '\0';
-		vstr_fmt_add_handler(conf, handler);
-#endif
-		printf_hooks[SPEC_TO_INDEX(spec)] = handler;
-	}
-	else
-	{
-		free(handler);
-	}
-}
-
-METHOD(printf_hook_t, destroy, void,
-	private_printf_hook_t *this)
-{
-	int i;
-#ifdef USE_VSTR
-	Vstr_conf *conf = get_vstr_conf();
-#endif
-
-	for (i = 0; i < NUM_HANDLERS; ++i)
-	{
-		printf_hook_handler_t *handler = printf_hooks[i];
-		if (handler)
-		{
-#ifdef USE_VSTR
-			vstr_fmt_del(conf, handler->name);
-			free(handler->name);
-#endif
-			free(handler);
-		}
-	}
-
-#ifdef USE_VSTR
-	/* freeing the Vstr_conf of the main thread */
-	vstr_conf->destroy(vstr_conf);
-	vstr_conf = NULL;
-	vstr_free_conf(conf);
-	vstr_exit();
-#endif
-	free(this);
-}
-
-/*
- * see header file
- */
-printf_hook_t *printf_hook_create()
-{
-	private_printf_hook_t *this;
-
-	INIT(this,
-		.public = {
-			.add_handler = _add_handler,
-			.destroy = _destroy,
-		},
-	);
-
-	memset(printf_hooks, 0, sizeof(printf_hooks));
-
-#ifdef USE_VSTR
-	if (!vstr_init())
-	{
-		DBG1(DBG_LIB, "failed to initialize Vstr library!");
-		free(this);
-		return NULL;
-	}
-	vstr_conf = thread_value_create((thread_cleanup_t)vstr_free_conf);
-#endif
-
-	return &this->public;
-}
-
diff --git a/src/libstrongswan/printf_hook.h b/src/libstrongswan/printf_hook.h
deleted file mode 100644
index 7d3f23bce..000000000
--- a/src/libstrongswan/printf_hook.h
+++ /dev/null
@@ -1,247 +0,0 @@
-/*
- * Copyright (C) 2009 Tobias Brunner
- * Copyright (C) 2006-2008 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup printf_hook printf_hook
- * @{ @ingroup libstrongswan
- */
-
-#ifndef PRINTF_HOOK_H_
-#define PRINTF_HOOK_H_
-
-typedef struct printf_hook_t printf_hook_t;
-typedef struct printf_hook_spec_t printf_hook_spec_t;
-typedef struct printf_hook_data_t printf_hook_data_t;
-typedef enum printf_hook_argtype_t printf_hook_argtype_t;
-
-#if !defined(USE_VSTR) && \
-	!defined(HAVE_PRINTF_FUNCTION) && \
-	!defined(HAVE_PRINTF_SPECIFIER)
-/* assume newer glibc register_printf_specifier if none given */
-#define HAVE_PRINTF_SPECIFIER
-#endif
-
-#if !defined(USE_VSTR) && \
-	(defined(HAVE_PRINTF_FUNCTION) || defined(HAVE_PRINTF_SPECIFIER))
-
-#include <stdio.h>
-#include <printf.h>
-
-enum printf_hook_argtype_t {
-	PRINTF_HOOK_ARGTYPE_END = -1,
-	PRINTF_HOOK_ARGTYPE_INT = PA_INT,
-	PRINTF_HOOK_ARGTYPE_POINTER = PA_POINTER,
-};
-
-/**
- * Data to pass to a printf hook.
- */
-struct printf_hook_data_t {
-
-	/**
-	 * Output FILE stream
-	 */
-	FILE *stream;;
-};
-
-/**
- * Helper macro to be used in printf hook callbacks.
- */
-#define print_in_hook(data, fmt, ...) ({\
-	ssize_t _written = fprintf(data->stream, fmt, ##__VA_ARGS__);\
-	if (_written < 0)\
-	{\
-		_written = 0;\
-	}\
-	_written;\
-})
-
-#else
-
-#include <vstr.h>
-
-enum printf_hook_argtype_t {
-	PRINTF_HOOK_ARGTYPE_END = VSTR_TYPE_FMT_END,
-	PRINTF_HOOK_ARGTYPE_INT = VSTR_TYPE_FMT_INT,
-	PRINTF_HOOK_ARGTYPE_POINTER = VSTR_TYPE_FMT_PTR_VOID,
-};
-
-/**
- * Redefining printf and alike
- */
-#include <stdio.h>
-#include <stdarg.h>
-
-int vstr_wrapper_printf(const char *format, ...);
-int vstr_wrapper_fprintf(FILE *stream, const char *format, ...);
-int vstr_wrapper_sprintf(char *str, const char *format, ...);
-int vstr_wrapper_snprintf(char *str, size_t size, const char *format, ...);
-int vstr_wrapper_asprintf(char **str, const char *format, ...);
-
-int vstr_wrapper_vprintf(const char *format, va_list ap);
-int vstr_wrapper_vfprintf(FILE *stream, const char *format, va_list ap);
-int vstr_wrapper_vsprintf(char *str, const char *format, va_list ap);
-int vstr_wrapper_vsnprintf(char *str, size_t size, const char *format, va_list ap);
-int vstr_wrapper_vasprintf(char **str, const char *format, va_list ap);
-
-#ifdef printf
-#undef printf
-#endif
-#ifdef fprintf
-#undef fprintf
-#endif
-#ifdef sprintf
-#undef sprintf
-#endif
-#ifdef snprintf
-#undef snprintf
-#endif
-#ifdef asprintf
-#undef asprintf
-#endif
-#ifdef vprintf
-#undef vprintf
-#endif
-#ifdef vfprintf
-#undef vfprintf
-#endif
-#ifdef vsprintf
-#undef vsprintf
-#endif
-#ifdef vsnprintf
-#undef vsnprintf
-#endif
-#ifdef vasprintf
-#undef vasprintf
-#endif
-
-#define printf vstr_wrapper_printf
-#define fprintf vstr_wrapper_fprintf
-#define sprintf vstr_wrapper_sprintf
-#define snprintf vstr_wrapper_snprintf
-#define asprintf vstr_wrapper_asprintf
-
-#define vprintf vstr_wrapper_vprintf
-#define vfprintf vstr_wrapper_vfprintf
-#define vsprintf vstr_wrapper_vsprintf
-#define vsnprintf vstr_wrapper_vsnprintf
-#define vasprintf vstr_wrapper_vasprintf
-
-/**
- * Data to pass to a printf hook.
- */
-struct printf_hook_data_t {
-
-	/**
-	 * Base to append printf to
-	 */
-	Vstr_base *base;
-
-	/**
-	 * Position in base to write to
-	 */
-	size_t pos;
-};
-
-/**
- * Wrapper around vstr_add_vfmt(), avoids having to link all users of
- * print_in_hook() against libvstr.
- *
- * @param base		Vstr_string to add string to
- * @param pos		position to write to
- * @param fmt		format string
- * @param ...		arguments
- * @return			number of characters written
- */
-size_t vstr_print_in_hook(struct Vstr_base *base, size_t pos, const char *fmt,
-						  ...);
-
-/**
- * Helper macro to be used in printf hook callbacks.
- */
-#define print_in_hook(data, fmt, ...) ({\
-	size_t _written; \
-	_written = vstr_print_in_hook(data->base, data->pos, fmt, ##__VA_ARGS__);\
-	data->pos += _written;\
-	_written;\
-})
-
-#endif
-
-/**
- * Callback function type for printf hooks.
- *
- * @param data		hook data, to pass to print_in_hook()
- * @param spec		format specifier
- * @param args		arguments array
- * @return			number of characters written
- */
-typedef int (*printf_hook_function_t)(printf_hook_data_t *data,
-									  printf_hook_spec_t *spec,
-									  const void *const *args);
-
-/**
- * Properties of the format specifier
- */
-struct printf_hook_spec_t {
-	/**
-	 * TRUE if a '#' was used in the format specifier
-	 */
-	int hash;
-
-	/**
-	 * TRUE if a '-' was used in the format specifier
-	 */
-	int minus;
-
-	/**
-	 * TRUE if a '+' was used in the format specifier
-	 */
-	int plus;
-
-	/**
-	 * The width as given in the format specifier.
-	 */
-	int width;
-};
-
-/**
- * Printf handler management.
- */
-struct printf_hook_t {
-
-	/**
-	 * Register a printf handler.
-	 *
-	 * @param spec		printf hook format character
-	 * @param hook		hook function
-	 * @param ...		list of PRINTF_HOOK_ARGTYPE_*, MUST end with PRINTF_HOOK_ARGTYPE_END
-	 */
-	void (*add_handler)(printf_hook_t *this, char spec,
-						printf_hook_function_t hook, ...);
-
-	/**
-	 * Destroy a printf_hook instance.
-	 */
-	void (*destroy)(printf_hook_t *this);
-};
-
-/**
- * Create a printf_hook instance.
- */
-printf_hook_t *printf_hook_create();
-
-#endif /** PRINTF_HOOK_H_ @}*/
diff --git a/src/libstrongswan/processing/jobs/callback_job.c b/src/libstrongswan/processing/jobs/callback_job.c
index a5ddc8ff6..8258ccb33 100644
--- a/src/libstrongswan/processing/jobs/callback_job.c
+++ b/src/libstrongswan/processing/jobs/callback_job.c
@@ -21,7 +21,7 @@
 #include <threading/condvar.h>
 #include <threading/semaphore.h>
 #include <threading/mutex.h>
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
 
 typedef struct private_callback_job_t private_callback_job_t;
 
diff --git a/src/libstrongswan/processing/processor.c b/src/libstrongswan/processing/processor.c
index 5b7fd467c..934636fc0 100644
--- a/src/libstrongswan/processing/processor.c
+++ b/src/libstrongswan/processing/processor.c
@@ -22,12 +22,12 @@
 
 #include "processor.h"
 
-#include <debug.h>
+#include <utils/debug.h>
 #include <threading/thread.h>
 #include <threading/condvar.h>
 #include <threading/mutex.h>
 #include <threading/thread_value.h>
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
 
 typedef struct private_processor_t private_processor_t;
 
diff --git a/src/libstrongswan/processing/scheduler.c b/src/libstrongswan/processing/scheduler.c
index c97dbc4be..3f1598fc4 100644
--- a/src/libstrongswan/processing/scheduler.c
+++ b/src/libstrongswan/processing/scheduler.c
@@ -19,7 +19,7 @@
 
 #include "scheduler.h"
 
-#include <debug.h>
+#include <utils/debug.h>
 #include <processing/processor.h>
 #include <processing/jobs/callback_job.h>
 #include <threading/thread.h>
diff --git a/src/libstrongswan/selectors/traffic_selector.c b/src/libstrongswan/selectors/traffic_selector.c
index b19b962e6..87e57095c 100644
--- a/src/libstrongswan/selectors/traffic_selector.c
+++ b/src/libstrongswan/selectors/traffic_selector.c
@@ -22,9 +22,9 @@
 
 #include "traffic_selector.h"
 
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
 #include <utils/identification.h>
-#include <debug.h>
+#include <utils/debug.h>
 
 #define NON_SUBNET_ADDRESS_RANGE	255
 
@@ -815,6 +815,23 @@ traffic_selector_t *traffic_selector_create_from_string(
 	return (&this->public);
 }
 
+/*
+ * see header
+ */
+traffic_selector_t *traffic_selector_create_from_cidr(char *string,
+									u_int8_t protocol, u_int16_t port)
+{
+	host_t *net;
+	int bits;
+
+	net = host_create_from_subnet(string, &bits);
+	if (net)
+	{
+		return traffic_selector_create_from_subnet(net, bits, protocol, port);
+	}
+	return NULL;
+}
+
 /*
  * see header
  */
diff --git a/src/libstrongswan/selectors/traffic_selector.h b/src/libstrongswan/selectors/traffic_selector.h
index 7a81521e9..b6da391aa 100644
--- a/src/libstrongswan/selectors/traffic_selector.h
+++ b/src/libstrongswan/selectors/traffic_selector.h
@@ -27,7 +27,7 @@ typedef enum ts_type_t ts_type_t;
 typedef struct traffic_selector_t traffic_selector_t;
 
 #include <library.h>
-#include <utils/host.h>
+#include <networking/host.h>
 
 /**
  * Traffic selector types.
@@ -231,6 +231,19 @@ traffic_selector_t *traffic_selector_create_from_string(
 									char *from_addr, u_int16_t from_port,
 									char *to_addr, u_int16_t to_port);
 
+
+
+/**
+ * Create a traffic selector from a CIDR string.
+ *
+ * @param string		CIDR string, such as 10.1.0.0/16
+ * @param protocol		protocol for this ts, such as TCP or UDP
+ * @param port			single port for this TS, 0 for any port
+ * @return				traffic selector, NULL if string invalid
+ */
+traffic_selector_t *traffic_selector_create_from_cidr(char *string,
+									u_int8_t protocol, u_int16_t port);
+
 /**
  * Create a new traffic selector using data read from the net.
  *
diff --git a/src/libstrongswan/settings.c b/src/libstrongswan/settings.c
deleted file mode 100644
index 8977cd9ed..000000000
--- a/src/libstrongswan/settings.c
+++ /dev/null
@@ -1,1227 +0,0 @@
-/*
- * Copyright (C) 2010 Tobias Brunner
- * Copyright (C) 2008 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#define _GNU_SOURCE
-#include <string.h>
-#include <stdarg.h>
-#include <stdio.h>
-#include <errno.h>
-#include <limits.h>
-#include <libgen.h>
-#include <sys/types.h>
-#include <sys/stat.h>
-#include <unistd.h>
-
-#ifdef HAVE_GLOB_H
-#include <glob.h>
-#endif /* HAVE_GLOB_H */
-
-#include "settings.h"
-
-#include "debug.h"
-#include "utils/linked_list.h"
-#include "threading/rwlock.h"
-
-#define MAX_INCLUSION_LEVEL		10
-
-typedef struct private_settings_t private_settings_t;
-typedef struct section_t section_t;
-typedef struct kv_t kv_t;
-
-/**
- * private data of settings
- */
-struct private_settings_t {
-
-	/**
-	 * public functions
-	 */
-	settings_t public;
-
-	/**
-	 * top level section
-	 */
-	section_t *top;
-
-	/**
-	 * contents of loaded files and in-memory settings (char*)
-	 */
-	linked_list_t *contents;
-
-	/**
-	 * lock to safely access the settings
-	 */
-	rwlock_t *lock;
-};
-
-/**
- * section containing subsections and key value pairs
- */
-struct section_t {
-
-	/**
-	 * name of the section
-	 */
-	char *name;
-
-	/**
-	 * subsections, as section_t
-	 */
-	linked_list_t *sections;
-
-	/**
-	 * key value pairs, as kv_t
-	 */
-	linked_list_t *kv;
-};
-
-/**
- * Key value pair
- */
-struct kv_t {
-
-	/**
-	 * key string, relative
-	 */
-	char *key;
-
-	/**
-	 * value as string
-	 */
-	char *value;
-};
-
-/**
- * create a key/value pair
- */
-static kv_t *kv_create(char *key, char *value)
-{
-	kv_t *this;
-	INIT(this,
-		.key = strdup(key),
-		.value = value,
-	);
-	return this;
-}
-
-/**
- * destroy a key/value pair
- */
-static void kv_destroy(kv_t *this)
-{
-	free(this->key);
-	free(this);
-}
-
-/**
- * create a section with the given name
- */
-static section_t *section_create(char *name)
-{
-	section_t *this;
-	INIT(this,
-		.name = strdupnull(name),
-		.sections = linked_list_create(),
-		.kv = linked_list_create(),
-	);
-	return this;
-}
-
-/**
- * destroy a section
- */
-static void section_destroy(section_t *this)
-{
-	this->kv->destroy_function(this->kv, (void*)kv_destroy);
-	this->sections->destroy_function(this->sections, (void*)section_destroy);
-	free(this->name);
-	free(this);
-}
-
-/**
- * Purge contents of a section
- */
-static void section_purge(section_t *this)
-{
-	this->kv->destroy_function(this->kv, (void*)kv_destroy);
-	this->kv = linked_list_create();
-	this->sections->destroy_function(this->sections, (void*)section_destroy);
-	this->sections = linked_list_create();
-}
-
-/**
- * callback to find a section by name
- */
-static bool section_find(section_t *this, char *name)
-{
-	return streq(this->name, name);
-}
-
-/**
- * callback to find a kv pair by key
- */
-static bool kv_find(kv_t *this, char *key)
-{
-	return streq(this->key, key);
-}
-
-/**
- * Print a format key, but consume already processed arguments
- */
-static bool print_key(char *buf, int len, char *start, char *key, va_list args)
-{
-	va_list copy;
-	bool res;
-	char *pos;
-
-	va_copy(copy, args);
-	while (start < key)
-	{
-		pos = strchr(start, '%');
-		if (!pos)
-		{
-			start += strlen(start) + 1;
-			continue;
-		}
-		pos++;
-		switch (*pos)
-		{
-			case 'd':
-				va_arg(copy, int);
-				break;
-			case 's':
-				va_arg(copy, char*);
-				break;
-			case 'N':
-				va_arg(copy, enum_name_t*);
-				va_arg(copy, int);
-				break;
-			case '%':
-				break;
-			default:
-				DBG1(DBG_CFG, "settings with %%%c not supported!", *pos);
-				break;
-		}
-		start = pos;
-		if (*start)
-		{
-			start++;
-		}
-	}
-	res = vsnprintf(buf, len, key, copy) < len;
-	va_end(copy);
-	return res;
-}
-
-/**
- * Find a section by a given key, using buffered key, reusable buffer.
- * If "ensure" is TRUE, the sections are created if they don't exist.
- */
-static section_t *find_section_buffered(section_t *section,
-					char *start, char *key, va_list args, char *buf, int len,
-					bool ensure)
-{
-	char *pos;
-	section_t *found = NULL;
-
-	if (section == NULL)
-	{
-		return NULL;
-	}
-	pos = strchr(key, '.');
-	if (pos)
-	{
-		*pos = '\0';
-		pos++;
-	}
-	if (!print_key(buf, len, start, key, args))
-	{
-		return NULL;
-	}
-	if (section->sections->find_first(section->sections,
-									  (linked_list_match_t)section_find,
-									  (void**)&found, buf) != SUCCESS)
-	{
-		if (ensure)
-		{
-			found = section_create(buf);
-			section->sections->insert_last(section->sections, found);
-		}
-	}
-	if (found && pos)
-	{
-		return find_section_buffered(found, start, pos, args, buf, len, ensure);
-	}
-	return found;
-}
-
-/**
- * Find a section by a given key (thread-safe).
- */
-static section_t *find_section(private_settings_t *this, section_t *section,
-							   char *key, va_list args)
-{
-	char buf[128], keybuf[512];
-	section_t *found;
-
-	if (snprintf(keybuf, sizeof(keybuf), "%s", key) >= sizeof(keybuf))
-	{
-		return NULL;
-	}
-	this->lock->read_lock(this->lock);
-	found = find_section_buffered(section, keybuf, keybuf, args, buf,
-								  sizeof(buf), FALSE);
-	this->lock->unlock(this->lock);
-	return found;
-}
-
-/**
- * Ensure that the section with the given key exists (thread-safe).
- */
-static section_t *ensure_section(private_settings_t *this, section_t *section,
-								 char *key, va_list args)
-{
-	char buf[128], keybuf[512];
-	section_t *found;
-
-	if (snprintf(keybuf, sizeof(keybuf), "%s", key) >= sizeof(keybuf))
-	{
-		return NULL;
-	}
-	/* we might have to change the tree */
-	this->lock->write_lock(this->lock);
-	found = find_section_buffered(section, keybuf, keybuf, args, buf,
-								  sizeof(buf), TRUE);
-	this->lock->unlock(this->lock);
-	return found;
-}
-
-/**
- * Find the key/value pair for a key, using buffered key, reusable buffer
- * If "ensure" is TRUE, the sections (and key/value pair) are created if they
- * don't exist.
- */
-static kv_t *find_value_buffered(section_t *section, char *start, char *key,
-								 va_list args, char *buf, int len, bool ensure)
-{
-	char *pos;
-	kv_t *kv = NULL;
-	section_t *found = NULL;
-
-	if (section == NULL)
-	{
-		return NULL;
-	}
-
-	pos = strchr(key, '.');
-	if (pos)
-	{
-		*pos = '\0';
-		pos++;
-
-		if (!print_key(buf, len, start, key, args))
-		{
-			return NULL;
-		}
-		if (section->sections->find_first(section->sections,
-										  (linked_list_match_t)section_find,
-										  (void**)&found, buf) != SUCCESS)
-		{
-			if (!ensure)
-			{
-				return NULL;
-			}
-			found = section_create(buf);
-			section->sections->insert_last(section->sections, found);
-		}
-		return find_value_buffered(found, start, pos, args, buf, len,
-								   ensure);
-	}
-	else
-	{
-		if (!print_key(buf, len, start, key, args))
-		{
-			return NULL;
-		}
-		if (section->kv->find_first(section->kv, (linked_list_match_t)kv_find,
-									(void**)&kv, buf) != SUCCESS)
-		{
-			if (ensure)
-			{
-				kv = kv_create(buf, NULL);
-				section->kv->insert_last(section->kv, kv);
-			}
-		}
-	}
-	return kv;
-}
-
-/**
- * Find the string value for a key (thread-safe).
- */
-static char *find_value(private_settings_t *this, section_t *section,
-						char *key, va_list args)
-{
-	char buf[128], keybuf[512], *value = NULL;
-	kv_t *kv;
-
-	if (snprintf(keybuf, sizeof(keybuf), "%s", key) >= sizeof(keybuf))
-	{
-		return NULL;
-	}
-	this->lock->read_lock(this->lock);
-	kv = find_value_buffered(section, keybuf, keybuf, args, buf, sizeof(buf),
-							 FALSE);
-	if (kv)
-	{
-		value = kv->value;
-	}
-	this->lock->unlock(this->lock);
-	return value;
-}
-
-/**
- * Set a value to a copy of the given string (thread-safe).
- */
-static void set_value(private_settings_t *this, section_t *section,
-					  char *key, va_list args, char *value)
-{
-	char buf[128], keybuf[512];
-	kv_t *kv;
-
-	if (snprintf(keybuf, sizeof(keybuf), "%s", key) >= sizeof(keybuf))
-	{
-		return;
-	}
-	this->lock->write_lock(this->lock);
-	kv = find_value_buffered(section, keybuf, keybuf, args, buf, sizeof(buf),
-							 TRUE);
-	if (kv)
-	{
-		if (!value)
-		{
-			kv->value = NULL;
-		}
-		else if (kv->value && (strlen(value) <= strlen(kv->value)))
-		{	/* overwrite in-place, if possible */
-			strcpy(kv->value, value);
-		}
-		else
-		{	/* otherwise clone the string and store it in the cache */
-			kv->value = strdup(value);
-			this->contents->insert_last(this->contents, kv->value);
-		}
-	}
-	this->lock->unlock(this->lock);
-}
-
-METHOD(settings_t, get_str, char*,
-	   private_settings_t *this, char *key, char *def, ...)
-{
-	char *value;
-	va_list args;
-
-	va_start(args, def);
-	value = find_value(this, this->top, key, args);
-	va_end(args);
-	if (value)
-	{
-		return value;
-	}
-	return def;
-}
-
-/**
- * Described in header
- */
-inline bool settings_value_as_bool(char *value, bool def)
-{
-	if (value)
-	{
-		if (strcaseeq(value, "1") ||
-			strcaseeq(value, "yes") ||
-			strcaseeq(value, "true") ||
-			strcaseeq(value, "enabled"))
-		{
-			return TRUE;
-		}
-		else if (strcaseeq(value, "0") ||
-				 strcaseeq(value, "no") ||
-				 strcaseeq(value, "false") ||
-				 strcaseeq(value, "disabled"))
-		{
-			return FALSE;
-		}
-	}
-	return def;
-}
-
-METHOD(settings_t, get_bool, bool,
-	   private_settings_t *this, char *key, bool def, ...)
-{
-	char *value;
-	va_list args;
-
-	va_start(args, def);
-	value = find_value(this, this->top, key, args);
-	va_end(args);
-	return settings_value_as_bool(value, def);
-}
-
-/**
- * Described in header
- */
-inline int settings_value_as_int(char *value, int def)
-{
-	int intval;
-	if (value)
-	{
-		errno = 0;
-		intval = strtol(value, NULL, 10);
-		if (errno == 0)
-		{
-			return intval;
-		}
-	}
-	return def;
-}
-
-METHOD(settings_t, get_int, int,
-	   private_settings_t *this, char *key, int def, ...)
-{
-	char *value;
-	va_list args;
-
-	va_start(args, def);
-	value = find_value(this, this->top, key, args);
-	va_end(args);
-	return settings_value_as_int(value, def);
-}
-
-/**
- * Described in header
- */
-inline double settings_value_as_double(char *value, double def)
-{
-	double dval;
-	if (value)
-	{
-		errno = 0;
-		dval = strtod(value, NULL);
-		if (errno == 0)
-		{
-			return dval;
-		}
-	}
-	return def;
-}
-
-METHOD(settings_t, get_double, double,
-	   private_settings_t *this, char *key, double def, ...)
-{
-	char *value;
-	va_list args;
-
-	va_start(args, def);
-	value = find_value(this, this->top, key, args);
-	va_end(args);
-	return settings_value_as_double(value, def);
-}
-
-/**
- * Described in header
- */
-inline u_int32_t settings_value_as_time(char *value, u_int32_t def)
-{
-	char *endptr;
-	u_int32_t timeval;
-	if (value)
-	{
-		errno = 0;
-		timeval = strtoul(value, &endptr, 10);
-		if (errno == 0)
-		{
-			switch (*endptr)
-			{
-				case 'd':		/* time in days */
-					timeval *= 24 * 3600;
-					break;
-				case 'h':		/* time in hours */
-					timeval *= 3600;
-					break;
-				case 'm':		/* time in minutes */
-					timeval *= 60;
-					break;
-				case 's':		/* time in seconds */
-				default:
-					break;
-			}
-			return timeval;
-		}
-	}
-	return def;
-}
-
-METHOD(settings_t, get_time, u_int32_t,
-	   private_settings_t *this, char *key, u_int32_t def, ...)
-{
-	char *value;
-	va_list args;
-
-	va_start(args, def);
-	value = find_value(this, this->top, key, args);
-	va_end(args);
-	return settings_value_as_time(value, def);
-}
-
-METHOD(settings_t, set_str, void,
-	   private_settings_t *this, char *key, char *value, ...)
-{
-	va_list args;
-	va_start(args, value);
-	set_value(this, this->top, key, args, value);
-	va_end(args);
-}
-
-METHOD(settings_t, set_bool, void,
-	   private_settings_t *this, char *key, bool value, ...)
-{
-	va_list args;
-	va_start(args, value);
-	set_value(this, this->top, key, args, value ? "1" : "0");
-	va_end(args);
-}
-
-METHOD(settings_t, set_int, void,
-	   private_settings_t *this, char *key, int value, ...)
-{
-	char val[16];
-	va_list args;
-	va_start(args, value);
-	if (snprintf(val, sizeof(val), "%d", value) < sizeof(val))
-	{
-		set_value(this, this->top, key, args, val);
-	}
-	va_end(args);
-}
-
-METHOD(settings_t, set_double, void,
-	   private_settings_t *this, char *key, double value, ...)
-{
-	char val[64];
-	va_list args;
-	va_start(args, value);
-	if (snprintf(val, sizeof(val), "%f", value) < sizeof(val))
-	{
-		set_value(this, this->top, key, args, val);
-	}
-	va_end(args);
-}
-
-METHOD(settings_t, set_time, void,
-	   private_settings_t *this, char *key, u_int32_t value, ...)
-{
-	char val[16];
-	va_list args;
-	va_start(args, value);
-	if (snprintf(val, sizeof(val), "%u", value) < sizeof(val))
-	{
-		set_value(this, this->top, key, args, val);
-	}
-	va_end(args);
-}
-
-/**
- * Enumerate section names, not sections
- */
-static bool section_filter(void *null, section_t **in, char **out)
-{
-	*out = (*in)->name;
-	return TRUE;
-}
-
-METHOD(settings_t, create_section_enumerator, enumerator_t*,
-	   private_settings_t *this, char *key, ...)
-{
-	section_t *section;
-	va_list args;
-
-	va_start(args, key);
-	section = find_section(this, this->top, key, args);
-	va_end(args);
-
-	if (!section)
-	{
-		return enumerator_create_empty();
-	}
-	this->lock->read_lock(this->lock);
-	return enumerator_create_filter(
-				section->sections->create_enumerator(section->sections),
-				(void*)section_filter, this->lock, (void*)this->lock->unlock);
-}
-
-/**
- * Enumerate key and values, not kv_t entries
- */
-static bool kv_filter(void *null, kv_t **in, char **key,
-					  void *none, char **value)
-{
-	*key = (*in)->key;
-	*value = (*in)->value;
-	return TRUE;
-}
-
-METHOD(settings_t, create_key_value_enumerator, enumerator_t*,
-	   private_settings_t *this, char *key, ...)
-{
-	section_t *section;
-	va_list args;
-
-	va_start(args, key);
-	section = find_section(this, this->top, key, args);
-	va_end(args);
-
-	if (!section)
-	{
-		return enumerator_create_empty();
-	}
-	this->lock->read_lock(this->lock);
-	return enumerator_create_filter(
-					section->kv->create_enumerator(section->kv),
-					(void*)kv_filter, this->lock, (void*)this->lock->unlock);
-}
-
-/**
- * parse text, truncate "skip" chars, delimited by term respecting brackets.
- *
- * Chars in "skip" are truncated at the beginning and the end of the resulting
- * token. "term" contains a list of characters to read up to (first match),
- * while "br" contains bracket counterparts found in "term" to skip.
- */
-static char parse(char **text, char *skip, char *term, char *br, char **token)
-{
-	char *best = NULL;
-	char best_term = '\0';
-
-	/* skip leading chars */
-	while (strchr(skip, **text))
-	{
-		(*text)++;
-		if (!**text)
-		{
-			return 0;
-		}
-	}
-	/* mark begin of subtext */
-	*token = *text;
-	while (*term)
-	{
-		char *pos = *text;
-		int level = 1;
-
-		/* find terminator */
-		while (*pos)
-		{
-			if (*pos == *term)
-			{
-				level--;
-			}
-			else if (br && *pos == *br)
-			{
-				level++;
-			}
-			if (level == 0)
-			{
-				if (best == NULL || best > pos)
-				{
-					best = pos;
-					best_term = *term;
-				}
-				break;
-			}
-			pos++;
-		}
-		/* try next terminator */
-		term++;
-		if (br)
-		{
-			br++;
-		}
-	}
-	if (best)
-	{
-		/* update input */
-		*text = best;
-		/* null trailing bytes */
-		do
-		{
-			*best = '\0';
-			best--;
-		}
-		while (best >= *token && strchr(skip, *best));
-		/* return found terminator */
-		return best_term;
-	}
-	return 0;
-}
-
-/**
- * Check if "text" starts with "pattern".
- * Characters in "skip" are skipped first. If found, TRUE is returned and "text"
- * is modified to point to the character right after "pattern".
- */
-static bool starts_with(char **text, char *skip, char *pattern)
-{
-	char *pos = *text;
-	int len = strlen(pattern);
-	while (strchr(skip, *pos))
-	{
-		pos++;
-		if (!*pos)
-		{
-			return FALSE;
-		}
-	}
-	if (strlen(pos) < len || !strneq(pos, pattern, len))
-	{
-		return FALSE;
-	}
-	*text = pos + len;
-	return TRUE;
-}
-
-/**
- * Check if what follows in "text" is an include statement.
- * If this function returns TRUE, "text" will point to the character right after
- * the include pattern, which is returned in "pattern".
- */
-static bool parse_include(char **text, char **pattern)
-{
-	char *pos = *text;
-	if (!starts_with(&pos, "\n\t ", "include"))
-	{
-		return FALSE;
-	}
-	if (starts_with(&pos, "\t ", "="))
-	{	/* ignore "include = value" */
-		return FALSE;
-	}
-	*text = pos;
-	return parse(text, "\t ", "\n", NULL, pattern) != 0;
-}
-
-/**
- * Forward declaration.
- */
-static bool parse_files(linked_list_t *contents, char *file, int level,
-						char *pattern, section_t *section);
-
-/**
- * Parse a section
- */
-static bool parse_section(linked_list_t *contents, char *file, int level,
-						  char **text, section_t *section)
-{
-	bool finished = FALSE;
-	char *key, *value, *inner;
-
-	while (!finished)
-	{
-		if (parse_include(text, &value))
-		{
-			if (!parse_files(contents, file, level, value, section))
-			{
-				DBG1(DBG_LIB, "failed to include '%s'", value);
-				return FALSE;
-			}
-			continue;
-		}
-		switch (parse(text, "\t\n ", "{=#", NULL, &key))
-		{
-			case '{':
-				if (parse(text, "\t ", "}", "{", &inner))
-				{
-					section_t *sub;
-					if (!strlen(key))
-					{
-						DBG1(DBG_LIB, "skipping section without name in '%s'",
-							 section->name);
-						continue;
-					}
-					if (section->sections->find_first(section->sections,
-											(linked_list_match_t)section_find,
-											(void**)&sub, key) != SUCCESS)
-					{
-						sub = section_create(key);
-						if (parse_section(contents, file, level, &inner, sub))
-						{
-							section->sections->insert_last(section->sections,
-														   sub);
-							continue;
-						}
-						section_destroy(sub);
-					}
-					else
-					{	/* extend the existing section */
-						if (parse_section(contents, file, level, &inner, sub))
-						{
-							continue;
-						}
-					}
-					DBG1(DBG_LIB, "parsing subsection '%s' failed", key);
-					break;
-				}
-				DBG1(DBG_LIB, "matching '}' not found near %s", *text);
-				break;
-			case '=':
-				if (parse(text, "\t ", "\n", NULL, &value))
-				{
-					kv_t *kv;
-					if (!strlen(key))
-					{
-						DBG1(DBG_LIB, "skipping value without key in '%s'",
-							 section->name);
-						continue;
-					}
-					if (section->kv->find_first(section->kv,
-								(linked_list_match_t)kv_find,
-								(void**)&kv, key) != SUCCESS)
-					{
-						kv = kv_create(key, value);
-						section->kv->insert_last(section->kv, kv);
-					}
-					else
-					{	/* replace with the most recently read value */
-						kv->value = value;
-					}
-					continue;
-				}
-				DBG1(DBG_LIB, "parsing value failed near %s", *text);
-				break;
-			case '#':
-				parse(text, "", "\n", NULL, &value);
-				continue;
-			default:
-				finished = TRUE;
-				continue;
-		}
-		return FALSE;
-	}
-	return TRUE;
-}
-
-/**
- * Parse a file and add the settings to the given section.
- */
-static bool parse_file(linked_list_t *contents, char *file, int level,
-					   section_t *section)
-{
-	bool success;
-	char *text, *pos;
-	struct stat st;
-	FILE *fd;
-	int len;
-
-	DBG2(DBG_LIB, "loading config file '%s'", file);
-	if (stat(file, &st) == -1)
-	{
-		if (errno == ENOENT)
-		{
-			DBG2(DBG_LIB, "'%s' does not exist, ignored", file);
-			return TRUE;
-		}
-		DBG1(DBG_LIB, "failed to stat '%s': %s", file, strerror(errno));
-		return FALSE;
-	}
-	else if (!S_ISREG(st.st_mode))
-	{
-		DBG1(DBG_LIB, "'%s' is not a regular file", file);
-		return FALSE;
-	}
-	fd = fopen(file, "r");
-	if (fd == NULL)
-	{
-		DBG1(DBG_LIB, "'%s' is not readable", file);
-		return FALSE;
-	}
-	fseek(fd, 0, SEEK_END);
-	len = ftell(fd);
-	rewind(fd);
-	text = malloc(len + 1);
-	text[len] = '\0';
-	if (fread(text, 1, len, fd) != len)
-	{
-		free(text);
-		fclose(fd);
-		return FALSE;
-	}
-	fclose(fd);
-
-	pos = text;
-	success = parse_section(contents, file, level, &pos, section);
-	if (!success)
-	{
-		free(text);
-	}
-	else
-	{
-		contents->insert_last(contents, text);
-	}
-	return success;
-}
-
-/**
- * Load the files matching "pattern", which is resolved with glob(3), if
- * available.
- * If the pattern is relative, the directory of "file" is used as base.
- */
-static bool parse_files(linked_list_t *contents, char *file, int level,
-						char *pattern, section_t *section)
-{
-	bool success = TRUE;
-	char pat[PATH_MAX];
-
-	if (level > MAX_INCLUSION_LEVEL)
-	{
-		DBG1(DBG_LIB, "maximum level of %d includes reached, ignored",
-			 MAX_INCLUSION_LEVEL);
-		return TRUE;
-	}
-
-	if (!strlen(pattern))
-	{
-		DBG2(DBG_LIB, "empty include pattern, ignored");
-		return TRUE;
-	}
-
-	if (!file || pattern[0] == '/')
-	{	/* absolute path */
-		if (snprintf(pat, sizeof(pat), "%s", pattern) >= sizeof(pat))
-		{
-			DBG1(DBG_LIB, "include pattern too long, ignored");
-			return TRUE;
-		}
-	}
-	else
-	{	/* base relative paths to the directory of the current file */
-		char *dir = strdup(file);
-		dir = dirname(dir);
-		if (snprintf(pat, sizeof(pat), "%s/%s", dir, pattern) >= sizeof(pat))
-		{
-			DBG1(DBG_LIB, "include pattern too long, ignored");
-			free(dir);
-			return TRUE;
-		}
-		free(dir);
-	}
-#ifdef HAVE_GLOB_H
-	{
-		int status;
-		glob_t buf;
-
-		status = glob(pat, GLOB_ERR, NULL, &buf);
-		if (status == GLOB_NOMATCH)
-		{
-			DBG2(DBG_LIB, "no files found matching '%s', ignored", pat);
-		}
-		else if (status != 0)
-		{
-			DBG1(DBG_LIB, "expanding file pattern '%s' failed", pat);
-			success = FALSE;
-		}
-		else
-		{
-			char **expanded;
-			for (expanded = buf.gl_pathv; *expanded != NULL; expanded++)
-			{
-				success &= parse_file(contents, *expanded, level + 1, section);
-				if (!success)
-				{
-					break;
-				}
-			}
-		}
-		globfree(&buf);
-	}
-#else /* HAVE_GLOB_H */
-	/* if glob(3) is not available, try to load pattern directly */
-	success = parse_file(contents, pat, level + 1, section);
-#endif /* HAVE_GLOB_H */
-	return success;
-}
-
-/**
- * Recursivly extends "base" with "extension".
- */
-static void section_extend(section_t *base, section_t *extension)
-{
-	enumerator_t *enumerator;
-	section_t *sec;
-	kv_t *kv;
-
-	enumerator = extension->sections->create_enumerator(extension->sections);
-	while (enumerator->enumerate(enumerator, (void**)&sec))
-	{
-		section_t *found;
-		if (base->sections->find_first(base->sections,
-					(linked_list_match_t)section_find, (void**)&found,
-					sec->name) == SUCCESS)
-		{
-			section_extend(found, sec);
-		}
-		else
-		{
-			extension->sections->remove_at(extension->sections, enumerator);
-			base->sections->insert_last(base->sections, sec);
-		}
-	}
-	enumerator->destroy(enumerator);
-
-	enumerator = extension->kv->create_enumerator(extension->kv);
-	while (enumerator->enumerate(enumerator, (void**)&kv))
-	{
-		kv_t *found;
-		if (base->kv->find_first(base->kv, (linked_list_match_t)kv_find,
-					(void**)&found, kv->key) == SUCCESS)
-		{
-			found->value = kv->value;
-		}
-		else
-		{
-			extension->kv->remove_at(extension->kv, enumerator);
-			base->kv->insert_last(base->kv, kv);
-		}
-	}
-	enumerator->destroy(enumerator);
-}
-
-/**
- * Load settings from files matching the given file pattern.
- * All sections and values are added relative to "parent".
- * All files (even included ones) have to be loaded successfully.
- */
-static bool load_files_internal(private_settings_t *this, section_t *parent,
-								char *pattern, bool merge)
-{
-	char *text;
-	linked_list_t *contents;
-	section_t *section;
-
-	if (pattern == NULL)
-	{
-#ifdef STRONGSWAN_CONF
-		pattern = STRONGSWAN_CONF;
-#else
-		return FALSE;
-#endif
-	}
-
-	contents = linked_list_create();
-	section = section_create(NULL);
-
-	if (!parse_files(contents, NULL, 0, pattern, section))
-	{
-		contents->destroy_function(contents, (void*)free);
-		section_destroy(section);
-		return FALSE;
-	}
-
-	this->lock->write_lock(this->lock);
-	if (!merge)
-	{
-		section_purge(parent);
-	}
-	/* extend parent section */
-	section_extend(parent, section);
-	/* move contents of loaded files to main store */
-	while (contents->remove_first(contents, (void**)&text) == SUCCESS)
-	{
-		this->contents->insert_last(this->contents, text);
-	}
-	this->lock->unlock(this->lock);
-
-	section_destroy(section);
-	contents->destroy(contents);
-	return TRUE;
-}
-
-METHOD(settings_t, load_files, bool,
-	   private_settings_t *this, char *pattern, bool merge)
-{
-	return load_files_internal(this, this->top, pattern, merge);
-}
-
-METHOD(settings_t, load_files_section, bool,
-	   private_settings_t *this, char *pattern, bool merge, char *key, ...)
-{
-	section_t *section;
-	va_list args;
-
-	va_start(args, key);
-	section = ensure_section(this, this->top, key, args);
-	va_end(args);
-
-	if (!section)
-	{
-		return FALSE;
-	}
-	return load_files_internal(this, section, pattern, merge);
-}
-
-METHOD(settings_t, destroy, void,
-	   private_settings_t *this)
-{
-	section_destroy(this->top);
-	this->contents->destroy_function(this->contents, (void*)free);
-	this->lock->destroy(this->lock);
-	free(this);
-}
-
-/*
- * see header file
- */
-settings_t *settings_create(char *file)
-{
-	private_settings_t *this;
-
-	INIT(this,
-		.public = {
-			.get_str = _get_str,
-			.get_int = _get_int,
-			.get_double = _get_double,
-			.get_time = _get_time,
-			.get_bool = _get_bool,
-			.set_str = _set_str,
-			.set_int = _set_int,
-			.set_double = _set_double,
-			.set_time = _set_time,
-			.set_bool = _set_bool,
-			.create_section_enumerator = _create_section_enumerator,
-			.create_key_value_enumerator = _create_key_value_enumerator,
-			.load_files = _load_files,
-			.load_files_section = _load_files_section,
-			.destroy = _destroy,
-		},
-		.top = section_create(NULL),
-		.contents = linked_list_create(),
-		.lock = rwlock_create(RWLOCK_TYPE_DEFAULT),
-	);
-
-	load_files(this, file, FALSE);
-
-	return &this->public;
-}
-
diff --git a/src/libstrongswan/settings.h b/src/libstrongswan/settings.h
deleted file mode 100644
index c8b50d008..000000000
--- a/src/libstrongswan/settings.h
+++ /dev/null
@@ -1,313 +0,0 @@
-/*
- * Copyright (C) 2010 Tobias Brunner
- * Copyright (C) 2008 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup settings settings
- * @{ @ingroup libstrongswan
- */
-
-#ifndef SETTINGS_H_
-#define SETTINGS_H_
-
-typedef struct settings_t settings_t;
-
-#include "utils.h"
-#include "utils/enumerator.h"
-
-/**
- * Convert a string value returned by a key/value enumerator to a boolean.
- *
- * @see settings_t.create_key_value_enumerator()
- * @see settings_t.get_bool()
- * @param value			the string value
- * @param def			the default value, if value is NULL or invalid
- */
-bool settings_value_as_bool(char *value, bool def);
-
-/**
- * Convert a string value returned by a key/value enumerator to an integer.
- *
- * @see settings_t.create_key_value_enumerator()
- * @see settings_t.get_int()
- * @param value			the string value
- * @param def			the default value, if value is NULL or invalid
- */
-int settings_value_as_int(char *value, int def);
-
-/**
- * Convert a string value returned by a key/value enumerator to a double.
- *
- * @see settings_t.create_key_value_enumerator()
- * @see settings_t.get_double()
- * @param value			the string value
- * @param def			the default value, if value is NULL or invalid
- */
-double settings_value_as_double(char *value, double def);
-
-/**
- * Convert a string value returned by a key/value enumerator to a time value.
- *
- * @see settings_t.create_key_value_enumerator()
- * @see settings_t.get_time()
- * @param value			the string value
- * @param def			the default value, if value is NULL or invalid
- */
-u_int32_t settings_value_as_time(char *value, u_int32_t def);
-
-/**
- * Generic configuration options read from a config file.
- *
- * The syntax is quite simple:
- * @code
- * settings := (section|keyvalue)*
- * section  := name { settings }
- * keyvalue := key = value\n
- * @endcode
- * E.g.:
- * @code
-	a = b
-	section-one {
-		somevalue = asdf
-		subsection {
-			othervalue = xxx
-		}
-		yetanother = zz
-	}
-	section-two {
-	}
-	@endcode
- *
- * The values are accessed using the get() functions using dotted keys, e.g.
- *   section-one.subsection.othervalue
- *
- * Currently only a limited set of printf format specifiers are supported
- * (namely %s, %d and %N, see implementation for details).
- *
- * \section includes Including other files
- * Other files can be included, using the include statement e.g.
- * @code
- *   include /somepath/subconfig.conf
- * @endcode
- * Shell patterns like *.conf are possible.
- *
- * If the path is relative, the directory of the file containing the include
- * statement is used as base.
- *
- * Sections loaded from included files extend previously loaded sections,
- * already existing values are replaced.
- *
- * All settings included from files are added relative to the section the
- * include statement is in.
- *
- * The following files result in the same final config as above:
- *
- * @code
-	a = b
-	section-one {
-		somevalue = before include
-		include include.conf
-	}
-	include two.conf
-	@endcode
- * include.conf
- * @code
-	somevalue = asdf
-	subsection {
-		othervalue = yyy
-	}
-	yetanother = zz
-	@endcode
- * two.conf
- * @code
-	section-one {
-		subsection {
-			othervalue = xxx
-		}
-	}
-	section-two {
-	}
-	@endcode
- */
-struct settings_t {
-
-	/**
-	 * Get a settings value as a string.
-	 *
-	 * @param key		key including sections, printf style format
-	 * @param def		value returned if key not found
-	 * @param ...		argument list for key
-	 * @return			value pointing to internal string
-	 */
-	char* (*get_str)(settings_t *this, char *key, char *def, ...);
-
-	/**
-	 * Get a boolean yes|no, true|false value.
-	 *
-	 * @param key		key including sections, printf style format
-	 * @param def		value returned if key not found
-	 * @param ...		argument list for key
-	 * @return			value of the key
-	 */
-	bool (*get_bool)(settings_t *this, char *key, bool def, ...);
-
-	/**
-	 * Get an integer value.
-	 *
-	 * @param key		key including sections, printf style format
-	 * @param def		value returned if key not found
-	 * @param ...		argument list for key
-	 * @return			value of the key
-	 */
-	int (*get_int)(settings_t *this, char *key, int def, ...);
-
-	/**
-	 * Get an double value.
-	 *
-	 * @param key		key including sections, printf style format
-	 * @param def		value returned if key not found
-	 * @param ...		argument list for key
-	 * @return			value of the key
-	 */
-	double (*get_double)(settings_t *this, char *key, double def, ...);
-
-	/**
-	 * Get a time value.
-	 *
-	 * @param key		key including sections, printf style format
-	 * @param def		value returned if key not found
-	 * @param ...		argument list for key
-	 * @return			value of the key (in seconds)
-	 */
-	u_int32_t (*get_time)(settings_t *this, char *key, u_int32_t def, ...);
-
-	/**
-	 * Set a string value.
-	 *
-	 * @param key		key including sections, printf style format
-	 * @param value		value to set (gets cloned)
-	 * @param ...		argument list for key
-	 */
-	void (*set_str)(settings_t *this, char *key, char *value, ...);
-
-	/**
-	 * Set a boolean value.
-	 *
-	 * @param key		key including sections, printf style format
-	 * @param value		value to set
-	 * @param ...		argument list for key
-	 */
-	void (*set_bool)(settings_t *this, char *key, bool value, ...);
-
-	/**
-	 * Set an integer value.
-	 *
-	 * @param key		key including sections, printf style format
-	 * @param value		value to set
-	 * @param ...		argument list for key
-	 */
-	void (*set_int)(settings_t *this, char *key, int value, ...);
-
-	/**
-	 * Set an double value.
-	 *
-	 * @param key		key including sections, printf style format
-	 * @param value		value to set
-	 * @param ...		argument list for key
-	 */
-	void (*set_double)(settings_t *this, char *key, double value, ...);
-
-	/**
-	 * Set a time value.
-	 *
-	 * @param key		key including sections, printf style format
-	 * @param def		value to set
-	 * @param ...		argument list for key
-	 */
-	void (*set_time)(settings_t *this, char *key, u_int32_t value, ...);
-
-	/**
-	 * Create an enumerator over subsection names of a section.
-	 *
-	 * @param section	section including parents, printf style format
-	 * @param ...		argument list for key
-	 * @return			enumerator over subsection names
-	 */
-	enumerator_t* (*create_section_enumerator)(settings_t *this,
-											   char *section, ...);
-
-	/**
-	 * Create an enumerator over key/value pairs in a section.
-	 *
-	 * @param section	section name to list key/value pairs of, printf style
-	 * @param ...		argument list for section
-	 * @return			enumerator over (char *key, char *value)
-	 */
-	enumerator_t* (*create_key_value_enumerator)(settings_t *this,
-												 char *section, ...);
-
-	/**
-	 * Load settings from the files matching the given pattern.
-	 *
-	 * If merge is TRUE, existing sections are extended, existing values
-	 * replaced, by those found in the loaded files. If it is FALSE, existing
-	 * sections are purged before reading the new config.
-	 *
-	 * @note If any of the files matching the pattern fails to load, no settings
-	 * are added at all. So, it's all or nothing.
-	 *
-	 * @param pattern	file pattern
-	 * @param merge		TRUE to merge config with existing values
-	 * @return			TRUE, if settings were loaded successfully
-	 */
-	bool (*load_files)(settings_t *this, char *pattern, bool merge);
-
-	/**
-	 * Load settings from the files matching the given pattern.
-	 *
-	 * If merge is TRUE, existing sections are extended, existing values
-	 * replaced, by those found in the loaded files. If it is FALSE, existing
-	 * sections are purged before reading the new config.
-	 *
-	 * All settings are loaded relative to the given section. The section is
-	 * created, if it does not yet exist.
-	 *
-	 * @note If any of the files matching the pattern fails to load, no settings
-	 * are added at all. So, it's all or nothing.
-	 *
-	 * @param pattern	file pattern
-	 * @param merge		TRUE to merge config with existing values
-	 * @param section	section name of parent section, printf style
-	 * @param ...		argument list for section
-	 * @return			TRUE, if settings were loaded successfully
-	 */
-	bool (*load_files_section)(settings_t *this, char *pattern, bool merge,
-							   char *section, ...);
-
-	/**
-	 * Destroy a settings instance.
-	 */
-	void (*destroy)(settings_t *this);
-};
-
-/**
- * Load settings from a file.
- *
- * @param file			file to read settings from, NULL for default
- * @return				settings object
- */
-settings_t *settings_create(char *file);
-
-#endif /** SETTINGS_H_ @}*/
diff --git a/src/libstrongswan/threading/mutex.c b/src/libstrongswan/threading/mutex.c
index 2ef918a28..f86e781c5 100644
--- a/src/libstrongswan/threading/mutex.c
+++ b/src/libstrongswan/threading/mutex.c
@@ -21,7 +21,7 @@
 #include <errno.h>
 
 #include <library.h>
-#include <debug.h>
+#include <utils/debug.h>
 
 #include "condvar.h"
 #include "mutex.h"
@@ -282,13 +282,7 @@ METHOD(condvar_t, timed_wait, bool,
 	ms = timeout % 1000;
 
 	tv.tv_sec += s;
-	tv.tv_usec += ms * 1000;
-
-	if (tv.tv_usec > 1000000 /* 1s */)
-	{
-		tv.tv_usec -= 1000000;
-		tv.tv_sec++;
-	}
+	timeval_add_ms(&tv, ms);
 	return timed_wait_abs(this, mutex, tv);
 }
 
diff --git a/src/libstrongswan/threading/rwlock.c b/src/libstrongswan/threading/rwlock.c
index 7097a8e8c..176445705 100644
--- a/src/libstrongswan/threading/rwlock.c
+++ b/src/libstrongswan/threading/rwlock.c
@@ -18,7 +18,7 @@
 #include <pthread.h>
 
 #include <library.h>
-#include <debug.h>
+#include <utils/debug.h>
 
 #include "rwlock.h"
 #include "rwlock_condvar.h"
@@ -433,13 +433,8 @@ METHOD(rwlock_condvar_t, timed_wait, bool,
 	ms = timeout % 1000;
 
 	tv.tv_sec += s;
-	tv.tv_usec += ms * 1000;
+	timeval_add_ms(&tv, ms);
 
-	if (tv.tv_usec > 1000000 /* 1s */)
-	{
-		tv.tv_usec -= 1000000;
-		tv.tv_sec++;
-	}
 	return timed_wait_abs(this, lock, tv);
 }
 
diff --git a/src/libstrongswan/threading/spinlock.c b/src/libstrongswan/threading/spinlock.c
index 812cf696b..a0de02ce5 100644
--- a/src/libstrongswan/threading/spinlock.c
+++ b/src/libstrongswan/threading/spinlock.c
@@ -13,20 +13,15 @@
  * for more details.
  */
 
-#include <unistd.h> /* for _POSIX_SPIN_LOCKS */
 #include <pthread.h>
 
 #include <library.h>
-#include <debug.h>
+#include <utils/debug.h>
 
 #include "spinlock.h"
 #include "mutex.h"
 #include "lock_profiler.h"
 
-#if defined(_POSIX_SPIN_LOCKS) && _POSIX_SPIN_LOCKS == -1
-#undef _POSIX_SPIN_LOCKS
-#endif
-
 typedef struct private_spinlock_t private_spinlock_t;
 
 /**
@@ -39,7 +34,7 @@ struct private_spinlock_t {
 	 */
 	spinlock_t public;
 
-#ifdef _POSIX_SPIN_LOCKS
+#ifdef HAVE_PTHREAD_SPIN_INIT
 
 	/**
 	 * wrapped pthread spin lock
@@ -51,20 +46,20 @@ struct private_spinlock_t {
 	 */
 	lock_profile_t profile;
 
-#else /* _POSIX_SPIN_LOCKS */
+#else /* HAVE_PTHREAD_SPIN_INIT */
 
 	/**
 	 * use a mutex if spin locks are not available
 	 */
 	mutex_t *mutex;
 
-#endif /* _POSIX_SPIN_LOCKS */
+#endif /* HAVE_PTHREAD_SPIN_INIT */
 };
 
 METHOD(spinlock_t, lock, void,
 	private_spinlock_t *this)
 {
-#ifdef _POSIX_SPIN_LOCKS
+#ifdef HAVE_PTHREAD_SPIN_INIT
 	int err;
 
 	profiler_start(&this->profile);
@@ -82,7 +77,7 @@ METHOD(spinlock_t, lock, void,
 METHOD(spinlock_t, unlock, void,
 	private_spinlock_t *this)
 {
-#ifdef _POSIX_SPIN_LOCKS
+#ifdef HAVE_PTHREAD_SPIN_INIT
 	int err;
 
 	err = pthread_spin_unlock(&this->spinlock);
@@ -98,7 +93,7 @@ METHOD(spinlock_t, unlock, void,
 METHOD(spinlock_t, destroy, void,
 	private_spinlock_t *this)
 {
-#ifdef _POSIX_SPIN_LOCKS
+#ifdef HAVE_PTHREAD_SPIN_INIT
 	profiler_cleanup(&this->profile);
 	pthread_spin_destroy(&this->spinlock);
 #else
@@ -122,15 +117,12 @@ spinlock_t *spinlock_create()
 		},
 	);
 
-#ifdef _POSIX_SPIN_LOCKS
+#ifdef HAVE_PTHREAD_SPIN_INIT
 	pthread_spin_init(&this->spinlock, PTHREAD_PROCESS_PRIVATE);
 	profiler_init(&this->profile);
 #else
-	#warning Using mutexes as spin lock alternatives
 	this->mutex = mutex_create(MUTEX_TYPE_DEFAULT);
 #endif
 
 	return &this->public;
 }
-
-
diff --git a/src/libstrongswan/threading/thread.c b/src/libstrongswan/threading/thread.c
index 9ef514ebc..e524409c7 100644
--- a/src/libstrongswan/threading/thread.c
+++ b/src/libstrongswan/threading/thread.c
@@ -32,11 +32,11 @@ static inline pid_t gettid()
 #endif
 
 #include <library.h>
-#include <debug.h>
+#include <utils/debug.h>
 
 #include <threading/thread_value.h>
 #include <threading/mutex.h>
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
 
 #include "thread.h"
 
diff --git a/src/libstrongswan/utils.c b/src/libstrongswan/utils.c
deleted file mode 100644
index d43a4bc2f..000000000
--- a/src/libstrongswan/utils.c
+++ /dev/null
@@ -1,571 +0,0 @@
-/*
- * Copyright (C) 2008-2012 Tobias Brunner
- * Copyright (C) 2005-2008 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include "utils.h"
-
-#include <sys/stat.h>
-#include <string.h>
-#include <stdio.h>
-#include <unistd.h>
-#include <inttypes.h>
-#include <stdint.h>
-#include <limits.h>
-#include <dirent.h>
-#include <time.h>
-#include <pthread.h>
-
-#include "enum.h"
-#include "debug.h"
-#include "utils/enumerator.h"
-
-ENUM(status_names, SUCCESS, NEED_MORE,
-	"SUCCESS",
-	"FAILED",
-	"OUT_OF_RES",
-	"ALREADY_DONE",
-	"NOT_SUPPORTED",
-	"INVALID_ARG",
-	"NOT_FOUND",
-	"PARSE_ERROR",
-	"VERIFY_ERROR",
-	"INVALID_STATE",
-	"DESTROY_ME",
-	"NEED_MORE",
-);
-
-/**
- * Described in header.
- */
-void *clalloc(void * pointer, size_t size)
-{
-	void *data;
-	data = malloc(size);
-
-	memcpy(data, pointer, size);
-
-	return (data);
-}
-
-/**
- * Described in header.
- */
-void memxor(u_int8_t dst[], u_int8_t src[], size_t n)
-{
-	int m, i;
-
-	/* byte wise XOR until dst aligned */
-	for (i = 0; (uintptr_t)&dst[i] % sizeof(long) && i < n; i++)
-	{
-		dst[i] ^= src[i];
-	}
-	/* try to use words if src shares an aligment with dst */
-	switch (((uintptr_t)&src[i] % sizeof(long)))
-	{
-		case 0:
-			for (m = n - sizeof(long); i <= m; i += sizeof(long))
-			{
-				*(long*)&dst[i] ^= *(long*)&src[i];
-			}
-			break;
-		case sizeof(int):
-			for (m = n - sizeof(int); i <= m; i += sizeof(int))
-			{
-				*(int*)&dst[i] ^= *(int*)&src[i];
-			}
-			break;
-		case sizeof(short):
-			for (m = n - sizeof(short); i <= m; i += sizeof(short))
-			{
-				*(short*)&dst[i] ^= *(short*)&src[i];
-			}
-			break;
-		default:
-			break;
-	}
-	/* byte wise XOR of the rest */
-	for (; i < n; i++)
-	{
-		dst[i] ^= src[i];
-	}
-}
-
-/**
- * Described in header.
- */
-void memwipe_noinline(void *ptr, size_t n)
-{
-	memwipe_inline(ptr, n);
-}
-
-/**
- * Described in header.
- */
-void *memstr(const void *haystack, const char *needle, size_t n)
-{
-	unsigned const char *pos = haystack;
-	size_t l = strlen(needle);
-	for (; n >= l; ++pos, --n)
-	{
-		if (memeq(pos, needle, l))
-		{
-			return (void*)pos;
-		}
-	}
-	return NULL;
-}
-
-/**
- * Described in header.
- */
-char* translate(char *str, const char *from, const char *to)
-{
-	char *pos = str;
-	if (strlen(from) != strlen(to))
-	{
-		return str;
-	}
-	while (pos && *pos)
-	{
-		char *match;
-		if ((match = strchr(from, *pos)) != NULL)
-		{
-			*pos = to[match - from];
-		}
-		pos++;
-	}
-	return str;
-}
-
-/**
- * Described in header.
- */
-bool mkdir_p(const char *path, mode_t mode)
-{
-	int len;
-	char *pos, full[PATH_MAX];
-	pos = full;
-	if (!path || *path == '\0')
-	{
-		return TRUE;
-	}
-	len = snprintf(full, sizeof(full)-1, "%s", path);
-	if (len < 0 || len >= sizeof(full)-1)
-	{
-		DBG1(DBG_LIB, "path string %s too long", path);
-		return FALSE;
-	}
-	/* ensure that the path ends with a '/' */
-	if (full[len-1] != '/')
-	{
-		full[len++] = '/';
-		full[len] = '\0';
-	}
-	/* skip '/' at the beginning */
-	while (*pos == '/')
-	{
-		pos++;
-	}
-	while ((pos = strchr(pos, '/')))
-	{
-		*pos = '\0';
-		if (access(full, F_OK) < 0)
-		{
-			if (mkdir(full, mode) < 0)
-			{
-				DBG1(DBG_LIB, "failed to create directory %s", full);
-				return FALSE;
-			}
-		}
-		*pos = '/';
-		pos++;
-	}
-	return TRUE;
-}
-
-
-/**
- * The size of the thread-specific error buffer
- */
-#define STRERROR_BUF_LEN 256
-
-/**
- * Key to store thread-specific error buffer
- */
-static pthread_key_t strerror_buf_key;
-
-/**
- * Only initialize the key above once
- */
-static pthread_once_t strerror_buf_key_once = PTHREAD_ONCE_INIT;
-
-/**
- * Create the key used for the thread-specific error buffer
- */
-static void create_strerror_buf_key()
-{
-	pthread_key_create(&strerror_buf_key, free);
-}
-
-/**
- * Retrieve the error buffer assigned to the current thread (or create it)
- */
-static inline char *get_strerror_buf()
-{
-	char *buf;
-
-	pthread_once(&strerror_buf_key_once, create_strerror_buf_key);
-	buf = pthread_getspecific(strerror_buf_key);
-	if (!buf)
-	{
-		buf = malloc(STRERROR_BUF_LEN);
-		pthread_setspecific(strerror_buf_key, buf);
-	}
-	return buf;
-}
-
-#ifdef HAVE_STRERROR_R
-/*
- * Described in header.
- */
-const char *safe_strerror(int errnum)
-{
-	char *buf = get_strerror_buf(), *msg;
-
-#ifdef STRERROR_R_CHAR_P
-	/* char* version which may or may not return the original buffer */
-	msg = strerror_r(errnum, buf, STRERROR_BUF_LEN);
-#else
-	/* int version returns 0 on success */
-	msg = strerror_r(errnum, buf, STRERROR_BUF_LEN) ? "Unknown error" : buf;
-#endif
-	return msg;
-}
-#else /* HAVE_STRERROR_R */
-/* we actually wan't to call strerror(3) below */
-#undef strerror
-/*
- * Described in header.
- */
-const char *safe_strerror(int errnum)
-{
-	static pthread_mutex_t mutex = PTHREAD_MUTEX_INITIALIZER;
-	char *buf = get_strerror_buf();
-
-	/* use a mutex to ensure calling strerror(3) is thread-safe */
-	pthread_mutex_lock(&mutex);
-	strncpy(buf, strerror(errnum), STRERROR_BUF_LEN);
-	pthread_mutex_unlock(&mutex);
-	buf[STRERROR_BUF_LEN - 1] = '\0';
-	return buf;
-}
-#endif /* HAVE_STRERROR_R */
-
-
-#ifndef HAVE_CLOSEFROM
-/**
- * Described in header.
- */
-void closefrom(int lowfd)
-{
-	char fd_dir[PATH_MAX];
-	int maxfd, fd, len;
-
-	/* try to close only open file descriptors on Linux... */
-	len = snprintf(fd_dir, sizeof(fd_dir), "/proc/%u/fd", getpid());
-	if (len > 0 && len < sizeof(fd_dir) && access(fd_dir, F_OK) == 0)
-	{
-		enumerator_t *enumerator = enumerator_create_directory(fd_dir);
-		if (enumerator)
-		{
-			char *rel;
-			while (enumerator->enumerate(enumerator, &rel, NULL, NULL))
-			{
-				fd = atoi(rel);
-				if (fd >= lowfd)
-				{
-					close(fd);
-				}
-			}
-			enumerator->destroy(enumerator);
-			return;
-		}
-	}
-
-	/* ...fall back to closing all fds otherwise */
-	maxfd = (int)sysconf(_SC_OPEN_MAX);
-	if (maxfd < 0)
-	{
-		maxfd = 256;
-	}
-	for (fd = lowfd; fd < maxfd; fd++)
-	{
-		close(fd);
-	}
-}
-#endif /* HAVE_CLOSEFROM */
-
-/**
- * Return monotonic time
- */
-time_t time_monotonic(timeval_t *tv)
-{
-#if defined(HAVE_CLOCK_GETTIME) && \
-	(defined(HAVE_CONDATTR_CLOCK_MONOTONIC) || \
-	 defined(HAVE_PTHREAD_COND_TIMEDWAIT_MONOTONIC))
-	/* as we use time_monotonic() for condvar operations, we use the
-	 * monotonic time source only if it is also supported by pthread. */
-	timespec_t ts;
-
-	if (clock_gettime(CLOCK_MONOTONIC, &ts) == 0)
-	{
-		if (tv)
-		{
-			tv->tv_sec = ts.tv_sec;
-			tv->tv_usec = ts.tv_nsec / 1000;
-		}
-		return ts.tv_sec;
-	}
-#endif /* HAVE_CLOCK_GETTIME && (...) */
-	/* Fallback to non-monotonic timestamps:
-	 * On MAC OS X, creating monotonic timestamps is rather difficult. We
-	 * could use mach_absolute_time() and catch sleep/wakeup notifications.
-	 * We stick to the simpler (non-monotonic) gettimeofday() for now.
-	 * But keep in mind: we need the same time source here as in condvar! */
-	if (!tv)
-	{
-		return time(NULL);
-	}
-	if (gettimeofday(tv, NULL) != 0)
-	{	/* should actually never fail if passed pointers are valid */
-		return -1;
-	}
-	return tv->tv_sec;
-}
-
-/**
- * return null
- */
-void *return_null()
-{
-	return NULL;
-}
-
-/**
- * returns TRUE
- */
-bool return_true()
-{
-	return TRUE;
-}
-
-/**
- * returns FALSE
- */
-bool return_false()
-{
-	return FALSE;
-}
-
-/**
- * returns FAILED
- */
-status_t return_failed()
-{
-	return FAILED;
-}
-
-/**
- * nop operation
- */
-void nop()
-{
-}
-
-#ifndef HAVE_GCC_ATOMIC_OPERATIONS
-
-/**
- * We use a single mutex for all refcount variables.
- */
-static pthread_mutex_t ref_mutex = PTHREAD_MUTEX_INITIALIZER;
-
-/**
- * Increase refcount
- */
-void ref_get(refcount_t *ref)
-{
-	pthread_mutex_lock(&ref_mutex);
-	(*ref)++;
-	pthread_mutex_unlock(&ref_mutex);
-}
-
-/**
- * Decrease refcount
- */
-bool ref_put(refcount_t *ref)
-{
-	bool more_refs;
-
-	pthread_mutex_lock(&ref_mutex);
-	more_refs = --(*ref) > 0;
-	pthread_mutex_unlock(&ref_mutex);
-	return !more_refs;
-}
-
-/**
- * Single mutex for all compare and swap operations.
- */
-static pthread_mutex_t cas_mutex = PTHREAD_MUTEX_INITIALIZER;
-
-/**
- * Compare and swap if equal to old value
- */
-#define _cas_impl(name, type) \
-bool cas_##name(type *ptr, type oldval, type newval) \
-{ \
-	bool swapped; \
-	pthread_mutex_lock(&cas_mutex); \
-	if ((swapped = (*ptr == oldval))) { *ptr = newval; } \
-	pthread_mutex_unlock(&cas_mutex); \
-	return swapped; \
-}
-
-_cas_impl(bool, bool)
-_cas_impl(ptr, void*)
-
-#endif /* HAVE_GCC_ATOMIC_OPERATIONS */
-
-/**
- * Described in header.
- */
-int time_printf_hook(printf_hook_data_t *data, printf_hook_spec_t *spec,
-					 const void *const *args)
-{
-	static const char* months[] = {
-		"Jan", "Feb", "Mar", "Apr", "May", "Jun",
-		"Jul", "Aug", "Sep", "Oct", "Nov", "Dec"
-	};
-	time_t *time = *((time_t**)(args[0]));
-	bool utc = *((bool*)(args[1]));;
-	struct tm t;
-
-	if (time == UNDEFINED_TIME)
-	{
-		return print_in_hook(data, "--- -- --:--:--%s----",
-							 utc ? " UTC " : " ");
-	}
-	if (utc)
-	{
-		gmtime_r(time, &t);
-	}
-	else
-	{
-		localtime_r(time, &t);
-	}
-	return print_in_hook(data, "%s %02d %02d:%02d:%02d%s%04d",
-						 months[t.tm_mon], t.tm_mday, t.tm_hour, t.tm_min,
-						 t.tm_sec, utc ? " UTC " : " ", t.tm_year + 1900);
-}
-
-/**
- * Described in header.
- */
-int time_delta_printf_hook(printf_hook_data_t *data, printf_hook_spec_t *spec,
-						   const void *const *args)
-{
-	char* unit = "second";
-	time_t *arg1 = *((time_t**)(args[0]));
-	time_t *arg2 = *((time_t**)(args[1]));
-	u_int64_t delta = llabs(*arg1 - *arg2);
-
-	if (delta > 2 * 60 * 60 * 24)
-	{
-		delta /= 60 * 60 * 24;
-		unit = "day";
-	}
-	else if (delta > 2 * 60 * 60)
-	{
-		delta /= 60 * 60;
-		unit = "hour";
-	}
-	else if (delta > 2 * 60)
-	{
-		delta /= 60;
-		unit = "minute";
-	}
-	return print_in_hook(data, "%" PRIu64 " %s%s", delta, unit,
-						 (delta == 1) ? "" : "s");
-}
-
-/**
- * Number of bytes per line to dump raw data
- */
-#define BYTES_PER_LINE 16
-
-static char hexdig_upper[] = "0123456789ABCDEF";
-
-/**
- * Described in header.
- */
-int mem_printf_hook(printf_hook_data_t *data,
-					printf_hook_spec_t *spec, const void *const *args)
-{
-	char *bytes = *((void**)(args[0]));
-	u_int len = *((int*)(args[1]));
-
-	char buffer[BYTES_PER_LINE * 3];
-	char ascii_buffer[BYTES_PER_LINE + 1];
-	char *buffer_pos = buffer;
-	char *bytes_pos  = bytes;
-	char *bytes_roof = bytes + len;
-	int line_start = 0;
-	int i = 0;
-	int written = 0;
-
-	written += print_in_hook(data, "=> %u bytes @ %p", len, bytes);
-
-	while (bytes_pos < bytes_roof)
-	{
-		*buffer_pos++ = hexdig_upper[(*bytes_pos >> 4) & 0xF];
-		*buffer_pos++ = hexdig_upper[ *bytes_pos       & 0xF];
-
-		ascii_buffer[i++] =
-				(*bytes_pos > 31 && *bytes_pos < 127) ? *bytes_pos : '.';
-
-		if (++bytes_pos == bytes_roof || i == BYTES_PER_LINE)
-		{
-			int padding = 3 * (BYTES_PER_LINE - i);
-
-			while (padding--)
-			{
-				*buffer_pos++ = ' ';
-			}
-			*buffer_pos++ = '\0';
-			ascii_buffer[i] = '\0';
-
-			written += print_in_hook(data, "\n%4d: %s  %s",
-									 line_start, buffer, ascii_buffer);
-
-			buffer_pos = buffer;
-			line_start += BYTES_PER_LINE;
-			i = 0;
-		}
-		else
-		{
-			*buffer_pos++ = ' ';
-		}
-	}
-	return written;
-}
diff --git a/src/libstrongswan/utils.h b/src/libstrongswan/utils.h
deleted file mode 100644
index f47c65ac1..000000000
--- a/src/libstrongswan/utils.h
+++ /dev/null
@@ -1,683 +0,0 @@
-/*
- * Copyright (C) 2008-2012 Tobias Brunner
- * Copyright (C) 2008 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup utils utils
- * @{ @ingroup libstrongswan
- */
-
-#ifndef UTILS_H_
-#define UTILS_H_
-
-#include <sys/types.h>
-#include <stdlib.h>
-#include <stddef.h>
-#include <sys/time.h>
-#include <arpa/inet.h>
-#include <string.h>
-
-#include "enum.h"
-
-/**
- * strongSwan program return codes
- */
-#define SS_RC_LIBSTRONGSWAN_INTEGRITY	64
-#define SS_RC_DAEMON_INTEGRITY			65
-#define SS_RC_INITIALIZATION_FAILED		66
-
-#define SS_RC_FIRST	SS_RC_LIBSTRONGSWAN_INTEGRITY
-#define SS_RC_LAST	SS_RC_INITIALIZATION_FAILED
-
-/**
- * Number of bits in a byte
- */
-#define BITS_PER_BYTE 8
-
-/**
- * Default length for various auxiliary text buffers
- */
-#define BUF_LEN 512
-
-/**
- * General purpose boolean type.
- */
-#ifdef HAVE_STDBOOL_H
-# include <stdbool.h>
-#else
-# ifndef HAVE__BOOL
-#  define _Bool signed char
-# endif /* HAVE__BOOL */
-# define bool _Bool
-# define false 0
-# define true 1
-# define __bool_true_false_are_defined 1
-#endif /* HAVE_STDBOOL_H */
-#ifndef FALSE
-# define FALSE false
-#endif /* FALSE */
-#ifndef TRUE
-# define TRUE  true
-#endif /* TRUE */
-
-/**
- * Helper function that compares two strings for equality
- */
-static inline bool streq(const char *x, const char *y)
-{
-	return strcmp(x, y) == 0;
-}
-
-/**
- * Macro compares two strings for equality, length limited
- */
-#define strneq(x,y,len) (strncmp(x, y, len) == 0)
-
-/**
- * Helper function that compares two strings for equality ignoring case
- */
-static inline bool strcaseeq(const char *x, const char *y)
-{
-	return strcasecmp(x, y) == 0;
-}
-
-/**
- * Macro compares two strings for equality ignoring case, length limited
- */
-#define strncaseeq(x,y,len) (strncasecmp(x, y, len) == 0)
-
-/**
- * NULL-safe strdup variant
- */
-static inline char *strdupnull(const char *s)
-{
-	return s ? strdup(s) : NULL;
-}
-
-/**
- * Macro compares two binary blobs for equality
- */
-#define memeq(x,y,len) (memcmp(x, y, len) == 0)
-
-/**
- * Macro gives back larger of two values.
- */
-#define max(x,y) ({ \
-	typeof(x) _x = (x); \
-	typeof(y) _y = (y); \
-	_x > _y ? _x : _y; })
-
-
-/**
- * Macro gives back smaller of two values.
- */
-#define min(x,y) ({ \
-	typeof(x) _x = (x); \
-	typeof(y) _y = (y); \
-	_x < _y ? _x : _y; })
-
-/**
- * Call destructor of an object, if object != NULL
- */
-#define DESTROY_IF(obj) if (obj) (obj)->destroy(obj)
-
-/**
- * Call offset destructor of an object, if object != NULL
- */
-#define DESTROY_OFFSET_IF(obj, offset) if (obj) obj->destroy_offset(obj, offset);
-
-/**
- * Call function destructor of an object, if object != NULL
- */
-#define DESTROY_FUNCTION_IF(obj, fn) if (obj) obj->destroy_function(obj, fn);
-
-/**
- * Debug macro to follow control flow
- */
-#define POS printf("%s, line %d\n", __FILE__, __LINE__)
-
-/**
- * Object allocation/initialization macro, using designated initializer.
- */
-#define INIT(this, ...) { (this) = malloc(sizeof(*(this))); \
-						   *(this) = (typeof(*(this))){ __VA_ARGS__ }; }
-
-/**
- * Method declaration/definition macro, providing private and public interface.
- *
- * Defines a method name with this as first parameter and a return value ret,
- * and an alias for this method with a _ prefix, having the this argument
- * safely casted to the public interface iface.
- * _name is provided a function pointer, but will get optimized out by GCC.
- */
-#define METHOD(iface, name, ret, this, ...) \
-	static ret name(union {iface *_public; this;} \
-	__attribute__((transparent_union)), ##__VA_ARGS__); \
-	static typeof(name) *_##name = (typeof(name)*)name; \
-	static ret name(this, ##__VA_ARGS__)
-
-/**
- * Same as METHOD(), but is defined for two public interfaces.
- */
-#define METHOD2(iface1, iface2, name, ret, this, ...) \
-	static ret name(union {iface1 *_public1; iface2 *_public2; this;} \
-	__attribute__((transparent_union)), ##__VA_ARGS__); \
-	static typeof(name) *_##name = (typeof(name)*)name; \
-	static ret name(this, ##__VA_ARGS__)
-
-/**
- * Architecture independent bitfield definition helpers (at least with GCC).
- *
- * Defines a bitfield with a type t and a fixed size of bitfield members, e.g.:
- * BITFIELD2(u_int8_t,
- *     low: 4,
- *     high: 4,
- * ) flags;
- * The member defined first placed at bit 0.
- */
-#if BYTE_ORDER == LITTLE_ENDIAN
-#define BITFIELD2(t, a, b,...)			struct { t a; t b; __VA_ARGS__}
-#define BITFIELD3(t, a, b, c,...)		struct { t a; t b; t c; __VA_ARGS__}
-#define BITFIELD4(t, a, b, c, d,...)	struct { t a; t b; t c; t d; __VA_ARGS__}
-#define BITFIELD5(t, a, b, c, d, e,...)	struct { t a; t b; t c; t d; t e; __VA_ARGS__}
-#elif BYTE_ORDER == BIG_ENDIAN
-#define BITFIELD2(t, a, b,...)			struct { t b; t a; __VA_ARGS__}
-#define BITFIELD3(t, a, b, c,...)		struct { t c; t b; t a; __VA_ARGS__}
-#define BITFIELD4(t, a, b, c, d,...)	struct { t d; t c; t b; t a; __VA_ARGS__}
-#define BITFIELD5(t, a, b, c, d, e,...)	struct { t e; t d; t c; t b; t a; __VA_ARGS__}
-#endif
-
-/**
- * Macro to allocate a sized type.
- */
-#define malloc_thing(thing) ((thing*)malloc(sizeof(thing)))
-
-/**
- * Get the number of elements in an array
- */
-#define countof(array) (sizeof(array)/sizeof(array[0]))
-
-/**
- * Ignore result of functions tagged with warn_unused_result attributes
- */
-#define ignore_result(call) { if(call){}; }
-
-/**
- * Assign a function as a class method
- */
-#define ASSIGN(method, function) (method = (typeof(method))function)
-
-/**
- * time_t not defined
- */
-#define UNDEFINED_TIME 0
-
-/**
- * Maximum time since epoch causing wrap-around on Jan 19 03:14:07 UTC 2038
- */
-#define TIME_32_BIT_SIGNED_MAX	0x7fffffff
-
-/**
- * define some missing fixed width int types on OpenSolaris.
- * TODO: since the uintXX_t types are defined by the C99 standard we should
- * probably use those anyway
- */
-#ifdef __sun
-        #include <stdint.h>
-        typedef uint8_t         u_int8_t;
-        typedef uint16_t        u_int16_t;
-        typedef uint32_t        u_int32_t;
-        typedef uint64_t        u_int64_t;
-#endif
-
-typedef enum status_t status_t;
-
-/**
- * Return values of function calls.
- */
-enum status_t {
-	/**
-	 * Call succeeded.
-	 */
-	SUCCESS,
-
-	/**
-	 * Call failed.
-	 */
-	FAILED,
-
-	/**
-	 * Out of resources.
-	 */
-	OUT_OF_RES,
-
-	/**
-	 * The suggested operation is already done
-	 */
-	ALREADY_DONE,
-
-	/**
-	 * Not supported.
-	 */
-	NOT_SUPPORTED,
-
-	/**
-	 * One of the arguments is invalid.
-	 */
-	INVALID_ARG,
-
-	/**
-	 * Something could not be found.
-	 */
-	NOT_FOUND,
-
-	/**
-	 * Error while parsing.
-	 */
-	PARSE_ERROR,
-
-	/**
-	 * Error while verifying.
-	 */
-	VERIFY_ERROR,
-
-	/**
-	 * Object in invalid state.
-	 */
-	INVALID_STATE,
-
-	/**
-	 * Destroy object which called method belongs to.
-	 */
-	DESTROY_ME,
-
-	/**
-	 * Another call to the method is required.
-	 */
-	NEED_MORE,
-};
-
-/**
- * enum_names for type status_t.
- */
-extern enum_name_t *status_names;
-
-/**
- * deprecated pluto style return value:
- * error message, NULL for success
- */
-typedef const char *err_t;
-
-/**
- * Handle struct timeval like an own type.
- */
-typedef struct timeval timeval_t;
-
-/**
- * Handle struct timespec like an own type.
- */
-typedef struct timespec timespec_t;
-
-/**
- * Handle struct chunk_t like an own type.
- */
-typedef struct sockaddr sockaddr_t;
-
-/**
- * Clone a data to a newly allocated buffer
- */
-void *clalloc(void *pointer, size_t size);
-
-/**
- * Same as memcpy, but XORs src into dst instead of copy
- */
-void memxor(u_int8_t dest[], u_int8_t src[], size_t n);
-
-/**
- * Safely overwrite n bytes of memory at ptr with zero, non-inlining variant.
- */
-void memwipe_noinline(void *ptr, size_t n);
-
-/**
- * Safely overwrite n bytes of memory at ptr with zero, inlining variant.
- */
-static inline void memwipe_inline(void *ptr, size_t n)
-{
-	volatile char *c = (volatile char*)ptr;
-	size_t m, i;
-
-	/* byte wise until long aligned */
-	for (i = 0; (uintptr_t)&c[i] % sizeof(long) && i < n; i++)
-	{
-		c[i] = 0;
-	}
-	/* word wise */
-	if (n >= sizeof(long))
-	{
-		for (m = n - sizeof(long); i <= m; i += sizeof(long))
-		{
-			*(volatile long*)&c[i] = 0;
-		}
-	}
-	/* byte wise of the rest */
-	for (; i < n; i++)
-	{
-		c[i] = 0;
-	}
-}
-
-/**
- * Safely overwrite n bytes of memory at ptr with zero, auto-inlining variant.
- */
-static inline void memwipe(void *ptr, size_t n)
-{
-	if (__builtin_constant_p(n))
-	{
-		memwipe_inline(ptr, n);
-	}
-	else
-	{
-		memwipe_noinline(ptr, n);
-	}
-}
-
-/**
- * A variant of strstr with the characteristics of memchr, where haystack is not
- * a null-terminated string but simply a memory area of length n.
- */
-void *memstr(const void *haystack, const char *needle, size_t n);
-
-/**
- * Translates the characters in the given string, searching for characters
- * in 'from' and mapping them to characters in 'to'.
- * The two characters sets 'from' and 'to' must contain the same number of
- * characters.
- */
-char *translate(char *str, const char *from, const char *to);
-
-/**
- * Creates a directory and all required parent directories.
- *
- * @param path		path to the new directory
- * @param mode		permissions of the new directory/directories
- * @return			TRUE on success
- */
-bool mkdir_p(const char *path, mode_t mode);
-
-/**
- * Thread-safe wrapper around strerror and strerror_r.
- *
- * This is required because the first is not thread-safe (on some platforms)
- * and the second uses two different signatures (POSIX/GNU) and is impractical
- * to use anyway.
- *
- * @param errnum	error code (i.e. errno)
- * @return			error message
- */
-const char *safe_strerror(int errnum);
-
-/**
- * Replace usages of strerror(3) with thread-safe variant.
- */
-#define strerror(errnum) safe_strerror(errnum)
-
-#ifndef HAVE_CLOSEFROM
-/**
- * Close open file descriptors greater than or equal to lowfd.
- *
- * @param lowfd		start closing file descriptoros from here
- */
-void closefrom(int lowfd);
-#endif
-
-/**
- * Get a timestamp from a monotonic time source.
- *
- * While the time()/gettimeofday() functions are affected by leap seconds
- * and system time changes, this function returns ever increasing monotonic
- * time stamps.
- *
- * @param tv		timeval struct receiving monotonic timestamps, or NULL
- * @return			monotonic timestamp in seconds
- */
-time_t time_monotonic(timeval_t *tv);
-
-/**
- * returns null
- */
-void *return_null();
-
-/**
- * No-Operation function
- */
-void nop();
-
-/**
- * returns TRUE
- */
-bool return_true();
-
-/**
- * returns FALSE
- */
-bool return_false();
-
-/**
- * returns FAILED
- */
-status_t return_failed();
-
-/**
- * Write a 16-bit host order value in network order to an unaligned address.
- *
- * @param host		host order 16-bit value
- * @param network	unaligned address to write network order value to
- */
-static inline void htoun16(void *network, u_int16_t host)
-{
-	char *unaligned = (char*)network;
-
-	host = htons(host);
-	memcpy(unaligned, &host, sizeof(host));
-}
-
-/**
- * Write a 32-bit host order value in network order to an unaligned address.
- *
- * @param host		host order 32-bit value
- * @param network	unaligned address to write network order value to
- */
-static inline void htoun32(void *network, u_int32_t host)
-{
-	char *unaligned = (char*)network;
-
-	host = htonl(host);
-	memcpy((char*)unaligned, &host, sizeof(host));
-}
-
-/**
- * Write a 64-bit host order value in network order to an unaligned address.
- *
- * @param host		host order 64-bit value
- * @param network	unaligned address to write network order value to
- */
-static inline void htoun64(void *network, u_int64_t host)
-{
-	char *unaligned = (char*)network;
-
-#ifdef be64toh
-	host = htobe64(host);
-	memcpy((char*)unaligned, &host, sizeof(host));
-#else
-	u_int32_t high_part, low_part;
-
-	high_part = host >> 32;
-	high_part = htonl(high_part);
-	low_part  = host & 0xFFFFFFFFLL;
-	low_part  = htonl(low_part);
-
-	memcpy(unaligned, &high_part, sizeof(high_part));
-	unaligned += sizeof(high_part);
-	memcpy(unaligned, &low_part, sizeof(low_part));
-#endif
-}
-
-/**
- * Read a 16-bit value in network order from an unaligned address to host order.
- *
- * @param network	unaligned address to read network order value from
- * @return			host order value
- */
-static inline u_int16_t untoh16(void *network)
-{
-	char *unaligned = (char*)network;
-	u_int16_t tmp;
-
-	memcpy(&tmp, unaligned, sizeof(tmp));
-	return ntohs(tmp);
-}
-
-/**
- * Read a 32-bit value in network order from an unaligned address to host order.
- *
- * @param network	unaligned address to read network order value from
- * @return			host order value
- */
-static inline u_int32_t untoh32(void *network)
-{
-	char *unaligned = (char*)network;
-	u_int32_t tmp;
-
-	memcpy(&tmp, unaligned, sizeof(tmp));
-	return ntohl(tmp);
-}
-
-/**
- * Read a 64-bit value in network order from an unaligned address to host order.
- *
- * @param network	unaligned address to read network order value from
- * @return			host order value
- */
-static inline u_int64_t untoh64(void *network)
-{
-	char *unaligned = (char*)network;
-
-#ifdef be64toh
-	u_int64_t tmp;
-
-	memcpy(&tmp, unaligned, sizeof(tmp));
-	return be64toh(tmp);
-#else
-	u_int32_t high_part, low_part;
-
-	memcpy(&high_part, unaligned, sizeof(high_part));
-	unaligned += sizeof(high_part);
-	memcpy(&low_part, unaligned, sizeof(low_part));
-
-	high_part = ntohl(high_part);
-	low_part  = ntohl(low_part);
-
-	return (((u_int64_t)high_part) << 32) + low_part;
-#endif
-}
-
-/**
- * Special type to count references
- */
-typedef volatile u_int refcount_t;
-
-
-#ifdef HAVE_GCC_ATOMIC_OPERATIONS
-
-#define ref_get(ref) {__sync_fetch_and_add(ref, 1); }
-#define ref_put(ref) (!__sync_sub_and_fetch(ref, 1))
-
-#define cas_bool(ptr, oldval, newval) \
-					(__sync_bool_compare_and_swap(ptr, oldval, newval))
-#define cas_ptr(ptr, oldval, newval) \
-					(__sync_bool_compare_and_swap(ptr, oldval, newval))
-
-#else /* !HAVE_GCC_ATOMIC_OPERATIONS */
-
-/**
- * Get a new reference.
- *
- * Increments the reference counter atomic.
- *
- * @param ref	pointer to ref counter
- */
-void ref_get(refcount_t *ref);
-
-/**
- * Put back a unused reference.
- *
- * Decrements the reference counter atomic and
- * says if more references available.
- *
- * @param ref	pointer to ref counter
- * @return		TRUE if no more references counted
- */
-bool ref_put(refcount_t *ref);
-
-/**
- * Atomically replace value of ptr with newval if it currently equals oldval.
- *
- * @param ptr		pointer to variable
- * @param oldval	old value of the variable
- * @param newval	new value set if possible
- * @return			TRUE if value equaled oldval and newval was written
- */
-bool cas_bool(bool *ptr, bool oldval, bool newval);
-
-/**
- * Atomically replace value of ptr with newval if it currently equals oldval.
- *
- * @param ptr		pointer to variable
- * @param oldval	old value of the variable
- * @param newval	new value set if possible
- * @return			TRUE if value equaled oldval and newval was written
- */
-bool cas_ptr(void **ptr, void *oldval, void *newval);
-
-#endif /* HAVE_GCC_ATOMIC_OPERATIONS */
-
-/**
- * printf hook for time_t.
- *
- * Arguments are:
- *	time_t* time, bool utc
- */
-int time_printf_hook(printf_hook_data_t *data, printf_hook_spec_t *spec,
-					 const void *const *args);
-
-/**
- * printf hook for time_t deltas.
- *
- * Arguments are:
- *	time_t* begin, time_t* end
- */
-int time_delta_printf_hook(printf_hook_data_t *data, printf_hook_spec_t *spec,
-						   const void *const *args);
-
-/**
- * printf hook for memory areas.
- *
- * Arguments are:
- *	u_char *ptr, u_int len
- */
-int mem_printf_hook(printf_hook_data_t *data, printf_hook_spec_t *spec,
-					const void *const *args);
-
-#endif /** UTILS_H_ @}*/
diff --git a/src/libstrongswan/utils/backtrace.c b/src/libstrongswan/utils/backtrace.c
index b6015fb35..0b6683233 100644
--- a/src/libstrongswan/utils/backtrace.c
+++ b/src/libstrongswan/utils/backtrace.c
@@ -54,7 +54,7 @@ struct private_backtrace_t {
 #ifdef HAVE_BFD_H
 
 #include <bfd.h>
-#include <utils/hashtable.h>
+#include <collections/hashtable.h>
 #include <threading/mutex.h>
 
 /**
diff --git a/src/libstrongswan/utils/blocking_queue.c b/src/libstrongswan/utils/blocking_queue.c
deleted file mode 100644
index c70184198..000000000
--- a/src/libstrongswan/utils/blocking_queue.c
+++ /dev/null
@@ -1,129 +0,0 @@
-/*
- * Copyright (C) 2012 Tobias Brunner
- * Copyright (C) 2012 Giuliano Grassi
- * Copyright (C) 2012 Ralf Sager
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include "blocking_queue.h"
-
-#include <threading/mutex.h>
-#include <threading/thread.h>
-#include <threading/condvar.h>
-#include <utils/linked_list.h>
-
-typedef struct private_blocking_queue_t private_blocking_queue_t;
-
-/**
- * Private data of a blocking_queue_t object.
- */
-struct private_blocking_queue_t {
-
-	/**
-	 * Public part
-	 */
-	blocking_queue_t public;
-
-	/**
-	 * Linked list containing all items in the queue
-	 */
-	linked_list_t *list;
-
-	/**
-	 * Mutex used to synchronize access to the queue
-	 */
-	mutex_t *mutex;
-
-	/**
-	 * Condvar used to wait for items
-	 */
-	condvar_t *condvar;
-
-};
-
-METHOD(blocking_queue_t, enqueue, void,
-	private_blocking_queue_t *this, void *item)
-{
-	this->mutex->lock(this->mutex);
-	this->list->insert_first(this->list, item);
-	this->condvar->signal(this->condvar);
-	this->mutex->unlock(this->mutex);
-}
-
-METHOD(blocking_queue_t, dequeue, void*,
-	private_blocking_queue_t *this)
-{
-	bool oldstate;
-	void *item;
-
-
-	this->mutex->lock(this->mutex);
-	thread_cleanup_push((thread_cleanup_t)this->mutex->unlock, this->mutex);
-	/* ensure that a canceled thread does not dequeue any items */
-	thread_cancellation_point();
-	while (this->list->remove_last(this->list, &item) != SUCCESS)
-	{
-		oldstate = thread_cancelability(TRUE);
-		this->condvar->wait(this->condvar, this->mutex);
-		thread_cancelability(oldstate);
-	}
-	thread_cleanup_pop(TRUE);
-	return item;
-}
-
-METHOD(blocking_queue_t, destroy, void,
-	private_blocking_queue_t *this)
-{
-	this->list->destroy(this->list);
-	this->condvar->destroy(this->condvar);
-	this->mutex->destroy(this->mutex);
-	free(this);
-}
-
-METHOD(blocking_queue_t, destroy_offset, void,
-	private_blocking_queue_t *this, size_t offset)
-{
-	this->list->invoke_offset(this->list, offset);
-	destroy(this);
-}
-
-METHOD(blocking_queue_t, destroy_function, void,
-	private_blocking_queue_t *this, void (*fn)(void*))
-{
-	this->list->invoke_function(this->list, (linked_list_invoke_t)fn);
-	destroy(this);
-}
-
-/*
- * Described in header.
- */
-blocking_queue_t *blocking_queue_create()
-{
-	private_blocking_queue_t *this;
-
-	INIT(this,
-		.public = {
-			.enqueue = _enqueue,
-			.dequeue = _dequeue,
-			.destroy = _destroy,
-			.destroy_offset = _destroy_offset,
-			.destroy_function = _destroy_function,
-		},
-		.list = linked_list_create(),
-		.mutex = mutex_create(MUTEX_TYPE_DEFAULT),
-		.condvar = condvar_create(CONDVAR_TYPE_DEFAULT),
-	);
-
-	return &this->public;
-}
-
diff --git a/src/libstrongswan/utils/blocking_queue.h b/src/libstrongswan/utils/blocking_queue.h
deleted file mode 100644
index cf2712cf4..000000000
--- a/src/libstrongswan/utils/blocking_queue.h
+++ /dev/null
@@ -1,97 +0,0 @@
-/*
- * Copyright (C) 2012 Tobias Brunner
- * Copyright (C) 2012 Giuliano Grassi
- * Copyright (C) 2012 Ralf Sager
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup blocking_queue blocking_queue
- * @{ @ingroup utils
- */
-
-#ifndef BLOCKING_QUEUE_H_
-#define BLOCKING_QUEUE_H_
-
-typedef struct blocking_queue_t blocking_queue_t;
-
-#include <library.h>
-
-/**
- * Class implementing a synchronized blocking queue based on linked_list_t
- */
-struct blocking_queue_t {
-
-	/**
-	 * Inserts a new item at the tail of the queue
-	 *
-	 * @param item		item to insert in queue
-	 */
-	void (*enqueue)(blocking_queue_t *this, void *item);
-
-	/**
-	 * Removes the first item in the queue and returns its value.
-	 * If the queue is empty, this call blocks until a new item is inserted.
-	 *
-	 * @note This is a thread cancellation point
-	 *
-	 * @return			removed item
-	 */
-	void *(*dequeue)(blocking_queue_t *this);
-
-	/**
-	 * Destroys a blocking_queue_t object.
-	 *
-	 * @note No thread must wait in dequeue() when this function is called
-	 */
-	void (*destroy)(blocking_queue_t *this);
-
-	/**
-	 * Destroys a queue and its objects using the given destructor.
-	 *
-	 * If a queue and the contained objects should be destroyed, use
-	 * destroy_offset. The supplied offset specifies the destructor to
-	 * call on each object. The offset may be calculated using the offsetof
-	 * macro, e.g.: queue->destroy_offset(queue, offsetof(object_t, destroy));
-	 *
-	 * @note No thread must wait in dequeue() when this function is called
-	 *
-	 * @param offset	offset of the objects destructor
-	 */
-	void (*destroy_offset)(blocking_queue_t *this, size_t offset);
-
-	/**
-	 * Destroys a queue and its objects using a cleanup function.
-	 *
-	 * If a queue and its contents should get destroyed using a specific
-	 * cleanup function, use destroy_function. This is useful when the
-	 * list contains malloc()-ed blocks which should get freed,
-	 * e.g.: queue->destroy_function(queue, free);
-	 *
-	 * @note No thread must wait in dequeue() when this function is called
-	 *
-	 * @param function	function to call on each object
-	 */
-	void (*destroy_function)(blocking_queue_t *this, void (*)(void*));
-
-};
-
-/**
- * Creates an empty queue object.
- *
- * @return		blocking_queue_t object.
- */
-blocking_queue_t *blocking_queue_create();
-
-#endif /** BLOCKING_QUEUE_H_ @}*/
-
diff --git a/src/libstrongswan/utils/capabilities.c b/src/libstrongswan/utils/capabilities.c
index 34128d010..c36a76efe 100644
--- a/src/libstrongswan/utils/capabilities.c
+++ b/src/libstrongswan/utils/capabilities.c
@@ -27,7 +27,7 @@
 # include <sys/prctl.h>
 #endif /* HAVE_PRCTL */
 
-#include <debug.h>
+#include <utils/debug.h>
 
 #if !defined(HAVE_GETPWNAM_R) || !defined(HAVE_GETGRNAM_R)
 # include <threading/mutex.h>
diff --git a/src/libstrongswan/utils/chunk.c b/src/libstrongswan/utils/chunk.c
new file mode 100644
index 000000000..d7f1c31d9
--- /dev/null
+++ b/src/libstrongswan/utils/chunk.c
@@ -0,0 +1,690 @@
+/*
+ * Copyright (C) 2008-2009 Tobias Brunner
+ * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <stdio.h>
+#include <sys/stat.h>
+#include <unistd.h>
+#include <errno.h>
+#include <ctype.h>
+
+#include "chunk.h"
+#include "debug.h"
+
+/* required for chunk_hash */
+#undef get16bits
+#if (defined(__GNUC__) && defined(__i386__))
+#define get16bits(d) (*((const u_int16_t*)(d)))
+#endif
+#if !defined (get16bits)
+#define get16bits(d) ((((u_int32_t)(((const u_int8_t*)(d))[1])) << 8)\
+                      + (u_int32_t)(((const u_int8_t*)(d))[0]) )
+#endif
+
+/**
+ * Empty chunk.
+ */
+chunk_t chunk_empty = { NULL, 0 };
+
+/**
+ * Described in header.
+ */
+chunk_t chunk_create_clone(u_char *ptr, chunk_t chunk)
+{
+	chunk_t clone = chunk_empty;
+
+	if (chunk.ptr && chunk.len > 0)
+	{
+		clone.ptr = ptr;
+		clone.len = chunk.len;
+		memcpy(clone.ptr, chunk.ptr, chunk.len);
+	}
+
+	return clone;
+}
+
+/**
+ * Described in header.
+ */
+size_t chunk_length(const char* mode, ...)
+{
+	va_list chunks;
+	size_t length = 0;
+
+	va_start(chunks, mode);
+	while (TRUE)
+	{
+		switch (*mode++)
+		{
+			case 'm':
+			case 'c':
+			case 's':
+			{
+				chunk_t ch = va_arg(chunks, chunk_t);
+				length += ch.len;
+				continue;
+			}
+			default:
+				break;
+		}
+		break;
+	}
+	va_end(chunks);
+	return length;
+}
+
+/**
+ * Described in header.
+ */
+chunk_t chunk_create_cat(u_char *ptr, const char* mode, ...)
+{
+	va_list chunks;
+	chunk_t construct = chunk_create(ptr, 0);
+
+	va_start(chunks, mode);
+	while (TRUE)
+	{
+		bool free_chunk = FALSE, clear_chunk = FALSE;
+		chunk_t ch;
+
+		switch (*mode++)
+		{
+			case 's':
+				clear_chunk = TRUE;
+				/* FALL */
+			case 'm':
+				free_chunk = TRUE;
+				/* FALL */
+			case 'c':
+				ch = va_arg(chunks, chunk_t);
+				memcpy(ptr, ch.ptr, ch.len);
+				ptr += ch.len;
+				construct.len += ch.len;
+				if (clear_chunk)
+				{
+					chunk_clear(&ch);
+				}
+				else if (free_chunk)
+				{
+					free(ch.ptr);
+				}
+				continue;
+			default:
+				break;
+		}
+		break;
+	}
+	va_end(chunks);
+
+	return construct;
+}
+
+/**
+ * Described in header.
+ */
+void chunk_split(chunk_t chunk, const char *mode, ...)
+{
+	va_list chunks;
+	u_int len;
+	chunk_t *ch;
+
+	va_start(chunks, mode);
+	while (TRUE)
+	{
+		if (*mode == '\0')
+		{
+			break;
+		}
+		len = va_arg(chunks, u_int);
+		ch = va_arg(chunks, chunk_t*);
+		/* a null chunk means skip len bytes */
+		if (ch == NULL)
+		{
+			chunk = chunk_skip(chunk, len);
+			continue;
+		}
+		switch (*mode++)
+		{
+			case 'm':
+			{
+				ch->len = min(chunk.len, len);
+				if (ch->len)
+				{
+					ch->ptr = chunk.ptr;
+				}
+				else
+				{
+					ch->ptr = NULL;
+				}
+				chunk = chunk_skip(chunk, ch->len);
+				continue;
+			}
+			case 'a':
+			{
+				ch->len = min(chunk.len, len);
+				if (ch->len)
+				{
+					ch->ptr = malloc(ch->len);
+					memcpy(ch->ptr, chunk.ptr, ch->len);
+				}
+				else
+				{
+					ch->ptr = NULL;
+				}
+				chunk = chunk_skip(chunk, ch->len);
+				continue;
+			}
+			case 'c':
+			{
+				ch->len = min(ch->len, chunk.len);
+				ch->len = min(ch->len, len);
+				if (ch->len)
+				{
+					memcpy(ch->ptr, chunk.ptr, ch->len);
+				}
+				else
+				{
+					ch->ptr = NULL;
+				}
+				chunk = chunk_skip(chunk, ch->len);
+				continue;
+			}
+			default:
+				break;
+		}
+		break;
+	}
+	va_end(chunks);
+}
+
+/**
+ * Described in header.
+ */
+bool chunk_write(chunk_t chunk, char *path, char *label, mode_t mask, bool force)
+{
+	mode_t oldmask;
+	FILE *fd;
+	bool good = FALSE;
+
+	if (!force && access(path, F_OK) == 0)
+	{
+		DBG1(DBG_LIB, "  %s file '%s' already exists", label, path);
+		return FALSE;
+	}
+	oldmask = umask(mask);
+	fd = fopen(path, "w");
+	if (fd)
+	{
+		if (fwrite(chunk.ptr, sizeof(u_char), chunk.len, fd) == chunk.len)
+		{
+			DBG1(DBG_LIB, "  written %s file '%s' (%d bytes)",
+				 label, path, chunk.len);
+			good = TRUE;
+		}
+		else
+		{
+			DBG1(DBG_LIB, "  writing %s file '%s' failed: %s",
+				 label, path, strerror(errno));
+		}
+		fclose(fd);
+	}
+	else
+	{
+		DBG1(DBG_LIB, "  could not open %s file '%s': %s", label, path,
+			 strerror(errno));
+	}
+	umask(oldmask);
+	return good;
+}
+
+
+/** hex conversion digits */
+static char hexdig_upper[] = "0123456789ABCDEF";
+static char hexdig_lower[] = "0123456789abcdef";
+
+/**
+ * Described in header.
+ */
+chunk_t chunk_to_hex(chunk_t chunk, char *buf, bool uppercase)
+{
+	int i, len;
+	char *hexdig = hexdig_lower;
+
+	if (uppercase)
+	{
+		hexdig = hexdig_upper;
+	}
+
+	len = chunk.len * 2;
+	if (!buf)
+	{
+		buf = malloc(len + 1);
+	}
+	buf[len] = '\0';
+
+	for (i = 0; i < chunk.len; i++)
+	{
+		buf[i*2]   = hexdig[(chunk.ptr[i] >> 4) & 0xF];
+		buf[i*2+1] = hexdig[(chunk.ptr[i]     ) & 0xF];
+	}
+	return chunk_create(buf, len);
+}
+
+/**
+ * convert a signle hex character to its binary value
+ */
+static char hex2bin(char hex)
+{
+	switch (hex)
+	{
+		case '0' ... '9':
+			return hex - '0';
+		case 'A' ... 'F':
+			return hex - 'A' + 10;
+		case 'a' ... 'f':
+			return hex - 'a' + 10;
+		default:
+			return 0;
+	}
+}
+
+/**
+ * Described in header.
+ */
+chunk_t chunk_from_hex(chunk_t hex, char *buf)
+{
+	int i, len;
+	u_char *ptr;
+	bool odd = FALSE;
+
+   /* subtract the number of optional ':' separation characters */
+	len = hex.len;
+	ptr = hex.ptr;
+	for (i = 0; i < hex.len; i++)
+	{
+		if (*ptr++ == ':')
+		{
+			len--;
+		}
+	}
+
+	/* compute the number of binary bytes */
+	if (len % 2)
+	{
+		odd = TRUE;
+		len++;
+	}
+	len /= 2;
+
+	/* allocate buffer memory unless provided by caller */
+	if (!buf)
+	{
+		buf = malloc(len);
+	}
+
+	/* buffer is filled from the right */
+	memset(buf, 0, len);
+	hex.ptr += hex.len;
+
+	for (i = len - 1; i >= 0; i--)
+	{
+		/* skip separation characters */
+		if (*(--hex.ptr) == ':')
+		{
+			--hex.ptr;
+		}
+		buf[i] = hex2bin(*hex.ptr);
+		if (i > 0 || !odd)
+		{
+			buf[i] |= hex2bin(*(--hex.ptr)) << 4;
+		}
+	}
+	return chunk_create(buf, len);
+}
+
+/** base 64 conversion digits */
+static char b64digits[] =
+	"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
+
+/**
+ * Described in header.
+ */
+chunk_t chunk_to_base64(chunk_t chunk, char *buf)
+{
+	int i, len;
+	char *pos;
+
+	len = chunk.len + ((3 - chunk.len % 3) % 3);
+	if (!buf)
+	{
+		buf = malloc(len * 4 / 3 + 1);
+	}
+	pos = buf;
+	for (i = 0; i < len; i+=3)
+	{
+		*pos++ = b64digits[chunk.ptr[i] >> 2];
+		if (i+1 >= chunk.len)
+		{
+			*pos++ = b64digits[(chunk.ptr[i] & 0x03) << 4];
+			*pos++ = '=';
+			*pos++ = '=';
+			break;
+		}
+		*pos++ = b64digits[((chunk.ptr[i] & 0x03) << 4) | (chunk.ptr[i+1] >> 4)];
+		if (i+2 >= chunk.len)
+		{
+			*pos++ = b64digits[(chunk.ptr[i+1] & 0x0F) << 2];
+			*pos++ = '=';
+			break;
+		}
+		*pos++ = b64digits[((chunk.ptr[i+1] & 0x0F) << 2) | (chunk.ptr[i+2] >> 6)];
+		*pos++ = b64digits[chunk.ptr[i+2] & 0x3F];
+	}
+	*pos = '\0';
+	return chunk_create(buf, len * 4 / 3);
+}
+
+/**
+ * convert a base 64 digit to its binary form (inversion of b64digits array)
+ */
+static int b642bin(char b64)
+{
+	switch (b64)
+	{
+		case 'A' ... 'Z':
+			return b64 - 'A';
+		case 'a' ... 'z':
+			return ('Z' - 'A' + 1) + b64 - 'a';
+		case '0' ... '9':
+			return ('Z' - 'A' + 1) + ('z' - 'a' + 1) + b64 - '0';
+		case '+':
+		case '-':
+			return 62;
+		case '/':
+		case '_':
+			return 63;
+		case '=':
+			return 0;
+		default:
+			return -1;
+	}
+}
+
+/**
+ * Described in header.
+ */
+chunk_t chunk_from_base64(chunk_t base64, char *buf)
+{
+	u_char *pos, byte[4];
+	int i, j, len, outlen;
+
+	len = base64.len / 4 * 3;
+	if (!buf)
+	{
+		buf = malloc(len);
+	}
+	pos = base64.ptr;
+	outlen = 0;
+	for (i = 0; i < len; i+=3)
+	{
+		outlen += 3;
+		for (j = 0; j < 4; j++)
+		{
+			if (*pos == '=')
+			{
+				outlen--;
+			}
+			byte[j] = b642bin(*pos++);
+		}
+		buf[i] = (byte[0] << 2) | (byte[1] >> 4);
+		buf[i+1] = (byte[1] << 4) | (byte[2] >> 2);
+		buf[i+2] = (byte[2] << 6) | (byte[3]);
+	}
+	return chunk_create(buf, outlen);
+}
+
+/** base 32 conversion digits */
+static char b32digits[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567";
+
+/**
+ * Described in header.
+ */
+chunk_t chunk_to_base32(chunk_t chunk, char *buf)
+{
+	int i, len;
+	char *pos;
+
+	len = chunk.len + ((5 - chunk.len % 5) % 5);
+	if (!buf)
+	{
+		buf = malloc(len * 8 / 5 + 1);
+	}
+	pos = buf;
+	for (i = 0; i < len; i+=5)
+	{
+		*pos++ = b32digits[chunk.ptr[i] >> 3];
+		if (i+1 >= chunk.len)
+		{
+			*pos++ = b32digits[(chunk.ptr[i] & 0x07) << 2];
+			memset(pos, '=', 6);
+			pos += 6;
+			break;
+		}
+		*pos++ = b32digits[((chunk.ptr[i] & 0x07) << 2) |
+						   (chunk.ptr[i+1] >> 6)];
+		*pos++ = b32digits[(chunk.ptr[i+1] & 0x3E) >> 1];
+		if (i+2 >= chunk.len)
+		{
+			*pos++ = b32digits[(chunk.ptr[i+1] & 0x01) << 4];
+			memset(pos, '=', 4);
+			pos += 4;
+			break;
+		}
+		*pos++ = b32digits[((chunk.ptr[i+1] & 0x01) << 4) |
+						   (chunk.ptr[i+2] >> 4)];
+		if (i+3 >= chunk.len)
+		{
+			*pos++ = b32digits[(chunk.ptr[i+2] & 0x0F) << 1];
+			memset(pos, '=', 3);
+			pos += 3;
+			break;
+		}
+		*pos++ = b32digits[((chunk.ptr[i+2] & 0x0F) << 1) |
+						   (chunk.ptr[i+3] >> 7)];
+		*pos++ = b32digits[(chunk.ptr[i+3] & 0x7F) >> 2];
+		if (i+4 >= chunk.len)
+		{
+			*pos++ = b32digits[(chunk.ptr[i+3] & 0x03) << 3];
+			*pos++ = '=';
+			break;
+		}
+		*pos++ = b32digits[((chunk.ptr[i+3] & 0x03) << 3) |
+						   (chunk.ptr[i+4] >> 5)];
+		*pos++ = b32digits[chunk.ptr[i+4] & 0x1F];
+	}
+	*pos = '\0';
+	return chunk_create(buf, len * 8 / 5);
+}
+
+/**
+ * Described in header.
+ */
+int chunk_compare(chunk_t a, chunk_t b)
+{
+	int compare_len = a.len - b.len;
+	int len = (compare_len < 0)? a.len : b.len;
+
+	if (compare_len != 0 || len == 0)
+	{
+		return compare_len;
+	}
+	return memcmp(a.ptr, b.ptr, len);
+};
+
+
+/**
+ * Described in header.
+ */
+bool chunk_increment(chunk_t chunk)
+{
+	int i;
+
+	for (i = chunk.len - 1; i >= 0; i--)
+	{
+		if (++chunk.ptr[i] != 0)
+		{
+			return FALSE;
+		}
+	}
+	return TRUE;
+}
+
+/**
+ * Remove non-printable characters from a chunk.
+ */
+bool chunk_printable(chunk_t chunk, chunk_t *sane, char replace)
+{
+	bool printable = TRUE;
+	int i;
+
+	if (sane)
+	{
+		*sane = chunk_clone(chunk);
+	}
+	for (i = 0; i < chunk.len; i++)
+	{
+		if (!isprint(chunk.ptr[i]))
+		{
+			if (sane)
+			{
+				sane->ptr[i] = replace;
+			}
+			printable = FALSE;
+		}
+	}
+	return printable;
+}
+
+/**
+ * Described in header.
+ *
+ * The implementation is based on Paul Hsieh's SuperFastHash:
+ *	 http://www.azillionmonkeys.com/qed/hash.html
+ */
+u_int32_t chunk_hash_inc(chunk_t chunk, u_int32_t hash)
+{
+	u_char *data = chunk.ptr;
+	size_t len = chunk.len;
+	u_int32_t tmp;
+	int rem;
+
+	if (!len || data == NULL)
+	{
+		return 0;
+	}
+
+	rem = len & 3;
+	len >>= 2;
+
+	/* Main loop */
+	for (; len > 0; --len)
+	{
+		hash += get16bits(data);
+		tmp   = (get16bits(data + 2) << 11) ^ hash;
+		hash  = (hash << 16) ^ tmp;
+		data += 2 * sizeof(u_int16_t);
+		hash += hash >> 11;
+	}
+
+	/* Handle end cases */
+	switch (rem)
+	{
+		case 3:
+		{
+			hash += get16bits(data);
+			hash ^= hash << 16;
+			hash ^= data[sizeof(u_int16_t)] << 18;
+			hash += hash >> 11;
+			break;
+		}
+		case 2:
+		{
+			hash += get16bits(data);
+			hash ^= hash << 11;
+			hash += hash >> 17;
+			break;
+		}
+		case 1:
+		{
+			hash += *data;
+			hash ^= hash << 10;
+			hash += hash >> 1;
+			break;
+		}
+	}
+
+	/* Force "avalanching" of final 127 bits */
+	hash ^= hash << 3;
+	hash += hash >> 5;
+	hash ^= hash << 4;
+	hash += hash >> 17;
+	hash ^= hash << 25;
+	hash += hash >> 6;
+
+	return hash;
+}
+
+/**
+ * Described in header.
+ */
+u_int32_t chunk_hash(chunk_t chunk)
+{
+	return chunk_hash_inc(chunk, chunk.len);
+}
+
+/**
+ * Described in header.
+ */
+int chunk_printf_hook(printf_hook_data_t *data, printf_hook_spec_t *spec,
+					  const void *const *args)
+{
+	chunk_t *chunk = *((chunk_t**)(args[0]));
+	bool first = TRUE;
+	chunk_t copy = *chunk;
+	int written = 0;
+
+	if (!spec->hash)
+	{
+		u_int chunk_len = chunk->len;
+		const void *new_args[] = {&chunk->ptr, &chunk_len};
+		return mem_printf_hook(data, spec, new_args);
+	}
+
+	while (copy.len > 0)
+	{
+		if (first)
+		{
+			first = FALSE;
+		}
+		else
+		{
+			written += print_in_hook(data, ":");
+		}
+		written += print_in_hook(data, "%02x", *copy.ptr++);
+		copy.len--;
+	}
+	return written;
+}
diff --git a/src/libstrongswan/utils/chunk.h b/src/libstrongswan/utils/chunk.h
new file mode 100644
index 000000000..67848eec1
--- /dev/null
+++ b/src/libstrongswan/utils/chunk.h
@@ -0,0 +1,318 @@
+/*
+ * Copyright (C) 2008-2009 Tobias Brunner
+ * Copyright (C) 2005-2008 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup chunk chunk
+ * @{ @ingroup utils
+ */
+
+#ifndef CHUNK_H_
+#define CHUNK_H_
+
+#include <string.h>
+#include <stdarg.h>
+#include <sys/types.h>
+#ifdef HAVE_ALLOCA_H
+#include <alloca.h>
+#endif
+
+typedef struct chunk_t chunk_t;
+
+/**
+ * General purpose pointer/length abstraction.
+ */
+struct chunk_t {
+	/** Pointer to start of data */
+	u_char *ptr;
+	/** Length of data in bytes */
+	size_t len;
+};
+
+#include "utils.h"
+
+/**
+ * A { NULL, 0 }-chunk handy for initialization.
+ */
+extern chunk_t chunk_empty;
+
+/**
+ * Create a new chunk pointing to "ptr" with length "len"
+ */
+static inline chunk_t chunk_create(u_char *ptr, size_t len)
+{
+	chunk_t chunk = {ptr, len};
+	return chunk;
+}
+
+/**
+ * Create a clone of a chunk pointing to "ptr"
+ */
+chunk_t chunk_create_clone(u_char *ptr, chunk_t chunk);
+
+/**
+ * Calculate length of multiple chunks
+ */
+size_t chunk_length(const char *mode, ...);
+
+/**
+ * Concatenate chunks into a chunk pointing to "ptr".
+ *
+ * The mode string specifies the number of chunks, and how to handle each of
+ * them with a single character: 'c' for copy (allocate new chunk), 'm' for move
+ * (free given chunk) or 's' for sensitive-move (clear given chunk, then free).
+ */
+chunk_t chunk_create_cat(u_char *ptr, const char* mode, ...);
+
+/**
+ * Split up a chunk into parts, "mode" is a string of "a" (alloc),
+ * "c" (copy) and "m" (move). Each letter say for the corresponding chunk if
+ * it should get allocated on heap, copied into existing chunk, or the chunk
+ * should point into "chunk". The length of each part is an argument before
+ * each target chunk. E.g.:
+ * chunk_split(chunk, "mcac", 3, &a, 7, &b, 5, &c, d.len, &d);
+ */
+void chunk_split(chunk_t chunk, const char *mode, ...);
+
+/**
+ * Write the binary contents of a chunk_t to a file
+ *
+ * @param chunk			contents to write to file
+ * @param path			path where file is written to
+ * @param label			label specifying file type
+ * @param mask			file mode creation mask
+ * @param force			overwrite existing file by force
+ * @return				TRUE if write operation was successful
+ */
+bool chunk_write(chunk_t chunk, char *path, char *label, mode_t mask, bool force);
+
+/**
+ * Convert a chunk of data to hex encoding.
+ *
+ * The resulting string is '\\0' terminated, but the chunk does not include
+ * the '\\0'. If buf is supplied, it must hold at least (chunk.len * 2 + 1).
+ *
+ * @param chunk			data to convert to hex encoding
+ * @param buf			buffer to write to, NULL to malloc
+ * @param uppercase		TRUE to use uppercase letters
+ * @return				chunk of encoded data
+ */
+chunk_t chunk_to_hex(chunk_t chunk, char *buf, bool uppercase);
+
+/**
+ * Convert a hex encoded in a binary chunk.
+ *
+ * If buf is supplied, it must hold at least (hex.len / 2) + (hex.len % 2)
+ * bytes. It is filled by the right to give correct values for short inputs.
+ *
+ * @param hex			hex encoded input data
+ * @param buf			buffer to write decoded data, NULL to malloc
+ * @return				converted data
+ */
+chunk_t chunk_from_hex(chunk_t hex, char *buf);
+
+/**
+ * Convert a chunk of data to its base64 encoding.
+ *
+ * The resulting string is '\\0' terminated, but the chunk does not include
+ * the '\\0'. If buf is supplied, it must hold at least (chunk.len * 4 / 3 + 1).
+ *
+ * @param chunk			data to convert
+ * @param buf			buffer to write to, NULL to malloc
+ * @return				chunk of encoded data
+ */
+chunk_t chunk_to_base64(chunk_t chunk, char *buf);
+
+/**
+ * Convert a base64 in a binary chunk.
+ *
+ * If buf is supplied, it must hold at least (base64.len / 4 * 3).
+ *
+ * @param base64		base64 encoded input data
+ * @param buf			buffer to write decoded data, NULL to malloc
+ * @return				converted data
+ */
+chunk_t chunk_from_base64(chunk_t base64, char *buf);
+
+/**
+ * Convert a chunk of data to its base32 encoding.
+ *
+ * The resulting string is '\\0' terminated, but the chunk does not include
+ * the '\\0'. If buf is supplied, it must hold (chunk.len * 8 / 5 + 1) bytes.
+ *
+ * @param chunk			data to convert
+ * @param buf			buffer to write to, NULL to malloc
+ * @return				chunk of encoded data
+ */
+chunk_t chunk_to_base32(chunk_t chunk, char *buf);
+
+/**
+ * Free contents of a chunk
+ */
+static inline void chunk_free(chunk_t *chunk)
+{
+	free(chunk->ptr);
+	*chunk = chunk_empty;
+}
+
+/**
+ * Overwrite the contents of a chunk and free it
+ */
+static inline void chunk_clear(chunk_t *chunk)
+{
+	if (chunk->ptr)
+	{
+		memwipe(chunk->ptr, chunk->len);
+		chunk_free(chunk);
+	}
+}
+
+/**
+ * Initialize a chunk using a char array
+ */
+#define chunk_from_chars(...) ((chunk_t){(char[]){__VA_ARGS__}, sizeof((char[]){__VA_ARGS__})})
+
+/**
+ * Initialize a chunk to point to a thing
+ */
+#define chunk_from_thing(thing) chunk_create((char*)&(thing), sizeof(thing))
+
+/**
+ * Allocate a chunk on the heap
+ */
+#define chunk_alloc(bytes) ({size_t x = (bytes); chunk_create(x ? malloc(x) : NULL, x);})
+
+/**
+ * Allocate a chunk on the stack
+ */
+#define chunk_alloca(bytes) ({size_t x = (bytes); chunk_create(x ? alloca(x) : NULL, x);})
+
+/**
+ * Clone a chunk on heap
+ */
+#define chunk_clone(chunk) ({chunk_t x = (chunk); chunk_create_clone(x.len ? malloc(x.len) : NULL, x);})
+
+/**
+ * Clone a chunk on stack
+ */
+#define chunk_clonea(chunk) ({chunk_t x = (chunk); chunk_create_clone(x.len ? alloca(x.len) : NULL, x);})
+
+/**
+ * Concatenate chunks into a chunk on heap
+ */
+#define chunk_cat(mode, ...) chunk_create_cat(malloc(chunk_length(mode, __VA_ARGS__)), mode, __VA_ARGS__)
+
+/**
+ * Concatenate chunks into a chunk on stack
+ */
+#define chunk_cata(mode, ...) chunk_create_cat(alloca(chunk_length(mode, __VA_ARGS__)), mode, __VA_ARGS__)
+
+/**
+ * Skip n bytes in chunk (forward pointer, shorten length)
+ */
+static inline chunk_t chunk_skip(chunk_t chunk, size_t bytes)
+{
+	if (chunk.len > bytes)
+	{
+		chunk.ptr += bytes;
+		chunk.len -= bytes;
+		return chunk;
+	}
+	return chunk_empty;
+}
+
+/**
+ * Skip a leading zero-valued byte
+ */
+static inline chunk_t chunk_skip_zero(chunk_t chunk)
+{
+	if (chunk.len > 1 && *chunk.ptr == 0x00)
+	{
+		chunk.ptr++;
+		chunk.len--;
+	}
+	return chunk;
+}
+
+
+/**
+ *  Compare two chunks, returns zero if a equals b
+ *  or negative/positive if a is small/greater than b
+ */
+int chunk_compare(chunk_t a, chunk_t b);
+
+/**
+ * Compare two chunks for equality,
+ * NULL chunks are never equal.
+ */
+static inline bool chunk_equals(chunk_t a, chunk_t b)
+{
+	return a.ptr != NULL  && b.ptr != NULL &&
+			a.len == b.len && memeq(a.ptr, b.ptr, a.len);
+}
+
+/**
+ * Compare two chunks (given as pointers) for equality (useful as callback),
+ * NULL chunks are never equal.
+ */
+static inline bool chunk_equals_ptr(chunk_t *a, chunk_t *b)
+{
+	return a != NULL && b != NULL && chunk_equals(*a, *b);
+}
+
+/**
+ * Increment a chunk, as it would reprensent a network order integer.
+ *
+ * @param chunk			chunk to increment
+ * @return				TRUE if an overflow occurred
+ */
+bool chunk_increment(chunk_t chunk);
+
+/**
+ * Check if a chunk has printable characters only.
+ *
+ * If sane is given, chunk is cloned into sane and all non printable characters
+ * get replaced by "replace".
+ *
+ * @param chunk			chunk to check for printability
+ * @param sane			pointer where sane version is allocated, or NULL
+ * @param replace		character to use for replaceing unprintable characters
+ * @return				TRUE if all characters in chunk are printable
+ */
+bool chunk_printable(chunk_t chunk, chunk_t *sane, char replace);
+
+/**
+ * Computes a 32 bit hash of the given chunk.
+ * Note: This hash is only intended for hash tables not for cryptographic purposes.
+ */
+u_int32_t chunk_hash(chunk_t chunk);
+
+/**
+ * Incremental version of chunk_hash. Use this to hash two or more chunks.
+ */
+u_int32_t chunk_hash_inc(chunk_t chunk, u_int32_t hash);
+
+/**
+ * printf hook function for chunk_t.
+ *
+ * Arguments are:
+ *	chunk_t *chunk
+ * Use #-modifier to print a compact version
+ */
+int chunk_printf_hook(printf_hook_data_t *data, printf_hook_spec_t *spec,
+					  const void *const *args);
+
+#endif /** CHUNK_H_ @}*/
diff --git a/src/libstrongswan/utils/debug.c b/src/libstrongswan/utils/debug.c
new file mode 100644
index 000000000..e8c9e6b98
--- /dev/null
+++ b/src/libstrongswan/utils/debug.c
@@ -0,0 +1,112 @@
+/*
+ * Copyright (C) 2006 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <stdarg.h>
+
+#include "debug.h"
+
+ENUM(debug_names, DBG_DMN, DBG_LIB,
+	"DMN",
+	"MGR",
+	"IKE",
+	"CHD",
+	"JOB",
+	"CFG",
+	"KNL",
+	"NET",
+	"ASN",
+	"ENC",
+	"TNC",
+	"IMC",
+	"IMV",
+	"PTS",
+	"TLS",
+	"APP",
+	"ESP",
+	"LIB",
+);
+
+ENUM(debug_lower_names, DBG_DMN, DBG_LIB,
+	"dmn",
+	"mgr",
+	"ike",
+	"chd",
+	"job",
+	"cfg",
+	"knl",
+	"net",
+	"asn",
+	"enc",
+	"tnc",
+	"imc",
+	"imv",
+	"pts",
+	"tls",
+	"app",
+	"esp",
+	"lib",
+);
+
+/**
+ * level logged by the default logger
+ */
+static level_t default_level = 1;
+
+/**
+ * stream logged to by the default logger
+ */
+static FILE *default_stream = NULL;
+
+/**
+ * default dbg function which printf all to stderr
+ */
+void dbg_default(debug_t group, level_t level, char *fmt, ...)
+{
+	if (!default_stream)
+	{
+		default_stream = stderr;
+	}
+	if (level <= default_level)
+	{
+		va_list args;
+
+		va_start(args, fmt);
+		vfprintf(default_stream, fmt, args);
+		fprintf(default_stream, "\n");
+		va_end(args);
+	}
+}
+
+/**
+ * set the level logged by the default stderr logger
+ */
+void dbg_default_set_level(level_t level)
+{
+	default_level = level;
+}
+
+/**
+ * set the stream logged by dbg_default() to
+ */
+void dbg_default_set_stream(FILE *stream)
+{
+	default_stream = stream;
+}
+
+/**
+ * The registered debug hook.
+ */
+void (*dbg) (debug_t group, level_t level, char *fmt, ...) = dbg_default;
+
diff --git a/src/libstrongswan/utils/debug.h b/src/libstrongswan/utils/debug.h
new file mode 100644
index 000000000..c46d3fe55
--- /dev/null
+++ b/src/libstrongswan/utils/debug.h
@@ -0,0 +1,154 @@
+/*
+ * Copyright (C) 2006 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup debug debug
+ * @{ @ingroup utils
+ */
+
+#ifndef DEBUG_H_
+#define DEBUG_H_
+
+typedef enum debug_t debug_t;
+typedef enum level_t level_t;
+
+#include <stdio.h>
+
+#include "utils/enum.h"
+
+/**
+ * Debug message group.
+ */
+enum debug_t {
+	/** daemon specific */
+	DBG_DMN,
+	/** IKE_SA_MANAGER */
+	DBG_MGR,
+	/** IKE_SA */
+	DBG_IKE,
+	/** CHILD_SA */
+	DBG_CHD,
+	/** job processing */
+	DBG_JOB,
+	/** configuration backends */
+	DBG_CFG,
+	/** kernel interface */
+	DBG_KNL,
+	/** networking/sockets */
+	DBG_NET,
+	/** low-level encoding/decoding (ASN.1, X.509 etc.) */
+	DBG_ASN,
+	/** message encoding/decoding */
+	DBG_ENC,
+	/** trusted network connect */
+	DBG_TNC,
+	/** integrity measurement client */
+	DBG_IMC,
+	/** integrity measurement verifier */
+	DBG_IMV,
+	/** platform trust service */
+	DBG_PTS,
+	/** libtls */
+	DBG_TLS,
+	/** applications other than daemons */
+	DBG_APP,
+	/** libipsec */
+	DBG_ESP,
+	/** libstrongswan */
+	DBG_LIB,
+	/** number of groups */
+	DBG_MAX,
+	/** pseudo group with all groups */
+	DBG_ANY = DBG_MAX,
+};
+
+/**
+ * short names of debug message group.
+ */
+extern enum_name_t *debug_names;
+
+/**
+ * short names of debug message group, lower case.
+ */
+extern enum_name_t *debug_lower_names;
+
+/**
+ * Debug levels used to control output verbosity.
+ */
+enum level_t {
+	/** absolutely silent */
+	LEVEL_SILENT = -1,
+	/** most important auditing logs */
+	LEVEL_AUDIT =   0,
+	/** control flow */
+	LEVEL_CTRL =    1,
+	/** diagnose problems */
+	LEVEL_DIAG =    2,
+	/** raw binary blobs */
+	LEVEL_RAW =     3,
+	/** including sensitive data (private keys) */
+	LEVEL_PRIVATE = 4,
+};
+
+#ifndef DEBUG_LEVEL
+# define DEBUG_LEVEL 4
+#endif /* DEBUG_LEVEL */
+
+/** debug macros, they call the dbg function hook */
+#if DEBUG_LEVEL >= 0
+# define DBG0(group, fmt, ...) dbg(group, 0, fmt, ##__VA_ARGS__)
+#endif /* DEBUG_LEVEL */
+#if DEBUG_LEVEL >= 1
+# define DBG1(group, fmt, ...) dbg(group, 1, fmt, ##__VA_ARGS__)
+#endif /* DEBUG_LEVEL */
+#if DEBUG_LEVEL >= 2
+# define DBG2(group, fmt, ...) dbg(group, 2, fmt, ##__VA_ARGS__)
+#endif /* DEBUG_LEVEL */
+#if DEBUG_LEVEL >= 3
+# define DBG3(group, fmt, ...) dbg(group, 3, fmt, ##__VA_ARGS__)
+#endif /* DEBUG_LEVEL */
+#if DEBUG_LEVEL >= 4
+# define DBG4(group, fmt, ...) dbg(group, 4, fmt, ##__VA_ARGS__)
+#endif /* DEBUG_LEVEL */
+
+#ifndef DBG0
+# define DBG0(...) {}
+#endif
+#ifndef DBG1
+# define DBG1(...) {}
+#endif
+#ifndef DBG2
+# define DBG2(...) {}
+#endif
+#ifndef DBG3
+# define DBG3(...) {}
+#endif
+#ifndef DBG4
+# define DBG4(...) {}
+#endif
+
+/** dbg function hook, uses dbg_default() by default */
+extern void (*dbg) (debug_t group, level_t level, char *fmt, ...);
+
+/** default logging function */
+void dbg_default(debug_t group, level_t level, char *fmt, ...);
+
+/** set the level logged by dbg_default() */
+void dbg_default_set_level(level_t level);
+
+/** set the stream logged by dbg_default() to */
+void dbg_default_set_stream(FILE *stream);
+
+#endif /** DEBUG_H_ @}*/
diff --git a/src/libstrongswan/utils/enum.c b/src/libstrongswan/utils/enum.c
new file mode 100644
index 000000000..9b3c4d566
--- /dev/null
+++ b/src/libstrongswan/utils/enum.c
@@ -0,0 +1,81 @@
+/*
+ * Copyright (C) 2006 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <stddef.h>
+#include <stdio.h>
+
+#include <library.h>
+
+#include "enum.h"
+
+/**
+ * See header.
+ */
+char *enum_to_name(enum_name_t *e, int val)
+{
+	do
+	{
+		if (val >= e->first && val <= e->last)
+		{
+			return e->names[val - e->first];
+		}
+	}
+	while ((e = e->next));
+	return NULL;
+}
+
+/**
+ * See header.
+ */
+int enum_from_name(enum_name_t *e, char *name)
+{
+	do
+	{
+		int i, count = e->last - e->first + 1;
+
+		for (i = 0; i < count; i++)
+		{
+			if (strcaseeq(name, e->names[i]))
+			{
+				return e->first + i;
+			}
+		}
+	}
+	while ((e = e->next));
+	return -1;
+}
+
+/**
+ * Described in header.
+ */
+int enum_printf_hook(printf_hook_data_t *data, printf_hook_spec_t *spec,
+					 const void *const *args)
+{
+	enum_name_t *ed = *((enum_name_t**)(args[0]));
+	int val = *((int*)(args[1]));
+	char *name, buf[32];
+
+	name = enum_to_name(ed, val);
+	if (name == NULL)
+	{
+		snprintf(buf, sizeof(buf), "(%d)", val);
+		name = buf;
+	}
+	if (spec->minus)
+	{
+		return print_in_hook(data, "%-*s", spec->width, name);
+	}
+	return print_in_hook(data, "%*s", spec->width, name);
+}
diff --git a/src/libstrongswan/utils/enum.h b/src/libstrongswan/utils/enum.h
new file mode 100644
index 000000000..df8dbf8c1
--- /dev/null
+++ b/src/libstrongswan/utils/enum.h
@@ -0,0 +1,136 @@
+/*
+ * Copyright (C) 2009 Tobias Brunner
+ * Copyright (C) 2006-2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup enum enum
+ * @{ @ingroup utils
+ */
+
+#ifndef ENUM_H_
+#define ENUM_H_
+
+#include "printf_hook.h"
+
+typedef struct enum_name_t enum_name_t;
+
+/**
+ * Struct to store names for enums.
+ *
+ * To print the string representation of enumeration values, the strings
+ * are stored in these structures. Every enum_name contains a range
+ * of strings, multiple ranges are linked together.
+ * Use the convenience macros to define these linked ranges.
+ *
+ * For a single range, use:
+ * @code
+   ENUM(name, first, last, string1, string2, ...)
+   @endcode
+ * For multiple linked ranges, use:
+ * @code
+   ENUM_BEGIN(name, first, last, string1, string2, ...)
+     ENUM_NEXT(name, first, last, last_from_previous, string3, ...)
+     ENUM_NEXT(name, first, last, last_from_previous, string4, ...)
+   ENUM_END(name, last_from_previous)
+   @endcode
+ * The ENUM and the ENUM_END define a enum_name_t pointer with the name supplied
+ * in "name".
+ *
+ * Resolving of enum names is done using a printf hook. A printf fromat
+ * character %N is replaced by the enum string. Printf needs two arguments to
+ * resolve a %N, the enum_name_t* (the defined name in ENUM_BEGIN) followed
+ * by the numerical enum value.
+ */
+struct enum_name_t {
+	/** value of the first enum string */
+	int first;
+	/** value of the last enum string */
+	int last;
+	/** next enum_name_t in list */
+	enum_name_t *next;
+	/** array of strings containing names from first to last */
+	char *names[];
+};
+
+/**
+ * Begin a new enum_name list.
+ *
+ * @param name	name of the enum_name list
+ * @param first	enum value of the first enum string
+ * @param last	enum value of the last enum string
+ * @param ...	a list of strings
+ */
+#define ENUM_BEGIN(name, first, last, ...) static enum_name_t name##last = {first, last, NULL, { __VA_ARGS__ }}
+
+/**
+ * Continue a enum name list startetd with ENUM_BEGIN.
+ *
+ * @param name	name of the enum_name list
+ * @param first	enum value of the first enum string
+ * @param last	enum value of the last enum string
+ * @param prev	enum value of the "last" defined in ENUM_BEGIN/previous ENUM_NEXT
+ * @param ...	a list of strings
+ */
+#define ENUM_NEXT(name, first, last, prev, ...) static enum_name_t name##last = {first, last, &name##prev, { __VA_ARGS__ }}
+
+/**
+ * Complete enum name list started with ENUM_BEGIN.
+ *
+ * @param name	name of the enum_name list
+ * @param prev	enum value of the "last" defined in ENUM_BEGIN/previous ENUM_NEXT
+ */
+#define ENUM_END(name, prev) enum_name_t *name = &name##prev;
+
+/**
+ * Define a enum name with only one range.
+ *
+ * This is a convenience macro to use when a enum_name list contains only
+ * one range, and is equal as defining ENUM_BEGIN followed by ENUM_END.
+ *
+ * @param name	name of the enum_name list
+ * @param first	enum value of the first enum string
+ * @param last	enum value of the last enum string
+ * @param ...	a list of strings
+ */
+#define ENUM(name, first, last, ...) ENUM_BEGIN(name, first, last, __VA_ARGS__); ENUM_END(name, last)
+
+/**
+ * Convert a enum value to its string representation.
+ *
+ * @param e		enum names for this enum value
+ * @param val	enum value to get string for
+ * @return		string for enum, NULL if not found
+ */
+char *enum_to_name(enum_name_t *e, int val);
+
+/**
+ * Convert a enum string back to its enum value.
+ *
+ * @param e		enum names for this enum value
+ * @param name	name to get enum value for
+ * @return		enum value, -1 if not found
+ */
+int enum_from_name(enum_name_t *e, char *name);
+
+/**
+ * printf hook function for enum_names_t.
+ *
+ * Arguments are:
+ *	enum_names_t *names, int value
+ */
+int enum_printf_hook(printf_hook_data_t *data, printf_hook_spec_t *spec,
+					 const void *const *args);
+
+#endif /** ENUM_H_ @}*/
diff --git a/src/libstrongswan/utils/enumerator.c b/src/libstrongswan/utils/enumerator.c
deleted file mode 100644
index 53c94f9dd..000000000
--- a/src/libstrongswan/utils/enumerator.c
+++ /dev/null
@@ -1,560 +0,0 @@
-/*
- * Copyright (C) 2008 Tobias Brunner
- * Copyright (C) 2007 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include "enumerator.h"
-
-#include <sys/types.h>
-#include <sys/stat.h>
-#include <unistd.h>
-#include <limits.h>
-#include <stdio.h>
-#include <dirent.h>
-#include <errno.h>
-#include <string.h>
-
-#include <debug.h>
-
-/**
- * Implementation of enumerator_create_empty().enumerate
- */
-static bool enumerate_empty(enumerator_t *enumerator, ...)
-{
-	return FALSE;
-}
-
-/**
- * See header
- */
-enumerator_t* enumerator_create_empty()
-{
-	enumerator_t *this = malloc_thing(enumerator_t);
-	this->enumerate = enumerate_empty;
-	this->destroy = (void*)free;
-	return this;
-}
-
-/**
- * Enumerator implementation for directory enumerator
- */
-typedef struct {
-	/** implements enumerator_t */
-	enumerator_t public;
-	/** directory handle */
-	DIR *dir;
-	/** absolute path of current file */
-	char full[PATH_MAX];
-	/** where directory part of full ends and relative file gets written */
-	char *full_end;
-} dir_enum_t;
-
-/**
- * Implementation of enumerator_create_directory().destroy
- */
-static void destroy_dir_enum(dir_enum_t *this)
-{
-	closedir(this->dir);
-	free(this);
-}
-
-/**
- * Implementation of enumerator_create_directory().enumerate
- */
-static bool enumerate_dir_enum(dir_enum_t *this, char **relative,
-							   char **absolute, struct stat *st)
-{
-	struct dirent *entry = readdir(this->dir);
-	size_t remaining;
-	int len;
-
-	if (!entry)
-	{
-		return FALSE;
-	}
-	if (streq(entry->d_name, ".") || streq(entry->d_name, ".."))
-	{
-		return enumerate_dir_enum(this, relative, absolute, st);
-	}
-	if (relative)
-	{
-		*relative = entry->d_name;
-	}
-	if (absolute || st)
-	{
-		remaining = sizeof(this->full) - (this->full_end - this->full);
-		len = snprintf(this->full_end, remaining, "%s", entry->d_name);
-		if (len < 0 || len >= remaining)
-		{
-			DBG1(DBG_LIB, "buffer too small to enumerate file '%s'",
-				 entry->d_name);
-			return FALSE;
-		}
-		if (absolute)
-		{
-			*absolute = this->full;
-		}
-		if (st)
-		{
-			if (stat(this->full, st))
-			{
-				DBG1(DBG_LIB, "stat() on '%s' failed: %s", this->full,
-					 strerror(errno));
-				return FALSE;
-			}
-		}
-	}
-	return TRUE;
-}
-
-/**
- * See header
- */
-enumerator_t* enumerator_create_directory(const char *path)
-{
-	int len;
-	dir_enum_t *this = malloc_thing(dir_enum_t);
-	this->public.enumerate = (void*)enumerate_dir_enum;
-	this->public.destroy = (void*)destroy_dir_enum;
-
-	if (*path == '\0')
-	{
-		path = "./";
-	}
-	len = snprintf(this->full, sizeof(this->full)-1, "%s", path);
-	if (len < 0 || len >= sizeof(this->full)-1)
-	{
-		DBG1(DBG_LIB, "path string '%s' too long", path);
-		free(this);
-		return NULL;
-	}
-	/* append a '/' if not already done */
-	if (this->full[len-1] != '/')
-	{
-		this->full[len++] = '/';
-		this->full[len] = '\0';
-	}
-	this->full_end = &this->full[len];
-
-	this->dir = opendir(path);
-	if (this->dir == NULL)
-	{
-		DBG1(DBG_LIB, "opening directory '%s' failed: %s", path, strerror(errno));
-		free(this);
-		return NULL;
-	}
-	return &this->public;
-}
-
-/**
- * Enumerator implementation for directory enumerator
- */
-typedef struct {
-	/** implements enumerator_t */
-	enumerator_t public;
-	/** string to parse */
-	char *string;
-	/** current position */
-	char *pos;
-	/** separater chars */
-	const char *sep;
-	/** trim chars */
-	const char *trim;
-} token_enum_t;
-
-/**
- * Implementation of enumerator_create_token().destroy
- */
-static void destroy_token_enum(token_enum_t *this)
-{
-	free(this->string);
-	free(this);
-}
-
-/**
- * Implementation of enumerator_create_token().enumerate
- */
-static bool enumerate_token_enum(token_enum_t *this, char **token)
-{
-	const char *sep, *trim;
-	char *pos = NULL, *tmp;
-	bool last = FALSE;
-
-	/* trim leading characters/separators */
-	while (*this->pos)
-	{
-		trim = this->trim;
-		while (*trim)
-		{
-			if (*trim == *this->pos)
-			{
-				this->pos++;
-				break;
-			}
-			trim++;
-		}
-		sep = this->sep;
-		while (*sep)
-		{
-			if (*sep == *this->pos)
-			{
-				this->pos++;
-				break;
-			}
-			sep++;
-		}
-		if (!*trim && !*sep)
-		{
-			break;
-		}
-	}
-
-	switch (*this->pos)
-	{
-		case '"':
-		case '\'':
-		{
-			/* read quoted token */
-			tmp = strchr(this->pos + 1, *this->pos);
-			if (tmp)
-			{
-				*token = this->pos + 1;
-				*tmp = '\0';
-				this->pos = tmp + 1;
-				return TRUE;
-			}
-			/* unterminated string, FALL-THROUGH */
-		}
-		default:
-		{
-			/* find nearest separator */
-			sep = this->sep;
-			while (*sep)
-			{
-				tmp = strchr(this->pos, *sep);
-				if (tmp && (pos == NULL || tmp < pos))
-				{
-					pos = tmp;
-				}
-				sep++;
-			}
-			*token = this->pos;
-			if (pos)
-			{
-				*pos = '\0';
-				this->pos = pos + 1;
-			}
-			else
-			{
-				last = TRUE;
-				pos = this->pos = strchr(this->pos, '\0');
-			}
-			break;
-		}
-	}
-
-	/* trim trailing characters/separators */
-	pos--;
-	while (pos >= *token)
-	{
-		trim = this->trim;
-		while (*trim)
-		{
-			if (*trim == *pos)
-			{
-				*(pos--) = '\0';
-				break;
-			}
-			trim++;
-		}
-		sep = this->sep;
-		while (*sep)
-		{
-			if (*sep == *pos)
-			{
-				*(pos--) = '\0';
-				break;
-			}
-			sep++;
-		}
-		if (!*trim && !*sep)
-		{
-			break;
-		}
-	}
-
-	if (!last || pos >= *token)
-	{
-		return TRUE;
-	}
-	return FALSE;
-}
-
-/**
- * See header
- */
-enumerator_t* enumerator_create_token(const char *string, const char *sep,
-									  const char *trim)
-{
-	token_enum_t *enumerator = malloc_thing(token_enum_t);
-
-	enumerator->public.enumerate = (void*)enumerate_token_enum;
-	enumerator->public.destroy = (void*)destroy_token_enum;
-	enumerator->string = strdup(string);
-	enumerator->pos = enumerator->string;
-	enumerator->sep = sep;
-	enumerator->trim = trim;
-
-	return &enumerator->public;
-}
-
-/**
- * enumerator for nested enumerations
- */
-typedef struct {
-	/* implements enumerator_t */
-	enumerator_t public;
-	/* outer enumerator */
-	enumerator_t *outer;
-	/* inner enumerator */
-	enumerator_t *inner;
-	/* constructor for inner enumerator */
-	enumerator_t *(*create_inner)(void *outer, void *data);
-	/* data to pass to constructor above */
-	void *data;
-	/* destructor for data */
-	void (*destroy_data)(void *data);
-} nested_enumerator_t;
-
-
-/**
- * Implementation of enumerator_create_nested().enumerate()
- */
-static bool enumerate_nested(nested_enumerator_t *this, void *v1, void *v2,
-							 void *v3, void *v4, void *v5)
-{
-	while (TRUE)
-	{
-		while (this->inner == NULL)
-		{
-			void *outer;
-
-			if (!this->outer->enumerate(this->outer, &outer))
-			{
-				return FALSE;
-			}
-			this->inner = this->create_inner(outer, this->data);
-		}
-		if (this->inner->enumerate(this->inner, v1, v2, v3, v4, v5))
-		{
-			return TRUE;
-		}
-		this->inner->destroy(this->inner);
-		this->inner = NULL;
-	}
-}
-
-/**
- * Implementation of enumerator_create_nested().destroy()
- **/
-static void destroy_nested(nested_enumerator_t *this)
-{
-	if (this->destroy_data)
-	{
-		this->destroy_data(this->data);
-	}
-	DESTROY_IF(this->inner);
-	this->outer->destroy(this->outer);
-	free(this);
-}
-
-/**
- * See header
- */
-enumerator_t *enumerator_create_nested(enumerator_t *outer,
-					enumerator_t *(inner_constructor)(void *outer, void *data),
-					void *data, void (*destroy_data)(void *data))
-{
-	nested_enumerator_t *enumerator = malloc_thing(nested_enumerator_t);
-
-	enumerator->public.enumerate = (void*)enumerate_nested;
-	enumerator->public.destroy = (void*)destroy_nested;
-	enumerator->outer = outer;
-	enumerator->inner = NULL;
-	enumerator->create_inner = (void*)inner_constructor;
-	enumerator->data = data;
-	enumerator->destroy_data = destroy_data;
-
-	return &enumerator->public;
-}
-
-/**
- * enumerator for filtered enumerator
- */
-typedef struct {
-	enumerator_t public;
-	enumerator_t *unfiltered;
-	void *data;
-	bool (*filter)(void *data, ...);
-	void (*destructor)(void *data);
-} filter_enumerator_t;
-
-/**
- * Implementation of enumerator_create_filter().destroy
- */
-static void destroy_filter(filter_enumerator_t *this)
-{
-	if (this->destructor)
-	{
-		this->destructor(this->data);
-	}
-	this->unfiltered->destroy(this->unfiltered);
-	free(this);
-}
-
-/**
- * Implementation of enumerator_create_filter().enumerate
- */
-static bool enumerate_filter(filter_enumerator_t *this, void *o1, void *o2,
-							 void *o3, void *o4, void *o5)
-{
-	void *i1, *i2, *i3, *i4, *i5;
-
-	while (this->unfiltered->enumerate(this->unfiltered, &i1, &i2, &i3, &i4, &i5))
-	{
-		if (this->filter(this->data, &i1, o1, &i2, o2, &i3, o3, &i4, o4, &i5, o5))
-		{
-			return TRUE;
-		}
-	}
-	return FALSE;
-}
-
-/**
- * see header
- */
-enumerator_t *enumerator_create_filter(enumerator_t *unfiltered,
-									   bool (*filter)(void *data, ...),
-									   void *data, void (*destructor)(void *data))
-{
-	filter_enumerator_t *this = malloc_thing(filter_enumerator_t);
-
-	this->public.enumerate = (void*)enumerate_filter;
-	this->public.destroy = (void*)destroy_filter;
-	this->unfiltered = unfiltered;
-	this->filter = filter;
-	this->data = data;
-	this->destructor = destructor;
-
-	return &this->public;
-}
-
-/**
- * enumerator for cleaner enumerator
- */
-typedef struct {
-	enumerator_t public;
-	enumerator_t *wrapped;
-	void (*cleanup)(void *data);
-	void *data;
-} cleaner_enumerator_t;
-
-/**
- * Implementation of enumerator_create_cleanup().destroy
- */
-static void destroy_cleaner(cleaner_enumerator_t *this)
-{
-	this->cleanup(this->data);
-	this->wrapped->destroy(this->wrapped);
-	free(this);
-}
-
-/**
- * Implementation of enumerator_create_cleaner().enumerate
- */
-static bool enumerate_cleaner(cleaner_enumerator_t *this, void *v1, void *v2,
-							  void *v3, void *v4, void *v5)
-{
-	return this->wrapped->enumerate(this->wrapped, v1, v2, v3, v4, v5);
-}
-
-/**
- * see header
- */
-enumerator_t *enumerator_create_cleaner(enumerator_t *wrapped,
-										void (*cleanup)(void *data), void *data)
-{
-	cleaner_enumerator_t *this = malloc_thing(cleaner_enumerator_t);
-
-	this->public.enumerate = (void*)enumerate_cleaner;
-	this->public.destroy = (void*)destroy_cleaner;
-	this->wrapped = wrapped;
-	this->cleanup = cleanup;
-	this->data = data;
-
-	return &this->public;
-}
-
-/**
- * enumerator for single enumerator
- */
-typedef struct {
-	enumerator_t public;
-	void *item;
-	void (*cleanup)(void *item);
-	bool done;
-} single_enumerator_t;
-
-/**
- * Implementation of enumerator_create_single().destroy
- */
-static void destroy_single(single_enumerator_t *this)
-{
-	if (this->cleanup)
-	{
-		this->cleanup(this->item);
-	}
-	free(this);
-}
-
-/**
- * Implementation of enumerator_create_single().enumerate
- */
-static bool enumerate_single(single_enumerator_t *this, void **item)
-{
-	if (this->done)
-	{
-		return FALSE;
-	}
-	*item = this->item;
-	this->done = TRUE;
-	return TRUE;
-}
-
-/**
- * see header
- */
-enumerator_t *enumerator_create_single(void *item, void (*cleanup)(void *item))
-{
-	single_enumerator_t *this = malloc_thing(single_enumerator_t);
-
-	this->public.enumerate = (void*)enumerate_single;
-	this->public.destroy = (void*)destroy_single;
-	this->item = item;
-	this->cleanup = cleanup;
-	this->done = FALSE;
-
-	return &this->public;
-}
-
diff --git a/src/libstrongswan/utils/enumerator.h b/src/libstrongswan/utils/enumerator.h
deleted file mode 100644
index 8c3d70173..000000000
--- a/src/libstrongswan/utils/enumerator.h
+++ /dev/null
@@ -1,159 +0,0 @@
-/*
- * Copyright (C) 2007 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup enumerator enumerator
- * @{ @ingroup utils
- */
-
-#ifndef ENUMERATOR_H_
-#define ENUMERATOR_H_
-
-typedef struct enumerator_t enumerator_t;
-
-#include "../utils.h"
-
-/**
- * Enumerator interface, allows enumeration over collections.
- */
-struct enumerator_t {
-
-	/**
-	 * Enumerate collection.
-	 *
-	 * The enumerate function takes a variable argument list containing
-	 * pointers where the enumerated values get written.
-	 *
-	 * @param ...	variable list of enumerated items, implementation dependent
-	 * @return		TRUE if pointers returned
-	 */
-	bool (*enumerate)(enumerator_t *this, ...);
-
-	/**
-	 * Destroy a enumerator instance.
-	 */
-	void (*destroy)(enumerator_t *this);
-};
-
-/**
- * Create an enumerator which enumerates over nothing
- *
- * @return			an enumerator over no values
- */
-enumerator_t* enumerator_create_empty();
-
-/**
- * Create an enumerator which enumerates over a single item
- *
- * @param item		item to enumerate
- * @param cleanup	cleanup function called on destroy with the item
- * @return			an enumerator over a single value
- */
-enumerator_t *enumerator_create_single(void *item, void (*cleanup)(void *item));
-
-/**
- * Create an enumerator over files/subdirectories in a directory.
- *
- * This enumerator_t.enumerate() function returns a (to the directory) relative
- * filename (as a char*), an absolute filename (as a char*) and a file status
- * (to a struct stat), which all may be NULL. "." and ".." entries are
- * skipped. Example:
- *
- * @code
-	char *rel, *abs;
-	struct stat st;
-	enumerator_t *e;
-
-	e = enumerator_create_directory("/tmp");
-	if (e)
-	{
-		while (e->enumerate(e, &rel, &abs, &st))
-		{
-			if (S_ISDIR(st.st_mode) && *rel != '.')
-			{
-				printf("%s\n", abs);
-			}
-		}
-		e->destroy(e);
-	}
-   @endcode
- *
- * @param path		path of the directory
- * @return 			the directory enumerator, NULL on failure
- */
-enumerator_t* enumerator_create_directory(const char *path);
-
-/**
- * Create an enumerator over tokens of a string.
- *
- * Tokens are separated by one of the characters in sep and trimmed by the
- * characters in trim.
- *
- * @param string	string to parse
- * @param sep		separator characters
- * @param trim		characters to trim from tokens
- * @return			enumerator over char* tokens
- */
-enumerator_t* enumerator_create_token(const char *string, const char *sep,
-									  const char *trim);
-
-/**
- * Creates an enumerator which enumerates over enumerated enumerators :-).
- *
- * The variable argument list of enumeration values is limit to 5.
- *
- * @param outer					outer enumerator
- * @param inner_constructor		constructor to inner enumerator
- * @param data					data to pass to each inner_constructor call
- * @param destroy_data			destructor to pass to data
- * @return						the nested enumerator
- */
-enumerator_t *enumerator_create_nested(enumerator_t *outer,
-					enumerator_t *(*inner_constructor)(void *outer, void *data),
-					void *data, void (*destroy_data)(void *data));
-
-/**
- * Creates an enumerator which filters output of another enumerator.
- *
- * The filter function receives the user supplied "data" followed by a
- * unfiltered enumeration item, followed by an output pointer where to write
- * the filtered data. Then the next input/output pair follows.
- * It returns TRUE to deliver the
- * values to the caller of enumerate(), FALSE to filter this enumeration.
- *
- * The variable argument list of enumeration values is limit to 5.
- *
- * @param unfiltered			unfiltered enumerator to wrap, gets destroyed
- * @param filter				filter function
- * @param data					user data to supply to filter
- * @param destructor			destructor function to clean up data after use
- * @return						the filtered enumerator
- */
-enumerator_t *enumerator_create_filter(enumerator_t *unfiltered,
-					bool (*filter)(void *data, ...),
-					void *data, void (*destructor)(void *data));
-
-/**
- * Create an enumerator wrapper which does a cleanup on destroy.
- *
- * @param wrapped				wrapped enumerator
- * @param cleanup				cleanup function called on destroy
- * @param data					user data to supply to cleanup
- * @return						the enumerator with cleanup
- */
-enumerator_t *enumerator_create_cleaner(enumerator_t *wrapped,
-					void (*cleanup)(void *data), void *data);
-
-#endif /** ENUMERATOR_H_ @}*/
diff --git a/src/libstrongswan/utils/hashtable.c b/src/libstrongswan/utils/hashtable.c
deleted file mode 100644
index d181d8ec8..000000000
--- a/src/libstrongswan/utils/hashtable.c
+++ /dev/null
@@ -1,444 +0,0 @@
-/*
- * Copyright (C) 2008-2012 Tobias Brunner
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-
-#include "hashtable.h"
-
-/** The maximum capacity of the hash table (MUST be a power of 2) */
-#define MAX_CAPACITY (1 << 30)
-
-typedef struct pair_t pair_t;
-
-/**
- * This pair holds a pointer to the key and value it represents.
- */
-struct pair_t {
-	/**
-	 * Key of a hash table item.
-	 */
-	void *key;
-
-	/**
-	 * Value of a hash table item.
-	 */
-	void *value;
-
-	/**
-	 * Cached hash (used in case of a resize).
-	 */
-	u_int hash;
-
-	/**
-	 * Next pair in an overflow list.
-	 */
-	pair_t *next;
-};
-
-/**
- * Creates an empty pair object.
- */
-static inline pair_t *pair_create(void *key, void *value, u_int hash)
-{
-	pair_t *this;
-
-	INIT(this,
-		.key = key,
-		.value = value,
-		.hash = hash,
-	);
-
-	return this;
-}
-
-typedef struct private_hashtable_t private_hashtable_t;
-
-/**
- * Private data of a hashtable_t object.
- *
- */
-struct private_hashtable_t {
-	/**
-	 * Public part of hash table.
-	 */
-	hashtable_t public;
-
-	/**
-	 * The number of items in the hash table.
-	 */
-	u_int count;
-
-	/**
-	 * The current capacity of the hash table (always a power of 2).
-	 */
-	u_int capacity;
-
-	/**
-	 * The current mask to calculate the row index (capacity - 1).
-	 */
-	u_int mask;
-
-	/**
-	 * The load factor.
-	 */
-	float load_factor;
-
-	/**
-	 * The actual table.
-	 */
-	pair_t **table;
-
-	/**
-	 * The hashing function.
-	 */
-	hashtable_hash_t hash;
-
-	/**
-	 * The equality function.
-	 */
-	hashtable_equals_t equals;
-};
-
-typedef struct private_enumerator_t private_enumerator_t;
-
-/**
- * hash table enumerator implementation
- */
-struct private_enumerator_t {
-
-	/**
-	 * implements enumerator interface
-	 */
-	enumerator_t enumerator;
-
-	/**
-	 * associated hash table
-	 */
-	private_hashtable_t *table;
-
-	/**
-	 * current row index
-	 */
-	u_int row;
-
-	/**
-	 * number of remaining items in hashtable
-	 */
-	u_int count;
-
-	/**
-	 * current pair
-	 */
-	pair_t *current;
-
-	/**
-	 * previous pair (used by remove_at)
-	 */
-	pair_t *prev;
-
-};
-
-/**
- * This function returns the next-highest power of two for the given number.
- * The algorithm works by setting all bits on the right-hand side of the most
- * significant 1 to 1 and then increments the whole number so it rolls over
- * to the nearest power of two. Note: returns 0 for n == 0
- */
-static u_int get_nearest_powerof2(u_int n)
-{
-	u_int i;
-
-	--n;
-	for (i = 1; i < sizeof(u_int) * 8; i <<= 1)
-	{
-		n |= n >> i;
-	}
-	return ++n;
-}
-
-/**
- * Init hash table parameters
- */
-static void init_hashtable(private_hashtable_t *this, u_int capacity)
-{
-	capacity = max(1, min(capacity, MAX_CAPACITY));
-	this->capacity = get_nearest_powerof2(capacity);
-	this->mask = this->capacity - 1;
-	this->load_factor = 0.75;
-
-	this->table = calloc(this->capacity, sizeof(pair_t*));
-}
-
-/**
- * Double the size of the hash table and rehash all the elements.
- */
-static void rehash(private_hashtable_t *this)
-{
-	pair_t **old_table;
-	u_int row, old_capacity;
-
-	if (this->capacity >= MAX_CAPACITY)
-	{
-		return;
-	}
-
-	old_capacity = this->capacity;
-	old_table = this->table;
-
-	init_hashtable(this, old_capacity << 1);
-
-	for (row = 0; row < old_capacity; row++)
-	{
-		pair_t *pair, *next;
-		u_int new_row;
-
-		pair = old_table[row];
-		while (pair)
-		{	/* insert pair at the front of new bucket*/
-			next = pair->next;
-			new_row = pair->hash & this->mask;
-			pair->next = this->table[new_row];
-			this->table[new_row] = pair;
-			pair = next;
-		}
-	}
-	free(old_table);
-}
-
-METHOD(hashtable_t, put, void*,
-	   private_hashtable_t *this, void *key, void *value)
-{
-	void *old_value = NULL;
-	pair_t *pair;
-	u_int hash, row;
-
-	hash = this->hash(key);
-	row = hash & this->mask;
-	pair = this->table[row];
-	while (pair)
-	{	/* search existing bucket for key */
-		if (this->equals(key, pair->key))
-		{
-			old_value = pair->value;
-			pair->value = value;
-			pair->key = key;
-			break;
-		}
-		pair = pair->next;
-	}
-	if (!pair)
-	{	/* insert at the front of bucket */
-		pair = pair_create(key, value, hash);
-		pair->next = this->table[row];
-		this->table[row] = pair;
-		this->count++;
-	}
-	if (this->count >= this->capacity * this->load_factor)
-	{
-		rehash(this);
-	}
-	return old_value;
-}
-
-static void *get_internal(private_hashtable_t *this, void *key,
-						  hashtable_equals_t equals)
-{
-	void *value = NULL;
-	pair_t *pair;
-
-	if (!this->count)
-	{	/* no need to calculate the hash */
-		return NULL;
-	}
-
-	pair = this->table[this->hash(key) & this->mask];
-	while (pair)
-	{
-		if (equals(key, pair->key))
-		{
-			value = pair->value;
-			break;
-		}
-		pair = pair->next;
-	}
-	return value;
-}
-
-METHOD(hashtable_t, get, void*,
-	   private_hashtable_t *this, void *key)
-{
-	return get_internal(this, key, this->equals);
-}
-
-METHOD(hashtable_t, get_match, void*,
-	   private_hashtable_t *this, void *key, hashtable_equals_t match)
-{
-	return get_internal(this, key, match);
-}
-
-METHOD(hashtable_t, remove_, void*,
-	   private_hashtable_t *this, void *key)
-{
-	void *value = NULL;
-	pair_t *pair, *prev = NULL;
-	u_int row;
-
-	row = this->hash(key) & this->mask;
-	pair = this->table[row];
-	while (pair)
-	{
-		if (this->equals(key, pair->key))
-		{
-			if (prev)
-			{
-				prev->next = pair->next;
-			}
-			else
-			{
-				this->table[row] = pair->next;
-			}
-			value = pair->value;
-			this->count--;
-			free(pair);
-			break;
-		}
-		prev = pair;
-		pair = pair->next;
-	}
-	return value;
-}
-
-METHOD(hashtable_t, remove_at, void,
-	   private_hashtable_t *this, private_enumerator_t *enumerator)
-{
-	if (enumerator->table == this && enumerator->current)
-	{
-		pair_t *current = enumerator->current;
-		if (enumerator->prev)
-		{
-			enumerator->prev->next = current->next;
-		}
-		else
-		{
-			this->table[enumerator->row] = current->next;
-		}
-		enumerator->current = enumerator->prev;
-		free(current);
-		this->count--;
-	}
-}
-
-METHOD(hashtable_t, get_count, u_int,
-	   private_hashtable_t *this)
-{
-	return this->count;
-}
-
-METHOD(enumerator_t, enumerate, bool,
-	   private_enumerator_t *this, void **key, void **value)
-{
-	while (this->count && this->row < this->table->capacity)
-	{
-		this->prev = this->current;
-		if (this->current)
-		{
-			this->current = this->current->next;
-		}
-		else
-		{
-			this->current = this->table->table[this->row];
-		}
-		if (this->current)
-		{
-			if (key)
-			{
-				*key = this->current->key;
-			}
-			if (value)
-			{
-				*value = this->current->value;
-			}
-			this->count--;
-			return TRUE;
-		}
-		this->row++;
-	}
-	return FALSE;
-}
-
-METHOD(hashtable_t, create_enumerator, enumerator_t*,
-	   private_hashtable_t *this)
-{
-	private_enumerator_t *enumerator;
-
-	INIT(enumerator,
-		.enumerator = {
-			.enumerate = (void*)_enumerate,
-			.destroy = (void*)free,
-		},
-		.table = this,
-		.count = this->count,
-	);
-
-	return &enumerator->enumerator;
-}
-
-METHOD(hashtable_t, destroy, void,
-	   private_hashtable_t *this)
-{
-	pair_t *pair, *next;
-	u_int row;
-
-	for (row = 0; row < this->capacity; row++)
-	{
-		pair = this->table[row];
-		while (pair)
-		{
-			next = pair->next;
-			free(pair);
-			pair = next;
-		}
-	}
-	free(this->table);
-	free(this);
-}
-
-/*
- * Described in header.
- */
-hashtable_t *hashtable_create(hashtable_hash_t hash, hashtable_equals_t equals,
-							  u_int capacity)
-{
-	private_hashtable_t *this;
-
-	INIT(this,
-		.public = {
-			.put = _put,
-			.get = _get,
-			.get_match = _get_match,
-			.remove = _remove_,
-			.remove_at = (void*)_remove_at,
-			.get_count = _get_count,
-			.create_enumerator = _create_enumerator,
-			.destroy = _destroy,
-		},
-		.hash = hash,
-		.equals = equals,
-	);
-
-	init_hashtable(this, capacity);
-
-	return &this->public;
-}
-
diff --git a/src/libstrongswan/utils/hashtable.h b/src/libstrongswan/utils/hashtable.h
deleted file mode 100644
index 0a21ca373..000000000
--- a/src/libstrongswan/utils/hashtable.h
+++ /dev/null
@@ -1,138 +0,0 @@
-/*
- * Copyright (C) 2008-2012 Tobias Brunner
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup hashtable hashtable
- * @{ @ingroup utils
- */
-
-#ifndef HASHTABLE_H_
-#define HASHTABLE_H_
-
-#include <utils/enumerator.h>
-
-typedef struct hashtable_t hashtable_t;
-
-/**
- * Prototype for a function that computes the hash code from the given key.
- *
- * @param key			key to hash
- * @return				hash code
- */
-typedef u_int (*hashtable_hash_t)(void *key);
-
-/**
- * Prototype for a function that compares the two keys for equality.
- *
- * @param key			first key (the one we are looking for)
- * @param other_key		second key
- * @return				TRUE if the keys are equal
- */
-typedef bool (*hashtable_equals_t)(void *key, void *other_key);
-
-/**
- * Class implementing a hash table.
- *
- * General purpose hash table. This hash table is not synchronized.
- */
-struct hashtable_t {
-
-	/**
-	 * Create an enumerator over the hash table key/value pairs.
-	 *
-	 * @return			enumerator over (void *key, void *value)
-	 */
-	enumerator_t *(*create_enumerator) (hashtable_t *this);
-
-	/**
-	 * Adds the given value with the given key to the hash table, if there
-	 * exists no entry with that key. NULL is returned in this case.
-	 * Otherwise the existing value is replaced and the function returns the
-	 * old value.
-	 *
-	 * @param key		the key to store
-	 * @param value		the value to store
-	 * @return			NULL if no item was replaced, the old value otherwise
-	 */
-	void *(*put) (hashtable_t *this, void *key, void *value);
-
-	/**
-	 * Returns the value with the given key, if the hash table contains such an
-	 * entry, otherwise NULL is returned.
-	 *
-	 * @param key		the key of the requested value
-	 * @return			the value, NULL if not found
-	 */
-	void *(*get) (hashtable_t *this, void *key);
-
-	/**
-	 * Returns the value with a matching key, if the hash table contains such an
-	 * entry, otherwise NULL is returned.
-	 *
-	 * Compared to get() the given match function is used to compare the keys
-	 * for equality.  The hash function does have to be deviced properly in
-	 * order to make this work if the match function compares keys differently
-	 * than the equals function provided to the constructor.  This basically
-	 * allows to enumerate all entries with the same hash value.
-	 *
-	 * @param key		the key to match against
-	 * @param match		match function to be used when comparing keys
-	 * @return			the value, NULL if not found
-	 */
-	void *(*get_match) (hashtable_t *this, void *key, hashtable_equals_t match);
-
-	/**
-	 * Removes the value with the given key from the hash table and returns the
-	 * removed value (or NULL if no such value existed).
-	 *
-	 * @param key		the key of the value to remove
-	 * @return			the removed value, NULL if not found
-	 */
-	void *(*remove) (hashtable_t *this, void *key);
-
-	/**
-	 * Removes the key and value pair from the hash table at which the given
-	 * enumerator currently points.
-	 *
-	 * @param enumerator	enumerator, from create_enumerator
-	 */
-	void (*remove_at) (hashtable_t *this, enumerator_t *enumerator);
-
-	/**
-	 * Gets the number of items in the hash table.
-	 *
-	 * @return			number of items
-	 */
-	u_int (*get_count) (hashtable_t *this);
-
-	/**
-	 * Destroys a hash table object.
-	 */
-	void (*destroy) (hashtable_t *this);
-
-};
-
-/**
- * Creates an empty hash table object.
- *
- * @param hash			hash function
- * @param equals		equals function
- * @param capacity		initial capacity
- * @return				hashtable_t object.
- */
-hashtable_t *hashtable_create(hashtable_hash_t hash, hashtable_equals_t equals,
-							  u_int capacity);
-
-#endif /** HASHTABLE_H_ @}*/
diff --git a/src/libstrongswan/utils/host.c b/src/libstrongswan/utils/host.c
deleted file mode 100644
index e17b6ad02..000000000
--- a/src/libstrongswan/utils/host.c
+++ /dev/null
@@ -1,616 +0,0 @@
-/*
- * Copyright (C) 2006-2009 Tobias Brunner
- * Copyright (C) 2006 Daniel Roethlisberger
- * Copyright (C) 2005-2006 Martin Willi
- * Copyright (C) 2005 Jan Hutter
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#define _GNU_SOURCE
-#include <sys/socket.h>
-#include <netdb.h>
-#include <string.h>
-
-#include "host.h"
-
-#include <debug.h>
-
-#define IPV4_LEN	 4
-#define IPV6_LEN	16
-
-typedef struct private_host_t private_host_t;
-
-/**
- * Private Data of a host object.
- */
-struct private_host_t {
-	/**
-	 * Public data
-	 */
-	host_t public;
-
-	/**
-	 * low-lewel structure, which stores the address
-	 */
-	union {
-		/** generic type */
-		struct sockaddr address;
-		/** maximum sockaddr size */
-		struct sockaddr_storage address_max;
-		/** IPv4 address */
-		struct sockaddr_in address4;
-		/** IPv6 address */
-		struct sockaddr_in6 address6;
-	};
-	/**
-	 * length of address structure
-	 */
-	socklen_t socklen;
-};
-
-
-METHOD(host_t, get_sockaddr, sockaddr_t*,
-	private_host_t *this)
-{
-	return &(this->address);
-}
-
-METHOD(host_t, get_sockaddr_len, socklen_t*,
-	private_host_t *this)
-{
-	return &(this->socklen);
-}
-
-METHOD(host_t, is_anyaddr, bool,
-	private_host_t *this)
-{
-	static const u_int8_t zeroes[IPV6_LEN];
-
-	switch (this->address.sa_family)
-	{
-		case AF_INET:
-		{
-			return memeq(zeroes, &(this->address4.sin_addr.s_addr), IPV4_LEN);
-		}
-		case AF_INET6:
-		{
-			return memeq(zeroes, &(this->address6.sin6_addr.s6_addr), IPV6_LEN);
-		}
-		default:
-		{
-			return FALSE;
-		}
-	}
-}
-
-/**
- * Described in header.
- */
-int host_printf_hook(printf_hook_data_t *data, printf_hook_spec_t *spec,
-					 const void *const *args)
-{
-	private_host_t *this = *((private_host_t**)(args[0]));
-	char buffer[INET6_ADDRSTRLEN + 16];
-
-	if (this == NULL)
-	{
-		snprintf(buffer, sizeof(buffer), "(null)");
-	}
-	else if (is_anyaddr(this) && !spec->plus)
-	{
-		snprintf(buffer, sizeof(buffer), "%%any%s",
-				 this->address.sa_family == AF_INET6 ? "6" : "");
-	}
-	else
-	{
-		void *address;
-		u_int16_t port;
-		int len;
-
-		address = &this->address6.sin6_addr;
-		port = this->address6.sin6_port;
-
-		switch (this->address.sa_family)
-		{
-			case AF_INET:
-				address = &this->address4.sin_addr;
-				port = this->address4.sin_port;
-				/* fall */
-			case AF_INET6:
-
-				if (inet_ntop(this->address.sa_family, address,
-							  buffer, sizeof(buffer)) == NULL)
-				{
-					snprintf(buffer, sizeof(buffer),
-							 "(address conversion failed)");
-				}
-				else if (spec->hash)
-				{
-					len = strlen(buffer);
-					snprintf(buffer + len, sizeof(buffer) - len,
-							 "[%d]", ntohs(port));
-				}
-				break;
-			default:
-				snprintf(buffer, sizeof(buffer), "(family not supported)");
-				break;
-		}
-	}
-	if (spec->minus)
-	{
-		return print_in_hook(data, "%-*s", spec->width, buffer);
-	}
-	return print_in_hook(data, "%*s", spec->width, buffer);
-}
-
-METHOD(host_t, get_address, chunk_t,
-	private_host_t *this)
-{
-	chunk_t address = chunk_empty;
-
-	switch (this->address.sa_family)
-	{
-		case AF_INET:
-		{
-			address.ptr = (char*)&(this->address4.sin_addr.s_addr);
-			address.len = IPV4_LEN;
-			return address;
-		}
-		case AF_INET6:
-		{
-			address.ptr = (char*)&(this->address6.sin6_addr.s6_addr);
-			address.len = IPV6_LEN;
-			return address;
-		}
-		default:
-		{
-			/* return empty chunk */
-			return address;
-		}
-	}
-}
-
-METHOD(host_t, get_family, int,
-	private_host_t *this)
-{
-	return this->address.sa_family;
-}
-
-METHOD(host_t, get_port, u_int16_t,
-	private_host_t *this)
-{
-	switch (this->address.sa_family)
-	{
-		case AF_INET:
-		{
-			return ntohs(this->address4.sin_port);
-		}
-		case AF_INET6:
-		{
-			return ntohs(this->address6.sin6_port);
-		}
-		default:
-		{
-			return 0;
-		}
-	}
-}
-
-METHOD(host_t, set_port, void,
-	private_host_t *this, u_int16_t port)
-{
-	switch (this->address.sa_family)
-	{
-		case AF_INET:
-		{
-			this->address4.sin_port = htons(port);
-			break;
-		}
-		case AF_INET6:
-		{
-			this->address6.sin6_port = htons(port);
-			break;
-		}
-		default:
-		{
-			break;
-		}
-	}
-}
-
-METHOD(host_t, clone_, host_t*,
-	private_host_t *this)
-{
-	private_host_t *new;
-
-	new = malloc_thing(private_host_t);
-	memcpy(new, this, sizeof(private_host_t));
-
-	return &new->public;
-}
-
-/**
- * Implements host_t.ip_equals
- */
-static bool ip_equals(private_host_t *this, private_host_t *other)
-{
-	if (this->address.sa_family != other->address.sa_family)
-	{
-		/* 0.0.0.0 and 0::0 are equal */
-		return (is_anyaddr(this) && is_anyaddr(other));
-	}
-
-	switch (this->address.sa_family)
-	{
-		case AF_INET:
-		{
-			return memeq(&this->address4.sin_addr, &other->address4.sin_addr,
-						 sizeof(this->address4.sin_addr));
-		}
-		case AF_INET6:
-		{
-			return memeq(&this->address6.sin6_addr, &other->address6.sin6_addr,
-						 sizeof(this->address6.sin6_addr));
-		}
-		default:
-			break;
-	}
-	return FALSE;
-}
-
-/**
- * Implements host_t.get_differences
- */
-static host_diff_t get_differences(host_t *this, host_t *other)
-{
-	host_diff_t ret = HOST_DIFF_NONE;
-
-	if (!this->ip_equals(this, other))
-	{
-		ret |= HOST_DIFF_ADDR;
-	}
-
-	if (this->get_port(this) != other->get_port(other))
-	{
-		ret |= HOST_DIFF_PORT;
-	}
-
-	return ret;
-}
-
-/**
- * Implements host_t.equals
- */
-static bool equals(private_host_t *this, private_host_t *other)
-{
-	if (!ip_equals(this, other))
-	{
-		return FALSE;
-	}
-
-	switch (this->address.sa_family)
-	{
-		case AF_INET:
-		{
-			return (this->address4.sin_port == other->address4.sin_port);
-		}
-		case AF_INET6:
-		{
-			return (this->address6.sin6_port == other->address6.sin6_port);
-		}
-		default:
-			break;
-	}
-	return FALSE;
-}
-
-METHOD(host_t, destroy, void,
-	private_host_t *this)
-{
-	free(this);
-}
-
-/**
- * Creates an empty host_t object
- */
-static private_host_t *host_create_empty(void)
-{
-	private_host_t *this;
-
-	INIT(this,
-		.public = {
-			.get_sockaddr = _get_sockaddr,
-			.get_sockaddr_len = _get_sockaddr_len,
-			.clone = _clone_,
-			.get_family = _get_family,
-			.get_address = _get_address,
-			.get_port = _get_port,
-			.set_port = _set_port,
-			.get_differences = get_differences,
-			.ip_equals = (bool (*)(host_t *,host_t *))ip_equals,
-			.equals = (bool (*)(host_t *,host_t *)) equals,
-			.is_anyaddr = _is_anyaddr,
-			.destroy = _destroy,
-		},
-	);
-
-	return this;
-}
-
-/*
- * Create a %any host with port
- */
-static host_t *host_create_any_port(int family, u_int16_t port)
-{
-	host_t *this;
-
-	this = host_create_any(family);
-	this->set_port(this, port);
-	return this;
-}
-
-/*
- * Described in header.
- */
-host_t *host_create_from_string(char *string, u_int16_t port)
-{
-	private_host_t *this;
-
-	if (streq(string, "%any"))
-	{
-		return host_create_any_port(AF_INET, port);
-	}
-	if (streq(string, "%any6"))
-	{
-		return host_create_any_port(AF_INET6, port);
-	}
-
-	this = host_create_empty();
-	if (strchr(string, '.'))
-	{
-		this->address.sa_family = AF_INET;
-	}
-	else
-	{
-		this->address.sa_family = AF_INET6;
-	}
-	switch (this->address.sa_family)
-	{
-		case AF_INET:
-		{
-			if (inet_pton(AF_INET, string, &this->address4.sin_addr) <=0)
-			{
-				break;
-			}
-			this->address4.sin_port = htons(port);
-			this->socklen = sizeof(struct sockaddr_in);
-			return &this->public;
-		}
-		case AF_INET6:
-		{
-			if (inet_pton(AF_INET6, string, &this->address6.sin6_addr) <=0)
-			{
-				break;
-			}
-			this->address6.sin6_port = htons(port);
-			this->socklen = sizeof(struct sockaddr_in6);
-			return &this->public;
-		}
-		default:
-		{
-			break;
-		}
-	}
-	free(this);
-	return NULL;
-}
-
-/*
- * Described in header.
- */
-host_t *host_create_from_sockaddr(sockaddr_t *sockaddr)
-{
-	private_host_t *this = host_create_empty();
-
-	switch (sockaddr->sa_family)
-	{
-		case AF_INET:
-		{
-			memcpy(&this->address4, (struct sockaddr_in*)sockaddr,
-				   sizeof(struct sockaddr_in));
-			this->socklen = sizeof(struct sockaddr_in);
-			return &this->public;
-		}
-		case AF_INET6:
-		{
-			memcpy(&this->address6, (struct sockaddr_in6*)sockaddr,
-				   sizeof(struct sockaddr_in6));
-			this->socklen = sizeof(struct sockaddr_in6);
-			return &this->public;
-		}
-		default:
-			break;
-	}
-	free(this);
-	return NULL;
-}
-
-/*
- * Described in header.
- */
-host_t *host_create_from_dns(char *string, int af, u_int16_t port)
-{
-	private_host_t *this;
-	struct addrinfo hints, *result;
-	int error;
-
-	if (streq(string, "%any"))
-	{
-		return host_create_any_port(af ? af : AF_INET, port);
-	}
-	if (streq(string, "%any6"))
-	{
-		return host_create_any_port(af ? af : AF_INET6, port);
-	}
-	if (af == AF_INET && strchr(string, ':'))
-	{	/* do not try to convert v6 addresses for v4 family */
-		return NULL;
-	}
-
-	memset(&hints, 0, sizeof(hints));
-	hints.ai_family = af;
-	error = getaddrinfo(string, NULL, &hints, &result);
-	if (error != 0)
-	{
-		DBG1(DBG_LIB, "resolving '%s' failed: %s", string, gai_strerror(error));
-		return NULL;
-	}
-	/* result is a linked list, but we use only the first address */
-	this = (private_host_t*)host_create_from_sockaddr(result->ai_addr);
-	freeaddrinfo(result);
-	if (this)
-	{
-		switch (this->address.sa_family)
-		{
-			case AF_INET:
-				this->address4.sin_port = htons(port);
-				break;
-			case AF_INET6:
-				this->address6.sin6_port = htons(port);
-				break;
-		}
-		return &this->public;
-	}
-	return NULL;
-}
-
-/*
- * Described in header.
- */
-host_t *host_create_from_chunk(int family, chunk_t address, u_int16_t port)
-{
-	private_host_t *this;
-
-	switch (family)
-	{
-		case AF_INET:
-			if (address.len < IPV4_LEN)
-			{
-				return NULL;
-			}
-			address.len = IPV4_LEN;
-			break;
-		case AF_INET6:
-			if (address.len < IPV6_LEN)
-			{
-				return NULL;
-			}
-			address.len = IPV6_LEN;
-			break;
-		case AF_UNSPEC:
-			switch (address.len)
-			{
-				case IPV4_LEN:
-					family = AF_INET;
-					break;
-				case IPV6_LEN:
-					family = AF_INET6;
-					break;
-				default:
-					return NULL;
-			}
-			break;
-		default:
-			return NULL;
-	}
-	this = host_create_empty();
-	this->address.sa_family = family;
-	switch (family)
-	{
-		case AF_INET:
-			memcpy(&this->address4.sin_addr.s_addr, address.ptr, address.len);
-			this->address4.sin_port = htons(port);
-			this->socklen = sizeof(struct sockaddr_in);
-			break;
-		case AF_INET6:
-			memcpy(&this->address6.sin6_addr.s6_addr, address.ptr, address.len);
-			this->address6.sin6_port = htons(port);
-			this->socklen = sizeof(struct sockaddr_in6);
-			break;
-	}
-	return &this->public;
-}
-
-/*
- * Described in header.
- */
-host_t *host_create_from_subnet(char *string, int *bits)
-{
-	char *pos, buf[64];
-	host_t *net;
-
-	pos = strchr(string, '/');
-	if (pos)
-	{
-		if (pos - string >= sizeof(buf))
-		{
-			return NULL;
-		}
-		strncpy(buf, string, pos - string);
-		buf[pos - string] = '\0';
-		*bits = atoi(pos + 1);
-		return host_create_from_string(buf, 0);
-	}
-	net = host_create_from_string(string, 0);
-	if (net)
-	{
-		if (net->get_family(net) == AF_INET)
-		{
-			*bits = 32;
-		}
-		else
-		{
-			*bits = 128;
-		}
-	}
-	return net;
-}
-
-/*
- * Described in header.
- */
-host_t *host_create_any(int family)
-{
-	private_host_t *this = host_create_empty();
-
-	memset(&this->address_max, 0, sizeof(struct sockaddr_storage));
-	this->address.sa_family = family;
-
-	switch (family)
-	{
-		case AF_INET:
-		{
-			this->socklen = sizeof(struct sockaddr_in);
-			return &(this->public);
-		}
-		case AF_INET6:
-		{
-			this->socklen = sizeof(struct sockaddr_in6);
-			return &this->public;
-		}
-		default:
-			break;
-	}
-	free(this);
-	return NULL;
-}
diff --git a/src/libstrongswan/utils/host.h b/src/libstrongswan/utils/host.h
deleted file mode 100644
index a8b010544..000000000
--- a/src/libstrongswan/utils/host.h
+++ /dev/null
@@ -1,220 +0,0 @@
-/*
- * Copyright (C) 2006-2009 Tobias Brunner
- * Copyright (C) 2006 Daniel Roethlisberger
- * Copyright (C) 2005-2008 Martin Willi
- * Copyright (C) 2005 Jan Hutter
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup host host
- * @{ @ingroup utils
- */
-
-#ifndef HOST_H_
-#define HOST_H_
-
-typedef enum host_diff_t host_diff_t;
-typedef struct host_t host_t;
-
-#include <stdlib.h>
-#include <stdio.h>
-#include <sys/types.h>
-#include <sys/socket.h>
-#include <netinet/in.h>
-#include <arpa/inet.h>
-
-#include <chunk.h>
-
-/**
- * Differences between two hosts. They differ in
- * address, port, or both.
- */
-enum host_diff_t {
-	HOST_DIFF_NONE = 0,
-	HOST_DIFF_ADDR = 1,
-	HOST_DIFF_PORT = 2,
-};
-
-/**
- * Representates a Host
- *
- * Host object, identifies a address:port pair and defines some
- * useful functions on it.
- */
-struct host_t {
-
-	/**
-	 * Build a clone of this host object.
-	 *
-	 * @return		cloned host
-	 */
-	host_t *(*clone) (host_t *this);
-
-	/**
-	 * Get a pointer to the internal sockaddr struct.
-	 *
-	 * This is used for sending and receiving via sockets.
-	 *
-	 * @return		pointer to the internal sockaddr structure
-	 */
-	sockaddr_t  *(*get_sockaddr) (host_t *this);
-
-	/**
-	 * Get the length of the sockaddr struct.
-	 *
-	 * Depending on the family, the length of the sockaddr struct
-	 * is different. Use this function to get the length of the sockaddr
-	 * struct returned by get_sock_addr.
-	 *
-	 * This is used for sending and receiving via sockets.
-	 *
-	 * @return		length of the sockaddr struct
-	 */
-	socklen_t *(*get_sockaddr_len) (host_t *this);
-
-	/**
-	 * Gets the family of the address
-	 *
-	 * @return		family
-	 */
-	int (*get_family) (host_t *this);
-
-	/**
-	 * Checks if the ip address of host is set to default route.
-	 *
-	 * @return		TRUE if host is 0.0.0.0 or 0::0, FALSE otherwise
-	 */
-	bool (*is_anyaddr) (host_t *this);
-
-	/**
-	 * Get the address of this host as chunk_t
-	 *
-	 * Returned chunk points to internal data.
-	 *
-	 * @return		address string,
-	 */
-	chunk_t (*get_address) (host_t *this);
-
-	/**
-	 * Get the port of this host
-	 *
-	 * @return		port number
-	 */
-	u_int16_t (*get_port) (host_t *this);
-
-	/**
-	 * Set the port of this host
-	 *
-	 * @param port	port numer
-	 */
-	void (*set_port) (host_t *this, u_int16_t port);
-
-	/**
-	 * Compare the ips of two hosts hosts.
-	 *
-	 * @param other	the other to compare
-	 * @return		TRUE if addresses are equal.
-	 */
-	bool (*ip_equals) (host_t *this, host_t *other);
-
-	/**
-	 * Compare two hosts, with port.
-	 *
-	 * @param other	the other to compare
-	 * @return		TRUE if addresses and ports are equal.
-	 */
-	bool (*equals) (host_t *this, host_t *other);
-
-	/**
-	 * Compare two hosts and return the differences.
-	 *
-	 * @param other	the other to compare
-	 * @return		differences in a combination of host_diff_t's
-	 */
-	host_diff_t (*get_differences) (host_t *this, host_t *other);
-
-	/**
-	 * Destroy this host object.
-	 */
-	void (*destroy) (host_t *this);
-};
-
-/**
- * Constructor to create a host_t object from an address string.
- *
- * @param string		string of an address, such as "152.96.193.130"
- * @param port			port number
- * @return				host_t, NULL if string not an address.
- */
-host_t *host_create_from_string(char *string, u_int16_t port);
-
-/**
- * Constructor to create a host_t from a DNS name.
- *
- * @param string		hostname to resolve
- * @param family		family to prefer, 0 for first match
- * @param port			port number
- * @return				host_t, NULL lookup failed
- */
-host_t *host_create_from_dns(char *string, int family, u_int16_t port);
-
-/**
- * Constructor to create a host_t object from an address chunk.
- *
- * If family is AF_UNSPEC, it is guessed using address.len.
- *
- * @param family		Address family, such as AF_INET or AF_INET6
- * @param address		address as chunk_t in network order
- * @param port			port number
- * @return				host_t, NULL if family not supported/chunk invalid
- */
-host_t *host_create_from_chunk(int family, chunk_t address, u_int16_t port);
-
-/**
- * Constructor to create a host_t object from a sockaddr struct
- *
- * @param sockaddr		sockaddr struct which contains family, address and port
- * @return				host_t, NULL if family not supported
- */
-host_t *host_create_from_sockaddr(sockaddr_t *sockaddr);
-
-/**
- * Create a host from a CIDR subnet definition (1.2.3.0/24), return bits.
- *
- * @param string		string to parse
- * @param bits			gets the number of network bits in CIDR notation
- * @return				network start address, NULL on error
- */
-host_t *host_create_from_subnet(char *string, int *bits);
-
-/**
- * Create a host without an address, a "any" host.
- *
- * @param family		family of the any host
- * @return				host_t, NULL if family not supported
- */
-host_t *host_create_any(int family);
-
-/**
- * printf hook function for host_t.
- *
- * Arguments are:
- *	host_t *host
- * Use #-modifier to include port number
- * Use +-modifier to force numeric representation (instead of e.g. %any)
- */
-int host_printf_hook(printf_hook_data_t *data, printf_hook_spec_t *spec,
-					 const void *const *args);
-
-#endif /** HOST_H_ @}*/
diff --git a/src/libstrongswan/utils/identification.h b/src/libstrongswan/utils/identification.h
index 024fcea4b..cdf229127 100644
--- a/src/libstrongswan/utils/identification.h
+++ b/src/libstrongswan/utils/identification.h
@@ -29,8 +29,8 @@ typedef struct identification_t identification_t;
 typedef enum id_match_t id_match_t;
 typedef enum id_part_t id_part_t;
 
-#include <chunk.h>
-#include <utils/enumerator.h>
+#include <utils/chunk.h>
+#include <collections/enumerator.h>
 
 /**
  * Matches returned from identification_t.match
diff --git a/src/libstrongswan/utils/integrity_checker.c b/src/libstrongswan/utils/integrity_checker.c
new file mode 100644
index 000000000..e962aba70
--- /dev/null
+++ b/src/libstrongswan/utils/integrity_checker.c
@@ -0,0 +1,321 @@
+/*
+ * Copyright (C) 2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#define _GNU_SOURCE
+
+#include "integrity_checker.h"
+
+#include <dlfcn.h>
+#include <link.h>
+#include <fcntl.h>
+#include <errno.h>
+#include <unistd.h>
+#include <sys/mman.h>
+#include <sys/stat.h>
+#include <sys/types.h>
+
+#include "debug.h"
+#include "library.h"
+
+typedef struct private_integrity_checker_t private_integrity_checker_t;
+
+/**
+ * Private data of an integrity_checker_t object.
+ */
+struct private_integrity_checker_t {
+
+	/**
+	 * Public integrity_checker_t interface.
+	 */
+	integrity_checker_t public;
+
+	/**
+	 * dlopen handle to checksum library
+	 */
+	void *handle;
+
+	/**
+	 * checksum array
+	 */
+	integrity_checksum_t *checksums;
+
+	/**
+	 * number of checksums in array
+	 */
+	int checksum_count;
+};
+
+METHOD(integrity_checker_t, build_file, u_int32_t,
+	private_integrity_checker_t *this, char *file, size_t *len)
+{
+	u_int32_t checksum;
+	chunk_t contents;
+	struct stat sb;
+	void *addr;
+	int fd;
+
+	fd = open(file, O_RDONLY);
+	if (fd == -1)
+	{
+		DBG1(DBG_LIB, "  opening '%s' failed: %s", file, strerror(errno));
+		return 0;
+	}
+
+	if (fstat(fd, &sb) == -1)
+	{
+		DBG1(DBG_LIB, "  getting file size of '%s' failed: %s", file,
+			 strerror(errno));
+		close(fd);
+		return 0;
+	}
+
+	addr = mmap(NULL, sb.st_size, PROT_READ, MAP_PRIVATE, fd, 0);
+	if (addr == MAP_FAILED)
+	{
+		DBG1(DBG_LIB, "  mapping '%s' failed: %s", file, strerror(errno));
+		close(fd);
+		return 0;
+	}
+
+	*len = sb.st_size;
+	contents = chunk_create(addr, sb.st_size);
+	checksum = chunk_hash(contents);
+
+	munmap(addr, sb.st_size);
+	close(fd);
+
+	return checksum;
+}
+
+/**
+ * dl_iterate_phdr callback function
+ */
+static int callback(struct dl_phdr_info *dlpi, size_t size, Dl_info *dli)
+{
+	/* We are looking for the dlpi_addr matching the address of our dladdr().
+	 * dl_iterate_phdr() returns such an address for other (unknown) objects
+	 * in very rare cases (e.g. in a chrooted gentoo, but only if
+	 * the checksum_builder is invoked by 'make'). As a workaround, we filter
+	 * objects by dlpi_name; valid objects have a library name.
+	 */
+	if (dli->dli_fbase == (void*)dlpi->dlpi_addr &&
+		dlpi->dlpi_name && *dlpi->dlpi_name)
+	{
+		int i;
+
+		for (i = 0; i < dlpi->dlpi_phnum; i++)
+		{
+			const ElfW(Phdr) *sgmt = &dlpi->dlpi_phdr[i];
+
+			/* we are interested in the executable LOAD segment */
+			if (sgmt->p_type == PT_LOAD && (sgmt->p_flags & PF_X))
+			{
+				/* safe begin of segment in dli_fbase */
+				dli->dli_fbase = (void*)sgmt->p_vaddr + dlpi->dlpi_addr;
+				/* safe end of segment in dli_saddr */
+				dli->dli_saddr = dli->dli_fbase + sgmt->p_memsz;
+				return 1;
+			}
+		}
+	}
+	return 0;
+}
+
+METHOD(integrity_checker_t, build_segment, u_int32_t,
+	private_integrity_checker_t *this, void *sym, size_t *len)
+{
+	chunk_t segment;
+	Dl_info dli;
+
+	if (dladdr(sym, &dli) == 0)
+	{
+		DBG1(DBG_LIB, "  unable to locate symbol: %s", dlerror());
+		return 0;
+	}
+	/* we reuse the Dl_info struct as in/out parameter */
+	if (!dl_iterate_phdr((void*)callback, &dli))
+	{
+		DBG1(DBG_LIB, "  executable section not found");
+		return 0;
+	}
+
+	segment = chunk_create(dli.dli_fbase, dli.dli_saddr - dli.dli_fbase);
+	*len = segment.len;
+	return chunk_hash(segment);
+}
+
+/**
+ * Find a checksum by its name
+ */
+static integrity_checksum_t *find_checksum(private_integrity_checker_t *this,
+										   char *name)
+{
+	int i;
+
+	for (i = 0; i < this->checksum_count; i++)
+	{
+		if (streq(this->checksums[i].name, name))
+		{
+			return &this->checksums[i];
+		}
+	}
+	return NULL;
+}
+
+METHOD(integrity_checker_t, check_file, bool,
+	private_integrity_checker_t *this, char *name, char *file)
+{
+	integrity_checksum_t *cs;
+	u_int32_t sum;
+	size_t len = 0;
+
+	cs = find_checksum(this, name);
+	if (!cs)
+	{
+		DBG1(DBG_LIB, "  '%s' file checksum not found", name);
+		return FALSE;
+	}
+	sum = build_file(this, file, &len);
+	if (!sum)
+	{
+		return FALSE;
+	}
+	if (cs->file_len != len)
+	{
+		DBG1(DBG_LIB, "  invalid '%s' file size: %u bytes, expected %u bytes",
+			 name, len, cs->file_len);
+		return FALSE;
+	}
+	if (cs->file != sum)
+	{
+		DBG1(DBG_LIB, "  invalid '%s' file checksum: %08x, expected %08x",
+			 name, sum, cs->file);
+		return FALSE;
+	}
+	DBG2(DBG_LIB, "  valid '%s' file checksum: %08x", name, sum);
+	return TRUE;
+}
+
+METHOD(integrity_checker_t, check_segment, bool,
+	private_integrity_checker_t *this, char *name, void *sym)
+{
+	integrity_checksum_t *cs;
+	u_int32_t sum;
+	size_t len = 0;
+
+	cs = find_checksum(this, name);
+	if (!cs)
+	{
+		DBG1(DBG_LIB, "  '%s' segment checksum not found", name);
+		return FALSE;
+	}
+	sum = build_segment(this, sym, &len);
+	if (!sum)
+	{
+		return FALSE;
+	}
+	if (cs->segment_len != len)
+	{
+		DBG1(DBG_LIB, "  invalid '%s' segment size: %u bytes,"
+			 " expected %u bytes", name, len, cs->segment_len);
+		return FALSE;
+	}
+	if (cs->segment != sum)
+	{
+		DBG1(DBG_LIB, "  invalid '%s' segment checksum: %08x, expected %08x",
+			 name, sum, cs->segment);
+		return FALSE;
+	}
+	DBG2(DBG_LIB, "  valid '%s' segment checksum: %08x", name, sum);
+	return TRUE;
+}
+
+METHOD(integrity_checker_t, check, bool,
+	private_integrity_checker_t *this, char *name, void *sym)
+{
+	Dl_info dli;
+
+	if (dladdr(sym, &dli) == 0)
+	{
+		DBG1(DBG_LIB, "unable to locate symbol: %s", dlerror());
+		return FALSE;
+	}
+	if (!check_file(this, name, (char*)dli.dli_fname))
+	{
+		return FALSE;
+	}
+	if (!check_segment(this, name, sym))
+	{
+		return FALSE;
+	}
+	return TRUE;
+}
+
+METHOD(integrity_checker_t, destroy, void,
+	private_integrity_checker_t *this)
+{
+	if (this->handle)
+	{
+		dlclose(this->handle);
+	}
+	free(this);
+}
+
+/**
+ * See header
+ */
+integrity_checker_t *integrity_checker_create(char *checksum_library)
+{
+	private_integrity_checker_t *this;
+
+	INIT(this,
+		.public = {
+			.check_file = _check_file,
+			.build_file = _build_file,
+			.check_segment = _check_segment,
+			.build_segment = _build_segment,
+			.check = _check,
+			.destroy = _destroy,
+		},
+	);
+
+	if (checksum_library)
+	{
+		this->handle = dlopen(checksum_library, RTLD_LAZY);
+		if (this->handle)
+		{
+			int *checksum_count;
+
+			this->checksums = dlsym(this->handle, "checksums");
+			checksum_count = dlsym(this->handle, "checksum_count");
+			if (this->checksums && checksum_count)
+			{
+				this->checksum_count = *checksum_count;
+			}
+			else
+			{
+				DBG1(DBG_LIB, "checksum library '%s' invalid",
+					 checksum_library);
+			}
+		}
+		else
+		{
+			DBG1(DBG_LIB, "loading checksum library '%s' failed",
+				 checksum_library);
+		}
+	}
+	return &this->public;
+}
+
diff --git a/src/libstrongswan/utils/integrity_checker.h b/src/libstrongswan/utils/integrity_checker.h
new file mode 100644
index 000000000..afaa114b3
--- /dev/null
+++ b/src/libstrongswan/utils/integrity_checker.h
@@ -0,0 +1,110 @@
+/*
+ * Copyright (C) 2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup integrity_checker integrity_checker
+ * @{ @ingroup utils
+ */
+
+#ifndef INTEGRITY_CHECKER_H_
+#define INTEGRITY_CHECKER_H_
+
+#include "utils.h"
+
+typedef struct integrity_checker_t integrity_checker_t;
+typedef struct integrity_checksum_t integrity_checksum_t;
+
+/**
+ * Struct to hold a precalculated checksum, implemented in the checksum library.
+ */
+struct integrity_checksum_t {
+	/* name of the checksum */
+	char *name;
+	/* size in bytes of the file on disk */
+	size_t file_len;
+	/* checksum of the file on disk */
+	u_int32_t file;
+	/* size in bytes of executable segment in memory */
+	size_t segment_len;
+	/* checksum of the executable segment in memory */
+	u_int32_t segment;
+};
+
+/**
+ * Code integrity checker to detect non-malicious file manipulation.
+ *
+ * The integrity checker reads the checksums from a separate library
+ * libchecksum.so to compare the checksums.
+ */
+struct integrity_checker_t {
+
+	/**
+	 * Check the integrity of a file on disk.
+	 *
+	 * @param name		name to lookup checksum
+	 * @param file		path to file
+	 * @return			TRUE if integrity tested successfully
+	 */
+	bool (*check_file)(integrity_checker_t *this, char *name, char *file);
+
+	/**
+	 * Build the integrity checksum of a file on disk.
+	 *
+	 * @param file		path to file
+	 * @param len		return length in bytes of file
+	 * @return			checksum, 0 on error
+	 */
+	u_int32_t (*build_file)(integrity_checker_t *this, char *file, size_t *len);
+
+	/**
+	 * Check the integrity of the code segment in memory.
+	 *
+	 * @param name		name to lookup checksum
+	 * @param sym		a symbol in the segment to check
+	 * @return			TRUE if integrity tested successfully
+	 */
+	bool (*check_segment)(integrity_checker_t *this, char *name, void *sym);
+	/**
+	 * Build the integrity checksum of a code segment in memory.
+	 *
+	 * @param sym		a symbol in the segment to check
+	 * @param len		return length in bytes of code segment in memory
+	 * @return			checksum, 0 on error
+	 */
+	u_int32_t (*build_segment)(integrity_checker_t *this, void *sym, size_t *len);
+
+	/**
+	 * Check both, on disk file integrity and loaded segment.
+	 *
+	 * @param name		name to lookup checksum
+	 * @param sym		a symbol to look up library and segment
+	 * @return			TRUE if integrity tested successfully
+	 */
+	bool (*check)(integrity_checker_t *this, char *name, void *sym);
+
+	/**
+	 * Destroy a integrity_checker_t.
+	 */
+	void (*destroy)(integrity_checker_t *this);
+};
+
+/**
+ * Create a integrity_checker instance.
+ *
+ * @param checksum_library		library containing checksums
+ */
+integrity_checker_t *integrity_checker_create(char *checksum_library);
+
+#endif /** INTEGRITY_CHECKER_H_ @}*/
diff --git a/src/libstrongswan/utils/leak_detective.c b/src/libstrongswan/utils/leak_detective.c
index cface0538..2b0be1661 100644
--- a/src/libstrongswan/utils/leak_detective.c
+++ b/src/libstrongswan/utils/leak_detective.c
@@ -32,9 +32,9 @@
 #include "leak_detective.h"
 
 #include <library.h>
-#include <debug.h>
+#include <utils/debug.h>
 #include <utils/backtrace.h>
-#include <utils/hashtable.h>
+#include <collections/hashtable.h>
 
 typedef struct private_leak_detective_t private_leak_detective_t;
 
diff --git a/src/libstrongswan/utils/linked_list.c b/src/libstrongswan/utils/linked_list.c
deleted file mode 100644
index 1ff80999b..000000000
--- a/src/libstrongswan/utils/linked_list.c
+++ /dev/null
@@ -1,615 +0,0 @@
-/*
- * Copyright (C) 2007-2011 Tobias Brunner
- * Copyright (C) 2005-2006 Martin Willi
- * Copyright (C) 2005 Jan Hutter
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include <stdlib.h>
-#include <stdarg.h>
-
-#include "linked_list.h"
-
-typedef struct element_t element_t;
-
-/**
- * This element holds a pointer to the value it represents.
- */
-struct element_t {
-
-	/**
-	 * Value of a list item.
-	 */
-	void *value;
-
-	/**
-	 * Previous list element.
-	 *
-	 * NULL if first element in list.
-	 */
-	element_t *previous;
-
-	/**
-	 * Next list element.
-	 *
-	 * NULL if last element in list.
-	 */
-	element_t *next;
-};
-
-/**
- * Creates an empty linked list object.
- */
-element_t *element_create(void *value)
-{
-	element_t *this;
-	INIT(this,
-		.value = value,
-	);
-	return this;
-}
-
-
-typedef struct private_linked_list_t private_linked_list_t;
-
-/**
- * Private data of a linked_list_t object.
- *
- */
-struct private_linked_list_t {
-	/**
-	 * Public part of linked list.
-	 */
-	linked_list_t public;
-
-	/**
-	 * Number of items in the list.
-	 */
-	int count;
-
-	/**
-	 * First element in list.
-	 * NULL if no elements in list.
-	 */
-	element_t *first;
-
-	/**
-	 * Last element in list.
-	 * NULL if no elements in list.
-	 */
-	element_t *last;
-};
-
-typedef struct private_enumerator_t private_enumerator_t;
-
-/**
- * linked lists enumerator implementation
- */
-struct private_enumerator_t {
-
-	/**
-	 * implements enumerator interface
-	 */
-	enumerator_t enumerator;
-
-	/**
-	 * associated linked list
-	 */
-	private_linked_list_t *list;
-
-	/**
-	 * current item
-	 */
-	element_t *current;
-
-	/**
-	 * enumerator has enumerated all items
-	 */
-	bool finished;
-};
-
-METHOD(enumerator_t, enumerate, bool,
-	private_enumerator_t *this, void **item)
-{
-	if (this->finished)
-	{
-		return FALSE;
-	}
-	if (!this->current)
-	{
-		this->current = this->list->first;
-	}
-	else
-	{
-		this->current = this->current->next;
-	}
-	if (!this->current)
-	{
-		this->finished = TRUE;
-		return FALSE;
-	}
-	*item = this->current->value;
-	return TRUE;
-}
-
-METHOD(linked_list_t, create_enumerator, enumerator_t*,
-	private_linked_list_t *this)
-{
-	private_enumerator_t *enumerator;
-
-	INIT(enumerator,
-		.enumerator = {
-			.enumerate = (void*)_enumerate,
-			.destroy = (void*)free,
-		},
-		.list = this,
-	);
-
-	return &enumerator->enumerator;
-}
-
-METHOD(linked_list_t, reset_enumerator, void,
-	private_linked_list_t *this, private_enumerator_t *enumerator)
-{
-	enumerator->current = NULL;
-	enumerator->finished = FALSE;
-}
-
-METHOD(linked_list_t, has_more, bool,
-	private_linked_list_t *this, private_enumerator_t *enumerator)
-{
-	if (enumerator->current)
-	{
-		return enumerator->current->next != NULL;
-	}
-	return !enumerator->finished && this->first != NULL;
-}
-
-METHOD(linked_list_t, get_count, int,
-	private_linked_list_t *this)
-{
-	return this->count;
-}
-
-METHOD(linked_list_t, insert_first, void,
-	private_linked_list_t *this, void *item)
-{
-	element_t *element;
-
-	element = element_create(item);
-	if (this->count == 0)
-	{
-		/* first entry in list */
-		this->first = element;
-		this->last = element;
-	}
-	else
-	{
-		element->next = this->first;
-		this->first->previous = element;
-		this->first = element;
-	}
-	this->count++;
-}
-
-/**
- * unlink an element form the list, returns following element
- */
-static element_t* remove_element(private_linked_list_t *this,
-								 element_t *element)
-{
-	element_t *next, *previous;
-
-	next = element->next;
-	previous = element->previous;
-	free(element);
-	if (next)
-	{
-		next->previous = previous;
-	}
-	else
-	{
-		this->last = previous;
-	}
-	if (previous)
-	{
-		previous->next = next;
-	}
-	else
-	{
-		this->first = next;
-	}
-	if (--this->count == 0)
-	{
-		this->first = NULL;
-		this->last = NULL;
-	}
-	return next;
-}
-
-METHOD(linked_list_t, get_first, status_t,
-	private_linked_list_t *this, void **item)
-{
-	if (this->count == 0)
-	{
-		return NOT_FOUND;
-	}
-	*item = this->first->value;
-	return SUCCESS;
-}
-
-METHOD(linked_list_t, remove_first, status_t,
-	private_linked_list_t *this, void **item)
-{
-	if (get_first(this, item) == SUCCESS)
-	{
-		remove_element(this, this->first);
-		return SUCCESS;
-	}
-	return NOT_FOUND;
-}
-
-METHOD(linked_list_t, insert_last, void,
-	private_linked_list_t *this, void *item)
-{
-	element_t *element;
-
-	element = element_create(item);
-	if (this->count == 0)
-	{
-		/* first entry in list */
-		this->first = element;
-		this->last = element;
-	}
-	else
-	{
-		element->previous = this->last;
-		this->last->next = element;
-		this->last = element;
-	}
-	this->count++;
-}
-
-METHOD(linked_list_t, insert_before, void,
-	private_linked_list_t *this, private_enumerator_t *enumerator,
-	void *item)
-{
-	element_t *current, *element;
-
-	current = enumerator->current;
-	if (!current)
-	{
-		if (enumerator->finished)
-		{
-			this->public.insert_last(&this->public, item);
-		}
-		else
-		{
-			this->public.insert_first(&this->public, item);
-		}
-		return;
-	}
-	element = element_create(item);
-	if (current->previous)
-	{
-		current->previous->next = element;
-		element->previous = current->previous;
-		current->previous = element;
-		element->next = current;
-	}
-	else
-	{
-		current->previous = element;
-		element->next = current;
-		this->first = element;
-	}
-	this->count++;
-}
-
-METHOD(linked_list_t, replace, void*,
-	private_linked_list_t *this, private_enumerator_t *enumerator,
-	void *item)
-{
-	void *old = NULL;
-
-	if (enumerator->current)
-	{
-		old = enumerator->current->value;
-		enumerator->current->value = item;
-	}
-	return old;
-}
-
-METHOD(linked_list_t, get_last, status_t,
-	private_linked_list_t *this, void **item)
-{
-	if (this->count == 0)
-	{
-		return NOT_FOUND;
-	}
-	*item = this->last->value;
-	return SUCCESS;
-}
-
-METHOD(linked_list_t, remove_last, status_t,
-	private_linked_list_t *this, void **item)
-{
-	if (get_last(this, item) == SUCCESS)
-	{
-		remove_element(this, this->last);
-		return SUCCESS;
-	}
-	return NOT_FOUND;
-}
-
-METHOD(linked_list_t, remove_, int,
-	private_linked_list_t *this, void *item, bool (*compare)(void*,void*))
-{
-	element_t *current = this->first;
-	int removed = 0;
-
-	while (current)
-	{
-		if ((compare && compare(current->value, item)) ||
-			(!compare && current->value == item))
-		{
-			removed++;
-			current = remove_element(this, current);
-		}
-		else
-		{
-			current = current->next;
-		}
-	}
-	return removed;
-}
-
-METHOD(linked_list_t, remove_at, void,
-	   private_linked_list_t *this, private_enumerator_t *enumerator)
-{
-	element_t *current;
-
-	if (enumerator->current)
-	{
-		current = enumerator->current;
-		enumerator->current = current->previous;
-		remove_element(this, current);
-	}
-}
-
-METHOD(linked_list_t, find_first, status_t,
-	private_linked_list_t *this, linked_list_match_t match,
-	void **item, void *d1, void *d2, void *d3, void *d4, void *d5)
-{
-	element_t *current = this->first;
-
-	while (current)
-	{
-		if ((match && match(current->value, d1, d2, d3, d4, d5)) ||
-			(!match && item && current->value == *item))
-		{
-			if (item != NULL)
-			{
-				*item = current->value;
-			}
-			return SUCCESS;
-		}
-		current = current->next;
-	}
-	return NOT_FOUND;
-}
-
-METHOD(linked_list_t, find_last, status_t,
-	private_linked_list_t *this, linked_list_match_t match,
-	void **item, void *d1, void *d2, void *d3, void *d4, void *d5)
-{
-	element_t *current = this->last;
-
-	while (current)
-	{
-		if ((match && match(current->value, d1, d2, d3, d4, d5)) ||
-			(!match && item && current->value == *item))
-		{
-			if (item != NULL)
-			{
-				*item = current->value;
-			}
-			return SUCCESS;
-		}
-		current = current->previous;
-	}
-	return NOT_FOUND;
-}
-
-METHOD(linked_list_t, invoke_offset, void,
-	private_linked_list_t *this, size_t offset,
-	void *d1, void *d2, void *d3, void *d4, void *d5)
-{
-	element_t *current = this->first;
-	linked_list_invoke_t *method;
-
-	while (current)
-	{
-		method = current->value + offset;
-		(*method)(current->value, d1, d2, d3, d4, d5);
-		current = current->next;
-	}
-}
-
-METHOD(linked_list_t, invoke_function, void,
-	private_linked_list_t *this, linked_list_invoke_t fn,
-	void *d1, void *d2, void *d3, void *d4, void *d5)
-{
-	element_t *current = this->first;
-
-	while (current)
-	{
-		fn(current->value, d1, d2, d3, d4, d5);
-		current = current->next;
-	}
-}
-
-METHOD(linked_list_t, clone_offset, linked_list_t*,
-	private_linked_list_t *this, size_t offset)
-{
-	element_t *current = this->first;
-	linked_list_t *clone;
-
-	clone = linked_list_create();
-	while (current)
-	{
-		void* (**method)(void*) = current->value + offset;
-		clone->insert_last(clone, (*method)(current->value));
-		current = current->next;
-	}
-
-	return clone;
-}
-
-METHOD(linked_list_t, clone_function, linked_list_t*,
-	private_linked_list_t *this, void* (*fn)(void*))
-{
-	element_t *current = this->first;
-	linked_list_t *clone;
-
-	clone = linked_list_create();
-	while (current)
-	{
-		clone->insert_last(clone, fn(current->value));
-		current = current->next;
-	}
-	return clone;
-}
-
-METHOD(linked_list_t, destroy, void,
-	private_linked_list_t *this)
-{
-	void *value;
-
-	/* Remove all list items before destroying list */
-	while (remove_first(this, &value) == SUCCESS)
-	{
-		/* values are not destroyed so memory leaks are possible
-		 * if list is not empty when deleting */
-	}
-	free(this);
-}
-
-METHOD(linked_list_t, destroy_offset, void,
-	private_linked_list_t *this, size_t offset)
-{
-	element_t *current = this->first, *next;
-
-	while (current)
-	{
-		void (**method)(void*) = current->value + offset;
-		(*method)(current->value);
-		next = current->next;
-		free(current);
-		current = next;
-	}
-	free(this);
-}
-
-METHOD(linked_list_t, destroy_function, void,
-	private_linked_list_t *this, void (*fn)(void*))
-{
-	element_t *current = this->first, *next;
-
-	while (current)
-	{
-		fn(current->value);
-		next = current->next;
-		free(current);
-		current = next;
-	}
-	free(this);
-}
-
-/*
- * Described in header.
- */
-linked_list_t *linked_list_create()
-{
-	private_linked_list_t *this;
-
-	INIT(this,
-		.public = {
-			.get_count = _get_count,
-			.create_enumerator = _create_enumerator,
-			.reset_enumerator = (void*)_reset_enumerator,
-			.has_more = (void*)_has_more,
-			.get_first = _get_first,
-			.get_last = _get_last,
-			.find_first = (void*)_find_first,
-			.find_last = (void*)_find_last,
-			.insert_first = _insert_first,
-			.insert_last = _insert_last,
-			.insert_before = (void*)_insert_before,
-			.replace = (void*)_replace,
-			.remove_first = _remove_first,
-			.remove_last = _remove_last,
-			.remove = _remove_,
-			.remove_at = (void*)_remove_at,
-			.invoke_offset = (void*)_invoke_offset,
-			.invoke_function = (void*)_invoke_function,
-			.clone_offset = _clone_offset,
-			.clone_function = _clone_function,
-			.destroy = _destroy,
-			.destroy_offset = _destroy_offset,
-			.destroy_function = _destroy_function,
-		},
-	);
-
-	return &this->public;
-}
-
-/*
- * See header.
- */
-linked_list_t *linked_list_create_from_enumerator(enumerator_t *enumerator)
-{
-	linked_list_t *list;
-	void *item;
-
-	list = linked_list_create();
-
-	while (enumerator->enumerate(enumerator, &item))
-	{
-		list->insert_last(list, item);
-	}
-	enumerator->destroy(enumerator);
-
-	return list;
-}
-
-/*
- * See header.
- */
-linked_list_t *linked_list_create_with_items(void *item, ...)
-{
-	linked_list_t *list;
-	va_list args;
-
-	list = linked_list_create();
-
-	va_start(args, item);
-	while (item)
-	{
-		list->insert_last(list, item);
-		item = va_arg(args, void*);
-	}
-	va_end(args);
-
-	return list;
-}
diff --git a/src/libstrongswan/utils/linked_list.h b/src/libstrongswan/utils/linked_list.h
deleted file mode 100644
index 1b5518480..000000000
--- a/src/libstrongswan/utils/linked_list.h
+++ /dev/null
@@ -1,319 +0,0 @@
-/*
- * Copyright (C) 2007-2011 Tobias Brunner
- * Copyright (C) 2005-2008 Martin Willi
- * Copyright (C) 2005 Jan Hutter
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup linked_list linked_list
- * @{ @ingroup utils
- */
-
-#ifndef LINKED_LIST_H_
-#define LINKED_LIST_H_
-
-typedef struct linked_list_t linked_list_t;
-
-#include <utils/enumerator.h>
-
-/**
- * Method to match elements in a linked list (used in find_* functions)
- *
- * @param item			current list item
- * @param ...			user supplied data (only pointers, at most 5)
- * @return
- *						- TRUE, if the item matched
- *						- FALSE, otherwise
- */
-typedef bool (*linked_list_match_t)(void *item, ...);
-
-/**
- * Method to be invoked on elements in a linked list (used in invoke_* functions)
- *
- * @param item			current list item
- * @param ...			user supplied data (only pointers, at most 5)
- */
-typedef void (*linked_list_invoke_t)(void *item, ...);
-
-/**
- * Class implementing a double linked list.
- *
- * General purpose linked list. This list is not synchronized.
- */
-struct linked_list_t {
-
-	/**
-	 * Gets the count of items in the list.
-	 *
-	 * @return			number of items in list
-	 */
-	int (*get_count) (linked_list_t *this);
-
-	/**
-	 * Create an enumerator over the list.
-	 *
-	 * @note The enumerator's position is invalid before the first call
-	 * to enumerate().
-	 *
-	 * @return			enumerator over list items
-	 */
-	enumerator_t* (*create_enumerator)(linked_list_t *this);
-
-	/**
-	 * Resets the enumerator's current position to the beginning of the list.
-	 *
-	 * @param enumerator	enumerator to reset
-	 */
-	void (*reset_enumerator)(linked_list_t *this, enumerator_t *enumerator);
-
-	/**
-	 * Checks if there are more elements following after the enumerator's
-	 * current position.
-	 *
-	 * @param enumerator	enumerator to check
-	 */
-	bool (*has_more)(linked_list_t *this, enumerator_t *enumerator);
-
-	/**
-	 * Inserts a new item at the beginning of the list.
-	 *
-	 * @param item		item value to insert in list
-	 */
-	void (*insert_first) (linked_list_t *this, void *item);
-
-	/**
-	 * Removes the first item in the list and returns its value.
-	 *
-	 * @param item		returned value of first item, or NULL
-	 * @return			SUCCESS, or NOT_FOUND if list is empty
-	 */
-	status_t (*remove_first) (linked_list_t *this, void **item);
-
-	/**
-	 * Inserts a new item before the item the enumerator currently points to.
-	 *
-	 * If this method is called before starting the enumeration the item is
-	 * inserted first. If it is called after all items have been enumerated
-	 * the item is inserted last. This is helpful when inserting items into
-	 * a sorted list.
-	 *
-	 * @note The position of the enumerator is not changed.
-	 *
-	 * @param enumerator	enumerator with position
-	 * @param item			item value to insert in list
-	 */
-	void (*insert_before)(linked_list_t *this, enumerator_t *enumerator,
-						  void *item);
-
-	/**
-	 * Replaces the item the enumerator currently points to with the given item.
-	 *
-	 * @param enumerator	enumerator with position
-	 * @param item			item value to replace current item with
-	 * @return				current item or NULL if the enumerator is at an
-	 *						invalid position
-	 */
-	void *(*replace)(linked_list_t *this, enumerator_t *enumerator, void *item);
-
-	/**
-	 * Remove an item from the list where the enumerator points to.
-	 *
-	 * @param enumerator enumerator with position
-	 */
-	void (*remove_at)(linked_list_t *this, enumerator_t *enumerator);
-
-	/**
-	 * Remove items from the list matching the given item.
-	 *
-	 * If a compare function is given, it is called for each item, with the
-	 * first parameter being the current list item and the second parameter
-	 * being the supplied item. Return TRUE from the compare function to remove
-	 * the item, return FALSE to keep it in the list.
-	 *
-	 * If compare is NULL, comparison is done by pointers.
-	 *
-	 * @param item		item to remove/pass to comparator
-	 * @param compare	compare function, or NULL
-	 * @return			number of removed items
-	 */
-	int (*remove)(linked_list_t *this, void *item, bool (*compare)(void*,void*));
-
-	/**
-	 * Returns the value of the first list item without removing it.
-	 *
-	 * @param item		returned value of first item
-	 * @return			SUCCESS, NOT_FOUND if list is empty
-	 */
-	status_t (*get_first) (linked_list_t *this, void **item);
-
-	/**
-	 * Inserts a new item at the end of the list.
-	 *
-	 * @param item		value to insert into list
-	 */
-	void (*insert_last) (linked_list_t *this, void *item);
-
-	/**
-	 * Removes the last item in the list and returns its value.
-	 *
-	 * @param item		returned value of last item, or NULL
-	 * @return			SUCCESS, NOT_FOUND if list is empty
-	 */
-	status_t (*remove_last) (linked_list_t *this, void **item);
-
-	/**
-	 * Returns the value of the last list item without removing it.
-	 *
-	 * @param item		returned value of last item
-	 * @return			SUCCESS, NOT_FOUND if list is empty
-	 */
-	status_t (*get_last) (linked_list_t *this, void **item);
-
-	/** Find the first matching element in the list.
-	 *
-	 * The first object passed to the match function is the current list item,
-	 * followed by the user supplied data.
-	 * If the supplied function returns TRUE this function returns SUCCESS, and
-	 * the current object is returned in the third parameter, otherwise,
-	 * the next item is checked.
-	 *
-	 * If match is NULL, *item and the current object are compared.
-	 *
-	 * @warning Only use pointers as user supplied data.
-	 *
-	 * @param match			comparison function to call on each object, or NULL
-	 * @param item			the list item, if found
-	 * @param ...			user data to supply to match function (limited to 5 arguments)
-	 * @return				SUCCESS if found, NOT_FOUND otherwise
-	 */
-	status_t (*find_first) (linked_list_t *this, linked_list_match_t match,
-							void **item, ...);
-
-	/** Find the last matching element in the list.
-	 *
-	 * The first object passed to the match function is the current list item,
-	 * followed by the user supplied data.
-	 * If the supplied function returns TRUE this function returns SUCCESS, and
-	 * the current object is returned in the third parameter, otherwise,
-	 * the next item is checked.
-	 *
-	 * If match is NULL, *item and the current object are compared.
-	 *
-	 * @warning Only use pointers as user supplied data.
-	 *
-	 * @param match			comparison function to call on each object, or NULL
-	 * @param item			the list item, if found
-	 * @param ...			user data to supply to match function (limited to 5 arguments)
-	 * @return				SUCCESS if found, NOT_FOUND otherwise
-	 */
-	status_t (*find_last) (linked_list_t *this, linked_list_match_t match,
-						   void **item, ...);
-
-	/**
-	 * Invoke a method on all of the contained objects.
-	 *
-	 * If a linked list contains objects with function pointers,
-	 * invoke() can call a method on each of the objects. The
-	 * method is specified by an offset of the function pointer,
-	 * which can be evalutated at compile time using the offsetof
-	 * macro, e.g.: list->invoke(list, offsetof(object_t, method));
-	 *
-	 * @warning Only use pointers as user supplied data.
-	 *
-	 * @param offset	offset of the method to invoke on objects
-	 * @param ...		user data to supply to called function (limited to 5 arguments)
-	 */
-	void (*invoke_offset) (linked_list_t *this, size_t offset, ...);
-
-	/**
-	 * Invoke a function on all of the contained objects.
-	 *
-	 * @warning Only use pointers as user supplied data.
-	 *
-	 * @param function	offset of the method to invoke on objects
-	 * @param ...		user data to supply to called function (limited to 5 arguments)
-	 */
-	void (*invoke_function) (linked_list_t *this, linked_list_invoke_t function, ...);
-
-	/**
-	 * Clones a list and its objects using the objects' clone method.
-	 *
-	 * @param offset	offset ot the objects clone function
-	 * @return			cloned list
-	 */
-	linked_list_t *(*clone_offset) (linked_list_t *this, size_t offset);
-
-	/**
-	 * Clones a list and its objects using a given function.
-	 *
-	 * @param function	function that clones an object
-	 * @return			cloned list
-	 */
-	linked_list_t *(*clone_function) (linked_list_t *this, void*(*)(void*));
-
-	/**
-	 * Destroys a linked_list object.
-	 */
-	void (*destroy) (linked_list_t *this);
-
-	/**
-	 * Destroys a list and its objects using the destructor.
-	 *
-	 * If a linked list and the contained objects should be destroyed, use
-	 * destroy_offset. The supplied offset specifies the destructor to
-	 * call on each object. The offset may be calculated using the offsetof
-	 * macro, e.g.: list->destroy_offset(list, offsetof(object_t, destroy));
-	 *
-	 * @param offset	offset of the objects destructor
-	 */
-	void (*destroy_offset) (linked_list_t *this, size_t offset);
-
-	/**
-	 * Destroys a list and its contents using a a cleanup function.
-	 *
-	 * If a linked list and its contents should get destroyed using a specific
-	 * cleanup function, use destroy_function. This is useful when the
-	 * list contains malloc()-ed blocks which should get freed,
-	 * e.g.: list->destroy_function(list, free);
-	 *
-	 * @param function	function to call on each object
-	 */
-	void (*destroy_function) (linked_list_t *this, void (*)(void*));
-};
-
-/**
- * Creates an empty linked list object.
- *
- * @return		linked_list_t object.
- */
-linked_list_t *linked_list_create(void);
-
-/**
- * Creates a linked list from an enumerator.
- *
- * @param enumerator	enumerator over void*, gets destroyed
- * @return				linked_list_t object, containing enumerated values
- */
-linked_list_t *linked_list_create_from_enumerator(enumerator_t *enumerator);
-
-/**
- * Creates a linked list from a NULL terminated vararg list of items.
- *
- * @param first			first item
- * @param ...			subsequent items, terminated by NULL
- * @return				linked_list_t object, containing passed items
- */
-linked_list_t *linked_list_create_with_items(void *first, ...);
-
-#endif /** LINKED_LIST_H_ @}*/
diff --git a/src/libstrongswan/utils/optionsfrom.c b/src/libstrongswan/utils/optionsfrom.c
index 5fd4cfd4d..117071351 100644
--- a/src/libstrongswan/utils/optionsfrom.c
+++ b/src/libstrongswan/utils/optionsfrom.c
@@ -2,22 +2,22 @@
  * Copyright (C) 2007-2008 Andreas Steffen
  * Hochschule fuer Technik Rapperswil
  *
- * This library is free software; you can redistribute it and/or modify it
- * under the terms of the GNU Library General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/lgpl.txt>.
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
  *
- * This library is distributed in the hope that it will be useful, but
+ * This program is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Library General Public
- * License for more details.
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
  */
 
 #include <stdio.h>
 #include <errno.h>
 
 #include <library.h>
-#include <debug.h>
+#include <utils/debug.h>
 #include <utils/lexparser.h>
 
 #include "optionsfrom.h"
diff --git a/src/libstrongswan/utils/packet.c b/src/libstrongswan/utils/packet.c
deleted file mode 100644
index a2c329d60..000000000
--- a/src/libstrongswan/utils/packet.c
+++ /dev/null
@@ -1,163 +0,0 @@
-/*
- * Copyright (C) 2012 Tobias Brunner
- * Copyright (C) 2005-2006 Martin Willi
- * Copyright (C) 2005 Jan Hutter
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include "packet.h"
-
-typedef struct private_packet_t private_packet_t;
-
-/**
- * Private data of an packet_t object.
- */
-struct private_packet_t {
-
-	/**
-	 * Public part of a packet_t object.
-	 */
-	packet_t public;
-
-	/**
-	 * source address
-	 */
-	host_t *source;
-
-	/**
-	 * destination address
-	 */
-	host_t *destination;
-
-	 /**
-	  * message data
-	  */
-	chunk_t data;
-
-	/**
-	 * actual chunk returned from get_data, adjusted when skip_bytes is called
-	 */
-	chunk_t adjusted_data;
-};
-
-METHOD(packet_t, set_source, void,
-	private_packet_t *this, host_t *source)
-{
-	DESTROY_IF(this->source);
-	this->source = source;
-}
-
-METHOD(packet_t, set_destination, void,
-	private_packet_t *this, host_t *destination)
-{
-	DESTROY_IF(this->destination);
-	this->destination = destination;
-}
-
-METHOD(packet_t, get_source, host_t*,
-	private_packet_t *this)
-{
-	return this->source;
-}
-
-METHOD(packet_t, get_destination, host_t*,
-	private_packet_t *this)
-{
-	return this->destination;
-}
-
-METHOD(packet_t, get_data, chunk_t,
-	private_packet_t *this)
-{
-	return this->adjusted_data;
-}
-
-METHOD(packet_t, set_data, void,
-	private_packet_t *this, chunk_t data)
-{
-	free(this->data.ptr);
-	this->adjusted_data = this->data = data;
-}
-
-METHOD(packet_t, skip_bytes, void,
-	private_packet_t *this, size_t bytes)
-{
-	this->adjusted_data = chunk_skip(this->adjusted_data, bytes);
-}
-
-METHOD(packet_t, destroy, void,
-	private_packet_t *this)
-{
-	DESTROY_IF(this->source);
-	DESTROY_IF(this->destination);
-	free(this->data.ptr);
-	free(this);
-}
-
-METHOD(packet_t, clone_, packet_t*,
-	private_packet_t *this)
-{
-	packet_t *other;
-
-	other = packet_create();
-	if (this->destination)
-	{
-		other->set_destination(other,
-							   this->destination->clone(this->destination));
-	}
-	if (this->source)
-	{
-		other->set_source(other, this->source->clone(this->source));
-	}
-	if (this->data.ptr)
-	{
-		other->set_data(other, chunk_clone(this->adjusted_data));
-	}
-	return other;
-}
-
-/**
- * Described in header.
- */
-packet_t *packet_create_from_data(host_t *src, host_t *dst, chunk_t data)
-{
-	private_packet_t *this;
-
-	INIT(this,
-		.public = {
-			.set_data = _set_data,
-			.get_data = _get_data,
-			.set_source = _set_source,
-			.get_source = _get_source,
-			.set_destination = _set_destination,
-			.get_destination = _get_destination,
-			.skip_bytes = _skip_bytes,
-			.clone = _clone_,
-			.destroy = _destroy,
-		},
-		.source = src,
-		.destination = dst,
-		.adjusted_data = data,
-		.data = data,
-	);
-
-	return &this->public;
-}
-
-/*
- * Described in header.
- */
-packet_t *packet_create()
-{
-	return packet_create_from_data(NULL, NULL, chunk_empty);
-}
diff --git a/src/libstrongswan/utils/packet.h b/src/libstrongswan/utils/packet.h
deleted file mode 100644
index 5c4440115..000000000
--- a/src/libstrongswan/utils/packet.h
+++ /dev/null
@@ -1,121 +0,0 @@
-/*
- * Copyright (C) 2012 Tobias Brunner
- * Copyright (C) 2005-2006 Martin Willi
- * Copyright (C) 2005 Jan Hutter
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup packet packet
- * @{ @ingroup utils
- */
-
-#ifndef PACKET_H_
-#define PACKET_H_
-
-typedef struct packet_t packet_t;
-
-#include <library.h>
-#include <utils/host.h>
-
-/**
- * Abstraction of an IP/UDP-Packet, contains data, sender and receiver.
- */
-struct packet_t {
-
-	/**
-	 * Set the source address.
-	 *
-	 * @param source	address to set as source (gets owned)
-	 */
-	void (*set_source)(packet_t *packet, host_t *source);
-
-	/**
-	 * Set the destination address.
-	 *
-	 * @param source	address to set as destination (gets owned)
-	 */
-	void (*set_destination)(packet_t *packet, host_t *destination);
-
-	/**
-	 * Get the source address.
-	 *
-	 * @return			source address (internal data)
-	 */
-	host_t *(*get_source)(packet_t *packet);
-
-	/**
-	 * Get the destination address.
-	 *
-	 * @return			destination address (internal data)
-	 */
-	host_t *(*get_destination)(packet_t *packet);
-
-	/**
-	 * Get the data from the packet.
-	 *
-	 * @return			chunk containing the data (internal data)
-	 */
-	chunk_t (*get_data)(packet_t *packet);
-
-	/**
-	 * Set the data in the packet.
-	 *
-	 * @param data		chunk with data to set (gets owned)
-	 */
-	void (*set_data)(packet_t *packet, chunk_t data);
-
-	/**
-	 * Increase the offset where the actual packet data starts.
-	 *
-	 * The total offset applies to future calls of get_data() and clone().
-	 *
-	 * @note The offset is reset to 0 when set_data() is called.
-	 *
-	 * @param bytes		the number of additional bytes to skip
-	 */
-	void (*skip_bytes)(packet_t *packet, size_t bytes);
-
-	/**
-	 * Clones a packet_t object.
-	 *
-	 * @note Data is cloned without skipped bytes.
-	 *
-	 * @param clone		clone of the packet
-	 */
-	packet_t* (*clone)(packet_t *packet);
-
-	/**
-	 * Destroy the packet, freeing contained data.
-	 */
-	void (*destroy)(packet_t *packet);
-};
-
-/**
- * Create an empty packet
- *
- * @return packet_t object
- */
-packet_t *packet_create();
-
-/**
- * Create a packet from the supplied data
- *
- * @param src			source address (gets owned)
- * @param dst			destination address (gets owned)
- * @param data			packet data (gets owned)
- * @return packet_t object
- */
-packet_t *packet_create_from_data(host_t *src, host_t *dst, chunk_t data);
-
-#endif /** PACKET_H_ @}*/
diff --git a/src/libstrongswan/utils/printf_hook.c b/src/libstrongswan/utils/printf_hook.c
new file mode 100644
index 000000000..6e51aa4c3
--- /dev/null
+++ b/src/libstrongswan/utils/printf_hook.c
@@ -0,0 +1,511 @@
+/*
+ * Copyright (C) 2009 Tobias Brunner
+ * Copyright (C) 2006-2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "printf_hook.h"
+
+#include "utils.h"
+#include "debug.h"
+
+#include <stdio.h>
+#include <stdarg.h>
+#include <string.h>
+
+typedef struct private_printf_hook_t private_printf_hook_t;
+typedef struct printf_hook_handler_t printf_hook_handler_t;
+
+#define PRINTF_BUF_LEN 8192
+#define ARGS_MAX 3
+
+/**
+ * private data of printf_hook
+ */
+struct private_printf_hook_t {
+
+	/**
+	 * public functions
+	 */
+	printf_hook_t public;
+};
+
+/**
+ * struct with information about a registered handler
+ */
+struct printf_hook_handler_t {
+
+	/**
+	 * callback function
+	 */
+	printf_hook_function_t hook;
+
+	/**
+	 * number of arguments
+	 */
+	int numargs;
+
+	/**
+	 * types of the arguments
+	 */
+	int argtypes[ARGS_MAX];
+
+#ifdef USE_VSTR
+	/**
+	 * name required for Vstr
+	 */
+	char *name;
+#endif
+};
+
+/* A-Z | 6 other chars | a-z */
+#define NUM_HANDLERS 58
+static printf_hook_handler_t *printf_hooks[NUM_HANDLERS];
+
+#define SPEC_TO_INDEX(spec) ((int)(spec) - (int)'A')
+#define IS_VALID_SPEC(spec) (SPEC_TO_INDEX(spec) > -1 && SPEC_TO_INDEX(spec) < NUM_HANDLERS)
+
+#if !defined(USE_VSTR) && \
+	(defined(HAVE_PRINTF_FUNCTION) || defined(HAVE_PRINTF_SPECIFIER))
+
+/**
+ * Printf hook print function. This is actually of type "printf_function",
+ * however glibc does it typedef to function, but uclibc to a pointer.
+ * So we redefine it here.
+ */
+static int custom_print(FILE *stream, const struct printf_info *info,
+						const void *const *args)
+{
+	printf_hook_spec_t spec;
+	printf_hook_handler_t *handler = printf_hooks[SPEC_TO_INDEX(info->spec)];
+	printf_hook_data_t data = {
+		.stream = stream,
+	};
+
+	spec.hash = info->alt;
+	spec.plus = info->showsign;
+	spec.minus = info->left;
+	spec.width = info->width;
+
+	return handler->hook(&data, &spec, args);
+}
+
+/**
+ * Printf hook arginfo function, which is actually of type
+ * "printf_arginfo_[size_]function".
+ */
+static int custom_arginfo(const struct printf_info *info, size_t n, int *argtypes
+#ifdef HAVE_PRINTF_SPECIFIER
+						  , int *size
+#endif
+						  )
+{
+	int i;
+	printf_hook_handler_t *handler = printf_hooks[SPEC_TO_INDEX(info->spec)];
+
+	if (handler->numargs <= n)
+	{
+		for (i = 0; i < handler->numargs; ++i)
+		{
+			argtypes[i] = handler->argtypes[i];
+		}
+	}
+	/* we never set "size", as we have no user defined types */
+	return handler->numargs;
+}
+
+#else
+
+#include <errno.h>
+#include <unistd.h> /* for STDOUT_FILENO */
+
+/**
+ * These are used below, whenever the public wrapper functions are called before
+ * initialization or after destruction.
+ */
+#undef vprintf
+#undef vfprintf
+#undef vsnprintf
+
+/**
+ * Vstr custom format specifier callback function.
+ */
+static int custom_fmt_cb(Vstr_base *base, size_t pos, Vstr_fmt_spec *fmt_spec)
+{
+	int i;
+	const void *args[ARGS_MAX];
+	printf_hook_spec_t spec;
+	printf_hook_handler_t *handler = printf_hooks[SPEC_TO_INDEX(fmt_spec->name[0])];
+	printf_hook_data_t data = {
+		.base = base,
+		.pos = pos,
+	};
+
+	for (i = 0; i < handler->numargs; i++)
+	{
+		switch(handler->argtypes[i])
+		{
+			case PRINTF_HOOK_ARGTYPE_INT:
+				args[i] = VSTR_FMT_CB_ARG_PTR(fmt_spec, i);
+				break;
+			case PRINTF_HOOK_ARGTYPE_POINTER:
+				args[i] = &VSTR_FMT_CB_ARG_PTR(fmt_spec, i);
+				break;
+		}
+	}
+
+	spec.hash = fmt_spec->fmt_hash;
+	spec.plus = fmt_spec->fmt_plus;
+	spec.minus = fmt_spec->fmt_minus;
+	spec.width = fmt_spec->fmt_field_width;
+
+	handler->hook(&data, &spec, args);
+	return 1;
+}
+
+/**
+ * Add a custom format handler to the given Vstr_conf object
+ */
+static void vstr_fmt_add_handler(Vstr_conf *conf, printf_hook_handler_t *handler)
+{
+	int *at = handler->argtypes;
+	switch(handler->numargs)
+	{
+		case 1:
+			vstr_fmt_add(conf, handler->name, custom_fmt_cb, at[0],
+						 VSTR_TYPE_FMT_END);
+			break;
+		case 2:
+			vstr_fmt_add(conf, handler->name, custom_fmt_cb, at[0],
+						 at[1], VSTR_TYPE_FMT_END);
+			break;
+		case 3:
+			vstr_fmt_add(conf, handler->name, custom_fmt_cb, at[0],
+						 at[1], at[2], VSTR_TYPE_FMT_END);
+			break;
+	}
+}
+
+/**
+ * Management of thread-specific Vstr_conf objects
+ */
+#include <threading/thread_value.h>
+
+static thread_value_t *vstr_conf = NULL;
+
+static Vstr_conf *create_vstr_conf()
+{
+	int i;
+	Vstr_conf *conf = vstr_make_conf();
+	vstr_cntl_conf(conf, VSTR_CNTL_CONF_SET_FMT_CHAR_ESC, '%');
+	vstr_cntl_conf(conf, VSTR_CNTL_CONF_SET_TYPE_GRPALLOC_CACHE,
+						 VSTR_TYPE_CNTL_CONF_GRPALLOC_CSTR);
+	vstr_cntl_conf(conf, VSTR_CNTL_CONF_SET_NUM_BUF_SZ, PRINTF_BUF_LEN);
+	for (i = 0; i < NUM_HANDLERS; ++i)
+	{
+		printf_hook_handler_t *handler = printf_hooks[i];
+		if (handler)
+		{
+			vstr_fmt_add_handler(conf, handler);
+		}
+	}
+	return conf;
+}
+
+static inline Vstr_conf *get_vstr_conf()
+{
+	Vstr_conf *conf = NULL;
+	if (vstr_conf)
+	{
+		conf = (Vstr_conf*)vstr_conf->get(vstr_conf);
+		if (!conf)
+		{
+			conf = create_vstr_conf();
+			vstr_conf->set(vstr_conf, conf);
+		}
+	}
+	return conf;
+}
+
+/**
+ * Described in header
+ */
+size_t vstr_print_in_hook(struct Vstr_base *base, size_t pos, const char *fmt,
+						  ...)
+{
+	va_list args;
+	int written;
+
+	va_start(args, fmt);
+	written = vstr_add_vfmt(base, pos, fmt, args);
+	va_end(args);
+	return written;
+}
+
+/**
+ * Wrapper functions for printf and alike
+ */
+int vstr_wrapper_printf(const char *format, ...)
+{
+	int written;
+	va_list args;
+	va_start(args, format);
+	written = vstr_wrapper_vprintf(format, args);
+	va_end(args);
+	return written;
+}
+int vstr_wrapper_fprintf(FILE *stream, const char *format, ...)
+{
+	int written;
+	va_list args;
+	va_start(args, format);
+	written = vstr_wrapper_vfprintf(stream, format, args);
+	va_end(args);
+	return written;
+}
+int vstr_wrapper_sprintf(char *str, const char *format, ...)
+{
+	int written;
+	va_list args;
+	va_start(args, format);
+	written = vstr_wrapper_vsprintf(str, format, args);
+	va_end(args);
+	return written;
+}
+int vstr_wrapper_snprintf(char *str, size_t size, const char *format, ...)
+{
+	int written;
+	va_list args;
+	va_start(args, format);
+	written = vstr_wrapper_vsnprintf(str, size, format, args);
+	va_end(args);
+	return written;
+}
+int vstr_wrapper_asprintf(char **str, const char *format, ...)
+{
+	int written;
+	va_list args;
+	va_start(args, format);
+	written = vstr_wrapper_vasprintf(str, format, args);
+	va_end(args);
+	return written;
+}
+static inline int vstr_wrapper_vprintf_internal(Vstr_conf *conf, int fd,
+												const char *format,
+												va_list args)
+{
+	int written;
+	Vstr_base *s = vstr_make_base(conf);
+	vstr_add_vfmt(s, 0, format, args);
+	written = s->len;
+	while (s->len)
+	{
+		if (!vstr_sc_write_fd(s, 1, s->len, fd, NULL))
+		{
+			if (errno != EAGAIN && errno != EINTR)
+			{
+				written -= s->len;
+				break;
+			}
+		}
+	}
+	vstr_free_base(s);
+	return written;
+}
+int vstr_wrapper_vprintf(const char *format, va_list args)
+{
+	Vstr_conf *conf = get_vstr_conf();
+	if (conf)
+	{
+		return vstr_wrapper_vprintf_internal(conf, STDOUT_FILENO, format, args);
+	}
+	return vprintf(format, args);
+}
+int vstr_wrapper_vfprintf(FILE *stream, const char *format, va_list args)
+{
+	Vstr_conf *conf = get_vstr_conf();
+	if (conf)
+	{
+		return vstr_wrapper_vprintf_internal(conf, fileno(stream), format,
+											 args);
+	}
+	return vfprintf(stream, format, args);
+}
+static inline int vstr_wrapper_vsnprintf_internal(char *str, size_t size,
+												  const char *format,
+												  va_list args)
+{
+	Vstr_conf *conf = get_vstr_conf();
+	if (conf)
+	{
+		int written;
+		Vstr_base *s = vstr_make_base(conf);
+		vstr_add_vfmt(s, 0, format, args);
+		written = s->len;
+		vstr_export_cstr_buf(s, 1, s->len, str, (size > 0) ? size : s->len + 1);
+		vstr_free_base(s);
+		return written;
+	}
+	return vsnprintf(str, size, format, args);
+}
+int vstr_wrapper_vsprintf(char *str, const char *format, va_list args)
+{
+	return vstr_wrapper_vsnprintf_internal(str, 0, format, args);
+}
+int vstr_wrapper_vsnprintf(char *str, size_t size, const char *format,
+						   va_list args)
+{
+	return (size > 0) ? vstr_wrapper_vsnprintf_internal(str, size, format, args) : 0;
+}
+int vstr_wrapper_vasprintf(char **str, const char *format, va_list args)
+{
+	size_t len = 100;
+	int written;
+	*str = malloc(len);
+	while (TRUE)
+	{
+		va_list ac;
+		va_copy(ac, args);
+		written = vstr_wrapper_vsnprintf_internal(*str, len, format, ac);
+		va_end(ac);
+		if (written < len)
+		{
+			break;
+		}
+		len = written + 1;
+		*str = realloc(*str, len);
+	}
+	return written;
+}
+#endif
+
+METHOD(printf_hook_t, add_handler, void,
+	private_printf_hook_t *this, char spec,
+						printf_hook_function_t hook, ...)
+{
+	int i = -1;
+	printf_hook_handler_t *handler;
+	printf_hook_argtype_t argtype;
+	va_list args;
+
+	if (!IS_VALID_SPEC(spec))
+	{
+		DBG1(DBG_LIB, "'%c' is not a valid printf hook specifier, "
+			 "not registered!", spec);
+		return;
+	}
+
+	handler = malloc_thing(printf_hook_handler_t);
+	handler->hook = hook;
+
+	va_start(args, hook);
+	while ((argtype = va_arg(args, printf_hook_argtype_t)) != PRINTF_HOOK_ARGTYPE_END)
+	{
+		if (++i >= ARGS_MAX)
+		{
+			DBG1(DBG_LIB, "Too many arguments for printf hook with "
+				 "specifier '%c', not registered!", spec);
+			va_end(args);
+			free(handler);
+			return;
+		}
+		handler->argtypes[i] = argtype;
+	}
+	va_end(args);
+
+	handler->numargs = i + 1;
+
+	if (handler->numargs > 0)
+	{
+#if !defined(USE_VSTR) && \
+	(defined(HAVE_PRINTF_FUNCTION) || defined(HAVE_PRINTF_SPECIFIER))
+#	ifdef HAVE_PRINTF_SPECIFIER
+		register_printf_specifier(spec, custom_print, custom_arginfo);
+#	else
+		register_printf_function(spec, custom_print, custom_arginfo);
+#	endif
+#else
+		Vstr_conf *conf = get_vstr_conf();
+		handler->name = malloc(2);
+		handler->name[0] = spec;
+		handler->name[1] = '\0';
+		vstr_fmt_add_handler(conf, handler);
+#endif
+		printf_hooks[SPEC_TO_INDEX(spec)] = handler;
+	}
+	else
+	{
+		free(handler);
+	}
+}
+
+METHOD(printf_hook_t, destroy, void,
+	private_printf_hook_t *this)
+{
+	int i;
+#ifdef USE_VSTR
+	Vstr_conf *conf = get_vstr_conf();
+#endif
+
+	for (i = 0; i < NUM_HANDLERS; ++i)
+	{
+		printf_hook_handler_t *handler = printf_hooks[i];
+		if (handler)
+		{
+#ifdef USE_VSTR
+			vstr_fmt_del(conf, handler->name);
+			free(handler->name);
+#endif
+			free(handler);
+		}
+	}
+
+#ifdef USE_VSTR
+	/* freeing the Vstr_conf of the main thread */
+	vstr_conf->destroy(vstr_conf);
+	vstr_conf = NULL;
+	vstr_free_conf(conf);
+	vstr_exit();
+#endif
+	free(this);
+}
+
+/*
+ * see header file
+ */
+printf_hook_t *printf_hook_create()
+{
+	private_printf_hook_t *this;
+
+	INIT(this,
+		.public = {
+			.add_handler = _add_handler,
+			.destroy = _destroy,
+		},
+	);
+
+	memset(printf_hooks, 0, sizeof(printf_hooks));
+
+#ifdef USE_VSTR
+	if (!vstr_init())
+	{
+		DBG1(DBG_LIB, "failed to initialize Vstr library!");
+		free(this);
+		return NULL;
+	}
+	vstr_conf = thread_value_create((thread_cleanup_t)vstr_free_conf);
+#endif
+
+	return &this->public;
+}
+
diff --git a/src/libstrongswan/utils/printf_hook.h b/src/libstrongswan/utils/printf_hook.h
new file mode 100644
index 000000000..1425910be
--- /dev/null
+++ b/src/libstrongswan/utils/printf_hook.h
@@ -0,0 +1,247 @@
+/*
+ * Copyright (C) 2009 Tobias Brunner
+ * Copyright (C) 2006-2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup printf_hook printf_hook
+ * @{ @ingroup utils
+ */
+
+#ifndef PRINTF_HOOK_H_
+#define PRINTF_HOOK_H_
+
+typedef struct printf_hook_t printf_hook_t;
+typedef struct printf_hook_spec_t printf_hook_spec_t;
+typedef struct printf_hook_data_t printf_hook_data_t;
+typedef enum printf_hook_argtype_t printf_hook_argtype_t;
+
+#if !defined(USE_VSTR) && \
+	!defined(HAVE_PRINTF_FUNCTION) && \
+	!defined(HAVE_PRINTF_SPECIFIER)
+/* assume newer glibc register_printf_specifier if none given */
+#define HAVE_PRINTF_SPECIFIER
+#endif
+
+#if !defined(USE_VSTR) && \
+	(defined(HAVE_PRINTF_FUNCTION) || defined(HAVE_PRINTF_SPECIFIER))
+
+#include <stdio.h>
+#include <printf.h>
+
+enum printf_hook_argtype_t {
+	PRINTF_HOOK_ARGTYPE_END = -1,
+	PRINTF_HOOK_ARGTYPE_INT = PA_INT,
+	PRINTF_HOOK_ARGTYPE_POINTER = PA_POINTER,
+};
+
+/**
+ * Data to pass to a printf hook.
+ */
+struct printf_hook_data_t {
+
+	/**
+	 * Output FILE stream
+	 */
+	FILE *stream;;
+};
+
+/**
+ * Helper macro to be used in printf hook callbacks.
+ */
+#define print_in_hook(data, fmt, ...) ({\
+	ssize_t _written = fprintf(data->stream, fmt, ##__VA_ARGS__);\
+	if (_written < 0)\
+	{\
+		_written = 0;\
+	}\
+	_written;\
+})
+
+#else
+
+#include <vstr.h>
+
+enum printf_hook_argtype_t {
+	PRINTF_HOOK_ARGTYPE_END = VSTR_TYPE_FMT_END,
+	PRINTF_HOOK_ARGTYPE_INT = VSTR_TYPE_FMT_INT,
+	PRINTF_HOOK_ARGTYPE_POINTER = VSTR_TYPE_FMT_PTR_VOID,
+};
+
+/**
+ * Redefining printf and alike
+ */
+#include <stdio.h>
+#include <stdarg.h>
+
+int vstr_wrapper_printf(const char *format, ...);
+int vstr_wrapper_fprintf(FILE *stream, const char *format, ...);
+int vstr_wrapper_sprintf(char *str, const char *format, ...);
+int vstr_wrapper_snprintf(char *str, size_t size, const char *format, ...);
+int vstr_wrapper_asprintf(char **str, const char *format, ...);
+
+int vstr_wrapper_vprintf(const char *format, va_list ap);
+int vstr_wrapper_vfprintf(FILE *stream, const char *format, va_list ap);
+int vstr_wrapper_vsprintf(char *str, const char *format, va_list ap);
+int vstr_wrapper_vsnprintf(char *str, size_t size, const char *format, va_list ap);
+int vstr_wrapper_vasprintf(char **str, const char *format, va_list ap);
+
+#ifdef printf
+#undef printf
+#endif
+#ifdef fprintf
+#undef fprintf
+#endif
+#ifdef sprintf
+#undef sprintf
+#endif
+#ifdef snprintf
+#undef snprintf
+#endif
+#ifdef asprintf
+#undef asprintf
+#endif
+#ifdef vprintf
+#undef vprintf
+#endif
+#ifdef vfprintf
+#undef vfprintf
+#endif
+#ifdef vsprintf
+#undef vsprintf
+#endif
+#ifdef vsnprintf
+#undef vsnprintf
+#endif
+#ifdef vasprintf
+#undef vasprintf
+#endif
+
+#define printf vstr_wrapper_printf
+#define fprintf vstr_wrapper_fprintf
+#define sprintf vstr_wrapper_sprintf
+#define snprintf vstr_wrapper_snprintf
+#define asprintf vstr_wrapper_asprintf
+
+#define vprintf vstr_wrapper_vprintf
+#define vfprintf vstr_wrapper_vfprintf
+#define vsprintf vstr_wrapper_vsprintf
+#define vsnprintf vstr_wrapper_vsnprintf
+#define vasprintf vstr_wrapper_vasprintf
+
+/**
+ * Data to pass to a printf hook.
+ */
+struct printf_hook_data_t {
+
+	/**
+	 * Base to append printf to
+	 */
+	Vstr_base *base;
+
+	/**
+	 * Position in base to write to
+	 */
+	size_t pos;
+};
+
+/**
+ * Wrapper around vstr_add_vfmt(), avoids having to link all users of
+ * print_in_hook() against libvstr.
+ *
+ * @param base		Vstr_string to add string to
+ * @param pos		position to write to
+ * @param fmt		format string
+ * @param ...		arguments
+ * @return			number of characters written
+ */
+size_t vstr_print_in_hook(struct Vstr_base *base, size_t pos, const char *fmt,
+						  ...);
+
+/**
+ * Helper macro to be used in printf hook callbacks.
+ */
+#define print_in_hook(data, fmt, ...) ({\
+	size_t _written; \
+	_written = vstr_print_in_hook(data->base, data->pos, fmt, ##__VA_ARGS__);\
+	data->pos += _written;\
+	_written;\
+})
+
+#endif
+
+/**
+ * Callback function type for printf hooks.
+ *
+ * @param data		hook data, to pass to print_in_hook()
+ * @param spec		format specifier
+ * @param args		arguments array
+ * @return			number of characters written
+ */
+typedef int (*printf_hook_function_t)(printf_hook_data_t *data,
+									  printf_hook_spec_t *spec,
+									  const void *const *args);
+
+/**
+ * Properties of the format specifier
+ */
+struct printf_hook_spec_t {
+	/**
+	 * TRUE if a '#' was used in the format specifier
+	 */
+	int hash;
+
+	/**
+	 * TRUE if a '-' was used in the format specifier
+	 */
+	int minus;
+
+	/**
+	 * TRUE if a '+' was used in the format specifier
+	 */
+	int plus;
+
+	/**
+	 * The width as given in the format specifier.
+	 */
+	int width;
+};
+
+/**
+ * Printf handler management.
+ */
+struct printf_hook_t {
+
+	/**
+	 * Register a printf handler.
+	 *
+	 * @param spec		printf hook format character
+	 * @param hook		hook function
+	 * @param ...		list of PRINTF_HOOK_ARGTYPE_*, MUST end with PRINTF_HOOK_ARGTYPE_END
+	 */
+	void (*add_handler)(printf_hook_t *this, char spec,
+						printf_hook_function_t hook, ...);
+
+	/**
+	 * Destroy a printf_hook instance.
+	 */
+	void (*destroy)(printf_hook_t *this);
+};
+
+/**
+ * Create a printf_hook instance.
+ */
+printf_hook_t *printf_hook_create();
+
+#endif /** PRINTF_HOOK_H_ @}*/
diff --git a/src/libstrongswan/utils/settings.c b/src/libstrongswan/utils/settings.c
new file mode 100644
index 000000000..712ea6ee2
--- /dev/null
+++ b/src/libstrongswan/utils/settings.c
@@ -0,0 +1,1227 @@
+/*
+ * Copyright (C) 2010 Tobias Brunner
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#define _GNU_SOURCE
+#include <string.h>
+#include <stdarg.h>
+#include <stdio.h>
+#include <errno.h>
+#include <limits.h>
+#include <libgen.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <unistd.h>
+
+#ifdef HAVE_GLOB_H
+#include <glob.h>
+#endif /* HAVE_GLOB_H */
+
+#include "settings.h"
+
+#include "collections/linked_list.h"
+#include "threading/rwlock.h"
+#include "utils/debug.h"
+
+#define MAX_INCLUSION_LEVEL		10
+
+typedef struct private_settings_t private_settings_t;
+typedef struct section_t section_t;
+typedef struct kv_t kv_t;
+
+/**
+ * private data of settings
+ */
+struct private_settings_t {
+
+	/**
+	 * public functions
+	 */
+	settings_t public;
+
+	/**
+	 * top level section
+	 */
+	section_t *top;
+
+	/**
+	 * contents of loaded files and in-memory settings (char*)
+	 */
+	linked_list_t *contents;
+
+	/**
+	 * lock to safely access the settings
+	 */
+	rwlock_t *lock;
+};
+
+/**
+ * section containing subsections and key value pairs
+ */
+struct section_t {
+
+	/**
+	 * name of the section
+	 */
+	char *name;
+
+	/**
+	 * subsections, as section_t
+	 */
+	linked_list_t *sections;
+
+	/**
+	 * key value pairs, as kv_t
+	 */
+	linked_list_t *kv;
+};
+
+/**
+ * Key value pair
+ */
+struct kv_t {
+
+	/**
+	 * key string, relative
+	 */
+	char *key;
+
+	/**
+	 * value as string
+	 */
+	char *value;
+};
+
+/**
+ * create a key/value pair
+ */
+static kv_t *kv_create(char *key, char *value)
+{
+	kv_t *this;
+	INIT(this,
+		.key = strdup(key),
+		.value = value,
+	);
+	return this;
+}
+
+/**
+ * destroy a key/value pair
+ */
+static void kv_destroy(kv_t *this)
+{
+	free(this->key);
+	free(this);
+}
+
+/**
+ * create a section with the given name
+ */
+static section_t *section_create(char *name)
+{
+	section_t *this;
+	INIT(this,
+		.name = strdupnull(name),
+		.sections = linked_list_create(),
+		.kv = linked_list_create(),
+	);
+	return this;
+}
+
+/**
+ * destroy a section
+ */
+static void section_destroy(section_t *this)
+{
+	this->kv->destroy_function(this->kv, (void*)kv_destroy);
+	this->sections->destroy_function(this->sections, (void*)section_destroy);
+	free(this->name);
+	free(this);
+}
+
+/**
+ * Purge contents of a section
+ */
+static void section_purge(section_t *this)
+{
+	this->kv->destroy_function(this->kv, (void*)kv_destroy);
+	this->kv = linked_list_create();
+	this->sections->destroy_function(this->sections, (void*)section_destroy);
+	this->sections = linked_list_create();
+}
+
+/**
+ * callback to find a section by name
+ */
+static bool section_find(section_t *this, char *name)
+{
+	return streq(this->name, name);
+}
+
+/**
+ * callback to find a kv pair by key
+ */
+static bool kv_find(kv_t *this, char *key)
+{
+	return streq(this->key, key);
+}
+
+/**
+ * Print a format key, but consume already processed arguments
+ */
+static bool print_key(char *buf, int len, char *start, char *key, va_list args)
+{
+	va_list copy;
+	bool res;
+	char *pos;
+
+	va_copy(copy, args);
+	while (start < key)
+	{
+		pos = strchr(start, '%');
+		if (!pos)
+		{
+			start += strlen(start) + 1;
+			continue;
+		}
+		pos++;
+		switch (*pos)
+		{
+			case 'd':
+				va_arg(copy, int);
+				break;
+			case 's':
+				va_arg(copy, char*);
+				break;
+			case 'N':
+				va_arg(copy, enum_name_t*);
+				va_arg(copy, int);
+				break;
+			case '%':
+				break;
+			default:
+				DBG1(DBG_CFG, "settings with %%%c not supported!", *pos);
+				break;
+		}
+		start = pos;
+		if (*start)
+		{
+			start++;
+		}
+	}
+	res = vsnprintf(buf, len, key, copy) < len;
+	va_end(copy);
+	return res;
+}
+
+/**
+ * Find a section by a given key, using buffered key, reusable buffer.
+ * If "ensure" is TRUE, the sections are created if they don't exist.
+ */
+static section_t *find_section_buffered(section_t *section,
+					char *start, char *key, va_list args, char *buf, int len,
+					bool ensure)
+{
+	char *pos;
+	section_t *found = NULL;
+
+	if (section == NULL)
+	{
+		return NULL;
+	}
+	pos = strchr(key, '.');
+	if (pos)
+	{
+		*pos = '\0';
+		pos++;
+	}
+	if (!print_key(buf, len, start, key, args))
+	{
+		return NULL;
+	}
+	if (section->sections->find_first(section->sections,
+									  (linked_list_match_t)section_find,
+									  (void**)&found, buf) != SUCCESS)
+	{
+		if (ensure)
+		{
+			found = section_create(buf);
+			section->sections->insert_last(section->sections, found);
+		}
+	}
+	if (found && pos)
+	{
+		return find_section_buffered(found, start, pos, args, buf, len, ensure);
+	}
+	return found;
+}
+
+/**
+ * Find a section by a given key (thread-safe).
+ */
+static section_t *find_section(private_settings_t *this, section_t *section,
+							   char *key, va_list args)
+{
+	char buf[128], keybuf[512];
+	section_t *found;
+
+	if (snprintf(keybuf, sizeof(keybuf), "%s", key) >= sizeof(keybuf))
+	{
+		return NULL;
+	}
+	this->lock->read_lock(this->lock);
+	found = find_section_buffered(section, keybuf, keybuf, args, buf,
+								  sizeof(buf), FALSE);
+	this->lock->unlock(this->lock);
+	return found;
+}
+
+/**
+ * Ensure that the section with the given key exists (thread-safe).
+ */
+static section_t *ensure_section(private_settings_t *this, section_t *section,
+								 char *key, va_list args)
+{
+	char buf[128], keybuf[512];
+	section_t *found;
+
+	if (snprintf(keybuf, sizeof(keybuf), "%s", key) >= sizeof(keybuf))
+	{
+		return NULL;
+	}
+	/* we might have to change the tree */
+	this->lock->write_lock(this->lock);
+	found = find_section_buffered(section, keybuf, keybuf, args, buf,
+								  sizeof(buf), TRUE);
+	this->lock->unlock(this->lock);
+	return found;
+}
+
+/**
+ * Find the key/value pair for a key, using buffered key, reusable buffer
+ * If "ensure" is TRUE, the sections (and key/value pair) are created if they
+ * don't exist.
+ */
+static kv_t *find_value_buffered(section_t *section, char *start, char *key,
+								 va_list args, char *buf, int len, bool ensure)
+{
+	char *pos;
+	kv_t *kv = NULL;
+	section_t *found = NULL;
+
+	if (section == NULL)
+	{
+		return NULL;
+	}
+
+	pos = strchr(key, '.');
+	if (pos)
+	{
+		*pos = '\0';
+		pos++;
+
+		if (!print_key(buf, len, start, key, args))
+		{
+			return NULL;
+		}
+		if (section->sections->find_first(section->sections,
+										  (linked_list_match_t)section_find,
+										  (void**)&found, buf) != SUCCESS)
+		{
+			if (!ensure)
+			{
+				return NULL;
+			}
+			found = section_create(buf);
+			section->sections->insert_last(section->sections, found);
+		}
+		return find_value_buffered(found, start, pos, args, buf, len,
+								   ensure);
+	}
+	else
+	{
+		if (!print_key(buf, len, start, key, args))
+		{
+			return NULL;
+		}
+		if (section->kv->find_first(section->kv, (linked_list_match_t)kv_find,
+									(void**)&kv, buf) != SUCCESS)
+		{
+			if (ensure)
+			{
+				kv = kv_create(buf, NULL);
+				section->kv->insert_last(section->kv, kv);
+			}
+		}
+	}
+	return kv;
+}
+
+/**
+ * Find the string value for a key (thread-safe).
+ */
+static char *find_value(private_settings_t *this, section_t *section,
+						char *key, va_list args)
+{
+	char buf[128], keybuf[512], *value = NULL;
+	kv_t *kv;
+
+	if (snprintf(keybuf, sizeof(keybuf), "%s", key) >= sizeof(keybuf))
+	{
+		return NULL;
+	}
+	this->lock->read_lock(this->lock);
+	kv = find_value_buffered(section, keybuf, keybuf, args, buf, sizeof(buf),
+							 FALSE);
+	if (kv)
+	{
+		value = kv->value;
+	}
+	this->lock->unlock(this->lock);
+	return value;
+}
+
+/**
+ * Set a value to a copy of the given string (thread-safe).
+ */
+static void set_value(private_settings_t *this, section_t *section,
+					  char *key, va_list args, char *value)
+{
+	char buf[128], keybuf[512];
+	kv_t *kv;
+
+	if (snprintf(keybuf, sizeof(keybuf), "%s", key) >= sizeof(keybuf))
+	{
+		return;
+	}
+	this->lock->write_lock(this->lock);
+	kv = find_value_buffered(section, keybuf, keybuf, args, buf, sizeof(buf),
+							 TRUE);
+	if (kv)
+	{
+		if (!value)
+		{
+			kv->value = NULL;
+		}
+		else if (kv->value && (strlen(value) <= strlen(kv->value)))
+		{	/* overwrite in-place, if possible */
+			strcpy(kv->value, value);
+		}
+		else
+		{	/* otherwise clone the string and store it in the cache */
+			kv->value = strdup(value);
+			this->contents->insert_last(this->contents, kv->value);
+		}
+	}
+	this->lock->unlock(this->lock);
+}
+
+METHOD(settings_t, get_str, char*,
+	   private_settings_t *this, char *key, char *def, ...)
+{
+	char *value;
+	va_list args;
+
+	va_start(args, def);
+	value = find_value(this, this->top, key, args);
+	va_end(args);
+	if (value)
+	{
+		return value;
+	}
+	return def;
+}
+
+/**
+ * Described in header
+ */
+inline bool settings_value_as_bool(char *value, bool def)
+{
+	if (value)
+	{
+		if (strcaseeq(value, "1") ||
+			strcaseeq(value, "yes") ||
+			strcaseeq(value, "true") ||
+			strcaseeq(value, "enabled"))
+		{
+			return TRUE;
+		}
+		else if (strcaseeq(value, "0") ||
+				 strcaseeq(value, "no") ||
+				 strcaseeq(value, "false") ||
+				 strcaseeq(value, "disabled"))
+		{
+			return FALSE;
+		}
+	}
+	return def;
+}
+
+METHOD(settings_t, get_bool, bool,
+	   private_settings_t *this, char *key, bool def, ...)
+{
+	char *value;
+	va_list args;
+
+	va_start(args, def);
+	value = find_value(this, this->top, key, args);
+	va_end(args);
+	return settings_value_as_bool(value, def);
+}
+
+/**
+ * Described in header
+ */
+inline int settings_value_as_int(char *value, int def)
+{
+	int intval;
+	if (value)
+	{
+		errno = 0;
+		intval = strtol(value, NULL, 10);
+		if (errno == 0)
+		{
+			return intval;
+		}
+	}
+	return def;
+}
+
+METHOD(settings_t, get_int, int,
+	   private_settings_t *this, char *key, int def, ...)
+{
+	char *value;
+	va_list args;
+
+	va_start(args, def);
+	value = find_value(this, this->top, key, args);
+	va_end(args);
+	return settings_value_as_int(value, def);
+}
+
+/**
+ * Described in header
+ */
+inline double settings_value_as_double(char *value, double def)
+{
+	double dval;
+	if (value)
+	{
+		errno = 0;
+		dval = strtod(value, NULL);
+		if (errno == 0)
+		{
+			return dval;
+		}
+	}
+	return def;
+}
+
+METHOD(settings_t, get_double, double,
+	   private_settings_t *this, char *key, double def, ...)
+{
+	char *value;
+	va_list args;
+
+	va_start(args, def);
+	value = find_value(this, this->top, key, args);
+	va_end(args);
+	return settings_value_as_double(value, def);
+}
+
+/**
+ * Described in header
+ */
+inline u_int32_t settings_value_as_time(char *value, u_int32_t def)
+{
+	char *endptr;
+	u_int32_t timeval;
+	if (value)
+	{
+		errno = 0;
+		timeval = strtoul(value, &endptr, 10);
+		if (errno == 0)
+		{
+			switch (*endptr)
+			{
+				case 'd':		/* time in days */
+					timeval *= 24 * 3600;
+					break;
+				case 'h':		/* time in hours */
+					timeval *= 3600;
+					break;
+				case 'm':		/* time in minutes */
+					timeval *= 60;
+					break;
+				case 's':		/* time in seconds */
+				default:
+					break;
+			}
+			return timeval;
+		}
+	}
+	return def;
+}
+
+METHOD(settings_t, get_time, u_int32_t,
+	   private_settings_t *this, char *key, u_int32_t def, ...)
+{
+	char *value;
+	va_list args;
+
+	va_start(args, def);
+	value = find_value(this, this->top, key, args);
+	va_end(args);
+	return settings_value_as_time(value, def);
+}
+
+METHOD(settings_t, set_str, void,
+	   private_settings_t *this, char *key, char *value, ...)
+{
+	va_list args;
+	va_start(args, value);
+	set_value(this, this->top, key, args, value);
+	va_end(args);
+}
+
+METHOD(settings_t, set_bool, void,
+	   private_settings_t *this, char *key, bool value, ...)
+{
+	va_list args;
+	va_start(args, value);
+	set_value(this, this->top, key, args, value ? "1" : "0");
+	va_end(args);
+}
+
+METHOD(settings_t, set_int, void,
+	   private_settings_t *this, char *key, int value, ...)
+{
+	char val[16];
+	va_list args;
+	va_start(args, value);
+	if (snprintf(val, sizeof(val), "%d", value) < sizeof(val))
+	{
+		set_value(this, this->top, key, args, val);
+	}
+	va_end(args);
+}
+
+METHOD(settings_t, set_double, void,
+	   private_settings_t *this, char *key, double value, ...)
+{
+	char val[64];
+	va_list args;
+	va_start(args, value);
+	if (snprintf(val, sizeof(val), "%f", value) < sizeof(val))
+	{
+		set_value(this, this->top, key, args, val);
+	}
+	va_end(args);
+}
+
+METHOD(settings_t, set_time, void,
+	   private_settings_t *this, char *key, u_int32_t value, ...)
+{
+	char val[16];
+	va_list args;
+	va_start(args, value);
+	if (snprintf(val, sizeof(val), "%u", value) < sizeof(val))
+	{
+		set_value(this, this->top, key, args, val);
+	}
+	va_end(args);
+}
+
+/**
+ * Enumerate section names, not sections
+ */
+static bool section_filter(void *null, section_t **in, char **out)
+{
+	*out = (*in)->name;
+	return TRUE;
+}
+
+METHOD(settings_t, create_section_enumerator, enumerator_t*,
+	   private_settings_t *this, char *key, ...)
+{
+	section_t *section;
+	va_list args;
+
+	va_start(args, key);
+	section = find_section(this, this->top, key, args);
+	va_end(args);
+
+	if (!section)
+	{
+		return enumerator_create_empty();
+	}
+	this->lock->read_lock(this->lock);
+	return enumerator_create_filter(
+				section->sections->create_enumerator(section->sections),
+				(void*)section_filter, this->lock, (void*)this->lock->unlock);
+}
+
+/**
+ * Enumerate key and values, not kv_t entries
+ */
+static bool kv_filter(void *null, kv_t **in, char **key,
+					  void *none, char **value)
+{
+	*key = (*in)->key;
+	*value = (*in)->value;
+	return TRUE;
+}
+
+METHOD(settings_t, create_key_value_enumerator, enumerator_t*,
+	   private_settings_t *this, char *key, ...)
+{
+	section_t *section;
+	va_list args;
+
+	va_start(args, key);
+	section = find_section(this, this->top, key, args);
+	va_end(args);
+
+	if (!section)
+	{
+		return enumerator_create_empty();
+	}
+	this->lock->read_lock(this->lock);
+	return enumerator_create_filter(
+					section->kv->create_enumerator(section->kv),
+					(void*)kv_filter, this->lock, (void*)this->lock->unlock);
+}
+
+/**
+ * parse text, truncate "skip" chars, delimited by term respecting brackets.
+ *
+ * Chars in "skip" are truncated at the beginning and the end of the resulting
+ * token. "term" contains a list of characters to read up to (first match),
+ * while "br" contains bracket counterparts found in "term" to skip.
+ */
+static char parse(char **text, char *skip, char *term, char *br, char **token)
+{
+	char *best = NULL;
+	char best_term = '\0';
+
+	/* skip leading chars */
+	while (strchr(skip, **text))
+	{
+		(*text)++;
+		if (!**text)
+		{
+			return 0;
+		}
+	}
+	/* mark begin of subtext */
+	*token = *text;
+	while (*term)
+	{
+		char *pos = *text;
+		int level = 1;
+
+		/* find terminator */
+		while (*pos)
+		{
+			if (*pos == *term)
+			{
+				level--;
+			}
+			else if (br && *pos == *br)
+			{
+				level++;
+			}
+			if (level == 0)
+			{
+				if (best == NULL || best > pos)
+				{
+					best = pos;
+					best_term = *term;
+				}
+				break;
+			}
+			pos++;
+		}
+		/* try next terminator */
+		term++;
+		if (br)
+		{
+			br++;
+		}
+	}
+	if (best)
+	{
+		/* update input */
+		*text = best;
+		/* null trailing bytes */
+		do
+		{
+			*best = '\0';
+			best--;
+		}
+		while (best >= *token && strchr(skip, *best));
+		/* return found terminator */
+		return best_term;
+	}
+	return 0;
+}
+
+/**
+ * Check if "text" starts with "pattern".
+ * Characters in "skip" are skipped first. If found, TRUE is returned and "text"
+ * is modified to point to the character right after "pattern".
+ */
+static bool starts_with(char **text, char *skip, char *pattern)
+{
+	char *pos = *text;
+	int len = strlen(pattern);
+	while (strchr(skip, *pos))
+	{
+		pos++;
+		if (!*pos)
+		{
+			return FALSE;
+		}
+	}
+	if (strlen(pos) < len || !strneq(pos, pattern, len))
+	{
+		return FALSE;
+	}
+	*text = pos + len;
+	return TRUE;
+}
+
+/**
+ * Check if what follows in "text" is an include statement.
+ * If this function returns TRUE, "text" will point to the character right after
+ * the include pattern, which is returned in "pattern".
+ */
+static bool parse_include(char **text, char **pattern)
+{
+	char *pos = *text;
+	if (!starts_with(&pos, "\n\t ", "include"))
+	{
+		return FALSE;
+	}
+	if (starts_with(&pos, "\t ", "="))
+	{	/* ignore "include = value" */
+		return FALSE;
+	}
+	*text = pos;
+	return parse(text, "\t ", "\n", NULL, pattern) != 0;
+}
+
+/**
+ * Forward declaration.
+ */
+static bool parse_files(linked_list_t *contents, char *file, int level,
+						char *pattern, section_t *section);
+
+/**
+ * Parse a section
+ */
+static bool parse_section(linked_list_t *contents, char *file, int level,
+						  char **text, section_t *section)
+{
+	bool finished = FALSE;
+	char *key, *value, *inner;
+
+	while (!finished)
+	{
+		if (parse_include(text, &value))
+		{
+			if (!parse_files(contents, file, level, value, section))
+			{
+				DBG1(DBG_LIB, "failed to include '%s'", value);
+				return FALSE;
+			}
+			continue;
+		}
+		switch (parse(text, "\t\n ", "{=#", NULL, &key))
+		{
+			case '{':
+				if (parse(text, "\t ", "}", "{", &inner))
+				{
+					section_t *sub;
+					if (!strlen(key))
+					{
+						DBG1(DBG_LIB, "skipping section without name in '%s'",
+							 section->name);
+						continue;
+					}
+					if (section->sections->find_first(section->sections,
+											(linked_list_match_t)section_find,
+											(void**)&sub, key) != SUCCESS)
+					{
+						sub = section_create(key);
+						if (parse_section(contents, file, level, &inner, sub))
+						{
+							section->sections->insert_last(section->sections,
+														   sub);
+							continue;
+						}
+						section_destroy(sub);
+					}
+					else
+					{	/* extend the existing section */
+						if (parse_section(contents, file, level, &inner, sub))
+						{
+							continue;
+						}
+					}
+					DBG1(DBG_LIB, "parsing subsection '%s' failed", key);
+					break;
+				}
+				DBG1(DBG_LIB, "matching '}' not found near %s", *text);
+				break;
+			case '=':
+				if (parse(text, "\t ", "\n", NULL, &value))
+				{
+					kv_t *kv;
+					if (!strlen(key))
+					{
+						DBG1(DBG_LIB, "skipping value without key in '%s'",
+							 section->name);
+						continue;
+					}
+					if (section->kv->find_first(section->kv,
+								(linked_list_match_t)kv_find,
+								(void**)&kv, key) != SUCCESS)
+					{
+						kv = kv_create(key, value);
+						section->kv->insert_last(section->kv, kv);
+					}
+					else
+					{	/* replace with the most recently read value */
+						kv->value = value;
+					}
+					continue;
+				}
+				DBG1(DBG_LIB, "parsing value failed near %s", *text);
+				break;
+			case '#':
+				parse(text, "", "\n", NULL, &value);
+				continue;
+			default:
+				finished = TRUE;
+				continue;
+		}
+		return FALSE;
+	}
+	return TRUE;
+}
+
+/**
+ * Parse a file and add the settings to the given section.
+ */
+static bool parse_file(linked_list_t *contents, char *file, int level,
+					   section_t *section)
+{
+	bool success;
+	char *text, *pos;
+	struct stat st;
+	FILE *fd;
+	int len;
+
+	DBG2(DBG_LIB, "loading config file '%s'", file);
+	if (stat(file, &st) == -1)
+	{
+		if (errno == ENOENT)
+		{
+			DBG2(DBG_LIB, "'%s' does not exist, ignored", file);
+			return TRUE;
+		}
+		DBG1(DBG_LIB, "failed to stat '%s': %s", file, strerror(errno));
+		return FALSE;
+	}
+	else if (!S_ISREG(st.st_mode))
+	{
+		DBG1(DBG_LIB, "'%s' is not a regular file", file);
+		return FALSE;
+	}
+	fd = fopen(file, "r");
+	if (fd == NULL)
+	{
+		DBG1(DBG_LIB, "'%s' is not readable", file);
+		return FALSE;
+	}
+	fseek(fd, 0, SEEK_END);
+	len = ftell(fd);
+	rewind(fd);
+	text = malloc(len + 1);
+	text[len] = '\0';
+	if (fread(text, 1, len, fd) != len)
+	{
+		free(text);
+		fclose(fd);
+		return FALSE;
+	}
+	fclose(fd);
+
+	pos = text;
+	success = parse_section(contents, file, level, &pos, section);
+	if (!success)
+	{
+		free(text);
+	}
+	else
+	{
+		contents->insert_last(contents, text);
+	}
+	return success;
+}
+
+/**
+ * Load the files matching "pattern", which is resolved with glob(3), if
+ * available.
+ * If the pattern is relative, the directory of "file" is used as base.
+ */
+static bool parse_files(linked_list_t *contents, char *file, int level,
+						char *pattern, section_t *section)
+{
+	bool success = TRUE;
+	char pat[PATH_MAX];
+
+	if (level > MAX_INCLUSION_LEVEL)
+	{
+		DBG1(DBG_LIB, "maximum level of %d includes reached, ignored",
+			 MAX_INCLUSION_LEVEL);
+		return TRUE;
+	}
+
+	if (!strlen(pattern))
+	{
+		DBG2(DBG_LIB, "empty include pattern, ignored");
+		return TRUE;
+	}
+
+	if (!file || pattern[0] == '/')
+	{	/* absolute path */
+		if (snprintf(pat, sizeof(pat), "%s", pattern) >= sizeof(pat))
+		{
+			DBG1(DBG_LIB, "include pattern too long, ignored");
+			return TRUE;
+		}
+	}
+	else
+	{	/* base relative paths to the directory of the current file */
+		char *dir = strdup(file);
+		dir = dirname(dir);
+		if (snprintf(pat, sizeof(pat), "%s/%s", dir, pattern) >= sizeof(pat))
+		{
+			DBG1(DBG_LIB, "include pattern too long, ignored");
+			free(dir);
+			return TRUE;
+		}
+		free(dir);
+	}
+#ifdef HAVE_GLOB_H
+	{
+		int status;
+		glob_t buf;
+
+		status = glob(pat, GLOB_ERR, NULL, &buf);
+		if (status == GLOB_NOMATCH)
+		{
+			DBG2(DBG_LIB, "no files found matching '%s', ignored", pat);
+		}
+		else if (status != 0)
+		{
+			DBG1(DBG_LIB, "expanding file pattern '%s' failed", pat);
+			success = FALSE;
+		}
+		else
+		{
+			char **expanded;
+			for (expanded = buf.gl_pathv; *expanded != NULL; expanded++)
+			{
+				success &= parse_file(contents, *expanded, level + 1, section);
+				if (!success)
+				{
+					break;
+				}
+			}
+		}
+		globfree(&buf);
+	}
+#else /* HAVE_GLOB_H */
+	/* if glob(3) is not available, try to load pattern directly */
+	success = parse_file(contents, pat, level + 1, section);
+#endif /* HAVE_GLOB_H */
+	return success;
+}
+
+/**
+ * Recursivly extends "base" with "extension".
+ */
+static void section_extend(section_t *base, section_t *extension)
+{
+	enumerator_t *enumerator;
+	section_t *sec;
+	kv_t *kv;
+
+	enumerator = extension->sections->create_enumerator(extension->sections);
+	while (enumerator->enumerate(enumerator, (void**)&sec))
+	{
+		section_t *found;
+		if (base->sections->find_first(base->sections,
+					(linked_list_match_t)section_find, (void**)&found,
+					sec->name) == SUCCESS)
+		{
+			section_extend(found, sec);
+		}
+		else
+		{
+			extension->sections->remove_at(extension->sections, enumerator);
+			base->sections->insert_last(base->sections, sec);
+		}
+	}
+	enumerator->destroy(enumerator);
+
+	enumerator = extension->kv->create_enumerator(extension->kv);
+	while (enumerator->enumerate(enumerator, (void**)&kv))
+	{
+		kv_t *found;
+		if (base->kv->find_first(base->kv, (linked_list_match_t)kv_find,
+					(void**)&found, kv->key) == SUCCESS)
+		{
+			found->value = kv->value;
+		}
+		else
+		{
+			extension->kv->remove_at(extension->kv, enumerator);
+			base->kv->insert_last(base->kv, kv);
+		}
+	}
+	enumerator->destroy(enumerator);
+}
+
+/**
+ * Load settings from files matching the given file pattern.
+ * All sections and values are added relative to "parent".
+ * All files (even included ones) have to be loaded successfully.
+ */
+static bool load_files_internal(private_settings_t *this, section_t *parent,
+								char *pattern, bool merge)
+{
+	char *text;
+	linked_list_t *contents;
+	section_t *section;
+
+	if (pattern == NULL)
+	{
+#ifdef STRONGSWAN_CONF
+		pattern = STRONGSWAN_CONF;
+#else
+		return FALSE;
+#endif
+	}
+
+	contents = linked_list_create();
+	section = section_create(NULL);
+
+	if (!parse_files(contents, NULL, 0, pattern, section))
+	{
+		contents->destroy_function(contents, (void*)free);
+		section_destroy(section);
+		return FALSE;
+	}
+
+	this->lock->write_lock(this->lock);
+	if (!merge)
+	{
+		section_purge(parent);
+	}
+	/* extend parent section */
+	section_extend(parent, section);
+	/* move contents of loaded files to main store */
+	while (contents->remove_first(contents, (void**)&text) == SUCCESS)
+	{
+		this->contents->insert_last(this->contents, text);
+	}
+	this->lock->unlock(this->lock);
+
+	section_destroy(section);
+	contents->destroy(contents);
+	return TRUE;
+}
+
+METHOD(settings_t, load_files, bool,
+	   private_settings_t *this, char *pattern, bool merge)
+{
+	return load_files_internal(this, this->top, pattern, merge);
+}
+
+METHOD(settings_t, load_files_section, bool,
+	   private_settings_t *this, char *pattern, bool merge, char *key, ...)
+{
+	section_t *section;
+	va_list args;
+
+	va_start(args, key);
+	section = ensure_section(this, this->top, key, args);
+	va_end(args);
+
+	if (!section)
+	{
+		return FALSE;
+	}
+	return load_files_internal(this, section, pattern, merge);
+}
+
+METHOD(settings_t, destroy, void,
+	   private_settings_t *this)
+{
+	section_destroy(this->top);
+	this->contents->destroy_function(this->contents, (void*)free);
+	this->lock->destroy(this->lock);
+	free(this);
+}
+
+/*
+ * see header file
+ */
+settings_t *settings_create(char *file)
+{
+	private_settings_t *this;
+
+	INIT(this,
+		.public = {
+			.get_str = _get_str,
+			.get_int = _get_int,
+			.get_double = _get_double,
+			.get_time = _get_time,
+			.get_bool = _get_bool,
+			.set_str = _set_str,
+			.set_int = _set_int,
+			.set_double = _set_double,
+			.set_time = _set_time,
+			.set_bool = _set_bool,
+			.create_section_enumerator = _create_section_enumerator,
+			.create_key_value_enumerator = _create_key_value_enumerator,
+			.load_files = _load_files,
+			.load_files_section = _load_files_section,
+			.destroy = _destroy,
+		},
+		.top = section_create(NULL),
+		.contents = linked_list_create(),
+		.lock = rwlock_create(RWLOCK_TYPE_DEFAULT),
+	);
+
+	load_files(this, file, FALSE);
+
+	return &this->public;
+}
+
diff --git a/src/libstrongswan/utils/settings.h b/src/libstrongswan/utils/settings.h
new file mode 100644
index 000000000..a861325f5
--- /dev/null
+++ b/src/libstrongswan/utils/settings.h
@@ -0,0 +1,313 @@
+/*
+ * Copyright (C) 2010 Tobias Brunner
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup settings settings
+ * @{ @ingroup utils
+ */
+
+#ifndef SETTINGS_H_
+#define SETTINGS_H_
+
+typedef struct settings_t settings_t;
+
+#include "utils.h"
+#include "collections/enumerator.h"
+
+/**
+ * Convert a string value returned by a key/value enumerator to a boolean.
+ *
+ * @see settings_t.create_key_value_enumerator()
+ * @see settings_t.get_bool()
+ * @param value			the string value
+ * @param def			the default value, if value is NULL or invalid
+ */
+bool settings_value_as_bool(char *value, bool def);
+
+/**
+ * Convert a string value returned by a key/value enumerator to an integer.
+ *
+ * @see settings_t.create_key_value_enumerator()
+ * @see settings_t.get_int()
+ * @param value			the string value
+ * @param def			the default value, if value is NULL or invalid
+ */
+int settings_value_as_int(char *value, int def);
+
+/**
+ * Convert a string value returned by a key/value enumerator to a double.
+ *
+ * @see settings_t.create_key_value_enumerator()
+ * @see settings_t.get_double()
+ * @param value			the string value
+ * @param def			the default value, if value is NULL or invalid
+ */
+double settings_value_as_double(char *value, double def);
+
+/**
+ * Convert a string value returned by a key/value enumerator to a time value.
+ *
+ * @see settings_t.create_key_value_enumerator()
+ * @see settings_t.get_time()
+ * @param value			the string value
+ * @param def			the default value, if value is NULL or invalid
+ */
+u_int32_t settings_value_as_time(char *value, u_int32_t def);
+
+/**
+ * Generic configuration options read from a config file.
+ *
+ * The syntax is quite simple:
+ * @code
+ * settings := (section|keyvalue)*
+ * section  := name { settings }
+ * keyvalue := key = value\n
+ * @endcode
+ * E.g.:
+ * @code
+	a = b
+	section-one {
+		somevalue = asdf
+		subsection {
+			othervalue = xxx
+		}
+		yetanother = zz
+	}
+	section-two {
+	}
+	@endcode
+ *
+ * The values are accessed using the get() functions using dotted keys, e.g.
+ *   section-one.subsection.othervalue
+ *
+ * Currently only a limited set of printf format specifiers are supported
+ * (namely %s, %d and %N, see implementation for details).
+ *
+ * \section includes Including other files
+ * Other files can be included, using the include statement e.g.
+ * @code
+ *   include /somepath/subconfig.conf
+ * @endcode
+ * Shell patterns like *.conf are possible.
+ *
+ * If the path is relative, the directory of the file containing the include
+ * statement is used as base.
+ *
+ * Sections loaded from included files extend previously loaded sections,
+ * already existing values are replaced.
+ *
+ * All settings included from files are added relative to the section the
+ * include statement is in.
+ *
+ * The following files result in the same final config as above:
+ *
+ * @code
+	a = b
+	section-one {
+		somevalue = before include
+		include include.conf
+	}
+	include two.conf
+	@endcode
+ * include.conf
+ * @code
+	somevalue = asdf
+	subsection {
+		othervalue = yyy
+	}
+	yetanother = zz
+	@endcode
+ * two.conf
+ * @code
+	section-one {
+		subsection {
+			othervalue = xxx
+		}
+	}
+	section-two {
+	}
+	@endcode
+ */
+struct settings_t {
+
+	/**
+	 * Get a settings value as a string.
+	 *
+	 * @param key		key including sections, printf style format
+	 * @param def		value returned if key not found
+	 * @param ...		argument list for key
+	 * @return			value pointing to internal string
+	 */
+	char* (*get_str)(settings_t *this, char *key, char *def, ...);
+
+	/**
+	 * Get a boolean yes|no, true|false value.
+	 *
+	 * @param key		key including sections, printf style format
+	 * @param def		value returned if key not found
+	 * @param ...		argument list for key
+	 * @return			value of the key
+	 */
+	bool (*get_bool)(settings_t *this, char *key, bool def, ...);
+
+	/**
+	 * Get an integer value.
+	 *
+	 * @param key		key including sections, printf style format
+	 * @param def		value returned if key not found
+	 * @param ...		argument list for key
+	 * @return			value of the key
+	 */
+	int (*get_int)(settings_t *this, char *key, int def, ...);
+
+	/**
+	 * Get an double value.
+	 *
+	 * @param key		key including sections, printf style format
+	 * @param def		value returned if key not found
+	 * @param ...		argument list for key
+	 * @return			value of the key
+	 */
+	double (*get_double)(settings_t *this, char *key, double def, ...);
+
+	/**
+	 * Get a time value.
+	 *
+	 * @param key		key including sections, printf style format
+	 * @param def		value returned if key not found
+	 * @param ...		argument list for key
+	 * @return			value of the key (in seconds)
+	 */
+	u_int32_t (*get_time)(settings_t *this, char *key, u_int32_t def, ...);
+
+	/**
+	 * Set a string value.
+	 *
+	 * @param key		key including sections, printf style format
+	 * @param value		value to set (gets cloned)
+	 * @param ...		argument list for key
+	 */
+	void (*set_str)(settings_t *this, char *key, char *value, ...);
+
+	/**
+	 * Set a boolean value.
+	 *
+	 * @param key		key including sections, printf style format
+	 * @param value		value to set
+	 * @param ...		argument list for key
+	 */
+	void (*set_bool)(settings_t *this, char *key, bool value, ...);
+
+	/**
+	 * Set an integer value.
+	 *
+	 * @param key		key including sections, printf style format
+	 * @param value		value to set
+	 * @param ...		argument list for key
+	 */
+	void (*set_int)(settings_t *this, char *key, int value, ...);
+
+	/**
+	 * Set an double value.
+	 *
+	 * @param key		key including sections, printf style format
+	 * @param value		value to set
+	 * @param ...		argument list for key
+	 */
+	void (*set_double)(settings_t *this, char *key, double value, ...);
+
+	/**
+	 * Set a time value.
+	 *
+	 * @param key		key including sections, printf style format
+	 * @param def		value to set
+	 * @param ...		argument list for key
+	 */
+	void (*set_time)(settings_t *this, char *key, u_int32_t value, ...);
+
+	/**
+	 * Create an enumerator over subsection names of a section.
+	 *
+	 * @param section	section including parents, printf style format
+	 * @param ...		argument list for key
+	 * @return			enumerator over subsection names
+	 */
+	enumerator_t* (*create_section_enumerator)(settings_t *this,
+											   char *section, ...);
+
+	/**
+	 * Create an enumerator over key/value pairs in a section.
+	 *
+	 * @param section	section name to list key/value pairs of, printf style
+	 * @param ...		argument list for section
+	 * @return			enumerator over (char *key, char *value)
+	 */
+	enumerator_t* (*create_key_value_enumerator)(settings_t *this,
+												 char *section, ...);
+
+	/**
+	 * Load settings from the files matching the given pattern.
+	 *
+	 * If merge is TRUE, existing sections are extended, existing values
+	 * replaced, by those found in the loaded files. If it is FALSE, existing
+	 * sections are purged before reading the new config.
+	 *
+	 * @note If any of the files matching the pattern fails to load, no settings
+	 * are added at all. So, it's all or nothing.
+	 *
+	 * @param pattern	file pattern
+	 * @param merge		TRUE to merge config with existing values
+	 * @return			TRUE, if settings were loaded successfully
+	 */
+	bool (*load_files)(settings_t *this, char *pattern, bool merge);
+
+	/**
+	 * Load settings from the files matching the given pattern.
+	 *
+	 * If merge is TRUE, existing sections are extended, existing values
+	 * replaced, by those found in the loaded files. If it is FALSE, existing
+	 * sections are purged before reading the new config.
+	 *
+	 * All settings are loaded relative to the given section. The section is
+	 * created, if it does not yet exist.
+	 *
+	 * @note If any of the files matching the pattern fails to load, no settings
+	 * are added at all. So, it's all or nothing.
+	 *
+	 * @param pattern	file pattern
+	 * @param merge		TRUE to merge config with existing values
+	 * @param section	section name of parent section, printf style
+	 * @param ...		argument list for section
+	 * @return			TRUE, if settings were loaded successfully
+	 */
+	bool (*load_files_section)(settings_t *this, char *pattern, bool merge,
+							   char *section, ...);
+
+	/**
+	 * Destroy a settings instance.
+	 */
+	void (*destroy)(settings_t *this);
+};
+
+/**
+ * Load settings from a file.
+ *
+ * @param file			file to read settings from, NULL for default
+ * @return				settings object
+ */
+settings_t *settings_create(char *file);
+
+#endif /** SETTINGS_H_ @}*/
diff --git a/src/libstrongswan/utils/tun_device.c b/src/libstrongswan/utils/tun_device.c
deleted file mode 100644
index 36f3359c0..000000000
--- a/src/libstrongswan/utils/tun_device.c
+++ /dev/null
@@ -1,461 +0,0 @@
-/*
- * Copyright (C) 2012 Tobias Brunner
- * Copyright (C) 2012 Giuliano Grassi
- * Copyright (C) 2012 Ralf Sager
- * Hochschule fuer Technik Rapperswil
- * Copyright (C) 2012 Martin Willi
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include <errno.h>
-#include <fcntl.h>
-#include <netinet/in.h>
-#include <string.h>
-#include <sys/ioctl.h>
-#include <sys/types.h>
-#include <sys/socket.h>
-#include <sys/stat.h>
-#include <unistd.h>
-#include <net/if.h>
-
-#ifdef __APPLE__
-#include <net/if_utun.h>
-#include <netinet/in_var.h>
-#include <sys/kern_control.h>
-#elif defined(__linux__)
-#include <linux/if_tun.h>
-#else
-#include <net/if_tun.h>
-#endif
-
-#include "tun_device.h"
-
-#include <library.h>
-#include <debug.h>
-#include <threading/thread.h>
-
-#define TUN_DEFAULT_MTU 1500
-
-typedef struct private_tun_device_t private_tun_device_t;
-
-struct private_tun_device_t {
-
-	/**
-	 * Public interface
-	 */
-	tun_device_t public;
-
-	/**
-	 * The TUN device's file descriptor
-	 */
-	int tunfd;
-
-	/**
-	 * Name of the TUN device
-	 */
-	char if_name[IFNAMSIZ];
-
-	/**
-	 * Socket used for ioctl() to set interface addr, ...
-	 */
-	int sock;
-
-	/**
-	 * The current MTU
-	 */
-	int mtu;
-};
-
-/**
- * Set the sockaddr_t from the given netmask
- */
-static void set_netmask(struct ifreq *ifr, int family, u_int8_t netmask)
-{
-	int len, bytes, bits;
-	char *target;
-
-	switch (family)
-	{
-		case AF_INET:
-		{
-			struct sockaddr_in *addr = (struct sockaddr_in*)&ifr->ifr_addr;
-			addr->sin_family = AF_INET;
-			target = (char*)&addr->sin_addr;
-			len = 4;
-			break;
-		}
-		case AF_INET6:
-		{
-			struct sockaddr_in6 *addr = (struct sockaddr_in6*)&ifr->ifr_addr;
-			addr->sin6_family = AF_INET6;
-			target = (char*)&addr->sin6_addr;
-			len = 16;
-			break;
-		}
-		default:
-			return;
-	}
-
-	bytes = (netmask + 7) / 8;
-	bits = (bytes * 8) - netmask;
-
-	memset(target, 0xff, bytes);
-	memset(target + bytes, 0x00, len - bytes);
-	target[bytes - 1] = bits ? (u_int8_t)(0xff << bits) : 0xff;
-}
-
-METHOD(tun_device_t, set_address, bool,
-	private_tun_device_t *this, host_t *addr, u_int8_t netmask)
-{
-	struct ifreq ifr;
-	int family;
-
-	family = addr->get_family(addr);
-	if ((netmask > 32 && family == AF_INET) || netmask > 128)
-	{
-		DBG1(DBG_LIB, "failed to set address on %s: invalid netmask",
-			 this->if_name);
-		return FALSE;
-	}
-
-	memset(&ifr, 0, sizeof(ifr));
-	strncpy(ifr.ifr_name, this->if_name, IFNAMSIZ);
-	memcpy(&ifr.ifr_addr, addr->get_sockaddr(addr), sizeof(sockaddr_t));
-
-	if (ioctl(this->sock, SIOCSIFADDR, &ifr) < 0)
-	{
-		DBG1(DBG_LIB, "failed to set address on %s: %s",
-			 this->if_name, strerror(errno));
-		return FALSE;
-	}
-#ifdef __APPLE__
-	if (ioctl(this->sock, SIOCSIFDSTADDR, &ifr) < 0)
-	{
-		DBG1(DBG_LIB, "failed to set dest address on %s: %s",
-			 this->if_name, strerror(errno));
-		return FALSE;
-	}
-#endif /* __APPLE__ */
-
-	set_netmask(&ifr, family, netmask);
-
-	if (ioctl(this->sock, SIOCSIFNETMASK, &ifr) < 0)
-	{
-		DBG1(DBG_LIB, "failed to set netmask on %s: %s",
-			 this->if_name, strerror(errno));
-		return FALSE;
-	}
-	return TRUE;
-}
-
-METHOD(tun_device_t, up, bool,
-	private_tun_device_t *this)
-{
-	struct ifreq ifr;
-
-	memset(&ifr, 0, sizeof(ifr));
-	strncpy(ifr.ifr_name, this->if_name, IFNAMSIZ);
-
-	if (ioctl(this->sock, SIOCGIFFLAGS, &ifr) < 0)
-	{
-		DBG1(DBG_LIB, "failed to get interface flags for %s: %s", this->if_name,
-			 strerror(errno));
-		return FALSE;
-	}
-
-	ifr.ifr_flags |= IFF_RUNNING | IFF_UP;
-
-	if (ioctl(this->sock, SIOCSIFFLAGS, &ifr) < 0)
-	{
-		DBG1(DBG_LIB, "failed to set interface flags on %s: %s", this->if_name,
-			 strerror(errno));
-		return FALSE;
-	}
-	return TRUE;
-}
-
-METHOD(tun_device_t, set_mtu, bool,
-	private_tun_device_t *this, int mtu)
-{
-	struct ifreq ifr;
-
-	memset(&ifr, 0, sizeof(ifr));
-	strncpy(ifr.ifr_name, this->if_name, IFNAMSIZ);
-	ifr.ifr_mtu = mtu;
-
-	if (ioctl(this->sock, SIOCSIFMTU, &ifr) < 0)
-	{
-		DBG1(DBG_LIB, "failed to set MTU on %s: %s", this->if_name,
-			 strerror(errno));
-		return FALSE;
-	}
-	this->mtu = mtu;
-	return TRUE;
-}
-
-METHOD(tun_device_t, get_mtu, int,
-	private_tun_device_t *this)
-{
-	struct ifreq ifr;
-
-	if (this->mtu > 0)
-	{
-		return this->mtu;
-	}
-
-	memset(&ifr, 0, sizeof(ifr));
-	strncpy(ifr.ifr_name, this->if_name, IFNAMSIZ);
-	this->mtu = TUN_DEFAULT_MTU;
-
-	if (ioctl(this->sock, SIOCGIFMTU, &ifr) == 0)
-	{
-		this->mtu = ifr.ifr_mtu;
-	}
-	return this->mtu;
-}
-
-METHOD(tun_device_t, get_name, char*,
-	private_tun_device_t *this)
-{
-	return this->if_name;
-}
-
-METHOD(tun_device_t, write_packet, bool,
-	private_tun_device_t *this, chunk_t packet)
-{
-	ssize_t s;
-
-	s = write(this->tunfd, packet.ptr, packet.len);
-	if (s < 0)
-	{
-		DBG1(DBG_LIB, "failed to write packet to TUN device %s: %s",
-			 this->if_name, strerror(errno));
-		return FALSE;
-	}
-	else if (s != packet.len)
-	{
-		return FALSE;
-	}
-	return TRUE;
-}
-
-METHOD(tun_device_t, read_packet, bool,
-	private_tun_device_t *this, chunk_t *packet)
-{
-	ssize_t len;
-	fd_set set;
-	bool old;
-
-	FD_ZERO(&set);
-	FD_SET(this->tunfd, &set);
-
-	old = thread_cancelability(TRUE);
-	len = select(this->tunfd + 1, &set, NULL, NULL, NULL);
-	thread_cancelability(old);
-
-	if (len < 0)
-	{
-		DBG1(DBG_LIB, "select on TUN device %s failed: %s", this->if_name,
-			 strerror(errno));
-		return FALSE;
-	}
-	/* FIXME: this is quite expensive for lots of small packets, copy from
-	 * local buffer instead? */
-	*packet = chunk_alloc(get_mtu(this));
-	len = read(this->tunfd, packet->ptr, packet->len);
-	if (len < 0)
-	{
-		DBG1(DBG_LIB, "reading from TUN device %s failed: %s", this->if_name,
-			 strerror(errno));
-		chunk_free(packet);
-		return FALSE;
-	}
-	packet->len = len;
-	return TRUE;
-}
-
-METHOD(tun_device_t, destroy, void,
-	private_tun_device_t *this)
-{
-	if (this->tunfd > 0)
-	{
-		close(this->tunfd);
-#ifdef __FreeBSD__
-		/* tun(4) says the following: "These network interfaces persist until
-		 * the if_tun.ko module is unloaded, or until removed with the
-		 * ifconfig(8) command."  So simply closing the FD is not enough. */
-		struct ifreq ifr;
-
-		memset(&ifr, 0, sizeof(ifr));
-		strncpy(ifr.ifr_name, this->if_name, IFNAMSIZ);
-		if (ioctl(this->sock, SIOCIFDESTROY, &ifr) < 0)
-		{
-			DBG1(DBG_LIB, "failed to destroy %s: %s", this->if_name,
-				 strerror(errno));
-		}
-#endif /* __FreeBSD__ */
-	}
-	if (this->sock > 0)
-	{
-		close(this->sock);
-	}
-	free(this);
-}
-
-/**
- * Initialize the tun device
- */
-static bool init_tun(private_tun_device_t *this, const char *name_tmpl)
-{
-#ifdef __APPLE__
-
-	struct ctl_info info;
-	struct sockaddr_ctl addr;
-	socklen_t size = IFNAMSIZ;
-
-	memset(&info, 0, sizeof(info));
-	memset(&addr, 0, sizeof(addr));
-
-	this->tunfd = socket(PF_SYSTEM, SOCK_DGRAM, SYSPROTO_CONTROL);
-	if (this->tunfd < 0)
-	{
-		DBG1(DBG_LIB, "failed to open tundevice PF_SYSTEM socket: %s",
-			 strerror(errno));
-		return FALSE;
-	}
-
-	/* get a control identifier for the utun kernel extension */
-	strncpy(info.ctl_name, UTUN_CONTROL_NAME, strlen(UTUN_CONTROL_NAME));
-	if (ioctl(this->tunfd, CTLIOCGINFO, &info) < 0)
-	{
-		DBG1(DBG_LIB, "failed to ioctl tundevice: %s", strerror(errno));
-		close(this->tunfd);
-		return FALSE;
-	}
-
-	addr.sc_id = info.ctl_id;
-	addr.sc_len = sizeof(addr);
-	addr.sc_family = AF_SYSTEM;
-	addr.ss_sysaddr = AF_SYS_CONTROL;
-	/* allocate identifier dynamically */
-	addr.sc_unit = 0;
-
-	if (connect(this->tunfd, (struct sockaddr*)&addr, sizeof(addr)) < 0)
-	{
-		DBG1(DBG_LIB, "failed to connect tundevice: %s", strerror(errno));
-		close(this->tunfd);
-		return FALSE;
-	}
-	if (getsockopt(this->tunfd, SYSPROTO_CONTROL, UTUN_OPT_IFNAME,
-				   this->if_name, &size) < 0)
-	{
-		DBG1(DBG_LIB, "getting tundevice name failed: %s", strerror(errno));
-		close(this->tunfd);
-		return FALSE;
-	}
-	return TRUE;
-
-#elif defined(IFF_TUN)
-
-	struct ifreq ifr;
-
-	strncpy(this->if_name, name_tmpl ?: "tun%d", IFNAMSIZ);
-	this->if_name[IFNAMSIZ-1] = '\0';
-
-	this->tunfd = open("/dev/net/tun", O_RDWR);
-	if (this->tunfd < 0)
-	{
-		DBG1(DBG_LIB, "failed to open /dev/net/tun: %s", strerror(errno));
-		return FALSE;
-	}
-
-	memset(&ifr, 0, sizeof(ifr));
-
-	/* TUN device, no packet info */
-	ifr.ifr_flags = IFF_TUN | IFF_NO_PI;
-
-	strncpy(ifr.ifr_name, this->if_name, IFNAMSIZ);
-	if (ioctl(this->tunfd, TUNSETIFF, (void*)&ifr) < 0)
-	{
-		DBG1(DBG_LIB, "failed to configure TUN device: %s", strerror(errno));
-		close(this->tunfd);
-		return FALSE;
-	}
-	strncpy(this->if_name, ifr.ifr_name, IFNAMSIZ);
-	return TRUE;
-
-#else /* !IFF_TUN */
-
-	/* this works on FreeBSD and might also work on Linux with older TUN
-	 * driver versions (no IFF_TUN) */
-	char devname[IFNAMSIZ];
-	int i;
-
-	if (name_tmpl)
-	{
-		DBG1(DBG_LIB, "arbitrary naming of TUN devices is not supported");
-	}
-
-	for (i = 0; i < 256; i++)
-	{
-		snprintf(devname, IFNAMSIZ, "/dev/tun%d", i);
-		this->tunfd = open(devname, O_RDWR);
-		if (this->tunfd > 0)
-		{	/* for ioctl(2) calls only the interface name is used */
-			snprintf(this->if_name, IFNAMSIZ, "tun%d", i);
-			break;
-		}
-		DBG1(DBG_LIB, "failed to open %s: %s", this->if_name, strerror(errno));
-	}
-	return this->tunfd > 0;
-
-#endif /* !__APPLE__ */
-}
-
-/*
- * Described in header
- */
-tun_device_t *tun_device_create(const char *name_tmpl)
-{
-	private_tun_device_t *this;
-
-	INIT(this,
-		.public = {
-			.read_packet = _read_packet,
-			.write_packet = _write_packet,
-			.get_mtu = _get_mtu,
-			.set_mtu = _set_mtu,
-			.get_name = _get_name,
-			.set_address = _set_address,
-			.up = _up,
-			.destroy = _destroy,
-		},
-		.tunfd = -1,
-		.sock = -1,
-	);
-
-	if (!init_tun(this, name_tmpl))
-	{
-		free(this);
-		return NULL;
-	}
-	DBG1(DBG_LIB, "created TUN device: %s", this->if_name);
-
-	this->sock = socket(AF_INET, SOCK_DGRAM, 0);
-	if (this->sock < 0)
-	{
-		DBG1(DBG_LIB, "failed to open socket to configure TUN device");
-		destroy(this);
-		return NULL;
-	}
-	return &this->public;
-}
diff --git a/src/libstrongswan/utils/tun_device.h b/src/libstrongswan/utils/tun_device.h
deleted file mode 100644
index 71af0386b..000000000
--- a/src/libstrongswan/utils/tun_device.h
+++ /dev/null
@@ -1,112 +0,0 @@
-/*
- * Copyright (C) 2012 Tobias Brunner
- * Copyright (C) 2012 Giuliano Grassi
- * Copyright (C) 2012 Ralf Sager
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup tun_device tun_device
- * @{ @ingroup utils
- */
-
-#ifndef TUN_DEVICE_H_
-#define TUN_DEVICE_H_
-
-#include <library.h>
-#include <utils/host.h>
-
-typedef struct tun_device_t tun_device_t;
-
-/**
- * Class to create TUN devices
- *
- * Creating such a device requires the CAP_NET_ADMIN capability.
- *
- * @note The implementation is currently very Linux specific
- */
-struct tun_device_t {
-
-	/**
-	 * Read a packet from the TUN device
-	 *
-	 * @note This call blocks until a packet is available. It is a thread
-	 * cancellation point.
-	 *
-	 * @param packet		the packet read from the device
-	 * @return				TRUE if successful
-	 */
-	bool (*read_packet)(tun_device_t *this, chunk_t *packet);
-
-	/**
-	 * Write a packet to the TUN device
-	 *
-	 * @param packet		the packet to write to the TUN device
-	 * @return				TRUE if successful
-	 */
-	bool (*write_packet)(tun_device_t *this, chunk_t packet);
-
-	/**
-	 * Set the IP address of the device
-	 *
-	 * @param addr			the desired interface address
-	 * @param netmask		the netmask to use
-	 * @return				TRUE if operation successful
-	 */
-	bool (*set_address)(tun_device_t *this, host_t *addr, u_int8_t netmask);
-
-	/**
-	 * Bring the TUN device up
-	 *
-	 * @return				TRUE if operation successful
-	 */
-	bool (*up)(tun_device_t *this);
-
-	/**
-	 * Set the MTU for this TUN device
-	 *
-	 * @param mtu			new MTU
-	 * @return				TRUE if operation successful
-	 */
-	bool (*set_mtu)(tun_device_t *this, int mtu);
-
-	/**
-	 * Get the current MTU for this TUN device
-	 *
-	 * @return				current MTU
-	 */
-	int (*get_mtu)(tun_device_t *this);
-
-	/**
-	 * Get the interface name of this device
-	 *
-	 * @return				interface name
-	 */
-	char *(*get_name)(tun_device_t *this);
-
-	/**
-	 * Destroy a tun_device_t
-	 */
-	void (*destroy)(tun_device_t *this);
-
-};
-
-/**
- * Create a TUN device using the given name template.
- *
- * @param name_tmpl			name template, defaults to "tun%d" if not given
- * @return					TUN device
- */
-tun_device_t *tun_device_create(const char *name_tmpl);
-
-#endif /** TUN_DEVICE_H_ @}*/
diff --git a/src/libstrongswan/utils/utils.c b/src/libstrongswan/utils/utils.c
new file mode 100644
index 000000000..bf0224c5f
--- /dev/null
+++ b/src/libstrongswan/utils/utils.c
@@ -0,0 +1,570 @@
+/*
+ * Copyright (C) 2008-2012 Tobias Brunner
+ * Copyright (C) 2005-2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "utils.h"
+
+#include <sys/stat.h>
+#include <string.h>
+#include <stdio.h>
+#include <unistd.h>
+#include <inttypes.h>
+#include <stdint.h>
+#include <limits.h>
+#include <dirent.h>
+#include <time.h>
+#include <pthread.h>
+
+#include "collections/enumerator.h"
+#include "utils/debug.h"
+
+ENUM(status_names, SUCCESS, NEED_MORE,
+	"SUCCESS",
+	"FAILED",
+	"OUT_OF_RES",
+	"ALREADY_DONE",
+	"NOT_SUPPORTED",
+	"INVALID_ARG",
+	"NOT_FOUND",
+	"PARSE_ERROR",
+	"VERIFY_ERROR",
+	"INVALID_STATE",
+	"DESTROY_ME",
+	"NEED_MORE",
+);
+
+/**
+ * Described in header.
+ */
+void *clalloc(void * pointer, size_t size)
+{
+	void *data;
+	data = malloc(size);
+
+	memcpy(data, pointer, size);
+
+	return (data);
+}
+
+/**
+ * Described in header.
+ */
+void memxor(u_int8_t dst[], u_int8_t src[], size_t n)
+{
+	int m, i;
+
+	/* byte wise XOR until dst aligned */
+	for (i = 0; (uintptr_t)&dst[i] % sizeof(long) && i < n; i++)
+	{
+		dst[i] ^= src[i];
+	}
+	/* try to use words if src shares an aligment with dst */
+	switch (((uintptr_t)&src[i] % sizeof(long)))
+	{
+		case 0:
+			for (m = n - sizeof(long); i <= m; i += sizeof(long))
+			{
+				*(long*)&dst[i] ^= *(long*)&src[i];
+			}
+			break;
+		case sizeof(int):
+			for (m = n - sizeof(int); i <= m; i += sizeof(int))
+			{
+				*(int*)&dst[i] ^= *(int*)&src[i];
+			}
+			break;
+		case sizeof(short):
+			for (m = n - sizeof(short); i <= m; i += sizeof(short))
+			{
+				*(short*)&dst[i] ^= *(short*)&src[i];
+			}
+			break;
+		default:
+			break;
+	}
+	/* byte wise XOR of the rest */
+	for (; i < n; i++)
+	{
+		dst[i] ^= src[i];
+	}
+}
+
+/**
+ * Described in header.
+ */
+void memwipe_noinline(void *ptr, size_t n)
+{
+	memwipe_inline(ptr, n);
+}
+
+/**
+ * Described in header.
+ */
+void *memstr(const void *haystack, const char *needle, size_t n)
+{
+	unsigned const char *pos = haystack;
+	size_t l = strlen(needle);
+	for (; n >= l; ++pos, --n)
+	{
+		if (memeq(pos, needle, l))
+		{
+			return (void*)pos;
+		}
+	}
+	return NULL;
+}
+
+/**
+ * Described in header.
+ */
+char* translate(char *str, const char *from, const char *to)
+{
+	char *pos = str;
+	if (strlen(from) != strlen(to))
+	{
+		return str;
+	}
+	while (pos && *pos)
+	{
+		char *match;
+		if ((match = strchr(from, *pos)) != NULL)
+		{
+			*pos = to[match - from];
+		}
+		pos++;
+	}
+	return str;
+}
+
+/**
+ * Described in header.
+ */
+bool mkdir_p(const char *path, mode_t mode)
+{
+	int len;
+	char *pos, full[PATH_MAX];
+	pos = full;
+	if (!path || *path == '\0')
+	{
+		return TRUE;
+	}
+	len = snprintf(full, sizeof(full)-1, "%s", path);
+	if (len < 0 || len >= sizeof(full)-1)
+	{
+		DBG1(DBG_LIB, "path string %s too long", path);
+		return FALSE;
+	}
+	/* ensure that the path ends with a '/' */
+	if (full[len-1] != '/')
+	{
+		full[len++] = '/';
+		full[len] = '\0';
+	}
+	/* skip '/' at the beginning */
+	while (*pos == '/')
+	{
+		pos++;
+	}
+	while ((pos = strchr(pos, '/')))
+	{
+		*pos = '\0';
+		if (access(full, F_OK) < 0)
+		{
+			if (mkdir(full, mode) < 0)
+			{
+				DBG1(DBG_LIB, "failed to create directory %s", full);
+				return FALSE;
+			}
+		}
+		*pos = '/';
+		pos++;
+	}
+	return TRUE;
+}
+
+
+/**
+ * The size of the thread-specific error buffer
+ */
+#define STRERROR_BUF_LEN 256
+
+/**
+ * Key to store thread-specific error buffer
+ */
+static pthread_key_t strerror_buf_key;
+
+/**
+ * Only initialize the key above once
+ */
+static pthread_once_t strerror_buf_key_once = PTHREAD_ONCE_INIT;
+
+/**
+ * Create the key used for the thread-specific error buffer
+ */
+static void create_strerror_buf_key()
+{
+	pthread_key_create(&strerror_buf_key, free);
+}
+
+/**
+ * Retrieve the error buffer assigned to the current thread (or create it)
+ */
+static inline char *get_strerror_buf()
+{
+	char *buf;
+
+	pthread_once(&strerror_buf_key_once, create_strerror_buf_key);
+	buf = pthread_getspecific(strerror_buf_key);
+	if (!buf)
+	{
+		buf = malloc(STRERROR_BUF_LEN);
+		pthread_setspecific(strerror_buf_key, buf);
+	}
+	return buf;
+}
+
+#ifdef HAVE_STRERROR_R
+/*
+ * Described in header.
+ */
+const char *safe_strerror(int errnum)
+{
+	char *buf = get_strerror_buf(), *msg;
+
+#ifdef STRERROR_R_CHAR_P
+	/* char* version which may or may not return the original buffer */
+	msg = strerror_r(errnum, buf, STRERROR_BUF_LEN);
+#else
+	/* int version returns 0 on success */
+	msg = strerror_r(errnum, buf, STRERROR_BUF_LEN) ? "Unknown error" : buf;
+#endif
+	return msg;
+}
+#else /* HAVE_STRERROR_R */
+/* we actually wan't to call strerror(3) below */
+#undef strerror
+/*
+ * Described in header.
+ */
+const char *safe_strerror(int errnum)
+{
+	static pthread_mutex_t mutex = PTHREAD_MUTEX_INITIALIZER;
+	char *buf = get_strerror_buf();
+
+	/* use a mutex to ensure calling strerror(3) is thread-safe */
+	pthread_mutex_lock(&mutex);
+	strncpy(buf, strerror(errnum), STRERROR_BUF_LEN);
+	pthread_mutex_unlock(&mutex);
+	buf[STRERROR_BUF_LEN - 1] = '\0';
+	return buf;
+}
+#endif /* HAVE_STRERROR_R */
+
+
+#ifndef HAVE_CLOSEFROM
+/**
+ * Described in header.
+ */
+void closefrom(int lowfd)
+{
+	char fd_dir[PATH_MAX];
+	int maxfd, fd, len;
+
+	/* try to close only open file descriptors on Linux... */
+	len = snprintf(fd_dir, sizeof(fd_dir), "/proc/%u/fd", getpid());
+	if (len > 0 && len < sizeof(fd_dir) && access(fd_dir, F_OK) == 0)
+	{
+		enumerator_t *enumerator = enumerator_create_directory(fd_dir);
+		if (enumerator)
+		{
+			char *rel;
+			while (enumerator->enumerate(enumerator, &rel, NULL, NULL))
+			{
+				fd = atoi(rel);
+				if (fd >= lowfd)
+				{
+					close(fd);
+				}
+			}
+			enumerator->destroy(enumerator);
+			return;
+		}
+	}
+
+	/* ...fall back to closing all fds otherwise */
+	maxfd = (int)sysconf(_SC_OPEN_MAX);
+	if (maxfd < 0)
+	{
+		maxfd = 256;
+	}
+	for (fd = lowfd; fd < maxfd; fd++)
+	{
+		close(fd);
+	}
+}
+#endif /* HAVE_CLOSEFROM */
+
+/**
+ * Return monotonic time
+ */
+time_t time_monotonic(timeval_t *tv)
+{
+#if defined(HAVE_CLOCK_GETTIME) && \
+	(defined(HAVE_CONDATTR_CLOCK_MONOTONIC) || \
+	 defined(HAVE_PTHREAD_COND_TIMEDWAIT_MONOTONIC))
+	/* as we use time_monotonic() for condvar operations, we use the
+	 * monotonic time source only if it is also supported by pthread. */
+	timespec_t ts;
+
+	if (clock_gettime(CLOCK_MONOTONIC, &ts) == 0)
+	{
+		if (tv)
+		{
+			tv->tv_sec = ts.tv_sec;
+			tv->tv_usec = ts.tv_nsec / 1000;
+		}
+		return ts.tv_sec;
+	}
+#endif /* HAVE_CLOCK_GETTIME && (...) */
+	/* Fallback to non-monotonic timestamps:
+	 * On MAC OS X, creating monotonic timestamps is rather difficult. We
+	 * could use mach_absolute_time() and catch sleep/wakeup notifications.
+	 * We stick to the simpler (non-monotonic) gettimeofday() for now.
+	 * But keep in mind: we need the same time source here as in condvar! */
+	if (!tv)
+	{
+		return time(NULL);
+	}
+	if (gettimeofday(tv, NULL) != 0)
+	{	/* should actually never fail if passed pointers are valid */
+		return -1;
+	}
+	return tv->tv_sec;
+}
+
+/**
+ * return null
+ */
+void *return_null()
+{
+	return NULL;
+}
+
+/**
+ * returns TRUE
+ */
+bool return_true()
+{
+	return TRUE;
+}
+
+/**
+ * returns FALSE
+ */
+bool return_false()
+{
+	return FALSE;
+}
+
+/**
+ * returns FAILED
+ */
+status_t return_failed()
+{
+	return FAILED;
+}
+
+/**
+ * nop operation
+ */
+void nop()
+{
+}
+
+#ifndef HAVE_GCC_ATOMIC_OPERATIONS
+
+/**
+ * We use a single mutex for all refcount variables.
+ */
+static pthread_mutex_t ref_mutex = PTHREAD_MUTEX_INITIALIZER;
+
+/**
+ * Increase refcount
+ */
+void ref_get(refcount_t *ref)
+{
+	pthread_mutex_lock(&ref_mutex);
+	(*ref)++;
+	pthread_mutex_unlock(&ref_mutex);
+}
+
+/**
+ * Decrease refcount
+ */
+bool ref_put(refcount_t *ref)
+{
+	bool more_refs;
+
+	pthread_mutex_lock(&ref_mutex);
+	more_refs = --(*ref) > 0;
+	pthread_mutex_unlock(&ref_mutex);
+	return !more_refs;
+}
+
+/**
+ * Single mutex for all compare and swap operations.
+ */
+static pthread_mutex_t cas_mutex = PTHREAD_MUTEX_INITIALIZER;
+
+/**
+ * Compare and swap if equal to old value
+ */
+#define _cas_impl(name, type) \
+bool cas_##name(type *ptr, type oldval, type newval) \
+{ \
+	bool swapped; \
+	pthread_mutex_lock(&cas_mutex); \
+	if ((swapped = (*ptr == oldval))) { *ptr = newval; } \
+	pthread_mutex_unlock(&cas_mutex); \
+	return swapped; \
+}
+
+_cas_impl(bool, bool)
+_cas_impl(ptr, void*)
+
+#endif /* HAVE_GCC_ATOMIC_OPERATIONS */
+
+/**
+ * Described in header.
+ */
+int time_printf_hook(printf_hook_data_t *data, printf_hook_spec_t *spec,
+					 const void *const *args)
+{
+	static const char* months[] = {
+		"Jan", "Feb", "Mar", "Apr", "May", "Jun",
+		"Jul", "Aug", "Sep", "Oct", "Nov", "Dec"
+	};
+	time_t *time = *((time_t**)(args[0]));
+	bool utc = *((bool*)(args[1]));;
+	struct tm t;
+
+	if (time == UNDEFINED_TIME)
+	{
+		return print_in_hook(data, "--- -- --:--:--%s----",
+							 utc ? " UTC " : " ");
+	}
+	if (utc)
+	{
+		gmtime_r(time, &t);
+	}
+	else
+	{
+		localtime_r(time, &t);
+	}
+	return print_in_hook(data, "%s %02d %02d:%02d:%02d%s%04d",
+						 months[t.tm_mon], t.tm_mday, t.tm_hour, t.tm_min,
+						 t.tm_sec, utc ? " UTC " : " ", t.tm_year + 1900);
+}
+
+/**
+ * Described in header.
+ */
+int time_delta_printf_hook(printf_hook_data_t *data, printf_hook_spec_t *spec,
+						   const void *const *args)
+{
+	char* unit = "second";
+	time_t *arg1 = *((time_t**)(args[0]));
+	time_t *arg2 = *((time_t**)(args[1]));
+	u_int64_t delta = llabs(*arg1 - *arg2);
+
+	if (delta > 2 * 60 * 60 * 24)
+	{
+		delta /= 60 * 60 * 24;
+		unit = "day";
+	}
+	else if (delta > 2 * 60 * 60)
+	{
+		delta /= 60 * 60;
+		unit = "hour";
+	}
+	else if (delta > 2 * 60)
+	{
+		delta /= 60;
+		unit = "minute";
+	}
+	return print_in_hook(data, "%" PRIu64 " %s%s", delta, unit,
+						 (delta == 1) ? "" : "s");
+}
+
+/**
+ * Number of bytes per line to dump raw data
+ */
+#define BYTES_PER_LINE 16
+
+static char hexdig_upper[] = "0123456789ABCDEF";
+
+/**
+ * Described in header.
+ */
+int mem_printf_hook(printf_hook_data_t *data,
+					printf_hook_spec_t *spec, const void *const *args)
+{
+	char *bytes = *((void**)(args[0]));
+	u_int len = *((int*)(args[1]));
+
+	char buffer[BYTES_PER_LINE * 3];
+	char ascii_buffer[BYTES_PER_LINE + 1];
+	char *buffer_pos = buffer;
+	char *bytes_pos  = bytes;
+	char *bytes_roof = bytes + len;
+	int line_start = 0;
+	int i = 0;
+	int written = 0;
+
+	written += print_in_hook(data, "=> %u bytes @ %p", len, bytes);
+
+	while (bytes_pos < bytes_roof)
+	{
+		*buffer_pos++ = hexdig_upper[(*bytes_pos >> 4) & 0xF];
+		*buffer_pos++ = hexdig_upper[ *bytes_pos       & 0xF];
+
+		ascii_buffer[i++] =
+				(*bytes_pos > 31 && *bytes_pos < 127) ? *bytes_pos : '.';
+
+		if (++bytes_pos == bytes_roof || i == BYTES_PER_LINE)
+		{
+			int padding = 3 * (BYTES_PER_LINE - i);
+
+			while (padding--)
+			{
+				*buffer_pos++ = ' ';
+			}
+			*buffer_pos++ = '\0';
+			ascii_buffer[i] = '\0';
+
+			written += print_in_hook(data, "\n%4d: %s  %s",
+									 line_start, buffer, ascii_buffer);
+
+			buffer_pos = buffer;
+			line_start += BYTES_PER_LINE;
+			i = 0;
+		}
+		else
+		{
+			*buffer_pos++ = ' ';
+		}
+	}
+	return written;
+}
diff --git a/src/libstrongswan/utils/utils.h b/src/libstrongswan/utils/utils.h
new file mode 100644
index 000000000..7b1beb93a
--- /dev/null
+++ b/src/libstrongswan/utils/utils.h
@@ -0,0 +1,699 @@
+/*
+ * Copyright (C) 2008-2012 Tobias Brunner
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup utils_i utils
+ * @{ @ingroup utils
+ */
+
+#ifndef UTILS_H_
+#define UTILS_H_
+
+#include <sys/types.h>
+#include <stdlib.h>
+#include <stddef.h>
+#include <sys/time.h>
+#include <arpa/inet.h>
+#include <string.h>
+
+#include "enum.h"
+
+/**
+ * strongSwan program return codes
+ */
+#define SS_RC_LIBSTRONGSWAN_INTEGRITY	64
+#define SS_RC_DAEMON_INTEGRITY			65
+#define SS_RC_INITIALIZATION_FAILED		66
+
+#define SS_RC_FIRST	SS_RC_LIBSTRONGSWAN_INTEGRITY
+#define SS_RC_LAST	SS_RC_INITIALIZATION_FAILED
+
+/**
+ * Number of bits in a byte
+ */
+#define BITS_PER_BYTE 8
+
+/**
+ * Default length for various auxiliary text buffers
+ */
+#define BUF_LEN 512
+
+/**
+ * General purpose boolean type.
+ */
+#ifdef HAVE_STDBOOL_H
+# include <stdbool.h>
+#else
+# ifndef HAVE__BOOL
+#  define _Bool signed char
+# endif /* HAVE__BOOL */
+# define bool _Bool
+# define false 0
+# define true 1
+# define __bool_true_false_are_defined 1
+#endif /* HAVE_STDBOOL_H */
+#ifndef FALSE
+# define FALSE false
+#endif /* FALSE */
+#ifndef TRUE
+# define TRUE  true
+#endif /* TRUE */
+
+/**
+ * Helper function that compares two strings for equality
+ */
+static inline bool streq(const char *x, const char *y)
+{
+	return strcmp(x, y) == 0;
+}
+
+/**
+ * Macro compares two strings for equality, length limited
+ */
+#define strneq(x,y,len) (strncmp(x, y, len) == 0)
+
+/**
+ * Helper function that compares two strings for equality ignoring case
+ */
+static inline bool strcaseeq(const char *x, const char *y)
+{
+	return strcasecmp(x, y) == 0;
+}
+
+/**
+ * Macro compares two strings for equality ignoring case, length limited
+ */
+#define strncaseeq(x,y,len) (strncasecmp(x, y, len) == 0)
+
+/**
+ * NULL-safe strdup variant
+ */
+static inline char *strdupnull(const char *s)
+{
+	return s ? strdup(s) : NULL;
+}
+
+/**
+ * Macro compares two binary blobs for equality
+ */
+#define memeq(x,y,len) (memcmp(x, y, len) == 0)
+
+/**
+ * Macro gives back larger of two values.
+ */
+#define max(x,y) ({ \
+	typeof(x) _x = (x); \
+	typeof(y) _y = (y); \
+	_x > _y ? _x : _y; })
+
+
+/**
+ * Macro gives back smaller of two values.
+ */
+#define min(x,y) ({ \
+	typeof(x) _x = (x); \
+	typeof(y) _y = (y); \
+	_x < _y ? _x : _y; })
+
+/**
+ * Call destructor of an object, if object != NULL
+ */
+#define DESTROY_IF(obj) if (obj) (obj)->destroy(obj)
+
+/**
+ * Call offset destructor of an object, if object != NULL
+ */
+#define DESTROY_OFFSET_IF(obj, offset) if (obj) obj->destroy_offset(obj, offset);
+
+/**
+ * Call function destructor of an object, if object != NULL
+ */
+#define DESTROY_FUNCTION_IF(obj, fn) if (obj) obj->destroy_function(obj, fn);
+
+/**
+ * Debug macro to follow control flow
+ */
+#define POS printf("%s, line %d\n", __FILE__, __LINE__)
+
+/**
+ * Object allocation/initialization macro, using designated initializer.
+ */
+#define INIT(this, ...) { (this) = malloc(sizeof(*(this))); \
+						   *(this) = (typeof(*(this))){ __VA_ARGS__ }; }
+
+/**
+ * Method declaration/definition macro, providing private and public interface.
+ *
+ * Defines a method name with this as first parameter and a return value ret,
+ * and an alias for this method with a _ prefix, having the this argument
+ * safely casted to the public interface iface.
+ * _name is provided a function pointer, but will get optimized out by GCC.
+ */
+#define METHOD(iface, name, ret, this, ...) \
+	static ret name(union {iface *_public; this;} \
+	__attribute__((transparent_union)), ##__VA_ARGS__); \
+	static typeof(name) *_##name = (typeof(name)*)name; \
+	static ret name(this, ##__VA_ARGS__)
+
+/**
+ * Same as METHOD(), but is defined for two public interfaces.
+ */
+#define METHOD2(iface1, iface2, name, ret, this, ...) \
+	static ret name(union {iface1 *_public1; iface2 *_public2; this;} \
+	__attribute__((transparent_union)), ##__VA_ARGS__); \
+	static typeof(name) *_##name = (typeof(name)*)name; \
+	static ret name(this, ##__VA_ARGS__)
+
+/**
+ * Architecture independent bitfield definition helpers (at least with GCC).
+ *
+ * Defines a bitfield with a type t and a fixed size of bitfield members, e.g.:
+ * BITFIELD2(u_int8_t,
+ *     low: 4,
+ *     high: 4,
+ * ) flags;
+ * The member defined first placed at bit 0.
+ */
+#if BYTE_ORDER == LITTLE_ENDIAN
+#define BITFIELD2(t, a, b,...)			struct { t a; t b; __VA_ARGS__}
+#define BITFIELD3(t, a, b, c,...)		struct { t a; t b; t c; __VA_ARGS__}
+#define BITFIELD4(t, a, b, c, d,...)	struct { t a; t b; t c; t d; __VA_ARGS__}
+#define BITFIELD5(t, a, b, c, d, e,...)	struct { t a; t b; t c; t d; t e; __VA_ARGS__}
+#elif BYTE_ORDER == BIG_ENDIAN
+#define BITFIELD2(t, a, b,...)			struct { t b; t a; __VA_ARGS__}
+#define BITFIELD3(t, a, b, c,...)		struct { t c; t b; t a; __VA_ARGS__}
+#define BITFIELD4(t, a, b, c, d,...)	struct { t d; t c; t b; t a; __VA_ARGS__}
+#define BITFIELD5(t, a, b, c, d, e,...)	struct { t e; t d; t c; t b; t a; __VA_ARGS__}
+#endif
+
+/**
+ * Macro to allocate a sized type.
+ */
+#define malloc_thing(thing) ((thing*)malloc(sizeof(thing)))
+
+/**
+ * Get the number of elements in an array
+ */
+#define countof(array) (sizeof(array)/sizeof(array[0]))
+
+/**
+ * Ignore result of functions tagged with warn_unused_result attributes
+ */
+#define ignore_result(call) { if(call){}; }
+
+/**
+ * Assign a function as a class method
+ */
+#define ASSIGN(method, function) (method = (typeof(method))function)
+
+/**
+ * time_t not defined
+ */
+#define UNDEFINED_TIME 0
+
+/**
+ * Maximum time since epoch causing wrap-around on Jan 19 03:14:07 UTC 2038
+ */
+#define TIME_32_BIT_SIGNED_MAX	0x7fffffff
+
+/**
+ * define some missing fixed width int types on OpenSolaris.
+ * TODO: since the uintXX_t types are defined by the C99 standard we should
+ * probably use those anyway
+ */
+#ifdef __sun
+        #include <stdint.h>
+        typedef uint8_t         u_int8_t;
+        typedef uint16_t        u_int16_t;
+        typedef uint32_t        u_int32_t;
+        typedef uint64_t        u_int64_t;
+#endif
+
+typedef enum status_t status_t;
+
+/**
+ * Return values of function calls.
+ */
+enum status_t {
+	/**
+	 * Call succeeded.
+	 */
+	SUCCESS,
+
+	/**
+	 * Call failed.
+	 */
+	FAILED,
+
+	/**
+	 * Out of resources.
+	 */
+	OUT_OF_RES,
+
+	/**
+	 * The suggested operation is already done
+	 */
+	ALREADY_DONE,
+
+	/**
+	 * Not supported.
+	 */
+	NOT_SUPPORTED,
+
+	/**
+	 * One of the arguments is invalid.
+	 */
+	INVALID_ARG,
+
+	/**
+	 * Something could not be found.
+	 */
+	NOT_FOUND,
+
+	/**
+	 * Error while parsing.
+	 */
+	PARSE_ERROR,
+
+	/**
+	 * Error while verifying.
+	 */
+	VERIFY_ERROR,
+
+	/**
+	 * Object in invalid state.
+	 */
+	INVALID_STATE,
+
+	/**
+	 * Destroy object which called method belongs to.
+	 */
+	DESTROY_ME,
+
+	/**
+	 * Another call to the method is required.
+	 */
+	NEED_MORE,
+};
+
+/**
+ * enum_names for type status_t.
+ */
+extern enum_name_t *status_names;
+
+/**
+ * deprecated pluto style return value:
+ * error message, NULL for success
+ */
+typedef const char *err_t;
+
+/**
+ * Handle struct timeval like an own type.
+ */
+typedef struct timeval timeval_t;
+
+/**
+ * Handle struct timespec like an own type.
+ */
+typedef struct timespec timespec_t;
+
+/**
+ * Handle struct chunk_t like an own type.
+ */
+typedef struct sockaddr sockaddr_t;
+
+/**
+ * Clone a data to a newly allocated buffer
+ */
+void *clalloc(void *pointer, size_t size);
+
+/**
+ * Same as memcpy, but XORs src into dst instead of copy
+ */
+void memxor(u_int8_t dest[], u_int8_t src[], size_t n);
+
+/**
+ * Safely overwrite n bytes of memory at ptr with zero, non-inlining variant.
+ */
+void memwipe_noinline(void *ptr, size_t n);
+
+/**
+ * Safely overwrite n bytes of memory at ptr with zero, inlining variant.
+ */
+static inline void memwipe_inline(void *ptr, size_t n)
+{
+	volatile char *c = (volatile char*)ptr;
+	size_t m, i;
+
+	/* byte wise until long aligned */
+	for (i = 0; (uintptr_t)&c[i] % sizeof(long) && i < n; i++)
+	{
+		c[i] = 0;
+	}
+	/* word wise */
+	if (n >= sizeof(long))
+	{
+		for (m = n - sizeof(long); i <= m; i += sizeof(long))
+		{
+			*(volatile long*)&c[i] = 0;
+		}
+	}
+	/* byte wise of the rest */
+	for (; i < n; i++)
+	{
+		c[i] = 0;
+	}
+}
+
+/**
+ * Safely overwrite n bytes of memory at ptr with zero, auto-inlining variant.
+ */
+static inline void memwipe(void *ptr, size_t n)
+{
+	if (__builtin_constant_p(n))
+	{
+		memwipe_inline(ptr, n);
+	}
+	else
+	{
+		memwipe_noinline(ptr, n);
+	}
+}
+
+/**
+ * A variant of strstr with the characteristics of memchr, where haystack is not
+ * a null-terminated string but simply a memory area of length n.
+ */
+void *memstr(const void *haystack, const char *needle, size_t n);
+
+/**
+ * Translates the characters in the given string, searching for characters
+ * in 'from' and mapping them to characters in 'to'.
+ * The two characters sets 'from' and 'to' must contain the same number of
+ * characters.
+ */
+char *translate(char *str, const char *from, const char *to);
+
+/**
+ * Creates a directory and all required parent directories.
+ *
+ * @param path		path to the new directory
+ * @param mode		permissions of the new directory/directories
+ * @return			TRUE on success
+ */
+bool mkdir_p(const char *path, mode_t mode);
+
+/**
+ * Thread-safe wrapper around strerror and strerror_r.
+ *
+ * This is required because the first is not thread-safe (on some platforms)
+ * and the second uses two different signatures (POSIX/GNU) and is impractical
+ * to use anyway.
+ *
+ * @param errnum	error code (i.e. errno)
+ * @return			error message
+ */
+const char *safe_strerror(int errnum);
+
+/**
+ * Replace usages of strerror(3) with thread-safe variant.
+ */
+#define strerror(errnum) safe_strerror(errnum)
+
+#ifndef HAVE_CLOSEFROM
+/**
+ * Close open file descriptors greater than or equal to lowfd.
+ *
+ * @param lowfd		start closing file descriptoros from here
+ */
+void closefrom(int lowfd);
+#endif
+
+/**
+ * Get a timestamp from a monotonic time source.
+ *
+ * While the time()/gettimeofday() functions are affected by leap seconds
+ * and system time changes, this function returns ever increasing monotonic
+ * time stamps.
+ *
+ * @param tv		timeval struct receiving monotonic timestamps, or NULL
+ * @return			monotonic timestamp in seconds
+ */
+time_t time_monotonic(timeval_t *tv);
+
+/**
+ * Add the given number of milliseconds to the given timeval struct
+ *
+ * @param tv		timeval struct to modify
+ * @param ms		number of milliseconds
+ */
+static inline void timeval_add_ms(timeval_t *tv, u_int ms)
+{
+	tv->tv_usec += ms * 1000;
+	while (tv->tv_usec > 1000000 /* 1s */)
+	{
+		tv->tv_usec -= 1000000;
+		tv->tv_sec++;
+	}
+}
+
+/**
+ * returns null
+ */
+void *return_null();
+
+/**
+ * No-Operation function
+ */
+void nop();
+
+/**
+ * returns TRUE
+ */
+bool return_true();
+
+/**
+ * returns FALSE
+ */
+bool return_false();
+
+/**
+ * returns FAILED
+ */
+status_t return_failed();
+
+/**
+ * Write a 16-bit host order value in network order to an unaligned address.
+ *
+ * @param host		host order 16-bit value
+ * @param network	unaligned address to write network order value to
+ */
+static inline void htoun16(void *network, u_int16_t host)
+{
+	char *unaligned = (char*)network;
+
+	host = htons(host);
+	memcpy(unaligned, &host, sizeof(host));
+}
+
+/**
+ * Write a 32-bit host order value in network order to an unaligned address.
+ *
+ * @param host		host order 32-bit value
+ * @param network	unaligned address to write network order value to
+ */
+static inline void htoun32(void *network, u_int32_t host)
+{
+	char *unaligned = (char*)network;
+
+	host = htonl(host);
+	memcpy((char*)unaligned, &host, sizeof(host));
+}
+
+/**
+ * Write a 64-bit host order value in network order to an unaligned address.
+ *
+ * @param host		host order 64-bit value
+ * @param network	unaligned address to write network order value to
+ */
+static inline void htoun64(void *network, u_int64_t host)
+{
+	char *unaligned = (char*)network;
+
+#ifdef be64toh
+	host = htobe64(host);
+	memcpy((char*)unaligned, &host, sizeof(host));
+#else
+	u_int32_t high_part, low_part;
+
+	high_part = host >> 32;
+	high_part = htonl(high_part);
+	low_part  = host & 0xFFFFFFFFLL;
+	low_part  = htonl(low_part);
+
+	memcpy(unaligned, &high_part, sizeof(high_part));
+	unaligned += sizeof(high_part);
+	memcpy(unaligned, &low_part, sizeof(low_part));
+#endif
+}
+
+/**
+ * Read a 16-bit value in network order from an unaligned address to host order.
+ *
+ * @param network	unaligned address to read network order value from
+ * @return			host order value
+ */
+static inline u_int16_t untoh16(void *network)
+{
+	char *unaligned = (char*)network;
+	u_int16_t tmp;
+
+	memcpy(&tmp, unaligned, sizeof(tmp));
+	return ntohs(tmp);
+}
+
+/**
+ * Read a 32-bit value in network order from an unaligned address to host order.
+ *
+ * @param network	unaligned address to read network order value from
+ * @return			host order value
+ */
+static inline u_int32_t untoh32(void *network)
+{
+	char *unaligned = (char*)network;
+	u_int32_t tmp;
+
+	memcpy(&tmp, unaligned, sizeof(tmp));
+	return ntohl(tmp);
+}
+
+/**
+ * Read a 64-bit value in network order from an unaligned address to host order.
+ *
+ * @param network	unaligned address to read network order value from
+ * @return			host order value
+ */
+static inline u_int64_t untoh64(void *network)
+{
+	char *unaligned = (char*)network;
+
+#ifdef be64toh
+	u_int64_t tmp;
+
+	memcpy(&tmp, unaligned, sizeof(tmp));
+	return be64toh(tmp);
+#else
+	u_int32_t high_part, low_part;
+
+	memcpy(&high_part, unaligned, sizeof(high_part));
+	unaligned += sizeof(high_part);
+	memcpy(&low_part, unaligned, sizeof(low_part));
+
+	high_part = ntohl(high_part);
+	low_part  = ntohl(low_part);
+
+	return (((u_int64_t)high_part) << 32) + low_part;
+#endif
+}
+
+/**
+ * Special type to count references
+ */
+typedef volatile u_int refcount_t;
+
+
+#ifdef HAVE_GCC_ATOMIC_OPERATIONS
+
+#define ref_get(ref) {__sync_fetch_and_add(ref, 1); }
+#define ref_put(ref) (!__sync_sub_and_fetch(ref, 1))
+
+#define cas_bool(ptr, oldval, newval) \
+					(__sync_bool_compare_and_swap(ptr, oldval, newval))
+#define cas_ptr(ptr, oldval, newval) \
+					(__sync_bool_compare_and_swap(ptr, oldval, newval))
+
+#else /* !HAVE_GCC_ATOMIC_OPERATIONS */
+
+/**
+ * Get a new reference.
+ *
+ * Increments the reference counter atomic.
+ *
+ * @param ref	pointer to ref counter
+ */
+void ref_get(refcount_t *ref);
+
+/**
+ * Put back a unused reference.
+ *
+ * Decrements the reference counter atomic and
+ * says if more references available.
+ *
+ * @param ref	pointer to ref counter
+ * @return		TRUE if no more references counted
+ */
+bool ref_put(refcount_t *ref);
+
+/**
+ * Atomically replace value of ptr with newval if it currently equals oldval.
+ *
+ * @param ptr		pointer to variable
+ * @param oldval	old value of the variable
+ * @param newval	new value set if possible
+ * @return			TRUE if value equaled oldval and newval was written
+ */
+bool cas_bool(bool *ptr, bool oldval, bool newval);
+
+/**
+ * Atomically replace value of ptr with newval if it currently equals oldval.
+ *
+ * @param ptr		pointer to variable
+ * @param oldval	old value of the variable
+ * @param newval	new value set if possible
+ * @return			TRUE if value equaled oldval and newval was written
+ */
+bool cas_ptr(void **ptr, void *oldval, void *newval);
+
+#endif /* HAVE_GCC_ATOMIC_OPERATIONS */
+
+/**
+ * printf hook for time_t.
+ *
+ * Arguments are:
+ *	time_t* time, bool utc
+ */
+int time_printf_hook(printf_hook_data_t *data, printf_hook_spec_t *spec,
+					 const void *const *args);
+
+/**
+ * printf hook for time_t deltas.
+ *
+ * Arguments are:
+ *	time_t* begin, time_t* end
+ */
+int time_delta_printf_hook(printf_hook_data_t *data, printf_hook_spec_t *spec,
+						   const void *const *args);
+
+/**
+ * printf hook for memory areas.
+ *
+ * Arguments are:
+ *	u_char *ptr, u_int len
+ */
+int mem_printf_hook(printf_hook_data_t *data, printf_hook_spec_t *spec,
+					const void *const *args);
+
+#endif /** UTILS_H_ @}*/
diff --git a/src/libtls/Makefile.in b/src/libtls/Makefile.in
index fb1136ee0..d54545aac 100644
--- a/src/libtls/Makefile.in
+++ b/src/libtls/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -75,6 +75,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
 am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
 am__installdirs = "$(DESTDIR)$(ipseclibdir)" \
 	"$(DESTDIR)$(tls_includedir)"
 LTLIBRARIES = $(ipseclib_LTLIBRARIES)
@@ -126,6 +132,7 @@ CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -153,6 +160,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -180,6 +188,7 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
@@ -192,6 +201,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -245,7 +255,6 @@ libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -370,7 +379,7 @@ clean-ipseclibLTLIBRARIES:
 	  echo "rm -f \"$${dir}/so_locations\""; \
 	  rm -f "$${dir}/so_locations"; \
 	done
-libtls.la: $(libtls_la_OBJECTS) $(libtls_la_DEPENDENCIES) 
+libtls.la: $(libtls_la_OBJECTS) $(libtls_la_DEPENDENCIES) $(EXTRA_libtls_la_DEPENDENCIES) 
 	$(LINK) -rpath $(ipseclibdir) $(libtls_la_OBJECTS) $(libtls_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
@@ -438,9 +447,7 @@ uninstall-nobase_tls_includeHEADERS:
 	@$(NORMAL_UNINSTALL)
 	@list='$(nobase_tls_include_HEADERS)'; test -n "$(tls_includedir)" || list=; \
 	$(am__nobase_strip_setup); files=`$(am__nobase_strip)`; \
-	test -n "$$files" || exit 0; \
-	echo " ( cd '$(DESTDIR)$(tls_includedir)' && rm -f" $$files ")"; \
-	cd "$(DESTDIR)$(tls_includedir)" && rm -f $$files
+	dir='$(DESTDIR)$(tls_includedir)'; $(am__uninstall_files_from_dir)
 
 ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
 	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
@@ -541,10 +548,15 @@ install-am: all-am
 
 installcheck: installcheck-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
diff --git a/src/libtls/tls.c b/src/libtls/tls.c
index 2bcaffbc8..dea08e3eb 100644
--- a/src/libtls/tls.c
+++ b/src/libtls/tls.c
@@ -15,7 +15,7 @@
 
 #include "tls.h"
 
-#include <debug.h>
+#include <utils/debug.h>
 
 #include "tls_protection.h"
 #include "tls_compression.h"
diff --git a/src/libtls/tls_alert.c b/src/libtls/tls_alert.c
index 8a4fa7d77..7dd219db8 100644
--- a/src/libtls/tls_alert.c
+++ b/src/libtls/tls_alert.c
@@ -15,8 +15,8 @@
 
 #include "tls_alert.h"
 
-#include <debug.h>
-#include <utils/linked_list.h>
+#include <utils/debug.h>
+#include <collections/linked_list.h>
 
 ENUM_BEGIN(tls_alert_desc_names, TLS_CLOSE_NOTIFY, TLS_CLOSE_NOTIFY,
 	"close notify",
diff --git a/src/libtls/tls_cache.c b/src/libtls/tls_cache.c
index a89201ad7..c13b1e851 100644
--- a/src/libtls/tls_cache.c
+++ b/src/libtls/tls_cache.c
@@ -15,9 +15,9 @@
 
 #include "tls_cache.h"
 
-#include <debug.h>
-#include <utils/linked_list.h>
-#include <utils/hashtable.h>
+#include <utils/debug.h>
+#include <collections/linked_list.h>
+#include <collections/hashtable.h>
 #include <threading/rwlock.h>
 
 typedef struct private_tls_cache_t private_tls_cache_t;
diff --git a/src/libtls/tls_crypto.c b/src/libtls/tls_crypto.c
index f74984879..12aa049a2 100644
--- a/src/libtls/tls_crypto.c
+++ b/src/libtls/tls_crypto.c
@@ -15,7 +15,7 @@
 
 #include "tls_crypto.h"
 
-#include <debug.h>
+#include <utils/debug.h>
 
 ENUM_BEGIN(tls_cipher_suite_names, TLS_NULL_WITH_NULL_NULL,
 								   TLS_DH_anon_WITH_3DES_EDE_CBC_SHA,
@@ -1110,6 +1110,7 @@ METHOD(tls_crypto_t, get_signature_algorithms, void,
 	}
 	enumerator->destroy(enumerator);
 
+	supported->wrap16(supported);
 	writer->write_data16(writer, supported->get_buf(supported));
 	supported->destroy(supported);
 }
diff --git a/src/libtls/tls_eap.c b/src/libtls/tls_eap.c
index 928aadcb3..68cebb994 100644
--- a/src/libtls/tls_eap.c
+++ b/src/libtls/tls_eap.c
@@ -18,7 +18,7 @@
 
 #include "tls.h"
 
-#include <debug.h>
+#include <utils/debug.h>
 #include <library.h>
 
 /**
diff --git a/src/libtls/tls_fragmentation.c b/src/libtls/tls_fragmentation.c
index f2fa77cfd..c76376b43 100644
--- a/src/libtls/tls_fragmentation.c
+++ b/src/libtls/tls_fragmentation.c
@@ -16,7 +16,7 @@
 #include "tls_fragmentation.h"
 
 #include <bio/bio_reader.h>
-#include <debug.h>
+#include <utils/debug.h>
 
 /**
  * Maximum size of a TLS handshake message we accept
diff --git a/src/libtls/tls_peer.c b/src/libtls/tls_peer.c
index 65072d087..622df4035 100644
--- a/src/libtls/tls_peer.c
+++ b/src/libtls/tls_peer.c
@@ -15,7 +15,7 @@
 
 #include "tls_peer.h"
 
-#include <debug.h>
+#include <utils/debug.h>
 #include <credentials/certificates/x509.h>
 
 #include <time.h>
@@ -760,6 +760,7 @@ static status_t send_client_hello(private_tls_peer_t *this,
 	enumerator->destroy(enumerator);
 	if (curves)
 	{
+		curves->wrap16(curves);
 		extensions->write_data16(extensions, curves->get_buf(curves));
 		curves->destroy(curves);
 
diff --git a/src/libtls/tls_protection.c b/src/libtls/tls_protection.c
index 8263728bb..0d5df18f7 100644
--- a/src/libtls/tls_protection.c
+++ b/src/libtls/tls_protection.c
@@ -15,7 +15,7 @@
 
 #include "tls_protection.h"
 
-#include <debug.h>
+#include <utils/debug.h>
 
 typedef struct private_tls_protection_t private_tls_protection_t;
 
diff --git a/src/libtls/tls_server.c b/src/libtls/tls_server.c
index a66448d24..ec42b67fc 100644
--- a/src/libtls/tls_server.c
+++ b/src/libtls/tls_server.c
@@ -17,7 +17,7 @@
 
 #include <time.h>
 
-#include <debug.h>
+#include <utils/debug.h>
 #include <credentials/certificates/x509.h>
 
 typedef struct private_tls_server_t private_tls_server_t;
diff --git a/src/libtls/tls_socket.c b/src/libtls/tls_socket.c
index 3abff596d..75b714e30 100644
--- a/src/libtls/tls_socket.c
+++ b/src/libtls/tls_socket.c
@@ -18,7 +18,7 @@
 #include <unistd.h>
 #include <errno.h>
 
-#include <debug.h>
+#include <utils/debug.h>
 #include <threading/thread.h>
 
 /**
diff --git a/src/libtnccs/Makefile.in b/src/libtnccs/Makefile.in
index 5eac73ab0..1e9f639f8 100644
--- a/src/libtnccs/Makefile.in
+++ b/src/libtnccs/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -73,6 +73,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
 am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
 am__installdirs = "$(DESTDIR)$(ipseclibdir)"
 LTLIBRARIES = $(ipseclib_LTLIBRARIES)
 libtnccs_la_DEPENDENCIES = $(top_builddir)/src/libtncif/libtncif.la
@@ -116,6 +122,7 @@ CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -143,6 +150,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -170,6 +178,7 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
@@ -182,6 +191,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -235,7 +245,6 @@ libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -359,7 +368,7 @@ clean-ipseclibLTLIBRARIES:
 	  echo "rm -f \"$${dir}/so_locations\""; \
 	  rm -f "$${dir}/so_locations"; \
 	done
-libtnccs.la: $(libtnccs_la_OBJECTS) $(libtnccs_la_DEPENDENCIES) 
+libtnccs.la: $(libtnccs_la_OBJECTS) $(libtnccs_la_DEPENDENCIES) $(EXTRA_libtnccs_la_DEPENDENCIES) 
 	$(LINK) -rpath $(ipseclibdir) $(libtnccs_la_OBJECTS) $(libtnccs_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
@@ -527,10 +536,15 @@ install-am: all-am
 
 installcheck: installcheck-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
diff --git a/src/libtnccs/tnc/imc/imc_manager.h b/src/libtnccs/tnc/imc/imc_manager.h
index 25e0efe9d..db033c4c0 100644
--- a/src/libtnccs/tnc/imc/imc_manager.h
+++ b/src/libtnccs/tnc/imc/imc_manager.h
@@ -55,7 +55,31 @@ struct imc_manager_t {
 	 * @param path				path of the IMC dynamic library file
 	 * @return					TRUE if loading succeeded
 	 */
-	 bool (*load)(imc_manager_t *this, char *name, char *path);
+	bool (*load)(imc_manager_t *this, char *name, char *path);
+
+	/**
+	 * Load and initialize an IMC from a set of TNC IMC functions.
+	 *
+	 * @param name						name of the IMC
+	 * @param initialize				TNC_IMC_InitializePointer
+	 * @param notify_connection_change	TNC_IMC_NotifyConnectionChangePointer
+	 * @param begin_handshake			TNC_IMC_BeginHandshakePointer
+	 * @param receive_message			TNC_IMC_ReceiveMessagePointer
+	 * @param receive_message_long		TNC_IMC_ReceiveMessageLongPointer
+	 * @param batch_ending				TNC_IMC_BatchEndingPointer
+	 * @param terminate					TNC_IMC_TerminatePointer
+	 * @param provide_bind_function		TNC_IMC_ProvideBindFunctionPointer
+	 * @return							TRUE if loading succeeded
+	 */
+	bool (*load_from_functions)(imc_manager_t *this, char *name,
+				TNC_IMC_InitializePointer initialize,
+				TNC_IMC_NotifyConnectionChangePointer notify_connection_change,
+				TNC_IMC_BeginHandshakePointer begin_handshake,
+				TNC_IMC_ReceiveMessagePointer receive_message,
+				TNC_IMC_ReceiveMessageLongPointer receive_message_long,
+				TNC_IMC_BatchEndingPointer batch_ending,
+				TNC_IMC_TerminatePointer terminate,
+				TNC_IMC_ProvideBindFunctionPointer provide_bind_function);
 
 	/**
 	 * Check if an IMC with a given ID is registered with the IMC manager
diff --git a/src/libtnccs/tnc/imv/imv_manager.h b/src/libtnccs/tnc/imv/imv_manager.h
index 43f40973c..7772b7e08 100644
--- a/src/libtnccs/tnc/imv/imv_manager.h
+++ b/src/libtnccs/tnc/imv/imv_manager.h
@@ -56,8 +56,31 @@ struct imv_manager_t {
 	 * @param path				path of the IMV dynamic library file
 	 * @return					TRUE if loading succeeded
 	 */
-	 bool (*load)(imv_manager_t *this, char *name, char *path);
+	bool (*load)(imv_manager_t *this, char *name, char *path);
 
+	/**
+	 * Load and initialize an IMV from a set of TNC IMC functions.
+	 *
+	 * @param name						name of the IMV
+	 * @param initialize				TNC_IMV_InitializePointer
+	 * @param notify_connection_change	TNC_IMV_NotifyConnectionChangePointer
+	 * @param receive_message			TNC_IMV_ReceiveMessagePointer
+	 * @param receive_message_long		TNC_IMV_ReceiveMessageLongPointer
+	 * @param solicit_recommendation	TNC_IMV_SolicitRecommendationPointer
+	 * @param batch_ending				TNC_IMV_BatchEndingPointer
+	 * @param terminate					TNC_IMV_TerminatePointer
+	 * @param provide_bind_function		TNC_IMV_ProvideBindFunctionPointer
+	 * @return							TRUE if loading succeeded
+	 */
+	bool (*load_from_functions)(imv_manager_t *this, char *name,
+				TNC_IMV_InitializePointer initialize,
+				TNC_IMV_NotifyConnectionChangePointer notify_connection_change,
+				TNC_IMV_ReceiveMessagePointer receive_message,
+				TNC_IMV_ReceiveMessageLongPointer receive_message_long,
+				TNC_IMV_SolicitRecommendationPointer solicit_recommendation,
+				TNC_IMV_BatchEndingPointer batch_ending,
+				TNC_IMV_TerminatePointer terminate,
+				TNC_IMV_ProvideBindFunctionPointer provide_bind_function);
 
 	/**
 	 * Check if an IMV with a given ID is registered with the IMV manager
diff --git a/src/libtnccs/tnc/tnc.c b/src/libtnccs/tnc/tnc.c
index 7c0ee4132..769b9fa54 100644
--- a/src/libtnccs/tnc/tnc.c
+++ b/src/libtnccs/tnc/tnc.c
@@ -23,7 +23,7 @@
 #include <fcntl.h>
 
 #include <utils/lexparser.h>
-#include <debug.h>
+#include <utils/debug.h>
 
 typedef struct private_tnc_t private_tnc_t;
 
@@ -40,6 +40,11 @@ struct private_tnc_t {
 	 * Public members of tnc_t.
 	 */
 	tnc_t public;
+
+	/**
+	 * Number of times we have been initialized
+	 */
+	refcount_t ref;
 };
 
 /**
@@ -54,9 +59,17 @@ void libtnccs_init(void)
 {
 	private_tnc_t *this;
 
+	if (tnc)
+	{	/* already initialized, increase refcount */
+		this = (private_tnc_t*)tnc;
+		ref_get(&this->ref);
+		return;
+	}
+
 	INIT(this,
 		.public = {
 		},
+		.ref = 1,
 	);
 
 	tnc = &this->public;
@@ -69,6 +82,11 @@ void libtnccs_deinit(void)
 {
 	private_tnc_t *this = (private_tnc_t*)tnc;
 
+	if (!this || !ref_put(&this->ref))
+	{	/* have more users */
+		return;
+	}
+
 	free(this);
 	tnc = NULL;
 }
@@ -145,9 +163,7 @@ static bool load_imcvs_from_config(char *filename, bool is_imc)
 		}
 
 		/* copy the IMC/IMV name */
-		name = malloc(token.len + 1);
-		memcpy(name, token.ptr, token.len);
-		name[token.len] = '\0';
+		name = strndup(token.ptr, token.len);
 
 		/* advance to the IMC/IMV path and extract it */
 		if (!eat_whitespace(&line))
@@ -162,9 +178,7 @@ static bool load_imcvs_from_config(char *filename, bool is_imc)
 		}
 
 		/* copy the IMC/IMV path */
-		path = malloc(token.len + 1);
-		memcpy(path, token.ptr, token.len);
-		path[token.len] = '\0';
+		path = strndup(token.ptr, token.len);
 
 		/* load and register an IMC/IMV instance */
 		if (is_imc)
@@ -175,6 +189,8 @@ static bool load_imcvs_from_config(char *filename, bool is_imc)
 		{
 			success = tnc->imvs->load(tnc->imvs, name, path);
 		}
+		free(name);
+		free(path);
 		if (!success)
 		{
 			break;
@@ -243,24 +259,10 @@ bool tnc_manager_register(plugin_t *plugin, plugin_feature_t *feature,
 
 		if (load_imcvs)
 		{
-			char *tnc_config;
-
-			tnc_config = lib->settings->get_str(lib->settings,
-								"libtnccs.tnc_config", "/etc/tnc_config");
-			if (!load_imcvs_from_config(tnc_config, is_imc))
-			{
-				if (is_imc)
-				{
-					tnc->imcs->destroy(tnc->imcs);
-					tnc->imcs = NULL;
-				}
-				else
-				{
-					tnc->imvs->destroy(tnc->imvs);
-					tnc->imvs = NULL;
-				}
-				return FALSE;
-			}
+			load_imcvs_from_config(
+						lib->settings->get_str(lib->settings,
+									"libtnccs.tnc_config", "/etc/tnc_config"),
+						is_imc);
 		}
 	}
 	return TRUE;
diff --git a/src/libtnccs/tnc/tnccs/tnccs_manager.c b/src/libtnccs/tnc/tnccs/tnccs_manager.c
index fa91bfb21..fca4b2584 100644
--- a/src/libtnccs/tnc/tnccs/tnccs_manager.c
+++ b/src/libtnccs/tnc/tnccs/tnccs_manager.c
@@ -17,7 +17,7 @@
 
 #include "tnc/tnc.h"
 
-#include <debug.h>
+#include <utils/debug.h>
 
 /**
  * See header
diff --git a/src/libtncif/Makefile.in b/src/libtncif/Makefile.in
index 013266c20..e2add7ab0 100644
--- a/src/libtncif/Makefile.in
+++ b/src/libtncif/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -93,6 +93,7 @@ CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -120,6 +121,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -147,6 +149,7 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
@@ -159,6 +162,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -212,7 +216,6 @@ libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -309,7 +312,7 @@ clean-noinstLTLIBRARIES:
 	  echo "rm -f \"$${dir}/so_locations\""; \
 	  rm -f "$${dir}/so_locations"; \
 	done
-libtncif.la: $(libtncif_la_OBJECTS) $(libtncif_la_DEPENDENCIES) 
+libtncif.la: $(libtncif_la_OBJECTS) $(libtncif_la_DEPENDENCIES) $(EXTRA_libtncif_la_DEPENDENCIES) 
 	$(LINK)  $(libtncif_la_OBJECTS) $(libtncif_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
@@ -444,10 +447,15 @@ install-am: all-am
 
 installcheck: installcheck-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
diff --git a/src/libtncif/tncif_pa_subtypes.c b/src/libtncif/tncif_pa_subtypes.c
index d15a1c864..135be3c31 100644
--- a/src/libtncif/tncif_pa_subtypes.c
+++ b/src/libtncif/tncif_pa_subtypes.c
@@ -61,12 +61,11 @@ ENUM_NEXT(pa_subtype_fhh_names, PA_SUBTYPE_FHH_ANY, PA_SUBTYPE_FHH_ANY,
 );
 ENUM_END(pa_subtype_fhh_names, PA_SUBTYPE_FHH_ANY);
 
-ENUM_BEGIN(pa_subtype_ita_names, PA_SUBTYPE_ITA_TEST, PA_SUBTYPE_ITA_SCANNER,
-	"Test",
-	"Scanner"
+ENUM_BEGIN(pa_subtype_ita_names, PA_SUBTYPE_ITA_TEST, PA_SUBTYPE_ITA_TEST,
+	"Test"
 );
 ENUM_NEXT(pa_subtype_ita_names, PA_SUBTYPE_ITA_ANY, PA_SUBTYPE_ITA_ANY,
-								PA_SUBTYPE_ITA_SCANNER,
+								PA_SUBTYPE_ITA_TEST,
 	"ANY"
 );
 ENUM_END(pa_subtype_ita_names, PA_SUBTYPE_ITA_ANY);
diff --git a/src/libtncif/tncif_pa_subtypes.h b/src/libtncif/tncif_pa_subtypes.h
index 0be495bfc..2dc4c9220 100644
--- a/src/libtncif/tncif_pa_subtypes.h
+++ b/src/libtncif/tncif_pa_subtypes.h
@@ -84,7 +84,6 @@ extern enum_name_t *pa_subtype_fhh_names;
  */
  enum pa_subtype_ita_t {
 	PA_SUBTYPE_ITA_TEST =				0x01,
-	PA_SUBTYPE_ITA_SCANNER =			0x02,
 	PA_SUBTYPE_ITA_ANY =				0xff
 };
 
diff --git a/src/manager/Makefile.in b/src/manager/Makefile.in
index e65328cfa..7aeed94f8 100644
--- a/src/manager/Makefile.in
+++ b/src/manager/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -109,6 +109,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
 am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
 DATA = $(manager_templates_DATA) $(manager_templates_auth_DATA) \
 	$(manager_templates_config_DATA) \
 	$(manager_templates_control_DATA) \
@@ -137,6 +143,7 @@ CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -164,6 +171,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -191,6 +199,7 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
@@ -203,6 +212,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -256,7 +266,6 @@ libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -430,7 +439,7 @@ clean-managerPROGRAMS:
 	list=`for p in $$list; do echo "$$p"; done | sed 's/$(EXEEXT)$$//'`; \
 	echo " rm -f" $$list; \
 	rm -f $$list
-manager.fcgi$(EXEEXT): $(manager_fcgi_OBJECTS) $(manager_fcgi_DEPENDENCIES) 
+manager.fcgi$(EXEEXT): $(manager_fcgi_OBJECTS) $(manager_fcgi_DEPENDENCIES) $(EXTRA_manager_fcgi_DEPENDENCIES) 
 	@rm -f manager.fcgi$(EXEEXT)
 	$(LINK) $(manager_fcgi_OBJECTS) $(manager_fcgi_LDADD) $(LIBS)
 
@@ -564,9 +573,7 @@ uninstall-manager_templatesDATA:
 	@$(NORMAL_UNINSTALL)
 	@list='$(manager_templates_DATA)'; test -n "$(manager_templatesdir)" || list=; \
 	files=`for p in $$list; do echo $$p; done | sed -e 's|^.*/||'`; \
-	test -n "$$files" || exit 0; \
-	echo " ( cd '$(DESTDIR)$(manager_templatesdir)' && rm -f" $$files ")"; \
-	cd "$(DESTDIR)$(manager_templatesdir)" && rm -f $$files
+	dir='$(DESTDIR)$(manager_templatesdir)'; $(am__uninstall_files_from_dir)
 install-manager_templates_authDATA: $(manager_templates_auth_DATA)
 	@$(NORMAL_INSTALL)
 	test -z "$(manager_templates_authdir)" || $(MKDIR_P) "$(DESTDIR)$(manager_templates_authdir)"
@@ -584,9 +591,7 @@ uninstall-manager_templates_authDATA:
 	@$(NORMAL_UNINSTALL)
 	@list='$(manager_templates_auth_DATA)'; test -n "$(manager_templates_authdir)" || list=; \
 	files=`for p in $$list; do echo $$p; done | sed -e 's|^.*/||'`; \
-	test -n "$$files" || exit 0; \
-	echo " ( cd '$(DESTDIR)$(manager_templates_authdir)' && rm -f" $$files ")"; \
-	cd "$(DESTDIR)$(manager_templates_authdir)" && rm -f $$files
+	dir='$(DESTDIR)$(manager_templates_authdir)'; $(am__uninstall_files_from_dir)
 install-manager_templates_configDATA: $(manager_templates_config_DATA)
 	@$(NORMAL_INSTALL)
 	test -z "$(manager_templates_configdir)" || $(MKDIR_P) "$(DESTDIR)$(manager_templates_configdir)"
@@ -604,9 +609,7 @@ uninstall-manager_templates_configDATA:
 	@$(NORMAL_UNINSTALL)
 	@list='$(manager_templates_config_DATA)'; test -n "$(manager_templates_configdir)" || list=; \
 	files=`for p in $$list; do echo $$p; done | sed -e 's|^.*/||'`; \
-	test -n "$$files" || exit 0; \
-	echo " ( cd '$(DESTDIR)$(manager_templates_configdir)' && rm -f" $$files ")"; \
-	cd "$(DESTDIR)$(manager_templates_configdir)" && rm -f $$files
+	dir='$(DESTDIR)$(manager_templates_configdir)'; $(am__uninstall_files_from_dir)
 install-manager_templates_controlDATA: $(manager_templates_control_DATA)
 	@$(NORMAL_INSTALL)
 	test -z "$(manager_templates_controldir)" || $(MKDIR_P) "$(DESTDIR)$(manager_templates_controldir)"
@@ -624,9 +627,7 @@ uninstall-manager_templates_controlDATA:
 	@$(NORMAL_UNINSTALL)
 	@list='$(manager_templates_control_DATA)'; test -n "$(manager_templates_controldir)" || list=; \
 	files=`for p in $$list; do echo $$p; done | sed -e 's|^.*/||'`; \
-	test -n "$$files" || exit 0; \
-	echo " ( cd '$(DESTDIR)$(manager_templates_controldir)' && rm -f" $$files ")"; \
-	cd "$(DESTDIR)$(manager_templates_controldir)" && rm -f $$files
+	dir='$(DESTDIR)$(manager_templates_controldir)'; $(am__uninstall_files_from_dir)
 install-manager_templates_gatewayDATA: $(manager_templates_gateway_DATA)
 	@$(NORMAL_INSTALL)
 	test -z "$(manager_templates_gatewaydir)" || $(MKDIR_P) "$(DESTDIR)$(manager_templates_gatewaydir)"
@@ -644,9 +645,7 @@ uninstall-manager_templates_gatewayDATA:
 	@$(NORMAL_UNINSTALL)
 	@list='$(manager_templates_gateway_DATA)'; test -n "$(manager_templates_gatewaydir)" || list=; \
 	files=`for p in $$list; do echo $$p; done | sed -e 's|^.*/||'`; \
-	test -n "$$files" || exit 0; \
-	echo " ( cd '$(DESTDIR)$(manager_templates_gatewaydir)' && rm -f" $$files ")"; \
-	cd "$(DESTDIR)$(manager_templates_gatewaydir)" && rm -f $$files
+	dir='$(DESTDIR)$(manager_templates_gatewaydir)'; $(am__uninstall_files_from_dir)
 install-manager_templates_ikesaDATA: $(manager_templates_ikesa_DATA)
 	@$(NORMAL_INSTALL)
 	test -z "$(manager_templates_ikesadir)" || $(MKDIR_P) "$(DESTDIR)$(manager_templates_ikesadir)"
@@ -664,9 +663,7 @@ uninstall-manager_templates_ikesaDATA:
 	@$(NORMAL_UNINSTALL)
 	@list='$(manager_templates_ikesa_DATA)'; test -n "$(manager_templates_ikesadir)" || list=; \
 	files=`for p in $$list; do echo $$p; done | sed -e 's|^.*/||'`; \
-	test -n "$$files" || exit 0; \
-	echo " ( cd '$(DESTDIR)$(manager_templates_ikesadir)' && rm -f" $$files ")"; \
-	cd "$(DESTDIR)$(manager_templates_ikesadir)" && rm -f $$files
+	dir='$(DESTDIR)$(manager_templates_ikesadir)'; $(am__uninstall_files_from_dir)
 install-manager_templates_staticDATA: $(manager_templates_static_DATA)
 	@$(NORMAL_INSTALL)
 	test -z "$(manager_templates_staticdir)" || $(MKDIR_P) "$(DESTDIR)$(manager_templates_staticdir)"
@@ -684,9 +681,7 @@ uninstall-manager_templates_staticDATA:
 	@$(NORMAL_UNINSTALL)
 	@list='$(manager_templates_static_DATA)'; test -n "$(manager_templates_staticdir)" || list=; \
 	files=`for p in $$list; do echo $$p; done | sed -e 's|^.*/||'`; \
-	test -n "$$files" || exit 0; \
-	echo " ( cd '$(DESTDIR)$(manager_templates_staticdir)' && rm -f" $$files ")"; \
-	cd "$(DESTDIR)$(manager_templates_staticdir)" && rm -f $$files
+	dir='$(DESTDIR)$(manager_templates_staticdir)'; $(am__uninstall_files_from_dir)
 
 ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
 	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
@@ -787,10 +782,15 @@ install-am: all-am
 
 installcheck: installcheck-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
diff --git a/src/manager/gateway.h b/src/manager/gateway.h
index db44a2ffa..5792ebf02 100644
--- a/src/manager/gateway.h
+++ b/src/manager/gateway.h
@@ -21,8 +21,8 @@
 #ifndef GATEWAY_H_
 #define GATEWAY_H_
 
-#include <utils/host.h>
-#include <utils/enumerator.h>
+#include <networking/host.h>
+#include <collections/enumerator.h>
 
 typedef struct gateway_t gateway_t;
 
diff --git a/src/manager/main.c b/src/manager/main.c
index 5c297cf0c..15ed38154 100644
--- a/src/manager/main.c
+++ b/src/manager/main.c
@@ -14,7 +14,7 @@
  */
 
 #include <dispatcher.h>
-#include <debug.h>
+#include <utils/debug.h>
 #include <stdio.h>
 
 #include "manager.h"
diff --git a/src/manager/manager.c b/src/manager/manager.c
index b6f3951c4..207800bd2 100644
--- a/src/manager/manager.c
+++ b/src/manager/manager.c
@@ -17,7 +17,7 @@
 
 #include "gateway.h"
 
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
 
 typedef struct private_manager_t private_manager_t;
 
diff --git a/src/manager/storage.h b/src/manager/storage.h
index 69459e5aa..4324e99fe 100644
--- a/src/manager/storage.h
+++ b/src/manager/storage.h
@@ -21,7 +21,7 @@
 #ifndef STORAGE_H_
 #define STORAGE_H_
 
-#include <utils/enumerator.h>
+#include <collections/enumerator.h>
 
 
 typedef struct storage_t storage_t;
diff --git a/src/manager/xml.h b/src/manager/xml.h
index 0c362fed1..bd11cb4f8 100644
--- a/src/manager/xml.h
+++ b/src/manager/xml.h
@@ -21,7 +21,7 @@
 #ifndef XML_H_
 #define XML_H_
 
-#include <utils/enumerator.h>
+#include <collections/enumerator.h>
 
 typedef struct xml_t xml_t;
 
diff --git a/src/medsrv/Makefile.in b/src/medsrv/Makefile.in
index 85b1f0d92..de602300a 100644
--- a/src/medsrv/Makefile.in
+++ b/src/medsrv/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -103,6 +103,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
 am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
 DATA = $(medsrv_templates_DATA) $(medsrv_templates_peer_DATA) \
 	$(medsrv_templates_static_DATA) $(medsrv_templates_user_DATA)
 ETAGS = etags
@@ -127,6 +133,7 @@ CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -154,6 +161,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -181,6 +189,7 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
@@ -193,6 +202,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -246,7 +256,6 @@ libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -407,7 +416,7 @@ clean-medsrvPROGRAMS:
 	list=`for p in $$list; do echo "$$p"; done | sed 's/$(EXEEXT)$$//'`; \
 	echo " rm -f" $$list; \
 	rm -f $$list
-medsrv.fcgi$(EXEEXT): $(medsrv_fcgi_OBJECTS) $(medsrv_fcgi_DEPENDENCIES) 
+medsrv.fcgi$(EXEEXT): $(medsrv_fcgi_OBJECTS) $(medsrv_fcgi_DEPENDENCIES) $(EXTRA_medsrv_fcgi_DEPENDENCIES) 
 	@rm -f medsrv.fcgi$(EXEEXT)
 	$(LINK) $(medsrv_fcgi_OBJECTS) $(medsrv_fcgi_LDADD) $(LIBS)
 
@@ -508,9 +517,7 @@ uninstall-medsrv_templatesDATA:
 	@$(NORMAL_UNINSTALL)
 	@list='$(medsrv_templates_DATA)'; test -n "$(medsrv_templatesdir)" || list=; \
 	files=`for p in $$list; do echo $$p; done | sed -e 's|^.*/||'`; \
-	test -n "$$files" || exit 0; \
-	echo " ( cd '$(DESTDIR)$(medsrv_templatesdir)' && rm -f" $$files ")"; \
-	cd "$(DESTDIR)$(medsrv_templatesdir)" && rm -f $$files
+	dir='$(DESTDIR)$(medsrv_templatesdir)'; $(am__uninstall_files_from_dir)
 install-medsrv_templates_peerDATA: $(medsrv_templates_peer_DATA)
 	@$(NORMAL_INSTALL)
 	test -z "$(medsrv_templates_peerdir)" || $(MKDIR_P) "$(DESTDIR)$(medsrv_templates_peerdir)"
@@ -528,9 +535,7 @@ uninstall-medsrv_templates_peerDATA:
 	@$(NORMAL_UNINSTALL)
 	@list='$(medsrv_templates_peer_DATA)'; test -n "$(medsrv_templates_peerdir)" || list=; \
 	files=`for p in $$list; do echo $$p; done | sed -e 's|^.*/||'`; \
-	test -n "$$files" || exit 0; \
-	echo " ( cd '$(DESTDIR)$(medsrv_templates_peerdir)' && rm -f" $$files ")"; \
-	cd "$(DESTDIR)$(medsrv_templates_peerdir)" && rm -f $$files
+	dir='$(DESTDIR)$(medsrv_templates_peerdir)'; $(am__uninstall_files_from_dir)
 install-medsrv_templates_staticDATA: $(medsrv_templates_static_DATA)
 	@$(NORMAL_INSTALL)
 	test -z "$(medsrv_templates_staticdir)" || $(MKDIR_P) "$(DESTDIR)$(medsrv_templates_staticdir)"
@@ -548,9 +553,7 @@ uninstall-medsrv_templates_staticDATA:
 	@$(NORMAL_UNINSTALL)
 	@list='$(medsrv_templates_static_DATA)'; test -n "$(medsrv_templates_staticdir)" || list=; \
 	files=`for p in $$list; do echo $$p; done | sed -e 's|^.*/||'`; \
-	test -n "$$files" || exit 0; \
-	echo " ( cd '$(DESTDIR)$(medsrv_templates_staticdir)' && rm -f" $$files ")"; \
-	cd "$(DESTDIR)$(medsrv_templates_staticdir)" && rm -f $$files
+	dir='$(DESTDIR)$(medsrv_templates_staticdir)'; $(am__uninstall_files_from_dir)
 install-medsrv_templates_userDATA: $(medsrv_templates_user_DATA)
 	@$(NORMAL_INSTALL)
 	test -z "$(medsrv_templates_userdir)" || $(MKDIR_P) "$(DESTDIR)$(medsrv_templates_userdir)"
@@ -568,9 +571,7 @@ uninstall-medsrv_templates_userDATA:
 	@$(NORMAL_UNINSTALL)
 	@list='$(medsrv_templates_user_DATA)'; test -n "$(medsrv_templates_userdir)" || list=; \
 	files=`for p in $$list; do echo $$p; done | sed -e 's|^.*/||'`; \
-	test -n "$$files" || exit 0; \
-	echo " ( cd '$(DESTDIR)$(medsrv_templates_userdir)' && rm -f" $$files ")"; \
-	cd "$(DESTDIR)$(medsrv_templates_userdir)" && rm -f $$files
+	dir='$(DESTDIR)$(medsrv_templates_userdir)'; $(am__uninstall_files_from_dir)
 
 ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
 	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
@@ -671,10 +672,15 @@ install-am: all-am
 
 installcheck: installcheck-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
diff --git a/src/medsrv/controller/peer_controller.c b/src/medsrv/controller/peer_controller.c
index edcf653b2..7b0b9e6ac 100644
--- a/src/medsrv/controller/peer_controller.c
+++ b/src/medsrv/controller/peer_controller.c
@@ -20,7 +20,7 @@
 #include "peer_controller.h"
 
 #include <library.h>
-#include <debug.h>
+#include <utils/debug.h>
 #include <asn1/asn1.h>
 #include <asn1/oid.h>
 #include <utils/identification.h>
diff --git a/src/medsrv/filter/auth_filter.c b/src/medsrv/filter/auth_filter.c
index d21abdc46..436a72f2b 100644
--- a/src/medsrv/filter/auth_filter.c
+++ b/src/medsrv/filter/auth_filter.c
@@ -16,7 +16,7 @@
 
 #include "auth_filter.h"
 
-#include <debug.h>
+#include <utils/debug.h>
 
 typedef struct private_auth_filter_t private_auth_filter_t;
 
diff --git a/src/medsrv/main.c b/src/medsrv/main.c
index 1f43a7e17..03b135289 100644
--- a/src/medsrv/main.c
+++ b/src/medsrv/main.c
@@ -17,7 +17,7 @@
 #include <stdio.h>
 
 #include <dispatcher.h>
-#include <debug.h>
+#include <utils/debug.h>
 #include <database/database.h>
 
 #include "filter/auth_filter.h"
diff --git a/src/openac/Makefile.in b/src/openac/Makefile.in
index 9b67a5667..0315adf08 100644
--- a/src/openac/Makefile.in
+++ b/src/openac/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -96,6 +96,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
 am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
 man8dir = $(mandir)/man8
 NROFF = nroff
 MANS = $(dist_man_MANS)
@@ -121,6 +127,7 @@ CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -148,6 +155,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -175,6 +183,7 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
@@ -187,6 +196,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -240,7 +250,6 @@ libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -372,7 +381,7 @@ clean-ipsecPROGRAMS:
 	list=`for p in $$list; do echo "$$p"; done | sed 's/$(EXEEXT)$$//'`; \
 	echo " rm -f" $$list; \
 	rm -f $$list
-openac$(EXEEXT): $(openac_OBJECTS) $(openac_DEPENDENCIES) 
+openac$(EXEEXT): $(openac_OBJECTS) $(openac_DEPENDENCIES) $(EXTRA_openac_DEPENDENCIES) 
 	@rm -f openac$(EXEEXT)
 	$(LINK) $(openac_OBJECTS) $(openac_LDADD) $(LIBS)
 
@@ -445,9 +454,7 @@ uninstall-man8:
 	  sed -n '/\.8[a-z]*$$/p'; \
 	} | sed -e 's,.*/,,;h;s,.*\.,,;s,^[^8][0-9a-z]*$$,8,;x' \
 	      -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,'`; \
-	test -z "$$files" || { \
-	  echo " ( cd '$(DESTDIR)$(man8dir)' && rm -f" $$files ")"; \
-	  cd "$(DESTDIR)$(man8dir)" && rm -f $$files; }
+	dir='$(DESTDIR)$(man8dir)'; $(am__uninstall_files_from_dir)
 
 ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
 	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
@@ -561,10 +568,15 @@ install-am: all-am
 
 installcheck: installcheck-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
diff --git a/src/openac/openac.c b/src/openac/openac.c
index 745988750..7b81d6cea 100644
--- a/src/openac/openac.c
+++ b/src/openac/openac.c
@@ -31,7 +31,7 @@
 #include <time.h>
 
 #include <library.h>
-#include <debug.h>
+#include <utils/debug.h>
 #include <asn1/asn1.h>
 #include <credentials/certificates/x509.h>
 #include <credentials/certificates/ac.h>
diff --git a/src/pki/Makefile.am b/src/pki/Makefile.am
index 482f83834..be74e5d00 100644
--- a/src/pki/Makefile.am
+++ b/src/pki/Makefile.am
@@ -9,6 +9,7 @@ pki_SOURCES = pki.c pki.h command.c command.h \
 	commands/self.c \
 	commands/print.c \
 	commands/signcrl.c \
+	commands/pkcs7.c \
 	commands/verify.c
 
 pki_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la
diff --git a/src/pki/Makefile.in b/src/pki/Makefile.in
index 609ab345b..bc38e96c0 100644
--- a/src/pki/Makefile.in
+++ b/src/pki/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -58,7 +58,7 @@ PROGRAMS = $(ipsec_PROGRAMS)
 am_pki_OBJECTS = pki.$(OBJEXT) command.$(OBJEXT) gen.$(OBJEXT) \
 	issue.$(OBJEXT) keyid.$(OBJEXT) pub.$(OBJEXT) req.$(OBJEXT) \
 	self.$(OBJEXT) print.$(OBJEXT) signcrl.$(OBJEXT) \
-	verify.$(OBJEXT)
+	pkcs7.$(OBJEXT) verify.$(OBJEXT)
 pki_OBJECTS = $(am_pki_OBJECTS)
 pki_DEPENDENCIES = $(top_builddir)/src/libstrongswan/libstrongswan.la
 DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
@@ -98,6 +98,7 @@ CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -125,6 +126,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -152,6 +154,7 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
@@ -164,6 +167,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -217,7 +221,6 @@ libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -273,6 +276,7 @@ pki_SOURCES = pki.c pki.h command.c command.h \
 	commands/self.c \
 	commands/print.c \
 	commands/signcrl.c \
+	commands/pkcs7.c \
 	commands/verify.c
 
 pki_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la
@@ -357,7 +361,7 @@ clean-ipsecPROGRAMS:
 	list=`for p in $$list; do echo "$$p"; done | sed 's/$(EXEEXT)$$//'`; \
 	echo " rm -f" $$list; \
 	rm -f $$list
-pki$(EXEEXT): $(pki_OBJECTS) $(pki_DEPENDENCIES) 
+pki$(EXEEXT): $(pki_OBJECTS) $(pki_DEPENDENCIES) $(EXTRA_pki_DEPENDENCIES) 
 	@rm -f pki$(EXEEXT)
 	$(LINK) $(pki_OBJECTS) $(pki_LDADD) $(LIBS)
 
@@ -371,6 +375,7 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/gen.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/issue.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/keyid.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pkcs7.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pki.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/print.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pub.Po@am__quote@
@@ -512,6 +517,20 @@ signcrl.obj: commands/signcrl.c
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o signcrl.obj `if test -f 'commands/signcrl.c'; then $(CYGPATH_W) 'commands/signcrl.c'; else $(CYGPATH_W) '$(srcdir)/commands/signcrl.c'; fi`
 
+pkcs7.o: commands/pkcs7.c
+@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT pkcs7.o -MD -MP -MF $(DEPDIR)/pkcs7.Tpo -c -o pkcs7.o `test -f 'commands/pkcs7.c' || echo '$(srcdir)/'`commands/pkcs7.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/pkcs7.Tpo $(DEPDIR)/pkcs7.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='commands/pkcs7.c' object='pkcs7.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o pkcs7.o `test -f 'commands/pkcs7.c' || echo '$(srcdir)/'`commands/pkcs7.c
+
+pkcs7.obj: commands/pkcs7.c
+@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT pkcs7.obj -MD -MP -MF $(DEPDIR)/pkcs7.Tpo -c -o pkcs7.obj `if test -f 'commands/pkcs7.c'; then $(CYGPATH_W) 'commands/pkcs7.c'; else $(CYGPATH_W) '$(srcdir)/commands/pkcs7.c'; fi`
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/pkcs7.Tpo $(DEPDIR)/pkcs7.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='commands/pkcs7.c' object='pkcs7.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o pkcs7.obj `if test -f 'commands/pkcs7.c'; then $(CYGPATH_W) 'commands/pkcs7.c'; else $(CYGPATH_W) '$(srcdir)/commands/pkcs7.c'; fi`
+
 verify.o: commands/verify.c
 @am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT verify.o -MD -MP -MF $(DEPDIR)/verify.Tpo -c -o verify.o `test -f 'commands/verify.c' || echo '$(srcdir)/'`commands/verify.c
 @am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/verify.Tpo $(DEPDIR)/verify.Po
@@ -631,10 +650,15 @@ install-am: all-am
 
 installcheck: installcheck-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
diff --git a/src/pki/command.c b/src/pki/command.c
index 43328575c..a5e5b8528 100644
--- a/src/pki/command.c
+++ b/src/pki/command.c
@@ -23,7 +23,7 @@
 #include <stdio.h>
 
 #include <library.h>
-#include <debug.h>
+#include <utils/debug.h>
 #include <utils/optionsfrom.h>
 
 /**
diff --git a/src/pki/commands/gen.c b/src/pki/commands/gen.c
index 33d9cf35d..e3602f0c3 100644
--- a/src/pki/commands/gen.c
+++ b/src/pki/commands/gen.c
@@ -22,9 +22,10 @@ static int gen()
 {
 	cred_encoding_type_t form = PRIVKEY_ASN1_DER;
 	key_type_t type = KEY_RSA;
-	u_int size = 0;
+	u_int size = 0, shares = 0, threshold = 1;
 	private_key_t *key;
 	chunk_t encoding;
+	bool safe_primes = FALSE;
 	char *arg;
 
 	while (TRUE)
@@ -60,6 +61,23 @@ static int gen()
 					return command_usage("invalid key size");
 				}
 				continue;
+			case 'p':
+				safe_primes = TRUE;
+				continue;
+			case 'n':
+				shares = atoi(arg);
+				if (shares < 2)
+				{
+					return command_usage("invalid number of key shares");
+				}
+				continue;
+			case 'l':
+				threshold = atoi(arg);
+				if (threshold < 1)
+				{
+					return command_usage("invalid key share threshold");
+				}
+				continue;
 			case EOF:
 				break;
 			default:
@@ -82,8 +100,27 @@ static int gen()
 				break;
 		}
 	}
-	key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, type,
-							 BUILD_KEY_SIZE, size, BUILD_END);
+	if (type == KEY_RSA && shares)
+	{
+		if (threshold > shares)
+		{
+			return command_usage("threshold is larger than number of shares");
+		}
+		key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, type,
+							BUILD_KEY_SIZE, size, BUILD_SAFE_PRIMES,
+							BUILD_SHARES, shares, BUILD_THRESHOLD, threshold,
+							BUILD_END);
+	}
+	else if (type == KEY_RSA && safe_primes)
+	{
+		key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, type,
+							BUILD_KEY_SIZE, size, BUILD_SAFE_PRIMES, BUILD_END);
+	}
+	else
+	{
+		key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, type,
+							BUILD_KEY_SIZE, size, BUILD_END);
+	}
 	if (!key)
 	{
 		fprintf(stderr, "private key generation failed\n");
@@ -113,12 +150,16 @@ static void __attribute__ ((constructor))reg()
 {
 	command_register((command_t) {
 		gen, 'g', "gen", "generate a new private key",
-		{"[--type rsa|ecdsa] [--size bits] [--outform der|pem|pgp]"},
+		{"  [--type rsa|ecdsa] [--size bits] [--safe-primes]",
+		 "[--shares n] [--threshold l] [--outform der|pem|pgp]"},
 		{
-			{"help",	'h', 0, "show usage information"},
-			{"type",	't', 1, "type of key, default: rsa"},
-			{"size",	's', 1, "keylength in bits, default: rsa 2048, ecdsa 384"},
-			{"outform",	'f', 1, "encoding of generated private key"},
+			{"help",		'h', 0, "show usage information"},
+			{"type",		't', 1, "type of key, default: rsa"},
+			{"size",		's', 1, "keylength in bits, default: rsa 2048, ecdsa 384"},
+			{"safe-primes", 'p', 0, "generate rsa safe primes"},
+			{"shares",		'n', 1, "number of private rsa key shares"},
+			{"threshold",	'l', 1, "minimum number of participating rsa key shares"},
+			{"outform",		'f', 1, "encoding of generated private key"},
 		}
 	});
 }
diff --git a/src/pki/commands/issue.c b/src/pki/commands/issue.c
index 47e668b6c..5f098ba41 100644
--- a/src/pki/commands/issue.c
+++ b/src/pki/commands/issue.c
@@ -17,9 +17,9 @@
 
 #include "pki.h"
 
-#include <debug.h>
+#include <utils/debug.h>
 #include <asn1/asn1.h>
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
 #include <credentials/certificates/certificate.h>
 #include <credentials/certificates/x509.h>
 #include <credentials/certificates/pkcs10.h>
diff --git a/src/pki/commands/pkcs7.c b/src/pki/commands/pkcs7.c
new file mode 100644
index 000000000..790656c62
--- /dev/null
+++ b/src/pki/commands/pkcs7.c
@@ -0,0 +1,462 @@
+/*
+ * Copyright (C) 2012 Martin Willi
+ * Copyright (C) 2012 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "pki.h"
+
+#include <asn1/oid.h>
+#include <asn1/asn1.h>
+#include <credentials/containers/pkcs7.h>
+#include <credentials/sets/mem_cred.h>
+
+/**
+ * Read input data as chunk
+ */
+static chunk_t read_from_stream(FILE *stream)
+{
+	char buf[8096];
+	size_t len, total = 0;
+
+	while (TRUE)
+	{
+		len = fread(buf + total, 1, sizeof(buf) - total, stream);
+		if (len < (sizeof(buf) - total))
+		{
+			if (ferror(stream))
+			{
+				return chunk_empty;
+			}
+			if (feof(stream))
+			{
+				return chunk_clone(chunk_create(buf, total + len));
+			}
+		}
+		total += len;
+		if (total == sizeof(buf))
+		{
+			fprintf(stderr, "buffer too small to read input!\n");
+			return chunk_empty;
+		}
+	}
+}
+
+/**
+ * Write output data from chunk to stream
+ */
+static bool write_to_stream(FILE *stream, chunk_t data)
+{
+	size_t len, total = 0;
+
+	while (total < data.len)
+	{
+		len = fwrite(data.ptr + total, 1, data.len - total, stream);
+		if (len <= 0)
+		{
+			return FALSE;
+		}
+		total += len;
+	}
+	return TRUE;
+}
+
+/**
+ * Verify PKCS#7 signed-data
+ */
+static int verify(chunk_t chunk)
+{
+	container_t *container;
+	pkcs7_t *pkcs7;
+	enumerator_t *enumerator;
+	certificate_t *cert;
+	auth_cfg_t *auth;
+	chunk_t data;
+	time_t t;
+	bool verified = FALSE;
+
+	container = lib->creds->create(lib->creds, CRED_CONTAINER, CONTAINER_PKCS7,
+								   BUILD_BLOB_ASN1_DER, chunk, BUILD_END);
+	if (!container)
+	{
+		return 1;
+	}
+
+	if (container->get_type(container) != CONTAINER_PKCS7_SIGNED_DATA)
+	{
+		fprintf(stderr, "verification failed, container is %N\n",
+				container_type_names, container->get_type(container));
+		container->destroy(container);
+		return 1;
+	}
+
+	pkcs7 = (pkcs7_t*)container;
+	enumerator = container->create_signature_enumerator(container);
+	while (enumerator->enumerate(enumerator, &auth))
+	{
+		verified = TRUE;
+		cert = auth->get(auth, AUTH_RULE_SUBJECT_CERT);
+		if (cert)
+		{
+			fprintf(stderr, "signed by '%Y'", cert->get_subject(cert));
+
+			if (pkcs7->get_attribute(pkcs7, OID_PKCS9_SIGNING_TIME,
+									 enumerator, &data))
+			{
+				t = asn1_to_time(&data, ASN1_UTCTIME);
+				if (t != UNDEFINED_TIME)
+				{
+					fprintf(stderr, " at %T", &t, FALSE);
+				}
+				free(data.ptr);
+			}
+			fprintf(stderr, "\n");
+		}
+	}
+	enumerator->destroy(enumerator);
+
+	if (!verified)
+	{
+		fprintf(stderr, "no trusted signature found\n");
+	}
+
+	if (verified)
+	{
+		if (container->get_data(container, &data))
+		{
+			write_to_stream(stdout, data);
+			free(data.ptr);
+		}
+		else
+		{
+			verified = FALSE;
+		}
+	}
+	container->destroy(container);
+
+	return verified ? 0 : 1;
+}
+
+/**
+ * Sign data into PKCS#7 signed-data
+ */
+static int sign(chunk_t chunk, certificate_t *cert, private_key_t *key)
+{
+	container_t *container;
+	chunk_t encoding;
+	int res = 1;
+
+	container = lib->creds->create(lib->creds,
+								   CRED_CONTAINER, CONTAINER_PKCS7_SIGNED_DATA,
+								   BUILD_BLOB, chunk,
+								   BUILD_SIGNING_CERT, cert,
+								   BUILD_SIGNING_KEY, key,
+								   BUILD_END);
+	if (container)
+	{
+		if (container->get_encoding(container, &encoding))
+		{
+			write_to_stream(stdout, encoding);
+			free(encoding.ptr);
+		}
+		container->destroy(container);
+	}
+	return res;
+}
+
+/**
+ * Encrypt data to a PKCS#7 enveloped-data
+ */
+static int encrypt(chunk_t chunk, certificate_t *cert)
+{
+	container_t *container;
+	chunk_t encoding;
+	int res = 1;
+
+	container = lib->creds->create(lib->creds,
+								   CRED_CONTAINER, CONTAINER_PKCS7_ENVELOPED_DATA,
+								   BUILD_BLOB, chunk, BUILD_CERT, cert,
+								   BUILD_END);
+	if (container)
+	{
+		if (container->get_encoding(container, &encoding))
+		{
+			write_to_stream(stdout, encoding);
+			free(encoding.ptr);
+		}
+		container->destroy(container);
+	}
+	return res;
+}
+
+/**
+ * Decrypt PKCS#7 enveloped-data
+ */
+static int decrypt(chunk_t chunk)
+{
+	container_t *container;
+	chunk_t data;
+
+	container = lib->creds->create(lib->creds, CRED_CONTAINER, CONTAINER_PKCS7,
+								   BUILD_BLOB_ASN1_DER, chunk, BUILD_END);
+	if (!container)
+	{
+		return 1;
+	}
+	if (container->get_type(container) != CONTAINER_PKCS7_ENVELOPED_DATA)
+	{
+		fprintf(stderr, "decryption failed, container is %N\n",
+				container_type_names, container->get_type(container));
+		container->destroy(container);
+		return 1;
+	}
+	if (!container->get_data(container, &data))
+	{
+		fprintf(stderr, "PKCS#7 decryption failed\n");
+		container->destroy(container);
+		return 1;
+	}
+	container->destroy(container);
+
+	write_to_stream(stdout, data);
+	free(data.ptr);
+
+	return 0;
+}
+
+/**
+ * Show info about PKCS#7 container
+ */
+static int show(chunk_t chunk)
+{
+	container_t *container;
+	pkcs7_t *pkcs7;
+	enumerator_t *enumerator;
+	certificate_t *cert;
+	chunk_t data;
+
+	container = lib->creds->create(lib->creds, CRED_CONTAINER, CONTAINER_PKCS7,
+								   BUILD_BLOB_ASN1_DER, chunk, BUILD_END);
+	if (!container)
+	{
+		return 1;
+	}
+	fprintf(stderr, "%N\n", container_type_names, container->get_type(container));
+
+	if (container->get_type(container) == CONTAINER_PKCS7_SIGNED_DATA)
+	{
+		pkcs7 = (pkcs7_t*)container;
+		enumerator = pkcs7->create_cert_enumerator(pkcs7);
+		while (enumerator->enumerate(enumerator, &cert))
+		{
+			if (cert->get_encoding(cert, CERT_PEM, &data))
+			{
+				printf("%.*s", (int)data.len, data.ptr);
+				free(data.ptr);
+			}
+		}
+		enumerator->destroy(enumerator);
+	}
+	container->destroy(container);
+	return 0;
+}
+
+/**
+ * Wrap/Unwrap PKCs#7 containers
+ */
+static int pkcs7()
+{
+	char *arg, *file = NULL;
+	private_key_t *key = NULL;
+	certificate_t *cert = NULL;
+	chunk_t data = chunk_empty;
+	mem_cred_t *creds;
+	int res = 1;
+	FILE *in;
+	enum {
+		OP_NONE,
+		OP_SIGN,
+		OP_VERIFY,
+		OP_ENCRYPT,
+		OP_DECRYPT,
+		OP_SHOW,
+	} op = OP_NONE;
+
+	creds = mem_cred_create();
+
+	while (TRUE)
+	{
+		switch (command_getopt(&arg))
+		{
+			case 'h':
+				creds->destroy(creds);
+				return command_usage(NULL);
+			case 'i':
+				file = arg;
+				continue;
+			case 's':
+				if (op != OP_NONE)
+				{
+					goto invalid;
+				}
+				op = OP_SIGN;
+				continue;
+			case 'u':
+				if (op != OP_NONE)
+				{
+					goto invalid;
+				}
+				op = OP_VERIFY;
+				continue;
+			case 'e':
+				if (op != OP_NONE)
+				{
+					goto invalid;
+				}
+				op = OP_ENCRYPT;
+				continue;
+			case 'd':
+				if (op != OP_NONE)
+				{
+					goto invalid;
+				}
+				op = OP_DECRYPT;
+				continue;
+			case 'p':
+				if (op != OP_NONE)
+				{
+					goto invalid;
+				}
+				op = OP_SHOW;
+				continue;
+			case 'k':
+				key = lib->creds->create(lib->creds,
+										 CRED_PRIVATE_KEY, KEY_RSA,
+										 BUILD_FROM_FILE, arg, BUILD_END);
+				if (!key)
+				{
+					fprintf(stderr, "parsing private key failed\n");
+					goto end;
+				}
+				creds->add_key(creds, key);
+				continue;
+			case 'c':
+				cert = lib->creds->create(lib->creds,
+										  CRED_CERTIFICATE, CERT_X509,
+										  BUILD_FROM_FILE, arg, BUILD_END);
+				if (!cert)
+				{
+					fprintf(stderr, "parsing certificate failed\n");
+					goto end;
+				}
+				creds->add_cert(creds, TRUE, cert);
+				continue;
+			case EOF:
+				break;
+			default:
+			invalid:
+				creds->destroy(creds);
+				return command_usage("invalid --pkcs7 option");
+		}
+		break;
+	}
+
+	if (file)
+	{
+		in = fopen(file, "r");
+		if (in)
+		{
+			data = read_from_stream(in);
+			fclose(in);
+		}
+	}
+	else
+	{
+		data = read_from_stream(stdin);
+	}
+
+	if (!data.len)
+	{
+		fprintf(stderr, "reading input failed!\n");
+		goto end;
+	}
+	if (op != OP_SHOW && !cert)
+	{
+		fprintf(stderr, "requiring a certificate!\n");
+		goto end;
+	}
+
+	lib->credmgr->add_local_set(lib->credmgr, &creds->set, FALSE);
+
+	switch (op)
+	{
+		case OP_SIGN:
+			if (!key)
+			{
+				fprintf(stderr, "signing requires a private key\n");
+				res = 1;
+				break;
+			}
+			res = sign(data, cert, key);
+			break;
+		case OP_VERIFY:
+			res = verify(data);
+			break;
+		case OP_ENCRYPT:
+			res = encrypt(data, cert);
+			break;
+		case OP_DECRYPT:
+			if (!key)
+			{
+				fprintf(stderr, "decryption requires a private key\n");
+				res = 1;
+				break;
+			}
+			res = decrypt(data);
+			break;
+		case OP_SHOW:
+			res = show(data);
+			break;
+		default:
+			res = 1;
+			break;
+	}
+	lib->credmgr->remove_local_set(lib->credmgr, &creds->set);
+
+end:
+	creds->destroy(creds);
+	free(data.ptr);
+	return res;
+}
+
+/**
+ * Register the command.
+ */
+static void __attribute__ ((constructor))reg()
+{
+	command_register((command_t) {
+		pkcs7, '7', "pkcs7", "PKCS#7 wrap/unwrap functions",
+		{"--sign | --verify | --encrypt | --decrypt",
+		 "--certificate+ [--key]"},
+		{
+			{"help",	'h', 0, "show usage information"},
+			{"sign",	's', 0, "create PKCS#7 signed-data"},
+			{"verify",	'u', 0, "verify PKCS#7 signed-data"},
+			{"encrypt",	'e', 0, "create PKCS#7 enveloped-data"},
+			{"decrypt",	'd', 0, "decrypt PKCS#7 enveloped-data"},
+			{"show",	'p', 0, "show info about PKCS#7, print certificates"},
+			{"in",		'i', 1, "input file, default: stdin"},
+			{"key",		'k', 1, "path to private key for sign/decryp"},
+			{"cert",	'c', 1, "path to certificate for sign/verify/encryp"},
+		}
+	});
+}
diff --git a/src/pki/commands/req.c b/src/pki/commands/req.c
index d050c7032..d90ddc251 100644
--- a/src/pki/commands/req.c
+++ b/src/pki/commands/req.c
@@ -19,7 +19,7 @@
 
 #include "pki.h"
 
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
 #include <credentials/certificates/certificate.h>
 
 /**
diff --git a/src/pki/commands/self.c b/src/pki/commands/self.c
index 4a50aa463..448360821 100644
--- a/src/pki/commands/self.c
+++ b/src/pki/commands/self.c
@@ -17,7 +17,7 @@
 
 #include "pki.h"
 
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
 #include <credentials/certificates/certificate.h>
 #include <credentials/certificates/x509.h>
 #include <asn1/asn1.h>
diff --git a/src/pki/commands/signcrl.c b/src/pki/commands/signcrl.c
index 4ada120ed..f9746cca7 100644
--- a/src/pki/commands/signcrl.c
+++ b/src/pki/commands/signcrl.c
@@ -17,8 +17,8 @@
 
 #include "pki.h"
 
-#include <debug.h>
-#include <utils/linked_list.h>
+#include <utils/debug.h>
+#include <collections/linked_list.h>
 #include <credentials/certificates/certificate.h>
 #include <credentials/certificates/x509.h>
 #include <credentials/certificates/crl.h>
diff --git a/src/pki/pki.c b/src/pki/pki.c
index e28bf1595..3f77c5e8d 100644
--- a/src/pki/pki.c
+++ b/src/pki/pki.c
@@ -18,7 +18,7 @@
 
 #include <unistd.h>
 
-#include <debug.h>
+#include <utils/debug.h>
 #include <credentials/sets/callback_cred.h>
 
 /**
diff --git a/src/scepclient/Makefile.in b/src/scepclient/Makefile.in
index c2814a4e6..e67c8ebc3 100644
--- a/src/scepclient/Makefile.in
+++ b/src/scepclient/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -96,6 +96,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
 am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
 man8dir = $(mandir)/man8
 NROFF = nroff
 MANS = $(dist_man_MANS)
@@ -121,6 +127,7 @@ CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -148,6 +155,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -175,6 +183,7 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
@@ -187,6 +196,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -240,7 +250,6 @@ libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -379,7 +388,7 @@ clean-ipsecPROGRAMS:
 	list=`for p in $$list; do echo "$$p"; done | sed 's/$(EXEEXT)$$//'`; \
 	echo " rm -f" $$list; \
 	rm -f $$list
-scepclient$(EXEEXT): $(scepclient_OBJECTS) $(scepclient_DEPENDENCIES) 
+scepclient$(EXEEXT): $(scepclient_OBJECTS) $(scepclient_DEPENDENCIES) $(EXTRA_scepclient_DEPENDENCIES) 
 	@rm -f scepclient$(EXEEXT)
 	$(LINK) $(scepclient_OBJECTS) $(scepclient_LDADD) $(LIBS)
 
@@ -453,9 +462,7 @@ uninstall-man8:
 	  sed -n '/\.8[a-z]*$$/p'; \
 	} | sed -e 's,.*/,,;h;s,.*\.,,;s,^[^8][0-9a-z]*$$,8,;x' \
 	      -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,'`; \
-	test -z "$$files" || { \
-	  echo " ( cd '$(DESTDIR)$(man8dir)' && rm -f" $$files ")"; \
-	  cd "$(DESTDIR)$(man8dir)" && rm -f $$files; }
+	dir='$(DESTDIR)$(man8dir)'; $(am__uninstall_files_from_dir)
 
 ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
 	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
@@ -569,10 +576,15 @@ install-am: all-am
 
 installcheck: installcheck-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
diff --git a/src/scepclient/scep.c b/src/scepclient/scep.c
index 8b2fd179a..f2090274c 100644
--- a/src/scepclient/scep.c
+++ b/src/scepclient/scep.c
@@ -18,11 +18,10 @@
 #include <stdlib.h>
 
 #include <library.h>
-#include <debug.h>
+#include <utils/debug.h>
 #include <asn1/asn1.h>
 #include <asn1/asn1_parser.h>
 #include <asn1/oid.h>
-#include <crypto/pkcs9.h>
 #include <crypto/rngs/rng.h>
 #include <crypto/hashers/hasher.h>
 
@@ -68,13 +67,12 @@ const scep_attributes_t empty_scep_attributes = {
 /**
  * Extract X.501 attributes
  */
-void extract_attributes(pkcs7_t *pkcs7, scep_attributes_t *attrs)
+void extract_attributes(pkcs7_t *pkcs7, enumerator_t *enumerator,
+						scep_attributes_t *attrs)
 {
-	pkcs9_t *attributes = pkcs7->get_attributes(pkcs7);
 	chunk_t attr;
 
-	attr = attributes->get_attribute(attributes, OID_PKI_MESSAGE_TYPE);
-	if (attr.ptr)
+	if (pkcs7->get_attribute(pkcs7, OID_PKI_MESSAGE_TYPE, enumerator, &attr))
 	{
 		scep_msg_t m;
 
@@ -86,9 +84,9 @@ void extract_attributes(pkcs7_t *pkcs7, scep_attributes_t *attrs)
 			}
 		}
 		DBG2(DBG_APP, "messageType:  %s", msgType_names[attrs->msgType]);
+		free(attr.ptr);
 	}
-	attr = attributes->get_attribute(attributes, OID_PKI_STATUS);
-	if (attr.ptr)
+	if (pkcs7->get_attribute(pkcs7, OID_PKI_STATUS, enumerator, &attr))
 	{
 		pkiStatus_t s;
 
@@ -100,9 +98,9 @@ void extract_attributes(pkcs7_t *pkcs7, scep_attributes_t *attrs)
 			}
 		}
 		DBG2(DBG_APP, "pkiStatus:    %s", pkiStatus_names[attrs->pkiStatus]);
+		free(attr.ptr);
 	}
-	attr = attributes->get_attribute(attributes, OID_PKI_FAIL_INFO);
-	if (attr.ptr)
+	if (pkcs7->get_attribute(pkcs7, OID_PKI_FAIL_INFO, enumerator, &attr))
 	{
 		if (attr.len == 1 && *attr.ptr >= '0' && *attr.ptr <= '4')
 		{
@@ -112,13 +110,15 @@ void extract_attributes(pkcs7_t *pkcs7, scep_attributes_t *attrs)
 		{
 			DBG1(DBG_APP, "failInfo:     %s", failInfo_reasons[attrs->failInfo]);
 		}
+		free(attr.ptr);
 	}
-	attrs->senderNonce = attributes->get_attribute(attributes,
-											OID_PKI_SENDER_NONCE);
-	attrs->recipientNonce = attributes->get_attribute(attributes,
-											OID_PKI_RECIPIENT_NONCE);
-	attrs->transID = attributes->get_attribute(attributes,
-											OID_PKI_TRANS_ID);
+
+	pkcs7->get_attribute(pkcs7, OID_PKI_SENDER_NONCE, enumerator,
+						 &attrs->senderNonce);
+	pkcs7->get_attribute(pkcs7, OID_PKI_RECIPIENT_NONCE, enumerator,
+						 &attrs->recipientNonce);
+	pkcs7->get_attribute(pkcs7, OID_PKI_TRANS_ID, enumerator,
+						 &attrs->transID);
 }
 
 /**
@@ -188,68 +188,81 @@ void scep_generate_transaction_id(public_key_t *key, chunk_t *transID,
 }
 
 /**
- * Adds a senderNonce attribute to the given pkcs9 attribute list
+ * Builds a pkcs7 enveloped and signed scep request
  */
-static bool add_senderNonce_attribute(pkcs9_t *pkcs9)
+chunk_t scep_build_request(chunk_t data, chunk_t transID, scep_msg_t msg,
+					certificate_t *enc_cert, encryption_algorithm_t enc_alg,
+					size_t key_size, certificate_t *signer_cert,
+					hash_algorithm_t digest_alg, private_key_t *private_key)
 {
-	const size_t nonce_len = 16;
-	u_char nonce_buf[nonce_len];
-	chunk_t senderNonce = { nonce_buf, nonce_len };
+	chunk_t request;
+	container_t *container;
+	char nonce[16];
 	rng_t *rng;
+	chunk_t senderNonce, msgType;
 
+	/* generate senderNonce */
 	rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
-	if (!rng || !rng->get_bytes(rng, nonce_len, nonce_buf))
+	if (!rng || !rng->get_bytes(rng, sizeof(nonce), nonce))
 	{
 		DESTROY_IF(rng);
-		return FALSE;
+		return chunk_empty;
 	}
 	rng->destroy(rng);
 
-	pkcs9->set_attribute(pkcs9, OID_PKI_SENDER_NONCE, senderNonce);
-	return TRUE;
-}
-
-/**
- * Builds a pkcs7 enveloped and signed scep request
- */
-chunk_t scep_build_request(chunk_t data, chunk_t transID, scep_msg_t msg,
-					certificate_t *enc_cert, encryption_algorithm_t enc_alg,
-					size_t key_size, certificate_t *signer_cert,
-					hash_algorithm_t digest_alg, private_key_t *private_key)
-{
-	chunk_t request, msgType = {
-		(u_char*)msgType_values[msg],
-		strlen(msgType_values[msg]),
-	};
-	pkcs7_t *pkcs7;
-	pkcs9_t *pkcs9;
-
-	pkcs7 = pkcs7_create_from_data(data);
-	if (!pkcs7->build_envelopedData(pkcs7, enc_cert, enc_alg, key_size))
+	/* encrypt data in enveloped-data PKCS#7 */
+	container = lib->creds->create(lib->creds,
+					CRED_CONTAINER, CONTAINER_PKCS7_ENVELOPED_DATA,
+					BUILD_BLOB, data,
+					BUILD_CERT, enc_cert,
+					BUILD_ENCRYPTION_ALG, enc_alg,
+					BUILD_KEY_SIZE, (int)key_size,
+					BUILD_END);
+	if (!container)
 	{
-		pkcs7->destroy(pkcs7);
 		return chunk_empty;
 	}
-
-	pkcs9 = pkcs9_create();
-	pkcs9->set_attribute(pkcs9, OID_PKI_TRANS_ID, transID);
-	pkcs9->set_attribute(pkcs9, OID_PKI_MESSAGE_TYPE, msgType);
-	if (!add_senderNonce_attribute(pkcs9))
+	if (!container->get_encoding(container, &request))
 	{
-		pkcs9->destroy(pkcs9);
-		pkcs7->destroy(pkcs7);
+		container->destroy(container);
 		return chunk_empty;
 	}
-
-	pkcs7->set_attributes(pkcs7, pkcs9);
-	pkcs7->set_certificate(pkcs7, signer_cert->get_ref(signer_cert));
-	if (!pkcs7->build_signedData(pkcs7, private_key, digest_alg))
+	container->destroy(container);
+
+	/* sign enveloped-data in a signed-data PKCS#7 */
+	senderNonce = asn1_wrap(ASN1_OCTET_STRING, "c", chunk_from_thing(nonce));
+	transID = asn1_wrap(ASN1_PRINTABLESTRING, "c", transID);
+	msgType = asn1_wrap(ASN1_PRINTABLESTRING, "c",
+						chunk_create((char*)msgType_values[msg],
+									 strlen(msgType_values[msg])));
+
+	container = lib->creds->create(lib->creds,
+					CRED_CONTAINER, CONTAINER_PKCS7_SIGNED_DATA,
+					BUILD_BLOB, request,
+					BUILD_SIGNING_CERT, signer_cert,
+					BUILD_SIGNING_KEY, private_key,
+					BUILD_DIGEST_ALG, digest_alg,
+					BUILD_PKCS7_ATTRIBUTE, OID_PKI_SENDER_NONCE, senderNonce,
+					BUILD_PKCS7_ATTRIBUTE, OID_PKI_TRANS_ID, transID,
+					BUILD_PKCS7_ATTRIBUTE, OID_PKI_MESSAGE_TYPE, msgType,
+					BUILD_END);
+
+	free(request.ptr);
+	free(senderNonce.ptr);
+	free(transID.ptr);
+	free(msgType.ptr);
+
+	if (!container)
 	{
-		pkcs7->destroy(pkcs7);
 		return chunk_empty;
 	}
-	request = pkcs7->get_contentInfo(pkcs7);
-	pkcs7->destroy(pkcs7);
+	if (!container->get_encoding(container, &request))
+	{
+		container->destroy(container);
+		return chunk_empty;
+	}
+	container->destroy(container);
+
 	return request;
 }
 
@@ -319,7 +332,7 @@ static char* escape_http_request(chunk_t req)
 /**
  * Send a SCEP request via HTTP and wait for a response
  */
-bool scep_http_request(const char *url, chunk_t pkcs7, scep_op_t op,
+bool scep_http_request(const char *url, chunk_t msg, scep_op_t op,
 					   bool http_get_request, chunk_t *response)
 {
 	int len;
@@ -337,7 +350,7 @@ bool scep_http_request(const char *url, chunk_t pkcs7, scep_op_t op,
 
 		if (http_get_request)
 		{
-			char *escaped_req = escape_http_request(pkcs7);
+			char *escaped_req = escape_http_request(msg);
 
 			/* form complete url */
 			len = strlen(url) + 20 + strlen(operation) + strlen(escaped_req) + 1;
@@ -362,7 +375,7 @@ bool scep_http_request(const char *url, chunk_t pkcs7, scep_op_t op,
 
 			status = lib->fetcher->fetch(lib->fetcher, complete_url, response,
 										 FETCH_HTTP_VERSION_1_0,
-										 FETCH_REQUEST_DATA, pkcs7,
+										 FETCH_REQUEST_DATA, msg,
 										 FETCH_REQUEST_TYPE, "",
 										 FETCH_REQUEST_HEADER, "Expect:",
 										 FETCH_END);
@@ -371,12 +384,22 @@ bool scep_http_request(const char *url, chunk_t pkcs7, scep_op_t op,
 	else  /* SCEP_GET_CA_CERT */
 	{
 		const char operation[] = "GetCACert";
+		int i;
+
+		/* escape spaces, TODO: complete URL escape */
+		for (i = 0; i < msg.len; i++)
+		{
+			if (msg.ptr[i] == ' ')
+			{
+				msg.ptr[i] = '+';
+			}
+		}
 
 		/* form complete url */
-		len = strlen(url) + 32 + strlen(operation) + 1;
+		len = strlen(url) + 32 + strlen(operation) + msg.len + 1;
 		complete_url = malloc(len);
-		snprintf(complete_url, len, "%s?operation=%s&message=CAIdentifier",
-				 url, operation);
+		snprintf(complete_url, len, "%s?operation=%s&message=%.*s",
+				 url, operation, (int)msg.len, msg.ptr);
 
 		status = lib->fetcher->fetch(lib->fetcher, complete_url, response,
 									 FETCH_HTTP_VERSION_1_0,
@@ -387,23 +410,44 @@ bool scep_http_request(const char *url, chunk_t pkcs7, scep_op_t op,
 	return (status == SUCCESS);
 }
 
-err_t scep_parse_response(chunk_t response, chunk_t transID, pkcs7_t **data,
-						  scep_attributes_t *attrs, certificate_t *signer_cert)
+err_t scep_parse_response(chunk_t response, chunk_t transID,
+						  container_t **out, scep_attributes_t *attrs)
 {
-	pkcs7_t *pkcs7;
-
-	pkcs7 = pkcs7_create_from_chunk(response, 0);
-	if (!pkcs7 || !pkcs7->parse_signedData(pkcs7, signer_cert))
+	enumerator_t *enumerator;
+	bool verified = FALSE;
+	container_t *container;
+	auth_cfg_t *auth;
+
+	container = lib->creds->create(lib->creds, CRED_CONTAINER, CONTAINER_PKCS7,
+								   BUILD_BLOB_ASN1_DER, response, BUILD_END);
+	if (!container)
 	{
-		DESTROY_IF(pkcs7);
 		return "error parsing the scep response";
 	}
-	extract_attributes(pkcs7, attrs);
-	if (!chunk_equals(transID, attrs->transID))
+	if (container->get_type(container) != CONTAINER_PKCS7_SIGNED_DATA)
+	{
+		container->destroy(container);
+		return "scep response is not PKCS#7 signed-data";
+	}
+
+	enumerator = container->create_signature_enumerator(container);
+	while (enumerator->enumerate(enumerator, &auth))
+	{
+		verified = TRUE;
+		extract_attributes((pkcs7_t*)container, enumerator, attrs);
+		if (!chunk_equals(transID, attrs->transID))
+		{
+			enumerator->destroy(enumerator);
+			container->destroy(container);
+			return "transaction ID of scep response does not match";
+		}
+	}
+	enumerator->destroy(enumerator);
+	if (!verified)
 	{
-		pkcs7->destroy(pkcs7);
-		return "transaction ID of scep response does not match";
+		container->destroy(container);
+		return "unable to verify PKCS#7 container";
 	}
-	*data = pkcs7;
+	*out = container;
 	return NULL;
 }
diff --git a/src/scepclient/scep.h b/src/scepclient/scep.h
index 6227faba4..30551d2db 100644
--- a/src/scepclient/scep.h
+++ b/src/scepclient/scep.h
@@ -17,7 +17,7 @@
 #ifndef _SCEP_H
 #define _SCEP_H
 
-#include <crypto/pkcs7.h>
+#include <credentials/containers/pkcs7.h>
 #include <credentials/certificates/certificate.h>
 
 /* supported SCEP operation types */
@@ -78,10 +78,9 @@ chunk_t scep_build_request(chunk_t data, chunk_t transID, scep_msg_t msg,
 						certificate_t *enc_cert, encryption_algorithm_t enc_alg,
 						size_t key_size, certificate_t *signer_cert,
 						hash_algorithm_t digest_alg, private_key_t *private_key);
-bool scep_http_request(const char *url, chunk_t pkcs7, scep_op_t op,
+bool scep_http_request(const char *url, chunk_t message, scep_op_t op,
 					   bool http_get_request, chunk_t *response);
 err_t scep_parse_response(chunk_t response, chunk_t transID,
-						  pkcs7_t **data, scep_attributes_t *attrs,
-						  certificate_t *signer_cert);
+						  container_t **out, scep_attributes_t *attrs);
 
 #endif /* _SCEP_H */
diff --git a/src/scepclient/scepclient.c b/src/scepclient/scepclient.c
index 78b0d7e7a..83b5d6219 100644
--- a/src/scepclient/scepclient.c
+++ b/src/scepclient/scepclient.c
@@ -26,12 +26,12 @@
 #include <syslog.h>
 
 #include <library.h>
-#include <debug.h>
+#include <utils/debug.h>
 #include <asn1/asn1.h>
 #include <asn1/oid.h>
 #include <utils/optionsfrom.h>
-#include <utils/enumerator.h>
-#include <utils/linked_list.h>
+#include <collections/enumerator.h>
+#include <collections/linked_list.h>
 #include <crypto/hashers/hasher.h>
 #include <crypto/crypters/crypter.h>
 #include <crypto/proposal/proposal_keywords.h>
@@ -40,6 +40,7 @@
 #include <credentials/certificates/certificate.h>
 #include <credentials/certificates/x509.h>
 #include <credentials/certificates/pkcs10.h>
+#include <credentials/sets/mem_cred.h>
 #include <plugins/plugin.h>
 
 #include "scep.h"
@@ -140,6 +141,8 @@ certificate_t *x509_ca_enc     = NULL;
 certificate_t *x509_ca_sig     = NULL;
 certificate_t *pkcs10_req      = NULL;
 
+mem_cred_t *creds              = NULL;
+
 /* logging */
 static bool log_to_stderr = TRUE;
 static bool log_to_syslog = TRUE;
@@ -255,6 +258,12 @@ static void exit_scepclient(err_t message, ...)
 {
 	int status = 0;
 
+	if (creds)
+	{
+		lib->credmgr->remove_set(lib->credmgr, &creds->set);
+		creds->destroy(creds);
+	}
+
 	DESTROY_IF(subject);
 	DESTROY_IF(private_key);
 	DESTROY_IF(public_key);
@@ -361,6 +370,9 @@ static void usage(const char *message)
 		"                                   <algo> = md5 (default) | sha1 | sha256 |\n"
 		"                                            sha384 | sha512\n"
 		"\n"
+		"Options for CA certificate acquisition:\n"
+		" --caname (-c) <name>              name of CA to fetch CA certificate(s)\n"
+		"                                   (default: CAIdentifier)\n"
 		"Options for enrollment (cert):\n"
 		" --url (-u) <url>                  url of the SCEP server\n"
 		" --method (-m) post | get          http request type\n"
@@ -451,6 +463,9 @@ int main(int argc, char **argv)
 	/* URL of the SCEP-Server */
 	char *scep_url = NULL;
 
+	/* Name of CA to fetch CA certs for */
+	char *ca_name = "CAIdentifier";
+
 	/* http request method, default is GET */
 	bool http_get_request = TRUE;
 
@@ -512,6 +527,7 @@ int main(int argc, char **argv)
 			{ "password", required_argument, NULL, 'p' },
 			{ "algorithm", required_argument, NULL, 'a' },
 			{ "url", required_argument, NULL, 'u' },
+			{ "caname", required_argument, NULL, 'c'},
 			{ "method", required_argument, NULL, 'm' },
 			{ "interval", required_argument, NULL, 't' },
 			{ "maxpolltime", required_argument, NULL, 'x' },
@@ -519,7 +535,7 @@ int main(int argc, char **argv)
 		};
 
 		/* parse next option */
-		int c = getopt_long(argc, argv, "hv+:qi:o:fk:d:s:p:a:u:m:t:x:APRCMS", long_opts, NULL);
+		int c = getopt_long(argc, argv, "hv+:qi:o:fk:d:s:p:a:u:c:m:t:x:APRCMS", long_opts, NULL);
 
 		switch (c)
 		{
@@ -782,6 +798,10 @@ int main(int argc, char **argv)
 				scep_url = optarg;
 				continue;
 
+			case 'c':       /* -- caname */
+				ca_name = optarg;
+				continue;
+
 			case 'm':       /* --method */
 				if (strcaseeq("get", optarg))
 				{
@@ -915,20 +935,24 @@ int main(int argc, char **argv)
 	if (request_ca_certificate)
 	{
 		char ca_path[PATH_MAX];
+		container_t *container;
 		pkcs7_t *pkcs7;
 
-		if (!scep_http_request(scep_url, chunk_empty, SCEP_GET_CA_CERT,
-							   http_get_request, &scep_response))
+		if (!scep_http_request(scep_url, chunk_create(ca_name, strlen(ca_name)),
+							SCEP_GET_CA_CERT, http_get_request, &scep_response))
 		{
 			exit_scepclient("did not receive a valid scep response");
 		}
 
 		join_paths(ca_path, sizeof(ca_path), CA_CERT_PATH, file_out_ca_cert);
 
-		pkcs7 = pkcs7_create_from_chunk(scep_response, 0);
-		if (!pkcs7 || !pkcs7->parse_signedData(pkcs7, NULL))
+		pkcs7 = lib->creds->create(lib->creds, CRED_CONTAINER, CONTAINER_PKCS7,
+								BUILD_BLOB_ASN1_DER, scep_response, BUILD_END);
+
+		if (!pkcs7)
 		{	/* no PKCS#7 encoded CA+RA certificates, assume simple CA cert */
-			DESTROY_IF(pkcs7);
+
+			DBG1(DBG_APP, "unable to parse PKCS#7, assuming plain CA cert");
 			if (!chunk_write(scep_response, ca_path, "ca cert",  0022, force))
 			{
 				exit_scepclient("could not write ca cert file '%s'", ca_path);
@@ -941,7 +965,7 @@ int main(int argc, char **argv)
 			int ra_certs = 0, ca_certs = 0;
 			int ra_index = 1, ca_index = 1;
 
-			enumerator = pkcs7->create_certificate_enumerator(pkcs7);
+			enumerator = pkcs7->create_cert_enumerator(pkcs7);
 			while (enumerator->enumerate(enumerator, &cert))
 			{
 				x509_t *x509 = (x509_t*)cert;
@@ -956,7 +980,7 @@ int main(int argc, char **argv)
 			}
 			enumerator->destroy(enumerator);
 
-			enumerator = pkcs7->create_certificate_enumerator(pkcs7);
+			enumerator = pkcs7->create_cert_enumerator(pkcs7);
 			while (enumerator->enumerate(enumerator, &cert))
 			{
 				x509_t *x509 = (x509_t*)cert;
@@ -993,11 +1017,15 @@ int main(int argc, char **argv)
 				chunk_free(&encoding);
 			}
 			enumerator->destroy(enumerator);
-			pkcs7->destroy(pkcs7);
+			container = &pkcs7->container;
+			container->destroy(container);
 		}
 		exit_scepclient(NULL); /* no further output required */
 	}
 
+	creds = mem_cred_create();
+	lib->credmgr->add_set(lib->credmgr, &creds->set);
+
 	/*
 	 * input of PKCS#1 file
 	 */
@@ -1020,6 +1048,7 @@ int main(int argc, char **argv)
 	{
 		exit_scepclient("no RSA private key available");
 	}
+	creds->add_key(creds, private_key->get_ref(private_key));
 	public_key = private_key->get_public_key(private_key);
 
 	/* check for minimum key length */
@@ -1170,6 +1199,7 @@ int main(int argc, char **argv)
 			exit_scepclient("generating certificate failed");
 		}
 	}
+	creds->add_cert(creds, TRUE, x509_signer->get_ref(x509_signer));
 
 	/*
 	 * output of self-signed X.509 certificate file
@@ -1270,7 +1300,9 @@ int main(int argc, char **argv)
 		enumerator_t  *enumerator;
 		char path[PATH_MAX];
 		time_t poll_start = 0;
-		pkcs7_t *data = NULL;
+		pkcs7_t *p7;
+		container_t *container = NULL;
+		chunk_t chunk;
 		scep_attributes_t attrs = empty_scep_attributes;
 
 		join_paths(path, sizeof(path), CA_CERT_PATH, file_in_cacert_sig);
@@ -1282,13 +1314,14 @@ int main(int argc, char **argv)
 			exit_scepclient("could not load signature cacert file '%s'", path);
 		}
 
+		creds->add_cert(creds, TRUE, x509_ca_sig->get_ref(x509_ca_sig));
+
 		if (!scep_http_request(scep_url, pkcs7, SCEP_PKI_OPERATION,
 				http_get_request, &scep_response))
 		{
 			exit_scepclient("did not receive a valid scep response");
 		}
-		ugh = scep_parse_response(scep_response, transID, &data, &attrs,
-								  x509_ca_sig);
+		ugh = scep_parse_response(scep_response, transID, &container, &attrs);
 		if (ugh != NULL)
 		{
 			exit_scepclient(ugh);
@@ -1317,7 +1350,7 @@ int main(int argc, char **argv)
 			DBG2(DBG_APP, "going to sleep for %d seconds", poll_interval);
 			sleep(poll_interval);
 			free(scep_response.ptr);
-			data->destroy(data);
+			container->destroy(container);
 
 			DBG2(DBG_APP, "fingerprint:    %.*s",
 				 (int)fingerprint.len, fingerprint.ptr);
@@ -1338,8 +1371,7 @@ int main(int argc, char **argv)
 			{
 				exit_scepclient("did not receive a valid scep response");
 			}
-			ugh = scep_parse_response(scep_response, transID, &data, &attrs,
-									  x509_ca_sig);
+			ugh = scep_parse_response(scep_response, transID, &container, &attrs);
 			if (ugh != NULL)
 			{
 				exit_scepclient(ugh);
@@ -1348,25 +1380,53 @@ int main(int argc, char **argv)
 
 		if (attrs.pkiStatus != SCEP_SUCCESS)
 		{
-			data->destroy(data);
+			container->destroy(container);
 			exit_scepclient("reply status is not 'SUCCESS'");
 		}
 
-		if (!data->parse_envelopedData(data, serialNumber, private_key))
+		if (!container->get_data(container, &chunk))
+		{
+			container->destroy(container);
+			exit_scepclient("extracting signed-data failed");
+		}
+		container->destroy(container);
+
+		/* decrypt enveloped-data container */
+		container = lib->creds->create(lib->creds,
+									   CRED_CONTAINER, CONTAINER_PKCS7,
+									   BUILD_BLOB_ASN1_DER, chunk,
+									   BUILD_END);
+		free(chunk.ptr);
+		if (!container)
 		{
-			data->destroy(data);
 			exit_scepclient("could not decrypt envelopedData");
 		}
-		if (!data->parse_signedData(data, NULL))
+
+		if (!container->get_data(container, &chunk))
+		{
+			container->destroy(container);
+			exit_scepclient("extracting encrypted-data failed");
+		}
+		container->destroy(container);
+
+		/* parse signed-data container */
+		container = lib->creds->create(lib->creds,
+									   CRED_CONTAINER, CONTAINER_PKCS7,
+									   BUILD_BLOB_ASN1_DER, chunk,
+									   BUILD_END);
+		free(chunk.ptr);
+		if (!container)
 		{
-			data->destroy(data);
-			exit_scepclient("error parsing the scep response");
+			exit_scepclient("could not parse singed-data");
 		}
+		/* no need to verify the signed-data container, the signature does NOT
+		 * cover the contained certificates */
 
 		/* store the end entity certificate */
 		join_paths(path, sizeof(path), HOST_CERT_PATH, file_out_cert);
 
-		enumerator = data->create_certificate_enumerator(data);
+		p7 = (pkcs7_t*)container;
+		enumerator = p7->create_cert_enumerator(p7);
 		while (enumerator->enumerate(enumerator, &cert))
 		{
 			x509_t *x509 = (x509_t*)cert;
@@ -1387,7 +1447,11 @@ int main(int argc, char **argv)
 			}
 		}
 		enumerator->destroy(enumerator);
-		data->destroy(data);
+		container->destroy(container);
+		chunk_free(&attrs.transID);
+		chunk_free(&attrs.senderNonce);
+		chunk_free(&attrs.recipientNonce);
+
 		filetype_out &= ~CERT;   /* delete CERT flag */
 	}
 
diff --git a/src/starter/Makefile.in b/src/starter/Makefile.in
index a6d55c5e2..b2c86384e 100644
--- a/src/starter/Makefile.in
+++ b/src/starter/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -82,13 +82,13 @@ CCLD = $(CC)
 LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
 	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
 	$(LDFLAGS) -o $@
-LEXCOMPILE = $(LEX) $(LFLAGS) $(AM_LFLAGS)
+LEXCOMPILE = $(LEX) $(AM_LFLAGS) $(LFLAGS)
 LTLEXCOMPILE = $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(LEX) $(LFLAGS) $(AM_LFLAGS)
+	--mode=compile $(LEX) $(AM_LFLAGS) $(LFLAGS)
 YLWRAP = $(top_srcdir)/ylwrap
-YACCCOMPILE = $(YACC) $(YFLAGS) $(AM_YFLAGS)
+YACCCOMPILE = $(YACC) $(AM_YFLAGS) $(YFLAGS)
 LTYACCCOMPILE = $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(YACC) $(YFLAGS) $(AM_YFLAGS)
+	--mode=compile $(YACC) $(AM_YFLAGS) $(YFLAGS)
 SOURCES = $(starter_SOURCES)
 DIST_SOURCES = $(starter_SOURCES)
 ETAGS = etags
@@ -113,6 +113,7 @@ CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -140,6 +141,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -167,6 +169,7 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
@@ -179,6 +182,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -232,7 +236,6 @@ libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -382,11 +385,9 @@ clean-ipsecPROGRAMS:
 	echo " rm -f" $$list; \
 	rm -f $$list
 parser.h: parser.c
-	@if test ! -f $@; then \
-	  rm -f parser.c; \
-	  $(MAKE) $(AM_MAKEFLAGS) parser.c; \
-	else :; fi
-starter$(EXEEXT): $(starter_OBJECTS) $(starter_DEPENDENCIES) 
+	@if test ! -f $@; then rm -f parser.c; else :; fi
+	@if test ! -f $@; then $(MAKE) $(AM_MAKEFLAGS) parser.c; else :; fi
+starter$(EXEEXT): $(starter_OBJECTS) $(starter_DEPENDENCIES) $(EXTRA_starter_DEPENDENCIES) 
 	@rm -f starter$(EXEEXT)
 	$(LINK) $(starter_OBJECTS) $(starter_LDADD) $(LIBS)
 
@@ -542,10 +543,15 @@ install-am: all-am
 
 installcheck: installcheck-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
diff --git a/src/starter/args.c b/src/starter/args.c
index 2416960bd..390062a99 100644
--- a/src/starter/args.c
+++ b/src/starter/args.c
@@ -18,7 +18,7 @@
 #include <string.h>
 
 #include <library.h>
-#include <debug.h>
+#include <utils/debug.h>
 
 #include "keywords.h"
 #include "confread.h"
@@ -108,6 +108,13 @@ static const char *LST_authby[] = {
 	 NULL
 };
 
+static const char *LST_fragmentation[] = {
+	"no",
+	"yes",
+	"force",
+	 NULL
+};
+
 typedef struct {
 	arg_t       type;
 	size_t      offset;
@@ -138,6 +145,7 @@ static const token_info_t token_info[] =
 	{ ARG_STR,  offsetof(starter_conn_t, aaa_identity), NULL                       },
 	{ ARG_MISC, 0, NULL  /* KW_MOBIKE */                                           },
 	{ ARG_MISC, 0, NULL  /* KW_FORCEENCAPS */                                      },
+	{ ARG_ENUM, offsetof(starter_conn_t, fragmentation), LST_fragmentation         },
 	{ ARG_TIME, offsetof(starter_conn_t, sa_ike_life_seconds), NULL                },
 	{ ARG_TIME, offsetof(starter_conn_t, sa_ipsec_life_seconds), NULL              },
 	{ ARG_TIME, offsetof(starter_conn_t, sa_rekey_margin), NULL                    },
diff --git a/src/starter/confread.c b/src/starter/confread.c
index 6544b1ccd..fecb998df 100644
--- a/src/starter/confread.c
+++ b/src/starter/confread.c
@@ -22,7 +22,7 @@
 #include <netdb.h>
 
 #include <library.h>
-#include <debug.h>
+#include <utils/debug.h>
 
 #include "keywords.h"
 #include "confread.h"
@@ -36,7 +36,7 @@
 #define SA_REPLACEMENT_RETRIES_DEFAULT   3
 
 static const char ike_defaults[] = "aes128-sha1-modp2048,3des-sha1-modp1536";
-static const char esp_defaults[] = "aes128-sha1-modp2048,3des-sha1-modp1536";
+static const char esp_defaults[] = "aes128-sha1,3des-sha1";
 
 static const char firewall_defaults[] = "ipsec _updown iptables";
 
diff --git a/src/starter/confread.h b/src/starter/confread.h
index 3f2079883..a0f6234f9 100644
--- a/src/starter/confread.h
+++ b/src/starter/confread.h
@@ -50,7 +50,7 @@ typedef enum {
 typedef enum {
 		STRICT_NO,
 		STRICT_YES,
-		STRICT_IFURI
+		STRICT_IFURI,
 } strict_t;
 
 typedef enum {
@@ -69,6 +69,13 @@ typedef enum {
 		DPD_ACTION_UNKNOW,
 } dpd_action_t;
 
+typedef enum {
+		/* same as in ike_cfg.h */
+		FRAGMENTATION_NO,
+		FRAGMENTATION_YES,
+		FRAGMENTATION_FORCE,
+} fragmentation_t;
+
 typedef enum {
 		/* IPsec options */
 		SA_OPTION_AUTHENTICATE	= 1 << 0, /* use AH instead of ESP? */
@@ -140,6 +147,7 @@ struct starter_conn {
 		char            *authby;
 		ipsec_mode_t    mode;
 		bool            proxy_mode;
+		fragmentation_t fragmentation;
 		sa_option_t     options;
 		time_t          sa_ike_life_seconds;
 		time_t          sa_ipsec_life_seconds;
diff --git a/src/starter/invokecharon.c b/src/starter/invokecharon.c
index 102d1589e..1c93381f7 100644
--- a/src/starter/invokecharon.c
+++ b/src/starter/invokecharon.c
@@ -24,7 +24,7 @@
 #include <errno.h>
 
 #include <library.h>
-#include <debug.h>
+#include <utils/debug.h>
 
 #include "confread.h"
 #include "invokecharon.h"
diff --git a/src/starter/keywords.c b/src/starter/keywords.c
index 7615a81d2..b75ff1395 100644
--- a/src/starter/keywords.c
+++ b/src/starter/keywords.c
@@ -54,12 +54,12 @@ struct kw_entry {
     kw_token_t token;
 };
 
-#define TOTAL_KEYWORDS 134
+#define TOTAL_KEYWORDS 135
 #define MIN_WORD_LENGTH 3
 #define MAX_WORD_LENGTH 17
-#define MIN_HASH_VALUE 9
-#define MAX_HASH_VALUE 220
-/* maximum key range = 212, duplicates = 0 */
+#define MIN_HASH_VALUE 10
+#define MAX_HASH_VALUE 259
+/* maximum key range = 250, duplicates = 0 */
 
 #ifdef __GNUC__
 __inline
@@ -73,34 +73,34 @@ hash (str, len)
      register const char *str;
      register unsigned int len;
 {
-  static const unsigned char asso_values[] =
+  static const unsigned short asso_values[] =
     {
-      221, 221, 221, 221, 221, 221, 221, 221, 221, 221,
-      221, 221, 221, 221, 221, 221, 221, 221, 221, 221,
-      221, 221, 221, 221, 221, 221, 221, 221, 221, 221,
-      221, 221, 221, 221, 221, 221, 221, 221, 221, 221,
-      221, 221, 221, 221, 221, 221, 221, 221, 221,  62,
-      117, 221, 221, 221, 221, 221, 221, 221, 221, 221,
-      221, 221, 221, 221, 221, 221, 221, 221, 221, 221,
-      221, 221, 221, 221, 221, 221, 221, 221, 221, 221,
-      221, 221, 221, 221, 221, 221, 221, 221, 221, 221,
-      221, 221, 221, 221, 221,   0, 221,  27,   0,  79,
-       26,   0,   6,   0,  92,   0, 221,  44,  58,  36,
-       36,  73,  33,   5,  16,   0,   7,  87,   0, 221,
-      221,  11,   3, 221, 221, 221, 221, 221, 221, 221,
-      221, 221, 221, 221, 221, 221, 221, 221, 221, 221,
-      221, 221, 221, 221, 221, 221, 221, 221, 221, 221,
-      221, 221, 221, 221, 221, 221, 221, 221, 221, 221,
-      221, 221, 221, 221, 221, 221, 221, 221, 221, 221,
-      221, 221, 221, 221, 221, 221, 221, 221, 221, 221,
-      221, 221, 221, 221, 221, 221, 221, 221, 221, 221,
-      221, 221, 221, 221, 221, 221, 221, 221, 221, 221,
-      221, 221, 221, 221, 221, 221, 221, 221, 221, 221,
-      221, 221, 221, 221, 221, 221, 221, 221, 221, 221,
-      221, 221, 221, 221, 221, 221, 221, 221, 221, 221,
-      221, 221, 221, 221, 221, 221, 221, 221, 221, 221,
-      221, 221, 221, 221, 221, 221, 221, 221, 221, 221,
-      221, 221, 221, 221, 221, 221
+      260, 260, 260, 260, 260, 260, 260, 260, 260, 260,
+      260, 260, 260, 260, 260, 260, 260, 260, 260, 260,
+      260, 260, 260, 260, 260, 260, 260, 260, 260, 260,
+      260, 260, 260, 260, 260, 260, 260, 260, 260, 260,
+      260, 260, 260, 260, 260, 260, 260, 260, 260,  15,
+       99, 260, 260, 260, 260, 260, 260, 260, 260, 260,
+      260, 260, 260, 260, 260, 260, 260, 260, 260, 260,
+      260, 260, 260, 260, 260, 260, 260, 260, 260, 260,
+      260, 260, 260, 260, 260, 260, 260, 260, 260, 260,
+      260, 260, 260, 260, 260,  11, 260,  11,   2,  80,
+       55,   6,   3,   2, 114,   2, 260,  83,  70,   6,
+       22,  81,  51,   7,  14,   2,   7, 122,   2, 260,
+      260,  43,  19, 260, 260, 260, 260, 260, 260, 260,
+      260, 260, 260, 260, 260, 260, 260, 260, 260, 260,
+      260, 260, 260, 260, 260, 260, 260, 260, 260, 260,
+      260, 260, 260, 260, 260, 260, 260, 260, 260, 260,
+      260, 260, 260, 260, 260, 260, 260, 260, 260, 260,
+      260, 260, 260, 260, 260, 260, 260, 260, 260, 260,
+      260, 260, 260, 260, 260, 260, 260, 260, 260, 260,
+      260, 260, 260, 260, 260, 260, 260, 260, 260, 260,
+      260, 260, 260, 260, 260, 260, 260, 260, 260, 260,
+      260, 260, 260, 260, 260, 260, 260, 260, 260, 260,
+      260, 260, 260, 260, 260, 260, 260, 260, 260, 260,
+      260, 260, 260, 260, 260, 260, 260, 260, 260, 260,
+      260, 260, 260, 260, 260, 260, 260, 260, 260, 260,
+      260, 260, 260, 260, 260, 260
     };
   register int hval = len;
 
@@ -124,166 +124,170 @@ hash (str, len)
 static const struct kw_entry wordlist[] =
   {
     {"pfs",               KW_PFS_DEPRECATED},
-    {"aggressive",        KW_AGGRESSIVE},
-    {"rightgroups",       KW_RIGHTGROUPS},
     {"right",             KW_RIGHT},
-    {"lifetime",          KW_KEYLIFE},
+    {"rightgroups",       KW_RIGHTGROUPS},
     {"left",              KW_LEFT},
+    {"lifetime",          KW_KEYLIFE},
+    {"aggressive",        KW_AGGRESSIVE},
     {"rightsubnet",       KW_RIGHTSUBNET},
     {"rightikeport",      KW_RIGHTIKEPORT},
     {"rightsendcert",     KW_RIGHTSENDCERT},
+    {"lifepackets",       KW_LIFEPACKETS},
     {"leftcert",          KW_LEFTCERT},
-    {"keyingtries",       KW_KEYINGTRIES},
-    {"keylife",           KW_KEYLIFE},
     {"leftsendcert",      KW_LEFTSENDCERT},
-    {"lifebytes",         KW_LIFEBYTES},
-    {"leftrsasigkey",     KW_LEFTRSASIGKEY},
-    {"leftcertpolicy",    KW_LEFTCERTPOLICY},
     {"leftgroups",        KW_LEFTGROUPS},
-    {"rightid",           KW_RIGHTID},
-    {"rightdns",          KW_RIGHTDNS},
-    {"me_peerid",         KW_ME_PEERID},
-    {"reqid",             KW_REQID},
+    {"leftca",            KW_LEFTCA},
     {"keep_alive",        KW_SETUP_DEPRECATED},
-    {"rightrsasigkey",    KW_RIGHTRSASIGKEY},
+    {"leftdns",           KW_LEFTDNS},
+    {"uniqueids",         KW_UNIQUEIDS},
     {"leftprotoport",     KW_LEFTPROTOPORT},
+    {"interfaces",        KW_SETUP_DEPRECATED},
+    {"rightsubnetwithin", KW_RIGHTSUBNET},
+    {"virtual_private",   KW_SETUP_DEPRECATED},
     {"certuribase",       KW_CERTURIBASE},
-    {"lifepackets",       KW_LIFEPACKETS},
-    {"uniqueids",         KW_UNIQUEIDS},
+    {"mark_in",           KW_MARK_IN},
+    {"lifebytes",         KW_LIFEBYTES},
+    {"marginbytes",       KW_MARGINBYTES},
+    {"marginpackets",     KW_MARGINPACKETS},
+    {"margintime",        KW_REKEYMARGIN},
+    {"keyingtries",       KW_KEYINGTRIES},
+    {"keylife",           KW_KEYLIFE},
+    {"fragmentation",     KW_FRAGMENTATION},
+    {"leftrsasigkey",     KW_LEFTRSASIGKEY},
+    {"rightid",           KW_RIGHTID},
+    {"rightdns",          KW_RIGHTDNS},
     {"rightsourceip",     KW_RIGHTSOURCEIP},
-    {"ike",               KW_IKE},
-    {"type",              KW_TYPE},
-    {"leftdns",           KW_LEFTDNS},
-    {"leftnexthop",       KW_LEFT_DEPRECATED},
     {"rightallowany",     KW_RIGHTALLOWANY},
-    {"rightsubnetwithin", KW_RIGHTSUBNET},
+    {"leftcertpolicy",    KW_LEFTCERTPOLICY},
+    {"reqid",             KW_REQID},
+    {"rightrsasigkey",    KW_RIGHTRSASIGKEY},
     {"rightprotoport",    KW_RIGHTPROTOPORT},
-    {"mediated_by",       KW_MEDIATED_BY},
+    {"leftnexthop",       KW_LEFT_DEPRECATED},
     {"strictcrlpolicy",   KW_STRICTCRLPOLICY},
-    {"virtual_private",   KW_SETUP_DEPRECATED},
-    {"interfaces",        KW_SETUP_DEPRECATED},
-    {"rekey",             KW_REKEY},
-    {"ikelifetime",       KW_IKELIFETIME},
-    {"rekeyfuzz",         KW_REKEYFUZZ},
-    {"leftid",            KW_LEFTID},
-    {"leftca",            KW_LEFTCA},
-    {"leftikeport",       KW_LEFTIKEPORT},
-    {"esp",               KW_ESP},
-    {"leftfirewall",      KW_LEFTFIREWALL},
+    {"me_peerid",         KW_ME_PEERID},
+    {"inactivity",        KW_INACTIVITY},
+    {"rightnexthop",      KW_RIGHT_DEPRECATED},
     {"rightfirewall",     KW_RIGHTFIREWALL},
+    {"ldapbase",          KW_CA_DEPRECATED},
+    {"leftupdown",        KW_LEFTUPDOWN},
+    {"leftfirewall",      KW_LEFTFIREWALL},
+    {"crluri",            KW_CRLURI},
+    {"ike",               KW_IKE},
     {"mediation",         KW_MEDIATION},
+    {"rightcert",         KW_RIGHTCERT},
     {"mobike",	           KW_MOBIKE},
-    {"crluri",            KW_CRLURI},
-    {"rightnexthop",      KW_RIGHT_DEPRECATED},
-    {"inactivity",        KW_INACTIVITY},
-    {"leftupdown",        KW_LEFTUPDOWN},
-    {"mark_in",           KW_MARK_IN},
-    {"leftallowany",      KW_LEFTALLOWANY},
-    {"ldapbase",          KW_CA_DEPRECATED},
-    {"margintime",        KW_REKEYMARGIN},
-    {"marginbytes",       KW_MARGINBYTES},
-    {"mark",              KW_MARK},
-    {"marginpackets",     KW_MARGINPACKETS},
+    {"rightca",           KW_RIGHTCA},
+    {"compress",          KW_COMPRESS},
+    {"type",              KW_TYPE},
+    {"ocspuri",           KW_OCSPURI},
     {"lefthostaccess",    KW_LEFTHOSTACCESS},
-    {"klipsdebug",        KW_SETUP_DEPRECATED},
-    {"rightcert",         KW_RIGHTCERT},
-    {"eap",               KW_CONN_DEPRECATED},
-    {"overridemtu",       KW_SETUP_DEPRECATED},
+    {"esp",               KW_ESP},
+    {"crluri1",           KW_CRLURI},
+    {"ikelifetime",       KW_IKELIFETIME},
+    {"leftikeport",       KW_LEFTIKEPORT},
+    {"cacert",            KW_CACERT},
+    {"mark",              KW_MARK},
+    {"rightid2",          KW_RIGHTID2},
     {"forceencaps",       KW_FORCEENCAPS},
-    {"keyexchange",       KW_KEYEXCHANGE},
-    {"ocspuri",           KW_OCSPURI},
-    {"aaa_identity",      KW_AAA_IDENTITY},
+    {"nat_traversal",     KW_SETUP_DEPRECATED},
+    {"eap",               KW_CONN_DEPRECATED},
+    {"rightgroups2",      KW_RIGHTGROUPS2},
+    {"packetdefault",     KW_SETUP_DEPRECATED},
+    {"ocspuri1",          KW_OCSPURI},
+    {"rekeyfuzz",         KW_REKEYFUZZ},
+    {"mark_out",          KW_MARK_OUT},
+    {"mediated_by",       KW_MEDIATED_BY},
+    {"leftcert2",         KW_LEFTCERT2},
+    {"rightauth2",        KW_RIGHTAUTH2},
+    {"leftid",            KW_LEFTID},
+    {"leftca2",           KW_LEFTCA2},
     {"force_keepalive",   KW_SETUP_DEPRECATED},
+    {"rekeymargin",       KW_REKEYMARGIN},
+    {"dpdtimeout",        KW_DPDTIMEOUT},
+    {"aaa_identity",      KW_AAA_IDENTITY},
+    {"leftgroups2",       KW_LEFTGROUPS2},
+    {"leftallowany",      KW_LEFTALLOWANY},
+    {"righthostaccess",   KW_RIGHTHOSTACCESS},
+    {"rekey",             KW_REKEY},
+    {"rightauth",         KW_RIGHTAUTH},
+    {"klipsdebug",        KW_SETUP_DEPRECATED},
     {"rightcertpolicy",   KW_RIGHTCERTPOLICY},
+    {"overridemtu",       KW_SETUP_DEPRECATED},
+    {"dpdaction",         KW_DPDACTION},
+    {"pfsgroup",          KW_PFS_DEPRECATED},
+    {"keyexchange",       KW_KEYEXCHANGE},
     {"hidetos",           KW_SETUP_DEPRECATED},
-    {"righthostaccess",   KW_RIGHTHOSTACCESS},
-    {"eap_identity",      KW_EAP_IDENTITY},
     {"leftsubnet",        KW_LEFTSUBNET},
-    {"dpdaction",         KW_DPDACTION},
-    {"dpdtimeout",        KW_DPDTIMEOUT},
-    {"rightca",           KW_RIGHTCA},
-    {"compress",          KW_COMPRESS},
     {"installpolicy",     KW_INSTALLPOLICY},
-    {"pfsgroup",          KW_PFS_DEPRECATED},
-    {"nat_traversal",     KW_SETUP_DEPRECATED},
-    {"authby",            KW_AUTHBY},
+    {"dumpdir",           KW_SETUP_DEPRECATED},
     {"leftsourceip",      KW_LEFTSOURCEIP},
-    {"rightid2",          KW_RIGHTID2},
-    {"cacert",            KW_CACERT},
-    {"rekeymargin",       KW_REKEYMARGIN},
-    {"rightauth",         KW_RIGHTAUTH},
-    {"rightgroups2",      KW_RIGHTGROUPS2},
-    {"mark_out",          KW_MARK_OUT},
-    {"leftcert2",         KW_LEFTCERT2},
-    {"packetdefault",     KW_SETUP_DEPRECATED},
-    {"rightupdown",       KW_RIGHTUPDOWN},
     {"also",              KW_ALSO},
-    {"dpddelay",          KW_DPDDELAY},
-    {"xauth_identity",    KW_XAUTH_IDENTITY},
+    {"rightupdown",       KW_RIGHTUPDOWN},
+    {"charondebug",       KW_CHARONDEBUG},
     {"ldaphost",          KW_CA_DEPRECATED},
-    {"crluri1",           KW_CRLURI},
+    {"fragicmp",          KW_SETUP_DEPRECATED},
+    {"charonstart",       KW_SETUP_DEPRECATED},
+    {"tfc",               KW_TFC},
     {"leftsubnetwithin",  KW_LEFTSUBNET},
-    {"dumpdir",           KW_SETUP_DEPRECATED},
-    {"crlcheckinterval",  KW_SETUP_DEPRECATED},
-    {"leftgroups2",       KW_LEFTGROUPS2},
-    {"rightauth2",        KW_RIGHTAUTH2},
     {"leftid2",           KW_LEFTID2},
-    {"leftca2",           KW_LEFTCA2},
+    {"eap_identity",      KW_EAP_IDENTITY},
+    {"crlcheckinterval",  KW_SETUP_DEPRECATED},
+    {"cachecrls",         KW_CACHECRLS},
+    {"rightca2",          KW_RIGHTCA2},
+    {"crluri2",           KW_CRLURI2},
+    {"rightcert2",        KW_RIGHTCERT2},
+    {"pkcs11initargs",    KW_PKCS11_DEPRECATED},
+    {"closeaction",       KW_CLOSEACTION},
+    {"pkcs11module",      KW_PKCS11_DEPRECATED},
+    {"pkcs11keepstate",   KW_PKCS11_DEPRECATED},
+    {"xauth_identity",    KW_XAUTH_IDENTITY},
+    {"ocspuri2",          KW_OCSPURI2},
     {"plutostderrlog",    KW_SETUP_DEPRECATED},
     {"plutostart",        KW_SETUP_DEPRECATED},
-    {"fragicmp",          KW_SETUP_DEPRECATED},
-    {"ocspuri1",          KW_OCSPURI},
-    {"charondebug",       KW_CHARONDEBUG},
-    {"tfc",               KW_TFC},
     {"auto",              KW_AUTO},
-    {"charonstart",       KW_SETUP_DEPRECATED},
-    {"plutodebug",        KW_SETUP_DEPRECATED},
+    {"authby",            KW_AUTHBY},
+    {"dpddelay",          KW_DPDDELAY},
     {"modeconfig",        KW_MODECONFIG},
-    {"prepluto",          KW_SETUP_DEPRECATED},
     {"nocrsend",          KW_SETUP_DEPRECATED},
-    {"auth",              KW_AUTH},
-    {"leftauth",          KW_LEFTAUTH},
-    {"cachecrls",         KW_CACHECRLS},
-    {"pkcs11module",      KW_PKCS11_DEPRECATED},
-    {"crluri2",           KW_CRLURI2},
-    {"pkcs11initargs",    KW_PKCS11_DEPRECATED},
-    {"pkcs11keepstate",   KW_PKCS11_DEPRECATED},
-    {"rightca2",          KW_RIGHTCA2},
-    {"closeaction",       KW_CLOSEACTION},
-    {"rightcert2",        KW_RIGHTCERT2},
+    {"prepluto",          KW_SETUP_DEPRECATED},
     {"pkcs11proxy",       KW_PKCS11_DEPRECATED},
-    {"xauth",             KW_XAUTH},
+    {"leftauth2",         KW_LEFTAUTH2},
     {"postpluto",         KW_SETUP_DEPRECATED},
+    {"auth",              KW_AUTH},
     {"reauth",            KW_REAUTH},
-    {"leftauth2",         KW_LEFTAUTH2},
-    {"ocspuri2",          KW_OCSPURI2}
+    {"xauth",             KW_XAUTH},
+    {"leftauth",          KW_LEFTAUTH},
+    {"plutodebug",        KW_SETUP_DEPRECATED}
   };
 
 static const short lookup[] =
   {
-     -1,  -1,  -1,  -1,  -1,  -1,  -1,  -1,  -1,   0,
-      1,   2,   3,  -1,   4,  -1,  -1,   5,   6,   7,
-      8,   9,  10,  -1,  11,  12,  13,  -1,  -1,  -1,
-     14,  15,  16,  17,  18,  19,  20,  21,  -1,  -1,
-     -1,  22,  23,  24,  25,  26,  27,  28,  29,  30,
-     31,  32,  -1,  33,  34,  35,  36,  -1,  37,  38,
-     39,  40,  41,  -1,  42,  -1,  43,  -1,  44,  45,
-     -1,  -1,  -1,  -1,  -1,  -1,  46,  47,  48,  49,
-     50,  51,  -1,  -1,  52,  53,  54,  55,  56,  57,
-     58,  59,  60,  61,  62,  63,  64,  -1,  65,  -1,
-     66,  67,  68,  69,  70,  71,  72,  73,  -1,  74,
-     75,  76,  77,  78,  -1,  -1,  -1,  79,  80,  -1,
-     81,  82,  83,  -1,  84,  85,  86,  87,  88,  89,
-     -1,  90,  91,  92,  93,  94,  95,  -1,  -1,  96,
-     -1,  97,  -1,  98,  -1,  99, 100,  -1, 101,  -1,
-    102,  -1,  -1,  -1, 103,  -1, 104, 105,  -1, 106,
-     -1,  -1, 107, 108,  -1, 109, 110, 111,  -1,  -1,
-     -1, 112,  -1, 113,  -1,  -1,  -1,  -1,  -1,  -1,
-     -1, 114, 115,  -1, 116,  -1, 117,  -1,  -1,  -1,
-    118,  -1,  -1, 119, 120,  -1,  -1, 121, 122, 123,
-    124,  -1,  -1,  -1, 125, 126, 127, 128,  -1,  -1,
-     -1, 129,  -1, 130,  -1,  -1,  -1, 131,  -1, 132,
-    133
+     -1,  -1,  -1,  -1,  -1,  -1,  -1,  -1,  -1,  -1,
+      0,  -1,  -1,  -1,  -1,  -1,   1,  -1,  -1,   2,
+      3,   4,   5,  -1,   6,   7,   8,  -1,  -1,   9,
+     10,  -1,  -1,  -1,  11,  12,  -1,  13,  -1,  14,
+     15,  16,  -1,  17,  18,  19,  -1,  -1,  20,  -1,
+     -1,  21,  -1,  -1,  -1,  -1,  22,  -1,  -1,  23,
+     24,  -1,  25,  26,  27,  28,  29,  30,  31,  32,
+     33,  34,  35,  36,  -1,  37,  38,  39,  -1,  -1,
+     -1,  -1,  -1,  -1,  -1,  -1,  40,  41,  42,  43,
+     44,  45,  46,  47,  48,  -1,  -1,  -1,  49,  50,
+     51,  52,  53,  54,  55,  56,  57,  58,  59,  60,
+     61,  62,  63,  64,  65,  66,  67,  68,  69,  70,
+     71,  72,  73,  74,  75,  76,  77,  78,  79,  80,
+     -1,  -1,  81,  82,  83,  84,  -1,  85,  86,  87,
+     -1,  -1,  88,  89,  90,  91,  92,  93,  94,  -1,
+     95,  96,  -1,  97,  -1,  -1,  -1,  98,  -1,  99,
+    100,  -1, 101,  -1, 102, 103, 104,  -1,  -1, 105,
+    106,  -1, 107,  -1,  -1,  -1, 108,  -1,  -1,  -1,
+     -1,  -1, 109,  -1,  -1,  -1,  -1,  -1,  -1,  -1,
+     -1, 110, 111, 112, 113, 114, 115,  -1,  -1, 116,
+     -1, 117,  -1, 118,  -1,  -1,  -1,  -1,  -1,  -1,
+    119, 120,  -1,  -1, 121,  -1,  -1,  -1,  -1,  -1,
+     -1, 122,  -1,  -1,  -1,  -1,  -1, 123,  -1, 124,
+    125, 126, 127,  -1,  -1,  -1,  -1,  -1,  -1, 128,
+     -1,  -1,  -1, 129,  -1,  -1,  -1, 130,  -1,  -1,
+     -1, 131, 132, 133,  -1,  -1,  -1,  -1,  -1, 134
   };
 
 #ifdef __GNUC__
diff --git a/src/starter/keywords.h b/src/starter/keywords.h
index 537bceb07..f776f33c9 100644
--- a/src/starter/keywords.h
+++ b/src/starter/keywords.h
@@ -42,6 +42,7 @@ typedef enum {
 	KW_AAA_IDENTITY,
 	KW_MOBIKE,
 	KW_FORCEENCAPS,
+	KW_FRAGMENTATION,
 	KW_IKELIFETIME,
 	KW_KEYLIFE,
 	KW_REKEYMARGIN,
diff --git a/src/starter/keywords.txt b/src/starter/keywords.txt
index 8366f5209..1f1641287 100644
--- a/src/starter/keywords.txt
+++ b/src/starter/keywords.txt
@@ -40,6 +40,7 @@ eap_identity,      KW_EAP_IDENTITY
 aaa_identity,      KW_AAA_IDENTITY
 mobike,	           KW_MOBIKE
 forceencaps,       KW_FORCEENCAPS
+fragmentation,     KW_FRAGMENTATION
 ikelifetime,       KW_IKELIFETIME
 lifetime,          KW_KEYLIFE
 keylife,           KW_KEYLIFE
diff --git a/src/starter/klips.c b/src/starter/klips.c
index 484b7e281..22165465f 100644
--- a/src/starter/klips.c
+++ b/src/starter/klips.c
@@ -17,7 +17,7 @@
 #include <stdlib.h>
 
 #include <library.h>
-#include <debug.h>
+#include <utils/debug.h>
 
 #include "files.h"
 
diff --git a/src/starter/netkey.c b/src/starter/netkey.c
index 25f68e505..921a220db 100644
--- a/src/starter/netkey.c
+++ b/src/starter/netkey.c
@@ -18,7 +18,7 @@
 
 #include <library.h>
 #include <hydra.h>
-#include <debug.h>
+#include <utils/debug.h>
 
 #include "files.h"
 
diff --git a/src/starter/parser.c b/src/starter/parser.c
index beb752a51..9a5831ef8 100644
--- a/src/starter/parser.c
+++ b/src/starter/parser.c
@@ -1,10 +1,8 @@
+/* A Bison parser, made by GNU Bison 2.5.  */
 
-/* A Bison parser, made by GNU Bison 2.4.1.  */
-
-/* Skeleton implementation for Bison's Yacc-like parsers in C
+/* Bison implementation for Yacc-like parsers in C
    
-      Copyright (C) 1984, 1989, 1990, 2000, 2001, 2002, 2003, 2004, 2005, 2006
-   Free Software Foundation, Inc.
+      Copyright (C) 1984, 1989-1990, 2000-2011 Free Software Foundation, Inc.
    
    This program is free software: you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -46,7 +44,7 @@
 #define YYBISON 1
 
 /* Bison version.  */
-#define YYBISON_VERSION "2.4.1"
+#define YYBISON_VERSION "2.5"
 
 /* Skeleton name.  */
 #define YYSKELETON_NAME "yacc.c"
@@ -67,7 +65,7 @@
 
 /* Copy the first part of user declarations.  */
 
-/* Line 189 of yacc.c  */
+/* Line 268 of yacc.c  */
 #line 1 "parser.y"
 
 /* strongSwan config file parser (parser.y)
@@ -89,7 +87,7 @@
 #include <string.h>
 
 #include <library.h>
-#include <debug.h>
+#include <utils/debug.h>
 
 #include "ipsec-parser.h"
 
@@ -120,8 +118,8 @@ extern kw_entry_t *in_word_set (char *str, unsigned int len);
 
 
 
-/* Line 189 of yacc.c  */
-#line 125 "parser.c"
+/* Line 268 of yacc.c  */
+#line 123 "parser.c"
 
 /* Enabling traces.  */
 #ifndef YYDEBUG
@@ -179,13 +177,13 @@ extern kw_entry_t *in_word_set (char *str, unsigned int len);
 typedef union YYSTYPE
 {
 
-/* Line 214 of yacc.c  */
+/* Line 293 of yacc.c  */
 #line 52 "parser.y"
  char *s; 
 
 
-/* Line 214 of yacc.c  */
-#line 189 "parser.c"
+/* Line 293 of yacc.c  */
+#line 187 "parser.c"
 } YYSTYPE;
 # define YYSTYPE_IS_TRIVIAL 1
 # define yystype YYSTYPE /* obsolescent; will be withdrawn */
@@ -196,8 +194,8 @@ typedef union YYSTYPE
 /* Copy the second part of user declarations.  */
 
 
-/* Line 264 of yacc.c  */
-#line 201 "parser.c"
+/* Line 343 of yacc.c  */
+#line 199 "parser.c"
 
 #ifdef short
 # undef short
@@ -247,7 +245,7 @@ typedef short int yytype_int16;
 #define YYSIZE_MAXIMUM ((YYSIZE_T) -1)
 
 #ifndef YY_
-# if YYENABLE_NLS
+# if defined YYENABLE_NLS && YYENABLE_NLS
 #  if ENABLE_NLS
 #   include <libintl.h> /* INFRINGES ON USER NAME SPACE */
 #   define YY_(msgid) dgettext ("bison-runtime", msgid)
@@ -300,11 +298,11 @@ YYID (yyi)
 #    define alloca _alloca
 #   else
 #    define YYSTACK_ALLOC alloca
-#    if ! defined _ALLOCA_H && ! defined _STDLIB_H && (defined __STDC__ || defined __C99__FUNC__ \
+#    if ! defined _ALLOCA_H && ! defined EXIT_SUCCESS && (defined __STDC__ || defined __C99__FUNC__ \
      || defined __cplusplus || defined _MSC_VER)
 #     include <stdlib.h> /* INFRINGES ON USER NAME SPACE */
-#     ifndef _STDLIB_H
-#      define _STDLIB_H 1
+#     ifndef EXIT_SUCCESS
+#      define EXIT_SUCCESS 0
 #     endif
 #    endif
 #   endif
@@ -327,24 +325,24 @@ YYID (yyi)
 #  ifndef YYSTACK_ALLOC_MAXIMUM
 #   define YYSTACK_ALLOC_MAXIMUM YYSIZE_MAXIMUM
 #  endif
-#  if (defined __cplusplus && ! defined _STDLIB_H \
+#  if (defined __cplusplus && ! defined EXIT_SUCCESS \
        && ! ((defined YYMALLOC || defined malloc) \
 	     && (defined YYFREE || defined free)))
 #   include <stdlib.h> /* INFRINGES ON USER NAME SPACE */
-#   ifndef _STDLIB_H
-#    define _STDLIB_H 1
+#   ifndef EXIT_SUCCESS
+#    define EXIT_SUCCESS 0
 #   endif
 #  endif
 #  ifndef YYMALLOC
 #   define YYMALLOC malloc
-#   if ! defined malloc && ! defined _STDLIB_H && (defined __STDC__ || defined __C99__FUNC__ \
+#   if ! defined malloc && ! defined EXIT_SUCCESS && (defined __STDC__ || defined __C99__FUNC__ \
      || defined __cplusplus || defined _MSC_VER)
 void *malloc (YYSIZE_T); /* INFRINGES ON USER NAME SPACE */
 #   endif
 #  endif
 #  ifndef YYFREE
 #   define YYFREE free
-#   if ! defined free && ! defined _STDLIB_H && (defined __STDC__ || defined __C99__FUNC__ \
+#   if ! defined free && ! defined EXIT_SUCCESS && (defined __STDC__ || defined __C99__FUNC__ \
      || defined __cplusplus || defined _MSC_VER)
 void free (void *); /* INFRINGES ON USER NAME SPACE */
 #   endif
@@ -373,23 +371,7 @@ union yyalloc
      ((N) * (sizeof (yytype_int16) + sizeof (YYSTYPE)) \
       + YYSTACK_GAP_MAXIMUM)
 
-/* Copy COUNT objects from FROM to TO.  The source and destination do
-   not overlap.  */
-# ifndef YYCOPY
-#  if defined __GNUC__ && 1 < __GNUC__
-#   define YYCOPY(To, From, Count) \
-      __builtin_memcpy (To, From, (Count) * sizeof (*(From)))
-#  else
-#   define YYCOPY(To, From, Count)		\
-      do					\
-	{					\
-	  YYSIZE_T yyi;				\
-	  for (yyi = 0; yyi < (Count); yyi++)	\
-	    (To)[yyi] = (From)[yyi];		\
-	}					\
-      while (YYID (0))
-#  endif
-# endif
+# define YYCOPY_NEEDED 1
 
 /* Relocate STACK from its old location to the new one.  The
    local variables YYSIZE and YYSTACKSIZE give the old and new number of
@@ -409,6 +391,26 @@ union yyalloc
 
 #endif
 
+#if defined YYCOPY_NEEDED && YYCOPY_NEEDED
+/* Copy COUNT objects from FROM to TO.  The source and destination do
+   not overlap.  */
+# ifndef YYCOPY
+#  if defined __GNUC__ && 1 < __GNUC__
+#   define YYCOPY(To, From, Count) \
+      __builtin_memcpy (To, From, (Count) * sizeof (*(From)))
+#  else
+#   define YYCOPY(To, From, Count)		\
+      do					\
+	{					\
+	  YYSIZE_T yyi;				\
+	  for (yyi = 0; yyi < (Count); yyi++)	\
+	    (To)[yyi] = (From)[yyi];		\
+	}					\
+      while (YYID (0))
+#  endif
+# endif
+#endif /* !YYCOPY_NEEDED */
+
 /* YYFINAL -- State number of the termination state.  */
 #define YYFINAL  2
 /* YYLAST -- Last index in YYTABLE.  */
@@ -526,8 +528,8 @@ static const yytype_uint8 yyr2[] =
        5,     0,     4,     1,     4,     0,     3,     2,     0
 };
 
-/* YYDEFACT[STATE-NAME] -- Default rule to reduce with in state
-   STATE-NUM when YYTABLE doesn't specify something else to do.  Zero
+/* YYDEFACT[STATE-NAME] -- Default reduction number in state STATE-NUM.
+   Performed when YYTABLE doesn't specify something else to do.  Zero
    means the default is an error.  */
 static const yytype_uint8 yydefact[] =
 {
@@ -562,8 +564,7 @@ static const yytype_int8 yypgoto[] =
 
 /* YYTABLE[YYPACT[STATE-NUM]].  What to do in state STATE-NUM.  If
    positive, shift that token.  If negative, reduce the rule which
-   number is the opposite.  If zero, do what YYDEFACT says.
-   If YYTABLE_NINF, syntax error.  */
+   number is the opposite.  If YYTABLE_NINF, syntax error.  */
 #define YYTABLE_NINF -1
 static const yytype_uint8 yytable[] =
 {
@@ -572,6 +573,12 @@ static const yytype_uint8 yytable[] =
       24,    28,    30,    31,     0,     0,     0,    32
 };
 
+#define yypact_value_is_default(yystate) \
+  ((yystate) == (-20))
+
+#define yytable_value_is_error(yytable_value) \
+  YYID (0)
+
 static const yytype_int8 yycheck[] =
 {
        0,     7,    21,    22,    12,     5,     6,    12,     8,     9,
@@ -601,9 +608,18 @@ static const yytype_uint8 yystos[] =
 
 /* Like YYERROR except do call yyerror.  This remains here temporarily
    to ease the transition to the new meaning of YYERROR, for GCC.
-   Once GCC version 2 has supplanted version 1, this can go.  */
+   Once GCC version 2 has supplanted version 1, this can go.  However,
+   YYFAIL appears to be in use.  Nevertheless, it is formally deprecated
+   in Bison 2.4.2's NEWS entry, where a plan to phase it out is
+   discussed.  */
 
 #define YYFAIL		goto yyerrlab
+#if defined YYFAIL
+  /* This is here to suppress warnings from the GCC cpp's
+     -Wunused-macros.  Normally we don't worry about that warning, but
+     some users do, and we want to make it easy for users to remove
+     YYFAIL uses, which will produce warnings from Bison 2.5.  */
+#endif
 
 #define YYRECOVERING()  (!!yyerrstatus)
 
@@ -613,7 +629,6 @@ do								\
     {								\
       yychar = (Token);						\
       yylval = (Value);						\
-      yytoken = YYTRANSLATE (yychar);				\
       YYPOPSTACK (1);						\
       goto yybackup;						\
     }								\
@@ -655,19 +670,10 @@ while (YYID (0))
 #endif
 
 
-/* YY_LOCATION_PRINT -- Print the location on the stream.
-   This macro was not mandated originally: define only if we know
-   we won't break user code: when these are the locations we know.  */
+/* This macro is provided for backward compatibility. */
 
 #ifndef YY_LOCATION_PRINT
-# if YYLTYPE_IS_TRIVIAL
-#  define YY_LOCATION_PRINT(File, Loc)			\
-     fprintf (File, "%d.%d-%d.%d",			\
-	      (Loc).first_line, (Loc).first_column,	\
-	      (Loc).last_line,  (Loc).last_column)
-# else
-#  define YY_LOCATION_PRINT(File, Loc) ((void) 0)
-# endif
+# define YY_LOCATION_PRINT(File, Loc) ((void) 0)
 #endif
 
 
@@ -859,7 +865,6 @@ int yydebug;
 # define YYMAXDEPTH 10000
 #endif
 
-
 
 #if YYERROR_VERBOSE
 
@@ -962,115 +967,142 @@ yytnamerr (char *yyres, const char *yystr)
 }
 # endif
 
-/* Copy into YYRESULT an error message about the unexpected token
-   YYCHAR while in state YYSTATE.  Return the number of bytes copied,
-   including the terminating null byte.  If YYRESULT is null, do not
-   copy anything; just return the number of bytes that would be
-   copied.  As a special case, return 0 if an ordinary "syntax error"
-   message will do.  Return YYSIZE_MAXIMUM if overflow occurs during
-   size calculation.  */
-static YYSIZE_T
-yysyntax_error (char *yyresult, int yystate, int yychar)
-{
-  int yyn = yypact[yystate];
+/* Copy into *YYMSG, which is of size *YYMSG_ALLOC, an error message
+   about the unexpected token YYTOKEN for the state stack whose top is
+   YYSSP.
 
-  if (! (YYPACT_NINF < yyn && yyn <= YYLAST))
-    return 0;
-  else
+   Return 0 if *YYMSG was successfully written.  Return 1 if *YYMSG is
+   not large enough to hold the message.  In that case, also set
+   *YYMSG_ALLOC to the required number of bytes.  Return 2 if the
+   required number of bytes is too large to store.  */
+static int
+yysyntax_error (YYSIZE_T *yymsg_alloc, char **yymsg,
+                yytype_int16 *yyssp, int yytoken)
+{
+  YYSIZE_T yysize0 = yytnamerr (0, yytname[yytoken]);
+  YYSIZE_T yysize = yysize0;
+  YYSIZE_T yysize1;
+  enum { YYERROR_VERBOSE_ARGS_MAXIMUM = 5 };
+  /* Internationalized format string. */
+  const char *yyformat = 0;
+  /* Arguments of yyformat. */
+  char const *yyarg[YYERROR_VERBOSE_ARGS_MAXIMUM];
+  /* Number of reported tokens (one for the "unexpected", one per
+     "expected"). */
+  int yycount = 0;
+
+  /* There are many possibilities here to consider:
+     - Assume YYFAIL is not used.  It's too flawed to consider.  See
+       <http://lists.gnu.org/archive/html/bison-patches/2009-12/msg00024.html>
+       for details.  YYERROR is fine as it does not invoke this
+       function.
+     - If this state is a consistent state with a default action, then
+       the only way this function was invoked is if the default action
+       is an error action.  In that case, don't check for expected
+       tokens because there are none.
+     - The only way there can be no lookahead present (in yychar) is if
+       this state is a consistent state with a default action.  Thus,
+       detecting the absence of a lookahead is sufficient to determine
+       that there is no unexpected or expected token to report.  In that
+       case, just report a simple "syntax error".
+     - Don't assume there isn't a lookahead just because this state is a
+       consistent state with a default action.  There might have been a
+       previous inconsistent state, consistent state with a non-default
+       action, or user semantic action that manipulated yychar.
+     - Of course, the expected token list depends on states to have
+       correct lookahead information, and it depends on the parser not
+       to perform extra reductions after fetching a lookahead from the
+       scanner and before detecting a syntax error.  Thus, state merging
+       (from LALR or IELR) and default reductions corrupt the expected
+       token list.  However, the list is correct for canonical LR with
+       one exception: it will still contain any token that will not be
+       accepted due to an error action in a later state.
+  */
+  if (yytoken != YYEMPTY)
     {
-      int yytype = YYTRANSLATE (yychar);
-      YYSIZE_T yysize0 = yytnamerr (0, yytname[yytype]);
-      YYSIZE_T yysize = yysize0;
-      YYSIZE_T yysize1;
-      int yysize_overflow = 0;
-      enum { YYERROR_VERBOSE_ARGS_MAXIMUM = 5 };
-      char const *yyarg[YYERROR_VERBOSE_ARGS_MAXIMUM];
-      int yyx;
-
-# if 0
-      /* This is so xgettext sees the translatable formats that are
-	 constructed on the fly.  */
-      YY_("syntax error, unexpected %s");
-      YY_("syntax error, unexpected %s, expecting %s");
-      YY_("syntax error, unexpected %s, expecting %s or %s");
-      YY_("syntax error, unexpected %s, expecting %s or %s or %s");
-      YY_("syntax error, unexpected %s, expecting %s or %s or %s or %s");
-# endif
-      char *yyfmt;
-      char const *yyf;
-      static char const yyunexpected[] = "syntax error, unexpected %s";
-      static char const yyexpecting[] = ", expecting %s";
-      static char const yyor[] = " or %s";
-      char yyformat[sizeof yyunexpected
-		    + sizeof yyexpecting - 1
-		    + ((YYERROR_VERBOSE_ARGS_MAXIMUM - 2)
-		       * (sizeof yyor - 1))];
-      char const *yyprefix = yyexpecting;
-
-      /* Start YYX at -YYN if negative to avoid negative indexes in
-	 YYCHECK.  */
-      int yyxbegin = yyn < 0 ? -yyn : 0;
-
-      /* Stay within bounds of both yycheck and yytname.  */
-      int yychecklim = YYLAST - yyn + 1;
-      int yyxend = yychecklim < YYNTOKENS ? yychecklim : YYNTOKENS;
-      int yycount = 1;
-
-      yyarg[0] = yytname[yytype];
-      yyfmt = yystpcpy (yyformat, yyunexpected);
-
-      for (yyx = yyxbegin; yyx < yyxend; ++yyx)
-	if (yycheck[yyx + yyn] == yyx && yyx != YYTERROR)
-	  {
-	    if (yycount == YYERROR_VERBOSE_ARGS_MAXIMUM)
-	      {
-		yycount = 1;
-		yysize = yysize0;
-		yyformat[sizeof yyunexpected - 1] = '\0';
-		break;
-	      }
-	    yyarg[yycount++] = yytname[yyx];
-	    yysize1 = yysize + yytnamerr (0, yytname[yyx]);
-	    yysize_overflow |= (yysize1 < yysize);
-	    yysize = yysize1;
-	    yyfmt = yystpcpy (yyfmt, yyprefix);
-	    yyprefix = yyor;
-	  }
+      int yyn = yypact[*yyssp];
+      yyarg[yycount++] = yytname[yytoken];
+      if (!yypact_value_is_default (yyn))
+        {
+          /* Start YYX at -YYN if negative to avoid negative indexes in
+             YYCHECK.  In other words, skip the first -YYN actions for
+             this state because they are default actions.  */
+          int yyxbegin = yyn < 0 ? -yyn : 0;
+          /* Stay within bounds of both yycheck and yytname.  */
+          int yychecklim = YYLAST - yyn + 1;
+          int yyxend = yychecklim < YYNTOKENS ? yychecklim : YYNTOKENS;
+          int yyx;
+
+          for (yyx = yyxbegin; yyx < yyxend; ++yyx)
+            if (yycheck[yyx + yyn] == yyx && yyx != YYTERROR
+                && !yytable_value_is_error (yytable[yyx + yyn]))
+              {
+                if (yycount == YYERROR_VERBOSE_ARGS_MAXIMUM)
+                  {
+                    yycount = 1;
+                    yysize = yysize0;
+                    break;
+                  }
+                yyarg[yycount++] = yytname[yyx];
+                yysize1 = yysize + yytnamerr (0, yytname[yyx]);
+                if (! (yysize <= yysize1
+                       && yysize1 <= YYSTACK_ALLOC_MAXIMUM))
+                  return 2;
+                yysize = yysize1;
+              }
+        }
+    }
 
-      yyf = YY_(yyformat);
-      yysize1 = yysize + yystrlen (yyf);
-      yysize_overflow |= (yysize1 < yysize);
-      yysize = yysize1;
+  switch (yycount)
+    {
+# define YYCASE_(N, S)                      \
+      case N:                               \
+        yyformat = S;                       \
+      break
+      YYCASE_(0, YY_("syntax error"));
+      YYCASE_(1, YY_("syntax error, unexpected %s"));
+      YYCASE_(2, YY_("syntax error, unexpected %s, expecting %s"));
+      YYCASE_(3, YY_("syntax error, unexpected %s, expecting %s or %s"));
+      YYCASE_(4, YY_("syntax error, unexpected %s, expecting %s or %s or %s"));
+      YYCASE_(5, YY_("syntax error, unexpected %s, expecting %s or %s or %s or %s"));
+# undef YYCASE_
+    }
 
-      if (yysize_overflow)
-	return YYSIZE_MAXIMUM;
+  yysize1 = yysize + yystrlen (yyformat);
+  if (! (yysize <= yysize1 && yysize1 <= YYSTACK_ALLOC_MAXIMUM))
+    return 2;
+  yysize = yysize1;
 
-      if (yyresult)
-	{
-	  /* Avoid sprintf, as that infringes on the user's name space.
-	     Don't have undefined behavior even if the translation
-	     produced a string with the wrong number of "%s"s.  */
-	  char *yyp = yyresult;
-	  int yyi = 0;
-	  while ((*yyp = *yyf) != '\0')
-	    {
-	      if (*yyp == '%' && yyf[1] == 's' && yyi < yycount)
-		{
-		  yyp += yytnamerr (yyp, yyarg[yyi++]);
-		  yyf += 2;
-		}
-	      else
-		{
-		  yyp++;
-		  yyf++;
-		}
-	    }
-	}
-      return yysize;
+  if (*yymsg_alloc < yysize)
+    {
+      *yymsg_alloc = 2 * yysize;
+      if (! (yysize <= *yymsg_alloc
+             && *yymsg_alloc <= YYSTACK_ALLOC_MAXIMUM))
+        *yymsg_alloc = YYSTACK_ALLOC_MAXIMUM;
+      return 1;
     }
+
+  /* Avoid sprintf, as that infringes on the user's name space.
+     Don't have undefined behavior even if the translation
+     produced a string with the wrong number of "%s"s.  */
+  {
+    char *yyp = *yymsg;
+    int yyi = 0;
+    while ((*yyp = *yyformat) != '\0')
+      if (*yyp == '%' && yyformat[1] == 's' && yyi < yycount)
+        {
+          yyp += yytnamerr (yyp, yyarg[yyi++]);
+          yyformat += 2;
+        }
+      else
+        {
+          yyp++;
+          yyformat++;
+        }
+  }
+  return 0;
 }
 #endif /* YYERROR_VERBOSE */
-
 
 /*-----------------------------------------------.
 | Release the memory associated to this symbol.  |
@@ -1103,6 +1135,7 @@ yydestruct (yymsg, yytype, yyvaluep)
     }
 }
 
+
 /* Prevent warnings from -Wmissing-prototypes.  */
 #ifdef YYPARSE_PARAM
 #if defined __STDC__ || defined __cplusplus
@@ -1129,10 +1162,9 @@ YYSTYPE yylval;
 int yynerrs;
 
 
-
-/*-------------------------.
-| yyparse or yypush_parse.  |
-`-------------------------*/
+/*----------.
+| yyparse.  |
+`----------*/
 
 #ifdef YYPARSE_PARAM
 #if (defined __STDC__ || defined __C99__FUNC__ \
@@ -1156,8 +1188,6 @@ yyparse ()
 #endif
 #endif
 {
-
-
     int yystate;
     /* Number of tokens to shift before error messages enabled.  */
     int yyerrstatus;
@@ -1312,7 +1342,7 @@ yybackup:
 
   /* First try to decide what to do without reference to lookahead token.  */
   yyn = yypact[yystate];
-  if (yyn == YYPACT_NINF)
+  if (yypact_value_is_default (yyn))
     goto yydefault;
 
   /* Not known => get a lookahead token if don't already have one.  */
@@ -1343,8 +1373,8 @@ yybackup:
   yyn = yytable[yyn];
   if (yyn <= 0)
     {
-      if (yyn == 0 || yyn == YYTABLE_NINF)
-	goto yyerrlab;
+      if (yytable_value_is_error (yyn))
+        goto yyerrlab;
       yyn = -yyn;
       goto yyreduce;
     }
@@ -1399,7 +1429,7 @@ yyreduce:
     {
         case 4:
 
-/* Line 1455 of yacc.c  */
+/* Line 1806 of yacc.c  */
 #line 69 "parser.y"
     {
 		free((yyvsp[(2) - (3)].s));
@@ -1408,7 +1438,7 @@ yyreduce:
 
   case 5:
 
-/* Line 1455 of yacc.c  */
+/* Line 1806 of yacc.c  */
 #line 73 "parser.y"
     {
 		_parser_kw = &(_parser_cfg->config_setup);
@@ -1418,7 +1448,7 @@ yyreduce:
 
   case 7:
 
-/* Line 1455 of yacc.c  */
+/* Line 1806 of yacc.c  */
 #line 78 "parser.y"
     {
 		section_list_t *section = malloc_thing(section_list_t);
@@ -1439,7 +1469,7 @@ yyreduce:
 
   case 9:
 
-/* Line 1455 of yacc.c  */
+/* Line 1806 of yacc.c  */
 #line 94 "parser.y"
     {
 		section_list_t *section = malloc_thing(section_list_t);
@@ -1459,7 +1489,7 @@ yyreduce:
 
   case 11:
 
-/* Line 1455 of yacc.c  */
+/* Line 1806 of yacc.c  */
 #line 109 "parser.y"
     {
 		extern void _parser_y_include (const char *f);
@@ -1470,7 +1500,7 @@ yyreduce:
 
   case 16:
 
-/* Line 1455 of yacc.c  */
+/* Line 1806 of yacc.c  */
 #line 124 "parser.y"
     {
 		kw_list_t  *new;
@@ -1500,7 +1530,7 @@ yyreduce:
 
   case 17:
 
-/* Line 1455 of yacc.c  */
+/* Line 1806 of yacc.c  */
 #line 149 "parser.y"
     {
 		free((yyvsp[(1) - (2)].s));
@@ -1509,10 +1539,21 @@ yyreduce:
 
 
 
-/* Line 1455 of yacc.c  */
-#line 1514 "parser.c"
+/* Line 1806 of yacc.c  */
+#line 1544 "parser.c"
       default: break;
     }
+  /* User semantic actions sometimes alter yychar, and that requires
+     that yytoken be updated with the new translation.  We take the
+     approach of translating immediately before every use of yytoken.
+     One alternative is translating here after every semantic action,
+     but that translation would be missed if the semantic action invokes
+     YYABORT, YYACCEPT, or YYERROR immediately after altering yychar or
+     if it invokes YYBACKUP.  In the case of YYABORT or YYACCEPT, an
+     incorrect destructor might then be invoked immediately.  In the
+     case of YYERROR or YYBACKUP, subsequent parser actions might lead
+     to an incorrect destructor call or verbose syntax error message
+     before the lookahead is translated.  */
   YY_SYMBOL_PRINT ("-> $$ =", yyr1[yyn], &yyval, &yyloc);
 
   YYPOPSTACK (yylen);
@@ -1540,6 +1581,10 @@ yyreduce:
 | yyerrlab -- here on detecting error |
 `------------------------------------*/
 yyerrlab:
+  /* Make sure we have latest lookahead translation.  See comments at
+     user semantic actions for why this is necessary.  */
+  yytoken = yychar == YYEMPTY ? YYEMPTY : YYTRANSLATE (yychar);
+
   /* If not already recovering from an error, report this error.  */
   if (!yyerrstatus)
     {
@@ -1547,37 +1592,36 @@ yyerrlab:
 #if ! YYERROR_VERBOSE
       yyerror (YY_("syntax error"));
 #else
+# define YYSYNTAX_ERROR yysyntax_error (&yymsg_alloc, &yymsg, \
+                                        yyssp, yytoken)
       {
-	YYSIZE_T yysize = yysyntax_error (0, yystate, yychar);
-	if (yymsg_alloc < yysize && yymsg_alloc < YYSTACK_ALLOC_MAXIMUM)
-	  {
-	    YYSIZE_T yyalloc = 2 * yysize;
-	    if (! (yysize <= yyalloc && yyalloc <= YYSTACK_ALLOC_MAXIMUM))
-	      yyalloc = YYSTACK_ALLOC_MAXIMUM;
-	    if (yymsg != yymsgbuf)
-	      YYSTACK_FREE (yymsg);
-	    yymsg = (char *) YYSTACK_ALLOC (yyalloc);
-	    if (yymsg)
-	      yymsg_alloc = yyalloc;
-	    else
-	      {
-		yymsg = yymsgbuf;
-		yymsg_alloc = sizeof yymsgbuf;
-	      }
-	  }
-
-	if (0 < yysize && yysize <= yymsg_alloc)
-	  {
-	    (void) yysyntax_error (yymsg, yystate, yychar);
-	    yyerror (yymsg);
-	  }
-	else
-	  {
-	    yyerror (YY_("syntax error"));
-	    if (yysize != 0)
-	      goto yyexhaustedlab;
-	  }
+        char const *yymsgp = YY_("syntax error");
+        int yysyntax_error_status;
+        yysyntax_error_status = YYSYNTAX_ERROR;
+        if (yysyntax_error_status == 0)
+          yymsgp = yymsg;
+        else if (yysyntax_error_status == 1)
+          {
+            if (yymsg != yymsgbuf)
+              YYSTACK_FREE (yymsg);
+            yymsg = (char *) YYSTACK_ALLOC (yymsg_alloc);
+            if (!yymsg)
+              {
+                yymsg = yymsgbuf;
+                yymsg_alloc = sizeof yymsgbuf;
+                yysyntax_error_status = 2;
+              }
+            else
+              {
+                yysyntax_error_status = YYSYNTAX_ERROR;
+                yymsgp = yymsg;
+              }
+          }
+        yyerror (yymsgp);
+        if (yysyntax_error_status == 2)
+          goto yyexhaustedlab;
       }
+# undef YYSYNTAX_ERROR
 #endif
     }
 
@@ -1636,7 +1680,7 @@ yyerrlab1:
   for (;;)
     {
       yyn = yypact[yystate];
-      if (yyn != YYPACT_NINF)
+      if (!yypact_value_is_default (yyn))
 	{
 	  yyn += YYTERROR;
 	  if (0 <= yyn && yyn <= YYLAST && yycheck[yyn] == YYTERROR)
@@ -1695,8 +1739,13 @@ yyexhaustedlab:
 
 yyreturn:
   if (yychar != YYEMPTY)
-     yydestruct ("Cleanup: discarding lookahead",
-		 yytoken, &yylval);
+    {
+      /* Make sure we have latest lookahead translation.  See comments at
+         user semantic actions for why this is necessary.  */
+      yytoken = YYTRANSLATE (yychar);
+      yydestruct ("Cleanup: discarding lookahead",
+                  yytoken, &yylval);
+    }
   /* Do not reclaim the symbols of the rule which action triggered
      this YYABORT or YYACCEPT.  */
   YYPOPSTACK (yylen);
@@ -1721,7 +1770,7 @@ yyreturn:
 
 
 
-/* Line 1675 of yacc.c  */
+/* Line 2067 of yacc.c  */
 #line 155 "parser.y"
 
 
diff --git a/src/starter/parser.h b/src/starter/parser.h
index eff532f6d..7007dfef5 100644
--- a/src/starter/parser.h
+++ b/src/starter/parser.h
@@ -1,10 +1,8 @@
+/* A Bison parser, made by GNU Bison 2.5.  */
 
-/* A Bison parser, made by GNU Bison 2.4.1.  */
-
-/* Skeleton interface for Bison's Yacc-like parsers in C
+/* Bison interface for Yacc-like parsers in C
    
-      Copyright (C) 1984, 1989, 1990, 2000, 2001, 2002, 2003, 2004, 2005, 2006
-   Free Software Foundation, Inc.
+      Copyright (C) 1984, 1989-1990, 2000-2011 Free Software Foundation, Inc.
    
    This program is free software: you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -70,13 +68,13 @@
 typedef union YYSTYPE
 {
 
-/* Line 1676 of yacc.c  */
+/* Line 2068 of yacc.c  */
 #line 52 "parser.y"
  char *s; 
 
 
-/* Line 1676 of yacc.c  */
-#line 80 "parser.h"
+/* Line 2068 of yacc.c  */
+#line 78 "parser.h"
 } YYSTYPE;
 # define YYSTYPE_IS_TRIVIAL 1
 # define yystype YYSTYPE /* obsolescent; will be withdrawn */
diff --git a/src/starter/parser.y b/src/starter/parser.y
index 424e3a9fd..2cf0501f4 100644
--- a/src/starter/parser.y
+++ b/src/starter/parser.y
@@ -18,7 +18,7 @@
 #include <string.h>
 
 #include <library.h>
-#include <debug.h>
+#include <utils/debug.h>
 
 #include "ipsec-parser.h"
 
diff --git a/src/starter/starter.c b/src/starter/starter.c
index c6efcb2f4..ae6863fd7 100644
--- a/src/starter/starter.c
+++ b/src/starter/starter.c
@@ -34,7 +34,7 @@
 #include <hydra.h>
 #include <utils/backtrace.h>
 #include <threading/thread.h>
-#include <debug.h>
+#include <utils/debug.h>
 
 #include "confread.h"
 #include "files.h"
@@ -328,7 +328,8 @@ static bool check_pid(char *pid_file)
 static void usage(char *name)
 {
 	fprintf(stderr, "Usage: starter [--nofork] [--auto-update <sec>]\n"
-			"               [--debug|--debug-more|--debug-all|--nolog]\n");
+			"               [--debug|--debug-more|--debug-all|--nolog]\n"
+			"               [--attach-gdb]\n");
 	exit(LSB_RC_INVALID_ARGUMENT);
 }
 
@@ -594,6 +595,10 @@ int main (int argc, char **argv)
 					{
 						if (starter_charon_pid())
 						{
+							if (conn->startup == STARTUP_ROUTE)
+							{
+								starter_stroke_unroute_conn(conn);
+							}
 							starter_stroke_del_conn(conn);
 						}
 						conn->state = STATE_TO_ADD;
@@ -622,7 +627,7 @@ int main (int argc, char **argv)
 			DBG2(DBG_APP, "Reloading config...");
 			new_cfg = confread_load(CONFIG_FILE);
 
-			if (new_cfg && (new_cfg->err + new_cfg->non_fatal_err == 0))
+			if (new_cfg && (new_cfg->err == 0))
 			{
 				/* Switch to new config. New conn will be loaded below */
 
@@ -651,6 +656,10 @@ int main (int argc, char **argv)
 					{
 						if (starter_charon_pid())
 						{
+							if (conn->startup == STARTUP_ROUTE)
+							{
+								starter_stroke_unroute_conn(conn);
+							}
 							starter_stroke_del_conn(conn);
 						}
 					}
diff --git a/src/starter/starterstroke.c b/src/starter/starterstroke.c
index d6ad3eb89..4f9e8fb14 100644
--- a/src/starter/starterstroke.c
+++ b/src/starter/starterstroke.c
@@ -27,7 +27,7 @@
 #include <credentials/auth_cfg.h>
 
 #include <library.h>
-#include <debug.h>
+#include <utils/debug.h>
 
 #include <stroke_msg.h>
 
@@ -180,6 +180,7 @@ int starter_stroke_add_conn(starter_config_t *cfg, starter_conn_t *conn)
 	}
 	msg.add_conn.mobike = conn->options & SA_OPTION_MOBIKE;
 	msg.add_conn.force_encap = conn->options & SA_OPTION_FORCE_ENCAP;
+	msg.add_conn.fragmentation = conn->fragmentation;
 	msg.add_conn.ipcomp = conn->options & SA_OPTION_COMPRESS;
 	msg.add_conn.install_policy = conn->install_policy;
 	msg.add_conn.aggressive = conn->aggressive;
@@ -270,6 +271,16 @@ int starter_stroke_route_conn(starter_conn_t *conn)
 	return send_stroke_msg(&msg);
 }
 
+int starter_stroke_unroute_conn(starter_conn_t *conn)
+{
+	stroke_msg_t msg;
+
+	msg.type = STR_UNROUTE;
+	msg.length = offsetof(stroke_msg_t, buffer);
+	msg.route.name = push_string(&msg, connection_name(conn));
+	return send_stroke_msg(&msg);
+}
+
 int starter_stroke_initiate_conn(starter_conn_t *conn)
 {
 	stroke_msg_t msg;
diff --git a/src/starter/starterstroke.h b/src/starter/starterstroke.h
index fd2a3e320..126486325 100644
--- a/src/starter/starterstroke.h
+++ b/src/starter/starterstroke.h
@@ -21,6 +21,7 @@
 int starter_stroke_add_conn(starter_config_t *cfg, starter_conn_t *conn);
 int starter_stroke_del_conn(starter_conn_t *conn);
 int starter_stroke_route_conn(starter_conn_t *conn);
+int starter_stroke_unroute_conn(starter_conn_t *conn);
 int starter_stroke_initiate_conn(starter_conn_t *conn);
 int starter_stroke_add_ca(starter_ca_t *ca);
 int starter_stroke_del_ca(starter_ca_t *ca);
diff --git a/src/stroke/Makefile.in b/src/stroke/Makefile.in
index acf9d3485..01288296e 100644
--- a/src/stroke/Makefile.in
+++ b/src/stroke/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -98,6 +98,7 @@ CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -125,6 +126,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -152,6 +154,7 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
@@ -164,6 +167,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -217,7 +221,6 @@ libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -351,7 +354,7 @@ clean-ipsecPROGRAMS:
 	list=`for p in $$list; do echo "$$p"; done | sed 's/$(EXEEXT)$$//'`; \
 	echo " rm -f" $$list; \
 	rm -f $$list
-stroke$(EXEEXT): $(stroke_OBJECTS) $(stroke_DEPENDENCIES) 
+stroke$(EXEEXT): $(stroke_OBJECTS) $(stroke_DEPENDENCIES) $(EXTRA_stroke_DEPENDENCIES) 
 	@rm -f stroke$(EXEEXT)
 	$(LINK) $(stroke_OBJECTS) $(stroke_LDADD) $(LIBS)
 
@@ -492,10 +495,15 @@ install-am: all-am
 
 installcheck: installcheck-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
diff --git a/src/stroke/stroke.c b/src/stroke/stroke.c
index 03890b517..e289296c1 100644
--- a/src/stroke/stroke.c
+++ b/src/stroke/stroke.c
@@ -144,6 +144,7 @@ static int add_connection(char *name,
 	msg.add_conn.mode = 1;
 	msg.add_conn.mobike = 1;
 	msg.add_conn.dpd.action = 1;
+	msg.add_conn.install_policy = 1;
 
 	msg.add_conn.me.id = push_string(&msg, my_id);
 	msg.add_conn.me.address = push_string(&msg, my_addr);
@@ -265,6 +266,7 @@ static int list_flags[] = {
 	LIST_OCSP,
 	LIST_ALGS,
 	LIST_PLUGINS,
+	LIST_COUNTERS,
 	LIST_ALL
 };
 
@@ -363,7 +365,6 @@ static int user_credentials(char *name, char *user, char *pass)
 	return send_stroke_msg(&msg);
 }
 
-
 static int set_loglevel(char *type, u_int level)
 {
 	stroke_msg_t msg;
@@ -389,7 +390,7 @@ static void exit_usage(char *error)
 	printf("Usage:\n");
 	printf("  Add a connection:\n");
 	printf("    stroke add NAME MY_ID OTHER_ID MY_ADDR OTHER_ADDR\\\n");
-	printf("           MY_NET OTHER_NET MY_NETBITS OTHER_NETBITS\n");
+	printf("           MY_NET OTHER_NET\n");
 	printf("    where: ID is any IKEv2 ID \n");
 	printf("           ADDR is a IPv4 address\n");
 	printf("           NET is a IPv4 subnet in CIDR notation\n");
@@ -418,7 +419,7 @@ static void exit_usage(char *error)
 	printf("  Show list of authority and attribute certificates:\n");
 	printf("    stroke listcacerts|listocspcerts|listaacerts|listacerts\n");
 	printf("  Show list of end entity certificates, ca info records  and crls:\n");
-	printf("    stroke listcerts|listcainfos|listcrls|listall\n");
+	printf("    stroke listcerts|listcainfos|listcrls|listcounters|listall\n");
 	printf("  Show list of supported algorithms:\n");
 	printf("    stroke listalgs\n");
 	printf("  Reload authority and attribute certificates:\n");
@@ -470,7 +471,7 @@ int main(int argc, char *argv[])
 	switch (token->kw)
 	{
 		case STROKE_ADD:
-			if (argc < 11)
+			if (argc < 9)
 			{
 				exit_usage("\"add\" needs more parameters...");
 			}
@@ -552,6 +553,7 @@ int main(int argc, char *argv[])
 		case STROKE_LIST_OCSP:
 		case STROKE_LIST_ALGS:
 		case STROKE_LIST_PLUGINS:
+		case STROKE_LIST_COUNTERS:
 		case STROKE_LIST_ALL:
 			res = list(token->kw, argc > 2 && strcmp(argv[2], "--utc") == 0);
 			break;
diff --git a/src/stroke/stroke_keywords.c b/src/stroke/stroke_keywords.c
index b5ca2e143..3f53b7fa8 100644
--- a/src/stroke/stroke_keywords.c
+++ b/src/stroke/stroke_keywords.c
@@ -54,12 +54,12 @@ struct stroke_token {
     stroke_keyword_t kw;
 };
 
-#define TOTAL_KEYWORDS 41
+#define TOTAL_KEYWORDS 42
 #define MIN_WORD_LENGTH 2
 #define MAX_WORD_LENGTH 15
-#define MIN_HASH_VALUE 2
-#define MAX_HASH_VALUE 44
-/* maximum key range = 43, duplicates = 0 */
+#define MIN_HASH_VALUE 4
+#define MAX_HASH_VALUE 49
+/* maximum key range = 46, duplicates = 0 */
 
 #ifdef __GNUC__
 __inline
@@ -75,32 +75,32 @@ hash (str, len)
 {
   static const unsigned char asso_values[] =
     {
-      45, 45, 45, 45, 45, 45, 45, 45, 45, 45,
-      45, 45, 45, 45, 45, 45, 45, 45, 45, 45,
-      45, 45, 45, 45, 45, 45, 45, 45, 45, 45,
-      45, 45, 45, 45, 45, 45, 45, 45, 45, 45,
-      45, 45, 45, 45, 45, 15, 45, 45, 45, 45,
-      45, 45, 45, 45, 45, 45, 45, 45, 45, 45,
-      45, 45, 45, 45, 45, 45, 45, 45, 45, 45,
-      45, 45, 45, 45, 45, 45, 45, 45, 45, 45,
-      45, 45, 45, 45, 45, 45, 45, 45, 45, 45,
-      45, 45, 45, 45, 45, 45, 45,  0, 30,  1,
-       1, 15, 45, 15, 45, 30, 45, 13,  0,  0,
-      45,  9,  3, 45,  6, 18,  1,  0, 45, 45,
-       5,  0, 45, 45, 45, 45, 45, 45, 45, 45,
-      45, 45, 45, 45, 45, 45, 45, 45, 45, 45,
-      45, 45, 45, 45, 45, 45, 45, 45, 45, 45,
-      45, 45, 45, 45, 45, 45, 45, 45, 45, 45,
-      45, 45, 45, 45, 45, 45, 45, 45, 45, 45,
-      45, 45, 45, 45, 45, 45, 45, 45, 45, 45,
-      45, 45, 45, 45, 45, 45, 45, 45, 45, 45,
-      45, 45, 45, 45, 45, 45, 45, 45, 45, 45,
-      45, 45, 45, 45, 45, 45, 45, 45, 45, 45,
-      45, 45, 45, 45, 45, 45, 45, 45, 45, 45,
-      45, 45, 45, 45, 45, 45, 45, 45, 45, 45,
-      45, 45, 45, 45, 45, 45, 45, 45, 45, 45,
-      45, 45, 45, 45, 45, 45, 45, 45, 45, 45,
-      45, 45, 45, 45, 45, 45
+      50, 50, 50, 50, 50, 50, 50, 50, 50, 50,
+      50, 50, 50, 50, 50, 50, 50, 50, 50, 50,
+      50, 50, 50, 50, 50, 50, 50, 50, 50, 50,
+      50, 50, 50, 50, 50, 50, 50, 50, 50, 50,
+      50, 50, 50, 50, 50, 19, 50, 50, 50, 50,
+      50, 50, 50, 50, 50, 50, 50, 50, 50, 50,
+      50, 50, 50, 50, 50, 50, 50, 50, 50, 50,
+      50, 50, 50, 50, 50, 50, 50, 50, 50, 50,
+      50, 50, 50, 50, 50, 50, 50, 50, 50, 50,
+      50, 50, 50, 50, 50, 50, 50,  1, 12,  2,
+       2, 16, 50, 14, 50, 11, 50, 16,  1,  8,
+      50, 18,  7, 50,  6, 12,  1, 11, 50, 50,
+       4,  3, 50, 50, 50, 50, 50, 50, 50, 50,
+      50, 50, 50, 50, 50, 50, 50, 50, 50, 50,
+      50, 50, 50, 50, 50, 50, 50, 50, 50, 50,
+      50, 50, 50, 50, 50, 50, 50, 50, 50, 50,
+      50, 50, 50, 50, 50, 50, 50, 50, 50, 50,
+      50, 50, 50, 50, 50, 50, 50, 50, 50, 50,
+      50, 50, 50, 50, 50, 50, 50, 50, 50, 50,
+      50, 50, 50, 50, 50, 50, 50, 50, 50, 50,
+      50, 50, 50, 50, 50, 50, 50, 50, 50, 50,
+      50, 50, 50, 50, 50, 50, 50, 50, 50, 50,
+      50, 50, 50, 50, 50, 50, 50, 50, 50, 50,
+      50, 50, 50, 50, 50, 50, 50, 50, 50, 50,
+      50, 50, 50, 50, 50, 50, 50, 50, 50, 50,
+      50, 50, 50, 50, 50, 50
     };
   register int hval = len;
 
@@ -125,17 +125,16 @@ hash (str, len)
 
 static const struct stroke_token wordlist[] =
   {
-    {"up",              STROKE_UP},
     {"add",             STROKE_ADD},
     {"del",             STROKE_DEL},
     {"down",            STROKE_DOWN},
-    {"listall",         STROKE_LIST_ALL},
     {"delete",          STROKE_DELETE},
+    {"listall",         STROKE_LIST_ALL},
     {"listcrls",        STROKE_LIST_CRLS},
+    {"up",              STROKE_UP},
     {"rekey",           STROKE_REKEY},
     {"listaacerts",     STROKE_LIST_AACERTS},
     {"listcacerts",     STROKE_LIST_CACERTS},
-    {"listplugins",     STROKE_LIST_PLUGINS},
     {"rereadall",       STROKE_REREAD_ALL},
     {"listcerts",       STROKE_LIST_CERTS},
     {"rereadcrls",      STROKE_REREAD_CRLS},
@@ -143,37 +142,39 @@ static const struct stroke_token wordlist[] =
     {"rereadaacerts",   STROKE_REREAD_AACERTS},
     {"rereadcacerts",   STROKE_REREAD_CACERTS},
     {"leases",          STROKE_LEASES},
-    {"unroute",         STROKE_UNROUTE},
     {"listalgs",        STROKE_LIST_ALGS},
-    {"status",          STROKE_STATUS},
-    {"listacerts",      STROKE_LIST_ACERTS},
+    {"listcainfos",     STROKE_LIST_CAINFOS},
+    {"listcounters",    STROKE_LIST_COUNTERS},
     {"route",           STROKE_ROUTE},
+    {"listacerts",      STROKE_LIST_ACERTS},
+    {"status",          STROKE_STATUS},
+    {"listplugins",     STROKE_LIST_PLUGINS},
+    {"listpubkeys",     STROKE_LIST_PUBKEYS},
+    {"rereadsecrets",   STROKE_REREAD_SECRETS},
     {"statusall",       STROKE_STATUSALL},
     {"purgeocsp",       STROKE_PURGE_OCSP},
     {"statusallnb",     STROKE_STATUSALL_NOBLK},
-    {"rereadocspcerts", STROKE_REREAD_OCSPCERTS},
-    {"user-creds",      STROKE_USER_CREDS},
+    {"exportx509",      STROKE_EXPORT_X509},
     {"down-srcip",      STROKE_DOWN_SRCIP},
     {"purgecrls",       STROKE_PURGE_CRLS},
-    {"listgroups",      STROKE_LIST_GROUPS},
     {"listocsp",        STROKE_LIST_OCSP},
-    {"exportx509",      STROKE_EXPORT_X509},
-    {"rereadsecrets",   STROKE_REREAD_SECRETS},
+    {"rereadocspcerts", STROKE_REREAD_OCSPCERTS},
     {"loglevel",        STROKE_LOGLEVEL},
-    {"purgeike",        STROKE_PURGE_IKE},
-    {"listocspcerts",   STROKE_LIST_OCSPCERTS},
     {"memusage",        STROKE_MEMUSAGE},
-    {"listcainfos",     STROKE_LIST_CAINFOS},
-    {"purgecerts",      STROKE_PURGE_CERTS},
-    {"listpubkeys",     STROKE_LIST_PUBKEYS}
+    {"listgroups",      STROKE_LIST_GROUPS},
+    {"listocspcerts",   STROKE_LIST_OCSPCERTS},
+    {"unroute",         STROKE_UNROUTE},
+    {"user-creds",      STROKE_USER_CREDS},
+    {"purgeike",        STROKE_PURGE_IKE},
+    {"purgecerts",      STROKE_PURGE_CERTS}
   };
 
 static const short lookup[] =
   {
-    -1, -1,  0,  1,  2,  3, -1,  4,  5,  6, -1,  7,  8,  9,
-    10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23,
-    24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37,
-    38, 39, 40
+    -1, -1, -1, -1,  0,  1,  2, -1, -1,  3,  4, -1,  5,  6,
+     7,  8,  9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20,
+    21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34,
+    35, 36, 37, 38, 39, 40, -1, 41
   };
 
 #ifdef __GNUC__
diff --git a/src/stroke/stroke_keywords.h b/src/stroke/stroke_keywords.h
index 554d071f3..0ad87b705 100644
--- a/src/stroke/stroke_keywords.h
+++ b/src/stroke/stroke_keywords.h
@@ -42,6 +42,7 @@ typedef enum {
 	STROKE_LIST_OCSP,
 	STROKE_LIST_ALGS,
 	STROKE_LIST_PLUGINS,
+	STROKE_LIST_COUNTERS,
 	STROKE_LIST_ALL,
 	STROKE_REREAD_SECRETS,
 	STROKE_REREAD_CACERTS,
diff --git a/src/stroke/stroke_keywords.txt b/src/stroke/stroke_keywords.txt
index 1d7ab8a45..95b2981d9 100644
--- a/src/stroke/stroke_keywords.txt
+++ b/src/stroke/stroke_keywords.txt
@@ -49,6 +49,7 @@ listcrls,        STROKE_LIST_CRLS
 listocsp,        STROKE_LIST_OCSP
 listalgs,        STROKE_LIST_ALGS
 listplugins,     STROKE_LIST_PLUGINS
+listcounters,    STROKE_LIST_COUNTERS
 listall,         STROKE_LIST_ALL
 rereadsecrets,   STROKE_REREAD_SECRETS
 rereadcacerts,   STROKE_REREAD_CACERTS
diff --git a/src/stroke/stroke_msg.h b/src/stroke/stroke_msg.h
index 662feed69..e972a5984 100644
--- a/src/stroke/stroke_msg.h
+++ b/src/stroke/stroke_msg.h
@@ -67,8 +67,10 @@ enum list_flag_t {
 	LIST_ALGS =			0x0400,
 	/** list plugin information */
 	LIST_PLUGINS =		0x0800,
+	/** list IKE counters */
+	LIST_COUNTERS =		0x1000,
 	/** all list options */
-	LIST_ALL =			0x0FFF,
+	LIST_ALL =			0x1FFF,
 };
 
 typedef enum reread_flag_t reread_flag_t;
@@ -252,6 +254,7 @@ struct stroke_msg_t {
 			int mobike;
 			int aggressive;
 			int force_encap;
+			int fragmentation;
 			int ipcomp;
 			time_t inactivity;
 			int proxy_mode;
diff --git a/testing/INSTALL b/testing/INSTALL
deleted file mode 100644
index bb4272eaf..000000000
--- a/testing/INSTALL
+++ /dev/null
@@ -1,145 +0,0 @@
-
-                 -------------------------------
-	          strongSwan UML - Installation
-                 -------------------------------
-
-
-Contents
---------
-
-   1. Making the host system UML-capable
-   2. Installing the required files
-   3. Creating the UML testing environment
-
-
-1. Making the host system UML-capable
-   ----------------------------------
-
-   UML instances can be run on both Linux 2.4 and Linux 2.6 kernels.
-   If you are using a vanilla kernel from kernel.org then you must first
-   apply the host SKAS patch available from
-
-    http://www.user-mode-linux.org/~blaisorblade/patches/
-
-   and recompile and reboot your host kernel. Some Linux distributions as e.g.
-   SuSE already include the SKAS patch in their kernels.
-
-   You will also need the UML utilities (uml_mconsole and uml_switch)
-   available from
-
-   http://prdownloads.sourceforge.net/user-mode-linux/uml_utilities_20040406.tar.bz2
-
-   Many Linux distributions offer the UML utilities as a package.
-
-
-2. Installing the required files
-   -----------------------------
-
-First create a directory where you want the strongSwan UML testing environment
-to be located.The default directory is "~/strongswan-testing". If you choose a
-different location, please adapt the UMLTESTDIR variable in "testing.conf"
-accordingly.
-
-    mkdir ~/strongswan-testing
-
-Now copy the "testing" subdirectory coming with the strongSwan distribution to
-the UML testing environment:
-
-    cp -r testing ~/strongswan-testing
-   
-Next you need to copy several files into the ~/strongswan-testing directory that
-are required for the strongSwan testing environment:
-
-    * A vanilla Linux kernel on which the UML kernel will be based on.
-      We recommend the use of
-
-      http://www.kernel.org/pub/linux/kernel/v2.6/linux-2.6.36.tar.bz2
-
-    * The Linux kernel 2.6.36 does not require any patches for the uml guest kernel
-      to successfully start up.
-
-    * The matching .config file required to compile the UML kernel:
-
-      http://download.strongswan.org/uml/.config-2.6.36
-
-    * A gentoo-based UML file system (compressed size 130 MBytes) found at
-
-      http://download.strongswan.org/uml/gentoo-fs-20100830.tar.bz2
-
-    * The latest strongSwan distribution
-
-      http://download.strongswan.org/strongswan-4.5.1.tar.bz2
-
-
-3. Creating the environment
-   ------------------------
-
-Now change into the testing subdirectory
-
-    cd ~/strongswan-testing/testing
-
-and make the UML testing environment:
-
-    ./make-testing <hosts>
-
-The "make-testing" script calls a series of subscripts which can be
-enabled or disabled individually by setting the corresponding flags
-in "testing.conf":
-
-    if [ $ENABLE_BUILD_UMLKERNEL = "yes" ]
-    then
-        scripts/build-umlkernel
-    fi
-
-builds an UML kernel out of the vanilla Linux kernel and the corresponding
-UML kernel patch.
-
-    if [ $ENABLE_BUILD_HOSTCONFIG = "yes" ]
-    then
-        scripts/build-hostconfig
-    fi
-
-generates the default configurations for the UML hosts alice, venus, moon,
-carol, winnetou, dave, sun, and bob by replacing the wildcards PH_IP_ALICE,
-etc. by the actual IP addresses defined in "testing.conf".
-
-    if [ $ENABLE_BUILD_UMLROOTFS = "yes" ]
-    then
-        scripts/build-umlrootfs
-    fi
-
-takes the gentoo-based UML file system and compiles the latest strongSwan
-distribution into it.
-
-    if [ $ENABLE_BUILD_SSHKEYS = "yes" ]
-    then
-        scripts/build-sshkeys
-    fi
-
-adds the common RSA public key of the UML instances to your ~/.ssh/known_hosts
-directory so that you can log onto the UML instances using ssh without typing
-in a password. The "scripts/build-sshkeys" script should only be run once.
-
-    if [ $ENABLE_BUILD_UMLHOSTFS = "yes" ]
-    then
-        scripts/build-umlhostfs <hosts>
-    fi
-
-creates the customized UML file systems for the instances given as command line 
-arguments by adding the default host configurations to the UML root file system.
-If the "make-starting" scripts is called without any arguments then by default
-the UML file systems are created for the hosts alice, venus, moon, carol,
-winnetou, dave, sun, and bob. Each UML root file system has as size defined by
-the ROOTFSSIZE in testing.conf which by default is 544 MBytes. Thus all 8 UML
-hosts plus the master copy will require a total of 5 GBytes of disk space.
-
-    if [ $ENABLE_START_TESTING = "yes" ]
-    then
-       ./start-testing <hosts>
-    fi
-
-starts the automated testing. More details on the tests you'll find in the
-README document.
-
------------------------------------------------------------------------------
-
diff --git a/testing/Makefile.am b/testing/Makefile.am
index 2aa7d70bc..305bf7f72 100644
--- a/testing/Makefile.am
+++ b/testing/Makefile.am
@@ -1,11 +1,4 @@
-noinst_SCRIPTS = do-tests
-CLEANFILES = do-tests
-EXTRA_DIST = do-tests.in make-testing start-testing stop-testing \
-             testing.conf ssh_config hosts images scripts tests INSTALL README
-
-do-tests : do-tests.in
-	sed \
-	-e "s:\@routing_table\@:$(routing_table):" \
-	$(srcdir)/$@.in > $@
-	chmod +x $@
+EXTRA_DIST = do-tests make-testing start-testing stop-testing \
+             testing.conf ssh_config config hosts images scripts tests \
+			 README
 
diff --git a/testing/Makefile.in b/testing/Makefile.in
index d37e9ec73..0f7ada07d 100644
--- a/testing/Makefile.in
+++ b/testing/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -14,7 +14,6 @@
 # PARTICULAR PURPOSE.
 
 @SET_MAKE@
-
 VPATH = @srcdir@
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
@@ -35,8 +34,7 @@ POST_UNINSTALL = :
 build_triplet = @build@
 host_triplet = @host@
 subdir = testing
-DIST_COMMON = README $(srcdir)/Makefile.am $(srcdir)/Makefile.in \
-	INSTALL
+DIST_COMMON = README $(srcdir)/Makefile.am $(srcdir)/Makefile.in
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
 am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/config/ltoptions.m4 \
@@ -53,7 +51,6 @@ mkinstalldirs = $(install_sh) -d
 CONFIG_HEADER = $(top_builddir)/config.h
 CONFIG_CLEAN_FILES =
 CONFIG_CLEAN_VPATH_FILES =
-SCRIPTS = $(noinst_SCRIPTS)
 SOURCES =
 DIST_SOURCES =
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
@@ -76,6 +73,7 @@ CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -103,6 +101,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -130,6 +129,7 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
@@ -142,6 +142,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -195,7 +196,6 @@ libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -242,10 +242,9 @@ top_srcdir = @top_srcdir@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-noinst_SCRIPTS = do-tests
-CLEANFILES = do-tests
-EXTRA_DIST = do-tests.in make-testing start-testing stop-testing \
-             testing.conf ssh_config hosts images scripts tests INSTALL README
+EXTRA_DIST = do-tests make-testing start-testing stop-testing \
+             testing.conf ssh_config config hosts images scripts tests \
+			 README
 
 all: all-am
 
@@ -325,7 +324,7 @@ distdir: $(DISTFILES)
 	done
 check-am: all-am
 check: check-am
-all-am: Makefile $(SCRIPTS)
+all-am: Makefile
 installdirs:
 install: install-am
 install-exec: install-exec-am
@@ -337,14 +336,18 @@ install-am: all-am
 
 installcheck: installcheck-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
-	-test -z "$(CLEANFILES)" || rm -f $(CLEANFILES)
 
 distclean-generic:
 	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
@@ -433,12 +436,6 @@ uninstall-am:
 	mostlyclean-libtool pdf pdf-am ps ps-am uninstall uninstall-am
 
 
-do-tests : do-tests.in
-	sed \
-	-e "s:\@routing_table\@:$(routing_table):" \
-	$(srcdir)/$@.in > $@
-	chmod +x $@
-
 # Tell versions [3.59,3.63) of GNU make to not export all variables.
 # Otherwise a system limit (for SysV at least) may be exceeded.
 .NOEXPORT:
diff --git a/testing/README b/testing/README
index 097b4264d..a62497269 100644
--- a/testing/README
+++ b/testing/README
@@ -1,158 +1,88 @@
 
-                 ------------------------------------
-	          strongSwan UML - Running the Tests
-                 ------------------------------------
+                 ------------------------------
+                  strongSwan Integration Tests
+                 ------------------------------
 
 
 Contents
 --------
 
-   1. Starting up the UML testing environment
-   2. Running the automated tests
-   3. Manual testing
+   1. Building the testing environment
+   2. Starting up the testing environment
+   3. Running the automated tests
+   4. Manual testing
 
 
-1. Starting up the UML testing environment
-   ---------------------------------------
-  
-When the strongSwan UML testing environment has been put into place by
-running the "make-testing" script then you are ready to start up the
-UML instances by calling
+1. Building the testing environment
+   --------------------------------
 
-    ./start-testing <hosts>
-    
-This main script first calls the subscript
+The testing environment can be built with the "make-testing" script after
+adjusting the variables in the testing.conf file.  By default everything is
+built when executing the script.  Setting any of the ENABLE_BUILD_* variables
+in the configuration file to "no" will not build those parts.
 
-    scripts/start-switches
 
-that starts the three UML switches umlswitch0, umlswitch1, and umlswitch2
-which are connecting the UML instances among each other and via tun/tap
-devices also make them accessible from the host system.
-      
-Then depending on the setting of the UMLSTARTMODE variable defined
-in "testing.conf", the UML instances given on the command line are started
-up with different terminals:
+2. Starting up the testing environment
+   -----------------------------------
 
-If you are running the KDE graphical environment then by setting
+When the strongSwan testing environment has been put into place by running
+the "make-testing" script you are ready to start up the KVM instances by
+executing the "start-testing" script.
 
-    UMLSTARTMODE=konsole
-    
-the script
 
-    scripts/kstart-umls <hosts>
-     
-is called which starts up each of the UML instances defined by <hosts> in
-a KDE konsole. If
-
-    UMLSTARTMODE=xterm
-
-is set then
- 
-    scripts/xstart-umls <hosts>
-    
-starts up the UML instances in an xterm each. And with the choice
-
-    UMLSTARTMODE=screen
-   
-the instances are started up by
-
-    scripts/start-umls <hosts>
-    
-in the background but the Linux command "screen -r <host>" can be used to
-connect a terminal to the UML instance <host> if desired.
-
-
-    if [ $ENABLE_DO_TESTS = "yes" ]
-    then
-        do-tests
-    fi
-
-either executes all the tests defined in the "testing/tests" directory
-if the variable SELECTEDTESTSONLY in "testing.conf" is set to "no" or the
-selected tests defined by the string in SELELECTEDTESTS if SELECTEDTESTSONLY
-is set to "yes".
-
-    if [ $ENABLE_STOP_TESTING = "yes" ]
-    then
-        stop-testing <hosts>
-    fi
-
-stops the both the UML switches and the UML instances designated by the
-<hosts> argument.
-
-
-2. Running the automated tests
+3. Running the automated tests
    ---------------------------
 
 The script
 
     ./do-tests <testnames>
 
-runs the automated tests. With an empty <testnames> argument the tests
-as defined in "testing.conf" are executed, otherwise the tests enumerated
-by the <testnames> argument will be run as shown in the example below.
+runs the automated tests.  If the <testnames> argument is omitted all tests
+are executed, otherwise only the tests listed will be run as shown in the
+example below:
 
-    ./do-tests net2net-psk net2net-cert
+    ./do-tests ikev2/net2net-psk ikev2/net2net-cert
 
 Each test is divided into the following phases:
 
-    * scripts/load-testconfig <testname>
-      loads the UML hosts with test specific settings if such are provided.
-      
-    * next the "pretest.dat" script found in each test directory is executed.
-      Among other commands, strongSwan is started on the IPsec hosts.
+    * Load the test-specific guest configuration if any is provided.
 
-    * the "evaltest.dat" script evaluates if the test has been successful.
-      
-    * the "posttest.dat" script terminates the test e.g. by stopping
-      strongSwan on the IPsec hosts.
+    * Next the "pretest.dat" script found in each test directory is executed.
+      Among other commands, strongSwan is started on the IPsec hosts.
 
-    * scripts/restore-defaults <testname>
-      restores the default settings on the UML hosts.
+    * The "evaltest.dat" script evaluates if the test has been successful.
 
-The test results and configuration settings for all tests settings are stored
-in a folder labeled with the current date in the directory
-  
-    ~/strongswan-testing/testresults
-     
-the same results are also automatically transferred to the Apache server
-running on UML instance "winnetou" and can be accessed via the URL
+    * The "posttest.dat" script terminates the test e.g. by stopping
+      strongSwan on the IPsec hosts.  It is also responsible to cleaning up
+      things (e.g. firewall rules) set up in "pretest.dat".
 
-    http://192.168.0.150/testresults/
+    * Restore the default configuration on every host (new files have to be
+      deleted manually in "posttest.dat").
 
+The test results and configuration files for all tests are stored in a
+folder labeled with the current date and time in the $TESTRESULTSDIR directory.
 
-3. Manual testing
-   --------------
-   
-The greates flexibility can be achieved with manual testing. Just set
-   
-    ENABLE_DO_TESTS="no"
-    ENABLE_STOP_TESTING="no"
-       
-in "testing.conf" and start the UML instances that you want to experiment with
-by calling
+The same results are also automatically transferred to the Apache server
+running on guest "winnetou" and can be accessed via the URL
 
-    ./start-testing <hosts>
-    
-If you want to preload a test scenario with configurations differing from
-the default values, e.g. when using Preshared Keys then you can do this
-with the command
+    http://192.168.0.150/testresults/
 
-    scripts/load-testconfig net2net-psk
-    
-You can then log onto any UML instance using its konsole, xterm or screen
-terminal as root with the default password
 
-    tuxmux
-    
-You can then execute any commands the UML instances, including changing
-and recompiling the strongSwan source code located in the /root directory.
+4. Manual testing
+   --------------
 
-After you have finished testing, the default configuration settings can
-restored with the command
+Instead of running tests automatically with "do-tests" it is possible to
+preload a test scenario with the script:
 
-    scripts/restore-defaults net2net-psk
+    scripts/load-testconfig <testname>
 
+Individual configuration files can be changed and any command can be executed by
+logging into a guest host directly (via SSH or a console window).  No password
+is required to login as root.  The sources for every software built during
+"make-testing" are mounted at /root/shared/, which allows you to change and
+recompile these components.
 
------------------------------------------------------------------------------
+After you have finished testing, the default configuration can be restored
+with the following command (newly created files have to be deleted manually)
 
+    scripts/restore-defaults
diff --git a/testing/config/kernel/config-3.5 b/testing/config/kernel/config-3.5
new file mode 100644
index 000000000..9494331eb
--- /dev/null
+++ b/testing/config/kernel/config-3.5
@@ -0,0 +1,1817 @@
+#
+# Automatically generated file; DO NOT EDIT.
+# Linux/x86_64 3.5.3 Kernel Configuration
+#
+CONFIG_64BIT=y
+# CONFIG_X86_32 is not set
+CONFIG_X86_64=y
+CONFIG_X86=y
+CONFIG_INSTRUCTION_DECODER=y
+CONFIG_OUTPUT_FORMAT="elf64-x86-64"
+CONFIG_ARCH_DEFCONFIG="arch/x86/configs/x86_64_defconfig"
+CONFIG_LOCKDEP_SUPPORT=y
+CONFIG_STACKTRACE_SUPPORT=y
+CONFIG_HAVE_LATENCYTOP_SUPPORT=y
+CONFIG_MMU=y
+CONFIG_NEED_DMA_MAP_STATE=y
+CONFIG_NEED_SG_DMA_LENGTH=y
+CONFIG_GENERIC_ISA_DMA=y
+CONFIG_GENERIC_BUG=y
+CONFIG_GENERIC_BUG_RELATIVE_POINTERS=y
+CONFIG_GENERIC_HWEIGHT=y
+CONFIG_ARCH_MAY_HAVE_PC_FDC=y
+# CONFIG_RWSEM_GENERIC_SPINLOCK is not set
+CONFIG_RWSEM_XCHGADD_ALGORITHM=y
+CONFIG_GENERIC_CALIBRATE_DELAY=y
+CONFIG_ARCH_HAS_CPU_RELAX=y
+CONFIG_ARCH_HAS_DEFAULT_IDLE=y
+CONFIG_ARCH_HAS_CACHE_LINE_SIZE=y
+CONFIG_ARCH_HAS_CPU_AUTOPROBE=y
+CONFIG_HAVE_SETUP_PER_CPU_AREA=y
+CONFIG_NEED_PER_CPU_EMBED_FIRST_CHUNK=y
+CONFIG_NEED_PER_CPU_PAGE_FIRST_CHUNK=y
+CONFIG_ARCH_HIBERNATION_POSSIBLE=y
+CONFIG_ARCH_SUSPEND_POSSIBLE=y
+CONFIG_ZONE_DMA32=y
+CONFIG_AUDIT_ARCH=y
+CONFIG_ARCH_SUPPORTS_OPTIMIZED_INLINING=y
+CONFIG_ARCH_SUPPORTS_DEBUG_PAGEALLOC=y
+CONFIG_ARCH_HWEIGHT_CFLAGS="-fcall-saved-rdi -fcall-saved-rsi -fcall-saved-rdx -fcall-saved-rcx -fcall-saved-r8 -fcall-saved-r9 -fcall-saved-r10 -fcall-saved-r11"
+CONFIG_ARCH_SUPPORTS_UPROBES=y
+CONFIG_DEFCONFIG_LIST="/lib/modules/$UNAME_RELEASE/.config"
+CONFIG_HAVE_IRQ_WORK=y
+CONFIG_IRQ_WORK=y
+CONFIG_BUILDTIME_EXTABLE_SORT=y
+
+#
+# General setup
+#
+CONFIG_EXPERIMENTAL=y
+CONFIG_BROKEN_ON_SMP=y
+CONFIG_INIT_ENV_ARG_LIMIT=32
+CONFIG_CROSS_COMPILE=""
+CONFIG_LOCALVERSION=""
+CONFIG_LOCALVERSION_AUTO=y
+CONFIG_HAVE_KERNEL_GZIP=y
+CONFIG_HAVE_KERNEL_BZIP2=y
+CONFIG_HAVE_KERNEL_LZMA=y
+CONFIG_HAVE_KERNEL_XZ=y
+CONFIG_HAVE_KERNEL_LZO=y
+CONFIG_KERNEL_GZIP=y
+# CONFIG_KERNEL_BZIP2 is not set
+# CONFIG_KERNEL_LZMA is not set
+# CONFIG_KERNEL_XZ is not set
+# CONFIG_KERNEL_LZO is not set
+CONFIG_DEFAULT_HOSTNAME="(none)"
+CONFIG_SWAP=y
+CONFIG_SYSVIPC=y
+CONFIG_SYSVIPC_SYSCTL=y
+CONFIG_POSIX_MQUEUE=y
+CONFIG_POSIX_MQUEUE_SYSCTL=y
+CONFIG_BSD_PROCESS_ACCT=y
+# CONFIG_BSD_PROCESS_ACCT_V3 is not set
+# CONFIG_FHANDLE is not set
+# CONFIG_TASKSTATS is not set
+# CONFIG_AUDIT is not set
+CONFIG_HAVE_GENERIC_HARDIRQS=y
+
+#
+# IRQ subsystem
+#
+CONFIG_GENERIC_HARDIRQS=y
+CONFIG_GENERIC_IRQ_PROBE=y
+CONFIG_GENERIC_IRQ_SHOW=y
+CONFIG_IRQ_FORCED_THREADING=y
+CONFIG_SPARSE_IRQ=y
+CONFIG_CLOCKSOURCE_WATCHDOG=y
+CONFIG_ARCH_CLOCKSOURCE_DATA=y
+CONFIG_GENERIC_TIME_VSYSCALL=y
+CONFIG_GENERIC_CLOCKEVENTS=y
+CONFIG_GENERIC_CLOCKEVENTS_BUILD=y
+CONFIG_GENERIC_CLOCKEVENTS_BROADCAST=y
+CONFIG_GENERIC_CLOCKEVENTS_MIN_ADJUST=y
+CONFIG_GENERIC_CMOS_UPDATE=y
+
+#
+# Timers subsystem
+#
+CONFIG_TICK_ONESHOT=y
+CONFIG_NO_HZ=y
+CONFIG_HIGH_RES_TIMERS=y
+
+#
+# RCU Subsystem
+#
+CONFIG_TINY_RCU=y
+# CONFIG_PREEMPT_RCU is not set
+# CONFIG_TREE_RCU_TRACE is not set
+CONFIG_IKCONFIG=y
+CONFIG_IKCONFIG_PROC=y
+CONFIG_LOG_BUF_SHIFT=14
+CONFIG_HAVE_UNSTABLE_SCHED_CLOCK=y
+# CONFIG_CGROUPS is not set
+# CONFIG_CHECKPOINT_RESTORE is not set
+CONFIG_NAMESPACES=y
+# CONFIG_UTS_NS is not set
+# CONFIG_IPC_NS is not set
+# CONFIG_PID_NS is not set
+# CONFIG_NET_NS is not set
+# CONFIG_SCHED_AUTOGROUP is not set
+# CONFIG_SYSFS_DEPRECATED is not set
+# CONFIG_RELAY is not set
+# CONFIG_BLK_DEV_INITRD is not set
+CONFIG_CC_OPTIMIZE_FOR_SIZE=y
+CONFIG_SYSCTL=y
+CONFIG_ANON_INODES=y
+# CONFIG_EXPERT is not set
+# CONFIG_SYSCTL_SYSCALL is not set
+CONFIG_KALLSYMS=y
+# CONFIG_KALLSYMS_ALL is not set
+CONFIG_HOTPLUG=y
+CONFIG_PRINTK=y
+CONFIG_BUG=y
+CONFIG_ELF_CORE=y
+CONFIG_PCSPKR_PLATFORM=y
+CONFIG_HAVE_PCSPKR_PLATFORM=y
+CONFIG_BASE_FULL=y
+CONFIG_FUTEX=y
+CONFIG_EPOLL=y
+CONFIG_SIGNALFD=y
+CONFIG_TIMERFD=y
+CONFIG_EVENTFD=y
+CONFIG_SHMEM=y
+CONFIG_AIO=y
+# CONFIG_EMBEDDED is not set
+CONFIG_HAVE_PERF_EVENTS=y
+
+#
+# Kernel Performance Events And Counters
+#
+CONFIG_PERF_EVENTS=y
+# CONFIG_DEBUG_PERF_USE_VMALLOC is not set
+CONFIG_VM_EVENT_COUNTERS=y
+CONFIG_PCI_QUIRKS=y
+CONFIG_COMPAT_BRK=y
+CONFIG_SLAB=y
+# CONFIG_SLUB is not set
+# CONFIG_PROFILING is not set
+CONFIG_HAVE_OPROFILE=y
+CONFIG_OPROFILE_NMI_TIMER=y
+# CONFIG_JUMP_LABEL is not set
+CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS=y
+CONFIG_HAVE_IOREMAP_PROT=y
+CONFIG_HAVE_KPROBES=y
+CONFIG_HAVE_KRETPROBES=y
+CONFIG_HAVE_OPTPROBES=y
+CONFIG_HAVE_ARCH_TRACEHOOK=y
+CONFIG_HAVE_DMA_ATTRS=y
+CONFIG_GENERIC_SMP_IDLE_THREAD=y
+CONFIG_HAVE_REGS_AND_STACK_ACCESS_API=y
+CONFIG_HAVE_DMA_API_DEBUG=y
+CONFIG_HAVE_HW_BREAKPOINT=y
+CONFIG_HAVE_MIXED_BREAKPOINTS_REGS=y
+CONFIG_HAVE_USER_RETURN_NOTIFIER=y
+CONFIG_HAVE_PERF_EVENTS_NMI=y
+CONFIG_HAVE_ARCH_JUMP_LABEL=y
+CONFIG_ARCH_HAVE_NMI_SAFE_CMPXCHG=y
+CONFIG_HAVE_CMPXCHG_LOCAL=y
+CONFIG_HAVE_CMPXCHG_DOUBLE=y
+CONFIG_HAVE_ARCH_SECCOMP_FILTER=y
+CONFIG_SECCOMP_FILTER=y
+
+#
+# GCOV-based kernel profiling
+#
+# CONFIG_HAVE_GENERIC_DMA_COHERENT is not set
+CONFIG_SLABINFO=y
+CONFIG_RT_MUTEXES=y
+CONFIG_BASE_SMALL=0
+# CONFIG_MODULES is not set
+CONFIG_BLOCK=y
+# CONFIG_BLK_DEV_BSG is not set
+# CONFIG_BLK_DEV_BSGLIB is not set
+# CONFIG_BLK_DEV_INTEGRITY is not set
+
+#
+# Partition Types
+#
+# CONFIG_PARTITION_ADVANCED is not set
+CONFIG_MSDOS_PARTITION=y
+
+#
+# IO Schedulers
+#
+CONFIG_IOSCHED_NOOP=y
+CONFIG_IOSCHED_DEADLINE=y
+CONFIG_IOSCHED_CFQ=y
+# CONFIG_DEFAULT_DEADLINE is not set
+CONFIG_DEFAULT_CFQ=y
+# CONFIG_DEFAULT_NOOP is not set
+CONFIG_DEFAULT_IOSCHED="cfq"
+# CONFIG_INLINE_SPIN_TRYLOCK is not set
+# CONFIG_INLINE_SPIN_TRYLOCK_BH is not set
+# CONFIG_INLINE_SPIN_LOCK is not set
+# CONFIG_INLINE_SPIN_LOCK_BH is not set
+# CONFIG_INLINE_SPIN_LOCK_IRQ is not set
+# CONFIG_INLINE_SPIN_LOCK_IRQSAVE is not set
+# CONFIG_INLINE_SPIN_UNLOCK_BH is not set
+CONFIG_INLINE_SPIN_UNLOCK_IRQ=y
+# CONFIG_INLINE_SPIN_UNLOCK_IRQRESTORE is not set
+# CONFIG_INLINE_READ_TRYLOCK is not set
+# CONFIG_INLINE_READ_LOCK is not set
+# CONFIG_INLINE_READ_LOCK_BH is not set
+# CONFIG_INLINE_READ_LOCK_IRQ is not set
+# CONFIG_INLINE_READ_LOCK_IRQSAVE is not set
+CONFIG_INLINE_READ_UNLOCK=y
+# CONFIG_INLINE_READ_UNLOCK_BH is not set
+CONFIG_INLINE_READ_UNLOCK_IRQ=y
+# CONFIG_INLINE_READ_UNLOCK_IRQRESTORE is not set
+# CONFIG_INLINE_WRITE_TRYLOCK is not set
+# CONFIG_INLINE_WRITE_LOCK is not set
+# CONFIG_INLINE_WRITE_LOCK_BH is not set
+# CONFIG_INLINE_WRITE_LOCK_IRQ is not set
+# CONFIG_INLINE_WRITE_LOCK_IRQSAVE is not set
+CONFIG_INLINE_WRITE_UNLOCK=y
+# CONFIG_INLINE_WRITE_UNLOCK_BH is not set
+CONFIG_INLINE_WRITE_UNLOCK_IRQ=y
+# CONFIG_INLINE_WRITE_UNLOCK_IRQRESTORE is not set
+# CONFIG_MUTEX_SPIN_ON_OWNER is not set
+CONFIG_FREEZER=y
+
+#
+# Processor type and features
+#
+CONFIG_ZONE_DMA=y
+# CONFIG_SMP is not set
+CONFIG_X86_MPPARSE=y
+CONFIG_X86_EXTENDED_PLATFORM=y
+CONFIG_SCHED_OMIT_FRAME_POINTER=y
+CONFIG_PARAVIRT_GUEST=y
+# CONFIG_PARAVIRT_TIME_ACCOUNTING is not set
+# CONFIG_XEN is not set
+# CONFIG_XEN_PRIVILEGED_GUEST is not set
+CONFIG_KVM_CLOCK=y
+CONFIG_KVM_GUEST=y
+CONFIG_PARAVIRT=y
+CONFIG_PARAVIRT_CLOCK=y
+# CONFIG_PARAVIRT_DEBUG is not set
+CONFIG_NO_BOOTMEM=y
+# CONFIG_MEMTEST is not set
+# CONFIG_MK8 is not set
+# CONFIG_MPSC is not set
+CONFIG_MCORE2=y
+# CONFIG_MATOM is not set
+# CONFIG_GENERIC_CPU is not set
+CONFIG_X86_INTERNODE_CACHE_SHIFT=6
+CONFIG_X86_CMPXCHG=y
+CONFIG_X86_L1_CACHE_SHIFT=6
+CONFIG_X86_XADD=y
+CONFIG_X86_WP_WORKS_OK=y
+CONFIG_X86_INTEL_USERCOPY=y
+CONFIG_X86_USE_PPRO_CHECKSUM=y
+CONFIG_X86_P6_NOP=y
+CONFIG_X86_TSC=y
+CONFIG_X86_CMPXCHG64=y
+CONFIG_X86_CMOV=y
+CONFIG_X86_MINIMUM_CPU_FAMILY=64
+CONFIG_X86_DEBUGCTLMSR=y
+CONFIG_CPU_SUP_INTEL=y
+CONFIG_CPU_SUP_AMD=y
+CONFIG_CPU_SUP_CENTAUR=y
+CONFIG_HPET_TIMER=y
+CONFIG_DMI=y
+CONFIG_GART_IOMMU=y
+# CONFIG_CALGARY_IOMMU is not set
+CONFIG_SWIOTLB=y
+CONFIG_IOMMU_HELPER=y
+CONFIG_NR_CPUS=1
+# CONFIG_IRQ_TIME_ACCOUNTING is not set
+CONFIG_PREEMPT_NONE=y
+# CONFIG_PREEMPT_VOLUNTARY is not set
+# CONFIG_PREEMPT is not set
+CONFIG_X86_LOCAL_APIC=y
+CONFIG_X86_IO_APIC=y
+# CONFIG_X86_REROUTE_FOR_BROKEN_BOOT_IRQS is not set
+# CONFIG_X86_MCE is not set
+# CONFIG_I8K is not set
+# CONFIG_MICROCODE is not set
+# CONFIG_X86_MSR is not set
+# CONFIG_X86_CPUID is not set
+CONFIG_ARCH_PHYS_ADDR_T_64BIT=y
+CONFIG_ARCH_DMA_ADDR_T_64BIT=y
+CONFIG_DIRECT_GBPAGES=y
+CONFIG_ARCH_SPARSEMEM_ENABLE=y
+CONFIG_ARCH_SPARSEMEM_DEFAULT=y
+CONFIG_ARCH_SELECT_MEMORY_MODEL=y
+CONFIG_ARCH_MEMORY_PROBE=y
+CONFIG_ARCH_PROC_KCORE_TEXT=y
+CONFIG_ILLEGAL_POINTER_VALUE=0xdead000000000000
+CONFIG_SELECT_MEMORY_MODEL=y
+CONFIG_SPARSEMEM_MANUAL=y
+CONFIG_SPARSEMEM=y
+CONFIG_HAVE_MEMORY_PRESENT=y
+CONFIG_SPARSEMEM_EXTREME=y
+CONFIG_SPARSEMEM_VMEMMAP_ENABLE=y
+CONFIG_SPARSEMEM_ALLOC_MEM_MAP_TOGETHER=y
+CONFIG_SPARSEMEM_VMEMMAP=y
+CONFIG_HAVE_MEMBLOCK=y
+CONFIG_HAVE_MEMBLOCK_NODE_MAP=y
+CONFIG_ARCH_DISCARD_MEMBLOCK=y
+CONFIG_MEMORY_HOTPLUG=y
+CONFIG_MEMORY_HOTPLUG_SPARSE=y
+CONFIG_MEMORY_HOTREMOVE=y
+CONFIG_PAGEFLAGS_EXTENDED=y
+CONFIG_SPLIT_PTLOCK_CPUS=4
+# CONFIG_COMPACTION is not set
+CONFIG_MIGRATION=y
+CONFIG_PHYS_ADDR_T_64BIT=y
+CONFIG_ZONE_DMA_FLAG=1
+CONFIG_BOUNCE=y
+CONFIG_VIRT_TO_BUS=y
+# CONFIG_KSM is not set
+CONFIG_DEFAULT_MMAP_MIN_ADDR=4096
+# CONFIG_TRANSPARENT_HUGEPAGE is not set
+CONFIG_CROSS_MEMORY_ATTACH=y
+CONFIG_NEED_PER_CPU_KM=y
+# CONFIG_CLEANCACHE is not set
+# CONFIG_FRONTSWAP is not set
+# CONFIG_X86_CHECK_BIOS_CORRUPTION is not set
+CONFIG_X86_RESERVE_LOW=64
+CONFIG_MTRR=y
+CONFIG_MTRR_SANITIZER=y
+CONFIG_MTRR_SANITIZER_ENABLE_DEFAULT=0
+CONFIG_MTRR_SANITIZER_SPARE_REG_NR_DEFAULT=1
+CONFIG_X86_PAT=y
+CONFIG_ARCH_USES_PG_UNCACHED=y
+CONFIG_ARCH_RANDOM=y
+# CONFIG_EFI is not set
+CONFIG_SECCOMP=y
+# CONFIG_CC_STACKPROTECTOR is not set
+# CONFIG_HZ_100 is not set
+CONFIG_HZ_250=y
+# CONFIG_HZ_300 is not set
+# CONFIG_HZ_1000 is not set
+CONFIG_HZ=250
+CONFIG_SCHED_HRTICK=y
+# CONFIG_KEXEC is not set
+# CONFIG_CRASH_DUMP is not set
+CONFIG_PHYSICAL_START=0x1000000
+CONFIG_RELOCATABLE=y
+CONFIG_PHYSICAL_ALIGN=0x1000000
+# CONFIG_CMDLINE_BOOL is not set
+CONFIG_ARCH_ENABLE_MEMORY_HOTPLUG=y
+CONFIG_ARCH_ENABLE_MEMORY_HOTREMOVE=y
+
+#
+# Power management and ACPI options
+#
+CONFIG_SUSPEND=y
+CONFIG_SUSPEND_FREEZER=y
+# CONFIG_HIBERNATION is not set
+CONFIG_PM_SLEEP=y
+# CONFIG_PM_AUTOSLEEP is not set
+# CONFIG_PM_WAKELOCKS is not set
+# CONFIG_PM_RUNTIME is not set
+CONFIG_PM=y
+# CONFIG_PM_DEBUG is not set
+CONFIG_ACPI=y
+CONFIG_ACPI_SLEEP=y
+# CONFIG_ACPI_PROCFS is not set
+# CONFIG_ACPI_PROCFS_POWER is not set
+# CONFIG_ACPI_EC_DEBUGFS is not set
+CONFIG_ACPI_PROC_EVENT=y
+CONFIG_ACPI_AC=y
+CONFIG_ACPI_BATTERY=y
+CONFIG_ACPI_BUTTON=y
+CONFIG_ACPI_FAN=y
+# CONFIG_ACPI_DOCK is not set
+CONFIG_ACPI_PROCESSOR=y
+# CONFIG_ACPI_PROCESSOR_AGGREGATOR is not set
+CONFIG_ACPI_THERMAL=y
+# CONFIG_ACPI_CUSTOM_DSDT is not set
+CONFIG_ACPI_BLACKLIST_YEAR=0
+# CONFIG_ACPI_DEBUG is not set
+# CONFIG_ACPI_PCI_SLOT is not set
+CONFIG_X86_PM_TIMER=y
+# CONFIG_ACPI_CONTAINER is not set
+# CONFIG_ACPI_HOTPLUG_MEMORY is not set
+# CONFIG_ACPI_SBS is not set
+# CONFIG_ACPI_HED is not set
+# CONFIG_ACPI_BGRT is not set
+# CONFIG_ACPI_APEI is not set
+# CONFIG_SFI is not set
+
+#
+# CPU Frequency scaling
+#
+# CONFIG_CPU_FREQ is not set
+CONFIG_CPU_IDLE=y
+CONFIG_CPU_IDLE_GOV_LADDER=y
+CONFIG_CPU_IDLE_GOV_MENU=y
+# CONFIG_INTEL_IDLE is not set
+
+#
+# Memory power savings
+#
+# CONFIG_I7300_IDLE is not set
+
+#
+# Bus options (PCI etc.)
+#
+CONFIG_PCI=y
+CONFIG_PCI_DIRECT=y
+# CONFIG_PCI_MMCONFIG is not set
+CONFIG_PCI_DOMAINS=y
+# CONFIG_PCI_CNB20LE_QUIRK is not set
+# CONFIG_PCIEPORTBUS is not set
+CONFIG_ARCH_SUPPORTS_MSI=y
+CONFIG_PCI_MSI=y
+# CONFIG_PCI_DEBUG is not set
+# CONFIG_PCI_REALLOC_ENABLE_AUTO is not set
+# CONFIG_PCI_STUB is not set
+CONFIG_HT_IRQ=y
+# CONFIG_PCI_IOV is not set
+# CONFIG_PCI_PRI is not set
+# CONFIG_PCI_PASID is not set
+# CONFIG_PCI_IOAPIC is not set
+CONFIG_PCI_LABEL=y
+CONFIG_ISA_DMA_API=y
+CONFIG_AMD_NB=y
+# CONFIG_PCCARD is not set
+# CONFIG_HOTPLUG_PCI is not set
+# CONFIG_RAPIDIO is not set
+
+#
+# Executable file formats / Emulations
+#
+CONFIG_BINFMT_ELF=y
+CONFIG_ARCH_BINFMT_ELF_RANDOMIZE_PIE=y
+# CONFIG_CORE_DUMP_DEFAULT_ELF_HEADERS is not set
+# CONFIG_HAVE_AOUT is not set
+# CONFIG_BINFMT_MISC is not set
+# CONFIG_IA32_EMULATION is not set
+# CONFIG_COMPAT_FOR_U64_ALIGNMENT is not set
+CONFIG_HAVE_TEXT_POKE_SMP=y
+CONFIG_X86_DEV_DMA_OPS=y
+CONFIG_NET=y
+
+#
+# Networking options
+#
+CONFIG_PACKET=y
+CONFIG_UNIX=y
+# CONFIG_UNIX_DIAG is not set
+CONFIG_XFRM=y
+CONFIG_XFRM_ALGO=y
+CONFIG_XFRM_USER=y
+CONFIG_XFRM_SUB_POLICY=y
+CONFIG_XFRM_MIGRATE=y
+CONFIG_XFRM_STATISTICS=y
+CONFIG_XFRM_IPCOMP=y
+CONFIG_NET_KEY=y
+CONFIG_NET_KEY_MIGRATE=y
+CONFIG_INET=y
+# CONFIG_IP_MULTICAST is not set
+CONFIG_IP_ADVANCED_ROUTER=y
+# CONFIG_IP_FIB_TRIE_STATS is not set
+CONFIG_IP_MULTIPLE_TABLES=y
+# CONFIG_IP_ROUTE_MULTIPATH is not set
+# CONFIG_IP_ROUTE_VERBOSE is not set
+CONFIG_IP_ROUTE_CLASSID=y
+# CONFIG_IP_PNP is not set
+# CONFIG_NET_IPIP is not set
+# CONFIG_NET_IPGRE_DEMUX is not set
+# CONFIG_ARPD is not set
+# CONFIG_SYN_COOKIES is not set
+CONFIG_INET_AH=y
+CONFIG_INET_ESP=y
+CONFIG_INET_IPCOMP=y
+CONFIG_INET_XFRM_TUNNEL=y
+CONFIG_INET_TUNNEL=y
+CONFIG_INET_XFRM_MODE_TRANSPORT=y
+CONFIG_INET_XFRM_MODE_TUNNEL=y
+CONFIG_INET_XFRM_MODE_BEET=y
+# CONFIG_INET_LRO is not set
+CONFIG_INET_DIAG=y
+CONFIG_INET_TCP_DIAG=y
+# CONFIG_INET_UDP_DIAG is not set
+# CONFIG_TCP_CONG_ADVANCED is not set
+CONFIG_TCP_CONG_CUBIC=y
+CONFIG_DEFAULT_TCP_CONG="cubic"
+# CONFIG_TCP_MD5SIG is not set
+CONFIG_IPV6=y
+# CONFIG_IPV6_PRIVACY is not set
+# CONFIG_IPV6_ROUTER_PREF is not set
+CONFIG_IPV6_OPTIMISTIC_DAD=y
+CONFIG_INET6_AH=y
+CONFIG_INET6_ESP=y
+CONFIG_INET6_IPCOMP=y
+CONFIG_IPV6_MIP6=y
+CONFIG_INET6_XFRM_TUNNEL=y
+CONFIG_INET6_TUNNEL=y
+CONFIG_INET6_XFRM_MODE_TRANSPORT=y
+CONFIG_INET6_XFRM_MODE_TUNNEL=y
+CONFIG_INET6_XFRM_MODE_BEET=y
+# CONFIG_INET6_XFRM_MODE_ROUTEOPTIMIZATION is not set
+# CONFIG_IPV6_SIT is not set
+# CONFIG_IPV6_TUNNEL is not set
+CONFIG_IPV6_MULTIPLE_TABLES=y
+CONFIG_IPV6_SUBTREES=y
+# CONFIG_IPV6_MROUTE is not set
+# CONFIG_NETWORK_SECMARK is not set
+# CONFIG_NETWORK_PHY_TIMESTAMPING is not set
+CONFIG_NETFILTER=y
+# CONFIG_NETFILTER_DEBUG is not set
+CONFIG_NETFILTER_ADVANCED=y
+
+#
+# Core Netfilter Configuration
+#
+CONFIG_NETFILTER_NETLINK=y
+# CONFIG_NETFILTER_NETLINK_ACCT is not set
+CONFIG_NETFILTER_NETLINK_QUEUE=y
+CONFIG_NETFILTER_NETLINK_LOG=y
+CONFIG_NF_CONNTRACK=y
+CONFIG_NF_CONNTRACK_MARK=y
+CONFIG_NF_CONNTRACK_PROCFS=y
+CONFIG_NF_CONNTRACK_EVENTS=y
+# CONFIG_NF_CONNTRACK_TIMEOUT is not set
+# CONFIG_NF_CONNTRACK_TIMESTAMP is not set
+# CONFIG_NF_CT_PROTO_DCCP is not set
+# CONFIG_NF_CT_PROTO_SCTP is not set
+CONFIG_NF_CT_PROTO_UDPLITE=y
+# CONFIG_NF_CONNTRACK_AMANDA is not set
+# CONFIG_NF_CONNTRACK_FTP is not set
+# CONFIG_NF_CONNTRACK_H323 is not set
+# CONFIG_NF_CONNTRACK_IRC is not set
+# CONFIG_NF_CONNTRACK_NETBIOS_NS is not set
+# CONFIG_NF_CONNTRACK_SNMP is not set
+# CONFIG_NF_CONNTRACK_PPTP is not set
+CONFIG_NF_CONNTRACK_SANE=y
+# CONFIG_NF_CONNTRACK_SIP is not set
+# CONFIG_NF_CONNTRACK_TFTP is not set
+CONFIG_NF_CT_NETLINK=y
+# CONFIG_NF_CT_NETLINK_TIMEOUT is not set
+# CONFIG_NETFILTER_TPROXY is not set
+CONFIG_NETFILTER_XTABLES=y
+
+#
+# Xtables combined modules
+#
+CONFIG_NETFILTER_XT_MARK=y
+CONFIG_NETFILTER_XT_CONNMARK=y
+CONFIG_NETFILTER_XT_SET=y
+
+#
+# Xtables targets
+#
+# CONFIG_NETFILTER_XT_TARGET_CHECKSUM is not set
+CONFIG_NETFILTER_XT_TARGET_CLASSIFY=y
+CONFIG_NETFILTER_XT_TARGET_CONNMARK=y
+# CONFIG_NETFILTER_XT_TARGET_CT is not set
+CONFIG_NETFILTER_XT_TARGET_DSCP=y
+CONFIG_NETFILTER_XT_TARGET_HL=y
+# CONFIG_NETFILTER_XT_TARGET_HMARK is not set
+# CONFIG_NETFILTER_XT_TARGET_IDLETIMER is not set
+CONFIG_NETFILTER_XT_TARGET_LOG=y
+CONFIG_NETFILTER_XT_TARGET_MARK=y
+CONFIG_NETFILTER_XT_TARGET_NFLOG=y
+CONFIG_NETFILTER_XT_TARGET_NFQUEUE=y
+CONFIG_NETFILTER_XT_TARGET_NOTRACK=y
+# CONFIG_NETFILTER_XT_TARGET_RATEEST is not set
+# CONFIG_NETFILTER_XT_TARGET_TEE is not set
+CONFIG_NETFILTER_XT_TARGET_TRACE=y
+CONFIG_NETFILTER_XT_TARGET_TCPMSS=y
+# CONFIG_NETFILTER_XT_TARGET_TCPOPTSTRIP is not set
+
+#
+# Xtables matches
+#
+CONFIG_NETFILTER_XT_MATCH_ADDRTYPE=y
+CONFIG_NETFILTER_XT_MATCH_CLUSTER=y
+CONFIG_NETFILTER_XT_MATCH_COMMENT=y
+CONFIG_NETFILTER_XT_MATCH_CONNBYTES=y
+CONFIG_NETFILTER_XT_MATCH_CONNLIMIT=y
+CONFIG_NETFILTER_XT_MATCH_CONNMARK=y
+CONFIG_NETFILTER_XT_MATCH_CONNTRACK=y
+# CONFIG_NETFILTER_XT_MATCH_CPU is not set
+CONFIG_NETFILTER_XT_MATCH_DCCP=y
+CONFIG_NETFILTER_XT_MATCH_DEVGROUP=y
+CONFIG_NETFILTER_XT_MATCH_DSCP=y
+CONFIG_NETFILTER_XT_MATCH_ECN=y
+CONFIG_NETFILTER_XT_MATCH_ESP=y
+CONFIG_NETFILTER_XT_MATCH_HASHLIMIT=y
+CONFIG_NETFILTER_XT_MATCH_HELPER=y
+CONFIG_NETFILTER_XT_MATCH_HL=y
+# CONFIG_NETFILTER_XT_MATCH_IPRANGE is not set
+CONFIG_NETFILTER_XT_MATCH_LENGTH=y
+CONFIG_NETFILTER_XT_MATCH_LIMIT=y
+CONFIG_NETFILTER_XT_MATCH_MAC=y
+CONFIG_NETFILTER_XT_MATCH_MARK=y
+CONFIG_NETFILTER_XT_MATCH_MULTIPORT=y
+# CONFIG_NETFILTER_XT_MATCH_NFACCT is not set
+# CONFIG_NETFILTER_XT_MATCH_OSF is not set
+# CONFIG_NETFILTER_XT_MATCH_OWNER is not set
+CONFIG_NETFILTER_XT_MATCH_POLICY=y
+CONFIG_NETFILTER_XT_MATCH_PKTTYPE=y
+CONFIG_NETFILTER_XT_MATCH_QUOTA=y
+# CONFIG_NETFILTER_XT_MATCH_RATEEST is not set
+CONFIG_NETFILTER_XT_MATCH_REALM=y
+# CONFIG_NETFILTER_XT_MATCH_RECENT is not set
+CONFIG_NETFILTER_XT_MATCH_SCTP=y
+CONFIG_NETFILTER_XT_MATCH_STATE=y
+CONFIG_NETFILTER_XT_MATCH_STATISTIC=y
+CONFIG_NETFILTER_XT_MATCH_STRING=y
+CONFIG_NETFILTER_XT_MATCH_TCPMSS=y
+# CONFIG_NETFILTER_XT_MATCH_TIME is not set
+CONFIG_NETFILTER_XT_MATCH_U32=y
+CONFIG_IP_SET=y
+CONFIG_IP_SET_MAX=256
+CONFIG_IP_SET_BITMAP_IP=y
+CONFIG_IP_SET_BITMAP_IPMAC=y
+CONFIG_IP_SET_BITMAP_PORT=y
+CONFIG_IP_SET_HASH_IP=y
+CONFIG_IP_SET_HASH_IPPORT=y
+CONFIG_IP_SET_HASH_IPPORTIP=y
+CONFIG_IP_SET_HASH_IPPORTNET=y
+CONFIG_IP_SET_HASH_NET=y
+CONFIG_IP_SET_HASH_NETPORT=y
+# CONFIG_IP_SET_HASH_NETIFACE is not set
+CONFIG_IP_SET_LIST_SET=y
+# CONFIG_IP_VS is not set
+
+#
+# IP: Netfilter Configuration
+#
+CONFIG_NF_DEFRAG_IPV4=y
+CONFIG_NF_CONNTRACK_IPV4=y
+CONFIG_NF_CONNTRACK_PROC_COMPAT=y
+CONFIG_IP_NF_QUEUE=y
+CONFIG_IP_NF_IPTABLES=y
+CONFIG_IP_NF_MATCH_AH=y
+CONFIG_IP_NF_MATCH_ECN=y
+# CONFIG_IP_NF_MATCH_RPFILTER is not set
+CONFIG_IP_NF_MATCH_TTL=y
+CONFIG_IP_NF_FILTER=y
+CONFIG_IP_NF_TARGET_REJECT=y
+CONFIG_IP_NF_TARGET_ULOG=y
+CONFIG_NF_NAT=y
+CONFIG_NF_NAT_NEEDED=y
+CONFIG_IP_NF_TARGET_MASQUERADE=y
+CONFIG_IP_NF_TARGET_NETMAP=y
+CONFIG_IP_NF_TARGET_REDIRECT=y
+CONFIG_NF_NAT_PROTO_UDPLITE=y
+# CONFIG_NF_NAT_FTP is not set
+# CONFIG_NF_NAT_IRC is not set
+# CONFIG_NF_NAT_TFTP is not set
+# CONFIG_NF_NAT_AMANDA is not set
+# CONFIG_NF_NAT_PPTP is not set
+# CONFIG_NF_NAT_H323 is not set
+# CONFIG_NF_NAT_SIP is not set
+CONFIG_IP_NF_MANGLE=y
+CONFIG_IP_NF_TARGET_CLUSTERIP=y
+CONFIG_IP_NF_TARGET_ECN=y
+CONFIG_IP_NF_TARGET_TTL=y
+CONFIG_IP_NF_RAW=y
+CONFIG_IP_NF_ARPTABLES=y
+CONFIG_IP_NF_ARPFILTER=y
+CONFIG_IP_NF_ARP_MANGLE=y
+
+#
+# IPv6: Netfilter Configuration
+#
+CONFIG_NF_DEFRAG_IPV6=y
+CONFIG_NF_CONNTRACK_IPV6=y
+CONFIG_IP6_NF_IPTABLES=y
+CONFIG_IP6_NF_MATCH_AH=y
+CONFIG_IP6_NF_MATCH_EUI64=y
+CONFIG_IP6_NF_MATCH_FRAG=y
+CONFIG_IP6_NF_MATCH_OPTS=y
+CONFIG_IP6_NF_MATCH_HL=y
+CONFIG_IP6_NF_MATCH_IPV6HEADER=y
+CONFIG_IP6_NF_MATCH_MH=y
+# CONFIG_IP6_NF_MATCH_RPFILTER is not set
+CONFIG_IP6_NF_MATCH_RT=y
+CONFIG_IP6_NF_TARGET_HL=y
+CONFIG_IP6_NF_FILTER=y
+CONFIG_IP6_NF_TARGET_REJECT=y
+CONFIG_IP6_NF_MANGLE=y
+CONFIG_IP6_NF_RAW=y
+# CONFIG_IP_DCCP is not set
+# CONFIG_IP_SCTP is not set
+# CONFIG_RDS is not set
+# CONFIG_TIPC is not set
+# CONFIG_ATM is not set
+CONFIG_L2TP=y
+# CONFIG_L2TP_V3 is not set
+# CONFIG_BRIDGE is not set
+# CONFIG_NET_DSA is not set
+# CONFIG_VLAN_8021Q is not set
+# CONFIG_DECNET is not set
+# CONFIG_LLC2 is not set
+# CONFIG_IPX is not set
+# CONFIG_ATALK is not set
+# CONFIG_X25 is not set
+# CONFIG_LAPB is not set
+# CONFIG_WAN_ROUTER is not set
+# CONFIG_PHONET is not set
+# CONFIG_IEEE802154 is not set
+# CONFIG_NET_SCHED is not set
+# CONFIG_DCB is not set
+# CONFIG_BATMAN_ADV is not set
+# CONFIG_OPENVSWITCH is not set
+CONFIG_BQL=y
+
+#
+# Network testing
+#
+# CONFIG_NET_PKTGEN is not set
+# CONFIG_HAMRADIO is not set
+# CONFIG_CAN is not set
+# CONFIG_IRDA is not set
+# CONFIG_BT is not set
+# CONFIG_AF_RXRPC is not set
+CONFIG_FIB_RULES=y
+CONFIG_WIRELESS=y
+# CONFIG_CFG80211 is not set
+# CONFIG_LIB80211 is not set
+
+#
+# CFG80211 needs to be enabled for MAC80211
+#
+# CONFIG_WIMAX is not set
+# CONFIG_RFKILL is not set
+CONFIG_NET_9P=y
+CONFIG_NET_9P_VIRTIO=y
+# CONFIG_NET_9P_DEBUG is not set
+# CONFIG_CAIF is not set
+# CONFIG_CEPH_LIB is not set
+# CONFIG_NFC is not set
+CONFIG_HAVE_BPF_JIT=y
+
+#
+# Device Drivers
+#
+
+#
+# Generic Driver Options
+#
+CONFIG_UEVENT_HELPER_PATH="/sbin/hotplug"
+# CONFIG_DEVTMPFS is not set
+CONFIG_STANDALONE=y
+CONFIG_PREVENT_FIRMWARE_BUILD=y
+CONFIG_FW_LOADER=y
+CONFIG_FIRMWARE_IN_KERNEL=y
+CONFIG_EXTRA_FIRMWARE=""
+# CONFIG_DEBUG_DRIVER is not set
+# CONFIG_DEBUG_DEVRES is not set
+# CONFIG_SYS_HYPERVISOR is not set
+# CONFIG_GENERIC_CPU_DEVICES is not set
+# CONFIG_DMA_SHARED_BUFFER is not set
+# CONFIG_CONNECTOR is not set
+# CONFIG_MTD is not set
+# CONFIG_PARPORT is not set
+CONFIG_PNP=y
+CONFIG_PNP_DEBUG_MESSAGES=y
+
+#
+# Protocols
+#
+CONFIG_PNPACPI=y
+CONFIG_BLK_DEV=y
+# CONFIG_BLK_DEV_FD is not set
+# CONFIG_BLK_DEV_PCIESSD_MTIP32XX is not set
+# CONFIG_BLK_CPQ_DA is not set
+# CONFIG_BLK_CPQ_CISS_DA is not set
+# CONFIG_BLK_DEV_DAC960 is not set
+# CONFIG_BLK_DEV_UMEM is not set
+# CONFIG_BLK_DEV_COW_COMMON is not set
+CONFIG_BLK_DEV_LOOP=y
+CONFIG_BLK_DEV_LOOP_MIN_COUNT=8
+# CONFIG_BLK_DEV_CRYPTOLOOP is not set
+
+#
+# DRBD disabled because PROC_FS, INET or CONNECTOR not selected
+#
+CONFIG_BLK_DEV_NBD=y
+# CONFIG_BLK_DEV_NVME is not set
+# CONFIG_BLK_DEV_SX8 is not set
+# CONFIG_BLK_DEV_RAM is not set
+# CONFIG_CDROM_PKTCDVD is not set
+# CONFIG_ATA_OVER_ETH is not set
+CONFIG_VIRTIO_BLK=y
+# CONFIG_BLK_DEV_HD is not set
+# CONFIG_BLK_DEV_RBD is not set
+
+#
+# Misc devices
+#
+# CONFIG_SENSORS_LIS3LV02D is not set
+# CONFIG_IBM_ASM is not set
+# CONFIG_PHANTOM is not set
+# CONFIG_INTEL_MID_PTI is not set
+# CONFIG_SGI_IOC4 is not set
+# CONFIG_TIFM_CORE is not set
+# CONFIG_ENCLOSURE_SERVICES is not set
+# CONFIG_HP_ILO is not set
+# CONFIG_VMWARE_BALLOON is not set
+# CONFIG_PCH_PHUB is not set
+# CONFIG_C2PORT is not set
+
+#
+# EEPROM support
+#
+# CONFIG_EEPROM_93CX6 is not set
+# CONFIG_CB710_CORE is not set
+
+#
+# Texas Instruments shared transport line discipline
+#
+
+#
+# Altera FPGA firmware download module
+#
+CONFIG_HAVE_IDE=y
+# CONFIG_IDE is not set
+
+#
+# SCSI device support
+#
+CONFIG_SCSI_MOD=y
+# CONFIG_RAID_ATTRS is not set
+# CONFIG_SCSI is not set
+# CONFIG_SCSI_DMA is not set
+# CONFIG_SCSI_NETLINK is not set
+# CONFIG_ATA is not set
+# CONFIG_MD is not set
+# CONFIG_FUSION is not set
+
+#
+# IEEE 1394 (FireWire) support
+#
+# CONFIG_FIREWIRE is not set
+# CONFIG_FIREWIRE_NOSY is not set
+# CONFIG_I2O is not set
+# CONFIG_MACINTOSH_DRIVERS is not set
+CONFIG_NETDEVICES=y
+CONFIG_NET_CORE=y
+# CONFIG_BONDING is not set
+CONFIG_DUMMY=y
+# CONFIG_EQUALIZER is not set
+# CONFIG_MII is not set
+# CONFIG_NET_TEAM is not set
+# CONFIG_MACVLAN is not set
+# CONFIG_NETCONSOLE is not set
+# CONFIG_NETPOLL is not set
+# CONFIG_NET_POLL_CONTROLLER is not set
+CONFIG_TUN=y
+# CONFIG_VETH is not set
+CONFIG_VIRTIO_NET=y
+# CONFIG_ARCNET is not set
+
+#
+# CAIF transport drivers
+#
+CONFIG_ETHERNET=y
+CONFIG_NET_VENDOR_3COM=y
+# CONFIG_VORTEX is not set
+# CONFIG_TYPHOON is not set
+CONFIG_NET_VENDOR_ADAPTEC=y
+# CONFIG_ADAPTEC_STARFIRE is not set
+CONFIG_NET_VENDOR_ALTEON=y
+# CONFIG_ACENIC is not set
+CONFIG_NET_VENDOR_AMD=y
+# CONFIG_AMD8111_ETH is not set
+# CONFIG_PCNET32 is not set
+CONFIG_NET_VENDOR_ATHEROS=y
+# CONFIG_ATL2 is not set
+# CONFIG_ATL1 is not set
+# CONFIG_ATL1E is not set
+# CONFIG_ATL1C is not set
+CONFIG_NET_VENDOR_BROADCOM=y
+# CONFIG_B44 is not set
+# CONFIG_BNX2 is not set
+# CONFIG_CNIC is not set
+# CONFIG_TIGON3 is not set
+# CONFIG_BNX2X is not set
+CONFIG_NET_VENDOR_BROCADE=y
+# CONFIG_BNA is not set
+# CONFIG_NET_CALXEDA_XGMAC is not set
+CONFIG_NET_VENDOR_CHELSIO=y
+# CONFIG_CHELSIO_T1 is not set
+# CONFIG_CHELSIO_T3 is not set
+# CONFIG_CHELSIO_T4 is not set
+# CONFIG_CHELSIO_T4VF is not set
+CONFIG_NET_VENDOR_CISCO=y
+# CONFIG_ENIC is not set
+# CONFIG_DNET is not set
+CONFIG_NET_VENDOR_DEC=y
+# CONFIG_NET_TULIP is not set
+CONFIG_NET_VENDOR_DLINK=y
+# CONFIG_DL2K is not set
+# CONFIG_SUNDANCE is not set
+CONFIG_NET_VENDOR_EMULEX=y
+# CONFIG_BE2NET is not set
+CONFIG_NET_VENDOR_EXAR=y
+# CONFIG_S2IO is not set
+# CONFIG_VXGE is not set
+CONFIG_NET_VENDOR_HP=y
+# CONFIG_HP100 is not set
+CONFIG_NET_VENDOR_INTEL=y
+# CONFIG_E100 is not set
+# CONFIG_E1000 is not set
+# CONFIG_E1000E is not set
+# CONFIG_IGB is not set
+# CONFIG_IGBVF is not set
+# CONFIG_IXGB is not set
+# CONFIG_IXGBE is not set
+# CONFIG_IXGBEVF is not set
+CONFIG_NET_VENDOR_I825XX=y
+# CONFIG_ZNET is not set
+# CONFIG_IP1000 is not set
+# CONFIG_JME is not set
+CONFIG_NET_VENDOR_MARVELL=y
+# CONFIG_SKGE is not set
+# CONFIG_SKY2 is not set
+CONFIG_NET_VENDOR_MELLANOX=y
+# CONFIG_MLX4_EN is not set
+# CONFIG_MLX4_CORE is not set
+CONFIG_NET_VENDOR_MICREL=y
+# CONFIG_KS8851_MLL is not set
+# CONFIG_KSZ884X_PCI is not set
+CONFIG_NET_VENDOR_MYRI=y
+# CONFIG_MYRI10GE is not set
+# CONFIG_FEALNX is not set
+CONFIG_NET_VENDOR_NATSEMI=y
+# CONFIG_NATSEMI is not set
+# CONFIG_NS83820 is not set
+CONFIG_NET_VENDOR_8390=y
+# CONFIG_NE2K_PCI is not set
+CONFIG_NET_VENDOR_NVIDIA=y
+# CONFIG_FORCEDETH is not set
+CONFIG_NET_VENDOR_OKI=y
+# CONFIG_PCH_GBE is not set
+# CONFIG_ETHOC is not set
+CONFIG_NET_PACKET_ENGINE=y
+# CONFIG_HAMACHI is not set
+# CONFIG_YELLOWFIN is not set
+CONFIG_NET_VENDOR_QLOGIC=y
+# CONFIG_QLA3XXX is not set
+# CONFIG_QLCNIC is not set
+# CONFIG_QLGE is not set
+# CONFIG_NETXEN_NIC is not set
+CONFIG_NET_VENDOR_REALTEK=y
+# CONFIG_8139CP is not set
+# CONFIG_8139TOO is not set
+# CONFIG_R8169 is not set
+CONFIG_NET_VENDOR_RDC=y
+# CONFIG_R6040 is not set
+CONFIG_NET_VENDOR_SEEQ=y
+# CONFIG_SEEQ8005 is not set
+CONFIG_NET_VENDOR_SILAN=y
+# CONFIG_SC92031 is not set
+CONFIG_NET_VENDOR_SIS=y
+# CONFIG_SIS900 is not set
+# CONFIG_SIS190 is not set
+# CONFIG_SFC is not set
+CONFIG_NET_VENDOR_SMSC=y
+# CONFIG_EPIC100 is not set
+# CONFIG_SMSC9420 is not set
+CONFIG_NET_VENDOR_STMICRO=y
+# CONFIG_STMMAC_ETH is not set
+CONFIG_NET_VENDOR_SUN=y
+# CONFIG_HAPPYMEAL is not set
+# CONFIG_SUNGEM is not set
+# CONFIG_CASSINI is not set
+# CONFIG_NIU is not set
+CONFIG_NET_VENDOR_TEHUTI=y
+# CONFIG_TEHUTI is not set
+CONFIG_NET_VENDOR_TI=y
+# CONFIG_TLAN is not set
+CONFIG_NET_VENDOR_VIA=y
+# CONFIG_VIA_RHINE is not set
+# CONFIG_VIA_VELOCITY is not set
+CONFIG_NET_VENDOR_WIZNET=y
+# CONFIG_WIZNET_W5100 is not set
+# CONFIG_WIZNET_W5300 is not set
+# CONFIG_FDDI is not set
+# CONFIG_HIPPI is not set
+# CONFIG_NET_SB1000 is not set
+# CONFIG_PHYLIB is not set
+# CONFIG_PPP is not set
+# CONFIG_SLIP is not set
+CONFIG_WLAN=y
+# CONFIG_AIRO is not set
+# CONFIG_ATMEL is not set
+# CONFIG_PRISM54 is not set
+# CONFIG_HOSTAP is not set
+# CONFIG_WL_TI is not set
+
+#
+# Enable WiMAX (Networking options) to see the WiMAX drivers
+#
+# CONFIG_WAN is not set
+# CONFIG_VMXNET3 is not set
+# CONFIG_ISDN is not set
+
+#
+# Input device support
+#
+CONFIG_INPUT=y
+# CONFIG_INPUT_FF_MEMLESS is not set
+# CONFIG_INPUT_POLLDEV is not set
+# CONFIG_INPUT_SPARSEKMAP is not set
+# CONFIG_INPUT_MATRIXKMAP is not set
+
+#
+# Userland interfaces
+#
+CONFIG_INPUT_MOUSEDEV=y
+CONFIG_INPUT_MOUSEDEV_PSAUX=y
+CONFIG_INPUT_MOUSEDEV_SCREEN_X=1024
+CONFIG_INPUT_MOUSEDEV_SCREEN_Y=768
+# CONFIG_INPUT_JOYDEV is not set
+# CONFIG_INPUT_EVDEV is not set
+# CONFIG_INPUT_EVBUG is not set
+
+#
+# Input Device Drivers
+#
+CONFIG_INPUT_KEYBOARD=y
+CONFIG_KEYBOARD_ATKBD=y
+# CONFIG_KEYBOARD_LKKBD is not set
+# CONFIG_KEYBOARD_NEWTON is not set
+# CONFIG_KEYBOARD_OPENCORES is not set
+# CONFIG_KEYBOARD_STOWAWAY is not set
+# CONFIG_KEYBOARD_SUNKBD is not set
+# CONFIG_KEYBOARD_OMAP4 is not set
+# CONFIG_KEYBOARD_XTKBD is not set
+CONFIG_INPUT_MOUSE=y
+CONFIG_MOUSE_PS2=y
+CONFIG_MOUSE_PS2_ALPS=y
+CONFIG_MOUSE_PS2_LOGIPS2PP=y
+CONFIG_MOUSE_PS2_SYNAPTICS=y
+CONFIG_MOUSE_PS2_LIFEBOOK=y
+CONFIG_MOUSE_PS2_TRACKPOINT=y
+# CONFIG_MOUSE_PS2_ELANTECH is not set
+# CONFIG_MOUSE_PS2_SENTELIC is not set
+# CONFIG_MOUSE_PS2_TOUCHKIT is not set
+# CONFIG_MOUSE_SERIAL is not set
+# CONFIG_MOUSE_APPLETOUCH is not set
+# CONFIG_MOUSE_BCM5974 is not set
+# CONFIG_MOUSE_VSXXXAA is not set
+# CONFIG_MOUSE_SYNAPTICS_USB is not set
+# CONFIG_INPUT_JOYSTICK is not set
+# CONFIG_INPUT_TABLET is not set
+# CONFIG_INPUT_TOUCHSCREEN is not set
+# CONFIG_INPUT_MISC is not set
+
+#
+# Hardware I/O ports
+#
+CONFIG_SERIO=y
+CONFIG_SERIO_I8042=y
+CONFIG_SERIO_SERPORT=y
+# CONFIG_SERIO_CT82C710 is not set
+# CONFIG_SERIO_PCIPS2 is not set
+CONFIG_SERIO_LIBPS2=y
+# CONFIG_SERIO_RAW is not set
+# CONFIG_SERIO_ALTERA_PS2 is not set
+# CONFIG_SERIO_PS2MULT is not set
+# CONFIG_GAMEPORT is not set
+
+#
+# Character devices
+#
+CONFIG_VT=y
+CONFIG_CONSOLE_TRANSLATIONS=y
+CONFIG_VT_CONSOLE=y
+CONFIG_VT_CONSOLE_SLEEP=y
+CONFIG_HW_CONSOLE=y
+# CONFIG_VT_HW_CONSOLE_BINDING is not set
+CONFIG_UNIX98_PTYS=y
+# CONFIG_DEVPTS_MULTIPLE_INSTANCES is not set
+CONFIG_LEGACY_PTYS=y
+CONFIG_LEGACY_PTY_COUNT=256
+# CONFIG_SERIAL_NONSTANDARD is not set
+# CONFIG_NOZOMI is not set
+# CONFIG_N_GSM is not set
+# CONFIG_TRACE_SINK is not set
+CONFIG_DEVKMEM=y
+
+#
+# Serial drivers
+#
+# CONFIG_SERIAL_8250 is not set
+CONFIG_FIX_EARLYCON_MEM=y
+
+#
+# Non-8250 serial port support
+#
+# CONFIG_SERIAL_MFD_HSU is not set
+# CONFIG_SERIAL_JSM is not set
+# CONFIG_SERIAL_TIMBERDALE is not set
+# CONFIG_SERIAL_ALTERA_JTAGUART is not set
+# CONFIG_SERIAL_ALTERA_UART is not set
+# CONFIG_SERIAL_PCH_UART is not set
+# CONFIG_SERIAL_XILINX_PS_UART is not set
+CONFIG_HVC_DRIVER=y
+CONFIG_VIRTIO_CONSOLE=y
+# CONFIG_IPMI_HANDLER is not set
+# CONFIG_HW_RANDOM is not set
+# CONFIG_NVRAM is not set
+# CONFIG_RTC is not set
+# CONFIG_GEN_RTC is not set
+# CONFIG_R3964 is not set
+# CONFIG_APPLICOM is not set
+# CONFIG_MWAVE is not set
+# CONFIG_RAW_DRIVER is not set
+# CONFIG_HPET is not set
+# CONFIG_HANGCHECK_TIMER is not set
+# CONFIG_TCG_TPM is not set
+# CONFIG_TELCLOCK is not set
+CONFIG_DEVPORT=y
+# CONFIG_I2C is not set
+# CONFIG_SPI is not set
+# CONFIG_HSI is not set
+
+#
+# PPS support
+#
+# CONFIG_PPS is not set
+
+#
+# PPS generators support
+#
+
+#
+# PTP clock support
+#
+
+#
+# Enable Device Drivers -> PPS to see the PTP clock options.
+#
+CONFIG_ARCH_WANT_OPTIONAL_GPIOLIB=y
+# CONFIG_GPIOLIB is not set
+# CONFIG_W1 is not set
+CONFIG_POWER_SUPPLY=y
+# CONFIG_POWER_SUPPLY_DEBUG is not set
+# CONFIG_PDA_POWER is not set
+# CONFIG_TEST_POWER is not set
+# CONFIG_BATTERY_DS2780 is not set
+# CONFIG_BATTERY_DS2781 is not set
+# CONFIG_BATTERY_BQ27x00 is not set
+# CONFIG_CHARGER_MAX8903 is not set
+CONFIG_HWMON=y
+# CONFIG_HWMON_VID is not set
+# CONFIG_HWMON_DEBUG_CHIP is not set
+
+#
+# Native drivers
+#
+# CONFIG_SENSORS_ABITUGURU is not set
+# CONFIG_SENSORS_ABITUGURU3 is not set
+# CONFIG_SENSORS_K8TEMP is not set
+# CONFIG_SENSORS_K10TEMP is not set
+# CONFIG_SENSORS_FAM15H_POWER is not set
+# CONFIG_SENSORS_I5K_AMB is not set
+# CONFIG_SENSORS_F71805F is not set
+# CONFIG_SENSORS_F71882FG is not set
+# CONFIG_SENSORS_CORETEMP is not set
+# CONFIG_SENSORS_IT87 is not set
+# CONFIG_SENSORS_NTC_THERMISTOR is not set
+# CONFIG_SENSORS_PC87360 is not set
+# CONFIG_SENSORS_PC87427 is not set
+# CONFIG_SENSORS_SIS5595 is not set
+# CONFIG_SENSORS_SMSC47M1 is not set
+# CONFIG_SENSORS_SMSC47B397 is not set
+# CONFIG_SENSORS_SCH56XX_COMMON is not set
+# CONFIG_SENSORS_VIA_CPUTEMP is not set
+# CONFIG_SENSORS_VIA686A is not set
+# CONFIG_SENSORS_VT1211 is not set
+# CONFIG_SENSORS_VT8231 is not set
+# CONFIG_SENSORS_W83627HF is not set
+# CONFIG_SENSORS_W83627EHF is not set
+# CONFIG_SENSORS_APPLESMC is not set
+
+#
+# ACPI drivers
+#
+# CONFIG_SENSORS_ACPI_POWER is not set
+# CONFIG_SENSORS_ATK0110 is not set
+CONFIG_THERMAL=y
+CONFIG_THERMAL_HWMON=y
+# CONFIG_WATCHDOG is not set
+CONFIG_SSB_POSSIBLE=y
+
+#
+# Sonics Silicon Backplane
+#
+# CONFIG_SSB is not set
+CONFIG_BCMA_POSSIBLE=y
+
+#
+# Broadcom specific AMBA
+#
+# CONFIG_BCMA is not set
+
+#
+# Multifunction device drivers
+#
+# CONFIG_MFD_CORE is not set
+# CONFIG_MFD_SM501 is not set
+# CONFIG_HTC_PASIC3 is not set
+# CONFIG_MFD_TMIO is not set
+# CONFIG_ABX500_CORE is not set
+# CONFIG_MFD_CS5535 is not set
+# CONFIG_LPC_SCH is not set
+# CONFIG_LPC_ICH is not set
+# CONFIG_MFD_RDC321X is not set
+# CONFIG_MFD_JANZ_CMODIO is not set
+# CONFIG_MFD_VX855 is not set
+# CONFIG_REGULATOR is not set
+# CONFIG_MEDIA_SUPPORT is not set
+
+#
+# Graphics support
+#
+# CONFIG_AGP is not set
+CONFIG_VGA_ARB=y
+CONFIG_VGA_ARB_MAX_GPUS=16
+# CONFIG_VGA_SWITCHEROO is not set
+# CONFIG_DRM is not set
+# CONFIG_STUB_POULSBO is not set
+# CONFIG_VGASTATE is not set
+# CONFIG_VIDEO_OUTPUT_CONTROL is not set
+# CONFIG_FB is not set
+# CONFIG_EXYNOS_VIDEO is not set
+# CONFIG_BACKLIGHT_LCD_SUPPORT is not set
+
+#
+# Console display driver support
+#
+CONFIG_VGA_CONSOLE=y
+# CONFIG_VGACON_SOFT_SCROLLBACK is not set
+CONFIG_DUMMY_CONSOLE=y
+CONFIG_SOUND=y
+# CONFIG_SOUND_OSS_CORE is not set
+# CONFIG_SND is not set
+# CONFIG_SOUND_PRIME is not set
+
+#
+# HID support
+#
+CONFIG_HID=y
+# CONFIG_HID_BATTERY_STRENGTH is not set
+# CONFIG_HIDRAW is not set
+CONFIG_HID_GENERIC=y
+
+#
+# Special HID drivers
+#
+CONFIG_USB_ARCH_HAS_OHCI=y
+CONFIG_USB_ARCH_HAS_EHCI=y
+CONFIG_USB_ARCH_HAS_XHCI=y
+CONFIG_USB_SUPPORT=y
+CONFIG_USB_ARCH_HAS_HCD=y
+# CONFIG_USB is not set
+
+#
+# NOTE: USB_STORAGE depends on SCSI but BLK_DEV_SD may
+#
+# CONFIG_USB_GADGET is not set
+
+#
+# OTG and related infrastructure
+#
+# CONFIG_UWB is not set
+# CONFIG_MMC is not set
+# CONFIG_MEMSTICK is not set
+# CONFIG_NEW_LEDS is not set
+# CONFIG_ACCESSIBILITY is not set
+# CONFIG_INFINIBAND is not set
+# CONFIG_EDAC is not set
+# CONFIG_RTC_CLASS is not set
+# CONFIG_DMADEVICES is not set
+# CONFIG_AUXDISPLAY is not set
+# CONFIG_UIO is not set
+CONFIG_VIRTIO=y
+CONFIG_VIRTIO_RING=y
+
+#
+# Virtio drivers
+#
+CONFIG_VIRTIO_PCI=y
+CONFIG_VIRTIO_BALLOON=y
+CONFIG_VIRTIO_MMIO=y
+# CONFIG_VIRTIO_MMIO_CMDLINE_DEVICES is not set
+
+#
+# Microsoft Hyper-V guest support
+#
+# CONFIG_HYPERV is not set
+# CONFIG_STAGING is not set
+CONFIG_X86_PLATFORM_DEVICES=y
+# CONFIG_ACERHDF is not set
+# CONFIG_ASUS_LAPTOP is not set
+# CONFIG_FUJITSU_TABLET is not set
+# CONFIG_HP_ACCEL is not set
+# CONFIG_THINKPAD_ACPI is not set
+# CONFIG_SENSORS_HDAPS is not set
+# CONFIG_INTEL_MENLOW is not set
+# CONFIG_ACPI_WMI is not set
+# CONFIG_TOPSTAR_LAPTOP is not set
+# CONFIG_TOSHIBA_BT_RFKILL is not set
+# CONFIG_ACPI_CMPC is not set
+# CONFIG_INTEL_IPS is not set
+# CONFIG_IBM_RTL is not set
+# CONFIG_XO15_EBOOK is not set
+# CONFIG_SAMSUNG_Q10 is not set
+# CONFIG_APPLE_GMUX is not set
+
+#
+# Hardware Spinlock drivers
+#
+CONFIG_CLKEVT_I8253=y
+CONFIG_I8253_LOCK=y
+CONFIG_CLKBLD_I8253=y
+CONFIG_IOMMU_SUPPORT=y
+# CONFIG_AMD_IOMMU is not set
+# CONFIG_INTEL_IOMMU is not set
+# CONFIG_IRQ_REMAP is not set
+
+#
+# Remoteproc drivers (EXPERIMENTAL)
+#
+
+#
+# Rpmsg drivers (EXPERIMENTAL)
+#
+# CONFIG_VIRT_DRIVERS is not set
+# CONFIG_PM_DEVFREQ is not set
+# CONFIG_EXTCON is not set
+# CONFIG_MEMORY is not set
+# CONFIG_IIO is not set
+# CONFIG_VME_BUS is not set
+
+#
+# Firmware Drivers
+#
+# CONFIG_EDD is not set
+CONFIG_FIRMWARE_MEMMAP=y
+# CONFIG_DELL_RBU is not set
+# CONFIG_DCDBAS is not set
+CONFIG_DMIID=y
+# CONFIG_DMI_SYSFS is not set
+# CONFIG_ISCSI_IBFT_FIND is not set
+# CONFIG_GOOGLE_FIRMWARE is not set
+
+#
+# File systems
+#
+CONFIG_DCACHE_WORD_ACCESS=y
+CONFIG_EXT2_FS=y
+# CONFIG_EXT2_FS_XATTR is not set
+# CONFIG_EXT2_FS_XIP is not set
+CONFIG_EXT3_FS=y
+# CONFIG_EXT3_DEFAULTS_TO_ORDERED is not set
+# CONFIG_EXT3_FS_XATTR is not set
+# CONFIG_EXT4_FS is not set
+CONFIG_JBD=y
+CONFIG_REISERFS_FS=y
+# CONFIG_REISERFS_CHECK is not set
+# CONFIG_REISERFS_PROC_INFO is not set
+# CONFIG_REISERFS_FS_XATTR is not set
+# CONFIG_JFS_FS is not set
+# CONFIG_XFS_FS is not set
+# CONFIG_GFS2_FS is not set
+# CONFIG_BTRFS_FS is not set
+# CONFIG_NILFS2_FS is not set
+CONFIG_FS_POSIX_ACL=y
+CONFIG_FILE_LOCKING=y
+CONFIG_FSNOTIFY=y
+CONFIG_DNOTIFY=y
+CONFIG_INOTIFY_USER=y
+# CONFIG_FANOTIFY is not set
+CONFIG_QUOTA=y
+# CONFIG_QUOTA_NETLINK_INTERFACE is not set
+CONFIG_PRINT_QUOTA_WARNING=y
+# CONFIG_QUOTA_DEBUG is not set
+# CONFIG_QFMT_V1 is not set
+# CONFIG_QFMT_V2 is not set
+CONFIG_QUOTACTL=y
+CONFIG_AUTOFS4_FS=y
+# CONFIG_FUSE_FS is not set
+
+#
+# Caches
+#
+# CONFIG_FSCACHE is not set
+
+#
+# CD-ROM/DVD Filesystems
+#
+CONFIG_ISO9660_FS=y
+CONFIG_JOLIET=y
+# CONFIG_ZISOFS is not set
+# CONFIG_UDF_FS is not set
+
+#
+# DOS/FAT/NT Filesystems
+#
+# CONFIG_MSDOS_FS is not set
+# CONFIG_VFAT_FS is not set
+# CONFIG_NTFS_FS is not set
+
+#
+# Pseudo filesystems
+#
+CONFIG_PROC_FS=y
+CONFIG_PROC_KCORE=y
+CONFIG_PROC_SYSCTL=y
+CONFIG_PROC_PAGE_MONITOR=y
+CONFIG_SYSFS=y
+CONFIG_TMPFS=y
+# CONFIG_TMPFS_POSIX_ACL is not set
+# CONFIG_TMPFS_XATTR is not set
+# CONFIG_HUGETLBFS is not set
+# CONFIG_HUGETLB_PAGE is not set
+# CONFIG_CONFIGFS_FS is not set
+CONFIG_MISC_FILESYSTEMS=y
+# CONFIG_ADFS_FS is not set
+# CONFIG_AFFS_FS is not set
+# CONFIG_HFS_FS is not set
+# CONFIG_HFSPLUS_FS is not set
+# CONFIG_BEFS_FS is not set
+# CONFIG_BFS_FS is not set
+# CONFIG_EFS_FS is not set
+# CONFIG_LOGFS is not set
+# CONFIG_CRAMFS is not set
+# CONFIG_SQUASHFS is not set
+# CONFIG_VXFS_FS is not set
+# CONFIG_MINIX_FS is not set
+# CONFIG_OMFS_FS is not set
+# CONFIG_HPFS_FS is not set
+# CONFIG_QNX4FS_FS is not set
+# CONFIG_QNX6FS_FS is not set
+# CONFIG_ROMFS_FS is not set
+# CONFIG_PSTORE is not set
+# CONFIG_SYSV_FS is not set
+# CONFIG_UFS_FS is not set
+CONFIG_NETWORK_FILESYSTEMS=y
+# CONFIG_NFS_FS is not set
+# CONFIG_NFSD is not set
+# CONFIG_CEPH_FS is not set
+# CONFIG_CIFS is not set
+# CONFIG_NCP_FS is not set
+# CONFIG_CODA_FS is not set
+# CONFIG_AFS_FS is not set
+CONFIG_9P_FS=y
+CONFIG_9P_FS_POSIX_ACL=y
+CONFIG_NLS=y
+CONFIG_NLS_DEFAULT="iso8859-1"
+# CONFIG_NLS_CODEPAGE_437 is not set
+# CONFIG_NLS_CODEPAGE_737 is not set
+# CONFIG_NLS_CODEPAGE_775 is not set
+# CONFIG_NLS_CODEPAGE_850 is not set
+# CONFIG_NLS_CODEPAGE_852 is not set
+# CONFIG_NLS_CODEPAGE_855 is not set
+# CONFIG_NLS_CODEPAGE_857 is not set
+# CONFIG_NLS_CODEPAGE_860 is not set
+# CONFIG_NLS_CODEPAGE_861 is not set
+# CONFIG_NLS_CODEPAGE_862 is not set
+# CONFIG_NLS_CODEPAGE_863 is not set
+# CONFIG_NLS_CODEPAGE_864 is not set
+# CONFIG_NLS_CODEPAGE_865 is not set
+# CONFIG_NLS_CODEPAGE_866 is not set
+# CONFIG_NLS_CODEPAGE_869 is not set
+# CONFIG_NLS_CODEPAGE_936 is not set
+# CONFIG_NLS_CODEPAGE_950 is not set
+# CONFIG_NLS_CODEPAGE_932 is not set
+# CONFIG_NLS_CODEPAGE_949 is not set
+# CONFIG_NLS_CODEPAGE_874 is not set
+# CONFIG_NLS_ISO8859_8 is not set
+# CONFIG_NLS_CODEPAGE_1250 is not set
+# CONFIG_NLS_CODEPAGE_1251 is not set
+# CONFIG_NLS_ASCII is not set
+# CONFIG_NLS_ISO8859_1 is not set
+# CONFIG_NLS_ISO8859_2 is not set
+# CONFIG_NLS_ISO8859_3 is not set
+# CONFIG_NLS_ISO8859_4 is not set
+# CONFIG_NLS_ISO8859_5 is not set
+# CONFIG_NLS_ISO8859_6 is not set
+# CONFIG_NLS_ISO8859_7 is not set
+# CONFIG_NLS_ISO8859_9 is not set
+# CONFIG_NLS_ISO8859_13 is not set
+# CONFIG_NLS_ISO8859_14 is not set
+# CONFIG_NLS_ISO8859_15 is not set
+# CONFIG_NLS_KOI8_R is not set
+# CONFIG_NLS_KOI8_U is not set
+# CONFIG_NLS_MAC_ROMAN is not set
+# CONFIG_NLS_MAC_CELTIC is not set
+# CONFIG_NLS_MAC_CENTEURO is not set
+# CONFIG_NLS_MAC_CROATIAN is not set
+# CONFIG_NLS_MAC_CYRILLIC is not set
+# CONFIG_NLS_MAC_GAELIC is not set
+# CONFIG_NLS_MAC_GREEK is not set
+# CONFIG_NLS_MAC_ICELAND is not set
+# CONFIG_NLS_MAC_INUIT is not set
+# CONFIG_NLS_MAC_ROMANIAN is not set
+# CONFIG_NLS_MAC_TURKISH is not set
+# CONFIG_NLS_UTF8 is not set
+
+#
+# Kernel hacking
+#
+CONFIG_TRACE_IRQFLAGS_SUPPORT=y
+# CONFIG_PRINTK_TIME is not set
+CONFIG_DEFAULT_MESSAGE_LOGLEVEL=4
+CONFIG_ENABLE_WARN_DEPRECATED=y
+CONFIG_ENABLE_MUST_CHECK=y
+CONFIG_FRAME_WARN=1024
+# CONFIG_MAGIC_SYSRQ is not set
+# CONFIG_STRIP_ASM_SYMS is not set
+# CONFIG_READABLE_ASM is not set
+# CONFIG_UNUSED_SYMBOLS is not set
+# CONFIG_DEBUG_FS is not set
+# CONFIG_HEADERS_CHECK is not set
+# CONFIG_DEBUG_SECTION_MISMATCH is not set
+CONFIG_DEBUG_KERNEL=y
+# CONFIG_DEBUG_SHIRQ is not set
+# CONFIG_LOCKUP_DETECTOR is not set
+# CONFIG_HARDLOCKUP_DETECTOR is not set
+# CONFIG_PANIC_ON_OOPS is not set
+CONFIG_PANIC_ON_OOPS_VALUE=0
+CONFIG_DETECT_HUNG_TASK=y
+CONFIG_DEFAULT_HUNG_TASK_TIMEOUT=120
+# CONFIG_BOOTPARAM_HUNG_TASK_PANIC is not set
+CONFIG_BOOTPARAM_HUNG_TASK_PANIC_VALUE=0
+# CONFIG_SCHED_DEBUG is not set
+# CONFIG_SCHEDSTATS is not set
+# CONFIG_TIMER_STATS is not set
+# CONFIG_DEBUG_OBJECTS is not set
+# CONFIG_DEBUG_SLAB is not set
+# CONFIG_DEBUG_KMEMLEAK is not set
+# CONFIG_DEBUG_RT_MUTEXES is not set
+# CONFIG_RT_MUTEX_TESTER is not set
+# CONFIG_DEBUG_SPINLOCK is not set
+# CONFIG_DEBUG_MUTEXES is not set
+# CONFIG_DEBUG_LOCK_ALLOC is not set
+# CONFIG_PROVE_LOCKING is not set
+# CONFIG_SPARSE_RCU_POINTER is not set
+# CONFIG_LOCK_STAT is not set
+# CONFIG_DEBUG_ATOMIC_SLEEP is not set
+# CONFIG_DEBUG_LOCKING_API_SELFTESTS is not set
+# CONFIG_DEBUG_STACK_USAGE is not set
+# CONFIG_DEBUG_KOBJECT is not set
+CONFIG_DEBUG_BUGVERBOSE=y
+CONFIG_DEBUG_INFO=y
+# CONFIG_DEBUG_INFO_REDUCED is not set
+# CONFIG_DEBUG_VM is not set
+# CONFIG_DEBUG_VIRTUAL is not set
+# CONFIG_DEBUG_WRITECOUNT is not set
+CONFIG_DEBUG_MEMORY_INIT=y
+# CONFIG_DEBUG_LIST is not set
+# CONFIG_TEST_LIST_SORT is not set
+# CONFIG_DEBUG_SG is not set
+# CONFIG_DEBUG_NOTIFIERS is not set
+# CONFIG_DEBUG_CREDENTIALS is not set
+CONFIG_ARCH_WANT_FRAME_POINTERS=y
+CONFIG_FRAME_POINTER=y
+# CONFIG_BOOT_PRINTK_DELAY is not set
+# CONFIG_RCU_TORTURE_TEST is not set
+# CONFIG_RCU_TRACE is not set
+# CONFIG_BACKTRACE_SELF_TEST is not set
+# CONFIG_DEBUG_BLOCK_EXT_DEVT is not set
+# CONFIG_DEBUG_FORCE_WEAK_PER_CPU is not set
+# CONFIG_FAULT_INJECTION is not set
+# CONFIG_LATENCYTOP is not set
+# CONFIG_DEBUG_PAGEALLOC is not set
+CONFIG_USER_STACKTRACE_SUPPORT=y
+CONFIG_HAVE_FUNCTION_TRACER=y
+CONFIG_HAVE_FUNCTION_GRAPH_TRACER=y
+CONFIG_HAVE_FUNCTION_GRAPH_FP_TEST=y
+CONFIG_HAVE_FUNCTION_TRACE_MCOUNT_TEST=y
+CONFIG_HAVE_DYNAMIC_FTRACE=y
+CONFIG_HAVE_FTRACE_MCOUNT_RECORD=y
+CONFIG_HAVE_SYSCALL_TRACEPOINTS=y
+CONFIG_HAVE_C_RECORDMCOUNT=y
+CONFIG_TRACING_SUPPORT=y
+CONFIG_FTRACE=y
+# CONFIG_FUNCTION_TRACER is not set
+# CONFIG_IRQSOFF_TRACER is not set
+# CONFIG_SCHED_TRACER is not set
+# CONFIG_ENABLE_DEFAULT_TRACERS is not set
+# CONFIG_FTRACE_SYSCALLS is not set
+CONFIG_BRANCH_PROFILE_NONE=y
+# CONFIG_PROFILE_ANNOTATED_BRANCHES is not set
+# CONFIG_PROFILE_ALL_BRANCHES is not set
+# CONFIG_STACK_TRACER is not set
+# CONFIG_BLK_DEV_IO_TRACE is not set
+# CONFIG_UPROBE_EVENT is not set
+# CONFIG_PROBE_EVENTS is not set
+# CONFIG_MMIOTRACE is not set
+# CONFIG_PROVIDE_OHCI1394_DMA_INIT is not set
+# CONFIG_DMA_API_DEBUG is not set
+# CONFIG_ATOMIC64_SELFTEST is not set
+# CONFIG_SAMPLES is not set
+CONFIG_HAVE_ARCH_KGDB=y
+# CONFIG_KGDB is not set
+CONFIG_HAVE_ARCH_KMEMCHECK=y
+# CONFIG_TEST_KSTRTOX is not set
+# CONFIG_STRICT_DEVMEM is not set
+CONFIG_X86_VERBOSE_BOOTUP=y
+CONFIG_EARLY_PRINTK=y
+# CONFIG_EARLY_PRINTK_DBGP is not set
+# CONFIG_DEBUG_STACKOVERFLOW is not set
+# CONFIG_X86_PTDUMP is not set
+CONFIG_DEBUG_RODATA=y
+CONFIG_DEBUG_RODATA_TEST=y
+# CONFIG_IOMMU_DEBUG is not set
+# CONFIG_IOMMU_STRESS is not set
+CONFIG_HAVE_MMIOTRACE_SUPPORT=y
+CONFIG_IO_DELAY_TYPE_0X80=0
+CONFIG_IO_DELAY_TYPE_0XED=1
+CONFIG_IO_DELAY_TYPE_UDELAY=2
+CONFIG_IO_DELAY_TYPE_NONE=3
+CONFIG_IO_DELAY_0X80=y
+# CONFIG_IO_DELAY_0XED is not set
+# CONFIG_IO_DELAY_UDELAY is not set
+# CONFIG_IO_DELAY_NONE is not set
+CONFIG_DEFAULT_IO_DELAY_TYPE=0
+# CONFIG_CPA_DEBUG is not set
+# CONFIG_OPTIMIZE_INLINING is not set
+# CONFIG_DEBUG_STRICT_USER_COPY_CHECKS is not set
+# CONFIG_DEBUG_NMI_SELFTEST is not set
+
+#
+# Security options
+#
+# CONFIG_KEYS is not set
+# CONFIG_SECURITY_DMESG_RESTRICT is not set
+# CONFIG_SECURITY is not set
+# CONFIG_SECURITYFS is not set
+CONFIG_DEFAULT_SECURITY_DAC=y
+CONFIG_DEFAULT_SECURITY=""
+CONFIG_CRYPTO=y
+
+#
+# Crypto core or helper
+#
+CONFIG_CRYPTO_ALGAPI=y
+CONFIG_CRYPTO_ALGAPI2=y
+CONFIG_CRYPTO_AEAD=y
+CONFIG_CRYPTO_AEAD2=y
+CONFIG_CRYPTO_BLKCIPHER=y
+CONFIG_CRYPTO_BLKCIPHER2=y
+CONFIG_CRYPTO_HASH=y
+CONFIG_CRYPTO_HASH2=y
+CONFIG_CRYPTO_RNG=y
+CONFIG_CRYPTO_RNG2=y
+CONFIG_CRYPTO_PCOMP=y
+CONFIG_CRYPTO_PCOMP2=y
+CONFIG_CRYPTO_MANAGER=y
+CONFIG_CRYPTO_MANAGER2=y
+CONFIG_CRYPTO_USER=y
+CONFIG_CRYPTO_MANAGER_DISABLE_TESTS=y
+CONFIG_CRYPTO_GF128MUL=y
+CONFIG_CRYPTO_NULL=y
+CONFIG_CRYPTO_WORKQUEUE=y
+CONFIG_CRYPTO_CRYPTD=y
+CONFIG_CRYPTO_AUTHENC=y
+
+#
+# Authenticated Encryption with Associated Data
+#
+CONFIG_CRYPTO_CCM=y
+CONFIG_CRYPTO_GCM=y
+CONFIG_CRYPTO_SEQIV=y
+
+#
+# Block modes
+#
+CONFIG_CRYPTO_CBC=y
+CONFIG_CRYPTO_CTR=y
+# CONFIG_CRYPTO_CTS is not set
+CONFIG_CRYPTO_ECB=y
+CONFIG_CRYPTO_LRW=y
+CONFIG_CRYPTO_PCBC=y
+CONFIG_CRYPTO_XTS=y
+
+#
+# Hash modes
+#
+CONFIG_CRYPTO_HMAC=y
+CONFIG_CRYPTO_XCBC=y
+# CONFIG_CRYPTO_VMAC is not set
+
+#
+# Digest
+#
+CONFIG_CRYPTO_CRC32C=y
+# CONFIG_CRYPTO_CRC32C_INTEL is not set
+CONFIG_CRYPTO_GHASH=y
+CONFIG_CRYPTO_MD4=y
+CONFIG_CRYPTO_MD5=y
+CONFIG_CRYPTO_MICHAEL_MIC=y
+CONFIG_CRYPTO_RMD128=y
+CONFIG_CRYPTO_RMD160=y
+CONFIG_CRYPTO_RMD256=y
+CONFIG_CRYPTO_RMD320=y
+CONFIG_CRYPTO_SHA1=y
+# CONFIG_CRYPTO_SHA1_SSSE3 is not set
+CONFIG_CRYPTO_SHA256=y
+CONFIG_CRYPTO_SHA512=y
+CONFIG_CRYPTO_TGR192=y
+CONFIG_CRYPTO_WP512=y
+# CONFIG_CRYPTO_GHASH_CLMUL_NI_INTEL is not set
+
+#
+# Ciphers
+#
+CONFIG_CRYPTO_AES=y
+# CONFIG_CRYPTO_AES_X86_64 is not set
+# CONFIG_CRYPTO_AES_NI_INTEL is not set
+CONFIG_CRYPTO_ANUBIS=y
+CONFIG_CRYPTO_ARC4=y
+CONFIG_CRYPTO_BLOWFISH=y
+CONFIG_CRYPTO_BLOWFISH_COMMON=y
+# CONFIG_CRYPTO_BLOWFISH_X86_64 is not set
+CONFIG_CRYPTO_CAMELLIA=y
+# CONFIG_CRYPTO_CAMELLIA_X86_64 is not set
+CONFIG_CRYPTO_CAST5=y
+CONFIG_CRYPTO_CAST6=y
+CONFIG_CRYPTO_DES=y
+CONFIG_CRYPTO_FCRYPT=y
+CONFIG_CRYPTO_KHAZAD=y
+CONFIG_CRYPTO_SALSA20=y
+# CONFIG_CRYPTO_SALSA20_X86_64 is not set
+CONFIG_CRYPTO_SEED=y
+CONFIG_CRYPTO_SERPENT=y
+# CONFIG_CRYPTO_SERPENT_SSE2_X86_64 is not set
+CONFIG_CRYPTO_TEA=y
+CONFIG_CRYPTO_TWOFISH=y
+CONFIG_CRYPTO_TWOFISH_COMMON=y
+# CONFIG_CRYPTO_TWOFISH_X86_64 is not set
+# CONFIG_CRYPTO_TWOFISH_X86_64_3WAY is not set
+
+#
+# Compression
+#
+CONFIG_CRYPTO_DEFLATE=y
+CONFIG_CRYPTO_ZLIB=y
+# CONFIG_CRYPTO_LZO is not set
+
+#
+# Random Number Generation
+#
+# CONFIG_CRYPTO_ANSI_CPRNG is not set
+CONFIG_CRYPTO_USER_API=y
+CONFIG_CRYPTO_USER_API_HASH=y
+CONFIG_CRYPTO_USER_API_SKCIPHER=y
+# CONFIG_CRYPTO_HW is not set
+CONFIG_HAVE_KVM=y
+CONFIG_VIRTUALIZATION=y
+# CONFIG_KVM is not set
+# CONFIG_VHOST_NET is not set
+# CONFIG_BINARY_PRINTF is not set
+
+#
+# Library routines
+#
+CONFIG_BITREVERSE=y
+CONFIG_GENERIC_STRNCPY_FROM_USER=y
+CONFIG_GENERIC_STRNLEN_USER=y
+CONFIG_GENERIC_FIND_FIRST_BIT=y
+CONFIG_GENERIC_PCI_IOMAP=y
+CONFIG_GENERIC_IOMAP=y
+CONFIG_GENERIC_IO=y
+CONFIG_CRC_CCITT=y
+CONFIG_CRC16=y
+# CONFIG_CRC_T10DIF is not set
+CONFIG_CRC_ITU_T=y
+CONFIG_CRC32=y
+# CONFIG_CRC32_SELFTEST is not set
+CONFIG_CRC32_SLICEBY8=y
+# CONFIG_CRC32_SLICEBY4 is not set
+# CONFIG_CRC32_SARWATE is not set
+# CONFIG_CRC32_BIT is not set
+CONFIG_CRC7=y
+CONFIG_LIBCRC32C=y
+# CONFIG_CRC8 is not set
+CONFIG_ZLIB_INFLATE=y
+CONFIG_ZLIB_DEFLATE=y
+# CONFIG_XZ_DEC is not set
+# CONFIG_XZ_DEC_BCJ is not set
+CONFIG_TEXTSEARCH=y
+CONFIG_TEXTSEARCH_KMP=y
+CONFIG_TEXTSEARCH_BM=y
+CONFIG_TEXTSEARCH_FSM=y
+CONFIG_HAS_IOMEM=y
+CONFIG_HAS_IOPORT=y
+CONFIG_HAS_DMA=y
+CONFIG_DQL=y
+CONFIG_NLATTR=y
+# CONFIG_AVERAGE is not set
+# CONFIG_CORDIC is not set
+# CONFIG_DDR is not set
diff --git a/testing/config/kernel/config-3.6 b/testing/config/kernel/config-3.6
new file mode 100644
index 000000000..8755bf772
--- /dev/null
+++ b/testing/config/kernel/config-3.6
@@ -0,0 +1,1830 @@
+#
+# Automatically generated file; DO NOT EDIT.
+# Linux/x86_64 3.6.11 Kernel Configuration
+#
+CONFIG_64BIT=y
+# CONFIG_X86_32 is not set
+CONFIG_X86_64=y
+CONFIG_X86=y
+CONFIG_INSTRUCTION_DECODER=y
+CONFIG_OUTPUT_FORMAT="elf64-x86-64"
+CONFIG_ARCH_DEFCONFIG="arch/x86/configs/x86_64_defconfig"
+CONFIG_LOCKDEP_SUPPORT=y
+CONFIG_STACKTRACE_SUPPORT=y
+CONFIG_HAVE_LATENCYTOP_SUPPORT=y
+CONFIG_MMU=y
+CONFIG_NEED_DMA_MAP_STATE=y
+CONFIG_NEED_SG_DMA_LENGTH=y
+CONFIG_GENERIC_ISA_DMA=y
+CONFIG_GENERIC_BUG=y
+CONFIG_GENERIC_BUG_RELATIVE_POINTERS=y
+CONFIG_GENERIC_HWEIGHT=y
+CONFIG_ARCH_MAY_HAVE_PC_FDC=y
+# CONFIG_RWSEM_GENERIC_SPINLOCK is not set
+CONFIG_RWSEM_XCHGADD_ALGORITHM=y
+CONFIG_GENERIC_CALIBRATE_DELAY=y
+CONFIG_ARCH_HAS_CPU_RELAX=y
+CONFIG_ARCH_HAS_DEFAULT_IDLE=y
+CONFIG_ARCH_HAS_CACHE_LINE_SIZE=y
+CONFIG_ARCH_HAS_CPU_AUTOPROBE=y
+CONFIG_HAVE_SETUP_PER_CPU_AREA=y
+CONFIG_NEED_PER_CPU_EMBED_FIRST_CHUNK=y
+CONFIG_NEED_PER_CPU_PAGE_FIRST_CHUNK=y
+CONFIG_ARCH_HIBERNATION_POSSIBLE=y
+CONFIG_ARCH_SUSPEND_POSSIBLE=y
+CONFIG_ZONE_DMA32=y
+CONFIG_AUDIT_ARCH=y
+CONFIG_ARCH_SUPPORTS_OPTIMIZED_INLINING=y
+CONFIG_ARCH_SUPPORTS_DEBUG_PAGEALLOC=y
+CONFIG_ARCH_HWEIGHT_CFLAGS="-fcall-saved-rdi -fcall-saved-rsi -fcall-saved-rdx -fcall-saved-rcx -fcall-saved-r8 -fcall-saved-r9 -fcall-saved-r10 -fcall-saved-r11"
+CONFIG_ARCH_SUPPORTS_UPROBES=y
+CONFIG_DEFCONFIG_LIST="/lib/modules/$UNAME_RELEASE/.config"
+CONFIG_HAVE_IRQ_WORK=y
+CONFIG_IRQ_WORK=y
+CONFIG_BUILDTIME_EXTABLE_SORT=y
+
+#
+# General setup
+#
+CONFIG_EXPERIMENTAL=y
+CONFIG_BROKEN_ON_SMP=y
+CONFIG_INIT_ENV_ARG_LIMIT=32
+CONFIG_CROSS_COMPILE=""
+CONFIG_LOCALVERSION=""
+CONFIG_LOCALVERSION_AUTO=y
+CONFIG_HAVE_KERNEL_GZIP=y
+CONFIG_HAVE_KERNEL_BZIP2=y
+CONFIG_HAVE_KERNEL_LZMA=y
+CONFIG_HAVE_KERNEL_XZ=y
+CONFIG_HAVE_KERNEL_LZO=y
+CONFIG_KERNEL_GZIP=y
+# CONFIG_KERNEL_BZIP2 is not set
+# CONFIG_KERNEL_LZMA is not set
+# CONFIG_KERNEL_XZ is not set
+# CONFIG_KERNEL_LZO is not set
+CONFIG_DEFAULT_HOSTNAME="(none)"
+CONFIG_SWAP=y
+CONFIG_SYSVIPC=y
+CONFIG_SYSVIPC_SYSCTL=y
+CONFIG_POSIX_MQUEUE=y
+CONFIG_POSIX_MQUEUE_SYSCTL=y
+CONFIG_BSD_PROCESS_ACCT=y
+# CONFIG_BSD_PROCESS_ACCT_V3 is not set
+# CONFIG_FHANDLE is not set
+# CONFIG_TASKSTATS is not set
+# CONFIG_AUDIT is not set
+CONFIG_HAVE_GENERIC_HARDIRQS=y
+
+#
+# IRQ subsystem
+#
+CONFIG_GENERIC_HARDIRQS=y
+CONFIG_GENERIC_IRQ_PROBE=y
+CONFIG_GENERIC_IRQ_SHOW=y
+CONFIG_IRQ_FORCED_THREADING=y
+CONFIG_SPARSE_IRQ=y
+CONFIG_CLOCKSOURCE_WATCHDOG=y
+CONFIG_ARCH_CLOCKSOURCE_DATA=y
+CONFIG_GENERIC_TIME_VSYSCALL=y
+CONFIG_GENERIC_CLOCKEVENTS=y
+CONFIG_GENERIC_CLOCKEVENTS_BUILD=y
+CONFIG_GENERIC_CLOCKEVENTS_BROADCAST=y
+CONFIG_GENERIC_CLOCKEVENTS_MIN_ADJUST=y
+CONFIG_GENERIC_CMOS_UPDATE=y
+
+#
+# Timers subsystem
+#
+CONFIG_TICK_ONESHOT=y
+CONFIG_NO_HZ=y
+CONFIG_HIGH_RES_TIMERS=y
+
+#
+# RCU Subsystem
+#
+CONFIG_TINY_RCU=y
+# CONFIG_PREEMPT_RCU is not set
+# CONFIG_TREE_RCU_TRACE is not set
+CONFIG_IKCONFIG=y
+CONFIG_IKCONFIG_PROC=y
+CONFIG_LOG_BUF_SHIFT=14
+CONFIG_HAVE_UNSTABLE_SCHED_CLOCK=y
+# CONFIG_CGROUPS is not set
+# CONFIG_CHECKPOINT_RESTORE is not set
+CONFIG_NAMESPACES=y
+# CONFIG_UTS_NS is not set
+# CONFIG_IPC_NS is not set
+# CONFIG_PID_NS is not set
+# CONFIG_NET_NS is not set
+# CONFIG_SCHED_AUTOGROUP is not set
+# CONFIG_SYSFS_DEPRECATED is not set
+# CONFIG_RELAY is not set
+# CONFIG_BLK_DEV_INITRD is not set
+CONFIG_CC_OPTIMIZE_FOR_SIZE=y
+CONFIG_SYSCTL=y
+CONFIG_ANON_INODES=y
+# CONFIG_EXPERT is not set
+# CONFIG_SYSCTL_SYSCALL is not set
+CONFIG_KALLSYMS=y
+# CONFIG_KALLSYMS_ALL is not set
+CONFIG_HOTPLUG=y
+CONFIG_PRINTK=y
+CONFIG_BUG=y
+CONFIG_ELF_CORE=y
+CONFIG_PCSPKR_PLATFORM=y
+CONFIG_HAVE_PCSPKR_PLATFORM=y
+CONFIG_BASE_FULL=y
+CONFIG_FUTEX=y
+CONFIG_EPOLL=y
+CONFIG_SIGNALFD=y
+CONFIG_TIMERFD=y
+CONFIG_EVENTFD=y
+CONFIG_SHMEM=y
+CONFIG_AIO=y
+# CONFIG_EMBEDDED is not set
+CONFIG_HAVE_PERF_EVENTS=y
+
+#
+# Kernel Performance Events And Counters
+#
+CONFIG_PERF_EVENTS=y
+# CONFIG_DEBUG_PERF_USE_VMALLOC is not set
+CONFIG_VM_EVENT_COUNTERS=y
+CONFIG_PCI_QUIRKS=y
+CONFIG_COMPAT_BRK=y
+CONFIG_SLAB=y
+# CONFIG_SLUB is not set
+# CONFIG_PROFILING is not set
+CONFIG_HAVE_OPROFILE=y
+CONFIG_OPROFILE_NMI_TIMER=y
+# CONFIG_JUMP_LABEL is not set
+CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS=y
+CONFIG_HAVE_IOREMAP_PROT=y
+CONFIG_HAVE_KPROBES=y
+CONFIG_HAVE_KRETPROBES=y
+CONFIG_HAVE_OPTPROBES=y
+CONFIG_HAVE_ARCH_TRACEHOOK=y
+CONFIG_HAVE_DMA_ATTRS=y
+CONFIG_GENERIC_SMP_IDLE_THREAD=y
+CONFIG_HAVE_REGS_AND_STACK_ACCESS_API=y
+CONFIG_HAVE_DMA_API_DEBUG=y
+CONFIG_HAVE_HW_BREAKPOINT=y
+CONFIG_HAVE_MIXED_BREAKPOINTS_REGS=y
+CONFIG_HAVE_USER_RETURN_NOTIFIER=y
+CONFIG_HAVE_PERF_EVENTS_NMI=y
+CONFIG_HAVE_ARCH_JUMP_LABEL=y
+CONFIG_ARCH_HAVE_NMI_SAFE_CMPXCHG=y
+CONFIG_HAVE_CMPXCHG_LOCAL=y
+CONFIG_HAVE_CMPXCHG_DOUBLE=y
+CONFIG_HAVE_ARCH_SECCOMP_FILTER=y
+CONFIG_SECCOMP_FILTER=y
+
+#
+# GCOV-based kernel profiling
+#
+# CONFIG_HAVE_GENERIC_DMA_COHERENT is not set
+CONFIG_SLABINFO=y
+CONFIG_RT_MUTEXES=y
+CONFIG_BASE_SMALL=0
+# CONFIG_MODULES is not set
+CONFIG_BLOCK=y
+# CONFIG_BLK_DEV_BSG is not set
+# CONFIG_BLK_DEV_BSGLIB is not set
+# CONFIG_BLK_DEV_INTEGRITY is not set
+
+#
+# Partition Types
+#
+# CONFIG_PARTITION_ADVANCED is not set
+CONFIG_MSDOS_PARTITION=y
+
+#
+# IO Schedulers
+#
+CONFIG_IOSCHED_NOOP=y
+CONFIG_IOSCHED_DEADLINE=y
+CONFIG_IOSCHED_CFQ=y
+# CONFIG_DEFAULT_DEADLINE is not set
+CONFIG_DEFAULT_CFQ=y
+# CONFIG_DEFAULT_NOOP is not set
+CONFIG_DEFAULT_IOSCHED="cfq"
+# CONFIG_INLINE_SPIN_TRYLOCK is not set
+# CONFIG_INLINE_SPIN_TRYLOCK_BH is not set
+# CONFIG_INLINE_SPIN_LOCK is not set
+# CONFIG_INLINE_SPIN_LOCK_BH is not set
+# CONFIG_INLINE_SPIN_LOCK_IRQ is not set
+# CONFIG_INLINE_SPIN_LOCK_IRQSAVE is not set
+# CONFIG_INLINE_SPIN_UNLOCK_BH is not set
+CONFIG_INLINE_SPIN_UNLOCK_IRQ=y
+# CONFIG_INLINE_SPIN_UNLOCK_IRQRESTORE is not set
+# CONFIG_INLINE_READ_TRYLOCK is not set
+# CONFIG_INLINE_READ_LOCK is not set
+# CONFIG_INLINE_READ_LOCK_BH is not set
+# CONFIG_INLINE_READ_LOCK_IRQ is not set
+# CONFIG_INLINE_READ_LOCK_IRQSAVE is not set
+CONFIG_INLINE_READ_UNLOCK=y
+# CONFIG_INLINE_READ_UNLOCK_BH is not set
+CONFIG_INLINE_READ_UNLOCK_IRQ=y
+# CONFIG_INLINE_READ_UNLOCK_IRQRESTORE is not set
+# CONFIG_INLINE_WRITE_TRYLOCK is not set
+# CONFIG_INLINE_WRITE_LOCK is not set
+# CONFIG_INLINE_WRITE_LOCK_BH is not set
+# CONFIG_INLINE_WRITE_LOCK_IRQ is not set
+# CONFIG_INLINE_WRITE_LOCK_IRQSAVE is not set
+CONFIG_INLINE_WRITE_UNLOCK=y
+# CONFIG_INLINE_WRITE_UNLOCK_BH is not set
+CONFIG_INLINE_WRITE_UNLOCK_IRQ=y
+# CONFIG_INLINE_WRITE_UNLOCK_IRQRESTORE is not set
+# CONFIG_MUTEX_SPIN_ON_OWNER is not set
+CONFIG_FREEZER=y
+
+#
+# Processor type and features
+#
+CONFIG_ZONE_DMA=y
+# CONFIG_SMP is not set
+CONFIG_X86_MPPARSE=y
+CONFIG_X86_EXTENDED_PLATFORM=y
+CONFIG_SCHED_OMIT_FRAME_POINTER=y
+CONFIG_PARAVIRT_GUEST=y
+# CONFIG_PARAVIRT_TIME_ACCOUNTING is not set
+# CONFIG_XEN is not set
+# CONFIG_XEN_PRIVILEGED_GUEST is not set
+CONFIG_KVM_CLOCK=y
+CONFIG_KVM_GUEST=y
+CONFIG_PARAVIRT=y
+CONFIG_PARAVIRT_CLOCK=y
+# CONFIG_PARAVIRT_DEBUG is not set
+CONFIG_NO_BOOTMEM=y
+# CONFIG_MEMTEST is not set
+# CONFIG_MK8 is not set
+# CONFIG_MPSC is not set
+CONFIG_MCORE2=y
+# CONFIG_MATOM is not set
+# CONFIG_GENERIC_CPU is not set
+CONFIG_X86_INTERNODE_CACHE_SHIFT=6
+CONFIG_X86_CMPXCHG=y
+CONFIG_X86_L1_CACHE_SHIFT=6
+CONFIG_X86_XADD=y
+CONFIG_X86_WP_WORKS_OK=y
+CONFIG_X86_INTEL_USERCOPY=y
+CONFIG_X86_USE_PPRO_CHECKSUM=y
+CONFIG_X86_P6_NOP=y
+CONFIG_X86_TSC=y
+CONFIG_X86_CMPXCHG64=y
+CONFIG_X86_CMOV=y
+CONFIG_X86_MINIMUM_CPU_FAMILY=64
+CONFIG_X86_DEBUGCTLMSR=y
+CONFIG_CPU_SUP_INTEL=y
+CONFIG_CPU_SUP_AMD=y
+CONFIG_CPU_SUP_CENTAUR=y
+CONFIG_HPET_TIMER=y
+CONFIG_DMI=y
+CONFIG_GART_IOMMU=y
+# CONFIG_CALGARY_IOMMU is not set
+CONFIG_SWIOTLB=y
+CONFIG_IOMMU_HELPER=y
+CONFIG_NR_CPUS=1
+# CONFIG_IRQ_TIME_ACCOUNTING is not set
+CONFIG_PREEMPT_NONE=y
+# CONFIG_PREEMPT_VOLUNTARY is not set
+# CONFIG_PREEMPT is not set
+CONFIG_X86_LOCAL_APIC=y
+CONFIG_X86_IO_APIC=y
+# CONFIG_X86_REROUTE_FOR_BROKEN_BOOT_IRQS is not set
+# CONFIG_X86_MCE is not set
+# CONFIG_I8K is not set
+# CONFIG_MICROCODE is not set
+# CONFIG_X86_MSR is not set
+# CONFIG_X86_CPUID is not set
+CONFIG_ARCH_PHYS_ADDR_T_64BIT=y
+CONFIG_ARCH_DMA_ADDR_T_64BIT=y
+CONFIG_DIRECT_GBPAGES=y
+CONFIG_ARCH_SPARSEMEM_ENABLE=y
+CONFIG_ARCH_SPARSEMEM_DEFAULT=y
+CONFIG_ARCH_SELECT_MEMORY_MODEL=y
+CONFIG_ARCH_MEMORY_PROBE=y
+CONFIG_ARCH_PROC_KCORE_TEXT=y
+CONFIG_ILLEGAL_POINTER_VALUE=0xdead000000000000
+CONFIG_SELECT_MEMORY_MODEL=y
+CONFIG_SPARSEMEM_MANUAL=y
+CONFIG_SPARSEMEM=y
+CONFIG_HAVE_MEMORY_PRESENT=y
+CONFIG_SPARSEMEM_EXTREME=y
+CONFIG_SPARSEMEM_VMEMMAP_ENABLE=y
+CONFIG_SPARSEMEM_ALLOC_MEM_MAP_TOGETHER=y
+CONFIG_SPARSEMEM_VMEMMAP=y
+CONFIG_HAVE_MEMBLOCK=y
+CONFIG_HAVE_MEMBLOCK_NODE_MAP=y
+CONFIG_ARCH_DISCARD_MEMBLOCK=y
+CONFIG_MEMORY_ISOLATION=y
+CONFIG_MEMORY_HOTPLUG=y
+CONFIG_MEMORY_HOTPLUG_SPARSE=y
+CONFIG_MEMORY_HOTREMOVE=y
+CONFIG_PAGEFLAGS_EXTENDED=y
+CONFIG_SPLIT_PTLOCK_CPUS=4
+# CONFIG_COMPACTION is not set
+CONFIG_MIGRATION=y
+CONFIG_PHYS_ADDR_T_64BIT=y
+CONFIG_ZONE_DMA_FLAG=1
+CONFIG_BOUNCE=y
+CONFIG_VIRT_TO_BUS=y
+# CONFIG_KSM is not set
+CONFIG_DEFAULT_MMAP_MIN_ADDR=4096
+# CONFIG_TRANSPARENT_HUGEPAGE is not set
+CONFIG_CROSS_MEMORY_ATTACH=y
+CONFIG_NEED_PER_CPU_KM=y
+# CONFIG_CLEANCACHE is not set
+# CONFIG_FRONTSWAP is not set
+# CONFIG_X86_CHECK_BIOS_CORRUPTION is not set
+CONFIG_X86_RESERVE_LOW=64
+CONFIG_MTRR=y
+CONFIG_MTRR_SANITIZER=y
+CONFIG_MTRR_SANITIZER_ENABLE_DEFAULT=0
+CONFIG_MTRR_SANITIZER_SPARE_REG_NR_DEFAULT=1
+CONFIG_X86_PAT=y
+CONFIG_ARCH_USES_PG_UNCACHED=y
+CONFIG_ARCH_RANDOM=y
+# CONFIG_EFI is not set
+CONFIG_SECCOMP=y
+# CONFIG_CC_STACKPROTECTOR is not set
+# CONFIG_HZ_100 is not set
+CONFIG_HZ_250=y
+# CONFIG_HZ_300 is not set
+# CONFIG_HZ_1000 is not set
+CONFIG_HZ=250
+CONFIG_SCHED_HRTICK=y
+# CONFIG_KEXEC is not set
+# CONFIG_CRASH_DUMP is not set
+CONFIG_PHYSICAL_START=0x1000000
+CONFIG_RELOCATABLE=y
+CONFIG_PHYSICAL_ALIGN=0x1000000
+# CONFIG_CMDLINE_BOOL is not set
+CONFIG_ARCH_ENABLE_MEMORY_HOTPLUG=y
+CONFIG_ARCH_ENABLE_MEMORY_HOTREMOVE=y
+
+#
+# Power management and ACPI options
+#
+CONFIG_SUSPEND=y
+CONFIG_SUSPEND_FREEZER=y
+# CONFIG_HIBERNATION is not set
+CONFIG_PM_SLEEP=y
+# CONFIG_PM_AUTOSLEEP is not set
+# CONFIG_PM_WAKELOCKS is not set
+# CONFIG_PM_RUNTIME is not set
+CONFIG_PM=y
+# CONFIG_PM_DEBUG is not set
+CONFIG_ACPI=y
+CONFIG_ACPI_SLEEP=y
+# CONFIG_ACPI_PROCFS is not set
+# CONFIG_ACPI_PROCFS_POWER is not set
+# CONFIG_ACPI_EC_DEBUGFS is not set
+CONFIG_ACPI_PROC_EVENT=y
+CONFIG_ACPI_AC=y
+CONFIG_ACPI_BATTERY=y
+CONFIG_ACPI_BUTTON=y
+CONFIG_ACPI_FAN=y
+# CONFIG_ACPI_DOCK is not set
+CONFIG_ACPI_PROCESSOR=y
+# CONFIG_ACPI_PROCESSOR_AGGREGATOR is not set
+CONFIG_ACPI_THERMAL=y
+# CONFIG_ACPI_CUSTOM_DSDT is not set
+CONFIG_ACPI_BLACKLIST_YEAR=0
+# CONFIG_ACPI_DEBUG is not set
+# CONFIG_ACPI_PCI_SLOT is not set
+CONFIG_X86_PM_TIMER=y
+# CONFIG_ACPI_CONTAINER is not set
+# CONFIG_ACPI_HOTPLUG_MEMORY is not set
+# CONFIG_ACPI_SBS is not set
+# CONFIG_ACPI_HED is not set
+# CONFIG_ACPI_BGRT is not set
+# CONFIG_ACPI_APEI is not set
+# CONFIG_SFI is not set
+
+#
+# CPU Frequency scaling
+#
+# CONFIG_CPU_FREQ is not set
+CONFIG_CPU_IDLE=y
+CONFIG_CPU_IDLE_GOV_LADDER=y
+CONFIG_CPU_IDLE_GOV_MENU=y
+# CONFIG_ARCH_NEEDS_CPU_IDLE_COUPLED is not set
+# CONFIG_INTEL_IDLE is not set
+
+#
+# Memory power savings
+#
+# CONFIG_I7300_IDLE is not set
+
+#
+# Bus options (PCI etc.)
+#
+CONFIG_PCI=y
+CONFIG_PCI_DIRECT=y
+# CONFIG_PCI_MMCONFIG is not set
+CONFIG_PCI_DOMAINS=y
+# CONFIG_PCI_CNB20LE_QUIRK is not set
+# CONFIG_PCIEPORTBUS is not set
+CONFIG_ARCH_SUPPORTS_MSI=y
+CONFIG_PCI_MSI=y
+# CONFIG_PCI_DEBUG is not set
+# CONFIG_PCI_REALLOC_ENABLE_AUTO is not set
+# CONFIG_PCI_STUB is not set
+CONFIG_HT_IRQ=y
+# CONFIG_PCI_IOV is not set
+# CONFIG_PCI_PRI is not set
+# CONFIG_PCI_PASID is not set
+# CONFIG_PCI_IOAPIC is not set
+CONFIG_PCI_LABEL=y
+CONFIG_ISA_DMA_API=y
+CONFIG_AMD_NB=y
+# CONFIG_PCCARD is not set
+# CONFIG_HOTPLUG_PCI is not set
+# CONFIG_RAPIDIO is not set
+
+#
+# Executable file formats / Emulations
+#
+CONFIG_BINFMT_ELF=y
+CONFIG_ARCH_BINFMT_ELF_RANDOMIZE_PIE=y
+# CONFIG_CORE_DUMP_DEFAULT_ELF_HEADERS is not set
+# CONFIG_HAVE_AOUT is not set
+# CONFIG_BINFMT_MISC is not set
+# CONFIG_IA32_EMULATION is not set
+# CONFIG_COMPAT_FOR_U64_ALIGNMENT is not set
+CONFIG_HAVE_TEXT_POKE_SMP=y
+CONFIG_X86_DEV_DMA_OPS=y
+CONFIG_NET=y
+
+#
+# Networking options
+#
+CONFIG_PACKET=y
+CONFIG_UNIX=y
+# CONFIG_UNIX_DIAG is not set
+CONFIG_XFRM=y
+CONFIG_XFRM_ALGO=y
+CONFIG_XFRM_USER=y
+CONFIG_XFRM_SUB_POLICY=y
+CONFIG_XFRM_MIGRATE=y
+CONFIG_XFRM_STATISTICS=y
+CONFIG_XFRM_IPCOMP=y
+CONFIG_NET_KEY=y
+CONFIG_NET_KEY_MIGRATE=y
+CONFIG_INET=y
+# CONFIG_IP_MULTICAST is not set
+CONFIG_IP_ADVANCED_ROUTER=y
+# CONFIG_IP_FIB_TRIE_STATS is not set
+CONFIG_IP_MULTIPLE_TABLES=y
+# CONFIG_IP_ROUTE_MULTIPATH is not set
+# CONFIG_IP_ROUTE_VERBOSE is not set
+CONFIG_IP_ROUTE_CLASSID=y
+# CONFIG_IP_PNP is not set
+# CONFIG_NET_IPIP is not set
+# CONFIG_NET_IPGRE_DEMUX is not set
+# CONFIG_ARPD is not set
+# CONFIG_SYN_COOKIES is not set
+# CONFIG_NET_IPVTI is not set
+CONFIG_INET_AH=y
+CONFIG_INET_ESP=y
+CONFIG_INET_IPCOMP=y
+CONFIG_INET_XFRM_TUNNEL=y
+CONFIG_INET_TUNNEL=y
+CONFIG_INET_XFRM_MODE_TRANSPORT=y
+CONFIG_INET_XFRM_MODE_TUNNEL=y
+CONFIG_INET_XFRM_MODE_BEET=y
+# CONFIG_INET_LRO is not set
+CONFIG_INET_DIAG=y
+CONFIG_INET_TCP_DIAG=y
+# CONFIG_INET_UDP_DIAG is not set
+# CONFIG_TCP_CONG_ADVANCED is not set
+CONFIG_TCP_CONG_CUBIC=y
+CONFIG_DEFAULT_TCP_CONG="cubic"
+# CONFIG_TCP_MD5SIG is not set
+CONFIG_IPV6=y
+# CONFIG_IPV6_PRIVACY is not set
+# CONFIG_IPV6_ROUTER_PREF is not set
+CONFIG_IPV6_OPTIMISTIC_DAD=y
+CONFIG_INET6_AH=y
+CONFIG_INET6_ESP=y
+CONFIG_INET6_IPCOMP=y
+CONFIG_IPV6_MIP6=y
+CONFIG_INET6_XFRM_TUNNEL=y
+CONFIG_INET6_TUNNEL=y
+CONFIG_INET6_XFRM_MODE_TRANSPORT=y
+CONFIG_INET6_XFRM_MODE_TUNNEL=y
+CONFIG_INET6_XFRM_MODE_BEET=y
+# CONFIG_INET6_XFRM_MODE_ROUTEOPTIMIZATION is not set
+# CONFIG_IPV6_SIT is not set
+# CONFIG_IPV6_TUNNEL is not set
+CONFIG_IPV6_MULTIPLE_TABLES=y
+CONFIG_IPV6_SUBTREES=y
+# CONFIG_IPV6_MROUTE is not set
+# CONFIG_NETWORK_SECMARK is not set
+# CONFIG_NETWORK_PHY_TIMESTAMPING is not set
+CONFIG_NETFILTER=y
+# CONFIG_NETFILTER_DEBUG is not set
+CONFIG_NETFILTER_ADVANCED=y
+
+#
+# Core Netfilter Configuration
+#
+CONFIG_NETFILTER_NETLINK=y
+# CONFIG_NETFILTER_NETLINK_ACCT is not set
+CONFIG_NETFILTER_NETLINK_QUEUE=y
+CONFIG_NETFILTER_NETLINK_LOG=y
+CONFIG_NF_CONNTRACK=y
+CONFIG_NF_CONNTRACK_MARK=y
+CONFIG_NF_CONNTRACK_PROCFS=y
+CONFIG_NF_CONNTRACK_EVENTS=y
+# CONFIG_NF_CONNTRACK_TIMEOUT is not set
+# CONFIG_NF_CONNTRACK_TIMESTAMP is not set
+# CONFIG_NF_CT_PROTO_DCCP is not set
+# CONFIG_NF_CT_PROTO_SCTP is not set
+CONFIG_NF_CT_PROTO_UDPLITE=y
+# CONFIG_NF_CONNTRACK_AMANDA is not set
+# CONFIG_NF_CONNTRACK_FTP is not set
+# CONFIG_NF_CONNTRACK_H323 is not set
+# CONFIG_NF_CONNTRACK_IRC is not set
+# CONFIG_NF_CONNTRACK_NETBIOS_NS is not set
+# CONFIG_NF_CONNTRACK_SNMP is not set
+# CONFIG_NF_CONNTRACK_PPTP is not set
+CONFIG_NF_CONNTRACK_SANE=y
+# CONFIG_NF_CONNTRACK_SIP is not set
+# CONFIG_NF_CONNTRACK_TFTP is not set
+CONFIG_NF_CT_NETLINK=y
+# CONFIG_NF_CT_NETLINK_TIMEOUT is not set
+# CONFIG_NETFILTER_NETLINK_QUEUE_CT is not set
+# CONFIG_NETFILTER_TPROXY is not set
+CONFIG_NETFILTER_XTABLES=y
+
+#
+# Xtables combined modules
+#
+CONFIG_NETFILTER_XT_MARK=y
+CONFIG_NETFILTER_XT_CONNMARK=y
+CONFIG_NETFILTER_XT_SET=y
+
+#
+# Xtables targets
+#
+# CONFIG_NETFILTER_XT_TARGET_CHECKSUM is not set
+CONFIG_NETFILTER_XT_TARGET_CLASSIFY=y
+CONFIG_NETFILTER_XT_TARGET_CONNMARK=y
+# CONFIG_NETFILTER_XT_TARGET_CT is not set
+CONFIG_NETFILTER_XT_TARGET_DSCP=y
+CONFIG_NETFILTER_XT_TARGET_HL=y
+# CONFIG_NETFILTER_XT_TARGET_HMARK is not set
+# CONFIG_NETFILTER_XT_TARGET_IDLETIMER is not set
+CONFIG_NETFILTER_XT_TARGET_LOG=y
+CONFIG_NETFILTER_XT_TARGET_MARK=y
+CONFIG_NETFILTER_XT_TARGET_NFLOG=y
+CONFIG_NETFILTER_XT_TARGET_NFQUEUE=y
+CONFIG_NETFILTER_XT_TARGET_NOTRACK=y
+# CONFIG_NETFILTER_XT_TARGET_RATEEST is not set
+# CONFIG_NETFILTER_XT_TARGET_TEE is not set
+CONFIG_NETFILTER_XT_TARGET_TRACE=y
+CONFIG_NETFILTER_XT_TARGET_TCPMSS=y
+# CONFIG_NETFILTER_XT_TARGET_TCPOPTSTRIP is not set
+
+#
+# Xtables matches
+#
+CONFIG_NETFILTER_XT_MATCH_ADDRTYPE=y
+CONFIG_NETFILTER_XT_MATCH_CLUSTER=y
+CONFIG_NETFILTER_XT_MATCH_COMMENT=y
+CONFIG_NETFILTER_XT_MATCH_CONNBYTES=y
+CONFIG_NETFILTER_XT_MATCH_CONNLIMIT=y
+CONFIG_NETFILTER_XT_MATCH_CONNMARK=y
+CONFIG_NETFILTER_XT_MATCH_CONNTRACK=y
+# CONFIG_NETFILTER_XT_MATCH_CPU is not set
+CONFIG_NETFILTER_XT_MATCH_DCCP=y
+CONFIG_NETFILTER_XT_MATCH_DEVGROUP=y
+CONFIG_NETFILTER_XT_MATCH_DSCP=y
+CONFIG_NETFILTER_XT_MATCH_ECN=y
+CONFIG_NETFILTER_XT_MATCH_ESP=y
+CONFIG_NETFILTER_XT_MATCH_HASHLIMIT=y
+CONFIG_NETFILTER_XT_MATCH_HELPER=y
+CONFIG_NETFILTER_XT_MATCH_HL=y
+# CONFIG_NETFILTER_XT_MATCH_IPRANGE is not set
+CONFIG_NETFILTER_XT_MATCH_LENGTH=y
+CONFIG_NETFILTER_XT_MATCH_LIMIT=y
+CONFIG_NETFILTER_XT_MATCH_MAC=y
+CONFIG_NETFILTER_XT_MATCH_MARK=y
+CONFIG_NETFILTER_XT_MATCH_MULTIPORT=y
+# CONFIG_NETFILTER_XT_MATCH_NFACCT is not set
+# CONFIG_NETFILTER_XT_MATCH_OSF is not set
+# CONFIG_NETFILTER_XT_MATCH_OWNER is not set
+CONFIG_NETFILTER_XT_MATCH_POLICY=y
+CONFIG_NETFILTER_XT_MATCH_PKTTYPE=y
+CONFIG_NETFILTER_XT_MATCH_QUOTA=y
+# CONFIG_NETFILTER_XT_MATCH_RATEEST is not set
+CONFIG_NETFILTER_XT_MATCH_REALM=y
+# CONFIG_NETFILTER_XT_MATCH_RECENT is not set
+CONFIG_NETFILTER_XT_MATCH_SCTP=y
+CONFIG_NETFILTER_XT_MATCH_STATE=y
+CONFIG_NETFILTER_XT_MATCH_STATISTIC=y
+CONFIG_NETFILTER_XT_MATCH_STRING=y
+CONFIG_NETFILTER_XT_MATCH_TCPMSS=y
+# CONFIG_NETFILTER_XT_MATCH_TIME is not set
+CONFIG_NETFILTER_XT_MATCH_U32=y
+CONFIG_IP_SET=y
+CONFIG_IP_SET_MAX=256
+CONFIG_IP_SET_BITMAP_IP=y
+CONFIG_IP_SET_BITMAP_IPMAC=y
+CONFIG_IP_SET_BITMAP_PORT=y
+CONFIG_IP_SET_HASH_IP=y
+CONFIG_IP_SET_HASH_IPPORT=y
+CONFIG_IP_SET_HASH_IPPORTIP=y
+CONFIG_IP_SET_HASH_IPPORTNET=y
+CONFIG_IP_SET_HASH_NET=y
+CONFIG_IP_SET_HASH_NETPORT=y
+# CONFIG_IP_SET_HASH_NETIFACE is not set
+CONFIG_IP_SET_LIST_SET=y
+# CONFIG_IP_VS is not set
+
+#
+# IP: Netfilter Configuration
+#
+CONFIG_NF_DEFRAG_IPV4=y
+CONFIG_NF_CONNTRACK_IPV4=y
+CONFIG_NF_CONNTRACK_PROC_COMPAT=y
+CONFIG_IP_NF_QUEUE=y
+CONFIG_IP_NF_IPTABLES=y
+CONFIG_IP_NF_MATCH_AH=y
+CONFIG_IP_NF_MATCH_ECN=y
+# CONFIG_IP_NF_MATCH_RPFILTER is not set
+CONFIG_IP_NF_MATCH_TTL=y
+CONFIG_IP_NF_FILTER=y
+CONFIG_IP_NF_TARGET_REJECT=y
+CONFIG_IP_NF_TARGET_ULOG=y
+CONFIG_NF_NAT=y
+CONFIG_NF_NAT_NEEDED=y
+CONFIG_IP_NF_TARGET_MASQUERADE=y
+CONFIG_IP_NF_TARGET_NETMAP=y
+CONFIG_IP_NF_TARGET_REDIRECT=y
+CONFIG_NF_NAT_PROTO_UDPLITE=y
+# CONFIG_NF_NAT_FTP is not set
+# CONFIG_NF_NAT_IRC is not set
+# CONFIG_NF_NAT_TFTP is not set
+# CONFIG_NF_NAT_AMANDA is not set
+# CONFIG_NF_NAT_PPTP is not set
+# CONFIG_NF_NAT_H323 is not set
+# CONFIG_NF_NAT_SIP is not set
+CONFIG_IP_NF_MANGLE=y
+CONFIG_IP_NF_TARGET_CLUSTERIP=y
+CONFIG_IP_NF_TARGET_ECN=y
+CONFIG_IP_NF_TARGET_TTL=y
+CONFIG_IP_NF_RAW=y
+CONFIG_IP_NF_ARPTABLES=y
+CONFIG_IP_NF_ARPFILTER=y
+CONFIG_IP_NF_ARP_MANGLE=y
+
+#
+# IPv6: Netfilter Configuration
+#
+CONFIG_NF_DEFRAG_IPV6=y
+CONFIG_NF_CONNTRACK_IPV6=y
+CONFIG_IP6_NF_IPTABLES=y
+CONFIG_IP6_NF_MATCH_AH=y
+CONFIG_IP6_NF_MATCH_EUI64=y
+CONFIG_IP6_NF_MATCH_FRAG=y
+CONFIG_IP6_NF_MATCH_OPTS=y
+CONFIG_IP6_NF_MATCH_HL=y
+CONFIG_IP6_NF_MATCH_IPV6HEADER=y
+CONFIG_IP6_NF_MATCH_MH=y
+# CONFIG_IP6_NF_MATCH_RPFILTER is not set
+CONFIG_IP6_NF_MATCH_RT=y
+CONFIG_IP6_NF_TARGET_HL=y
+CONFIG_IP6_NF_FILTER=y
+CONFIG_IP6_NF_TARGET_REJECT=y
+CONFIG_IP6_NF_MANGLE=y
+CONFIG_IP6_NF_RAW=y
+# CONFIG_IP_DCCP is not set
+# CONFIG_IP_SCTP is not set
+# CONFIG_RDS is not set
+# CONFIG_TIPC is not set
+# CONFIG_ATM is not set
+CONFIG_L2TP=y
+# CONFIG_L2TP_V3 is not set
+# CONFIG_BRIDGE is not set
+# CONFIG_NET_DSA is not set
+# CONFIG_VLAN_8021Q is not set
+# CONFIG_DECNET is not set
+# CONFIG_LLC2 is not set
+# CONFIG_IPX is not set
+# CONFIG_ATALK is not set
+# CONFIG_X25 is not set
+# CONFIG_LAPB is not set
+# CONFIG_WAN_ROUTER is not set
+# CONFIG_PHONET is not set
+# CONFIG_IEEE802154 is not set
+# CONFIG_NET_SCHED is not set
+# CONFIG_DCB is not set
+# CONFIG_BATMAN_ADV is not set
+# CONFIG_OPENVSWITCH is not set
+CONFIG_BQL=y
+
+#
+# Network testing
+#
+# CONFIG_NET_PKTGEN is not set
+# CONFIG_HAMRADIO is not set
+# CONFIG_CAN is not set
+# CONFIG_IRDA is not set
+# CONFIG_BT is not set
+# CONFIG_AF_RXRPC is not set
+CONFIG_FIB_RULES=y
+CONFIG_WIRELESS=y
+# CONFIG_CFG80211 is not set
+# CONFIG_LIB80211 is not set
+
+#
+# CFG80211 needs to be enabled for MAC80211
+#
+# CONFIG_WIMAX is not set
+# CONFIG_RFKILL is not set
+CONFIG_NET_9P=y
+CONFIG_NET_9P_VIRTIO=y
+# CONFIG_NET_9P_DEBUG is not set
+# CONFIG_CAIF is not set
+# CONFIG_CEPH_LIB is not set
+# CONFIG_NFC is not set
+CONFIG_HAVE_BPF_JIT=y
+
+#
+# Device Drivers
+#
+
+#
+# Generic Driver Options
+#
+CONFIG_UEVENT_HELPER_PATH="/sbin/hotplug"
+# CONFIG_DEVTMPFS is not set
+CONFIG_STANDALONE=y
+CONFIG_PREVENT_FIRMWARE_BUILD=y
+CONFIG_FW_LOADER=y
+CONFIG_FIRMWARE_IN_KERNEL=y
+CONFIG_EXTRA_FIRMWARE=""
+# CONFIG_DEBUG_DRIVER is not set
+# CONFIG_DEBUG_DEVRES is not set
+# CONFIG_SYS_HYPERVISOR is not set
+# CONFIG_GENERIC_CPU_DEVICES is not set
+# CONFIG_DMA_SHARED_BUFFER is not set
+# CONFIG_CONNECTOR is not set
+# CONFIG_MTD is not set
+# CONFIG_PARPORT is not set
+CONFIG_PNP=y
+CONFIG_PNP_DEBUG_MESSAGES=y
+
+#
+# Protocols
+#
+CONFIG_PNPACPI=y
+CONFIG_BLK_DEV=y
+# CONFIG_BLK_DEV_FD is not set
+# CONFIG_BLK_DEV_PCIESSD_MTIP32XX is not set
+# CONFIG_BLK_CPQ_DA is not set
+# CONFIG_BLK_CPQ_CISS_DA is not set
+# CONFIG_BLK_DEV_DAC960 is not set
+# CONFIG_BLK_DEV_UMEM is not set
+# CONFIG_BLK_DEV_COW_COMMON is not set
+CONFIG_BLK_DEV_LOOP=y
+CONFIG_BLK_DEV_LOOP_MIN_COUNT=8
+# CONFIG_BLK_DEV_CRYPTOLOOP is not set
+
+#
+# DRBD disabled because PROC_FS, INET or CONNECTOR not selected
+#
+CONFIG_BLK_DEV_NBD=y
+# CONFIG_BLK_DEV_NVME is not set
+# CONFIG_BLK_DEV_SX8 is not set
+# CONFIG_BLK_DEV_RAM is not set
+# CONFIG_CDROM_PKTCDVD is not set
+# CONFIG_ATA_OVER_ETH is not set
+CONFIG_VIRTIO_BLK=y
+# CONFIG_BLK_DEV_HD is not set
+# CONFIG_BLK_DEV_RBD is not set
+
+#
+# Misc devices
+#
+# CONFIG_SENSORS_LIS3LV02D is not set
+# CONFIG_IBM_ASM is not set
+# CONFIG_PHANTOM is not set
+# CONFIG_INTEL_MID_PTI is not set
+# CONFIG_SGI_IOC4 is not set
+# CONFIG_TIFM_CORE is not set
+# CONFIG_ENCLOSURE_SERVICES is not set
+# CONFIG_HP_ILO is not set
+# CONFIG_VMWARE_BALLOON is not set
+# CONFIG_PCH_PHUB is not set
+# CONFIG_C2PORT is not set
+
+#
+# EEPROM support
+#
+# CONFIG_EEPROM_93CX6 is not set
+# CONFIG_CB710_CORE is not set
+
+#
+# Texas Instruments shared transport line discipline
+#
+
+#
+# Altera FPGA firmware download module
+#
+CONFIG_HAVE_IDE=y
+# CONFIG_IDE is not set
+
+#
+# SCSI device support
+#
+CONFIG_SCSI_MOD=y
+# CONFIG_RAID_ATTRS is not set
+# CONFIG_SCSI is not set
+# CONFIG_SCSI_DMA is not set
+# CONFIG_SCSI_NETLINK is not set
+# CONFIG_ATA is not set
+# CONFIG_MD is not set
+# CONFIG_FUSION is not set
+
+#
+# IEEE 1394 (FireWire) support
+#
+# CONFIG_FIREWIRE is not set
+# CONFIG_FIREWIRE_NOSY is not set
+# CONFIG_I2O is not set
+# CONFIG_MACINTOSH_DRIVERS is not set
+CONFIG_NETDEVICES=y
+CONFIG_NET_CORE=y
+# CONFIG_BONDING is not set
+CONFIG_DUMMY=y
+# CONFIG_EQUALIZER is not set
+# CONFIG_MII is not set
+# CONFIG_NET_TEAM is not set
+# CONFIG_MACVLAN is not set
+# CONFIG_NETCONSOLE is not set
+# CONFIG_NETPOLL is not set
+# CONFIG_NET_POLL_CONTROLLER is not set
+CONFIG_TUN=y
+# CONFIG_VETH is not set
+CONFIG_VIRTIO_NET=y
+# CONFIG_ARCNET is not set
+
+#
+# CAIF transport drivers
+#
+CONFIG_ETHERNET=y
+CONFIG_NET_VENDOR_3COM=y
+# CONFIG_VORTEX is not set
+# CONFIG_TYPHOON is not set
+CONFIG_NET_VENDOR_ADAPTEC=y
+# CONFIG_ADAPTEC_STARFIRE is not set
+CONFIG_NET_VENDOR_ALTEON=y
+# CONFIG_ACENIC is not set
+CONFIG_NET_VENDOR_AMD=y
+# CONFIG_AMD8111_ETH is not set
+# CONFIG_PCNET32 is not set
+CONFIG_NET_VENDOR_ATHEROS=y
+# CONFIG_ATL2 is not set
+# CONFIG_ATL1 is not set
+# CONFIG_ATL1E is not set
+# CONFIG_ATL1C is not set
+CONFIG_NET_VENDOR_BROADCOM=y
+# CONFIG_B44 is not set
+# CONFIG_BNX2 is not set
+# CONFIG_CNIC is not set
+# CONFIG_TIGON3 is not set
+# CONFIG_BNX2X is not set
+CONFIG_NET_VENDOR_BROCADE=y
+# CONFIG_BNA is not set
+# CONFIG_NET_CALXEDA_XGMAC is not set
+CONFIG_NET_VENDOR_CHELSIO=y
+# CONFIG_CHELSIO_T1 is not set
+# CONFIG_CHELSIO_T3 is not set
+# CONFIG_CHELSIO_T4 is not set
+# CONFIG_CHELSIO_T4VF is not set
+CONFIG_NET_VENDOR_CISCO=y
+# CONFIG_ENIC is not set
+# CONFIG_DNET is not set
+CONFIG_NET_VENDOR_DEC=y
+# CONFIG_NET_TULIP is not set
+CONFIG_NET_VENDOR_DLINK=y
+# CONFIG_DL2K is not set
+# CONFIG_SUNDANCE is not set
+CONFIG_NET_VENDOR_EMULEX=y
+# CONFIG_BE2NET is not set
+CONFIG_NET_VENDOR_EXAR=y
+# CONFIG_S2IO is not set
+# CONFIG_VXGE is not set
+CONFIG_NET_VENDOR_HP=y
+# CONFIG_HP100 is not set
+CONFIG_NET_VENDOR_INTEL=y
+# CONFIG_E100 is not set
+# CONFIG_E1000 is not set
+# CONFIG_E1000E is not set
+# CONFIG_IGB is not set
+# CONFIG_IGBVF is not set
+# CONFIG_IXGB is not set
+# CONFIG_IXGBE is not set
+# CONFIG_IXGBEVF is not set
+CONFIG_NET_VENDOR_I825XX=y
+# CONFIG_ZNET is not set
+# CONFIG_IP1000 is not set
+# CONFIG_JME is not set
+CONFIG_NET_VENDOR_MARVELL=y
+# CONFIG_SKGE is not set
+# CONFIG_SKY2 is not set
+CONFIG_NET_VENDOR_MELLANOX=y
+# CONFIG_MLX4_EN is not set
+# CONFIG_MLX4_CORE is not set
+CONFIG_NET_VENDOR_MICREL=y
+# CONFIG_KS8851_MLL is not set
+# CONFIG_KSZ884X_PCI is not set
+CONFIG_NET_VENDOR_MYRI=y
+# CONFIG_MYRI10GE is not set
+# CONFIG_FEALNX is not set
+CONFIG_NET_VENDOR_NATSEMI=y
+# CONFIG_NATSEMI is not set
+# CONFIG_NS83820 is not set
+CONFIG_NET_VENDOR_8390=y
+# CONFIG_NE2K_PCI is not set
+CONFIG_NET_VENDOR_NVIDIA=y
+# CONFIG_FORCEDETH is not set
+CONFIG_NET_VENDOR_OKI=y
+# CONFIG_PCH_GBE is not set
+# CONFIG_ETHOC is not set
+CONFIG_NET_PACKET_ENGINE=y
+# CONFIG_HAMACHI is not set
+# CONFIG_YELLOWFIN is not set
+CONFIG_NET_VENDOR_QLOGIC=y
+# CONFIG_QLA3XXX is not set
+# CONFIG_QLCNIC is not set
+# CONFIG_QLGE is not set
+# CONFIG_NETXEN_NIC is not set
+CONFIG_NET_VENDOR_REALTEK=y
+# CONFIG_8139CP is not set
+# CONFIG_8139TOO is not set
+# CONFIG_R8169 is not set
+CONFIG_NET_VENDOR_RDC=y
+# CONFIG_R6040 is not set
+CONFIG_NET_VENDOR_SEEQ=y
+# CONFIG_SEEQ8005 is not set
+CONFIG_NET_VENDOR_SILAN=y
+# CONFIG_SC92031 is not set
+CONFIG_NET_VENDOR_SIS=y
+# CONFIG_SIS900 is not set
+# CONFIG_SIS190 is not set
+# CONFIG_SFC is not set
+CONFIG_NET_VENDOR_SMSC=y
+# CONFIG_EPIC100 is not set
+# CONFIG_SMSC9420 is not set
+CONFIG_NET_VENDOR_STMICRO=y
+# CONFIG_STMMAC_ETH is not set
+CONFIG_NET_VENDOR_SUN=y
+# CONFIG_HAPPYMEAL is not set
+# CONFIG_SUNGEM is not set
+# CONFIG_CASSINI is not set
+# CONFIG_NIU is not set
+CONFIG_NET_VENDOR_TEHUTI=y
+# CONFIG_TEHUTI is not set
+CONFIG_NET_VENDOR_TI=y
+# CONFIG_TLAN is not set
+CONFIG_NET_VENDOR_VIA=y
+# CONFIG_VIA_RHINE is not set
+# CONFIG_VIA_VELOCITY is not set
+CONFIG_NET_VENDOR_WIZNET=y
+# CONFIG_WIZNET_W5100 is not set
+# CONFIG_WIZNET_W5300 is not set
+# CONFIG_FDDI is not set
+# CONFIG_HIPPI is not set
+# CONFIG_NET_SB1000 is not set
+# CONFIG_PHYLIB is not set
+# CONFIG_PPP is not set
+# CONFIG_SLIP is not set
+CONFIG_WLAN=y
+# CONFIG_AIRO is not set
+# CONFIG_ATMEL is not set
+# CONFIG_PRISM54 is not set
+# CONFIG_HOSTAP is not set
+# CONFIG_WL_TI is not set
+
+#
+# Enable WiMAX (Networking options) to see the WiMAX drivers
+#
+# CONFIG_WAN is not set
+# CONFIG_VMXNET3 is not set
+# CONFIG_ISDN is not set
+
+#
+# Input device support
+#
+CONFIG_INPUT=y
+# CONFIG_INPUT_FF_MEMLESS is not set
+# CONFIG_INPUT_POLLDEV is not set
+# CONFIG_INPUT_SPARSEKMAP is not set
+# CONFIG_INPUT_MATRIXKMAP is not set
+
+#
+# Userland interfaces
+#
+CONFIG_INPUT_MOUSEDEV=y
+CONFIG_INPUT_MOUSEDEV_PSAUX=y
+CONFIG_INPUT_MOUSEDEV_SCREEN_X=1024
+CONFIG_INPUT_MOUSEDEV_SCREEN_Y=768
+# CONFIG_INPUT_JOYDEV is not set
+# CONFIG_INPUT_EVDEV is not set
+# CONFIG_INPUT_EVBUG is not set
+
+#
+# Input Device Drivers
+#
+CONFIG_INPUT_KEYBOARD=y
+CONFIG_KEYBOARD_ATKBD=y
+# CONFIG_KEYBOARD_LKKBD is not set
+# CONFIG_KEYBOARD_NEWTON is not set
+# CONFIG_KEYBOARD_OPENCORES is not set
+# CONFIG_KEYBOARD_STOWAWAY is not set
+# CONFIG_KEYBOARD_SUNKBD is not set
+# CONFIG_KEYBOARD_OMAP4 is not set
+# CONFIG_KEYBOARD_XTKBD is not set
+CONFIG_INPUT_MOUSE=y
+CONFIG_MOUSE_PS2=y
+CONFIG_MOUSE_PS2_ALPS=y
+CONFIG_MOUSE_PS2_LOGIPS2PP=y
+CONFIG_MOUSE_PS2_SYNAPTICS=y
+CONFIG_MOUSE_PS2_LIFEBOOK=y
+CONFIG_MOUSE_PS2_TRACKPOINT=y
+# CONFIG_MOUSE_PS2_ELANTECH is not set
+# CONFIG_MOUSE_PS2_SENTELIC is not set
+# CONFIG_MOUSE_PS2_TOUCHKIT is not set
+# CONFIG_MOUSE_SERIAL is not set
+# CONFIG_MOUSE_APPLETOUCH is not set
+# CONFIG_MOUSE_BCM5974 is not set
+# CONFIG_MOUSE_VSXXXAA is not set
+# CONFIG_MOUSE_SYNAPTICS_USB is not set
+# CONFIG_INPUT_JOYSTICK is not set
+# CONFIG_INPUT_TABLET is not set
+# CONFIG_INPUT_TOUCHSCREEN is not set
+# CONFIG_INPUT_MISC is not set
+
+#
+# Hardware I/O ports
+#
+CONFIG_SERIO=y
+CONFIG_SERIO_I8042=y
+CONFIG_SERIO_SERPORT=y
+# CONFIG_SERIO_CT82C710 is not set
+# CONFIG_SERIO_PCIPS2 is not set
+CONFIG_SERIO_LIBPS2=y
+# CONFIG_SERIO_RAW is not set
+# CONFIG_SERIO_ALTERA_PS2 is not set
+# CONFIG_SERIO_PS2MULT is not set
+# CONFIG_GAMEPORT is not set
+
+#
+# Character devices
+#
+CONFIG_VT=y
+CONFIG_CONSOLE_TRANSLATIONS=y
+CONFIG_VT_CONSOLE=y
+CONFIG_VT_CONSOLE_SLEEP=y
+CONFIG_HW_CONSOLE=y
+# CONFIG_VT_HW_CONSOLE_BINDING is not set
+CONFIG_UNIX98_PTYS=y
+# CONFIG_DEVPTS_MULTIPLE_INSTANCES is not set
+CONFIG_LEGACY_PTYS=y
+CONFIG_LEGACY_PTY_COUNT=256
+# CONFIG_SERIAL_NONSTANDARD is not set
+# CONFIG_NOZOMI is not set
+# CONFIG_N_GSM is not set
+# CONFIG_TRACE_SINK is not set
+CONFIG_DEVKMEM=y
+
+#
+# Serial drivers
+#
+# CONFIG_SERIAL_8250 is not set
+CONFIG_FIX_EARLYCON_MEM=y
+
+#
+# Non-8250 serial port support
+#
+# CONFIG_SERIAL_MFD_HSU is not set
+# CONFIG_SERIAL_JSM is not set
+# CONFIG_SERIAL_TIMBERDALE is not set
+# CONFIG_SERIAL_ALTERA_JTAGUART is not set
+# CONFIG_SERIAL_ALTERA_UART is not set
+# CONFIG_SERIAL_PCH_UART is not set
+# CONFIG_SERIAL_XILINX_PS_UART is not set
+CONFIG_HVC_DRIVER=y
+CONFIG_VIRTIO_CONSOLE=y
+# CONFIG_IPMI_HANDLER is not set
+# CONFIG_HW_RANDOM is not set
+# CONFIG_NVRAM is not set
+# CONFIG_RTC is not set
+# CONFIG_GEN_RTC is not set
+# CONFIG_R3964 is not set
+# CONFIG_APPLICOM is not set
+# CONFIG_MWAVE is not set
+# CONFIG_RAW_DRIVER is not set
+# CONFIG_HPET is not set
+# CONFIG_HANGCHECK_TIMER is not set
+# CONFIG_TCG_TPM is not set
+# CONFIG_TELCLOCK is not set
+CONFIG_DEVPORT=y
+# CONFIG_I2C is not set
+# CONFIG_SPI is not set
+# CONFIG_HSI is not set
+
+#
+# PPS support
+#
+# CONFIG_PPS is not set
+
+#
+# PPS generators support
+#
+
+#
+# PTP clock support
+#
+
+#
+# Enable Device Drivers -> PPS to see the PTP clock options.
+#
+CONFIG_ARCH_WANT_OPTIONAL_GPIOLIB=y
+# CONFIG_GPIOLIB is not set
+# CONFIG_W1 is not set
+CONFIG_POWER_SUPPLY=y
+# CONFIG_POWER_SUPPLY_DEBUG is not set
+# CONFIG_PDA_POWER is not set
+# CONFIG_TEST_POWER is not set
+# CONFIG_BATTERY_DS2780 is not set
+# CONFIG_BATTERY_DS2781 is not set
+# CONFIG_BATTERY_BQ27x00 is not set
+# CONFIG_CHARGER_MAX8903 is not set
+# CONFIG_POWER_AVS is not set
+CONFIG_HWMON=y
+# CONFIG_HWMON_VID is not set
+# CONFIG_HWMON_DEBUG_CHIP is not set
+
+#
+# Native drivers
+#
+# CONFIG_SENSORS_ABITUGURU is not set
+# CONFIG_SENSORS_ABITUGURU3 is not set
+# CONFIG_SENSORS_K8TEMP is not set
+# CONFIG_SENSORS_K10TEMP is not set
+# CONFIG_SENSORS_FAM15H_POWER is not set
+# CONFIG_SENSORS_I5K_AMB is not set
+# CONFIG_SENSORS_F71805F is not set
+# CONFIG_SENSORS_F71882FG is not set
+# CONFIG_SENSORS_CORETEMP is not set
+# CONFIG_SENSORS_IT87 is not set
+# CONFIG_SENSORS_NTC_THERMISTOR is not set
+# CONFIG_SENSORS_PC87360 is not set
+# CONFIG_SENSORS_PC87427 is not set
+# CONFIG_SENSORS_SIS5595 is not set
+# CONFIG_SENSORS_SMSC47M1 is not set
+# CONFIG_SENSORS_SMSC47B397 is not set
+# CONFIG_SENSORS_SCH56XX_COMMON is not set
+# CONFIG_SENSORS_VIA_CPUTEMP is not set
+# CONFIG_SENSORS_VIA686A is not set
+# CONFIG_SENSORS_VT1211 is not set
+# CONFIG_SENSORS_VT8231 is not set
+# CONFIG_SENSORS_W83627HF is not set
+# CONFIG_SENSORS_W83627EHF is not set
+# CONFIG_SENSORS_APPLESMC is not set
+
+#
+# ACPI drivers
+#
+# CONFIG_SENSORS_ACPI_POWER is not set
+# CONFIG_SENSORS_ATK0110 is not set
+CONFIG_THERMAL=y
+CONFIG_THERMAL_HWMON=y
+# CONFIG_WATCHDOG is not set
+CONFIG_SSB_POSSIBLE=y
+
+#
+# Sonics Silicon Backplane
+#
+# CONFIG_SSB is not set
+CONFIG_BCMA_POSSIBLE=y
+
+#
+# Broadcom specific AMBA
+#
+# CONFIG_BCMA is not set
+
+#
+# Multifunction device drivers
+#
+# CONFIG_MFD_CORE is not set
+# CONFIG_MFD_SM501 is not set
+# CONFIG_HTC_PASIC3 is not set
+# CONFIG_MFD_TMIO is not set
+# CONFIG_ABX500_CORE is not set
+# CONFIG_MFD_CS5535 is not set
+# CONFIG_LPC_SCH is not set
+# CONFIG_LPC_ICH is not set
+# CONFIG_MFD_RDC321X is not set
+# CONFIG_MFD_JANZ_CMODIO is not set
+# CONFIG_MFD_VX855 is not set
+# CONFIG_REGULATOR is not set
+# CONFIG_MEDIA_SUPPORT is not set
+
+#
+# Graphics support
+#
+# CONFIG_AGP is not set
+CONFIG_VGA_ARB=y
+CONFIG_VGA_ARB_MAX_GPUS=16
+# CONFIG_VGA_SWITCHEROO is not set
+# CONFIG_DRM is not set
+# CONFIG_STUB_POULSBO is not set
+# CONFIG_VGASTATE is not set
+# CONFIG_VIDEO_OUTPUT_CONTROL is not set
+# CONFIG_FB is not set
+# CONFIG_EXYNOS_VIDEO is not set
+# CONFIG_BACKLIGHT_LCD_SUPPORT is not set
+
+#
+# Console display driver support
+#
+CONFIG_VGA_CONSOLE=y
+# CONFIG_VGACON_SOFT_SCROLLBACK is not set
+CONFIG_DUMMY_CONSOLE=y
+CONFIG_SOUND=y
+# CONFIG_SOUND_OSS_CORE is not set
+# CONFIG_SND is not set
+# CONFIG_SOUND_PRIME is not set
+
+#
+# HID support
+#
+CONFIG_HID=y
+# CONFIG_HID_BATTERY_STRENGTH is not set
+# CONFIG_HIDRAW is not set
+# CONFIG_UHID is not set
+CONFIG_HID_GENERIC=y
+
+#
+# Special HID drivers
+#
+CONFIG_USB_ARCH_HAS_OHCI=y
+CONFIG_USB_ARCH_HAS_EHCI=y
+CONFIG_USB_ARCH_HAS_XHCI=y
+CONFIG_USB_SUPPORT=y
+CONFIG_USB_ARCH_HAS_HCD=y
+# CONFIG_USB is not set
+
+#
+# NOTE: USB_STORAGE depends on SCSI but BLK_DEV_SD may
+#
+# CONFIG_USB_GADGET is not set
+
+#
+# OTG and related infrastructure
+#
+# CONFIG_UWB is not set
+# CONFIG_MMC is not set
+# CONFIG_MEMSTICK is not set
+# CONFIG_NEW_LEDS is not set
+# CONFIG_ACCESSIBILITY is not set
+# CONFIG_INFINIBAND is not set
+# CONFIG_EDAC is not set
+# CONFIG_RTC_CLASS is not set
+# CONFIG_DMADEVICES is not set
+# CONFIG_AUXDISPLAY is not set
+# CONFIG_UIO is not set
+CONFIG_VIRTIO=y
+CONFIG_VIRTIO_RING=y
+
+#
+# Virtio drivers
+#
+CONFIG_VIRTIO_PCI=y
+CONFIG_VIRTIO_BALLOON=y
+CONFIG_VIRTIO_MMIO=y
+# CONFIG_VIRTIO_MMIO_CMDLINE_DEVICES is not set
+
+#
+# Microsoft Hyper-V guest support
+#
+# CONFIG_HYPERV is not set
+# CONFIG_STAGING is not set
+CONFIG_X86_PLATFORM_DEVICES=y
+# CONFIG_ACERHDF is not set
+# CONFIG_ASUS_LAPTOP is not set
+# CONFIG_FUJITSU_TABLET is not set
+# CONFIG_HP_ACCEL is not set
+# CONFIG_THINKPAD_ACPI is not set
+# CONFIG_SENSORS_HDAPS is not set
+# CONFIG_INTEL_MENLOW is not set
+# CONFIG_ACPI_WMI is not set
+# CONFIG_TOPSTAR_LAPTOP is not set
+# CONFIG_TOSHIBA_BT_RFKILL is not set
+# CONFIG_ACPI_CMPC is not set
+# CONFIG_INTEL_IPS is not set
+# CONFIG_IBM_RTL is not set
+# CONFIG_XO15_EBOOK is not set
+# CONFIG_SAMSUNG_Q10 is not set
+
+#
+# Hardware Spinlock drivers
+#
+CONFIG_CLKEVT_I8253=y
+CONFIG_I8253_LOCK=y
+CONFIG_CLKBLD_I8253=y
+CONFIG_IOMMU_SUPPORT=y
+# CONFIG_AMD_IOMMU is not set
+# CONFIG_INTEL_IOMMU is not set
+# CONFIG_IRQ_REMAP is not set
+
+#
+# Remoteproc drivers (EXPERIMENTAL)
+#
+
+#
+# Rpmsg drivers (EXPERIMENTAL)
+#
+# CONFIG_VIRT_DRIVERS is not set
+# CONFIG_PM_DEVFREQ is not set
+# CONFIG_EXTCON is not set
+# CONFIG_MEMORY is not set
+# CONFIG_IIO is not set
+# CONFIG_VME_BUS is not set
+# CONFIG_PWM is not set
+
+#
+# Firmware Drivers
+#
+# CONFIG_EDD is not set
+CONFIG_FIRMWARE_MEMMAP=y
+# CONFIG_DELL_RBU is not set
+# CONFIG_DCDBAS is not set
+CONFIG_DMIID=y
+# CONFIG_DMI_SYSFS is not set
+# CONFIG_ISCSI_IBFT_FIND is not set
+# CONFIG_GOOGLE_FIRMWARE is not set
+
+#
+# File systems
+#
+CONFIG_DCACHE_WORD_ACCESS=y
+CONFIG_EXT2_FS=y
+# CONFIG_EXT2_FS_XATTR is not set
+# CONFIG_EXT2_FS_XIP is not set
+CONFIG_EXT3_FS=y
+# CONFIG_EXT3_DEFAULTS_TO_ORDERED is not set
+# CONFIG_EXT3_FS_XATTR is not set
+# CONFIG_EXT4_FS is not set
+CONFIG_JBD=y
+CONFIG_REISERFS_FS=y
+# CONFIG_REISERFS_CHECK is not set
+# CONFIG_REISERFS_PROC_INFO is not set
+# CONFIG_REISERFS_FS_XATTR is not set
+# CONFIG_JFS_FS is not set
+# CONFIG_XFS_FS is not set
+# CONFIG_GFS2_FS is not set
+# CONFIG_BTRFS_FS is not set
+# CONFIG_NILFS2_FS is not set
+CONFIG_FS_POSIX_ACL=y
+CONFIG_FILE_LOCKING=y
+CONFIG_FSNOTIFY=y
+CONFIG_DNOTIFY=y
+CONFIG_INOTIFY_USER=y
+# CONFIG_FANOTIFY is not set
+CONFIG_QUOTA=y
+# CONFIG_QUOTA_NETLINK_INTERFACE is not set
+CONFIG_PRINT_QUOTA_WARNING=y
+# CONFIG_QUOTA_DEBUG is not set
+# CONFIG_QFMT_V1 is not set
+# CONFIG_QFMT_V2 is not set
+CONFIG_QUOTACTL=y
+CONFIG_AUTOFS4_FS=y
+# CONFIG_FUSE_FS is not set
+
+#
+# Caches
+#
+# CONFIG_FSCACHE is not set
+
+#
+# CD-ROM/DVD Filesystems
+#
+CONFIG_ISO9660_FS=y
+CONFIG_JOLIET=y
+# CONFIG_ZISOFS is not set
+# CONFIG_UDF_FS is not set
+
+#
+# DOS/FAT/NT Filesystems
+#
+# CONFIG_MSDOS_FS is not set
+# CONFIG_VFAT_FS is not set
+# CONFIG_NTFS_FS is not set
+
+#
+# Pseudo filesystems
+#
+CONFIG_PROC_FS=y
+CONFIG_PROC_KCORE=y
+CONFIG_PROC_SYSCTL=y
+CONFIG_PROC_PAGE_MONITOR=y
+CONFIG_SYSFS=y
+CONFIG_TMPFS=y
+# CONFIG_TMPFS_POSIX_ACL is not set
+# CONFIG_TMPFS_XATTR is not set
+# CONFIG_HUGETLBFS is not set
+# CONFIG_HUGETLB_PAGE is not set
+# CONFIG_CONFIGFS_FS is not set
+CONFIG_MISC_FILESYSTEMS=y
+# CONFIG_ADFS_FS is not set
+# CONFIG_AFFS_FS is not set
+# CONFIG_HFS_FS is not set
+# CONFIG_HFSPLUS_FS is not set
+# CONFIG_BEFS_FS is not set
+# CONFIG_BFS_FS is not set
+# CONFIG_EFS_FS is not set
+# CONFIG_LOGFS is not set
+# CONFIG_CRAMFS is not set
+# CONFIG_SQUASHFS is not set
+# CONFIG_VXFS_FS is not set
+# CONFIG_MINIX_FS is not set
+# CONFIG_OMFS_FS is not set
+# CONFIG_HPFS_FS is not set
+# CONFIG_QNX4FS_FS is not set
+# CONFIG_QNX6FS_FS is not set
+# CONFIG_ROMFS_FS is not set
+# CONFIG_PSTORE is not set
+# CONFIG_SYSV_FS is not set
+# CONFIG_UFS_FS is not set
+CONFIG_NETWORK_FILESYSTEMS=y
+# CONFIG_NFS_FS is not set
+# CONFIG_NFSD is not set
+# CONFIG_CEPH_FS is not set
+# CONFIG_CIFS is not set
+# CONFIG_NCP_FS is not set
+# CONFIG_CODA_FS is not set
+# CONFIG_AFS_FS is not set
+CONFIG_9P_FS=y
+CONFIG_9P_FS_POSIX_ACL=y
+CONFIG_NLS=y
+CONFIG_NLS_DEFAULT="iso8859-1"
+# CONFIG_NLS_CODEPAGE_437 is not set
+# CONFIG_NLS_CODEPAGE_737 is not set
+# CONFIG_NLS_CODEPAGE_775 is not set
+# CONFIG_NLS_CODEPAGE_850 is not set
+# CONFIG_NLS_CODEPAGE_852 is not set
+# CONFIG_NLS_CODEPAGE_855 is not set
+# CONFIG_NLS_CODEPAGE_857 is not set
+# CONFIG_NLS_CODEPAGE_860 is not set
+# CONFIG_NLS_CODEPAGE_861 is not set
+# CONFIG_NLS_CODEPAGE_862 is not set
+# CONFIG_NLS_CODEPAGE_863 is not set
+# CONFIG_NLS_CODEPAGE_864 is not set
+# CONFIG_NLS_CODEPAGE_865 is not set
+# CONFIG_NLS_CODEPAGE_866 is not set
+# CONFIG_NLS_CODEPAGE_869 is not set
+# CONFIG_NLS_CODEPAGE_936 is not set
+# CONFIG_NLS_CODEPAGE_950 is not set
+# CONFIG_NLS_CODEPAGE_932 is not set
+# CONFIG_NLS_CODEPAGE_949 is not set
+# CONFIG_NLS_CODEPAGE_874 is not set
+# CONFIG_NLS_ISO8859_8 is not set
+# CONFIG_NLS_CODEPAGE_1250 is not set
+# CONFIG_NLS_CODEPAGE_1251 is not set
+# CONFIG_NLS_ASCII is not set
+# CONFIG_NLS_ISO8859_1 is not set
+# CONFIG_NLS_ISO8859_2 is not set
+# CONFIG_NLS_ISO8859_3 is not set
+# CONFIG_NLS_ISO8859_4 is not set
+# CONFIG_NLS_ISO8859_5 is not set
+# CONFIG_NLS_ISO8859_6 is not set
+# CONFIG_NLS_ISO8859_7 is not set
+# CONFIG_NLS_ISO8859_9 is not set
+# CONFIG_NLS_ISO8859_13 is not set
+# CONFIG_NLS_ISO8859_14 is not set
+# CONFIG_NLS_ISO8859_15 is not set
+# CONFIG_NLS_KOI8_R is not set
+# CONFIG_NLS_KOI8_U is not set
+# CONFIG_NLS_MAC_ROMAN is not set
+# CONFIG_NLS_MAC_CELTIC is not set
+# CONFIG_NLS_MAC_CENTEURO is not set
+# CONFIG_NLS_MAC_CROATIAN is not set
+# CONFIG_NLS_MAC_CYRILLIC is not set
+# CONFIG_NLS_MAC_GAELIC is not set
+# CONFIG_NLS_MAC_GREEK is not set
+# CONFIG_NLS_MAC_ICELAND is not set
+# CONFIG_NLS_MAC_INUIT is not set
+# CONFIG_NLS_MAC_ROMANIAN is not set
+# CONFIG_NLS_MAC_TURKISH is not set
+# CONFIG_NLS_UTF8 is not set
+
+#
+# Kernel hacking
+#
+CONFIG_TRACE_IRQFLAGS_SUPPORT=y
+# CONFIG_PRINTK_TIME is not set
+CONFIG_DEFAULT_MESSAGE_LOGLEVEL=4
+CONFIG_ENABLE_WARN_DEPRECATED=y
+CONFIG_ENABLE_MUST_CHECK=y
+CONFIG_FRAME_WARN=1024
+# CONFIG_MAGIC_SYSRQ is not set
+# CONFIG_STRIP_ASM_SYMS is not set
+# CONFIG_READABLE_ASM is not set
+# CONFIG_UNUSED_SYMBOLS is not set
+# CONFIG_DEBUG_FS is not set
+# CONFIG_HEADERS_CHECK is not set
+# CONFIG_DEBUG_SECTION_MISMATCH is not set
+CONFIG_DEBUG_KERNEL=y
+# CONFIG_DEBUG_SHIRQ is not set
+# CONFIG_LOCKUP_DETECTOR is not set
+# CONFIG_HARDLOCKUP_DETECTOR is not set
+# CONFIG_PANIC_ON_OOPS is not set
+CONFIG_PANIC_ON_OOPS_VALUE=0
+CONFIG_DETECT_HUNG_TASK=y
+CONFIG_DEFAULT_HUNG_TASK_TIMEOUT=120
+# CONFIG_BOOTPARAM_HUNG_TASK_PANIC is not set
+CONFIG_BOOTPARAM_HUNG_TASK_PANIC_VALUE=0
+# CONFIG_SCHED_DEBUG is not set
+# CONFIG_SCHEDSTATS is not set
+# CONFIG_TIMER_STATS is not set
+# CONFIG_DEBUG_OBJECTS is not set
+# CONFIG_DEBUG_SLAB is not set
+# CONFIG_DEBUG_KMEMLEAK is not set
+# CONFIG_DEBUG_RT_MUTEXES is not set
+# CONFIG_RT_MUTEX_TESTER is not set
+# CONFIG_DEBUG_SPINLOCK is not set
+# CONFIG_DEBUG_MUTEXES is not set
+# CONFIG_DEBUG_LOCK_ALLOC is not set
+# CONFIG_PROVE_LOCKING is not set
+# CONFIG_SPARSE_RCU_POINTER is not set
+# CONFIG_LOCK_STAT is not set
+# CONFIG_DEBUG_ATOMIC_SLEEP is not set
+# CONFIG_DEBUG_LOCKING_API_SELFTESTS is not set
+# CONFIG_DEBUG_STACK_USAGE is not set
+# CONFIG_DEBUG_KOBJECT is not set
+CONFIG_DEBUG_BUGVERBOSE=y
+CONFIG_DEBUG_INFO=y
+# CONFIG_DEBUG_INFO_REDUCED is not set
+# CONFIG_DEBUG_VM is not set
+# CONFIG_DEBUG_VIRTUAL is not set
+# CONFIG_DEBUG_WRITECOUNT is not set
+CONFIG_DEBUG_MEMORY_INIT=y
+# CONFIG_DEBUG_LIST is not set
+# CONFIG_TEST_LIST_SORT is not set
+# CONFIG_DEBUG_SG is not set
+# CONFIG_DEBUG_NOTIFIERS is not set
+# CONFIG_DEBUG_CREDENTIALS is not set
+CONFIG_ARCH_WANT_FRAME_POINTERS=y
+CONFIG_FRAME_POINTER=y
+# CONFIG_BOOT_PRINTK_DELAY is not set
+# CONFIG_RCU_TORTURE_TEST is not set
+# CONFIG_RCU_TRACE is not set
+# CONFIG_BACKTRACE_SELF_TEST is not set
+# CONFIG_DEBUG_BLOCK_EXT_DEVT is not set
+# CONFIG_DEBUG_FORCE_WEAK_PER_CPU is not set
+# CONFIG_NOTIFIER_ERROR_INJECTION is not set
+# CONFIG_FAULT_INJECTION is not set
+# CONFIG_LATENCYTOP is not set
+# CONFIG_DEBUG_PAGEALLOC is not set
+CONFIG_USER_STACKTRACE_SUPPORT=y
+CONFIG_HAVE_FUNCTION_TRACER=y
+CONFIG_HAVE_FUNCTION_GRAPH_TRACER=y
+CONFIG_HAVE_FUNCTION_GRAPH_FP_TEST=y
+CONFIG_HAVE_FUNCTION_TRACE_MCOUNT_TEST=y
+CONFIG_HAVE_DYNAMIC_FTRACE=y
+CONFIG_HAVE_FTRACE_MCOUNT_RECORD=y
+CONFIG_HAVE_SYSCALL_TRACEPOINTS=y
+CONFIG_HAVE_C_RECORDMCOUNT=y
+CONFIG_TRACING_SUPPORT=y
+CONFIG_FTRACE=y
+# CONFIG_FUNCTION_TRACER is not set
+# CONFIG_IRQSOFF_TRACER is not set
+# CONFIG_SCHED_TRACER is not set
+# CONFIG_ENABLE_DEFAULT_TRACERS is not set
+# CONFIG_FTRACE_SYSCALLS is not set
+CONFIG_BRANCH_PROFILE_NONE=y
+# CONFIG_PROFILE_ANNOTATED_BRANCHES is not set
+# CONFIG_PROFILE_ALL_BRANCHES is not set
+# CONFIG_STACK_TRACER is not set
+# CONFIG_BLK_DEV_IO_TRACE is not set
+# CONFIG_UPROBE_EVENT is not set
+# CONFIG_PROBE_EVENTS is not set
+# CONFIG_MMIOTRACE is not set
+# CONFIG_PROVIDE_OHCI1394_DMA_INIT is not set
+# CONFIG_DMA_API_DEBUG is not set
+# CONFIG_ATOMIC64_SELFTEST is not set
+# CONFIG_SAMPLES is not set
+CONFIG_HAVE_ARCH_KGDB=y
+# CONFIG_KGDB is not set
+CONFIG_HAVE_ARCH_KMEMCHECK=y
+# CONFIG_TEST_KSTRTOX is not set
+# CONFIG_STRICT_DEVMEM is not set
+CONFIG_X86_VERBOSE_BOOTUP=y
+CONFIG_EARLY_PRINTK=y
+# CONFIG_EARLY_PRINTK_DBGP is not set
+# CONFIG_DEBUG_STACKOVERFLOW is not set
+# CONFIG_X86_PTDUMP is not set
+CONFIG_DEBUG_RODATA=y
+CONFIG_DEBUG_RODATA_TEST=y
+# CONFIG_DEBUG_TLBFLUSH is not set
+# CONFIG_IOMMU_DEBUG is not set
+# CONFIG_IOMMU_STRESS is not set
+CONFIG_HAVE_MMIOTRACE_SUPPORT=y
+CONFIG_IO_DELAY_TYPE_0X80=0
+CONFIG_IO_DELAY_TYPE_0XED=1
+CONFIG_IO_DELAY_TYPE_UDELAY=2
+CONFIG_IO_DELAY_TYPE_NONE=3
+CONFIG_IO_DELAY_0X80=y
+# CONFIG_IO_DELAY_0XED is not set
+# CONFIG_IO_DELAY_UDELAY is not set
+# CONFIG_IO_DELAY_NONE is not set
+CONFIG_DEFAULT_IO_DELAY_TYPE=0
+# CONFIG_CPA_DEBUG is not set
+# CONFIG_OPTIMIZE_INLINING is not set
+# CONFIG_DEBUG_STRICT_USER_COPY_CHECKS is not set
+# CONFIG_DEBUG_NMI_SELFTEST is not set
+
+#
+# Security options
+#
+# CONFIG_KEYS is not set
+# CONFIG_SECURITY_DMESG_RESTRICT is not set
+# CONFIG_SECURITY is not set
+# CONFIG_SECURITYFS is not set
+CONFIG_DEFAULT_SECURITY_DAC=y
+CONFIG_DEFAULT_SECURITY=""
+CONFIG_CRYPTO=y
+
+#
+# Crypto core or helper
+#
+CONFIG_CRYPTO_ALGAPI=y
+CONFIG_CRYPTO_ALGAPI2=y
+CONFIG_CRYPTO_AEAD=y
+CONFIG_CRYPTO_AEAD2=y
+CONFIG_CRYPTO_BLKCIPHER=y
+CONFIG_CRYPTO_BLKCIPHER2=y
+CONFIG_CRYPTO_HASH=y
+CONFIG_CRYPTO_HASH2=y
+CONFIG_CRYPTO_RNG=y
+CONFIG_CRYPTO_RNG2=y
+CONFIG_CRYPTO_PCOMP=y
+CONFIG_CRYPTO_PCOMP2=y
+CONFIG_CRYPTO_MANAGER=y
+CONFIG_CRYPTO_MANAGER2=y
+CONFIG_CRYPTO_USER=y
+CONFIG_CRYPTO_MANAGER_DISABLE_TESTS=y
+CONFIG_CRYPTO_GF128MUL=y
+CONFIG_CRYPTO_NULL=y
+CONFIG_CRYPTO_WORKQUEUE=y
+CONFIG_CRYPTO_CRYPTD=y
+CONFIG_CRYPTO_AUTHENC=y
+CONFIG_CRYPTO_ABLK_HELPER_X86=y
+CONFIG_CRYPTO_GLUE_HELPER_X86=y
+
+#
+# Authenticated Encryption with Associated Data
+#
+CONFIG_CRYPTO_CCM=y
+CONFIG_CRYPTO_GCM=y
+CONFIG_CRYPTO_SEQIV=y
+
+#
+# Block modes
+#
+CONFIG_CRYPTO_CBC=y
+CONFIG_CRYPTO_CTR=y
+# CONFIG_CRYPTO_CTS is not set
+CONFIG_CRYPTO_ECB=y
+CONFIG_CRYPTO_LRW=y
+CONFIG_CRYPTO_PCBC=y
+CONFIG_CRYPTO_XTS=y
+
+#
+# Hash modes
+#
+CONFIG_CRYPTO_HMAC=y
+CONFIG_CRYPTO_XCBC=y
+# CONFIG_CRYPTO_VMAC is not set
+
+#
+# Digest
+#
+CONFIG_CRYPTO_CRC32C=y
+# CONFIG_CRYPTO_CRC32C_INTEL is not set
+CONFIG_CRYPTO_GHASH=y
+CONFIG_CRYPTO_MD4=y
+CONFIG_CRYPTO_MD5=y
+CONFIG_CRYPTO_MICHAEL_MIC=y
+CONFIG_CRYPTO_RMD128=y
+CONFIG_CRYPTO_RMD160=y
+CONFIG_CRYPTO_RMD256=y
+CONFIG_CRYPTO_RMD320=y
+CONFIG_CRYPTO_SHA1=y
+# CONFIG_CRYPTO_SHA1_SSSE3 is not set
+CONFIG_CRYPTO_SHA256=y
+CONFIG_CRYPTO_SHA512=y
+CONFIG_CRYPTO_TGR192=y
+CONFIG_CRYPTO_WP512=y
+# CONFIG_CRYPTO_GHASH_CLMUL_NI_INTEL is not set
+
+#
+# Ciphers
+#
+CONFIG_CRYPTO_AES=y
+# CONFIG_CRYPTO_AES_X86_64 is not set
+# CONFIG_CRYPTO_AES_NI_INTEL is not set
+CONFIG_CRYPTO_ANUBIS=y
+CONFIG_CRYPTO_ARC4=y
+CONFIG_CRYPTO_BLOWFISH=y
+CONFIG_CRYPTO_BLOWFISH_COMMON=y
+# CONFIG_CRYPTO_BLOWFISH_X86_64 is not set
+CONFIG_CRYPTO_CAMELLIA=y
+# CONFIG_CRYPTO_CAMELLIA_X86_64 is not set
+CONFIG_CRYPTO_CAST5=y
+CONFIG_CRYPTO_CAST6=y
+CONFIG_CRYPTO_DES=y
+CONFIG_CRYPTO_FCRYPT=y
+CONFIG_CRYPTO_KHAZAD=y
+CONFIG_CRYPTO_SALSA20=y
+# CONFIG_CRYPTO_SALSA20_X86_64 is not set
+CONFIG_CRYPTO_SEED=y
+CONFIG_CRYPTO_SERPENT=y
+# CONFIG_CRYPTO_SERPENT_SSE2_X86_64 is not set
+CONFIG_CRYPTO_SERPENT_AVX_X86_64=y
+CONFIG_CRYPTO_TEA=y
+CONFIG_CRYPTO_TWOFISH=y
+CONFIG_CRYPTO_TWOFISH_COMMON=y
+CONFIG_CRYPTO_TWOFISH_X86_64=y
+CONFIG_CRYPTO_TWOFISH_X86_64_3WAY=y
+CONFIG_CRYPTO_TWOFISH_AVX_X86_64=y
+
+#
+# Compression
+#
+CONFIG_CRYPTO_DEFLATE=y
+CONFIG_CRYPTO_ZLIB=y
+# CONFIG_CRYPTO_LZO is not set
+
+#
+# Random Number Generation
+#
+# CONFIG_CRYPTO_ANSI_CPRNG is not set
+CONFIG_CRYPTO_USER_API=y
+CONFIG_CRYPTO_USER_API_HASH=y
+CONFIG_CRYPTO_USER_API_SKCIPHER=y
+# CONFIG_CRYPTO_HW is not set
+CONFIG_HAVE_KVM=y
+CONFIG_VIRTUALIZATION=y
+# CONFIG_KVM is not set
+# CONFIG_VHOST_NET is not set
+# CONFIG_BINARY_PRINTF is not set
+
+#
+# Library routines
+#
+CONFIG_BITREVERSE=y
+CONFIG_GENERIC_STRNCPY_FROM_USER=y
+CONFIG_GENERIC_STRNLEN_USER=y
+CONFIG_GENERIC_FIND_FIRST_BIT=y
+CONFIG_GENERIC_PCI_IOMAP=y
+CONFIG_GENERIC_IOMAP=y
+CONFIG_GENERIC_IO=y
+CONFIG_CRC_CCITT=y
+CONFIG_CRC16=y
+# CONFIG_CRC_T10DIF is not set
+CONFIG_CRC_ITU_T=y
+CONFIG_CRC32=y
+# CONFIG_CRC32_SELFTEST is not set
+CONFIG_CRC32_SLICEBY8=y
+# CONFIG_CRC32_SLICEBY4 is not set
+# CONFIG_CRC32_SARWATE is not set
+# CONFIG_CRC32_BIT is not set
+CONFIG_CRC7=y
+CONFIG_LIBCRC32C=y
+# CONFIG_CRC8 is not set
+CONFIG_ZLIB_INFLATE=y
+CONFIG_ZLIB_DEFLATE=y
+# CONFIG_XZ_DEC is not set
+# CONFIG_XZ_DEC_BCJ is not set
+CONFIG_TEXTSEARCH=y
+CONFIG_TEXTSEARCH_KMP=y
+CONFIG_TEXTSEARCH_BM=y
+CONFIG_TEXTSEARCH_FSM=y
+CONFIG_HAS_IOMEM=y
+CONFIG_HAS_IOPORT=y
+CONFIG_HAS_DMA=y
+CONFIG_DQL=y
+CONFIG_NLATTR=y
+CONFIG_ARCH_HAS_ATOMIC64_DEC_IF_POSITIVE=y
+# CONFIG_AVERAGE is not set
+# CONFIG_CORDIC is not set
+# CONFIG_DDR is not set
diff --git a/testing/config/kvm/alice.xml b/testing/config/kvm/alice.xml
new file mode 100644
index 000000000..6ca78f861
--- /dev/null
+++ b/testing/config/kvm/alice.xml
@@ -0,0 +1,70 @@
+<domain type='kvm'>
+  <name>alice</name>
+  <uuid>1f35c25d-6a7b-4ee1-2461-d7e530e7b2a9</uuid>
+  <memory unit='KiB'>131072</memory>
+  <currentMemory unit='KiB'>131072</currentMemory>
+  <vcpu placement='static'>1</vcpu>
+  <os>
+    <type arch='x86_64' machine='pc-1.1'>hvm</type>
+	<kernel>/var/run/kvm-swan-kernel</kernel>
+    <cmdline>root=/dev/vda1 loglevel=1</cmdline>
+    <boot dev='hd'/>
+  </os>
+  <features>
+    <acpi/>
+    <apic/>
+    <pae/>
+  </features>
+  <clock offset='utc'/>
+  <on_poweroff>destroy</on_poweroff>
+  <on_reboot>restart</on_reboot>
+  <on_crash>restart</on_crash>
+  <devices>
+    <emulator>/usr/bin/kvm</emulator>
+    <disk type='file' device='disk'>
+      <driver name='qemu' type='qcow2' cache='writethrough'/>
+      <source file='/var/lib/libvirt/images/alice.qcow2'/>
+      <target dev='vda' bus='virtio'/>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x07' function='0x0'/>
+    </disk>
+    <controller type='usb' index='0'>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x2'/>
+    </controller>
+    <filesystem type='mount' accessmode='mapped'>
+      <source dir='/var/run/kvm-swan-hostfs'/>
+      <target dir='/hostshare'/>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x08' function='0x0'/>
+    </filesystem>
+    <interface type='network'>
+      <mac address='52:54:00:9a:e2:de'/>
+      <source network='vnet2'/>
+      <model type='virtio'/>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0'/>
+    </interface>
+    <interface type='network'>
+      <mac address='52:54:00:3b:0c:d7'/>
+      <source network='vnet1'/>
+      <model type='virtio'/>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x05' function='0x0'/>
+    </interface>
+    <serial type='pty'>
+      <target port='0'/>
+    </serial>
+    <console type='pty'>
+      <target type='serial' port='0'/>
+    </console>
+    <input type='tablet' bus='usb'/>
+    <input type='mouse' bus='ps2'/>
+    <graphics type='vnc' port='-1' autoport='yes'/>
+    <sound model='ich6'>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x04' function='0x0'/>
+    </sound>
+    <video>
+      <model type='cirrus' vram='9216' heads='1'/>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x0'/>
+    </video>
+    <memballoon model='virtio'>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x06' function='0x0'/>
+    </memballoon>
+  </devices>
+</domain>
diff --git a/testing/config/kvm/bob.xml b/testing/config/kvm/bob.xml
new file mode 100644
index 000000000..d9a9b4c05
--- /dev/null
+++ b/testing/config/kvm/bob.xml
@@ -0,0 +1,64 @@
+<domain type='kvm'>
+  <name>bob</name>
+  <uuid>72728516-377f-f5be-ea1d-b1f1e851538f</uuid>
+  <memory unit='KiB'>131072</memory>
+  <currentMemory unit='KiB'>131072</currentMemory>
+  <vcpu placement='static'>1</vcpu>
+  <os>
+    <type arch='x86_64' machine='pc-1.1'>hvm</type>
+	<kernel>/var/run/kvm-swan-kernel</kernel>
+    <cmdline>root=/dev/vda1 loglevel=1</cmdline>
+    <boot dev='hd'/>
+  </os>
+  <features>
+    <acpi/>
+    <apic/>
+    <pae/>
+  </features>
+  <clock offset='utc'/>
+  <on_poweroff>destroy</on_poweroff>
+  <on_reboot>restart</on_reboot>
+  <on_crash>restart</on_crash>
+  <devices>
+    <emulator>/usr/bin/kvm</emulator>
+    <disk type='file' device='disk'>
+      <driver name='qemu' type='qcow2' cache='writethrough'/>
+      <source file='/var/lib/libvirt/images/bob.qcow2'/>
+      <target dev='vda' bus='virtio'/>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x07' function='0x0'/>
+    </disk>
+    <controller type='usb' index='0'>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x2'/>
+    </controller>
+    <filesystem type='mount' accessmode='mapped'>
+      <source dir='/var/run/kvm-swan-hostfs'/>
+      <target dir='/hostshare'/>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x08' function='0x0'/>
+    </filesystem>
+    <interface type='network'>
+      <mac address='52:54:00:40:85:6b'/>
+      <source network='vnet3'/>
+      <model type='virtio'/>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0'/>
+    </interface>
+    <serial type='pty'>
+      <target port='0'/>
+    </serial>
+    <console type='pty'>
+      <target type='serial' port='0'/>
+    </console>
+    <input type='tablet' bus='usb'/>
+    <input type='mouse' bus='ps2'/>
+    <graphics type='vnc' port='-1' autoport='yes'/>
+    <sound model='ich6'>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x04' function='0x0'/>
+    </sound>
+    <video>
+      <model type='cirrus' vram='9216' heads='1'/>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x0'/>
+    </video>
+    <memballoon model='virtio'>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x06' function='0x0'/>
+    </memballoon>
+  </devices>
+</domain>
diff --git a/testing/config/kvm/carol.xml b/testing/config/kvm/carol.xml
new file mode 100644
index 000000000..fbdabe2e4
--- /dev/null
+++ b/testing/config/kvm/carol.xml
@@ -0,0 +1,64 @@
+<domain type='kvm'>
+  <name>carol</name>
+  <uuid>6bc2eef5-7faf-cde0-5f27-6fc29f93bc3d</uuid>
+  <memory unit='KiB'>131072</memory>
+  <currentMemory unit='KiB'>131072</currentMemory>
+  <vcpu placement='static'>1</vcpu>
+  <os>
+    <type arch='x86_64' machine='pc-1.1'>hvm</type>
+	<kernel>/var/run/kvm-swan-kernel</kernel>
+    <cmdline>root=/dev/vda1 loglevel=1</cmdline>
+    <boot dev='hd'/>
+  </os>
+  <features>
+    <acpi/>
+    <apic/>
+    <pae/>
+  </features>
+  <clock offset='utc'/>
+  <on_poweroff>destroy</on_poweroff>
+  <on_reboot>restart</on_reboot>
+  <on_crash>restart</on_crash>
+  <devices>
+    <emulator>/usr/bin/kvm</emulator>
+    <disk type='file' device='disk'>
+      <driver name='qemu' type='qcow2' cache='writethrough'/>
+      <source file='/var/lib/libvirt/images/carol.qcow2'/>
+      <target dev='vda' bus='virtio'/>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x07' function='0x0'/>
+    </disk>
+    <controller type='usb' index='0'>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x2'/>
+    </controller>
+    <filesystem type='mount' accessmode='mapped'>
+      <source dir='/var/run/kvm-swan-hostfs'/>
+      <target dir='/hostshare'/>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x08' function='0x0'/>
+    </filesystem>
+    <interface type='network'>
+      <mac address='52:54:00:ae:f1:f8'/>
+      <source network='vnet1'/>
+      <model type='virtio'/>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0'/>
+    </interface>
+    <serial type='pty'>
+      <target port='0'/>
+    </serial>
+    <console type='pty'>
+      <target type='serial' port='0'/>
+    </console>
+    <input type='tablet' bus='usb'/>
+    <input type='mouse' bus='ps2'/>
+    <graphics type='vnc' port='-1' autoport='yes'/>
+    <sound model='ich6'>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x04' function='0x0'/>
+    </sound>
+    <video>
+      <model type='cirrus' vram='9216' heads='1'/>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x0'/>
+    </video>
+    <memballoon model='virtio'>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x06' function='0x0'/>
+    </memballoon>
+  </devices>
+</domain>
diff --git a/testing/config/kvm/dave.xml b/testing/config/kvm/dave.xml
new file mode 100644
index 000000000..bfebe9b60
--- /dev/null
+++ b/testing/config/kvm/dave.xml
@@ -0,0 +1,64 @@
+<domain type='kvm'>
+  <name>dave</name>
+  <uuid>05f1debe-4e38-4f3d-10a0-c07fbb70d816</uuid>
+  <memory unit='KiB'>131072</memory>
+  <currentMemory unit='KiB'>131072</currentMemory>
+  <vcpu placement='static'>1</vcpu>
+  <os>
+    <type arch='x86_64' machine='pc-1.1'>hvm</type>
+	<kernel>/var/run/kvm-swan-kernel</kernel>
+    <cmdline>root=/dev/vda1 loglevel=1</cmdline>
+    <boot dev='hd'/>
+  </os>
+  <features>
+    <acpi/>
+    <apic/>
+    <pae/>
+  </features>
+  <clock offset='utc'/>
+  <on_poweroff>destroy</on_poweroff>
+  <on_reboot>restart</on_reboot>
+  <on_crash>restart</on_crash>
+  <devices>
+    <emulator>/usr/bin/kvm</emulator>
+    <disk type='file' device='disk'>
+      <driver name='qemu' type='qcow2' cache='writethrough'/>
+      <source file='/var/lib/libvirt/images/dave.qcow2'/>
+      <target dev='vda' bus='virtio'/>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x07' function='0x0'/>
+    </disk>
+    <controller type='usb' index='0'>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x2'/>
+    </controller>
+    <filesystem type='mount' accessmode='mapped'>
+      <source dir='/var/run/kvm-swan-hostfs'/>
+      <target dir='/hostshare'/>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x08' function='0x0'/>
+    </filesystem>
+    <interface type='network'>
+      <mac address='52:54:00:b9:15:a9'/>
+      <source network='vnet1'/>
+      <model type='virtio'/>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0'/>
+    </interface>
+    <serial type='pty'>
+      <target port='0'/>
+    </serial>
+    <console type='pty'>
+      <target type='serial' port='0'/>
+    </console>
+    <input type='tablet' bus='usb'/>
+    <input type='mouse' bus='ps2'/>
+    <graphics type='vnc' port='-1' autoport='yes'/>
+    <sound model='ich6'>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x04' function='0x0'/>
+    </sound>
+    <video>
+      <model type='cirrus' vram='9216' heads='1'/>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x0'/>
+    </video>
+    <memballoon model='virtio'>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x06' function='0x0'/>
+    </memballoon>
+  </devices>
+</domain>
diff --git a/testing/config/kvm/moon.xml b/testing/config/kvm/moon.xml
new file mode 100644
index 000000000..e019fcea5
--- /dev/null
+++ b/testing/config/kvm/moon.xml
@@ -0,0 +1,70 @@
+<domain type='kvm'>
+  <name>moon</name>
+  <uuid>b5e00ad3-1c81-3b2a-7f66-cdf8727b3c65</uuid>
+  <memory unit='KiB'>131072</memory>
+  <currentMemory unit='KiB'>131072</currentMemory>
+  <vcpu placement='static'>1</vcpu>
+  <os>
+    <type arch='x86_64' machine='pc-1.1'>hvm</type>
+	<kernel>/var/run/kvm-swan-kernel</kernel>
+    <cmdline>root=/dev/vda1 loglevel=1</cmdline>
+    <boot dev='hd'/>
+  </os>
+  <features>
+    <acpi/>
+    <apic/>
+    <pae/>
+  </features>
+  <clock offset='utc'/>
+  <on_poweroff>destroy</on_poweroff>
+  <on_reboot>restart</on_reboot>
+  <on_crash>restart</on_crash>
+  <devices>
+    <emulator>/usr/bin/kvm</emulator>
+    <disk type='file' device='disk'>
+      <driver name='qemu' type='qcow2' cache='writethrough'/>
+      <source file='/var/lib/libvirt/images/moon.qcow2'/>
+      <target dev='vda' bus='virtio'/>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x07' function='0x0'/>
+    </disk>
+    <controller type='usb' index='0'>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x2'/>
+    </controller>
+    <filesystem type='mount' accessmode='mapped'>
+      <source dir='/var/run/kvm-swan-hostfs'/>
+      <target dir='/hostshare'/>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x08' function='0x0'/>
+    </filesystem>
+    <interface type='network'>
+      <mac address='52:54:00:43:e3:35'/>
+      <source network='vnet2'/>
+      <model type='virtio'/>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x05' function='0x0'/>
+    </interface>
+    <interface type='network'>
+      <mac address='52:54:00:c7:b8:b0'/>
+      <source network='vnet1'/>
+      <model type='virtio'/>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0'/>
+    </interface>
+    <serial type='pty'>
+      <target port='0'/>
+    </serial>
+    <console type='pty'>
+      <target type='serial' port='0'/>
+    </console>
+    <input type='tablet' bus='usb'/>
+    <input type='mouse' bus='ps2'/>
+    <graphics type='vnc' port='-1' autoport='yes'/>
+    <sound model='ich6'>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x04' function='0x0'/>
+    </sound>
+    <video>
+      <model type='cirrus' vram='9216' heads='1'/>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x0'/>
+    </video>
+    <memballoon model='virtio'>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x06' function='0x0'/>
+    </memballoon>
+  </devices>
+</domain>
diff --git a/testing/config/kvm/sun.xml b/testing/config/kvm/sun.xml
new file mode 100644
index 000000000..5ed1a47ea
--- /dev/null
+++ b/testing/config/kvm/sun.xml
@@ -0,0 +1,70 @@
+<domain type='kvm'>
+  <name>sun</name>
+  <uuid>35341843-346c-a63a-786b-9df0fd5e6264</uuid>
+  <memory unit='KiB'>131072</memory>
+  <currentMemory unit='KiB'>131072</currentMemory>
+  <vcpu placement='static'>1</vcpu>
+  <os>
+    <type arch='x86_64' machine='pc-1.1'>hvm</type>
+	<kernel>/var/run/kvm-swan-kernel</kernel>
+    <cmdline>root=/dev/vda1 loglevel=1</cmdline>
+    <boot dev='hd'/>
+  </os>
+  <features>
+    <acpi/>
+    <apic/>
+    <pae/>
+  </features>
+  <clock offset='utc'/>
+  <on_poweroff>destroy</on_poweroff>
+  <on_reboot>restart</on_reboot>
+  <on_crash>restart</on_crash>
+  <devices>
+    <emulator>/usr/bin/kvm</emulator>
+    <disk type='file' device='disk'>
+      <driver name='qemu' type='qcow2' cache='writethrough'/>
+      <source file='/var/lib/libvirt/images/sun.qcow2'/>
+      <target dev='vda' bus='virtio'/>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x07' function='0x0'/>
+    </disk>
+    <controller type='usb' index='0'>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x2'/>
+    </controller>
+    <filesystem type='mount' accessmode='mapped'>
+      <source dir='/var/run/kvm-swan-hostfs'/>
+      <target dir='/hostshare'/>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x08' function='0x0'/>
+    </filesystem>
+    <interface type='network'>
+      <mac address='52:54:00:77:43:ea'/>
+      <source network='vnet1'/>
+      <model type='virtio'/>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0'/>
+    </interface>
+    <interface type='network'>
+      <mac address='52:54:00:0f:97:db'/>
+      <source network='vnet3'/>
+      <model type='virtio'/>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x05' function='0x0'/>
+    </interface>
+    <serial type='pty'>
+      <target port='0'/>
+    </serial>
+    <console type='pty'>
+      <target type='serial' port='0'/>
+    </console>
+    <input type='tablet' bus='usb'/>
+    <input type='mouse' bus='ps2'/>
+    <graphics type='vnc' port='-1' autoport='yes'/>
+    <sound model='ich6'>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x04' function='0x0'/>
+    </sound>
+    <video>
+      <model type='cirrus' vram='9216' heads='1'/>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x0'/>
+    </video>
+    <memballoon model='virtio'>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x06' function='0x0'/>
+    </memballoon>
+  </devices>
+</domain>
diff --git a/testing/config/kvm/venus.xml b/testing/config/kvm/venus.xml
new file mode 100644
index 000000000..77a333655
--- /dev/null
+++ b/testing/config/kvm/venus.xml
@@ -0,0 +1,64 @@
+<domain type='kvm'>
+  <name>venus</name>
+  <uuid>f0838df9-7cc0-84f5-6c14-2d16ab002e8d</uuid>
+  <memory unit='KiB'>131072</memory>
+  <currentMemory unit='KiB'>131072</currentMemory>
+  <vcpu placement='static'>1</vcpu>
+  <os>
+    <type arch='x86_64' machine='pc-1.1'>hvm</type>
+	<kernel>/var/run/kvm-swan-kernel</kernel>
+    <cmdline>root=/dev/vda1 loglevel=1</cmdline>
+    <boot dev='hd'/>
+  </os>
+  <features>
+    <acpi/>
+    <apic/>
+    <pae/>
+  </features>
+  <clock offset='utc'/>
+  <on_poweroff>destroy</on_poweroff>
+  <on_reboot>restart</on_reboot>
+  <on_crash>restart</on_crash>
+  <devices>
+    <emulator>/usr/bin/kvm</emulator>
+    <disk type='file' device='disk'>
+      <driver name='qemu' type='qcow2' cache='writethrough'/>
+      <source file='/var/lib/libvirt/images/venus.qcow2'/>
+      <target dev='vda' bus='virtio'/>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x07' function='0x0'/>
+    </disk>
+    <controller type='usb' index='0'>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x2'/>
+    </controller>
+    <filesystem type='mount' accessmode='mapped'>
+      <source dir='/var/run/kvm-swan-hostfs'/>
+      <target dir='/hostshare'/>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x08' function='0x0'/>
+    </filesystem>
+    <interface type='network'>
+      <mac address='52:54:00:69:d3:80'/>
+      <source network='vnet2'/>
+      <model type='virtio'/>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0'/>
+    </interface>
+    <serial type='pty'>
+      <target port='0'/>
+    </serial>
+    <console type='pty'>
+      <target type='serial' port='0'/>
+    </console>
+    <input type='tablet' bus='usb'/>
+    <input type='mouse' bus='ps2'/>
+    <graphics type='vnc' port='-1' autoport='yes'/>
+    <sound model='ich6'>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x04' function='0x0'/>
+    </sound>
+    <video>
+      <model type='cirrus' vram='9216' heads='1'/>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x0'/>
+    </video>
+    <memballoon model='virtio'>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x06' function='0x0'/>
+    </memballoon>
+  </devices>
+</domain>
diff --git a/testing/config/kvm/vnet1.xml b/testing/config/kvm/vnet1.xml
new file mode 100644
index 000000000..f9d979be1
--- /dev/null
+++ b/testing/config/kvm/vnet1.xml
@@ -0,0 +1,11 @@
+<network>
+  <name>vnet1</name>
+  <uuid>1d6ac7c7-60d9-56c1-a7df-210d3d0cc6d1</uuid>
+  <forward dev='lo' mode='route'>
+    <interface dev='lo'/>
+  </forward>
+  <bridge name='virbr1' stp='on' delay='0' />
+  <mac address='52:54:00:97:F9:FD'/>
+  <ip address='192.168.0.254' netmask='255.255.255.0'>
+  </ip>
+</network>
diff --git a/testing/config/kvm/vnet2.xml b/testing/config/kvm/vnet2.xml
new file mode 100644
index 000000000..7d125bfc6
--- /dev/null
+++ b/testing/config/kvm/vnet2.xml
@@ -0,0 +1,11 @@
+<network>
+  <name>vnet2</name>
+  <uuid>b5147a7d-e184-5c9e-3838-4621796ba95c</uuid>
+  <forward dev='lo' mode='route'>
+    <interface dev='lo'/>
+  </forward>
+  <bridge name='virbr2' stp='on' delay='0' />
+  <mac address='52:54:00:05:F3:34'/>
+  <ip address='10.1.0.254' netmask='255.255.0.0'>
+  </ip>
+</network>
diff --git a/testing/config/kvm/vnet3.xml b/testing/config/kvm/vnet3.xml
new file mode 100644
index 000000000..1da06c448
--- /dev/null
+++ b/testing/config/kvm/vnet3.xml
@@ -0,0 +1,11 @@
+<network>
+  <name>vnet3</name>
+  <uuid>5c537abc-c116-90e9-a0ef-886340d4c356</uuid>
+  <forward dev='lo' mode='route'>
+    <interface dev='lo'/>
+  </forward>
+  <bridge name='virbr3' stp='on' delay='0' />
+  <mac address='52:54:00:62:4C:69'/>
+  <ip address='10.2.0.254' netmask='255.255.0.0'>
+  </ip>
+</network>
diff --git a/testing/config/kvm/winnetou.xml b/testing/config/kvm/winnetou.xml
new file mode 100644
index 000000000..99d5deb99
--- /dev/null
+++ b/testing/config/kvm/winnetou.xml
@@ -0,0 +1,64 @@
+<domain type='kvm'>
+  <name>winnetou</name>
+  <uuid>b1d3d2f7-e20b-ab95-277e-66d4cac33cc3</uuid>
+  <memory unit='KiB'>131072</memory>
+  <currentMemory unit='KiB'>131072</currentMemory>
+  <vcpu placement='static'>1</vcpu>
+  <os>
+    <type arch='x86_64' machine='pc-1.1'>hvm</type>
+	<kernel>/var/run/kvm-swan-kernel</kernel>
+    <cmdline>root=/dev/vda1 loglevel=1</cmdline>
+    <boot dev='hd'/>
+  </os>
+  <features>
+    <acpi/>
+    <apic/>
+    <pae/>
+  </features>
+  <clock offset='utc'/>
+  <on_poweroff>destroy</on_poweroff>
+  <on_reboot>restart</on_reboot>
+  <on_crash>restart</on_crash>
+  <devices>
+    <emulator>/usr/bin/kvm</emulator>
+    <disk type='file' device='disk'>
+      <driver name='qemu' type='qcow2' cache='writethrough'/>
+      <source file='/var/lib/libvirt/images/winnetou.qcow2'/>
+      <target dev='vda' bus='virtio'/>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x07' function='0x0'/>
+    </disk>
+    <controller type='usb' index='0'>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x2'/>
+    </controller>
+    <filesystem type='mount' accessmode='mapped'>
+      <source dir='/var/run/kvm-swan-hostfs'/>
+      <target dir='/hostshare'/>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x08' function='0x0'/>
+    </filesystem>
+    <interface type='network'>
+      <mac address='52:54:00:4b:23:fa'/>
+      <source network='vnet1'/>
+      <model type='virtio'/>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0'/>
+    </interface>
+    <serial type='pty'>
+      <target port='0'/>
+    </serial>
+    <console type='pty'>
+      <target type='serial' port='0'/>
+    </console>
+    <input type='tablet' bus='usb'/>
+    <input type='mouse' bus='ps2'/>
+    <graphics type='vnc' port='-1' autoport='yes'/>
+    <sound model='ich6'>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x04' function='0x0'/>
+    </sound>
+    <video>
+      <model type='cirrus' vram='9216' heads='1'/>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x0'/>
+    </video>
+    <memballoon model='virtio'>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x06' function='0x0'/>
+    </memballoon>
+  </devices>
+</domain>
diff --git a/testing/do-tests b/testing/do-tests
new file mode 100755
index 000000000..fafbe6e89
--- /dev/null
+++ b/testing/do-tests
@@ -0,0 +1,791 @@
+#!/bin/bash
+# Automatically execute the strongSwan test cases
+#
+# Copyright (C) 2004  Eric Marchionni, Patrik Rayo
+# Zuercher Hochschule Winterthur
+#
+# This program is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 2 of the License, or (at your
+# option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+# or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+# for more details.
+
+DIR=$(dirname `readlink -f $0`)
+. $DIR/testing.conf
+. $DIR/scripts/function.sh
+
+[ -d $DIR/hosts ] || die "Directory 'hosts' not found"
+[ -d $DIR/tests ] || die "Directory 'tests' not found"
+[ -d $BUILDDIR ] ||
+	die "Directory '$BUILDDIR' does not exist, please run make-testing first"
+
+ln -sfT $DIR $TESTDIR/testing
+
+##############################################################################
+# take care of new path and file variables
+#
+
+[ -d $TESTRESULTSDIR ] || mkdir $TESTRESULTSDIR
+
+TESTDATE=`date +%Y%m%d-%H%M-%S`
+
+TODAYDIR=$TESTRESULTSDIR/$TESTDATE
+mkdir $TODAYDIR
+TESTRESULTSHTML=$TODAYDIR/all.html
+INDEX=$TODAYDIR/index.html
+DEFAULTTESTSDIR=$TESTDIR/testing/tests
+
+SOURCEIP_ROUTING_TABLE=220
+
+testnumber="0"
+failed_cnt="0"
+passed_cnt="0"
+
+
+##############################################################################
+# copy default tests to $BUILDDIR
+#
+
+TESTSDIR=$BUILDDIR/tests
+[ -d $TESTSDIR ] || mkdir $TESTSDIR
+
+##############################################################################
+# assign IP for each host to hostname
+#
+
+for host in $STRONGSWANHOSTS
+do
+    eval ipv4_${host}="`echo $HOSTNAMEIPV4 | sed -n -e "s/^.*${host},//gp" | awk -F, '{ print $1 }' | awk '{ print $1 }'`"
+    eval ipv6_${host}="`echo $HOSTNAMEIPV6 | sed -n -e "s/^.*${host},//gp" | awk -F, '{ print $1 }' | awk '{ print $1 }'`"
+
+    case $host in
+    moon)
+        eval ipv4_moon1="`echo $HOSTNAMEIPV4 | sed -n -e "s/^.*${host},//gp" | awk -F, '{ print $2 }' | awk '{ print $1 }'`"
+        eval ipv6_moon1="`echo $HOSTNAMEIPV6 | sed -n -e "s/^.*${host},//gp" | awk -F, '{ print $2 }' | awk '{ print $1 }'`"
+        ;;
+    sun)
+        eval ipv4_sun1="`echo $HOSTNAMEIPV4 | sed -n -e "s/^.*${host},//gp" | awk -F, '{ print $2 }' | awk '{ print $1 }'`"
+        eval ipv6_sun1="`echo $HOSTNAMEIPV6 | sed -n -e "s/^.*${host},//gp" | awk -F, '{ print $2 }' | awk '{ print $1 }'`"
+        ;;
+    alice)
+        eval ipv4_alice1="`echo $HOSTNAMEIPV4 | sed -n -e "s/^.*${host},//gp" | awk -F, '{ print $2 }' | awk '{ print $1 }'`"
+        eval ipv6_alice1="`echo $HOSTNAMEIPV6 | sed -n -e "s/^.*${host},//gp" | awk -F, '{ print $2 }' | awk '{ print $1 }'`"
+        ;;
+    venus)
+        ;;
+    bob)
+        ;;
+    carol)
+        eval ipv4_carol1="`echo $HOSTNAMEIPV4 | sed -n -e "s/^.*${host},//gp" | awk -F, '{ print $2 }' | awk '{ print $1 }'`"
+        eval ipv6_carol1="`echo $HOSTNAMEIPV6 | sed -n -e "s/^.*${host},//gp" | awk -F, '{ print $2 }' | awk '{ print $1 }'`"
+         ;;
+    dave)
+        eval ipv4_dave1="`echo $HOSTNAMEIPV4 | sed -n -e "s/^.*${host},//gp" | awk -F, '{ print $2 }' | awk '{ print $1 }'`"
+        eval ipv6_dave1="`echo $HOSTNAMEIPV6 | sed -n -e "s/^.*${host},//gp" | awk -F, '{ print $2 }' | awk '{ print $1 }'`"
+        ;;
+    winnetou)
+        ;;
+    esac
+done
+
+
+##############################################################################
+# open ssh sessions
+#
+for host in $STRONGSWANHOSTS
+do
+    ssh $SSHCONF -N root@`eval echo \\\$ipv4_$host` >/dev/null 2>&1 &
+    eval ssh_pid_$host="`echo $!`"
+    do_on_exit kill `eval echo \\\$ssh_pid_$host`
+done
+
+
+##############################################################################
+# create header for the results html file
+#
+
+ENVIRONMENT_HEADER=$(cat <<@EOF
+  <table border="0" cellspacing="2" cellpadding="2">
+    <tr valign="top">
+      <td><b>Host</b></td>
+      <td colspan="3">`uname -a`</td>
+    </tr>
+    <tr valign="top">
+      <td><b>Guest kernel</b></td>
+      <td colspan="3">$KERNELVERSION</td>
+    </tr>
+    <tr valign="top">
+      <td><b>strongSwan</b></td>
+      <td colspan="3">$SWANVERSION</td>
+    </tr>
+    <tr valign="top">
+      <td><b>Date</b></td>
+      <td colspan="3">$TESTDATE</td>
+    </tr>
+    <tr>
+      <td width="100">&nbsp;</td>
+      <td width="300">&nbsp;</td>
+      <td width=" 50">&nbsp;</td>
+      <td >&nbsp;</td>
+    </tr>
+@EOF
+)
+
+cat > $INDEX <<@EOF
+<html>
+<head>
+  <title>strongSwan KVM Tests</title>
+</head>
+<body>
+  <h2>strongSwan KVM Tests</h2>
+  $ENVIRONMENT_HEADER
+@EOF
+
+cat > $TESTRESULTSHTML <<@EOF
+<html>
+<head>
+  <title>strongSwan KVM Tests - All Tests</title>
+</head>
+<body>
+  <div><a href="index.html">strongSwan KVM Tests</a> / All Tests</div>
+  <h2>All Tests</h2>
+  $ENVIRONMENT_HEADER
+    <tr align="left">
+      <th>Number</th>
+      <th>Test</th>
+      <th colspan="2">Result</th>
+    </tr>
+@EOF
+
+echo "Guest kernel : $KERNELVERSION"
+echo "strongSwan   : $SWANVERSION"
+echo "Date         : $TESTDATE"
+echo
+
+
+##############################################################################
+# enter specific test directory
+#
+
+if [ $# -gt 0 ]
+then
+    TESTS=$*
+else
+    # set internal field seperator
+    TESTS="`ls $DEFAULTTESTSDIR`"
+fi
+
+for SUBDIR in $TESTS
+do
+    SUBTESTS="`basename $SUBDIR`"
+
+    if [ $SUBTESTS = $SUBDIR ]
+    then
+	SUBTESTS="`ls $DEFAULTTESTSDIR/$SUBDIR`"
+    else
+	SUBDIR="`dirname $SUBDIR`"
+    fi
+
+    if [ ! -d $TODAYDIR/$SUBDIR ]
+    then
+	mkdir $TODAYDIR/$SUBDIR
+	if [ $testnumber == 0 ]
+	then
+	    FIRST="<b>Category</b>"
+	else
+	    FIRST="&nbsp;"
+	fi
+	echo "    <tr>" >> $INDEX
+    echo "      <td>$FIRST</td>">> $INDEX
+    echo "      <td><a href=\"$SUBDIR/index.html\">$SUBDIR</a></td>" >> $INDEX
+    echo "      <td align=\"right\">x</td>" >> $INDEX
+    echo "      <td>&nbsp;</td>" >> $INDEX
+    echo "    </tr>" >> $INDEX
+	SUBTESTSINDEX=$TODAYDIR/$SUBDIR/index.html
+	cat > $SUBTESTSINDEX <<@EOF
+<html>
+<head>
+  <title>strongSwan $SUBDIR Tests</title>
+</head>
+<body>
+  <div><a href="../index.html">strongSwan KVM Tests</a> / $SUBDIR</div>
+  <h2>strongSwan $SUBDIR Tests</h2>
+  <table border="0" cellspacing="2" cellpadding="2">
+    <tr valign="top">
+      <td><b>Guest kernel</b></td>
+      <td colspan="3">$KERNELVERSION</td>
+    </tr>
+    <tr valign="top">
+      <td><b>strongSwan</b></td>
+      <td colspan="3">$SWANVERSION</td>
+    </tr>
+    <tr valign="top">
+      <td><b>Date</b></td>
+      <td colspan="3">$TESTDATE</td>
+    </tr>
+    <tr>
+      <td width="100">&nbsp;</td>
+      <td width="300">&nbsp;</td>
+      <td width=" 50">&nbsp;</td>
+      <td >&nbsp;</td>
+    </tr>
+    <tr align="left">
+       <th>Number</th>
+       <th>Test</th>
+       <th colspan="2">Result</th>
+    </tr>
+@EOF
+    fi
+
+    for name in $SUBTESTS
+    do
+	let "testnumber += 1"
+	testname=$SUBDIR/$name
+	log_action " $testnumber $testname:"
+
+	if [ ! -d $DEFAULTTESTSDIR/${testname} ]
+	then
+	    echo "is missing..skipped"
+	    continue
+	fi
+
+	if [ $SUBDIR = "ipv6" -o $name = "rw-psk-ipv6" ]
+	then
+	    IPROUTE_CMD="ip -6 route list table $SOURCEIP_ROUTING_TABLE"
+	    IPROUTE_DSP=$IPROUTE_CMD
+	    IPTABLES_CMD="ip6tables -v -n -L"
+	    IPTABLES_DSP="ip6tables -L"
+	else
+	    IPROUTE_CMD="ip route list table $SOURCEIP_ROUTING_TABLE"
+	    IPROUTE_DSP=$IPROUTE_CMD
+	    IPTABLES_CMD="iptables -v -n -L"
+	    IPTABLES_DSP="iptables -L"
+	fi
+
+	if [ $name = "net2net-ip4-in-ip6-ikev2" -o $name = "net2net-ip6-in-ip4-ikev2" ]
+	then
+	    IPROUTE_CMD="ip route list table $SOURCEIP_ROUTING_TABLE; echo; ip -6 route list table $SOURCEIP_ROUTING_TABLE"
+	    IPROUTE_DSP="ip (-6) route list table $SOURCEIP_ROUTING_TABLE"
+	    IPTABLES_CMD="iptables -v -n -L ; echo ; ip6tables -v -n -L"
+	    IPTABLES_DSP="iptables -L ; ip6tables -L"
+	fi
+
+	[ -f $DEFAULTTESTSDIR/${testname}/description.txt ] || die "!! File 'description.txt' is missing"
+	[ -f $DEFAULTTESTSDIR/${testname}/test.conf ]       || die "!! File 'test.conf' is missing"
+	[ -f $DEFAULTTESTSDIR/${testname}/pretest.dat ]     || die "!! File 'pretest.dat' is missing"
+	[ -f $DEFAULTTESTSDIR/${testname}/posttest.dat ]    || die "!! File 'posttest.dat' is missing"
+	[ -f $DEFAULTTESTSDIR/${testname}/evaltest.dat ]    || die "!! File 'evaltest.dat' is missing"
+
+	TESTRESULTDIR=$TODAYDIR/$testname
+	mkdir -p $TESTRESULTDIR
+	CONSOLE_LOG=$TESTRESULTDIR/console.log
+	touch $CONSOLE_LOG
+
+	TESTDIR=$TESTSDIR/${testname}
+	rm -rf $TESTDIR
+	mkdir -p $TESTDIR
+	cp -rfp $DEFAULTTESTSDIR/${testname}/* $TESTDIR
+
+
+	##############################################################################
+	# replace IP wildcards with actual IPv4 and IPv6 addresses
+	#
+
+	for host in $STRONGSWANHOSTS
+	do
+	    case $host in
+	    moon)
+		searchandreplace PH_IP_MOON1     $ipv4_moon1 $TESTDIR
+		searchandreplace PH_IP_MOON      $ipv4_moon  $TESTDIR
+		searchandreplace PH_IP6_MOON1    $ipv6_moon1 $TESTDIR
+		searchandreplace PH_IP6_MOON     $ipv6_moon  $TESTDIR
+		;;
+	    sun)
+		searchandreplace PH_IP_SUN1      $ipv4_sun1 $TESTDIR
+		searchandreplace PH_IP_SUN       $ipv4_sun  $TESTDIR
+		searchandreplace PH_IP6_SUN1     $ipv6_sun1 $TESTDIR
+		searchandreplace PH_IP6_SUN      $ipv6_sun  $TESTDIR
+		;;
+	    alice)
+		searchandreplace PH_IP_ALICE1    $ipv4_alice1 $TESTDIR
+		searchandreplace PH_IP_ALICE     $ipv4_alice  $TESTDIR
+		searchandreplace PH_IP6_ALICE1   $ipv6_alice1 $TESTDIR
+		searchandreplace PH_IP6_ALICE    $ipv6_alice  $TESTDIR
+		;;
+	    venus)
+		searchandreplace PH_IP_VENUS     $ipv4_venus $TESTDIR
+		searchandreplace PH_IP6_VENUS    $ipv6_venus $TESTDIR
+		;;
+	    bob)
+		searchandreplace PH_IP_BOB       $ipv4_bob $TESTDIR
+		searchandreplace PH_IPV6_BOB     $ipv6_bob $TESTDIR
+		;;
+	    carol)
+		searchandreplace PH_IP_CAROL1    $ipv4_carol1 $TESTDIR
+		searchandreplace PH_IP_CAROL     $ipv4_carol  $TESTDIR
+		searchandreplace PH_IP6_CAROL1   $ipv6_carol1 $TESTDIR
+		searchandreplace PH_IP6_CAROL    $ipv6_carol  $TESTDIR
+		;;
+	    dave)
+		searchandreplace PH_IP_DAVE1     $ipv4_dave1 $TESTDIR
+		searchandreplace PH_IP_DAVE      $ipv4_dave  $TESTDIR
+		searchandreplace PH_IP6_DAVE1    $ipv6_dave1 $TESTDIR
+		searchandreplace PH_IP6_DAVE     $ipv6_dave  $TESTDIR
+		;;
+	    winnetou)
+		searchandreplace PH_IP_WINNETOU  $ipv4_winnetou $TESTDIR
+		searchandreplace PH_IP6_WINNETOU $ipv6_winnetou $TESTDIR
+		;;
+	    esac
+	done
+
+
+	##########################################################################
+	# copy test specific configurations to uml hosts and clear auth.log files
+	#
+
+	$DIR/scripts/load-testconfig $testname
+	unset RADIUSHOSTS
+	source $TESTDIR/test.conf
+
+
+	##########################################################################
+	# run tcpdump in the background
+	#
+
+	if [ "$TCPDUMPHOSTS" != "" ]
+	then
+	    echo -e "TCPDUMP\n" >> $CONSOLE_LOG 2>&1
+
+	    for host_iface in $TCPDUMPHOSTS
+	    do
+		host=`echo $host_iface | awk -F ":" '{print $1}'`
+		iface=`echo $host_iface | awk -F ":" '{if ($2 != "") { print $2 } else { printf("eth0") }}'`
+		tcpdump_cmd="tcpdump -i $iface not port ssh and not port domain > /tmp/tcpdump.log 2>&1 &"
+		echo "${host}# $tcpdump_cmd" >> $CONSOLE_LOG
+		ssh $SSHCONF root@`eval echo \\\$ipv4_$host '$tcpdump_cmd'`
+		eval TDUP_${host}="true"
+	    done
+	fi
+
+
+	##########################################################################
+	# execute pre-test commands
+	#
+
+	echo -n "pre.."
+	echo -e "\nPRE-TEST\n" >> $CONSOLE_LOG 2>&1
+
+	eval `awk -F "::" '{
+	    if ($2 != "")
+	    {
+		printf("echo \"%s# %s\"; ", $1, $2)
+		printf("ssh \044SSHCONF root@\044ipv4_%s \"%s\"; ", $1, $2)
+		printf("echo;\n")
+	    }
+	}' $TESTDIR/pretest.dat` >> $CONSOLE_LOG 2>&1
+
+
+	##########################################################################
+	# stop tcpdump
+	#
+
+	function stop_tcpdump {
+	    echo "${1}# killall tcpdump" >> $CONSOLE_LOG
+	    eval ssh $SSHCONF root@\$ipv4_${1} killall tcpdump
+	    eval TDUP_${1}="false"
+	    echo ""
+	}
+
+
+	##########################################################################
+	# get and evaluate test results
+	#
+
+	echo -n "test.."
+	echo -e "\nTEST\n" >> $CONSOLE_LOG 2>&1
+
+	STATUS="passed"
+
+	eval `awk -F "::" '{
+	    host=$1
+	    command=$2
+	    pattern=$3
+	    hit=$4
+	    if (command != "")
+	    {
+		if (command == "tcpdump")
+		{
+		    printf("if [ \044TDUP_%s == \"true\" ]; then stop_tcpdump %s; fi; \n", host, host)
+		    printf("echo \"%s# cat /tmp/tcpdump.log | grep \047%s\047  [%s]\"; ", host, pattern, hit)
+		    printf("ssh \044SSHCONF root@\044ipv4_%s cat /tmp/tcpdump.log | grep \"%s\"; ", host, pattern)
+		}
+		else
+		{
+		    printf("echo \"%s# %s | grep \047%s\047  [%s]\"; ", host, command, pattern, hit)
+		    printf("ssh \044SSHCONF root@\044ipv4_%s %s | grep \"%s\"; ",  host, command, pattern)
+		}
+		printf("cmd_exit=\044?; ")
+		printf("echo; ")
+		printf("if [ \044cmd_exit -eq 0 -a \"%s\" = \"NO\"  ] ", hit)
+		printf("|| [ \044cmd_exit -ne 0 -a \"%s\" = \"YES\" ] ", hit)
+		printf("; then STATUS=\"failed\"; fi; \n")
+	    }
+	}' $TESTDIR/evaltest.dat` >> $CONSOLE_LOG 2>&1
+
+
+	##########################################################################
+	# set counters
+	#
+
+	if [ $STATUS = "failed" ]
+	then
+	    let "failed_cnt += 1"
+	else
+	    let "passed_cnt += 1"
+	fi
+
+
+	##########################################################################
+	# log statusall and listall output
+	# get copies of ipsec.conf, ipsec.secrets
+	# create index.html for the given test case
+
+	cat > $TESTRESULTDIR/index.html <<@EOF
+<html>
+<head>
+  <title>Test $testname</title>
+</head>
+<body>
+<table border="0" cellpadding="0" cellspacing="0" width="600">
+  <tr><td>
+    <div><a href="../../index.html">strongSwan KVM Tests</a> / <a href="../index.html">$SUBDIR</a> / $name</div>
+    <h2>Test $testname</h2>
+    <h3>Description</h3>
+@EOF
+
+	cat $TESTDIR/description.txt >> $TESTRESULTDIR/index.html
+
+	cat >> $TESTRESULTDIR/index.html <<@EOF
+    <ul>
+      <li><a href="console.log">console.log</a></li>
+    </ul>
+    <img src="../../images/$DIAGRAM" alt="$VIRTHOSTS">
+@EOF
+
+	for host in $IPSECHOSTS
+	do
+	    eval HOSTLOGIN=root@\$ipv4_${host}
+
+	    for command in statusall listall
+	    do
+		ssh $SSHCONF $HOSTLOGIN ipsec $command \
+		    > $TESTRESULTDIR/${host}.$command 2>/dev/null
+	    done
+
+	    for file in strongswan.conf ipsec.conf ipsec.secrets
+	    do
+		scp $SSHCONF $HOSTLOGIN:/etc/$file \
+		    $TESTRESULTDIR/${host}.$file  > /dev/null 2>&1
+	    done
+
+	    scp $SSHCONF $HOSTLOGIN:/etc/ipsec.d/ipsec.sql \
+		$TESTRESULTDIR/${host}.ipsec.sql  > /dev/null 2>&1
+
+	    ssh $SSHCONF $HOSTLOGIN ip -s xfrm policy \
+		    > $TESTRESULTDIR/${host}.ip.policy 2>/dev/null
+	    ssh $SSHCONF $HOSTLOGIN ip -s xfrm state \
+		    > $TESTRESULTDIR/${host}.ip.state 2>/dev/null
+	    ssh $SSHCONF $HOSTLOGIN $IPROUTE_CMD \
+		    > $TESTRESULTDIR/${host}.ip.route 2>/dev/null
+	    ssh $SSHCONF $HOSTLOGIN $IPTABLES_CMD \
+		    > $TESTRESULTDIR/${host}.iptables 2>/dev/null
+	    chmod a+r $TESTRESULTDIR/*
+	    cat >> $TESTRESULTDIR/index.html <<@EOF
+    <h3>$host</h3>
+      <table border="0" cellspacing="0" width="600">
+      <tr>
+	<td valign="top">
+	  <ul>
+	    <li><a href="$host.ipsec.conf">ipsec.conf</a></li>
+	    <li><a href="$host.ipsec.secrets">ipsec.secrets</a></li>
+	    <li><a href="$host.ipsec.sql">ipsec.sql</a></li>
+	    <li><a href="$host.strongswan.conf">strongswan.conf</a></li>
+	  </ul>
+	</td>
+	<td valign="top">
+	  <ul>
+	    <li><a href="$host.statusall">ipsec statusall</a></li>
+	    <li><a href="$host.listall">ipsec listall</a></li>
+	    <li><a href="$host.auth.log">auth.log</a></li>
+	    <li><a href="$host.daemon.log">daemon.log</a></li>
+	  </ul>
+      </td>
+	<td valign="top">
+	  <ul>
+	    <li><a href="$host.ip.policy">ip -s xfrm policy</a></li>
+	    <li><a href="$host.ip.state">ip -s xfrm state</a></li>
+	    <li><a href="$host.ip.route">$IPROUTE_DSP</a></li>
+	    <li><a href="$host.iptables">$IPTABLES_DSP</a></li>
+	  </ul>
+      </td>
+    </tr>
+    </table>
+@EOF
+
+	done
+
+	for host in $RADIUSHOSTS
+	do
+	    eval HOSTLOGIN=root@\$ipv4_${host}
+
+	    for file in clients.conf eap.conf radiusd.conf proxy.conf users
+	    do
+		scp $SSHCONF $HOSTLOGIN:/etc/freeradius/$file \
+		    $TESTRESULTDIR/${host}.$file  > /dev/null 2>&1
+	    done
+
+		scp $SSHCONF $HOSTLOGIN:/etc/strongswan.conf \
+		    $TESTRESULTDIR/${host}.strongswan.conf  > /dev/null 2>&1
+
+	    scp $SSHCONF $HOSTLOGIN:/var/log/freeradius/radius.log \
+		$TESTRESULTDIR/${host}.radius.log  > /dev/null 2>&1
+
+	    ssh $SSHCONF $HOSTLOGIN grep imcv /var/log/daemon.log \
+		>> $TESTRESULTDIR/${host}.daemon.log
+
+	    chmod a+r $TESTRESULTDIR/*
+	    cat >> $TESTRESULTDIR/index.html <<@EOF
+    <h3>$host</h3>
+      <table border="0" cellspacing="0" width="600">
+      <tr>
+	<td valign="top">
+	  <ul>
+	    <li><a href="$host.clients.conf">clients.conf</a></li>
+	    <li><a href="$host.radiusd.conf">radiusd.conf</a></li>
+	    <li><a href="$host.strongswan.conf">strongswan.conf</a></li>
+	  </ul>
+	</td>
+	<td valign="top">
+	  <ul>
+	    <li><a href="$host.eap.conf">eap.conf</a></li>
+	    <li><a href="$host.radius.log">radius.log</a></li>
+	    <li><a href="$host.daemon.log">daemon.log</a></li>
+	  </ul>
+      </td>
+	<td valign="top">
+	  <ul>
+	    <li><a href="$host.proxy.conf">proxy.conf</a></li>
+	    <li><a href="$host.users">users</a></li>
+	  </ul>
+      </td>
+    </tr>
+    </table>
+@EOF
+
+	done
+
+	cat >> $TESTRESULTDIR/index.html <<@EOF
+	<h3>tcpdump</h3>
+	<ul>
+@EOF
+
+	for host in $TCPDUMPHOSTS
+	do
+	    eval HOSTLOGIN=root@\$ipv4_${host}
+
+		scp $SSHCONF $HOSTLOGIN:/tmp/tcpdump.log \
+			$TESTRESULTDIR/${host}.tcpdump.log > /dev/null 2>&1
+
+	    cat >> $TESTRESULTDIR/index.html <<@EOF
+	    <li><a href="$host.tcpdump.log">$host tcpdump.log</a></li>
+@EOF
+
+	done
+
+	cat >> $TESTRESULTDIR/index.html <<@EOF
+	</ul>
+@EOF
+
+	cat >> $TESTRESULTDIR/index.html <<@EOF
+  </td></tr>
+</table>
+</body>
+</html>
+@EOF
+
+
+	##########################################################################
+	# execute post-test commands
+	#
+
+	echo -n "post"
+	echo -e "\nPOST-TEST\n" >> $CONSOLE_LOG 2>&1
+
+	eval `awk -F "::" '{
+	    if ($2 != "")
+	    {
+		printf("echo \"%s# %s\"; ", $1, $2)
+		printf("ssh \044SSHCONF root@\044ipv4_%s \"%s\"; ", $1, $2)
+		printf("echo;\n")
+	    }
+	}' $TESTDIR/posttest.dat` >> $CONSOLE_LOG 2>&1
+
+
+	##########################################################################
+	# get a copy of /var/log/auth.log
+	#
+
+	for host in $IPSECHOSTS
+	do
+	    eval HOSTLOGIN=root@\$ipv4_${host}
+	    ssh $SSHCONF $HOSTLOGIN "grep -E 'charon|last message repeated' \
+		/var/log/auth.log" >> $TESTRESULTDIR/${host}.auth.log
+	done
+
+
+	##########################################################################
+	# get a copy of /var/log/daemon.log
+	#
+
+	for host in $IPSECHOSTS
+	do
+	    eval HOSTLOGIN=root@\$ipv4_${host}
+	    ssh $SSHCONF $HOSTLOGIN "grep -E 'charon|last message repeated' \
+		/var/log/daemon.log" >> $TESTRESULTDIR/${host}.daemon.log
+	done
+
+
+	##########################################################################
+	# stop tcpdump if necessary
+	#
+
+	for host in $TCPDUMPHOSTS
+	do
+	    if [ "`eval echo \\\$TDUP_${host}`" = "true" ]
+	    then
+		echo "${host}# killall tcpdump" >> $CONSOLE_LOG
+		eval ssh $SSHCONF root@\$ipv4_$host killall tcpdump
+		eval TDUP_${host}="false"
+	    fi
+	done
+
+
+	##########################################################################
+	# copy default host config back if necessary
+	#
+
+	$DIR/scripts/restore-defaults $testname
+
+
+	##########################################################################
+	# write test status to html file
+	#
+
+	if [ $STATUS = "passed" ]
+	then
+		COLOR="green"
+		log_status 0
+	else
+		COLOR="red"
+		log_status 1
+	fi
+
+	cat >> $TESTRESULTSHTML << @EOF
+  <tr>
+    <td>$testnumber</td>
+    <td><a href="$testname/index.html">$testname</a></td>
+    <td><a href="$testname/console.log"><font color="$COLOR">$STATUS</font></a></td>
+    <td>&nbsp;</td>
+  </tr>
+@EOF
+	cat >> $SUBTESTSINDEX << @EOF
+  <tr>
+    <td>$testnumber</td>
+    <td><a href="$name/index.html">$name</a></td>
+    <td><a href="$name/console.log"><font color="$COLOR">$STATUS</font></a></td>
+    <td>&nbsp;</td>
+  </tr>
+@EOF
+
+
+	##########################################################################
+	# remove any charon.pid files that still may exist
+	#
+
+	for host in $IPSECHOSTS
+	do
+	    eval HOSTLOGIN=root@\$ipv4_${host}
+	    ssh $SSHCONF $HOSTLOGIN 'if [ -f /var/run/charon.pid ]; then rm /var/run/charon.pid; echo "    removed charon.pid on `hostname`"; fi'
+	done
+
+    done
+
+done
+
+
+##############################################################################
+# finish the results html file
+#
+
+cat >> $TESTRESULTSHTML << @EOF
+    <tr>
+      <td>&nbsp;</td><td>&nbsp;</td><td>&nbsp;</td><td>&nbsp;</td>
+    </tr>
+    <tr>
+      <td><b>Passed</b></td><td><b><font color="green">$passed_cnt</font></b></td><td>&nbsp;</td><td>&nbsp;</td>
+    </tr>
+    <tr>
+      <td><b>Failed</b></td><td><b><font color="red">$failed_cnt</font></b></td><td>&nbsp;</td><td>&nbsp;</td>
+    </tr>
+  </table>
+</body>
+</html>
+@EOF
+
+let "all_cnt = $passed_cnt + $failed_cnt"
+
+cat >> $INDEX << @EOF
+    <tr>
+      <td>&nbsp;</td>
+      <td><a href="all.html"><b>all</b></a></td>
+      <td align="right"><b>$all_cnt</b></td>
+      <td>&nbsp;</td>
+    </tr>
+    <tr>
+      <td><b>Failed</b></td>
+      <td>&nbsp;</td>
+      <td align="right"><b><font color="red">$failed_cnt</font></b></td>
+      <td>&nbsp;</td>
+    </tr>
+  </table>
+</body>
+</html>
+@EOF
+
+echo
+echo_ok     "Passed : $passed_cnt"
+echo_failed "Failed : $failed_cnt"
+echo
+
+
+##############################################################################
+# copy the test results to the apache server
+#
+
+HTDOCS="/var/www"
+
+ssh $SSHCONF root@${ipv4_winnetou} mkdir -p $HTDOCS/testresults > /dev/null 2>&1
+scp $SSHCONF -r $TODAYDIR root@${ipv4_winnetou}:$HTDOCS/testresults > /dev/null 2>&1
+ssh $SSHCONF root@${ipv4_winnetou} ln -s $HTDOCS/images $HTDOCS/testresults/$TESTDATE/images > /dev/null 2>&1
+echo
+echo "The results are available in $TODAYDIR"
+echo "or via the link http://$ipv4_winnetou/testresults/$TESTDATE"
+
+ENDDATE=`date +%Y%m%d-%H%M`
+echo
+echo "Finished : $ENDDATE"
diff --git a/testing/do-tests.in b/testing/do-tests.in
deleted file mode 100755
index 82e027078..000000000
--- a/testing/do-tests.in
+++ /dev/null
@@ -1,799 +0,0 @@
-#!/bin/bash
-# Automatically execute the strongSwan test cases
-#
-# Copyright (C) 2004  Eric Marchionni, Patrik Rayo
-# Zuercher Hochschule Winterthur
-#
-# This program is free software; you can redistribute it and/or modify it
-# under the terms of the GNU General Public License as published by the
-# Free Software Foundation; either version 2 of the License, or (at your
-# option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
-#
-# This program is distributed in the hope that it will be useful, but
-# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
-# or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
-# for more details.
-
-DIR=`dirname $0`
-
-source $DIR/scripts/function.sh
-
-[ -f $DIR/testing.conf ] || die "Configuration file 'testing.conf' not found"
-[ -d $DIR/hosts ] || die "Directory 'hosts' not found"
-[ -d $DIR/tests ] || die "Directory 'tests' not found"
-
-source $DIR/testing.conf
-
-
-##############################################################################
-# test if UMLs have been built at all
-#
-
-[ -d $BUILDDIR ] || die "Directory '$BUILDDIR' does not exist. Please run 'make-testing'first."
-
-
-##############################################################################
-# take care of new path and file variables
-#
-
-[ -d $TESTRESULTSDIR ] || mkdir $TESTRESULTSDIR
-
-TESTDATE=`date +%Y%m%d-%H%M`
-
-TODAYDIR=$TESTRESULTSDIR/$TESTDATE
-mkdir $TODAYDIR
-TESTRESULTSHTML=$TODAYDIR/all.html
-INDEX=$TODAYDIR/index.html
-DEFAULTTESTSDIR=$UMLTESTDIR/testing/tests
-
-SOURCEIP_ROUTING_TABLE=@routing_table@
-
-testnumber="0"
-failed_cnt="0"
-passed_cnt="0"
-
-
-##############################################################################
-# copy default tests to $BUILDDIR
-#
-
-TESTSDIR=$BUILDDIR/tests
-[ -d $TESTSDIR ] || mkdir $TESTSDIR
-
-##############################################################################
-# assign IP for each host to hostname
-#
-
-for host in $STRONGSWANHOSTS
-do
-    eval ipv4_${host}="`echo $HOSTNAMEIPV4 | sed -n -e "s/^.*${host},//gp" | awk -F, '{ print $1 }' | awk '{ print $1 }'`"
-    eval ipv6_${host}="`echo $HOSTNAMEIPV6 | sed -n -e "s/^.*${host},//gp" | awk -F, '{ print $1 }' | awk '{ print $1 }'`"
-
-    case $host in
-    moon)
-        eval ipv4_moon1="`echo $HOSTNAMEIPV4 | sed -n -e "s/^.*${host},//gp" | awk -F, '{ print $2 }' | awk '{ print $1 }'`"
-        eval ipv6_moon1="`echo $HOSTNAMEIPV6 | sed -n -e "s/^.*${host},//gp" | awk -F, '{ print $2 }' | awk '{ print $1 }'`"
-        ;;
-    sun)
-        eval ipv4_sun1="`echo $HOSTNAMEIPV4 | sed -n -e "s/^.*${host},//gp" | awk -F, '{ print $2 }' | awk '{ print $1 }'`"
-        eval ipv6_sun1="`echo $HOSTNAMEIPV6 | sed -n -e "s/^.*${host},//gp" | awk -F, '{ print $2 }' | awk '{ print $1 }'`"
-        ;;
-    alice)
-        eval ipv4_alice1="`echo $HOSTNAMEIPV4 | sed -n -e "s/^.*${host},//gp" | awk -F, '{ print $2 }' | awk '{ print $1 }'`"
-        eval ipv6_alice1="`echo $HOSTNAMEIPV6 | sed -n -e "s/^.*${host},//gp" | awk -F, '{ print $2 }' | awk '{ print $1 }'`"
-        ;;
-    venus)
-        ;;
-    bob)
-        ;;
-    carol)
-        eval ipv4_carol1="`echo $HOSTNAMEIPV4 | sed -n -e "s/^.*${host},//gp" | awk -F, '{ print $2 }' | awk '{ print $1 }'`"
-        eval ipv6_carol1="`echo $HOSTNAMEIPV6 | sed -n -e "s/^.*${host},//gp" | awk -F, '{ print $2 }' | awk '{ print $1 }'`"
-         ;;
-    dave)
-        eval ipv4_dave1="`echo $HOSTNAMEIPV4 | sed -n -e "s/^.*${host},//gp" | awk -F, '{ print $2 }' | awk '{ print $1 }'`"
-        eval ipv6_dave1="`echo $HOSTNAMEIPV6 | sed -n -e "s/^.*${host},//gp" | awk -F, '{ print $2 }' | awk '{ print $1 }'`"
-        ;;
-    winnetou)
-        ;;
-    esac
-done
-
-
-##############################################################################
-# open ssh sessions
-#
-for host in $STRONGSWANHOSTS
-do
-    ssh $SSHCONF -N root@`eval echo \\\$ipv4_$host` &
-    eval ssh_pid_$host="`echo $!`"
-done
-
-
-##############################################################################
-# create header for the results html file
-#
-
-KERNEL_VERSION=`basename $KERNEL .tar.bz2`
-IPSEC_VERSION=`basename $STRONGSWAN .tar.bz2`
-
-ENVIRONMENT_HEADER=$(cat <<@EOF
-  <table border="0" cellspacing="2">
-    <tr valign="top">
-      <td><b>Host:</b></td>
-      <td colspan="3">`uname -a`</td>
-    </tr>
-    <tr valign="top">
-      <td><b>UML kernel: &nbsp;</b></td>
-      <td colspan="3">$KERNEL_VERSION</td>
-    </tr>
-    <tr valign="top">
-      <td><b>IPsec:</b></td>
-      <td colspan="3">$IPSEC_VERSION</td>
-    </tr>
-    <tr valign="top">
-      <td><b>Date:</b></td>
-      <td colspan="3">$TESTDATE</td>
-    </tr>
-    <tr>
-      <td width="100">&nbsp;</td>
-      <td width="200">&nbsp;</td>
-      <td width=" 50">&nbsp;</td>
-      <td >&nbsp;</td>
-    </tr>
-@EOF
-)
-
-cat > $INDEX <<@EOF
-<html>
-<head>
-  <title>strongSwan UML Tests</title>
-</head>
-<body>
-  <h2>strongSwan UML Tests</h2>
-  $ENVIRONMENT_HEADER
-@EOF
-
-cat > $TESTRESULTSHTML <<@EOF
-<html>
-<head>
-  <title>strongSwan UML Tests - All Tests</title>
-</head>
-<body>
-  <div><a href="index.html">strongSwan UML Tests</a> / All Tests</div>
-  <h2>All Tests</h2>
-  $ENVIRONMENT_HEADER
-    <tr align="left">
-      <th>Number</th>
-      <th>Test</th>
-      <th colspan="2">Result</th>
-    </tr>
-@EOF
-
-cecho "UML kernel: $KERNEL_VERSION"
-cecho "IPsec:      $IPSEC_VERSION"
-cecho "Date:       $TESTDATE"
-cecho ""
-
-
-##############################################################################
-# enter specific test directory
-#
-
-if [ $# -gt 0 ]
-then
-    TESTS=$*
-elif [ $SELECTEDTESTSONLY = "yes" ]
-then
-    # set internal field seperator
-    TESTS=$SELECTEDTESTS
-else
-    # set internal field seperator
-    TESTS="`ls $DEFAULTTESTSDIR`"
-fi
-
-for SUBDIR in $TESTS
-do
-    SUBTESTS="`basename $SUBDIR`"
-
-    if [ $SUBTESTS = $SUBDIR ]
-    then
-	SUBTESTS="`ls $DEFAULTTESTSDIR/$SUBDIR`"
-    else
-	SUBDIR="`dirname $SUBDIR`"
-    fi
-
-    if [ ! -d $TODAYDIR/$SUBDIR ]
-    then
-	mkdir $TODAYDIR/$SUBDIR
-	if [ $testnumber == 0 ]
-	then
-	    FIRST="<b>Category:</b"
-	else
-	    FIRST="&nbsp;"
-	fi
-	echo "    <tr>" >> $INDEX
-    echo "      <td>$FIRST</td>">> $INDEX
-    echo "      <td><a href=\"$SUBDIR/index.html\">$SUBDIR</a></td>" >> $INDEX
-    echo "      <td align=\"right\">x</td>" >> $INDEX
-    echo "      <td>&nbsp;</td>" >> $INDEX
-    echo "    </tr>" >> $INDEX
-	SUBTESTSINDEX=$TODAYDIR/$SUBDIR/index.html
-	cat > $SUBTESTSINDEX <<@EOF
-<html>
-<head>
-  <title>strongSwan $SUBDIR Tests</title>
-</head>
-<body>
-  <div><a href="../index.html">strongSwan UML Tests</a> / $SUBDIR</div>
-  <h2>strongSwan $SUBDIR Tests</h2>
-  <table border="0" cellspacing="2">
-    <tr valign="top">
-      <td><b>UML kernel: &nbsp;</b></td>
-      <td colspan="3">$KERNEL_VERSION</td>
-    </tr>
-    <tr valign="top">
-      <td><b>IPsec:</b></td>
-      <td colspan="3">$IPSEC_VERSION</td>
-    </tr>
-    <tr valign="top">
-      <td><b>Date:</b></td>
-      <td colspan="3">$TESTDATE</td>
-    </tr>
-    <tr>
-      <td width="100">&nbsp;</td>
-      <td width="200">&nbsp;</td>
-      <td width=" 50">&nbsp;</td>
-      <td >&nbsp;</td>
-    </tr>
-    <tr align="left">
-       <th>Number</th>
-       <th>Test</th>
-       <th colspan="2">Result</th>
-    </tr>
-@EOF
-    fi
-
-    for name in $SUBTESTS
-    do
-	let "testnumber += 1"
-	testname=$SUBDIR/$name
-	cecho-n " $testnumber $testname.."
-
-	if [ ! -d $DEFAULTTESTSDIR/${testname} ]
-	then
-	    cecho "is missing..skipped"
-	    continue
-	fi
-
-	if [ $SUBDIR = "ipv6" -o $name = "rw-psk-ipv6" ]
-	then
-	    IPROUTE_CMD="ip -6 route list table $SOURCEIP_ROUTING_TABLE"
-	    IPROUTE_DSP=$IPROUTE_CMD
-	    IPTABLES_CMD="ip6tables -v -n -L"
-	    IPTABLES_DSP="ip6tables -L"
-	else
-	    IPROUTE_CMD="ip route list table $SOURCEIP_ROUTING_TABLE"
-	    IPROUTE_DSP=$IPROUTE_CMD
-	    IPTABLES_CMD="iptables -v -n -L"
-	    IPTABLES_DSP="iptables -L"
-	fi
-
-	if [ $name = "net2net-ip4-in-ip6-ikev2" -o $name = "net2net-ip6-in-ip4-ikev2" ]
-	then
-	    IPROUTE_CMD="ip route list table $SOURCEIP_ROUTING_TABLE; echo; ip -6 route list table $SOURCEIP_ROUTING_TABLE"
-	    IPROUTE_DSP="ip (-6) route list table $SOURCEIP_ROUTING_TABLE"
-	    IPTABLES_CMD="iptables -v -n -L ; echo ; ip6tables -v -n -L"
-	    IPTABLES_DSP="iptables -L ; ip6tables -L"
-	fi
-
-	[ -f $DEFAULTTESTSDIR/${testname}/description.txt ] || die "!! File 'description.txt' is missing"
-	[ -f $DEFAULTTESTSDIR/${testname}/test.conf ]       || die "!! File 'test.conf' is missing"
-	[ -f $DEFAULTTESTSDIR/${testname}/pretest.dat ]     || die "!! File 'pretest.dat' is missing"
-	[ -f $DEFAULTTESTSDIR/${testname}/posttest.dat ]    || die "!! File 'posttest.dat' is missing"
-	[ -f $DEFAULTTESTSDIR/${testname}/evaltest.dat ]    || die "!! File 'evaltest.dat' is missing"
-
-	TESTRESULTDIR=$TODAYDIR/$testname
-	mkdir -p $TESTRESULTDIR
-	CONSOLE_LOG=$TESTRESULTDIR/console.log
-	touch $CONSOLE_LOG
-
-	TESTDIR=$TESTSDIR/${testname}
-	rm -rf $TESTDIR
-	mkdir -p $TESTDIR
-	cp -rfp $DEFAULTTESTSDIR/${testname}/* $TESTDIR
-
-
-	##############################################################################
-	# replace IP wildcards with actual IPv4 and IPv6 addresses
-	#
-
-	for host in $STRONGSWANHOSTS
-	do
-	    case $host in
-	    moon)
-		searchandreplace PH_IP_MOON1     $ipv4_moon1 $TESTDIR
-		searchandreplace PH_IP_MOON      $ipv4_moon  $TESTDIR
-		searchandreplace PH_IP6_MOON1    $ipv6_moon1 $TESTDIR
-		searchandreplace PH_IP6_MOON     $ipv6_moon  $TESTDIR
-		;;
-	    sun)
-		searchandreplace PH_IP_SUN1      $ipv4_sun1 $TESTDIR
-		searchandreplace PH_IP_SUN       $ipv4_sun  $TESTDIR
-		searchandreplace PH_IP6_SUN1     $ipv6_sun1 $TESTDIR
-		searchandreplace PH_IP6_SUN      $ipv6_sun  $TESTDIR
-		;;
-	    alice)
-		searchandreplace PH_IP_ALICE1    $ipv4_alice1 $TESTDIR
-		searchandreplace PH_IP_ALICE     $ipv4_alice  $TESTDIR
-		searchandreplace PH_IP6_ALICE1   $ipv6_alice1 $TESTDIR
-		searchandreplace PH_IP6_ALICE    $ipv6_alice  $TESTDIR
-		;;
-	    venus)
-		searchandreplace PH_IP_VENUS     $ipv4_venus $TESTDIR
-		searchandreplace PH_IP6_VENUS    $ipv6_venus $TESTDIR
-		;;
-	    bob)
-		searchandreplace PH_IP_BOB       $ipv4_bob $TESTDIR
-		searchandreplace PH_IPV6_BOB     $ipv6_bob $TESTDIR
-		;;
-	    carol)
-		searchandreplace PH_IP_CAROL1    $ipv4_carol1 $TESTDIR
-		searchandreplace PH_IP_CAROL     $ipv4_carol  $TESTDIR
-		searchandreplace PH_IP6_CAROL1   $ipv6_carol1 $TESTDIR
-		searchandreplace PH_IP6_CAROL    $ipv6_carol  $TESTDIR
-		;;
-	    dave)
-		searchandreplace PH_IP_DAVE1     $ipv4_dave1 $TESTDIR
-		searchandreplace PH_IP_DAVE      $ipv4_dave  $TESTDIR
-		searchandreplace PH_IP6_DAVE1    $ipv6_dave1 $TESTDIR
-		searchandreplace PH_IP6_DAVE     $ipv6_dave  $TESTDIR
-		;;
-	    winnetou)
-		searchandreplace PH_IP_WINNETOU  $ipv4_winnetou $TESTDIR
-		searchandreplace PH_IP6_WINNETOU $ipv6_winnetou $TESTDIR
-		;;
-	    esac
-	done
-
-
-	##########################################################################
-	# copy test specific configurations to uml hosts and clear auth.log files
-	#
-
-	$DIR/scripts/load-testconfig $testname
-	unset RADIUSHOSTS
-	source $TESTDIR/test.conf
-
-
-	##########################################################################
-	# run tcpdump in the background
-	#
-
-	if [ "$TCPDUMPHOSTS" != "" ]
-	then
-	    echo -e "TCPDUMP\n" >> $CONSOLE_LOG 2>&1
-
-	    for host_iface in $TCPDUMPHOSTS
-	    do
-		host=`echo $host_iface | awk -F ":" '{print $1}'`
-		iface=`echo $host_iface | awk -F ":" '{if ($2 != "") { print $2 } else { printf("eth0") }}'`
-		tcpdump_cmd="tcpdump -i $iface not port ssh and not port domain > /tmp/tcpdump.log 2>&1 &"
-		echo "${host}# $tcpdump_cmd" >> $CONSOLE_LOG
-		ssh $SSHCONF root@`eval echo \\\$ipv4_$host '$tcpdump_cmd'`
-		eval TDUP_${host}="true"
-	    done
-	fi
-
-
-	##########################################################################
-	# execute pre-test commands
-	#
-
-	cecho-n "pre.."
-	echo -e "\nPRE-TEST\n" >> $CONSOLE_LOG 2>&1
-
-	eval `awk -F "::" '{
-	    if ($2 != "")
-	    {
-		printf("echo \"%s# %s\"; ", $1, $2)
-		printf("ssh \044SSHCONF root@\044ipv4_%s \"%s\"; ", $1, $2)
-		printf("echo;\n")
-	    }
-	}' $TESTDIR/pretest.dat` >> $CONSOLE_LOG 2>&1
-
-
-	##########################################################################
-	# stop tcpdump
-	#
-
-	function stop_tcpdump {
-	    echo "${1}# killall tcpdump" >> $CONSOLE_LOG
-	    eval ssh $SSHCONF root@\$ipv4_${1} killall tcpdump
-	    eval TDUP_${1}="false"
-	    echo ""
-	}
-
-
-	##########################################################################
-	# get and evaluate test results
-	#
-
-	cecho-n "test.."
-	echo -e "\nTEST\n" >> $CONSOLE_LOG 2>&1
-
-	STATUS="passed"
-
-	eval `awk -F "::" '{
-	    host=$1
-	    command=$2
-	    pattern=$3
-	    hit=$4
-	    if (command != "")
-	    {
-		if (command == "tcpdump")
-		{
-		    printf("if [ \044TDUP_%s == \"true\" ]; then stop_tcpdump %s; fi; \n", host, host)
-		    printf("echo \"%s# cat /tmp/tcpdump.log | grep \047%s\047  [%s]\"; ", host, pattern, hit)
-		    printf("ssh \044SSHCONF root@\044ipv4_%s cat /tmp/tcpdump.log | grep \"%s\"; ", host, pattern)
-		}
-		else
-		{
-		    printf("echo \"%s# %s | grep \047%s\047  [%s]\"; ", host, command, pattern, hit)
-		    printf("ssh \044SSHCONF root@\044ipv4_%s %s | grep \"%s\"; ",  host, command, pattern)
-		}
-		printf("cmd_exit=\044?; ")
-		printf("echo; ")
-		printf("if [ \044cmd_exit -eq 0 -a \"%s\" = \"NO\"  ] ", hit)
-		printf("|| [ \044cmd_exit -ne 0 -a \"%s\" = \"YES\" ] ", hit)
-		printf("; then STATUS=\"failed\"; fi; \n")
-	    }
-	}' $TESTDIR/evaltest.dat` >> $CONSOLE_LOG 2>&1
-
-
-	##########################################################################
-	# set counters
-	#
-
-	if [ $STATUS = "failed" ]
-	then
-	    let "failed_cnt += 1"
-	else
-	    let "passed_cnt += 1"
-	fi
-
-
-	##########################################################################
-	# log statusall and listall output
-	# get copies of ipsec.conf, ipsec.secrets
-	# create index.html for the given test case
-
-	cat > $TESTRESULTDIR/index.html <<@EOF
-<html>
-<head>
-  <title>Test $testname</title>
-</head>
-<body>
-<table border="0" cellpadding="0" cellspacing="0" width="600">
-  <tr><td>
-    <div><a href="../../index.html">strongSwan UML Tests</a> / <a href="../index.html">$SUBDIR</a> / $name</div>
-    <h2>Test $testname</h2>
-    <h3>Description</h3>
-@EOF
-
-	cat $TESTDIR/description.txt >> $TESTRESULTDIR/index.html
-
-	cat >> $TESTRESULTDIR/index.html <<@EOF
-    <ul>
-      <li><a href="console.log">console.log</a></li>
-    </ul>
-    <img src="../../images/$DIAGRAM" alt="$UMLHOSTS">
-@EOF
-
-	for host in $IPSECHOSTS
-	do
-	    eval HOSTLOGIN=root@\$ipv4_${host}
-
-	    for command in statusall listall
-	    do
-		ssh $SSHCONF $HOSTLOGIN ipsec $command \
-		    > $TESTRESULTDIR/${host}.$command 2>/dev/null
-	    done
-
-	    for file in strongswan.conf ipsec.conf ipsec.secrets
-	    do
-		scp $SSHCONF $HOSTLOGIN:/etc/$file \
-		    $TESTRESULTDIR/${host}.$file  > /dev/null 2>&1
-	    done
-
-	    scp $SSHCONF $HOSTLOGIN:/etc/ipsec.d/ipsec.sql \
-	    	$TESTRESULTDIR/${host}.ipsec.sql  > /dev/null 2>&1
-
-	    ssh $SSHCONF $HOSTLOGIN ip -s xfrm policy \
-		    > $TESTRESULTDIR/${host}.ip.policy 2>/dev/null
-	    ssh $SSHCONF $HOSTLOGIN ip -s xfrm state \
-		    > $TESTRESULTDIR/${host}.ip.state 2>/dev/null
-	    ssh $SSHCONF $HOSTLOGIN $IPROUTE_CMD \
-		    > $TESTRESULTDIR/${host}.ip.route 2>/dev/null
-	    ssh $SSHCONF $HOSTLOGIN $IPTABLES_CMD \
-		    > $TESTRESULTDIR/${host}.iptables 2>/dev/null
-	    chmod a+r $TESTRESULTDIR/*
-	    cat >> $TESTRESULTDIR/index.html <<@EOF
-    <h3>$host</h3>
-      <table border="0" cellspacing="0" width="600">
-      <tr>
-	<td valign="top">
-	  <ul>
-	    <li><a href="$host.ipsec.conf">ipsec.conf</a></li>
-	    <li><a href="$host.ipsec.secrets">ipsec.secrets</a></li>
-	    <li><a href="$host.ipsec.sql">ipsec.sql</a></li>
-	    <li><a href="$host.strongswan.conf">strongswan.conf</a></li>
-	  </ul>
-	</td>
-	<td valign="top">
-	  <ul>
-	    <li><a href="$host.statusall">ipsec statusall</a></li>
-	    <li><a href="$host.listall">ipsec listall</a></li>
-	    <li><a href="$host.auth.log">auth.log</a></li>
-	    <li><a href="$host.daemon.log">daemon.log</a></li>
-	  </ul>
-      </td>
-	<td valign="top">
-	  <ul>
-	    <li><a href="$host.ip.policy">ip -s xfrm policy</a></li>
-	    <li><a href="$host.ip.state">ip -s xfrm state</a></li>
-	    <li><a href="$host.ip.route">$IPROUTE_DSP</a></li>
-	    <li><a href="$host.iptables">$IPTABLES_DSP</a></li>
-	  </ul>
-      </td>
-    </tr>
-    </table>
-@EOF
-
-	done
-
-	for host in $RADIUSHOSTS
-	do
-	    eval HOSTLOGIN=root@\$ipv4_${host}
-
-	    for file in clients.conf eap.conf radiusd.conf proxy.conf users
-	    do
-		scp $SSHCONF $HOSTLOGIN:/etc/raddb/$file \
-		    $TESTRESULTDIR/${host}.$file  > /dev/null 2>&1
-	    done
-
-		scp $SSHCONF $HOSTLOGIN:/etc/strongswan.conf \
-		    $TESTRESULTDIR/${host}.strongswan.conf  > /dev/null 2>&1
-
-	    scp $SSHCONF $HOSTLOGIN:/var/log/radius/radius.log \
-	    	$TESTRESULTDIR/${host}.radius.log  > /dev/null 2>&1
-
-	    chmod a+r $TESTRESULTDIR/*
-	    cat >> $TESTRESULTDIR/index.html <<@EOF
-    <h3>$host</h3>
-      <table border="0" cellspacing="0" width="600">
-      <tr>
-	<td valign="top">
-	  <ul>
-	    <li><a href="$host.clients.conf">clients.conf</a></li>
-	    <li><a href="$host.radiusd.conf">radiusd.conf</a></li>
-	    <li><a href="$host.strongswan.conf">strongswan.conf</a></li>
-	  </ul>
-	</td>
-	<td valign="top">
-	  <ul>
-	    <li><a href="$host.eap.conf">eap.conf</a></li>
-	    <li><a href="$host.radius.log">radius.log</a></li>
-	    <li><a href="$host.daemon.log">daemon.log</a></li>
-	  </ul>
-      </td>
-	<td valign="top">
-	  <ul>
-	    <li><a href="$host.proxy.conf">proxy.conf</a></li>
-	    <li><a href="$host.users">users</a></li>
-	  </ul>
-      </td>
-    </tr>
-    </table>
-@EOF
-
-	done
-
-	cat >> $TESTRESULTDIR/index.html <<@EOF
-  </td></tr>
-</table>
-</body>
-</html>
-@EOF
-
-
-	##########################################################################
-	# execute post-test commands
-	#
-
-	cecho-n "post.."
-	echo -e "\nPOST-TEST\n" >> $CONSOLE_LOG 2>&1
-
-	eval `awk -F "::" '{
-	    if ($2 != "")
-	    {
-		printf("echo \"%s# %s\"; ", $1, $2)
-		printf("ssh \044SSHCONF root@\044ipv4_%s \"%s\"; ", $1, $2)
-		printf("echo;\n")
-	    }
-	}' $TESTDIR/posttest.dat` >> $CONSOLE_LOG 2>&1
-
-
-	##########################################################################
-	# get a copy of /var/log/auth.log
-	#
-
-	for host in $IPSECHOSTS
-	do
-	    eval HOSTLOGIN=root@\$ipv4_${host}
-	    ssh $SSHCONF $HOSTLOGIN "grep -E 'charon|last message repeated' \
-		/var/log/auth.log" >> $TESTRESULTDIR/${host}.auth.log
-	done
-
-
-	##########################################################################
-	# get a copy of /var/log/daemon.log
-	#
-
-	for host in $IPSECHOSTS
-	do
-	    eval HOSTLOGIN=root@\$ipv4_${host}
-	    ssh $SSHCONF $HOSTLOGIN "grep -E 'charon|last message repeated' \
-		/var/log/daemon.log" >> $TESTRESULTDIR/${host}.daemon.log
-	done
-
-
-	##########################################################################
-	# get a copy of /var/log/daemon.log
-	#
-
-	for host in $RADIUSHOSTS
-	do
-	    eval HOSTLOGIN=root@\$ipv4_${host}
-	    ssh $SSHCONF $HOSTLOGIN grep imcv /var/log/daemon.log \
-		>> $TESTRESULTDIR/${host}.daemon.log
-	done
-
-
-	##########################################################################
-	# stop tcpdump if necessary
-	#
-
-	for host in $TCPDUMPHOSTS
-	do
-	    if [ "`eval echo \\\$TDUP_${host}`" = "true" ]
-	    then
-		echo "${host}# killall tcpdump" >> $CONSOLE_LOG
-		eval ssh $SSHCONF root@\$ipv4_$host killall tcpdump
-		eval TDUP_${host}="false"
-	    fi
-	done
-
-
-	##########################################################################
-	# copy default host config back if necessary
-	#
-
-	$DIR/scripts/restore-defaults $testname
-
-
-	##########################################################################
-	# write test status to html file
-	#
-
-	if [ $STATUS = "passed" ]
-	then
-	    COLOR="green"
-	    cecho "\033[1;32m$STATUS"
-	else
-	    COLOR="red"
-	    cecho "$STATUS"
-	fi
-
-	cat >> $TESTRESULTSHTML << @EOF
-  <tr>
-    <td>$testnumber</td>
-    <td><a href="$testname/index.html">$testname</a></td>
-    <td><a href="$testname/console.log"><font color="$COLOR">$STATUS</font></a></td>
-    <td>&nbsp;</td>
-  </tr>
-@EOF
-	cat >> $SUBTESTSINDEX << @EOF
-  <tr>
-    <td>$testnumber</td>
-    <td><a href="$name/index.html">$name</a></td>
-    <td><a href="$name/console.log"><font color="$COLOR">$STATUS</font></a></td>
-    <td>&nbsp;</td>
-  </tr>
-@EOF
-
-
-	##########################################################################
-	# remove any charon.pid files that still may exist
-	#
-
-	for host in $IPSECHOSTS
-	do
-	    eval HOSTLOGIN=root@\$ipv4_${host}
-	    ssh $SSHCONF $HOSTLOGIN 'if [ -f /var/run/charon.pid ]; then rm /var/run/charon.pid; echo "    removed charon.pid on `hostname`"; fi'
-	done
-
-    done
-
-done
-
-
-##############################################################################
-# finish the results html file
-#
-
-cat >> $TESTRESULTSHTML << @EOF
-    <tr>
-      <td>&nbsp;</td><td>&nbsp;</td><td>&nbsp;</td><td>&nbsp;</td>
-    </tr>
-    <tr>
-      <td><b>Passed:</b></td><td><b><font color="green">$passed_cnt</font></b></td><td>&nbsp;</td><td>&nbsp;</td>
-    </tr>
-    <tr>
-      <td><b>Failed:</b></td><td><b><font color="red">$failed_cnt</font></b></td><td>&nbsp;</td><td>&nbsp;</td>
-    </tr>
-  </table>
-</body>
-</html>
-@EOF
-
-let "all_cnt = $passed_cnt + $failed_cnt"
-
-cat >> $INDEX << @EOF
-    <tr>
-      <td>&nbsp;</td>
-      <td><a href="all.html"><b>all</b></a></td>
-      <td align="right"><b>$all_cnt</b></td>
-      <td>&nbsp;</td>
-    </tr>
-    <tr>
-      <td><b>Failed:</b></td>
-      <td>&nbsp;</td>
-      <td align="right"><b><font color="red">$failed_cnt</font></b></td>
-      <td>&nbsp;</td>
-    </tr>
-  </table>
-</body>
-</html>
-@EOF
-
-cecho ""
-cecho "\033[1;32mPassed:   $passed_cnt"
-cecho "Failed:   $failed_cnt"
-cecho ""
-
-
-##############################################################################
-# copy the test results to the apache server
-#
-
-HTDOCS="/var/www/localhost/htdocs"
-
-cecho-n "Copying test results to winnetou.."
-ssh $SSHCONF root@${ipv4_winnetou} mkdir -p $HTDOCS/testresults > /dev/null 2>&1
-scp $SSHCONF -r $TODAYDIR root@${ipv4_winnetou}:$HTDOCS/testresults > /dev/null 2>&1
-ssh $SSHCONF root@${ipv4_winnetou} ln -s $HTDOCS/images $HTDOCS/testresults/$TESTDATE/images > /dev/null 2>&1
-cgecho "done"
-cecho ""
-cecho "The results are available in $TODAYDIR"
-cecho "or via the link http://$ipv4_winnetou/testresults/$TESTDATE"
-
-
-##########################################################################
-# close ssh sessions
-#
-for host in $STRONGSWANHOSTS
-do
-    kill `eval echo \\\$ssh_pid_$host`
-done
-
diff --git a/testing/hosts/alice/etc/conf.d/hostname b/testing/hosts/alice/etc/conf.d/hostname
deleted file mode 100644
index 2012e0451..000000000
--- a/testing/hosts/alice/etc/conf.d/hostname
+++ /dev/null
@@ -1 +0,0 @@
-HOSTNAME=alice
diff --git a/testing/hosts/alice/etc/conf.d/net b/testing/hosts/alice/etc/conf.d/net
deleted file mode 100644
index 41e8887c4..000000000
--- a/testing/hosts/alice/etc/conf.d/net
+++ /dev/null
@@ -1,12 +0,0 @@
-# /etc/conf.d/net:
-
-# This is basically the ifconfig argument without the ifconfig $iface
-#
-config_eth0=( "PH_IP_ALICE broadcast 10.1.255.255 netmask 255.255.0.0"
-              "PH_IP6_ALICE/16" )
-config_eth1=( "PH_IP_ALICE1 broadcast 192.168.0.255 netmask 255.255.255.0"
-              "PH_IP6_ALICE1/16" )
-
-# For setting the default gateway
-#
-routes_eth0=( "default via PH_IP_MOON1" )
diff --git a/testing/hosts/alice/etc/freeradius/clients.conf b/testing/hosts/alice/etc/freeradius/clients.conf
new file mode 100644
index 000000000..5fb47a2ad
--- /dev/null
+++ b/testing/hosts/alice/etc/freeradius/clients.conf
@@ -0,0 +1,4 @@
+client 10.1.0.1 {
+  secret    = gv6URkSs
+  shortname = moon
+}
diff --git a/testing/hosts/alice/etc/freeradius/dictionary b/testing/hosts/alice/etc/freeradius/dictionary
new file mode 100644
index 000000000..59a874b3e
--- /dev/null
+++ b/testing/hosts/alice/etc/freeradius/dictionary
@@ -0,0 +1,32 @@
+#
+#	This is the master dictionary file, which references the
+#	pre-defined dictionary files included with the server.
+#
+#	Any new/changed attributes MUST be placed in this file, as
+#	the pre-defined dictionaries SHOULD NOT be edited.
+#
+#	$Id$
+#
+
+#
+#	The filename given here should be an absolute path.
+#
+$INCLUDE	/usr/local/share/freeradius/dictionary
+
+#
+#	Place additional attributes or $INCLUDEs here.  They will
+#	over-ride the definitions in the pre-defined dictionaries.
+#
+#	See the 'man' page for 'dictionary' for information on
+#	the format of the dictionary files.
+
+#
+#	If you want to add entries to the dictionary file,
+#	which are NOT going to be placed in a RADIUS packet,
+#	add them here.  The numbers you pick should be between
+#	3000 and 4000.
+#
+
+#ATTRIBUTE	My-Local-String		3000	string
+#ATTRIBUTE	My-Local-IPAddr		3001	ipaddr
+#ATTRIBUTE	My-Local-Integer	3002	integer
diff --git a/testing/hosts/alice/etc/freeradius/radiusd.conf b/testing/hosts/alice/etc/freeradius/radiusd.conf
new file mode 100644
index 000000000..e4f721738
--- /dev/null
+++ b/testing/hosts/alice/etc/freeradius/radiusd.conf
@@ -0,0 +1,120 @@
+# radiusd.conf	-- FreeRADIUS server configuration file.
+
+prefix = /usr
+exec_prefix = ${prefix}
+sysconfdir = /etc
+localstatedir = /var
+sbindir = ${exec_prefix}/sbin
+logdir = ${localstatedir}/log/freeradius
+raddbdir = ${sysconfdir}/freeradius
+radacctdir = ${logdir}/radacct
+
+#  name of the running server.  See also the "-n" command-line option.
+name = freeradius
+
+#  Location of config and logfiles.
+confdir = ${raddbdir}
+run_dir = ${localstatedir}/run
+
+# Should likely be ${localstatedir}/lib/radiusd
+db_dir = ${raddbdir}
+
+# libdir: Where to find the rlm_* modules.
+libdir = ${exec_prefix}/lib
+
+#  pidfile: Where to place the PID of the RADIUS server.
+pidfile = ${run_dir}/${name}.pid
+
+#  max_request_time: The maximum time (in seconds) to handle a request.
+max_request_time = 30
+
+#  cleanup_delay: The time to wait (in seconds) before cleaning up
+cleanup_delay = 5
+
+#  max_requests: The maximum number of requests which the server keeps
+max_requests = 1024
+
+#  listen: Make the server listen on a particular IP address, and send
+listen {
+  type = auth
+  ipaddr = 10.1.0.10
+  port = 0
+}
+
+#  This second "listen" section is for listening on the accounting
+#  port, too.
+#
+listen {
+  type  = acct
+  ipaddr = 10.1.0.10
+  port = 0
+}
+
+#  hostname_lookups: Log the names of clients or just their IP addresses
+hostname_lookups = no
+
+#  Core dumps are a bad thing.  This should only be set to 'yes'
+allow_core_dumps = no
+
+#  Regular expressions
+regular_expressions = yes
+extended_expressions = yes
+
+#  Logging section.  The various "log_*" configuration items
+log {
+  destination = files
+  file = ${logdir}/radius.log
+  syslog_facility = daemon
+  stripped_names = no
+  auth = yes
+  auth_badpass = yes
+  auth_goodpass = yes
+}
+
+#  The program to execute to do concurrency checks.
+checkrad = ${sbindir}/checkrad
+
+#  Security considerations
+security {
+  max_attributes = 200
+  reject_delay = 1
+  status_server = yes
+}
+
+# PROXY CONFIGURATION
+proxy_requests = yes
+$INCLUDE proxy.conf
+
+# CLIENTS CONFIGURATION
+$INCLUDE clients.conf
+
+# THREAD POOL CONFIGURATION
+thread pool {
+  start_servers = 5
+  max_servers = 32
+  min_spare_servers = 3
+  max_spare_servers = 10
+  max_requests_per_server = 0
+}
+
+# MODULE CONFIGURATION
+modules {
+  $INCLUDE ${confdir}/modules/
+  $INCLUDE eap.conf
+  $INCLUDE sql.conf
+  $INCLUDE sql/mysql/counter.conf
+}
+
+# Instantiation
+instantiate {
+  exec
+  expr
+  expiration
+  logintime
+}
+
+# Policies
+$INCLUDE policy.conf
+
+# Include all enabled virtual hosts
+$INCLUDE sites-enabled/
diff --git a/testing/hosts/alice/etc/hostname b/testing/hosts/alice/etc/hostname
new file mode 100644
index 000000000..c9fc40bfb
--- /dev/null
+++ b/testing/hosts/alice/etc/hostname
@@ -0,0 +1 @@
+alice
diff --git a/testing/hosts/alice/etc/init.d/iptables b/testing/hosts/alice/etc/init.d/iptables
deleted file mode 100755
index 1097ac5a4..000000000
--- a/testing/hosts/alice/etc/init.d/iptables
+++ /dev/null
@@ -1,74 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	# allow IKE
-        iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-        iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-			
-	# allow NAT-T 
-	iptables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-
-	# allow crl fetch from winnetou
-	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/hosts/alice/etc/init.d/net.eth0 b/testing/hosts/alice/etc/init.d/net.eth0
deleted file mode 100755
index 92b3851cf..000000000
--- a/testing/hosts/alice/etc/init.d/net.eth0
+++ /dev/null
@@ -1,1124 +0,0 @@
-#!/sbin/runscript
-# Copyright (c) 2004-2006 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-# Contributed by Roy Marples (uberlord@gentoo.org)
-# Many thanks to Aron Griffis (agriffis@gentoo.org)
-# for help, ideas and patches
-
-#NB: Config is in /etc/conf.d/net
-
-# For pcmcia users. note that pcmcia must be added to the same
-# runlevel as the net.* script that needs it.
-depend() {
-	need localmount
-	after bootmisc hostname
-	use isapnp isdn pcmcia usb wlan
-
-	# Load any custom depend functions for the given interface
-	# For example, br0 may need eth0 and eth1
-	local iface="${SVCNAME#*.}"
-	[[ $(type -t "depend_${iface}") == "function" ]] && depend_${iface}
-
-	if [[ ${iface} != "lo" && ${iface} != "lo0" ]] ; then
-		after net.lo net.lo0
-
-		# Support new style RC_NEED and RC_USE in one net file
-		local x="RC_NEED_${iface}"
-		[[ -n ${!x} ]] && need ${!x}
-		x="RC_USE_${iface}"
-		[[ -n ${!x} ]] && use ${!x}
-	fi
-
-	return 0
-}
-
-# Define where our modules are
-MODULES_DIR="${svclib}/net"
-
-# Make some wrappers to fudge after/before/need/use depend flags.
-# These are callbacks so MODULE will be set.
-after() {
-	eval "${MODULE}_after() { echo \"$*\"; }"
-}
-before() {
-	eval "${MODULE}_before() { echo \"$*\"; }"
-}
-need() {
-	eval "${MODULE}_need() { echo \"$*\"; }"
-}
-installed() {
-	# We deliberately misspell this as _installed will probably be used
-	# at some point
-	eval "${MODULE}_instlled() { echo \"$*\"; }"
-}
-provide() {
-	eval "${MODULE}_provide() { echo \"$*\"; }"
-}
-functions() {
-	eval "${MODULE}_functions() { echo \"$*\"; }"
-}
-variables() {
-	eval "${MODULE}_variables() { echo \"$*\"; }"
-}
-
-is_loopback() {
-	[[ $1 == "lo" || $1 == "lo0" ]]
-}
-
-# char* interface_device(char *iface)
-#
-# Gets the base device of the interface
-# Can handle eth0:1 and eth0.1
-# Which returns eth0 in this case
-interface_device() {
-	local dev="${1%%.*}"
-	[[ ${dev} == "$1" ]] && dev="${1%%:*}"
-	echo "${dev}"
-}
-
-# char* interface_type(char* iface)
-#
-# Returns the base type of the interface
-# eth, ippp, etc
-interface_type() {
-	echo "${1%%[0-9]*}"
-}
-
-# int calculate_metric(char *interface, int base)
-#
-# Calculates the best metric for the interface
-# We use this when we add routes so we can prefer interfaces over each other
-calculate_metric() {
-	local iface="$1" metric="$2"
-
-	# Have we already got a metric?
-	local m=$(awk '$1=="'${iface}'" && $2=="00000000" { print $7 }' \
-		/proc/net/route)
-	if [[ -n ${m} ]] ; then
-		echo "${m}"
-		return 0
-	fi
-
-	local i= dest= gw= flags= ref= u= m= mtu= metrics=
-	while read i dest gw flags ref u m mtu ; do
-		# Ignore lo
-		is_loopback "${i}" && continue
-		# We work out metrics from default routes only
-		[[ ${dest} != "00000000" || ${gw} == "00000000" ]] && continue
-		metrics="${metrics}\n${m}"
-	done < /proc/net/route
-
-	# Now, sort our metrics
-	metrics=$(echo -e "${metrics}" | sort -n)
-
-	# Now, find the lowest we can use
-	local gotbase=false
-	for m in ${metrics} ; do
-		[[ ${m} -lt ${metric} ]] && continue
-		[[ ${m} == ${metric} ]] && ((metric++))
-		[[ ${m} -gt ${metric} ]] && break
-	done
-	
-	echo "${metric}"
-}
-
-# int netmask2cidr(char *netmask)
-#
-# Returns the CIDR of a given netmask
-netmask2cidr() {
-	local binary= i= bin=
-
-	for i in ${1//./ }; do
-		bin=""
-		while [[ ${i} != "0" ]] ; do
-			bin=$[${i}%2]${bin}
-			(( i=i>>1 ))
-		done
-		binary="${binary}${bin}"
-	done
-	binary="${binary%%0*}"
-	echo "${#binary}"
-}
-
-
-# bool is_function(char* name)
-#
-# Returns 0 if the given name is a shell function, otherwise 1
-is_function() {
-	[[ -z $1 ]] && return 1
-	[[ $(type -t "$1") == "function" ]]
-}
-
-# void function_wrap(char* source, char* target)
-#
-# wraps function calls - for example function_wrap(this, that)
-# maps function names this_* to that_*
-function_wrap() {
-	local i=
-
-	is_function "${2}_depend" && return
-
-	for i in $(typeset -f | grep -o '^'"${1}"'_[^ ]*'); do
-		eval "${2}${i#${1}}() { ${i} \"\$@\"; }"
-	done
-}
-
-# char[] * expand_parameters(char *cmd)
-#
-# Returns an array after expanding parameters. For example
-# "192.168.{1..3}.{1..3}/24 brd +"
-# will return
-# "192.168.1.1/24 brd +"
-# "192.168.1.2/24 brd +"
-# "192.168.1.3/24 brd +"
-# "192.168.2.1/24 brd +"
-# "192.168.2.2/24 brd +"
-# "192.168.2.3/24 brd +"
-# "192.168.3.1/24 brd +"
-# "192.168.3.2/24 brd +"
-# "192.168.3.3/24 brd +"
-expand_parameters() {
-	local x=$(eval echo ${@// /_})
-	local -a a=( ${x} )
-
-	a=( "${a[@]/#/\"}" )
-	a=( "${a[@]/%/\"}" )
-	echo "${a[*]//_/ }"
-}
-
-# void configure_variables(char *interface, char *option1, [char *option2])
-#
-# Maps configuration options from <variable>_<option> to <variable>_<iface>
-# option2 takes precedence over option1
-configure_variables() {
-	local iface="$1" option1="$2" option2="$3"
-
-	local mod= func= x= i=
-	local -a ivars=() ovars1=() ovars2=()
-	local ifvar=$(bash_variable "${iface}")
-
-	for mod in ${MODULES[@]}; do
-		is_function ${mod}_variables || continue
-		for v in $(${mod}_variables) ; do
-			x=
-			[[ -n ${option2} ]] && x="${v}_${option2}[@]"
-			[[ -z ${!x} ]] && x="${v}_${option1}[@]"
-			[[ -n ${!x} ]] && eval "${v}_${ifvar}=( \"\${!x}\" )"
-		done
-	done
-
-	return 0
-}
-# bool module_load_minimum(char *module)
-#
-# Does the minimum checking on a module - even when forcing
-module_load_minimum() {
-	local f="$1.sh" MODULE="${1##*/}"
-
-	if [[ ! -f ${f} ]] ; then
-		eerror "${f} does not exist"
-		return 1
-	fi
-
-	if ! source "${f}" ; then
-		eerror "${MODULE} failed a sanity check"
-		return 1
-	fi
-
-	for f in depend; do
-		is_function "${MODULE}_${f}" && continue
-		eerror "${MODULE}.sh does not support the required function ${f}"
-		return 1
-	done
-
-	return 0
-}
-
-# bool modules_load_auto()
-#
-# Load and check each module for sanity
-# If the module is not installed, the functions are to be removed
-modules_load_auto() {
-	local i j inst
-
-	# Populate the MODULES array
-	# Basically we treat evey file in ${MODULES_DIR} as a module
-	MODULES=( $( cd "${MODULES_DIR}" ; ls *.sh ) )
-	j="${#MODULES[@]}"
-	for (( i=0; i<j; i++ )); do
-		MODULES[i]="${MODULES_DIR}/${MODULES[i]}"
-		[[ ! -f ${MODULES[i]} ]] && unset MODULES[i]
-	done
-	MODULES=( "${MODULES[@]}" )
-
-	# Each of these sources into the global namespace, so it's
-	# important that module functions and variables are prefixed with
-	# the module name, for example iproute2_
-
-	j="${#MODULES[@]}"
-	loaded_interface=false
-	for (( i=0; i<j; i++ )); do
-		MODULES[i]="${MODULES[i]%.sh*}"
-		if [[ ${MODULES[i]##*/} == "interface" ]] ; then
-			eerror "interface is a reserved name - cannot load a module called interface"
-			return 1
-		fi
-		
-		(
-		u=0;
-		module_load_minimum "${MODULES[i]}" || u=1;
-		if [[ ${u} == 0 ]] ; then
-			inst="${MODULES[i]##*/}_check_installed";
-			if is_function "${inst}" ; then
-				${inst} false || u=1;
-			fi
-		fi
-		exit "${u}";
-		)
-
-		if [[ $? == 0 ]] ; then
-			source "${MODULES[i]}.sh"
-			MODULES[i]="${MODULES[i]##*/}"
-		else
-			unset MODULES[i]
-		fi
-	done
-
-	MODULES=( "${MODULES[@]}" )
-	return 0
-}
-
-# bool modules_check_installed(void)
-#
-# Ensure that all modules have the required modules loaded
-# This enables us to remove modules from the MODULES array
-# Whilst other modules can still explicitly call them
-# One example of this is essidnet which configures network
-# settings for the specific ESSID connected to as the user
-# may be using a daemon to configure wireless instead of our
-# iwconfig module
-modules_check_installed() {
-	local i j missingdeps nmods="${#MODULES[@]}"
-
-	for (( i=0; i<nmods; i++ )); do
-		is_function "${MODULES[i]}_instlled" || continue
-		for j in $( ${MODULES[i]}_instlled ); do
-			missingdeps=true
-			if is_function "${j}_check_installed" ; then
-				${j}_check_installed && missingdeps=false
-			elif is_function "${j}_depend" ; then
-				missingdeps=false
-			fi
-			${missingdeps} && unset MODULES[i] && unset PROVIDES[i] && break
-		done
-	done
-
-	MODULES=( "${MODULES[@]}" )
-	PROVIDES=( "${PROVIDES[@]}" )
-}
-
-# bool modules_check_user(void)
-modules_check_user() {
-	local iface="$1" ifvar=$(bash_variable "${IFACE}")
-	local i= j= k= l= nmods="${#MODULES[@]}"
-	local -a umods=()
-
-	# Has the interface got any specific modules?
-	umods="modules_${ifvar}[@]"
-	umods=( "${!umods}" )
-
-	# Global setting follows interface-specific setting
-	umods=( "${umods[@]}" "${modules[@]}" )
-
-	# Add our preferred modules
-	local -a pmods=( "iproute2" "dhcpcd" "iwconfig" "netplugd" )
-	umods=( "${umods[@]}" "${pmods[@]}" )
-
-	# First we strip any modules that conflict from user settings
-	# So if the user specifies pump then we don't use dhcpcd
-	for (( i=0; i<${#umods[@]}; i++ )); do
-		# Some users will inevitably put "dhcp" in their modules
-		# list.  To keep users from screwing up their system this
-		# way, ignore this setting so that the default dhcp
-		# module will be used.
-		[[ ${umods[i]} == "dhcp" ]] && continue
-
-		# We remove any modules we explicitly don't want
-		if [[ ${umods[i]} == "!"* ]] ; then
-			for (( j=0; j<nmods; j++ )); do
-				[[ -z ${MODULES[j]} ]] && continue
-				if [[ ${umods[i]:1} == "${MODULES[j]}" \
-					|| ${umods[i]:1} == "${PROVIDES[j]}" ]] ; then
-					# We may need to setup a class wrapper for it even though
-					# we don't use it directly
-					# However, we put it into an array and wrap later as
-					# another module may provide the same thing
-					${MODULES[j]}_check_installed \
-						&& WRAP_MODULES=(
-							"${WRAP_MODULES[@]}"
-							"${MODULES[j]} ${PROVIDES[j]}"
-						)
-					unset MODULES[j]
-					unset PROVIDES[j]
-				fi
-			done
-			continue
-		fi
-
-		if ! is_function "${umods[i]}_depend" ; then
-			# If the module is one of our preferred modules, then
-			# ignore this error; whatever is available will be
-			# used instead.
-			(( i < ${#umods[@]} - ${#pmods[@]} )) || continue
-
-			# The function may not exist because the modules software is
-			# not installed. Load the module and report its error
-			if [[ -e "${MODULES_DIR}/${umods[i]}.sh" ]] ; then
-				source "${MODULES_DIR}/${umods[i]}.sh"
-				is_function "${umods[i]}_check_installed" \
-					&& ${umods[i]}_check_installed true
-			else
-				eerror "The module \"${umods[i]}\" does not exist"
-			fi
-			return 1
-		fi
-
-		if is_function "${umods[i]}_provide" ; then
-			mod=$(${umods[i]}_provide)
-		else
-			mod="${umods[i]}"
-		fi
-		for (( j=0; j<nmods; j++ )); do
-			[[ -z ${MODULES[j]} ]] && continue
-			if [[ ${PROVIDES[j]} == "${mod}" && ${umods[i]} != "${MODULES[j]}" ]] ; then
-				# We don't have a match - now ensure that we still provide an
-				# alternative. This is to handle our preferred modules.
-				for (( l=0; l<nmods; l++ )); do
-					[[ ${l} == "${j}" || -z ${MODULES[l]} ]] && continue
-					if [[ ${PROVIDES[l]} == "${mod}" ]] ; then
-						unset MODULES[j]
-						unset PROVIDES[j]
-						break
-					fi
-				done
-			fi
-		done
-	done
-
-	# Then we strip conflicting modules.
-	# We only need to do this for 3rd party modules that conflict with
-	# our own modules and the preferred list AND the user modules
-	# list doesn't specify a preference.
-	for (( i=0; i<nmods-1; i++ )); do
-		[[ -z ${MODULES[i]} ]] && continue			
-		for (( j=i+1; j<nmods; j++)); do
-			[[ -z ${MODULES[j]} ]] && continue
-			[[ ${PROVIDES[i]} == "${PROVIDES[j]}" ]] \
-			&& unset MODULES[j] && unset PROVIDES[j]
-		done
-	done
-
-	MODULES=( "${MODULES[@]}" )
-	PROVIDES=( "${PROVIDES[@]}" )
-	return 0
-}
-
-# void modules_sort(void)
-#
-# Sort our modules
-modules_sort() {
-	local i= j= nmods=${#MODULES[@]} m=
-	local -a provide=() provide_list=() after=() dead=() sorted=() sortedp=()
-
-	# Make our provide list
-	for ((i=0; i<nmods; i++)); do
-		dead[i]="false"
-		if [[ ${MODULES[i]} != "${PROVIDES[i]}" ]] ; then
-			local provided=false
-			for ((j=0; j<${#provide[@]}; j++)); do
-				if [[ ${provide[j]} == "${PROVIDES[i]}" ]] ; then
-					provide_list[j]="${provide_list[j]} ${MODULES[i]}"
-					provided=true
-				fi
-			done
-			if ! ${provided}; then
-				provide[j]="${PROVIDES[i]}"
-				provide_list[j]="${MODULES[i]}"
-			fi
-		fi
-	done
-
-	# Create an after array, which holds which modules the module at
-	# index i must be after
-	for ((i=0; i<nmods; i++)); do
-		if is_function "${MODULES[i]}_after" ; then
-			after[i]=" ${after[i]} $(${MODULES[i]}_after) "
-		fi
-		if is_function "${MODULES[i]}_before" ; then
-			for m in $(${MODULES[i]}_before); do
-				for ((j=0; j<nmods; j++)) ; do
-					if [[ ${PROVIDES[j]} == "${m}" ]] ; then
-						after[j]=" ${after[j]} ${MODULES[i]} "
-						break
-					fi
-				done
-			done
-		fi
-	done
-
-	# Replace the after list modules with real modules
-	for ((i=0; i<nmods; i++)); do
-		if [[ -n ${after[i]} ]] ; then
-			for ((j=0; j<${#provide[@]}; j++)); do
-				after[i]="${after[i]// ${provide[j]} / ${provide_list[j]} }"
-			done
-		fi
-	done
-	
-	# We then use the below code to provide a topologial sort
-    module_after_visit() {
-        local name="$1" i= x=
-
-		for ((i=0; i<nmods; i++)); do
-			[[ ${MODULES[i]} == "$1" ]] && break
-		done
-
-        ${dead[i]} && return
-        dead[i]="true"
-
-        for x in ${after[i]} ; do
-            module_after_visit "${x}"
-        done
-
-        sorted=( "${sorted[@]}" "${MODULES[i]}" )
-		sortedp=( "${sortedp[@]}" "${PROVIDES[i]}" )
-    }
-
-	for x in ${MODULES[@]}; do
-		module_after_visit "${x}"
-	done
-
-	MODULES=( "${sorted[@]}" )
-	PROVIDES=( "${sortedp[@]}" )
-}
-
-# bool modules_check_depends(bool showprovides)
-modules_check_depends() {
-	local showprovides="${1:-false}" nmods="${#MODULES[@]}" i= j= needmod=
-	local missingdeps= p= interface=false
-
-	for (( i=0; i<nmods; i++ )); do
-		if is_function "${MODULES[i]}_need" ; then
-			for needmod in $(${MODULES[i]}_need); do
-				missingdeps=true
-				for (( j=0; j<nmods; j++ )); do
-					if [[ ${needmod} == "${MODULES[j]}" \
-						|| ${needmod} == "${PROVIDES[j]}" ]] ; then
-						missingdeps=false
-						break
-					fi
-				done
-				if ${missingdeps} ; then
-					eerror "${MODULES[i]} needs ${needmod} (dependency failure)"
-					return 1
-				fi
-			done
-		fi
-
-		if is_function "${MODULES[i]}_functions" ; then
-			for f in $(${MODULES[i]}_functions); do
-				if ! is_function "${f}" ; then
-					eerror "${MODULES[i]}: missing required function \"${f}\""
-					return 1
-				fi
-			done
-		fi
-
-		[[ ${PROVIDES[i]} == "interface" ]] && interface=true
-
-		if ${showprovides} ; then
-			[[ ${PROVIDES[i]} != "${MODULES[i]}" ]] \
-			&& veinfo "${MODULES[i]} provides ${PROVIDES[i]}"
-		fi
-	done
-
-	if ! ${interface} ; then
-		eerror "no interface module has been loaded"
-		return 1
-	fi
-
-	return 0
-}
-
-# bool modules_load(char *iface, bool starting)
-#
-# Loads the defined handler and modules for the interface
-# Returns 0 on success, otherwise 1
-modules_load()  {
-	local iface="$1" starting="${2:-true}" MODULE= p=false i= j= k=
-	local -a x=()
-	local RC_INDENTATION="${RC_INDENTATION}"
-	local -a PROVIDES=() WRAP_MODULES=()
-
-	if ! is_loopback "${iface}" ; then
-		x="modules_force_${iface}[@]"
-		[[ -n ${!x} ]] && modules_force=( "${!x}" )
-		if [[ -n ${modules_force} ]] ; then
-			ewarn "WARNING: You are forcing modules!"
-			ewarn "Do not complain or file bugs if things start breaking"
-			report=true
-		fi
-	fi
-
-	veinfo "Loading networking modules for ${iface}"
-	eindent
-
-	if [[ -z ${modules_force} ]] ; then
-		modules_load_auto || return 1
-	else
-		j="${#modules_force[@]}"
-		for (( i=0; i<j; i++ )); do
-			module_load_minimum "${MODULES_DIR}/${modules_force[i]}" || return 1
-			if is_function "${modules_force[i]}_check_installed" ; then
-				${modules_force[i]}_check_installed || unset modules_force[i]
-			fi
-		done
-		MODULES=( "${modules_force[@]}" )
-	fi
-
-	j="${#MODULES[@]}"
-	for (( i=0; i<j; i++ )); do
-		# Now load our dependencies - we need to use the MODULE variable
-		# here as the after/before/need functions use it
-		MODULE="${MODULES[i]}"
-		${MODULE}_depend
-
-		# expose does exactly the same thing as depend
-		# However it is more "correct" as it exposes things to other modules
-		# instead of depending on them ;)
-		is_function "${MODULES[i]}_expose" && ${MODULES[i]}_expose
-
-		# If no provide is given, assume module name
-		if is_function "${MODULES[i]}_provide" ; then
-			PROVIDES[i]=$(${MODULES[i]}_provide)
-		else
-			PROVIDES[i]="${MODULES[i]}"
-		fi
-	done
-
-	if [[ -n ${modules_force[@]} ]] ; then
-		# Strip any duplicate modules providing the same thing
-		j="${#MODULES[@]}"
-		for (( i=0; i<j-1; i++ )); do
-			[[ -z ${MODULES[i]} ]] && continue
-			for (( k=i+1; k<j; k++ )); do
-				if [[ ${PROVIDES[i]} == ${PROVIDES[k]} ]] ; then
-					unset MODULES[k]
-					unset PROVIDES[k]
-				fi
-			done
-		done
-		MODULES=( "${MODULES[@]}" )
-		PROVIDES=( "${PROVIDES[@]}" )
-	else
-		if ${starting}; then
-			modules_check_user "${iface}" || return 1
-		else
-			# Always prefer iproute2 for taking down interfaces
-			if is_function iproute2_provide ; then
-				function_wrap iproute2 "$(iproute2_provide)"
-			fi
-		fi
-	fi
-	
-	# Wrap our modules
-	j="${#MODULES[@]}"
-	for (( i=0; i<j; i++ )); do
-		function_wrap "${MODULES[i]}" "${PROVIDES[i]}"
-	done
-	j="${#WRAP_MODULES[@]}"
-	for (( i=0; i<j; i++ )); do
-		function_wrap ${WRAP_MODULES[i]}
-	done
-	
-	if [[ -z ${modules_force[@]} ]] ; then
-		modules_check_installed || return 1
-		modules_sort || return 1
-	fi
-
-	veinfo "modules: ${MODULES[@]}"
-	eindent
-
-	${starting} && p=true
-	modules_check_depends "${p}" || return 1
-	return 0
-}
-
-# bool iface_start(char *interface)
-#
-# iface_start is called from start.  It's expected to start the base
-# interface (for example "eth0"), aliases (for example "eth0:1") and to start
-# VLAN interfaces (for example eth0.0, eth0.1).  VLAN setup is accomplished by
-# calling itself recursively.
-iface_start() {
-	local iface="$1" mod config_counter="-1" x config_worked=false
-	local RC_INDENTATION="${RC_INDENTATION}"
-	local -a config=() fallback=() fallback_route=() conf=() a=() b=()
-	local ifvar=$(bash_variable "$1") i= j= metric=0
-
-	# pre Start any modules with
-	for mod in ${MODULES[@]}; do
-		if is_function "${mod}_pre_start" ; then
-			${mod}_pre_start "${iface}" || { eend 1; return 1; }
-		fi
-	done
-
-	x="metric_${ifvar}"
-	# If we don't have a metric then calculate one
-	# Our modules will set the metric variable to a suitable base
-	# in their pre starts.
-	if [[ -z ${!x} ]] ; then
-		eval "metric_${ifvar}=\"$(calculate_metric "${iface}" "${metric}")\""
-	fi
-
-	# We now expand the configuration parameters and pray that the
-	# fallbacks expand to the same number as config or there will be
-	# trouble!
-	a="config_${ifvar}[@]"
-	a=( "${!a}" )
-	for (( i=0; i<${#a[@]}; i++ )); do 
-		eval b=( $(expand_parameters "${a[i]}") )
-		config=( "${config[@]}" "${b[@]}" )
-	done
-
-	a="fallback_${ifvar}[@]"
-	a=( "${!a}" )
-	for (( i=0; i<${#a[@]}; i++ )); do 
-		eval b=( $(expand_parameters "${a[i]}") )
-		fallback=( "${fallback[@]}" "${b[@]}" )
-	done
-
-	# We don't expand routes
-	fallback_route="fallback_route_${ifvar}[@]"
-	fallback_route=( "${!fallback_route}" )
-	
-	# We must support old configs
-	if [[ -z ${config} ]] ; then
-		interface_get_old_config "${iface}" || return 1
-		if [[ -n ${config} ]] ; then
-			ewarn "You are using a deprecated configuration syntax for ${iface}"
-			ewarn "You are advised to read /etc/conf.d/net.example and upgrade it accordingly"
-		fi
-	fi
-
-	# Handle "noop" correctly
-	if [[ ${config[0]} == "noop" ]] ; then
-		if interface_is_up "${iface}" true ; then
-			einfo "Keeping current configuration for ${iface}"
-			eend 0
-			return 0
-		fi
-
-		# Remove noop from the config var
-		config=( "${config[@]:1}" )
-	fi
-
-	# Provide a default of DHCP if no configuration is set and we're auto
-	# Otherwise a default of NULL
-	if [[ -z ${config} ]] ; then
-		ewarn "Configuration not set for ${iface} - assuming DHCP"
-		if is_function "dhcp_start" ; then
-			config=( "dhcp" )
-		else
-			eerror "No DHCP client installed"
-			return 1
-		fi
-	fi
-
-	einfo "Bringing up ${iface}"
-	eindent
-	for (( config_counter=0; config_counter<${#config[@]}; config_counter++ )); do
-		# Handle null and noop correctly
-		if [[ ${config[config_counter]} == "null" \
-			|| ${config[config_counter]} == "noop" ]] ; then
-			eend 0
-			config_worked=true
-			continue
-		fi
-
-		# We convert it to an array - this has the added
-		# bonus of trimming spaces!
-		conf=( ${config[config_counter]} )
-		einfo "${conf[0]}"
-
-		# Do we have a function for our config?
-		if is_function "${conf[0]}_start" ; then
-			eindent
-			${conf[0]}_start "${iface}" ; x=$?
-			eoutdent
-			[[ ${x} == 0 ]] && config_worked=true && continue
-			# We need to test to see if it's an IP address or a function
-			# We do this by testing if the 1st character is a digit
-		elif [[ ${conf[0]:0:1} == [[:digit:]] || ${conf[0]} == *:* ]] ; then
-			x="0"
-			if ! is_loopback "${iface}" ; then
-				if [[ " ${MODULES[@]} " == *" arping "* ]] ; then
-					if arping_address_exists "${iface}" "${conf[0]}" ; then
-						eerror "${conf[0]%%/*} already taken on ${iface}"
-						x="1"
-					fi
-				fi
-			fi
-			[[ ${x} == "0" ]] && interface_add_address "${iface}" ${conf[@]}; x="$?"
-			eend "${x}" && config_worked=true && continue
-		else
-			if [[ ${conf[0]} == "dhcp" ]] ; then
-				eerror "No DHCP client installed"
-			else
-				eerror "No loaded modules provide \"${conf[0]}\" (${conf[0]}_start)"
-			fi
-		fi
-
-		if [[ -n ${fallback[config_counter]} ]] ; then
-			einfo "Trying fallback configuration"
-			config[config_counter]="${fallback[config_counter]}"
-			fallback[config_counter]=""
-
-			# Do we have a fallback route?
-			if [[ -n ${fallback_route[config_counter]} ]] ; then
-				x="fallback_route[config_counter]"
-				eval "routes_${ifvar}=( \"\${!x}\" )"
-				fallback_route[config_counter]=""
-			fi
-
-			(( config_counter-- )) # since the loop will increment it
-			continue
-		fi
-	done
-	eoutdent
-
-	# We return failure if no configuration parameters worked
-	${config_worked} || return 1
-
-	# Start any modules with _post_start
-	for mod in ${MODULES[@]}; do
-		if is_function "${mod}_post_start" ; then
-			${mod}_post_start "${iface}" || return 1
-		fi
-	done
-
-	return 0
-}
-
-# bool iface_stop(char *interface)
-#
-# iface_stop: bring down an interface.  Don't trust information in
-# /etc/conf.d/net since the configuration might have changed since
-# iface_start ran.  Instead query for current configuration and bring
-# down the interface.
-iface_stop() {
-	local iface="$1" i= aliases= need_begin=false mod=
-	local RC_INDENTATION="${RC_INDENTATION}"
-
-	# pre Stop any modules
-	for mod in ${MODULES[@]}; do
-		if is_function "${mod}_pre_stop" ; then
-			${mod}_pre_stop "${iface}" || return 1
-		fi
-	done
-
-	einfo "Bringing down ${iface}"
-	eindent
-
-	# Collect list of aliases for this interface.
-	# List will be in reverse order.
-	if interface_exists "${iface}" ; then
-		aliases=$(interface_get_aliases_rev "${iface}")
-	fi
-
-	# Stop aliases before primary interface.
-	# Note this must be done in reverse order, since ifconfig eth0:1 
-	# will remove eth0:2, etc.  It might be sufficient to simply remove 
-	# the base interface but we're being safe here.
-	for i in ${aliases} ${iface}; do
-		# Stop all our modules
-		for mod in ${MODULES[@]}; do
-			if is_function "${mod}_stop" ; then
-				${mod}_stop "${i}" || return 1
-			fi
-		done
-
-		# A module may have removed the interface
-		if ! interface_exists "${iface}" ; then
-			eend 0
-			continue
-		fi
-
-		# We don't delete ppp assigned addresses
-		if ! is_function pppd_exists || ! pppd_exists "${i}" ; then
-			# Delete all the addresses for this alias
-			interface_del_addresses "${i}"
-		fi
-
-		# Do final shut down of this alias
-		if [[ ${IN_BACKGROUND} != "true" \
-			&& ${RC_DOWN_INTERFACE} == "yes" ]] ; then
-			ebegin "Shutting down ${i}"
-			interface_iface_stop "${i}"
-			eend "$?"
-		fi
-	done
-
-	# post Stop any modules
-	for mod in ${MODULES[@]}; do
-		# We have already taken down the interface, so no need to error
-		is_function "${mod}_post_stop" && ${mod}_post_stop "${iface}"
-	done
-
-	return 0
-}
-
-# bool run_start(char *iface)
-#
-# Brings up ${IFACE}.  Calls preup, iface_start, then postup.
-# Returns 0 (success) unless preup or iface_start returns 1 (failure).
-# Ignores the return value from postup.
-# We cannot check that the device exists ourselves as modules like
-# tuntap make create it.
-run_start() {
-	local iface="$1" IFVAR=$(bash_variable "$1")
-
-	# We do this so users can specify additional addresses for lo if they
-	# need too - additional routes too
-	# However, no extra modules are loaded as they are just not needed
-	if [[ ${iface} == "lo" ]] ; then
-		metric_lo="0"
-		config_lo=( "127.0.0.1/8 brd 127.255.255.255" "${config_lo[@]}" )
-		routes_lo=( "127.0.0.0/8" "${routes_lo[@]}" )
-	elif [[ ${iface} == "lo0" ]] ; then
-		metric_lo0="0"
-		config_lo0=( "127.0.0.1/8 brd 127.255.255.255" "${config_lo[@]}" )
-		routes_lo0=( "127.0.0.0/8" "${routes_lo[@]}" )
-	fi
-
-	# We may not have a loaded module for ${iface}
-	# Some users may have "alias natsemi eth0" in /etc/modules.d/foo
-	# so we can work with this
-	# However, if they do the same with eth1 and try to start it
-	# but eth0 has not been loaded then the module gets loaded as
-	# eth0.
-	# Not much we can do about this :(
-	# Also, we cannot error here as some modules - such as bridge
-	# create interfaces
-	if ! interface_exists "${iface}" ; then
-		/sbin/modprobe "${iface}" &>/dev/null
-	fi
-
-	# Call user-defined preup function if it exists
-	if is_function preup ; then
-		einfo "Running preup function"
-		eindent
-		( preup "${iface}" )
-		eend "$?" "preup ${iface} failed" || return 1
-		eoutdent
-	fi
-
-	# If config is set to noop and the interface is up with an address
-	# then we don't start it
-	local config=
-	config="config_${IFVAR}[@]"
-	config=( "${!config}" )
-	if [[ ${config[0]} == "noop" ]] && interface_is_up "${iface}" true ; then
-		einfo "Keeping current configuration for ${iface}"
-		eend 0
-	else
-		# Remove noop from the config var
-		[[ ${config[0]} == "noop" ]] \
-			&& eval "config_${IFVAR}=( "\"\$\{config\[@\]:1\}\"" )"
-
-		# There may be existing ip address info - so we strip it
-		if [[ ${RC_INTERFACE_KEEP_CONFIG} != "yes" \
-			&& ${IN_BACKGROUND} != "true" ]] ; then
-			interface_del_addresses "${iface}"
-		fi
-
-		# Start the interface
-		if ! iface_start "${iface}" ; then
-			if [[ ${IN_BACKGROUND} != "true" ]] ; then
-				interface_exists "${iface}" && interface_down "${iface}"
-			fi
-			eend 1
-			return 1
-		fi
-	fi
-
-	# Call user-defined postup function if it exists
-	if is_function postup ; then
-		# We need to mark the service as started incase a
-		# postdown function wants to restart services that depend on us
-		mark_service_started "net.${iface}"
-		end_service "net.${iface}" 0
-		einfo "Running postup function"
-		eindent
-		( postup "${iface}" )
-		eoutdent
-	fi
-
-	return 0
-}
-
-# bool run_stop(char *iface) {
-#
-# Brings down ${iface}.  If predown call returns non-zero, then
-# stop returns non-zero to indicate failure bringing down device.
-# In all other cases stop returns 0 to indicate success.
-run_stop() {
-	local iface="$1" IFVAR=$(bash_variable "$1") x
-
-	# Load our ESSID variable so users can use it in predown() instead
-	# of having to write code.
-	local ESSID=$(get_options ESSID) ESSIDVAR=
-	[[ -n ${ESSID} ]] && ESSIDVAR=$(bash_variable "${ESSID}")
-
-	# Call user-defined predown function if it exists
-	if is_function predown ; then
-		einfo "Running predown function"
-		eindent
-		( predown "${iface}" )
-		eend $? "predown ${iface} failed" || return 1
-		eoutdent
-	elif is_net_fs / ; then
-		eerror "root filesystem is network mounted -- can't stop ${iface}"
-		return 1
-	elif is_union_fs / ; then
-		for x in $(unionctl "${dir}" --list \
-		| sed -e 's/^\(.*\) .*/\1/') ; do
-			if is_net_fs "${x}" ; then
-				eerror "Part of the root filesystem is network mounted - cannot stop ${iface}"
-				return 1
-			fi
-		done
-	fi
-
-	iface_stop "${iface}" || return 1  # always succeeds, btw
-
-	# Release resolv.conf information.
-	[[ -x /sbin/resolvconf ]] && resolvconf -d "${iface}"
-	
-	# Mark us as inactive if called from the background
-	[[ ${IN_BACKGROUND} == "true" ]] && mark_service_inactive "net.${iface}"
-
-	# Call user-defined postdown function if it exists
-	if is_function postdown ; then
-		# We need to mark the service as stopped incase a
-		# postdown function wants to restart services that depend on us
-		[[ ${IN_BACKGROUND} != "true" ]] && mark_service_stopped "net.${iface}"
-		end_service "net.${iface}" 0
-		einfo "Running postdown function"
-		eindent
-		( postdown "${iface}" )
-		eoutdent
-	fi
-
-
-	return 0
-}
-
-# bool run(char *iface, char *cmd)
-#
-# Main start/stop entry point
-# We load modules here and remove any functions that they
-# added as we may be called inside the same shell scope for another interface
-run() {
-	local iface="$1" cmd="$2" r=1 RC_INDENTATION="${RC_INDENTATION}"
-	local starting=true
-	local -a MODULES=() mods=()
-	local IN_BACKGROUND="${IN_BACKGROUND}"
-
-	if [[ ${IN_BACKGROUND} == "true" || ${IN_BACKGROUND} == "1" ]] ; then
-		IN_BACKGROUND=true
-	else
-		IN_BACKGROUND=false
-	fi
-
-	# We need to override the exit function as runscript.sh now checks
-	# for it. We need it so we can mark the service as inactive ourselves.
-	unset -f exit
-
-	eindent
-	[[ ${cmd} == "stop" ]] && starting=false
-
-	# We force lo to only use these modules for a major speed boost
-	if is_loopback "${iface}" ; then	
-		modules_force=( "iproute2" "ifconfig" "system" )
-	fi
-
-	if modules_load "${iface}" "${starting}" ; then
-		if [[ ${cmd} == "stop" ]] ; then
-			# Reverse the module list for stopping
-			mods=( "${MODULES[@]}" )
-			for ((i = 0; i < ${#mods[@]}; i++)); do
-				MODULES[i]=${mods[((${#mods[@]} - i - 1))]}
-			done
-
-			run_stop "${iface}" && r=0
-		else
-			# Only hotplug on ethernet interfaces
-			if [[ ${IN_HOTPLUG} == 1 ]] ; then
-				if ! interface_is_ethernet "${iface}" ; then
-					eerror "We only hotplug for ethernet interfaces"
-					return 1
-				fi
-			fi
-
-			run_start "${iface}" && r=0
-		fi
-	fi
-
-	if [[ ${r} != "0" ]] ; then
-		if [[ ${cmd} == "start" ]] ; then
-			# Call user-defined failup if it exists
-			if is_function failup ; then
-				einfo "Running failup function"
-				eindent
-				( failup "${iface}" )
-				eoutdent
-			fi
-		else
-			# Call user-defined faildown if it exists
-			if is_function faildown ; then
-				einfo "Running faildown function"
-				eindent
-				( faildown "${iface}" )
-				eoutdent
-			fi
-		fi
-		[[ ${IN_BACKGROUND} == "true" ]] \
-			&& mark_service_inactive "net.${iface}"
-	fi
-
-	return "${r}"
-}
-
-# bool start(void)
-#
-# Start entry point so that we only have one function
-# which localises variables and unsets functions
-start() {
-	declare -r IFACE="${SVCNAME#*.}"
-	einfo "Starting ${IFACE}"
-	run "${IFACE}" start
-}
-
-# bool stop(void)
-#
-# Stop entry point so that we only have one function
-# which localises variables and unsets functions
-stop() {
-	declare -r IFACE="${SVCNAME#*.}"
-	einfo "Stopping ${IFACE}"
-	run "${IFACE}" stop
-}
-
-# vim:ts=4
diff --git a/testing/hosts/alice/etc/init.d/net.eth1 b/testing/hosts/alice/etc/init.d/net.eth1
deleted file mode 100755
index 92b3851cf..000000000
--- a/testing/hosts/alice/etc/init.d/net.eth1
+++ /dev/null
@@ -1,1124 +0,0 @@
-#!/sbin/runscript
-# Copyright (c) 2004-2006 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-# Contributed by Roy Marples (uberlord@gentoo.org)
-# Many thanks to Aron Griffis (agriffis@gentoo.org)
-# for help, ideas and patches
-
-#NB: Config is in /etc/conf.d/net
-
-# For pcmcia users. note that pcmcia must be added to the same
-# runlevel as the net.* script that needs it.
-depend() {
-	need localmount
-	after bootmisc hostname
-	use isapnp isdn pcmcia usb wlan
-
-	# Load any custom depend functions for the given interface
-	# For example, br0 may need eth0 and eth1
-	local iface="${SVCNAME#*.}"
-	[[ $(type -t "depend_${iface}") == "function" ]] && depend_${iface}
-
-	if [[ ${iface} != "lo" && ${iface} != "lo0" ]] ; then
-		after net.lo net.lo0
-
-		# Support new style RC_NEED and RC_USE in one net file
-		local x="RC_NEED_${iface}"
-		[[ -n ${!x} ]] && need ${!x}
-		x="RC_USE_${iface}"
-		[[ -n ${!x} ]] && use ${!x}
-	fi
-
-	return 0
-}
-
-# Define where our modules are
-MODULES_DIR="${svclib}/net"
-
-# Make some wrappers to fudge after/before/need/use depend flags.
-# These are callbacks so MODULE will be set.
-after() {
-	eval "${MODULE}_after() { echo \"$*\"; }"
-}
-before() {
-	eval "${MODULE}_before() { echo \"$*\"; }"
-}
-need() {
-	eval "${MODULE}_need() { echo \"$*\"; }"
-}
-installed() {
-	# We deliberately misspell this as _installed will probably be used
-	# at some point
-	eval "${MODULE}_instlled() { echo \"$*\"; }"
-}
-provide() {
-	eval "${MODULE}_provide() { echo \"$*\"; }"
-}
-functions() {
-	eval "${MODULE}_functions() { echo \"$*\"; }"
-}
-variables() {
-	eval "${MODULE}_variables() { echo \"$*\"; }"
-}
-
-is_loopback() {
-	[[ $1 == "lo" || $1 == "lo0" ]]
-}
-
-# char* interface_device(char *iface)
-#
-# Gets the base device of the interface
-# Can handle eth0:1 and eth0.1
-# Which returns eth0 in this case
-interface_device() {
-	local dev="${1%%.*}"
-	[[ ${dev} == "$1" ]] && dev="${1%%:*}"
-	echo "${dev}"
-}
-
-# char* interface_type(char* iface)
-#
-# Returns the base type of the interface
-# eth, ippp, etc
-interface_type() {
-	echo "${1%%[0-9]*}"
-}
-
-# int calculate_metric(char *interface, int base)
-#
-# Calculates the best metric for the interface
-# We use this when we add routes so we can prefer interfaces over each other
-calculate_metric() {
-	local iface="$1" metric="$2"
-
-	# Have we already got a metric?
-	local m=$(awk '$1=="'${iface}'" && $2=="00000000" { print $7 }' \
-		/proc/net/route)
-	if [[ -n ${m} ]] ; then
-		echo "${m}"
-		return 0
-	fi
-
-	local i= dest= gw= flags= ref= u= m= mtu= metrics=
-	while read i dest gw flags ref u m mtu ; do
-		# Ignore lo
-		is_loopback "${i}" && continue
-		# We work out metrics from default routes only
-		[[ ${dest} != "00000000" || ${gw} == "00000000" ]] && continue
-		metrics="${metrics}\n${m}"
-	done < /proc/net/route
-
-	# Now, sort our metrics
-	metrics=$(echo -e "${metrics}" | sort -n)
-
-	# Now, find the lowest we can use
-	local gotbase=false
-	for m in ${metrics} ; do
-		[[ ${m} -lt ${metric} ]] && continue
-		[[ ${m} == ${metric} ]] && ((metric++))
-		[[ ${m} -gt ${metric} ]] && break
-	done
-	
-	echo "${metric}"
-}
-
-# int netmask2cidr(char *netmask)
-#
-# Returns the CIDR of a given netmask
-netmask2cidr() {
-	local binary= i= bin=
-
-	for i in ${1//./ }; do
-		bin=""
-		while [[ ${i} != "0" ]] ; do
-			bin=$[${i}%2]${bin}
-			(( i=i>>1 ))
-		done
-		binary="${binary}${bin}"
-	done
-	binary="${binary%%0*}"
-	echo "${#binary}"
-}
-
-
-# bool is_function(char* name)
-#
-# Returns 0 if the given name is a shell function, otherwise 1
-is_function() {
-	[[ -z $1 ]] && return 1
-	[[ $(type -t "$1") == "function" ]]
-}
-
-# void function_wrap(char* source, char* target)
-#
-# wraps function calls - for example function_wrap(this, that)
-# maps function names this_* to that_*
-function_wrap() {
-	local i=
-
-	is_function "${2}_depend" && return
-
-	for i in $(typeset -f | grep -o '^'"${1}"'_[^ ]*'); do
-		eval "${2}${i#${1}}() { ${i} \"\$@\"; }"
-	done
-}
-
-# char[] * expand_parameters(char *cmd)
-#
-# Returns an array after expanding parameters. For example
-# "192.168.{1..3}.{1..3}/24 brd +"
-# will return
-# "192.168.1.1/24 brd +"
-# "192.168.1.2/24 brd +"
-# "192.168.1.3/24 brd +"
-# "192.168.2.1/24 brd +"
-# "192.168.2.2/24 brd +"
-# "192.168.2.3/24 brd +"
-# "192.168.3.1/24 brd +"
-# "192.168.3.2/24 brd +"
-# "192.168.3.3/24 brd +"
-expand_parameters() {
-	local x=$(eval echo ${@// /_})
-	local -a a=( ${x} )
-
-	a=( "${a[@]/#/\"}" )
-	a=( "${a[@]/%/\"}" )
-	echo "${a[*]//_/ }"
-}
-
-# void configure_variables(char *interface, char *option1, [char *option2])
-#
-# Maps configuration options from <variable>_<option> to <variable>_<iface>
-# option2 takes precedence over option1
-configure_variables() {
-	local iface="$1" option1="$2" option2="$3"
-
-	local mod= func= x= i=
-	local -a ivars=() ovars1=() ovars2=()
-	local ifvar=$(bash_variable "${iface}")
-
-	for mod in ${MODULES[@]}; do
-		is_function ${mod}_variables || continue
-		for v in $(${mod}_variables) ; do
-			x=
-			[[ -n ${option2} ]] && x="${v}_${option2}[@]"
-			[[ -z ${!x} ]] && x="${v}_${option1}[@]"
-			[[ -n ${!x} ]] && eval "${v}_${ifvar}=( \"\${!x}\" )"
-		done
-	done
-
-	return 0
-}
-# bool module_load_minimum(char *module)
-#
-# Does the minimum checking on a module - even when forcing
-module_load_minimum() {
-	local f="$1.sh" MODULE="${1##*/}"
-
-	if [[ ! -f ${f} ]] ; then
-		eerror "${f} does not exist"
-		return 1
-	fi
-
-	if ! source "${f}" ; then
-		eerror "${MODULE} failed a sanity check"
-		return 1
-	fi
-
-	for f in depend; do
-		is_function "${MODULE}_${f}" && continue
-		eerror "${MODULE}.sh does not support the required function ${f}"
-		return 1
-	done
-
-	return 0
-}
-
-# bool modules_load_auto()
-#
-# Load and check each module for sanity
-# If the module is not installed, the functions are to be removed
-modules_load_auto() {
-	local i j inst
-
-	# Populate the MODULES array
-	# Basically we treat evey file in ${MODULES_DIR} as a module
-	MODULES=( $( cd "${MODULES_DIR}" ; ls *.sh ) )
-	j="${#MODULES[@]}"
-	for (( i=0; i<j; i++ )); do
-		MODULES[i]="${MODULES_DIR}/${MODULES[i]}"
-		[[ ! -f ${MODULES[i]} ]] && unset MODULES[i]
-	done
-	MODULES=( "${MODULES[@]}" )
-
-	# Each of these sources into the global namespace, so it's
-	# important that module functions and variables are prefixed with
-	# the module name, for example iproute2_
-
-	j="${#MODULES[@]}"
-	loaded_interface=false
-	for (( i=0; i<j; i++ )); do
-		MODULES[i]="${MODULES[i]%.sh*}"
-		if [[ ${MODULES[i]##*/} == "interface" ]] ; then
-			eerror "interface is a reserved name - cannot load a module called interface"
-			return 1
-		fi
-		
-		(
-		u=0;
-		module_load_minimum "${MODULES[i]}" || u=1;
-		if [[ ${u} == 0 ]] ; then
-			inst="${MODULES[i]##*/}_check_installed";
-			if is_function "${inst}" ; then
-				${inst} false || u=1;
-			fi
-		fi
-		exit "${u}";
-		)
-
-		if [[ $? == 0 ]] ; then
-			source "${MODULES[i]}.sh"
-			MODULES[i]="${MODULES[i]##*/}"
-		else
-			unset MODULES[i]
-		fi
-	done
-
-	MODULES=( "${MODULES[@]}" )
-	return 0
-}
-
-# bool modules_check_installed(void)
-#
-# Ensure that all modules have the required modules loaded
-# This enables us to remove modules from the MODULES array
-# Whilst other modules can still explicitly call them
-# One example of this is essidnet which configures network
-# settings for the specific ESSID connected to as the user
-# may be using a daemon to configure wireless instead of our
-# iwconfig module
-modules_check_installed() {
-	local i j missingdeps nmods="${#MODULES[@]}"
-
-	for (( i=0; i<nmods; i++ )); do
-		is_function "${MODULES[i]}_instlled" || continue
-		for j in $( ${MODULES[i]}_instlled ); do
-			missingdeps=true
-			if is_function "${j}_check_installed" ; then
-				${j}_check_installed && missingdeps=false
-			elif is_function "${j}_depend" ; then
-				missingdeps=false
-			fi
-			${missingdeps} && unset MODULES[i] && unset PROVIDES[i] && break
-		done
-	done
-
-	MODULES=( "${MODULES[@]}" )
-	PROVIDES=( "${PROVIDES[@]}" )
-}
-
-# bool modules_check_user(void)
-modules_check_user() {
-	local iface="$1" ifvar=$(bash_variable "${IFACE}")
-	local i= j= k= l= nmods="${#MODULES[@]}"
-	local -a umods=()
-
-	# Has the interface got any specific modules?
-	umods="modules_${ifvar}[@]"
-	umods=( "${!umods}" )
-
-	# Global setting follows interface-specific setting
-	umods=( "${umods[@]}" "${modules[@]}" )
-
-	# Add our preferred modules
-	local -a pmods=( "iproute2" "dhcpcd" "iwconfig" "netplugd" )
-	umods=( "${umods[@]}" "${pmods[@]}" )
-
-	# First we strip any modules that conflict from user settings
-	# So if the user specifies pump then we don't use dhcpcd
-	for (( i=0; i<${#umods[@]}; i++ )); do
-		# Some users will inevitably put "dhcp" in their modules
-		# list.  To keep users from screwing up their system this
-		# way, ignore this setting so that the default dhcp
-		# module will be used.
-		[[ ${umods[i]} == "dhcp" ]] && continue
-
-		# We remove any modules we explicitly don't want
-		if [[ ${umods[i]} == "!"* ]] ; then
-			for (( j=0; j<nmods; j++ )); do
-				[[ -z ${MODULES[j]} ]] && continue
-				if [[ ${umods[i]:1} == "${MODULES[j]}" \
-					|| ${umods[i]:1} == "${PROVIDES[j]}" ]] ; then
-					# We may need to setup a class wrapper for it even though
-					# we don't use it directly
-					# However, we put it into an array and wrap later as
-					# another module may provide the same thing
-					${MODULES[j]}_check_installed \
-						&& WRAP_MODULES=(
-							"${WRAP_MODULES[@]}"
-							"${MODULES[j]} ${PROVIDES[j]}"
-						)
-					unset MODULES[j]
-					unset PROVIDES[j]
-				fi
-			done
-			continue
-		fi
-
-		if ! is_function "${umods[i]}_depend" ; then
-			# If the module is one of our preferred modules, then
-			# ignore this error; whatever is available will be
-			# used instead.
-			(( i < ${#umods[@]} - ${#pmods[@]} )) || continue
-
-			# The function may not exist because the modules software is
-			# not installed. Load the module and report its error
-			if [[ -e "${MODULES_DIR}/${umods[i]}.sh" ]] ; then
-				source "${MODULES_DIR}/${umods[i]}.sh"
-				is_function "${umods[i]}_check_installed" \
-					&& ${umods[i]}_check_installed true
-			else
-				eerror "The module \"${umods[i]}\" does not exist"
-			fi
-			return 1
-		fi
-
-		if is_function "${umods[i]}_provide" ; then
-			mod=$(${umods[i]}_provide)
-		else
-			mod="${umods[i]}"
-		fi
-		for (( j=0; j<nmods; j++ )); do
-			[[ -z ${MODULES[j]} ]] && continue
-			if [[ ${PROVIDES[j]} == "${mod}" && ${umods[i]} != "${MODULES[j]}" ]] ; then
-				# We don't have a match - now ensure that we still provide an
-				# alternative. This is to handle our preferred modules.
-				for (( l=0; l<nmods; l++ )); do
-					[[ ${l} == "${j}" || -z ${MODULES[l]} ]] && continue
-					if [[ ${PROVIDES[l]} == "${mod}" ]] ; then
-						unset MODULES[j]
-						unset PROVIDES[j]
-						break
-					fi
-				done
-			fi
-		done
-	done
-
-	# Then we strip conflicting modules.
-	# We only need to do this for 3rd party modules that conflict with
-	# our own modules and the preferred list AND the user modules
-	# list doesn't specify a preference.
-	for (( i=0; i<nmods-1; i++ )); do
-		[[ -z ${MODULES[i]} ]] && continue			
-		for (( j=i+1; j<nmods; j++)); do
-			[[ -z ${MODULES[j]} ]] && continue
-			[[ ${PROVIDES[i]} == "${PROVIDES[j]}" ]] \
-			&& unset MODULES[j] && unset PROVIDES[j]
-		done
-	done
-
-	MODULES=( "${MODULES[@]}" )
-	PROVIDES=( "${PROVIDES[@]}" )
-	return 0
-}
-
-# void modules_sort(void)
-#
-# Sort our modules
-modules_sort() {
-	local i= j= nmods=${#MODULES[@]} m=
-	local -a provide=() provide_list=() after=() dead=() sorted=() sortedp=()
-
-	# Make our provide list
-	for ((i=0; i<nmods; i++)); do
-		dead[i]="false"
-		if [[ ${MODULES[i]} != "${PROVIDES[i]}" ]] ; then
-			local provided=false
-			for ((j=0; j<${#provide[@]}; j++)); do
-				if [[ ${provide[j]} == "${PROVIDES[i]}" ]] ; then
-					provide_list[j]="${provide_list[j]} ${MODULES[i]}"
-					provided=true
-				fi
-			done
-			if ! ${provided}; then
-				provide[j]="${PROVIDES[i]}"
-				provide_list[j]="${MODULES[i]}"
-			fi
-		fi
-	done
-
-	# Create an after array, which holds which modules the module at
-	# index i must be after
-	for ((i=0; i<nmods; i++)); do
-		if is_function "${MODULES[i]}_after" ; then
-			after[i]=" ${after[i]} $(${MODULES[i]}_after) "
-		fi
-		if is_function "${MODULES[i]}_before" ; then
-			for m in $(${MODULES[i]}_before); do
-				for ((j=0; j<nmods; j++)) ; do
-					if [[ ${PROVIDES[j]} == "${m}" ]] ; then
-						after[j]=" ${after[j]} ${MODULES[i]} "
-						break
-					fi
-				done
-			done
-		fi
-	done
-
-	# Replace the after list modules with real modules
-	for ((i=0; i<nmods; i++)); do
-		if [[ -n ${after[i]} ]] ; then
-			for ((j=0; j<${#provide[@]}; j++)); do
-				after[i]="${after[i]// ${provide[j]} / ${provide_list[j]} }"
-			done
-		fi
-	done
-	
-	# We then use the below code to provide a topologial sort
-    module_after_visit() {
-        local name="$1" i= x=
-
-		for ((i=0; i<nmods; i++)); do
-			[[ ${MODULES[i]} == "$1" ]] && break
-		done
-
-        ${dead[i]} && return
-        dead[i]="true"
-
-        for x in ${after[i]} ; do
-            module_after_visit "${x}"
-        done
-
-        sorted=( "${sorted[@]}" "${MODULES[i]}" )
-		sortedp=( "${sortedp[@]}" "${PROVIDES[i]}" )
-    }
-
-	for x in ${MODULES[@]}; do
-		module_after_visit "${x}"
-	done
-
-	MODULES=( "${sorted[@]}" )
-	PROVIDES=( "${sortedp[@]}" )
-}
-
-# bool modules_check_depends(bool showprovides)
-modules_check_depends() {
-	local showprovides="${1:-false}" nmods="${#MODULES[@]}" i= j= needmod=
-	local missingdeps= p= interface=false
-
-	for (( i=0; i<nmods; i++ )); do
-		if is_function "${MODULES[i]}_need" ; then
-			for needmod in $(${MODULES[i]}_need); do
-				missingdeps=true
-				for (( j=0; j<nmods; j++ )); do
-					if [[ ${needmod} == "${MODULES[j]}" \
-						|| ${needmod} == "${PROVIDES[j]}" ]] ; then
-						missingdeps=false
-						break
-					fi
-				done
-				if ${missingdeps} ; then
-					eerror "${MODULES[i]} needs ${needmod} (dependency failure)"
-					return 1
-				fi
-			done
-		fi
-
-		if is_function "${MODULES[i]}_functions" ; then
-			for f in $(${MODULES[i]}_functions); do
-				if ! is_function "${f}" ; then
-					eerror "${MODULES[i]}: missing required function \"${f}\""
-					return 1
-				fi
-			done
-		fi
-
-		[[ ${PROVIDES[i]} == "interface" ]] && interface=true
-
-		if ${showprovides} ; then
-			[[ ${PROVIDES[i]} != "${MODULES[i]}" ]] \
-			&& veinfo "${MODULES[i]} provides ${PROVIDES[i]}"
-		fi
-	done
-
-	if ! ${interface} ; then
-		eerror "no interface module has been loaded"
-		return 1
-	fi
-
-	return 0
-}
-
-# bool modules_load(char *iface, bool starting)
-#
-# Loads the defined handler and modules for the interface
-# Returns 0 on success, otherwise 1
-modules_load()  {
-	local iface="$1" starting="${2:-true}" MODULE= p=false i= j= k=
-	local -a x=()
-	local RC_INDENTATION="${RC_INDENTATION}"
-	local -a PROVIDES=() WRAP_MODULES=()
-
-	if ! is_loopback "${iface}" ; then
-		x="modules_force_${iface}[@]"
-		[[ -n ${!x} ]] && modules_force=( "${!x}" )
-		if [[ -n ${modules_force} ]] ; then
-			ewarn "WARNING: You are forcing modules!"
-			ewarn "Do not complain or file bugs if things start breaking"
-			report=true
-		fi
-	fi
-
-	veinfo "Loading networking modules for ${iface}"
-	eindent
-
-	if [[ -z ${modules_force} ]] ; then
-		modules_load_auto || return 1
-	else
-		j="${#modules_force[@]}"
-		for (( i=0; i<j; i++ )); do
-			module_load_minimum "${MODULES_DIR}/${modules_force[i]}" || return 1
-			if is_function "${modules_force[i]}_check_installed" ; then
-				${modules_force[i]}_check_installed || unset modules_force[i]
-			fi
-		done
-		MODULES=( "${modules_force[@]}" )
-	fi
-
-	j="${#MODULES[@]}"
-	for (( i=0; i<j; i++ )); do
-		# Now load our dependencies - we need to use the MODULE variable
-		# here as the after/before/need functions use it
-		MODULE="${MODULES[i]}"
-		${MODULE}_depend
-
-		# expose does exactly the same thing as depend
-		# However it is more "correct" as it exposes things to other modules
-		# instead of depending on them ;)
-		is_function "${MODULES[i]}_expose" && ${MODULES[i]}_expose
-
-		# If no provide is given, assume module name
-		if is_function "${MODULES[i]}_provide" ; then
-			PROVIDES[i]=$(${MODULES[i]}_provide)
-		else
-			PROVIDES[i]="${MODULES[i]}"
-		fi
-	done
-
-	if [[ -n ${modules_force[@]} ]] ; then
-		# Strip any duplicate modules providing the same thing
-		j="${#MODULES[@]}"
-		for (( i=0; i<j-1; i++ )); do
-			[[ -z ${MODULES[i]} ]] && continue
-			for (( k=i+1; k<j; k++ )); do
-				if [[ ${PROVIDES[i]} == ${PROVIDES[k]} ]] ; then
-					unset MODULES[k]
-					unset PROVIDES[k]
-				fi
-			done
-		done
-		MODULES=( "${MODULES[@]}" )
-		PROVIDES=( "${PROVIDES[@]}" )
-	else
-		if ${starting}; then
-			modules_check_user "${iface}" || return 1
-		else
-			# Always prefer iproute2 for taking down interfaces
-			if is_function iproute2_provide ; then
-				function_wrap iproute2 "$(iproute2_provide)"
-			fi
-		fi
-	fi
-	
-	# Wrap our modules
-	j="${#MODULES[@]}"
-	for (( i=0; i<j; i++ )); do
-		function_wrap "${MODULES[i]}" "${PROVIDES[i]}"
-	done
-	j="${#WRAP_MODULES[@]}"
-	for (( i=0; i<j; i++ )); do
-		function_wrap ${WRAP_MODULES[i]}
-	done
-	
-	if [[ -z ${modules_force[@]} ]] ; then
-		modules_check_installed || return 1
-		modules_sort || return 1
-	fi
-
-	veinfo "modules: ${MODULES[@]}"
-	eindent
-
-	${starting} && p=true
-	modules_check_depends "${p}" || return 1
-	return 0
-}
-
-# bool iface_start(char *interface)
-#
-# iface_start is called from start.  It's expected to start the base
-# interface (for example "eth0"), aliases (for example "eth0:1") and to start
-# VLAN interfaces (for example eth0.0, eth0.1).  VLAN setup is accomplished by
-# calling itself recursively.
-iface_start() {
-	local iface="$1" mod config_counter="-1" x config_worked=false
-	local RC_INDENTATION="${RC_INDENTATION}"
-	local -a config=() fallback=() fallback_route=() conf=() a=() b=()
-	local ifvar=$(bash_variable "$1") i= j= metric=0
-
-	# pre Start any modules with
-	for mod in ${MODULES[@]}; do
-		if is_function "${mod}_pre_start" ; then
-			${mod}_pre_start "${iface}" || { eend 1; return 1; }
-		fi
-	done
-
-	x="metric_${ifvar}"
-	# If we don't have a metric then calculate one
-	# Our modules will set the metric variable to a suitable base
-	# in their pre starts.
-	if [[ -z ${!x} ]] ; then
-		eval "metric_${ifvar}=\"$(calculate_metric "${iface}" "${metric}")\""
-	fi
-
-	# We now expand the configuration parameters and pray that the
-	# fallbacks expand to the same number as config or there will be
-	# trouble!
-	a="config_${ifvar}[@]"
-	a=( "${!a}" )
-	for (( i=0; i<${#a[@]}; i++ )); do 
-		eval b=( $(expand_parameters "${a[i]}") )
-		config=( "${config[@]}" "${b[@]}" )
-	done
-
-	a="fallback_${ifvar}[@]"
-	a=( "${!a}" )
-	for (( i=0; i<${#a[@]}; i++ )); do 
-		eval b=( $(expand_parameters "${a[i]}") )
-		fallback=( "${fallback[@]}" "${b[@]}" )
-	done
-
-	# We don't expand routes
-	fallback_route="fallback_route_${ifvar}[@]"
-	fallback_route=( "${!fallback_route}" )
-	
-	# We must support old configs
-	if [[ -z ${config} ]] ; then
-		interface_get_old_config "${iface}" || return 1
-		if [[ -n ${config} ]] ; then
-			ewarn "You are using a deprecated configuration syntax for ${iface}"
-			ewarn "You are advised to read /etc/conf.d/net.example and upgrade it accordingly"
-		fi
-	fi
-
-	# Handle "noop" correctly
-	if [[ ${config[0]} == "noop" ]] ; then
-		if interface_is_up "${iface}" true ; then
-			einfo "Keeping current configuration for ${iface}"
-			eend 0
-			return 0
-		fi
-
-		# Remove noop from the config var
-		config=( "${config[@]:1}" )
-	fi
-
-	# Provide a default of DHCP if no configuration is set and we're auto
-	# Otherwise a default of NULL
-	if [[ -z ${config} ]] ; then
-		ewarn "Configuration not set for ${iface} - assuming DHCP"
-		if is_function "dhcp_start" ; then
-			config=( "dhcp" )
-		else
-			eerror "No DHCP client installed"
-			return 1
-		fi
-	fi
-
-	einfo "Bringing up ${iface}"
-	eindent
-	for (( config_counter=0; config_counter<${#config[@]}; config_counter++ )); do
-		# Handle null and noop correctly
-		if [[ ${config[config_counter]} == "null" \
-			|| ${config[config_counter]} == "noop" ]] ; then
-			eend 0
-			config_worked=true
-			continue
-		fi
-
-		# We convert it to an array - this has the added
-		# bonus of trimming spaces!
-		conf=( ${config[config_counter]} )
-		einfo "${conf[0]}"
-
-		# Do we have a function for our config?
-		if is_function "${conf[0]}_start" ; then
-			eindent
-			${conf[0]}_start "${iface}" ; x=$?
-			eoutdent
-			[[ ${x} == 0 ]] && config_worked=true && continue
-			# We need to test to see if it's an IP address or a function
-			# We do this by testing if the 1st character is a digit
-		elif [[ ${conf[0]:0:1} == [[:digit:]] || ${conf[0]} == *:* ]] ; then
-			x="0"
-			if ! is_loopback "${iface}" ; then
-				if [[ " ${MODULES[@]} " == *" arping "* ]] ; then
-					if arping_address_exists "${iface}" "${conf[0]}" ; then
-						eerror "${conf[0]%%/*} already taken on ${iface}"
-						x="1"
-					fi
-				fi
-			fi
-			[[ ${x} == "0" ]] && interface_add_address "${iface}" ${conf[@]}; x="$?"
-			eend "${x}" && config_worked=true && continue
-		else
-			if [[ ${conf[0]} == "dhcp" ]] ; then
-				eerror "No DHCP client installed"
-			else
-				eerror "No loaded modules provide \"${conf[0]}\" (${conf[0]}_start)"
-			fi
-		fi
-
-		if [[ -n ${fallback[config_counter]} ]] ; then
-			einfo "Trying fallback configuration"
-			config[config_counter]="${fallback[config_counter]}"
-			fallback[config_counter]=""
-
-			# Do we have a fallback route?
-			if [[ -n ${fallback_route[config_counter]} ]] ; then
-				x="fallback_route[config_counter]"
-				eval "routes_${ifvar}=( \"\${!x}\" )"
-				fallback_route[config_counter]=""
-			fi
-
-			(( config_counter-- )) # since the loop will increment it
-			continue
-		fi
-	done
-	eoutdent
-
-	# We return failure if no configuration parameters worked
-	${config_worked} || return 1
-
-	# Start any modules with _post_start
-	for mod in ${MODULES[@]}; do
-		if is_function "${mod}_post_start" ; then
-			${mod}_post_start "${iface}" || return 1
-		fi
-	done
-
-	return 0
-}
-
-# bool iface_stop(char *interface)
-#
-# iface_stop: bring down an interface.  Don't trust information in
-# /etc/conf.d/net since the configuration might have changed since
-# iface_start ran.  Instead query for current configuration and bring
-# down the interface.
-iface_stop() {
-	local iface="$1" i= aliases= need_begin=false mod=
-	local RC_INDENTATION="${RC_INDENTATION}"
-
-	# pre Stop any modules
-	for mod in ${MODULES[@]}; do
-		if is_function "${mod}_pre_stop" ; then
-			${mod}_pre_stop "${iface}" || return 1
-		fi
-	done
-
-	einfo "Bringing down ${iface}"
-	eindent
-
-	# Collect list of aliases for this interface.
-	# List will be in reverse order.
-	if interface_exists "${iface}" ; then
-		aliases=$(interface_get_aliases_rev "${iface}")
-	fi
-
-	# Stop aliases before primary interface.
-	# Note this must be done in reverse order, since ifconfig eth0:1 
-	# will remove eth0:2, etc.  It might be sufficient to simply remove 
-	# the base interface but we're being safe here.
-	for i in ${aliases} ${iface}; do
-		# Stop all our modules
-		for mod in ${MODULES[@]}; do
-			if is_function "${mod}_stop" ; then
-				${mod}_stop "${i}" || return 1
-			fi
-		done
-
-		# A module may have removed the interface
-		if ! interface_exists "${iface}" ; then
-			eend 0
-			continue
-		fi
-
-		# We don't delete ppp assigned addresses
-		if ! is_function pppd_exists || ! pppd_exists "${i}" ; then
-			# Delete all the addresses for this alias
-			interface_del_addresses "${i}"
-		fi
-
-		# Do final shut down of this alias
-		if [[ ${IN_BACKGROUND} != "true" \
-			&& ${RC_DOWN_INTERFACE} == "yes" ]] ; then
-			ebegin "Shutting down ${i}"
-			interface_iface_stop "${i}"
-			eend "$?"
-		fi
-	done
-
-	# post Stop any modules
-	for mod in ${MODULES[@]}; do
-		# We have already taken down the interface, so no need to error
-		is_function "${mod}_post_stop" && ${mod}_post_stop "${iface}"
-	done
-
-	return 0
-}
-
-# bool run_start(char *iface)
-#
-# Brings up ${IFACE}.  Calls preup, iface_start, then postup.
-# Returns 0 (success) unless preup or iface_start returns 1 (failure).
-# Ignores the return value from postup.
-# We cannot check that the device exists ourselves as modules like
-# tuntap make create it.
-run_start() {
-	local iface="$1" IFVAR=$(bash_variable "$1")
-
-	# We do this so users can specify additional addresses for lo if they
-	# need too - additional routes too
-	# However, no extra modules are loaded as they are just not needed
-	if [[ ${iface} == "lo" ]] ; then
-		metric_lo="0"
-		config_lo=( "127.0.0.1/8 brd 127.255.255.255" "${config_lo[@]}" )
-		routes_lo=( "127.0.0.0/8" "${routes_lo[@]}" )
-	elif [[ ${iface} == "lo0" ]] ; then
-		metric_lo0="0"
-		config_lo0=( "127.0.0.1/8 brd 127.255.255.255" "${config_lo[@]}" )
-		routes_lo0=( "127.0.0.0/8" "${routes_lo[@]}" )
-	fi
-
-	# We may not have a loaded module for ${iface}
-	# Some users may have "alias natsemi eth0" in /etc/modules.d/foo
-	# so we can work with this
-	# However, if they do the same with eth1 and try to start it
-	# but eth0 has not been loaded then the module gets loaded as
-	# eth0.
-	# Not much we can do about this :(
-	# Also, we cannot error here as some modules - such as bridge
-	# create interfaces
-	if ! interface_exists "${iface}" ; then
-		/sbin/modprobe "${iface}" &>/dev/null
-	fi
-
-	# Call user-defined preup function if it exists
-	if is_function preup ; then
-		einfo "Running preup function"
-		eindent
-		( preup "${iface}" )
-		eend "$?" "preup ${iface} failed" || return 1
-		eoutdent
-	fi
-
-	# If config is set to noop and the interface is up with an address
-	# then we don't start it
-	local config=
-	config="config_${IFVAR}[@]"
-	config=( "${!config}" )
-	if [[ ${config[0]} == "noop" ]] && interface_is_up "${iface}" true ; then
-		einfo "Keeping current configuration for ${iface}"
-		eend 0
-	else
-		# Remove noop from the config var
-		[[ ${config[0]} == "noop" ]] \
-			&& eval "config_${IFVAR}=( "\"\$\{config\[@\]:1\}\"" )"
-
-		# There may be existing ip address info - so we strip it
-		if [[ ${RC_INTERFACE_KEEP_CONFIG} != "yes" \
-			&& ${IN_BACKGROUND} != "true" ]] ; then
-			interface_del_addresses "${iface}"
-		fi
-
-		# Start the interface
-		if ! iface_start "${iface}" ; then
-			if [[ ${IN_BACKGROUND} != "true" ]] ; then
-				interface_exists "${iface}" && interface_down "${iface}"
-			fi
-			eend 1
-			return 1
-		fi
-	fi
-
-	# Call user-defined postup function if it exists
-	if is_function postup ; then
-		# We need to mark the service as started incase a
-		# postdown function wants to restart services that depend on us
-		mark_service_started "net.${iface}"
-		end_service "net.${iface}" 0
-		einfo "Running postup function"
-		eindent
-		( postup "${iface}" )
-		eoutdent
-	fi
-
-	return 0
-}
-
-# bool run_stop(char *iface) {
-#
-# Brings down ${iface}.  If predown call returns non-zero, then
-# stop returns non-zero to indicate failure bringing down device.
-# In all other cases stop returns 0 to indicate success.
-run_stop() {
-	local iface="$1" IFVAR=$(bash_variable "$1") x
-
-	# Load our ESSID variable so users can use it in predown() instead
-	# of having to write code.
-	local ESSID=$(get_options ESSID) ESSIDVAR=
-	[[ -n ${ESSID} ]] && ESSIDVAR=$(bash_variable "${ESSID}")
-
-	# Call user-defined predown function if it exists
-	if is_function predown ; then
-		einfo "Running predown function"
-		eindent
-		( predown "${iface}" )
-		eend $? "predown ${iface} failed" || return 1
-		eoutdent
-	elif is_net_fs / ; then
-		eerror "root filesystem is network mounted -- can't stop ${iface}"
-		return 1
-	elif is_union_fs / ; then
-		for x in $(unionctl "${dir}" --list \
-		| sed -e 's/^\(.*\) .*/\1/') ; do
-			if is_net_fs "${x}" ; then
-				eerror "Part of the root filesystem is network mounted - cannot stop ${iface}"
-				return 1
-			fi
-		done
-	fi
-
-	iface_stop "${iface}" || return 1  # always succeeds, btw
-
-	# Release resolv.conf information.
-	[[ -x /sbin/resolvconf ]] && resolvconf -d "${iface}"
-	
-	# Mark us as inactive if called from the background
-	[[ ${IN_BACKGROUND} == "true" ]] && mark_service_inactive "net.${iface}"
-
-	# Call user-defined postdown function if it exists
-	if is_function postdown ; then
-		# We need to mark the service as stopped incase a
-		# postdown function wants to restart services that depend on us
-		[[ ${IN_BACKGROUND} != "true" ]] && mark_service_stopped "net.${iface}"
-		end_service "net.${iface}" 0
-		einfo "Running postdown function"
-		eindent
-		( postdown "${iface}" )
-		eoutdent
-	fi
-
-
-	return 0
-}
-
-# bool run(char *iface, char *cmd)
-#
-# Main start/stop entry point
-# We load modules here and remove any functions that they
-# added as we may be called inside the same shell scope for another interface
-run() {
-	local iface="$1" cmd="$2" r=1 RC_INDENTATION="${RC_INDENTATION}"
-	local starting=true
-	local -a MODULES=() mods=()
-	local IN_BACKGROUND="${IN_BACKGROUND}"
-
-	if [[ ${IN_BACKGROUND} == "true" || ${IN_BACKGROUND} == "1" ]] ; then
-		IN_BACKGROUND=true
-	else
-		IN_BACKGROUND=false
-	fi
-
-	# We need to override the exit function as runscript.sh now checks
-	# for it. We need it so we can mark the service as inactive ourselves.
-	unset -f exit
-
-	eindent
-	[[ ${cmd} == "stop" ]] && starting=false
-
-	# We force lo to only use these modules for a major speed boost
-	if is_loopback "${iface}" ; then	
-		modules_force=( "iproute2" "ifconfig" "system" )
-	fi
-
-	if modules_load "${iface}" "${starting}" ; then
-		if [[ ${cmd} == "stop" ]] ; then
-			# Reverse the module list for stopping
-			mods=( "${MODULES[@]}" )
-			for ((i = 0; i < ${#mods[@]}; i++)); do
-				MODULES[i]=${mods[((${#mods[@]} - i - 1))]}
-			done
-
-			run_stop "${iface}" && r=0
-		else
-			# Only hotplug on ethernet interfaces
-			if [[ ${IN_HOTPLUG} == 1 ]] ; then
-				if ! interface_is_ethernet "${iface}" ; then
-					eerror "We only hotplug for ethernet interfaces"
-					return 1
-				fi
-			fi
-
-			run_start "${iface}" && r=0
-		fi
-	fi
-
-	if [[ ${r} != "0" ]] ; then
-		if [[ ${cmd} == "start" ]] ; then
-			# Call user-defined failup if it exists
-			if is_function failup ; then
-				einfo "Running failup function"
-				eindent
-				( failup "${iface}" )
-				eoutdent
-			fi
-		else
-			# Call user-defined faildown if it exists
-			if is_function faildown ; then
-				einfo "Running faildown function"
-				eindent
-				( faildown "${iface}" )
-				eoutdent
-			fi
-		fi
-		[[ ${IN_BACKGROUND} == "true" ]] \
-			&& mark_service_inactive "net.${iface}"
-	fi
-
-	return "${r}"
-}
-
-# bool start(void)
-#
-# Start entry point so that we only have one function
-# which localises variables and unsets functions
-start() {
-	declare -r IFACE="${SVCNAME#*.}"
-	einfo "Starting ${IFACE}"
-	run "${IFACE}" start
-}
-
-# bool stop(void)
-#
-# Stop entry point so that we only have one function
-# which localises variables and unsets functions
-stop() {
-	declare -r IFACE="${SVCNAME#*.}"
-	einfo "Stopping ${IFACE}"
-	run "${IFACE}" stop
-}
-
-# vim:ts=4
diff --git a/testing/hosts/alice/etc/init.d/radiusd b/testing/hosts/alice/etc/init.d/radiusd
deleted file mode 100755
index 8334385f9..000000000
--- a/testing/hosts/alice/etc/init.d/radiusd
+++ /dev/null
@@ -1,64 +0,0 @@
-#!/sbin/runscript
-
-opts="${opts} reload"
-
-depend() {
-	need net
-	use dns
-}
-
-checkconfig() {
-	# set the location of log files
-	if ! cd /var/log/radius ; then
-		eerror "Failed to change current directory to /var/log/radius"
-		return 1
-	fi
-
-	if [ ! -d /var/run/radiusd ] && ! mkdir /var/run/radiusd ; then
-		eerror "Failed to create /var/run/radiusd"
-		return 1
-	fi
-	
-	if [ ! -f /etc/raddb/radiusd.conf ] ; then
-		eerror "No /etc/raddb/radiusd.conf file exists!"
-		return 1
-	fi
-
-	RADIUSD_OPTS="-xx"
-	RADIUSD_USER=`grep '^ *user *=' /etc/raddb/radiusd.conf | cut -d ' ' -f 3`
-	RADIUSD_GROUP=`grep '^ *group *=' /etc/raddb/radiusd.conf | cut -d ' ' -f 3`
-	if [ -n "${RADIUSD_USER}" ] && ! getent passwd ${RADIUSD_USER} > /dev/null ; then
-		eerror "${RADIUSD_USER} user missing!"
-		return 1
-	fi
-	if [ -n "${RADIUSD_GROUP}" ] && ! getent group ${RADIUSD_GROUP} > /dev/null ; then
-		eerror "${RADIUSD_GROUP} group missing!"
-		return 1
-	fi
-
-	# radius.log is created before privileges are dropped - need to set proper permissions on it
-	[ -f radius.log ] || touch radius.log || return 1
-
-	chown -R "${RADIUSD_USER:-root}:${RADIUSD_GROUP:-root}" . /var/run/radiusd && \
-		chmod -R u+rwX,g+rX . /var/run/radiusd || return 1
-}
-
-start() {
-	checkconfig || return 1
-
-	ebegin "Starting radiusd"
-	start-stop-daemon --start --quiet --exec /usr/sbin/radiusd -- ${RADIUSD_OPTS} >/dev/null
-	eend $?
-}
-
-stop () {
-	ebegin "Stopping radiusd"
-	start-stop-daemon --stop --quiet --pidfile=/var/run/radiusd/radiusd.pid
-	eend $?
-}
-
-reload () {
-	ebegin "Reloading radiusd"
-	kill -HUP `</var/run/radiusd/radiusd.pid`
-	eend $?
-}
diff --git a/testing/hosts/alice/etc/ipsec.conf b/testing/hosts/alice/etc/ipsec.conf
old mode 100755
new mode 100644
index 0671537e9..6d8aa629d
--- a/testing/hosts/alice/etc/ipsec.conf
+++ b/testing/hosts/alice/etc/ipsec.conf
@@ -13,7 +13,7 @@ conn nat-t
 	leftcert=aliceCert.pem
 	leftid=alice@strongswan.org
 	leftfirewall=yes
-	right=PH_IP_SUN
+	right=192.168.0.2
 	rightid=@sun.strongswan.org
 	rightsubnet=10.2.0.0/16
 	auto=add
diff --git a/testing/hosts/alice/etc/network/interfaces b/testing/hosts/alice/etc/network/interfaces
new file mode 100644
index 000000000..6fcbaa597
--- /dev/null
+++ b/testing/hosts/alice/etc/network/interfaces
@@ -0,0 +1,20 @@
+auto lo
+iface lo inet loopback
+
+auto eth0
+iface eth0 inet static
+	address 10.1.0.10
+	netmask 255.255.0.0
+	broadcast 10.1.255.255
+	gateway 10.1.0.1
+iface eth0 inet6 static
+	address fec1::10
+	netmask 16
+
+iface eth1 inet static
+	address 192.168.0.50
+	netmask 255.255.255.0
+	broadcast 192.168.0.255
+iface eth1 inet6 static
+	address fec0::5
+	netmask 16
diff --git a/testing/hosts/alice/etc/runlevels/default/net.eth0 b/testing/hosts/alice/etc/runlevels/default/net.eth0
deleted file mode 100755
index 92b3851cf..000000000
--- a/testing/hosts/alice/etc/runlevels/default/net.eth0
+++ /dev/null
@@ -1,1124 +0,0 @@
-#!/sbin/runscript
-# Copyright (c) 2004-2006 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-# Contributed by Roy Marples (uberlord@gentoo.org)
-# Many thanks to Aron Griffis (agriffis@gentoo.org)
-# for help, ideas and patches
-
-#NB: Config is in /etc/conf.d/net
-
-# For pcmcia users. note that pcmcia must be added to the same
-# runlevel as the net.* script that needs it.
-depend() {
-	need localmount
-	after bootmisc hostname
-	use isapnp isdn pcmcia usb wlan
-
-	# Load any custom depend functions for the given interface
-	# For example, br0 may need eth0 and eth1
-	local iface="${SVCNAME#*.}"
-	[[ $(type -t "depend_${iface}") == "function" ]] && depend_${iface}
-
-	if [[ ${iface} != "lo" && ${iface} != "lo0" ]] ; then
-		after net.lo net.lo0
-
-		# Support new style RC_NEED and RC_USE in one net file
-		local x="RC_NEED_${iface}"
-		[[ -n ${!x} ]] && need ${!x}
-		x="RC_USE_${iface}"
-		[[ -n ${!x} ]] && use ${!x}
-	fi
-
-	return 0
-}
-
-# Define where our modules are
-MODULES_DIR="${svclib}/net"
-
-# Make some wrappers to fudge after/before/need/use depend flags.
-# These are callbacks so MODULE will be set.
-after() {
-	eval "${MODULE}_after() { echo \"$*\"; }"
-}
-before() {
-	eval "${MODULE}_before() { echo \"$*\"; }"
-}
-need() {
-	eval "${MODULE}_need() { echo \"$*\"; }"
-}
-installed() {
-	# We deliberately misspell this as _installed will probably be used
-	# at some point
-	eval "${MODULE}_instlled() { echo \"$*\"; }"
-}
-provide() {
-	eval "${MODULE}_provide() { echo \"$*\"; }"
-}
-functions() {
-	eval "${MODULE}_functions() { echo \"$*\"; }"
-}
-variables() {
-	eval "${MODULE}_variables() { echo \"$*\"; }"
-}
-
-is_loopback() {
-	[[ $1 == "lo" || $1 == "lo0" ]]
-}
-
-# char* interface_device(char *iface)
-#
-# Gets the base device of the interface
-# Can handle eth0:1 and eth0.1
-# Which returns eth0 in this case
-interface_device() {
-	local dev="${1%%.*}"
-	[[ ${dev} == "$1" ]] && dev="${1%%:*}"
-	echo "${dev}"
-}
-
-# char* interface_type(char* iface)
-#
-# Returns the base type of the interface
-# eth, ippp, etc
-interface_type() {
-	echo "${1%%[0-9]*}"
-}
-
-# int calculate_metric(char *interface, int base)
-#
-# Calculates the best metric for the interface
-# We use this when we add routes so we can prefer interfaces over each other
-calculate_metric() {
-	local iface="$1" metric="$2"
-
-	# Have we already got a metric?
-	local m=$(awk '$1=="'${iface}'" && $2=="00000000" { print $7 }' \
-		/proc/net/route)
-	if [[ -n ${m} ]] ; then
-		echo "${m}"
-		return 0
-	fi
-
-	local i= dest= gw= flags= ref= u= m= mtu= metrics=
-	while read i dest gw flags ref u m mtu ; do
-		# Ignore lo
-		is_loopback "${i}" && continue
-		# We work out metrics from default routes only
-		[[ ${dest} != "00000000" || ${gw} == "00000000" ]] && continue
-		metrics="${metrics}\n${m}"
-	done < /proc/net/route
-
-	# Now, sort our metrics
-	metrics=$(echo -e "${metrics}" | sort -n)
-
-	# Now, find the lowest we can use
-	local gotbase=false
-	for m in ${metrics} ; do
-		[[ ${m} -lt ${metric} ]] && continue
-		[[ ${m} == ${metric} ]] && ((metric++))
-		[[ ${m} -gt ${metric} ]] && break
-	done
-	
-	echo "${metric}"
-}
-
-# int netmask2cidr(char *netmask)
-#
-# Returns the CIDR of a given netmask
-netmask2cidr() {
-	local binary= i= bin=
-
-	for i in ${1//./ }; do
-		bin=""
-		while [[ ${i} != "0" ]] ; do
-			bin=$[${i}%2]${bin}
-			(( i=i>>1 ))
-		done
-		binary="${binary}${bin}"
-	done
-	binary="${binary%%0*}"
-	echo "${#binary}"
-}
-
-
-# bool is_function(char* name)
-#
-# Returns 0 if the given name is a shell function, otherwise 1
-is_function() {
-	[[ -z $1 ]] && return 1
-	[[ $(type -t "$1") == "function" ]]
-}
-
-# void function_wrap(char* source, char* target)
-#
-# wraps function calls - for example function_wrap(this, that)
-# maps function names this_* to that_*
-function_wrap() {
-	local i=
-
-	is_function "${2}_depend" && return
-
-	for i in $(typeset -f | grep -o '^'"${1}"'_[^ ]*'); do
-		eval "${2}${i#${1}}() { ${i} \"\$@\"; }"
-	done
-}
-
-# char[] * expand_parameters(char *cmd)
-#
-# Returns an array after expanding parameters. For example
-# "192.168.{1..3}.{1..3}/24 brd +"
-# will return
-# "192.168.1.1/24 brd +"
-# "192.168.1.2/24 brd +"
-# "192.168.1.3/24 brd +"
-# "192.168.2.1/24 brd +"
-# "192.168.2.2/24 brd +"
-# "192.168.2.3/24 brd +"
-# "192.168.3.1/24 brd +"
-# "192.168.3.2/24 brd +"
-# "192.168.3.3/24 brd +"
-expand_parameters() {
-	local x=$(eval echo ${@// /_})
-	local -a a=( ${x} )
-
-	a=( "${a[@]/#/\"}" )
-	a=( "${a[@]/%/\"}" )
-	echo "${a[*]//_/ }"
-}
-
-# void configure_variables(char *interface, char *option1, [char *option2])
-#
-# Maps configuration options from <variable>_<option> to <variable>_<iface>
-# option2 takes precedence over option1
-configure_variables() {
-	local iface="$1" option1="$2" option2="$3"
-
-	local mod= func= x= i=
-	local -a ivars=() ovars1=() ovars2=()
-	local ifvar=$(bash_variable "${iface}")
-
-	for mod in ${MODULES[@]}; do
-		is_function ${mod}_variables || continue
-		for v in $(${mod}_variables) ; do
-			x=
-			[[ -n ${option2} ]] && x="${v}_${option2}[@]"
-			[[ -z ${!x} ]] && x="${v}_${option1}[@]"
-			[[ -n ${!x} ]] && eval "${v}_${ifvar}=( \"\${!x}\" )"
-		done
-	done
-
-	return 0
-}
-# bool module_load_minimum(char *module)
-#
-# Does the minimum checking on a module - even when forcing
-module_load_minimum() {
-	local f="$1.sh" MODULE="${1##*/}"
-
-	if [[ ! -f ${f} ]] ; then
-		eerror "${f} does not exist"
-		return 1
-	fi
-
-	if ! source "${f}" ; then
-		eerror "${MODULE} failed a sanity check"
-		return 1
-	fi
-
-	for f in depend; do
-		is_function "${MODULE}_${f}" && continue
-		eerror "${MODULE}.sh does not support the required function ${f}"
-		return 1
-	done
-
-	return 0
-}
-
-# bool modules_load_auto()
-#
-# Load and check each module for sanity
-# If the module is not installed, the functions are to be removed
-modules_load_auto() {
-	local i j inst
-
-	# Populate the MODULES array
-	# Basically we treat evey file in ${MODULES_DIR} as a module
-	MODULES=( $( cd "${MODULES_DIR}" ; ls *.sh ) )
-	j="${#MODULES[@]}"
-	for (( i=0; i<j; i++ )); do
-		MODULES[i]="${MODULES_DIR}/${MODULES[i]}"
-		[[ ! -f ${MODULES[i]} ]] && unset MODULES[i]
-	done
-	MODULES=( "${MODULES[@]}" )
-
-	# Each of these sources into the global namespace, so it's
-	# important that module functions and variables are prefixed with
-	# the module name, for example iproute2_
-
-	j="${#MODULES[@]}"
-	loaded_interface=false
-	for (( i=0; i<j; i++ )); do
-		MODULES[i]="${MODULES[i]%.sh*}"
-		if [[ ${MODULES[i]##*/} == "interface" ]] ; then
-			eerror "interface is a reserved name - cannot load a module called interface"
-			return 1
-		fi
-		
-		(
-		u=0;
-		module_load_minimum "${MODULES[i]}" || u=1;
-		if [[ ${u} == 0 ]] ; then
-			inst="${MODULES[i]##*/}_check_installed";
-			if is_function "${inst}" ; then
-				${inst} false || u=1;
-			fi
-		fi
-		exit "${u}";
-		)
-
-		if [[ $? == 0 ]] ; then
-			source "${MODULES[i]}.sh"
-			MODULES[i]="${MODULES[i]##*/}"
-		else
-			unset MODULES[i]
-		fi
-	done
-
-	MODULES=( "${MODULES[@]}" )
-	return 0
-}
-
-# bool modules_check_installed(void)
-#
-# Ensure that all modules have the required modules loaded
-# This enables us to remove modules from the MODULES array
-# Whilst other modules can still explicitly call them
-# One example of this is essidnet which configures network
-# settings for the specific ESSID connected to as the user
-# may be using a daemon to configure wireless instead of our
-# iwconfig module
-modules_check_installed() {
-	local i j missingdeps nmods="${#MODULES[@]}"
-
-	for (( i=0; i<nmods; i++ )); do
-		is_function "${MODULES[i]}_instlled" || continue
-		for j in $( ${MODULES[i]}_instlled ); do
-			missingdeps=true
-			if is_function "${j}_check_installed" ; then
-				${j}_check_installed && missingdeps=false
-			elif is_function "${j}_depend" ; then
-				missingdeps=false
-			fi
-			${missingdeps} && unset MODULES[i] && unset PROVIDES[i] && break
-		done
-	done
-
-	MODULES=( "${MODULES[@]}" )
-	PROVIDES=( "${PROVIDES[@]}" )
-}
-
-# bool modules_check_user(void)
-modules_check_user() {
-	local iface="$1" ifvar=$(bash_variable "${IFACE}")
-	local i= j= k= l= nmods="${#MODULES[@]}"
-	local -a umods=()
-
-	# Has the interface got any specific modules?
-	umods="modules_${ifvar}[@]"
-	umods=( "${!umods}" )
-
-	# Global setting follows interface-specific setting
-	umods=( "${umods[@]}" "${modules[@]}" )
-
-	# Add our preferred modules
-	local -a pmods=( "iproute2" "dhcpcd" "iwconfig" "netplugd" )
-	umods=( "${umods[@]}" "${pmods[@]}" )
-
-	# First we strip any modules that conflict from user settings
-	# So if the user specifies pump then we don't use dhcpcd
-	for (( i=0; i<${#umods[@]}; i++ )); do
-		# Some users will inevitably put "dhcp" in their modules
-		# list.  To keep users from screwing up their system this
-		# way, ignore this setting so that the default dhcp
-		# module will be used.
-		[[ ${umods[i]} == "dhcp" ]] && continue
-
-		# We remove any modules we explicitly don't want
-		if [[ ${umods[i]} == "!"* ]] ; then
-			for (( j=0; j<nmods; j++ )); do
-				[[ -z ${MODULES[j]} ]] && continue
-				if [[ ${umods[i]:1} == "${MODULES[j]}" \
-					|| ${umods[i]:1} == "${PROVIDES[j]}" ]] ; then
-					# We may need to setup a class wrapper for it even though
-					# we don't use it directly
-					# However, we put it into an array and wrap later as
-					# another module may provide the same thing
-					${MODULES[j]}_check_installed \
-						&& WRAP_MODULES=(
-							"${WRAP_MODULES[@]}"
-							"${MODULES[j]} ${PROVIDES[j]}"
-						)
-					unset MODULES[j]
-					unset PROVIDES[j]
-				fi
-			done
-			continue
-		fi
-
-		if ! is_function "${umods[i]}_depend" ; then
-			# If the module is one of our preferred modules, then
-			# ignore this error; whatever is available will be
-			# used instead.
-			(( i < ${#umods[@]} - ${#pmods[@]} )) || continue
-
-			# The function may not exist because the modules software is
-			# not installed. Load the module and report its error
-			if [[ -e "${MODULES_DIR}/${umods[i]}.sh" ]] ; then
-				source "${MODULES_DIR}/${umods[i]}.sh"
-				is_function "${umods[i]}_check_installed" \
-					&& ${umods[i]}_check_installed true
-			else
-				eerror "The module \"${umods[i]}\" does not exist"
-			fi
-			return 1
-		fi
-
-		if is_function "${umods[i]}_provide" ; then
-			mod=$(${umods[i]}_provide)
-		else
-			mod="${umods[i]}"
-		fi
-		for (( j=0; j<nmods; j++ )); do
-			[[ -z ${MODULES[j]} ]] && continue
-			if [[ ${PROVIDES[j]} == "${mod}" && ${umods[i]} != "${MODULES[j]}" ]] ; then
-				# We don't have a match - now ensure that we still provide an
-				# alternative. This is to handle our preferred modules.
-				for (( l=0; l<nmods; l++ )); do
-					[[ ${l} == "${j}" || -z ${MODULES[l]} ]] && continue
-					if [[ ${PROVIDES[l]} == "${mod}" ]] ; then
-						unset MODULES[j]
-						unset PROVIDES[j]
-						break
-					fi
-				done
-			fi
-		done
-	done
-
-	# Then we strip conflicting modules.
-	# We only need to do this for 3rd party modules that conflict with
-	# our own modules and the preferred list AND the user modules
-	# list doesn't specify a preference.
-	for (( i=0; i<nmods-1; i++ )); do
-		[[ -z ${MODULES[i]} ]] && continue			
-		for (( j=i+1; j<nmods; j++)); do
-			[[ -z ${MODULES[j]} ]] && continue
-			[[ ${PROVIDES[i]} == "${PROVIDES[j]}" ]] \
-			&& unset MODULES[j] && unset PROVIDES[j]
-		done
-	done
-
-	MODULES=( "${MODULES[@]}" )
-	PROVIDES=( "${PROVIDES[@]}" )
-	return 0
-}
-
-# void modules_sort(void)
-#
-# Sort our modules
-modules_sort() {
-	local i= j= nmods=${#MODULES[@]} m=
-	local -a provide=() provide_list=() after=() dead=() sorted=() sortedp=()
-
-	# Make our provide list
-	for ((i=0; i<nmods; i++)); do
-		dead[i]="false"
-		if [[ ${MODULES[i]} != "${PROVIDES[i]}" ]] ; then
-			local provided=false
-			for ((j=0; j<${#provide[@]}; j++)); do
-				if [[ ${provide[j]} == "${PROVIDES[i]}" ]] ; then
-					provide_list[j]="${provide_list[j]} ${MODULES[i]}"
-					provided=true
-				fi
-			done
-			if ! ${provided}; then
-				provide[j]="${PROVIDES[i]}"
-				provide_list[j]="${MODULES[i]}"
-			fi
-		fi
-	done
-
-	# Create an after array, which holds which modules the module at
-	# index i must be after
-	for ((i=0; i<nmods; i++)); do
-		if is_function "${MODULES[i]}_after" ; then
-			after[i]=" ${after[i]} $(${MODULES[i]}_after) "
-		fi
-		if is_function "${MODULES[i]}_before" ; then
-			for m in $(${MODULES[i]}_before); do
-				for ((j=0; j<nmods; j++)) ; do
-					if [[ ${PROVIDES[j]} == "${m}" ]] ; then
-						after[j]=" ${after[j]} ${MODULES[i]} "
-						break
-					fi
-				done
-			done
-		fi
-	done
-
-	# Replace the after list modules with real modules
-	for ((i=0; i<nmods; i++)); do
-		if [[ -n ${after[i]} ]] ; then
-			for ((j=0; j<${#provide[@]}; j++)); do
-				after[i]="${after[i]// ${provide[j]} / ${provide_list[j]} }"
-			done
-		fi
-	done
-	
-	# We then use the below code to provide a topologial sort
-    module_after_visit() {
-        local name="$1" i= x=
-
-		for ((i=0; i<nmods; i++)); do
-			[[ ${MODULES[i]} == "$1" ]] && break
-		done
-
-        ${dead[i]} && return
-        dead[i]="true"
-
-        for x in ${after[i]} ; do
-            module_after_visit "${x}"
-        done
-
-        sorted=( "${sorted[@]}" "${MODULES[i]}" )
-		sortedp=( "${sortedp[@]}" "${PROVIDES[i]}" )
-    }
-
-	for x in ${MODULES[@]}; do
-		module_after_visit "${x}"
-	done
-
-	MODULES=( "${sorted[@]}" )
-	PROVIDES=( "${sortedp[@]}" )
-}
-
-# bool modules_check_depends(bool showprovides)
-modules_check_depends() {
-	local showprovides="${1:-false}" nmods="${#MODULES[@]}" i= j= needmod=
-	local missingdeps= p= interface=false
-
-	for (( i=0; i<nmods; i++ )); do
-		if is_function "${MODULES[i]}_need" ; then
-			for needmod in $(${MODULES[i]}_need); do
-				missingdeps=true
-				for (( j=0; j<nmods; j++ )); do
-					if [[ ${needmod} == "${MODULES[j]}" \
-						|| ${needmod} == "${PROVIDES[j]}" ]] ; then
-						missingdeps=false
-						break
-					fi
-				done
-				if ${missingdeps} ; then
-					eerror "${MODULES[i]} needs ${needmod} (dependency failure)"
-					return 1
-				fi
-			done
-		fi
-
-		if is_function "${MODULES[i]}_functions" ; then
-			for f in $(${MODULES[i]}_functions); do
-				if ! is_function "${f}" ; then
-					eerror "${MODULES[i]}: missing required function \"${f}\""
-					return 1
-				fi
-			done
-		fi
-
-		[[ ${PROVIDES[i]} == "interface" ]] && interface=true
-
-		if ${showprovides} ; then
-			[[ ${PROVIDES[i]} != "${MODULES[i]}" ]] \
-			&& veinfo "${MODULES[i]} provides ${PROVIDES[i]}"
-		fi
-	done
-
-	if ! ${interface} ; then
-		eerror "no interface module has been loaded"
-		return 1
-	fi
-
-	return 0
-}
-
-# bool modules_load(char *iface, bool starting)
-#
-# Loads the defined handler and modules for the interface
-# Returns 0 on success, otherwise 1
-modules_load()  {
-	local iface="$1" starting="${2:-true}" MODULE= p=false i= j= k=
-	local -a x=()
-	local RC_INDENTATION="${RC_INDENTATION}"
-	local -a PROVIDES=() WRAP_MODULES=()
-
-	if ! is_loopback "${iface}" ; then
-		x="modules_force_${iface}[@]"
-		[[ -n ${!x} ]] && modules_force=( "${!x}" )
-		if [[ -n ${modules_force} ]] ; then
-			ewarn "WARNING: You are forcing modules!"
-			ewarn "Do not complain or file bugs if things start breaking"
-			report=true
-		fi
-	fi
-
-	veinfo "Loading networking modules for ${iface}"
-	eindent
-
-	if [[ -z ${modules_force} ]] ; then
-		modules_load_auto || return 1
-	else
-		j="${#modules_force[@]}"
-		for (( i=0; i<j; i++ )); do
-			module_load_minimum "${MODULES_DIR}/${modules_force[i]}" || return 1
-			if is_function "${modules_force[i]}_check_installed" ; then
-				${modules_force[i]}_check_installed || unset modules_force[i]
-			fi
-		done
-		MODULES=( "${modules_force[@]}" )
-	fi
-
-	j="${#MODULES[@]}"
-	for (( i=0; i<j; i++ )); do
-		# Now load our dependencies - we need to use the MODULE variable
-		# here as the after/before/need functions use it
-		MODULE="${MODULES[i]}"
-		${MODULE}_depend
-
-		# expose does exactly the same thing as depend
-		# However it is more "correct" as it exposes things to other modules
-		# instead of depending on them ;)
-		is_function "${MODULES[i]}_expose" && ${MODULES[i]}_expose
-
-		# If no provide is given, assume module name
-		if is_function "${MODULES[i]}_provide" ; then
-			PROVIDES[i]=$(${MODULES[i]}_provide)
-		else
-			PROVIDES[i]="${MODULES[i]}"
-		fi
-	done
-
-	if [[ -n ${modules_force[@]} ]] ; then
-		# Strip any duplicate modules providing the same thing
-		j="${#MODULES[@]}"
-		for (( i=0; i<j-1; i++ )); do
-			[[ -z ${MODULES[i]} ]] && continue
-			for (( k=i+1; k<j; k++ )); do
-				if [[ ${PROVIDES[i]} == ${PROVIDES[k]} ]] ; then
-					unset MODULES[k]
-					unset PROVIDES[k]
-				fi
-			done
-		done
-		MODULES=( "${MODULES[@]}" )
-		PROVIDES=( "${PROVIDES[@]}" )
-	else
-		if ${starting}; then
-			modules_check_user "${iface}" || return 1
-		else
-			# Always prefer iproute2 for taking down interfaces
-			if is_function iproute2_provide ; then
-				function_wrap iproute2 "$(iproute2_provide)"
-			fi
-		fi
-	fi
-	
-	# Wrap our modules
-	j="${#MODULES[@]}"
-	for (( i=0; i<j; i++ )); do
-		function_wrap "${MODULES[i]}" "${PROVIDES[i]}"
-	done
-	j="${#WRAP_MODULES[@]}"
-	for (( i=0; i<j; i++ )); do
-		function_wrap ${WRAP_MODULES[i]}
-	done
-	
-	if [[ -z ${modules_force[@]} ]] ; then
-		modules_check_installed || return 1
-		modules_sort || return 1
-	fi
-
-	veinfo "modules: ${MODULES[@]}"
-	eindent
-
-	${starting} && p=true
-	modules_check_depends "${p}" || return 1
-	return 0
-}
-
-# bool iface_start(char *interface)
-#
-# iface_start is called from start.  It's expected to start the base
-# interface (for example "eth0"), aliases (for example "eth0:1") and to start
-# VLAN interfaces (for example eth0.0, eth0.1).  VLAN setup is accomplished by
-# calling itself recursively.
-iface_start() {
-	local iface="$1" mod config_counter="-1" x config_worked=false
-	local RC_INDENTATION="${RC_INDENTATION}"
-	local -a config=() fallback=() fallback_route=() conf=() a=() b=()
-	local ifvar=$(bash_variable "$1") i= j= metric=0
-
-	# pre Start any modules with
-	for mod in ${MODULES[@]}; do
-		if is_function "${mod}_pre_start" ; then
-			${mod}_pre_start "${iface}" || { eend 1; return 1; }
-		fi
-	done
-
-	x="metric_${ifvar}"
-	# If we don't have a metric then calculate one
-	# Our modules will set the metric variable to a suitable base
-	# in their pre starts.
-	if [[ -z ${!x} ]] ; then
-		eval "metric_${ifvar}=\"$(calculate_metric "${iface}" "${metric}")\""
-	fi
-
-	# We now expand the configuration parameters and pray that the
-	# fallbacks expand to the same number as config or there will be
-	# trouble!
-	a="config_${ifvar}[@]"
-	a=( "${!a}" )
-	for (( i=0; i<${#a[@]}; i++ )); do 
-		eval b=( $(expand_parameters "${a[i]}") )
-		config=( "${config[@]}" "${b[@]}" )
-	done
-
-	a="fallback_${ifvar}[@]"
-	a=( "${!a}" )
-	for (( i=0; i<${#a[@]}; i++ )); do 
-		eval b=( $(expand_parameters "${a[i]}") )
-		fallback=( "${fallback[@]}" "${b[@]}" )
-	done
-
-	# We don't expand routes
-	fallback_route="fallback_route_${ifvar}[@]"
-	fallback_route=( "${!fallback_route}" )
-	
-	# We must support old configs
-	if [[ -z ${config} ]] ; then
-		interface_get_old_config "${iface}" || return 1
-		if [[ -n ${config} ]] ; then
-			ewarn "You are using a deprecated configuration syntax for ${iface}"
-			ewarn "You are advised to read /etc/conf.d/net.example and upgrade it accordingly"
-		fi
-	fi
-
-	# Handle "noop" correctly
-	if [[ ${config[0]} == "noop" ]] ; then
-		if interface_is_up "${iface}" true ; then
-			einfo "Keeping current configuration for ${iface}"
-			eend 0
-			return 0
-		fi
-
-		# Remove noop from the config var
-		config=( "${config[@]:1}" )
-	fi
-
-	# Provide a default of DHCP if no configuration is set and we're auto
-	# Otherwise a default of NULL
-	if [[ -z ${config} ]] ; then
-		ewarn "Configuration not set for ${iface} - assuming DHCP"
-		if is_function "dhcp_start" ; then
-			config=( "dhcp" )
-		else
-			eerror "No DHCP client installed"
-			return 1
-		fi
-	fi
-
-	einfo "Bringing up ${iface}"
-	eindent
-	for (( config_counter=0; config_counter<${#config[@]}; config_counter++ )); do
-		# Handle null and noop correctly
-		if [[ ${config[config_counter]} == "null" \
-			|| ${config[config_counter]} == "noop" ]] ; then
-			eend 0
-			config_worked=true
-			continue
-		fi
-
-		# We convert it to an array - this has the added
-		# bonus of trimming spaces!
-		conf=( ${config[config_counter]} )
-		einfo "${conf[0]}"
-
-		# Do we have a function for our config?
-		if is_function "${conf[0]}_start" ; then
-			eindent
-			${conf[0]}_start "${iface}" ; x=$?
-			eoutdent
-			[[ ${x} == 0 ]] && config_worked=true && continue
-			# We need to test to see if it's an IP address or a function
-			# We do this by testing if the 1st character is a digit
-		elif [[ ${conf[0]:0:1} == [[:digit:]] || ${conf[0]} == *:* ]] ; then
-			x="0"
-			if ! is_loopback "${iface}" ; then
-				if [[ " ${MODULES[@]} " == *" arping "* ]] ; then
-					if arping_address_exists "${iface}" "${conf[0]}" ; then
-						eerror "${conf[0]%%/*} already taken on ${iface}"
-						x="1"
-					fi
-				fi
-			fi
-			[[ ${x} == "0" ]] && interface_add_address "${iface}" ${conf[@]}; x="$?"
-			eend "${x}" && config_worked=true && continue
-		else
-			if [[ ${conf[0]} == "dhcp" ]] ; then
-				eerror "No DHCP client installed"
-			else
-				eerror "No loaded modules provide \"${conf[0]}\" (${conf[0]}_start)"
-			fi
-		fi
-
-		if [[ -n ${fallback[config_counter]} ]] ; then
-			einfo "Trying fallback configuration"
-			config[config_counter]="${fallback[config_counter]}"
-			fallback[config_counter]=""
-
-			# Do we have a fallback route?
-			if [[ -n ${fallback_route[config_counter]} ]] ; then
-				x="fallback_route[config_counter]"
-				eval "routes_${ifvar}=( \"\${!x}\" )"
-				fallback_route[config_counter]=""
-			fi
-
-			(( config_counter-- )) # since the loop will increment it
-			continue
-		fi
-	done
-	eoutdent
-
-	# We return failure if no configuration parameters worked
-	${config_worked} || return 1
-
-	# Start any modules with _post_start
-	for mod in ${MODULES[@]}; do
-		if is_function "${mod}_post_start" ; then
-			${mod}_post_start "${iface}" || return 1
-		fi
-	done
-
-	return 0
-}
-
-# bool iface_stop(char *interface)
-#
-# iface_stop: bring down an interface.  Don't trust information in
-# /etc/conf.d/net since the configuration might have changed since
-# iface_start ran.  Instead query for current configuration and bring
-# down the interface.
-iface_stop() {
-	local iface="$1" i= aliases= need_begin=false mod=
-	local RC_INDENTATION="${RC_INDENTATION}"
-
-	# pre Stop any modules
-	for mod in ${MODULES[@]}; do
-		if is_function "${mod}_pre_stop" ; then
-			${mod}_pre_stop "${iface}" || return 1
-		fi
-	done
-
-	einfo "Bringing down ${iface}"
-	eindent
-
-	# Collect list of aliases for this interface.
-	# List will be in reverse order.
-	if interface_exists "${iface}" ; then
-		aliases=$(interface_get_aliases_rev "${iface}")
-	fi
-
-	# Stop aliases before primary interface.
-	# Note this must be done in reverse order, since ifconfig eth0:1 
-	# will remove eth0:2, etc.  It might be sufficient to simply remove 
-	# the base interface but we're being safe here.
-	for i in ${aliases} ${iface}; do
-		# Stop all our modules
-		for mod in ${MODULES[@]}; do
-			if is_function "${mod}_stop" ; then
-				${mod}_stop "${i}" || return 1
-			fi
-		done
-
-		# A module may have removed the interface
-		if ! interface_exists "${iface}" ; then
-			eend 0
-			continue
-		fi
-
-		# We don't delete ppp assigned addresses
-		if ! is_function pppd_exists || ! pppd_exists "${i}" ; then
-			# Delete all the addresses for this alias
-			interface_del_addresses "${i}"
-		fi
-
-		# Do final shut down of this alias
-		if [[ ${IN_BACKGROUND} != "true" \
-			&& ${RC_DOWN_INTERFACE} == "yes" ]] ; then
-			ebegin "Shutting down ${i}"
-			interface_iface_stop "${i}"
-			eend "$?"
-		fi
-	done
-
-	# post Stop any modules
-	for mod in ${MODULES[@]}; do
-		# We have already taken down the interface, so no need to error
-		is_function "${mod}_post_stop" && ${mod}_post_stop "${iface}"
-	done
-
-	return 0
-}
-
-# bool run_start(char *iface)
-#
-# Brings up ${IFACE}.  Calls preup, iface_start, then postup.
-# Returns 0 (success) unless preup or iface_start returns 1 (failure).
-# Ignores the return value from postup.
-# We cannot check that the device exists ourselves as modules like
-# tuntap make create it.
-run_start() {
-	local iface="$1" IFVAR=$(bash_variable "$1")
-
-	# We do this so users can specify additional addresses for lo if they
-	# need too - additional routes too
-	# However, no extra modules are loaded as they are just not needed
-	if [[ ${iface} == "lo" ]] ; then
-		metric_lo="0"
-		config_lo=( "127.0.0.1/8 brd 127.255.255.255" "${config_lo[@]}" )
-		routes_lo=( "127.0.0.0/8" "${routes_lo[@]}" )
-	elif [[ ${iface} == "lo0" ]] ; then
-		metric_lo0="0"
-		config_lo0=( "127.0.0.1/8 brd 127.255.255.255" "${config_lo[@]}" )
-		routes_lo0=( "127.0.0.0/8" "${routes_lo[@]}" )
-	fi
-
-	# We may not have a loaded module for ${iface}
-	# Some users may have "alias natsemi eth0" in /etc/modules.d/foo
-	# so we can work with this
-	# However, if they do the same with eth1 and try to start it
-	# but eth0 has not been loaded then the module gets loaded as
-	# eth0.
-	# Not much we can do about this :(
-	# Also, we cannot error here as some modules - such as bridge
-	# create interfaces
-	if ! interface_exists "${iface}" ; then
-		/sbin/modprobe "${iface}" &>/dev/null
-	fi
-
-	# Call user-defined preup function if it exists
-	if is_function preup ; then
-		einfo "Running preup function"
-		eindent
-		( preup "${iface}" )
-		eend "$?" "preup ${iface} failed" || return 1
-		eoutdent
-	fi
-
-	# If config is set to noop and the interface is up with an address
-	# then we don't start it
-	local config=
-	config="config_${IFVAR}[@]"
-	config=( "${!config}" )
-	if [[ ${config[0]} == "noop" ]] && interface_is_up "${iface}" true ; then
-		einfo "Keeping current configuration for ${iface}"
-		eend 0
-	else
-		# Remove noop from the config var
-		[[ ${config[0]} == "noop" ]] \
-			&& eval "config_${IFVAR}=( "\"\$\{config\[@\]:1\}\"" )"
-
-		# There may be existing ip address info - so we strip it
-		if [[ ${RC_INTERFACE_KEEP_CONFIG} != "yes" \
-			&& ${IN_BACKGROUND} != "true" ]] ; then
-			interface_del_addresses "${iface}"
-		fi
-
-		# Start the interface
-		if ! iface_start "${iface}" ; then
-			if [[ ${IN_BACKGROUND} != "true" ]] ; then
-				interface_exists "${iface}" && interface_down "${iface}"
-			fi
-			eend 1
-			return 1
-		fi
-	fi
-
-	# Call user-defined postup function if it exists
-	if is_function postup ; then
-		# We need to mark the service as started incase a
-		# postdown function wants to restart services that depend on us
-		mark_service_started "net.${iface}"
-		end_service "net.${iface}" 0
-		einfo "Running postup function"
-		eindent
-		( postup "${iface}" )
-		eoutdent
-	fi
-
-	return 0
-}
-
-# bool run_stop(char *iface) {
-#
-# Brings down ${iface}.  If predown call returns non-zero, then
-# stop returns non-zero to indicate failure bringing down device.
-# In all other cases stop returns 0 to indicate success.
-run_stop() {
-	local iface="$1" IFVAR=$(bash_variable "$1") x
-
-	# Load our ESSID variable so users can use it in predown() instead
-	# of having to write code.
-	local ESSID=$(get_options ESSID) ESSIDVAR=
-	[[ -n ${ESSID} ]] && ESSIDVAR=$(bash_variable "${ESSID}")
-
-	# Call user-defined predown function if it exists
-	if is_function predown ; then
-		einfo "Running predown function"
-		eindent
-		( predown "${iface}" )
-		eend $? "predown ${iface} failed" || return 1
-		eoutdent
-	elif is_net_fs / ; then
-		eerror "root filesystem is network mounted -- can't stop ${iface}"
-		return 1
-	elif is_union_fs / ; then
-		for x in $(unionctl "${dir}" --list \
-		| sed -e 's/^\(.*\) .*/\1/') ; do
-			if is_net_fs "${x}" ; then
-				eerror "Part of the root filesystem is network mounted - cannot stop ${iface}"
-				return 1
-			fi
-		done
-	fi
-
-	iface_stop "${iface}" || return 1  # always succeeds, btw
-
-	# Release resolv.conf information.
-	[[ -x /sbin/resolvconf ]] && resolvconf -d "${iface}"
-	
-	# Mark us as inactive if called from the background
-	[[ ${IN_BACKGROUND} == "true" ]] && mark_service_inactive "net.${iface}"
-
-	# Call user-defined postdown function if it exists
-	if is_function postdown ; then
-		# We need to mark the service as stopped incase a
-		# postdown function wants to restart services that depend on us
-		[[ ${IN_BACKGROUND} != "true" ]] && mark_service_stopped "net.${iface}"
-		end_service "net.${iface}" 0
-		einfo "Running postdown function"
-		eindent
-		( postdown "${iface}" )
-		eoutdent
-	fi
-
-
-	return 0
-}
-
-# bool run(char *iface, char *cmd)
-#
-# Main start/stop entry point
-# We load modules here and remove any functions that they
-# added as we may be called inside the same shell scope for another interface
-run() {
-	local iface="$1" cmd="$2" r=1 RC_INDENTATION="${RC_INDENTATION}"
-	local starting=true
-	local -a MODULES=() mods=()
-	local IN_BACKGROUND="${IN_BACKGROUND}"
-
-	if [[ ${IN_BACKGROUND} == "true" || ${IN_BACKGROUND} == "1" ]] ; then
-		IN_BACKGROUND=true
-	else
-		IN_BACKGROUND=false
-	fi
-
-	# We need to override the exit function as runscript.sh now checks
-	# for it. We need it so we can mark the service as inactive ourselves.
-	unset -f exit
-
-	eindent
-	[[ ${cmd} == "stop" ]] && starting=false
-
-	# We force lo to only use these modules for a major speed boost
-	if is_loopback "${iface}" ; then	
-		modules_force=( "iproute2" "ifconfig" "system" )
-	fi
-
-	if modules_load "${iface}" "${starting}" ; then
-		if [[ ${cmd} == "stop" ]] ; then
-			# Reverse the module list for stopping
-			mods=( "${MODULES[@]}" )
-			for ((i = 0; i < ${#mods[@]}; i++)); do
-				MODULES[i]=${mods[((${#mods[@]} - i - 1))]}
-			done
-
-			run_stop "${iface}" && r=0
-		else
-			# Only hotplug on ethernet interfaces
-			if [[ ${IN_HOTPLUG} == 1 ]] ; then
-				if ! interface_is_ethernet "${iface}" ; then
-					eerror "We only hotplug for ethernet interfaces"
-					return 1
-				fi
-			fi
-
-			run_start "${iface}" && r=0
-		fi
-	fi
-
-	if [[ ${r} != "0" ]] ; then
-		if [[ ${cmd} == "start" ]] ; then
-			# Call user-defined failup if it exists
-			if is_function failup ; then
-				einfo "Running failup function"
-				eindent
-				( failup "${iface}" )
-				eoutdent
-			fi
-		else
-			# Call user-defined faildown if it exists
-			if is_function faildown ; then
-				einfo "Running faildown function"
-				eindent
-				( faildown "${iface}" )
-				eoutdent
-			fi
-		fi
-		[[ ${IN_BACKGROUND} == "true" ]] \
-			&& mark_service_inactive "net.${iface}"
-	fi
-
-	return "${r}"
-}
-
-# bool start(void)
-#
-# Start entry point so that we only have one function
-# which localises variables and unsets functions
-start() {
-	declare -r IFACE="${SVCNAME#*.}"
-	einfo "Starting ${IFACE}"
-	run "${IFACE}" start
-}
-
-# bool stop(void)
-#
-# Stop entry point so that we only have one function
-# which localises variables and unsets functions
-stop() {
-	declare -r IFACE="${SVCNAME#*.}"
-	einfo "Stopping ${IFACE}"
-	run "${IFACE}" stop
-}
-
-# vim:ts=4
diff --git a/testing/hosts/bob/etc/conf.d/hostname b/testing/hosts/bob/etc/conf.d/hostname
deleted file mode 100644
index bbf5a2ea6..000000000
--- a/testing/hosts/bob/etc/conf.d/hostname
+++ /dev/null
@@ -1 +0,0 @@
-HOSTNAME=bob
diff --git a/testing/hosts/bob/etc/conf.d/net b/testing/hosts/bob/etc/conf.d/net
deleted file mode 100644
index bd0b3a5ce..000000000
--- a/testing/hosts/bob/etc/conf.d/net
+++ /dev/null
@@ -1,10 +0,0 @@
-# /etc/conf.d/net:
-
-# This is basically the ifconfig argument without the ifconfig $iface
-#
-config_eth0=( "PH_IP_BOB broadcast 10.2.255.255 netmask 255.255.0.0"
-              "PH_IP6_BOB/16" )
-
-# For setting the default gateway
-#
-routes_eth0=( "default via PH_IP_SUN1" )
diff --git a/testing/hosts/bob/etc/hostname b/testing/hosts/bob/etc/hostname
new file mode 100644
index 000000000..696fb6baa
--- /dev/null
+++ b/testing/hosts/bob/etc/hostname
@@ -0,0 +1 @@
+bob
diff --git a/testing/hosts/bob/etc/init.d/iptables b/testing/hosts/bob/etc/init.d/iptables
deleted file mode 100755
index 7b8756b81..000000000
--- a/testing/hosts/bob/etc/init.d/iptables
+++ /dev/null
@@ -1,74 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	# allow IKE
-        iptables -A INPUT  -i eth0 -p udp --dport 500 -j ACCEPT
-        iptables -A OUTPUT -o eth0 -p udp --sport 500 -j ACCEPT
-			
-	# allow NAT-T 
-	iptables -A INPUT  -i eth0 -p udp --dport 4500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --sport 4500 -j ACCEPT
-
-
-	# allow crl fetch from winnetou
-	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/hosts/bob/etc/init.d/net.eth0 b/testing/hosts/bob/etc/init.d/net.eth0
deleted file mode 100755
index 92b3851cf..000000000
--- a/testing/hosts/bob/etc/init.d/net.eth0
+++ /dev/null
@@ -1,1124 +0,0 @@
-#!/sbin/runscript
-# Copyright (c) 2004-2006 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-# Contributed by Roy Marples (uberlord@gentoo.org)
-# Many thanks to Aron Griffis (agriffis@gentoo.org)
-# for help, ideas and patches
-
-#NB: Config is in /etc/conf.d/net
-
-# For pcmcia users. note that pcmcia must be added to the same
-# runlevel as the net.* script that needs it.
-depend() {
-	need localmount
-	after bootmisc hostname
-	use isapnp isdn pcmcia usb wlan
-
-	# Load any custom depend functions for the given interface
-	# For example, br0 may need eth0 and eth1
-	local iface="${SVCNAME#*.}"
-	[[ $(type -t "depend_${iface}") == "function" ]] && depend_${iface}
-
-	if [[ ${iface} != "lo" && ${iface} != "lo0" ]] ; then
-		after net.lo net.lo0
-
-		# Support new style RC_NEED and RC_USE in one net file
-		local x="RC_NEED_${iface}"
-		[[ -n ${!x} ]] && need ${!x}
-		x="RC_USE_${iface}"
-		[[ -n ${!x} ]] && use ${!x}
-	fi
-
-	return 0
-}
-
-# Define where our modules are
-MODULES_DIR="${svclib}/net"
-
-# Make some wrappers to fudge after/before/need/use depend flags.
-# These are callbacks so MODULE will be set.
-after() {
-	eval "${MODULE}_after() { echo \"$*\"; }"
-}
-before() {
-	eval "${MODULE}_before() { echo \"$*\"; }"
-}
-need() {
-	eval "${MODULE}_need() { echo \"$*\"; }"
-}
-installed() {
-	# We deliberately misspell this as _installed will probably be used
-	# at some point
-	eval "${MODULE}_instlled() { echo \"$*\"; }"
-}
-provide() {
-	eval "${MODULE}_provide() { echo \"$*\"; }"
-}
-functions() {
-	eval "${MODULE}_functions() { echo \"$*\"; }"
-}
-variables() {
-	eval "${MODULE}_variables() { echo \"$*\"; }"
-}
-
-is_loopback() {
-	[[ $1 == "lo" || $1 == "lo0" ]]
-}
-
-# char* interface_device(char *iface)
-#
-# Gets the base device of the interface
-# Can handle eth0:1 and eth0.1
-# Which returns eth0 in this case
-interface_device() {
-	local dev="${1%%.*}"
-	[[ ${dev} == "$1" ]] && dev="${1%%:*}"
-	echo "${dev}"
-}
-
-# char* interface_type(char* iface)
-#
-# Returns the base type of the interface
-# eth, ippp, etc
-interface_type() {
-	echo "${1%%[0-9]*}"
-}
-
-# int calculate_metric(char *interface, int base)
-#
-# Calculates the best metric for the interface
-# We use this when we add routes so we can prefer interfaces over each other
-calculate_metric() {
-	local iface="$1" metric="$2"
-
-	# Have we already got a metric?
-	local m=$(awk '$1=="'${iface}'" && $2=="00000000" { print $7 }' \
-		/proc/net/route)
-	if [[ -n ${m} ]] ; then
-		echo "${m}"
-		return 0
-	fi
-
-	local i= dest= gw= flags= ref= u= m= mtu= metrics=
-	while read i dest gw flags ref u m mtu ; do
-		# Ignore lo
-		is_loopback "${i}" && continue
-		# We work out metrics from default routes only
-		[[ ${dest} != "00000000" || ${gw} == "00000000" ]] && continue
-		metrics="${metrics}\n${m}"
-	done < /proc/net/route
-
-	# Now, sort our metrics
-	metrics=$(echo -e "${metrics}" | sort -n)
-
-	# Now, find the lowest we can use
-	local gotbase=false
-	for m in ${metrics} ; do
-		[[ ${m} -lt ${metric} ]] && continue
-		[[ ${m} == ${metric} ]] && ((metric++))
-		[[ ${m} -gt ${metric} ]] && break
-	done
-	
-	echo "${metric}"
-}
-
-# int netmask2cidr(char *netmask)
-#
-# Returns the CIDR of a given netmask
-netmask2cidr() {
-	local binary= i= bin=
-
-	for i in ${1//./ }; do
-		bin=""
-		while [[ ${i} != "0" ]] ; do
-			bin=$[${i}%2]${bin}
-			(( i=i>>1 ))
-		done
-		binary="${binary}${bin}"
-	done
-	binary="${binary%%0*}"
-	echo "${#binary}"
-}
-
-
-# bool is_function(char* name)
-#
-# Returns 0 if the given name is a shell function, otherwise 1
-is_function() {
-	[[ -z $1 ]] && return 1
-	[[ $(type -t "$1") == "function" ]]
-}
-
-# void function_wrap(char* source, char* target)
-#
-# wraps function calls - for example function_wrap(this, that)
-# maps function names this_* to that_*
-function_wrap() {
-	local i=
-
-	is_function "${2}_depend" && return
-
-	for i in $(typeset -f | grep -o '^'"${1}"'_[^ ]*'); do
-		eval "${2}${i#${1}}() { ${i} \"\$@\"; }"
-	done
-}
-
-# char[] * expand_parameters(char *cmd)
-#
-# Returns an array after expanding parameters. For example
-# "192.168.{1..3}.{1..3}/24 brd +"
-# will return
-# "192.168.1.1/24 brd +"
-# "192.168.1.2/24 brd +"
-# "192.168.1.3/24 brd +"
-# "192.168.2.1/24 brd +"
-# "192.168.2.2/24 brd +"
-# "192.168.2.3/24 brd +"
-# "192.168.3.1/24 brd +"
-# "192.168.3.2/24 brd +"
-# "192.168.3.3/24 brd +"
-expand_parameters() {
-	local x=$(eval echo ${@// /_})
-	local -a a=( ${x} )
-
-	a=( "${a[@]/#/\"}" )
-	a=( "${a[@]/%/\"}" )
-	echo "${a[*]//_/ }"
-}
-
-# void configure_variables(char *interface, char *option1, [char *option2])
-#
-# Maps configuration options from <variable>_<option> to <variable>_<iface>
-# option2 takes precedence over option1
-configure_variables() {
-	local iface="$1" option1="$2" option2="$3"
-
-	local mod= func= x= i=
-	local -a ivars=() ovars1=() ovars2=()
-	local ifvar=$(bash_variable "${iface}")
-
-	for mod in ${MODULES[@]}; do
-		is_function ${mod}_variables || continue
-		for v in $(${mod}_variables) ; do
-			x=
-			[[ -n ${option2} ]] && x="${v}_${option2}[@]"
-			[[ -z ${!x} ]] && x="${v}_${option1}[@]"
-			[[ -n ${!x} ]] && eval "${v}_${ifvar}=( \"\${!x}\" )"
-		done
-	done
-
-	return 0
-}
-# bool module_load_minimum(char *module)
-#
-# Does the minimum checking on a module - even when forcing
-module_load_minimum() {
-	local f="$1.sh" MODULE="${1##*/}"
-
-	if [[ ! -f ${f} ]] ; then
-		eerror "${f} does not exist"
-		return 1
-	fi
-
-	if ! source "${f}" ; then
-		eerror "${MODULE} failed a sanity check"
-		return 1
-	fi
-
-	for f in depend; do
-		is_function "${MODULE}_${f}" && continue
-		eerror "${MODULE}.sh does not support the required function ${f}"
-		return 1
-	done
-
-	return 0
-}
-
-# bool modules_load_auto()
-#
-# Load and check each module for sanity
-# If the module is not installed, the functions are to be removed
-modules_load_auto() {
-	local i j inst
-
-	# Populate the MODULES array
-	# Basically we treat evey file in ${MODULES_DIR} as a module
-	MODULES=( $( cd "${MODULES_DIR}" ; ls *.sh ) )
-	j="${#MODULES[@]}"
-	for (( i=0; i<j; i++ )); do
-		MODULES[i]="${MODULES_DIR}/${MODULES[i]}"
-		[[ ! -f ${MODULES[i]} ]] && unset MODULES[i]
-	done
-	MODULES=( "${MODULES[@]}" )
-
-	# Each of these sources into the global namespace, so it's
-	# important that module functions and variables are prefixed with
-	# the module name, for example iproute2_
-
-	j="${#MODULES[@]}"
-	loaded_interface=false
-	for (( i=0; i<j; i++ )); do
-		MODULES[i]="${MODULES[i]%.sh*}"
-		if [[ ${MODULES[i]##*/} == "interface" ]] ; then
-			eerror "interface is a reserved name - cannot load a module called interface"
-			return 1
-		fi
-		
-		(
-		u=0;
-		module_load_minimum "${MODULES[i]}" || u=1;
-		if [[ ${u} == 0 ]] ; then
-			inst="${MODULES[i]##*/}_check_installed";
-			if is_function "${inst}" ; then
-				${inst} false || u=1;
-			fi
-		fi
-		exit "${u}";
-		)
-
-		if [[ $? == 0 ]] ; then
-			source "${MODULES[i]}.sh"
-			MODULES[i]="${MODULES[i]##*/}"
-		else
-			unset MODULES[i]
-		fi
-	done
-
-	MODULES=( "${MODULES[@]}" )
-	return 0
-}
-
-# bool modules_check_installed(void)
-#
-# Ensure that all modules have the required modules loaded
-# This enables us to remove modules from the MODULES array
-# Whilst other modules can still explicitly call them
-# One example of this is essidnet which configures network
-# settings for the specific ESSID connected to as the user
-# may be using a daemon to configure wireless instead of our
-# iwconfig module
-modules_check_installed() {
-	local i j missingdeps nmods="${#MODULES[@]}"
-
-	for (( i=0; i<nmods; i++ )); do
-		is_function "${MODULES[i]}_instlled" || continue
-		for j in $( ${MODULES[i]}_instlled ); do
-			missingdeps=true
-			if is_function "${j}_check_installed" ; then
-				${j}_check_installed && missingdeps=false
-			elif is_function "${j}_depend" ; then
-				missingdeps=false
-			fi
-			${missingdeps} && unset MODULES[i] && unset PROVIDES[i] && break
-		done
-	done
-
-	MODULES=( "${MODULES[@]}" )
-	PROVIDES=( "${PROVIDES[@]}" )
-}
-
-# bool modules_check_user(void)
-modules_check_user() {
-	local iface="$1" ifvar=$(bash_variable "${IFACE}")
-	local i= j= k= l= nmods="${#MODULES[@]}"
-	local -a umods=()
-
-	# Has the interface got any specific modules?
-	umods="modules_${ifvar}[@]"
-	umods=( "${!umods}" )
-
-	# Global setting follows interface-specific setting
-	umods=( "${umods[@]}" "${modules[@]}" )
-
-	# Add our preferred modules
-	local -a pmods=( "iproute2" "dhcpcd" "iwconfig" "netplugd" )
-	umods=( "${umods[@]}" "${pmods[@]}" )
-
-	# First we strip any modules that conflict from user settings
-	# So if the user specifies pump then we don't use dhcpcd
-	for (( i=0; i<${#umods[@]}; i++ )); do
-		# Some users will inevitably put "dhcp" in their modules
-		# list.  To keep users from screwing up their system this
-		# way, ignore this setting so that the default dhcp
-		# module will be used.
-		[[ ${umods[i]} == "dhcp" ]] && continue
-
-		# We remove any modules we explicitly don't want
-		if [[ ${umods[i]} == "!"* ]] ; then
-			for (( j=0; j<nmods; j++ )); do
-				[[ -z ${MODULES[j]} ]] && continue
-				if [[ ${umods[i]:1} == "${MODULES[j]}" \
-					|| ${umods[i]:1} == "${PROVIDES[j]}" ]] ; then
-					# We may need to setup a class wrapper for it even though
-					# we don't use it directly
-					# However, we put it into an array and wrap later as
-					# another module may provide the same thing
-					${MODULES[j]}_check_installed \
-						&& WRAP_MODULES=(
-							"${WRAP_MODULES[@]}"
-							"${MODULES[j]} ${PROVIDES[j]}"
-						)
-					unset MODULES[j]
-					unset PROVIDES[j]
-				fi
-			done
-			continue
-		fi
-
-		if ! is_function "${umods[i]}_depend" ; then
-			# If the module is one of our preferred modules, then
-			# ignore this error; whatever is available will be
-			# used instead.
-			(( i < ${#umods[@]} - ${#pmods[@]} )) || continue
-
-			# The function may not exist because the modules software is
-			# not installed. Load the module and report its error
-			if [[ -e "${MODULES_DIR}/${umods[i]}.sh" ]] ; then
-				source "${MODULES_DIR}/${umods[i]}.sh"
-				is_function "${umods[i]}_check_installed" \
-					&& ${umods[i]}_check_installed true
-			else
-				eerror "The module \"${umods[i]}\" does not exist"
-			fi
-			return 1
-		fi
-
-		if is_function "${umods[i]}_provide" ; then
-			mod=$(${umods[i]}_provide)
-		else
-			mod="${umods[i]}"
-		fi
-		for (( j=0; j<nmods; j++ )); do
-			[[ -z ${MODULES[j]} ]] && continue
-			if [[ ${PROVIDES[j]} == "${mod}" && ${umods[i]} != "${MODULES[j]}" ]] ; then
-				# We don't have a match - now ensure that we still provide an
-				# alternative. This is to handle our preferred modules.
-				for (( l=0; l<nmods; l++ )); do
-					[[ ${l} == "${j}" || -z ${MODULES[l]} ]] && continue
-					if [[ ${PROVIDES[l]} == "${mod}" ]] ; then
-						unset MODULES[j]
-						unset PROVIDES[j]
-						break
-					fi
-				done
-			fi
-		done
-	done
-
-	# Then we strip conflicting modules.
-	# We only need to do this for 3rd party modules that conflict with
-	# our own modules and the preferred list AND the user modules
-	# list doesn't specify a preference.
-	for (( i=0; i<nmods-1; i++ )); do
-		[[ -z ${MODULES[i]} ]] && continue			
-		for (( j=i+1; j<nmods; j++)); do
-			[[ -z ${MODULES[j]} ]] && continue
-			[[ ${PROVIDES[i]} == "${PROVIDES[j]}" ]] \
-			&& unset MODULES[j] && unset PROVIDES[j]
-		done
-	done
-
-	MODULES=( "${MODULES[@]}" )
-	PROVIDES=( "${PROVIDES[@]}" )
-	return 0
-}
-
-# void modules_sort(void)
-#
-# Sort our modules
-modules_sort() {
-	local i= j= nmods=${#MODULES[@]} m=
-	local -a provide=() provide_list=() after=() dead=() sorted=() sortedp=()
-
-	# Make our provide list
-	for ((i=0; i<nmods; i++)); do
-		dead[i]="false"
-		if [[ ${MODULES[i]} != "${PROVIDES[i]}" ]] ; then
-			local provided=false
-			for ((j=0; j<${#provide[@]}; j++)); do
-				if [[ ${provide[j]} == "${PROVIDES[i]}" ]] ; then
-					provide_list[j]="${provide_list[j]} ${MODULES[i]}"
-					provided=true
-				fi
-			done
-			if ! ${provided}; then
-				provide[j]="${PROVIDES[i]}"
-				provide_list[j]="${MODULES[i]}"
-			fi
-		fi
-	done
-
-	# Create an after array, which holds which modules the module at
-	# index i must be after
-	for ((i=0; i<nmods; i++)); do
-		if is_function "${MODULES[i]}_after" ; then
-			after[i]=" ${after[i]} $(${MODULES[i]}_after) "
-		fi
-		if is_function "${MODULES[i]}_before" ; then
-			for m in $(${MODULES[i]}_before); do
-				for ((j=0; j<nmods; j++)) ; do
-					if [[ ${PROVIDES[j]} == "${m}" ]] ; then
-						after[j]=" ${after[j]} ${MODULES[i]} "
-						break
-					fi
-				done
-			done
-		fi
-	done
-
-	# Replace the after list modules with real modules
-	for ((i=0; i<nmods; i++)); do
-		if [[ -n ${after[i]} ]] ; then
-			for ((j=0; j<${#provide[@]}; j++)); do
-				after[i]="${after[i]// ${provide[j]} / ${provide_list[j]} }"
-			done
-		fi
-	done
-	
-	# We then use the below code to provide a topologial sort
-    module_after_visit() {
-        local name="$1" i= x=
-
-		for ((i=0; i<nmods; i++)); do
-			[[ ${MODULES[i]} == "$1" ]] && break
-		done
-
-        ${dead[i]} && return
-        dead[i]="true"
-
-        for x in ${after[i]} ; do
-            module_after_visit "${x}"
-        done
-
-        sorted=( "${sorted[@]}" "${MODULES[i]}" )
-		sortedp=( "${sortedp[@]}" "${PROVIDES[i]}" )
-    }
-
-	for x in ${MODULES[@]}; do
-		module_after_visit "${x}"
-	done
-
-	MODULES=( "${sorted[@]}" )
-	PROVIDES=( "${sortedp[@]}" )
-}
-
-# bool modules_check_depends(bool showprovides)
-modules_check_depends() {
-	local showprovides="${1:-false}" nmods="${#MODULES[@]}" i= j= needmod=
-	local missingdeps= p= interface=false
-
-	for (( i=0; i<nmods; i++ )); do
-		if is_function "${MODULES[i]}_need" ; then
-			for needmod in $(${MODULES[i]}_need); do
-				missingdeps=true
-				for (( j=0; j<nmods; j++ )); do
-					if [[ ${needmod} == "${MODULES[j]}" \
-						|| ${needmod} == "${PROVIDES[j]}" ]] ; then
-						missingdeps=false
-						break
-					fi
-				done
-				if ${missingdeps} ; then
-					eerror "${MODULES[i]} needs ${needmod} (dependency failure)"
-					return 1
-				fi
-			done
-		fi
-
-		if is_function "${MODULES[i]}_functions" ; then
-			for f in $(${MODULES[i]}_functions); do
-				if ! is_function "${f}" ; then
-					eerror "${MODULES[i]}: missing required function \"${f}\""
-					return 1
-				fi
-			done
-		fi
-
-		[[ ${PROVIDES[i]} == "interface" ]] && interface=true
-
-		if ${showprovides} ; then
-			[[ ${PROVIDES[i]} != "${MODULES[i]}" ]] \
-			&& veinfo "${MODULES[i]} provides ${PROVIDES[i]}"
-		fi
-	done
-
-	if ! ${interface} ; then
-		eerror "no interface module has been loaded"
-		return 1
-	fi
-
-	return 0
-}
-
-# bool modules_load(char *iface, bool starting)
-#
-# Loads the defined handler and modules for the interface
-# Returns 0 on success, otherwise 1
-modules_load()  {
-	local iface="$1" starting="${2:-true}" MODULE= p=false i= j= k=
-	local -a x=()
-	local RC_INDENTATION="${RC_INDENTATION}"
-	local -a PROVIDES=() WRAP_MODULES=()
-
-	if ! is_loopback "${iface}" ; then
-		x="modules_force_${iface}[@]"
-		[[ -n ${!x} ]] && modules_force=( "${!x}" )
-		if [[ -n ${modules_force} ]] ; then
-			ewarn "WARNING: You are forcing modules!"
-			ewarn "Do not complain or file bugs if things start breaking"
-			report=true
-		fi
-	fi
-
-	veinfo "Loading networking modules for ${iface}"
-	eindent
-
-	if [[ -z ${modules_force} ]] ; then
-		modules_load_auto || return 1
-	else
-		j="${#modules_force[@]}"
-		for (( i=0; i<j; i++ )); do
-			module_load_minimum "${MODULES_DIR}/${modules_force[i]}" || return 1
-			if is_function "${modules_force[i]}_check_installed" ; then
-				${modules_force[i]}_check_installed || unset modules_force[i]
-			fi
-		done
-		MODULES=( "${modules_force[@]}" )
-	fi
-
-	j="${#MODULES[@]}"
-	for (( i=0; i<j; i++ )); do
-		# Now load our dependencies - we need to use the MODULE variable
-		# here as the after/before/need functions use it
-		MODULE="${MODULES[i]}"
-		${MODULE}_depend
-
-		# expose does exactly the same thing as depend
-		# However it is more "correct" as it exposes things to other modules
-		# instead of depending on them ;)
-		is_function "${MODULES[i]}_expose" && ${MODULES[i]}_expose
-
-		# If no provide is given, assume module name
-		if is_function "${MODULES[i]}_provide" ; then
-			PROVIDES[i]=$(${MODULES[i]}_provide)
-		else
-			PROVIDES[i]="${MODULES[i]}"
-		fi
-	done
-
-	if [[ -n ${modules_force[@]} ]] ; then
-		# Strip any duplicate modules providing the same thing
-		j="${#MODULES[@]}"
-		for (( i=0; i<j-1; i++ )); do
-			[[ -z ${MODULES[i]} ]] && continue
-			for (( k=i+1; k<j; k++ )); do
-				if [[ ${PROVIDES[i]} == ${PROVIDES[k]} ]] ; then
-					unset MODULES[k]
-					unset PROVIDES[k]
-				fi
-			done
-		done
-		MODULES=( "${MODULES[@]}" )
-		PROVIDES=( "${PROVIDES[@]}" )
-	else
-		if ${starting}; then
-			modules_check_user "${iface}" || return 1
-		else
-			# Always prefer iproute2 for taking down interfaces
-			if is_function iproute2_provide ; then
-				function_wrap iproute2 "$(iproute2_provide)"
-			fi
-		fi
-	fi
-	
-	# Wrap our modules
-	j="${#MODULES[@]}"
-	for (( i=0; i<j; i++ )); do
-		function_wrap "${MODULES[i]}" "${PROVIDES[i]}"
-	done
-	j="${#WRAP_MODULES[@]}"
-	for (( i=0; i<j; i++ )); do
-		function_wrap ${WRAP_MODULES[i]}
-	done
-	
-	if [[ -z ${modules_force[@]} ]] ; then
-		modules_check_installed || return 1
-		modules_sort || return 1
-	fi
-
-	veinfo "modules: ${MODULES[@]}"
-	eindent
-
-	${starting} && p=true
-	modules_check_depends "${p}" || return 1
-	return 0
-}
-
-# bool iface_start(char *interface)
-#
-# iface_start is called from start.  It's expected to start the base
-# interface (for example "eth0"), aliases (for example "eth0:1") and to start
-# VLAN interfaces (for example eth0.0, eth0.1).  VLAN setup is accomplished by
-# calling itself recursively.
-iface_start() {
-	local iface="$1" mod config_counter="-1" x config_worked=false
-	local RC_INDENTATION="${RC_INDENTATION}"
-	local -a config=() fallback=() fallback_route=() conf=() a=() b=()
-	local ifvar=$(bash_variable "$1") i= j= metric=0
-
-	# pre Start any modules with
-	for mod in ${MODULES[@]}; do
-		if is_function "${mod}_pre_start" ; then
-			${mod}_pre_start "${iface}" || { eend 1; return 1; }
-		fi
-	done
-
-	x="metric_${ifvar}"
-	# If we don't have a metric then calculate one
-	# Our modules will set the metric variable to a suitable base
-	# in their pre starts.
-	if [[ -z ${!x} ]] ; then
-		eval "metric_${ifvar}=\"$(calculate_metric "${iface}" "${metric}")\""
-	fi
-
-	# We now expand the configuration parameters and pray that the
-	# fallbacks expand to the same number as config or there will be
-	# trouble!
-	a="config_${ifvar}[@]"
-	a=( "${!a}" )
-	for (( i=0; i<${#a[@]}; i++ )); do 
-		eval b=( $(expand_parameters "${a[i]}") )
-		config=( "${config[@]}" "${b[@]}" )
-	done
-
-	a="fallback_${ifvar}[@]"
-	a=( "${!a}" )
-	for (( i=0; i<${#a[@]}; i++ )); do 
-		eval b=( $(expand_parameters "${a[i]}") )
-		fallback=( "${fallback[@]}" "${b[@]}" )
-	done
-
-	# We don't expand routes
-	fallback_route="fallback_route_${ifvar}[@]"
-	fallback_route=( "${!fallback_route}" )
-	
-	# We must support old configs
-	if [[ -z ${config} ]] ; then
-		interface_get_old_config "${iface}" || return 1
-		if [[ -n ${config} ]] ; then
-			ewarn "You are using a deprecated configuration syntax for ${iface}"
-			ewarn "You are advised to read /etc/conf.d/net.example and upgrade it accordingly"
-		fi
-	fi
-
-	# Handle "noop" correctly
-	if [[ ${config[0]} == "noop" ]] ; then
-		if interface_is_up "${iface}" true ; then
-			einfo "Keeping current configuration for ${iface}"
-			eend 0
-			return 0
-		fi
-
-		# Remove noop from the config var
-		config=( "${config[@]:1}" )
-	fi
-
-	# Provide a default of DHCP if no configuration is set and we're auto
-	# Otherwise a default of NULL
-	if [[ -z ${config} ]] ; then
-		ewarn "Configuration not set for ${iface} - assuming DHCP"
-		if is_function "dhcp_start" ; then
-			config=( "dhcp" )
-		else
-			eerror "No DHCP client installed"
-			return 1
-		fi
-	fi
-
-	einfo "Bringing up ${iface}"
-	eindent
-	for (( config_counter=0; config_counter<${#config[@]}; config_counter++ )); do
-		# Handle null and noop correctly
-		if [[ ${config[config_counter]} == "null" \
-			|| ${config[config_counter]} == "noop" ]] ; then
-			eend 0
-			config_worked=true
-			continue
-		fi
-
-		# We convert it to an array - this has the added
-		# bonus of trimming spaces!
-		conf=( ${config[config_counter]} )
-		einfo "${conf[0]}"
-
-		# Do we have a function for our config?
-		if is_function "${conf[0]}_start" ; then
-			eindent
-			${conf[0]}_start "${iface}" ; x=$?
-			eoutdent
-			[[ ${x} == 0 ]] && config_worked=true && continue
-			# We need to test to see if it's an IP address or a function
-			# We do this by testing if the 1st character is a digit
-		elif [[ ${conf[0]:0:1} == [[:digit:]] || ${conf[0]} == *:* ]] ; then
-			x="0"
-			if ! is_loopback "${iface}" ; then
-				if [[ " ${MODULES[@]} " == *" arping "* ]] ; then
-					if arping_address_exists "${iface}" "${conf[0]}" ; then
-						eerror "${conf[0]%%/*} already taken on ${iface}"
-						x="1"
-					fi
-				fi
-			fi
-			[[ ${x} == "0" ]] && interface_add_address "${iface}" ${conf[@]}; x="$?"
-			eend "${x}" && config_worked=true && continue
-		else
-			if [[ ${conf[0]} == "dhcp" ]] ; then
-				eerror "No DHCP client installed"
-			else
-				eerror "No loaded modules provide \"${conf[0]}\" (${conf[0]}_start)"
-			fi
-		fi
-
-		if [[ -n ${fallback[config_counter]} ]] ; then
-			einfo "Trying fallback configuration"
-			config[config_counter]="${fallback[config_counter]}"
-			fallback[config_counter]=""
-
-			# Do we have a fallback route?
-			if [[ -n ${fallback_route[config_counter]} ]] ; then
-				x="fallback_route[config_counter]"
-				eval "routes_${ifvar}=( \"\${!x}\" )"
-				fallback_route[config_counter]=""
-			fi
-
-			(( config_counter-- )) # since the loop will increment it
-			continue
-		fi
-	done
-	eoutdent
-
-	# We return failure if no configuration parameters worked
-	${config_worked} || return 1
-
-	# Start any modules with _post_start
-	for mod in ${MODULES[@]}; do
-		if is_function "${mod}_post_start" ; then
-			${mod}_post_start "${iface}" || return 1
-		fi
-	done
-
-	return 0
-}
-
-# bool iface_stop(char *interface)
-#
-# iface_stop: bring down an interface.  Don't trust information in
-# /etc/conf.d/net since the configuration might have changed since
-# iface_start ran.  Instead query for current configuration and bring
-# down the interface.
-iface_stop() {
-	local iface="$1" i= aliases= need_begin=false mod=
-	local RC_INDENTATION="${RC_INDENTATION}"
-
-	# pre Stop any modules
-	for mod in ${MODULES[@]}; do
-		if is_function "${mod}_pre_stop" ; then
-			${mod}_pre_stop "${iface}" || return 1
-		fi
-	done
-
-	einfo "Bringing down ${iface}"
-	eindent
-
-	# Collect list of aliases for this interface.
-	# List will be in reverse order.
-	if interface_exists "${iface}" ; then
-		aliases=$(interface_get_aliases_rev "${iface}")
-	fi
-
-	# Stop aliases before primary interface.
-	# Note this must be done in reverse order, since ifconfig eth0:1 
-	# will remove eth0:2, etc.  It might be sufficient to simply remove 
-	# the base interface but we're being safe here.
-	for i in ${aliases} ${iface}; do
-		# Stop all our modules
-		for mod in ${MODULES[@]}; do
-			if is_function "${mod}_stop" ; then
-				${mod}_stop "${i}" || return 1
-			fi
-		done
-
-		# A module may have removed the interface
-		if ! interface_exists "${iface}" ; then
-			eend 0
-			continue
-		fi
-
-		# We don't delete ppp assigned addresses
-		if ! is_function pppd_exists || ! pppd_exists "${i}" ; then
-			# Delete all the addresses for this alias
-			interface_del_addresses "${i}"
-		fi
-
-		# Do final shut down of this alias
-		if [[ ${IN_BACKGROUND} != "true" \
-			&& ${RC_DOWN_INTERFACE} == "yes" ]] ; then
-			ebegin "Shutting down ${i}"
-			interface_iface_stop "${i}"
-			eend "$?"
-		fi
-	done
-
-	# post Stop any modules
-	for mod in ${MODULES[@]}; do
-		# We have already taken down the interface, so no need to error
-		is_function "${mod}_post_stop" && ${mod}_post_stop "${iface}"
-	done
-
-	return 0
-}
-
-# bool run_start(char *iface)
-#
-# Brings up ${IFACE}.  Calls preup, iface_start, then postup.
-# Returns 0 (success) unless preup or iface_start returns 1 (failure).
-# Ignores the return value from postup.
-# We cannot check that the device exists ourselves as modules like
-# tuntap make create it.
-run_start() {
-	local iface="$1" IFVAR=$(bash_variable "$1")
-
-	# We do this so users can specify additional addresses for lo if they
-	# need too - additional routes too
-	# However, no extra modules are loaded as they are just not needed
-	if [[ ${iface} == "lo" ]] ; then
-		metric_lo="0"
-		config_lo=( "127.0.0.1/8 brd 127.255.255.255" "${config_lo[@]}" )
-		routes_lo=( "127.0.0.0/8" "${routes_lo[@]}" )
-	elif [[ ${iface} == "lo0" ]] ; then
-		metric_lo0="0"
-		config_lo0=( "127.0.0.1/8 brd 127.255.255.255" "${config_lo[@]}" )
-		routes_lo0=( "127.0.0.0/8" "${routes_lo[@]}" )
-	fi
-
-	# We may not have a loaded module for ${iface}
-	# Some users may have "alias natsemi eth0" in /etc/modules.d/foo
-	# so we can work with this
-	# However, if they do the same with eth1 and try to start it
-	# but eth0 has not been loaded then the module gets loaded as
-	# eth0.
-	# Not much we can do about this :(
-	# Also, we cannot error here as some modules - such as bridge
-	# create interfaces
-	if ! interface_exists "${iface}" ; then
-		/sbin/modprobe "${iface}" &>/dev/null
-	fi
-
-	# Call user-defined preup function if it exists
-	if is_function preup ; then
-		einfo "Running preup function"
-		eindent
-		( preup "${iface}" )
-		eend "$?" "preup ${iface} failed" || return 1
-		eoutdent
-	fi
-
-	# If config is set to noop and the interface is up with an address
-	# then we don't start it
-	local config=
-	config="config_${IFVAR}[@]"
-	config=( "${!config}" )
-	if [[ ${config[0]} == "noop" ]] && interface_is_up "${iface}" true ; then
-		einfo "Keeping current configuration for ${iface}"
-		eend 0
-	else
-		# Remove noop from the config var
-		[[ ${config[0]} == "noop" ]] \
-			&& eval "config_${IFVAR}=( "\"\$\{config\[@\]:1\}\"" )"
-
-		# There may be existing ip address info - so we strip it
-		if [[ ${RC_INTERFACE_KEEP_CONFIG} != "yes" \
-			&& ${IN_BACKGROUND} != "true" ]] ; then
-			interface_del_addresses "${iface}"
-		fi
-
-		# Start the interface
-		if ! iface_start "${iface}" ; then
-			if [[ ${IN_BACKGROUND} != "true" ]] ; then
-				interface_exists "${iface}" && interface_down "${iface}"
-			fi
-			eend 1
-			return 1
-		fi
-	fi
-
-	# Call user-defined postup function if it exists
-	if is_function postup ; then
-		# We need to mark the service as started incase a
-		# postdown function wants to restart services that depend on us
-		mark_service_started "net.${iface}"
-		end_service "net.${iface}" 0
-		einfo "Running postup function"
-		eindent
-		( postup "${iface}" )
-		eoutdent
-	fi
-
-	return 0
-}
-
-# bool run_stop(char *iface) {
-#
-# Brings down ${iface}.  If predown call returns non-zero, then
-# stop returns non-zero to indicate failure bringing down device.
-# In all other cases stop returns 0 to indicate success.
-run_stop() {
-	local iface="$1" IFVAR=$(bash_variable "$1") x
-
-	# Load our ESSID variable so users can use it in predown() instead
-	# of having to write code.
-	local ESSID=$(get_options ESSID) ESSIDVAR=
-	[[ -n ${ESSID} ]] && ESSIDVAR=$(bash_variable "${ESSID}")
-
-	# Call user-defined predown function if it exists
-	if is_function predown ; then
-		einfo "Running predown function"
-		eindent
-		( predown "${iface}" )
-		eend $? "predown ${iface} failed" || return 1
-		eoutdent
-	elif is_net_fs / ; then
-		eerror "root filesystem is network mounted -- can't stop ${iface}"
-		return 1
-	elif is_union_fs / ; then
-		for x in $(unionctl "${dir}" --list \
-		| sed -e 's/^\(.*\) .*/\1/') ; do
-			if is_net_fs "${x}" ; then
-				eerror "Part of the root filesystem is network mounted - cannot stop ${iface}"
-				return 1
-			fi
-		done
-	fi
-
-	iface_stop "${iface}" || return 1  # always succeeds, btw
-
-	# Release resolv.conf information.
-	[[ -x /sbin/resolvconf ]] && resolvconf -d "${iface}"
-	
-	# Mark us as inactive if called from the background
-	[[ ${IN_BACKGROUND} == "true" ]] && mark_service_inactive "net.${iface}"
-
-	# Call user-defined postdown function if it exists
-	if is_function postdown ; then
-		# We need to mark the service as stopped incase a
-		# postdown function wants to restart services that depend on us
-		[[ ${IN_BACKGROUND} != "true" ]] && mark_service_stopped "net.${iface}"
-		end_service "net.${iface}" 0
-		einfo "Running postdown function"
-		eindent
-		( postdown "${iface}" )
-		eoutdent
-	fi
-
-
-	return 0
-}
-
-# bool run(char *iface, char *cmd)
-#
-# Main start/stop entry point
-# We load modules here and remove any functions that they
-# added as we may be called inside the same shell scope for another interface
-run() {
-	local iface="$1" cmd="$2" r=1 RC_INDENTATION="${RC_INDENTATION}"
-	local starting=true
-	local -a MODULES=() mods=()
-	local IN_BACKGROUND="${IN_BACKGROUND}"
-
-	if [[ ${IN_BACKGROUND} == "true" || ${IN_BACKGROUND} == "1" ]] ; then
-		IN_BACKGROUND=true
-	else
-		IN_BACKGROUND=false
-	fi
-
-	# We need to override the exit function as runscript.sh now checks
-	# for it. We need it so we can mark the service as inactive ourselves.
-	unset -f exit
-
-	eindent
-	[[ ${cmd} == "stop" ]] && starting=false
-
-	# We force lo to only use these modules for a major speed boost
-	if is_loopback "${iface}" ; then	
-		modules_force=( "iproute2" "ifconfig" "system" )
-	fi
-
-	if modules_load "${iface}" "${starting}" ; then
-		if [[ ${cmd} == "stop" ]] ; then
-			# Reverse the module list for stopping
-			mods=( "${MODULES[@]}" )
-			for ((i = 0; i < ${#mods[@]}; i++)); do
-				MODULES[i]=${mods[((${#mods[@]} - i - 1))]}
-			done
-
-			run_stop "${iface}" && r=0
-		else
-			# Only hotplug on ethernet interfaces
-			if [[ ${IN_HOTPLUG} == 1 ]] ; then
-				if ! interface_is_ethernet "${iface}" ; then
-					eerror "We only hotplug for ethernet interfaces"
-					return 1
-				fi
-			fi
-
-			run_start "${iface}" && r=0
-		fi
-	fi
-
-	if [[ ${r} != "0" ]] ; then
-		if [[ ${cmd} == "start" ]] ; then
-			# Call user-defined failup if it exists
-			if is_function failup ; then
-				einfo "Running failup function"
-				eindent
-				( failup "${iface}" )
-				eoutdent
-			fi
-		else
-			# Call user-defined faildown if it exists
-			if is_function faildown ; then
-				einfo "Running faildown function"
-				eindent
-				( faildown "${iface}" )
-				eoutdent
-			fi
-		fi
-		[[ ${IN_BACKGROUND} == "true" ]] \
-			&& mark_service_inactive "net.${iface}"
-	fi
-
-	return "${r}"
-}
-
-# bool start(void)
-#
-# Start entry point so that we only have one function
-# which localises variables and unsets functions
-start() {
-	declare -r IFACE="${SVCNAME#*.}"
-	einfo "Starting ${IFACE}"
-	run "${IFACE}" start
-}
-
-# bool stop(void)
-#
-# Stop entry point so that we only have one function
-# which localises variables and unsets functions
-stop() {
-	declare -r IFACE="${SVCNAME#*.}"
-	einfo "Stopping ${IFACE}"
-	run "${IFACE}" stop
-}
-
-# vim:ts=4
diff --git a/testing/hosts/bob/etc/ipsec.conf b/testing/hosts/bob/etc/ipsec.conf
old mode 100755
new mode 100644
diff --git a/testing/hosts/bob/etc/network/interfaces b/testing/hosts/bob/etc/network/interfaces
new file mode 100644
index 000000000..eca4f8fe7
--- /dev/null
+++ b/testing/hosts/bob/etc/network/interfaces
@@ -0,0 +1,12 @@
+auto lo
+iface lo inet loopback
+
+auto eth0
+iface eth0 inet static
+	address 10.2.0.10
+	netmask 255.255.0.0
+	broadcast 10.2.255.255
+	gateway 10.2.0.1
+iface eth0 inet6 static
+	address fec2::10
+	netmask 16
diff --git a/testing/hosts/bob/etc/runlevels/default/net.eth0 b/testing/hosts/bob/etc/runlevels/default/net.eth0
deleted file mode 100755
index 92b3851cf..000000000
--- a/testing/hosts/bob/etc/runlevels/default/net.eth0
+++ /dev/null
@@ -1,1124 +0,0 @@
-#!/sbin/runscript
-# Copyright (c) 2004-2006 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-# Contributed by Roy Marples (uberlord@gentoo.org)
-# Many thanks to Aron Griffis (agriffis@gentoo.org)
-# for help, ideas and patches
-
-#NB: Config is in /etc/conf.d/net
-
-# For pcmcia users. note that pcmcia must be added to the same
-# runlevel as the net.* script that needs it.
-depend() {
-	need localmount
-	after bootmisc hostname
-	use isapnp isdn pcmcia usb wlan
-
-	# Load any custom depend functions for the given interface
-	# For example, br0 may need eth0 and eth1
-	local iface="${SVCNAME#*.}"
-	[[ $(type -t "depend_${iface}") == "function" ]] && depend_${iface}
-
-	if [[ ${iface} != "lo" && ${iface} != "lo0" ]] ; then
-		after net.lo net.lo0
-
-		# Support new style RC_NEED and RC_USE in one net file
-		local x="RC_NEED_${iface}"
-		[[ -n ${!x} ]] && need ${!x}
-		x="RC_USE_${iface}"
-		[[ -n ${!x} ]] && use ${!x}
-	fi
-
-	return 0
-}
-
-# Define where our modules are
-MODULES_DIR="${svclib}/net"
-
-# Make some wrappers to fudge after/before/need/use depend flags.
-# These are callbacks so MODULE will be set.
-after() {
-	eval "${MODULE}_after() { echo \"$*\"; }"
-}
-before() {
-	eval "${MODULE}_before() { echo \"$*\"; }"
-}
-need() {
-	eval "${MODULE}_need() { echo \"$*\"; }"
-}
-installed() {
-	# We deliberately misspell this as _installed will probably be used
-	# at some point
-	eval "${MODULE}_instlled() { echo \"$*\"; }"
-}
-provide() {
-	eval "${MODULE}_provide() { echo \"$*\"; }"
-}
-functions() {
-	eval "${MODULE}_functions() { echo \"$*\"; }"
-}
-variables() {
-	eval "${MODULE}_variables() { echo \"$*\"; }"
-}
-
-is_loopback() {
-	[[ $1 == "lo" || $1 == "lo0" ]]
-}
-
-# char* interface_device(char *iface)
-#
-# Gets the base device of the interface
-# Can handle eth0:1 and eth0.1
-# Which returns eth0 in this case
-interface_device() {
-	local dev="${1%%.*}"
-	[[ ${dev} == "$1" ]] && dev="${1%%:*}"
-	echo "${dev}"
-}
-
-# char* interface_type(char* iface)
-#
-# Returns the base type of the interface
-# eth, ippp, etc
-interface_type() {
-	echo "${1%%[0-9]*}"
-}
-
-# int calculate_metric(char *interface, int base)
-#
-# Calculates the best metric for the interface
-# We use this when we add routes so we can prefer interfaces over each other
-calculate_metric() {
-	local iface="$1" metric="$2"
-
-	# Have we already got a metric?
-	local m=$(awk '$1=="'${iface}'" && $2=="00000000" { print $7 }' \
-		/proc/net/route)
-	if [[ -n ${m} ]] ; then
-		echo "${m}"
-		return 0
-	fi
-
-	local i= dest= gw= flags= ref= u= m= mtu= metrics=
-	while read i dest gw flags ref u m mtu ; do
-		# Ignore lo
-		is_loopback "${i}" && continue
-		# We work out metrics from default routes only
-		[[ ${dest} != "00000000" || ${gw} == "00000000" ]] && continue
-		metrics="${metrics}\n${m}"
-	done < /proc/net/route
-
-	# Now, sort our metrics
-	metrics=$(echo -e "${metrics}" | sort -n)
-
-	# Now, find the lowest we can use
-	local gotbase=false
-	for m in ${metrics} ; do
-		[[ ${m} -lt ${metric} ]] && continue
-		[[ ${m} == ${metric} ]] && ((metric++))
-		[[ ${m} -gt ${metric} ]] && break
-	done
-	
-	echo "${metric}"
-}
-
-# int netmask2cidr(char *netmask)
-#
-# Returns the CIDR of a given netmask
-netmask2cidr() {
-	local binary= i= bin=
-
-	for i in ${1//./ }; do
-		bin=""
-		while [[ ${i} != "0" ]] ; do
-			bin=$[${i}%2]${bin}
-			(( i=i>>1 ))
-		done
-		binary="${binary}${bin}"
-	done
-	binary="${binary%%0*}"
-	echo "${#binary}"
-}
-
-
-# bool is_function(char* name)
-#
-# Returns 0 if the given name is a shell function, otherwise 1
-is_function() {
-	[[ -z $1 ]] && return 1
-	[[ $(type -t "$1") == "function" ]]
-}
-
-# void function_wrap(char* source, char* target)
-#
-# wraps function calls - for example function_wrap(this, that)
-# maps function names this_* to that_*
-function_wrap() {
-	local i=
-
-	is_function "${2}_depend" && return
-
-	for i in $(typeset -f | grep -o '^'"${1}"'_[^ ]*'); do
-		eval "${2}${i#${1}}() { ${i} \"\$@\"; }"
-	done
-}
-
-# char[] * expand_parameters(char *cmd)
-#
-# Returns an array after expanding parameters. For example
-# "192.168.{1..3}.{1..3}/24 brd +"
-# will return
-# "192.168.1.1/24 brd +"
-# "192.168.1.2/24 brd +"
-# "192.168.1.3/24 brd +"
-# "192.168.2.1/24 brd +"
-# "192.168.2.2/24 brd +"
-# "192.168.2.3/24 brd +"
-# "192.168.3.1/24 brd +"
-# "192.168.3.2/24 brd +"
-# "192.168.3.3/24 brd +"
-expand_parameters() {
-	local x=$(eval echo ${@// /_})
-	local -a a=( ${x} )
-
-	a=( "${a[@]/#/\"}" )
-	a=( "${a[@]/%/\"}" )
-	echo "${a[*]//_/ }"
-}
-
-# void configure_variables(char *interface, char *option1, [char *option2])
-#
-# Maps configuration options from <variable>_<option> to <variable>_<iface>
-# option2 takes precedence over option1
-configure_variables() {
-	local iface="$1" option1="$2" option2="$3"
-
-	local mod= func= x= i=
-	local -a ivars=() ovars1=() ovars2=()
-	local ifvar=$(bash_variable "${iface}")
-
-	for mod in ${MODULES[@]}; do
-		is_function ${mod}_variables || continue
-		for v in $(${mod}_variables) ; do
-			x=
-			[[ -n ${option2} ]] && x="${v}_${option2}[@]"
-			[[ -z ${!x} ]] && x="${v}_${option1}[@]"
-			[[ -n ${!x} ]] && eval "${v}_${ifvar}=( \"\${!x}\" )"
-		done
-	done
-
-	return 0
-}
-# bool module_load_minimum(char *module)
-#
-# Does the minimum checking on a module - even when forcing
-module_load_minimum() {
-	local f="$1.sh" MODULE="${1##*/}"
-
-	if [[ ! -f ${f} ]] ; then
-		eerror "${f} does not exist"
-		return 1
-	fi
-
-	if ! source "${f}" ; then
-		eerror "${MODULE} failed a sanity check"
-		return 1
-	fi
-
-	for f in depend; do
-		is_function "${MODULE}_${f}" && continue
-		eerror "${MODULE}.sh does not support the required function ${f}"
-		return 1
-	done
-
-	return 0
-}
-
-# bool modules_load_auto()
-#
-# Load and check each module for sanity
-# If the module is not installed, the functions are to be removed
-modules_load_auto() {
-	local i j inst
-
-	# Populate the MODULES array
-	# Basically we treat evey file in ${MODULES_DIR} as a module
-	MODULES=( $( cd "${MODULES_DIR}" ; ls *.sh ) )
-	j="${#MODULES[@]}"
-	for (( i=0; i<j; i++ )); do
-		MODULES[i]="${MODULES_DIR}/${MODULES[i]}"
-		[[ ! -f ${MODULES[i]} ]] && unset MODULES[i]
-	done
-	MODULES=( "${MODULES[@]}" )
-
-	# Each of these sources into the global namespace, so it's
-	# important that module functions and variables are prefixed with
-	# the module name, for example iproute2_
-
-	j="${#MODULES[@]}"
-	loaded_interface=false
-	for (( i=0; i<j; i++ )); do
-		MODULES[i]="${MODULES[i]%.sh*}"
-		if [[ ${MODULES[i]##*/} == "interface" ]] ; then
-			eerror "interface is a reserved name - cannot load a module called interface"
-			return 1
-		fi
-		
-		(
-		u=0;
-		module_load_minimum "${MODULES[i]}" || u=1;
-		if [[ ${u} == 0 ]] ; then
-			inst="${MODULES[i]##*/}_check_installed";
-			if is_function "${inst}" ; then
-				${inst} false || u=1;
-			fi
-		fi
-		exit "${u}";
-		)
-
-		if [[ $? == 0 ]] ; then
-			source "${MODULES[i]}.sh"
-			MODULES[i]="${MODULES[i]##*/}"
-		else
-			unset MODULES[i]
-		fi
-	done
-
-	MODULES=( "${MODULES[@]}" )
-	return 0
-}
-
-# bool modules_check_installed(void)
-#
-# Ensure that all modules have the required modules loaded
-# This enables us to remove modules from the MODULES array
-# Whilst other modules can still explicitly call them
-# One example of this is essidnet which configures network
-# settings for the specific ESSID connected to as the user
-# may be using a daemon to configure wireless instead of our
-# iwconfig module
-modules_check_installed() {
-	local i j missingdeps nmods="${#MODULES[@]}"
-
-	for (( i=0; i<nmods; i++ )); do
-		is_function "${MODULES[i]}_instlled" || continue
-		for j in $( ${MODULES[i]}_instlled ); do
-			missingdeps=true
-			if is_function "${j}_check_installed" ; then
-				${j}_check_installed && missingdeps=false
-			elif is_function "${j}_depend" ; then
-				missingdeps=false
-			fi
-			${missingdeps} && unset MODULES[i] && unset PROVIDES[i] && break
-		done
-	done
-
-	MODULES=( "${MODULES[@]}" )
-	PROVIDES=( "${PROVIDES[@]}" )
-}
-
-# bool modules_check_user(void)
-modules_check_user() {
-	local iface="$1" ifvar=$(bash_variable "${IFACE}")
-	local i= j= k= l= nmods="${#MODULES[@]}"
-	local -a umods=()
-
-	# Has the interface got any specific modules?
-	umods="modules_${ifvar}[@]"
-	umods=( "${!umods}" )
-
-	# Global setting follows interface-specific setting
-	umods=( "${umods[@]}" "${modules[@]}" )
-
-	# Add our preferred modules
-	local -a pmods=( "iproute2" "dhcpcd" "iwconfig" "netplugd" )
-	umods=( "${umods[@]}" "${pmods[@]}" )
-
-	# First we strip any modules that conflict from user settings
-	# So if the user specifies pump then we don't use dhcpcd
-	for (( i=0; i<${#umods[@]}; i++ )); do
-		# Some users will inevitably put "dhcp" in their modules
-		# list.  To keep users from screwing up their system this
-		# way, ignore this setting so that the default dhcp
-		# module will be used.
-		[[ ${umods[i]} == "dhcp" ]] && continue
-
-		# We remove any modules we explicitly don't want
-		if [[ ${umods[i]} == "!"* ]] ; then
-			for (( j=0; j<nmods; j++ )); do
-				[[ -z ${MODULES[j]} ]] && continue
-				if [[ ${umods[i]:1} == "${MODULES[j]}" \
-					|| ${umods[i]:1} == "${PROVIDES[j]}" ]] ; then
-					# We may need to setup a class wrapper for it even though
-					# we don't use it directly
-					# However, we put it into an array and wrap later as
-					# another module may provide the same thing
-					${MODULES[j]}_check_installed \
-						&& WRAP_MODULES=(
-							"${WRAP_MODULES[@]}"
-							"${MODULES[j]} ${PROVIDES[j]}"
-						)
-					unset MODULES[j]
-					unset PROVIDES[j]
-				fi
-			done
-			continue
-		fi
-
-		if ! is_function "${umods[i]}_depend" ; then
-			# If the module is one of our preferred modules, then
-			# ignore this error; whatever is available will be
-			# used instead.
-			(( i < ${#umods[@]} - ${#pmods[@]} )) || continue
-
-			# The function may not exist because the modules software is
-			# not installed. Load the module and report its error
-			if [[ -e "${MODULES_DIR}/${umods[i]}.sh" ]] ; then
-				source "${MODULES_DIR}/${umods[i]}.sh"
-				is_function "${umods[i]}_check_installed" \
-					&& ${umods[i]}_check_installed true
-			else
-				eerror "The module \"${umods[i]}\" does not exist"
-			fi
-			return 1
-		fi
-
-		if is_function "${umods[i]}_provide" ; then
-			mod=$(${umods[i]}_provide)
-		else
-			mod="${umods[i]}"
-		fi
-		for (( j=0; j<nmods; j++ )); do
-			[[ -z ${MODULES[j]} ]] && continue
-			if [[ ${PROVIDES[j]} == "${mod}" && ${umods[i]} != "${MODULES[j]}" ]] ; then
-				# We don't have a match - now ensure that we still provide an
-				# alternative. This is to handle our preferred modules.
-				for (( l=0; l<nmods; l++ )); do
-					[[ ${l} == "${j}" || -z ${MODULES[l]} ]] && continue
-					if [[ ${PROVIDES[l]} == "${mod}" ]] ; then
-						unset MODULES[j]
-						unset PROVIDES[j]
-						break
-					fi
-				done
-			fi
-		done
-	done
-
-	# Then we strip conflicting modules.
-	# We only need to do this for 3rd party modules that conflict with
-	# our own modules and the preferred list AND the user modules
-	# list doesn't specify a preference.
-	for (( i=0; i<nmods-1; i++ )); do
-		[[ -z ${MODULES[i]} ]] && continue			
-		for (( j=i+1; j<nmods; j++)); do
-			[[ -z ${MODULES[j]} ]] && continue
-			[[ ${PROVIDES[i]} == "${PROVIDES[j]}" ]] \
-			&& unset MODULES[j] && unset PROVIDES[j]
-		done
-	done
-
-	MODULES=( "${MODULES[@]}" )
-	PROVIDES=( "${PROVIDES[@]}" )
-	return 0
-}
-
-# void modules_sort(void)
-#
-# Sort our modules
-modules_sort() {
-	local i= j= nmods=${#MODULES[@]} m=
-	local -a provide=() provide_list=() after=() dead=() sorted=() sortedp=()
-
-	# Make our provide list
-	for ((i=0; i<nmods; i++)); do
-		dead[i]="false"
-		if [[ ${MODULES[i]} != "${PROVIDES[i]}" ]] ; then
-			local provided=false
-			for ((j=0; j<${#provide[@]}; j++)); do
-				if [[ ${provide[j]} == "${PROVIDES[i]}" ]] ; then
-					provide_list[j]="${provide_list[j]} ${MODULES[i]}"
-					provided=true
-				fi
-			done
-			if ! ${provided}; then
-				provide[j]="${PROVIDES[i]}"
-				provide_list[j]="${MODULES[i]}"
-			fi
-		fi
-	done
-
-	# Create an after array, which holds which modules the module at
-	# index i must be after
-	for ((i=0; i<nmods; i++)); do
-		if is_function "${MODULES[i]}_after" ; then
-			after[i]=" ${after[i]} $(${MODULES[i]}_after) "
-		fi
-		if is_function "${MODULES[i]}_before" ; then
-			for m in $(${MODULES[i]}_before); do
-				for ((j=0; j<nmods; j++)) ; do
-					if [[ ${PROVIDES[j]} == "${m}" ]] ; then
-						after[j]=" ${after[j]} ${MODULES[i]} "
-						break
-					fi
-				done
-			done
-		fi
-	done
-
-	# Replace the after list modules with real modules
-	for ((i=0; i<nmods; i++)); do
-		if [[ -n ${after[i]} ]] ; then
-			for ((j=0; j<${#provide[@]}; j++)); do
-				after[i]="${after[i]// ${provide[j]} / ${provide_list[j]} }"
-			done
-		fi
-	done
-	
-	# We then use the below code to provide a topologial sort
-    module_after_visit() {
-        local name="$1" i= x=
-
-		for ((i=0; i<nmods; i++)); do
-			[[ ${MODULES[i]} == "$1" ]] && break
-		done
-
-        ${dead[i]} && return
-        dead[i]="true"
-
-        for x in ${after[i]} ; do
-            module_after_visit "${x}"
-        done
-
-        sorted=( "${sorted[@]}" "${MODULES[i]}" )
-		sortedp=( "${sortedp[@]}" "${PROVIDES[i]}" )
-    }
-
-	for x in ${MODULES[@]}; do
-		module_after_visit "${x}"
-	done
-
-	MODULES=( "${sorted[@]}" )
-	PROVIDES=( "${sortedp[@]}" )
-}
-
-# bool modules_check_depends(bool showprovides)
-modules_check_depends() {
-	local showprovides="${1:-false}" nmods="${#MODULES[@]}" i= j= needmod=
-	local missingdeps= p= interface=false
-
-	for (( i=0; i<nmods; i++ )); do
-		if is_function "${MODULES[i]}_need" ; then
-			for needmod in $(${MODULES[i]}_need); do
-				missingdeps=true
-				for (( j=0; j<nmods; j++ )); do
-					if [[ ${needmod} == "${MODULES[j]}" \
-						|| ${needmod} == "${PROVIDES[j]}" ]] ; then
-						missingdeps=false
-						break
-					fi
-				done
-				if ${missingdeps} ; then
-					eerror "${MODULES[i]} needs ${needmod} (dependency failure)"
-					return 1
-				fi
-			done
-		fi
-
-		if is_function "${MODULES[i]}_functions" ; then
-			for f in $(${MODULES[i]}_functions); do
-				if ! is_function "${f}" ; then
-					eerror "${MODULES[i]}: missing required function \"${f}\""
-					return 1
-				fi
-			done
-		fi
-
-		[[ ${PROVIDES[i]} == "interface" ]] && interface=true
-
-		if ${showprovides} ; then
-			[[ ${PROVIDES[i]} != "${MODULES[i]}" ]] \
-			&& veinfo "${MODULES[i]} provides ${PROVIDES[i]}"
-		fi
-	done
-
-	if ! ${interface} ; then
-		eerror "no interface module has been loaded"
-		return 1
-	fi
-
-	return 0
-}
-
-# bool modules_load(char *iface, bool starting)
-#
-# Loads the defined handler and modules for the interface
-# Returns 0 on success, otherwise 1
-modules_load()  {
-	local iface="$1" starting="${2:-true}" MODULE= p=false i= j= k=
-	local -a x=()
-	local RC_INDENTATION="${RC_INDENTATION}"
-	local -a PROVIDES=() WRAP_MODULES=()
-
-	if ! is_loopback "${iface}" ; then
-		x="modules_force_${iface}[@]"
-		[[ -n ${!x} ]] && modules_force=( "${!x}" )
-		if [[ -n ${modules_force} ]] ; then
-			ewarn "WARNING: You are forcing modules!"
-			ewarn "Do not complain or file bugs if things start breaking"
-			report=true
-		fi
-	fi
-
-	veinfo "Loading networking modules for ${iface}"
-	eindent
-
-	if [[ -z ${modules_force} ]] ; then
-		modules_load_auto || return 1
-	else
-		j="${#modules_force[@]}"
-		for (( i=0; i<j; i++ )); do
-			module_load_minimum "${MODULES_DIR}/${modules_force[i]}" || return 1
-			if is_function "${modules_force[i]}_check_installed" ; then
-				${modules_force[i]}_check_installed || unset modules_force[i]
-			fi
-		done
-		MODULES=( "${modules_force[@]}" )
-	fi
-
-	j="${#MODULES[@]}"
-	for (( i=0; i<j; i++ )); do
-		# Now load our dependencies - we need to use the MODULE variable
-		# here as the after/before/need functions use it
-		MODULE="${MODULES[i]}"
-		${MODULE}_depend
-
-		# expose does exactly the same thing as depend
-		# However it is more "correct" as it exposes things to other modules
-		# instead of depending on them ;)
-		is_function "${MODULES[i]}_expose" && ${MODULES[i]}_expose
-
-		# If no provide is given, assume module name
-		if is_function "${MODULES[i]}_provide" ; then
-			PROVIDES[i]=$(${MODULES[i]}_provide)
-		else
-			PROVIDES[i]="${MODULES[i]}"
-		fi
-	done
-
-	if [[ -n ${modules_force[@]} ]] ; then
-		# Strip any duplicate modules providing the same thing
-		j="${#MODULES[@]}"
-		for (( i=0; i<j-1; i++ )); do
-			[[ -z ${MODULES[i]} ]] && continue
-			for (( k=i+1; k<j; k++ )); do
-				if [[ ${PROVIDES[i]} == ${PROVIDES[k]} ]] ; then
-					unset MODULES[k]
-					unset PROVIDES[k]
-				fi
-			done
-		done
-		MODULES=( "${MODULES[@]}" )
-		PROVIDES=( "${PROVIDES[@]}" )
-	else
-		if ${starting}; then
-			modules_check_user "${iface}" || return 1
-		else
-			# Always prefer iproute2 for taking down interfaces
-			if is_function iproute2_provide ; then
-				function_wrap iproute2 "$(iproute2_provide)"
-			fi
-		fi
-	fi
-	
-	# Wrap our modules
-	j="${#MODULES[@]}"
-	for (( i=0; i<j; i++ )); do
-		function_wrap "${MODULES[i]}" "${PROVIDES[i]}"
-	done
-	j="${#WRAP_MODULES[@]}"
-	for (( i=0; i<j; i++ )); do
-		function_wrap ${WRAP_MODULES[i]}
-	done
-	
-	if [[ -z ${modules_force[@]} ]] ; then
-		modules_check_installed || return 1
-		modules_sort || return 1
-	fi
-
-	veinfo "modules: ${MODULES[@]}"
-	eindent
-
-	${starting} && p=true
-	modules_check_depends "${p}" || return 1
-	return 0
-}
-
-# bool iface_start(char *interface)
-#
-# iface_start is called from start.  It's expected to start the base
-# interface (for example "eth0"), aliases (for example "eth0:1") and to start
-# VLAN interfaces (for example eth0.0, eth0.1).  VLAN setup is accomplished by
-# calling itself recursively.
-iface_start() {
-	local iface="$1" mod config_counter="-1" x config_worked=false
-	local RC_INDENTATION="${RC_INDENTATION}"
-	local -a config=() fallback=() fallback_route=() conf=() a=() b=()
-	local ifvar=$(bash_variable "$1") i= j= metric=0
-
-	# pre Start any modules with
-	for mod in ${MODULES[@]}; do
-		if is_function "${mod}_pre_start" ; then
-			${mod}_pre_start "${iface}" || { eend 1; return 1; }
-		fi
-	done
-
-	x="metric_${ifvar}"
-	# If we don't have a metric then calculate one
-	# Our modules will set the metric variable to a suitable base
-	# in their pre starts.
-	if [[ -z ${!x} ]] ; then
-		eval "metric_${ifvar}=\"$(calculate_metric "${iface}" "${metric}")\""
-	fi
-
-	# We now expand the configuration parameters and pray that the
-	# fallbacks expand to the same number as config or there will be
-	# trouble!
-	a="config_${ifvar}[@]"
-	a=( "${!a}" )
-	for (( i=0; i<${#a[@]}; i++ )); do 
-		eval b=( $(expand_parameters "${a[i]}") )
-		config=( "${config[@]}" "${b[@]}" )
-	done
-
-	a="fallback_${ifvar}[@]"
-	a=( "${!a}" )
-	for (( i=0; i<${#a[@]}; i++ )); do 
-		eval b=( $(expand_parameters "${a[i]}") )
-		fallback=( "${fallback[@]}" "${b[@]}" )
-	done
-
-	# We don't expand routes
-	fallback_route="fallback_route_${ifvar}[@]"
-	fallback_route=( "${!fallback_route}" )
-	
-	# We must support old configs
-	if [[ -z ${config} ]] ; then
-		interface_get_old_config "${iface}" || return 1
-		if [[ -n ${config} ]] ; then
-			ewarn "You are using a deprecated configuration syntax for ${iface}"
-			ewarn "You are advised to read /etc/conf.d/net.example and upgrade it accordingly"
-		fi
-	fi
-
-	# Handle "noop" correctly
-	if [[ ${config[0]} == "noop" ]] ; then
-		if interface_is_up "${iface}" true ; then
-			einfo "Keeping current configuration for ${iface}"
-			eend 0
-			return 0
-		fi
-
-		# Remove noop from the config var
-		config=( "${config[@]:1}" )
-	fi
-
-	# Provide a default of DHCP if no configuration is set and we're auto
-	# Otherwise a default of NULL
-	if [[ -z ${config} ]] ; then
-		ewarn "Configuration not set for ${iface} - assuming DHCP"
-		if is_function "dhcp_start" ; then
-			config=( "dhcp" )
-		else
-			eerror "No DHCP client installed"
-			return 1
-		fi
-	fi
-
-	einfo "Bringing up ${iface}"
-	eindent
-	for (( config_counter=0; config_counter<${#config[@]}; config_counter++ )); do
-		# Handle null and noop correctly
-		if [[ ${config[config_counter]} == "null" \
-			|| ${config[config_counter]} == "noop" ]] ; then
-			eend 0
-			config_worked=true
-			continue
-		fi
-
-		# We convert it to an array - this has the added
-		# bonus of trimming spaces!
-		conf=( ${config[config_counter]} )
-		einfo "${conf[0]}"
-
-		# Do we have a function for our config?
-		if is_function "${conf[0]}_start" ; then
-			eindent
-			${conf[0]}_start "${iface}" ; x=$?
-			eoutdent
-			[[ ${x} == 0 ]] && config_worked=true && continue
-			# We need to test to see if it's an IP address or a function
-			# We do this by testing if the 1st character is a digit
-		elif [[ ${conf[0]:0:1} == [[:digit:]] || ${conf[0]} == *:* ]] ; then
-			x="0"
-			if ! is_loopback "${iface}" ; then
-				if [[ " ${MODULES[@]} " == *" arping "* ]] ; then
-					if arping_address_exists "${iface}" "${conf[0]}" ; then
-						eerror "${conf[0]%%/*} already taken on ${iface}"
-						x="1"
-					fi
-				fi
-			fi
-			[[ ${x} == "0" ]] && interface_add_address "${iface}" ${conf[@]}; x="$?"
-			eend "${x}" && config_worked=true && continue
-		else
-			if [[ ${conf[0]} == "dhcp" ]] ; then
-				eerror "No DHCP client installed"
-			else
-				eerror "No loaded modules provide \"${conf[0]}\" (${conf[0]}_start)"
-			fi
-		fi
-
-		if [[ -n ${fallback[config_counter]} ]] ; then
-			einfo "Trying fallback configuration"
-			config[config_counter]="${fallback[config_counter]}"
-			fallback[config_counter]=""
-
-			# Do we have a fallback route?
-			if [[ -n ${fallback_route[config_counter]} ]] ; then
-				x="fallback_route[config_counter]"
-				eval "routes_${ifvar}=( \"\${!x}\" )"
-				fallback_route[config_counter]=""
-			fi
-
-			(( config_counter-- )) # since the loop will increment it
-			continue
-		fi
-	done
-	eoutdent
-
-	# We return failure if no configuration parameters worked
-	${config_worked} || return 1
-
-	# Start any modules with _post_start
-	for mod in ${MODULES[@]}; do
-		if is_function "${mod}_post_start" ; then
-			${mod}_post_start "${iface}" || return 1
-		fi
-	done
-
-	return 0
-}
-
-# bool iface_stop(char *interface)
-#
-# iface_stop: bring down an interface.  Don't trust information in
-# /etc/conf.d/net since the configuration might have changed since
-# iface_start ran.  Instead query for current configuration and bring
-# down the interface.
-iface_stop() {
-	local iface="$1" i= aliases= need_begin=false mod=
-	local RC_INDENTATION="${RC_INDENTATION}"
-
-	# pre Stop any modules
-	for mod in ${MODULES[@]}; do
-		if is_function "${mod}_pre_stop" ; then
-			${mod}_pre_stop "${iface}" || return 1
-		fi
-	done
-
-	einfo "Bringing down ${iface}"
-	eindent
-
-	# Collect list of aliases for this interface.
-	# List will be in reverse order.
-	if interface_exists "${iface}" ; then
-		aliases=$(interface_get_aliases_rev "${iface}")
-	fi
-
-	# Stop aliases before primary interface.
-	# Note this must be done in reverse order, since ifconfig eth0:1 
-	# will remove eth0:2, etc.  It might be sufficient to simply remove 
-	# the base interface but we're being safe here.
-	for i in ${aliases} ${iface}; do
-		# Stop all our modules
-		for mod in ${MODULES[@]}; do
-			if is_function "${mod}_stop" ; then
-				${mod}_stop "${i}" || return 1
-			fi
-		done
-
-		# A module may have removed the interface
-		if ! interface_exists "${iface}" ; then
-			eend 0
-			continue
-		fi
-
-		# We don't delete ppp assigned addresses
-		if ! is_function pppd_exists || ! pppd_exists "${i}" ; then
-			# Delete all the addresses for this alias
-			interface_del_addresses "${i}"
-		fi
-
-		# Do final shut down of this alias
-		if [[ ${IN_BACKGROUND} != "true" \
-			&& ${RC_DOWN_INTERFACE} == "yes" ]] ; then
-			ebegin "Shutting down ${i}"
-			interface_iface_stop "${i}"
-			eend "$?"
-		fi
-	done
-
-	# post Stop any modules
-	for mod in ${MODULES[@]}; do
-		# We have already taken down the interface, so no need to error
-		is_function "${mod}_post_stop" && ${mod}_post_stop "${iface}"
-	done
-
-	return 0
-}
-
-# bool run_start(char *iface)
-#
-# Brings up ${IFACE}.  Calls preup, iface_start, then postup.
-# Returns 0 (success) unless preup or iface_start returns 1 (failure).
-# Ignores the return value from postup.
-# We cannot check that the device exists ourselves as modules like
-# tuntap make create it.
-run_start() {
-	local iface="$1" IFVAR=$(bash_variable "$1")
-
-	# We do this so users can specify additional addresses for lo if they
-	# need too - additional routes too
-	# However, no extra modules are loaded as they are just not needed
-	if [[ ${iface} == "lo" ]] ; then
-		metric_lo="0"
-		config_lo=( "127.0.0.1/8 brd 127.255.255.255" "${config_lo[@]}" )
-		routes_lo=( "127.0.0.0/8" "${routes_lo[@]}" )
-	elif [[ ${iface} == "lo0" ]] ; then
-		metric_lo0="0"
-		config_lo0=( "127.0.0.1/8 brd 127.255.255.255" "${config_lo[@]}" )
-		routes_lo0=( "127.0.0.0/8" "${routes_lo[@]}" )
-	fi
-
-	# We may not have a loaded module for ${iface}
-	# Some users may have "alias natsemi eth0" in /etc/modules.d/foo
-	# so we can work with this
-	# However, if they do the same with eth1 and try to start it
-	# but eth0 has not been loaded then the module gets loaded as
-	# eth0.
-	# Not much we can do about this :(
-	# Also, we cannot error here as some modules - such as bridge
-	# create interfaces
-	if ! interface_exists "${iface}" ; then
-		/sbin/modprobe "${iface}" &>/dev/null
-	fi
-
-	# Call user-defined preup function if it exists
-	if is_function preup ; then
-		einfo "Running preup function"
-		eindent
-		( preup "${iface}" )
-		eend "$?" "preup ${iface} failed" || return 1
-		eoutdent
-	fi
-
-	# If config is set to noop and the interface is up with an address
-	# then we don't start it
-	local config=
-	config="config_${IFVAR}[@]"
-	config=( "${!config}" )
-	if [[ ${config[0]} == "noop" ]] && interface_is_up "${iface}" true ; then
-		einfo "Keeping current configuration for ${iface}"
-		eend 0
-	else
-		# Remove noop from the config var
-		[[ ${config[0]} == "noop" ]] \
-			&& eval "config_${IFVAR}=( "\"\$\{config\[@\]:1\}\"" )"
-
-		# There may be existing ip address info - so we strip it
-		if [[ ${RC_INTERFACE_KEEP_CONFIG} != "yes" \
-			&& ${IN_BACKGROUND} != "true" ]] ; then
-			interface_del_addresses "${iface}"
-		fi
-
-		# Start the interface
-		if ! iface_start "${iface}" ; then
-			if [[ ${IN_BACKGROUND} != "true" ]] ; then
-				interface_exists "${iface}" && interface_down "${iface}"
-			fi
-			eend 1
-			return 1
-		fi
-	fi
-
-	# Call user-defined postup function if it exists
-	if is_function postup ; then
-		# We need to mark the service as started incase a
-		# postdown function wants to restart services that depend on us
-		mark_service_started "net.${iface}"
-		end_service "net.${iface}" 0
-		einfo "Running postup function"
-		eindent
-		( postup "${iface}" )
-		eoutdent
-	fi
-
-	return 0
-}
-
-# bool run_stop(char *iface) {
-#
-# Brings down ${iface}.  If predown call returns non-zero, then
-# stop returns non-zero to indicate failure bringing down device.
-# In all other cases stop returns 0 to indicate success.
-run_stop() {
-	local iface="$1" IFVAR=$(bash_variable "$1") x
-
-	# Load our ESSID variable so users can use it in predown() instead
-	# of having to write code.
-	local ESSID=$(get_options ESSID) ESSIDVAR=
-	[[ -n ${ESSID} ]] && ESSIDVAR=$(bash_variable "${ESSID}")
-
-	# Call user-defined predown function if it exists
-	if is_function predown ; then
-		einfo "Running predown function"
-		eindent
-		( predown "${iface}" )
-		eend $? "predown ${iface} failed" || return 1
-		eoutdent
-	elif is_net_fs / ; then
-		eerror "root filesystem is network mounted -- can't stop ${iface}"
-		return 1
-	elif is_union_fs / ; then
-		for x in $(unionctl "${dir}" --list \
-		| sed -e 's/^\(.*\) .*/\1/') ; do
-			if is_net_fs "${x}" ; then
-				eerror "Part of the root filesystem is network mounted - cannot stop ${iface}"
-				return 1
-			fi
-		done
-	fi
-
-	iface_stop "${iface}" || return 1  # always succeeds, btw
-
-	# Release resolv.conf information.
-	[[ -x /sbin/resolvconf ]] && resolvconf -d "${iface}"
-	
-	# Mark us as inactive if called from the background
-	[[ ${IN_BACKGROUND} == "true" ]] && mark_service_inactive "net.${iface}"
-
-	# Call user-defined postdown function if it exists
-	if is_function postdown ; then
-		# We need to mark the service as stopped incase a
-		# postdown function wants to restart services that depend on us
-		[[ ${IN_BACKGROUND} != "true" ]] && mark_service_stopped "net.${iface}"
-		end_service "net.${iface}" 0
-		einfo "Running postdown function"
-		eindent
-		( postdown "${iface}" )
-		eoutdent
-	fi
-
-
-	return 0
-}
-
-# bool run(char *iface, char *cmd)
-#
-# Main start/stop entry point
-# We load modules here and remove any functions that they
-# added as we may be called inside the same shell scope for another interface
-run() {
-	local iface="$1" cmd="$2" r=1 RC_INDENTATION="${RC_INDENTATION}"
-	local starting=true
-	local -a MODULES=() mods=()
-	local IN_BACKGROUND="${IN_BACKGROUND}"
-
-	if [[ ${IN_BACKGROUND} == "true" || ${IN_BACKGROUND} == "1" ]] ; then
-		IN_BACKGROUND=true
-	else
-		IN_BACKGROUND=false
-	fi
-
-	# We need to override the exit function as runscript.sh now checks
-	# for it. We need it so we can mark the service as inactive ourselves.
-	unset -f exit
-
-	eindent
-	[[ ${cmd} == "stop" ]] && starting=false
-
-	# We force lo to only use these modules for a major speed boost
-	if is_loopback "${iface}" ; then	
-		modules_force=( "iproute2" "ifconfig" "system" )
-	fi
-
-	if modules_load "${iface}" "${starting}" ; then
-		if [[ ${cmd} == "stop" ]] ; then
-			# Reverse the module list for stopping
-			mods=( "${MODULES[@]}" )
-			for ((i = 0; i < ${#mods[@]}; i++)); do
-				MODULES[i]=${mods[((${#mods[@]} - i - 1))]}
-			done
-
-			run_stop "${iface}" && r=0
-		else
-			# Only hotplug on ethernet interfaces
-			if [[ ${IN_HOTPLUG} == 1 ]] ; then
-				if ! interface_is_ethernet "${iface}" ; then
-					eerror "We only hotplug for ethernet interfaces"
-					return 1
-				fi
-			fi
-
-			run_start "${iface}" && r=0
-		fi
-	fi
-
-	if [[ ${r} != "0" ]] ; then
-		if [[ ${cmd} == "start" ]] ; then
-			# Call user-defined failup if it exists
-			if is_function failup ; then
-				einfo "Running failup function"
-				eindent
-				( failup "${iface}" )
-				eoutdent
-			fi
-		else
-			# Call user-defined faildown if it exists
-			if is_function faildown ; then
-				einfo "Running faildown function"
-				eindent
-				( faildown "${iface}" )
-				eoutdent
-			fi
-		fi
-		[[ ${IN_BACKGROUND} == "true" ]] \
-			&& mark_service_inactive "net.${iface}"
-	fi
-
-	return "${r}"
-}
-
-# bool start(void)
-#
-# Start entry point so that we only have one function
-# which localises variables and unsets functions
-start() {
-	declare -r IFACE="${SVCNAME#*.}"
-	einfo "Starting ${IFACE}"
-	run "${IFACE}" start
-}
-
-# bool stop(void)
-#
-# Stop entry point so that we only have one function
-# which localises variables and unsets functions
-stop() {
-	declare -r IFACE="${SVCNAME#*.}"
-	einfo "Stopping ${IFACE}"
-	run "${IFACE}" stop
-}
-
-# vim:ts=4
diff --git a/testing/hosts/carol/etc/conf.d/hostname b/testing/hosts/carol/etc/conf.d/hostname
deleted file mode 100644
index d5101b924..000000000
--- a/testing/hosts/carol/etc/conf.d/hostname
+++ /dev/null
@@ -1 +0,0 @@
-HOSTNAME=carol
diff --git a/testing/hosts/carol/etc/conf.d/net b/testing/hosts/carol/etc/conf.d/net
deleted file mode 100644
index f7f685942..000000000
--- a/testing/hosts/carol/etc/conf.d/net
+++ /dev/null
@@ -1,10 +0,0 @@
-# /etc/conf.d/net:
-
-# This is basically the ifconfig argument without the ifconfig $iface
-#
-config_eth0=( "PH_IP_CAROL broadcast 192.168.0.255 netmask 255.255.255.0"
-              "PH_IP6_CAROL/16" )
-
-# For setting the default gateway
-#
-routes_eth0=( "default via 192.168.0.254" )
diff --git a/testing/hosts/carol/etc/hostname b/testing/hosts/carol/etc/hostname
new file mode 100644
index 000000000..da4b06358
--- /dev/null
+++ b/testing/hosts/carol/etc/hostname
@@ -0,0 +1 @@
+carol
diff --git a/testing/hosts/carol/etc/init.d/iptables b/testing/hosts/carol/etc/init.d/iptables
deleted file mode 100755
index 6ff11a424..000000000
--- a/testing/hosts/carol/etc/init.d/iptables
+++ /dev/null
@@ -1,77 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	# allow esp
-	iptables -A INPUT  -i eth0 -p 50 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-	# allow IKE
-	iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
-	# allow MobIKE
-	iptables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-	# allow crl fetch from winnetou
-	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/hosts/carol/etc/init.d/net.eth0 b/testing/hosts/carol/etc/init.d/net.eth0
deleted file mode 100755
index 92b3851cf..000000000
--- a/testing/hosts/carol/etc/init.d/net.eth0
+++ /dev/null
@@ -1,1124 +0,0 @@
-#!/sbin/runscript
-# Copyright (c) 2004-2006 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-# Contributed by Roy Marples (uberlord@gentoo.org)
-# Many thanks to Aron Griffis (agriffis@gentoo.org)
-# for help, ideas and patches
-
-#NB: Config is in /etc/conf.d/net
-
-# For pcmcia users. note that pcmcia must be added to the same
-# runlevel as the net.* script that needs it.
-depend() {
-	need localmount
-	after bootmisc hostname
-	use isapnp isdn pcmcia usb wlan
-
-	# Load any custom depend functions for the given interface
-	# For example, br0 may need eth0 and eth1
-	local iface="${SVCNAME#*.}"
-	[[ $(type -t "depend_${iface}") == "function" ]] && depend_${iface}
-
-	if [[ ${iface} != "lo" && ${iface} != "lo0" ]] ; then
-		after net.lo net.lo0
-
-		# Support new style RC_NEED and RC_USE in one net file
-		local x="RC_NEED_${iface}"
-		[[ -n ${!x} ]] && need ${!x}
-		x="RC_USE_${iface}"
-		[[ -n ${!x} ]] && use ${!x}
-	fi
-
-	return 0
-}
-
-# Define where our modules are
-MODULES_DIR="${svclib}/net"
-
-# Make some wrappers to fudge after/before/need/use depend flags.
-# These are callbacks so MODULE will be set.
-after() {
-	eval "${MODULE}_after() { echo \"$*\"; }"
-}
-before() {
-	eval "${MODULE}_before() { echo \"$*\"; }"
-}
-need() {
-	eval "${MODULE}_need() { echo \"$*\"; }"
-}
-installed() {
-	# We deliberately misspell this as _installed will probably be used
-	# at some point
-	eval "${MODULE}_instlled() { echo \"$*\"; }"
-}
-provide() {
-	eval "${MODULE}_provide() { echo \"$*\"; }"
-}
-functions() {
-	eval "${MODULE}_functions() { echo \"$*\"; }"
-}
-variables() {
-	eval "${MODULE}_variables() { echo \"$*\"; }"
-}
-
-is_loopback() {
-	[[ $1 == "lo" || $1 == "lo0" ]]
-}
-
-# char* interface_device(char *iface)
-#
-# Gets the base device of the interface
-# Can handle eth0:1 and eth0.1
-# Which returns eth0 in this case
-interface_device() {
-	local dev="${1%%.*}"
-	[[ ${dev} == "$1" ]] && dev="${1%%:*}"
-	echo "${dev}"
-}
-
-# char* interface_type(char* iface)
-#
-# Returns the base type of the interface
-# eth, ippp, etc
-interface_type() {
-	echo "${1%%[0-9]*}"
-}
-
-# int calculate_metric(char *interface, int base)
-#
-# Calculates the best metric for the interface
-# We use this when we add routes so we can prefer interfaces over each other
-calculate_metric() {
-	local iface="$1" metric="$2"
-
-	# Have we already got a metric?
-	local m=$(awk '$1=="'${iface}'" && $2=="00000000" { print $7 }' \
-		/proc/net/route)
-	if [[ -n ${m} ]] ; then
-		echo "${m}"
-		return 0
-	fi
-
-	local i= dest= gw= flags= ref= u= m= mtu= metrics=
-	while read i dest gw flags ref u m mtu ; do
-		# Ignore lo
-		is_loopback "${i}" && continue
-		# We work out metrics from default routes only
-		[[ ${dest} != "00000000" || ${gw} == "00000000" ]] && continue
-		metrics="${metrics}\n${m}"
-	done < /proc/net/route
-
-	# Now, sort our metrics
-	metrics=$(echo -e "${metrics}" | sort -n)
-
-	# Now, find the lowest we can use
-	local gotbase=false
-	for m in ${metrics} ; do
-		[[ ${m} -lt ${metric} ]] && continue
-		[[ ${m} == ${metric} ]] && ((metric++))
-		[[ ${m} -gt ${metric} ]] && break
-	done
-	
-	echo "${metric}"
-}
-
-# int netmask2cidr(char *netmask)
-#
-# Returns the CIDR of a given netmask
-netmask2cidr() {
-	local binary= i= bin=
-
-	for i in ${1//./ }; do
-		bin=""
-		while [[ ${i} != "0" ]] ; do
-			bin=$[${i}%2]${bin}
-			(( i=i>>1 ))
-		done
-		binary="${binary}${bin}"
-	done
-	binary="${binary%%0*}"
-	echo "${#binary}"
-}
-
-
-# bool is_function(char* name)
-#
-# Returns 0 if the given name is a shell function, otherwise 1
-is_function() {
-	[[ -z $1 ]] && return 1
-	[[ $(type -t "$1") == "function" ]]
-}
-
-# void function_wrap(char* source, char* target)
-#
-# wraps function calls - for example function_wrap(this, that)
-# maps function names this_* to that_*
-function_wrap() {
-	local i=
-
-	is_function "${2}_depend" && return
-
-	for i in $(typeset -f | grep -o '^'"${1}"'_[^ ]*'); do
-		eval "${2}${i#${1}}() { ${i} \"\$@\"; }"
-	done
-}
-
-# char[] * expand_parameters(char *cmd)
-#
-# Returns an array after expanding parameters. For example
-# "192.168.{1..3}.{1..3}/24 brd +"
-# will return
-# "192.168.1.1/24 brd +"
-# "192.168.1.2/24 brd +"
-# "192.168.1.3/24 brd +"
-# "192.168.2.1/24 brd +"
-# "192.168.2.2/24 brd +"
-# "192.168.2.3/24 brd +"
-# "192.168.3.1/24 brd +"
-# "192.168.3.2/24 brd +"
-# "192.168.3.3/24 brd +"
-expand_parameters() {
-	local x=$(eval echo ${@// /_})
-	local -a a=( ${x} )
-
-	a=( "${a[@]/#/\"}" )
-	a=( "${a[@]/%/\"}" )
-	echo "${a[*]//_/ }"
-}
-
-# void configure_variables(char *interface, char *option1, [char *option2])
-#
-# Maps configuration options from <variable>_<option> to <variable>_<iface>
-# option2 takes precedence over option1
-configure_variables() {
-	local iface="$1" option1="$2" option2="$3"
-
-	local mod= func= x= i=
-	local -a ivars=() ovars1=() ovars2=()
-	local ifvar=$(bash_variable "${iface}")
-
-	for mod in ${MODULES[@]}; do
-		is_function ${mod}_variables || continue
-		for v in $(${mod}_variables) ; do
-			x=
-			[[ -n ${option2} ]] && x="${v}_${option2}[@]"
-			[[ -z ${!x} ]] && x="${v}_${option1}[@]"
-			[[ -n ${!x} ]] && eval "${v}_${ifvar}=( \"\${!x}\" )"
-		done
-	done
-
-	return 0
-}
-# bool module_load_minimum(char *module)
-#
-# Does the minimum checking on a module - even when forcing
-module_load_minimum() {
-	local f="$1.sh" MODULE="${1##*/}"
-
-	if [[ ! -f ${f} ]] ; then
-		eerror "${f} does not exist"
-		return 1
-	fi
-
-	if ! source "${f}" ; then
-		eerror "${MODULE} failed a sanity check"
-		return 1
-	fi
-
-	for f in depend; do
-		is_function "${MODULE}_${f}" && continue
-		eerror "${MODULE}.sh does not support the required function ${f}"
-		return 1
-	done
-
-	return 0
-}
-
-# bool modules_load_auto()
-#
-# Load and check each module for sanity
-# If the module is not installed, the functions are to be removed
-modules_load_auto() {
-	local i j inst
-
-	# Populate the MODULES array
-	# Basically we treat evey file in ${MODULES_DIR} as a module
-	MODULES=( $( cd "${MODULES_DIR}" ; ls *.sh ) )
-	j="${#MODULES[@]}"
-	for (( i=0; i<j; i++ )); do
-		MODULES[i]="${MODULES_DIR}/${MODULES[i]}"
-		[[ ! -f ${MODULES[i]} ]] && unset MODULES[i]
-	done
-	MODULES=( "${MODULES[@]}" )
-
-	# Each of these sources into the global namespace, so it's
-	# important that module functions and variables are prefixed with
-	# the module name, for example iproute2_
-
-	j="${#MODULES[@]}"
-	loaded_interface=false
-	for (( i=0; i<j; i++ )); do
-		MODULES[i]="${MODULES[i]%.sh*}"
-		if [[ ${MODULES[i]##*/} == "interface" ]] ; then
-			eerror "interface is a reserved name - cannot load a module called interface"
-			return 1
-		fi
-		
-		(
-		u=0;
-		module_load_minimum "${MODULES[i]}" || u=1;
-		if [[ ${u} == 0 ]] ; then
-			inst="${MODULES[i]##*/}_check_installed";
-			if is_function "${inst}" ; then
-				${inst} false || u=1;
-			fi
-		fi
-		exit "${u}";
-		)
-
-		if [[ $? == 0 ]] ; then
-			source "${MODULES[i]}.sh"
-			MODULES[i]="${MODULES[i]##*/}"
-		else
-			unset MODULES[i]
-		fi
-	done
-
-	MODULES=( "${MODULES[@]}" )
-	return 0
-}
-
-# bool modules_check_installed(void)
-#
-# Ensure that all modules have the required modules loaded
-# This enables us to remove modules from the MODULES array
-# Whilst other modules can still explicitly call them
-# One example of this is essidnet which configures network
-# settings for the specific ESSID connected to as the user
-# may be using a daemon to configure wireless instead of our
-# iwconfig module
-modules_check_installed() {
-	local i j missingdeps nmods="${#MODULES[@]}"
-
-	for (( i=0; i<nmods; i++ )); do
-		is_function "${MODULES[i]}_instlled" || continue
-		for j in $( ${MODULES[i]}_instlled ); do
-			missingdeps=true
-			if is_function "${j}_check_installed" ; then
-				${j}_check_installed && missingdeps=false
-			elif is_function "${j}_depend" ; then
-				missingdeps=false
-			fi
-			${missingdeps} && unset MODULES[i] && unset PROVIDES[i] && break
-		done
-	done
-
-	MODULES=( "${MODULES[@]}" )
-	PROVIDES=( "${PROVIDES[@]}" )
-}
-
-# bool modules_check_user(void)
-modules_check_user() {
-	local iface="$1" ifvar=$(bash_variable "${IFACE}")
-	local i= j= k= l= nmods="${#MODULES[@]}"
-	local -a umods=()
-
-	# Has the interface got any specific modules?
-	umods="modules_${ifvar}[@]"
-	umods=( "${!umods}" )
-
-	# Global setting follows interface-specific setting
-	umods=( "${umods[@]}" "${modules[@]}" )
-
-	# Add our preferred modules
-	local -a pmods=( "iproute2" "dhcpcd" "iwconfig" "netplugd" )
-	umods=( "${umods[@]}" "${pmods[@]}" )
-
-	# First we strip any modules that conflict from user settings
-	# So if the user specifies pump then we don't use dhcpcd
-	for (( i=0; i<${#umods[@]}; i++ )); do
-		# Some users will inevitably put "dhcp" in their modules
-		# list.  To keep users from screwing up their system this
-		# way, ignore this setting so that the default dhcp
-		# module will be used.
-		[[ ${umods[i]} == "dhcp" ]] && continue
-
-		# We remove any modules we explicitly don't want
-		if [[ ${umods[i]} == "!"* ]] ; then
-			for (( j=0; j<nmods; j++ )); do
-				[[ -z ${MODULES[j]} ]] && continue
-				if [[ ${umods[i]:1} == "${MODULES[j]}" \
-					|| ${umods[i]:1} == "${PROVIDES[j]}" ]] ; then
-					# We may need to setup a class wrapper for it even though
-					# we don't use it directly
-					# However, we put it into an array and wrap later as
-					# another module may provide the same thing
-					${MODULES[j]}_check_installed \
-						&& WRAP_MODULES=(
-							"${WRAP_MODULES[@]}"
-							"${MODULES[j]} ${PROVIDES[j]}"
-						)
-					unset MODULES[j]
-					unset PROVIDES[j]
-				fi
-			done
-			continue
-		fi
-
-		if ! is_function "${umods[i]}_depend" ; then
-			# If the module is one of our preferred modules, then
-			# ignore this error; whatever is available will be
-			# used instead.
-			(( i < ${#umods[@]} - ${#pmods[@]} )) || continue
-
-			# The function may not exist because the modules software is
-			# not installed. Load the module and report its error
-			if [[ -e "${MODULES_DIR}/${umods[i]}.sh" ]] ; then
-				source "${MODULES_DIR}/${umods[i]}.sh"
-				is_function "${umods[i]}_check_installed" \
-					&& ${umods[i]}_check_installed true
-			else
-				eerror "The module \"${umods[i]}\" does not exist"
-			fi
-			return 1
-		fi
-
-		if is_function "${umods[i]}_provide" ; then
-			mod=$(${umods[i]}_provide)
-		else
-			mod="${umods[i]}"
-		fi
-		for (( j=0; j<nmods; j++ )); do
-			[[ -z ${MODULES[j]} ]] && continue
-			if [[ ${PROVIDES[j]} == "${mod}" && ${umods[i]} != "${MODULES[j]}" ]] ; then
-				# We don't have a match - now ensure that we still provide an
-				# alternative. This is to handle our preferred modules.
-				for (( l=0; l<nmods; l++ )); do
-					[[ ${l} == "${j}" || -z ${MODULES[l]} ]] && continue
-					if [[ ${PROVIDES[l]} == "${mod}" ]] ; then
-						unset MODULES[j]
-						unset PROVIDES[j]
-						break
-					fi
-				done
-			fi
-		done
-	done
-
-	# Then we strip conflicting modules.
-	# We only need to do this for 3rd party modules that conflict with
-	# our own modules and the preferred list AND the user modules
-	# list doesn't specify a preference.
-	for (( i=0; i<nmods-1; i++ )); do
-		[[ -z ${MODULES[i]} ]] && continue			
-		for (( j=i+1; j<nmods; j++)); do
-			[[ -z ${MODULES[j]} ]] && continue
-			[[ ${PROVIDES[i]} == "${PROVIDES[j]}" ]] \
-			&& unset MODULES[j] && unset PROVIDES[j]
-		done
-	done
-
-	MODULES=( "${MODULES[@]}" )
-	PROVIDES=( "${PROVIDES[@]}" )
-	return 0
-}
-
-# void modules_sort(void)
-#
-# Sort our modules
-modules_sort() {
-	local i= j= nmods=${#MODULES[@]} m=
-	local -a provide=() provide_list=() after=() dead=() sorted=() sortedp=()
-
-	# Make our provide list
-	for ((i=0; i<nmods; i++)); do
-		dead[i]="false"
-		if [[ ${MODULES[i]} != "${PROVIDES[i]}" ]] ; then
-			local provided=false
-			for ((j=0; j<${#provide[@]}; j++)); do
-				if [[ ${provide[j]} == "${PROVIDES[i]}" ]] ; then
-					provide_list[j]="${provide_list[j]} ${MODULES[i]}"
-					provided=true
-				fi
-			done
-			if ! ${provided}; then
-				provide[j]="${PROVIDES[i]}"
-				provide_list[j]="${MODULES[i]}"
-			fi
-		fi
-	done
-
-	# Create an after array, which holds which modules the module at
-	# index i must be after
-	for ((i=0; i<nmods; i++)); do
-		if is_function "${MODULES[i]}_after" ; then
-			after[i]=" ${after[i]} $(${MODULES[i]}_after) "
-		fi
-		if is_function "${MODULES[i]}_before" ; then
-			for m in $(${MODULES[i]}_before); do
-				for ((j=0; j<nmods; j++)) ; do
-					if [[ ${PROVIDES[j]} == "${m}" ]] ; then
-						after[j]=" ${after[j]} ${MODULES[i]} "
-						break
-					fi
-				done
-			done
-		fi
-	done
-
-	# Replace the after list modules with real modules
-	for ((i=0; i<nmods; i++)); do
-		if [[ -n ${after[i]} ]] ; then
-			for ((j=0; j<${#provide[@]}; j++)); do
-				after[i]="${after[i]// ${provide[j]} / ${provide_list[j]} }"
-			done
-		fi
-	done
-	
-	# We then use the below code to provide a topologial sort
-    module_after_visit() {
-        local name="$1" i= x=
-
-		for ((i=0; i<nmods; i++)); do
-			[[ ${MODULES[i]} == "$1" ]] && break
-		done
-
-        ${dead[i]} && return
-        dead[i]="true"
-
-        for x in ${after[i]} ; do
-            module_after_visit "${x}"
-        done
-
-        sorted=( "${sorted[@]}" "${MODULES[i]}" )
-		sortedp=( "${sortedp[@]}" "${PROVIDES[i]}" )
-    }
-
-	for x in ${MODULES[@]}; do
-		module_after_visit "${x}"
-	done
-
-	MODULES=( "${sorted[@]}" )
-	PROVIDES=( "${sortedp[@]}" )
-}
-
-# bool modules_check_depends(bool showprovides)
-modules_check_depends() {
-	local showprovides="${1:-false}" nmods="${#MODULES[@]}" i= j= needmod=
-	local missingdeps= p= interface=false
-
-	for (( i=0; i<nmods; i++ )); do
-		if is_function "${MODULES[i]}_need" ; then
-			for needmod in $(${MODULES[i]}_need); do
-				missingdeps=true
-				for (( j=0; j<nmods; j++ )); do
-					if [[ ${needmod} == "${MODULES[j]}" \
-						|| ${needmod} == "${PROVIDES[j]}" ]] ; then
-						missingdeps=false
-						break
-					fi
-				done
-				if ${missingdeps} ; then
-					eerror "${MODULES[i]} needs ${needmod} (dependency failure)"
-					return 1
-				fi
-			done
-		fi
-
-		if is_function "${MODULES[i]}_functions" ; then
-			for f in $(${MODULES[i]}_functions); do
-				if ! is_function "${f}" ; then
-					eerror "${MODULES[i]}: missing required function \"${f}\""
-					return 1
-				fi
-			done
-		fi
-
-		[[ ${PROVIDES[i]} == "interface" ]] && interface=true
-
-		if ${showprovides} ; then
-			[[ ${PROVIDES[i]} != "${MODULES[i]}" ]] \
-			&& veinfo "${MODULES[i]} provides ${PROVIDES[i]}"
-		fi
-	done
-
-	if ! ${interface} ; then
-		eerror "no interface module has been loaded"
-		return 1
-	fi
-
-	return 0
-}
-
-# bool modules_load(char *iface, bool starting)
-#
-# Loads the defined handler and modules for the interface
-# Returns 0 on success, otherwise 1
-modules_load()  {
-	local iface="$1" starting="${2:-true}" MODULE= p=false i= j= k=
-	local -a x=()
-	local RC_INDENTATION="${RC_INDENTATION}"
-	local -a PROVIDES=() WRAP_MODULES=()
-
-	if ! is_loopback "${iface}" ; then
-		x="modules_force_${iface}[@]"
-		[[ -n ${!x} ]] && modules_force=( "${!x}" )
-		if [[ -n ${modules_force} ]] ; then
-			ewarn "WARNING: You are forcing modules!"
-			ewarn "Do not complain or file bugs if things start breaking"
-			report=true
-		fi
-	fi
-
-	veinfo "Loading networking modules for ${iface}"
-	eindent
-
-	if [[ -z ${modules_force} ]] ; then
-		modules_load_auto || return 1
-	else
-		j="${#modules_force[@]}"
-		for (( i=0; i<j; i++ )); do
-			module_load_minimum "${MODULES_DIR}/${modules_force[i]}" || return 1
-			if is_function "${modules_force[i]}_check_installed" ; then
-				${modules_force[i]}_check_installed || unset modules_force[i]
-			fi
-		done
-		MODULES=( "${modules_force[@]}" )
-	fi
-
-	j="${#MODULES[@]}"
-	for (( i=0; i<j; i++ )); do
-		# Now load our dependencies - we need to use the MODULE variable
-		# here as the after/before/need functions use it
-		MODULE="${MODULES[i]}"
-		${MODULE}_depend
-
-		# expose does exactly the same thing as depend
-		# However it is more "correct" as it exposes things to other modules
-		# instead of depending on them ;)
-		is_function "${MODULES[i]}_expose" && ${MODULES[i]}_expose
-
-		# If no provide is given, assume module name
-		if is_function "${MODULES[i]}_provide" ; then
-			PROVIDES[i]=$(${MODULES[i]}_provide)
-		else
-			PROVIDES[i]="${MODULES[i]}"
-		fi
-	done
-
-	if [[ -n ${modules_force[@]} ]] ; then
-		# Strip any duplicate modules providing the same thing
-		j="${#MODULES[@]}"
-		for (( i=0; i<j-1; i++ )); do
-			[[ -z ${MODULES[i]} ]] && continue
-			for (( k=i+1; k<j; k++ )); do
-				if [[ ${PROVIDES[i]} == ${PROVIDES[k]} ]] ; then
-					unset MODULES[k]
-					unset PROVIDES[k]
-				fi
-			done
-		done
-		MODULES=( "${MODULES[@]}" )
-		PROVIDES=( "${PROVIDES[@]}" )
-	else
-		if ${starting}; then
-			modules_check_user "${iface}" || return 1
-		else
-			# Always prefer iproute2 for taking down interfaces
-			if is_function iproute2_provide ; then
-				function_wrap iproute2 "$(iproute2_provide)"
-			fi
-		fi
-	fi
-	
-	# Wrap our modules
-	j="${#MODULES[@]}"
-	for (( i=0; i<j; i++ )); do
-		function_wrap "${MODULES[i]}" "${PROVIDES[i]}"
-	done
-	j="${#WRAP_MODULES[@]}"
-	for (( i=0; i<j; i++ )); do
-		function_wrap ${WRAP_MODULES[i]}
-	done
-	
-	if [[ -z ${modules_force[@]} ]] ; then
-		modules_check_installed || return 1
-		modules_sort || return 1
-	fi
-
-	veinfo "modules: ${MODULES[@]}"
-	eindent
-
-	${starting} && p=true
-	modules_check_depends "${p}" || return 1
-	return 0
-}
-
-# bool iface_start(char *interface)
-#
-# iface_start is called from start.  It's expected to start the base
-# interface (for example "eth0"), aliases (for example "eth0:1") and to start
-# VLAN interfaces (for example eth0.0, eth0.1).  VLAN setup is accomplished by
-# calling itself recursively.
-iface_start() {
-	local iface="$1" mod config_counter="-1" x config_worked=false
-	local RC_INDENTATION="${RC_INDENTATION}"
-	local -a config=() fallback=() fallback_route=() conf=() a=() b=()
-	local ifvar=$(bash_variable "$1") i= j= metric=0
-
-	# pre Start any modules with
-	for mod in ${MODULES[@]}; do
-		if is_function "${mod}_pre_start" ; then
-			${mod}_pre_start "${iface}" || { eend 1; return 1; }
-		fi
-	done
-
-	x="metric_${ifvar}"
-	# If we don't have a metric then calculate one
-	# Our modules will set the metric variable to a suitable base
-	# in their pre starts.
-	if [[ -z ${!x} ]] ; then
-		eval "metric_${ifvar}=\"$(calculate_metric "${iface}" "${metric}")\""
-	fi
-
-	# We now expand the configuration parameters and pray that the
-	# fallbacks expand to the same number as config or there will be
-	# trouble!
-	a="config_${ifvar}[@]"
-	a=( "${!a}" )
-	for (( i=0; i<${#a[@]}; i++ )); do 
-		eval b=( $(expand_parameters "${a[i]}") )
-		config=( "${config[@]}" "${b[@]}" )
-	done
-
-	a="fallback_${ifvar}[@]"
-	a=( "${!a}" )
-	for (( i=0; i<${#a[@]}; i++ )); do 
-		eval b=( $(expand_parameters "${a[i]}") )
-		fallback=( "${fallback[@]}" "${b[@]}" )
-	done
-
-	# We don't expand routes
-	fallback_route="fallback_route_${ifvar}[@]"
-	fallback_route=( "${!fallback_route}" )
-	
-	# We must support old configs
-	if [[ -z ${config} ]] ; then
-		interface_get_old_config "${iface}" || return 1
-		if [[ -n ${config} ]] ; then
-			ewarn "You are using a deprecated configuration syntax for ${iface}"
-			ewarn "You are advised to read /etc/conf.d/net.example and upgrade it accordingly"
-		fi
-	fi
-
-	# Handle "noop" correctly
-	if [[ ${config[0]} == "noop" ]] ; then
-		if interface_is_up "${iface}" true ; then
-			einfo "Keeping current configuration for ${iface}"
-			eend 0
-			return 0
-		fi
-
-		# Remove noop from the config var
-		config=( "${config[@]:1}" )
-	fi
-
-	# Provide a default of DHCP if no configuration is set and we're auto
-	# Otherwise a default of NULL
-	if [[ -z ${config} ]] ; then
-		ewarn "Configuration not set for ${iface} - assuming DHCP"
-		if is_function "dhcp_start" ; then
-			config=( "dhcp" )
-		else
-			eerror "No DHCP client installed"
-			return 1
-		fi
-	fi
-
-	einfo "Bringing up ${iface}"
-	eindent
-	for (( config_counter=0; config_counter<${#config[@]}; config_counter++ )); do
-		# Handle null and noop correctly
-		if [[ ${config[config_counter]} == "null" \
-			|| ${config[config_counter]} == "noop" ]] ; then
-			eend 0
-			config_worked=true
-			continue
-		fi
-
-		# We convert it to an array - this has the added
-		# bonus of trimming spaces!
-		conf=( ${config[config_counter]} )
-		einfo "${conf[0]}"
-
-		# Do we have a function for our config?
-		if is_function "${conf[0]}_start" ; then
-			eindent
-			${conf[0]}_start "${iface}" ; x=$?
-			eoutdent
-			[[ ${x} == 0 ]] && config_worked=true && continue
-			# We need to test to see if it's an IP address or a function
-			# We do this by testing if the 1st character is a digit
-		elif [[ ${conf[0]:0:1} == [[:digit:]] || ${conf[0]} == *:* ]] ; then
-			x="0"
-			if ! is_loopback "${iface}" ; then
-				if [[ " ${MODULES[@]} " == *" arping "* ]] ; then
-					if arping_address_exists "${iface}" "${conf[0]}" ; then
-						eerror "${conf[0]%%/*} already taken on ${iface}"
-						x="1"
-					fi
-				fi
-			fi
-			[[ ${x} == "0" ]] && interface_add_address "${iface}" ${conf[@]}; x="$?"
-			eend "${x}" && config_worked=true && continue
-		else
-			if [[ ${conf[0]} == "dhcp" ]] ; then
-				eerror "No DHCP client installed"
-			else
-				eerror "No loaded modules provide \"${conf[0]}\" (${conf[0]}_start)"
-			fi
-		fi
-
-		if [[ -n ${fallback[config_counter]} ]] ; then
-			einfo "Trying fallback configuration"
-			config[config_counter]="${fallback[config_counter]}"
-			fallback[config_counter]=""
-
-			# Do we have a fallback route?
-			if [[ -n ${fallback_route[config_counter]} ]] ; then
-				x="fallback_route[config_counter]"
-				eval "routes_${ifvar}=( \"\${!x}\" )"
-				fallback_route[config_counter]=""
-			fi
-
-			(( config_counter-- )) # since the loop will increment it
-			continue
-		fi
-	done
-	eoutdent
-
-	# We return failure if no configuration parameters worked
-	${config_worked} || return 1
-
-	# Start any modules with _post_start
-	for mod in ${MODULES[@]}; do
-		if is_function "${mod}_post_start" ; then
-			${mod}_post_start "${iface}" || return 1
-		fi
-	done
-
-	return 0
-}
-
-# bool iface_stop(char *interface)
-#
-# iface_stop: bring down an interface.  Don't trust information in
-# /etc/conf.d/net since the configuration might have changed since
-# iface_start ran.  Instead query for current configuration and bring
-# down the interface.
-iface_stop() {
-	local iface="$1" i= aliases= need_begin=false mod=
-	local RC_INDENTATION="${RC_INDENTATION}"
-
-	# pre Stop any modules
-	for mod in ${MODULES[@]}; do
-		if is_function "${mod}_pre_stop" ; then
-			${mod}_pre_stop "${iface}" || return 1
-		fi
-	done
-
-	einfo "Bringing down ${iface}"
-	eindent
-
-	# Collect list of aliases for this interface.
-	# List will be in reverse order.
-	if interface_exists "${iface}" ; then
-		aliases=$(interface_get_aliases_rev "${iface}")
-	fi
-
-	# Stop aliases before primary interface.
-	# Note this must be done in reverse order, since ifconfig eth0:1 
-	# will remove eth0:2, etc.  It might be sufficient to simply remove 
-	# the base interface but we're being safe here.
-	for i in ${aliases} ${iface}; do
-		# Stop all our modules
-		for mod in ${MODULES[@]}; do
-			if is_function "${mod}_stop" ; then
-				${mod}_stop "${i}" || return 1
-			fi
-		done
-
-		# A module may have removed the interface
-		if ! interface_exists "${iface}" ; then
-			eend 0
-			continue
-		fi
-
-		# We don't delete ppp assigned addresses
-		if ! is_function pppd_exists || ! pppd_exists "${i}" ; then
-			# Delete all the addresses for this alias
-			interface_del_addresses "${i}"
-		fi
-
-		# Do final shut down of this alias
-		if [[ ${IN_BACKGROUND} != "true" \
-			&& ${RC_DOWN_INTERFACE} == "yes" ]] ; then
-			ebegin "Shutting down ${i}"
-			interface_iface_stop "${i}"
-			eend "$?"
-		fi
-	done
-
-	# post Stop any modules
-	for mod in ${MODULES[@]}; do
-		# We have already taken down the interface, so no need to error
-		is_function "${mod}_post_stop" && ${mod}_post_stop "${iface}"
-	done
-
-	return 0
-}
-
-# bool run_start(char *iface)
-#
-# Brings up ${IFACE}.  Calls preup, iface_start, then postup.
-# Returns 0 (success) unless preup or iface_start returns 1 (failure).
-# Ignores the return value from postup.
-# We cannot check that the device exists ourselves as modules like
-# tuntap make create it.
-run_start() {
-	local iface="$1" IFVAR=$(bash_variable "$1")
-
-	# We do this so users can specify additional addresses for lo if they
-	# need too - additional routes too
-	# However, no extra modules are loaded as they are just not needed
-	if [[ ${iface} == "lo" ]] ; then
-		metric_lo="0"
-		config_lo=( "127.0.0.1/8 brd 127.255.255.255" "${config_lo[@]}" )
-		routes_lo=( "127.0.0.0/8" "${routes_lo[@]}" )
-	elif [[ ${iface} == "lo0" ]] ; then
-		metric_lo0="0"
-		config_lo0=( "127.0.0.1/8 brd 127.255.255.255" "${config_lo[@]}" )
-		routes_lo0=( "127.0.0.0/8" "${routes_lo[@]}" )
-	fi
-
-	# We may not have a loaded module for ${iface}
-	# Some users may have "alias natsemi eth0" in /etc/modules.d/foo
-	# so we can work with this
-	# However, if they do the same with eth1 and try to start it
-	# but eth0 has not been loaded then the module gets loaded as
-	# eth0.
-	# Not much we can do about this :(
-	# Also, we cannot error here as some modules - such as bridge
-	# create interfaces
-	if ! interface_exists "${iface}" ; then
-		/sbin/modprobe "${iface}" &>/dev/null
-	fi
-
-	# Call user-defined preup function if it exists
-	if is_function preup ; then
-		einfo "Running preup function"
-		eindent
-		( preup "${iface}" )
-		eend "$?" "preup ${iface} failed" || return 1
-		eoutdent
-	fi
-
-	# If config is set to noop and the interface is up with an address
-	# then we don't start it
-	local config=
-	config="config_${IFVAR}[@]"
-	config=( "${!config}" )
-	if [[ ${config[0]} == "noop" ]] && interface_is_up "${iface}" true ; then
-		einfo "Keeping current configuration for ${iface}"
-		eend 0
-	else
-		# Remove noop from the config var
-		[[ ${config[0]} == "noop" ]] \
-			&& eval "config_${IFVAR}=( "\"\$\{config\[@\]:1\}\"" )"
-
-		# There may be existing ip address info - so we strip it
-		if [[ ${RC_INTERFACE_KEEP_CONFIG} != "yes" \
-			&& ${IN_BACKGROUND} != "true" ]] ; then
-			interface_del_addresses "${iface}"
-		fi
-
-		# Start the interface
-		if ! iface_start "${iface}" ; then
-			if [[ ${IN_BACKGROUND} != "true" ]] ; then
-				interface_exists "${iface}" && interface_down "${iface}"
-			fi
-			eend 1
-			return 1
-		fi
-	fi
-
-	# Call user-defined postup function if it exists
-	if is_function postup ; then
-		# We need to mark the service as started incase a
-		# postdown function wants to restart services that depend on us
-		mark_service_started "net.${iface}"
-		end_service "net.${iface}" 0
-		einfo "Running postup function"
-		eindent
-		( postup "${iface}" )
-		eoutdent
-	fi
-
-	return 0
-}
-
-# bool run_stop(char *iface) {
-#
-# Brings down ${iface}.  If predown call returns non-zero, then
-# stop returns non-zero to indicate failure bringing down device.
-# In all other cases stop returns 0 to indicate success.
-run_stop() {
-	local iface="$1" IFVAR=$(bash_variable "$1") x
-
-	# Load our ESSID variable so users can use it in predown() instead
-	# of having to write code.
-	local ESSID=$(get_options ESSID) ESSIDVAR=
-	[[ -n ${ESSID} ]] && ESSIDVAR=$(bash_variable "${ESSID}")
-
-	# Call user-defined predown function if it exists
-	if is_function predown ; then
-		einfo "Running predown function"
-		eindent
-		( predown "${iface}" )
-		eend $? "predown ${iface} failed" || return 1
-		eoutdent
-	elif is_net_fs / ; then
-		eerror "root filesystem is network mounted -- can't stop ${iface}"
-		return 1
-	elif is_union_fs / ; then
-		for x in $(unionctl "${dir}" --list \
-		| sed -e 's/^\(.*\) .*/\1/') ; do
-			if is_net_fs "${x}" ; then
-				eerror "Part of the root filesystem is network mounted - cannot stop ${iface}"
-				return 1
-			fi
-		done
-	fi
-
-	iface_stop "${iface}" || return 1  # always succeeds, btw
-
-	# Release resolv.conf information.
-	[[ -x /sbin/resolvconf ]] && resolvconf -d "${iface}"
-	
-	# Mark us as inactive if called from the background
-	[[ ${IN_BACKGROUND} == "true" ]] && mark_service_inactive "net.${iface}"
-
-	# Call user-defined postdown function if it exists
-	if is_function postdown ; then
-		# We need to mark the service as stopped incase a
-		# postdown function wants to restart services that depend on us
-		[[ ${IN_BACKGROUND} != "true" ]] && mark_service_stopped "net.${iface}"
-		end_service "net.${iface}" 0
-		einfo "Running postdown function"
-		eindent
-		( postdown "${iface}" )
-		eoutdent
-	fi
-
-
-	return 0
-}
-
-# bool run(char *iface, char *cmd)
-#
-# Main start/stop entry point
-# We load modules here and remove any functions that they
-# added as we may be called inside the same shell scope for another interface
-run() {
-	local iface="$1" cmd="$2" r=1 RC_INDENTATION="${RC_INDENTATION}"
-	local starting=true
-	local -a MODULES=() mods=()
-	local IN_BACKGROUND="${IN_BACKGROUND}"
-
-	if [[ ${IN_BACKGROUND} == "true" || ${IN_BACKGROUND} == "1" ]] ; then
-		IN_BACKGROUND=true
-	else
-		IN_BACKGROUND=false
-	fi
-
-	# We need to override the exit function as runscript.sh now checks
-	# for it. We need it so we can mark the service as inactive ourselves.
-	unset -f exit
-
-	eindent
-	[[ ${cmd} == "stop" ]] && starting=false
-
-	# We force lo to only use these modules for a major speed boost
-	if is_loopback "${iface}" ; then	
-		modules_force=( "iproute2" "ifconfig" "system" )
-	fi
-
-	if modules_load "${iface}" "${starting}" ; then
-		if [[ ${cmd} == "stop" ]] ; then
-			# Reverse the module list for stopping
-			mods=( "${MODULES[@]}" )
-			for ((i = 0; i < ${#mods[@]}; i++)); do
-				MODULES[i]=${mods[((${#mods[@]} - i - 1))]}
-			done
-
-			run_stop "${iface}" && r=0
-		else
-			# Only hotplug on ethernet interfaces
-			if [[ ${IN_HOTPLUG} == 1 ]] ; then
-				if ! interface_is_ethernet "${iface}" ; then
-					eerror "We only hotplug for ethernet interfaces"
-					return 1
-				fi
-			fi
-
-			run_start "${iface}" && r=0
-		fi
-	fi
-
-	if [[ ${r} != "0" ]] ; then
-		if [[ ${cmd} == "start" ]] ; then
-			# Call user-defined failup if it exists
-			if is_function failup ; then
-				einfo "Running failup function"
-				eindent
-				( failup "${iface}" )
-				eoutdent
-			fi
-		else
-			# Call user-defined faildown if it exists
-			if is_function faildown ; then
-				einfo "Running faildown function"
-				eindent
-				( faildown "${iface}" )
-				eoutdent
-			fi
-		fi
-		[[ ${IN_BACKGROUND} == "true" ]] \
-			&& mark_service_inactive "net.${iface}"
-	fi
-
-	return "${r}"
-}
-
-# bool start(void)
-#
-# Start entry point so that we only have one function
-# which localises variables and unsets functions
-start() {
-	declare -r IFACE="${SVCNAME#*.}"
-	einfo "Starting ${IFACE}"
-	run "${IFACE}" start
-}
-
-# bool stop(void)
-#
-# Stop entry point so that we only have one function
-# which localises variables and unsets functions
-stop() {
-	declare -r IFACE="${SVCNAME#*.}"
-	einfo "Stopping ${IFACE}"
-	run "${IFACE}" stop
-}
-
-# vim:ts=4
diff --git a/testing/hosts/carol/etc/ipsec.conf b/testing/hosts/carol/etc/ipsec.conf
old mode 100755
new mode 100644
index 0848ee716..d2d481b68
--- a/testing/hosts/carol/etc/ipsec.conf
+++ b/testing/hosts/carol/etc/ipsec.conf
@@ -9,11 +9,11 @@ conn %default
 	keyingtries=1
 
 conn home
-	left=PH_IP_CAROL
+	left=192.168.0.100
 	leftcert=carolCert.pem
 	leftid=carol@strongswan.org
 	leftfirewall=yes
-	right=PH_IP_MOON
+	right=192.168.0.1
 	rightsubnet=10.1.0.0/16
 	rightid=@moon.strongswan.org
 	auto=add
diff --git a/testing/hosts/carol/etc/network/interfaces b/testing/hosts/carol/etc/network/interfaces
new file mode 100644
index 000000000..67bc73359
--- /dev/null
+++ b/testing/hosts/carol/etc/network/interfaces
@@ -0,0 +1,12 @@
+auto lo
+iface lo inet loopback
+
+auto eth0
+iface eth0 inet static
+	address 192.168.0.100
+	netmask 255.255.255.0
+	broadcast 192.168.0.255
+	gateway 192.168.0.254
+iface eth0 inet6 static
+	address fec0::10
+	netmask 16
diff --git a/testing/hosts/carol/etc/runlevels/default/net.eth0 b/testing/hosts/carol/etc/runlevels/default/net.eth0
deleted file mode 100755
index 92b3851cf..000000000
--- a/testing/hosts/carol/etc/runlevels/default/net.eth0
+++ /dev/null
@@ -1,1124 +0,0 @@
-#!/sbin/runscript
-# Copyright (c) 2004-2006 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-# Contributed by Roy Marples (uberlord@gentoo.org)
-# Many thanks to Aron Griffis (agriffis@gentoo.org)
-# for help, ideas and patches
-
-#NB: Config is in /etc/conf.d/net
-
-# For pcmcia users. note that pcmcia must be added to the same
-# runlevel as the net.* script that needs it.
-depend() {
-	need localmount
-	after bootmisc hostname
-	use isapnp isdn pcmcia usb wlan
-
-	# Load any custom depend functions for the given interface
-	# For example, br0 may need eth0 and eth1
-	local iface="${SVCNAME#*.}"
-	[[ $(type -t "depend_${iface}") == "function" ]] && depend_${iface}
-
-	if [[ ${iface} != "lo" && ${iface} != "lo0" ]] ; then
-		after net.lo net.lo0
-
-		# Support new style RC_NEED and RC_USE in one net file
-		local x="RC_NEED_${iface}"
-		[[ -n ${!x} ]] && need ${!x}
-		x="RC_USE_${iface}"
-		[[ -n ${!x} ]] && use ${!x}
-	fi
-
-	return 0
-}
-
-# Define where our modules are
-MODULES_DIR="${svclib}/net"
-
-# Make some wrappers to fudge after/before/need/use depend flags.
-# These are callbacks so MODULE will be set.
-after() {
-	eval "${MODULE}_after() { echo \"$*\"; }"
-}
-before() {
-	eval "${MODULE}_before() { echo \"$*\"; }"
-}
-need() {
-	eval "${MODULE}_need() { echo \"$*\"; }"
-}
-installed() {
-	# We deliberately misspell this as _installed will probably be used
-	# at some point
-	eval "${MODULE}_instlled() { echo \"$*\"; }"
-}
-provide() {
-	eval "${MODULE}_provide() { echo \"$*\"; }"
-}
-functions() {
-	eval "${MODULE}_functions() { echo \"$*\"; }"
-}
-variables() {
-	eval "${MODULE}_variables() { echo \"$*\"; }"
-}
-
-is_loopback() {
-	[[ $1 == "lo" || $1 == "lo0" ]]
-}
-
-# char* interface_device(char *iface)
-#
-# Gets the base device of the interface
-# Can handle eth0:1 and eth0.1
-# Which returns eth0 in this case
-interface_device() {
-	local dev="${1%%.*}"
-	[[ ${dev} == "$1" ]] && dev="${1%%:*}"
-	echo "${dev}"
-}
-
-# char* interface_type(char* iface)
-#
-# Returns the base type of the interface
-# eth, ippp, etc
-interface_type() {
-	echo "${1%%[0-9]*}"
-}
-
-# int calculate_metric(char *interface, int base)
-#
-# Calculates the best metric for the interface
-# We use this when we add routes so we can prefer interfaces over each other
-calculate_metric() {
-	local iface="$1" metric="$2"
-
-	# Have we already got a metric?
-	local m=$(awk '$1=="'${iface}'" && $2=="00000000" { print $7 }' \
-		/proc/net/route)
-	if [[ -n ${m} ]] ; then
-		echo "${m}"
-		return 0
-	fi
-
-	local i= dest= gw= flags= ref= u= m= mtu= metrics=
-	while read i dest gw flags ref u m mtu ; do
-		# Ignore lo
-		is_loopback "${i}" && continue
-		# We work out metrics from default routes only
-		[[ ${dest} != "00000000" || ${gw} == "00000000" ]] && continue
-		metrics="${metrics}\n${m}"
-	done < /proc/net/route
-
-	# Now, sort our metrics
-	metrics=$(echo -e "${metrics}" | sort -n)
-
-	# Now, find the lowest we can use
-	local gotbase=false
-	for m in ${metrics} ; do
-		[[ ${m} -lt ${metric} ]] && continue
-		[[ ${m} == ${metric} ]] && ((metric++))
-		[[ ${m} -gt ${metric} ]] && break
-	done
-	
-	echo "${metric}"
-}
-
-# int netmask2cidr(char *netmask)
-#
-# Returns the CIDR of a given netmask
-netmask2cidr() {
-	local binary= i= bin=
-
-	for i in ${1//./ }; do
-		bin=""
-		while [[ ${i} != "0" ]] ; do
-			bin=$[${i}%2]${bin}
-			(( i=i>>1 ))
-		done
-		binary="${binary}${bin}"
-	done
-	binary="${binary%%0*}"
-	echo "${#binary}"
-}
-
-
-# bool is_function(char* name)
-#
-# Returns 0 if the given name is a shell function, otherwise 1
-is_function() {
-	[[ -z $1 ]] && return 1
-	[[ $(type -t "$1") == "function" ]]
-}
-
-# void function_wrap(char* source, char* target)
-#
-# wraps function calls - for example function_wrap(this, that)
-# maps function names this_* to that_*
-function_wrap() {
-	local i=
-
-	is_function "${2}_depend" && return
-
-	for i in $(typeset -f | grep -o '^'"${1}"'_[^ ]*'); do
-		eval "${2}${i#${1}}() { ${i} \"\$@\"; }"
-	done
-}
-
-# char[] * expand_parameters(char *cmd)
-#
-# Returns an array after expanding parameters. For example
-# "192.168.{1..3}.{1..3}/24 brd +"
-# will return
-# "192.168.1.1/24 brd +"
-# "192.168.1.2/24 brd +"
-# "192.168.1.3/24 brd +"
-# "192.168.2.1/24 brd +"
-# "192.168.2.2/24 brd +"
-# "192.168.2.3/24 brd +"
-# "192.168.3.1/24 brd +"
-# "192.168.3.2/24 brd +"
-# "192.168.3.3/24 brd +"
-expand_parameters() {
-	local x=$(eval echo ${@// /_})
-	local -a a=( ${x} )
-
-	a=( "${a[@]/#/\"}" )
-	a=( "${a[@]/%/\"}" )
-	echo "${a[*]//_/ }"
-}
-
-# void configure_variables(char *interface, char *option1, [char *option2])
-#
-# Maps configuration options from <variable>_<option> to <variable>_<iface>
-# option2 takes precedence over option1
-configure_variables() {
-	local iface="$1" option1="$2" option2="$3"
-
-	local mod= func= x= i=
-	local -a ivars=() ovars1=() ovars2=()
-	local ifvar=$(bash_variable "${iface}")
-
-	for mod in ${MODULES[@]}; do
-		is_function ${mod}_variables || continue
-		for v in $(${mod}_variables) ; do
-			x=
-			[[ -n ${option2} ]] && x="${v}_${option2}[@]"
-			[[ -z ${!x} ]] && x="${v}_${option1}[@]"
-			[[ -n ${!x} ]] && eval "${v}_${ifvar}=( \"\${!x}\" )"
-		done
-	done
-
-	return 0
-}
-# bool module_load_minimum(char *module)
-#
-# Does the minimum checking on a module - even when forcing
-module_load_minimum() {
-	local f="$1.sh" MODULE="${1##*/}"
-
-	if [[ ! -f ${f} ]] ; then
-		eerror "${f} does not exist"
-		return 1
-	fi
-
-	if ! source "${f}" ; then
-		eerror "${MODULE} failed a sanity check"
-		return 1
-	fi
-
-	for f in depend; do
-		is_function "${MODULE}_${f}" && continue
-		eerror "${MODULE}.sh does not support the required function ${f}"
-		return 1
-	done
-
-	return 0
-}
-
-# bool modules_load_auto()
-#
-# Load and check each module for sanity
-# If the module is not installed, the functions are to be removed
-modules_load_auto() {
-	local i j inst
-
-	# Populate the MODULES array
-	# Basically we treat evey file in ${MODULES_DIR} as a module
-	MODULES=( $( cd "${MODULES_DIR}" ; ls *.sh ) )
-	j="${#MODULES[@]}"
-	for (( i=0; i<j; i++ )); do
-		MODULES[i]="${MODULES_DIR}/${MODULES[i]}"
-		[[ ! -f ${MODULES[i]} ]] && unset MODULES[i]
-	done
-	MODULES=( "${MODULES[@]}" )
-
-	# Each of these sources into the global namespace, so it's
-	# important that module functions and variables are prefixed with
-	# the module name, for example iproute2_
-
-	j="${#MODULES[@]}"
-	loaded_interface=false
-	for (( i=0; i<j; i++ )); do
-		MODULES[i]="${MODULES[i]%.sh*}"
-		if [[ ${MODULES[i]##*/} == "interface" ]] ; then
-			eerror "interface is a reserved name - cannot load a module called interface"
-			return 1
-		fi
-		
-		(
-		u=0;
-		module_load_minimum "${MODULES[i]}" || u=1;
-		if [[ ${u} == 0 ]] ; then
-			inst="${MODULES[i]##*/}_check_installed";
-			if is_function "${inst}" ; then
-				${inst} false || u=1;
-			fi
-		fi
-		exit "${u}";
-		)
-
-		if [[ $? == 0 ]] ; then
-			source "${MODULES[i]}.sh"
-			MODULES[i]="${MODULES[i]##*/}"
-		else
-			unset MODULES[i]
-		fi
-	done
-
-	MODULES=( "${MODULES[@]}" )
-	return 0
-}
-
-# bool modules_check_installed(void)
-#
-# Ensure that all modules have the required modules loaded
-# This enables us to remove modules from the MODULES array
-# Whilst other modules can still explicitly call them
-# One example of this is essidnet which configures network
-# settings for the specific ESSID connected to as the user
-# may be using a daemon to configure wireless instead of our
-# iwconfig module
-modules_check_installed() {
-	local i j missingdeps nmods="${#MODULES[@]}"
-
-	for (( i=0; i<nmods; i++ )); do
-		is_function "${MODULES[i]}_instlled" || continue
-		for j in $( ${MODULES[i]}_instlled ); do
-			missingdeps=true
-			if is_function "${j}_check_installed" ; then
-				${j}_check_installed && missingdeps=false
-			elif is_function "${j}_depend" ; then
-				missingdeps=false
-			fi
-			${missingdeps} && unset MODULES[i] && unset PROVIDES[i] && break
-		done
-	done
-
-	MODULES=( "${MODULES[@]}" )
-	PROVIDES=( "${PROVIDES[@]}" )
-}
-
-# bool modules_check_user(void)
-modules_check_user() {
-	local iface="$1" ifvar=$(bash_variable "${IFACE}")
-	local i= j= k= l= nmods="${#MODULES[@]}"
-	local -a umods=()
-
-	# Has the interface got any specific modules?
-	umods="modules_${ifvar}[@]"
-	umods=( "${!umods}" )
-
-	# Global setting follows interface-specific setting
-	umods=( "${umods[@]}" "${modules[@]}" )
-
-	# Add our preferred modules
-	local -a pmods=( "iproute2" "dhcpcd" "iwconfig" "netplugd" )
-	umods=( "${umods[@]}" "${pmods[@]}" )
-
-	# First we strip any modules that conflict from user settings
-	# So if the user specifies pump then we don't use dhcpcd
-	for (( i=0; i<${#umods[@]}; i++ )); do
-		# Some users will inevitably put "dhcp" in their modules
-		# list.  To keep users from screwing up their system this
-		# way, ignore this setting so that the default dhcp
-		# module will be used.
-		[[ ${umods[i]} == "dhcp" ]] && continue
-
-		# We remove any modules we explicitly don't want
-		if [[ ${umods[i]} == "!"* ]] ; then
-			for (( j=0; j<nmods; j++ )); do
-				[[ -z ${MODULES[j]} ]] && continue
-				if [[ ${umods[i]:1} == "${MODULES[j]}" \
-					|| ${umods[i]:1} == "${PROVIDES[j]}" ]] ; then
-					# We may need to setup a class wrapper for it even though
-					# we don't use it directly
-					# However, we put it into an array and wrap later as
-					# another module may provide the same thing
-					${MODULES[j]}_check_installed \
-						&& WRAP_MODULES=(
-							"${WRAP_MODULES[@]}"
-							"${MODULES[j]} ${PROVIDES[j]}"
-						)
-					unset MODULES[j]
-					unset PROVIDES[j]
-				fi
-			done
-			continue
-		fi
-
-		if ! is_function "${umods[i]}_depend" ; then
-			# If the module is one of our preferred modules, then
-			# ignore this error; whatever is available will be
-			# used instead.
-			(( i < ${#umods[@]} - ${#pmods[@]} )) || continue
-
-			# The function may not exist because the modules software is
-			# not installed. Load the module and report its error
-			if [[ -e "${MODULES_DIR}/${umods[i]}.sh" ]] ; then
-				source "${MODULES_DIR}/${umods[i]}.sh"
-				is_function "${umods[i]}_check_installed" \
-					&& ${umods[i]}_check_installed true
-			else
-				eerror "The module \"${umods[i]}\" does not exist"
-			fi
-			return 1
-		fi
-
-		if is_function "${umods[i]}_provide" ; then
-			mod=$(${umods[i]}_provide)
-		else
-			mod="${umods[i]}"
-		fi
-		for (( j=0; j<nmods; j++ )); do
-			[[ -z ${MODULES[j]} ]] && continue
-			if [[ ${PROVIDES[j]} == "${mod}" && ${umods[i]} != "${MODULES[j]}" ]] ; then
-				# We don't have a match - now ensure that we still provide an
-				# alternative. This is to handle our preferred modules.
-				for (( l=0; l<nmods; l++ )); do
-					[[ ${l} == "${j}" || -z ${MODULES[l]} ]] && continue
-					if [[ ${PROVIDES[l]} == "${mod}" ]] ; then
-						unset MODULES[j]
-						unset PROVIDES[j]
-						break
-					fi
-				done
-			fi
-		done
-	done
-
-	# Then we strip conflicting modules.
-	# We only need to do this for 3rd party modules that conflict with
-	# our own modules and the preferred list AND the user modules
-	# list doesn't specify a preference.
-	for (( i=0; i<nmods-1; i++ )); do
-		[[ -z ${MODULES[i]} ]] && continue			
-		for (( j=i+1; j<nmods; j++)); do
-			[[ -z ${MODULES[j]} ]] && continue
-			[[ ${PROVIDES[i]} == "${PROVIDES[j]}" ]] \
-			&& unset MODULES[j] && unset PROVIDES[j]
-		done
-	done
-
-	MODULES=( "${MODULES[@]}" )
-	PROVIDES=( "${PROVIDES[@]}" )
-	return 0
-}
-
-# void modules_sort(void)
-#
-# Sort our modules
-modules_sort() {
-	local i= j= nmods=${#MODULES[@]} m=
-	local -a provide=() provide_list=() after=() dead=() sorted=() sortedp=()
-
-	# Make our provide list
-	for ((i=0; i<nmods; i++)); do
-		dead[i]="false"
-		if [[ ${MODULES[i]} != "${PROVIDES[i]}" ]] ; then
-			local provided=false
-			for ((j=0; j<${#provide[@]}; j++)); do
-				if [[ ${provide[j]} == "${PROVIDES[i]}" ]] ; then
-					provide_list[j]="${provide_list[j]} ${MODULES[i]}"
-					provided=true
-				fi
-			done
-			if ! ${provided}; then
-				provide[j]="${PROVIDES[i]}"
-				provide_list[j]="${MODULES[i]}"
-			fi
-		fi
-	done
-
-	# Create an after array, which holds which modules the module at
-	# index i must be after
-	for ((i=0; i<nmods; i++)); do
-		if is_function "${MODULES[i]}_after" ; then
-			after[i]=" ${after[i]} $(${MODULES[i]}_after) "
-		fi
-		if is_function "${MODULES[i]}_before" ; then
-			for m in $(${MODULES[i]}_before); do
-				for ((j=0; j<nmods; j++)) ; do
-					if [[ ${PROVIDES[j]} == "${m}" ]] ; then
-						after[j]=" ${after[j]} ${MODULES[i]} "
-						break
-					fi
-				done
-			done
-		fi
-	done
-
-	# Replace the after list modules with real modules
-	for ((i=0; i<nmods; i++)); do
-		if [[ -n ${after[i]} ]] ; then
-			for ((j=0; j<${#provide[@]}; j++)); do
-				after[i]="${after[i]// ${provide[j]} / ${provide_list[j]} }"
-			done
-		fi
-	done
-	
-	# We then use the below code to provide a topologial sort
-    module_after_visit() {
-        local name="$1" i= x=
-
-		for ((i=0; i<nmods; i++)); do
-			[[ ${MODULES[i]} == "$1" ]] && break
-		done
-
-        ${dead[i]} && return
-        dead[i]="true"
-
-        for x in ${after[i]} ; do
-            module_after_visit "${x}"
-        done
-
-        sorted=( "${sorted[@]}" "${MODULES[i]}" )
-		sortedp=( "${sortedp[@]}" "${PROVIDES[i]}" )
-    }
-
-	for x in ${MODULES[@]}; do
-		module_after_visit "${x}"
-	done
-
-	MODULES=( "${sorted[@]}" )
-	PROVIDES=( "${sortedp[@]}" )
-}
-
-# bool modules_check_depends(bool showprovides)
-modules_check_depends() {
-	local showprovides="${1:-false}" nmods="${#MODULES[@]}" i= j= needmod=
-	local missingdeps= p= interface=false
-
-	for (( i=0; i<nmods; i++ )); do
-		if is_function "${MODULES[i]}_need" ; then
-			for needmod in $(${MODULES[i]}_need); do
-				missingdeps=true
-				for (( j=0; j<nmods; j++ )); do
-					if [[ ${needmod} == "${MODULES[j]}" \
-						|| ${needmod} == "${PROVIDES[j]}" ]] ; then
-						missingdeps=false
-						break
-					fi
-				done
-				if ${missingdeps} ; then
-					eerror "${MODULES[i]} needs ${needmod} (dependency failure)"
-					return 1
-				fi
-			done
-		fi
-
-		if is_function "${MODULES[i]}_functions" ; then
-			for f in $(${MODULES[i]}_functions); do
-				if ! is_function "${f}" ; then
-					eerror "${MODULES[i]}: missing required function \"${f}\""
-					return 1
-				fi
-			done
-		fi
-
-		[[ ${PROVIDES[i]} == "interface" ]] && interface=true
-
-		if ${showprovides} ; then
-			[[ ${PROVIDES[i]} != "${MODULES[i]}" ]] \
-			&& veinfo "${MODULES[i]} provides ${PROVIDES[i]}"
-		fi
-	done
-
-	if ! ${interface} ; then
-		eerror "no interface module has been loaded"
-		return 1
-	fi
-
-	return 0
-}
-
-# bool modules_load(char *iface, bool starting)
-#
-# Loads the defined handler and modules for the interface
-# Returns 0 on success, otherwise 1
-modules_load()  {
-	local iface="$1" starting="${2:-true}" MODULE= p=false i= j= k=
-	local -a x=()
-	local RC_INDENTATION="${RC_INDENTATION}"
-	local -a PROVIDES=() WRAP_MODULES=()
-
-	if ! is_loopback "${iface}" ; then
-		x="modules_force_${iface}[@]"
-		[[ -n ${!x} ]] && modules_force=( "${!x}" )
-		if [[ -n ${modules_force} ]] ; then
-			ewarn "WARNING: You are forcing modules!"
-			ewarn "Do not complain or file bugs if things start breaking"
-			report=true
-		fi
-	fi
-
-	veinfo "Loading networking modules for ${iface}"
-	eindent
-
-	if [[ -z ${modules_force} ]] ; then
-		modules_load_auto || return 1
-	else
-		j="${#modules_force[@]}"
-		for (( i=0; i<j; i++ )); do
-			module_load_minimum "${MODULES_DIR}/${modules_force[i]}" || return 1
-			if is_function "${modules_force[i]}_check_installed" ; then
-				${modules_force[i]}_check_installed || unset modules_force[i]
-			fi
-		done
-		MODULES=( "${modules_force[@]}" )
-	fi
-
-	j="${#MODULES[@]}"
-	for (( i=0; i<j; i++ )); do
-		# Now load our dependencies - we need to use the MODULE variable
-		# here as the after/before/need functions use it
-		MODULE="${MODULES[i]}"
-		${MODULE}_depend
-
-		# expose does exactly the same thing as depend
-		# However it is more "correct" as it exposes things to other modules
-		# instead of depending on them ;)
-		is_function "${MODULES[i]}_expose" && ${MODULES[i]}_expose
-
-		# If no provide is given, assume module name
-		if is_function "${MODULES[i]}_provide" ; then
-			PROVIDES[i]=$(${MODULES[i]}_provide)
-		else
-			PROVIDES[i]="${MODULES[i]}"
-		fi
-	done
-
-	if [[ -n ${modules_force[@]} ]] ; then
-		# Strip any duplicate modules providing the same thing
-		j="${#MODULES[@]}"
-		for (( i=0; i<j-1; i++ )); do
-			[[ -z ${MODULES[i]} ]] && continue
-			for (( k=i+1; k<j; k++ )); do
-				if [[ ${PROVIDES[i]} == ${PROVIDES[k]} ]] ; then
-					unset MODULES[k]
-					unset PROVIDES[k]
-				fi
-			done
-		done
-		MODULES=( "${MODULES[@]}" )
-		PROVIDES=( "${PROVIDES[@]}" )
-	else
-		if ${starting}; then
-			modules_check_user "${iface}" || return 1
-		else
-			# Always prefer iproute2 for taking down interfaces
-			if is_function iproute2_provide ; then
-				function_wrap iproute2 "$(iproute2_provide)"
-			fi
-		fi
-	fi
-	
-	# Wrap our modules
-	j="${#MODULES[@]}"
-	for (( i=0; i<j; i++ )); do
-		function_wrap "${MODULES[i]}" "${PROVIDES[i]}"
-	done
-	j="${#WRAP_MODULES[@]}"
-	for (( i=0; i<j; i++ )); do
-		function_wrap ${WRAP_MODULES[i]}
-	done
-	
-	if [[ -z ${modules_force[@]} ]] ; then
-		modules_check_installed || return 1
-		modules_sort || return 1
-	fi
-
-	veinfo "modules: ${MODULES[@]}"
-	eindent
-
-	${starting} && p=true
-	modules_check_depends "${p}" || return 1
-	return 0
-}
-
-# bool iface_start(char *interface)
-#
-# iface_start is called from start.  It's expected to start the base
-# interface (for example "eth0"), aliases (for example "eth0:1") and to start
-# VLAN interfaces (for example eth0.0, eth0.1).  VLAN setup is accomplished by
-# calling itself recursively.
-iface_start() {
-	local iface="$1" mod config_counter="-1" x config_worked=false
-	local RC_INDENTATION="${RC_INDENTATION}"
-	local -a config=() fallback=() fallback_route=() conf=() a=() b=()
-	local ifvar=$(bash_variable "$1") i= j= metric=0
-
-	# pre Start any modules with
-	for mod in ${MODULES[@]}; do
-		if is_function "${mod}_pre_start" ; then
-			${mod}_pre_start "${iface}" || { eend 1; return 1; }
-		fi
-	done
-
-	x="metric_${ifvar}"
-	# If we don't have a metric then calculate one
-	# Our modules will set the metric variable to a suitable base
-	# in their pre starts.
-	if [[ -z ${!x} ]] ; then
-		eval "metric_${ifvar}=\"$(calculate_metric "${iface}" "${metric}")\""
-	fi
-
-	# We now expand the configuration parameters and pray that the
-	# fallbacks expand to the same number as config or there will be
-	# trouble!
-	a="config_${ifvar}[@]"
-	a=( "${!a}" )
-	for (( i=0; i<${#a[@]}; i++ )); do 
-		eval b=( $(expand_parameters "${a[i]}") )
-		config=( "${config[@]}" "${b[@]}" )
-	done
-
-	a="fallback_${ifvar}[@]"
-	a=( "${!a}" )
-	for (( i=0; i<${#a[@]}; i++ )); do 
-		eval b=( $(expand_parameters "${a[i]}") )
-		fallback=( "${fallback[@]}" "${b[@]}" )
-	done
-
-	# We don't expand routes
-	fallback_route="fallback_route_${ifvar}[@]"
-	fallback_route=( "${!fallback_route}" )
-	
-	# We must support old configs
-	if [[ -z ${config} ]] ; then
-		interface_get_old_config "${iface}" || return 1
-		if [[ -n ${config} ]] ; then
-			ewarn "You are using a deprecated configuration syntax for ${iface}"
-			ewarn "You are advised to read /etc/conf.d/net.example and upgrade it accordingly"
-		fi
-	fi
-
-	# Handle "noop" correctly
-	if [[ ${config[0]} == "noop" ]] ; then
-		if interface_is_up "${iface}" true ; then
-			einfo "Keeping current configuration for ${iface}"
-			eend 0
-			return 0
-		fi
-
-		# Remove noop from the config var
-		config=( "${config[@]:1}" )
-	fi
-
-	# Provide a default of DHCP if no configuration is set and we're auto
-	# Otherwise a default of NULL
-	if [[ -z ${config} ]] ; then
-		ewarn "Configuration not set for ${iface} - assuming DHCP"
-		if is_function "dhcp_start" ; then
-			config=( "dhcp" )
-		else
-			eerror "No DHCP client installed"
-			return 1
-		fi
-	fi
-
-	einfo "Bringing up ${iface}"
-	eindent
-	for (( config_counter=0; config_counter<${#config[@]}; config_counter++ )); do
-		# Handle null and noop correctly
-		if [[ ${config[config_counter]} == "null" \
-			|| ${config[config_counter]} == "noop" ]] ; then
-			eend 0
-			config_worked=true
-			continue
-		fi
-
-		# We convert it to an array - this has the added
-		# bonus of trimming spaces!
-		conf=( ${config[config_counter]} )
-		einfo "${conf[0]}"
-
-		# Do we have a function for our config?
-		if is_function "${conf[0]}_start" ; then
-			eindent
-			${conf[0]}_start "${iface}" ; x=$?
-			eoutdent
-			[[ ${x} == 0 ]] && config_worked=true && continue
-			# We need to test to see if it's an IP address or a function
-			# We do this by testing if the 1st character is a digit
-		elif [[ ${conf[0]:0:1} == [[:digit:]] || ${conf[0]} == *:* ]] ; then
-			x="0"
-			if ! is_loopback "${iface}" ; then
-				if [[ " ${MODULES[@]} " == *" arping "* ]] ; then
-					if arping_address_exists "${iface}" "${conf[0]}" ; then
-						eerror "${conf[0]%%/*} already taken on ${iface}"
-						x="1"
-					fi
-				fi
-			fi
-			[[ ${x} == "0" ]] && interface_add_address "${iface}" ${conf[@]}; x="$?"
-			eend "${x}" && config_worked=true && continue
-		else
-			if [[ ${conf[0]} == "dhcp" ]] ; then
-				eerror "No DHCP client installed"
-			else
-				eerror "No loaded modules provide \"${conf[0]}\" (${conf[0]}_start)"
-			fi
-		fi
-
-		if [[ -n ${fallback[config_counter]} ]] ; then
-			einfo "Trying fallback configuration"
-			config[config_counter]="${fallback[config_counter]}"
-			fallback[config_counter]=""
-
-			# Do we have a fallback route?
-			if [[ -n ${fallback_route[config_counter]} ]] ; then
-				x="fallback_route[config_counter]"
-				eval "routes_${ifvar}=( \"\${!x}\" )"
-				fallback_route[config_counter]=""
-			fi
-
-			(( config_counter-- )) # since the loop will increment it
-			continue
-		fi
-	done
-	eoutdent
-
-	# We return failure if no configuration parameters worked
-	${config_worked} || return 1
-
-	# Start any modules with _post_start
-	for mod in ${MODULES[@]}; do
-		if is_function "${mod}_post_start" ; then
-			${mod}_post_start "${iface}" || return 1
-		fi
-	done
-
-	return 0
-}
-
-# bool iface_stop(char *interface)
-#
-# iface_stop: bring down an interface.  Don't trust information in
-# /etc/conf.d/net since the configuration might have changed since
-# iface_start ran.  Instead query for current configuration and bring
-# down the interface.
-iface_stop() {
-	local iface="$1" i= aliases= need_begin=false mod=
-	local RC_INDENTATION="${RC_INDENTATION}"
-
-	# pre Stop any modules
-	for mod in ${MODULES[@]}; do
-		if is_function "${mod}_pre_stop" ; then
-			${mod}_pre_stop "${iface}" || return 1
-		fi
-	done
-
-	einfo "Bringing down ${iface}"
-	eindent
-
-	# Collect list of aliases for this interface.
-	# List will be in reverse order.
-	if interface_exists "${iface}" ; then
-		aliases=$(interface_get_aliases_rev "${iface}")
-	fi
-
-	# Stop aliases before primary interface.
-	# Note this must be done in reverse order, since ifconfig eth0:1 
-	# will remove eth0:2, etc.  It might be sufficient to simply remove 
-	# the base interface but we're being safe here.
-	for i in ${aliases} ${iface}; do
-		# Stop all our modules
-		for mod in ${MODULES[@]}; do
-			if is_function "${mod}_stop" ; then
-				${mod}_stop "${i}" || return 1
-			fi
-		done
-
-		# A module may have removed the interface
-		if ! interface_exists "${iface}" ; then
-			eend 0
-			continue
-		fi
-
-		# We don't delete ppp assigned addresses
-		if ! is_function pppd_exists || ! pppd_exists "${i}" ; then
-			# Delete all the addresses for this alias
-			interface_del_addresses "${i}"
-		fi
-
-		# Do final shut down of this alias
-		if [[ ${IN_BACKGROUND} != "true" \
-			&& ${RC_DOWN_INTERFACE} == "yes" ]] ; then
-			ebegin "Shutting down ${i}"
-			interface_iface_stop "${i}"
-			eend "$?"
-		fi
-	done
-
-	# post Stop any modules
-	for mod in ${MODULES[@]}; do
-		# We have already taken down the interface, so no need to error
-		is_function "${mod}_post_stop" && ${mod}_post_stop "${iface}"
-	done
-
-	return 0
-}
-
-# bool run_start(char *iface)
-#
-# Brings up ${IFACE}.  Calls preup, iface_start, then postup.
-# Returns 0 (success) unless preup or iface_start returns 1 (failure).
-# Ignores the return value from postup.
-# We cannot check that the device exists ourselves as modules like
-# tuntap make create it.
-run_start() {
-	local iface="$1" IFVAR=$(bash_variable "$1")
-
-	# We do this so users can specify additional addresses for lo if they
-	# need too - additional routes too
-	# However, no extra modules are loaded as they are just not needed
-	if [[ ${iface} == "lo" ]] ; then
-		metric_lo="0"
-		config_lo=( "127.0.0.1/8 brd 127.255.255.255" "${config_lo[@]}" )
-		routes_lo=( "127.0.0.0/8" "${routes_lo[@]}" )
-	elif [[ ${iface} == "lo0" ]] ; then
-		metric_lo0="0"
-		config_lo0=( "127.0.0.1/8 brd 127.255.255.255" "${config_lo[@]}" )
-		routes_lo0=( "127.0.0.0/8" "${routes_lo[@]}" )
-	fi
-
-	# We may not have a loaded module for ${iface}
-	# Some users may have "alias natsemi eth0" in /etc/modules.d/foo
-	# so we can work with this
-	# However, if they do the same with eth1 and try to start it
-	# but eth0 has not been loaded then the module gets loaded as
-	# eth0.
-	# Not much we can do about this :(
-	# Also, we cannot error here as some modules - such as bridge
-	# create interfaces
-	if ! interface_exists "${iface}" ; then
-		/sbin/modprobe "${iface}" &>/dev/null
-	fi
-
-	# Call user-defined preup function if it exists
-	if is_function preup ; then
-		einfo "Running preup function"
-		eindent
-		( preup "${iface}" )
-		eend "$?" "preup ${iface} failed" || return 1
-		eoutdent
-	fi
-
-	# If config is set to noop and the interface is up with an address
-	# then we don't start it
-	local config=
-	config="config_${IFVAR}[@]"
-	config=( "${!config}" )
-	if [[ ${config[0]} == "noop" ]] && interface_is_up "${iface}" true ; then
-		einfo "Keeping current configuration for ${iface}"
-		eend 0
-	else
-		# Remove noop from the config var
-		[[ ${config[0]} == "noop" ]] \
-			&& eval "config_${IFVAR}=( "\"\$\{config\[@\]:1\}\"" )"
-
-		# There may be existing ip address info - so we strip it
-		if [[ ${RC_INTERFACE_KEEP_CONFIG} != "yes" \
-			&& ${IN_BACKGROUND} != "true" ]] ; then
-			interface_del_addresses "${iface}"
-		fi
-
-		# Start the interface
-		if ! iface_start "${iface}" ; then
-			if [[ ${IN_BACKGROUND} != "true" ]] ; then
-				interface_exists "${iface}" && interface_down "${iface}"
-			fi
-			eend 1
-			return 1
-		fi
-	fi
-
-	# Call user-defined postup function if it exists
-	if is_function postup ; then
-		# We need to mark the service as started incase a
-		# postdown function wants to restart services that depend on us
-		mark_service_started "net.${iface}"
-		end_service "net.${iface}" 0
-		einfo "Running postup function"
-		eindent
-		( postup "${iface}" )
-		eoutdent
-	fi
-
-	return 0
-}
-
-# bool run_stop(char *iface) {
-#
-# Brings down ${iface}.  If predown call returns non-zero, then
-# stop returns non-zero to indicate failure bringing down device.
-# In all other cases stop returns 0 to indicate success.
-run_stop() {
-	local iface="$1" IFVAR=$(bash_variable "$1") x
-
-	# Load our ESSID variable so users can use it in predown() instead
-	# of having to write code.
-	local ESSID=$(get_options ESSID) ESSIDVAR=
-	[[ -n ${ESSID} ]] && ESSIDVAR=$(bash_variable "${ESSID}")
-
-	# Call user-defined predown function if it exists
-	if is_function predown ; then
-		einfo "Running predown function"
-		eindent
-		( predown "${iface}" )
-		eend $? "predown ${iface} failed" || return 1
-		eoutdent
-	elif is_net_fs / ; then
-		eerror "root filesystem is network mounted -- can't stop ${iface}"
-		return 1
-	elif is_union_fs / ; then
-		for x in $(unionctl "${dir}" --list \
-		| sed -e 's/^\(.*\) .*/\1/') ; do
-			if is_net_fs "${x}" ; then
-				eerror "Part of the root filesystem is network mounted - cannot stop ${iface}"
-				return 1
-			fi
-		done
-	fi
-
-	iface_stop "${iface}" || return 1  # always succeeds, btw
-
-	# Release resolv.conf information.
-	[[ -x /sbin/resolvconf ]] && resolvconf -d "${iface}"
-	
-	# Mark us as inactive if called from the background
-	[[ ${IN_BACKGROUND} == "true" ]] && mark_service_inactive "net.${iface}"
-
-	# Call user-defined postdown function if it exists
-	if is_function postdown ; then
-		# We need to mark the service as stopped incase a
-		# postdown function wants to restart services that depend on us
-		[[ ${IN_BACKGROUND} != "true" ]] && mark_service_stopped "net.${iface}"
-		end_service "net.${iface}" 0
-		einfo "Running postdown function"
-		eindent
-		( postdown "${iface}" )
-		eoutdent
-	fi
-
-
-	return 0
-}
-
-# bool run(char *iface, char *cmd)
-#
-# Main start/stop entry point
-# We load modules here and remove any functions that they
-# added as we may be called inside the same shell scope for another interface
-run() {
-	local iface="$1" cmd="$2" r=1 RC_INDENTATION="${RC_INDENTATION}"
-	local starting=true
-	local -a MODULES=() mods=()
-	local IN_BACKGROUND="${IN_BACKGROUND}"
-
-	if [[ ${IN_BACKGROUND} == "true" || ${IN_BACKGROUND} == "1" ]] ; then
-		IN_BACKGROUND=true
-	else
-		IN_BACKGROUND=false
-	fi
-
-	# We need to override the exit function as runscript.sh now checks
-	# for it. We need it so we can mark the service as inactive ourselves.
-	unset -f exit
-
-	eindent
-	[[ ${cmd} == "stop" ]] && starting=false
-
-	# We force lo to only use these modules for a major speed boost
-	if is_loopback "${iface}" ; then	
-		modules_force=( "iproute2" "ifconfig" "system" )
-	fi
-
-	if modules_load "${iface}" "${starting}" ; then
-		if [[ ${cmd} == "stop" ]] ; then
-			# Reverse the module list for stopping
-			mods=( "${MODULES[@]}" )
-			for ((i = 0; i < ${#mods[@]}; i++)); do
-				MODULES[i]=${mods[((${#mods[@]} - i - 1))]}
-			done
-
-			run_stop "${iface}" && r=0
-		else
-			# Only hotplug on ethernet interfaces
-			if [[ ${IN_HOTPLUG} == 1 ]] ; then
-				if ! interface_is_ethernet "${iface}" ; then
-					eerror "We only hotplug for ethernet interfaces"
-					return 1
-				fi
-			fi
-
-			run_start "${iface}" && r=0
-		fi
-	fi
-
-	if [[ ${r} != "0" ]] ; then
-		if [[ ${cmd} == "start" ]] ; then
-			# Call user-defined failup if it exists
-			if is_function failup ; then
-				einfo "Running failup function"
-				eindent
-				( failup "${iface}" )
-				eoutdent
-			fi
-		else
-			# Call user-defined faildown if it exists
-			if is_function faildown ; then
-				einfo "Running faildown function"
-				eindent
-				( faildown "${iface}" )
-				eoutdent
-			fi
-		fi
-		[[ ${IN_BACKGROUND} == "true" ]] \
-			&& mark_service_inactive "net.${iface}"
-	fi
-
-	return "${r}"
-}
-
-# bool start(void)
-#
-# Start entry point so that we only have one function
-# which localises variables and unsets functions
-start() {
-	declare -r IFACE="${SVCNAME#*.}"
-	einfo "Starting ${IFACE}"
-	run "${IFACE}" start
-}
-
-# bool stop(void)
-#
-# Stop entry point so that we only have one function
-# which localises variables and unsets functions
-stop() {
-	declare -r IFACE="${SVCNAME#*.}"
-	einfo "Stopping ${IFACE}"
-	run "${IFACE}" stop
-}
-
-# vim:ts=4
diff --git a/testing/hosts/dave/etc/conf.d/hostname b/testing/hosts/dave/etc/conf.d/hostname
deleted file mode 100644
index c3fabf331..000000000
--- a/testing/hosts/dave/etc/conf.d/hostname
+++ /dev/null
@@ -1 +0,0 @@
-HOSTNAME=dave
diff --git a/testing/hosts/dave/etc/conf.d/net b/testing/hosts/dave/etc/conf.d/net
deleted file mode 100644
index 2b902525a..000000000
--- a/testing/hosts/dave/etc/conf.d/net
+++ /dev/null
@@ -1,10 +0,0 @@
-# /etc/conf.d/net:
-
-# This is basically the ifconfig argument without the ifconfig $iface
-#
-config_eth0=( "PH_IP_DAVE broadcast 192.168.0.255 netmask 255.255.255.0"
-              "PH_IP6_DAVE/16" )
-
-# For setting the default gateway
-#
-routes_eth0=( "default via 192.168.0.254" )
diff --git a/testing/hosts/dave/etc/hostname b/testing/hosts/dave/etc/hostname
new file mode 100644
index 000000000..9fcf7b10e
--- /dev/null
+++ b/testing/hosts/dave/etc/hostname
@@ -0,0 +1 @@
+dave
diff --git a/testing/hosts/dave/etc/init.d/iptables b/testing/hosts/dave/etc/init.d/iptables
deleted file mode 100755
index 6ff11a424..000000000
--- a/testing/hosts/dave/etc/init.d/iptables
+++ /dev/null
@@ -1,77 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	# allow esp
-	iptables -A INPUT  -i eth0 -p 50 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-	# allow IKE
-	iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
-	# allow MobIKE
-	iptables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-	# allow crl fetch from winnetou
-	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/hosts/dave/etc/init.d/net.eth0 b/testing/hosts/dave/etc/init.d/net.eth0
deleted file mode 100755
index 92b3851cf..000000000
--- a/testing/hosts/dave/etc/init.d/net.eth0
+++ /dev/null
@@ -1,1124 +0,0 @@
-#!/sbin/runscript
-# Copyright (c) 2004-2006 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-# Contributed by Roy Marples (uberlord@gentoo.org)
-# Many thanks to Aron Griffis (agriffis@gentoo.org)
-# for help, ideas and patches
-
-#NB: Config is in /etc/conf.d/net
-
-# For pcmcia users. note that pcmcia must be added to the same
-# runlevel as the net.* script that needs it.
-depend() {
-	need localmount
-	after bootmisc hostname
-	use isapnp isdn pcmcia usb wlan
-
-	# Load any custom depend functions for the given interface
-	# For example, br0 may need eth0 and eth1
-	local iface="${SVCNAME#*.}"
-	[[ $(type -t "depend_${iface}") == "function" ]] && depend_${iface}
-
-	if [[ ${iface} != "lo" && ${iface} != "lo0" ]] ; then
-		after net.lo net.lo0
-
-		# Support new style RC_NEED and RC_USE in one net file
-		local x="RC_NEED_${iface}"
-		[[ -n ${!x} ]] && need ${!x}
-		x="RC_USE_${iface}"
-		[[ -n ${!x} ]] && use ${!x}
-	fi
-
-	return 0
-}
-
-# Define where our modules are
-MODULES_DIR="${svclib}/net"
-
-# Make some wrappers to fudge after/before/need/use depend flags.
-# These are callbacks so MODULE will be set.
-after() {
-	eval "${MODULE}_after() { echo \"$*\"; }"
-}
-before() {
-	eval "${MODULE}_before() { echo \"$*\"; }"
-}
-need() {
-	eval "${MODULE}_need() { echo \"$*\"; }"
-}
-installed() {
-	# We deliberately misspell this as _installed will probably be used
-	# at some point
-	eval "${MODULE}_instlled() { echo \"$*\"; }"
-}
-provide() {
-	eval "${MODULE}_provide() { echo \"$*\"; }"
-}
-functions() {
-	eval "${MODULE}_functions() { echo \"$*\"; }"
-}
-variables() {
-	eval "${MODULE}_variables() { echo \"$*\"; }"
-}
-
-is_loopback() {
-	[[ $1 == "lo" || $1 == "lo0" ]]
-}
-
-# char* interface_device(char *iface)
-#
-# Gets the base device of the interface
-# Can handle eth0:1 and eth0.1
-# Which returns eth0 in this case
-interface_device() {
-	local dev="${1%%.*}"
-	[[ ${dev} == "$1" ]] && dev="${1%%:*}"
-	echo "${dev}"
-}
-
-# char* interface_type(char* iface)
-#
-# Returns the base type of the interface
-# eth, ippp, etc
-interface_type() {
-	echo "${1%%[0-9]*}"
-}
-
-# int calculate_metric(char *interface, int base)
-#
-# Calculates the best metric for the interface
-# We use this when we add routes so we can prefer interfaces over each other
-calculate_metric() {
-	local iface="$1" metric="$2"
-
-	# Have we already got a metric?
-	local m=$(awk '$1=="'${iface}'" && $2=="00000000" { print $7 }' \
-		/proc/net/route)
-	if [[ -n ${m} ]] ; then
-		echo "${m}"
-		return 0
-	fi
-
-	local i= dest= gw= flags= ref= u= m= mtu= metrics=
-	while read i dest gw flags ref u m mtu ; do
-		# Ignore lo
-		is_loopback "${i}" && continue
-		# We work out metrics from default routes only
-		[[ ${dest} != "00000000" || ${gw} == "00000000" ]] && continue
-		metrics="${metrics}\n${m}"
-	done < /proc/net/route
-
-	# Now, sort our metrics
-	metrics=$(echo -e "${metrics}" | sort -n)
-
-	# Now, find the lowest we can use
-	local gotbase=false
-	for m in ${metrics} ; do
-		[[ ${m} -lt ${metric} ]] && continue
-		[[ ${m} == ${metric} ]] && ((metric++))
-		[[ ${m} -gt ${metric} ]] && break
-	done
-	
-	echo "${metric}"
-}
-
-# int netmask2cidr(char *netmask)
-#
-# Returns the CIDR of a given netmask
-netmask2cidr() {
-	local binary= i= bin=
-
-	for i in ${1//./ }; do
-		bin=""
-		while [[ ${i} != "0" ]] ; do
-			bin=$[${i}%2]${bin}
-			(( i=i>>1 ))
-		done
-		binary="${binary}${bin}"
-	done
-	binary="${binary%%0*}"
-	echo "${#binary}"
-}
-
-
-# bool is_function(char* name)
-#
-# Returns 0 if the given name is a shell function, otherwise 1
-is_function() {
-	[[ -z $1 ]] && return 1
-	[[ $(type -t "$1") == "function" ]]
-}
-
-# void function_wrap(char* source, char* target)
-#
-# wraps function calls - for example function_wrap(this, that)
-# maps function names this_* to that_*
-function_wrap() {
-	local i=
-
-	is_function "${2}_depend" && return
-
-	for i in $(typeset -f | grep -o '^'"${1}"'_[^ ]*'); do
-		eval "${2}${i#${1}}() { ${i} \"\$@\"; }"
-	done
-}
-
-# char[] * expand_parameters(char *cmd)
-#
-# Returns an array after expanding parameters. For example
-# "192.168.{1..3}.{1..3}/24 brd +"
-# will return
-# "192.168.1.1/24 brd +"
-# "192.168.1.2/24 brd +"
-# "192.168.1.3/24 brd +"
-# "192.168.2.1/24 brd +"
-# "192.168.2.2/24 brd +"
-# "192.168.2.3/24 brd +"
-# "192.168.3.1/24 brd +"
-# "192.168.3.2/24 brd +"
-# "192.168.3.3/24 brd +"
-expand_parameters() {
-	local x=$(eval echo ${@// /_})
-	local -a a=( ${x} )
-
-	a=( "${a[@]/#/\"}" )
-	a=( "${a[@]/%/\"}" )
-	echo "${a[*]//_/ }"
-}
-
-# void configure_variables(char *interface, char *option1, [char *option2])
-#
-# Maps configuration options from <variable>_<option> to <variable>_<iface>
-# option2 takes precedence over option1
-configure_variables() {
-	local iface="$1" option1="$2" option2="$3"
-
-	local mod= func= x= i=
-	local -a ivars=() ovars1=() ovars2=()
-	local ifvar=$(bash_variable "${iface}")
-
-	for mod in ${MODULES[@]}; do
-		is_function ${mod}_variables || continue
-		for v in $(${mod}_variables) ; do
-			x=
-			[[ -n ${option2} ]] && x="${v}_${option2}[@]"
-			[[ -z ${!x} ]] && x="${v}_${option1}[@]"
-			[[ -n ${!x} ]] && eval "${v}_${ifvar}=( \"\${!x}\" )"
-		done
-	done
-
-	return 0
-}
-# bool module_load_minimum(char *module)
-#
-# Does the minimum checking on a module - even when forcing
-module_load_minimum() {
-	local f="$1.sh" MODULE="${1##*/}"
-
-	if [[ ! -f ${f} ]] ; then
-		eerror "${f} does not exist"
-		return 1
-	fi
-
-	if ! source "${f}" ; then
-		eerror "${MODULE} failed a sanity check"
-		return 1
-	fi
-
-	for f in depend; do
-		is_function "${MODULE}_${f}" && continue
-		eerror "${MODULE}.sh does not support the required function ${f}"
-		return 1
-	done
-
-	return 0
-}
-
-# bool modules_load_auto()
-#
-# Load and check each module for sanity
-# If the module is not installed, the functions are to be removed
-modules_load_auto() {
-	local i j inst
-
-	# Populate the MODULES array
-	# Basically we treat evey file in ${MODULES_DIR} as a module
-	MODULES=( $( cd "${MODULES_DIR}" ; ls *.sh ) )
-	j="${#MODULES[@]}"
-	for (( i=0; i<j; i++ )); do
-		MODULES[i]="${MODULES_DIR}/${MODULES[i]}"
-		[[ ! -f ${MODULES[i]} ]] && unset MODULES[i]
-	done
-	MODULES=( "${MODULES[@]}" )
-
-	# Each of these sources into the global namespace, so it's
-	# important that module functions and variables are prefixed with
-	# the module name, for example iproute2_
-
-	j="${#MODULES[@]}"
-	loaded_interface=false
-	for (( i=0; i<j; i++ )); do
-		MODULES[i]="${MODULES[i]%.sh*}"
-		if [[ ${MODULES[i]##*/} == "interface" ]] ; then
-			eerror "interface is a reserved name - cannot load a module called interface"
-			return 1
-		fi
-		
-		(
-		u=0;
-		module_load_minimum "${MODULES[i]}" || u=1;
-		if [[ ${u} == 0 ]] ; then
-			inst="${MODULES[i]##*/}_check_installed";
-			if is_function "${inst}" ; then
-				${inst} false || u=1;
-			fi
-		fi
-		exit "${u}";
-		)
-
-		if [[ $? == 0 ]] ; then
-			source "${MODULES[i]}.sh"
-			MODULES[i]="${MODULES[i]##*/}"
-		else
-			unset MODULES[i]
-		fi
-	done
-
-	MODULES=( "${MODULES[@]}" )
-	return 0
-}
-
-# bool modules_check_installed(void)
-#
-# Ensure that all modules have the required modules loaded
-# This enables us to remove modules from the MODULES array
-# Whilst other modules can still explicitly call them
-# One example of this is essidnet which configures network
-# settings for the specific ESSID connected to as the user
-# may be using a daemon to configure wireless instead of our
-# iwconfig module
-modules_check_installed() {
-	local i j missingdeps nmods="${#MODULES[@]}"
-
-	for (( i=0; i<nmods; i++ )); do
-		is_function "${MODULES[i]}_instlled" || continue
-		for j in $( ${MODULES[i]}_instlled ); do
-			missingdeps=true
-			if is_function "${j}_check_installed" ; then
-				${j}_check_installed && missingdeps=false
-			elif is_function "${j}_depend" ; then
-				missingdeps=false
-			fi
-			${missingdeps} && unset MODULES[i] && unset PROVIDES[i] && break
-		done
-	done
-
-	MODULES=( "${MODULES[@]}" )
-	PROVIDES=( "${PROVIDES[@]}" )
-}
-
-# bool modules_check_user(void)
-modules_check_user() {
-	local iface="$1" ifvar=$(bash_variable "${IFACE}")
-	local i= j= k= l= nmods="${#MODULES[@]}"
-	local -a umods=()
-
-	# Has the interface got any specific modules?
-	umods="modules_${ifvar}[@]"
-	umods=( "${!umods}" )
-
-	# Global setting follows interface-specific setting
-	umods=( "${umods[@]}" "${modules[@]}" )
-
-	# Add our preferred modules
-	local -a pmods=( "iproute2" "dhcpcd" "iwconfig" "netplugd" )
-	umods=( "${umods[@]}" "${pmods[@]}" )
-
-	# First we strip any modules that conflict from user settings
-	# So if the user specifies pump then we don't use dhcpcd
-	for (( i=0; i<${#umods[@]}; i++ )); do
-		# Some users will inevitably put "dhcp" in their modules
-		# list.  To keep users from screwing up their system this
-		# way, ignore this setting so that the default dhcp
-		# module will be used.
-		[[ ${umods[i]} == "dhcp" ]] && continue
-
-		# We remove any modules we explicitly don't want
-		if [[ ${umods[i]} == "!"* ]] ; then
-			for (( j=0; j<nmods; j++ )); do
-				[[ -z ${MODULES[j]} ]] && continue
-				if [[ ${umods[i]:1} == "${MODULES[j]}" \
-					|| ${umods[i]:1} == "${PROVIDES[j]}" ]] ; then
-					# We may need to setup a class wrapper for it even though
-					# we don't use it directly
-					# However, we put it into an array and wrap later as
-					# another module may provide the same thing
-					${MODULES[j]}_check_installed \
-						&& WRAP_MODULES=(
-							"${WRAP_MODULES[@]}"
-							"${MODULES[j]} ${PROVIDES[j]}"
-						)
-					unset MODULES[j]
-					unset PROVIDES[j]
-				fi
-			done
-			continue
-		fi
-
-		if ! is_function "${umods[i]}_depend" ; then
-			# If the module is one of our preferred modules, then
-			# ignore this error; whatever is available will be
-			# used instead.
-			(( i < ${#umods[@]} - ${#pmods[@]} )) || continue
-
-			# The function may not exist because the modules software is
-			# not installed. Load the module and report its error
-			if [[ -e "${MODULES_DIR}/${umods[i]}.sh" ]] ; then
-				source "${MODULES_DIR}/${umods[i]}.sh"
-				is_function "${umods[i]}_check_installed" \
-					&& ${umods[i]}_check_installed true
-			else
-				eerror "The module \"${umods[i]}\" does not exist"
-			fi
-			return 1
-		fi
-
-		if is_function "${umods[i]}_provide" ; then
-			mod=$(${umods[i]}_provide)
-		else
-			mod="${umods[i]}"
-		fi
-		for (( j=0; j<nmods; j++ )); do
-			[[ -z ${MODULES[j]} ]] && continue
-			if [[ ${PROVIDES[j]} == "${mod}" && ${umods[i]} != "${MODULES[j]}" ]] ; then
-				# We don't have a match - now ensure that we still provide an
-				# alternative. This is to handle our preferred modules.
-				for (( l=0; l<nmods; l++ )); do
-					[[ ${l} == "${j}" || -z ${MODULES[l]} ]] && continue
-					if [[ ${PROVIDES[l]} == "${mod}" ]] ; then
-						unset MODULES[j]
-						unset PROVIDES[j]
-						break
-					fi
-				done
-			fi
-		done
-	done
-
-	# Then we strip conflicting modules.
-	# We only need to do this for 3rd party modules that conflict with
-	# our own modules and the preferred list AND the user modules
-	# list doesn't specify a preference.
-	for (( i=0; i<nmods-1; i++ )); do
-		[[ -z ${MODULES[i]} ]] && continue			
-		for (( j=i+1; j<nmods; j++)); do
-			[[ -z ${MODULES[j]} ]] && continue
-			[[ ${PROVIDES[i]} == "${PROVIDES[j]}" ]] \
-			&& unset MODULES[j] && unset PROVIDES[j]
-		done
-	done
-
-	MODULES=( "${MODULES[@]}" )
-	PROVIDES=( "${PROVIDES[@]}" )
-	return 0
-}
-
-# void modules_sort(void)
-#
-# Sort our modules
-modules_sort() {
-	local i= j= nmods=${#MODULES[@]} m=
-	local -a provide=() provide_list=() after=() dead=() sorted=() sortedp=()
-
-	# Make our provide list
-	for ((i=0; i<nmods; i++)); do
-		dead[i]="false"
-		if [[ ${MODULES[i]} != "${PROVIDES[i]}" ]] ; then
-			local provided=false
-			for ((j=0; j<${#provide[@]}; j++)); do
-				if [[ ${provide[j]} == "${PROVIDES[i]}" ]] ; then
-					provide_list[j]="${provide_list[j]} ${MODULES[i]}"
-					provided=true
-				fi
-			done
-			if ! ${provided}; then
-				provide[j]="${PROVIDES[i]}"
-				provide_list[j]="${MODULES[i]}"
-			fi
-		fi
-	done
-
-	# Create an after array, which holds which modules the module at
-	# index i must be after
-	for ((i=0; i<nmods; i++)); do
-		if is_function "${MODULES[i]}_after" ; then
-			after[i]=" ${after[i]} $(${MODULES[i]}_after) "
-		fi
-		if is_function "${MODULES[i]}_before" ; then
-			for m in $(${MODULES[i]}_before); do
-				for ((j=0; j<nmods; j++)) ; do
-					if [[ ${PROVIDES[j]} == "${m}" ]] ; then
-						after[j]=" ${after[j]} ${MODULES[i]} "
-						break
-					fi
-				done
-			done
-		fi
-	done
-
-	# Replace the after list modules with real modules
-	for ((i=0; i<nmods; i++)); do
-		if [[ -n ${after[i]} ]] ; then
-			for ((j=0; j<${#provide[@]}; j++)); do
-				after[i]="${after[i]// ${provide[j]} / ${provide_list[j]} }"
-			done
-		fi
-	done
-	
-	# We then use the below code to provide a topologial sort
-    module_after_visit() {
-        local name="$1" i= x=
-
-		for ((i=0; i<nmods; i++)); do
-			[[ ${MODULES[i]} == "$1" ]] && break
-		done
-
-        ${dead[i]} && return
-        dead[i]="true"
-
-        for x in ${after[i]} ; do
-            module_after_visit "${x}"
-        done
-
-        sorted=( "${sorted[@]}" "${MODULES[i]}" )
-		sortedp=( "${sortedp[@]}" "${PROVIDES[i]}" )
-    }
-
-	for x in ${MODULES[@]}; do
-		module_after_visit "${x}"
-	done
-
-	MODULES=( "${sorted[@]}" )
-	PROVIDES=( "${sortedp[@]}" )
-}
-
-# bool modules_check_depends(bool showprovides)
-modules_check_depends() {
-	local showprovides="${1:-false}" nmods="${#MODULES[@]}" i= j= needmod=
-	local missingdeps= p= interface=false
-
-	for (( i=0; i<nmods; i++ )); do
-		if is_function "${MODULES[i]}_need" ; then
-			for needmod in $(${MODULES[i]}_need); do
-				missingdeps=true
-				for (( j=0; j<nmods; j++ )); do
-					if [[ ${needmod} == "${MODULES[j]}" \
-						|| ${needmod} == "${PROVIDES[j]}" ]] ; then
-						missingdeps=false
-						break
-					fi
-				done
-				if ${missingdeps} ; then
-					eerror "${MODULES[i]} needs ${needmod} (dependency failure)"
-					return 1
-				fi
-			done
-		fi
-
-		if is_function "${MODULES[i]}_functions" ; then
-			for f in $(${MODULES[i]}_functions); do
-				if ! is_function "${f}" ; then
-					eerror "${MODULES[i]}: missing required function \"${f}\""
-					return 1
-				fi
-			done
-		fi
-
-		[[ ${PROVIDES[i]} == "interface" ]] && interface=true
-
-		if ${showprovides} ; then
-			[[ ${PROVIDES[i]} != "${MODULES[i]}" ]] \
-			&& veinfo "${MODULES[i]} provides ${PROVIDES[i]}"
-		fi
-	done
-
-	if ! ${interface} ; then
-		eerror "no interface module has been loaded"
-		return 1
-	fi
-
-	return 0
-}
-
-# bool modules_load(char *iface, bool starting)
-#
-# Loads the defined handler and modules for the interface
-# Returns 0 on success, otherwise 1
-modules_load()  {
-	local iface="$1" starting="${2:-true}" MODULE= p=false i= j= k=
-	local -a x=()
-	local RC_INDENTATION="${RC_INDENTATION}"
-	local -a PROVIDES=() WRAP_MODULES=()
-
-	if ! is_loopback "${iface}" ; then
-		x="modules_force_${iface}[@]"
-		[[ -n ${!x} ]] && modules_force=( "${!x}" )
-		if [[ -n ${modules_force} ]] ; then
-			ewarn "WARNING: You are forcing modules!"
-			ewarn "Do not complain or file bugs if things start breaking"
-			report=true
-		fi
-	fi
-
-	veinfo "Loading networking modules for ${iface}"
-	eindent
-
-	if [[ -z ${modules_force} ]] ; then
-		modules_load_auto || return 1
-	else
-		j="${#modules_force[@]}"
-		for (( i=0; i<j; i++ )); do
-			module_load_minimum "${MODULES_DIR}/${modules_force[i]}" || return 1
-			if is_function "${modules_force[i]}_check_installed" ; then
-				${modules_force[i]}_check_installed || unset modules_force[i]
-			fi
-		done
-		MODULES=( "${modules_force[@]}" )
-	fi
-
-	j="${#MODULES[@]}"
-	for (( i=0; i<j; i++ )); do
-		# Now load our dependencies - we need to use the MODULE variable
-		# here as the after/before/need functions use it
-		MODULE="${MODULES[i]}"
-		${MODULE}_depend
-
-		# expose does exactly the same thing as depend
-		# However it is more "correct" as it exposes things to other modules
-		# instead of depending on them ;)
-		is_function "${MODULES[i]}_expose" && ${MODULES[i]}_expose
-
-		# If no provide is given, assume module name
-		if is_function "${MODULES[i]}_provide" ; then
-			PROVIDES[i]=$(${MODULES[i]}_provide)
-		else
-			PROVIDES[i]="${MODULES[i]}"
-		fi
-	done
-
-	if [[ -n ${modules_force[@]} ]] ; then
-		# Strip any duplicate modules providing the same thing
-		j="${#MODULES[@]}"
-		for (( i=0; i<j-1; i++ )); do
-			[[ -z ${MODULES[i]} ]] && continue
-			for (( k=i+1; k<j; k++ )); do
-				if [[ ${PROVIDES[i]} == ${PROVIDES[k]} ]] ; then
-					unset MODULES[k]
-					unset PROVIDES[k]
-				fi
-			done
-		done
-		MODULES=( "${MODULES[@]}" )
-		PROVIDES=( "${PROVIDES[@]}" )
-	else
-		if ${starting}; then
-			modules_check_user "${iface}" || return 1
-		else
-			# Always prefer iproute2 for taking down interfaces
-			if is_function iproute2_provide ; then
-				function_wrap iproute2 "$(iproute2_provide)"
-			fi
-		fi
-	fi
-	
-	# Wrap our modules
-	j="${#MODULES[@]}"
-	for (( i=0; i<j; i++ )); do
-		function_wrap "${MODULES[i]}" "${PROVIDES[i]}"
-	done
-	j="${#WRAP_MODULES[@]}"
-	for (( i=0; i<j; i++ )); do
-		function_wrap ${WRAP_MODULES[i]}
-	done
-	
-	if [[ -z ${modules_force[@]} ]] ; then
-		modules_check_installed || return 1
-		modules_sort || return 1
-	fi
-
-	veinfo "modules: ${MODULES[@]}"
-	eindent
-
-	${starting} && p=true
-	modules_check_depends "${p}" || return 1
-	return 0
-}
-
-# bool iface_start(char *interface)
-#
-# iface_start is called from start.  It's expected to start the base
-# interface (for example "eth0"), aliases (for example "eth0:1") and to start
-# VLAN interfaces (for example eth0.0, eth0.1).  VLAN setup is accomplished by
-# calling itself recursively.
-iface_start() {
-	local iface="$1" mod config_counter="-1" x config_worked=false
-	local RC_INDENTATION="${RC_INDENTATION}"
-	local -a config=() fallback=() fallback_route=() conf=() a=() b=()
-	local ifvar=$(bash_variable "$1") i= j= metric=0
-
-	# pre Start any modules with
-	for mod in ${MODULES[@]}; do
-		if is_function "${mod}_pre_start" ; then
-			${mod}_pre_start "${iface}" || { eend 1; return 1; }
-		fi
-	done
-
-	x="metric_${ifvar}"
-	# If we don't have a metric then calculate one
-	# Our modules will set the metric variable to a suitable base
-	# in their pre starts.
-	if [[ -z ${!x} ]] ; then
-		eval "metric_${ifvar}=\"$(calculate_metric "${iface}" "${metric}")\""
-	fi
-
-	# We now expand the configuration parameters and pray that the
-	# fallbacks expand to the same number as config or there will be
-	# trouble!
-	a="config_${ifvar}[@]"
-	a=( "${!a}" )
-	for (( i=0; i<${#a[@]}; i++ )); do 
-		eval b=( $(expand_parameters "${a[i]}") )
-		config=( "${config[@]}" "${b[@]}" )
-	done
-
-	a="fallback_${ifvar}[@]"
-	a=( "${!a}" )
-	for (( i=0; i<${#a[@]}; i++ )); do 
-		eval b=( $(expand_parameters "${a[i]}") )
-		fallback=( "${fallback[@]}" "${b[@]}" )
-	done
-
-	# We don't expand routes
-	fallback_route="fallback_route_${ifvar}[@]"
-	fallback_route=( "${!fallback_route}" )
-	
-	# We must support old configs
-	if [[ -z ${config} ]] ; then
-		interface_get_old_config "${iface}" || return 1
-		if [[ -n ${config} ]] ; then
-			ewarn "You are using a deprecated configuration syntax for ${iface}"
-			ewarn "You are advised to read /etc/conf.d/net.example and upgrade it accordingly"
-		fi
-	fi
-
-	# Handle "noop" correctly
-	if [[ ${config[0]} == "noop" ]] ; then
-		if interface_is_up "${iface}" true ; then
-			einfo "Keeping current configuration for ${iface}"
-			eend 0
-			return 0
-		fi
-
-		# Remove noop from the config var
-		config=( "${config[@]:1}" )
-	fi
-
-	# Provide a default of DHCP if no configuration is set and we're auto
-	# Otherwise a default of NULL
-	if [[ -z ${config} ]] ; then
-		ewarn "Configuration not set for ${iface} - assuming DHCP"
-		if is_function "dhcp_start" ; then
-			config=( "dhcp" )
-		else
-			eerror "No DHCP client installed"
-			return 1
-		fi
-	fi
-
-	einfo "Bringing up ${iface}"
-	eindent
-	for (( config_counter=0; config_counter<${#config[@]}; config_counter++ )); do
-		# Handle null and noop correctly
-		if [[ ${config[config_counter]} == "null" \
-			|| ${config[config_counter]} == "noop" ]] ; then
-			eend 0
-			config_worked=true
-			continue
-		fi
-
-		# We convert it to an array - this has the added
-		# bonus of trimming spaces!
-		conf=( ${config[config_counter]} )
-		einfo "${conf[0]}"
-
-		# Do we have a function for our config?
-		if is_function "${conf[0]}_start" ; then
-			eindent
-			${conf[0]}_start "${iface}" ; x=$?
-			eoutdent
-			[[ ${x} == 0 ]] && config_worked=true && continue
-			# We need to test to see if it's an IP address or a function
-			# We do this by testing if the 1st character is a digit
-		elif [[ ${conf[0]:0:1} == [[:digit:]] || ${conf[0]} == *:* ]] ; then
-			x="0"
-			if ! is_loopback "${iface}" ; then
-				if [[ " ${MODULES[@]} " == *" arping "* ]] ; then
-					if arping_address_exists "${iface}" "${conf[0]}" ; then
-						eerror "${conf[0]%%/*} already taken on ${iface}"
-						x="1"
-					fi
-				fi
-			fi
-			[[ ${x} == "0" ]] && interface_add_address "${iface}" ${conf[@]}; x="$?"
-			eend "${x}" && config_worked=true && continue
-		else
-			if [[ ${conf[0]} == "dhcp" ]] ; then
-				eerror "No DHCP client installed"
-			else
-				eerror "No loaded modules provide \"${conf[0]}\" (${conf[0]}_start)"
-			fi
-		fi
-
-		if [[ -n ${fallback[config_counter]} ]] ; then
-			einfo "Trying fallback configuration"
-			config[config_counter]="${fallback[config_counter]}"
-			fallback[config_counter]=""
-
-			# Do we have a fallback route?
-			if [[ -n ${fallback_route[config_counter]} ]] ; then
-				x="fallback_route[config_counter]"
-				eval "routes_${ifvar}=( \"\${!x}\" )"
-				fallback_route[config_counter]=""
-			fi
-
-			(( config_counter-- )) # since the loop will increment it
-			continue
-		fi
-	done
-	eoutdent
-
-	# We return failure if no configuration parameters worked
-	${config_worked} || return 1
-
-	# Start any modules with _post_start
-	for mod in ${MODULES[@]}; do
-		if is_function "${mod}_post_start" ; then
-			${mod}_post_start "${iface}" || return 1
-		fi
-	done
-
-	return 0
-}
-
-# bool iface_stop(char *interface)
-#
-# iface_stop: bring down an interface.  Don't trust information in
-# /etc/conf.d/net since the configuration might have changed since
-# iface_start ran.  Instead query for current configuration and bring
-# down the interface.
-iface_stop() {
-	local iface="$1" i= aliases= need_begin=false mod=
-	local RC_INDENTATION="${RC_INDENTATION}"
-
-	# pre Stop any modules
-	for mod in ${MODULES[@]}; do
-		if is_function "${mod}_pre_stop" ; then
-			${mod}_pre_stop "${iface}" || return 1
-		fi
-	done
-
-	einfo "Bringing down ${iface}"
-	eindent
-
-	# Collect list of aliases for this interface.
-	# List will be in reverse order.
-	if interface_exists "${iface}" ; then
-		aliases=$(interface_get_aliases_rev "${iface}")
-	fi
-
-	# Stop aliases before primary interface.
-	# Note this must be done in reverse order, since ifconfig eth0:1 
-	# will remove eth0:2, etc.  It might be sufficient to simply remove 
-	# the base interface but we're being safe here.
-	for i in ${aliases} ${iface}; do
-		# Stop all our modules
-		for mod in ${MODULES[@]}; do
-			if is_function "${mod}_stop" ; then
-				${mod}_stop "${i}" || return 1
-			fi
-		done
-
-		# A module may have removed the interface
-		if ! interface_exists "${iface}" ; then
-			eend 0
-			continue
-		fi
-
-		# We don't delete ppp assigned addresses
-		if ! is_function pppd_exists || ! pppd_exists "${i}" ; then
-			# Delete all the addresses for this alias
-			interface_del_addresses "${i}"
-		fi
-
-		# Do final shut down of this alias
-		if [[ ${IN_BACKGROUND} != "true" \
-			&& ${RC_DOWN_INTERFACE} == "yes" ]] ; then
-			ebegin "Shutting down ${i}"
-			interface_iface_stop "${i}"
-			eend "$?"
-		fi
-	done
-
-	# post Stop any modules
-	for mod in ${MODULES[@]}; do
-		# We have already taken down the interface, so no need to error
-		is_function "${mod}_post_stop" && ${mod}_post_stop "${iface}"
-	done
-
-	return 0
-}
-
-# bool run_start(char *iface)
-#
-# Brings up ${IFACE}.  Calls preup, iface_start, then postup.
-# Returns 0 (success) unless preup or iface_start returns 1 (failure).
-# Ignores the return value from postup.
-# We cannot check that the device exists ourselves as modules like
-# tuntap make create it.
-run_start() {
-	local iface="$1" IFVAR=$(bash_variable "$1")
-
-	# We do this so users can specify additional addresses for lo if they
-	# need too - additional routes too
-	# However, no extra modules are loaded as they are just not needed
-	if [[ ${iface} == "lo" ]] ; then
-		metric_lo="0"
-		config_lo=( "127.0.0.1/8 brd 127.255.255.255" "${config_lo[@]}" )
-		routes_lo=( "127.0.0.0/8" "${routes_lo[@]}" )
-	elif [[ ${iface} == "lo0" ]] ; then
-		metric_lo0="0"
-		config_lo0=( "127.0.0.1/8 brd 127.255.255.255" "${config_lo[@]}" )
-		routes_lo0=( "127.0.0.0/8" "${routes_lo[@]}" )
-	fi
-
-	# We may not have a loaded module for ${iface}
-	# Some users may have "alias natsemi eth0" in /etc/modules.d/foo
-	# so we can work with this
-	# However, if they do the same with eth1 and try to start it
-	# but eth0 has not been loaded then the module gets loaded as
-	# eth0.
-	# Not much we can do about this :(
-	# Also, we cannot error here as some modules - such as bridge
-	# create interfaces
-	if ! interface_exists "${iface}" ; then
-		/sbin/modprobe "${iface}" &>/dev/null
-	fi
-
-	# Call user-defined preup function if it exists
-	if is_function preup ; then
-		einfo "Running preup function"
-		eindent
-		( preup "${iface}" )
-		eend "$?" "preup ${iface} failed" || return 1
-		eoutdent
-	fi
-
-	# If config is set to noop and the interface is up with an address
-	# then we don't start it
-	local config=
-	config="config_${IFVAR}[@]"
-	config=( "${!config}" )
-	if [[ ${config[0]} == "noop" ]] && interface_is_up "${iface}" true ; then
-		einfo "Keeping current configuration for ${iface}"
-		eend 0
-	else
-		# Remove noop from the config var
-		[[ ${config[0]} == "noop" ]] \
-			&& eval "config_${IFVAR}=( "\"\$\{config\[@\]:1\}\"" )"
-
-		# There may be existing ip address info - so we strip it
-		if [[ ${RC_INTERFACE_KEEP_CONFIG} != "yes" \
-			&& ${IN_BACKGROUND} != "true" ]] ; then
-			interface_del_addresses "${iface}"
-		fi
-
-		# Start the interface
-		if ! iface_start "${iface}" ; then
-			if [[ ${IN_BACKGROUND} != "true" ]] ; then
-				interface_exists "${iface}" && interface_down "${iface}"
-			fi
-			eend 1
-			return 1
-		fi
-	fi
-
-	# Call user-defined postup function if it exists
-	if is_function postup ; then
-		# We need to mark the service as started incase a
-		# postdown function wants to restart services that depend on us
-		mark_service_started "net.${iface}"
-		end_service "net.${iface}" 0
-		einfo "Running postup function"
-		eindent
-		( postup "${iface}" )
-		eoutdent
-	fi
-
-	return 0
-}
-
-# bool run_stop(char *iface) {
-#
-# Brings down ${iface}.  If predown call returns non-zero, then
-# stop returns non-zero to indicate failure bringing down device.
-# In all other cases stop returns 0 to indicate success.
-run_stop() {
-	local iface="$1" IFVAR=$(bash_variable "$1") x
-
-	# Load our ESSID variable so users can use it in predown() instead
-	# of having to write code.
-	local ESSID=$(get_options ESSID) ESSIDVAR=
-	[[ -n ${ESSID} ]] && ESSIDVAR=$(bash_variable "${ESSID}")
-
-	# Call user-defined predown function if it exists
-	if is_function predown ; then
-		einfo "Running predown function"
-		eindent
-		( predown "${iface}" )
-		eend $? "predown ${iface} failed" || return 1
-		eoutdent
-	elif is_net_fs / ; then
-		eerror "root filesystem is network mounted -- can't stop ${iface}"
-		return 1
-	elif is_union_fs / ; then
-		for x in $(unionctl "${dir}" --list \
-		| sed -e 's/^\(.*\) .*/\1/') ; do
-			if is_net_fs "${x}" ; then
-				eerror "Part of the root filesystem is network mounted - cannot stop ${iface}"
-				return 1
-			fi
-		done
-	fi
-
-	iface_stop "${iface}" || return 1  # always succeeds, btw
-
-	# Release resolv.conf information.
-	[[ -x /sbin/resolvconf ]] && resolvconf -d "${iface}"
-	
-	# Mark us as inactive if called from the background
-	[[ ${IN_BACKGROUND} == "true" ]] && mark_service_inactive "net.${iface}"
-
-	# Call user-defined postdown function if it exists
-	if is_function postdown ; then
-		# We need to mark the service as stopped incase a
-		# postdown function wants to restart services that depend on us
-		[[ ${IN_BACKGROUND} != "true" ]] && mark_service_stopped "net.${iface}"
-		end_service "net.${iface}" 0
-		einfo "Running postdown function"
-		eindent
-		( postdown "${iface}" )
-		eoutdent
-	fi
-
-
-	return 0
-}
-
-# bool run(char *iface, char *cmd)
-#
-# Main start/stop entry point
-# We load modules here and remove any functions that they
-# added as we may be called inside the same shell scope for another interface
-run() {
-	local iface="$1" cmd="$2" r=1 RC_INDENTATION="${RC_INDENTATION}"
-	local starting=true
-	local -a MODULES=() mods=()
-	local IN_BACKGROUND="${IN_BACKGROUND}"
-
-	if [[ ${IN_BACKGROUND} == "true" || ${IN_BACKGROUND} == "1" ]] ; then
-		IN_BACKGROUND=true
-	else
-		IN_BACKGROUND=false
-	fi
-
-	# We need to override the exit function as runscript.sh now checks
-	# for it. We need it so we can mark the service as inactive ourselves.
-	unset -f exit
-
-	eindent
-	[[ ${cmd} == "stop" ]] && starting=false
-
-	# We force lo to only use these modules for a major speed boost
-	if is_loopback "${iface}" ; then	
-		modules_force=( "iproute2" "ifconfig" "system" )
-	fi
-
-	if modules_load "${iface}" "${starting}" ; then
-		if [[ ${cmd} == "stop" ]] ; then
-			# Reverse the module list for stopping
-			mods=( "${MODULES[@]}" )
-			for ((i = 0; i < ${#mods[@]}; i++)); do
-				MODULES[i]=${mods[((${#mods[@]} - i - 1))]}
-			done
-
-			run_stop "${iface}" && r=0
-		else
-			# Only hotplug on ethernet interfaces
-			if [[ ${IN_HOTPLUG} == 1 ]] ; then
-				if ! interface_is_ethernet "${iface}" ; then
-					eerror "We only hotplug for ethernet interfaces"
-					return 1
-				fi
-			fi
-
-			run_start "${iface}" && r=0
-		fi
-	fi
-
-	if [[ ${r} != "0" ]] ; then
-		if [[ ${cmd} == "start" ]] ; then
-			# Call user-defined failup if it exists
-			if is_function failup ; then
-				einfo "Running failup function"
-				eindent
-				( failup "${iface}" )
-				eoutdent
-			fi
-		else
-			# Call user-defined faildown if it exists
-			if is_function faildown ; then
-				einfo "Running faildown function"
-				eindent
-				( faildown "${iface}" )
-				eoutdent
-			fi
-		fi
-		[[ ${IN_BACKGROUND} == "true" ]] \
-			&& mark_service_inactive "net.${iface}"
-	fi
-
-	return "${r}"
-}
-
-# bool start(void)
-#
-# Start entry point so that we only have one function
-# which localises variables and unsets functions
-start() {
-	declare -r IFACE="${SVCNAME#*.}"
-	einfo "Starting ${IFACE}"
-	run "${IFACE}" start
-}
-
-# bool stop(void)
-#
-# Stop entry point so that we only have one function
-# which localises variables and unsets functions
-stop() {
-	declare -r IFACE="${SVCNAME#*.}"
-	einfo "Stopping ${IFACE}"
-	run "${IFACE}" stop
-}
-
-# vim:ts=4
diff --git a/testing/hosts/dave/etc/ipsec.conf b/testing/hosts/dave/etc/ipsec.conf
old mode 100755
new mode 100644
index 96502581e..5c546e260
--- a/testing/hosts/dave/etc/ipsec.conf
+++ b/testing/hosts/dave/etc/ipsec.conf
@@ -9,11 +9,11 @@ conn %default
 	keyingtries=1
 
 conn home
-	left=PH_IP_DAVE
+	left=192.168.0.200
 	leftcert=daveCert.pem
 	leftid=dave@strongswan.org
 	leftfirewall=yes
-	right=PH_IP_MOON
+	right=192.168.0.1
 	rightsubnet=10.1.0.0/16
 	rightid=@moon.strongswan.org
 	auto=add
diff --git a/testing/hosts/dave/etc/network/interfaces b/testing/hosts/dave/etc/network/interfaces
new file mode 100644
index 000000000..59e526751
--- /dev/null
+++ b/testing/hosts/dave/etc/network/interfaces
@@ -0,0 +1,12 @@
+auto lo
+iface lo inet loopback
+
+auto eth0
+iface eth0 inet static
+	address 192.168.0.200
+	netmask 255.255.255.0
+	broadcast 192.168.0.255
+	gateway 192.168.0.254
+iface eth0 inet6 static
+	address fec0::20
+	netmask 16
diff --git a/testing/hosts/dave/etc/runlevels/default/net.eth0 b/testing/hosts/dave/etc/runlevels/default/net.eth0
deleted file mode 100755
index 92b3851cf..000000000
--- a/testing/hosts/dave/etc/runlevels/default/net.eth0
+++ /dev/null
@@ -1,1124 +0,0 @@
-#!/sbin/runscript
-# Copyright (c) 2004-2006 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-# Contributed by Roy Marples (uberlord@gentoo.org)
-# Many thanks to Aron Griffis (agriffis@gentoo.org)
-# for help, ideas and patches
-
-#NB: Config is in /etc/conf.d/net
-
-# For pcmcia users. note that pcmcia must be added to the same
-# runlevel as the net.* script that needs it.
-depend() {
-	need localmount
-	after bootmisc hostname
-	use isapnp isdn pcmcia usb wlan
-
-	# Load any custom depend functions for the given interface
-	# For example, br0 may need eth0 and eth1
-	local iface="${SVCNAME#*.}"
-	[[ $(type -t "depend_${iface}") == "function" ]] && depend_${iface}
-
-	if [[ ${iface} != "lo" && ${iface} != "lo0" ]] ; then
-		after net.lo net.lo0
-
-		# Support new style RC_NEED and RC_USE in one net file
-		local x="RC_NEED_${iface}"
-		[[ -n ${!x} ]] && need ${!x}
-		x="RC_USE_${iface}"
-		[[ -n ${!x} ]] && use ${!x}
-	fi
-
-	return 0
-}
-
-# Define where our modules are
-MODULES_DIR="${svclib}/net"
-
-# Make some wrappers to fudge after/before/need/use depend flags.
-# These are callbacks so MODULE will be set.
-after() {
-	eval "${MODULE}_after() { echo \"$*\"; }"
-}
-before() {
-	eval "${MODULE}_before() { echo \"$*\"; }"
-}
-need() {
-	eval "${MODULE}_need() { echo \"$*\"; }"
-}
-installed() {
-	# We deliberately misspell this as _installed will probably be used
-	# at some point
-	eval "${MODULE}_instlled() { echo \"$*\"; }"
-}
-provide() {
-	eval "${MODULE}_provide() { echo \"$*\"; }"
-}
-functions() {
-	eval "${MODULE}_functions() { echo \"$*\"; }"
-}
-variables() {
-	eval "${MODULE}_variables() { echo \"$*\"; }"
-}
-
-is_loopback() {
-	[[ $1 == "lo" || $1 == "lo0" ]]
-}
-
-# char* interface_device(char *iface)
-#
-# Gets the base device of the interface
-# Can handle eth0:1 and eth0.1
-# Which returns eth0 in this case
-interface_device() {
-	local dev="${1%%.*}"
-	[[ ${dev} == "$1" ]] && dev="${1%%:*}"
-	echo "${dev}"
-}
-
-# char* interface_type(char* iface)
-#
-# Returns the base type of the interface
-# eth, ippp, etc
-interface_type() {
-	echo "${1%%[0-9]*}"
-}
-
-# int calculate_metric(char *interface, int base)
-#
-# Calculates the best metric for the interface
-# We use this when we add routes so we can prefer interfaces over each other
-calculate_metric() {
-	local iface="$1" metric="$2"
-
-	# Have we already got a metric?
-	local m=$(awk '$1=="'${iface}'" && $2=="00000000" { print $7 }' \
-		/proc/net/route)
-	if [[ -n ${m} ]] ; then
-		echo "${m}"
-		return 0
-	fi
-
-	local i= dest= gw= flags= ref= u= m= mtu= metrics=
-	while read i dest gw flags ref u m mtu ; do
-		# Ignore lo
-		is_loopback "${i}" && continue
-		# We work out metrics from default routes only
-		[[ ${dest} != "00000000" || ${gw} == "00000000" ]] && continue
-		metrics="${metrics}\n${m}"
-	done < /proc/net/route
-
-	# Now, sort our metrics
-	metrics=$(echo -e "${metrics}" | sort -n)
-
-	# Now, find the lowest we can use
-	local gotbase=false
-	for m in ${metrics} ; do
-		[[ ${m} -lt ${metric} ]] && continue
-		[[ ${m} == ${metric} ]] && ((metric++))
-		[[ ${m} -gt ${metric} ]] && break
-	done
-	
-	echo "${metric}"
-}
-
-# int netmask2cidr(char *netmask)
-#
-# Returns the CIDR of a given netmask
-netmask2cidr() {
-	local binary= i= bin=
-
-	for i in ${1//./ }; do
-		bin=""
-		while [[ ${i} != "0" ]] ; do
-			bin=$[${i}%2]${bin}
-			(( i=i>>1 ))
-		done
-		binary="${binary}${bin}"
-	done
-	binary="${binary%%0*}"
-	echo "${#binary}"
-}
-
-
-# bool is_function(char* name)
-#
-# Returns 0 if the given name is a shell function, otherwise 1
-is_function() {
-	[[ -z $1 ]] && return 1
-	[[ $(type -t "$1") == "function" ]]
-}
-
-# void function_wrap(char* source, char* target)
-#
-# wraps function calls - for example function_wrap(this, that)
-# maps function names this_* to that_*
-function_wrap() {
-	local i=
-
-	is_function "${2}_depend" && return
-
-	for i in $(typeset -f | grep -o '^'"${1}"'_[^ ]*'); do
-		eval "${2}${i#${1}}() { ${i} \"\$@\"; }"
-	done
-}
-
-# char[] * expand_parameters(char *cmd)
-#
-# Returns an array after expanding parameters. For example
-# "192.168.{1..3}.{1..3}/24 brd +"
-# will return
-# "192.168.1.1/24 brd +"
-# "192.168.1.2/24 brd +"
-# "192.168.1.3/24 brd +"
-# "192.168.2.1/24 brd +"
-# "192.168.2.2/24 brd +"
-# "192.168.2.3/24 brd +"
-# "192.168.3.1/24 brd +"
-# "192.168.3.2/24 brd +"
-# "192.168.3.3/24 brd +"
-expand_parameters() {
-	local x=$(eval echo ${@// /_})
-	local -a a=( ${x} )
-
-	a=( "${a[@]/#/\"}" )
-	a=( "${a[@]/%/\"}" )
-	echo "${a[*]//_/ }"
-}
-
-# void configure_variables(char *interface, char *option1, [char *option2])
-#
-# Maps configuration options from <variable>_<option> to <variable>_<iface>
-# option2 takes precedence over option1
-configure_variables() {
-	local iface="$1" option1="$2" option2="$3"
-
-	local mod= func= x= i=
-	local -a ivars=() ovars1=() ovars2=()
-	local ifvar=$(bash_variable "${iface}")
-
-	for mod in ${MODULES[@]}; do
-		is_function ${mod}_variables || continue
-		for v in $(${mod}_variables) ; do
-			x=
-			[[ -n ${option2} ]] && x="${v}_${option2}[@]"
-			[[ -z ${!x} ]] && x="${v}_${option1}[@]"
-			[[ -n ${!x} ]] && eval "${v}_${ifvar}=( \"\${!x}\" )"
-		done
-	done
-
-	return 0
-}
-# bool module_load_minimum(char *module)
-#
-# Does the minimum checking on a module - even when forcing
-module_load_minimum() {
-	local f="$1.sh" MODULE="${1##*/}"
-
-	if [[ ! -f ${f} ]] ; then
-		eerror "${f} does not exist"
-		return 1
-	fi
-
-	if ! source "${f}" ; then
-		eerror "${MODULE} failed a sanity check"
-		return 1
-	fi
-
-	for f in depend; do
-		is_function "${MODULE}_${f}" && continue
-		eerror "${MODULE}.sh does not support the required function ${f}"
-		return 1
-	done
-
-	return 0
-}
-
-# bool modules_load_auto()
-#
-# Load and check each module for sanity
-# If the module is not installed, the functions are to be removed
-modules_load_auto() {
-	local i j inst
-
-	# Populate the MODULES array
-	# Basically we treat evey file in ${MODULES_DIR} as a module
-	MODULES=( $( cd "${MODULES_DIR}" ; ls *.sh ) )
-	j="${#MODULES[@]}"
-	for (( i=0; i<j; i++ )); do
-		MODULES[i]="${MODULES_DIR}/${MODULES[i]}"
-		[[ ! -f ${MODULES[i]} ]] && unset MODULES[i]
-	done
-	MODULES=( "${MODULES[@]}" )
-
-	# Each of these sources into the global namespace, so it's
-	# important that module functions and variables are prefixed with
-	# the module name, for example iproute2_
-
-	j="${#MODULES[@]}"
-	loaded_interface=false
-	for (( i=0; i<j; i++ )); do
-		MODULES[i]="${MODULES[i]%.sh*}"
-		if [[ ${MODULES[i]##*/} == "interface" ]] ; then
-			eerror "interface is a reserved name - cannot load a module called interface"
-			return 1
-		fi
-		
-		(
-		u=0;
-		module_load_minimum "${MODULES[i]}" || u=1;
-		if [[ ${u} == 0 ]] ; then
-			inst="${MODULES[i]##*/}_check_installed";
-			if is_function "${inst}" ; then
-				${inst} false || u=1;
-			fi
-		fi
-		exit "${u}";
-		)
-
-		if [[ $? == 0 ]] ; then
-			source "${MODULES[i]}.sh"
-			MODULES[i]="${MODULES[i]##*/}"
-		else
-			unset MODULES[i]
-		fi
-	done
-
-	MODULES=( "${MODULES[@]}" )
-	return 0
-}
-
-# bool modules_check_installed(void)
-#
-# Ensure that all modules have the required modules loaded
-# This enables us to remove modules from the MODULES array
-# Whilst other modules can still explicitly call them
-# One example of this is essidnet which configures network
-# settings for the specific ESSID connected to as the user
-# may be using a daemon to configure wireless instead of our
-# iwconfig module
-modules_check_installed() {
-	local i j missingdeps nmods="${#MODULES[@]}"
-
-	for (( i=0; i<nmods; i++ )); do
-		is_function "${MODULES[i]}_instlled" || continue
-		for j in $( ${MODULES[i]}_instlled ); do
-			missingdeps=true
-			if is_function "${j}_check_installed" ; then
-				${j}_check_installed && missingdeps=false
-			elif is_function "${j}_depend" ; then
-				missingdeps=false
-			fi
-			${missingdeps} && unset MODULES[i] && unset PROVIDES[i] && break
-		done
-	done
-
-	MODULES=( "${MODULES[@]}" )
-	PROVIDES=( "${PROVIDES[@]}" )
-}
-
-# bool modules_check_user(void)
-modules_check_user() {
-	local iface="$1" ifvar=$(bash_variable "${IFACE}")
-	local i= j= k= l= nmods="${#MODULES[@]}"
-	local -a umods=()
-
-	# Has the interface got any specific modules?
-	umods="modules_${ifvar}[@]"
-	umods=( "${!umods}" )
-
-	# Global setting follows interface-specific setting
-	umods=( "${umods[@]}" "${modules[@]}" )
-
-	# Add our preferred modules
-	local -a pmods=( "iproute2" "dhcpcd" "iwconfig" "netplugd" )
-	umods=( "${umods[@]}" "${pmods[@]}" )
-
-	# First we strip any modules that conflict from user settings
-	# So if the user specifies pump then we don't use dhcpcd
-	for (( i=0; i<${#umods[@]}; i++ )); do
-		# Some users will inevitably put "dhcp" in their modules
-		# list.  To keep users from screwing up their system this
-		# way, ignore this setting so that the default dhcp
-		# module will be used.
-		[[ ${umods[i]} == "dhcp" ]] && continue
-
-		# We remove any modules we explicitly don't want
-		if [[ ${umods[i]} == "!"* ]] ; then
-			for (( j=0; j<nmods; j++ )); do
-				[[ -z ${MODULES[j]} ]] && continue
-				if [[ ${umods[i]:1} == "${MODULES[j]}" \
-					|| ${umods[i]:1} == "${PROVIDES[j]}" ]] ; then
-					# We may need to setup a class wrapper for it even though
-					# we don't use it directly
-					# However, we put it into an array and wrap later as
-					# another module may provide the same thing
-					${MODULES[j]}_check_installed \
-						&& WRAP_MODULES=(
-							"${WRAP_MODULES[@]}"
-							"${MODULES[j]} ${PROVIDES[j]}"
-						)
-					unset MODULES[j]
-					unset PROVIDES[j]
-				fi
-			done
-			continue
-		fi
-
-		if ! is_function "${umods[i]}_depend" ; then
-			# If the module is one of our preferred modules, then
-			# ignore this error; whatever is available will be
-			# used instead.
-			(( i < ${#umods[@]} - ${#pmods[@]} )) || continue
-
-			# The function may not exist because the modules software is
-			# not installed. Load the module and report its error
-			if [[ -e "${MODULES_DIR}/${umods[i]}.sh" ]] ; then
-				source "${MODULES_DIR}/${umods[i]}.sh"
-				is_function "${umods[i]}_check_installed" \
-					&& ${umods[i]}_check_installed true
-			else
-				eerror "The module \"${umods[i]}\" does not exist"
-			fi
-			return 1
-		fi
-
-		if is_function "${umods[i]}_provide" ; then
-			mod=$(${umods[i]}_provide)
-		else
-			mod="${umods[i]}"
-		fi
-		for (( j=0; j<nmods; j++ )); do
-			[[ -z ${MODULES[j]} ]] && continue
-			if [[ ${PROVIDES[j]} == "${mod}" && ${umods[i]} != "${MODULES[j]}" ]] ; then
-				# We don't have a match - now ensure that we still provide an
-				# alternative. This is to handle our preferred modules.
-				for (( l=0; l<nmods; l++ )); do
-					[[ ${l} == "${j}" || -z ${MODULES[l]} ]] && continue
-					if [[ ${PROVIDES[l]} == "${mod}" ]] ; then
-						unset MODULES[j]
-						unset PROVIDES[j]
-						break
-					fi
-				done
-			fi
-		done
-	done
-
-	# Then we strip conflicting modules.
-	# We only need to do this for 3rd party modules that conflict with
-	# our own modules and the preferred list AND the user modules
-	# list doesn't specify a preference.
-	for (( i=0; i<nmods-1; i++ )); do
-		[[ -z ${MODULES[i]} ]] && continue			
-		for (( j=i+1; j<nmods; j++)); do
-			[[ -z ${MODULES[j]} ]] && continue
-			[[ ${PROVIDES[i]} == "${PROVIDES[j]}" ]] \
-			&& unset MODULES[j] && unset PROVIDES[j]
-		done
-	done
-
-	MODULES=( "${MODULES[@]}" )
-	PROVIDES=( "${PROVIDES[@]}" )
-	return 0
-}
-
-# void modules_sort(void)
-#
-# Sort our modules
-modules_sort() {
-	local i= j= nmods=${#MODULES[@]} m=
-	local -a provide=() provide_list=() after=() dead=() sorted=() sortedp=()
-
-	# Make our provide list
-	for ((i=0; i<nmods; i++)); do
-		dead[i]="false"
-		if [[ ${MODULES[i]} != "${PROVIDES[i]}" ]] ; then
-			local provided=false
-			for ((j=0; j<${#provide[@]}; j++)); do
-				if [[ ${provide[j]} == "${PROVIDES[i]}" ]] ; then
-					provide_list[j]="${provide_list[j]} ${MODULES[i]}"
-					provided=true
-				fi
-			done
-			if ! ${provided}; then
-				provide[j]="${PROVIDES[i]}"
-				provide_list[j]="${MODULES[i]}"
-			fi
-		fi
-	done
-
-	# Create an after array, which holds which modules the module at
-	# index i must be after
-	for ((i=0; i<nmods; i++)); do
-		if is_function "${MODULES[i]}_after" ; then
-			after[i]=" ${after[i]} $(${MODULES[i]}_after) "
-		fi
-		if is_function "${MODULES[i]}_before" ; then
-			for m in $(${MODULES[i]}_before); do
-				for ((j=0; j<nmods; j++)) ; do
-					if [[ ${PROVIDES[j]} == "${m}" ]] ; then
-						after[j]=" ${after[j]} ${MODULES[i]} "
-						break
-					fi
-				done
-			done
-		fi
-	done
-
-	# Replace the after list modules with real modules
-	for ((i=0; i<nmods; i++)); do
-		if [[ -n ${after[i]} ]] ; then
-			for ((j=0; j<${#provide[@]}; j++)); do
-				after[i]="${after[i]// ${provide[j]} / ${provide_list[j]} }"
-			done
-		fi
-	done
-	
-	# We then use the below code to provide a topologial sort
-    module_after_visit() {
-        local name="$1" i= x=
-
-		for ((i=0; i<nmods; i++)); do
-			[[ ${MODULES[i]} == "$1" ]] && break
-		done
-
-        ${dead[i]} && return
-        dead[i]="true"
-
-        for x in ${after[i]} ; do
-            module_after_visit "${x}"
-        done
-
-        sorted=( "${sorted[@]}" "${MODULES[i]}" )
-		sortedp=( "${sortedp[@]}" "${PROVIDES[i]}" )
-    }
-
-	for x in ${MODULES[@]}; do
-		module_after_visit "${x}"
-	done
-
-	MODULES=( "${sorted[@]}" )
-	PROVIDES=( "${sortedp[@]}" )
-}
-
-# bool modules_check_depends(bool showprovides)
-modules_check_depends() {
-	local showprovides="${1:-false}" nmods="${#MODULES[@]}" i= j= needmod=
-	local missingdeps= p= interface=false
-
-	for (( i=0; i<nmods; i++ )); do
-		if is_function "${MODULES[i]}_need" ; then
-			for needmod in $(${MODULES[i]}_need); do
-				missingdeps=true
-				for (( j=0; j<nmods; j++ )); do
-					if [[ ${needmod} == "${MODULES[j]}" \
-						|| ${needmod} == "${PROVIDES[j]}" ]] ; then
-						missingdeps=false
-						break
-					fi
-				done
-				if ${missingdeps} ; then
-					eerror "${MODULES[i]} needs ${needmod} (dependency failure)"
-					return 1
-				fi
-			done
-		fi
-
-		if is_function "${MODULES[i]}_functions" ; then
-			for f in $(${MODULES[i]}_functions); do
-				if ! is_function "${f}" ; then
-					eerror "${MODULES[i]}: missing required function \"${f}\""
-					return 1
-				fi
-			done
-		fi
-
-		[[ ${PROVIDES[i]} == "interface" ]] && interface=true
-
-		if ${showprovides} ; then
-			[[ ${PROVIDES[i]} != "${MODULES[i]}" ]] \
-			&& veinfo "${MODULES[i]} provides ${PROVIDES[i]}"
-		fi
-	done
-
-	if ! ${interface} ; then
-		eerror "no interface module has been loaded"
-		return 1
-	fi
-
-	return 0
-}
-
-# bool modules_load(char *iface, bool starting)
-#
-# Loads the defined handler and modules for the interface
-# Returns 0 on success, otherwise 1
-modules_load()  {
-	local iface="$1" starting="${2:-true}" MODULE= p=false i= j= k=
-	local -a x=()
-	local RC_INDENTATION="${RC_INDENTATION}"
-	local -a PROVIDES=() WRAP_MODULES=()
-
-	if ! is_loopback "${iface}" ; then
-		x="modules_force_${iface}[@]"
-		[[ -n ${!x} ]] && modules_force=( "${!x}" )
-		if [[ -n ${modules_force} ]] ; then
-			ewarn "WARNING: You are forcing modules!"
-			ewarn "Do not complain or file bugs if things start breaking"
-			report=true
-		fi
-	fi
-
-	veinfo "Loading networking modules for ${iface}"
-	eindent
-
-	if [[ -z ${modules_force} ]] ; then
-		modules_load_auto || return 1
-	else
-		j="${#modules_force[@]}"
-		for (( i=0; i<j; i++ )); do
-			module_load_minimum "${MODULES_DIR}/${modules_force[i]}" || return 1
-			if is_function "${modules_force[i]}_check_installed" ; then
-				${modules_force[i]}_check_installed || unset modules_force[i]
-			fi
-		done
-		MODULES=( "${modules_force[@]}" )
-	fi
-
-	j="${#MODULES[@]}"
-	for (( i=0; i<j; i++ )); do
-		# Now load our dependencies - we need to use the MODULE variable
-		# here as the after/before/need functions use it
-		MODULE="${MODULES[i]}"
-		${MODULE}_depend
-
-		# expose does exactly the same thing as depend
-		# However it is more "correct" as it exposes things to other modules
-		# instead of depending on them ;)
-		is_function "${MODULES[i]}_expose" && ${MODULES[i]}_expose
-
-		# If no provide is given, assume module name
-		if is_function "${MODULES[i]}_provide" ; then
-			PROVIDES[i]=$(${MODULES[i]}_provide)
-		else
-			PROVIDES[i]="${MODULES[i]}"
-		fi
-	done
-
-	if [[ -n ${modules_force[@]} ]] ; then
-		# Strip any duplicate modules providing the same thing
-		j="${#MODULES[@]}"
-		for (( i=0; i<j-1; i++ )); do
-			[[ -z ${MODULES[i]} ]] && continue
-			for (( k=i+1; k<j; k++ )); do
-				if [[ ${PROVIDES[i]} == ${PROVIDES[k]} ]] ; then
-					unset MODULES[k]
-					unset PROVIDES[k]
-				fi
-			done
-		done
-		MODULES=( "${MODULES[@]}" )
-		PROVIDES=( "${PROVIDES[@]}" )
-	else
-		if ${starting}; then
-			modules_check_user "${iface}" || return 1
-		else
-			# Always prefer iproute2 for taking down interfaces
-			if is_function iproute2_provide ; then
-				function_wrap iproute2 "$(iproute2_provide)"
-			fi
-		fi
-	fi
-	
-	# Wrap our modules
-	j="${#MODULES[@]}"
-	for (( i=0; i<j; i++ )); do
-		function_wrap "${MODULES[i]}" "${PROVIDES[i]}"
-	done
-	j="${#WRAP_MODULES[@]}"
-	for (( i=0; i<j; i++ )); do
-		function_wrap ${WRAP_MODULES[i]}
-	done
-	
-	if [[ -z ${modules_force[@]} ]] ; then
-		modules_check_installed || return 1
-		modules_sort || return 1
-	fi
-
-	veinfo "modules: ${MODULES[@]}"
-	eindent
-
-	${starting} && p=true
-	modules_check_depends "${p}" || return 1
-	return 0
-}
-
-# bool iface_start(char *interface)
-#
-# iface_start is called from start.  It's expected to start the base
-# interface (for example "eth0"), aliases (for example "eth0:1") and to start
-# VLAN interfaces (for example eth0.0, eth0.1).  VLAN setup is accomplished by
-# calling itself recursively.
-iface_start() {
-	local iface="$1" mod config_counter="-1" x config_worked=false
-	local RC_INDENTATION="${RC_INDENTATION}"
-	local -a config=() fallback=() fallback_route=() conf=() a=() b=()
-	local ifvar=$(bash_variable "$1") i= j= metric=0
-
-	# pre Start any modules with
-	for mod in ${MODULES[@]}; do
-		if is_function "${mod}_pre_start" ; then
-			${mod}_pre_start "${iface}" || { eend 1; return 1; }
-		fi
-	done
-
-	x="metric_${ifvar}"
-	# If we don't have a metric then calculate one
-	# Our modules will set the metric variable to a suitable base
-	# in their pre starts.
-	if [[ -z ${!x} ]] ; then
-		eval "metric_${ifvar}=\"$(calculate_metric "${iface}" "${metric}")\""
-	fi
-
-	# We now expand the configuration parameters and pray that the
-	# fallbacks expand to the same number as config or there will be
-	# trouble!
-	a="config_${ifvar}[@]"
-	a=( "${!a}" )
-	for (( i=0; i<${#a[@]}; i++ )); do 
-		eval b=( $(expand_parameters "${a[i]}") )
-		config=( "${config[@]}" "${b[@]}" )
-	done
-
-	a="fallback_${ifvar}[@]"
-	a=( "${!a}" )
-	for (( i=0; i<${#a[@]}; i++ )); do 
-		eval b=( $(expand_parameters "${a[i]}") )
-		fallback=( "${fallback[@]}" "${b[@]}" )
-	done
-
-	# We don't expand routes
-	fallback_route="fallback_route_${ifvar}[@]"
-	fallback_route=( "${!fallback_route}" )
-	
-	# We must support old configs
-	if [[ -z ${config} ]] ; then
-		interface_get_old_config "${iface}" || return 1
-		if [[ -n ${config} ]] ; then
-			ewarn "You are using a deprecated configuration syntax for ${iface}"
-			ewarn "You are advised to read /etc/conf.d/net.example and upgrade it accordingly"
-		fi
-	fi
-
-	# Handle "noop" correctly
-	if [[ ${config[0]} == "noop" ]] ; then
-		if interface_is_up "${iface}" true ; then
-			einfo "Keeping current configuration for ${iface}"
-			eend 0
-			return 0
-		fi
-
-		# Remove noop from the config var
-		config=( "${config[@]:1}" )
-	fi
-
-	# Provide a default of DHCP if no configuration is set and we're auto
-	# Otherwise a default of NULL
-	if [[ -z ${config} ]] ; then
-		ewarn "Configuration not set for ${iface} - assuming DHCP"
-		if is_function "dhcp_start" ; then
-			config=( "dhcp" )
-		else
-			eerror "No DHCP client installed"
-			return 1
-		fi
-	fi
-
-	einfo "Bringing up ${iface}"
-	eindent
-	for (( config_counter=0; config_counter<${#config[@]}; config_counter++ )); do
-		# Handle null and noop correctly
-		if [[ ${config[config_counter]} == "null" \
-			|| ${config[config_counter]} == "noop" ]] ; then
-			eend 0
-			config_worked=true
-			continue
-		fi
-
-		# We convert it to an array - this has the added
-		# bonus of trimming spaces!
-		conf=( ${config[config_counter]} )
-		einfo "${conf[0]}"
-
-		# Do we have a function for our config?
-		if is_function "${conf[0]}_start" ; then
-			eindent
-			${conf[0]}_start "${iface}" ; x=$?
-			eoutdent
-			[[ ${x} == 0 ]] && config_worked=true && continue
-			# We need to test to see if it's an IP address or a function
-			# We do this by testing if the 1st character is a digit
-		elif [[ ${conf[0]:0:1} == [[:digit:]] || ${conf[0]} == *:* ]] ; then
-			x="0"
-			if ! is_loopback "${iface}" ; then
-				if [[ " ${MODULES[@]} " == *" arping "* ]] ; then
-					if arping_address_exists "${iface}" "${conf[0]}" ; then
-						eerror "${conf[0]%%/*} already taken on ${iface}"
-						x="1"
-					fi
-				fi
-			fi
-			[[ ${x} == "0" ]] && interface_add_address "${iface}" ${conf[@]}; x="$?"
-			eend "${x}" && config_worked=true && continue
-		else
-			if [[ ${conf[0]} == "dhcp" ]] ; then
-				eerror "No DHCP client installed"
-			else
-				eerror "No loaded modules provide \"${conf[0]}\" (${conf[0]}_start)"
-			fi
-		fi
-
-		if [[ -n ${fallback[config_counter]} ]] ; then
-			einfo "Trying fallback configuration"
-			config[config_counter]="${fallback[config_counter]}"
-			fallback[config_counter]=""
-
-			# Do we have a fallback route?
-			if [[ -n ${fallback_route[config_counter]} ]] ; then
-				x="fallback_route[config_counter]"
-				eval "routes_${ifvar}=( \"\${!x}\" )"
-				fallback_route[config_counter]=""
-			fi
-
-			(( config_counter-- )) # since the loop will increment it
-			continue
-		fi
-	done
-	eoutdent
-
-	# We return failure if no configuration parameters worked
-	${config_worked} || return 1
-
-	# Start any modules with _post_start
-	for mod in ${MODULES[@]}; do
-		if is_function "${mod}_post_start" ; then
-			${mod}_post_start "${iface}" || return 1
-		fi
-	done
-
-	return 0
-}
-
-# bool iface_stop(char *interface)
-#
-# iface_stop: bring down an interface.  Don't trust information in
-# /etc/conf.d/net since the configuration might have changed since
-# iface_start ran.  Instead query for current configuration and bring
-# down the interface.
-iface_stop() {
-	local iface="$1" i= aliases= need_begin=false mod=
-	local RC_INDENTATION="${RC_INDENTATION}"
-
-	# pre Stop any modules
-	for mod in ${MODULES[@]}; do
-		if is_function "${mod}_pre_stop" ; then
-			${mod}_pre_stop "${iface}" || return 1
-		fi
-	done
-
-	einfo "Bringing down ${iface}"
-	eindent
-
-	# Collect list of aliases for this interface.
-	# List will be in reverse order.
-	if interface_exists "${iface}" ; then
-		aliases=$(interface_get_aliases_rev "${iface}")
-	fi
-
-	# Stop aliases before primary interface.
-	# Note this must be done in reverse order, since ifconfig eth0:1 
-	# will remove eth0:2, etc.  It might be sufficient to simply remove 
-	# the base interface but we're being safe here.
-	for i in ${aliases} ${iface}; do
-		# Stop all our modules
-		for mod in ${MODULES[@]}; do
-			if is_function "${mod}_stop" ; then
-				${mod}_stop "${i}" || return 1
-			fi
-		done
-
-		# A module may have removed the interface
-		if ! interface_exists "${iface}" ; then
-			eend 0
-			continue
-		fi
-
-		# We don't delete ppp assigned addresses
-		if ! is_function pppd_exists || ! pppd_exists "${i}" ; then
-			# Delete all the addresses for this alias
-			interface_del_addresses "${i}"
-		fi
-
-		# Do final shut down of this alias
-		if [[ ${IN_BACKGROUND} != "true" \
-			&& ${RC_DOWN_INTERFACE} == "yes" ]] ; then
-			ebegin "Shutting down ${i}"
-			interface_iface_stop "${i}"
-			eend "$?"
-		fi
-	done
-
-	# post Stop any modules
-	for mod in ${MODULES[@]}; do
-		# We have already taken down the interface, so no need to error
-		is_function "${mod}_post_stop" && ${mod}_post_stop "${iface}"
-	done
-
-	return 0
-}
-
-# bool run_start(char *iface)
-#
-# Brings up ${IFACE}.  Calls preup, iface_start, then postup.
-# Returns 0 (success) unless preup or iface_start returns 1 (failure).
-# Ignores the return value from postup.
-# We cannot check that the device exists ourselves as modules like
-# tuntap make create it.
-run_start() {
-	local iface="$1" IFVAR=$(bash_variable "$1")
-
-	# We do this so users can specify additional addresses for lo if they
-	# need too - additional routes too
-	# However, no extra modules are loaded as they are just not needed
-	if [[ ${iface} == "lo" ]] ; then
-		metric_lo="0"
-		config_lo=( "127.0.0.1/8 brd 127.255.255.255" "${config_lo[@]}" )
-		routes_lo=( "127.0.0.0/8" "${routes_lo[@]}" )
-	elif [[ ${iface} == "lo0" ]] ; then
-		metric_lo0="0"
-		config_lo0=( "127.0.0.1/8 brd 127.255.255.255" "${config_lo[@]}" )
-		routes_lo0=( "127.0.0.0/8" "${routes_lo[@]}" )
-	fi
-
-	# We may not have a loaded module for ${iface}
-	# Some users may have "alias natsemi eth0" in /etc/modules.d/foo
-	# so we can work with this
-	# However, if they do the same with eth1 and try to start it
-	# but eth0 has not been loaded then the module gets loaded as
-	# eth0.
-	# Not much we can do about this :(
-	# Also, we cannot error here as some modules - such as bridge
-	# create interfaces
-	if ! interface_exists "${iface}" ; then
-		/sbin/modprobe "${iface}" &>/dev/null
-	fi
-
-	# Call user-defined preup function if it exists
-	if is_function preup ; then
-		einfo "Running preup function"
-		eindent
-		( preup "${iface}" )
-		eend "$?" "preup ${iface} failed" || return 1
-		eoutdent
-	fi
-
-	# If config is set to noop and the interface is up with an address
-	# then we don't start it
-	local config=
-	config="config_${IFVAR}[@]"
-	config=( "${!config}" )
-	if [[ ${config[0]} == "noop" ]] && interface_is_up "${iface}" true ; then
-		einfo "Keeping current configuration for ${iface}"
-		eend 0
-	else
-		# Remove noop from the config var
-		[[ ${config[0]} == "noop" ]] \
-			&& eval "config_${IFVAR}=( "\"\$\{config\[@\]:1\}\"" )"
-
-		# There may be existing ip address info - so we strip it
-		if [[ ${RC_INTERFACE_KEEP_CONFIG} != "yes" \
-			&& ${IN_BACKGROUND} != "true" ]] ; then
-			interface_del_addresses "${iface}"
-		fi
-
-		# Start the interface
-		if ! iface_start "${iface}" ; then
-			if [[ ${IN_BACKGROUND} != "true" ]] ; then
-				interface_exists "${iface}" && interface_down "${iface}"
-			fi
-			eend 1
-			return 1
-		fi
-	fi
-
-	# Call user-defined postup function if it exists
-	if is_function postup ; then
-		# We need to mark the service as started incase a
-		# postdown function wants to restart services that depend on us
-		mark_service_started "net.${iface}"
-		end_service "net.${iface}" 0
-		einfo "Running postup function"
-		eindent
-		( postup "${iface}" )
-		eoutdent
-	fi
-
-	return 0
-}
-
-# bool run_stop(char *iface) {
-#
-# Brings down ${iface}.  If predown call returns non-zero, then
-# stop returns non-zero to indicate failure bringing down device.
-# In all other cases stop returns 0 to indicate success.
-run_stop() {
-	local iface="$1" IFVAR=$(bash_variable "$1") x
-
-	# Load our ESSID variable so users can use it in predown() instead
-	# of having to write code.
-	local ESSID=$(get_options ESSID) ESSIDVAR=
-	[[ -n ${ESSID} ]] && ESSIDVAR=$(bash_variable "${ESSID}")
-
-	# Call user-defined predown function if it exists
-	if is_function predown ; then
-		einfo "Running predown function"
-		eindent
-		( predown "${iface}" )
-		eend $? "predown ${iface} failed" || return 1
-		eoutdent
-	elif is_net_fs / ; then
-		eerror "root filesystem is network mounted -- can't stop ${iface}"
-		return 1
-	elif is_union_fs / ; then
-		for x in $(unionctl "${dir}" --list \
-		| sed -e 's/^\(.*\) .*/\1/') ; do
-			if is_net_fs "${x}" ; then
-				eerror "Part of the root filesystem is network mounted - cannot stop ${iface}"
-				return 1
-			fi
-		done
-	fi
-
-	iface_stop "${iface}" || return 1  # always succeeds, btw
-
-	# Release resolv.conf information.
-	[[ -x /sbin/resolvconf ]] && resolvconf -d "${iface}"
-	
-	# Mark us as inactive if called from the background
-	[[ ${IN_BACKGROUND} == "true" ]] && mark_service_inactive "net.${iface}"
-
-	# Call user-defined postdown function if it exists
-	if is_function postdown ; then
-		# We need to mark the service as stopped incase a
-		# postdown function wants to restart services that depend on us
-		[[ ${IN_BACKGROUND} != "true" ]] && mark_service_stopped "net.${iface}"
-		end_service "net.${iface}" 0
-		einfo "Running postdown function"
-		eindent
-		( postdown "${iface}" )
-		eoutdent
-	fi
-
-
-	return 0
-}
-
-# bool run(char *iface, char *cmd)
-#
-# Main start/stop entry point
-# We load modules here and remove any functions that they
-# added as we may be called inside the same shell scope for another interface
-run() {
-	local iface="$1" cmd="$2" r=1 RC_INDENTATION="${RC_INDENTATION}"
-	local starting=true
-	local -a MODULES=() mods=()
-	local IN_BACKGROUND="${IN_BACKGROUND}"
-
-	if [[ ${IN_BACKGROUND} == "true" || ${IN_BACKGROUND} == "1" ]] ; then
-		IN_BACKGROUND=true
-	else
-		IN_BACKGROUND=false
-	fi
-
-	# We need to override the exit function as runscript.sh now checks
-	# for it. We need it so we can mark the service as inactive ourselves.
-	unset -f exit
-
-	eindent
-	[[ ${cmd} == "stop" ]] && starting=false
-
-	# We force lo to only use these modules for a major speed boost
-	if is_loopback "${iface}" ; then	
-		modules_force=( "iproute2" "ifconfig" "system" )
-	fi
-
-	if modules_load "${iface}" "${starting}" ; then
-		if [[ ${cmd} == "stop" ]] ; then
-			# Reverse the module list for stopping
-			mods=( "${MODULES[@]}" )
-			for ((i = 0; i < ${#mods[@]}; i++)); do
-				MODULES[i]=${mods[((${#mods[@]} - i - 1))]}
-			done
-
-			run_stop "${iface}" && r=0
-		else
-			# Only hotplug on ethernet interfaces
-			if [[ ${IN_HOTPLUG} == 1 ]] ; then
-				if ! interface_is_ethernet "${iface}" ; then
-					eerror "We only hotplug for ethernet interfaces"
-					return 1
-				fi
-			fi
-
-			run_start "${iface}" && r=0
-		fi
-	fi
-
-	if [[ ${r} != "0" ]] ; then
-		if [[ ${cmd} == "start" ]] ; then
-			# Call user-defined failup if it exists
-			if is_function failup ; then
-				einfo "Running failup function"
-				eindent
-				( failup "${iface}" )
-				eoutdent
-			fi
-		else
-			# Call user-defined faildown if it exists
-			if is_function faildown ; then
-				einfo "Running faildown function"
-				eindent
-				( faildown "${iface}" )
-				eoutdent
-			fi
-		fi
-		[[ ${IN_BACKGROUND} == "true" ]] \
-			&& mark_service_inactive "net.${iface}"
-	fi
-
-	return "${r}"
-}
-
-# bool start(void)
-#
-# Start entry point so that we only have one function
-# which localises variables and unsets functions
-start() {
-	declare -r IFACE="${SVCNAME#*.}"
-	einfo "Starting ${IFACE}"
-	run "${IFACE}" start
-}
-
-# bool stop(void)
-#
-# Stop entry point so that we only have one function
-# which localises variables and unsets functions
-stop() {
-	declare -r IFACE="${SVCNAME#*.}"
-	einfo "Stopping ${IFACE}"
-	run "${IFACE}" stop
-}
-
-# vim:ts=4
diff --git a/testing/hosts/default/etc/default/slapd b/testing/hosts/default/etc/default/slapd
new file mode 100644
index 000000000..a4a0a6e2a
--- /dev/null
+++ b/testing/hosts/default/etc/default/slapd
@@ -0,0 +1,45 @@
+# Default location of the slapd.conf file or slapd.d cn=config directory. If
+# empty, use the compiled-in default (/etc/ldap/slapd.d with a fallback to
+# /etc/ldap/slapd.conf).
+SLAPD_CONF=/etc/ldap/slapd.conf
+
+# System account to run the slapd server under. If empty the server
+# will run as root.
+SLAPD_USER="openldap"
+
+# System group to run the slapd server under. If empty the server will
+# run in the primary group of its user.
+SLAPD_GROUP="openldap"
+
+# Path to the pid file of the slapd server. If not set the init.d script
+# will try to figure it out from $SLAPD_CONF (/etc/ldap/slapd.conf by
+# default)
+SLAPD_PIDFILE=
+
+# slapd normally serves ldap only on all TCP-ports 389. slapd can also
+# service requests on TCP-port 636 (ldaps) and requests via unix
+# sockets.
+# Example usage:
+# SLAPD_SERVICES="ldap://127.0.0.1:389/ ldaps:/// ldapi:///"
+SLAPD_SERVICES="ldap:///"
+
+# If SLAPD_NO_START is set, the init script will not start or restart
+# slapd (but stop will still work).  Uncomment this if you are
+# starting slapd via some other means or if you don't want slapd normally
+# started at boot.
+#SLAPD_NO_START=1
+
+# If SLAPD_SENTINEL_FILE is set to path to a file and that file exists,
+# the init script will not start or restart slapd (but stop will still
+# work).  Use this for temporarily disabling startup of slapd (when doing
+# maintenance, for example, or through a configuration management system)
+# when you don't want to edit a configuration file.
+SLAPD_SENTINEL_FILE=/etc/ldap/noslapd
+
+# For Kerberos authentication (via SASL), slapd by default uses the system
+# keytab file (/etc/krb5.keytab).  To use a different keytab file,
+# uncomment this line and change the path.
+#export KRB5_KTNAME=/etc/krb5.keytab
+
+# Additional options to pass to slapd
+SLAPD_OPTIONS=""
diff --git a/testing/hosts/default/etc/fstab b/testing/hosts/default/etc/fstab
new file mode 100644
index 000000000..12747232e
--- /dev/null
+++ b/testing/hosts/default/etc/fstab
@@ -0,0 +1 @@
+/hostshare /root/shared 9p trans=virtio,version=9p2000.L 0 0
diff --git a/testing/hosts/default/etc/ip6tables.flush b/testing/hosts/default/etc/ip6tables.flush
new file mode 100644
index 000000000..c3f5a9254
--- /dev/null
+++ b/testing/hosts/default/etc/ip6tables.flush
@@ -0,0 +1,15 @@
+*filter
+
+-F
+
+-P INPUT ACCEPT
+-P OUTPUT ACCEPT
+-P FORWARD ACCEPT
+
+COMMIT
+
+*mangle
+
+-F
+
+COMMIT
diff --git a/testing/hosts/default/etc/ip6tables.rules b/testing/hosts/default/etc/ip6tables.rules
new file mode 100644
index 000000000..6a2c6af8e
--- /dev/null
+++ b/testing/hosts/default/etc/ip6tables.rules
@@ -0,0 +1,39 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow esp
+-A INPUT  -i eth0 -p 50 -j ACCEPT
+-A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+# allow IKE
+-A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+# allow last UDP fragment
+-A INPUT -i eth0 -p udp -m frag --fraglast -j ACCEPT
+
+# allow ICMPv6 neighbor-solicitations
+-A INPUT  -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
+-A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
+
+# allow ICMPv6 neighbor-advertisements
+-A INPUT  -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
+-A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
+
+# allow crl and certficate fetch from winnetou
+-A INPUT  -i eth0 -p tcp --sport 80 -s fec0::15 -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d fec0::15 -j ACCEPT
+
+# log dropped packets
+-A INPUT  -j LOG --log-prefix " IN: "
+-A OUTPUT -j LOG --log-prefix " OUT: "
+
+COMMIT
diff --git a/testing/hosts/default/etc/iptables.drop b/testing/hosts/default/etc/iptables.drop
new file mode 100644
index 000000000..445c45669
--- /dev/null
+++ b/testing/hosts/default/etc/iptables.drop
@@ -0,0 +1,12 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow ssh
+-A INPUT  -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+COMMIT
diff --git a/testing/hosts/default/etc/iptables.flush b/testing/hosts/default/etc/iptables.flush
new file mode 100644
index 000000000..b3ab63c51
--- /dev/null
+++ b/testing/hosts/default/etc/iptables.flush
@@ -0,0 +1,21 @@
+*filter
+
+-F
+
+-P INPUT ACCEPT
+-P OUTPUT ACCEPT
+-P FORWARD ACCEPT
+
+COMMIT
+
+*nat
+
+-F
+
+COMMIT
+
+*mangle
+
+-F
+
+COMMIT
diff --git a/testing/hosts/default/etc/iptables.rules b/testing/hosts/default/etc/iptables.rules
new file mode 100644
index 000000000..c3f036cf9
--- /dev/null
+++ b/testing/hosts/default/etc/iptables.rules
@@ -0,0 +1,28 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow esp
+-A INPUT  -i eth0 -p 50 -j ACCEPT
+-A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+# allow IKE
+-A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT  -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT  -i eth0 -p tcp --sport 80 -s 192.168.0.150 -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d 192.168.0.150 -j ACCEPT
+
+COMMIT
diff --git a/testing/hosts/default/etc/profile.d/coredumps.sh b/testing/hosts/default/etc/profile.d/coredumps.sh
new file mode 100644
index 000000000..ea44c0ef6
--- /dev/null
+++ b/testing/hosts/default/etc/profile.d/coredumps.sh
@@ -0,0 +1,5 @@
+#!/bin/sh -e
+
+ulimit -c unlimited >/dev/null 2>&1
+install -m 1777 -d /var/local/dumps >/dev/null 2>&1
+echo "/var/local/dumps/core.%e.%p" > /proc/sys/kernel/core_pattern
diff --git a/testing/hosts/default/etc/rsyslog.conf b/testing/hosts/default/etc/rsyslog.conf
new file mode 100644
index 000000000..9f76da36e
--- /dev/null
+++ b/testing/hosts/default/etc/rsyslog.conf
@@ -0,0 +1,125 @@
+#  /etc/rsyslog.conf	Configuration file for rsyslog.
+#
+#			For more information see
+#			/usr/share/doc/rsyslog-doc/html/rsyslog_conf.html
+
+
+#################
+#### MODULES ####
+#################
+
+$ModLoad imuxsock # provides support for local system logging
+$ModLoad imklog   # provides kernel logging support
+#$ModLoad immark  # provides --MARK-- message capability
+
+# Don't drop messages
+$SystemLogRateLimitInterval 0
+$RepeatedMsgReduction off
+
+# provides UDP syslog reception
+#$ModLoad imudp
+#$UDPServerRun 514
+
+# provides TCP syslog reception
+#$ModLoad imtcp
+#$InputTCPServerRun 514
+
+
+###########################
+#### GLOBAL DIRECTIVES ####
+###########################
+
+#
+# Use traditional timestamp format.
+# To enable high precision timestamps, comment out the following line.
+#
+$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
+
+#
+# Set the default permissions for all log files.
+#
+$FileOwner root
+$FileGroup adm
+$FileCreateMode 0640
+$DirCreateMode 0755
+$Umask 0022
+
+#
+# Where to place spool and state files
+#
+$WorkDirectory /var/spool/rsyslog
+
+#
+# Include all config files in /etc/rsyslog.d/
+#
+$IncludeConfig /etc/rsyslog.d/*.conf
+
+
+###############
+#### RULES ####
+###############
+
+#
+# First some standard log files.  Log by facility.
+#
+auth,authpriv.*			/var/log/auth.log
+*.*;auth,authpriv.none		-/var/log/syslog
+#cron.*				/var/log/cron.log
+daemon.*			/var/log/daemon.log
+kern.*				-/var/log/kern.log
+lpr.*				-/var/log/lpr.log
+mail.*				-/var/log/mail.log
+user.*				-/var/log/user.log
+
+#
+# Logging for the mail system.  Split it up so that
+# it is easy to write scripts to parse these files.
+#
+mail.info			-/var/log/mail.info
+mail.warn			-/var/log/mail.warn
+mail.err			/var/log/mail.err
+
+#
+# Logging for INN news system.
+#
+news.crit			/var/log/news/news.crit
+news.err			/var/log/news/news.err
+news.notice			-/var/log/news/news.notice
+
+#
+# Some "catch-all" log files.
+#
+*.=debug;\
+	auth,authpriv.none;\
+	news.none;mail.none	-/var/log/debug
+*.=info;*.=notice;*.=warn;\
+	auth,authpriv.none;\
+	cron,daemon.none;\
+	mail,news.none		-/var/log/messages
+
+#
+# Emergencies are sent to everybody logged in.
+#
+*.emerg				:omusrmsg:*
+
+#
+# I like to have messages displayed on the console, but only on a virtual
+# console I usually leave idle.
+#
+#daemon,mail.*;\
+#	news.=crit;news.=err;news.=notice;\
+#	*.=debug;*.=info;\
+#	*.=notice;*.=warn	/dev/tty8
+
+# The named pipe /dev/xconsole is for the `xconsole' utility.  To use it,
+# you must invoke `xconsole' with the `-file' option:
+#
+#    $ xconsole -file /dev/xconsole [...]
+#
+# NOTE: adjust the list below, or you'll go crazy if you have a reasonably
+#      busy site..
+#
+daemon.*;mail.*;\
+	news.err;\
+	*.=debug;*.=info;\
+	*.=notice;*.=warn	|/dev/xconsole
diff --git a/testing/hosts/default/etc/security/limits.conf b/testing/hosts/default/etc/security/limits.conf
new file mode 100644
index 000000000..2658b3236
--- /dev/null
+++ b/testing/hosts/default/etc/security/limits.conf
@@ -0,0 +1,58 @@
+# /etc/security/limits.conf
+#
+#Each line describes a limit for a user in the form:
+#
+#<domain>        <type>  <item>  <value>
+#
+#Where:
+#<domain> can be:
+#        - an user name
+#        - a group name, with @group syntax
+#        - the wildcard *, for default entry
+#        - the wildcard %, can be also used with %group syntax,
+#                 for maxlogin limit
+#        - NOTE: group and wildcard limits are not applied to root.
+#          To apply a limit to the root user, <domain> must be
+#          the literal username root.
+#
+#<type> can have the two values:
+#        - "soft" for enforcing the soft limits
+#        - "hard" for enforcing hard limits
+#
+#<item> can be one of the following:
+#        - core - limits the core file size (KB)
+#        - data - max data size (KB)
+#        - fsize - maximum filesize (KB)
+#        - memlock - max locked-in-memory address space (KB)
+#        - nofile - max number of open files
+#        - rss - max resident set size (KB)
+#        - stack - max stack size (KB)
+#        - cpu - max CPU time (MIN)
+#        - nproc - max number of processes
+#        - as - address space limit (KB)
+#        - maxlogins - max number of logins for this user
+#        - maxsyslogins - max number of logins on the system
+#        - priority - the priority to run user process with
+#        - locks - max number of file locks the user can hold
+#        - sigpending - max number of pending signals
+#        - msgqueue - max memory used by POSIX message queues (bytes)
+#        - nice - max nice priority allowed to raise to values: [-20, 19]
+#        - rtprio - max realtime priority
+#        - chroot - change root to directory (Debian-specific)
+#
+#<domain>      <type>  <item>         <value>
+#
+
+#*               soft    core            0
+#root            hard    core            100000
+#*               hard    rss             10000
+#@student        hard    nproc           20
+#@faculty        soft    nproc           20
+#@faculty        hard    nproc           50
+#ftp             hard    nproc           0
+#ftp             -       chroot          /ftp
+#@student        -       maxlogins       4
+
+* soft core unlimited
+
+# End of file
diff --git a/testing/hosts/default/etc/ssh/sshd_config b/testing/hosts/default/etc/ssh/sshd_config
new file mode 100644
index 000000000..07b7e78e5
--- /dev/null
+++ b/testing/hosts/default/etc/ssh/sshd_config
@@ -0,0 +1,13 @@
+Port 22
+Protocol 2
+HostKey /etc/ssh/ssh_host_rsa_key
+HostKey /etc/ssh/ssh_host_dsa_key
+HostKey /etc/ssh/ssh_host_ecdsa_key
+UsePrivilegeSeparation no
+PermitRootLogin yes
+StrictModes no
+PubkeyAuthentication no
+PermitEmptyPasswords yes
+PrintMotd no
+PrintLastLog no
+UsePAM no
diff --git a/testing/hosts/default/etc/sysctl.conf b/testing/hosts/default/etc/sysctl.conf
new file mode 100644
index 000000000..43010d52e
--- /dev/null
+++ b/testing/hosts/default/etc/sysctl.conf
@@ -0,0 +1,62 @@
+#
+# /etc/sysctl.conf - Configuration file for setting system variables
+# See /etc/sysctl.d/ for additonal system variables
+# See sysctl.conf (5) for information.
+#
+
+#kernel.domainname = example.com
+
+# Uncomment the following to stop low-level messages on console
+#kernel.printk = 3 4 1 3
+
+##############################################################3
+# Functions previously found in netbase
+#
+
+# Uncomment the next two lines to enable Spoof protection (reverse-path filter)
+# Turn on Source Address Verification in all interfaces to
+# prevent some spoofing attacks
+#net.ipv4.conf.default.rp_filter=1
+#net.ipv4.conf.all.rp_filter=1
+
+# Uncomment the next line to enable TCP/IP SYN cookies
+# See http://lwn.net/Articles/277146/
+# Note: This may impact IPv6 TCP sessions too
+#net.ipv4.tcp_syncookies=1
+
+# Uncomment the next line to enable packet forwarding for IPv4
+net.ipv4.ip_forward=1
+
+# Uncomment the next line to enable packet forwarding for IPv6
+#  Enabling this option disables Stateless Address Autoconfiguration
+#  based on Router Advertisements for this host
+net.ipv6.conf.all.forwarding=1
+
+
+###################################################################
+# Additional settings - these settings can improve the network
+# security of the host and prevent against some network attacks
+# including spoofing attacks and man in the middle attacks through
+# redirection. Some network environments, however, require that these
+# settings are disabled so review and enable them as needed.
+#
+# Do not accept ICMP redirects (prevent MITM attacks)
+#net.ipv4.conf.all.accept_redirects = 0
+#net.ipv6.conf.all.accept_redirects = 0
+# _or_
+# Accept ICMP redirects only for gateways listed in our default
+# gateway list (enabled by default)
+# net.ipv4.conf.all.secure_redirects = 1
+#
+# Do not send ICMP redirects (we are not a router)
+#net.ipv4.conf.all.send_redirects = 0
+#
+# Do not accept IP source route packets (we are not a router)
+#net.ipv4.conf.all.accept_source_route = 0
+#net.ipv6.conf.all.accept_source_route = 0
+#
+# Log Martian Packets
+#net.ipv4.conf.all.log_martians = 1
+
+# Enable coredump for suid binaries
+fs.suid_dumpable = 1
diff --git a/testing/hosts/default/root/.ssh/config b/testing/hosts/default/root/.ssh/config
new file mode 100644
index 000000000..aa102a144
--- /dev/null
+++ b/testing/hosts/default/root/.ssh/config
@@ -0,0 +1,3 @@
+Host *
+	StrictHostKeyChecking no
+	UserKnownHostsFile /dev/null
diff --git a/testing/hosts/default/usr/local/bin/expect-connection b/testing/hosts/default/usr/local/bin/expect-connection
new file mode 100755
index 000000000..10a709255
--- /dev/null
+++ b/testing/hosts/default/usr/local/bin/expect-connection
@@ -0,0 +1,27 @@
+#!/bin/bash
+#
+# Wait until a given IPsec connection becomes available
+#
+# Params:
+# $1 - connection name
+# $2 - maximum time to wait in seconds, default is 5 seconds
+
+if [[ $# -lt 1 || $# -gt 2 ]]
+then
+	echo "invalid arguments"
+	exit 1
+fi
+
+secs=$2
+[ ! $secs ] && secs=5
+
+let steps=$secs*10
+for i in `seq 1 $steps`
+do
+	ipsec statusall 2>&1 | grep ^[[:space:]]*$1: >/dev/null
+	[ $? -eq 0 ] && exit 0
+	sleep 0.1
+done
+
+echo "Connection '$1' not available after $secs second(s)"
+exit 1
diff --git a/testing/hosts/moon/etc/conf.d/hostname b/testing/hosts/moon/etc/conf.d/hostname
deleted file mode 100644
index 78e695337..000000000
--- a/testing/hosts/moon/etc/conf.d/hostname
+++ /dev/null
@@ -1 +0,0 @@
-HOSTNAME=moon
diff --git a/testing/hosts/moon/etc/conf.d/net b/testing/hosts/moon/etc/conf.d/net
deleted file mode 100644
index 7f09fd8a5..000000000
--- a/testing/hosts/moon/etc/conf.d/net
+++ /dev/null
@@ -1,12 +0,0 @@
-# /etc/conf.d/net:
-
-# This is basically the ifconfig argument without the ifconfig $iface
-#
-config_eth0=( "PH_IP_MOON broadcast 192.168.0.255 netmask 255.255.255.0"
-              "PH_IP6_MOON/16" )
-config_eth1=( "PH_IP_MOON1 broadcast 10.1.255.255 netmask 255.255.0.0"
-              "PH_IP6_MOON1/16" )
-
-# For setting the default gateway
-#
-routes_eth0=( "default via 192.168.0.254" )
diff --git a/testing/hosts/moon/etc/hostname b/testing/hosts/moon/etc/hostname
new file mode 100644
index 000000000..605185ef1
--- /dev/null
+++ b/testing/hosts/moon/etc/hostname
@@ -0,0 +1 @@
+moon
diff --git a/testing/hosts/moon/etc/init.d/iptables b/testing/hosts/moon/etc/init.d/iptables
deleted file mode 100755
index f5fa80b26..000000000
--- a/testing/hosts/moon/etc/init.d/iptables
+++ /dev/null
@@ -1,80 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# enable IP forwarding
-	echo 1 > /proc/sys/net/ipv4/ip_forward
-	
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	# allow esp
-	iptables -A INPUT  -i eth0 -p 50 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-	# allow IKE
-	iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
-	# allow MobIKE
-	iptables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-	# allow crl fetch from winnetou
-	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/hosts/moon/etc/init.d/net.eth0 b/testing/hosts/moon/etc/init.d/net.eth0
deleted file mode 100755
index 92b3851cf..000000000
--- a/testing/hosts/moon/etc/init.d/net.eth0
+++ /dev/null
@@ -1,1124 +0,0 @@
-#!/sbin/runscript
-# Copyright (c) 2004-2006 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-# Contributed by Roy Marples (uberlord@gentoo.org)
-# Many thanks to Aron Griffis (agriffis@gentoo.org)
-# for help, ideas and patches
-
-#NB: Config is in /etc/conf.d/net
-
-# For pcmcia users. note that pcmcia must be added to the same
-# runlevel as the net.* script that needs it.
-depend() {
-	need localmount
-	after bootmisc hostname
-	use isapnp isdn pcmcia usb wlan
-
-	# Load any custom depend functions for the given interface
-	# For example, br0 may need eth0 and eth1
-	local iface="${SVCNAME#*.}"
-	[[ $(type -t "depend_${iface}") == "function" ]] && depend_${iface}
-
-	if [[ ${iface} != "lo" && ${iface} != "lo0" ]] ; then
-		after net.lo net.lo0
-
-		# Support new style RC_NEED and RC_USE in one net file
-		local x="RC_NEED_${iface}"
-		[[ -n ${!x} ]] && need ${!x}
-		x="RC_USE_${iface}"
-		[[ -n ${!x} ]] && use ${!x}
-	fi
-
-	return 0
-}
-
-# Define where our modules are
-MODULES_DIR="${svclib}/net"
-
-# Make some wrappers to fudge after/before/need/use depend flags.
-# These are callbacks so MODULE will be set.
-after() {
-	eval "${MODULE}_after() { echo \"$*\"; }"
-}
-before() {
-	eval "${MODULE}_before() { echo \"$*\"; }"
-}
-need() {
-	eval "${MODULE}_need() { echo \"$*\"; }"
-}
-installed() {
-	# We deliberately misspell this as _installed will probably be used
-	# at some point
-	eval "${MODULE}_instlled() { echo \"$*\"; }"
-}
-provide() {
-	eval "${MODULE}_provide() { echo \"$*\"; }"
-}
-functions() {
-	eval "${MODULE}_functions() { echo \"$*\"; }"
-}
-variables() {
-	eval "${MODULE}_variables() { echo \"$*\"; }"
-}
-
-is_loopback() {
-	[[ $1 == "lo" || $1 == "lo0" ]]
-}
-
-# char* interface_device(char *iface)
-#
-# Gets the base device of the interface
-# Can handle eth0:1 and eth0.1
-# Which returns eth0 in this case
-interface_device() {
-	local dev="${1%%.*}"
-	[[ ${dev} == "$1" ]] && dev="${1%%:*}"
-	echo "${dev}"
-}
-
-# char* interface_type(char* iface)
-#
-# Returns the base type of the interface
-# eth, ippp, etc
-interface_type() {
-	echo "${1%%[0-9]*}"
-}
-
-# int calculate_metric(char *interface, int base)
-#
-# Calculates the best metric for the interface
-# We use this when we add routes so we can prefer interfaces over each other
-calculate_metric() {
-	local iface="$1" metric="$2"
-
-	# Have we already got a metric?
-	local m=$(awk '$1=="'${iface}'" && $2=="00000000" { print $7 }' \
-		/proc/net/route)
-	if [[ -n ${m} ]] ; then
-		echo "${m}"
-		return 0
-	fi
-
-	local i= dest= gw= flags= ref= u= m= mtu= metrics=
-	while read i dest gw flags ref u m mtu ; do
-		# Ignore lo
-		is_loopback "${i}" && continue
-		# We work out metrics from default routes only
-		[[ ${dest} != "00000000" || ${gw} == "00000000" ]] && continue
-		metrics="${metrics}\n${m}"
-	done < /proc/net/route
-
-	# Now, sort our metrics
-	metrics=$(echo -e "${metrics}" | sort -n)
-
-	# Now, find the lowest we can use
-	local gotbase=false
-	for m in ${metrics} ; do
-		[[ ${m} -lt ${metric} ]] && continue
-		[[ ${m} == ${metric} ]] && ((metric++))
-		[[ ${m} -gt ${metric} ]] && break
-	done
-	
-	echo "${metric}"
-}
-
-# int netmask2cidr(char *netmask)
-#
-# Returns the CIDR of a given netmask
-netmask2cidr() {
-	local binary= i= bin=
-
-	for i in ${1//./ }; do
-		bin=""
-		while [[ ${i} != "0" ]] ; do
-			bin=$[${i}%2]${bin}
-			(( i=i>>1 ))
-		done
-		binary="${binary}${bin}"
-	done
-	binary="${binary%%0*}"
-	echo "${#binary}"
-}
-
-
-# bool is_function(char* name)
-#
-# Returns 0 if the given name is a shell function, otherwise 1
-is_function() {
-	[[ -z $1 ]] && return 1
-	[[ $(type -t "$1") == "function" ]]
-}
-
-# void function_wrap(char* source, char* target)
-#
-# wraps function calls - for example function_wrap(this, that)
-# maps function names this_* to that_*
-function_wrap() {
-	local i=
-
-	is_function "${2}_depend" && return
-
-	for i in $(typeset -f | grep -o '^'"${1}"'_[^ ]*'); do
-		eval "${2}${i#${1}}() { ${i} \"\$@\"; }"
-	done
-}
-
-# char[] * expand_parameters(char *cmd)
-#
-# Returns an array after expanding parameters. For example
-# "192.168.{1..3}.{1..3}/24 brd +"
-# will return
-# "192.168.1.1/24 brd +"
-# "192.168.1.2/24 brd +"
-# "192.168.1.3/24 brd +"
-# "192.168.2.1/24 brd +"
-# "192.168.2.2/24 brd +"
-# "192.168.2.3/24 brd +"
-# "192.168.3.1/24 brd +"
-# "192.168.3.2/24 brd +"
-# "192.168.3.3/24 brd +"
-expand_parameters() {
-	local x=$(eval echo ${@// /_})
-	local -a a=( ${x} )
-
-	a=( "${a[@]/#/\"}" )
-	a=( "${a[@]/%/\"}" )
-	echo "${a[*]//_/ }"
-}
-
-# void configure_variables(char *interface, char *option1, [char *option2])
-#
-# Maps configuration options from <variable>_<option> to <variable>_<iface>
-# option2 takes precedence over option1
-configure_variables() {
-	local iface="$1" option1="$2" option2="$3"
-
-	local mod= func= x= i=
-	local -a ivars=() ovars1=() ovars2=()
-	local ifvar=$(bash_variable "${iface}")
-
-	for mod in ${MODULES[@]}; do
-		is_function ${mod}_variables || continue
-		for v in $(${mod}_variables) ; do
-			x=
-			[[ -n ${option2} ]] && x="${v}_${option2}[@]"
-			[[ -z ${!x} ]] && x="${v}_${option1}[@]"
-			[[ -n ${!x} ]] && eval "${v}_${ifvar}=( \"\${!x}\" )"
-		done
-	done
-
-	return 0
-}
-# bool module_load_minimum(char *module)
-#
-# Does the minimum checking on a module - even when forcing
-module_load_minimum() {
-	local f="$1.sh" MODULE="${1##*/}"
-
-	if [[ ! -f ${f} ]] ; then
-		eerror "${f} does not exist"
-		return 1
-	fi
-
-	if ! source "${f}" ; then
-		eerror "${MODULE} failed a sanity check"
-		return 1
-	fi
-
-	for f in depend; do
-		is_function "${MODULE}_${f}" && continue
-		eerror "${MODULE}.sh does not support the required function ${f}"
-		return 1
-	done
-
-	return 0
-}
-
-# bool modules_load_auto()
-#
-# Load and check each module for sanity
-# If the module is not installed, the functions are to be removed
-modules_load_auto() {
-	local i j inst
-
-	# Populate the MODULES array
-	# Basically we treat evey file in ${MODULES_DIR} as a module
-	MODULES=( $( cd "${MODULES_DIR}" ; ls *.sh ) )
-	j="${#MODULES[@]}"
-	for (( i=0; i<j; i++ )); do
-		MODULES[i]="${MODULES_DIR}/${MODULES[i]}"
-		[[ ! -f ${MODULES[i]} ]] && unset MODULES[i]
-	done
-	MODULES=( "${MODULES[@]}" )
-
-	# Each of these sources into the global namespace, so it's
-	# important that module functions and variables are prefixed with
-	# the module name, for example iproute2_
-
-	j="${#MODULES[@]}"
-	loaded_interface=false
-	for (( i=0; i<j; i++ )); do
-		MODULES[i]="${MODULES[i]%.sh*}"
-		if [[ ${MODULES[i]##*/} == "interface" ]] ; then
-			eerror "interface is a reserved name - cannot load a module called interface"
-			return 1
-		fi
-		
-		(
-		u=0;
-		module_load_minimum "${MODULES[i]}" || u=1;
-		if [[ ${u} == 0 ]] ; then
-			inst="${MODULES[i]##*/}_check_installed";
-			if is_function "${inst}" ; then
-				${inst} false || u=1;
-			fi
-		fi
-		exit "${u}";
-		)
-
-		if [[ $? == 0 ]] ; then
-			source "${MODULES[i]}.sh"
-			MODULES[i]="${MODULES[i]##*/}"
-		else
-			unset MODULES[i]
-		fi
-	done
-
-	MODULES=( "${MODULES[@]}" )
-	return 0
-}
-
-# bool modules_check_installed(void)
-#
-# Ensure that all modules have the required modules loaded
-# This enables us to remove modules from the MODULES array
-# Whilst other modules can still explicitly call them
-# One example of this is essidnet which configures network
-# settings for the specific ESSID connected to as the user
-# may be using a daemon to configure wireless instead of our
-# iwconfig module
-modules_check_installed() {
-	local i j missingdeps nmods="${#MODULES[@]}"
-
-	for (( i=0; i<nmods; i++ )); do
-		is_function "${MODULES[i]}_instlled" || continue
-		for j in $( ${MODULES[i]}_instlled ); do
-			missingdeps=true
-			if is_function "${j}_check_installed" ; then
-				${j}_check_installed && missingdeps=false
-			elif is_function "${j}_depend" ; then
-				missingdeps=false
-			fi
-			${missingdeps} && unset MODULES[i] && unset PROVIDES[i] && break
-		done
-	done
-
-	MODULES=( "${MODULES[@]}" )
-	PROVIDES=( "${PROVIDES[@]}" )
-}
-
-# bool modules_check_user(void)
-modules_check_user() {
-	local iface="$1" ifvar=$(bash_variable "${IFACE}")
-	local i= j= k= l= nmods="${#MODULES[@]}"
-	local -a umods=()
-
-	# Has the interface got any specific modules?
-	umods="modules_${ifvar}[@]"
-	umods=( "${!umods}" )
-
-	# Global setting follows interface-specific setting
-	umods=( "${umods[@]}" "${modules[@]}" )
-
-	# Add our preferred modules
-	local -a pmods=( "iproute2" "dhcpcd" "iwconfig" "netplugd" )
-	umods=( "${umods[@]}" "${pmods[@]}" )
-
-	# First we strip any modules that conflict from user settings
-	# So if the user specifies pump then we don't use dhcpcd
-	for (( i=0; i<${#umods[@]}; i++ )); do
-		# Some users will inevitably put "dhcp" in their modules
-		# list.  To keep users from screwing up their system this
-		# way, ignore this setting so that the default dhcp
-		# module will be used.
-		[[ ${umods[i]} == "dhcp" ]] && continue
-
-		# We remove any modules we explicitly don't want
-		if [[ ${umods[i]} == "!"* ]] ; then
-			for (( j=0; j<nmods; j++ )); do
-				[[ -z ${MODULES[j]} ]] && continue
-				if [[ ${umods[i]:1} == "${MODULES[j]}" \
-					|| ${umods[i]:1} == "${PROVIDES[j]}" ]] ; then
-					# We may need to setup a class wrapper for it even though
-					# we don't use it directly
-					# However, we put it into an array and wrap later as
-					# another module may provide the same thing
-					${MODULES[j]}_check_installed \
-						&& WRAP_MODULES=(
-							"${WRAP_MODULES[@]}"
-							"${MODULES[j]} ${PROVIDES[j]}"
-						)
-					unset MODULES[j]
-					unset PROVIDES[j]
-				fi
-			done
-			continue
-		fi
-
-		if ! is_function "${umods[i]}_depend" ; then
-			# If the module is one of our preferred modules, then
-			# ignore this error; whatever is available will be
-			# used instead.
-			(( i < ${#umods[@]} - ${#pmods[@]} )) || continue
-
-			# The function may not exist because the modules software is
-			# not installed. Load the module and report its error
-			if [[ -e "${MODULES_DIR}/${umods[i]}.sh" ]] ; then
-				source "${MODULES_DIR}/${umods[i]}.sh"
-				is_function "${umods[i]}_check_installed" \
-					&& ${umods[i]}_check_installed true
-			else
-				eerror "The module \"${umods[i]}\" does not exist"
-			fi
-			return 1
-		fi
-
-		if is_function "${umods[i]}_provide" ; then
-			mod=$(${umods[i]}_provide)
-		else
-			mod="${umods[i]}"
-		fi
-		for (( j=0; j<nmods; j++ )); do
-			[[ -z ${MODULES[j]} ]] && continue
-			if [[ ${PROVIDES[j]} == "${mod}" && ${umods[i]} != "${MODULES[j]}" ]] ; then
-				# We don't have a match - now ensure that we still provide an
-				# alternative. This is to handle our preferred modules.
-				for (( l=0; l<nmods; l++ )); do
-					[[ ${l} == "${j}" || -z ${MODULES[l]} ]] && continue
-					if [[ ${PROVIDES[l]} == "${mod}" ]] ; then
-						unset MODULES[j]
-						unset PROVIDES[j]
-						break
-					fi
-				done
-			fi
-		done
-	done
-
-	# Then we strip conflicting modules.
-	# We only need to do this for 3rd party modules that conflict with
-	# our own modules and the preferred list AND the user modules
-	# list doesn't specify a preference.
-	for (( i=0; i<nmods-1; i++ )); do
-		[[ -z ${MODULES[i]} ]] && continue			
-		for (( j=i+1; j<nmods; j++)); do
-			[[ -z ${MODULES[j]} ]] && continue
-			[[ ${PROVIDES[i]} == "${PROVIDES[j]}" ]] \
-			&& unset MODULES[j] && unset PROVIDES[j]
-		done
-	done
-
-	MODULES=( "${MODULES[@]}" )
-	PROVIDES=( "${PROVIDES[@]}" )
-	return 0
-}
-
-# void modules_sort(void)
-#
-# Sort our modules
-modules_sort() {
-	local i= j= nmods=${#MODULES[@]} m=
-	local -a provide=() provide_list=() after=() dead=() sorted=() sortedp=()
-
-	# Make our provide list
-	for ((i=0; i<nmods; i++)); do
-		dead[i]="false"
-		if [[ ${MODULES[i]} != "${PROVIDES[i]}" ]] ; then
-			local provided=false
-			for ((j=0; j<${#provide[@]}; j++)); do
-				if [[ ${provide[j]} == "${PROVIDES[i]}" ]] ; then
-					provide_list[j]="${provide_list[j]} ${MODULES[i]}"
-					provided=true
-				fi
-			done
-			if ! ${provided}; then
-				provide[j]="${PROVIDES[i]}"
-				provide_list[j]="${MODULES[i]}"
-			fi
-		fi
-	done
-
-	# Create an after array, which holds which modules the module at
-	# index i must be after
-	for ((i=0; i<nmods; i++)); do
-		if is_function "${MODULES[i]}_after" ; then
-			after[i]=" ${after[i]} $(${MODULES[i]}_after) "
-		fi
-		if is_function "${MODULES[i]}_before" ; then
-			for m in $(${MODULES[i]}_before); do
-				for ((j=0; j<nmods; j++)) ; do
-					if [[ ${PROVIDES[j]} == "${m}" ]] ; then
-						after[j]=" ${after[j]} ${MODULES[i]} "
-						break
-					fi
-				done
-			done
-		fi
-	done
-
-	# Replace the after list modules with real modules
-	for ((i=0; i<nmods; i++)); do
-		if [[ -n ${after[i]} ]] ; then
-			for ((j=0; j<${#provide[@]}; j++)); do
-				after[i]="${after[i]// ${provide[j]} / ${provide_list[j]} }"
-			done
-		fi
-	done
-	
-	# We then use the below code to provide a topologial sort
-    module_after_visit() {
-        local name="$1" i= x=
-
-		for ((i=0; i<nmods; i++)); do
-			[[ ${MODULES[i]} == "$1" ]] && break
-		done
-
-        ${dead[i]} && return
-        dead[i]="true"
-
-        for x in ${after[i]} ; do
-            module_after_visit "${x}"
-        done
-
-        sorted=( "${sorted[@]}" "${MODULES[i]}" )
-		sortedp=( "${sortedp[@]}" "${PROVIDES[i]}" )
-    }
-
-	for x in ${MODULES[@]}; do
-		module_after_visit "${x}"
-	done
-
-	MODULES=( "${sorted[@]}" )
-	PROVIDES=( "${sortedp[@]}" )
-}
-
-# bool modules_check_depends(bool showprovides)
-modules_check_depends() {
-	local showprovides="${1:-false}" nmods="${#MODULES[@]}" i= j= needmod=
-	local missingdeps= p= interface=false
-
-	for (( i=0; i<nmods; i++ )); do
-		if is_function "${MODULES[i]}_need" ; then
-			for needmod in $(${MODULES[i]}_need); do
-				missingdeps=true
-				for (( j=0; j<nmods; j++ )); do
-					if [[ ${needmod} == "${MODULES[j]}" \
-						|| ${needmod} == "${PROVIDES[j]}" ]] ; then
-						missingdeps=false
-						break
-					fi
-				done
-				if ${missingdeps} ; then
-					eerror "${MODULES[i]} needs ${needmod} (dependency failure)"
-					return 1
-				fi
-			done
-		fi
-
-		if is_function "${MODULES[i]}_functions" ; then
-			for f in $(${MODULES[i]}_functions); do
-				if ! is_function "${f}" ; then
-					eerror "${MODULES[i]}: missing required function \"${f}\""
-					return 1
-				fi
-			done
-		fi
-
-		[[ ${PROVIDES[i]} == "interface" ]] && interface=true
-
-		if ${showprovides} ; then
-			[[ ${PROVIDES[i]} != "${MODULES[i]}" ]] \
-			&& veinfo "${MODULES[i]} provides ${PROVIDES[i]}"
-		fi
-	done
-
-	if ! ${interface} ; then
-		eerror "no interface module has been loaded"
-		return 1
-	fi
-
-	return 0
-}
-
-# bool modules_load(char *iface, bool starting)
-#
-# Loads the defined handler and modules for the interface
-# Returns 0 on success, otherwise 1
-modules_load()  {
-	local iface="$1" starting="${2:-true}" MODULE= p=false i= j= k=
-	local -a x=()
-	local RC_INDENTATION="${RC_INDENTATION}"
-	local -a PROVIDES=() WRAP_MODULES=()
-
-	if ! is_loopback "${iface}" ; then
-		x="modules_force_${iface}[@]"
-		[[ -n ${!x} ]] && modules_force=( "${!x}" )
-		if [[ -n ${modules_force} ]] ; then
-			ewarn "WARNING: You are forcing modules!"
-			ewarn "Do not complain or file bugs if things start breaking"
-			report=true
-		fi
-	fi
-
-	veinfo "Loading networking modules for ${iface}"
-	eindent
-
-	if [[ -z ${modules_force} ]] ; then
-		modules_load_auto || return 1
-	else
-		j="${#modules_force[@]}"
-		for (( i=0; i<j; i++ )); do
-			module_load_minimum "${MODULES_DIR}/${modules_force[i]}" || return 1
-			if is_function "${modules_force[i]}_check_installed" ; then
-				${modules_force[i]}_check_installed || unset modules_force[i]
-			fi
-		done
-		MODULES=( "${modules_force[@]}" )
-	fi
-
-	j="${#MODULES[@]}"
-	for (( i=0; i<j; i++ )); do
-		# Now load our dependencies - we need to use the MODULE variable
-		# here as the after/before/need functions use it
-		MODULE="${MODULES[i]}"
-		${MODULE}_depend
-
-		# expose does exactly the same thing as depend
-		# However it is more "correct" as it exposes things to other modules
-		# instead of depending on them ;)
-		is_function "${MODULES[i]}_expose" && ${MODULES[i]}_expose
-
-		# If no provide is given, assume module name
-		if is_function "${MODULES[i]}_provide" ; then
-			PROVIDES[i]=$(${MODULES[i]}_provide)
-		else
-			PROVIDES[i]="${MODULES[i]}"
-		fi
-	done
-
-	if [[ -n ${modules_force[@]} ]] ; then
-		# Strip any duplicate modules providing the same thing
-		j="${#MODULES[@]}"
-		for (( i=0; i<j-1; i++ )); do
-			[[ -z ${MODULES[i]} ]] && continue
-			for (( k=i+1; k<j; k++ )); do
-				if [[ ${PROVIDES[i]} == ${PROVIDES[k]} ]] ; then
-					unset MODULES[k]
-					unset PROVIDES[k]
-				fi
-			done
-		done
-		MODULES=( "${MODULES[@]}" )
-		PROVIDES=( "${PROVIDES[@]}" )
-	else
-		if ${starting}; then
-			modules_check_user "${iface}" || return 1
-		else
-			# Always prefer iproute2 for taking down interfaces
-			if is_function iproute2_provide ; then
-				function_wrap iproute2 "$(iproute2_provide)"
-			fi
-		fi
-	fi
-	
-	# Wrap our modules
-	j="${#MODULES[@]}"
-	for (( i=0; i<j; i++ )); do
-		function_wrap "${MODULES[i]}" "${PROVIDES[i]}"
-	done
-	j="${#WRAP_MODULES[@]}"
-	for (( i=0; i<j; i++ )); do
-		function_wrap ${WRAP_MODULES[i]}
-	done
-	
-	if [[ -z ${modules_force[@]} ]] ; then
-		modules_check_installed || return 1
-		modules_sort || return 1
-	fi
-
-	veinfo "modules: ${MODULES[@]}"
-	eindent
-
-	${starting} && p=true
-	modules_check_depends "${p}" || return 1
-	return 0
-}
-
-# bool iface_start(char *interface)
-#
-# iface_start is called from start.  It's expected to start the base
-# interface (for example "eth0"), aliases (for example "eth0:1") and to start
-# VLAN interfaces (for example eth0.0, eth0.1).  VLAN setup is accomplished by
-# calling itself recursively.
-iface_start() {
-	local iface="$1" mod config_counter="-1" x config_worked=false
-	local RC_INDENTATION="${RC_INDENTATION}"
-	local -a config=() fallback=() fallback_route=() conf=() a=() b=()
-	local ifvar=$(bash_variable "$1") i= j= metric=0
-
-	# pre Start any modules with
-	for mod in ${MODULES[@]}; do
-		if is_function "${mod}_pre_start" ; then
-			${mod}_pre_start "${iface}" || { eend 1; return 1; }
-		fi
-	done
-
-	x="metric_${ifvar}"
-	# If we don't have a metric then calculate one
-	# Our modules will set the metric variable to a suitable base
-	# in their pre starts.
-	if [[ -z ${!x} ]] ; then
-		eval "metric_${ifvar}=\"$(calculate_metric "${iface}" "${metric}")\""
-	fi
-
-	# We now expand the configuration parameters and pray that the
-	# fallbacks expand to the same number as config or there will be
-	# trouble!
-	a="config_${ifvar}[@]"
-	a=( "${!a}" )
-	for (( i=0; i<${#a[@]}; i++ )); do 
-		eval b=( $(expand_parameters "${a[i]}") )
-		config=( "${config[@]}" "${b[@]}" )
-	done
-
-	a="fallback_${ifvar}[@]"
-	a=( "${!a}" )
-	for (( i=0; i<${#a[@]}; i++ )); do 
-		eval b=( $(expand_parameters "${a[i]}") )
-		fallback=( "${fallback[@]}" "${b[@]}" )
-	done
-
-	# We don't expand routes
-	fallback_route="fallback_route_${ifvar}[@]"
-	fallback_route=( "${!fallback_route}" )
-	
-	# We must support old configs
-	if [[ -z ${config} ]] ; then
-		interface_get_old_config "${iface}" || return 1
-		if [[ -n ${config} ]] ; then
-			ewarn "You are using a deprecated configuration syntax for ${iface}"
-			ewarn "You are advised to read /etc/conf.d/net.example and upgrade it accordingly"
-		fi
-	fi
-
-	# Handle "noop" correctly
-	if [[ ${config[0]} == "noop" ]] ; then
-		if interface_is_up "${iface}" true ; then
-			einfo "Keeping current configuration for ${iface}"
-			eend 0
-			return 0
-		fi
-
-		# Remove noop from the config var
-		config=( "${config[@]:1}" )
-	fi
-
-	# Provide a default of DHCP if no configuration is set and we're auto
-	# Otherwise a default of NULL
-	if [[ -z ${config} ]] ; then
-		ewarn "Configuration not set for ${iface} - assuming DHCP"
-		if is_function "dhcp_start" ; then
-			config=( "dhcp" )
-		else
-			eerror "No DHCP client installed"
-			return 1
-		fi
-	fi
-
-	einfo "Bringing up ${iface}"
-	eindent
-	for (( config_counter=0; config_counter<${#config[@]}; config_counter++ )); do
-		# Handle null and noop correctly
-		if [[ ${config[config_counter]} == "null" \
-			|| ${config[config_counter]} == "noop" ]] ; then
-			eend 0
-			config_worked=true
-			continue
-		fi
-
-		# We convert it to an array - this has the added
-		# bonus of trimming spaces!
-		conf=( ${config[config_counter]} )
-		einfo "${conf[0]}"
-
-		# Do we have a function for our config?
-		if is_function "${conf[0]}_start" ; then
-			eindent
-			${conf[0]}_start "${iface}" ; x=$?
-			eoutdent
-			[[ ${x} == 0 ]] && config_worked=true && continue
-			# We need to test to see if it's an IP address or a function
-			# We do this by testing if the 1st character is a digit
-		elif [[ ${conf[0]:0:1} == [[:digit:]] || ${conf[0]} == *:* ]] ; then
-			x="0"
-			if ! is_loopback "${iface}" ; then
-				if [[ " ${MODULES[@]} " == *" arping "* ]] ; then
-					if arping_address_exists "${iface}" "${conf[0]}" ; then
-						eerror "${conf[0]%%/*} already taken on ${iface}"
-						x="1"
-					fi
-				fi
-			fi
-			[[ ${x} == "0" ]] && interface_add_address "${iface}" ${conf[@]}; x="$?"
-			eend "${x}" && config_worked=true && continue
-		else
-			if [[ ${conf[0]} == "dhcp" ]] ; then
-				eerror "No DHCP client installed"
-			else
-				eerror "No loaded modules provide \"${conf[0]}\" (${conf[0]}_start)"
-			fi
-		fi
-
-		if [[ -n ${fallback[config_counter]} ]] ; then
-			einfo "Trying fallback configuration"
-			config[config_counter]="${fallback[config_counter]}"
-			fallback[config_counter]=""
-
-			# Do we have a fallback route?
-			if [[ -n ${fallback_route[config_counter]} ]] ; then
-				x="fallback_route[config_counter]"
-				eval "routes_${ifvar}=( \"\${!x}\" )"
-				fallback_route[config_counter]=""
-			fi
-
-			(( config_counter-- )) # since the loop will increment it
-			continue
-		fi
-	done
-	eoutdent
-
-	# We return failure if no configuration parameters worked
-	${config_worked} || return 1
-
-	# Start any modules with _post_start
-	for mod in ${MODULES[@]}; do
-		if is_function "${mod}_post_start" ; then
-			${mod}_post_start "${iface}" || return 1
-		fi
-	done
-
-	return 0
-}
-
-# bool iface_stop(char *interface)
-#
-# iface_stop: bring down an interface.  Don't trust information in
-# /etc/conf.d/net since the configuration might have changed since
-# iface_start ran.  Instead query for current configuration and bring
-# down the interface.
-iface_stop() {
-	local iface="$1" i= aliases= need_begin=false mod=
-	local RC_INDENTATION="${RC_INDENTATION}"
-
-	# pre Stop any modules
-	for mod in ${MODULES[@]}; do
-		if is_function "${mod}_pre_stop" ; then
-			${mod}_pre_stop "${iface}" || return 1
-		fi
-	done
-
-	einfo "Bringing down ${iface}"
-	eindent
-
-	# Collect list of aliases for this interface.
-	# List will be in reverse order.
-	if interface_exists "${iface}" ; then
-		aliases=$(interface_get_aliases_rev "${iface}")
-	fi
-
-	# Stop aliases before primary interface.
-	# Note this must be done in reverse order, since ifconfig eth0:1 
-	# will remove eth0:2, etc.  It might be sufficient to simply remove 
-	# the base interface but we're being safe here.
-	for i in ${aliases} ${iface}; do
-		# Stop all our modules
-		for mod in ${MODULES[@]}; do
-			if is_function "${mod}_stop" ; then
-				${mod}_stop "${i}" || return 1
-			fi
-		done
-
-		# A module may have removed the interface
-		if ! interface_exists "${iface}" ; then
-			eend 0
-			continue
-		fi
-
-		# We don't delete ppp assigned addresses
-		if ! is_function pppd_exists || ! pppd_exists "${i}" ; then
-			# Delete all the addresses for this alias
-			interface_del_addresses "${i}"
-		fi
-
-		# Do final shut down of this alias
-		if [[ ${IN_BACKGROUND} != "true" \
-			&& ${RC_DOWN_INTERFACE} == "yes" ]] ; then
-			ebegin "Shutting down ${i}"
-			interface_iface_stop "${i}"
-			eend "$?"
-		fi
-	done
-
-	# post Stop any modules
-	for mod in ${MODULES[@]}; do
-		# We have already taken down the interface, so no need to error
-		is_function "${mod}_post_stop" && ${mod}_post_stop "${iface}"
-	done
-
-	return 0
-}
-
-# bool run_start(char *iface)
-#
-# Brings up ${IFACE}.  Calls preup, iface_start, then postup.
-# Returns 0 (success) unless preup or iface_start returns 1 (failure).
-# Ignores the return value from postup.
-# We cannot check that the device exists ourselves as modules like
-# tuntap make create it.
-run_start() {
-	local iface="$1" IFVAR=$(bash_variable "$1")
-
-	# We do this so users can specify additional addresses for lo if they
-	# need too - additional routes too
-	# However, no extra modules are loaded as they are just not needed
-	if [[ ${iface} == "lo" ]] ; then
-		metric_lo="0"
-		config_lo=( "127.0.0.1/8 brd 127.255.255.255" "${config_lo[@]}" )
-		routes_lo=( "127.0.0.0/8" "${routes_lo[@]}" )
-	elif [[ ${iface} == "lo0" ]] ; then
-		metric_lo0="0"
-		config_lo0=( "127.0.0.1/8 brd 127.255.255.255" "${config_lo[@]}" )
-		routes_lo0=( "127.0.0.0/8" "${routes_lo[@]}" )
-	fi
-
-	# We may not have a loaded module for ${iface}
-	# Some users may have "alias natsemi eth0" in /etc/modules.d/foo
-	# so we can work with this
-	# However, if they do the same with eth1 and try to start it
-	# but eth0 has not been loaded then the module gets loaded as
-	# eth0.
-	# Not much we can do about this :(
-	# Also, we cannot error here as some modules - such as bridge
-	# create interfaces
-	if ! interface_exists "${iface}" ; then
-		/sbin/modprobe "${iface}" &>/dev/null
-	fi
-
-	# Call user-defined preup function if it exists
-	if is_function preup ; then
-		einfo "Running preup function"
-		eindent
-		( preup "${iface}" )
-		eend "$?" "preup ${iface} failed" || return 1
-		eoutdent
-	fi
-
-	# If config is set to noop and the interface is up with an address
-	# then we don't start it
-	local config=
-	config="config_${IFVAR}[@]"
-	config=( "${!config}" )
-	if [[ ${config[0]} == "noop" ]] && interface_is_up "${iface}" true ; then
-		einfo "Keeping current configuration for ${iface}"
-		eend 0
-	else
-		# Remove noop from the config var
-		[[ ${config[0]} == "noop" ]] \
-			&& eval "config_${IFVAR}=( "\"\$\{config\[@\]:1\}\"" )"
-
-		# There may be existing ip address info - so we strip it
-		if [[ ${RC_INTERFACE_KEEP_CONFIG} != "yes" \
-			&& ${IN_BACKGROUND} != "true" ]] ; then
-			interface_del_addresses "${iface}"
-		fi
-
-		# Start the interface
-		if ! iface_start "${iface}" ; then
-			if [[ ${IN_BACKGROUND} != "true" ]] ; then
-				interface_exists "${iface}" && interface_down "${iface}"
-			fi
-			eend 1
-			return 1
-		fi
-	fi
-
-	# Call user-defined postup function if it exists
-	if is_function postup ; then
-		# We need to mark the service as started incase a
-		# postdown function wants to restart services that depend on us
-		mark_service_started "net.${iface}"
-		end_service "net.${iface}" 0
-		einfo "Running postup function"
-		eindent
-		( postup "${iface}" )
-		eoutdent
-	fi
-
-	return 0
-}
-
-# bool run_stop(char *iface) {
-#
-# Brings down ${iface}.  If predown call returns non-zero, then
-# stop returns non-zero to indicate failure bringing down device.
-# In all other cases stop returns 0 to indicate success.
-run_stop() {
-	local iface="$1" IFVAR=$(bash_variable "$1") x
-
-	# Load our ESSID variable so users can use it in predown() instead
-	# of having to write code.
-	local ESSID=$(get_options ESSID) ESSIDVAR=
-	[[ -n ${ESSID} ]] && ESSIDVAR=$(bash_variable "${ESSID}")
-
-	# Call user-defined predown function if it exists
-	if is_function predown ; then
-		einfo "Running predown function"
-		eindent
-		( predown "${iface}" )
-		eend $? "predown ${iface} failed" || return 1
-		eoutdent
-	elif is_net_fs / ; then
-		eerror "root filesystem is network mounted -- can't stop ${iface}"
-		return 1
-	elif is_union_fs / ; then
-		for x in $(unionctl "${dir}" --list \
-		| sed -e 's/^\(.*\) .*/\1/') ; do
-			if is_net_fs "${x}" ; then
-				eerror "Part of the root filesystem is network mounted - cannot stop ${iface}"
-				return 1
-			fi
-		done
-	fi
-
-	iface_stop "${iface}" || return 1  # always succeeds, btw
-
-	# Release resolv.conf information.
-	[[ -x /sbin/resolvconf ]] && resolvconf -d "${iface}"
-	
-	# Mark us as inactive if called from the background
-	[[ ${IN_BACKGROUND} == "true" ]] && mark_service_inactive "net.${iface}"
-
-	# Call user-defined postdown function if it exists
-	if is_function postdown ; then
-		# We need to mark the service as stopped incase a
-		# postdown function wants to restart services that depend on us
-		[[ ${IN_BACKGROUND} != "true" ]] && mark_service_stopped "net.${iface}"
-		end_service "net.${iface}" 0
-		einfo "Running postdown function"
-		eindent
-		( postdown "${iface}" )
-		eoutdent
-	fi
-
-
-	return 0
-}
-
-# bool run(char *iface, char *cmd)
-#
-# Main start/stop entry point
-# We load modules here and remove any functions that they
-# added as we may be called inside the same shell scope for another interface
-run() {
-	local iface="$1" cmd="$2" r=1 RC_INDENTATION="${RC_INDENTATION}"
-	local starting=true
-	local -a MODULES=() mods=()
-	local IN_BACKGROUND="${IN_BACKGROUND}"
-
-	if [[ ${IN_BACKGROUND} == "true" || ${IN_BACKGROUND} == "1" ]] ; then
-		IN_BACKGROUND=true
-	else
-		IN_BACKGROUND=false
-	fi
-
-	# We need to override the exit function as runscript.sh now checks
-	# for it. We need it so we can mark the service as inactive ourselves.
-	unset -f exit
-
-	eindent
-	[[ ${cmd} == "stop" ]] && starting=false
-
-	# We force lo to only use these modules for a major speed boost
-	if is_loopback "${iface}" ; then	
-		modules_force=( "iproute2" "ifconfig" "system" )
-	fi
-
-	if modules_load "${iface}" "${starting}" ; then
-		if [[ ${cmd} == "stop" ]] ; then
-			# Reverse the module list for stopping
-			mods=( "${MODULES[@]}" )
-			for ((i = 0; i < ${#mods[@]}; i++)); do
-				MODULES[i]=${mods[((${#mods[@]} - i - 1))]}
-			done
-
-			run_stop "${iface}" && r=0
-		else
-			# Only hotplug on ethernet interfaces
-			if [[ ${IN_HOTPLUG} == 1 ]] ; then
-				if ! interface_is_ethernet "${iface}" ; then
-					eerror "We only hotplug for ethernet interfaces"
-					return 1
-				fi
-			fi
-
-			run_start "${iface}" && r=0
-		fi
-	fi
-
-	if [[ ${r} != "0" ]] ; then
-		if [[ ${cmd} == "start" ]] ; then
-			# Call user-defined failup if it exists
-			if is_function failup ; then
-				einfo "Running failup function"
-				eindent
-				( failup "${iface}" )
-				eoutdent
-			fi
-		else
-			# Call user-defined faildown if it exists
-			if is_function faildown ; then
-				einfo "Running faildown function"
-				eindent
-				( faildown "${iface}" )
-				eoutdent
-			fi
-		fi
-		[[ ${IN_BACKGROUND} == "true" ]] \
-			&& mark_service_inactive "net.${iface}"
-	fi
-
-	return "${r}"
-}
-
-# bool start(void)
-#
-# Start entry point so that we only have one function
-# which localises variables and unsets functions
-start() {
-	declare -r IFACE="${SVCNAME#*.}"
-	einfo "Starting ${IFACE}"
-	run "${IFACE}" start
-}
-
-# bool stop(void)
-#
-# Stop entry point so that we only have one function
-# which localises variables and unsets functions
-stop() {
-	declare -r IFACE="${SVCNAME#*.}"
-	einfo "Stopping ${IFACE}"
-	run "${IFACE}" stop
-}
-
-# vim:ts=4
diff --git a/testing/hosts/moon/etc/init.d/net.eth1 b/testing/hosts/moon/etc/init.d/net.eth1
deleted file mode 100755
index 92b3851cf..000000000
--- a/testing/hosts/moon/etc/init.d/net.eth1
+++ /dev/null
@@ -1,1124 +0,0 @@
-#!/sbin/runscript
-# Copyright (c) 2004-2006 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-# Contributed by Roy Marples (uberlord@gentoo.org)
-# Many thanks to Aron Griffis (agriffis@gentoo.org)
-# for help, ideas and patches
-
-#NB: Config is in /etc/conf.d/net
-
-# For pcmcia users. note that pcmcia must be added to the same
-# runlevel as the net.* script that needs it.
-depend() {
-	need localmount
-	after bootmisc hostname
-	use isapnp isdn pcmcia usb wlan
-
-	# Load any custom depend functions for the given interface
-	# For example, br0 may need eth0 and eth1
-	local iface="${SVCNAME#*.}"
-	[[ $(type -t "depend_${iface}") == "function" ]] && depend_${iface}
-
-	if [[ ${iface} != "lo" && ${iface} != "lo0" ]] ; then
-		after net.lo net.lo0
-
-		# Support new style RC_NEED and RC_USE in one net file
-		local x="RC_NEED_${iface}"
-		[[ -n ${!x} ]] && need ${!x}
-		x="RC_USE_${iface}"
-		[[ -n ${!x} ]] && use ${!x}
-	fi
-
-	return 0
-}
-
-# Define where our modules are
-MODULES_DIR="${svclib}/net"
-
-# Make some wrappers to fudge after/before/need/use depend flags.
-# These are callbacks so MODULE will be set.
-after() {
-	eval "${MODULE}_after() { echo \"$*\"; }"
-}
-before() {
-	eval "${MODULE}_before() { echo \"$*\"; }"
-}
-need() {
-	eval "${MODULE}_need() { echo \"$*\"; }"
-}
-installed() {
-	# We deliberately misspell this as _installed will probably be used
-	# at some point
-	eval "${MODULE}_instlled() { echo \"$*\"; }"
-}
-provide() {
-	eval "${MODULE}_provide() { echo \"$*\"; }"
-}
-functions() {
-	eval "${MODULE}_functions() { echo \"$*\"; }"
-}
-variables() {
-	eval "${MODULE}_variables() { echo \"$*\"; }"
-}
-
-is_loopback() {
-	[[ $1 == "lo" || $1 == "lo0" ]]
-}
-
-# char* interface_device(char *iface)
-#
-# Gets the base device of the interface
-# Can handle eth0:1 and eth0.1
-# Which returns eth0 in this case
-interface_device() {
-	local dev="${1%%.*}"
-	[[ ${dev} == "$1" ]] && dev="${1%%:*}"
-	echo "${dev}"
-}
-
-# char* interface_type(char* iface)
-#
-# Returns the base type of the interface
-# eth, ippp, etc
-interface_type() {
-	echo "${1%%[0-9]*}"
-}
-
-# int calculate_metric(char *interface, int base)
-#
-# Calculates the best metric for the interface
-# We use this when we add routes so we can prefer interfaces over each other
-calculate_metric() {
-	local iface="$1" metric="$2"
-
-	# Have we already got a metric?
-	local m=$(awk '$1=="'${iface}'" && $2=="00000000" { print $7 }' \
-		/proc/net/route)
-	if [[ -n ${m} ]] ; then
-		echo "${m}"
-		return 0
-	fi
-
-	local i= dest= gw= flags= ref= u= m= mtu= metrics=
-	while read i dest gw flags ref u m mtu ; do
-		# Ignore lo
-		is_loopback "${i}" && continue
-		# We work out metrics from default routes only
-		[[ ${dest} != "00000000" || ${gw} == "00000000" ]] && continue
-		metrics="${metrics}\n${m}"
-	done < /proc/net/route
-
-	# Now, sort our metrics
-	metrics=$(echo -e "${metrics}" | sort -n)
-
-	# Now, find the lowest we can use
-	local gotbase=false
-	for m in ${metrics} ; do
-		[[ ${m} -lt ${metric} ]] && continue
-		[[ ${m} == ${metric} ]] && ((metric++))
-		[[ ${m} -gt ${metric} ]] && break
-	done
-	
-	echo "${metric}"
-}
-
-# int netmask2cidr(char *netmask)
-#
-# Returns the CIDR of a given netmask
-netmask2cidr() {
-	local binary= i= bin=
-
-	for i in ${1//./ }; do
-		bin=""
-		while [[ ${i} != "0" ]] ; do
-			bin=$[${i}%2]${bin}
-			(( i=i>>1 ))
-		done
-		binary="${binary}${bin}"
-	done
-	binary="${binary%%0*}"
-	echo "${#binary}"
-}
-
-
-# bool is_function(char* name)
-#
-# Returns 0 if the given name is a shell function, otherwise 1
-is_function() {
-	[[ -z $1 ]] && return 1
-	[[ $(type -t "$1") == "function" ]]
-}
-
-# void function_wrap(char* source, char* target)
-#
-# wraps function calls - for example function_wrap(this, that)
-# maps function names this_* to that_*
-function_wrap() {
-	local i=
-
-	is_function "${2}_depend" && return
-
-	for i in $(typeset -f | grep -o '^'"${1}"'_[^ ]*'); do
-		eval "${2}${i#${1}}() { ${i} \"\$@\"; }"
-	done
-}
-
-# char[] * expand_parameters(char *cmd)
-#
-# Returns an array after expanding parameters. For example
-# "192.168.{1..3}.{1..3}/24 brd +"
-# will return
-# "192.168.1.1/24 brd +"
-# "192.168.1.2/24 brd +"
-# "192.168.1.3/24 brd +"
-# "192.168.2.1/24 brd +"
-# "192.168.2.2/24 brd +"
-# "192.168.2.3/24 brd +"
-# "192.168.3.1/24 brd +"
-# "192.168.3.2/24 brd +"
-# "192.168.3.3/24 brd +"
-expand_parameters() {
-	local x=$(eval echo ${@// /_})
-	local -a a=( ${x} )
-
-	a=( "${a[@]/#/\"}" )
-	a=( "${a[@]/%/\"}" )
-	echo "${a[*]//_/ }"
-}
-
-# void configure_variables(char *interface, char *option1, [char *option2])
-#
-# Maps configuration options from <variable>_<option> to <variable>_<iface>
-# option2 takes precedence over option1
-configure_variables() {
-	local iface="$1" option1="$2" option2="$3"
-
-	local mod= func= x= i=
-	local -a ivars=() ovars1=() ovars2=()
-	local ifvar=$(bash_variable "${iface}")
-
-	for mod in ${MODULES[@]}; do
-		is_function ${mod}_variables || continue
-		for v in $(${mod}_variables) ; do
-			x=
-			[[ -n ${option2} ]] && x="${v}_${option2}[@]"
-			[[ -z ${!x} ]] && x="${v}_${option1}[@]"
-			[[ -n ${!x} ]] && eval "${v}_${ifvar}=( \"\${!x}\" )"
-		done
-	done
-
-	return 0
-}
-# bool module_load_minimum(char *module)
-#
-# Does the minimum checking on a module - even when forcing
-module_load_minimum() {
-	local f="$1.sh" MODULE="${1##*/}"
-
-	if [[ ! -f ${f} ]] ; then
-		eerror "${f} does not exist"
-		return 1
-	fi
-
-	if ! source "${f}" ; then
-		eerror "${MODULE} failed a sanity check"
-		return 1
-	fi
-
-	for f in depend; do
-		is_function "${MODULE}_${f}" && continue
-		eerror "${MODULE}.sh does not support the required function ${f}"
-		return 1
-	done
-
-	return 0
-}
-
-# bool modules_load_auto()
-#
-# Load and check each module for sanity
-# If the module is not installed, the functions are to be removed
-modules_load_auto() {
-	local i j inst
-
-	# Populate the MODULES array
-	# Basically we treat evey file in ${MODULES_DIR} as a module
-	MODULES=( $( cd "${MODULES_DIR}" ; ls *.sh ) )
-	j="${#MODULES[@]}"
-	for (( i=0; i<j; i++ )); do
-		MODULES[i]="${MODULES_DIR}/${MODULES[i]}"
-		[[ ! -f ${MODULES[i]} ]] && unset MODULES[i]
-	done
-	MODULES=( "${MODULES[@]}" )
-
-	# Each of these sources into the global namespace, so it's
-	# important that module functions and variables are prefixed with
-	# the module name, for example iproute2_
-
-	j="${#MODULES[@]}"
-	loaded_interface=false
-	for (( i=0; i<j; i++ )); do
-		MODULES[i]="${MODULES[i]%.sh*}"
-		if [[ ${MODULES[i]##*/} == "interface" ]] ; then
-			eerror "interface is a reserved name - cannot load a module called interface"
-			return 1
-		fi
-		
-		(
-		u=0;
-		module_load_minimum "${MODULES[i]}" || u=1;
-		if [[ ${u} == 0 ]] ; then
-			inst="${MODULES[i]##*/}_check_installed";
-			if is_function "${inst}" ; then
-				${inst} false || u=1;
-			fi
-		fi
-		exit "${u}";
-		)
-
-		if [[ $? == 0 ]] ; then
-			source "${MODULES[i]}.sh"
-			MODULES[i]="${MODULES[i]##*/}"
-		else
-			unset MODULES[i]
-		fi
-	done
-
-	MODULES=( "${MODULES[@]}" )
-	return 0
-}
-
-# bool modules_check_installed(void)
-#
-# Ensure that all modules have the required modules loaded
-# This enables us to remove modules from the MODULES array
-# Whilst other modules can still explicitly call them
-# One example of this is essidnet which configures network
-# settings for the specific ESSID connected to as the user
-# may be using a daemon to configure wireless instead of our
-# iwconfig module
-modules_check_installed() {
-	local i j missingdeps nmods="${#MODULES[@]}"
-
-	for (( i=0; i<nmods; i++ )); do
-		is_function "${MODULES[i]}_instlled" || continue
-		for j in $( ${MODULES[i]}_instlled ); do
-			missingdeps=true
-			if is_function "${j}_check_installed" ; then
-				${j}_check_installed && missingdeps=false
-			elif is_function "${j}_depend" ; then
-				missingdeps=false
-			fi
-			${missingdeps} && unset MODULES[i] && unset PROVIDES[i] && break
-		done
-	done
-
-	MODULES=( "${MODULES[@]}" )
-	PROVIDES=( "${PROVIDES[@]}" )
-}
-
-# bool modules_check_user(void)
-modules_check_user() {
-	local iface="$1" ifvar=$(bash_variable "${IFACE}")
-	local i= j= k= l= nmods="${#MODULES[@]}"
-	local -a umods=()
-
-	# Has the interface got any specific modules?
-	umods="modules_${ifvar}[@]"
-	umods=( "${!umods}" )
-
-	# Global setting follows interface-specific setting
-	umods=( "${umods[@]}" "${modules[@]}" )
-
-	# Add our preferred modules
-	local -a pmods=( "iproute2" "dhcpcd" "iwconfig" "netplugd" )
-	umods=( "${umods[@]}" "${pmods[@]}" )
-
-	# First we strip any modules that conflict from user settings
-	# So if the user specifies pump then we don't use dhcpcd
-	for (( i=0; i<${#umods[@]}; i++ )); do
-		# Some users will inevitably put "dhcp" in their modules
-		# list.  To keep users from screwing up their system this
-		# way, ignore this setting so that the default dhcp
-		# module will be used.
-		[[ ${umods[i]} == "dhcp" ]] && continue
-
-		# We remove any modules we explicitly don't want
-		if [[ ${umods[i]} == "!"* ]] ; then
-			for (( j=0; j<nmods; j++ )); do
-				[[ -z ${MODULES[j]} ]] && continue
-				if [[ ${umods[i]:1} == "${MODULES[j]}" \
-					|| ${umods[i]:1} == "${PROVIDES[j]}" ]] ; then
-					# We may need to setup a class wrapper for it even though
-					# we don't use it directly
-					# However, we put it into an array and wrap later as
-					# another module may provide the same thing
-					${MODULES[j]}_check_installed \
-						&& WRAP_MODULES=(
-							"${WRAP_MODULES[@]}"
-							"${MODULES[j]} ${PROVIDES[j]}"
-						)
-					unset MODULES[j]
-					unset PROVIDES[j]
-				fi
-			done
-			continue
-		fi
-
-		if ! is_function "${umods[i]}_depend" ; then
-			# If the module is one of our preferred modules, then
-			# ignore this error; whatever is available will be
-			# used instead.
-			(( i < ${#umods[@]} - ${#pmods[@]} )) || continue
-
-			# The function may not exist because the modules software is
-			# not installed. Load the module and report its error
-			if [[ -e "${MODULES_DIR}/${umods[i]}.sh" ]] ; then
-				source "${MODULES_DIR}/${umods[i]}.sh"
-				is_function "${umods[i]}_check_installed" \
-					&& ${umods[i]}_check_installed true
-			else
-				eerror "The module \"${umods[i]}\" does not exist"
-			fi
-			return 1
-		fi
-
-		if is_function "${umods[i]}_provide" ; then
-			mod=$(${umods[i]}_provide)
-		else
-			mod="${umods[i]}"
-		fi
-		for (( j=0; j<nmods; j++ )); do
-			[[ -z ${MODULES[j]} ]] && continue
-			if [[ ${PROVIDES[j]} == "${mod}" && ${umods[i]} != "${MODULES[j]}" ]] ; then
-				# We don't have a match - now ensure that we still provide an
-				# alternative. This is to handle our preferred modules.
-				for (( l=0; l<nmods; l++ )); do
-					[[ ${l} == "${j}" || -z ${MODULES[l]} ]] && continue
-					if [[ ${PROVIDES[l]} == "${mod}" ]] ; then
-						unset MODULES[j]
-						unset PROVIDES[j]
-						break
-					fi
-				done
-			fi
-		done
-	done
-
-	# Then we strip conflicting modules.
-	# We only need to do this for 3rd party modules that conflict with
-	# our own modules and the preferred list AND the user modules
-	# list doesn't specify a preference.
-	for (( i=0; i<nmods-1; i++ )); do
-		[[ -z ${MODULES[i]} ]] && continue			
-		for (( j=i+1; j<nmods; j++)); do
-			[[ -z ${MODULES[j]} ]] && continue
-			[[ ${PROVIDES[i]} == "${PROVIDES[j]}" ]] \
-			&& unset MODULES[j] && unset PROVIDES[j]
-		done
-	done
-
-	MODULES=( "${MODULES[@]}" )
-	PROVIDES=( "${PROVIDES[@]}" )
-	return 0
-}
-
-# void modules_sort(void)
-#
-# Sort our modules
-modules_sort() {
-	local i= j= nmods=${#MODULES[@]} m=
-	local -a provide=() provide_list=() after=() dead=() sorted=() sortedp=()
-
-	# Make our provide list
-	for ((i=0; i<nmods; i++)); do
-		dead[i]="false"
-		if [[ ${MODULES[i]} != "${PROVIDES[i]}" ]] ; then
-			local provided=false
-			for ((j=0; j<${#provide[@]}; j++)); do
-				if [[ ${provide[j]} == "${PROVIDES[i]}" ]] ; then
-					provide_list[j]="${provide_list[j]} ${MODULES[i]}"
-					provided=true
-				fi
-			done
-			if ! ${provided}; then
-				provide[j]="${PROVIDES[i]}"
-				provide_list[j]="${MODULES[i]}"
-			fi
-		fi
-	done
-
-	# Create an after array, which holds which modules the module at
-	# index i must be after
-	for ((i=0; i<nmods; i++)); do
-		if is_function "${MODULES[i]}_after" ; then
-			after[i]=" ${after[i]} $(${MODULES[i]}_after) "
-		fi
-		if is_function "${MODULES[i]}_before" ; then
-			for m in $(${MODULES[i]}_before); do
-				for ((j=0; j<nmods; j++)) ; do
-					if [[ ${PROVIDES[j]} == "${m}" ]] ; then
-						after[j]=" ${after[j]} ${MODULES[i]} "
-						break
-					fi
-				done
-			done
-		fi
-	done
-
-	# Replace the after list modules with real modules
-	for ((i=0; i<nmods; i++)); do
-		if [[ -n ${after[i]} ]] ; then
-			for ((j=0; j<${#provide[@]}; j++)); do
-				after[i]="${after[i]// ${provide[j]} / ${provide_list[j]} }"
-			done
-		fi
-	done
-	
-	# We then use the below code to provide a topologial sort
-    module_after_visit() {
-        local name="$1" i= x=
-
-		for ((i=0; i<nmods; i++)); do
-			[[ ${MODULES[i]} == "$1" ]] && break
-		done
-
-        ${dead[i]} && return
-        dead[i]="true"
-
-        for x in ${after[i]} ; do
-            module_after_visit "${x}"
-        done
-
-        sorted=( "${sorted[@]}" "${MODULES[i]}" )
-		sortedp=( "${sortedp[@]}" "${PROVIDES[i]}" )
-    }
-
-	for x in ${MODULES[@]}; do
-		module_after_visit "${x}"
-	done
-
-	MODULES=( "${sorted[@]}" )
-	PROVIDES=( "${sortedp[@]}" )
-}
-
-# bool modules_check_depends(bool showprovides)
-modules_check_depends() {
-	local showprovides="${1:-false}" nmods="${#MODULES[@]}" i= j= needmod=
-	local missingdeps= p= interface=false
-
-	for (( i=0; i<nmods; i++ )); do
-		if is_function "${MODULES[i]}_need" ; then
-			for needmod in $(${MODULES[i]}_need); do
-				missingdeps=true
-				for (( j=0; j<nmods; j++ )); do
-					if [[ ${needmod} == "${MODULES[j]}" \
-						|| ${needmod} == "${PROVIDES[j]}" ]] ; then
-						missingdeps=false
-						break
-					fi
-				done
-				if ${missingdeps} ; then
-					eerror "${MODULES[i]} needs ${needmod} (dependency failure)"
-					return 1
-				fi
-			done
-		fi
-
-		if is_function "${MODULES[i]}_functions" ; then
-			for f in $(${MODULES[i]}_functions); do
-				if ! is_function "${f}" ; then
-					eerror "${MODULES[i]}: missing required function \"${f}\""
-					return 1
-				fi
-			done
-		fi
-
-		[[ ${PROVIDES[i]} == "interface" ]] && interface=true
-
-		if ${showprovides} ; then
-			[[ ${PROVIDES[i]} != "${MODULES[i]}" ]] \
-			&& veinfo "${MODULES[i]} provides ${PROVIDES[i]}"
-		fi
-	done
-
-	if ! ${interface} ; then
-		eerror "no interface module has been loaded"
-		return 1
-	fi
-
-	return 0
-}
-
-# bool modules_load(char *iface, bool starting)
-#
-# Loads the defined handler and modules for the interface
-# Returns 0 on success, otherwise 1
-modules_load()  {
-	local iface="$1" starting="${2:-true}" MODULE= p=false i= j= k=
-	local -a x=()
-	local RC_INDENTATION="${RC_INDENTATION}"
-	local -a PROVIDES=() WRAP_MODULES=()
-
-	if ! is_loopback "${iface}" ; then
-		x="modules_force_${iface}[@]"
-		[[ -n ${!x} ]] && modules_force=( "${!x}" )
-		if [[ -n ${modules_force} ]] ; then
-			ewarn "WARNING: You are forcing modules!"
-			ewarn "Do not complain or file bugs if things start breaking"
-			report=true
-		fi
-	fi
-
-	veinfo "Loading networking modules for ${iface}"
-	eindent
-
-	if [[ -z ${modules_force} ]] ; then
-		modules_load_auto || return 1
-	else
-		j="${#modules_force[@]}"
-		for (( i=0; i<j; i++ )); do
-			module_load_minimum "${MODULES_DIR}/${modules_force[i]}" || return 1
-			if is_function "${modules_force[i]}_check_installed" ; then
-				${modules_force[i]}_check_installed || unset modules_force[i]
-			fi
-		done
-		MODULES=( "${modules_force[@]}" )
-	fi
-
-	j="${#MODULES[@]}"
-	for (( i=0; i<j; i++ )); do
-		# Now load our dependencies - we need to use the MODULE variable
-		# here as the after/before/need functions use it
-		MODULE="${MODULES[i]}"
-		${MODULE}_depend
-
-		# expose does exactly the same thing as depend
-		# However it is more "correct" as it exposes things to other modules
-		# instead of depending on them ;)
-		is_function "${MODULES[i]}_expose" && ${MODULES[i]}_expose
-
-		# If no provide is given, assume module name
-		if is_function "${MODULES[i]}_provide" ; then
-			PROVIDES[i]=$(${MODULES[i]}_provide)
-		else
-			PROVIDES[i]="${MODULES[i]}"
-		fi
-	done
-
-	if [[ -n ${modules_force[@]} ]] ; then
-		# Strip any duplicate modules providing the same thing
-		j="${#MODULES[@]}"
-		for (( i=0; i<j-1; i++ )); do
-			[[ -z ${MODULES[i]} ]] && continue
-			for (( k=i+1; k<j; k++ )); do
-				if [[ ${PROVIDES[i]} == ${PROVIDES[k]} ]] ; then
-					unset MODULES[k]
-					unset PROVIDES[k]
-				fi
-			done
-		done
-		MODULES=( "${MODULES[@]}" )
-		PROVIDES=( "${PROVIDES[@]}" )
-	else
-		if ${starting}; then
-			modules_check_user "${iface}" || return 1
-		else
-			# Always prefer iproute2 for taking down interfaces
-			if is_function iproute2_provide ; then
-				function_wrap iproute2 "$(iproute2_provide)"
-			fi
-		fi
-	fi
-	
-	# Wrap our modules
-	j="${#MODULES[@]}"
-	for (( i=0; i<j; i++ )); do
-		function_wrap "${MODULES[i]}" "${PROVIDES[i]}"
-	done
-	j="${#WRAP_MODULES[@]}"
-	for (( i=0; i<j; i++ )); do
-		function_wrap ${WRAP_MODULES[i]}
-	done
-	
-	if [[ -z ${modules_force[@]} ]] ; then
-		modules_check_installed || return 1
-		modules_sort || return 1
-	fi
-
-	veinfo "modules: ${MODULES[@]}"
-	eindent
-
-	${starting} && p=true
-	modules_check_depends "${p}" || return 1
-	return 0
-}
-
-# bool iface_start(char *interface)
-#
-# iface_start is called from start.  It's expected to start the base
-# interface (for example "eth0"), aliases (for example "eth0:1") and to start
-# VLAN interfaces (for example eth0.0, eth0.1).  VLAN setup is accomplished by
-# calling itself recursively.
-iface_start() {
-	local iface="$1" mod config_counter="-1" x config_worked=false
-	local RC_INDENTATION="${RC_INDENTATION}"
-	local -a config=() fallback=() fallback_route=() conf=() a=() b=()
-	local ifvar=$(bash_variable "$1") i= j= metric=0
-
-	# pre Start any modules with
-	for mod in ${MODULES[@]}; do
-		if is_function "${mod}_pre_start" ; then
-			${mod}_pre_start "${iface}" || { eend 1; return 1; }
-		fi
-	done
-
-	x="metric_${ifvar}"
-	# If we don't have a metric then calculate one
-	# Our modules will set the metric variable to a suitable base
-	# in their pre starts.
-	if [[ -z ${!x} ]] ; then
-		eval "metric_${ifvar}=\"$(calculate_metric "${iface}" "${metric}")\""
-	fi
-
-	# We now expand the configuration parameters and pray that the
-	# fallbacks expand to the same number as config or there will be
-	# trouble!
-	a="config_${ifvar}[@]"
-	a=( "${!a}" )
-	for (( i=0; i<${#a[@]}; i++ )); do 
-		eval b=( $(expand_parameters "${a[i]}") )
-		config=( "${config[@]}" "${b[@]}" )
-	done
-
-	a="fallback_${ifvar}[@]"
-	a=( "${!a}" )
-	for (( i=0; i<${#a[@]}; i++ )); do 
-		eval b=( $(expand_parameters "${a[i]}") )
-		fallback=( "${fallback[@]}" "${b[@]}" )
-	done
-
-	# We don't expand routes
-	fallback_route="fallback_route_${ifvar}[@]"
-	fallback_route=( "${!fallback_route}" )
-	
-	# We must support old configs
-	if [[ -z ${config} ]] ; then
-		interface_get_old_config "${iface}" || return 1
-		if [[ -n ${config} ]] ; then
-			ewarn "You are using a deprecated configuration syntax for ${iface}"
-			ewarn "You are advised to read /etc/conf.d/net.example and upgrade it accordingly"
-		fi
-	fi
-
-	# Handle "noop" correctly
-	if [[ ${config[0]} == "noop" ]] ; then
-		if interface_is_up "${iface}" true ; then
-			einfo "Keeping current configuration for ${iface}"
-			eend 0
-			return 0
-		fi
-
-		# Remove noop from the config var
-		config=( "${config[@]:1}" )
-	fi
-
-	# Provide a default of DHCP if no configuration is set and we're auto
-	# Otherwise a default of NULL
-	if [[ -z ${config} ]] ; then
-		ewarn "Configuration not set for ${iface} - assuming DHCP"
-		if is_function "dhcp_start" ; then
-			config=( "dhcp" )
-		else
-			eerror "No DHCP client installed"
-			return 1
-		fi
-	fi
-
-	einfo "Bringing up ${iface}"
-	eindent
-	for (( config_counter=0; config_counter<${#config[@]}; config_counter++ )); do
-		# Handle null and noop correctly
-		if [[ ${config[config_counter]} == "null" \
-			|| ${config[config_counter]} == "noop" ]] ; then
-			eend 0
-			config_worked=true
-			continue
-		fi
-
-		# We convert it to an array - this has the added
-		# bonus of trimming spaces!
-		conf=( ${config[config_counter]} )
-		einfo "${conf[0]}"
-
-		# Do we have a function for our config?
-		if is_function "${conf[0]}_start" ; then
-			eindent
-			${conf[0]}_start "${iface}" ; x=$?
-			eoutdent
-			[[ ${x} == 0 ]] && config_worked=true && continue
-			# We need to test to see if it's an IP address or a function
-			# We do this by testing if the 1st character is a digit
-		elif [[ ${conf[0]:0:1} == [[:digit:]] || ${conf[0]} == *:* ]] ; then
-			x="0"
-			if ! is_loopback "${iface}" ; then
-				if [[ " ${MODULES[@]} " == *" arping "* ]] ; then
-					if arping_address_exists "${iface}" "${conf[0]}" ; then
-						eerror "${conf[0]%%/*} already taken on ${iface}"
-						x="1"
-					fi
-				fi
-			fi
-			[[ ${x} == "0" ]] && interface_add_address "${iface}" ${conf[@]}; x="$?"
-			eend "${x}" && config_worked=true && continue
-		else
-			if [[ ${conf[0]} == "dhcp" ]] ; then
-				eerror "No DHCP client installed"
-			else
-				eerror "No loaded modules provide \"${conf[0]}\" (${conf[0]}_start)"
-			fi
-		fi
-
-		if [[ -n ${fallback[config_counter]} ]] ; then
-			einfo "Trying fallback configuration"
-			config[config_counter]="${fallback[config_counter]}"
-			fallback[config_counter]=""
-
-			# Do we have a fallback route?
-			if [[ -n ${fallback_route[config_counter]} ]] ; then
-				x="fallback_route[config_counter]"
-				eval "routes_${ifvar}=( \"\${!x}\" )"
-				fallback_route[config_counter]=""
-			fi
-
-			(( config_counter-- )) # since the loop will increment it
-			continue
-		fi
-	done
-	eoutdent
-
-	# We return failure if no configuration parameters worked
-	${config_worked} || return 1
-
-	# Start any modules with _post_start
-	for mod in ${MODULES[@]}; do
-		if is_function "${mod}_post_start" ; then
-			${mod}_post_start "${iface}" || return 1
-		fi
-	done
-
-	return 0
-}
-
-# bool iface_stop(char *interface)
-#
-# iface_stop: bring down an interface.  Don't trust information in
-# /etc/conf.d/net since the configuration might have changed since
-# iface_start ran.  Instead query for current configuration and bring
-# down the interface.
-iface_stop() {
-	local iface="$1" i= aliases= need_begin=false mod=
-	local RC_INDENTATION="${RC_INDENTATION}"
-
-	# pre Stop any modules
-	for mod in ${MODULES[@]}; do
-		if is_function "${mod}_pre_stop" ; then
-			${mod}_pre_stop "${iface}" || return 1
-		fi
-	done
-
-	einfo "Bringing down ${iface}"
-	eindent
-
-	# Collect list of aliases for this interface.
-	# List will be in reverse order.
-	if interface_exists "${iface}" ; then
-		aliases=$(interface_get_aliases_rev "${iface}")
-	fi
-
-	# Stop aliases before primary interface.
-	# Note this must be done in reverse order, since ifconfig eth0:1 
-	# will remove eth0:2, etc.  It might be sufficient to simply remove 
-	# the base interface but we're being safe here.
-	for i in ${aliases} ${iface}; do
-		# Stop all our modules
-		for mod in ${MODULES[@]}; do
-			if is_function "${mod}_stop" ; then
-				${mod}_stop "${i}" || return 1
-			fi
-		done
-
-		# A module may have removed the interface
-		if ! interface_exists "${iface}" ; then
-			eend 0
-			continue
-		fi
-
-		# We don't delete ppp assigned addresses
-		if ! is_function pppd_exists || ! pppd_exists "${i}" ; then
-			# Delete all the addresses for this alias
-			interface_del_addresses "${i}"
-		fi
-
-		# Do final shut down of this alias
-		if [[ ${IN_BACKGROUND} != "true" \
-			&& ${RC_DOWN_INTERFACE} == "yes" ]] ; then
-			ebegin "Shutting down ${i}"
-			interface_iface_stop "${i}"
-			eend "$?"
-		fi
-	done
-
-	# post Stop any modules
-	for mod in ${MODULES[@]}; do
-		# We have already taken down the interface, so no need to error
-		is_function "${mod}_post_stop" && ${mod}_post_stop "${iface}"
-	done
-
-	return 0
-}
-
-# bool run_start(char *iface)
-#
-# Brings up ${IFACE}.  Calls preup, iface_start, then postup.
-# Returns 0 (success) unless preup or iface_start returns 1 (failure).
-# Ignores the return value from postup.
-# We cannot check that the device exists ourselves as modules like
-# tuntap make create it.
-run_start() {
-	local iface="$1" IFVAR=$(bash_variable "$1")
-
-	# We do this so users can specify additional addresses for lo if they
-	# need too - additional routes too
-	# However, no extra modules are loaded as they are just not needed
-	if [[ ${iface} == "lo" ]] ; then
-		metric_lo="0"
-		config_lo=( "127.0.0.1/8 brd 127.255.255.255" "${config_lo[@]}" )
-		routes_lo=( "127.0.0.0/8" "${routes_lo[@]}" )
-	elif [[ ${iface} == "lo0" ]] ; then
-		metric_lo0="0"
-		config_lo0=( "127.0.0.1/8 brd 127.255.255.255" "${config_lo[@]}" )
-		routes_lo0=( "127.0.0.0/8" "${routes_lo[@]}" )
-	fi
-
-	# We may not have a loaded module for ${iface}
-	# Some users may have "alias natsemi eth0" in /etc/modules.d/foo
-	# so we can work with this
-	# However, if they do the same with eth1 and try to start it
-	# but eth0 has not been loaded then the module gets loaded as
-	# eth0.
-	# Not much we can do about this :(
-	# Also, we cannot error here as some modules - such as bridge
-	# create interfaces
-	if ! interface_exists "${iface}" ; then
-		/sbin/modprobe "${iface}" &>/dev/null
-	fi
-
-	# Call user-defined preup function if it exists
-	if is_function preup ; then
-		einfo "Running preup function"
-		eindent
-		( preup "${iface}" )
-		eend "$?" "preup ${iface} failed" || return 1
-		eoutdent
-	fi
-
-	# If config is set to noop and the interface is up with an address
-	# then we don't start it
-	local config=
-	config="config_${IFVAR}[@]"
-	config=( "${!config}" )
-	if [[ ${config[0]} == "noop" ]] && interface_is_up "${iface}" true ; then
-		einfo "Keeping current configuration for ${iface}"
-		eend 0
-	else
-		# Remove noop from the config var
-		[[ ${config[0]} == "noop" ]] \
-			&& eval "config_${IFVAR}=( "\"\$\{config\[@\]:1\}\"" )"
-
-		# There may be existing ip address info - so we strip it
-		if [[ ${RC_INTERFACE_KEEP_CONFIG} != "yes" \
-			&& ${IN_BACKGROUND} != "true" ]] ; then
-			interface_del_addresses "${iface}"
-		fi
-
-		# Start the interface
-		if ! iface_start "${iface}" ; then
-			if [[ ${IN_BACKGROUND} != "true" ]] ; then
-				interface_exists "${iface}" && interface_down "${iface}"
-			fi
-			eend 1
-			return 1
-		fi
-	fi
-
-	# Call user-defined postup function if it exists
-	if is_function postup ; then
-		# We need to mark the service as started incase a
-		# postdown function wants to restart services that depend on us
-		mark_service_started "net.${iface}"
-		end_service "net.${iface}" 0
-		einfo "Running postup function"
-		eindent
-		( postup "${iface}" )
-		eoutdent
-	fi
-
-	return 0
-}
-
-# bool run_stop(char *iface) {
-#
-# Brings down ${iface}.  If predown call returns non-zero, then
-# stop returns non-zero to indicate failure bringing down device.
-# In all other cases stop returns 0 to indicate success.
-run_stop() {
-	local iface="$1" IFVAR=$(bash_variable "$1") x
-
-	# Load our ESSID variable so users can use it in predown() instead
-	# of having to write code.
-	local ESSID=$(get_options ESSID) ESSIDVAR=
-	[[ -n ${ESSID} ]] && ESSIDVAR=$(bash_variable "${ESSID}")
-
-	# Call user-defined predown function if it exists
-	if is_function predown ; then
-		einfo "Running predown function"
-		eindent
-		( predown "${iface}" )
-		eend $? "predown ${iface} failed" || return 1
-		eoutdent
-	elif is_net_fs / ; then
-		eerror "root filesystem is network mounted -- can't stop ${iface}"
-		return 1
-	elif is_union_fs / ; then
-		for x in $(unionctl "${dir}" --list \
-		| sed -e 's/^\(.*\) .*/\1/') ; do
-			if is_net_fs "${x}" ; then
-				eerror "Part of the root filesystem is network mounted - cannot stop ${iface}"
-				return 1
-			fi
-		done
-	fi
-
-	iface_stop "${iface}" || return 1  # always succeeds, btw
-
-	# Release resolv.conf information.
-	[[ -x /sbin/resolvconf ]] && resolvconf -d "${iface}"
-	
-	# Mark us as inactive if called from the background
-	[[ ${IN_BACKGROUND} == "true" ]] && mark_service_inactive "net.${iface}"
-
-	# Call user-defined postdown function if it exists
-	if is_function postdown ; then
-		# We need to mark the service as stopped incase a
-		# postdown function wants to restart services that depend on us
-		[[ ${IN_BACKGROUND} != "true" ]] && mark_service_stopped "net.${iface}"
-		end_service "net.${iface}" 0
-		einfo "Running postdown function"
-		eindent
-		( postdown "${iface}" )
-		eoutdent
-	fi
-
-
-	return 0
-}
-
-# bool run(char *iface, char *cmd)
-#
-# Main start/stop entry point
-# We load modules here and remove any functions that they
-# added as we may be called inside the same shell scope for another interface
-run() {
-	local iface="$1" cmd="$2" r=1 RC_INDENTATION="${RC_INDENTATION}"
-	local starting=true
-	local -a MODULES=() mods=()
-	local IN_BACKGROUND="${IN_BACKGROUND}"
-
-	if [[ ${IN_BACKGROUND} == "true" || ${IN_BACKGROUND} == "1" ]] ; then
-		IN_BACKGROUND=true
-	else
-		IN_BACKGROUND=false
-	fi
-
-	# We need to override the exit function as runscript.sh now checks
-	# for it. We need it so we can mark the service as inactive ourselves.
-	unset -f exit
-
-	eindent
-	[[ ${cmd} == "stop" ]] && starting=false
-
-	# We force lo to only use these modules for a major speed boost
-	if is_loopback "${iface}" ; then	
-		modules_force=( "iproute2" "ifconfig" "system" )
-	fi
-
-	if modules_load "${iface}" "${starting}" ; then
-		if [[ ${cmd} == "stop" ]] ; then
-			# Reverse the module list for stopping
-			mods=( "${MODULES[@]}" )
-			for ((i = 0; i < ${#mods[@]}; i++)); do
-				MODULES[i]=${mods[((${#mods[@]} - i - 1))]}
-			done
-
-			run_stop "${iface}" && r=0
-		else
-			# Only hotplug on ethernet interfaces
-			if [[ ${IN_HOTPLUG} == 1 ]] ; then
-				if ! interface_is_ethernet "${iface}" ; then
-					eerror "We only hotplug for ethernet interfaces"
-					return 1
-				fi
-			fi
-
-			run_start "${iface}" && r=0
-		fi
-	fi
-
-	if [[ ${r} != "0" ]] ; then
-		if [[ ${cmd} == "start" ]] ; then
-			# Call user-defined failup if it exists
-			if is_function failup ; then
-				einfo "Running failup function"
-				eindent
-				( failup "${iface}" )
-				eoutdent
-			fi
-		else
-			# Call user-defined faildown if it exists
-			if is_function faildown ; then
-				einfo "Running faildown function"
-				eindent
-				( faildown "${iface}" )
-				eoutdent
-			fi
-		fi
-		[[ ${IN_BACKGROUND} == "true" ]] \
-			&& mark_service_inactive "net.${iface}"
-	fi
-
-	return "${r}"
-}
-
-# bool start(void)
-#
-# Start entry point so that we only have one function
-# which localises variables and unsets functions
-start() {
-	declare -r IFACE="${SVCNAME#*.}"
-	einfo "Starting ${IFACE}"
-	run "${IFACE}" start
-}
-
-# bool stop(void)
-#
-# Stop entry point so that we only have one function
-# which localises variables and unsets functions
-stop() {
-	declare -r IFACE="${SVCNAME#*.}"
-	einfo "Stopping ${IFACE}"
-	run "${IFACE}" stop
-}
-
-# vim:ts=4
diff --git a/testing/hosts/moon/etc/ipsec.conf b/testing/hosts/moon/etc/ipsec.conf
old mode 100755
new mode 100644
index 6ee481e49..623e75d0a
--- a/testing/hosts/moon/etc/ipsec.conf
+++ b/testing/hosts/moon/etc/ipsec.conf
@@ -7,20 +7,20 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
-	left=PH_IP_MOON
+	left=192.168.0.1
 	leftcert=moonCert.pem
 	leftid=@moon.strongswan.org
 	leftfirewall=yes
 
 conn net-net
 	leftsubnet=10.1.0.0/16
-	right=PH_IP_SUN
+	right=192.168.0.2
 	rightsubnet=10.2.0.0/16
 	rightid=@sun.strongswan.org
 	auto=add
-        
+
 conn host-host
-	right=PH_IP_SUN
+	right=192.168.0.2
 	rightid=@sun.strongswan.org
 	auto=add
 
diff --git a/testing/hosts/moon/etc/network/interfaces b/testing/hosts/moon/etc/network/interfaces
new file mode 100644
index 000000000..fde2f102f
--- /dev/null
+++ b/testing/hosts/moon/etc/network/interfaces
@@ -0,0 +1,21 @@
+auto lo
+iface lo inet loopback
+
+auto eth0
+iface eth0 inet static
+	address 192.168.0.1
+	netmask 255.255.255.0
+	broadcast 192.168.0.255
+	gateway 192.168.0.254
+iface eth0 inet6 static
+	address fec0::1
+	netmask 16
+
+auto eth1
+iface eth1 inet static
+	address 10.1.0.1
+	netmask 255.255.0.0
+	broadcast 10.1.255.255
+iface eth1 inet6 static
+	address fec1::1
+	netmask 16
diff --git a/testing/hosts/moon/etc/rc.local b/testing/hosts/moon/etc/rc.local
new file mode 100755
index 000000000..8649a2bcb
--- /dev/null
+++ b/testing/hosts/moon/etc/rc.local
@@ -0,0 +1,20 @@
+#!/bin/sh -e
+#
+# rc.local
+#
+# This script is executed at the end of each multiuser runlevel.
+# Make sure that the script will "exit 0" on success or any other
+# value on error.
+#
+# In order to enable or disable this script just change the execution
+# bits.
+#
+
+# Disable checksum offloading on eth1 because it does not currently work with
+# libvirt and isc-dhcp-server running on venus, see [1]
+# [1] - https://bugs.mageia.org/show_bug.cgi?id=1243
+
+ethtool --offload eth1 tx off >/dev/null 2>&1
+ethtool --offload eth1 rx off >/dev/null 2>&1
+
+exit 0
diff --git a/testing/hosts/moon/etc/runlevels/default/net.eth0 b/testing/hosts/moon/etc/runlevels/default/net.eth0
deleted file mode 100755
index 92b3851cf..000000000
--- a/testing/hosts/moon/etc/runlevels/default/net.eth0
+++ /dev/null
@@ -1,1124 +0,0 @@
-#!/sbin/runscript
-# Copyright (c) 2004-2006 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-# Contributed by Roy Marples (uberlord@gentoo.org)
-# Many thanks to Aron Griffis (agriffis@gentoo.org)
-# for help, ideas and patches
-
-#NB: Config is in /etc/conf.d/net
-
-# For pcmcia users. note that pcmcia must be added to the same
-# runlevel as the net.* script that needs it.
-depend() {
-	need localmount
-	after bootmisc hostname
-	use isapnp isdn pcmcia usb wlan
-
-	# Load any custom depend functions for the given interface
-	# For example, br0 may need eth0 and eth1
-	local iface="${SVCNAME#*.}"
-	[[ $(type -t "depend_${iface}") == "function" ]] && depend_${iface}
-
-	if [[ ${iface} != "lo" && ${iface} != "lo0" ]] ; then
-		after net.lo net.lo0
-
-		# Support new style RC_NEED and RC_USE in one net file
-		local x="RC_NEED_${iface}"
-		[[ -n ${!x} ]] && need ${!x}
-		x="RC_USE_${iface}"
-		[[ -n ${!x} ]] && use ${!x}
-	fi
-
-	return 0
-}
-
-# Define where our modules are
-MODULES_DIR="${svclib}/net"
-
-# Make some wrappers to fudge after/before/need/use depend flags.
-# These are callbacks so MODULE will be set.
-after() {
-	eval "${MODULE}_after() { echo \"$*\"; }"
-}
-before() {
-	eval "${MODULE}_before() { echo \"$*\"; }"
-}
-need() {
-	eval "${MODULE}_need() { echo \"$*\"; }"
-}
-installed() {
-	# We deliberately misspell this as _installed will probably be used
-	# at some point
-	eval "${MODULE}_instlled() { echo \"$*\"; }"
-}
-provide() {
-	eval "${MODULE}_provide() { echo \"$*\"; }"
-}
-functions() {
-	eval "${MODULE}_functions() { echo \"$*\"; }"
-}
-variables() {
-	eval "${MODULE}_variables() { echo \"$*\"; }"
-}
-
-is_loopback() {
-	[[ $1 == "lo" || $1 == "lo0" ]]
-}
-
-# char* interface_device(char *iface)
-#
-# Gets the base device of the interface
-# Can handle eth0:1 and eth0.1
-# Which returns eth0 in this case
-interface_device() {
-	local dev="${1%%.*}"
-	[[ ${dev} == "$1" ]] && dev="${1%%:*}"
-	echo "${dev}"
-}
-
-# char* interface_type(char* iface)
-#
-# Returns the base type of the interface
-# eth, ippp, etc
-interface_type() {
-	echo "${1%%[0-9]*}"
-}
-
-# int calculate_metric(char *interface, int base)
-#
-# Calculates the best metric for the interface
-# We use this when we add routes so we can prefer interfaces over each other
-calculate_metric() {
-	local iface="$1" metric="$2"
-
-	# Have we already got a metric?
-	local m=$(awk '$1=="'${iface}'" && $2=="00000000" { print $7 }' \
-		/proc/net/route)
-	if [[ -n ${m} ]] ; then
-		echo "${m}"
-		return 0
-	fi
-
-	local i= dest= gw= flags= ref= u= m= mtu= metrics=
-	while read i dest gw flags ref u m mtu ; do
-		# Ignore lo
-		is_loopback "${i}" && continue
-		# We work out metrics from default routes only
-		[[ ${dest} != "00000000" || ${gw} == "00000000" ]] && continue
-		metrics="${metrics}\n${m}"
-	done < /proc/net/route
-
-	# Now, sort our metrics
-	metrics=$(echo -e "${metrics}" | sort -n)
-
-	# Now, find the lowest we can use
-	local gotbase=false
-	for m in ${metrics} ; do
-		[[ ${m} -lt ${metric} ]] && continue
-		[[ ${m} == ${metric} ]] && ((metric++))
-		[[ ${m} -gt ${metric} ]] && break
-	done
-	
-	echo "${metric}"
-}
-
-# int netmask2cidr(char *netmask)
-#
-# Returns the CIDR of a given netmask
-netmask2cidr() {
-	local binary= i= bin=
-
-	for i in ${1//./ }; do
-		bin=""
-		while [[ ${i} != "0" ]] ; do
-			bin=$[${i}%2]${bin}
-			(( i=i>>1 ))
-		done
-		binary="${binary}${bin}"
-	done
-	binary="${binary%%0*}"
-	echo "${#binary}"
-}
-
-
-# bool is_function(char* name)
-#
-# Returns 0 if the given name is a shell function, otherwise 1
-is_function() {
-	[[ -z $1 ]] && return 1
-	[[ $(type -t "$1") == "function" ]]
-}
-
-# void function_wrap(char* source, char* target)
-#
-# wraps function calls - for example function_wrap(this, that)
-# maps function names this_* to that_*
-function_wrap() {
-	local i=
-
-	is_function "${2}_depend" && return
-
-	for i in $(typeset -f | grep -o '^'"${1}"'_[^ ]*'); do
-		eval "${2}${i#${1}}() { ${i} \"\$@\"; }"
-	done
-}
-
-# char[] * expand_parameters(char *cmd)
-#
-# Returns an array after expanding parameters. For example
-# "192.168.{1..3}.{1..3}/24 brd +"
-# will return
-# "192.168.1.1/24 brd +"
-# "192.168.1.2/24 brd +"
-# "192.168.1.3/24 brd +"
-# "192.168.2.1/24 brd +"
-# "192.168.2.2/24 brd +"
-# "192.168.2.3/24 brd +"
-# "192.168.3.1/24 brd +"
-# "192.168.3.2/24 brd +"
-# "192.168.3.3/24 brd +"
-expand_parameters() {
-	local x=$(eval echo ${@// /_})
-	local -a a=( ${x} )
-
-	a=( "${a[@]/#/\"}" )
-	a=( "${a[@]/%/\"}" )
-	echo "${a[*]//_/ }"
-}
-
-# void configure_variables(char *interface, char *option1, [char *option2])
-#
-# Maps configuration options from <variable>_<option> to <variable>_<iface>
-# option2 takes precedence over option1
-configure_variables() {
-	local iface="$1" option1="$2" option2="$3"
-
-	local mod= func= x= i=
-	local -a ivars=() ovars1=() ovars2=()
-	local ifvar=$(bash_variable "${iface}")
-
-	for mod in ${MODULES[@]}; do
-		is_function ${mod}_variables || continue
-		for v in $(${mod}_variables) ; do
-			x=
-			[[ -n ${option2} ]] && x="${v}_${option2}[@]"
-			[[ -z ${!x} ]] && x="${v}_${option1}[@]"
-			[[ -n ${!x} ]] && eval "${v}_${ifvar}=( \"\${!x}\" )"
-		done
-	done
-
-	return 0
-}
-# bool module_load_minimum(char *module)
-#
-# Does the minimum checking on a module - even when forcing
-module_load_minimum() {
-	local f="$1.sh" MODULE="${1##*/}"
-
-	if [[ ! -f ${f} ]] ; then
-		eerror "${f} does not exist"
-		return 1
-	fi
-
-	if ! source "${f}" ; then
-		eerror "${MODULE} failed a sanity check"
-		return 1
-	fi
-
-	for f in depend; do
-		is_function "${MODULE}_${f}" && continue
-		eerror "${MODULE}.sh does not support the required function ${f}"
-		return 1
-	done
-
-	return 0
-}
-
-# bool modules_load_auto()
-#
-# Load and check each module for sanity
-# If the module is not installed, the functions are to be removed
-modules_load_auto() {
-	local i j inst
-
-	# Populate the MODULES array
-	# Basically we treat evey file in ${MODULES_DIR} as a module
-	MODULES=( $( cd "${MODULES_DIR}" ; ls *.sh ) )
-	j="${#MODULES[@]}"
-	for (( i=0; i<j; i++ )); do
-		MODULES[i]="${MODULES_DIR}/${MODULES[i]}"
-		[[ ! -f ${MODULES[i]} ]] && unset MODULES[i]
-	done
-	MODULES=( "${MODULES[@]}" )
-
-	# Each of these sources into the global namespace, so it's
-	# important that module functions and variables are prefixed with
-	# the module name, for example iproute2_
-
-	j="${#MODULES[@]}"
-	loaded_interface=false
-	for (( i=0; i<j; i++ )); do
-		MODULES[i]="${MODULES[i]%.sh*}"
-		if [[ ${MODULES[i]##*/} == "interface" ]] ; then
-			eerror "interface is a reserved name - cannot load a module called interface"
-			return 1
-		fi
-		
-		(
-		u=0;
-		module_load_minimum "${MODULES[i]}" || u=1;
-		if [[ ${u} == 0 ]] ; then
-			inst="${MODULES[i]##*/}_check_installed";
-			if is_function "${inst}" ; then
-				${inst} false || u=1;
-			fi
-		fi
-		exit "${u}";
-		)
-
-		if [[ $? == 0 ]] ; then
-			source "${MODULES[i]}.sh"
-			MODULES[i]="${MODULES[i]##*/}"
-		else
-			unset MODULES[i]
-		fi
-	done
-
-	MODULES=( "${MODULES[@]}" )
-	return 0
-}
-
-# bool modules_check_installed(void)
-#
-# Ensure that all modules have the required modules loaded
-# This enables us to remove modules from the MODULES array
-# Whilst other modules can still explicitly call them
-# One example of this is essidnet which configures network
-# settings for the specific ESSID connected to as the user
-# may be using a daemon to configure wireless instead of our
-# iwconfig module
-modules_check_installed() {
-	local i j missingdeps nmods="${#MODULES[@]}"
-
-	for (( i=0; i<nmods; i++ )); do
-		is_function "${MODULES[i]}_instlled" || continue
-		for j in $( ${MODULES[i]}_instlled ); do
-			missingdeps=true
-			if is_function "${j}_check_installed" ; then
-				${j}_check_installed && missingdeps=false
-			elif is_function "${j}_depend" ; then
-				missingdeps=false
-			fi
-			${missingdeps} && unset MODULES[i] && unset PROVIDES[i] && break
-		done
-	done
-
-	MODULES=( "${MODULES[@]}" )
-	PROVIDES=( "${PROVIDES[@]}" )
-}
-
-# bool modules_check_user(void)
-modules_check_user() {
-	local iface="$1" ifvar=$(bash_variable "${IFACE}")
-	local i= j= k= l= nmods="${#MODULES[@]}"
-	local -a umods=()
-
-	# Has the interface got any specific modules?
-	umods="modules_${ifvar}[@]"
-	umods=( "${!umods}" )
-
-	# Global setting follows interface-specific setting
-	umods=( "${umods[@]}" "${modules[@]}" )
-
-	# Add our preferred modules
-	local -a pmods=( "iproute2" "dhcpcd" "iwconfig" "netplugd" )
-	umods=( "${umods[@]}" "${pmods[@]}" )
-
-	# First we strip any modules that conflict from user settings
-	# So if the user specifies pump then we don't use dhcpcd
-	for (( i=0; i<${#umods[@]}; i++ )); do
-		# Some users will inevitably put "dhcp" in their modules
-		# list.  To keep users from screwing up their system this
-		# way, ignore this setting so that the default dhcp
-		# module will be used.
-		[[ ${umods[i]} == "dhcp" ]] && continue
-
-		# We remove any modules we explicitly don't want
-		if [[ ${umods[i]} == "!"* ]] ; then
-			for (( j=0; j<nmods; j++ )); do
-				[[ -z ${MODULES[j]} ]] && continue
-				if [[ ${umods[i]:1} == "${MODULES[j]}" \
-					|| ${umods[i]:1} == "${PROVIDES[j]}" ]] ; then
-					# We may need to setup a class wrapper for it even though
-					# we don't use it directly
-					# However, we put it into an array and wrap later as
-					# another module may provide the same thing
-					${MODULES[j]}_check_installed \
-						&& WRAP_MODULES=(
-							"${WRAP_MODULES[@]}"
-							"${MODULES[j]} ${PROVIDES[j]}"
-						)
-					unset MODULES[j]
-					unset PROVIDES[j]
-				fi
-			done
-			continue
-		fi
-
-		if ! is_function "${umods[i]}_depend" ; then
-			# If the module is one of our preferred modules, then
-			# ignore this error; whatever is available will be
-			# used instead.
-			(( i < ${#umods[@]} - ${#pmods[@]} )) || continue
-
-			# The function may not exist because the modules software is
-			# not installed. Load the module and report its error
-			if [[ -e "${MODULES_DIR}/${umods[i]}.sh" ]] ; then
-				source "${MODULES_DIR}/${umods[i]}.sh"
-				is_function "${umods[i]}_check_installed" \
-					&& ${umods[i]}_check_installed true
-			else
-				eerror "The module \"${umods[i]}\" does not exist"
-			fi
-			return 1
-		fi
-
-		if is_function "${umods[i]}_provide" ; then
-			mod=$(${umods[i]}_provide)
-		else
-			mod="${umods[i]}"
-		fi
-		for (( j=0; j<nmods; j++ )); do
-			[[ -z ${MODULES[j]} ]] && continue
-			if [[ ${PROVIDES[j]} == "${mod}" && ${umods[i]} != "${MODULES[j]}" ]] ; then
-				# We don't have a match - now ensure that we still provide an
-				# alternative. This is to handle our preferred modules.
-				for (( l=0; l<nmods; l++ )); do
-					[[ ${l} == "${j}" || -z ${MODULES[l]} ]] && continue
-					if [[ ${PROVIDES[l]} == "${mod}" ]] ; then
-						unset MODULES[j]
-						unset PROVIDES[j]
-						break
-					fi
-				done
-			fi
-		done
-	done
-
-	# Then we strip conflicting modules.
-	# We only need to do this for 3rd party modules that conflict with
-	# our own modules and the preferred list AND the user modules
-	# list doesn't specify a preference.
-	for (( i=0; i<nmods-1; i++ )); do
-		[[ -z ${MODULES[i]} ]] && continue			
-		for (( j=i+1; j<nmods; j++)); do
-			[[ -z ${MODULES[j]} ]] && continue
-			[[ ${PROVIDES[i]} == "${PROVIDES[j]}" ]] \
-			&& unset MODULES[j] && unset PROVIDES[j]
-		done
-	done
-
-	MODULES=( "${MODULES[@]}" )
-	PROVIDES=( "${PROVIDES[@]}" )
-	return 0
-}
-
-# void modules_sort(void)
-#
-# Sort our modules
-modules_sort() {
-	local i= j= nmods=${#MODULES[@]} m=
-	local -a provide=() provide_list=() after=() dead=() sorted=() sortedp=()
-
-	# Make our provide list
-	for ((i=0; i<nmods; i++)); do
-		dead[i]="false"
-		if [[ ${MODULES[i]} != "${PROVIDES[i]}" ]] ; then
-			local provided=false
-			for ((j=0; j<${#provide[@]}; j++)); do
-				if [[ ${provide[j]} == "${PROVIDES[i]}" ]] ; then
-					provide_list[j]="${provide_list[j]} ${MODULES[i]}"
-					provided=true
-				fi
-			done
-			if ! ${provided}; then
-				provide[j]="${PROVIDES[i]}"
-				provide_list[j]="${MODULES[i]}"
-			fi
-		fi
-	done
-
-	# Create an after array, which holds which modules the module at
-	# index i must be after
-	for ((i=0; i<nmods; i++)); do
-		if is_function "${MODULES[i]}_after" ; then
-			after[i]=" ${after[i]} $(${MODULES[i]}_after) "
-		fi
-		if is_function "${MODULES[i]}_before" ; then
-			for m in $(${MODULES[i]}_before); do
-				for ((j=0; j<nmods; j++)) ; do
-					if [[ ${PROVIDES[j]} == "${m}" ]] ; then
-						after[j]=" ${after[j]} ${MODULES[i]} "
-						break
-					fi
-				done
-			done
-		fi
-	done
-
-	# Replace the after list modules with real modules
-	for ((i=0; i<nmods; i++)); do
-		if [[ -n ${after[i]} ]] ; then
-			for ((j=0; j<${#provide[@]}; j++)); do
-				after[i]="${after[i]// ${provide[j]} / ${provide_list[j]} }"
-			done
-		fi
-	done
-	
-	# We then use the below code to provide a topologial sort
-    module_after_visit() {
-        local name="$1" i= x=
-
-		for ((i=0; i<nmods; i++)); do
-			[[ ${MODULES[i]} == "$1" ]] && break
-		done
-
-        ${dead[i]} && return
-        dead[i]="true"
-
-        for x in ${after[i]} ; do
-            module_after_visit "${x}"
-        done
-
-        sorted=( "${sorted[@]}" "${MODULES[i]}" )
-		sortedp=( "${sortedp[@]}" "${PROVIDES[i]}" )
-    }
-
-	for x in ${MODULES[@]}; do
-		module_after_visit "${x}"
-	done
-
-	MODULES=( "${sorted[@]}" )
-	PROVIDES=( "${sortedp[@]}" )
-}
-
-# bool modules_check_depends(bool showprovides)
-modules_check_depends() {
-	local showprovides="${1:-false}" nmods="${#MODULES[@]}" i= j= needmod=
-	local missingdeps= p= interface=false
-
-	for (( i=0; i<nmods; i++ )); do
-		if is_function "${MODULES[i]}_need" ; then
-			for needmod in $(${MODULES[i]}_need); do
-				missingdeps=true
-				for (( j=0; j<nmods; j++ )); do
-					if [[ ${needmod} == "${MODULES[j]}" \
-						|| ${needmod} == "${PROVIDES[j]}" ]] ; then
-						missingdeps=false
-						break
-					fi
-				done
-				if ${missingdeps} ; then
-					eerror "${MODULES[i]} needs ${needmod} (dependency failure)"
-					return 1
-				fi
-			done
-		fi
-
-		if is_function "${MODULES[i]}_functions" ; then
-			for f in $(${MODULES[i]}_functions); do
-				if ! is_function "${f}" ; then
-					eerror "${MODULES[i]}: missing required function \"${f}\""
-					return 1
-				fi
-			done
-		fi
-
-		[[ ${PROVIDES[i]} == "interface" ]] && interface=true
-
-		if ${showprovides} ; then
-			[[ ${PROVIDES[i]} != "${MODULES[i]}" ]] \
-			&& veinfo "${MODULES[i]} provides ${PROVIDES[i]}"
-		fi
-	done
-
-	if ! ${interface} ; then
-		eerror "no interface module has been loaded"
-		return 1
-	fi
-
-	return 0
-}
-
-# bool modules_load(char *iface, bool starting)
-#
-# Loads the defined handler and modules for the interface
-# Returns 0 on success, otherwise 1
-modules_load()  {
-	local iface="$1" starting="${2:-true}" MODULE= p=false i= j= k=
-	local -a x=()
-	local RC_INDENTATION="${RC_INDENTATION}"
-	local -a PROVIDES=() WRAP_MODULES=()
-
-	if ! is_loopback "${iface}" ; then
-		x="modules_force_${iface}[@]"
-		[[ -n ${!x} ]] && modules_force=( "${!x}" )
-		if [[ -n ${modules_force} ]] ; then
-			ewarn "WARNING: You are forcing modules!"
-			ewarn "Do not complain or file bugs if things start breaking"
-			report=true
-		fi
-	fi
-
-	veinfo "Loading networking modules for ${iface}"
-	eindent
-
-	if [[ -z ${modules_force} ]] ; then
-		modules_load_auto || return 1
-	else
-		j="${#modules_force[@]}"
-		for (( i=0; i<j; i++ )); do
-			module_load_minimum "${MODULES_DIR}/${modules_force[i]}" || return 1
-			if is_function "${modules_force[i]}_check_installed" ; then
-				${modules_force[i]}_check_installed || unset modules_force[i]
-			fi
-		done
-		MODULES=( "${modules_force[@]}" )
-	fi
-
-	j="${#MODULES[@]}"
-	for (( i=0; i<j; i++ )); do
-		# Now load our dependencies - we need to use the MODULE variable
-		# here as the after/before/need functions use it
-		MODULE="${MODULES[i]}"
-		${MODULE}_depend
-
-		# expose does exactly the same thing as depend
-		# However it is more "correct" as it exposes things to other modules
-		# instead of depending on them ;)
-		is_function "${MODULES[i]}_expose" && ${MODULES[i]}_expose
-
-		# If no provide is given, assume module name
-		if is_function "${MODULES[i]}_provide" ; then
-			PROVIDES[i]=$(${MODULES[i]}_provide)
-		else
-			PROVIDES[i]="${MODULES[i]}"
-		fi
-	done
-
-	if [[ -n ${modules_force[@]} ]] ; then
-		# Strip any duplicate modules providing the same thing
-		j="${#MODULES[@]}"
-		for (( i=0; i<j-1; i++ )); do
-			[[ -z ${MODULES[i]} ]] && continue
-			for (( k=i+1; k<j; k++ )); do
-				if [[ ${PROVIDES[i]} == ${PROVIDES[k]} ]] ; then
-					unset MODULES[k]
-					unset PROVIDES[k]
-				fi
-			done
-		done
-		MODULES=( "${MODULES[@]}" )
-		PROVIDES=( "${PROVIDES[@]}" )
-	else
-		if ${starting}; then
-			modules_check_user "${iface}" || return 1
-		else
-			# Always prefer iproute2 for taking down interfaces
-			if is_function iproute2_provide ; then
-				function_wrap iproute2 "$(iproute2_provide)"
-			fi
-		fi
-	fi
-	
-	# Wrap our modules
-	j="${#MODULES[@]}"
-	for (( i=0; i<j; i++ )); do
-		function_wrap "${MODULES[i]}" "${PROVIDES[i]}"
-	done
-	j="${#WRAP_MODULES[@]}"
-	for (( i=0; i<j; i++ )); do
-		function_wrap ${WRAP_MODULES[i]}
-	done
-	
-	if [[ -z ${modules_force[@]} ]] ; then
-		modules_check_installed || return 1
-		modules_sort || return 1
-	fi
-
-	veinfo "modules: ${MODULES[@]}"
-	eindent
-
-	${starting} && p=true
-	modules_check_depends "${p}" || return 1
-	return 0
-}
-
-# bool iface_start(char *interface)
-#
-# iface_start is called from start.  It's expected to start the base
-# interface (for example "eth0"), aliases (for example "eth0:1") and to start
-# VLAN interfaces (for example eth0.0, eth0.1).  VLAN setup is accomplished by
-# calling itself recursively.
-iface_start() {
-	local iface="$1" mod config_counter="-1" x config_worked=false
-	local RC_INDENTATION="${RC_INDENTATION}"
-	local -a config=() fallback=() fallback_route=() conf=() a=() b=()
-	local ifvar=$(bash_variable "$1") i= j= metric=0
-
-	# pre Start any modules with
-	for mod in ${MODULES[@]}; do
-		if is_function "${mod}_pre_start" ; then
-			${mod}_pre_start "${iface}" || { eend 1; return 1; }
-		fi
-	done
-
-	x="metric_${ifvar}"
-	# If we don't have a metric then calculate one
-	# Our modules will set the metric variable to a suitable base
-	# in their pre starts.
-	if [[ -z ${!x} ]] ; then
-		eval "metric_${ifvar}=\"$(calculate_metric "${iface}" "${metric}")\""
-	fi
-
-	# We now expand the configuration parameters and pray that the
-	# fallbacks expand to the same number as config or there will be
-	# trouble!
-	a="config_${ifvar}[@]"
-	a=( "${!a}" )
-	for (( i=0; i<${#a[@]}; i++ )); do 
-		eval b=( $(expand_parameters "${a[i]}") )
-		config=( "${config[@]}" "${b[@]}" )
-	done
-
-	a="fallback_${ifvar}[@]"
-	a=( "${!a}" )
-	for (( i=0; i<${#a[@]}; i++ )); do 
-		eval b=( $(expand_parameters "${a[i]}") )
-		fallback=( "${fallback[@]}" "${b[@]}" )
-	done
-
-	# We don't expand routes
-	fallback_route="fallback_route_${ifvar}[@]"
-	fallback_route=( "${!fallback_route}" )
-	
-	# We must support old configs
-	if [[ -z ${config} ]] ; then
-		interface_get_old_config "${iface}" || return 1
-		if [[ -n ${config} ]] ; then
-			ewarn "You are using a deprecated configuration syntax for ${iface}"
-			ewarn "You are advised to read /etc/conf.d/net.example and upgrade it accordingly"
-		fi
-	fi
-
-	# Handle "noop" correctly
-	if [[ ${config[0]} == "noop" ]] ; then
-		if interface_is_up "${iface}" true ; then
-			einfo "Keeping current configuration for ${iface}"
-			eend 0
-			return 0
-		fi
-
-		# Remove noop from the config var
-		config=( "${config[@]:1}" )
-	fi
-
-	# Provide a default of DHCP if no configuration is set and we're auto
-	# Otherwise a default of NULL
-	if [[ -z ${config} ]] ; then
-		ewarn "Configuration not set for ${iface} - assuming DHCP"
-		if is_function "dhcp_start" ; then
-			config=( "dhcp" )
-		else
-			eerror "No DHCP client installed"
-			return 1
-		fi
-	fi
-
-	einfo "Bringing up ${iface}"
-	eindent
-	for (( config_counter=0; config_counter<${#config[@]}; config_counter++ )); do
-		# Handle null and noop correctly
-		if [[ ${config[config_counter]} == "null" \
-			|| ${config[config_counter]} == "noop" ]] ; then
-			eend 0
-			config_worked=true
-			continue
-		fi
-
-		# We convert it to an array - this has the added
-		# bonus of trimming spaces!
-		conf=( ${config[config_counter]} )
-		einfo "${conf[0]}"
-
-		# Do we have a function for our config?
-		if is_function "${conf[0]}_start" ; then
-			eindent
-			${conf[0]}_start "${iface}" ; x=$?
-			eoutdent
-			[[ ${x} == 0 ]] && config_worked=true && continue
-			# We need to test to see if it's an IP address or a function
-			# We do this by testing if the 1st character is a digit
-		elif [[ ${conf[0]:0:1} == [[:digit:]] || ${conf[0]} == *:* ]] ; then
-			x="0"
-			if ! is_loopback "${iface}" ; then
-				if [[ " ${MODULES[@]} " == *" arping "* ]] ; then
-					if arping_address_exists "${iface}" "${conf[0]}" ; then
-						eerror "${conf[0]%%/*} already taken on ${iface}"
-						x="1"
-					fi
-				fi
-			fi
-			[[ ${x} == "0" ]] && interface_add_address "${iface}" ${conf[@]}; x="$?"
-			eend "${x}" && config_worked=true && continue
-		else
-			if [[ ${conf[0]} == "dhcp" ]] ; then
-				eerror "No DHCP client installed"
-			else
-				eerror "No loaded modules provide \"${conf[0]}\" (${conf[0]}_start)"
-			fi
-		fi
-
-		if [[ -n ${fallback[config_counter]} ]] ; then
-			einfo "Trying fallback configuration"
-			config[config_counter]="${fallback[config_counter]}"
-			fallback[config_counter]=""
-
-			# Do we have a fallback route?
-			if [[ -n ${fallback_route[config_counter]} ]] ; then
-				x="fallback_route[config_counter]"
-				eval "routes_${ifvar}=( \"\${!x}\" )"
-				fallback_route[config_counter]=""
-			fi
-
-			(( config_counter-- )) # since the loop will increment it
-			continue
-		fi
-	done
-	eoutdent
-
-	# We return failure if no configuration parameters worked
-	${config_worked} || return 1
-
-	# Start any modules with _post_start
-	for mod in ${MODULES[@]}; do
-		if is_function "${mod}_post_start" ; then
-			${mod}_post_start "${iface}" || return 1
-		fi
-	done
-
-	return 0
-}
-
-# bool iface_stop(char *interface)
-#
-# iface_stop: bring down an interface.  Don't trust information in
-# /etc/conf.d/net since the configuration might have changed since
-# iface_start ran.  Instead query for current configuration and bring
-# down the interface.
-iface_stop() {
-	local iface="$1" i= aliases= need_begin=false mod=
-	local RC_INDENTATION="${RC_INDENTATION}"
-
-	# pre Stop any modules
-	for mod in ${MODULES[@]}; do
-		if is_function "${mod}_pre_stop" ; then
-			${mod}_pre_stop "${iface}" || return 1
-		fi
-	done
-
-	einfo "Bringing down ${iface}"
-	eindent
-
-	# Collect list of aliases for this interface.
-	# List will be in reverse order.
-	if interface_exists "${iface}" ; then
-		aliases=$(interface_get_aliases_rev "${iface}")
-	fi
-
-	# Stop aliases before primary interface.
-	# Note this must be done in reverse order, since ifconfig eth0:1 
-	# will remove eth0:2, etc.  It might be sufficient to simply remove 
-	# the base interface but we're being safe here.
-	for i in ${aliases} ${iface}; do
-		# Stop all our modules
-		for mod in ${MODULES[@]}; do
-			if is_function "${mod}_stop" ; then
-				${mod}_stop "${i}" || return 1
-			fi
-		done
-
-		# A module may have removed the interface
-		if ! interface_exists "${iface}" ; then
-			eend 0
-			continue
-		fi
-
-		# We don't delete ppp assigned addresses
-		if ! is_function pppd_exists || ! pppd_exists "${i}" ; then
-			# Delete all the addresses for this alias
-			interface_del_addresses "${i}"
-		fi
-
-		# Do final shut down of this alias
-		if [[ ${IN_BACKGROUND} != "true" \
-			&& ${RC_DOWN_INTERFACE} == "yes" ]] ; then
-			ebegin "Shutting down ${i}"
-			interface_iface_stop "${i}"
-			eend "$?"
-		fi
-	done
-
-	# post Stop any modules
-	for mod in ${MODULES[@]}; do
-		# We have already taken down the interface, so no need to error
-		is_function "${mod}_post_stop" && ${mod}_post_stop "${iface}"
-	done
-
-	return 0
-}
-
-# bool run_start(char *iface)
-#
-# Brings up ${IFACE}.  Calls preup, iface_start, then postup.
-# Returns 0 (success) unless preup or iface_start returns 1 (failure).
-# Ignores the return value from postup.
-# We cannot check that the device exists ourselves as modules like
-# tuntap make create it.
-run_start() {
-	local iface="$1" IFVAR=$(bash_variable "$1")
-
-	# We do this so users can specify additional addresses for lo if they
-	# need too - additional routes too
-	# However, no extra modules are loaded as they are just not needed
-	if [[ ${iface} == "lo" ]] ; then
-		metric_lo="0"
-		config_lo=( "127.0.0.1/8 brd 127.255.255.255" "${config_lo[@]}" )
-		routes_lo=( "127.0.0.0/8" "${routes_lo[@]}" )
-	elif [[ ${iface} == "lo0" ]] ; then
-		metric_lo0="0"
-		config_lo0=( "127.0.0.1/8 brd 127.255.255.255" "${config_lo[@]}" )
-		routes_lo0=( "127.0.0.0/8" "${routes_lo[@]}" )
-	fi
-
-	# We may not have a loaded module for ${iface}
-	# Some users may have "alias natsemi eth0" in /etc/modules.d/foo
-	# so we can work with this
-	# However, if they do the same with eth1 and try to start it
-	# but eth0 has not been loaded then the module gets loaded as
-	# eth0.
-	# Not much we can do about this :(
-	# Also, we cannot error here as some modules - such as bridge
-	# create interfaces
-	if ! interface_exists "${iface}" ; then
-		/sbin/modprobe "${iface}" &>/dev/null
-	fi
-
-	# Call user-defined preup function if it exists
-	if is_function preup ; then
-		einfo "Running preup function"
-		eindent
-		( preup "${iface}" )
-		eend "$?" "preup ${iface} failed" || return 1
-		eoutdent
-	fi
-
-	# If config is set to noop and the interface is up with an address
-	# then we don't start it
-	local config=
-	config="config_${IFVAR}[@]"
-	config=( "${!config}" )
-	if [[ ${config[0]} == "noop" ]] && interface_is_up "${iface}" true ; then
-		einfo "Keeping current configuration for ${iface}"
-		eend 0
-	else
-		# Remove noop from the config var
-		[[ ${config[0]} == "noop" ]] \
-			&& eval "config_${IFVAR}=( "\"\$\{config\[@\]:1\}\"" )"
-
-		# There may be existing ip address info - so we strip it
-		if [[ ${RC_INTERFACE_KEEP_CONFIG} != "yes" \
-			&& ${IN_BACKGROUND} != "true" ]] ; then
-			interface_del_addresses "${iface}"
-		fi
-
-		# Start the interface
-		if ! iface_start "${iface}" ; then
-			if [[ ${IN_BACKGROUND} != "true" ]] ; then
-				interface_exists "${iface}" && interface_down "${iface}"
-			fi
-			eend 1
-			return 1
-		fi
-	fi
-
-	# Call user-defined postup function if it exists
-	if is_function postup ; then
-		# We need to mark the service as started incase a
-		# postdown function wants to restart services that depend on us
-		mark_service_started "net.${iface}"
-		end_service "net.${iface}" 0
-		einfo "Running postup function"
-		eindent
-		( postup "${iface}" )
-		eoutdent
-	fi
-
-	return 0
-}
-
-# bool run_stop(char *iface) {
-#
-# Brings down ${iface}.  If predown call returns non-zero, then
-# stop returns non-zero to indicate failure bringing down device.
-# In all other cases stop returns 0 to indicate success.
-run_stop() {
-	local iface="$1" IFVAR=$(bash_variable "$1") x
-
-	# Load our ESSID variable so users can use it in predown() instead
-	# of having to write code.
-	local ESSID=$(get_options ESSID) ESSIDVAR=
-	[[ -n ${ESSID} ]] && ESSIDVAR=$(bash_variable "${ESSID}")
-
-	# Call user-defined predown function if it exists
-	if is_function predown ; then
-		einfo "Running predown function"
-		eindent
-		( predown "${iface}" )
-		eend $? "predown ${iface} failed" || return 1
-		eoutdent
-	elif is_net_fs / ; then
-		eerror "root filesystem is network mounted -- can't stop ${iface}"
-		return 1
-	elif is_union_fs / ; then
-		for x in $(unionctl "${dir}" --list \
-		| sed -e 's/^\(.*\) .*/\1/') ; do
-			if is_net_fs "${x}" ; then
-				eerror "Part of the root filesystem is network mounted - cannot stop ${iface}"
-				return 1
-			fi
-		done
-	fi
-
-	iface_stop "${iface}" || return 1  # always succeeds, btw
-
-	# Release resolv.conf information.
-	[[ -x /sbin/resolvconf ]] && resolvconf -d "${iface}"
-	
-	# Mark us as inactive if called from the background
-	[[ ${IN_BACKGROUND} == "true" ]] && mark_service_inactive "net.${iface}"
-
-	# Call user-defined postdown function if it exists
-	if is_function postdown ; then
-		# We need to mark the service as stopped incase a
-		# postdown function wants to restart services that depend on us
-		[[ ${IN_BACKGROUND} != "true" ]] && mark_service_stopped "net.${iface}"
-		end_service "net.${iface}" 0
-		einfo "Running postdown function"
-		eindent
-		( postdown "${iface}" )
-		eoutdent
-	fi
-
-
-	return 0
-}
-
-# bool run(char *iface, char *cmd)
-#
-# Main start/stop entry point
-# We load modules here and remove any functions that they
-# added as we may be called inside the same shell scope for another interface
-run() {
-	local iface="$1" cmd="$2" r=1 RC_INDENTATION="${RC_INDENTATION}"
-	local starting=true
-	local -a MODULES=() mods=()
-	local IN_BACKGROUND="${IN_BACKGROUND}"
-
-	if [[ ${IN_BACKGROUND} == "true" || ${IN_BACKGROUND} == "1" ]] ; then
-		IN_BACKGROUND=true
-	else
-		IN_BACKGROUND=false
-	fi
-
-	# We need to override the exit function as runscript.sh now checks
-	# for it. We need it so we can mark the service as inactive ourselves.
-	unset -f exit
-
-	eindent
-	[[ ${cmd} == "stop" ]] && starting=false
-
-	# We force lo to only use these modules for a major speed boost
-	if is_loopback "${iface}" ; then	
-		modules_force=( "iproute2" "ifconfig" "system" )
-	fi
-
-	if modules_load "${iface}" "${starting}" ; then
-		if [[ ${cmd} == "stop" ]] ; then
-			# Reverse the module list for stopping
-			mods=( "${MODULES[@]}" )
-			for ((i = 0; i < ${#mods[@]}; i++)); do
-				MODULES[i]=${mods[((${#mods[@]} - i - 1))]}
-			done
-
-			run_stop "${iface}" && r=0
-		else
-			# Only hotplug on ethernet interfaces
-			if [[ ${IN_HOTPLUG} == 1 ]] ; then
-				if ! interface_is_ethernet "${iface}" ; then
-					eerror "We only hotplug for ethernet interfaces"
-					return 1
-				fi
-			fi
-
-			run_start "${iface}" && r=0
-		fi
-	fi
-
-	if [[ ${r} != "0" ]] ; then
-		if [[ ${cmd} == "start" ]] ; then
-			# Call user-defined failup if it exists
-			if is_function failup ; then
-				einfo "Running failup function"
-				eindent
-				( failup "${iface}" )
-				eoutdent
-			fi
-		else
-			# Call user-defined faildown if it exists
-			if is_function faildown ; then
-				einfo "Running faildown function"
-				eindent
-				( faildown "${iface}" )
-				eoutdent
-			fi
-		fi
-		[[ ${IN_BACKGROUND} == "true" ]] \
-			&& mark_service_inactive "net.${iface}"
-	fi
-
-	return "${r}"
-}
-
-# bool start(void)
-#
-# Start entry point so that we only have one function
-# which localises variables and unsets functions
-start() {
-	declare -r IFACE="${SVCNAME#*.}"
-	einfo "Starting ${IFACE}"
-	run "${IFACE}" start
-}
-
-# bool stop(void)
-#
-# Stop entry point so that we only have one function
-# which localises variables and unsets functions
-stop() {
-	declare -r IFACE="${SVCNAME#*.}"
-	einfo "Stopping ${IFACE}"
-	run "${IFACE}" stop
-}
-
-# vim:ts=4
diff --git a/testing/hosts/moon/etc/runlevels/default/net.eth1 b/testing/hosts/moon/etc/runlevels/default/net.eth1
deleted file mode 100755
index 92b3851cf..000000000
--- a/testing/hosts/moon/etc/runlevels/default/net.eth1
+++ /dev/null
@@ -1,1124 +0,0 @@
-#!/sbin/runscript
-# Copyright (c) 2004-2006 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-# Contributed by Roy Marples (uberlord@gentoo.org)
-# Many thanks to Aron Griffis (agriffis@gentoo.org)
-# for help, ideas and patches
-
-#NB: Config is in /etc/conf.d/net
-
-# For pcmcia users. note that pcmcia must be added to the same
-# runlevel as the net.* script that needs it.
-depend() {
-	need localmount
-	after bootmisc hostname
-	use isapnp isdn pcmcia usb wlan
-
-	# Load any custom depend functions for the given interface
-	# For example, br0 may need eth0 and eth1
-	local iface="${SVCNAME#*.}"
-	[[ $(type -t "depend_${iface}") == "function" ]] && depend_${iface}
-
-	if [[ ${iface} != "lo" && ${iface} != "lo0" ]] ; then
-		after net.lo net.lo0
-
-		# Support new style RC_NEED and RC_USE in one net file
-		local x="RC_NEED_${iface}"
-		[[ -n ${!x} ]] && need ${!x}
-		x="RC_USE_${iface}"
-		[[ -n ${!x} ]] && use ${!x}
-	fi
-
-	return 0
-}
-
-# Define where our modules are
-MODULES_DIR="${svclib}/net"
-
-# Make some wrappers to fudge after/before/need/use depend flags.
-# These are callbacks so MODULE will be set.
-after() {
-	eval "${MODULE}_after() { echo \"$*\"; }"
-}
-before() {
-	eval "${MODULE}_before() { echo \"$*\"; }"
-}
-need() {
-	eval "${MODULE}_need() { echo \"$*\"; }"
-}
-installed() {
-	# We deliberately misspell this as _installed will probably be used
-	# at some point
-	eval "${MODULE}_instlled() { echo \"$*\"; }"
-}
-provide() {
-	eval "${MODULE}_provide() { echo \"$*\"; }"
-}
-functions() {
-	eval "${MODULE}_functions() { echo \"$*\"; }"
-}
-variables() {
-	eval "${MODULE}_variables() { echo \"$*\"; }"
-}
-
-is_loopback() {
-	[[ $1 == "lo" || $1 == "lo0" ]]
-}
-
-# char* interface_device(char *iface)
-#
-# Gets the base device of the interface
-# Can handle eth0:1 and eth0.1
-# Which returns eth0 in this case
-interface_device() {
-	local dev="${1%%.*}"
-	[[ ${dev} == "$1" ]] && dev="${1%%:*}"
-	echo "${dev}"
-}
-
-# char* interface_type(char* iface)
-#
-# Returns the base type of the interface
-# eth, ippp, etc
-interface_type() {
-	echo "${1%%[0-9]*}"
-}
-
-# int calculate_metric(char *interface, int base)
-#
-# Calculates the best metric for the interface
-# We use this when we add routes so we can prefer interfaces over each other
-calculate_metric() {
-	local iface="$1" metric="$2"
-
-	# Have we already got a metric?
-	local m=$(awk '$1=="'${iface}'" && $2=="00000000" { print $7 }' \
-		/proc/net/route)
-	if [[ -n ${m} ]] ; then
-		echo "${m}"
-		return 0
-	fi
-
-	local i= dest= gw= flags= ref= u= m= mtu= metrics=
-	while read i dest gw flags ref u m mtu ; do
-		# Ignore lo
-		is_loopback "${i}" && continue
-		# We work out metrics from default routes only
-		[[ ${dest} != "00000000" || ${gw} == "00000000" ]] && continue
-		metrics="${metrics}\n${m}"
-	done < /proc/net/route
-
-	# Now, sort our metrics
-	metrics=$(echo -e "${metrics}" | sort -n)
-
-	# Now, find the lowest we can use
-	local gotbase=false
-	for m in ${metrics} ; do
-		[[ ${m} -lt ${metric} ]] && continue
-		[[ ${m} == ${metric} ]] && ((metric++))
-		[[ ${m} -gt ${metric} ]] && break
-	done
-	
-	echo "${metric}"
-}
-
-# int netmask2cidr(char *netmask)
-#
-# Returns the CIDR of a given netmask
-netmask2cidr() {
-	local binary= i= bin=
-
-	for i in ${1//./ }; do
-		bin=""
-		while [[ ${i} != "0" ]] ; do
-			bin=$[${i}%2]${bin}
-			(( i=i>>1 ))
-		done
-		binary="${binary}${bin}"
-	done
-	binary="${binary%%0*}"
-	echo "${#binary}"
-}
-
-
-# bool is_function(char* name)
-#
-# Returns 0 if the given name is a shell function, otherwise 1
-is_function() {
-	[[ -z $1 ]] && return 1
-	[[ $(type -t "$1") == "function" ]]
-}
-
-# void function_wrap(char* source, char* target)
-#
-# wraps function calls - for example function_wrap(this, that)
-# maps function names this_* to that_*
-function_wrap() {
-	local i=
-
-	is_function "${2}_depend" && return
-
-	for i in $(typeset -f | grep -o '^'"${1}"'_[^ ]*'); do
-		eval "${2}${i#${1}}() { ${i} \"\$@\"; }"
-	done
-}
-
-# char[] * expand_parameters(char *cmd)
-#
-# Returns an array after expanding parameters. For example
-# "192.168.{1..3}.{1..3}/24 brd +"
-# will return
-# "192.168.1.1/24 brd +"
-# "192.168.1.2/24 brd +"
-# "192.168.1.3/24 brd +"
-# "192.168.2.1/24 brd +"
-# "192.168.2.2/24 brd +"
-# "192.168.2.3/24 brd +"
-# "192.168.3.1/24 brd +"
-# "192.168.3.2/24 brd +"
-# "192.168.3.3/24 brd +"
-expand_parameters() {
-	local x=$(eval echo ${@// /_})
-	local -a a=( ${x} )
-
-	a=( "${a[@]/#/\"}" )
-	a=( "${a[@]/%/\"}" )
-	echo "${a[*]//_/ }"
-}
-
-# void configure_variables(char *interface, char *option1, [char *option2])
-#
-# Maps configuration options from <variable>_<option> to <variable>_<iface>
-# option2 takes precedence over option1
-configure_variables() {
-	local iface="$1" option1="$2" option2="$3"
-
-	local mod= func= x= i=
-	local -a ivars=() ovars1=() ovars2=()
-	local ifvar=$(bash_variable "${iface}")
-
-	for mod in ${MODULES[@]}; do
-		is_function ${mod}_variables || continue
-		for v in $(${mod}_variables) ; do
-			x=
-			[[ -n ${option2} ]] && x="${v}_${option2}[@]"
-			[[ -z ${!x} ]] && x="${v}_${option1}[@]"
-			[[ -n ${!x} ]] && eval "${v}_${ifvar}=( \"\${!x}\" )"
-		done
-	done
-
-	return 0
-}
-# bool module_load_minimum(char *module)
-#
-# Does the minimum checking on a module - even when forcing
-module_load_minimum() {
-	local f="$1.sh" MODULE="${1##*/}"
-
-	if [[ ! -f ${f} ]] ; then
-		eerror "${f} does not exist"
-		return 1
-	fi
-
-	if ! source "${f}" ; then
-		eerror "${MODULE} failed a sanity check"
-		return 1
-	fi
-
-	for f in depend; do
-		is_function "${MODULE}_${f}" && continue
-		eerror "${MODULE}.sh does not support the required function ${f}"
-		return 1
-	done
-
-	return 0
-}
-
-# bool modules_load_auto()
-#
-# Load and check each module for sanity
-# If the module is not installed, the functions are to be removed
-modules_load_auto() {
-	local i j inst
-
-	# Populate the MODULES array
-	# Basically we treat evey file in ${MODULES_DIR} as a module
-	MODULES=( $( cd "${MODULES_DIR}" ; ls *.sh ) )
-	j="${#MODULES[@]}"
-	for (( i=0; i<j; i++ )); do
-		MODULES[i]="${MODULES_DIR}/${MODULES[i]}"
-		[[ ! -f ${MODULES[i]} ]] && unset MODULES[i]
-	done
-	MODULES=( "${MODULES[@]}" )
-
-	# Each of these sources into the global namespace, so it's
-	# important that module functions and variables are prefixed with
-	# the module name, for example iproute2_
-
-	j="${#MODULES[@]}"
-	loaded_interface=false
-	for (( i=0; i<j; i++ )); do
-		MODULES[i]="${MODULES[i]%.sh*}"
-		if [[ ${MODULES[i]##*/} == "interface" ]] ; then
-			eerror "interface is a reserved name - cannot load a module called interface"
-			return 1
-		fi
-		
-		(
-		u=0;
-		module_load_minimum "${MODULES[i]}" || u=1;
-		if [[ ${u} == 0 ]] ; then
-			inst="${MODULES[i]##*/}_check_installed";
-			if is_function "${inst}" ; then
-				${inst} false || u=1;
-			fi
-		fi
-		exit "${u}";
-		)
-
-		if [[ $? == 0 ]] ; then
-			source "${MODULES[i]}.sh"
-			MODULES[i]="${MODULES[i]##*/}"
-		else
-			unset MODULES[i]
-		fi
-	done
-
-	MODULES=( "${MODULES[@]}" )
-	return 0
-}
-
-# bool modules_check_installed(void)
-#
-# Ensure that all modules have the required modules loaded
-# This enables us to remove modules from the MODULES array
-# Whilst other modules can still explicitly call them
-# One example of this is essidnet which configures network
-# settings for the specific ESSID connected to as the user
-# may be using a daemon to configure wireless instead of our
-# iwconfig module
-modules_check_installed() {
-	local i j missingdeps nmods="${#MODULES[@]}"
-
-	for (( i=0; i<nmods; i++ )); do
-		is_function "${MODULES[i]}_instlled" || continue
-		for j in $( ${MODULES[i]}_instlled ); do
-			missingdeps=true
-			if is_function "${j}_check_installed" ; then
-				${j}_check_installed && missingdeps=false
-			elif is_function "${j}_depend" ; then
-				missingdeps=false
-			fi
-			${missingdeps} && unset MODULES[i] && unset PROVIDES[i] && break
-		done
-	done
-
-	MODULES=( "${MODULES[@]}" )
-	PROVIDES=( "${PROVIDES[@]}" )
-}
-
-# bool modules_check_user(void)
-modules_check_user() {
-	local iface="$1" ifvar=$(bash_variable "${IFACE}")
-	local i= j= k= l= nmods="${#MODULES[@]}"
-	local -a umods=()
-
-	# Has the interface got any specific modules?
-	umods="modules_${ifvar}[@]"
-	umods=( "${!umods}" )
-
-	# Global setting follows interface-specific setting
-	umods=( "${umods[@]}" "${modules[@]}" )
-
-	# Add our preferred modules
-	local -a pmods=( "iproute2" "dhcpcd" "iwconfig" "netplugd" )
-	umods=( "${umods[@]}" "${pmods[@]}" )
-
-	# First we strip any modules that conflict from user settings
-	# So if the user specifies pump then we don't use dhcpcd
-	for (( i=0; i<${#umods[@]}; i++ )); do
-		# Some users will inevitably put "dhcp" in their modules
-		# list.  To keep users from screwing up their system this
-		# way, ignore this setting so that the default dhcp
-		# module will be used.
-		[[ ${umods[i]} == "dhcp" ]] && continue
-
-		# We remove any modules we explicitly don't want
-		if [[ ${umods[i]} == "!"* ]] ; then
-			for (( j=0; j<nmods; j++ )); do
-				[[ -z ${MODULES[j]} ]] && continue
-				if [[ ${umods[i]:1} == "${MODULES[j]}" \
-					|| ${umods[i]:1} == "${PROVIDES[j]}" ]] ; then
-					# We may need to setup a class wrapper for it even though
-					# we don't use it directly
-					# However, we put it into an array and wrap later as
-					# another module may provide the same thing
-					${MODULES[j]}_check_installed \
-						&& WRAP_MODULES=(
-							"${WRAP_MODULES[@]}"
-							"${MODULES[j]} ${PROVIDES[j]}"
-						)
-					unset MODULES[j]
-					unset PROVIDES[j]
-				fi
-			done
-			continue
-		fi
-
-		if ! is_function "${umods[i]}_depend" ; then
-			# If the module is one of our preferred modules, then
-			# ignore this error; whatever is available will be
-			# used instead.
-			(( i < ${#umods[@]} - ${#pmods[@]} )) || continue
-
-			# The function may not exist because the modules software is
-			# not installed. Load the module and report its error
-			if [[ -e "${MODULES_DIR}/${umods[i]}.sh" ]] ; then
-				source "${MODULES_DIR}/${umods[i]}.sh"
-				is_function "${umods[i]}_check_installed" \
-					&& ${umods[i]}_check_installed true
-			else
-				eerror "The module \"${umods[i]}\" does not exist"
-			fi
-			return 1
-		fi
-
-		if is_function "${umods[i]}_provide" ; then
-			mod=$(${umods[i]}_provide)
-		else
-			mod="${umods[i]}"
-		fi
-		for (( j=0; j<nmods; j++ )); do
-			[[ -z ${MODULES[j]} ]] && continue
-			if [[ ${PROVIDES[j]} == "${mod}" && ${umods[i]} != "${MODULES[j]}" ]] ; then
-				# We don't have a match - now ensure that we still provide an
-				# alternative. This is to handle our preferred modules.
-				for (( l=0; l<nmods; l++ )); do
-					[[ ${l} == "${j}" || -z ${MODULES[l]} ]] && continue
-					if [[ ${PROVIDES[l]} == "${mod}" ]] ; then
-						unset MODULES[j]
-						unset PROVIDES[j]
-						break
-					fi
-				done
-			fi
-		done
-	done
-
-	# Then we strip conflicting modules.
-	# We only need to do this for 3rd party modules that conflict with
-	# our own modules and the preferred list AND the user modules
-	# list doesn't specify a preference.
-	for (( i=0; i<nmods-1; i++ )); do
-		[[ -z ${MODULES[i]} ]] && continue			
-		for (( j=i+1; j<nmods; j++)); do
-			[[ -z ${MODULES[j]} ]] && continue
-			[[ ${PROVIDES[i]} == "${PROVIDES[j]}" ]] \
-			&& unset MODULES[j] && unset PROVIDES[j]
-		done
-	done
-
-	MODULES=( "${MODULES[@]}" )
-	PROVIDES=( "${PROVIDES[@]}" )
-	return 0
-}
-
-# void modules_sort(void)
-#
-# Sort our modules
-modules_sort() {
-	local i= j= nmods=${#MODULES[@]} m=
-	local -a provide=() provide_list=() after=() dead=() sorted=() sortedp=()
-
-	# Make our provide list
-	for ((i=0; i<nmods; i++)); do
-		dead[i]="false"
-		if [[ ${MODULES[i]} != "${PROVIDES[i]}" ]] ; then
-			local provided=false
-			for ((j=0; j<${#provide[@]}; j++)); do
-				if [[ ${provide[j]} == "${PROVIDES[i]}" ]] ; then
-					provide_list[j]="${provide_list[j]} ${MODULES[i]}"
-					provided=true
-				fi
-			done
-			if ! ${provided}; then
-				provide[j]="${PROVIDES[i]}"
-				provide_list[j]="${MODULES[i]}"
-			fi
-		fi
-	done
-
-	# Create an after array, which holds which modules the module at
-	# index i must be after
-	for ((i=0; i<nmods; i++)); do
-		if is_function "${MODULES[i]}_after" ; then
-			after[i]=" ${after[i]} $(${MODULES[i]}_after) "
-		fi
-		if is_function "${MODULES[i]}_before" ; then
-			for m in $(${MODULES[i]}_before); do
-				for ((j=0; j<nmods; j++)) ; do
-					if [[ ${PROVIDES[j]} == "${m}" ]] ; then
-						after[j]=" ${after[j]} ${MODULES[i]} "
-						break
-					fi
-				done
-			done
-		fi
-	done
-
-	# Replace the after list modules with real modules
-	for ((i=0; i<nmods; i++)); do
-		if [[ -n ${after[i]} ]] ; then
-			for ((j=0; j<${#provide[@]}; j++)); do
-				after[i]="${after[i]// ${provide[j]} / ${provide_list[j]} }"
-			done
-		fi
-	done
-	
-	# We then use the below code to provide a topologial sort
-    module_after_visit() {
-        local name="$1" i= x=
-
-		for ((i=0; i<nmods; i++)); do
-			[[ ${MODULES[i]} == "$1" ]] && break
-		done
-
-        ${dead[i]} && return
-        dead[i]="true"
-
-        for x in ${after[i]} ; do
-            module_after_visit "${x}"
-        done
-
-        sorted=( "${sorted[@]}" "${MODULES[i]}" )
-		sortedp=( "${sortedp[@]}" "${PROVIDES[i]}" )
-    }
-
-	for x in ${MODULES[@]}; do
-		module_after_visit "${x}"
-	done
-
-	MODULES=( "${sorted[@]}" )
-	PROVIDES=( "${sortedp[@]}" )
-}
-
-# bool modules_check_depends(bool showprovides)
-modules_check_depends() {
-	local showprovides="${1:-false}" nmods="${#MODULES[@]}" i= j= needmod=
-	local missingdeps= p= interface=false
-
-	for (( i=0; i<nmods; i++ )); do
-		if is_function "${MODULES[i]}_need" ; then
-			for needmod in $(${MODULES[i]}_need); do
-				missingdeps=true
-				for (( j=0; j<nmods; j++ )); do
-					if [[ ${needmod} == "${MODULES[j]}" \
-						|| ${needmod} == "${PROVIDES[j]}" ]] ; then
-						missingdeps=false
-						break
-					fi
-				done
-				if ${missingdeps} ; then
-					eerror "${MODULES[i]} needs ${needmod} (dependency failure)"
-					return 1
-				fi
-			done
-		fi
-
-		if is_function "${MODULES[i]}_functions" ; then
-			for f in $(${MODULES[i]}_functions); do
-				if ! is_function "${f}" ; then
-					eerror "${MODULES[i]}: missing required function \"${f}\""
-					return 1
-				fi
-			done
-		fi
-
-		[[ ${PROVIDES[i]} == "interface" ]] && interface=true
-
-		if ${showprovides} ; then
-			[[ ${PROVIDES[i]} != "${MODULES[i]}" ]] \
-			&& veinfo "${MODULES[i]} provides ${PROVIDES[i]}"
-		fi
-	done
-
-	if ! ${interface} ; then
-		eerror "no interface module has been loaded"
-		return 1
-	fi
-
-	return 0
-}
-
-# bool modules_load(char *iface, bool starting)
-#
-# Loads the defined handler and modules for the interface
-# Returns 0 on success, otherwise 1
-modules_load()  {
-	local iface="$1" starting="${2:-true}" MODULE= p=false i= j= k=
-	local -a x=()
-	local RC_INDENTATION="${RC_INDENTATION}"
-	local -a PROVIDES=() WRAP_MODULES=()
-
-	if ! is_loopback "${iface}" ; then
-		x="modules_force_${iface}[@]"
-		[[ -n ${!x} ]] && modules_force=( "${!x}" )
-		if [[ -n ${modules_force} ]] ; then
-			ewarn "WARNING: You are forcing modules!"
-			ewarn "Do not complain or file bugs if things start breaking"
-			report=true
-		fi
-	fi
-
-	veinfo "Loading networking modules for ${iface}"
-	eindent
-
-	if [[ -z ${modules_force} ]] ; then
-		modules_load_auto || return 1
-	else
-		j="${#modules_force[@]}"
-		for (( i=0; i<j; i++ )); do
-			module_load_minimum "${MODULES_DIR}/${modules_force[i]}" || return 1
-			if is_function "${modules_force[i]}_check_installed" ; then
-				${modules_force[i]}_check_installed || unset modules_force[i]
-			fi
-		done
-		MODULES=( "${modules_force[@]}" )
-	fi
-
-	j="${#MODULES[@]}"
-	for (( i=0; i<j; i++ )); do
-		# Now load our dependencies - we need to use the MODULE variable
-		# here as the after/before/need functions use it
-		MODULE="${MODULES[i]}"
-		${MODULE}_depend
-
-		# expose does exactly the same thing as depend
-		# However it is more "correct" as it exposes things to other modules
-		# instead of depending on them ;)
-		is_function "${MODULES[i]}_expose" && ${MODULES[i]}_expose
-
-		# If no provide is given, assume module name
-		if is_function "${MODULES[i]}_provide" ; then
-			PROVIDES[i]=$(${MODULES[i]}_provide)
-		else
-			PROVIDES[i]="${MODULES[i]}"
-		fi
-	done
-
-	if [[ -n ${modules_force[@]} ]] ; then
-		# Strip any duplicate modules providing the same thing
-		j="${#MODULES[@]}"
-		for (( i=0; i<j-1; i++ )); do
-			[[ -z ${MODULES[i]} ]] && continue
-			for (( k=i+1; k<j; k++ )); do
-				if [[ ${PROVIDES[i]} == ${PROVIDES[k]} ]] ; then
-					unset MODULES[k]
-					unset PROVIDES[k]
-				fi
-			done
-		done
-		MODULES=( "${MODULES[@]}" )
-		PROVIDES=( "${PROVIDES[@]}" )
-	else
-		if ${starting}; then
-			modules_check_user "${iface}" || return 1
-		else
-			# Always prefer iproute2 for taking down interfaces
-			if is_function iproute2_provide ; then
-				function_wrap iproute2 "$(iproute2_provide)"
-			fi
-		fi
-	fi
-	
-	# Wrap our modules
-	j="${#MODULES[@]}"
-	for (( i=0; i<j; i++ )); do
-		function_wrap "${MODULES[i]}" "${PROVIDES[i]}"
-	done
-	j="${#WRAP_MODULES[@]}"
-	for (( i=0; i<j; i++ )); do
-		function_wrap ${WRAP_MODULES[i]}
-	done
-	
-	if [[ -z ${modules_force[@]} ]] ; then
-		modules_check_installed || return 1
-		modules_sort || return 1
-	fi
-
-	veinfo "modules: ${MODULES[@]}"
-	eindent
-
-	${starting} && p=true
-	modules_check_depends "${p}" || return 1
-	return 0
-}
-
-# bool iface_start(char *interface)
-#
-# iface_start is called from start.  It's expected to start the base
-# interface (for example "eth0"), aliases (for example "eth0:1") and to start
-# VLAN interfaces (for example eth0.0, eth0.1).  VLAN setup is accomplished by
-# calling itself recursively.
-iface_start() {
-	local iface="$1" mod config_counter="-1" x config_worked=false
-	local RC_INDENTATION="${RC_INDENTATION}"
-	local -a config=() fallback=() fallback_route=() conf=() a=() b=()
-	local ifvar=$(bash_variable "$1") i= j= metric=0
-
-	# pre Start any modules with
-	for mod in ${MODULES[@]}; do
-		if is_function "${mod}_pre_start" ; then
-			${mod}_pre_start "${iface}" || { eend 1; return 1; }
-		fi
-	done
-
-	x="metric_${ifvar}"
-	# If we don't have a metric then calculate one
-	# Our modules will set the metric variable to a suitable base
-	# in their pre starts.
-	if [[ -z ${!x} ]] ; then
-		eval "metric_${ifvar}=\"$(calculate_metric "${iface}" "${metric}")\""
-	fi
-
-	# We now expand the configuration parameters and pray that the
-	# fallbacks expand to the same number as config or there will be
-	# trouble!
-	a="config_${ifvar}[@]"
-	a=( "${!a}" )
-	for (( i=0; i<${#a[@]}; i++ )); do 
-		eval b=( $(expand_parameters "${a[i]}") )
-		config=( "${config[@]}" "${b[@]}" )
-	done
-
-	a="fallback_${ifvar}[@]"
-	a=( "${!a}" )
-	for (( i=0; i<${#a[@]}; i++ )); do 
-		eval b=( $(expand_parameters "${a[i]}") )
-		fallback=( "${fallback[@]}" "${b[@]}" )
-	done
-
-	# We don't expand routes
-	fallback_route="fallback_route_${ifvar}[@]"
-	fallback_route=( "${!fallback_route}" )
-	
-	# We must support old configs
-	if [[ -z ${config} ]] ; then
-		interface_get_old_config "${iface}" || return 1
-		if [[ -n ${config} ]] ; then
-			ewarn "You are using a deprecated configuration syntax for ${iface}"
-			ewarn "You are advised to read /etc/conf.d/net.example and upgrade it accordingly"
-		fi
-	fi
-
-	# Handle "noop" correctly
-	if [[ ${config[0]} == "noop" ]] ; then
-		if interface_is_up "${iface}" true ; then
-			einfo "Keeping current configuration for ${iface}"
-			eend 0
-			return 0
-		fi
-
-		# Remove noop from the config var
-		config=( "${config[@]:1}" )
-	fi
-
-	# Provide a default of DHCP if no configuration is set and we're auto
-	# Otherwise a default of NULL
-	if [[ -z ${config} ]] ; then
-		ewarn "Configuration not set for ${iface} - assuming DHCP"
-		if is_function "dhcp_start" ; then
-			config=( "dhcp" )
-		else
-			eerror "No DHCP client installed"
-			return 1
-		fi
-	fi
-
-	einfo "Bringing up ${iface}"
-	eindent
-	for (( config_counter=0; config_counter<${#config[@]}; config_counter++ )); do
-		# Handle null and noop correctly
-		if [[ ${config[config_counter]} == "null" \
-			|| ${config[config_counter]} == "noop" ]] ; then
-			eend 0
-			config_worked=true
-			continue
-		fi
-
-		# We convert it to an array - this has the added
-		# bonus of trimming spaces!
-		conf=( ${config[config_counter]} )
-		einfo "${conf[0]}"
-
-		# Do we have a function for our config?
-		if is_function "${conf[0]}_start" ; then
-			eindent
-			${conf[0]}_start "${iface}" ; x=$?
-			eoutdent
-			[[ ${x} == 0 ]] && config_worked=true && continue
-			# We need to test to see if it's an IP address or a function
-			# We do this by testing if the 1st character is a digit
-		elif [[ ${conf[0]:0:1} == [[:digit:]] || ${conf[0]} == *:* ]] ; then
-			x="0"
-			if ! is_loopback "${iface}" ; then
-				if [[ " ${MODULES[@]} " == *" arping "* ]] ; then
-					if arping_address_exists "${iface}" "${conf[0]}" ; then
-						eerror "${conf[0]%%/*} already taken on ${iface}"
-						x="1"
-					fi
-				fi
-			fi
-			[[ ${x} == "0" ]] && interface_add_address "${iface}" ${conf[@]}; x="$?"
-			eend "${x}" && config_worked=true && continue
-		else
-			if [[ ${conf[0]} == "dhcp" ]] ; then
-				eerror "No DHCP client installed"
-			else
-				eerror "No loaded modules provide \"${conf[0]}\" (${conf[0]}_start)"
-			fi
-		fi
-
-		if [[ -n ${fallback[config_counter]} ]] ; then
-			einfo "Trying fallback configuration"
-			config[config_counter]="${fallback[config_counter]}"
-			fallback[config_counter]=""
-
-			# Do we have a fallback route?
-			if [[ -n ${fallback_route[config_counter]} ]] ; then
-				x="fallback_route[config_counter]"
-				eval "routes_${ifvar}=( \"\${!x}\" )"
-				fallback_route[config_counter]=""
-			fi
-
-			(( config_counter-- )) # since the loop will increment it
-			continue
-		fi
-	done
-	eoutdent
-
-	# We return failure if no configuration parameters worked
-	${config_worked} || return 1
-
-	# Start any modules with _post_start
-	for mod in ${MODULES[@]}; do
-		if is_function "${mod}_post_start" ; then
-			${mod}_post_start "${iface}" || return 1
-		fi
-	done
-
-	return 0
-}
-
-# bool iface_stop(char *interface)
-#
-# iface_stop: bring down an interface.  Don't trust information in
-# /etc/conf.d/net since the configuration might have changed since
-# iface_start ran.  Instead query for current configuration and bring
-# down the interface.
-iface_stop() {
-	local iface="$1" i= aliases= need_begin=false mod=
-	local RC_INDENTATION="${RC_INDENTATION}"
-
-	# pre Stop any modules
-	for mod in ${MODULES[@]}; do
-		if is_function "${mod}_pre_stop" ; then
-			${mod}_pre_stop "${iface}" || return 1
-		fi
-	done
-
-	einfo "Bringing down ${iface}"
-	eindent
-
-	# Collect list of aliases for this interface.
-	# List will be in reverse order.
-	if interface_exists "${iface}" ; then
-		aliases=$(interface_get_aliases_rev "${iface}")
-	fi
-
-	# Stop aliases before primary interface.
-	# Note this must be done in reverse order, since ifconfig eth0:1 
-	# will remove eth0:2, etc.  It might be sufficient to simply remove 
-	# the base interface but we're being safe here.
-	for i in ${aliases} ${iface}; do
-		# Stop all our modules
-		for mod in ${MODULES[@]}; do
-			if is_function "${mod}_stop" ; then
-				${mod}_stop "${i}" || return 1
-			fi
-		done
-
-		# A module may have removed the interface
-		if ! interface_exists "${iface}" ; then
-			eend 0
-			continue
-		fi
-
-		# We don't delete ppp assigned addresses
-		if ! is_function pppd_exists || ! pppd_exists "${i}" ; then
-			# Delete all the addresses for this alias
-			interface_del_addresses "${i}"
-		fi
-
-		# Do final shut down of this alias
-		if [[ ${IN_BACKGROUND} != "true" \
-			&& ${RC_DOWN_INTERFACE} == "yes" ]] ; then
-			ebegin "Shutting down ${i}"
-			interface_iface_stop "${i}"
-			eend "$?"
-		fi
-	done
-
-	# post Stop any modules
-	for mod in ${MODULES[@]}; do
-		# We have already taken down the interface, so no need to error
-		is_function "${mod}_post_stop" && ${mod}_post_stop "${iface}"
-	done
-
-	return 0
-}
-
-# bool run_start(char *iface)
-#
-# Brings up ${IFACE}.  Calls preup, iface_start, then postup.
-# Returns 0 (success) unless preup or iface_start returns 1 (failure).
-# Ignores the return value from postup.
-# We cannot check that the device exists ourselves as modules like
-# tuntap make create it.
-run_start() {
-	local iface="$1" IFVAR=$(bash_variable "$1")
-
-	# We do this so users can specify additional addresses for lo if they
-	# need too - additional routes too
-	# However, no extra modules are loaded as they are just not needed
-	if [[ ${iface} == "lo" ]] ; then
-		metric_lo="0"
-		config_lo=( "127.0.0.1/8 brd 127.255.255.255" "${config_lo[@]}" )
-		routes_lo=( "127.0.0.0/8" "${routes_lo[@]}" )
-	elif [[ ${iface} == "lo0" ]] ; then
-		metric_lo0="0"
-		config_lo0=( "127.0.0.1/8 brd 127.255.255.255" "${config_lo[@]}" )
-		routes_lo0=( "127.0.0.0/8" "${routes_lo[@]}" )
-	fi
-
-	# We may not have a loaded module for ${iface}
-	# Some users may have "alias natsemi eth0" in /etc/modules.d/foo
-	# so we can work with this
-	# However, if they do the same with eth1 and try to start it
-	# but eth0 has not been loaded then the module gets loaded as
-	# eth0.
-	# Not much we can do about this :(
-	# Also, we cannot error here as some modules - such as bridge
-	# create interfaces
-	if ! interface_exists "${iface}" ; then
-		/sbin/modprobe "${iface}" &>/dev/null
-	fi
-
-	# Call user-defined preup function if it exists
-	if is_function preup ; then
-		einfo "Running preup function"
-		eindent
-		( preup "${iface}" )
-		eend "$?" "preup ${iface} failed" || return 1
-		eoutdent
-	fi
-
-	# If config is set to noop and the interface is up with an address
-	# then we don't start it
-	local config=
-	config="config_${IFVAR}[@]"
-	config=( "${!config}" )
-	if [[ ${config[0]} == "noop" ]] && interface_is_up "${iface}" true ; then
-		einfo "Keeping current configuration for ${iface}"
-		eend 0
-	else
-		# Remove noop from the config var
-		[[ ${config[0]} == "noop" ]] \
-			&& eval "config_${IFVAR}=( "\"\$\{config\[@\]:1\}\"" )"
-
-		# There may be existing ip address info - so we strip it
-		if [[ ${RC_INTERFACE_KEEP_CONFIG} != "yes" \
-			&& ${IN_BACKGROUND} != "true" ]] ; then
-			interface_del_addresses "${iface}"
-		fi
-
-		# Start the interface
-		if ! iface_start "${iface}" ; then
-			if [[ ${IN_BACKGROUND} != "true" ]] ; then
-				interface_exists "${iface}" && interface_down "${iface}"
-			fi
-			eend 1
-			return 1
-		fi
-	fi
-
-	# Call user-defined postup function if it exists
-	if is_function postup ; then
-		# We need to mark the service as started incase a
-		# postdown function wants to restart services that depend on us
-		mark_service_started "net.${iface}"
-		end_service "net.${iface}" 0
-		einfo "Running postup function"
-		eindent
-		( postup "${iface}" )
-		eoutdent
-	fi
-
-	return 0
-}
-
-# bool run_stop(char *iface) {
-#
-# Brings down ${iface}.  If predown call returns non-zero, then
-# stop returns non-zero to indicate failure bringing down device.
-# In all other cases stop returns 0 to indicate success.
-run_stop() {
-	local iface="$1" IFVAR=$(bash_variable "$1") x
-
-	# Load our ESSID variable so users can use it in predown() instead
-	# of having to write code.
-	local ESSID=$(get_options ESSID) ESSIDVAR=
-	[[ -n ${ESSID} ]] && ESSIDVAR=$(bash_variable "${ESSID}")
-
-	# Call user-defined predown function if it exists
-	if is_function predown ; then
-		einfo "Running predown function"
-		eindent
-		( predown "${iface}" )
-		eend $? "predown ${iface} failed" || return 1
-		eoutdent
-	elif is_net_fs / ; then
-		eerror "root filesystem is network mounted -- can't stop ${iface}"
-		return 1
-	elif is_union_fs / ; then
-		for x in $(unionctl "${dir}" --list \
-		| sed -e 's/^\(.*\) .*/\1/') ; do
-			if is_net_fs "${x}" ; then
-				eerror "Part of the root filesystem is network mounted - cannot stop ${iface}"
-				return 1
-			fi
-		done
-	fi
-
-	iface_stop "${iface}" || return 1  # always succeeds, btw
-
-	# Release resolv.conf information.
-	[[ -x /sbin/resolvconf ]] && resolvconf -d "${iface}"
-	
-	# Mark us as inactive if called from the background
-	[[ ${IN_BACKGROUND} == "true" ]] && mark_service_inactive "net.${iface}"
-
-	# Call user-defined postdown function if it exists
-	if is_function postdown ; then
-		# We need to mark the service as stopped incase a
-		# postdown function wants to restart services that depend on us
-		[[ ${IN_BACKGROUND} != "true" ]] && mark_service_stopped "net.${iface}"
-		end_service "net.${iface}" 0
-		einfo "Running postdown function"
-		eindent
-		( postdown "${iface}" )
-		eoutdent
-	fi
-
-
-	return 0
-}
-
-# bool run(char *iface, char *cmd)
-#
-# Main start/stop entry point
-# We load modules here and remove any functions that they
-# added as we may be called inside the same shell scope for another interface
-run() {
-	local iface="$1" cmd="$2" r=1 RC_INDENTATION="${RC_INDENTATION}"
-	local starting=true
-	local -a MODULES=() mods=()
-	local IN_BACKGROUND="${IN_BACKGROUND}"
-
-	if [[ ${IN_BACKGROUND} == "true" || ${IN_BACKGROUND} == "1" ]] ; then
-		IN_BACKGROUND=true
-	else
-		IN_BACKGROUND=false
-	fi
-
-	# We need to override the exit function as runscript.sh now checks
-	# for it. We need it so we can mark the service as inactive ourselves.
-	unset -f exit
-
-	eindent
-	[[ ${cmd} == "stop" ]] && starting=false
-
-	# We force lo to only use these modules for a major speed boost
-	if is_loopback "${iface}" ; then	
-		modules_force=( "iproute2" "ifconfig" "system" )
-	fi
-
-	if modules_load "${iface}" "${starting}" ; then
-		if [[ ${cmd} == "stop" ]] ; then
-			# Reverse the module list for stopping
-			mods=( "${MODULES[@]}" )
-			for ((i = 0; i < ${#mods[@]}; i++)); do
-				MODULES[i]=${mods[((${#mods[@]} - i - 1))]}
-			done
-
-			run_stop "${iface}" && r=0
-		else
-			# Only hotplug on ethernet interfaces
-			if [[ ${IN_HOTPLUG} == 1 ]] ; then
-				if ! interface_is_ethernet "${iface}" ; then
-					eerror "We only hotplug for ethernet interfaces"
-					return 1
-				fi
-			fi
-
-			run_start "${iface}" && r=0
-		fi
-	fi
-
-	if [[ ${r} != "0" ]] ; then
-		if [[ ${cmd} == "start" ]] ; then
-			# Call user-defined failup if it exists
-			if is_function failup ; then
-				einfo "Running failup function"
-				eindent
-				( failup "${iface}" )
-				eoutdent
-			fi
-		else
-			# Call user-defined faildown if it exists
-			if is_function faildown ; then
-				einfo "Running faildown function"
-				eindent
-				( faildown "${iface}" )
-				eoutdent
-			fi
-		fi
-		[[ ${IN_BACKGROUND} == "true" ]] \
-			&& mark_service_inactive "net.${iface}"
-	fi
-
-	return "${r}"
-}
-
-# bool start(void)
-#
-# Start entry point so that we only have one function
-# which localises variables and unsets functions
-start() {
-	declare -r IFACE="${SVCNAME#*.}"
-	einfo "Starting ${IFACE}"
-	run "${IFACE}" start
-}
-
-# bool stop(void)
-#
-# Stop entry point so that we only have one function
-# which localises variables and unsets functions
-stop() {
-	declare -r IFACE="${SVCNAME#*.}"
-	einfo "Stopping ${IFACE}"
-	run "${IFACE}" stop
-}
-
-# vim:ts=4
diff --git a/testing/hosts/ssh_host_rsa_key.pub b/testing/hosts/ssh_host_rsa_key.pub
deleted file mode 100644
index a5f71de4e..000000000
--- a/testing/hosts/ssh_host_rsa_key.pub
+++ /dev/null
@@ -1 +0,0 @@
-ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAsxKfTm05po6leGD8C+M0eAR5EE4s1pQXc0D/dVlqrmfZ65h5BFQY9lnwpCvapV6OVqKWx8ICmeIH3OhaPxPPNKlU81f3d0xgh8BRJpWh459DYkRVa5f7ax5eeFE1lelj9s1d0seUl/IZolpJ8Wmt9TN1hwJ0mrkwN4670rb3urc=
diff --git a/testing/hosts/sun/etc/conf.d/hostname b/testing/hosts/sun/etc/conf.d/hostname
deleted file mode 100644
index bc042b68b..000000000
--- a/testing/hosts/sun/etc/conf.d/hostname
+++ /dev/null
@@ -1 +0,0 @@
-HOSTNAME=sun
diff --git a/testing/hosts/sun/etc/conf.d/net b/testing/hosts/sun/etc/conf.d/net
deleted file mode 100644
index 4a6370ab7..000000000
--- a/testing/hosts/sun/etc/conf.d/net
+++ /dev/null
@@ -1,14 +0,0 @@
-# /etc/conf.d/net:
-
-# This is basically the ifconfig argument without the ifconfig $iface
-#
-config_eth0=( "PH_IP_SUN broadcast 192.168.0.255 netmask 255.255.255.0"
-              "PH_IP6_SUN/16" )
-config_eth1=( "PH_IP_SUN1 broadcast 10.2.255.255 netmask 255.255.0.0"
-              "PH_IP6_SUN1/16" )
-
-# For setting the default gateway
-#
-routes_eth0=( "default via 192.168.0.254" )
-
-
diff --git a/testing/hosts/sun/etc/hostname b/testing/hosts/sun/etc/hostname
new file mode 100644
index 000000000..692699759
--- /dev/null
+++ b/testing/hosts/sun/etc/hostname
@@ -0,0 +1 @@
+sun
diff --git a/testing/hosts/sun/etc/init.d/iptables b/testing/hosts/sun/etc/init.d/iptables
deleted file mode 100755
index aeaf472fb..000000000
--- a/testing/hosts/sun/etc/init.d/iptables
+++ /dev/null
@@ -1,80 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# enable IP forwarding
-	echo 1 > /proc/sys/net/ipv4/ip_forward
-	
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	# allow esp
-	iptables -A INPUT  -i eth0 -p 50 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-	# allow IKE
-	iptables -A INPUT  -i eth0 -p udp --dport 500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --sport 500 -j ACCEPT
-
-        # allow NAT-T 
-	iptables -A INPUT  -i eth0 -p udp --dport 4500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --sport 4500 -j ACCEPT
-
-	# allow crl fetch from winnetou
-	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/hosts/sun/etc/init.d/net.eth0 b/testing/hosts/sun/etc/init.d/net.eth0
deleted file mode 100755
index 92b3851cf..000000000
--- a/testing/hosts/sun/etc/init.d/net.eth0
+++ /dev/null
@@ -1,1124 +0,0 @@
-#!/sbin/runscript
-# Copyright (c) 2004-2006 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-# Contributed by Roy Marples (uberlord@gentoo.org)
-# Many thanks to Aron Griffis (agriffis@gentoo.org)
-# for help, ideas and patches
-
-#NB: Config is in /etc/conf.d/net
-
-# For pcmcia users. note that pcmcia must be added to the same
-# runlevel as the net.* script that needs it.
-depend() {
-	need localmount
-	after bootmisc hostname
-	use isapnp isdn pcmcia usb wlan
-
-	# Load any custom depend functions for the given interface
-	# For example, br0 may need eth0 and eth1
-	local iface="${SVCNAME#*.}"
-	[[ $(type -t "depend_${iface}") == "function" ]] && depend_${iface}
-
-	if [[ ${iface} != "lo" && ${iface} != "lo0" ]] ; then
-		after net.lo net.lo0
-
-		# Support new style RC_NEED and RC_USE in one net file
-		local x="RC_NEED_${iface}"
-		[[ -n ${!x} ]] && need ${!x}
-		x="RC_USE_${iface}"
-		[[ -n ${!x} ]] && use ${!x}
-	fi
-
-	return 0
-}
-
-# Define where our modules are
-MODULES_DIR="${svclib}/net"
-
-# Make some wrappers to fudge after/before/need/use depend flags.
-# These are callbacks so MODULE will be set.
-after() {
-	eval "${MODULE}_after() { echo \"$*\"; }"
-}
-before() {
-	eval "${MODULE}_before() { echo \"$*\"; }"
-}
-need() {
-	eval "${MODULE}_need() { echo \"$*\"; }"
-}
-installed() {
-	# We deliberately misspell this as _installed will probably be used
-	# at some point
-	eval "${MODULE}_instlled() { echo \"$*\"; }"
-}
-provide() {
-	eval "${MODULE}_provide() { echo \"$*\"; }"
-}
-functions() {
-	eval "${MODULE}_functions() { echo \"$*\"; }"
-}
-variables() {
-	eval "${MODULE}_variables() { echo \"$*\"; }"
-}
-
-is_loopback() {
-	[[ $1 == "lo" || $1 == "lo0" ]]
-}
-
-# char* interface_device(char *iface)
-#
-# Gets the base device of the interface
-# Can handle eth0:1 and eth0.1
-# Which returns eth0 in this case
-interface_device() {
-	local dev="${1%%.*}"
-	[[ ${dev} == "$1" ]] && dev="${1%%:*}"
-	echo "${dev}"
-}
-
-# char* interface_type(char* iface)
-#
-# Returns the base type of the interface
-# eth, ippp, etc
-interface_type() {
-	echo "${1%%[0-9]*}"
-}
-
-# int calculate_metric(char *interface, int base)
-#
-# Calculates the best metric for the interface
-# We use this when we add routes so we can prefer interfaces over each other
-calculate_metric() {
-	local iface="$1" metric="$2"
-
-	# Have we already got a metric?
-	local m=$(awk '$1=="'${iface}'" && $2=="00000000" { print $7 }' \
-		/proc/net/route)
-	if [[ -n ${m} ]] ; then
-		echo "${m}"
-		return 0
-	fi
-
-	local i= dest= gw= flags= ref= u= m= mtu= metrics=
-	while read i dest gw flags ref u m mtu ; do
-		# Ignore lo
-		is_loopback "${i}" && continue
-		# We work out metrics from default routes only
-		[[ ${dest} != "00000000" || ${gw} == "00000000" ]] && continue
-		metrics="${metrics}\n${m}"
-	done < /proc/net/route
-
-	# Now, sort our metrics
-	metrics=$(echo -e "${metrics}" | sort -n)
-
-	# Now, find the lowest we can use
-	local gotbase=false
-	for m in ${metrics} ; do
-		[[ ${m} -lt ${metric} ]] && continue
-		[[ ${m} == ${metric} ]] && ((metric++))
-		[[ ${m} -gt ${metric} ]] && break
-	done
-	
-	echo "${metric}"
-}
-
-# int netmask2cidr(char *netmask)
-#
-# Returns the CIDR of a given netmask
-netmask2cidr() {
-	local binary= i= bin=
-
-	for i in ${1//./ }; do
-		bin=""
-		while [[ ${i} != "0" ]] ; do
-			bin=$[${i}%2]${bin}
-			(( i=i>>1 ))
-		done
-		binary="${binary}${bin}"
-	done
-	binary="${binary%%0*}"
-	echo "${#binary}"
-}
-
-
-# bool is_function(char* name)
-#
-# Returns 0 if the given name is a shell function, otherwise 1
-is_function() {
-	[[ -z $1 ]] && return 1
-	[[ $(type -t "$1") == "function" ]]
-}
-
-# void function_wrap(char* source, char* target)
-#
-# wraps function calls - for example function_wrap(this, that)
-# maps function names this_* to that_*
-function_wrap() {
-	local i=
-
-	is_function "${2}_depend" && return
-
-	for i in $(typeset -f | grep -o '^'"${1}"'_[^ ]*'); do
-		eval "${2}${i#${1}}() { ${i} \"\$@\"; }"
-	done
-}
-
-# char[] * expand_parameters(char *cmd)
-#
-# Returns an array after expanding parameters. For example
-# "192.168.{1..3}.{1..3}/24 brd +"
-# will return
-# "192.168.1.1/24 brd +"
-# "192.168.1.2/24 brd +"
-# "192.168.1.3/24 brd +"
-# "192.168.2.1/24 brd +"
-# "192.168.2.2/24 brd +"
-# "192.168.2.3/24 brd +"
-# "192.168.3.1/24 brd +"
-# "192.168.3.2/24 brd +"
-# "192.168.3.3/24 brd +"
-expand_parameters() {
-	local x=$(eval echo ${@// /_})
-	local -a a=( ${x} )
-
-	a=( "${a[@]/#/\"}" )
-	a=( "${a[@]/%/\"}" )
-	echo "${a[*]//_/ }"
-}
-
-# void configure_variables(char *interface, char *option1, [char *option2])
-#
-# Maps configuration options from <variable>_<option> to <variable>_<iface>
-# option2 takes precedence over option1
-configure_variables() {
-	local iface="$1" option1="$2" option2="$3"
-
-	local mod= func= x= i=
-	local -a ivars=() ovars1=() ovars2=()
-	local ifvar=$(bash_variable "${iface}")
-
-	for mod in ${MODULES[@]}; do
-		is_function ${mod}_variables || continue
-		for v in $(${mod}_variables) ; do
-			x=
-			[[ -n ${option2} ]] && x="${v}_${option2}[@]"
-			[[ -z ${!x} ]] && x="${v}_${option1}[@]"
-			[[ -n ${!x} ]] && eval "${v}_${ifvar}=( \"\${!x}\" )"
-		done
-	done
-
-	return 0
-}
-# bool module_load_minimum(char *module)
-#
-# Does the minimum checking on a module - even when forcing
-module_load_minimum() {
-	local f="$1.sh" MODULE="${1##*/}"
-
-	if [[ ! -f ${f} ]] ; then
-		eerror "${f} does not exist"
-		return 1
-	fi
-
-	if ! source "${f}" ; then
-		eerror "${MODULE} failed a sanity check"
-		return 1
-	fi
-
-	for f in depend; do
-		is_function "${MODULE}_${f}" && continue
-		eerror "${MODULE}.sh does not support the required function ${f}"
-		return 1
-	done
-
-	return 0
-}
-
-# bool modules_load_auto()
-#
-# Load and check each module for sanity
-# If the module is not installed, the functions are to be removed
-modules_load_auto() {
-	local i j inst
-
-	# Populate the MODULES array
-	# Basically we treat evey file in ${MODULES_DIR} as a module
-	MODULES=( $( cd "${MODULES_DIR}" ; ls *.sh ) )
-	j="${#MODULES[@]}"
-	for (( i=0; i<j; i++ )); do
-		MODULES[i]="${MODULES_DIR}/${MODULES[i]}"
-		[[ ! -f ${MODULES[i]} ]] && unset MODULES[i]
-	done
-	MODULES=( "${MODULES[@]}" )
-
-	# Each of these sources into the global namespace, so it's
-	# important that module functions and variables are prefixed with
-	# the module name, for example iproute2_
-
-	j="${#MODULES[@]}"
-	loaded_interface=false
-	for (( i=0; i<j; i++ )); do
-		MODULES[i]="${MODULES[i]%.sh*}"
-		if [[ ${MODULES[i]##*/} == "interface" ]] ; then
-			eerror "interface is a reserved name - cannot load a module called interface"
-			return 1
-		fi
-		
-		(
-		u=0;
-		module_load_minimum "${MODULES[i]}" || u=1;
-		if [[ ${u} == 0 ]] ; then
-			inst="${MODULES[i]##*/}_check_installed";
-			if is_function "${inst}" ; then
-				${inst} false || u=1;
-			fi
-		fi
-		exit "${u}";
-		)
-
-		if [[ $? == 0 ]] ; then
-			source "${MODULES[i]}.sh"
-			MODULES[i]="${MODULES[i]##*/}"
-		else
-			unset MODULES[i]
-		fi
-	done
-
-	MODULES=( "${MODULES[@]}" )
-	return 0
-}
-
-# bool modules_check_installed(void)
-#
-# Ensure that all modules have the required modules loaded
-# This enables us to remove modules from the MODULES array
-# Whilst other modules can still explicitly call them
-# One example of this is essidnet which configures network
-# settings for the specific ESSID connected to as the user
-# may be using a daemon to configure wireless instead of our
-# iwconfig module
-modules_check_installed() {
-	local i j missingdeps nmods="${#MODULES[@]}"
-
-	for (( i=0; i<nmods; i++ )); do
-		is_function "${MODULES[i]}_instlled" || continue
-		for j in $( ${MODULES[i]}_instlled ); do
-			missingdeps=true
-			if is_function "${j}_check_installed" ; then
-				${j}_check_installed && missingdeps=false
-			elif is_function "${j}_depend" ; then
-				missingdeps=false
-			fi
-			${missingdeps} && unset MODULES[i] && unset PROVIDES[i] && break
-		done
-	done
-
-	MODULES=( "${MODULES[@]}" )
-	PROVIDES=( "${PROVIDES[@]}" )
-}
-
-# bool modules_check_user(void)
-modules_check_user() {
-	local iface="$1" ifvar=$(bash_variable "${IFACE}")
-	local i= j= k= l= nmods="${#MODULES[@]}"
-	local -a umods=()
-
-	# Has the interface got any specific modules?
-	umods="modules_${ifvar}[@]"
-	umods=( "${!umods}" )
-
-	# Global setting follows interface-specific setting
-	umods=( "${umods[@]}" "${modules[@]}" )
-
-	# Add our preferred modules
-	local -a pmods=( "iproute2" "dhcpcd" "iwconfig" "netplugd" )
-	umods=( "${umods[@]}" "${pmods[@]}" )
-
-	# First we strip any modules that conflict from user settings
-	# So if the user specifies pump then we don't use dhcpcd
-	for (( i=0; i<${#umods[@]}; i++ )); do
-		# Some users will inevitably put "dhcp" in their modules
-		# list.  To keep users from screwing up their system this
-		# way, ignore this setting so that the default dhcp
-		# module will be used.
-		[[ ${umods[i]} == "dhcp" ]] && continue
-
-		# We remove any modules we explicitly don't want
-		if [[ ${umods[i]} == "!"* ]] ; then
-			for (( j=0; j<nmods; j++ )); do
-				[[ -z ${MODULES[j]} ]] && continue
-				if [[ ${umods[i]:1} == "${MODULES[j]}" \
-					|| ${umods[i]:1} == "${PROVIDES[j]}" ]] ; then
-					# We may need to setup a class wrapper for it even though
-					# we don't use it directly
-					# However, we put it into an array and wrap later as
-					# another module may provide the same thing
-					${MODULES[j]}_check_installed \
-						&& WRAP_MODULES=(
-							"${WRAP_MODULES[@]}"
-							"${MODULES[j]} ${PROVIDES[j]}"
-						)
-					unset MODULES[j]
-					unset PROVIDES[j]
-				fi
-			done
-			continue
-		fi
-
-		if ! is_function "${umods[i]}_depend" ; then
-			# If the module is one of our preferred modules, then
-			# ignore this error; whatever is available will be
-			# used instead.
-			(( i < ${#umods[@]} - ${#pmods[@]} )) || continue
-
-			# The function may not exist because the modules software is
-			# not installed. Load the module and report its error
-			if [[ -e "${MODULES_DIR}/${umods[i]}.sh" ]] ; then
-				source "${MODULES_DIR}/${umods[i]}.sh"
-				is_function "${umods[i]}_check_installed" \
-					&& ${umods[i]}_check_installed true
-			else
-				eerror "The module \"${umods[i]}\" does not exist"
-			fi
-			return 1
-		fi
-
-		if is_function "${umods[i]}_provide" ; then
-			mod=$(${umods[i]}_provide)
-		else
-			mod="${umods[i]}"
-		fi
-		for (( j=0; j<nmods; j++ )); do
-			[[ -z ${MODULES[j]} ]] && continue
-			if [[ ${PROVIDES[j]} == "${mod}" && ${umods[i]} != "${MODULES[j]}" ]] ; then
-				# We don't have a match - now ensure that we still provide an
-				# alternative. This is to handle our preferred modules.
-				for (( l=0; l<nmods; l++ )); do
-					[[ ${l} == "${j}" || -z ${MODULES[l]} ]] && continue
-					if [[ ${PROVIDES[l]} == "${mod}" ]] ; then
-						unset MODULES[j]
-						unset PROVIDES[j]
-						break
-					fi
-				done
-			fi
-		done
-	done
-
-	# Then we strip conflicting modules.
-	# We only need to do this for 3rd party modules that conflict with
-	# our own modules and the preferred list AND the user modules
-	# list doesn't specify a preference.
-	for (( i=0; i<nmods-1; i++ )); do
-		[[ -z ${MODULES[i]} ]] && continue			
-		for (( j=i+1; j<nmods; j++)); do
-			[[ -z ${MODULES[j]} ]] && continue
-			[[ ${PROVIDES[i]} == "${PROVIDES[j]}" ]] \
-			&& unset MODULES[j] && unset PROVIDES[j]
-		done
-	done
-
-	MODULES=( "${MODULES[@]}" )
-	PROVIDES=( "${PROVIDES[@]}" )
-	return 0
-}
-
-# void modules_sort(void)
-#
-# Sort our modules
-modules_sort() {
-	local i= j= nmods=${#MODULES[@]} m=
-	local -a provide=() provide_list=() after=() dead=() sorted=() sortedp=()
-
-	# Make our provide list
-	for ((i=0; i<nmods; i++)); do
-		dead[i]="false"
-		if [[ ${MODULES[i]} != "${PROVIDES[i]}" ]] ; then
-			local provided=false
-			for ((j=0; j<${#provide[@]}; j++)); do
-				if [[ ${provide[j]} == "${PROVIDES[i]}" ]] ; then
-					provide_list[j]="${provide_list[j]} ${MODULES[i]}"
-					provided=true
-				fi
-			done
-			if ! ${provided}; then
-				provide[j]="${PROVIDES[i]}"
-				provide_list[j]="${MODULES[i]}"
-			fi
-		fi
-	done
-
-	# Create an after array, which holds which modules the module at
-	# index i must be after
-	for ((i=0; i<nmods; i++)); do
-		if is_function "${MODULES[i]}_after" ; then
-			after[i]=" ${after[i]} $(${MODULES[i]}_after) "
-		fi
-		if is_function "${MODULES[i]}_before" ; then
-			for m in $(${MODULES[i]}_before); do
-				for ((j=0; j<nmods; j++)) ; do
-					if [[ ${PROVIDES[j]} == "${m}" ]] ; then
-						after[j]=" ${after[j]} ${MODULES[i]} "
-						break
-					fi
-				done
-			done
-		fi
-	done
-
-	# Replace the after list modules with real modules
-	for ((i=0; i<nmods; i++)); do
-		if [[ -n ${after[i]} ]] ; then
-			for ((j=0; j<${#provide[@]}; j++)); do
-				after[i]="${after[i]// ${provide[j]} / ${provide_list[j]} }"
-			done
-		fi
-	done
-	
-	# We then use the below code to provide a topologial sort
-    module_after_visit() {
-        local name="$1" i= x=
-
-		for ((i=0; i<nmods; i++)); do
-			[[ ${MODULES[i]} == "$1" ]] && break
-		done
-
-        ${dead[i]} && return
-        dead[i]="true"
-
-        for x in ${after[i]} ; do
-            module_after_visit "${x}"
-        done
-
-        sorted=( "${sorted[@]}" "${MODULES[i]}" )
-		sortedp=( "${sortedp[@]}" "${PROVIDES[i]}" )
-    }
-
-	for x in ${MODULES[@]}; do
-		module_after_visit "${x}"
-	done
-
-	MODULES=( "${sorted[@]}" )
-	PROVIDES=( "${sortedp[@]}" )
-}
-
-# bool modules_check_depends(bool showprovides)
-modules_check_depends() {
-	local showprovides="${1:-false}" nmods="${#MODULES[@]}" i= j= needmod=
-	local missingdeps= p= interface=false
-
-	for (( i=0; i<nmods; i++ )); do
-		if is_function "${MODULES[i]}_need" ; then
-			for needmod in $(${MODULES[i]}_need); do
-				missingdeps=true
-				for (( j=0; j<nmods; j++ )); do
-					if [[ ${needmod} == "${MODULES[j]}" \
-						|| ${needmod} == "${PROVIDES[j]}" ]] ; then
-						missingdeps=false
-						break
-					fi
-				done
-				if ${missingdeps} ; then
-					eerror "${MODULES[i]} needs ${needmod} (dependency failure)"
-					return 1
-				fi
-			done
-		fi
-
-		if is_function "${MODULES[i]}_functions" ; then
-			for f in $(${MODULES[i]}_functions); do
-				if ! is_function "${f}" ; then
-					eerror "${MODULES[i]}: missing required function \"${f}\""
-					return 1
-				fi
-			done
-		fi
-
-		[[ ${PROVIDES[i]} == "interface" ]] && interface=true
-
-		if ${showprovides} ; then
-			[[ ${PROVIDES[i]} != "${MODULES[i]}" ]] \
-			&& veinfo "${MODULES[i]} provides ${PROVIDES[i]}"
-		fi
-	done
-
-	if ! ${interface} ; then
-		eerror "no interface module has been loaded"
-		return 1
-	fi
-
-	return 0
-}
-
-# bool modules_load(char *iface, bool starting)
-#
-# Loads the defined handler and modules for the interface
-# Returns 0 on success, otherwise 1
-modules_load()  {
-	local iface="$1" starting="${2:-true}" MODULE= p=false i= j= k=
-	local -a x=()
-	local RC_INDENTATION="${RC_INDENTATION}"
-	local -a PROVIDES=() WRAP_MODULES=()
-
-	if ! is_loopback "${iface}" ; then
-		x="modules_force_${iface}[@]"
-		[[ -n ${!x} ]] && modules_force=( "${!x}" )
-		if [[ -n ${modules_force} ]] ; then
-			ewarn "WARNING: You are forcing modules!"
-			ewarn "Do not complain or file bugs if things start breaking"
-			report=true
-		fi
-	fi
-
-	veinfo "Loading networking modules for ${iface}"
-	eindent
-
-	if [[ -z ${modules_force} ]] ; then
-		modules_load_auto || return 1
-	else
-		j="${#modules_force[@]}"
-		for (( i=0; i<j; i++ )); do
-			module_load_minimum "${MODULES_DIR}/${modules_force[i]}" || return 1
-			if is_function "${modules_force[i]}_check_installed" ; then
-				${modules_force[i]}_check_installed || unset modules_force[i]
-			fi
-		done
-		MODULES=( "${modules_force[@]}" )
-	fi
-
-	j="${#MODULES[@]}"
-	for (( i=0; i<j; i++ )); do
-		# Now load our dependencies - we need to use the MODULE variable
-		# here as the after/before/need functions use it
-		MODULE="${MODULES[i]}"
-		${MODULE}_depend
-
-		# expose does exactly the same thing as depend
-		# However it is more "correct" as it exposes things to other modules
-		# instead of depending on them ;)
-		is_function "${MODULES[i]}_expose" && ${MODULES[i]}_expose
-
-		# If no provide is given, assume module name
-		if is_function "${MODULES[i]}_provide" ; then
-			PROVIDES[i]=$(${MODULES[i]}_provide)
-		else
-			PROVIDES[i]="${MODULES[i]}"
-		fi
-	done
-
-	if [[ -n ${modules_force[@]} ]] ; then
-		# Strip any duplicate modules providing the same thing
-		j="${#MODULES[@]}"
-		for (( i=0; i<j-1; i++ )); do
-			[[ -z ${MODULES[i]} ]] && continue
-			for (( k=i+1; k<j; k++ )); do
-				if [[ ${PROVIDES[i]} == ${PROVIDES[k]} ]] ; then
-					unset MODULES[k]
-					unset PROVIDES[k]
-				fi
-			done
-		done
-		MODULES=( "${MODULES[@]}" )
-		PROVIDES=( "${PROVIDES[@]}" )
-	else
-		if ${starting}; then
-			modules_check_user "${iface}" || return 1
-		else
-			# Always prefer iproute2 for taking down interfaces
-			if is_function iproute2_provide ; then
-				function_wrap iproute2 "$(iproute2_provide)"
-			fi
-		fi
-	fi
-	
-	# Wrap our modules
-	j="${#MODULES[@]}"
-	for (( i=0; i<j; i++ )); do
-		function_wrap "${MODULES[i]}" "${PROVIDES[i]}"
-	done
-	j="${#WRAP_MODULES[@]}"
-	for (( i=0; i<j; i++ )); do
-		function_wrap ${WRAP_MODULES[i]}
-	done
-	
-	if [[ -z ${modules_force[@]} ]] ; then
-		modules_check_installed || return 1
-		modules_sort || return 1
-	fi
-
-	veinfo "modules: ${MODULES[@]}"
-	eindent
-
-	${starting} && p=true
-	modules_check_depends "${p}" || return 1
-	return 0
-}
-
-# bool iface_start(char *interface)
-#
-# iface_start is called from start.  It's expected to start the base
-# interface (for example "eth0"), aliases (for example "eth0:1") and to start
-# VLAN interfaces (for example eth0.0, eth0.1).  VLAN setup is accomplished by
-# calling itself recursively.
-iface_start() {
-	local iface="$1" mod config_counter="-1" x config_worked=false
-	local RC_INDENTATION="${RC_INDENTATION}"
-	local -a config=() fallback=() fallback_route=() conf=() a=() b=()
-	local ifvar=$(bash_variable "$1") i= j= metric=0
-
-	# pre Start any modules with
-	for mod in ${MODULES[@]}; do
-		if is_function "${mod}_pre_start" ; then
-			${mod}_pre_start "${iface}" || { eend 1; return 1; }
-		fi
-	done
-
-	x="metric_${ifvar}"
-	# If we don't have a metric then calculate one
-	# Our modules will set the metric variable to a suitable base
-	# in their pre starts.
-	if [[ -z ${!x} ]] ; then
-		eval "metric_${ifvar}=\"$(calculate_metric "${iface}" "${metric}")\""
-	fi
-
-	# We now expand the configuration parameters and pray that the
-	# fallbacks expand to the same number as config or there will be
-	# trouble!
-	a="config_${ifvar}[@]"
-	a=( "${!a}" )
-	for (( i=0; i<${#a[@]}; i++ )); do 
-		eval b=( $(expand_parameters "${a[i]}") )
-		config=( "${config[@]}" "${b[@]}" )
-	done
-
-	a="fallback_${ifvar}[@]"
-	a=( "${!a}" )
-	for (( i=0; i<${#a[@]}; i++ )); do 
-		eval b=( $(expand_parameters "${a[i]}") )
-		fallback=( "${fallback[@]}" "${b[@]}" )
-	done
-
-	# We don't expand routes
-	fallback_route="fallback_route_${ifvar}[@]"
-	fallback_route=( "${!fallback_route}" )
-	
-	# We must support old configs
-	if [[ -z ${config} ]] ; then
-		interface_get_old_config "${iface}" || return 1
-		if [[ -n ${config} ]] ; then
-			ewarn "You are using a deprecated configuration syntax for ${iface}"
-			ewarn "You are advised to read /etc/conf.d/net.example and upgrade it accordingly"
-		fi
-	fi
-
-	# Handle "noop" correctly
-	if [[ ${config[0]} == "noop" ]] ; then
-		if interface_is_up "${iface}" true ; then
-			einfo "Keeping current configuration for ${iface}"
-			eend 0
-			return 0
-		fi
-
-		# Remove noop from the config var
-		config=( "${config[@]:1}" )
-	fi
-
-	# Provide a default of DHCP if no configuration is set and we're auto
-	# Otherwise a default of NULL
-	if [[ -z ${config} ]] ; then
-		ewarn "Configuration not set for ${iface} - assuming DHCP"
-		if is_function "dhcp_start" ; then
-			config=( "dhcp" )
-		else
-			eerror "No DHCP client installed"
-			return 1
-		fi
-	fi
-
-	einfo "Bringing up ${iface}"
-	eindent
-	for (( config_counter=0; config_counter<${#config[@]}; config_counter++ )); do
-		# Handle null and noop correctly
-		if [[ ${config[config_counter]} == "null" \
-			|| ${config[config_counter]} == "noop" ]] ; then
-			eend 0
-			config_worked=true
-			continue
-		fi
-
-		# We convert it to an array - this has the added
-		# bonus of trimming spaces!
-		conf=( ${config[config_counter]} )
-		einfo "${conf[0]}"
-
-		# Do we have a function for our config?
-		if is_function "${conf[0]}_start" ; then
-			eindent
-			${conf[0]}_start "${iface}" ; x=$?
-			eoutdent
-			[[ ${x} == 0 ]] && config_worked=true && continue
-			# We need to test to see if it's an IP address or a function
-			# We do this by testing if the 1st character is a digit
-		elif [[ ${conf[0]:0:1} == [[:digit:]] || ${conf[0]} == *:* ]] ; then
-			x="0"
-			if ! is_loopback "${iface}" ; then
-				if [[ " ${MODULES[@]} " == *" arping "* ]] ; then
-					if arping_address_exists "${iface}" "${conf[0]}" ; then
-						eerror "${conf[0]%%/*} already taken on ${iface}"
-						x="1"
-					fi
-				fi
-			fi
-			[[ ${x} == "0" ]] && interface_add_address "${iface}" ${conf[@]}; x="$?"
-			eend "${x}" && config_worked=true && continue
-		else
-			if [[ ${conf[0]} == "dhcp" ]] ; then
-				eerror "No DHCP client installed"
-			else
-				eerror "No loaded modules provide \"${conf[0]}\" (${conf[0]}_start)"
-			fi
-		fi
-
-		if [[ -n ${fallback[config_counter]} ]] ; then
-			einfo "Trying fallback configuration"
-			config[config_counter]="${fallback[config_counter]}"
-			fallback[config_counter]=""
-
-			# Do we have a fallback route?
-			if [[ -n ${fallback_route[config_counter]} ]] ; then
-				x="fallback_route[config_counter]"
-				eval "routes_${ifvar}=( \"\${!x}\" )"
-				fallback_route[config_counter]=""
-			fi
-
-			(( config_counter-- )) # since the loop will increment it
-			continue
-		fi
-	done
-	eoutdent
-
-	# We return failure if no configuration parameters worked
-	${config_worked} || return 1
-
-	# Start any modules with _post_start
-	for mod in ${MODULES[@]}; do
-		if is_function "${mod}_post_start" ; then
-			${mod}_post_start "${iface}" || return 1
-		fi
-	done
-
-	return 0
-}
-
-# bool iface_stop(char *interface)
-#
-# iface_stop: bring down an interface.  Don't trust information in
-# /etc/conf.d/net since the configuration might have changed since
-# iface_start ran.  Instead query for current configuration and bring
-# down the interface.
-iface_stop() {
-	local iface="$1" i= aliases= need_begin=false mod=
-	local RC_INDENTATION="${RC_INDENTATION}"
-
-	# pre Stop any modules
-	for mod in ${MODULES[@]}; do
-		if is_function "${mod}_pre_stop" ; then
-			${mod}_pre_stop "${iface}" || return 1
-		fi
-	done
-
-	einfo "Bringing down ${iface}"
-	eindent
-
-	# Collect list of aliases for this interface.
-	# List will be in reverse order.
-	if interface_exists "${iface}" ; then
-		aliases=$(interface_get_aliases_rev "${iface}")
-	fi
-
-	# Stop aliases before primary interface.
-	# Note this must be done in reverse order, since ifconfig eth0:1 
-	# will remove eth0:2, etc.  It might be sufficient to simply remove 
-	# the base interface but we're being safe here.
-	for i in ${aliases} ${iface}; do
-		# Stop all our modules
-		for mod in ${MODULES[@]}; do
-			if is_function "${mod}_stop" ; then
-				${mod}_stop "${i}" || return 1
-			fi
-		done
-
-		# A module may have removed the interface
-		if ! interface_exists "${iface}" ; then
-			eend 0
-			continue
-		fi
-
-		# We don't delete ppp assigned addresses
-		if ! is_function pppd_exists || ! pppd_exists "${i}" ; then
-			# Delete all the addresses for this alias
-			interface_del_addresses "${i}"
-		fi
-
-		# Do final shut down of this alias
-		if [[ ${IN_BACKGROUND} != "true" \
-			&& ${RC_DOWN_INTERFACE} == "yes" ]] ; then
-			ebegin "Shutting down ${i}"
-			interface_iface_stop "${i}"
-			eend "$?"
-		fi
-	done
-
-	# post Stop any modules
-	for mod in ${MODULES[@]}; do
-		# We have already taken down the interface, so no need to error
-		is_function "${mod}_post_stop" && ${mod}_post_stop "${iface}"
-	done
-
-	return 0
-}
-
-# bool run_start(char *iface)
-#
-# Brings up ${IFACE}.  Calls preup, iface_start, then postup.
-# Returns 0 (success) unless preup or iface_start returns 1 (failure).
-# Ignores the return value from postup.
-# We cannot check that the device exists ourselves as modules like
-# tuntap make create it.
-run_start() {
-	local iface="$1" IFVAR=$(bash_variable "$1")
-
-	# We do this so users can specify additional addresses for lo if they
-	# need too - additional routes too
-	# However, no extra modules are loaded as they are just not needed
-	if [[ ${iface} == "lo" ]] ; then
-		metric_lo="0"
-		config_lo=( "127.0.0.1/8 brd 127.255.255.255" "${config_lo[@]}" )
-		routes_lo=( "127.0.0.0/8" "${routes_lo[@]}" )
-	elif [[ ${iface} == "lo0" ]] ; then
-		metric_lo0="0"
-		config_lo0=( "127.0.0.1/8 brd 127.255.255.255" "${config_lo[@]}" )
-		routes_lo0=( "127.0.0.0/8" "${routes_lo[@]}" )
-	fi
-
-	# We may not have a loaded module for ${iface}
-	# Some users may have "alias natsemi eth0" in /etc/modules.d/foo
-	# so we can work with this
-	# However, if they do the same with eth1 and try to start it
-	# but eth0 has not been loaded then the module gets loaded as
-	# eth0.
-	# Not much we can do about this :(
-	# Also, we cannot error here as some modules - such as bridge
-	# create interfaces
-	if ! interface_exists "${iface}" ; then
-		/sbin/modprobe "${iface}" &>/dev/null
-	fi
-
-	# Call user-defined preup function if it exists
-	if is_function preup ; then
-		einfo "Running preup function"
-		eindent
-		( preup "${iface}" )
-		eend "$?" "preup ${iface} failed" || return 1
-		eoutdent
-	fi
-
-	# If config is set to noop and the interface is up with an address
-	# then we don't start it
-	local config=
-	config="config_${IFVAR}[@]"
-	config=( "${!config}" )
-	if [[ ${config[0]} == "noop" ]] && interface_is_up "${iface}" true ; then
-		einfo "Keeping current configuration for ${iface}"
-		eend 0
-	else
-		# Remove noop from the config var
-		[[ ${config[0]} == "noop" ]] \
-			&& eval "config_${IFVAR}=( "\"\$\{config\[@\]:1\}\"" )"
-
-		# There may be existing ip address info - so we strip it
-		if [[ ${RC_INTERFACE_KEEP_CONFIG} != "yes" \
-			&& ${IN_BACKGROUND} != "true" ]] ; then
-			interface_del_addresses "${iface}"
-		fi
-
-		# Start the interface
-		if ! iface_start "${iface}" ; then
-			if [[ ${IN_BACKGROUND} != "true" ]] ; then
-				interface_exists "${iface}" && interface_down "${iface}"
-			fi
-			eend 1
-			return 1
-		fi
-	fi
-
-	# Call user-defined postup function if it exists
-	if is_function postup ; then
-		# We need to mark the service as started incase a
-		# postdown function wants to restart services that depend on us
-		mark_service_started "net.${iface}"
-		end_service "net.${iface}" 0
-		einfo "Running postup function"
-		eindent
-		( postup "${iface}" )
-		eoutdent
-	fi
-
-	return 0
-}
-
-# bool run_stop(char *iface) {
-#
-# Brings down ${iface}.  If predown call returns non-zero, then
-# stop returns non-zero to indicate failure bringing down device.
-# In all other cases stop returns 0 to indicate success.
-run_stop() {
-	local iface="$1" IFVAR=$(bash_variable "$1") x
-
-	# Load our ESSID variable so users can use it in predown() instead
-	# of having to write code.
-	local ESSID=$(get_options ESSID) ESSIDVAR=
-	[[ -n ${ESSID} ]] && ESSIDVAR=$(bash_variable "${ESSID}")
-
-	# Call user-defined predown function if it exists
-	if is_function predown ; then
-		einfo "Running predown function"
-		eindent
-		( predown "${iface}" )
-		eend $? "predown ${iface} failed" || return 1
-		eoutdent
-	elif is_net_fs / ; then
-		eerror "root filesystem is network mounted -- can't stop ${iface}"
-		return 1
-	elif is_union_fs / ; then
-		for x in $(unionctl "${dir}" --list \
-		| sed -e 's/^\(.*\) .*/\1/') ; do
-			if is_net_fs "${x}" ; then
-				eerror "Part of the root filesystem is network mounted - cannot stop ${iface}"
-				return 1
-			fi
-		done
-	fi
-
-	iface_stop "${iface}" || return 1  # always succeeds, btw
-
-	# Release resolv.conf information.
-	[[ -x /sbin/resolvconf ]] && resolvconf -d "${iface}"
-	
-	# Mark us as inactive if called from the background
-	[[ ${IN_BACKGROUND} == "true" ]] && mark_service_inactive "net.${iface}"
-
-	# Call user-defined postdown function if it exists
-	if is_function postdown ; then
-		# We need to mark the service as stopped incase a
-		# postdown function wants to restart services that depend on us
-		[[ ${IN_BACKGROUND} != "true" ]] && mark_service_stopped "net.${iface}"
-		end_service "net.${iface}" 0
-		einfo "Running postdown function"
-		eindent
-		( postdown "${iface}" )
-		eoutdent
-	fi
-
-
-	return 0
-}
-
-# bool run(char *iface, char *cmd)
-#
-# Main start/stop entry point
-# We load modules here and remove any functions that they
-# added as we may be called inside the same shell scope for another interface
-run() {
-	local iface="$1" cmd="$2" r=1 RC_INDENTATION="${RC_INDENTATION}"
-	local starting=true
-	local -a MODULES=() mods=()
-	local IN_BACKGROUND="${IN_BACKGROUND}"
-
-	if [[ ${IN_BACKGROUND} == "true" || ${IN_BACKGROUND} == "1" ]] ; then
-		IN_BACKGROUND=true
-	else
-		IN_BACKGROUND=false
-	fi
-
-	# We need to override the exit function as runscript.sh now checks
-	# for it. We need it so we can mark the service as inactive ourselves.
-	unset -f exit
-
-	eindent
-	[[ ${cmd} == "stop" ]] && starting=false
-
-	# We force lo to only use these modules for a major speed boost
-	if is_loopback "${iface}" ; then	
-		modules_force=( "iproute2" "ifconfig" "system" )
-	fi
-
-	if modules_load "${iface}" "${starting}" ; then
-		if [[ ${cmd} == "stop" ]] ; then
-			# Reverse the module list for stopping
-			mods=( "${MODULES[@]}" )
-			for ((i = 0; i < ${#mods[@]}; i++)); do
-				MODULES[i]=${mods[((${#mods[@]} - i - 1))]}
-			done
-
-			run_stop "${iface}" && r=0
-		else
-			# Only hotplug on ethernet interfaces
-			if [[ ${IN_HOTPLUG} == 1 ]] ; then
-				if ! interface_is_ethernet "${iface}" ; then
-					eerror "We only hotplug for ethernet interfaces"
-					return 1
-				fi
-			fi
-
-			run_start "${iface}" && r=0
-		fi
-	fi
-
-	if [[ ${r} != "0" ]] ; then
-		if [[ ${cmd} == "start" ]] ; then
-			# Call user-defined failup if it exists
-			if is_function failup ; then
-				einfo "Running failup function"
-				eindent
-				( failup "${iface}" )
-				eoutdent
-			fi
-		else
-			# Call user-defined faildown if it exists
-			if is_function faildown ; then
-				einfo "Running faildown function"
-				eindent
-				( faildown "${iface}" )
-				eoutdent
-			fi
-		fi
-		[[ ${IN_BACKGROUND} == "true" ]] \
-			&& mark_service_inactive "net.${iface}"
-	fi
-
-	return "${r}"
-}
-
-# bool start(void)
-#
-# Start entry point so that we only have one function
-# which localises variables and unsets functions
-start() {
-	declare -r IFACE="${SVCNAME#*.}"
-	einfo "Starting ${IFACE}"
-	run "${IFACE}" start
-}
-
-# bool stop(void)
-#
-# Stop entry point so that we only have one function
-# which localises variables and unsets functions
-stop() {
-	declare -r IFACE="${SVCNAME#*.}"
-	einfo "Stopping ${IFACE}"
-	run "${IFACE}" stop
-}
-
-# vim:ts=4
diff --git a/testing/hosts/sun/etc/init.d/net.eth1 b/testing/hosts/sun/etc/init.d/net.eth1
deleted file mode 100755
index 92b3851cf..000000000
--- a/testing/hosts/sun/etc/init.d/net.eth1
+++ /dev/null
@@ -1,1124 +0,0 @@
-#!/sbin/runscript
-# Copyright (c) 2004-2006 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-# Contributed by Roy Marples (uberlord@gentoo.org)
-# Many thanks to Aron Griffis (agriffis@gentoo.org)
-# for help, ideas and patches
-
-#NB: Config is in /etc/conf.d/net
-
-# For pcmcia users. note that pcmcia must be added to the same
-# runlevel as the net.* script that needs it.
-depend() {
-	need localmount
-	after bootmisc hostname
-	use isapnp isdn pcmcia usb wlan
-
-	# Load any custom depend functions for the given interface
-	# For example, br0 may need eth0 and eth1
-	local iface="${SVCNAME#*.}"
-	[[ $(type -t "depend_${iface}") == "function" ]] && depend_${iface}
-
-	if [[ ${iface} != "lo" && ${iface} != "lo0" ]] ; then
-		after net.lo net.lo0
-
-		# Support new style RC_NEED and RC_USE in one net file
-		local x="RC_NEED_${iface}"
-		[[ -n ${!x} ]] && need ${!x}
-		x="RC_USE_${iface}"
-		[[ -n ${!x} ]] && use ${!x}
-	fi
-
-	return 0
-}
-
-# Define where our modules are
-MODULES_DIR="${svclib}/net"
-
-# Make some wrappers to fudge after/before/need/use depend flags.
-# These are callbacks so MODULE will be set.
-after() {
-	eval "${MODULE}_after() { echo \"$*\"; }"
-}
-before() {
-	eval "${MODULE}_before() { echo \"$*\"; }"
-}
-need() {
-	eval "${MODULE}_need() { echo \"$*\"; }"
-}
-installed() {
-	# We deliberately misspell this as _installed will probably be used
-	# at some point
-	eval "${MODULE}_instlled() { echo \"$*\"; }"
-}
-provide() {
-	eval "${MODULE}_provide() { echo \"$*\"; }"
-}
-functions() {
-	eval "${MODULE}_functions() { echo \"$*\"; }"
-}
-variables() {
-	eval "${MODULE}_variables() { echo \"$*\"; }"
-}
-
-is_loopback() {
-	[[ $1 == "lo" || $1 == "lo0" ]]
-}
-
-# char* interface_device(char *iface)
-#
-# Gets the base device of the interface
-# Can handle eth0:1 and eth0.1
-# Which returns eth0 in this case
-interface_device() {
-	local dev="${1%%.*}"
-	[[ ${dev} == "$1" ]] && dev="${1%%:*}"
-	echo "${dev}"
-}
-
-# char* interface_type(char* iface)
-#
-# Returns the base type of the interface
-# eth, ippp, etc
-interface_type() {
-	echo "${1%%[0-9]*}"
-}
-
-# int calculate_metric(char *interface, int base)
-#
-# Calculates the best metric for the interface
-# We use this when we add routes so we can prefer interfaces over each other
-calculate_metric() {
-	local iface="$1" metric="$2"
-
-	# Have we already got a metric?
-	local m=$(awk '$1=="'${iface}'" && $2=="00000000" { print $7 }' \
-		/proc/net/route)
-	if [[ -n ${m} ]] ; then
-		echo "${m}"
-		return 0
-	fi
-
-	local i= dest= gw= flags= ref= u= m= mtu= metrics=
-	while read i dest gw flags ref u m mtu ; do
-		# Ignore lo
-		is_loopback "${i}" && continue
-		# We work out metrics from default routes only
-		[[ ${dest} != "00000000" || ${gw} == "00000000" ]] && continue
-		metrics="${metrics}\n${m}"
-	done < /proc/net/route
-
-	# Now, sort our metrics
-	metrics=$(echo -e "${metrics}" | sort -n)
-
-	# Now, find the lowest we can use
-	local gotbase=false
-	for m in ${metrics} ; do
-		[[ ${m} -lt ${metric} ]] && continue
-		[[ ${m} == ${metric} ]] && ((metric++))
-		[[ ${m} -gt ${metric} ]] && break
-	done
-	
-	echo "${metric}"
-}
-
-# int netmask2cidr(char *netmask)
-#
-# Returns the CIDR of a given netmask
-netmask2cidr() {
-	local binary= i= bin=
-
-	for i in ${1//./ }; do
-		bin=""
-		while [[ ${i} != "0" ]] ; do
-			bin=$[${i}%2]${bin}
-			(( i=i>>1 ))
-		done
-		binary="${binary}${bin}"
-	done
-	binary="${binary%%0*}"
-	echo "${#binary}"
-}
-
-
-# bool is_function(char* name)
-#
-# Returns 0 if the given name is a shell function, otherwise 1
-is_function() {
-	[[ -z $1 ]] && return 1
-	[[ $(type -t "$1") == "function" ]]
-}
-
-# void function_wrap(char* source, char* target)
-#
-# wraps function calls - for example function_wrap(this, that)
-# maps function names this_* to that_*
-function_wrap() {
-	local i=
-
-	is_function "${2}_depend" && return
-
-	for i in $(typeset -f | grep -o '^'"${1}"'_[^ ]*'); do
-		eval "${2}${i#${1}}() { ${i} \"\$@\"; }"
-	done
-}
-
-# char[] * expand_parameters(char *cmd)
-#
-# Returns an array after expanding parameters. For example
-# "192.168.{1..3}.{1..3}/24 brd +"
-# will return
-# "192.168.1.1/24 brd +"
-# "192.168.1.2/24 brd +"
-# "192.168.1.3/24 brd +"
-# "192.168.2.1/24 brd +"
-# "192.168.2.2/24 brd +"
-# "192.168.2.3/24 brd +"
-# "192.168.3.1/24 brd +"
-# "192.168.3.2/24 brd +"
-# "192.168.3.3/24 brd +"
-expand_parameters() {
-	local x=$(eval echo ${@// /_})
-	local -a a=( ${x} )
-
-	a=( "${a[@]/#/\"}" )
-	a=( "${a[@]/%/\"}" )
-	echo "${a[*]//_/ }"
-}
-
-# void configure_variables(char *interface, char *option1, [char *option2])
-#
-# Maps configuration options from <variable>_<option> to <variable>_<iface>
-# option2 takes precedence over option1
-configure_variables() {
-	local iface="$1" option1="$2" option2="$3"
-
-	local mod= func= x= i=
-	local -a ivars=() ovars1=() ovars2=()
-	local ifvar=$(bash_variable "${iface}")
-
-	for mod in ${MODULES[@]}; do
-		is_function ${mod}_variables || continue
-		for v in $(${mod}_variables) ; do
-			x=
-			[[ -n ${option2} ]] && x="${v}_${option2}[@]"
-			[[ -z ${!x} ]] && x="${v}_${option1}[@]"
-			[[ -n ${!x} ]] && eval "${v}_${ifvar}=( \"\${!x}\" )"
-		done
-	done
-
-	return 0
-}
-# bool module_load_minimum(char *module)
-#
-# Does the minimum checking on a module - even when forcing
-module_load_minimum() {
-	local f="$1.sh" MODULE="${1##*/}"
-
-	if [[ ! -f ${f} ]] ; then
-		eerror "${f} does not exist"
-		return 1
-	fi
-
-	if ! source "${f}" ; then
-		eerror "${MODULE} failed a sanity check"
-		return 1
-	fi
-
-	for f in depend; do
-		is_function "${MODULE}_${f}" && continue
-		eerror "${MODULE}.sh does not support the required function ${f}"
-		return 1
-	done
-
-	return 0
-}
-
-# bool modules_load_auto()
-#
-# Load and check each module for sanity
-# If the module is not installed, the functions are to be removed
-modules_load_auto() {
-	local i j inst
-
-	# Populate the MODULES array
-	# Basically we treat evey file in ${MODULES_DIR} as a module
-	MODULES=( $( cd "${MODULES_DIR}" ; ls *.sh ) )
-	j="${#MODULES[@]}"
-	for (( i=0; i<j; i++ )); do
-		MODULES[i]="${MODULES_DIR}/${MODULES[i]}"
-		[[ ! -f ${MODULES[i]} ]] && unset MODULES[i]
-	done
-	MODULES=( "${MODULES[@]}" )
-
-	# Each of these sources into the global namespace, so it's
-	# important that module functions and variables are prefixed with
-	# the module name, for example iproute2_
-
-	j="${#MODULES[@]}"
-	loaded_interface=false
-	for (( i=0; i<j; i++ )); do
-		MODULES[i]="${MODULES[i]%.sh*}"
-		if [[ ${MODULES[i]##*/} == "interface" ]] ; then
-			eerror "interface is a reserved name - cannot load a module called interface"
-			return 1
-		fi
-		
-		(
-		u=0;
-		module_load_minimum "${MODULES[i]}" || u=1;
-		if [[ ${u} == 0 ]] ; then
-			inst="${MODULES[i]##*/}_check_installed";
-			if is_function "${inst}" ; then
-				${inst} false || u=1;
-			fi
-		fi
-		exit "${u}";
-		)
-
-		if [[ $? == 0 ]] ; then
-			source "${MODULES[i]}.sh"
-			MODULES[i]="${MODULES[i]##*/}"
-		else
-			unset MODULES[i]
-		fi
-	done
-
-	MODULES=( "${MODULES[@]}" )
-	return 0
-}
-
-# bool modules_check_installed(void)
-#
-# Ensure that all modules have the required modules loaded
-# This enables us to remove modules from the MODULES array
-# Whilst other modules can still explicitly call them
-# One example of this is essidnet which configures network
-# settings for the specific ESSID connected to as the user
-# may be using a daemon to configure wireless instead of our
-# iwconfig module
-modules_check_installed() {
-	local i j missingdeps nmods="${#MODULES[@]}"
-
-	for (( i=0; i<nmods; i++ )); do
-		is_function "${MODULES[i]}_instlled" || continue
-		for j in $( ${MODULES[i]}_instlled ); do
-			missingdeps=true
-			if is_function "${j}_check_installed" ; then
-				${j}_check_installed && missingdeps=false
-			elif is_function "${j}_depend" ; then
-				missingdeps=false
-			fi
-			${missingdeps} && unset MODULES[i] && unset PROVIDES[i] && break
-		done
-	done
-
-	MODULES=( "${MODULES[@]}" )
-	PROVIDES=( "${PROVIDES[@]}" )
-}
-
-# bool modules_check_user(void)
-modules_check_user() {
-	local iface="$1" ifvar=$(bash_variable "${IFACE}")
-	local i= j= k= l= nmods="${#MODULES[@]}"
-	local -a umods=()
-
-	# Has the interface got any specific modules?
-	umods="modules_${ifvar}[@]"
-	umods=( "${!umods}" )
-
-	# Global setting follows interface-specific setting
-	umods=( "${umods[@]}" "${modules[@]}" )
-
-	# Add our preferred modules
-	local -a pmods=( "iproute2" "dhcpcd" "iwconfig" "netplugd" )
-	umods=( "${umods[@]}" "${pmods[@]}" )
-
-	# First we strip any modules that conflict from user settings
-	# So if the user specifies pump then we don't use dhcpcd
-	for (( i=0; i<${#umods[@]}; i++ )); do
-		# Some users will inevitably put "dhcp" in their modules
-		# list.  To keep users from screwing up their system this
-		# way, ignore this setting so that the default dhcp
-		# module will be used.
-		[[ ${umods[i]} == "dhcp" ]] && continue
-
-		# We remove any modules we explicitly don't want
-		if [[ ${umods[i]} == "!"* ]] ; then
-			for (( j=0; j<nmods; j++ )); do
-				[[ -z ${MODULES[j]} ]] && continue
-				if [[ ${umods[i]:1} == "${MODULES[j]}" \
-					|| ${umods[i]:1} == "${PROVIDES[j]}" ]] ; then
-					# We may need to setup a class wrapper for it even though
-					# we don't use it directly
-					# However, we put it into an array and wrap later as
-					# another module may provide the same thing
-					${MODULES[j]}_check_installed \
-						&& WRAP_MODULES=(
-							"${WRAP_MODULES[@]}"
-							"${MODULES[j]} ${PROVIDES[j]}"
-						)
-					unset MODULES[j]
-					unset PROVIDES[j]
-				fi
-			done
-			continue
-		fi
-
-		if ! is_function "${umods[i]}_depend" ; then
-			# If the module is one of our preferred modules, then
-			# ignore this error; whatever is available will be
-			# used instead.
-			(( i < ${#umods[@]} - ${#pmods[@]} )) || continue
-
-			# The function may not exist because the modules software is
-			# not installed. Load the module and report its error
-			if [[ -e "${MODULES_DIR}/${umods[i]}.sh" ]] ; then
-				source "${MODULES_DIR}/${umods[i]}.sh"
-				is_function "${umods[i]}_check_installed" \
-					&& ${umods[i]}_check_installed true
-			else
-				eerror "The module \"${umods[i]}\" does not exist"
-			fi
-			return 1
-		fi
-
-		if is_function "${umods[i]}_provide" ; then
-			mod=$(${umods[i]}_provide)
-		else
-			mod="${umods[i]}"
-		fi
-		for (( j=0; j<nmods; j++ )); do
-			[[ -z ${MODULES[j]} ]] && continue
-			if [[ ${PROVIDES[j]} == "${mod}" && ${umods[i]} != "${MODULES[j]}" ]] ; then
-				# We don't have a match - now ensure that we still provide an
-				# alternative. This is to handle our preferred modules.
-				for (( l=0; l<nmods; l++ )); do
-					[[ ${l} == "${j}" || -z ${MODULES[l]} ]] && continue
-					if [[ ${PROVIDES[l]} == "${mod}" ]] ; then
-						unset MODULES[j]
-						unset PROVIDES[j]
-						break
-					fi
-				done
-			fi
-		done
-	done
-
-	# Then we strip conflicting modules.
-	# We only need to do this for 3rd party modules that conflict with
-	# our own modules and the preferred list AND the user modules
-	# list doesn't specify a preference.
-	for (( i=0; i<nmods-1; i++ )); do
-		[[ -z ${MODULES[i]} ]] && continue			
-		for (( j=i+1; j<nmods; j++)); do
-			[[ -z ${MODULES[j]} ]] && continue
-			[[ ${PROVIDES[i]} == "${PROVIDES[j]}" ]] \
-			&& unset MODULES[j] && unset PROVIDES[j]
-		done
-	done
-
-	MODULES=( "${MODULES[@]}" )
-	PROVIDES=( "${PROVIDES[@]}" )
-	return 0
-}
-
-# void modules_sort(void)
-#
-# Sort our modules
-modules_sort() {
-	local i= j= nmods=${#MODULES[@]} m=
-	local -a provide=() provide_list=() after=() dead=() sorted=() sortedp=()
-
-	# Make our provide list
-	for ((i=0; i<nmods; i++)); do
-		dead[i]="false"
-		if [[ ${MODULES[i]} != "${PROVIDES[i]}" ]] ; then
-			local provided=false
-			for ((j=0; j<${#provide[@]}; j++)); do
-				if [[ ${provide[j]} == "${PROVIDES[i]}" ]] ; then
-					provide_list[j]="${provide_list[j]} ${MODULES[i]}"
-					provided=true
-				fi
-			done
-			if ! ${provided}; then
-				provide[j]="${PROVIDES[i]}"
-				provide_list[j]="${MODULES[i]}"
-			fi
-		fi
-	done
-
-	# Create an after array, which holds which modules the module at
-	# index i must be after
-	for ((i=0; i<nmods; i++)); do
-		if is_function "${MODULES[i]}_after" ; then
-			after[i]=" ${after[i]} $(${MODULES[i]}_after) "
-		fi
-		if is_function "${MODULES[i]}_before" ; then
-			for m in $(${MODULES[i]}_before); do
-				for ((j=0; j<nmods; j++)) ; do
-					if [[ ${PROVIDES[j]} == "${m}" ]] ; then
-						after[j]=" ${after[j]} ${MODULES[i]} "
-						break
-					fi
-				done
-			done
-		fi
-	done
-
-	# Replace the after list modules with real modules
-	for ((i=0; i<nmods; i++)); do
-		if [[ -n ${after[i]} ]] ; then
-			for ((j=0; j<${#provide[@]}; j++)); do
-				after[i]="${after[i]// ${provide[j]} / ${provide_list[j]} }"
-			done
-		fi
-	done
-	
-	# We then use the below code to provide a topologial sort
-    module_after_visit() {
-        local name="$1" i= x=
-
-		for ((i=0; i<nmods; i++)); do
-			[[ ${MODULES[i]} == "$1" ]] && break
-		done
-
-        ${dead[i]} && return
-        dead[i]="true"
-
-        for x in ${after[i]} ; do
-            module_after_visit "${x}"
-        done
-
-        sorted=( "${sorted[@]}" "${MODULES[i]}" )
-		sortedp=( "${sortedp[@]}" "${PROVIDES[i]}" )
-    }
-
-	for x in ${MODULES[@]}; do
-		module_after_visit "${x}"
-	done
-
-	MODULES=( "${sorted[@]}" )
-	PROVIDES=( "${sortedp[@]}" )
-}
-
-# bool modules_check_depends(bool showprovides)
-modules_check_depends() {
-	local showprovides="${1:-false}" nmods="${#MODULES[@]}" i= j= needmod=
-	local missingdeps= p= interface=false
-
-	for (( i=0; i<nmods; i++ )); do
-		if is_function "${MODULES[i]}_need" ; then
-			for needmod in $(${MODULES[i]}_need); do
-				missingdeps=true
-				for (( j=0; j<nmods; j++ )); do
-					if [[ ${needmod} == "${MODULES[j]}" \
-						|| ${needmod} == "${PROVIDES[j]}" ]] ; then
-						missingdeps=false
-						break
-					fi
-				done
-				if ${missingdeps} ; then
-					eerror "${MODULES[i]} needs ${needmod} (dependency failure)"
-					return 1
-				fi
-			done
-		fi
-
-		if is_function "${MODULES[i]}_functions" ; then
-			for f in $(${MODULES[i]}_functions); do
-				if ! is_function "${f}" ; then
-					eerror "${MODULES[i]}: missing required function \"${f}\""
-					return 1
-				fi
-			done
-		fi
-
-		[[ ${PROVIDES[i]} == "interface" ]] && interface=true
-
-		if ${showprovides} ; then
-			[[ ${PROVIDES[i]} != "${MODULES[i]}" ]] \
-			&& veinfo "${MODULES[i]} provides ${PROVIDES[i]}"
-		fi
-	done
-
-	if ! ${interface} ; then
-		eerror "no interface module has been loaded"
-		return 1
-	fi
-
-	return 0
-}
-
-# bool modules_load(char *iface, bool starting)
-#
-# Loads the defined handler and modules for the interface
-# Returns 0 on success, otherwise 1
-modules_load()  {
-	local iface="$1" starting="${2:-true}" MODULE= p=false i= j= k=
-	local -a x=()
-	local RC_INDENTATION="${RC_INDENTATION}"
-	local -a PROVIDES=() WRAP_MODULES=()
-
-	if ! is_loopback "${iface}" ; then
-		x="modules_force_${iface}[@]"
-		[[ -n ${!x} ]] && modules_force=( "${!x}" )
-		if [[ -n ${modules_force} ]] ; then
-			ewarn "WARNING: You are forcing modules!"
-			ewarn "Do not complain or file bugs if things start breaking"
-			report=true
-		fi
-	fi
-
-	veinfo "Loading networking modules for ${iface}"
-	eindent
-
-	if [[ -z ${modules_force} ]] ; then
-		modules_load_auto || return 1
-	else
-		j="${#modules_force[@]}"
-		for (( i=0; i<j; i++ )); do
-			module_load_minimum "${MODULES_DIR}/${modules_force[i]}" || return 1
-			if is_function "${modules_force[i]}_check_installed" ; then
-				${modules_force[i]}_check_installed || unset modules_force[i]
-			fi
-		done
-		MODULES=( "${modules_force[@]}" )
-	fi
-
-	j="${#MODULES[@]}"
-	for (( i=0; i<j; i++ )); do
-		# Now load our dependencies - we need to use the MODULE variable
-		# here as the after/before/need functions use it
-		MODULE="${MODULES[i]}"
-		${MODULE}_depend
-
-		# expose does exactly the same thing as depend
-		# However it is more "correct" as it exposes things to other modules
-		# instead of depending on them ;)
-		is_function "${MODULES[i]}_expose" && ${MODULES[i]}_expose
-
-		# If no provide is given, assume module name
-		if is_function "${MODULES[i]}_provide" ; then
-			PROVIDES[i]=$(${MODULES[i]}_provide)
-		else
-			PROVIDES[i]="${MODULES[i]}"
-		fi
-	done
-
-	if [[ -n ${modules_force[@]} ]] ; then
-		# Strip any duplicate modules providing the same thing
-		j="${#MODULES[@]}"
-		for (( i=0; i<j-1; i++ )); do
-			[[ -z ${MODULES[i]} ]] && continue
-			for (( k=i+1; k<j; k++ )); do
-				if [[ ${PROVIDES[i]} == ${PROVIDES[k]} ]] ; then
-					unset MODULES[k]
-					unset PROVIDES[k]
-				fi
-			done
-		done
-		MODULES=( "${MODULES[@]}" )
-		PROVIDES=( "${PROVIDES[@]}" )
-	else
-		if ${starting}; then
-			modules_check_user "${iface}" || return 1
-		else
-			# Always prefer iproute2 for taking down interfaces
-			if is_function iproute2_provide ; then
-				function_wrap iproute2 "$(iproute2_provide)"
-			fi
-		fi
-	fi
-	
-	# Wrap our modules
-	j="${#MODULES[@]}"
-	for (( i=0; i<j; i++ )); do
-		function_wrap "${MODULES[i]}" "${PROVIDES[i]}"
-	done
-	j="${#WRAP_MODULES[@]}"
-	for (( i=0; i<j; i++ )); do
-		function_wrap ${WRAP_MODULES[i]}
-	done
-	
-	if [[ -z ${modules_force[@]} ]] ; then
-		modules_check_installed || return 1
-		modules_sort || return 1
-	fi
-
-	veinfo "modules: ${MODULES[@]}"
-	eindent
-
-	${starting} && p=true
-	modules_check_depends "${p}" || return 1
-	return 0
-}
-
-# bool iface_start(char *interface)
-#
-# iface_start is called from start.  It's expected to start the base
-# interface (for example "eth0"), aliases (for example "eth0:1") and to start
-# VLAN interfaces (for example eth0.0, eth0.1).  VLAN setup is accomplished by
-# calling itself recursively.
-iface_start() {
-	local iface="$1" mod config_counter="-1" x config_worked=false
-	local RC_INDENTATION="${RC_INDENTATION}"
-	local -a config=() fallback=() fallback_route=() conf=() a=() b=()
-	local ifvar=$(bash_variable "$1") i= j= metric=0
-
-	# pre Start any modules with
-	for mod in ${MODULES[@]}; do
-		if is_function "${mod}_pre_start" ; then
-			${mod}_pre_start "${iface}" || { eend 1; return 1; }
-		fi
-	done
-
-	x="metric_${ifvar}"
-	# If we don't have a metric then calculate one
-	# Our modules will set the metric variable to a suitable base
-	# in their pre starts.
-	if [[ -z ${!x} ]] ; then
-		eval "metric_${ifvar}=\"$(calculate_metric "${iface}" "${metric}")\""
-	fi
-
-	# We now expand the configuration parameters and pray that the
-	# fallbacks expand to the same number as config or there will be
-	# trouble!
-	a="config_${ifvar}[@]"
-	a=( "${!a}" )
-	for (( i=0; i<${#a[@]}; i++ )); do 
-		eval b=( $(expand_parameters "${a[i]}") )
-		config=( "${config[@]}" "${b[@]}" )
-	done
-
-	a="fallback_${ifvar}[@]"
-	a=( "${!a}" )
-	for (( i=0; i<${#a[@]}; i++ )); do 
-		eval b=( $(expand_parameters "${a[i]}") )
-		fallback=( "${fallback[@]}" "${b[@]}" )
-	done
-
-	# We don't expand routes
-	fallback_route="fallback_route_${ifvar}[@]"
-	fallback_route=( "${!fallback_route}" )
-	
-	# We must support old configs
-	if [[ -z ${config} ]] ; then
-		interface_get_old_config "${iface}" || return 1
-		if [[ -n ${config} ]] ; then
-			ewarn "You are using a deprecated configuration syntax for ${iface}"
-			ewarn "You are advised to read /etc/conf.d/net.example and upgrade it accordingly"
-		fi
-	fi
-
-	# Handle "noop" correctly
-	if [[ ${config[0]} == "noop" ]] ; then
-		if interface_is_up "${iface}" true ; then
-			einfo "Keeping current configuration for ${iface}"
-			eend 0
-			return 0
-		fi
-
-		# Remove noop from the config var
-		config=( "${config[@]:1}" )
-	fi
-
-	# Provide a default of DHCP if no configuration is set and we're auto
-	# Otherwise a default of NULL
-	if [[ -z ${config} ]] ; then
-		ewarn "Configuration not set for ${iface} - assuming DHCP"
-		if is_function "dhcp_start" ; then
-			config=( "dhcp" )
-		else
-			eerror "No DHCP client installed"
-			return 1
-		fi
-	fi
-
-	einfo "Bringing up ${iface}"
-	eindent
-	for (( config_counter=0; config_counter<${#config[@]}; config_counter++ )); do
-		# Handle null and noop correctly
-		if [[ ${config[config_counter]} == "null" \
-			|| ${config[config_counter]} == "noop" ]] ; then
-			eend 0
-			config_worked=true
-			continue
-		fi
-
-		# We convert it to an array - this has the added
-		# bonus of trimming spaces!
-		conf=( ${config[config_counter]} )
-		einfo "${conf[0]}"
-
-		# Do we have a function for our config?
-		if is_function "${conf[0]}_start" ; then
-			eindent
-			${conf[0]}_start "${iface}" ; x=$?
-			eoutdent
-			[[ ${x} == 0 ]] && config_worked=true && continue
-			# We need to test to see if it's an IP address or a function
-			# We do this by testing if the 1st character is a digit
-		elif [[ ${conf[0]:0:1} == [[:digit:]] || ${conf[0]} == *:* ]] ; then
-			x="0"
-			if ! is_loopback "${iface}" ; then
-				if [[ " ${MODULES[@]} " == *" arping "* ]] ; then
-					if arping_address_exists "${iface}" "${conf[0]}" ; then
-						eerror "${conf[0]%%/*} already taken on ${iface}"
-						x="1"
-					fi
-				fi
-			fi
-			[[ ${x} == "0" ]] && interface_add_address "${iface}" ${conf[@]}; x="$?"
-			eend "${x}" && config_worked=true && continue
-		else
-			if [[ ${conf[0]} == "dhcp" ]] ; then
-				eerror "No DHCP client installed"
-			else
-				eerror "No loaded modules provide \"${conf[0]}\" (${conf[0]}_start)"
-			fi
-		fi
-
-		if [[ -n ${fallback[config_counter]} ]] ; then
-			einfo "Trying fallback configuration"
-			config[config_counter]="${fallback[config_counter]}"
-			fallback[config_counter]=""
-
-			# Do we have a fallback route?
-			if [[ -n ${fallback_route[config_counter]} ]] ; then
-				x="fallback_route[config_counter]"
-				eval "routes_${ifvar}=( \"\${!x}\" )"
-				fallback_route[config_counter]=""
-			fi
-
-			(( config_counter-- )) # since the loop will increment it
-			continue
-		fi
-	done
-	eoutdent
-
-	# We return failure if no configuration parameters worked
-	${config_worked} || return 1
-
-	# Start any modules with _post_start
-	for mod in ${MODULES[@]}; do
-		if is_function "${mod}_post_start" ; then
-			${mod}_post_start "${iface}" || return 1
-		fi
-	done
-
-	return 0
-}
-
-# bool iface_stop(char *interface)
-#
-# iface_stop: bring down an interface.  Don't trust information in
-# /etc/conf.d/net since the configuration might have changed since
-# iface_start ran.  Instead query for current configuration and bring
-# down the interface.
-iface_stop() {
-	local iface="$1" i= aliases= need_begin=false mod=
-	local RC_INDENTATION="${RC_INDENTATION}"
-
-	# pre Stop any modules
-	for mod in ${MODULES[@]}; do
-		if is_function "${mod}_pre_stop" ; then
-			${mod}_pre_stop "${iface}" || return 1
-		fi
-	done
-
-	einfo "Bringing down ${iface}"
-	eindent
-
-	# Collect list of aliases for this interface.
-	# List will be in reverse order.
-	if interface_exists "${iface}" ; then
-		aliases=$(interface_get_aliases_rev "${iface}")
-	fi
-
-	# Stop aliases before primary interface.
-	# Note this must be done in reverse order, since ifconfig eth0:1 
-	# will remove eth0:2, etc.  It might be sufficient to simply remove 
-	# the base interface but we're being safe here.
-	for i in ${aliases} ${iface}; do
-		# Stop all our modules
-		for mod in ${MODULES[@]}; do
-			if is_function "${mod}_stop" ; then
-				${mod}_stop "${i}" || return 1
-			fi
-		done
-
-		# A module may have removed the interface
-		if ! interface_exists "${iface}" ; then
-			eend 0
-			continue
-		fi
-
-		# We don't delete ppp assigned addresses
-		if ! is_function pppd_exists || ! pppd_exists "${i}" ; then
-			# Delete all the addresses for this alias
-			interface_del_addresses "${i}"
-		fi
-
-		# Do final shut down of this alias
-		if [[ ${IN_BACKGROUND} != "true" \
-			&& ${RC_DOWN_INTERFACE} == "yes" ]] ; then
-			ebegin "Shutting down ${i}"
-			interface_iface_stop "${i}"
-			eend "$?"
-		fi
-	done
-
-	# post Stop any modules
-	for mod in ${MODULES[@]}; do
-		# We have already taken down the interface, so no need to error
-		is_function "${mod}_post_stop" && ${mod}_post_stop "${iface}"
-	done
-
-	return 0
-}
-
-# bool run_start(char *iface)
-#
-# Brings up ${IFACE}.  Calls preup, iface_start, then postup.
-# Returns 0 (success) unless preup or iface_start returns 1 (failure).
-# Ignores the return value from postup.
-# We cannot check that the device exists ourselves as modules like
-# tuntap make create it.
-run_start() {
-	local iface="$1" IFVAR=$(bash_variable "$1")
-
-	# We do this so users can specify additional addresses for lo if they
-	# need too - additional routes too
-	# However, no extra modules are loaded as they are just not needed
-	if [[ ${iface} == "lo" ]] ; then
-		metric_lo="0"
-		config_lo=( "127.0.0.1/8 brd 127.255.255.255" "${config_lo[@]}" )
-		routes_lo=( "127.0.0.0/8" "${routes_lo[@]}" )
-	elif [[ ${iface} == "lo0" ]] ; then
-		metric_lo0="0"
-		config_lo0=( "127.0.0.1/8 brd 127.255.255.255" "${config_lo[@]}" )
-		routes_lo0=( "127.0.0.0/8" "${routes_lo[@]}" )
-	fi
-
-	# We may not have a loaded module for ${iface}
-	# Some users may have "alias natsemi eth0" in /etc/modules.d/foo
-	# so we can work with this
-	# However, if they do the same with eth1 and try to start it
-	# but eth0 has not been loaded then the module gets loaded as
-	# eth0.
-	# Not much we can do about this :(
-	# Also, we cannot error here as some modules - such as bridge
-	# create interfaces
-	if ! interface_exists "${iface}" ; then
-		/sbin/modprobe "${iface}" &>/dev/null
-	fi
-
-	# Call user-defined preup function if it exists
-	if is_function preup ; then
-		einfo "Running preup function"
-		eindent
-		( preup "${iface}" )
-		eend "$?" "preup ${iface} failed" || return 1
-		eoutdent
-	fi
-
-	# If config is set to noop and the interface is up with an address
-	# then we don't start it
-	local config=
-	config="config_${IFVAR}[@]"
-	config=( "${!config}" )
-	if [[ ${config[0]} == "noop" ]] && interface_is_up "${iface}" true ; then
-		einfo "Keeping current configuration for ${iface}"
-		eend 0
-	else
-		# Remove noop from the config var
-		[[ ${config[0]} == "noop" ]] \
-			&& eval "config_${IFVAR}=( "\"\$\{config\[@\]:1\}\"" )"
-
-		# There may be existing ip address info - so we strip it
-		if [[ ${RC_INTERFACE_KEEP_CONFIG} != "yes" \
-			&& ${IN_BACKGROUND} != "true" ]] ; then
-			interface_del_addresses "${iface}"
-		fi
-
-		# Start the interface
-		if ! iface_start "${iface}" ; then
-			if [[ ${IN_BACKGROUND} != "true" ]] ; then
-				interface_exists "${iface}" && interface_down "${iface}"
-			fi
-			eend 1
-			return 1
-		fi
-	fi
-
-	# Call user-defined postup function if it exists
-	if is_function postup ; then
-		# We need to mark the service as started incase a
-		# postdown function wants to restart services that depend on us
-		mark_service_started "net.${iface}"
-		end_service "net.${iface}" 0
-		einfo "Running postup function"
-		eindent
-		( postup "${iface}" )
-		eoutdent
-	fi
-
-	return 0
-}
-
-# bool run_stop(char *iface) {
-#
-# Brings down ${iface}.  If predown call returns non-zero, then
-# stop returns non-zero to indicate failure bringing down device.
-# In all other cases stop returns 0 to indicate success.
-run_stop() {
-	local iface="$1" IFVAR=$(bash_variable "$1") x
-
-	# Load our ESSID variable so users can use it in predown() instead
-	# of having to write code.
-	local ESSID=$(get_options ESSID) ESSIDVAR=
-	[[ -n ${ESSID} ]] && ESSIDVAR=$(bash_variable "${ESSID}")
-
-	# Call user-defined predown function if it exists
-	if is_function predown ; then
-		einfo "Running predown function"
-		eindent
-		( predown "${iface}" )
-		eend $? "predown ${iface} failed" || return 1
-		eoutdent
-	elif is_net_fs / ; then
-		eerror "root filesystem is network mounted -- can't stop ${iface}"
-		return 1
-	elif is_union_fs / ; then
-		for x in $(unionctl "${dir}" --list \
-		| sed -e 's/^\(.*\) .*/\1/') ; do
-			if is_net_fs "${x}" ; then
-				eerror "Part of the root filesystem is network mounted - cannot stop ${iface}"
-				return 1
-			fi
-		done
-	fi
-
-	iface_stop "${iface}" || return 1  # always succeeds, btw
-
-	# Release resolv.conf information.
-	[[ -x /sbin/resolvconf ]] && resolvconf -d "${iface}"
-	
-	# Mark us as inactive if called from the background
-	[[ ${IN_BACKGROUND} == "true" ]] && mark_service_inactive "net.${iface}"
-
-	# Call user-defined postdown function if it exists
-	if is_function postdown ; then
-		# We need to mark the service as stopped incase a
-		# postdown function wants to restart services that depend on us
-		[[ ${IN_BACKGROUND} != "true" ]] && mark_service_stopped "net.${iface}"
-		end_service "net.${iface}" 0
-		einfo "Running postdown function"
-		eindent
-		( postdown "${iface}" )
-		eoutdent
-	fi
-
-
-	return 0
-}
-
-# bool run(char *iface, char *cmd)
-#
-# Main start/stop entry point
-# We load modules here and remove any functions that they
-# added as we may be called inside the same shell scope for another interface
-run() {
-	local iface="$1" cmd="$2" r=1 RC_INDENTATION="${RC_INDENTATION}"
-	local starting=true
-	local -a MODULES=() mods=()
-	local IN_BACKGROUND="${IN_BACKGROUND}"
-
-	if [[ ${IN_BACKGROUND} == "true" || ${IN_BACKGROUND} == "1" ]] ; then
-		IN_BACKGROUND=true
-	else
-		IN_BACKGROUND=false
-	fi
-
-	# We need to override the exit function as runscript.sh now checks
-	# for it. We need it so we can mark the service as inactive ourselves.
-	unset -f exit
-
-	eindent
-	[[ ${cmd} == "stop" ]] && starting=false
-
-	# We force lo to only use these modules for a major speed boost
-	if is_loopback "${iface}" ; then	
-		modules_force=( "iproute2" "ifconfig" "system" )
-	fi
-
-	if modules_load "${iface}" "${starting}" ; then
-		if [[ ${cmd} == "stop" ]] ; then
-			# Reverse the module list for stopping
-			mods=( "${MODULES[@]}" )
-			for ((i = 0; i < ${#mods[@]}; i++)); do
-				MODULES[i]=${mods[((${#mods[@]} - i - 1))]}
-			done
-
-			run_stop "${iface}" && r=0
-		else
-			# Only hotplug on ethernet interfaces
-			if [[ ${IN_HOTPLUG} == 1 ]] ; then
-				if ! interface_is_ethernet "${iface}" ; then
-					eerror "We only hotplug for ethernet interfaces"
-					return 1
-				fi
-			fi
-
-			run_start "${iface}" && r=0
-		fi
-	fi
-
-	if [[ ${r} != "0" ]] ; then
-		if [[ ${cmd} == "start" ]] ; then
-			# Call user-defined failup if it exists
-			if is_function failup ; then
-				einfo "Running failup function"
-				eindent
-				( failup "${iface}" )
-				eoutdent
-			fi
-		else
-			# Call user-defined faildown if it exists
-			if is_function faildown ; then
-				einfo "Running faildown function"
-				eindent
-				( faildown "${iface}" )
-				eoutdent
-			fi
-		fi
-		[[ ${IN_BACKGROUND} == "true" ]] \
-			&& mark_service_inactive "net.${iface}"
-	fi
-
-	return "${r}"
-}
-
-# bool start(void)
-#
-# Start entry point so that we only have one function
-# which localises variables and unsets functions
-start() {
-	declare -r IFACE="${SVCNAME#*.}"
-	einfo "Starting ${IFACE}"
-	run "${IFACE}" start
-}
-
-# bool stop(void)
-#
-# Stop entry point so that we only have one function
-# which localises variables and unsets functions
-stop() {
-	declare -r IFACE="${SVCNAME#*.}"
-	einfo "Stopping ${IFACE}"
-	run "${IFACE}" stop
-}
-
-# vim:ts=4
diff --git a/testing/hosts/sun/etc/ipsec.conf b/testing/hosts/sun/etc/ipsec.conf
old mode 100755
new mode 100644
index 277928ec1..2f979f122
--- a/testing/hosts/sun/etc/ipsec.conf
+++ b/testing/hosts/sun/etc/ipsec.conf
@@ -7,20 +7,20 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
-	left=PH_IP_SUN
+	left=192.168.0.2
 	leftcert=sunCert.pem
 	leftid=@sun.strongswan.org
 	leftfirewall=yes
 
 conn net-net
 	leftsubnet=10.2.0.0/16
-	right=PH_IP_MOON
+	right=192.168.0.1
 	rightsubnet=10.1.0.0/16
 	rightid=@moon.strongswan.org
 	auto=add
 
 conn host-host
-	right=PH_IP_MOON
+	right=192.168.0.1
 	rightid=@moon.strongswan.org
 	auto=add
 
diff --git a/testing/hosts/sun/etc/network/interfaces b/testing/hosts/sun/etc/network/interfaces
new file mode 100644
index 000000000..841735af1
--- /dev/null
+++ b/testing/hosts/sun/etc/network/interfaces
@@ -0,0 +1,21 @@
+auto lo
+iface lo inet loopback
+
+auto eth0
+iface eth0 inet static
+	address 192.168.0.2
+	netmask 255.255.255.0
+	broadcast 192.168.0.255
+	gateway 192.168.0.254
+iface eth0 inet6 static
+	address fec0::2
+	netmask 16
+
+auto eth1
+iface eth1 inet static
+	address 10.2.0.1
+	netmask 255.255.0.0
+	broadcast 10.2.255.255
+iface eth1 inet6 static
+	address fec2::1
+	netmask 16
diff --git a/testing/hosts/sun/etc/runlevels/default/net.eth0 b/testing/hosts/sun/etc/runlevels/default/net.eth0
deleted file mode 100755
index 92b3851cf..000000000
--- a/testing/hosts/sun/etc/runlevels/default/net.eth0
+++ /dev/null
@@ -1,1124 +0,0 @@
-#!/sbin/runscript
-# Copyright (c) 2004-2006 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-# Contributed by Roy Marples (uberlord@gentoo.org)
-# Many thanks to Aron Griffis (agriffis@gentoo.org)
-# for help, ideas and patches
-
-#NB: Config is in /etc/conf.d/net
-
-# For pcmcia users. note that pcmcia must be added to the same
-# runlevel as the net.* script that needs it.
-depend() {
-	need localmount
-	after bootmisc hostname
-	use isapnp isdn pcmcia usb wlan
-
-	# Load any custom depend functions for the given interface
-	# For example, br0 may need eth0 and eth1
-	local iface="${SVCNAME#*.}"
-	[[ $(type -t "depend_${iface}") == "function" ]] && depend_${iface}
-
-	if [[ ${iface} != "lo" && ${iface} != "lo0" ]] ; then
-		after net.lo net.lo0
-
-		# Support new style RC_NEED and RC_USE in one net file
-		local x="RC_NEED_${iface}"
-		[[ -n ${!x} ]] && need ${!x}
-		x="RC_USE_${iface}"
-		[[ -n ${!x} ]] && use ${!x}
-	fi
-
-	return 0
-}
-
-# Define where our modules are
-MODULES_DIR="${svclib}/net"
-
-# Make some wrappers to fudge after/before/need/use depend flags.
-# These are callbacks so MODULE will be set.
-after() {
-	eval "${MODULE}_after() { echo \"$*\"; }"
-}
-before() {
-	eval "${MODULE}_before() { echo \"$*\"; }"
-}
-need() {
-	eval "${MODULE}_need() { echo \"$*\"; }"
-}
-installed() {
-	# We deliberately misspell this as _installed will probably be used
-	# at some point
-	eval "${MODULE}_instlled() { echo \"$*\"; }"
-}
-provide() {
-	eval "${MODULE}_provide() { echo \"$*\"; }"
-}
-functions() {
-	eval "${MODULE}_functions() { echo \"$*\"; }"
-}
-variables() {
-	eval "${MODULE}_variables() { echo \"$*\"; }"
-}
-
-is_loopback() {
-	[[ $1 == "lo" || $1 == "lo0" ]]
-}
-
-# char* interface_device(char *iface)
-#
-# Gets the base device of the interface
-# Can handle eth0:1 and eth0.1
-# Which returns eth0 in this case
-interface_device() {
-	local dev="${1%%.*}"
-	[[ ${dev} == "$1" ]] && dev="${1%%:*}"
-	echo "${dev}"
-}
-
-# char* interface_type(char* iface)
-#
-# Returns the base type of the interface
-# eth, ippp, etc
-interface_type() {
-	echo "${1%%[0-9]*}"
-}
-
-# int calculate_metric(char *interface, int base)
-#
-# Calculates the best metric for the interface
-# We use this when we add routes so we can prefer interfaces over each other
-calculate_metric() {
-	local iface="$1" metric="$2"
-
-	# Have we already got a metric?
-	local m=$(awk '$1=="'${iface}'" && $2=="00000000" { print $7 }' \
-		/proc/net/route)
-	if [[ -n ${m} ]] ; then
-		echo "${m}"
-		return 0
-	fi
-
-	local i= dest= gw= flags= ref= u= m= mtu= metrics=
-	while read i dest gw flags ref u m mtu ; do
-		# Ignore lo
-		is_loopback "${i}" && continue
-		# We work out metrics from default routes only
-		[[ ${dest} != "00000000" || ${gw} == "00000000" ]] && continue
-		metrics="${metrics}\n${m}"
-	done < /proc/net/route
-
-	# Now, sort our metrics
-	metrics=$(echo -e "${metrics}" | sort -n)
-
-	# Now, find the lowest we can use
-	local gotbase=false
-	for m in ${metrics} ; do
-		[[ ${m} -lt ${metric} ]] && continue
-		[[ ${m} == ${metric} ]] && ((metric++))
-		[[ ${m} -gt ${metric} ]] && break
-	done
-	
-	echo "${metric}"
-}
-
-# int netmask2cidr(char *netmask)
-#
-# Returns the CIDR of a given netmask
-netmask2cidr() {
-	local binary= i= bin=
-
-	for i in ${1//./ }; do
-		bin=""
-		while [[ ${i} != "0" ]] ; do
-			bin=$[${i}%2]${bin}
-			(( i=i>>1 ))
-		done
-		binary="${binary}${bin}"
-	done
-	binary="${binary%%0*}"
-	echo "${#binary}"
-}
-
-
-# bool is_function(char* name)
-#
-# Returns 0 if the given name is a shell function, otherwise 1
-is_function() {
-	[[ -z $1 ]] && return 1
-	[[ $(type -t "$1") == "function" ]]
-}
-
-# void function_wrap(char* source, char* target)
-#
-# wraps function calls - for example function_wrap(this, that)
-# maps function names this_* to that_*
-function_wrap() {
-	local i=
-
-	is_function "${2}_depend" && return
-
-	for i in $(typeset -f | grep -o '^'"${1}"'_[^ ]*'); do
-		eval "${2}${i#${1}}() { ${i} \"\$@\"; }"
-	done
-}
-
-# char[] * expand_parameters(char *cmd)
-#
-# Returns an array after expanding parameters. For example
-# "192.168.{1..3}.{1..3}/24 brd +"
-# will return
-# "192.168.1.1/24 brd +"
-# "192.168.1.2/24 brd +"
-# "192.168.1.3/24 brd +"
-# "192.168.2.1/24 brd +"
-# "192.168.2.2/24 brd +"
-# "192.168.2.3/24 brd +"
-# "192.168.3.1/24 brd +"
-# "192.168.3.2/24 brd +"
-# "192.168.3.3/24 brd +"
-expand_parameters() {
-	local x=$(eval echo ${@// /_})
-	local -a a=( ${x} )
-
-	a=( "${a[@]/#/\"}" )
-	a=( "${a[@]/%/\"}" )
-	echo "${a[*]//_/ }"
-}
-
-# void configure_variables(char *interface, char *option1, [char *option2])
-#
-# Maps configuration options from <variable>_<option> to <variable>_<iface>
-# option2 takes precedence over option1
-configure_variables() {
-	local iface="$1" option1="$2" option2="$3"
-
-	local mod= func= x= i=
-	local -a ivars=() ovars1=() ovars2=()
-	local ifvar=$(bash_variable "${iface}")
-
-	for mod in ${MODULES[@]}; do
-		is_function ${mod}_variables || continue
-		for v in $(${mod}_variables) ; do
-			x=
-			[[ -n ${option2} ]] && x="${v}_${option2}[@]"
-			[[ -z ${!x} ]] && x="${v}_${option1}[@]"
-			[[ -n ${!x} ]] && eval "${v}_${ifvar}=( \"\${!x}\" )"
-		done
-	done
-
-	return 0
-}
-# bool module_load_minimum(char *module)
-#
-# Does the minimum checking on a module - even when forcing
-module_load_minimum() {
-	local f="$1.sh" MODULE="${1##*/}"
-
-	if [[ ! -f ${f} ]] ; then
-		eerror "${f} does not exist"
-		return 1
-	fi
-
-	if ! source "${f}" ; then
-		eerror "${MODULE} failed a sanity check"
-		return 1
-	fi
-
-	for f in depend; do
-		is_function "${MODULE}_${f}" && continue
-		eerror "${MODULE}.sh does not support the required function ${f}"
-		return 1
-	done
-
-	return 0
-}
-
-# bool modules_load_auto()
-#
-# Load and check each module for sanity
-# If the module is not installed, the functions are to be removed
-modules_load_auto() {
-	local i j inst
-
-	# Populate the MODULES array
-	# Basically we treat evey file in ${MODULES_DIR} as a module
-	MODULES=( $( cd "${MODULES_DIR}" ; ls *.sh ) )
-	j="${#MODULES[@]}"
-	for (( i=0; i<j; i++ )); do
-		MODULES[i]="${MODULES_DIR}/${MODULES[i]}"
-		[[ ! -f ${MODULES[i]} ]] && unset MODULES[i]
-	done
-	MODULES=( "${MODULES[@]}" )
-
-	# Each of these sources into the global namespace, so it's
-	# important that module functions and variables are prefixed with
-	# the module name, for example iproute2_
-
-	j="${#MODULES[@]}"
-	loaded_interface=false
-	for (( i=0; i<j; i++ )); do
-		MODULES[i]="${MODULES[i]%.sh*}"
-		if [[ ${MODULES[i]##*/} == "interface" ]] ; then
-			eerror "interface is a reserved name - cannot load a module called interface"
-			return 1
-		fi
-		
-		(
-		u=0;
-		module_load_minimum "${MODULES[i]}" || u=1;
-		if [[ ${u} == 0 ]] ; then
-			inst="${MODULES[i]##*/}_check_installed";
-			if is_function "${inst}" ; then
-				${inst} false || u=1;
-			fi
-		fi
-		exit "${u}";
-		)
-
-		if [[ $? == 0 ]] ; then
-			source "${MODULES[i]}.sh"
-			MODULES[i]="${MODULES[i]##*/}"
-		else
-			unset MODULES[i]
-		fi
-	done
-
-	MODULES=( "${MODULES[@]}" )
-	return 0
-}
-
-# bool modules_check_installed(void)
-#
-# Ensure that all modules have the required modules loaded
-# This enables us to remove modules from the MODULES array
-# Whilst other modules can still explicitly call them
-# One example of this is essidnet which configures network
-# settings for the specific ESSID connected to as the user
-# may be using a daemon to configure wireless instead of our
-# iwconfig module
-modules_check_installed() {
-	local i j missingdeps nmods="${#MODULES[@]}"
-
-	for (( i=0; i<nmods; i++ )); do
-		is_function "${MODULES[i]}_instlled" || continue
-		for j in $( ${MODULES[i]}_instlled ); do
-			missingdeps=true
-			if is_function "${j}_check_installed" ; then
-				${j}_check_installed && missingdeps=false
-			elif is_function "${j}_depend" ; then
-				missingdeps=false
-			fi
-			${missingdeps} && unset MODULES[i] && unset PROVIDES[i] && break
-		done
-	done
-
-	MODULES=( "${MODULES[@]}" )
-	PROVIDES=( "${PROVIDES[@]}" )
-}
-
-# bool modules_check_user(void)
-modules_check_user() {
-	local iface="$1" ifvar=$(bash_variable "${IFACE}")
-	local i= j= k= l= nmods="${#MODULES[@]}"
-	local -a umods=()
-
-	# Has the interface got any specific modules?
-	umods="modules_${ifvar}[@]"
-	umods=( "${!umods}" )
-
-	# Global setting follows interface-specific setting
-	umods=( "${umods[@]}" "${modules[@]}" )
-
-	# Add our preferred modules
-	local -a pmods=( "iproute2" "dhcpcd" "iwconfig" "netplugd" )
-	umods=( "${umods[@]}" "${pmods[@]}" )
-
-	# First we strip any modules that conflict from user settings
-	# So if the user specifies pump then we don't use dhcpcd
-	for (( i=0; i<${#umods[@]}; i++ )); do
-		# Some users will inevitably put "dhcp" in their modules
-		# list.  To keep users from screwing up their system this
-		# way, ignore this setting so that the default dhcp
-		# module will be used.
-		[[ ${umods[i]} == "dhcp" ]] && continue
-
-		# We remove any modules we explicitly don't want
-		if [[ ${umods[i]} == "!"* ]] ; then
-			for (( j=0; j<nmods; j++ )); do
-				[[ -z ${MODULES[j]} ]] && continue
-				if [[ ${umods[i]:1} == "${MODULES[j]}" \
-					|| ${umods[i]:1} == "${PROVIDES[j]}" ]] ; then
-					# We may need to setup a class wrapper for it even though
-					# we don't use it directly
-					# However, we put it into an array and wrap later as
-					# another module may provide the same thing
-					${MODULES[j]}_check_installed \
-						&& WRAP_MODULES=(
-							"${WRAP_MODULES[@]}"
-							"${MODULES[j]} ${PROVIDES[j]}"
-						)
-					unset MODULES[j]
-					unset PROVIDES[j]
-				fi
-			done
-			continue
-		fi
-
-		if ! is_function "${umods[i]}_depend" ; then
-			# If the module is one of our preferred modules, then
-			# ignore this error; whatever is available will be
-			# used instead.
-			(( i < ${#umods[@]} - ${#pmods[@]} )) || continue
-
-			# The function may not exist because the modules software is
-			# not installed. Load the module and report its error
-			if [[ -e "${MODULES_DIR}/${umods[i]}.sh" ]] ; then
-				source "${MODULES_DIR}/${umods[i]}.sh"
-				is_function "${umods[i]}_check_installed" \
-					&& ${umods[i]}_check_installed true
-			else
-				eerror "The module \"${umods[i]}\" does not exist"
-			fi
-			return 1
-		fi
-
-		if is_function "${umods[i]}_provide" ; then
-			mod=$(${umods[i]}_provide)
-		else
-			mod="${umods[i]}"
-		fi
-		for (( j=0; j<nmods; j++ )); do
-			[[ -z ${MODULES[j]} ]] && continue
-			if [[ ${PROVIDES[j]} == "${mod}" && ${umods[i]} != "${MODULES[j]}" ]] ; then
-				# We don't have a match - now ensure that we still provide an
-				# alternative. This is to handle our preferred modules.
-				for (( l=0; l<nmods; l++ )); do
-					[[ ${l} == "${j}" || -z ${MODULES[l]} ]] && continue
-					if [[ ${PROVIDES[l]} == "${mod}" ]] ; then
-						unset MODULES[j]
-						unset PROVIDES[j]
-						break
-					fi
-				done
-			fi
-		done
-	done
-
-	# Then we strip conflicting modules.
-	# We only need to do this for 3rd party modules that conflict with
-	# our own modules and the preferred list AND the user modules
-	# list doesn't specify a preference.
-	for (( i=0; i<nmods-1; i++ )); do
-		[[ -z ${MODULES[i]} ]] && continue			
-		for (( j=i+1; j<nmods; j++)); do
-			[[ -z ${MODULES[j]} ]] && continue
-			[[ ${PROVIDES[i]} == "${PROVIDES[j]}" ]] \
-			&& unset MODULES[j] && unset PROVIDES[j]
-		done
-	done
-
-	MODULES=( "${MODULES[@]}" )
-	PROVIDES=( "${PROVIDES[@]}" )
-	return 0
-}
-
-# void modules_sort(void)
-#
-# Sort our modules
-modules_sort() {
-	local i= j= nmods=${#MODULES[@]} m=
-	local -a provide=() provide_list=() after=() dead=() sorted=() sortedp=()
-
-	# Make our provide list
-	for ((i=0; i<nmods; i++)); do
-		dead[i]="false"
-		if [[ ${MODULES[i]} != "${PROVIDES[i]}" ]] ; then
-			local provided=false
-			for ((j=0; j<${#provide[@]}; j++)); do
-				if [[ ${provide[j]} == "${PROVIDES[i]}" ]] ; then
-					provide_list[j]="${provide_list[j]} ${MODULES[i]}"
-					provided=true
-				fi
-			done
-			if ! ${provided}; then
-				provide[j]="${PROVIDES[i]}"
-				provide_list[j]="${MODULES[i]}"
-			fi
-		fi
-	done
-
-	# Create an after array, which holds which modules the module at
-	# index i must be after
-	for ((i=0; i<nmods; i++)); do
-		if is_function "${MODULES[i]}_after" ; then
-			after[i]=" ${after[i]} $(${MODULES[i]}_after) "
-		fi
-		if is_function "${MODULES[i]}_before" ; then
-			for m in $(${MODULES[i]}_before); do
-				for ((j=0; j<nmods; j++)) ; do
-					if [[ ${PROVIDES[j]} == "${m}" ]] ; then
-						after[j]=" ${after[j]} ${MODULES[i]} "
-						break
-					fi
-				done
-			done
-		fi
-	done
-
-	# Replace the after list modules with real modules
-	for ((i=0; i<nmods; i++)); do
-		if [[ -n ${after[i]} ]] ; then
-			for ((j=0; j<${#provide[@]}; j++)); do
-				after[i]="${after[i]// ${provide[j]} / ${provide_list[j]} }"
-			done
-		fi
-	done
-	
-	# We then use the below code to provide a topologial sort
-    module_after_visit() {
-        local name="$1" i= x=
-
-		for ((i=0; i<nmods; i++)); do
-			[[ ${MODULES[i]} == "$1" ]] && break
-		done
-
-        ${dead[i]} && return
-        dead[i]="true"
-
-        for x in ${after[i]} ; do
-            module_after_visit "${x}"
-        done
-
-        sorted=( "${sorted[@]}" "${MODULES[i]}" )
-		sortedp=( "${sortedp[@]}" "${PROVIDES[i]}" )
-    }
-
-	for x in ${MODULES[@]}; do
-		module_after_visit "${x}"
-	done
-
-	MODULES=( "${sorted[@]}" )
-	PROVIDES=( "${sortedp[@]}" )
-}
-
-# bool modules_check_depends(bool showprovides)
-modules_check_depends() {
-	local showprovides="${1:-false}" nmods="${#MODULES[@]}" i= j= needmod=
-	local missingdeps= p= interface=false
-
-	for (( i=0; i<nmods; i++ )); do
-		if is_function "${MODULES[i]}_need" ; then
-			for needmod in $(${MODULES[i]}_need); do
-				missingdeps=true
-				for (( j=0; j<nmods; j++ )); do
-					if [[ ${needmod} == "${MODULES[j]}" \
-						|| ${needmod} == "${PROVIDES[j]}" ]] ; then
-						missingdeps=false
-						break
-					fi
-				done
-				if ${missingdeps} ; then
-					eerror "${MODULES[i]} needs ${needmod} (dependency failure)"
-					return 1
-				fi
-			done
-		fi
-
-		if is_function "${MODULES[i]}_functions" ; then
-			for f in $(${MODULES[i]}_functions); do
-				if ! is_function "${f}" ; then
-					eerror "${MODULES[i]}: missing required function \"${f}\""
-					return 1
-				fi
-			done
-		fi
-
-		[[ ${PROVIDES[i]} == "interface" ]] && interface=true
-
-		if ${showprovides} ; then
-			[[ ${PROVIDES[i]} != "${MODULES[i]}" ]] \
-			&& veinfo "${MODULES[i]} provides ${PROVIDES[i]}"
-		fi
-	done
-
-	if ! ${interface} ; then
-		eerror "no interface module has been loaded"
-		return 1
-	fi
-
-	return 0
-}
-
-# bool modules_load(char *iface, bool starting)
-#
-# Loads the defined handler and modules for the interface
-# Returns 0 on success, otherwise 1
-modules_load()  {
-	local iface="$1" starting="${2:-true}" MODULE= p=false i= j= k=
-	local -a x=()
-	local RC_INDENTATION="${RC_INDENTATION}"
-	local -a PROVIDES=() WRAP_MODULES=()
-
-	if ! is_loopback "${iface}" ; then
-		x="modules_force_${iface}[@]"
-		[[ -n ${!x} ]] && modules_force=( "${!x}" )
-		if [[ -n ${modules_force} ]] ; then
-			ewarn "WARNING: You are forcing modules!"
-			ewarn "Do not complain or file bugs if things start breaking"
-			report=true
-		fi
-	fi
-
-	veinfo "Loading networking modules for ${iface}"
-	eindent
-
-	if [[ -z ${modules_force} ]] ; then
-		modules_load_auto || return 1
-	else
-		j="${#modules_force[@]}"
-		for (( i=0; i<j; i++ )); do
-			module_load_minimum "${MODULES_DIR}/${modules_force[i]}" || return 1
-			if is_function "${modules_force[i]}_check_installed" ; then
-				${modules_force[i]}_check_installed || unset modules_force[i]
-			fi
-		done
-		MODULES=( "${modules_force[@]}" )
-	fi
-
-	j="${#MODULES[@]}"
-	for (( i=0; i<j; i++ )); do
-		# Now load our dependencies - we need to use the MODULE variable
-		# here as the after/before/need functions use it
-		MODULE="${MODULES[i]}"
-		${MODULE}_depend
-
-		# expose does exactly the same thing as depend
-		# However it is more "correct" as it exposes things to other modules
-		# instead of depending on them ;)
-		is_function "${MODULES[i]}_expose" && ${MODULES[i]}_expose
-
-		# If no provide is given, assume module name
-		if is_function "${MODULES[i]}_provide" ; then
-			PROVIDES[i]=$(${MODULES[i]}_provide)
-		else
-			PROVIDES[i]="${MODULES[i]}"
-		fi
-	done
-
-	if [[ -n ${modules_force[@]} ]] ; then
-		# Strip any duplicate modules providing the same thing
-		j="${#MODULES[@]}"
-		for (( i=0; i<j-1; i++ )); do
-			[[ -z ${MODULES[i]} ]] && continue
-			for (( k=i+1; k<j; k++ )); do
-				if [[ ${PROVIDES[i]} == ${PROVIDES[k]} ]] ; then
-					unset MODULES[k]
-					unset PROVIDES[k]
-				fi
-			done
-		done
-		MODULES=( "${MODULES[@]}" )
-		PROVIDES=( "${PROVIDES[@]}" )
-	else
-		if ${starting}; then
-			modules_check_user "${iface}" || return 1
-		else
-			# Always prefer iproute2 for taking down interfaces
-			if is_function iproute2_provide ; then
-				function_wrap iproute2 "$(iproute2_provide)"
-			fi
-		fi
-	fi
-	
-	# Wrap our modules
-	j="${#MODULES[@]}"
-	for (( i=0; i<j; i++ )); do
-		function_wrap "${MODULES[i]}" "${PROVIDES[i]}"
-	done
-	j="${#WRAP_MODULES[@]}"
-	for (( i=0; i<j; i++ )); do
-		function_wrap ${WRAP_MODULES[i]}
-	done
-	
-	if [[ -z ${modules_force[@]} ]] ; then
-		modules_check_installed || return 1
-		modules_sort || return 1
-	fi
-
-	veinfo "modules: ${MODULES[@]}"
-	eindent
-
-	${starting} && p=true
-	modules_check_depends "${p}" || return 1
-	return 0
-}
-
-# bool iface_start(char *interface)
-#
-# iface_start is called from start.  It's expected to start the base
-# interface (for example "eth0"), aliases (for example "eth0:1") and to start
-# VLAN interfaces (for example eth0.0, eth0.1).  VLAN setup is accomplished by
-# calling itself recursively.
-iface_start() {
-	local iface="$1" mod config_counter="-1" x config_worked=false
-	local RC_INDENTATION="${RC_INDENTATION}"
-	local -a config=() fallback=() fallback_route=() conf=() a=() b=()
-	local ifvar=$(bash_variable "$1") i= j= metric=0
-
-	# pre Start any modules with
-	for mod in ${MODULES[@]}; do
-		if is_function "${mod}_pre_start" ; then
-			${mod}_pre_start "${iface}" || { eend 1; return 1; }
-		fi
-	done
-
-	x="metric_${ifvar}"
-	# If we don't have a metric then calculate one
-	# Our modules will set the metric variable to a suitable base
-	# in their pre starts.
-	if [[ -z ${!x} ]] ; then
-		eval "metric_${ifvar}=\"$(calculate_metric "${iface}" "${metric}")\""
-	fi
-
-	# We now expand the configuration parameters and pray that the
-	# fallbacks expand to the same number as config or there will be
-	# trouble!
-	a="config_${ifvar}[@]"
-	a=( "${!a}" )
-	for (( i=0; i<${#a[@]}; i++ )); do 
-		eval b=( $(expand_parameters "${a[i]}") )
-		config=( "${config[@]}" "${b[@]}" )
-	done
-
-	a="fallback_${ifvar}[@]"
-	a=( "${!a}" )
-	for (( i=0; i<${#a[@]}; i++ )); do 
-		eval b=( $(expand_parameters "${a[i]}") )
-		fallback=( "${fallback[@]}" "${b[@]}" )
-	done
-
-	# We don't expand routes
-	fallback_route="fallback_route_${ifvar}[@]"
-	fallback_route=( "${!fallback_route}" )
-	
-	# We must support old configs
-	if [[ -z ${config} ]] ; then
-		interface_get_old_config "${iface}" || return 1
-		if [[ -n ${config} ]] ; then
-			ewarn "You are using a deprecated configuration syntax for ${iface}"
-			ewarn "You are advised to read /etc/conf.d/net.example and upgrade it accordingly"
-		fi
-	fi
-
-	# Handle "noop" correctly
-	if [[ ${config[0]} == "noop" ]] ; then
-		if interface_is_up "${iface}" true ; then
-			einfo "Keeping current configuration for ${iface}"
-			eend 0
-			return 0
-		fi
-
-		# Remove noop from the config var
-		config=( "${config[@]:1}" )
-	fi
-
-	# Provide a default of DHCP if no configuration is set and we're auto
-	# Otherwise a default of NULL
-	if [[ -z ${config} ]] ; then
-		ewarn "Configuration not set for ${iface} - assuming DHCP"
-		if is_function "dhcp_start" ; then
-			config=( "dhcp" )
-		else
-			eerror "No DHCP client installed"
-			return 1
-		fi
-	fi
-
-	einfo "Bringing up ${iface}"
-	eindent
-	for (( config_counter=0; config_counter<${#config[@]}; config_counter++ )); do
-		# Handle null and noop correctly
-		if [[ ${config[config_counter]} == "null" \
-			|| ${config[config_counter]} == "noop" ]] ; then
-			eend 0
-			config_worked=true
-			continue
-		fi
-
-		# We convert it to an array - this has the added
-		# bonus of trimming spaces!
-		conf=( ${config[config_counter]} )
-		einfo "${conf[0]}"
-
-		# Do we have a function for our config?
-		if is_function "${conf[0]}_start" ; then
-			eindent
-			${conf[0]}_start "${iface}" ; x=$?
-			eoutdent
-			[[ ${x} == 0 ]] && config_worked=true && continue
-			# We need to test to see if it's an IP address or a function
-			# We do this by testing if the 1st character is a digit
-		elif [[ ${conf[0]:0:1} == [[:digit:]] || ${conf[0]} == *:* ]] ; then
-			x="0"
-			if ! is_loopback "${iface}" ; then
-				if [[ " ${MODULES[@]} " == *" arping "* ]] ; then
-					if arping_address_exists "${iface}" "${conf[0]}" ; then
-						eerror "${conf[0]%%/*} already taken on ${iface}"
-						x="1"
-					fi
-				fi
-			fi
-			[[ ${x} == "0" ]] && interface_add_address "${iface}" ${conf[@]}; x="$?"
-			eend "${x}" && config_worked=true && continue
-		else
-			if [[ ${conf[0]} == "dhcp" ]] ; then
-				eerror "No DHCP client installed"
-			else
-				eerror "No loaded modules provide \"${conf[0]}\" (${conf[0]}_start)"
-			fi
-		fi
-
-		if [[ -n ${fallback[config_counter]} ]] ; then
-			einfo "Trying fallback configuration"
-			config[config_counter]="${fallback[config_counter]}"
-			fallback[config_counter]=""
-
-			# Do we have a fallback route?
-			if [[ -n ${fallback_route[config_counter]} ]] ; then
-				x="fallback_route[config_counter]"
-				eval "routes_${ifvar}=( \"\${!x}\" )"
-				fallback_route[config_counter]=""
-			fi
-
-			(( config_counter-- )) # since the loop will increment it
-			continue
-		fi
-	done
-	eoutdent
-
-	# We return failure if no configuration parameters worked
-	${config_worked} || return 1
-
-	# Start any modules with _post_start
-	for mod in ${MODULES[@]}; do
-		if is_function "${mod}_post_start" ; then
-			${mod}_post_start "${iface}" || return 1
-		fi
-	done
-
-	return 0
-}
-
-# bool iface_stop(char *interface)
-#
-# iface_stop: bring down an interface.  Don't trust information in
-# /etc/conf.d/net since the configuration might have changed since
-# iface_start ran.  Instead query for current configuration and bring
-# down the interface.
-iface_stop() {
-	local iface="$1" i= aliases= need_begin=false mod=
-	local RC_INDENTATION="${RC_INDENTATION}"
-
-	# pre Stop any modules
-	for mod in ${MODULES[@]}; do
-		if is_function "${mod}_pre_stop" ; then
-			${mod}_pre_stop "${iface}" || return 1
-		fi
-	done
-
-	einfo "Bringing down ${iface}"
-	eindent
-
-	# Collect list of aliases for this interface.
-	# List will be in reverse order.
-	if interface_exists "${iface}" ; then
-		aliases=$(interface_get_aliases_rev "${iface}")
-	fi
-
-	# Stop aliases before primary interface.
-	# Note this must be done in reverse order, since ifconfig eth0:1 
-	# will remove eth0:2, etc.  It might be sufficient to simply remove 
-	# the base interface but we're being safe here.
-	for i in ${aliases} ${iface}; do
-		# Stop all our modules
-		for mod in ${MODULES[@]}; do
-			if is_function "${mod}_stop" ; then
-				${mod}_stop "${i}" || return 1
-			fi
-		done
-
-		# A module may have removed the interface
-		if ! interface_exists "${iface}" ; then
-			eend 0
-			continue
-		fi
-
-		# We don't delete ppp assigned addresses
-		if ! is_function pppd_exists || ! pppd_exists "${i}" ; then
-			# Delete all the addresses for this alias
-			interface_del_addresses "${i}"
-		fi
-
-		# Do final shut down of this alias
-		if [[ ${IN_BACKGROUND} != "true" \
-			&& ${RC_DOWN_INTERFACE} == "yes" ]] ; then
-			ebegin "Shutting down ${i}"
-			interface_iface_stop "${i}"
-			eend "$?"
-		fi
-	done
-
-	# post Stop any modules
-	for mod in ${MODULES[@]}; do
-		# We have already taken down the interface, so no need to error
-		is_function "${mod}_post_stop" && ${mod}_post_stop "${iface}"
-	done
-
-	return 0
-}
-
-# bool run_start(char *iface)
-#
-# Brings up ${IFACE}.  Calls preup, iface_start, then postup.
-# Returns 0 (success) unless preup or iface_start returns 1 (failure).
-# Ignores the return value from postup.
-# We cannot check that the device exists ourselves as modules like
-# tuntap make create it.
-run_start() {
-	local iface="$1" IFVAR=$(bash_variable "$1")
-
-	# We do this so users can specify additional addresses for lo if they
-	# need too - additional routes too
-	# However, no extra modules are loaded as they are just not needed
-	if [[ ${iface} == "lo" ]] ; then
-		metric_lo="0"
-		config_lo=( "127.0.0.1/8 brd 127.255.255.255" "${config_lo[@]}" )
-		routes_lo=( "127.0.0.0/8" "${routes_lo[@]}" )
-	elif [[ ${iface} == "lo0" ]] ; then
-		metric_lo0="0"
-		config_lo0=( "127.0.0.1/8 brd 127.255.255.255" "${config_lo[@]}" )
-		routes_lo0=( "127.0.0.0/8" "${routes_lo[@]}" )
-	fi
-
-	# We may not have a loaded module for ${iface}
-	# Some users may have "alias natsemi eth0" in /etc/modules.d/foo
-	# so we can work with this
-	# However, if they do the same with eth1 and try to start it
-	# but eth0 has not been loaded then the module gets loaded as
-	# eth0.
-	# Not much we can do about this :(
-	# Also, we cannot error here as some modules - such as bridge
-	# create interfaces
-	if ! interface_exists "${iface}" ; then
-		/sbin/modprobe "${iface}" &>/dev/null
-	fi
-
-	# Call user-defined preup function if it exists
-	if is_function preup ; then
-		einfo "Running preup function"
-		eindent
-		( preup "${iface}" )
-		eend "$?" "preup ${iface} failed" || return 1
-		eoutdent
-	fi
-
-	# If config is set to noop and the interface is up with an address
-	# then we don't start it
-	local config=
-	config="config_${IFVAR}[@]"
-	config=( "${!config}" )
-	if [[ ${config[0]} == "noop" ]] && interface_is_up "${iface}" true ; then
-		einfo "Keeping current configuration for ${iface}"
-		eend 0
-	else
-		# Remove noop from the config var
-		[[ ${config[0]} == "noop" ]] \
-			&& eval "config_${IFVAR}=( "\"\$\{config\[@\]:1\}\"" )"
-
-		# There may be existing ip address info - so we strip it
-		if [[ ${RC_INTERFACE_KEEP_CONFIG} != "yes" \
-			&& ${IN_BACKGROUND} != "true" ]] ; then
-			interface_del_addresses "${iface}"
-		fi
-
-		# Start the interface
-		if ! iface_start "${iface}" ; then
-			if [[ ${IN_BACKGROUND} != "true" ]] ; then
-				interface_exists "${iface}" && interface_down "${iface}"
-			fi
-			eend 1
-			return 1
-		fi
-	fi
-
-	# Call user-defined postup function if it exists
-	if is_function postup ; then
-		# We need to mark the service as started incase a
-		# postdown function wants to restart services that depend on us
-		mark_service_started "net.${iface}"
-		end_service "net.${iface}" 0
-		einfo "Running postup function"
-		eindent
-		( postup "${iface}" )
-		eoutdent
-	fi
-
-	return 0
-}
-
-# bool run_stop(char *iface) {
-#
-# Brings down ${iface}.  If predown call returns non-zero, then
-# stop returns non-zero to indicate failure bringing down device.
-# In all other cases stop returns 0 to indicate success.
-run_stop() {
-	local iface="$1" IFVAR=$(bash_variable "$1") x
-
-	# Load our ESSID variable so users can use it in predown() instead
-	# of having to write code.
-	local ESSID=$(get_options ESSID) ESSIDVAR=
-	[[ -n ${ESSID} ]] && ESSIDVAR=$(bash_variable "${ESSID}")
-
-	# Call user-defined predown function if it exists
-	if is_function predown ; then
-		einfo "Running predown function"
-		eindent
-		( predown "${iface}" )
-		eend $? "predown ${iface} failed" || return 1
-		eoutdent
-	elif is_net_fs / ; then
-		eerror "root filesystem is network mounted -- can't stop ${iface}"
-		return 1
-	elif is_union_fs / ; then
-		for x in $(unionctl "${dir}" --list \
-		| sed -e 's/^\(.*\) .*/\1/') ; do
-			if is_net_fs "${x}" ; then
-				eerror "Part of the root filesystem is network mounted - cannot stop ${iface}"
-				return 1
-			fi
-		done
-	fi
-
-	iface_stop "${iface}" || return 1  # always succeeds, btw
-
-	# Release resolv.conf information.
-	[[ -x /sbin/resolvconf ]] && resolvconf -d "${iface}"
-	
-	# Mark us as inactive if called from the background
-	[[ ${IN_BACKGROUND} == "true" ]] && mark_service_inactive "net.${iface}"
-
-	# Call user-defined postdown function if it exists
-	if is_function postdown ; then
-		# We need to mark the service as stopped incase a
-		# postdown function wants to restart services that depend on us
-		[[ ${IN_BACKGROUND} != "true" ]] && mark_service_stopped "net.${iface}"
-		end_service "net.${iface}" 0
-		einfo "Running postdown function"
-		eindent
-		( postdown "${iface}" )
-		eoutdent
-	fi
-
-
-	return 0
-}
-
-# bool run(char *iface, char *cmd)
-#
-# Main start/stop entry point
-# We load modules here and remove any functions that they
-# added as we may be called inside the same shell scope for another interface
-run() {
-	local iface="$1" cmd="$2" r=1 RC_INDENTATION="${RC_INDENTATION}"
-	local starting=true
-	local -a MODULES=() mods=()
-	local IN_BACKGROUND="${IN_BACKGROUND}"
-
-	if [[ ${IN_BACKGROUND} == "true" || ${IN_BACKGROUND} == "1" ]] ; then
-		IN_BACKGROUND=true
-	else
-		IN_BACKGROUND=false
-	fi
-
-	# We need to override the exit function as runscript.sh now checks
-	# for it. We need it so we can mark the service as inactive ourselves.
-	unset -f exit
-
-	eindent
-	[[ ${cmd} == "stop" ]] && starting=false
-
-	# We force lo to only use these modules for a major speed boost
-	if is_loopback "${iface}" ; then	
-		modules_force=( "iproute2" "ifconfig" "system" )
-	fi
-
-	if modules_load "${iface}" "${starting}" ; then
-		if [[ ${cmd} == "stop" ]] ; then
-			# Reverse the module list for stopping
-			mods=( "${MODULES[@]}" )
-			for ((i = 0; i < ${#mods[@]}; i++)); do
-				MODULES[i]=${mods[((${#mods[@]} - i - 1))]}
-			done
-
-			run_stop "${iface}" && r=0
-		else
-			# Only hotplug on ethernet interfaces
-			if [[ ${IN_HOTPLUG} == 1 ]] ; then
-				if ! interface_is_ethernet "${iface}" ; then
-					eerror "We only hotplug for ethernet interfaces"
-					return 1
-				fi
-			fi
-
-			run_start "${iface}" && r=0
-		fi
-	fi
-
-	if [[ ${r} != "0" ]] ; then
-		if [[ ${cmd} == "start" ]] ; then
-			# Call user-defined failup if it exists
-			if is_function failup ; then
-				einfo "Running failup function"
-				eindent
-				( failup "${iface}" )
-				eoutdent
-			fi
-		else
-			# Call user-defined faildown if it exists
-			if is_function faildown ; then
-				einfo "Running faildown function"
-				eindent
-				( faildown "${iface}" )
-				eoutdent
-			fi
-		fi
-		[[ ${IN_BACKGROUND} == "true" ]] \
-			&& mark_service_inactive "net.${iface}"
-	fi
-
-	return "${r}"
-}
-
-# bool start(void)
-#
-# Start entry point so that we only have one function
-# which localises variables and unsets functions
-start() {
-	declare -r IFACE="${SVCNAME#*.}"
-	einfo "Starting ${IFACE}"
-	run "${IFACE}" start
-}
-
-# bool stop(void)
-#
-# Stop entry point so that we only have one function
-# which localises variables and unsets functions
-stop() {
-	declare -r IFACE="${SVCNAME#*.}"
-	einfo "Stopping ${IFACE}"
-	run "${IFACE}" stop
-}
-
-# vim:ts=4
diff --git a/testing/hosts/sun/etc/runlevels/default/net.eth1 b/testing/hosts/sun/etc/runlevels/default/net.eth1
deleted file mode 100755
index 92b3851cf..000000000
--- a/testing/hosts/sun/etc/runlevels/default/net.eth1
+++ /dev/null
@@ -1,1124 +0,0 @@
-#!/sbin/runscript
-# Copyright (c) 2004-2006 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-# Contributed by Roy Marples (uberlord@gentoo.org)
-# Many thanks to Aron Griffis (agriffis@gentoo.org)
-# for help, ideas and patches
-
-#NB: Config is in /etc/conf.d/net
-
-# For pcmcia users. note that pcmcia must be added to the same
-# runlevel as the net.* script that needs it.
-depend() {
-	need localmount
-	after bootmisc hostname
-	use isapnp isdn pcmcia usb wlan
-
-	# Load any custom depend functions for the given interface
-	# For example, br0 may need eth0 and eth1
-	local iface="${SVCNAME#*.}"
-	[[ $(type -t "depend_${iface}") == "function" ]] && depend_${iface}
-
-	if [[ ${iface} != "lo" && ${iface} != "lo0" ]] ; then
-		after net.lo net.lo0
-
-		# Support new style RC_NEED and RC_USE in one net file
-		local x="RC_NEED_${iface}"
-		[[ -n ${!x} ]] && need ${!x}
-		x="RC_USE_${iface}"
-		[[ -n ${!x} ]] && use ${!x}
-	fi
-
-	return 0
-}
-
-# Define where our modules are
-MODULES_DIR="${svclib}/net"
-
-# Make some wrappers to fudge after/before/need/use depend flags.
-# These are callbacks so MODULE will be set.
-after() {
-	eval "${MODULE}_after() { echo \"$*\"; }"
-}
-before() {
-	eval "${MODULE}_before() { echo \"$*\"; }"
-}
-need() {
-	eval "${MODULE}_need() { echo \"$*\"; }"
-}
-installed() {
-	# We deliberately misspell this as _installed will probably be used
-	# at some point
-	eval "${MODULE}_instlled() { echo \"$*\"; }"
-}
-provide() {
-	eval "${MODULE}_provide() { echo \"$*\"; }"
-}
-functions() {
-	eval "${MODULE}_functions() { echo \"$*\"; }"
-}
-variables() {
-	eval "${MODULE}_variables() { echo \"$*\"; }"
-}
-
-is_loopback() {
-	[[ $1 == "lo" || $1 == "lo0" ]]
-}
-
-# char* interface_device(char *iface)
-#
-# Gets the base device of the interface
-# Can handle eth0:1 and eth0.1
-# Which returns eth0 in this case
-interface_device() {
-	local dev="${1%%.*}"
-	[[ ${dev} == "$1" ]] && dev="${1%%:*}"
-	echo "${dev}"
-}
-
-# char* interface_type(char* iface)
-#
-# Returns the base type of the interface
-# eth, ippp, etc
-interface_type() {
-	echo "${1%%[0-9]*}"
-}
-
-# int calculate_metric(char *interface, int base)
-#
-# Calculates the best metric for the interface
-# We use this when we add routes so we can prefer interfaces over each other
-calculate_metric() {
-	local iface="$1" metric="$2"
-
-	# Have we already got a metric?
-	local m=$(awk '$1=="'${iface}'" && $2=="00000000" { print $7 }' \
-		/proc/net/route)
-	if [[ -n ${m} ]] ; then
-		echo "${m}"
-		return 0
-	fi
-
-	local i= dest= gw= flags= ref= u= m= mtu= metrics=
-	while read i dest gw flags ref u m mtu ; do
-		# Ignore lo
-		is_loopback "${i}" && continue
-		# We work out metrics from default routes only
-		[[ ${dest} != "00000000" || ${gw} == "00000000" ]] && continue
-		metrics="${metrics}\n${m}"
-	done < /proc/net/route
-
-	# Now, sort our metrics
-	metrics=$(echo -e "${metrics}" | sort -n)
-
-	# Now, find the lowest we can use
-	local gotbase=false
-	for m in ${metrics} ; do
-		[[ ${m} -lt ${metric} ]] && continue
-		[[ ${m} == ${metric} ]] && ((metric++))
-		[[ ${m} -gt ${metric} ]] && break
-	done
-	
-	echo "${metric}"
-}
-
-# int netmask2cidr(char *netmask)
-#
-# Returns the CIDR of a given netmask
-netmask2cidr() {
-	local binary= i= bin=
-
-	for i in ${1//./ }; do
-		bin=""
-		while [[ ${i} != "0" ]] ; do
-			bin=$[${i}%2]${bin}
-			(( i=i>>1 ))
-		done
-		binary="${binary}${bin}"
-	done
-	binary="${binary%%0*}"
-	echo "${#binary}"
-}
-
-
-# bool is_function(char* name)
-#
-# Returns 0 if the given name is a shell function, otherwise 1
-is_function() {
-	[[ -z $1 ]] && return 1
-	[[ $(type -t "$1") == "function" ]]
-}
-
-# void function_wrap(char* source, char* target)
-#
-# wraps function calls - for example function_wrap(this, that)
-# maps function names this_* to that_*
-function_wrap() {
-	local i=
-
-	is_function "${2}_depend" && return
-
-	for i in $(typeset -f | grep -o '^'"${1}"'_[^ ]*'); do
-		eval "${2}${i#${1}}() { ${i} \"\$@\"; }"
-	done
-}
-
-# char[] * expand_parameters(char *cmd)
-#
-# Returns an array after expanding parameters. For example
-# "192.168.{1..3}.{1..3}/24 brd +"
-# will return
-# "192.168.1.1/24 brd +"
-# "192.168.1.2/24 brd +"
-# "192.168.1.3/24 brd +"
-# "192.168.2.1/24 brd +"
-# "192.168.2.2/24 brd +"
-# "192.168.2.3/24 brd +"
-# "192.168.3.1/24 brd +"
-# "192.168.3.2/24 brd +"
-# "192.168.3.3/24 brd +"
-expand_parameters() {
-	local x=$(eval echo ${@// /_})
-	local -a a=( ${x} )
-
-	a=( "${a[@]/#/\"}" )
-	a=( "${a[@]/%/\"}" )
-	echo "${a[*]//_/ }"
-}
-
-# void configure_variables(char *interface, char *option1, [char *option2])
-#
-# Maps configuration options from <variable>_<option> to <variable>_<iface>
-# option2 takes precedence over option1
-configure_variables() {
-	local iface="$1" option1="$2" option2="$3"
-
-	local mod= func= x= i=
-	local -a ivars=() ovars1=() ovars2=()
-	local ifvar=$(bash_variable "${iface}")
-
-	for mod in ${MODULES[@]}; do
-		is_function ${mod}_variables || continue
-		for v in $(${mod}_variables) ; do
-			x=
-			[[ -n ${option2} ]] && x="${v}_${option2}[@]"
-			[[ -z ${!x} ]] && x="${v}_${option1}[@]"
-			[[ -n ${!x} ]] && eval "${v}_${ifvar}=( \"\${!x}\" )"
-		done
-	done
-
-	return 0
-}
-# bool module_load_minimum(char *module)
-#
-# Does the minimum checking on a module - even when forcing
-module_load_minimum() {
-	local f="$1.sh" MODULE="${1##*/}"
-
-	if [[ ! -f ${f} ]] ; then
-		eerror "${f} does not exist"
-		return 1
-	fi
-
-	if ! source "${f}" ; then
-		eerror "${MODULE} failed a sanity check"
-		return 1
-	fi
-
-	for f in depend; do
-		is_function "${MODULE}_${f}" && continue
-		eerror "${MODULE}.sh does not support the required function ${f}"
-		return 1
-	done
-
-	return 0
-}
-
-# bool modules_load_auto()
-#
-# Load and check each module for sanity
-# If the module is not installed, the functions are to be removed
-modules_load_auto() {
-	local i j inst
-
-	# Populate the MODULES array
-	# Basically we treat evey file in ${MODULES_DIR} as a module
-	MODULES=( $( cd "${MODULES_DIR}" ; ls *.sh ) )
-	j="${#MODULES[@]}"
-	for (( i=0; i<j; i++ )); do
-		MODULES[i]="${MODULES_DIR}/${MODULES[i]}"
-		[[ ! -f ${MODULES[i]} ]] && unset MODULES[i]
-	done
-	MODULES=( "${MODULES[@]}" )
-
-	# Each of these sources into the global namespace, so it's
-	# important that module functions and variables are prefixed with
-	# the module name, for example iproute2_
-
-	j="${#MODULES[@]}"
-	loaded_interface=false
-	for (( i=0; i<j; i++ )); do
-		MODULES[i]="${MODULES[i]%.sh*}"
-		if [[ ${MODULES[i]##*/} == "interface" ]] ; then
-			eerror "interface is a reserved name - cannot load a module called interface"
-			return 1
-		fi
-		
-		(
-		u=0;
-		module_load_minimum "${MODULES[i]}" || u=1;
-		if [[ ${u} == 0 ]] ; then
-			inst="${MODULES[i]##*/}_check_installed";
-			if is_function "${inst}" ; then
-				${inst} false || u=1;
-			fi
-		fi
-		exit "${u}";
-		)
-
-		if [[ $? == 0 ]] ; then
-			source "${MODULES[i]}.sh"
-			MODULES[i]="${MODULES[i]##*/}"
-		else
-			unset MODULES[i]
-		fi
-	done
-
-	MODULES=( "${MODULES[@]}" )
-	return 0
-}
-
-# bool modules_check_installed(void)
-#
-# Ensure that all modules have the required modules loaded
-# This enables us to remove modules from the MODULES array
-# Whilst other modules can still explicitly call them
-# One example of this is essidnet which configures network
-# settings for the specific ESSID connected to as the user
-# may be using a daemon to configure wireless instead of our
-# iwconfig module
-modules_check_installed() {
-	local i j missingdeps nmods="${#MODULES[@]}"
-
-	for (( i=0; i<nmods; i++ )); do
-		is_function "${MODULES[i]}_instlled" || continue
-		for j in $( ${MODULES[i]}_instlled ); do
-			missingdeps=true
-			if is_function "${j}_check_installed" ; then
-				${j}_check_installed && missingdeps=false
-			elif is_function "${j}_depend" ; then
-				missingdeps=false
-			fi
-			${missingdeps} && unset MODULES[i] && unset PROVIDES[i] && break
-		done
-	done
-
-	MODULES=( "${MODULES[@]}" )
-	PROVIDES=( "${PROVIDES[@]}" )
-}
-
-# bool modules_check_user(void)
-modules_check_user() {
-	local iface="$1" ifvar=$(bash_variable "${IFACE}")
-	local i= j= k= l= nmods="${#MODULES[@]}"
-	local -a umods=()
-
-	# Has the interface got any specific modules?
-	umods="modules_${ifvar}[@]"
-	umods=( "${!umods}" )
-
-	# Global setting follows interface-specific setting
-	umods=( "${umods[@]}" "${modules[@]}" )
-
-	# Add our preferred modules
-	local -a pmods=( "iproute2" "dhcpcd" "iwconfig" "netplugd" )
-	umods=( "${umods[@]}" "${pmods[@]}" )
-
-	# First we strip any modules that conflict from user settings
-	# So if the user specifies pump then we don't use dhcpcd
-	for (( i=0; i<${#umods[@]}; i++ )); do
-		# Some users will inevitably put "dhcp" in their modules
-		# list.  To keep users from screwing up their system this
-		# way, ignore this setting so that the default dhcp
-		# module will be used.
-		[[ ${umods[i]} == "dhcp" ]] && continue
-
-		# We remove any modules we explicitly don't want
-		if [[ ${umods[i]} == "!"* ]] ; then
-			for (( j=0; j<nmods; j++ )); do
-				[[ -z ${MODULES[j]} ]] && continue
-				if [[ ${umods[i]:1} == "${MODULES[j]}" \
-					|| ${umods[i]:1} == "${PROVIDES[j]}" ]] ; then
-					# We may need to setup a class wrapper for it even though
-					# we don't use it directly
-					# However, we put it into an array and wrap later as
-					# another module may provide the same thing
-					${MODULES[j]}_check_installed \
-						&& WRAP_MODULES=(
-							"${WRAP_MODULES[@]}"
-							"${MODULES[j]} ${PROVIDES[j]}"
-						)
-					unset MODULES[j]
-					unset PROVIDES[j]
-				fi
-			done
-			continue
-		fi
-
-		if ! is_function "${umods[i]}_depend" ; then
-			# If the module is one of our preferred modules, then
-			# ignore this error; whatever is available will be
-			# used instead.
-			(( i < ${#umods[@]} - ${#pmods[@]} )) || continue
-
-			# The function may not exist because the modules software is
-			# not installed. Load the module and report its error
-			if [[ -e "${MODULES_DIR}/${umods[i]}.sh" ]] ; then
-				source "${MODULES_DIR}/${umods[i]}.sh"
-				is_function "${umods[i]}_check_installed" \
-					&& ${umods[i]}_check_installed true
-			else
-				eerror "The module \"${umods[i]}\" does not exist"
-			fi
-			return 1
-		fi
-
-		if is_function "${umods[i]}_provide" ; then
-			mod=$(${umods[i]}_provide)
-		else
-			mod="${umods[i]}"
-		fi
-		for (( j=0; j<nmods; j++ )); do
-			[[ -z ${MODULES[j]} ]] && continue
-			if [[ ${PROVIDES[j]} == "${mod}" && ${umods[i]} != "${MODULES[j]}" ]] ; then
-				# We don't have a match - now ensure that we still provide an
-				# alternative. This is to handle our preferred modules.
-				for (( l=0; l<nmods; l++ )); do
-					[[ ${l} == "${j}" || -z ${MODULES[l]} ]] && continue
-					if [[ ${PROVIDES[l]} == "${mod}" ]] ; then
-						unset MODULES[j]
-						unset PROVIDES[j]
-						break
-					fi
-				done
-			fi
-		done
-	done
-
-	# Then we strip conflicting modules.
-	# We only need to do this for 3rd party modules that conflict with
-	# our own modules and the preferred list AND the user modules
-	# list doesn't specify a preference.
-	for (( i=0; i<nmods-1; i++ )); do
-		[[ -z ${MODULES[i]} ]] && continue			
-		for (( j=i+1; j<nmods; j++)); do
-			[[ -z ${MODULES[j]} ]] && continue
-			[[ ${PROVIDES[i]} == "${PROVIDES[j]}" ]] \
-			&& unset MODULES[j] && unset PROVIDES[j]
-		done
-	done
-
-	MODULES=( "${MODULES[@]}" )
-	PROVIDES=( "${PROVIDES[@]}" )
-	return 0
-}
-
-# void modules_sort(void)
-#
-# Sort our modules
-modules_sort() {
-	local i= j= nmods=${#MODULES[@]} m=
-	local -a provide=() provide_list=() after=() dead=() sorted=() sortedp=()
-
-	# Make our provide list
-	for ((i=0; i<nmods; i++)); do
-		dead[i]="false"
-		if [[ ${MODULES[i]} != "${PROVIDES[i]}" ]] ; then
-			local provided=false
-			for ((j=0; j<${#provide[@]}; j++)); do
-				if [[ ${provide[j]} == "${PROVIDES[i]}" ]] ; then
-					provide_list[j]="${provide_list[j]} ${MODULES[i]}"
-					provided=true
-				fi
-			done
-			if ! ${provided}; then
-				provide[j]="${PROVIDES[i]}"
-				provide_list[j]="${MODULES[i]}"
-			fi
-		fi
-	done
-
-	# Create an after array, which holds which modules the module at
-	# index i must be after
-	for ((i=0; i<nmods; i++)); do
-		if is_function "${MODULES[i]}_after" ; then
-			after[i]=" ${after[i]} $(${MODULES[i]}_after) "
-		fi
-		if is_function "${MODULES[i]}_before" ; then
-			for m in $(${MODULES[i]}_before); do
-				for ((j=0; j<nmods; j++)) ; do
-					if [[ ${PROVIDES[j]} == "${m}" ]] ; then
-						after[j]=" ${after[j]} ${MODULES[i]} "
-						break
-					fi
-				done
-			done
-		fi
-	done
-
-	# Replace the after list modules with real modules
-	for ((i=0; i<nmods; i++)); do
-		if [[ -n ${after[i]} ]] ; then
-			for ((j=0; j<${#provide[@]}; j++)); do
-				after[i]="${after[i]// ${provide[j]} / ${provide_list[j]} }"
-			done
-		fi
-	done
-	
-	# We then use the below code to provide a topologial sort
-    module_after_visit() {
-        local name="$1" i= x=
-
-		for ((i=0; i<nmods; i++)); do
-			[[ ${MODULES[i]} == "$1" ]] && break
-		done
-
-        ${dead[i]} && return
-        dead[i]="true"
-
-        for x in ${after[i]} ; do
-            module_after_visit "${x}"
-        done
-
-        sorted=( "${sorted[@]}" "${MODULES[i]}" )
-		sortedp=( "${sortedp[@]}" "${PROVIDES[i]}" )
-    }
-
-	for x in ${MODULES[@]}; do
-		module_after_visit "${x}"
-	done
-
-	MODULES=( "${sorted[@]}" )
-	PROVIDES=( "${sortedp[@]}" )
-}
-
-# bool modules_check_depends(bool showprovides)
-modules_check_depends() {
-	local showprovides="${1:-false}" nmods="${#MODULES[@]}" i= j= needmod=
-	local missingdeps= p= interface=false
-
-	for (( i=0; i<nmods; i++ )); do
-		if is_function "${MODULES[i]}_need" ; then
-			for needmod in $(${MODULES[i]}_need); do
-				missingdeps=true
-				for (( j=0; j<nmods; j++ )); do
-					if [[ ${needmod} == "${MODULES[j]}" \
-						|| ${needmod} == "${PROVIDES[j]}" ]] ; then
-						missingdeps=false
-						break
-					fi
-				done
-				if ${missingdeps} ; then
-					eerror "${MODULES[i]} needs ${needmod} (dependency failure)"
-					return 1
-				fi
-			done
-		fi
-
-		if is_function "${MODULES[i]}_functions" ; then
-			for f in $(${MODULES[i]}_functions); do
-				if ! is_function "${f}" ; then
-					eerror "${MODULES[i]}: missing required function \"${f}\""
-					return 1
-				fi
-			done
-		fi
-
-		[[ ${PROVIDES[i]} == "interface" ]] && interface=true
-
-		if ${showprovides} ; then
-			[[ ${PROVIDES[i]} != "${MODULES[i]}" ]] \
-			&& veinfo "${MODULES[i]} provides ${PROVIDES[i]}"
-		fi
-	done
-
-	if ! ${interface} ; then
-		eerror "no interface module has been loaded"
-		return 1
-	fi
-
-	return 0
-}
-
-# bool modules_load(char *iface, bool starting)
-#
-# Loads the defined handler and modules for the interface
-# Returns 0 on success, otherwise 1
-modules_load()  {
-	local iface="$1" starting="${2:-true}" MODULE= p=false i= j= k=
-	local -a x=()
-	local RC_INDENTATION="${RC_INDENTATION}"
-	local -a PROVIDES=() WRAP_MODULES=()
-
-	if ! is_loopback "${iface}" ; then
-		x="modules_force_${iface}[@]"
-		[[ -n ${!x} ]] && modules_force=( "${!x}" )
-		if [[ -n ${modules_force} ]] ; then
-			ewarn "WARNING: You are forcing modules!"
-			ewarn "Do not complain or file bugs if things start breaking"
-			report=true
-		fi
-	fi
-
-	veinfo "Loading networking modules for ${iface}"
-	eindent
-
-	if [[ -z ${modules_force} ]] ; then
-		modules_load_auto || return 1
-	else
-		j="${#modules_force[@]}"
-		for (( i=0; i<j; i++ )); do
-			module_load_minimum "${MODULES_DIR}/${modules_force[i]}" || return 1
-			if is_function "${modules_force[i]}_check_installed" ; then
-				${modules_force[i]}_check_installed || unset modules_force[i]
-			fi
-		done
-		MODULES=( "${modules_force[@]}" )
-	fi
-
-	j="${#MODULES[@]}"
-	for (( i=0; i<j; i++ )); do
-		# Now load our dependencies - we need to use the MODULE variable
-		# here as the after/before/need functions use it
-		MODULE="${MODULES[i]}"
-		${MODULE}_depend
-
-		# expose does exactly the same thing as depend
-		# However it is more "correct" as it exposes things to other modules
-		# instead of depending on them ;)
-		is_function "${MODULES[i]}_expose" && ${MODULES[i]}_expose
-
-		# If no provide is given, assume module name
-		if is_function "${MODULES[i]}_provide" ; then
-			PROVIDES[i]=$(${MODULES[i]}_provide)
-		else
-			PROVIDES[i]="${MODULES[i]}"
-		fi
-	done
-
-	if [[ -n ${modules_force[@]} ]] ; then
-		# Strip any duplicate modules providing the same thing
-		j="${#MODULES[@]}"
-		for (( i=0; i<j-1; i++ )); do
-			[[ -z ${MODULES[i]} ]] && continue
-			for (( k=i+1; k<j; k++ )); do
-				if [[ ${PROVIDES[i]} == ${PROVIDES[k]} ]] ; then
-					unset MODULES[k]
-					unset PROVIDES[k]
-				fi
-			done
-		done
-		MODULES=( "${MODULES[@]}" )
-		PROVIDES=( "${PROVIDES[@]}" )
-	else
-		if ${starting}; then
-			modules_check_user "${iface}" || return 1
-		else
-			# Always prefer iproute2 for taking down interfaces
-			if is_function iproute2_provide ; then
-				function_wrap iproute2 "$(iproute2_provide)"
-			fi
-		fi
-	fi
-	
-	# Wrap our modules
-	j="${#MODULES[@]}"
-	for (( i=0; i<j; i++ )); do
-		function_wrap "${MODULES[i]}" "${PROVIDES[i]}"
-	done
-	j="${#WRAP_MODULES[@]}"
-	for (( i=0; i<j; i++ )); do
-		function_wrap ${WRAP_MODULES[i]}
-	done
-	
-	if [[ -z ${modules_force[@]} ]] ; then
-		modules_check_installed || return 1
-		modules_sort || return 1
-	fi
-
-	veinfo "modules: ${MODULES[@]}"
-	eindent
-
-	${starting} && p=true
-	modules_check_depends "${p}" || return 1
-	return 0
-}
-
-# bool iface_start(char *interface)
-#
-# iface_start is called from start.  It's expected to start the base
-# interface (for example "eth0"), aliases (for example "eth0:1") and to start
-# VLAN interfaces (for example eth0.0, eth0.1).  VLAN setup is accomplished by
-# calling itself recursively.
-iface_start() {
-	local iface="$1" mod config_counter="-1" x config_worked=false
-	local RC_INDENTATION="${RC_INDENTATION}"
-	local -a config=() fallback=() fallback_route=() conf=() a=() b=()
-	local ifvar=$(bash_variable "$1") i= j= metric=0
-
-	# pre Start any modules with
-	for mod in ${MODULES[@]}; do
-		if is_function "${mod}_pre_start" ; then
-			${mod}_pre_start "${iface}" || { eend 1; return 1; }
-		fi
-	done
-
-	x="metric_${ifvar}"
-	# If we don't have a metric then calculate one
-	# Our modules will set the metric variable to a suitable base
-	# in their pre starts.
-	if [[ -z ${!x} ]] ; then
-		eval "metric_${ifvar}=\"$(calculate_metric "${iface}" "${metric}")\""
-	fi
-
-	# We now expand the configuration parameters and pray that the
-	# fallbacks expand to the same number as config or there will be
-	# trouble!
-	a="config_${ifvar}[@]"
-	a=( "${!a}" )
-	for (( i=0; i<${#a[@]}; i++ )); do 
-		eval b=( $(expand_parameters "${a[i]}") )
-		config=( "${config[@]}" "${b[@]}" )
-	done
-
-	a="fallback_${ifvar}[@]"
-	a=( "${!a}" )
-	for (( i=0; i<${#a[@]}; i++ )); do 
-		eval b=( $(expand_parameters "${a[i]}") )
-		fallback=( "${fallback[@]}" "${b[@]}" )
-	done
-
-	# We don't expand routes
-	fallback_route="fallback_route_${ifvar}[@]"
-	fallback_route=( "${!fallback_route}" )
-	
-	# We must support old configs
-	if [[ -z ${config} ]] ; then
-		interface_get_old_config "${iface}" || return 1
-		if [[ -n ${config} ]] ; then
-			ewarn "You are using a deprecated configuration syntax for ${iface}"
-			ewarn "You are advised to read /etc/conf.d/net.example and upgrade it accordingly"
-		fi
-	fi
-
-	# Handle "noop" correctly
-	if [[ ${config[0]} == "noop" ]] ; then
-		if interface_is_up "${iface}" true ; then
-			einfo "Keeping current configuration for ${iface}"
-			eend 0
-			return 0
-		fi
-
-		# Remove noop from the config var
-		config=( "${config[@]:1}" )
-	fi
-
-	# Provide a default of DHCP if no configuration is set and we're auto
-	# Otherwise a default of NULL
-	if [[ -z ${config} ]] ; then
-		ewarn "Configuration not set for ${iface} - assuming DHCP"
-		if is_function "dhcp_start" ; then
-			config=( "dhcp" )
-		else
-			eerror "No DHCP client installed"
-			return 1
-		fi
-	fi
-
-	einfo "Bringing up ${iface}"
-	eindent
-	for (( config_counter=0; config_counter<${#config[@]}; config_counter++ )); do
-		# Handle null and noop correctly
-		if [[ ${config[config_counter]} == "null" \
-			|| ${config[config_counter]} == "noop" ]] ; then
-			eend 0
-			config_worked=true
-			continue
-		fi
-
-		# We convert it to an array - this has the added
-		# bonus of trimming spaces!
-		conf=( ${config[config_counter]} )
-		einfo "${conf[0]}"
-
-		# Do we have a function for our config?
-		if is_function "${conf[0]}_start" ; then
-			eindent
-			${conf[0]}_start "${iface}" ; x=$?
-			eoutdent
-			[[ ${x} == 0 ]] && config_worked=true && continue
-			# We need to test to see if it's an IP address or a function
-			# We do this by testing if the 1st character is a digit
-		elif [[ ${conf[0]:0:1} == [[:digit:]] || ${conf[0]} == *:* ]] ; then
-			x="0"
-			if ! is_loopback "${iface}" ; then
-				if [[ " ${MODULES[@]} " == *" arping "* ]] ; then
-					if arping_address_exists "${iface}" "${conf[0]}" ; then
-						eerror "${conf[0]%%/*} already taken on ${iface}"
-						x="1"
-					fi
-				fi
-			fi
-			[[ ${x} == "0" ]] && interface_add_address "${iface}" ${conf[@]}; x="$?"
-			eend "${x}" && config_worked=true && continue
-		else
-			if [[ ${conf[0]} == "dhcp" ]] ; then
-				eerror "No DHCP client installed"
-			else
-				eerror "No loaded modules provide \"${conf[0]}\" (${conf[0]}_start)"
-			fi
-		fi
-
-		if [[ -n ${fallback[config_counter]} ]] ; then
-			einfo "Trying fallback configuration"
-			config[config_counter]="${fallback[config_counter]}"
-			fallback[config_counter]=""
-
-			# Do we have a fallback route?
-			if [[ -n ${fallback_route[config_counter]} ]] ; then
-				x="fallback_route[config_counter]"
-				eval "routes_${ifvar}=( \"\${!x}\" )"
-				fallback_route[config_counter]=""
-			fi
-
-			(( config_counter-- )) # since the loop will increment it
-			continue
-		fi
-	done
-	eoutdent
-
-	# We return failure if no configuration parameters worked
-	${config_worked} || return 1
-
-	# Start any modules with _post_start
-	for mod in ${MODULES[@]}; do
-		if is_function "${mod}_post_start" ; then
-			${mod}_post_start "${iface}" || return 1
-		fi
-	done
-
-	return 0
-}
-
-# bool iface_stop(char *interface)
-#
-# iface_stop: bring down an interface.  Don't trust information in
-# /etc/conf.d/net since the configuration might have changed since
-# iface_start ran.  Instead query for current configuration and bring
-# down the interface.
-iface_stop() {
-	local iface="$1" i= aliases= need_begin=false mod=
-	local RC_INDENTATION="${RC_INDENTATION}"
-
-	# pre Stop any modules
-	for mod in ${MODULES[@]}; do
-		if is_function "${mod}_pre_stop" ; then
-			${mod}_pre_stop "${iface}" || return 1
-		fi
-	done
-
-	einfo "Bringing down ${iface}"
-	eindent
-
-	# Collect list of aliases for this interface.
-	# List will be in reverse order.
-	if interface_exists "${iface}" ; then
-		aliases=$(interface_get_aliases_rev "${iface}")
-	fi
-
-	# Stop aliases before primary interface.
-	# Note this must be done in reverse order, since ifconfig eth0:1 
-	# will remove eth0:2, etc.  It might be sufficient to simply remove 
-	# the base interface but we're being safe here.
-	for i in ${aliases} ${iface}; do
-		# Stop all our modules
-		for mod in ${MODULES[@]}; do
-			if is_function "${mod}_stop" ; then
-				${mod}_stop "${i}" || return 1
-			fi
-		done
-
-		# A module may have removed the interface
-		if ! interface_exists "${iface}" ; then
-			eend 0
-			continue
-		fi
-
-		# We don't delete ppp assigned addresses
-		if ! is_function pppd_exists || ! pppd_exists "${i}" ; then
-			# Delete all the addresses for this alias
-			interface_del_addresses "${i}"
-		fi
-
-		# Do final shut down of this alias
-		if [[ ${IN_BACKGROUND} != "true" \
-			&& ${RC_DOWN_INTERFACE} == "yes" ]] ; then
-			ebegin "Shutting down ${i}"
-			interface_iface_stop "${i}"
-			eend "$?"
-		fi
-	done
-
-	# post Stop any modules
-	for mod in ${MODULES[@]}; do
-		# We have already taken down the interface, so no need to error
-		is_function "${mod}_post_stop" && ${mod}_post_stop "${iface}"
-	done
-
-	return 0
-}
-
-# bool run_start(char *iface)
-#
-# Brings up ${IFACE}.  Calls preup, iface_start, then postup.
-# Returns 0 (success) unless preup or iface_start returns 1 (failure).
-# Ignores the return value from postup.
-# We cannot check that the device exists ourselves as modules like
-# tuntap make create it.
-run_start() {
-	local iface="$1" IFVAR=$(bash_variable "$1")
-
-	# We do this so users can specify additional addresses for lo if they
-	# need too - additional routes too
-	# However, no extra modules are loaded as they are just not needed
-	if [[ ${iface} == "lo" ]] ; then
-		metric_lo="0"
-		config_lo=( "127.0.0.1/8 brd 127.255.255.255" "${config_lo[@]}" )
-		routes_lo=( "127.0.0.0/8" "${routes_lo[@]}" )
-	elif [[ ${iface} == "lo0" ]] ; then
-		metric_lo0="0"
-		config_lo0=( "127.0.0.1/8 brd 127.255.255.255" "${config_lo[@]}" )
-		routes_lo0=( "127.0.0.0/8" "${routes_lo[@]}" )
-	fi
-
-	# We may not have a loaded module for ${iface}
-	# Some users may have "alias natsemi eth0" in /etc/modules.d/foo
-	# so we can work with this
-	# However, if they do the same with eth1 and try to start it
-	# but eth0 has not been loaded then the module gets loaded as
-	# eth0.
-	# Not much we can do about this :(
-	# Also, we cannot error here as some modules - such as bridge
-	# create interfaces
-	if ! interface_exists "${iface}" ; then
-		/sbin/modprobe "${iface}" &>/dev/null
-	fi
-
-	# Call user-defined preup function if it exists
-	if is_function preup ; then
-		einfo "Running preup function"
-		eindent
-		( preup "${iface}" )
-		eend "$?" "preup ${iface} failed" || return 1
-		eoutdent
-	fi
-
-	# If config is set to noop and the interface is up with an address
-	# then we don't start it
-	local config=
-	config="config_${IFVAR}[@]"
-	config=( "${!config}" )
-	if [[ ${config[0]} == "noop" ]] && interface_is_up "${iface}" true ; then
-		einfo "Keeping current configuration for ${iface}"
-		eend 0
-	else
-		# Remove noop from the config var
-		[[ ${config[0]} == "noop" ]] \
-			&& eval "config_${IFVAR}=( "\"\$\{config\[@\]:1\}\"" )"
-
-		# There may be existing ip address info - so we strip it
-		if [[ ${RC_INTERFACE_KEEP_CONFIG} != "yes" \
-			&& ${IN_BACKGROUND} != "true" ]] ; then
-			interface_del_addresses "${iface}"
-		fi
-
-		# Start the interface
-		if ! iface_start "${iface}" ; then
-			if [[ ${IN_BACKGROUND} != "true" ]] ; then
-				interface_exists "${iface}" && interface_down "${iface}"
-			fi
-			eend 1
-			return 1
-		fi
-	fi
-
-	# Call user-defined postup function if it exists
-	if is_function postup ; then
-		# We need to mark the service as started incase a
-		# postdown function wants to restart services that depend on us
-		mark_service_started "net.${iface}"
-		end_service "net.${iface}" 0
-		einfo "Running postup function"
-		eindent
-		( postup "${iface}" )
-		eoutdent
-	fi
-
-	return 0
-}
-
-# bool run_stop(char *iface) {
-#
-# Brings down ${iface}.  If predown call returns non-zero, then
-# stop returns non-zero to indicate failure bringing down device.
-# In all other cases stop returns 0 to indicate success.
-run_stop() {
-	local iface="$1" IFVAR=$(bash_variable "$1") x
-
-	# Load our ESSID variable so users can use it in predown() instead
-	# of having to write code.
-	local ESSID=$(get_options ESSID) ESSIDVAR=
-	[[ -n ${ESSID} ]] && ESSIDVAR=$(bash_variable "${ESSID}")
-
-	# Call user-defined predown function if it exists
-	if is_function predown ; then
-		einfo "Running predown function"
-		eindent
-		( predown "${iface}" )
-		eend $? "predown ${iface} failed" || return 1
-		eoutdent
-	elif is_net_fs / ; then
-		eerror "root filesystem is network mounted -- can't stop ${iface}"
-		return 1
-	elif is_union_fs / ; then
-		for x in $(unionctl "${dir}" --list \
-		| sed -e 's/^\(.*\) .*/\1/') ; do
-			if is_net_fs "${x}" ; then
-				eerror "Part of the root filesystem is network mounted - cannot stop ${iface}"
-				return 1
-			fi
-		done
-	fi
-
-	iface_stop "${iface}" || return 1  # always succeeds, btw
-
-	# Release resolv.conf information.
-	[[ -x /sbin/resolvconf ]] && resolvconf -d "${iface}"
-	
-	# Mark us as inactive if called from the background
-	[[ ${IN_BACKGROUND} == "true" ]] && mark_service_inactive "net.${iface}"
-
-	# Call user-defined postdown function if it exists
-	if is_function postdown ; then
-		# We need to mark the service as stopped incase a
-		# postdown function wants to restart services that depend on us
-		[[ ${IN_BACKGROUND} != "true" ]] && mark_service_stopped "net.${iface}"
-		end_service "net.${iface}" 0
-		einfo "Running postdown function"
-		eindent
-		( postdown "${iface}" )
-		eoutdent
-	fi
-
-
-	return 0
-}
-
-# bool run(char *iface, char *cmd)
-#
-# Main start/stop entry point
-# We load modules here and remove any functions that they
-# added as we may be called inside the same shell scope for another interface
-run() {
-	local iface="$1" cmd="$2" r=1 RC_INDENTATION="${RC_INDENTATION}"
-	local starting=true
-	local -a MODULES=() mods=()
-	local IN_BACKGROUND="${IN_BACKGROUND}"
-
-	if [[ ${IN_BACKGROUND} == "true" || ${IN_BACKGROUND} == "1" ]] ; then
-		IN_BACKGROUND=true
-	else
-		IN_BACKGROUND=false
-	fi
-
-	# We need to override the exit function as runscript.sh now checks
-	# for it. We need it so we can mark the service as inactive ourselves.
-	unset -f exit
-
-	eindent
-	[[ ${cmd} == "stop" ]] && starting=false
-
-	# We force lo to only use these modules for a major speed boost
-	if is_loopback "${iface}" ; then	
-		modules_force=( "iproute2" "ifconfig" "system" )
-	fi
-
-	if modules_load "${iface}" "${starting}" ; then
-		if [[ ${cmd} == "stop" ]] ; then
-			# Reverse the module list for stopping
-			mods=( "${MODULES[@]}" )
-			for ((i = 0; i < ${#mods[@]}; i++)); do
-				MODULES[i]=${mods[((${#mods[@]} - i - 1))]}
-			done
-
-			run_stop "${iface}" && r=0
-		else
-			# Only hotplug on ethernet interfaces
-			if [[ ${IN_HOTPLUG} == 1 ]] ; then
-				if ! interface_is_ethernet "${iface}" ; then
-					eerror "We only hotplug for ethernet interfaces"
-					return 1
-				fi
-			fi
-
-			run_start "${iface}" && r=0
-		fi
-	fi
-
-	if [[ ${r} != "0" ]] ; then
-		if [[ ${cmd} == "start" ]] ; then
-			# Call user-defined failup if it exists
-			if is_function failup ; then
-				einfo "Running failup function"
-				eindent
-				( failup "${iface}" )
-				eoutdent
-			fi
-		else
-			# Call user-defined faildown if it exists
-			if is_function faildown ; then
-				einfo "Running faildown function"
-				eindent
-				( faildown "${iface}" )
-				eoutdent
-			fi
-		fi
-		[[ ${IN_BACKGROUND} == "true" ]] \
-			&& mark_service_inactive "net.${iface}"
-	fi
-
-	return "${r}"
-}
-
-# bool start(void)
-#
-# Start entry point so that we only have one function
-# which localises variables and unsets functions
-start() {
-	declare -r IFACE="${SVCNAME#*.}"
-	einfo "Starting ${IFACE}"
-	run "${IFACE}" start
-}
-
-# bool stop(void)
-#
-# Stop entry point so that we only have one function
-# which localises variables and unsets functions
-stop() {
-	declare -r IFACE="${SVCNAME#*.}"
-	einfo "Stopping ${IFACE}"
-	run "${IFACE}" stop
-}
-
-# vim:ts=4
diff --git a/testing/hosts/venus/etc/conf.d/hostname b/testing/hosts/venus/etc/conf.d/hostname
deleted file mode 100644
index c9e3dd1d4..000000000
--- a/testing/hosts/venus/etc/conf.d/hostname
+++ /dev/null
@@ -1 +0,0 @@
-HOSTNAME=venus
diff --git a/testing/hosts/venus/etc/conf.d/net b/testing/hosts/venus/etc/conf.d/net
deleted file mode 100644
index 43ec97807..000000000
--- a/testing/hosts/venus/etc/conf.d/net
+++ /dev/null
@@ -1,10 +0,0 @@
-# /etc/conf.d/net:
-
-# This is basically the ifconfig argument without the ifconfig $iface
-#
-config_eth0=( "PH_IP_VENUS broadcast 10.1.255.255 netmask 255.255.0.0"
-              "PH_IP6_VENUS/16" )
-
-# For setting the default gateway
-#
-routes_eth0=( "default via PH_IP_MOON1" )
diff --git a/testing/hosts/venus/etc/hostname b/testing/hosts/venus/etc/hostname
new file mode 100644
index 000000000..acf16d8be
--- /dev/null
+++ b/testing/hosts/venus/etc/hostname
@@ -0,0 +1 @@
+venus
diff --git a/testing/hosts/venus/etc/init.d/iptables b/testing/hosts/venus/etc/init.d/iptables
deleted file mode 100755
index 1097ac5a4..000000000
--- a/testing/hosts/venus/etc/init.d/iptables
+++ /dev/null
@@ -1,74 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	# allow IKE
-        iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-        iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-			
-	# allow NAT-T 
-	iptables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-
-	# allow crl fetch from winnetou
-	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/hosts/venus/etc/init.d/net.eth0 b/testing/hosts/venus/etc/init.d/net.eth0
deleted file mode 100755
index 92b3851cf..000000000
--- a/testing/hosts/venus/etc/init.d/net.eth0
+++ /dev/null
@@ -1,1124 +0,0 @@
-#!/sbin/runscript
-# Copyright (c) 2004-2006 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-# Contributed by Roy Marples (uberlord@gentoo.org)
-# Many thanks to Aron Griffis (agriffis@gentoo.org)
-# for help, ideas and patches
-
-#NB: Config is in /etc/conf.d/net
-
-# For pcmcia users. note that pcmcia must be added to the same
-# runlevel as the net.* script that needs it.
-depend() {
-	need localmount
-	after bootmisc hostname
-	use isapnp isdn pcmcia usb wlan
-
-	# Load any custom depend functions for the given interface
-	# For example, br0 may need eth0 and eth1
-	local iface="${SVCNAME#*.}"
-	[[ $(type -t "depend_${iface}") == "function" ]] && depend_${iface}
-
-	if [[ ${iface} != "lo" && ${iface} != "lo0" ]] ; then
-		after net.lo net.lo0
-
-		# Support new style RC_NEED and RC_USE in one net file
-		local x="RC_NEED_${iface}"
-		[[ -n ${!x} ]] && need ${!x}
-		x="RC_USE_${iface}"
-		[[ -n ${!x} ]] && use ${!x}
-	fi
-
-	return 0
-}
-
-# Define where our modules are
-MODULES_DIR="${svclib}/net"
-
-# Make some wrappers to fudge after/before/need/use depend flags.
-# These are callbacks so MODULE will be set.
-after() {
-	eval "${MODULE}_after() { echo \"$*\"; }"
-}
-before() {
-	eval "${MODULE}_before() { echo \"$*\"; }"
-}
-need() {
-	eval "${MODULE}_need() { echo \"$*\"; }"
-}
-installed() {
-	# We deliberately misspell this as _installed will probably be used
-	# at some point
-	eval "${MODULE}_instlled() { echo \"$*\"; }"
-}
-provide() {
-	eval "${MODULE}_provide() { echo \"$*\"; }"
-}
-functions() {
-	eval "${MODULE}_functions() { echo \"$*\"; }"
-}
-variables() {
-	eval "${MODULE}_variables() { echo \"$*\"; }"
-}
-
-is_loopback() {
-	[[ $1 == "lo" || $1 == "lo0" ]]
-}
-
-# char* interface_device(char *iface)
-#
-# Gets the base device of the interface
-# Can handle eth0:1 and eth0.1
-# Which returns eth0 in this case
-interface_device() {
-	local dev="${1%%.*}"
-	[[ ${dev} == "$1" ]] && dev="${1%%:*}"
-	echo "${dev}"
-}
-
-# char* interface_type(char* iface)
-#
-# Returns the base type of the interface
-# eth, ippp, etc
-interface_type() {
-	echo "${1%%[0-9]*}"
-}
-
-# int calculate_metric(char *interface, int base)
-#
-# Calculates the best metric for the interface
-# We use this when we add routes so we can prefer interfaces over each other
-calculate_metric() {
-	local iface="$1" metric="$2"
-
-	# Have we already got a metric?
-	local m=$(awk '$1=="'${iface}'" && $2=="00000000" { print $7 }' \
-		/proc/net/route)
-	if [[ -n ${m} ]] ; then
-		echo "${m}"
-		return 0
-	fi
-
-	local i= dest= gw= flags= ref= u= m= mtu= metrics=
-	while read i dest gw flags ref u m mtu ; do
-		# Ignore lo
-		is_loopback "${i}" && continue
-		# We work out metrics from default routes only
-		[[ ${dest} != "00000000" || ${gw} == "00000000" ]] && continue
-		metrics="${metrics}\n${m}"
-	done < /proc/net/route
-
-	# Now, sort our metrics
-	metrics=$(echo -e "${metrics}" | sort -n)
-
-	# Now, find the lowest we can use
-	local gotbase=false
-	for m in ${metrics} ; do
-		[[ ${m} -lt ${metric} ]] && continue
-		[[ ${m} == ${metric} ]] && ((metric++))
-		[[ ${m} -gt ${metric} ]] && break
-	done
-	
-	echo "${metric}"
-}
-
-# int netmask2cidr(char *netmask)
-#
-# Returns the CIDR of a given netmask
-netmask2cidr() {
-	local binary= i= bin=
-
-	for i in ${1//./ }; do
-		bin=""
-		while [[ ${i} != "0" ]] ; do
-			bin=$[${i}%2]${bin}
-			(( i=i>>1 ))
-		done
-		binary="${binary}${bin}"
-	done
-	binary="${binary%%0*}"
-	echo "${#binary}"
-}
-
-
-# bool is_function(char* name)
-#
-# Returns 0 if the given name is a shell function, otherwise 1
-is_function() {
-	[[ -z $1 ]] && return 1
-	[[ $(type -t "$1") == "function" ]]
-}
-
-# void function_wrap(char* source, char* target)
-#
-# wraps function calls - for example function_wrap(this, that)
-# maps function names this_* to that_*
-function_wrap() {
-	local i=
-
-	is_function "${2}_depend" && return
-
-	for i in $(typeset -f | grep -o '^'"${1}"'_[^ ]*'); do
-		eval "${2}${i#${1}}() { ${i} \"\$@\"; }"
-	done
-}
-
-# char[] * expand_parameters(char *cmd)
-#
-# Returns an array after expanding parameters. For example
-# "192.168.{1..3}.{1..3}/24 brd +"
-# will return
-# "192.168.1.1/24 brd +"
-# "192.168.1.2/24 brd +"
-# "192.168.1.3/24 brd +"
-# "192.168.2.1/24 brd +"
-# "192.168.2.2/24 brd +"
-# "192.168.2.3/24 brd +"
-# "192.168.3.1/24 brd +"
-# "192.168.3.2/24 brd +"
-# "192.168.3.3/24 brd +"
-expand_parameters() {
-	local x=$(eval echo ${@// /_})
-	local -a a=( ${x} )
-
-	a=( "${a[@]/#/\"}" )
-	a=( "${a[@]/%/\"}" )
-	echo "${a[*]//_/ }"
-}
-
-# void configure_variables(char *interface, char *option1, [char *option2])
-#
-# Maps configuration options from <variable>_<option> to <variable>_<iface>
-# option2 takes precedence over option1
-configure_variables() {
-	local iface="$1" option1="$2" option2="$3"
-
-	local mod= func= x= i=
-	local -a ivars=() ovars1=() ovars2=()
-	local ifvar=$(bash_variable "${iface}")
-
-	for mod in ${MODULES[@]}; do
-		is_function ${mod}_variables || continue
-		for v in $(${mod}_variables) ; do
-			x=
-			[[ -n ${option2} ]] && x="${v}_${option2}[@]"
-			[[ -z ${!x} ]] && x="${v}_${option1}[@]"
-			[[ -n ${!x} ]] && eval "${v}_${ifvar}=( \"\${!x}\" )"
-		done
-	done
-
-	return 0
-}
-# bool module_load_minimum(char *module)
-#
-# Does the minimum checking on a module - even when forcing
-module_load_minimum() {
-	local f="$1.sh" MODULE="${1##*/}"
-
-	if [[ ! -f ${f} ]] ; then
-		eerror "${f} does not exist"
-		return 1
-	fi
-
-	if ! source "${f}" ; then
-		eerror "${MODULE} failed a sanity check"
-		return 1
-	fi
-
-	for f in depend; do
-		is_function "${MODULE}_${f}" && continue
-		eerror "${MODULE}.sh does not support the required function ${f}"
-		return 1
-	done
-
-	return 0
-}
-
-# bool modules_load_auto()
-#
-# Load and check each module for sanity
-# If the module is not installed, the functions are to be removed
-modules_load_auto() {
-	local i j inst
-
-	# Populate the MODULES array
-	# Basically we treat evey file in ${MODULES_DIR} as a module
-	MODULES=( $( cd "${MODULES_DIR}" ; ls *.sh ) )
-	j="${#MODULES[@]}"
-	for (( i=0; i<j; i++ )); do
-		MODULES[i]="${MODULES_DIR}/${MODULES[i]}"
-		[[ ! -f ${MODULES[i]} ]] && unset MODULES[i]
-	done
-	MODULES=( "${MODULES[@]}" )
-
-	# Each of these sources into the global namespace, so it's
-	# important that module functions and variables are prefixed with
-	# the module name, for example iproute2_
-
-	j="${#MODULES[@]}"
-	loaded_interface=false
-	for (( i=0; i<j; i++ )); do
-		MODULES[i]="${MODULES[i]%.sh*}"
-		if [[ ${MODULES[i]##*/} == "interface" ]] ; then
-			eerror "interface is a reserved name - cannot load a module called interface"
-			return 1
-		fi
-		
-		(
-		u=0;
-		module_load_minimum "${MODULES[i]}" || u=1;
-		if [[ ${u} == 0 ]] ; then
-			inst="${MODULES[i]##*/}_check_installed";
-			if is_function "${inst}" ; then
-				${inst} false || u=1;
-			fi
-		fi
-		exit "${u}";
-		)
-
-		if [[ $? == 0 ]] ; then
-			source "${MODULES[i]}.sh"
-			MODULES[i]="${MODULES[i]##*/}"
-		else
-			unset MODULES[i]
-		fi
-	done
-
-	MODULES=( "${MODULES[@]}" )
-	return 0
-}
-
-# bool modules_check_installed(void)
-#
-# Ensure that all modules have the required modules loaded
-# This enables us to remove modules from the MODULES array
-# Whilst other modules can still explicitly call them
-# One example of this is essidnet which configures network
-# settings for the specific ESSID connected to as the user
-# may be using a daemon to configure wireless instead of our
-# iwconfig module
-modules_check_installed() {
-	local i j missingdeps nmods="${#MODULES[@]}"
-
-	for (( i=0; i<nmods; i++ )); do
-		is_function "${MODULES[i]}_instlled" || continue
-		for j in $( ${MODULES[i]}_instlled ); do
-			missingdeps=true
-			if is_function "${j}_check_installed" ; then
-				${j}_check_installed && missingdeps=false
-			elif is_function "${j}_depend" ; then
-				missingdeps=false
-			fi
-			${missingdeps} && unset MODULES[i] && unset PROVIDES[i] && break
-		done
-	done
-
-	MODULES=( "${MODULES[@]}" )
-	PROVIDES=( "${PROVIDES[@]}" )
-}
-
-# bool modules_check_user(void)
-modules_check_user() {
-	local iface="$1" ifvar=$(bash_variable "${IFACE}")
-	local i= j= k= l= nmods="${#MODULES[@]}"
-	local -a umods=()
-
-	# Has the interface got any specific modules?
-	umods="modules_${ifvar}[@]"
-	umods=( "${!umods}" )
-
-	# Global setting follows interface-specific setting
-	umods=( "${umods[@]}" "${modules[@]}" )
-
-	# Add our preferred modules
-	local -a pmods=( "iproute2" "dhcpcd" "iwconfig" "netplugd" )
-	umods=( "${umods[@]}" "${pmods[@]}" )
-
-	# First we strip any modules that conflict from user settings
-	# So if the user specifies pump then we don't use dhcpcd
-	for (( i=0; i<${#umods[@]}; i++ )); do
-		# Some users will inevitably put "dhcp" in their modules
-		# list.  To keep users from screwing up their system this
-		# way, ignore this setting so that the default dhcp
-		# module will be used.
-		[[ ${umods[i]} == "dhcp" ]] && continue
-
-		# We remove any modules we explicitly don't want
-		if [[ ${umods[i]} == "!"* ]] ; then
-			for (( j=0; j<nmods; j++ )); do
-				[[ -z ${MODULES[j]} ]] && continue
-				if [[ ${umods[i]:1} == "${MODULES[j]}" \
-					|| ${umods[i]:1} == "${PROVIDES[j]}" ]] ; then
-					# We may need to setup a class wrapper for it even though
-					# we don't use it directly
-					# However, we put it into an array and wrap later as
-					# another module may provide the same thing
-					${MODULES[j]}_check_installed \
-						&& WRAP_MODULES=(
-							"${WRAP_MODULES[@]}"
-							"${MODULES[j]} ${PROVIDES[j]}"
-						)
-					unset MODULES[j]
-					unset PROVIDES[j]
-				fi
-			done
-			continue
-		fi
-
-		if ! is_function "${umods[i]}_depend" ; then
-			# If the module is one of our preferred modules, then
-			# ignore this error; whatever is available will be
-			# used instead.
-			(( i < ${#umods[@]} - ${#pmods[@]} )) || continue
-
-			# The function may not exist because the modules software is
-			# not installed. Load the module and report its error
-			if [[ -e "${MODULES_DIR}/${umods[i]}.sh" ]] ; then
-				source "${MODULES_DIR}/${umods[i]}.sh"
-				is_function "${umods[i]}_check_installed" \
-					&& ${umods[i]}_check_installed true
-			else
-				eerror "The module \"${umods[i]}\" does not exist"
-			fi
-			return 1
-		fi
-
-		if is_function "${umods[i]}_provide" ; then
-			mod=$(${umods[i]}_provide)
-		else
-			mod="${umods[i]}"
-		fi
-		for (( j=0; j<nmods; j++ )); do
-			[[ -z ${MODULES[j]} ]] && continue
-			if [[ ${PROVIDES[j]} == "${mod}" && ${umods[i]} != "${MODULES[j]}" ]] ; then
-				# We don't have a match - now ensure that we still provide an
-				# alternative. This is to handle our preferred modules.
-				for (( l=0; l<nmods; l++ )); do
-					[[ ${l} == "${j}" || -z ${MODULES[l]} ]] && continue
-					if [[ ${PROVIDES[l]} == "${mod}" ]] ; then
-						unset MODULES[j]
-						unset PROVIDES[j]
-						break
-					fi
-				done
-			fi
-		done
-	done
-
-	# Then we strip conflicting modules.
-	# We only need to do this for 3rd party modules that conflict with
-	# our own modules and the preferred list AND the user modules
-	# list doesn't specify a preference.
-	for (( i=0; i<nmods-1; i++ )); do
-		[[ -z ${MODULES[i]} ]] && continue			
-		for (( j=i+1; j<nmods; j++)); do
-			[[ -z ${MODULES[j]} ]] && continue
-			[[ ${PROVIDES[i]} == "${PROVIDES[j]}" ]] \
-			&& unset MODULES[j] && unset PROVIDES[j]
-		done
-	done
-
-	MODULES=( "${MODULES[@]}" )
-	PROVIDES=( "${PROVIDES[@]}" )
-	return 0
-}
-
-# void modules_sort(void)
-#
-# Sort our modules
-modules_sort() {
-	local i= j= nmods=${#MODULES[@]} m=
-	local -a provide=() provide_list=() after=() dead=() sorted=() sortedp=()
-
-	# Make our provide list
-	for ((i=0; i<nmods; i++)); do
-		dead[i]="false"
-		if [[ ${MODULES[i]} != "${PROVIDES[i]}" ]] ; then
-			local provided=false
-			for ((j=0; j<${#provide[@]}; j++)); do
-				if [[ ${provide[j]} == "${PROVIDES[i]}" ]] ; then
-					provide_list[j]="${provide_list[j]} ${MODULES[i]}"
-					provided=true
-				fi
-			done
-			if ! ${provided}; then
-				provide[j]="${PROVIDES[i]}"
-				provide_list[j]="${MODULES[i]}"
-			fi
-		fi
-	done
-
-	# Create an after array, which holds which modules the module at
-	# index i must be after
-	for ((i=0; i<nmods; i++)); do
-		if is_function "${MODULES[i]}_after" ; then
-			after[i]=" ${after[i]} $(${MODULES[i]}_after) "
-		fi
-		if is_function "${MODULES[i]}_before" ; then
-			for m in $(${MODULES[i]}_before); do
-				for ((j=0; j<nmods; j++)) ; do
-					if [[ ${PROVIDES[j]} == "${m}" ]] ; then
-						after[j]=" ${after[j]} ${MODULES[i]} "
-						break
-					fi
-				done
-			done
-		fi
-	done
-
-	# Replace the after list modules with real modules
-	for ((i=0; i<nmods; i++)); do
-		if [[ -n ${after[i]} ]] ; then
-			for ((j=0; j<${#provide[@]}; j++)); do
-				after[i]="${after[i]// ${provide[j]} / ${provide_list[j]} }"
-			done
-		fi
-	done
-	
-	# We then use the below code to provide a topologial sort
-    module_after_visit() {
-        local name="$1" i= x=
-
-		for ((i=0; i<nmods; i++)); do
-			[[ ${MODULES[i]} == "$1" ]] && break
-		done
-
-        ${dead[i]} && return
-        dead[i]="true"
-
-        for x in ${after[i]} ; do
-            module_after_visit "${x}"
-        done
-
-        sorted=( "${sorted[@]}" "${MODULES[i]}" )
-		sortedp=( "${sortedp[@]}" "${PROVIDES[i]}" )
-    }
-
-	for x in ${MODULES[@]}; do
-		module_after_visit "${x}"
-	done
-
-	MODULES=( "${sorted[@]}" )
-	PROVIDES=( "${sortedp[@]}" )
-}
-
-# bool modules_check_depends(bool showprovides)
-modules_check_depends() {
-	local showprovides="${1:-false}" nmods="${#MODULES[@]}" i= j= needmod=
-	local missingdeps= p= interface=false
-
-	for (( i=0; i<nmods; i++ )); do
-		if is_function "${MODULES[i]}_need" ; then
-			for needmod in $(${MODULES[i]}_need); do
-				missingdeps=true
-				for (( j=0; j<nmods; j++ )); do
-					if [[ ${needmod} == "${MODULES[j]}" \
-						|| ${needmod} == "${PROVIDES[j]}" ]] ; then
-						missingdeps=false
-						break
-					fi
-				done
-				if ${missingdeps} ; then
-					eerror "${MODULES[i]} needs ${needmod} (dependency failure)"
-					return 1
-				fi
-			done
-		fi
-
-		if is_function "${MODULES[i]}_functions" ; then
-			for f in $(${MODULES[i]}_functions); do
-				if ! is_function "${f}" ; then
-					eerror "${MODULES[i]}: missing required function \"${f}\""
-					return 1
-				fi
-			done
-		fi
-
-		[[ ${PROVIDES[i]} == "interface" ]] && interface=true
-
-		if ${showprovides} ; then
-			[[ ${PROVIDES[i]} != "${MODULES[i]}" ]] \
-			&& veinfo "${MODULES[i]} provides ${PROVIDES[i]}"
-		fi
-	done
-
-	if ! ${interface} ; then
-		eerror "no interface module has been loaded"
-		return 1
-	fi
-
-	return 0
-}
-
-# bool modules_load(char *iface, bool starting)
-#
-# Loads the defined handler and modules for the interface
-# Returns 0 on success, otherwise 1
-modules_load()  {
-	local iface="$1" starting="${2:-true}" MODULE= p=false i= j= k=
-	local -a x=()
-	local RC_INDENTATION="${RC_INDENTATION}"
-	local -a PROVIDES=() WRAP_MODULES=()
-
-	if ! is_loopback "${iface}" ; then
-		x="modules_force_${iface}[@]"
-		[[ -n ${!x} ]] && modules_force=( "${!x}" )
-		if [[ -n ${modules_force} ]] ; then
-			ewarn "WARNING: You are forcing modules!"
-			ewarn "Do not complain or file bugs if things start breaking"
-			report=true
-		fi
-	fi
-
-	veinfo "Loading networking modules for ${iface}"
-	eindent
-
-	if [[ -z ${modules_force} ]] ; then
-		modules_load_auto || return 1
-	else
-		j="${#modules_force[@]}"
-		for (( i=0; i<j; i++ )); do
-			module_load_minimum "${MODULES_DIR}/${modules_force[i]}" || return 1
-			if is_function "${modules_force[i]}_check_installed" ; then
-				${modules_force[i]}_check_installed || unset modules_force[i]
-			fi
-		done
-		MODULES=( "${modules_force[@]}" )
-	fi
-
-	j="${#MODULES[@]}"
-	for (( i=0; i<j; i++ )); do
-		# Now load our dependencies - we need to use the MODULE variable
-		# here as the after/before/need functions use it
-		MODULE="${MODULES[i]}"
-		${MODULE}_depend
-
-		# expose does exactly the same thing as depend
-		# However it is more "correct" as it exposes things to other modules
-		# instead of depending on them ;)
-		is_function "${MODULES[i]}_expose" && ${MODULES[i]}_expose
-
-		# If no provide is given, assume module name
-		if is_function "${MODULES[i]}_provide" ; then
-			PROVIDES[i]=$(${MODULES[i]}_provide)
-		else
-			PROVIDES[i]="${MODULES[i]}"
-		fi
-	done
-
-	if [[ -n ${modules_force[@]} ]] ; then
-		# Strip any duplicate modules providing the same thing
-		j="${#MODULES[@]}"
-		for (( i=0; i<j-1; i++ )); do
-			[[ -z ${MODULES[i]} ]] && continue
-			for (( k=i+1; k<j; k++ )); do
-				if [[ ${PROVIDES[i]} == ${PROVIDES[k]} ]] ; then
-					unset MODULES[k]
-					unset PROVIDES[k]
-				fi
-			done
-		done
-		MODULES=( "${MODULES[@]}" )
-		PROVIDES=( "${PROVIDES[@]}" )
-	else
-		if ${starting}; then
-			modules_check_user "${iface}" || return 1
-		else
-			# Always prefer iproute2 for taking down interfaces
-			if is_function iproute2_provide ; then
-				function_wrap iproute2 "$(iproute2_provide)"
-			fi
-		fi
-	fi
-	
-	# Wrap our modules
-	j="${#MODULES[@]}"
-	for (( i=0; i<j; i++ )); do
-		function_wrap "${MODULES[i]}" "${PROVIDES[i]}"
-	done
-	j="${#WRAP_MODULES[@]}"
-	for (( i=0; i<j; i++ )); do
-		function_wrap ${WRAP_MODULES[i]}
-	done
-	
-	if [[ -z ${modules_force[@]} ]] ; then
-		modules_check_installed || return 1
-		modules_sort || return 1
-	fi
-
-	veinfo "modules: ${MODULES[@]}"
-	eindent
-
-	${starting} && p=true
-	modules_check_depends "${p}" || return 1
-	return 0
-}
-
-# bool iface_start(char *interface)
-#
-# iface_start is called from start.  It's expected to start the base
-# interface (for example "eth0"), aliases (for example "eth0:1") and to start
-# VLAN interfaces (for example eth0.0, eth0.1).  VLAN setup is accomplished by
-# calling itself recursively.
-iface_start() {
-	local iface="$1" mod config_counter="-1" x config_worked=false
-	local RC_INDENTATION="${RC_INDENTATION}"
-	local -a config=() fallback=() fallback_route=() conf=() a=() b=()
-	local ifvar=$(bash_variable "$1") i= j= metric=0
-
-	# pre Start any modules with
-	for mod in ${MODULES[@]}; do
-		if is_function "${mod}_pre_start" ; then
-			${mod}_pre_start "${iface}" || { eend 1; return 1; }
-		fi
-	done
-
-	x="metric_${ifvar}"
-	# If we don't have a metric then calculate one
-	# Our modules will set the metric variable to a suitable base
-	# in their pre starts.
-	if [[ -z ${!x} ]] ; then
-		eval "metric_${ifvar}=\"$(calculate_metric "${iface}" "${metric}")\""
-	fi
-
-	# We now expand the configuration parameters and pray that the
-	# fallbacks expand to the same number as config or there will be
-	# trouble!
-	a="config_${ifvar}[@]"
-	a=( "${!a}" )
-	for (( i=0; i<${#a[@]}; i++ )); do 
-		eval b=( $(expand_parameters "${a[i]}") )
-		config=( "${config[@]}" "${b[@]}" )
-	done
-
-	a="fallback_${ifvar}[@]"
-	a=( "${!a}" )
-	for (( i=0; i<${#a[@]}; i++ )); do 
-		eval b=( $(expand_parameters "${a[i]}") )
-		fallback=( "${fallback[@]}" "${b[@]}" )
-	done
-
-	# We don't expand routes
-	fallback_route="fallback_route_${ifvar}[@]"
-	fallback_route=( "${!fallback_route}" )
-	
-	# We must support old configs
-	if [[ -z ${config} ]] ; then
-		interface_get_old_config "${iface}" || return 1
-		if [[ -n ${config} ]] ; then
-			ewarn "You are using a deprecated configuration syntax for ${iface}"
-			ewarn "You are advised to read /etc/conf.d/net.example and upgrade it accordingly"
-		fi
-	fi
-
-	# Handle "noop" correctly
-	if [[ ${config[0]} == "noop" ]] ; then
-		if interface_is_up "${iface}" true ; then
-			einfo "Keeping current configuration for ${iface}"
-			eend 0
-			return 0
-		fi
-
-		# Remove noop from the config var
-		config=( "${config[@]:1}" )
-	fi
-
-	# Provide a default of DHCP if no configuration is set and we're auto
-	# Otherwise a default of NULL
-	if [[ -z ${config} ]] ; then
-		ewarn "Configuration not set for ${iface} - assuming DHCP"
-		if is_function "dhcp_start" ; then
-			config=( "dhcp" )
-		else
-			eerror "No DHCP client installed"
-			return 1
-		fi
-	fi
-
-	einfo "Bringing up ${iface}"
-	eindent
-	for (( config_counter=0; config_counter<${#config[@]}; config_counter++ )); do
-		# Handle null and noop correctly
-		if [[ ${config[config_counter]} == "null" \
-			|| ${config[config_counter]} == "noop" ]] ; then
-			eend 0
-			config_worked=true
-			continue
-		fi
-
-		# We convert it to an array - this has the added
-		# bonus of trimming spaces!
-		conf=( ${config[config_counter]} )
-		einfo "${conf[0]}"
-
-		# Do we have a function for our config?
-		if is_function "${conf[0]}_start" ; then
-			eindent
-			${conf[0]}_start "${iface}" ; x=$?
-			eoutdent
-			[[ ${x} == 0 ]] && config_worked=true && continue
-			# We need to test to see if it's an IP address or a function
-			# We do this by testing if the 1st character is a digit
-		elif [[ ${conf[0]:0:1} == [[:digit:]] || ${conf[0]} == *:* ]] ; then
-			x="0"
-			if ! is_loopback "${iface}" ; then
-				if [[ " ${MODULES[@]} " == *" arping "* ]] ; then
-					if arping_address_exists "${iface}" "${conf[0]}" ; then
-						eerror "${conf[0]%%/*} already taken on ${iface}"
-						x="1"
-					fi
-				fi
-			fi
-			[[ ${x} == "0" ]] && interface_add_address "${iface}" ${conf[@]}; x="$?"
-			eend "${x}" && config_worked=true && continue
-		else
-			if [[ ${conf[0]} == "dhcp" ]] ; then
-				eerror "No DHCP client installed"
-			else
-				eerror "No loaded modules provide \"${conf[0]}\" (${conf[0]}_start)"
-			fi
-		fi
-
-		if [[ -n ${fallback[config_counter]} ]] ; then
-			einfo "Trying fallback configuration"
-			config[config_counter]="${fallback[config_counter]}"
-			fallback[config_counter]=""
-
-			# Do we have a fallback route?
-			if [[ -n ${fallback_route[config_counter]} ]] ; then
-				x="fallback_route[config_counter]"
-				eval "routes_${ifvar}=( \"\${!x}\" )"
-				fallback_route[config_counter]=""
-			fi
-
-			(( config_counter-- )) # since the loop will increment it
-			continue
-		fi
-	done
-	eoutdent
-
-	# We return failure if no configuration parameters worked
-	${config_worked} || return 1
-
-	# Start any modules with _post_start
-	for mod in ${MODULES[@]}; do
-		if is_function "${mod}_post_start" ; then
-			${mod}_post_start "${iface}" || return 1
-		fi
-	done
-
-	return 0
-}
-
-# bool iface_stop(char *interface)
-#
-# iface_stop: bring down an interface.  Don't trust information in
-# /etc/conf.d/net since the configuration might have changed since
-# iface_start ran.  Instead query for current configuration and bring
-# down the interface.
-iface_stop() {
-	local iface="$1" i= aliases= need_begin=false mod=
-	local RC_INDENTATION="${RC_INDENTATION}"
-
-	# pre Stop any modules
-	for mod in ${MODULES[@]}; do
-		if is_function "${mod}_pre_stop" ; then
-			${mod}_pre_stop "${iface}" || return 1
-		fi
-	done
-
-	einfo "Bringing down ${iface}"
-	eindent
-
-	# Collect list of aliases for this interface.
-	# List will be in reverse order.
-	if interface_exists "${iface}" ; then
-		aliases=$(interface_get_aliases_rev "${iface}")
-	fi
-
-	# Stop aliases before primary interface.
-	# Note this must be done in reverse order, since ifconfig eth0:1 
-	# will remove eth0:2, etc.  It might be sufficient to simply remove 
-	# the base interface but we're being safe here.
-	for i in ${aliases} ${iface}; do
-		# Stop all our modules
-		for mod in ${MODULES[@]}; do
-			if is_function "${mod}_stop" ; then
-				${mod}_stop "${i}" || return 1
-			fi
-		done
-
-		# A module may have removed the interface
-		if ! interface_exists "${iface}" ; then
-			eend 0
-			continue
-		fi
-
-		# We don't delete ppp assigned addresses
-		if ! is_function pppd_exists || ! pppd_exists "${i}" ; then
-			# Delete all the addresses for this alias
-			interface_del_addresses "${i}"
-		fi
-
-		# Do final shut down of this alias
-		if [[ ${IN_BACKGROUND} != "true" \
-			&& ${RC_DOWN_INTERFACE} == "yes" ]] ; then
-			ebegin "Shutting down ${i}"
-			interface_iface_stop "${i}"
-			eend "$?"
-		fi
-	done
-
-	# post Stop any modules
-	for mod in ${MODULES[@]}; do
-		# We have already taken down the interface, so no need to error
-		is_function "${mod}_post_stop" && ${mod}_post_stop "${iface}"
-	done
-
-	return 0
-}
-
-# bool run_start(char *iface)
-#
-# Brings up ${IFACE}.  Calls preup, iface_start, then postup.
-# Returns 0 (success) unless preup or iface_start returns 1 (failure).
-# Ignores the return value from postup.
-# We cannot check that the device exists ourselves as modules like
-# tuntap make create it.
-run_start() {
-	local iface="$1" IFVAR=$(bash_variable "$1")
-
-	# We do this so users can specify additional addresses for lo if they
-	# need too - additional routes too
-	# However, no extra modules are loaded as they are just not needed
-	if [[ ${iface} == "lo" ]] ; then
-		metric_lo="0"
-		config_lo=( "127.0.0.1/8 brd 127.255.255.255" "${config_lo[@]}" )
-		routes_lo=( "127.0.0.0/8" "${routes_lo[@]}" )
-	elif [[ ${iface} == "lo0" ]] ; then
-		metric_lo0="0"
-		config_lo0=( "127.0.0.1/8 brd 127.255.255.255" "${config_lo[@]}" )
-		routes_lo0=( "127.0.0.0/8" "${routes_lo[@]}" )
-	fi
-
-	# We may not have a loaded module for ${iface}
-	# Some users may have "alias natsemi eth0" in /etc/modules.d/foo
-	# so we can work with this
-	# However, if they do the same with eth1 and try to start it
-	# but eth0 has not been loaded then the module gets loaded as
-	# eth0.
-	# Not much we can do about this :(
-	# Also, we cannot error here as some modules - such as bridge
-	# create interfaces
-	if ! interface_exists "${iface}" ; then
-		/sbin/modprobe "${iface}" &>/dev/null
-	fi
-
-	# Call user-defined preup function if it exists
-	if is_function preup ; then
-		einfo "Running preup function"
-		eindent
-		( preup "${iface}" )
-		eend "$?" "preup ${iface} failed" || return 1
-		eoutdent
-	fi
-
-	# If config is set to noop and the interface is up with an address
-	# then we don't start it
-	local config=
-	config="config_${IFVAR}[@]"
-	config=( "${!config}" )
-	if [[ ${config[0]} == "noop" ]] && interface_is_up "${iface}" true ; then
-		einfo "Keeping current configuration for ${iface}"
-		eend 0
-	else
-		# Remove noop from the config var
-		[[ ${config[0]} == "noop" ]] \
-			&& eval "config_${IFVAR}=( "\"\$\{config\[@\]:1\}\"" )"
-
-		# There may be existing ip address info - so we strip it
-		if [[ ${RC_INTERFACE_KEEP_CONFIG} != "yes" \
-			&& ${IN_BACKGROUND} != "true" ]] ; then
-			interface_del_addresses "${iface}"
-		fi
-
-		# Start the interface
-		if ! iface_start "${iface}" ; then
-			if [[ ${IN_BACKGROUND} != "true" ]] ; then
-				interface_exists "${iface}" && interface_down "${iface}"
-			fi
-			eend 1
-			return 1
-		fi
-	fi
-
-	# Call user-defined postup function if it exists
-	if is_function postup ; then
-		# We need to mark the service as started incase a
-		# postdown function wants to restart services that depend on us
-		mark_service_started "net.${iface}"
-		end_service "net.${iface}" 0
-		einfo "Running postup function"
-		eindent
-		( postup "${iface}" )
-		eoutdent
-	fi
-
-	return 0
-}
-
-# bool run_stop(char *iface) {
-#
-# Brings down ${iface}.  If predown call returns non-zero, then
-# stop returns non-zero to indicate failure bringing down device.
-# In all other cases stop returns 0 to indicate success.
-run_stop() {
-	local iface="$1" IFVAR=$(bash_variable "$1") x
-
-	# Load our ESSID variable so users can use it in predown() instead
-	# of having to write code.
-	local ESSID=$(get_options ESSID) ESSIDVAR=
-	[[ -n ${ESSID} ]] && ESSIDVAR=$(bash_variable "${ESSID}")
-
-	# Call user-defined predown function if it exists
-	if is_function predown ; then
-		einfo "Running predown function"
-		eindent
-		( predown "${iface}" )
-		eend $? "predown ${iface} failed" || return 1
-		eoutdent
-	elif is_net_fs / ; then
-		eerror "root filesystem is network mounted -- can't stop ${iface}"
-		return 1
-	elif is_union_fs / ; then
-		for x in $(unionctl "${dir}" --list \
-		| sed -e 's/^\(.*\) .*/\1/') ; do
-			if is_net_fs "${x}" ; then
-				eerror "Part of the root filesystem is network mounted - cannot stop ${iface}"
-				return 1
-			fi
-		done
-	fi
-
-	iface_stop "${iface}" || return 1  # always succeeds, btw
-
-	# Release resolv.conf information.
-	[[ -x /sbin/resolvconf ]] && resolvconf -d "${iface}"
-	
-	# Mark us as inactive if called from the background
-	[[ ${IN_BACKGROUND} == "true" ]] && mark_service_inactive "net.${iface}"
-
-	# Call user-defined postdown function if it exists
-	if is_function postdown ; then
-		# We need to mark the service as stopped incase a
-		# postdown function wants to restart services that depend on us
-		[[ ${IN_BACKGROUND} != "true" ]] && mark_service_stopped "net.${iface}"
-		end_service "net.${iface}" 0
-		einfo "Running postdown function"
-		eindent
-		( postdown "${iface}" )
-		eoutdent
-	fi
-
-
-	return 0
-}
-
-# bool run(char *iface, char *cmd)
-#
-# Main start/stop entry point
-# We load modules here and remove any functions that they
-# added as we may be called inside the same shell scope for another interface
-run() {
-	local iface="$1" cmd="$2" r=1 RC_INDENTATION="${RC_INDENTATION}"
-	local starting=true
-	local -a MODULES=() mods=()
-	local IN_BACKGROUND="${IN_BACKGROUND}"
-
-	if [[ ${IN_BACKGROUND} == "true" || ${IN_BACKGROUND} == "1" ]] ; then
-		IN_BACKGROUND=true
-	else
-		IN_BACKGROUND=false
-	fi
-
-	# We need to override the exit function as runscript.sh now checks
-	# for it. We need it so we can mark the service as inactive ourselves.
-	unset -f exit
-
-	eindent
-	[[ ${cmd} == "stop" ]] && starting=false
-
-	# We force lo to only use these modules for a major speed boost
-	if is_loopback "${iface}" ; then	
-		modules_force=( "iproute2" "ifconfig" "system" )
-	fi
-
-	if modules_load "${iface}" "${starting}" ; then
-		if [[ ${cmd} == "stop" ]] ; then
-			# Reverse the module list for stopping
-			mods=( "${MODULES[@]}" )
-			for ((i = 0; i < ${#mods[@]}; i++)); do
-				MODULES[i]=${mods[((${#mods[@]} - i - 1))]}
-			done
-
-			run_stop "${iface}" && r=0
-		else
-			# Only hotplug on ethernet interfaces
-			if [[ ${IN_HOTPLUG} == 1 ]] ; then
-				if ! interface_is_ethernet "${iface}" ; then
-					eerror "We only hotplug for ethernet interfaces"
-					return 1
-				fi
-			fi
-
-			run_start "${iface}" && r=0
-		fi
-	fi
-
-	if [[ ${r} != "0" ]] ; then
-		if [[ ${cmd} == "start" ]] ; then
-			# Call user-defined failup if it exists
-			if is_function failup ; then
-				einfo "Running failup function"
-				eindent
-				( failup "${iface}" )
-				eoutdent
-			fi
-		else
-			# Call user-defined faildown if it exists
-			if is_function faildown ; then
-				einfo "Running faildown function"
-				eindent
-				( faildown "${iface}" )
-				eoutdent
-			fi
-		fi
-		[[ ${IN_BACKGROUND} == "true" ]] \
-			&& mark_service_inactive "net.${iface}"
-	fi
-
-	return "${r}"
-}
-
-# bool start(void)
-#
-# Start entry point so that we only have one function
-# which localises variables and unsets functions
-start() {
-	declare -r IFACE="${SVCNAME#*.}"
-	einfo "Starting ${IFACE}"
-	run "${IFACE}" start
-}
-
-# bool stop(void)
-#
-# Stop entry point so that we only have one function
-# which localises variables and unsets functions
-stop() {
-	declare -r IFACE="${SVCNAME#*.}"
-	einfo "Stopping ${IFACE}"
-	run "${IFACE}" stop
-}
-
-# vim:ts=4
diff --git a/testing/hosts/venus/etc/ipsec.conf b/testing/hosts/venus/etc/ipsec.conf
old mode 100755
new mode 100644
index dd6a82f89..e4604cb44
--- a/testing/hosts/venus/etc/ipsec.conf
+++ b/testing/hosts/venus/etc/ipsec.conf
@@ -13,7 +13,7 @@ conn nat-t
 	leftcert=venusCert.pem
 	leftid=@venus.strongswan.org
 	leftfirewall=yes
-	right=PH_IP_SUN
+	right=192.168.0.2
 	rightid=@sun.strongswan.org
 	rightsubnet=10.2.0.0/16
 	auto=add
diff --git a/testing/hosts/venus/etc/network/interfaces b/testing/hosts/venus/etc/network/interfaces
new file mode 100644
index 000000000..9cbae6041
--- /dev/null
+++ b/testing/hosts/venus/etc/network/interfaces
@@ -0,0 +1,12 @@
+auto lo
+iface lo inet loopback
+
+auto eth0
+iface eth0 inet static
+	address 10.1.0.20
+	netmask 255.255.0.0
+	broadcast 10.1.255.255
+	gateway 10.1.0.1
+iface eth0 inet6 static
+	address fec1::20
+	netmask 16
diff --git a/testing/hosts/venus/etc/runlevels/default/net.eth0 b/testing/hosts/venus/etc/runlevels/default/net.eth0
deleted file mode 100755
index 92b3851cf..000000000
--- a/testing/hosts/venus/etc/runlevels/default/net.eth0
+++ /dev/null
@@ -1,1124 +0,0 @@
-#!/sbin/runscript
-# Copyright (c) 2004-2006 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-# Contributed by Roy Marples (uberlord@gentoo.org)
-# Many thanks to Aron Griffis (agriffis@gentoo.org)
-# for help, ideas and patches
-
-#NB: Config is in /etc/conf.d/net
-
-# For pcmcia users. note that pcmcia must be added to the same
-# runlevel as the net.* script that needs it.
-depend() {
-	need localmount
-	after bootmisc hostname
-	use isapnp isdn pcmcia usb wlan
-
-	# Load any custom depend functions for the given interface
-	# For example, br0 may need eth0 and eth1
-	local iface="${SVCNAME#*.}"
-	[[ $(type -t "depend_${iface}") == "function" ]] && depend_${iface}
-
-	if [[ ${iface} != "lo" && ${iface} != "lo0" ]] ; then
-		after net.lo net.lo0
-
-		# Support new style RC_NEED and RC_USE in one net file
-		local x="RC_NEED_${iface}"
-		[[ -n ${!x} ]] && need ${!x}
-		x="RC_USE_${iface}"
-		[[ -n ${!x} ]] && use ${!x}
-	fi
-
-	return 0
-}
-
-# Define where our modules are
-MODULES_DIR="${svclib}/net"
-
-# Make some wrappers to fudge after/before/need/use depend flags.
-# These are callbacks so MODULE will be set.
-after() {
-	eval "${MODULE}_after() { echo \"$*\"; }"
-}
-before() {
-	eval "${MODULE}_before() { echo \"$*\"; }"
-}
-need() {
-	eval "${MODULE}_need() { echo \"$*\"; }"
-}
-installed() {
-	# We deliberately misspell this as _installed will probably be used
-	# at some point
-	eval "${MODULE}_instlled() { echo \"$*\"; }"
-}
-provide() {
-	eval "${MODULE}_provide() { echo \"$*\"; }"
-}
-functions() {
-	eval "${MODULE}_functions() { echo \"$*\"; }"
-}
-variables() {
-	eval "${MODULE}_variables() { echo \"$*\"; }"
-}
-
-is_loopback() {
-	[[ $1 == "lo" || $1 == "lo0" ]]
-}
-
-# char* interface_device(char *iface)
-#
-# Gets the base device of the interface
-# Can handle eth0:1 and eth0.1
-# Which returns eth0 in this case
-interface_device() {
-	local dev="${1%%.*}"
-	[[ ${dev} == "$1" ]] && dev="${1%%:*}"
-	echo "${dev}"
-}
-
-# char* interface_type(char* iface)
-#
-# Returns the base type of the interface
-# eth, ippp, etc
-interface_type() {
-	echo "${1%%[0-9]*}"
-}
-
-# int calculate_metric(char *interface, int base)
-#
-# Calculates the best metric for the interface
-# We use this when we add routes so we can prefer interfaces over each other
-calculate_metric() {
-	local iface="$1" metric="$2"
-
-	# Have we already got a metric?
-	local m=$(awk '$1=="'${iface}'" && $2=="00000000" { print $7 }' \
-		/proc/net/route)
-	if [[ -n ${m} ]] ; then
-		echo "${m}"
-		return 0
-	fi
-
-	local i= dest= gw= flags= ref= u= m= mtu= metrics=
-	while read i dest gw flags ref u m mtu ; do
-		# Ignore lo
-		is_loopback "${i}" && continue
-		# We work out metrics from default routes only
-		[[ ${dest} != "00000000" || ${gw} == "00000000" ]] && continue
-		metrics="${metrics}\n${m}"
-	done < /proc/net/route
-
-	# Now, sort our metrics
-	metrics=$(echo -e "${metrics}" | sort -n)
-
-	# Now, find the lowest we can use
-	local gotbase=false
-	for m in ${metrics} ; do
-		[[ ${m} -lt ${metric} ]] && continue
-		[[ ${m} == ${metric} ]] && ((metric++))
-		[[ ${m} -gt ${metric} ]] && break
-	done
-	
-	echo "${metric}"
-}
-
-# int netmask2cidr(char *netmask)
-#
-# Returns the CIDR of a given netmask
-netmask2cidr() {
-	local binary= i= bin=
-
-	for i in ${1//./ }; do
-		bin=""
-		while [[ ${i} != "0" ]] ; do
-			bin=$[${i}%2]${bin}
-			(( i=i>>1 ))
-		done
-		binary="${binary}${bin}"
-	done
-	binary="${binary%%0*}"
-	echo "${#binary}"
-}
-
-
-# bool is_function(char* name)
-#
-# Returns 0 if the given name is a shell function, otherwise 1
-is_function() {
-	[[ -z $1 ]] && return 1
-	[[ $(type -t "$1") == "function" ]]
-}
-
-# void function_wrap(char* source, char* target)
-#
-# wraps function calls - for example function_wrap(this, that)
-# maps function names this_* to that_*
-function_wrap() {
-	local i=
-
-	is_function "${2}_depend" && return
-
-	for i in $(typeset -f | grep -o '^'"${1}"'_[^ ]*'); do
-		eval "${2}${i#${1}}() { ${i} \"\$@\"; }"
-	done
-}
-
-# char[] * expand_parameters(char *cmd)
-#
-# Returns an array after expanding parameters. For example
-# "192.168.{1..3}.{1..3}/24 brd +"
-# will return
-# "192.168.1.1/24 brd +"
-# "192.168.1.2/24 brd +"
-# "192.168.1.3/24 brd +"
-# "192.168.2.1/24 brd +"
-# "192.168.2.2/24 brd +"
-# "192.168.2.3/24 brd +"
-# "192.168.3.1/24 brd +"
-# "192.168.3.2/24 brd +"
-# "192.168.3.3/24 brd +"
-expand_parameters() {
-	local x=$(eval echo ${@// /_})
-	local -a a=( ${x} )
-
-	a=( "${a[@]/#/\"}" )
-	a=( "${a[@]/%/\"}" )
-	echo "${a[*]//_/ }"
-}
-
-# void configure_variables(char *interface, char *option1, [char *option2])
-#
-# Maps configuration options from <variable>_<option> to <variable>_<iface>
-# option2 takes precedence over option1
-configure_variables() {
-	local iface="$1" option1="$2" option2="$3"
-
-	local mod= func= x= i=
-	local -a ivars=() ovars1=() ovars2=()
-	local ifvar=$(bash_variable "${iface}")
-
-	for mod in ${MODULES[@]}; do
-		is_function ${mod}_variables || continue
-		for v in $(${mod}_variables) ; do
-			x=
-			[[ -n ${option2} ]] && x="${v}_${option2}[@]"
-			[[ -z ${!x} ]] && x="${v}_${option1}[@]"
-			[[ -n ${!x} ]] && eval "${v}_${ifvar}=( \"\${!x}\" )"
-		done
-	done
-
-	return 0
-}
-# bool module_load_minimum(char *module)
-#
-# Does the minimum checking on a module - even when forcing
-module_load_minimum() {
-	local f="$1.sh" MODULE="${1##*/}"
-
-	if [[ ! -f ${f} ]] ; then
-		eerror "${f} does not exist"
-		return 1
-	fi
-
-	if ! source "${f}" ; then
-		eerror "${MODULE} failed a sanity check"
-		return 1
-	fi
-
-	for f in depend; do
-		is_function "${MODULE}_${f}" && continue
-		eerror "${MODULE}.sh does not support the required function ${f}"
-		return 1
-	done
-
-	return 0
-}
-
-# bool modules_load_auto()
-#
-# Load and check each module for sanity
-# If the module is not installed, the functions are to be removed
-modules_load_auto() {
-	local i j inst
-
-	# Populate the MODULES array
-	# Basically we treat evey file in ${MODULES_DIR} as a module
-	MODULES=( $( cd "${MODULES_DIR}" ; ls *.sh ) )
-	j="${#MODULES[@]}"
-	for (( i=0; i<j; i++ )); do
-		MODULES[i]="${MODULES_DIR}/${MODULES[i]}"
-		[[ ! -f ${MODULES[i]} ]] && unset MODULES[i]
-	done
-	MODULES=( "${MODULES[@]}" )
-
-	# Each of these sources into the global namespace, so it's
-	# important that module functions and variables are prefixed with
-	# the module name, for example iproute2_
-
-	j="${#MODULES[@]}"
-	loaded_interface=false
-	for (( i=0; i<j; i++ )); do
-		MODULES[i]="${MODULES[i]%.sh*}"
-		if [[ ${MODULES[i]##*/} == "interface" ]] ; then
-			eerror "interface is a reserved name - cannot load a module called interface"
-			return 1
-		fi
-		
-		(
-		u=0;
-		module_load_minimum "${MODULES[i]}" || u=1;
-		if [[ ${u} == 0 ]] ; then
-			inst="${MODULES[i]##*/}_check_installed";
-			if is_function "${inst}" ; then
-				${inst} false || u=1;
-			fi
-		fi
-		exit "${u}";
-		)
-
-		if [[ $? == 0 ]] ; then
-			source "${MODULES[i]}.sh"
-			MODULES[i]="${MODULES[i]##*/}"
-		else
-			unset MODULES[i]
-		fi
-	done
-
-	MODULES=( "${MODULES[@]}" )
-	return 0
-}
-
-# bool modules_check_installed(void)
-#
-# Ensure that all modules have the required modules loaded
-# This enables us to remove modules from the MODULES array
-# Whilst other modules can still explicitly call them
-# One example of this is essidnet which configures network
-# settings for the specific ESSID connected to as the user
-# may be using a daemon to configure wireless instead of our
-# iwconfig module
-modules_check_installed() {
-	local i j missingdeps nmods="${#MODULES[@]}"
-
-	for (( i=0; i<nmods; i++ )); do
-		is_function "${MODULES[i]}_instlled" || continue
-		for j in $( ${MODULES[i]}_instlled ); do
-			missingdeps=true
-			if is_function "${j}_check_installed" ; then
-				${j}_check_installed && missingdeps=false
-			elif is_function "${j}_depend" ; then
-				missingdeps=false
-			fi
-			${missingdeps} && unset MODULES[i] && unset PROVIDES[i] && break
-		done
-	done
-
-	MODULES=( "${MODULES[@]}" )
-	PROVIDES=( "${PROVIDES[@]}" )
-}
-
-# bool modules_check_user(void)
-modules_check_user() {
-	local iface="$1" ifvar=$(bash_variable "${IFACE}")
-	local i= j= k= l= nmods="${#MODULES[@]}"
-	local -a umods=()
-
-	# Has the interface got any specific modules?
-	umods="modules_${ifvar}[@]"
-	umods=( "${!umods}" )
-
-	# Global setting follows interface-specific setting
-	umods=( "${umods[@]}" "${modules[@]}" )
-
-	# Add our preferred modules
-	local -a pmods=( "iproute2" "dhcpcd" "iwconfig" "netplugd" )
-	umods=( "${umods[@]}" "${pmods[@]}" )
-
-	# First we strip any modules that conflict from user settings
-	# So if the user specifies pump then we don't use dhcpcd
-	for (( i=0; i<${#umods[@]}; i++ )); do
-		# Some users will inevitably put "dhcp" in their modules
-		# list.  To keep users from screwing up their system this
-		# way, ignore this setting so that the default dhcp
-		# module will be used.
-		[[ ${umods[i]} == "dhcp" ]] && continue
-
-		# We remove any modules we explicitly don't want
-		if [[ ${umods[i]} == "!"* ]] ; then
-			for (( j=0; j<nmods; j++ )); do
-				[[ -z ${MODULES[j]} ]] && continue
-				if [[ ${umods[i]:1} == "${MODULES[j]}" \
-					|| ${umods[i]:1} == "${PROVIDES[j]}" ]] ; then
-					# We may need to setup a class wrapper for it even though
-					# we don't use it directly
-					# However, we put it into an array and wrap later as
-					# another module may provide the same thing
-					${MODULES[j]}_check_installed \
-						&& WRAP_MODULES=(
-							"${WRAP_MODULES[@]}"
-							"${MODULES[j]} ${PROVIDES[j]}"
-						)
-					unset MODULES[j]
-					unset PROVIDES[j]
-				fi
-			done
-			continue
-		fi
-
-		if ! is_function "${umods[i]}_depend" ; then
-			# If the module is one of our preferred modules, then
-			# ignore this error; whatever is available will be
-			# used instead.
-			(( i < ${#umods[@]} - ${#pmods[@]} )) || continue
-
-			# The function may not exist because the modules software is
-			# not installed. Load the module and report its error
-			if [[ -e "${MODULES_DIR}/${umods[i]}.sh" ]] ; then
-				source "${MODULES_DIR}/${umods[i]}.sh"
-				is_function "${umods[i]}_check_installed" \
-					&& ${umods[i]}_check_installed true
-			else
-				eerror "The module \"${umods[i]}\" does not exist"
-			fi
-			return 1
-		fi
-
-		if is_function "${umods[i]}_provide" ; then
-			mod=$(${umods[i]}_provide)
-		else
-			mod="${umods[i]}"
-		fi
-		for (( j=0; j<nmods; j++ )); do
-			[[ -z ${MODULES[j]} ]] && continue
-			if [[ ${PROVIDES[j]} == "${mod}" && ${umods[i]} != "${MODULES[j]}" ]] ; then
-				# We don't have a match - now ensure that we still provide an
-				# alternative. This is to handle our preferred modules.
-				for (( l=0; l<nmods; l++ )); do
-					[[ ${l} == "${j}" || -z ${MODULES[l]} ]] && continue
-					if [[ ${PROVIDES[l]} == "${mod}" ]] ; then
-						unset MODULES[j]
-						unset PROVIDES[j]
-						break
-					fi
-				done
-			fi
-		done
-	done
-
-	# Then we strip conflicting modules.
-	# We only need to do this for 3rd party modules that conflict with
-	# our own modules and the preferred list AND the user modules
-	# list doesn't specify a preference.
-	for (( i=0; i<nmods-1; i++ )); do
-		[[ -z ${MODULES[i]} ]] && continue			
-		for (( j=i+1; j<nmods; j++)); do
-			[[ -z ${MODULES[j]} ]] && continue
-			[[ ${PROVIDES[i]} == "${PROVIDES[j]}" ]] \
-			&& unset MODULES[j] && unset PROVIDES[j]
-		done
-	done
-
-	MODULES=( "${MODULES[@]}" )
-	PROVIDES=( "${PROVIDES[@]}" )
-	return 0
-}
-
-# void modules_sort(void)
-#
-# Sort our modules
-modules_sort() {
-	local i= j= nmods=${#MODULES[@]} m=
-	local -a provide=() provide_list=() after=() dead=() sorted=() sortedp=()
-
-	# Make our provide list
-	for ((i=0; i<nmods; i++)); do
-		dead[i]="false"
-		if [[ ${MODULES[i]} != "${PROVIDES[i]}" ]] ; then
-			local provided=false
-			for ((j=0; j<${#provide[@]}; j++)); do
-				if [[ ${provide[j]} == "${PROVIDES[i]}" ]] ; then
-					provide_list[j]="${provide_list[j]} ${MODULES[i]}"
-					provided=true
-				fi
-			done
-			if ! ${provided}; then
-				provide[j]="${PROVIDES[i]}"
-				provide_list[j]="${MODULES[i]}"
-			fi
-		fi
-	done
-
-	# Create an after array, which holds which modules the module at
-	# index i must be after
-	for ((i=0; i<nmods; i++)); do
-		if is_function "${MODULES[i]}_after" ; then
-			after[i]=" ${after[i]} $(${MODULES[i]}_after) "
-		fi
-		if is_function "${MODULES[i]}_before" ; then
-			for m in $(${MODULES[i]}_before); do
-				for ((j=0; j<nmods; j++)) ; do
-					if [[ ${PROVIDES[j]} == "${m}" ]] ; then
-						after[j]=" ${after[j]} ${MODULES[i]} "
-						break
-					fi
-				done
-			done
-		fi
-	done
-
-	# Replace the after list modules with real modules
-	for ((i=0; i<nmods; i++)); do
-		if [[ -n ${after[i]} ]] ; then
-			for ((j=0; j<${#provide[@]}; j++)); do
-				after[i]="${after[i]// ${provide[j]} / ${provide_list[j]} }"
-			done
-		fi
-	done
-	
-	# We then use the below code to provide a topologial sort
-    module_after_visit() {
-        local name="$1" i= x=
-
-		for ((i=0; i<nmods; i++)); do
-			[[ ${MODULES[i]} == "$1" ]] && break
-		done
-
-        ${dead[i]} && return
-        dead[i]="true"
-
-        for x in ${after[i]} ; do
-            module_after_visit "${x}"
-        done
-
-        sorted=( "${sorted[@]}" "${MODULES[i]}" )
-		sortedp=( "${sortedp[@]}" "${PROVIDES[i]}" )
-    }
-
-	for x in ${MODULES[@]}; do
-		module_after_visit "${x}"
-	done
-
-	MODULES=( "${sorted[@]}" )
-	PROVIDES=( "${sortedp[@]}" )
-}
-
-# bool modules_check_depends(bool showprovides)
-modules_check_depends() {
-	local showprovides="${1:-false}" nmods="${#MODULES[@]}" i= j= needmod=
-	local missingdeps= p= interface=false
-
-	for (( i=0; i<nmods; i++ )); do
-		if is_function "${MODULES[i]}_need" ; then
-			for needmod in $(${MODULES[i]}_need); do
-				missingdeps=true
-				for (( j=0; j<nmods; j++ )); do
-					if [[ ${needmod} == "${MODULES[j]}" \
-						|| ${needmod} == "${PROVIDES[j]}" ]] ; then
-						missingdeps=false
-						break
-					fi
-				done
-				if ${missingdeps} ; then
-					eerror "${MODULES[i]} needs ${needmod} (dependency failure)"
-					return 1
-				fi
-			done
-		fi
-
-		if is_function "${MODULES[i]}_functions" ; then
-			for f in $(${MODULES[i]}_functions); do
-				if ! is_function "${f}" ; then
-					eerror "${MODULES[i]}: missing required function \"${f}\""
-					return 1
-				fi
-			done
-		fi
-
-		[[ ${PROVIDES[i]} == "interface" ]] && interface=true
-
-		if ${showprovides} ; then
-			[[ ${PROVIDES[i]} != "${MODULES[i]}" ]] \
-			&& veinfo "${MODULES[i]} provides ${PROVIDES[i]}"
-		fi
-	done
-
-	if ! ${interface} ; then
-		eerror "no interface module has been loaded"
-		return 1
-	fi
-
-	return 0
-}
-
-# bool modules_load(char *iface, bool starting)
-#
-# Loads the defined handler and modules for the interface
-# Returns 0 on success, otherwise 1
-modules_load()  {
-	local iface="$1" starting="${2:-true}" MODULE= p=false i= j= k=
-	local -a x=()
-	local RC_INDENTATION="${RC_INDENTATION}"
-	local -a PROVIDES=() WRAP_MODULES=()
-
-	if ! is_loopback "${iface}" ; then
-		x="modules_force_${iface}[@]"
-		[[ -n ${!x} ]] && modules_force=( "${!x}" )
-		if [[ -n ${modules_force} ]] ; then
-			ewarn "WARNING: You are forcing modules!"
-			ewarn "Do not complain or file bugs if things start breaking"
-			report=true
-		fi
-	fi
-
-	veinfo "Loading networking modules for ${iface}"
-	eindent
-
-	if [[ -z ${modules_force} ]] ; then
-		modules_load_auto || return 1
-	else
-		j="${#modules_force[@]}"
-		for (( i=0; i<j; i++ )); do
-			module_load_minimum "${MODULES_DIR}/${modules_force[i]}" || return 1
-			if is_function "${modules_force[i]}_check_installed" ; then
-				${modules_force[i]}_check_installed || unset modules_force[i]
-			fi
-		done
-		MODULES=( "${modules_force[@]}" )
-	fi
-
-	j="${#MODULES[@]}"
-	for (( i=0; i<j; i++ )); do
-		# Now load our dependencies - we need to use the MODULE variable
-		# here as the after/before/need functions use it
-		MODULE="${MODULES[i]}"
-		${MODULE}_depend
-
-		# expose does exactly the same thing as depend
-		# However it is more "correct" as it exposes things to other modules
-		# instead of depending on them ;)
-		is_function "${MODULES[i]}_expose" && ${MODULES[i]}_expose
-
-		# If no provide is given, assume module name
-		if is_function "${MODULES[i]}_provide" ; then
-			PROVIDES[i]=$(${MODULES[i]}_provide)
-		else
-			PROVIDES[i]="${MODULES[i]}"
-		fi
-	done
-
-	if [[ -n ${modules_force[@]} ]] ; then
-		# Strip any duplicate modules providing the same thing
-		j="${#MODULES[@]}"
-		for (( i=0; i<j-1; i++ )); do
-			[[ -z ${MODULES[i]} ]] && continue
-			for (( k=i+1; k<j; k++ )); do
-				if [[ ${PROVIDES[i]} == ${PROVIDES[k]} ]] ; then
-					unset MODULES[k]
-					unset PROVIDES[k]
-				fi
-			done
-		done
-		MODULES=( "${MODULES[@]}" )
-		PROVIDES=( "${PROVIDES[@]}" )
-	else
-		if ${starting}; then
-			modules_check_user "${iface}" || return 1
-		else
-			# Always prefer iproute2 for taking down interfaces
-			if is_function iproute2_provide ; then
-				function_wrap iproute2 "$(iproute2_provide)"
-			fi
-		fi
-	fi
-	
-	# Wrap our modules
-	j="${#MODULES[@]}"
-	for (( i=0; i<j; i++ )); do
-		function_wrap "${MODULES[i]}" "${PROVIDES[i]}"
-	done
-	j="${#WRAP_MODULES[@]}"
-	for (( i=0; i<j; i++ )); do
-		function_wrap ${WRAP_MODULES[i]}
-	done
-	
-	if [[ -z ${modules_force[@]} ]] ; then
-		modules_check_installed || return 1
-		modules_sort || return 1
-	fi
-
-	veinfo "modules: ${MODULES[@]}"
-	eindent
-
-	${starting} && p=true
-	modules_check_depends "${p}" || return 1
-	return 0
-}
-
-# bool iface_start(char *interface)
-#
-# iface_start is called from start.  It's expected to start the base
-# interface (for example "eth0"), aliases (for example "eth0:1") and to start
-# VLAN interfaces (for example eth0.0, eth0.1).  VLAN setup is accomplished by
-# calling itself recursively.
-iface_start() {
-	local iface="$1" mod config_counter="-1" x config_worked=false
-	local RC_INDENTATION="${RC_INDENTATION}"
-	local -a config=() fallback=() fallback_route=() conf=() a=() b=()
-	local ifvar=$(bash_variable "$1") i= j= metric=0
-
-	# pre Start any modules with
-	for mod in ${MODULES[@]}; do
-		if is_function "${mod}_pre_start" ; then
-			${mod}_pre_start "${iface}" || { eend 1; return 1; }
-		fi
-	done
-
-	x="metric_${ifvar}"
-	# If we don't have a metric then calculate one
-	# Our modules will set the metric variable to a suitable base
-	# in their pre starts.
-	if [[ -z ${!x} ]] ; then
-		eval "metric_${ifvar}=\"$(calculate_metric "${iface}" "${metric}")\""
-	fi
-
-	# We now expand the configuration parameters and pray that the
-	# fallbacks expand to the same number as config or there will be
-	# trouble!
-	a="config_${ifvar}[@]"
-	a=( "${!a}" )
-	for (( i=0; i<${#a[@]}; i++ )); do 
-		eval b=( $(expand_parameters "${a[i]}") )
-		config=( "${config[@]}" "${b[@]}" )
-	done
-
-	a="fallback_${ifvar}[@]"
-	a=( "${!a}" )
-	for (( i=0; i<${#a[@]}; i++ )); do 
-		eval b=( $(expand_parameters "${a[i]}") )
-		fallback=( "${fallback[@]}" "${b[@]}" )
-	done
-
-	# We don't expand routes
-	fallback_route="fallback_route_${ifvar}[@]"
-	fallback_route=( "${!fallback_route}" )
-	
-	# We must support old configs
-	if [[ -z ${config} ]] ; then
-		interface_get_old_config "${iface}" || return 1
-		if [[ -n ${config} ]] ; then
-			ewarn "You are using a deprecated configuration syntax for ${iface}"
-			ewarn "You are advised to read /etc/conf.d/net.example and upgrade it accordingly"
-		fi
-	fi
-
-	# Handle "noop" correctly
-	if [[ ${config[0]} == "noop" ]] ; then
-		if interface_is_up "${iface}" true ; then
-			einfo "Keeping current configuration for ${iface}"
-			eend 0
-			return 0
-		fi
-
-		# Remove noop from the config var
-		config=( "${config[@]:1}" )
-	fi
-
-	# Provide a default of DHCP if no configuration is set and we're auto
-	# Otherwise a default of NULL
-	if [[ -z ${config} ]] ; then
-		ewarn "Configuration not set for ${iface} - assuming DHCP"
-		if is_function "dhcp_start" ; then
-			config=( "dhcp" )
-		else
-			eerror "No DHCP client installed"
-			return 1
-		fi
-	fi
-
-	einfo "Bringing up ${iface}"
-	eindent
-	for (( config_counter=0; config_counter<${#config[@]}; config_counter++ )); do
-		# Handle null and noop correctly
-		if [[ ${config[config_counter]} == "null" \
-			|| ${config[config_counter]} == "noop" ]] ; then
-			eend 0
-			config_worked=true
-			continue
-		fi
-
-		# We convert it to an array - this has the added
-		# bonus of trimming spaces!
-		conf=( ${config[config_counter]} )
-		einfo "${conf[0]}"
-
-		# Do we have a function for our config?
-		if is_function "${conf[0]}_start" ; then
-			eindent
-			${conf[0]}_start "${iface}" ; x=$?
-			eoutdent
-			[[ ${x} == 0 ]] && config_worked=true && continue
-			# We need to test to see if it's an IP address or a function
-			# We do this by testing if the 1st character is a digit
-		elif [[ ${conf[0]:0:1} == [[:digit:]] || ${conf[0]} == *:* ]] ; then
-			x="0"
-			if ! is_loopback "${iface}" ; then
-				if [[ " ${MODULES[@]} " == *" arping "* ]] ; then
-					if arping_address_exists "${iface}" "${conf[0]}" ; then
-						eerror "${conf[0]%%/*} already taken on ${iface}"
-						x="1"
-					fi
-				fi
-			fi
-			[[ ${x} == "0" ]] && interface_add_address "${iface}" ${conf[@]}; x="$?"
-			eend "${x}" && config_worked=true && continue
-		else
-			if [[ ${conf[0]} == "dhcp" ]] ; then
-				eerror "No DHCP client installed"
-			else
-				eerror "No loaded modules provide \"${conf[0]}\" (${conf[0]}_start)"
-			fi
-		fi
-
-		if [[ -n ${fallback[config_counter]} ]] ; then
-			einfo "Trying fallback configuration"
-			config[config_counter]="${fallback[config_counter]}"
-			fallback[config_counter]=""
-
-			# Do we have a fallback route?
-			if [[ -n ${fallback_route[config_counter]} ]] ; then
-				x="fallback_route[config_counter]"
-				eval "routes_${ifvar}=( \"\${!x}\" )"
-				fallback_route[config_counter]=""
-			fi
-
-			(( config_counter-- )) # since the loop will increment it
-			continue
-		fi
-	done
-	eoutdent
-
-	# We return failure if no configuration parameters worked
-	${config_worked} || return 1
-
-	# Start any modules with _post_start
-	for mod in ${MODULES[@]}; do
-		if is_function "${mod}_post_start" ; then
-			${mod}_post_start "${iface}" || return 1
-		fi
-	done
-
-	return 0
-}
-
-# bool iface_stop(char *interface)
-#
-# iface_stop: bring down an interface.  Don't trust information in
-# /etc/conf.d/net since the configuration might have changed since
-# iface_start ran.  Instead query for current configuration and bring
-# down the interface.
-iface_stop() {
-	local iface="$1" i= aliases= need_begin=false mod=
-	local RC_INDENTATION="${RC_INDENTATION}"
-
-	# pre Stop any modules
-	for mod in ${MODULES[@]}; do
-		if is_function "${mod}_pre_stop" ; then
-			${mod}_pre_stop "${iface}" || return 1
-		fi
-	done
-
-	einfo "Bringing down ${iface}"
-	eindent
-
-	# Collect list of aliases for this interface.
-	# List will be in reverse order.
-	if interface_exists "${iface}" ; then
-		aliases=$(interface_get_aliases_rev "${iface}")
-	fi
-
-	# Stop aliases before primary interface.
-	# Note this must be done in reverse order, since ifconfig eth0:1 
-	# will remove eth0:2, etc.  It might be sufficient to simply remove 
-	# the base interface but we're being safe here.
-	for i in ${aliases} ${iface}; do
-		# Stop all our modules
-		for mod in ${MODULES[@]}; do
-			if is_function "${mod}_stop" ; then
-				${mod}_stop "${i}" || return 1
-			fi
-		done
-
-		# A module may have removed the interface
-		if ! interface_exists "${iface}" ; then
-			eend 0
-			continue
-		fi
-
-		# We don't delete ppp assigned addresses
-		if ! is_function pppd_exists || ! pppd_exists "${i}" ; then
-			# Delete all the addresses for this alias
-			interface_del_addresses "${i}"
-		fi
-
-		# Do final shut down of this alias
-		if [[ ${IN_BACKGROUND} != "true" \
-			&& ${RC_DOWN_INTERFACE} == "yes" ]] ; then
-			ebegin "Shutting down ${i}"
-			interface_iface_stop "${i}"
-			eend "$?"
-		fi
-	done
-
-	# post Stop any modules
-	for mod in ${MODULES[@]}; do
-		# We have already taken down the interface, so no need to error
-		is_function "${mod}_post_stop" && ${mod}_post_stop "${iface}"
-	done
-
-	return 0
-}
-
-# bool run_start(char *iface)
-#
-# Brings up ${IFACE}.  Calls preup, iface_start, then postup.
-# Returns 0 (success) unless preup or iface_start returns 1 (failure).
-# Ignores the return value from postup.
-# We cannot check that the device exists ourselves as modules like
-# tuntap make create it.
-run_start() {
-	local iface="$1" IFVAR=$(bash_variable "$1")
-
-	# We do this so users can specify additional addresses for lo if they
-	# need too - additional routes too
-	# However, no extra modules are loaded as they are just not needed
-	if [[ ${iface} == "lo" ]] ; then
-		metric_lo="0"
-		config_lo=( "127.0.0.1/8 brd 127.255.255.255" "${config_lo[@]}" )
-		routes_lo=( "127.0.0.0/8" "${routes_lo[@]}" )
-	elif [[ ${iface} == "lo0" ]] ; then
-		metric_lo0="0"
-		config_lo0=( "127.0.0.1/8 brd 127.255.255.255" "${config_lo[@]}" )
-		routes_lo0=( "127.0.0.0/8" "${routes_lo[@]}" )
-	fi
-
-	# We may not have a loaded module for ${iface}
-	# Some users may have "alias natsemi eth0" in /etc/modules.d/foo
-	# so we can work with this
-	# However, if they do the same with eth1 and try to start it
-	# but eth0 has not been loaded then the module gets loaded as
-	# eth0.
-	# Not much we can do about this :(
-	# Also, we cannot error here as some modules - such as bridge
-	# create interfaces
-	if ! interface_exists "${iface}" ; then
-		/sbin/modprobe "${iface}" &>/dev/null
-	fi
-
-	# Call user-defined preup function if it exists
-	if is_function preup ; then
-		einfo "Running preup function"
-		eindent
-		( preup "${iface}" )
-		eend "$?" "preup ${iface} failed" || return 1
-		eoutdent
-	fi
-
-	# If config is set to noop and the interface is up with an address
-	# then we don't start it
-	local config=
-	config="config_${IFVAR}[@]"
-	config=( "${!config}" )
-	if [[ ${config[0]} == "noop" ]] && interface_is_up "${iface}" true ; then
-		einfo "Keeping current configuration for ${iface}"
-		eend 0
-	else
-		# Remove noop from the config var
-		[[ ${config[0]} == "noop" ]] \
-			&& eval "config_${IFVAR}=( "\"\$\{config\[@\]:1\}\"" )"
-
-		# There may be existing ip address info - so we strip it
-		if [[ ${RC_INTERFACE_KEEP_CONFIG} != "yes" \
-			&& ${IN_BACKGROUND} != "true" ]] ; then
-			interface_del_addresses "${iface}"
-		fi
-
-		# Start the interface
-		if ! iface_start "${iface}" ; then
-			if [[ ${IN_BACKGROUND} != "true" ]] ; then
-				interface_exists "${iface}" && interface_down "${iface}"
-			fi
-			eend 1
-			return 1
-		fi
-	fi
-
-	# Call user-defined postup function if it exists
-	if is_function postup ; then
-		# We need to mark the service as started incase a
-		# postdown function wants to restart services that depend on us
-		mark_service_started "net.${iface}"
-		end_service "net.${iface}" 0
-		einfo "Running postup function"
-		eindent
-		( postup "${iface}" )
-		eoutdent
-	fi
-
-	return 0
-}
-
-# bool run_stop(char *iface) {
-#
-# Brings down ${iface}.  If predown call returns non-zero, then
-# stop returns non-zero to indicate failure bringing down device.
-# In all other cases stop returns 0 to indicate success.
-run_stop() {
-	local iface="$1" IFVAR=$(bash_variable "$1") x
-
-	# Load our ESSID variable so users can use it in predown() instead
-	# of having to write code.
-	local ESSID=$(get_options ESSID) ESSIDVAR=
-	[[ -n ${ESSID} ]] && ESSIDVAR=$(bash_variable "${ESSID}")
-
-	# Call user-defined predown function if it exists
-	if is_function predown ; then
-		einfo "Running predown function"
-		eindent
-		( predown "${iface}" )
-		eend $? "predown ${iface} failed" || return 1
-		eoutdent
-	elif is_net_fs / ; then
-		eerror "root filesystem is network mounted -- can't stop ${iface}"
-		return 1
-	elif is_union_fs / ; then
-		for x in $(unionctl "${dir}" --list \
-		| sed -e 's/^\(.*\) .*/\1/') ; do
-			if is_net_fs "${x}" ; then
-				eerror "Part of the root filesystem is network mounted - cannot stop ${iface}"
-				return 1
-			fi
-		done
-	fi
-
-	iface_stop "${iface}" || return 1  # always succeeds, btw
-
-	# Release resolv.conf information.
-	[[ -x /sbin/resolvconf ]] && resolvconf -d "${iface}"
-	
-	# Mark us as inactive if called from the background
-	[[ ${IN_BACKGROUND} == "true" ]] && mark_service_inactive "net.${iface}"
-
-	# Call user-defined postdown function if it exists
-	if is_function postdown ; then
-		# We need to mark the service as stopped incase a
-		# postdown function wants to restart services that depend on us
-		[[ ${IN_BACKGROUND} != "true" ]] && mark_service_stopped "net.${iface}"
-		end_service "net.${iface}" 0
-		einfo "Running postdown function"
-		eindent
-		( postdown "${iface}" )
-		eoutdent
-	fi
-
-
-	return 0
-}
-
-# bool run(char *iface, char *cmd)
-#
-# Main start/stop entry point
-# We load modules here and remove any functions that they
-# added as we may be called inside the same shell scope for another interface
-run() {
-	local iface="$1" cmd="$2" r=1 RC_INDENTATION="${RC_INDENTATION}"
-	local starting=true
-	local -a MODULES=() mods=()
-	local IN_BACKGROUND="${IN_BACKGROUND}"
-
-	if [[ ${IN_BACKGROUND} == "true" || ${IN_BACKGROUND} == "1" ]] ; then
-		IN_BACKGROUND=true
-	else
-		IN_BACKGROUND=false
-	fi
-
-	# We need to override the exit function as runscript.sh now checks
-	# for it. We need it so we can mark the service as inactive ourselves.
-	unset -f exit
-
-	eindent
-	[[ ${cmd} == "stop" ]] && starting=false
-
-	# We force lo to only use these modules for a major speed boost
-	if is_loopback "${iface}" ; then	
-		modules_force=( "iproute2" "ifconfig" "system" )
-	fi
-
-	if modules_load "${iface}" "${starting}" ; then
-		if [[ ${cmd} == "stop" ]] ; then
-			# Reverse the module list for stopping
-			mods=( "${MODULES[@]}" )
-			for ((i = 0; i < ${#mods[@]}; i++)); do
-				MODULES[i]=${mods[((${#mods[@]} - i - 1))]}
-			done
-
-			run_stop "${iface}" && r=0
-		else
-			# Only hotplug on ethernet interfaces
-			if [[ ${IN_HOTPLUG} == 1 ]] ; then
-				if ! interface_is_ethernet "${iface}" ; then
-					eerror "We only hotplug for ethernet interfaces"
-					return 1
-				fi
-			fi
-
-			run_start "${iface}" && r=0
-		fi
-	fi
-
-	if [[ ${r} != "0" ]] ; then
-		if [[ ${cmd} == "start" ]] ; then
-			# Call user-defined failup if it exists
-			if is_function failup ; then
-				einfo "Running failup function"
-				eindent
-				( failup "${iface}" )
-				eoutdent
-			fi
-		else
-			# Call user-defined faildown if it exists
-			if is_function faildown ; then
-				einfo "Running faildown function"
-				eindent
-				( faildown "${iface}" )
-				eoutdent
-			fi
-		fi
-		[[ ${IN_BACKGROUND} == "true" ]] \
-			&& mark_service_inactive "net.${iface}"
-	fi
-
-	return "${r}"
-}
-
-# bool start(void)
-#
-# Start entry point so that we only have one function
-# which localises variables and unsets functions
-start() {
-	declare -r IFACE="${SVCNAME#*.}"
-	einfo "Starting ${IFACE}"
-	run "${IFACE}" start
-}
-
-# bool stop(void)
-#
-# Stop entry point so that we only have one function
-# which localises variables and unsets functions
-stop() {
-	declare -r IFACE="${SVCNAME#*.}"
-	einfo "Stopping ${IFACE}"
-	run "${IFACE}" stop
-}
-
-# vim:ts=4
diff --git a/testing/hosts/winnetou/etc/apache2/conf.d/testresults-as-text b/testing/hosts/winnetou/etc/apache2/conf.d/testresults-as-text
new file mode 100644
index 000000000..6f5f3011c
--- /dev/null
+++ b/testing/hosts/winnetou/etc/apache2/conf.d/testresults-as-text
@@ -0,0 +1 @@
+AddType text/plain .iptables .log .sql
diff --git a/testing/hosts/winnetou/etc/apache2/conf/ssl/ca.crt b/testing/hosts/winnetou/etc/apache2/conf/ssl/ca.crt
deleted file mode 100644
index 0de3b268d..000000000
--- a/testing/hosts/winnetou/etc/apache2/conf/ssl/ca.crt
+++ /dev/null
@@ -1,22 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDtTCCAp2gAwIBAgIBADANBgkqhkiG9w0BAQQFADBFMQswCQYDVQQGEwJDSDEZ
-MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
-b290IENBMB4XDTA0MDkxMDExMDE0NVoXDTE0MDkwODExMDE0NVowRTELMAkGA1UE
-BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMTEnN0cm9u
-Z1N3YW4gUm9vdCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAL/y
-X2LqPVZuWLPIeknK86xhz6ljd3NNhC2z+P1uoCP3sBMuZiZQEjFzhnKcbXxCeo2f
-FnvhOOjrrisSuVkzuu82oxXD3fIkzuS7m9V4E10EZzgmKWIf+WuNRfbgAuUINmLc
-4YGAXBQLPyzpP4Ou48hhz/YQo58Bics6PHy5v34qCVROIXDvqhj91P8g+pS+F21/
-7P+CH2jRcVIEHZtG8M/PweTPQ95dPzpYd2Ov6SZ/U7EWmbMmT8VcUYn1aChxFmy5
-gweVBWlkH6MP+1DeE0/tL5c87xo5KCeGK8Tdqpe7sBRC4pPEEHDQciTUvkeuJ1Pr
-K+1LwdqRxo7HgMRiDw8CAwEAAaOBrzCBrDAPBgNVHRMBAf8EBTADAQH/MAsGA1Ud
-DwQEAwIBBjAdBgNVHQ4EFgQUXafdcAZRMn7ntm2zteXgYOouTe8wbQYDVR0jBGYw
-ZIAUXafdcAZRMn7ntm2zteXgYOouTe+hSaRHMEUxCzAJBgNVBAYTAkNIMRkwFwYD
-VQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQDExJzdHJvbmdTd2FuIFJvb3Qg
-Q0GCAQAwDQYJKoZIhvcNAQEEBQADggEBAJrXTj5gWS37myHHhii9drYwkMFyDHS/
-lHU8rW/drcnHdus507+qUhNr9SiEAHg4Ywj895UDvT0a1sFaw44QyEa/94iKA8/n
-+g5kS1IrKvWu3wu8UI3EgzChgHV3cncQlQWbK+FI9Y3Ax1O1np1r+wLptoWpKKKE
-UxsYcxP9K4Nbyeon0AIHOajUheiL3t6aRc3m0o7VU7Do6S2r+He+1Zq/nRUfFeTy
-0Atebkn8tmUpPSKWaXkmwpVNrjZ1Qu9umAU+dtJyhzL2zmnyhPC4VqpsKCOp7imy
-gKZvUIKPm1zyf4T+yjwxwkiX2xVseoM3aKswb1EoZFelHwndU7u0GQ8=
------END CERTIFICATE-----
diff --git a/testing/hosts/winnetou/etc/apache2/conf/ssl/server.crt b/testing/hosts/winnetou/etc/apache2/conf/ssl/server.crt
deleted file mode 100644
index 956c217d9..000000000
--- a/testing/hosts/winnetou/etc/apache2/conf/ssl/server.crt
+++ /dev/null
@@ -1,24 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIEFTCCAv2gAwIBAgIBDjANBgkqhkiG9w0BAQQFADBFMQswCQYDVQQGEwJDSDEZ
-MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
-b290IENBMB4XDTA1MDYwODE5MTcxNFoXDTEwMDYwNzE5MTcxNFowSjELMAkGA1UE
-BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xIDAeBgNVBAMTF3dpbm5l
-dG91LnN0cm9uZ3N3YW4ub3JnMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC
-AQEAwBkz95BmByWVZaEW8cDbeuGr4C1caGAj4QPmuwaIriK+7XqXuh16Ahe3S5vZ
-F56WhUSvMDOIyULckKH84oSa3Jx/SCz0g7X42x8vZuq92tpsjcP/u7BlyqpBUtLa
-r14qm5wYw/1nQqMcSG3k9MQOQ+e9KgaGqpidxWM/8T4M/41AaFRBK2gQGBUULo26
-sjoq3af7Z2jYmWkP/kzj1CHLy9Mgt+UvhKeA+ag5cZnyOG596cqVjlKyqG7vdggk
-wW2n+/KDpHNOndYfT7GMFeGXUNzJPkCImWlttic7ssi0mjP3q3MuOP3FNHIRMd2H
-AcNcqT0bgdJHqnNzGv8C0Ei9XQIDAQABo4IBCTCCAQUwCQYDVR0TBAIwADALBgNV
-HQ8EBAMCA6gwHQYDVR0OBBYEFEMS0mbhrA4zDvmfKf4MntUNxkH4MG0GA1UdIwRm
-MGSAFF2n3XAGUTJ+57Zts7Xl4GDqLk3voUmkRzBFMQswCQYDVQQGEwJDSDEZMBcG
-A1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBSb290
-IENBggEAMCIGA1UdEQQbMBmCF3dpbm5ldG91LnN0cm9uZ3N3YW4ub3JnMDkGA1Ud
-HwQyMDAwLqAsoCqGKGh0dHA6Ly9jcmwuc3Ryb25nc3dhbi5vcmcvc3Ryb25nc3dh
-bi5jcmwwDQYJKoZIhvcNAQEEBQADggEBACO4+j1Mwt/lbkopeSJst46uFh7OtegG
-6IWNE30i3l3FIn9slSwAOMtmZR0hAF8sExvk61EPlzCR/d9trSJ5+gyjPkeF/enw
-p61rxPMT13Grzomi9gYlk6Q/0zLmE9uYWEY69Q0bEIUcfdZfwB+F7kesa946JNMc
-yHfVEhKtvzmns9ueG0S/8E+6MPDeJv+JHQ++SdWSvOVg6JNxXDGusnim2fjM2Aln
-JmqA6iU4IaPl9DUCuXlLOVv/YhwhviNEbF94upyHq8xjOZdzPbKroHXg/2yvalAw
-4aXc/ZsnFxqsq3i6a2Fj1Y4J7gYsNO/HwA0xvKz3loOTqHaJqO/qeow=
------END CERTIFICATE-----
diff --git a/testing/hosts/winnetou/etc/apache2/conf/ssl/server.key b/testing/hosts/winnetou/etc/apache2/conf/ssl/server.key
deleted file mode 100644
index 727027188..000000000
--- a/testing/hosts/winnetou/etc/apache2/conf/ssl/server.key
+++ /dev/null
@@ -1,27 +0,0 @@
------BEGIN RSA PRIVATE KEY-----
-MIIEpAIBAAKCAQEAwBkz95BmByWVZaEW8cDbeuGr4C1caGAj4QPmuwaIriK+7XqX
-uh16Ahe3S5vZF56WhUSvMDOIyULckKH84oSa3Jx/SCz0g7X42x8vZuq92tpsjcP/
-u7BlyqpBUtLar14qm5wYw/1nQqMcSG3k9MQOQ+e9KgaGqpidxWM/8T4M/41AaFRB
-K2gQGBUULo26sjoq3af7Z2jYmWkP/kzj1CHLy9Mgt+UvhKeA+ag5cZnyOG596cqV
-jlKyqG7vdggkwW2n+/KDpHNOndYfT7GMFeGXUNzJPkCImWlttic7ssi0mjP3q3Mu
-OP3FNHIRMd2HAcNcqT0bgdJHqnNzGv8C0Ei9XQIDAQABAoIBACYiWrCgl8B/c4Lz
-Uay4Tlm8hvQ/zQJjY3v93EXwbB21hBV8qrYlt9zGfHqj+5q2vsbB9c0pzdO2VDba
-EWueS2fUIWhglEG5VCebrztNCldx2O7jo9bMk8iBt+oLNaJunSK7ACeYHHGcE7dF
-KZh1eyd7z4+SMBWZqmhO5ZisasQoHCusVGepcyyMGQNkc3XKJ6resGAsOqrOoq7Q
-C4vO5Kkbnk8nnEGmQ/ldD8LwIyq1hzVLDiiqWXZgh6S5l4BEo7Dy3KYrZoZfVcZK
-GMVhAI2+uA1ZqY9twpwryT6VZ3eK4DXF/COQntiBW5pLOpaqTOnKqiVmZFwfbo3u
-cq8n5jkCgYEA5zgzRLifbM0q34c2HX8pTegh+BH7MGCxtcoU2uRPaXiGkqQObHI9
-aItrgUQp+pAmKSBnEWJKgKsOh2Uf5ogjIeNuruGG/AXw/Pw2ORHNueenhDuhu69T
-E2I4yxT3PPYbdzJ4ylBElfgm9WTrv7Wi7wSSfgQ6rEFdWukXa5vvsqMCgYEA1K+q
-m1Jv9MGVIVc6MxhuOOj2Ym+qcWt/Pjvg78rR8SRsKwHlGTuv1rdWUSXYDr3f2Nf7
-6DdbJtaSx5f8gY/UG34yGZx5FFbYV03vcCYBaLXsi/b6H7vb/VW74Y5g6bXqnprv
-4mcdVU7xfyNFgdbLPAP9sYVLijPYDwm0Qq3cz/8CgYBKSJz4BBR8AQI4JBl3qoXb
-mKtpJmW76iTN0amXlWgJ64XYkMptftpJvxj/w6V08WDBL77NL/XdlpcpWozAJJac
-6ZOCrcQPLd15eZH2Dck5Y7pG2l2gjbgz7wdt/0NbG3pBdj6mSNlwEPR7PDwdMD6z
-aZWi1LsA4lMaxO4YTVXZ3wKBgQCoFhTNH/+e/YawjNFQJFSn4WUnMn0Pmhc7xfLl
-T/NPkqtx6dN3d7ZmCQrMow33yJOqOje5tFXzgc0KtNE4S8Uj3T4XA5SlQGVFyjAa
-/85JRM2naA8RGVSpCCKuBeoNilnb8zL2SOvjyboN8oAyNuDzk2vh6ihjFsoASHkP
-4XwLXQKBgQC0k6rzt/plIwEiP56XXOqwOxJj6kuE/hx1zGIiGT6lWiOsih20Ym2T
-kYegVFvuDIWmSIAxGONWyee1lfnJbEuaHRixWQTnHUpqrU0FSnZTubnR3q/faZat
-hrvLDdpa0ydAKoMEn3qUPSrh3CdBfi3KTQAQn2Mlk7bGHh9ICWi3vA==
------END RSA PRIVATE KEY-----
diff --git a/testing/hosts/winnetou/etc/apache2/modules.d/00_mod_mime.conf b/testing/hosts/winnetou/etc/apache2/modules.d/00_mod_mime.conf
deleted file mode 100644
index 72b7e0ea4..000000000
--- a/testing/hosts/winnetou/etc/apache2/modules.d/00_mod_mime.conf
+++ /dev/null
@@ -1,61 +0,0 @@
-# DefaultType: the default MIME type the server will use for a document
-# if it cannot otherwise determine one, such as from filename extensions.
-# If your server contains mostly text or HTML documents, "text/plain" is
-# a good value.  If most of your content is binary, such as applications
-# or images, you may want to use "application/octet-stream" instead to
-# keep browsers from trying to display binary files as though they are
-# text.
-DefaultType text/plain
-
-<IfModule mime_module>
-# TypesConfig points to the file containing the list of mappings from
-# filename extension to MIME-type.
-TypesConfig /etc/mime.types
-
-# AddType allows you to add to or override the MIME configuration
-# file specified in TypesConfig for specific file types.
-#AddType application/x-gzip .tgz
-
-# AddEncoding allows you to have certain browsers uncompress
-# information on the fly. Note: Not all browsers support this.
-#AddEncoding x-compress .Z
-#AddEncoding x-gzip .gz .tgz
-
-# If the AddEncoding directives above are commented-out, then you
-# probably should define those extensions to indicate media types:
-AddType application/x-compress .Z
-AddType application/x-gzip .gz .tgz
-
-# AddHandler allows you to map certain file extensions to "handlers":
-# actions unrelated to filetype. These can be either built into the server
-# or added with the Action directive (see below)
-
-# To use CGI scripts outside of ScriptAliased directories:
-# (You will also need to add "ExecCGI" to the "Options" directive.)
-AddHandler cgi-script .cgi
-
-# For files that include their own HTTP headers:
-#AddHandler send-as-is asis
-
-# For server-parsed imagemap files:
-#AddHandler imap-file map
-
-# For type maps (negotiated resources):
-AddHandler type-map var
-
-# Filters allow you to process content before it is sent to the client.
-#
-# To parse .shtml files for server-side includes (SSI):
-# (You will also need to add "Includes" to the "Options" directive.)
-#AddType text/html .shtml
-#AddOutputFilter INCLUDES .shtml
-</IfModule>
-
-<IfModule mime_magic_module>
-# The mod_mime_magic module allows the server to use various hints from the
-# contents of the file itself to determine its type.  The MIMEMagicFile
-# directive tells the module where the hint definitions are located.
-MIMEMagicFile /etc/apache2/magic
-</IfModule>
-
-# vim: ts=4 filetype=apache
diff --git a/testing/hosts/winnetou/etc/apache2/sites-enabled/001-ocsp_vhost b/testing/hosts/winnetou/etc/apache2/sites-enabled/001-ocsp_vhost
new file mode 100644
index 000000000..b76080e37
--- /dev/null
+++ b/testing/hosts/winnetou/etc/apache2/sites-enabled/001-ocsp_vhost
@@ -0,0 +1,54 @@
+# OCSP Server
+
+Listen 8880
+
+AddHandler cgi-script .cgi
+
+<VirtualHost *:8880>
+    ServerAdmin  root@strongswan.org
+    DocumentRoot /etc/openssl/ocsp
+    ServerName   ocsp.strongswan.org
+    ServerAlias	 192.168.0.150
+    DirectoryIndex ocsp.cgi
+    <Directory "/etc/openssl/ocsp">
+       Options  +ExecCGI
+       Order allow,deny
+       Allow from all
+   </Directory>
+   ErrorLog     /var/log/apache2/ocsp/error_log
+   CustomLog    /var/log/apache2/ocsp/access_log combined
+</VirtualHost>
+
+Listen 8881
+
+<VirtualHost *:8881>
+    ServerAdmin  root@research.strongswan.org
+    DocumentRoot /etc/openssl/research/ocsp
+    ServerName   ocsp.research.strongswan.org
+    ServerAlias	 ocsp.strongswan.org 192.168.0.150
+    DirectoryIndex ocsp.cgi
+    <Directory "/etc/openssl/research/ocsp">
+       Options +ExecCGI
+       Order allow,deny
+       Allow from all
+   </Directory>
+   ErrorLog     /var/log/apache2/ocsp/error_log
+   CustomLog    /var/log/apache2/ocsp/access_log combined
+</VirtualHost>
+
+Listen 8882
+
+<VirtualHost *:8882>
+    ServerAdmin  root@sales.strongswan.org
+    DocumentRoot /etc/openssl/sales/ocsp
+    ServerName   ocsp.sales.strongswan.org
+    ServerAlias	 ocsp.strongswan.org 192.168.0.150
+    DirectoryIndex ocsp.cgi
+    <Directory "/etc/openssl/sales/ocsp">
+       Options +ExecCGI
+       Order allow,deny
+       Allow from all
+   </Directory>
+   ErrorLog     /var/log/apache2/ocsp/error_log
+   CustomLog    /var/log/apache2/ocsp/access_log combined
+</VirtualHost>
diff --git a/testing/hosts/winnetou/etc/apache2/vhosts.d/01_ocsp_vhost.conf b/testing/hosts/winnetou/etc/apache2/vhosts.d/01_ocsp_vhost.conf
deleted file mode 100644
index 9a32412db..000000000
--- a/testing/hosts/winnetou/etc/apache2/vhosts.d/01_ocsp_vhost.conf
+++ /dev/null
@@ -1,52 +0,0 @@
-# OCSP Server
-
-Listen 8880
-
-<VirtualHost *:8880>
-    ServerAdmin  root@strongswan.org
-    DocumentRoot /etc/openssl/ocsp
-    ServerName   ocsp.strongswan.org
-    ServerAlias	 192.168.0.150
-    DirectoryIndex ocsp.cgi
-    <Directory "/etc/openssl/ocsp">
-       Options  +ExecCGI
-       Order allow,deny
-       Allow from all
-   </Directory>
-   ErrorLog     /var/log/apache2/ocsp/error_log
-   CustomLog    /var/log/apache2/ocsp/access_log combined
-</VirtualHost>
-
-Listen 8881
-
-<VirtualHost *:8881>
-    ServerAdmin  root@research.strongswan.org
-    DocumentRoot /etc/openssl/research/ocsp
-    ServerName   ocsp.research.strongswan.org
-    ServerAlias	 ocsp.strongswan.org 192.168.0.150
-    DirectoryIndex ocsp.cgi
-    <Directory "/etc/openssl/research/ocsp">
-       Options +ExecCGI
-       Order allow,deny
-       Allow from all
-   </Directory>
-   ErrorLog     /var/log/apache2/ocsp/error_log
-   CustomLog    /var/log/apache2/ocsp/access_log combined
-</VirtualHost>
-
-Listen 8882
-
-<VirtualHost *:8882>
-    ServerAdmin  root@sales.strongswan.org
-    DocumentRoot /etc/openssl/sales/ocsp
-    ServerName   ocsp.sales.strongswan.org
-    ServerAlias	 ocsp.strongswan.org 192.168.0.150
-    DirectoryIndex ocsp.cgi
-    <Directory "/etc/openssl/sales/ocsp">
-       Options +ExecCGI
-       Order allow,deny
-       Allow from all
-   </Directory>
-   ErrorLog     /var/log/apache2/ocsp/error_log
-   CustomLog    /var/log/apache2/ocsp/access_log combined
-</VirtualHost>
diff --git a/testing/hosts/winnetou/etc/conf.d/hostname b/testing/hosts/winnetou/etc/conf.d/hostname
deleted file mode 100644
index 1bfa5acbd..000000000
--- a/testing/hosts/winnetou/etc/conf.d/hostname
+++ /dev/null
@@ -1 +0,0 @@
-HOSTNAME=winnetou
diff --git a/testing/hosts/winnetou/etc/conf.d/net b/testing/hosts/winnetou/etc/conf.d/net
deleted file mode 100644
index 7fbc37014..000000000
--- a/testing/hosts/winnetou/etc/conf.d/net
+++ /dev/null
@@ -1,10 +0,0 @@
-# /etc/conf.d/net:
-
-# This is basically the ifconfig argument without the ifconfig $iface
-#
-config_eth0=( "PH_IP_WINNETOU broadcast 192.168.0.255 netmask 255.255.255.0"
-              "PH_IP6_WINNETOU/16" )
-
-# For setting the default gateway
-#
-routes_eth0=( "default via 192.168.0.254" )
diff --git a/testing/hosts/winnetou/etc/conf.d/slapd b/testing/hosts/winnetou/etc/conf.d/slapd
deleted file mode 100644
index 8d9ac4787..000000000
--- a/testing/hosts/winnetou/etc/conf.d/slapd
+++ /dev/null
@@ -1,8 +0,0 @@
-# conf.d file for the openldap-2.1 series
-#
-# To enable both the standard unciphered server and the ssl encrypted
-# one uncomment this line or set any other server starting options
-# you may desire.
-#
-# OPTS="-h 'ldaps:// ldap:// ldapi://%2fvar%2frun%2fopenldap%2fslapd.sock'"
-OPTS="-4"
diff --git a/testing/hosts/winnetou/etc/init.d/apache2 b/testing/hosts/winnetou/etc/init.d/apache2
deleted file mode 100755
index 5f72d3090..000000000
--- a/testing/hosts/winnetou/etc/init.d/apache2
+++ /dev/null
@@ -1,121 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2007 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="configtest fullstatus graceful gracefulstop modules reload"
-
-depend() {
-	need net
-	use mysql dns logger netmount postgresql
-	after sshd
-}
-
-configtest() {
-	ebegin "Checking Apache Configuration"
-	checkconfig
-	eend $?
-}
-
-checkconfig() {
-	SERVERROOT="${SERVERROOT:-/usr/lib/apache2}"
-	if [ ! -d ${SERVERROOT} ]; then
-		eerror "SERVERROOT does not exist: ${SERVERROOT}"
-		return 1
-	fi
-
-	CONFIGFILE="${CONFIGFILE:-/etc/apache2/httpd.conf}"
-	[ "${CONFIGFILE#/}" = "${CONFIGFILE}" ] && CONFIGFILE="${SERVERROOT}/${CONFIGFILE}"
-	if [ ! -r "${CONFIGFILE}" ]; then
-		eerror "Unable to read configuration file: ${CONFIGFILE}"
-		return 1
-	fi
-
-	APACHE2_OPTS="${APACHE2_OPTS} -d ${SERVERROOT}"
-	APACHE2_OPTS="${APACHE2_OPTS} -f ${CONFIGFILE}"
-	[ -n "${STARTUPERRORLOG}" ] && APACHE2_OPTS="${APACHE2_OPTS} -E ${STARTUPERRORLOG}"
-
-	APACHE2="/usr/sbin/apache2"
-
-	${APACHE2} ${APACHE2_OPTS} -t 1>/dev/null 2>&1
-	ret=$?
-	if [ $ret -ne 0 ]; then
-		eerror "Apache2 has detected a syntax error in your configuration files:"
-		${APACHE2} ${APACHE2_OPTS} -t
-	fi
-
-	return $ret
-}
-
-start() {
-	checkconfig || return 1
-	ebegin "Starting apache2"
-	[ -f /var/log/apache2/ssl_scache ] && rm /var/log/apache2/ssl_scache
-
-	start-stop-daemon --start --exec ${APACHE2} -- ${APACHE2_OPTS} -k start
-	eend $?
-}
-
-stop() {
-	checkconfig || return 1
-	ebegin "Stopping apache2"
-	start-stop-daemon --stop --retry -TERM/5/-KILL/5 --exec ${APACHE2} --pidfile /var/run/apache2.pid
-	eend $?
-}
-
-reload() {
-	RELOAD_TYPE="${RELOAD_TYPE:-graceful}"
-
-	checkconfig || return 1
-	if [ "${RELOAD_TYPE}" = "restart" ]; then
-		ebegin "Restarting apache2"
-		start-stop-daemon --stop --oknodo --signal HUP --exec ${APACHE2} --pidfile /var/run/apache2.pid
-		eend $?
-	elif [ "${RELOAD_TYPE}" = "graceful" ]; then
-		ebegin "Gracefully restarting apache2"
-		start-stop-daemon --stop --oknodo --signal USR1 --exec ${APACHE2} --pidfile /var/run/apache2.pid
-		eend $?
-	else
-		eerror "${RELOAD_TYPE} is not a valid RELOAD_TYPE. Please edit /etc/conf.d/apache2"
-	fi
-}
-
-graceful() {
-	checkconfig || return 1
-	ebegin "Gracefully restarting apache2"
-	start-stop-daemon --stop --signal USR1 --exec ${APACHE2} --pidfile /var/run/apache2.pid
-	eend $?
-}
-
-gracefulstop() {
-	checkconfig || return 1
-	
-	# zap!
-	if service_started "${myservice}"; then
-		mark_service_stopped "${myservice}"
-	fi
-
-	ebegin "Gracefully stopping apache2"
-	# 28 is SIGWINCH
-	start-stop-daemon --stop --signal 28 --exec ${APACHE2} --pidfile /var/run/apache2.pid
-	eend $?
-}
-
-modules() {
-	checkconfig || return 1
-
-	${APACHE2} ${APACHE2_OPTS} -M 2>&1
-}
-
-status() {
-	LYNX="${LYNX:-lynx -dump}"
-	STATUSURL="${STATUSURL:-http://localhost/server-status}"
-	
-	${LYNX} ${STATUSURL} | awk ' /process$/ { print; exit } { print } '
-}
-
-fullstatus() {
-	LYNX="${LYNX:-lynx -dump}"
-	STATUSURL="${STATUSURL:-http://localhost/server-status}"
-	
-	${LYNX} ${STATUSURL}
-}
diff --git a/testing/hosts/winnetou/etc/init.d/net.eth0 b/testing/hosts/winnetou/etc/init.d/net.eth0
deleted file mode 100755
index 92b3851cf..000000000
--- a/testing/hosts/winnetou/etc/init.d/net.eth0
+++ /dev/null
@@ -1,1124 +0,0 @@
-#!/sbin/runscript
-# Copyright (c) 2004-2006 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-# Contributed by Roy Marples (uberlord@gentoo.org)
-# Many thanks to Aron Griffis (agriffis@gentoo.org)
-# for help, ideas and patches
-
-#NB: Config is in /etc/conf.d/net
-
-# For pcmcia users. note that pcmcia must be added to the same
-# runlevel as the net.* script that needs it.
-depend() {
-	need localmount
-	after bootmisc hostname
-	use isapnp isdn pcmcia usb wlan
-
-	# Load any custom depend functions for the given interface
-	# For example, br0 may need eth0 and eth1
-	local iface="${SVCNAME#*.}"
-	[[ $(type -t "depend_${iface}") == "function" ]] && depend_${iface}
-
-	if [[ ${iface} != "lo" && ${iface} != "lo0" ]] ; then
-		after net.lo net.lo0
-
-		# Support new style RC_NEED and RC_USE in one net file
-		local x="RC_NEED_${iface}"
-		[[ -n ${!x} ]] && need ${!x}
-		x="RC_USE_${iface}"
-		[[ -n ${!x} ]] && use ${!x}
-	fi
-
-	return 0
-}
-
-# Define where our modules are
-MODULES_DIR="${svclib}/net"
-
-# Make some wrappers to fudge after/before/need/use depend flags.
-# These are callbacks so MODULE will be set.
-after() {
-	eval "${MODULE}_after() { echo \"$*\"; }"
-}
-before() {
-	eval "${MODULE}_before() { echo \"$*\"; }"
-}
-need() {
-	eval "${MODULE}_need() { echo \"$*\"; }"
-}
-installed() {
-	# We deliberately misspell this as _installed will probably be used
-	# at some point
-	eval "${MODULE}_instlled() { echo \"$*\"; }"
-}
-provide() {
-	eval "${MODULE}_provide() { echo \"$*\"; }"
-}
-functions() {
-	eval "${MODULE}_functions() { echo \"$*\"; }"
-}
-variables() {
-	eval "${MODULE}_variables() { echo \"$*\"; }"
-}
-
-is_loopback() {
-	[[ $1 == "lo" || $1 == "lo0" ]]
-}
-
-# char* interface_device(char *iface)
-#
-# Gets the base device of the interface
-# Can handle eth0:1 and eth0.1
-# Which returns eth0 in this case
-interface_device() {
-	local dev="${1%%.*}"
-	[[ ${dev} == "$1" ]] && dev="${1%%:*}"
-	echo "${dev}"
-}
-
-# char* interface_type(char* iface)
-#
-# Returns the base type of the interface
-# eth, ippp, etc
-interface_type() {
-	echo "${1%%[0-9]*}"
-}
-
-# int calculate_metric(char *interface, int base)
-#
-# Calculates the best metric for the interface
-# We use this when we add routes so we can prefer interfaces over each other
-calculate_metric() {
-	local iface="$1" metric="$2"
-
-	# Have we already got a metric?
-	local m=$(awk '$1=="'${iface}'" && $2=="00000000" { print $7 }' \
-		/proc/net/route)
-	if [[ -n ${m} ]] ; then
-		echo "${m}"
-		return 0
-	fi
-
-	local i= dest= gw= flags= ref= u= m= mtu= metrics=
-	while read i dest gw flags ref u m mtu ; do
-		# Ignore lo
-		is_loopback "${i}" && continue
-		# We work out metrics from default routes only
-		[[ ${dest} != "00000000" || ${gw} == "00000000" ]] && continue
-		metrics="${metrics}\n${m}"
-	done < /proc/net/route
-
-	# Now, sort our metrics
-	metrics=$(echo -e "${metrics}" | sort -n)
-
-	# Now, find the lowest we can use
-	local gotbase=false
-	for m in ${metrics} ; do
-		[[ ${m} -lt ${metric} ]] && continue
-		[[ ${m} == ${metric} ]] && ((metric++))
-		[[ ${m} -gt ${metric} ]] && break
-	done
-	
-	echo "${metric}"
-}
-
-# int netmask2cidr(char *netmask)
-#
-# Returns the CIDR of a given netmask
-netmask2cidr() {
-	local binary= i= bin=
-
-	for i in ${1//./ }; do
-		bin=""
-		while [[ ${i} != "0" ]] ; do
-			bin=$[${i}%2]${bin}
-			(( i=i>>1 ))
-		done
-		binary="${binary}${bin}"
-	done
-	binary="${binary%%0*}"
-	echo "${#binary}"
-}
-
-
-# bool is_function(char* name)
-#
-# Returns 0 if the given name is a shell function, otherwise 1
-is_function() {
-	[[ -z $1 ]] && return 1
-	[[ $(type -t "$1") == "function" ]]
-}
-
-# void function_wrap(char* source, char* target)
-#
-# wraps function calls - for example function_wrap(this, that)
-# maps function names this_* to that_*
-function_wrap() {
-	local i=
-
-	is_function "${2}_depend" && return
-
-	for i in $(typeset -f | grep -o '^'"${1}"'_[^ ]*'); do
-		eval "${2}${i#${1}}() { ${i} \"\$@\"; }"
-	done
-}
-
-# char[] * expand_parameters(char *cmd)
-#
-# Returns an array after expanding parameters. For example
-# "192.168.{1..3}.{1..3}/24 brd +"
-# will return
-# "192.168.1.1/24 brd +"
-# "192.168.1.2/24 brd +"
-# "192.168.1.3/24 brd +"
-# "192.168.2.1/24 brd +"
-# "192.168.2.2/24 brd +"
-# "192.168.2.3/24 brd +"
-# "192.168.3.1/24 brd +"
-# "192.168.3.2/24 brd +"
-# "192.168.3.3/24 brd +"
-expand_parameters() {
-	local x=$(eval echo ${@// /_})
-	local -a a=( ${x} )
-
-	a=( "${a[@]/#/\"}" )
-	a=( "${a[@]/%/\"}" )
-	echo "${a[*]//_/ }"
-}
-
-# void configure_variables(char *interface, char *option1, [char *option2])
-#
-# Maps configuration options from <variable>_<option> to <variable>_<iface>
-# option2 takes precedence over option1
-configure_variables() {
-	local iface="$1" option1="$2" option2="$3"
-
-	local mod= func= x= i=
-	local -a ivars=() ovars1=() ovars2=()
-	local ifvar=$(bash_variable "${iface}")
-
-	for mod in ${MODULES[@]}; do
-		is_function ${mod}_variables || continue
-		for v in $(${mod}_variables) ; do
-			x=
-			[[ -n ${option2} ]] && x="${v}_${option2}[@]"
-			[[ -z ${!x} ]] && x="${v}_${option1}[@]"
-			[[ -n ${!x} ]] && eval "${v}_${ifvar}=( \"\${!x}\" )"
-		done
-	done
-
-	return 0
-}
-# bool module_load_minimum(char *module)
-#
-# Does the minimum checking on a module - even when forcing
-module_load_minimum() {
-	local f="$1.sh" MODULE="${1##*/}"
-
-	if [[ ! -f ${f} ]] ; then
-		eerror "${f} does not exist"
-		return 1
-	fi
-
-	if ! source "${f}" ; then
-		eerror "${MODULE} failed a sanity check"
-		return 1
-	fi
-
-	for f in depend; do
-		is_function "${MODULE}_${f}" && continue
-		eerror "${MODULE}.sh does not support the required function ${f}"
-		return 1
-	done
-
-	return 0
-}
-
-# bool modules_load_auto()
-#
-# Load and check each module for sanity
-# If the module is not installed, the functions are to be removed
-modules_load_auto() {
-	local i j inst
-
-	# Populate the MODULES array
-	# Basically we treat evey file in ${MODULES_DIR} as a module
-	MODULES=( $( cd "${MODULES_DIR}" ; ls *.sh ) )
-	j="${#MODULES[@]}"
-	for (( i=0; i<j; i++ )); do
-		MODULES[i]="${MODULES_DIR}/${MODULES[i]}"
-		[[ ! -f ${MODULES[i]} ]] && unset MODULES[i]
-	done
-	MODULES=( "${MODULES[@]}" )
-
-	# Each of these sources into the global namespace, so it's
-	# important that module functions and variables are prefixed with
-	# the module name, for example iproute2_
-
-	j="${#MODULES[@]}"
-	loaded_interface=false
-	for (( i=0; i<j; i++ )); do
-		MODULES[i]="${MODULES[i]%.sh*}"
-		if [[ ${MODULES[i]##*/} == "interface" ]] ; then
-			eerror "interface is a reserved name - cannot load a module called interface"
-			return 1
-		fi
-		
-		(
-		u=0;
-		module_load_minimum "${MODULES[i]}" || u=1;
-		if [[ ${u} == 0 ]] ; then
-			inst="${MODULES[i]##*/}_check_installed";
-			if is_function "${inst}" ; then
-				${inst} false || u=1;
-			fi
-		fi
-		exit "${u}";
-		)
-
-		if [[ $? == 0 ]] ; then
-			source "${MODULES[i]}.sh"
-			MODULES[i]="${MODULES[i]##*/}"
-		else
-			unset MODULES[i]
-		fi
-	done
-
-	MODULES=( "${MODULES[@]}" )
-	return 0
-}
-
-# bool modules_check_installed(void)
-#
-# Ensure that all modules have the required modules loaded
-# This enables us to remove modules from the MODULES array
-# Whilst other modules can still explicitly call them
-# One example of this is essidnet which configures network
-# settings for the specific ESSID connected to as the user
-# may be using a daemon to configure wireless instead of our
-# iwconfig module
-modules_check_installed() {
-	local i j missingdeps nmods="${#MODULES[@]}"
-
-	for (( i=0; i<nmods; i++ )); do
-		is_function "${MODULES[i]}_instlled" || continue
-		for j in $( ${MODULES[i]}_instlled ); do
-			missingdeps=true
-			if is_function "${j}_check_installed" ; then
-				${j}_check_installed && missingdeps=false
-			elif is_function "${j}_depend" ; then
-				missingdeps=false
-			fi
-			${missingdeps} && unset MODULES[i] && unset PROVIDES[i] && break
-		done
-	done
-
-	MODULES=( "${MODULES[@]}" )
-	PROVIDES=( "${PROVIDES[@]}" )
-}
-
-# bool modules_check_user(void)
-modules_check_user() {
-	local iface="$1" ifvar=$(bash_variable "${IFACE}")
-	local i= j= k= l= nmods="${#MODULES[@]}"
-	local -a umods=()
-
-	# Has the interface got any specific modules?
-	umods="modules_${ifvar}[@]"
-	umods=( "${!umods}" )
-
-	# Global setting follows interface-specific setting
-	umods=( "${umods[@]}" "${modules[@]}" )
-
-	# Add our preferred modules
-	local -a pmods=( "iproute2" "dhcpcd" "iwconfig" "netplugd" )
-	umods=( "${umods[@]}" "${pmods[@]}" )
-
-	# First we strip any modules that conflict from user settings
-	# So if the user specifies pump then we don't use dhcpcd
-	for (( i=0; i<${#umods[@]}; i++ )); do
-		# Some users will inevitably put "dhcp" in their modules
-		# list.  To keep users from screwing up their system this
-		# way, ignore this setting so that the default dhcp
-		# module will be used.
-		[[ ${umods[i]} == "dhcp" ]] && continue
-
-		# We remove any modules we explicitly don't want
-		if [[ ${umods[i]} == "!"* ]] ; then
-			for (( j=0; j<nmods; j++ )); do
-				[[ -z ${MODULES[j]} ]] && continue
-				if [[ ${umods[i]:1} == "${MODULES[j]}" \
-					|| ${umods[i]:1} == "${PROVIDES[j]}" ]] ; then
-					# We may need to setup a class wrapper for it even though
-					# we don't use it directly
-					# However, we put it into an array and wrap later as
-					# another module may provide the same thing
-					${MODULES[j]}_check_installed \
-						&& WRAP_MODULES=(
-							"${WRAP_MODULES[@]}"
-							"${MODULES[j]} ${PROVIDES[j]}"
-						)
-					unset MODULES[j]
-					unset PROVIDES[j]
-				fi
-			done
-			continue
-		fi
-
-		if ! is_function "${umods[i]}_depend" ; then
-			# If the module is one of our preferred modules, then
-			# ignore this error; whatever is available will be
-			# used instead.
-			(( i < ${#umods[@]} - ${#pmods[@]} )) || continue
-
-			# The function may not exist because the modules software is
-			# not installed. Load the module and report its error
-			if [[ -e "${MODULES_DIR}/${umods[i]}.sh" ]] ; then
-				source "${MODULES_DIR}/${umods[i]}.sh"
-				is_function "${umods[i]}_check_installed" \
-					&& ${umods[i]}_check_installed true
-			else
-				eerror "The module \"${umods[i]}\" does not exist"
-			fi
-			return 1
-		fi
-
-		if is_function "${umods[i]}_provide" ; then
-			mod=$(${umods[i]}_provide)
-		else
-			mod="${umods[i]}"
-		fi
-		for (( j=0; j<nmods; j++ )); do
-			[[ -z ${MODULES[j]} ]] && continue
-			if [[ ${PROVIDES[j]} == "${mod}" && ${umods[i]} != "${MODULES[j]}" ]] ; then
-				# We don't have a match - now ensure that we still provide an
-				# alternative. This is to handle our preferred modules.
-				for (( l=0; l<nmods; l++ )); do
-					[[ ${l} == "${j}" || -z ${MODULES[l]} ]] && continue
-					if [[ ${PROVIDES[l]} == "${mod}" ]] ; then
-						unset MODULES[j]
-						unset PROVIDES[j]
-						break
-					fi
-				done
-			fi
-		done
-	done
-
-	# Then we strip conflicting modules.
-	# We only need to do this for 3rd party modules that conflict with
-	# our own modules and the preferred list AND the user modules
-	# list doesn't specify a preference.
-	for (( i=0; i<nmods-1; i++ )); do
-		[[ -z ${MODULES[i]} ]] && continue			
-		for (( j=i+1; j<nmods; j++)); do
-			[[ -z ${MODULES[j]} ]] && continue
-			[[ ${PROVIDES[i]} == "${PROVIDES[j]}" ]] \
-			&& unset MODULES[j] && unset PROVIDES[j]
-		done
-	done
-
-	MODULES=( "${MODULES[@]}" )
-	PROVIDES=( "${PROVIDES[@]}" )
-	return 0
-}
-
-# void modules_sort(void)
-#
-# Sort our modules
-modules_sort() {
-	local i= j= nmods=${#MODULES[@]} m=
-	local -a provide=() provide_list=() after=() dead=() sorted=() sortedp=()
-
-	# Make our provide list
-	for ((i=0; i<nmods; i++)); do
-		dead[i]="false"
-		if [[ ${MODULES[i]} != "${PROVIDES[i]}" ]] ; then
-			local provided=false
-			for ((j=0; j<${#provide[@]}; j++)); do
-				if [[ ${provide[j]} == "${PROVIDES[i]}" ]] ; then
-					provide_list[j]="${provide_list[j]} ${MODULES[i]}"
-					provided=true
-				fi
-			done
-			if ! ${provided}; then
-				provide[j]="${PROVIDES[i]}"
-				provide_list[j]="${MODULES[i]}"
-			fi
-		fi
-	done
-
-	# Create an after array, which holds which modules the module at
-	# index i must be after
-	for ((i=0; i<nmods; i++)); do
-		if is_function "${MODULES[i]}_after" ; then
-			after[i]=" ${after[i]} $(${MODULES[i]}_after) "
-		fi
-		if is_function "${MODULES[i]}_before" ; then
-			for m in $(${MODULES[i]}_before); do
-				for ((j=0; j<nmods; j++)) ; do
-					if [[ ${PROVIDES[j]} == "${m}" ]] ; then
-						after[j]=" ${after[j]} ${MODULES[i]} "
-						break
-					fi
-				done
-			done
-		fi
-	done
-
-	# Replace the after list modules with real modules
-	for ((i=0; i<nmods; i++)); do
-		if [[ -n ${after[i]} ]] ; then
-			for ((j=0; j<${#provide[@]}; j++)); do
-				after[i]="${after[i]// ${provide[j]} / ${provide_list[j]} }"
-			done
-		fi
-	done
-	
-	# We then use the below code to provide a topologial sort
-    module_after_visit() {
-        local name="$1" i= x=
-
-		for ((i=0; i<nmods; i++)); do
-			[[ ${MODULES[i]} == "$1" ]] && break
-		done
-
-        ${dead[i]} && return
-        dead[i]="true"
-
-        for x in ${after[i]} ; do
-            module_after_visit "${x}"
-        done
-
-        sorted=( "${sorted[@]}" "${MODULES[i]}" )
-		sortedp=( "${sortedp[@]}" "${PROVIDES[i]}" )
-    }
-
-	for x in ${MODULES[@]}; do
-		module_after_visit "${x}"
-	done
-
-	MODULES=( "${sorted[@]}" )
-	PROVIDES=( "${sortedp[@]}" )
-}
-
-# bool modules_check_depends(bool showprovides)
-modules_check_depends() {
-	local showprovides="${1:-false}" nmods="${#MODULES[@]}" i= j= needmod=
-	local missingdeps= p= interface=false
-
-	for (( i=0; i<nmods; i++ )); do
-		if is_function "${MODULES[i]}_need" ; then
-			for needmod in $(${MODULES[i]}_need); do
-				missingdeps=true
-				for (( j=0; j<nmods; j++ )); do
-					if [[ ${needmod} == "${MODULES[j]}" \
-						|| ${needmod} == "${PROVIDES[j]}" ]] ; then
-						missingdeps=false
-						break
-					fi
-				done
-				if ${missingdeps} ; then
-					eerror "${MODULES[i]} needs ${needmod} (dependency failure)"
-					return 1
-				fi
-			done
-		fi
-
-		if is_function "${MODULES[i]}_functions" ; then
-			for f in $(${MODULES[i]}_functions); do
-				if ! is_function "${f}" ; then
-					eerror "${MODULES[i]}: missing required function \"${f}\""
-					return 1
-				fi
-			done
-		fi
-
-		[[ ${PROVIDES[i]} == "interface" ]] && interface=true
-
-		if ${showprovides} ; then
-			[[ ${PROVIDES[i]} != "${MODULES[i]}" ]] \
-			&& veinfo "${MODULES[i]} provides ${PROVIDES[i]}"
-		fi
-	done
-
-	if ! ${interface} ; then
-		eerror "no interface module has been loaded"
-		return 1
-	fi
-
-	return 0
-}
-
-# bool modules_load(char *iface, bool starting)
-#
-# Loads the defined handler and modules for the interface
-# Returns 0 on success, otherwise 1
-modules_load()  {
-	local iface="$1" starting="${2:-true}" MODULE= p=false i= j= k=
-	local -a x=()
-	local RC_INDENTATION="${RC_INDENTATION}"
-	local -a PROVIDES=() WRAP_MODULES=()
-
-	if ! is_loopback "${iface}" ; then
-		x="modules_force_${iface}[@]"
-		[[ -n ${!x} ]] && modules_force=( "${!x}" )
-		if [[ -n ${modules_force} ]] ; then
-			ewarn "WARNING: You are forcing modules!"
-			ewarn "Do not complain or file bugs if things start breaking"
-			report=true
-		fi
-	fi
-
-	veinfo "Loading networking modules for ${iface}"
-	eindent
-
-	if [[ -z ${modules_force} ]] ; then
-		modules_load_auto || return 1
-	else
-		j="${#modules_force[@]}"
-		for (( i=0; i<j; i++ )); do
-			module_load_minimum "${MODULES_DIR}/${modules_force[i]}" || return 1
-			if is_function "${modules_force[i]}_check_installed" ; then
-				${modules_force[i]}_check_installed || unset modules_force[i]
-			fi
-		done
-		MODULES=( "${modules_force[@]}" )
-	fi
-
-	j="${#MODULES[@]}"
-	for (( i=0; i<j; i++ )); do
-		# Now load our dependencies - we need to use the MODULE variable
-		# here as the after/before/need functions use it
-		MODULE="${MODULES[i]}"
-		${MODULE}_depend
-
-		# expose does exactly the same thing as depend
-		# However it is more "correct" as it exposes things to other modules
-		# instead of depending on them ;)
-		is_function "${MODULES[i]}_expose" && ${MODULES[i]}_expose
-
-		# If no provide is given, assume module name
-		if is_function "${MODULES[i]}_provide" ; then
-			PROVIDES[i]=$(${MODULES[i]}_provide)
-		else
-			PROVIDES[i]="${MODULES[i]}"
-		fi
-	done
-
-	if [[ -n ${modules_force[@]} ]] ; then
-		# Strip any duplicate modules providing the same thing
-		j="${#MODULES[@]}"
-		for (( i=0; i<j-1; i++ )); do
-			[[ -z ${MODULES[i]} ]] && continue
-			for (( k=i+1; k<j; k++ )); do
-				if [[ ${PROVIDES[i]} == ${PROVIDES[k]} ]] ; then
-					unset MODULES[k]
-					unset PROVIDES[k]
-				fi
-			done
-		done
-		MODULES=( "${MODULES[@]}" )
-		PROVIDES=( "${PROVIDES[@]}" )
-	else
-		if ${starting}; then
-			modules_check_user "${iface}" || return 1
-		else
-			# Always prefer iproute2 for taking down interfaces
-			if is_function iproute2_provide ; then
-				function_wrap iproute2 "$(iproute2_provide)"
-			fi
-		fi
-	fi
-	
-	# Wrap our modules
-	j="${#MODULES[@]}"
-	for (( i=0; i<j; i++ )); do
-		function_wrap "${MODULES[i]}" "${PROVIDES[i]}"
-	done
-	j="${#WRAP_MODULES[@]}"
-	for (( i=0; i<j; i++ )); do
-		function_wrap ${WRAP_MODULES[i]}
-	done
-	
-	if [[ -z ${modules_force[@]} ]] ; then
-		modules_check_installed || return 1
-		modules_sort || return 1
-	fi
-
-	veinfo "modules: ${MODULES[@]}"
-	eindent
-
-	${starting} && p=true
-	modules_check_depends "${p}" || return 1
-	return 0
-}
-
-# bool iface_start(char *interface)
-#
-# iface_start is called from start.  It's expected to start the base
-# interface (for example "eth0"), aliases (for example "eth0:1") and to start
-# VLAN interfaces (for example eth0.0, eth0.1).  VLAN setup is accomplished by
-# calling itself recursively.
-iface_start() {
-	local iface="$1" mod config_counter="-1" x config_worked=false
-	local RC_INDENTATION="${RC_INDENTATION}"
-	local -a config=() fallback=() fallback_route=() conf=() a=() b=()
-	local ifvar=$(bash_variable "$1") i= j= metric=0
-
-	# pre Start any modules with
-	for mod in ${MODULES[@]}; do
-		if is_function "${mod}_pre_start" ; then
-			${mod}_pre_start "${iface}" || { eend 1; return 1; }
-		fi
-	done
-
-	x="metric_${ifvar}"
-	# If we don't have a metric then calculate one
-	# Our modules will set the metric variable to a suitable base
-	# in their pre starts.
-	if [[ -z ${!x} ]] ; then
-		eval "metric_${ifvar}=\"$(calculate_metric "${iface}" "${metric}")\""
-	fi
-
-	# We now expand the configuration parameters and pray that the
-	# fallbacks expand to the same number as config or there will be
-	# trouble!
-	a="config_${ifvar}[@]"
-	a=( "${!a}" )
-	for (( i=0; i<${#a[@]}; i++ )); do 
-		eval b=( $(expand_parameters "${a[i]}") )
-		config=( "${config[@]}" "${b[@]}" )
-	done
-
-	a="fallback_${ifvar}[@]"
-	a=( "${!a}" )
-	for (( i=0; i<${#a[@]}; i++ )); do 
-		eval b=( $(expand_parameters "${a[i]}") )
-		fallback=( "${fallback[@]}" "${b[@]}" )
-	done
-
-	# We don't expand routes
-	fallback_route="fallback_route_${ifvar}[@]"
-	fallback_route=( "${!fallback_route}" )
-	
-	# We must support old configs
-	if [[ -z ${config} ]] ; then
-		interface_get_old_config "${iface}" || return 1
-		if [[ -n ${config} ]] ; then
-			ewarn "You are using a deprecated configuration syntax for ${iface}"
-			ewarn "You are advised to read /etc/conf.d/net.example and upgrade it accordingly"
-		fi
-	fi
-
-	# Handle "noop" correctly
-	if [[ ${config[0]} == "noop" ]] ; then
-		if interface_is_up "${iface}" true ; then
-			einfo "Keeping current configuration for ${iface}"
-			eend 0
-			return 0
-		fi
-
-		# Remove noop from the config var
-		config=( "${config[@]:1}" )
-	fi
-
-	# Provide a default of DHCP if no configuration is set and we're auto
-	# Otherwise a default of NULL
-	if [[ -z ${config} ]] ; then
-		ewarn "Configuration not set for ${iface} - assuming DHCP"
-		if is_function "dhcp_start" ; then
-			config=( "dhcp" )
-		else
-			eerror "No DHCP client installed"
-			return 1
-		fi
-	fi
-
-	einfo "Bringing up ${iface}"
-	eindent
-	for (( config_counter=0; config_counter<${#config[@]}; config_counter++ )); do
-		# Handle null and noop correctly
-		if [[ ${config[config_counter]} == "null" \
-			|| ${config[config_counter]} == "noop" ]] ; then
-			eend 0
-			config_worked=true
-			continue
-		fi
-
-		# We convert it to an array - this has the added
-		# bonus of trimming spaces!
-		conf=( ${config[config_counter]} )
-		einfo "${conf[0]}"
-
-		# Do we have a function for our config?
-		if is_function "${conf[0]}_start" ; then
-			eindent
-			${conf[0]}_start "${iface}" ; x=$?
-			eoutdent
-			[[ ${x} == 0 ]] && config_worked=true && continue
-			# We need to test to see if it's an IP address or a function
-			# We do this by testing if the 1st character is a digit
-		elif [[ ${conf[0]:0:1} == [[:digit:]] || ${conf[0]} == *:* ]] ; then
-			x="0"
-			if ! is_loopback "${iface}" ; then
-				if [[ " ${MODULES[@]} " == *" arping "* ]] ; then
-					if arping_address_exists "${iface}" "${conf[0]}" ; then
-						eerror "${conf[0]%%/*} already taken on ${iface}"
-						x="1"
-					fi
-				fi
-			fi
-			[[ ${x} == "0" ]] && interface_add_address "${iface}" ${conf[@]}; x="$?"
-			eend "${x}" && config_worked=true && continue
-		else
-			if [[ ${conf[0]} == "dhcp" ]] ; then
-				eerror "No DHCP client installed"
-			else
-				eerror "No loaded modules provide \"${conf[0]}\" (${conf[0]}_start)"
-			fi
-		fi
-
-		if [[ -n ${fallback[config_counter]} ]] ; then
-			einfo "Trying fallback configuration"
-			config[config_counter]="${fallback[config_counter]}"
-			fallback[config_counter]=""
-
-			# Do we have a fallback route?
-			if [[ -n ${fallback_route[config_counter]} ]] ; then
-				x="fallback_route[config_counter]"
-				eval "routes_${ifvar}=( \"\${!x}\" )"
-				fallback_route[config_counter]=""
-			fi
-
-			(( config_counter-- )) # since the loop will increment it
-			continue
-		fi
-	done
-	eoutdent
-
-	# We return failure if no configuration parameters worked
-	${config_worked} || return 1
-
-	# Start any modules with _post_start
-	for mod in ${MODULES[@]}; do
-		if is_function "${mod}_post_start" ; then
-			${mod}_post_start "${iface}" || return 1
-		fi
-	done
-
-	return 0
-}
-
-# bool iface_stop(char *interface)
-#
-# iface_stop: bring down an interface.  Don't trust information in
-# /etc/conf.d/net since the configuration might have changed since
-# iface_start ran.  Instead query for current configuration and bring
-# down the interface.
-iface_stop() {
-	local iface="$1" i= aliases= need_begin=false mod=
-	local RC_INDENTATION="${RC_INDENTATION}"
-
-	# pre Stop any modules
-	for mod in ${MODULES[@]}; do
-		if is_function "${mod}_pre_stop" ; then
-			${mod}_pre_stop "${iface}" || return 1
-		fi
-	done
-
-	einfo "Bringing down ${iface}"
-	eindent
-
-	# Collect list of aliases for this interface.
-	# List will be in reverse order.
-	if interface_exists "${iface}" ; then
-		aliases=$(interface_get_aliases_rev "${iface}")
-	fi
-
-	# Stop aliases before primary interface.
-	# Note this must be done in reverse order, since ifconfig eth0:1 
-	# will remove eth0:2, etc.  It might be sufficient to simply remove 
-	# the base interface but we're being safe here.
-	for i in ${aliases} ${iface}; do
-		# Stop all our modules
-		for mod in ${MODULES[@]}; do
-			if is_function "${mod}_stop" ; then
-				${mod}_stop "${i}" || return 1
-			fi
-		done
-
-		# A module may have removed the interface
-		if ! interface_exists "${iface}" ; then
-			eend 0
-			continue
-		fi
-
-		# We don't delete ppp assigned addresses
-		if ! is_function pppd_exists || ! pppd_exists "${i}" ; then
-			# Delete all the addresses for this alias
-			interface_del_addresses "${i}"
-		fi
-
-		# Do final shut down of this alias
-		if [[ ${IN_BACKGROUND} != "true" \
-			&& ${RC_DOWN_INTERFACE} == "yes" ]] ; then
-			ebegin "Shutting down ${i}"
-			interface_iface_stop "${i}"
-			eend "$?"
-		fi
-	done
-
-	# post Stop any modules
-	for mod in ${MODULES[@]}; do
-		# We have already taken down the interface, so no need to error
-		is_function "${mod}_post_stop" && ${mod}_post_stop "${iface}"
-	done
-
-	return 0
-}
-
-# bool run_start(char *iface)
-#
-# Brings up ${IFACE}.  Calls preup, iface_start, then postup.
-# Returns 0 (success) unless preup or iface_start returns 1 (failure).
-# Ignores the return value from postup.
-# We cannot check that the device exists ourselves as modules like
-# tuntap make create it.
-run_start() {
-	local iface="$1" IFVAR=$(bash_variable "$1")
-
-	# We do this so users can specify additional addresses for lo if they
-	# need too - additional routes too
-	# However, no extra modules are loaded as they are just not needed
-	if [[ ${iface} == "lo" ]] ; then
-		metric_lo="0"
-		config_lo=( "127.0.0.1/8 brd 127.255.255.255" "${config_lo[@]}" )
-		routes_lo=( "127.0.0.0/8" "${routes_lo[@]}" )
-	elif [[ ${iface} == "lo0" ]] ; then
-		metric_lo0="0"
-		config_lo0=( "127.0.0.1/8 brd 127.255.255.255" "${config_lo[@]}" )
-		routes_lo0=( "127.0.0.0/8" "${routes_lo[@]}" )
-	fi
-
-	# We may not have a loaded module for ${iface}
-	# Some users may have "alias natsemi eth0" in /etc/modules.d/foo
-	# so we can work with this
-	# However, if they do the same with eth1 and try to start it
-	# but eth0 has not been loaded then the module gets loaded as
-	# eth0.
-	# Not much we can do about this :(
-	# Also, we cannot error here as some modules - such as bridge
-	# create interfaces
-	if ! interface_exists "${iface}" ; then
-		/sbin/modprobe "${iface}" &>/dev/null
-	fi
-
-	# Call user-defined preup function if it exists
-	if is_function preup ; then
-		einfo "Running preup function"
-		eindent
-		( preup "${iface}" )
-		eend "$?" "preup ${iface} failed" || return 1
-		eoutdent
-	fi
-
-	# If config is set to noop and the interface is up with an address
-	# then we don't start it
-	local config=
-	config="config_${IFVAR}[@]"
-	config=( "${!config}" )
-	if [[ ${config[0]} == "noop" ]] && interface_is_up "${iface}" true ; then
-		einfo "Keeping current configuration for ${iface}"
-		eend 0
-	else
-		# Remove noop from the config var
-		[[ ${config[0]} == "noop" ]] \
-			&& eval "config_${IFVAR}=( "\"\$\{config\[@\]:1\}\"" )"
-
-		# There may be existing ip address info - so we strip it
-		if [[ ${RC_INTERFACE_KEEP_CONFIG} != "yes" \
-			&& ${IN_BACKGROUND} != "true" ]] ; then
-			interface_del_addresses "${iface}"
-		fi
-
-		# Start the interface
-		if ! iface_start "${iface}" ; then
-			if [[ ${IN_BACKGROUND} != "true" ]] ; then
-				interface_exists "${iface}" && interface_down "${iface}"
-			fi
-			eend 1
-			return 1
-		fi
-	fi
-
-	# Call user-defined postup function if it exists
-	if is_function postup ; then
-		# We need to mark the service as started incase a
-		# postdown function wants to restart services that depend on us
-		mark_service_started "net.${iface}"
-		end_service "net.${iface}" 0
-		einfo "Running postup function"
-		eindent
-		( postup "${iface}" )
-		eoutdent
-	fi
-
-	return 0
-}
-
-# bool run_stop(char *iface) {
-#
-# Brings down ${iface}.  If predown call returns non-zero, then
-# stop returns non-zero to indicate failure bringing down device.
-# In all other cases stop returns 0 to indicate success.
-run_stop() {
-	local iface="$1" IFVAR=$(bash_variable "$1") x
-
-	# Load our ESSID variable so users can use it in predown() instead
-	# of having to write code.
-	local ESSID=$(get_options ESSID) ESSIDVAR=
-	[[ -n ${ESSID} ]] && ESSIDVAR=$(bash_variable "${ESSID}")
-
-	# Call user-defined predown function if it exists
-	if is_function predown ; then
-		einfo "Running predown function"
-		eindent
-		( predown "${iface}" )
-		eend $? "predown ${iface} failed" || return 1
-		eoutdent
-	elif is_net_fs / ; then
-		eerror "root filesystem is network mounted -- can't stop ${iface}"
-		return 1
-	elif is_union_fs / ; then
-		for x in $(unionctl "${dir}" --list \
-		| sed -e 's/^\(.*\) .*/\1/') ; do
-			if is_net_fs "${x}" ; then
-				eerror "Part of the root filesystem is network mounted - cannot stop ${iface}"
-				return 1
-			fi
-		done
-	fi
-
-	iface_stop "${iface}" || return 1  # always succeeds, btw
-
-	# Release resolv.conf information.
-	[[ -x /sbin/resolvconf ]] && resolvconf -d "${iface}"
-	
-	# Mark us as inactive if called from the background
-	[[ ${IN_BACKGROUND} == "true" ]] && mark_service_inactive "net.${iface}"
-
-	# Call user-defined postdown function if it exists
-	if is_function postdown ; then
-		# We need to mark the service as stopped incase a
-		# postdown function wants to restart services that depend on us
-		[[ ${IN_BACKGROUND} != "true" ]] && mark_service_stopped "net.${iface}"
-		end_service "net.${iface}" 0
-		einfo "Running postdown function"
-		eindent
-		( postdown "${iface}" )
-		eoutdent
-	fi
-
-
-	return 0
-}
-
-# bool run(char *iface, char *cmd)
-#
-# Main start/stop entry point
-# We load modules here and remove any functions that they
-# added as we may be called inside the same shell scope for another interface
-run() {
-	local iface="$1" cmd="$2" r=1 RC_INDENTATION="${RC_INDENTATION}"
-	local starting=true
-	local -a MODULES=() mods=()
-	local IN_BACKGROUND="${IN_BACKGROUND}"
-
-	if [[ ${IN_BACKGROUND} == "true" || ${IN_BACKGROUND} == "1" ]] ; then
-		IN_BACKGROUND=true
-	else
-		IN_BACKGROUND=false
-	fi
-
-	# We need to override the exit function as runscript.sh now checks
-	# for it. We need it so we can mark the service as inactive ourselves.
-	unset -f exit
-
-	eindent
-	[[ ${cmd} == "stop" ]] && starting=false
-
-	# We force lo to only use these modules for a major speed boost
-	if is_loopback "${iface}" ; then	
-		modules_force=( "iproute2" "ifconfig" "system" )
-	fi
-
-	if modules_load "${iface}" "${starting}" ; then
-		if [[ ${cmd} == "stop" ]] ; then
-			# Reverse the module list for stopping
-			mods=( "${MODULES[@]}" )
-			for ((i = 0; i < ${#mods[@]}; i++)); do
-				MODULES[i]=${mods[((${#mods[@]} - i - 1))]}
-			done
-
-			run_stop "${iface}" && r=0
-		else
-			# Only hotplug on ethernet interfaces
-			if [[ ${IN_HOTPLUG} == 1 ]] ; then
-				if ! interface_is_ethernet "${iface}" ; then
-					eerror "We only hotplug for ethernet interfaces"
-					return 1
-				fi
-			fi
-
-			run_start "${iface}" && r=0
-		fi
-	fi
-
-	if [[ ${r} != "0" ]] ; then
-		if [[ ${cmd} == "start" ]] ; then
-			# Call user-defined failup if it exists
-			if is_function failup ; then
-				einfo "Running failup function"
-				eindent
-				( failup "${iface}" )
-				eoutdent
-			fi
-		else
-			# Call user-defined faildown if it exists
-			if is_function faildown ; then
-				einfo "Running faildown function"
-				eindent
-				( faildown "${iface}" )
-				eoutdent
-			fi
-		fi
-		[[ ${IN_BACKGROUND} == "true" ]] \
-			&& mark_service_inactive "net.${iface}"
-	fi
-
-	return "${r}"
-}
-
-# bool start(void)
-#
-# Start entry point so that we only have one function
-# which localises variables and unsets functions
-start() {
-	declare -r IFACE="${SVCNAME#*.}"
-	einfo "Starting ${IFACE}"
-	run "${IFACE}" start
-}
-
-# bool stop(void)
-#
-# Stop entry point so that we only have one function
-# which localises variables and unsets functions
-stop() {
-	declare -r IFACE="${SVCNAME#*.}"
-	einfo "Stopping ${IFACE}"
-	run "${IFACE}" stop
-}
-
-# vim:ts=4
diff --git a/testing/hosts/winnetou/etc/init.d/slapd b/testing/hosts/winnetou/etc/init.d/slapd
deleted file mode 100755
index d4c070b33..000000000
--- a/testing/hosts/winnetou/etc/init.d/slapd
+++ /dev/null
@@ -1,25 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/strongswan/testing/hosts/winnetou/etc/init.d/slapd,v 1.2 2005/05/31 14:04:43 as Exp $
-
-depend() {
-	need net
-}
-
-start() {
-	ebegin "Starting ldap-server"
-	eval start-stop-daemon --start --quiet --pidfile /var/run/openldap/slapd.pid --exec /usr/lib/openldap/slapd -- -u ldap -g ldap "${OPTS}"
-	eend $?
-	if [ ! -e /var/lib/openldap-data/objectClass.bdb ]
-	then
-		sleep 5
-		ldapadd -x -D "cn=Manager, o=Linux strongSwan, c=CH" -w tuxmux -f /etc/openldap/ldif.txt
-	fi
-}
-
-stop() {
-	ebegin "Stopping ldap-server"
-	start-stop-daemon --stop --signal 2 --quiet --pidfile /var/run/openldap/slapd.pid 
-	eend $?
-}
diff --git a/testing/hosts/winnetou/etc/ldap/ldif.txt b/testing/hosts/winnetou/etc/ldap/ldif.txt
new file mode 100644
index 000000000..d06621adb
--- /dev/null
+++ b/testing/hosts/winnetou/etc/ldap/ldif.txt
@@ -0,0 +1,39 @@
+dn: o=Linux strongSwan, c=CH
+objectclass: organization
+o: Linux strongSwan
+
+dn: cn=Manager,o=Linux strongSwan, c=CH
+objectclass: organizationalRole
+cn: Manager
+
+dn: cn=strongSwan Root CA, o=Linux strongSwan, c=CH
+objectClass: organizationalRole
+cn: strongSwan Root CA
+objectClass: certificationAuthority
+authorityRevocationList;binary:< file:///etc/openssl/strongswan.crl
+certificateRevocationList;binary:< file:///etc/openssl/strongswan.crl
+cACertificate;binary:< file:///etc/openssl/strongswanCert.der
+
+dn: ou=Research, o=Linux strongSwan, c=CH
+objectclass: organizationalUnit
+ou: Research
+
+dn: cn=Research CA, ou=Research, o=Linux strongSwan, c=CH
+objectClass: organizationalRole
+cn: Research CA
+objectClass: certificationAuthority
+authorityRevocationList;binary:< file:///etc/openssl/research/research.crl
+certificateRevocationList;binary:< file:///etc/openssl/research/research.crl
+cACertificate;binary:< file:///etc/openssl/research/researchCert.der
+
+dn: ou=Sales, o=Linux strongSwan, c=CH
+objectclass: organizationalUnit
+ou: Sales
+
+dn: cn=Sales CA, ou=Sales, o=Linux strongSwan, c=CH
+objectClass: organizationalRole
+cn: Sales CA
+objectClass: certificationAuthority
+authorityRevocationList;binary:< file:///etc/openssl/sales/sales.crl
+certificateRevocationList;binary:< file:///etc/openssl/sales/sales.crl
+cACertificate;binary:< file:///etc/openssl/sales/salesCert.der
diff --git a/testing/hosts/winnetou/etc/ldap/slapd.conf b/testing/hosts/winnetou/etc/ldap/slapd.conf
new file mode 100644
index 000000000..103d4573f
--- /dev/null
+++ b/testing/hosts/winnetou/etc/ldap/slapd.conf
@@ -0,0 +1,23 @@
+#
+# See slapd.conf(5) for details on configuration options.
+# This file should NOT be world readable.
+#
+
+moduleload	back_bdb.la
+
+include		/etc/ldap/schema/core.schema
+
+pidfile		/var/run/openldap/slapd.pid
+argsfile	/var/run/openldap/slapd.args
+
+#######################################################################
+# BDB database definitions
+#######################################################################
+
+database	bdb
+suffix		"o=Linux strongSwan,c=CH"
+rootdn		"cn=Manager,o=Linux strongSwan,c=CH"
+checkpoint	32	30
+rootpw		tuxmux
+directory	/var/lib/ldap
+index		objectClass	eq
diff --git a/testing/hosts/winnetou/etc/network/interfaces b/testing/hosts/winnetou/etc/network/interfaces
new file mode 100644
index 000000000..7bfb6a9f2
--- /dev/null
+++ b/testing/hosts/winnetou/etc/network/interfaces
@@ -0,0 +1,12 @@
+auto lo
+iface lo inet loopback
+
+auto eth0
+iface eth0 inet static
+	address 192.168.0.150
+	netmask 255.255.255.0
+	broadcast 192.168.0.255
+	gateway 192.168.0.254
+iface eth0 inet6 static
+	address fec0::15
+	netmask 16
diff --git a/testing/hosts/winnetou/etc/openldap/ldif.txt b/testing/hosts/winnetou/etc/openldap/ldif.txt
deleted file mode 100644
index 3eca4d6c6..000000000
--- a/testing/hosts/winnetou/etc/openldap/ldif.txt
+++ /dev/null
@@ -1,40 +0,0 @@
-dn: o=Linux strongSwan, c=CH
-objectclass: organization
-o: Linux strongSwan
-
-dn: cn=Manager,o=Linux strongSwan, c=CH
-objectclass: organizationalRole
-cn: Manager
-
-dn: cn=strongSwan Root CA, o=Linux strongSwan, c=CH
-objectClass: organizationalRole
-cn: strongSwan Root CA
-objectClass: certificationAuthority
-authorityRevocationList;binary:< file:///etc/openssl/strongswan.crl
-certificateRevocationList;binary:< file:///etc/openssl/strongswan.crl
-cACertificate;binary:< file:///etc/openssl/strongswanCert.der
-
-dn: ou=Research, o=Linux strongSwan, c=CH
-objectclass: organizationalUnit
-ou: Research
-
-dn: cn=Research CA, ou=Research, o=Linux strongSwan, c=CH
-objectClass: organizationalRole
-cn: Research CA
-objectClass: certificationAuthority
-authorityRevocationList;binary:< file:///etc/openssl/research/research.crl
-certificateRevocationList;binary:< file:///etc/openssl/research/research.crl
-cACertificate;binary:< file:///etc/openssl/research/researchCert.der
-
-dn: ou=Sales, o=Linux strongSwan, c=CH
-objectclass: organizationalUnit
-ou: Sales 
-
-dn: cn=Sales CA, ou=Sales, o=Linux strongSwan, c=CH
-objectClass: organizationalRole
-cn: Sales CA
-objectClass: certificationAuthority
-authorityRevocationList;binary:< file:///etc/openssl/sales/sales.crl
-certificateRevocationList;binary:< file:///etc/openssl/sales/sales.crl
-cACertificate;binary:< file:///etc/openssl/sales/salesCert.der
-
diff --git a/testing/hosts/winnetou/etc/openldap/slapd.conf b/testing/hosts/winnetou/etc/openldap/slapd.conf
deleted file mode 100644
index 5a99f955d..000000000
--- a/testing/hosts/winnetou/etc/openldap/slapd.conf
+++ /dev/null
@@ -1,68 +0,0 @@
-#
-# See slapd.conf(5) for details on configuration options.
-# This file should NOT be world readable.
-#
-include		/etc/openldap/schema/core.schema
-
-# Define global ACLs to disable default read access.
-
-# Do not enable referrals until AFTER you have a working directory
-# service AND an understanding of referrals.
-#referral	ldap://root.openldap.org
-
-pidfile		/var/run/openldap/slapd.pid
-argsfile	/var/run/openldap/slapd.args
-
-# Load dynamic backend modules:
-# modulepath	/usr/lib/openldap/openldap
-# moduleload	back_bdb.la
-# moduleload	back_ldap.la
-# moduleload	back_ldbm.la
-# moduleload	back_passwd.la
-# moduleload	back_shell.la
-
-# Sample security restrictions
-#	Require integrity protection (prevent hijacking)
-#	Require 112-bit (3DES or better) encryption for updates
-#	Require 63-bit encryption for simple bind
-# security ssf=1 update_ssf=112 simple_bind=64
-
-# Sample access control policy:
-#	Root DSE: allow anyone to read it
-#	Subschema (sub)entry DSE: allow anyone to read it
-#	Other DSEs:
-#		Allow self write access
-#		Allow authenticated users read access
-#		Allow anonymous users to authenticate
-#	Directives needed to implement policy:
-# access to dn.base="" by * read
-# access to dn.base="cn=Subschema" by * read
-# access to *
-#	by self write
-#	by users read
-#	by anonymous auth
-#
-# if no access controls are present, the default policy
-# allows anyone and everyone to read anything but restricts
-# updates to rootdn.  (e.g., "access to * by * read")
-#
-# rootdn can always read and write EVERYTHING!
-
-#######################################################################
-# BDB database definitions
-#######################################################################
-
-database	bdb
-suffix		"o=Linux strongSwan,c=CH"
-rootdn		"cn=Manager,o=Linux strongSwan,c=CH"
-checkpoint	32	30 # <kbyte> <min>
-# Cleartext passwords, especially for the rootdn, should
-# be avoid.  See slappasswd(8) and slapd.conf(5) for details.
-# Use of strong authentication encouraged.
-rootpw		tuxmux	
-# The database directory MUST exist prior to running slapd AND 
-# should only be accessible by the slapd and slap tools.
-# Mode 700 recommended.
-directory	/var/lib/openldap-data
-# Indices to maintain
-index	objectClass	eq
diff --git a/testing/hosts/winnetou/etc/openssl/generate-crl b/testing/hosts/winnetou/etc/openssl/generate-crl
index 60e53a0a4..839816bf5 100755
--- a/testing/hosts/winnetou/etc/openssl/generate-crl
+++ b/testing/hosts/winnetou/etc/openssl/generate-crl
@@ -16,30 +16,32 @@
 
 export COMMON_NAME=strongSwan
 
+ROOT=/var/www
+
 cd /etc/openssl
 openssl ca -gencrl -crldays 30 -config /etc/openssl/openssl.cnf -out crl.pem
 openssl crl -in crl.pem -outform der -out strongswan.crl
-cp strongswan.crl     /var/www/localhost/htdocs/
-cp strongswanCert.pem /var/www/localhost/htdocs/
-cp index.html         /var/www/localhost/htdocs/
+cp strongswan.crl     ${ROOT}
+cp strongswanCert.pem ${ROOT}
+cp index.html         ${ROOT}
 cd /etc/openssl/research
 openssl ca -gencrl -crldays 15 -config /etc/openssl/research/openssl.cnf -out crl.pem
 openssl crl -in crl.pem -outform der -out research.crl
-cp research.crl       /var/www/localhost/htdocs/
+cp research.crl       ${ROOT}
 cd /etc/openssl/sales
 openssl ca -gencrl -crldays 15 -config /etc/openssl/sales/openssl.cnf -out crl.pem
 openssl crl -in crl.pem -outform der -out sales.crl
-cp sales.crl         /var/www/localhost/htdocs/
+cp sales.crl         ${ROOT}
 cd /etc/openssl/ecdsa
 openssl ca -gencrl -crldays 15 -config /etc/openssl/ecdsa/openssl.cnf -out crl.pem
 openssl crl -in crl.pem -outform der -out strongswan_ec.crl
-cp strongswan_ec.crl /var/www/localhost/htdocs/
+cp strongswan_ec.crl ${ROOT}
 cd /etc/openssl/monster
 openssl ca -gencrl -crldays 15 -config /etc/openssl/monster/openssl.cnf -out crl.pem
 openssl crl -in crl.pem -outform der -out strongswan-monster.crl
-cp strongswan-monster.crl /var/www/localhost/htdocs/
+cp strongswan-monster.crl ${ROOT}
 cd /etc/openssl/rfc3779
 openssl ca -gencrl -crldays 15 -config /etc/openssl/rfc3779/openssl.cnf -out crl.pem
 openssl crl -in crl.pem -outform der -out strongswan_rfc3779.crl
-cp strongswan_rfc3779.crl /var/www/localhost/htdocs/
+cp strongswan_rfc3779.crl ${ROOT}
 
diff --git a/testing/hosts/winnetou/etc/openssl/index.html b/testing/hosts/winnetou/etc/openssl/index.html
index 1641768ae..8cbb2c482 100644
--- a/testing/hosts/winnetou/etc/openssl/index.html
+++ b/testing/hosts/winnetou/etc/openssl/index.html
@@ -20,10 +20,10 @@
     </li>
   </ul>
 
-  <h2>strongSwan UML Testing Environment</h2>
+  <h2>strongSwan Testing Environment</h2>
   <ul>
     <li>
-      <a href="testresults/">UML Test Results</a>
+      <a href="testresults/">Test Results</a>
     </li>
   </ul>
   <a href="images/umlArchitecture_large.png" target="_blank">
diff --git a/testing/hosts/winnetou/etc/openssl/ocsp/ocsp.cgi b/testing/hosts/winnetou/etc/openssl/ocsp/ocsp.cgi
index cb585ed08..a62fe16bd 100755
--- a/testing/hosts/winnetou/etc/openssl/ocsp/ocsp.cgi
+++ b/testing/hosts/winnetou/etc/openssl/ocsp/ocsp.cgi
@@ -5,7 +5,7 @@ cd /etc/openssl
 echo "Content-type: application/ocsp-response"
 echo ""
 
-/usr/bin/openssl ocsp -index index.txt -CA strongswanCert.pem \
-                      -rkey ocspKey.pem -rsigner ocspCert.pem \
-		      -nmin 5 \
-		      -reqin /dev/stdin -respout /dev/stdout
+cat | /usr/bin/openssl ocsp -index index.txt -CA strongswanCert.pem \
+	-rkey ocspKey.pem -rsigner ocspCert.pem \
+	-nmin 5 \
+	-reqin /dev/stdin -respout /dev/stdout | cat
diff --git a/testing/hosts/winnetou/etc/openssl/research/ocsp/ocsp.cgi b/testing/hosts/winnetou/etc/openssl/research/ocsp/ocsp.cgi
index c193e8779..32405f81c 100755
--- a/testing/hosts/winnetou/etc/openssl/research/ocsp/ocsp.cgi
+++ b/testing/hosts/winnetou/etc/openssl/research/ocsp/ocsp.cgi
@@ -5,7 +5,7 @@ cd /etc/openssl/research
 echo "Content-type: application/ocsp-response"
 echo ""
 
-/usr/bin/openssl ocsp -index index.txt -CA researchCert.pem \
-                      -rkey ocspKey.pem -rsigner ocspCert.pem \
-		      -nmin 5 \
-		      -reqin /dev/stdin -respout /dev/stdout
+cat | /usr/bin/openssl ocsp -index index.txt -CA researchCert.pem \
+	-rkey ocspKey.pem -rsigner ocspCert.pem \
+	-nmin 5 \
+	-reqin /dev/stdin -respout /dev/stdout | cat
diff --git a/testing/hosts/winnetou/etc/openssl/sales/ocsp/ocsp.cgi b/testing/hosts/winnetou/etc/openssl/sales/ocsp/ocsp.cgi
index c53cb9a76..74a2aebc2 100755
--- a/testing/hosts/winnetou/etc/openssl/sales/ocsp/ocsp.cgi
+++ b/testing/hosts/winnetou/etc/openssl/sales/ocsp/ocsp.cgi
@@ -5,7 +5,7 @@ cd /etc/openssl/sales
 echo "Content-type: application/ocsp-response"
 echo ""
 
-/usr/bin/openssl ocsp -index index.txt -CA salesCert.pem \
-                      -rkey ocspKey.pem -rsigner ocspCert.pem \
-		      -nmin 5 \
-		      -reqin /dev/stdin -respout /dev/stdout
+cat | /usr/bin/openssl ocsp -index index.txt -CA salesCert.pem \
+	-rkey ocspKey.pem -rsigner ocspCert.pem \
+	-nmin 5 \
+	-reqin /dev/stdin -respout /dev/stdout | cat
diff --git a/testing/hosts/winnetou/etc/runlevels/default/apache2 b/testing/hosts/winnetou/etc/runlevels/default/apache2
deleted file mode 100755
index 5f72d3090..000000000
--- a/testing/hosts/winnetou/etc/runlevels/default/apache2
+++ /dev/null
@@ -1,121 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2007 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="configtest fullstatus graceful gracefulstop modules reload"
-
-depend() {
-	need net
-	use mysql dns logger netmount postgresql
-	after sshd
-}
-
-configtest() {
-	ebegin "Checking Apache Configuration"
-	checkconfig
-	eend $?
-}
-
-checkconfig() {
-	SERVERROOT="${SERVERROOT:-/usr/lib/apache2}"
-	if [ ! -d ${SERVERROOT} ]; then
-		eerror "SERVERROOT does not exist: ${SERVERROOT}"
-		return 1
-	fi
-
-	CONFIGFILE="${CONFIGFILE:-/etc/apache2/httpd.conf}"
-	[ "${CONFIGFILE#/}" = "${CONFIGFILE}" ] && CONFIGFILE="${SERVERROOT}/${CONFIGFILE}"
-	if [ ! -r "${CONFIGFILE}" ]; then
-		eerror "Unable to read configuration file: ${CONFIGFILE}"
-		return 1
-	fi
-
-	APACHE2_OPTS="${APACHE2_OPTS} -d ${SERVERROOT}"
-	APACHE2_OPTS="${APACHE2_OPTS} -f ${CONFIGFILE}"
-	[ -n "${STARTUPERRORLOG}" ] && APACHE2_OPTS="${APACHE2_OPTS} -E ${STARTUPERRORLOG}"
-
-	APACHE2="/usr/sbin/apache2"
-
-	${APACHE2} ${APACHE2_OPTS} -t 1>/dev/null 2>&1
-	ret=$?
-	if [ $ret -ne 0 ]; then
-		eerror "Apache2 has detected a syntax error in your configuration files:"
-		${APACHE2} ${APACHE2_OPTS} -t
-	fi
-
-	return $ret
-}
-
-start() {
-	checkconfig || return 1
-	ebegin "Starting apache2"
-	[ -f /var/log/apache2/ssl_scache ] && rm /var/log/apache2/ssl_scache
-
-	start-stop-daemon --start --exec ${APACHE2} -- ${APACHE2_OPTS} -k start
-	eend $?
-}
-
-stop() {
-	checkconfig || return 1
-	ebegin "Stopping apache2"
-	start-stop-daemon --stop --retry -TERM/5/-KILL/5 --exec ${APACHE2} --pidfile /var/run/apache2.pid
-	eend $?
-}
-
-reload() {
-	RELOAD_TYPE="${RELOAD_TYPE:-graceful}"
-
-	checkconfig || return 1
-	if [ "${RELOAD_TYPE}" = "restart" ]; then
-		ebegin "Restarting apache2"
-		start-stop-daemon --stop --oknodo --signal HUP --exec ${APACHE2} --pidfile /var/run/apache2.pid
-		eend $?
-	elif [ "${RELOAD_TYPE}" = "graceful" ]; then
-		ebegin "Gracefully restarting apache2"
-		start-stop-daemon --stop --oknodo --signal USR1 --exec ${APACHE2} --pidfile /var/run/apache2.pid
-		eend $?
-	else
-		eerror "${RELOAD_TYPE} is not a valid RELOAD_TYPE. Please edit /etc/conf.d/apache2"
-	fi
-}
-
-graceful() {
-	checkconfig || return 1
-	ebegin "Gracefully restarting apache2"
-	start-stop-daemon --stop --signal USR1 --exec ${APACHE2} --pidfile /var/run/apache2.pid
-	eend $?
-}
-
-gracefulstop() {
-	checkconfig || return 1
-	
-	# zap!
-	if service_started "${myservice}"; then
-		mark_service_stopped "${myservice}"
-	fi
-
-	ebegin "Gracefully stopping apache2"
-	# 28 is SIGWINCH
-	start-stop-daemon --stop --signal 28 --exec ${APACHE2} --pidfile /var/run/apache2.pid
-	eend $?
-}
-
-modules() {
-	checkconfig || return 1
-
-	${APACHE2} ${APACHE2_OPTS} -M 2>&1
-}
-
-status() {
-	LYNX="${LYNX:-lynx -dump}"
-	STATUSURL="${STATUSURL:-http://localhost/server-status}"
-	
-	${LYNX} ${STATUSURL} | awk ' /process$/ { print; exit } { print } '
-}
-
-fullstatus() {
-	LYNX="${LYNX:-lynx -dump}"
-	STATUSURL="${STATUSURL:-http://localhost/server-status}"
-	
-	${LYNX} ${STATUSURL}
-}
diff --git a/testing/hosts/winnetou/etc/runlevels/default/net.eth0 b/testing/hosts/winnetou/etc/runlevels/default/net.eth0
deleted file mode 100755
index 92b3851cf..000000000
--- a/testing/hosts/winnetou/etc/runlevels/default/net.eth0
+++ /dev/null
@@ -1,1124 +0,0 @@
-#!/sbin/runscript
-# Copyright (c) 2004-2006 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-# Contributed by Roy Marples (uberlord@gentoo.org)
-# Many thanks to Aron Griffis (agriffis@gentoo.org)
-# for help, ideas and patches
-
-#NB: Config is in /etc/conf.d/net
-
-# For pcmcia users. note that pcmcia must be added to the same
-# runlevel as the net.* script that needs it.
-depend() {
-	need localmount
-	after bootmisc hostname
-	use isapnp isdn pcmcia usb wlan
-
-	# Load any custom depend functions for the given interface
-	# For example, br0 may need eth0 and eth1
-	local iface="${SVCNAME#*.}"
-	[[ $(type -t "depend_${iface}") == "function" ]] && depend_${iface}
-
-	if [[ ${iface} != "lo" && ${iface} != "lo0" ]] ; then
-		after net.lo net.lo0
-
-		# Support new style RC_NEED and RC_USE in one net file
-		local x="RC_NEED_${iface}"
-		[[ -n ${!x} ]] && need ${!x}
-		x="RC_USE_${iface}"
-		[[ -n ${!x} ]] && use ${!x}
-	fi
-
-	return 0
-}
-
-# Define where our modules are
-MODULES_DIR="${svclib}/net"
-
-# Make some wrappers to fudge after/before/need/use depend flags.
-# These are callbacks so MODULE will be set.
-after() {
-	eval "${MODULE}_after() { echo \"$*\"; }"
-}
-before() {
-	eval "${MODULE}_before() { echo \"$*\"; }"
-}
-need() {
-	eval "${MODULE}_need() { echo \"$*\"; }"
-}
-installed() {
-	# We deliberately misspell this as _installed will probably be used
-	# at some point
-	eval "${MODULE}_instlled() { echo \"$*\"; }"
-}
-provide() {
-	eval "${MODULE}_provide() { echo \"$*\"; }"
-}
-functions() {
-	eval "${MODULE}_functions() { echo \"$*\"; }"
-}
-variables() {
-	eval "${MODULE}_variables() { echo \"$*\"; }"
-}
-
-is_loopback() {
-	[[ $1 == "lo" || $1 == "lo0" ]]
-}
-
-# char* interface_device(char *iface)
-#
-# Gets the base device of the interface
-# Can handle eth0:1 and eth0.1
-# Which returns eth0 in this case
-interface_device() {
-	local dev="${1%%.*}"
-	[[ ${dev} == "$1" ]] && dev="${1%%:*}"
-	echo "${dev}"
-}
-
-# char* interface_type(char* iface)
-#
-# Returns the base type of the interface
-# eth, ippp, etc
-interface_type() {
-	echo "${1%%[0-9]*}"
-}
-
-# int calculate_metric(char *interface, int base)
-#
-# Calculates the best metric for the interface
-# We use this when we add routes so we can prefer interfaces over each other
-calculate_metric() {
-	local iface="$1" metric="$2"
-
-	# Have we already got a metric?
-	local m=$(awk '$1=="'${iface}'" && $2=="00000000" { print $7 }' \
-		/proc/net/route)
-	if [[ -n ${m} ]] ; then
-		echo "${m}"
-		return 0
-	fi
-
-	local i= dest= gw= flags= ref= u= m= mtu= metrics=
-	while read i dest gw flags ref u m mtu ; do
-		# Ignore lo
-		is_loopback "${i}" && continue
-		# We work out metrics from default routes only
-		[[ ${dest} != "00000000" || ${gw} == "00000000" ]] && continue
-		metrics="${metrics}\n${m}"
-	done < /proc/net/route
-
-	# Now, sort our metrics
-	metrics=$(echo -e "${metrics}" | sort -n)
-
-	# Now, find the lowest we can use
-	local gotbase=false
-	for m in ${metrics} ; do
-		[[ ${m} -lt ${metric} ]] && continue
-		[[ ${m} == ${metric} ]] && ((metric++))
-		[[ ${m} -gt ${metric} ]] && break
-	done
-	
-	echo "${metric}"
-}
-
-# int netmask2cidr(char *netmask)
-#
-# Returns the CIDR of a given netmask
-netmask2cidr() {
-	local binary= i= bin=
-
-	for i in ${1//./ }; do
-		bin=""
-		while [[ ${i} != "0" ]] ; do
-			bin=$[${i}%2]${bin}
-			(( i=i>>1 ))
-		done
-		binary="${binary}${bin}"
-	done
-	binary="${binary%%0*}"
-	echo "${#binary}"
-}
-
-
-# bool is_function(char* name)
-#
-# Returns 0 if the given name is a shell function, otherwise 1
-is_function() {
-	[[ -z $1 ]] && return 1
-	[[ $(type -t "$1") == "function" ]]
-}
-
-# void function_wrap(char* source, char* target)
-#
-# wraps function calls - for example function_wrap(this, that)
-# maps function names this_* to that_*
-function_wrap() {
-	local i=
-
-	is_function "${2}_depend" && return
-
-	for i in $(typeset -f | grep -o '^'"${1}"'_[^ ]*'); do
-		eval "${2}${i#${1}}() { ${i} \"\$@\"; }"
-	done
-}
-
-# char[] * expand_parameters(char *cmd)
-#
-# Returns an array after expanding parameters. For example
-# "192.168.{1..3}.{1..3}/24 brd +"
-# will return
-# "192.168.1.1/24 brd +"
-# "192.168.1.2/24 brd +"
-# "192.168.1.3/24 brd +"
-# "192.168.2.1/24 brd +"
-# "192.168.2.2/24 brd +"
-# "192.168.2.3/24 brd +"
-# "192.168.3.1/24 brd +"
-# "192.168.3.2/24 brd +"
-# "192.168.3.3/24 brd +"
-expand_parameters() {
-	local x=$(eval echo ${@// /_})
-	local -a a=( ${x} )
-
-	a=( "${a[@]/#/\"}" )
-	a=( "${a[@]/%/\"}" )
-	echo "${a[*]//_/ }"
-}
-
-# void configure_variables(char *interface, char *option1, [char *option2])
-#
-# Maps configuration options from <variable>_<option> to <variable>_<iface>
-# option2 takes precedence over option1
-configure_variables() {
-	local iface="$1" option1="$2" option2="$3"
-
-	local mod= func= x= i=
-	local -a ivars=() ovars1=() ovars2=()
-	local ifvar=$(bash_variable "${iface}")
-
-	for mod in ${MODULES[@]}; do
-		is_function ${mod}_variables || continue
-		for v in $(${mod}_variables) ; do
-			x=
-			[[ -n ${option2} ]] && x="${v}_${option2}[@]"
-			[[ -z ${!x} ]] && x="${v}_${option1}[@]"
-			[[ -n ${!x} ]] && eval "${v}_${ifvar}=( \"\${!x}\" )"
-		done
-	done
-
-	return 0
-}
-# bool module_load_minimum(char *module)
-#
-# Does the minimum checking on a module - even when forcing
-module_load_minimum() {
-	local f="$1.sh" MODULE="${1##*/}"
-
-	if [[ ! -f ${f} ]] ; then
-		eerror "${f} does not exist"
-		return 1
-	fi
-
-	if ! source "${f}" ; then
-		eerror "${MODULE} failed a sanity check"
-		return 1
-	fi
-
-	for f in depend; do
-		is_function "${MODULE}_${f}" && continue
-		eerror "${MODULE}.sh does not support the required function ${f}"
-		return 1
-	done
-
-	return 0
-}
-
-# bool modules_load_auto()
-#
-# Load and check each module for sanity
-# If the module is not installed, the functions are to be removed
-modules_load_auto() {
-	local i j inst
-
-	# Populate the MODULES array
-	# Basically we treat evey file in ${MODULES_DIR} as a module
-	MODULES=( $( cd "${MODULES_DIR}" ; ls *.sh ) )
-	j="${#MODULES[@]}"
-	for (( i=0; i<j; i++ )); do
-		MODULES[i]="${MODULES_DIR}/${MODULES[i]}"
-		[[ ! -f ${MODULES[i]} ]] && unset MODULES[i]
-	done
-	MODULES=( "${MODULES[@]}" )
-
-	# Each of these sources into the global namespace, so it's
-	# important that module functions and variables are prefixed with
-	# the module name, for example iproute2_
-
-	j="${#MODULES[@]}"
-	loaded_interface=false
-	for (( i=0; i<j; i++ )); do
-		MODULES[i]="${MODULES[i]%.sh*}"
-		if [[ ${MODULES[i]##*/} == "interface" ]] ; then
-			eerror "interface is a reserved name - cannot load a module called interface"
-			return 1
-		fi
-		
-		(
-		u=0;
-		module_load_minimum "${MODULES[i]}" || u=1;
-		if [[ ${u} == 0 ]] ; then
-			inst="${MODULES[i]##*/}_check_installed";
-			if is_function "${inst}" ; then
-				${inst} false || u=1;
-			fi
-		fi
-		exit "${u}";
-		)
-
-		if [[ $? == 0 ]] ; then
-			source "${MODULES[i]}.sh"
-			MODULES[i]="${MODULES[i]##*/}"
-		else
-			unset MODULES[i]
-		fi
-	done
-
-	MODULES=( "${MODULES[@]}" )
-	return 0
-}
-
-# bool modules_check_installed(void)
-#
-# Ensure that all modules have the required modules loaded
-# This enables us to remove modules from the MODULES array
-# Whilst other modules can still explicitly call them
-# One example of this is essidnet which configures network
-# settings for the specific ESSID connected to as the user
-# may be using a daemon to configure wireless instead of our
-# iwconfig module
-modules_check_installed() {
-	local i j missingdeps nmods="${#MODULES[@]}"
-
-	for (( i=0; i<nmods; i++ )); do
-		is_function "${MODULES[i]}_instlled" || continue
-		for j in $( ${MODULES[i]}_instlled ); do
-			missingdeps=true
-			if is_function "${j}_check_installed" ; then
-				${j}_check_installed && missingdeps=false
-			elif is_function "${j}_depend" ; then
-				missingdeps=false
-			fi
-			${missingdeps} && unset MODULES[i] && unset PROVIDES[i] && break
-		done
-	done
-
-	MODULES=( "${MODULES[@]}" )
-	PROVIDES=( "${PROVIDES[@]}" )
-}
-
-# bool modules_check_user(void)
-modules_check_user() {
-	local iface="$1" ifvar=$(bash_variable "${IFACE}")
-	local i= j= k= l= nmods="${#MODULES[@]}"
-	local -a umods=()
-
-	# Has the interface got any specific modules?
-	umods="modules_${ifvar}[@]"
-	umods=( "${!umods}" )
-
-	# Global setting follows interface-specific setting
-	umods=( "${umods[@]}" "${modules[@]}" )
-
-	# Add our preferred modules
-	local -a pmods=( "iproute2" "dhcpcd" "iwconfig" "netplugd" )
-	umods=( "${umods[@]}" "${pmods[@]}" )
-
-	# First we strip any modules that conflict from user settings
-	# So if the user specifies pump then we don't use dhcpcd
-	for (( i=0; i<${#umods[@]}; i++ )); do
-		# Some users will inevitably put "dhcp" in their modules
-		# list.  To keep users from screwing up their system this
-		# way, ignore this setting so that the default dhcp
-		# module will be used.
-		[[ ${umods[i]} == "dhcp" ]] && continue
-
-		# We remove any modules we explicitly don't want
-		if [[ ${umods[i]} == "!"* ]] ; then
-			for (( j=0; j<nmods; j++ )); do
-				[[ -z ${MODULES[j]} ]] && continue
-				if [[ ${umods[i]:1} == "${MODULES[j]}" \
-					|| ${umods[i]:1} == "${PROVIDES[j]}" ]] ; then
-					# We may need to setup a class wrapper for it even though
-					# we don't use it directly
-					# However, we put it into an array and wrap later as
-					# another module may provide the same thing
-					${MODULES[j]}_check_installed \
-						&& WRAP_MODULES=(
-							"${WRAP_MODULES[@]}"
-							"${MODULES[j]} ${PROVIDES[j]}"
-						)
-					unset MODULES[j]
-					unset PROVIDES[j]
-				fi
-			done
-			continue
-		fi
-
-		if ! is_function "${umods[i]}_depend" ; then
-			# If the module is one of our preferred modules, then
-			# ignore this error; whatever is available will be
-			# used instead.
-			(( i < ${#umods[@]} - ${#pmods[@]} )) || continue
-
-			# The function may not exist because the modules software is
-			# not installed. Load the module and report its error
-			if [[ -e "${MODULES_DIR}/${umods[i]}.sh" ]] ; then
-				source "${MODULES_DIR}/${umods[i]}.sh"
-				is_function "${umods[i]}_check_installed" \
-					&& ${umods[i]}_check_installed true
-			else
-				eerror "The module \"${umods[i]}\" does not exist"
-			fi
-			return 1
-		fi
-
-		if is_function "${umods[i]}_provide" ; then
-			mod=$(${umods[i]}_provide)
-		else
-			mod="${umods[i]}"
-		fi
-		for (( j=0; j<nmods; j++ )); do
-			[[ -z ${MODULES[j]} ]] && continue
-			if [[ ${PROVIDES[j]} == "${mod}" && ${umods[i]} != "${MODULES[j]}" ]] ; then
-				# We don't have a match - now ensure that we still provide an
-				# alternative. This is to handle our preferred modules.
-				for (( l=0; l<nmods; l++ )); do
-					[[ ${l} == "${j}" || -z ${MODULES[l]} ]] && continue
-					if [[ ${PROVIDES[l]} == "${mod}" ]] ; then
-						unset MODULES[j]
-						unset PROVIDES[j]
-						break
-					fi
-				done
-			fi
-		done
-	done
-
-	# Then we strip conflicting modules.
-	# We only need to do this for 3rd party modules that conflict with
-	# our own modules and the preferred list AND the user modules
-	# list doesn't specify a preference.
-	for (( i=0; i<nmods-1; i++ )); do
-		[[ -z ${MODULES[i]} ]] && continue			
-		for (( j=i+1; j<nmods; j++)); do
-			[[ -z ${MODULES[j]} ]] && continue
-			[[ ${PROVIDES[i]} == "${PROVIDES[j]}" ]] \
-			&& unset MODULES[j] && unset PROVIDES[j]
-		done
-	done
-
-	MODULES=( "${MODULES[@]}" )
-	PROVIDES=( "${PROVIDES[@]}" )
-	return 0
-}
-
-# void modules_sort(void)
-#
-# Sort our modules
-modules_sort() {
-	local i= j= nmods=${#MODULES[@]} m=
-	local -a provide=() provide_list=() after=() dead=() sorted=() sortedp=()
-
-	# Make our provide list
-	for ((i=0; i<nmods; i++)); do
-		dead[i]="false"
-		if [[ ${MODULES[i]} != "${PROVIDES[i]}" ]] ; then
-			local provided=false
-			for ((j=0; j<${#provide[@]}; j++)); do
-				if [[ ${provide[j]} == "${PROVIDES[i]}" ]] ; then
-					provide_list[j]="${provide_list[j]} ${MODULES[i]}"
-					provided=true
-				fi
-			done
-			if ! ${provided}; then
-				provide[j]="${PROVIDES[i]}"
-				provide_list[j]="${MODULES[i]}"
-			fi
-		fi
-	done
-
-	# Create an after array, which holds which modules the module at
-	# index i must be after
-	for ((i=0; i<nmods; i++)); do
-		if is_function "${MODULES[i]}_after" ; then
-			after[i]=" ${after[i]} $(${MODULES[i]}_after) "
-		fi
-		if is_function "${MODULES[i]}_before" ; then
-			for m in $(${MODULES[i]}_before); do
-				for ((j=0; j<nmods; j++)) ; do
-					if [[ ${PROVIDES[j]} == "${m}" ]] ; then
-						after[j]=" ${after[j]} ${MODULES[i]} "
-						break
-					fi
-				done
-			done
-		fi
-	done
-
-	# Replace the after list modules with real modules
-	for ((i=0; i<nmods; i++)); do
-		if [[ -n ${after[i]} ]] ; then
-			for ((j=0; j<${#provide[@]}; j++)); do
-				after[i]="${after[i]// ${provide[j]} / ${provide_list[j]} }"
-			done
-		fi
-	done
-	
-	# We then use the below code to provide a topologial sort
-    module_after_visit() {
-        local name="$1" i= x=
-
-		for ((i=0; i<nmods; i++)); do
-			[[ ${MODULES[i]} == "$1" ]] && break
-		done
-
-        ${dead[i]} && return
-        dead[i]="true"
-
-        for x in ${after[i]} ; do
-            module_after_visit "${x}"
-        done
-
-        sorted=( "${sorted[@]}" "${MODULES[i]}" )
-		sortedp=( "${sortedp[@]}" "${PROVIDES[i]}" )
-    }
-
-	for x in ${MODULES[@]}; do
-		module_after_visit "${x}"
-	done
-
-	MODULES=( "${sorted[@]}" )
-	PROVIDES=( "${sortedp[@]}" )
-}
-
-# bool modules_check_depends(bool showprovides)
-modules_check_depends() {
-	local showprovides="${1:-false}" nmods="${#MODULES[@]}" i= j= needmod=
-	local missingdeps= p= interface=false
-
-	for (( i=0; i<nmods; i++ )); do
-		if is_function "${MODULES[i]}_need" ; then
-			for needmod in $(${MODULES[i]}_need); do
-				missingdeps=true
-				for (( j=0; j<nmods; j++ )); do
-					if [[ ${needmod} == "${MODULES[j]}" \
-						|| ${needmod} == "${PROVIDES[j]}" ]] ; then
-						missingdeps=false
-						break
-					fi
-				done
-				if ${missingdeps} ; then
-					eerror "${MODULES[i]} needs ${needmod} (dependency failure)"
-					return 1
-				fi
-			done
-		fi
-
-		if is_function "${MODULES[i]}_functions" ; then
-			for f in $(${MODULES[i]}_functions); do
-				if ! is_function "${f}" ; then
-					eerror "${MODULES[i]}: missing required function \"${f}\""
-					return 1
-				fi
-			done
-		fi
-
-		[[ ${PROVIDES[i]} == "interface" ]] && interface=true
-
-		if ${showprovides} ; then
-			[[ ${PROVIDES[i]} != "${MODULES[i]}" ]] \
-			&& veinfo "${MODULES[i]} provides ${PROVIDES[i]}"
-		fi
-	done
-
-	if ! ${interface} ; then
-		eerror "no interface module has been loaded"
-		return 1
-	fi
-
-	return 0
-}
-
-# bool modules_load(char *iface, bool starting)
-#
-# Loads the defined handler and modules for the interface
-# Returns 0 on success, otherwise 1
-modules_load()  {
-	local iface="$1" starting="${2:-true}" MODULE= p=false i= j= k=
-	local -a x=()
-	local RC_INDENTATION="${RC_INDENTATION}"
-	local -a PROVIDES=() WRAP_MODULES=()
-
-	if ! is_loopback "${iface}" ; then
-		x="modules_force_${iface}[@]"
-		[[ -n ${!x} ]] && modules_force=( "${!x}" )
-		if [[ -n ${modules_force} ]] ; then
-			ewarn "WARNING: You are forcing modules!"
-			ewarn "Do not complain or file bugs if things start breaking"
-			report=true
-		fi
-	fi
-
-	veinfo "Loading networking modules for ${iface}"
-	eindent
-
-	if [[ -z ${modules_force} ]] ; then
-		modules_load_auto || return 1
-	else
-		j="${#modules_force[@]}"
-		for (( i=0; i<j; i++ )); do
-			module_load_minimum "${MODULES_DIR}/${modules_force[i]}" || return 1
-			if is_function "${modules_force[i]}_check_installed" ; then
-				${modules_force[i]}_check_installed || unset modules_force[i]
-			fi
-		done
-		MODULES=( "${modules_force[@]}" )
-	fi
-
-	j="${#MODULES[@]}"
-	for (( i=0; i<j; i++ )); do
-		# Now load our dependencies - we need to use the MODULE variable
-		# here as the after/before/need functions use it
-		MODULE="${MODULES[i]}"
-		${MODULE}_depend
-
-		# expose does exactly the same thing as depend
-		# However it is more "correct" as it exposes things to other modules
-		# instead of depending on them ;)
-		is_function "${MODULES[i]}_expose" && ${MODULES[i]}_expose
-
-		# If no provide is given, assume module name
-		if is_function "${MODULES[i]}_provide" ; then
-			PROVIDES[i]=$(${MODULES[i]}_provide)
-		else
-			PROVIDES[i]="${MODULES[i]}"
-		fi
-	done
-
-	if [[ -n ${modules_force[@]} ]] ; then
-		# Strip any duplicate modules providing the same thing
-		j="${#MODULES[@]}"
-		for (( i=0; i<j-1; i++ )); do
-			[[ -z ${MODULES[i]} ]] && continue
-			for (( k=i+1; k<j; k++ )); do
-				if [[ ${PROVIDES[i]} == ${PROVIDES[k]} ]] ; then
-					unset MODULES[k]
-					unset PROVIDES[k]
-				fi
-			done
-		done
-		MODULES=( "${MODULES[@]}" )
-		PROVIDES=( "${PROVIDES[@]}" )
-	else
-		if ${starting}; then
-			modules_check_user "${iface}" || return 1
-		else
-			# Always prefer iproute2 for taking down interfaces
-			if is_function iproute2_provide ; then
-				function_wrap iproute2 "$(iproute2_provide)"
-			fi
-		fi
-	fi
-	
-	# Wrap our modules
-	j="${#MODULES[@]}"
-	for (( i=0; i<j; i++ )); do
-		function_wrap "${MODULES[i]}" "${PROVIDES[i]}"
-	done
-	j="${#WRAP_MODULES[@]}"
-	for (( i=0; i<j; i++ )); do
-		function_wrap ${WRAP_MODULES[i]}
-	done
-	
-	if [[ -z ${modules_force[@]} ]] ; then
-		modules_check_installed || return 1
-		modules_sort || return 1
-	fi
-
-	veinfo "modules: ${MODULES[@]}"
-	eindent
-
-	${starting} && p=true
-	modules_check_depends "${p}" || return 1
-	return 0
-}
-
-# bool iface_start(char *interface)
-#
-# iface_start is called from start.  It's expected to start the base
-# interface (for example "eth0"), aliases (for example "eth0:1") and to start
-# VLAN interfaces (for example eth0.0, eth0.1).  VLAN setup is accomplished by
-# calling itself recursively.
-iface_start() {
-	local iface="$1" mod config_counter="-1" x config_worked=false
-	local RC_INDENTATION="${RC_INDENTATION}"
-	local -a config=() fallback=() fallback_route=() conf=() a=() b=()
-	local ifvar=$(bash_variable "$1") i= j= metric=0
-
-	# pre Start any modules with
-	for mod in ${MODULES[@]}; do
-		if is_function "${mod}_pre_start" ; then
-			${mod}_pre_start "${iface}" || { eend 1; return 1; }
-		fi
-	done
-
-	x="metric_${ifvar}"
-	# If we don't have a metric then calculate one
-	# Our modules will set the metric variable to a suitable base
-	# in their pre starts.
-	if [[ -z ${!x} ]] ; then
-		eval "metric_${ifvar}=\"$(calculate_metric "${iface}" "${metric}")\""
-	fi
-
-	# We now expand the configuration parameters and pray that the
-	# fallbacks expand to the same number as config or there will be
-	# trouble!
-	a="config_${ifvar}[@]"
-	a=( "${!a}" )
-	for (( i=0; i<${#a[@]}; i++ )); do 
-		eval b=( $(expand_parameters "${a[i]}") )
-		config=( "${config[@]}" "${b[@]}" )
-	done
-
-	a="fallback_${ifvar}[@]"
-	a=( "${!a}" )
-	for (( i=0; i<${#a[@]}; i++ )); do 
-		eval b=( $(expand_parameters "${a[i]}") )
-		fallback=( "${fallback[@]}" "${b[@]}" )
-	done
-
-	# We don't expand routes
-	fallback_route="fallback_route_${ifvar}[@]"
-	fallback_route=( "${!fallback_route}" )
-	
-	# We must support old configs
-	if [[ -z ${config} ]] ; then
-		interface_get_old_config "${iface}" || return 1
-		if [[ -n ${config} ]] ; then
-			ewarn "You are using a deprecated configuration syntax for ${iface}"
-			ewarn "You are advised to read /etc/conf.d/net.example and upgrade it accordingly"
-		fi
-	fi
-
-	# Handle "noop" correctly
-	if [[ ${config[0]} == "noop" ]] ; then
-		if interface_is_up "${iface}" true ; then
-			einfo "Keeping current configuration for ${iface}"
-			eend 0
-			return 0
-		fi
-
-		# Remove noop from the config var
-		config=( "${config[@]:1}" )
-	fi
-
-	# Provide a default of DHCP if no configuration is set and we're auto
-	# Otherwise a default of NULL
-	if [[ -z ${config} ]] ; then
-		ewarn "Configuration not set for ${iface} - assuming DHCP"
-		if is_function "dhcp_start" ; then
-			config=( "dhcp" )
-		else
-			eerror "No DHCP client installed"
-			return 1
-		fi
-	fi
-
-	einfo "Bringing up ${iface}"
-	eindent
-	for (( config_counter=0; config_counter<${#config[@]}; config_counter++ )); do
-		# Handle null and noop correctly
-		if [[ ${config[config_counter]} == "null" \
-			|| ${config[config_counter]} == "noop" ]] ; then
-			eend 0
-			config_worked=true
-			continue
-		fi
-
-		# We convert it to an array - this has the added
-		# bonus of trimming spaces!
-		conf=( ${config[config_counter]} )
-		einfo "${conf[0]}"
-
-		# Do we have a function for our config?
-		if is_function "${conf[0]}_start" ; then
-			eindent
-			${conf[0]}_start "${iface}" ; x=$?
-			eoutdent
-			[[ ${x} == 0 ]] && config_worked=true && continue
-			# We need to test to see if it's an IP address or a function
-			# We do this by testing if the 1st character is a digit
-		elif [[ ${conf[0]:0:1} == [[:digit:]] || ${conf[0]} == *:* ]] ; then
-			x="0"
-			if ! is_loopback "${iface}" ; then
-				if [[ " ${MODULES[@]} " == *" arping "* ]] ; then
-					if arping_address_exists "${iface}" "${conf[0]}" ; then
-						eerror "${conf[0]%%/*} already taken on ${iface}"
-						x="1"
-					fi
-				fi
-			fi
-			[[ ${x} == "0" ]] && interface_add_address "${iface}" ${conf[@]}; x="$?"
-			eend "${x}" && config_worked=true && continue
-		else
-			if [[ ${conf[0]} == "dhcp" ]] ; then
-				eerror "No DHCP client installed"
-			else
-				eerror "No loaded modules provide \"${conf[0]}\" (${conf[0]}_start)"
-			fi
-		fi
-
-		if [[ -n ${fallback[config_counter]} ]] ; then
-			einfo "Trying fallback configuration"
-			config[config_counter]="${fallback[config_counter]}"
-			fallback[config_counter]=""
-
-			# Do we have a fallback route?
-			if [[ -n ${fallback_route[config_counter]} ]] ; then
-				x="fallback_route[config_counter]"
-				eval "routes_${ifvar}=( \"\${!x}\" )"
-				fallback_route[config_counter]=""
-			fi
-
-			(( config_counter-- )) # since the loop will increment it
-			continue
-		fi
-	done
-	eoutdent
-
-	# We return failure if no configuration parameters worked
-	${config_worked} || return 1
-
-	# Start any modules with _post_start
-	for mod in ${MODULES[@]}; do
-		if is_function "${mod}_post_start" ; then
-			${mod}_post_start "${iface}" || return 1
-		fi
-	done
-
-	return 0
-}
-
-# bool iface_stop(char *interface)
-#
-# iface_stop: bring down an interface.  Don't trust information in
-# /etc/conf.d/net since the configuration might have changed since
-# iface_start ran.  Instead query for current configuration and bring
-# down the interface.
-iface_stop() {
-	local iface="$1" i= aliases= need_begin=false mod=
-	local RC_INDENTATION="${RC_INDENTATION}"
-
-	# pre Stop any modules
-	for mod in ${MODULES[@]}; do
-		if is_function "${mod}_pre_stop" ; then
-			${mod}_pre_stop "${iface}" || return 1
-		fi
-	done
-
-	einfo "Bringing down ${iface}"
-	eindent
-
-	# Collect list of aliases for this interface.
-	# List will be in reverse order.
-	if interface_exists "${iface}" ; then
-		aliases=$(interface_get_aliases_rev "${iface}")
-	fi
-
-	# Stop aliases before primary interface.
-	# Note this must be done in reverse order, since ifconfig eth0:1 
-	# will remove eth0:2, etc.  It might be sufficient to simply remove 
-	# the base interface but we're being safe here.
-	for i in ${aliases} ${iface}; do
-		# Stop all our modules
-		for mod in ${MODULES[@]}; do
-			if is_function "${mod}_stop" ; then
-				${mod}_stop "${i}" || return 1
-			fi
-		done
-
-		# A module may have removed the interface
-		if ! interface_exists "${iface}" ; then
-			eend 0
-			continue
-		fi
-
-		# We don't delete ppp assigned addresses
-		if ! is_function pppd_exists || ! pppd_exists "${i}" ; then
-			# Delete all the addresses for this alias
-			interface_del_addresses "${i}"
-		fi
-
-		# Do final shut down of this alias
-		if [[ ${IN_BACKGROUND} != "true" \
-			&& ${RC_DOWN_INTERFACE} == "yes" ]] ; then
-			ebegin "Shutting down ${i}"
-			interface_iface_stop "${i}"
-			eend "$?"
-		fi
-	done
-
-	# post Stop any modules
-	for mod in ${MODULES[@]}; do
-		# We have already taken down the interface, so no need to error
-		is_function "${mod}_post_stop" && ${mod}_post_stop "${iface}"
-	done
-
-	return 0
-}
-
-# bool run_start(char *iface)
-#
-# Brings up ${IFACE}.  Calls preup, iface_start, then postup.
-# Returns 0 (success) unless preup or iface_start returns 1 (failure).
-# Ignores the return value from postup.
-# We cannot check that the device exists ourselves as modules like
-# tuntap make create it.
-run_start() {
-	local iface="$1" IFVAR=$(bash_variable "$1")
-
-	# We do this so users can specify additional addresses for lo if they
-	# need too - additional routes too
-	# However, no extra modules are loaded as they are just not needed
-	if [[ ${iface} == "lo" ]] ; then
-		metric_lo="0"
-		config_lo=( "127.0.0.1/8 brd 127.255.255.255" "${config_lo[@]}" )
-		routes_lo=( "127.0.0.0/8" "${routes_lo[@]}" )
-	elif [[ ${iface} == "lo0" ]] ; then
-		metric_lo0="0"
-		config_lo0=( "127.0.0.1/8 brd 127.255.255.255" "${config_lo[@]}" )
-		routes_lo0=( "127.0.0.0/8" "${routes_lo[@]}" )
-	fi
-
-	# We may not have a loaded module for ${iface}
-	# Some users may have "alias natsemi eth0" in /etc/modules.d/foo
-	# so we can work with this
-	# However, if they do the same with eth1 and try to start it
-	# but eth0 has not been loaded then the module gets loaded as
-	# eth0.
-	# Not much we can do about this :(
-	# Also, we cannot error here as some modules - such as bridge
-	# create interfaces
-	if ! interface_exists "${iface}" ; then
-		/sbin/modprobe "${iface}" &>/dev/null
-	fi
-
-	# Call user-defined preup function if it exists
-	if is_function preup ; then
-		einfo "Running preup function"
-		eindent
-		( preup "${iface}" )
-		eend "$?" "preup ${iface} failed" || return 1
-		eoutdent
-	fi
-
-	# If config is set to noop and the interface is up with an address
-	# then we don't start it
-	local config=
-	config="config_${IFVAR}[@]"
-	config=( "${!config}" )
-	if [[ ${config[0]} == "noop" ]] && interface_is_up "${iface}" true ; then
-		einfo "Keeping current configuration for ${iface}"
-		eend 0
-	else
-		# Remove noop from the config var
-		[[ ${config[0]} == "noop" ]] \
-			&& eval "config_${IFVAR}=( "\"\$\{config\[@\]:1\}\"" )"
-
-		# There may be existing ip address info - so we strip it
-		if [[ ${RC_INTERFACE_KEEP_CONFIG} != "yes" \
-			&& ${IN_BACKGROUND} != "true" ]] ; then
-			interface_del_addresses "${iface}"
-		fi
-
-		# Start the interface
-		if ! iface_start "${iface}" ; then
-			if [[ ${IN_BACKGROUND} != "true" ]] ; then
-				interface_exists "${iface}" && interface_down "${iface}"
-			fi
-			eend 1
-			return 1
-		fi
-	fi
-
-	# Call user-defined postup function if it exists
-	if is_function postup ; then
-		# We need to mark the service as started incase a
-		# postdown function wants to restart services that depend on us
-		mark_service_started "net.${iface}"
-		end_service "net.${iface}" 0
-		einfo "Running postup function"
-		eindent
-		( postup "${iface}" )
-		eoutdent
-	fi
-
-	return 0
-}
-
-# bool run_stop(char *iface) {
-#
-# Brings down ${iface}.  If predown call returns non-zero, then
-# stop returns non-zero to indicate failure bringing down device.
-# In all other cases stop returns 0 to indicate success.
-run_stop() {
-	local iface="$1" IFVAR=$(bash_variable "$1") x
-
-	# Load our ESSID variable so users can use it in predown() instead
-	# of having to write code.
-	local ESSID=$(get_options ESSID) ESSIDVAR=
-	[[ -n ${ESSID} ]] && ESSIDVAR=$(bash_variable "${ESSID}")
-
-	# Call user-defined predown function if it exists
-	if is_function predown ; then
-		einfo "Running predown function"
-		eindent
-		( predown "${iface}" )
-		eend $? "predown ${iface} failed" || return 1
-		eoutdent
-	elif is_net_fs / ; then
-		eerror "root filesystem is network mounted -- can't stop ${iface}"
-		return 1
-	elif is_union_fs / ; then
-		for x in $(unionctl "${dir}" --list \
-		| sed -e 's/^\(.*\) .*/\1/') ; do
-			if is_net_fs "${x}" ; then
-				eerror "Part of the root filesystem is network mounted - cannot stop ${iface}"
-				return 1
-			fi
-		done
-	fi
-
-	iface_stop "${iface}" || return 1  # always succeeds, btw
-
-	# Release resolv.conf information.
-	[[ -x /sbin/resolvconf ]] && resolvconf -d "${iface}"
-	
-	# Mark us as inactive if called from the background
-	[[ ${IN_BACKGROUND} == "true" ]] && mark_service_inactive "net.${iface}"
-
-	# Call user-defined postdown function if it exists
-	if is_function postdown ; then
-		# We need to mark the service as stopped incase a
-		# postdown function wants to restart services that depend on us
-		[[ ${IN_BACKGROUND} != "true" ]] && mark_service_stopped "net.${iface}"
-		end_service "net.${iface}" 0
-		einfo "Running postdown function"
-		eindent
-		( postdown "${iface}" )
-		eoutdent
-	fi
-
-
-	return 0
-}
-
-# bool run(char *iface, char *cmd)
-#
-# Main start/stop entry point
-# We load modules here and remove any functions that they
-# added as we may be called inside the same shell scope for another interface
-run() {
-	local iface="$1" cmd="$2" r=1 RC_INDENTATION="${RC_INDENTATION}"
-	local starting=true
-	local -a MODULES=() mods=()
-	local IN_BACKGROUND="${IN_BACKGROUND}"
-
-	if [[ ${IN_BACKGROUND} == "true" || ${IN_BACKGROUND} == "1" ]] ; then
-		IN_BACKGROUND=true
-	else
-		IN_BACKGROUND=false
-	fi
-
-	# We need to override the exit function as runscript.sh now checks
-	# for it. We need it so we can mark the service as inactive ourselves.
-	unset -f exit
-
-	eindent
-	[[ ${cmd} == "stop" ]] && starting=false
-
-	# We force lo to only use these modules for a major speed boost
-	if is_loopback "${iface}" ; then	
-		modules_force=( "iproute2" "ifconfig" "system" )
-	fi
-
-	if modules_load "${iface}" "${starting}" ; then
-		if [[ ${cmd} == "stop" ]] ; then
-			# Reverse the module list for stopping
-			mods=( "${MODULES[@]}" )
-			for ((i = 0; i < ${#mods[@]}; i++)); do
-				MODULES[i]=${mods[((${#mods[@]} - i - 1))]}
-			done
-
-			run_stop "${iface}" && r=0
-		else
-			# Only hotplug on ethernet interfaces
-			if [[ ${IN_HOTPLUG} == 1 ]] ; then
-				if ! interface_is_ethernet "${iface}" ; then
-					eerror "We only hotplug for ethernet interfaces"
-					return 1
-				fi
-			fi
-
-			run_start "${iface}" && r=0
-		fi
-	fi
-
-	if [[ ${r} != "0" ]] ; then
-		if [[ ${cmd} == "start" ]] ; then
-			# Call user-defined failup if it exists
-			if is_function failup ; then
-				einfo "Running failup function"
-				eindent
-				( failup "${iface}" )
-				eoutdent
-			fi
-		else
-			# Call user-defined faildown if it exists
-			if is_function faildown ; then
-				einfo "Running faildown function"
-				eindent
-				( faildown "${iface}" )
-				eoutdent
-			fi
-		fi
-		[[ ${IN_BACKGROUND} == "true" ]] \
-			&& mark_service_inactive "net.${iface}"
-	fi
-
-	return "${r}"
-}
-
-# bool start(void)
-#
-# Start entry point so that we only have one function
-# which localises variables and unsets functions
-start() {
-	declare -r IFACE="${SVCNAME#*.}"
-	einfo "Starting ${IFACE}"
-	run "${IFACE}" start
-}
-
-# bool stop(void)
-#
-# Stop entry point so that we only have one function
-# which localises variables and unsets functions
-stop() {
-	declare -r IFACE="${SVCNAME#*.}"
-	einfo "Stopping ${IFACE}"
-	run "${IFACE}" stop
-}
-
-# vim:ts=4
diff --git a/testing/make-testing b/testing/make-testing
index 7cd3324e0..84ac20bf2 100755
--- a/testing/make-testing
+++ b/testing/make-testing
@@ -1,87 +1,27 @@
 #!/bin/bash
-# Create the strongSwan UML testing environment
-#
-# Copyright (C) 2004  Eric Marchionni, Patrik Rayo
-# Zuercher Hochschule Winterthur
-#
-# This program is free software; you can redistribute it and/or modify it
-# under the terms of the GNU General Public License as published by the
-# Free Software Foundation; either version 2 of the License, or (at your
-# option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
-#
-# This program is distributed in the hope that it will be useful, but
-# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
-# or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
-# for more details.
 
-DIR=`dirname $0`
+DIR=$(dirname `readlink -f $0`)
+. $DIR/testing.conf
 
-source $DIR/scripts/function.sh
+rm -f $LOGFILE
+mkdir -p $BUILDDIR
 
-[ -f $DIR/testing.conf ] || die "!! Configuration file 'testing.conf' not found."
-
-source $DIR/testing.conf
-
-if [ "$#" -eq 0 ]
-then
-    HOSTS=$STRONGSWANHOSTS
-else
-    HOSTS=$*
-fi
-
-##########################################################################
-# build the UML kernel based on a vanilla kernel form kernel.org
-# and a matching UML patch from user-mode-linux.sourceforge.net
-#
-if [ $ENABLE_BUILD_UMLKERNEL = "yes" ]
-then
-   cecho "Building uml kernel (scripts/build-umlkernel)"
-   $DIR/scripts/build-umlkernel
-fi
-
-##########################################################################
-# Adding the ssh RSA public keys to ~/.ssh/known_hosts
-#
-if [ $ENABLE_BUILD_SSHKEYS = "yes" ]
-then
-   cecho "Adding ssh public keys of the uml instances (scripts/build-sshkeys)"
-   $DIR/scripts/build-sshkeys
-fi
-
-##########################################################################
-# copy the default UML host configurations to $BUILDDIR
-# and assign actual IP addresses to the UML hosts
-#
-if [ $ENABLE_BUILD_HOSTCONFIG = "yes" ]
+if [ $ENABLE_BUILD_BASEIMAGE = "yes" ]
 then
-   cecho "Building host configurations (scripts/build-hostconfig)"
-   $DIR/scripts/build-hostconfig
+	$DIR/scripts/build-baseimage || exit 1
 fi
 
-##########################################################################
-# build a generic UML root file system based on a Gentoo root file system.
-# compile and install a specified strongSwan release into the file system.
-#
-if [ $ENABLE_BUILD_UMLROOTFS = "yes" ]
+if [ $ENABLE_BUILD_ROOTIMAGE = "yes" ]
 then
-   cecho "Building uml root file system with strongSwan (scripts/build-umlrootfs)"
-   $DIR/scripts/build-umlrootfs
+	$DIR/scripts/build-rootimage || exit 1
 fi
 
-##########################################################################
-# Creating the root filesystems for the specified UML instances
-#
-if [ $ENABLE_BUILD_UMLHOSTFS = "yes" ]
+if [ $ENABLE_BUILD_GUESTKERNEL = "yes" ]
 then
-   cecho "Building uml host root file systems (scripts/build-umlhostfs)"
-   $DIR/scripts/build-umlhostfs $HOSTS
+	$DIR/scripts/build-guestkernel || exit 1
 fi
 
-##########################################################################
-# Start up the UML switches and designated UML instances
-#
-if [ $ENABLE_START_TESTING = "yes" ]
+if [ $ENABLE_BUILD_GUESTIMAGES = "yes" ]
 then
-   cecho "Starting the uml switches and instances (start-testing)"
-   $DIR/start-testing $HOSTS
+	$DIR/scripts/build-guestimages $HOSTS || exit 1
 fi
diff --git a/testing/scripts/build-baseimage b/testing/scripts/build-baseimage
new file mode 100755
index 000000000..1355d7a05
--- /dev/null
+++ b/testing/scripts/build-baseimage
@@ -0,0 +1,79 @@
+#!/bin/bash
+
+echo "Building base image"
+
+DIR=$(dirname `readlink -f $0`)
+. $DIR/../testing.conf
+. $DIR/function.sh
+
+[ `id -u` -eq 0 ] || die "You must be root to run $0"
+
+check_commands debootstrap mkfs.ext3 partprobe qemu-img qemu-nbd sfdisk
+
+# package includes/excludes
+INC=build-essential,gperf,libgmp-dev,libldap2-dev,libcurl4-openssl-dev,ethtool
+INC=$INC,libxml2-dev,libtspi-dev,libsqlite3-dev,openssh-server,tcpdump,psmisc
+INC=$INC,openssl,vim,sqlite3,conntrack,gdb,cmake,libxerces-c2-dev,libltdl-dev
+INC=$INC,liblog4cxx10-dev,libboost-thread-dev,libboost-system-dev,git-core
+INC=$INC,less,acpid,acpi-support-base
+SERVICES="apache2 dbus isc-dhcp-server slapd"
+INC=$INC,${SERVICES// /,}
+EXC=iptables
+
+CACHEDIR=$BUILDDIR/cache
+APTCACHE=$LOOPDIR/var/cache/apt/archives
+
+mkdir -p $LOOPDIR
+mkdir -p $CACHEDIR
+mkdir -p $IMGDIR
+rm -f $BASEIMG
+
+echo "`date`, building $BASEIMG" >>$LOGFILE
+
+load_qemu_nbd
+
+log_action "Creating base image $BASEIMG"
+execute "qemu-img create -f $IMGEXT $BASEIMG ${BASEIMGSIZE}M"
+
+log_action "Connecting image to NBD device $NBDEV"
+execute "qemu-nbd -c $NBDEV $BASEIMG"
+do_on_exit qemu-nbd -d $NBDEV
+
+log_action "Partitioning disk"
+sfdisk /dev/nbd0 -D -uM >>$LOGFILE 2>&1 << EOF
+;
+EOF
+if [ $? != 0 ]
+then
+	log_status 1
+	exit 1
+else
+	log_status 0
+fi
+partprobe $NBDEV
+
+log_action "Creating ext3 filesystem"
+execute "mkfs.ext3 $NBDPARTITION"
+
+log_action "Mounting $NBDPARTITION to $LOOPDIR"
+execute "mount $NBDPARTITION $LOOPDIR"
+do_on_exit graceful_umount $LOOPDIR
+
+log_action "Using $CACHEDIR as archive for apt"
+mkdir -p $APTCACHE
+execute "mount -o bind $CACHEDIR $APTCACHE"
+do_on_exit graceful_umount $APTCACHE
+
+log_action "Running debootstrap ($BASEIMGSUITE, $BASEIMGARCH)"
+execute "debootstrap --arch=$BASEIMGARCH --include=$INC --exclude $EXC $BASEIMGSUITE $LOOPDIR $BASEIMGMIRROR"
+
+for service in $SERVICES
+do
+	log_action "Stopping service $service"
+	execute_chroot "/etc/init.d/$service stop"
+	log_action "Disabling service $service"
+	execute_chroot "update-rc.d -f $service remove"
+done
+
+log_action "Disabling root password"
+execute_chroot "passwd -d root"
diff --git a/testing/scripts/build-guestimages b/testing/scripts/build-guestimages
new file mode 100755
index 000000000..f5669040e
--- /dev/null
+++ b/testing/scripts/build-guestimages
@@ -0,0 +1,65 @@
+#!/bin/bash
+# create specific guest images
+#
+# Copyright (C) 2004  Eric Marchionni, Patrik Rayo
+# Zuercher Hochschule Winterthur
+#
+# This program is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 2 of the License, or (at your
+# option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+# or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+# for more details.
+
+echo "Creating guest images"
+
+DIR=$(dirname `readlink -f $0`)
+. $DIR/../testing.conf
+. $DIR/function.sh
+
+HOSTSDIR=$DIR/../hosts
+
+[ `id -u` -eq 0 ] || die "You must be root to run $0"
+[ -f $ROOTIMG ] || die "Root image $ROOTIMG not found"
+[ -f $HOSTDIR ] || die "Hosts directory $HOSTSDIR not found"
+
+check_commands partprobe qemu-img qemu-nbd
+
+load_qemu_nbd
+
+mkdir -p $IMGDIR
+mkdir -p $LOOPDIR
+
+# just to be sure
+do_on_exit qemu-nbd -d $NBDEV
+do_on_exit umount $LOOPDIR
+
+for host in $STRONGSWANHOSTS
+do
+	log_action "Creating guest image for $host"
+	execute "qemu-img create -b $ROOTIMG -f $IMGEXT $IMGDIR/$host.$IMGEXT" 0
+	execute "qemu-nbd -c $NBDEV $IMGDIR/$host.$IMGEXT" 0
+	partprobe $NBDEV
+	execute "mount $NBDPARTITION $LOOPDIR" 0
+	execute "cp -rf $HOSTSDIR/${host}/etc $LOOPDIR" 0
+	execute "cp -rf $HOSTSDIR/default/* $LOOPDIR" 0
+	if [ "$host" = "winnetou" ]
+	then
+		execute "mkdir $LOOPDIR/var/log/apache2/ocsp" 0
+		execute "cp -rf $DIR/../images $LOOPDIR/var/www/" 0
+		execute_chroot "ln -s /etc/openssl/certs /var/www/certs" 0
+		execute_chroot "/etc/openssl/generate-crl" 0
+		execute_chroot "update-rc.d apache2 defaults" 0
+		execute_chroot "update-rc.d slapd defaults" 0
+		execute_chroot "rm -rf /var/lib/ldap/*" 0
+		execute_chroot "slapadd -l /etc/ldap/ldif.txt -f /etc/ldap/slapd.conf" 0
+		execute_chroot "chown -R openldap:openldap /var/lib/ldap" 0
+	fi
+	sync
+	execute "umount $LOOPDIR" 0
+	execute "qemu-nbd -d $NBDEV" 0
+	log_status 0
+done
diff --git a/testing/scripts/build-guestkernel b/testing/scripts/build-guestkernel
new file mode 100755
index 000000000..66a9fe7a4
--- /dev/null
+++ b/testing/scripts/build-guestkernel
@@ -0,0 +1,49 @@
+#!/bin/bash
+
+DIR=$(dirname `readlink -f $0`)
+. $DIR/../testing.conf
+. $DIR/function.sh
+
+echo "Building guest kernel version $KERNELVERSION"
+
+[ -f "$KERNELCONFIG" ] || die "Kernel config $KERNELCONFIG not found"
+
+check_commands bunzip2 bzcat make wget
+
+cd $BUILDDIR
+
+if [ ! -f "$KERNELTARBALL" ]
+then
+	url=ftp://ftp.kernel.org/pub/linux/kernel/v3.x/$KERNELTARBALL
+	log_action "Downloading $url"
+	execute "wget -q $url"
+fi
+
+if [[ $KERNELPATCH && ! -f "$KERNELPATCH" ]]
+then
+	url=http://download.strongswan.org/uml/$KERNELPATCH
+	log_action "Downloading $url"
+	execute "wget -q $url"
+fi
+
+log_action "Unpacking kernel"
+execute "tar xjf $KERNELTARBALL"
+
+KERNELDIR=$BUILDDIR/$KERNEL
+cd $KERNELDIR
+
+if [ $KERNELPATCH ]
+then
+	log_action "Applying kernel patch"
+	bzcat ../$KERNELPATCH | patch -p1 >>$LOGFILE 2>&1
+	log_status $?
+	[ $? -eq 0 ] || exit 1
+fi
+
+execute "cp $KERNELCONFIG .config" 0
+
+echo "Creating kernel configuration, you might get prompted for new parameters"
+make oldconfig 2>&1 | tee -a $LOGFILE
+
+log_action "Compiling the kernel"
+execute "make -j5"
diff --git a/testing/scripts/build-hostconfig b/testing/scripts/build-hostconfig
deleted file mode 100755
index 0ebbc5264..000000000
--- a/testing/scripts/build-hostconfig
+++ /dev/null
@@ -1,122 +0,0 @@
-#!/bin/bash
-# build the hosts configuration directory with the actual IP addresses
-#
-# Copyright (C) 2004  Eric Marchionni, Patrik Rayo
-# Zuercher Hochschule Winterthur
-#
-# This program is free software; you can redistribute it and/or modify it
-# under the terms of the GNU General Public License as published by the
-# Free Software Foundation; either version 2 of the License, or (at your
-# option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
-#
-# This program is distributed in the hope that it will be useful, but
-# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
-# or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
-# for more details.
-
-DIR=`dirname $0`
-
-source $DIR/function.sh
-
-[ -f $DIR/../testing.conf ] || die "!! Configuration file 'testing.conf' not found"
-[ -d $DIR/../hosts ]        || die "!! Directory 'hosts' not found"
-
-source $DIR/../testing.conf
-
-if [ ! -d $BUILDDIR ]
-then
-    cecho " * Creating directory '$BUILDDIR'"
-    mkdir $BUILDDIR
-fi
-
-########################################
-# copy default host configs to $BUILDDIR
-#
-
-HOSTCONFIGDIR=${BUILDDIR}/hosts
-
-if [ -d $HOSTCONFIGDIR ]
-then
-    rm -r $HOSTCONFIGDIR
-fi
-
-mkdir $HOSTCONFIGDIR
-cp -rfp ${UMLTESTDIR}/testing/hosts $BUILDDIR
-
-cecho " * Copied default host config directory to '$HOSTCONFIGDIR'"
-
-########################################
-# assign IP for each host to hostname
-#
-
-cecho-n " * Generate default config for.."
-
-HOSTIP=`ifconfig eth0 |grep inet |sed -e "s/.*inet addr://" -e "s/  Bcast.*//"`
-
-for host in $STRONGSWANHOSTS
-do
-    cecho-n "${host}.."
-    eval ipv4_${host}="`echo $HOSTNAMEIPV4 | sed -n -e "s/^.*${host},//gp" | awk -F, '{ print $1 }' | awk '{ print $1 }'`"
-    eval ipv6_${host}="`echo $HOSTNAMEIPV6 | sed -n -e "s/^.*${host},//gp" | awk -F, '{ print $1 }' | awk '{ print $1 }'`"
-
-    [ "`eval echo \\\$ipv4_${host}`" != "$HOSTIP" ] || die "$host has the same IP as eth0 (Host)! Please change that."
-
-    case $host in
-    moon)
-        eval ipv4_moon1="`echo $HOSTNAMEIPV4 | sed -n -e "s/^.*${host},//gp" | awk -F, '{ print $2 }' | awk '{ print $1 }'`"
-        [ "`eval echo \\\$ipv4_moon1`" != "$HOSTIP" ] || die "eth1 of $host has the same IP as eth0 (Host)! Please change that."
-        searchandreplace PH_IP_MOON1 $ipv4_moon1 $HOSTCONFIGDIR
-        searchandreplace PH_IP_MOON  $ipv4_moon  $HOSTCONFIGDIR
-        eval ipv6_moon1="`echo $HOSTNAMEIPV6 | sed -n -e "s/^.*${host},//gp" | awk -F, '{ print $2 }' | awk '{ print $1 }'`"
-        searchandreplace PH_IP6_MOON1 $ipv6_moon1 $HOSTCONFIGDIR
-        searchandreplace PH_IP6_MOON  $ipv6_moon  $HOSTCONFIGDIR
-        ;;
-    sun)
-        eval ipv4_sun1="`echo $HOSTNAMEIPV4 | sed -n -e "s/^.*${host},//gp" | awk -F, '{ print $2 }' | awk '{ print $1 }'`"
-        [ "`eval echo \\\$ipv4_sun1`" != "$HOSTIP" ] || die "eth1 of $host has the same IP as eth0 (Host)! Please change that."
-        searchandreplace PH_IP_SUN1 $ipv4_sun1 $HOSTCONFIGDIR
-        searchandreplace PH_IP_SUN  $ipv4_sun  $HOSTCONFIGDIR
-        eval ipv6_sun1="`echo $HOSTNAMEIPV6 | sed -n -e "s/^.*${host},//gp" | awk -F, '{ print $2 }' | awk '{ print $1 }'`"
-        searchandreplace PH_IP6_SUN1 $ipv6_sun1 $HOSTCONFIGDIR
-        searchandreplace PH_IP6_SUN  $ipv6_sun  $HOSTCONFIGDIR
-        ;;
-    alice)
-        eval ipv4_alice1="`echo $HOSTNAMEIPV4 | sed -n -e "s/^.*${host},//gp" | awk -F, '{ print $2 }' | awk '{ print $1 }'`"
-        searchandreplace PH_IP_ALICE1 $ipv4_alice1 $HOSTCONFIGDIR
-        searchandreplace PH_IP_ALICE  $ipv4_alice  $HOSTCONFIGDIR
-        eval ipv6_alice1="`echo $HOSTNAMEIPV6 | sed -n -e "s/^.*${host},//gp" | awk -F, '{ print $2 }' | awk '{ print $1 }'`"
-        searchandreplace PH_IP6_ALICE1 $ipv6_alice1 $HOSTCONFIGDIR
-        searchandreplace PH_IP6_ALICE  $ipv6_alice  $HOSTCONFIGDIR
-        ;;
-    venus)
-        searchandreplace PH_IP_VENUS  $ipv4_venus $HOSTCONFIGDIR
-        searchandreplace PH_IP6_VENUS $ipv6_venus $HOSTCONFIGDIR
-        ;;
-    bob)
-        searchandreplace PH_IP_BOB  $ipv4_bob $HOSTCONFIGDIR
-        searchandreplace PH_IP6_BOB $ipv6_bob $HOSTCONFIGDIR
-        ;;
-    carol)
-        eval ipv4_carol1="`echo $HOSTNAMEIPV4 | sed -n -e "s/^.*${host},//gp" | awk -F, '{ print $2 }' | awk '{ print $1 }'`"
-        searchandreplace PH_IP_CAROL1 $ipv4_carol1 $HOSTCONFIGDIR
-        searchandreplace PH_IP_CAROL  $ipv4_carol  $HOSTCONFIGDIR
-        eval ipv6_carol1="`echo $HOSTNAMEIPV6 | sed -n -e "s/^.*${host},//gp" | awk -F, '{ print $2 }' | awk '{ print $1 }'`"
-        searchandreplace PH_IP6_CAROL1 $ipv6_carol1 $HOSTCONFIGDIR
-        searchandreplace PH_IP6_CAROL  $ipv6_carol  $HOSTCONFIGDIR
-        ;;
-    dave)
-        eval ipv4_dave1="`echo $HOSTNAMEIPV4 | sed -n -e "s/^.*${host},//gp" | awk -F, '{ print $2 }' | awk '{ print $1 }'`"
-        searchandreplace PH_IP_DAVE1 $ipv4_dave1 $HOSTCONFIGDIR
-        searchandreplace PH_IP_DAVE  $ipv4_dave  $HOSTCONFIGDIR
-        eval ipv6_dave1="`echo $HOSTNAMEIPV6 | sed -n -e "s/^.*${host},//gp" | awk -F, '{ print $2 }' | awk '{ print $1 }'`"
-        searchandreplace PH_IP6_DAVE1 $ipv6_dave1 $HOSTCONFIGDIR
-        searchandreplace PH_IP6_DAVE  $ipv6_dave  $HOSTCONFIGDIR
-        ;;
-    winnetou)
-        searchandreplace PH_IP_WINNETOU  $ipv4_winnetou $HOSTCONFIGDIR
-        searchandreplace PH_IP6_WINNETOU $ipv6_winnetou $HOSTCONFIGDIR
-        ;;
-    esac
-done
-
-cgecho "done"
diff --git a/testing/scripts/build-rootimage b/testing/scripts/build-rootimage
new file mode 100755
index 000000000..8e10ce5f3
--- /dev/null
+++ b/testing/scripts/build-rootimage
@@ -0,0 +1,67 @@
+#!/bin/bash
+# Create guest root image
+#
+# Copyright (C) 2004  Eric Marchionni, Patrik Rayo
+# Zuercher Hochschule Winterthur
+#
+# This program is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 2 of the License, or (at your
+# option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+# or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+# for more details.
+
+echo "Building root image"
+
+DIR=$(dirname `readlink -f $0`)
+. $DIR/../testing.conf
+. $DIR/function.sh
+
+[ `id -u` -eq 0 ] || die "You must be root to run $0"
+[ -f "$BASEIMG" ] || die "Base image $BASEIMG not found"
+
+check_commands partprobe qemu-img qemu-nbd
+
+load_qemu_nbd
+
+mkdir -p $LOOPDIR
+mkdir -p $SHAREDDIR/compile
+mkdir -p $IMGDIR
+
+log_action "Creating root image $ROOTIMG"
+execute "qemu-img create -b $BASEIMG -f $IMGEXT $ROOTIMG"
+
+log_action "Connecting root image to NBD device $NBDEV"
+execute "qemu-nbd -c $NBDEV $ROOTIMG"
+do_on_exit qemu-nbd -d $NBDEV
+partprobe $NBDEV
+
+log_action "Mounting $NBDPARTITION to $LOOPDIR"
+execute "mount $NBDPARTITION $LOOPDIR"
+do_on_exit umount $LOOPDIR
+
+log_action "Mounting proc filesystem to $LOOPDIR/proc"
+execute "mount -t proc none $LOOPDIR/proc"
+do_on_exit umount $LOOPDIR/proc
+
+mkdir -p $LOOPDIR/root/shared
+log_action "Mounting $SHAREDDIR as /root/shared"
+execute "mount -o bind $SHAREDDIR $LOOPDIR/root/shared"
+do_on_exit umount $LOOPDIR/root/shared
+
+echo "Installing software from source"
+RECPDIR=$DIR/recipes
+RECIPES=`ls $RECPDIR/*.mk | xargs -n1 basename`
+execute "cp -r $RECPDIR/patches $LOOPDIR/root/shared/compile" 0
+for r in $RECIPES
+do
+	cp $RECPDIR/$r ${LOOPDIR}/root/shared/compile
+	log_action "Installing from recipe $r"
+	execute_chroot "make SWANVERSION=$SWANVERSION -C /root/shared/compile -f $r"
+done
+
+log_action "Removing /etc/resolv.conf"
+execute "rm -f $LOOPDIR/etc/resolv.conf"
diff --git a/testing/scripts/build-sshkeys b/testing/scripts/build-sshkeys
deleted file mode 100755
index 799078557..000000000
--- a/testing/scripts/build-sshkeys
+++ /dev/null
@@ -1,86 +0,0 @@
-#!/bin/bash
-# build the hosts configuration directory with the actual IP addresses
-#
-# Copyright (C) 2004  Eric Marchionni, Patrik Rayo
-# Zuercher Hochschule Winterthur
-#
-# This program is free software; you can redistribute it and/or modify it
-# under the terms of the GNU General Public License as published by the
-# Free Software Foundation; either version 2 of the License, or (at your
-# option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
-#
-# This program is distributed in the hope that it will be useful, but
-# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
-# or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
-# for more details.
-
-DIR=`dirname $0`
-
-source $DIR/function.sh
-
-[ -f $DIR/../testing.conf ] || die "!! Configuration file 'testing.conf' not found"
-[ -d $DIR/../hosts ]        || die "!! Directory 'hosts' not found"
-
-source $DIR/../testing.conf
-
-if [ ! -d $BUILDDIR ]
-then
-    cecho " * Creating directory '$BUILDDIR'"
-    mkdir $BUILDDIR
-fi
-
-LOGFILE=${BUILDDIR}/testing.log
-
-if [ ! -f $LOGFILE ]
-then
-    cecho-n " * Logfile '$LOGFILE' does not exist..creating.."
-    touch $LOGFILE
-    cgecho "done"
-fi
-
-if [ ! -d ~/.ssh ]
-then
-    cecho-n " * Creating directory '~/.ssh'.."
-    mkdir ~/.ssh
-    cgecho "done"
-fi
-
-if [ -f ~/.ssh/known_hosts ]
-then
-    cecho-n " * Backing up ~/.ssh/known_hosts to '~/.ssh/known_hosts.before_uml'.."
-    cp -fp ~/.ssh/known_hosts ~/.ssh/known_hosts.before_uml
-    cgecho "done"
-else
-    cecho-n " * Creating '~/.ssh/known_hosts'"
-    touch ~/.ssh/known_hosts
-    cgecho "done"
-fi
-
-for host in $HOSTNAMEIPV4
-do
-    HOSTNAME=`echo $host | awk -F, '{ print $1 }'`
-    IP=`echo $host | awk -F, '{ print $2 }'`
-    if [ `grep "$IP " ~/.ssh/known_hosts | wc -l` != "0" ]
-    then
-        cecho "!! Warning: An entry exists for the following IP address: $IP"
-    else
-	cecho-n " * Adding uml host $HOSTNAME ($IP) to '~/.ssh/known_hosts'.."
-	echo "$HOSTNAME,$IP `cat $DIR/../hosts/ssh_host_rsa_key.pub`" >> ~/.ssh/known_hosts
-	cgecho "done"
-    fi
-done
-
-#####################################
-# preparing ssh for PK authentication
-#
-
-cecho-n " * Checking for ssh rsa key '~/.ssh/id_rsa.pub'.."
-if [ -f ~/.ssh/id_rsa.pub ]
-then
-    cecho "already exists"
-else
-    cecho "not found"
-    cecho-n " * Generating ssh rsa key pair.."
-    echo "" | ssh-keygen -N "" -t rsa -f ~/.ssh/id_rsa >> $LOGFILE 2>&1
-    cgecho "done"
-fi
diff --git a/testing/scripts/build-umlhostfs b/testing/scripts/build-umlhostfs
deleted file mode 100755
index 75feaa4ed..000000000
--- a/testing/scripts/build-umlhostfs
+++ /dev/null
@@ -1,78 +0,0 @@
-#!/bin/bash
-# create UML host file systems
-#
-# Copyright (C) 2004  Eric Marchionni, Patrik Rayo
-# Zuercher Hochschule Winterthur
-#
-# This program is free software; you can redistribute it and/or modify it
-# under the terms of the GNU General Public License as published by the
-# Free Software Foundation; either version 2 of the License, or (at your
-# option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
-#
-# This program is distributed in the hope that it will be useful, but
-# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
-# or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
-# for more details.
-
-DIR=`dirname $0`
-
-source $DIR/function.sh
-
-[ -f $DIR/../testing.conf ] || die "!! Configuration file 'testing.conf' not found."
-
-source $DIR/../testing.conf
-
-cd $BUILDDIR/root-fs
-
-[ -f gentoo-fs ] || die "!! Root file system 'gentoo-fs' not found."
-
-if [ ! -d $BUILDDIR ]
-then
-    cecho-n " * Directory '$BUILDDIR' does not exist..creating.."
-    mkdir $BUILDDIR
-    cgecho "done"
-fi
-
-LOGFILE=${BUILDDIR}/testing.log
-
-if [ ! -f $LOGFILE ]
-then
-    cecho-n " * Logfile '$LOGFILE' does not exist..creating.."
-    touch $LOGFILE
-    cgecho "done"
-fi
-
-LOOPDIR=loop
-
-if [ ! -d $LOOPDIR ]
-then
-    mkdir $LOOPDIR
-fi
-
-cecho-n " * Creating root filesystem for.."
-
-if [ "$#" -eq 0 ]
-then
-    HOSTS=$STRONGSWANHOSTS
-else
-    HOSTS=$*
-fi
-
-for host in $HOSTS
-do
-    cecho-n "$host.."
-    cp gentoo-fs gentoo-fs-$host
-    mount -o loop gentoo-fs-$host $LOOPDIR
-    cp -rf $BUILDDIR/hosts/${host}/etc $LOOPDIR
-    if [ "$host" = "winnetou" ]
-    then
-    	mkdir $LOOPDIR/var/log/apache2/ocsp
-	cp -rf $UMLTESTDIR/testing/images $LOOPDIR/var/www/localhost/htdocs
-	chroot $LOOPDIR ln -s /etc/openssl/certs /var/www/localhost/htdocs/certs
-        chroot $LOOPDIR /etc/openssl/generate-crl >> $LOGFILE 2>&1
-    fi
-    chroot $LOOPDIR /etc/init.d/depscan.sh --update >> $LOGFILE 2>&1
-    umount $LOOPDIR
-done
-
-cgecho "done"
diff --git a/testing/scripts/build-umlkernel b/testing/scripts/build-umlkernel
deleted file mode 100755
index b9f0d710d..000000000
--- a/testing/scripts/build-umlkernel
+++ /dev/null
@@ -1,130 +0,0 @@
-#!/bin/bash
-# build an UML kernel based on a vanilla kernel and UML patch
-#
-# Copyright (C) 2004  Eric Marchionni, Patrik Rayo
-# Zuercher Hochschule Winterthur
-#
-# This program is free software; you can redistribute it and/or modify it
-# under the terms of the GNU General Public License as published by the
-# Free Software Foundation; either version 2 of the License, or (at your
-# option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
-#
-# This program is distributed in the hope that it will be useful, but
-# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
-# or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
-# for more details.
-
-DIR=`dirname $0`
-
-source $DIR/function.sh
-
-[ -f $DIR/../testing.conf ] || die "configuration file 'testing.conf' not found"
-
-source $DIR/../testing.conf
-
-cecho-n " * Looking for kernel at '$KERNEL'.."
-if [ -f "${KERNEL}" ]
-then
-    cecho "found it"
-    KERNELVERSION=`basename $KERNEL .tar.bz2 | sed -e 's/linux-//'`
-    cecho " * Kernel version is $KERNELVERSION"
-else
-    cecho "none"
-    exit
-fi
-
-if [ ${UMLPATCH} ]
-then
-    cecho-n " * Looking for uml patch at '$UMLPATCH'.."
-    if [ -f "${UMLPATCH}" ]
-    then
-	cecho "found it"
-    else
-	cecho "none"
-	exit
-    fi
-fi
-
-cecho-n " * Looking for kernel config at '$KERNELCONFIG'.."
-if [ -f "${KERNEL}" ]
-then
-    cecho "found it"
-else
-    cecho "none"
-    exit
-fi
-
-#######################################################
-# unpack kernel and create symlink
-#
-
-if [ ! -d $BUILDDIR ]
-then
-    cecho " * Creating directory '$BUILDDIR'"
-    mkdir $BUILDDIR
-fi
-
-cecho " * Changing to directory '$BUILDDIR'"
-cd $BUILDDIR
-
-LOGFILE=${BUILDDIR}/testing.log
-
-if [ ! -f $LOGFILE ]
-then
-    cecho-n " * Logfile '$LOGFILE' does not exist..creating.."
-    touch $LOGFILE
-    cgecho "done"
-fi
-
-cecho-n " * Unpacking kernel.."
-tar xjf $KERNEL >> $LOGFILE 2>&1
-cgecho "done"
-
-KERNELDIR=${BUILDDIR}/linux-${KERNELVERSION}
-
-if [ -d $KERNELDIR ]
-then
-    cecho " * Kernel directory is '$KERNELDIR'"
-    cecho " * Creating symlink 'linux'"
-    if [ -d linux ]
-    then
-	rm linux
-    fi
-    ln -s linux-${KERNELVERSION} linux
-else
-    cecho "!! Kernel directory '$KERNELDIR' can not be found"
-    exit
-fi
-
-#######################################################
-# patch kernel
-#
-
-cecho " * Changing to directory '$KERNELDIR'"
-cd $KERNELDIR
-
-if [ $UMLPATCH ]
-then
-    cecho-n " * Applying uml patch.."
-    bzcat $UMLPATCH | patch -p1 >> $LOGFILE 2>&1
-    cgecho  "done"
-fi
-
-#######################################################
-# copy our default .config to linux and build kernel
-#
-
-cp $KERNELCONFIG .config
-
-cecho "!!"
-cecho "!! Making .config for kernel. You might be prompted for new parameters!"
-cecho "!!"
-make oldconfig ARCH=um SUBARCH=i386 2>&1 | tee -a $LOGFILE
-
-cecho-n " * Now compiling uml kernel.."
-make linux ARCH=um SUBARCH=i386 >> $LOGFILE 2>&1
-cgecho "done"
-
-cecho-n " * Copying uml kernel to '${BUILDDIR}/linux-uml-${KERNELVERSION}'.."
-mv linux ${BUILDDIR}/linux-uml-${KERNELVERSION}
-cgecho "done"
diff --git a/testing/scripts/build-umlrootfs b/testing/scripts/build-umlrootfs
deleted file mode 100755
index 92595222c..000000000
--- a/testing/scripts/build-umlrootfs
+++ /dev/null
@@ -1,451 +0,0 @@
-#!/bin/bash
-# Create UML root filesystem
-#
-# Copyright (C) 2004  Eric Marchionni, Patrik Rayo
-# Zuercher Hochschule Winterthur
-#
-# This program is free software; you can redistribute it and/or modify it
-# under the terms of the GNU General Public License as published by the
-# Free Software Foundation; either version 2 of the License, or (at your
-# option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
-#
-# This program is distributed in the hope that it will be useful, but
-# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
-# or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
-# for more details.
-
-DIR=`dirname $0`
-
-source $DIR/function.sh
-
-[ -f $DIR/../testing.conf ] || die "!! Configuration file 'testing.conf' not found"
-
-source $DIR/../testing.conf
-
-STRONGSWANVERSION=`basename $STRONGSWAN .tar.bz2`
-
-cecho-n " * Looking for strongSwan at '$STRONGSWAN'.."
-if [ -f "$STRONGSWAN" ]
-then
-    cecho "found it"
-    cecho " * strongSwan version is '$STRONGSWANVERSION'"
-else
-    cecho "none"
-    exit
-fi
-
-cecho-n " * Looking for gentoo root filesystem at '$ROOTFS'.."
-if [ -f "$ROOTFS" ]
-then
-    cecho "found it"
-else
-    cecho "none"
-    exit
-fi
-
-[ -d $BUILDDIR ] || die "!! Directory '$BUILDDIR' does not exist"
-
-HOSTCONFIGDIR=$BUILDDIR/hosts
-
-[ -d $HOSTCONFIGDIR ] || die "!! Directory '$HOSTCONFIGDIR' does not exist"
-
-LOGFILE=$BUILDDIR/testing.log
-
-if [ ! -f $LOGFILE ]
-then
-    cecho-n " * Logfile '$LOGFILE' does not exist..creating.."
-    touch $LOGFILE
-    cgecho "done"
-fi
-
-ROOTFSDIR=$BUILDDIR/root-fs
-
-if [ ! -d $ROOTFSDIR ]
-then
-    cecho-n " * Root file system directory '$ROOTFSDIR' does not exist..creating.."
-    mkdir $ROOTFSDIR
-    cgecho "done"
-fi
-
-cd $ROOTFSDIR
-
-LOOPDIR=$ROOTFSDIR/loop
-
-if [ ! -d $LOOPDIR ]
-then
-    mkdir $LOOPDIR
-fi
-
-######################################################
-# creating reiser-based uml root filesystem
-#
-
-cecho-n " * Building basic root filesystem (gentoo).."
-dd if=/dev/zero of=gentoo-fs count=$ROOTFSSIZE bs=1M >> $LOGFILE 2>&1
-mkreiserfs -q -f gentoo-fs       >> $LOGFILE 2>&1
-mount -o loop gentoo-fs $LOOPDIR >> $LOGFILE 2>&1
-tar xjpf $ROOTFS -C $LOOPDIR     >> $LOGFILE 2>&1
-cgecho "done"
-
-######################################################
-# remove /etc/resolv.conf
-#
-cecho " * Removing /etc/resolv.conf"
-rm -f $LOOPDIR/etc/resolv.conf
-
-######################################################
-# copying default /etc/hosts to the root filesystem
-#
-cecho " * Copying '$HOSTCONFIGDIR/default/etc/hosts' to the root filesystem"
-cp -fp $HOSTCONFIGDIR/default/etc/hosts $LOOPDIR/etc/hosts
-
-#####################################################
-# extracting strongSwan into the root filesystem
-#
-cecho " * Extracting strongSwan into the root filesystem"
-tar xjf $STRONGSWAN -C $LOOPDIR/root >> $LOGFILE 2>&1
-
-######################################################
-# setting up mountpoint for shared source tree
-#
-if [ "${SHAREDTREE+set}" = "set" ]; then
-    cecho " * setting up shared strongswan tree at '$SHAREDTREE'"
-    mkdir $LOOPDIR/root/strongswan-shared
-    echo "" >> $LOOPDIR/etc/fstab
-    echo "none /root/strongswan-shared hostfs $SHAREDTREE" >> $LOOPDIR/etc/fstab
-fi
-
-######################################################
-# installing strongSwan and setting the local timezone
-#
-
-INSTALLSHELL=${LOOPDIR}/install.sh
-
-cecho " * Preparing strongSwan installation script"
-echo "ln -sf /usr/share/zoneinfo/${TZUML} /etc/localtime" >> $INSTALLSHELL
-
-echo "cd /root/${STRONGSWANVERSION}" >> $INSTALLSHELL
-echo -n "./configure --sysconfdir=/etc" >> $INSTALLSHELL
-echo -n " --with-random-device=/dev/urandom" >> $INSTALLSHELL
-echo -n " --disable-load-warning" >> $INSTALLSHELL
-
-if [ "$USE_LIBCURL" = "yes" ]
-then
-    echo -n " --enable-curl" >> $INSTALLSHELL
-fi
-
-if [ "$USE_LDAP" = "yes" ]
-then
-    echo -n " --enable-ldap" >> $INSTALLSHELL
-fi
-
-if [ "$USE_EAP_AKA" = "yes" ]
-then
-    echo -n " --enable-eap-aka" >> $INSTALLSHELL
-    echo -n " --enable-eap-aka-3gpp2" >> $INSTALLSHELL
-fi
-
-if [ "$USE_EAP_SIM" = "yes" ]
-then
-    echo -n " --enable-eap-sim" >> $INSTALLSHELL
-    echo -n " --enable-eap-sim-file" >> $INSTALLSHELL
-fi
-
-if [ "$USE_EAP_MD5" = "yes" ]
-then
-    echo -n " --enable-eap-md5" >> $INSTALLSHELL
-fi
-
-if [ "$USE_EAP_MSCHAPV2" = "yes" ]
-then
-    echo -n " --enable-md4" >> $INSTALLSHELL
-    echo -n " --enable-eap-mschapv2" >> $INSTALLSHELL
-fi
-
-if [ "$USE_EAP_IDENTITY" = "yes" ]
-then
-    echo -n " --enable-eap-identity" >> $INSTALLSHELL
-fi
-
-if [ "$USE_EAP_RADIUS" = "yes" ]
-then
-    echo -n " --enable-eap-radius" >> $INSTALLSHELL
-fi
-
-if [ "$USE_EAP_DYNAMIC" = "yes" ]
-then
-    echo -n " --enable-eap-dynamic" >> $INSTALLSHELL
-fi
-
-if [ "$USE_EAP_TLS" = "yes" ]
-then
-    echo -n " --enable-eap-tls" >> $INSTALLSHELL
-fi
-
-if [ "$USE_EAP_TTLS" = "yes" ]
-then
-    echo -n " --enable-eap-ttls" >> $INSTALLSHELL
-fi
-
-if [ "$USE_EAP_PEAP" = "yes" ]
-then
-    echo -n " --enable-eap-peap" >> $INSTALLSHELL
-fi
-
-if [ "$USE_EAP_TNC" = "yes" ]
-then
-    echo -n " --enable-eap-tnc" >> $INSTALLSHELL
-fi
-
-if [ "$USE_TNC_PDP" = "yes" ]
-then
-    echo -n " --enable-tnc-pdp" >> $INSTALLSHELL
-fi
-
-if [ "$USE_TNC_IMC" = "yes" ]
-then
-    echo -n " --enable-tnc-imc" >> $INSTALLSHELL
-fi
-
-if [ "$USE_TNC_IMV" = "yes" ]
-then
-    echo -n " --enable-tnc-imv" >> $INSTALLSHELL
-fi
-
-if [ "$USE_TNCCS_11" = "yes" ]
-then
-    echo -n " --enable-tnccs-11" >> $INSTALLSHELL
-fi
-
-if [ "$USE_TNCCS_20" = "yes" ]
-then
-    echo -n " --enable-tnccs-20" >> $INSTALLSHELL
-fi
-
-if [ "$USE_TNCCS_DYNAMIC" = "yes" ]
-then
-    echo -n " --enable-tnccs-dynamic" >> $INSTALLSHELL
-fi
-
-if [ "$USE_IMC_TEST" = "yes" ]
-then
-    echo -n " --enable-imc-test" >> $INSTALLSHELL
-fi
-
-if [ "$USE_IMV_TEST" = "yes" ]
-then
-    echo -n " --enable-imv-test" >> $INSTALLSHELL
-fi
-
-if [ "$USE_IMC_SCANNER" = "yes" ]
-then
-    echo -n " --enable-imc-scanner" >> $INSTALLSHELL
-fi
-
-if [ "$USE_IMV_SCANNER" = "yes" ]
-then
-    echo -n " --enable-imv-scanner" >> $INSTALLSHELL
-fi
-
-if [ "$USE_IMC_ATTESTATION" = "yes" ]
-then
-    echo -n " --enable-imc-attestation" >> $INSTALLSHELL
-fi
-
-if [ "$USE_IMV_ATTESTATION" = "yes" ]
-then
-    echo -n " --enable-imv-attestation" >> $INSTALLSHELL
-fi
-
-if [ "$USE_SQL" = "yes" ]
-then
-    echo -n " --enable-sql --enable-sqlite" >> $INSTALLSHELL
-    fi
-
-if [ "$USE_MEDIATION" = "yes" ]
-then
-    echo -n " --enable-mediation" >> $INSTALLSHELL
-fi
-
-if [ "$USE_OPENSSL" = "yes" ]
-then
-    echo -n " --enable-openssl" >> $INSTALLSHELL
-fi
-
-if [ "$USE_BLOWFISH" = "yes" ]
-then
-    echo -n " --enable-blowfish" >> $INSTALLSHELL
-fi
-
-if [ "$USE_KERNEL_PFKEY" = "yes" ]
-then
-    echo -n " --enable-kernel-pfkey" >> $INSTALLSHELL
-fi
-  
-if [ "$USE_INTEGRITY_TEST" = "yes" ]
-then
-    echo -n " --enable-integrity-test" >> $INSTALLSHELL
-fi
-
-if [ "$USE_LEAK_DETECTIVE" = "yes" ]
-then
-    echo -n " --enable-leak-detective" >> $INSTALLSHELL
-fi
-
-if [ "$USE_LOAD_TESTER" = "yes" ]
-then
-    echo -n " --enable-load-tester" >> $INSTALLSHELL
-fi
-
-if [ "$USE_TEST_VECTORS" = "yes" ]
-then
-    echo -n " --enable-test-vectors" >> $INSTALLSHELL
-fi
-
-if [ "$USE_GCRYPT" = "yes" ]
-then
-    echo -n " --enable-gcrypt" >> $INSTALLSHELL
-fi
-
-if [ "$USE_SOCKET_DEFAULT" = "yes" ]
-then
-    echo -n " --enable-socket-default" >> $INSTALLSHELL
-fi
-
-if [ "$USE_SOCKET_DYNAMIC" = "yes" ]
-then
-    echo -n " --enable-socket-dynamic" >> $INSTALLSHELL
-fi
-
-if [ "$USE_DHCP" = "yes" ]
-then
-    echo -n " --enable-dhcp" >> $INSTALLSHELL
-fi
-
-if [ "$USE_FARP" = "yes" ]
-then
-    echo -n " --enable-farp" >> $INSTALLSHELL
-fi
-
-if [ "$USE_ADDRBLOCK" = "yes" ]
-then
-    echo -n " --enable-addrblock" >> $INSTALLSHELL
-fi
-
-if [ "$USE_CTR" = "yes" ]
-then
-    echo -n " --enable-ctr" >> $INSTALLSHELL
-fi
-
-if [ "$USE_CCM" = "yes" ]
-then
-    echo -n " --enable-ccm" >> $INSTALLSHELL
-fi
-
-if [ "$USE_GCM" = "yes" ]
-then
-    echo -n " --enable-gcm" >> $INSTALLSHELL
-fi
-
-if [ "$USE_CMAC" = "yes" ]
-then
-    echo -n " --enable-cmac" >> $INSTALLSHELL
-fi
-
-if [ "$USE_HA" = "yes" ]
-then
-    echo -n " --enable-ha" >> $INSTALLSHELL
-fi
-
-if [ "$USE_AF_ALG" = "yes" ]
-then
-    echo -n " --enable-af-alg" >> $INSTALLSHELL
-fi
-
-if [ "$USE_WHITELIST" = "yes" ]
-then
-    echo -n " --enable-whitelist" >> $INSTALLSHELL
-fi
-
-if [ "$USE_XAUTH_GENERIC" = "yes" ]
-then
-    echo -n " --enable-xauth-generic" >> $INSTALLSHELL
-fi
-
-if [ "$USE_XAUTH_EAP" = "yes" ]
-then
-    echo -n " --enable-xauth-eap" >> $INSTALLSHELL
-fi
-
-if [ "$USE_PKCS8" = "yes" ]
-then
-    echo -n " --enable-pkcs8" >> $INSTALLSHELL
-fi
-
-if [ "$USE_IFMAP" = "yes" ]
-then
-    echo -n " --enable-tnc-ifmap" >> $INSTALLSHELL
-fi
-
-if [ "$USE_CISCO_QUIRKS" = "yes" ]
-then
-    echo -n " --enable-cisco-quirks" >> $INSTALLSHELL
-fi
-
-if [ "$USE_UNITY" = "yes" ]
-then
-    echo -n " --enable-unity" >> $INSTALLSHELL
-fi
-
-echo "" >> $INSTALLSHELL
-echo "make -j" >> $INSTALLSHELL
-echo "make install" >> $INSTALLSHELL
-echo "ldconfig" >> $INSTALLSHELL
-
-cecho-n " * Compiling $STRONGSWANVERSION within the root file system as chroot.."
-chroot $LOOPDIR /bin/bash /install.sh >> $LOGFILE 2>&1
-rm -f $INSTALLSHELL
-cgecho "done"
-
-######################################################
-# copying default /etc/ipsec.d/tables.sql to the root filesystem
-#
-cecho " * Copying '$HOSTCONFIGDIR/default/etc/ipsec.d/tables.sql' to the root filesystem"
-cp -fp $HOSTCONFIGDIR/default/etc/ipsec.d/tables.sql $LOOPDIR/etc/ipsec.d/tables.sql
-
-######################################################
-# copying the host's ssh public key
-#
-
-if [ ! -d $LOOPDIR/root/.ssh ]
-then
-    mkdir $LOOPDIR/root/.ssh
-fi
-cp ~/.ssh/id_rsa.pub $LOOPDIR/root/.ssh/authorized_keys
-
-######################################################
-# setup public key based login among all hosts
-#
-cp $LOOPDIR/etc/ssh/ssh_host_rsa_key $LOOPDIR/root/.ssh/id_rsa
-
-for host in $STRONGSWANHOSTS
-do
-    eval ip="`echo $HOSTNAMEIPV4 | sed -n -e "s/^.*${host},//gp" | awk -F- '{ print $1 }' | awk '{ print $1 }'`"
-    echo "$host,$ip `cat $HOSTCONFIGDIR/ssh_host_rsa_key.pub`" >> $LOOPDIR/root/.ssh/known_hosts
-    echo "`cat $HOSTCONFIGDIR/ssh_host_rsa_key.pub` root@$host" >> $LOOPDIR/root/.ssh/authorized_keys
-done
-
-######################################################
-# defining an empty modules.dep
-#
-
-if [ $UMLPATCH ]
-then
-    mkdir $LOOPDIR/lib/modules/`basename $UMLPATCH .bz2 | sed s/uml-patch-//`um
-    touch $LOOPDIR/lib/modules/`basename $UMLPATCH .bz2 | sed s/uml-patch-//`um/modules.dep
-else
-    mkdir $LOOPDIR/lib/modules/$KERNELVERSION
-    touch $LOOPDIR/lib/modules/$KERNELVERSION/modules.dep
-fi
-
-umount $LOOPDIR
diff --git a/testing/scripts/function.sh b/testing/scripts/function.sh
index e7ecbcf83..c4769678c 100755
--- a/testing/scripts/function.sh
+++ b/testing/scripts/function.sh
@@ -14,31 +14,146 @@
 # or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
 # for more details.
 
+export TERM=xterm
+RED=$(tput setaf 1)
+GREEN=$(tput setaf 2)
+NORMAL=$(tput op)
 
-############################################
-# print output in color
-#
+# exit with given error message
+# $1 - error message
+die() {
+	echo -e "${RED}$1${NORMAL}"
+	exit 1
+}
 
-function cecho {
-    echo -e "\033[1;31m$1\033[0m"
+# execute command
+# $1 - command to execute
+# $2 - whether or not to log command exit status
+#      (0 -> disable exit status logging)
+execute()
+{
+	cmd=${1}
+	echo $cmd >>$LOGFILE 2>&1
+	$cmd >>$LOGFILE 2>&1
+	status=$?
+	[ "$2" != 0 ] && log_status $status
+	if [ $status != 0 ]; then
+		echo
+		echo "! Command $cmd failed, exiting (status $status)"
+		echo "! Check why here $LOGFILE"
+		exit 1
+	fi
 }
-function cgecho {
-    echo -e "\033[1;32m$1\033[0m"
+
+# execute command in chroot
+# $1 - command to execute
+execute_chroot()
+{
+	execute "chroot $LOOPDIR $@"
 }
 
-function cecho-n {
-    echo -en "\033[1;31m$1\033[0m"
+# write green status message to console
+# $1 - msg
+echo_ok()
+{
+	echo -e "${GREEN}$1${NORMAL}"
 }
 
+# write red status message to console
+# $1 - msg
+echo_failed()
+{
+	echo -e "${RED}$1${NORMAL}"
+}
 
-#############################################
-# output all args to stderr and exit with
-# return code 1
-#
+# log an action
+# $1 - current action description
+log_action()
+{
+	/bin/echo -n "[....] $1 "
+}
 
-die() {
-    echo $* 1>&2
-    exit 1
+# log an action status
+# $1 - exit status of action
+log_status()
+{
+	tput hpa 0
+	if [ $1 -eq 0 ]; then
+		/bin/echo -ne "[${GREEN} ok ${NORMAL}"
+	else
+		/bin/echo -ne "[${RED}FAIL${NORMAL}"
+	fi
+	echo
+}
+
+# the following two functions are stolen from [1]
+# [1] - http://www.linuxjournal.com/content/use-bash-trap-statement-cleanup-temporary-files
+
+declare -a on_exit_items
+
+# perform registered actions on exit
+on_exit()
+{
+	for ((onex=${#on_exit_items[@]}-1; onex>=0; onex--))
+	do
+		echo "On_Exit: ${on_exit_items[$onex]}" >>$LOGFILE
+		${on_exit_items[$onex]} >>$LOGFILE 2>&1
+	done
+	on_exit_items=""
+	trap - EXIT
+}
+
+# register a command to execute when the calling script terminates. The
+# registered commands are called in FILO order.
+# $* - command to register
+do_on_exit()
+{
+	local n=${#on_exit_items[*]}
+	on_exit_items[$n]="$*"
+	if [ $n -eq 0 ]; then
+		trap on_exit EXIT
+	fi
+}
+
+# wait for a mount to disappear
+# $1 - device/image to wait for
+# $2 - maximum time to wait in seconds, default is 5 seconds
+graceful_umount()
+{
+	secs=$2
+	[ ! $secs ] && secs=5
+
+	let steps=$secs*100
+	for st in `seq 1 $steps`
+	do
+		umount $1 >>$LOGFILE 2>&1
+		mount | grep $1 >/dev/null 2>&1
+		[ $? -eq 0 ] || return 0
+		sleep 0.01
+	done
+
+	return 1
+}
+
+# load qemu NBD kernel module, if not already loaded
+load_qemu_nbd()
+{
+	lsmod | grep ^nbd[[:space:]]* >/dev/null 2>&1
+	if [ $? != 0 ]
+	then
+		log_action "Loading NBD kernel module"
+		execute "modprobe nbd max_part=16"
+	fi
+}
+
+# check if given commands exist in $PATH
+# $* - commands to check
+check_commands()
+{
+	for i in $*
+	do
+		command -v $i >/dev/null || { die "Required command $i not found"; exit 1; }
+	done
 }
 
 #############################################
@@ -55,13 +170,6 @@ function searchandreplace {
     [ -d "$DESTDIR" ] || die "$DESTDIR is not a directory!"
 
 
-    #########################
-    # create a temporary file
-    #
-
-    TMPFILE="/tmp/sr.$$"
-
-
     ###########################################
     # search and replace in each found file the
     # given string
@@ -69,59 +177,7 @@ function searchandreplace {
 
     for eachfoundfile in `find $DESTDIR -type f`
     do
-        sed -e "s/$SEARCHSTRING/$REPLACESTRING/g" "$eachfoundfile" > "$TMPFILE"
-        cp -f "$TMPFILE" "$eachfoundfile"
+        sed -i -e "s/$SEARCHSTRING/$REPLACESTRING/g" "$eachfoundfile"
     done
 
-
-    ###########################
-    # delete the temporary file
-    #
-
-    rm -f "$TMPFILE"
-
-}
-
-#############################################
-# add a bridge
-#
-
-function umlbr_add {
-	brctl addbr     "umlbr$1"
-	brctl setfd     "umlbr$1" 0
-	brctl setageing "umlbr$1" 3600
-	brctl stp       "umlbr$1" off
-	ifconfig        "umlbr$1" "$2" netmask "$3" up 
 }
-
-#############################################
-# delete a bridge
-#
-
-function umlbr_del {
-	ifconfig    "umlbr$1" down                     &> /dev/null 2>&1
-	brctl delbr "umlbr$1"                          &> /dev/null 2>&1
-}
-
-#############################################
-# add a tap interface to a bridge
-#
-
-function umlbr_add_tap {
-	tunctl -t "tap$1_$2"                           &> /dev/null 2>&1
-	ifconfig "tap$1_$2" 0.0.0.0 promisc up         &> /dev/null 2>&1
-	brctl addif "umlbr$1" "tap$1_$2"               &> /dev/null 2>&1
-	cecho-n "$2.."
- }
-
-#############################################
-# delete a tap interface from a bridge
-#
-
-function umlbr_del_tap {
-	ifconfig "umlbr$2" down                        &> /dev/null 2>&1
-	brctl delif "umlbr$1" "tap$1_$2"               &> /dev/null 2>&1
-	tunctl -d "tap$1_$2"                           &> /dev/null 2>&1
-	cecho-n "$2.."
- }
-
diff --git a/testing/scripts/gstart-umls b/testing/scripts/gstart-umls
deleted file mode 100755
index c6fcd26dc..000000000
--- a/testing/scripts/gstart-umls
+++ /dev/null
@@ -1,126 +0,0 @@
-#!/bin/bash
-# starts the UML instances in an gnome-terminal (requires X11R6)
-#
-# Copyright (C) 2004  Eric Marchionni, Patrik Rayo
-# Zuercher Hochschule Winterthur
-#
-# This program is free software; you can redistribute it and/or modify it
-# under the terms of the GNU General Public License as published by the
-# Free Software Foundation; either version 2 of the License, or (at your
-# option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
-#
-# This program is distributed in the hope that it will be useful, but
-# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
-# or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
-# for more details.
-
-DIR=`dirname $0`
-
-source $DIR/function.sh
-
-[ -f $DIR/../testing.conf ] || die "Configuration file 'testing.conf' not found"
-
-source $DIR/../testing.conf
-
-if [ "$#" -eq 0 ]
-then
-    HOSTS=$STRONGSWANHOSTS
-else
-    HOSTS=$*
-fi
-
-BOOTING_HOSTS=""
-count_max=12
-count=0
-
-#position of xterm window on the desktop
-x0=8
-y0=52
-dx=12
-dy=24
-
-for host in $HOSTS
-do
-    up=0
-
-    if [ -d ~/.uml/${host} ]
-    then
-	pid=`cat ~/.uml/${host}/pid`
-	up=`ps up $pid | wc -l`
-    fi
-    
-    if [ $up -eq 2 ]
-    then
-	cecho " * Great, ${host} is already running!"
-    else
-	rm -rf ~/.uml/${host}
-	BOOTING_HOSTS="$BOOTING_HOSTS ${host}"
-	let "count_max += 12"
-
-	UMLHOSTFS=$BUILDDIR/root-fs/gentoo-fs-${host}
-	[ -f  $UMLHOSTFS ] || die "!! uml root file system '$UMLHOSTFS' not found"
-
-	cecho-n " * Starting ${host}.."
-	eval gnome-terminal --title=${host} --geometry="+${x0}+${y0}" --show-menubar --execute "$UMLKERNEL \
-            umid=${host} \
-	    ubda=$UMLHOSTFS \
-	    \$SWITCH_${host} \
-	    mem=${MEM}M con=pty con0=fd:0,fd:1" &
-        cgecho "done"
-        sleep 15
-    fi
-    let "x0+=dx"
-    let "y0+=dy"
-done
-
-if [ -z "$BOOTING_HOSTS" ]
-then
-    exit 0
-fi
-
-cecho " * Waiting for the uml instances to finish booting"
-
-for host in $BOOTING_HOSTS
-do
-    cecho-n " * Checking on $host.."
-
-    while [ $count -lt $count_max ] && [ ! -d ~/.uml/$host ]
-    do
-	cecho-n "."
-	sleep 5
-	let "count+=1"
-    done
-
-    if [ $count -ge $count_max ]
-    then
-	cecho "exit"
-	exit 1
-    fi
-
-    up=`uml_mconsole $host proc net/route 2> /dev/null | grep eth0 | wc -l`
-
-    while [ $count -lt $count_max ] && [ $up -eq 0 ]
-    do
-	cecho-n "."
-	sleep 5
-	up=`uml_mconsole $host proc net/route 2> /dev/null | grep eth0 | wc -l`
-	let "count+=1"
-    done
-
-    if [ $count -ge $count_max ]
-    then
-	cecho "exit"
-	exit 1
-    else
-	cgecho "up"
-    fi
-
-    if [ "$host" = "alice" ]
-    then
-	sleep 5
-	eval ipv4_${host}="`echo $HOSTNAMEIPV4 | sed -n -e "s/^.*${host},//gp" | awk -F, '{ print $1 }' | awk '{ print $1 }'`"
-	ssh root@$ipv4_alice /etc/init.d/net.eth1 stop
-    fi
-done
-
-cecho " * All uml instances are up now"
diff --git a/testing/scripts/install-shared b/testing/scripts/install-shared
deleted file mode 100755
index 4cfac9e77..000000000
--- a/testing/scripts/install-shared
+++ /dev/null
@@ -1,38 +0,0 @@
-#!/bin/bash
-# Install strongSwan from mounted strongswan-shared tree
-#
-# Copyright (C) 2006 Martin Willi
-# Hochschule fuer Technik Rapperswil
-# Copyright (C) 2004  Eric Marchionni, Patrik Rayo
-# Zuercher Hochschule Winterthur
-#
-# This program is free software; you can redistribute it and/or modify it
-# under the terms of the GNU General Public License as published by the
-# Free Software Foundation; either version 2 of the License, or (at your
-# option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
-#
-# This program is distributed in the hope that it will be useful, but
-# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
-# or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
-# for more details.
-#
-
-DIR=`dirname $0`
-
-source $DIR/function.sh
-
-[ -f $DIR/../testing.conf ] || die "Configuration file 'testing.conf' not found"
-
-source $DIR/../testing.conf
-
-cecho "installing strongSwan from shared tree"
-cecho-n "  on: "
-
-for host in $STRONGSWANHOSTS
-do
-    eval HOSTLOGIN="root@`echo $HOSTNAMEIPV4 | sed -n -e "s/^.*${host},//gp" | awk -F, '{ print $1 }' | awk '{ print $1 }'`"
-    cecho-n "$host... "
-    ssh $HOSTLOGIN 'cd ~/strongswan-shared && make install' > /dev/null
-done
-
-cecho
diff --git a/testing/scripts/kstart-umls b/testing/scripts/kstart-umls
deleted file mode 100755
index 18dc64a9d..000000000
--- a/testing/scripts/kstart-umls
+++ /dev/null
@@ -1,126 +0,0 @@
-#!/bin/bash
-# starts the UML instances in a konsole (requires KDE)
-#
-# Copyright (C) 2004  Eric Marchionni, Patrik Rayo
-# Zuercher Hochschule Winterthur
-#
-# This program is free software; you can redistribute it and/or modify it
-# under the terms of the GNU General Public License as published by the
-# Free Software Foundation; either version 2 of the License, or (at your
-# option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
-#
-# This program is distributed in the hope that it will be useful, but
-# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
-# or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
-# for more details.
-
-DIR=`dirname $0`
-
-source $DIR/function.sh
-
-[ -f $DIR/../testing.conf ] || die "Configuration file 'testing.conf' not found"
-
-source $DIR/../testing.conf
-
-if [ "$#" -eq 0 ]
-then
-    HOSTS=$STRONGSWANHOSTS
-else
-    HOSTS=$*
-fi
-
-BOOTING_HOSTS=""
-count_max=12
-count=0
-
-#position of konsole window on the desktop
-x0=8
-y0=8
-dx=12
-dy=24
-
-for host in $HOSTS
-do
-    up=0
-
-    if [ -d ~/.uml/${host} ]
-    then
-	pid=`cat ~/.uml/${host}/pid`
-	up=`ps up $pid | wc -l`
-    fi
-
-    if [ $up -eq 2 ]
-    then
-	cecho " * Great, ${host} is already running!"
-    else
-	rm -rf ~/.uml/${host}
-	BOOTING_HOSTS="$BOOTING_HOSTS ${host}"
-	let "count_max += 12"
-
-	UMLHOSTFS=$BUILDDIR/root-fs/gentoo-fs-${host}
-	[ -f  $UMLHOSTFS ] || die "!! uml root file system '$UMLHOSTFS' not found"
-
-	cecho-n " * Starting ${host}.."
-	eval konsole -title ${host} --geometry "+${x0}+${y0}" -e "$UMLKERNEL \
-	    umid=${host} \
-	    ubda=$UMLHOSTFS \
-	    \$SWITCH_${host} \
-	    mem=${MEM}M con=pty con0=fd:0,fd:1" &
-        cgecho "done"
-        sleep 15
-    fi
-    let "x0+=dx"
-    let "y0+=dy"
-done
-
-if [ -z "$BOOTING_HOSTS" ]
-then
-    exit 0
-fi
-
-cecho " * Waiting for the uml instances to finish booting"
-
-for host in $BOOTING_HOSTS
-do
-    cecho-n " * Checking on $host.."
-
-    while [ $count -lt $count_max ] && [ ! -d ~/.uml/$host ]
-    do
-	cecho-n "."
-	sleep 5
-	let "count+=1"
-    done
-
-    if [ $count -ge $count_max ]
-    then
-	cecho "exit"
-	exit 1
-    fi
-
-    up=`uml_mconsole $host proc net/route 2> /dev/null | grep eth0 | wc -l`
-
-    while [ $count -lt $count_max ] && [ $up -eq 0 ]
-    do
-	cecho-n "."
-	sleep 5
-	up=`uml_mconsole $host proc net/route 2> /dev/null | grep eth0 | wc -l`
-	let "count+=1"
-    done
-
-    if [ $count -ge $count_max ]
-    then
-	cecho "exit"
-	exit 1
-    else
-	cgecho "up"
-    fi
-
-    if [ "$host" = "alice" ]
-    then
-	sleep 5
-	eval ipv4_${host}="`echo $HOSTNAMEIPV4 | sed -n -e "s/^.*${host},//gp" | awk -F, '{ print $1 }' | awk '{ print $1 }'`"
-	ssh root@$ipv4_alice /etc/init.d/net.eth1 stop
-    fi
-done
-
-cecho " * All uml instances are up now"
diff --git a/testing/scripts/load-testconfig b/testing/scripts/load-testconfig
index 43100dbe0..0ea4fbf00 100755
--- a/testing/scripts/load-testconfig
+++ b/testing/scripts/load-testconfig
@@ -14,13 +14,9 @@
 # or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
 # for more details.
 
-DIR=`dirname $0`
-
-source $DIR/function.sh
-
-[ -f $DIR/../testing.conf ] || die "Configuration file 'testing.conf' not found"
-
-source $DIR/../testing.conf
+DIR=$(dirname `readlink -f $0`)
+. $DIR/../testing.conf
+. $DIR/function.sh
 
 ##########################################################################
 # load-testconfig requires a testname as an argument
@@ -58,17 +54,16 @@ for host in $IPSECHOSTS
 do
     eval HOSTLOGIN="root@`echo $HOSTNAMEIPV4 | sed -n -e "s/^.*${host},//gp" | awk -F, '{ print $1 }' | awk '{ print $1 }'`"
     ssh $SSHCONF $HOSTLOGIN 'rm -f /var/log/auth.log /var/log/daemon.log; \
-		    kill -SIGHUP `cat /var/run/syslogd.pid`' > /dev/null 2>&1
+		    kill -SIGHUP `cat /var/run/rsyslogd.pid`' > /dev/null 2>&1
 done
 
 
 ##########################################################################
-# clear radius.log and daemon.log on FreeRadius servers
+# clear radius.log on FreeRadius servers
 #
 
 for host in $RADIUSHOSTS
 do
     eval HOSTLOGIN="root@`echo $HOSTNAMEIPV4 | sed -n -e "s/^.*${host},//gp" | awk -F, '{ print $1 }' | awk '{ print $1 }'`"
-    ssh $SSHCONF $HOSTLOGIN 'rm -f /var/log/radius/radius.log /var/log/daemon.log; \
-		    kill -SIGHUP `cat /var/run/syslogd.pid`' > /dev/null 2>&1
+    ssh $SSHCONF $HOSTLOGIN 'rm -f /var/log/freeradius/radius.log' > /dev/null 2>&1
 done
diff --git a/testing/scripts/recipes/001_libtnc.mk b/testing/scripts/recipes/001_libtnc.mk
new file mode 100644
index 000000000..b835958b7
--- /dev/null
+++ b/testing/scripts/recipes/001_libtnc.mk
@@ -0,0 +1,31 @@
+#!/usr/bin/make
+
+PV  = 1.25
+PKG = libtnc-$(PV)
+TAR = $(PKG).tar.gz
+SRC = http://downloads.sourceforge.net/project/libtnc/libtnc/$(PV)/$(TAR)
+
+NUM_CPUS := $(shell getconf _NPROCESSORS_ONLN)
+
+CONFIG_OPTS = \
+	--sysconfdir=/etc
+
+all: install
+
+$(TAR):
+	wget $(SRC)
+
+.$(PKG)-unpacked: $(TAR)
+	tar xfz $(TAR)
+	@touch $@
+
+.$(PKG)-configured: .$(PKG)-unpacked
+	cd $(PKG) && ./configure $(CONFIG_OPTS)
+	@touch $@
+
+.$(PKG)-built: .$(PKG)-configured
+	cd $(PKG) && make -j $(NUM_CPUS)
+	@touch $@
+
+install: .$(PKG)-built
+	cd $(PKG) && make install
diff --git a/testing/scripts/recipes/002_tnc-fhh.mk b/testing/scripts/recipes/002_tnc-fhh.mk
new file mode 100644
index 000000000..397cef950
--- /dev/null
+++ b/testing/scripts/recipes/002_tnc-fhh.mk
@@ -0,0 +1,28 @@
+#!/usr/bin/make
+
+PKG = fhhtnc
+SRC = git://github.com/trustatfhh/tnc-fhh.git
+
+NUM_CPUS := $(shell getconf _NPROCESSORS_ONLN)
+
+CONFIG_OPTS = \
+	-DCOMPONENT=all \
+	-DNAL=8021x
+
+all: install
+
+.$(PKG)-cloned:
+	git clone $(SRC) $(PKG)
+	mkdir $(PKG)/build
+	@touch $@
+
+.$(PKG)-configured: .$(PKG)-cloned
+	cd $(PKG)/build && cmake $(CONFIG_OPTS) ../
+	@touch $@
+
+.$(PKG)-built: .$(PKG)-configured
+	cd $(PKG)/build && make -j $(NUM_CPUS)
+	@touch $@
+
+install: .$(PKG)-built
+	cd $(PKG)/build && make install
diff --git a/testing/scripts/recipes/003_freeradius.mk b/testing/scripts/recipes/003_freeradius.mk
new file mode 100644
index 000000000..7b7a5fe82
--- /dev/null
+++ b/testing/scripts/recipes/003_freeradius.mk
@@ -0,0 +1,44 @@
+#!/usr/bin/make
+
+PV  = 2.2.0
+PKG = freeradius-server-$(PV)
+TAR = $(PKG).tar.bz2
+SRC = ftp://ftp.freeradius.org/pub/freeradius/$(TAR)
+
+NUM_CPUS := $(shell getconf _NPROCESSORS_ONLN)
+
+CONFIG_OPTS = \
+	--with-raddbdir=/etc/freeradius \
+	--sysconfdir=/etc \
+	--with-logdir=/var/log/freeradius \
+	--enable-developer \
+	--with-experimental-modules
+
+PATCHES = \
+	freeradius-eap-sim-identity \
+	freeradius-avp-size \
+	freeradius-tnc-fhh
+
+all: install
+
+$(TAR):
+	wget $(SRC)
+
+.$(PKG)-unpacked: $(TAR)
+	tar xfj $(TAR)
+	@touch $@
+
+.$(PKG)-patches-applied: .$(PKG)-unpacked
+	cd $(PKG) && cat $(addprefix ../patches/, $(PATCHES)) | patch -p1
+	@touch $@
+
+.$(PKG)-configured: .$(PKG)-patches-applied
+	cd $(PKG) && ./configure $(CONFIG_OPTS)
+	@touch $@
+
+.$(PKG)-built: .$(PKG)-configured
+	cd $(PKG) && make -j $(NUM_CPUS)
+	@touch $@
+
+install: .$(PKG)-built
+	cd $(PKG) && make install
diff --git a/testing/scripts/recipes/004_iptables.mk b/testing/scripts/recipes/004_iptables.mk
new file mode 100644
index 000000000..51200201a
--- /dev/null
+++ b/testing/scripts/recipes/004_iptables.mk
@@ -0,0 +1,37 @@
+#!/usr/bin/make
+
+PV  = 1.4.16.3
+PKG = iptables-$(PV)
+TAR = $(PKG).tar.bz2
+SRC = http://www.netfilter.org/projects/iptables/files/$(TAR)
+
+NUM_CPUS := $(shell getconf _NPROCESSORS_ONLN)
+
+CONFIG_OPTS =
+
+PATCHES = \
+	iptables-xfrm-hooks
+
+all: install
+
+$(TAR):
+	wget $(SRC)
+
+.$(PKG)-unpacked: $(TAR)
+	tar xfj $(TAR)
+	@touch $@
+
+.$(PKG)-patches-applied: .$(PKG)-unpacked
+	cd $(PKG) && cat $(addprefix ../patches/, $(PATCHES)) | patch -p1
+	@touch $@
+
+.$(PKG)-configured: .$(PKG)-patches-applied
+	cd $(PKG) && ./configure $(CONFIG_OPTS)
+	@touch $@
+
+.$(PKG)-built: .$(PKG)-configured
+	cd $(PKG) && make -j $(NUM_CPUS)
+	@touch $@
+
+install: .$(PKG)-built
+	cd $(PKG) && make install
diff --git a/testing/scripts/recipes/005_strongswan.mk b/testing/scripts/recipes/005_strongswan.mk
new file mode 100644
index 000000000..76d2d0882
--- /dev/null
+++ b/testing/scripts/recipes/005_strongswan.mk
@@ -0,0 +1,87 @@
+#!/usr/bin/make
+
+PV  = $(SWANVERSION)
+PKG = strongswan-$(PV)
+TAR = $(PKG).tar.bz2
+SRC = http://download.strongswan.org/$(TAR)
+
+NUM_CPUS := $(shell getconf _NPROCESSORS_ONLN)
+
+CONFIG_OPTS = \
+	--sysconfdir=/etc \
+	--with-random-device=/dev/urandom \
+	--disable-load-warning \
+	--enable-curl \
+	--enable-ldap \
+	--enable-eap-aka \
+	--enable-eap-aka-3gpp2 \
+	--enable-eap-sim \
+	--enable-eap-sim-file \
+	--enable-eap-md5 \
+	--enable-md4 \
+	--enable-eap-mschapv2 \
+	--enable-eap-identity \
+	--enable-eap-radius \
+	--enable-eap-dynamic \
+	--enable-eap-tls \
+	--enable-eap-ttls \
+	--enable-eap-peap \
+	--enable-eap-tnc \
+	--enable-tnc-pdp \
+	--enable-tnc-imc \
+	--enable-tnc-imv \
+	--enable-tnccs-11 \
+	--enable-tnccs-20 \
+	--enable-tnccs-dynamic \
+	--enable-imc-test \
+	--enable-imv-test \
+	--enable-imc-scanner \
+	--enable-imv-scanner \
+	--enable-imc-os \
+	--enable-imv-os \
+	--enable-imc-attestation \
+	--enable-imv-attestation \
+	--enable-sql \
+	--enable-sqlite \
+	--enable-mediation \
+	--enable-openssl \
+	--enable-blowfish \
+	--enable-kernel-pfkey \
+	--enable-integrity-test \
+	--enable-leak-detective \
+	--enable-load-tester \
+	--enable-test-vectors \
+	--enable-gcrypt \
+	--enable-socket-default \
+	--enable-socket-dynamic \
+	--enable-dhcp \
+	--enable-farp \
+	--enable-addrblock \
+	--enable-ctr \
+	--enable-ccm \
+	--enable-gcm \
+	--enable-cmac \
+	--enable-ha \
+	--enable-af-alg \
+	--enable-whitelist \
+	--enable-xauth-generic \
+	--enable-xauth-eap \
+	--enable-pkcs8 \
+	--enable-unity
+
+all: install
+
+$(TAR):
+	wget $(SRC)
+
+$(PKG): $(TAR)
+	tar xfj $(TAR)
+
+configure: $(PKG)
+	cd $(PKG) && ./configure $(CONFIG_OPTS)
+
+build: configure
+	cd $(PKG) && make -j $(NUM_CPUS)
+
+install: build
+	cd $(PKG) && make install
diff --git a/testing/scripts/recipes/patches/freeradius-avp-size b/testing/scripts/recipes/patches/freeradius-avp-size
new file mode 100644
index 000000000..e7e1f635b
--- /dev/null
+++ b/testing/scripts/recipes/patches/freeradius-avp-size
@@ -0,0 +1,18 @@
+diff --git a/src/modules/rlm_eap/types/rlm_eap_ttls/ttls.c b/src/modules/rlm_eap/types/rlm_eap_ttls/ttls.c
+index 6c9bd13..3344c53 100644
+--- a/src/modules/rlm_eap/types/rlm_eap_ttls/ttls.c
++++ b/src/modules/rlm_eap/types/rlm_eap_ttls/ttls.c
+@@ -201,8 +201,11 @@ static VALUE_PAIR *diameter2vp(REQUEST *request, SSL *ssl,
+ 			goto next_attr;
+ 		}
+ 
+-		if (size > 253) {
+-			RDEBUG2("WARNING: diameter2vp skipping long attribute %u, attr");
++		/*
++		 * EAP-Message AVPs can be larger than 253 octets.
++		 */
++		if ((size > 253) && !((VENDOR(attr) == 0) && (attr == PW_EAP_MESSAGE))) {
++			RDEBUG2("WARNING: diameter2vp skipping long attribute %u", attr);
+ 			goto next_attr;
+ 		}
+ 
diff --git a/testing/scripts/recipes/patches/freeradius-eap-sim-identity b/testing/scripts/recipes/patches/freeradius-eap-sim-identity
new file mode 100644
index 000000000..1ab95ecc6
--- /dev/null
+++ b/testing/scripts/recipes/patches/freeradius-eap-sim-identity
@@ -0,0 +1,30 @@
+--- a/src/modules/rlm_eap/types/rlm_eap_sim/rlm_eap_sim.c	2012-11-28 11:03:05.081225276 +0100
++++ b/src/modules/rlm_eap/types/rlm_eap_sim/rlm_eap_sim.c	2012-11-28 11:46:59.746289881 +0100
+@@ -246,14 +246,21 @@
+	newvp->vp_integer = ess->sim_id++;
+	pairreplace(outvps, newvp);
+
++	ess->keys.identitylen = strlen(handler->identity);
++	memcpy(ess->keys.identity, handler->identity, ess->keys.identitylen);
++
+	/* make a copy of the identity */
+	newvp = pairfind(*invps, ATTRIBUTE_EAP_SIM_BASE + PW_EAP_SIM_IDENTITY);
+-	if (newvp) {
+-		ess->keys.identitylen = newvp->length;
+-		memcpy(ess->keys.identity, newvp->vp_octets, newvp->length);
+-	} else {
+-		ess->keys.identitylen = strlen(handler->identity);
+-		memcpy(ess->keys.identity, handler->identity, ess->keys.identitylen);
++	if (newvp && newvp->length > 2) {
++		uint16_t len;
++
++		memcpy(&len, newvp->vp_octets, sizeof(uint16_t));
++		len = ntohs(len);
++		if (len <= newvp->length - 2 && len <= MAX_STRING_LEN) {
++			ess->keys.identitylen = len;
++			memcpy(ess->keys.identity, newvp->vp_octets + 2,
++			       ess->keys.identitylen);
++		}
+	}
+
+	/* all set, calculate keys! */
diff --git a/testing/scripts/recipes/patches/freeradius-tnc-fhh b/testing/scripts/recipes/patches/freeradius-tnc-fhh
new file mode 100644
index 000000000..5abc6b25f
--- /dev/null
+++ b/testing/scripts/recipes/patches/freeradius-tnc-fhh
@@ -0,0 +1,6687 @@
+diff -u -r -N freeradius-server-2.2.0.orig/share/dictionary freeradius-server-2.2.0/share/dictionary
+--- freeradius-server-2.2.0.orig/share/dictionary	2012-09-10 13:51:34.000000000 +0200
++++ freeradius-server-2.2.0/share/dictionary	2012-12-04 19:39:42.261423097 +0100
+@@ -196,6 +196,7 @@
+ $INCLUDE dictionary.starent
+ $INCLUDE dictionary.symbol
+ $INCLUDE dictionary.telebit
++$INCLUDE dictionary.tncfhh
+ $INCLUDE dictionary.terena
+ $INCLUDE dictionary.trapeze
+ $INCLUDE dictionary.tropos
+diff -u -r -N freeradius-server-2.2.0.orig/share/dictionary.tncfhh freeradius-server-2.2.0/share/dictionary.tncfhh
+--- freeradius-server-2.2.0.orig/share/dictionary.tncfhh	1970-01-01 01:00:00.000000000 +0100
++++ freeradius-server-2.2.0/share/dictionary.tncfhh	2012-12-04 19:39:49.645421869 +0100
+@@ -0,0 +1,20 @@
++# -*- text -*-
++# Dictionary for the tnc@fhh Server.
++#
++# Website: http://trust.inform.fh-hannover.de
++#
++# Version: 0.8.4
++# Author: Bastian Hellmann
++# Email: trust@f4-i.fh-hannover.de
++#
++
++VENDOR tncfhh	10000
++BEGIN-VENDOR tncfhh
++
++ATTRIBUTE	TNC-Status	1	integer
++
++VALUE	TNC-Status	Access	0 
++VALUE	TNC-Status	Isolate	1
++VALUE	TNC-Status	None	2
++
++END-VENDOR tncfhh
+diff -u -r -N freeradius-server-2.2.0.orig/src/modules/rlm_eap/types/rlm_eap_tnc/configure freeradius-server-2.2.0/src/modules/rlm_eap/types/rlm_eap_tnc/configure
+--- freeradius-server-2.2.0.orig/src/modules/rlm_eap/types/rlm_eap_tnc/configure	2012-09-10 13:51:34.000000000 +0200
++++ freeradius-server-2.2.0/src/modules/rlm_eap/types/rlm_eap_tnc/configure	2012-12-04 19:38:00.237420970 +0100
+@@ -1,61 +1,84 @@
+ #! /bin/sh
+ # From configure.in Revision.
+ # Guess values for system-dependent variables and create Makefiles.
+-# Generated by GNU Autoconf 2.61.
++# Generated by GNU Autoconf 2.67.
++#
+ #
+ # Copyright (C) 1992, 1993, 1994, 1995, 1996, 1998, 1999, 2000, 2001,
+-# 2002, 2003, 2004, 2005, 2006 Free Software Foundation, Inc.
++# 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010 Free Software
++# Foundation, Inc.
++#
++#
+ # This configure script is free software; the Free Software Foundation
+ # gives unlimited permission to copy, distribute and modify it.
+-## --------------------- ##
+-## M4sh Initialization.  ##
+-## --------------------- ##
++## -------------------- ##
++## M4sh Initialization. ##
++## -------------------- ##
+ 
+ # Be more Bourne compatible
+ DUALCASE=1; export DUALCASE # for MKS sh
+-if test -n "${ZSH_VERSION+set}" && (emulate sh) >/dev/null 2>&1; then
++if test -n "${ZSH_VERSION+set}" && (emulate sh) >/dev/null 2>&1; then :
+   emulate sh
+   NULLCMD=:
+-  # Zsh 3.x and 4.x performs word splitting on ${1+"$@"}, which
++  # Pre-4.2 versions of Zsh do word splitting on ${1+"$@"}, which
+   # is contrary to our usage.  Disable this feature.
+   alias -g '${1+"$@"}'='"$@"'
+   setopt NO_GLOB_SUBST
+ else
+-  case `(set -o) 2>/dev/null` in
+-  *posix*) set -o posix ;;
++  case `(set -o) 2>/dev/null` in #(
++  *posix*) :
++    set -o posix ;; #(
++  *) :
++     ;;
+ esac
+-
+ fi
+ 
+ 
+-
+-
+-# PATH needs CR
+-# Avoid depending upon Character Ranges.
+-as_cr_letters='abcdefghijklmnopqrstuvwxyz'
+-as_cr_LETTERS='ABCDEFGHIJKLMNOPQRSTUVWXYZ'
+-as_cr_Letters=$as_cr_letters$as_cr_LETTERS
+-as_cr_digits='0123456789'
+-as_cr_alnum=$as_cr_Letters$as_cr_digits
+-
+-# The user is always right.
+-if test "${PATH_SEPARATOR+set}" != set; then
+-  echo "#! /bin/sh" >conf$$.sh
+-  echo  "exit 0"   >>conf$$.sh
+-  chmod +x conf$$.sh
+-  if (PATH="/nonexistent;."; conf$$.sh) >/dev/null 2>&1; then
+-    PATH_SEPARATOR=';'
++as_nl='
++'
++export as_nl
++# Printing a long string crashes Solaris 7 /usr/bin/printf.
++as_echo='\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\'
++as_echo=$as_echo$as_echo$as_echo$as_echo$as_echo
++as_echo=$as_echo$as_echo$as_echo$as_echo$as_echo$as_echo
++# Prefer a ksh shell builtin over an external printf program on Solaris,
++# but without wasting forks for bash or zsh.
++if test -z "$BASH_VERSION$ZSH_VERSION" \
++    && (test "X`print -r -- $as_echo`" = "X$as_echo") 2>/dev/null; then
++  as_echo='print -r --'
++  as_echo_n='print -rn --'
++elif (test "X`printf %s $as_echo`" = "X$as_echo") 2>/dev/null; then
++  as_echo='printf %s\n'
++  as_echo_n='printf %s'
++else
++  if test "X`(/usr/ucb/echo -n -n $as_echo) 2>/dev/null`" = "X-n $as_echo"; then
++    as_echo_body='eval /usr/ucb/echo -n "$1$as_nl"'
++    as_echo_n='/usr/ucb/echo -n'
+   else
+-    PATH_SEPARATOR=:
++    as_echo_body='eval expr "X$1" : "X\\(.*\\)"'
++    as_echo_n_body='eval
++      arg=$1;
++      case $arg in #(
++      *"$as_nl"*)
++	expr "X$arg" : "X\\(.*\\)$as_nl";
++	arg=`expr "X$arg" : ".*$as_nl\\(.*\\)"`;;
++      esac;
++      expr "X$arg" : "X\\(.*\\)" | tr -d "$as_nl"
++    '
++    export as_echo_n_body
++    as_echo_n='sh -c $as_echo_n_body as_echo'
+   fi
+-  rm -f conf$$.sh
++  export as_echo_body
++  as_echo='sh -c $as_echo_body as_echo'
+ fi
+ 
+-# Support unset when possible.
+-if ( (MAIL=60; unset MAIL) || exit) >/dev/null 2>&1; then
+-  as_unset=unset
+-else
+-  as_unset=false
++# The user is always right.
++if test "${PATH_SEPARATOR+set}" != set; then
++  PATH_SEPARATOR=:
++  (PATH='/bin;/bin'; FPATH=$PATH; sh -c :) >/dev/null 2>&1 && {
++    (PATH='/bin:/bin'; FPATH=$PATH; sh -c :) >/dev/null 2>&1 ||
++      PATH_SEPARATOR=';'
++  }
+ fi
+ 
+ 
+@@ -64,20 +87,18 @@
+ # there to prevent editors from complaining about space-tab.
+ # (If _AS_PATH_WALK were called with IFS unset, it would disable word
+ # splitting by setting IFS to empty value.)
+-as_nl='
+-'
+ IFS=" ""	$as_nl"
+ 
+ # Find who we are.  Look in the path if we contain no directory separator.
+-case $0 in
++case $0 in #((
+   *[\\/]* ) as_myself=$0 ;;
+   *) as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+ for as_dir in $PATH
+ do
+   IFS=$as_save_IFS
+   test -z "$as_dir" && as_dir=.
+-  test -r "$as_dir/$0" && as_myself=$as_dir/$0 && break
+-done
++    test -r "$as_dir/$0" && as_myself=$as_dir/$0 && break
++  done
+ IFS=$as_save_IFS
+ 
+      ;;
+@@ -88,354 +109,321 @@
+   as_myself=$0
+ fi
+ if test ! -f "$as_myself"; then
+-  echo "$as_myself: error: cannot find myself; rerun with an absolute file name" >&2
+-  { (exit 1); exit 1; }
++  $as_echo "$as_myself: error: cannot find myself; rerun with an absolute file name" >&2
++  exit 1
+ fi
+ 
+-# Work around bugs in pre-3.0 UWIN ksh.
+-for as_var in ENV MAIL MAILPATH
+-do ($as_unset $as_var) >/dev/null 2>&1 && $as_unset $as_var
++# Unset variables that we do not need and which cause bugs (e.g. in
++# pre-3.0 UWIN ksh).  But do not cause bugs in bash 2.01; the "|| exit 1"
++# suppresses any "Segmentation fault" message there.  '((' could
++# trigger a bug in pdksh 5.2.14.
++for as_var in BASH_ENV ENV MAIL MAILPATH
++do eval test x\${$as_var+set} = xset \
++  && ( (unset $as_var) || exit 1) >/dev/null 2>&1 && unset $as_var || :
+ done
+ PS1='$ '
+ PS2='> '
+ PS4='+ '
+ 
+ # NLS nuisances.
+-for as_var in \
+-  LANG LANGUAGE LC_ADDRESS LC_ALL LC_COLLATE LC_CTYPE LC_IDENTIFICATION \
+-  LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER \
+-  LC_TELEPHONE LC_TIME
+-do
+-  if (set +x; test -z "`(eval $as_var=C; export $as_var) 2>&1`"); then
+-    eval $as_var=C; export $as_var
+-  else
+-    ($as_unset $as_var) >/dev/null 2>&1 && $as_unset $as_var
+-  fi
+-done
+-
+-# Required to use basename.
+-if expr a : '\(a\)' >/dev/null 2>&1 &&
+-   test "X`expr 00001 : '.*\(...\)'`" = X001; then
+-  as_expr=expr
+-else
+-  as_expr=false
+-fi
+-
+-if (basename -- /) >/dev/null 2>&1 && test "X`basename -- / 2>&1`" = "X/"; then
+-  as_basename=basename
+-else
+-  as_basename=false
+-fi
+-
+-
+-# Name of the executable.
+-as_me=`$as_basename -- "$0" ||
+-$as_expr X/"$0" : '.*/\([^/][^/]*\)/*$' \| \
+-	 X"$0" : 'X\(//\)$' \| \
+-	 X"$0" : 'X\(/\)' \| . 2>/dev/null ||
+-echo X/"$0" |
+-    sed '/^.*\/\([^/][^/]*\)\/*$/{
+-	    s//\1/
+-	    q
+-	  }
+-	  /^X\/\(\/\/\)$/{
+-	    s//\1/
+-	    q
+-	  }
+-	  /^X\/\(\/\).*/{
+-	    s//\1/
+-	    q
+-	  }
+-	  s/.*/./; q'`
++LC_ALL=C
++export LC_ALL
++LANGUAGE=C
++export LANGUAGE
+ 
+ # CDPATH.
+-$as_unset CDPATH
+-
++(unset CDPATH) >/dev/null 2>&1 && unset CDPATH
+ 
+ if test "x$CONFIG_SHELL" = x; then
+-  if (eval ":") 2>/dev/null; then
+-  as_have_required=yes
++  as_bourne_compatible="if test -n \"\${ZSH_VERSION+set}\" && (emulate sh) >/dev/null 2>&1; then :
++  emulate sh
++  NULLCMD=:
++  # Pre-4.2 versions of Zsh do word splitting on \${1+\"\$@\"}, which
++  # is contrary to our usage.  Disable this feature.
++  alias -g '\${1+\"\$@\"}'='\"\$@\"'
++  setopt NO_GLOB_SUBST
+ else
+-  as_have_required=no
++  case \`(set -o) 2>/dev/null\` in #(
++  *posix*) :
++    set -o posix ;; #(
++  *) :
++     ;;
++esac
+ fi
+-
+-  if test $as_have_required = yes && 	 (eval ":
+-(as_func_return () {
+-  (exit \$1)
+-}
+-as_func_success () {
+-  as_func_return 0
+-}
+-as_func_failure () {
+-  as_func_return 1
+-}
+-as_func_ret_success () {
+-  return 0
+-}
+-as_func_ret_failure () {
+-  return 1
+-}
++"
++  as_required="as_fn_return () { (exit \$1); }
++as_fn_success () { as_fn_return 0; }
++as_fn_failure () { as_fn_return 1; }
++as_fn_ret_success () { return 0; }
++as_fn_ret_failure () { return 1; }
+ 
+ exitcode=0
+-if as_func_success; then
+-  :
+-else
+-  exitcode=1
+-  echo as_func_success failed.
+-fi
+-
+-if as_func_failure; then
+-  exitcode=1
+-  echo as_func_failure succeeded.
+-fi
+-
+-if as_func_ret_success; then
+-  :
+-else
+-  exitcode=1
+-  echo as_func_ret_success failed.
+-fi
+-
+-if as_func_ret_failure; then
+-  exitcode=1
+-  echo as_func_ret_failure succeeded.
+-fi
+-
+-if ( set x; as_func_ret_success y && test x = \"\$1\" ); then
+-  :
++as_fn_success || { exitcode=1; echo as_fn_success failed.; }
++as_fn_failure && { exitcode=1; echo as_fn_failure succeeded.; }
++as_fn_ret_success || { exitcode=1; echo as_fn_ret_success failed.; }
++as_fn_ret_failure && { exitcode=1; echo as_fn_ret_failure succeeded.; }
++if ( set x; as_fn_ret_success y && test x = \"\$1\" ); then :
++
++else
++  exitcode=1; echo positional parameters were not saved.
++fi
++test x\$exitcode = x0 || exit 1"
++  as_suggested="  as_lineno_1=";as_suggested=$as_suggested$LINENO;as_suggested=$as_suggested" as_lineno_1a=\$LINENO
++  as_lineno_2=";as_suggested=$as_suggested$LINENO;as_suggested=$as_suggested" as_lineno_2a=\$LINENO
++  eval 'test \"x\$as_lineno_1'\$as_run'\" != \"x\$as_lineno_2'\$as_run'\" &&
++  test \"x\`expr \$as_lineno_1'\$as_run' + 1\`\" = \"x\$as_lineno_2'\$as_run'\"' || exit 1
++test \$(( 1 + 1 )) = 2 || exit 1"
++  if (eval "$as_required") 2>/dev/null; then :
++  as_have_required=yes
+ else
+-  exitcode=1
+-  echo positional parameters were not saved.
++  as_have_required=no
+ fi
++  if test x$as_have_required = xyes && (eval "$as_suggested") 2>/dev/null; then :
+ 
+-test \$exitcode = 0) || { (exit 1); exit 1; }
+-
+-(
+-  as_lineno_1=\$LINENO
+-  as_lineno_2=\$LINENO
+-  test \"x\$as_lineno_1\" != \"x\$as_lineno_2\" &&
+-  test \"x\`expr \$as_lineno_1 + 1\`\" = \"x\$as_lineno_2\") || { (exit 1); exit 1; }
+-") 2> /dev/null; then
+-  :
+ else
+-  as_candidate_shells=
+-    as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
++  as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
++as_found=false
+ for as_dir in /bin$PATH_SEPARATOR/usr/bin$PATH_SEPARATOR$PATH
+ do
+   IFS=$as_save_IFS
+   test -z "$as_dir" && as_dir=.
+-  case $as_dir in
++  as_found=:
++  case $as_dir in #(
+ 	 /*)
+ 	   for as_base in sh bash ksh sh5; do
+-	     as_candidate_shells="$as_candidate_shells $as_dir/$as_base"
++	     # Try only shells that exist, to save several forks.
++	     as_shell=$as_dir/$as_base
++	     if { test -f "$as_shell" || test -f "$as_shell.exe"; } &&
++		    { $as_echo "$as_bourne_compatible""$as_required" | as_run=a "$as_shell"; } 2>/dev/null; then :
++  CONFIG_SHELL=$as_shell as_have_required=yes
++		   if { $as_echo "$as_bourne_compatible""$as_suggested" | as_run=a "$as_shell"; } 2>/dev/null; then :
++  break 2
++fi
++fi
+ 	   done;;
+        esac
++  as_found=false
+ done
++$as_found || { if { test -f "$SHELL" || test -f "$SHELL.exe"; } &&
++	      { $as_echo "$as_bourne_compatible""$as_required" | as_run=a "$SHELL"; } 2>/dev/null; then :
++  CONFIG_SHELL=$SHELL as_have_required=yes
++fi; }
+ IFS=$as_save_IFS
+ 
+ 
+-      for as_shell in $as_candidate_shells $SHELL; do
+-	 # Try only shells that exist, to save several forks.
+-	 if { test -f "$as_shell" || test -f "$as_shell.exe"; } &&
+-		{ ("$as_shell") 2> /dev/null <<\_ASEOF
+-if test -n "${ZSH_VERSION+set}" && (emulate sh) >/dev/null 2>&1; then
+-  emulate sh
+-  NULLCMD=:
+-  # Zsh 3.x and 4.x performs word splitting on ${1+"$@"}, which
+-  # is contrary to our usage.  Disable this feature.
+-  alias -g '${1+"$@"}'='"$@"'
+-  setopt NO_GLOB_SUBST
+-else
+-  case `(set -o) 2>/dev/null` in
+-  *posix*) set -o posix ;;
+-esac
+-
++      if test "x$CONFIG_SHELL" != x; then :
++  # We cannot yet assume a decent shell, so we have to provide a
++	# neutralization value for shells without unset; and this also
++	# works around shells that cannot unset nonexistent variables.
++	BASH_ENV=/dev/null
++	ENV=/dev/null
++	(unset BASH_ENV) >/dev/null 2>&1 && unset BASH_ENV ENV
++	export CONFIG_SHELL
++	exec "$CONFIG_SHELL" "$as_myself" ${1+"$@"}
++fi
++
++    if test x$as_have_required = xno; then :
++  $as_echo "$0: This script requires a shell more modern than all"
++  $as_echo "$0: the shells that I found on your system."
++  if test x${ZSH_VERSION+set} = xset ; then
++    $as_echo "$0: In particular, zsh $ZSH_VERSION has bugs and should"
++    $as_echo "$0: be upgraded to zsh 4.3.4 or later."
++  else
++    $as_echo "$0: Please tell bug-autoconf@gnu.org about your system,
++$0: including any error possibly output before this
++$0: message. Then install a modern shell, or manually run
++$0: the script under such a shell if you do have one."
++  fi
++  exit 1
+ fi
+-
+-
+-:
+-_ASEOF
+-}; then
+-  CONFIG_SHELL=$as_shell
+-	       as_have_required=yes
+-	       if { "$as_shell" 2> /dev/null <<\_ASEOF
+-if test -n "${ZSH_VERSION+set}" && (emulate sh) >/dev/null 2>&1; then
+-  emulate sh
+-  NULLCMD=:
+-  # Zsh 3.x and 4.x performs word splitting on ${1+"$@"}, which
+-  # is contrary to our usage.  Disable this feature.
+-  alias -g '${1+"$@"}'='"$@"'
+-  setopt NO_GLOB_SUBST
+-else
+-  case `(set -o) 2>/dev/null` in
+-  *posix*) set -o posix ;;
+-esac
+-
+ fi
++fi
++SHELL=${CONFIG_SHELL-/bin/sh}
++export SHELL
++# Unset more variables known to interfere with behavior of common tools.
++CLICOLOR_FORCE= GREP_OPTIONS=
++unset CLICOLOR_FORCE GREP_OPTIONS
+ 
+-
+-:
+-(as_func_return () {
+-  (exit $1)
+-}
+-as_func_success () {
+-  as_func_return 0
+-}
+-as_func_failure () {
+-  as_func_return 1
+-}
+-as_func_ret_success () {
+-  return 0
+-}
+-as_func_ret_failure () {
+-  return 1
++## --------------------- ##
++## M4sh Shell Functions. ##
++## --------------------- ##
++# as_fn_unset VAR
++# ---------------
++# Portably unset VAR.
++as_fn_unset ()
++{
++  { eval $1=; unset $1;}
+ }
++as_unset=as_fn_unset
+ 
+-exitcode=0
+-if as_func_success; then
+-  :
+-else
+-  exitcode=1
+-  echo as_func_success failed.
+-fi
++# as_fn_set_status STATUS
++# -----------------------
++# Set $? to STATUS, without forking.
++as_fn_set_status ()
++{
++  return $1
++} # as_fn_set_status
+ 
+-if as_func_failure; then
+-  exitcode=1
+-  echo as_func_failure succeeded.
+-fi
++# as_fn_exit STATUS
++# -----------------
++# Exit the shell with STATUS, even in a "trap 0" or "set -e" context.
++as_fn_exit ()
++{
++  set +e
++  as_fn_set_status $1
++  exit $1
++} # as_fn_exit
++
++# as_fn_mkdir_p
++# -------------
++# Create "$as_dir" as a directory, including parents if necessary.
++as_fn_mkdir_p ()
++{
+ 
+-if as_func_ret_success; then
+-  :
+-else
+-  exitcode=1
+-  echo as_func_ret_success failed.
+-fi
++  case $as_dir in #(
++  -*) as_dir=./$as_dir;;
++  esac
++  test -d "$as_dir" || eval $as_mkdir_p || {
++    as_dirs=
++    while :; do
++      case $as_dir in #(
++      *\'*) as_qdir=`$as_echo "$as_dir" | sed "s/'/'\\\\\\\\''/g"`;; #'(
++      *) as_qdir=$as_dir;;
++      esac
++      as_dirs="'$as_qdir' $as_dirs"
++      as_dir=`$as_dirname -- "$as_dir" ||
++$as_expr X"$as_dir" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \
++	 X"$as_dir" : 'X\(//\)[^/]' \| \
++	 X"$as_dir" : 'X\(//\)$' \| \
++	 X"$as_dir" : 'X\(/\)' \| . 2>/dev/null ||
++$as_echo X"$as_dir" |
++    sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{
++	    s//\1/
++	    q
++	  }
++	  /^X\(\/\/\)[^/].*/{
++	    s//\1/
++	    q
++	  }
++	  /^X\(\/\/\)$/{
++	    s//\1/
++	    q
++	  }
++	  /^X\(\/\).*/{
++	    s//\1/
++	    q
++	  }
++	  s/.*/./; q'`
++      test -d "$as_dir" && break
++    done
++    test -z "$as_dirs" || eval "mkdir $as_dirs"
++  } || test -d "$as_dir" || as_fn_error $? "cannot create directory $as_dir"
+ 
+-if as_func_ret_failure; then
+-  exitcode=1
+-  echo as_func_ret_failure succeeded.
+-fi
+ 
+-if ( set x; as_func_ret_success y && test x = "$1" ); then
+-  :
++} # as_fn_mkdir_p
++# as_fn_append VAR VALUE
++# ----------------------
++# Append the text in VALUE to the end of the definition contained in VAR. Take
++# advantage of any shell optimizations that allow amortized linear growth over
++# repeated appends, instead of the typical quadratic growth present in naive
++# implementations.
++if (eval "as_var=1; as_var+=2; test x\$as_var = x12") 2>/dev/null; then :
++  eval 'as_fn_append ()
++  {
++    eval $1+=\$2
++  }'
+ else
+-  exitcode=1
+-  echo positional parameters were not saved.
+-fi
+-
+-test $exitcode = 0) || { (exit 1); exit 1; }
+-
+-(
+-  as_lineno_1=$LINENO
+-  as_lineno_2=$LINENO
+-  test "x$as_lineno_1" != "x$as_lineno_2" &&
+-  test "x`expr $as_lineno_1 + 1`" = "x$as_lineno_2") || { (exit 1); exit 1; }
+-
+-_ASEOF
+-}; then
+-  break
+-fi
+-
+-fi
+-
+-      done
+-
+-      if test "x$CONFIG_SHELL" != x; then
+-  for as_var in BASH_ENV ENV
+-        do ($as_unset $as_var) >/dev/null 2>&1 && $as_unset $as_var
+-        done
+-        export CONFIG_SHELL
+-        exec "$CONFIG_SHELL" "$as_myself" ${1+"$@"}
+-fi
+-
+-
+-    if test $as_have_required = no; then
+-  echo This script requires a shell more modern than all the
+-      echo shells that I found on your system.  Please install a
+-      echo modern shell, or manually run the script under such a
+-      echo shell if you do have one.
+-      { (exit 1); exit 1; }
+-fi
+-
+-
+-fi
+-
+-fi
+-
++  as_fn_append ()
++  {
++    eval $1=\$$1\$2
++  }
++fi # as_fn_append
++
++# as_fn_arith ARG...
++# ------------------
++# Perform arithmetic evaluation on the ARGs, and store the result in the
++# global $as_val. Take advantage of shells that can avoid forks. The arguments
++# must be portable across $(()) and expr.
++if (eval "test \$(( 1 + 1 )) = 2") 2>/dev/null; then :
++  eval 'as_fn_arith ()
++  {
++    as_val=$(( $* ))
++  }'
++else
++  as_fn_arith ()
++  {
++    as_val=`expr "$@" || test $? -eq 1`
++  }
++fi # as_fn_arith
+ 
+ 
+-(eval "as_func_return () {
+-  (exit \$1)
+-}
+-as_func_success () {
+-  as_func_return 0
+-}
+-as_func_failure () {
+-  as_func_return 1
+-}
+-as_func_ret_success () {
+-  return 0
+-}
+-as_func_ret_failure () {
+-  return 1
+-}
++# as_fn_error STATUS ERROR [LINENO LOG_FD]
++# ----------------------------------------
++# Output "`basename $0`: error: ERROR" to stderr. If LINENO and LOG_FD are
++# provided, also output the error to LOG_FD, referencing LINENO. Then exit the
++# script with STATUS, using 1 if that was 0.
++as_fn_error ()
++{
++  as_status=$1; test $as_status -eq 0 && as_status=1
++  if test "$4"; then
++    as_lineno=${as_lineno-"$3"} as_lineno_stack=as_lineno_stack=$as_lineno_stack
++    $as_echo "$as_me:${as_lineno-$LINENO}: error: $2" >&$4
++  fi
++  $as_echo "$as_me: error: $2" >&2
++  as_fn_exit $as_status
++} # as_fn_error
+ 
+-exitcode=0
+-if as_func_success; then
+-  :
++if expr a : '\(a\)' >/dev/null 2>&1 &&
++   test "X`expr 00001 : '.*\(...\)'`" = X001; then
++  as_expr=expr
+ else
+-  exitcode=1
+-  echo as_func_success failed.
+-fi
+-
+-if as_func_failure; then
+-  exitcode=1
+-  echo as_func_failure succeeded.
++  as_expr=false
+ fi
+ 
+-if as_func_ret_success; then
+-  :
++if (basename -- /) >/dev/null 2>&1 && test "X`basename -- / 2>&1`" = "X/"; then
++  as_basename=basename
+ else
+-  exitcode=1
+-  echo as_func_ret_success failed.
+-fi
+-
+-if as_func_ret_failure; then
+-  exitcode=1
+-  echo as_func_ret_failure succeeded.
++  as_basename=false
+ fi
+ 
+-if ( set x; as_func_ret_success y && test x = \"\$1\" ); then
+-  :
++if (as_dir=`dirname -- /` && test "X$as_dir" = X/) >/dev/null 2>&1; then
++  as_dirname=dirname
+ else
+-  exitcode=1
+-  echo positional parameters were not saved.
++  as_dirname=false
+ fi
+ 
+-test \$exitcode = 0") || {
+-  echo No shell found that supports shell functions.
+-  echo Please tell autoconf@gnu.org about your system,
+-  echo including any error possibly output before this
+-  echo message
+-}
++as_me=`$as_basename -- "$0" ||
++$as_expr X/"$0" : '.*/\([^/][^/]*\)/*$' \| \
++	 X"$0" : 'X\(//\)$' \| \
++	 X"$0" : 'X\(/\)' \| . 2>/dev/null ||
++$as_echo X/"$0" |
++    sed '/^.*\/\([^/][^/]*\)\/*$/{
++	    s//\1/
++	    q
++	  }
++	  /^X\/\(\/\/\)$/{
++	    s//\1/
++	    q
++	  }
++	  /^X\/\(\/\).*/{
++	    s//\1/
++	    q
++	  }
++	  s/.*/./; q'`
+ 
++# Avoid depending upon Character Ranges.
++as_cr_letters='abcdefghijklmnopqrstuvwxyz'
++as_cr_LETTERS='ABCDEFGHIJKLMNOPQRSTUVWXYZ'
++as_cr_Letters=$as_cr_letters$as_cr_LETTERS
++as_cr_digits='0123456789'
++as_cr_alnum=$as_cr_Letters$as_cr_digits
+ 
+ 
+-  as_lineno_1=$LINENO
+-  as_lineno_2=$LINENO
+-  test "x$as_lineno_1" != "x$as_lineno_2" &&
+-  test "x`expr $as_lineno_1 + 1`" = "x$as_lineno_2" || {
+-
+-  # Create $as_me.lineno as a copy of $as_myself, but with $LINENO
+-  # uniformly replaced by the line number.  The first 'sed' inserts a
+-  # line-number line after each line using $LINENO; the second 'sed'
+-  # does the real work.  The second script uses 'N' to pair each
+-  # line-number line with the line containing $LINENO, and appends
+-  # trailing '-' during substitution so that $LINENO is not a special
+-  # case at line end.
+-  # (Raja R Harinath suggested sed '=', and Paul Eggert wrote the
+-  # scripts with optimization help from Paolo Bonzini.  Blame Lee
+-  # E. McMahon (1931-1989) for sed's syntax.  :-)
++  as_lineno_1=$LINENO as_lineno_1a=$LINENO
++  as_lineno_2=$LINENO as_lineno_2a=$LINENO
++  eval 'test "x$as_lineno_1'$as_run'" != "x$as_lineno_2'$as_run'" &&
++  test "x`expr $as_lineno_1'$as_run' + 1`" = "x$as_lineno_2'$as_run'"' || {
++  # Blame Lee E. McMahon (1931-1989) for sed's syntax.  :-)
+   sed -n '
+     p
+     /[$]LINENO/=
+@@ -452,8 +440,7 @@
+       s/-\n.*//
+     ' >$as_me.lineno &&
+   chmod +x "$as_me.lineno" ||
+-    { echo "$as_me: error: cannot create $as_me.lineno; rerun with a POSIX shell" >&2
+-   { (exit 1); exit 1; }; }
++    { $as_echo "$as_me: error: cannot create $as_me.lineno; rerun with a POSIX shell" >&2; as_fn_exit 1; }
+ 
+   # Don't try to exec as it changes $[0], causing all sort of problems
+   # (the dirname of $[0] is not the place where we might find the
+@@ -463,49 +450,40 @@
+   exit
+ }
+ 
+-
+-if (as_dir=`dirname -- /` && test "X$as_dir" = X/) >/dev/null 2>&1; then
+-  as_dirname=dirname
+-else
+-  as_dirname=false
+-fi
+-
+ ECHO_C= ECHO_N= ECHO_T=
+-case `echo -n x` in
++case `echo -n x` in #(((((
+ -n*)
+-  case `echo 'x\c'` in
++  case `echo 'xy\c'` in
+   *c*) ECHO_T='	';;	# ECHO_T is single tab character.
+-  *)   ECHO_C='\c';;
++  xy)  ECHO_C='\c';;
++  *)   echo `echo ksh88 bug on AIX 6.1` > /dev/null
++       ECHO_T='	';;
+   esac;;
+ *)
+   ECHO_N='-n';;
+ esac
+ 
+-if expr a : '\(a\)' >/dev/null 2>&1 &&
+-   test "X`expr 00001 : '.*\(...\)'`" = X001; then
+-  as_expr=expr
+-else
+-  as_expr=false
+-fi
+-
+ rm -f conf$$ conf$$.exe conf$$.file
+ if test -d conf$$.dir; then
+   rm -f conf$$.dir/conf$$.file
+ else
+   rm -f conf$$.dir
+-  mkdir conf$$.dir
++  mkdir conf$$.dir 2>/dev/null
+ fi
+-echo >conf$$.file
+-if ln -s conf$$.file conf$$ 2>/dev/null; then
+-  as_ln_s='ln -s'
+-  # ... but there are two gotchas:
+-  # 1) On MSYS, both `ln -s file dir' and `ln file dir' fail.
+-  # 2) DJGPP < 2.04 has no symlinks; `ln -s' creates a wrapper executable.
+-  # In both cases, we have to default to `cp -p'.
+-  ln -s conf$$.file conf$$.dir 2>/dev/null && test ! -f conf$$.exe ||
++if (echo >conf$$.file) 2>/dev/null; then
++  if ln -s conf$$.file conf$$ 2>/dev/null; then
++    as_ln_s='ln -s'
++    # ... but there are two gotchas:
++    # 1) On MSYS, both `ln -s file dir' and `ln file dir' fail.
++    # 2) DJGPP < 2.04 has no symlinks; `ln -s' creates a wrapper executable.
++    # In both cases, we have to default to `cp -p'.
++    ln -s conf$$.file conf$$.dir 2>/dev/null && test ! -f conf$$.exe ||
++      as_ln_s='cp -p'
++  elif ln conf$$.file conf$$ 2>/dev/null; then
++    as_ln_s=ln
++  else
+     as_ln_s='cp -p'
+-elif ln conf$$.file conf$$ 2>/dev/null; then
+-  as_ln_s=ln
++  fi
+ else
+   as_ln_s='cp -p'
+ fi
+@@ -513,7 +491,7 @@
+ rmdir conf$$.dir 2>/dev/null
+ 
+ if mkdir -p . 2>/dev/null; then
+-  as_mkdir_p=:
++  as_mkdir_p='mkdir -p "$as_dir"'
+ else
+   test -d ./-p && rmdir ./-p
+   as_mkdir_p=false
+@@ -530,12 +508,12 @@
+   as_test_x='
+     eval sh -c '\''
+       if test -d "$1"; then
+-        test -d "$1/.";
++	test -d "$1/.";
+       else
+-	case $1 in
+-        -*)set "./$1";;
++	case $1 in #(
++	-*)set "./$1";;
+ 	esac;
+-	case `ls -ld'$as_ls_L_option' "$1" 2>/dev/null` in
++	case `ls -ld'$as_ls_L_option' "$1" 2>/dev/null` in #((
+ 	???[sx]*):;;*)false;;esac;fi
+     '\'' sh
+   '
+@@ -549,11 +527,11 @@
+ as_tr_sh="eval sed 'y%*+%pp%;s%[^_$as_cr_alnum]%_%g'"
+ 
+ 
+-
+-exec 7<&0 </dev/null 6>&1
++test -n "$DJDIR" || exec 7<&0 </dev/null
++exec 6>&1
+ 
+ # Name of the host.
+-# hostname on some systems (SVR3.2, Linux) returns a bogus exit status,
++# hostname on some systems (SVR3.2, old GNU/Linux) returns a bogus exit status,
+ # so uname gets run too.
+ ac_hostname=`(hostname || uname -n) 2>/dev/null | sed 1q`
+ 
+@@ -568,7 +546,6 @@
+ subdirs=
+ MFLAGS=
+ MAKEFLAGS=
+-SHELL=${CONFIG_SHELL-/bin/sh}
+ 
+ # Identity of this package.
+ PACKAGE_NAME=
+@@ -576,58 +553,102 @@
+ PACKAGE_VERSION=
+ PACKAGE_STRING=
+ PACKAGE_BUGREPORT=
++PACKAGE_URL=
+ 
+ ac_unique_file="rlm_eap_tnc.c"
+-ac_subst_vars='SHELL
+-PATH_SEPARATOR
+-PACKAGE_NAME
+-PACKAGE_TARNAME
+-PACKAGE_VERSION
+-PACKAGE_STRING
+-PACKAGE_BUGREPORT
+-exec_prefix
+-prefix
+-program_transform_name
+-bindir
+-sbindir
+-libexecdir
+-datarootdir
+-datadir
+-sysconfdir
+-sharedstatedir
+-localstatedir
+-includedir
+-oldincludedir
+-docdir
+-infodir
+-htmldir
+-dvidir
+-pdfdir
+-psdir
+-libdir
+-localedir
+-mandir
+-DEFS
+-ECHO_C
+-ECHO_N
+-ECHO_T
+-LIBS
+-build_alias
+-host_alias
+-target_alias
+-CC
+-CFLAGS
+-LDFLAGS
+-CPPFLAGS
+-ac_ct_CC
+-EXEEXT
+-OBJEXT
+-eap_tnc_cflags
+-eap_tnc_ldflags
+-targetname
++# Factoring default headers for most tests.
++ac_includes_default="\
++#include <stdio.h>
++#ifdef HAVE_SYS_TYPES_H
++# include <sys/types.h>
++#endif
++#ifdef HAVE_SYS_STAT_H
++# include <sys/stat.h>
++#endif
++#ifdef STDC_HEADERS
++# include <stdlib.h>
++# include <stddef.h>
++#else
++# ifdef HAVE_STDLIB_H
++#  include <stdlib.h>
++# endif
++#endif
++#ifdef HAVE_STRING_H
++# if !defined STDC_HEADERS && defined HAVE_MEMORY_H
++#  include <memory.h>
++# endif
++# include <string.h>
++#endif
++#ifdef HAVE_STRINGS_H
++# include <strings.h>
++#endif
++#ifdef HAVE_INTTYPES_H
++# include <inttypes.h>
++#endif
++#ifdef HAVE_STDINT_H
++# include <stdint.h>
++#endif
++#ifdef HAVE_UNISTD_H
++# include <unistd.h>
++#endif"
++
++ac_subst_vars='LTLIBOBJS
+ LIBOBJS
+-LTLIBOBJS'
++targetname
++eap_tnc_ldflags
++eap_tnc_cflags
++EGREP
++GREP
++CPP
++OBJEXT
++EXEEXT
++ac_ct_CC
++CPPFLAGS
++LDFLAGS
++CFLAGS
++CC
++target_alias
++host_alias
++build_alias
++LIBS
++ECHO_T
++ECHO_N
++ECHO_C
++DEFS
++mandir
++localedir
++libdir
++psdir
++pdfdir
++dvidir
++htmldir
++infodir
++docdir
++oldincludedir
++includedir
++localstatedir
++sharedstatedir
++sysconfdir
++datadir
++datarootdir
++libexecdir
++sbindir
++bindir
++program_transform_name
++prefix
++exec_prefix
++PACKAGE_URL
++PACKAGE_BUGREPORT
++PACKAGE_STRING
++PACKAGE_VERSION
++PACKAGE_TARNAME
++PACKAGE_NAME
++PATH_SEPARATOR
++SHELL'
+ ac_subst_files=''
++ac_user_opts='
++enable_option_checking
++'
+       ac_precious_vars='build_alias
+ host_alias
+ target_alias
+@@ -635,12 +656,15 @@
+ CFLAGS
+ LDFLAGS
+ LIBS
+-CPPFLAGS'
++CPPFLAGS
++CPP'
+ 
+ 
+ # Initialize some variables set by options.
+ ac_init_help=
+ ac_init_version=false
++ac_unrecognized_opts=
++ac_unrecognized_sep=
+ # The variables have the same names as the options, with
+ # dashes changed to underlines.
+ cache_file=/dev/null
+@@ -696,8 +720,9 @@
+   fi
+ 
+   case $ac_option in
+-  *=*)	ac_optarg=`expr "X$ac_option" : '[^=]*=\(.*\)'` ;;
+-  *)	ac_optarg=yes ;;
++  *=?*) ac_optarg=`expr "X$ac_option" : '[^=]*=\(.*\)'` ;;
++  *=)   ac_optarg= ;;
++  *)    ac_optarg=yes ;;
+   esac
+ 
+   # Accept the important Cygnus configure options, so we can diagnose typos.
+@@ -739,13 +764,20 @@
+     datarootdir=$ac_optarg ;;
+ 
+   -disable-* | --disable-*)
+-    ac_feature=`expr "x$ac_option" : 'x-*disable-\(.*\)'`
++    ac_useropt=`expr "x$ac_option" : 'x-*disable-\(.*\)'`
+     # Reject names that are not valid shell variable names.
+-    expr "x$ac_feature" : ".*[^-._$as_cr_alnum]" >/dev/null &&
+-      { echo "$as_me: error: invalid feature name: $ac_feature" >&2
+-   { (exit 1); exit 1; }; }
+-    ac_feature=`echo $ac_feature | sed 's/[-.]/_/g'`
+-    eval enable_$ac_feature=no ;;
++    expr "x$ac_useropt" : ".*[^-+._$as_cr_alnum]" >/dev/null &&
++      as_fn_error $? "invalid feature name: $ac_useropt"
++    ac_useropt_orig=$ac_useropt
++    ac_useropt=`$as_echo "$ac_useropt" | sed 's/[-+.]/_/g'`
++    case $ac_user_opts in
++      *"
++"enable_$ac_useropt"
++"*) ;;
++      *) ac_unrecognized_opts="$ac_unrecognized_opts$ac_unrecognized_sep--disable-$ac_useropt_orig"
++	 ac_unrecognized_sep=', ';;
++    esac
++    eval enable_$ac_useropt=no ;;
+ 
+   -docdir | --docdir | --docdi | --doc | --do)
+     ac_prev=docdir ;;
+@@ -758,13 +790,20 @@
+     dvidir=$ac_optarg ;;
+ 
+   -enable-* | --enable-*)
+-    ac_feature=`expr "x$ac_option" : 'x-*enable-\([^=]*\)'`
++    ac_useropt=`expr "x$ac_option" : 'x-*enable-\([^=]*\)'`
+     # Reject names that are not valid shell variable names.
+-    expr "x$ac_feature" : ".*[^-._$as_cr_alnum]" >/dev/null &&
+-      { echo "$as_me: error: invalid feature name: $ac_feature" >&2
+-   { (exit 1); exit 1; }; }
+-    ac_feature=`echo $ac_feature | sed 's/[-.]/_/g'`
+-    eval enable_$ac_feature=\$ac_optarg ;;
++    expr "x$ac_useropt" : ".*[^-+._$as_cr_alnum]" >/dev/null &&
++      as_fn_error $? "invalid feature name: $ac_useropt"
++    ac_useropt_orig=$ac_useropt
++    ac_useropt=`$as_echo "$ac_useropt" | sed 's/[-+.]/_/g'`
++    case $ac_user_opts in
++      *"
++"enable_$ac_useropt"
++"*) ;;
++      *) ac_unrecognized_opts="$ac_unrecognized_opts$ac_unrecognized_sep--enable-$ac_useropt_orig"
++	 ac_unrecognized_sep=', ';;
++    esac
++    eval enable_$ac_useropt=\$ac_optarg ;;
+ 
+   -exec-prefix | --exec_prefix | --exec-prefix | --exec-prefi \
+   | --exec-pref | --exec-pre | --exec-pr | --exec-p | --exec- \
+@@ -955,22 +994,36 @@
+     ac_init_version=: ;;
+ 
+   -with-* | --with-*)
+-    ac_package=`expr "x$ac_option" : 'x-*with-\([^=]*\)'`
++    ac_useropt=`expr "x$ac_option" : 'x-*with-\([^=]*\)'`
+     # Reject names that are not valid shell variable names.
+-    expr "x$ac_package" : ".*[^-._$as_cr_alnum]" >/dev/null &&
+-      { echo "$as_me: error: invalid package name: $ac_package" >&2
+-   { (exit 1); exit 1; }; }
+-    ac_package=`echo $ac_package | sed 's/[-.]/_/g'`
+-    eval with_$ac_package=\$ac_optarg ;;
++    expr "x$ac_useropt" : ".*[^-+._$as_cr_alnum]" >/dev/null &&
++      as_fn_error $? "invalid package name: $ac_useropt"
++    ac_useropt_orig=$ac_useropt
++    ac_useropt=`$as_echo "$ac_useropt" | sed 's/[-+.]/_/g'`
++    case $ac_user_opts in
++      *"
++"with_$ac_useropt"
++"*) ;;
++      *) ac_unrecognized_opts="$ac_unrecognized_opts$ac_unrecognized_sep--with-$ac_useropt_orig"
++	 ac_unrecognized_sep=', ';;
++    esac
++    eval with_$ac_useropt=\$ac_optarg ;;
+ 
+   -without-* | --without-*)
+-    ac_package=`expr "x$ac_option" : 'x-*without-\(.*\)'`
++    ac_useropt=`expr "x$ac_option" : 'x-*without-\(.*\)'`
+     # Reject names that are not valid shell variable names.
+-    expr "x$ac_package" : ".*[^-._$as_cr_alnum]" >/dev/null &&
+-      { echo "$as_me: error: invalid package name: $ac_package" >&2
+-   { (exit 1); exit 1; }; }
+-    ac_package=`echo $ac_package | sed 's/[-.]/_/g'`
+-    eval with_$ac_package=no ;;
++    expr "x$ac_useropt" : ".*[^-+._$as_cr_alnum]" >/dev/null &&
++      as_fn_error $? "invalid package name: $ac_useropt"
++    ac_useropt_orig=$ac_useropt
++    ac_useropt=`$as_echo "$ac_useropt" | sed 's/[-+.]/_/g'`
++    case $ac_user_opts in
++      *"
++"with_$ac_useropt"
++"*) ;;
++      *) ac_unrecognized_opts="$ac_unrecognized_opts$ac_unrecognized_sep--without-$ac_useropt_orig"
++	 ac_unrecognized_sep=', ';;
++    esac
++    eval with_$ac_useropt=no ;;
+ 
+   --x)
+     # Obsolete; use --with-x.
+@@ -990,25 +1043,25 @@
+   | --x-librar=* | --x-libra=* | --x-libr=* | --x-lib=* | --x-li=* | --x-l=*)
+     x_libraries=$ac_optarg ;;
+ 
+-  -*) { echo "$as_me: error: unrecognized option: $ac_option
+-Try \`$0 --help' for more information." >&2
+-   { (exit 1); exit 1; }; }
++  -*) as_fn_error $? "unrecognized option: \`$ac_option'
++Try \`$0 --help' for more information"
+     ;;
+ 
+   *=*)
+     ac_envvar=`expr "x$ac_option" : 'x\([^=]*\)='`
+     # Reject names that are not valid shell variable names.
+-    expr "x$ac_envvar" : ".*[^_$as_cr_alnum]" >/dev/null &&
+-      { echo "$as_me: error: invalid variable name: $ac_envvar" >&2
+-   { (exit 1); exit 1; }; }
++    case $ac_envvar in #(
++      '' | [0-9]* | *[!_$as_cr_alnum]* )
++      as_fn_error $? "invalid variable name: \`$ac_envvar'" ;;
++    esac
+     eval $ac_envvar=\$ac_optarg
+     export $ac_envvar ;;
+ 
+   *)
+     # FIXME: should be removed in autoconf 3.0.
+-    echo "$as_me: WARNING: you should use --build, --host, --target" >&2
++    $as_echo "$as_me: WARNING: you should use --build, --host, --target" >&2
+     expr "x$ac_option" : ".*[^-._$as_cr_alnum]" >/dev/null &&
+-      echo "$as_me: WARNING: invalid host type: $ac_option" >&2
++      $as_echo "$as_me: WARNING: invalid host type: $ac_option" >&2
+     : ${build_alias=$ac_option} ${host_alias=$ac_option} ${target_alias=$ac_option}
+     ;;
+ 
+@@ -1017,23 +1070,36 @@
+ 
+ if test -n "$ac_prev"; then
+   ac_option=--`echo $ac_prev | sed 's/_/-/g'`
+-  { echo "$as_me: error: missing argument to $ac_option" >&2
+-   { (exit 1); exit 1; }; }
++  as_fn_error $? "missing argument to $ac_option"
++fi
++
++if test -n "$ac_unrecognized_opts"; then
++  case $enable_option_checking in
++    no) ;;
++    fatal) as_fn_error $? "unrecognized options: $ac_unrecognized_opts" ;;
++    *)     $as_echo "$as_me: WARNING: unrecognized options: $ac_unrecognized_opts" >&2 ;;
++  esac
+ fi
+ 
+-# Be sure to have absolute directory names.
++# Check all directory arguments for consistency.
+ for ac_var in	exec_prefix prefix bindir sbindir libexecdir datarootdir \
+ 		datadir sysconfdir sharedstatedir localstatedir includedir \
+ 		oldincludedir docdir infodir htmldir dvidir pdfdir psdir \
+ 		libdir localedir mandir
+ do
+   eval ac_val=\$$ac_var
++  # Remove trailing slashes.
++  case $ac_val in
++    */ )
++      ac_val=`expr "X$ac_val" : 'X\(.*[^/]\)' \| "X$ac_val" : 'X\(.*\)'`
++      eval $ac_var=\$ac_val;;
++  esac
++  # Be sure to have absolute directory names.
+   case $ac_val in
+     [\\/$]* | ?:[\\/]* )  continue;;
+     NONE | '' ) case $ac_var in *prefix ) continue;; esac;;
+   esac
+-  { echo "$as_me: error: expected an absolute directory name for --$ac_var: $ac_val" >&2
+-   { (exit 1); exit 1; }; }
++  as_fn_error $? "expected an absolute directory name for --$ac_var: $ac_val"
+ done
+ 
+ # There might be people who depend on the old broken behavior: `$host'
+@@ -1047,8 +1113,8 @@
+ if test "x$host_alias" != x; then
+   if test "x$build_alias" = x; then
+     cross_compiling=maybe
+-    echo "$as_me: WARNING: If you wanted to set the --build type, don't use --host.
+-    If a cross compiler is detected then cross compile mode will be used." >&2
++    $as_echo "$as_me: WARNING: if you wanted to set the --build type, don't use --host.
++    If a cross compiler is detected then cross compile mode will be used" >&2
+   elif test "x$build_alias" != "x$host_alias"; then
+     cross_compiling=yes
+   fi
+@@ -1063,23 +1129,21 @@
+ ac_pwd=`pwd` && test -n "$ac_pwd" &&
+ ac_ls_di=`ls -di .` &&
+ ac_pwd_ls_di=`cd "$ac_pwd" && ls -di .` ||
+-  { echo "$as_me: error: Working directory cannot be determined" >&2
+-   { (exit 1); exit 1; }; }
++  as_fn_error $? "working directory cannot be determined"
+ test "X$ac_ls_di" = "X$ac_pwd_ls_di" ||
+-  { echo "$as_me: error: pwd does not report name of working directory" >&2
+-   { (exit 1); exit 1; }; }
++  as_fn_error $? "pwd does not report name of working directory"
+ 
+ 
+ # Find the source files, if location was not specified.
+ if test -z "$srcdir"; then
+   ac_srcdir_defaulted=yes
+   # Try the directory containing this script, then the parent directory.
+-  ac_confdir=`$as_dirname -- "$0" ||
+-$as_expr X"$0" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \
+-	 X"$0" : 'X\(//\)[^/]' \| \
+-	 X"$0" : 'X\(//\)$' \| \
+-	 X"$0" : 'X\(/\)' \| . 2>/dev/null ||
+-echo X"$0" |
++  ac_confdir=`$as_dirname -- "$as_myself" ||
++$as_expr X"$as_myself" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \
++	 X"$as_myself" : 'X\(//\)[^/]' \| \
++	 X"$as_myself" : 'X\(//\)$' \| \
++	 X"$as_myself" : 'X\(/\)' \| . 2>/dev/null ||
++$as_echo X"$as_myself" |
+     sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{
+ 	    s//\1/
+ 	    q
+@@ -1106,13 +1170,11 @@
+ fi
+ if test ! -r "$srcdir/$ac_unique_file"; then
+   test "$ac_srcdir_defaulted" = yes && srcdir="$ac_confdir or .."
+-  { echo "$as_me: error: cannot find sources ($ac_unique_file) in $srcdir" >&2
+-   { (exit 1); exit 1; }; }
++  as_fn_error $? "cannot find sources ($ac_unique_file) in $srcdir"
+ fi
+ ac_msg="sources are in $srcdir, but \`cd $srcdir' does not work"
+ ac_abs_confdir=`(
+-	cd "$srcdir" && test -r "./$ac_unique_file" || { echo "$as_me: error: $ac_msg" >&2
+-   { (exit 1); exit 1; }; }
++	cd "$srcdir" && test -r "./$ac_unique_file" || as_fn_error $? "$ac_msg"
+ 	pwd)`
+ # When building in place, set srcdir=.
+ if test "$ac_abs_confdir" = "$ac_pwd"; then
+@@ -1152,7 +1214,7 @@
+       --help=short        display options specific to this package
+       --help=recursive    display the short help of all the included packages
+   -V, --version           display version information and exit
+-  -q, --quiet, --silent   do not print \`checking...' messages
++  -q, --quiet, --silent   do not print \`checking ...' messages
+       --cache-file=FILE   cache test results in FILE [disabled]
+   -C, --config-cache      alias for \`--cache-file=config.cache'
+   -n, --no-create         do not create output files
+@@ -1160,9 +1222,9 @@
+ 
+ Installation directories:
+   --prefix=PREFIX         install architecture-independent files in PREFIX
+-			  [$ac_default_prefix]
++                          [$ac_default_prefix]
+   --exec-prefix=EPREFIX   install architecture-dependent files in EPREFIX
+-			  [PREFIX]
++                          [PREFIX]
+ 
+ By default, \`make install' will install all the files in
+ \`$ac_default_prefix/bin', \`$ac_default_prefix/lib' etc.  You can specify
+@@ -1172,25 +1234,25 @@
+ For better control, use the options below.
+ 
+ Fine tuning of the installation directories:
+-  --bindir=DIR           user executables [EPREFIX/bin]
+-  --sbindir=DIR          system admin executables [EPREFIX/sbin]
+-  --libexecdir=DIR       program executables [EPREFIX/libexec]
+-  --sysconfdir=DIR       read-only single-machine data [PREFIX/etc]
+-  --sharedstatedir=DIR   modifiable architecture-independent data [PREFIX/com]
+-  --localstatedir=DIR    modifiable single-machine data [PREFIX/var]
+-  --libdir=DIR           object code libraries [EPREFIX/lib]
+-  --includedir=DIR       C header files [PREFIX/include]
+-  --oldincludedir=DIR    C header files for non-gcc [/usr/include]
+-  --datarootdir=DIR      read-only arch.-independent data root [PREFIX/share]
+-  --datadir=DIR          read-only architecture-independent data [DATAROOTDIR]
+-  --infodir=DIR          info documentation [DATAROOTDIR/info]
+-  --localedir=DIR        locale-dependent data [DATAROOTDIR/locale]
+-  --mandir=DIR           man documentation [DATAROOTDIR/man]
+-  --docdir=DIR           documentation root [DATAROOTDIR/doc/PACKAGE]
+-  --htmldir=DIR          html documentation [DOCDIR]
+-  --dvidir=DIR           dvi documentation [DOCDIR]
+-  --pdfdir=DIR           pdf documentation [DOCDIR]
+-  --psdir=DIR            ps documentation [DOCDIR]
++  --bindir=DIR            user executables [EPREFIX/bin]
++  --sbindir=DIR           system admin executables [EPREFIX/sbin]
++  --libexecdir=DIR        program executables [EPREFIX/libexec]
++  --sysconfdir=DIR        read-only single-machine data [PREFIX/etc]
++  --sharedstatedir=DIR    modifiable architecture-independent data [PREFIX/com]
++  --localstatedir=DIR     modifiable single-machine data [PREFIX/var]
++  --libdir=DIR            object code libraries [EPREFIX/lib]
++  --includedir=DIR        C header files [PREFIX/include]
++  --oldincludedir=DIR     C header files for non-gcc [/usr/include]
++  --datarootdir=DIR       read-only arch.-independent data root [PREFIX/share]
++  --datadir=DIR           read-only architecture-independent data [DATAROOTDIR]
++  --infodir=DIR           info documentation [DATAROOTDIR/info]
++  --localedir=DIR         locale-dependent data [DATAROOTDIR/locale]
++  --mandir=DIR            man documentation [DATAROOTDIR/man]
++  --docdir=DIR            documentation root [DATAROOTDIR/doc/PACKAGE]
++  --htmldir=DIR           html documentation [DOCDIR]
++  --dvidir=DIR            dvi documentation [DOCDIR]
++  --pdfdir=DIR            pdf documentation [DOCDIR]
++  --psdir=DIR             ps documentation [DOCDIR]
+ _ACEOF
+ 
+   cat <<\_ACEOF
+@@ -1207,12 +1269,14 @@
+   LDFLAGS     linker flags, e.g. -L<lib dir> if you have libraries in a
+               nonstandard directory <lib dir>
+   LIBS        libraries to pass to the linker, e.g. -l<library>
+-  CPPFLAGS    C/C++/Objective C preprocessor flags, e.g. -I<include dir> if
++  CPPFLAGS    (Objective) C/C++ preprocessor flags, e.g. -I<include dir> if
+               you have headers in a nonstandard directory <include dir>
++  CPP         C preprocessor
+ 
+ Use these variables to override the choices made by `configure' or to help
+ it to find libraries and programs with nonstandard names/locations.
+ 
++Report bugs to the package provider.
+ _ACEOF
+ ac_status=$?
+ fi
+@@ -1220,15 +1284,17 @@
+ if test "$ac_init_help" = "recursive"; then
+   # If there are subdirs, report their specific --help.
+   for ac_dir in : $ac_subdirs_all; do test "x$ac_dir" = x: && continue
+-    test -d "$ac_dir" || continue
++    test -d "$ac_dir" ||
++      { cd "$srcdir" && ac_pwd=`pwd` && srcdir=. && test -d "$ac_dir"; } ||
++      continue
+     ac_builddir=.
+ 
+ case "$ac_dir" in
+ .) ac_dir_suffix= ac_top_builddir_sub=. ac_top_build_prefix= ;;
+ *)
+-  ac_dir_suffix=/`echo "$ac_dir" | sed 's,^\.[\\/],,'`
++  ac_dir_suffix=/`$as_echo "$ac_dir" | sed 's|^\.[\\/]||'`
+   # A ".." for each directory in $ac_dir_suffix.
+-  ac_top_builddir_sub=`echo "$ac_dir_suffix" | sed 's,/[^\\/]*,/..,g;s,/,,'`
++  ac_top_builddir_sub=`$as_echo "$ac_dir_suffix" | sed 's|/[^\\/]*|/..|g;s|/||'`
+   case $ac_top_builddir_sub in
+   "") ac_top_builddir_sub=. ac_top_build_prefix= ;;
+   *)  ac_top_build_prefix=$ac_top_builddir_sub/ ;;
+@@ -1264,7 +1330,7 @@
+       echo &&
+       $SHELL "$ac_srcdir/configure" --help=recursive
+     else
+-      echo "$as_me: WARNING: no configuration information is in $ac_dir" >&2
++      $as_echo "$as_me: WARNING: no configuration information is in $ac_dir" >&2
+     fi || ac_status=$?
+     cd "$ac_pwd" || { ac_status=$?; break; }
+   done
+@@ -1274,21 +1340,305 @@
+ if $ac_init_version; then
+   cat <<\_ACEOF
+ configure
+-generated by GNU Autoconf 2.61
++generated by GNU Autoconf 2.67
+ 
+-Copyright (C) 1992, 1993, 1994, 1995, 1996, 1998, 1999, 2000, 2001,
+-2002, 2003, 2004, 2005, 2006 Free Software Foundation, Inc.
++Copyright (C) 2010 Free Software Foundation, Inc.
+ This configure script is free software; the Free Software Foundation
+ gives unlimited permission to copy, distribute and modify it.
+ _ACEOF
+   exit
+ fi
++
++## ------------------------ ##
++## Autoconf initialization. ##
++## ------------------------ ##
++
++# ac_fn_c_try_compile LINENO
++# --------------------------
++# Try to compile conftest.$ac_ext, and return whether this succeeded.
++ac_fn_c_try_compile ()
++{
++  as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack
++  rm -f conftest.$ac_objext
++  if { { ac_try="$ac_compile"
++case "(($ac_try" in
++  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
++  *) ac_try_echo=$ac_try;;
++esac
++eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\""
++$as_echo "$ac_try_echo"; } >&5
++  (eval "$ac_compile") 2>conftest.err
++  ac_status=$?
++  if test -s conftest.err; then
++    grep -v '^ *+' conftest.err >conftest.er1
++    cat conftest.er1 >&5
++    mv -f conftest.er1 conftest.err
++  fi
++  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
++  test $ac_status = 0; } && {
++	 test -z "$ac_c_werror_flag" ||
++	 test ! -s conftest.err
++       } && test -s conftest.$ac_objext; then :
++  ac_retval=0
++else
++  $as_echo "$as_me: failed program was:" >&5
++sed 's/^/| /' conftest.$ac_ext >&5
++
++	ac_retval=1
++fi
++  eval $as_lineno_stack; test "x$as_lineno_stack" = x && { as_lineno=; unset as_lineno;}
++  as_fn_set_status $ac_retval
++
++} # ac_fn_c_try_compile
++
++# ac_fn_c_try_link LINENO
++# -----------------------
++# Try to link conftest.$ac_ext, and return whether this succeeded.
++ac_fn_c_try_link ()
++{
++  as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack
++  rm -f conftest.$ac_objext conftest$ac_exeext
++  if { { ac_try="$ac_link"
++case "(($ac_try" in
++  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
++  *) ac_try_echo=$ac_try;;
++esac
++eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\""
++$as_echo "$ac_try_echo"; } >&5
++  (eval "$ac_link") 2>conftest.err
++  ac_status=$?
++  if test -s conftest.err; then
++    grep -v '^ *+' conftest.err >conftest.er1
++    cat conftest.er1 >&5
++    mv -f conftest.er1 conftest.err
++  fi
++  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
++  test $ac_status = 0; } && {
++	 test -z "$ac_c_werror_flag" ||
++	 test ! -s conftest.err
++       } && test -s conftest$ac_exeext && {
++	 test "$cross_compiling" = yes ||
++	 $as_test_x conftest$ac_exeext
++       }; then :
++  ac_retval=0
++else
++  $as_echo "$as_me: failed program was:" >&5
++sed 's/^/| /' conftest.$ac_ext >&5
++
++	ac_retval=1
++fi
++  # Delete the IPA/IPO (Inter Procedural Analysis/Optimization) information
++  # created by the PGI compiler (conftest_ipa8_conftest.oo), as it would
++  # interfere with the next link command; also delete a directory that is
++  # left behind by Apple's compiler.  We do this before executing the actions.
++  rm -rf conftest.dSYM conftest_ipa8_conftest.oo
++  eval $as_lineno_stack; test "x$as_lineno_stack" = x && { as_lineno=; unset as_lineno;}
++  as_fn_set_status $ac_retval
++
++} # ac_fn_c_try_link
++
++# ac_fn_c_try_cpp LINENO
++# ----------------------
++# Try to preprocess conftest.$ac_ext, and return whether this succeeded.
++ac_fn_c_try_cpp ()
++{
++  as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack
++  if { { ac_try="$ac_cpp conftest.$ac_ext"
++case "(($ac_try" in
++  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
++  *) ac_try_echo=$ac_try;;
++esac
++eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\""
++$as_echo "$ac_try_echo"; } >&5
++  (eval "$ac_cpp conftest.$ac_ext") 2>conftest.err
++  ac_status=$?
++  if test -s conftest.err; then
++    grep -v '^ *+' conftest.err >conftest.er1
++    cat conftest.er1 >&5
++    mv -f conftest.er1 conftest.err
++  fi
++  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
++  test $ac_status = 0; } > conftest.i && {
++	 test -z "$ac_c_preproc_warn_flag$ac_c_werror_flag" ||
++	 test ! -s conftest.err
++       }; then :
++  ac_retval=0
++else
++  $as_echo "$as_me: failed program was:" >&5
++sed 's/^/| /' conftest.$ac_ext >&5
++
++    ac_retval=1
++fi
++  eval $as_lineno_stack; test "x$as_lineno_stack" = x && { as_lineno=; unset as_lineno;}
++  as_fn_set_status $ac_retval
++
++} # ac_fn_c_try_cpp
++
++# ac_fn_c_check_header_mongrel LINENO HEADER VAR INCLUDES
++# -------------------------------------------------------
++# Tests whether HEADER exists, giving a warning if it cannot be compiled using
++# the include files in INCLUDES and setting the cache variable VAR
++# accordingly.
++ac_fn_c_check_header_mongrel ()
++{
++  as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack
++  if eval "test \"\${$3+set}\"" = set; then :
++  { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $2" >&5
++$as_echo_n "checking for $2... " >&6; }
++if eval "test \"\${$3+set}\"" = set; then :
++  $as_echo_n "(cached) " >&6
++fi
++eval ac_res=\$$3
++	       { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5
++$as_echo "$ac_res" >&6; }
++else
++  # Is the header compilable?
++{ $as_echo "$as_me:${as_lineno-$LINENO}: checking $2 usability" >&5
++$as_echo_n "checking $2 usability... " >&6; }
++cat confdefs.h - <<_ACEOF >conftest.$ac_ext
++/* end confdefs.h.  */
++$4
++#include <$2>
++_ACEOF
++if ac_fn_c_try_compile "$LINENO"; then :
++  ac_header_compiler=yes
++else
++  ac_header_compiler=no
++fi
++rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
++{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_header_compiler" >&5
++$as_echo "$ac_header_compiler" >&6; }
++
++# Is the header present?
++{ $as_echo "$as_me:${as_lineno-$LINENO}: checking $2 presence" >&5
++$as_echo_n "checking $2 presence... " >&6; }
++cat confdefs.h - <<_ACEOF >conftest.$ac_ext
++/* end confdefs.h.  */
++#include <$2>
++_ACEOF
++if ac_fn_c_try_cpp "$LINENO"; then :
++  ac_header_preproc=yes
++else
++  ac_header_preproc=no
++fi
++rm -f conftest.err conftest.i conftest.$ac_ext
++{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_header_preproc" >&5
++$as_echo "$ac_header_preproc" >&6; }
++
++# So?  What about this header?
++case $ac_header_compiler:$ac_header_preproc:$ac_c_preproc_warn_flag in #((
++  yes:no: )
++    { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: $2: accepted by the compiler, rejected by the preprocessor!" >&5
++$as_echo "$as_me: WARNING: $2: accepted by the compiler, rejected by the preprocessor!" >&2;}
++    { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: $2: proceeding with the compiler's result" >&5
++$as_echo "$as_me: WARNING: $2: proceeding with the compiler's result" >&2;}
++    ;;
++  no:yes:* )
++    { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: $2: present but cannot be compiled" >&5
++$as_echo "$as_me: WARNING: $2: present but cannot be compiled" >&2;}
++    { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: $2:     check for missing prerequisite headers?" >&5
++$as_echo "$as_me: WARNING: $2:     check for missing prerequisite headers?" >&2;}
++    { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: $2: see the Autoconf documentation" >&5
++$as_echo "$as_me: WARNING: $2: see the Autoconf documentation" >&2;}
++    { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: $2:     section \"Present But Cannot Be Compiled\"" >&5
++$as_echo "$as_me: WARNING: $2:     section \"Present But Cannot Be Compiled\"" >&2;}
++    { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: $2: proceeding with the compiler's result" >&5
++$as_echo "$as_me: WARNING: $2: proceeding with the compiler's result" >&2;}
++    ;;
++esac
++  { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $2" >&5
++$as_echo_n "checking for $2... " >&6; }
++if eval "test \"\${$3+set}\"" = set; then :
++  $as_echo_n "(cached) " >&6
++else
++  eval "$3=\$ac_header_compiler"
++fi
++eval ac_res=\$$3
++	       { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5
++$as_echo "$ac_res" >&6; }
++fi
++  eval $as_lineno_stack; test "x$as_lineno_stack" = x && { as_lineno=; unset as_lineno;}
++
++} # ac_fn_c_check_header_mongrel
++
++# ac_fn_c_try_run LINENO
++# ----------------------
++# Try to link conftest.$ac_ext, and return whether this succeeded. Assumes
++# that executables *can* be run.
++ac_fn_c_try_run ()
++{
++  as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack
++  if { { ac_try="$ac_link"
++case "(($ac_try" in
++  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
++  *) ac_try_echo=$ac_try;;
++esac
++eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\""
++$as_echo "$ac_try_echo"; } >&5
++  (eval "$ac_link") 2>&5
++  ac_status=$?
++  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
++  test $ac_status = 0; } && { ac_try='./conftest$ac_exeext'
++  { { case "(($ac_try" in
++  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
++  *) ac_try_echo=$ac_try;;
++esac
++eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\""
++$as_echo "$ac_try_echo"; } >&5
++  (eval "$ac_try") 2>&5
++  ac_status=$?
++  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
++  test $ac_status = 0; }; }; then :
++  ac_retval=0
++else
++  $as_echo "$as_me: program exited with status $ac_status" >&5
++       $as_echo "$as_me: failed program was:" >&5
++sed 's/^/| /' conftest.$ac_ext >&5
++
++       ac_retval=$ac_status
++fi
++  rm -rf conftest.dSYM conftest_ipa8_conftest.oo
++  eval $as_lineno_stack; test "x$as_lineno_stack" = x && { as_lineno=; unset as_lineno;}
++  as_fn_set_status $ac_retval
++
++} # ac_fn_c_try_run
++
++# ac_fn_c_check_header_compile LINENO HEADER VAR INCLUDES
++# -------------------------------------------------------
++# Tests whether HEADER exists and can be compiled using the include files in
++# INCLUDES, setting the cache variable VAR accordingly.
++ac_fn_c_check_header_compile ()
++{
++  as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack
++  { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $2" >&5
++$as_echo_n "checking for $2... " >&6; }
++if eval "test \"\${$3+set}\"" = set; then :
++  $as_echo_n "(cached) " >&6
++else
++  cat confdefs.h - <<_ACEOF >conftest.$ac_ext
++/* end confdefs.h.  */
++$4
++#include <$2>
++_ACEOF
++if ac_fn_c_try_compile "$LINENO"; then :
++  eval "$3=yes"
++else
++  eval "$3=no"
++fi
++rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
++fi
++eval ac_res=\$$3
++	       { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5
++$as_echo "$ac_res" >&6; }
++  eval $as_lineno_stack; test "x$as_lineno_stack" = x && { as_lineno=; unset as_lineno;}
++
++} # ac_fn_c_check_header_compile
+ cat >config.log <<_ACEOF
+ This file contains any messages produced by compilers while
+ running configure, to aid debugging if configure makes a mistake.
+ 
+ It was created by $as_me, which was
+-generated by GNU Autoconf 2.61.  Invocation command line was
++generated by GNU Autoconf 2.67.  Invocation command line was
+ 
+   $ $0 $@
+ 
+@@ -1324,8 +1674,8 @@
+ do
+   IFS=$as_save_IFS
+   test -z "$as_dir" && as_dir=.
+-  echo "PATH: $as_dir"
+-done
++    $as_echo "PATH: $as_dir"
++  done
+ IFS=$as_save_IFS
+ 
+ } >&5
+@@ -1359,12 +1709,12 @@
+     | -silent | --silent | --silen | --sile | --sil)
+       continue ;;
+     *\'*)
+-      ac_arg=`echo "$ac_arg" | sed "s/'/'\\\\\\\\''/g"` ;;
++      ac_arg=`$as_echo "$ac_arg" | sed "s/'/'\\\\\\\\''/g"` ;;
+     esac
+     case $ac_pass in
+-    1) ac_configure_args0="$ac_configure_args0 '$ac_arg'" ;;
++    1) as_fn_append ac_configure_args0 " '$ac_arg'" ;;
+     2)
+-      ac_configure_args1="$ac_configure_args1 '$ac_arg'"
++      as_fn_append ac_configure_args1 " '$ac_arg'"
+       if test $ac_must_keep_next = true; then
+ 	ac_must_keep_next=false # Got value, back to normal.
+       else
+@@ -1380,13 +1730,13 @@
+ 	  -* ) ac_must_keep_next=true ;;
+ 	esac
+       fi
+-      ac_configure_args="$ac_configure_args '$ac_arg'"
++      as_fn_append ac_configure_args " '$ac_arg'"
+       ;;
+     esac
+   done
+ done
+-$as_unset ac_configure_args0 || test "${ac_configure_args0+set}" != set || { ac_configure_args0=; export ac_configure_args0; }
+-$as_unset ac_configure_args1 || test "${ac_configure_args1+set}" != set || { ac_configure_args1=; export ac_configure_args1; }
++{ ac_configure_args0=; unset ac_configure_args0;}
++{ ac_configure_args1=; unset ac_configure_args1;}
+ 
+ # When interrupted or exit'd, cleanup temporary files, and complete
+ # config.log.  We remove comments because anyway the quotes in there
+@@ -1398,11 +1748,9 @@
+   {
+     echo
+ 
+-    cat <<\_ASBOX
+-## ---------------- ##
++    $as_echo "## ---------------- ##
+ ## Cache variables. ##
+-## ---------------- ##
+-_ASBOX
++## ---------------- ##"
+     echo
+     # The following way of writing the cache mishandles newlines in values,
+ (
+@@ -1411,12 +1759,13 @@
+     case $ac_val in #(
+     *${as_nl}*)
+       case $ac_var in #(
+-      *_cv_*) { echo "$as_me:$LINENO: WARNING: Cache variable $ac_var contains a newline." >&5
+-echo "$as_me: WARNING: Cache variable $ac_var contains a newline." >&2;} ;;
++      *_cv_*) { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: cache variable $ac_var contains a newline" >&5
++$as_echo "$as_me: WARNING: cache variable $ac_var contains a newline" >&2;} ;;
+       esac
+       case $ac_var in #(
+       _ | IFS | as_nl) ;; #(
+-      *) $as_unset $ac_var ;;
++      BASH_ARGV | BASH_SOURCE) eval $ac_var= ;; #(
++      *) { eval $ac_var=; unset $ac_var;} ;;
+       esac ;;
+     esac
+   done
+@@ -1435,128 +1784,136 @@
+ )
+     echo
+ 
+-    cat <<\_ASBOX
+-## ----------------- ##
++    $as_echo "## ----------------- ##
+ ## Output variables. ##
+-## ----------------- ##
+-_ASBOX
++## ----------------- ##"
+     echo
+     for ac_var in $ac_subst_vars
+     do
+       eval ac_val=\$$ac_var
+       case $ac_val in
+-      *\'\''*) ac_val=`echo "$ac_val" | sed "s/'\''/'\''\\\\\\\\'\'''\''/g"`;;
++      *\'\''*) ac_val=`$as_echo "$ac_val" | sed "s/'\''/'\''\\\\\\\\'\'''\''/g"`;;
+       esac
+-      echo "$ac_var='\''$ac_val'\''"
++      $as_echo "$ac_var='\''$ac_val'\''"
+     done | sort
+     echo
+ 
+     if test -n "$ac_subst_files"; then
+-      cat <<\_ASBOX
+-## ------------------- ##
++      $as_echo "## ------------------- ##
+ ## File substitutions. ##
+-## ------------------- ##
+-_ASBOX
++## ------------------- ##"
+       echo
+       for ac_var in $ac_subst_files
+       do
+ 	eval ac_val=\$$ac_var
+ 	case $ac_val in
+-	*\'\''*) ac_val=`echo "$ac_val" | sed "s/'\''/'\''\\\\\\\\'\'''\''/g"`;;
++	*\'\''*) ac_val=`$as_echo "$ac_val" | sed "s/'\''/'\''\\\\\\\\'\'''\''/g"`;;
+ 	esac
+-	echo "$ac_var='\''$ac_val'\''"
++	$as_echo "$ac_var='\''$ac_val'\''"
+       done | sort
+       echo
+     fi
+ 
+     if test -s confdefs.h; then
+-      cat <<\_ASBOX
+-## ----------- ##
++      $as_echo "## ----------- ##
+ ## confdefs.h. ##
+-## ----------- ##
+-_ASBOX
++## ----------- ##"
+       echo
+       cat confdefs.h
+       echo
+     fi
+     test "$ac_signal" != 0 &&
+-      echo "$as_me: caught signal $ac_signal"
+-    echo "$as_me: exit $exit_status"
++      $as_echo "$as_me: caught signal $ac_signal"
++    $as_echo "$as_me: exit $exit_status"
+   } >&5
+   rm -f core *.core core.conftest.* &&
+     rm -f -r conftest* confdefs* conf$$* $ac_clean_files &&
+     exit $exit_status
+ ' 0
+ for ac_signal in 1 2 13 15; do
+-  trap 'ac_signal='$ac_signal'; { (exit 1); exit 1; }' $ac_signal
++  trap 'ac_signal='$ac_signal'; as_fn_exit 1' $ac_signal
+ done
+ ac_signal=0
+ 
+ # confdefs.h avoids OS command line length limits that DEFS can exceed.
+ rm -f -r conftest* confdefs.h
+ 
++$as_echo "/* confdefs.h */" > confdefs.h
++
+ # Predefined preprocessor variables.
+ 
+ cat >>confdefs.h <<_ACEOF
+ #define PACKAGE_NAME "$PACKAGE_NAME"
+ _ACEOF
+ 
+-
+ cat >>confdefs.h <<_ACEOF
+ #define PACKAGE_TARNAME "$PACKAGE_TARNAME"
+ _ACEOF
+ 
+-
+ cat >>confdefs.h <<_ACEOF
+ #define PACKAGE_VERSION "$PACKAGE_VERSION"
+ _ACEOF
+ 
+-
+ cat >>confdefs.h <<_ACEOF
+ #define PACKAGE_STRING "$PACKAGE_STRING"
+ _ACEOF
+ 
+-
+ cat >>confdefs.h <<_ACEOF
+ #define PACKAGE_BUGREPORT "$PACKAGE_BUGREPORT"
+ _ACEOF
+ 
++cat >>confdefs.h <<_ACEOF
++#define PACKAGE_URL "$PACKAGE_URL"
++_ACEOF
++
+ 
+ # Let the site file select an alternate cache file if it wants to.
+-# Prefer explicitly selected file to automatically selected ones.
++# Prefer an explicitly selected file to automatically selected ones.
++ac_site_file1=NONE
++ac_site_file2=NONE
+ if test -n "$CONFIG_SITE"; then
+-  set x "$CONFIG_SITE"
++  # We do not want a PATH search for config.site.
++  case $CONFIG_SITE in #((
++    -*)  ac_site_file1=./$CONFIG_SITE;;
++    */*) ac_site_file1=$CONFIG_SITE;;
++    *)   ac_site_file1=./$CONFIG_SITE;;
++  esac
+ elif test "x$prefix" != xNONE; then
+-  set x "$prefix/share/config.site" "$prefix/etc/config.site"
++  ac_site_file1=$prefix/share/config.site
++  ac_site_file2=$prefix/etc/config.site
+ else
+-  set x "$ac_default_prefix/share/config.site" \
+-	"$ac_default_prefix/etc/config.site"
++  ac_site_file1=$ac_default_prefix/share/config.site
++  ac_site_file2=$ac_default_prefix/etc/config.site
+ fi
+-shift
+-for ac_site_file
++for ac_site_file in "$ac_site_file1" "$ac_site_file2"
+ do
+-  if test -r "$ac_site_file"; then
+-    { echo "$as_me:$LINENO: loading site script $ac_site_file" >&5
+-echo "$as_me: loading site script $ac_site_file" >&6;}
++  test "x$ac_site_file" = xNONE && continue
++  if test /dev/null != "$ac_site_file" && test -r "$ac_site_file"; then
++    { $as_echo "$as_me:${as_lineno-$LINENO}: loading site script $ac_site_file" >&5
++$as_echo "$as_me: loading site script $ac_site_file" >&6;}
+     sed 's/^/| /' "$ac_site_file" >&5
+-    . "$ac_site_file"
++    . "$ac_site_file" \
++      || { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
++$as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
++as_fn_error $? "failed to load site script $ac_site_file
++See \`config.log' for more details" "$LINENO" 5 ; }
+   fi
+ done
+ 
+ if test -r "$cache_file"; then
+-  # Some versions of bash will fail to source /dev/null (special
+-  # files actually), so we avoid doing that.
+-  if test -f "$cache_file"; then
+-    { echo "$as_me:$LINENO: loading cache $cache_file" >&5
+-echo "$as_me: loading cache $cache_file" >&6;}
++  # Some versions of bash will fail to source /dev/null (special files
++  # actually), so we avoid doing that.  DJGPP emulates it as a regular file.
++  if test /dev/null != "$cache_file" && test -f "$cache_file"; then
++    { $as_echo "$as_me:${as_lineno-$LINENO}: loading cache $cache_file" >&5
++$as_echo "$as_me: loading cache $cache_file" >&6;}
+     case $cache_file in
+       [\\/]* | ?:[\\/]* ) . "$cache_file";;
+       *)                      . "./$cache_file";;
+     esac
+   fi
+ else
+-  { echo "$as_me:$LINENO: creating cache $cache_file" >&5
+-echo "$as_me: creating cache $cache_file" >&6;}
++  { $as_echo "$as_me:${as_lineno-$LINENO}: creating cache $cache_file" >&5
++$as_echo "$as_me: creating cache $cache_file" >&6;}
+   >$cache_file
+ fi
+ 
+@@ -1570,60 +1927,56 @@
+   eval ac_new_val=\$ac_env_${ac_var}_value
+   case $ac_old_set,$ac_new_set in
+     set,)
+-      { echo "$as_me:$LINENO: error: \`$ac_var' was set to \`$ac_old_val' in the previous run" >&5
+-echo "$as_me: error: \`$ac_var' was set to \`$ac_old_val' in the previous run" >&2;}
++      { $as_echo "$as_me:${as_lineno-$LINENO}: error: \`$ac_var' was set to \`$ac_old_val' in the previous run" >&5
++$as_echo "$as_me: error: \`$ac_var' was set to \`$ac_old_val' in the previous run" >&2;}
+       ac_cache_corrupted=: ;;
+     ,set)
+-      { echo "$as_me:$LINENO: error: \`$ac_var' was not set in the previous run" >&5
+-echo "$as_me: error: \`$ac_var' was not set in the previous run" >&2;}
++      { $as_echo "$as_me:${as_lineno-$LINENO}: error: \`$ac_var' was not set in the previous run" >&5
++$as_echo "$as_me: error: \`$ac_var' was not set in the previous run" >&2;}
+       ac_cache_corrupted=: ;;
+     ,);;
+     *)
+       if test "x$ac_old_val" != "x$ac_new_val"; then
+-	{ echo "$as_me:$LINENO: error: \`$ac_var' has changed since the previous run:" >&5
+-echo "$as_me: error: \`$ac_var' has changed since the previous run:" >&2;}
+-	{ echo "$as_me:$LINENO:   former value:  $ac_old_val" >&5
+-echo "$as_me:   former value:  $ac_old_val" >&2;}
+-	{ echo "$as_me:$LINENO:   current value: $ac_new_val" >&5
+-echo "$as_me:   current value: $ac_new_val" >&2;}
+-	ac_cache_corrupted=:
++	# differences in whitespace do not lead to failure.
++	ac_old_val_w=`echo x $ac_old_val`
++	ac_new_val_w=`echo x $ac_new_val`
++	if test "$ac_old_val_w" != "$ac_new_val_w"; then
++	  { $as_echo "$as_me:${as_lineno-$LINENO}: error: \`$ac_var' has changed since the previous run:" >&5
++$as_echo "$as_me: error: \`$ac_var' has changed since the previous run:" >&2;}
++	  ac_cache_corrupted=:
++	else
++	  { $as_echo "$as_me:${as_lineno-$LINENO}: warning: ignoring whitespace changes in \`$ac_var' since the previous run:" >&5
++$as_echo "$as_me: warning: ignoring whitespace changes in \`$ac_var' since the previous run:" >&2;}
++	  eval $ac_var=\$ac_old_val
++	fi
++	{ $as_echo "$as_me:${as_lineno-$LINENO}:   former value:  \`$ac_old_val'" >&5
++$as_echo "$as_me:   former value:  \`$ac_old_val'" >&2;}
++	{ $as_echo "$as_me:${as_lineno-$LINENO}:   current value: \`$ac_new_val'" >&5
++$as_echo "$as_me:   current value: \`$ac_new_val'" >&2;}
+       fi;;
+   esac
+   # Pass precious variables to config.status.
+   if test "$ac_new_set" = set; then
+     case $ac_new_val in
+-    *\'*) ac_arg=$ac_var=`echo "$ac_new_val" | sed "s/'/'\\\\\\\\''/g"` ;;
++    *\'*) ac_arg=$ac_var=`$as_echo "$ac_new_val" | sed "s/'/'\\\\\\\\''/g"` ;;
+     *) ac_arg=$ac_var=$ac_new_val ;;
+     esac
+     case " $ac_configure_args " in
+       *" '$ac_arg' "*) ;; # Avoid dups.  Use of quotes ensures accuracy.
+-      *) ac_configure_args="$ac_configure_args '$ac_arg'" ;;
++      *) as_fn_append ac_configure_args " '$ac_arg'" ;;
+     esac
+   fi
+ done
+ if $ac_cache_corrupted; then
+-  { echo "$as_me:$LINENO: error: changes in the environment can compromise the build" >&5
+-echo "$as_me: error: changes in the environment can compromise the build" >&2;}
+-  { { echo "$as_me:$LINENO: error: run \`make distclean' and/or \`rm $cache_file' and start over" >&5
+-echo "$as_me: error: run \`make distclean' and/or \`rm $cache_file' and start over" >&2;}
+-   { (exit 1); exit 1; }; }
+-fi
+-
+-
+-
+-
+-
+-
+-
+-
+-
+-
+-
+-
+-
+-
+-
+-
++  { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
++$as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
++  { $as_echo "$as_me:${as_lineno-$LINENO}: error: changes in the environment can compromise the build" >&5
++$as_echo "$as_me: error: changes in the environment can compromise the build" >&2;}
++  as_fn_error $? "run \`make distclean' and/or \`rm $cache_file' and start over" "$LINENO" 5
++fi
++## -------------------- ##
++## Main body of script. ##
++## -------------------- ##
+ 
+ ac_ext=c
+ ac_cpp='$CPP $CPPFLAGS'
+@@ -1635,6 +1988,9 @@
+ 
+ 
+ 
++eap_tnc_cflags=
++eap_tnc_ldflags=-lnaaeap
++
+ if test x$with_rlm_eap_tnc != xno; then
+ 
+ 	ac_ext=c
+@@ -1645,10 +2001,10 @@
+ if test -n "$ac_tool_prefix"; then
+   # Extract the first word of "${ac_tool_prefix}gcc", so it can be a program name with args.
+ set dummy ${ac_tool_prefix}gcc; ac_word=$2
+-{ echo "$as_me:$LINENO: checking for $ac_word" >&5
+-echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
+-if test "${ac_cv_prog_CC+set}" = set; then
+-  echo $ECHO_N "(cached) $ECHO_C" >&6
++{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
++$as_echo_n "checking for $ac_word... " >&6; }
++if test "${ac_cv_prog_CC+set}" = set; then :
++  $as_echo_n "(cached) " >&6
+ else
+   if test -n "$CC"; then
+   ac_cv_prog_CC="$CC" # Let the user override the test.
+@@ -1658,25 +2014,25 @@
+ do
+   IFS=$as_save_IFS
+   test -z "$as_dir" && as_dir=.
+-  for ac_exec_ext in '' $ac_executable_extensions; do
++    for ac_exec_ext in '' $ac_executable_extensions; do
+   if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+     ac_cv_prog_CC="${ac_tool_prefix}gcc"
+-    echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
++    $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
+     break 2
+   fi
+ done
+-done
++  done
+ IFS=$as_save_IFS
+ 
+ fi
+ fi
+ CC=$ac_cv_prog_CC
+ if test -n "$CC"; then
+-  { echo "$as_me:$LINENO: result: $CC" >&5
+-echo "${ECHO_T}$CC" >&6; }
++  { $as_echo "$as_me:${as_lineno-$LINENO}: result: $CC" >&5
++$as_echo "$CC" >&6; }
+ else
+-  { echo "$as_me:$LINENO: result: no" >&5
+-echo "${ECHO_T}no" >&6; }
++  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
++$as_echo "no" >&6; }
+ fi
+ 
+ 
+@@ -1685,10 +2041,10 @@
+   ac_ct_CC=$CC
+   # Extract the first word of "gcc", so it can be a program name with args.
+ set dummy gcc; ac_word=$2
+-{ echo "$as_me:$LINENO: checking for $ac_word" >&5
+-echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
+-if test "${ac_cv_prog_ac_ct_CC+set}" = set; then
+-  echo $ECHO_N "(cached) $ECHO_C" >&6
++{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
++$as_echo_n "checking for $ac_word... " >&6; }
++if test "${ac_cv_prog_ac_ct_CC+set}" = set; then :
++  $as_echo_n "(cached) " >&6
+ else
+   if test -n "$ac_ct_CC"; then
+   ac_cv_prog_ac_ct_CC="$ac_ct_CC" # Let the user override the test.
+@@ -1698,25 +2054,25 @@
+ do
+   IFS=$as_save_IFS
+   test -z "$as_dir" && as_dir=.
+-  for ac_exec_ext in '' $ac_executable_extensions; do
++    for ac_exec_ext in '' $ac_executable_extensions; do
+   if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+     ac_cv_prog_ac_ct_CC="gcc"
+-    echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
++    $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
+     break 2
+   fi
+ done
+-done
++  done
+ IFS=$as_save_IFS
+ 
+ fi
+ fi
+ ac_ct_CC=$ac_cv_prog_ac_ct_CC
+ if test -n "$ac_ct_CC"; then
+-  { echo "$as_me:$LINENO: result: $ac_ct_CC" >&5
+-echo "${ECHO_T}$ac_ct_CC" >&6; }
++  { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_ct_CC" >&5
++$as_echo "$ac_ct_CC" >&6; }
+ else
+-  { echo "$as_me:$LINENO: result: no" >&5
+-echo "${ECHO_T}no" >&6; }
++  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
++$as_echo "no" >&6; }
+ fi
+ 
+   if test "x$ac_ct_CC" = x; then
+@@ -1724,12 +2080,8 @@
+   else
+     case $cross_compiling:$ac_tool_warned in
+ yes:)
+-{ echo "$as_me:$LINENO: WARNING: In the future, Autoconf will not detect cross-tools
+-whose name does not start with the host triplet.  If you think this
+-configuration is useful to you, please write to autoconf@gnu.org." >&5
+-echo "$as_me: WARNING: In the future, Autoconf will not detect cross-tools
+-whose name does not start with the host triplet.  If you think this
+-configuration is useful to you, please write to autoconf@gnu.org." >&2;}
++{ $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: using cross tools not prefixed with host triplet" >&5
++$as_echo "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;}
+ ac_tool_warned=yes ;;
+ esac
+     CC=$ac_ct_CC
+@@ -1742,10 +2094,10 @@
+           if test -n "$ac_tool_prefix"; then
+     # Extract the first word of "${ac_tool_prefix}cc", so it can be a program name with args.
+ set dummy ${ac_tool_prefix}cc; ac_word=$2
+-{ echo "$as_me:$LINENO: checking for $ac_word" >&5
+-echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
+-if test "${ac_cv_prog_CC+set}" = set; then
+-  echo $ECHO_N "(cached) $ECHO_C" >&6
++{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
++$as_echo_n "checking for $ac_word... " >&6; }
++if test "${ac_cv_prog_CC+set}" = set; then :
++  $as_echo_n "(cached) " >&6
+ else
+   if test -n "$CC"; then
+   ac_cv_prog_CC="$CC" # Let the user override the test.
+@@ -1755,25 +2107,25 @@
+ do
+   IFS=$as_save_IFS
+   test -z "$as_dir" && as_dir=.
+-  for ac_exec_ext in '' $ac_executable_extensions; do
++    for ac_exec_ext in '' $ac_executable_extensions; do
+   if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+     ac_cv_prog_CC="${ac_tool_prefix}cc"
+-    echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
++    $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
+     break 2
+   fi
+ done
+-done
++  done
+ IFS=$as_save_IFS
+ 
+ fi
+ fi
+ CC=$ac_cv_prog_CC
+ if test -n "$CC"; then
+-  { echo "$as_me:$LINENO: result: $CC" >&5
+-echo "${ECHO_T}$CC" >&6; }
++  { $as_echo "$as_me:${as_lineno-$LINENO}: result: $CC" >&5
++$as_echo "$CC" >&6; }
+ else
+-  { echo "$as_me:$LINENO: result: no" >&5
+-echo "${ECHO_T}no" >&6; }
++  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
++$as_echo "no" >&6; }
+ fi
+ 
+ 
+@@ -1782,10 +2134,10 @@
+ if test -z "$CC"; then
+   # Extract the first word of "cc", so it can be a program name with args.
+ set dummy cc; ac_word=$2
+-{ echo "$as_me:$LINENO: checking for $ac_word" >&5
+-echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
+-if test "${ac_cv_prog_CC+set}" = set; then
+-  echo $ECHO_N "(cached) $ECHO_C" >&6
++{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
++$as_echo_n "checking for $ac_word... " >&6; }
++if test "${ac_cv_prog_CC+set}" = set; then :
++  $as_echo_n "(cached) " >&6
+ else
+   if test -n "$CC"; then
+   ac_cv_prog_CC="$CC" # Let the user override the test.
+@@ -1796,18 +2148,18 @@
+ do
+   IFS=$as_save_IFS
+   test -z "$as_dir" && as_dir=.
+-  for ac_exec_ext in '' $ac_executable_extensions; do
++    for ac_exec_ext in '' $ac_executable_extensions; do
+   if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+     if test "$as_dir/$ac_word$ac_exec_ext" = "/usr/ucb/cc"; then
+        ac_prog_rejected=yes
+        continue
+      fi
+     ac_cv_prog_CC="cc"
+-    echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
++    $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
+     break 2
+   fi
+ done
+-done
++  done
+ IFS=$as_save_IFS
+ 
+ if test $ac_prog_rejected = yes; then
+@@ -1826,11 +2178,11 @@
+ fi
+ CC=$ac_cv_prog_CC
+ if test -n "$CC"; then
+-  { echo "$as_me:$LINENO: result: $CC" >&5
+-echo "${ECHO_T}$CC" >&6; }
++  { $as_echo "$as_me:${as_lineno-$LINENO}: result: $CC" >&5
++$as_echo "$CC" >&6; }
+ else
+-  { echo "$as_me:$LINENO: result: no" >&5
+-echo "${ECHO_T}no" >&6; }
++  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
++$as_echo "no" >&6; }
+ fi
+ 
+ 
+@@ -1841,10 +2193,10 @@
+   do
+     # Extract the first word of "$ac_tool_prefix$ac_prog", so it can be a program name with args.
+ set dummy $ac_tool_prefix$ac_prog; ac_word=$2
+-{ echo "$as_me:$LINENO: checking for $ac_word" >&5
+-echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
+-if test "${ac_cv_prog_CC+set}" = set; then
+-  echo $ECHO_N "(cached) $ECHO_C" >&6
++{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
++$as_echo_n "checking for $ac_word... " >&6; }
++if test "${ac_cv_prog_CC+set}" = set; then :
++  $as_echo_n "(cached) " >&6
+ else
+   if test -n "$CC"; then
+   ac_cv_prog_CC="$CC" # Let the user override the test.
+@@ -1854,25 +2206,25 @@
+ do
+   IFS=$as_save_IFS
+   test -z "$as_dir" && as_dir=.
+-  for ac_exec_ext in '' $ac_executable_extensions; do
++    for ac_exec_ext in '' $ac_executable_extensions; do
+   if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+     ac_cv_prog_CC="$ac_tool_prefix$ac_prog"
+-    echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
++    $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
+     break 2
+   fi
+ done
+-done
++  done
+ IFS=$as_save_IFS
+ 
+ fi
+ fi
+ CC=$ac_cv_prog_CC
+ if test -n "$CC"; then
+-  { echo "$as_me:$LINENO: result: $CC" >&5
+-echo "${ECHO_T}$CC" >&6; }
++  { $as_echo "$as_me:${as_lineno-$LINENO}: result: $CC" >&5
++$as_echo "$CC" >&6; }
+ else
+-  { echo "$as_me:$LINENO: result: no" >&5
+-echo "${ECHO_T}no" >&6; }
++  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
++$as_echo "no" >&6; }
+ fi
+ 
+ 
+@@ -1885,10 +2237,10 @@
+ do
+   # Extract the first word of "$ac_prog", so it can be a program name with args.
+ set dummy $ac_prog; ac_word=$2
+-{ echo "$as_me:$LINENO: checking for $ac_word" >&5
+-echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
+-if test "${ac_cv_prog_ac_ct_CC+set}" = set; then
+-  echo $ECHO_N "(cached) $ECHO_C" >&6
++{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
++$as_echo_n "checking for $ac_word... " >&6; }
++if test "${ac_cv_prog_ac_ct_CC+set}" = set; then :
++  $as_echo_n "(cached) " >&6
+ else
+   if test -n "$ac_ct_CC"; then
+   ac_cv_prog_ac_ct_CC="$ac_ct_CC" # Let the user override the test.
+@@ -1898,25 +2250,25 @@
+ do
+   IFS=$as_save_IFS
+   test -z "$as_dir" && as_dir=.
+-  for ac_exec_ext in '' $ac_executable_extensions; do
++    for ac_exec_ext in '' $ac_executable_extensions; do
+   if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+     ac_cv_prog_ac_ct_CC="$ac_prog"
+-    echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
++    $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
+     break 2
+   fi
+ done
+-done
++  done
+ IFS=$as_save_IFS
+ 
+ fi
+ fi
+ ac_ct_CC=$ac_cv_prog_ac_ct_CC
+ if test -n "$ac_ct_CC"; then
+-  { echo "$as_me:$LINENO: result: $ac_ct_CC" >&5
+-echo "${ECHO_T}$ac_ct_CC" >&6; }
++  { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_ct_CC" >&5
++$as_echo "$ac_ct_CC" >&6; }
+ else
+-  { echo "$as_me:$LINENO: result: no" >&5
+-echo "${ECHO_T}no" >&6; }
++  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
++$as_echo "no" >&6; }
+ fi
+ 
+ 
+@@ -1928,12 +2280,8 @@
+   else
+     case $cross_compiling:$ac_tool_warned in
+ yes:)
+-{ echo "$as_me:$LINENO: WARNING: In the future, Autoconf will not detect cross-tools
+-whose name does not start with the host triplet.  If you think this
+-configuration is useful to you, please write to autoconf@gnu.org." >&5
+-echo "$as_me: WARNING: In the future, Autoconf will not detect cross-tools
+-whose name does not start with the host triplet.  If you think this
+-configuration is useful to you, please write to autoconf@gnu.org." >&2;}
++{ $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: using cross tools not prefixed with host triplet" >&5
++$as_echo "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;}
+ ac_tool_warned=yes ;;
+ esac
+     CC=$ac_ct_CC
+@@ -1943,51 +2291,37 @@
+ fi
+ 
+ 
+-test -z "$CC" && { { echo "$as_me:$LINENO: error: no acceptable C compiler found in \$PATH
+-See \`config.log' for more details." >&5
+-echo "$as_me: error: no acceptable C compiler found in \$PATH
+-See \`config.log' for more details." >&2;}
+-   { (exit 1); exit 1; }; }
++test -z "$CC" && { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
++$as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
++as_fn_error $? "no acceptable C compiler found in \$PATH
++See \`config.log' for more details" "$LINENO" 5 ; }
+ 
+ # Provide some information about the compiler.
+-echo "$as_me:$LINENO: checking for C compiler version" >&5
+-ac_compiler=`set X $ac_compile; echo $2`
+-{ (ac_try="$ac_compiler --version >&5"
+-case "(($ac_try" in
+-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+-  *) ac_try_echo=$ac_try;;
+-esac
+-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+-  (eval "$ac_compiler --version >&5") 2>&5
+-  ac_status=$?
+-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+-  (exit $ac_status); }
+-{ (ac_try="$ac_compiler -v >&5"
+-case "(($ac_try" in
+-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+-  *) ac_try_echo=$ac_try;;
+-esac
+-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+-  (eval "$ac_compiler -v >&5") 2>&5
+-  ac_status=$?
+-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+-  (exit $ac_status); }
+-{ (ac_try="$ac_compiler -V >&5"
++$as_echo "$as_me:${as_lineno-$LINENO}: checking for C compiler version" >&5
++set X $ac_compile
++ac_compiler=$2
++for ac_option in --version -v -V -qversion; do
++  { { ac_try="$ac_compiler $ac_option >&5"
+ case "(($ac_try" in
+   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+   *) ac_try_echo=$ac_try;;
+ esac
+-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+-  (eval "$ac_compiler -V >&5") 2>&5
++eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\""
++$as_echo "$ac_try_echo"; } >&5
++  (eval "$ac_compiler $ac_option >&5") 2>conftest.err
+   ac_status=$?
+-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+-  (exit $ac_status); }
++  if test -s conftest.err; then
++    sed '10a\
++... rest of stderr output deleted ...
++         10q' conftest.err >conftest.er1
++    cat conftest.er1 >&5
++  fi
++  rm -f conftest.er1 conftest.err
++  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
++  test $ac_status = 0; }
++done
+ 
+-cat >conftest.$ac_ext <<_ACEOF
+-/* confdefs.h.  */
+-_ACEOF
+-cat confdefs.h >>conftest.$ac_ext
+-cat >>conftest.$ac_ext <<_ACEOF
++cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+ /* end confdefs.h.  */
+ 
+ int
+@@ -1999,42 +2333,38 @@
+ }
+ _ACEOF
+ ac_clean_files_save=$ac_clean_files
+-ac_clean_files="$ac_clean_files a.out a.exe b.out"
++ac_clean_files="$ac_clean_files a.out a.out.dSYM a.exe b.out"
+ # Try to create an executable without -o first, disregard a.out.
+ # It will help us diagnose broken compilers, and finding out an intuition
+ # of exeext.
+-{ echo "$as_me:$LINENO: checking for C compiler default output file name" >&5
+-echo $ECHO_N "checking for C compiler default output file name... $ECHO_C" >&6; }
+-ac_link_default=`echo "$ac_link" | sed 's/ -o *conftest[^ ]*//'`
+-#
+-# List of possible output files, starting from the most likely.
+-# The algorithm is not robust to junk in `.', hence go to wildcards (a.*)
+-# only as a last resort.  b.out is created by i960 compilers.
+-ac_files='a_out.exe a.exe conftest.exe a.out conftest a.* conftest.* b.out'
+-#
+-# The IRIX 6 linker writes into existing files which may not be
+-# executable, retaining their permissions.  Remove them first so a
+-# subsequent execution test works.
++{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether the C compiler works" >&5
++$as_echo_n "checking whether the C compiler works... " >&6; }
++ac_link_default=`$as_echo "$ac_link" | sed 's/ -o *conftest[^ ]*//'`
++
++# The possible output files:
++ac_files="a.out conftest.exe conftest a.exe a_out.exe b.out conftest.*"
++
+ ac_rmfiles=
+ for ac_file in $ac_files
+ do
+   case $ac_file in
+-    *.$ac_ext | *.xcoff | *.tds | *.d | *.pdb | *.xSYM | *.bb | *.bbg | *.map | *.inf | *.o | *.obj ) ;;
++    *.$ac_ext | *.xcoff | *.tds | *.d | *.pdb | *.xSYM | *.bb | *.bbg | *.map | *.inf | *.dSYM | *.o | *.obj ) ;;
+     * ) ac_rmfiles="$ac_rmfiles $ac_file";;
+   esac
+ done
+ rm -f $ac_rmfiles
+ 
+-if { (ac_try="$ac_link_default"
++if { { ac_try="$ac_link_default"
+ case "(($ac_try" in
+   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+   *) ac_try_echo=$ac_try;;
+ esac
+-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
++eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\""
++$as_echo "$ac_try_echo"; } >&5
+   (eval "$ac_link_default") 2>&5
+   ac_status=$?
+-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+-  (exit $ac_status); }; then
++  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
++  test $ac_status = 0; }; then :
+   # Autoconf-2.13 could set the ac_cv_exeext variable to `no'.
+ # So ignore a value of `no', otherwise this would lead to `EXEEXT = no'
+ # in a Makefile.  We should not override ac_cv_exeext if it was cached,
+@@ -2044,14 +2374,14 @@
+ do
+   test -f "$ac_file" || continue
+   case $ac_file in
+-    *.$ac_ext | *.xcoff | *.tds | *.d | *.pdb | *.xSYM | *.bb | *.bbg | *.map | *.inf | *.o | *.obj )
++    *.$ac_ext | *.xcoff | *.tds | *.d | *.pdb | *.xSYM | *.bb | *.bbg | *.map | *.inf | *.dSYM | *.o | *.obj )
+ 	;;
+     [ab].out )
+ 	# We found the default executable, but exeext='' is most
+ 	# certainly right.
+ 	break;;
+     *.* )
+-        if test "${ac_cv_exeext+set}" = set && test "$ac_cv_exeext" != no;
++	if test "${ac_cv_exeext+set}" = set && test "$ac_cv_exeext" != no;
+ 	then :; else
+ 	   ac_cv_exeext=`expr "$ac_file" : '[^.]*\(\..*\)'`
+ 	fi
+@@ -2070,116 +2400,132 @@
+ else
+   ac_file=''
+ fi
+-
+-{ echo "$as_me:$LINENO: result: $ac_file" >&5
+-echo "${ECHO_T}$ac_file" >&6; }
+-if test -z "$ac_file"; then
+-  echo "$as_me: failed program was:" >&5
++if test -z "$ac_file"; then :
++  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
++$as_echo "no" >&6; }
++$as_echo "$as_me: failed program was:" >&5
+ sed 's/^/| /' conftest.$ac_ext >&5
+ 
+-{ { echo "$as_me:$LINENO: error: C compiler cannot create executables
+-See \`config.log' for more details." >&5
+-echo "$as_me: error: C compiler cannot create executables
+-See \`config.log' for more details." >&2;}
+-   { (exit 77); exit 77; }; }
+-fi
+-
++{ { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
++$as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
++as_fn_error 77 "C compiler cannot create executables
++See \`config.log' for more details" "$LINENO" 5 ; }
++else
++  { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
++$as_echo "yes" >&6; }
++fi
++{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for C compiler default output file name" >&5
++$as_echo_n "checking for C compiler default output file name... " >&6; }
++{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_file" >&5
++$as_echo "$ac_file" >&6; }
+ ac_exeext=$ac_cv_exeext
+ 
++rm -f -r a.out a.out.dSYM a.exe conftest$ac_cv_exeext b.out
++ac_clean_files=$ac_clean_files_save
++{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for suffix of executables" >&5
++$as_echo_n "checking for suffix of executables... " >&6; }
++if { { ac_try="$ac_link"
++case "(($ac_try" in
++  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
++  *) ac_try_echo=$ac_try;;
++esac
++eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\""
++$as_echo "$ac_try_echo"; } >&5
++  (eval "$ac_link") 2>&5
++  ac_status=$?
++  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
++  test $ac_status = 0; }; then :
++  # If both `conftest.exe' and `conftest' are `present' (well, observable)
++# catch `conftest.exe'.  For instance with Cygwin, `ls conftest' will
++# work properly (i.e., refer to `conftest.exe'), while it won't with
++# `rm'.
++for ac_file in conftest.exe conftest conftest.*; do
++  test -f "$ac_file" || continue
++  case $ac_file in
++    *.$ac_ext | *.xcoff | *.tds | *.d | *.pdb | *.xSYM | *.bb | *.bbg | *.map | *.inf | *.dSYM | *.o | *.obj ) ;;
++    *.* ) ac_cv_exeext=`expr "$ac_file" : '[^.]*\(\..*\)'`
++	  break;;
++    * ) break;;
++  esac
++done
++else
++  { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
++$as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
++as_fn_error $? "cannot compute suffix of executables: cannot compile and link
++See \`config.log' for more details" "$LINENO" 5 ; }
++fi
++rm -f conftest conftest$ac_cv_exeext
++{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_exeext" >&5
++$as_echo "$ac_cv_exeext" >&6; }
++
++rm -f conftest.$ac_ext
++EXEEXT=$ac_cv_exeext
++ac_exeext=$EXEEXT
++cat confdefs.h - <<_ACEOF >conftest.$ac_ext
++/* end confdefs.h.  */
++#include <stdio.h>
++int
++main ()
++{
++FILE *f = fopen ("conftest.out", "w");
++ return ferror (f) || fclose (f) != 0;
++
++  ;
++  return 0;
++}
++_ACEOF
++ac_clean_files="$ac_clean_files conftest.out"
+ # Check that the compiler produces executables we can run.  If not, either
+ # the compiler is broken, or we cross compile.
+-{ echo "$as_me:$LINENO: checking whether the C compiler works" >&5
+-echo $ECHO_N "checking whether the C compiler works... $ECHO_C" >&6; }
+-# FIXME: These cross compiler hacks should be removed for Autoconf 3.0
+-# If not cross compiling, check that we can run a simple program.
++{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether we are cross compiling" >&5
++$as_echo_n "checking whether we are cross compiling... " >&6; }
+ if test "$cross_compiling" != yes; then
+-  if { ac_try='./$ac_file'
+-  { (case "(($ac_try" in
++  { { ac_try="$ac_link"
++case "(($ac_try" in
++  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
++  *) ac_try_echo=$ac_try;;
++esac
++eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\""
++$as_echo "$ac_try_echo"; } >&5
++  (eval "$ac_link") 2>&5
++  ac_status=$?
++  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
++  test $ac_status = 0; }
++  if { ac_try='./conftest$ac_cv_exeext'
++  { { case "(($ac_try" in
+   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+   *) ac_try_echo=$ac_try;;
+ esac
+-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
++eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\""
++$as_echo "$ac_try_echo"; } >&5
+   (eval "$ac_try") 2>&5
+   ac_status=$?
+-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+-  (exit $ac_status); }; }; then
++  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
++  test $ac_status = 0; }; }; then
+     cross_compiling=no
+   else
+     if test "$cross_compiling" = maybe; then
+ 	cross_compiling=yes
+     else
+-	{ { echo "$as_me:$LINENO: error: cannot run C compiled programs.
+-If you meant to cross compile, use \`--host'.
+-See \`config.log' for more details." >&5
+-echo "$as_me: error: cannot run C compiled programs.
++	{ { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
++$as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
++as_fn_error $? "cannot run C compiled programs.
+ If you meant to cross compile, use \`--host'.
+-See \`config.log' for more details." >&2;}
+-   { (exit 1); exit 1; }; }
++See \`config.log' for more details" "$LINENO" 5 ; }
+     fi
+   fi
+ fi
+-{ echo "$as_me:$LINENO: result: yes" >&5
+-echo "${ECHO_T}yes" >&6; }
++{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $cross_compiling" >&5
++$as_echo "$cross_compiling" >&6; }
+ 
+-rm -f a.out a.exe conftest$ac_cv_exeext b.out
++rm -f conftest.$ac_ext conftest$ac_cv_exeext conftest.out
+ ac_clean_files=$ac_clean_files_save
+-# Check that the compiler produces executables we can run.  If not, either
+-# the compiler is broken, or we cross compile.
+-{ echo "$as_me:$LINENO: checking whether we are cross compiling" >&5
+-echo $ECHO_N "checking whether we are cross compiling... $ECHO_C" >&6; }
+-{ echo "$as_me:$LINENO: result: $cross_compiling" >&5
+-echo "${ECHO_T}$cross_compiling" >&6; }
+-
+-{ echo "$as_me:$LINENO: checking for suffix of executables" >&5
+-echo $ECHO_N "checking for suffix of executables... $ECHO_C" >&6; }
+-if { (ac_try="$ac_link"
+-case "(($ac_try" in
+-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+-  *) ac_try_echo=$ac_try;;
+-esac
+-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+-  (eval "$ac_link") 2>&5
+-  ac_status=$?
+-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+-  (exit $ac_status); }; then
+-  # If both `conftest.exe' and `conftest' are `present' (well, observable)
+-# catch `conftest.exe'.  For instance with Cygwin, `ls conftest' will
+-# work properly (i.e., refer to `conftest.exe'), while it won't with
+-# `rm'.
+-for ac_file in conftest.exe conftest conftest.*; do
+-  test -f "$ac_file" || continue
+-  case $ac_file in
+-    *.$ac_ext | *.xcoff | *.tds | *.d | *.pdb | *.xSYM | *.bb | *.bbg | *.map | *.inf | *.o | *.obj ) ;;
+-    *.* ) ac_cv_exeext=`expr "$ac_file" : '[^.]*\(\..*\)'`
+-	  break;;
+-    * ) break;;
+-  esac
+-done
++{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for suffix of object files" >&5
++$as_echo_n "checking for suffix of object files... " >&6; }
++if test "${ac_cv_objext+set}" = set; then :
++  $as_echo_n "(cached) " >&6
+ else
+-  { { echo "$as_me:$LINENO: error: cannot compute suffix of executables: cannot compile and link
+-See \`config.log' for more details." >&5
+-echo "$as_me: error: cannot compute suffix of executables: cannot compile and link
+-See \`config.log' for more details." >&2;}
+-   { (exit 1); exit 1; }; }
+-fi
+-
+-rm -f conftest$ac_cv_exeext
+-{ echo "$as_me:$LINENO: result: $ac_cv_exeext" >&5
+-echo "${ECHO_T}$ac_cv_exeext" >&6; }
+-
+-rm -f conftest.$ac_ext
+-EXEEXT=$ac_cv_exeext
+-ac_exeext=$EXEEXT
+-{ echo "$as_me:$LINENO: checking for suffix of object files" >&5
+-echo $ECHO_N "checking for suffix of object files... $ECHO_C" >&6; }
+-if test "${ac_cv_objext+set}" = set; then
+-  echo $ECHO_N "(cached) $ECHO_C" >&6
+-else
+-  cat >conftest.$ac_ext <<_ACEOF
+-/* confdefs.h.  */
+-_ACEOF
+-cat confdefs.h >>conftest.$ac_ext
+-cat >>conftest.$ac_ext <<_ACEOF
++  cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+ /* end confdefs.h.  */
+ 
+ int
+@@ -2191,51 +2537,46 @@
+ }
+ _ACEOF
+ rm -f conftest.o conftest.obj
+-if { (ac_try="$ac_compile"
++if { { ac_try="$ac_compile"
+ case "(($ac_try" in
+   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+   *) ac_try_echo=$ac_try;;
+ esac
+-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
++eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\""
++$as_echo "$ac_try_echo"; } >&5
+   (eval "$ac_compile") 2>&5
+   ac_status=$?
+-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+-  (exit $ac_status); }; then
++  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
++  test $ac_status = 0; }; then :
+   for ac_file in conftest.o conftest.obj conftest.*; do
+   test -f "$ac_file" || continue;
+   case $ac_file in
+-    *.$ac_ext | *.xcoff | *.tds | *.d | *.pdb | *.xSYM | *.bb | *.bbg | *.map | *.inf ) ;;
++    *.$ac_ext | *.xcoff | *.tds | *.d | *.pdb | *.xSYM | *.bb | *.bbg | *.map | *.inf | *.dSYM ) ;;
+     *) ac_cv_objext=`expr "$ac_file" : '.*\.\(.*\)'`
+        break;;
+   esac
+ done
+ else
+-  echo "$as_me: failed program was:" >&5
++  $as_echo "$as_me: failed program was:" >&5
+ sed 's/^/| /' conftest.$ac_ext >&5
+ 
+-{ { echo "$as_me:$LINENO: error: cannot compute suffix of object files: cannot compile
+-See \`config.log' for more details." >&5
+-echo "$as_me: error: cannot compute suffix of object files: cannot compile
+-See \`config.log' for more details." >&2;}
+-   { (exit 1); exit 1; }; }
++{ { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
++$as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
++as_fn_error $? "cannot compute suffix of object files: cannot compile
++See \`config.log' for more details" "$LINENO" 5 ; }
+ fi
+-
+ rm -f conftest.$ac_cv_objext conftest.$ac_ext
+ fi
+-{ echo "$as_me:$LINENO: result: $ac_cv_objext" >&5
+-echo "${ECHO_T}$ac_cv_objext" >&6; }
++{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_objext" >&5
++$as_echo "$ac_cv_objext" >&6; }
+ OBJEXT=$ac_cv_objext
+ ac_objext=$OBJEXT
+-{ echo "$as_me:$LINENO: checking whether we are using the GNU C compiler" >&5
+-echo $ECHO_N "checking whether we are using the GNU C compiler... $ECHO_C" >&6; }
+-if test "${ac_cv_c_compiler_gnu+set}" = set; then
+-  echo $ECHO_N "(cached) $ECHO_C" >&6
++{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether we are using the GNU C compiler" >&5
++$as_echo_n "checking whether we are using the GNU C compiler... " >&6; }
++if test "${ac_cv_c_compiler_gnu+set}" = set; then :
++  $as_echo_n "(cached) " >&6
+ else
+-  cat >conftest.$ac_ext <<_ACEOF
+-/* confdefs.h.  */
+-_ACEOF
+-cat confdefs.h >>conftest.$ac_ext
+-cat >>conftest.$ac_ext <<_ACEOF
++  cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+ /* end confdefs.h.  */
+ 
+ int
+@@ -2249,54 +2590,34 @@
+   return 0;
+ }
+ _ACEOF
+-rm -f conftest.$ac_objext
+-if { (ac_try="$ac_compile"
+-case "(($ac_try" in
+-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+-  *) ac_try_echo=$ac_try;;
+-esac
+-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+-  (eval "$ac_compile") 2>conftest.er1
+-  ac_status=$?
+-  grep -v '^ *+' conftest.er1 >conftest.err
+-  rm -f conftest.er1
+-  cat conftest.err >&5
+-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+-  (exit $ac_status); } && {
+-	 test -z "$ac_c_werror_flag" ||
+-	 test ! -s conftest.err
+-       } && test -s conftest.$ac_objext; then
++if ac_fn_c_try_compile "$LINENO"; then :
+   ac_compiler_gnu=yes
+ else
+-  echo "$as_me: failed program was:" >&5
+-sed 's/^/| /' conftest.$ac_ext >&5
+-
+-	ac_compiler_gnu=no
++  ac_compiler_gnu=no
+ fi
+-
+ rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+ ac_cv_c_compiler_gnu=$ac_compiler_gnu
+ 
+ fi
+-{ echo "$as_me:$LINENO: result: $ac_cv_c_compiler_gnu" >&5
+-echo "${ECHO_T}$ac_cv_c_compiler_gnu" >&6; }
+-GCC=`test $ac_compiler_gnu = yes && echo yes`
++{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_c_compiler_gnu" >&5
++$as_echo "$ac_cv_c_compiler_gnu" >&6; }
++if test $ac_compiler_gnu = yes; then
++  GCC=yes
++else
++  GCC=
++fi
+ ac_test_CFLAGS=${CFLAGS+set}
+ ac_save_CFLAGS=$CFLAGS
+-{ echo "$as_me:$LINENO: checking whether $CC accepts -g" >&5
+-echo $ECHO_N "checking whether $CC accepts -g... $ECHO_C" >&6; }
+-if test "${ac_cv_prog_cc_g+set}" = set; then
+-  echo $ECHO_N "(cached) $ECHO_C" >&6
++{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether $CC accepts -g" >&5
++$as_echo_n "checking whether $CC accepts -g... " >&6; }
++if test "${ac_cv_prog_cc_g+set}" = set; then :
++  $as_echo_n "(cached) " >&6
+ else
+   ac_save_c_werror_flag=$ac_c_werror_flag
+    ac_c_werror_flag=yes
+    ac_cv_prog_cc_g=no
+    CFLAGS="-g"
+-   cat >conftest.$ac_ext <<_ACEOF
+-/* confdefs.h.  */
+-_ACEOF
+-cat confdefs.h >>conftest.$ac_ext
+-cat >>conftest.$ac_ext <<_ACEOF
++   cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+ /* end confdefs.h.  */
+ 
+ int
+@@ -2307,34 +2628,11 @@
+   return 0;
+ }
+ _ACEOF
+-rm -f conftest.$ac_objext
+-if { (ac_try="$ac_compile"
+-case "(($ac_try" in
+-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+-  *) ac_try_echo=$ac_try;;
+-esac
+-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+-  (eval "$ac_compile") 2>conftest.er1
+-  ac_status=$?
+-  grep -v '^ *+' conftest.er1 >conftest.err
+-  rm -f conftest.er1
+-  cat conftest.err >&5
+-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+-  (exit $ac_status); } && {
+-	 test -z "$ac_c_werror_flag" ||
+-	 test ! -s conftest.err
+-       } && test -s conftest.$ac_objext; then
++if ac_fn_c_try_compile "$LINENO"; then :
+   ac_cv_prog_cc_g=yes
+ else
+-  echo "$as_me: failed program was:" >&5
+-sed 's/^/| /' conftest.$ac_ext >&5
+-
+-	CFLAGS=""
+-      cat >conftest.$ac_ext <<_ACEOF
+-/* confdefs.h.  */
+-_ACEOF
+-cat confdefs.h >>conftest.$ac_ext
+-cat >>conftest.$ac_ext <<_ACEOF
++  CFLAGS=""
++      cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+ /* end confdefs.h.  */
+ 
+ int
+@@ -2345,35 +2643,12 @@
+   return 0;
+ }
+ _ACEOF
+-rm -f conftest.$ac_objext
+-if { (ac_try="$ac_compile"
+-case "(($ac_try" in
+-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+-  *) ac_try_echo=$ac_try;;
+-esac
+-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+-  (eval "$ac_compile") 2>conftest.er1
+-  ac_status=$?
+-  grep -v '^ *+' conftest.er1 >conftest.err
+-  rm -f conftest.er1
+-  cat conftest.err >&5
+-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+-  (exit $ac_status); } && {
+-	 test -z "$ac_c_werror_flag" ||
+-	 test ! -s conftest.err
+-       } && test -s conftest.$ac_objext; then
+-  :
+-else
+-  echo "$as_me: failed program was:" >&5
+-sed 's/^/| /' conftest.$ac_ext >&5
++if ac_fn_c_try_compile "$LINENO"; then :
+ 
+-	ac_c_werror_flag=$ac_save_c_werror_flag
++else
++  ac_c_werror_flag=$ac_save_c_werror_flag
+ 	 CFLAGS="-g"
+-	 cat >conftest.$ac_ext <<_ACEOF
+-/* confdefs.h.  */
+-_ACEOF
+-cat confdefs.h >>conftest.$ac_ext
+-cat >>conftest.$ac_ext <<_ACEOF
++	 cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+ /* end confdefs.h.  */
+ 
+ int
+@@ -2384,42 +2659,18 @@
+   return 0;
+ }
+ _ACEOF
+-rm -f conftest.$ac_objext
+-if { (ac_try="$ac_compile"
+-case "(($ac_try" in
+-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+-  *) ac_try_echo=$ac_try;;
+-esac
+-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+-  (eval "$ac_compile") 2>conftest.er1
+-  ac_status=$?
+-  grep -v '^ *+' conftest.er1 >conftest.err
+-  rm -f conftest.er1
+-  cat conftest.err >&5
+-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+-  (exit $ac_status); } && {
+-	 test -z "$ac_c_werror_flag" ||
+-	 test ! -s conftest.err
+-       } && test -s conftest.$ac_objext; then
++if ac_fn_c_try_compile "$LINENO"; then :
+   ac_cv_prog_cc_g=yes
+-else
+-  echo "$as_me: failed program was:" >&5
+-sed 's/^/| /' conftest.$ac_ext >&5
+-
+-
+ fi
+-
+ rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+ fi
+-
+ rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+ fi
+-
+ rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+    ac_c_werror_flag=$ac_save_c_werror_flag
+ fi
+-{ echo "$as_me:$LINENO: result: $ac_cv_prog_cc_g" >&5
+-echo "${ECHO_T}$ac_cv_prog_cc_g" >&6; }
++{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_prog_cc_g" >&5
++$as_echo "$ac_cv_prog_cc_g" >&6; }
+ if test "$ac_test_CFLAGS" = set; then
+   CFLAGS=$ac_save_CFLAGS
+ elif test $ac_cv_prog_cc_g = yes; then
+@@ -2435,18 +2686,14 @@
+     CFLAGS=
+   fi
+ fi
+-{ echo "$as_me:$LINENO: checking for $CC option to accept ISO C89" >&5
+-echo $ECHO_N "checking for $CC option to accept ISO C89... $ECHO_C" >&6; }
+-if test "${ac_cv_prog_cc_c89+set}" = set; then
+-  echo $ECHO_N "(cached) $ECHO_C" >&6
++{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $CC option to accept ISO C89" >&5
++$as_echo_n "checking for $CC option to accept ISO C89... " >&6; }
++if test "${ac_cv_prog_cc_c89+set}" = set; then :
++  $as_echo_n "(cached) " >&6
+ else
+   ac_cv_prog_cc_c89=no
+ ac_save_CC=$CC
+-cat >conftest.$ac_ext <<_ACEOF
+-/* confdefs.h.  */
+-_ACEOF
+-cat confdefs.h >>conftest.$ac_ext
+-cat >>conftest.$ac_ext <<_ACEOF
++cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+ /* end confdefs.h.  */
+ #include <stdarg.h>
+ #include <stdio.h>
+@@ -2503,31 +2750,9 @@
+ 	-Ae "-Aa -D_HPUX_SOURCE" "-Xc -D__EXTENSIONS__"
+ do
+   CC="$ac_save_CC $ac_arg"
+-  rm -f conftest.$ac_objext
+-if { (ac_try="$ac_compile"
+-case "(($ac_try" in
+-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+-  *) ac_try_echo=$ac_try;;
+-esac
+-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+-  (eval "$ac_compile") 2>conftest.er1
+-  ac_status=$?
+-  grep -v '^ *+' conftest.er1 >conftest.err
+-  rm -f conftest.er1
+-  cat conftest.err >&5
+-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+-  (exit $ac_status); } && {
+-	 test -z "$ac_c_werror_flag" ||
+-	 test ! -s conftest.err
+-       } && test -s conftest.$ac_objext; then
++  if ac_fn_c_try_compile "$LINENO"; then :
+   ac_cv_prog_cc_c89=$ac_arg
+-else
+-  echo "$as_me: failed program was:" >&5
+-sed 's/^/| /' conftest.$ac_ext >&5
+-
+-
+ fi
+-
+ rm -f core conftest.err conftest.$ac_objext
+   test "x$ac_cv_prog_cc_c89" != "xno" && break
+ done
+@@ -2538,17 +2763,19 @@
+ # AC_CACHE_VAL
+ case "x$ac_cv_prog_cc_c89" in
+   x)
+-    { echo "$as_me:$LINENO: result: none needed" >&5
+-echo "${ECHO_T}none needed" >&6; } ;;
++    { $as_echo "$as_me:${as_lineno-$LINENO}: result: none needed" >&5
++$as_echo "none needed" >&6; } ;;
+   xno)
+-    { echo "$as_me:$LINENO: result: unsupported" >&5
+-echo "${ECHO_T}unsupported" >&6; } ;;
++    { $as_echo "$as_me:${as_lineno-$LINENO}: result: unsupported" >&5
++$as_echo "unsupported" >&6; } ;;
+   *)
+     CC="$CC $ac_cv_prog_cc_c89"
+-    { echo "$as_me:$LINENO: result: $ac_cv_prog_cc_c89" >&5
+-echo "${ECHO_T}$ac_cv_prog_cc_c89" >&6; } ;;
++    { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_prog_cc_c89" >&5
++$as_echo "$ac_cv_prog_cc_c89" >&6; } ;;
+ esac
++if test "x$ac_cv_prog_cc_c89" != xno; then :
+ 
++fi
+ 
+ ac_ext=c
+ ac_cpp='$CPP $CPPFLAGS'
+@@ -2557,81 +2784,474 @@
+ ac_compiler_gnu=$ac_cv_c_compiler_gnu
+ 
+ 
+-
+-{ echo "$as_me:$LINENO: checking for exchangeTNCCSMessages in -lTNCS" >&5
+-echo $ECHO_N "checking for exchangeTNCCSMessages in -lTNCS... $ECHO_C" >&6; }
+-if test "${ac_cv_lib_TNCS_exchangeTNCCSMessages+set}" = set; then
+-  echo $ECHO_N "(cached) $ECHO_C" >&6
++{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for processEAPTNCData in -lnaaeap" >&5
++$as_echo_n "checking for processEAPTNCData in -lnaaeap... " >&6; }
++if test "${ac_cv_lib_naaeap_processEAPTNCData+set}" = set; then :
++  $as_echo_n "(cached) " >&6
+ else
+   ac_check_lib_save_LIBS=$LIBS
+-LIBS="-lTNCS  $LIBS"
+-cat >conftest.$ac_ext <<_ACEOF
+-/* confdefs.h.  */
++LIBS="-lnaaeap  $LIBS"
++cat confdefs.h - <<_ACEOF >conftest.$ac_ext
++/* end confdefs.h.  */
++
++/* Override any GCC internal prototype to avoid an error.
++   Use char because int might match the return type of a GCC
++   builtin and then its argument prototype would still apply.  */
++#ifdef __cplusplus
++extern "C"
++#endif
++char processEAPTNCData ();
++int
++main ()
++{
++return processEAPTNCData ();
++  ;
++  return 0;
++}
++_ACEOF
++if ac_fn_c_try_link "$LINENO"; then :
++  ac_cv_lib_naaeap_processEAPTNCData=yes
++else
++  ac_cv_lib_naaeap_processEAPTNCData=no
++fi
++rm -f core conftest.err conftest.$ac_objext \
++    conftest$ac_exeext conftest.$ac_ext
++LIBS=$ac_check_lib_save_LIBS
++fi
++{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_naaeap_processEAPTNCData" >&5
++$as_echo "$ac_cv_lib_naaeap_processEAPTNCData" >&6; }
++if test "x$ac_cv_lib_naaeap_processEAPTNCData" = x""yes; then :
++  cat >>confdefs.h <<_ACEOF
++#define HAVE_LIBNAAEAP 1
++_ACEOF
++
++  LIBS="-lnaaeap $LIBS"
++
++else
++  fail="$fail -lnaaeap"
++fi
++
++	if test -x"$ac_cv_lib_NAAEAP_processEAPTNCData" == -x"no"; then
++		{ $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: the NAAEAP library was not found!" >&5
++$as_echo "$as_me: WARNING: the NAAEAP library was not found!" >&2;}
++		fail="$fail -lNAAEAP"
++	fi
++
++	ac_ext=c
++ac_cpp='$CPP $CPPFLAGS'
++ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'
++ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
++ac_compiler_gnu=$ac_cv_c_compiler_gnu
++{ $as_echo "$as_me:${as_lineno-$LINENO}: checking how to run the C preprocessor" >&5
++$as_echo_n "checking how to run the C preprocessor... " >&6; }
++# On Suns, sometimes $CPP names a directory.
++if test -n "$CPP" && test -d "$CPP"; then
++  CPP=
++fi
++if test -z "$CPP"; then
++  if test "${ac_cv_prog_CPP+set}" = set; then :
++  $as_echo_n "(cached) " >&6
++else
++      # Double quotes because CPP needs to be expanded
++    for CPP in "$CC -E" "$CC -E -traditional-cpp" "/lib/cpp"
++    do
++      ac_preproc_ok=false
++for ac_c_preproc_warn_flag in '' yes
++do
++  # Use a header file that comes with gcc, so configuring glibc
++  # with a fresh cross-compiler works.
++  # Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
++  # <limits.h> exists even on freestanding compilers.
++  # On the NeXT, cc -E runs the code through the compiler's parser,
++  # not just through cpp. "Syntax error" is here to catch this case.
++  cat confdefs.h - <<_ACEOF >conftest.$ac_ext
++/* end confdefs.h.  */
++#ifdef __STDC__
++# include <limits.h>
++#else
++# include <assert.h>
++#endif
++		     Syntax error
++_ACEOF
++if ac_fn_c_try_cpp "$LINENO"; then :
++
++else
++  # Broken: fails on valid input.
++continue
++fi
++rm -f conftest.err conftest.i conftest.$ac_ext
++
++  # OK, works on sane cases.  Now check whether nonexistent headers
++  # can be detected and how.
++  cat confdefs.h - <<_ACEOF >conftest.$ac_ext
++/* end confdefs.h.  */
++#include <ac_nonexistent.h>
++_ACEOF
++if ac_fn_c_try_cpp "$LINENO"; then :
++  # Broken: success on invalid input.
++continue
++else
++  # Passes both tests.
++ac_preproc_ok=:
++break
++fi
++rm -f conftest.err conftest.i conftest.$ac_ext
++
++done
++# Because of `break', _AC_PREPROC_IFELSE's cleaning code was skipped.
++rm -f conftest.i conftest.err conftest.$ac_ext
++if $ac_preproc_ok; then :
++  break
++fi
++
++    done
++    ac_cv_prog_CPP=$CPP
++
++fi
++  CPP=$ac_cv_prog_CPP
++else
++  ac_cv_prog_CPP=$CPP
++fi
++{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $CPP" >&5
++$as_echo "$CPP" >&6; }
++ac_preproc_ok=false
++for ac_c_preproc_warn_flag in '' yes
++do
++  # Use a header file that comes with gcc, so configuring glibc
++  # with a fresh cross-compiler works.
++  # Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
++  # <limits.h> exists even on freestanding compilers.
++  # On the NeXT, cc -E runs the code through the compiler's parser,
++  # not just through cpp. "Syntax error" is here to catch this case.
++  cat confdefs.h - <<_ACEOF >conftest.$ac_ext
++/* end confdefs.h.  */
++#ifdef __STDC__
++# include <limits.h>
++#else
++# include <assert.h>
++#endif
++		     Syntax error
++_ACEOF
++if ac_fn_c_try_cpp "$LINENO"; then :
++
++else
++  # Broken: fails on valid input.
++continue
++fi
++rm -f conftest.err conftest.i conftest.$ac_ext
++
++  # OK, works on sane cases.  Now check whether nonexistent headers
++  # can be detected and how.
++  cat confdefs.h - <<_ACEOF >conftest.$ac_ext
++/* end confdefs.h.  */
++#include <ac_nonexistent.h>
++_ACEOF
++if ac_fn_c_try_cpp "$LINENO"; then :
++  # Broken: success on invalid input.
++continue
++else
++  # Passes both tests.
++ac_preproc_ok=:
++break
++fi
++rm -f conftest.err conftest.i conftest.$ac_ext
++
++done
++# Because of `break', _AC_PREPROC_IFELSE's cleaning code was skipped.
++rm -f conftest.i conftest.err conftest.$ac_ext
++if $ac_preproc_ok; then :
++
++else
++  { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
++$as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
++as_fn_error $? "C preprocessor \"$CPP\" fails sanity check
++See \`config.log' for more details" "$LINENO" 5 ; }
++fi
++
++ac_ext=c
++ac_cpp='$CPP $CPPFLAGS'
++ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'
++ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
++ac_compiler_gnu=$ac_cv_c_compiler_gnu
++
++
++{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for grep that handles long lines and -e" >&5
++$as_echo_n "checking for grep that handles long lines and -e... " >&6; }
++if test "${ac_cv_path_GREP+set}" = set; then :
++  $as_echo_n "(cached) " >&6
++else
++  if test -z "$GREP"; then
++  ac_path_GREP_found=false
++  # Loop through the user's path and test for each of PROGNAME-LIST
++  as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
++for as_dir in $PATH$PATH_SEPARATOR/usr/xpg4/bin
++do
++  IFS=$as_save_IFS
++  test -z "$as_dir" && as_dir=.
++    for ac_prog in grep ggrep; do
++    for ac_exec_ext in '' $ac_executable_extensions; do
++      ac_path_GREP="$as_dir/$ac_prog$ac_exec_ext"
++      { test -f "$ac_path_GREP" && $as_test_x "$ac_path_GREP"; } || continue
++# Check for GNU ac_path_GREP and select it if it is found.
++  # Check for GNU $ac_path_GREP
++case `"$ac_path_GREP" --version 2>&1` in
++*GNU*)
++  ac_cv_path_GREP="$ac_path_GREP" ac_path_GREP_found=:;;
++*)
++  ac_count=0
++  $as_echo_n 0123456789 >"conftest.in"
++  while :
++  do
++    cat "conftest.in" "conftest.in" >"conftest.tmp"
++    mv "conftest.tmp" "conftest.in"
++    cp "conftest.in" "conftest.nl"
++    $as_echo 'GREP' >> "conftest.nl"
++    "$ac_path_GREP" -e 'GREP$' -e '-(cannot match)-' < "conftest.nl" >"conftest.out" 2>/dev/null || break
++    diff "conftest.out" "conftest.nl" >/dev/null 2>&1 || break
++    as_fn_arith $ac_count + 1 && ac_count=$as_val
++    if test $ac_count -gt ${ac_path_GREP_max-0}; then
++      # Best one so far, save it but keep looking for a better one
++      ac_cv_path_GREP="$ac_path_GREP"
++      ac_path_GREP_max=$ac_count
++    fi
++    # 10*(2^10) chars as input seems more than enough
++    test $ac_count -gt 10 && break
++  done
++  rm -f conftest.in conftest.tmp conftest.nl conftest.out;;
++esac
++
++      $ac_path_GREP_found && break 3
++    done
++  done
++  done
++IFS=$as_save_IFS
++  if test -z "$ac_cv_path_GREP"; then
++    as_fn_error $? "no acceptable grep could be found in $PATH$PATH_SEPARATOR/usr/xpg4/bin" "$LINENO" 5
++  fi
++else
++  ac_cv_path_GREP=$GREP
++fi
++
++fi
++{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_path_GREP" >&5
++$as_echo "$ac_cv_path_GREP" >&6; }
++ GREP="$ac_cv_path_GREP"
++
++
++{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for egrep" >&5
++$as_echo_n "checking for egrep... " >&6; }
++if test "${ac_cv_path_EGREP+set}" = set; then :
++  $as_echo_n "(cached) " >&6
++else
++  if echo a | $GREP -E '(a|b)' >/dev/null 2>&1
++   then ac_cv_path_EGREP="$GREP -E"
++   else
++     if test -z "$EGREP"; then
++  ac_path_EGREP_found=false
++  # Loop through the user's path and test for each of PROGNAME-LIST
++  as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
++for as_dir in $PATH$PATH_SEPARATOR/usr/xpg4/bin
++do
++  IFS=$as_save_IFS
++  test -z "$as_dir" && as_dir=.
++    for ac_prog in egrep; do
++    for ac_exec_ext in '' $ac_executable_extensions; do
++      ac_path_EGREP="$as_dir/$ac_prog$ac_exec_ext"
++      { test -f "$ac_path_EGREP" && $as_test_x "$ac_path_EGREP"; } || continue
++# Check for GNU ac_path_EGREP and select it if it is found.
++  # Check for GNU $ac_path_EGREP
++case `"$ac_path_EGREP" --version 2>&1` in
++*GNU*)
++  ac_cv_path_EGREP="$ac_path_EGREP" ac_path_EGREP_found=:;;
++*)
++  ac_count=0
++  $as_echo_n 0123456789 >"conftest.in"
++  while :
++  do
++    cat "conftest.in" "conftest.in" >"conftest.tmp"
++    mv "conftest.tmp" "conftest.in"
++    cp "conftest.in" "conftest.nl"
++    $as_echo 'EGREP' >> "conftest.nl"
++    "$ac_path_EGREP" 'EGREP$' < "conftest.nl" >"conftest.out" 2>/dev/null || break
++    diff "conftest.out" "conftest.nl" >/dev/null 2>&1 || break
++    as_fn_arith $ac_count + 1 && ac_count=$as_val
++    if test $ac_count -gt ${ac_path_EGREP_max-0}; then
++      # Best one so far, save it but keep looking for a better one
++      ac_cv_path_EGREP="$ac_path_EGREP"
++      ac_path_EGREP_max=$ac_count
++    fi
++    # 10*(2^10) chars as input seems more than enough
++    test $ac_count -gt 10 && break
++  done
++  rm -f conftest.in conftest.tmp conftest.nl conftest.out;;
++esac
++
++      $ac_path_EGREP_found && break 3
++    done
++  done
++  done
++IFS=$as_save_IFS
++  if test -z "$ac_cv_path_EGREP"; then
++    as_fn_error $? "no acceptable egrep could be found in $PATH$PATH_SEPARATOR/usr/xpg4/bin" "$LINENO" 5
++  fi
++else
++  ac_cv_path_EGREP=$EGREP
++fi
++
++   fi
++fi
++{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_path_EGREP" >&5
++$as_echo "$ac_cv_path_EGREP" >&6; }
++ EGREP="$ac_cv_path_EGREP"
++
++
++{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for ANSI C header files" >&5
++$as_echo_n "checking for ANSI C header files... " >&6; }
++if test "${ac_cv_header_stdc+set}" = set; then :
++  $as_echo_n "(cached) " >&6
++else
++  cat confdefs.h - <<_ACEOF >conftest.$ac_ext
++/* end confdefs.h.  */
++#include <stdlib.h>
++#include <stdarg.h>
++#include <string.h>
++#include <float.h>
++
++int
++main ()
++{
++
++  ;
++  return 0;
++}
++_ACEOF
++if ac_fn_c_try_compile "$LINENO"; then :
++  ac_cv_header_stdc=yes
++else
++  ac_cv_header_stdc=no
++fi
++rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
++
++if test $ac_cv_header_stdc = yes; then
++  # SunOS 4.x string.h does not declare mem*, contrary to ANSI.
++  cat confdefs.h - <<_ACEOF >conftest.$ac_ext
++/* end confdefs.h.  */
++#include <string.h>
++
+ _ACEOF
+-cat confdefs.h >>conftest.$ac_ext
+-cat >>conftest.$ac_ext <<_ACEOF
++if (eval "$ac_cpp conftest.$ac_ext") 2>&5 |
++  $EGREP "memchr" >/dev/null 2>&1; then :
++
++else
++  ac_cv_header_stdc=no
++fi
++rm -f conftest*
++
++fi
++
++if test $ac_cv_header_stdc = yes; then
++  # ISC 2.0.2 stdlib.h does not declare free, contrary to ANSI.
++  cat confdefs.h - <<_ACEOF >conftest.$ac_ext
++/* end confdefs.h.  */
++#include <stdlib.h>
++
++_ACEOF
++if (eval "$ac_cpp conftest.$ac_ext") 2>&5 |
++  $EGREP "free" >/dev/null 2>&1; then :
++
++else
++  ac_cv_header_stdc=no
++fi
++rm -f conftest*
++
++fi
++
++if test $ac_cv_header_stdc = yes; then
++  # /bin/cc in Irix-4.0.5 gets non-ANSI ctype macros unless using -ansi.
++  if test "$cross_compiling" = yes; then :
++  :
++else
++  cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+ /* end confdefs.h.  */
+-
+-/* Override any GCC internal prototype to avoid an error.
+-   Use char because int might match the return type of a GCC
+-   builtin and then its argument prototype would still apply.  */
+-#ifdef __cplusplus
+-extern "C"
++#include <ctype.h>
++#include <stdlib.h>
++#if ((' ' & 0x0FF) == 0x020)
++# define ISLOWER(c) ('a' <= (c) && (c) <= 'z')
++# define TOUPPER(c) (ISLOWER(c) ? 'A' + ((c) - 'a') : (c))
++#else
++# define ISLOWER(c) \
++		   (('a' <= (c) && (c) <= 'i') \
++		     || ('j' <= (c) && (c) <= 'r') \
++		     || ('s' <= (c) && (c) <= 'z'))
++# define TOUPPER(c) (ISLOWER(c) ? ((c) | 0x40) : (c))
+ #endif
+-char exchangeTNCCSMessages ();
++
++#define XOR(e, f) (((e) && !(f)) || (!(e) && (f)))
+ int
+ main ()
+ {
+-return exchangeTNCCSMessages ();
+-  ;
++  int i;
++  for (i = 0; i < 256; i++)
++    if (XOR (islower (i), ISLOWER (i))
++	|| toupper (i) != TOUPPER (i))
++      return 2;
+   return 0;
+ }
+ _ACEOF
+-rm -f conftest.$ac_objext conftest$ac_exeext
+-if { (ac_try="$ac_link"
+-case "(($ac_try" in
+-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+-  *) ac_try_echo=$ac_try;;
+-esac
+-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+-  (eval "$ac_link") 2>conftest.er1
+-  ac_status=$?
+-  grep -v '^ *+' conftest.er1 >conftest.err
+-  rm -f conftest.er1
+-  cat conftest.err >&5
+-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+-  (exit $ac_status); } && {
+-	 test -z "$ac_c_werror_flag" ||
+-	 test ! -s conftest.err
+-       } && test -s conftest$ac_exeext &&
+-       $as_test_x conftest$ac_exeext; then
+-  ac_cv_lib_TNCS_exchangeTNCCSMessages=yes
++if ac_fn_c_try_run "$LINENO"; then :
++
+ else
+-  echo "$as_me: failed program was:" >&5
+-sed 's/^/| /' conftest.$ac_ext >&5
++  ac_cv_header_stdc=no
++fi
++rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \
++  conftest.$ac_objext conftest.beam conftest.$ac_ext
++fi
+ 
+-	ac_cv_lib_TNCS_exchangeTNCCSMessages=no
+ fi
++fi
++{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_header_stdc" >&5
++$as_echo "$ac_cv_header_stdc" >&6; }
++if test $ac_cv_header_stdc = yes; then
++
++$as_echo "#define STDC_HEADERS 1" >>confdefs.h
+ 
+-rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
+-      conftest$ac_exeext conftest.$ac_ext
+-LIBS=$ac_check_lib_save_LIBS
+ fi
+-{ echo "$as_me:$LINENO: result: $ac_cv_lib_TNCS_exchangeTNCCSMessages" >&5
+-echo "${ECHO_T}$ac_cv_lib_TNCS_exchangeTNCCSMessages" >&6; }
+-if test $ac_cv_lib_TNCS_exchangeTNCCSMessages = yes; then
++
++# On IRIX 5.3, sys/types and inttypes.h are conflicting.
++for ac_header in sys/types.h sys/stat.h stdlib.h string.h memory.h strings.h \
++		  inttypes.h stdint.h unistd.h
++do :
++  as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh`
++ac_fn_c_check_header_compile "$LINENO" "$ac_header" "$as_ac_Header" "$ac_includes_default
++"
++if eval test \"x\$"$as_ac_Header"\" = x"yes"; then :
+   cat >>confdefs.h <<_ACEOF
+-#define HAVE_LIBTNCS 1
++#define `$as_echo "HAVE_$ac_header" | $as_tr_cpp` 1
+ _ACEOF
+ 
+-  LIBS="-lTNCS $LIBS"
++fi
++
++done
++
++
++for ac_header in naaeap/naaeap.h
++do :
++  ac_fn_c_check_header_mongrel "$LINENO" "naaeap/naaeap.h" "ac_cv_header_naaeap_naaeap_h" "$ac_includes_default"
++if test "x$ac_cv_header_naaeap_naaeap_h" = x""yes; then :
++  cat >>confdefs.h <<_ACEOF
++#define HAVE_NAAEAP_NAAEAP_H 1
++_ACEOF
+ 
++else
++  fail="$fail -Inaaeap.h"
+ fi
+ 
+-	if test "x$ac_cv_lib_tncs_exchangetnccsmessages" != xyes; then
+-		{ echo "$as_me:$LINENO: WARNING: the TNCS library isn't found!" >&5
+-echo "$as_me: WARNING: the TNCS library isn't found!" >&2;}
+-		fail="$fail -lTNCS"
++done
++
++	if test -x"$ac_cv_header_naaeap_h" == -x"no"; then
++		{ $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: the naaeap header was not found!" >&5
++$as_echo "$as_me: WARNING: the naaeap header was not found!" >&2;}
++		fail="$fail -Inaaeap.h"
+ 	fi
+ 
+ 	targetname=rlm_eap_tnc
+@@ -2642,14 +3262,12 @@
+ 
+ if test x"$fail" != x""; then
+ 	if test x"${enable_strict_dependencies}" = x"yes"; then
+-		{ { echo "$as_me:$LINENO: error: set --without-rlm_eap_tnc to disable it explicitly." >&5
+-echo "$as_me: error: set --without-rlm_eap_tnc to disable it explicitly." >&2;}
+-   { (exit 1); exit 1; }; }
++		as_fn_error $? "set --without-rlm_eap_tnc to disable it explicitly." "$LINENO" 5
+ 	else
+-		{ echo "$as_me:$LINENO: WARNING: silently not building rlm_eap_tnc." >&5
+-echo "$as_me: WARNING: silently not building rlm_eap_tnc." >&2;}
+-		{ echo "$as_me:$LINENO: WARNING: FAILURE: rlm_eap_tnc requires: $fail." >&5
+-echo "$as_me: WARNING: FAILURE: rlm_eap_tnc requires: $fail." >&2;};
++		{ $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: silently not building rlm_eap_tnc." >&5
++$as_echo "$as_me: WARNING: silently not building rlm_eap_tnc." >&2;}
++		{ $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: FAILURE: rlm_eap_tnc requires: $fail." >&5
++$as_echo "$as_me: WARNING: FAILURE: rlm_eap_tnc requires: $fail." >&2;};
+ 		targetname=""
+ 	fi
+ fi
+@@ -2658,11 +3276,7 @@
+ 
+ 
+ 
+-
+-  unset ac_cv_env_LIBS_set
+-  unset ac_cv_env_LIBS_value
+-
+-  ac_config_files="$ac_config_files Makefile"
++ac_config_files="$ac_config_files Makefile"
+ 
+ cat >confcache <<\_ACEOF
+ # This file is a shell script that caches the results of configure
+@@ -2691,12 +3305,13 @@
+     case $ac_val in #(
+     *${as_nl}*)
+       case $ac_var in #(
+-      *_cv_*) { echo "$as_me:$LINENO: WARNING: Cache variable $ac_var contains a newline." >&5
+-echo "$as_me: WARNING: Cache variable $ac_var contains a newline." >&2;} ;;
++      *_cv_*) { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: cache variable $ac_var contains a newline" >&5
++$as_echo "$as_me: WARNING: cache variable $ac_var contains a newline" >&2;} ;;
+       esac
+       case $ac_var in #(
+       _ | IFS | as_nl) ;; #(
+-      *) $as_unset $ac_var ;;
++      BASH_ARGV | BASH_SOURCE) eval $ac_var= ;; #(
++      *) { eval $ac_var=; unset $ac_var;} ;;
+       esac ;;
+     esac
+   done
+@@ -2704,8 +3319,8 @@
+   (set) 2>&1 |
+     case $as_nl`(ac_space=' '; set) 2>&1` in #(
+     *${as_nl}ac_space=\ *)
+-      # `set' does not quote correctly, so add quotes (double-quote
+-      # substitution turns \\\\ into \\, and sed turns \\ into \).
++      # `set' does not quote correctly, so add quotes: double-quote
++      # substitution turns \\\\ into \\, and sed turns \\ into \.
+       sed -n \
+ 	"s/'/'\\\\''/g;
+ 	  s/^\\([_$as_cr_alnum]*_cv_[_$as_cr_alnum]*\\)=\\(.*\\)/\\1='\\2'/p"
+@@ -2728,12 +3343,12 @@
+ if diff "$cache_file" confcache >/dev/null 2>&1; then :; else
+   if test -w "$cache_file"; then
+     test "x$cache_file" != "x/dev/null" &&
+-      { echo "$as_me:$LINENO: updating cache $cache_file" >&5
+-echo "$as_me: updating cache $cache_file" >&6;}
++      { $as_echo "$as_me:${as_lineno-$LINENO}: updating cache $cache_file" >&5
++$as_echo "$as_me: updating cache $cache_file" >&6;}
+     cat confcache >$cache_file
+   else
+-    { echo "$as_me:$LINENO: not updating unwritable cache $cache_file" >&5
+-echo "$as_me: not updating unwritable cache $cache_file" >&6;}
++    { $as_echo "$as_me:${as_lineno-$LINENO}: not updating unwritable cache $cache_file" >&5
++$as_echo "$as_me: not updating unwritable cache $cache_file" >&6;}
+   fi
+ fi
+ rm -f confcache
+@@ -2750,6 +3365,12 @@
+ # take arguments), then branch to the quote section.  Otherwise,
+ # look for a macro that doesn't take arguments.
+ ac_script='
++:mline
++/\\$/{
++ N
++ s,\\\n,,
++ b mline
++}
+ t clear
+ :clear
+ s/^[	 ]*#[	 ]*define[	 ][	 ]*\([^	 (][^	 (]*([^)]*)\)[	 ]*\(.*\)/-D\1=\2/g
+@@ -2776,14 +3397,15 @@
+ 
+ ac_libobjs=
+ ac_ltlibobjs=
++U=
+ for ac_i in : $LIBOBJS; do test "x$ac_i" = x: && continue
+   # 1. Remove the extension, and $U if already installed.
+   ac_script='s/\$U\././;s/\.o$//;s/\.obj$//'
+-  ac_i=`echo "$ac_i" | sed "$ac_script"`
++  ac_i=`$as_echo "$ac_i" | sed "$ac_script"`
+   # 2. Prepend LIBOBJDIR.  When used with automake>=1.10 LIBOBJDIR
+   #    will be set to the directory where LIBOBJS objects are built.
+-  ac_libobjs="$ac_libobjs \${LIBOBJDIR}$ac_i\$U.$ac_objext"
+-  ac_ltlibobjs="$ac_ltlibobjs \${LIBOBJDIR}$ac_i"'$U.lo'
++  as_fn_append ac_libobjs " \${LIBOBJDIR}$ac_i\$U.$ac_objext"
++  as_fn_append ac_ltlibobjs " \${LIBOBJDIR}$ac_i"'$U.lo'
+ done
+ LIBOBJS=$ac_libobjs
+ 
+@@ -2792,11 +3414,13 @@
+ 
+ 
+ : ${CONFIG_STATUS=./config.status}
++ac_write_fail=0
+ ac_clean_files_save=$ac_clean_files
+ ac_clean_files="$ac_clean_files $CONFIG_STATUS"
+-{ echo "$as_me:$LINENO: creating $CONFIG_STATUS" >&5
+-echo "$as_me: creating $CONFIG_STATUS" >&6;}
+-cat >$CONFIG_STATUS <<_ACEOF
++{ $as_echo "$as_me:${as_lineno-$LINENO}: creating $CONFIG_STATUS" >&5
++$as_echo "$as_me: creating $CONFIG_STATUS" >&6;}
++as_write_fail=0
++cat >$CONFIG_STATUS <<_ASEOF || as_write_fail=1
+ #! $SHELL
+ # Generated by $as_me.
+ # Run this file to recreate the current configuration.
+@@ -2806,59 +3430,79 @@
+ debug=false
+ ac_cs_recheck=false
+ ac_cs_silent=false
+-SHELL=\${CONFIG_SHELL-$SHELL}
+-_ACEOF
+ 
+-cat >>$CONFIG_STATUS <<\_ACEOF
+-## --------------------- ##
+-## M4sh Initialization.  ##
+-## --------------------- ##
++SHELL=\${CONFIG_SHELL-$SHELL}
++export SHELL
++_ASEOF
++cat >>$CONFIG_STATUS <<\_ASEOF || as_write_fail=1
++## -------------------- ##
++## M4sh Initialization. ##
++## -------------------- ##
+ 
+ # Be more Bourne compatible
+ DUALCASE=1; export DUALCASE # for MKS sh
+-if test -n "${ZSH_VERSION+set}" && (emulate sh) >/dev/null 2>&1; then
++if test -n "${ZSH_VERSION+set}" && (emulate sh) >/dev/null 2>&1; then :
+   emulate sh
+   NULLCMD=:
+-  # Zsh 3.x and 4.x performs word splitting on ${1+"$@"}, which
++  # Pre-4.2 versions of Zsh do word splitting on ${1+"$@"}, which
+   # is contrary to our usage.  Disable this feature.
+   alias -g '${1+"$@"}'='"$@"'
+   setopt NO_GLOB_SUBST
+ else
+-  case `(set -o) 2>/dev/null` in
+-  *posix*) set -o posix ;;
++  case `(set -o) 2>/dev/null` in #(
++  *posix*) :
++    set -o posix ;; #(
++  *) :
++     ;;
+ esac
+-
+ fi
+ 
+ 
+-
+-
+-# PATH needs CR
+-# Avoid depending upon Character Ranges.
+-as_cr_letters='abcdefghijklmnopqrstuvwxyz'
+-as_cr_LETTERS='ABCDEFGHIJKLMNOPQRSTUVWXYZ'
+-as_cr_Letters=$as_cr_letters$as_cr_LETTERS
+-as_cr_digits='0123456789'
+-as_cr_alnum=$as_cr_Letters$as_cr_digits
+-
+-# The user is always right.
+-if test "${PATH_SEPARATOR+set}" != set; then
+-  echo "#! /bin/sh" >conf$$.sh
+-  echo  "exit 0"   >>conf$$.sh
+-  chmod +x conf$$.sh
+-  if (PATH="/nonexistent;."; conf$$.sh) >/dev/null 2>&1; then
+-    PATH_SEPARATOR=';'
++as_nl='
++'
++export as_nl
++# Printing a long string crashes Solaris 7 /usr/bin/printf.
++as_echo='\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\'
++as_echo=$as_echo$as_echo$as_echo$as_echo$as_echo
++as_echo=$as_echo$as_echo$as_echo$as_echo$as_echo$as_echo
++# Prefer a ksh shell builtin over an external printf program on Solaris,
++# but without wasting forks for bash or zsh.
++if test -z "$BASH_VERSION$ZSH_VERSION" \
++    && (test "X`print -r -- $as_echo`" = "X$as_echo") 2>/dev/null; then
++  as_echo='print -r --'
++  as_echo_n='print -rn --'
++elif (test "X`printf %s $as_echo`" = "X$as_echo") 2>/dev/null; then
++  as_echo='printf %s\n'
++  as_echo_n='printf %s'
++else
++  if test "X`(/usr/ucb/echo -n -n $as_echo) 2>/dev/null`" = "X-n $as_echo"; then
++    as_echo_body='eval /usr/ucb/echo -n "$1$as_nl"'
++    as_echo_n='/usr/ucb/echo -n'
+   else
+-    PATH_SEPARATOR=:
++    as_echo_body='eval expr "X$1" : "X\\(.*\\)"'
++    as_echo_n_body='eval
++      arg=$1;
++      case $arg in #(
++      *"$as_nl"*)
++	expr "X$arg" : "X\\(.*\\)$as_nl";
++	arg=`expr "X$arg" : ".*$as_nl\\(.*\\)"`;;
++      esac;
++      expr "X$arg" : "X\\(.*\\)" | tr -d "$as_nl"
++    '
++    export as_echo_n_body
++    as_echo_n='sh -c $as_echo_n_body as_echo'
+   fi
+-  rm -f conf$$.sh
++  export as_echo_body
++  as_echo='sh -c $as_echo_body as_echo'
+ fi
+ 
+-# Support unset when possible.
+-if ( (MAIL=60; unset MAIL) || exit) >/dev/null 2>&1; then
+-  as_unset=unset
+-else
+-  as_unset=false
++# The user is always right.
++if test "${PATH_SEPARATOR+set}" != set; then
++  PATH_SEPARATOR=:
++  (PATH='/bin;/bin'; FPATH=$PATH; sh -c :) >/dev/null 2>&1 && {
++    (PATH='/bin:/bin'; FPATH=$PATH; sh -c :) >/dev/null 2>&1 ||
++      PATH_SEPARATOR=';'
++  }
+ fi
+ 
+ 
+@@ -2867,20 +3511,18 @@
+ # there to prevent editors from complaining about space-tab.
+ # (If _AS_PATH_WALK were called with IFS unset, it would disable word
+ # splitting by setting IFS to empty value.)
+-as_nl='
+-'
+ IFS=" ""	$as_nl"
+ 
+ # Find who we are.  Look in the path if we contain no directory separator.
+-case $0 in
++case $0 in #((
+   *[\\/]* ) as_myself=$0 ;;
+   *) as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+ for as_dir in $PATH
+ do
+   IFS=$as_save_IFS
+   test -z "$as_dir" && as_dir=.
+-  test -r "$as_dir/$0" && as_myself=$as_dir/$0 && break
+-done
++    test -r "$as_dir/$0" && as_myself=$as_dir/$0 && break
++  done
+ IFS=$as_save_IFS
+ 
+      ;;
+@@ -2891,32 +3533,111 @@
+   as_myself=$0
+ fi
+ if test ! -f "$as_myself"; then
+-  echo "$as_myself: error: cannot find myself; rerun with an absolute file name" >&2
+-  { (exit 1); exit 1; }
++  $as_echo "$as_myself: error: cannot find myself; rerun with an absolute file name" >&2
++  exit 1
+ fi
+ 
+-# Work around bugs in pre-3.0 UWIN ksh.
+-for as_var in ENV MAIL MAILPATH
+-do ($as_unset $as_var) >/dev/null 2>&1 && $as_unset $as_var
++# Unset variables that we do not need and which cause bugs (e.g. in
++# pre-3.0 UWIN ksh).  But do not cause bugs in bash 2.01; the "|| exit 1"
++# suppresses any "Segmentation fault" message there.  '((' could
++# trigger a bug in pdksh 5.2.14.
++for as_var in BASH_ENV ENV MAIL MAILPATH
++do eval test x\${$as_var+set} = xset \
++  && ( (unset $as_var) || exit 1) >/dev/null 2>&1 && unset $as_var || :
+ done
+ PS1='$ '
+ PS2='> '
+ PS4='+ '
+ 
+ # NLS nuisances.
+-for as_var in \
+-  LANG LANGUAGE LC_ADDRESS LC_ALL LC_COLLATE LC_CTYPE LC_IDENTIFICATION \
+-  LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER \
+-  LC_TELEPHONE LC_TIME
+-do
+-  if (set +x; test -z "`(eval $as_var=C; export $as_var) 2>&1`"); then
+-    eval $as_var=C; export $as_var
+-  else
+-    ($as_unset $as_var) >/dev/null 2>&1 && $as_unset $as_var
++LC_ALL=C
++export LC_ALL
++LANGUAGE=C
++export LANGUAGE
++
++# CDPATH.
++(unset CDPATH) >/dev/null 2>&1 && unset CDPATH
++
++
++# as_fn_error STATUS ERROR [LINENO LOG_FD]
++# ----------------------------------------
++# Output "`basename $0`: error: ERROR" to stderr. If LINENO and LOG_FD are
++# provided, also output the error to LOG_FD, referencing LINENO. Then exit the
++# script with STATUS, using 1 if that was 0.
++as_fn_error ()
++{
++  as_status=$1; test $as_status -eq 0 && as_status=1
++  if test "$4"; then
++    as_lineno=${as_lineno-"$3"} as_lineno_stack=as_lineno_stack=$as_lineno_stack
++    $as_echo "$as_me:${as_lineno-$LINENO}: error: $2" >&$4
+   fi
+-done
++  $as_echo "$as_me: error: $2" >&2
++  as_fn_exit $as_status
++} # as_fn_error
++
++
++# as_fn_set_status STATUS
++# -----------------------
++# Set $? to STATUS, without forking.
++as_fn_set_status ()
++{
++  return $1
++} # as_fn_set_status
++
++# as_fn_exit STATUS
++# -----------------
++# Exit the shell with STATUS, even in a "trap 0" or "set -e" context.
++as_fn_exit ()
++{
++  set +e
++  as_fn_set_status $1
++  exit $1
++} # as_fn_exit
++
++# as_fn_unset VAR
++# ---------------
++# Portably unset VAR.
++as_fn_unset ()
++{
++  { eval $1=; unset $1;}
++}
++as_unset=as_fn_unset
++# as_fn_append VAR VALUE
++# ----------------------
++# Append the text in VALUE to the end of the definition contained in VAR. Take
++# advantage of any shell optimizations that allow amortized linear growth over
++# repeated appends, instead of the typical quadratic growth present in naive
++# implementations.
++if (eval "as_var=1; as_var+=2; test x\$as_var = x12") 2>/dev/null; then :
++  eval 'as_fn_append ()
++  {
++    eval $1+=\$2
++  }'
++else
++  as_fn_append ()
++  {
++    eval $1=\$$1\$2
++  }
++fi # as_fn_append
++
++# as_fn_arith ARG...
++# ------------------
++# Perform arithmetic evaluation on the ARGs, and store the result in the
++# global $as_val. Take advantage of shells that can avoid forks. The arguments
++# must be portable across $(()) and expr.
++if (eval "test \$(( 1 + 1 )) = 2") 2>/dev/null; then :
++  eval 'as_fn_arith ()
++  {
++    as_val=$(( $* ))
++  }'
++else
++  as_fn_arith ()
++  {
++    as_val=`expr "$@" || test $? -eq 1`
++  }
++fi # as_fn_arith
++
+ 
+-# Required to use basename.
+ if expr a : '\(a\)' >/dev/null 2>&1 &&
+    test "X`expr 00001 : '.*\(...\)'`" = X001; then
+   as_expr=expr
+@@ -2930,13 +3651,17 @@
+   as_basename=false
+ fi
+ 
++if (as_dir=`dirname -- /` && test "X$as_dir" = X/) >/dev/null 2>&1; then
++  as_dirname=dirname
++else
++  as_dirname=false
++fi
+ 
+-# Name of the executable.
+ as_me=`$as_basename -- "$0" ||
+ $as_expr X/"$0" : '.*/\([^/][^/]*\)/*$' \| \
+ 	 X"$0" : 'X\(//\)$' \| \
+ 	 X"$0" : 'X\(/\)' \| . 2>/dev/null ||
+-echo X/"$0" |
++$as_echo X/"$0" |
+     sed '/^.*\/\([^/][^/]*\)\/*$/{
+ 	    s//\1/
+ 	    q
+@@ -2951,104 +3676,103 @@
+ 	  }
+ 	  s/.*/./; q'`
+ 
+-# CDPATH.
+-$as_unset CDPATH
+-
+-
+-
+-  as_lineno_1=$LINENO
+-  as_lineno_2=$LINENO
+-  test "x$as_lineno_1" != "x$as_lineno_2" &&
+-  test "x`expr $as_lineno_1 + 1`" = "x$as_lineno_2" || {
+-
+-  # Create $as_me.lineno as a copy of $as_myself, but with $LINENO
+-  # uniformly replaced by the line number.  The first 'sed' inserts a
+-  # line-number line after each line using $LINENO; the second 'sed'
+-  # does the real work.  The second script uses 'N' to pair each
+-  # line-number line with the line containing $LINENO, and appends
+-  # trailing '-' during substitution so that $LINENO is not a special
+-  # case at line end.
+-  # (Raja R Harinath suggested sed '=', and Paul Eggert wrote the
+-  # scripts with optimization help from Paolo Bonzini.  Blame Lee
+-  # E. McMahon (1931-1989) for sed's syntax.  :-)
+-  sed -n '
+-    p
+-    /[$]LINENO/=
+-  ' <$as_myself |
+-    sed '
+-      s/[$]LINENO.*/&-/
+-      t lineno
+-      b
+-      :lineno
+-      N
+-      :loop
+-      s/[$]LINENO\([^'$as_cr_alnum'_].*\n\)\(.*\)/\2\1\2/
+-      t loop
+-      s/-\n.*//
+-    ' >$as_me.lineno &&
+-  chmod +x "$as_me.lineno" ||
+-    { echo "$as_me: error: cannot create $as_me.lineno; rerun with a POSIX shell" >&2
+-   { (exit 1); exit 1; }; }
+-
+-  # Don't try to exec as it changes $[0], causing all sort of problems
+-  # (the dirname of $[0] is not the place where we might find the
+-  # original and so on.  Autoconf is especially sensitive to this).
+-  . "./$as_me.lineno"
+-  # Exit status is that of the last command.
+-  exit
+-}
+-
+-
+-if (as_dir=`dirname -- /` && test "X$as_dir" = X/) >/dev/null 2>&1; then
+-  as_dirname=dirname
+-else
+-  as_dirname=false
+-fi
++# Avoid depending upon Character Ranges.
++as_cr_letters='abcdefghijklmnopqrstuvwxyz'
++as_cr_LETTERS='ABCDEFGHIJKLMNOPQRSTUVWXYZ'
++as_cr_Letters=$as_cr_letters$as_cr_LETTERS
++as_cr_digits='0123456789'
++as_cr_alnum=$as_cr_Letters$as_cr_digits
+ 
+ ECHO_C= ECHO_N= ECHO_T=
+-case `echo -n x` in
++case `echo -n x` in #(((((
+ -n*)
+-  case `echo 'x\c'` in
++  case `echo 'xy\c'` in
+   *c*) ECHO_T='	';;	# ECHO_T is single tab character.
+-  *)   ECHO_C='\c';;
++  xy)  ECHO_C='\c';;
++  *)   echo `echo ksh88 bug on AIX 6.1` > /dev/null
++       ECHO_T='	';;
+   esac;;
+ *)
+   ECHO_N='-n';;
+ esac
+ 
+-if expr a : '\(a\)' >/dev/null 2>&1 &&
+-   test "X`expr 00001 : '.*\(...\)'`" = X001; then
+-  as_expr=expr
+-else
+-  as_expr=false
+-fi
+-
+ rm -f conf$$ conf$$.exe conf$$.file
+ if test -d conf$$.dir; then
+   rm -f conf$$.dir/conf$$.file
+ else
+   rm -f conf$$.dir
+-  mkdir conf$$.dir
++  mkdir conf$$.dir 2>/dev/null
+ fi
+-echo >conf$$.file
+-if ln -s conf$$.file conf$$ 2>/dev/null; then
+-  as_ln_s='ln -s'
+-  # ... but there are two gotchas:
+-  # 1) On MSYS, both `ln -s file dir' and `ln file dir' fail.
+-  # 2) DJGPP < 2.04 has no symlinks; `ln -s' creates a wrapper executable.
+-  # In both cases, we have to default to `cp -p'.
+-  ln -s conf$$.file conf$$.dir 2>/dev/null && test ! -f conf$$.exe ||
++if (echo >conf$$.file) 2>/dev/null; then
++  if ln -s conf$$.file conf$$ 2>/dev/null; then
++    as_ln_s='ln -s'
++    # ... but there are two gotchas:
++    # 1) On MSYS, both `ln -s file dir' and `ln file dir' fail.
++    # 2) DJGPP < 2.04 has no symlinks; `ln -s' creates a wrapper executable.
++    # In both cases, we have to default to `cp -p'.
++    ln -s conf$$.file conf$$.dir 2>/dev/null && test ! -f conf$$.exe ||
++      as_ln_s='cp -p'
++  elif ln conf$$.file conf$$ 2>/dev/null; then
++    as_ln_s=ln
++  else
+     as_ln_s='cp -p'
+-elif ln conf$$.file conf$$ 2>/dev/null; then
+-  as_ln_s=ln
++  fi
+ else
+   as_ln_s='cp -p'
+ fi
+ rm -f conf$$ conf$$.exe conf$$.dir/conf$$.file conf$$.file
+ rmdir conf$$.dir 2>/dev/null
+ 
++
++# as_fn_mkdir_p
++# -------------
++# Create "$as_dir" as a directory, including parents if necessary.
++as_fn_mkdir_p ()
++{
++
++  case $as_dir in #(
++  -*) as_dir=./$as_dir;;
++  esac
++  test -d "$as_dir" || eval $as_mkdir_p || {
++    as_dirs=
++    while :; do
++      case $as_dir in #(
++      *\'*) as_qdir=`$as_echo "$as_dir" | sed "s/'/'\\\\\\\\''/g"`;; #'(
++      *) as_qdir=$as_dir;;
++      esac
++      as_dirs="'$as_qdir' $as_dirs"
++      as_dir=`$as_dirname -- "$as_dir" ||
++$as_expr X"$as_dir" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \
++	 X"$as_dir" : 'X\(//\)[^/]' \| \
++	 X"$as_dir" : 'X\(//\)$' \| \
++	 X"$as_dir" : 'X\(/\)' \| . 2>/dev/null ||
++$as_echo X"$as_dir" |
++    sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{
++	    s//\1/
++	    q
++	  }
++	  /^X\(\/\/\)[^/].*/{
++	    s//\1/
++	    q
++	  }
++	  /^X\(\/\/\)$/{
++	    s//\1/
++	    q
++	  }
++	  /^X\(\/\).*/{
++	    s//\1/
++	    q
++	  }
++	  s/.*/./; q'`
++      test -d "$as_dir" && break
++    done
++    test -z "$as_dirs" || eval "mkdir $as_dirs"
++  } || test -d "$as_dir" || as_fn_error $? "cannot create directory $as_dir"
++
++
++} # as_fn_mkdir_p
+ if mkdir -p . 2>/dev/null; then
+-  as_mkdir_p=:
++  as_mkdir_p='mkdir -p "$as_dir"'
+ else
+   test -d ./-p && rmdir ./-p
+   as_mkdir_p=false
+@@ -3065,12 +3789,12 @@
+   as_test_x='
+     eval sh -c '\''
+       if test -d "$1"; then
+-        test -d "$1/.";
++	test -d "$1/.";
+       else
+-	case $1 in
+-        -*)set "./$1";;
++	case $1 in #(
++	-*)set "./$1";;
+ 	esac;
+-	case `ls -ld'$as_ls_L_option' "$1" 2>/dev/null` in
++	case `ls -ld'$as_ls_L_option' "$1" 2>/dev/null` in #((
+ 	???[sx]*):;;*)false;;esac;fi
+     '\'' sh
+   '
+@@ -3085,13 +3809,19 @@
+ 
+ 
+ exec 6>&1
++## ----------------------------------- ##
++## Main body of $CONFIG_STATUS script. ##
++## ----------------------------------- ##
++_ASEOF
++test $as_write_fail = 0 && chmod +x $CONFIG_STATUS || ac_write_fail=1
+ 
+-# Save the log message, to keep $[0] and so on meaningful, and to
++cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
++# Save the log message, to keep $0 and so on meaningful, and to
+ # report actual input values of CONFIG_FILES etc. instead of their
+ # values after options handling.
+ ac_log="
+ This file was extended by $as_me, which was
+-generated by GNU Autoconf 2.61.  Invocation command line was
++generated by GNU Autoconf 2.67.  Invocation command line was
+ 
+   CONFIG_FILES    = $CONFIG_FILES
+   CONFIG_HEADERS  = $CONFIG_HEADERS
+@@ -3104,59 +3834,74 @@
+ 
+ _ACEOF
+ 
+-cat >>$CONFIG_STATUS <<_ACEOF
++case $ac_config_files in *"
++"*) set x $ac_config_files; shift; ac_config_files=$*;;
++esac
++
++
++
++cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
+ # Files that config.status was made for.
+ config_files="$ac_config_files"
+ 
+ _ACEOF
+ 
+-cat >>$CONFIG_STATUS <<\_ACEOF
++cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
+ ac_cs_usage="\
+-\`$as_me' instantiates files from templates according to the
+-current configuration.
++\`$as_me' instantiates files and other configuration actions
++from templates according to the current configuration.  Unless the files
++and actions are specified as TAGs, all are instantiated by default.
+ 
+-Usage: $0 [OPTIONS] [FILE]...
++Usage: $0 [OPTION]... [TAG]...
+ 
+   -h, --help       print this help, then exit
+   -V, --version    print version number and configuration settings, then exit
+-  -q, --quiet      do not print progress messages
++      --config     print configuration, then exit
++  -q, --quiet, --silent
++                   do not print progress messages
+   -d, --debug      don't remove temporary files
+       --recheck    update $as_me by reconfiguring in the same conditions
+-  --file=FILE[:TEMPLATE]
+-		   instantiate the configuration file FILE
++      --file=FILE[:TEMPLATE]
++                   instantiate the configuration file FILE
+ 
+ Configuration files:
+ $config_files
+ 
+-Report bugs to <bug-autoconf@gnu.org>."
++Report bugs to the package provider."
+ 
+ _ACEOF
+-cat >>$CONFIG_STATUS <<_ACEOF
++cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
++ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
+ ac_cs_version="\\
+ config.status
+-configured by $0, generated by GNU Autoconf 2.61,
+-  with options \\"`echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`\\"
++configured by $0, generated by GNU Autoconf 2.67,
++  with options \\"\$ac_cs_config\\"
+ 
+-Copyright (C) 2006 Free Software Foundation, Inc.
++Copyright (C) 2010 Free Software Foundation, Inc.
+ This config.status script is free software; the Free Software Foundation
+ gives unlimited permission to copy, distribute and modify it."
+ 
+ ac_pwd='$ac_pwd'
+ srcdir='$srcdir'
++test -n "\$AWK" || AWK=awk
+ _ACEOF
+ 
+-cat >>$CONFIG_STATUS <<\_ACEOF
+-# If no file are specified by the user, then we need to provide default
+-# value.  By we need to know if files were specified by the user.
++cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
++# The default lists apply if the user does not specify any file.
+ ac_need_defaults=:
+ while test $# != 0
+ do
+   case $1 in
+-  --*=*)
++  --*=?*)
+     ac_option=`expr "X$1" : 'X\([^=]*\)='`
+     ac_optarg=`expr "X$1" : 'X[^=]*=\(.*\)'`
+     ac_shift=:
+     ;;
++  --*=)
++    ac_option=`expr "X$1" : 'X\([^=]*\)='`
++    ac_optarg=
++    ac_shift=:
++    ;;
+   *)
+     ac_option=$1
+     ac_optarg=$2
+@@ -3169,25 +3914,30 @@
+   -recheck | --recheck | --rechec | --reche | --rech | --rec | --re | --r)
+     ac_cs_recheck=: ;;
+   --version | --versio | --versi | --vers | --ver | --ve | --v | -V )
+-    echo "$ac_cs_version"; exit ;;
++    $as_echo "$ac_cs_version"; exit ;;
++  --config | --confi | --conf | --con | --co | --c )
++    $as_echo "$ac_cs_config"; exit ;;
+   --debug | --debu | --deb | --de | --d | -d )
+     debug=: ;;
+   --file | --fil | --fi | --f )
+     $ac_shift
+-    CONFIG_FILES="$CONFIG_FILES $ac_optarg"
++    case $ac_optarg in
++    *\'*) ac_optarg=`$as_echo "$ac_optarg" | sed "s/'/'\\\\\\\\''/g"` ;;
++    '') as_fn_error $? "missing file argument" ;;
++    esac
++    as_fn_append CONFIG_FILES " '$ac_optarg'"
+     ac_need_defaults=false;;
+   --he | --h |  --help | --hel | -h )
+-    echo "$ac_cs_usage"; exit ;;
++    $as_echo "$ac_cs_usage"; exit ;;
+   -q | -quiet | --quiet | --quie | --qui | --qu | --q \
+   | -silent | --silent | --silen | --sile | --sil | --si | --s)
+     ac_cs_silent=: ;;
+ 
+   # This is an error.
+-  -*) { echo "$as_me: error: unrecognized option: $1
+-Try \`$0 --help' for more information." >&2
+-   { (exit 1); exit 1; }; } ;;
++  -*) as_fn_error $? "unrecognized option: \`$1'
++Try \`$0 --help' for more information." ;;
+ 
+-  *) ac_config_targets="$ac_config_targets $1"
++  *) as_fn_append ac_config_targets " $1"
+      ac_need_defaults=false ;;
+ 
+   esac
+@@ -3202,30 +3952,32 @@
+ fi
+ 
+ _ACEOF
+-cat >>$CONFIG_STATUS <<_ACEOF
++cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
+ if \$ac_cs_recheck; then
+-  echo "running CONFIG_SHELL=$SHELL $SHELL $0 "$ac_configure_args \$ac_configure_extra_args " --no-create --no-recursion" >&6
+-  CONFIG_SHELL=$SHELL
++  set X '$SHELL' '$0' $ac_configure_args \$ac_configure_extra_args --no-create --no-recursion
++  shift
++  \$as_echo "running CONFIG_SHELL=$SHELL \$*" >&6
++  CONFIG_SHELL='$SHELL'
+   export CONFIG_SHELL
+-  exec $SHELL "$0"$ac_configure_args \$ac_configure_extra_args --no-create --no-recursion
++  exec "\$@"
+ fi
+ 
+ _ACEOF
+-cat >>$CONFIG_STATUS <<\_ACEOF
++cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
+ exec 5>>config.log
+ {
+   echo
+   sed 'h;s/./-/g;s/^.../## /;s/...$/ ##/;p;x;p;x' <<_ASBOX
+ ## Running $as_me. ##
+ _ASBOX
+-  echo "$ac_log"
++  $as_echo "$ac_log"
+ } >&5
+ 
+ _ACEOF
+-cat >>$CONFIG_STATUS <<_ACEOF
++cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
+ _ACEOF
+ 
+-cat >>$CONFIG_STATUS <<\_ACEOF
++cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
+ 
+ # Handling of arguments.
+ for ac_config_target in $ac_config_targets
+@@ -3233,9 +3985,7 @@
+   case $ac_config_target in
+     "Makefile") CONFIG_FILES="$CONFIG_FILES Makefile" ;;
+ 
+-  *) { { echo "$as_me:$LINENO: error: invalid argument: $ac_config_target" >&5
+-echo "$as_me: error: invalid argument: $ac_config_target" >&2;}
+-   { (exit 1); exit 1; }; };;
++  *) as_fn_error $? "invalid argument: \`$ac_config_target'" "$LINENO" 5 ;;
+   esac
+ done
+ 
+@@ -3260,7 +4010,7 @@
+   trap 'exit_status=$?
+   { test -z "$tmp" || test ! -d "$tmp" || rm -fr "$tmp"; } && exit $exit_status
+ ' 0
+-  trap '{ (exit 1); exit 1; }' 1 2 13 15
++  trap 'as_fn_exit 1' 1 2 13 15
+ }
+ # Create a (secure) tmp directory for tmp files.
+ 
+@@ -3271,145 +4021,177 @@
+ {
+   tmp=./conf$$-$RANDOM
+   (umask 077 && mkdir "$tmp")
+-} ||
+-{
+-   echo "$me: cannot create a temporary directory in ." >&2
+-   { (exit 1); exit 1; }
+-}
+-
+-#
+-# Set up the sed scripts for CONFIG_FILES section.
+-#
++} || as_fn_error $? "cannot create a temporary directory in ." "$LINENO" 5
+ 
+-# No need to generate the scripts if there are no CONFIG_FILES.
+-# This happens for instance when ./config.status config.h
++# Set up the scripts for CONFIG_FILES section.
++# No need to generate them if there are no CONFIG_FILES.
++# This happens for instance with `./config.status config.h'.
+ if test -n "$CONFIG_FILES"; then
+ 
+-_ACEOF
+ 
++ac_cr=`echo X | tr X '\015'`
++# On cygwin, bash can eat \r inside `` if the user requested igncr.
++# But we know of no other shell where ac_cr would be empty at this
++# point, so we can use a bashism as a fallback.
++if test "x$ac_cr" = x; then
++  eval ac_cr=\$\'\\r\'
++fi
++ac_cs_awk_cr=`$AWK 'BEGIN { print "a\rb" }' </dev/null 2>/dev/null`
++if test "$ac_cs_awk_cr" = "a${ac_cr}b"; then
++  ac_cs_awk_cr='\\r'
++else
++  ac_cs_awk_cr=$ac_cr
++fi
++
++echo 'BEGIN {' >"$tmp/subs1.awk" &&
++_ACEOF
+ 
+ 
++{
++  echo "cat >conf$$subs.awk <<_ACEOF" &&
++  echo "$ac_subst_vars" | sed 's/.*/&!$&$ac_delim/' &&
++  echo "_ACEOF"
++} >conf$$subs.sh ||
++  as_fn_error $? "could not make $CONFIG_STATUS" "$LINENO" 5
++ac_delim_num=`echo "$ac_subst_vars" | grep -c '^'`
+ ac_delim='%!_!# '
+ for ac_last_try in false false false false false :; do
+-  cat >conf$$subs.sed <<_ACEOF
+-SHELL!$SHELL$ac_delim
+-PATH_SEPARATOR!$PATH_SEPARATOR$ac_delim
+-PACKAGE_NAME!$PACKAGE_NAME$ac_delim
+-PACKAGE_TARNAME!$PACKAGE_TARNAME$ac_delim
+-PACKAGE_VERSION!$PACKAGE_VERSION$ac_delim
+-PACKAGE_STRING!$PACKAGE_STRING$ac_delim
+-PACKAGE_BUGREPORT!$PACKAGE_BUGREPORT$ac_delim
+-exec_prefix!$exec_prefix$ac_delim
+-prefix!$prefix$ac_delim
+-program_transform_name!$program_transform_name$ac_delim
+-bindir!$bindir$ac_delim
+-sbindir!$sbindir$ac_delim
+-libexecdir!$libexecdir$ac_delim
+-datarootdir!$datarootdir$ac_delim
+-datadir!$datadir$ac_delim
+-sysconfdir!$sysconfdir$ac_delim
+-sharedstatedir!$sharedstatedir$ac_delim
+-localstatedir!$localstatedir$ac_delim
+-includedir!$includedir$ac_delim
+-oldincludedir!$oldincludedir$ac_delim
+-docdir!$docdir$ac_delim
+-infodir!$infodir$ac_delim
+-htmldir!$htmldir$ac_delim
+-dvidir!$dvidir$ac_delim
+-pdfdir!$pdfdir$ac_delim
+-psdir!$psdir$ac_delim
+-libdir!$libdir$ac_delim
+-localedir!$localedir$ac_delim
+-mandir!$mandir$ac_delim
+-DEFS!$DEFS$ac_delim
+-ECHO_C!$ECHO_C$ac_delim
+-ECHO_N!$ECHO_N$ac_delim
+-ECHO_T!$ECHO_T$ac_delim
+-LIBS!$LIBS$ac_delim
+-build_alias!$build_alias$ac_delim
+-host_alias!$host_alias$ac_delim
+-target_alias!$target_alias$ac_delim
+-CC!$CC$ac_delim
+-CFLAGS!$CFLAGS$ac_delim
+-LDFLAGS!$LDFLAGS$ac_delim
+-CPPFLAGS!$CPPFLAGS$ac_delim
+-ac_ct_CC!$ac_ct_CC$ac_delim
+-EXEEXT!$EXEEXT$ac_delim
+-OBJEXT!$OBJEXT$ac_delim
+-eap_tnc_cflags!$eap_tnc_cflags$ac_delim
+-eap_tnc_ldflags!$eap_tnc_ldflags$ac_delim
+-targetname!$targetname$ac_delim
+-LIBOBJS!$LIBOBJS$ac_delim
+-LTLIBOBJS!$LTLIBOBJS$ac_delim
+-_ACEOF
++  . ./conf$$subs.sh ||
++    as_fn_error $? "could not make $CONFIG_STATUS" "$LINENO" 5
+ 
+-  if test `sed -n "s/.*$ac_delim\$/X/p" conf$$subs.sed | grep -c X` = 49; then
++  ac_delim_n=`sed -n "s/.*$ac_delim\$/X/p" conf$$subs.awk | grep -c X`
++  if test $ac_delim_n = $ac_delim_num; then
+     break
+   elif $ac_last_try; then
+-    { { echo "$as_me:$LINENO: error: could not make $CONFIG_STATUS" >&5
+-echo "$as_me: error: could not make $CONFIG_STATUS" >&2;}
+-   { (exit 1); exit 1; }; }
++    as_fn_error $? "could not make $CONFIG_STATUS" "$LINENO" 5
+   else
+     ac_delim="$ac_delim!$ac_delim _$ac_delim!! "
+   fi
+ done
++rm -f conf$$subs.sh
+ 
+-ac_eof=`sed -n '/^CEOF[0-9]*$/s/CEOF/0/p' conf$$subs.sed`
+-if test -n "$ac_eof"; then
+-  ac_eof=`echo "$ac_eof" | sort -nru | sed 1q`
+-  ac_eof=`expr $ac_eof + 1`
+-fi
+-
+-cat >>$CONFIG_STATUS <<_ACEOF
+-cat >"\$tmp/subs-1.sed" <<\CEOF$ac_eof
+-/@[a-zA-Z_][a-zA-Z_0-9]*@/!b end
+-_ACEOF
+-sed '
+-s/[,\\&]/\\&/g; s/@/@|#_!!_#|/g
+-s/^/s,@/; s/!/@,|#_!!_#|/
+-:n
+-t n
+-s/'"$ac_delim"'$/,g/; t
+-s/$/\\/; p
+-N; s/^.*\n//; s/[,\\&]/\\&/g; s/@/@|#_!!_#|/g; b n
+-' >>$CONFIG_STATUS <conf$$subs.sed
+-rm -f conf$$subs.sed
+-cat >>$CONFIG_STATUS <<_ACEOF
+-:end
+-s/|#_!!_#|//g
+-CEOF$ac_eof
++cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
++cat >>"\$tmp/subs1.awk" <<\\_ACAWK &&
+ _ACEOF
++sed -n '
++h
++s/^/S["/; s/!.*/"]=/
++p
++g
++s/^[^!]*!//
++:repl
++t repl
++s/'"$ac_delim"'$//
++t delim
++:nl
++h
++s/\(.\{148\}\)..*/\1/
++t more1
++s/["\\]/\\&/g; s/^/"/; s/$/\\n"\\/
++p
++n
++b repl
++:more1
++s/["\\]/\\&/g; s/^/"/; s/$/"\\/
++p
++g
++s/.\{148\}//
++t nl
++:delim
++h
++s/\(.\{148\}\)..*/\1/
++t more2
++s/["\\]/\\&/g; s/^/"/; s/$/"/
++p
++b
++:more2
++s/["\\]/\\&/g; s/^/"/; s/$/"\\/
++p
++g
++s/.\{148\}//
++t delim
++' <conf$$subs.awk | sed '
++/^[^""]/{
++  N
++  s/\n//
++}
++' >>$CONFIG_STATUS || ac_write_fail=1
++rm -f conf$$subs.awk
++cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
++_ACAWK
++cat >>"\$tmp/subs1.awk" <<_ACAWK &&
++  for (key in S) S_is_set[key] = 1
++  FS = ""
++
++}
++{
++  line = $ 0
++  nfields = split(line, field, "@")
++  substed = 0
++  len = length(field[1])
++  for (i = 2; i < nfields; i++) {
++    key = field[i]
++    keylen = length(key)
++    if (S_is_set[key]) {
++      value = S[key]
++      line = substr(line, 1, len) "" value "" substr(line, len + keylen + 3)
++      len += length(value) + length(field[++i])
++      substed = 1
++    } else
++      len += 1 + keylen
++  }
++
++  print line
++}
+ 
++_ACAWK
++_ACEOF
++cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
++if sed "s/$ac_cr//" < /dev/null > /dev/null 2>&1; then
++  sed "s/$ac_cr\$//; s/$ac_cr/$ac_cs_awk_cr/g"
++else
++  cat
++fi < "$tmp/subs1.awk" > "$tmp/subs.awk" \
++  || as_fn_error $? "could not setup config files machinery" "$LINENO" 5
++_ACEOF
+ 
+-# VPATH may cause trouble with some makes, so we remove $(srcdir),
+-# ${srcdir} and @srcdir@ from VPATH if srcdir is ".", strip leading and
++# VPATH may cause trouble with some makes, so we remove sole $(srcdir),
++# ${srcdir} and @srcdir@ entries from VPATH if srcdir is ".", strip leading and
+ # trailing colons and then remove the whole line if VPATH becomes empty
+ # (actually we leave an empty line to preserve line numbers).
+ if test "x$srcdir" = x.; then
+-  ac_vpsub='/^[	 ]*VPATH[	 ]*=/{
+-s/:*\$(srcdir):*/:/
+-s/:*\${srcdir}:*/:/
+-s/:*@srcdir@:*/:/
+-s/^\([^=]*=[	 ]*\):*/\1/
++  ac_vpsub='/^[	 ]*VPATH[	 ]*=[	 ]*/{
++h
++s///
++s/^/:/
++s/[	 ]*$/:/
++s/:\$(srcdir):/:/g
++s/:\${srcdir}:/:/g
++s/:@srcdir@:/:/g
++s/^:*//
+ s/:*$//
++x
++s/\(=[	 ]*\).*/\1/
++G
++s/\n//
+ s/^[^=]*=[	 ]*$//
+ }'
+ fi
+ 
+-cat >>$CONFIG_STATUS <<\_ACEOF
++cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
+ fi # test -n "$CONFIG_FILES"
+ 
+ 
+-for ac_tag in  :F $CONFIG_FILES
++eval set X "  :F $CONFIG_FILES      "
++shift
++for ac_tag
+ do
+   case $ac_tag in
+   :[FHLC]) ac_mode=$ac_tag; continue;;
+   esac
+   case $ac_mode$ac_tag in
+   :[FHL]*:*);;
+-  :L* | :C*:*) { { echo "$as_me:$LINENO: error: Invalid tag $ac_tag." >&5
+-echo "$as_me: error: Invalid tag $ac_tag." >&2;}
+-   { (exit 1); exit 1; }; };;
++  :L* | :C*:*) as_fn_error $? "invalid tag \`$ac_tag'" "$LINENO" 5 ;;
+   :[FH]-) ac_tag=-:-;;
+   :[FH]*) ac_tag=$ac_tag:$ac_tag.in;;
+   esac
+@@ -3437,26 +4219,34 @@
+ 	   [\\/$]*) false;;
+ 	   *) test -f "$srcdir/$ac_f" && ac_f="$srcdir/$ac_f";;
+ 	   esac ||
+-	   { { echo "$as_me:$LINENO: error: cannot find input file: $ac_f" >&5
+-echo "$as_me: error: cannot find input file: $ac_f" >&2;}
+-   { (exit 1); exit 1; }; };;
++	   as_fn_error 1 "cannot find input file: \`$ac_f'" "$LINENO" 5 ;;
+       esac
+-      ac_file_inputs="$ac_file_inputs $ac_f"
++      case $ac_f in *\'*) ac_f=`$as_echo "$ac_f" | sed "s/'/'\\\\\\\\''/g"`;; esac
++      as_fn_append ac_file_inputs " '$ac_f'"
+     done
+ 
+     # Let's still pretend it is `configure' which instantiates (i.e., don't
+     # use $as_me), people would be surprised to read:
+     #    /* config.h.  Generated by config.status.  */
+-    configure_input="Generated from "`IFS=:
+-	  echo $* | sed 's|^[^:]*/||;s|:[^:]*/|, |g'`" by configure."
++    configure_input='Generated from '`
++	  $as_echo "$*" | sed 's|^[^:]*/||;s|:[^:]*/|, |g'
++	`' by configure.'
+     if test x"$ac_file" != x-; then
+       configure_input="$ac_file.  $configure_input"
+-      { echo "$as_me:$LINENO: creating $ac_file" >&5
+-echo "$as_me: creating $ac_file" >&6;}
++      { $as_echo "$as_me:${as_lineno-$LINENO}: creating $ac_file" >&5
++$as_echo "$as_me: creating $ac_file" >&6;}
+     fi
++    # Neutralize special characters interpreted by sed in replacement strings.
++    case $configure_input in #(
++    *\&* | *\|* | *\\* )
++       ac_sed_conf_input=`$as_echo "$configure_input" |
++       sed 's/[\\\\&|]/\\\\&/g'`;; #(
++    *) ac_sed_conf_input=$configure_input;;
++    esac
+ 
+     case $ac_tag in
+-    *:-:* | *:-) cat >"$tmp/stdin";;
++    *:-:* | *:-) cat >"$tmp/stdin" \
++      || as_fn_error $? "could not create $ac_file" "$LINENO" 5  ;;
+     esac
+     ;;
+   esac
+@@ -3466,42 +4256,7 @@
+ 	 X"$ac_file" : 'X\(//\)[^/]' \| \
+ 	 X"$ac_file" : 'X\(//\)$' \| \
+ 	 X"$ac_file" : 'X\(/\)' \| . 2>/dev/null ||
+-echo X"$ac_file" |
+-    sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{
+-	    s//\1/
+-	    q
+-	  }
+-	  /^X\(\/\/\)[^/].*/{
+-	    s//\1/
+-	    q
+-	  }
+-	  /^X\(\/\/\)$/{
+-	    s//\1/
+-	    q
+-	  }
+-	  /^X\(\/\).*/{
+-	    s//\1/
+-	    q
+-	  }
+-	  s/.*/./; q'`
+-  { as_dir="$ac_dir"
+-  case $as_dir in #(
+-  -*) as_dir=./$as_dir;;
+-  esac
+-  test -d "$as_dir" || { $as_mkdir_p && mkdir -p "$as_dir"; } || {
+-    as_dirs=
+-    while :; do
+-      case $as_dir in #(
+-      *\'*) as_qdir=`echo "$as_dir" | sed "s/'/'\\\\\\\\''/g"`;; #(
+-      *) as_qdir=$as_dir;;
+-      esac
+-      as_dirs="'$as_qdir' $as_dirs"
+-      as_dir=`$as_dirname -- "$as_dir" ||
+-$as_expr X"$as_dir" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \
+-	 X"$as_dir" : 'X\(//\)[^/]' \| \
+-	 X"$as_dir" : 'X\(//\)$' \| \
+-	 X"$as_dir" : 'X\(/\)' \| . 2>/dev/null ||
+-echo X"$as_dir" |
++$as_echo X"$ac_file" |
+     sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{
+ 	    s//\1/
+ 	    q
+@@ -3519,20 +4274,15 @@
+ 	    q
+ 	  }
+ 	  s/.*/./; q'`
+-      test -d "$as_dir" && break
+-    done
+-    test -z "$as_dirs" || eval "mkdir $as_dirs"
+-  } || test -d "$as_dir" || { { echo "$as_me:$LINENO: error: cannot create directory $as_dir" >&5
+-echo "$as_me: error: cannot create directory $as_dir" >&2;}
+-   { (exit 1); exit 1; }; }; }
++  as_dir="$ac_dir"; as_fn_mkdir_p
+   ac_builddir=.
+ 
+ case "$ac_dir" in
+ .) ac_dir_suffix= ac_top_builddir_sub=. ac_top_build_prefix= ;;
+ *)
+-  ac_dir_suffix=/`echo "$ac_dir" | sed 's,^\.[\\/],,'`
++  ac_dir_suffix=/`$as_echo "$ac_dir" | sed 's|^\.[\\/]||'`
+   # A ".." for each directory in $ac_dir_suffix.
+-  ac_top_builddir_sub=`echo "$ac_dir_suffix" | sed 's,/[^\\/]*,/..,g;s,/,,'`
++  ac_top_builddir_sub=`$as_echo "$ac_dir_suffix" | sed 's|/[^\\/]*|/..|g;s|/||'`
+   case $ac_top_builddir_sub in
+   "") ac_top_builddir_sub=. ac_top_build_prefix= ;;
+   *)  ac_top_build_prefix=$ac_top_builddir_sub/ ;;
+@@ -3568,12 +4318,12 @@
+ 
+ _ACEOF
+ 
+-cat >>$CONFIG_STATUS <<\_ACEOF
++cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
+ # If the template does not know about datarootdir, expand it.
+ # FIXME: This hack should be removed a few years after 2.60.
+ ac_datarootdir_hack=; ac_datarootdir_seen=
+-
+-case `sed -n '/datarootdir/ {
++ac_sed_dataroot='
++/datarootdir/ {
+   p
+   q
+ }
+@@ -3581,36 +4331,37 @@
+ /@docdir@/p
+ /@infodir@/p
+ /@localedir@/p
+-/@mandir@/p
+-' $ac_file_inputs` in
++/@mandir@/p'
++case `eval "sed -n \"\$ac_sed_dataroot\" $ac_file_inputs"` in
+ *datarootdir*) ac_datarootdir_seen=yes;;
+ *@datadir@*|*@docdir@*|*@infodir@*|*@localedir@*|*@mandir@*)
+-  { echo "$as_me:$LINENO: WARNING: $ac_file_inputs seems to ignore the --datarootdir setting" >&5
+-echo "$as_me: WARNING: $ac_file_inputs seems to ignore the --datarootdir setting" >&2;}
++  { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: $ac_file_inputs seems to ignore the --datarootdir setting" >&5
++$as_echo "$as_me: WARNING: $ac_file_inputs seems to ignore the --datarootdir setting" >&2;}
+ _ACEOF
+-cat >>$CONFIG_STATUS <<_ACEOF
++cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
+   ac_datarootdir_hack='
+   s&@datadir@&$datadir&g
+   s&@docdir@&$docdir&g
+   s&@infodir@&$infodir&g
+   s&@localedir@&$localedir&g
+   s&@mandir@&$mandir&g
+-    s&\\\${datarootdir}&$datarootdir&g' ;;
++  s&\\\${datarootdir}&$datarootdir&g' ;;
+ esac
+ _ACEOF
+ 
+ # Neutralize VPATH when `$srcdir' = `.'.
+ # Shell code in configure.ac might set extrasub.
+ # FIXME: do we really want to maintain this feature?
+-cat >>$CONFIG_STATUS <<_ACEOF
+-  sed "$ac_vpsub
++cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
++ac_sed_extra="$ac_vpsub
+ $extrasub
+ _ACEOF
+-cat >>$CONFIG_STATUS <<\_ACEOF
++cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
+ :t
+ /@[a-zA-Z_][a-zA-Z_0-9]*@/!b
+-s&@configure_input@&$configure_input&;t t
++s|@configure_input@|$ac_sed_conf_input|;t t
+ s&@top_builddir@&$ac_top_builddir_sub&;t t
++s&@top_build_prefix@&$ac_top_build_prefix&;t t
+ s&@srcdir@&$ac_srcdir&;t t
+ s&@abs_srcdir@&$ac_abs_srcdir&;t t
+ s&@top_srcdir@&$ac_top_srcdir&;t t
+@@ -3619,21 +4370,24 @@
+ s&@abs_builddir@&$ac_abs_builddir&;t t
+ s&@abs_top_builddir@&$ac_abs_top_builddir&;t t
+ $ac_datarootdir_hack
+-" $ac_file_inputs | sed -f "$tmp/subs-1.sed" >$tmp/out
++"
++eval sed \"\$ac_sed_extra\" "$ac_file_inputs" | $AWK -f "$tmp/subs.awk" >$tmp/out \
++  || as_fn_error $? "could not create $ac_file" "$LINENO" 5
+ 
+ test -z "$ac_datarootdir_hack$ac_datarootdir_seen" &&
+   { ac_out=`sed -n '/\${datarootdir}/p' "$tmp/out"`; test -n "$ac_out"; } &&
+   { ac_out=`sed -n '/^[	 ]*datarootdir[	 ]*:*=/p' "$tmp/out"`; test -z "$ac_out"; } &&
+-  { echo "$as_me:$LINENO: WARNING: $ac_file contains a reference to the variable \`datarootdir'
+-which seems to be undefined.  Please make sure it is defined." >&5
+-echo "$as_me: WARNING: $ac_file contains a reference to the variable \`datarootdir'
+-which seems to be undefined.  Please make sure it is defined." >&2;}
++  { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: $ac_file contains a reference to the variable \`datarootdir'
++which seems to be undefined.  Please make sure it is defined" >&5
++$as_echo "$as_me: WARNING: $ac_file contains a reference to the variable \`datarootdir'
++which seems to be undefined.  Please make sure it is defined" >&2;}
+ 
+   rm -f "$tmp/stdin"
+   case $ac_file in
+-  -) cat "$tmp/out"; rm -f "$tmp/out";;
+-  *) rm -f "$ac_file"; mv "$tmp/out" $ac_file;;
+-  esac
++  -) cat "$tmp/out" && rm -f "$tmp/out";;
++  *) rm -f "$ac_file" && mv "$tmp/out" "$ac_file";;
++  esac \
++  || as_fn_error $? "could not create $ac_file" "$LINENO" 5
+  ;;
+ 
+ 
+@@ -3643,11 +4397,13 @@
+ done # for ac_tag
+ 
+ 
+-{ (exit 0); exit 0; }
++as_fn_exit 0
+ _ACEOF
+-chmod +x $CONFIG_STATUS
+ ac_clean_files=$ac_clean_files_save
+ 
++test $ac_write_fail = 0 ||
++  as_fn_error $? "write failure creating $CONFIG_STATUS" "$LINENO" 5
++
+ 
+ # configure is writing to config.log, and then calls config.status.
+ # config.status does its own redirection, appending to config.log.
+@@ -3667,7 +4423,10 @@
+   exec 5>>config.log
+   # Use ||, not &&, to avoid exiting from the if with $? = 1, which
+   # would make configure fail if this is the last instruction.
+-  $ac_cs_success || { (exit 1); exit 1; }
++  $ac_cs_success || as_fn_exit 1
++fi
++if test -n "$ac_unrecognized_opts" && test "$enable_option_checking" != no; then
++  { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: unrecognized options: $ac_unrecognized_opts" >&5
++$as_echo "$as_me: WARNING: unrecognized options: $ac_unrecognized_opts" >&2;}
+ fi
+-
+ 
+diff -u -r -N freeradius-server-2.2.0.orig/src/modules/rlm_eap/types/rlm_eap_tnc/configure.in freeradius-server-2.2.0/src/modules/rlm_eap/types/rlm_eap_tnc/configure.in
+--- freeradius-server-2.2.0.orig/src/modules/rlm_eap/types/rlm_eap_tnc/configure.in	2012-09-10 13:51:34.000000000 +0200
++++ freeradius-server-2.2.0/src/modules/rlm_eap/types/rlm_eap_tnc/configure.in	2012-12-04 19:38:00.241420966 +0100
+@@ -2,12 +2,21 @@
+ AC_REVISION($Revision$)
+ AC_DEFUN(modname,[rlm_eap_tnc])
+ 
++eap_tnc_cflags=
++eap_tnc_ldflags=-lnaaeap
++
+ if test x$with_[]modname != xno; then
+ 
+-	AC_CHECK_LIB(TNCS, exchangeTNCCSMessages)
+-	if test "x$ac_cv_lib_tncs_exchangetnccsmessages" != xyes; then
+-		AC_MSG_WARN([the TNCS library isn't found!])
+-		fail="$fail -lTNCS"
++	AC_CHECK_LIB(naaeap,processEAPTNCData,,fail="$fail -lnaaeap",)
++	if test -x"$ac_cv_lib_NAAEAP_processEAPTNCData" == -x"no"; then
++		AC_MSG_WARN([the NAAEAP library was not found!])
++		fail="$fail -lNAAEAP"
++	fi
++	
++	AC_CHECK_HEADERS(naaeap/naaeap.h,,fail="$fail -Inaaeap.h",)
++	if test -x"$ac_cv_header_naaeap_h" == -x"no"; then
++		AC_MSG_WARN([the naaeap header was not found!])
++		fail="$fail -Inaaeap.h"
+ 	fi
+ 
+ 	targetname=modname
+diff -u -r -N freeradius-server-2.2.0.orig/src/modules/rlm_eap/types/rlm_eap_tnc/eap_tnc.c freeradius-server-2.2.0/src/modules/rlm_eap/types/rlm_eap_tnc/eap_tnc.c
+--- freeradius-server-2.2.0.orig/src/modules/rlm_eap/types/rlm_eap_tnc/eap_tnc.c	2012-09-10 13:51:34.000000000 +0200
++++ freeradius-server-2.2.0/src/modules/rlm_eap/types/rlm_eap_tnc/eap_tnc.c	2012-12-04 19:38:00.241420966 +0100
+@@ -1,12 +1,12 @@
+ /*
+  *   eap_tnc.c  EAP TNC functionality.
+  *
+- *   This software is Copyright (C) 2006,2007 FH Hannover
++ *   This software is Copyright (C) 2006-2009 FH Hannover
+  *
+  *   Portions of this code unrelated to FreeRADIUS are available
+  *   separately under a commercial license.  If you require an
+  *   implementation of EAP-TNC that is not under the GPLv2, please
+- *   contact tnc@inform.fh-hannover.de for details.
++ *   contact trust@f4-i.fh-hannover.de for details.
+  *
+  *   This program is free software; you can redistribute it and/or modify
+  *   it under the terms of the GNU General Public License as published by
+@@ -23,230 +23,41 @@
+  *   Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
+  *
+  */
+-#include <freeradius-devel/ident.h>
+-RCSID("$Id$")
+-
+-
+-/*
+- *
+- *  MD5 Packet Format in EAP Type-Data
+- *  --- ------ ------ -- --- ---------
+- *  0                   1                   2                   3
+- *  0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+- * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+- * |  Value-Size   |  Value ...
+- * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+- * |  Name ...
+- * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+- *
+- * EAP-TNC Packet Format in EAP Type-Data
+- * 
+- *  0                   1                   2                   3
+- *  0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+- * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+- * |  Flags  |Ver  | Data Length ...                                   
+- * |L M S R R|=1   |                                               
+- * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+- * |...            |  Data ...
+- * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+- 
+- *
+- */
+-
+ #include <stdio.h>
+ #include <stdlib.h>
+ #include "eap.h"
+ 
+ #include "eap_tnc.h"
+ 
+-     /*
+-      *	WTF is wrong with htonl ?
+-      */
+-static uint32_t ByteSwap2 (uint32_t nLongNumber)
+-{
+-   return (((nLongNumber&0x000000FF)<<24)+((nLongNumber&0x0000FF00)<<8)+
+-   ((nLongNumber&0x00FF0000)>>8)+((nLongNumber&0xFF000000)>>24));
+-}
+-
+ /*
+- *      Allocate a new TNC_PACKET
++ *	Forms an EAP_REQUEST packet from the EAP_TNC specific data.
+  */
+-TNC_PACKET *eaptnc_alloc(void)
++int eaptnc_compose(EAP_HANDLER *handler, TNC_BufferReference request, TNC_UInt32 length, uint8_t code)
+ {
+-	TNC_PACKET   *rp;
+-
+-	if ((rp = malloc(sizeof(TNC_PACKET))) == NULL) {
+-		radlog(L_ERR, "rlm_eap_tnc: out of memory");
+-		return NULL;
++	// check parameters
++	if(handler == NULL || (request == NULL && length != 0) || (request != NULL && length < 1) || code > PW_EAP_MAX_CODES){
++		radlog(L_ERR, "rlm_eap_tnc: eaptnc_compose invalid parameters: handler == %p, request == %p, length == %lu, code == %u", handler, request, length, code);
++		return 0;
+ 	}
+-	memset(rp, 0, sizeof(TNC_PACKET));
+-	return rp;
+-}
+-
+-/*
+- *      Free TNC_PACKET
+- */
+-void eaptnc_free(TNC_PACKET **tnc_packet_ptr)
+-{
+-	TNC_PACKET *tnc_packet;
+-
+-	if (!tnc_packet_ptr) return;
+-	tnc_packet = *tnc_packet_ptr;
+-	if (tnc_packet == NULL) return;
+-
+-	if (tnc_packet->data) free(tnc_packet->data);
+ 
+-	free(tnc_packet);
+-
+-	*tnc_packet_ptr = NULL;
+-}
+-
+-/*
+- *	We expect only RESPONSE for which REQUEST, SUCCESS or FAILURE is sent back
+- */
+-TNC_PACKET *eaptnc_extract(EAP_DS *eap_ds)
+-{
+-	tnc_packet_t	*data;
+-	TNC_PACKET	*packet;
+-	/*
+-	 *	We need a response, of type EAP-TNC
+-     */
+-	if (!eap_ds 					 ||
+-	    !eap_ds->response 				 ||
+-	    (eap_ds->response->code != PW_TNC_RESPONSE)	 ||
+-	    eap_ds->response->type.type != PW_EAP_TNC	 ||
+-	    !eap_ds->response->type.data 		 ||
+-	    (eap_ds->response->length <= TNC_HEADER_LEN) ||
+-	    (eap_ds->response->type.data[0] <= 0)) {
+-		radlog(L_ERR, "rlm_eap_tnc: corrupted data");
+-		return NULL;
++	// further check parameters
++	if(handler->opaque == NULL || handler->eap_ds == NULL){
++		radlog(L_ERR, "rlm_eap_tnc: eaptnc_compose invalid parameters: handler->opaque == %p, handler->eap_ds == %p", handler->opaque, handler->eap_ds);
++		return 0;
+ 	}
+-	packet = eaptnc_alloc();
+-	if (!packet) return NULL;
+-
+ 
+-	packet->code = eap_ds->response->code;
+-	packet->id = eap_ds->response->id;
+-	packet->length = eap_ds->response->length; 
+-
+-	data = (tnc_packet_t *)eap_ds->response->type.data;
+-	/*
+-	 *	Already checked the size above.
+-	 */
+-    packet->flags_ver = data->flags_ver;
+-    unsigned char *ptr = (unsigned char*)data;
+-
+-
+-	DEBUG2("Flags/Ver: %x\n", packet->flags_ver);
+-	int thisDataLength;
+-    int dataStart;
+-    if(TNC_LENGTH_INCLUDED(packet->flags_ver)){
+-        DEBUG2("data_length included\n");
+-//        memcpy(&packet->flags_ver[1], &data->flags_ver[1], 4);
+-        //packet->data_length = data->data_length;
+-        memcpy(&packet->data_length, &ptr[1], TNC_DATA_LENGTH_LENGTH);
+-        DEBUG2("data_length: %x\n", packet->data_length);
+-        DEBUG2("data_length: %d\n", packet->data_length);
+-        DEBUG2("data_length: %x\n", ByteSwap2(packet->data_length));
+-        DEBUG2("data_length: %d\n", ByteSwap2(packet->data_length));
+-        packet->data_length = ByteSwap2(packet->data_length);
+-		thisDataLength = packet->length-TNC_PACKET_LENGTH; //1: we need space for flags_ver
+-        dataStart = TNC_DATA_LENGTH_LENGTH+TNC_FLAGS_VERSION_LENGTH;
+-    }else{
+-        DEBUG2("no data_length included\n");
+-	 	thisDataLength = packet->length-TNC_PACKET_LENGTH_WITHOUT_DATA_LENGTH;
+-        packet->data_length = 0;
+-        dataStart = TNC_FLAGS_VERSION_LENGTH;
+-        
+-    }
+-	/*
+-	 *	Allocate room for the data, and copy over the data.
+-	 */
+-	packet->data = malloc(thisDataLength);
+-	if (packet->data == NULL) {
+-		radlog(L_ERR, "rlm_eap_tnc: out of memory");
+-		eaptnc_free(&packet);
+-		return NULL;
++	if(handler->eap_ds->request == NULL){
++		radlog(L_ERR, "rlm_eap_tnc: eaptnc_compose invalid parameters: handler->eap_ds->request == %p", handler->eap_ds->request);
++		return 0;
+ 	}
+-    
+-    memcpy(packet->data, &(eap_ds->response->type.data[dataStart]), thisDataLength);
+-
+-	return packet;
+-}
+ 
+-
+-/*
+- *	Compose the portions of the reply packet specific to the
+- *	EAP-TNC protocol, in the EAP reply typedata
+- */
+-int eaptnc_compose(EAP_DS *eap_ds, TNC_PACKET *reply)
+-{
+-	uint8_t *ptr;
+-
+-
+-	if (reply->code < 3) {
+-		//fill: EAP-Type (0x888e)
+-		eap_ds->request->type.type = PW_EAP_TNC;
+-        DEBUG2("TYPE: EAP-TNC set\n");
+-		rad_assert(reply->length > 0);
+-		
+-		//alloc enough space for whole TNC-Packet (from Code on)
+-		eap_ds->request->type.data = calloc(reply->length, sizeof(unsigned char*));
+-        DEBUG2("Malloc %d bytes for packet\n", reply->length);
+-		if (eap_ds->request->type.data == NULL) {
+-			radlog(L_ERR, "rlm_eap_tnc: out of memory");
+-			return 0;
+-		}
+-		//put pointer at position where data starts (behind Type)
+-		ptr = eap_ds->request->type.data;
+-		//*ptr = (uint8_t)(reply->data_length & 0xFF);
+-
+-		//ptr++;
+-		*ptr = reply->flags_ver;
+-        DEBUG2("Set Flags/Version: %d\n", *ptr);
+-		if(reply->data_length!=0){
+-            DEBUG2("Set data-length: %d\n", reply->data_length);
+-			ptr++; //move to start-position of "data_length"
+-            DEBUG2("Set data-length: %x\n", reply->data_length);
+-            DEBUG2("Set data-length (swapped): %x\n", ByteSwap2(reply->data_length));
+-            unsigned long swappedDataLength = ByteSwap2(reply->data_length);
+-            //DEBUG2("DATA-length: %d", reply->data_
+-            memcpy(ptr, &swappedDataLength, 4);
+-			//*ptr = swappedDataLength;
+-		}
+-		uint16_t thisDataLength=0;
+-		if(reply->data!=NULL){
+-            DEBUG2("Adding TNCCS-Data ");
+-			int offset;
+-			//if data_length-Field present
+-			if(reply->data_length !=0){
+-                DEBUG2("with Fragmentation\n");
+-				offset = TNC_DATA_LENGTH_LENGTH; //length of data_length-field: 4
+-				thisDataLength = reply->length-TNC_PACKET_LENGTH;
+-			}else{ //data_length-Field not present
+-                DEBUG2("without Fragmentation\n");
+-				offset = 1;
+-				thisDataLength = reply->length-TNC_PACKET_LENGTH_WITHOUT_DATA_LENGTH;
+-			}
+-            DEBUG2("TNCCS-Datalength: %d\n", thisDataLength);
+-			ptr=ptr+offset; //move to start-position of "data"
+-			memcpy(ptr,reply->data, thisDataLength);
+-		}else{
+-            DEBUG2("No TNCCS-Data present");
+-        }
+-
+-		//the length of the TNC-packet (behind Type)
+-        if(reply->data_length!=0){
+-    		eap_ds->request->type.length = TNC_DATA_LENGTH_LENGTH+TNC_FLAGS_VERSION_LENGTH+thisDataLength; //4:data_length, 1: flags_ver
+-        }else{
+-            eap_ds->request->type.length = TNC_FLAGS_VERSION_LENGTH+thisDataLength; //1: flags_ver
+-        }
+-        DEBUG2("Packet built\n");
+-
+-	} else {
+-		eap_ds->request->type.length = 0;
+-	}
+-	eap_ds->request->code = reply->code;
++	// fill EAP data to handler
++	handler->eap_ds->request->code = code;
++	handler->eap_ds->request->type.type = PW_EAP_TNC;
++	// fill EAP TYPE specific data to handler
++	handler->eap_ds->request->type.length = length;
++	free(handler->eap_ds->request->type.data);
++	handler->eap_ds->request->type.data = request;
+ 
+ 	return 1;
+ }
+diff -u -r -N freeradius-server-2.2.0.orig/src/modules/rlm_eap/types/rlm_eap_tnc/eap_tnc.h freeradius-server-2.2.0/src/modules/rlm_eap/types/rlm_eap_tnc/eap_tnc.h
+--- freeradius-server-2.2.0.orig/src/modules/rlm_eap/types/rlm_eap_tnc/eap_tnc.h	2012-09-10 13:51:34.000000000 +0200
++++ freeradius-server-2.2.0/src/modules/rlm_eap/types/rlm_eap_tnc/eap_tnc.h	2012-12-04 19:38:00.241420966 +0100
+@@ -1,10 +1,10 @@
+ /*
+- *   This software is Copyright (C) 2006,2007 FH Hannover
++ *   This software is Copyright (C) 2006-2009 FH Hannover
+  *
+  *   Portions of this code unrelated to FreeRADIUS are available
+  *   separately under a commercial license.  If you require an
+  *   implementation of EAP-TNC that is not under the GPLv2, please
+- *   contact tnc@inform.fh-hannover.de for details.
++ *   contact trust@f4-i.fh-hannover.de for details.
+  *
+  *   This program is free software; you can redistribute it and/or modify
+  *   it under the terms of the GNU General Public License as published by
+@@ -26,105 +26,20 @@
+ #define _EAP_TNC_H
+ 
+ #include "eap.h"
++#include <naaeap/naaeap.h>
+ 
+-#define PW_TNC_REQUEST	1
+-#define PW_TNC_RESPONSE		2
+-#define PW_TNC_SUCCESS		3
+-#define PW_TNC_FAILURE		4
+-#define PW_TNC_MAX_CODES	4
+-
+-#define TNC_HEADER_LEN 		4
+-#define TNC_CHALLENGE_LEN 	16
+-#define TNC_START_LEN 	8
+-
+-#define TNC_PACKET_LENGTH_WITHOUT_DATA_LENGTH 6
+-#define TNC_PACKET_LENGTH 10
+-#define TNC_DATA_LENGTH_LENGTH 4
+-#define TNC_FLAGS_VERSION_LENGTH 1
+-
+-typedef unsigned int VlanAccessMode;
+-
+-#define VLAN_ISOLATE 97
+-#define VLAN_ACCESS 2
+-/*
+- ****
+- * EAP - MD5 doesnot specify code, id & length but chap specifies them,
+- *	for generalization purpose, complete header should be sent
+- *	and not just value_size, value and name.
+- *	future implementation.
+- *
+- *	Huh? What does that mean?
+- */
++#define SET_START(x) 		((x) | (0x20))
+ 
+-/*
++/**
++ * Composes the EAP packet.
+  *
+- *  MD5 Packet Format in EAP Type-Data
+- *  --- ------ ------ -- --- ---------
+- *  0                   1                   2                   3
+- *  0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+- * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+- * |  Value-Size   |  Value ...
+- * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+- * |  Name ...
+- * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+- *
+- * EAP-TNC Packet Format in EAP Type-Data
+- * 
+- *  0                   1                   2                   3
+- *  0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+- * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+- * |  Flags  |Ver  | Data Length ...                                   
+- * |L M S R R|=1   |                                               
+- * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+- * |...            |  Data ...
+- * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+- 
++ * @param handler The EAP_HANDLER from tnc_initiate() or tnc_authenticate
++ * @param request The EAP_TNC packet received from NAA-TNCS
++ * @param length The length of the EAP_TNC packet received from NAA-TNCS
++ * @param code EAP_CODE for the request
+  *
++ * @return True if operation was successful, otherwise false.
+  */
+-
+-/* eap packet structure */
+-typedef struct tnc_packet_t {
+-/*
+-	uint8_t	code;
+-	uint8_t	id;
+-	uint16_t	length;
+-*/
+-	uint8_t	flags_ver;
+-	uint32_t data_length;
+-	uint8_t *data;
+-} tnc_packet_t;
+-
+-typedef struct tnc_packet {
+-	uint8_t		code;
+-	uint8_t		id;
+-	uint16_t	length;
+-	uint8_t	flags_ver;
+-	uint32_t data_length;
+-	uint8_t *data;
+-} TNC_PACKET;
+-
+-#define TNC_START(x) 		(((x) & 0x20) != 0)
+-#define TNC_MORE_FRAGMENTS(x) 	(((x) & 0x40) != 0)
+-#define TNC_LENGTH_INCLUDED(x) 	(((x) & 0x80) != 0)
+-#define TNC_RESERVED_EQ_NULL(x) (((x) & 0x10) == 0 && ((x) & 0x8) == 0)
+-#define TNC_VERSION_EQ_ONE(x) (((x) & 0x07) == 1)
+-
+-#define SET_START(x) 		((x) | (0x20))
+-#define SET_MORE_FRAGMENTS(x) 	((x) | (0x40))
+-#define SET_LENGTH_INCLUDED(x) 	((x) | (0x80))
+-
+-
+-/* function declarations here */
+-
+-TNC_PACKET 	*eaptnc_alloc(void);
+-void 		eaptnc_free(TNC_PACKET **tnc_packet_ptr);
+-
+-int 		eaptnc_compose(EAP_DS *auth, TNC_PACKET *reply);
+-TNC_PACKET 	*eaptnc_extract(EAP_DS *auth);
+-int 		eaptnc_verify(TNC_PACKET *pkt, VALUE_PAIR* pwd, uint8_t *ch);
+-
+-
+-
+-
++int eaptnc_compose(EAP_HANDLER *handler, TNC_BufferReference request, TNC_UInt32 length, uint8_t code);
+ 
+ #endif /*_EAP_TNC_H*/
+diff -u -r -N freeradius-server-2.2.0.orig/src/modules/rlm_eap/types/rlm_eap_tnc/Makefile.in freeradius-server-2.2.0/src/modules/rlm_eap/types/rlm_eap_tnc/Makefile.in
+--- freeradius-server-2.2.0.orig/src/modules/rlm_eap/types/rlm_eap_tnc/Makefile.in	2012-09-10 13:51:34.000000000 +0200
++++ freeradius-server-2.2.0/src/modules/rlm_eap/types/rlm_eap_tnc/Makefile.in	2012-12-04 19:38:49.277421870 +0100
+@@ -3,8 +3,8 @@
+ #
+ 
+ TARGET      = @targetname@
+-SRCS        = rlm_eap_tnc.c eap_tnc.c tncs_connect.c 
+-HEADERS     = eap_tnc.h tncs.h tncs_connect.h ../../eap.h ../../rlm_eap.h
++SRCS        = rlm_eap_tnc.c eap_tnc.c
++HEADERS     = eap_tnc.h ../../eap.h ../../rlm_eap.h
+ RLM_CFLAGS  = -I../.. -I../../libeap $(OPENSSL_INCLUDE) @eap_tnc_cflags@
+ RLM_LIBS    = @eap_tnc_ldflags@ ../../libeap/$(LIBPREFIX)freeradius-eap.la $(OPENSSL_LIBS)
+ RLM_INSTALL =
+diff -u -r -N freeradius-server-2.2.0.orig/src/modules/rlm_eap/types/rlm_eap_tnc/rlm_eap_tnc.c freeradius-server-2.2.0/src/modules/rlm_eap/types/rlm_eap_tnc/rlm_eap_tnc.c
+--- freeradius-server-2.2.0.orig/src/modules/rlm_eap/types/rlm_eap_tnc/rlm_eap_tnc.c	2012-09-10 13:51:34.000000000 +0200
++++ freeradius-server-2.2.0/src/modules/rlm_eap/types/rlm_eap_tnc/rlm_eap_tnc.c	2012-12-04 19:38:00.241420966 +0100
+@@ -1,12 +1,12 @@
+ /*
+  * rlm_eap_tnc.c    Handles that are called from eap
+  *
+- *   This software is Copyright (C) 2006,2007 FH Hannover
++ *   This software is Copyright (C) 2006-2009 FH Hannover
+  *
+  *   Portions of this code unrelated to FreeRADIUS are available
+  *   separately under a commercial license.  If you require an
+  *   implementation of EAP-TNC that is not under the GPLv2, please
+- *   contact tnc@inform.fh-hannover.de for details.
++ *   contact trust@f4-i.fh-hannover.de for details.
+  *
+  *   This program is free software; you can redistribute it and/or modify
+  *   it under the terms of the GNU General Public License as published by
+@@ -26,96 +26,262 @@
+  *   Copyright (C) 2007 Alan DeKok <aland@deployingradius.com>
+  */
+ 
+-#include <freeradius-devel/ident.h>
+-RCSID("$Id$")
++/*
++ * EAP-TNC Packet with EAP Header, general structure
++ *
++ *  0                   1                   2                   3
++ *  0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
++ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
++ * |      Code     |   Identifier  |            Length             |
++ * |               |               |                               |
++ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
++ * |      Type     |  Flags  | Ver |          Data Length          |
++ * |               |L M S R R| =1  |                               |
++ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
++ * |          Data Length          |           Data ...
++ * |                               |
++ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
++ */
+ 
+ #include <freeradius-devel/autoconf.h>
+ 
+ #include <stdio.h>
+ #include <stdlib.h>
+ 
+-#include "tncs_connect.h"
+ #include "eap_tnc.h"
+-#include "tncs.h"
++#include <naaeap/naaeap.h>
+ #include <freeradius-devel/rad_assert.h>
++//#include <freeradius-devel/libradius.h>
+ 
+-typedef struct rlm_eap_tnc_t {
+-	char	*vlan_access;
+-	char	*vlan_isolate;
+-	char	*tnc_path;
+-} rlm_eap_tnc_t;
++#include <netinet/in.h>
+ 
+-static int sessionCounter=0;
++/**
++ * Calculates an identifying string based upon nas_port, nas_ip and nas_port_type.
++ * The maximum length of the calculated string is 70 (not including the trailing '\0').
++ *
++ * @return the number of bytes written to out (not including the trailing '\0')
++ */
++static uint32_t calculateConnectionString(RADIUS_PACKET* radius_packet, char *out, size_t outMaxLength)
++{
++	VALUE_PAIR *vp = NULL;
++	uint32_t nas_port = 0;
++	uint32_t nas_ip = 0;
++	uint32_t nas_port_type = 0;
++
++	char out_nas_port[11];
++	char out_nas_ip_byte_0[4];
++	char out_nas_ip_byte_1[4];
++	char out_nas_ip_byte_2[4];
++	char out_nas_ip_byte_3[4];
++	char out_nas_port_type[11];
++
++    // check for NULL
++	if (radius_packet == NULL) {
++		radlog(L_ERR,
++				"rlm_eap_tnc: calculateConnectionString failed. radius_packet == NULL!");
++		return 0;
++	}
++
++	// read NAS port, ip and port type
++	for (vp = radius_packet->vps; vp; vp=vp->next) {
++		switch (vp->attribute) {
++		case PW_NAS_PORT:
++			nas_port = vp->vp_integer;
++			DEBUG("NAS scr port = %u\n", nas_port);
++			break;
++		case PW_NAS_IP_ADDRESS:
++			nas_ip = vp->vp_ipaddr;
++			DEBUG("NAS scr ip = %X\n", ntohl(nas_ip));
++			break;
++		case PW_NAS_PORT_TYPE:
++			nas_port_type = vp->vp_integer;
++			DEBUG("NAS scr port type = %u\n", nas_port_type);
++			break;
++		}
++	}
++
++	snprintf(out_nas_port, 11, "%u", nas_port);
++	snprintf(out_nas_ip_byte_0, 4, "%u", nas_ip & 0xFF);
++	snprintf(out_nas_ip_byte_1, 4, "%u", (nas_ip >> 8) & 0xFF);
++	snprintf(out_nas_ip_byte_2, 4, "%u", (nas_ip >> 16) & 0xFF);
++	snprintf(out_nas_ip_byte_3, 4, "%u", (nas_ip >> 24) & 0xFF);
++	snprintf(out_nas_port_type, 11, "%u", nas_port_type);
++
++	return snprintf(out, outMaxLength, "NAS Port: %s NAS IP: %s.%s.%s.%s NAS_PORT_TYPE: %s", out_nas_port, out_nas_ip_byte_3, out_nas_ip_byte_2, out_nas_ip_byte_1, out_nas_ip_byte_0, out_nas_port_type);
++}
++
++/*
++ * This function is called when the FreeRADIUS attach this module.
++ */
++static int tnc_attach(CONF_SECTION *conf, void **type_data)
++{
++    // initialize NAA-EAP
++	DEBUG2("TNC-ATTACH initializing NAA-EAP");
++	TNC_Result result = initializeDefault();
++	if (result != TNC_RESULT_SUCCESS) {
++		radlog(L_ERR,
++				"rlm_eap_tnc: tnc_attach error while calling NAA-EAP initializeDefault()");
++		return -1;
++	}
++	return 0;
++}
++
++/*
++ * This function is called when the FreeRADIUS detach this module.
++ */
++static int tnc_detach(void *args)
++{
++    // terminate NAA-EAP
++	DEBUG2("TNC-TERMINATE terminating NAA-EAP");
++	TNC_Result result = terminate();
++	if (result != TNC_RESULT_SUCCESS) {
++		radlog(L_ERR,
++				"rlm_eap_tnc: tnc_attach error while calling NAA-EAP terminate()");
++		return -1;
++	}
++	return 0;
++}
+ 
+ /*
+- *	Initiate the EAP-MD5 session by sending a challenge to the peer.
+- *  Initiate the EAP-TNC session by sending a EAP Request witch Start Bit set 
+- *  and with no data
++ * This function is called when the first EAP_IDENTITY_RESPONSE message
++ * was received.
++ *
++ * Initiates the EPA_TNC session by sending the first EAP_TNC_RESPONSE
++ * to the peer. The packet has the Start-Bit set and contains no data.
++ *
++ *  0                   1                   2                   3
++ *  0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
++ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
++ * |      Code     |   Identifier  |            Length             |
++ * |               |               |                               |
++ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
++ * |      Type     |  Flags  | Ver |
++ * |               |0 0 1 0 0|0 0 1|
++ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
++ *
++ * For this package, only 'Identifier' has to be set dynamically. Any
++ * other information is static.
+  */
+ static int tnc_initiate(void *type_data, EAP_HANDLER *handler)
+ {
+-	uint8_t flags_ver = 1; //set version to 1
+-	rlm_eap_tnc_t *inst = type_data;
+-	TNC_PACKET *reply;
++	size_t buflen = 71;
++	size_t ret = 0;
++	char buf[buflen];
++	REQUEST * request = NULL;
++	TNC_Result result;
++	TNC_ConnectionID conID;
++	TNC_BufferReference username;
+ 
++	// check if we run inside a secure EAP method.
++	// FIXME check concrete outer EAP method
+ 	if (!handler->request || !handler->request->parent) {
+-		DEBUG("rlm_eap_tnc: EAP-TNC can only be run inside of a TLS-based method.");
++		DEBUG2("rlm_eap_tnc: EAP_TNC must only be used as an inner method within a protected tunneled EAP created by an outer EAP method.");
++		request = handler->request;
+ 		return 0;
++	} else {
++		request = handler->request->parent;
+ 	}
+ 
+-	/*
+-	 *	FIXME: Update this when the TTLS and PEAP methods can
+-	 *	run EAP-TLC *after* the user has been authenticated.
+-	 *	This likely means moving the phase2 handlers to a
+-	 *	common code base.
+-	 */
+-	if (1) {
+-		DEBUG("rlm-eap_tnc: EAP-TNC can only be run after the user has been authenticated.");
++	if (request->packet == NULL) {
++		DEBUG2("rlm_eap_tnc: ERROR request->packet is NULL.");
+ 		return 0;
+ 	}
+ 
+ 	DEBUG("tnc_initiate: %ld", handler->timestamp);
+ 
+-	if(connectToTncs(inst->tnc_path)==-1){
+-		DEBUG("Could not connect to TNCS");
++	//calculate connectionString
++	ret = calculateConnectionString(request->packet, buf, buflen);
++	if(ret == 0){
++		radlog(L_ERR, "rlm_eap_tnc:tnc_attach: calculating connection String failed.");
++		return 0;
+ 	}
+ 
++	DEBUG2("TNC-INITIATE getting connection from NAA-EAP");
++
+ 	/*
+-	 *	Allocate an EAP-MD5 packet.
++	 * get connection
++	 * (uses a function from the NAA-EAP-library)
++	 * the presence of the library is checked via the configure-script
+ 	 */
+-	reply = eaptnc_alloc();
+-	if (reply == NULL)  {
+-		radlog(L_ERR, "rlm_eap_tnc: out of memory");
++	result = getConnection(buf, &conID);
++
++	// check for errors
++	if (result != TNC_RESULT_SUCCESS) {
++		radlog(L_ERR,
++				"rlm_eap_tnc: tnc_initiate error while calling NAA-EAP getConnection");
+ 		return 0;
+ 	}
+ 
+ 	/*
+-	 *	Fill it with data.
++	 * tries to get the username from FreeRADIUS;
++	 * copied from modules/rlm_eap/types/rlm_eap_ttls/ttls.c
+ 	 */
+-	reply->code = PW_TNC_REQUEST;
+-	flags_ver = SET_START(flags_ver); //set start-flag
+-	DEBUG("$$$$$$$$$$$$$$$$Flags: %d", flags_ver);
+-	reply->flags_ver = flags_ver;
+-	reply->length = 1+1; /* one byte of flags_ver */
++	VALUE_PAIR *usernameValuePair;
++	usernameValuePair = pairfind(request->packet->vps, PW_USER_NAME);
+ 
++	VALUE_PAIR *eapMessageValuePair;
++	if (!usernameValuePair) {
++		eapMessageValuePair = pairfind(request->packet->vps, PW_EAP_MESSAGE);
++
++		if (eapMessageValuePair &&
++			(eapMessageValuePair->length >= EAP_HEADER_LEN + 2) &&
++			(eapMessageValuePair->vp_strvalue[0] == PW_EAP_RESPONSE) &&
++			(eapMessageValuePair->vp_strvalue[EAP_HEADER_LEN] == PW_EAP_IDENTITY) &&
++			(eapMessageValuePair->vp_strvalue[EAP_HEADER_LEN + 1] != 0)) {
++
++			/*
++			 *	Create & remember a User-Name
++			 */
++			usernameValuePair = pairmake("User-Name", "", T_OP_EQ);
++			rad_assert(usernameValuePair != NULL);
++
++			memcpy(usernameValuePair->vp_strvalue, eapMessageValuePair->vp_strvalue + 5,
++					eapMessageValuePair->length - 5);
++			usernameValuePair->length = eapMessageValuePair->length - 5;
++			usernameValuePair->vp_strvalue[usernameValuePair->length] = 0;
++		}
++	}
++
++	username = malloc(usernameValuePair->length + 1);
++	memcpy(username, usernameValuePair->vp_strvalue, usernameValuePair->length);
++	username[usernameValuePair->length] = '\0';
++
++	RDEBUG("Username for current TNC connection: %s", username);
++
++	/*
++	 * stores the username of this connection
++	 * (uses a function from the NAA-EAP-library)
++	 * the presence of the library is checked via the configure-script
++	 */
++	result = storeUsername(conID, username, usernameValuePair->length);
++
++	// check for errors
++	if (result != TNC_RESULT_SUCCESS) {
++		radlog(L_ERR,
++				"rlm_eap_tnc: tnc_initiate error while calling NAA-EAP storeUsername");
++		return 0;
++	}
++
++	// set connection ID in FreeRADIUS
++	handler->opaque = malloc(sizeof(TNC_ConnectionID));
++	memcpy(handler->opaque, &conID, sizeof(TNC_ConnectionID));
++
++	// build first EAP TNC request
++	TNC_BufferReference eap_tnc_request = malloc(sizeof(unsigned char));
++	if (eap_tnc_request == NULL) {
++		radlog(L_ERR, "rlm_eap_tnc:tnc_initiate: malloc failed.");
++		return 0;
++	}
++	*eap_tnc_request = SET_START(1);
++	TNC_UInt32 eap_tnc_length = 1;
++	type_data = type_data; /* suppress -Wunused */
+ 
+ 	/*
+ 	 *	Compose the EAP-TNC packet out of the data structure,
+ 	 *	and free it.
+ 	 */
+-	eaptnc_compose(handler->eap_ds, reply);
+-	eaptnc_free(&reply);
++	eaptnc_compose(handler, eap_tnc_request, eap_tnc_length, PW_EAP_REQUEST);
+ 
+-    //put sessionAttribute to Handler and increase sessionCounter
+-    handler->opaque = calloc(sizeof(TNC_ConnectionID), 1);
+-    if (handler->opaque == NULL)  {
+-	radlog(L_ERR, "rlm_eap_tnc: out of memory");
+-	return 0;
+-    }
+-    handler->free_opaque = free;
+-    memcpy(handler->opaque, &sessionCounter, sizeof(int));
+-    sessionCounter++;
+-    
+ 	/*
+ 	 *	We don't need to authorize the user at this point.
+ 	 *
+@@ -124,246 +290,114 @@
+ 	 *	to us...
+ 	 */
+ 	handler->stage = AUTHENTICATE;
+-    
+-	return 1;
+-}
+ 
+-static void setVlanAttribute(rlm_eap_tnc_t *inst, EAP_HANDLER *handler,
+-			     VlanAccessMode mode){
+-	VALUE_PAIR *vp;
+-    char *vlanNumber = NULL;
+-    switch(mode){
+-        case VLAN_ISOLATE:
+-            vlanNumber = inst->vlan_isolate;
+-	    vp = pairfind(handler->request->config_items,
+-			  PW_TNC_VLAN_ISOLATE);
+-	    if (vp) vlanNumber = vp->vp_strvalue;
+-            break;
+-        case VLAN_ACCESS:
+-            vlanNumber = inst->vlan_access;
+-	    vp = pairfind(handler->request->config_items,
+-			  PW_TNC_VLAN_ACCESS);
+-	    if (vp) vlanNumber = vp->vp_strvalue;
+-            break;
+-
+-    default:
+-	    DEBUG2("  rlm_eap_tnc: Internal error.  Not setting vlan number");
+-	    return;
+-    }
+-    pairadd(&handler->request->reply->vps,
+-	    pairmake("Tunnel-Type", "VLAN", T_OP_SET));
+-    
+-    pairadd(&handler->request->reply->vps,
+-	    pairmake("Tunnel-Medium-Type", "IEEE-802", T_OP_SET));
+-    
+-    pairadd(&handler->request->reply->vps,
+-	    pairmake("Tunnel-Private-Group-ID", vlanNumber, T_OP_SET));
+-    
++	return 1;
+ }
+ 
+-/*
+- *	Authenticate a previously sent challenge.
++/**
++ * This function is called when a EAP_TNC_RESPONSE was received.
++ * It basically forwards the EAP_TNC data to NAA-TNCS and forms
++ * and appropriate EAP_RESPONSE. Furthermore, it sets the VlanID
++ * based on the TNC_ConnectionState determined by NAA-TNCS.
++ *
++ * @param type_arg The configuration data
++ * @param handler The EAP_HANDLER
++ * @return True, if successfully, else false.
+  */
+-static int tnc_authenticate(void *type_arg, EAP_HANDLER *handler)
+-{
+-    TNC_PACKET	*packet;
+-    TNC_PACKET	*reply;
+-    TNC_ConnectionID connId = *((TNC_ConnectionID *) (handler->opaque));
+-    TNC_ConnectionState state;
+-    rlm_eap_tnc_t *inst = type_arg;
+-    int isAcknowledgement = 0;
+-    TNC_UInt32 tnccsMsgLength = 0;
+-    int isLengthIncluded;
+-    int moreFragments;
+-    TNC_UInt32 overallLength;
+-    TNC_BufferReference outMessage;
+-    TNC_UInt32 outMessageLength = 2;
+-    int outIsLengthIncluded=0;
+-    int outMoreFragments=0;
+-    TNC_UInt32 outOverallLength=0;
++static int tnc_authenticate(void *type_arg, EAP_HANDLER *handler) {
+ 
+-    DEBUG2("HANDLER_OPAQUE: %d", (int) *((TNC_ConnectionID *) (handler->opaque)));
+-    DEBUG2("TNC-AUTHENTICATE is starting now for %d..........", (int) connId);
++	rad_assert(handler->request != NULL); // check that request has been sent previously
++	rad_assert(handler->stage == AUTHENTICATE); // check if initiate has been called
+ 
+-	/*
+-	 *	Get the User-Password for this user.
+-	 */
+-    rad_assert(handler->request != NULL);
+-	rad_assert(handler->stage == AUTHENTICATE);
+-    
+-	/*
+-	 *	Extract the EAP-TNC packet.
+-	 */
+-    if (!(packet = eaptnc_extract(handler->eap_ds)))
++	if (handler == NULL) {
++		radlog(L_ERR,
++				"rlm_eap_tnc: tnc_authenticate invalid parameters: handler == NULL");
+ 		return 0;
++	}
++	if (handler->eap_ds == NULL) {
++		radlog(L_ERR,
++				"rlm_eap_tnc: tnc_authenticate invalid parameters: handler->eap_ds == NULL");
++		return 0;
++	}
++	if (handler->eap_ds->response == NULL) {
++		radlog(
++				L_ERR,
++				"rlm_eap_tnc: tnc_authenticate invalid parameters: handler->eap_ds->resonse == NULL");
++		return 0;
++	}
++	if (handler->eap_ds->response->type.type != PW_EAP_TNC
++			|| handler->eap_ds->response->type.length < 1
++			|| handler->eap_ds->response->type.data == NULL) {
++		radlog(
++				L_ERR,
++				"rlm_eap_tnc: tnc_authenticate invalid parameters: handler->eap_ds->response->type.type == %X, ->type.length == %u, ->type.data == %p",
++				handler->eap_ds->response->type.type,
++				handler->eap_ds->response->type.length,
++				handler->eap_ds->response->type.data);
++		return 0;
++	}
+ 
+-	/*
+-	 *	Create a reply, and initialize it.
+-	 */
+-	reply = eaptnc_alloc();
+-	if (!reply) {
+-		eaptnc_free(&packet);
+-		return 0;
+-	}
+-    
+-	reply->id = handler->eap_ds->request->id;
+-	reply->length = 0;
+-    if(packet->data_length==0){
+-        tnccsMsgLength = packet->length-TNC_PACKET_LENGTH_WITHOUT_DATA_LENGTH;
+-    }else{
+-        tnccsMsgLength = packet->length-TNC_PACKET_LENGTH;
+-    }
+-    isLengthIncluded = TNC_LENGTH_INCLUDED(packet->flags_ver);
+-    moreFragments = TNC_MORE_FRAGMENTS(packet->flags_ver);
+-    overallLength = packet->data_length;
+-    if(isLengthIncluded == 0 
+-        && moreFragments == 0 
+-        && overallLength == 0 
+-        && tnccsMsgLength == 0
+-        && TNC_START(packet->flags_ver)==0){
+-        
+-        isAcknowledgement = 1;
+-    }
+-    
+-    DEBUG("Data received: (%d)", (int) tnccsMsgLength);
+-/*    int i;
+-    for(i=0;i<tnccsMsgLength;i++){
+-        DEBUG2("%c", (packet->data)[i]);
+-    }
+-    DEBUG2("\n");
+-   */
+-    state = exchangeTNCCSMessages(inst->tnc_path,
+-                                  connId,
+-                                  isAcknowledgement,
+-                                  packet->data, 
+-                                  tnccsMsgLength, 
+-                                  isLengthIncluded, 
+-                                  moreFragments, 
+-                                  overallLength, 
+-                                  &outMessage, 
+-                                  &outMessageLength,
+-                                  &outIsLengthIncluded,
+-                                  &outMoreFragments,
+-                                  &outOverallLength);
+-    DEBUG("GOT State %08x from TNCS", (unsigned int) state);
+-    if(state == TNC_CONNECTION_EAP_ACKNOWLEDGEMENT){ //send back acknoledgement
+-        reply->code = PW_TNC_REQUEST;
+-        reply->data = NULL;
+-        reply->data_length = 0;
+-        reply->flags_ver = 1;
+-        reply->length =TNC_PACKET_LENGTH_WITHOUT_DATA_LENGTH; 
+-    }else{ //send back normal message
+-        DEBUG("GOT Message from TNCS (length: %d)", (int) outMessageLength);
+-        
+- /*       for(i=0;i<outMessageLength;i++){
+-            DEBUG2("%c", outMessage[i]);
+-        }
+-        DEBUG2("\n");
+- */
+-        DEBUG("outIsLengthIncluded: %d, outMoreFragments: %d, outOverallLength: %d", 
+-                outIsLengthIncluded, outMoreFragments, (int) outOverallLength);
+-        DEBUG("NEW STATE: %08x", (unsigned int) state);
+-        switch(state){
+-            case TNC_CONNECTION_STATE_HANDSHAKE:
+-                reply->code = PW_TNC_REQUEST;
+-                DEBUG2("Set Reply->Code to EAP-REQUEST\n");
+-                break;
+-            case TNC_CONNECTION_STATE_ACCESS_ALLOWED:
+-                reply->code = PW_TNC_SUCCESS;
+-                setVlanAttribute(inst, handler,VLAN_ACCESS);
+-                break;
+-            case TNC_CONNECTION_STATE_ACCESS_NONE:
+-                reply->code = PW_TNC_FAILURE;
+-                //setVlanAttribute(inst, handler, VLAN_ISOLATE);
+-                break;
+-            case TNC_CONNECTION_STATE_ACCESS_ISOLATED:
+-                reply->code = PW_TNC_SUCCESS;
+-                setVlanAttribute(inst, handler, VLAN_ISOLATE);
+-                break;
+-            default:
+-                reply->code= PW_TNC_FAILURE;
+-                
+-        }
+-        if(outMessage!=NULL && outMessageLength!=0){
+-            reply->data = outMessage;
+-        }
+-        reply->flags_ver = 1;
+-        if(outIsLengthIncluded){
+-            reply->flags_ver = SET_LENGTH_INCLUDED(reply->flags_ver);
+-            reply->data_length = outOverallLength;
+-            reply->length = TNC_PACKET_LENGTH + outMessageLength;
+-            DEBUG("SET LENGTH: %d", reply->length);
+-            DEBUG("SET DATALENGTH: %d", (int) outOverallLength);
+-        }else{
+-            reply->data_length = 0;
+-            reply->length = TNC_PACKET_LENGTH_WITHOUT_DATA_LENGTH + outMessageLength;        
+-            DEBUG("SET LENGTH: %d", reply->length);
+-        }
+-        if(outMoreFragments){
+-            reply->flags_ver = SET_MORE_FRAGMENTS(reply->flags_ver);
+-        }
+-    }
+-    
+-	/*
+-	 *	Compose the EAP-MD5 packet out of the data structure,
+-	 *	and free it.
+-	 */
+-	eaptnc_compose(handler->eap_ds, reply);
+-    	eaptnc_free(&reply);
+-
+-    handler->stage = AUTHENTICATE;
+-    
+-	eaptnc_free(&packet);
+-	return 1;
+-}
+-
+-/*
+- *	Detach the EAP-TNC module.
+- */
+-static int tnc_detach(void *arg)
+-{
+-	free(arg);
+-	return 0;
+-}
+-
+-
+-static CONF_PARSER module_config[] = {
+-	{ "vlan_access", PW_TYPE_STRING_PTR,
+-	  offsetof(rlm_eap_tnc_t, vlan_access), NULL, NULL },
+-	{ "vlan_isolate", PW_TYPE_STRING_PTR,
+-	  offsetof(rlm_eap_tnc_t, vlan_isolate), NULL, NULL },
+-	{ "tnc_path", PW_TYPE_STRING_PTR,
+-	  offsetof(rlm_eap_tnc_t, tnc_path), NULL,
+-	"/usr/local/lib/libTNCS.so"},
++	// get connection ID
++	TNC_ConnectionID conID = *((TNC_ConnectionID *) (handler->opaque));
+ 
+- 	{ NULL, -1, 0, NULL, NULL }           /* end the list */
+-};
++	DEBUG2("TNC-AUTHENTICATE is starting now for connection ID %lX !", conID);
+ 
+-/*
+- *	Attach the EAP-TNC module.
+- */
+-static int tnc_attach(CONF_SECTION *cs, void **instance)
+-{
+-	rlm_eap_tnc_t *inst;
++	// pass EAP_TNC data to NAA-EAP and get answer data
++	TNC_BufferReference output = NULL;
++	TNC_UInt32 outputLength = 0;
++	TNC_ConnectionState connectionState = TNC_CONNECTION_STATE_CREATE;
+ 
+-	inst = malloc(sizeof(*inst));
+-	if (!inst) return -1;
+-	memset(inst, 0, sizeof(*inst));
++	/*
++	 * forwards the eap_tnc data to NAA-EAP and gets the response
++	 * (uses a function from the NAA-EAP-library)
++	 * the presence of the library is checked via the configure-script
++	 */
++	TNC_Result result = processEAPTNCData(conID, handler->eap_ds->response->type.data,
++			handler->eap_ds->response->type.length, &output, &outputLength,
++			&connectionState);
++
++	// check for errors
++	if (result != TNC_RESULT_SUCCESS) {
++		radlog(L_ERR,
++				"rlm_eap_tnc: tnc_authenticate error while calling NAA-EAP processEAPTNCData");
++		return 0;
++	}
+ 
+-	if (cf_section_parse(cs, inst, module_config) < 0) {
+-		tnc_detach(inst);
+-		return -1;
++	// output contains now the answer from NAA-EAP
++	uint8_t eapCode = 0;
++	// determine eapCode for request
++	switch (connectionState) {
++	case TNC_CONNECTION_STATE_HANDSHAKE:
++		eapCode = PW_EAP_REQUEST;
++		break;
++	case TNC_CONNECTION_STATE_ACCESS_NONE:
++		eapCode = PW_EAP_FAILURE;
++		break;
++	case TNC_CONNECTION_STATE_ACCESS_ALLOWED:
++		eapCode = PW_EAP_SUCCESS;
++		pairadd(&handler->request->config_items, pairmake("TNC-Status", "Access", T_OP_SET));
++		break;
++	case TNC_CONNECTION_STATE_ACCESS_ISOLATED:
++		eapCode = PW_EAP_SUCCESS;
++		pairadd(&handler->request->config_items, pairmake("TNC-Status", "Isolate", T_OP_SET));
++		break;
++	default:
++		radlog(L_ERR,
++				"rlm_eap_tnc: tnc_authenticate invalid TNC_CONNECTION_STATE.");
++		return 0;
+ 	}
+ 
+-	
+-	if (!inst->vlan_access || !inst->vlan_isolate) {
+-		radlog(L_ERR, "rlm_eap_tnc: Must set both vlan_access and vlan_isolate");
+-		tnc_detach(inst);
+-		return -1;
++	// form EAP_REQUEST
++	if (!eaptnc_compose(handler, output, outputLength, eapCode)) {
++		radlog(L_ERR,
++				"rlm_eap_tnc: tnc_authenticate error while forming EAP_REQUEST.");
++		return 0;
+ 	}
+ 
+-	*instance = inst;
+-	return 0;
++	// FIXME: Why is that needed?
++	handler->stage = AUTHENTICATE;
++
++	return 1;
+ }
+ 
+ /*
+@@ -371,10 +405,10 @@
+  *	That is, everything else should be 'static'.
+  */
+ EAP_TYPE rlm_eap_tnc = {
+-	"eap_tnc",
+-	tnc_attach,			/* attach */
+-	tnc_initiate,			/* Start the initial request */
+-	NULL,				/* authorization */
+-	tnc_authenticate,		/* authentication */
+-	tnc_detach		      	/* detach */
++		"eap_tnc",
++		tnc_attach, /* attach */
++		tnc_initiate, /* Start the initial request */
++		NULL, /* authorization */
++		tnc_authenticate, /* authentication */
++		tnc_detach /* detach */
+ };
+diff -u -r -N freeradius-server-2.2.0.orig/src/modules/rlm_eap/types/rlm_eap_tnc/tncs_connect.c freeradius-server-2.2.0/src/modules/rlm_eap/types/rlm_eap_tnc/tncs_connect.c
+--- freeradius-server-2.2.0.orig/src/modules/rlm_eap/types/rlm_eap_tnc/tncs_connect.c	2012-09-10 13:51:34.000000000 +0200
++++ freeradius-server-2.2.0/src/modules/rlm_eap/types/rlm_eap_tnc/tncs_connect.c	1970-01-01 01:00:00.000000000 +0100
+@@ -1,146 +0,0 @@
+-/*
+- *   This software is Copyright (C) 2006,2007 FH Hannover
+- *
+- *   Portions of this code unrelated to FreeRADIUS are available
+- *   separately under a commercial license.  If you require an
+- *   implementation of EAP-TNC that is not under the GPLv2, please
+- *   contact tnc@inform.fh-hannover.de for details.
+- *
+- *   This program is free software; you can redistribute it and/or modify
+- *   it under the terms of the GNU General Public License as published by
+- *   the Free Software Foundation; either version 2 of the License, or
+- *   (at your option) any later version.
+- *
+- *   This program is distributed in the hope that it will be useful,
+- *   but WITHOUT ANY WARRANTY; without even the implied warranty of
+- *   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+- *   GNU General Public License for more details.
+- *
+- *   You should have received a copy of the GNU General Public License
+- *   along with this program; if not, write to the Free Software
+- *   Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
+- *
+- */
+-#include <freeradius-devel/ident.h>
+-RCSID("$Id$")
+-
+-#include "tncs_connect.h"
+-#include <ltdl.h>
+-#include <stdlib.h>
+-#include <stdio.h>
+-#include <eap.h>
+-
+-     /*
+-      *	FIXME: This linking should really be done at compile time.
+-      */
+-static lt_dlhandle handle = NULL;
+-
+-static ExchangeTNCCSMessagePointer callTNCS = NULL;
+-
+-/*
+- * returns the function-pointer to a function of a shared-object
+- * 
+- * soHandle: handle to a shared-object
+- * name: name of the requested function
+- * 
+- * return: the procAddress if found, else NULL
+- */
+-static void *getProcAddress(lt_dlhandle soHandle, const char *name){
+-	void *proc = lt_dlsym(soHandle, name);
+-	DEBUG("Searching for function %s", name);
+-	if(proc == NULL){
+-		DEBUG("rlm_eap_tnc: Failed to resolve symbol %s: %s",
+-		      name, lt_dlerror());
+-	}
+-	return proc;
+-}
+-
+-
+-/*
+- * establishs the connection to the TNCCS without calling functionality.
+- * That means that the TNCS-shared-object is loaded and the function-pointer
+- * to "exchangeTNCCSMessages" is explored.
+- * 
+- * return: -1 if connect failed, 0 if connect was successful
+- */
+-int connectToTncs(char *pathToSO){
+-	int state = -1;
+-	if(handle==NULL){
+-		handle = lt_dlopen(pathToSO);
+-		DEBUG("OPENED HANDLE!");
+-	}
+-	
+-	if(handle==NULL){
+-		DEBUG("HANDLE IS NULL");
+-        DEBUG("rlm_eap_tnc: Failed to link to library %s: %s",
+-	      pathToSO, lt_dlerror());
+-	}else{
+-		DEBUG("SO %s found!", pathToSO);
+-		if(callTNCS==NULL){
+-			callTNCS = (ExchangeTNCCSMessagePointer) getProcAddress(handle, "exchangeTNCCSMessages");
+-		}
+-		if(callTNCS!=NULL){
+-			DEBUG("TNCS is connected");
+-			state = 0;
+-//			int ret = callTNCS2(2, "Bla", NULL);
+-	//		DEBUG("GOT %d from exchangeTNCCSMessages", ret);
+-		}else{
+-			DEBUG("Could not find exchangeTNCCSMessages");
+-		}
+-
+-	}
+-	return state;	
+-}
+-
+-/*
+- * Accesspoint to the TNCS for sending and receiving TNCCS-Messages.
+- * -pathToSO: Path to TNCCS-Shared Object 
+- * -connId: identifies the client which the passed message belongs to.
+- * -isAcknoledgement: 1 if acknoledgement received (then all following in-parameters unimportant
+- * -input: input-TNCCS-message received from the client with connId
+- * -inputLength: length of input-TNCCS-message
+- * -isFirst: 1 if first message in fragmentation else 0
+- * -moreFragments: are there more Fragments to come (yes: 1, no: 0)?
+- * -overallLength: length of all fragments together (only set if fragmentation)
+- * -output: answer-TNCCS-message from the TNCS to the client
+- * -outputLength: length of answer-TNCCS-message
+- * -answerIsFirst: returned answer is first in row
+- * -moreFragmentsFollow: more fragments after this answer
+- * -overallLengthOut: length of all fragments together (only set if fragmentation) as answer
+- * 
+- * return: state of connection as result of the exchange
+- */
+-TNC_ConnectionState exchangeTNCCSMessages(/*in*/ char *pathToSO,
+-                                          /*in*/ TNC_ConnectionID connId, 
+-                                          /*in*/ int isAcknoledgement,
+-					  /*in*/ TNC_BufferReference input, 
+-                                          /*in*/ TNC_UInt32 inputLength,
+-                                          /*in*/ int isFirst, 
+-                                          /*in*/ int moreFragments,
+-                                          /*in*/ TNC_UInt32 overallLength,
+-					  /*out*/ TNC_BufferReference *output,
+-                                          /*out*/ TNC_UInt32 *outputLength,
+-                                          /*out*/ int *answerIsFirst,
+-                                          /*out*/ int *moreFragmentsFollow,
+-                                          /*out*/ TNC_UInt32 *overallLengthOut){
+-	TNC_ConnectionState state = TNC_CONNECTION_STATE_ACCESS_NONE;
+-	int connectStatus = connectToTncs(pathToSO);
+-    if(connectStatus!=-1){
+-		state = callTNCS(connId,
+-                            isAcknoledgement,
+-                            input,
+-                            inputLength, 
+-                            isFirst, 
+-                            moreFragments, 
+-                            overallLength, 
+-                            output, 
+-                            outputLength, 
+-                            answerIsFirst, 
+-                            moreFragmentsFollow, 
+-                            overallLengthOut);
+-        DEBUG("GOT TNC_ConnectionState (juhuuu): %u", (unsigned int) state);
+-	}else{
+-		DEBUG("CAN NOT CONNECT TO TNCS");
+-	}
+-	return state;
+-}
+diff -u -r -N freeradius-server-2.2.0.orig/src/modules/rlm_eap/types/rlm_eap_tnc/tncs_connect.h freeradius-server-2.2.0/src/modules/rlm_eap/types/rlm_eap_tnc/tncs_connect.h
+--- freeradius-server-2.2.0.orig/src/modules/rlm_eap/types/rlm_eap_tnc/tncs_connect.h	2012-09-10 13:51:34.000000000 +0200
++++ freeradius-server-2.2.0/src/modules/rlm_eap/types/rlm_eap_tnc/tncs_connect.h	1970-01-01 01:00:00.000000000 +0100
+@@ -1,70 +0,0 @@
+-/*
+- *   This software is Copyright (C) 2006,2007 FH Hannover
+- *
+- *   Portions of this code unrelated to FreeRADIUS are available
+- *   separately under a commercial license.  If you require an
+- *   implementation of EAP-TNC that is not under the GPLv2, please
+- *   contact tnc@inform.fh-hannover.de for details.
+- *
+- *   This program is free software; you can redistribute it and/or modify
+- *   it under the terms of the GNU General Public License as published by
+- *   the Free Software Foundation; either version 2 of the License, or
+- *   (at your option) any later version.
+- *
+- *   This program is distributed in the hope that it will be useful,
+- *   but WITHOUT ANY WARRANTY; without even the implied warranty of
+- *   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+- *   GNU General Public License for more details.
+- *
+- *   You should have received a copy of the GNU General Public License
+- *   along with this program; if not, write to the Free Software
+- *   Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
+- *
+- */
+-
+-#ifndef _TNCS_CONNECT_H_
+-#define _TNCS_CONNECT_H_
+-
+-#include "tncs.h"
+-
+-/*
+- * establishs the connection to the TNCCS without calling functionality.
+- * That means that the TNCS-shared-object is loaded and the function-pointer
+- * to "exchangeTNCCSMessages" is explored.
+- * 
+- * return: -1 if connect failed, 0 if connect was successful
+- */
+-int connectToTncs(char *pathToSO);
+-/*
+- * Accesspoint to the TNCS for sending and receiving TNCCS-Messages.
+- * -pathToSO: Path to TNCCS-Shared Object
+- * -connId: identifies the client which the passed message belongs to.
+- * -isAcknoledgement: 1 if acknoledgement received (then all following in-parameters unimportant
+- * -input: input-TNCCS-message received from the client with connId
+- * -inputLength: length of input-TNCCS-message
+- * -isFirst: 1 if first message in fragmentation else 0
+- * -moreFragments: are there more Fragments to come (yes: 1, no: 0)?
+- * -overallLength: length of all fragments together (only set if fragmentation) 
+- * -output: answer-TNCCS-message from the TNCS to the client
+- * -outputLength: length of answer-TNCCS-message
+- * -answerIsFirst: returned answer is first in row
+- * -moreFragmentsFollow: more fragments after this answer
+- * -overallLengthOut: length of all fragments together (only set if fragmentation) as answer
+- * 
+- * return: state of connection as result of the exchange
+- */
+-TNC_ConnectionState exchangeTNCCSMessages(/*in*/ char *pathToSO,
+-                                          /*in*/ TNC_ConnectionID connId, 
+-                                          /*in*/ int isAcknoledgement, 
+-                                          /*in*/ TNC_BufferReference input, 
+-                                          /*in*/ TNC_UInt32 inputLength,
+-                                          /*in*/ int isFirst,
+-                                          /*in*/ int moreFragments,
+-                                          /*in*/ TNC_UInt32 overallLength,
+-                                          /*out*/ TNC_BufferReference *output,
+-                                          /*out*/ TNC_UInt32 *outputLength,
+-                                          /*out*/ int *answerIsFirst,
+-                                          /*out*/ int *moreFragmentsFollow,
+-                                          /*out*/ TNC_UInt32 *overallLengthOut);
+-
+-#endif //_TNCS_CONNECT_H_
+diff -u -r -N freeradius-server-2.2.0.orig/src/modules/rlm_eap/types/rlm_eap_tnc/tncs.h freeradius-server-2.2.0/src/modules/rlm_eap/types/rlm_eap_tnc/tncs.h
+--- freeradius-server-2.2.0.orig/src/modules/rlm_eap/types/rlm_eap_tnc/tncs.h	2012-09-10 13:51:34.000000000 +0200
++++ freeradius-server-2.2.0/src/modules/rlm_eap/types/rlm_eap_tnc/tncs.h	1970-01-01 01:00:00.000000000 +0100
+@@ -1,86 +0,0 @@
+-/*
+- *   This software is Copyright (C) 2006,2007 FH Hannover
+- *
+- *   Portions of this code unrelated to FreeRADIUS are available
+- *   separately under a commercial license.  If you require an
+- *   implementation of EAP-TNC that is not under the GPLv2, please
+- *   contact tnc@inform.fh-hannover.de for details.
+- *
+- *   This program is free software; you can redistribute it and/or modify
+- *   it under the terms of the GNU General Public License as published by
+- *   the Free Software Foundation; either version 2 of the License, or
+- *   (at your option) any later version.
+- *
+- *   This program is distributed in the hope that it will be useful,
+- *   but WITHOUT ANY WARRANTY; without even the implied warranty of
+- *   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+- *   GNU General Public License for more details.
+- *
+- *   You should have received a copy of the GNU General Public License
+- *   along with this program; if not, write to the Free Software
+- *   Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
+- *
+- */
+-
+-#ifndef _TNCS_H_
+-#define _TNCS_H_
+-
+-
+-
+-#ifdef __cplusplus
+-extern "C" {
+-#endif 
+-
+-/*
+- * copied from tncimv.h:
+- */
+-typedef unsigned long TNC_UInt32;
+-typedef TNC_UInt32 TNC_ConnectionState;
+-typedef unsigned char *TNC_BufferReference;
+-typedef TNC_UInt32 TNC_ConnectionID;
+-
+-#define TNC_CONNECTION_STATE_CREATE 0
+-#define TNC_CONNECTION_STATE_HANDSHAKE 1
+-#define TNC_CONNECTION_STATE_ACCESS_ALLOWED 2
+-#define TNC_CONNECTION_STATE_ACCESS_ISOLATED 3
+-#define TNC_CONNECTION_STATE_ACCESS_NONE 4
+-#define TNC_CONNECTION_STATE_DELETE 5
+-#define TNC_CONNECTION_EAP_ACKNOWLEDGEMENT 6
+-
+-/*
+- * Accesspoint (as function-pointer) to the TNCS for sending and receiving 
+- * TNCCS-Messages.
+- * 
+- * -connId: identifies the client which the passed message belongs to.
+- * -isAcknoledgement: 1 if acknoledgement received (then all following in-parameters unimportant
+- * -input: input-TNCCS-message received from the client with connId
+- * -inputLength: length of input-TNCCS-message
+- * -isFirst: 1 if first message in fragmentation else 0
+- * -moreFragments: are there more Fragments to come (yes: 1, no: 0)?
+- * -overallLength: length of all fragments together (only set if fragmentation) 
+- * -output: answer-TNCCS-message from the TNCS to the client
+- * -outputLength: length of answer-TNCCS-message
+- * -answerIsFirst: returned answer is first in row
+- * -moreFragmentsFollow: more fragments after this answer
+- * -overallLengthOut: length of all fragments together (only set if fragmentation) as answer
+- * 
+- * return: state of connection as result of the exchange
+- */
+-typedef TNC_ConnectionState (*ExchangeTNCCSMessagePointer)(/*in*/ TNC_ConnectionID connId, 
+-                                          /*in*/ int isAcknoledgement, 
+-                                          /*in*/ TNC_BufferReference input, 
+-                                          /*in*/ TNC_UInt32 inputLength,
+-                                          /*in*/ int isFirst,
+-                                          /*in*/ int moreFragments,
+-                                          /*in*/ TNC_UInt32 overallLength,
+-                                          /*out*/ TNC_BufferReference *output,
+-                                          /*out*/ TNC_UInt32 *outputLength,
+-                                          /*out*/ int *answerIsFirst,
+-                                          /*out*/ int *moreFragmentsFollow,
+-                                          /*out*/ TNC_UInt32 *overallLengthOut
+-);
+-
+-#ifdef __cplusplus
+-}
+-#endif
+-#endif //_TNCS_H_
+diff -u -r -N freeradius-server-2.2.0.orig/src/modules/rlm_eap/types/rlm_eap_ttls/eap_ttls.h freeradius-server-2.2.0/src/modules/rlm_eap/types/rlm_eap_ttls/eap_ttls.h
+--- freeradius-server-2.2.0.orig/src/modules/rlm_eap/types/rlm_eap_ttls/eap_ttls.h	2012-09-10 13:51:34.000000000 +0200
++++ freeradius-server-2.2.0/src/modules/rlm_eap/types/rlm_eap_ttls/eap_ttls.h	2012-12-04 19:39:54.749423138 +0100
+@@ -37,6 +37,10 @@
+ 	int		copy_request_to_tunnel;
+ 	int		use_tunneled_reply;
+ 	const char	*virtual_server;
++	const char	*tnc_virtual_server;	// virtual server for EAP-TNC as the second inner method
++	VALUE_PAIR	*auth_reply;		// cache storage of the last reply of the first inner method
++	int		auth_code;		// cache storage of the reply-code of the first inner method
++	int		doing_tnc;		// status if we're doing EAP-TNC
+ } ttls_tunnel_t;
+ 
+ /*
+diff -u -r -N freeradius-server-2.2.0.orig/src/modules/rlm_eap/types/rlm_eap_ttls/rlm_eap_ttls.c freeradius-server-2.2.0/src/modules/rlm_eap/types/rlm_eap_ttls/rlm_eap_ttls.c
+--- freeradius-server-2.2.0.orig/src/modules/rlm_eap/types/rlm_eap_ttls/rlm_eap_ttls.c	2012-09-10 13:51:34.000000000 +0200
++++ freeradius-server-2.2.0/src/modules/rlm_eap/types/rlm_eap_ttls/rlm_eap_ttls.c	2012-12-04 19:39:54.749423138 +0100
+@@ -62,6 +62,11 @@
+ 	 *	Virtual server for inner tunnel session.
+ 	 */
+ 	char	*virtual_server;
++
++	/*
++	 *	Virtual server for the second inner tunnel method, which is EAP-TNC.
++	 */
++	char	*tnc_virtual_server;
+ } rlm_eap_ttls_t;
+ 
+ 
+@@ -78,6 +83,9 @@
+ 	{ "virtual_server", PW_TYPE_STRING_PTR,
+ 	  offsetof(rlm_eap_ttls_t, virtual_server), NULL, NULL },
+ 
++	{ "tnc_virtual_server", PW_TYPE_STRING_PTR,
++	  offsetof(rlm_eap_ttls_t, tnc_virtual_server), NULL, NULL },
++
+ 	{ "include_length", PW_TYPE_BOOLEAN,
+ 	  offsetof(rlm_eap_ttls_t, include_length), NULL, "yes" },
+ 
+@@ -171,6 +179,10 @@
+ 	t->copy_request_to_tunnel = inst->copy_request_to_tunnel;
+ 	t->use_tunneled_reply = inst->use_tunneled_reply;
+ 	t->virtual_server = inst->virtual_server;
++	t->tnc_virtual_server = inst->tnc_virtual_server;	// virtual server for EAP-TNC as the second inner method
++	t->auth_reply = NULL;								// cache storage of the last reply of the first inner method
++	t->auth_code = -1;									// cache storage of the reply-code of the first inner method
++	t->doing_tnc = 0;									// status if we're doing EAP-TNC (on start we're doing NOT)
+ 	return t;
+ }
+ 
+diff -u -r -N freeradius-server-2.2.0.orig/src/modules/rlm_eap/types/rlm_eap_ttls/ttls.c freeradius-server-2.2.0/src/modules/rlm_eap/types/rlm_eap_ttls/ttls.c
+--- freeradius-server-2.2.0.orig/src/modules/rlm_eap/types/rlm_eap_ttls/ttls.c	2012-09-10 13:51:34.000000000 +0200
++++ freeradius-server-2.2.0/src/modules/rlm_eap/types/rlm_eap_ttls/ttls.c	2012-12-04 19:39:54.749423138 +0100
+@@ -585,6 +585,94 @@
+ }
+ 
+ /*
++ *	Start EAP-TNC as a second inner method.
++ *	Creates a new fake-request out of the original incoming request (via EAP_HANDLER).
++ *	If it's the first time, we create a EAP-START-packet and send
++ *	EAP-START :=	code = PW_EAP_REQUEST
++ *
++ */
++static REQUEST* start_tnc(EAP_HANDLER *handler, ttls_tunnel_t *t) {
++	REQUEST* request = handler->request;
++	RDEBUG2("EAP-TNC as second inner authentication method starts now");
++
++	/*
++	 *	Allocate a fake REQUEST struct,
++	 *	to make a new request, based on the original request.
++	 */
++	REQUEST* fake = request_alloc_fake(request);
++
++	/*
++	 * Set the virtual server to that of EAP-TNC.
++	 */
++	fake->server = t->tnc_virtual_server;
++
++	/*
++	 * Build a new EAP-Message.
++	 */
++	VALUE_PAIR *eap_msg;
++	eap_msg = paircreate(PW_EAP_MESSAGE, PW_TYPE_OCTETS);
++
++	/*
++	 * Set the EAP-Message to look like EAP-Start
++	 */
++	eap_msg->vp_octets[0] = PW_EAP_RESPONSE;
++	eap_msg->vp_octets[1] = 0x00;
++
++	/*
++	 * Only setting EAP-TNC here,
++	 * because it is intended to do user-authentication in the first inner method,
++	 * and then a hardware-authentication (like EAP-TNC) as the second method.
++	 */
++	eap_msg->vp_octets[4] = PW_EAP_TNC;
++
++	eap_msg->length = 0;
++
++	/*
++	 * Add the EAP-Message to the request.
++	 */
++	pairadd(&(fake->packet->vps), eap_msg);
++
++	/*
++	 * Process the new request by the virtual server configured for
++	 * EAP-TNC.
++	 */
++	rad_authenticate(fake);
++
++	/*
++	 * From now on we're doing EAP-TNC as the second inner authentication method.
++	 */
++	t->doing_tnc = TRUE;
++
++	return fake;
++}
++
++/*
++ * 	Stop EAP-TNC as a second inner method.
++ *	Copy the value pairs from the cached Access-Accept of the first inner method
++ *	to the Access-Accept/Reject package of EAP-TNC.
++ */
++static REQUEST* stop_tnc(REQUEST *request, ttls_tunnel_t *t) {
++	RDEBUG2("EAP-TNC as second inner authentication method stops now");
++
++	/*
++	 * Copy the value-pairs of the origina Access-Accept of the first
++	 * inner authentication method to the Access-Accept/Reject of the
++	 * second inner authentication method (EAP-TNC).
++	 */
++	if (request->reply->code == PW_AUTHENTICATION_ACK) {
++		pairadd(&(request->reply->vps), t->auth_reply);
++	} else if (request->reply->code == PW_AUTHENTICATION_REJECT) {
++		pairadd(&(request->reply->vps), t->auth_reply);
++	}
++
++	pairdelete(&(request->reply->vps), PW_MESSAGE_AUTHENTICATOR);
++	pairdelete(&(request->reply->vps), PW_PROXY_STATE);
++	pairdelete(&(request->reply->vps), PW_USER_NAME);
++
++	return request;
++}
++
++/*
+  *	Use a reply packet to determine what to do.
+  */
+ static int process_reply(EAP_HANDLER *handler, tls_session_t *tls_session,
+@@ -1135,6 +1223,16 @@
+ 
+ 	} /* else fake->server == request->server */
+ 
++	/*
++	 * If we're doing EAP-TNC as a second method,
++	 * then set the server to that one.
++	 * Then, rad_authenticate will run EAP-TNC,
++	 * so that afterwards we have to look for the state of
++	 * EAP-TNC.
++	 */
++	if (t->doing_tnc) {
++		fake->server = t->tnc_virtual_server;
++	}
+ 
+ 	if ((debug_flag > 0) && fr_log_fp) {
+ 		RDEBUG("Sending tunneled request");
+@@ -1248,6 +1346,53 @@
+ 
+ 	default:
+ 		/*
++		 * If the result of the first method was an acknowledgment OR
++		 * if were already running EAP-TNC,
++		 * we're doing additional things before processing the reply.
++		 * Also the configuration for EAP-TTLS has to contain a virtual server
++		 * for EAP-TNC as the second method.
++		 */
++		if (t->tnc_virtual_server) {
++			/*
++			 * If the reply code of the first inner method is PW_AUTHENTICATION_ACK
++			 * which means that the method was successful,
++			 * and we're not doing EAP-TNC as the second method,
++			 * then we want to intercept the Access-Accept and start EAP-TNC as the second inner method.
++			 */
++			if (fake->reply->code == PW_AUTHENTICATION_ACK
++				 && t->doing_tnc == FALSE) {
++				RDEBUG2("Reply-Code of the first inner method was: %d (PW_AUTHENTICATION_ACK)", fake->reply->code);
++
++				/*
++				 * Save reply-value pairs and reply-code of the first method.
++				 */
++				t->auth_reply = fake->reply->vps;
++				fake->reply->vps = NULL;
++				t->auth_code = fake->reply->code;
++
++				/*
++				 * Create the start package for EAP-TNC.
++				 */
++				fake = start_tnc(handler, t);
++
++				/*
++				 * If we're doing EAP-TNC as the second inner method,
++				 * and the reply->code was PW_AUTHENTICATION_ACK or PW_AUTHENTICATION_REJECT,
++				 * then we stop EAP-TNC and create an combined Access-Accept or Access-Reject.
++				 */
++			} else if (t->doing_tnc == TRUE
++					&& (fake->reply->code == PW_AUTHENTICATION_ACK || fake->reply->code == PW_AUTHENTICATION_REJECT)) {
++
++				/*
++				 * Create the combined Access-Accept or -Reject.
++				 */
++				RDEBUG2("Reply-Code of EAP-TNC as the second inner method was: %d (%s)", fake->reply->code,
++						fake->reply->code == PW_AUTHENTICATION_ACK ? "PW_AUTHENTICATION_ACK" : "PW_AUTHENTICATION_REJECT");
++				fake = stop_tnc(fake, t);
++			}
++		}
++
++		/*
+ 		 *	Returns RLM_MODULE_FOO, and we want to return
+ 		 *	PW_FOO
+ 		 */
diff --git a/testing/scripts/recipes/patches/iptables-xfrm-hooks b/testing/scripts/recipes/patches/iptables-xfrm-hooks
new file mode 100644
index 000000000..baa4a65c1
--- /dev/null
+++ b/testing/scripts/recipes/patches/iptables-xfrm-hooks
@@ -0,0 +1,61 @@
+From 4553ba0130bb9f0aa266cc1e4c3288a52f34eed6 Mon Sep 17 00:00:00 2001
+From: Martin Willi <martin@revosec.ch>
+Date: Wed, 7 Apr 2010 11:40:15 +0200
+Subject: [PATCH] Added XFRM hooks to iptables headers
+
+---
+ include/linux/netfilter.h      |    2 ++
+ include/linux/netfilter_ipv4.h |    6 +++++-
+ include/linux/netfilter_ipv6.h |    6 +++++-
+ 3 files changed, 12 insertions(+), 2 deletions(-)
+
+diff --git a/include/linux/netfilter.h b/include/linux/netfilter.h
+index 2eb00b6..b692c67 100644
+--- a/include/linux/netfilter.h
++++ b/include/linux/netfilter.h
+@@ -35,6 +35,8 @@ enum nf_inet_hooks {
+ 	NF_INET_FORWARD,
+ 	NF_INET_LOCAL_OUT,
+ 	NF_INET_POST_ROUTING,
++	NF_INET_XFRM_IN,
++	NF_INET_XFRM_OUT,
+ 	NF_INET_NUMHOOKS
+ };
+ 
+diff --git a/include/linux/netfilter_ipv4.h b/include/linux/netfilter_ipv4.h
+index 4d7ba3e..28d3ca9 100644
+--- a/include/linux/netfilter_ipv4.h
++++ b/include/linux/netfilter_ipv4.h
+@@ -47,7 +47,11 @@
+ #define NF_IP_LOCAL_OUT		3
+ /* Packets about to hit the wire. */
+ #define NF_IP_POST_ROUTING	4
+-#define NF_IP_NUMHOOKS		5
++/* Packets going into XFRM input transformation. */
++#define NF_IP_XFRM_IN		5
++/* Packets going into XFRM output transformation. */
++#define NF_IP_XFRM_OUT		6
++#define NF_IP_NUMHOOKS		7
+ 
+ enum nf_ip_hook_priorities {
+ 	NF_IP_PRI_FIRST = INT_MIN,
+diff --git a/include/linux/netfilter_ipv6.h b/include/linux/netfilter_ipv6.h
+index 7430b39..18590a5 100644
+--- a/include/linux/netfilter_ipv6.h
++++ b/include/linux/netfilter_ipv6.h
+@@ -51,7 +51,11 @@
+ #define NF_IP6_LOCAL_OUT		3
+ /* Packets about to hit the wire. */
+ #define NF_IP6_POST_ROUTING	4
+-#define NF_IP6_NUMHOOKS		5
++/* Packets going into XFRM input transformation. */
++#define NF_IP6_XFRM_IN		5
++/* Packets going into XFRM output transformation. */
++#define NF_IP6_XFRM_OUT		6
++#define NF_IP6_NUMHOOKS		7
+ 
+ 
+ enum nf_ip6_hook_priorities {
+-- 
+1.6.3.3
+
diff --git a/testing/scripts/restore-defaults b/testing/scripts/restore-defaults
index 64cc0262e..953548a1b 100755
--- a/testing/scripts/restore-defaults
+++ b/testing/scripts/restore-defaults
@@ -14,32 +14,20 @@
 # or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
 # for more details.
 
-DIR=`dirname $0`
-
-source $DIR/function.sh
-
-[ -f $DIR/../testing.conf ] || die "Configuration file 'testing.conf' not found"
-
-source $DIR/../testing.conf
-
-##########################################################################
-# load-testconfig requires a testname as an argument
-#
+DIR=$(dirname `readlink -f $0`)
+. $DIR/../testing.conf
+. $DIR/function.sh
 
 testname=$1
 
-HOSTCONFIGDIR=$BUILDDIR/hosts
+HOSTCONFIGDIR=$DIR/../hosts
 TESTSDIR=$BUILDDIR/tests
 
 [ -d $TESTSDIR ] || die "Directory '$TESTSDIR' not found"
 [ -d $TESTSDIR/$testname ] || die "Test '$testname' not found"
 [ -f $TESTSDIR/$testname/test.conf ] || die "File 'test.conf' is missing"
 
-source $TESTSDIR/$testname/test.conf
-
-##########################################################################
-# copy default host config back if necessary
-#
+. $TESTSDIR/$testname/test.conf
 
 if [ -d $TESTSDIR/${testname}/hosts ]
 then
@@ -47,5 +35,6 @@ then
     do
 	eval HOSTLOGIN="root@`echo $HOSTNAMEIPV4 | sed -n -e "s/^.*${host},//gp" | awk -F, '{ print $1 }' | awk '{ print $1 }'`"
 	scp $SSHCONF -r $HOSTCONFIGDIR/${host}/etc $HOSTLOGIN:/ > /dev/null 2>&1
+	scp $SSHCONF -r $HOSTCONFIGDIR/default/etc $HOSTLOGIN:/ > /dev/null 2>&1
     done
 fi
diff --git a/testing/scripts/shutdown-umls b/testing/scripts/shutdown-umls
deleted file mode 100755
index e71e46602..000000000
--- a/testing/scripts/shutdown-umls
+++ /dev/null
@@ -1,38 +0,0 @@
-#!/bin/bash
-# Install strongSwan from mounted strongswan-shared tree
-#
-# Copyright (C) 2006 Martin Willi
-# Hochschule fuer Technik Rapperswil
-# Copyright (C) 2004  Eric Marchionni, Patrik Rayo
-# Zuercher Hochschule Winterthur
-#
-# This program is free software; you can redistribute it and/or modify it
-# under the terms of the GNU General Public License as published by the
-# Free Software Foundation; either version 2 of the License, or (at your
-# option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
-#
-# This program is distributed in the hope that it will be useful, but
-# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
-# or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
-# for more details.
-#
-
-DIR=`dirname $0`
-
-source $DIR/function.sh
-
-[ -f $DIR/../testing.conf ] || die "Configuration file 'testing.conf' not found"
-
-source $DIR/../testing.conf
-
-cecho "shutting down"
-cecho-n "  "
-
-for host in $STRONGSWANHOSTS
-do
-    eval HOSTLOGIN="root@`echo $HOSTNAMEIPV4 | sed -n -e "s/^.*${host},//gp" | awk -F, '{ print $1 }' | awk '{ print $1 }'`"
-    cecho-n "$host... "
-    ssh $HOSTLOGIN 'shutdown now -h' > /dev/null
-done
-
-cecho
diff --git a/testing/scripts/start-bridges b/testing/scripts/start-bridges
deleted file mode 100755
index 1e09d6e7d..000000000
--- a/testing/scripts/start-bridges
+++ /dev/null
@@ -1,64 +0,0 @@
-#!/bin/bash
-# start the UML bridges in the kernel using the brctl command
-#
-# Copyright (C) 2009  Andreas Steffen
-# HSR Hochschule fuer Technik Rapperswil
-#
-# This program is free software; you can redistribute it and/or modify it
-# under the terms of the GNU General Public License as published by the
-# Free Software Foundation; either version 2 of the License, or (at your
-# option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
-#
-# This program is distributed in the hope that it will be useful, but
-# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
-# or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
-# for more details.
-
-DIR=`dirname $0`
-
-source $DIR/function.sh
-
-# create umlbr1 and its taps 
-#
-if [ `brctl show | grep umlbr1 | wc -l` -eq 1 ]
-then
-	cecho " * Great, umlbr1 is already running!"
-else
-	cecho-n " * Starting umlbr1 with taps.."
-	umlbr_add     1 10.1.0.254 255.255.0.0
-	umlbr_add_tap 1 alice
-	umlbr_add_tap 1 venus
-	umlbr_add_tap 1 moon
-	cgecho "done"
-fi
-
-# create umlbr0 and its taps
-#
-if [ `brctl show | grep umlbr0 | wc -l` -eq 1 ]
-then
-	cecho " * Great, umlbr0 is already running!"
-else
-	cecho-n " * Starting umlbr0 with taps.."
-	umlbr_add     0 192.168.0.254 255.255.255.0
-	umlbr_add_tap 0 alice
-	umlbr_add_tap 0 moon
-	umlbr_add_tap 0 carol
-	umlbr_add_tap 0 winnetou
-	umlbr_add_tap 0 dave
-	umlbr_add_tap 0 sun
-	cgecho "done"
-fi
-
-# create umlbr2 and its taps
-#
-if [ `brctl show | grep umlbr2 | wc -l` -eq 1 ]
-then
-	cecho " * Great, umlbr2 is already running!"
-else
-	cecho-n " * Starting umlbr2 with taps.."
-	umlbr_add     2 10.2.0.254 255.255.0.0
-	umlbr_add_tap 2 sun
-	umlbr_add_tap 2 bob
-	cgecho "done"
-fi
-
diff --git a/testing/scripts/start-umls b/testing/scripts/start-umls
deleted file mode 100755
index 878494370..000000000
--- a/testing/scripts/start-umls
+++ /dev/null
@@ -1,117 +0,0 @@
-#!/bin/bash
-# starts the UML instances with a hidden screen
-#
-# Copyright (C) 2004  Eric Marchionni, Patrik Rayo
-# Zuercher Hochschule Winterthur
-#
-# This program is free software; you can redistribute it and/or modify it
-# under the terms of the GNU General Public License as published by the
-# Free Software Foundation; either version 2 of the License, or (at your
-# option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
-#
-# This program is distributed in the hope that it will be useful, but
-# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
-# or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
-# for more details.
-
-DIR=`dirname $0`
-
-source $DIR/function.sh
-
-[ -f $DIR/../testing.conf ] || die "Configuration file 'testing.conf' not found"
-
-source $DIR/../testing.conf
-
-if [ "$#" -eq 0 ]
-then
-    HOSTS=$STRONGSWANHOSTS
-else
-    HOSTS=$*
-fi
-
-BOOTING_HOSTS=""
-count_max=12
-count=0
-
-for host in $HOSTS
-do
-    up=0
-
-    if [ -d ~/.uml/${host} ]
-    then
-	pid=`cat ~/.uml/${host}/pid`
-	up=`ps up $pid | wc -l`
-    fi
-    
-    if [ $up -eq 2 ]
-    then
-	cecho " * Great, ${host} is already running!"
-    else
-	rm -rf ~/.uml/${host}
-	BOOTING_HOSTS="$BOOTING_HOSTS ${host}"
-	let "count_max += 12"
-
-	UMLHOSTFS=$BUILDDIR/root-fs/gentoo-fs-${host}
-	[ -f  $UMLHOSTFS ] || die "!! uml root file system '$UMLHOSTFS' not found"
-
-	cecho-n " * Starting ${host}.."
-	eval screen -dmS ${host} "$UMLKERNEL \
-	    umid=${host} \
-	    ubda=$UMLHOSTFS \
-	    \$SWITCH_${host} \
-	    mem=${MEM}M con=pty con0=fd:0,fd:1"
-        cgecho "done"
-    fi
-done
-
-if [ -z "$BOOTING_HOSTS" ]
-then
-    exit 0
-fi
-
-cecho " * Waiting for the uml instances to finish booting"
-
-for host in $BOOTING_HOSTS
-do
-    cecho-n " * Checking on $host.."
-
-    while [ $count -lt $count_max ] && [ ! -d ~/.uml/$host ]
-    do
-	cecho-n "."
-	sleep 5
-	let "count+=1"
-    done
-
-    if [ $count -ge $count_max ]
-    then
-	cecho "exit"
-	exit 1
-    fi
-
-    up=`uml_mconsole $host proc net/route 2> /dev/null | grep eth0 | wc -l`
-
-    while [ $count -lt $count_max ] && [ $up -eq 0 ]
-    do
-	cecho-n "."
-	sleep 5
-	up=`uml_mconsole $host proc net/route 2> /dev/null | grep eth0 | wc -l`
-	let "count+=1"
-    done
-
-    if [ $count -ge $count_max ]
-    then
-	cecho "exit"
-	exit 1
-    else
-	cgecho "up"
-    fi
-
-    if [ "$host" = "alice" ]
-    then
-	sleep 5
-	eval ipv4_${host}="`echo $HOSTNAMEIPV4 | sed -n -e "s/^.*${host},//gp" | awk -F, '{ print $1 }' | awk '{ print $1 }'`"
-	ssh root@$ipv4_alice /etc/init.d/net.eth1 stop
-    fi
-done
-
-cecho " * All uml instances are up now"
diff --git a/testing/scripts/stop-bridges b/testing/scripts/stop-bridges
deleted file mode 100755
index eb92bd0eb..000000000
--- a/testing/scripts/stop-bridges
+++ /dev/null
@@ -1,49 +0,0 @@
-#!/bin/bash
-# stop the UML bridges in the kernel using the brctl command
-#
-# Copyright (C) 2009  Andreas Steffen
-# HSR Hochschule fuer Technik Rapperswil
-#
-# This program is free software; you can redistribute it and/or modify it
-# under the terms of the GNU General Public License as published by the
-# Free Software Foundation; either version 2 of the License, or (at your
-# option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
-#
-# This program is distributed in the hope that it will be useful, but
-# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
-# or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
-# for more details.
-
-DIR=`dirname $0`
-
-source $DIR/function.sh
-
-# stop umlbr1 and its taps 
-#
-cecho-n " * Stopping umlbr1 with taps.."
-umlbr_del_tap 1 alice
-umlbr_del_tap 1 venus
-umlbr_del_tap 1 moon
-umlbr_del     1
-cgecho "done"
-
-# stop umlbr0 and its taps
-#
-cecho-n " * Stopping umlbr0 with taps.."
-umlbr_del_tap 0 alice
-umlbr_del_tap 0 moon
-umlbr_del_tap 0 carol
-umlbr_del_tap 0 winnetou
-umlbr_del_tap 0 dave
-umlbr_del_tap 0 sun
-umlbr_del     0
-cgecho "done"
-
-# stop umlbr2 and its taps
-#
-cecho-n " * Stopping umlbr2 with taps.."
-umlbr_del_tap 2 sun
-umlbr_del_tap 2 bob
-umlbr_del     2
-cgecho "done"
-
diff --git a/testing/scripts/xstart-umls b/testing/scripts/xstart-umls
deleted file mode 100755
index ed2662b6c..000000000
--- a/testing/scripts/xstart-umls
+++ /dev/null
@@ -1,126 +0,0 @@
-#!/bin/bash
-# starts the UML instances in an xterm (requires X11R6)
-#
-# Copyright (C) 2004  Eric Marchionni, Patrik Rayo
-# Zuercher Hochschule Winterthur
-#
-# This program is free software; you can redistribute it and/or modify it
-# under the terms of the GNU General Public License as published by the
-# Free Software Foundation; either version 2 of the License, or (at your
-# option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
-#
-# This program is distributed in the hope that it will be useful, but
-# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
-# or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
-# for more details.
-
-DIR=`dirname $0`
-
-source $DIR/function.sh
-
-[ -f $DIR/../testing.conf ] || die "Configuration file 'testing.conf' not found"
-
-source $DIR/../testing.conf
-
-if [ "$#" -eq 0 ]
-then
-    HOSTS=$STRONGSWANHOSTS
-else
-    HOSTS=$*
-fi
-
-BOOTING_HOSTS=""
-count_max=12
-count=0
-
-#position of xterm window on the desktop
-x0=8
-y0=8
-dx=12
-dy=24
-
-for host in $HOSTS
-do
-    up=0
-
-    if [ -d ~/.uml/${host} ]
-    then
-	pid=`cat ~/.uml/${host}/pid`
-	up=`ps up $pid | wc -l`
-    fi
-    
-    if [ $up -eq 2 ]
-    then
-	cecho " * Great, ${host} is already running!"
-    else
-	rm -rf ~/.uml/${host}
-	BOOTING_HOSTS="$BOOTING_HOSTS ${host}"
-	let "count_max += 12"
-
-	UMLHOSTFS=$BUILDDIR/root-fs/gentoo-fs-${host}
-	[ -f  $UMLHOSTFS ] || die "!! uml root file system '$UMLHOSTFS' not found"
-
-	cecho-n " * Starting ${host}.."
-	eval xterm -title ${host} -geometry "+${x0}+${y0}" -rightbar -sb -sl 500 -e "$UMLKERNEL \
-	    umid=${host} \
-	    ubda=$UMLHOSTFS \
-	    \$SWITCH_${host} \
-	    mem=${MEM}M con=pty con0=fd:0,fd:1" &
-        cgecho "done"
-        sleep 15
-    fi
-    let "x0+=dx"
-    let "y0+=dy"
-done
-
-if [ -z "$BOOTING_HOSTS" ]
-then
-    exit 0
-fi
-
-cecho " * Waiting for the uml instances to finish booting"
-
-for host in $BOOTING_HOSTS
-do
-    cecho-n " * Checking on $host.."
-
-    while [ $count -lt $count_max ] && [ ! -d ~/.uml/$host ]
-    do
-	cecho-n "."
-	sleep 5
-	let "count+=1"
-    done
-
-    if [ $count -ge $count_max ]
-    then
-	cecho "exit"
-	exit 1
-    fi
-
-    up=`uml_mconsole $host proc net/route 2> /dev/null | grep eth0 | wc -l`
-
-    while [ $count -lt $count_max ] && [ $up -eq 0 ]
-    do
-	cecho-n "."
-	sleep 5
-	up=`uml_mconsole $host proc net/route 2> /dev/null | grep eth0 | wc -l`
-	let "count+=1"
-    done
-
-    if [ $count -ge $count_max ]
-    then
-	cecho "exit"
-	exit 1
-    else
-	cgecho "up"
-    fi
-
-    if [ "$host" = "alice" ]
-    then
-	sleep 5
-	eval ipv4_${host}="`echo $HOSTNAMEIPV4 | sed -n -e "s/^.*${host},//gp" | awk -F, '{ print $1 }' | awk '{ print $1 }'`"
-	ssh root@$ipv4_alice /etc/init.d/net.eth1 stop
-    fi
-done
-
-cecho " * All uml instances are up now"
diff --git a/testing/ssh_config b/testing/ssh_config
index 36569c07c..831b9dc1a 100644
--- a/testing/ssh_config
+++ b/testing/ssh_config
@@ -1,7 +1,8 @@
 Host *
 	# debian default
 	SendEnv LANG LC_*
-	HashKnownHosts yes
+	StrictHostKeyChecking no
+	UserKnownHostsFile /dev/null
 	GSSAPIAuthentication yes
 	# faster encryption
 	Ciphers arcfour
diff --git a/testing/start-testing b/testing/start-testing
index 278500e6f..183729423 100755
--- a/testing/start-testing
+++ b/testing/start-testing
@@ -1,85 +1,48 @@
 #!/bin/bash
-# Start up the specified UML instances and wait for them to finish booting
-#
-# Copyright (C) 2004  Eric Marchionni, Patrik Rayo
-# Zuercher Hochschule Winterthur
-#
-# This program is free software; you can redistribute it and/or modify it
-# under the terms of the GNU General Public License as published by the
-# Free Software Foundation; either version 2 of the License, or (at your
-# option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
-#
-# This program is distributed in the hope that it will be useful, but
-# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
-# or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
-# for more details.
-
-DIR=`dirname $0`
-
-source $DIR/scripts/function.sh
-
-[ -f $DIR/testing.conf ] || die "!! Configuration file 'testing.conf' not found"
-[ -d $DIR/hosts ] || die "Directory hosts cannot be found."
-
-source $DIR/testing.conf
-
-if [ "$#" -eq 0 ]
-then
-    HOSTS=$STRONGSWANHOSTS
-else
-    HOSTS=$*
-fi
-
-#####################################################
-# start the uml bridges
-#
-cecho "Start the uml bridges  (scripts/start-bridges)"
-$DIR/scripts/start-bridges
-
-
-#####################################################
-# start the uml instances
-#
-case $UMLSTARTMODE in
-    konsole)
-	cecho "Start the uml instances  (scripts/kstart-umls)"
-	$DIR/scripts/kstart-umls $HOSTS
-	;;
-    gnome-terminal)
-	cecho "Start the uml instances  (scripts/gstart-umls)"
-	$DIR/scripts/gstart-umls $HOSTS
-	;;
-    xterm)
-	cecho "Start the uml instances  (scripts/xstart-umls)"
-	$DIR/scripts/xstart-umls $HOSTS
-	;;
-    screen)
-	cecho "Start the uml instances  (scripts/start-umls)"
-	$DIR/scripts/start-umls $HOSTS
-	;;
-    *)
-        die "The start mode is unknown! Please set $UMLSTARTMODE properly."
-	;;
-esac
-
-
-#####################################################
-# do the automated testing
-#
-if [ $ENABLE_DO_TESTS = "yes" ]
-then
-   cecho "Run the automated tests (do-tests)"
-   $DIR/do-tests
-fi
-
-
-##############################################################################
-# stop all UML instances and switches
-#
-
-if [ $ENABLE_STOP_TESTING = "yes" ]
-then
-   cecho "Stopping all UML instances and switches (stop-testing)"
-   $DIR/stop-testing $HOSTS
-fi
 
+DIR=$(dirname `readlink -f $0`)
+. $DIR/testing.conf
+. $DIR/scripts/function.sh
+
+NETWORKS="vnet1 vnet2 vnet3"
+CONFDIR=$DIR/config/kvm
+KNLSRC=$BUILDDIR/$KERNEL/arch/x86/boot/bzImage
+KNLTARGET=/var/run/kvm-swan-kernel
+HOSTFSTARGET=/var/run/kvm-swan-hostfs
+MCASTBRS="virbr1 virbr2"
+
+echo "Starting test environment"
+
+[ `id -u` -eq 0 ] || die "You must be root to run $0"
+
+check_commands virsh
+
+log_action "Deploying kernel $KERNEL"
+execute "ln -fs $KNLSRC $KNLTARGET"
+
+log_action "Deploying $SHAREDDIR as hostfs"
+execute "chown -R $KVMUSER:$KVMGROUP $SHAREDDIR" 0
+execute "ln -Tfs $SHAREDDIR $HOSTFSTARGET"
+
+for net in $NETWORKS
+do
+	log_action "Network $net"
+	execute "virsh net-create $CONFDIR/$net.xml"
+done
+
+for host in $STRONGSWANHOSTS
+do
+	ln -fs $IMGDIR/$host.$IMGEXT $VIRTIMGSTORE/$host.$IMGEXT
+	log_action "Guest $host"
+	execute "virsh create $CONFDIR/$host.xml"
+done
+
+# Enforce reception of multicast traffic on bridges
+for br in $MCASTBRS
+do
+	cd /sys/devices/virtual/net/$br/brif
+	for vnet in `find . -name "vnet*"`
+	do
+		echo 2 > $vnet/multicast_router
+	done
+done
diff --git a/testing/stop-testing b/testing/stop-testing
index 023a5b39e..704ae6667 100755
--- a/testing/stop-testing
+++ b/testing/stop-testing
@@ -1,48 +1,34 @@
 #!/bin/bash
-# Stop all UML instances and UML switches
-#
-# Copyright (C) 2004  Eric Marchionni, Patrik Rayo
-# Zuercher Hochschule Winterthur
-#
-# This program is free software; you can redistribute it and/or modify it
-# under the terms of the GNU General Public License as published by the
-# Free Software Foundation; either version 2 of the License, or (at your
-# option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
-#
-# This program is distributed in the hope that it will be useful, but
-# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
-# or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
-# for more details.
-
-DIR=`dirname $0`
-
-source $DIR/scripts/function.sh
-
-[ -f $DIR/testing.conf ] || die "No configuration file testing.conf found."
-
-source $DIR/testing.conf
-
-if [ "$#" -eq 0 ]
-then
-    HOSTS=$STRONGSWANHOSTS
-else
-    HOSTS=$*
-fi
-
-#####################################################
-# Shutting down the uml instances
-#
-cecho-n " * Halting all UML instances.."
-for host in $HOSTS
+
+DIR=$(dirname `readlink -f $0`)
+. $DIR/testing.conf
+. $DIR/scripts/function.sh
+
+echo "Stopping test environment"
+
+NETWORKS="vnet1 vnet2 vnet3"
+KNLTARGET=/var/run/kvm-swan-kernel
+HOSTFSTARGET=/var/run/kvm-swan-hostfs
+
+[ `id -u` -eq 0 ] || die "You must be root to run $0"
+
+check_commands virsh
+
+for net in $NETWORKS
 do
-    uml_mconsole $host halt &> /dev/null
+	log_action "Network $net"
+	execute "virsh net-destroy $net"
 done
-cgecho "done"
 
-#####################################################
-# Shutting down the uml bridhges
-#
-cecho "Stop the uml bridges  (scripts/stop-bridges)"
-$DIR/scripts/stop-bridges
+for host in $STRONGSWANHOSTS
+do
+	log_action "Guest $host"
+	execute "virsh shutdown $host"
+	rm -f $VIRTIMGSTORE/$host.$IMGEXT
+done
 
+log_action "Removing kernel $KERNEL"
+execute "rm $KNLTARGET"
 
+log_action "Removing link to hostfs"
+execute "rm $HOSTFSTARGET"
diff --git a/testing/testing.conf b/testing/testing.conf
old mode 100755
new mode 100644
index d0c918860..960d3f63e
--- a/testing/testing.conf
+++ b/testing/testing.conf
@@ -1,5 +1,5 @@
 #!/bin/bash
-# Global configuration file for strongswan UML testing.
+# Global configuration file for strongswan integration testing.
 #
 # Copyright (C) 2004  Eric Marchionni, Patrik Rayo
 # Zuercher Hochschule Winterthur
@@ -15,146 +15,66 @@
 # for more details.
 
 # Root directory of testing
-UMLTESTDIR=~/strongswan-testing
-
-# Bzipped kernel sources
-# (file extension .tar.bz2 required)
-KERNEL=$UMLTESTDIR/linux-3.5.3.tar.bz2
-
-# Extract kernel version
-KERNELVERSION=`basename $KERNEL .tar.bz2 | sed -e 's/linux-//'`
-
-# Kernel configuration file
-KERNELCONFIG=$UMLTESTDIR/.config-3.5
-
-
-# Bzipped uml patch for kernel
-UMLPATCH=$UMLTESTDIR/ha-3.0.patch.bz2
-
-# Bzipped source of strongSwan
-STRONGSWAN=$UMLTESTDIR/strongswan-5.0.1.tar.bz2
-
-# strongSwan compile options (use "yes" or "no")
-USE_LIBCURL="yes"
-USE_LDAP="yes"
-USE_EAP_AKA="yes"
-USE_EAP_SIM="yes"
-USE_EAP_MD5="yes"
-USE_EAP_MSCHAPV2="yes"
-USE_EAP_IDENTITY="yes"
-USE_EAP_RADIUS="yes"
-USE_EAP_DYNAMIC="yes"
-USE_EAP_TLS="yes"
-USE_EAP_TTLS="yes"
-USE_EAP_PEAP="yes"
-USE_EAP_TNC="yes"
-USE_TNC_PDP="yes"
-USE_TNC_IMC="yes"
-USE_TNC_IMV="yes"
-USE_TNCCS_11="yes"
-USE_TNCCS_20="yes"
-USE_TNCCS_DYNAMIC="yes"
-USE_IMC_TEST="yes"
-USE_IMV_TEST="yes"
-USE_IMC_SCANNER="yes"
-USE_IMV_SCANNER="yes"
-USE_IMC_ATTESTATION="yes"
-USE_IMV_ATTESTATION="yes"
-USE_SQL="yes"
-USE_MEDIATION="yes"
-USE_OPENSSL="yes"
-USE_BLOWFISH="yes"
-USE_KERNEL_PFKEY="yes"
-USE_INTEGRITY_TEST="yes"
-USE_LEAK_DETECTIVE="yes"
-USE_LOAD_TESTER="yes"
-USE_TEST_VECTORS="yes"
-USE_GCRYPT="yes"
-USE_SOCKET_DEFAULT="yes"
-USE_SOCKET_DYNAMIC="yes"
-USE_DHCP="yes"
-USE_FARP="yes"
-USE_ADDRBLOCK="yes"
-USE_CTR="yes"
-USE_CCM="yes"
-USE_GCM="yes"
-USE_CMAC="yes"
-USE_HA="yes"
-USE_AF_ALG="yes"
-USE_WHITELIST="yes"
-USE_XAUTH_GENERIC="yes"
-USE_XAUTH_EAP="yes"
-USE_PKCS8="yes"
-USE_IFMAP="no"
-USE_CISCO_QUIRKS="no"
-USE_UNITY="yes"
-
-# Gentoo linux root filesystem
-ROOTFS=$UMLTESTDIR/gentoo-fs-20111212.tar.bz2
-
-# Size of the finished root filesystem in MB
-ROOTFSSIZE=850
-
-# Amount of Memory to use per UML [MB].
-# If "auto" is stated 1/12 of total host ram will be used.
-# Examples: MEM=64, MEM="128", MEM="auto"
-MEM=96
-
-# Directory where the UML kernels and file system will be built
-BUILDDIR=$UMLTESTDIR/umlbuild
-
-# Filename of the built UML Kernel
-UMLKERNEL=$BUILDDIR/linux-uml-$KERNELVERSION
+TESTDIR=/srv/strongswan-testing
+
+# Kernel configuration
+KERNELVERSION=3.5.3
+KERNEL=linux-$KERNELVERSION
+KERNELTARBALL=$KERNEL.tar.bz2
+KERNELCONFIG=$DIR/../config/kernel/config-3.5
+KERNELPATCH=ha-3.0.patch.bz2
+
+# strongSwan version used in tests
+SWANVERSION=5.0.2dr4
+
+# Build directory where the guest kernel and images will be built
+BUILDDIR=$TESTDIR/build
+# Directory shared between host and guests
+SHAREDDIR=$BUILDDIR/shared
+
+# Logfile
+LOGFILE=$BUILDDIR/testing.log
+
+# Directory used for loop-mounts
+LOOPDIR=$BUILDDIR/loop
+
+# Common image settings
+IMGEXT=qcow2
+IMGDIR=$BUILDDIR/images
+
+# Base image settings
+# The base image is a pristine OS installation created using debootstrap.
+BASEIMGSIZE=1024
+BASEIMGSUITE=wheezy
+BASEIMGARCH=amd64
+BASEIMG=$IMGDIR/debian-$BASEIMGSUITE-$BASEIMGARCH.$IMGEXT
+BASEIMGMIRROR=http://cdn.debian.net/debian
+
+# Root image settings
+# The root image is the origin of all guest images. It is a clone of the base
+# image and contains additional test-specific software and patches.
+ROOTIMG=$IMGDIR/root.$IMGEXT
+
+# libvirt config
+NBDEV=/dev/nbd0
+NBDPARTITION=${NBDEV}p1
+VIRTIMGSTORE=/var/lib/libvirt/images
+KVMUSER=libvirt-qemu
+KVMGROUP=kvm
 
 # Directory where test results will be stored
-TESTRESULTSDIR=$UMLTESTDIR/testresults
+TESTRESULTSDIR=$TESTDIR/testresults
 
 # SSH configuration (speedup SSH)
-SSHCONF="-F $UMLTESTDIR/testing/ssh_config"
-
-# Path to a full strongswan tree on the host system, which is
-# mounted into /root/strongswan-shared. This gives us an easy
-# way to apply and test changes instantly.
-#SHAREDTREE=/home/martin/strongswan/trunk
-
-# Timezone for the UMLs, look in /usr/share/zoneinfo!
-TZUML="Europe/Zurich"
-
-##############################################################
-# Enable particular steps in the make-testing and
-# start-testing scripts
-#
-ENABLE_BUILD_UMLKERNEL="yes"
-ENABLE_BUILD_SSHKEYS="yes"
-ENABLE_BUILD_HOSTCONFIG="yes"
-ENABLE_BUILD_UMLROOTFS="yes"
-ENABLE_BUILD_UMLHOSTFS="yes"
-ENABLE_START_TESTING="yes"
-ENABLE_DO_TESTS="no"
-ENABLE_STOP_TESTING="no"
+SSHCONF="-F $TESTDIR/testing/ssh_config"
 
 ##############################################################
-# How to start the UMLs?
-#
-# Start the UML instance in KDE konsole (requires KDE)
-# UMLSTARTMODE="konsole"
-# Start the UML instance in a gnome-terminal (requires gnome)
-UMLSTARTMODE="gnome-terminal"
-# Start the UML instance in an xterm (requires X11R6)
-# UMLSTARTMODE="xterm"
-# Start the UML instance without a terminal window
-# but screen -r <host> can open a window anytime
-# UMLSTARTMODE="screen"
-
-##############################################################
-# If set to "yes" only the tests stated at $SELECTEDTESTS
-# will be executed. (use "yes" or "no")
-#
-SELECTEDTESTSONLY="no"
-
-# Tests to do if $SELECTEDTESTSONLY is set "yes".
+# Enable particular steps in the make-testing
 #
-SELECTEDTESTS="ikev2/rw-cert"
+ENABLE_BUILD_BASEIMAGE="yes"
+ENABLE_BUILD_ROOTIMAGE="yes"
+ENABLE_BUILD_GUESTKERNEL="yes"
+ENABLE_BUILD_GUESTIMAGES="yes"
 
 ##############################################################
 # hostname and corresponding IPv4 and IPv6 addresses
@@ -186,35 +106,5 @@ bob,fec2::10"
 # VPN gateways / clients
 # The hosts stated here will be created. Possible values
 # are sun, moon, dave, carol, alice, venus, bob, winnetou.
-# It's fine to make them all unless you don't have much
-# resources. In this case we assume you know what you do!
-#
-STRONGSWANHOSTS="sun moon dave carol alice venus bob winnetou"
-
-##############################################################
-# Needed programs, do not change!
-#
-PROGRAMS="uml_switch uml_mconsole ssh ssh-keygen iptables \
-          chroot screen mkreiserfs"
-
-##############################################################
-# IP parameters of the UML switches
-#
-IFCONFIG_0="192.168.0.254 netmask 255.255.255.0"
-IFCONFIG_1="10.1.0.254 netmask 255.255.0.0"
-IFCONFIG_2="10.2.0.254 netmask 255.255.0.0"
-
-##############################################################
-# Network interfaces of the UML instances
 #
-SWITCH_alice="eth0=tuntap,tap1_alice,fe:fd:0a:01:00:0a \
-              eth1=tuntap,tap0_alice,fe:fd:c0:a8:00:32"
-SWITCH_venus="eth0=tuntap,tap1_venus,fe:fd:0a:01:00:14"
-SWITCH_moon="eth0=tuntap,tap0_moon,fe:fd:c0:a8:00:01 \
-             eth1=tuntap,tap1_moon,fe:fd:0a:01:00:01"
-SWITCH_carol="eth0=tuntap,tap0_carol,fe:fd:c0:a8:00:64"
-SWITCH_winnetou="eth0=tuntap,tap0_winnetou,fe:fd:c0:a8:00:96"
-SWITCH_dave="eth0=tuntap,tap0_dave,fe:fd:c0:a8:00:c8"
-SWITCH_sun="eth0=tuntap,tap0_sun,fe:fd:c0:a8:00:02 \
-            eth1=tuntap,tap2_sun,fe:fd:0a:02:00:01"
-SWITCH_bob="eth0=tuntap,tap2_bob,fe:fd:0a:02:00:0a"
+STRONGSWANHOSTS="alice bob carol dave moon sun venus winnetou"
diff --git a/testing/tests/af-alg/alg-camellia/evaltest.dat b/testing/tests/af-alg/alg-camellia/evaltest.dat
index 72e3c5e29..2096cb994 100644
--- a/testing/tests/af-alg/alg-camellia/evaltest.dat
+++ b/testing/tests/af-alg/alg-camellia/evaltest.dat
@@ -2,7 +2,7 @@ carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.
 moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
 moon:: ipsec statusall 2> /dev/null::IKE proposal: CAMELLIA_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048::YES
 carol::ipsec statusall 2> /dev/null::IKE proposal: CAMELLIA_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048::YES
-carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_req=1::YES
 moon:: ipsec statusall 2> /dev/null::CAMELLIA_CBC_192/HMAC_SHA2_384_192::YES
 carol::ipsec statusall 2> /dev/null::CAMELLIA_CBC_192/HMAC_SHA2_384_192::YES
 moon:: ip xfrm state::enc cbc(camellia)::YES
diff --git a/testing/tests/af-alg/alg-camellia/posttest.dat b/testing/tests/af-alg/alg-camellia/posttest.dat
index 94a400606..046d4cfdc 100644
--- a/testing/tests/af-alg/alg-camellia/posttest.dat
+++ b/testing/tests/af-alg/alg-camellia/posttest.dat
@@ -1,4 +1,4 @@
 moon::ipsec stop
 carol::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/af-alg/alg-camellia/pretest.dat b/testing/tests/af-alg/alg-camellia/pretest.dat
index 3c3df0196..886fdf55c 100644
--- a/testing/tests/af-alg/alg-camellia/pretest.dat
+++ b/testing/tests/af-alg/alg-camellia/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 carol::sleep 1 
diff --git a/testing/tests/af-alg/alg-camellia/test.conf b/testing/tests/af-alg/alg-camellia/test.conf
index 9cd583b16..4a5fc470f 100644
--- a/testing/tests/af-alg/alg-camellia/test.conf
+++ b/testing/tests/af-alg/alg-camellia/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou"
+VIRTHOSTS="alice moon carol winnetou"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
diff --git a/testing/tests/af-alg/rw-cert/evaltest.dat b/testing/tests/af-alg/rw-cert/evaltest.dat
index f8cfb111b..ba661975b 100644
--- a/testing/tests/af-alg/rw-cert/evaltest.dat
+++ b/testing/tests/af-alg/rw-cert/evaltest.dat
@@ -6,8 +6,8 @@ carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
 dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
 moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
 moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
 moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/af-alg/rw-cert/posttest.dat b/testing/tests/af-alg/rw-cert/posttest.dat
index 7cebd7f25..1865a1c60 100644
--- a/testing/tests/af-alg/rw-cert/posttest.dat
+++ b/testing/tests/af-alg/rw-cert/posttest.dat
@@ -1,6 +1,6 @@
 moon::ipsec stop
 carol::ipsec stop
 dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/af-alg/rw-cert/pretest.dat b/testing/tests/af-alg/rw-cert/pretest.dat
index 42e9d7c24..8bbea1412 100644
--- a/testing/tests/af-alg/rw-cert/pretest.dat
+++ b/testing/tests/af-alg/rw-cert/pretest.dat
@@ -1,6 +1,6 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
diff --git a/testing/tests/af-alg/rw-cert/test.conf b/testing/tests/af-alg/rw-cert/test.conf
index 70416826e..f29298850 100644
--- a/testing/tests/af-alg/rw-cert/test.conf
+++ b/testing/tests/af-alg/rw-cert/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/gcrypt-ikev1/alg-serpent/evaltest.dat b/testing/tests/gcrypt-ikev1/alg-serpent/evaltest.dat
index 81e413f98..db5a76204 100644
--- a/testing/tests/gcrypt-ikev1/alg-serpent/evaltest.dat
+++ b/testing/tests/gcrypt-ikev1/alg-serpent/evaltest.dat
@@ -4,7 +4,7 @@ carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
 moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
 carol::ipsec statusall 2> /dev/null::IKE proposal: SERPENT_CBC_256/HMAC_SHA2_512_256::YES
 moon:: ipsec statusall 2> /dev/null::IKE proposal: SERPENT_CBC_256/HMAC_SHA2_512_256::YES
-carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_req=1::YES
 carol::ipsec statusall 2> /dev/null::SERPENT_CBC_256/HMAC_SHA2_512_256,::YES
 moon:: ipsec statusall 2> /dev/null::SERPENT_CBC_256/HMAC_SHA2_512_256,::YES
 carol::ip xfrm state::enc cbc(serpent)::YES
diff --git a/testing/tests/gcrypt-ikev1/alg-serpent/pretest.dat b/testing/tests/gcrypt-ikev1/alg-serpent/pretest.dat
index 6d2eeb5f9..1b8fc3b79 100644
--- a/testing/tests/gcrypt-ikev1/alg-serpent/pretest.dat
+++ b/testing/tests/gcrypt-ikev1/alg-serpent/pretest.dat
@@ -1,4 +1,3 @@
-moon::echo 1 > /proc/sys/net/ipv4/ip_forward
 carol::ipsec start
 moon::ipsec start
 carol::sleep 2 
diff --git a/testing/tests/gcrypt-ikev1/alg-serpent/test.conf b/testing/tests/gcrypt-ikev1/alg-serpent/test.conf
index 6abbb89a9..d7b71426c 100644
--- a/testing/tests/gcrypt-ikev1/alg-serpent/test.conf
+++ b/testing/tests/gcrypt-ikev1/alg-serpent/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou"
+VIRTHOSTS="alice moon carol winnetou"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
diff --git a/testing/tests/gcrypt-ikev1/alg-twofish/evaltest.dat b/testing/tests/gcrypt-ikev1/alg-twofish/evaltest.dat
index 7003977f9..ac3b5e0b0 100644
--- a/testing/tests/gcrypt-ikev1/alg-twofish/evaltest.dat
+++ b/testing/tests/gcrypt-ikev1/alg-twofish/evaltest.dat
@@ -4,7 +4,7 @@ carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
 moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
 carol::ipsec statusall 2> /dev/null::IKE proposal: TWOFISH_CBC_256/HMAC_SHA2_512_256::YES
 moon:: ipsec statusall 2> /dev/null::IKE proposal: TWOFISH_CBC_256/HMAC_SHA2_512_256::YES
-carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_req=1::YES
 carol::ipsec statusall 2> /dev/null::TWOFISH_CBC_256/HMAC_SHA2_512_256,::YES
 moon:: ipsec statusall 2> /dev/null::TWOFISH_CBC_256/HMAC_SHA2_512_256,::YES
 carol::ip xfrm state::enc cbc(twofish)::YES
diff --git a/testing/tests/gcrypt-ikev1/alg-twofish/pretest.dat b/testing/tests/gcrypt-ikev1/alg-twofish/pretest.dat
index 6d2eeb5f9..1b8fc3b79 100644
--- a/testing/tests/gcrypt-ikev1/alg-twofish/pretest.dat
+++ b/testing/tests/gcrypt-ikev1/alg-twofish/pretest.dat
@@ -1,4 +1,3 @@
-moon::echo 1 > /proc/sys/net/ipv4/ip_forward
 carol::ipsec start
 moon::ipsec start
 carol::sleep 2 
diff --git a/testing/tests/gcrypt-ikev1/alg-twofish/test.conf b/testing/tests/gcrypt-ikev1/alg-twofish/test.conf
index 6abbb89a9..d7b71426c 100644
--- a/testing/tests/gcrypt-ikev1/alg-twofish/test.conf
+++ b/testing/tests/gcrypt-ikev1/alg-twofish/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou"
+VIRTHOSTS="alice moon carol winnetou"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
diff --git a/testing/tests/gcrypt-ikev2/alg-camellia/evaltest.dat b/testing/tests/gcrypt-ikev2/alg-camellia/evaltest.dat
index d82b68dcb..5f0bb3cdc 100644
--- a/testing/tests/gcrypt-ikev2/alg-camellia/evaltest.dat
+++ b/testing/tests/gcrypt-ikev2/alg-camellia/evaltest.dat
@@ -4,7 +4,7 @@ moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
 carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
 moon:: ipsec statusall 2> /dev/null::IKE proposal: CAMELLIA_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048::YES
 carol::ipsec statusall 2> /dev/null::IKE proposal: CAMELLIA_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048::YES
-carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_req=1::YES
 moon:: ipsec statusall 2> /dev/null::CAMELLIA_CBC_192/HMAC_SHA2_384_192::YES
 carol::ipsec statusall 2> /dev/null::CAMELLIA_CBC_192/HMAC_SHA2_384_192::YES
 moon:: ip xfrm state::enc cbc(camellia)::YES
diff --git a/testing/tests/gcrypt-ikev2/alg-camellia/posttest.dat b/testing/tests/gcrypt-ikev2/alg-camellia/posttest.dat
index 94a400606..046d4cfdc 100644
--- a/testing/tests/gcrypt-ikev2/alg-camellia/posttest.dat
+++ b/testing/tests/gcrypt-ikev2/alg-camellia/posttest.dat
@@ -1,4 +1,4 @@
 moon::ipsec stop
 carol::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/gcrypt-ikev2/alg-camellia/pretest.dat b/testing/tests/gcrypt-ikev2/alg-camellia/pretest.dat
index 3c3df0196..886fdf55c 100644
--- a/testing/tests/gcrypt-ikev2/alg-camellia/pretest.dat
+++ b/testing/tests/gcrypt-ikev2/alg-camellia/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 carol::sleep 1 
diff --git a/testing/tests/gcrypt-ikev2/alg-camellia/test.conf b/testing/tests/gcrypt-ikev2/alg-camellia/test.conf
index 9cd583b16..4a5fc470f 100644
--- a/testing/tests/gcrypt-ikev2/alg-camellia/test.conf
+++ b/testing/tests/gcrypt-ikev2/alg-camellia/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou"
+VIRTHOSTS="alice moon carol winnetou"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
diff --git a/testing/tests/gcrypt-ikev2/rw-cert/evaltest.dat b/testing/tests/gcrypt-ikev2/rw-cert/evaltest.dat
index b545c2289..2342d024b 100644
--- a/testing/tests/gcrypt-ikev2/rw-cert/evaltest.dat
+++ b/testing/tests/gcrypt-ikev2/rw-cert/evaltest.dat
@@ -6,8 +6,8 @@ carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
 dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
 moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
 moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
 moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/gcrypt-ikev2/rw-cert/posttest.dat b/testing/tests/gcrypt-ikev2/rw-cert/posttest.dat
index 7cebd7f25..1865a1c60 100644
--- a/testing/tests/gcrypt-ikev2/rw-cert/posttest.dat
+++ b/testing/tests/gcrypt-ikev2/rw-cert/posttest.dat
@@ -1,6 +1,6 @@
 moon::ipsec stop
 carol::ipsec stop
 dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/gcrypt-ikev2/rw-cert/pretest.dat b/testing/tests/gcrypt-ikev2/rw-cert/pretest.dat
index 42e9d7c24..8bbea1412 100644
--- a/testing/tests/gcrypt-ikev2/rw-cert/pretest.dat
+++ b/testing/tests/gcrypt-ikev2/rw-cert/pretest.dat
@@ -1,6 +1,6 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
diff --git a/testing/tests/gcrypt-ikev2/rw-cert/test.conf b/testing/tests/gcrypt-ikev2/rw-cert/test.conf
index 70416826e..f29298850 100644
--- a/testing/tests/gcrypt-ikev2/rw-cert/test.conf
+++ b/testing/tests/gcrypt-ikev2/rw-cert/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ha/both-active/evaltest.dat b/testing/tests/ha/both-active/evaltest.dat
index 36d72ff97..89e5f4b6e 100644
--- a/testing/tests/ha/both-active/evaltest.dat
+++ b/testing/tests/ha/both-active/evaltest.dat
@@ -8,8 +8,8 @@ alice::cat /var/log/daemon.log::HA segment 1 activated::YES
 moon:: cat /var/log/daemon.log::HA segment 2 activated::YES
 alice::cat /var/log/daemon.log::handling HA CHILD_SA::YES
 moon:: cat /var/log/daemon.log::installed HA CHILD_SA::YES
-carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_seq=1::YES
-dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_seq=1::YES
+carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES
 carol::tcpdump::IP carol.strongswan.org > mars.strongswan.org: ESP::YES
 carol::tcpdump::IP mars.strongswan.org > carol.strongswan.org: ESP::YES
 dave::tcpdump::IP dave.strongswan.org > mars.strongswan.org: ESP::YES
diff --git a/testing/tests/ha/both-active/hosts/alice/etc/init.d/iptables b/testing/tests/ha/both-active/hosts/alice/etc/init.d/iptables
deleted file mode 100755
index 95d3b8828..000000000
--- a/testing/tests/ha/both-active/hosts/alice/etc/init.d/iptables
+++ /dev/null
@@ -1,104 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# enable IP forwarding
-	echo 1 > /proc/sys/net/ipv4/ip_forward
-	
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	# forward ESP-tunneled traffic
-	iptables -A FORWARD -i eth1 -m policy --dir in  --pol ipsec --proto esp -s PH_IP_CAROL -j ACCEPT
-	iptables -A FORWARD -i eth1 -m policy --dir in  --pol ipsec --proto esp -s PH_IP_DAVE  -j ACCEPT
-	iptables -A FORWARD -o eth1 -m policy --dir out --pol ipsec --proto esp -j ACCEPT
-
-        # clusterip rules
-        iptables -A INPUT -i eth1 -d 192.168.0.5 -j CLUSTERIP --new --hashmode sourceip \
-                          --clustermac 01:00:c0:a8:00:05 --total-nodes 2 --local-node 2 
-        iptables -A INPUT -i eth0 -d 10.1.0.5 -j CLUSTERIP --new --hashmode sourceip \
-                          --clustermac 01:00:0a:01:00:05 --total-nodes 2 --local-node 2 
-
-	# allow esp
-	iptables -A INPUT  -p 50 -j ACCEPT
-	iptables -A OUTPUT -p 50 -d PH_IP_CAROL -j ACCEPT
-	iptables -A OUTPUT -p 50 -d PH_IP_DAVE -j ACCEPT
-
-	# allow IKE
-	iptables -A INPUT  -i eth1 -p udp --sport 500 --dport 500 -j ACCEPT
-	iptables -A OUTPUT -o eth1 -p udp --dport 500 --sport 500 -j ACCEPT
-
-	# allow MobIKE
-	iptables -A INPUT  -i eth1 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	iptables -A OUTPUT -o eth1 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-	# allow crl fetch from winnetou
-	iptables -A INPUT  -i eth1 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A OUTPUT -o eth1 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-        # allow heartbeat
-        iptables -A INPUT  -i eth0 -d PH_IP_ALICE -s PH_IP_MOON1 -p udp --dport 4510 --sport 4510 -j ACCEPT
-        iptables -A OUTPUT -o eth0 -s PH_IP_ALICE -d PH_IP_MOON1 -p udp --dport 4510 --sport 4510 -j ACCEPT
-
-	# allow ICMP type 3
-	iptables -A INPUT  -i eth0 -d PH_IP_ALICE -s PH_IP_MOON1 -p icmp --icmp-type 3 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -s PH_IP_ALICE -d PH_IP_MOON1 -p icmp --icmp-type 3 -j ACCEPT
-
-	# allow IGMP multicasts
-	iptables -A INPUT  -d 224.0.0.1 -p igmp -j ACCEPT
-	iptables -A OUTPUT -s 224.0.0.1 -p igmp -j ACCEPT
- 
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/ha/both-active/hosts/alice/etc/iptables.rules b/testing/tests/ha/both-active/hosts/alice/etc/iptables.rules
new file mode 100644
index 000000000..cad1d202a
--- /dev/null
+++ b/testing/tests/ha/both-active/hosts/alice/etc/iptables.rules
@@ -0,0 +1,50 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# forward ESP-tunneled traffic
+-A FORWARD -i eth1 -m policy --dir in  --pol ipsec --proto esp -s PH_IP_CAROL -j ACCEPT
+-A FORWARD -i eth1 -m policy --dir in  --pol ipsec --proto esp -s PH_IP_DAVE  -j ACCEPT
+-A FORWARD -o eth1 -m policy --dir out --pol ipsec --proto esp -j ACCEPT
+
+# clusterip rules
+-A INPUT -i eth1 -d 192.168.0.5 -j CLUSTERIP --new --hashmode sourceip --clustermac 01:00:c0:a8:00:05 --total-nodes 2 --local-node 2 
+-A INPUT -i eth0 -d 10.1.0.5    -j CLUSTERIP --new --hashmode sourceip --clustermac 01:00:0a:01:00:05 --total-nodes 2 --local-node 2 
+
+# allow esp
+-A INPUT  -p 50 -j ACCEPT
+-A OUTPUT -p 50 -d PH_IP_CAROL -j ACCEPT
+-A OUTPUT -p 50 -d PH_IP_DAVE -j ACCEPT
+
+# allow IKE
+-A INPUT  -i eth1 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth1 -p udp --dport 500 --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT  -i eth1 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth1 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT  -i eth1 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth1 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+# allow heartbeat
+-A INPUT  -i eth0 -d PH_IP_ALICE -s PH_IP_MOON1 -p udp --dport 4510 --sport 4510 -j ACCEPT
+-A OUTPUT -o eth0 -s PH_IP_ALICE -d PH_IP_MOON1 -p udp --dport 4510 --sport 4510 -j ACCEPT
+
+# allow ICMP type 3
+-A INPUT  -i eth0 -d PH_IP_ALICE -s PH_IP_MOON1 -p icmp --icmp-type 3 -j ACCEPT
+-A OUTPUT -o eth0 -s PH_IP_ALICE -d PH_IP_MOON1 -p icmp --icmp-type 3 -j ACCEPT
+
+# allow IGMP multicasts
+-A INPUT  -d 224.0.0.1 -p igmp -j ACCEPT
+-A OUTPUT -s 224.0.0.1 -p igmp -j ACCEPT
+
+# allow ssh
+-A INPUT  -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/ha/both-active/hosts/moon/etc/init.d/iptables b/testing/tests/ha/both-active/hosts/moon/etc/init.d/iptables
deleted file mode 100755
index 6f7a0316b..000000000
--- a/testing/tests/ha/both-active/hosts/moon/etc/init.d/iptables
+++ /dev/null
@@ -1,104 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# enable IP forwarding
-	echo 1 > /proc/sys/net/ipv4/ip_forward
-	
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	# forward ESP-tunneled traffic
-	iptables -A FORWARD -m policy -i eth0 --dir in  --pol ipsec --proto esp -s PH_IP_CAROL -j ACCEPT
-	iptables -A FORWARD -m policy -i eth0 --dir in  --pol ipsec --proto esp -s PH_IP_DAVE  -j ACCEPT
-	iptables -A FORWARD -m policy -o eth0 --dir out --pol ipsec --proto esp -j ACCEPT
-
-        # clusterip rules
-        iptables -A INPUT -i eth0 -d 192.168.0.5 -j CLUSTERIP --new --hashmode sourceip \
-                          --clustermac 01:00:c0:a8:00:05 --total-nodes 2 --local-node 1
-        iptables -A INPUT -i eth1 -d 10.1.0.5 -j CLUSTERIP --new --hashmode sourceip \
-                          --clustermac 01:00:0a:01:00:05 --total-nodes 2 --local-node 1
-
-	# allow esp
-	iptables -A INPUT  -p 50 -j ACCEPT
-	iptables -A OUTPUT -p 50 -d PH_IP_CAROL -j ACCEPT
-	iptables -A OUTPUT -p 50 -d PH_IP_DAVE  -j ACCEPT
-
-	# allow IKE
-	iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
-	# allow MobIKE
-	iptables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-	# allow crl fetch from winnetou
-	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	# allow heartbeat
-	iptables -A INPUT  -i eth1 -d PH_IP_MOON1 -s PH_IP_ALICE -p udp --dport 4510 --sport 4510 -j ACCEPT
-	iptables -A OUTPUT -o eth1 -s PH_IP_MOON1 -d PH_IP_ALICE -p udp --dport 4510 --sport 4510 -j ACCEPT
-
-	# allow ICMP type 3
-        iptables -A INPUT  -i eth1 -d PH_IP_MOON1 -s PH_IP_ALICE -p icmp --icmp-type 3 -j ACCEPT
-        iptables -A OUTPUT -o eth1 -s PH_IP_MOON1 -d PH_IP_ALICE -p icmp --icmp-type 3 -j ACCEPT
-
-	# allow IGMP multicasts
-	iptables -A INPUT  -d 224.0.0.1 -p igmp -j ACCEPT
-	iptables -A OUTPUT -s 224.0.0.1 -p igmp -j ACCEPT
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/ha/both-active/hosts/moon/etc/iptables.rules b/testing/tests/ha/both-active/hosts/moon/etc/iptables.rules
new file mode 100644
index 000000000..ab7fd7fcb
--- /dev/null
+++ b/testing/tests/ha/both-active/hosts/moon/etc/iptables.rules
@@ -0,0 +1,50 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# forward ESP-tunneled traffic
+-A FORWARD -m policy -i eth0 --dir in  --pol ipsec --proto esp -s PH_IP_CAROL -j ACCEPT
+-A FORWARD -m policy -i eth0 --dir in  --pol ipsec --proto esp -s PH_IP_DAVE  -j ACCEPT
+-A FORWARD -m policy -o eth0 --dir out --pol ipsec --proto esp -j ACCEPT
+
+# clusterip rules
+-A INPUT -i eth0 -d 192.168.0.5 -j CLUSTERIP --new --hashmode sourceip --clustermac 01:00:c0:a8:00:05 --total-nodes 2 --local-node 1
+-A INPUT -i eth1 -d 10.1.0.5    -j CLUSTERIP --new --hashmode sourceip --clustermac 01:00:0a:01:00:05 --total-nodes 2 --local-node 1
+
+# allow esp
+-A INPUT  -p 50 -j ACCEPT
+-A OUTPUT -p 50 -d PH_IP_CAROL -j ACCEPT
+-A OUTPUT -p 50 -d PH_IP_DAVE  -j ACCEPT
+
+# allow IKE
+-A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+# allow heartbeat
+-A INPUT  -i eth1 -d PH_IP_MOON1 -s PH_IP_ALICE -p udp --dport 4510 --sport 4510 -j ACCEPT
+-A OUTPUT -o eth1 -s PH_IP_MOON1 -d PH_IP_ALICE -p udp --dport 4510 --sport 4510 -j ACCEPT
+
+# allow ICMP type 3
+-A INPUT  -i eth1 -d PH_IP_MOON1 -s PH_IP_ALICE -p icmp --icmp-type 3 -j ACCEPT
+-A OUTPUT -o eth1 -s PH_IP_MOON1 -d PH_IP_ALICE -p icmp --icmp-type 3 -j ACCEPT
+
+# allow IGMP multicasts
+-A INPUT  -d 224.0.0.1 -p igmp -j ACCEPT
+-A OUTPUT -s 224.0.0.1 -p igmp -j ACCEPT
+
+# allow ssh
+-A INPUT  -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/ha/both-active/posttest.dat b/testing/tests/ha/both-active/posttest.dat
index 49bf76055..e4ffe8eef 100644
--- a/testing/tests/ha/both-active/posttest.dat
+++ b/testing/tests/ha/both-active/posttest.dat
@@ -2,15 +2,15 @@ carol::ipsec stop
 dave::ipsec stop
 moon::ipsec stop
 alice::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-alice::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+alice::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
 moon::ip addr del 192.168.0.5/24 dev eth0
 moon::ip addr del 10.1.0.5/16 dev eth1
 alice::ip addr del 192.168.0.5/24 dev eth1
 alice::ip addr del 10.1.0.5/16 dev eth0
-alice::/etc/init.d/net.eth1 stop
+alice::ifdown eth1
 venus::ip route del default via 10.1.0.5 dev eth0
 venus::ip route add default via 10.1.0.1 dev eth0
 moon::conntrack -F
diff --git a/testing/tests/ha/both-active/pretest.dat b/testing/tests/ha/both-active/pretest.dat
index e2e509855..af4d66cfc 100644
--- a/testing/tests/ha/both-active/pretest.dat
+++ b/testing/tests/ha/both-active/pretest.dat
@@ -1,14 +1,14 @@
 moon::ip addr add 192.168.0.5/24 dev eth0
 moon::ip addr add 10.1.0.5/16 dev eth1
-alice::/etc/init.d/net.eth1 start
+alice::ifup eth1
 alice::ip addr add 192.168.0.5/24 dev eth1
 alice::ip addr add 10.1.0.5/16 dev eth0
 venus::ip route del default via 10.1.0.1 dev eth0
 venus::ip route add default via 10.1.0.5 dev eth0
-moon::/etc/init.d/iptables start 2> /dev/null
-alice::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+alice::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 alice::ipsec start
 carol::ipsec start
diff --git a/testing/tests/ha/both-active/test.conf b/testing/tests/ha/both-active/test.conf
index 0473013e1..8056d9ce4 100644
--- a/testing/tests/ha/both-active/test.conf
+++ b/testing/tests/ha/both-active/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice venus moon carol winnetou dave"
+VIRTHOSTS="alice venus moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-v-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="venus carol dave"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="alice moon carol dave"
diff --git a/testing/tests/ike/rw-cert/evaltest.dat b/testing/tests/ike/rw-cert/evaltest.dat
index c8fcb2370..e431ce533 100644
--- a/testing/tests/ike/rw-cert/evaltest.dat
+++ b/testing/tests/ike/rw-cert/evaltest.dat
@@ -10,8 +10,8 @@ carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
 dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
 moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
 moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
 moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ike/rw-cert/pretest.dat b/testing/tests/ike/rw-cert/pretest.dat
index 587b6aeed..e50793830 100644
--- a/testing/tests/ike/rw-cert/pretest.dat
+++ b/testing/tests/ike/rw-cert/pretest.dat
@@ -1,4 +1,3 @@
-moon::echo 1 > /proc/sys/net/ipv4/ip_forward
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
diff --git a/testing/tests/ike/rw-cert/test.conf b/testing/tests/ike/rw-cert/test.conf
index 845a6dcd7..51bf2b7f2 100644
--- a/testing/tests/ike/rw-cert/test.conf
+++ b/testing/tests/ike/rw-cert/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w-d.png"
  
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ike/rw_v1-net_v2/evaltest.dat b/testing/tests/ike/rw_v1-net_v2/evaltest.dat
index f12b19e3d..847a2d92d 100644
--- a/testing/tests/ike/rw_v1-net_v2/evaltest.dat
+++ b/testing/tests/ike/rw_v1-net_v2/evaltest.dat
@@ -2,13 +2,13 @@ moon:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun
 sun::  ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
 moon:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
 sun::  ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
-alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
 sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
 sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
 carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
 moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
 carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
 moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES 
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/ike/rw_v1-net_v2/pretest.dat b/testing/tests/ike/rw_v1-net_v2/pretest.dat
index 03b8dc218..f61a4cb51 100644
--- a/testing/tests/ike/rw_v1-net_v2/pretest.dat
+++ b/testing/tests/ike/rw_v1-net_v2/pretest.dat
@@ -1,5 +1,3 @@
-moon::echo 1 > /proc/sys/net/ipv4/ip_forward
-sun::echo 1 > /proc/sys/net/ipv4/ip_forward
 moon::ipsec start
 sun::ipsec start
 carol::ipsec start
diff --git a/testing/tests/ike/rw_v1-net_v2/test.conf b/testing/tests/ike/rw_v1-net_v2/test.conf
index 983881e5d..864f944d7 100644
--- a/testing/tests/ike/rw_v1-net_v2/test.conf
+++ b/testing/tests/ike/rw_v1-net_v2/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon winnetou sun bob"
+VIRTHOSTS="alice moon winnetou sun bob"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-w-s-b.png"
  
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon sun"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="carol moon sun"
diff --git a/testing/tests/ikev1/alg-3des-md5/evaltest.dat b/testing/tests/ikev1/alg-3des-md5/evaltest.dat
index a553ff168..abd29e97e 100644
--- a/testing/tests/ikev1/alg-3des-md5/evaltest.dat
+++ b/testing/tests/ikev1/alg-3des-md5/evaltest.dat
@@ -4,12 +4,12 @@ moon:: ipsec status 2> /dev/null::rw.*INSTALLED::YES
 carol::ipsec status 2> /dev/null::home.*INSTALLED::YES
 moon:: ipsec statusall 2> /dev/null::rw.*IKE proposal.*3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024::YES
 carol::ipsec statusall 2> /dev/null::home.*IKE proposal.*3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024::YES
-carol::ping -c 1 -s 120 -p deadbeef 10.1.0.10::128 bytes from 10.1.0.10: icmp_seq=1::YES
+carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_req=1::YES
 moon:: ipsec statusall 2> /dev/null::rw.*3DES_CBC/HMAC_MD5_96,::YES
 carol::ipsec statusall 2> /dev/null::home.*3DES_CBC/HMAC_MD5_96,::YES
 moon:: ip xfrm state::enc cbc(des3_ede)::YES
 carol::ip xfrm state::enc cbc(des3_ede)::YES
-moon:: ip xfrm state::auth hmac(md5)::YES
-carol::ip xfrm state::auth hmac(md5)::YES
+moon:: ip xfrm state::auth-trunc hmac(md5)::YES
+carol::ip xfrm state::auth-trunc hmac(md5)::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 180::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 180::YES
diff --git a/testing/tests/ikev1/alg-3des-md5/posttest.dat b/testing/tests/ikev1/alg-3des-md5/posttest.dat
index 94a400606..046d4cfdc 100644
--- a/testing/tests/ikev1/alg-3des-md5/posttest.dat
+++ b/testing/tests/ikev1/alg-3des-md5/posttest.dat
@@ -1,4 +1,4 @@
 moon::ipsec stop
 carol::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev1/alg-3des-md5/pretest.dat b/testing/tests/ikev1/alg-3des-md5/pretest.dat
index f360351e1..4fc25772b 100644
--- a/testing/tests/ikev1/alg-3des-md5/pretest.dat
+++ b/testing/tests/ikev1/alg-3des-md5/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 carol::sleep 1 
diff --git a/testing/tests/ikev1/alg-3des-md5/test.conf b/testing/tests/ikev1/alg-3des-md5/test.conf
index 9cd583b16..4a5fc470f 100644
--- a/testing/tests/ikev1/alg-3des-md5/test.conf
+++ b/testing/tests/ikev1/alg-3des-md5/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou"
+VIRTHOSTS="alice moon carol winnetou"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev1/alg-blowfish/evaltest.dat b/testing/tests/ikev1/alg-blowfish/evaltest.dat
index 3787bdb68..cd83c56b4 100644
--- a/testing/tests/ikev1/alg-blowfish/evaltest.dat
+++ b/testing/tests/ikev1/alg-blowfish/evaltest.dat
@@ -4,8 +4,8 @@ moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*caro
 moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
 carol::ipsec statusall 2> /dev/null::IKE proposal: BLOWFISH_CBC_256/HMAC_SHA2_512_256::YES
 dave:: ipsec statusall 2> /dev/null::IKE proposal: BLOWFISH_CBC_128/HMAC_SHA2_256_128::YES
-carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave:: ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave:: ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_req=1::YES
 carol::ipsec statusall 2> /dev/null::BLOWFISH_CBC_192/HMAC_SHA2_384_192,::YES
 dave:: ipsec statusall 2> /dev/null::BLOWFISH_CBC_128/HMAC_SHA2_256_128,::YES
 carol::ip -s xfrm state::enc cbc(blowfish).*(192 bits)::YES
diff --git a/testing/tests/ikev1/alg-blowfish/posttest.dat b/testing/tests/ikev1/alg-blowfish/posttest.dat
index 7cebd7f25..1865a1c60 100644
--- a/testing/tests/ikev1/alg-blowfish/posttest.dat
+++ b/testing/tests/ikev1/alg-blowfish/posttest.dat
@@ -1,6 +1,6 @@
 moon::ipsec stop
 carol::ipsec stop
 dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev1/alg-blowfish/pretest.dat b/testing/tests/ikev1/alg-blowfish/pretest.dat
index 42e9d7c24..8bbea1412 100644
--- a/testing/tests/ikev1/alg-blowfish/pretest.dat
+++ b/testing/tests/ikev1/alg-blowfish/pretest.dat
@@ -1,6 +1,6 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
diff --git a/testing/tests/ikev1/alg-blowfish/test.conf b/testing/tests/ikev1/alg-blowfish/test.conf
index 70416826e..f29298850 100644
--- a/testing/tests/ikev1/alg-blowfish/test.conf
+++ b/testing/tests/ikev1/alg-blowfish/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev1/alg-modp-subgroup/evaltest.dat b/testing/tests/ikev1/alg-modp-subgroup/evaltest.dat
index c07c176b5..8230ee30c 100644
--- a/testing/tests/ikev1/alg-modp-subgroup/evaltest.dat
+++ b/testing/tests/ikev1/alg-modp-subgroup/evaltest.dat
@@ -8,8 +8,8 @@ moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
 moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
 carol::ipsec statusall 2> /dev/null::home.*AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024_160::YES
 dave:: ipsec statusall 2> /dev/null::home.*AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048_256::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
 moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev1/alg-modp-subgroup/posttest.dat b/testing/tests/ikev1/alg-modp-subgroup/posttest.dat
index 7cebd7f25..1865a1c60 100644
--- a/testing/tests/ikev1/alg-modp-subgroup/posttest.dat
+++ b/testing/tests/ikev1/alg-modp-subgroup/posttest.dat
@@ -1,6 +1,6 @@
 moon::ipsec stop
 carol::ipsec stop
 dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev1/alg-modp-subgroup/pretest.dat b/testing/tests/ikev1/alg-modp-subgroup/pretest.dat
index 42e9d7c24..8bbea1412 100644
--- a/testing/tests/ikev1/alg-modp-subgroup/pretest.dat
+++ b/testing/tests/ikev1/alg-modp-subgroup/pretest.dat
@@ -1,6 +1,6 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
diff --git a/testing/tests/ikev1/alg-modp-subgroup/test.conf b/testing/tests/ikev1/alg-modp-subgroup/test.conf
index 70416826e..f29298850 100644
--- a/testing/tests/ikev1/alg-modp-subgroup/test.conf
+++ b/testing/tests/ikev1/alg-modp-subgroup/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev1/alg-sha256/evaltest.dat b/testing/tests/ikev1/alg-sha256/evaltest.dat
index 7b5640af8..eba856742 100644
--- a/testing/tests/ikev1/alg-sha256/evaltest.dat
+++ b/testing/tests/ikev1/alg-sha256/evaltest.dat
@@ -4,10 +4,10 @@ moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
 carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
 moon:: ipsec statusall 2> /dev/null::rw.*IKE proposal.*AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048::YES
 carol::ipsec statusall 2> /dev/null::home.*IKE proposal.*AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048::YES
-carol::ping -c 1 -s 120 -p deadbeef 10.1.0.10::128 bytes from 10.1.0.10: icmp_seq=1::YES
+carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_req=1::YES
 moon:: ipsec statusall 2> /dev/null::rw.*AES_CBC_128/HMAC_SHA2_256_128,::YES
 carol::ipsec statusall 2> /dev/null::home.*AES_CBC_128/HMAC_SHA2_256_128,::YES
-moon:: ip xfrm state::auth hmac(sha256)::YES
-carol::ip xfrm state::auth hmac(sha256)::YES
+moon:: ip xfrm state::auth-trunc hmac(sha256)::YES
+carol::ip xfrm state::auth-trunc hmac(sha256)::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 200::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 200::YES
diff --git a/testing/tests/ikev1/alg-sha256/posttest.dat b/testing/tests/ikev1/alg-sha256/posttest.dat
index 94a400606..046d4cfdc 100644
--- a/testing/tests/ikev1/alg-sha256/posttest.dat
+++ b/testing/tests/ikev1/alg-sha256/posttest.dat
@@ -1,4 +1,4 @@
 moon::ipsec stop
 carol::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev1/alg-sha256/pretest.dat b/testing/tests/ikev1/alg-sha256/pretest.dat
index f360351e1..4fc25772b 100644
--- a/testing/tests/ikev1/alg-sha256/pretest.dat
+++ b/testing/tests/ikev1/alg-sha256/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 carol::sleep 1 
diff --git a/testing/tests/ikev1/alg-sha256/test.conf b/testing/tests/ikev1/alg-sha256/test.conf
index 9cd583b16..4a5fc470f 100644
--- a/testing/tests/ikev1/alg-sha256/test.conf
+++ b/testing/tests/ikev1/alg-sha256/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou"
+VIRTHOSTS="alice moon carol winnetou"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev1/alg-sha384/evaltest.dat b/testing/tests/ikev1/alg-sha384/evaltest.dat
index 21b3d5a4f..3b24217c5 100644
--- a/testing/tests/ikev1/alg-sha384/evaltest.dat
+++ b/testing/tests/ikev1/alg-sha384/evaltest.dat
@@ -4,10 +4,10 @@ moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
 carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
 moon:: ipsec statusall 2> /dev/null::rw.*IKE proposal.*AES_CBC_192/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_3072::YES
 carol::ipsec statusall 2> /dev/null::home.*IKE proposal.*AES_CBC_192/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_3072::YES
-carol::ping -c 1 -s 120 -p deadbeef 10.1.0.10::128 bytes from 10.1.0.10: icmp_seq=1::YES
+carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_req=1::YES
 moon:: ipsec statusall 2> /dev/null::rw.*AES_CBC_192/HMAC_SHA2_384_192,::YES
 carol::ipsec statusall 2> /dev/null::home.*AES_CBC_192/HMAC_SHA2_384_192,::YES
-moon:: ip xfrm state::auth hmac(sha384)::YES
-carol::ip xfrm state::auth hmac(sha384)::YES
+moon:: ip xfrm state::auth-trunc hmac(sha384)::YES
+carol::ip xfrm state::auth-trunc hmac(sha384)::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 208::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 208::YES
diff --git a/testing/tests/ikev1/alg-sha384/posttest.dat b/testing/tests/ikev1/alg-sha384/posttest.dat
index 94a400606..046d4cfdc 100644
--- a/testing/tests/ikev1/alg-sha384/posttest.dat
+++ b/testing/tests/ikev1/alg-sha384/posttest.dat
@@ -1,4 +1,4 @@
 moon::ipsec stop
 carol::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev1/alg-sha384/pretest.dat b/testing/tests/ikev1/alg-sha384/pretest.dat
index f360351e1..4fc25772b 100644
--- a/testing/tests/ikev1/alg-sha384/pretest.dat
+++ b/testing/tests/ikev1/alg-sha384/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 carol::sleep 1 
diff --git a/testing/tests/ikev1/alg-sha384/test.conf b/testing/tests/ikev1/alg-sha384/test.conf
index 9cd583b16..4a5fc470f 100644
--- a/testing/tests/ikev1/alg-sha384/test.conf
+++ b/testing/tests/ikev1/alg-sha384/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou"
+VIRTHOSTS="alice moon carol winnetou"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev1/alg-sha512/evaltest.dat b/testing/tests/ikev1/alg-sha512/evaltest.dat
index 7b94d2182..6bdceeb44 100644
--- a/testing/tests/ikev1/alg-sha512/evaltest.dat
+++ b/testing/tests/ikev1/alg-sha512/evaltest.dat
@@ -4,10 +4,10 @@ moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
 carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
 moon:: ipsec statusall 2> /dev/null::rw.*IKE proposal.*AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_4096::YES
 carol::ipsec statusall 2> /dev/null::home.*IKE proposal.*AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_4096::YES
-carol::ping -c 1 -s 120 -p deadbeef 10.1.0.10::128 bytes from 10.1.0.10: icmp_seq=1::YES
+carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_req=1::YES
 moon:: ipsec statusall 2> /dev/null::rw.*AES_CBC_256/HMAC_SHA2_512_256,::YES
 carol::ipsec statusall 2> /dev/null::home.*AES_CBC_256/HMAC_SHA2_512_256,::YES
-moon:: ip xfrm state::auth hmac(sha512)::YES
-carol::ip xfrm state::auth hmac(sha512)::YES
+moon:: ip xfrm state::auth-trunc hmac(sha512)::YES
+carol::ip xfrm state::auth-trunc hmac(sha512)::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 216::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 216::YES
diff --git a/testing/tests/ikev1/alg-sha512/posttest.dat b/testing/tests/ikev1/alg-sha512/posttest.dat
index 94a400606..046d4cfdc 100644
--- a/testing/tests/ikev1/alg-sha512/posttest.dat
+++ b/testing/tests/ikev1/alg-sha512/posttest.dat
@@ -1,4 +1,4 @@
 moon::ipsec stop
 carol::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev1/alg-sha512/pretest.dat b/testing/tests/ikev1/alg-sha512/pretest.dat
index f360351e1..4fc25772b 100644
--- a/testing/tests/ikev1/alg-sha512/pretest.dat
+++ b/testing/tests/ikev1/alg-sha512/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 carol::sleep 1 
diff --git a/testing/tests/ikev1/alg-sha512/test.conf b/testing/tests/ikev1/alg-sha512/test.conf
index 9cd583b16..4a5fc470f 100644
--- a/testing/tests/ikev1/alg-sha512/test.conf
+++ b/testing/tests/ikev1/alg-sha512/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou"
+VIRTHOSTS="alice moon carol winnetou"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev1/compress/pretest.dat b/testing/tests/ikev1/compress/pretest.dat
index 7d077c126..f5aa989fe 100644
--- a/testing/tests/ikev1/compress/pretest.dat
+++ b/testing/tests/ikev1/compress/pretest.dat
@@ -1,4 +1,3 @@
-moon::echo 1 > /proc/sys/net/ipv4/ip_forward
 carol::ipsec start
 moon::ipsec start
 carol::sleep 2
diff --git a/testing/tests/ikev1/compress/test.conf b/testing/tests/ikev1/compress/test.conf
index 6abbb89a9..d7b71426c 100644
--- a/testing/tests/ikev1/compress/test.conf
+++ b/testing/tests/ikev1/compress/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou"
+VIRTHOSTS="alice moon carol winnetou"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev1/config-payload/evaltest.dat b/testing/tests/ikev1/config-payload/evaltest.dat
index a429e9b32..b46dfddf6 100644
--- a/testing/tests/ikev1/config-payload/evaltest.dat
+++ b/testing/tests/ikev1/config-payload/evaltest.dat
@@ -5,13 +5,13 @@ carol::ip addr list dev eth0::PH_IP_CAROL1::YES
 carol::ip route list table 220::10.1.0.0/16.*src PH_IP_CAROL1::YES
 carol::cat /etc/resolv.conf::nameserver PH_IP_WINNETOU .*from moon.strongswan.org::YES
 carol::cat /etc/resolv.conf::nameserver PH_IP_VENUS .*from moon.strongswan.org::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
 dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
 dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
 dave:: cat /var/log/daemon.log::installing new virtual IP PH_IP_DAVE1::YES
 dave:: ip addr list dev eth0::PH_IP_DAVE1::YES
 dave:: ip route list table 220::10.1.0.0/16.*src PH_IP_DAVE1::YES
-dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
 moon:: ipsec status 2> /dev/null::rw-carol.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
 moon:: ipsec status 2> /dev/null::rw-dave.*ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
 moon:: ipsec status 2> /dev/null::rw-carol.*INSTALLED, TUNNEL::YES
diff --git a/testing/tests/ikev1/config-payload/posttest.dat b/testing/tests/ikev1/config-payload/posttest.dat
index 7cebd7f25..1865a1c60 100644
--- a/testing/tests/ikev1/config-payload/posttest.dat
+++ b/testing/tests/ikev1/config-payload/posttest.dat
@@ -1,6 +1,6 @@
 moon::ipsec stop
 carol::ipsec stop
 dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev1/config-payload/pretest.dat b/testing/tests/ikev1/config-payload/pretest.dat
index 014e80517..3864bdac3 100644
--- a/testing/tests/ikev1/config-payload/pretest.dat
+++ b/testing/tests/ikev1/config-payload/pretest.dat
@@ -1,6 +1,6 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
 carol::ipsec start
 dave::ipsec start
 moon::ipsec start
diff --git a/testing/tests/ikev1/config-payload/test.conf b/testing/tests/ikev1/config-payload/test.conf
index 1a8f2a4e0..164b07ff9 100644
--- a/testing/tests/ikev1/config-payload/test.conf
+++ b/testing/tests/ikev1/config-payload/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon alice"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev1/double-nat-net/evaltest.dat b/testing/tests/ikev1/double-nat-net/evaltest.dat
index 05dc82d70..52c561964 100644
--- a/testing/tests/ikev1/double-nat-net/evaltest.dat
+++ b/testing/tests/ikev1/double-nat-net/evaltest.dat
@@ -2,6 +2,6 @@ alice::ipsec status 2> /dev/null::nat-t.*ESTABLISHED.*alice@strongswan.org.*bob@
 bob::  ipsec status 2> /dev/null::nat-t.*ESTABLISHED.*bob@strongswan.org.*alice@strongswan.org::YES
 alice::ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL, ESP in UDP::YES
 bob::  ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL, ESP in UDP::YES
-alice::ping -c 1 PH_IP_SUN1::64 bytes from PH_IP_SUN1: icmp_seq=1::YES
-moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.ipsec-nat-t: UDP::YES
-moon::tcpdump::IP sun.strongswan.org.ipsec-nat-t > moon.strongswan.org.*: UDP::YES
+alice::ping -c 1 PH_IP_SUN1::64 bytes from PH_IP_SUN1: icmp_req=1::YES
+moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.4500: UDP::YES
+moon::tcpdump::IP sun.strongswan.org.4500 > moon.strongswan.org.*: UDP::YES
diff --git a/testing/tests/ikev1/double-nat-net/hosts/bob/etc/iptables.rules b/testing/tests/ikev1/double-nat-net/hosts/bob/etc/iptables.rules
new file mode 100644
index 000000000..ae8f9a61e
--- /dev/null
+++ b/testing/tests/ikev1/double-nat-net/hosts/bob/etc/iptables.rules
@@ -0,0 +1,24 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow IKE
+-A INPUT  -i eth0 -p udp --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT  -i eth0 -p udp --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT  -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/ikev1/double-nat-net/posttest.dat b/testing/tests/ikev1/double-nat-net/posttest.dat
index 484297418..63d4f98e7 100644
--- a/testing/tests/ikev1/double-nat-net/posttest.dat
+++ b/testing/tests/ikev1/double-nat-net/posttest.dat
@@ -1,7 +1,7 @@
 bob::ipsec stop
 alice::ipsec stop
-alice::/etc/init.d/iptables stop 2> /dev/null
-bob::/etc/init.d/iptables stop 2> /dev/null
+alice::iptables-restore < /etc/iptables.flush
+bob::iptables-restore < /etc/iptables.flush
 moon::iptables -t nat -F
 sun::iptables -t nat -F
 moon::conntrack -F
diff --git a/testing/tests/ikev1/double-nat-net/pretest.dat b/testing/tests/ikev1/double-nat-net/pretest.dat
index 41b69aed6..17a4fe5eb 100644
--- a/testing/tests/ikev1/double-nat-net/pretest.dat
+++ b/testing/tests/ikev1/double-nat-net/pretest.dat
@@ -1,8 +1,5 @@
-alice::/etc/init.d/iptables start 2> /dev/null
-bob::/etc/init.d/iptables start 2> /dev/null
-bob::echo 1 > /proc/sys/net/ipv4/ip_forward
-moon::echo 1 > /proc/sys/net/ipv4/ip_forward
-sun::echo 1 > /proc/sys/net/ipv4/ip_forward
+alice::iptables-restore < /etc/iptables.rules
+bob::iptables-restore < /etc/iptables.rules
 moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p udp -j SNAT --to-source PH_IP_MOON:1024-1100
 moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p tcp -j SNAT --to-source PH_IP_MOON:2000-2100
 sun::iptables -t nat -A POSTROUTING -o eth0 -s 10.2.0.0/16 -p tcp -j SNAT --to-source PH_IP_SUN:2000-2100
diff --git a/testing/tests/ikev1/double-nat-net/test.conf b/testing/tests/ikev1/double-nat-net/test.conf
index 1ca2ffe5a..d2e31d257 100644
--- a/testing/tests/ikev1/double-nat-net/test.conf
+++ b/testing/tests/ikev1/double-nat-net/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon winnetou sun bob"
+VIRTHOSTS="alice moon winnetou sun bob"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-w-s-b.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="alice bob"
diff --git a/testing/tests/ikev1/double-nat/evaltest.dat b/testing/tests/ikev1/double-nat/evaltest.dat
index b080482f9..9ddad2de5 100644
--- a/testing/tests/ikev1/double-nat/evaltest.dat
+++ b/testing/tests/ikev1/double-nat/evaltest.dat
@@ -2,6 +2,6 @@ alice::ipsec status 2> /dev/null::nat-t.*ESTABLISHED.*alice@strongswan.org.*bob@
 bob::  ipsec status 2> /dev/null::nat-t.*ESTABLISHED.*bob@strongswan.org.*alice@strongswan.org::YES
 alice::ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL, ESP in UDP::YES
 bob::  ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL, ESP in UDP::YES
-alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
-moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.ipsec-nat-t: UDP::YES
-moon::tcpdump::IP sun.strongswan.org.ipsec-nat-t > moon.strongswan.org.*: UDP::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
+moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.4500: UDP::YES
+moon::tcpdump::IP sun.strongswan.org.4500 > moon.strongswan.org.*: UDP::YES
diff --git a/testing/tests/ikev1/double-nat/hosts/bob/etc/iptables.rules b/testing/tests/ikev1/double-nat/hosts/bob/etc/iptables.rules
new file mode 100644
index 000000000..ae8f9a61e
--- /dev/null
+++ b/testing/tests/ikev1/double-nat/hosts/bob/etc/iptables.rules
@@ -0,0 +1,24 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow IKE
+-A INPUT  -i eth0 -p udp --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT  -i eth0 -p udp --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT  -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/ikev1/double-nat/posttest.dat b/testing/tests/ikev1/double-nat/posttest.dat
index 5d39e406d..aa806bfc9 100644
--- a/testing/tests/ikev1/double-nat/posttest.dat
+++ b/testing/tests/ikev1/double-nat/posttest.dat
@@ -1,7 +1,7 @@
 bob::ipsec stop
 alice::ipsec stop
-alice::/etc/init.d/iptables stop 2> /dev/null
-bob::/etc/init.d/iptables stop 2> /dev/null
+alice::iptables-restore < /etc/iptables.flush
+bob::iptables-restore < /etc/iptables.flush
 moon::iptables -t nat -F
 sun::iptables -t nat -F
 moon::conntrack -F
diff --git a/testing/tests/ikev1/double-nat/pretest.dat b/testing/tests/ikev1/double-nat/pretest.dat
index 10ba6d735..65f18b756 100644
--- a/testing/tests/ikev1/double-nat/pretest.dat
+++ b/testing/tests/ikev1/double-nat/pretest.dat
@@ -1,7 +1,5 @@
-alice::/etc/init.d/iptables start 2> /dev/null
-bob::/etc/init.d/iptables start 2> /dev/null
-moon::echo 1 > /proc/sys/net/ipv4/ip_forward
-sun::echo 1 > /proc/sys/net/ipv4/ip_forward
+alice::iptables-restore < /etc/iptables.rules
+bob::iptables-restore < /etc/iptables.rules
 moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p udp -j SNAT --to-source PH_IP_MOON:1024-1100
 moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p tcp -j SNAT --to-source PH_IP_MOON:2000-2100
 sun::iptables -t nat -A POSTROUTING -o eth0 -s 10.2.0.0/16 -p tcp -j SNAT --to-source PH_IP_SUN:2000-2100
diff --git a/testing/tests/ikev1/double-nat/test.conf b/testing/tests/ikev1/double-nat/test.conf
index 1ca2ffe5a..d2e31d257 100644
--- a/testing/tests/ikev1/double-nat/test.conf
+++ b/testing/tests/ikev1/double-nat/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon winnetou sun bob"
+VIRTHOSTS="alice moon winnetou sun bob"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-w-s-b.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="alice bob"
diff --git a/testing/tests/ikev1/dpd-clear/test.conf b/testing/tests/ikev1/dpd-clear/test.conf
index 2b240d895..892f51cd9 100644
--- a/testing/tests/ikev1/dpd-clear/test.conf
+++ b/testing/tests/ikev1/dpd-clear/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="moon carol winnetou"
+VIRTHOSTS="moon carol winnetou"
 
 # Corresponding block diagram
 #
 DIAGRAM="m-c-w.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS=""
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev1/dpd-restart/test.conf b/testing/tests/ikev1/dpd-restart/test.conf
index 2b240d895..892f51cd9 100644
--- a/testing/tests/ikev1/dpd-restart/test.conf
+++ b/testing/tests/ikev1/dpd-restart/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="moon carol winnetou"
+VIRTHOSTS="moon carol winnetou"
 
 # Corresponding block diagram
 #
 DIAGRAM="m-c-w.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS=""
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev1/dynamic-initiator/evaltest.dat b/testing/tests/ikev1/dynamic-initiator/evaltest.dat
index f22f1247f..61546f417 100644
--- a/testing/tests/ikev1/dynamic-initiator/evaltest.dat
+++ b/testing/tests/ikev1/dynamic-initiator/evaltest.dat
@@ -5,6 +5,6 @@ dave:: ipsec status 2> /dev/null::moon.*INSTALLED, TUNNEL::YES
 moon:: cat /var/log/auth.log::IKE_SA carol\[1] established.*PH_IP_CAROL::YES
 moon:: cat /var/log/daemon.log::deleting duplicate IKE_SA for.*carol@strongswan.org.*due to uniqueness policy::YES
 moon:: cat /var/log/auth.log::IKE_SA carol\[2] established.*PH_IP_DAVE::YES
-dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
 alice::tcpdump::IP carol1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
 alice::tcpdump::IP alice.strongswan.org > carol1.strongswan.org: ICMP echo reply::YES
diff --git a/testing/tests/ikev1/dynamic-initiator/posttest.dat b/testing/tests/ikev1/dynamic-initiator/posttest.dat
index 4dbf3d4a4..32ac12ddc 100644
--- a/testing/tests/ikev1/dynamic-initiator/posttest.dat
+++ b/testing/tests/ikev1/dynamic-initiator/posttest.dat
@@ -2,8 +2,6 @@ dave::ipsec stop
 carol::ipsec stop
 dave::sleep 1
 moon::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+carol::iptables-restore < /etc/iptables.flush
 dave::rm /etc/ipsec.d/certs/*
 dave::rm /etc/ipsec.d/private/*
diff --git a/testing/tests/ikev1/dynamic-initiator/pretest.dat b/testing/tests/ikev1/dynamic-initiator/pretest.dat
index 92681011f..9aadb2a4c 100644
--- a/testing/tests/ikev1/dynamic-initiator/pretest.dat
+++ b/testing/tests/ikev1/dynamic-initiator/pretest.dat
@@ -1,6 +1,4 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+carol::iptables-restore < /etc/iptables.rules
 carol::ipsec start
 dave::ipsec start
 moon::ipsec start
@@ -10,4 +8,4 @@ carol::sleep 1
 carol::iptables -D INPUT  -i eth0 -p udp --dport 500 --sport 500 -j ACCEPT
 carol::iptables -D OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
 dave::ipsec up moon
-dave::sleep 2 
+dave::sleep 2
diff --git a/testing/tests/ikev1/dynamic-initiator/test.conf b/testing/tests/ikev1/dynamic-initiator/test.conf
index 1a8f2a4e0..164b07ff9 100644
--- a/testing/tests/ikev1/dynamic-initiator/test.conf
+++ b/testing/tests/ikev1/dynamic-initiator/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon alice"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev1/dynamic-responder/evaltest.dat b/testing/tests/ikev1/dynamic-responder/evaltest.dat
index f22f1247f..61546f417 100644
--- a/testing/tests/ikev1/dynamic-responder/evaltest.dat
+++ b/testing/tests/ikev1/dynamic-responder/evaltest.dat
@@ -5,6 +5,6 @@ dave:: ipsec status 2> /dev/null::moon.*INSTALLED, TUNNEL::YES
 moon:: cat /var/log/auth.log::IKE_SA carol\[1] established.*PH_IP_CAROL::YES
 moon:: cat /var/log/daemon.log::deleting duplicate IKE_SA for.*carol@strongswan.org.*due to uniqueness policy::YES
 moon:: cat /var/log/auth.log::IKE_SA carol\[2] established.*PH_IP_DAVE::YES
-dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
 alice::tcpdump::IP carol1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
 alice::tcpdump::IP alice.strongswan.org > carol1.strongswan.org: ICMP echo reply::YES
diff --git a/testing/tests/ikev1/dynamic-responder/posttest.dat b/testing/tests/ikev1/dynamic-responder/posttest.dat
index 4dbf3d4a4..32ac12ddc 100644
--- a/testing/tests/ikev1/dynamic-responder/posttest.dat
+++ b/testing/tests/ikev1/dynamic-responder/posttest.dat
@@ -2,8 +2,6 @@ dave::ipsec stop
 carol::ipsec stop
 dave::sleep 1
 moon::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+carol::iptables-restore < /etc/iptables.flush
 dave::rm /etc/ipsec.d/certs/*
 dave::rm /etc/ipsec.d/private/*
diff --git a/testing/tests/ikev1/dynamic-responder/pretest.dat b/testing/tests/ikev1/dynamic-responder/pretest.dat
index c0f166ff4..8dc744f9a 100644
--- a/testing/tests/ikev1/dynamic-responder/pretest.dat
+++ b/testing/tests/ikev1/dynamic-responder/pretest.dat
@@ -1,6 +1,4 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+carol::iptables-restore < /etc/iptables.rules
 carol::ipsec start
 dave::ipsec start
 moon::ipsec start
@@ -10,4 +8,4 @@ moon::sleep 1
 carol::iptables -D INPUT  -i eth0 -p udp --dport 500 --sport 500 -j ACCEPT
 carol::iptables -D OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
 dave::ipsec up moon
-dave::sleep 2 
+dave::sleep 2
diff --git a/testing/tests/ikev1/dynamic-responder/test.conf b/testing/tests/ikev1/dynamic-responder/test.conf
index 1a8f2a4e0..164b07ff9 100644
--- a/testing/tests/ikev1/dynamic-responder/test.conf
+++ b/testing/tests/ikev1/dynamic-responder/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon alice"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev1/dynamic-two-peers/evaltest.dat b/testing/tests/ikev1/dynamic-two-peers/evaltest.dat
index 1d5ff68ec..82d2e7318 100644
--- a/testing/tests/ikev1/dynamic-two-peers/evaltest.dat
+++ b/testing/tests/ikev1/dynamic-two-peers/evaltest.dat
@@ -6,8 +6,8 @@ carol::ipsec status 2> /dev/null::moon.*INSTALLED, TUNNEL::YES
 dave:: ipsec status 2> /dev/null::moon.*INSTALLED, TUNNEL::YES
 moon:: ipsec status 2> /dev/null::carol.*INSTALLED, TUNNEL::YES
 moon:: ipsec status 2> /dev/null::dave.*INSTALLED, TUNNEL::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
 alice::tcpdump::IP carol1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
 alice::tcpdump::IP alice.strongswan.org > carol1.strongswan.org: ICMP echo reply::YES
 alice::tcpdump::IP dave1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
diff --git a/testing/tests/ikev1/dynamic-two-peers/posttest.dat b/testing/tests/ikev1/dynamic-two-peers/posttest.dat
index e120b87db..7b2609846 100644
--- a/testing/tests/ikev1/dynamic-two-peers/posttest.dat
+++ b/testing/tests/ikev1/dynamic-two-peers/posttest.dat
@@ -3,6 +3,6 @@ dave::ipsec stop
 moon::sleep 1
 moon::ipsec stop
 moon::mv /etc/hosts.ori /etc/hosts
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev1/dynamic-two-peers/pretest.dat b/testing/tests/ikev1/dynamic-two-peers/pretest.dat
index 6596a2527..4bb2a4686 100644
--- a/testing/tests/ikev1/dynamic-two-peers/pretest.dat
+++ b/testing/tests/ikev1/dynamic-two-peers/pretest.dat
@@ -1,8 +1,8 @@
 moon::mv /etc/hosts /etc/hosts.ori
 moon::mv /etc/hosts.stale /etc/hosts
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
 carol::ipsec start
 dave::ipsec start
 moon::ipsec start
diff --git a/testing/tests/ikev1/dynamic-two-peers/test.conf b/testing/tests/ikev1/dynamic-two-peers/test.conf
index 1a8f2a4e0..164b07ff9 100644
--- a/testing/tests/ikev1/dynamic-two-peers/test.conf
+++ b/testing/tests/ikev1/dynamic-two-peers/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon alice"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev1/esp-alg-aes-ccm/evaltest.dat b/testing/tests/ikev1/esp-alg-aes-ccm/evaltest.dat
index 6f7c13704..648920105 100644
--- a/testing/tests/ikev1/esp-alg-aes-ccm/evaltest.dat
+++ b/testing/tests/ikev1/esp-alg-aes-ccm/evaltest.dat
@@ -2,7 +2,7 @@ carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.
 moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
 carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
 moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
-carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_req=1::YES
 moon:: ipsec statusall 2> /dev/null::AES_CCM_12_128::YES
 carol::ipsec statusall 2> /dev/null::AES_CCM_12_128::YES
 carol::ip xfrm state::aead rfc4309(ccm(aes))::YES
diff --git a/testing/tests/ikev1/esp-alg-aes-ccm/posttest.dat b/testing/tests/ikev1/esp-alg-aes-ccm/posttest.dat
index 94a400606..046d4cfdc 100644
--- a/testing/tests/ikev1/esp-alg-aes-ccm/posttest.dat
+++ b/testing/tests/ikev1/esp-alg-aes-ccm/posttest.dat
@@ -1,4 +1,4 @@
 moon::ipsec stop
 carol::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev1/esp-alg-aes-ccm/pretest.dat b/testing/tests/ikev1/esp-alg-aes-ccm/pretest.dat
index f360351e1..4fc25772b 100644
--- a/testing/tests/ikev1/esp-alg-aes-ccm/pretest.dat
+++ b/testing/tests/ikev1/esp-alg-aes-ccm/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 carol::sleep 1 
diff --git a/testing/tests/ikev1/esp-alg-aes-ccm/test.conf b/testing/tests/ikev1/esp-alg-aes-ccm/test.conf
index 9cd583b16..4a5fc470f 100644
--- a/testing/tests/ikev1/esp-alg-aes-ccm/test.conf
+++ b/testing/tests/ikev1/esp-alg-aes-ccm/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou"
+VIRTHOSTS="alice moon carol winnetou"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev1/esp-alg-aes-ctr/evaltest.dat b/testing/tests/ikev1/esp-alg-aes-ctr/evaltest.dat
index 9a8b46897..c86f58081 100644
--- a/testing/tests/ikev1/esp-alg-aes-ctr/evaltest.dat
+++ b/testing/tests/ikev1/esp-alg-aes-ctr/evaltest.dat
@@ -2,7 +2,7 @@ carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.
 moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
 carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
 moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
-carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_req=1::YES
 moon:: ipsec statusall 2> /dev/null::AES_CTR_256/AES_XCBC_96::YES
 carol::ipsec statusall 2> /dev/null::AES_CTR_256/AES_XCBC_96::YES
 moon:: ip xfrm state::rfc3686(ctr(aes))::YES
diff --git a/testing/tests/ikev1/esp-alg-aes-ctr/posttest.dat b/testing/tests/ikev1/esp-alg-aes-ctr/posttest.dat
index 94a400606..046d4cfdc 100644
--- a/testing/tests/ikev1/esp-alg-aes-ctr/posttest.dat
+++ b/testing/tests/ikev1/esp-alg-aes-ctr/posttest.dat
@@ -1,4 +1,4 @@
 moon::ipsec stop
 carol::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev1/esp-alg-aes-ctr/pretest.dat b/testing/tests/ikev1/esp-alg-aes-ctr/pretest.dat
index f360351e1..4fc25772b 100644
--- a/testing/tests/ikev1/esp-alg-aes-ctr/pretest.dat
+++ b/testing/tests/ikev1/esp-alg-aes-ctr/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 carol::sleep 1 
diff --git a/testing/tests/ikev1/esp-alg-aes-ctr/test.conf b/testing/tests/ikev1/esp-alg-aes-ctr/test.conf
index 9cd583b16..4a5fc470f 100644
--- a/testing/tests/ikev1/esp-alg-aes-ctr/test.conf
+++ b/testing/tests/ikev1/esp-alg-aes-ctr/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou"
+VIRTHOSTS="alice moon carol winnetou"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev1/esp-alg-aes-gcm/evaltest.dat b/testing/tests/ikev1/esp-alg-aes-gcm/evaltest.dat
index 9d5fb7cc3..a7f52c72e 100644
--- a/testing/tests/ikev1/esp-alg-aes-gcm/evaltest.dat
+++ b/testing/tests/ikev1/esp-alg-aes-gcm/evaltest.dat
@@ -2,7 +2,7 @@ carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.
 moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
 carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
 moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
-carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_req=1::YES
 moon:: ipsec statusall 2> /dev/null::AES_GCM_16_256::YES
 carol::ipsec statusall 2> /dev/null::AES_GCM_16_256::YES
 carol::ip xfrm state::aead rfc4106(gcm(aes))::YES
diff --git a/testing/tests/ikev1/esp-alg-aes-gcm/posttest.dat b/testing/tests/ikev1/esp-alg-aes-gcm/posttest.dat
index 94a400606..046d4cfdc 100644
--- a/testing/tests/ikev1/esp-alg-aes-gcm/posttest.dat
+++ b/testing/tests/ikev1/esp-alg-aes-gcm/posttest.dat
@@ -1,4 +1,4 @@
 moon::ipsec stop
 carol::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev1/esp-alg-aes-gcm/pretest.dat b/testing/tests/ikev1/esp-alg-aes-gcm/pretest.dat
index f360351e1..4fc25772b 100644
--- a/testing/tests/ikev1/esp-alg-aes-gcm/pretest.dat
+++ b/testing/tests/ikev1/esp-alg-aes-gcm/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 carol::sleep 1 
diff --git a/testing/tests/ikev1/esp-alg-aes-gcm/test.conf b/testing/tests/ikev1/esp-alg-aes-gcm/test.conf
index 9cd583b16..4a5fc470f 100644
--- a/testing/tests/ikev1/esp-alg-aes-gcm/test.conf
+++ b/testing/tests/ikev1/esp-alg-aes-gcm/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou"
+VIRTHOSTS="alice moon carol winnetou"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev1/esp-alg-aes-gmac/evaltest.dat b/testing/tests/ikev1/esp-alg-aes-gmac/evaltest.dat
index 74150fb04..d5d3bc0d3 100644
--- a/testing/tests/ikev1/esp-alg-aes-gmac/evaltest.dat
+++ b/testing/tests/ikev1/esp-alg-aes-gmac/evaltest.dat
@@ -2,7 +2,7 @@ moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@st
 carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
 moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
 carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_req=1::YES
 moon:: ipsec statusall 2> /dev/null::NULL_AES_GMAC_256::YES
 carol::ipsec statusall 2> /dev/null::NULL_AES_GMAC_256::YES
 carol::ip xfrm state::aead rfc4543(gcm(aes))::YES
diff --git a/testing/tests/ikev1/esp-alg-aes-gmac/posttest.dat b/testing/tests/ikev1/esp-alg-aes-gmac/posttest.dat
index 94a400606..046d4cfdc 100644
--- a/testing/tests/ikev1/esp-alg-aes-gmac/posttest.dat
+++ b/testing/tests/ikev1/esp-alg-aes-gmac/posttest.dat
@@ -1,4 +1,4 @@
 moon::ipsec stop
 carol::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev1/esp-alg-aes-gmac/pretest.dat b/testing/tests/ikev1/esp-alg-aes-gmac/pretest.dat
index f360351e1..4fc25772b 100644
--- a/testing/tests/ikev1/esp-alg-aes-gmac/pretest.dat
+++ b/testing/tests/ikev1/esp-alg-aes-gmac/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 carol::sleep 1 
diff --git a/testing/tests/ikev1/esp-alg-aes-gmac/test.conf b/testing/tests/ikev1/esp-alg-aes-gmac/test.conf
index 9cd583b16..4a5fc470f 100644
--- a/testing/tests/ikev1/esp-alg-aes-gmac/test.conf
+++ b/testing/tests/ikev1/esp-alg-aes-gmac/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou"
+VIRTHOSTS="alice moon carol winnetou"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev1/esp-alg-aes-xcbc/evaltest.dat b/testing/tests/ikev1/esp-alg-aes-xcbc/evaltest.dat
index 6f5b89332..b466813fe 100644
--- a/testing/tests/ikev1/esp-alg-aes-xcbc/evaltest.dat
+++ b/testing/tests/ikev1/esp-alg-aes-xcbc/evaltest.dat
@@ -2,10 +2,10 @@ carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.
 moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
 carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
 moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
-carol::ping -c 1 -s 120 -p deadbeef 10.1.0.10::128 bytes from 10.1.0.10: icmp_seq=1::YES
+carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_req=1::YES
 carol::ipsec statusall 2> /dev/null::AES_CBC_256/AES_XCBC_96,::YES
 moon:: ipsec statusall 2> /dev/null::AES_CBC_256/AES_XCBC_96,::YES
-carol::ip xfrm state::auth xcbc(aes)::YES
-moon:: ip xfrm state::auth xcbc(aes)::YES
+carol::ip xfrm state::auth-trunc xcbc(aes)::YES
+moon:: ip xfrm state::auth-trunc xcbc(aes)::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 196::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 196::YES
diff --git a/testing/tests/ikev1/esp-alg-aes-xcbc/pretest.dat b/testing/tests/ikev1/esp-alg-aes-xcbc/pretest.dat
index 7d077c126..f5aa989fe 100644
--- a/testing/tests/ikev1/esp-alg-aes-xcbc/pretest.dat
+++ b/testing/tests/ikev1/esp-alg-aes-xcbc/pretest.dat
@@ -1,4 +1,3 @@
-moon::echo 1 > /proc/sys/net/ipv4/ip_forward
 carol::ipsec start
 moon::ipsec start
 carol::sleep 2
diff --git a/testing/tests/ikev1/esp-alg-aes-xcbc/test.conf b/testing/tests/ikev1/esp-alg-aes-xcbc/test.conf
index 6abbb89a9..d7b71426c 100644
--- a/testing/tests/ikev1/esp-alg-aes-xcbc/test.conf
+++ b/testing/tests/ikev1/esp-alg-aes-xcbc/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou"
+VIRTHOSTS="alice moon carol winnetou"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev1/esp-alg-null/evaltest.dat b/testing/tests/ikev1/esp-alg-null/evaltest.dat
index 937d85ed2..1b9c6c27e 100644
--- a/testing/tests/ikev1/esp-alg-null/evaltest.dat
+++ b/testing/tests/ikev1/esp-alg-null/evaltest.dat
@@ -2,7 +2,7 @@ moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@st
 carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
 moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
 carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_req=1::YES
 moon:: ipsec statusall 2> /dev/null::NULL/HMAC_SHA1_96::YES
 carol::ipsec statusall 2> /dev/null::NULL/HMAC_SHA1_96::YES
 moon:: ip xfrm state::enc ecb(cipher_null)::YES
diff --git a/testing/tests/ikev1/esp-alg-null/posttest.dat b/testing/tests/ikev1/esp-alg-null/posttest.dat
index 94a400606..046d4cfdc 100644
--- a/testing/tests/ikev1/esp-alg-null/posttest.dat
+++ b/testing/tests/ikev1/esp-alg-null/posttest.dat
@@ -1,4 +1,4 @@
 moon::ipsec stop
 carol::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev1/esp-alg-null/pretest.dat b/testing/tests/ikev1/esp-alg-null/pretest.dat
index 3c3df0196..886fdf55c 100644
--- a/testing/tests/ikev1/esp-alg-null/pretest.dat
+++ b/testing/tests/ikev1/esp-alg-null/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 carol::sleep 1 
diff --git a/testing/tests/ikev1/esp-alg-null/test.conf b/testing/tests/ikev1/esp-alg-null/test.conf
index 9cd583b16..4a5fc470f 100644
--- a/testing/tests/ikev1/esp-alg-null/test.conf
+++ b/testing/tests/ikev1/esp-alg-null/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou"
+VIRTHOSTS="alice moon carol winnetou"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev1/host2host-cert/evaltest.dat b/testing/tests/ikev1/host2host-cert/evaltest.dat
index 53e5589ca..3305f4558 100644
--- a/testing/tests/ikev1/host2host-cert/evaltest.dat
+++ b/testing/tests/ikev1/host2host-cert/evaltest.dat
@@ -2,6 +2,6 @@ moon::ipsec status 2> /dev/null::host-host.*ESTABLISHED.*moon.strongswan.org.*su
 sun:: ipsec status 2> /dev/null::host-host.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
 moon::ipsec status 2> /dev/null::host-host.*INSTALLED, TUNNEL::YES
 sun:: ipsec status 2> /dev/null::host-host.*INSTALLED, TUNNEL::YES
-moon::ping -c 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_seq=1::YES
+moon::ping -c 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_req=1::YES
 sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
 sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev1/host2host-cert/posttest.dat b/testing/tests/ikev1/host2host-cert/posttest.dat
index 5a9150bc8..1f7aa73a1 100644
--- a/testing/tests/ikev1/host2host-cert/posttest.dat
+++ b/testing/tests/ikev1/host2host-cert/posttest.dat
@@ -1,4 +1,4 @@
 moon::ipsec stop
 sun::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-sun::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev1/host2host-cert/pretest.dat b/testing/tests/ikev1/host2host-cert/pretest.dat
index 1fa70177c..3bce9f6e5 100644
--- a/testing/tests/ikev1/host2host-cert/pretest.dat
+++ b/testing/tests/ikev1/host2host-cert/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-sun::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 sun::ipsec start
 moon::sleep 1 
diff --git a/testing/tests/ikev1/host2host-cert/test.conf b/testing/tests/ikev1/host2host-cert/test.conf
index 305a67316..55d6e9fd6 100644
--- a/testing/tests/ikev1/host2host-cert/test.conf
+++ b/testing/tests/ikev1/host2host-cert/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="moon winnetou sun"
+VIRTHOSTS="moon winnetou sun"
 
 # Corresponding block diagram
 #
 DIAGRAM="m-w-s.png"
  
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="sun"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon sun"
diff --git a/testing/tests/ikev1/host2host-transport/evaltest.dat b/testing/tests/ikev1/host2host-transport/evaltest.dat
index 3021b5e04..fc49e57d8 100644
--- a/testing/tests/ikev1/host2host-transport/evaltest.dat
+++ b/testing/tests/ikev1/host2host-transport/evaltest.dat
@@ -2,6 +2,6 @@ moon::ipsec status 2> /dev/null::host-host.*ESTABLISHED.*moon.strongswan.org.*su
 sun:: ipsec status 2> /dev/null::host-host.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
 moon::ipsec status 2> /dev/null::host-host.*INSTALLED, TRANSPORT::YES
 sun:: ipsec status 2> /dev/null::host-host.*INSTALLED, TRANSPORT::YES
-moon::ping -c 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_seq=1::YES
+moon::ping -c 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_req=1::YES
 sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
 sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev1/host2host-transport/posttest.dat b/testing/tests/ikev1/host2host-transport/posttest.dat
index 5a9150bc8..1f7aa73a1 100644
--- a/testing/tests/ikev1/host2host-transport/posttest.dat
+++ b/testing/tests/ikev1/host2host-transport/posttest.dat
@@ -1,4 +1,4 @@
 moon::ipsec stop
 sun::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-sun::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev1/host2host-transport/pretest.dat b/testing/tests/ikev1/host2host-transport/pretest.dat
index e2d98f2eb..99789b90f 100644
--- a/testing/tests/ikev1/host2host-transport/pretest.dat
+++ b/testing/tests/ikev1/host2host-transport/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-sun::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 sun::ipsec start
 moon::sleep 2
diff --git a/testing/tests/ikev1/host2host-transport/test.conf b/testing/tests/ikev1/host2host-transport/test.conf
index cf2e704fd..5a286c84f 100644
--- a/testing/tests/ikev1/host2host-transport/test.conf
+++ b/testing/tests/ikev1/host2host-transport/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="moon winnetou sun"
+VIRTHOSTS="moon winnetou sun"
  
 # Corresponding block diagram
 #
 DIAGRAM="m-w-s.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="sun"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon sun"
diff --git a/testing/tests/ikev1/ip-pool-db/evaltest.dat b/testing/tests/ikev1/ip-pool-db/evaltest.dat
index 941cb34c0..42e353084 100644
--- a/testing/tests/ikev1/ip-pool-db/evaltest.dat
+++ b/testing/tests/ikev1/ip-pool-db/evaltest.dat
@@ -6,7 +6,7 @@ carol::ip addr list dev eth0::PH_IP_CAROL1::YES
 carol::ip route list table 220::10.1.0.0/16.*src PH_IP_CAROL1::YES
 carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
 carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
 dave:: cat /var/log/daemon.log::installing new virtual IP PH_IP_DAVE1::YES
 dave:: cat /var/log/daemon.log::installing DNS server PH_IP_WINNETOU::YES
 dave:: cat /var/log/daemon.log::installing DNS server PH_IP_VENUS::YES
@@ -15,7 +15,7 @@ dave:: ip addr list dev eth0::PH_IP_DAVE1::YES
 dave:: ip route list table 220::10.1.0.0/16.*src PH_IP_DAVE1::YES
 dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
 dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
 moon:: cat /var/log/daemon.log::peer requested virtual IP %any::YES
 moon:: cat /var/log/daemon.log::acquired new lease for address.*in pool.*bigpool::YES
 moon:: cat /var/log/daemon.log::assigning virtual IP::YES
diff --git a/testing/tests/ikev1/ip-pool-db/posttest.dat b/testing/tests/ikev1/ip-pool-db/posttest.dat
index 5b88b2163..c99f347e3 100644
--- a/testing/tests/ikev1/ip-pool-db/posttest.dat
+++ b/testing/tests/ikev1/ip-pool-db/posttest.dat
@@ -1,9 +1,9 @@
 carol::ipsec stop
 dave::ipsec stop
 moon::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
 moon::ipsec pool --del bigpool 2> /dev/null
 moon::ipsec pool --del dns 2> /dev/null
 moon::ipsec pool --del nbns 2> /dev/null
diff --git a/testing/tests/ikev1/ip-pool-db/pretest.dat b/testing/tests/ikev1/ip-pool-db/pretest.dat
index 4a2add194..fce551c69 100644
--- a/testing/tests/ikev1/ip-pool-db/pretest.dat
+++ b/testing/tests/ikev1/ip-pool-db/pretest.dat
@@ -4,9 +4,9 @@ moon::ipsec pool --add bigpool --start 10.3.0.1 --end 10.3.3.232 --timeout 0 2>
 moon::ipsec pool --addattr dns  --server PH_IP_WINNETOU 2> /dev/null
 moon::ipsec pool --addattr dns  --server PH_IP_VENUS 2> /dev/null
 moon::ipsec pool --addattr nbns --server PH_IP_VENUS 2> /dev/null
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
 carol::ipsec start
 dave::ipsec start
 moon::ipsec start
diff --git a/testing/tests/ikev1/ip-pool-db/test.conf b/testing/tests/ikev1/ip-pool-db/test.conf
index 1a8f2a4e0..164b07ff9 100644
--- a/testing/tests/ikev1/ip-pool-db/test.conf
+++ b/testing/tests/ikev1/ip-pool-db/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon alice"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev1/ip-pool/evaltest.dat b/testing/tests/ikev1/ip-pool/evaltest.dat
index db46646a6..1fdc3f087 100644
--- a/testing/tests/ikev1/ip-pool/evaltest.dat
+++ b/testing/tests/ikev1/ip-pool/evaltest.dat
@@ -3,13 +3,13 @@ carol::ip addr list dev eth0::PH_IP_CAROL1::YES
 carol::ip route list table 220::10.1.0.0/16.*src PH_IP_CAROL1::YES
 carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
 carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
 dave:: cat /var/log/daemon.log::installing new virtual IP PH_IP_DAVE1::YES
 dave:: ip addr list dev eth0::PH_IP_DAVE1::YES
 dave:: ip route list table 220::10.1.0.0/16.*src PH_IP_DAVE1::YES
 dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
 dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
 moon:: cat /var/log/daemon.log::adding virtual IP address pool::YES
 moon:: cat /var/log/daemon.log::peer requested virtual IP %any::YES
 moon:: cat /var/log/daemon.log::assigning virtual IP::YES
diff --git a/testing/tests/ikev1/ip-pool/posttest.dat b/testing/tests/ikev1/ip-pool/posttest.dat
index 1777f439f..b757d8b15 100644
--- a/testing/tests/ikev1/ip-pool/posttest.dat
+++ b/testing/tests/ikev1/ip-pool/posttest.dat
@@ -1,6 +1,6 @@
 carol::ipsec stop
 dave::ipsec stop
 moon::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev1/ip-pool/pretest.dat b/testing/tests/ikev1/ip-pool/pretest.dat
index 014e80517..3864bdac3 100644
--- a/testing/tests/ikev1/ip-pool/pretest.dat
+++ b/testing/tests/ikev1/ip-pool/pretest.dat
@@ -1,6 +1,6 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
 carol::ipsec start
 dave::ipsec start
 moon::ipsec start
diff --git a/testing/tests/ikev1/ip-pool/test.conf b/testing/tests/ikev1/ip-pool/test.conf
index 1a8f2a4e0..164b07ff9 100644
--- a/testing/tests/ikev1/ip-pool/test.conf
+++ b/testing/tests/ikev1/ip-pool/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon alice"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev1/multi-level-ca-cr-init/pretest.dat b/testing/tests/ikev1/multi-level-ca-cr-init/pretest.dat
index c8e7adcb7..2eebc0f84 100644
--- a/testing/tests/ikev1/multi-level-ca-cr-init/pretest.dat
+++ b/testing/tests/ikev1/multi-level-ca-cr-init/pretest.dat
@@ -1,4 +1,3 @@
-moon::echo 1 > /proc/sys/net/ipv4/ip_forward
 carol::ipsec start
 dave::ipsec start
 moon::ipsec start
diff --git a/testing/tests/ikev1/multi-level-ca-cr-init/test.conf b/testing/tests/ikev1/multi-level-ca-cr-init/test.conf
index 08e5cc145..9bb88d79f 100644
--- a/testing/tests/ikev1/multi-level-ca-cr-init/test.conf
+++ b/testing/tests/ikev1/multi-level-ca-cr-init/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice venus moon carol winnetou dave"
+VIRTHOSTS="alice venus moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-v-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS=""
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev1/multi-level-ca-cr-resp/pretest.dat b/testing/tests/ikev1/multi-level-ca-cr-resp/pretest.dat
index f15265e32..86dd31e83 100644
--- a/testing/tests/ikev1/multi-level-ca-cr-resp/pretest.dat
+++ b/testing/tests/ikev1/multi-level-ca-cr-resp/pretest.dat
@@ -1,4 +1,3 @@
-moon::echo 1 > /proc/sys/net/ipv4/ip_forward
 carol::ipsec start
 dave::ipsec start
 moon::ipsec start
diff --git a/testing/tests/ikev1/multi-level-ca-cr-resp/test.conf b/testing/tests/ikev1/multi-level-ca-cr-resp/test.conf
index 08e5cc145..9bb88d79f 100644
--- a/testing/tests/ikev1/multi-level-ca-cr-resp/test.conf
+++ b/testing/tests/ikev1/multi-level-ca-cr-resp/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice venus moon carol winnetou dave"
+VIRTHOSTS="alice venus moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-v-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS=""
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev1/multi-level-ca/pretest.dat b/testing/tests/ikev1/multi-level-ca/pretest.dat
index 67c50c2ef..755564cbc 100644
--- a/testing/tests/ikev1/multi-level-ca/pretest.dat
+++ b/testing/tests/ikev1/multi-level-ca/pretest.dat
@@ -1,4 +1,3 @@
-moon::echo 1 > /proc/sys/net/ipv4/ip_forward
 carol::ipsec start
 dave::ipsec start
 moon::ipsec start
diff --git a/testing/tests/ikev1/multi-level-ca/test.conf b/testing/tests/ikev1/multi-level-ca/test.conf
index 08e5cc145..9bb88d79f 100644
--- a/testing/tests/ikev1/multi-level-ca/test.conf
+++ b/testing/tests/ikev1/multi-level-ca/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice venus moon carol winnetou dave"
+VIRTHOSTS="alice venus moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-v-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS=""
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev1/nat-rw/evaltest.dat b/testing/tests/ikev1/nat-rw/evaltest.dat
index e0b458dba..387dbae23 100644
--- a/testing/tests/ikev1/nat-rw/evaltest.dat
+++ b/testing/tests/ikev1/nat-rw/evaltest.dat
@@ -6,13 +6,13 @@ alice::ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL, ESP in UDP::YES
 venus::ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL, ESP in UDP::YES
 sun::  ipsec status 2> /dev/null::nat-t[{]1}.*INSTALLED, TUNNEL, ESP in UDP::YES
 sun::  ipsec status 2> /dev/null::nat-t[{]2}.*INSTALLED, TUNNEL, ESP in UDP::YES
-alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
-venus::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
+venus::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
 moon:: sleep 6::no output expected::NO
-bob::  ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-bob::  ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_seq=1::YES
-moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.ipsec-nat-t: UDP-encap: ESP::YES
-moon::tcpdump::IP sun.strongswan.org.ipsec-nat-t > moon.strongswan.org.*: UDP-encap: ESP::YES
-moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.ipsec-nat-t: isakmp-nat-keep-alive::YES
+bob::  ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+bob::  ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES
+moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.4500: UDP-encap: ESP::YES
+moon::tcpdump::IP sun.strongswan.org.4500 > moon.strongswan.org.*: UDP-encap: ESP::YES
+moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.4500: isakmp-nat-keep-alive::YES
 alice::cat /var/log/daemon.log::sending keep alive::YES
 venus::cat /var/log/daemon.log::sending keep alive::YES
diff --git a/testing/tests/ikev1/nat-rw/hosts/sun/etc/iptables.rules b/testing/tests/ikev1/nat-rw/hosts/sun/etc/iptables.rules
new file mode 100644
index 000000000..ae8f9a61e
--- /dev/null
+++ b/testing/tests/ikev1/nat-rw/hosts/sun/etc/iptables.rules
@@ -0,0 +1,24 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow IKE
+-A INPUT  -i eth0 -p udp --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT  -i eth0 -p udp --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT  -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/ikev1/nat-rw/posttest.dat b/testing/tests/ikev1/nat-rw/posttest.dat
index 52572ece8..4643a3a7b 100644
--- a/testing/tests/ikev1/nat-rw/posttest.dat
+++ b/testing/tests/ikev1/nat-rw/posttest.dat
@@ -1,8 +1,8 @@
 sun::ipsec stop
 alice::ipsec stop
 venus::ipsec stop
-alice::/etc/init.d/iptables stop 2> /dev/null
-venus::/etc/init.d/iptables stop 2> /dev/null
-sun::/etc/init.d/iptables stop 2> /dev/null
+alice::iptables-restore < /etc/iptables.flush
+venus::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
 moon::iptables -t nat -F
 moon::conntrack -F
diff --git a/testing/tests/ikev1/nat-rw/pretest.dat b/testing/tests/ikev1/nat-rw/pretest.dat
index e365ff5c5..d701a1d61 100644
--- a/testing/tests/ikev1/nat-rw/pretest.dat
+++ b/testing/tests/ikev1/nat-rw/pretest.dat
@@ -1,7 +1,6 @@
-alice::/etc/init.d/iptables start 2> /dev/null
-venus::/etc/init.d/iptables start 2> /dev/null
-sun::/etc/init.d/iptables start 2> /dev/null
-moon::echo 1 > /proc/sys/net/ipv4/ip_forward
+alice::iptables-restore < /etc/iptables.rules
+venus::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
 moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p udp -j SNAT --to-source PH_IP_MOON:1024-1100
 moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p tcp -j SNAT --to-source PH_IP_MOON:2000-2100
 alice::ipsec start
diff --git a/testing/tests/ikev1/nat-rw/test.conf b/testing/tests/ikev1/nat-rw/test.conf
index 84317fd70..f515d4bc7 100644
--- a/testing/tests/ikev1/nat-rw/test.conf
+++ b/testing/tests/ikev1/nat-rw/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice venus moon winnetou sun bob"
+VIRTHOSTS="alice venus moon winnetou sun bob"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-v-m-w-s-b.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="alice venus sun"
diff --git a/testing/tests/ikev1/nat-virtual-ip/description.txt b/testing/tests/ikev1/nat-virtual-ip/description.txt
new file mode 100644
index 000000000..31d24cda6
--- /dev/null
+++ b/testing/tests/ikev1/nat-virtual-ip/description.txt
@@ -0,0 +1,6 @@
+The router <b>moon</b> sets up a connection to gateway <b>sun</b> in order
+to reach the subnet hidden behind <b>sun</b>. The gateway <b>sun</b> assigns a
+virtual IP address to router <b>moon</b>. A special updown script on <b>moon</b>
+specified by <b>leftupdown=/etc/nat_updown</b> dynamically inserts a source NAT rule
+which maps the IP address of client <b>alice</b> to the virtual IP of <b>moon</b>.
+This allows <b>alice</b> to access client <b>bob</b> via the established IPsec tunnel.
diff --git a/testing/tests/ikev1/nat-virtual-ip/evaltest.dat b/testing/tests/ikev1/nat-virtual-ip/evaltest.dat
new file mode 100644
index 000000000..c60ffc772
--- /dev/null
+++ b/testing/tests/ikev1/nat-virtual-ip/evaltest.dat
@@ -0,0 +1,8 @@
+moon:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
+sun::  ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
+moon:: cat /var/log/daemon.log::inserted NAT rule mapping PH_IP_ALICE to virtual IP::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
+sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
+sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
+bob::tcpdump::IP alice2.strongswan.org > bob.strongswan.org: ICMP::YES
+bob::tcpdump::IP bob.strongswan.org > alice2.strongswan.org: ICMP::YES
diff --git a/testing/tests/ikev1/nat-virtual-ip/hosts/bob/etc/hosts b/testing/tests/ikev1/nat-virtual-ip/hosts/bob/etc/hosts
new file mode 100644
index 000000000..ee854da09
--- /dev/null
+++ b/testing/tests/ikev1/nat-virtual-ip/hosts/bob/etc/hosts
@@ -0,0 +1,70 @@
+# /etc/hosts:  This file describes a number of hostname-to-address
+#              mappings for the TCP/IP subsystem.  It is mostly
+#              used at boot time, when no name servers are running.
+#              On small systems, this file can be used instead of a
+#              "named" name server.  Just add the names, addresses
+#              and any aliases to this file...
+#
+
+127.0.0.1	localhost
+
+192.168.0.254	uml0.strongswan.org	uml0
+10.1.0.254	uml1.strongswan.org	uml1
+10.2.0.254	uml1.strongswan.org	uml2
+
+10.1.0.10	alice.strongswan.org	alice
+10.1.0.20	venus.strongswan.org	venus
+10.1.0.1	moon1.strongswan.org	moon1
+192.168.0.1	moon.strongswan.org	moon
+192.168.0.50	alice1.strongswan.org	alice1
+192.168.0.100	carol.strongswan.org	carol
+10.3.0.1	carol1.strongswan.org	carol1
+192.168.0.150	winnetou.strongswan.org	winnetou crl.strongswan.org ocsp.strongswan.org ldap.strongswan.org
+192.168.0.200	dave.strongswan.org	dave
+10.3.0.2	dave1.strongswan.org	dave1
+192.168.0.2	sun.strongswan.org	sun
+10.2.0.1	sun1.strongswan.org	sun1
+10.2.0.10	bob.strongswan.org	bob
+10.4.0.1	alice2.strongswan.org	alice2
+
+# IPv6 versions of localhost and co
+::1 ip6-localhost ip6-loopback
+fe00::0 ip6-localnet
+ff00::0 ip6-mcastprefix
+ff02::1 ip6-allnodes
+ff02::2 ip6-allrouters
+ff02::3 ip6-allhosts
+
+# IPv6 solicited-node multicast addresses
+ff02::1:ff00:1	ip6-mcast-1
+ff02::1:ff00:2	ip6-mcast-2
+ff02::1:ff00:10	ip6-mcast-10
+ff02::1:ff00:15	ip6-mcast-15
+ff02::1:ff00:20	ip6-mcast-20
+
+# IPv6 site-local addresses
+fec0::5		ip6-alice1.strongswan.org   ip6-alice1
+fec1::10	ip6-alice.strongswan.org    ip6-alice
+fec1::20	ip6-venus.strongswan.org    ip6-venus
+fec1::1 	ip6-moon1.strongswan.org    ip6-moon1
+fec0::1 	ip6-moon.strongswan.org     ip6-moon
+fec0::10	ip6-carol.strongswan.org    ip6-carol
+fec3::1 	ip6-carol1.strongswan.org   ip6-carol1
+fec0::15	ip6-winnetou.strongswan.org ip6-winnetou 
+fec0::20	ip6-dave.strongswan.org     ip6-dave
+fec3::2 	ip6-dave1.strongswan.org    ip6-dave1
+fec0::2 	ip6-sun.strongswan.org      ip6-sun
+fec2::1 	ip6-sun1.strongswan.org     ip6-sun1
+fec2::10	ip6-bob.strongswan.org      ip6-bob
+
+# IPv6 link-local HW derived addresses
+fe80::fcfd:0aff:fe01:14	ip6-hw-venus.strongswan.org    ip6-hw-venus
+fe80::fcfd:0aff:fe01:0a	ip6-hw-alice.strongswan.org    ip6-hw-alice
+fe80::fcfd:0aff:fe01:01	ip6-hw-moon1.strongswan.org    ip6-hw-moon1
+fe80::fcfd:c0ff:fea8:01 ip6-hw-moon.strongswan.org     ip6-hw-moon
+fe80::fcfd:c0ff:fea8:64	ip6-hw-carol.strongswan.org    ip6-hw-carol
+fe80::fcfd:c0ff:fea8:96 ip6-hw-winnetou.strongswan.org ip6-hw-winnetou
+fe80::fcfd:c0ff:fea8:c8	ip6-hw-dave.strongswan.org     ip6-hw-dave
+fe80::fcfd:c0ff:fea8:02	ip6-hw-sun.strongswan.org      ip6-hw-sun
+fe80::fcfd:0aff:fe02:01	ip6-hw-sun1.strongswan.org     ip6-hw-sun1
+fe80::fcfd:0aff:fe02:0a ip6-hw-bob.strongswan.org      ip6-hw-bob
diff --git a/testing/tests/ikev1/nat-virtual-ip/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/nat-virtual-ip/hosts/moon/etc/ipsec.conf
new file mode 100644
index 000000000..28853ce75
--- /dev/null
+++ b/testing/tests/ikev1/nat-virtual-ip/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,22 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev1
+	mobike=no
+
+conn net-net 
+	left=PH_IP_MOON
+	leftcert=moonCert.pem
+	leftid=@moon.strongswan.org
+	leftsourceip=%config
+	leftupdown=/etc/nat_updown
+	right=PH_IP_SUN
+	rightid=@sun.strongswan.org
+	rightsubnet=10.2.0.0/16
+	auto=add
diff --git a/testing/tests/ikev1/nat-virtual-ip/hosts/moon/etc/nat_updown b/testing/tests/ikev1/nat-virtual-ip/hosts/moon/etc/nat_updown
new file mode 100755
index 000000000..aab1df687
--- /dev/null
+++ b/testing/tests/ikev1/nat-virtual-ip/hosts/moon/etc/nat_updown
@@ -0,0 +1,152 @@
+#! /bin/sh
+# NAT updown script
+#
+# Copyright (C) 2010 Andreas Steffen <andreas.steffen@strongswan.org>
+#
+# This program is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 2 of the License, or (at your
+# option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+# or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+# for more details.
+
+# things that this script gets (from ipsec_pluto(8) man page)
+#
+#      PLUTO_VERSION
+#              indicates  what  version of this interface is being
+#              used.  This document describes version  1.1.   This
+#              is upwardly compatible with version 1.0.
+#
+#       PLUTO_VERB
+#              specifies the name of the operation to be performed
+#              (prepare-host, prepare-client, up-host, up-client,
+#              down-host, or down-client).  If the address family
+#              for security gateway to security gateway communica-
+#              tions is IPv6, then a suffix of -v6 is added to the
+#              verb.
+#
+#       PLUTO_CONNECTION
+#              is the name of the  connection  for  which  we  are
+#              routing.
+#
+#       PLUTO_NEXT_HOP
+#              is the next hop to which packets bound for the peer
+#              must be sent.
+#
+#       PLUTO_INTERFACE
+#              is the name of the ipsec interface to be used.
+#
+#       PLUTO_REQID
+#              is the requid of the ESP policy
+#
+#       PLUTO_ME
+#              is the IP address of our host.
+#
+#       PLUTO_MY_ID
+#              is the ID of our host.
+#
+#       PLUTO_MY_CLIENT
+#              is the IP address / count of our client subnet.  If
+#              the  client  is  just  the  host,  this will be the
+#              host's own IP address / max (where max  is  32  for
+#              IPv4 and 128 for IPv6).
+#
+#       PLUTO_MY_CLIENT_NET
+#              is the IP address of our client net.  If the client
+#              is just the host, this will be the  host's  own  IP
+#              address.
+#
+#       PLUTO_MY_CLIENT_MASK
+#              is  the  mask for our client net.  If the client is
+#              just the host, this will be 255.255.255.255.
+#
+#       PLUTO_MY_SOURCEIP
+#              if non-empty, then the source address for the route will be
+#              set to this IP address.
+#
+#       PLUTO_MY_PROTOCOL
+#              is the IP protocol that will be transported.
+#
+#       PLUTO_MY_PORT
+#              is  the  UDP/TCP  port  to  which  the IPsec SA  is
+#              restricted on our side.
+#
+#       PLUTO_PEER
+#              is the IP address of our peer.
+#
+#       PLUTO_PEER_ID
+#              is the ID of our peer.
+#
+#       PLUTO_PEER_CA
+#              is the CA which issued the cert of our peer.
+#
+#       PLUTO_PEER_CLIENT
+#              is the IP address / count of the peer's client sub-
+#              net.   If the client is just the peer, this will be
+#              the peer's own IP address / max (where  max  is  32
+#              for IPv4 and 128 for IPv6).
+#
+#       PLUTO_PEER_CLIENT_NET
+#              is the IP address of the peer's client net.  If the
+#              client is just the peer, this will  be  the  peer's
+#              own IP address.
+#
+#       PLUTO_PEER_CLIENT_MASK
+#              is  the  mask  for  the  peer's client net.  If the
+#              client   is   just   the   peer,   this   will   be
+#              255.255.255.255.
+#
+#       PLUTO_PEER_PROTOCOL
+#              is the IP protocol that will be transported.
+#
+#       PLUTO_PEER_PORT
+#              is  the  UDP/TCP  port  to  which  the IPsec SA  is
+#              restricted on the peer side.
+#
+
+# define a minimum PATH environment in case it is not set
+PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin"
+export PATH
+
+# resolve octal escape sequences
+PLUTO_MY_ID=`printf "$PLUTO_MY_ID"`
+PLUTO_PEER_ID=`printf "$PLUTO_PEER_ID"`
+
+case "$PLUTO_VERB:$1" in
+up-host:)
+	# connection to me coming up
+	# If you are doing a custom version, firewall commands go here.
+	;;
+down-host:)
+	# connection to me going down
+	# If you are doing a custom version, firewall commands go here.
+	;;
+up-client:)
+	# connection to my client subnet coming up
+	# If you are doing a custom version, firewall commands go here.
+	iptables -A FORWARD -i eth1 -o $PLUTO_INTERFACE -s PH_IP_ALICE \
+	    -d $PLUTO_PEER_CLIENT -j ACCEPT
+        iptables -A FORWARD -o eth1 -i $PLUTO_INTERFACE -d PH_IP_ALICE \
+            -s $PLUTO_PEER_CLIENT -j ACCEPT
+	iptables -t nat -A POSTROUTING -o $PLUTO_INTERFACE -s PH_IP_ALICE \
+	    -d $PLUTO_PEER_CLIENT -j SNAT --to-source $PLUTO_MY_SOURCEIP
+	echo "inserted NAT rule mapping PH_IP_ALICE to virtual IP $PLUTO_MY_SOURCEIP" >&2 
+	;;
+down-client:)
+	# connection to my client subnet going down
+	# If you are doing a custom version, firewall commands go here.
+        iptables -D FORWARD -i eth1 -o $PLUTO_INTERFACE -s PH_IP_ALICE \
+            -d $PLUTO_PEER_CLIENT -j ACCEPT
+        iptables -D FORWARD -o eth1 -i $PLUTO_INTERFACE -d PH_IP_ALICE \
+            -s $PLUTO_PEER_CLIENT -j ACCEPT
+         iptables -t nat -D POSTROUTING -o $PLUTO_INTERFACE -s PH_IP_ALICE \
+            -d $PLUTO_PEER_CLIENT -j SNAT --to-source $PLUTO_MY_SOURCEIP
+        echo "deleted NAT rule mapping PH_IP_ALICE to virtual IP $PLUTO_MY_SOURCEIP" >&2    
+	;;
+*)	echo "$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'" >&2
+	exit 1
+	;;
+esac
diff --git a/testing/tests/ikev1/nat-virtual-ip/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/nat-virtual-ip/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..8e685c862
--- /dev/null
+++ b/testing/tests/ikev1/nat-virtual-ip/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  multiple_authentication = no
+}
diff --git a/testing/tests/ikev1/nat-virtual-ip/hosts/sun/etc/ipsec.conf b/testing/tests/ikev1/nat-virtual-ip/hosts/sun/etc/ipsec.conf
new file mode 100644
index 000000000..ff030b5b5
--- /dev/null
+++ b/testing/tests/ikev1/nat-virtual-ip/hosts/sun/etc/ipsec.conf
@@ -0,0 +1,22 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+        keyingtries=1
+	keyexchange=ikev1
+	mobike=no
+
+conn net-net 
+	left=PH_IP_SUN
+	leftcert=sunCert.pem
+	leftid=@sun.strongswan.org
+	leftsubnet=10.2.0.0/16
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+	rightsourceip=10.4.0.0/24
+	auto=add
diff --git a/testing/tests/ikev1/nat-virtual-ip/hosts/sun/etc/strongswan.conf b/testing/tests/ikev1/nat-virtual-ip/hosts/sun/etc/strongswan.conf
new file mode 100644
index 000000000..8e685c862
--- /dev/null
+++ b/testing/tests/ikev1/nat-virtual-ip/hosts/sun/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  multiple_authentication = no
+}
diff --git a/testing/tests/ikev1/nat-virtual-ip/posttest.dat b/testing/tests/ikev1/nat-virtual-ip/posttest.dat
new file mode 100644
index 000000000..11bd19da7
--- /dev/null
+++ b/testing/tests/ikev1/nat-virtual-ip/posttest.dat
@@ -0,0 +1,6 @@
+moon::ipsec stop
+sun::ipsec stop
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
+moon::conntrack -F
+moon::rm /etc/nat_updown
diff --git a/testing/tests/ikev1/nat-virtual-ip/pretest.dat b/testing/tests/ikev1/nat-virtual-ip/pretest.dat
new file mode 100644
index 000000000..eb0c28c7f
--- /dev/null
+++ b/testing/tests/ikev1/nat-virtual-ip/pretest.dat
@@ -0,0 +1,8 @@
+moon::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
+moon::conntrack -F
+moon::ipsec start
+sun::ipsec start
+moon::sleep 1 
+moon::ipsec up net-net
+moon::sleep 1
diff --git a/testing/tests/ikev1/nat-virtual-ip/test.conf b/testing/tests/ikev1/nat-virtual-ip/test.conf
new file mode 100644
index 000000000..f46f137b4
--- /dev/null
+++ b/testing/tests/ikev1/nat-virtual-ip/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon winnetou sun bob"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-w-s-b.png"
+ 
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="sun bob"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon sun"
diff --git a/testing/tests/ikev1/net2net-cert/evaltest.dat b/testing/tests/ikev1/net2net-cert/evaltest.dat
index c98f5d78d..2b37cad99 100644
--- a/testing/tests/ikev1/net2net-cert/evaltest.dat
+++ b/testing/tests/ikev1/net2net-cert/evaltest.dat
@@ -2,6 +2,6 @@ moon::ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.
 sun:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
 moon::ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
 sun:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
-alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
 sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
 sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev1/net2net-cert/posttest.dat b/testing/tests/ikev1/net2net-cert/posttest.dat
index a4c96e10f..837738fc6 100644
--- a/testing/tests/ikev1/net2net-cert/posttest.dat
+++ b/testing/tests/ikev1/net2net-cert/posttest.dat
@@ -1,5 +1,5 @@
 moon::ipsec stop
 sun::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-sun::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
 
diff --git a/testing/tests/ikev1/net2net-cert/pretest.dat b/testing/tests/ikev1/net2net-cert/pretest.dat
index 2d7a78acb..c724e5df8 100644
--- a/testing/tests/ikev1/net2net-cert/pretest.dat
+++ b/testing/tests/ikev1/net2net-cert/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-sun::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 sun::ipsec start
 moon::sleep 1 
diff --git a/testing/tests/ikev1/net2net-cert/test.conf b/testing/tests/ikev1/net2net-cert/test.conf
index d9a61590f..646b8b3e6 100644
--- a/testing/tests/ikev1/net2net-cert/test.conf
+++ b/testing/tests/ikev1/net2net-cert/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon winnetou sun bob"
+VIRTHOSTS="alice moon winnetou sun bob"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-w-s-b.png"
  
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="sun"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon sun"
diff --git a/testing/tests/ikev1/net2net-psk-fail/posttest.dat b/testing/tests/ikev1/net2net-psk-fail/posttest.dat
index 5a9150bc8..1f7aa73a1 100644
--- a/testing/tests/ikev1/net2net-psk-fail/posttest.dat
+++ b/testing/tests/ikev1/net2net-psk-fail/posttest.dat
@@ -1,4 +1,4 @@
 moon::ipsec stop
 sun::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-sun::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev1/net2net-psk-fail/pretest.dat b/testing/tests/ikev1/net2net-psk-fail/pretest.dat
index 9e40684ab..0f4ae0f4f 100644
--- a/testing/tests/ikev1/net2net-psk-fail/pretest.dat
+++ b/testing/tests/ikev1/net2net-psk-fail/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-sun::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
 moon::rm /etc/ipsec.d/cacerts/*
 sun::rm /etc/ipsec.d/cacerts/*
 moon::ipsec start
diff --git a/testing/tests/ikev1/net2net-psk-fail/test.conf b/testing/tests/ikev1/net2net-psk-fail/test.conf
index f6e064e7d..eb4822b5d 100644
--- a/testing/tests/ikev1/net2net-psk-fail/test.conf
+++ b/testing/tests/ikev1/net2net-psk-fail/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="moon winnetou sun"
+VIRTHOSTS="moon winnetou sun"
 
 # Corresponding block diagram
 #
 DIAGRAM="m-w-s.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS=""
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon sun"
diff --git a/testing/tests/ikev1/net2net-psk/evaltest.dat b/testing/tests/ikev1/net2net-psk/evaltest.dat
index c98f5d78d..2b37cad99 100644
--- a/testing/tests/ikev1/net2net-psk/evaltest.dat
+++ b/testing/tests/ikev1/net2net-psk/evaltest.dat
@@ -2,6 +2,6 @@ moon::ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.
 sun:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
 moon::ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
 sun:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
-alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
 sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
 sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev1/net2net-psk/posttest.dat b/testing/tests/ikev1/net2net-psk/posttest.dat
index 5a9150bc8..1f7aa73a1 100644
--- a/testing/tests/ikev1/net2net-psk/posttest.dat
+++ b/testing/tests/ikev1/net2net-psk/posttest.dat
@@ -1,4 +1,4 @@
 moon::ipsec stop
 sun::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-sun::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev1/net2net-psk/pretest.dat b/testing/tests/ikev1/net2net-psk/pretest.dat
index 9e40684ab..0f4ae0f4f 100644
--- a/testing/tests/ikev1/net2net-psk/pretest.dat
+++ b/testing/tests/ikev1/net2net-psk/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-sun::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
 moon::rm /etc/ipsec.d/cacerts/*
 sun::rm /etc/ipsec.d/cacerts/*
 moon::ipsec start
diff --git a/testing/tests/ikev1/net2net-psk/test.conf b/testing/tests/ikev1/net2net-psk/test.conf
index f74d0f7d6..afa2accbe 100644
--- a/testing/tests/ikev1/net2net-psk/test.conf
+++ b/testing/tests/ikev1/net2net-psk/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon winnetou sun bob"
+VIRTHOSTS="alice moon winnetou sun bob"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-w-s-b.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="sun"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon sun"
diff --git a/testing/tests/ikev1/protoport-dual/evaltest.dat b/testing/tests/ikev1/protoport-dual/evaltest.dat
index a65460cc8..cf45f3b52 100644
--- a/testing/tests/ikev1/protoport-dual/evaltest.dat
+++ b/testing/tests/ikev1/protoport-dual/evaltest.dat
@@ -2,8 +2,8 @@ carol::ipsec status 2> /dev/null::home-icmp.*INSTALLED, TUNNEL::YES
 carol::ipsec status 2> /dev/null::home-ssh.*INSTALLED, TUNNEL::YES
 moon:: ipsec status 2> /dev/null::rw-icmp.*INSTALLED, TUNNEL::YES
 moon:: ipsec status 2> /dev/null::rw-ssh.*INSTALLED, TUNNEL::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-carol::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_seq=1::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+carol::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_req=1::YES
 carol::ssh -o ConnectTimeout=5 PH_IP_ALICE hostname::alice::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev1/protoport-dual/posttest.dat b/testing/tests/ikev1/protoport-dual/posttest.dat
index 94a400606..046d4cfdc 100644
--- a/testing/tests/ikev1/protoport-dual/posttest.dat
+++ b/testing/tests/ikev1/protoport-dual/posttest.dat
@@ -1,4 +1,4 @@
 moon::ipsec stop
 carol::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev1/protoport-dual/pretest.dat b/testing/tests/ikev1/protoport-dual/pretest.dat
index d3d0061c3..efb2e5712 100644
--- a/testing/tests/ikev1/protoport-dual/pretest.dat
+++ b/testing/tests/ikev1/protoport-dual/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 carol::sleep 2
diff --git a/testing/tests/ikev1/protoport-dual/test.conf b/testing/tests/ikev1/protoport-dual/test.conf
index 9cd583b16..4a5fc470f 100644
--- a/testing/tests/ikev1/protoport-dual/test.conf
+++ b/testing/tests/ikev1/protoport-dual/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou"
+VIRTHOSTS="alice moon carol winnetou"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev1/rw-cert-aggressive/evaltest.dat b/testing/tests/ikev1/rw-cert-aggressive/evaltest.dat
index f8cfb111b..ba661975b 100644
--- a/testing/tests/ikev1/rw-cert-aggressive/evaltest.dat
+++ b/testing/tests/ikev1/rw-cert-aggressive/evaltest.dat
@@ -6,8 +6,8 @@ carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
 dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
 moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
 moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
 moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev1/rw-cert-aggressive/posttest.dat b/testing/tests/ikev1/rw-cert-aggressive/posttest.dat
index 7cebd7f25..1865a1c60 100644
--- a/testing/tests/ikev1/rw-cert-aggressive/posttest.dat
+++ b/testing/tests/ikev1/rw-cert-aggressive/posttest.dat
@@ -1,6 +1,6 @@
 moon::ipsec stop
 carol::ipsec stop
 dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev1/rw-cert-aggressive/pretest.dat b/testing/tests/ikev1/rw-cert-aggressive/pretest.dat
index 42e9d7c24..8bbea1412 100644
--- a/testing/tests/ikev1/rw-cert-aggressive/pretest.dat
+++ b/testing/tests/ikev1/rw-cert-aggressive/pretest.dat
@@ -1,6 +1,6 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
diff --git a/testing/tests/ikev1/rw-cert-aggressive/test.conf b/testing/tests/ikev1/rw-cert-aggressive/test.conf
index 70416826e..f29298850 100644
--- a/testing/tests/ikev1/rw-cert-aggressive/test.conf
+++ b/testing/tests/ikev1/rw-cert-aggressive/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev1/rw-cert-unity/evaltest.dat b/testing/tests/ikev1/rw-cert-unity/evaltest.dat
index b6a860b86..c183f48e9 100644
--- a/testing/tests/ikev1/rw-cert-unity/evaltest.dat
+++ b/testing/tests/ikev1/rw-cert-unity/evaltest.dat
@@ -3,6 +3,6 @@ moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*caro
 carol::ipsec status 2> /dev/null::10.2.1.1/32 === 192.168.0.0/24 PASS::YES
 carol::ipsec status 2> /dev/null::home.*10.2.1.1/32 === 10.1.0.0/16 10.2.1.0/24::YES
 moon:: ipsec status 2> /dev/null::rw[{]1}.*10.1.0.0/16 10.2.1.0/24 === 10.2.1.1/32::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev1/rw-cert-unity/test.conf b/testing/tests/ikev1/rw-cert-unity/test.conf
index 25cff970f..09e6f6cdb 100644
--- a/testing/tests/ikev1/rw-cert-unity/test.conf
+++ b/testing/tests/ikev1/rw-cert-unity/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou"
+VIRTHOSTS="alice moon carol winnetou"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev1/rw-cert/evaltest.dat b/testing/tests/ikev1/rw-cert/evaltest.dat
index f8cfb111b..ba661975b 100644
--- a/testing/tests/ikev1/rw-cert/evaltest.dat
+++ b/testing/tests/ikev1/rw-cert/evaltest.dat
@@ -6,8 +6,8 @@ carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
 dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
 moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
 moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
 moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev1/rw-cert/posttest.dat b/testing/tests/ikev1/rw-cert/posttest.dat
index 7cebd7f25..1865a1c60 100644
--- a/testing/tests/ikev1/rw-cert/posttest.dat
+++ b/testing/tests/ikev1/rw-cert/posttest.dat
@@ -1,6 +1,6 @@
 moon::ipsec stop
 carol::ipsec stop
 dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev1/rw-cert/pretest.dat b/testing/tests/ikev1/rw-cert/pretest.dat
index 42e9d7c24..8bbea1412 100644
--- a/testing/tests/ikev1/rw-cert/pretest.dat
+++ b/testing/tests/ikev1/rw-cert/pretest.dat
@@ -1,6 +1,6 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
diff --git a/testing/tests/ikev1/rw-cert/test.conf b/testing/tests/ikev1/rw-cert/test.conf
index 70416826e..f29298850 100644
--- a/testing/tests/ikev1/rw-cert/test.conf
+++ b/testing/tests/ikev1/rw-cert/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev1/rw-psk-aggressive/evaltest.dat b/testing/tests/ikev1/rw-psk-aggressive/evaltest.dat
index b545c2289..2342d024b 100644
--- a/testing/tests/ikev1/rw-psk-aggressive/evaltest.dat
+++ b/testing/tests/ikev1/rw-psk-aggressive/evaltest.dat
@@ -6,8 +6,8 @@ carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
 dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
 moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
 moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
 moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev1/rw-psk-aggressive/posttest.dat b/testing/tests/ikev1/rw-psk-aggressive/posttest.dat
index 7cebd7f25..1865a1c60 100644
--- a/testing/tests/ikev1/rw-psk-aggressive/posttest.dat
+++ b/testing/tests/ikev1/rw-psk-aggressive/posttest.dat
@@ -1,6 +1,6 @@
 moon::ipsec stop
 carol::ipsec stop
 dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev1/rw-psk-aggressive/pretest.dat b/testing/tests/ikev1/rw-psk-aggressive/pretest.dat
index 761abe274..44f41f995 100644
--- a/testing/tests/ikev1/rw-psk-aggressive/pretest.dat
+++ b/testing/tests/ikev1/rw-psk-aggressive/pretest.dat
@@ -1,6 +1,6 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
 moon::rm /etc/ipsec.d/cacerts/*
 carol::rm /etc/ipsec.d/cacerts/*
 dave::rm /etc/ipsec.d/cacerts/*
diff --git a/testing/tests/ikev1/rw-psk-aggressive/test.conf b/testing/tests/ikev1/rw-psk-aggressive/test.conf
index 70416826e..f29298850 100644
--- a/testing/tests/ikev1/rw-psk-aggressive/test.conf
+++ b/testing/tests/ikev1/rw-psk-aggressive/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev1/rw-psk-fqdn/evaltest.dat b/testing/tests/ikev1/rw-psk-fqdn/evaltest.dat
index ef964a234..77f548848 100644
--- a/testing/tests/ikev1/rw-psk-fqdn/evaltest.dat
+++ b/testing/tests/ikev1/rw-psk-fqdn/evaltest.dat
@@ -6,8 +6,8 @@ carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
 dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
 moon:: ipsec status 2> /dev/null::rw-carol.*INSTALLED, TUNNEL::YES
 moon:: ipsec status 2> /dev/null::rw-dave.*INSTALLED, TUNNEL::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
 moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev1/rw-psk-fqdn/posttest.dat b/testing/tests/ikev1/rw-psk-fqdn/posttest.dat
index 7cebd7f25..1865a1c60 100644
--- a/testing/tests/ikev1/rw-psk-fqdn/posttest.dat
+++ b/testing/tests/ikev1/rw-psk-fqdn/posttest.dat
@@ -1,6 +1,6 @@
 moon::ipsec stop
 carol::ipsec stop
 dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev1/rw-psk-fqdn/pretest.dat b/testing/tests/ikev1/rw-psk-fqdn/pretest.dat
index 761abe274..44f41f995 100644
--- a/testing/tests/ikev1/rw-psk-fqdn/pretest.dat
+++ b/testing/tests/ikev1/rw-psk-fqdn/pretest.dat
@@ -1,6 +1,6 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
 moon::rm /etc/ipsec.d/cacerts/*
 carol::rm /etc/ipsec.d/cacerts/*
 dave::rm /etc/ipsec.d/cacerts/*
diff --git a/testing/tests/ikev1/rw-psk-fqdn/test.conf b/testing/tests/ikev1/rw-psk-fqdn/test.conf
index 70416826e..f29298850 100644
--- a/testing/tests/ikev1/rw-psk-fqdn/test.conf
+++ b/testing/tests/ikev1/rw-psk-fqdn/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev1/rw-psk-ipv4/evaltest.dat b/testing/tests/ikev1/rw-psk-ipv4/evaltest.dat
index d56c5220f..df37719e9 100644
--- a/testing/tests/ikev1/rw-psk-ipv4/evaltest.dat
+++ b/testing/tests/ikev1/rw-psk-ipv4/evaltest.dat
@@ -6,8 +6,8 @@ carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
 dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
 moon:: ipsec status 2> /dev/null::rw-carol.*INSTALLED, TUNNEL::YES
 moon:: ipsec status 2> /dev/null::rw-dave.*INSTALLED, TUNNEL::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
 moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev1/rw-psk-ipv4/posttest.dat b/testing/tests/ikev1/rw-psk-ipv4/posttest.dat
index 7cebd7f25..1865a1c60 100644
--- a/testing/tests/ikev1/rw-psk-ipv4/posttest.dat
+++ b/testing/tests/ikev1/rw-psk-ipv4/posttest.dat
@@ -1,6 +1,6 @@
 moon::ipsec stop
 carol::ipsec stop
 dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev1/rw-psk-ipv4/pretest.dat b/testing/tests/ikev1/rw-psk-ipv4/pretest.dat
index 761abe274..44f41f995 100644
--- a/testing/tests/ikev1/rw-psk-ipv4/pretest.dat
+++ b/testing/tests/ikev1/rw-psk-ipv4/pretest.dat
@@ -1,6 +1,6 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
 moon::rm /etc/ipsec.d/cacerts/*
 carol::rm /etc/ipsec.d/cacerts/*
 dave::rm /etc/ipsec.d/cacerts/*
diff --git a/testing/tests/ikev1/rw-psk-ipv4/test.conf b/testing/tests/ikev1/rw-psk-ipv4/test.conf
index 70416826e..f29298850 100644
--- a/testing/tests/ikev1/rw-psk-ipv4/test.conf
+++ b/testing/tests/ikev1/rw-psk-ipv4/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev1/virtual-ip/evaltest.dat b/testing/tests/ikev1/virtual-ip/evaltest.dat
index dd3143ae7..0f5df71d7 100644
--- a/testing/tests/ikev1/virtual-ip/evaltest.dat
+++ b/testing/tests/ikev1/virtual-ip/evaltest.dat
@@ -14,12 +14,12 @@ carol::ip addr list dev eth0::PH_IP_CAROL1::YES
 carol::ip route list table 220::src PH_IP_CAROL1::YES
 dave:: ip addr list dev eth0::PH_IP_DAVE1::YES
 dave:: ip route list table 220::src PH_IP_DAVE1::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-carol::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_seq=1::YES
-dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave:: ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_seq=1::YES
-moon:: ping -c 1 PH_IP_CAROL1::64 bytes from PH_IP_CAROL1: icmp_seq=1::YES
-moon:: ping -c 1 PH_IP_DAVE1::64 bytes from PH_IP_DAVE1: icmp_seq=1::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+carol::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_req=1::YES
+moon:: ping -c 1 PH_IP_CAROL1::64 bytes from PH_IP_CAROL1: icmp_req=1::YES
+moon:: ping -c 1 PH_IP_DAVE1::64 bytes from PH_IP_DAVE1: icmp_req=1::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
 moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev1/virtual-ip/posttest.dat b/testing/tests/ikev1/virtual-ip/posttest.dat
index 7cebd7f25..1865a1c60 100644
--- a/testing/tests/ikev1/virtual-ip/posttest.dat
+++ b/testing/tests/ikev1/virtual-ip/posttest.dat
@@ -1,6 +1,6 @@
 moon::ipsec stop
 carol::ipsec stop
 dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev1/virtual-ip/pretest.dat b/testing/tests/ikev1/virtual-ip/pretest.dat
index 5ec37aae1..1765a83cd 100644
--- a/testing/tests/ikev1/virtual-ip/pretest.dat
+++ b/testing/tests/ikev1/virtual-ip/pretest.dat
@@ -1,6 +1,6 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
 carol::ipsec start
 dave::ipsec start
 moon::ipsec start
diff --git a/testing/tests/ikev1/virtual-ip/test.conf b/testing/tests/ikev1/virtual-ip/test.conf
index 1a8f2a4e0..164b07ff9 100644
--- a/testing/tests/ikev1/virtual-ip/test.conf
+++ b/testing/tests/ikev1/virtual-ip/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon alice"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev1/xauth-id-psk-config/evaltest.dat b/testing/tests/ikev1/xauth-id-psk-config/evaltest.dat
index 02ed911ba..cd4ebd8ec 100644
--- a/testing/tests/ikev1/xauth-id-psk-config/evaltest.dat
+++ b/testing/tests/ikev1/xauth-id-psk-config/evaltest.dat
@@ -12,8 +12,8 @@ moon:: cat /var/log/daemon.log::assigning virtual IP 10.3.0.1 to peer.*carol::YE
 moon:: cat /var/log/daemon.log::assigning virtual IP 10.3.0.2 to peer.*dave::YES
 carol::cat /var/log/daemon.log::installing new virtual IP 10.3.0.1::YES
 dave:: cat /var/log/daemon.log::installing new virtual IP 10.3.0.2::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
 moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev1/xauth-id-psk-config/posttest.dat b/testing/tests/ikev1/xauth-id-psk-config/posttest.dat
index 1777f439f..b757d8b15 100644
--- a/testing/tests/ikev1/xauth-id-psk-config/posttest.dat
+++ b/testing/tests/ikev1/xauth-id-psk-config/posttest.dat
@@ -1,6 +1,6 @@
 carol::ipsec stop
 dave::ipsec stop
 moon::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev1/xauth-id-psk-config/pretest.dat b/testing/tests/ikev1/xauth-id-psk-config/pretest.dat
index 95a6be131..88a91ae86 100644
--- a/testing/tests/ikev1/xauth-id-psk-config/pretest.dat
+++ b/testing/tests/ikev1/xauth-id-psk-config/pretest.dat
@@ -1,6 +1,6 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
 moon::rm /etc/ipsec.d/cacerts/*
 carol::rm /etc/ipsec.d/cacerts/*
 dave::rm /etc/ipsec.d/cacerts/*
diff --git a/testing/tests/ikev1/xauth-id-psk-config/test.conf b/testing/tests/ikev1/xauth-id-psk-config/test.conf
index 75510b295..9b1ec0b54 100644
--- a/testing/tests/ikev1/xauth-id-psk-config/test.conf
+++ b/testing/tests/ikev1/xauth-id-psk-config/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="alice moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev1/xauth-id-rsa-aggressive/evaltest.dat b/testing/tests/ikev1/xauth-id-rsa-aggressive/evaltest.dat
index 5b021a09a..34c124c95 100644
--- a/testing/tests/ikev1/xauth-id-rsa-aggressive/evaltest.dat
+++ b/testing/tests/ikev1/xauth-id-rsa-aggressive/evaltest.dat
@@ -8,8 +8,8 @@ moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
 moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
 moon:: cat /var/log/daemon.log::XAuth authentication of.*carol.*successful::YES
 moon:: cat /var/log/daemon.log::XAuth authentication of.*dave.*successful::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
 moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev1/xauth-id-rsa-aggressive/posttest.dat b/testing/tests/ikev1/xauth-id-rsa-aggressive/posttest.dat
index 7cebd7f25..1865a1c60 100644
--- a/testing/tests/ikev1/xauth-id-rsa-aggressive/posttest.dat
+++ b/testing/tests/ikev1/xauth-id-rsa-aggressive/posttest.dat
@@ -1,6 +1,6 @@
 moon::ipsec stop
 carol::ipsec stop
 dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev1/xauth-id-rsa-aggressive/pretest.dat b/testing/tests/ikev1/xauth-id-rsa-aggressive/pretest.dat
index 78e2d57f8..e5a06d44c 100644
--- a/testing/tests/ikev1/xauth-id-rsa-aggressive/pretest.dat
+++ b/testing/tests/ikev1/xauth-id-rsa-aggressive/pretest.dat
@@ -1,6 +1,6 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
diff --git a/testing/tests/ikev1/xauth-id-rsa-aggressive/test.conf b/testing/tests/ikev1/xauth-id-rsa-aggressive/test.conf
index 70416826e..f29298850 100644
--- a/testing/tests/ikev1/xauth-id-rsa-aggressive/test.conf
+++ b/testing/tests/ikev1/xauth-id-rsa-aggressive/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev1/xauth-id-rsa-config/evaltest.dat b/testing/tests/ikev1/xauth-id-rsa-config/evaltest.dat
index 198dd3782..7604a1527 100644
--- a/testing/tests/ikev1/xauth-id-rsa-config/evaltest.dat
+++ b/testing/tests/ikev1/xauth-id-rsa-config/evaltest.dat
@@ -12,8 +12,8 @@ moon:: cat /var/log/daemon.log::assigning virtual IP 10.3.0.1 to peer.*carol::YE
 moon:: cat /var/log/daemon.log::assigning virtual IP 10.3.0.2 to peer.*dave::YES
 carol::cat /var/log/daemon.log::installing new virtual IP 10.3.0.1::YES
 dave:: cat /var/log/daemon.log::installing new virtual IP 10.3.0.2::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
 moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev1/xauth-id-rsa-config/posttest.dat b/testing/tests/ikev1/xauth-id-rsa-config/posttest.dat
index 7cebd7f25..1865a1c60 100644
--- a/testing/tests/ikev1/xauth-id-rsa-config/posttest.dat
+++ b/testing/tests/ikev1/xauth-id-rsa-config/posttest.dat
@@ -1,6 +1,6 @@
 moon::ipsec stop
 carol::ipsec stop
 dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev1/xauth-id-rsa-config/pretest.dat b/testing/tests/ikev1/xauth-id-rsa-config/pretest.dat
index 78e2d57f8..e5a06d44c 100644
--- a/testing/tests/ikev1/xauth-id-rsa-config/pretest.dat
+++ b/testing/tests/ikev1/xauth-id-rsa-config/pretest.dat
@@ -1,6 +1,6 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
diff --git a/testing/tests/ikev1/xauth-id-rsa-config/test.conf b/testing/tests/ikev1/xauth-id-rsa-config/test.conf
index 70416826e..f29298850 100644
--- a/testing/tests/ikev1/xauth-id-rsa-config/test.conf
+++ b/testing/tests/ikev1/xauth-id-rsa-config/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev1/xauth-id-rsa-hybrid/evaltest.dat b/testing/tests/ikev1/xauth-id-rsa-hybrid/evaltest.dat
index 5b021a09a..34c124c95 100644
--- a/testing/tests/ikev1/xauth-id-rsa-hybrid/evaltest.dat
+++ b/testing/tests/ikev1/xauth-id-rsa-hybrid/evaltest.dat
@@ -8,8 +8,8 @@ moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
 moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
 moon:: cat /var/log/daemon.log::XAuth authentication of.*carol.*successful::YES
 moon:: cat /var/log/daemon.log::XAuth authentication of.*dave.*successful::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
 moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev1/xauth-id-rsa-hybrid/posttest.dat b/testing/tests/ikev1/xauth-id-rsa-hybrid/posttest.dat
index 7cebd7f25..1865a1c60 100644
--- a/testing/tests/ikev1/xauth-id-rsa-hybrid/posttest.dat
+++ b/testing/tests/ikev1/xauth-id-rsa-hybrid/posttest.dat
@@ -1,6 +1,6 @@
 moon::ipsec stop
 carol::ipsec stop
 dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev1/xauth-id-rsa-hybrid/pretest.dat b/testing/tests/ikev1/xauth-id-rsa-hybrid/pretest.dat
index 78e2d57f8..e5a06d44c 100644
--- a/testing/tests/ikev1/xauth-id-rsa-hybrid/pretest.dat
+++ b/testing/tests/ikev1/xauth-id-rsa-hybrid/pretest.dat
@@ -1,6 +1,6 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
diff --git a/testing/tests/ikev1/xauth-id-rsa-hybrid/test.conf b/testing/tests/ikev1/xauth-id-rsa-hybrid/test.conf
index 70416826e..f29298850 100644
--- a/testing/tests/ikev1/xauth-id-rsa-hybrid/test.conf
+++ b/testing/tests/ikev1/xauth-id-rsa-hybrid/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev1/xauth-psk/evaltest.dat b/testing/tests/ikev1/xauth-psk/evaltest.dat
index 988a6c541..c6637cbfe 100644
--- a/testing/tests/ikev1/xauth-psk/evaltest.dat
+++ b/testing/tests/ikev1/xauth-psk/evaltest.dat
@@ -8,8 +8,8 @@ moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
 moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
 moon:: cat /var/log/daemon.log::XAuth authentication of.*carol@strongswan.org.*successful::YES
 moon:: cat /var/log/daemon.log::XAuth authentication of.*dave@strongswan.org.*successful::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
 moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev1/xauth-psk/posttest.dat b/testing/tests/ikev1/xauth-psk/posttest.dat
index 7cebd7f25..1865a1c60 100644
--- a/testing/tests/ikev1/xauth-psk/posttest.dat
+++ b/testing/tests/ikev1/xauth-psk/posttest.dat
@@ -1,6 +1,6 @@
 moon::ipsec stop
 carol::ipsec stop
 dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev1/xauth-psk/pretest.dat b/testing/tests/ikev1/xauth-psk/pretest.dat
index 95a6be131..88a91ae86 100644
--- a/testing/tests/ikev1/xauth-psk/pretest.dat
+++ b/testing/tests/ikev1/xauth-psk/pretest.dat
@@ -1,6 +1,6 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
 moon::rm /etc/ipsec.d/cacerts/*
 carol::rm /etc/ipsec.d/cacerts/*
 dave::rm /etc/ipsec.d/cacerts/*
diff --git a/testing/tests/ikev1/xauth-psk/test.conf b/testing/tests/ikev1/xauth-psk/test.conf
index 70416826e..f29298850 100644
--- a/testing/tests/ikev1/xauth-psk/test.conf
+++ b/testing/tests/ikev1/xauth-psk/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev1/xauth-rsa-eap-md5-radius/evaltest.dat b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/evaltest.dat
index 0591e22b6..d568273d1 100644
--- a/testing/tests/ikev1/xauth-rsa-eap-md5-radius/evaltest.dat
+++ b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/evaltest.dat
@@ -5,6 +5,6 @@ moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@st
 carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
 moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
 carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/alice/etc/freeradius/eap.conf b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/alice/etc/freeradius/eap.conf
new file mode 100644
index 000000000..623f42904
--- /dev/null
+++ b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/alice/etc/freeradius/eap.conf
@@ -0,0 +1,5 @@
+eap {
+  default_eap_type = md5
+  md5 {
+  }
+}
diff --git a/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/alice/etc/freeradius/proxy.conf b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/alice/etc/freeradius/proxy.conf
new file mode 100644
index 000000000..23cba8d11
--- /dev/null
+++ b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/alice/etc/freeradius/proxy.conf
@@ -0,0 +1,5 @@
+realm strongswan.org {
+  type     = radius
+  authhost = LOCAL
+  accthost = LOCAL
+}
diff --git a/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/alice/etc/freeradius/sites-available/default b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/alice/etc/freeradius/sites-available/default
new file mode 100644
index 000000000..dd0825858
--- /dev/null
+++ b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/alice/etc/freeradius/sites-available/default
@@ -0,0 +1,43 @@
+authorize {
+  suffix
+  eap {
+    ok = return
+  }
+  files
+}
+
+authenticate {
+  eap
+}
+
+preacct {
+  preprocess
+  acct_unique
+  suffix
+  files
+}
+
+accounting {
+  detail
+  unix
+  radutmp
+  attr_filter.accounting_response
+}
+
+session {
+  radutmp
+}
+
+post-auth {
+  exec
+  Post-Auth-Type REJECT {
+    attr_filter.access_reject
+  }
+}
+
+pre-proxy {
+}
+
+post-proxy {
+  eap
+}
diff --git a/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/alice/etc/freeradius/users b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/alice/etc/freeradius/users
new file mode 100644
index 000000000..4fb07b912
--- /dev/null
+++ b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/alice/etc/freeradius/users
@@ -0,0 +1 @@
+carol	Cleartext-Password := "4iChxLT3"
diff --git a/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/alice/etc/raddb/clients.conf b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/alice/etc/raddb/clients.conf
deleted file mode 100644
index f4e179aa4..000000000
--- a/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/alice/etc/raddb/clients.conf
+++ /dev/null
@@ -1,4 +0,0 @@
-client PH_IP_MOON1 {
-  secret    = gv6URkSs 
-  shortname = moon
-}
diff --git a/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/alice/etc/raddb/eap.conf b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/alice/etc/raddb/eap.conf
deleted file mode 100644
index 623f42904..000000000
--- a/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/alice/etc/raddb/eap.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-eap {
-  default_eap_type = md5
-  md5 {
-  }
-}
diff --git a/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/alice/etc/raddb/proxy.conf b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/alice/etc/raddb/proxy.conf
deleted file mode 100644
index 23cba8d11..000000000
--- a/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/alice/etc/raddb/proxy.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-realm strongswan.org {
-  type     = radius
-  authhost = LOCAL
-  accthost = LOCAL
-}
diff --git a/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/alice/etc/raddb/radiusd.conf b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/alice/etc/raddb/radiusd.conf
deleted file mode 100644
index 1143a0473..000000000
--- a/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/alice/etc/raddb/radiusd.conf
+++ /dev/null
@@ -1,120 +0,0 @@
-# radiusd.conf	-- FreeRADIUS server configuration file.
-
-prefix = /usr
-exec_prefix = ${prefix}
-sysconfdir = /etc
-localstatedir = /var
-sbindir = ${exec_prefix}/sbin
-logdir = ${localstatedir}/log/radius
-raddbdir = ${sysconfdir}/raddb
-radacctdir = ${logdir}/radacct
-
-#  name of the running server.  See also the "-n" command-line option.
-name = radiusd
-
-#  Location of config and logfiles.
-confdir = ${raddbdir}
-run_dir = ${localstatedir}/run/radiusd
-
-# Should likely be ${localstatedir}/lib/radiusd
-db_dir = ${raddbdir}
-
-# libdir: Where to find the rlm_* modules.
-libdir = ${exec_prefix}/lib
-
-#  pidfile: Where to place the PID of the RADIUS server.
-pidfile = ${run_dir}/${name}.pid
-
-#  max_request_time: The maximum time (in seconds) to handle a request.
-max_request_time = 30
-
-#  cleanup_delay: The time to wait (in seconds) before cleaning up
-cleanup_delay = 5
-
-#  max_requests: The maximum number of requests which the server keeps
-max_requests = 1024
-
-#  listen: Make the server listen on a particular IP address, and send
-listen {
-  type = auth
-  ipaddr = PH_IP_ALICE 
-  port = 0
-}
-
-#  This second "listen" section is for listening on the accounting
-#  port, too.
-#
-listen {
-  type  = acct
-  ipaddr = PH_IP_ALICE 
-  port = 0
-}
-
-#  hostname_lookups: Log the names of clients or just their IP addresses
-hostname_lookups = no
-
-#  Core dumps are a bad thing.  This should only be set to 'yes'
-allow_core_dumps = no
-
-#  Regular expressions
-regular_expressions = yes
-extended_expressions = yes
-
-#  Logging section.  The various "log_*" configuration items
-log {
-  destination = files
-  file = ${logdir}/radius.log
-  syslog_facility = daemon
-  stripped_names = no
-  auth = yes 
-  auth_badpass = yes 
-  auth_goodpass = yes 
-}
-
-#  The program to execute to do concurrency checks.
-checkrad = ${sbindir}/checkrad
-
-#  Security considerations
-security {
-  max_attributes = 200
-  reject_delay = 1
-  status_server = yes
-}
-
-# PROXY CONFIGURATION
-proxy_requests = yes
-$INCLUDE proxy.conf
-
-# CLIENTS CONFIGURATION
-$INCLUDE clients.conf
-
-# THREAD POOL CONFIGURATION
-thread pool {
-  start_servers = 5
-  max_servers = 32
-  min_spare_servers = 3
-  max_spare_servers = 10
-  max_requests_per_server = 0
-}
-
-# MODULE CONFIGURATION
-modules {
-  $INCLUDE ${confdir}/modules/
-  $INCLUDE eap.conf
-  $INCLUDE sql.conf
-  $INCLUDE sql/mysql/counter.conf
-}
-
-# Instantiation
-instantiate {
-  exec
-  expr
-  expiration
-  logintime
-}
-
-# Policies
-$INCLUDE policy.conf
-
-# Include all enabled virtual hosts
-$INCLUDE sites-enabled/
diff --git a/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/alice/etc/raddb/sites-available/default b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/alice/etc/raddb/sites-available/default
deleted file mode 100644
index 802fcfd8d..000000000
--- a/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/alice/etc/raddb/sites-available/default
+++ /dev/null
@@ -1,44 +0,0 @@
-authorize {
-  suffix
-  eap {
-    ok = return
-  }
-  files
-}
-
-authenticate {
-  eap
-}
-
-preacct {
-  preprocess
-  acct_unique
-  suffix
-  files
-}
-
-accounting {
-  detail
-  unix
-  radutmp
-  attr_filter.accounting_response
-}
-
-session {
-  radutmp
-}
-
-post-auth {
-  exec
-  Post-Auth-Type REJECT {
-    attr_filter.access_reject
-  }
-}
-
-pre-proxy {
-}
-
-post-proxy {
-  eap
-}
-
diff --git a/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/alice/etc/raddb/users b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/alice/etc/raddb/users
deleted file mode 100644
index 4fb07b912..000000000
--- a/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/alice/etc/raddb/users
+++ /dev/null
@@ -1 +0,0 @@
-carol	Cleartext-Password := "4iChxLT3"
diff --git a/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/moon/etc/init.d/iptables b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/moon/etc/init.d/iptables
deleted file mode 100755
index 56587b2e8..000000000
--- a/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/moon/etc/init.d/iptables
+++ /dev/null
@@ -1,84 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# enable IP forwarding
-	echo 1 > /proc/sys/net/ipv4/ip_forward
-	
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	# allow esp
-	iptables -A INPUT  -i eth0 -p 50 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-	# allow IKE
-	iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
-	# allow MobIKE
-	iptables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-	# allow crl fetch from winnetou
-	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
-	# allow RADIUS protocol with alice
-	iptables -A INPUT  -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT
-	iptables -A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/moon/etc/iptables.rules b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/moon/etc/iptables.rules
new file mode 100644
index 000000000..1eb755354
--- /dev/null
+++ b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/moon/etc/iptables.rules
@@ -0,0 +1,32 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow esp
+-A INPUT  -i eth0 -p 50 -j ACCEPT
+-A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+# allow IKE
+-A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT  -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+# allow RADIUS protocol with alice
+-A INPUT  -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT
+-A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/ikev1/xauth-rsa-eap-md5-radius/posttest.dat b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/posttest.dat
index 920d6a20d..181949fb5 100644
--- a/testing/tests/ikev1/xauth-rsa-eap-md5-radius/posttest.dat
+++ b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/posttest.dat
@@ -1,5 +1,5 @@
 moon::ipsec stop
 carol::ipsec stop
-alice::/etc/init.d/radiusd stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
+alice::killall radiusd
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev1/xauth-rsa-eap-md5-radius/pretest.dat b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/pretest.dat
index 280d62e3c..9adc43d3e 100644
--- a/testing/tests/ikev1/xauth-rsa-eap-md5-radius/pretest.dat
+++ b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/pretest.dat
@@ -1,6 +1,6 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-alice::/etc/init.d/radiusd start 
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+alice::radiusd
 moon::ipsec start
 carol::ipsec start
 carol::sleep 1
diff --git a/testing/tests/ikev1/xauth-rsa-eap-md5-radius/test.conf b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/test.conf
index e0d77b583..eb1e15dd2 100644
--- a/testing/tests/ikev1/xauth-rsa-eap-md5-radius/test.conf
+++ b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/test.conf
@@ -1,26 +1,26 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice carol moon"
+VIRTHOSTS="alice carol moon"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
 
-# UML instances on which FreeRadius is started
+# Guest instances on which FreeRadius is started
 #
 RADIUSHOSTS="alice"
 
diff --git a/testing/tests/ikev1/xauth-rsa/evaltest.dat b/testing/tests/ikev1/xauth-rsa/evaltest.dat
index 988a6c541..c6637cbfe 100644
--- a/testing/tests/ikev1/xauth-rsa/evaltest.dat
+++ b/testing/tests/ikev1/xauth-rsa/evaltest.dat
@@ -8,8 +8,8 @@ moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
 moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
 moon:: cat /var/log/daemon.log::XAuth authentication of.*carol@strongswan.org.*successful::YES
 moon:: cat /var/log/daemon.log::XAuth authentication of.*dave@strongswan.org.*successful::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
 moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev1/xauth-rsa/posttest.dat b/testing/tests/ikev1/xauth-rsa/posttest.dat
index 7cebd7f25..1865a1c60 100644
--- a/testing/tests/ikev1/xauth-rsa/posttest.dat
+++ b/testing/tests/ikev1/xauth-rsa/posttest.dat
@@ -1,6 +1,6 @@
 moon::ipsec stop
 carol::ipsec stop
 dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev1/xauth-rsa/pretest.dat b/testing/tests/ikev1/xauth-rsa/pretest.dat
index 78e2d57f8..e5a06d44c 100644
--- a/testing/tests/ikev1/xauth-rsa/pretest.dat
+++ b/testing/tests/ikev1/xauth-rsa/pretest.dat
@@ -1,6 +1,6 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
diff --git a/testing/tests/ikev1/xauth-rsa/test.conf b/testing/tests/ikev1/xauth-rsa/test.conf
index 70416826e..f29298850 100644
--- a/testing/tests/ikev1/xauth-rsa/test.conf
+++ b/testing/tests/ikev1/xauth-rsa/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev2/after-2038-certs/evaltest.dat b/testing/tests/ikev2/after-2038-certs/evaltest.dat
index 3efaa5a98..427aa74da 100644
--- a/testing/tests/ikev2/after-2038-certs/evaltest.dat
+++ b/testing/tests/ikev2/after-2038-certs/evaltest.dat
@@ -2,7 +2,7 @@ moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@st
 carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
 moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
 carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
 
diff --git a/testing/tests/ikev2/after-2038-certs/posttest.dat b/testing/tests/ikev2/after-2038-certs/posttest.dat
index 94a400606..046d4cfdc 100644
--- a/testing/tests/ikev2/after-2038-certs/posttest.dat
+++ b/testing/tests/ikev2/after-2038-certs/posttest.dat
@@ -1,4 +1,4 @@
 moon::ipsec stop
 carol::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/after-2038-certs/pretest.dat b/testing/tests/ikev2/after-2038-certs/pretest.dat
index 4921d5097..baacc1605 100644
--- a/testing/tests/ikev2/after-2038-certs/pretest.dat
+++ b/testing/tests/ikev2/after-2038-certs/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 carol::sleep 1
diff --git a/testing/tests/ikev2/after-2038-certs/test.conf b/testing/tests/ikev2/after-2038-certs/test.conf
index 9cd583b16..4a5fc470f 100644
--- a/testing/tests/ikev2/after-2038-certs/test.conf
+++ b/testing/tests/ikev2/after-2038-certs/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou"
+VIRTHOSTS="alice moon carol winnetou"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/alg-3des-md5/evaltest.dat b/testing/tests/ikev2/alg-3des-md5/evaltest.dat
index a553ff168..abd29e97e 100644
--- a/testing/tests/ikev2/alg-3des-md5/evaltest.dat
+++ b/testing/tests/ikev2/alg-3des-md5/evaltest.dat
@@ -4,12 +4,12 @@ moon:: ipsec status 2> /dev/null::rw.*INSTALLED::YES
 carol::ipsec status 2> /dev/null::home.*INSTALLED::YES
 moon:: ipsec statusall 2> /dev/null::rw.*IKE proposal.*3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024::YES
 carol::ipsec statusall 2> /dev/null::home.*IKE proposal.*3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024::YES
-carol::ping -c 1 -s 120 -p deadbeef 10.1.0.10::128 bytes from 10.1.0.10: icmp_seq=1::YES
+carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_req=1::YES
 moon:: ipsec statusall 2> /dev/null::rw.*3DES_CBC/HMAC_MD5_96,::YES
 carol::ipsec statusall 2> /dev/null::home.*3DES_CBC/HMAC_MD5_96,::YES
 moon:: ip xfrm state::enc cbc(des3_ede)::YES
 carol::ip xfrm state::enc cbc(des3_ede)::YES
-moon:: ip xfrm state::auth hmac(md5)::YES
-carol::ip xfrm state::auth hmac(md5)::YES
+moon:: ip xfrm state::auth-trunc hmac(md5)::YES
+carol::ip xfrm state::auth-trunc hmac(md5)::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 180::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 180::YES
diff --git a/testing/tests/ikev2/alg-3des-md5/posttest.dat b/testing/tests/ikev2/alg-3des-md5/posttest.dat
index 94a400606..046d4cfdc 100644
--- a/testing/tests/ikev2/alg-3des-md5/posttest.dat
+++ b/testing/tests/ikev2/alg-3des-md5/posttest.dat
@@ -1,4 +1,4 @@
 moon::ipsec stop
 carol::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/alg-3des-md5/pretest.dat b/testing/tests/ikev2/alg-3des-md5/pretest.dat
index f360351e1..4fc25772b 100644
--- a/testing/tests/ikev2/alg-3des-md5/pretest.dat
+++ b/testing/tests/ikev2/alg-3des-md5/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 carol::sleep 1 
diff --git a/testing/tests/ikev2/alg-3des-md5/test.conf b/testing/tests/ikev2/alg-3des-md5/test.conf
index 9cd583b16..4a5fc470f 100644
--- a/testing/tests/ikev2/alg-3des-md5/test.conf
+++ b/testing/tests/ikev2/alg-3des-md5/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou"
+VIRTHOSTS="alice moon carol winnetou"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/alg-aes-ccm/evaltest.dat b/testing/tests/ikev2/alg-aes-ccm/evaltest.dat
index e2cf773ea..5a14b98d6 100644
--- a/testing/tests/ikev2/alg-aes-ccm/evaltest.dat
+++ b/testing/tests/ikev2/alg-aes-ccm/evaltest.dat
@@ -2,7 +2,7 @@ moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@st
 carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
 moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
 carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_req=1::YES
 moon:: ipsec statusall 2> /dev/null::IKE proposal: AES_CCM_12_128::YES
 carol::ipsec statusall 2> /dev/null::IKE proposal: AES_CCM_12_128::YES
 moon:: ipsec statusall 2> /dev/null::AES_CCM_12_128,::YES
diff --git a/testing/tests/ikev2/alg-aes-ccm/posttest.dat b/testing/tests/ikev2/alg-aes-ccm/posttest.dat
index 94a400606..046d4cfdc 100644
--- a/testing/tests/ikev2/alg-aes-ccm/posttest.dat
+++ b/testing/tests/ikev2/alg-aes-ccm/posttest.dat
@@ -1,4 +1,4 @@
 moon::ipsec stop
 carol::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/alg-aes-ccm/pretest.dat b/testing/tests/ikev2/alg-aes-ccm/pretest.dat
index f360351e1..4fc25772b 100644
--- a/testing/tests/ikev2/alg-aes-ccm/pretest.dat
+++ b/testing/tests/ikev2/alg-aes-ccm/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 carol::sleep 1 
diff --git a/testing/tests/ikev2/alg-aes-ccm/test.conf b/testing/tests/ikev2/alg-aes-ccm/test.conf
index acb73b06f..11423f723 100644
--- a/testing/tests/ikev2/alg-aes-ccm/test.conf
+++ b/testing/tests/ikev2/alg-aes-ccm/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="moon carol winnetou"
+VIRTHOSTS="moon carol winnetou"
 
 # Corresponding block diagram
 #
 DIAGRAM="m-c-w.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/alg-aes-ctr/evaltest.dat b/testing/tests/ikev2/alg-aes-ctr/evaltest.dat
index 177e0ea62..6a5203a2d 100644
--- a/testing/tests/ikev2/alg-aes-ctr/evaltest.dat
+++ b/testing/tests/ikev2/alg-aes-ctr/evaltest.dat
@@ -2,7 +2,7 @@ moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@st
 carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
 moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
 carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_req=1::YES
 moon:: ipsec statusall 2> /dev/null::IKE proposal: AES_CTR_128::YES
 carol::ipsec statusall 2> /dev/null::IKE proposal: AES_CTR_128::YES
 moon:: ipsec statusall 2> /dev/null::AES_CTR_128/AES_XCBC_96,::YES
diff --git a/testing/tests/ikev2/alg-aes-ctr/posttest.dat b/testing/tests/ikev2/alg-aes-ctr/posttest.dat
index 94a400606..046d4cfdc 100644
--- a/testing/tests/ikev2/alg-aes-ctr/posttest.dat
+++ b/testing/tests/ikev2/alg-aes-ctr/posttest.dat
@@ -1,4 +1,4 @@
 moon::ipsec stop
 carol::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/alg-aes-ctr/pretest.dat b/testing/tests/ikev2/alg-aes-ctr/pretest.dat
index f360351e1..4fc25772b 100644
--- a/testing/tests/ikev2/alg-aes-ctr/pretest.dat
+++ b/testing/tests/ikev2/alg-aes-ctr/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 carol::sleep 1 
diff --git a/testing/tests/ikev2/alg-aes-ctr/test.conf b/testing/tests/ikev2/alg-aes-ctr/test.conf
index 9cd583b16..4a5fc470f 100644
--- a/testing/tests/ikev2/alg-aes-ctr/test.conf
+++ b/testing/tests/ikev2/alg-aes-ctr/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou"
+VIRTHOSTS="alice moon carol winnetou"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/alg-aes-gcm/evaltest.dat b/testing/tests/ikev2/alg-aes-gcm/evaltest.dat
index 39f8b1cc4..ce27fcc05 100644
--- a/testing/tests/ikev2/alg-aes-gcm/evaltest.dat
+++ b/testing/tests/ikev2/alg-aes-gcm/evaltest.dat
@@ -2,7 +2,7 @@ moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@st
 carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
 moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
 carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_req=1::YES
 moon:: ipsec statusall 2> /dev/null::IKE proposal: AES_GCM_16_256::YES
 carol::ipsec statusall 2> /dev/null::IKE proposal: AES_GCM_16_256::YES
 moon:: ipsec statusall 2> /dev/null::AES_GCM_16_256,::YES
diff --git a/testing/tests/ikev2/alg-aes-gcm/posttest.dat b/testing/tests/ikev2/alg-aes-gcm/posttest.dat
index 94a400606..046d4cfdc 100644
--- a/testing/tests/ikev2/alg-aes-gcm/posttest.dat
+++ b/testing/tests/ikev2/alg-aes-gcm/posttest.dat
@@ -1,4 +1,4 @@
 moon::ipsec stop
 carol::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/alg-aes-gcm/pretest.dat b/testing/tests/ikev2/alg-aes-gcm/pretest.dat
index f360351e1..4fc25772b 100644
--- a/testing/tests/ikev2/alg-aes-gcm/pretest.dat
+++ b/testing/tests/ikev2/alg-aes-gcm/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 carol::sleep 1 
diff --git a/testing/tests/ikev2/alg-aes-gcm/test.conf b/testing/tests/ikev2/alg-aes-gcm/test.conf
index 9cd583b16..4a5fc470f 100644
--- a/testing/tests/ikev2/alg-aes-gcm/test.conf
+++ b/testing/tests/ikev2/alg-aes-gcm/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou"
+VIRTHOSTS="alice moon carol winnetou"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/alg-aes-xcbc/evaltest.dat b/testing/tests/ikev2/alg-aes-xcbc/evaltest.dat
index 7a9874528..f11018347 100644
--- a/testing/tests/ikev2/alg-aes-xcbc/evaltest.dat
+++ b/testing/tests/ikev2/alg-aes-xcbc/evaltest.dat
@@ -4,11 +4,11 @@ moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
 carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
 moon:: ipsec statusall 2> /dev/null::rw.*IKE proposal.*AES_CBC_128/AES_XCBC_96/PRF_AES128_XCBC/MODP_2048::YES
 carol::ipsec statusall 2> /dev/null::home.*IKE proposal.*AES_CBC_128/AES_XCBC_96/PRF_AES128_XCBC/MODP_2048::YES
-carol::ping -c 1 -s 120 -p deadbeef 10.1.0.10::128 bytes from 10.1.0.10: icmp_seq=1::YES
+carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_req=1::YES
 moon:: ipsec statusall 2> /dev/null::rw.*AES_CBC_128/AES_XCBC_96,::YES
 carol::ipsec statusall 2> /dev/null::home.*AES_CBC_128/AES_XCBC_96,::YES
-moon:: ip xfrm state::auth xcbc(aes)::YES
-carol::ip xfrm state::auth xcbc(aes)::YES
+moon:: ip xfrm state::auth-trunc xcbc(aes)::YES
+carol::ip xfrm state::auth-trunc xcbc(aes)::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 196::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 196::YES
 
diff --git a/testing/tests/ikev2/alg-aes-xcbc/posttest.dat b/testing/tests/ikev2/alg-aes-xcbc/posttest.dat
index 94a400606..046d4cfdc 100644
--- a/testing/tests/ikev2/alg-aes-xcbc/posttest.dat
+++ b/testing/tests/ikev2/alg-aes-xcbc/posttest.dat
@@ -1,4 +1,4 @@
 moon::ipsec stop
 carol::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/alg-aes-xcbc/pretest.dat b/testing/tests/ikev2/alg-aes-xcbc/pretest.dat
index f360351e1..4fc25772b 100644
--- a/testing/tests/ikev2/alg-aes-xcbc/pretest.dat
+++ b/testing/tests/ikev2/alg-aes-xcbc/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 carol::sleep 1 
diff --git a/testing/tests/ikev2/alg-aes-xcbc/test.conf b/testing/tests/ikev2/alg-aes-xcbc/test.conf
index 9cd583b16..4a5fc470f 100644
--- a/testing/tests/ikev2/alg-aes-xcbc/test.conf
+++ b/testing/tests/ikev2/alg-aes-xcbc/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou"
+VIRTHOSTS="alice moon carol winnetou"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/alg-blowfish/evaltest.dat b/testing/tests/ikev2/alg-blowfish/evaltest.dat
index a458f0241..f76522c5c 100644
--- a/testing/tests/ikev2/alg-blowfish/evaltest.dat
+++ b/testing/tests/ikev2/alg-blowfish/evaltest.dat
@@ -4,8 +4,8 @@ moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*caro
 moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
 carol::ipsec statusall 2> /dev/null::IKE proposal: BLOWFISH_CBC_256/HMAC_SHA2_512_256::YES
 dave:: ipsec statusall 2> /dev/null::IKE proposal: BLOWFISH_CBC_128/HMAC_SHA2_256_128::YES
-carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave:: ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave:: ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_req=1::YES
 carol::ipsec statusall 2> /dev/null::BLOWFISH_CBC_192/HMAC_SHA2_256_128,::YES
 dave:: ipsec statusall 2> /dev/null::BLOWFISH_CBC_128/HMAC_SHA1_96,::YES
 carol::ip -s xfrm state::enc cbc(blowfish).*(192 bits)::YES
diff --git a/testing/tests/ikev2/alg-blowfish/posttest.dat b/testing/tests/ikev2/alg-blowfish/posttest.dat
index 7cebd7f25..1865a1c60 100644
--- a/testing/tests/ikev2/alg-blowfish/posttest.dat
+++ b/testing/tests/ikev2/alg-blowfish/posttest.dat
@@ -1,6 +1,6 @@
 moon::ipsec stop
 carol::ipsec stop
 dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/alg-blowfish/pretest.dat b/testing/tests/ikev2/alg-blowfish/pretest.dat
index 42e9d7c24..8bbea1412 100644
--- a/testing/tests/ikev2/alg-blowfish/pretest.dat
+++ b/testing/tests/ikev2/alg-blowfish/pretest.dat
@@ -1,6 +1,6 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
diff --git a/testing/tests/ikev2/alg-blowfish/test.conf b/testing/tests/ikev2/alg-blowfish/test.conf
index 70416826e..f29298850 100644
--- a/testing/tests/ikev2/alg-blowfish/test.conf
+++ b/testing/tests/ikev2/alg-blowfish/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev2/alg-modp-subgroup/evaltest.dat b/testing/tests/ikev2/alg-modp-subgroup/evaltest.dat
index 0acd6d2ce..5e4ab98b3 100644
--- a/testing/tests/ikev2/alg-modp-subgroup/evaltest.dat
+++ b/testing/tests/ikev2/alg-modp-subgroup/evaltest.dat
@@ -10,8 +10,8 @@ carol::cat /var/log/daemon.log::DH group MODP_2048_224.*MODP_1024_160::YES
 dave:: cat /var/log/daemon.log::DH group MODP_2048_224.*MODP_2048_256::YES
 carol::ipsec statusall 2> /dev/null::home.*AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024_160::YES
 dave:: ipsec statusall 2> /dev/null::home.*AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048_256::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
 moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/alg-modp-subgroup/posttest.dat b/testing/tests/ikev2/alg-modp-subgroup/posttest.dat
index 7cebd7f25..1865a1c60 100644
--- a/testing/tests/ikev2/alg-modp-subgroup/posttest.dat
+++ b/testing/tests/ikev2/alg-modp-subgroup/posttest.dat
@@ -1,6 +1,6 @@
 moon::ipsec stop
 carol::ipsec stop
 dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/alg-modp-subgroup/pretest.dat b/testing/tests/ikev2/alg-modp-subgroup/pretest.dat
index 42e9d7c24..8bbea1412 100644
--- a/testing/tests/ikev2/alg-modp-subgroup/pretest.dat
+++ b/testing/tests/ikev2/alg-modp-subgroup/pretest.dat
@@ -1,6 +1,6 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
diff --git a/testing/tests/ikev2/alg-modp-subgroup/test.conf b/testing/tests/ikev2/alg-modp-subgroup/test.conf
index 70416826e..f29298850 100644
--- a/testing/tests/ikev2/alg-modp-subgroup/test.conf
+++ b/testing/tests/ikev2/alg-modp-subgroup/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev2/alg-sha256-96/evaltest.dat b/testing/tests/ikev2/alg-sha256-96/evaltest.dat
index 4bbc82d9b..6c4e23710 100644
--- a/testing/tests/ikev2/alg-sha256-96/evaltest.dat
+++ b/testing/tests/ikev2/alg-sha256-96/evaltest.dat
@@ -6,10 +6,10 @@ moon:: cat /var/log/daemon.log::received strongSwan vendor ID::YES
 carol::cat /var/log/daemon.log::received strongSwan vendor ID::YES
 moon:: ipsec statusall 2> /dev/null::rw.*IKE proposal.*AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048::YES
 carol::ipsec statusall 2> /dev/null::home.*IKE proposal.*AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048::YES
-carol::ping -c 1 -s 120 -p deadbeef 10.1.0.10::128 bytes from 10.1.0.10: icmp_seq=1::YES
+carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_req=1::YES
 moon:: ipsec statusall 2> /dev/null::rw.*AES_CBC_128/HMAC_SHA2_256_96,::YES
 carol::ipsec statusall 2> /dev/null::home.*AES_CBC_128/HMAC_SHA2_256_96,::YES
-moon:: ip xfrm state::auth hmac(sha256)::YES
-carol::ip xfrm state::auth hmac(sha256)::YES
+moon:: ip xfrm state::auth-trunc hmac(sha256)::YES
+carol::ip xfrm state::auth-trunc hmac(sha256)::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 196::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 196::YES
diff --git a/testing/tests/ikev2/alg-sha256-96/posttest.dat b/testing/tests/ikev2/alg-sha256-96/posttest.dat
index 94a400606..046d4cfdc 100644
--- a/testing/tests/ikev2/alg-sha256-96/posttest.dat
+++ b/testing/tests/ikev2/alg-sha256-96/posttest.dat
@@ -1,4 +1,4 @@
 moon::ipsec stop
 carol::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/alg-sha256-96/pretest.dat b/testing/tests/ikev2/alg-sha256-96/pretest.dat
index f360351e1..4fc25772b 100644
--- a/testing/tests/ikev2/alg-sha256-96/pretest.dat
+++ b/testing/tests/ikev2/alg-sha256-96/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 carol::sleep 1 
diff --git a/testing/tests/ikev2/alg-sha256-96/test.conf b/testing/tests/ikev2/alg-sha256-96/test.conf
index 9cd583b16..4a5fc470f 100644
--- a/testing/tests/ikev2/alg-sha256-96/test.conf
+++ b/testing/tests/ikev2/alg-sha256-96/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou"
+VIRTHOSTS="alice moon carol winnetou"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/alg-sha256/evaltest.dat b/testing/tests/ikev2/alg-sha256/evaltest.dat
index 7b5640af8..eba856742 100644
--- a/testing/tests/ikev2/alg-sha256/evaltest.dat
+++ b/testing/tests/ikev2/alg-sha256/evaltest.dat
@@ -4,10 +4,10 @@ moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
 carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
 moon:: ipsec statusall 2> /dev/null::rw.*IKE proposal.*AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048::YES
 carol::ipsec statusall 2> /dev/null::home.*IKE proposal.*AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048::YES
-carol::ping -c 1 -s 120 -p deadbeef 10.1.0.10::128 bytes from 10.1.0.10: icmp_seq=1::YES
+carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_req=1::YES
 moon:: ipsec statusall 2> /dev/null::rw.*AES_CBC_128/HMAC_SHA2_256_128,::YES
 carol::ipsec statusall 2> /dev/null::home.*AES_CBC_128/HMAC_SHA2_256_128,::YES
-moon:: ip xfrm state::auth hmac(sha256)::YES
-carol::ip xfrm state::auth hmac(sha256)::YES
+moon:: ip xfrm state::auth-trunc hmac(sha256)::YES
+carol::ip xfrm state::auth-trunc hmac(sha256)::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 200::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 200::YES
diff --git a/testing/tests/ikev2/alg-sha256/posttest.dat b/testing/tests/ikev2/alg-sha256/posttest.dat
index 94a400606..046d4cfdc 100644
--- a/testing/tests/ikev2/alg-sha256/posttest.dat
+++ b/testing/tests/ikev2/alg-sha256/posttest.dat
@@ -1,4 +1,4 @@
 moon::ipsec stop
 carol::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/alg-sha256/pretest.dat b/testing/tests/ikev2/alg-sha256/pretest.dat
index f360351e1..4fc25772b 100644
--- a/testing/tests/ikev2/alg-sha256/pretest.dat
+++ b/testing/tests/ikev2/alg-sha256/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 carol::sleep 1 
diff --git a/testing/tests/ikev2/alg-sha256/test.conf b/testing/tests/ikev2/alg-sha256/test.conf
index 9cd583b16..4a5fc470f 100644
--- a/testing/tests/ikev2/alg-sha256/test.conf
+++ b/testing/tests/ikev2/alg-sha256/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou"
+VIRTHOSTS="alice moon carol winnetou"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/alg-sha384/evaltest.dat b/testing/tests/ikev2/alg-sha384/evaltest.dat
index 21b3d5a4f..3b24217c5 100644
--- a/testing/tests/ikev2/alg-sha384/evaltest.dat
+++ b/testing/tests/ikev2/alg-sha384/evaltest.dat
@@ -4,10 +4,10 @@ moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
 carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
 moon:: ipsec statusall 2> /dev/null::rw.*IKE proposal.*AES_CBC_192/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_3072::YES
 carol::ipsec statusall 2> /dev/null::home.*IKE proposal.*AES_CBC_192/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_3072::YES
-carol::ping -c 1 -s 120 -p deadbeef 10.1.0.10::128 bytes from 10.1.0.10: icmp_seq=1::YES
+carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_req=1::YES
 moon:: ipsec statusall 2> /dev/null::rw.*AES_CBC_192/HMAC_SHA2_384_192,::YES
 carol::ipsec statusall 2> /dev/null::home.*AES_CBC_192/HMAC_SHA2_384_192,::YES
-moon:: ip xfrm state::auth hmac(sha384)::YES
-carol::ip xfrm state::auth hmac(sha384)::YES
+moon:: ip xfrm state::auth-trunc hmac(sha384)::YES
+carol::ip xfrm state::auth-trunc hmac(sha384)::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 208::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 208::YES
diff --git a/testing/tests/ikev2/alg-sha384/posttest.dat b/testing/tests/ikev2/alg-sha384/posttest.dat
index 94a400606..046d4cfdc 100644
--- a/testing/tests/ikev2/alg-sha384/posttest.dat
+++ b/testing/tests/ikev2/alg-sha384/posttest.dat
@@ -1,4 +1,4 @@
 moon::ipsec stop
 carol::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/alg-sha384/pretest.dat b/testing/tests/ikev2/alg-sha384/pretest.dat
index f360351e1..4fc25772b 100644
--- a/testing/tests/ikev2/alg-sha384/pretest.dat
+++ b/testing/tests/ikev2/alg-sha384/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 carol::sleep 1 
diff --git a/testing/tests/ikev2/alg-sha384/test.conf b/testing/tests/ikev2/alg-sha384/test.conf
index 9cd583b16..4a5fc470f 100644
--- a/testing/tests/ikev2/alg-sha384/test.conf
+++ b/testing/tests/ikev2/alg-sha384/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou"
+VIRTHOSTS="alice moon carol winnetou"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/alg-sha512/evaltest.dat b/testing/tests/ikev2/alg-sha512/evaltest.dat
index 7b94d2182..6bdceeb44 100644
--- a/testing/tests/ikev2/alg-sha512/evaltest.dat
+++ b/testing/tests/ikev2/alg-sha512/evaltest.dat
@@ -4,10 +4,10 @@ moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
 carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
 moon:: ipsec statusall 2> /dev/null::rw.*IKE proposal.*AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_4096::YES
 carol::ipsec statusall 2> /dev/null::home.*IKE proposal.*AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_4096::YES
-carol::ping -c 1 -s 120 -p deadbeef 10.1.0.10::128 bytes from 10.1.0.10: icmp_seq=1::YES
+carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_req=1::YES
 moon:: ipsec statusall 2> /dev/null::rw.*AES_CBC_256/HMAC_SHA2_512_256,::YES
 carol::ipsec statusall 2> /dev/null::home.*AES_CBC_256/HMAC_SHA2_512_256,::YES
-moon:: ip xfrm state::auth hmac(sha512)::YES
-carol::ip xfrm state::auth hmac(sha512)::YES
+moon:: ip xfrm state::auth-trunc hmac(sha512)::YES
+carol::ip xfrm state::auth-trunc hmac(sha512)::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 216::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 216::YES
diff --git a/testing/tests/ikev2/alg-sha512/posttest.dat b/testing/tests/ikev2/alg-sha512/posttest.dat
index 94a400606..046d4cfdc 100644
--- a/testing/tests/ikev2/alg-sha512/posttest.dat
+++ b/testing/tests/ikev2/alg-sha512/posttest.dat
@@ -1,4 +1,4 @@
 moon::ipsec stop
 carol::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/alg-sha512/pretest.dat b/testing/tests/ikev2/alg-sha512/pretest.dat
index f360351e1..4fc25772b 100644
--- a/testing/tests/ikev2/alg-sha512/pretest.dat
+++ b/testing/tests/ikev2/alg-sha512/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 carol::sleep 1 
diff --git a/testing/tests/ikev2/alg-sha512/test.conf b/testing/tests/ikev2/alg-sha512/test.conf
index 9cd583b16..4a5fc470f 100644
--- a/testing/tests/ikev2/alg-sha512/test.conf
+++ b/testing/tests/ikev2/alg-sha512/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou"
+VIRTHOSTS="alice moon carol winnetou"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/any-interface/pretest.dat b/testing/tests/ikev2/any-interface/pretest.dat
index b8e91194e..0a6ce8be4 100644
--- a/testing/tests/ikev2/any-interface/pretest.dat
+++ b/testing/tests/ikev2/any-interface/pretest.dat
@@ -1,5 +1,3 @@
-moon::echo 1 > /proc/sys/net/ipv4/ip_forward
-sun::echo 1 > /proc/sys/net/ipv4/ip_forward
 winnetou::ip route add 10.1.0.0/16 via PH_IP_MOON
 winnetou::ip route add 10.2.0.0/16 via PH_IP_SUN
 alice::ipsec start
diff --git a/testing/tests/ikev2/any-interface/test.conf b/testing/tests/ikev2/any-interface/test.conf
index 25e5cd872..cc04d45e6 100644
--- a/testing/tests/ikev2/any-interface/test.conf
+++ b/testing/tests/ikev2/any-interface/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon winnetou sun bob"
+VIRTHOSTS="alice moon winnetou sun bob"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-w-s-b.png"
  
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="alice sun bob"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="alice moon sun bob"
diff --git a/testing/tests/ikev2/compress/pretest.dat b/testing/tests/ikev2/compress/pretest.dat
index 7d077c126..f5aa989fe 100644
--- a/testing/tests/ikev2/compress/pretest.dat
+++ b/testing/tests/ikev2/compress/pretest.dat
@@ -1,4 +1,3 @@
-moon::echo 1 > /proc/sys/net/ipv4/ip_forward
 carol::ipsec start
 moon::ipsec start
 carol::sleep 2
diff --git a/testing/tests/ikev2/compress/test.conf b/testing/tests/ikev2/compress/test.conf
index 6abbb89a9..d7b71426c 100644
--- a/testing/tests/ikev2/compress/test.conf
+++ b/testing/tests/ikev2/compress/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou"
+VIRTHOSTS="alice moon carol winnetou"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/config-payload-swapped/evaltest.dat b/testing/tests/ikev2/config-payload-swapped/evaltest.dat
index 3c41a596c..b6a1c96a6 100644
--- a/testing/tests/ikev2/config-payload-swapped/evaltest.dat
+++ b/testing/tests/ikev2/config-payload-swapped/evaltest.dat
@@ -3,13 +3,13 @@ carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
 carol::cat /var/log/daemon.log::installing new virtual IP PH_IP_CAROL1::YES
 carol::ip addr list dev eth0::PH_IP_CAROL1::YES
 carol::ip route list table 220::10.1.0.0/16.*src PH_IP_CAROL1::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
 dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
 dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
 dave:: cat /var/log/daemon.log::installing new virtual IP PH_IP_DAVE1::YES
 dave:: ip addr list dev eth0::PH_IP_DAVE1::YES
 dave:: ip route list table 220::10.1.0.0/16.*src PH_IP_DAVE1::YES
-dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
 moon:: ipsec status 2> /dev/null::rw-carol.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
 moon:: ipsec status 2> /dev/null::rw-dave.*ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
 moon:: ipsec status 2> /dev/null::rw-carol.*INSTALLED, TUNNEL::YES
diff --git a/testing/tests/ikev2/config-payload-swapped/posttest.dat b/testing/tests/ikev2/config-payload-swapped/posttest.dat
index 7cebd7f25..1865a1c60 100644
--- a/testing/tests/ikev2/config-payload-swapped/posttest.dat
+++ b/testing/tests/ikev2/config-payload-swapped/posttest.dat
@@ -1,6 +1,6 @@
 moon::ipsec stop
 carol::ipsec stop
 dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/config-payload-swapped/pretest.dat b/testing/tests/ikev2/config-payload-swapped/pretest.dat
index 014e80517..3864bdac3 100644
--- a/testing/tests/ikev2/config-payload-swapped/pretest.dat
+++ b/testing/tests/ikev2/config-payload-swapped/pretest.dat
@@ -1,6 +1,6 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
 carol::ipsec start
 dave::ipsec start
 moon::ipsec start
diff --git a/testing/tests/ikev2/config-payload-swapped/test.conf b/testing/tests/ikev2/config-payload-swapped/test.conf
index 1a8f2a4e0..164b07ff9 100644
--- a/testing/tests/ikev2/config-payload-swapped/test.conf
+++ b/testing/tests/ikev2/config-payload-swapped/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon alice"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev2/config-payload/evaltest.dat b/testing/tests/ikev2/config-payload/evaltest.dat
index a429e9b32..b46dfddf6 100644
--- a/testing/tests/ikev2/config-payload/evaltest.dat
+++ b/testing/tests/ikev2/config-payload/evaltest.dat
@@ -5,13 +5,13 @@ carol::ip addr list dev eth0::PH_IP_CAROL1::YES
 carol::ip route list table 220::10.1.0.0/16.*src PH_IP_CAROL1::YES
 carol::cat /etc/resolv.conf::nameserver PH_IP_WINNETOU .*from moon.strongswan.org::YES
 carol::cat /etc/resolv.conf::nameserver PH_IP_VENUS .*from moon.strongswan.org::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
 dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
 dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
 dave:: cat /var/log/daemon.log::installing new virtual IP PH_IP_DAVE1::YES
 dave:: ip addr list dev eth0::PH_IP_DAVE1::YES
 dave:: ip route list table 220::10.1.0.0/16.*src PH_IP_DAVE1::YES
-dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
 moon:: ipsec status 2> /dev/null::rw-carol.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
 moon:: ipsec status 2> /dev/null::rw-dave.*ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
 moon:: ipsec status 2> /dev/null::rw-carol.*INSTALLED, TUNNEL::YES
diff --git a/testing/tests/ikev2/config-payload/posttest.dat b/testing/tests/ikev2/config-payload/posttest.dat
index 7cebd7f25..1865a1c60 100644
--- a/testing/tests/ikev2/config-payload/posttest.dat
+++ b/testing/tests/ikev2/config-payload/posttest.dat
@@ -1,6 +1,6 @@
 moon::ipsec stop
 carol::ipsec stop
 dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/config-payload/pretest.dat b/testing/tests/ikev2/config-payload/pretest.dat
index 014e80517..3864bdac3 100644
--- a/testing/tests/ikev2/config-payload/pretest.dat
+++ b/testing/tests/ikev2/config-payload/pretest.dat
@@ -1,6 +1,6 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
 carol::ipsec start
 dave::ipsec start
 moon::ipsec start
diff --git a/testing/tests/ikev2/config-payload/test.conf b/testing/tests/ikev2/config-payload/test.conf
index 1a8f2a4e0..164b07ff9 100644
--- a/testing/tests/ikev2/config-payload/test.conf
+++ b/testing/tests/ikev2/config-payload/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon alice"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev2/critical-extension/posttest.dat b/testing/tests/ikev2/critical-extension/posttest.dat
index a4c96e10f..837738fc6 100644
--- a/testing/tests/ikev2/critical-extension/posttest.dat
+++ b/testing/tests/ikev2/critical-extension/posttest.dat
@@ -1,5 +1,5 @@
 moon::ipsec stop
 sun::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-sun::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
 
diff --git a/testing/tests/ikev2/critical-extension/pretest.dat b/testing/tests/ikev2/critical-extension/pretest.dat
index 2d7a78acb..c724e5df8 100644
--- a/testing/tests/ikev2/critical-extension/pretest.dat
+++ b/testing/tests/ikev2/critical-extension/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-sun::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 sun::ipsec start
 moon::sleep 1 
diff --git a/testing/tests/ikev2/critical-extension/test.conf b/testing/tests/ikev2/critical-extension/test.conf
index 41ee3037e..b286ef6eb 100644
--- a/testing/tests/ikev2/critical-extension/test.conf
+++ b/testing/tests/ikev2/critical-extension/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon winnetou sun bob"
+VIRTHOSTS="alice moon winnetou sun bob"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-w-s-b.png"
  
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS=""
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon sun"
diff --git a/testing/tests/ikev2/crl-from-cache/test.conf b/testing/tests/ikev2/crl-from-cache/test.conf
index 2b240d895..892f51cd9 100644
--- a/testing/tests/ikev2/crl-from-cache/test.conf
+++ b/testing/tests/ikev2/crl-from-cache/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="moon carol winnetou"
+VIRTHOSTS="moon carol winnetou"
 
 # Corresponding block diagram
 #
 DIAGRAM="m-c-w.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS=""
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/crl-ldap/hosts/carol/etc/init.d/iptables b/testing/tests/ikev2/crl-ldap/hosts/carol/etc/init.d/iptables
deleted file mode 100755
index 999d0d183..000000000
--- a/testing/tests/ikev2/crl-ldap/hosts/carol/etc/init.d/iptables
+++ /dev/null
@@ -1,77 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	# allow esp
-	iptables -A INPUT  -i eth0 -p 50 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-	# allow IKE
-	iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
-	# allow MobIKE
-	iptables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-	# allow ldap crl fetch from winnetou
-	iptables -A INPUT  -i eth0 -p tcp --sport 389 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p tcp --dport 389 -d PH_IP_WINNETOU -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/ikev2/crl-ldap/hosts/carol/etc/iptables.rules b/testing/tests/ikev2/crl-ldap/hosts/carol/etc/iptables.rules
new file mode 100644
index 000000000..debcc2181
--- /dev/null
+++ b/testing/tests/ikev2/crl-ldap/hosts/carol/etc/iptables.rules
@@ -0,0 +1,28 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow esp
+-A INPUT  -i eth0 -p 50 -j ACCEPT
+-A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+# allow IKE
+-A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT  -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow ldap crl fetch from winnetou
+-A INPUT  -i eth0 -p tcp --sport 389 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 389 -d PH_IP_WINNETOU -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/ikev2/crl-ldap/hosts/moon/etc/init.d/iptables b/testing/tests/ikev2/crl-ldap/hosts/moon/etc/init.d/iptables
deleted file mode 100755
index 4f4f3228b..000000000
--- a/testing/tests/ikev2/crl-ldap/hosts/moon/etc/init.d/iptables
+++ /dev/null
@@ -1,80 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# enable IP forwarding
-	echo 1 > /proc/sys/net/ipv4/ip_forward
-	
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	# allow esp
-	iptables -A INPUT  -i eth0 -p 50 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-	# allow IKE
-	iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
-	# allow MobIKE
-	iptables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-	# allow ldap crl fetch from winnetou
-	iptables -A INPUT  -i eth0 -p tcp --sport 389 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p tcp --dport 389 -d PH_IP_WINNETOU -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/ikev2/crl-ldap/hosts/moon/etc/iptables.rules b/testing/tests/ikev2/crl-ldap/hosts/moon/etc/iptables.rules
new file mode 100644
index 000000000..debcc2181
--- /dev/null
+++ b/testing/tests/ikev2/crl-ldap/hosts/moon/etc/iptables.rules
@@ -0,0 +1,28 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow esp
+-A INPUT  -i eth0 -p 50 -j ACCEPT
+-A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+# allow IKE
+-A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT  -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow ldap crl fetch from winnetou
+-A INPUT  -i eth0 -p tcp --sport 389 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 389 -d PH_IP_WINNETOU -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/ikev2/crl-ldap/posttest.dat b/testing/tests/ikev2/crl-ldap/posttest.dat
index bddd87424..8474bd3aa 100644
--- a/testing/tests/ikev2/crl-ldap/posttest.dat
+++ b/testing/tests/ikev2/crl-ldap/posttest.dat
@@ -1,7 +1,7 @@
 moon::ipsec stop
 carol::ipsec stop
 winnetou::/etc/init.d/slapd stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
 moon::rm /etc/ipsec.d/crls/*
 carol::rm /etc/ipsec.d/crls/*
diff --git a/testing/tests/ikev2/crl-ldap/pretest.dat b/testing/tests/ikev2/crl-ldap/pretest.dat
index 64fa8116b..8ffa9d3ed 100644
--- a/testing/tests/ikev2/crl-ldap/pretest.dat
+++ b/testing/tests/ikev2/crl-ldap/pretest.dat
@@ -1,6 +1,6 @@
 winnetou::/etc/init.d/slapd start
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 carol::sleep 2
diff --git a/testing/tests/ikev2/crl-ldap/test.conf b/testing/tests/ikev2/crl-ldap/test.conf
index 2b240d895..892f51cd9 100644
--- a/testing/tests/ikev2/crl-ldap/test.conf
+++ b/testing/tests/ikev2/crl-ldap/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="moon carol winnetou"
+VIRTHOSTS="moon carol winnetou"
 
 # Corresponding block diagram
 #
 DIAGRAM="m-c-w.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS=""
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/crl-revoked/test.conf b/testing/tests/ikev2/crl-revoked/test.conf
index 2b240d895..892f51cd9 100644
--- a/testing/tests/ikev2/crl-revoked/test.conf
+++ b/testing/tests/ikev2/crl-revoked/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="moon carol winnetou"
+VIRTHOSTS="moon carol winnetou"
 
 # Corresponding block diagram
 #
 DIAGRAM="m-c-w.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS=""
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/crl-to-cache/test.conf b/testing/tests/ikev2/crl-to-cache/test.conf
index 2b240d895..892f51cd9 100644
--- a/testing/tests/ikev2/crl-to-cache/test.conf
+++ b/testing/tests/ikev2/crl-to-cache/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="moon carol winnetou"
+VIRTHOSTS="moon carol winnetou"
 
 # Corresponding block diagram
 #
 DIAGRAM="m-c-w.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS=""
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/default-keys/description.txt b/testing/tests/ikev2/default-keys/description.txt
index 639e909da..889f8297a 100644
--- a/testing/tests/ikev2/default-keys/description.txt
+++ b/testing/tests/ikev2/default-keys/description.txt
@@ -1,8 +1,8 @@
 Because of the missing <b>/etc/ipsec.secrets</b> file, roadwarrior <b>carol</b>
 and gateway <b>moon</b> each automatically generate a PKCS#1 RSA private key
-and a self-signed X.509 certificate. Because the UML testing environment does
-not offer enough entropy, the non-blocking /dev/urandom device is used in place
-of /dev/random for generating the random primes.
+and a self-signed X.509 certificate. Because the virtual testing environment
+does not offer enough entropy, the non-blocking /dev/urandom device is used in
+place of /dev/random for generating the random primes.
 <p>
 The self-signed certificates are then distributed to the peers via scp
 and are used to set up a road warrior connection initiated by <b>carol</b> 
diff --git a/testing/tests/ikev2/default-keys/evaltest.dat b/testing/tests/ikev2/default-keys/evaltest.dat
index 1c206fff0..4df2d1e11 100644
--- a/testing/tests/ikev2/default-keys/evaltest.dat
+++ b/testing/tests/ikev2/default-keys/evaltest.dat
@@ -4,6 +4,6 @@ carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*CN=carol.*CN=moon::YES
 moon:: ipsec status 2> /dev/null::carol.*ESTABLISHED.*CN=moon.*CN=carol::YES
 carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
 moon:: ipsec status 2> /dev/null::carol.*INSTALLED, TUNNEL::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/default-keys/hosts/moon/etc/init.d/iptables b/testing/tests/ikev2/default-keys/hosts/moon/etc/init.d/iptables
deleted file mode 100755
index 5a262c084..000000000
--- a/testing/tests/ikev2/default-keys/hosts/moon/etc/init.d/iptables
+++ /dev/null
@@ -1,82 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# enable IP forwarding
-	echo 1 > /proc/sys/net/ipv4/ip_forward
-	
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	# allow esp
-	iptables -A INPUT  -i eth0 -p 50 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-	# allow IKE
-	iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
-	# allow MobIKE
-	iptables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-	# allow crl fetch from winnetou
-	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A INPUT  -p tcp --sport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --dport 22 -j ACCEPT
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/ikev2/default-keys/hosts/moon/etc/iptables.rules b/testing/tests/ikev2/default-keys/hosts/moon/etc/iptables.rules
new file mode 100644
index 000000000..72a1c17c3
--- /dev/null
+++ b/testing/tests/ikev2/default-keys/hosts/moon/etc/iptables.rules
@@ -0,0 +1,30 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow esp
+-A INPUT  -i eth0 -p 50 -j ACCEPT
+-A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+# allow IKE
+-A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT  -p tcp --sport 22 -j ACCEPT
+-A INPUT  -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+-A OUTPUT -p tcp --dport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/ikev2/default-keys/posttest.dat b/testing/tests/ikev2/default-keys/posttest.dat
index 8cada5e7e..25f737ecc 100644
--- a/testing/tests/ikev2/default-keys/posttest.dat
+++ b/testing/tests/ikev2/default-keys/posttest.dat
@@ -1,7 +1,7 @@
 moon::ipsec stop
 carol::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
 carol::rm /etc/ipsec.d/private/*
 carol::rm /etc/ipsec.d/certs/*
 moon::rm /etc/ipsec.d/private/*
diff --git a/testing/tests/ikev2/default-keys/pretest.dat b/testing/tests/ikev2/default-keys/pretest.dat
index 88f9a2ca9..ef5f67097 100644
--- a/testing/tests/ikev2/default-keys/pretest.dat
+++ b/testing/tests/ikev2/default-keys/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
 carol::rm /etc/ipsec.secrets
 carol::rm /etc/ipsec.d/private/*
 carol::rm /etc/ipsec.d/certs/*
@@ -10,9 +10,10 @@ moon::rm /etc/ipsec.d/private/*
 moon::rm /etc/ipsec.d/certs/*
 moon::rm /etc/ipsec.d/cacerts/*
 moon::ipsec start
-moon::sleep 5 
+moon::sleep 5
 moon::scp /etc/ipsec.d/certs/selfCert.der carol:/etc/ipsec.d/certs/peerCert.der
 moon::scp carol:/etc/ipsec.d/certs/selfCert.der /etc/ipsec.d/certs/peerCert.der
-moon::ipsec reload 
-carol::ipsec reload 
+moon::ipsec reload
+carol::ipsec reload
+carol::sleep 1
 carol::ipsec up home
diff --git a/testing/tests/ikev2/default-keys/test.conf b/testing/tests/ikev2/default-keys/test.conf
index 0baa48d90..ce84ce41a 100644
--- a/testing/tests/ikev2/default-keys/test.conf
+++ b/testing/tests/ikev2/default-keys/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol"
+VIRTHOSTS="alice moon carol"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/dhcp-dynamic/evaltest.dat b/testing/tests/ikev2/dhcp-dynamic/evaltest.dat
index 4b0ddace7..9e536870e 100644
--- a/testing/tests/ikev2/dhcp-dynamic/evaltest.dat
+++ b/testing/tests/ikev2/dhcp-dynamic/evaltest.dat
@@ -1,11 +1,11 @@
 carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
 carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-alice::ping -c 1 10.1.0.50::64 bytes from 10.1.0.50: icmp_seq=1::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+alice::ping -c 1 10.1.0.50::64 bytes from 10.1.0.50: icmp_req=1::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
 dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
 dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-alice::ping -c 1 10.1.0.51::64 bytes from 10.1.0.51: icmp_seq=1::YES
-dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+alice::ping -c 1 10.1.0.51::64 bytes from 10.1.0.51: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
 moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
 moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
 moon:: ipsec status 2> /dev/null::rw[{]1}.*10.1.0.0/16 === 10.1.0.50/32::YES
@@ -14,12 +14,12 @@ moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
 moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
-alice::tcpdump::arp reply carol3.strongswan.org is-at fe:fd:0a:01:00:01::YES
+alice::tcpdump::ARP, Reply carol3.strongswan.org is-at 52:54:00:43:e3:35::YES
 alice::tcpdump::IP alice.strongswan.org > carol3.strongswan.org: ICMP echo request::YES
 alice::tcpdump::IP carol3.strongswan.org > alice.strongswan.org: ICMP echo reply::YES
 alice::tcpdump::IP carol3.strongswan.org > alice.strongswan.org: ICMP echo request::YES
 alice::tcpdump::IP alice.strongswan.org > carol3.strongswan.org: ICMP echo reply::YES
-alice::tcpdump::arp reply dave3.strongswan.org is-at fe:fd:0a:01:00:01::YES
+alice::tcpdump::ARP, Reply dave3.strongswan.org is-at 52:54:00:43:e3:35::YES
 alice::tcpdump::IP alice.strongswan.org > dave3.strongswan.org: ICMP echo request::YES
 alice::tcpdump::IP dave3.strongswan.org > alice.strongswan.org: ICMP echo reply::YES
 alice::tcpdump::IP dave3.strongswan.org > alice.strongswan.org: ICMP echo request::YES
diff --git a/testing/tests/ikev2/dhcp-dynamic/hosts/moon/etc/init.d/iptables b/testing/tests/ikev2/dhcp-dynamic/hosts/moon/etc/init.d/iptables
deleted file mode 100755
index 058bebb2d..000000000
--- a/testing/tests/ikev2/dhcp-dynamic/hosts/moon/etc/init.d/iptables
+++ /dev/null
@@ -1,91 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# enable IP forwarding
-	echo 1 > /proc/sys/net/ipv4/ip_forward
-	
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	# allow bootpc and bootps
-	iptables -A OUTPUT -p udp --sport bootpc --dport bootps -j ACCEPT
-	iptables -A INPUT  -p udp --sport bootps --dport bootps -j ACCEPT
-
-	# allow broadcasts from eth1
-	iptables -A INPUT -i eth1 -d 10.1.255.255 -j ACCEPT
-
-	# allow esp
-	iptables -A INPUT  -i eth0 -p 50 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-	# allow IKE
-	iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
-	# allow MobIKE
-	iptables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-	# allow crl fetch from winnetou
-	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-        # log dropped packets
-        iptables -A INPUT  -j LOG --log-prefix " IN: "
-        iptables -A OUTPUT -j LOG --log-prefix " OUT: "
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/ikev2/dhcp-dynamic/hosts/moon/etc/iptables.rules b/testing/tests/ikev2/dhcp-dynamic/hosts/moon/etc/iptables.rules
new file mode 100644
index 000000000..2d9a466b0
--- /dev/null
+++ b/testing/tests/ikev2/dhcp-dynamic/hosts/moon/etc/iptables.rules
@@ -0,0 +1,39 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow bootpc and bootps
+-A OUTPUT -p udp --sport bootpc --dport bootps -j ACCEPT
+-A INPUT  -p udp --sport bootps --dport bootps -j ACCEPT
+
+# allow broadcasts from eth1
+-A INPUT -i eth1 -d 10.1.255.255 -j ACCEPT
+
+# allow esp
+-A INPUT  -i eth0 -p 50 -j ACCEPT
+-A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+# allow IKE
+-A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT  -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+# log dropped packets
+-A INPUT  -j LOG --log-prefix " IN: "
+-A OUTPUT -j LOG --log-prefix " OUT: "
+
+COMMIT
diff --git a/testing/tests/ikev2/dhcp-dynamic/hosts/venus/etc/dhcp/dhcpd.conf b/testing/tests/ikev2/dhcp-dynamic/hosts/venus/etc/dhcp/dhcpd.conf
new file mode 100644
index 000000000..7a178505f
--- /dev/null
+++ b/testing/tests/ikev2/dhcp-dynamic/hosts/venus/etc/dhcp/dhcpd.conf
@@ -0,0 +1,14 @@
+# dhcpd configuration file
+
+ddns-update-style none;
+
+subnet 10.1.0.0 netmask 255.255.0.0 {
+  option domain-name          "strongswan.org";
+  option domain-name-servers   PH_IP_VENUS;
+  option netbios-name-servers  PH_IP_ALICE;
+  option routers               PH_IP_MOON1;
+  option broadcast-address     10.1.255.255;
+  next-server                  PH_IP_VENUS;
+
+  range 10.1.0.50 10.1.0.60;
+}
diff --git a/testing/tests/ikev2/dhcp-dynamic/hosts/venus/etc/dhcpd.conf b/testing/tests/ikev2/dhcp-dynamic/hosts/venus/etc/dhcpd.conf
deleted file mode 100644
index 2176af702..000000000
--- a/testing/tests/ikev2/dhcp-dynamic/hosts/venus/etc/dhcpd.conf
+++ /dev/null
@@ -1,14 +0,0 @@
-# dhcpd configuration file
-
-ddns-update-style none;
-
-subnet 10.1.0.0 netmask 255.255.0.0 {
-  option domain-name          "strongswan.org";
-  option domain-name-servers   10.1.0.20;
-  option netbios-name-servers  10.1.0.10;
-  option routers               10.1.0.1;
-  option broadcast-address     10.1.255.255;
-  next-server                  10.1.0.20;
-
-  range 10.1.0.50 10.1.0.60;
-}
diff --git a/testing/tests/ikev2/dhcp-dynamic/hosts/venus/etc/dnsmasq.conf b/testing/tests/ikev2/dhcp-dynamic/hosts/venus/etc/dnsmasq.conf
index 2d35dfd64..ec8c945a7 100644
--- a/testing/tests/ikev2/dhcp-dynamic/hosts/venus/etc/dnsmasq.conf
+++ b/testing/tests/ikev2/dhcp-dynamic/hosts/venus/etc/dnsmasq.conf
@@ -1,7 +1,7 @@
 interface=eth0
 dhcp-range=10.1.0.50,10.1.0.60,255.255.0.0,10.1.255.255
-dhcp-option=option:router,10.1.0.1
-dhcp-option=option:dns-server,10.1.0.20
-dhcp-option=option:netbios-ns,10.1.0.10
+dhcp-option=option:router,PH_IP_MOON1
+dhcp-option=option:dns-server,PH_IP_VENUS
+dhcp-option=option:netbios-ns,PH_IP_ALICE
 dhcp-option=option:domain-name,strongswan.org
 log-dhcp
diff --git a/testing/tests/ikev2/dhcp-dynamic/hosts/venus/etc/init.d/dhcpd b/testing/tests/ikev2/dhcp-dynamic/hosts/venus/etc/init.d/dhcpd
deleted file mode 100755
index 4044dcc35..000000000
--- a/testing/tests/ikev2/dhcp-dynamic/hosts/venus/etc/init.d/dhcpd
+++ /dev/null
@@ -1,24 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop"
-
-depend() {
-	need net
-	need logger
-}
-
-start() {
-	ebegin "Starting DHCP server"
-	start-stop-daemon --start --quiet --exec /usr/sbin/dhcpd
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping DHCP server"
-	start-stop-daemon --stop --quiet --pidfile /var/run/dhcpd.pid
-	rm -f /var/state/dhcp/dhcpd.leases
-	touch /var/state/dhcp/dhcpd.leases
-	eend $?
-}
diff --git a/testing/tests/ikev2/dhcp-dynamic/posttest.dat b/testing/tests/ikev2/dhcp-dynamic/posttest.dat
index 1f5487596..f783127bf 100644
--- a/testing/tests/ikev2/dhcp-dynamic/posttest.dat
+++ b/testing/tests/ikev2/dhcp-dynamic/posttest.dat
@@ -2,9 +2,9 @@ moon::ipsec stop
 carol::ipsec stop
 dave::ipsec stop
 venus::cat /var/state/dhcp/dhcpd.leases
-venus::/etc/init.d/dhcpd stop 2> /dev/null
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+venus::/etc/init.d/isc-dhcp-server stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
 alice::arp -d 10.1.0.50
 alice::arp -d 10.1.0.51
diff --git a/testing/tests/ikev2/dhcp-dynamic/pretest.dat b/testing/tests/ikev2/dhcp-dynamic/pretest.dat
index bd36b4fe3..5670a2e89 100644
--- a/testing/tests/ikev2/dhcp-dynamic/pretest.dat
+++ b/testing/tests/ikev2/dhcp-dynamic/pretest.dat
@@ -1,12 +1,12 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
-venus::cat /etc/dhcpd.conf
-venus::/etc/init.d/dhcpd start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
+venus::cat /etc/dhcp/dhcpd.conf
+venus::/etc/init.d/isc-dhcp-server start 2> /dev/null
 carol::ipsec start
 dave::ipsec start
 moon::ipsec start
-carol::sleep 2 
+carol::sleep 2
 carol::ipsec up home
 dave::ipsec up home
 carol::sleep 1
diff --git a/testing/tests/ikev2/dhcp-dynamic/test.conf b/testing/tests/ikev2/dhcp-dynamic/test.conf
index a2ad7b25f..fd8a59c90 100644
--- a/testing/tests/ikev2/dhcp-dynamic/test.conf
+++ b/testing/tests/ikev2/dhcp-dynamic/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice venus moon carol winnetou dave"
+VIRTHOSTS="alice venus moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-v-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon alice"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev2/dhcp-static-client-id/evaltest.dat b/testing/tests/ikev2/dhcp-static-client-id/evaltest.dat
index 830094c7a..c95b69a11 100644
--- a/testing/tests/ikev2/dhcp-static-client-id/evaltest.dat
+++ b/testing/tests/ikev2/dhcp-static-client-id/evaltest.dat
@@ -1,11 +1,11 @@
 carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
 carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-alice::ping -c 1 10.1.0.30::64 bytes from 10.1.0.30: icmp_seq=1::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+alice::ping -c 1 10.1.0.30::64 bytes from 10.1.0.30: icmp_req=1::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
 dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
 dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-alice::ping -c 1 10.1.0.40::64 bytes from 10.1.0.40: icmp_seq=1::YES
-dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+alice::ping -c 1 10.1.0.40::64 bytes from 10.1.0.40: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
 moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
 moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
 moon:: ipsec status 2> /dev/null::rw[{]1}.*10.1.0.0/16 === 10.1.0.30/32::YES
@@ -14,12 +14,12 @@ moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
 moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
-alice::tcpdump::arp reply carol2.strongswan.org is-at fe:fd:0a:01:00:01::YES
+alice::tcpdump::ARP, Reply carol2.strongswan.org is-at 52:54:00:43:e3:35::YES
 alice::tcpdump::IP alice.strongswan.org > carol2.strongswan.org: ICMP echo request::YES
 alice::tcpdump::IP carol2.strongswan.org > alice.strongswan.org: ICMP echo reply::YES
 alice::tcpdump::IP carol2.strongswan.org > alice.strongswan.org: ICMP echo request::YES
 alice::tcpdump::IP alice.strongswan.org > carol2.strongswan.org: ICMP echo reply::YES
-alice::tcpdump::arp reply dave2.strongswan.org is-at fe:fd:0a:01:00:01::YES
+alice::tcpdump::ARP, Reply dave2.strongswan.org is-at 52:54:00:43:e3:35::YES
 alice::tcpdump::IP alice.strongswan.org > dave2.strongswan.org: ICMP echo request::YES
 alice::tcpdump::IP dave2.strongswan.org > alice.strongswan.org: ICMP echo reply::YES
 alice::tcpdump::IP dave2.strongswan.org > alice.strongswan.org: ICMP echo request::YES
diff --git a/testing/tests/ikev2/dhcp-static-client-id/hosts/moon/etc/init.d/iptables b/testing/tests/ikev2/dhcp-static-client-id/hosts/moon/etc/init.d/iptables
deleted file mode 100755
index 058bebb2d..000000000
--- a/testing/tests/ikev2/dhcp-static-client-id/hosts/moon/etc/init.d/iptables
+++ /dev/null
@@ -1,91 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# enable IP forwarding
-	echo 1 > /proc/sys/net/ipv4/ip_forward
-	
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	# allow bootpc and bootps
-	iptables -A OUTPUT -p udp --sport bootpc --dport bootps -j ACCEPT
-	iptables -A INPUT  -p udp --sport bootps --dport bootps -j ACCEPT
-
-	# allow broadcasts from eth1
-	iptables -A INPUT -i eth1 -d 10.1.255.255 -j ACCEPT
-
-	# allow esp
-	iptables -A INPUT  -i eth0 -p 50 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-	# allow IKE
-	iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
-	# allow MobIKE
-	iptables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-	# allow crl fetch from winnetou
-	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-        # log dropped packets
-        iptables -A INPUT  -j LOG --log-prefix " IN: "
-        iptables -A OUTPUT -j LOG --log-prefix " OUT: "
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/ikev2/dhcp-static-client-id/hosts/moon/etc/iptables.rules b/testing/tests/ikev2/dhcp-static-client-id/hosts/moon/etc/iptables.rules
new file mode 100644
index 000000000..2d9a466b0
--- /dev/null
+++ b/testing/tests/ikev2/dhcp-static-client-id/hosts/moon/etc/iptables.rules
@@ -0,0 +1,39 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow bootpc and bootps
+-A OUTPUT -p udp --sport bootpc --dport bootps -j ACCEPT
+-A INPUT  -p udp --sport bootps --dport bootps -j ACCEPT
+
+# allow broadcasts from eth1
+-A INPUT -i eth1 -d 10.1.255.255 -j ACCEPT
+
+# allow esp
+-A INPUT  -i eth0 -p 50 -j ACCEPT
+-A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+# allow IKE
+-A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT  -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+# log dropped packets
+-A INPUT  -j LOG --log-prefix " IN: "
+-A OUTPUT -j LOG --log-prefix " OUT: "
+
+COMMIT
diff --git a/testing/tests/ikev2/dhcp-static-client-id/hosts/venus/etc/dhcp/dhcpd.conf b/testing/tests/ikev2/dhcp-static-client-id/hosts/venus/etc/dhcp/dhcpd.conf
new file mode 100644
index 000000000..334ea30e2
--- /dev/null
+++ b/testing/tests/ikev2/dhcp-static-client-id/hosts/venus/etc/dhcp/dhcpd.conf
@@ -0,0 +1,24 @@
+# dhcpd configuration file
+
+ddns-update-style none;
+
+subnet 10.1.0.0 netmask 255.255.0.0 {
+  option domain-name            "strongswan.org";
+  option domain-name-servers     PH_IP_VENUS;
+  option netbios-name-servers    PH_IP_ALICE;
+  option routers                 PH_IP_MOON1;
+  option broadcast-address       10.1.255.255;
+  next-server                    PH_IP_VENUS;
+
+  range 10.1.0.50 10.1.0.60;
+}
+
+host carol {
+  option dhcp-client-identifier "carol@strongswan.org";
+  fixed-address                  10.1.0.30;
+}
+
+host dave {
+  option dhcp-client-identifier "dave@strongswan.org";
+  fixed-address                  10.1.0.40;
+}
diff --git a/testing/tests/ikev2/dhcp-static-client-id/hosts/venus/etc/dhcpd.conf b/testing/tests/ikev2/dhcp-static-client-id/hosts/venus/etc/dhcpd.conf
deleted file mode 100644
index 44ee681b6..000000000
--- a/testing/tests/ikev2/dhcp-static-client-id/hosts/venus/etc/dhcpd.conf
+++ /dev/null
@@ -1,25 +0,0 @@
-# dhcpd configuration file
-
-ddns-update-style none;
-
-subnet 10.1.0.0 netmask 255.255.0.0 {
-  option domain-name            "strongswan.org";
-  option domain-name-servers     10.1.0.20;
-  option netbios-name-servers    10.1.0.10;
-  option routers                 10.1.0.1;
-  option broadcast-address       10.1.255.255;
-  next-server                    10.1.0.20;
-
-  range 10.1.0.50 10.1.0.60;
-}
-
-host carol {
-  option dhcp-client-identifier "carol@strongswan.org";
-  fixed-address                  10.1.0.30;
-}
-
-host dave {
-  option dhcp-client-identifier "dave@strongswan.org";
-  fixed-address                  10.1.0.40;
-}
-
diff --git a/testing/tests/ikev2/dhcp-static-client-id/hosts/venus/etc/dnsmasq.conf b/testing/tests/ikev2/dhcp-static-client-id/hosts/venus/etc/dnsmasq.conf
index 5672236a0..aca225955 100644
--- a/testing/tests/ikev2/dhcp-static-client-id/hosts/venus/etc/dnsmasq.conf
+++ b/testing/tests/ikev2/dhcp-static-client-id/hosts/venus/etc/dnsmasq.conf
@@ -2,8 +2,8 @@ interface=eth0
 dhcp-range=10.1.0.50,10.1.0.60,255.255.0.0,10.1.255.255
 dhcp-host=id:carol@strongswan.org,10.1.0.30
 dhcp-host=id:dave@strongswan.org,10.1.0.40
-dhcp-option=option:router,10.1.0.1
-dhcp-option=option:dns-server,10.1.0.20
-dhcp-option=option:netbios-ns,10.1.0.10
+dhcp-option=option:router,PH_IP_MOON1
+dhcp-option=option:dns-server,PH_IP_VENUS
+dhcp-option=option:netbios-ns,PH_IP_ALICE
 dhcp-option=option:domain-name,strongswan.org
 log-dhcp
diff --git a/testing/tests/ikev2/dhcp-static-client-id/hosts/venus/etc/init.d/dhcpd b/testing/tests/ikev2/dhcp-static-client-id/hosts/venus/etc/init.d/dhcpd
deleted file mode 100755
index 4044dcc35..000000000
--- a/testing/tests/ikev2/dhcp-static-client-id/hosts/venus/etc/init.d/dhcpd
+++ /dev/null
@@ -1,24 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop"
-
-depend() {
-	need net
-	need logger
-}
-
-start() {
-	ebegin "Starting DHCP server"
-	start-stop-daemon --start --quiet --exec /usr/sbin/dhcpd
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping DHCP server"
-	start-stop-daemon --stop --quiet --pidfile /var/run/dhcpd.pid
-	rm -f /var/state/dhcp/dhcpd.leases
-	touch /var/state/dhcp/dhcpd.leases
-	eend $?
-}
diff --git a/testing/tests/ikev2/dhcp-static-client-id/posttest.dat b/testing/tests/ikev2/dhcp-static-client-id/posttest.dat
index e1aadc618..7fff9981b 100644
--- a/testing/tests/ikev2/dhcp-static-client-id/posttest.dat
+++ b/testing/tests/ikev2/dhcp-static-client-id/posttest.dat
@@ -1,9 +1,9 @@
 moon::ipsec stop
 carol::ipsec stop
 dave::ipsec stop
-venus::/etc/init.d/dhcpd stop 2> /dev/null
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+venus::/etc/init.d/isc-dhcp-server stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
 alice::arp -d 10.1.0.30
 alice::arp -d 10.1.0.40
diff --git a/testing/tests/ikev2/dhcp-static-client-id/pretest.dat b/testing/tests/ikev2/dhcp-static-client-id/pretest.dat
index bd36b4fe3..5670a2e89 100644
--- a/testing/tests/ikev2/dhcp-static-client-id/pretest.dat
+++ b/testing/tests/ikev2/dhcp-static-client-id/pretest.dat
@@ -1,12 +1,12 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
-venus::cat /etc/dhcpd.conf
-venus::/etc/init.d/dhcpd start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
+venus::cat /etc/dhcp/dhcpd.conf
+venus::/etc/init.d/isc-dhcp-server start 2> /dev/null
 carol::ipsec start
 dave::ipsec start
 moon::ipsec start
-carol::sleep 2 
+carol::sleep 2
 carol::ipsec up home
 dave::ipsec up home
 carol::sleep 1
diff --git a/testing/tests/ikev2/dhcp-static-client-id/test.conf b/testing/tests/ikev2/dhcp-static-client-id/test.conf
index a2ad7b25f..fd8a59c90 100644
--- a/testing/tests/ikev2/dhcp-static-client-id/test.conf
+++ b/testing/tests/ikev2/dhcp-static-client-id/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice venus moon carol winnetou dave"
+VIRTHOSTS="alice venus moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-v-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon alice"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev2/dhcp-static-mac/evaltest.dat b/testing/tests/ikev2/dhcp-static-mac/evaltest.dat
index 830094c7a..c95b69a11 100644
--- a/testing/tests/ikev2/dhcp-static-mac/evaltest.dat
+++ b/testing/tests/ikev2/dhcp-static-mac/evaltest.dat
@@ -1,11 +1,11 @@
 carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
 carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-alice::ping -c 1 10.1.0.30::64 bytes from 10.1.0.30: icmp_seq=1::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+alice::ping -c 1 10.1.0.30::64 bytes from 10.1.0.30: icmp_req=1::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
 dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
 dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-alice::ping -c 1 10.1.0.40::64 bytes from 10.1.0.40: icmp_seq=1::YES
-dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+alice::ping -c 1 10.1.0.40::64 bytes from 10.1.0.40: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
 moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
 moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
 moon:: ipsec status 2> /dev/null::rw[{]1}.*10.1.0.0/16 === 10.1.0.30/32::YES
@@ -14,12 +14,12 @@ moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
 moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
-alice::tcpdump::arp reply carol2.strongswan.org is-at fe:fd:0a:01:00:01::YES
+alice::tcpdump::ARP, Reply carol2.strongswan.org is-at 52:54:00:43:e3:35::YES
 alice::tcpdump::IP alice.strongswan.org > carol2.strongswan.org: ICMP echo request::YES
 alice::tcpdump::IP carol2.strongswan.org > alice.strongswan.org: ICMP echo reply::YES
 alice::tcpdump::IP carol2.strongswan.org > alice.strongswan.org: ICMP echo request::YES
 alice::tcpdump::IP alice.strongswan.org > carol2.strongswan.org: ICMP echo reply::YES
-alice::tcpdump::arp reply dave2.strongswan.org is-at fe:fd:0a:01:00:01::YES
+alice::tcpdump::ARP, Reply dave2.strongswan.org is-at 52:54:00:43:e3:35::YES
 alice::tcpdump::IP alice.strongswan.org > dave2.strongswan.org: ICMP echo request::YES
 alice::tcpdump::IP dave2.strongswan.org > alice.strongswan.org: ICMP echo reply::YES
 alice::tcpdump::IP dave2.strongswan.org > alice.strongswan.org: ICMP echo request::YES
diff --git a/testing/tests/ikev2/dhcp-static-mac/hosts/moon/etc/init.d/iptables b/testing/tests/ikev2/dhcp-static-mac/hosts/moon/etc/init.d/iptables
deleted file mode 100755
index 058bebb2d..000000000
--- a/testing/tests/ikev2/dhcp-static-mac/hosts/moon/etc/init.d/iptables
+++ /dev/null
@@ -1,91 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# enable IP forwarding
-	echo 1 > /proc/sys/net/ipv4/ip_forward
-	
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	# allow bootpc and bootps
-	iptables -A OUTPUT -p udp --sport bootpc --dport bootps -j ACCEPT
-	iptables -A INPUT  -p udp --sport bootps --dport bootps -j ACCEPT
-
-	# allow broadcasts from eth1
-	iptables -A INPUT -i eth1 -d 10.1.255.255 -j ACCEPT
-
-	# allow esp
-	iptables -A INPUT  -i eth0 -p 50 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-	# allow IKE
-	iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
-	# allow MobIKE
-	iptables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-	# allow crl fetch from winnetou
-	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-        # log dropped packets
-        iptables -A INPUT  -j LOG --log-prefix " IN: "
-        iptables -A OUTPUT -j LOG --log-prefix " OUT: "
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/ikev2/dhcp-static-mac/hosts/moon/etc/iptables.rules b/testing/tests/ikev2/dhcp-static-mac/hosts/moon/etc/iptables.rules
new file mode 100644
index 000000000..2d9a466b0
--- /dev/null
+++ b/testing/tests/ikev2/dhcp-static-mac/hosts/moon/etc/iptables.rules
@@ -0,0 +1,39 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow bootpc and bootps
+-A OUTPUT -p udp --sport bootpc --dport bootps -j ACCEPT
+-A INPUT  -p udp --sport bootps --dport bootps -j ACCEPT
+
+# allow broadcasts from eth1
+-A INPUT -i eth1 -d 10.1.255.255 -j ACCEPT
+
+# allow esp
+-A INPUT  -i eth0 -p 50 -j ACCEPT
+-A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+# allow IKE
+-A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT  -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+# log dropped packets
+-A INPUT  -j LOG --log-prefix " IN: "
+-A OUTPUT -j LOG --log-prefix " OUT: "
+
+COMMIT
diff --git a/testing/tests/ikev2/dhcp-static-mac/hosts/venus/etc/dhcp/dhcpd.conf b/testing/tests/ikev2/dhcp-static-mac/hosts/venus/etc/dhcp/dhcpd.conf
new file mode 100644
index 000000000..cdade2f2e
--- /dev/null
+++ b/testing/tests/ikev2/dhcp-static-mac/hosts/venus/etc/dhcp/dhcpd.conf
@@ -0,0 +1,24 @@
+# dhcpd configuration file
+
+ddns-update-style none;
+
+subnet 10.1.0.0 netmask 255.255.0.0 {
+  option domain-name          "strongswan.org";
+  option domain-name-servers   PH_IP_VENUS;
+  option netbios-name-servers  PH_IP_ALICE;
+  option routers               PH_IP_MOON1;
+  option broadcast-address     10.1.255.255;
+  next-server                  PH_IP_VENUS;
+
+  range 10.1.0.50 10.1.0.60;
+}
+
+host carol {
+  hardware ethernet            7a:a7:8f:fc:db:3b;
+  fixed-address                10.1.0.30;
+}
+
+host dave {
+  hardware ethernet            7a:a7:35:78:bc:85;
+  fixed-address                10.1.0.40;
+}
diff --git a/testing/tests/ikev2/dhcp-static-mac/hosts/venus/etc/dhcpd.conf b/testing/tests/ikev2/dhcp-static-mac/hosts/venus/etc/dhcpd.conf
deleted file mode 100644
index 20666f701..000000000
--- a/testing/tests/ikev2/dhcp-static-mac/hosts/venus/etc/dhcpd.conf
+++ /dev/null
@@ -1,25 +0,0 @@
-# dhcpd configuration file
-
-ddns-update-style none;
-
-subnet 10.1.0.0 netmask 255.255.0.0 {
-  option domain-name          "strongswan.org";
-  option domain-name-servers   10.1.0.20;
-  option netbios-name-servers  10.1.0.10;
-  option routers               10.1.0.1;
-  option broadcast-address     10.1.255.255;
-  next-server                  10.1.0.20;
-
-  range 10.1.0.50 10.1.0.60;
-}
-
-host carol {
-  hardware ethernet            7a:a7:8f:fc:db:3b;
-  fixed-address                10.1.0.30;
-}
-
-host dave {
-  hardware ethernet            7a:a7:35:78:bc:85;
-  fixed-address                10.1.0.40;
-}
-
diff --git a/testing/tests/ikev2/dhcp-static-mac/hosts/venus/etc/dnsmasq.conf b/testing/tests/ikev2/dhcp-static-mac/hosts/venus/etc/dnsmasq.conf
index e3729081f..61d31a0ba 100644
--- a/testing/tests/ikev2/dhcp-static-mac/hosts/venus/etc/dnsmasq.conf
+++ b/testing/tests/ikev2/dhcp-static-mac/hosts/venus/etc/dnsmasq.conf
@@ -2,8 +2,8 @@ interface=eth0
 dhcp-range=10.1.0.50,10.1.0.60,255.255.0.0,10.1.255.255
 dhcp-host=7a:a7:8f:fc:db:3b,10.1.0.30
 dhcp-host=7a:a7:35:78:bc:85,10.1.0.40
-dhcp-option=option:router,10.1.0.1
-dhcp-option=option:dns-server,10.1.0.20
-dhcp-option=option:netbios-ns,10.1.0.10
+dhcp-option=option:router,PH_IP_MOON1
+dhcp-option=option:dns-server,PH_IP_VENUS
+dhcp-option=option:netbios-ns,PH_IP_ALICE
 dhcp-option=option:domain-name,strongswan.org
 log-dhcp
diff --git a/testing/tests/ikev2/dhcp-static-mac/hosts/venus/etc/init.d/dhcpd b/testing/tests/ikev2/dhcp-static-mac/hosts/venus/etc/init.d/dhcpd
deleted file mode 100755
index 4044dcc35..000000000
--- a/testing/tests/ikev2/dhcp-static-mac/hosts/venus/etc/init.d/dhcpd
+++ /dev/null
@@ -1,24 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop"
-
-depend() {
-	need net
-	need logger
-}
-
-start() {
-	ebegin "Starting DHCP server"
-	start-stop-daemon --start --quiet --exec /usr/sbin/dhcpd
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping DHCP server"
-	start-stop-daemon --stop --quiet --pidfile /var/run/dhcpd.pid
-	rm -f /var/state/dhcp/dhcpd.leases
-	touch /var/state/dhcp/dhcpd.leases
-	eend $?
-}
diff --git a/testing/tests/ikev2/dhcp-static-mac/posttest.dat b/testing/tests/ikev2/dhcp-static-mac/posttest.dat
index e1aadc618..7fff9981b 100644
--- a/testing/tests/ikev2/dhcp-static-mac/posttest.dat
+++ b/testing/tests/ikev2/dhcp-static-mac/posttest.dat
@@ -1,9 +1,9 @@
 moon::ipsec stop
 carol::ipsec stop
 dave::ipsec stop
-venus::/etc/init.d/dhcpd stop 2> /dev/null
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+venus::/etc/init.d/isc-dhcp-server stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
 alice::arp -d 10.1.0.30
 alice::arp -d 10.1.0.40
diff --git a/testing/tests/ikev2/dhcp-static-mac/pretest.dat b/testing/tests/ikev2/dhcp-static-mac/pretest.dat
index bd36b4fe3..5670a2e89 100644
--- a/testing/tests/ikev2/dhcp-static-mac/pretest.dat
+++ b/testing/tests/ikev2/dhcp-static-mac/pretest.dat
@@ -1,12 +1,12 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
-venus::cat /etc/dhcpd.conf
-venus::/etc/init.d/dhcpd start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
+venus::cat /etc/dhcp/dhcpd.conf
+venus::/etc/init.d/isc-dhcp-server start 2> /dev/null
 carol::ipsec start
 dave::ipsec start
 moon::ipsec start
-carol::sleep 2 
+carol::sleep 2
 carol::ipsec up home
 dave::ipsec up home
 carol::sleep 1
diff --git a/testing/tests/ikev2/dhcp-static-mac/test.conf b/testing/tests/ikev2/dhcp-static-mac/test.conf
index a2ad7b25f..fd8a59c90 100644
--- a/testing/tests/ikev2/dhcp-static-mac/test.conf
+++ b/testing/tests/ikev2/dhcp-static-mac/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice venus moon carol winnetou dave"
+VIRTHOSTS="alice venus moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-v-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon alice"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev2/double-nat-net/evaltest.dat b/testing/tests/ikev2/double-nat-net/evaltest.dat
index 05dc82d70..52c561964 100644
--- a/testing/tests/ikev2/double-nat-net/evaltest.dat
+++ b/testing/tests/ikev2/double-nat-net/evaltest.dat
@@ -2,6 +2,6 @@ alice::ipsec status 2> /dev/null::nat-t.*ESTABLISHED.*alice@strongswan.org.*bob@
 bob::  ipsec status 2> /dev/null::nat-t.*ESTABLISHED.*bob@strongswan.org.*alice@strongswan.org::YES
 alice::ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL, ESP in UDP::YES
 bob::  ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL, ESP in UDP::YES
-alice::ping -c 1 PH_IP_SUN1::64 bytes from PH_IP_SUN1: icmp_seq=1::YES
-moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.ipsec-nat-t: UDP::YES
-moon::tcpdump::IP sun.strongswan.org.ipsec-nat-t > moon.strongswan.org.*: UDP::YES
+alice::ping -c 1 PH_IP_SUN1::64 bytes from PH_IP_SUN1: icmp_req=1::YES
+moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.4500: UDP::YES
+moon::tcpdump::IP sun.strongswan.org.4500 > moon.strongswan.org.*: UDP::YES
diff --git a/testing/tests/ikev2/double-nat-net/hosts/bob/etc/iptables.rules b/testing/tests/ikev2/double-nat-net/hosts/bob/etc/iptables.rules
new file mode 100644
index 000000000..ae8f9a61e
--- /dev/null
+++ b/testing/tests/ikev2/double-nat-net/hosts/bob/etc/iptables.rules
@@ -0,0 +1,24 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow IKE
+-A INPUT  -i eth0 -p udp --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT  -i eth0 -p udp --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT  -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/ikev2/double-nat-net/posttest.dat b/testing/tests/ikev2/double-nat-net/posttest.dat
index 484297418..63d4f98e7 100644
--- a/testing/tests/ikev2/double-nat-net/posttest.dat
+++ b/testing/tests/ikev2/double-nat-net/posttest.dat
@@ -1,7 +1,7 @@
 bob::ipsec stop
 alice::ipsec stop
-alice::/etc/init.d/iptables stop 2> /dev/null
-bob::/etc/init.d/iptables stop 2> /dev/null
+alice::iptables-restore < /etc/iptables.flush
+bob::iptables-restore < /etc/iptables.flush
 moon::iptables -t nat -F
 sun::iptables -t nat -F
 moon::conntrack -F
diff --git a/testing/tests/ikev2/double-nat-net/pretest.dat b/testing/tests/ikev2/double-nat-net/pretest.dat
index 41b69aed6..17a4fe5eb 100644
--- a/testing/tests/ikev2/double-nat-net/pretest.dat
+++ b/testing/tests/ikev2/double-nat-net/pretest.dat
@@ -1,8 +1,5 @@
-alice::/etc/init.d/iptables start 2> /dev/null
-bob::/etc/init.d/iptables start 2> /dev/null
-bob::echo 1 > /proc/sys/net/ipv4/ip_forward
-moon::echo 1 > /proc/sys/net/ipv4/ip_forward
-sun::echo 1 > /proc/sys/net/ipv4/ip_forward
+alice::iptables-restore < /etc/iptables.rules
+bob::iptables-restore < /etc/iptables.rules
 moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p udp -j SNAT --to-source PH_IP_MOON:1024-1100
 moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p tcp -j SNAT --to-source PH_IP_MOON:2000-2100
 sun::iptables -t nat -A POSTROUTING -o eth0 -s 10.2.0.0/16 -p tcp -j SNAT --to-source PH_IP_SUN:2000-2100
diff --git a/testing/tests/ikev2/double-nat-net/test.conf b/testing/tests/ikev2/double-nat-net/test.conf
index 1ca2ffe5a..d2e31d257 100644
--- a/testing/tests/ikev2/double-nat-net/test.conf
+++ b/testing/tests/ikev2/double-nat-net/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon winnetou sun bob"
+VIRTHOSTS="alice moon winnetou sun bob"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-w-s-b.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="alice bob"
diff --git a/testing/tests/ikev2/double-nat/evaltest.dat b/testing/tests/ikev2/double-nat/evaltest.dat
index b080482f9..9ddad2de5 100644
--- a/testing/tests/ikev2/double-nat/evaltest.dat
+++ b/testing/tests/ikev2/double-nat/evaltest.dat
@@ -2,6 +2,6 @@ alice::ipsec status 2> /dev/null::nat-t.*ESTABLISHED.*alice@strongswan.org.*bob@
 bob::  ipsec status 2> /dev/null::nat-t.*ESTABLISHED.*bob@strongswan.org.*alice@strongswan.org::YES
 alice::ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL, ESP in UDP::YES
 bob::  ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL, ESP in UDP::YES
-alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
-moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.ipsec-nat-t: UDP::YES
-moon::tcpdump::IP sun.strongswan.org.ipsec-nat-t > moon.strongswan.org.*: UDP::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
+moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.4500: UDP::YES
+moon::tcpdump::IP sun.strongswan.org.4500 > moon.strongswan.org.*: UDP::YES
diff --git a/testing/tests/ikev2/double-nat/hosts/bob/etc/iptables.rules b/testing/tests/ikev2/double-nat/hosts/bob/etc/iptables.rules
new file mode 100644
index 000000000..ae8f9a61e
--- /dev/null
+++ b/testing/tests/ikev2/double-nat/hosts/bob/etc/iptables.rules
@@ -0,0 +1,24 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow IKE
+-A INPUT  -i eth0 -p udp --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT  -i eth0 -p udp --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT  -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/ikev2/double-nat/posttest.dat b/testing/tests/ikev2/double-nat/posttest.dat
index 5d39e406d..aa806bfc9 100644
--- a/testing/tests/ikev2/double-nat/posttest.dat
+++ b/testing/tests/ikev2/double-nat/posttest.dat
@@ -1,7 +1,7 @@
 bob::ipsec stop
 alice::ipsec stop
-alice::/etc/init.d/iptables stop 2> /dev/null
-bob::/etc/init.d/iptables stop 2> /dev/null
+alice::iptables-restore < /etc/iptables.flush
+bob::iptables-restore < /etc/iptables.flush
 moon::iptables -t nat -F
 sun::iptables -t nat -F
 moon::conntrack -F
diff --git a/testing/tests/ikev2/double-nat/pretest.dat b/testing/tests/ikev2/double-nat/pretest.dat
index 10ba6d735..65f18b756 100644
--- a/testing/tests/ikev2/double-nat/pretest.dat
+++ b/testing/tests/ikev2/double-nat/pretest.dat
@@ -1,7 +1,5 @@
-alice::/etc/init.d/iptables start 2> /dev/null
-bob::/etc/init.d/iptables start 2> /dev/null
-moon::echo 1 > /proc/sys/net/ipv4/ip_forward
-sun::echo 1 > /proc/sys/net/ipv4/ip_forward
+alice::iptables-restore < /etc/iptables.rules
+bob::iptables-restore < /etc/iptables.rules
 moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p udp -j SNAT --to-source PH_IP_MOON:1024-1100
 moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p tcp -j SNAT --to-source PH_IP_MOON:2000-2100
 sun::iptables -t nat -A POSTROUTING -o eth0 -s 10.2.0.0/16 -p tcp -j SNAT --to-source PH_IP_SUN:2000-2100
diff --git a/testing/tests/ikev2/double-nat/test.conf b/testing/tests/ikev2/double-nat/test.conf
index 1ca2ffe5a..d2e31d257 100644
--- a/testing/tests/ikev2/double-nat/test.conf
+++ b/testing/tests/ikev2/double-nat/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon winnetou sun bob"
+VIRTHOSTS="alice moon winnetou sun bob"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-w-s-b.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="alice bob"
diff --git a/testing/tests/ikev2/dpd-clear/test.conf b/testing/tests/ikev2/dpd-clear/test.conf
index 2b240d895..892f51cd9 100644
--- a/testing/tests/ikev2/dpd-clear/test.conf
+++ b/testing/tests/ikev2/dpd-clear/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="moon carol winnetou"
+VIRTHOSTS="moon carol winnetou"
 
 # Corresponding block diagram
 #
 DIAGRAM="m-c-w.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS=""
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/dpd-hold/test.conf b/testing/tests/ikev2/dpd-hold/test.conf
index 5442565f8..f8b62b953 100644
--- a/testing/tests/ikev2/dpd-hold/test.conf
+++ b/testing/tests/ikev2/dpd-hold/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou"
+VIRTHOSTS="alice moon carol winnetou"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS=""
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/dpd-restart/test.conf b/testing/tests/ikev2/dpd-restart/test.conf
index 2b240d895..892f51cd9 100644
--- a/testing/tests/ikev2/dpd-restart/test.conf
+++ b/testing/tests/ikev2/dpd-restart/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="moon carol winnetou"
+VIRTHOSTS="moon carol winnetou"
 
 # Corresponding block diagram
 #
 DIAGRAM="m-c-w.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS=""
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/dynamic-initiator/evaltest.dat b/testing/tests/ikev2/dynamic-initiator/evaltest.dat
index 9d050ecde..3db70be71 100644
--- a/testing/tests/ikev2/dynamic-initiator/evaltest.dat
+++ b/testing/tests/ikev2/dynamic-initiator/evaltest.dat
@@ -5,6 +5,6 @@ dave:: ipsec status 2> /dev/null::moon.*INSTALLED, TUNNEL::YES
 moon:: cat /var/log/auth.log::IKE_SA carol\[1] established.*PH_IP_CAROL::YES
 moon:: cat /var/log/daemon.log::destroying duplicate IKE_SA for.*carol@strongswan.org.*received INITIAL_CONTACT::YES
 moon:: cat /var/log/auth.log::IKE_SA carol\[2] established.*PH_IP_DAVE::YES
-dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
 alice::tcpdump::IP carol1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
 alice::tcpdump::IP alice.strongswan.org > carol1.strongswan.org: ICMP echo reply::YES
diff --git a/testing/tests/ikev2/dynamic-initiator/posttest.dat b/testing/tests/ikev2/dynamic-initiator/posttest.dat
index 4dbf3d4a4..83063a23f 100644
--- a/testing/tests/ikev2/dynamic-initiator/posttest.dat
+++ b/testing/tests/ikev2/dynamic-initiator/posttest.dat
@@ -2,8 +2,8 @@ dave::ipsec stop
 carol::ipsec stop
 dave::sleep 1
 moon::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
 dave::rm /etc/ipsec.d/certs/*
 dave::rm /etc/ipsec.d/private/*
diff --git a/testing/tests/ikev2/dynamic-initiator/pretest.dat b/testing/tests/ikev2/dynamic-initiator/pretest.dat
index 92681011f..3e1cfce77 100644
--- a/testing/tests/ikev2/dynamic-initiator/pretest.dat
+++ b/testing/tests/ikev2/dynamic-initiator/pretest.dat
@@ -1,6 +1,6 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
 carol::ipsec start
 dave::ipsec start
 moon::ipsec start
diff --git a/testing/tests/ikev2/dynamic-initiator/test.conf b/testing/tests/ikev2/dynamic-initiator/test.conf
index 1a8f2a4e0..164b07ff9 100644
--- a/testing/tests/ikev2/dynamic-initiator/test.conf
+++ b/testing/tests/ikev2/dynamic-initiator/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon alice"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev2/dynamic-two-peers/evaltest.dat b/testing/tests/ikev2/dynamic-two-peers/evaltest.dat
index 1d5ff68ec..82d2e7318 100644
--- a/testing/tests/ikev2/dynamic-two-peers/evaltest.dat
+++ b/testing/tests/ikev2/dynamic-two-peers/evaltest.dat
@@ -6,8 +6,8 @@ carol::ipsec status 2> /dev/null::moon.*INSTALLED, TUNNEL::YES
 dave:: ipsec status 2> /dev/null::moon.*INSTALLED, TUNNEL::YES
 moon:: ipsec status 2> /dev/null::carol.*INSTALLED, TUNNEL::YES
 moon:: ipsec status 2> /dev/null::dave.*INSTALLED, TUNNEL::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
 alice::tcpdump::IP carol1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
 alice::tcpdump::IP alice.strongswan.org > carol1.strongswan.org: ICMP echo reply::YES
 alice::tcpdump::IP dave1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
diff --git a/testing/tests/ikev2/dynamic-two-peers/posttest.dat b/testing/tests/ikev2/dynamic-two-peers/posttest.dat
index e120b87db..7b2609846 100644
--- a/testing/tests/ikev2/dynamic-two-peers/posttest.dat
+++ b/testing/tests/ikev2/dynamic-two-peers/posttest.dat
@@ -3,6 +3,6 @@ dave::ipsec stop
 moon::sleep 1
 moon::ipsec stop
 moon::mv /etc/hosts.ori /etc/hosts
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/dynamic-two-peers/pretest.dat b/testing/tests/ikev2/dynamic-two-peers/pretest.dat
index 6596a2527..4bb2a4686 100644
--- a/testing/tests/ikev2/dynamic-two-peers/pretest.dat
+++ b/testing/tests/ikev2/dynamic-two-peers/pretest.dat
@@ -1,8 +1,8 @@
 moon::mv /etc/hosts /etc/hosts.ori
 moon::mv /etc/hosts.stale /etc/hosts
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
 carol::ipsec start
 dave::ipsec start
 moon::ipsec start
diff --git a/testing/tests/ikev2/dynamic-two-peers/test.conf b/testing/tests/ikev2/dynamic-two-peers/test.conf
index 1a8f2a4e0..164b07ff9 100644
--- a/testing/tests/ikev2/dynamic-two-peers/test.conf
+++ b/testing/tests/ikev2/dynamic-two-peers/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon alice"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev2/esp-alg-aes-gmac/evaltest.dat b/testing/tests/ikev2/esp-alg-aes-gmac/evaltest.dat
index 74150fb04..d5d3bc0d3 100644
--- a/testing/tests/ikev2/esp-alg-aes-gmac/evaltest.dat
+++ b/testing/tests/ikev2/esp-alg-aes-gmac/evaltest.dat
@@ -2,7 +2,7 @@ moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@st
 carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
 moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
 carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_req=1::YES
 moon:: ipsec statusall 2> /dev/null::NULL_AES_GMAC_256::YES
 carol::ipsec statusall 2> /dev/null::NULL_AES_GMAC_256::YES
 carol::ip xfrm state::aead rfc4543(gcm(aes))::YES
diff --git a/testing/tests/ikev2/esp-alg-aes-gmac/posttest.dat b/testing/tests/ikev2/esp-alg-aes-gmac/posttest.dat
index 94a400606..046d4cfdc 100644
--- a/testing/tests/ikev2/esp-alg-aes-gmac/posttest.dat
+++ b/testing/tests/ikev2/esp-alg-aes-gmac/posttest.dat
@@ -1,4 +1,4 @@
 moon::ipsec stop
 carol::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/esp-alg-aes-gmac/pretest.dat b/testing/tests/ikev2/esp-alg-aes-gmac/pretest.dat
index f360351e1..4fc25772b 100644
--- a/testing/tests/ikev2/esp-alg-aes-gmac/pretest.dat
+++ b/testing/tests/ikev2/esp-alg-aes-gmac/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 carol::sleep 1 
diff --git a/testing/tests/ikev2/esp-alg-aes-gmac/test.conf b/testing/tests/ikev2/esp-alg-aes-gmac/test.conf
index 9cd583b16..4a5fc470f 100644
--- a/testing/tests/ikev2/esp-alg-aes-gmac/test.conf
+++ b/testing/tests/ikev2/esp-alg-aes-gmac/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou"
+VIRTHOSTS="alice moon carol winnetou"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/esp-alg-md5-128/evaltest.dat b/testing/tests/ikev2/esp-alg-md5-128/evaltest.dat
index a66edc5fe..366539936 100644
--- a/testing/tests/ikev2/esp-alg-md5-128/evaltest.dat
+++ b/testing/tests/ikev2/esp-alg-md5-128/evaltest.dat
@@ -2,10 +2,10 @@ moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@st
 carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
 moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
 carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_req=1::YES
 moon:: ipsec statusall 2> /dev/null::3DES_CBC/HMAC_MD5_128::YES
 carol::ipsec statusall 2> /dev/null::3DES_CBC/HMAC_MD5_128::YES
-moon:: ip xfrm state::auth hmac(md5)::YES
-carol::ip xfrm state::auth hmac(md5)::YES
+moon:: ip xfrm state::auth-trunc hmac(md5)::YES
+carol::ip xfrm state::auth-trunc hmac(md5)::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 184::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 184::YES
diff --git a/testing/tests/ikev2/esp-alg-md5-128/posttest.dat b/testing/tests/ikev2/esp-alg-md5-128/posttest.dat
index 94a400606..046d4cfdc 100644
--- a/testing/tests/ikev2/esp-alg-md5-128/posttest.dat
+++ b/testing/tests/ikev2/esp-alg-md5-128/posttest.dat
@@ -1,4 +1,4 @@
 moon::ipsec stop
 carol::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/esp-alg-md5-128/pretest.dat b/testing/tests/ikev2/esp-alg-md5-128/pretest.dat
index 3c3df0196..886fdf55c 100644
--- a/testing/tests/ikev2/esp-alg-md5-128/pretest.dat
+++ b/testing/tests/ikev2/esp-alg-md5-128/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 carol::sleep 1 
diff --git a/testing/tests/ikev2/esp-alg-md5-128/test.conf b/testing/tests/ikev2/esp-alg-md5-128/test.conf
index 9cd583b16..4a5fc470f 100644
--- a/testing/tests/ikev2/esp-alg-md5-128/test.conf
+++ b/testing/tests/ikev2/esp-alg-md5-128/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou"
+VIRTHOSTS="alice moon carol winnetou"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/esp-alg-null/evaltest.dat b/testing/tests/ikev2/esp-alg-null/evaltest.dat
index 937d85ed2..1b9c6c27e 100644
--- a/testing/tests/ikev2/esp-alg-null/evaltest.dat
+++ b/testing/tests/ikev2/esp-alg-null/evaltest.dat
@@ -2,7 +2,7 @@ moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@st
 carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
 moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
 carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_req=1::YES
 moon:: ipsec statusall 2> /dev/null::NULL/HMAC_SHA1_96::YES
 carol::ipsec statusall 2> /dev/null::NULL/HMAC_SHA1_96::YES
 moon:: ip xfrm state::enc ecb(cipher_null)::YES
diff --git a/testing/tests/ikev2/esp-alg-null/posttest.dat b/testing/tests/ikev2/esp-alg-null/posttest.dat
index 94a400606..046d4cfdc 100644
--- a/testing/tests/ikev2/esp-alg-null/posttest.dat
+++ b/testing/tests/ikev2/esp-alg-null/posttest.dat
@@ -1,4 +1,4 @@
 moon::ipsec stop
 carol::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/esp-alg-null/pretest.dat b/testing/tests/ikev2/esp-alg-null/pretest.dat
index 3c3df0196..886fdf55c 100644
--- a/testing/tests/ikev2/esp-alg-null/pretest.dat
+++ b/testing/tests/ikev2/esp-alg-null/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 carol::sleep 1 
diff --git a/testing/tests/ikev2/esp-alg-null/test.conf b/testing/tests/ikev2/esp-alg-null/test.conf
index 9cd583b16..4a5fc470f 100644
--- a/testing/tests/ikev2/esp-alg-null/test.conf
+++ b/testing/tests/ikev2/esp-alg-null/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou"
+VIRTHOSTS="alice moon carol winnetou"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/esp-alg-sha1-160/evaltest.dat b/testing/tests/ikev2/esp-alg-sha1-160/evaltest.dat
index 52c27cba5..00c353686 100644
--- a/testing/tests/ikev2/esp-alg-sha1-160/evaltest.dat
+++ b/testing/tests/ikev2/esp-alg-sha1-160/evaltest.dat
@@ -2,10 +2,10 @@ moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@st
 carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
 moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
 carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_req=1::YES
 moon:: ipsec statusall 2> /dev/null::AES_CBC_128/HMAC_SHA1_160::YES
 carol::ipsec statusall 2> /dev/null::AES_CBC_128/HMAC_SHA1_160::YES
-moon:: ip xfrm state::auth hmac(sha1)::YES
-carol::ip xfrm state::auth hmac(sha1)::YES
+moon:: ip xfrm state::auth-trunc hmac(sha1)::YES
+carol::ip xfrm state::auth-trunc hmac(sha1)::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 204::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 204::YES
diff --git a/testing/tests/ikev2/esp-alg-sha1-160/posttest.dat b/testing/tests/ikev2/esp-alg-sha1-160/posttest.dat
index 94a400606..046d4cfdc 100644
--- a/testing/tests/ikev2/esp-alg-sha1-160/posttest.dat
+++ b/testing/tests/ikev2/esp-alg-sha1-160/posttest.dat
@@ -1,4 +1,4 @@
 moon::ipsec stop
 carol::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/esp-alg-sha1-160/pretest.dat b/testing/tests/ikev2/esp-alg-sha1-160/pretest.dat
index 3c3df0196..886fdf55c 100644
--- a/testing/tests/ikev2/esp-alg-sha1-160/pretest.dat
+++ b/testing/tests/ikev2/esp-alg-sha1-160/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 carol::sleep 1 
diff --git a/testing/tests/ikev2/esp-alg-sha1-160/test.conf b/testing/tests/ikev2/esp-alg-sha1-160/test.conf
index 9cd583b16..4a5fc470f 100644
--- a/testing/tests/ikev2/esp-alg-sha1-160/test.conf
+++ b/testing/tests/ikev2/esp-alg-sha1-160/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou"
+VIRTHOSTS="alice moon carol winnetou"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/farp/evaltest.dat b/testing/tests/ikev2/farp/evaltest.dat
index 21b10d170..891ec20d5 100644
--- a/testing/tests/ikev2/farp/evaltest.dat
+++ b/testing/tests/ikev2/farp/evaltest.dat
@@ -1,11 +1,11 @@
 carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
 carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-alice::ping -c 1 10.1.0.30::64 bytes from 10.1.0.30: icmp_seq=1::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+alice::ping -c 1 10.1.0.30::64 bytes from 10.1.0.30: icmp_req=1::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
 dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
 dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-alice::ping -c 1 10.1.0.40::64 bytes from 10.1.0.40: icmp_seq=1::YES
-dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+alice::ping -c 1 10.1.0.40::64 bytes from 10.1.0.40: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
 moon:: ipsec status 2> /dev/null::rw-carol.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
 moon:: ipsec status 2> /dev/null::rw-dave.*ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
 moon:: ipsec status 2> /dev/null::rw-carol.*INSTALLED, TUNNEL::YES
@@ -14,12 +14,12 @@ moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
 moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
-alice::tcpdump::arp reply carol2.strongswan.org is-at fe:fd:0a:01:00:01::YES
+alice::tcpdump::ARP, Reply carol2.strongswan.org is-at 52:54:00:43:e3:35::YES
 alice::tcpdump::IP alice.strongswan.org > carol2.strongswan.org: ICMP echo request::YES
 alice::tcpdump::IP carol2.strongswan.org > alice.strongswan.org: ICMP echo reply::YES
 alice::tcpdump::IP carol2.strongswan.org > alice.strongswan.org: ICMP echo request::YES
 alice::tcpdump::IP alice.strongswan.org > carol2.strongswan.org: ICMP echo reply::YES
-alice::tcpdump::arp reply dave2.strongswan.org is-at fe:fd:0a:01:00:01::YES
+alice::tcpdump::ARP, Reply dave2.strongswan.org is-at 52:54:00:43:e3:35::YES
 alice::tcpdump::IP alice.strongswan.org > dave2.strongswan.org: ICMP echo request::YES
 alice::tcpdump::IP dave2.strongswan.org > alice.strongswan.org: ICMP echo reply::YES
 alice::tcpdump::IP dave2.strongswan.org > alice.strongswan.org: ICMP echo request::YES
diff --git a/testing/tests/ikev2/farp/posttest.dat b/testing/tests/ikev2/farp/posttest.dat
index 7cebd7f25..1865a1c60 100644
--- a/testing/tests/ikev2/farp/posttest.dat
+++ b/testing/tests/ikev2/farp/posttest.dat
@@ -1,6 +1,6 @@
 moon::ipsec stop
 carol::ipsec stop
 dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/farp/pretest.dat b/testing/tests/ikev2/farp/pretest.dat
index 709931e1b..f0254da6c 100644
--- a/testing/tests/ikev2/farp/pretest.dat
+++ b/testing/tests/ikev2/farp/pretest.dat
@@ -1,6 +1,6 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
 alice::arp -d 10.1.0.30
 alice::arp -d 10.1.0.40
 carol::ipsec start
diff --git a/testing/tests/ikev2/farp/test.conf b/testing/tests/ikev2/farp/test.conf
index 1a8f2a4e0..164b07ff9 100644
--- a/testing/tests/ikev2/farp/test.conf
+++ b/testing/tests/ikev2/farp/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon alice"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev2/force-udp-encaps/evaltest.dat b/testing/tests/ikev2/force-udp-encaps/evaltest.dat
index d7fe707ab..36af646d2 100644
--- a/testing/tests/ikev2/force-udp-encaps/evaltest.dat
+++ b/testing/tests/ikev2/force-udp-encaps/evaltest.dat
@@ -3,6 +3,6 @@ sun::  ipsec status 2> /dev/null::nat.t.*ESTABLISHED.*sun.strongswan.org.*alice@
 alice::ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL::YES
 sun::  ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL::YES
 alice::cat /var/log/daemon.log::faking NAT situation to enforce UDP encapsulation::YES
-alice:: ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
-moon::tcpdump::IP alice.strongswan.org.* > sun.strongswan.org.ipsec-nat-t: UDP::YES
-moon::tcpdump::IP sun.strongswan.org.ipsec-nat-t > alice.strongswan.org.*: UDP::YES
+alice:: ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
+moon::tcpdump::IP alice.strongswan.org.* > sun.strongswan.org.4500: UDP::YES
+moon::tcpdump::IP sun.strongswan.org.4500 > alice.strongswan.org.*: UDP::YES
diff --git a/testing/tests/ikev2/force-udp-encaps/hosts/sun/etc/init.d/iptables b/testing/tests/ikev2/force-udp-encaps/hosts/sun/etc/init.d/iptables
deleted file mode 100755
index 5bb63f5ac..000000000
--- a/testing/tests/ikev2/force-udp-encaps/hosts/sun/etc/init.d/iptables
+++ /dev/null
@@ -1,76 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# enable IP forwarding
-	echo 1 > /proc/sys/net/ipv4/ip_forward
-	
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	# allow IKE
-	iptables -A INPUT  -i eth0 -p udp --dport 500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --sport 500 -j ACCEPT
-
-        # allow NAT-T 
-	iptables -A INPUT  -i eth0 -p udp --dport 4500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --sport 4500 -j ACCEPT
-
-	# allow crl fetch from winnetou
-	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/ikev2/force-udp-encaps/hosts/sun/etc/iptables.rules b/testing/tests/ikev2/force-udp-encaps/hosts/sun/etc/iptables.rules
new file mode 100644
index 000000000..ae8f9a61e
--- /dev/null
+++ b/testing/tests/ikev2/force-udp-encaps/hosts/sun/etc/iptables.rules
@@ -0,0 +1,24 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow IKE
+-A INPUT  -i eth0 -p udp --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT  -i eth0 -p udp --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT  -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/ikev2/force-udp-encaps/posttest.dat b/testing/tests/ikev2/force-udp-encaps/posttest.dat
index 979f2fcd0..03edb42cb 100644
--- a/testing/tests/ikev2/force-udp-encaps/posttest.dat
+++ b/testing/tests/ikev2/force-udp-encaps/posttest.dat
@@ -1,6 +1,6 @@
 alice::ipsec stop
 sun::ipsec stop
-alice::/etc/init.d/iptables stop 2> /dev/null
-sun::/etc/init.d/iptables stop 2> /dev/null
+alice::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
 sun::ip route del 10.1.0.0/16 via PH_IP_MOON
 winnetou::ip route del 10.1.0.0/16 via PH_IP_MOON
diff --git a/testing/tests/ikev2/force-udp-encaps/pretest.dat b/testing/tests/ikev2/force-udp-encaps/pretest.dat
index 6f00cd387..7be66867a 100644
--- a/testing/tests/ikev2/force-udp-encaps/pretest.dat
+++ b/testing/tests/ikev2/force-udp-encaps/pretest.dat
@@ -1,8 +1,7 @@
-alice::/etc/init.d/iptables start 2> /dev/null
-sun::/etc/init.d/iptables start 2> /dev/null
+alice::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
 sun::ip route add 10.1.0.0/16 via PH_IP_MOON
 winnetou::ip route add 10.1.0.0/16 via PH_IP_MOON
-moon::echo 1 > /proc/sys/net/ipv4/ip_forward
 alice::ipsec start
 sun::ipsec start
 alice::sleep 4
diff --git a/testing/tests/ikev2/force-udp-encaps/test.conf b/testing/tests/ikev2/force-udp-encaps/test.conf
index d84149aaf..42fa97190 100644
--- a/testing/tests/ikev2/force-udp-encaps/test.conf
+++ b/testing/tests/ikev2/force-udp-encaps/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon winnetou sun bob"
+VIRTHOSTS="alice moon winnetou sun bob"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-w-s-b.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="alice sun"
diff --git a/testing/tests/ikev2/host2host-cert/evaltest.dat b/testing/tests/ikev2/host2host-cert/evaltest.dat
index 53e5589ca..3305f4558 100644
--- a/testing/tests/ikev2/host2host-cert/evaltest.dat
+++ b/testing/tests/ikev2/host2host-cert/evaltest.dat
@@ -2,6 +2,6 @@ moon::ipsec status 2> /dev/null::host-host.*ESTABLISHED.*moon.strongswan.org.*su
 sun:: ipsec status 2> /dev/null::host-host.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
 moon::ipsec status 2> /dev/null::host-host.*INSTALLED, TUNNEL::YES
 sun:: ipsec status 2> /dev/null::host-host.*INSTALLED, TUNNEL::YES
-moon::ping -c 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_seq=1::YES
+moon::ping -c 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_req=1::YES
 sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
 sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/host2host-cert/posttest.dat b/testing/tests/ikev2/host2host-cert/posttest.dat
index 5a9150bc8..1f7aa73a1 100644
--- a/testing/tests/ikev2/host2host-cert/posttest.dat
+++ b/testing/tests/ikev2/host2host-cert/posttest.dat
@@ -1,4 +1,4 @@
 moon::ipsec stop
 sun::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-sun::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/host2host-cert/pretest.dat b/testing/tests/ikev2/host2host-cert/pretest.dat
index 1fa70177c..3bce9f6e5 100644
--- a/testing/tests/ikev2/host2host-cert/pretest.dat
+++ b/testing/tests/ikev2/host2host-cert/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-sun::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 sun::ipsec start
 moon::sleep 1 
diff --git a/testing/tests/ikev2/host2host-cert/test.conf b/testing/tests/ikev2/host2host-cert/test.conf
index 305a67316..55d6e9fd6 100644
--- a/testing/tests/ikev2/host2host-cert/test.conf
+++ b/testing/tests/ikev2/host2host-cert/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="moon winnetou sun"
+VIRTHOSTS="moon winnetou sun"
 
 # Corresponding block diagram
 #
 DIAGRAM="m-w-s.png"
  
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="sun"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon sun"
diff --git a/testing/tests/ikev2/host2host-swapped/evaltest.dat b/testing/tests/ikev2/host2host-swapped/evaltest.dat
index 53e5589ca..3305f4558 100644
--- a/testing/tests/ikev2/host2host-swapped/evaltest.dat
+++ b/testing/tests/ikev2/host2host-swapped/evaltest.dat
@@ -2,6 +2,6 @@ moon::ipsec status 2> /dev/null::host-host.*ESTABLISHED.*moon.strongswan.org.*su
 sun:: ipsec status 2> /dev/null::host-host.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
 moon::ipsec status 2> /dev/null::host-host.*INSTALLED, TUNNEL::YES
 sun:: ipsec status 2> /dev/null::host-host.*INSTALLED, TUNNEL::YES
-moon::ping -c 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_seq=1::YES
+moon::ping -c 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_req=1::YES
 sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
 sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/host2host-swapped/posttest.dat b/testing/tests/ikev2/host2host-swapped/posttest.dat
index 5a9150bc8..1f7aa73a1 100644
--- a/testing/tests/ikev2/host2host-swapped/posttest.dat
+++ b/testing/tests/ikev2/host2host-swapped/posttest.dat
@@ -1,4 +1,4 @@
 moon::ipsec stop
 sun::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-sun::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/host2host-swapped/pretest.dat b/testing/tests/ikev2/host2host-swapped/pretest.dat
index 1fa70177c..3bce9f6e5 100644
--- a/testing/tests/ikev2/host2host-swapped/pretest.dat
+++ b/testing/tests/ikev2/host2host-swapped/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-sun::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 sun::ipsec start
 moon::sleep 1 
diff --git a/testing/tests/ikev2/host2host-swapped/test.conf b/testing/tests/ikev2/host2host-swapped/test.conf
index 305a67316..55d6e9fd6 100644
--- a/testing/tests/ikev2/host2host-swapped/test.conf
+++ b/testing/tests/ikev2/host2host-swapped/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="moon winnetou sun"
+VIRTHOSTS="moon winnetou sun"
 
 # Corresponding block diagram
 #
 DIAGRAM="m-w-s.png"
  
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="sun"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon sun"
diff --git a/testing/tests/ikev2/host2host-transport/evaltest.dat b/testing/tests/ikev2/host2host-transport/evaltest.dat
index 3021b5e04..fc49e57d8 100644
--- a/testing/tests/ikev2/host2host-transport/evaltest.dat
+++ b/testing/tests/ikev2/host2host-transport/evaltest.dat
@@ -2,6 +2,6 @@ moon::ipsec status 2> /dev/null::host-host.*ESTABLISHED.*moon.strongswan.org.*su
 sun:: ipsec status 2> /dev/null::host-host.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
 moon::ipsec status 2> /dev/null::host-host.*INSTALLED, TRANSPORT::YES
 sun:: ipsec status 2> /dev/null::host-host.*INSTALLED, TRANSPORT::YES
-moon::ping -c 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_seq=1::YES
+moon::ping -c 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_req=1::YES
 sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
 sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/host2host-transport/posttest.dat b/testing/tests/ikev2/host2host-transport/posttest.dat
index 5a9150bc8..1f7aa73a1 100644
--- a/testing/tests/ikev2/host2host-transport/posttest.dat
+++ b/testing/tests/ikev2/host2host-transport/posttest.dat
@@ -1,4 +1,4 @@
 moon::ipsec stop
 sun::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-sun::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/host2host-transport/pretest.dat b/testing/tests/ikev2/host2host-transport/pretest.dat
index e2d98f2eb..99789b90f 100644
--- a/testing/tests/ikev2/host2host-transport/pretest.dat
+++ b/testing/tests/ikev2/host2host-transport/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-sun::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 sun::ipsec start
 moon::sleep 2
diff --git a/testing/tests/ikev2/host2host-transport/test.conf b/testing/tests/ikev2/host2host-transport/test.conf
index cf2e704fd..5a286c84f 100644
--- a/testing/tests/ikev2/host2host-transport/test.conf
+++ b/testing/tests/ikev2/host2host-transport/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="moon winnetou sun"
+VIRTHOSTS="moon winnetou sun"
  
 # Corresponding block diagram
 #
 DIAGRAM="m-w-s.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="sun"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon sun"
diff --git a/testing/tests/ikev2/inactivity-timeout/evaltest.dat b/testing/tests/ikev2/inactivity-timeout/evaltest.dat
index dceceaef6..221c59318 100644
--- a/testing/tests/ikev2/inactivity-timeout/evaltest.dat
+++ b/testing/tests/ikev2/inactivity-timeout/evaltest.dat
@@ -1,8 +1,8 @@
 moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
 carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_req=1::YES
 carol::sleep 15::NO
 carol::cat /var/log/daemon.log::deleting CHILD_SA after 10 seconds of inactivity::YES
 moon:: ipsec status 2> /dev/null::rw.*INSTALLED::NO
 carol::ipsec status 2> /dev/null::home.*INSTALLED::NO
-carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_seq=1::NO
+carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_req=1::NO
diff --git a/testing/tests/ikev2/inactivity-timeout/posttest.dat b/testing/tests/ikev2/inactivity-timeout/posttest.dat
index 94a400606..6ca9c5b35 100644
--- a/testing/tests/ikev2/inactivity-timeout/posttest.dat
+++ b/testing/tests/ikev2/inactivity-timeout/posttest.dat
@@ -1,4 +1,3 @@
 moon::ipsec stop
 carol::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
+carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/inactivity-timeout/pretest.dat b/testing/tests/ikev2/inactivity-timeout/pretest.dat
index 3c3df0196..b949aaeaf 100644
--- a/testing/tests/ikev2/inactivity-timeout/pretest.dat
+++ b/testing/tests/ikev2/inactivity-timeout/pretest.dat
@@ -1,7 +1,6 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
+carol::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
-carol::sleep 1 
+carol::sleep 1
 carol::ipsec up home
 carol::sleep 1
diff --git a/testing/tests/ikev2/inactivity-timeout/test.conf b/testing/tests/ikev2/inactivity-timeout/test.conf
index acb73b06f..11423f723 100644
--- a/testing/tests/ikev2/inactivity-timeout/test.conf
+++ b/testing/tests/ikev2/inactivity-timeout/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="moon carol winnetou"
+VIRTHOSTS="moon carol winnetou"
 
 # Corresponding block diagram
 #
 DIAGRAM="m-c-w.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/ip-pool-db/evaltest.dat b/testing/tests/ikev2/ip-pool-db/evaltest.dat
index 941cb34c0..42e353084 100644
--- a/testing/tests/ikev2/ip-pool-db/evaltest.dat
+++ b/testing/tests/ikev2/ip-pool-db/evaltest.dat
@@ -6,7 +6,7 @@ carol::ip addr list dev eth0::PH_IP_CAROL1::YES
 carol::ip route list table 220::10.1.0.0/16.*src PH_IP_CAROL1::YES
 carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
 carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
 dave:: cat /var/log/daemon.log::installing new virtual IP PH_IP_DAVE1::YES
 dave:: cat /var/log/daemon.log::installing DNS server PH_IP_WINNETOU::YES
 dave:: cat /var/log/daemon.log::installing DNS server PH_IP_VENUS::YES
@@ -15,7 +15,7 @@ dave:: ip addr list dev eth0::PH_IP_DAVE1::YES
 dave:: ip route list table 220::10.1.0.0/16.*src PH_IP_DAVE1::YES
 dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
 dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
 moon:: cat /var/log/daemon.log::peer requested virtual IP %any::YES
 moon:: cat /var/log/daemon.log::acquired new lease for address.*in pool.*bigpool::YES
 moon:: cat /var/log/daemon.log::assigning virtual IP::YES
diff --git a/testing/tests/ikev2/ip-pool-db/posttest.dat b/testing/tests/ikev2/ip-pool-db/posttest.dat
index 5b88b2163..c99f347e3 100644
--- a/testing/tests/ikev2/ip-pool-db/posttest.dat
+++ b/testing/tests/ikev2/ip-pool-db/posttest.dat
@@ -1,9 +1,9 @@
 carol::ipsec stop
 dave::ipsec stop
 moon::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
 moon::ipsec pool --del bigpool 2> /dev/null
 moon::ipsec pool --del dns 2> /dev/null
 moon::ipsec pool --del nbns 2> /dev/null
diff --git a/testing/tests/ikev2/ip-pool-db/pretest.dat b/testing/tests/ikev2/ip-pool-db/pretest.dat
index 4a2add194..fce551c69 100644
--- a/testing/tests/ikev2/ip-pool-db/pretest.dat
+++ b/testing/tests/ikev2/ip-pool-db/pretest.dat
@@ -4,9 +4,9 @@ moon::ipsec pool --add bigpool --start 10.3.0.1 --end 10.3.3.232 --timeout 0 2>
 moon::ipsec pool --addattr dns  --server PH_IP_WINNETOU 2> /dev/null
 moon::ipsec pool --addattr dns  --server PH_IP_VENUS 2> /dev/null
 moon::ipsec pool --addattr nbns --server PH_IP_VENUS 2> /dev/null
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
 carol::ipsec start
 dave::ipsec start
 moon::ipsec start
diff --git a/testing/tests/ikev2/ip-pool-db/test.conf b/testing/tests/ikev2/ip-pool-db/test.conf
index 1a8f2a4e0..164b07ff9 100644
--- a/testing/tests/ikev2/ip-pool-db/test.conf
+++ b/testing/tests/ikev2/ip-pool-db/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon alice"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev2/ip-pool-wish/evaltest.dat b/testing/tests/ikev2/ip-pool-wish/evaltest.dat
index fd15d5209..44310cd16 100644
--- a/testing/tests/ikev2/ip-pool-wish/evaltest.dat
+++ b/testing/tests/ikev2/ip-pool-wish/evaltest.dat
@@ -3,13 +3,13 @@ carol::ip addr list dev eth0::PH_IP_CAROL1::YES
 carol::ip route list table 220::10.1.0.0/16.*src PH_IP_CAROL1::YES
 carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
 carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
 dave:: cat /var/log/daemon.log::installing new virtual IP PH_IP_DAVE1::YES
 dave:: ip addr list dev eth0::PH_IP_DAVE1::YES
 dave:: ip route list table 220::10.1.0.0/16.*src PH_IP_DAVE1::YES
 dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org.::YES
 dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
 moon:: cat /var/log/daemon.log::adding virtual IP address pool::YES
 moon:: cat /var/log/daemon.log::peer requested virtual IP PH_IP_CAROL1::YES
 moon:: cat /var/log/daemon.log::assigning virtual IP::YES
diff --git a/testing/tests/ikev2/ip-pool-wish/posttest.dat b/testing/tests/ikev2/ip-pool-wish/posttest.dat
index 1777f439f..b757d8b15 100644
--- a/testing/tests/ikev2/ip-pool-wish/posttest.dat
+++ b/testing/tests/ikev2/ip-pool-wish/posttest.dat
@@ -1,6 +1,6 @@
 carol::ipsec stop
 dave::ipsec stop
 moon::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/ip-pool-wish/pretest.dat b/testing/tests/ikev2/ip-pool-wish/pretest.dat
index 1f4ff286a..1466fd2f2 100644
--- a/testing/tests/ikev2/ip-pool-wish/pretest.dat
+++ b/testing/tests/ikev2/ip-pool-wish/pretest.dat
@@ -1,6 +1,6 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
 carol::ipsec start
 dave::ipsec start
 moon::ipsec start
diff --git a/testing/tests/ikev2/ip-pool-wish/test.conf b/testing/tests/ikev2/ip-pool-wish/test.conf
index 1a8f2a4e0..164b07ff9 100644
--- a/testing/tests/ikev2/ip-pool-wish/test.conf
+++ b/testing/tests/ikev2/ip-pool-wish/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon alice"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev2/ip-pool/evaltest.dat b/testing/tests/ikev2/ip-pool/evaltest.dat
index db46646a6..8ea7960b5 100644
--- a/testing/tests/ikev2/ip-pool/evaltest.dat
+++ b/testing/tests/ikev2/ip-pool/evaltest.dat
@@ -3,19 +3,19 @@ carol::ip addr list dev eth0::PH_IP_CAROL1::YES
 carol::ip route list table 220::10.1.0.0/16.*src PH_IP_CAROL1::YES
 carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
 carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
 dave:: cat /var/log/daemon.log::installing new virtual IP PH_IP_DAVE1::YES
 dave:: ip addr list dev eth0::PH_IP_DAVE1::YES
 dave:: ip route list table 220::10.1.0.0/16.*src PH_IP_DAVE1::YES
 dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
 dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
 moon:: cat /var/log/daemon.log::adding virtual IP address pool::YES
 moon:: cat /var/log/daemon.log::peer requested virtual IP %any::YES
 moon:: cat /var/log/daemon.log::assigning virtual IP::YES
 moon:: ipsec leases 10.3.0.0/28 2> /dev/null::2/14, 2 online::YES
-moon:: ipsec leases 10.3.0.0/28 10.3.0.1 2> /dev/null::carol@strongswan.org::YES
-moon:: ipsec leases 10.3.0.0/28 10.3.0.2 2> /dev/null::dave@strongswan.org::YES
+moon:: ipsec leases 10.3.0.0/28 PH_IP_CAROL1 2> /dev/null::carol@strongswan.org::YES
+moon:: ipsec leases 10.3.0.0/28 PH_IP_DAVE1 2> /dev/null::dave@strongswan.org::YES
 moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
 moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
 moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::ESP
diff --git a/testing/tests/ikev2/ip-pool/posttest.dat b/testing/tests/ikev2/ip-pool/posttest.dat
index 1777f439f..b757d8b15 100644
--- a/testing/tests/ikev2/ip-pool/posttest.dat
+++ b/testing/tests/ikev2/ip-pool/posttest.dat
@@ -1,6 +1,6 @@
 carol::ipsec stop
 dave::ipsec stop
 moon::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/ip-pool/pretest.dat b/testing/tests/ikev2/ip-pool/pretest.dat
index 014e80517..3864bdac3 100644
--- a/testing/tests/ikev2/ip-pool/pretest.dat
+++ b/testing/tests/ikev2/ip-pool/pretest.dat
@@ -1,6 +1,6 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
 carol::ipsec start
 dave::ipsec start
 moon::ipsec start
diff --git a/testing/tests/ikev2/ip-pool/test.conf b/testing/tests/ikev2/ip-pool/test.conf
index 1a8f2a4e0..164b07ff9 100644
--- a/testing/tests/ikev2/ip-pool/test.conf
+++ b/testing/tests/ikev2/ip-pool/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon alice"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev2/ip-split-pools-db/test.conf b/testing/tests/ikev2/ip-split-pools-db/test.conf
index 1a8f2a4e0..164b07ff9 100644
--- a/testing/tests/ikev2/ip-split-pools-db/test.conf
+++ b/testing/tests/ikev2/ip-split-pools-db/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon alice"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev2/ip-two-pools-db/evaltest.dat b/testing/tests/ikev2/ip-two-pools-db/evaltest.dat
index fd0413d11..fdc3d4d3f 100644
--- a/testing/tests/ikev2/ip-two-pools-db/evaltest.dat
+++ b/testing/tests/ikev2/ip-two-pools-db/evaltest.dat
@@ -28,10 +28,10 @@ carol::cat /var/log/daemon.log::installing DNS server PH_IP_WINNETOU to /etc/res
 dave:: cat /var/log/daemon.log::installing DNS server PH_IP_WINNETOU to /etc/resolv.conf::YES
 alice::cat /var/log/daemon.log::installing DNS server PH_IP_ALICE to /etc/resolv.conf::YES
 venus::cat /var/log/daemon.log::installing DNS server PH_IP_VENUS to /etc/resolv.conf::YES
-alice::ping -c 1 PH_IP_CAROL1::64 bytes from PH_IP_CAROL1: icmp_seq=1::YES
-dave:: ping -c 1 PH_IP_CAROL1::64 bytes from PH_IP_CAROL1: icmp_seq=1::YES
-alice::ping -c 1 10.4.0.2::64 bytes from 10.4.0.2: icmp_seq=1::YES
-dave:: ping -c 1 10.4.0.2::64 bytes from 10.4.0.2: icmp_seq=1::YES
+alice::ping -c 1 PH_IP_CAROL1::64 bytes from PH_IP_CAROL1: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_CAROL1::64 bytes from PH_IP_CAROL1: icmp_req=1::YES
+alice::ping -c 1 10.4.0.2::64 bytes from 10.4.0.2: icmp_req=1::YES
+dave:: ping -c 1 10.4.0.2::64 bytes from 10.4.0.2: icmp_req=1::YES
 alice::tcpdump::IP alice.strongswan.org > moon1.strongswan.org: ESP::YES
 alice::tcpdump::IP moon1.strongswan.org > alice.strongswan.org: ESP::YES
 dave::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/ip-two-pools-db/hosts/alice/etc/init.d/iptables b/testing/tests/ikev2/ip-two-pools-db/hosts/alice/etc/init.d/iptables
deleted file mode 100755
index 97b773645..000000000
--- a/testing/tests/ikev2/ip-two-pools-db/hosts/alice/etc/init.d/iptables
+++ /dev/null
@@ -1,78 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-        # allow ESP 
-        iptables -A INPUT  -i eth0 -p 50 -j ACCEPT
-        iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-	# allow IKE
-        iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-        iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-			
-	# allow MOBIKE 
-	iptables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-
-	# allow crl fetch from winnetou
-	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/ikev2/ip-two-pools-db/hosts/moon/etc/init.d/iptables b/testing/tests/ikev2/ip-two-pools-db/hosts/moon/etc/init.d/iptables
deleted file mode 100755
index bb9d03acd..000000000
--- a/testing/tests/ikev2/ip-two-pools-db/hosts/moon/etc/init.d/iptables
+++ /dev/null
@@ -1,91 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# enable IP forwarding
-	echo 1 > /proc/sys/net/ipv4/ip_forward
-	
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	# allow esp
-	iptables -A INPUT  -i eth0 -p 50 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-        iptables -A INPUT  -i eth1 -p 50 -j ACCEPT
-        iptables -A OUTPUT -o eth1 -p 50 -j ACCEPT
-
-	# allow IKE
-	iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-        iptables -A INPUT  -i eth1 -p udp --sport 500 --dport 500 -j ACCEPT
-        iptables -A OUTPUT -o eth1 -p udp --dport 500 --sport 500 -j ACCEPT
-
-	# allow MobIKE
-	iptables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-        iptables -A INPUT  -i eth1 -p udp --sport 4500 --dport 4500 -j ACCEPT
-        iptables -A OUTPUT -o eth1 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-	# allow crl fetch from winnetou
-	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-	iptables -A FORWARD -i eth0 -o eth1 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A FORWARD -o eth0 -i eth1 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
-	# masquerade crl fetches to winnetou
-	iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -d PH_IP_WINNETOU -j MASQUERADE
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/ikev2/ip-two-pools-db/hosts/moon/etc/iptables.rules b/testing/tests/ikev2/ip-two-pools-db/hosts/moon/etc/iptables.rules
new file mode 100644
index 000000000..a0ed9f0e6
--- /dev/null
+++ b/testing/tests/ikev2/ip-two-pools-db/hosts/moon/etc/iptables.rules
@@ -0,0 +1,43 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow esp
+-A INPUT  -i eth0 -p 50 -j ACCEPT
+-A OUTPUT -o eth0 -p 50 -j ACCEPT
+-A INPUT  -i eth1 -p 50 -j ACCEPT
+-A OUTPUT -o eth1 -p 50 -j ACCEPT
+
+# allow IKE
+-A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+-A INPUT  -i eth1 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth1 -p udp --dport 500 --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+-A INPUT  -i eth1 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth1 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+-A FORWARD -i eth0 -o eth1 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A FORWARD -o eth0 -i eth1 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+# allow ssh
+-A INPUT  -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+COMMIT
+
+*nat
+
+# masquerade crl fetches to winnetou
+-A POSTROUTING -o eth0 -s 10.1.0.0/16 -d PH_IP_WINNETOU -j MASQUERADE
+
+COMMIT
diff --git a/testing/tests/ikev2/ip-two-pools-db/hosts/venus/etc/init.d/iptables b/testing/tests/ikev2/ip-two-pools-db/hosts/venus/etc/init.d/iptables
deleted file mode 100755
index 97b773645..000000000
--- a/testing/tests/ikev2/ip-two-pools-db/hosts/venus/etc/init.d/iptables
+++ /dev/null
@@ -1,78 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-        # allow ESP 
-        iptables -A INPUT  -i eth0 -p 50 -j ACCEPT
-        iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-	# allow IKE
-        iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-        iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-			
-	# allow MOBIKE 
-	iptables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-
-	# allow crl fetch from winnetou
-	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/ikev2/ip-two-pools-db/posttest.dat b/testing/tests/ikev2/ip-two-pools-db/posttest.dat
index 7b0393ebd..9c0bb5cae 100644
--- a/testing/tests/ikev2/ip-two-pools-db/posttest.dat
+++ b/testing/tests/ikev2/ip-two-pools-db/posttest.dat
@@ -3,11 +3,11 @@ venus::ipsec stop
 carol::ipsec stop
 dave::ipsec stop
 moon::ipsec stop
-alice::/etc/init.d/iptables stop 2> /dev/null
-venus::/etc/init.d/iptables stop 2> /dev/null
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+alice::iptables-restore < /etc/iptables.flush
+venus::iptables-restore < /etc/iptables.flush
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
 moon::ip route del 10.3.0.0/16 via PH_IP_MOON
 moon::ip route del 10.4.0.0/16 via PH_IP_MOON1
 moon::conntrack -F
diff --git a/testing/tests/ikev2/ip-two-pools-db/pretest.dat b/testing/tests/ikev2/ip-two-pools-db/pretest.dat
index e4eb8b0b9..3aba87994 100644
--- a/testing/tests/ikev2/ip-two-pools-db/pretest.dat
+++ b/testing/tests/ikev2/ip-two-pools-db/pretest.dat
@@ -8,11 +8,11 @@ moon::ipsec pool --addattr dns --server PH_IP_WINNETOU --pool extpool 2> /dev/nu
 moon::ipsec pool --statusattr 2> /dev/null
 moon::ip route add 10.3.0.0/16 via PH_IP_MOON
 moon::ip route add 10.4.0.0/16 via PH_IP_MOON1
-alice::/etc/init.d/iptables start 2> /dev/null
-venus::/etc/init.d/iptables start 2> /dev/null
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+alice::iptables-restore < /etc/iptables.rules
+venus::iptables-restore < /etc/iptables.rules
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
 alice::ipsec start
 venus::ipsec start
 carol::ipsec start
diff --git a/testing/tests/ikev2/ip-two-pools-db/test.conf b/testing/tests/ikev2/ip-two-pools-db/test.conf
index ea1307b16..c88e11d28 100644
--- a/testing/tests/ikev2/ip-two-pools-db/test.conf
+++ b/testing/tests/ikev2/ip-two-pools-db/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-v-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="alice venus carol dave"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="alice venus moon carol dave"
diff --git a/testing/tests/ikev2/ip-two-pools-mixed/evaltest.dat b/testing/tests/ikev2/ip-two-pools-mixed/evaltest.dat
index 3b09b32bd..0d7a36452 100644
--- a/testing/tests/ikev2/ip-two-pools-mixed/evaltest.dat
+++ b/testing/tests/ikev2/ip-two-pools-mixed/evaltest.dat
@@ -13,8 +13,8 @@ moon:: ipsec pool --status 2> /dev/null::intpool.*10.4.0.1.*10.4.1.244.*static.*
 moon:: ipsec pool --leases --filter pool=intpool,addr=10.4.0.1,id=alice@strongswan.org 2> /dev/null::online::YES
 carol::cat /var/log/daemon.log::installing new virtual IP 10.3.0.1::YES
 alice::cat /var/log/daemon.log::installing new virtual IP 10.4.0.1::YES
-carol::ping -c 1 PH_IP_MOON::64 bytes from PH_IP_MOON: icmp_seq=1::YES
-alice::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_seq=1::YES
+carol::ping -c 1 PH_IP_MOON::64 bytes from PH_IP_MOON: icmp_req=1::YES
+alice::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_req=1::YES
 carol::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 carol::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
 alice::tcpdump::IP alice.strongswan.org > moon1.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/ip-two-pools-mixed/hosts/alice/etc/init.d/iptables b/testing/tests/ikev2/ip-two-pools-mixed/hosts/alice/etc/init.d/iptables
deleted file mode 100755
index 97b773645..000000000
--- a/testing/tests/ikev2/ip-two-pools-mixed/hosts/alice/etc/init.d/iptables
+++ /dev/null
@@ -1,78 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-        # allow ESP 
-        iptables -A INPUT  -i eth0 -p 50 -j ACCEPT
-        iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-	# allow IKE
-        iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-        iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-			
-	# allow MOBIKE 
-	iptables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-
-	# allow crl fetch from winnetou
-	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/ikev2/ip-two-pools-mixed/hosts/moon/etc/init.d/iptables b/testing/tests/ikev2/ip-two-pools-mixed/hosts/moon/etc/init.d/iptables
deleted file mode 100755
index bb9d03acd..000000000
--- a/testing/tests/ikev2/ip-two-pools-mixed/hosts/moon/etc/init.d/iptables
+++ /dev/null
@@ -1,91 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# enable IP forwarding
-	echo 1 > /proc/sys/net/ipv4/ip_forward
-	
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	# allow esp
-	iptables -A INPUT  -i eth0 -p 50 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-        iptables -A INPUT  -i eth1 -p 50 -j ACCEPT
-        iptables -A OUTPUT -o eth1 -p 50 -j ACCEPT
-
-	# allow IKE
-	iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-        iptables -A INPUT  -i eth1 -p udp --sport 500 --dport 500 -j ACCEPT
-        iptables -A OUTPUT -o eth1 -p udp --dport 500 --sport 500 -j ACCEPT
-
-	# allow MobIKE
-	iptables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-        iptables -A INPUT  -i eth1 -p udp --sport 4500 --dport 4500 -j ACCEPT
-        iptables -A OUTPUT -o eth1 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-	# allow crl fetch from winnetou
-	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-	iptables -A FORWARD -i eth0 -o eth1 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A FORWARD -o eth0 -i eth1 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
-	# masquerade crl fetches to winnetou
-	iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -d PH_IP_WINNETOU -j MASQUERADE
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/ikev2/ip-two-pools-mixed/hosts/moon/etc/iptables.rules b/testing/tests/ikev2/ip-two-pools-mixed/hosts/moon/etc/iptables.rules
new file mode 100644
index 000000000..a0ed9f0e6
--- /dev/null
+++ b/testing/tests/ikev2/ip-two-pools-mixed/hosts/moon/etc/iptables.rules
@@ -0,0 +1,43 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow esp
+-A INPUT  -i eth0 -p 50 -j ACCEPT
+-A OUTPUT -o eth0 -p 50 -j ACCEPT
+-A INPUT  -i eth1 -p 50 -j ACCEPT
+-A OUTPUT -o eth1 -p 50 -j ACCEPT
+
+# allow IKE
+-A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+-A INPUT  -i eth1 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth1 -p udp --dport 500 --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+-A INPUT  -i eth1 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth1 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+-A FORWARD -i eth0 -o eth1 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A FORWARD -o eth0 -i eth1 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+# allow ssh
+-A INPUT  -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+COMMIT
+
+*nat
+
+# masquerade crl fetches to winnetou
+-A POSTROUTING -o eth0 -s 10.1.0.0/16 -d PH_IP_WINNETOU -j MASQUERADE
+
+COMMIT
diff --git a/testing/tests/ikev2/ip-two-pools-mixed/posttest.dat b/testing/tests/ikev2/ip-two-pools-mixed/posttest.dat
index db5e6237f..a3924b2f6 100644
--- a/testing/tests/ikev2/ip-two-pools-mixed/posttest.dat
+++ b/testing/tests/ikev2/ip-two-pools-mixed/posttest.dat
@@ -1,9 +1,9 @@
 carol::ipsec stop
 alice::ipsec stop
 moon::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-alice::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+alice::iptables-restore < /etc/iptables.flush
 moon::conntrack -F
 moon::ipsec pool --del intpool 2> /dev/null
 moon::rm /etc/ipsec.d/ipsec.*
diff --git a/testing/tests/ikev2/ip-two-pools-mixed/pretest.dat b/testing/tests/ikev2/ip-two-pools-mixed/pretest.dat
index b579464f2..b74c1e07a 100644
--- a/testing/tests/ikev2/ip-two-pools-mixed/pretest.dat
+++ b/testing/tests/ikev2/ip-two-pools-mixed/pretest.dat
@@ -1,9 +1,9 @@
 moon::cat /etc/ipsec.d/tables.sql > /etc/ipsec.d/ipsec.sql
 moon::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
 moon::ipsec pool --add intpool --start 10.4.0.1 --end 10.4.1.244 --timeout  0 2> /dev/null
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-alice::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+alice::iptables-restore < /etc/iptables.rules
 carol::ipsec start
 moon::ipsec start
 alice::ipsec start
diff --git a/testing/tests/ikev2/ip-two-pools-mixed/test.conf b/testing/tests/ikev2/ip-two-pools-mixed/test.conf
index 329774c0a..1ed3473ab 100644
--- a/testing/tests/ikev2/ip-two-pools-mixed/test.conf
+++ b/testing/tests/ikev2/ip-two-pools-mixed/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou"
+VIRTHOSTS="alice moon carol winnetou"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="alice carol"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="alice moon carol"
diff --git a/testing/tests/ikev2/ip-two-pools-v4v6/evaltest.dat b/testing/tests/ikev2/ip-two-pools-v4v6/evaltest.dat
index 7a0c1ed6f..0bf3500b5 100644
--- a/testing/tests/ikev2/ip-two-pools-v4v6/evaltest.dat
+++ b/testing/tests/ikev2/ip-two-pools-v4v6/evaltest.dat
@@ -5,5 +5,5 @@ moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
 carol::cat /var/log/daemon.log::installing new virtual IP 10.3.0.1::YES
 carol::cat /var/log/daemon.log::installing new virtual IP fec3:\:1::YES
 carol::cat /var/log/daemon.log::TS 10.3.0.1/32 fec3:\:1/128 === 10.1.0.0/16 fec1:\:/16::YES
-carol::ping -c 1 PH_IP_MOON::64 bytes from PH_IP_MOON: icmp_seq=1::YES
+carol::ping -c 1 PH_IP_MOON::64 bytes from PH_IP_MOON: icmp_req=1::YES
 carol::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES
diff --git a/testing/tests/ikev2/ip-two-pools-v4v6/posttest.dat b/testing/tests/ikev2/ip-two-pools-v4v6/posttest.dat
index fafe030c1..bb20cae05 100644
--- a/testing/tests/ikev2/ip-two-pools-v4v6/posttest.dat
+++ b/testing/tests/ikev2/ip-two-pools-v4v6/posttest.dat
@@ -1,5 +1,4 @@
 alice::ip -6 route del default via fec1:\:1
 carol::ipsec stop
-moon::echo 0 > /proc/sys/net/ipv6/conf/all/forwarding
 moon::ipsec stop
 moon::conntrack -F
diff --git a/testing/tests/ikev2/ip-two-pools-v4v6/pretest.dat b/testing/tests/ikev2/ip-two-pools-v4v6/pretest.dat
index f97ff54b5..04139badf 100644
--- a/testing/tests/ikev2/ip-two-pools-v4v6/pretest.dat
+++ b/testing/tests/ikev2/ip-two-pools-v4v6/pretest.dat
@@ -1,5 +1,4 @@
 alice::ip -6 route add default via fec1:\:1
-moon::echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
 moon::ipsec start
 carol::ipsec start
 carol::sleep 2
diff --git a/testing/tests/ikev2/ip-two-pools-v4v6/test.conf b/testing/tests/ikev2/ip-two-pools-v4v6/test.conf
index c86dd1d66..cd03759f0 100644
--- a/testing/tests/ikev2/ip-two-pools-v4v6/test.conf
+++ b/testing/tests/ikev2/ip-two-pools-v4v6/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou"
+VIRTHOSTS="alice moon carol winnetou"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="carol"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/ip-two-pools/evaltest.dat b/testing/tests/ikev2/ip-two-pools/evaltest.dat
index 5de62e447..fad3781d7 100644
--- a/testing/tests/ikev2/ip-two-pools/evaltest.dat
+++ b/testing/tests/ikev2/ip-two-pools/evaltest.dat
@@ -10,12 +10,12 @@ moon:: cat /var/log/daemon.log::adding virtual IP address pool.*10.4.0.0/28::YES
 moon:: cat /var/log/daemon.log::adding virtual IP address pool.*10.3.0.0/28::YES
 moon:: ipsec leases 10.3.0.0/28 2> /dev/null::1/14, 1 online::YES
 moon:: ipsec leases 10.4.0.0/28 2> /dev/null::1/14, 1 online::YES
-moon:: ipsec leases 10.3.0.0/28 10.3.0.1 2> /dev/null::carol@strongswan.org::YES
+moon:: ipsec leases 10.3.0.0/28 PH_IP_CAROL1 2> /dev/null::carol@strongswan.org::YES
 moon:: ipsec leases 10.4.0.0/28 10.4.0.1 2> /dev/null::alice@strongswan.org::YES
-carol::cat /var/log/daemon.log::installing new virtual IP 10.3.0.1::YES
+carol::cat /var/log/daemon.log::installing new virtual IP PH_IP_CAROL1::YES
 alice::cat /var/log/daemon.log::installing new virtual IP 10.4.0.1::YES
-carol::ping -c 1 PH_IP_MOON::64 bytes from PH_IP_MOON: icmp_seq=1::YES
-alice::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_seq=1::YES
+carol::ping -c 1 PH_IP_MOON::64 bytes from PH_IP_MOON: icmp_req=1::YES
+alice::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_req=1::YES
 carol::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 carol::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
 alice::tcpdump::IP alice.strongswan.org > moon1.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/ip-two-pools/hosts/alice/etc/init.d/iptables b/testing/tests/ikev2/ip-two-pools/hosts/alice/etc/init.d/iptables
deleted file mode 100755
index 97b773645..000000000
--- a/testing/tests/ikev2/ip-two-pools/hosts/alice/etc/init.d/iptables
+++ /dev/null
@@ -1,78 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-        # allow ESP 
-        iptables -A INPUT  -i eth0 -p 50 -j ACCEPT
-        iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-	# allow IKE
-        iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-        iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-			
-	# allow MOBIKE 
-	iptables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-
-	# allow crl fetch from winnetou
-	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/ikev2/ip-two-pools/hosts/moon/etc/init.d/iptables b/testing/tests/ikev2/ip-two-pools/hosts/moon/etc/init.d/iptables
deleted file mode 100755
index bb9d03acd..000000000
--- a/testing/tests/ikev2/ip-two-pools/hosts/moon/etc/init.d/iptables
+++ /dev/null
@@ -1,91 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# enable IP forwarding
-	echo 1 > /proc/sys/net/ipv4/ip_forward
-	
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	# allow esp
-	iptables -A INPUT  -i eth0 -p 50 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-        iptables -A INPUT  -i eth1 -p 50 -j ACCEPT
-        iptables -A OUTPUT -o eth1 -p 50 -j ACCEPT
-
-	# allow IKE
-	iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-        iptables -A INPUT  -i eth1 -p udp --sport 500 --dport 500 -j ACCEPT
-        iptables -A OUTPUT -o eth1 -p udp --dport 500 --sport 500 -j ACCEPT
-
-	# allow MobIKE
-	iptables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-        iptables -A INPUT  -i eth1 -p udp --sport 4500 --dport 4500 -j ACCEPT
-        iptables -A OUTPUT -o eth1 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-	# allow crl fetch from winnetou
-	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-	iptables -A FORWARD -i eth0 -o eth1 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A FORWARD -o eth0 -i eth1 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
-	# masquerade crl fetches to winnetou
-	iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -d PH_IP_WINNETOU -j MASQUERADE
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/ikev2/ip-two-pools/hosts/moon/etc/iptables.rules b/testing/tests/ikev2/ip-two-pools/hosts/moon/etc/iptables.rules
new file mode 100644
index 000000000..a0ed9f0e6
--- /dev/null
+++ b/testing/tests/ikev2/ip-two-pools/hosts/moon/etc/iptables.rules
@@ -0,0 +1,43 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow esp
+-A INPUT  -i eth0 -p 50 -j ACCEPT
+-A OUTPUT -o eth0 -p 50 -j ACCEPT
+-A INPUT  -i eth1 -p 50 -j ACCEPT
+-A OUTPUT -o eth1 -p 50 -j ACCEPT
+
+# allow IKE
+-A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+-A INPUT  -i eth1 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth1 -p udp --dport 500 --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+-A INPUT  -i eth1 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth1 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+-A FORWARD -i eth0 -o eth1 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A FORWARD -o eth0 -i eth1 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+# allow ssh
+-A INPUT  -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+COMMIT
+
+*nat
+
+# masquerade crl fetches to winnetou
+-A POSTROUTING -o eth0 -s 10.1.0.0/16 -d PH_IP_WINNETOU -j MASQUERADE
+
+COMMIT
diff --git a/testing/tests/ikev2/ip-two-pools/posttest.dat b/testing/tests/ikev2/ip-two-pools/posttest.dat
index f41bb0fbc..2fbc2c3a0 100644
--- a/testing/tests/ikev2/ip-two-pools/posttest.dat
+++ b/testing/tests/ikev2/ip-two-pools/posttest.dat
@@ -1,8 +1,8 @@
 alice::ipsec stop
 carol::ipsec stop
 moon::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-alice::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+alice::iptables-restore < /etc/iptables.flush
 moon::conntrack -F
 moon::rm /etc/ipsec.d/ipsec.*
diff --git a/testing/tests/ikev2/ip-two-pools/pretest.dat b/testing/tests/ikev2/ip-two-pools/pretest.dat
index db422a105..4e8b639f4 100644
--- a/testing/tests/ikev2/ip-two-pools/pretest.dat
+++ b/testing/tests/ikev2/ip-two-pools/pretest.dat
@@ -1,6 +1,6 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-alice::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+alice::iptables-restore < /etc/iptables.rules
 carol::ipsec start
 moon::ipsec start
 alice::ipsec start
diff --git a/testing/tests/ikev2/ip-two-pools/test.conf b/testing/tests/ikev2/ip-two-pools/test.conf
index 329774c0a..1ed3473ab 100644
--- a/testing/tests/ikev2/ip-two-pools/test.conf
+++ b/testing/tests/ikev2/ip-two-pools/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou"
+VIRTHOSTS="alice moon carol winnetou"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="alice carol"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="alice moon carol"
diff --git a/testing/tests/ikev2/mobike-nat/evaltest.dat b/testing/tests/ikev2/mobike-nat/evaltest.dat
index aded7a040..c71e3f7c1 100644
--- a/testing/tests/ikev2/mobike-nat/evaltest.dat
+++ b/testing/tests/ikev2/mobike-nat/evaltest.dat
@@ -2,14 +2,14 @@ alice::ipsec status 2> /dev/null::mobike.*ESTABLISHED.*PH_IP_ALICE1.*PH_IP_SUN::
 sun::  ipsec status 2> /dev/null::mobike.*ESTABLISHED.*PH_IP_SUN.*PH_IP_ALICE1::YES
 alice::ipsec statusall 2> /dev/null::10.3.0.3/32 === 10.2.0.0/16::YES
 sun::  ipsec statusall 2> /dev/null::10.2.0.0/16 === 10.3.0.3/32::YES
-alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
-alice::/etc/init.d/net.eth1 stop::No output expected::NO
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
+alice::ifdown eth1::No output expected::NO
 alice::sleep 1::No output expected::NO
 alice::ipsec status 2> /dev/null::mobike.*ESTABLISHED.*PH_IP_ALICE.*PH_IP_SUN::YES
 sun::  ipsec status 2> /dev/null::mobike.*ESTABLISHED.*PH_IP_SUN.*PH_IP_MOON::YES
 alice::ipsec statusall 2> /dev/null::10.3.0.3/32 === 10.2.0.0/16::YES
 sun::  ipsec statusall 2> /dev/null::10.2.0.0/16 === 10.3.0.3/32::YES
-alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
 sun::tcpdump::alice1.strongswan.org.*sun.strongswan.org: ESP.*seq=0x1::YES
 sun::tcpdump::sun.strongswan.org.*alice1.strongswan.org: ESP.*seq=0x1::YES
 moon::tcpdump::moon.strongswan.org.*sun.strongswan.org.*: UDP-encap: ESP.*seq=0x2::YES
diff --git a/testing/tests/ikev2/mobike-nat/hosts/alice/etc/init.d/iptables b/testing/tests/ikev2/mobike-nat/hosts/alice/etc/init.d/iptables
deleted file mode 100755
index cf0d65c58..000000000
--- a/testing/tests/ikev2/mobike-nat/hosts/alice/etc/init.d/iptables
+++ /dev/null
@@ -1,87 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-        # allow IPsec tunnel traffic
-        iptables -A INPUT  -m policy --dir in  --pol ipsec --proto esp -j ACCEPT
-        iptables -A OUTPUT -m policy --dir out --pol ipsec --proto esp -j ACCEPT
-
-	# allow esp
-	iptables -A INPUT  -i eth0 -p 50 -j ACCEPT
-	iptables -A INPUT  -i eth1 -p 50 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-	iptables -A OUTPUT -o eth1 -p 50 -j ACCEPT
-
-	# allow IKE
-	iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-	iptables -A INPUT  -i eth1 -p udp --sport 500 --dport 500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-	iptables -A OUTPUT -o eth1 -p udp --dport 500 --sport 500 -j ACCEPT
-
-	# allow MobIKE
-	iptables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	iptables -A INPUT  -i eth1 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-	iptables -A OUTPUT -o eth1 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-	# allow crl fetch from winnetou
-	iptables -A INPUT  -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A OUTPUT -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/ikev2/mobike-nat/hosts/alice/etc/ipsec.conf b/testing/tests/ikev2/mobike-nat/hosts/alice/etc/ipsec.conf
index efbce1fb2..ffb7f563a 100644
--- a/testing/tests/ikev2/mobike-nat/hosts/alice/etc/ipsec.conf
+++ b/testing/tests/ikev2/mobike-nat/hosts/alice/etc/ipsec.conf
@@ -10,7 +10,7 @@ conn %default
 	keyexchange=ikev2
 
 conn mobike
-	left=PH_IP_ALICE1
+	left=192.168.0.50
 	leftsourceip=%config
 	leftcert=aliceCert.pem
 	leftid=alice@strongswan.org
diff --git a/testing/tests/ikev2/mobike-nat/hosts/alice/etc/iptables.rules b/testing/tests/ikev2/mobike-nat/hosts/alice/etc/iptables.rules
new file mode 100644
index 000000000..6dd261f20
--- /dev/null
+++ b/testing/tests/ikev2/mobike-nat/hosts/alice/etc/iptables.rules
@@ -0,0 +1,38 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow IPsec tunnel traffic
+-A INPUT  -m policy --dir in  --pol ipsec --proto esp -j ACCEPT
+-A OUTPUT -m policy --dir out --pol ipsec --proto esp -j ACCEPT
+
+# allow ESP 
+-A INPUT  -i eth0 -p 50 -j ACCEPT
+-A INPUT  -i eth1 -p 50 -j ACCEPT
+-A OUTPUT -o eth0 -p 50 -j ACCEPT
+-A OUTPUT -o eth1 -p 50 -j ACCEPT
+
+# allow IKE
+-A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+-A INPUT  -i eth1 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+-A OUTPUT -o eth1 -p udp --dport 500 --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A INPUT  -i eth1 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+-A OUTPUT -o eth1 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT  -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT  -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/ikev2/mobike-nat/hosts/sun/etc/init.d/iptables b/testing/tests/ikev2/mobike-nat/hosts/sun/etc/init.d/iptables
deleted file mode 100755
index 642c414d5..000000000
--- a/testing/tests/ikev2/mobike-nat/hosts/sun/etc/init.d/iptables
+++ /dev/null
@@ -1,84 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# enable IP forwarding
-	echo 1 > /proc/sys/net/ipv4/ip_forward
-	
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	# allow IPsec tunnel traffic
-	iptables -A FORWARD -m policy --dir in  --pol ipsec --proto esp -j ACCEPT
-	iptables -A FORWARD -m policy --dir out --pol ipsec --proto esp -j ACCEPT
-
-	# allow esp
-	iptables -A INPUT  -i eth0 -p 50 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-	# allow IKE
-	iptables -A INPUT  -i eth0 -p udp --dport 500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --sport 500 -j ACCEPT
-
-        # allow NAT-T 
-	iptables -A INPUT  -i eth0 -p udp --dport 4500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --sport 4500 -j ACCEPT
-
-	# allow crl fetch from winnetou
-	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/ikev2/mobike-nat/hosts/sun/etc/iptables.rules b/testing/tests/ikev2/mobike-nat/hosts/sun/etc/iptables.rules
new file mode 100644
index 000000000..0a7d1fa40
--- /dev/null
+++ b/testing/tests/ikev2/mobike-nat/hosts/sun/etc/iptables.rules
@@ -0,0 +1,32 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow IPsec tunnel traffic
+-A FORWARD -m policy --dir in  --pol ipsec --proto esp -j ACCEPT
+-A FORWARD -m policy --dir out --pol ipsec --proto esp -j ACCEPT
+
+# allow ESP 
+-A INPUT  -i eth0 -p 50 -j ACCEPT
+-A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+# allow IKE
+-A INPUT  -i eth0 -p udp --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT  -i eth0 -p udp --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT  -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/ikev2/mobike-nat/posttest.dat b/testing/tests/ikev2/mobike-nat/posttest.dat
index cd0d4df25..f4e5316c9 100644
--- a/testing/tests/ikev2/mobike-nat/posttest.dat
+++ b/testing/tests/ikev2/mobike-nat/posttest.dat
@@ -1,6 +1,6 @@
 alice::ipsec stop
 sun::ipsec stop
-alice::/etc/init.d/iptables stop 2> /dev/null
-sun::/etc/init.d/iptables stop 2> /dev/null
+alice::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
 moon::iptables -t nat -F
 moon::conntrack -F
diff --git a/testing/tests/ikev2/mobike-nat/pretest.dat b/testing/tests/ikev2/mobike-nat/pretest.dat
index 08c2be95c..86ac6e7e0 100644
--- a/testing/tests/ikev2/mobike-nat/pretest.dat
+++ b/testing/tests/ikev2/mobike-nat/pretest.dat
@@ -1,12 +1,11 @@
-alice::/etc/init.d/net.eth1 start
-alice::/etc/init.d/iptables start 2> /dev/null
-sun::/etc/init.d/iptables start 2> /dev/null
+alice::ifup eth1
+alice::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
 moon::conntrack -F
-moon::echo 1 > /proc/sys/net/ipv4/ip_forward
 moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p udp -j SNAT --to-source PH_IP_MOON:1024-1100
 moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p tcp -j SNAT --to-source PH_IP_MOON:2000-2100
 alice::ipsec start
 sun::ipsec start
-alice::sleep 2 
+alice::sleep 2
 alice::ipsec up mobike
 alice::sleep 1
diff --git a/testing/tests/ikev2/mobike-nat/test.conf b/testing/tests/ikev2/mobike-nat/test.conf
index 24a0cf3a4..70c64c503 100644
--- a/testing/tests/ikev2/mobike-nat/test.conf
+++ b/testing/tests/ikev2/mobike-nat/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon winnetou sun bob"
+VIRTHOSTS="alice moon winnetou sun bob"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-w-s-b.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="bob moon sun"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="alice sun"
diff --git a/testing/tests/ikev2/mobike-virtual-ip/evaltest.dat b/testing/tests/ikev2/mobike-virtual-ip/evaltest.dat
index c4c7b0b6f..17593ef82 100644
--- a/testing/tests/ikev2/mobike-virtual-ip/evaltest.dat
+++ b/testing/tests/ikev2/mobike-virtual-ip/evaltest.dat
@@ -1,15 +1,15 @@
-alice::ipsec status 2> /dev/null::mobike.*ESTABLISHED.*PH_IP_ALICE1.*PH_IP_SUN::YES
-sun::  ipsec status 2> /dev/null::mobike.*ESTABLISHED.*PH_IP_SUN.*PH_IP_ALICE1::YES
+alice::ipsec status 2> /dev/null::mobike.*ESTABLISHED.*192.168.0.50.*PH_IP_SUN::YES
+sun::  ipsec status 2> /dev/null::mobike.*ESTABLISHED.*PH_IP_SUN.*192.168.0.50::YES
 alice::ipsec statusall 2> /dev/null::10.3.0.3/32 === 10.2.0.0/16::YES
 sun::  ipsec statusall 2> /dev/null::10.2.0.0/16 === 10.3.0.3/32::YES
-alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
-alice::/etc/init.d/net.eth1 stop::No output expected::NO
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
+alice::ifdown eth1::No output expected::NO
 alice::sleep 1::No output expected::NO
 alice::ipsec status 2> /dev/null::mobike.*ESTABLISHED.*PH_IP_ALICE.*PH_IP_SUN::YES
 sun::  ipsec status 2> /dev/null::mobike.*ESTABLISHED.*PH_IP_SUN.*PH_IP_ALICE::YES
 alice::ipsec statusall 2> /dev/null::10.3.0.3/32 === 10.2.0.0/16::YES
 sun::  ipsec statusall 2> /dev/null::10.2.0.0/16 === 10.3.0.3/32::YES
-alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
 sun::tcpdump::alice1.strongswan.org.*sun.strongswan.org: ESP.*seq=0x1::YES
 sun::tcpdump::sun.strongswan.org.*alice1.strongswan.org: ESP.*seq=0x1::YES
 moon::tcpdump::alice.strongswan.org.*sun.strongswan.org.*: ESP.*seq=0x2::YES
diff --git a/testing/tests/ikev2/mobike-virtual-ip/hosts/alice/etc/init.d/iptables b/testing/tests/ikev2/mobike-virtual-ip/hosts/alice/etc/init.d/iptables
deleted file mode 100755
index cf0d65c58..000000000
--- a/testing/tests/ikev2/mobike-virtual-ip/hosts/alice/etc/init.d/iptables
+++ /dev/null
@@ -1,87 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-        # allow IPsec tunnel traffic
-        iptables -A INPUT  -m policy --dir in  --pol ipsec --proto esp -j ACCEPT
-        iptables -A OUTPUT -m policy --dir out --pol ipsec --proto esp -j ACCEPT
-
-	# allow esp
-	iptables -A INPUT  -i eth0 -p 50 -j ACCEPT
-	iptables -A INPUT  -i eth1 -p 50 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-	iptables -A OUTPUT -o eth1 -p 50 -j ACCEPT
-
-	# allow IKE
-	iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-	iptables -A INPUT  -i eth1 -p udp --sport 500 --dport 500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-	iptables -A OUTPUT -o eth1 -p udp --dport 500 --sport 500 -j ACCEPT
-
-	# allow MobIKE
-	iptables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	iptables -A INPUT  -i eth1 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-	iptables -A OUTPUT -o eth1 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-	# allow crl fetch from winnetou
-	iptables -A INPUT  -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A OUTPUT -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/ikev2/mobike-virtual-ip/hosts/alice/etc/ipsec.conf b/testing/tests/ikev2/mobike-virtual-ip/hosts/alice/etc/ipsec.conf
index efbce1fb2..ffb7f563a 100644
--- a/testing/tests/ikev2/mobike-virtual-ip/hosts/alice/etc/ipsec.conf
+++ b/testing/tests/ikev2/mobike-virtual-ip/hosts/alice/etc/ipsec.conf
@@ -10,7 +10,7 @@ conn %default
 	keyexchange=ikev2
 
 conn mobike
-	left=PH_IP_ALICE1
+	left=192.168.0.50
 	leftsourceip=%config
 	leftcert=aliceCert.pem
 	leftid=alice@strongswan.org
diff --git a/testing/tests/ikev2/mobike-virtual-ip/hosts/alice/etc/iptables.rules b/testing/tests/ikev2/mobike-virtual-ip/hosts/alice/etc/iptables.rules
new file mode 100644
index 000000000..a238c8d19
--- /dev/null
+++ b/testing/tests/ikev2/mobike-virtual-ip/hosts/alice/etc/iptables.rules
@@ -0,0 +1,38 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow IPsec tunnel traffic
+-A INPUT  -m policy --dir in  --pol ipsec --proto esp -j ACCEPT
+-A OUTPUT -m policy --dir out --pol ipsec --proto esp -j ACCEPT
+
+# allow ESP
+-A INPUT  -i eth0 -p 50 -j ACCEPT
+-A INPUT  -i eth1 -p 50 -j ACCEPT
+-A OUTPUT -o eth0 -p 50 -j ACCEPT
+-A OUTPUT -o eth1 -p 50 -j ACCEPT
+
+# allow IKE
+-A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+-A INPUT  -i eth1 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+-A OUTPUT -o eth1 -p udp --dport 500 --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A INPUT  -i eth1 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+-A OUTPUT -o eth1 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT  -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT  -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/ikev2/mobike-virtual-ip/hosts/sun/etc/init.d/iptables b/testing/tests/ikev2/mobike-virtual-ip/hosts/sun/etc/init.d/iptables
deleted file mode 100755
index 642c414d5..000000000
--- a/testing/tests/ikev2/mobike-virtual-ip/hosts/sun/etc/init.d/iptables
+++ /dev/null
@@ -1,84 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# enable IP forwarding
-	echo 1 > /proc/sys/net/ipv4/ip_forward
-	
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	# allow IPsec tunnel traffic
-	iptables -A FORWARD -m policy --dir in  --pol ipsec --proto esp -j ACCEPT
-	iptables -A FORWARD -m policy --dir out --pol ipsec --proto esp -j ACCEPT
-
-	# allow esp
-	iptables -A INPUT  -i eth0 -p 50 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-	# allow IKE
-	iptables -A INPUT  -i eth0 -p udp --dport 500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --sport 500 -j ACCEPT
-
-        # allow NAT-T 
-	iptables -A INPUT  -i eth0 -p udp --dport 4500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --sport 4500 -j ACCEPT
-
-	# allow crl fetch from winnetou
-	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/ikev2/mobike-virtual-ip/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/mobike-virtual-ip/hosts/sun/etc/ipsec.conf
index eeee6ffb0..2b0c8aebd 100644
--- a/testing/tests/ikev2/mobike-virtual-ip/hosts/sun/etc/ipsec.conf
+++ b/testing/tests/ikev2/mobike-virtual-ip/hosts/sun/etc/ipsec.conf
@@ -14,7 +14,7 @@ conn mobike
 	leftcert=sunCert.pem
 	leftid=@sun.strongswan.org
 	leftsubnet=10.2.0.0/16
-	right=PH_IP_ALICE1
+	right=192.168.0.50
 	rightsourceip=10.3.0.3
 	rightid=alice@strongswan.org
 	auto=add
diff --git a/testing/tests/ikev2/mobike-virtual-ip/hosts/sun/etc/iptables.rules b/testing/tests/ikev2/mobike-virtual-ip/hosts/sun/etc/iptables.rules
new file mode 100644
index 000000000..d86a461ac
--- /dev/null
+++ b/testing/tests/ikev2/mobike-virtual-ip/hosts/sun/etc/iptables.rules
@@ -0,0 +1,32 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow IPsec tunnel traffic
+-A FORWARD -m policy --dir in  --pol ipsec --proto esp -j ACCEPT
+-A FORWARD -m policy --dir out --pol ipsec --proto esp -j ACCEPT
+
+# allow ESP
+-A INPUT  -i eth0 -p 50 -j ACCEPT
+-A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+# allow IKE
+-A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT  -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/ikev2/mobike-virtual-ip/posttest.dat b/testing/tests/ikev2/mobike-virtual-ip/posttest.dat
index 32fdf0053..95c963091 100644
--- a/testing/tests/ikev2/mobike-virtual-ip/posttest.dat
+++ b/testing/tests/ikev2/mobike-virtual-ip/posttest.dat
@@ -1,5 +1,5 @@
 alice::ipsec stop
 sun::ipsec stop
-alice::/etc/init.d/iptables stop 2> /dev/null
-sun::/etc/init.d/iptables stop 2> /dev/null
+alice::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
 sun::ip route del 10.1.0.0/16 via PH_IP_MOON
diff --git a/testing/tests/ikev2/mobike-virtual-ip/pretest.dat b/testing/tests/ikev2/mobike-virtual-ip/pretest.dat
index 6666e7794..067c1a1ec 100644
--- a/testing/tests/ikev2/mobike-virtual-ip/pretest.dat
+++ b/testing/tests/ikev2/mobike-virtual-ip/pretest.dat
@@ -1,10 +1,9 @@
-alice::/etc/init.d/net.eth1 start
-alice::/etc/init.d/iptables start 2> /dev/null
-sun::/etc/init.d/iptables start 2> /dev/null
-moon::echo 1 > /proc/sys/net/ipv4/ip_forward
+alice::ifup eth1
+alice::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
 sun::ip route add 10.1.0.0/16 via PH_IP_MOON
 alice::ipsec start
 sun::ipsec start
-alice::sleep 2 
+alice::sleep 2
 alice::ipsec up mobike
 alice::sleep 1
diff --git a/testing/tests/ikev2/mobike-virtual-ip/test.conf b/testing/tests/ikev2/mobike-virtual-ip/test.conf
index 24a0cf3a4..70c64c503 100644
--- a/testing/tests/ikev2/mobike-virtual-ip/test.conf
+++ b/testing/tests/ikev2/mobike-virtual-ip/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon winnetou sun bob"
+VIRTHOSTS="alice moon winnetou sun bob"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-w-s-b.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="bob moon sun"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="alice sun"
diff --git a/testing/tests/ikev2/mobike/evaltest.dat b/testing/tests/ikev2/mobike/evaltest.dat
index ebf5ad4cf..e3464040e 100644
--- a/testing/tests/ikev2/mobike/evaltest.dat
+++ b/testing/tests/ikev2/mobike/evaltest.dat
@@ -1,15 +1,15 @@
-alice::ipsec status 2> /dev/null::mobike.*ESTABLISHED.*PH_IP_ALICE1.*PH_IP_SUN::YES
-sun::  ipsec status 2> /dev/null::mobike.*ESTABLISHED.*PH_IP_SUN.*PH_IP_ALICE1::YES
-alice::ipsec statusall 2> /dev/null::PH_IP_ALICE1/32 === 10.2.0.0/16::YES
-sun::  ipsec statusall 2> /dev/null::10.2.0.0/16 === PH_IP_ALICE1/32::YES
-alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
-alice::/etc/init.d/net.eth1 stop::No output expected::NO
+alice::ipsec status 2> /dev/null::mobike.*ESTABLISHED.*192.168.0.50.*PH_IP_SUN::YES
+sun::  ipsec status 2> /dev/null::mobike.*ESTABLISHED.*PH_IP_SUN.*192.168.0.50::YES
+alice::ipsec statusall 2> /dev/null::192.168.0.50/32 === 10.2.0.0/16::YES
+sun::  ipsec statusall 2> /dev/null::10.2.0.0/16 === 192.168.0.50/32::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
+alice::ifdown eth1::No output expected::NO
 alice::sleep 1::No output expected::NO
 alice::ipsec status 2> /dev/null::mobike.*ESTABLISHED.*PH_IP_ALICE.*PH_IP_SUN::YES
 sun::  ipsec status 2> /dev/null::mobike.*ESTABLISHED.*PH_IP_SUN.*PH_IP_ALICE::YES
 alice::ipsec statusall 2> /dev/null::PH_IP_ALICE/32 === 10.2.0.0/16::YES
 sun::  ipsec statusall 2> /dev/null::10.2.0.0/16 === PH_IP_ALICE/32::YES
-alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
 sun::tcpdump::alice1.strongswan.org.*sun.strongswan.org: ESP.*seq=0x1::YES
 sun::tcpdump::sun.strongswan.org.*alice1.strongswan.org: ESP.*seq=0x1::YES
 moon::tcpdump::alice.strongswan.org.*sun.strongswan.org: ESP.*seq=0x2::YES
diff --git a/testing/tests/ikev2/mobike/hosts/alice/etc/init.d/iptables b/testing/tests/ikev2/mobike/hosts/alice/etc/init.d/iptables
deleted file mode 100755
index cf0d65c58..000000000
--- a/testing/tests/ikev2/mobike/hosts/alice/etc/init.d/iptables
+++ /dev/null
@@ -1,87 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-        # allow IPsec tunnel traffic
-        iptables -A INPUT  -m policy --dir in  --pol ipsec --proto esp -j ACCEPT
-        iptables -A OUTPUT -m policy --dir out --pol ipsec --proto esp -j ACCEPT
-
-	# allow esp
-	iptables -A INPUT  -i eth0 -p 50 -j ACCEPT
-	iptables -A INPUT  -i eth1 -p 50 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-	iptables -A OUTPUT -o eth1 -p 50 -j ACCEPT
-
-	# allow IKE
-	iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-	iptables -A INPUT  -i eth1 -p udp --sport 500 --dport 500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-	iptables -A OUTPUT -o eth1 -p udp --dport 500 --sport 500 -j ACCEPT
-
-	# allow MobIKE
-	iptables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	iptables -A INPUT  -i eth1 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-	iptables -A OUTPUT -o eth1 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-	# allow crl fetch from winnetou
-	iptables -A INPUT  -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A OUTPUT -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/ikev2/mobike/hosts/alice/etc/ipsec.conf b/testing/tests/ikev2/mobike/hosts/alice/etc/ipsec.conf
index 66cbce781..95683fdc3 100644
--- a/testing/tests/ikev2/mobike/hosts/alice/etc/ipsec.conf
+++ b/testing/tests/ikev2/mobike/hosts/alice/etc/ipsec.conf
@@ -10,7 +10,7 @@ conn %default
 	keyexchange=ikev2
 
 conn mobike
-	left=PH_IP_ALICE1
+	left=192.168.0.50
 	leftcert=aliceCert.pem
 	leftid=alice@strongswan.org
 	right=PH_IP_SUN
diff --git a/testing/tests/ikev2/mobike/hosts/alice/etc/iptables.rules b/testing/tests/ikev2/mobike/hosts/alice/etc/iptables.rules
new file mode 100644
index 000000000..a238c8d19
--- /dev/null
+++ b/testing/tests/ikev2/mobike/hosts/alice/etc/iptables.rules
@@ -0,0 +1,38 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow IPsec tunnel traffic
+-A INPUT  -m policy --dir in  --pol ipsec --proto esp -j ACCEPT
+-A OUTPUT -m policy --dir out --pol ipsec --proto esp -j ACCEPT
+
+# allow ESP
+-A INPUT  -i eth0 -p 50 -j ACCEPT
+-A INPUT  -i eth1 -p 50 -j ACCEPT
+-A OUTPUT -o eth0 -p 50 -j ACCEPT
+-A OUTPUT -o eth1 -p 50 -j ACCEPT
+
+# allow IKE
+-A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+-A INPUT  -i eth1 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+-A OUTPUT -o eth1 -p udp --dport 500 --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A INPUT  -i eth1 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+-A OUTPUT -o eth1 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT  -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT  -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/ikev2/mobike/hosts/sun/etc/init.d/iptables b/testing/tests/ikev2/mobike/hosts/sun/etc/init.d/iptables
deleted file mode 100755
index 6934b1948..000000000
--- a/testing/tests/ikev2/mobike/hosts/sun/etc/init.d/iptables
+++ /dev/null
@@ -1,90 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-        # enable IP forwarding
-        echo 1 > /proc/sys/net/ipv4/ip_forward
-
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-        # allow IPsec tunnel traffic
-        iptables -A FORWARD -m policy --dir in  --pol ipsec --proto esp -j ACCEPT
-        iptables -A FORWARD -m policy --dir out --pol ipsec --proto esp -j ACCEPT
-
-	# allow esp
-	iptables -A INPUT  -i eth0 -p 50 -j ACCEPT
-	iptables -A INPUT  -i eth1 -p 50 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-	iptables -A OUTPUT -o eth1 -p 50 -j ACCEPT
-
-	# allow IKE
-	iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-	iptables -A INPUT  -i eth1 -p udp --sport 500 --dport 500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-	iptables -A OUTPUT -o eth1 -p udp --dport 500 --sport 500 -j ACCEPT
-
-	# allow MobIKE
-	iptables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	iptables -A INPUT  -i eth1 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-	iptables -A OUTPUT -o eth1 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-	# allow crl fetch from winnetou
-	iptables -A INPUT  -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A OUTPUT -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/ikev2/mobike/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/mobike/hosts/sun/etc/ipsec.conf
index f3fa9209c..f7693106f 100644
--- a/testing/tests/ikev2/mobike/hosts/sun/etc/ipsec.conf
+++ b/testing/tests/ikev2/mobike/hosts/sun/etc/ipsec.conf
@@ -14,6 +14,6 @@ conn mobike
 	leftcert=sunCert.pem
 	leftid=@sun.strongswan.org
 	leftsubnet=10.2.0.0/16
-	right=PH_IP_ALICE1
+	right=192.168.0.50
 	rightid=alice@strongswan.org
 	auto=add
diff --git a/testing/tests/ikev2/mobike/hosts/sun/etc/iptables.rules b/testing/tests/ikev2/mobike/hosts/sun/etc/iptables.rules
new file mode 100644
index 000000000..d86a461ac
--- /dev/null
+++ b/testing/tests/ikev2/mobike/hosts/sun/etc/iptables.rules
@@ -0,0 +1,32 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow IPsec tunnel traffic
+-A FORWARD -m policy --dir in  --pol ipsec --proto esp -j ACCEPT
+-A FORWARD -m policy --dir out --pol ipsec --proto esp -j ACCEPT
+
+# allow ESP
+-A INPUT  -i eth0 -p 50 -j ACCEPT
+-A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+# allow IKE
+-A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT  -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/ikev2/mobike/posttest.dat b/testing/tests/ikev2/mobike/posttest.dat
index 32fdf0053..95c963091 100644
--- a/testing/tests/ikev2/mobike/posttest.dat
+++ b/testing/tests/ikev2/mobike/posttest.dat
@@ -1,5 +1,5 @@
 alice::ipsec stop
 sun::ipsec stop
-alice::/etc/init.d/iptables stop 2> /dev/null
-sun::/etc/init.d/iptables stop 2> /dev/null
+alice::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
 sun::ip route del 10.1.0.0/16 via PH_IP_MOON
diff --git a/testing/tests/ikev2/mobike/pretest.dat b/testing/tests/ikev2/mobike/pretest.dat
index 6666e7794..067c1a1ec 100644
--- a/testing/tests/ikev2/mobike/pretest.dat
+++ b/testing/tests/ikev2/mobike/pretest.dat
@@ -1,10 +1,9 @@
-alice::/etc/init.d/net.eth1 start
-alice::/etc/init.d/iptables start 2> /dev/null
-sun::/etc/init.d/iptables start 2> /dev/null
-moon::echo 1 > /proc/sys/net/ipv4/ip_forward
+alice::ifup eth1
+alice::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
 sun::ip route add 10.1.0.0/16 via PH_IP_MOON
 alice::ipsec start
 sun::ipsec start
-alice::sleep 2 
+alice::sleep 2
 alice::ipsec up mobike
 alice::sleep 1
diff --git a/testing/tests/ikev2/mobike/test.conf b/testing/tests/ikev2/mobike/test.conf
index 24a0cf3a4..70c64c503 100644
--- a/testing/tests/ikev2/mobike/test.conf
+++ b/testing/tests/ikev2/mobike/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon winnetou sun bob"
+VIRTHOSTS="alice moon winnetou sun bob"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-w-s-b.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="bob moon sun"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="alice sun"
diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/evaltest.dat b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/evaltest.dat
index 4a72b4392..65a003d23 100644
--- a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/evaltest.dat
+++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/evaltest.dat
@@ -6,7 +6,7 @@ moon:: cat /var/log/daemon.log::received EAP identity .*228060123456001::YES
 moon:: cat /var/log/daemon.log::authentication of .*228060123456001@strongswan.org.* with EAP successful::YES
 moon:: ipsec status 2> /dev/null::rw-mult.*ESTABLISHED.*228060123456001@strongswan.org::YES
 carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*228060123456001@strongswan.org::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
 moon::cat /var/log/daemon.log::authentication of .*dave@strongswan.org.* with RSA signature successful::YES
@@ -18,4 +18,4 @@ moon::cat /var/log/daemon.log::EAP method EAP_SIM failed for peer 22806012345600
 moon::ipsec status 2> /dev/null::rw-mult.*ESTABLISHED.*228060123456002@strongswan.org::NO
 dave::cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES
 dave::ipsec status 2> /dev/null::home.*ESTABLISHED::NO
-dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::NO
+dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::NO
diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/eap.conf b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/eap.conf
new file mode 100644
index 000000000..7d8023951
--- /dev/null
+++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/eap.conf
@@ -0,0 +1,5 @@
+eap {
+  default_eap_type = sim
+  sim {
+  }
+}
diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/modules/sim_files b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/modules/sim_files
new file mode 100644
index 000000000..10c26aa15
--- /dev/null
+++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/modules/sim_files
@@ -0,0 +1,3 @@
+sim_files {
+	simtriplets = "/etc/freeradius/triplets.dat"
+}
diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/proxy.conf b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/proxy.conf
new file mode 100644
index 000000000..23cba8d11
--- /dev/null
+++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/proxy.conf
@@ -0,0 +1,5 @@
+realm strongswan.org {
+  type     = radius
+  authhost = LOCAL
+  accthost = LOCAL
+}
diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/sites-available/default b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/sites-available/default
new file mode 100644
index 000000000..91425f812
--- /dev/null
+++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/sites-available/default
@@ -0,0 +1,61 @@
+authorize {
+  preprocess
+  chap
+  mschap
+  sim_files
+  suffix
+  eap {
+    ok = return
+  }
+  unix
+  files
+  expiration
+  logintime
+  pap
+}
+
+authenticate {
+  Auth-Type PAP {
+    pap
+  }
+  Auth-Type CHAP {
+    chap
+  }
+  Auth-Type MS-CHAP {
+    mschap
+  }
+  unix
+  eap
+}
+
+preacct {
+  preprocess
+  acct_unique
+  suffix
+  files
+}
+
+accounting {
+  detail
+  unix
+  radutmp
+  attr_filter.accounting_response
+}
+
+session {
+  radutmp
+}
+
+post-auth {
+  exec
+  Post-Auth-Type REJECT {
+    attr_filter.access_reject
+  }
+}
+
+pre-proxy {
+}
+
+post-proxy {
+  eap
+}
diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/triplets.dat b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/triplets.dat
new file mode 100644
index 000000000..aaabab89e
--- /dev/null
+++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/triplets.dat
@@ -0,0 +1,6 @@
+228060123456001,30000000000000000000000000000000,30112233,305566778899AABB
+228060123456001,31000000000000000000000000000000,31112233,315566778899AABB
+228060123456001,32000000000000000000000000000000,32112233,325566778899AABB
+228060123456002,33000000000000000000000000000000,33112233,335566778899AABB
+228060123456002,34000000000000000000000000000000,34112233,345566778899AABB
+228060123456002,35000000000000000000000000000000,35112233,355566778899AABB
diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/users b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/users
new file mode 100644
index 000000000..e69de29bb
diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/raddb/clients.conf b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/raddb/clients.conf
deleted file mode 100644
index f4e179aa4..000000000
--- a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/raddb/clients.conf
+++ /dev/null
@@ -1,4 +0,0 @@
-client PH_IP_MOON1 {
-  secret    = gv6URkSs 
-  shortname = moon
-}
diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/raddb/eap.conf b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/raddb/eap.conf
deleted file mode 100644
index a2020424e..000000000
--- a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/raddb/eap.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-eap {
-  default_eap_type = sim 
-  sim {
-  }
-}
diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/raddb/proxy.conf b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/raddb/proxy.conf
deleted file mode 100644
index 23cba8d11..000000000
--- a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/raddb/proxy.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-realm strongswan.org {
-  type     = radius
-  authhost = LOCAL
-  accthost = LOCAL
-}
diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/raddb/radiusd.conf b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/raddb/radiusd.conf
deleted file mode 100644
index d77b818fe..000000000
--- a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/raddb/radiusd.conf
+++ /dev/null
@@ -1,123 +0,0 @@
-# radiusd.conf	-- FreeRADIUS server configuration file.
-
-prefix = /usr
-exec_prefix = ${prefix}
-sysconfdir = /etc
-localstatedir = /var
-sbindir = ${exec_prefix}/sbin
-logdir = ${localstatedir}/log/radius
-raddbdir = ${sysconfdir}/raddb
-radacctdir = ${logdir}/radacct
-
-#  name of the running server.  See also the "-n" command-line option.
-name = radiusd
-
-#  Location of config and logfiles.
-confdir = ${raddbdir}
-run_dir = ${localstatedir}/run/radiusd
-
-# Should likely be ${localstatedir}/lib/radiusd
-db_dir = ${raddbdir}
-
-# libdir: Where to find the rlm_* modules.
-libdir = ${exec_prefix}/lib
-
-#  pidfile: Where to place the PID of the RADIUS server.
-pidfile = ${run_dir}/${name}.pid
-
-#  max_request_time: The maximum time (in seconds) to handle a request.
-max_request_time = 30
-
-#  cleanup_delay: The time to wait (in seconds) before cleaning up
-cleanup_delay = 5
-
-#  max_requests: The maximum number of requests which the server keeps
-max_requests = 1024
-
-#  listen: Make the server listen on a particular IP address, and send
-listen {
-  type = auth
-  ipaddr = PH_IP_ALICE 
-  port = 0
-}
-
-#  This second "listen" section is for listening on the accounting
-#  port, too.
-#
-listen {
-  type  = acct
-  ipaddr = PH_IP_ALICE 
-  port = 0
-}
-
-#  hostname_lookups: Log the names of clients or just their IP addresses
-hostname_lookups = no
-
-#  Core dumps are a bad thing.  This should only be set to 'yes'
-allow_core_dumps = no
-
-#  Regular expressions
-regular_expressions = yes
-extended_expressions = yes
-
-#  Logging section.  The various "log_*" configuration items
-log {
-  destination = files
-  file = ${logdir}/radius.log
-  syslog_facility = daemon
-  stripped_names = no
-  auth = yes 
-  auth_badpass = yes 
-  auth_goodpass = yes 
-}
-
-#  The program to execute to do concurrency checks.
-checkrad = ${sbindir}/checkrad
-
-#  Security considerations
-security {
-  max_attributes = 200
-  reject_delay = 1
-  status_server = yes
-}
-
-# PROXY CONFIGURATION
-proxy_requests = yes
-$INCLUDE proxy.conf
-
-# CLIENTS CONFIGURATION
-$INCLUDE clients.conf
-
-# THREAD POOL CONFIGURATION
-thread pool {
-  start_servers = 5
-  max_servers = 32
-  min_spare_servers = 3
-  max_spare_servers = 10
-  max_requests_per_server = 0
-}
-
-# MODULE CONFIGURATION
-modules {
-  $INCLUDE ${confdir}/modules/
-  $INCLUDE eap.conf
-  $INCLUDE sql.conf
-  $INCLUDE sql/mysql/counter.conf
-  sim_files {
-    simtriplets = "/etc/raddb/triplets.dat"
-  }
-}
-
-# Instantiation
-instantiate {
-  exec
-  expr
-  expiration
-  logintime
-}
-
-# Policies
-$INCLUDE policy.conf
-
-# Include all enabled virtual hosts
-$INCLUDE sites-enabled/
diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/raddb/sites-available/default b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/raddb/sites-available/default
deleted file mode 100644
index dfceb037d..000000000
--- a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/raddb/sites-available/default
+++ /dev/null
@@ -1,62 +0,0 @@
-authorize {
-  preprocess
-  chap
-  mschap
-  sim_files
-  suffix
-  eap {
-    ok = return
-  }
-  unix
-  files
-  expiration
-  logintime
-  pap
-}
-
-authenticate {
-  Auth-Type PAP {
-    pap
-  }
-  Auth-Type CHAP {
-    chap
-  }
-  Auth-Type MS-CHAP {
-    mschap
-  }
-  unix
-  eap
-}
-
-preacct {
-  preprocess
-  acct_unique
-  suffix
-  files
-}
-
-accounting {
-  detail
-  unix
-  radutmp
-  attr_filter.accounting_response
-}
-
-session {
-  radutmp
-}
-
-post-auth {
-  exec
-  Post-Auth-Type REJECT {
-    attr_filter.access_reject
-  }
-}
-
-pre-proxy {
-}
-
-post-proxy {
-  eap
-}
-
diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/raddb/triplets.dat b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/raddb/triplets.dat
deleted file mode 100644
index 002ee94d1..000000000
--- a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/raddb/triplets.dat
+++ /dev/null
@@ -1,7 +0,0 @@
-228060123456001,30000000000000000000000000000000,30112233,305566778899AABB
-228060123456001,31000000000000000000000000000000,31112233,315566778899AABB
-228060123456001,32000000000000000000000000000000,32112233,325566778899AABB
-228060123456002,33000000000000000000000000000000,33112233,335566778899AABB
-228060123456002,34000000000000000000000000000000,34112233,345566778899AABB
-228060123456002,35000000000000000000000000000000,35112233,355566778899AABB
-
diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/raddb/users b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/raddb/users
deleted file mode 100644
index e69de29bb..000000000
diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/moon/etc/init.d/iptables b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/moon/etc/init.d/iptables
deleted file mode 100755
index 56587b2e8..000000000
--- a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/moon/etc/init.d/iptables
+++ /dev/null
@@ -1,84 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# enable IP forwarding
-	echo 1 > /proc/sys/net/ipv4/ip_forward
-	
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	# allow esp
-	iptables -A INPUT  -i eth0 -p 50 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-	# allow IKE
-	iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
-	# allow MobIKE
-	iptables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-	# allow crl fetch from winnetou
-	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
-	# allow RADIUS protocol with alice
-	iptables -A INPUT  -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT
-	iptables -A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/moon/etc/iptables.rules b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/moon/etc/iptables.rules
new file mode 100644
index 000000000..1eb755354
--- /dev/null
+++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/moon/etc/iptables.rules
@@ -0,0 +1,32 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow esp
+-A INPUT  -i eth0 -p 50 -j ACCEPT
+-A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+# allow IKE
+-A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT  -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+# allow RADIUS protocol with alice
+-A INPUT  -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT
+-A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/posttest.dat b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/posttest.dat
index dbe56013a..6a4da6631 100644
--- a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/posttest.dat
+++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/posttest.dat
@@ -1,7 +1,4 @@
 moon::ipsec stop
 carol::ipsec stop
 dave::ipsec stop
-alice::/etc/init.d/radiusd stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+alice::killall radiusd
diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/pretest.dat b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/pretest.dat
index b3fd4cbf1..2d54c6027 100644
--- a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/pretest.dat
+++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/pretest.dat
@@ -1,11 +1,8 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
-alice::cat /etc/raddb/clients.conf
-alice::cat /etc/raddb/eap.conf
-alice::cat /etc/raddb/proxy.conf
-alice::cat /etc/raddb/triplets.dat
-alice::/etc/init.d/radiusd start
+alice::cat /etc/freeradius/clients.conf
+alice::cat /etc/freeradius/eap.conf
+alice::cat /etc/freeradius/proxy.conf
+alice::cat /etc/freeradius/triplets.dat
+alice::radiusd
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/test.conf b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/test.conf
index 70416826e..42d23a50b 100644
--- a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/test.conf
+++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/test.conf
@@ -1,21 +1,25 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
+
+# Guest instances on which FreeRadius is started
+#
+RADIUSHOSTS="alice"
diff --git a/testing/tests/ikev2/multi-level-ca-cr-init/pretest.dat b/testing/tests/ikev2/multi-level-ca-cr-init/pretest.dat
index c8e7adcb7..2eebc0f84 100644
--- a/testing/tests/ikev2/multi-level-ca-cr-init/pretest.dat
+++ b/testing/tests/ikev2/multi-level-ca-cr-init/pretest.dat
@@ -1,4 +1,3 @@
-moon::echo 1 > /proc/sys/net/ipv4/ip_forward
 carol::ipsec start
 dave::ipsec start
 moon::ipsec start
diff --git a/testing/tests/ikev2/multi-level-ca-cr-init/test.conf b/testing/tests/ikev2/multi-level-ca-cr-init/test.conf
index 08e5cc145..9bb88d79f 100644
--- a/testing/tests/ikev2/multi-level-ca-cr-init/test.conf
+++ b/testing/tests/ikev2/multi-level-ca-cr-init/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice venus moon carol winnetou dave"
+VIRTHOSTS="alice venus moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-v-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS=""
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev2/multi-level-ca-cr-resp/pretest.dat b/testing/tests/ikev2/multi-level-ca-cr-resp/pretest.dat
index f15265e32..86dd31e83 100644
--- a/testing/tests/ikev2/multi-level-ca-cr-resp/pretest.dat
+++ b/testing/tests/ikev2/multi-level-ca-cr-resp/pretest.dat
@@ -1,4 +1,3 @@
-moon::echo 1 > /proc/sys/net/ipv4/ip_forward
 carol::ipsec start
 dave::ipsec start
 moon::ipsec start
diff --git a/testing/tests/ikev2/multi-level-ca-cr-resp/test.conf b/testing/tests/ikev2/multi-level-ca-cr-resp/test.conf
index 08e5cc145..9bb88d79f 100644
--- a/testing/tests/ikev2/multi-level-ca-cr-resp/test.conf
+++ b/testing/tests/ikev2/multi-level-ca-cr-resp/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice venus moon carol winnetou dave"
+VIRTHOSTS="alice venus moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-v-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS=""
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev2/multi-level-ca-ldap/hosts/moon/etc/init.d/iptables b/testing/tests/ikev2/multi-level-ca-ldap/hosts/moon/etc/init.d/iptables
deleted file mode 100755
index 4f4f3228b..000000000
--- a/testing/tests/ikev2/multi-level-ca-ldap/hosts/moon/etc/init.d/iptables
+++ /dev/null
@@ -1,80 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# enable IP forwarding
-	echo 1 > /proc/sys/net/ipv4/ip_forward
-	
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	# allow esp
-	iptables -A INPUT  -i eth0 -p 50 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-	# allow IKE
-	iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
-	# allow MobIKE
-	iptables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-	# allow ldap crl fetch from winnetou
-	iptables -A INPUT  -i eth0 -p tcp --sport 389 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p tcp --dport 389 -d PH_IP_WINNETOU -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/ikev2/multi-level-ca-ldap/hosts/moon/etc/iptables.rules b/testing/tests/ikev2/multi-level-ca-ldap/hosts/moon/etc/iptables.rules
new file mode 100644
index 000000000..debcc2181
--- /dev/null
+++ b/testing/tests/ikev2/multi-level-ca-ldap/hosts/moon/etc/iptables.rules
@@ -0,0 +1,28 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow esp
+-A INPUT  -i eth0 -p 50 -j ACCEPT
+-A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+# allow IKE
+-A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT  -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow ldap crl fetch from winnetou
+-A INPUT  -i eth0 -p tcp --sport 389 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 389 -d PH_IP_WINNETOU -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/ikev2/multi-level-ca-ldap/posttest.dat b/testing/tests/ikev2/multi-level-ca-ldap/posttest.dat
index ec4ba6e10..6f0ec4b97 100644
--- a/testing/tests/ikev2/multi-level-ca-ldap/posttest.dat
+++ b/testing/tests/ikev2/multi-level-ca-ldap/posttest.dat
@@ -3,5 +3,5 @@ carol::ipsec stop
 dave::ipsec stop
 moon::rm /etc/ipsec.d/cacerts/*
 winnetou::/etc/init.d/slapd stop
-moon::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
 
diff --git a/testing/tests/ikev2/multi-level-ca-ldap/pretest.dat b/testing/tests/ikev2/multi-level-ca-ldap/pretest.dat
index 322f42102..41319ae4d 100644
--- a/testing/tests/ikev2/multi-level-ca-ldap/pretest.dat
+++ b/testing/tests/ikev2/multi-level-ca-ldap/pretest.dat
@@ -1,5 +1,5 @@
 winnetou::/etc/init.d/slapd start
-moon::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
 carol::ipsec start
 dave::ipsec start
 moon::ipsec start
diff --git a/testing/tests/ikev2/multi-level-ca-ldap/test.conf b/testing/tests/ikev2/multi-level-ca-ldap/test.conf
index 08e5cc145..9bb88d79f 100644
--- a/testing/tests/ikev2/multi-level-ca-ldap/test.conf
+++ b/testing/tests/ikev2/multi-level-ca-ldap/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice venus moon carol winnetou dave"
+VIRTHOSTS="alice venus moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-v-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS=""
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev2/multi-level-ca-loop/pretest.dat b/testing/tests/ikev2/multi-level-ca-loop/pretest.dat
index 0a0ec22bf..bb538c160 100644
--- a/testing/tests/ikev2/multi-level-ca-loop/pretest.dat
+++ b/testing/tests/ikev2/multi-level-ca-loop/pretest.dat
@@ -1,4 +1,3 @@
-moon::echo 1 > /proc/sys/net/ipv4/ip_forward
 moon::rm /etc/ipsec.d/cacerts/strongswanCert.pem
 carol::ipsec start
 moon::ipsec start
diff --git a/testing/tests/ikev2/multi-level-ca-loop/test.conf b/testing/tests/ikev2/multi-level-ca-loop/test.conf
index 3189fdfc7..a24ec4f1d 100644
--- a/testing/tests/ikev2/multi-level-ca-loop/test.conf
+++ b/testing/tests/ikev2/multi-level-ca-loop/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS=""
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/multi-level-ca-pathlen/pretest.dat b/testing/tests/ikev2/multi-level-ca-pathlen/pretest.dat
index 9f0232a7b..e209e60ff 100644
--- a/testing/tests/ikev2/multi-level-ca-pathlen/pretest.dat
+++ b/testing/tests/ikev2/multi-level-ca-pathlen/pretest.dat
@@ -1,4 +1,3 @@
-moon::echo 1 > /proc/sys/net/ipv4/ip_forward
 carol::ipsec start
 moon::ipsec start
 carol::sleep 2
diff --git a/testing/tests/ikev2/multi-level-ca-pathlen/test.conf b/testing/tests/ikev2/multi-level-ca-pathlen/test.conf
index b118cb7dc..587964390 100644
--- a/testing/tests/ikev2/multi-level-ca-pathlen/test.conf
+++ b/testing/tests/ikev2/multi-level-ca-pathlen/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice venus moon carol winnetou"
+VIRTHOSTS="alice venus moon carol winnetou"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS=""
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/multi-level-ca-revoked/test.conf b/testing/tests/ikev2/multi-level-ca-revoked/test.conf
index 2b240d895..892f51cd9 100644
--- a/testing/tests/ikev2/multi-level-ca-revoked/test.conf
+++ b/testing/tests/ikev2/multi-level-ca-revoked/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="moon carol winnetou"
+VIRTHOSTS="moon carol winnetou"
 
 # Corresponding block diagram
 #
 DIAGRAM="m-c-w.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS=""
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/multi-level-ca-strict/pretest.dat b/testing/tests/ikev2/multi-level-ca-strict/pretest.dat
index 67c50c2ef..755564cbc 100644
--- a/testing/tests/ikev2/multi-level-ca-strict/pretest.dat
+++ b/testing/tests/ikev2/multi-level-ca-strict/pretest.dat
@@ -1,4 +1,3 @@
-moon::echo 1 > /proc/sys/net/ipv4/ip_forward
 carol::ipsec start
 dave::ipsec start
 moon::ipsec start
diff --git a/testing/tests/ikev2/multi-level-ca-strict/test.conf b/testing/tests/ikev2/multi-level-ca-strict/test.conf
index 08e5cc145..9bb88d79f 100644
--- a/testing/tests/ikev2/multi-level-ca-strict/test.conf
+++ b/testing/tests/ikev2/multi-level-ca-strict/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice venus moon carol winnetou dave"
+VIRTHOSTS="alice venus moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-v-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS=""
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev2/multi-level-ca/pretest.dat b/testing/tests/ikev2/multi-level-ca/pretest.dat
index 67c50c2ef..755564cbc 100644
--- a/testing/tests/ikev2/multi-level-ca/pretest.dat
+++ b/testing/tests/ikev2/multi-level-ca/pretest.dat
@@ -1,4 +1,3 @@
-moon::echo 1 > /proc/sys/net/ipv4/ip_forward
 carol::ipsec start
 dave::ipsec start
 moon::ipsec start
diff --git a/testing/tests/ikev2/multi-level-ca/test.conf b/testing/tests/ikev2/multi-level-ca/test.conf
index 08e5cc145..9bb88d79f 100644
--- a/testing/tests/ikev2/multi-level-ca/test.conf
+++ b/testing/tests/ikev2/multi-level-ca/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice venus moon carol winnetou dave"
+VIRTHOSTS="alice venus moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-v-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS=""
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev2/nat-rw-mark/description.txt b/testing/tests/ikev2/nat-rw-mark/description.txt
index 2a93d11d8..b8074e665 100644
--- a/testing/tests/ikev2/nat-rw-mark/description.txt
+++ b/testing/tests/ikev2/nat-rw-mark/description.txt
@@ -1,7 +1,7 @@
 The roadwarriors <b>alice</b> and <b>venus</b> sitting behind the NAT router <b>moon</b> set up
 tunnels to gateway <b>sun</b>. UDP encapsulation is used to traverse the NAT router.
 Since both roadwarriors possess the same 10.1.0.0/25 subnet, gateway <b>sun</b> uses Source NAT
-after ESP decryption to map these subnets to 10.3.0.10 and 10.3.0.20, respectively.
+after ESP decryption to map these subnets to PH_IP_CAROL10 and PH_IP_DAVE10, respectively.
 <p/>
 In order to differentiate between the tunnels to <b>alice</b> and <b>venus</b>, respectively,
 <b>XFRM marks</b> are defined for both the inbound and outbound IPsec SAs and policies using
diff --git a/testing/tests/ikev2/nat-rw-mark/evaltest.dat b/testing/tests/ikev2/nat-rw-mark/evaltest.dat
index db9e969d2..bb8e856cc 100644
--- a/testing/tests/ikev2/nat-rw-mark/evaltest.dat
+++ b/testing/tests/ikev2/nat-rw-mark/evaltest.dat
@@ -6,13 +6,13 @@ sun::  ipsec status 2> /dev/null::alice.*ESTABLISHED.*sun.strongswan.org.*alice@
 sun::  ipsec status 2> /dev/null::venus.*ESTABLISHED.*sun.strongswan.org.*venus.strongswan.org::YES
 sun::  ipsec statusall 2> /dev/null::alice.*10.2.0.0/16 === 10.1.0.0/25::YES
 sun::  ipsec statusall 2> /dev/null::venus.*10.2.0.0/16 === 10.1.0.0/25::YES
-alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
-venus::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
-moon::tcpdump::IP moon.strongswan.org.4510.* > sun.strongswan.org.ipsec-nat-t: UDP::YES
-moon::tcpdump::IP moon.strongswan.org.4520.* > sun.strongswan.org.ipsec-nat-t: UDP::YES
-moon::tcpdump::IP sun.strongswan.org.ipsec-nat-t > moon.strongswan.org.4510.*: UDP::YES
-moon::tcpdump::IP sun.strongswan.org.ipsec-nat-t > moon.strongswan.org.4520.*: UDP::YES
-bob::tcpdump::10.3.0.10 > bob.strongswan.org: ICMP echo request::YES
-bob::tcpdump::10.3.0.20 > bob.strongswan.org: ICMP echo request::YES
-bob::tcpdump::bob.strongswan.org > 10.3.0.10: ICMP echo reply::YES
-bob::tcpdump::bob.strongswan.org > 10.3.0.20: ICMP echo reply::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
+venus::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
+moon::tcpdump::IP moon.strongswan.org.4510.* > sun.strongswan.org.4500: UDP::YES
+moon::tcpdump::IP moon.strongswan.org.4520.* > sun.strongswan.org.4500: UDP::YES
+moon::tcpdump::IP sun.strongswan.org.4500 > moon.strongswan.org.4510.*: UDP::YES
+moon::tcpdump::IP sun.strongswan.org.4500 > moon.strongswan.org.4520.*: UDP::YES
+bob::tcpdump::PH_IP_CAROL10 > bob.strongswan.org: ICMP echo request::YES
+bob::tcpdump::PH_IP_DAVE10 > bob.strongswan.org: ICMP echo request::YES
+bob::tcpdump::bob.strongswan.org > PH_IP_CAROL10: ICMP echo reply::YES
+bob::tcpdump::bob.strongswan.org > PH_IP_DAVE10: ICMP echo reply::YES
diff --git a/testing/tests/ikev2/nat-rw-mark/hosts/sun/etc/iptables.rules b/testing/tests/ikev2/nat-rw-mark/hosts/sun/etc/iptables.rules
new file mode 100644
index 000000000..ae8f9a61e
--- /dev/null
+++ b/testing/tests/ikev2/nat-rw-mark/hosts/sun/etc/iptables.rules
@@ -0,0 +1,24 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow IKE
+-A INPUT  -i eth0 -p udp --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT  -i eth0 -p udp --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT  -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/ikev2/nat-rw-mark/hosts/sun/etc/mark_updown b/testing/tests/ikev2/nat-rw-mark/hosts/sun/etc/mark_updown
index 0d22e684d..421335ffb 100755
--- a/testing/tests/ikev2/nat-rw-mark/hosts/sun/etc/mark_updown
+++ b/testing/tests/ikev2/nat-rw-mark/hosts/sun/etc/mark_updown
@@ -73,8 +73,12 @@
 #              just the host, this will be 255.255.255.255.
 #
 #       PLUTO_MY_SOURCEIP
-#              if non-empty, then the source address for the route will be
-#              set to this IP address.
+#       PLUTO_MY_SOURCEIP4_$i
+#       PLUTO_MY_SOURCEIP6_$i
+#              contains IPv4/IPv6 virtual IP received from a responder,
+#              $i enumerates from 1 to the number of IP per address family.
+#              PLUTO_MY_SOURCEIP is a legacy variable and equals to the first
+#              virtual IP, IPv4 or IPv6.
 #
 #       PLUTO_MY_PROTOCOL
 #              is the IP protocol that will be transported.
@@ -128,9 +132,15 @@
 #              contains the remote UDP port in the case of ESP_IN_UDP
 #              encapsulation
 #
+#       PLUTO_DNS4_$i
+#       PLUTO_DNS6_$i
+#              contains IPv4/IPv6 DNS server attribute received from a
+#              responder, $i enumerates from 1 to the number of servers per
+#              address family.
+#
 
 # define a minimum PATH environment in case it is not set
-PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/sbin"
+PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/sbin:/usr/local/sbin"
 export PATH
 
 # uncomment to log VPN connections
diff --git a/testing/tests/ikev2/nat-rw-mark/posttest.dat b/testing/tests/ikev2/nat-rw-mark/posttest.dat
index 89d5f534b..72dff4e10 100644
--- a/testing/tests/ikev2/nat-rw-mark/posttest.dat
+++ b/testing/tests/ikev2/nat-rw-mark/posttest.dat
@@ -2,10 +2,11 @@ sun::iptables -t mangle -v -n -L PREROUTING
 sun::ipsec stop
 alice::ipsec stop
 venus::ipsec stop
-alice::/etc/init.d/iptables stop 2> /dev/null
-venus::/etc/init.d/iptables stop 2> /dev/null
-sun::/etc/init.d/iptables stop 2> /dev/null
-moon::iptables -t nat -F
+alice::iptables-restore < /etc/iptables.flush
+venus::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
+moon::iptables-restore < /etc/iptables.flush
 moon::conntrack -F
+sun::iptables-restore < /etc/iptables.flush
 sun::conntrack -F
 sun::rm /etc/mark_updown
diff --git a/testing/tests/ikev2/nat-rw-mark/pretest.dat b/testing/tests/ikev2/nat-rw-mark/pretest.dat
index 3ed13d5fa..6cddfd4fe 100644
--- a/testing/tests/ikev2/nat-rw-mark/pretest.dat
+++ b/testing/tests/ikev2/nat-rw-mark/pretest.dat
@@ -1,21 +1,20 @@
-sun::/etc/init.d/iptables start 2> /dev/null
-alice::/etc/init.d/iptables start 2> /dev/null
-venus::/etc/init.d/iptables start 2> /dev/null
-moon::echo 1 > /proc/sys/net/ipv4/ip_forward
+sun::iptables-restore < /etc/iptables.rules
+alice::iptables-restore < /etc/iptables.rules
+venus::iptables-restore < /etc/iptables.rules
 moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p tcp -j SNAT --to PH_IP_MOON
 moon::iptables -t nat -A POSTROUTING -o eth0 -s PH_IP_ALICE -p udp --sport 500  -j SNAT --to PH_IP_MOON:510
 moon::iptables -t nat -A POSTROUTING -o eth0 -s PH_IP_VENUS -p udp --sport 500  -j SNAT --to PH_IP_MOON:520
 moon::iptables -t nat -A POSTROUTING -o eth0 -s PH_IP_ALICE -p udp --sport 4500 -j SNAT --to PH_IP_MOON:4510
 moon::iptables -t nat -A POSTROUTING -o eth0 -s PH_IP_VENUS -p udp --sport 4500 -j SNAT --to PH_IP_MOON:4520
-sun::iptables -t nat -A POSTROUTING -o eth1 -m mark --mark 10 -j SNAT --to 10.3.0.10
-sun::iptables -t nat -A POSTROUTING -o eth1 -m mark --mark 20 -j SNAT --to 10.3.0.20
-sun::iptables -t mangle -A PREROUTING -d 10.3.0.10 -j MARK --set-mark 10
-sun::iptables -t mangle -A PREROUTING -d 10.3.0.20 -j MARK --set-mark 20
+sun::iptables -t nat -A POSTROUTING -o eth1 -m mark --mark 10 -j SNAT --to PH_IP_CAROL10
+sun::iptables -t nat -A POSTROUTING -o eth1 -m mark --mark 20 -j SNAT --to PH_IP_DAVE10
+sun::iptables -t mangle -A PREROUTING -d PH_IP_CAROL10 -j MARK --set-mark 10
+sun::iptables -t mangle -A PREROUTING -d PH_IP_DAVE10 -j MARK --set-mark 20
 sun::ipsec start
 alice::ipsec start
 venus::ipsec start
-alice::sleep 2 
+alice::sleep 2
 alice::ipsec up nat-t
-venus::sleep 2 
+venus::sleep 2
 venus::ipsec up nat-t
 venus::sleep 2
diff --git a/testing/tests/ikev2/nat-rw-mark/test.conf b/testing/tests/ikev2/nat-rw-mark/test.conf
index ae3c190b8..105472cbe 100644
--- a/testing/tests/ikev2/nat-rw-mark/test.conf
+++ b/testing/tests/ikev2/nat-rw-mark/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice venus moon winnetou sun bob"
+VIRTHOSTS="alice venus moon winnetou sun bob"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-v-m-w-s-b.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon bob"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="alice venus sun"
diff --git a/testing/tests/ikev2/nat-rw-psk/evaltest.dat b/testing/tests/ikev2/nat-rw-psk/evaltest.dat
index 051db978a..6ec29c779 100644
--- a/testing/tests/ikev2/nat-rw-psk/evaltest.dat
+++ b/testing/tests/ikev2/nat-rw-psk/evaltest.dat
@@ -3,7 +3,7 @@ venus::ipsec status 2> /dev/null::nat-t.*INSTALLED. TUNNEL, ESP in UDP::YES
 sun::  ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL, ESP in UDP::YES
 sun::  ipsec status 2> /dev/null::nat-t.*\[PH_IP_ALICE\]::YES
 sun::  ipsec status 2> /dev/null::nat-t.*\[PH_IP_VENUS\]::YES
-alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
-venus::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
-moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.ipsec-nat-t: UDP::YES
-moon::tcpdump::IP sun.strongswan.org.ipsec-nat-t > moon.strongswan.org.*: UDP::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
+venus::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
+moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.4500: UDP::YES
+moon::tcpdump::IP sun.strongswan.org.4500 > moon.strongswan.org.*: UDP::YES
diff --git a/testing/tests/ikev2/nat-rw-psk/hosts/sun/etc/iptables.rules b/testing/tests/ikev2/nat-rw-psk/hosts/sun/etc/iptables.rules
new file mode 100644
index 000000000..ae8f9a61e
--- /dev/null
+++ b/testing/tests/ikev2/nat-rw-psk/hosts/sun/etc/iptables.rules
@@ -0,0 +1,24 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow IKE
+-A INPUT  -i eth0 -p udp --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT  -i eth0 -p udp --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT  -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/ikev2/nat-rw-psk/posttest.dat b/testing/tests/ikev2/nat-rw-psk/posttest.dat
index 52572ece8..4643a3a7b 100644
--- a/testing/tests/ikev2/nat-rw-psk/posttest.dat
+++ b/testing/tests/ikev2/nat-rw-psk/posttest.dat
@@ -1,8 +1,8 @@
 sun::ipsec stop
 alice::ipsec stop
 venus::ipsec stop
-alice::/etc/init.d/iptables stop 2> /dev/null
-venus::/etc/init.d/iptables stop 2> /dev/null
-sun::/etc/init.d/iptables stop 2> /dev/null
+alice::iptables-restore < /etc/iptables.flush
+venus::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
 moon::iptables -t nat -F
 moon::conntrack -F
diff --git a/testing/tests/ikev2/nat-rw-psk/pretest.dat b/testing/tests/ikev2/nat-rw-psk/pretest.dat
index 6a542ec8f..c5d091f32 100644
--- a/testing/tests/ikev2/nat-rw-psk/pretest.dat
+++ b/testing/tests/ikev2/nat-rw-psk/pretest.dat
@@ -1,7 +1,6 @@
-alice::/etc/init.d/iptables start 2> /dev/null
-venus::/etc/init.d/iptables start 2> /dev/null
-sun::/etc/init.d/iptables start 2> /dev/null
-moon::echo 1 > /proc/sys/net/ipv4/ip_forward
+alice::iptables-restore < /etc/iptables.rules
+venus::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
 moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p udp -j SNAT --to-source PH_IP_MOON:1024-1100
 moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p tcp -j SNAT --to-source PH_IP_MOON:2000-2100
 alice::rm /etc/ipsec.d/cacerts/*
diff --git a/testing/tests/ikev2/nat-rw-psk/test.conf b/testing/tests/ikev2/nat-rw-psk/test.conf
index 84317fd70..f515d4bc7 100644
--- a/testing/tests/ikev2/nat-rw-psk/test.conf
+++ b/testing/tests/ikev2/nat-rw-psk/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice venus moon winnetou sun bob"
+VIRTHOSTS="alice venus moon winnetou sun bob"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-v-m-w-s-b.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="alice venus sun"
diff --git a/testing/tests/ikev2/nat-rw/evaltest.dat b/testing/tests/ikev2/nat-rw/evaltest.dat
index e0b458dba..387dbae23 100644
--- a/testing/tests/ikev2/nat-rw/evaltest.dat
+++ b/testing/tests/ikev2/nat-rw/evaltest.dat
@@ -6,13 +6,13 @@ alice::ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL, ESP in UDP::YES
 venus::ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL, ESP in UDP::YES
 sun::  ipsec status 2> /dev/null::nat-t[{]1}.*INSTALLED, TUNNEL, ESP in UDP::YES
 sun::  ipsec status 2> /dev/null::nat-t[{]2}.*INSTALLED, TUNNEL, ESP in UDP::YES
-alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
-venus::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
+venus::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
 moon:: sleep 6::no output expected::NO
-bob::  ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-bob::  ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_seq=1::YES
-moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.ipsec-nat-t: UDP-encap: ESP::YES
-moon::tcpdump::IP sun.strongswan.org.ipsec-nat-t > moon.strongswan.org.*: UDP-encap: ESP::YES
-moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.ipsec-nat-t: isakmp-nat-keep-alive::YES
+bob::  ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+bob::  ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES
+moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.4500: UDP-encap: ESP::YES
+moon::tcpdump::IP sun.strongswan.org.4500 > moon.strongswan.org.*: UDP-encap: ESP::YES
+moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.4500: isakmp-nat-keep-alive::YES
 alice::cat /var/log/daemon.log::sending keep alive::YES
 venus::cat /var/log/daemon.log::sending keep alive::YES
diff --git a/testing/tests/ikev2/nat-rw/hosts/sun/etc/iptables.rules b/testing/tests/ikev2/nat-rw/hosts/sun/etc/iptables.rules
new file mode 100644
index 000000000..ae8f9a61e
--- /dev/null
+++ b/testing/tests/ikev2/nat-rw/hosts/sun/etc/iptables.rules
@@ -0,0 +1,24 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow IKE
+-A INPUT  -i eth0 -p udp --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT  -i eth0 -p udp --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT  -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/ikev2/nat-rw/posttest.dat b/testing/tests/ikev2/nat-rw/posttest.dat
index 52572ece8..4643a3a7b 100644
--- a/testing/tests/ikev2/nat-rw/posttest.dat
+++ b/testing/tests/ikev2/nat-rw/posttest.dat
@@ -1,8 +1,8 @@
 sun::ipsec stop
 alice::ipsec stop
 venus::ipsec stop
-alice::/etc/init.d/iptables stop 2> /dev/null
-venus::/etc/init.d/iptables stop 2> /dev/null
-sun::/etc/init.d/iptables stop 2> /dev/null
+alice::iptables-restore < /etc/iptables.flush
+venus::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
 moon::iptables -t nat -F
 moon::conntrack -F
diff --git a/testing/tests/ikev2/nat-rw/pretest.dat b/testing/tests/ikev2/nat-rw/pretest.dat
index e365ff5c5..d701a1d61 100644
--- a/testing/tests/ikev2/nat-rw/pretest.dat
+++ b/testing/tests/ikev2/nat-rw/pretest.dat
@@ -1,7 +1,6 @@
-alice::/etc/init.d/iptables start 2> /dev/null
-venus::/etc/init.d/iptables start 2> /dev/null
-sun::/etc/init.d/iptables start 2> /dev/null
-moon::echo 1 > /proc/sys/net/ipv4/ip_forward
+alice::iptables-restore < /etc/iptables.rules
+venus::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
 moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p udp -j SNAT --to-source PH_IP_MOON:1024-1100
 moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p tcp -j SNAT --to-source PH_IP_MOON:2000-2100
 alice::ipsec start
diff --git a/testing/tests/ikev2/nat-rw/test.conf b/testing/tests/ikev2/nat-rw/test.conf
index 84317fd70..f515d4bc7 100644
--- a/testing/tests/ikev2/nat-rw/test.conf
+++ b/testing/tests/ikev2/nat-rw/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice venus moon winnetou sun bob"
+VIRTHOSTS="alice venus moon winnetou sun bob"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-v-m-w-s-b.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="alice venus sun"
diff --git a/testing/tests/ikev2/nat-virtual-ip/evaltest.dat b/testing/tests/ikev2/nat-virtual-ip/evaltest.dat
index 9c98e312a..c60ffc772 100644
--- a/testing/tests/ikev2/nat-virtual-ip/evaltest.dat
+++ b/testing/tests/ikev2/nat-virtual-ip/evaltest.dat
@@ -1,7 +1,7 @@
 moon:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
 sun::  ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
 moon:: cat /var/log/daemon.log::inserted NAT rule mapping PH_IP_ALICE to virtual IP::YES
-alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
 sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
 sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
 bob::tcpdump::IP alice2.strongswan.org > bob.strongswan.org: ICMP::YES
diff --git a/testing/tests/ikev2/nat-virtual-ip/posttest.dat b/testing/tests/ikev2/nat-virtual-ip/posttest.dat
index ee30e2c59..11bd19da7 100644
--- a/testing/tests/ikev2/nat-virtual-ip/posttest.dat
+++ b/testing/tests/ikev2/nat-virtual-ip/posttest.dat
@@ -1,6 +1,6 @@
 moon::ipsec stop
 sun::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-sun::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
 moon::conntrack -F
 moon::rm /etc/nat_updown
diff --git a/testing/tests/ikev2/nat-virtual-ip/pretest.dat b/testing/tests/ikev2/nat-virtual-ip/pretest.dat
index abbca90d7..eb0c28c7f 100644
--- a/testing/tests/ikev2/nat-virtual-ip/pretest.dat
+++ b/testing/tests/ikev2/nat-virtual-ip/pretest.dat
@@ -1,7 +1,6 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-sun::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
 moon::conntrack -F
-moon::echo 1 > /proc/sys/net/ipv4/ip_forward
 moon::ipsec start
 sun::ipsec start
 moon::sleep 1 
diff --git a/testing/tests/ikev2/nat-virtual-ip/test.conf b/testing/tests/ikev2/nat-virtual-ip/test.conf
index 1971a33ab..f46f137b4 100644
--- a/testing/tests/ikev2/nat-virtual-ip/test.conf
+++ b/testing/tests/ikev2/nat-virtual-ip/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon winnetou sun bob"
+VIRTHOSTS="alice moon winnetou sun bob"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-w-s-b.png"
  
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="sun bob"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon sun"
diff --git a/testing/tests/ikev2/net2net-cert/evaltest.dat b/testing/tests/ikev2/net2net-cert/evaltest.dat
index c98f5d78d..2b37cad99 100644
--- a/testing/tests/ikev2/net2net-cert/evaltest.dat
+++ b/testing/tests/ikev2/net2net-cert/evaltest.dat
@@ -2,6 +2,6 @@ moon::ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.
 sun:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
 moon::ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
 sun:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
-alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
 sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
 sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/net2net-cert/posttest.dat b/testing/tests/ikev2/net2net-cert/posttest.dat
index a4c96e10f..837738fc6 100644
--- a/testing/tests/ikev2/net2net-cert/posttest.dat
+++ b/testing/tests/ikev2/net2net-cert/posttest.dat
@@ -1,5 +1,5 @@
 moon::ipsec stop
 sun::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-sun::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
 
diff --git a/testing/tests/ikev2/net2net-cert/pretest.dat b/testing/tests/ikev2/net2net-cert/pretest.dat
index 2d7a78acb..c724e5df8 100644
--- a/testing/tests/ikev2/net2net-cert/pretest.dat
+++ b/testing/tests/ikev2/net2net-cert/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-sun::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 sun::ipsec start
 moon::sleep 1 
diff --git a/testing/tests/ikev2/net2net-cert/test.conf b/testing/tests/ikev2/net2net-cert/test.conf
index d9a61590f..646b8b3e6 100644
--- a/testing/tests/ikev2/net2net-cert/test.conf
+++ b/testing/tests/ikev2/net2net-cert/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon winnetou sun bob"
+VIRTHOSTS="alice moon winnetou sun bob"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-w-s-b.png"
  
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="sun"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon sun"
diff --git a/testing/tests/ikev2/net2net-esn/posttest.dat b/testing/tests/ikev2/net2net-esn/posttest.dat
index a4c96e10f..837738fc6 100644
--- a/testing/tests/ikev2/net2net-esn/posttest.dat
+++ b/testing/tests/ikev2/net2net-esn/posttest.dat
@@ -1,5 +1,5 @@
 moon::ipsec stop
 sun::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-sun::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
 
diff --git a/testing/tests/ikev2/net2net-esn/pretest.dat b/testing/tests/ikev2/net2net-esn/pretest.dat
index 2d7a78acb..c724e5df8 100644
--- a/testing/tests/ikev2/net2net-esn/pretest.dat
+++ b/testing/tests/ikev2/net2net-esn/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-sun::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 sun::ipsec start
 moon::sleep 1 
diff --git a/testing/tests/ikev2/net2net-esn/test.conf b/testing/tests/ikev2/net2net-esn/test.conf
index d9a61590f..646b8b3e6 100644
--- a/testing/tests/ikev2/net2net-esn/test.conf
+++ b/testing/tests/ikev2/net2net-esn/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon winnetou sun bob"
+VIRTHOSTS="alice moon winnetou sun bob"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-w-s-b.png"
  
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="sun"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon sun"
diff --git a/testing/tests/ikev2/net2net-pgp-v3/evaltest.dat b/testing/tests/ikev2/net2net-pgp-v3/evaltest.dat
index 97dd63c5a..460c659d9 100644
--- a/testing/tests/ikev2/net2net-pgp-v3/evaltest.dat
+++ b/testing/tests/ikev2/net2net-pgp-v3/evaltest.dat
@@ -2,6 +2,6 @@ moon:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*71:27:04:32:cd:76:3a:18:
 sun::  ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun <sun.strongswan.org>.*71:27:04:32:cd:76:3a:18:02:0a:c9:88:c0:e7:5a:ed::YES
 moon:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
 sun::  ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
-alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
 sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
 sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/net2net-pgp-v3/posttest.dat b/testing/tests/ikev2/net2net-pgp-v3/posttest.dat
index fafcde975..9a9513dc3 100644
--- a/testing/tests/ikev2/net2net-pgp-v3/posttest.dat
+++ b/testing/tests/ikev2/net2net-pgp-v3/posttest.dat
@@ -1,7 +1,7 @@
 moon::ipsec stop
 sun::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-sun::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
 moon::rm /etc/ipsec.d/certs/*
 moon::rm /etc/ipsec.d/private/*
 sun::rm /etc/ipsec.d/certs/*
diff --git a/testing/tests/ikev2/net2net-pgp-v3/pretest.dat b/testing/tests/ikev2/net2net-pgp-v3/pretest.dat
index 9e40684ab..0f4ae0f4f 100644
--- a/testing/tests/ikev2/net2net-pgp-v3/pretest.dat
+++ b/testing/tests/ikev2/net2net-pgp-v3/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-sun::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
 moon::rm /etc/ipsec.d/cacerts/*
 sun::rm /etc/ipsec.d/cacerts/*
 moon::ipsec start
diff --git a/testing/tests/ikev2/net2net-pgp-v3/test.conf b/testing/tests/ikev2/net2net-pgp-v3/test.conf
index f74d0f7d6..afa2accbe 100644
--- a/testing/tests/ikev2/net2net-pgp-v3/test.conf
+++ b/testing/tests/ikev2/net2net-pgp-v3/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon winnetou sun bob"
+VIRTHOSTS="alice moon winnetou sun bob"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-w-s-b.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="sun"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon sun"
diff --git a/testing/tests/ikev2/net2net-pgp-v4/evaltest.dat b/testing/tests/ikev2/net2net-pgp-v4/evaltest.dat
index 4615c3ed8..f74eb6a19 100644
--- a/testing/tests/ikev2/net2net-pgp-v4/evaltest.dat
+++ b/testing/tests/ikev2/net2net-pgp-v4/evaltest.dat
@@ -2,6 +2,6 @@ moon:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*b4:
 sun::  ipsec status 2> /dev/null::net-net.*ESTABLISHED.*b4:2f:31:fe:c8:0a:e3:26:4a:10:1c:85:97:7a:04:ac:8d:16:38:d3.*moon.strongswan.org::YES
 moon:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
 sun::  ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
-alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
 sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
 sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/net2net-pgp-v4/posttest.dat b/testing/tests/ikev2/net2net-pgp-v4/posttest.dat
index fafcde975..9a9513dc3 100644
--- a/testing/tests/ikev2/net2net-pgp-v4/posttest.dat
+++ b/testing/tests/ikev2/net2net-pgp-v4/posttest.dat
@@ -1,7 +1,7 @@
 moon::ipsec stop
 sun::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-sun::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
 moon::rm /etc/ipsec.d/certs/*
 moon::rm /etc/ipsec.d/private/*
 sun::rm /etc/ipsec.d/certs/*
diff --git a/testing/tests/ikev2/net2net-pgp-v4/pretest.dat b/testing/tests/ikev2/net2net-pgp-v4/pretest.dat
index 9e40684ab..0f4ae0f4f 100644
--- a/testing/tests/ikev2/net2net-pgp-v4/pretest.dat
+++ b/testing/tests/ikev2/net2net-pgp-v4/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-sun::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
 moon::rm /etc/ipsec.d/cacerts/*
 sun::rm /etc/ipsec.d/cacerts/*
 moon::ipsec start
diff --git a/testing/tests/ikev2/net2net-pgp-v4/test.conf b/testing/tests/ikev2/net2net-pgp-v4/test.conf
index f74d0f7d6..afa2accbe 100644
--- a/testing/tests/ikev2/net2net-pgp-v4/test.conf
+++ b/testing/tests/ikev2/net2net-pgp-v4/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon winnetou sun bob"
+VIRTHOSTS="alice moon winnetou sun bob"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-w-s-b.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="sun"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon sun"
diff --git a/testing/tests/ikev2/net2net-psk-dscp/evaltest.dat b/testing/tests/ikev2/net2net-psk-dscp/evaltest.dat
index 1556143cf..113c3d9c0 100644
--- a/testing/tests/ikev2/net2net-psk-dscp/evaltest.dat
+++ b/testing/tests/ikev2/net2net-psk-dscp/evaltest.dat
@@ -2,7 +2,7 @@ moon:: ipsec status 2> /dev/null::dscp-be.*ESTABLISHED.*moon-be.*sun-be::YES
 moon:: ipsec status 2> /dev/null::dscp-ef.*ESTABLISHED.*moon-ef.*sun-ef::YES
 sun::  ipsec status 2> /dev/null::dscp-be.*ESTABLISHED.*sun-be.*moon-be::YES
 sun::  ipsec status 2> /dev/null::dscp-ef.*ESTABLISHED.*sun-ef.*moon-ef::YES
-alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
-venus::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
+venus::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
 sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
 sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/net2net-psk-dscp/posttest.dat b/testing/tests/ikev2/net2net-psk-dscp/posttest.dat
index d070c1443..21a22bfb8 100644
--- a/testing/tests/ikev2/net2net-psk-dscp/posttest.dat
+++ b/testing/tests/ikev2/net2net-psk-dscp/posttest.dat
@@ -1,7 +1,7 @@
 moon::ipsec stop
 sun::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-sun::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
 alice::iptables -t mangle -F OUTPUT
 venus::iptables -t mangle -F OUTPUT
 bob::iptables -t mangle -F OUTPUT
diff --git a/testing/tests/ikev2/net2net-psk-dscp/pretest.dat b/testing/tests/ikev2/net2net-psk-dscp/pretest.dat
index 058c24f8f..0495890dd 100644
--- a/testing/tests/ikev2/net2net-psk-dscp/pretest.dat
+++ b/testing/tests/ikev2/net2net-psk-dscp/pretest.dat
@@ -1,7 +1,7 @@
 moon::rm /etc/ipsec.d/cacerts/*
 sun::rm /etc/ipsec.d/cacerts/*
-moon::/etc/init.d/iptables start 2> /dev/null
-sun::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
 alice::iptables -t mangle -A OUTPUT -p icmp -j DSCP --set-dscp-class BE
 venus::iptables -t mangle -A OUTPUT -p icmp -j DSCP --set-dscp-class EF
 moon::iptables -t mangle -A PREROUTING -m dscp --dscp-class BE -j MARK --set-mark 10
diff --git a/testing/tests/ikev2/net2net-psk-dscp/test.conf b/testing/tests/ikev2/net2net-psk-dscp/test.conf
index 13a8a2a48..10c582c9b 100644
--- a/testing/tests/ikev2/net2net-psk-dscp/test.conf
+++ b/testing/tests/ikev2/net2net-psk-dscp/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice venus moon winnetou sun bob"
+VIRTHOSTS="alice venus moon winnetou sun bob"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-v-m-w-s-b.png"
  
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="sun"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon sun"
diff --git a/testing/tests/ikev2/net2net-psk-fail/posttest.dat b/testing/tests/ikev2/net2net-psk-fail/posttest.dat
index 5a9150bc8..1f7aa73a1 100644
--- a/testing/tests/ikev2/net2net-psk-fail/posttest.dat
+++ b/testing/tests/ikev2/net2net-psk-fail/posttest.dat
@@ -1,4 +1,4 @@
 moon::ipsec stop
 sun::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-sun::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/net2net-psk-fail/pretest.dat b/testing/tests/ikev2/net2net-psk-fail/pretest.dat
index 976a196db..cb9282595 100644
--- a/testing/tests/ikev2/net2net-psk-fail/pretest.dat
+++ b/testing/tests/ikev2/net2net-psk-fail/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-sun::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
 moon::rm /etc/ipsec.d/cacerts/*
 sun::rm /etc/ipsec.d/cacerts/*
 moon::ipsec start
diff --git a/testing/tests/ikev2/net2net-psk-fail/test.conf b/testing/tests/ikev2/net2net-psk-fail/test.conf
index f6e064e7d..eb4822b5d 100644
--- a/testing/tests/ikev2/net2net-psk-fail/test.conf
+++ b/testing/tests/ikev2/net2net-psk-fail/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="moon winnetou sun"
+VIRTHOSTS="moon winnetou sun"
 
 # Corresponding block diagram
 #
 DIAGRAM="m-w-s.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS=""
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon sun"
diff --git a/testing/tests/ikev2/net2net-psk/evaltest.dat b/testing/tests/ikev2/net2net-psk/evaltest.dat
index c98f5d78d..2b37cad99 100644
--- a/testing/tests/ikev2/net2net-psk/evaltest.dat
+++ b/testing/tests/ikev2/net2net-psk/evaltest.dat
@@ -2,6 +2,6 @@ moon::ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.
 sun:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
 moon::ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
 sun:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
-alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
 sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
 sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/net2net-psk/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2/net2net-psk/hosts/moon/etc/ipsec.secrets
index cbdddfb18..ba909a234 100644
--- a/testing/tests/ikev2/net2net-psk/hosts/moon/etc/ipsec.secrets
+++ b/testing/tests/ikev2/net2net-psk/hosts/moon/etc/ipsec.secrets
@@ -8,5 +8,5 @@
 
 : PSK 'My "home" is my "castle"!'
 
-192.168.0.1 : PSK   "Andi's home"
+PH_IP_MOON : PSK   "Andi's home"
 
diff --git a/testing/tests/ikev2/net2net-psk/posttest.dat b/testing/tests/ikev2/net2net-psk/posttest.dat
index 5a9150bc8..1f7aa73a1 100644
--- a/testing/tests/ikev2/net2net-psk/posttest.dat
+++ b/testing/tests/ikev2/net2net-psk/posttest.dat
@@ -1,4 +1,4 @@
 moon::ipsec stop
 sun::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-sun::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/net2net-psk/pretest.dat b/testing/tests/ikev2/net2net-psk/pretest.dat
index 976a196db..cb9282595 100644
--- a/testing/tests/ikev2/net2net-psk/pretest.dat
+++ b/testing/tests/ikev2/net2net-psk/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-sun::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
 moon::rm /etc/ipsec.d/cacerts/*
 sun::rm /etc/ipsec.d/cacerts/*
 moon::ipsec start
diff --git a/testing/tests/ikev2/net2net-psk/test.conf b/testing/tests/ikev2/net2net-psk/test.conf
index f74d0f7d6..afa2accbe 100644
--- a/testing/tests/ikev2/net2net-psk/test.conf
+++ b/testing/tests/ikev2/net2net-psk/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon winnetou sun bob"
+VIRTHOSTS="alice moon winnetou sun bob"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-w-s-b.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="sun"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon sun"
diff --git a/testing/tests/ikev2/net2net-pubkey/evaltest.dat b/testing/tests/ikev2/net2net-pubkey/evaltest.dat
index e47e709e2..bc03a39fb 100644
--- a/testing/tests/ikev2/net2net-pubkey/evaltest.dat
+++ b/testing/tests/ikev2/net2net-pubkey/evaltest.dat
@@ -2,6 +2,6 @@ moon:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun
 sun::  ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
 moon:: ipsec status 2> /dev/null::INSTALLED, TUNNEL::YES
 sun::  ipsec status 2> /dev/null::INSTALLED, TUNNEL::YES
-alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
 sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
 sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/net2net-pubkey/posttest.dat b/testing/tests/ikev2/net2net-pubkey/posttest.dat
index 65b18b7ca..675b02976 100644
--- a/testing/tests/ikev2/net2net-pubkey/posttest.dat
+++ b/testing/tests/ikev2/net2net-pubkey/posttest.dat
@@ -1,7 +1,7 @@
 moon::ipsec stop
 sun::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-sun::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
 moon::rm /etc/ipsec.d/private/moonKey.der
 sun::rm /etc/ipsec.d/private/sunKey.der
 moon::rm /etc/ipsec.d/certs/*.der
diff --git a/testing/tests/ikev2/net2net-pubkey/pretest.dat b/testing/tests/ikev2/net2net-pubkey/pretest.dat
index 9e40684ab..0f4ae0f4f 100644
--- a/testing/tests/ikev2/net2net-pubkey/pretest.dat
+++ b/testing/tests/ikev2/net2net-pubkey/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-sun::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
 moon::rm /etc/ipsec.d/cacerts/*
 sun::rm /etc/ipsec.d/cacerts/*
 moon::ipsec start
diff --git a/testing/tests/ikev2/net2net-pubkey/test.conf b/testing/tests/ikev2/net2net-pubkey/test.conf
index f74d0f7d6..afa2accbe 100644
--- a/testing/tests/ikev2/net2net-pubkey/test.conf
+++ b/testing/tests/ikev2/net2net-pubkey/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon winnetou sun bob"
+VIRTHOSTS="alice moon winnetou sun bob"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-w-s-b.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="sun"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon sun"
diff --git a/testing/tests/ikev2/net2net-rfc3779/evaltest.dat b/testing/tests/ikev2/net2net-rfc3779/evaltest.dat
index 59d0372dc..e8e1a46e4 100644
--- a/testing/tests/ikev2/net2net-rfc3779/evaltest.dat
+++ b/testing/tests/ikev2/net2net-rfc3779/evaltest.dat
@@ -1,15 +1,15 @@
 moon:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
 sun::  ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
 moon:: cat /var/log/daemon.log::subject address block 10.2.0.0/16 is contained in issuer address block 10.1.0.0..10.2.255.255::YES 
-moon:: cat /var/log/daemon.log::subject address block 192.168.0.2/32 is contained in issuer address block 192.168.0.0/24::YES 
+moon:: cat /var/log/daemon.log::subject address block PH_IP_SUN/32 is contained in issuer address block 192.168.0.0/24::YES
 moon:: cat /var/log/daemon.log::subject address block fec0:\:2/128 is contained in issuer address block fec0:\:..fec2:ffff:ffff:ffff:ffff:ffff:ffff:ffff::YES 
 moon:: cat /var/log/daemon.log::subject address block fec2:\:/16 is contained in issuer address block fec0:\:..fec2:ffff:ffff:ffff:ffff:ffff:ffff:ffff::YES 
 sun::  cat /var/log/daemon.log::subject address block 10.1.0.0/16 is contained in issuer address block 10.1.0.0..10.2.255.255::YES 
-sun::  cat /var/log/daemon.log::subject address block 192.168.0.1/32 is contained in issuer address block 192.168.0.0/24::YES 
+sun::  cat /var/log/daemon.log::subject address block PH_IP_MOON/32 is contained in issuer address block 192.168.0.0/24::YES
 sun::  cat /var/log/daemon.log::subject address block fec0:\:1/128 is contained in issuer address block fec0:\:..fec2:ffff:ffff:ffff:ffff:ffff:ffff:ffff::YES 
 sun::  cat /var/log/daemon.log::subject address block fec1:\:/16 is contained in issuer address block fec0:\:..fec2:ffff:ffff:ffff:ffff:ffff:ffff:ffff::YES 
 moon:: cat /var/log/daemon.log::TS 10.2.0.0/16 is contained in address block constraint 10.2.0.0/16::YES
 sun::  cat /var/log/daemon.log::TS 10.1.0.0/16 is contained in address block constraint 10.1.0.0/16::YES
-alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
 sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
 sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/net2net-rfc3779/posttest.dat b/testing/tests/ikev2/net2net-rfc3779/posttest.dat
index a4c96e10f..837738fc6 100644
--- a/testing/tests/ikev2/net2net-rfc3779/posttest.dat
+++ b/testing/tests/ikev2/net2net-rfc3779/posttest.dat
@@ -1,5 +1,5 @@
 moon::ipsec stop
 sun::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-sun::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
 
diff --git a/testing/tests/ikev2/net2net-rfc3779/pretest.dat b/testing/tests/ikev2/net2net-rfc3779/pretest.dat
index 545a3690e..9fe2860b9 100644
--- a/testing/tests/ikev2/net2net-rfc3779/pretest.dat
+++ b/testing/tests/ikev2/net2net-rfc3779/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-sun::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 sun::ipsec start
 moon::sleep 1 
diff --git a/testing/tests/ikev2/net2net-rfc3779/test.conf b/testing/tests/ikev2/net2net-rfc3779/test.conf
index d9a61590f..646b8b3e6 100644
--- a/testing/tests/ikev2/net2net-rfc3779/test.conf
+++ b/testing/tests/ikev2/net2net-rfc3779/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon winnetou sun bob"
+VIRTHOSTS="alice moon winnetou sun bob"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-w-s-b.png"
  
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="sun"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon sun"
diff --git a/testing/tests/ikev2/net2net-route/evaltest.dat b/testing/tests/ikev2/net2net-route/evaltest.dat
index 63d1cde24..77ab6e7c6 100644
--- a/testing/tests/ikev2/net2net-route/evaltest.dat
+++ b/testing/tests/ikev2/net2net-route/evaltest.dat
@@ -3,6 +3,6 @@ moon:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun
 sun::  ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
 moon:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
 sun::  ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
-alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
 sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
 sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/net2net-route/posttest.dat b/testing/tests/ikev2/net2net-route/posttest.dat
index 5a9150bc8..1f7aa73a1 100644
--- a/testing/tests/ikev2/net2net-route/posttest.dat
+++ b/testing/tests/ikev2/net2net-route/posttest.dat
@@ -1,4 +1,4 @@
 moon::ipsec stop
 sun::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-sun::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/net2net-route/pretest.dat b/testing/tests/ikev2/net2net-route/pretest.dat
index 2eef7de19..e4ee3fac2 100644
--- a/testing/tests/ikev2/net2net-route/pretest.dat
+++ b/testing/tests/ikev2/net2net-route/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-sun::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 sun::ipsec start
 moon::sleep 2 
diff --git a/testing/tests/ikev2/net2net-route/test.conf b/testing/tests/ikev2/net2net-route/test.conf
index d9a61590f..646b8b3e6 100644
--- a/testing/tests/ikev2/net2net-route/test.conf
+++ b/testing/tests/ikev2/net2net-route/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon winnetou sun bob"
+VIRTHOSTS="alice moon winnetou sun bob"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-w-s-b.png"
  
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="sun"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon sun"
diff --git a/testing/tests/ikev2/net2net-rsa/evaltest.dat b/testing/tests/ikev2/net2net-rsa/evaltest.dat
index e47e709e2..bc03a39fb 100644
--- a/testing/tests/ikev2/net2net-rsa/evaltest.dat
+++ b/testing/tests/ikev2/net2net-rsa/evaltest.dat
@@ -2,6 +2,6 @@ moon:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun
 sun::  ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
 moon:: ipsec status 2> /dev/null::INSTALLED, TUNNEL::YES
 sun::  ipsec status 2> /dev/null::INSTALLED, TUNNEL::YES
-alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
 sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
 sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/net2net-rsa/posttest.dat b/testing/tests/ikev2/net2net-rsa/posttest.dat
index a199946aa..f7fe7dc48 100644
--- a/testing/tests/ikev2/net2net-rsa/posttest.dat
+++ b/testing/tests/ikev2/net2net-rsa/posttest.dat
@@ -1,6 +1,6 @@
 moon::ipsec stop
 sun::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-sun::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
 moon::rm /etc/ipsec.d/private/moonKey.der
 sun::rm /etc/ipsec.d/private/sunKey.der
diff --git a/testing/tests/ikev2/net2net-rsa/pretest.dat b/testing/tests/ikev2/net2net-rsa/pretest.dat
index 9e40684ab..0f4ae0f4f 100644
--- a/testing/tests/ikev2/net2net-rsa/pretest.dat
+++ b/testing/tests/ikev2/net2net-rsa/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-sun::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
 moon::rm /etc/ipsec.d/cacerts/*
 sun::rm /etc/ipsec.d/cacerts/*
 moon::ipsec start
diff --git a/testing/tests/ikev2/net2net-rsa/test.conf b/testing/tests/ikev2/net2net-rsa/test.conf
index f74d0f7d6..afa2accbe 100644
--- a/testing/tests/ikev2/net2net-rsa/test.conf
+++ b/testing/tests/ikev2/net2net-rsa/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon winnetou sun bob"
+VIRTHOSTS="alice moon winnetou sun bob"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-w-s-b.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="sun"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon sun"
diff --git a/testing/tests/ikev2/net2net-same-nets/evaltest.dat b/testing/tests/ikev2/net2net-same-nets/evaltest.dat
index 1ca7e2d60..3b479cefa 100644
--- a/testing/tests/ikev2/net2net-same-nets/evaltest.dat
+++ b/testing/tests/ikev2/net2net-same-nets/evaltest.dat
@@ -2,8 +2,8 @@ moon:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun
 sun::  ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
 moon:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
 sun::  ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
-alice::ping -c 1 10.6.0.10::64 bytes from 10.6.0.10: icmp_seq=1::YES
-bob::  ping -c 1 10.9.0.10::64 bytes from 10.9.0.10: icmp_seq=1::YES
+alice::ping -c 1 10.6.0.10::64 bytes from 10.6.0.10: icmp_req=1::YES
+bob::  ping -c 1 10.9.0.10::64 bytes from 10.9.0.10: icmp_req=1::YES
 sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
 sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
 bob::tcpdump::IP 10.9.0.10 > bob.strongswan.org: ICMP echo request::YES
diff --git a/testing/tests/ikev2/net2net-same-nets/hosts/sun/etc/mark_updown b/testing/tests/ikev2/net2net-same-nets/hosts/sun/etc/mark_updown
index c64158a2f..bdba3fb05 100755
--- a/testing/tests/ikev2/net2net-same-nets/hosts/sun/etc/mark_updown
+++ b/testing/tests/ikev2/net2net-same-nets/hosts/sun/etc/mark_updown
@@ -73,8 +73,12 @@
 #              just the host, this will be 255.255.255.255.
 #
 #       PLUTO_MY_SOURCEIP
-#              if non-empty, then the source address for the route will be
-#              set to this IP address.
+#       PLUTO_MY_SOURCEIP4_$i
+#       PLUTO_MY_SOURCEIP6_$i
+#              contains IPv4/IPv6 virtual IP received from a responder,
+#              $i enumerates from 1 to the number of IP per address family.
+#              PLUTO_MY_SOURCEIP is a legacy variable and equals to the first
+#              virtual IP, IPv4 or IPv6.
 #
 #       PLUTO_MY_PROTOCOL
 #              is the IP protocol that will be transported.
@@ -128,9 +132,15 @@
 #              contains the remote UDP port in the case of ESP_IN_UDP
 #              encapsulation
 #
+#       PLUTO_DNS4_$i
+#       PLUTO_DNS6_$i
+#              contains IPv4/IPv6 DNS server attribute received from a
+#              responder, $i enumerates from 1 to the number of servers per
+#              address family.
+#
 
 # define a minimum PATH environment in case it is not set
-PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/sbin"
+PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/sbin:/usr/local/sbin"
 export PATH
 
 # check parameter(s)
@@ -196,8 +206,8 @@ up-client:)
 	    iptables -t nat -A PREROUTING -i $INT_INTERFACE -m mark --mark $PLUTO_MARK_OUT \
 	             -d $OUT_NET -j NETMAP --to $SAME_NET
 	    iptables -I FORWARD 1 -o $PLUTO_INTERFACE -m mark --mark $PLUTO_MARK_OUT -j ACCEPT
-            iptables -t nat -A POSTROUTING -o $PLUTO_INTERFACE -m mark --mark $PLUTO_MARK_OUT \
-                     -s $SAME_NET -j NETMAP --to $IN_NET
+	    iptables -t nat -A POSTROUTING -o $PLUTO_INTERFACE -m mark --mark $PLUTO_MARK_OUT \
+	             -s $SAME_NET -j NETMAP --to $IN_NET
 	fi
 	;;
 down-client:)
@@ -215,7 +225,11 @@ down-client:)
 	if [ -n "$PLUTO_MARK_OUT" ]
 	then
 	    iptables -t mangle -D PREROUTING $SET_MARK_OUT
+	    iptables -t nat -D PREROUTING -i $INT_INTERFACE -m mark --mark $PLUTO_MARK_OUT \
+	             -d $OUT_NET -j NETMAP --to $SAME_NET
 	    iptables -D FORWARD -o $PLUTO_INTERFACE -m mark --mark $PLUTO_MARK_OUT -j ACCEPT
+	    iptables -t nat -D POSTROUTING -o $PLUTO_INTERFACE -m mark --mark $PLUTO_MARK_OUT \
+	             -s $SAME_NET -j NETMAP --to $IN_NET
 	fi
 	;;
 *)	echo "$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'" >&2
diff --git a/testing/tests/ikev2/net2net-same-nets/posttest.dat b/testing/tests/ikev2/net2net-same-nets/posttest.dat
index e75e66650..b0225c37e 100644
--- a/testing/tests/ikev2/net2net-same-nets/posttest.dat
+++ b/testing/tests/ikev2/net2net-same-nets/posttest.dat
@@ -2,6 +2,6 @@ sun::iptables -t mangle -n -v -L PREROUTING
 sun::iptables -t nat -n -v -L
 moon::ipsec stop
 sun::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-sun::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
 sun::conntrack -F
diff --git a/testing/tests/ikev2/net2net-same-nets/pretest.dat b/testing/tests/ikev2/net2net-same-nets/pretest.dat
index 2d7a78acb..c724e5df8 100644
--- a/testing/tests/ikev2/net2net-same-nets/pretest.dat
+++ b/testing/tests/ikev2/net2net-same-nets/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-sun::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 sun::ipsec start
 moon::sleep 1 
diff --git a/testing/tests/ikev2/net2net-same-nets/test.conf b/testing/tests/ikev2/net2net-same-nets/test.conf
index 1971a33ab..f46f137b4 100644
--- a/testing/tests/ikev2/net2net-same-nets/test.conf
+++ b/testing/tests/ikev2/net2net-same-nets/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon winnetou sun bob"
+VIRTHOSTS="alice moon winnetou sun bob"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-w-s-b.png"
  
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="sun bob"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon sun"
diff --git a/testing/tests/ikev2/net2net-start/evaltest.dat b/testing/tests/ikev2/net2net-start/evaltest.dat
index dbd06104f..f003f822f 100644
--- a/testing/tests/ikev2/net2net-start/evaltest.dat
+++ b/testing/tests/ikev2/net2net-start/evaltest.dat
@@ -2,6 +2,6 @@ moon:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun
 sun::  ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
 moon:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
 sun::  ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
-alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
 sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
 sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/net2net-start/posttest.dat b/testing/tests/ikev2/net2net-start/posttest.dat
index 5a9150bc8..1f7aa73a1 100644
--- a/testing/tests/ikev2/net2net-start/posttest.dat
+++ b/testing/tests/ikev2/net2net-start/posttest.dat
@@ -1,4 +1,4 @@
 moon::ipsec stop
 sun::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-sun::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/net2net-start/pretest.dat b/testing/tests/ikev2/net2net-start/pretest.dat
index 8f3d17207..9d23c553e 100644
--- a/testing/tests/ikev2/net2net-start/pretest.dat
+++ b/testing/tests/ikev2/net2net-start/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-sun::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
 sun::ipsec start
 sun::sleep 2
 moon::ipsec start
diff --git a/testing/tests/ikev2/net2net-start/test.conf b/testing/tests/ikev2/net2net-start/test.conf
index d9a61590f..646b8b3e6 100644
--- a/testing/tests/ikev2/net2net-start/test.conf
+++ b/testing/tests/ikev2/net2net-start/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon winnetou sun bob"
+VIRTHOSTS="alice moon winnetou sun bob"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-w-s-b.png"
  
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="sun"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon sun"
diff --git a/testing/tests/ikev2/ocsp-local-cert/hosts/winnetou/etc/openssl/ocsp/ocsp.cgi b/testing/tests/ikev2/ocsp-local-cert/hosts/winnetou/etc/openssl/ocsp/ocsp.cgi
index dda793f44..4e2cc2860 100755
--- a/testing/tests/ikev2/ocsp-local-cert/hosts/winnetou/etc/openssl/ocsp/ocsp.cgi
+++ b/testing/tests/ikev2/ocsp-local-cert/hosts/winnetou/etc/openssl/ocsp/ocsp.cgi
@@ -5,7 +5,7 @@ cd /etc/openssl
 echo "Content-type: application/ocsp-response"
 echo ""
 
-/usr/bin/openssl ocsp -index index.txt -CA strongswanCert.pem \
-                      -rkey ocspKey-self.pem -rsigner ocspCert-self.pem \
-		      -resp_no_certs -nmin 5 \
-		      -reqin /dev/stdin -respout /dev/stdout
+cat | /usr/bin/openssl ocsp -index index.txt -CA strongswanCert.pem \
+	-rkey ocspKey-self.pem -rsigner ocspCert-self.pem \
+	-resp_no_certs -nmin 5 \
+	-reqin /dev/stdin -respout /dev/stdout | cat
diff --git a/testing/tests/ikev2/ocsp-local-cert/test.conf b/testing/tests/ikev2/ocsp-local-cert/test.conf
index 2b240d895..892f51cd9 100644
--- a/testing/tests/ikev2/ocsp-local-cert/test.conf
+++ b/testing/tests/ikev2/ocsp-local-cert/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="moon carol winnetou"
+VIRTHOSTS="moon carol winnetou"
 
 # Corresponding block diagram
 #
 DIAGRAM="m-c-w.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS=""
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/ocsp-multi-level/pretest.dat b/testing/tests/ikev2/ocsp-multi-level/pretest.dat
index f15265e32..86dd31e83 100644
--- a/testing/tests/ikev2/ocsp-multi-level/pretest.dat
+++ b/testing/tests/ikev2/ocsp-multi-level/pretest.dat
@@ -1,4 +1,3 @@
-moon::echo 1 > /proc/sys/net/ipv4/ip_forward
 carol::ipsec start
 dave::ipsec start
 moon::ipsec start
diff --git a/testing/tests/ikev2/ocsp-multi-level/test.conf b/testing/tests/ikev2/ocsp-multi-level/test.conf
index 08e5cc145..9bb88d79f 100644
--- a/testing/tests/ikev2/ocsp-multi-level/test.conf
+++ b/testing/tests/ikev2/ocsp-multi-level/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice venus moon carol winnetou dave"
+VIRTHOSTS="alice venus moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-v-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS=""
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev2/ocsp-no-signer-cert/hosts/winnetou/etc/openssl/ocsp/ocsp.cgi b/testing/tests/ikev2/ocsp-no-signer-cert/hosts/winnetou/etc/openssl/ocsp/ocsp.cgi
index 74d22b90d..429061376 100755
--- a/testing/tests/ikev2/ocsp-no-signer-cert/hosts/winnetou/etc/openssl/ocsp/ocsp.cgi
+++ b/testing/tests/ikev2/ocsp-no-signer-cert/hosts/winnetou/etc/openssl/ocsp/ocsp.cgi
@@ -5,7 +5,7 @@ cd /etc/openssl
 echo "Content-type: application/ocsp-response"
 echo ""
 
-/usr/bin/openssl ocsp -index index.txt -CA strongswanCert.pem \
-                      -rkey winnetouKey.pem -rsigner winnetouCert.pem \
-		      -nmin 5 \
-		      -reqin /dev/stdin -respout /dev/stdout
+cat | /usr/bin/openssl ocsp -index index.txt -CA strongswanCert.pem \
+	-rkey winnetouKey.pem -rsigner winnetouCert.pem \
+	-nmin 5 \
+	-reqin /dev/stdin -respout /dev/stdout | cat
diff --git a/testing/tests/ikev2/ocsp-no-signer-cert/test.conf b/testing/tests/ikev2/ocsp-no-signer-cert/test.conf
index 2b240d895..892f51cd9 100644
--- a/testing/tests/ikev2/ocsp-no-signer-cert/test.conf
+++ b/testing/tests/ikev2/ocsp-no-signer-cert/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="moon carol winnetou"
+VIRTHOSTS="moon carol winnetou"
 
 # Corresponding block diagram
 #
 DIAGRAM="m-c-w.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS=""
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/ocsp-revoked/test.conf b/testing/tests/ikev2/ocsp-revoked/test.conf
index 2b240d895..892f51cd9 100644
--- a/testing/tests/ikev2/ocsp-revoked/test.conf
+++ b/testing/tests/ikev2/ocsp-revoked/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="moon carol winnetou"
+VIRTHOSTS="moon carol winnetou"
 
 # Corresponding block diagram
 #
 DIAGRAM="m-c-w.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS=""
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/ocsp-root-cert/hosts/winnetou/etc/openssl/ocsp/ocsp.cgi b/testing/tests/ikev2/ocsp-root-cert/hosts/winnetou/etc/openssl/ocsp/ocsp.cgi
index e998b6ad0..59c356302 100755
--- a/testing/tests/ikev2/ocsp-root-cert/hosts/winnetou/etc/openssl/ocsp/ocsp.cgi
+++ b/testing/tests/ikev2/ocsp-root-cert/hosts/winnetou/etc/openssl/ocsp/ocsp.cgi
@@ -5,7 +5,7 @@ cd /etc/openssl
 echo "Content-type: application/ocsp-response"
 echo ""
 
-/usr/bin/openssl ocsp -index index.txt -CA strongswanCert.pem \
-                      -rkey strongswanKey.pem -rsigner strongswanCert.pem \
-		      -resp_no_certs -nmin 5 \
-		      -reqin /dev/stdin -respout /dev/stdout
+cat | /usr/bin/openssl ocsp -index index.txt -CA strongswanCert.pem \
+	-rkey strongswanKey.pem -rsigner strongswanCert.pem \
+	-resp_no_certs -nmin 5 \
+	-reqin /dev/stdin -respout /dev/stdout | cat
diff --git a/testing/tests/ikev2/ocsp-root-cert/test.conf b/testing/tests/ikev2/ocsp-root-cert/test.conf
index 2b240d895..892f51cd9 100644
--- a/testing/tests/ikev2/ocsp-root-cert/test.conf
+++ b/testing/tests/ikev2/ocsp-root-cert/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="moon carol winnetou"
+VIRTHOSTS="moon carol winnetou"
 
 # Corresponding block diagram
 #
 DIAGRAM="m-c-w.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS=""
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/ocsp-signer-cert/test.conf b/testing/tests/ikev2/ocsp-signer-cert/test.conf
index 2b240d895..892f51cd9 100644
--- a/testing/tests/ikev2/ocsp-signer-cert/test.conf
+++ b/testing/tests/ikev2/ocsp-signer-cert/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="moon carol winnetou"
+VIRTHOSTS="moon carol winnetou"
 
 # Corresponding block diagram
 #
 DIAGRAM="m-c-w.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS=""
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/ocsp-strict-ifuri/pretest.dat b/testing/tests/ikev2/ocsp-strict-ifuri/pretest.dat
index f15265e32..86dd31e83 100644
--- a/testing/tests/ikev2/ocsp-strict-ifuri/pretest.dat
+++ b/testing/tests/ikev2/ocsp-strict-ifuri/pretest.dat
@@ -1,4 +1,3 @@
-moon::echo 1 > /proc/sys/net/ipv4/ip_forward
 carol::ipsec start
 dave::ipsec start
 moon::ipsec start
diff --git a/testing/tests/ikev2/ocsp-strict-ifuri/test.conf b/testing/tests/ikev2/ocsp-strict-ifuri/test.conf
index 08e5cc145..9bb88d79f 100644
--- a/testing/tests/ikev2/ocsp-strict-ifuri/test.conf
+++ b/testing/tests/ikev2/ocsp-strict-ifuri/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice venus moon carol winnetou dave"
+VIRTHOSTS="alice venus moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-v-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS=""
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev2/ocsp-timeouts-good/hosts/winnetou/etc/openssl/ocsp/ocsp.cgi b/testing/tests/ikev2/ocsp-timeouts-good/hosts/winnetou/etc/openssl/ocsp/ocsp.cgi
index 92aa920aa..aa70321d5 100755
--- a/testing/tests/ikev2/ocsp-timeouts-good/hosts/winnetou/etc/openssl/ocsp/ocsp.cgi
+++ b/testing/tests/ikev2/ocsp-timeouts-good/hosts/winnetou/etc/openssl/ocsp/ocsp.cgi
@@ -6,9 +6,9 @@ echo "Content-type: application/ocsp-response"
 echo ""
 
 # simulate a delayed response
-sleep 5 
+sleep 5
 
-/usr/bin/openssl ocsp -index index.txt -CA strongswanCert.pem \
-                      -rkey ocspKey.pem -rsigner ocspCert.pem \
-		      -nmin 5 \
-		      -reqin /dev/stdin -respout /dev/stdout
+cat | /usr/bin/openssl ocsp -index index.txt -CA strongswanCert.pem \
+	-rkey ocspKey.pem -rsigner ocspCert.pem \
+	-nmin 5 \
+	-reqin /dev/stdin -respout /dev/stdout | cat
diff --git a/testing/tests/ikev2/ocsp-timeouts-good/test.conf b/testing/tests/ikev2/ocsp-timeouts-good/test.conf
index 2b240d895..892f51cd9 100644
--- a/testing/tests/ikev2/ocsp-timeouts-good/test.conf
+++ b/testing/tests/ikev2/ocsp-timeouts-good/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="moon carol winnetou"
+VIRTHOSTS="moon carol winnetou"
 
 # Corresponding block diagram
 #
 DIAGRAM="m-c-w.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS=""
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/ocsp-timeouts-unknown/test.conf b/testing/tests/ikev2/ocsp-timeouts-unknown/test.conf
index 2b240d895..892f51cd9 100644
--- a/testing/tests/ikev2/ocsp-timeouts-unknown/test.conf
+++ b/testing/tests/ikev2/ocsp-timeouts-unknown/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="moon carol winnetou"
+VIRTHOSTS="moon carol winnetou"
 
 # Corresponding block diagram
 #
 DIAGRAM="m-c-w.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS=""
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/ocsp-untrusted-cert/hosts/winnetou/etc/openssl/ocsp/ocsp.cgi b/testing/tests/ikev2/ocsp-untrusted-cert/hosts/winnetou/etc/openssl/ocsp/ocsp.cgi
index 20c4b2a22..72aa7a6c4 100755
--- a/testing/tests/ikev2/ocsp-untrusted-cert/hosts/winnetou/etc/openssl/ocsp/ocsp.cgi
+++ b/testing/tests/ikev2/ocsp-untrusted-cert/hosts/winnetou/etc/openssl/ocsp/ocsp.cgi
@@ -5,7 +5,7 @@ cd /etc/openssl
 echo "Content-type: application/ocsp-response"
 echo ""
 
-/usr/bin/openssl ocsp -index index.txt -CA strongswanCert.pem \
-                      -rkey ocspKey-self.pem -rsigner ocspCert-self.pem \
-		      -nmin 5 \
-		      -reqin /dev/stdin -respout /dev/stdout
+cat | /usr/bin/openssl ocsp -index index.txt -CA strongswanCert.pem \
+	-rkey ocspKey-self.pem -rsigner ocspCert-self.pem \
+	-nmin 5 \
+	-reqin /dev/stdin -respout /dev/stdout | cat
diff --git a/testing/tests/ikev2/ocsp-untrusted-cert/test.conf b/testing/tests/ikev2/ocsp-untrusted-cert/test.conf
index 2b240d895..892f51cd9 100644
--- a/testing/tests/ikev2/ocsp-untrusted-cert/test.conf
+++ b/testing/tests/ikev2/ocsp-untrusted-cert/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="moon carol winnetou"
+VIRTHOSTS="moon carol winnetou"
 
 # Corresponding block diagram
 #
 DIAGRAM="m-c-w.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS=""
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/protoport-dual/evaltest.dat b/testing/tests/ikev2/protoport-dual/evaltest.dat
index a65460cc8..cf45f3b52 100644
--- a/testing/tests/ikev2/protoport-dual/evaltest.dat
+++ b/testing/tests/ikev2/protoport-dual/evaltest.dat
@@ -2,8 +2,8 @@ carol::ipsec status 2> /dev/null::home-icmp.*INSTALLED, TUNNEL::YES
 carol::ipsec status 2> /dev/null::home-ssh.*INSTALLED, TUNNEL::YES
 moon:: ipsec status 2> /dev/null::rw-icmp.*INSTALLED, TUNNEL::YES
 moon:: ipsec status 2> /dev/null::rw-ssh.*INSTALLED, TUNNEL::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-carol::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_seq=1::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+carol::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_req=1::YES
 carol::ssh -o ConnectTimeout=5 PH_IP_ALICE hostname::alice::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/protoport-dual/posttest.dat b/testing/tests/ikev2/protoport-dual/posttest.dat
index 94a400606..046d4cfdc 100644
--- a/testing/tests/ikev2/protoport-dual/posttest.dat
+++ b/testing/tests/ikev2/protoport-dual/posttest.dat
@@ -1,4 +1,4 @@
 moon::ipsec stop
 carol::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/protoport-dual/pretest.dat b/testing/tests/ikev2/protoport-dual/pretest.dat
index d3d0061c3..efb2e5712 100644
--- a/testing/tests/ikev2/protoport-dual/pretest.dat
+++ b/testing/tests/ikev2/protoport-dual/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 carol::sleep 2
diff --git a/testing/tests/ikev2/protoport-dual/test.conf b/testing/tests/ikev2/protoport-dual/test.conf
index 9cd583b16..4a5fc470f 100644
--- a/testing/tests/ikev2/protoport-dual/test.conf
+++ b/testing/tests/ikev2/protoport-dual/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou"
+VIRTHOSTS="alice moon carol winnetou"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/protoport-route/evaltest.dat b/testing/tests/ikev2/protoport-route/evaltest.dat
index 83a5e1bde..75c547995 100644
--- a/testing/tests/ikev2/protoport-route/evaltest.dat
+++ b/testing/tests/ikev2/protoport-route/evaltest.dat
@@ -1,5 +1,5 @@
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq::YES
-carol::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_seq::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req::YES
+carol::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_req::YES
 carol::ssh PH_IP_ALICE hostname::alice::YES
 carol::cat /var/log/daemon.log::creating acquire job::YES
 carol::ipsec status 2> /dev/null::home-icmp.*INSTALLED::YES
diff --git a/testing/tests/ikev2/protoport-route/posttest.dat b/testing/tests/ikev2/protoport-route/posttest.dat
index 94a400606..046d4cfdc 100644
--- a/testing/tests/ikev2/protoport-route/posttest.dat
+++ b/testing/tests/ikev2/protoport-route/posttest.dat
@@ -1,4 +1,4 @@
 moon::ipsec stop
 carol::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/protoport-route/pretest.dat b/testing/tests/ikev2/protoport-route/pretest.dat
index 0aded0f4d..5a15574d6 100644
--- a/testing/tests/ikev2/protoport-route/pretest.dat
+++ b/testing/tests/ikev2/protoport-route/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 carol::sleep 1
diff --git a/testing/tests/ikev2/protoport-route/test.conf b/testing/tests/ikev2/protoport-route/test.conf
index 9cd583b16..4a5fc470f 100644
--- a/testing/tests/ikev2/protoport-route/test.conf
+++ b/testing/tests/ikev2/protoport-route/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou"
+VIRTHOSTS="alice moon carol winnetou"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/reauth-early/evaltest.dat b/testing/tests/ikev2/reauth-early/evaltest.dat
index 1d3a35916..dbc6f8d97 100644
--- a/testing/tests/ikev2/reauth-early/evaltest.dat
+++ b/testing/tests/ikev2/reauth-early/evaltest.dat
@@ -1,6 +1,6 @@
 moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
 carol::ipsec status 2> /dev/null::home\[2]: ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
 carol::cat /var/log/daemon.log::received AUTH_LIFETIME of 30s, scheduling reauthentication in 25s::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/reauth-early/posttest.dat b/testing/tests/ikev2/reauth-early/posttest.dat
index 94a400606..046d4cfdc 100644
--- a/testing/tests/ikev2/reauth-early/posttest.dat
+++ b/testing/tests/ikev2/reauth-early/posttest.dat
@@ -1,4 +1,4 @@
 moon::ipsec stop
 carol::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/reauth-early/pretest.dat b/testing/tests/ikev2/reauth-early/pretest.dat
index 7ed2423be..153ea7c43 100644
--- a/testing/tests/ikev2/reauth-early/pretest.dat
+++ b/testing/tests/ikev2/reauth-early/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 carol::sleep 1
diff --git a/testing/tests/ikev2/reauth-early/test.conf b/testing/tests/ikev2/reauth-early/test.conf
index 9cd583b16..4a5fc470f 100644
--- a/testing/tests/ikev2/reauth-early/test.conf
+++ b/testing/tests/ikev2/reauth-early/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou"
+VIRTHOSTS="alice moon carol winnetou"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/reauth-late/evaltest.dat b/testing/tests/ikev2/reauth-late/evaltest.dat
index d86758f9a..205a4d9e7 100644
--- a/testing/tests/ikev2/reauth-late/evaltest.dat
+++ b/testing/tests/ikev2/reauth-late/evaltest.dat
@@ -2,6 +2,6 @@ moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*caro
 carol::ipsec status 2> /dev/null::home\[2]: ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
 carol::cat /var/log/daemon.log::scheduling reauthentication in 2[0-5]s::YES
 carol::cat /var/log/daemon.log::received AUTH_LIFETIME of 360[01]s, reauthentication already scheduled in 2[0-5]s::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/reauth-late/posttest.dat b/testing/tests/ikev2/reauth-late/posttest.dat
index 94a400606..046d4cfdc 100644
--- a/testing/tests/ikev2/reauth-late/posttest.dat
+++ b/testing/tests/ikev2/reauth-late/posttest.dat
@@ -1,4 +1,4 @@
 moon::ipsec stop
 carol::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/reauth-late/pretest.dat b/testing/tests/ikev2/reauth-late/pretest.dat
index 7ed2423be..153ea7c43 100644
--- a/testing/tests/ikev2/reauth-late/pretest.dat
+++ b/testing/tests/ikev2/reauth-late/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 carol::sleep 1
diff --git a/testing/tests/ikev2/reauth-late/test.conf b/testing/tests/ikev2/reauth-late/test.conf
index 9cd583b16..4a5fc470f 100644
--- a/testing/tests/ikev2/reauth-late/test.conf
+++ b/testing/tests/ikev2/reauth-late/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou"
+VIRTHOSTS="alice moon carol winnetou"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/rw-cert/evaltest.dat b/testing/tests/ikev2/rw-cert/evaltest.dat
index f8cfb111b..ba661975b 100644
--- a/testing/tests/ikev2/rw-cert/evaltest.dat
+++ b/testing/tests/ikev2/rw-cert/evaltest.dat
@@ -6,8 +6,8 @@ carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
 dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
 moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
 moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
 moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/rw-cert/posttest.dat b/testing/tests/ikev2/rw-cert/posttest.dat
index 7cebd7f25..1865a1c60 100644
--- a/testing/tests/ikev2/rw-cert/posttest.dat
+++ b/testing/tests/ikev2/rw-cert/posttest.dat
@@ -1,6 +1,6 @@
 moon::ipsec stop
 carol::ipsec stop
 dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/rw-cert/pretest.dat b/testing/tests/ikev2/rw-cert/pretest.dat
index 42e9d7c24..8bbea1412 100644
--- a/testing/tests/ikev2/rw-cert/pretest.dat
+++ b/testing/tests/ikev2/rw-cert/pretest.dat
@@ -1,6 +1,6 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
diff --git a/testing/tests/ikev2/rw-cert/test.conf b/testing/tests/ikev2/rw-cert/test.conf
index 70416826e..f29298850 100644
--- a/testing/tests/ikev2/rw-cert/test.conf
+++ b/testing/tests/ikev2/rw-cert/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev2/rw-eap-aka-id-rsa/evaltest.dat b/testing/tests/ikev2/rw-eap-aka-id-rsa/evaltest.dat
index a39bf3afe..d59eef513 100644
--- a/testing/tests/ikev2/rw-eap-aka-id-rsa/evaltest.dat
+++ b/testing/tests/ikev2/rw-eap-aka-id-rsa/evaltest.dat
@@ -7,7 +7,7 @@ moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED.*moon.strongswan.org.*caro
 carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
 moon:: ipsec status 2> /dev/null::rw-eap.*INSTALLED, TUNNEL::YES
 carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
 
diff --git a/testing/tests/ikev2/rw-eap-aka-id-rsa/posttest.dat b/testing/tests/ikev2/rw-eap-aka-id-rsa/posttest.dat
index 94a400606..046d4cfdc 100644
--- a/testing/tests/ikev2/rw-eap-aka-id-rsa/posttest.dat
+++ b/testing/tests/ikev2/rw-eap-aka-id-rsa/posttest.dat
@@ -1,4 +1,4 @@
 moon::ipsec stop
 carol::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/rw-eap-aka-id-rsa/pretest.dat b/testing/tests/ikev2/rw-eap-aka-id-rsa/pretest.dat
index ed5498bfe..388339fb8 100644
--- a/testing/tests/ikev2/rw-eap-aka-id-rsa/pretest.dat
+++ b/testing/tests/ikev2/rw-eap-aka-id-rsa/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 carol::sleep 1
diff --git a/testing/tests/ikev2/rw-eap-aka-id-rsa/test.conf b/testing/tests/ikev2/rw-eap-aka-id-rsa/test.conf
index 2bd21499b..e093d43d8 100644
--- a/testing/tests/ikev2/rw-eap-aka-id-rsa/test.conf
+++ b/testing/tests/ikev2/rw-eap-aka-id-rsa/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice carol moon"
+VIRTHOSTS="alice carol moon"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/rw-eap-aka-rsa/evaltest.dat b/testing/tests/ikev2/rw-eap-aka-rsa/evaltest.dat
index 2abfdd19b..0ea4e21ab 100644
--- a/testing/tests/ikev2/rw-eap-aka-rsa/evaltest.dat
+++ b/testing/tests/ikev2/rw-eap-aka-rsa/evaltest.dat
@@ -6,7 +6,7 @@ moon:: ipsec status 2> /dev/null::rw-eap-aka.*ESTABLISHED.*moon.strongswan.org.*
 carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
 moon:: ipsec status 2> /dev/null::rw-eap-aka.*INSTALLED, TUNNEL::YES
 carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
 
diff --git a/testing/tests/ikev2/rw-eap-aka-rsa/posttest.dat b/testing/tests/ikev2/rw-eap-aka-rsa/posttest.dat
index 94a400606..046d4cfdc 100644
--- a/testing/tests/ikev2/rw-eap-aka-rsa/posttest.dat
+++ b/testing/tests/ikev2/rw-eap-aka-rsa/posttest.dat
@@ -1,4 +1,4 @@
 moon::ipsec stop
 carol::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/rw-eap-aka-rsa/pretest.dat b/testing/tests/ikev2/rw-eap-aka-rsa/pretest.dat
index ed5498bfe..388339fb8 100644
--- a/testing/tests/ikev2/rw-eap-aka-rsa/pretest.dat
+++ b/testing/tests/ikev2/rw-eap-aka-rsa/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 carol::sleep 1
diff --git a/testing/tests/ikev2/rw-eap-aka-rsa/test.conf b/testing/tests/ikev2/rw-eap-aka-rsa/test.conf
index 2bd21499b..e093d43d8 100644
--- a/testing/tests/ikev2/rw-eap-aka-rsa/test.conf
+++ b/testing/tests/ikev2/rw-eap-aka-rsa/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice carol moon"
+VIRTHOSTS="alice carol moon"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/rw-eap-dynamic/evaltest.dat b/testing/tests/ikev2/rw-eap-dynamic/evaltest.dat
index 9c6ae73e9..6a20b8e8c 100644
--- a/testing/tests/ikev2/rw-eap-dynamic/evaltest.dat
+++ b/testing/tests/ikev2/rw-eap-dynamic/evaltest.dat
@@ -15,8 +15,8 @@ moon:: ipsec status 2> /dev/null::rw-eap[{]1}.*INSTALLED, TUNNEL::YES
 moon:: ipsec status 2> /dev/null::rw-eap[{]2}.*INSTALLED, TUNNEL::YES
 carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
 dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
 moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/rw-eap-dynamic/posttest.dat b/testing/tests/ikev2/rw-eap-dynamic/posttest.dat
index 1777f439f..b757d8b15 100644
--- a/testing/tests/ikev2/rw-eap-dynamic/posttest.dat
+++ b/testing/tests/ikev2/rw-eap-dynamic/posttest.dat
@@ -1,6 +1,6 @@
 carol::ipsec stop
 dave::ipsec stop
 moon::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/rw-eap-dynamic/pretest.dat b/testing/tests/ikev2/rw-eap-dynamic/pretest.dat
index 369596177..17f1b5f2b 100644
--- a/testing/tests/ikev2/rw-eap-dynamic/pretest.dat
+++ b/testing/tests/ikev2/rw-eap-dynamic/pretest.dat
@@ -1,6 +1,6 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
diff --git a/testing/tests/ikev2/rw-eap-dynamic/test.conf b/testing/tests/ikev2/rw-eap-dynamic/test.conf
index a71d09e9d..a5525e6aa 100644
--- a/testing/tests/ikev2/rw-eap-dynamic/test.conf
+++ b/testing/tests/ikev2/rw-eap-dynamic/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice  moon carol winnetou dave"
+VIRTHOSTS="alice  moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev2/rw-eap-md5-class-radius/description.txt b/testing/tests/ikev2/rw-eap-md5-class-radius/description.txt
new file mode 100644
index 000000000..6860700db
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-md5-class-radius/description.txt
@@ -0,0 +1,9 @@
+The roadwarriors <b>carol</b> an <b>dave</b> set up a connection to gateway
+<b>moon</b>. At the outset the gateway authenticates itself to the client by
+sending an IKEv2 <b>RSA signature</b> accompanied by a certificate.
+<b>carol</b> and <b>dave</b> then use the <b>EAP-MD5</b> protocol to authenticate
+against the gateway <b>moon</b>. The user credentials of <b>carol</b>
+and <b>dave</b> are kept both on the local clients and the RADIUS server <b>alice</b>.
+<b>carol</b> possesses the RADIUS class attribute <b>Research</b> and therefore obtains
+access to the <b>research</b> subnet behind gateway <b>moon</b> whereas <b>dave</b>
+belongs to the class <b>Accounting</b> and has access to the <b>acccess</b> subnet.
diff --git a/testing/tests/ikev2/rw-eap-md5-class-radius/evaltest.dat b/testing/tests/ikev2/rw-eap-md5-class-radius/evaltest.dat
new file mode 100644
index 000000000..aa6d4291b
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-md5-class-radius/evaltest.dat
@@ -0,0 +1,26 @@
+carol::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with RSA signature successful::YES
+moon ::cat /var/log/daemon.log::received EAP identity .*carol::YES
+carol::cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES
+carol::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with EAP successful::YES
+moon ::cat /var/log/daemon.log::authentication of .*PH_IP_CAROL.* with EAP successful::YES
+moon ::ipsec status 2> /dev/null::research.*ESTABLISHED.*moon.strongswan.org.*PH_IP_CAROL::YES
+carol::ipsec status 2> /dev/null::alice.*ESTABLISHED.*PH_IP_CAROL.*moon.strongswan.org::YES
+moon ::ipsec status 2> /dev/null::research.*INSTALLED, TUNNEL::YES
+carol::ipsec status 2> /dev/null::alice.*INSTALLED, TUNNEL::YES
+carol::ipsec status 2> /dev/null::venus.*INSTALLED, TUNNEL::NO
+dave ::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with RSA signature successful::YES
+moon ::cat /var/log/daemon.log::received EAP identity .*dave::YES
+dave ::cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES
+dave ::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with EAP successful::YES
+moon ::cat /var/log/daemon.log::authentication of .*PH_IP_DAVE.* with EAP successful::YES
+moon ::ipsec status 2> /dev/null::accounting.*ESTABLISHED.*moon.strongswan.org.*PH_IP_DAVE::YES
+dave ::ipsec status 2> /dev/null::alice.*ESTABLISHED.*PH_IP_DAVE.*moon.strongswan.org::YES
+moon ::ipsec status 2> /dev/null::accounting.*INSTALLED, TUNNEL::YES
+dave ::ipsec status 2> /dev/null::alice.*INSTALLED, TUNNEL::NO
+dave ::ipsec status 2> /dev/null::venus.*INSTALLED, TUNNEL::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/alice/etc/freeradius/eap.conf b/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/alice/etc/freeradius/eap.conf
new file mode 100644
index 000000000..623f42904
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/alice/etc/freeradius/eap.conf
@@ -0,0 +1,5 @@
+eap {
+  default_eap_type = md5
+  md5 {
+  }
+}
diff --git a/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/alice/etc/freeradius/proxy.conf b/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/alice/etc/freeradius/proxy.conf
new file mode 100644
index 000000000..783587b55
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/alice/etc/freeradius/proxy.conf
@@ -0,0 +1,5 @@
+realm LOCAL {
+  type     = radius
+  authhost = LOCAL
+  accthost = LOCAL
+}
diff --git a/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/alice/etc/freeradius/sites-available/default b/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/alice/etc/freeradius/sites-available/default
new file mode 100644
index 000000000..a67a5dcb4
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/alice/etc/freeradius/sites-available/default
@@ -0,0 +1,42 @@
+authorize {
+  eap {
+    ok = return
+  }
+  files
+}
+
+authenticate {
+  eap
+}
+
+preacct {
+  preprocess
+  acct_unique
+  suffix
+  files
+}
+
+accounting {
+  detail
+  unix
+  radutmp
+  attr_filter.accounting_response
+}
+
+session {
+  radutmp
+}
+
+post-auth {
+  exec
+  Post-Auth-Type REJECT {
+    attr_filter.access_reject
+  }
+}
+
+pre-proxy {
+}
+
+post-proxy {
+  eap
+}
diff --git a/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/alice/etc/freeradius/users b/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/alice/etc/freeradius/users
new file mode 100644
index 000000000..62d459115
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/alice/etc/freeradius/users
@@ -0,0 +1,4 @@
+carol	Cleartext-Password := "Ar3etTnp"
+		Class = "Research"
+dave	Cleartext-Password := "W7R0g3do"
+		Class = "Accounting"
diff --git a/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/carol/etc/ipsec.conf
new file mode 100644
index 000000000..53e2be638
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,29 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn alice
+	rightsubnet=10.1.0.10/32
+	also=home
+	auto=add
+
+conn venus
+	rightsubnet=10.1.0.20/32
+	also=home
+	auto=add
+
+conn home
+	left=%any
+	leftauth=eap
+	leftfirewall=yes
+	eap_identity=carol
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+	rightauth=pubkey
diff --git a/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/carol/etc/ipsec.secrets
new file mode 100644
index 000000000..23d79cf2e
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/carol/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+carol : EAP "Ar3etTnp"
diff --git a/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..b1b418060
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-md5 eap-identity updown
+}
diff --git a/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/dave/etc/ipsec.conf
new file mode 100644
index 000000000..9428f323a
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,29 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn alice
+	rightsubnet=10.1.0.10/32
+	also=home
+	auto=add
+
+conn venus
+	rightsubnet=10.1.0.20/32
+	also=home
+	auto=add
+
+conn home
+	left=%any
+	leftauth=eap
+	leftfirewall=yes
+	eap_identity=dave
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+	rightauth=pubkey
diff --git a/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/dave/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/dave/etc/ipsec.secrets
new file mode 100644
index 000000000..02e0c9963
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/dave/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+dave : EAP "W7R0g3do"
diff --git a/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..b1b418060
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-md5 eap-identity updown
+}
diff --git a/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/moon/etc/ipsec.conf
new file mode 100644
index 000000000..9dcbcca75
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,33 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn research
+	rightgroups=Research
+	leftsubnet=10.1.0.0/28
+	also=rw-eap
+	auto=add
+
+conn accounting
+	rightgroups=Accounting
+	leftsubnet=10.1.0.16/28
+	also=rw-eap
+	auto=add
+
+conn rw-eap
+	left=PH_IP_MOON
+	leftid=@moon.strongswan.org
+	leftcert=moonCert.pem
+	leftauth=pubkey
+	leftfirewall=yes
+	rightsendcert=never
+	rightauth=eap-radius
+	eap_identity=%any
+	right=%any
diff --git a/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/moon/etc/ipsec.secrets
new file mode 100644
index 000000000..e86d6aa5c
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/moon/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: RSA moonKey.pem
diff --git a/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/moon/etc/iptables.rules b/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/moon/etc/iptables.rules
new file mode 100644
index 000000000..1eb755354
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/moon/etc/iptables.rules
@@ -0,0 +1,32 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow esp
+-A INPUT  -i eth0 -p 50 -j ACCEPT
+-A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+# allow IKE
+-A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT  -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+# allow RADIUS protocol with alice
+-A INPUT  -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT
+-A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..4297a3056
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,12 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-radius eap-identity updown
+  plugins {
+    eap-radius {
+      class_group = yes
+      secret = gv6URkSs
+      server = PH_IP_ALICE
+    }
+  }
+}
diff --git a/testing/tests/ikev2/rw-eap-md5-class-radius/posttest.dat b/testing/tests/ikev2/rw-eap-md5-class-radius/posttest.dat
new file mode 100644
index 000000000..670d2e72f
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-md5-class-radius/posttest.dat
@@ -0,0 +1,7 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+alice::killall radiusd
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/rw-eap-md5-class-radius/pretest.dat b/testing/tests/ikev2/rw-eap-md5-class-radius/pretest.dat
new file mode 100644
index 000000000..a2704e833
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-md5-class-radius/pretest.dat
@@ -0,0 +1,13 @@
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
+alice::radiusd
+moon::ipsec start
+carol::ipsec start
+dave::ipsec start
+carol::sleep 1
+carol::ipsec up alice
+carol::ipsec up venus
+dave::ipsec up alice
+dave::ipsec up venus
+dave::sleep 1
diff --git a/testing/tests/ikev2/rw-eap-md5-class-radius/test.conf b/testing/tests/ikev2/rw-eap-md5-class-radius/test.conf
new file mode 100644
index 000000000..5dfb41723
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-md5-class-radius/test.conf
@@ -0,0 +1,26 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice venus moon carol winnetou moon"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-v-m-c-w-d.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
+
+# Guest instances on which FreeRadius is started
+#
+RADIUSHOSTS="alice"
+
diff --git a/testing/tests/ikev2/rw-eap-md5-id-prompt/evaltest.dat b/testing/tests/ikev2/rw-eap-md5-id-prompt/evaltest.dat
index a239b56e7..42d2c319e 100644
--- a/testing/tests/ikev2/rw-eap-md5-id-prompt/evaltest.dat
+++ b/testing/tests/ikev2/rw-eap-md5-id-prompt/evaltest.dat
@@ -2,13 +2,13 @@ carol::cat /var/log/daemon.log::configured EAP-Identity carol::YES
 carol::cat /var/log/daemon.log::added EAP secret for carol moon.strongswan.org::YES
 carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES
 carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
-moon:: cat /var/log/daemon.log::authentication of '192.168.0.100' with EAP successful::YES
+moon:: cat /var/log/daemon.log::authentication of 'PH_IP_CAROL' with EAP successful::YES
 moon:: cat /var/log/daemon.log::received EAP identity.*carol::YES
-moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED.*moon.strongswan.org.*\[192.168.0.100]::YES
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*\[192.168.0.100].*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED.*moon.strongswan.org.*\[PH_IP_CAROL]::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*\[PH_IP_CAROL].*moon.strongswan.org::YES
 moon:: ipsec status 2> /dev/null::rw-eap.*INSTALLED, TUNNEL::YES
 carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
 
diff --git a/testing/tests/ikev2/rw-eap-md5-id-prompt/posttest.dat b/testing/tests/ikev2/rw-eap-md5-id-prompt/posttest.dat
index 94a400606..046d4cfdc 100644
--- a/testing/tests/ikev2/rw-eap-md5-id-prompt/posttest.dat
+++ b/testing/tests/ikev2/rw-eap-md5-id-prompt/posttest.dat
@@ -1,4 +1,4 @@
 moon::ipsec stop
 carol::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/rw-eap-md5-id-prompt/pretest.dat b/testing/tests/ikev2/rw-eap-md5-id-prompt/pretest.dat
index 9c301f484..180537f5f 100644
--- a/testing/tests/ikev2/rw-eap-md5-id-prompt/pretest.dat
+++ b/testing/tests/ikev2/rw-eap-md5-id-prompt/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 carol::sleep 1
diff --git a/testing/tests/ikev2/rw-eap-md5-id-prompt/test.conf b/testing/tests/ikev2/rw-eap-md5-id-prompt/test.conf
index 2bd21499b..e093d43d8 100644
--- a/testing/tests/ikev2/rw-eap-md5-id-prompt/test.conf
+++ b/testing/tests/ikev2/rw-eap-md5-id-prompt/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice carol moon"
+VIRTHOSTS="alice carol moon"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/rw-eap-md5-id-radius/evaltest.dat b/testing/tests/ikev2/rw-eap-md5-id-radius/evaltest.dat
index 73f606be3..8f813395a 100644
--- a/testing/tests/ikev2/rw-eap-md5-id-radius/evaltest.dat
+++ b/testing/tests/ikev2/rw-eap-md5-id-radius/evaltest.dat
@@ -7,7 +7,7 @@ moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED.*moon.strongswan.org.*caro
 carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
 moon:: ipsec status 2> /dev/null::rw-eap.*INSTALLED, TUNNEL::YES
 carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
 
diff --git a/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/eap.conf b/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/eap.conf
new file mode 100644
index 000000000..623f42904
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/eap.conf
@@ -0,0 +1,5 @@
+eap {
+  default_eap_type = md5
+  md5 {
+  }
+}
diff --git a/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/proxy.conf b/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/proxy.conf
new file mode 100644
index 000000000..783587b55
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/proxy.conf
@@ -0,0 +1,5 @@
+realm LOCAL {
+  type     = radius
+  authhost = LOCAL
+  accthost = LOCAL
+}
diff --git a/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/sites-available/default b/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/sites-available/default
new file mode 100644
index 000000000..a67a5dcb4
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/sites-available/default
@@ -0,0 +1,42 @@
+authorize {
+  eap {
+    ok = return
+  }
+  files
+}
+
+authenticate {
+  eap
+}
+
+preacct {
+  preprocess
+  acct_unique
+  suffix
+  files
+}
+
+accounting {
+  detail
+  unix
+  radutmp
+  attr_filter.accounting_response
+}
+
+session {
+  radutmp
+}
+
+post-auth {
+  exec
+  Post-Auth-Type REJECT {
+    attr_filter.access_reject
+  }
+}
+
+pre-proxy {
+}
+
+post-proxy {
+  eap
+}
diff --git a/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/users b/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/users
new file mode 100644
index 000000000..247b918e3
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/users
@@ -0,0 +1 @@
+carol	Cleartext-Password := "Ar3etTnp"
diff --git a/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/raddb/clients.conf b/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/raddb/clients.conf
deleted file mode 100644
index f4e179aa4..000000000
--- a/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/raddb/clients.conf
+++ /dev/null
@@ -1,4 +0,0 @@
-client PH_IP_MOON1 {
-  secret    = gv6URkSs 
-  shortname = moon
-}
diff --git a/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/raddb/eap.conf b/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/raddb/eap.conf
deleted file mode 100644
index 623f42904..000000000
--- a/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/raddb/eap.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-eap {
-  default_eap_type = md5
-  md5 {
-  }
-}
diff --git a/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/raddb/proxy.conf b/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/raddb/proxy.conf
deleted file mode 100644
index 783587b55..000000000
--- a/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/raddb/proxy.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-realm LOCAL {
-  type     = radius
-  authhost = LOCAL
-  accthost = LOCAL
-}
diff --git a/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/raddb/radiusd.conf b/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/raddb/radiusd.conf
deleted file mode 100644
index 1143a0473..000000000
--- a/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/raddb/radiusd.conf
+++ /dev/null
@@ -1,120 +0,0 @@
-# radiusd.conf	-- FreeRADIUS server configuration file.
-
-prefix = /usr
-exec_prefix = ${prefix}
-sysconfdir = /etc
-localstatedir = /var
-sbindir = ${exec_prefix}/sbin
-logdir = ${localstatedir}/log/radius
-raddbdir = ${sysconfdir}/raddb
-radacctdir = ${logdir}/radacct
-
-#  name of the running server.  See also the "-n" command-line option.
-name = radiusd
-
-#  Location of config and logfiles.
-confdir = ${raddbdir}
-run_dir = ${localstatedir}/run/radiusd
-
-# Should likely be ${localstatedir}/lib/radiusd
-db_dir = ${raddbdir}
-
-# libdir: Where to find the rlm_* modules.
-libdir = ${exec_prefix}/lib
-
-#  pidfile: Where to place the PID of the RADIUS server.
-pidfile = ${run_dir}/${name}.pid
-
-#  max_request_time: The maximum time (in seconds) to handle a request.
-max_request_time = 30
-
-#  cleanup_delay: The time to wait (in seconds) before cleaning up
-cleanup_delay = 5
-
-#  max_requests: The maximum number of requests which the server keeps
-max_requests = 1024
-
-#  listen: Make the server listen on a particular IP address, and send
-listen {
-  type = auth
-  ipaddr = PH_IP_ALICE 
-  port = 0
-}
-
-#  This second "listen" section is for listening on the accounting
-#  port, too.
-#
-listen {
-  type  = acct
-  ipaddr = PH_IP_ALICE 
-  port = 0
-}
-
-#  hostname_lookups: Log the names of clients or just their IP addresses
-hostname_lookups = no
-
-#  Core dumps are a bad thing.  This should only be set to 'yes'
-allow_core_dumps = no
-
-#  Regular expressions
-regular_expressions = yes
-extended_expressions = yes
-
-#  Logging section.  The various "log_*" configuration items
-log {
-  destination = files
-  file = ${logdir}/radius.log
-  syslog_facility = daemon
-  stripped_names = no
-  auth = yes 
-  auth_badpass = yes 
-  auth_goodpass = yes 
-}
-
-#  The program to execute to do concurrency checks.
-checkrad = ${sbindir}/checkrad
-
-#  Security considerations
-security {
-  max_attributes = 200
-  reject_delay = 1
-  status_server = yes
-}
-
-# PROXY CONFIGURATION
-proxy_requests = yes
-$INCLUDE proxy.conf
-
-# CLIENTS CONFIGURATION
-$INCLUDE clients.conf
-
-# THREAD POOL CONFIGURATION
-thread pool {
-  start_servers = 5
-  max_servers = 32
-  min_spare_servers = 3
-  max_spare_servers = 10
-  max_requests_per_server = 0
-}
-
-# MODULE CONFIGURATION
-modules {
-  $INCLUDE ${confdir}/modules/
-  $INCLUDE eap.conf
-  $INCLUDE sql.conf
-  $INCLUDE sql/mysql/counter.conf
-}
-
-# Instantiation
-instantiate {
-  exec
-  expr
-  expiration
-  logintime
-}
-
-# Policies
-$INCLUDE policy.conf
-
-# Include all enabled virtual hosts
-$INCLUDE sites-enabled/
diff --git a/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/raddb/sites-available/default b/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/raddb/sites-available/default
deleted file mode 100644
index 2de32a6f2..000000000
--- a/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/raddb/sites-available/default
+++ /dev/null
@@ -1,43 +0,0 @@
-authorize {
-  eap {
-    ok = return
-  }
-  files
-}
-
-authenticate {
-  eap
-}
-
-preacct {
-  preprocess
-  acct_unique
-  suffix
-  files
-}
-
-accounting {
-  detail
-  unix
-  radutmp
-  attr_filter.accounting_response
-}
-
-session {
-  radutmp
-}
-
-post-auth {
-  exec
-  Post-Auth-Type REJECT {
-    attr_filter.access_reject
-  }
-}
-
-pre-proxy {
-}
-
-post-proxy {
-  eap
-}
-
diff --git a/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/raddb/users b/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/raddb/users
deleted file mode 100644
index 247b918e3..000000000
--- a/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/raddb/users
+++ /dev/null
@@ -1 +0,0 @@
-carol	Cleartext-Password := "Ar3etTnp"
diff --git a/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/moon/etc/init.d/iptables b/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/moon/etc/init.d/iptables
deleted file mode 100755
index 56587b2e8..000000000
--- a/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/moon/etc/init.d/iptables
+++ /dev/null
@@ -1,84 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# enable IP forwarding
-	echo 1 > /proc/sys/net/ipv4/ip_forward
-	
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	# allow esp
-	iptables -A INPUT  -i eth0 -p 50 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-	# allow IKE
-	iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
-	# allow MobIKE
-	iptables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-	# allow crl fetch from winnetou
-	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
-	# allow RADIUS protocol with alice
-	iptables -A INPUT  -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT
-	iptables -A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/moon/etc/iptables.rules b/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/moon/etc/iptables.rules
new file mode 100644
index 000000000..1eb755354
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/moon/etc/iptables.rules
@@ -0,0 +1,32 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow esp
+-A INPUT  -i eth0 -p 50 -j ACCEPT
+-A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+# allow IKE
+-A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT  -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+# allow RADIUS protocol with alice
+-A INPUT  -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT
+-A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/ikev2/rw-eap-md5-id-radius/posttest.dat b/testing/tests/ikev2/rw-eap-md5-id-radius/posttest.dat
index 920d6a20d..181949fb5 100644
--- a/testing/tests/ikev2/rw-eap-md5-id-radius/posttest.dat
+++ b/testing/tests/ikev2/rw-eap-md5-id-radius/posttest.dat
@@ -1,5 +1,5 @@
 moon::ipsec stop
 carol::ipsec stop
-alice::/etc/init.d/radiusd stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
+alice::killall radiusd
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/rw-eap-md5-id-radius/pretest.dat b/testing/tests/ikev2/rw-eap-md5-id-radius/pretest.dat
index 280d62e3c..9adc43d3e 100644
--- a/testing/tests/ikev2/rw-eap-md5-id-radius/pretest.dat
+++ b/testing/tests/ikev2/rw-eap-md5-id-radius/pretest.dat
@@ -1,6 +1,6 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-alice::/etc/init.d/radiusd start 
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+alice::radiusd
 moon::ipsec start
 carol::ipsec start
 carol::sleep 1
diff --git a/testing/tests/ikev2/rw-eap-md5-id-radius/test.conf b/testing/tests/ikev2/rw-eap-md5-id-radius/test.conf
index e0d77b583..eb1e15dd2 100644
--- a/testing/tests/ikev2/rw-eap-md5-id-radius/test.conf
+++ b/testing/tests/ikev2/rw-eap-md5-id-radius/test.conf
@@ -1,26 +1,26 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice carol moon"
+VIRTHOSTS="alice carol moon"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
 
-# UML instances on which FreeRadius is started
+# Guest instances on which FreeRadius is started
 #
 RADIUSHOSTS="alice"
 
diff --git a/testing/tests/ikev2/rw-eap-md5-radius/evaltest.dat b/testing/tests/ikev2/rw-eap-md5-radius/evaltest.dat
index 525d987af..a8019b3e7 100644
--- a/testing/tests/ikev2/rw-eap-md5-radius/evaltest.dat
+++ b/testing/tests/ikev2/rw-eap-md5-radius/evaltest.dat
@@ -6,6 +6,6 @@ moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED.*moon.strongswan.org.*caro
 carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
 moon:: ipsec status 2> /dev/null::rw-eap.*INSTALLED, TUNNEL::YES
 carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/freeradius/eap.conf b/testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/freeradius/eap.conf
new file mode 100644
index 000000000..623f42904
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/freeradius/eap.conf
@@ -0,0 +1,5 @@
+eap {
+  default_eap_type = md5
+  md5 {
+  }
+}
diff --git a/testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/freeradius/proxy.conf b/testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/freeradius/proxy.conf
new file mode 100644
index 000000000..23cba8d11
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/freeradius/proxy.conf
@@ -0,0 +1,5 @@
+realm strongswan.org {
+  type     = radius
+  authhost = LOCAL
+  accthost = LOCAL
+}
diff --git a/testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/freeradius/sites-available/default b/testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/freeradius/sites-available/default
new file mode 100644
index 000000000..dd0825858
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/freeradius/sites-available/default
@@ -0,0 +1,43 @@
+authorize {
+  suffix
+  eap {
+    ok = return
+  }
+  files
+}
+
+authenticate {
+  eap
+}
+
+preacct {
+  preprocess
+  acct_unique
+  suffix
+  files
+}
+
+accounting {
+  detail
+  unix
+  radutmp
+  attr_filter.accounting_response
+}
+
+session {
+  radutmp
+}
+
+post-auth {
+  exec
+  Post-Auth-Type REJECT {
+    attr_filter.access_reject
+  }
+}
+
+pre-proxy {
+}
+
+post-proxy {
+  eap
+}
diff --git a/testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/freeradius/users b/testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/freeradius/users
new file mode 100644
index 000000000..247b918e3
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/freeradius/users
@@ -0,0 +1 @@
+carol	Cleartext-Password := "Ar3etTnp"
diff --git a/testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/raddb/clients.conf b/testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/raddb/clients.conf
deleted file mode 100644
index f4e179aa4..000000000
--- a/testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/raddb/clients.conf
+++ /dev/null
@@ -1,4 +0,0 @@
-client PH_IP_MOON1 {
-  secret    = gv6URkSs 
-  shortname = moon
-}
diff --git a/testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/raddb/eap.conf b/testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/raddb/eap.conf
deleted file mode 100644
index 623f42904..000000000
--- a/testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/raddb/eap.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-eap {
-  default_eap_type = md5
-  md5 {
-  }
-}
diff --git a/testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/raddb/proxy.conf b/testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/raddb/proxy.conf
deleted file mode 100644
index 23cba8d11..000000000
--- a/testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/raddb/proxy.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-realm strongswan.org {
-  type     = radius
-  authhost = LOCAL
-  accthost = LOCAL
-}
diff --git a/testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/raddb/radiusd.conf b/testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/raddb/radiusd.conf
deleted file mode 100644
index 1143a0473..000000000
--- a/testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/raddb/radiusd.conf
+++ /dev/null
@@ -1,120 +0,0 @@
-# radiusd.conf	-- FreeRADIUS server configuration file.
-
-prefix = /usr
-exec_prefix = ${prefix}
-sysconfdir = /etc
-localstatedir = /var
-sbindir = ${exec_prefix}/sbin
-logdir = ${localstatedir}/log/radius
-raddbdir = ${sysconfdir}/raddb
-radacctdir = ${logdir}/radacct
-
-#  name of the running server.  See also the "-n" command-line option.
-name = radiusd
-
-#  Location of config and logfiles.
-confdir = ${raddbdir}
-run_dir = ${localstatedir}/run/radiusd
-
-# Should likely be ${localstatedir}/lib/radiusd
-db_dir = ${raddbdir}
-
-# libdir: Where to find the rlm_* modules.
-libdir = ${exec_prefix}/lib
-
-#  pidfile: Where to place the PID of the RADIUS server.
-pidfile = ${run_dir}/${name}.pid
-
-#  max_request_time: The maximum time (in seconds) to handle a request.
-max_request_time = 30
-
-#  cleanup_delay: The time to wait (in seconds) before cleaning up
-cleanup_delay = 5
-
-#  max_requests: The maximum number of requests which the server keeps
-max_requests = 1024
-
-#  listen: Make the server listen on a particular IP address, and send
-listen {
-  type = auth
-  ipaddr = PH_IP_ALICE 
-  port = 0
-}
-
-#  This second "listen" section is for listening on the accounting
-#  port, too.
-#
-listen {
-  type  = acct
-  ipaddr = PH_IP_ALICE 
-  port = 0
-}
-
-#  hostname_lookups: Log the names of clients or just their IP addresses
-hostname_lookups = no
-
-#  Core dumps are a bad thing.  This should only be set to 'yes'
-allow_core_dumps = no
-
-#  Regular expressions
-regular_expressions = yes
-extended_expressions = yes
-
-#  Logging section.  The various "log_*" configuration items
-log {
-  destination = files
-  file = ${logdir}/radius.log
-  syslog_facility = daemon
-  stripped_names = no
-  auth = yes 
-  auth_badpass = yes 
-  auth_goodpass = yes 
-}
-
-#  The program to execute to do concurrency checks.
-checkrad = ${sbindir}/checkrad
-
-#  Security considerations
-security {
-  max_attributes = 200
-  reject_delay = 1
-  status_server = yes
-}
-
-# PROXY CONFIGURATION
-proxy_requests = yes
-$INCLUDE proxy.conf
-
-# CLIENTS CONFIGURATION
-$INCLUDE clients.conf
-
-# THREAD POOL CONFIGURATION
-thread pool {
-  start_servers = 5
-  max_servers = 32
-  min_spare_servers = 3
-  max_spare_servers = 10
-  max_requests_per_server = 0
-}
-
-# MODULE CONFIGURATION
-modules {
-  $INCLUDE ${confdir}/modules/
-  $INCLUDE eap.conf
-  $INCLUDE sql.conf
-  $INCLUDE sql/mysql/counter.conf
-}
-
-# Instantiation
-instantiate {
-  exec
-  expr
-  expiration
-  logintime
-}
-
-# Policies
-$INCLUDE policy.conf
-
-# Include all enabled virtual hosts
-$INCLUDE sites-enabled/
diff --git a/testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/raddb/sites-available/default b/testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/raddb/sites-available/default
deleted file mode 100644
index 802fcfd8d..000000000
--- a/testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/raddb/sites-available/default
+++ /dev/null
@@ -1,44 +0,0 @@
-authorize {
-  suffix
-  eap {
-    ok = return
-  }
-  files
-}
-
-authenticate {
-  eap
-}
-
-preacct {
-  preprocess
-  acct_unique
-  suffix
-  files
-}
-
-accounting {
-  detail
-  unix
-  radutmp
-  attr_filter.accounting_response
-}
-
-session {
-  radutmp
-}
-
-post-auth {
-  exec
-  Post-Auth-Type REJECT {
-    attr_filter.access_reject
-  }
-}
-
-pre-proxy {
-}
-
-post-proxy {
-  eap
-}
-
diff --git a/testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/raddb/users b/testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/raddb/users
deleted file mode 100644
index 247b918e3..000000000
--- a/testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/raddb/users
+++ /dev/null
@@ -1 +0,0 @@
-carol	Cleartext-Password := "Ar3etTnp"
diff --git a/testing/tests/ikev2/rw-eap-md5-radius/hosts/moon/etc/init.d/iptables b/testing/tests/ikev2/rw-eap-md5-radius/hosts/moon/etc/init.d/iptables
deleted file mode 100755
index 56587b2e8..000000000
--- a/testing/tests/ikev2/rw-eap-md5-radius/hosts/moon/etc/init.d/iptables
+++ /dev/null
@@ -1,84 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# enable IP forwarding
-	echo 1 > /proc/sys/net/ipv4/ip_forward
-	
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	# allow esp
-	iptables -A INPUT  -i eth0 -p 50 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-	# allow IKE
-	iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
-	# allow MobIKE
-	iptables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-	# allow crl fetch from winnetou
-	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
-	# allow RADIUS protocol with alice
-	iptables -A INPUT  -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT
-	iptables -A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/ikev2/rw-eap-md5-radius/hosts/moon/etc/iptables.rules b/testing/tests/ikev2/rw-eap-md5-radius/hosts/moon/etc/iptables.rules
new file mode 100644
index 000000000..1eb755354
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-md5-radius/hosts/moon/etc/iptables.rules
@@ -0,0 +1,32 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow esp
+-A INPUT  -i eth0 -p 50 -j ACCEPT
+-A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+# allow IKE
+-A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT  -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+# allow RADIUS protocol with alice
+-A INPUT  -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT
+-A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/ikev2/rw-eap-md5-radius/posttest.dat b/testing/tests/ikev2/rw-eap-md5-radius/posttest.dat
index 920d6a20d..181949fb5 100644
--- a/testing/tests/ikev2/rw-eap-md5-radius/posttest.dat
+++ b/testing/tests/ikev2/rw-eap-md5-radius/posttest.dat
@@ -1,5 +1,5 @@
 moon::ipsec stop
 carol::ipsec stop
-alice::/etc/init.d/radiusd stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
+alice::killall radiusd
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/rw-eap-md5-radius/pretest.dat b/testing/tests/ikev2/rw-eap-md5-radius/pretest.dat
index 280d62e3c..9adc43d3e 100644
--- a/testing/tests/ikev2/rw-eap-md5-radius/pretest.dat
+++ b/testing/tests/ikev2/rw-eap-md5-radius/pretest.dat
@@ -1,6 +1,6 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-alice::/etc/init.d/radiusd start 
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+alice::radiusd
 moon::ipsec start
 carol::ipsec start
 carol::sleep 1
diff --git a/testing/tests/ikev2/rw-eap-md5-radius/test.conf b/testing/tests/ikev2/rw-eap-md5-radius/test.conf
index e0d77b583..eb1e15dd2 100644
--- a/testing/tests/ikev2/rw-eap-md5-radius/test.conf
+++ b/testing/tests/ikev2/rw-eap-md5-radius/test.conf
@@ -1,26 +1,26 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice carol moon"
+VIRTHOSTS="alice carol moon"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
 
-# UML instances on which FreeRadius is started
+# Guest instances on which FreeRadius is started
 #
 RADIUSHOSTS="alice"
 
diff --git a/testing/tests/ikev2/rw-eap-md5-rsa/evaltest.dat b/testing/tests/ikev2/rw-eap-md5-rsa/evaltest.dat
index dd67704eb..84f41fd93 100644
--- a/testing/tests/ikev2/rw-eap-md5-rsa/evaltest.dat
+++ b/testing/tests/ikev2/rw-eap-md5-rsa/evaltest.dat
@@ -5,7 +5,7 @@ moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED.*moon.strongswan.org.*caro
 carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
 moon:: ipsec status 2> /dev/null::rw-eap.*INSTALLED, TUNNEL::YES
 carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
 
diff --git a/testing/tests/ikev2/rw-eap-md5-rsa/posttest.dat b/testing/tests/ikev2/rw-eap-md5-rsa/posttest.dat
index 94a400606..046d4cfdc 100644
--- a/testing/tests/ikev2/rw-eap-md5-rsa/posttest.dat
+++ b/testing/tests/ikev2/rw-eap-md5-rsa/posttest.dat
@@ -1,4 +1,4 @@
 moon::ipsec stop
 carol::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/rw-eap-md5-rsa/pretest.dat b/testing/tests/ikev2/rw-eap-md5-rsa/pretest.dat
index ed5498bfe..388339fb8 100644
--- a/testing/tests/ikev2/rw-eap-md5-rsa/pretest.dat
+++ b/testing/tests/ikev2/rw-eap-md5-rsa/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 carol::sleep 1
diff --git a/testing/tests/ikev2/rw-eap-md5-rsa/test.conf b/testing/tests/ikev2/rw-eap-md5-rsa/test.conf
index 2bd21499b..e093d43d8 100644
--- a/testing/tests/ikev2/rw-eap-md5-rsa/test.conf
+++ b/testing/tests/ikev2/rw-eap-md5-rsa/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice carol moon"
+VIRTHOSTS="alice carol moon"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/evaltest.dat b/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/evaltest.dat
index eafd09b80..010f48315 100644
--- a/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/evaltest.dat
+++ b/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/evaltest.dat
@@ -3,11 +3,11 @@ carol::cat /var/log/daemon.log::server requested EAP_MSCHAPV2 authentication::YE
 carol::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with EAP successful::YES
 moon:: cat /var/log/daemon.log::received EAP identity.*carol::YES
 moon:: cat /var/log/daemon.log::authentication of .*PH_IP_CAROL.* with EAP successful::YES
-moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED.*moon.strongswan.org.*\[192.168.0.100]::YES
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*\[192.168.0.100].*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED.*moon.strongswan.org.*\[PH_IP_CAROL]::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*\[PH_IP_CAROL].*moon.strongswan.org::YES
 moon:: ipsec status 2> /dev/null::rw-eap.*INSTALLED, TUNNEL::YES
 carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
 
diff --git a/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/posttest.dat b/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/posttest.dat
index 94a400606..046d4cfdc 100644
--- a/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/posttest.dat
+++ b/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/posttest.dat
@@ -1,4 +1,4 @@
 moon::ipsec stop
 carol::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/pretest.dat b/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/pretest.dat
index ed5498bfe..388339fb8 100644
--- a/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/pretest.dat
+++ b/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 carol::sleep 1
diff --git a/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/test.conf b/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/test.conf
index 2bd21499b..e093d43d8 100644
--- a/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/test.conf
+++ b/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice carol moon"
+VIRTHOSTS="alice carol moon"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/rw-eap-peap-md5/evaltest.dat b/testing/tests/ikev2/rw-eap-peap-md5/evaltest.dat
index 871d3b931..4ed5257b1 100644
--- a/testing/tests/ikev2/rw-eap-peap-md5/evaltest.dat
+++ b/testing/tests/ikev2/rw-eap-peap-md5/evaltest.dat
@@ -18,6 +18,6 @@ moon:: ipsec status 2> /dev/null::rw-eap[{]1}.*INSTALLED, TUNNEL::YES
 moon:: ipsec status 2> /dev/null::rw-eap[{]2}.*INSTALLED::NO
 carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
 dave:: ipsec status 2> /dev/null::home.*INSTALLED::NO 
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/rw-eap-peap-md5/posttest.dat b/testing/tests/ikev2/rw-eap-peap-md5/posttest.dat
index 7cebd7f25..1865a1c60 100644
--- a/testing/tests/ikev2/rw-eap-peap-md5/posttest.dat
+++ b/testing/tests/ikev2/rw-eap-peap-md5/posttest.dat
@@ -1,6 +1,6 @@
 moon::ipsec stop
 carol::ipsec stop
 dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/rw-eap-peap-md5/pretest.dat b/testing/tests/ikev2/rw-eap-peap-md5/pretest.dat
index 369596177..17f1b5f2b 100644
--- a/testing/tests/ikev2/rw-eap-peap-md5/pretest.dat
+++ b/testing/tests/ikev2/rw-eap-peap-md5/pretest.dat
@@ -1,6 +1,6 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
diff --git a/testing/tests/ikev2/rw-eap-peap-md5/test.conf b/testing/tests/ikev2/rw-eap-peap-md5/test.conf
index 70416826e..f29298850 100644
--- a/testing/tests/ikev2/rw-eap-peap-md5/test.conf
+++ b/testing/tests/ikev2/rw-eap-peap-md5/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev2/rw-eap-peap-mschapv2/evaltest.dat b/testing/tests/ikev2/rw-eap-peap-mschapv2/evaltest.dat
index 643b2c39d..fc75e1c9a 100644
--- a/testing/tests/ikev2/rw-eap-peap-mschapv2/evaltest.dat
+++ b/testing/tests/ikev2/rw-eap-peap-mschapv2/evaltest.dat
@@ -14,6 +14,6 @@ moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED.*moon.strongswan.org.*caro
 moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED.*moon.strongswan.org.*dave@stronswan.org::NO
 carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
 dave:: ipsec status 2> /dev/null::home.*ESTABLISHED::NO
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/rw-eap-peap-mschapv2/posttest.dat b/testing/tests/ikev2/rw-eap-peap-mschapv2/posttest.dat
index 7cebd7f25..1865a1c60 100644
--- a/testing/tests/ikev2/rw-eap-peap-mschapv2/posttest.dat
+++ b/testing/tests/ikev2/rw-eap-peap-mschapv2/posttest.dat
@@ -1,6 +1,6 @@
 moon::ipsec stop
 carol::ipsec stop
 dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/rw-eap-peap-mschapv2/pretest.dat b/testing/tests/ikev2/rw-eap-peap-mschapv2/pretest.dat
index 369596177..17f1b5f2b 100644
--- a/testing/tests/ikev2/rw-eap-peap-mschapv2/pretest.dat
+++ b/testing/tests/ikev2/rw-eap-peap-mschapv2/pretest.dat
@@ -1,6 +1,6 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
diff --git a/testing/tests/ikev2/rw-eap-peap-mschapv2/test.conf b/testing/tests/ikev2/rw-eap-peap-mschapv2/test.conf
index 70416826e..f29298850 100644
--- a/testing/tests/ikev2/rw-eap-peap-mschapv2/test.conf
+++ b/testing/tests/ikev2/rw-eap-peap-mschapv2/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev2/rw-eap-peap-radius/evaltest.dat b/testing/tests/ikev2/rw-eap-peap-radius/evaltest.dat
index 81244bd85..95c29b7f5 100644
--- a/testing/tests/ikev2/rw-eap-peap-radius/evaltest.dat
+++ b/testing/tests/ikev2/rw-eap-peap-radius/evaltest.dat
@@ -14,6 +14,6 @@ moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED.*moon.strongswan.org.*caro
 moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::NO
 carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
 dave:: ipsec status 2> /dev/null::home.*ESTABLISHED::NO
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/freeradius/eap.conf b/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/freeradius/eap.conf
new file mode 100644
index 000000000..11d3e2acd
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/freeradius/eap.conf
@@ -0,0 +1,18 @@
+eap {
+  md5 {
+  }
+  default_eap_type = peap
+  tls {
+    private_key_file = /etc/raddb/certs/aaaKey.pem
+    certificate_file = /etc/raddb/certs/aaaCert.pem
+    CA_file = /etc/raddb/certs/strongswanCert.pem
+    cipher_list = "DEFAULT"
+    dh_file = /etc/raddb/certs/dh
+    random_file = /etc/raddb/certs/random
+  }
+  peap {
+    default_eap_type = md5
+    use_tunneled_reply = yes
+    virtual_server = "inner-tunnel"
+  }
+}
diff --git a/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/freeradius/proxy.conf b/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/freeradius/proxy.conf
new file mode 100644
index 000000000..23cba8d11
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/freeradius/proxy.conf
@@ -0,0 +1,5 @@
+realm strongswan.org {
+  type     = radius
+  authhost = LOCAL
+  accthost = LOCAL
+}
diff --git a/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/freeradius/sites-available/default b/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/freeradius/sites-available/default
new file mode 100644
index 000000000..dd0825858
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/freeradius/sites-available/default
@@ -0,0 +1,43 @@
+authorize {
+  suffix
+  eap {
+    ok = return
+  }
+  files
+}
+
+authenticate {
+  eap
+}
+
+preacct {
+  preprocess
+  acct_unique
+  suffix
+  files
+}
+
+accounting {
+  detail
+  unix
+  radutmp
+  attr_filter.accounting_response
+}
+
+session {
+  radutmp
+}
+
+post-auth {
+  exec
+  Post-Auth-Type REJECT {
+    attr_filter.access_reject
+  }
+}
+
+pre-proxy {
+}
+
+post-proxy {
+  eap
+}
diff --git a/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/freeradius/sites-available/inner-tunnel b/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/freeradius/sites-available/inner-tunnel
new file mode 100644
index 000000000..e088fae14
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/freeradius/sites-available/inner-tunnel
@@ -0,0 +1,32 @@
+server inner-tunnel {
+
+authorize {
+	suffix
+	eap {
+		ok = return
+	}
+	files
+}
+
+authenticate {
+	eap
+}
+
+session {
+	radutmp
+}
+
+post-auth {
+	Post-Auth-Type REJECT {
+		attr_filter.access_reject
+	}
+}
+
+pre-proxy {
+}
+
+post-proxy {
+	eap
+}
+
+} # inner-tunnel server block
diff --git a/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/freeradius/users b/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/freeradius/users
new file mode 100644
index 000000000..50ccf3e76
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/freeradius/users
@@ -0,0 +1,2 @@
+carol	Cleartext-Password := "Ar3etTnp"
+dave	Cleartext-Password := "W7R0g3do"
diff --git a/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/raddb/clients.conf b/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/raddb/clients.conf
deleted file mode 100644
index f4e179aa4..000000000
--- a/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/raddb/clients.conf
+++ /dev/null
@@ -1,4 +0,0 @@
-client PH_IP_MOON1 {
-  secret    = gv6URkSs 
-  shortname = moon
-}
diff --git a/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/raddb/eap.conf b/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/raddb/eap.conf
deleted file mode 100644
index df50901d5..000000000
--- a/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/raddb/eap.conf
+++ /dev/null
@@ -1,18 +0,0 @@
-eap {
-  md5 {
-  }
-  default_eap_type = peap 
-  tls {
-    private_key_file = /etc/raddb/certs/aaaKey.pem
-    certificate_file = /etc/raddb/certs/aaaCert.pem
-    CA_file = /etc/raddb/certs/strongswanCert.pem
-    cipher_list = "DEFAULT"
-    dh_file = /etc/raddb/certs/dh
-    random_file = /etc/raddb/certs/random
-  }
-  peap {
-    default_eap_type = md5
-    use_tunneled_reply = yes
-    virtual_server = "inner-tunnel"
-  }
-}
diff --git a/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/raddb/proxy.conf b/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/raddb/proxy.conf
deleted file mode 100644
index 23cba8d11..000000000
--- a/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/raddb/proxy.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-realm strongswan.org {
-  type     = radius
-  authhost = LOCAL
-  accthost = LOCAL
-}
diff --git a/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/raddb/radiusd.conf b/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/raddb/radiusd.conf
deleted file mode 100644
index 1143a0473..000000000
--- a/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/raddb/radiusd.conf
+++ /dev/null
@@ -1,120 +0,0 @@
-# radiusd.conf	-- FreeRADIUS server configuration file.
-
-prefix = /usr
-exec_prefix = ${prefix}
-sysconfdir = /etc
-localstatedir = /var
-sbindir = ${exec_prefix}/sbin
-logdir = ${localstatedir}/log/radius
-raddbdir = ${sysconfdir}/raddb
-radacctdir = ${logdir}/radacct
-
-#  name of the running server.  See also the "-n" command-line option.
-name = radiusd
-
-#  Location of config and logfiles.
-confdir = ${raddbdir}
-run_dir = ${localstatedir}/run/radiusd
-
-# Should likely be ${localstatedir}/lib/radiusd
-db_dir = ${raddbdir}
-
-# libdir: Where to find the rlm_* modules.
-libdir = ${exec_prefix}/lib
-
-#  pidfile: Where to place the PID of the RADIUS server.
-pidfile = ${run_dir}/${name}.pid
-
-#  max_request_time: The maximum time (in seconds) to handle a request.
-max_request_time = 30
-
-#  cleanup_delay: The time to wait (in seconds) before cleaning up
-cleanup_delay = 5
-
-#  max_requests: The maximum number of requests which the server keeps
-max_requests = 1024
-
-#  listen: Make the server listen on a particular IP address, and send
-listen {
-  type = auth
-  ipaddr = PH_IP_ALICE 
-  port = 0
-}
-
-#  This second "listen" section is for listening on the accounting
-#  port, too.
-#
-listen {
-  type  = acct
-  ipaddr = PH_IP_ALICE 
-  port = 0
-}
-
-#  hostname_lookups: Log the names of clients or just their IP addresses
-hostname_lookups = no
-
-#  Core dumps are a bad thing.  This should only be set to 'yes'
-allow_core_dumps = no
-
-#  Regular expressions
-regular_expressions = yes
-extended_expressions = yes
-
-#  Logging section.  The various "log_*" configuration items
-log {
-  destination = files
-  file = ${logdir}/radius.log
-  syslog_facility = daemon
-  stripped_names = no
-  auth = yes 
-  auth_badpass = yes 
-  auth_goodpass = yes 
-}
-
-#  The program to execute to do concurrency checks.
-checkrad = ${sbindir}/checkrad
-
-#  Security considerations
-security {
-  max_attributes = 200
-  reject_delay = 1
-  status_server = yes
-}
-
-# PROXY CONFIGURATION
-proxy_requests = yes
-$INCLUDE proxy.conf
-
-# CLIENTS CONFIGURATION
-$INCLUDE clients.conf
-
-# THREAD POOL CONFIGURATION
-thread pool {
-  start_servers = 5
-  max_servers = 32
-  min_spare_servers = 3
-  max_spare_servers = 10
-  max_requests_per_server = 0
-}
-
-# MODULE CONFIGURATION
-modules {
-  $INCLUDE ${confdir}/modules/
-  $INCLUDE eap.conf
-  $INCLUDE sql.conf
-  $INCLUDE sql/mysql/counter.conf
-}
-
-# Instantiation
-instantiate {
-  exec
-  expr
-  expiration
-  logintime
-}
-
-# Policies
-$INCLUDE policy.conf
-
-# Include all enabled virtual hosts
-$INCLUDE sites-enabled/
diff --git a/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/raddb/sites-available/default b/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/raddb/sites-available/default
deleted file mode 100644
index 802fcfd8d..000000000
--- a/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/raddb/sites-available/default
+++ /dev/null
@@ -1,44 +0,0 @@
-authorize {
-  suffix
-  eap {
-    ok = return
-  }
-  files
-}
-
-authenticate {
-  eap
-}
-
-preacct {
-  preprocess
-  acct_unique
-  suffix
-  files
-}
-
-accounting {
-  detail
-  unix
-  radutmp
-  attr_filter.accounting_response
-}
-
-session {
-  radutmp
-}
-
-post-auth {
-  exec
-  Post-Auth-Type REJECT {
-    attr_filter.access_reject
-  }
-}
-
-pre-proxy {
-}
-
-post-proxy {
-  eap
-}
-
diff --git a/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/raddb/sites-available/inner-tunnel b/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/raddb/sites-available/inner-tunnel
deleted file mode 100644
index e088fae14..000000000
--- a/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/raddb/sites-available/inner-tunnel
+++ /dev/null
@@ -1,32 +0,0 @@
-server inner-tunnel {
-
-authorize {
-	suffix
-	eap {
-		ok = return
-	}
-	files
-}
-
-authenticate {
-	eap
-}
-
-session {
-	radutmp
-}
-
-post-auth {
-	Post-Auth-Type REJECT {
-		attr_filter.access_reject
-	}
-}
-
-pre-proxy {
-}
-
-post-proxy {
-	eap
-}
-
-} # inner-tunnel server block
diff --git a/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/raddb/users b/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/raddb/users
deleted file mode 100644
index 50ccf3e76..000000000
--- a/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/raddb/users
+++ /dev/null
@@ -1,2 +0,0 @@
-carol	Cleartext-Password := "Ar3etTnp"
-dave	Cleartext-Password := "W7R0g3do"
diff --git a/testing/tests/ikev2/rw-eap-peap-radius/hosts/moon/etc/init.d/iptables b/testing/tests/ikev2/rw-eap-peap-radius/hosts/moon/etc/init.d/iptables
deleted file mode 100755
index 56587b2e8..000000000
--- a/testing/tests/ikev2/rw-eap-peap-radius/hosts/moon/etc/init.d/iptables
+++ /dev/null
@@ -1,84 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# enable IP forwarding
-	echo 1 > /proc/sys/net/ipv4/ip_forward
-	
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	# allow esp
-	iptables -A INPUT  -i eth0 -p 50 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-	# allow IKE
-	iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
-	# allow MobIKE
-	iptables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-	# allow crl fetch from winnetou
-	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
-	# allow RADIUS protocol with alice
-	iptables -A INPUT  -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT
-	iptables -A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/ikev2/rw-eap-peap-radius/hosts/moon/etc/iptables.rules b/testing/tests/ikev2/rw-eap-peap-radius/hosts/moon/etc/iptables.rules
new file mode 100644
index 000000000..1eb755354
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-peap-radius/hosts/moon/etc/iptables.rules
@@ -0,0 +1,32 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow esp
+-A INPUT  -i eth0 -p 50 -j ACCEPT
+-A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+# allow IKE
+-A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT  -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+# allow RADIUS protocol with alice
+-A INPUT  -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT
+-A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/ikev2/rw-eap-peap-radius/posttest.dat b/testing/tests/ikev2/rw-eap-peap-radius/posttest.dat
index dbe56013a..670d2e72f 100644
--- a/testing/tests/ikev2/rw-eap-peap-radius/posttest.dat
+++ b/testing/tests/ikev2/rw-eap-peap-radius/posttest.dat
@@ -1,7 +1,7 @@
 moon::ipsec stop
 carol::ipsec stop
 dave::ipsec stop
-alice::/etc/init.d/radiusd stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+alice::killall radiusd
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/rw-eap-peap-radius/pretest.dat b/testing/tests/ikev2/rw-eap-peap-radius/pretest.dat
index cbe1ae229..3e7fc0bb1 100644
--- a/testing/tests/ikev2/rw-eap-peap-radius/pretest.dat
+++ b/testing/tests/ikev2/rw-eap-peap-radius/pretest.dat
@@ -1,7 +1,7 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
-alice::/etc/init.d/radiusd start 
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
+alice::radiusd
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
diff --git a/testing/tests/ikev2/rw-eap-peap-radius/test.conf b/testing/tests/ikev2/rw-eap-peap-radius/test.conf
index e6a786a94..20d586309 100644
--- a/testing/tests/ikev2/rw-eap-peap-radius/test.conf
+++ b/testing/tests/ikev2/rw-eap-peap-radius/test.conf
@@ -1,26 +1,26 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice carol winnetou dave moon"
+VIRTHOSTS="alice carol winnetou dave moon"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
 
-# UML instances on which FreeRadius is started
+# Guest instances on which FreeRadius is started
 #
 RADIUSHOSTS="alice"
 
diff --git a/testing/tests/ikev2/rw-eap-sim-id-radius/evaltest.dat b/testing/tests/ikev2/rw-eap-sim-id-radius/evaltest.dat
index 7f1def4a5..f1a68bc19 100644
--- a/testing/tests/ikev2/rw-eap-sim-id-radius/evaltest.dat
+++ b/testing/tests/ikev2/rw-eap-sim-id-radius/evaltest.dat
@@ -7,6 +7,6 @@ moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED.*moon.strongswan.org.*caro
 carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
 moon:: ipsec status 2> /dev/null::rw-eap.*INSTALLED, TUNNEL::YES
 carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/eap.conf b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/eap.conf
new file mode 100644
index 000000000..7d8023951
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/eap.conf
@@ -0,0 +1,5 @@
+eap {
+  default_eap_type = sim
+  sim {
+  }
+}
diff --git a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/modules/sim_files b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/modules/sim_files
new file mode 100644
index 000000000..10c26aa15
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/modules/sim_files
@@ -0,0 +1,3 @@
+sim_files {
+	simtriplets = "/etc/freeradius/triplets.dat"
+}
diff --git a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/proxy.conf b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/proxy.conf
new file mode 100644
index 000000000..783587b55
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/proxy.conf
@@ -0,0 +1,5 @@
+realm LOCAL {
+  type     = radius
+  authhost = LOCAL
+  accthost = LOCAL
+}
diff --git a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/sites-available/default b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/sites-available/default
new file mode 100644
index 000000000..893529324
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/sites-available/default
@@ -0,0 +1,42 @@
+authorize {
+  sim_files
+  eap {
+    ok = return
+  }
+}
+
+authenticate {
+  eap
+}
+
+preacct {
+  preprocess
+  acct_unique
+  suffix
+  files
+}
+
+accounting {
+  detail
+  unix
+  radutmp
+  attr_filter.accounting_response
+}
+
+session {
+  radutmp
+}
+
+post-auth {
+  exec
+  Post-Auth-Type REJECT {
+    attr_filter.access_reject
+  }
+}
+
+pre-proxy {
+}
+
+post-proxy {
+  eap
+}
diff --git a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/triplets.dat b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/triplets.dat
new file mode 100644
index 000000000..c167ba940
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/triplets.dat
@@ -0,0 +1,3 @@
+228060123456001,30000000000000000000000000000000,30112233,305566778899AABB
+228060123456001,31000000000000000000000000000000,31112233,315566778899AABB
+228060123456001,32000000000000000000000000000000,32112233,325566778899AABB
diff --git a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/users b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/users
new file mode 100644
index 000000000..e69de29bb
diff --git a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/raddb/clients.conf b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/raddb/clients.conf
deleted file mode 100644
index f4e179aa4..000000000
--- a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/raddb/clients.conf
+++ /dev/null
@@ -1,4 +0,0 @@
-client PH_IP_MOON1 {
-  secret    = gv6URkSs 
-  shortname = moon
-}
diff --git a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/raddb/eap.conf b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/raddb/eap.conf
deleted file mode 100644
index a2020424e..000000000
--- a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/raddb/eap.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-eap {
-  default_eap_type = sim 
-  sim {
-  }
-}
diff --git a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/raddb/proxy.conf b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/raddb/proxy.conf
deleted file mode 100644
index 783587b55..000000000
--- a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/raddb/proxy.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-realm LOCAL {
-  type     = radius
-  authhost = LOCAL
-  accthost = LOCAL
-}
diff --git a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/raddb/radiusd.conf b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/raddb/radiusd.conf
deleted file mode 100644
index d77b818fe..000000000
--- a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/raddb/radiusd.conf
+++ /dev/null
@@ -1,123 +0,0 @@
-# radiusd.conf	-- FreeRADIUS server configuration file.
-
-prefix = /usr
-exec_prefix = ${prefix}
-sysconfdir = /etc
-localstatedir = /var
-sbindir = ${exec_prefix}/sbin
-logdir = ${localstatedir}/log/radius
-raddbdir = ${sysconfdir}/raddb
-radacctdir = ${logdir}/radacct
-
-#  name of the running server.  See also the "-n" command-line option.
-name = radiusd
-
-#  Location of config and logfiles.
-confdir = ${raddbdir}
-run_dir = ${localstatedir}/run/radiusd
-
-# Should likely be ${localstatedir}/lib/radiusd
-db_dir = ${raddbdir}
-
-# libdir: Where to find the rlm_* modules.
-libdir = ${exec_prefix}/lib
-
-#  pidfile: Where to place the PID of the RADIUS server.
-pidfile = ${run_dir}/${name}.pid
-
-#  max_request_time: The maximum time (in seconds) to handle a request.
-max_request_time = 30
-
-#  cleanup_delay: The time to wait (in seconds) before cleaning up
-cleanup_delay = 5
-
-#  max_requests: The maximum number of requests which the server keeps
-max_requests = 1024
-
-#  listen: Make the server listen on a particular IP address, and send
-listen {
-  type = auth
-  ipaddr = PH_IP_ALICE 
-  port = 0
-}
-
-#  This second "listen" section is for listening on the accounting
-#  port, too.
-#
-listen {
-  type  = acct
-  ipaddr = PH_IP_ALICE 
-  port = 0
-}
-
-#  hostname_lookups: Log the names of clients or just their IP addresses
-hostname_lookups = no
-
-#  Core dumps are a bad thing.  This should only be set to 'yes'
-allow_core_dumps = no
-
-#  Regular expressions
-regular_expressions = yes
-extended_expressions = yes
-
-#  Logging section.  The various "log_*" configuration items
-log {
-  destination = files
-  file = ${logdir}/radius.log
-  syslog_facility = daemon
-  stripped_names = no
-  auth = yes 
-  auth_badpass = yes 
-  auth_goodpass = yes 
-}
-
-#  The program to execute to do concurrency checks.
-checkrad = ${sbindir}/checkrad
-
-#  Security considerations
-security {
-  max_attributes = 200
-  reject_delay = 1
-  status_server = yes
-}
-
-# PROXY CONFIGURATION
-proxy_requests = yes
-$INCLUDE proxy.conf
-
-# CLIENTS CONFIGURATION
-$INCLUDE clients.conf
-
-# THREAD POOL CONFIGURATION
-thread pool {
-  start_servers = 5
-  max_servers = 32
-  min_spare_servers = 3
-  max_spare_servers = 10
-  max_requests_per_server = 0
-}
-
-# MODULE CONFIGURATION
-modules {
-  $INCLUDE ${confdir}/modules/
-  $INCLUDE eap.conf
-  $INCLUDE sql.conf
-  $INCLUDE sql/mysql/counter.conf
-  sim_files {
-    simtriplets = "/etc/raddb/triplets.dat"
-  }
-}
-
-# Instantiation
-instantiate {
-  exec
-  expr
-  expiration
-  logintime
-}
-
-# Policies
-$INCLUDE policy.conf
-
-# Include all enabled virtual hosts
-$INCLUDE sites-enabled/
diff --git a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/raddb/sites-available/default b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/raddb/sites-available/default
deleted file mode 100644
index 92896b11e..000000000
--- a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/raddb/sites-available/default
+++ /dev/null
@@ -1,43 +0,0 @@
-authorize {
-  sim_files
-  eap {
-    ok = return
-  }
-}
-
-authenticate {
-  eap
-}
-
-preacct {
-  preprocess
-  acct_unique
-  suffix
-  files
-}
-
-accounting {
-  detail
-  unix
-  radutmp
-  attr_filter.accounting_response
-}
-
-session {
-  radutmp
-}
-
-post-auth {
-  exec
-  Post-Auth-Type REJECT {
-    attr_filter.access_reject
-  }
-}
-
-pre-proxy {
-}
-
-post-proxy {
-  eap
-}
-
diff --git a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/raddb/triplets.dat b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/raddb/triplets.dat
deleted file mode 100644
index c167ba940..000000000
--- a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/raddb/triplets.dat
+++ /dev/null
@@ -1,3 +0,0 @@
-228060123456001,30000000000000000000000000000000,30112233,305566778899AABB
-228060123456001,31000000000000000000000000000000,31112233,315566778899AABB
-228060123456001,32000000000000000000000000000000,32112233,325566778899AABB
diff --git a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/raddb/users b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/raddb/users
deleted file mode 100644
index e69de29bb..000000000
diff --git a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/moon/etc/init.d/iptables b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/moon/etc/init.d/iptables
deleted file mode 100755
index 56587b2e8..000000000
--- a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/moon/etc/init.d/iptables
+++ /dev/null
@@ -1,84 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# enable IP forwarding
-	echo 1 > /proc/sys/net/ipv4/ip_forward
-	
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	# allow esp
-	iptables -A INPUT  -i eth0 -p 50 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-	# allow IKE
-	iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
-	# allow MobIKE
-	iptables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-	# allow crl fetch from winnetou
-	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
-	# allow RADIUS protocol with alice
-	iptables -A INPUT  -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT
-	iptables -A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/moon/etc/iptables.rules b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/moon/etc/iptables.rules
new file mode 100644
index 000000000..1eb755354
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/moon/etc/iptables.rules
@@ -0,0 +1,32 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow esp
+-A INPUT  -i eth0 -p 50 -j ACCEPT
+-A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+# allow IKE
+-A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT  -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+# allow RADIUS protocol with alice
+-A INPUT  -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT
+-A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/ikev2/rw-eap-sim-id-radius/posttest.dat b/testing/tests/ikev2/rw-eap-sim-id-radius/posttest.dat
index 920d6a20d..181949fb5 100644
--- a/testing/tests/ikev2/rw-eap-sim-id-radius/posttest.dat
+++ b/testing/tests/ikev2/rw-eap-sim-id-radius/posttest.dat
@@ -1,5 +1,5 @@
 moon::ipsec stop
 carol::ipsec stop
-alice::/etc/init.d/radiusd stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
+alice::killall radiusd
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/rw-eap-sim-id-radius/pretest.dat b/testing/tests/ikev2/rw-eap-sim-id-radius/pretest.dat
index 0da980c07..b9117af36 100644
--- a/testing/tests/ikev2/rw-eap-sim-id-radius/pretest.dat
+++ b/testing/tests/ikev2/rw-eap-sim-id-radius/pretest.dat
@@ -1,7 +1,7 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-alice::cat /etc/raddb/triplets.dat
-alice::/etc/init.d/radiusd start
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+alice::cat /etc/freeradius/triplets.dat
+alice::radiusd
 moon::ipsec start
 carol::ipsec start
 carol::sleep 1
diff --git a/testing/tests/ikev2/rw-eap-sim-id-radius/test.conf b/testing/tests/ikev2/rw-eap-sim-id-radius/test.conf
index e0d77b583..eb1e15dd2 100644
--- a/testing/tests/ikev2/rw-eap-sim-id-radius/test.conf
+++ b/testing/tests/ikev2/rw-eap-sim-id-radius/test.conf
@@ -1,26 +1,26 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice carol moon"
+VIRTHOSTS="alice carol moon"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
 
-# UML instances on which FreeRadius is started
+# Guest instances on which FreeRadius is started
 #
 RADIUSHOSTS="alice"
 
diff --git a/testing/tests/ikev2/rw-eap-sim-only-radius/evaltest.dat b/testing/tests/ikev2/rw-eap-sim-only-radius/evaltest.dat
index f2654766a..f434ddfc6 100644
--- a/testing/tests/ikev2/rw-eap-sim-only-radius/evaltest.dat
+++ b/testing/tests/ikev2/rw-eap-sim-only-radius/evaltest.dat
@@ -4,7 +4,7 @@ carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP
 moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
 moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
 carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
 moon:: cat /var/log/daemon.log::RADIUS authentication of 'dave@strongswan.org' failed::YES
@@ -12,4 +12,4 @@ moon:: cat /var/log/daemon.log::EAP method EAP_SIM failed for peer dave@strongsw
 moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::NO
 dave:: cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES
 dave:: ipsec status 2> /dev/null::home.*ESTABLISHED::NO
-dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::NO
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::NO
diff --git a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/eap.conf b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/eap.conf
new file mode 100644
index 000000000..7d8023951
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/eap.conf
@@ -0,0 +1,5 @@
+eap {
+  default_eap_type = sim
+  sim {
+  }
+}
diff --git a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/modules/sim_files b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/modules/sim_files
new file mode 100644
index 000000000..10c26aa15
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/modules/sim_files
@@ -0,0 +1,3 @@
+sim_files {
+	simtriplets = "/etc/freeradius/triplets.dat"
+}
diff --git a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/proxy.conf b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/proxy.conf
new file mode 100644
index 000000000..23cba8d11
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/proxy.conf
@@ -0,0 +1,5 @@
+realm strongswan.org {
+  type     = radius
+  authhost = LOCAL
+  accthost = LOCAL
+}
diff --git a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/sites-available/default b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/sites-available/default
new file mode 100644
index 000000000..fbdf75f4c
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/sites-available/default
@@ -0,0 +1,43 @@
+authorize {
+  sim_files
+  suffix
+  eap {
+    ok = return
+  }
+}
+
+authenticate {
+  eap
+}
+
+preacct {
+  preprocess
+  acct_unique
+  suffix
+  files
+}
+
+accounting {
+  detail
+  unix
+  radutmp
+  attr_filter.accounting_response
+}
+
+session {
+  radutmp
+}
+
+post-auth {
+  exec
+  Post-Auth-Type REJECT {
+    attr_filter.access_reject
+  }
+}
+
+pre-proxy {
+}
+
+post-proxy {
+  eap
+}
diff --git a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/triplets.dat b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/triplets.dat
new file mode 100644
index 000000000..3e9a644eb
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/triplets.dat
@@ -0,0 +1,6 @@
+carol@strongswan.org,30000000000000000000000000000000,30112233,305566778899AABB
+carol@strongswan.org,31000000000000000000000000000000,31112233,315566778899AABB
+carol@strongswan.org,32000000000000000000000000000000,32112233,325566778899AABB
+dave@strongswan.org,33000000000000000000000000000000,33112233,335566778899AABB
+dave@strongswan.org,34000000000000000000000000000000,34112233,345566778899AABB
+dave@strongswan.org,35000000000000000000000000000000,35112233,355566778899AABB
diff --git a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/users b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/users
new file mode 100644
index 000000000..e69de29bb
diff --git a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/raddb/clients.conf b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/raddb/clients.conf
deleted file mode 100644
index f4e179aa4..000000000
--- a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/raddb/clients.conf
+++ /dev/null
@@ -1,4 +0,0 @@
-client PH_IP_MOON1 {
-  secret    = gv6URkSs 
-  shortname = moon
-}
diff --git a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/raddb/eap.conf b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/raddb/eap.conf
deleted file mode 100644
index a2020424e..000000000
--- a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/raddb/eap.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-eap {
-  default_eap_type = sim 
-  sim {
-  }
-}
diff --git a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/raddb/proxy.conf b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/raddb/proxy.conf
deleted file mode 100644
index 23cba8d11..000000000
--- a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/raddb/proxy.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-realm strongswan.org {
-  type     = radius
-  authhost = LOCAL
-  accthost = LOCAL
-}
diff --git a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/raddb/radiusd.conf b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/raddb/radiusd.conf
deleted file mode 100644
index d77b818fe..000000000
--- a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/raddb/radiusd.conf
+++ /dev/null
@@ -1,123 +0,0 @@
-# radiusd.conf	-- FreeRADIUS server configuration file.
-
-prefix = /usr
-exec_prefix = ${prefix}
-sysconfdir = /etc
-localstatedir = /var
-sbindir = ${exec_prefix}/sbin
-logdir = ${localstatedir}/log/radius
-raddbdir = ${sysconfdir}/raddb
-radacctdir = ${logdir}/radacct
-
-#  name of the running server.  See also the "-n" command-line option.
-name = radiusd
-
-#  Location of config and logfiles.
-confdir = ${raddbdir}
-run_dir = ${localstatedir}/run/radiusd
-
-# Should likely be ${localstatedir}/lib/radiusd
-db_dir = ${raddbdir}
-
-# libdir: Where to find the rlm_* modules.
-libdir = ${exec_prefix}/lib
-
-#  pidfile: Where to place the PID of the RADIUS server.
-pidfile = ${run_dir}/${name}.pid
-
-#  max_request_time: The maximum time (in seconds) to handle a request.
-max_request_time = 30
-
-#  cleanup_delay: The time to wait (in seconds) before cleaning up
-cleanup_delay = 5
-
-#  max_requests: The maximum number of requests which the server keeps
-max_requests = 1024
-
-#  listen: Make the server listen on a particular IP address, and send
-listen {
-  type = auth
-  ipaddr = PH_IP_ALICE 
-  port = 0
-}
-
-#  This second "listen" section is for listening on the accounting
-#  port, too.
-#
-listen {
-  type  = acct
-  ipaddr = PH_IP_ALICE 
-  port = 0
-}
-
-#  hostname_lookups: Log the names of clients or just their IP addresses
-hostname_lookups = no
-
-#  Core dumps are a bad thing.  This should only be set to 'yes'
-allow_core_dumps = no
-
-#  Regular expressions
-regular_expressions = yes
-extended_expressions = yes
-
-#  Logging section.  The various "log_*" configuration items
-log {
-  destination = files
-  file = ${logdir}/radius.log
-  syslog_facility = daemon
-  stripped_names = no
-  auth = yes 
-  auth_badpass = yes 
-  auth_goodpass = yes 
-}
-
-#  The program to execute to do concurrency checks.
-checkrad = ${sbindir}/checkrad
-
-#  Security considerations
-security {
-  max_attributes = 200
-  reject_delay = 1
-  status_server = yes
-}
-
-# PROXY CONFIGURATION
-proxy_requests = yes
-$INCLUDE proxy.conf
-
-# CLIENTS CONFIGURATION
-$INCLUDE clients.conf
-
-# THREAD POOL CONFIGURATION
-thread pool {
-  start_servers = 5
-  max_servers = 32
-  min_spare_servers = 3
-  max_spare_servers = 10
-  max_requests_per_server = 0
-}
-
-# MODULE CONFIGURATION
-modules {
-  $INCLUDE ${confdir}/modules/
-  $INCLUDE eap.conf
-  $INCLUDE sql.conf
-  $INCLUDE sql/mysql/counter.conf
-  sim_files {
-    simtriplets = "/etc/raddb/triplets.dat"
-  }
-}
-
-# Instantiation
-instantiate {
-  exec
-  expr
-  expiration
-  logintime
-}
-
-# Policies
-$INCLUDE policy.conf
-
-# Include all enabled virtual hosts
-$INCLUDE sites-enabled/
diff --git a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/raddb/sites-available/default b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/raddb/sites-available/default
deleted file mode 100644
index 126d61d05..000000000
--- a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/raddb/sites-available/default
+++ /dev/null
@@ -1,44 +0,0 @@
-authorize {
-  sim_files
-  suffix
-  eap {
-    ok = return
-  }
-}
-
-authenticate {
-  eap
-}
-
-preacct {
-  preprocess
-  acct_unique
-  suffix
-  files
-}
-
-accounting {
-  detail
-  unix
-  radutmp
-  attr_filter.accounting_response
-}
-
-session {
-  radutmp
-}
-
-post-auth {
-  exec
-  Post-Auth-Type REJECT {
-    attr_filter.access_reject
-  }
-}
-
-pre-proxy {
-}
-
-post-proxy {
-  eap
-}
-
diff --git a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/raddb/triplets.dat b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/raddb/triplets.dat
deleted file mode 100644
index fd0eb19b9..000000000
--- a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/raddb/triplets.dat
+++ /dev/null
@@ -1,7 +0,0 @@
-carol@strongswan.org,30000000000000000000000000000000,30112233,305566778899AABB
-carol@strongswan.org,31000000000000000000000000000000,31112233,315566778899AABB
-carol@strongswan.org,32000000000000000000000000000000,32112233,325566778899AABB
-dave@strongswan.org,33000000000000000000000000000000,33112233,335566778899AABB
-dave@strongswan.org,34000000000000000000000000000000,34112233,345566778899AABB
-dave@strongswan.org,35000000000000000000000000000000,35112233,355566778899AABB
-
diff --git a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/raddb/users b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/raddb/users
deleted file mode 100644
index e69de29bb..000000000
diff --git a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/moon/etc/init.d/iptables b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/moon/etc/init.d/iptables
deleted file mode 100755
index 56587b2e8..000000000
--- a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/moon/etc/init.d/iptables
+++ /dev/null
@@ -1,84 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# enable IP forwarding
-	echo 1 > /proc/sys/net/ipv4/ip_forward
-	
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	# allow esp
-	iptables -A INPUT  -i eth0 -p 50 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-	# allow IKE
-	iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
-	# allow MobIKE
-	iptables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-	# allow crl fetch from winnetou
-	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
-	# allow RADIUS protocol with alice
-	iptables -A INPUT  -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT
-	iptables -A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/moon/etc/iptables.rules b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/moon/etc/iptables.rules
new file mode 100644
index 000000000..1eb755354
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/moon/etc/iptables.rules
@@ -0,0 +1,32 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow esp
+-A INPUT  -i eth0 -p 50 -j ACCEPT
+-A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+# allow IKE
+-A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT  -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+# allow RADIUS protocol with alice
+-A INPUT  -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT
+-A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/ikev2/rw-eap-sim-only-radius/posttest.dat b/testing/tests/ikev2/rw-eap-sim-only-radius/posttest.dat
index dbe56013a..670d2e72f 100644
--- a/testing/tests/ikev2/rw-eap-sim-only-radius/posttest.dat
+++ b/testing/tests/ikev2/rw-eap-sim-only-radius/posttest.dat
@@ -1,7 +1,7 @@
 moon::ipsec stop
 carol::ipsec stop
 dave::ipsec stop
-alice::/etc/init.d/radiusd stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+alice::killall radiusd
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/rw-eap-sim-only-radius/pretest.dat b/testing/tests/ikev2/rw-eap-sim-only-radius/pretest.dat
index 5a51733dc..0b3e901c2 100644
--- a/testing/tests/ikev2/rw-eap-sim-only-radius/pretest.dat
+++ b/testing/tests/ikev2/rw-eap-sim-only-radius/pretest.dat
@@ -1,11 +1,11 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
 moon::rm /etc/ipsec.d/cacerts/*
 carol::rm /etc/ipsec.d/cacerts/*
 dave::rm /etc/ipsec.d/cacerts/*
-alice::cat /etc/raddb/triplets.dat
-alice::/etc/init.d/radiusd start
+alice::cat /etc/freeradius/triplets.dat
+alice::radiusd
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
diff --git a/testing/tests/ikev2/rw-eap-sim-only-radius/test.conf b/testing/tests/ikev2/rw-eap-sim-only-radius/test.conf
index bb6b68687..29bfaa78c 100644
--- a/testing/tests/ikev2/rw-eap-sim-only-radius/test.conf
+++ b/testing/tests/ikev2/rw-eap-sim-only-radius/test.conf
@@ -1,26 +1,26 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
 
-# UML instances on which FreeRadius is started
+# Guest instances on which FreeRadius is started
 #
 RADIUSHOSTS="alice"
 
diff --git a/testing/tests/ikev2/rw-eap-sim-radius/evaltest.dat b/testing/tests/ikev2/rw-eap-sim-radius/evaltest.dat
index 8e12c29d0..21cfe429a 100644
--- a/testing/tests/ikev2/rw-eap-sim-radius/evaltest.dat
+++ b/testing/tests/ikev2/rw-eap-sim-radius/evaltest.dat
@@ -4,7 +4,7 @@ carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP
 moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
 moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
 carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
 moon:: cat /var/log/daemon.log::RADIUS authentication of 'dave@strongswan.org' failed::YES
@@ -12,4 +12,4 @@ moon:: cat /var/log/daemon.log::EAP method EAP_SIM failed for peer dave@strongsw
 moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::NO
 dave:: cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES
 dave:: ipsec status 2> /dev/null::home.*ESTABLISHED::NO
-dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::NO
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::NO
diff --git a/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/freeradius/eap.conf b/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/freeradius/eap.conf
new file mode 100644
index 000000000..7d8023951
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/freeradius/eap.conf
@@ -0,0 +1,5 @@
+eap {
+  default_eap_type = sim
+  sim {
+  }
+}
diff --git a/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/freeradius/proxy.conf b/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/freeradius/proxy.conf
new file mode 100644
index 000000000..23cba8d11
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/freeradius/proxy.conf
@@ -0,0 +1,5 @@
+realm strongswan.org {
+  type     = radius
+  authhost = LOCAL
+  accthost = LOCAL
+}
diff --git a/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/freeradius/sites-available/default b/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/freeradius/sites-available/default
new file mode 100644
index 000000000..91425f812
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/freeradius/sites-available/default
@@ -0,0 +1,61 @@
+authorize {
+  preprocess
+  chap
+  mschap
+  sim_files
+  suffix
+  eap {
+    ok = return
+  }
+  unix
+  files
+  expiration
+  logintime
+  pap
+}
+
+authenticate {
+  Auth-Type PAP {
+    pap
+  }
+  Auth-Type CHAP {
+    chap
+  }
+  Auth-Type MS-CHAP {
+    mschap
+  }
+  unix
+  eap
+}
+
+preacct {
+  preprocess
+  acct_unique
+  suffix
+  files
+}
+
+accounting {
+  detail
+  unix
+  radutmp
+  attr_filter.accounting_response
+}
+
+session {
+  radutmp
+}
+
+post-auth {
+  exec
+  Post-Auth-Type REJECT {
+    attr_filter.access_reject
+  }
+}
+
+pre-proxy {
+}
+
+post-proxy {
+  eap
+}
diff --git a/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/freeradius/triplets.dat b/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/freeradius/triplets.dat
new file mode 100644
index 000000000..3e9a644eb
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/freeradius/triplets.dat
@@ -0,0 +1,6 @@
+carol@strongswan.org,30000000000000000000000000000000,30112233,305566778899AABB
+carol@strongswan.org,31000000000000000000000000000000,31112233,315566778899AABB
+carol@strongswan.org,32000000000000000000000000000000,32112233,325566778899AABB
+dave@strongswan.org,33000000000000000000000000000000,33112233,335566778899AABB
+dave@strongswan.org,34000000000000000000000000000000,34112233,345566778899AABB
+dave@strongswan.org,35000000000000000000000000000000,35112233,355566778899AABB
diff --git a/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/freeradius/users b/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/freeradius/users
new file mode 100644
index 000000000..e69de29bb
diff --git a/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/raddb/clients.conf b/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/raddb/clients.conf
deleted file mode 100644
index f4e179aa4..000000000
--- a/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/raddb/clients.conf
+++ /dev/null
@@ -1,4 +0,0 @@
-client PH_IP_MOON1 {
-  secret    = gv6URkSs 
-  shortname = moon
-}
diff --git a/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/raddb/eap.conf b/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/raddb/eap.conf
deleted file mode 100644
index a2020424e..000000000
--- a/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/raddb/eap.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-eap {
-  default_eap_type = sim 
-  sim {
-  }
-}
diff --git a/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/raddb/proxy.conf b/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/raddb/proxy.conf
deleted file mode 100644
index 23cba8d11..000000000
--- a/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/raddb/proxy.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-realm strongswan.org {
-  type     = radius
-  authhost = LOCAL
-  accthost = LOCAL
-}
diff --git a/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/raddb/radiusd.conf b/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/raddb/radiusd.conf
deleted file mode 100644
index d77b818fe..000000000
--- a/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/raddb/radiusd.conf
+++ /dev/null
@@ -1,123 +0,0 @@
-# radiusd.conf	-- FreeRADIUS server configuration file.
-
-prefix = /usr
-exec_prefix = ${prefix}
-sysconfdir = /etc
-localstatedir = /var
-sbindir = ${exec_prefix}/sbin
-logdir = ${localstatedir}/log/radius
-raddbdir = ${sysconfdir}/raddb
-radacctdir = ${logdir}/radacct
-
-#  name of the running server.  See also the "-n" command-line option.
-name = radiusd
-
-#  Location of config and logfiles.
-confdir = ${raddbdir}
-run_dir = ${localstatedir}/run/radiusd
-
-# Should likely be ${localstatedir}/lib/radiusd
-db_dir = ${raddbdir}
-
-# libdir: Where to find the rlm_* modules.
-libdir = ${exec_prefix}/lib
-
-#  pidfile: Where to place the PID of the RADIUS server.
-pidfile = ${run_dir}/${name}.pid
-
-#  max_request_time: The maximum time (in seconds) to handle a request.
-max_request_time = 30
-
-#  cleanup_delay: The time to wait (in seconds) before cleaning up
-cleanup_delay = 5
-
-#  max_requests: The maximum number of requests which the server keeps
-max_requests = 1024
-
-#  listen: Make the server listen on a particular IP address, and send
-listen {
-  type = auth
-  ipaddr = PH_IP_ALICE 
-  port = 0
-}
-
-#  This second "listen" section is for listening on the accounting
-#  port, too.
-#
-listen {
-  type  = acct
-  ipaddr = PH_IP_ALICE 
-  port = 0
-}
-
-#  hostname_lookups: Log the names of clients or just their IP addresses
-hostname_lookups = no
-
-#  Core dumps are a bad thing.  This should only be set to 'yes'
-allow_core_dumps = no
-
-#  Regular expressions
-regular_expressions = yes
-extended_expressions = yes
-
-#  Logging section.  The various "log_*" configuration items
-log {
-  destination = files
-  file = ${logdir}/radius.log
-  syslog_facility = daemon
-  stripped_names = no
-  auth = yes 
-  auth_badpass = yes 
-  auth_goodpass = yes 
-}
-
-#  The program to execute to do concurrency checks.
-checkrad = ${sbindir}/checkrad
-
-#  Security considerations
-security {
-  max_attributes = 200
-  reject_delay = 1
-  status_server = yes
-}
-
-# PROXY CONFIGURATION
-proxy_requests = yes
-$INCLUDE proxy.conf
-
-# CLIENTS CONFIGURATION
-$INCLUDE clients.conf
-
-# THREAD POOL CONFIGURATION
-thread pool {
-  start_servers = 5
-  max_servers = 32
-  min_spare_servers = 3
-  max_spare_servers = 10
-  max_requests_per_server = 0
-}
-
-# MODULE CONFIGURATION
-modules {
-  $INCLUDE ${confdir}/modules/
-  $INCLUDE eap.conf
-  $INCLUDE sql.conf
-  $INCLUDE sql/mysql/counter.conf
-  sim_files {
-    simtriplets = "/etc/raddb/triplets.dat"
-  }
-}
-
-# Instantiation
-instantiate {
-  exec
-  expr
-  expiration
-  logintime
-}
-
-# Policies
-$INCLUDE policy.conf
-
-# Include all enabled virtual hosts
-$INCLUDE sites-enabled/
diff --git a/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/raddb/sites-available/default b/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/raddb/sites-available/default
deleted file mode 100644
index dfceb037d..000000000
--- a/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/raddb/sites-available/default
+++ /dev/null
@@ -1,62 +0,0 @@
-authorize {
-  preprocess
-  chap
-  mschap
-  sim_files
-  suffix
-  eap {
-    ok = return
-  }
-  unix
-  files
-  expiration
-  logintime
-  pap
-}
-
-authenticate {
-  Auth-Type PAP {
-    pap
-  }
-  Auth-Type CHAP {
-    chap
-  }
-  Auth-Type MS-CHAP {
-    mschap
-  }
-  unix
-  eap
-}
-
-preacct {
-  preprocess
-  acct_unique
-  suffix
-  files
-}
-
-accounting {
-  detail
-  unix
-  radutmp
-  attr_filter.accounting_response
-}
-
-session {
-  radutmp
-}
-
-post-auth {
-  exec
-  Post-Auth-Type REJECT {
-    attr_filter.access_reject
-  }
-}
-
-pre-proxy {
-}
-
-post-proxy {
-  eap
-}
-
diff --git a/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/raddb/triplets.dat b/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/raddb/triplets.dat
deleted file mode 100644
index fd0eb19b9..000000000
--- a/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/raddb/triplets.dat
+++ /dev/null
@@ -1,7 +0,0 @@
-carol@strongswan.org,30000000000000000000000000000000,30112233,305566778899AABB
-carol@strongswan.org,31000000000000000000000000000000,31112233,315566778899AABB
-carol@strongswan.org,32000000000000000000000000000000,32112233,325566778899AABB
-dave@strongswan.org,33000000000000000000000000000000,33112233,335566778899AABB
-dave@strongswan.org,34000000000000000000000000000000,34112233,345566778899AABB
-dave@strongswan.org,35000000000000000000000000000000,35112233,355566778899AABB
-
diff --git a/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/raddb/users b/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/raddb/users
deleted file mode 100644
index e69de29bb..000000000
diff --git a/testing/tests/ikev2/rw-eap-sim-radius/hosts/moon/etc/init.d/iptables b/testing/tests/ikev2/rw-eap-sim-radius/hosts/moon/etc/init.d/iptables
deleted file mode 100755
index 56587b2e8..000000000
--- a/testing/tests/ikev2/rw-eap-sim-radius/hosts/moon/etc/init.d/iptables
+++ /dev/null
@@ -1,84 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# enable IP forwarding
-	echo 1 > /proc/sys/net/ipv4/ip_forward
-	
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	# allow esp
-	iptables -A INPUT  -i eth0 -p 50 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-	# allow IKE
-	iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
-	# allow MobIKE
-	iptables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-	# allow crl fetch from winnetou
-	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
-	# allow RADIUS protocol with alice
-	iptables -A INPUT  -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT
-	iptables -A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/ikev2/rw-eap-sim-radius/hosts/moon/etc/iptables.rules b/testing/tests/ikev2/rw-eap-sim-radius/hosts/moon/etc/iptables.rules
new file mode 100644
index 000000000..1eb755354
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-sim-radius/hosts/moon/etc/iptables.rules
@@ -0,0 +1,32 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow esp
+-A INPUT  -i eth0 -p 50 -j ACCEPT
+-A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+# allow IKE
+-A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT  -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+# allow RADIUS protocol with alice
+-A INPUT  -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT
+-A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/ikev2/rw-eap-sim-radius/posttest.dat b/testing/tests/ikev2/rw-eap-sim-radius/posttest.dat
index dbe56013a..670d2e72f 100644
--- a/testing/tests/ikev2/rw-eap-sim-radius/posttest.dat
+++ b/testing/tests/ikev2/rw-eap-sim-radius/posttest.dat
@@ -1,7 +1,7 @@
 moon::ipsec stop
 carol::ipsec stop
 dave::ipsec stop
-alice::/etc/init.d/radiusd stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+alice::killall radiusd
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/rw-eap-sim-radius/pretest.dat b/testing/tests/ikev2/rw-eap-sim-radius/pretest.dat
index b3fd4cbf1..c17bec0f7 100644
--- a/testing/tests/ikev2/rw-eap-sim-radius/pretest.dat
+++ b/testing/tests/ikev2/rw-eap-sim-radius/pretest.dat
@@ -1,11 +1,11 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
-alice::cat /etc/raddb/clients.conf
-alice::cat /etc/raddb/eap.conf
-alice::cat /etc/raddb/proxy.conf
-alice::cat /etc/raddb/triplets.dat
-alice::/etc/init.d/radiusd start
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
+alice::cat /etc/freeradius/clients.conf
+alice::cat /etc/freeradius/eap.conf
+alice::cat /etc/freeradius/proxy.conf
+alice::cat /etc/freeradius/triplets.dat
+alice::radiusd
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
diff --git a/testing/tests/ikev2/rw-eap-sim-radius/test.conf b/testing/tests/ikev2/rw-eap-sim-radius/test.conf
index 70416826e..f29298850 100644
--- a/testing/tests/ikev2/rw-eap-sim-radius/test.conf
+++ b/testing/tests/ikev2/rw-eap-sim-radius/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev2/rw-eap-sim-rsa/evaltest.dat b/testing/tests/ikev2/rw-eap-sim-rsa/evaltest.dat
index ade9306cf..ab27b4510 100644
--- a/testing/tests/ikev2/rw-eap-sim-rsa/evaltest.dat
+++ b/testing/tests/ikev2/rw-eap-sim-rsa/evaltest.dat
@@ -5,6 +5,6 @@ moon:: ipsec status 2> /dev/null::rw-eap-sim.*ESTABLISHED.*moon.strongswan.org.*
 carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
 moon:: ipsec status 2> /dev/null::rw-eap-sim.*INSTALLED, TUNNEL::YES
 carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-carol:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/rw-eap-sim-rsa/posttest.dat b/testing/tests/ikev2/rw-eap-sim-rsa/posttest.dat
index 94a400606..046d4cfdc 100644
--- a/testing/tests/ikev2/rw-eap-sim-rsa/posttest.dat
+++ b/testing/tests/ikev2/rw-eap-sim-rsa/posttest.dat
@@ -1,4 +1,4 @@
 moon::ipsec stop
 carol::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/rw-eap-sim-rsa/pretest.dat b/testing/tests/ikev2/rw-eap-sim-rsa/pretest.dat
index 23c7a62b2..ae464b51c 100644
--- a/testing/tests/ikev2/rw-eap-sim-rsa/pretest.dat
+++ b/testing/tests/ikev2/rw-eap-sim-rsa/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
 moon::cat /etc/ipsec.d/triplets.dat
 carol::cat /etc/ipsec.d/triplets.dat
 moon::ipsec start
diff --git a/testing/tests/ikev2/rw-eap-sim-rsa/test.conf b/testing/tests/ikev2/rw-eap-sim-rsa/test.conf
index 2bd21499b..e093d43d8 100644
--- a/testing/tests/ikev2/rw-eap-sim-rsa/test.conf
+++ b/testing/tests/ikev2/rw-eap-sim-rsa/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice carol moon"
+VIRTHOSTS="alice carol moon"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/rw-eap-tls-fragments/evaltest.dat b/testing/tests/ikev2/rw-eap-tls-fragments/evaltest.dat
index 4db0a30b4..314769b3e 100644
--- a/testing/tests/ikev2/rw-eap-tls-fragments/evaltest.dat
+++ b/testing/tests/ikev2/rw-eap-tls-fragments/evaltest.dat
@@ -4,6 +4,6 @@ carol::cat /var/log/daemon.log::authentication of 'C=CH, O=strongSwan Project, C
 moon:: cat /var/log/daemon.log::authentication of 'C=CH, O=strongSwan Project, CN=carol@d.strongswan.org' with EAP successful::YES
 moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED::YES
 carol::ipsec status 2> /dev/null::home.*ESTABLISHED::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/rw-eap-tls-fragments/posttest.dat b/testing/tests/ikev2/rw-eap-tls-fragments/posttest.dat
index 085b19509..e8156ea70 100644
--- a/testing/tests/ikev2/rw-eap-tls-fragments/posttest.dat
+++ b/testing/tests/ikev2/rw-eap-tls-fragments/posttest.dat
@@ -1,7 +1,7 @@
 moon::ipsec stop
 carol::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
 moon::rm /etc/ipsec.d/cacerts/*
 moon::rm /etc/ipsec.d/certs/*
 moon::rm /etc/ipsec.d/private/*
diff --git a/testing/tests/ikev2/rw-eap-tls-fragments/pretest.dat b/testing/tests/ikev2/rw-eap-tls-fragments/pretest.dat
index 35d35dc86..3d680ab78 100644
--- a/testing/tests/ikev2/rw-eap-tls-fragments/pretest.dat
+++ b/testing/tests/ikev2/rw-eap-tls-fragments/pretest.dat
@@ -1,7 +1,7 @@
 moon::rm /etc/ipsec.d/cacerts/strongswanCert.pem
 carol::rm /etc/ipsec.d/cacerts/strongswanCert.pem
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 carol::sleep 1
diff --git a/testing/tests/ikev2/rw-eap-tls-fragments/test.conf b/testing/tests/ikev2/rw-eap-tls-fragments/test.conf
index 2bd21499b..e093d43d8 100644
--- a/testing/tests/ikev2/rw-eap-tls-fragments/test.conf
+++ b/testing/tests/ikev2/rw-eap-tls-fragments/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice carol moon"
+VIRTHOSTS="alice carol moon"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/rw-eap-tls-only/evaltest.dat b/testing/tests/ikev2/rw-eap-tls-only/evaltest.dat
index 96417face..a436131bf 100644
--- a/testing/tests/ikev2/rw-eap-tls-only/evaltest.dat
+++ b/testing/tests/ikev2/rw-eap-tls-only/evaltest.dat
@@ -4,6 +4,6 @@ carol::cat /var/log/daemon.log::authentication of 'C=CH, O=Linux strongSwan, CN=
 moon:: cat /var/log/daemon.log::authentication of 'C=CH, O=Linux strongSwan, OU=Research, CN=carol@strongswan.org' with EAP successful::YES
 moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED::YES
 carol::ipsec status 2> /dev/null::home.*ESTABLISHED::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/rw-eap-tls-only/posttest.dat b/testing/tests/ikev2/rw-eap-tls-only/posttest.dat
index 94a400606..046d4cfdc 100644
--- a/testing/tests/ikev2/rw-eap-tls-only/posttest.dat
+++ b/testing/tests/ikev2/rw-eap-tls-only/posttest.dat
@@ -1,4 +1,4 @@
 moon::ipsec stop
 carol::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/rw-eap-tls-only/pretest.dat b/testing/tests/ikev2/rw-eap-tls-only/pretest.dat
index ed5498bfe..388339fb8 100644
--- a/testing/tests/ikev2/rw-eap-tls-only/pretest.dat
+++ b/testing/tests/ikev2/rw-eap-tls-only/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 carol::sleep 1
diff --git a/testing/tests/ikev2/rw-eap-tls-only/test.conf b/testing/tests/ikev2/rw-eap-tls-only/test.conf
index 9cd583b16..4a5fc470f 100644
--- a/testing/tests/ikev2/rw-eap-tls-only/test.conf
+++ b/testing/tests/ikev2/rw-eap-tls-only/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou"
+VIRTHOSTS="alice moon carol winnetou"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/rw-eap-tls-radius/evaltest.dat b/testing/tests/ikev2/rw-eap-tls-radius/evaltest.dat
index 21190669e..7584e14dc 100644
--- a/testing/tests/ikev2/rw-eap-tls-radius/evaltest.dat
+++ b/testing/tests/ikev2/rw-eap-tls-radius/evaltest.dat
@@ -4,6 +4,6 @@ carol::cat /var/log/daemon.log::authentication of 'C=CH, O=Linux strongSwan, CN=
 moon:: cat /var/log/daemon.log::authentication of 'C=CH, O=Linux strongSwan, OU=Research, CN=carol@strongswan.org' with EAP successful::YES
 moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED::YES
 carol::ipsec status 2> /dev/null::home.*ESTABLISHED::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/freeradius/eap.conf b/testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/freeradius/eap.conf
new file mode 100644
index 000000000..92f96ad66
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/freeradius/eap.conf
@@ -0,0 +1,13 @@
+eap {
+  default_eap_type = tls
+  tls {
+    certdir = /etc/raddb/certs
+    cadir = /etc/raddb/certs
+    private_key_file = /etc/raddb/certs/aaaKey.pem
+    certificate_file = /etc/raddb/certs/aaaCert.pem
+    CA_file = /etc/raddb/certs/strongswanCert.pem
+    cipher_list = "DEFAULT"
+    dh_file = /etc/raddb/certs/dh
+    random_file = /etc/raddb/certs/random
+  }
+}
diff --git a/testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/freeradius/proxy.conf b/testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/freeradius/proxy.conf
new file mode 100644
index 000000000..23cba8d11
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/freeradius/proxy.conf
@@ -0,0 +1,5 @@
+realm strongswan.org {
+  type     = radius
+  authhost = LOCAL
+  accthost = LOCAL
+}
diff --git a/testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/freeradius/sites-available/default b/testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/freeradius/sites-available/default
new file mode 100644
index 000000000..18ebf9e9d
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/freeradius/sites-available/default
@@ -0,0 +1,41 @@
+authorize {
+  eap {
+    ok = return
+  }
+}
+
+authenticate {
+  eap
+}
+
+preacct {
+  preprocess
+  acct_unique
+  suffix
+  files
+}
+
+accounting {
+  detail
+  unix
+  radutmp
+  attr_filter.accounting_response
+}
+
+session {
+  radutmp
+}
+
+post-auth {
+  exec
+  Post-Auth-Type REJECT {
+    attr_filter.access_reject
+  }
+}
+
+pre-proxy {
+}
+
+post-proxy {
+  eap
+}
diff --git a/testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/freeradius/users b/testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/freeradius/users
new file mode 100644
index 000000000..247b918e3
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/freeradius/users
@@ -0,0 +1 @@
+carol	Cleartext-Password := "Ar3etTnp"
diff --git a/testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/raddb/clients.conf b/testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/raddb/clients.conf
deleted file mode 100644
index f4e179aa4..000000000
--- a/testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/raddb/clients.conf
+++ /dev/null
@@ -1,4 +0,0 @@
-client PH_IP_MOON1 {
-  secret    = gv6URkSs 
-  shortname = moon
-}
diff --git a/testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/raddb/eap.conf b/testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/raddb/eap.conf
deleted file mode 100644
index 92f96ad66..000000000
--- a/testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/raddb/eap.conf
+++ /dev/null
@@ -1,13 +0,0 @@
-eap {
-  default_eap_type = tls
-  tls {
-    certdir = /etc/raddb/certs
-    cadir = /etc/raddb/certs
-    private_key_file = /etc/raddb/certs/aaaKey.pem
-    certificate_file = /etc/raddb/certs/aaaCert.pem
-    CA_file = /etc/raddb/certs/strongswanCert.pem
-    cipher_list = "DEFAULT"
-    dh_file = /etc/raddb/certs/dh
-    random_file = /etc/raddb/certs/random
-  }
-}
diff --git a/testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/raddb/proxy.conf b/testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/raddb/proxy.conf
deleted file mode 100644
index 23cba8d11..000000000
--- a/testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/raddb/proxy.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-realm strongswan.org {
-  type     = radius
-  authhost = LOCAL
-  accthost = LOCAL
-}
diff --git a/testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/raddb/radiusd.conf b/testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/raddb/radiusd.conf
deleted file mode 100644
index 1143a0473..000000000
--- a/testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/raddb/radiusd.conf
+++ /dev/null
@@ -1,120 +0,0 @@
-# radiusd.conf	-- FreeRADIUS server configuration file.
-
-prefix = /usr
-exec_prefix = ${prefix}
-sysconfdir = /etc
-localstatedir = /var
-sbindir = ${exec_prefix}/sbin
-logdir = ${localstatedir}/log/radius
-raddbdir = ${sysconfdir}/raddb
-radacctdir = ${logdir}/radacct
-
-#  name of the running server.  See also the "-n" command-line option.
-name = radiusd
-
-#  Location of config and logfiles.
-confdir = ${raddbdir}
-run_dir = ${localstatedir}/run/radiusd
-
-# Should likely be ${localstatedir}/lib/radiusd
-db_dir = ${raddbdir}
-
-# libdir: Where to find the rlm_* modules.
-libdir = ${exec_prefix}/lib
-
-#  pidfile: Where to place the PID of the RADIUS server.
-pidfile = ${run_dir}/${name}.pid
-
-#  max_request_time: The maximum time (in seconds) to handle a request.
-max_request_time = 30
-
-#  cleanup_delay: The time to wait (in seconds) before cleaning up
-cleanup_delay = 5
-
-#  max_requests: The maximum number of requests which the server keeps
-max_requests = 1024
-
-#  listen: Make the server listen on a particular IP address, and send
-listen {
-  type = auth
-  ipaddr = PH_IP_ALICE 
-  port = 0
-}
-
-#  This second "listen" section is for listening on the accounting
-#  port, too.
-#
-listen {
-  type  = acct
-  ipaddr = PH_IP_ALICE 
-  port = 0
-}
-
-#  hostname_lookups: Log the names of clients or just their IP addresses
-hostname_lookups = no
-
-#  Core dumps are a bad thing.  This should only be set to 'yes'
-allow_core_dumps = no
-
-#  Regular expressions
-regular_expressions = yes
-extended_expressions = yes
-
-#  Logging section.  The various "log_*" configuration items
-log {
-  destination = files
-  file = ${logdir}/radius.log
-  syslog_facility = daemon
-  stripped_names = no
-  auth = yes 
-  auth_badpass = yes 
-  auth_goodpass = yes 
-}
-
-#  The program to execute to do concurrency checks.
-checkrad = ${sbindir}/checkrad
-
-#  Security considerations
-security {
-  max_attributes = 200
-  reject_delay = 1
-  status_server = yes
-}
-
-# PROXY CONFIGURATION
-proxy_requests = yes
-$INCLUDE proxy.conf
-
-# CLIENTS CONFIGURATION
-$INCLUDE clients.conf
-
-# THREAD POOL CONFIGURATION
-thread pool {
-  start_servers = 5
-  max_servers = 32
-  min_spare_servers = 3
-  max_spare_servers = 10
-  max_requests_per_server = 0
-}
-
-# MODULE CONFIGURATION
-modules {
-  $INCLUDE ${confdir}/modules/
-  $INCLUDE eap.conf
-  $INCLUDE sql.conf
-  $INCLUDE sql/mysql/counter.conf
-}
-
-# Instantiation
-instantiate {
-  exec
-  expr
-  expiration
-  logintime
-}
-
-# Policies
-$INCLUDE policy.conf
-
-# Include all enabled virtual hosts
-$INCLUDE sites-enabled/
diff --git a/testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/raddb/sites-available/default b/testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/raddb/sites-available/default
deleted file mode 100644
index 990184919..000000000
--- a/testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/raddb/sites-available/default
+++ /dev/null
@@ -1,42 +0,0 @@
-authorize {
-  eap {
-    ok = return
-  }
-}
-
-authenticate {
-  eap
-}
-
-preacct {
-  preprocess
-  acct_unique
-  suffix
-  files
-}
-
-accounting {
-  detail
-  unix
-  radutmp
-  attr_filter.accounting_response
-}
-
-session {
-  radutmp
-}
-
-post-auth {
-  exec
-  Post-Auth-Type REJECT {
-    attr_filter.access_reject
-  }
-}
-
-pre-proxy {
-}
-
-post-proxy {
-  eap
-}
-
diff --git a/testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/raddb/users b/testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/raddb/users
deleted file mode 100644
index 247b918e3..000000000
--- a/testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/raddb/users
+++ /dev/null
@@ -1 +0,0 @@
-carol	Cleartext-Password := "Ar3etTnp"
diff --git a/testing/tests/ikev2/rw-eap-tls-radius/hosts/moon/etc/init.d/iptables b/testing/tests/ikev2/rw-eap-tls-radius/hosts/moon/etc/init.d/iptables
deleted file mode 100755
index 56587b2e8..000000000
--- a/testing/tests/ikev2/rw-eap-tls-radius/hosts/moon/etc/init.d/iptables
+++ /dev/null
@@ -1,84 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# enable IP forwarding
-	echo 1 > /proc/sys/net/ipv4/ip_forward
-	
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	# allow esp
-	iptables -A INPUT  -i eth0 -p 50 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-	# allow IKE
-	iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
-	# allow MobIKE
-	iptables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-	# allow crl fetch from winnetou
-	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
-	# allow RADIUS protocol with alice
-	iptables -A INPUT  -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT
-	iptables -A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/ikev2/rw-eap-tls-radius/hosts/moon/etc/iptables.rules b/testing/tests/ikev2/rw-eap-tls-radius/hosts/moon/etc/iptables.rules
new file mode 100644
index 000000000..1eb755354
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tls-radius/hosts/moon/etc/iptables.rules
@@ -0,0 +1,32 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow esp
+-A INPUT  -i eth0 -p 50 -j ACCEPT
+-A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+# allow IKE
+-A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT  -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+# allow RADIUS protocol with alice
+-A INPUT  -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT
+-A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/ikev2/rw-eap-tls-radius/posttest.dat b/testing/tests/ikev2/rw-eap-tls-radius/posttest.dat
index 920d6a20d..181949fb5 100644
--- a/testing/tests/ikev2/rw-eap-tls-radius/posttest.dat
+++ b/testing/tests/ikev2/rw-eap-tls-radius/posttest.dat
@@ -1,5 +1,5 @@
 moon::ipsec stop
 carol::ipsec stop
-alice::/etc/init.d/radiusd stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
+alice::killall radiusd
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/rw-eap-tls-radius/pretest.dat b/testing/tests/ikev2/rw-eap-tls-radius/pretest.dat
index 280d62e3c..9adc43d3e 100644
--- a/testing/tests/ikev2/rw-eap-tls-radius/pretest.dat
+++ b/testing/tests/ikev2/rw-eap-tls-radius/pretest.dat
@@ -1,6 +1,6 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-alice::/etc/init.d/radiusd start 
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+alice::radiusd
 moon::ipsec start
 carol::ipsec start
 carol::sleep 1
diff --git a/testing/tests/ikev2/rw-eap-tls-radius/test.conf b/testing/tests/ikev2/rw-eap-tls-radius/test.conf
index e0d77b583..eb1e15dd2 100644
--- a/testing/tests/ikev2/rw-eap-tls-radius/test.conf
+++ b/testing/tests/ikev2/rw-eap-tls-radius/test.conf
@@ -1,26 +1,26 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice carol moon"
+VIRTHOSTS="alice carol moon"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
 
-# UML instances on which FreeRadius is started
+# Guest instances on which FreeRadius is started
 #
 RADIUSHOSTS="alice"
 
diff --git a/testing/tests/ikev2/rw-eap-ttls-only/evaltest.dat b/testing/tests/ikev2/rw-eap-ttls-only/evaltest.dat
index 941bb2985..d22dd18db 100644
--- a/testing/tests/ikev2/rw-eap-ttls-only/evaltest.dat
+++ b/testing/tests/ikev2/rw-eap-ttls-only/evaltest.dat
@@ -14,6 +14,6 @@ moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED.*carol@strongswan.org::YES
 moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED.*dave@stronswan.org::NO
 carol::ipsec status 2> /dev/null::home.*ESTABLISHED::YES
 dave:: ipsec status 2> /dev/null::home.*ESTABLISHED::NO
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/rw-eap-ttls-only/posttest.dat b/testing/tests/ikev2/rw-eap-ttls-only/posttest.dat
index 7cebd7f25..1865a1c60 100644
--- a/testing/tests/ikev2/rw-eap-ttls-only/posttest.dat
+++ b/testing/tests/ikev2/rw-eap-ttls-only/posttest.dat
@@ -1,6 +1,6 @@
 moon::ipsec stop
 carol::ipsec stop
 dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/rw-eap-ttls-only/pretest.dat b/testing/tests/ikev2/rw-eap-ttls-only/pretest.dat
index 369596177..589d478e7 100644
--- a/testing/tests/ikev2/rw-eap-ttls-only/pretest.dat
+++ b/testing/tests/ikev2/rw-eap-ttls-only/pretest.dat
@@ -1,10 +1,10 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
-carol::sleep 1
+carol::sleep 2
 carol::ipsec up home
 dave::ipsec up home
-dave::sleep 1
+dave::sleep 2
diff --git a/testing/tests/ikev2/rw-eap-ttls-only/test.conf b/testing/tests/ikev2/rw-eap-ttls-only/test.conf
index 70416826e..f29298850 100644
--- a/testing/tests/ikev2/rw-eap-ttls-only/test.conf
+++ b/testing/tests/ikev2/rw-eap-ttls-only/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/evaltest.dat b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/evaltest.dat
index 941bb2985..d22dd18db 100644
--- a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/evaltest.dat
+++ b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/evaltest.dat
@@ -14,6 +14,6 @@ moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED.*carol@strongswan.org::YES
 moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED.*dave@stronswan.org::NO
 carol::ipsec status 2> /dev/null::home.*ESTABLISHED::YES
 dave:: ipsec status 2> /dev/null::home.*ESTABLISHED::NO
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/posttest.dat b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/posttest.dat
index 7cebd7f25..1865a1c60 100644
--- a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/posttest.dat
+++ b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/posttest.dat
@@ -1,6 +1,6 @@
 moon::ipsec stop
 carol::ipsec stop
 dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/pretest.dat b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/pretest.dat
index 369596177..17f1b5f2b 100644
--- a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/pretest.dat
+++ b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/pretest.dat
@@ -1,6 +1,6 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
diff --git a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/test.conf b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/test.conf
index 70416826e..f29298850 100644
--- a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/test.conf
+++ b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev2/rw-eap-ttls-radius/evaltest.dat b/testing/tests/ikev2/rw-eap-ttls-radius/evaltest.dat
index ff08ae792..a471a2cfa 100644
--- a/testing/tests/ikev2/rw-eap-ttls-radius/evaltest.dat
+++ b/testing/tests/ikev2/rw-eap-ttls-radius/evaltest.dat
@@ -14,7 +14,7 @@ moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED.*carol@strongswan.org::YES
 moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED.*dave@strongswan.org::NO
 carol::ipsec status 2> /dev/null::home.*ESTABLISHED::YES
 dave:: ipsec status 2> /dev/null::home.*ESTABLISHED::NO
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
 
diff --git a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/freeradius/eap.conf b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/freeradius/eap.conf
new file mode 100644
index 000000000..c91cd40fb
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/freeradius/eap.conf
@@ -0,0 +1,18 @@
+eap {
+  md5 {
+  }
+  default_eap_type = ttls
+  tls {
+    private_key_file = /etc/raddb/certs/aaaKey.pem
+    certificate_file = /etc/raddb/certs/aaaCert.pem
+    CA_file = /etc/raddb/certs/strongswanCert.pem
+    cipher_list = "DEFAULT"
+    dh_file = /etc/raddb/certs/dh
+    random_file = /etc/raddb/certs/random
+  }
+  ttls {
+    default_eap_type = md5
+    use_tunneled_reply = yes
+    virtual_server = "inner-tunnel"
+  }
+}
diff --git a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/freeradius/proxy.conf b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/freeradius/proxy.conf
new file mode 100644
index 000000000..23cba8d11
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/freeradius/proxy.conf
@@ -0,0 +1,5 @@
+realm strongswan.org {
+  type     = radius
+  authhost = LOCAL
+  accthost = LOCAL
+}
diff --git a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/freeradius/sites-available/default b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/freeradius/sites-available/default
new file mode 100644
index 000000000..dd0825858
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/freeradius/sites-available/default
@@ -0,0 +1,43 @@
+authorize {
+  suffix
+  eap {
+    ok = return
+  }
+  files
+}
+
+authenticate {
+  eap
+}
+
+preacct {
+  preprocess
+  acct_unique
+  suffix
+  files
+}
+
+accounting {
+  detail
+  unix
+  radutmp
+  attr_filter.accounting_response
+}
+
+session {
+  radutmp
+}
+
+post-auth {
+  exec
+  Post-Auth-Type REJECT {
+    attr_filter.access_reject
+  }
+}
+
+pre-proxy {
+}
+
+post-proxy {
+  eap
+}
diff --git a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/freeradius/sites-available/inner-tunnel b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/freeradius/sites-available/inner-tunnel
new file mode 100644
index 000000000..e088fae14
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/freeradius/sites-available/inner-tunnel
@@ -0,0 +1,32 @@
+server inner-tunnel {
+
+authorize {
+	suffix
+	eap {
+		ok = return
+	}
+	files
+}
+
+authenticate {
+	eap
+}
+
+session {
+	radutmp
+}
+
+post-auth {
+	Post-Auth-Type REJECT {
+		attr_filter.access_reject
+	}
+}
+
+pre-proxy {
+}
+
+post-proxy {
+	eap
+}
+
+} # inner-tunnel server block
diff --git a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/freeradius/users b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/freeradius/users
new file mode 100644
index 000000000..50ccf3e76
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/freeradius/users
@@ -0,0 +1,2 @@
+carol	Cleartext-Password := "Ar3etTnp"
+dave	Cleartext-Password := "W7R0g3do"
diff --git a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/raddb/clients.conf b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/raddb/clients.conf
deleted file mode 100644
index f4e179aa4..000000000
--- a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/raddb/clients.conf
+++ /dev/null
@@ -1,4 +0,0 @@
-client PH_IP_MOON1 {
-  secret    = gv6URkSs 
-  shortname = moon
-}
diff --git a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/raddb/eap.conf b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/raddb/eap.conf
deleted file mode 100644
index c91cd40fb..000000000
--- a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/raddb/eap.conf
+++ /dev/null
@@ -1,18 +0,0 @@
-eap {
-  md5 {
-  }
-  default_eap_type = ttls
-  tls {
-    private_key_file = /etc/raddb/certs/aaaKey.pem
-    certificate_file = /etc/raddb/certs/aaaCert.pem
-    CA_file = /etc/raddb/certs/strongswanCert.pem
-    cipher_list = "DEFAULT"
-    dh_file = /etc/raddb/certs/dh
-    random_file = /etc/raddb/certs/random
-  }
-  ttls {
-    default_eap_type = md5
-    use_tunneled_reply = yes
-    virtual_server = "inner-tunnel"
-  }
-}
diff --git a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/raddb/proxy.conf b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/raddb/proxy.conf
deleted file mode 100644
index 23cba8d11..000000000
--- a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/raddb/proxy.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-realm strongswan.org {
-  type     = radius
-  authhost = LOCAL
-  accthost = LOCAL
-}
diff --git a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/raddb/radiusd.conf b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/raddb/radiusd.conf
deleted file mode 100644
index 1143a0473..000000000
--- a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/raddb/radiusd.conf
+++ /dev/null
@@ -1,120 +0,0 @@
-# radiusd.conf	-- FreeRADIUS server configuration file.
-
-prefix = /usr
-exec_prefix = ${prefix}
-sysconfdir = /etc
-localstatedir = /var
-sbindir = ${exec_prefix}/sbin
-logdir = ${localstatedir}/log/radius
-raddbdir = ${sysconfdir}/raddb
-radacctdir = ${logdir}/radacct
-
-#  name of the running server.  See also the "-n" command-line option.
-name = radiusd
-
-#  Location of config and logfiles.
-confdir = ${raddbdir}
-run_dir = ${localstatedir}/run/radiusd
-
-# Should likely be ${localstatedir}/lib/radiusd
-db_dir = ${raddbdir}
-
-# libdir: Where to find the rlm_* modules.
-libdir = ${exec_prefix}/lib
-
-#  pidfile: Where to place the PID of the RADIUS server.
-pidfile = ${run_dir}/${name}.pid
-
-#  max_request_time: The maximum time (in seconds) to handle a request.
-max_request_time = 30
-
-#  cleanup_delay: The time to wait (in seconds) before cleaning up
-cleanup_delay = 5
-
-#  max_requests: The maximum number of requests which the server keeps
-max_requests = 1024
-
-#  listen: Make the server listen on a particular IP address, and send
-listen {
-  type = auth
-  ipaddr = PH_IP_ALICE 
-  port = 0
-}
-
-#  This second "listen" section is for listening on the accounting
-#  port, too.
-#
-listen {
-  type  = acct
-  ipaddr = PH_IP_ALICE 
-  port = 0
-}
-
-#  hostname_lookups: Log the names of clients or just their IP addresses
-hostname_lookups = no
-
-#  Core dumps are a bad thing.  This should only be set to 'yes'
-allow_core_dumps = no
-
-#  Regular expressions
-regular_expressions = yes
-extended_expressions = yes
-
-#  Logging section.  The various "log_*" configuration items
-log {
-  destination = files
-  file = ${logdir}/radius.log
-  syslog_facility = daemon
-  stripped_names = no
-  auth = yes 
-  auth_badpass = yes 
-  auth_goodpass = yes 
-}
-
-#  The program to execute to do concurrency checks.
-checkrad = ${sbindir}/checkrad
-
-#  Security considerations
-security {
-  max_attributes = 200
-  reject_delay = 1
-  status_server = yes
-}
-
-# PROXY CONFIGURATION
-proxy_requests = yes
-$INCLUDE proxy.conf
-
-# CLIENTS CONFIGURATION
-$INCLUDE clients.conf
-
-# THREAD POOL CONFIGURATION
-thread pool {
-  start_servers = 5
-  max_servers = 32
-  min_spare_servers = 3
-  max_spare_servers = 10
-  max_requests_per_server = 0
-}
-
-# MODULE CONFIGURATION
-modules {
-  $INCLUDE ${confdir}/modules/
-  $INCLUDE eap.conf
-  $INCLUDE sql.conf
-  $INCLUDE sql/mysql/counter.conf
-}
-
-# Instantiation
-instantiate {
-  exec
-  expr
-  expiration
-  logintime
-}
-
-# Policies
-$INCLUDE policy.conf
-
-# Include all enabled virtual hosts
-$INCLUDE sites-enabled/
diff --git a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/raddb/sites-available/default b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/raddb/sites-available/default
deleted file mode 100644
index 802fcfd8d..000000000
--- a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/raddb/sites-available/default
+++ /dev/null
@@ -1,44 +0,0 @@
-authorize {
-  suffix
-  eap {
-    ok = return
-  }
-  files
-}
-
-authenticate {
-  eap
-}
-
-preacct {
-  preprocess
-  acct_unique
-  suffix
-  files
-}
-
-accounting {
-  detail
-  unix
-  radutmp
-  attr_filter.accounting_response
-}
-
-session {
-  radutmp
-}
-
-post-auth {
-  exec
-  Post-Auth-Type REJECT {
-    attr_filter.access_reject
-  }
-}
-
-pre-proxy {
-}
-
-post-proxy {
-  eap
-}
-
diff --git a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/raddb/sites-available/inner-tunnel b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/raddb/sites-available/inner-tunnel
deleted file mode 100644
index e088fae14..000000000
--- a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/raddb/sites-available/inner-tunnel
+++ /dev/null
@@ -1,32 +0,0 @@
-server inner-tunnel {
-
-authorize {
-	suffix
-	eap {
-		ok = return
-	}
-	files
-}
-
-authenticate {
-	eap
-}
-
-session {
-	radutmp
-}
-
-post-auth {
-	Post-Auth-Type REJECT {
-		attr_filter.access_reject
-	}
-}
-
-pre-proxy {
-}
-
-post-proxy {
-	eap
-}
-
-} # inner-tunnel server block
diff --git a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/raddb/users b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/raddb/users
deleted file mode 100644
index 50ccf3e76..000000000
--- a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/raddb/users
+++ /dev/null
@@ -1,2 +0,0 @@
-carol	Cleartext-Password := "Ar3etTnp"
-dave	Cleartext-Password := "W7R0g3do"
diff --git a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/moon/etc/init.d/iptables b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/moon/etc/init.d/iptables
deleted file mode 100755
index 56587b2e8..000000000
--- a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/moon/etc/init.d/iptables
+++ /dev/null
@@ -1,84 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# enable IP forwarding
-	echo 1 > /proc/sys/net/ipv4/ip_forward
-	
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	# allow esp
-	iptables -A INPUT  -i eth0 -p 50 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-	# allow IKE
-	iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
-	# allow MobIKE
-	iptables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-	# allow crl fetch from winnetou
-	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
-	# allow RADIUS protocol with alice
-	iptables -A INPUT  -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT
-	iptables -A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/moon/etc/iptables.rules b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/moon/etc/iptables.rules
new file mode 100644
index 000000000..1eb755354
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/moon/etc/iptables.rules
@@ -0,0 +1,32 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow esp
+-A INPUT  -i eth0 -p 50 -j ACCEPT
+-A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+# allow IKE
+-A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT  -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+# allow RADIUS protocol with alice
+-A INPUT  -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT
+-A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/ikev2/rw-eap-ttls-radius/posttest.dat b/testing/tests/ikev2/rw-eap-ttls-radius/posttest.dat
index dbe56013a..670d2e72f 100644
--- a/testing/tests/ikev2/rw-eap-ttls-radius/posttest.dat
+++ b/testing/tests/ikev2/rw-eap-ttls-radius/posttest.dat
@@ -1,7 +1,7 @@
 moon::ipsec stop
 carol::ipsec stop
 dave::ipsec stop
-alice::/etc/init.d/radiusd stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+alice::killall radiusd
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/rw-eap-ttls-radius/pretest.dat b/testing/tests/ikev2/rw-eap-ttls-radius/pretest.dat
index cbe1ae229..3e7fc0bb1 100644
--- a/testing/tests/ikev2/rw-eap-ttls-radius/pretest.dat
+++ b/testing/tests/ikev2/rw-eap-ttls-radius/pretest.dat
@@ -1,7 +1,7 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
-alice::/etc/init.d/radiusd start 
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
+alice::radiusd
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
diff --git a/testing/tests/ikev2/rw-eap-ttls-radius/test.conf b/testing/tests/ikev2/rw-eap-ttls-radius/test.conf
index e6a786a94..20d586309 100644
--- a/testing/tests/ikev2/rw-eap-ttls-radius/test.conf
+++ b/testing/tests/ikev2/rw-eap-ttls-radius/test.conf
@@ -1,26 +1,26 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice carol winnetou dave moon"
+VIRTHOSTS="alice carol winnetou dave moon"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
 
-# UML instances on which FreeRadius is started
+# Guest instances on which FreeRadius is started
 #
 RADIUSHOSTS="alice"
 
diff --git a/testing/tests/ikev2/rw-hash-and-url/evaltest.dat b/testing/tests/ikev2/rw-hash-and-url/evaltest.dat
index c52036028..7a9a70939 100644
--- a/testing/tests/ikev2/rw-hash-and-url/evaltest.dat
+++ b/testing/tests/ikev2/rw-hash-and-url/evaltest.dat
@@ -10,8 +10,8 @@ carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
 dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
 moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
 moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
 moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/rw-hash-and-url/posttest.dat b/testing/tests/ikev2/rw-hash-and-url/posttest.dat
index 7cebd7f25..1865a1c60 100644
--- a/testing/tests/ikev2/rw-hash-and-url/posttest.dat
+++ b/testing/tests/ikev2/rw-hash-and-url/posttest.dat
@@ -1,6 +1,6 @@
 moon::ipsec stop
 carol::ipsec stop
 dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/rw-hash-and-url/pretest.dat b/testing/tests/ikev2/rw-hash-and-url/pretest.dat
index 42e9d7c24..8bbea1412 100644
--- a/testing/tests/ikev2/rw-hash-and-url/pretest.dat
+++ b/testing/tests/ikev2/rw-hash-and-url/pretest.dat
@@ -1,6 +1,6 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
diff --git a/testing/tests/ikev2/rw-hash-and-url/test.conf b/testing/tests/ikev2/rw-hash-and-url/test.conf
index 70416826e..f29298850 100644
--- a/testing/tests/ikev2/rw-hash-and-url/test.conf
+++ b/testing/tests/ikev2/rw-hash-and-url/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev2/rw-mark-in-out/description.txt b/testing/tests/ikev2/rw-mark-in-out/description.txt
index 4c35081b1..3012fc656 100644
--- a/testing/tests/ikev2/rw-mark-in-out/description.txt
+++ b/testing/tests/ikev2/rw-mark-in-out/description.txt
@@ -1,7 +1,7 @@
 The roadwarriors <b>alice</b> and <b>venus</b> sitting behind the router <b>moon</b> set up
 tunnels to gateway <b>sun</b>. Since both roadwarriors possess the same 10.1.0.0/25 subnet,
-gateway <b>sun</b> uses Source NAT after ESP decryption to map these subnets to 10.3.0.10
-and 10.3.0.20, respectively.
+gateway <b>sun</b> uses Source NAT after ESP decryption to map these subnets to PH_IP_CAROL10
+and PH_IP_DAVE10, respectively.
 <p/>
 In order to differentiate between the tunnels to <b>alice</b> and <b>venus</b>, respectively,
 <b>XFRM marks</b> are defined for both the inbound and outbound IPsec SAs and policies using
diff --git a/testing/tests/ikev2/rw-mark-in-out/evaltest.dat b/testing/tests/ikev2/rw-mark-in-out/evaltest.dat
index 4a93dc921..26b26204c 100644
--- a/testing/tests/ikev2/rw-mark-in-out/evaltest.dat
+++ b/testing/tests/ikev2/rw-mark-in-out/evaltest.dat
@@ -3,9 +3,9 @@ venus::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
 sun::  ipsec status 2> /dev/null::alice.*ESTABLISHED.*sun.strongswan.org.*alice@strongswan.org::YES
 sun::  ipsec status 2> /dev/null::venus.*ESTABLISHED.*sun.strongswan.org.*venus.strongswan.org::YES
 sun::  ipsec statusall 2> /dev/null::alice.*10.2.0.0/16 === 10.1.0.0/25::YES
-sun::  ipsec statusall 2>::venus.*10.2.0.0/16 === 10.1.0.0/25::YES
-alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
-venus::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
+sun::  ipsec statusall 2> /dev/null::venus.*10.2.0.0/16 === 10.1.0.0/25::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
+venus::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
 moon::tcpdump::IP alice.strongswan.org > sun.strongswan.org: ESP::YES
 moon::tcpdump::IP venus.strongswan.org > sun.strongswan.org: ESP::YES
 moon::tcpdump::IP sun.strongswan.org > alice.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/rw-mark-in-out/hosts/alice/etc/init.d/iptables b/testing/tests/ikev2/rw-mark-in-out/hosts/alice/etc/init.d/iptables
deleted file mode 100755
index 5594bbf52..000000000
--- a/testing/tests/ikev2/rw-mark-in-out/hosts/alice/etc/init.d/iptables
+++ /dev/null
@@ -1,77 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-        # allow ESP 
-        iptables -A INPUT  -i eth0 -p 50 -j ACCEPT
-        iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-	# allow IKE
-	iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-			
-	# allow MOBIKE 
-	iptables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-	# allow crl fetch from winnetou
-	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/ikev2/rw-mark-in-out/hosts/sun/etc/mark_updown b/testing/tests/ikev2/rw-mark-in-out/hosts/sun/etc/mark_updown
index 0d22e684d..421335ffb 100755
--- a/testing/tests/ikev2/rw-mark-in-out/hosts/sun/etc/mark_updown
+++ b/testing/tests/ikev2/rw-mark-in-out/hosts/sun/etc/mark_updown
@@ -73,8 +73,12 @@
 #              just the host, this will be 255.255.255.255.
 #
 #       PLUTO_MY_SOURCEIP
-#              if non-empty, then the source address for the route will be
-#              set to this IP address.
+#       PLUTO_MY_SOURCEIP4_$i
+#       PLUTO_MY_SOURCEIP6_$i
+#              contains IPv4/IPv6 virtual IP received from a responder,
+#              $i enumerates from 1 to the number of IP per address family.
+#              PLUTO_MY_SOURCEIP is a legacy variable and equals to the first
+#              virtual IP, IPv4 or IPv6.
 #
 #       PLUTO_MY_PROTOCOL
 #              is the IP protocol that will be transported.
@@ -128,9 +132,15 @@
 #              contains the remote UDP port in the case of ESP_IN_UDP
 #              encapsulation
 #
+#       PLUTO_DNS4_$i
+#       PLUTO_DNS6_$i
+#              contains IPv4/IPv6 DNS server attribute received from a
+#              responder, $i enumerates from 1 to the number of servers per
+#              address family.
+#
 
 # define a minimum PATH environment in case it is not set
-PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/sbin"
+PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/sbin:/usr/local/sbin"
 export PATH
 
 # uncomment to log VPN connections
diff --git a/testing/tests/ikev2/rw-mark-in-out/hosts/venus/etc/init.d/iptables b/testing/tests/ikev2/rw-mark-in-out/hosts/venus/etc/init.d/iptables
deleted file mode 100755
index 5594bbf52..000000000
--- a/testing/tests/ikev2/rw-mark-in-out/hosts/venus/etc/init.d/iptables
+++ /dev/null
@@ -1,77 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-        # allow ESP 
-        iptables -A INPUT  -i eth0 -p 50 -j ACCEPT
-        iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-	# allow IKE
-	iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-			
-	# allow MOBIKE 
-	iptables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-	# allow crl fetch from winnetou
-	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/ikev2/rw-mark-in-out/posttest.dat b/testing/tests/ikev2/rw-mark-in-out/posttest.dat
index fae79271b..283099acb 100644
--- a/testing/tests/ikev2/rw-mark-in-out/posttest.dat
+++ b/testing/tests/ikev2/rw-mark-in-out/posttest.dat
@@ -2,9 +2,9 @@ sun::iptables -t mangle -v -n -L PREROUTING
 sun::ipsec stop
 alice::ipsec stop
 venus::ipsec stop
-alice::/etc/init.d/iptables stop 2> /dev/null
-venus::/etc/init.d/iptables stop 2> /dev/null
-sun::/etc/init.d/iptables stop 2> /dev/null
+alice::iptables-restore < /etc/iptables.flush
+venus::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
 sun::ip route del 10.1.0.0/16 via PH_IP_MOON
 sun::conntrack -F
 sun::rm /etc/mark_updown
diff --git a/testing/tests/ikev2/rw-mark-in-out/pretest.dat b/testing/tests/ikev2/rw-mark-in-out/pretest.dat
index 3d9a5f340..8e9dd2f51 100644
--- a/testing/tests/ikev2/rw-mark-in-out/pretest.dat
+++ b/testing/tests/ikev2/rw-mark-in-out/pretest.dat
@@ -1,13 +1,12 @@
-alice::/etc/init.d/iptables start 2> /dev/null
-venus::/etc/init.d/iptables start 2> /dev/null
-sun::/etc/init.d/iptables start 2> /dev/null
-moon::echo 1 > /proc/sys/net/ipv4/ip_forward
+alice::iptables-restore < /etc/iptables.rules
+venus::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
 moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p tcp -j SNAT --to PH_IP_MOON 
 sun::ip route add 10.1.0.0/16 via PH_IP_MOON 
-sun::iptables -t nat -A POSTROUTING -o eth1 -m mark --mark 10 -j SNAT --to 10.3.0.10
-sun::iptables -t nat -A POSTROUTING -o eth1 -m mark --mark 20 -j SNAT --to 10.3.0.20
-sun::iptables -t mangle -A PREROUTING -d 10.3.0.10 -j MARK --set-mark 11
-sun::iptables -t mangle -A PREROUTING -d 10.3.0.20 -j MARK --set-mark 21
+sun::iptables -t nat -A POSTROUTING -o eth1 -m mark --mark 10 -j SNAT --to PH_IP_CAROL10
+sun::iptables -t nat -A POSTROUTING -o eth1 -m mark --mark 20 -j SNAT --to PH_IP_DAVE10
+sun::iptables -t mangle -A PREROUTING -d PH_IP_CAROL10 -j MARK --set-mark 11
+sun::iptables -t mangle -A PREROUTING -d PH_IP_DAVE10 -j MARK --set-mark 21
 alice::ipsec start
 venus::ipsec start
 sun::ipsec start
diff --git a/testing/tests/ikev2/rw-mark-in-out/test.conf b/testing/tests/ikev2/rw-mark-in-out/test.conf
index ae3c190b8..105472cbe 100644
--- a/testing/tests/ikev2/rw-mark-in-out/test.conf
+++ b/testing/tests/ikev2/rw-mark-in-out/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice venus moon winnetou sun bob"
+VIRTHOSTS="alice venus moon winnetou sun bob"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-v-m-w-s-b.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon bob"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="alice venus sun"
diff --git a/testing/tests/ikev2/rw-pkcs8/evaltest.dat b/testing/tests/ikev2/rw-pkcs8/evaltest.dat
index b545c2289..2342d024b 100644
--- a/testing/tests/ikev2/rw-pkcs8/evaltest.dat
+++ b/testing/tests/ikev2/rw-pkcs8/evaltest.dat
@@ -6,8 +6,8 @@ carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
 dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
 moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
 moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
 moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/rw-pkcs8/posttest.dat b/testing/tests/ikev2/rw-pkcs8/posttest.dat
index 7cebd7f25..1865a1c60 100644
--- a/testing/tests/ikev2/rw-pkcs8/posttest.dat
+++ b/testing/tests/ikev2/rw-pkcs8/posttest.dat
@@ -1,6 +1,6 @@
 moon::ipsec stop
 carol::ipsec stop
 dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/rw-pkcs8/pretest.dat b/testing/tests/ikev2/rw-pkcs8/pretest.dat
index 42e9d7c24..8bbea1412 100644
--- a/testing/tests/ikev2/rw-pkcs8/pretest.dat
+++ b/testing/tests/ikev2/rw-pkcs8/pretest.dat
@@ -1,6 +1,6 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
diff --git a/testing/tests/ikev2/rw-pkcs8/test.conf b/testing/tests/ikev2/rw-pkcs8/test.conf
index 70416826e..f29298850 100644
--- a/testing/tests/ikev2/rw-pkcs8/test.conf
+++ b/testing/tests/ikev2/rw-pkcs8/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev2/rw-psk-fqdn/evaltest.dat b/testing/tests/ikev2/rw-psk-fqdn/evaltest.dat
index 683173c30..2fbcc474f 100644
--- a/testing/tests/ikev2/rw-psk-fqdn/evaltest.dat
+++ b/testing/tests/ikev2/rw-psk-fqdn/evaltest.dat
@@ -7,8 +7,8 @@ carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
 dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
 moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
 moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
 moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/rw-psk-fqdn/posttest.dat b/testing/tests/ikev2/rw-psk-fqdn/posttest.dat
index 7cebd7f25..1865a1c60 100644
--- a/testing/tests/ikev2/rw-psk-fqdn/posttest.dat
+++ b/testing/tests/ikev2/rw-psk-fqdn/posttest.dat
@@ -1,6 +1,6 @@
 moon::ipsec stop
 carol::ipsec stop
 dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/rw-psk-fqdn/pretest.dat b/testing/tests/ikev2/rw-psk-fqdn/pretest.dat
index 282b2aec0..64ce593fb 100644
--- a/testing/tests/ikev2/rw-psk-fqdn/pretest.dat
+++ b/testing/tests/ikev2/rw-psk-fqdn/pretest.dat
@@ -1,6 +1,6 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
 moon::rm /etc/ipsec.d/cacerts/*
 carol::rm /etc/ipsec.d/cacerts/*
 dave::rm /etc/ipsec.d/cacerts/*
diff --git a/testing/tests/ikev2/rw-psk-fqdn/test.conf b/testing/tests/ikev2/rw-psk-fqdn/test.conf
index 70416826e..f29298850 100644
--- a/testing/tests/ikev2/rw-psk-fqdn/test.conf
+++ b/testing/tests/ikev2/rw-psk-fqdn/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev2/rw-psk-ipv4/evaltest.dat b/testing/tests/ikev2/rw-psk-ipv4/evaltest.dat
index 1ad36fcaf..2bd97b76c 100644
--- a/testing/tests/ikev2/rw-psk-ipv4/evaltest.dat
+++ b/testing/tests/ikev2/rw-psk-ipv4/evaltest.dat
@@ -1,13 +1,13 @@
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*\[192.168.0.100].*\[192.168.0.1]::YES
-dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*\[192.168.0.200].*\[192.168.0.1]::YES
-moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*\[192.168.0.1].*\[192.168.0.100]::YES
-moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*\[192.168.0.1].*\[192.168.0.200]::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*\[PH_IP_CAROL].*\[PH_IP_MOON]::YES
+dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*\[PH_IP_DAVE].*\[PH_IP_MOON]::YES
+moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*\[PH_IP_MOON].*\[PH_IP_CAROL]::YES
+moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*\[PH_IP_MOON].*\[PH_IP_DAVE]::YES
 carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
 dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
 moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
 moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
 moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/rw-psk-ipv4/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2/rw-psk-ipv4/hosts/carol/etc/ipsec.secrets
index 18a074472..57ce85d61 100644
--- a/testing/tests/ikev2/rw-psk-ipv4/hosts/carol/etc/ipsec.secrets
+++ b/testing/tests/ikev2/rw-psk-ipv4/hosts/carol/etc/ipsec.secrets
@@ -1,3 +1,3 @@
 # /etc/ipsec.secrets - strongSwan IPsec secrets file
 
-192.168.0.100 : PSK 0sFpZAZqEN6Ti9sqt4ZP5EWcqx
+PH_IP_CAROL : PSK 0sFpZAZqEN6Ti9sqt4ZP5EWcqx
diff --git a/testing/tests/ikev2/rw-psk-ipv4/hosts/dave/etc/ipsec.secrets b/testing/tests/ikev2/rw-psk-ipv4/hosts/dave/etc/ipsec.secrets
index e989540e9..111de272b 100644
--- a/testing/tests/ikev2/rw-psk-ipv4/hosts/dave/etc/ipsec.secrets
+++ b/testing/tests/ikev2/rw-psk-ipv4/hosts/dave/etc/ipsec.secrets
@@ -1,3 +1,3 @@
 # /etc/ipsec.secrets - strongSwan IPsec secrets file
 
-192.168.0.200  : PSK 0sjVzONCF02ncsgiSlmIXeqhGN
+PH_IP_DAVE  : PSK 0sjVzONCF02ncsgiSlmIXeqhGN
diff --git a/testing/tests/ikev2/rw-psk-ipv4/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2/rw-psk-ipv4/hosts/moon/etc/ipsec.secrets
index ab3fb129b..6706534eb 100644
--- a/testing/tests/ikev2/rw-psk-ipv4/hosts/moon/etc/ipsec.secrets
+++ b/testing/tests/ikev2/rw-psk-ipv4/hosts/moon/etc/ipsec.secrets
@@ -1,5 +1,5 @@
 # /etc/ipsec.secrets - strongSwan IPsec secrets file
 
-192.168.0.100 : PSK 0sFpZAZqEN6Ti9sqt4ZP5EWcqx
+PH_IP_CAROL : PSK 0sFpZAZqEN6Ti9sqt4ZP5EWcqx
 
-192.168.0.200 : PSK 0sjVzONCF02ncsgiSlmIXeqhGN
+PH_IP_DAVE : PSK 0sjVzONCF02ncsgiSlmIXeqhGN
diff --git a/testing/tests/ikev2/rw-psk-ipv4/posttest.dat b/testing/tests/ikev2/rw-psk-ipv4/posttest.dat
index 7cebd7f25..1865a1c60 100644
--- a/testing/tests/ikev2/rw-psk-ipv4/posttest.dat
+++ b/testing/tests/ikev2/rw-psk-ipv4/posttest.dat
@@ -1,6 +1,6 @@
 moon::ipsec stop
 carol::ipsec stop
 dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/rw-psk-ipv4/pretest.dat b/testing/tests/ikev2/rw-psk-ipv4/pretest.dat
index 282b2aec0..64ce593fb 100644
--- a/testing/tests/ikev2/rw-psk-ipv4/pretest.dat
+++ b/testing/tests/ikev2/rw-psk-ipv4/pretest.dat
@@ -1,6 +1,6 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
 moon::rm /etc/ipsec.d/cacerts/*
 carol::rm /etc/ipsec.d/cacerts/*
 dave::rm /etc/ipsec.d/cacerts/*
diff --git a/testing/tests/ikev2/rw-psk-ipv4/test.conf b/testing/tests/ikev2/rw-psk-ipv4/test.conf
index 70416826e..f29298850 100644
--- a/testing/tests/ikev2/rw-psk-ipv4/test.conf
+++ b/testing/tests/ikev2/rw-psk-ipv4/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev2/rw-psk-no-idr/evaltest.dat b/testing/tests/ikev2/rw-psk-no-idr/evaltest.dat
index b545c2289..2342d024b 100644
--- a/testing/tests/ikev2/rw-psk-no-idr/evaltest.dat
+++ b/testing/tests/ikev2/rw-psk-no-idr/evaltest.dat
@@ -6,8 +6,8 @@ carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
 dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
 moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
 moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
 moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/rw-psk-no-idr/posttest.dat b/testing/tests/ikev2/rw-psk-no-idr/posttest.dat
index 7cebd7f25..1865a1c60 100644
--- a/testing/tests/ikev2/rw-psk-no-idr/posttest.dat
+++ b/testing/tests/ikev2/rw-psk-no-idr/posttest.dat
@@ -1,6 +1,6 @@
 moon::ipsec stop
 carol::ipsec stop
 dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/rw-psk-no-idr/pretest.dat b/testing/tests/ikev2/rw-psk-no-idr/pretest.dat
index 282b2aec0..64ce593fb 100644
--- a/testing/tests/ikev2/rw-psk-no-idr/pretest.dat
+++ b/testing/tests/ikev2/rw-psk-no-idr/pretest.dat
@@ -1,6 +1,6 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
 moon::rm /etc/ipsec.d/cacerts/*
 carol::rm /etc/ipsec.d/cacerts/*
 dave::rm /etc/ipsec.d/cacerts/*
diff --git a/testing/tests/ikev2/rw-psk-no-idr/test.conf b/testing/tests/ikev2/rw-psk-no-idr/test.conf
index 70416826e..f29298850 100644
--- a/testing/tests/ikev2/rw-psk-no-idr/test.conf
+++ b/testing/tests/ikev2/rw-psk-no-idr/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev2/rw-psk-rsa-mixed/evaltest.dat b/testing/tests/ikev2/rw-psk-rsa-mixed/evaltest.dat
index 51e868760..ab398a3bb 100644
--- a/testing/tests/ikev2/rw-psk-rsa-mixed/evaltest.dat
+++ b/testing/tests/ikev2/rw-psk-rsa-mixed/evaltest.dat
@@ -1,13 +1,13 @@
 moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with pre-shared key successful::YES
 moon:: cat /var/log/daemon.log::authentication of 'PH_IP_MOON' (myself) with pre-shared key::YES
 moon:: ipsec status 2> /dev/null::rw-psk.*INSTALLED, TUNNEL::YES
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*\[192.168.0.1]::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*\[PH_IP_MOON]::YES
 moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with RSA signature successful::YES
 moon:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' (myself) with RSA signature successful::YES
 moon:: ipsec status 2> /dev/null::rw-rsasig.*INSTALLED, TUNNEL::YES
 dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
 moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/rw-psk-rsa-mixed/posttest.dat b/testing/tests/ikev2/rw-psk-rsa-mixed/posttest.dat
index 7cebd7f25..1865a1c60 100644
--- a/testing/tests/ikev2/rw-psk-rsa-mixed/posttest.dat
+++ b/testing/tests/ikev2/rw-psk-rsa-mixed/posttest.dat
@@ -1,6 +1,6 @@
 moon::ipsec stop
 carol::ipsec stop
 dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/rw-psk-rsa-mixed/pretest.dat b/testing/tests/ikev2/rw-psk-rsa-mixed/pretest.dat
index e48d11e42..446f81426 100644
--- a/testing/tests/ikev2/rw-psk-rsa-mixed/pretest.dat
+++ b/testing/tests/ikev2/rw-psk-rsa-mixed/pretest.dat
@@ -1,6 +1,6 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
 carol::rm /etc/ipsec.d/cacerts/*
 moon::ipsec start
 carol::ipsec start
diff --git a/testing/tests/ikev2/rw-psk-rsa-mixed/test.conf b/testing/tests/ikev2/rw-psk-rsa-mixed/test.conf
index 70416826e..f29298850 100644
--- a/testing/tests/ikev2/rw-psk-rsa-mixed/test.conf
+++ b/testing/tests/ikev2/rw-psk-rsa-mixed/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev2/rw-psk-rsa-split/evaltest.dat b/testing/tests/ikev2/rw-psk-rsa-split/evaltest.dat
index 9a1ab3f8f..1648c9557 100644
--- a/testing/tests/ikev2/rw-psk-rsa-split/evaltest.dat
+++ b/testing/tests/ikev2/rw-psk-rsa-split/evaltest.dat
@@ -9,8 +9,8 @@ carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
 dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
 moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
 moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
 moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/rw-psk-rsa-split/posttest.dat b/testing/tests/ikev2/rw-psk-rsa-split/posttest.dat
index 7cebd7f25..1865a1c60 100644
--- a/testing/tests/ikev2/rw-psk-rsa-split/posttest.dat
+++ b/testing/tests/ikev2/rw-psk-rsa-split/posttest.dat
@@ -1,6 +1,6 @@
 moon::ipsec stop
 carol::ipsec stop
 dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/rw-psk-rsa-split/pretest.dat b/testing/tests/ikev2/rw-psk-rsa-split/pretest.dat
index 42e9d7c24..8bbea1412 100644
--- a/testing/tests/ikev2/rw-psk-rsa-split/pretest.dat
+++ b/testing/tests/ikev2/rw-psk-rsa-split/pretest.dat
@@ -1,6 +1,6 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
diff --git a/testing/tests/ikev2/rw-psk-rsa-split/test.conf b/testing/tests/ikev2/rw-psk-rsa-split/test.conf
index 70416826e..f29298850 100644
--- a/testing/tests/ikev2/rw-psk-rsa-split/test.conf
+++ b/testing/tests/ikev2/rw-psk-rsa-split/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev2/rw-radius-accounting/evaltest.dat b/testing/tests/ikev2/rw-radius-accounting/evaltest.dat
index 5c453f8b4..ccbc769e2 100644
--- a/testing/tests/ikev2/rw-radius-accounting/evaltest.dat
+++ b/testing/tests/ikev2/rw-radius-accounting/evaltest.dat
@@ -9,6 +9,6 @@ carol::ping -c 5 -s 1392 PH_IP_ALICE::1400 bytes from PH_IP_ALICE::YES
 carol::ipsec down home 2> /dev/null::no output expected::NO
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
-alice::cat /var/log/radius/radacct/10.1.0.1/*::User-Name =.*carol::YES
-alice::cat /var/log/radius/radacct/10.1.0.1/*::Acct-Output-Octets = 7100::YES
-alice::cat /var/log/radius/radacct/10.1.0.1/*::Acct-Input-Octets = 7100::YES
+alice::cat /var/log/freeradius/radacct/PH_IP_MOON1/*::User-Name =.*carol::YES
+alice::cat /var/log/freeradius/radacct/PH_IP_MOON1/*::Acct-Output-Octets = 7100::YES
+alice::cat /var/log/freeradius/radacct/PH_IP_MOON1/*::Acct-Input-Octets = 7100::YES
diff --git a/testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/freeradius/eap.conf b/testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/freeradius/eap.conf
new file mode 100644
index 000000000..623f42904
--- /dev/null
+++ b/testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/freeradius/eap.conf
@@ -0,0 +1,5 @@
+eap {
+  default_eap_type = md5
+  md5 {
+  }
+}
diff --git a/testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/freeradius/proxy.conf b/testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/freeradius/proxy.conf
new file mode 100644
index 000000000..783587b55
--- /dev/null
+++ b/testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/freeradius/proxy.conf
@@ -0,0 +1,5 @@
+realm LOCAL {
+  type     = radius
+  authhost = LOCAL
+  accthost = LOCAL
+}
diff --git a/testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/freeradius/sites-available/default b/testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/freeradius/sites-available/default
new file mode 100644
index 000000000..a67a5dcb4
--- /dev/null
+++ b/testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/freeradius/sites-available/default
@@ -0,0 +1,42 @@
+authorize {
+  eap {
+    ok = return
+  }
+  files
+}
+
+authenticate {
+  eap
+}
+
+preacct {
+  preprocess
+  acct_unique
+  suffix
+  files
+}
+
+accounting {
+  detail
+  unix
+  radutmp
+  attr_filter.accounting_response
+}
+
+session {
+  radutmp
+}
+
+post-auth {
+  exec
+  Post-Auth-Type REJECT {
+    attr_filter.access_reject
+  }
+}
+
+pre-proxy {
+}
+
+post-proxy {
+  eap
+}
diff --git a/testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/freeradius/users b/testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/freeradius/users
new file mode 100644
index 000000000..247b918e3
--- /dev/null
+++ b/testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/freeradius/users
@@ -0,0 +1 @@
+carol	Cleartext-Password := "Ar3etTnp"
diff --git a/testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/raddb/clients.conf b/testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/raddb/clients.conf
deleted file mode 100644
index f4e179aa4..000000000
--- a/testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/raddb/clients.conf
+++ /dev/null
@@ -1,4 +0,0 @@
-client PH_IP_MOON1 {
-  secret    = gv6URkSs 
-  shortname = moon
-}
diff --git a/testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/raddb/eap.conf b/testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/raddb/eap.conf
deleted file mode 100644
index 623f42904..000000000
--- a/testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/raddb/eap.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-eap {
-  default_eap_type = md5
-  md5 {
-  }
-}
diff --git a/testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/raddb/proxy.conf b/testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/raddb/proxy.conf
deleted file mode 100644
index 783587b55..000000000
--- a/testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/raddb/proxy.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-realm LOCAL {
-  type     = radius
-  authhost = LOCAL
-  accthost = LOCAL
-}
diff --git a/testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/raddb/radiusd.conf b/testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/raddb/radiusd.conf
deleted file mode 100644
index 1143a0473..000000000
--- a/testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/raddb/radiusd.conf
+++ /dev/null
@@ -1,120 +0,0 @@
-# radiusd.conf	-- FreeRADIUS server configuration file.
-
-prefix = /usr
-exec_prefix = ${prefix}
-sysconfdir = /etc
-localstatedir = /var
-sbindir = ${exec_prefix}/sbin
-logdir = ${localstatedir}/log/radius
-raddbdir = ${sysconfdir}/raddb
-radacctdir = ${logdir}/radacct
-
-#  name of the running server.  See also the "-n" command-line option.
-name = radiusd
-
-#  Location of config and logfiles.
-confdir = ${raddbdir}
-run_dir = ${localstatedir}/run/radiusd
-
-# Should likely be ${localstatedir}/lib/radiusd
-db_dir = ${raddbdir}
-
-# libdir: Where to find the rlm_* modules.
-libdir = ${exec_prefix}/lib
-
-#  pidfile: Where to place the PID of the RADIUS server.
-pidfile = ${run_dir}/${name}.pid
-
-#  max_request_time: The maximum time (in seconds) to handle a request.
-max_request_time = 30
-
-#  cleanup_delay: The time to wait (in seconds) before cleaning up
-cleanup_delay = 5
-
-#  max_requests: The maximum number of requests which the server keeps
-max_requests = 1024
-
-#  listen: Make the server listen on a particular IP address, and send
-listen {
-  type = auth
-  ipaddr = PH_IP_ALICE 
-  port = 0
-}
-
-#  This second "listen" section is for listening on the accounting
-#  port, too.
-#
-listen {
-  type  = acct
-  ipaddr = PH_IP_ALICE 
-  port = 0
-}
-
-#  hostname_lookups: Log the names of clients or just their IP addresses
-hostname_lookups = no
-
-#  Core dumps are a bad thing.  This should only be set to 'yes'
-allow_core_dumps = no
-
-#  Regular expressions
-regular_expressions = yes
-extended_expressions = yes
-
-#  Logging section.  The various "log_*" configuration items
-log {
-  destination = files
-  file = ${logdir}/radius.log
-  syslog_facility = daemon
-  stripped_names = no
-  auth = yes 
-  auth_badpass = yes 
-  auth_goodpass = yes 
-}
-
-#  The program to execute to do concurrency checks.
-checkrad = ${sbindir}/checkrad
-
-#  Security considerations
-security {
-  max_attributes = 200
-  reject_delay = 1
-  status_server = yes
-}
-
-# PROXY CONFIGURATION
-proxy_requests = yes
-$INCLUDE proxy.conf
-
-# CLIENTS CONFIGURATION
-$INCLUDE clients.conf
-
-# THREAD POOL CONFIGURATION
-thread pool {
-  start_servers = 5
-  max_servers = 32
-  min_spare_servers = 3
-  max_spare_servers = 10
-  max_requests_per_server = 0
-}
-
-# MODULE CONFIGURATION
-modules {
-  $INCLUDE ${confdir}/modules/
-  $INCLUDE eap.conf
-  $INCLUDE sql.conf
-  $INCLUDE sql/mysql/counter.conf
-}
-
-# Instantiation
-instantiate {
-  exec
-  expr
-  expiration
-  logintime
-}
-
-# Policies
-$INCLUDE policy.conf
-
-# Include all enabled virtual hosts
-$INCLUDE sites-enabled/
diff --git a/testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/raddb/sites-available/default b/testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/raddb/sites-available/default
deleted file mode 100644
index 2de32a6f2..000000000
--- a/testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/raddb/sites-available/default
+++ /dev/null
@@ -1,43 +0,0 @@
-authorize {
-  eap {
-    ok = return
-  }
-  files
-}
-
-authenticate {
-  eap
-}
-
-preacct {
-  preprocess
-  acct_unique
-  suffix
-  files
-}
-
-accounting {
-  detail
-  unix
-  radutmp
-  attr_filter.accounting_response
-}
-
-session {
-  radutmp
-}
-
-post-auth {
-  exec
-  Post-Auth-Type REJECT {
-    attr_filter.access_reject
-  }
-}
-
-pre-proxy {
-}
-
-post-proxy {
-  eap
-}
-
diff --git a/testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/raddb/users b/testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/raddb/users
deleted file mode 100644
index 247b918e3..000000000
--- a/testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/raddb/users
+++ /dev/null
@@ -1 +0,0 @@
-carol	Cleartext-Password := "Ar3etTnp"
diff --git a/testing/tests/ikev2/rw-radius-accounting/hosts/moon/etc/init.d/iptables b/testing/tests/ikev2/rw-radius-accounting/hosts/moon/etc/init.d/iptables
deleted file mode 100755
index 962a418d9..000000000
--- a/testing/tests/ikev2/rw-radius-accounting/hosts/moon/etc/init.d/iptables
+++ /dev/null
@@ -1,88 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# enable IP forwarding
-	echo 1 > /proc/sys/net/ipv4/ip_forward
-	
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	# allow esp
-	iptables -A INPUT  -i eth0 -p 50 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-	# allow IKE
-	iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
-	# allow MobIKE
-	iptables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-	# allow crl fetch from winnetou
-	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
-	# allow RADIUS protocol with alice
-	iptables -A INPUT  -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT
-	iptables -A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT
-
-	# allow RADIUS accounting protocol with alice
-	iptables -A INPUT  -i eth1 -p udp --sport 1813 -s PH_IP_ALICE -j ACCEPT
-	iptables -A OUTPUT -o eth1 -p udp --dport 1813 -d PH_IP_ALICE -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/ikev2/rw-radius-accounting/hosts/moon/etc/iptables.rules b/testing/tests/ikev2/rw-radius-accounting/hosts/moon/etc/iptables.rules
new file mode 100644
index 000000000..b9560a38e
--- /dev/null
+++ b/testing/tests/ikev2/rw-radius-accounting/hosts/moon/etc/iptables.rules
@@ -0,0 +1,36 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow esp
+-A INPUT  -i eth0 -p 50 -j ACCEPT
+-A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+# allow IKE
+-A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT  -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+# allow RADIUS protocol with alice
+-A INPUT  -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT
+-A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT
+
+# allow RADIUS accounting protocol with alice
+-A INPUT  -i eth1 -p udp --sport 1813 -s PH_IP_ALICE -j ACCEPT
+-A OUTPUT -o eth1 -p udp --dport 1813 -d PH_IP_ALICE -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/ikev2/rw-radius-accounting/posttest.dat b/testing/tests/ikev2/rw-radius-accounting/posttest.dat
index b1f971402..98f7a6954 100644
--- a/testing/tests/ikev2/rw-radius-accounting/posttest.dat
+++ b/testing/tests/ikev2/rw-radius-accounting/posttest.dat
@@ -1,7 +1,6 @@
 carol::ipsec stop
 moon::ipsec stop
-alice::/etc/init.d/radiusd stop
-alice::cat /var/log/radius/radacct/10.1.0.1/*
-carol::/etc/init.d/iptables stop 2> /dev/null
-moon::/etc/init.d/iptables stop 2> /dev/null
-
+alice::killall radiusd
+alice::cat /var/log/freeradius/radacct/PH_IP_MOON1/*
+carol::iptables-restore < /etc/iptables.flush
+moon::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/rw-radius-accounting/pretest.dat b/testing/tests/ikev2/rw-radius-accounting/pretest.dat
index 30c8bd573..9f437fe85 100644
--- a/testing/tests/ikev2/rw-radius-accounting/pretest.dat
+++ b/testing/tests/ikev2/rw-radius-accounting/pretest.dat
@@ -1,7 +1,7 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-alice::rm /var/log/radius/radacct/10.1.0.1/*
-alice::/etc/init.d/radiusd start 
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+alice::rm /var/log/freeradius/radacct/PH_IP_MOON1/*
+alice::radiusd
 moon::ipsec start
 carol::ipsec start
 carol::sleep 1
diff --git a/testing/tests/ikev2/rw-radius-accounting/test.conf b/testing/tests/ikev2/rw-radius-accounting/test.conf
index f2d20e984..6dbb1c7fd 100644
--- a/testing/tests/ikev2/rw-radius-accounting/test.conf
+++ b/testing/tests/ikev2/rw-radius-accounting/test.conf
@@ -1,25 +1,25 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou"
+VIRTHOSTS="alice moon carol winnetou"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
 
-# UML instances on which FreeRadius is started
+# Guest instances on which FreeRadius is started
 #
 RADIUSHOSTS="alice"
diff --git a/testing/tests/ikev2/rw-whitelist/evaltest.dat b/testing/tests/ikev2/rw-whitelist/evaltest.dat
index d6f71d7c0..9418d6ee1 100644
--- a/testing/tests/ikev2/rw-whitelist/evaltest.dat
+++ b/testing/tests/ikev2/rw-whitelist/evaltest.dat
@@ -3,10 +3,10 @@ moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with RS
 moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with RSA signature successful::YES
 moon:: cat /var/log/daemon.log::peer identity 'dave@strongswan.org' not whitelisted::YES
 carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
 dave:: cat /var/log/daemon.log:: received AUTHENTICATION_FAILED notify error::YES
 dave:: ipsec status 2> /dev/null::home.*INSTALLED::NO
-dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::NO
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::NO
 moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
 moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::NO
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/rw-whitelist/posttest.dat b/testing/tests/ikev2/rw-whitelist/posttest.dat
index 1777f439f..b757d8b15 100644
--- a/testing/tests/ikev2/rw-whitelist/posttest.dat
+++ b/testing/tests/ikev2/rw-whitelist/posttest.dat
@@ -1,6 +1,6 @@
 carol::ipsec stop
 dave::ipsec stop
 moon::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/rw-whitelist/pretest.dat b/testing/tests/ikev2/rw-whitelist/pretest.dat
index c4ac77d77..87760775a 100644
--- a/testing/tests/ikev2/rw-whitelist/pretest.dat
+++ b/testing/tests/ikev2/rw-whitelist/pretest.dat
@@ -1,6 +1,6 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
 carol::ipsec start
 dave::ipsec start
 moon::ipsec start
diff --git a/testing/tests/ikev2/rw-whitelist/test.conf b/testing/tests/ikev2/rw-whitelist/test.conf
index 1a8f2a4e0..164b07ff9 100644
--- a/testing/tests/ikev2/rw-whitelist/test.conf
+++ b/testing/tests/ikev2/rw-whitelist/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon alice"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev2/shunt-policies/evaltest.dat b/testing/tests/ikev2/shunt-policies/evaltest.dat
index f40437e3e..a6e40a817 100644
--- a/testing/tests/ikev2/shunt-policies/evaltest.dat
+++ b/testing/tests/ikev2/shunt-policies/evaltest.dat
@@ -1,15 +1,15 @@
 moon:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
 sun::  ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
-alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
-alice::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_seq=1::YES
-venus::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::NO
-venus::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_seq=1::YES
-moon:: ping -c 1 -I PH_IP_MOON1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
-moon:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-moon:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_seq=1::YES
-bob::  ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-bob::  ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_seq=1::YES
-bob::  ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_seq=1::NO
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
+alice::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_req=1::YES
+venus::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::NO
+venus::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_req=1::YES
+moon:: ping -c 1 -I PH_IP_MOON1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
+moon:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+moon:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES
+bob::  ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+bob::  ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_req=1::YES
+bob::  ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::NO
 sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
 sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
 venus::ssh PH_IP_BOB hostname::bob::YES
diff --git a/testing/tests/ikev2/shunt-policies/hosts/moon/etc/init.d/iptables b/testing/tests/ikev2/shunt-policies/hosts/moon/etc/init.d/iptables
deleted file mode 100755
index 2b90a14c7..000000000
--- a/testing/tests/ikev2/shunt-policies/hosts/moon/etc/init.d/iptables
+++ /dev/null
@@ -1,84 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# enable IP forwarding
-	echo 1 > /proc/sys/net/ipv4/ip_forward
-	
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	# allow esp
-	iptables -A INPUT  -i eth0 -p 50 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-	# allow IKE
-	iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
-	# allow MobIKE
-	iptables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-	# allow crl fetch from winnetou
-	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	# allow icmp in local net
-	iptables -A INPUT  -i eth1 -p icmp -j ACCEPT
-	iptables -A OUTPUT -o eth1 -p icmp -j ACCEPT
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/ikev2/shunt-policies/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/shunt-policies/hosts/moon/etc/ipsec.conf
index 90a5d61b1..46ca4cdc3 100644
--- a/testing/tests/ikev2/shunt-policies/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/shunt-policies/hosts/moon/etc/ipsec.conf
@@ -18,7 +18,7 @@ conn local-net
 	auto=route
 
 conn venus-icmp
-	leftsubnet=10.1.0.20/32
+	leftsubnet=PH_IP_VENUS/32
 	rightsubnet=0.0.0.0/0
 	leftprotoport=icmp
 	rightprotoport=icmp
diff --git a/testing/tests/ikev2/shunt-policies/hosts/moon/etc/iptables.rules b/testing/tests/ikev2/shunt-policies/hosts/moon/etc/iptables.rules
new file mode 100644
index 000000000..af0f25209
--- /dev/null
+++ b/testing/tests/ikev2/shunt-policies/hosts/moon/etc/iptables.rules
@@ -0,0 +1,32 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow esp
+-A INPUT  -i eth0 -p 50 -j ACCEPT
+-A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+# allow IKE
+-A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT  -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+# allow icmp in local net
+-A INPUT  -i eth1 -p icmp -j ACCEPT
+-A OUTPUT -o eth1 -p icmp -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/ikev2/shunt-policies/posttest.dat b/testing/tests/ikev2/shunt-policies/posttest.dat
index a4c96e10f..837738fc6 100644
--- a/testing/tests/ikev2/shunt-policies/posttest.dat
+++ b/testing/tests/ikev2/shunt-policies/posttest.dat
@@ -1,5 +1,5 @@
 moon::ipsec stop
 sun::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-sun::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
 
diff --git a/testing/tests/ikev2/shunt-policies/pretest.dat b/testing/tests/ikev2/shunt-policies/pretest.dat
index 2d7a78acb..c724e5df8 100644
--- a/testing/tests/ikev2/shunt-policies/pretest.dat
+++ b/testing/tests/ikev2/shunt-policies/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-sun::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 sun::ipsec start
 moon::sleep 1 
diff --git a/testing/tests/ikev2/shunt-policies/test.conf b/testing/tests/ikev2/shunt-policies/test.conf
index cf2ef7424..6b7432ca6 100644
--- a/testing/tests/ikev2/shunt-policies/test.conf
+++ b/testing/tests/ikev2/shunt-policies/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon winnetou sun bob"
+VIRTHOSTS="alice moon winnetou sun bob"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-v-m-w-s-b.png"
  
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="sun"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon sun"
diff --git a/testing/tests/ikev2/strong-keys-certs/evaltest.dat b/testing/tests/ikev2/strong-keys-certs/evaltest.dat
index b545c2289..2342d024b 100644
--- a/testing/tests/ikev2/strong-keys-certs/evaltest.dat
+++ b/testing/tests/ikev2/strong-keys-certs/evaltest.dat
@@ -6,8 +6,8 @@ carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
 dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
 moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
 moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
 moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/strong-keys-certs/posttest.dat b/testing/tests/ikev2/strong-keys-certs/posttest.dat
index 9ccbaa1c2..3fd6a690e 100644
--- a/testing/tests/ikev2/strong-keys-certs/posttest.dat
+++ b/testing/tests/ikev2/strong-keys-certs/posttest.dat
@@ -1,9 +1,9 @@
 moon::ipsec stop
 carol::ipsec stop
 dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
 moon::rm /etc/ipsec.d/private/*
 carol::rm /etc/ipsec.d/private/*
 dave::rm /etc/ipsec.d/private/*
diff --git a/testing/tests/ikev2/strong-keys-certs/pretest.dat b/testing/tests/ikev2/strong-keys-certs/pretest.dat
index de51ccdfa..dea5fc162 100644
--- a/testing/tests/ikev2/strong-keys-certs/pretest.dat
+++ b/testing/tests/ikev2/strong-keys-certs/pretest.dat
@@ -1,6 +1,6 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
diff --git a/testing/tests/ikev2/strong-keys-certs/test.conf b/testing/tests/ikev2/strong-keys-certs/test.conf
index 70416826e..f29298850 100644
--- a/testing/tests/ikev2/strong-keys-certs/test.conf
+++ b/testing/tests/ikev2/strong-keys-certs/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev2/two-certs/evaltest.dat b/testing/tests/ikev2/two-certs/evaltest.dat
index f50e7c30d..2b4476afa 100644
--- a/testing/tests/ikev2/two-certs/evaltest.dat
+++ b/testing/tests/ikev2/two-certs/evaltest.dat
@@ -1,11 +1,11 @@
 moon:: cat /var/log/daemon.log::using certificate.*OU=Research, CN=carol@strongswan.org::YES
 moon:: ipsec status 2> /dev/null::alice.*INSTALLED, TUNNEL::YES
 carol::ipsec status 2> /dev/null::alice.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
 moon:: cat /var/log/daemon.log::signature validation failed, looking for another key::YES
 moon:: cat /var/log/daemon.log::using certificate.*OU=Research, SN=002, CN=carol@strongswan.org::YES
 moon:: ipsec status 2> /dev/null::venus.*INSTALLED, TUNNEL::YES
 carol::ipsec status 2> /dev/null::venus.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
-carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_seq=1::YES
+carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/two-certs/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/two-certs/hosts/carol/etc/ipsec.conf
index a0f44e312..9ec202e3d 100644
--- a/testing/tests/ikev2/two-certs/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/two-certs/hosts/carol/etc/ipsec.conf
@@ -18,11 +18,11 @@ conn %default
 
 conn alice 
 	leftcert=carolCert.pem
-	rightsubnet=10.1.0.10/32
+	rightsubnet=PH_IP_ALICE/32
 	auto=add
 
 conn venus
 	leftcert=carolCert-002.pem
-	rightsubnet=10.1.0.20/32
+	rightsubnet=PH_IP_VENUS/32
 	auto=add
 
diff --git a/testing/tests/ikev2/two-certs/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/two-certs/hosts/moon/etc/ipsec.conf
index dac656243..d8f1443ac 100644
--- a/testing/tests/ikev2/two-certs/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/two-certs/hosts/moon/etc/ipsec.conf
@@ -23,10 +23,10 @@ conn %default
 	keyexchange=ikev2
 
 conn alice 
-	leftsubnet=10.1.0.10/32
+	leftsubnet=PH_IP_ALICE/32
 	auto=add
 
 conn venus 
-	leftsubnet=10.1.0.20/32
+	leftsubnet=PH_IP_VENUS/32
 	auto=add
 
diff --git a/testing/tests/ikev2/two-certs/posttest.dat b/testing/tests/ikev2/two-certs/posttest.dat
index a1f067838..eae8c27d4 100644
--- a/testing/tests/ikev2/two-certs/posttest.dat
+++ b/testing/tests/ikev2/two-certs/posttest.dat
@@ -1,6 +1,6 @@
 moon::ipsec stop
 carol::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
 carol::rm /etc/ipsec.d/private/*
 carol::rm /etc/ipsec.d/certs/*
diff --git a/testing/tests/ikev2/two-certs/pretest.dat b/testing/tests/ikev2/two-certs/pretest.dat
index 716cf71e8..fe2aaec19 100644
--- a/testing/tests/ikev2/two-certs/pretest.dat
+++ b/testing/tests/ikev2/two-certs/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 carol::sleep 1
diff --git a/testing/tests/ikev2/two-certs/test.conf b/testing/tests/ikev2/two-certs/test.conf
index d0306cd25..3f6afa02e 100644
--- a/testing/tests/ikev2/two-certs/test.conf
+++ b/testing/tests/ikev2/two-certs/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice venus moon carol winnetou"
+VIRTHOSTS="alice venus moon carol winnetou"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-v-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/virtual-ip-override/posttest.dat b/testing/tests/ikev2/virtual-ip-override/posttest.dat
index 7cebd7f25..1865a1c60 100644
--- a/testing/tests/ikev2/virtual-ip-override/posttest.dat
+++ b/testing/tests/ikev2/virtual-ip-override/posttest.dat
@@ -1,6 +1,6 @@
 moon::ipsec stop
 carol::ipsec stop
 dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/virtual-ip-override/pretest.dat b/testing/tests/ikev2/virtual-ip-override/pretest.dat
index 5ec37aae1..1765a83cd 100644
--- a/testing/tests/ikev2/virtual-ip-override/pretest.dat
+++ b/testing/tests/ikev2/virtual-ip-override/pretest.dat
@@ -1,6 +1,6 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
 carol::ipsec start
 dave::ipsec start
 moon::ipsec start
diff --git a/testing/tests/ikev2/virtual-ip-override/test.conf b/testing/tests/ikev2/virtual-ip-override/test.conf
index 01c94f7fb..5139506ac 100644
--- a/testing/tests/ikev2/virtual-ip-override/test.conf
+++ b/testing/tests/ikev2/virtual-ip-override/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS=""
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev2/virtual-ip/evaltest.dat b/testing/tests/ikev2/virtual-ip/evaltest.dat
index dd3143ae7..0f5df71d7 100644
--- a/testing/tests/ikev2/virtual-ip/evaltest.dat
+++ b/testing/tests/ikev2/virtual-ip/evaltest.dat
@@ -14,12 +14,12 @@ carol::ip addr list dev eth0::PH_IP_CAROL1::YES
 carol::ip route list table 220::src PH_IP_CAROL1::YES
 dave:: ip addr list dev eth0::PH_IP_DAVE1::YES
 dave:: ip route list table 220::src PH_IP_DAVE1::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-carol::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_seq=1::YES
-dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave:: ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_seq=1::YES
-moon:: ping -c 1 PH_IP_CAROL1::64 bytes from PH_IP_CAROL1: icmp_seq=1::YES
-moon:: ping -c 1 PH_IP_DAVE1::64 bytes from PH_IP_DAVE1: icmp_seq=1::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+carol::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_req=1::YES
+moon:: ping -c 1 PH_IP_CAROL1::64 bytes from PH_IP_CAROL1: icmp_req=1::YES
+moon:: ping -c 1 PH_IP_DAVE1::64 bytes from PH_IP_DAVE1: icmp_req=1::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
 moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/virtual-ip/posttest.dat b/testing/tests/ikev2/virtual-ip/posttest.dat
index 7cebd7f25..1865a1c60 100644
--- a/testing/tests/ikev2/virtual-ip/posttest.dat
+++ b/testing/tests/ikev2/virtual-ip/posttest.dat
@@ -1,6 +1,6 @@
 moon::ipsec stop
 carol::ipsec stop
 dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/virtual-ip/pretest.dat b/testing/tests/ikev2/virtual-ip/pretest.dat
index 5ec37aae1..1765a83cd 100644
--- a/testing/tests/ikev2/virtual-ip/pretest.dat
+++ b/testing/tests/ikev2/virtual-ip/pretest.dat
@@ -1,6 +1,6 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
 carol::ipsec start
 dave::ipsec start
 moon::ipsec start
diff --git a/testing/tests/ikev2/virtual-ip/test.conf b/testing/tests/ikev2/virtual-ip/test.conf
index 1a8f2a4e0..164b07ff9 100644
--- a/testing/tests/ikev2/virtual-ip/test.conf
+++ b/testing/tests/ikev2/virtual-ip/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon alice"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev2/wildcards/pretest.dat b/testing/tests/ikev2/wildcards/pretest.dat
index e3da87520..3c4832e5e 100644
--- a/testing/tests/ikev2/wildcards/pretest.dat
+++ b/testing/tests/ikev2/wildcards/pretest.dat
@@ -1,4 +1,3 @@
-moon::echo 1 > /proc/sys/net/ipv4/ip_forward
 carol::ipsec start
 dave::ipsec start
 moon::ipsec start
diff --git a/testing/tests/ikev2/wildcards/test.conf b/testing/tests/ikev2/wildcards/test.conf
index 08e5cc145..9bb88d79f 100644
--- a/testing/tests/ikev2/wildcards/test.conf
+++ b/testing/tests/ikev2/wildcards/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice venus moon carol winnetou dave"
+VIRTHOSTS="alice venus moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-v-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS=""
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ipv6/host2host-ikev1/hosts/moon/etc/init.d/iptables b/testing/tests/ipv6/host2host-ikev1/hosts/moon/etc/init.d/iptables
deleted file mode 100755
index 47db6db82..000000000
--- a/testing/tests/ipv6/host2host-ikev1/hosts/moon/etc/init.d/iptables
+++ /dev/null
@@ -1,108 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# enable IP forwarding
-	echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
-	echo 1 > /proc/sys/net/ipv4/ip_forward
-	
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	/sbin/ip6tables -P INPUT DROP
-	/sbin/ip6tables -P OUTPUT DROP
-	/sbin/ip6tables -P FORWARD DROP
-
-	# allow esp
-	ip6tables -A INPUT  -i eth0 -p 50 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-	# allow IKE
-	ip6tables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
-	# allow MobIKE
-	ip6tables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-	# allow ICMPv6 neighbor-solicitations
-	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-	
-	# allow ICMPv6 neighbor-advertisements
-	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-
-	# allow last IPv6 UDP fragments
-	ip6tables -A INPUT  -p udp -m frag --fraglast -j ACCEPT
-	ip6tables -A OUTPUT -p udp -m frag --fraglast -j ACCEPT
-
-	# allow crl and certificate fetch from winnetou
-	ip6tables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP6_WINNETOU -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP6_WINNETOU -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	# log dropped packets
-	ip6tables -A INPUT  -j LOG --log-prefix " IN: "
-	ip6tables -A OUTPUT -j LOG --log-prefix " OUT: "
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/ip6tables -F -t $a
-			/sbin/ip6tables -X -t $a
-
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/ip6tables -t filter -P INPUT ACCEPT
-				/sbin/ip6tables -t filter -P FORWARD ACCEPT
-				/sbin/ip6tables -t filter -P OUTPUT ACCEPT
-
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/ip6tables -F -t $a
-			/sbin/ip6tables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/ipv6/host2host-ikev1/hosts/sun/etc/init.d/iptables b/testing/tests/ipv6/host2host-ikev1/hosts/sun/etc/init.d/iptables
deleted file mode 100755
index 47db6db82..000000000
--- a/testing/tests/ipv6/host2host-ikev1/hosts/sun/etc/init.d/iptables
+++ /dev/null
@@ -1,108 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# enable IP forwarding
-	echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
-	echo 1 > /proc/sys/net/ipv4/ip_forward
-	
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	/sbin/ip6tables -P INPUT DROP
-	/sbin/ip6tables -P OUTPUT DROP
-	/sbin/ip6tables -P FORWARD DROP
-
-	# allow esp
-	ip6tables -A INPUT  -i eth0 -p 50 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-	# allow IKE
-	ip6tables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
-	# allow MobIKE
-	ip6tables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-	# allow ICMPv6 neighbor-solicitations
-	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-	
-	# allow ICMPv6 neighbor-advertisements
-	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-
-	# allow last IPv6 UDP fragments
-	ip6tables -A INPUT  -p udp -m frag --fraglast -j ACCEPT
-	ip6tables -A OUTPUT -p udp -m frag --fraglast -j ACCEPT
-
-	# allow crl and certificate fetch from winnetou
-	ip6tables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP6_WINNETOU -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP6_WINNETOU -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	# log dropped packets
-	ip6tables -A INPUT  -j LOG --log-prefix " IN: "
-	ip6tables -A OUTPUT -j LOG --log-prefix " OUT: "
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/ip6tables -F -t $a
-			/sbin/ip6tables -X -t $a
-
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/ip6tables -t filter -P INPUT ACCEPT
-				/sbin/ip6tables -t filter -P FORWARD ACCEPT
-				/sbin/ip6tables -t filter -P OUTPUT ACCEPT
-
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/ip6tables -F -t $a
-			/sbin/ip6tables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/ipv6/host2host-ikev1/posttest.dat b/testing/tests/ipv6/host2host-ikev1/posttest.dat
index 5a9150bc8..d3bebd0c6 100644
--- a/testing/tests/ipv6/host2host-ikev1/posttest.dat
+++ b/testing/tests/ipv6/host2host-ikev1/posttest.dat
@@ -1,4 +1,6 @@
 moon::ipsec stop
 sun::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-sun::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
+moon::ip6tables-restore < /etc/ip6tables.flush
+sun::ip6tables-restore < /etc/ip6tables.flush
diff --git a/testing/tests/ipv6/host2host-ikev1/pretest.dat b/testing/tests/ipv6/host2host-ikev1/pretest.dat
index 7e97e7783..46c015387 100644
--- a/testing/tests/ipv6/host2host-ikev1/pretest.dat
+++ b/testing/tests/ipv6/host2host-ikev1/pretest.dat
@@ -1,7 +1,9 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-sun::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.drop
+sun::iptables-restore < /etc/iptables.drop
+moon::ip6tables-restore < /etc/ip6tables.rules
+sun::ip6tables-restore < /etc/ip6tables.rules
 moon::ipsec start
 sun::ipsec start
-moon::sleep 2 
+moon::expect-connection host-host
+sun::expect-connection host-host
 moon::ipsec up host-host
-moon::sleep 1
diff --git a/testing/tests/ipv6/host2host-ikev1/test.conf b/testing/tests/ipv6/host2host-ikev1/test.conf
index 6ab5b8a96..56df1a0da 100644
--- a/testing/tests/ipv6/host2host-ikev1/test.conf
+++ b/testing/tests/ipv6/host2host-ikev1/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="moon winnetou sun"
+VIRTHOSTS="moon winnetou sun"
  
 # Corresponding block diagram
 #
 DIAGRAM="m-w-s-ip6.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="sun"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon sun"
diff --git a/testing/tests/ipv6/host2host-ikev2/hosts/moon/etc/init.d/iptables b/testing/tests/ipv6/host2host-ikev2/hosts/moon/etc/init.d/iptables
deleted file mode 100755
index b3509f8df..000000000
--- a/testing/tests/ipv6/host2host-ikev2/hosts/moon/etc/init.d/iptables
+++ /dev/null
@@ -1,104 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# enable IP forwarding
-	echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
-	echo 1 > /proc/sys/net/ipv4/ip_forward
-	
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	/sbin/ip6tables -P INPUT DROP
-	/sbin/ip6tables -P OUTPUT DROP
-	/sbin/ip6tables -P FORWARD DROP
-
-	# allow esp
-	ip6tables -A INPUT  -i eth0 -p 50 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-	# allow IKE
-	ip6tables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
-	# allow MobIKE
-	ip6tables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-	# allow ICMPv6 neighbor-solicitations
-	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-	
-	# allow ICMPv6 neighbor-advertisements
-	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-
-	# allow crl and certificate fetch from winnetou
-	ip6tables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP6_WINNETOU -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP6_WINNETOU -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	# log dropped packets
-	ip6tables -A INPUT  -j LOG --log-prefix " IN: "
-	ip6tables -A OUTPUT -j LOG --log-prefix " OUT: "
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/ip6tables -F -t $a
-			/sbin/ip6tables -X -t $a
-
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/ip6tables -t filter -P INPUT ACCEPT
-				/sbin/ip6tables -t filter -P FORWARD ACCEPT
-				/sbin/ip6tables -t filter -P OUTPUT ACCEPT
-
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/ip6tables -F -t $a
-			/sbin/ip6tables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/ipv6/host2host-ikev2/hosts/sun/etc/init.d/iptables b/testing/tests/ipv6/host2host-ikev2/hosts/sun/etc/init.d/iptables
deleted file mode 100755
index b3509f8df..000000000
--- a/testing/tests/ipv6/host2host-ikev2/hosts/sun/etc/init.d/iptables
+++ /dev/null
@@ -1,104 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# enable IP forwarding
-	echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
-	echo 1 > /proc/sys/net/ipv4/ip_forward
-	
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	/sbin/ip6tables -P INPUT DROP
-	/sbin/ip6tables -P OUTPUT DROP
-	/sbin/ip6tables -P FORWARD DROP
-
-	# allow esp
-	ip6tables -A INPUT  -i eth0 -p 50 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-	# allow IKE
-	ip6tables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
-	# allow MobIKE
-	ip6tables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-	# allow ICMPv6 neighbor-solicitations
-	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-	
-	# allow ICMPv6 neighbor-advertisements
-	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-
-	# allow crl and certificate fetch from winnetou
-	ip6tables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP6_WINNETOU -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP6_WINNETOU -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	# log dropped packets
-	ip6tables -A INPUT  -j LOG --log-prefix " IN: "
-	ip6tables -A OUTPUT -j LOG --log-prefix " OUT: "
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/ip6tables -F -t $a
-			/sbin/ip6tables -X -t $a
-
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/ip6tables -t filter -P INPUT ACCEPT
-				/sbin/ip6tables -t filter -P FORWARD ACCEPT
-				/sbin/ip6tables -t filter -P OUTPUT ACCEPT
-
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/ip6tables -F -t $a
-			/sbin/ip6tables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/ipv6/host2host-ikev2/posttest.dat b/testing/tests/ipv6/host2host-ikev2/posttest.dat
index 5a9150bc8..d3bebd0c6 100644
--- a/testing/tests/ipv6/host2host-ikev2/posttest.dat
+++ b/testing/tests/ipv6/host2host-ikev2/posttest.dat
@@ -1,4 +1,6 @@
 moon::ipsec stop
 sun::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-sun::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
+moon::ip6tables-restore < /etc/ip6tables.flush
+sun::ip6tables-restore < /etc/ip6tables.flush
diff --git a/testing/tests/ipv6/host2host-ikev2/pretest.dat b/testing/tests/ipv6/host2host-ikev2/pretest.dat
index 7e97e7783..46c015387 100644
--- a/testing/tests/ipv6/host2host-ikev2/pretest.dat
+++ b/testing/tests/ipv6/host2host-ikev2/pretest.dat
@@ -1,7 +1,9 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-sun::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.drop
+sun::iptables-restore < /etc/iptables.drop
+moon::ip6tables-restore < /etc/ip6tables.rules
+sun::ip6tables-restore < /etc/ip6tables.rules
 moon::ipsec start
 sun::ipsec start
-moon::sleep 2 
+moon::expect-connection host-host
+sun::expect-connection host-host
 moon::ipsec up host-host
-moon::sleep 1
diff --git a/testing/tests/ipv6/host2host-ikev2/test.conf b/testing/tests/ipv6/host2host-ikev2/test.conf
index 6ab5b8a96..56df1a0da 100644
--- a/testing/tests/ipv6/host2host-ikev2/test.conf
+++ b/testing/tests/ipv6/host2host-ikev2/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="moon winnetou sun"
+VIRTHOSTS="moon winnetou sun"
  
 # Corresponding block diagram
 #
 DIAGRAM="m-w-s-ip6.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="sun"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon sun"
diff --git a/testing/tests/ipv6/net2net-ikev1/hosts/moon/etc/init.d/iptables b/testing/tests/ipv6/net2net-ikev1/hosts/moon/etc/init.d/iptables
deleted file mode 100755
index 47db6db82..000000000
--- a/testing/tests/ipv6/net2net-ikev1/hosts/moon/etc/init.d/iptables
+++ /dev/null
@@ -1,108 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# enable IP forwarding
-	echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
-	echo 1 > /proc/sys/net/ipv4/ip_forward
-	
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	/sbin/ip6tables -P INPUT DROP
-	/sbin/ip6tables -P OUTPUT DROP
-	/sbin/ip6tables -P FORWARD DROP
-
-	# allow esp
-	ip6tables -A INPUT  -i eth0 -p 50 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-	# allow IKE
-	ip6tables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
-	# allow MobIKE
-	ip6tables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-	# allow ICMPv6 neighbor-solicitations
-	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-	
-	# allow ICMPv6 neighbor-advertisements
-	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-
-	# allow last IPv6 UDP fragments
-	ip6tables -A INPUT  -p udp -m frag --fraglast -j ACCEPT
-	ip6tables -A OUTPUT -p udp -m frag --fraglast -j ACCEPT
-
-	# allow crl and certificate fetch from winnetou
-	ip6tables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP6_WINNETOU -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP6_WINNETOU -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	# log dropped packets
-	ip6tables -A INPUT  -j LOG --log-prefix " IN: "
-	ip6tables -A OUTPUT -j LOG --log-prefix " OUT: "
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/ip6tables -F -t $a
-			/sbin/ip6tables -X -t $a
-
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/ip6tables -t filter -P INPUT ACCEPT
-				/sbin/ip6tables -t filter -P FORWARD ACCEPT
-				/sbin/ip6tables -t filter -P OUTPUT ACCEPT
-
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/ip6tables -F -t $a
-			/sbin/ip6tables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/ipv6/net2net-ikev1/hosts/sun/etc/init.d/iptables b/testing/tests/ipv6/net2net-ikev1/hosts/sun/etc/init.d/iptables
deleted file mode 100755
index 47db6db82..000000000
--- a/testing/tests/ipv6/net2net-ikev1/hosts/sun/etc/init.d/iptables
+++ /dev/null
@@ -1,108 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# enable IP forwarding
-	echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
-	echo 1 > /proc/sys/net/ipv4/ip_forward
-	
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	/sbin/ip6tables -P INPUT DROP
-	/sbin/ip6tables -P OUTPUT DROP
-	/sbin/ip6tables -P FORWARD DROP
-
-	# allow esp
-	ip6tables -A INPUT  -i eth0 -p 50 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-	# allow IKE
-	ip6tables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
-	# allow MobIKE
-	ip6tables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-	# allow ICMPv6 neighbor-solicitations
-	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-	
-	# allow ICMPv6 neighbor-advertisements
-	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-
-	# allow last IPv6 UDP fragments
-	ip6tables -A INPUT  -p udp -m frag --fraglast -j ACCEPT
-	ip6tables -A OUTPUT -p udp -m frag --fraglast -j ACCEPT
-
-	# allow crl and certificate fetch from winnetou
-	ip6tables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP6_WINNETOU -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP6_WINNETOU -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	# log dropped packets
-	ip6tables -A INPUT  -j LOG --log-prefix " IN: "
-	ip6tables -A OUTPUT -j LOG --log-prefix " OUT: "
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/ip6tables -F -t $a
-			/sbin/ip6tables -X -t $a
-
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/ip6tables -t filter -P INPUT ACCEPT
-				/sbin/ip6tables -t filter -P FORWARD ACCEPT
-				/sbin/ip6tables -t filter -P OUTPUT ACCEPT
-
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/ip6tables -F -t $a
-			/sbin/ip6tables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/ipv6/net2net-ikev1/posttest.dat b/testing/tests/ipv6/net2net-ikev1/posttest.dat
index 4c95e2afe..078fca541 100644
--- a/testing/tests/ipv6/net2net-ikev1/posttest.dat
+++ b/testing/tests/ipv6/net2net-ikev1/posttest.dat
@@ -4,5 +4,7 @@ alice::"ip route del fec2:\:/16 via fec1:\:1"
 moon::"ip route del fec2:\:/16 via fec0:\:2"
 sun::"ip route del fec1:\:/16 via fec0:\:1"
 bob::"ip route del fec1:\:/16 via fec2:\:1"
-moon::/etc/init.d/iptables stop 2> /dev/null
-sun::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
+moon::ip6tables-restore < /etc/ip6tables.flush
+sun::ip6tables-restore < /etc/ip6tables.flush
diff --git a/testing/tests/ipv6/net2net-ikev1/pretest.dat b/testing/tests/ipv6/net2net-ikev1/pretest.dat
index 8a8af2ccb..a14b3cf79 100644
--- a/testing/tests/ipv6/net2net-ikev1/pretest.dat
+++ b/testing/tests/ipv6/net2net-ikev1/pretest.dat
@@ -1,11 +1,13 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-sun::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.drop
+sun::iptables-restore < /etc/iptables.drop
+moon::ip6tables-restore < /etc/ip6tables.rules
+sun::ip6tables-restore < /etc/ip6tables.rules
 alice::"ip route add fec2:\:/16 via fec1:\:1"
 moon::"ip route add fec2:\:/16 via fec0:\:2"
 sun::"ip route add fec1:\:/16 via fec0:\:1"
 bob::"ip route add fec1:\:/16 via fec2:\:1"
 moon::ipsec start
 sun::ipsec start
-moon::sleep 2 
+moon::expect-connection net-net
+sun::expect-connection net-net
 moon::ipsec up net-net
-moon::sleep 1
diff --git a/testing/tests/ipv6/net2net-ikev1/test.conf b/testing/tests/ipv6/net2net-ikev1/test.conf
index 991d884db..55b90befe 100644
--- a/testing/tests/ipv6/net2net-ikev1/test.conf
+++ b/testing/tests/ipv6/net2net-ikev1/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon winnetou sun bob"
+VIRTHOSTS="alice moon winnetou sun bob"
  
 # Corresponding block diagram
 #
 DIAGRAM="a-m-w-s-b-ip6.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="sun"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon sun"
diff --git a/testing/tests/ipv6/net2net-ikev2/hosts/moon/etc/init.d/iptables b/testing/tests/ipv6/net2net-ikev2/hosts/moon/etc/init.d/iptables
deleted file mode 100755
index b3509f8df..000000000
--- a/testing/tests/ipv6/net2net-ikev2/hosts/moon/etc/init.d/iptables
+++ /dev/null
@@ -1,104 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# enable IP forwarding
-	echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
-	echo 1 > /proc/sys/net/ipv4/ip_forward
-	
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	/sbin/ip6tables -P INPUT DROP
-	/sbin/ip6tables -P OUTPUT DROP
-	/sbin/ip6tables -P FORWARD DROP
-
-	# allow esp
-	ip6tables -A INPUT  -i eth0 -p 50 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-	# allow IKE
-	ip6tables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
-	# allow MobIKE
-	ip6tables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-	# allow ICMPv6 neighbor-solicitations
-	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-	
-	# allow ICMPv6 neighbor-advertisements
-	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-
-	# allow crl and certificate fetch from winnetou
-	ip6tables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP6_WINNETOU -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP6_WINNETOU -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	# log dropped packets
-	ip6tables -A INPUT  -j LOG --log-prefix " IN: "
-	ip6tables -A OUTPUT -j LOG --log-prefix " OUT: "
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/ip6tables -F -t $a
-			/sbin/ip6tables -X -t $a
-
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/ip6tables -t filter -P INPUT ACCEPT
-				/sbin/ip6tables -t filter -P FORWARD ACCEPT
-				/sbin/ip6tables -t filter -P OUTPUT ACCEPT
-
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/ip6tables -F -t $a
-			/sbin/ip6tables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/ipv6/net2net-ikev2/hosts/sun/etc/init.d/iptables b/testing/tests/ipv6/net2net-ikev2/hosts/sun/etc/init.d/iptables
deleted file mode 100755
index b3509f8df..000000000
--- a/testing/tests/ipv6/net2net-ikev2/hosts/sun/etc/init.d/iptables
+++ /dev/null
@@ -1,104 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# enable IP forwarding
-	echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
-	echo 1 > /proc/sys/net/ipv4/ip_forward
-	
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	/sbin/ip6tables -P INPUT DROP
-	/sbin/ip6tables -P OUTPUT DROP
-	/sbin/ip6tables -P FORWARD DROP
-
-	# allow esp
-	ip6tables -A INPUT  -i eth0 -p 50 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-	# allow IKE
-	ip6tables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
-	# allow MobIKE
-	ip6tables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-	# allow ICMPv6 neighbor-solicitations
-	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-	
-	# allow ICMPv6 neighbor-advertisements
-	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-
-	# allow crl and certificate fetch from winnetou
-	ip6tables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP6_WINNETOU -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP6_WINNETOU -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	# log dropped packets
-	ip6tables -A INPUT  -j LOG --log-prefix " IN: "
-	ip6tables -A OUTPUT -j LOG --log-prefix " OUT: "
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/ip6tables -F -t $a
-			/sbin/ip6tables -X -t $a
-
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/ip6tables -t filter -P INPUT ACCEPT
-				/sbin/ip6tables -t filter -P FORWARD ACCEPT
-				/sbin/ip6tables -t filter -P OUTPUT ACCEPT
-
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/ip6tables -F -t $a
-			/sbin/ip6tables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/ipv6/net2net-ikev2/posttest.dat b/testing/tests/ipv6/net2net-ikev2/posttest.dat
index 4c95e2afe..078fca541 100644
--- a/testing/tests/ipv6/net2net-ikev2/posttest.dat
+++ b/testing/tests/ipv6/net2net-ikev2/posttest.dat
@@ -4,5 +4,7 @@ alice::"ip route del fec2:\:/16 via fec1:\:1"
 moon::"ip route del fec2:\:/16 via fec0:\:2"
 sun::"ip route del fec1:\:/16 via fec0:\:1"
 bob::"ip route del fec1:\:/16 via fec2:\:1"
-moon::/etc/init.d/iptables stop 2> /dev/null
-sun::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
+moon::ip6tables-restore < /etc/ip6tables.flush
+sun::ip6tables-restore < /etc/ip6tables.flush
diff --git a/testing/tests/ipv6/net2net-ikev2/pretest.dat b/testing/tests/ipv6/net2net-ikev2/pretest.dat
index 8a8af2ccb..a14b3cf79 100644
--- a/testing/tests/ipv6/net2net-ikev2/pretest.dat
+++ b/testing/tests/ipv6/net2net-ikev2/pretest.dat
@@ -1,11 +1,13 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-sun::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.drop
+sun::iptables-restore < /etc/iptables.drop
+moon::ip6tables-restore < /etc/ip6tables.rules
+sun::ip6tables-restore < /etc/ip6tables.rules
 alice::"ip route add fec2:\:/16 via fec1:\:1"
 moon::"ip route add fec2:\:/16 via fec0:\:2"
 sun::"ip route add fec1:\:/16 via fec0:\:1"
 bob::"ip route add fec1:\:/16 via fec2:\:1"
 moon::ipsec start
 sun::ipsec start
-moon::sleep 2 
+moon::expect-connection net-net
+sun::expect-connection net-net
 moon::ipsec up net-net
-moon::sleep 1
diff --git a/testing/tests/ipv6/net2net-ikev2/test.conf b/testing/tests/ipv6/net2net-ikev2/test.conf
index 991d884db..55b90befe 100644
--- a/testing/tests/ipv6/net2net-ikev2/test.conf
+++ b/testing/tests/ipv6/net2net-ikev2/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon winnetou sun bob"
+VIRTHOSTS="alice moon winnetou sun bob"
  
 # Corresponding block diagram
 #
 DIAGRAM="a-m-w-s-b-ip6.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="sun"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon sun"
diff --git a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/evaltest.dat b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/evaltest.dat
index 3b3200418..151b73c27 100644
--- a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/evaltest.dat
+++ b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/evaltest.dat
@@ -2,6 +2,6 @@ moon:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun
 sun::  ipsec status 2> /dev/null::net.net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
 moon:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
 sun::  ipsec status 2> /dev/null::net.net.*INSTALLED, TUNNEL::YES
-alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
 sun::tcpdump::IP6 ip6-moon.strongswan.org > ip6-sun.strongswan.org: ESP::YES
 sun::tcpdump::IP6 ip6-sun.strongswan.org > ip6-moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/hosts/moon/etc/init.d/iptables b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/hosts/moon/etc/init.d/iptables
deleted file mode 100755
index 47db6db82..000000000
--- a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/hosts/moon/etc/init.d/iptables
+++ /dev/null
@@ -1,108 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# enable IP forwarding
-	echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
-	echo 1 > /proc/sys/net/ipv4/ip_forward
-	
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	/sbin/ip6tables -P INPUT DROP
-	/sbin/ip6tables -P OUTPUT DROP
-	/sbin/ip6tables -P FORWARD DROP
-
-	# allow esp
-	ip6tables -A INPUT  -i eth0 -p 50 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-	# allow IKE
-	ip6tables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
-	# allow MobIKE
-	ip6tables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-	# allow ICMPv6 neighbor-solicitations
-	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-	
-	# allow ICMPv6 neighbor-advertisements
-	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-
-	# allow last IPv6 UDP fragments
-	ip6tables -A INPUT  -p udp -m frag --fraglast -j ACCEPT
-	ip6tables -A OUTPUT -p udp -m frag --fraglast -j ACCEPT
-
-	# allow crl and certificate fetch from winnetou
-	ip6tables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP6_WINNETOU -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP6_WINNETOU -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	# log dropped packets
-	ip6tables -A INPUT  -j LOG --log-prefix " IN: "
-	ip6tables -A OUTPUT -j LOG --log-prefix " OUT: "
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/ip6tables -F -t $a
-			/sbin/ip6tables -X -t $a
-
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/ip6tables -t filter -P INPUT ACCEPT
-				/sbin/ip6tables -t filter -P FORWARD ACCEPT
-				/sbin/ip6tables -t filter -P OUTPUT ACCEPT
-
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/ip6tables -F -t $a
-			/sbin/ip6tables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/hosts/sun/etc/init.d/iptables b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/hosts/sun/etc/init.d/iptables
deleted file mode 100755
index 47db6db82..000000000
--- a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/hosts/sun/etc/init.d/iptables
+++ /dev/null
@@ -1,108 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# enable IP forwarding
-	echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
-	echo 1 > /proc/sys/net/ipv4/ip_forward
-	
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	/sbin/ip6tables -P INPUT DROP
-	/sbin/ip6tables -P OUTPUT DROP
-	/sbin/ip6tables -P FORWARD DROP
-
-	# allow esp
-	ip6tables -A INPUT  -i eth0 -p 50 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-	# allow IKE
-	ip6tables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
-	# allow MobIKE
-	ip6tables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-	# allow ICMPv6 neighbor-solicitations
-	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-	
-	# allow ICMPv6 neighbor-advertisements
-	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-
-	# allow last IPv6 UDP fragments
-	ip6tables -A INPUT  -p udp -m frag --fraglast -j ACCEPT
-	ip6tables -A OUTPUT -p udp -m frag --fraglast -j ACCEPT
-
-	# allow crl and certificate fetch from winnetou
-	ip6tables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP6_WINNETOU -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP6_WINNETOU -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	# log dropped packets
-	ip6tables -A INPUT  -j LOG --log-prefix " IN: "
-	ip6tables -A OUTPUT -j LOG --log-prefix " OUT: "
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/ip6tables -F -t $a
-			/sbin/ip6tables -X -t $a
-
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/ip6tables -t filter -P INPUT ACCEPT
-				/sbin/ip6tables -t filter -P FORWARD ACCEPT
-				/sbin/ip6tables -t filter -P OUTPUT ACCEPT
-
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/ip6tables -F -t $a
-			/sbin/ip6tables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/posttest.dat b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/posttest.dat
index 5a9150bc8..d3bebd0c6 100644
--- a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/posttest.dat
+++ b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/posttest.dat
@@ -1,4 +1,6 @@
 moon::ipsec stop
 sun::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-sun::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
+moon::ip6tables-restore < /etc/ip6tables.flush
+sun::ip6tables-restore < /etc/ip6tables.flush
diff --git a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/pretest.dat b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/pretest.dat
index a88456d52..812ccd162 100644
--- a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/pretest.dat
+++ b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/pretest.dat
@@ -1,7 +1,9 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-sun::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.drop
+sun::iptables-restore < /etc/iptables.drop
+moon::ip6tables-restore < /etc/ip6tables.rules
+sun::ip6tables-restore < /etc/ip6tables.rules
 moon::ipsec start
 sun::ipsec start
-moon::sleep 2 
+moon::expect-connection net-net
+sun::expect-connection net-net
 moon::ipsec up net-net
-moon::sleep 2 
diff --git a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/test.conf b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/test.conf
index cab801a1c..8f8d9222d 100644
--- a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/test.conf
+++ b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon winnetou sun bob"
+VIRTHOSTS="alice moon winnetou sun bob"
  
 # Corresponding block diagram
 #
 DIAGRAM="a-m-w-s-b-ip4-in-ip6.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="sun"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon sun"
diff --git a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/evaltest.dat b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/evaltest.dat
index 3b3200418..151b73c27 100644
--- a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/evaltest.dat
+++ b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/evaltest.dat
@@ -2,6 +2,6 @@ moon:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun
 sun::  ipsec status 2> /dev/null::net.net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
 moon:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
 sun::  ipsec status 2> /dev/null::net.net.*INSTALLED, TUNNEL::YES
-alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
 sun::tcpdump::IP6 ip6-moon.strongswan.org > ip6-sun.strongswan.org: ESP::YES
 sun::tcpdump::IP6 ip6-sun.strongswan.org > ip6-moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/hosts/moon/etc/init.d/iptables b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/hosts/moon/etc/init.d/iptables
deleted file mode 100755
index b3509f8df..000000000
--- a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/hosts/moon/etc/init.d/iptables
+++ /dev/null
@@ -1,104 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# enable IP forwarding
-	echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
-	echo 1 > /proc/sys/net/ipv4/ip_forward
-	
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	/sbin/ip6tables -P INPUT DROP
-	/sbin/ip6tables -P OUTPUT DROP
-	/sbin/ip6tables -P FORWARD DROP
-
-	# allow esp
-	ip6tables -A INPUT  -i eth0 -p 50 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-	# allow IKE
-	ip6tables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
-	# allow MobIKE
-	ip6tables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-	# allow ICMPv6 neighbor-solicitations
-	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-	
-	# allow ICMPv6 neighbor-advertisements
-	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-
-	# allow crl and certificate fetch from winnetou
-	ip6tables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP6_WINNETOU -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP6_WINNETOU -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	# log dropped packets
-	ip6tables -A INPUT  -j LOG --log-prefix " IN: "
-	ip6tables -A OUTPUT -j LOG --log-prefix " OUT: "
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/ip6tables -F -t $a
-			/sbin/ip6tables -X -t $a
-
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/ip6tables -t filter -P INPUT ACCEPT
-				/sbin/ip6tables -t filter -P FORWARD ACCEPT
-				/sbin/ip6tables -t filter -P OUTPUT ACCEPT
-
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/ip6tables -F -t $a
-			/sbin/ip6tables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/hosts/sun/etc/init.d/iptables b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/hosts/sun/etc/init.d/iptables
deleted file mode 100755
index b3509f8df..000000000
--- a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/hosts/sun/etc/init.d/iptables
+++ /dev/null
@@ -1,104 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# enable IP forwarding
-	echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
-	echo 1 > /proc/sys/net/ipv4/ip_forward
-	
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	/sbin/ip6tables -P INPUT DROP
-	/sbin/ip6tables -P OUTPUT DROP
-	/sbin/ip6tables -P FORWARD DROP
-
-	# allow esp
-	ip6tables -A INPUT  -i eth0 -p 50 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-	# allow IKE
-	ip6tables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
-	# allow MobIKE
-	ip6tables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-	# allow ICMPv6 neighbor-solicitations
-	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-	
-	# allow ICMPv6 neighbor-advertisements
-	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-
-	# allow crl and certificate fetch from winnetou
-	ip6tables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP6_WINNETOU -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP6_WINNETOU -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	# log dropped packets
-	ip6tables -A INPUT  -j LOG --log-prefix " IN: "
-	ip6tables -A OUTPUT -j LOG --log-prefix " OUT: "
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/ip6tables -F -t $a
-			/sbin/ip6tables -X -t $a
-
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/ip6tables -t filter -P INPUT ACCEPT
-				/sbin/ip6tables -t filter -P FORWARD ACCEPT
-				/sbin/ip6tables -t filter -P OUTPUT ACCEPT
-
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/ip6tables -F -t $a
-			/sbin/ip6tables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/posttest.dat b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/posttest.dat
index 5a9150bc8..d3bebd0c6 100644
--- a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/posttest.dat
+++ b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/posttest.dat
@@ -1,4 +1,6 @@
 moon::ipsec stop
 sun::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-sun::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
+moon::ip6tables-restore < /etc/ip6tables.flush
+sun::ip6tables-restore < /etc/ip6tables.flush
diff --git a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/pretest.dat b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/pretest.dat
index a88456d52..812ccd162 100644
--- a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/pretest.dat
+++ b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/pretest.dat
@@ -1,7 +1,9 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-sun::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.drop
+sun::iptables-restore < /etc/iptables.drop
+moon::ip6tables-restore < /etc/ip6tables.rules
+sun::ip6tables-restore < /etc/ip6tables.rules
 moon::ipsec start
 sun::ipsec start
-moon::sleep 2 
+moon::expect-connection net-net
+sun::expect-connection net-net
 moon::ipsec up net-net
-moon::sleep 2 
diff --git a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/test.conf b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/test.conf
index cab801a1c..8f8d9222d 100644
--- a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/test.conf
+++ b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon winnetou sun bob"
+VIRTHOSTS="alice moon winnetou sun bob"
  
 # Corresponding block diagram
 #
 DIAGRAM="a-m-w-s-b-ip4-in-ip6.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="sun"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon sun"
diff --git a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/hosts/moon/etc/init.d/iptables b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/hosts/moon/etc/init.d/iptables
deleted file mode 100755
index d556762b7..000000000
--- a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/hosts/moon/etc/init.d/iptables
+++ /dev/null
@@ -1,104 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# enable IP forwarding
-	echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
-	echo 1 > /proc/sys/net/ipv4/ip_forward
-	
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	/sbin/ip6tables -P INPUT DROP
-	/sbin/ip6tables -P OUTPUT DROP
-	/sbin/ip6tables -P FORWARD DROP
-
-	# allow esp
-	iptables -A INPUT  -i eth0 -p 50 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-	# allow IKE
-	iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
-	# allow MobIKE
-	iptables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-	# allow crl fetch from winnetou
-	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-        # allow ICMPv6 neighbor-solicitations
-        ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-        ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-
-        # allow ICMPv6 neighbor-advertisements
-        ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-        ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-
-	# log dropped packets
-	ip6tables -A INPUT  -j LOG --log-prefix " IN: "
-	ip6tables -A OUTPUT -j LOG --log-prefix " OUT: "
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/ip6tables -F -t $a
-			/sbin/ip6tables -X -t $a
-
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/ip6tables -t filter -P INPUT ACCEPT
-				/sbin/ip6tables -t filter -P FORWARD ACCEPT
-				/sbin/ip6tables -t filter -P OUTPUT ACCEPT
-
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/ip6tables -F -t $a
-			/sbin/ip6tables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/hosts/moon/etc/ip6tables.rules b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/hosts/moon/etc/ip6tables.rules
new file mode 100644
index 000000000..409f2e9bb
--- /dev/null
+++ b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/hosts/moon/etc/ip6tables.rules
@@ -0,0 +1,20 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow ICMPv6 neighbor-solicitations
+-A INPUT  -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
+-A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
+
+# allow ICMPv6 neighbor-advertisements
+-A INPUT  -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
+-A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
+
+# log dropped packets
+-A INPUT  -j LOG --log-prefix " IN: "
+-A OUTPUT -j LOG --log-prefix " OUT: "
+
+COMMIT
diff --git a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/hosts/sun/etc/init.d/iptables b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/hosts/sun/etc/init.d/iptables
deleted file mode 100755
index 21ff88d0d..000000000
--- a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/hosts/sun/etc/init.d/iptables
+++ /dev/null
@@ -1,108 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# enable IP forwarding
-	echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
-	echo 1 > /proc/sys/net/ipv4/ip_forward
-	
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	/sbin/ip6tables -P INPUT DROP
-	/sbin/ip6tables -P OUTPUT DROP
-	/sbin/ip6tables -P FORWARD DROP
-
-	# allow esp
-	iptables -A INPUT  -i eth0 -p 50 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-	# allow IKE
-	iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
-	# allow MobIKE
-	iptables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-	# allow crl fetch from winnetou
-	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-        # allow ICMPv6 neighbor-solicitations
-        ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-        ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-
-        # allow ICMPv6 neighbor-advertisements
-        ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-        ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-
-        # allow crl fetch from winnetou
-        iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-        iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
-	# log dropped packets
-	ip6tables -A INPUT  -j LOG --log-prefix " IN: "
-	ip6tables -A OUTPUT -j LOG --log-prefix " OUT: "
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/ip6tables -F -t $a
-			/sbin/ip6tables -X -t $a
-
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/ip6tables -t filter -P INPUT ACCEPT
-				/sbin/ip6tables -t filter -P FORWARD ACCEPT
-				/sbin/ip6tables -t filter -P OUTPUT ACCEPT
-
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/ip6tables -F -t $a
-			/sbin/ip6tables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/hosts/sun/etc/ip6tables.rules b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/hosts/sun/etc/ip6tables.rules
new file mode 100644
index 000000000..409f2e9bb
--- /dev/null
+++ b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/hosts/sun/etc/ip6tables.rules
@@ -0,0 +1,20 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow ICMPv6 neighbor-solicitations
+-A INPUT  -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
+-A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
+
+# allow ICMPv6 neighbor-advertisements
+-A INPUT  -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
+-A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
+
+# log dropped packets
+-A INPUT  -j LOG --log-prefix " IN: "
+-A OUTPUT -j LOG --log-prefix " OUT: "
+
+COMMIT
diff --git a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/posttest.dat b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/posttest.dat
index c78d884ee..078fca541 100644
--- a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/posttest.dat
+++ b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/posttest.dat
@@ -1,8 +1,10 @@
 moon::ipsec stop
 sun::ipsec stop
 alice::"ip route del fec2:\:/16 via fec1:\:1"
-moon::"ip route del fec2:\:/16 via fec0:\:2" 
-sun::"ip route del fec1:\:/16 via fec0:\:1" 
+moon::"ip route del fec2:\:/16 via fec0:\:2"
+sun::"ip route del fec1:\:/16 via fec0:\:1"
 bob::"ip route del fec1:\:/16 via fec2:\:1"
-moon::/etc/init.d/iptables stop 2> /dev/null
-sun::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
+moon::ip6tables-restore < /etc/ip6tables.flush
+sun::ip6tables-restore < /etc/ip6tables.flush
diff --git a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/pretest.dat b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/pretest.dat
index 7781f9b9f..58711bc06 100644
--- a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/pretest.dat
+++ b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/pretest.dat
@@ -1,11 +1,13 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-sun::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
+moon::ip6tables-restore < /etc/ip6tables.rules
+sun::ip6tables-restore < /etc/ip6tables.rules
 alice::"ip route add fec2:\:/16 via fec1:\:1"
-moon::"ip route add fec2:\:/16 via fec0:\:2" 
-sun::"ip route add fec1:\:/16 via fec0:\:1" 
+moon::"ip route add fec2:\:/16 via fec0:\:2"
+sun::"ip route add fec1:\:/16 via fec0:\:1"
 bob::"ip route add fec1:\:/16 via fec2:\:1"
 moon::ipsec start
 sun::ipsec start
-moon::sleep 2 
+moon::expect-connection net-net
+sun::expect-connection net-net
 moon::ipsec up net-net
-moon::sleep 1
diff --git a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/test.conf b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/test.conf
index d5d55c749..fe141076d 100644
--- a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/test.conf
+++ b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon winnetou sun bob"
+VIRTHOSTS="alice moon winnetou sun bob"
  
 # Corresponding block diagram
 #
 DIAGRAM="a-m-w-s-b-ip6-in-ip4.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="sun"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon sun"
diff --git a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/hosts/moon/etc/init.d/iptables b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/hosts/moon/etc/init.d/iptables
deleted file mode 100755
index d556762b7..000000000
--- a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/hosts/moon/etc/init.d/iptables
+++ /dev/null
@@ -1,104 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# enable IP forwarding
-	echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
-	echo 1 > /proc/sys/net/ipv4/ip_forward
-	
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	/sbin/ip6tables -P INPUT DROP
-	/sbin/ip6tables -P OUTPUT DROP
-	/sbin/ip6tables -P FORWARD DROP
-
-	# allow esp
-	iptables -A INPUT  -i eth0 -p 50 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-	# allow IKE
-	iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
-	# allow MobIKE
-	iptables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-	# allow crl fetch from winnetou
-	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-        # allow ICMPv6 neighbor-solicitations
-        ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-        ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-
-        # allow ICMPv6 neighbor-advertisements
-        ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-        ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-
-	# log dropped packets
-	ip6tables -A INPUT  -j LOG --log-prefix " IN: "
-	ip6tables -A OUTPUT -j LOG --log-prefix " OUT: "
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/ip6tables -F -t $a
-			/sbin/ip6tables -X -t $a
-
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/ip6tables -t filter -P INPUT ACCEPT
-				/sbin/ip6tables -t filter -P FORWARD ACCEPT
-				/sbin/ip6tables -t filter -P OUTPUT ACCEPT
-
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/ip6tables -F -t $a
-			/sbin/ip6tables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/hosts/moon/etc/ip6tables.rules b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/hosts/moon/etc/ip6tables.rules
new file mode 100644
index 000000000..409f2e9bb
--- /dev/null
+++ b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/hosts/moon/etc/ip6tables.rules
@@ -0,0 +1,20 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow ICMPv6 neighbor-solicitations
+-A INPUT  -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
+-A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
+
+# allow ICMPv6 neighbor-advertisements
+-A INPUT  -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
+-A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
+
+# log dropped packets
+-A INPUT  -j LOG --log-prefix " IN: "
+-A OUTPUT -j LOG --log-prefix " OUT: "
+
+COMMIT
diff --git a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/hosts/sun/etc/init.d/iptables b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/hosts/sun/etc/init.d/iptables
deleted file mode 100755
index 21ff88d0d..000000000
--- a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/hosts/sun/etc/init.d/iptables
+++ /dev/null
@@ -1,108 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# enable IP forwarding
-	echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
-	echo 1 > /proc/sys/net/ipv4/ip_forward
-	
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	/sbin/ip6tables -P INPUT DROP
-	/sbin/ip6tables -P OUTPUT DROP
-	/sbin/ip6tables -P FORWARD DROP
-
-	# allow esp
-	iptables -A INPUT  -i eth0 -p 50 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-	# allow IKE
-	iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
-	# allow MobIKE
-	iptables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-	# allow crl fetch from winnetou
-	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-        # allow ICMPv6 neighbor-solicitations
-        ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-        ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-
-        # allow ICMPv6 neighbor-advertisements
-        ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-        ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-
-        # allow crl fetch from winnetou
-        iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-        iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
-	# log dropped packets
-	ip6tables -A INPUT  -j LOG --log-prefix " IN: "
-	ip6tables -A OUTPUT -j LOG --log-prefix " OUT: "
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/ip6tables -F -t $a
-			/sbin/ip6tables -X -t $a
-
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/ip6tables -t filter -P INPUT ACCEPT
-				/sbin/ip6tables -t filter -P FORWARD ACCEPT
-				/sbin/ip6tables -t filter -P OUTPUT ACCEPT
-
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/ip6tables -F -t $a
-			/sbin/ip6tables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/hosts/sun/etc/ip6tables.rules b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/hosts/sun/etc/ip6tables.rules
new file mode 100644
index 000000000..409f2e9bb
--- /dev/null
+++ b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/hosts/sun/etc/ip6tables.rules
@@ -0,0 +1,20 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow ICMPv6 neighbor-solicitations
+-A INPUT  -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
+-A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
+
+# allow ICMPv6 neighbor-advertisements
+-A INPUT  -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
+-A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
+
+# log dropped packets
+-A INPUT  -j LOG --log-prefix " IN: "
+-A OUTPUT -j LOG --log-prefix " OUT: "
+
+COMMIT
diff --git a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/posttest.dat b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/posttest.dat
index c78d884ee..078fca541 100644
--- a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/posttest.dat
+++ b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/posttest.dat
@@ -1,8 +1,10 @@
 moon::ipsec stop
 sun::ipsec stop
 alice::"ip route del fec2:\:/16 via fec1:\:1"
-moon::"ip route del fec2:\:/16 via fec0:\:2" 
-sun::"ip route del fec1:\:/16 via fec0:\:1" 
+moon::"ip route del fec2:\:/16 via fec0:\:2"
+sun::"ip route del fec1:\:/16 via fec0:\:1"
 bob::"ip route del fec1:\:/16 via fec2:\:1"
-moon::/etc/init.d/iptables stop 2> /dev/null
-sun::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
+moon::ip6tables-restore < /etc/ip6tables.flush
+sun::ip6tables-restore < /etc/ip6tables.flush
diff --git a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/pretest.dat b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/pretest.dat
index 7781f9b9f..58711bc06 100644
--- a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/pretest.dat
+++ b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/pretest.dat
@@ -1,11 +1,13 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-sun::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
+moon::ip6tables-restore < /etc/ip6tables.rules
+sun::ip6tables-restore < /etc/ip6tables.rules
 alice::"ip route add fec2:\:/16 via fec1:\:1"
-moon::"ip route add fec2:\:/16 via fec0:\:2" 
-sun::"ip route add fec1:\:/16 via fec0:\:1" 
+moon::"ip route add fec2:\:/16 via fec0:\:2"
+sun::"ip route add fec1:\:/16 via fec0:\:1"
 bob::"ip route add fec1:\:/16 via fec2:\:1"
 moon::ipsec start
 sun::ipsec start
-moon::sleep 2 
+moon::expect-connection net-net
+sun::expect-connection net-net
 moon::ipsec up net-net
-moon::sleep 1
diff --git a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/test.conf b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/test.conf
index d5d55c749..fe141076d 100644
--- a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/test.conf
+++ b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon winnetou sun bob"
+VIRTHOSTS="alice moon winnetou sun bob"
  
 # Corresponding block diagram
 #
 DIAGRAM="a-m-w-s-b-ip6-in-ip4.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="sun"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon sun"
diff --git a/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/moon/etc/init.d/iptables b/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/moon/etc/init.d/iptables
deleted file mode 100755
index b3509f8df..000000000
--- a/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/moon/etc/init.d/iptables
+++ /dev/null
@@ -1,104 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# enable IP forwarding
-	echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
-	echo 1 > /proc/sys/net/ipv4/ip_forward
-	
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	/sbin/ip6tables -P INPUT DROP
-	/sbin/ip6tables -P OUTPUT DROP
-	/sbin/ip6tables -P FORWARD DROP
-
-	# allow esp
-	ip6tables -A INPUT  -i eth0 -p 50 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-	# allow IKE
-	ip6tables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
-	# allow MobIKE
-	ip6tables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-	# allow ICMPv6 neighbor-solicitations
-	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-	
-	# allow ICMPv6 neighbor-advertisements
-	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-
-	# allow crl and certificate fetch from winnetou
-	ip6tables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP6_WINNETOU -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP6_WINNETOU -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	# log dropped packets
-	ip6tables -A INPUT  -j LOG --log-prefix " IN: "
-	ip6tables -A OUTPUT -j LOG --log-prefix " OUT: "
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/ip6tables -F -t $a
-			/sbin/ip6tables -X -t $a
-
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/ip6tables -t filter -P INPUT ACCEPT
-				/sbin/ip6tables -t filter -P FORWARD ACCEPT
-				/sbin/ip6tables -t filter -P OUTPUT ACCEPT
-
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/ip6tables -F -t $a
-			/sbin/ip6tables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/sun/etc/init.d/iptables b/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/sun/etc/init.d/iptables
deleted file mode 100755
index b3509f8df..000000000
--- a/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/sun/etc/init.d/iptables
+++ /dev/null
@@ -1,104 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# enable IP forwarding
-	echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
-	echo 1 > /proc/sys/net/ipv4/ip_forward
-	
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	/sbin/ip6tables -P INPUT DROP
-	/sbin/ip6tables -P OUTPUT DROP
-	/sbin/ip6tables -P FORWARD DROP
-
-	# allow esp
-	ip6tables -A INPUT  -i eth0 -p 50 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-	# allow IKE
-	ip6tables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
-	# allow MobIKE
-	ip6tables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-	# allow ICMPv6 neighbor-solicitations
-	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-	
-	# allow ICMPv6 neighbor-advertisements
-	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-
-	# allow crl and certificate fetch from winnetou
-	ip6tables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP6_WINNETOU -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP6_WINNETOU -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	# log dropped packets
-	ip6tables -A INPUT  -j LOG --log-prefix " IN: "
-	ip6tables -A OUTPUT -j LOG --log-prefix " OUT: "
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/ip6tables -F -t $a
-			/sbin/ip6tables -X -t $a
-
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/ip6tables -t filter -P INPUT ACCEPT
-				/sbin/ip6tables -t filter -P FORWARD ACCEPT
-				/sbin/ip6tables -t filter -P OUTPUT ACCEPT
-
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/ip6tables -F -t $a
-			/sbin/ip6tables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/ipv6/net2net-rfc3779-ikev2/posttest.dat b/testing/tests/ipv6/net2net-rfc3779-ikev2/posttest.dat
index 4c95e2afe..078fca541 100644
--- a/testing/tests/ipv6/net2net-rfc3779-ikev2/posttest.dat
+++ b/testing/tests/ipv6/net2net-rfc3779-ikev2/posttest.dat
@@ -4,5 +4,7 @@ alice::"ip route del fec2:\:/16 via fec1:\:1"
 moon::"ip route del fec2:\:/16 via fec0:\:2"
 sun::"ip route del fec1:\:/16 via fec0:\:1"
 bob::"ip route del fec1:\:/16 via fec2:\:1"
-moon::/etc/init.d/iptables stop 2> /dev/null
-sun::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
+moon::ip6tables-restore < /etc/ip6tables.flush
+sun::ip6tables-restore < /etc/ip6tables.flush
diff --git a/testing/tests/ipv6/net2net-rfc3779-ikev2/pretest.dat b/testing/tests/ipv6/net2net-rfc3779-ikev2/pretest.dat
index 8a8af2ccb..a14b3cf79 100644
--- a/testing/tests/ipv6/net2net-rfc3779-ikev2/pretest.dat
+++ b/testing/tests/ipv6/net2net-rfc3779-ikev2/pretest.dat
@@ -1,11 +1,13 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-sun::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.drop
+sun::iptables-restore < /etc/iptables.drop
+moon::ip6tables-restore < /etc/ip6tables.rules
+sun::ip6tables-restore < /etc/ip6tables.rules
 alice::"ip route add fec2:\:/16 via fec1:\:1"
 moon::"ip route add fec2:\:/16 via fec0:\:2"
 sun::"ip route add fec1:\:/16 via fec0:\:1"
 bob::"ip route add fec1:\:/16 via fec2:\:1"
 moon::ipsec start
 sun::ipsec start
-moon::sleep 2 
+moon::expect-connection net-net
+sun::expect-connection net-net
 moon::ipsec up net-net
-moon::sleep 1
diff --git a/testing/tests/ipv6/net2net-rfc3779-ikev2/test.conf b/testing/tests/ipv6/net2net-rfc3779-ikev2/test.conf
index 991d884db..55b90befe 100644
--- a/testing/tests/ipv6/net2net-rfc3779-ikev2/test.conf
+++ b/testing/tests/ipv6/net2net-rfc3779-ikev2/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon winnetou sun bob"
+VIRTHOSTS="alice moon winnetou sun bob"
  
 # Corresponding block diagram
 #
 DIAGRAM="a-m-w-s-b-ip6.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="sun"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon sun"
diff --git a/testing/tests/ipv6/rw-ikev1/hosts/carol/etc/init.d/iptables b/testing/tests/ipv6/rw-ikev1/hosts/carol/etc/init.d/iptables
deleted file mode 100755
index b3509f8df..000000000
--- a/testing/tests/ipv6/rw-ikev1/hosts/carol/etc/init.d/iptables
+++ /dev/null
@@ -1,104 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# enable IP forwarding
-	echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
-	echo 1 > /proc/sys/net/ipv4/ip_forward
-	
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	/sbin/ip6tables -P INPUT DROP
-	/sbin/ip6tables -P OUTPUT DROP
-	/sbin/ip6tables -P FORWARD DROP
-
-	# allow esp
-	ip6tables -A INPUT  -i eth0 -p 50 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-	# allow IKE
-	ip6tables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
-	# allow MobIKE
-	ip6tables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-	# allow ICMPv6 neighbor-solicitations
-	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-	
-	# allow ICMPv6 neighbor-advertisements
-	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-
-	# allow crl and certificate fetch from winnetou
-	ip6tables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP6_WINNETOU -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP6_WINNETOU -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	# log dropped packets
-	ip6tables -A INPUT  -j LOG --log-prefix " IN: "
-	ip6tables -A OUTPUT -j LOG --log-prefix " OUT: "
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/ip6tables -F -t $a
-			/sbin/ip6tables -X -t $a
-
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/ip6tables -t filter -P INPUT ACCEPT
-				/sbin/ip6tables -t filter -P FORWARD ACCEPT
-				/sbin/ip6tables -t filter -P OUTPUT ACCEPT
-
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/ip6tables -F -t $a
-			/sbin/ip6tables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/ipv6/rw-ikev1/hosts/dave/etc/init.d/iptables b/testing/tests/ipv6/rw-ikev1/hosts/dave/etc/init.d/iptables
deleted file mode 100755
index b3509f8df..000000000
--- a/testing/tests/ipv6/rw-ikev1/hosts/dave/etc/init.d/iptables
+++ /dev/null
@@ -1,104 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# enable IP forwarding
-	echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
-	echo 1 > /proc/sys/net/ipv4/ip_forward
-	
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	/sbin/ip6tables -P INPUT DROP
-	/sbin/ip6tables -P OUTPUT DROP
-	/sbin/ip6tables -P FORWARD DROP
-
-	# allow esp
-	ip6tables -A INPUT  -i eth0 -p 50 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-	# allow IKE
-	ip6tables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
-	# allow MobIKE
-	ip6tables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-	# allow ICMPv6 neighbor-solicitations
-	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-	
-	# allow ICMPv6 neighbor-advertisements
-	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-
-	# allow crl and certificate fetch from winnetou
-	ip6tables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP6_WINNETOU -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP6_WINNETOU -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	# log dropped packets
-	ip6tables -A INPUT  -j LOG --log-prefix " IN: "
-	ip6tables -A OUTPUT -j LOG --log-prefix " OUT: "
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/ip6tables -F -t $a
-			/sbin/ip6tables -X -t $a
-
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/ip6tables -t filter -P INPUT ACCEPT
-				/sbin/ip6tables -t filter -P FORWARD ACCEPT
-				/sbin/ip6tables -t filter -P OUTPUT ACCEPT
-
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/ip6tables -F -t $a
-			/sbin/ip6tables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/ipv6/rw-ikev1/hosts/moon/etc/init.d/iptables b/testing/tests/ipv6/rw-ikev1/hosts/moon/etc/init.d/iptables
deleted file mode 100755
index 47db6db82..000000000
--- a/testing/tests/ipv6/rw-ikev1/hosts/moon/etc/init.d/iptables
+++ /dev/null
@@ -1,108 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# enable IP forwarding
-	echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
-	echo 1 > /proc/sys/net/ipv4/ip_forward
-	
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	/sbin/ip6tables -P INPUT DROP
-	/sbin/ip6tables -P OUTPUT DROP
-	/sbin/ip6tables -P FORWARD DROP
-
-	# allow esp
-	ip6tables -A INPUT  -i eth0 -p 50 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-	# allow IKE
-	ip6tables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
-	# allow MobIKE
-	ip6tables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-	# allow ICMPv6 neighbor-solicitations
-	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-	
-	# allow ICMPv6 neighbor-advertisements
-	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-
-	# allow last IPv6 UDP fragments
-	ip6tables -A INPUT  -p udp -m frag --fraglast -j ACCEPT
-	ip6tables -A OUTPUT -p udp -m frag --fraglast -j ACCEPT
-
-	# allow crl and certificate fetch from winnetou
-	ip6tables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP6_WINNETOU -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP6_WINNETOU -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	# log dropped packets
-	ip6tables -A INPUT  -j LOG --log-prefix " IN: "
-	ip6tables -A OUTPUT -j LOG --log-prefix " OUT: "
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/ip6tables -F -t $a
-			/sbin/ip6tables -X -t $a
-
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/ip6tables -t filter -P INPUT ACCEPT
-				/sbin/ip6tables -t filter -P FORWARD ACCEPT
-				/sbin/ip6tables -t filter -P OUTPUT ACCEPT
-
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/ip6tables -F -t $a
-			/sbin/ip6tables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/ipv6/rw-ikev1/posttest.dat b/testing/tests/ipv6/rw-ikev1/posttest.dat
index 07e89d7da..4e59395e3 100644
--- a/testing/tests/ipv6/rw-ikev1/posttest.dat
+++ b/testing/tests/ipv6/rw-ikev1/posttest.dat
@@ -1,9 +1,12 @@
 moon::ipsec stop
 carol::ipsec stop
 dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
+moon::ip6tables-restore < /etc/ip6tables.flush
+carol::ip6tables-restore < /etc/ip6tables.flush
+dave::ip6tables-restore < /etc/ip6tables.flush
 alice::"ip route del fec0:\:/16 via fec1:\:1"
 carol::"ip route del fec1:\:/16 via fec0:\:1"
 dave::"ip route del fec1:\:/16 via fec0:\:1"
diff --git a/testing/tests/ipv6/rw-ikev1/pretest.dat b/testing/tests/ipv6/rw-ikev1/pretest.dat
index 7da0c1028..f60be3887 100644
--- a/testing/tests/ipv6/rw-ikev1/pretest.dat
+++ b/testing/tests/ipv6/rw-ikev1/pretest.dat
@@ -1,13 +1,17 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.drop
+carol::iptables-restore < /etc/iptables.drop
+dave::iptables-restore < /etc/iptables.drop
+moon::ip6tables-restore < /etc/ip6tables.rules
+carol::ip6tables-restore < /etc/ip6tables.rules
+dave::ip6tables-restore < /etc/ip6tables.rules
 alice::"ip route add fec0:\:/16 via fec1:\:1"
 carol::"ip route add fec1:\:/16 via fec0:\:1"
 dave::"ip route add fec1:\:/16 via fec0:\:1"
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
-carol::sleep 1
+moon::expect-connection rw
+carol::expect-connection home
+dave::expect-connection home
 carol::ipsec up home
 dave::ipsec up home
-dave::sleep 2 
diff --git a/testing/tests/ipv6/rw-ikev1/test.conf b/testing/tests/ipv6/rw-ikev1/test.conf
index 80cf5e3a1..05bb8ab6d 100644
--- a/testing/tests/ipv6/rw-ikev1/test.conf
+++ b/testing/tests/ipv6/rw-ikev1/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w-d-ip6.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ipv6/rw-ikev2/hosts/carol/etc/init.d/iptables b/testing/tests/ipv6/rw-ikev2/hosts/carol/etc/init.d/iptables
deleted file mode 100755
index b3509f8df..000000000
--- a/testing/tests/ipv6/rw-ikev2/hosts/carol/etc/init.d/iptables
+++ /dev/null
@@ -1,104 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# enable IP forwarding
-	echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
-	echo 1 > /proc/sys/net/ipv4/ip_forward
-	
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	/sbin/ip6tables -P INPUT DROP
-	/sbin/ip6tables -P OUTPUT DROP
-	/sbin/ip6tables -P FORWARD DROP
-
-	# allow esp
-	ip6tables -A INPUT  -i eth0 -p 50 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-	# allow IKE
-	ip6tables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
-	# allow MobIKE
-	ip6tables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-	# allow ICMPv6 neighbor-solicitations
-	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-	
-	# allow ICMPv6 neighbor-advertisements
-	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-
-	# allow crl and certificate fetch from winnetou
-	ip6tables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP6_WINNETOU -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP6_WINNETOU -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	# log dropped packets
-	ip6tables -A INPUT  -j LOG --log-prefix " IN: "
-	ip6tables -A OUTPUT -j LOG --log-prefix " OUT: "
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/ip6tables -F -t $a
-			/sbin/ip6tables -X -t $a
-
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/ip6tables -t filter -P INPUT ACCEPT
-				/sbin/ip6tables -t filter -P FORWARD ACCEPT
-				/sbin/ip6tables -t filter -P OUTPUT ACCEPT
-
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/ip6tables -F -t $a
-			/sbin/ip6tables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/ipv6/rw-ikev2/hosts/dave/etc/init.d/iptables b/testing/tests/ipv6/rw-ikev2/hosts/dave/etc/init.d/iptables
deleted file mode 100755
index b3509f8df..000000000
--- a/testing/tests/ipv6/rw-ikev2/hosts/dave/etc/init.d/iptables
+++ /dev/null
@@ -1,104 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# enable IP forwarding
-	echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
-	echo 1 > /proc/sys/net/ipv4/ip_forward
-	
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	/sbin/ip6tables -P INPUT DROP
-	/sbin/ip6tables -P OUTPUT DROP
-	/sbin/ip6tables -P FORWARD DROP
-
-	# allow esp
-	ip6tables -A INPUT  -i eth0 -p 50 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-	# allow IKE
-	ip6tables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
-	# allow MobIKE
-	ip6tables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-	# allow ICMPv6 neighbor-solicitations
-	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-	
-	# allow ICMPv6 neighbor-advertisements
-	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-
-	# allow crl and certificate fetch from winnetou
-	ip6tables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP6_WINNETOU -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP6_WINNETOU -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	# log dropped packets
-	ip6tables -A INPUT  -j LOG --log-prefix " IN: "
-	ip6tables -A OUTPUT -j LOG --log-prefix " OUT: "
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/ip6tables -F -t $a
-			/sbin/ip6tables -X -t $a
-
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/ip6tables -t filter -P INPUT ACCEPT
-				/sbin/ip6tables -t filter -P FORWARD ACCEPT
-				/sbin/ip6tables -t filter -P OUTPUT ACCEPT
-
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/ip6tables -F -t $a
-			/sbin/ip6tables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/ipv6/rw-ikev2/hosts/moon/etc/init.d/iptables b/testing/tests/ipv6/rw-ikev2/hosts/moon/etc/init.d/iptables
deleted file mode 100755
index b3509f8df..000000000
--- a/testing/tests/ipv6/rw-ikev2/hosts/moon/etc/init.d/iptables
+++ /dev/null
@@ -1,104 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# enable IP forwarding
-	echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
-	echo 1 > /proc/sys/net/ipv4/ip_forward
-	
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	/sbin/ip6tables -P INPUT DROP
-	/sbin/ip6tables -P OUTPUT DROP
-	/sbin/ip6tables -P FORWARD DROP
-
-	# allow esp
-	ip6tables -A INPUT  -i eth0 -p 50 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-	# allow IKE
-	ip6tables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
-	# allow MobIKE
-	ip6tables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-	# allow ICMPv6 neighbor-solicitations
-	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-	
-	# allow ICMPv6 neighbor-advertisements
-	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-
-	# allow crl and certificate fetch from winnetou
-	ip6tables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP6_WINNETOU -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP6_WINNETOU -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	# log dropped packets
-	ip6tables -A INPUT  -j LOG --log-prefix " IN: "
-	ip6tables -A OUTPUT -j LOG --log-prefix " OUT: "
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/ip6tables -F -t $a
-			/sbin/ip6tables -X -t $a
-
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/ip6tables -t filter -P INPUT ACCEPT
-				/sbin/ip6tables -t filter -P FORWARD ACCEPT
-				/sbin/ip6tables -t filter -P OUTPUT ACCEPT
-
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/ip6tables -F -t $a
-			/sbin/ip6tables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/ipv6/rw-ikev2/posttest.dat b/testing/tests/ipv6/rw-ikev2/posttest.dat
index 07e89d7da..4e59395e3 100644
--- a/testing/tests/ipv6/rw-ikev2/posttest.dat
+++ b/testing/tests/ipv6/rw-ikev2/posttest.dat
@@ -1,9 +1,12 @@
 moon::ipsec stop
 carol::ipsec stop
 dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
+moon::ip6tables-restore < /etc/ip6tables.flush
+carol::ip6tables-restore < /etc/ip6tables.flush
+dave::ip6tables-restore < /etc/ip6tables.flush
 alice::"ip route del fec0:\:/16 via fec1:\:1"
 carol::"ip route del fec1:\:/16 via fec0:\:1"
 dave::"ip route del fec1:\:/16 via fec0:\:1"
diff --git a/testing/tests/ipv6/rw-ikev2/pretest.dat b/testing/tests/ipv6/rw-ikev2/pretest.dat
index 7da0c1028..f60be3887 100644
--- a/testing/tests/ipv6/rw-ikev2/pretest.dat
+++ b/testing/tests/ipv6/rw-ikev2/pretest.dat
@@ -1,13 +1,17 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.drop
+carol::iptables-restore < /etc/iptables.drop
+dave::iptables-restore < /etc/iptables.drop
+moon::ip6tables-restore < /etc/ip6tables.rules
+carol::ip6tables-restore < /etc/ip6tables.rules
+dave::ip6tables-restore < /etc/ip6tables.rules
 alice::"ip route add fec0:\:/16 via fec1:\:1"
 carol::"ip route add fec1:\:/16 via fec0:\:1"
 dave::"ip route add fec1:\:/16 via fec0:\:1"
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
-carol::sleep 1
+moon::expect-connection rw
+carol::expect-connection home
+dave::expect-connection home
 carol::ipsec up home
 dave::ipsec up home
-dave::sleep 2 
diff --git a/testing/tests/ipv6/rw-ikev2/test.conf b/testing/tests/ipv6/rw-ikev2/test.conf
index 80cf5e3a1..05bb8ab6d 100644
--- a/testing/tests/ipv6/rw-ikev2/test.conf
+++ b/testing/tests/ipv6/rw-ikev2/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w-d-ip6.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/hosts/carol/etc/init.d/iptables b/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/hosts/carol/etc/init.d/iptables
deleted file mode 100755
index 7f904a693..000000000
--- a/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/hosts/carol/etc/init.d/iptables
+++ /dev/null
@@ -1,96 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# enable IP forwarding
-	echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
-	echo 1 > /proc/sys/net/ipv4/ip_forward
-	
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	/sbin/ip6tables -P INPUT DROP
-	/sbin/ip6tables -P OUTPUT DROP
-	/sbin/ip6tables -P FORWARD DROP
-
-	# allow ESP 
-	iptables -A INPUT  -i eth0 -p 50 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-	# allow IKE
-	iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
-	# allow MobIKE
-	iptables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-	# allow crl and certificate fetch from winnetou
-	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	# log dropped packets
-	ip6tables -A INPUT  -j LOG --log-prefix " IN: "
-	ip6tables -A OUTPUT -j LOG --log-prefix " OUT: "
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/ip6tables -F -t $a
-			/sbin/ip6tables -X -t $a
-
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/ip6tables -t filter -P INPUT ACCEPT
-				/sbin/ip6tables -t filter -P FORWARD ACCEPT
-				/sbin/ip6tables -t filter -P OUTPUT ACCEPT
-
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/ip6tables -F -t $a
-			/sbin/ip6tables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/hosts/carol/etc/ip6tables.rules b/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/hosts/carol/etc/ip6tables.rules
new file mode 100644
index 000000000..409f2e9bb
--- /dev/null
+++ b/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/hosts/carol/etc/ip6tables.rules
@@ -0,0 +1,20 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow ICMPv6 neighbor-solicitations
+-A INPUT  -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
+-A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
+
+# allow ICMPv6 neighbor-advertisements
+-A INPUT  -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
+-A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
+
+# log dropped packets
+-A INPUT  -j LOG --log-prefix " IN: "
+-A OUTPUT -j LOG --log-prefix " OUT: "
+
+COMMIT
diff --git a/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/hosts/dave/etc/init.d/iptables b/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/hosts/dave/etc/init.d/iptables
deleted file mode 100755
index 7f904a693..000000000
--- a/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/hosts/dave/etc/init.d/iptables
+++ /dev/null
@@ -1,96 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# enable IP forwarding
-	echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
-	echo 1 > /proc/sys/net/ipv4/ip_forward
-	
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	/sbin/ip6tables -P INPUT DROP
-	/sbin/ip6tables -P OUTPUT DROP
-	/sbin/ip6tables -P FORWARD DROP
-
-	# allow ESP 
-	iptables -A INPUT  -i eth0 -p 50 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-	# allow IKE
-	iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
-	# allow MobIKE
-	iptables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-	# allow crl and certificate fetch from winnetou
-	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	# log dropped packets
-	ip6tables -A INPUT  -j LOG --log-prefix " IN: "
-	ip6tables -A OUTPUT -j LOG --log-prefix " OUT: "
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/ip6tables -F -t $a
-			/sbin/ip6tables -X -t $a
-
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/ip6tables -t filter -P INPUT ACCEPT
-				/sbin/ip6tables -t filter -P FORWARD ACCEPT
-				/sbin/ip6tables -t filter -P OUTPUT ACCEPT
-
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/ip6tables -F -t $a
-			/sbin/ip6tables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/hosts/dave/etc/ip6tables.rules b/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/hosts/dave/etc/ip6tables.rules
new file mode 100644
index 000000000..409f2e9bb
--- /dev/null
+++ b/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/hosts/dave/etc/ip6tables.rules
@@ -0,0 +1,20 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow ICMPv6 neighbor-solicitations
+-A INPUT  -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
+-A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
+
+# allow ICMPv6 neighbor-advertisements
+-A INPUT  -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
+-A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
+
+# log dropped packets
+-A INPUT  -j LOG --log-prefix " IN: "
+-A OUTPUT -j LOG --log-prefix " OUT: "
+
+COMMIT
diff --git a/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/hosts/moon/etc/init.d/iptables b/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/hosts/moon/etc/init.d/iptables
deleted file mode 100755
index f5bd956ad..000000000
--- a/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/hosts/moon/etc/init.d/iptables
+++ /dev/null
@@ -1,104 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# enable IP forwarding
-	echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
-	echo 1 > /proc/sys/net/ipv4/ip_forward
-	
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	/sbin/ip6tables -P INPUT DROP
-	/sbin/ip6tables -P OUTPUT DROP
-	/sbin/ip6tables -P FORWARD DROP
-
-	# allow ESP 
-	iptables -A INPUT  -i eth0 -p 50 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-	# allow IKE
-	iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
-	# allow MobIKE
-	iptables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-	# allow ICMPv6 neighbor-solicitations
-	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-
-	# allow ICMPv6 neighbor-advertisements
-	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-
-	# allow crl and certificate fetch from winnetou
-	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	# log dropped packets
-	ip6tables -A INPUT  -j LOG --log-prefix " IN: "
-	ip6tables -A OUTPUT -j LOG --log-prefix " OUT: "
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/ip6tables -F -t $a
-			/sbin/ip6tables -X -t $a
-
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/ip6tables -t filter -P INPUT ACCEPT
-				/sbin/ip6tables -t filter -P FORWARD ACCEPT
-				/sbin/ip6tables -t filter -P OUTPUT ACCEPT
-
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/ip6tables -F -t $a
-			/sbin/ip6tables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/hosts/moon/etc/ip6tables.rules b/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/hosts/moon/etc/ip6tables.rules
new file mode 100644
index 000000000..409f2e9bb
--- /dev/null
+++ b/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/hosts/moon/etc/ip6tables.rules
@@ -0,0 +1,20 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow ICMPv6 neighbor-solicitations
+-A INPUT  -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
+-A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
+
+# allow ICMPv6 neighbor-advertisements
+-A INPUT  -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
+-A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
+
+# log dropped packets
+-A INPUT  -j LOG --log-prefix " IN: "
+-A OUTPUT -j LOG --log-prefix " OUT: "
+
+COMMIT
diff --git a/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/posttest.dat b/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/posttest.dat
index 179b8fe58..ebe5e2a80 100644
--- a/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/posttest.dat
+++ b/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/posttest.dat
@@ -1,7 +1,10 @@
 moon::ipsec stop
 carol::ipsec stop
 dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
+moon::ip6tables-restore < /etc/ip6tables.flush
+carol::ip6tables-restore < /etc/ip6tables.flush
+dave::ip6tables-restore < /etc/ip6tables.flush
 alice::"ip route del fec3:\:/16 via fec1:\:1"
diff --git a/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/pretest.dat b/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/pretest.dat
index ca544e373..e73bde487 100644
--- a/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/pretest.dat
+++ b/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/pretest.dat
@@ -1,11 +1,15 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
+moon::ip6tables-restore < /etc/ip6tables.rules
+carol::ip6tables-restore < /etc/ip6tables.rules
+dave::ip6tables-restore < /etc/ip6tables.rules
 alice::"ip route add fec3:\:/16 via fec1:\:1"
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
-carol::sleep 1
+moon::expect-connection rw
+carol::expect-connection home
+dave::expect-connection home
 carol::ipsec up home
 dave::ipsec up home
-dave::sleep 2 
diff --git a/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/rw-ip6-in-ip4-ikev1/description.txt b/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/rw-ip6-in-ip4-ikev1/description.txt
deleted file mode 100644
index 9609ae268..000000000
--- a/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/rw-ip6-in-ip4-ikev1/description.txt
+++ /dev/null
@@ -1,10 +0,0 @@
-The roadwarriors <b>carol</b> and <b>dave</b> set up an IPv6-in-IPv4 tunnel connection each 
-to gateway <b>moon</b>. The authentication is based on <b>X.509 certificates</b>.
-Both <b>carol</b> and <b>dave</b> request a virtual IPv6 address from <b>moon</b> via
-the IKEvi1 mode config payload.
-<p/>
-Upon the successful establishment of the ESP tunnels, <b>leftfirewall=yes</b>
-automatically inserts ip6tables-based firewall rules that let pass the tunneled traffic.
-In order to test both tunnel and firewall, both <b>carol</b> and <b>dave</b> send
-an IPv6 ICMP request to the client <b>alice</b> behind the gateway <b>moon</b>
-using the ping6 command.
diff --git a/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/rw-ip6-in-ip4-ikev1/evaltest.dat b/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/rw-ip6-in-ip4-ikev1/evaltest.dat
deleted file mode 100644
index f6dc9aa3e..000000000
--- a/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/rw-ip6-in-ip4-ikev1/evaltest.dat
+++ /dev/null
@@ -1,15 +0,0 @@
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
-dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
-carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
-carol::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES
-dave:: ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES
-moon::tcpdump::carol.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::moon.strongswan.org > carol.strongswan.org: ESP::YES
-moon::tcpdump::dave.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::moon.strongswan.org > dave.strongswan.org: ESP::YES
-
diff --git a/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/rw-ip6-in-ip4-ikev1/posttest.dat b/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/rw-ip6-in-ip4-ikev1/posttest.dat
deleted file mode 100644
index 179b8fe58..000000000
--- a/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/rw-ip6-in-ip4-ikev1/posttest.dat
+++ /dev/null
@@ -1,7 +0,0 @@
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
-alice::"ip route del fec3:\:/16 via fec1:\:1"
diff --git a/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/rw-ip6-in-ip4-ikev1/pretest.dat b/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/rw-ip6-in-ip4-ikev1/pretest.dat
deleted file mode 100644
index ca544e373..000000000
--- a/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/rw-ip6-in-ip4-ikev1/pretest.dat
+++ /dev/null
@@ -1,11 +0,0 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
-alice::"ip route add fec3:\:/16 via fec1:\:1"
-moon::ipsec start
-carol::ipsec start
-dave::ipsec start
-carol::sleep 1
-carol::ipsec up home
-dave::ipsec up home
-dave::sleep 2 
diff --git a/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/rw-ip6-in-ip4-ikev1/test.conf b/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/rw-ip6-in-ip4-ikev1/test.conf
deleted file mode 100644
index 80cf5e3a1..000000000
--- a/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/rw-ip6-in-ip4-ikev1/test.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# UML instances used for this test
-
-# All UML instances that are required for this test
-#
-UMLHOSTS="alice moon carol winnetou dave"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-m-c-w-d-ip6.png"
-
-# UML instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS="moon"
-
-# UML instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/test.conf b/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/test.conf
index 80cf5e3a1..05bb8ab6d 100644
--- a/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/test.conf
+++ b/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w-d-ip6.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/hosts/carol/etc/init.d/iptables b/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/hosts/carol/etc/init.d/iptables
deleted file mode 100755
index 7f904a693..000000000
--- a/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/hosts/carol/etc/init.d/iptables
+++ /dev/null
@@ -1,96 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# enable IP forwarding
-	echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
-	echo 1 > /proc/sys/net/ipv4/ip_forward
-	
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	/sbin/ip6tables -P INPUT DROP
-	/sbin/ip6tables -P OUTPUT DROP
-	/sbin/ip6tables -P FORWARD DROP
-
-	# allow ESP 
-	iptables -A INPUT  -i eth0 -p 50 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-	# allow IKE
-	iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
-	# allow MobIKE
-	iptables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-	# allow crl and certificate fetch from winnetou
-	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	# log dropped packets
-	ip6tables -A INPUT  -j LOG --log-prefix " IN: "
-	ip6tables -A OUTPUT -j LOG --log-prefix " OUT: "
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/ip6tables -F -t $a
-			/sbin/ip6tables -X -t $a
-
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/ip6tables -t filter -P INPUT ACCEPT
-				/sbin/ip6tables -t filter -P FORWARD ACCEPT
-				/sbin/ip6tables -t filter -P OUTPUT ACCEPT
-
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/ip6tables -F -t $a
-			/sbin/ip6tables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/hosts/carol/etc/ip6tables.rules b/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/hosts/carol/etc/ip6tables.rules
new file mode 100644
index 000000000..409f2e9bb
--- /dev/null
+++ b/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/hosts/carol/etc/ip6tables.rules
@@ -0,0 +1,20 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow ICMPv6 neighbor-solicitations
+-A INPUT  -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
+-A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
+
+# allow ICMPv6 neighbor-advertisements
+-A INPUT  -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
+-A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
+
+# log dropped packets
+-A INPUT  -j LOG --log-prefix " IN: "
+-A OUTPUT -j LOG --log-prefix " OUT: "
+
+COMMIT
diff --git a/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/hosts/dave/etc/init.d/iptables b/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/hosts/dave/etc/init.d/iptables
deleted file mode 100755
index 7f904a693..000000000
--- a/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/hosts/dave/etc/init.d/iptables
+++ /dev/null
@@ -1,96 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# enable IP forwarding
-	echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
-	echo 1 > /proc/sys/net/ipv4/ip_forward
-	
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	/sbin/ip6tables -P INPUT DROP
-	/sbin/ip6tables -P OUTPUT DROP
-	/sbin/ip6tables -P FORWARD DROP
-
-	# allow ESP 
-	iptables -A INPUT  -i eth0 -p 50 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-	# allow IKE
-	iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
-	# allow MobIKE
-	iptables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-	# allow crl and certificate fetch from winnetou
-	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	# log dropped packets
-	ip6tables -A INPUT  -j LOG --log-prefix " IN: "
-	ip6tables -A OUTPUT -j LOG --log-prefix " OUT: "
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/ip6tables -F -t $a
-			/sbin/ip6tables -X -t $a
-
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/ip6tables -t filter -P INPUT ACCEPT
-				/sbin/ip6tables -t filter -P FORWARD ACCEPT
-				/sbin/ip6tables -t filter -P OUTPUT ACCEPT
-
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/ip6tables -F -t $a
-			/sbin/ip6tables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/hosts/dave/etc/ip6tables.rules b/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/hosts/dave/etc/ip6tables.rules
new file mode 100644
index 000000000..409f2e9bb
--- /dev/null
+++ b/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/hosts/dave/etc/ip6tables.rules
@@ -0,0 +1,20 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow ICMPv6 neighbor-solicitations
+-A INPUT  -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
+-A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
+
+# allow ICMPv6 neighbor-advertisements
+-A INPUT  -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
+-A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
+
+# log dropped packets
+-A INPUT  -j LOG --log-prefix " IN: "
+-A OUTPUT -j LOG --log-prefix " OUT: "
+
+COMMIT
diff --git a/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/hosts/moon/etc/init.d/iptables b/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/hosts/moon/etc/init.d/iptables
deleted file mode 100755
index f5bd956ad..000000000
--- a/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/hosts/moon/etc/init.d/iptables
+++ /dev/null
@@ -1,104 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# enable IP forwarding
-	echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
-	echo 1 > /proc/sys/net/ipv4/ip_forward
-	
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	/sbin/ip6tables -P INPUT DROP
-	/sbin/ip6tables -P OUTPUT DROP
-	/sbin/ip6tables -P FORWARD DROP
-
-	# allow ESP 
-	iptables -A INPUT  -i eth0 -p 50 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-	# allow IKE
-	iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
-	# allow MobIKE
-	iptables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-	# allow ICMPv6 neighbor-solicitations
-	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-
-	# allow ICMPv6 neighbor-advertisements
-	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-
-	# allow crl and certificate fetch from winnetou
-	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	# log dropped packets
-	ip6tables -A INPUT  -j LOG --log-prefix " IN: "
-	ip6tables -A OUTPUT -j LOG --log-prefix " OUT: "
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/ip6tables -F -t $a
-			/sbin/ip6tables -X -t $a
-
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/ip6tables -t filter -P INPUT ACCEPT
-				/sbin/ip6tables -t filter -P FORWARD ACCEPT
-				/sbin/ip6tables -t filter -P OUTPUT ACCEPT
-
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/ip6tables -F -t $a
-			/sbin/ip6tables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/hosts/moon/etc/ip6tables.rules b/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/hosts/moon/etc/ip6tables.rules
new file mode 100644
index 000000000..409f2e9bb
--- /dev/null
+++ b/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/hosts/moon/etc/ip6tables.rules
@@ -0,0 +1,20 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow ICMPv6 neighbor-solicitations
+-A INPUT  -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
+-A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
+
+# allow ICMPv6 neighbor-advertisements
+-A INPUT  -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
+-A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
+
+# log dropped packets
+-A INPUT  -j LOG --log-prefix " IN: "
+-A OUTPUT -j LOG --log-prefix " OUT: "
+
+COMMIT
diff --git a/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/posttest.dat b/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/posttest.dat
index 179b8fe58..ebe5e2a80 100644
--- a/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/posttest.dat
+++ b/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/posttest.dat
@@ -1,7 +1,10 @@
 moon::ipsec stop
 carol::ipsec stop
 dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
+moon::ip6tables-restore < /etc/ip6tables.flush
+carol::ip6tables-restore < /etc/ip6tables.flush
+dave::ip6tables-restore < /etc/ip6tables.flush
 alice::"ip route del fec3:\:/16 via fec1:\:1"
diff --git a/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/pretest.dat b/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/pretest.dat
index ca544e373..e73bde487 100644
--- a/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/pretest.dat
+++ b/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/pretest.dat
@@ -1,11 +1,15 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
+moon::ip6tables-restore < /etc/ip6tables.rules
+carol::ip6tables-restore < /etc/ip6tables.rules
+dave::ip6tables-restore < /etc/ip6tables.rules
 alice::"ip route add fec3:\:/16 via fec1:\:1"
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
-carol::sleep 1
+moon::expect-connection rw
+carol::expect-connection home
+dave::expect-connection home
 carol::ipsec up home
 dave::ipsec up home
-dave::sleep 2 
diff --git a/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/test.conf b/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/test.conf
index 80cf5e3a1..05bb8ab6d 100644
--- a/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/test.conf
+++ b/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w-d-ip6.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ipv6/rw-psk-ikev1/hosts/carol/etc/init.d/iptables b/testing/tests/ipv6/rw-psk-ikev1/hosts/carol/etc/init.d/iptables
deleted file mode 100755
index 6c437fe03..000000000
--- a/testing/tests/ipv6/rw-psk-ikev1/hosts/carol/etc/init.d/iptables
+++ /dev/null
@@ -1,100 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# enable IP forwarding
-	echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
-	echo 1 > /proc/sys/net/ipv4/ip_forward
-	
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	/sbin/ip6tables -P INPUT DROP
-	/sbin/ip6tables -P OUTPUT DROP
-	/sbin/ip6tables -P FORWARD DROP
-
-	# allow esp
-	ip6tables -A INPUT  -i eth0 -p 50 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-	# allow IKE
-	ip6tables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
-	# allow MobIKE
-	ip6tables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-	# allow ICMPv6 neighbor-solicitations
-	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-	
-	# allow ICMPv6 neighbor-advertisements
-	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	# log dropped packets
-	ip6tables -A INPUT  -j LOG --log-prefix " IN: "
-	ip6tables -A OUTPUT -j LOG --log-prefix " OUT: "
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/ip6tables -F -t $a
-			/sbin/ip6tables -X -t $a
-
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/ip6tables -t filter -P INPUT ACCEPT
-				/sbin/ip6tables -t filter -P FORWARD ACCEPT
-				/sbin/ip6tables -t filter -P OUTPUT ACCEPT
-
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/ip6tables -F -t $a
-			/sbin/ip6tables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/ipv6/rw-psk-ikev1/hosts/dave/etc/init.d/iptables b/testing/tests/ipv6/rw-psk-ikev1/hosts/dave/etc/init.d/iptables
deleted file mode 100755
index 6c437fe03..000000000
--- a/testing/tests/ipv6/rw-psk-ikev1/hosts/dave/etc/init.d/iptables
+++ /dev/null
@@ -1,100 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# enable IP forwarding
-	echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
-	echo 1 > /proc/sys/net/ipv4/ip_forward
-	
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	/sbin/ip6tables -P INPUT DROP
-	/sbin/ip6tables -P OUTPUT DROP
-	/sbin/ip6tables -P FORWARD DROP
-
-	# allow esp
-	ip6tables -A INPUT  -i eth0 -p 50 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-	# allow IKE
-	ip6tables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
-	# allow MobIKE
-	ip6tables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-	# allow ICMPv6 neighbor-solicitations
-	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-	
-	# allow ICMPv6 neighbor-advertisements
-	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	# log dropped packets
-	ip6tables -A INPUT  -j LOG --log-prefix " IN: "
-	ip6tables -A OUTPUT -j LOG --log-prefix " OUT: "
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/ip6tables -F -t $a
-			/sbin/ip6tables -X -t $a
-
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/ip6tables -t filter -P INPUT ACCEPT
-				/sbin/ip6tables -t filter -P FORWARD ACCEPT
-				/sbin/ip6tables -t filter -P OUTPUT ACCEPT
-
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/ip6tables -F -t $a
-			/sbin/ip6tables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/ipv6/rw-psk-ikev1/hosts/moon/etc/init.d/iptables b/testing/tests/ipv6/rw-psk-ikev1/hosts/moon/etc/init.d/iptables
deleted file mode 100755
index 6c437fe03..000000000
--- a/testing/tests/ipv6/rw-psk-ikev1/hosts/moon/etc/init.d/iptables
+++ /dev/null
@@ -1,100 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# enable IP forwarding
-	echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
-	echo 1 > /proc/sys/net/ipv4/ip_forward
-	
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	/sbin/ip6tables -P INPUT DROP
-	/sbin/ip6tables -P OUTPUT DROP
-	/sbin/ip6tables -P FORWARD DROP
-
-	# allow esp
-	ip6tables -A INPUT  -i eth0 -p 50 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-	# allow IKE
-	ip6tables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
-	# allow MobIKE
-	ip6tables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-	# allow ICMPv6 neighbor-solicitations
-	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-	
-	# allow ICMPv6 neighbor-advertisements
-	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	# log dropped packets
-	ip6tables -A INPUT  -j LOG --log-prefix " IN: "
-	ip6tables -A OUTPUT -j LOG --log-prefix " OUT: "
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/ip6tables -F -t $a
-			/sbin/ip6tables -X -t $a
-
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/ip6tables -t filter -P INPUT ACCEPT
-				/sbin/ip6tables -t filter -P FORWARD ACCEPT
-				/sbin/ip6tables -t filter -P OUTPUT ACCEPT
-
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/ip6tables -F -t $a
-			/sbin/ip6tables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/ipv6/rw-psk-ikev1/posttest.dat b/testing/tests/ipv6/rw-psk-ikev1/posttest.dat
index 07e89d7da..4e59395e3 100644
--- a/testing/tests/ipv6/rw-psk-ikev1/posttest.dat
+++ b/testing/tests/ipv6/rw-psk-ikev1/posttest.dat
@@ -1,9 +1,12 @@
 moon::ipsec stop
 carol::ipsec stop
 dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
+moon::ip6tables-restore < /etc/ip6tables.flush
+carol::ip6tables-restore < /etc/ip6tables.flush
+dave::ip6tables-restore < /etc/ip6tables.flush
 alice::"ip route del fec0:\:/16 via fec1:\:1"
 carol::"ip route del fec1:\:/16 via fec0:\:1"
 dave::"ip route del fec1:\:/16 via fec0:\:1"
diff --git a/testing/tests/ipv6/rw-psk-ikev1/pretest.dat b/testing/tests/ipv6/rw-psk-ikev1/pretest.dat
index e3040d125..93a96ec36 100644
--- a/testing/tests/ipv6/rw-psk-ikev1/pretest.dat
+++ b/testing/tests/ipv6/rw-psk-ikev1/pretest.dat
@@ -1,6 +1,9 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.drop
+carol::iptables-restore < /etc/iptables.drop
+dave::iptables-restore < /etc/iptables.drop
+moon::ip6tables-restore < /etc/ip6tables.rules
+carol::ip6tables-restore < /etc/ip6tables.rules
+dave::ip6tables-restore < /etc/ip6tables.rules
 alice::"ip route add fec0:\:/16 via fec1:\:1"
 carol::"ip route add fec1:\:/16 via fec0:\:1"
 dave::"ip route add fec1:\:/16 via fec0:\:1"
@@ -10,7 +13,8 @@ dave::rm /etc/ipsec.d/cacerts/*
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
-carol::sleep 1
+moon::expect-connection rw
+carol::expect-connection home
+dave::expect-connection home
 carol::ipsec up home
 dave::ipsec up home
-dave::sleep 1
diff --git a/testing/tests/ipv6/rw-psk-ikev1/test.conf b/testing/tests/ipv6/rw-psk-ikev1/test.conf
index 80cf5e3a1..05bb8ab6d 100644
--- a/testing/tests/ipv6/rw-psk-ikev1/test.conf
+++ b/testing/tests/ipv6/rw-psk-ikev1/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w-d-ip6.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ipv6/rw-psk-ikev2/hosts/carol/etc/init.d/iptables b/testing/tests/ipv6/rw-psk-ikev2/hosts/carol/etc/init.d/iptables
deleted file mode 100755
index 6c437fe03..000000000
--- a/testing/tests/ipv6/rw-psk-ikev2/hosts/carol/etc/init.d/iptables
+++ /dev/null
@@ -1,100 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# enable IP forwarding
-	echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
-	echo 1 > /proc/sys/net/ipv4/ip_forward
-	
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	/sbin/ip6tables -P INPUT DROP
-	/sbin/ip6tables -P OUTPUT DROP
-	/sbin/ip6tables -P FORWARD DROP
-
-	# allow esp
-	ip6tables -A INPUT  -i eth0 -p 50 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-	# allow IKE
-	ip6tables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
-	# allow MobIKE
-	ip6tables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-	# allow ICMPv6 neighbor-solicitations
-	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-	
-	# allow ICMPv6 neighbor-advertisements
-	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	# log dropped packets
-	ip6tables -A INPUT  -j LOG --log-prefix " IN: "
-	ip6tables -A OUTPUT -j LOG --log-prefix " OUT: "
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/ip6tables -F -t $a
-			/sbin/ip6tables -X -t $a
-
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/ip6tables -t filter -P INPUT ACCEPT
-				/sbin/ip6tables -t filter -P FORWARD ACCEPT
-				/sbin/ip6tables -t filter -P OUTPUT ACCEPT
-
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/ip6tables -F -t $a
-			/sbin/ip6tables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/ipv6/rw-psk-ikev2/hosts/dave/etc/init.d/iptables b/testing/tests/ipv6/rw-psk-ikev2/hosts/dave/etc/init.d/iptables
deleted file mode 100755
index 6c437fe03..000000000
--- a/testing/tests/ipv6/rw-psk-ikev2/hosts/dave/etc/init.d/iptables
+++ /dev/null
@@ -1,100 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# enable IP forwarding
-	echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
-	echo 1 > /proc/sys/net/ipv4/ip_forward
-	
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	/sbin/ip6tables -P INPUT DROP
-	/sbin/ip6tables -P OUTPUT DROP
-	/sbin/ip6tables -P FORWARD DROP
-
-	# allow esp
-	ip6tables -A INPUT  -i eth0 -p 50 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-	# allow IKE
-	ip6tables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
-	# allow MobIKE
-	ip6tables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-	# allow ICMPv6 neighbor-solicitations
-	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-	
-	# allow ICMPv6 neighbor-advertisements
-	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	# log dropped packets
-	ip6tables -A INPUT  -j LOG --log-prefix " IN: "
-	ip6tables -A OUTPUT -j LOG --log-prefix " OUT: "
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/ip6tables -F -t $a
-			/sbin/ip6tables -X -t $a
-
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/ip6tables -t filter -P INPUT ACCEPT
-				/sbin/ip6tables -t filter -P FORWARD ACCEPT
-				/sbin/ip6tables -t filter -P OUTPUT ACCEPT
-
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/ip6tables -F -t $a
-			/sbin/ip6tables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/ipv6/rw-psk-ikev2/hosts/moon/etc/init.d/iptables b/testing/tests/ipv6/rw-psk-ikev2/hosts/moon/etc/init.d/iptables
deleted file mode 100755
index 6c437fe03..000000000
--- a/testing/tests/ipv6/rw-psk-ikev2/hosts/moon/etc/init.d/iptables
+++ /dev/null
@@ -1,100 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# enable IP forwarding
-	echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
-	echo 1 > /proc/sys/net/ipv4/ip_forward
-	
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	/sbin/ip6tables -P INPUT DROP
-	/sbin/ip6tables -P OUTPUT DROP
-	/sbin/ip6tables -P FORWARD DROP
-
-	# allow esp
-	ip6tables -A INPUT  -i eth0 -p 50 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-	# allow IKE
-	ip6tables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
-	# allow MobIKE
-	ip6tables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-	# allow ICMPv6 neighbor-solicitations
-	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-	
-	# allow ICMPv6 neighbor-advertisements
-	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	# log dropped packets
-	ip6tables -A INPUT  -j LOG --log-prefix " IN: "
-	ip6tables -A OUTPUT -j LOG --log-prefix " OUT: "
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/ip6tables -F -t $a
-			/sbin/ip6tables -X -t $a
-
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/ip6tables -t filter -P INPUT ACCEPT
-				/sbin/ip6tables -t filter -P FORWARD ACCEPT
-				/sbin/ip6tables -t filter -P OUTPUT ACCEPT
-
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/ip6tables -F -t $a
-			/sbin/ip6tables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/ipv6/rw-psk-ikev2/posttest.dat b/testing/tests/ipv6/rw-psk-ikev2/posttest.dat
index 07e89d7da..4e59395e3 100644
--- a/testing/tests/ipv6/rw-psk-ikev2/posttest.dat
+++ b/testing/tests/ipv6/rw-psk-ikev2/posttest.dat
@@ -1,9 +1,12 @@
 moon::ipsec stop
 carol::ipsec stop
 dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
+moon::ip6tables-restore < /etc/ip6tables.flush
+carol::ip6tables-restore < /etc/ip6tables.flush
+dave::ip6tables-restore < /etc/ip6tables.flush
 alice::"ip route del fec0:\:/16 via fec1:\:1"
 carol::"ip route del fec1:\:/16 via fec0:\:1"
 dave::"ip route del fec1:\:/16 via fec0:\:1"
diff --git a/testing/tests/ipv6/rw-psk-ikev2/pretest.dat b/testing/tests/ipv6/rw-psk-ikev2/pretest.dat
index e3040d125..93a96ec36 100644
--- a/testing/tests/ipv6/rw-psk-ikev2/pretest.dat
+++ b/testing/tests/ipv6/rw-psk-ikev2/pretest.dat
@@ -1,6 +1,9 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.drop
+carol::iptables-restore < /etc/iptables.drop
+dave::iptables-restore < /etc/iptables.drop
+moon::ip6tables-restore < /etc/ip6tables.rules
+carol::ip6tables-restore < /etc/ip6tables.rules
+dave::ip6tables-restore < /etc/ip6tables.rules
 alice::"ip route add fec0:\:/16 via fec1:\:1"
 carol::"ip route add fec1:\:/16 via fec0:\:1"
 dave::"ip route add fec1:\:/16 via fec0:\:1"
@@ -10,7 +13,8 @@ dave::rm /etc/ipsec.d/cacerts/*
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
-carol::sleep 1
+moon::expect-connection rw
+carol::expect-connection home
+dave::expect-connection home
 carol::ipsec up home
 dave::ipsec up home
-dave::sleep 1
diff --git a/testing/tests/ipv6/rw-psk-ikev2/test.conf b/testing/tests/ipv6/rw-psk-ikev2/test.conf
index 80cf5e3a1..05bb8ab6d 100644
--- a/testing/tests/ipv6/rw-psk-ikev2/test.conf
+++ b/testing/tests/ipv6/rw-psk-ikev2/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w-d-ip6.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/carol/etc/init.d/iptables b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/carol/etc/init.d/iptables
deleted file mode 100755
index b3509f8df..000000000
--- a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/carol/etc/init.d/iptables
+++ /dev/null
@@ -1,104 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# enable IP forwarding
-	echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
-	echo 1 > /proc/sys/net/ipv4/ip_forward
-	
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	/sbin/ip6tables -P INPUT DROP
-	/sbin/ip6tables -P OUTPUT DROP
-	/sbin/ip6tables -P FORWARD DROP
-
-	# allow esp
-	ip6tables -A INPUT  -i eth0 -p 50 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-	# allow IKE
-	ip6tables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
-	# allow MobIKE
-	ip6tables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-	# allow ICMPv6 neighbor-solicitations
-	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-	
-	# allow ICMPv6 neighbor-advertisements
-	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-
-	# allow crl and certificate fetch from winnetou
-	ip6tables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP6_WINNETOU -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP6_WINNETOU -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	# log dropped packets
-	ip6tables -A INPUT  -j LOG --log-prefix " IN: "
-	ip6tables -A OUTPUT -j LOG --log-prefix " OUT: "
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/ip6tables -F -t $a
-			/sbin/ip6tables -X -t $a
-
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/ip6tables -t filter -P INPUT ACCEPT
-				/sbin/ip6tables -t filter -P FORWARD ACCEPT
-				/sbin/ip6tables -t filter -P OUTPUT ACCEPT
-
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/ip6tables -F -t $a
-			/sbin/ip6tables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/dave/etc/init.d/iptables b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/dave/etc/init.d/iptables
deleted file mode 100755
index b3509f8df..000000000
--- a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/dave/etc/init.d/iptables
+++ /dev/null
@@ -1,104 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# enable IP forwarding
-	echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
-	echo 1 > /proc/sys/net/ipv4/ip_forward
-	
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	/sbin/ip6tables -P INPUT DROP
-	/sbin/ip6tables -P OUTPUT DROP
-	/sbin/ip6tables -P FORWARD DROP
-
-	# allow esp
-	ip6tables -A INPUT  -i eth0 -p 50 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-	# allow IKE
-	ip6tables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
-	# allow MobIKE
-	ip6tables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-	# allow ICMPv6 neighbor-solicitations
-	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-	
-	# allow ICMPv6 neighbor-advertisements
-	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-
-	# allow crl and certificate fetch from winnetou
-	ip6tables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP6_WINNETOU -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP6_WINNETOU -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	# log dropped packets
-	ip6tables -A INPUT  -j LOG --log-prefix " IN: "
-	ip6tables -A OUTPUT -j LOG --log-prefix " OUT: "
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/ip6tables -F -t $a
-			/sbin/ip6tables -X -t $a
-
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/ip6tables -t filter -P INPUT ACCEPT
-				/sbin/ip6tables -t filter -P FORWARD ACCEPT
-				/sbin/ip6tables -t filter -P OUTPUT ACCEPT
-
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/ip6tables -F -t $a
-			/sbin/ip6tables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/moon/etc/init.d/iptables b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/moon/etc/init.d/iptables
deleted file mode 100755
index b3509f8df..000000000
--- a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/moon/etc/init.d/iptables
+++ /dev/null
@@ -1,104 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# enable IP forwarding
-	echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
-	echo 1 > /proc/sys/net/ipv4/ip_forward
-	
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	/sbin/ip6tables -P INPUT DROP
-	/sbin/ip6tables -P OUTPUT DROP
-	/sbin/ip6tables -P FORWARD DROP
-
-	# allow esp
-	ip6tables -A INPUT  -i eth0 -p 50 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-	# allow IKE
-	ip6tables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
-	# allow MobIKE
-	ip6tables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-	# allow ICMPv6 neighbor-solicitations
-	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-	
-	# allow ICMPv6 neighbor-advertisements
-	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-
-	# allow crl and certificate fetch from winnetou
-	ip6tables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP6_WINNETOU -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP6_WINNETOU -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	# log dropped packets
-	ip6tables -A INPUT  -j LOG --log-prefix " IN: "
-	ip6tables -A OUTPUT -j LOG --log-prefix " OUT: "
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/ip6tables -F -t $a
-			/sbin/ip6tables -X -t $a
-
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/ip6tables -t filter -P INPUT ACCEPT
-				/sbin/ip6tables -t filter -P FORWARD ACCEPT
-				/sbin/ip6tables -t filter -P OUTPUT ACCEPT
-
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/ip6tables -F -t $a
-			/sbin/ip6tables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/ipv6/rw-rfc3779-ikev2/posttest.dat b/testing/tests/ipv6/rw-rfc3779-ikev2/posttest.dat
index 07e89d7da..4e59395e3 100644
--- a/testing/tests/ipv6/rw-rfc3779-ikev2/posttest.dat
+++ b/testing/tests/ipv6/rw-rfc3779-ikev2/posttest.dat
@@ -1,9 +1,12 @@
 moon::ipsec stop
 carol::ipsec stop
 dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
+moon::ip6tables-restore < /etc/ip6tables.flush
+carol::ip6tables-restore < /etc/ip6tables.flush
+dave::ip6tables-restore < /etc/ip6tables.flush
 alice::"ip route del fec0:\:/16 via fec1:\:1"
 carol::"ip route del fec1:\:/16 via fec0:\:1"
 dave::"ip route del fec1:\:/16 via fec0:\:1"
diff --git a/testing/tests/ipv6/rw-rfc3779-ikev2/pretest.dat b/testing/tests/ipv6/rw-rfc3779-ikev2/pretest.dat
index 7da0c1028..f60be3887 100644
--- a/testing/tests/ipv6/rw-rfc3779-ikev2/pretest.dat
+++ b/testing/tests/ipv6/rw-rfc3779-ikev2/pretest.dat
@@ -1,13 +1,17 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.drop
+carol::iptables-restore < /etc/iptables.drop
+dave::iptables-restore < /etc/iptables.drop
+moon::ip6tables-restore < /etc/ip6tables.rules
+carol::ip6tables-restore < /etc/ip6tables.rules
+dave::ip6tables-restore < /etc/ip6tables.rules
 alice::"ip route add fec0:\:/16 via fec1:\:1"
 carol::"ip route add fec1:\:/16 via fec0:\:1"
 dave::"ip route add fec1:\:/16 via fec0:\:1"
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
-carol::sleep 1
+moon::expect-connection rw
+carol::expect-connection home
+dave::expect-connection home
 carol::ipsec up home
 dave::ipsec up home
-dave::sleep 2 
diff --git a/testing/tests/ipv6/rw-rfc3779-ikev2/test.conf b/testing/tests/ipv6/rw-rfc3779-ikev2/test.conf
index 80cf5e3a1..05bb8ab6d 100644
--- a/testing/tests/ipv6/rw-rfc3779-ikev2/test.conf
+++ b/testing/tests/ipv6/rw-rfc3779-ikev2/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w-d-ip6.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ipv6/transport-ikev1/hosts/moon/etc/init.d/iptables b/testing/tests/ipv6/transport-ikev1/hosts/moon/etc/init.d/iptables
deleted file mode 100755
index 343fd49ed..000000000
--- a/testing/tests/ipv6/transport-ikev1/hosts/moon/etc/init.d/iptables
+++ /dev/null
@@ -1,108 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# enable IP forwarding
-	echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
-	echo 1 > /proc/sys/net/ipv4/ip_forward
-	
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	/sbin/ip6tables -P INPUT DROP
-	/sbin/ip6tables -P OUTPUT DROP
-	/sbin/ip6tables -P FORWARD DROP
-
-	# allow esp
-	ip6tables -A INPUT  -i eth0 -p 50 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-	# allow IKE
-	ip6tables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
-	# allow MobIKE
-	ip6tables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-	# allow ICMPv6 neighbor-solicitations
-	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-	
-	# allow ICMPv6 neighbor-advertisements
-	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-
-	# allow crl and certficate fetch from winnetou
-	ip6tables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP6_WINNETOU -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP6_WINNETOU -j ACCEPT
-
-	# allow last IPv6 UDP fragments
-	ip6tables -A INPUT  -p udp -m frag --fraglast -j ACCEPT
-	ip6tables -A OUTPUT -p udp -m frag --fraglast -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	# log dropped packets
-	ip6tables -A INPUT  -j LOG --log-prefix " IN: "
-	ip6tables -A OUTPUT -j LOG --log-prefix " OUT: "
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/ip6tables -F -t $a
-			/sbin/ip6tables -X -t $a
-
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/ip6tables -t filter -P INPUT ACCEPT
-				/sbin/ip6tables -t filter -P FORWARD ACCEPT
-				/sbin/ip6tables -t filter -P OUTPUT ACCEPT
-
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/ip6tables -F -t $a
-			/sbin/ip6tables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/ipv6/transport-ikev1/hosts/sun/etc/init.d/iptables b/testing/tests/ipv6/transport-ikev1/hosts/sun/etc/init.d/iptables
deleted file mode 100755
index 47db6db82..000000000
--- a/testing/tests/ipv6/transport-ikev1/hosts/sun/etc/init.d/iptables
+++ /dev/null
@@ -1,108 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# enable IP forwarding
-	echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
-	echo 1 > /proc/sys/net/ipv4/ip_forward
-	
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	/sbin/ip6tables -P INPUT DROP
-	/sbin/ip6tables -P OUTPUT DROP
-	/sbin/ip6tables -P FORWARD DROP
-
-	# allow esp
-	ip6tables -A INPUT  -i eth0 -p 50 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-	# allow IKE
-	ip6tables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
-	# allow MobIKE
-	ip6tables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-	# allow ICMPv6 neighbor-solicitations
-	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-	
-	# allow ICMPv6 neighbor-advertisements
-	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-
-	# allow last IPv6 UDP fragments
-	ip6tables -A INPUT  -p udp -m frag --fraglast -j ACCEPT
-	ip6tables -A OUTPUT -p udp -m frag --fraglast -j ACCEPT
-
-	# allow crl and certificate fetch from winnetou
-	ip6tables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP6_WINNETOU -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP6_WINNETOU -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	# log dropped packets
-	ip6tables -A INPUT  -j LOG --log-prefix " IN: "
-	ip6tables -A OUTPUT -j LOG --log-prefix " OUT: "
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/ip6tables -F -t $a
-			/sbin/ip6tables -X -t $a
-
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/ip6tables -t filter -P INPUT ACCEPT
-				/sbin/ip6tables -t filter -P FORWARD ACCEPT
-				/sbin/ip6tables -t filter -P OUTPUT ACCEPT
-
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/ip6tables -F -t $a
-			/sbin/ip6tables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/ipv6/transport-ikev1/posttest.dat b/testing/tests/ipv6/transport-ikev1/posttest.dat
index 5a9150bc8..d3bebd0c6 100644
--- a/testing/tests/ipv6/transport-ikev1/posttest.dat
+++ b/testing/tests/ipv6/transport-ikev1/posttest.dat
@@ -1,4 +1,6 @@
 moon::ipsec stop
 sun::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-sun::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
+moon::ip6tables-restore < /etc/ip6tables.flush
+sun::ip6tables-restore < /etc/ip6tables.flush
diff --git a/testing/tests/ipv6/transport-ikev1/pretest.dat b/testing/tests/ipv6/transport-ikev1/pretest.dat
index 7e97e7783..46c015387 100644
--- a/testing/tests/ipv6/transport-ikev1/pretest.dat
+++ b/testing/tests/ipv6/transport-ikev1/pretest.dat
@@ -1,7 +1,9 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-sun::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.drop
+sun::iptables-restore < /etc/iptables.drop
+moon::ip6tables-restore < /etc/ip6tables.rules
+sun::ip6tables-restore < /etc/ip6tables.rules
 moon::ipsec start
 sun::ipsec start
-moon::sleep 2 
+moon::expect-connection host-host
+sun::expect-connection host-host
 moon::ipsec up host-host
-moon::sleep 1
diff --git a/testing/tests/ipv6/transport-ikev1/test.conf b/testing/tests/ipv6/transport-ikev1/test.conf
index 6ab5b8a96..56df1a0da 100644
--- a/testing/tests/ipv6/transport-ikev1/test.conf
+++ b/testing/tests/ipv6/transport-ikev1/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="moon winnetou sun"
+VIRTHOSTS="moon winnetou sun"
  
 # Corresponding block diagram
 #
 DIAGRAM="m-w-s-ip6.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="sun"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon sun"
diff --git a/testing/tests/ipv6/transport-ikev2/hosts/moon/etc/init.d/iptables b/testing/tests/ipv6/transport-ikev2/hosts/moon/etc/init.d/iptables
deleted file mode 100755
index b1e7073af..000000000
--- a/testing/tests/ipv6/transport-ikev2/hosts/moon/etc/init.d/iptables
+++ /dev/null
@@ -1,104 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# enable IP forwarding
-	echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
-	echo 1 > /proc/sys/net/ipv4/ip_forward
-	
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	/sbin/ip6tables -P INPUT DROP
-	/sbin/ip6tables -P OUTPUT DROP
-	/sbin/ip6tables -P FORWARD DROP
-
-	# allow esp
-	ip6tables -A INPUT  -i eth0 -p 50 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-	# allow IKE
-	ip6tables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
-	# allow MobIKE
-	ip6tables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-	# allow ICMPv6 neighbor-solicitations
-	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-	
-	# allow ICMPv6 neighbor-advertisements
-	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-
-	# allow crl and certficate fetch from winnetou
-	ip6tables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP6_WINNETOU -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP6_WINNETOU -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	# log dropped packets
-	ip6tables -A INPUT  -j LOG --log-prefix " IN: "
-	ip6tables -A OUTPUT -j LOG --log-prefix " OUT: "
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/ip6tables -F -t $a
-			/sbin/ip6tables -X -t $a
-
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/ip6tables -t filter -P INPUT ACCEPT
-				/sbin/ip6tables -t filter -P FORWARD ACCEPT
-				/sbin/ip6tables -t filter -P OUTPUT ACCEPT
-
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/ip6tables -F -t $a
-			/sbin/ip6tables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/ipv6/transport-ikev2/hosts/sun/etc/init.d/iptables b/testing/tests/ipv6/transport-ikev2/hosts/sun/etc/init.d/iptables
deleted file mode 100755
index b3509f8df..000000000
--- a/testing/tests/ipv6/transport-ikev2/hosts/sun/etc/init.d/iptables
+++ /dev/null
@@ -1,104 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# enable IP forwarding
-	echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
-	echo 1 > /proc/sys/net/ipv4/ip_forward
-	
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	/sbin/ip6tables -P INPUT DROP
-	/sbin/ip6tables -P OUTPUT DROP
-	/sbin/ip6tables -P FORWARD DROP
-
-	# allow esp
-	ip6tables -A INPUT  -i eth0 -p 50 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-	# allow IKE
-	ip6tables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
-	# allow MobIKE
-	ip6tables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-	# allow ICMPv6 neighbor-solicitations
-	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-	
-	# allow ICMPv6 neighbor-advertisements
-	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-
-	# allow crl and certificate fetch from winnetou
-	ip6tables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP6_WINNETOU -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP6_WINNETOU -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	# log dropped packets
-	ip6tables -A INPUT  -j LOG --log-prefix " IN: "
-	ip6tables -A OUTPUT -j LOG --log-prefix " OUT: "
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/ip6tables -F -t $a
-			/sbin/ip6tables -X -t $a
-
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/ip6tables -t filter -P INPUT ACCEPT
-				/sbin/ip6tables -t filter -P FORWARD ACCEPT
-				/sbin/ip6tables -t filter -P OUTPUT ACCEPT
-
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/ip6tables -F -t $a
-			/sbin/ip6tables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/ipv6/transport-ikev2/posttest.dat b/testing/tests/ipv6/transport-ikev2/posttest.dat
index 5a9150bc8..d3bebd0c6 100644
--- a/testing/tests/ipv6/transport-ikev2/posttest.dat
+++ b/testing/tests/ipv6/transport-ikev2/posttest.dat
@@ -1,4 +1,6 @@
 moon::ipsec stop
 sun::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-sun::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
+moon::ip6tables-restore < /etc/ip6tables.flush
+sun::ip6tables-restore < /etc/ip6tables.flush
diff --git a/testing/tests/ipv6/transport-ikev2/pretest.dat b/testing/tests/ipv6/transport-ikev2/pretest.dat
index 7e97e7783..46c015387 100644
--- a/testing/tests/ipv6/transport-ikev2/pretest.dat
+++ b/testing/tests/ipv6/transport-ikev2/pretest.dat
@@ -1,7 +1,9 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-sun::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.drop
+sun::iptables-restore < /etc/iptables.drop
+moon::ip6tables-restore < /etc/ip6tables.rules
+sun::ip6tables-restore < /etc/ip6tables.rules
 moon::ipsec start
 sun::ipsec start
-moon::sleep 2 
+moon::expect-connection host-host
+sun::expect-connection host-host
 moon::ipsec up host-host
-moon::sleep 1
diff --git a/testing/tests/ipv6/transport-ikev2/test.conf b/testing/tests/ipv6/transport-ikev2/test.conf
index 6ab5b8a96..56df1a0da 100644
--- a/testing/tests/ipv6/transport-ikev2/test.conf
+++ b/testing/tests/ipv6/transport-ikev2/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="moon winnetou sun"
+VIRTHOSTS="moon winnetou sun"
  
 # Corresponding block diagram
 #
 DIAGRAM="m-w-s-ip6.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="sun"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon sun"
diff --git a/testing/tests/openssl-ikev1/alg-camellia/evaltest.dat b/testing/tests/openssl-ikev1/alg-camellia/evaltest.dat
index 5b5c94fb1..4d614bf7e 100644
--- a/testing/tests/openssl-ikev1/alg-camellia/evaltest.dat
+++ b/testing/tests/openssl-ikev1/alg-camellia/evaltest.dat
@@ -2,7 +2,7 @@ carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
 moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
 moon:: ipsec statusall 2> /dev/null::IKE proposal: CAMELLIA_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048::YES
 carol::ipsec statusall 2> /dev/null::IKE proposal: CAMELLIA_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048::YES
-carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_req=1::YES
 moon:: ipsec statusall 2> /dev/null::CAMELLIA_CBC_192/HMAC_SHA1_96::YES
 carol::ipsec statusall 2> /dev/null::CAMELLIA_CBC_192/HMAC_SHA1_96::YES
 moon:: ip xfrm state::enc cbc(camellia)::YES
diff --git a/testing/tests/openssl-ikev1/alg-camellia/posttest.dat b/testing/tests/openssl-ikev1/alg-camellia/posttest.dat
index 94a400606..046d4cfdc 100644
--- a/testing/tests/openssl-ikev1/alg-camellia/posttest.dat
+++ b/testing/tests/openssl-ikev1/alg-camellia/posttest.dat
@@ -1,4 +1,4 @@
 moon::ipsec stop
 carol::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/openssl-ikev1/alg-camellia/pretest.dat b/testing/tests/openssl-ikev1/alg-camellia/pretest.dat
index ed5498bfe..388339fb8 100644
--- a/testing/tests/openssl-ikev1/alg-camellia/pretest.dat
+++ b/testing/tests/openssl-ikev1/alg-camellia/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 carol::sleep 1
diff --git a/testing/tests/openssl-ikev1/alg-camellia/test.conf b/testing/tests/openssl-ikev1/alg-camellia/test.conf
index 9cd583b16..4a5fc470f 100644
--- a/testing/tests/openssl-ikev1/alg-camellia/test.conf
+++ b/testing/tests/openssl-ikev1/alg-camellia/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou"
+VIRTHOSTS="alice moon carol winnetou"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
diff --git a/testing/tests/openssl-ikev1/alg-ecp-high/evaltest.dat b/testing/tests/openssl-ikev1/alg-ecp-high/evaltest.dat
index 2ba48e5ce..ac7d8cd98 100644
--- a/testing/tests/openssl-ikev1/alg-ecp-high/evaltest.dat
+++ b/testing/tests/openssl-ikev1/alg-ecp-high/evaltest.dat
@@ -8,8 +8,8 @@ moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
 moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
 carol::ipsec statusall 2> /dev/null::home.*AES_CBC_192/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/ECP_384::YES
 dave:: ipsec statusall 2> /dev/null::home.*AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/ECP_521::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
 moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/openssl-ikev1/alg-ecp-high/posttest.dat b/testing/tests/openssl-ikev1/alg-ecp-high/posttest.dat
index 7cebd7f25..1865a1c60 100644
--- a/testing/tests/openssl-ikev1/alg-ecp-high/posttest.dat
+++ b/testing/tests/openssl-ikev1/alg-ecp-high/posttest.dat
@@ -1,6 +1,6 @@
 moon::ipsec stop
 carol::ipsec stop
 dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/openssl-ikev1/alg-ecp-high/pretest.dat b/testing/tests/openssl-ikev1/alg-ecp-high/pretest.dat
index 42e9d7c24..8bbea1412 100644
--- a/testing/tests/openssl-ikev1/alg-ecp-high/pretest.dat
+++ b/testing/tests/openssl-ikev1/alg-ecp-high/pretest.dat
@@ -1,6 +1,6 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
diff --git a/testing/tests/openssl-ikev1/alg-ecp-high/test.conf b/testing/tests/openssl-ikev1/alg-ecp-high/test.conf
index 70416826e..f29298850 100644
--- a/testing/tests/openssl-ikev1/alg-ecp-high/test.conf
+++ b/testing/tests/openssl-ikev1/alg-ecp-high/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/openssl-ikev1/alg-ecp-low/evaltest.dat b/testing/tests/openssl-ikev1/alg-ecp-low/evaltest.dat
index 6cf2438d4..178d541da 100644
--- a/testing/tests/openssl-ikev1/alg-ecp-low/evaltest.dat
+++ b/testing/tests/openssl-ikev1/alg-ecp-low/evaltest.dat
@@ -8,8 +8,8 @@ moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
 moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
 carol::ipsec statusall 2> /dev/null::home.*3DES_CBC/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_224::YES
 dave:: ipsec statusall 2> /dev/null::home.*AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
 moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/openssl-ikev1/alg-ecp-low/posttest.dat b/testing/tests/openssl-ikev1/alg-ecp-low/posttest.dat
index 7cebd7f25..1865a1c60 100644
--- a/testing/tests/openssl-ikev1/alg-ecp-low/posttest.dat
+++ b/testing/tests/openssl-ikev1/alg-ecp-low/posttest.dat
@@ -1,6 +1,6 @@
 moon::ipsec stop
 carol::ipsec stop
 dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/openssl-ikev1/alg-ecp-low/pretest.dat b/testing/tests/openssl-ikev1/alg-ecp-low/pretest.dat
index 42e9d7c24..8bbea1412 100644
--- a/testing/tests/openssl-ikev1/alg-ecp-low/pretest.dat
+++ b/testing/tests/openssl-ikev1/alg-ecp-low/pretest.dat
@@ -1,6 +1,6 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
diff --git a/testing/tests/openssl-ikev1/alg-ecp-low/test.conf b/testing/tests/openssl-ikev1/alg-ecp-low/test.conf
index 70416826e..f29298850 100644
--- a/testing/tests/openssl-ikev1/alg-ecp-low/test.conf
+++ b/testing/tests/openssl-ikev1/alg-ecp-low/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/evaltest.dat b/testing/tests/openssl-ikev1/ecdsa-certs/evaltest.dat
index 244ea0331..69c893f0c 100644
--- a/testing/tests/openssl-ikev1/ecdsa-certs/evaltest.dat
+++ b/testing/tests/openssl-ikev1/ecdsa-certs/evaltest.dat
@@ -12,8 +12,8 @@ moon:: cat /var/log/daemon.log::authentication of.*carol@strongswan.org.*with EC
 moon:: cat /var/log/daemon.log::authentication of.*dave@strongswan.org.*with ECDSA successful::YES
 carol::cat /var/log/daemon.log::authentication of.*moon.strongswan.org.*with ECDSA successful::YES
 dave:: cat /var/log/daemon.log::authentication of.*moon.strongswan.org.*with ECDSA successful::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
 moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/posttest.dat b/testing/tests/openssl-ikev1/ecdsa-certs/posttest.dat
index 7cebd7f25..1865a1c60 100644
--- a/testing/tests/openssl-ikev1/ecdsa-certs/posttest.dat
+++ b/testing/tests/openssl-ikev1/ecdsa-certs/posttest.dat
@@ -1,6 +1,6 @@
 moon::ipsec stop
 carol::ipsec stop
 dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/pretest.dat b/testing/tests/openssl-ikev1/ecdsa-certs/pretest.dat
index 42e9d7c24..8bbea1412 100644
--- a/testing/tests/openssl-ikev1/ecdsa-certs/pretest.dat
+++ b/testing/tests/openssl-ikev1/ecdsa-certs/pretest.dat
@@ -1,6 +1,6 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/test.conf b/testing/tests/openssl-ikev1/ecdsa-certs/test.conf
index 70416826e..f29298850 100644
--- a/testing/tests/openssl-ikev1/ecdsa-certs/test.conf
+++ b/testing/tests/openssl-ikev1/ecdsa-certs/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/openssl-ikev2/alg-blowfish/evaltest.dat b/testing/tests/openssl-ikev2/alg-blowfish/evaltest.dat
index 3787bdb68..cd83c56b4 100644
--- a/testing/tests/openssl-ikev2/alg-blowfish/evaltest.dat
+++ b/testing/tests/openssl-ikev2/alg-blowfish/evaltest.dat
@@ -4,8 +4,8 @@ moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*caro
 moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
 carol::ipsec statusall 2> /dev/null::IKE proposal: BLOWFISH_CBC_256/HMAC_SHA2_512_256::YES
 dave:: ipsec statusall 2> /dev/null::IKE proposal: BLOWFISH_CBC_128/HMAC_SHA2_256_128::YES
-carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave:: ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave:: ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_req=1::YES
 carol::ipsec statusall 2> /dev/null::BLOWFISH_CBC_192/HMAC_SHA2_384_192,::YES
 dave:: ipsec statusall 2> /dev/null::BLOWFISH_CBC_128/HMAC_SHA2_256_128,::YES
 carol::ip -s xfrm state::enc cbc(blowfish).*(192 bits)::YES
diff --git a/testing/tests/openssl-ikev2/alg-blowfish/posttest.dat b/testing/tests/openssl-ikev2/alg-blowfish/posttest.dat
index 7cebd7f25..1865a1c60 100644
--- a/testing/tests/openssl-ikev2/alg-blowfish/posttest.dat
+++ b/testing/tests/openssl-ikev2/alg-blowfish/posttest.dat
@@ -1,6 +1,6 @@
 moon::ipsec stop
 carol::ipsec stop
 dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/openssl-ikev2/alg-blowfish/pretest.dat b/testing/tests/openssl-ikev2/alg-blowfish/pretest.dat
index 42e9d7c24..8bbea1412 100644
--- a/testing/tests/openssl-ikev2/alg-blowfish/pretest.dat
+++ b/testing/tests/openssl-ikev2/alg-blowfish/pretest.dat
@@ -1,6 +1,6 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
diff --git a/testing/tests/openssl-ikev2/alg-blowfish/test.conf b/testing/tests/openssl-ikev2/alg-blowfish/test.conf
index 70416826e..f29298850 100644
--- a/testing/tests/openssl-ikev2/alg-blowfish/test.conf
+++ b/testing/tests/openssl-ikev2/alg-blowfish/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/openssl-ikev2/alg-camellia/evaltest.dat b/testing/tests/openssl-ikev2/alg-camellia/evaltest.dat
index 5b5c94fb1..4d614bf7e 100644
--- a/testing/tests/openssl-ikev2/alg-camellia/evaltest.dat
+++ b/testing/tests/openssl-ikev2/alg-camellia/evaltest.dat
@@ -2,7 +2,7 @@ carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
 moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
 moon:: ipsec statusall 2> /dev/null::IKE proposal: CAMELLIA_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048::YES
 carol::ipsec statusall 2> /dev/null::IKE proposal: CAMELLIA_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048::YES
-carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_req=1::YES
 moon:: ipsec statusall 2> /dev/null::CAMELLIA_CBC_192/HMAC_SHA1_96::YES
 carol::ipsec statusall 2> /dev/null::CAMELLIA_CBC_192/HMAC_SHA1_96::YES
 moon:: ip xfrm state::enc cbc(camellia)::YES
diff --git a/testing/tests/openssl-ikev2/alg-camellia/posttest.dat b/testing/tests/openssl-ikev2/alg-camellia/posttest.dat
index 94a400606..046d4cfdc 100644
--- a/testing/tests/openssl-ikev2/alg-camellia/posttest.dat
+++ b/testing/tests/openssl-ikev2/alg-camellia/posttest.dat
@@ -1,4 +1,4 @@
 moon::ipsec stop
 carol::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/openssl-ikev2/alg-camellia/pretest.dat b/testing/tests/openssl-ikev2/alg-camellia/pretest.dat
index 3c3df0196..886fdf55c 100644
--- a/testing/tests/openssl-ikev2/alg-camellia/pretest.dat
+++ b/testing/tests/openssl-ikev2/alg-camellia/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 carol::sleep 1 
diff --git a/testing/tests/openssl-ikev2/alg-camellia/test.conf b/testing/tests/openssl-ikev2/alg-camellia/test.conf
index 9cd583b16..4a5fc470f 100644
--- a/testing/tests/openssl-ikev2/alg-camellia/test.conf
+++ b/testing/tests/openssl-ikev2/alg-camellia/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou"
+VIRTHOSTS="alice moon carol winnetou"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
diff --git a/testing/tests/openssl-ikev2/alg-ecp-high/evaltest.dat b/testing/tests/openssl-ikev2/alg-ecp-high/evaltest.dat
index 2540eb106..375ed86a1 100644
--- a/testing/tests/openssl-ikev2/alg-ecp-high/evaltest.dat
+++ b/testing/tests/openssl-ikev2/alg-ecp-high/evaltest.dat
@@ -10,8 +10,8 @@ carol::cat /var/log/daemon.log::ECP_256.*ECP_384::YES
 dave:: cat /var/log/daemon.log::ECP_256.*ECP_521::YES
 carol::ipsec statusall 2> /dev/null::home.*AES_CBC_192/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/ECP_384::YES
 dave:: ipsec statusall 2> /dev/null::home.*AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/ECP_521::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
 moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/openssl-ikev2/alg-ecp-high/posttest.dat b/testing/tests/openssl-ikev2/alg-ecp-high/posttest.dat
index 7cebd7f25..1865a1c60 100644
--- a/testing/tests/openssl-ikev2/alg-ecp-high/posttest.dat
+++ b/testing/tests/openssl-ikev2/alg-ecp-high/posttest.dat
@@ -1,6 +1,6 @@
 moon::ipsec stop
 carol::ipsec stop
 dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/openssl-ikev2/alg-ecp-high/pretest.dat b/testing/tests/openssl-ikev2/alg-ecp-high/pretest.dat
index 42e9d7c24..8bbea1412 100644
--- a/testing/tests/openssl-ikev2/alg-ecp-high/pretest.dat
+++ b/testing/tests/openssl-ikev2/alg-ecp-high/pretest.dat
@@ -1,6 +1,6 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
diff --git a/testing/tests/openssl-ikev2/alg-ecp-high/test.conf b/testing/tests/openssl-ikev2/alg-ecp-high/test.conf
index 70416826e..f29298850 100644
--- a/testing/tests/openssl-ikev2/alg-ecp-high/test.conf
+++ b/testing/tests/openssl-ikev2/alg-ecp-high/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/openssl-ikev2/alg-ecp-low/evaltest.dat b/testing/tests/openssl-ikev2/alg-ecp-low/evaltest.dat
index f82159e7c..c46ed1dd2 100644
--- a/testing/tests/openssl-ikev2/alg-ecp-low/evaltest.dat
+++ b/testing/tests/openssl-ikev2/alg-ecp-low/evaltest.dat
@@ -10,8 +10,8 @@ carol::cat /var/log/daemon.log::ECP_192.*ECP_224::YES
 dave:: cat /var/log/daemon.log::ECP_192.*ECP_256::YES
 carol::ipsec statusall 2> /dev/null::home.*3DES_CBC/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_224::YES
 dave:: ipsec statusall 2> /dev/null::home.*AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
 moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/openssl-ikev2/alg-ecp-low/posttest.dat b/testing/tests/openssl-ikev2/alg-ecp-low/posttest.dat
index 7cebd7f25..1865a1c60 100644
--- a/testing/tests/openssl-ikev2/alg-ecp-low/posttest.dat
+++ b/testing/tests/openssl-ikev2/alg-ecp-low/posttest.dat
@@ -1,6 +1,6 @@
 moon::ipsec stop
 carol::ipsec stop
 dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/openssl-ikev2/alg-ecp-low/pretest.dat b/testing/tests/openssl-ikev2/alg-ecp-low/pretest.dat
index 42e9d7c24..8bbea1412 100644
--- a/testing/tests/openssl-ikev2/alg-ecp-low/pretest.dat
+++ b/testing/tests/openssl-ikev2/alg-ecp-low/pretest.dat
@@ -1,6 +1,6 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
diff --git a/testing/tests/openssl-ikev2/alg-ecp-low/test.conf b/testing/tests/openssl-ikev2/alg-ecp-low/test.conf
index 70416826e..f29298850 100644
--- a/testing/tests/openssl-ikev2/alg-ecp-low/test.conf
+++ b/testing/tests/openssl-ikev2/alg-ecp-low/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/openssl-ikev2/critical-extension/posttest.dat b/testing/tests/openssl-ikev2/critical-extension/posttest.dat
index a4c96e10f..837738fc6 100644
--- a/testing/tests/openssl-ikev2/critical-extension/posttest.dat
+++ b/testing/tests/openssl-ikev2/critical-extension/posttest.dat
@@ -1,5 +1,5 @@
 moon::ipsec stop
 sun::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-sun::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
 
diff --git a/testing/tests/openssl-ikev2/critical-extension/pretest.dat b/testing/tests/openssl-ikev2/critical-extension/pretest.dat
index 2d7a78acb..c724e5df8 100644
--- a/testing/tests/openssl-ikev2/critical-extension/pretest.dat
+++ b/testing/tests/openssl-ikev2/critical-extension/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-sun::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 sun::ipsec start
 moon::sleep 1 
diff --git a/testing/tests/openssl-ikev2/critical-extension/test.conf b/testing/tests/openssl-ikev2/critical-extension/test.conf
index 41ee3037e..b286ef6eb 100644
--- a/testing/tests/openssl-ikev2/critical-extension/test.conf
+++ b/testing/tests/openssl-ikev2/critical-extension/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon winnetou sun bob"
+VIRTHOSTS="alice moon winnetou sun bob"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-w-s-b.png"
  
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS=""
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon sun"
diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/evaltest.dat b/testing/tests/openssl-ikev2/ecdsa-certs/evaltest.dat
index 5918faa8c..0110bb996 100644
--- a/testing/tests/openssl-ikev2/ecdsa-certs/evaltest.dat
+++ b/testing/tests/openssl-ikev2/ecdsa-certs/evaltest.dat
@@ -10,8 +10,8 @@ moon:: cat /var/log/daemon.log::authentication of.*carol@strongswan.org.*with EC
 moon:: cat /var/log/daemon.log::authentication of.*dave@strongswan.org.*with ECDSA-384 signature successful::YES
 carol::cat /var/log/daemon.log::authentication of.*moon.strongswan.org.*with ECDSA-521 signature successful::YES
 dave:: cat /var/log/daemon.log::authentication of.*moon.strongswan.org.*with ECDSA-521 signature successful::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
 moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/posttest.dat b/testing/tests/openssl-ikev2/ecdsa-certs/posttest.dat
index 7cebd7f25..1865a1c60 100644
--- a/testing/tests/openssl-ikev2/ecdsa-certs/posttest.dat
+++ b/testing/tests/openssl-ikev2/ecdsa-certs/posttest.dat
@@ -1,6 +1,6 @@
 moon::ipsec stop
 carol::ipsec stop
 dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/pretest.dat b/testing/tests/openssl-ikev2/ecdsa-certs/pretest.dat
index 42e9d7c24..8bbea1412 100644
--- a/testing/tests/openssl-ikev2/ecdsa-certs/pretest.dat
+++ b/testing/tests/openssl-ikev2/ecdsa-certs/pretest.dat
@@ -1,6 +1,6 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/test.conf b/testing/tests/openssl-ikev2/ecdsa-certs/test.conf
index 70416826e..f29298850 100644
--- a/testing/tests/openssl-ikev2/ecdsa-certs/test.conf
+++ b/testing/tests/openssl-ikev2/ecdsa-certs/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/openssl-ikev2/ecdsa-pkcs8/evaltest.dat b/testing/tests/openssl-ikev2/ecdsa-pkcs8/evaltest.dat
index 52913759f..8a4215dcc 100644
--- a/testing/tests/openssl-ikev2/ecdsa-pkcs8/evaltest.dat
+++ b/testing/tests/openssl-ikev2/ecdsa-pkcs8/evaltest.dat
@@ -6,8 +6,8 @@ moon:: cat /var/log/daemon.log::authentication of.*carol@strongswan.org.*with EC
 moon:: cat /var/log/daemon.log::authentication of.*dave@strongswan.org.*with ECDSA-384 signature successful::YES
 carol::cat /var/log/daemon.log::authentication of.*moon.strongswan.org.*with ECDSA-521 signature successful::YES
 dave:: cat /var/log/daemon.log::authentication of.*moon.strongswan.org.*with ECDSA-521 signature successful::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
 moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/openssl-ikev2/ecdsa-pkcs8/posttest.dat b/testing/tests/openssl-ikev2/ecdsa-pkcs8/posttest.dat
index 7cebd7f25..1865a1c60 100644
--- a/testing/tests/openssl-ikev2/ecdsa-pkcs8/posttest.dat
+++ b/testing/tests/openssl-ikev2/ecdsa-pkcs8/posttest.dat
@@ -1,6 +1,6 @@
 moon::ipsec stop
 carol::ipsec stop
 dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/openssl-ikev2/ecdsa-pkcs8/pretest.dat b/testing/tests/openssl-ikev2/ecdsa-pkcs8/pretest.dat
index 42e9d7c24..8bbea1412 100644
--- a/testing/tests/openssl-ikev2/ecdsa-pkcs8/pretest.dat
+++ b/testing/tests/openssl-ikev2/ecdsa-pkcs8/pretest.dat
@@ -1,6 +1,6 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
diff --git a/testing/tests/openssl-ikev2/ecdsa-pkcs8/test.conf b/testing/tests/openssl-ikev2/ecdsa-pkcs8/test.conf
index 70416826e..f29298850 100644
--- a/testing/tests/openssl-ikev2/ecdsa-pkcs8/test.conf
+++ b/testing/tests/openssl-ikev2/ecdsa-pkcs8/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/openssl-ikev2/rw-cert/evaltest.dat b/testing/tests/openssl-ikev2/rw-cert/evaltest.dat
index f8cfb111b..ba661975b 100644
--- a/testing/tests/openssl-ikev2/rw-cert/evaltest.dat
+++ b/testing/tests/openssl-ikev2/rw-cert/evaltest.dat
@@ -6,8 +6,8 @@ carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
 dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
 moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
 moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
 moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/openssl-ikev2/rw-cert/posttest.dat b/testing/tests/openssl-ikev2/rw-cert/posttest.dat
index 7cebd7f25..1865a1c60 100644
--- a/testing/tests/openssl-ikev2/rw-cert/posttest.dat
+++ b/testing/tests/openssl-ikev2/rw-cert/posttest.dat
@@ -1,6 +1,6 @@
 moon::ipsec stop
 carol::ipsec stop
 dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/openssl-ikev2/rw-cert/pretest.dat b/testing/tests/openssl-ikev2/rw-cert/pretest.dat
index 42e9d7c24..8bbea1412 100644
--- a/testing/tests/openssl-ikev2/rw-cert/pretest.dat
+++ b/testing/tests/openssl-ikev2/rw-cert/pretest.dat
@@ -1,6 +1,6 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
diff --git a/testing/tests/openssl-ikev2/rw-cert/test.conf b/testing/tests/openssl-ikev2/rw-cert/test.conf
index 70416826e..f29298850 100644
--- a/testing/tests/openssl-ikev2/rw-cert/test.conf
+++ b/testing/tests/openssl-ikev2/rw-cert/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/openssl-ikev2/rw-eap-tls-only/evaltest.dat b/testing/tests/openssl-ikev2/rw-eap-tls-only/evaltest.dat
index e476da03f..1ae780e4b 100644
--- a/testing/tests/openssl-ikev2/rw-eap-tls-only/evaltest.dat
+++ b/testing/tests/openssl-ikev2/rw-eap-tls-only/evaltest.dat
@@ -5,6 +5,6 @@ carol::cat /var/log/daemon.log::negotiated TLS 1.2 using suite TLS_ECDHE_ECDSA_W
 carol::cat /var/log/daemon.log::allow mutual EAP-only authentication::YES
 carol::cat /var/log/daemon.log::authentication of 'C=CH, O=Linux strongSwan, OU=ECDSA 521 bit, CN=moon.strongswan.org' with EAP successful::YES
 moon:: cat /var/log/daemon.log::authentication of 'C=CH, O=Linux strongSwan, OU=ECDSA 256 bit, CN=carol@strongswan.org' with EAP successful::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/openssl-ikev2/rw-eap-tls-only/posttest.dat b/testing/tests/openssl-ikev2/rw-eap-tls-only/posttest.dat
index 94a400606..046d4cfdc 100644
--- a/testing/tests/openssl-ikev2/rw-eap-tls-only/posttest.dat
+++ b/testing/tests/openssl-ikev2/rw-eap-tls-only/posttest.dat
@@ -1,4 +1,4 @@
 moon::ipsec stop
 carol::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/openssl-ikev2/rw-eap-tls-only/pretest.dat b/testing/tests/openssl-ikev2/rw-eap-tls-only/pretest.dat
index ed5498bfe..388339fb8 100644
--- a/testing/tests/openssl-ikev2/rw-eap-tls-only/pretest.dat
+++ b/testing/tests/openssl-ikev2/rw-eap-tls-only/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 carol::sleep 1
diff --git a/testing/tests/openssl-ikev2/rw-eap-tls-only/test.conf b/testing/tests/openssl-ikev2/rw-eap-tls-only/test.conf
index 9cd583b16..4a5fc470f 100644
--- a/testing/tests/openssl-ikev2/rw-eap-tls-only/test.conf
+++ b/testing/tests/openssl-ikev2/rw-eap-tls-only/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou"
+VIRTHOSTS="alice moon carol winnetou"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
diff --git a/testing/tests/p2pnat/behind-same-nat/evaltest.dat b/testing/tests/p2pnat/behind-same-nat/evaltest.dat
index 8c79a28c1..378520596 100644
--- a/testing/tests/p2pnat/behind-same-nat/evaltest.dat
+++ b/testing/tests/p2pnat/behind-same-nat/evaltest.dat
@@ -7,5 +7,5 @@ alice::ipsec status 2> /dev/null::peer.*ESTABLISHED.*alice@strongswan.org.*venus
 venus::ipsec status 2> /dev/null::peer.*ESTABLISHED.*venus.strongswan.org.*alice@strongswan.org::YES
 alice::ipsec status 2> /dev/null::peer.*INSTALLED, TUNNEL::YES
 venus::ipsec status 2> /dev/null::peer.*INSTALLED, TUNNEL::YES
-alice::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_seq=1::YES
-venus::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+alice::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES
+venus::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
diff --git a/testing/tests/p2pnat/behind-same-nat/hosts/alice/etc/init.d/iptables b/testing/tests/p2pnat/behind-same-nat/hosts/alice/etc/init.d/iptables
deleted file mode 100755
index 1eb88c15c..000000000
--- a/testing/tests/p2pnat/behind-same-nat/hosts/alice/etc/init.d/iptables
+++ /dev/null
@@ -1,78 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	# allow esp
-	iptables -A INPUT  -i eth0 -p 50 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-	
-	# allow IKE
-        iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-        iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-			
-	# allow NAT-T 
-	iptables -A INPUT  -i eth0 -p udp --dport 4500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --sport 4500 -j ACCEPT
-
-
-	# allow crl fetch from winnetou
-	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/p2pnat/behind-same-nat/hosts/alice/etc/iptables.rules b/testing/tests/p2pnat/behind-same-nat/hosts/alice/etc/iptables.rules
new file mode 100644
index 000000000..da385d22a
--- /dev/null
+++ b/testing/tests/p2pnat/behind-same-nat/hosts/alice/etc/iptables.rules
@@ -0,0 +1,28 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow esp
+-A INPUT  -i eth0 -p 50 -j ACCEPT
+-A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+# allow IKE
+-A INPUT  -i eth0 -p udp --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT  -i eth0 -p udp --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT  -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/p2pnat/behind-same-nat/hosts/carol/etc/init.d/iptables b/testing/tests/p2pnat/behind-same-nat/hosts/carol/etc/init.d/iptables
deleted file mode 100755
index 40510ce60..000000000
--- a/testing/tests/p2pnat/behind-same-nat/hosts/carol/etc/init.d/iptables
+++ /dev/null
@@ -1,77 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	# allow esp
-	iptables -A INPUT  -i eth0 -p 50 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-	# allow IKE behind NAT
-	iptables -A INPUT  -i eth0 -p udp --dport 500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --sport 500 -j ACCEPT
-
-	# allow NAT-T
-	iptables -A INPUT  -i eth0 -p udp --dport 4500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --sport 4500 -j ACCEPT
-
-	# allow crl fetch from winnetou
-	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/p2pnat/behind-same-nat/hosts/carol/etc/iptables.rules b/testing/tests/p2pnat/behind-same-nat/hosts/carol/etc/iptables.rules
new file mode 100644
index 000000000..ae8f9a61e
--- /dev/null
+++ b/testing/tests/p2pnat/behind-same-nat/hosts/carol/etc/iptables.rules
@@ -0,0 +1,24 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow IKE
+-A INPUT  -i eth0 -p udp --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT  -i eth0 -p udp --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT  -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/p2pnat/behind-same-nat/hosts/venus/etc/init.d/iptables b/testing/tests/p2pnat/behind-same-nat/hosts/venus/etc/init.d/iptables
deleted file mode 100755
index 6fca87b4a..000000000
--- a/testing/tests/p2pnat/behind-same-nat/hosts/venus/etc/init.d/iptables
+++ /dev/null
@@ -1,78 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-        # allow esp
-	iptables -A INPUT  -i eth0 -p 50 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-	# allow IKE
-        iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-        iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-			
-	# allow NAT-T
-	iptables -A INPUT  -i eth0 -p udp --dport 4500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --sport 4500 -j ACCEPT
-
-
-	# allow crl fetch from winnetou
-	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/p2pnat/behind-same-nat/hosts/venus/etc/iptables.rules b/testing/tests/p2pnat/behind-same-nat/hosts/venus/etc/iptables.rules
new file mode 100644
index 000000000..da385d22a
--- /dev/null
+++ b/testing/tests/p2pnat/behind-same-nat/hosts/venus/etc/iptables.rules
@@ -0,0 +1,28 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow esp
+-A INPUT  -i eth0 -p 50 -j ACCEPT
+-A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+# allow IKE
+-A INPUT  -i eth0 -p udp --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT  -i eth0 -p udp --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT  -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/p2pnat/behind-same-nat/posttest.dat b/testing/tests/p2pnat/behind-same-nat/posttest.dat
index 36cd0f36d..a1d5b4612 100644
--- a/testing/tests/p2pnat/behind-same-nat/posttest.dat
+++ b/testing/tests/p2pnat/behind-same-nat/posttest.dat
@@ -1,8 +1,8 @@
 venus::ipsec stop
 alice::ipsec stop
 carol::ipsec stop
-alice::/etc/init.d/iptables stop 2> /dev/null
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-venus::/etc/init.d/iptables stop 2> /dev/null
+alice::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+venus::iptables-restore < /etc/iptables.flush
+moon::iptables-restore < /etc/iptables.flush
 moon::conntrack -F
diff --git a/testing/tests/p2pnat/behind-same-nat/pretest.dat b/testing/tests/p2pnat/behind-same-nat/pretest.dat
index f1e33dc39..eb1d67fa2 100644
--- a/testing/tests/p2pnat/behind-same-nat/pretest.dat
+++ b/testing/tests/p2pnat/behind-same-nat/pretest.dat
@@ -1,7 +1,7 @@
-alice::/etc/init.d/iptables start 2> /dev/null
-venus::/etc/init.d/iptables start 2> /dev/null
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
+alice::iptables-restore < /etc/iptables.rules
+venus::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+moon::iptables-restore < /etc/iptables.rules
 moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p udp -j SNAT --to-source PH_IP_MOON:1100-1200
 moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p tcp -j SNAT --to-source PH_IP_MOON:2000-2100
 moon::iptables -A FORWARD -i eth1 -o eth0 -s 10.1.0.0/16  -j ACCEPT
@@ -10,5 +10,5 @@ carol::ipsec start
 carol::sleep 1
 alice::ipsec start
 alice::sleep 1
-venus::ipsec start 
-venus::sleep 4 
+venus::ipsec start
+venus::sleep 4
diff --git a/testing/tests/p2pnat/behind-same-nat/test.conf b/testing/tests/p2pnat/behind-same-nat/test.conf
index f98a0ab1b..fe44ff97b 100644
--- a/testing/tests/p2pnat/behind-same-nat/test.conf
+++ b/testing/tests/p2pnat/behind-same-nat/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice venus moon carol winnetou"
+VIRTHOSTS="alice venus moon carol winnetou"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-v-m-c-w-med.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="alice venus carol"
diff --git a/testing/tests/p2pnat/medsrv-psk/evaltest.dat b/testing/tests/p2pnat/medsrv-psk/evaltest.dat
index 1b89c7ebe..2c6080775 100644
--- a/testing/tests/p2pnat/medsrv-psk/evaltest.dat
+++ b/testing/tests/p2pnat/medsrv-psk/evaltest.dat
@@ -6,7 +6,7 @@ alice::ipsec status 2> /dev/null::peer.*ESTABLISHED.*alice@strongswan.org.*bob@s
 bob::  ipsec status 2> /dev/null::peer.*ESTABLISHED.*bob@strongswan.org.*alice@strongswan.org::YES
 alice::ipsec status 2> /dev/null::peer.*INSTALLED, TUNNEL::YES
 bob::  ipsec status 2> /dev/null::peer.*INSTALLED, TUNNEL::YES
-alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
-bob::  ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
+bob::  ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
 moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.*: UDP::YES
 moon::tcpdump::IP sun.strongswan.org.* > moon.strongswan.org.*: UDP::YES
diff --git a/testing/tests/p2pnat/medsrv-psk/hosts/alice/etc/init.d/iptables b/testing/tests/p2pnat/medsrv-psk/hosts/alice/etc/init.d/iptables
deleted file mode 100755
index c6371c745..000000000
--- a/testing/tests/p2pnat/medsrv-psk/hosts/alice/etc/init.d/iptables
+++ /dev/null
@@ -1,74 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	# allow IKE
-        iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-        iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-			
-	# allow NAT-T
-	iptables -A INPUT  -i eth0 -p udp --dport 4500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --sport 4500 -j ACCEPT
-
-
-	# allow crl fetch from winnetou
-	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/p2pnat/medsrv-psk/hosts/alice/etc/iptables.rules b/testing/tests/p2pnat/medsrv-psk/hosts/alice/etc/iptables.rules
new file mode 100644
index 000000000..ae8f9a61e
--- /dev/null
+++ b/testing/tests/p2pnat/medsrv-psk/hosts/alice/etc/iptables.rules
@@ -0,0 +1,24 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow IKE
+-A INPUT  -i eth0 -p udp --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT  -i eth0 -p udp --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT  -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/p2pnat/medsrv-psk/hosts/bob/etc/iptables.rules b/testing/tests/p2pnat/medsrv-psk/hosts/bob/etc/iptables.rules
new file mode 100644
index 000000000..ae8f9a61e
--- /dev/null
+++ b/testing/tests/p2pnat/medsrv-psk/hosts/bob/etc/iptables.rules
@@ -0,0 +1,24 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow IKE
+-A INPUT  -i eth0 -p udp --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT  -i eth0 -p udp --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT  -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/p2pnat/medsrv-psk/hosts/carol/etc/init.d/iptables b/testing/tests/p2pnat/medsrv-psk/hosts/carol/etc/init.d/iptables
deleted file mode 100755
index 40510ce60..000000000
--- a/testing/tests/p2pnat/medsrv-psk/hosts/carol/etc/init.d/iptables
+++ /dev/null
@@ -1,77 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	# allow esp
-	iptables -A INPUT  -i eth0 -p 50 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-	# allow IKE behind NAT
-	iptables -A INPUT  -i eth0 -p udp --dport 500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --sport 500 -j ACCEPT
-
-	# allow NAT-T
-	iptables -A INPUT  -i eth0 -p udp --dport 4500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --sport 4500 -j ACCEPT
-
-	# allow crl fetch from winnetou
-	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/p2pnat/medsrv-psk/hosts/carol/etc/iptables.rules b/testing/tests/p2pnat/medsrv-psk/hosts/carol/etc/iptables.rules
new file mode 100644
index 000000000..ae8f9a61e
--- /dev/null
+++ b/testing/tests/p2pnat/medsrv-psk/hosts/carol/etc/iptables.rules
@@ -0,0 +1,24 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow IKE
+-A INPUT  -i eth0 -p udp --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT  -i eth0 -p udp --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT  -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/p2pnat/medsrv-psk/posttest.dat b/testing/tests/p2pnat/medsrv-psk/posttest.dat
index ca3cebc0a..4b696b90f 100644
--- a/testing/tests/p2pnat/medsrv-psk/posttest.dat
+++ b/testing/tests/p2pnat/medsrv-psk/posttest.dat
@@ -1,10 +1,10 @@
 bob::ipsec stop
 alice::ipsec stop
 carol::ipsec stop
-alice::/etc/init.d/iptables stop 2> /dev/null
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-sun::/etc/init.d/iptables stop 2> /dev/null
-bob::/etc/init.d/iptables stop 2> /dev/null
+alice::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+bob::iptables-restore < /etc/iptables.flush
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
 moon::conntrack -F
 sun::conntrack -F
diff --git a/testing/tests/p2pnat/medsrv-psk/pretest.dat b/testing/tests/p2pnat/medsrv-psk/pretest.dat
index fba7be01d..09b658318 100644
--- a/testing/tests/p2pnat/medsrv-psk/pretest.dat
+++ b/testing/tests/p2pnat/medsrv-psk/pretest.dat
@@ -1,8 +1,8 @@
-alice::/etc/init.d/iptables start 2> /dev/null
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-sun::/etc/init.d/iptables start 2> /dev/null
-bob::/etc/init.d/iptables start 2> /dev/null
+alice::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+bob::iptables-restore < /etc/iptables.rules
+moon::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
 moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p udp -j SNAT --to-source PH_IP_MOON:1100-1200
 moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p tcp -j SNAT --to-source PH_IP_MOON:2000-2100
 moon::iptables -A FORWARD -i eth1 -o eth0 -s 10.1.0.0/16  -j ACCEPT
@@ -15,5 +15,5 @@ carol::ipsec start
 carol::sleep 1
 bob::ipsec start
 bob::sleep 1
-alice::ipsec start 
-alice::sleep 4 
+alice::ipsec start
+alice::sleep 4
diff --git a/testing/tests/p2pnat/medsrv-psk/test.conf b/testing/tests/p2pnat/medsrv-psk/test.conf
index 2dc4cd8c1..a1c6b8c15 100644
--- a/testing/tests/p2pnat/medsrv-psk/test.conf
+++ b/testing/tests/p2pnat/medsrv-psk/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou sun bob"
+VIRTHOSTS="alice moon carol winnetou sun bob"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w-s-b-med.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="alice carol bob"
diff --git a/testing/tests/pfkey/alg-aes-xcbc/evaltest.dat b/testing/tests/pfkey/alg-aes-xcbc/evaltest.dat
index 9ca168e82..590b7fe9c 100644
--- a/testing/tests/pfkey/alg-aes-xcbc/evaltest.dat
+++ b/testing/tests/pfkey/alg-aes-xcbc/evaltest.dat
@@ -4,10 +4,10 @@ moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
 carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
 moon:: ipsec statusall 2> /dev/null::rw.*IKE proposal.*AES_CBC_128/AES_XCBC_96/PRF_AES128_XCBC/MODP_2048::YES
 carol::ipsec statusall 2> /dev/null::home.*IKE proposal.*AES_CBC_128/AES_XCBC_96/PRF_AES128_XCBC/MODP_2048::YES
-carol::ping -c 1 -s 120 -p deadbeef 10.1.0.10::128 bytes from 10.1.0.10: icmp_seq=1::YES
+carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_req=1::YES
 moon:: ipsec statusall 2> /dev/null::rw.*AES_CBC_128/AES_XCBC_96,::YES
 carol::ipsec statusall 2> /dev/null::home.*AES_CBC_128/AES_XCBC_96,::YES
-moon:: ip xfrm state::auth xcbc(aes)::YES
-carol::ip xfrm state::auth xcbc(aes)::YES
+moon:: ip xfrm state::auth-trunc xcbc(aes)::YES
+carol::ip xfrm state::auth-trunc xcbc(aes)::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 196::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 196::YES
diff --git a/testing/tests/pfkey/alg-aes-xcbc/posttest.dat b/testing/tests/pfkey/alg-aes-xcbc/posttest.dat
index 94a400606..046d4cfdc 100644
--- a/testing/tests/pfkey/alg-aes-xcbc/posttest.dat
+++ b/testing/tests/pfkey/alg-aes-xcbc/posttest.dat
@@ -1,4 +1,4 @@
 moon::ipsec stop
 carol::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/pfkey/alg-aes-xcbc/pretest.dat b/testing/tests/pfkey/alg-aes-xcbc/pretest.dat
index f360351e1..4fc25772b 100644
--- a/testing/tests/pfkey/alg-aes-xcbc/pretest.dat
+++ b/testing/tests/pfkey/alg-aes-xcbc/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 carol::sleep 1 
diff --git a/testing/tests/pfkey/alg-aes-xcbc/test.conf b/testing/tests/pfkey/alg-aes-xcbc/test.conf
index 9cd583b16..4a5fc470f 100644
--- a/testing/tests/pfkey/alg-aes-xcbc/test.conf
+++ b/testing/tests/pfkey/alg-aes-xcbc/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou"
+VIRTHOSTS="alice moon carol winnetou"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
diff --git a/testing/tests/pfkey/alg-sha384/evaltest.dat b/testing/tests/pfkey/alg-sha384/evaltest.dat
index 21b3d5a4f..3b24217c5 100644
--- a/testing/tests/pfkey/alg-sha384/evaltest.dat
+++ b/testing/tests/pfkey/alg-sha384/evaltest.dat
@@ -4,10 +4,10 @@ moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
 carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
 moon:: ipsec statusall 2> /dev/null::rw.*IKE proposal.*AES_CBC_192/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_3072::YES
 carol::ipsec statusall 2> /dev/null::home.*IKE proposal.*AES_CBC_192/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_3072::YES
-carol::ping -c 1 -s 120 -p deadbeef 10.1.0.10::128 bytes from 10.1.0.10: icmp_seq=1::YES
+carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_req=1::YES
 moon:: ipsec statusall 2> /dev/null::rw.*AES_CBC_192/HMAC_SHA2_384_192,::YES
 carol::ipsec statusall 2> /dev/null::home.*AES_CBC_192/HMAC_SHA2_384_192,::YES
-moon:: ip xfrm state::auth hmac(sha384)::YES
-carol::ip xfrm state::auth hmac(sha384)::YES
+moon:: ip xfrm state::auth-trunc hmac(sha384)::YES
+carol::ip xfrm state::auth-trunc hmac(sha384)::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 208::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 208::YES
diff --git a/testing/tests/pfkey/alg-sha384/posttest.dat b/testing/tests/pfkey/alg-sha384/posttest.dat
index 94a400606..046d4cfdc 100644
--- a/testing/tests/pfkey/alg-sha384/posttest.dat
+++ b/testing/tests/pfkey/alg-sha384/posttest.dat
@@ -1,4 +1,4 @@
 moon::ipsec stop
 carol::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/pfkey/alg-sha384/pretest.dat b/testing/tests/pfkey/alg-sha384/pretest.dat
index f360351e1..4fc25772b 100644
--- a/testing/tests/pfkey/alg-sha384/pretest.dat
+++ b/testing/tests/pfkey/alg-sha384/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 carol::sleep 1 
diff --git a/testing/tests/pfkey/alg-sha384/test.conf b/testing/tests/pfkey/alg-sha384/test.conf
index 9cd583b16..4a5fc470f 100644
--- a/testing/tests/pfkey/alg-sha384/test.conf
+++ b/testing/tests/pfkey/alg-sha384/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou"
+VIRTHOSTS="alice moon carol winnetou"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
diff --git a/testing/tests/pfkey/alg-sha512/evaltest.dat b/testing/tests/pfkey/alg-sha512/evaltest.dat
index 7b94d2182..6bdceeb44 100644
--- a/testing/tests/pfkey/alg-sha512/evaltest.dat
+++ b/testing/tests/pfkey/alg-sha512/evaltest.dat
@@ -4,10 +4,10 @@ moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
 carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
 moon:: ipsec statusall 2> /dev/null::rw.*IKE proposal.*AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_4096::YES
 carol::ipsec statusall 2> /dev/null::home.*IKE proposal.*AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_4096::YES
-carol::ping -c 1 -s 120 -p deadbeef 10.1.0.10::128 bytes from 10.1.0.10: icmp_seq=1::YES
+carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_req=1::YES
 moon:: ipsec statusall 2> /dev/null::rw.*AES_CBC_256/HMAC_SHA2_512_256,::YES
 carol::ipsec statusall 2> /dev/null::home.*AES_CBC_256/HMAC_SHA2_512_256,::YES
-moon:: ip xfrm state::auth hmac(sha512)::YES
-carol::ip xfrm state::auth hmac(sha512)::YES
+moon:: ip xfrm state::auth-trunc hmac(sha512)::YES
+carol::ip xfrm state::auth-trunc hmac(sha512)::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 216::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 216::YES
diff --git a/testing/tests/pfkey/alg-sha512/posttest.dat b/testing/tests/pfkey/alg-sha512/posttest.dat
index 94a400606..046d4cfdc 100644
--- a/testing/tests/pfkey/alg-sha512/posttest.dat
+++ b/testing/tests/pfkey/alg-sha512/posttest.dat
@@ -1,4 +1,4 @@
 moon::ipsec stop
 carol::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/pfkey/alg-sha512/pretest.dat b/testing/tests/pfkey/alg-sha512/pretest.dat
index f360351e1..4fc25772b 100644
--- a/testing/tests/pfkey/alg-sha512/pretest.dat
+++ b/testing/tests/pfkey/alg-sha512/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 carol::sleep 1 
diff --git a/testing/tests/pfkey/alg-sha512/test.conf b/testing/tests/pfkey/alg-sha512/test.conf
index 9cd583b16..4a5fc470f 100644
--- a/testing/tests/pfkey/alg-sha512/test.conf
+++ b/testing/tests/pfkey/alg-sha512/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou"
+VIRTHOSTS="alice moon carol winnetou"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
diff --git a/testing/tests/pfkey/esp-alg-null/evaltest.dat b/testing/tests/pfkey/esp-alg-null/evaltest.dat
index 271e274c8..c50b188bb 100644
--- a/testing/tests/pfkey/esp-alg-null/evaltest.dat
+++ b/testing/tests/pfkey/esp-alg-null/evaltest.dat
@@ -2,7 +2,7 @@ moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@st
 carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
 moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
 carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_req=1::YES
 moon:: ipsec statusall 2> /dev/null::NULL/HMAC_SHA1_96::YES
 carol::ipsec statusall 2> /dev/null::NULL/HMAC_SHA1_96::YES
 moon:: ip xfrm state::enc ecb(cipher_null)::YES
diff --git a/testing/tests/pfkey/esp-alg-null/posttest.dat b/testing/tests/pfkey/esp-alg-null/posttest.dat
index 94a400606..046d4cfdc 100644
--- a/testing/tests/pfkey/esp-alg-null/posttest.dat
+++ b/testing/tests/pfkey/esp-alg-null/posttest.dat
@@ -1,4 +1,4 @@
 moon::ipsec stop
 carol::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/pfkey/esp-alg-null/pretest.dat b/testing/tests/pfkey/esp-alg-null/pretest.dat
index f360351e1..4fc25772b 100644
--- a/testing/tests/pfkey/esp-alg-null/pretest.dat
+++ b/testing/tests/pfkey/esp-alg-null/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 carol::sleep 1 
diff --git a/testing/tests/pfkey/esp-alg-null/test.conf b/testing/tests/pfkey/esp-alg-null/test.conf
index 9cd583b16..4a5fc470f 100644
--- a/testing/tests/pfkey/esp-alg-null/test.conf
+++ b/testing/tests/pfkey/esp-alg-null/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou"
+VIRTHOSTS="alice moon carol winnetou"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
diff --git a/testing/tests/pfkey/host2host-transport/evaltest.dat b/testing/tests/pfkey/host2host-transport/evaltest.dat
index 5ef5bed9c..fbd0c1c96 100644
--- a/testing/tests/pfkey/host2host-transport/evaltest.dat
+++ b/testing/tests/pfkey/host2host-transport/evaltest.dat
@@ -5,6 +5,6 @@ sun:: ipsec status 2> /dev/null::host-host.*INSTALLED, TRANSPORT::YES
 moon::cat /var/log/daemon.log::parsed IKE_AUTH response.*N(USE_TRANSP)::YES
 moon::ip xfrm state::mode transport::YES
 sun:: ip xfrm state::mode transport::YES
-moon::ping -c 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_seq=1::YES
+moon::ping -c 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_req=1::YES
 sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
 sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/pfkey/host2host-transport/posttest.dat b/testing/tests/pfkey/host2host-transport/posttest.dat
index 5a9150bc8..1f7aa73a1 100644
--- a/testing/tests/pfkey/host2host-transport/posttest.dat
+++ b/testing/tests/pfkey/host2host-transport/posttest.dat
@@ -1,4 +1,4 @@
 moon::ipsec stop
 sun::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-sun::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/pfkey/host2host-transport/pretest.dat b/testing/tests/pfkey/host2host-transport/pretest.dat
index e2d98f2eb..99789b90f 100644
--- a/testing/tests/pfkey/host2host-transport/pretest.dat
+++ b/testing/tests/pfkey/host2host-transport/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-sun::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 sun::ipsec start
 moon::sleep 2
diff --git a/testing/tests/pfkey/host2host-transport/test.conf b/testing/tests/pfkey/host2host-transport/test.conf
index cf2e704fd..5a286c84f 100644
--- a/testing/tests/pfkey/host2host-transport/test.conf
+++ b/testing/tests/pfkey/host2host-transport/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="moon winnetou sun"
+VIRTHOSTS="moon winnetou sun"
  
 # Corresponding block diagram
 #
 DIAGRAM="m-w-s.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="sun"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon sun"
diff --git a/testing/tests/pfkey/nat-rw/evaltest.dat b/testing/tests/pfkey/nat-rw/evaltest.dat
index a0b9c678f..ac09e2d6b 100644
--- a/testing/tests/pfkey/nat-rw/evaltest.dat
+++ b/testing/tests/pfkey/nat-rw/evaltest.dat
@@ -6,7 +6,7 @@ alice::ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL::YES
 venus::ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL::YES
 sun::  ipsec status 2> /dev/null::nat-t[{]1}.*INSTALLED, TUNNEL::YES
 sun::  ipsec status 2> /dev/null::nat-t[{]2}.*INSTALLED, TUNNEL::YES
-alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
-venus::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
-moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.ipsec-nat-t: UDP::YES
-moon::tcpdump::IP sun.strongswan.org.ipsec-nat-t > moon.strongswan.org.*: UDP::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
+venus::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
+moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.4500: UDP::YES
+moon::tcpdump::IP sun.strongswan.org.4500 > moon.strongswan.org.*: UDP::YES
diff --git a/testing/tests/pfkey/nat-rw/hosts/sun/etc/iptables.rules b/testing/tests/pfkey/nat-rw/hosts/sun/etc/iptables.rules
new file mode 100644
index 000000000..ae8f9a61e
--- /dev/null
+++ b/testing/tests/pfkey/nat-rw/hosts/sun/etc/iptables.rules
@@ -0,0 +1,24 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow IKE
+-A INPUT  -i eth0 -p udp --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT  -i eth0 -p udp --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT  -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/pfkey/nat-rw/posttest.dat b/testing/tests/pfkey/nat-rw/posttest.dat
index 52572ece8..4643a3a7b 100644
--- a/testing/tests/pfkey/nat-rw/posttest.dat
+++ b/testing/tests/pfkey/nat-rw/posttest.dat
@@ -1,8 +1,8 @@
 sun::ipsec stop
 alice::ipsec stop
 venus::ipsec stop
-alice::/etc/init.d/iptables stop 2> /dev/null
-venus::/etc/init.d/iptables stop 2> /dev/null
-sun::/etc/init.d/iptables stop 2> /dev/null
+alice::iptables-restore < /etc/iptables.flush
+venus::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
 moon::iptables -t nat -F
 moon::conntrack -F
diff --git a/testing/tests/pfkey/nat-rw/pretest.dat b/testing/tests/pfkey/nat-rw/pretest.dat
index e365ff5c5..d701a1d61 100644
--- a/testing/tests/pfkey/nat-rw/pretest.dat
+++ b/testing/tests/pfkey/nat-rw/pretest.dat
@@ -1,7 +1,6 @@
-alice::/etc/init.d/iptables start 2> /dev/null
-venus::/etc/init.d/iptables start 2> /dev/null
-sun::/etc/init.d/iptables start 2> /dev/null
-moon::echo 1 > /proc/sys/net/ipv4/ip_forward
+alice::iptables-restore < /etc/iptables.rules
+venus::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
 moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p udp -j SNAT --to-source PH_IP_MOON:1024-1100
 moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p tcp -j SNAT --to-source PH_IP_MOON:2000-2100
 alice::ipsec start
diff --git a/testing/tests/pfkey/nat-rw/test.conf b/testing/tests/pfkey/nat-rw/test.conf
index 84317fd70..f515d4bc7 100644
--- a/testing/tests/pfkey/nat-rw/test.conf
+++ b/testing/tests/pfkey/nat-rw/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice venus moon winnetou sun bob"
+VIRTHOSTS="alice venus moon winnetou sun bob"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-v-m-w-s-b.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="alice venus sun"
diff --git a/testing/tests/pfkey/net2net-route/evaltest.dat b/testing/tests/pfkey/net2net-route/evaltest.dat
index 9adb31e97..1de6ca8e1 100644
--- a/testing/tests/pfkey/net2net-route/evaltest.dat
+++ b/testing/tests/pfkey/net2net-route/evaltest.dat
@@ -4,6 +4,6 @@ moon:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun
 sun::  ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
 moon:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
 sun::  ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
-alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
 sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
 sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/pfkey/net2net-route/posttest.dat b/testing/tests/pfkey/net2net-route/posttest.dat
index 5a9150bc8..1f7aa73a1 100644
--- a/testing/tests/pfkey/net2net-route/posttest.dat
+++ b/testing/tests/pfkey/net2net-route/posttest.dat
@@ -1,4 +1,4 @@
 moon::ipsec stop
 sun::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-sun::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/pfkey/net2net-route/pretest.dat b/testing/tests/pfkey/net2net-route/pretest.dat
index 2eef7de19..e4ee3fac2 100644
--- a/testing/tests/pfkey/net2net-route/pretest.dat
+++ b/testing/tests/pfkey/net2net-route/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-sun::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 sun::ipsec start
 moon::sleep 2 
diff --git a/testing/tests/pfkey/net2net-route/test.conf b/testing/tests/pfkey/net2net-route/test.conf
index d9a61590f..646b8b3e6 100644
--- a/testing/tests/pfkey/net2net-route/test.conf
+++ b/testing/tests/pfkey/net2net-route/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon winnetou sun bob"
+VIRTHOSTS="alice moon winnetou sun bob"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-w-s-b.png"
  
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="sun"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon sun"
diff --git a/testing/tests/pfkey/protoport-dual/evaltest.dat b/testing/tests/pfkey/protoport-dual/evaltest.dat
index d2fc698f9..50b53cc00 100644
--- a/testing/tests/pfkey/protoport-dual/evaltest.dat
+++ b/testing/tests/pfkey/protoport-dual/evaltest.dat
@@ -4,8 +4,8 @@ carol::ipsec status 2> /dev/null::home-icmp.*INSTALLED, TUNNEL::YES
 carol::ipsec status 2> /dev/null::home-ssh.*INSTALLED, TUNNEL::YES
 moon:: ipsec status 2> /dev/null::rw-icmp.*INSTALLED, TUNNEL::YES
 moon:: ipsec status 2> /dev/null::rw-ssh.*INSTALLED, TUNNEL::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-carol::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_seq=1::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+carol::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_req=1::YES
 carol::ssh -o ConnectTimeout=5 PH_IP_ALICE hostname::alice::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/pfkey/protoport-dual/posttest.dat b/testing/tests/pfkey/protoport-dual/posttest.dat
index 94a400606..046d4cfdc 100644
--- a/testing/tests/pfkey/protoport-dual/posttest.dat
+++ b/testing/tests/pfkey/protoport-dual/posttest.dat
@@ -1,4 +1,4 @@
 moon::ipsec stop
 carol::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/pfkey/protoport-dual/pretest.dat b/testing/tests/pfkey/protoport-dual/pretest.dat
index d3d0061c3..efb2e5712 100644
--- a/testing/tests/pfkey/protoport-dual/pretest.dat
+++ b/testing/tests/pfkey/protoport-dual/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 carol::sleep 2
diff --git a/testing/tests/pfkey/protoport-dual/test.conf b/testing/tests/pfkey/protoport-dual/test.conf
index 9cd583b16..4a5fc470f 100644
--- a/testing/tests/pfkey/protoport-dual/test.conf
+++ b/testing/tests/pfkey/protoport-dual/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou"
+VIRTHOSTS="alice moon carol winnetou"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
diff --git a/testing/tests/pfkey/protoport-route/evaltest.dat b/testing/tests/pfkey/protoport-route/evaltest.dat
index 09dfd8f42..9e970f055 100644
--- a/testing/tests/pfkey/protoport-route/evaltest.dat
+++ b/testing/tests/pfkey/protoport-route/evaltest.dat
@@ -1,5 +1,5 @@
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq::YES
-carol::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_seq::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req::YES
+carol::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_req::YES
 carol::ssh PH_IP_ALICE hostname::alice::YES
 carol::cat /var/log/daemon.log::creating acquire job::YES
 carol::ipsec status 2> /dev/null::home-icmp.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
diff --git a/testing/tests/pfkey/protoport-route/posttest.dat b/testing/tests/pfkey/protoport-route/posttest.dat
index 94a400606..046d4cfdc 100644
--- a/testing/tests/pfkey/protoport-route/posttest.dat
+++ b/testing/tests/pfkey/protoport-route/posttest.dat
@@ -1,4 +1,4 @@
 moon::ipsec stop
 carol::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/pfkey/protoport-route/pretest.dat b/testing/tests/pfkey/protoport-route/pretest.dat
index 0aded0f4d..5a15574d6 100644
--- a/testing/tests/pfkey/protoport-route/pretest.dat
+++ b/testing/tests/pfkey/protoport-route/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 carol::sleep 1
diff --git a/testing/tests/pfkey/protoport-route/test.conf b/testing/tests/pfkey/protoport-route/test.conf
index 9cd583b16..4a5fc470f 100644
--- a/testing/tests/pfkey/protoport-route/test.conf
+++ b/testing/tests/pfkey/protoport-route/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou"
+VIRTHOSTS="alice moon carol winnetou"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
diff --git a/testing/tests/pfkey/rw-cert/evaltest.dat b/testing/tests/pfkey/rw-cert/evaltest.dat
index b545c2289..2342d024b 100644
--- a/testing/tests/pfkey/rw-cert/evaltest.dat
+++ b/testing/tests/pfkey/rw-cert/evaltest.dat
@@ -6,8 +6,8 @@ carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
 dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
 moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
 moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
 moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/pfkey/rw-cert/posttest.dat b/testing/tests/pfkey/rw-cert/posttest.dat
index 7cebd7f25..1865a1c60 100644
--- a/testing/tests/pfkey/rw-cert/posttest.dat
+++ b/testing/tests/pfkey/rw-cert/posttest.dat
@@ -1,6 +1,6 @@
 moon::ipsec stop
 carol::ipsec stop
 dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/pfkey/rw-cert/pretest.dat b/testing/tests/pfkey/rw-cert/pretest.dat
index 42e9d7c24..8bbea1412 100644
--- a/testing/tests/pfkey/rw-cert/pretest.dat
+++ b/testing/tests/pfkey/rw-cert/pretest.dat
@@ -1,6 +1,6 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
diff --git a/testing/tests/pfkey/rw-cert/test.conf b/testing/tests/pfkey/rw-cert/test.conf
index 70416826e..f29298850 100644
--- a/testing/tests/pfkey/rw-cert/test.conf
+++ b/testing/tests/pfkey/rw-cert/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/pfkey/shunt-policies/evaltest.dat b/testing/tests/pfkey/shunt-policies/evaltest.dat
index 87368fb31..6ba3a988f 100644
--- a/testing/tests/pfkey/shunt-policies/evaltest.dat
+++ b/testing/tests/pfkey/shunt-policies/evaltest.dat
@@ -4,16 +4,16 @@ moon:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun
 sun::  ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
 moon:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
 sun::  ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
-alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
-alice::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_seq=1::YES
-venus::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::NO
-venus::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_seq=1::YES
-moon:: ping -c 1 -I PH_IP_MOON1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
-moon:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-moon:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_seq=1::YES
-bob::  ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-bob::  ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_seq=1::YES
-bob::  ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_seq=1::NO
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
+alice::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_req=1::YES
+venus::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::NO
+venus::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_req=1::YES
+moon:: ping -c 1 -I PH_IP_MOON1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
+moon:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+moon:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES
+bob::  ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+bob::  ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_req=1::YES
+bob::  ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::NO
 sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
 sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
 venus::ssh PH_IP_BOB hostname::bob::YES
diff --git a/testing/tests/pfkey/shunt-policies/hosts/moon/etc/init.d/iptables b/testing/tests/pfkey/shunt-policies/hosts/moon/etc/init.d/iptables
deleted file mode 100755
index 2b90a14c7..000000000
--- a/testing/tests/pfkey/shunt-policies/hosts/moon/etc/init.d/iptables
+++ /dev/null
@@ -1,84 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# enable IP forwarding
-	echo 1 > /proc/sys/net/ipv4/ip_forward
-	
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	# allow esp
-	iptables -A INPUT  -i eth0 -p 50 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-	# allow IKE
-	iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
-	# allow MobIKE
-	iptables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-	# allow crl fetch from winnetou
-	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	# allow icmp in local net
-	iptables -A INPUT  -i eth1 -p icmp -j ACCEPT
-	iptables -A OUTPUT -o eth1 -p icmp -j ACCEPT
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/pfkey/shunt-policies/hosts/moon/etc/iptables.rules b/testing/tests/pfkey/shunt-policies/hosts/moon/etc/iptables.rules
new file mode 100644
index 000000000..af0f25209
--- /dev/null
+++ b/testing/tests/pfkey/shunt-policies/hosts/moon/etc/iptables.rules
@@ -0,0 +1,32 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow esp
+-A INPUT  -i eth0 -p 50 -j ACCEPT
+-A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+# allow IKE
+-A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT  -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+# allow icmp in local net
+-A INPUT  -i eth1 -p icmp -j ACCEPT
+-A OUTPUT -o eth1 -p icmp -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/pfkey/shunt-policies/posttest.dat b/testing/tests/pfkey/shunt-policies/posttest.dat
index a4c96e10f..837738fc6 100644
--- a/testing/tests/pfkey/shunt-policies/posttest.dat
+++ b/testing/tests/pfkey/shunt-policies/posttest.dat
@@ -1,5 +1,5 @@
 moon::ipsec stop
 sun::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-sun::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
 
diff --git a/testing/tests/pfkey/shunt-policies/pretest.dat b/testing/tests/pfkey/shunt-policies/pretest.dat
index 2d7a78acb..c724e5df8 100644
--- a/testing/tests/pfkey/shunt-policies/pretest.dat
+++ b/testing/tests/pfkey/shunt-policies/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-sun::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 sun::ipsec start
 moon::sleep 1 
diff --git a/testing/tests/pfkey/shunt-policies/test.conf b/testing/tests/pfkey/shunt-policies/test.conf
index cf2ef7424..6b7432ca6 100644
--- a/testing/tests/pfkey/shunt-policies/test.conf
+++ b/testing/tests/pfkey/shunt-policies/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon winnetou sun bob"
+VIRTHOSTS="alice moon winnetou sun bob"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-v-m-w-s-b.png"
  
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="sun"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon sun"
diff --git a/testing/tests/sql/ip-pool-db-expired/evaltest.dat b/testing/tests/sql/ip-pool-db-expired/evaltest.dat
index 3239dfe1f..5ff5edbf8 100644
--- a/testing/tests/sql/ip-pool-db-expired/evaltest.dat
+++ b/testing/tests/sql/ip-pool-db-expired/evaltest.dat
@@ -3,13 +3,13 @@ carol::ip addr list dev eth0::PH_IP_CAROL1::YES
 carol::ip route list table 220::10.1.0.0/16.*src PH_IP_CAROL1::YES
 carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
 carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
 dave:: cat /var/log/daemon.log::installing new virtual IP PH_IP_DAVE1::YES
 dave:: ip addr list dev eth0::PH_IP_DAVE1::YES
 dave:: ip route list table 220::10.1.0.0/16.*src PH_IP_DAVE1::YES
 dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
 dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
 moon:: cat /var/log/daemon.log::peer requested virtual IP %any::YES
 moon:: cat /var/log/daemon.log::acquired new lease for address.*in pool.*bigpool::YES
 moon:: cat /var/log/daemon.log::assigning virtual IP::YES
diff --git a/testing/tests/sql/ip-pool-db-expired/posttest.dat b/testing/tests/sql/ip-pool-db-expired/posttest.dat
index 40b1a403e..1b963fcec 100644
--- a/testing/tests/sql/ip-pool-db-expired/posttest.dat
+++ b/testing/tests/sql/ip-pool-db-expired/posttest.dat
@@ -1,9 +1,9 @@
 carol::ipsec stop
 dave::ipsec stop
 moon::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
 moon::rm /etc/ipsec.d/ipsec.*
 carol::rm /etc/ipsec.d/ipsec.*
 dave::rm /etc/ipsec.d/ipsec.*
diff --git a/testing/tests/sql/ip-pool-db-expired/pretest.dat b/testing/tests/sql/ip-pool-db-expired/pretest.dat
index 4df33509f..391785a1c 100644
--- a/testing/tests/sql/ip-pool-db-expired/pretest.dat
+++ b/testing/tests/sql/ip-pool-db-expired/pretest.dat
@@ -8,9 +8,9 @@ moon::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
 carol::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
 dave::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
 moon::ipsec pool --leases 2> /dev/null
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
diff --git a/testing/tests/sql/ip-pool-db-expired/test.conf b/testing/tests/sql/ip-pool-db-expired/test.conf
index 75510b295..9b1ec0b54 100644
--- a/testing/tests/sql/ip-pool-db-expired/test.conf
+++ b/testing/tests/sql/ip-pool-db-expired/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="alice moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/sql/ip-pool-db-restart/evaltest.dat b/testing/tests/sql/ip-pool-db-restart/evaltest.dat
index 58706fa48..f70e2d2de 100644
--- a/testing/tests/sql/ip-pool-db-restart/evaltest.dat
+++ b/testing/tests/sql/ip-pool-db-restart/evaltest.dat
@@ -3,13 +3,13 @@ carol::ip addr list dev eth0::PH_IP_CAROL1::YES
 carol::ip route list table 220::10.1.0.0/16.*src PH_IP_CAROL1::YES
 carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
 carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
 dave:: cat /var/log/daemon.log::installing new virtual IP PH_IP_DAVE1::YES
 dave:: ip addr list dev eth0::PH_IP_DAVE1::YES
 dave:: ip route list table 220::10.1.0.0/16.*src PH_IP_DAVE1::YES
 dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
 dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
 moon:: cat /var/log/daemon.log::peer requested virtual IP %any::YES
 moon:: cat /var/log/daemon.log::acquired existing lease for address.*in pool.*bigpool::YES
 moon:: cat /var/log/daemon.log::assigning virtual IP::YES
diff --git a/testing/tests/sql/ip-pool-db-restart/posttest.dat b/testing/tests/sql/ip-pool-db-restart/posttest.dat
index 40b1a403e..1b963fcec 100644
--- a/testing/tests/sql/ip-pool-db-restart/posttest.dat
+++ b/testing/tests/sql/ip-pool-db-restart/posttest.dat
@@ -1,9 +1,9 @@
 carol::ipsec stop
 dave::ipsec stop
 moon::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
 moon::rm /etc/ipsec.d/ipsec.*
 carol::rm /etc/ipsec.d/ipsec.*
 dave::rm /etc/ipsec.d/ipsec.*
diff --git a/testing/tests/sql/ip-pool-db-restart/pretest.dat b/testing/tests/sql/ip-pool-db-restart/pretest.dat
index b5108051c..20b1937b7 100644
--- a/testing/tests/sql/ip-pool-db-restart/pretest.dat
+++ b/testing/tests/sql/ip-pool-db-restart/pretest.dat
@@ -8,9 +8,9 @@ moon::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
 carol::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
 dave::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
 moon::ipsec pool --leases 2> /dev/null
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
diff --git a/testing/tests/sql/ip-pool-db-restart/test.conf b/testing/tests/sql/ip-pool-db-restart/test.conf
index 75510b295..9b1ec0b54 100644
--- a/testing/tests/sql/ip-pool-db-restart/test.conf
+++ b/testing/tests/sql/ip-pool-db-restart/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="alice moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/sql/ip-pool-db/evaltest.dat b/testing/tests/sql/ip-pool-db/evaltest.dat
index 3910ab9c2..cfa87ae3f 100644
--- a/testing/tests/sql/ip-pool-db/evaltest.dat
+++ b/testing/tests/sql/ip-pool-db/evaltest.dat
@@ -7,7 +7,7 @@ carol::ip addr list dev eth0::PH_IP_CAROL1::YES
 carol::ip route list table 220::10.1.0.0/16.*src PH_IP_CAROL1::YES
 carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
 carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
 dave:: cat /var/log/daemon.log::installing new virtual IP PH_IP_DAVE1::YES
 dave:: cat /var/log/daemon.log::installing new virtual IP PH_IP_DAVE1::YES
 dave:: cat /var/log/daemon.log::installing DNS server PH_IP_WINNETOU::YES
@@ -18,7 +18,7 @@ dave:: ip addr list dev eth0::PH_IP_DAVE1::YES
 dave:: ip route list table 220::10.1.0.0/16.*src PH_IP_DAVE1::YES
 dave:: ipsec status 2> /dev/null::.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
 dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
 moon:: cat /var/log/daemon.log::peer requested virtual IP %any::YES
 moon:: cat /var/log/daemon.log::acquired new lease for address.*in pool.*bigpool::YES
 moon:: cat /var/log/daemon.log::assigning virtual IP::YES
diff --git a/testing/tests/sql/ip-pool-db/posttest.dat b/testing/tests/sql/ip-pool-db/posttest.dat
index 40b1a403e..1b963fcec 100644
--- a/testing/tests/sql/ip-pool-db/posttest.dat
+++ b/testing/tests/sql/ip-pool-db/posttest.dat
@@ -1,9 +1,9 @@
 carol::ipsec stop
 dave::ipsec stop
 moon::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
 moon::rm /etc/ipsec.d/ipsec.*
 carol::rm /etc/ipsec.d/ipsec.*
 dave::rm /etc/ipsec.d/ipsec.*
diff --git a/testing/tests/sql/ip-pool-db/pretest.dat b/testing/tests/sql/ip-pool-db/pretest.dat
index a5d786b3f..819aca3d9 100644
--- a/testing/tests/sql/ip-pool-db/pretest.dat
+++ b/testing/tests/sql/ip-pool-db/pretest.dat
@@ -7,9 +7,9 @@ dave::cat /etc/ipsec.d/tables.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
 moon::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
 carol::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
 dave::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
diff --git a/testing/tests/sql/ip-pool-db/test.conf b/testing/tests/sql/ip-pool-db/test.conf
index 75510b295..9b1ec0b54 100644
--- a/testing/tests/sql/ip-pool-db/test.conf
+++ b/testing/tests/sql/ip-pool-db/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="alice moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/sql/ip-split-pools-db-restart/test.conf b/testing/tests/sql/ip-split-pools-db-restart/test.conf
index 75510b295..9b1ec0b54 100644
--- a/testing/tests/sql/ip-split-pools-db-restart/test.conf
+++ b/testing/tests/sql/ip-split-pools-db-restart/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="alice moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/sql/ip-split-pools-db/test.conf b/testing/tests/sql/ip-split-pools-db/test.conf
index 75510b295..9b1ec0b54 100644
--- a/testing/tests/sql/ip-split-pools-db/test.conf
+++ b/testing/tests/sql/ip-split-pools-db/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="alice moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/sql/multi-level-ca/evaltest.dat b/testing/tests/sql/multi-level-ca/evaltest.dat
index dfdd36a51..72a555d4b 100644
--- a/testing/tests/sql/multi-level-ca/evaltest.dat
+++ b/testing/tests/sql/multi-level-ca/evaltest.dat
@@ -14,8 +14,8 @@ carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
 dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
 moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
 moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
 moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/sql/multi-level-ca/posttest.dat b/testing/tests/sql/multi-level-ca/posttest.dat
index d4d57ad83..e9ad4bea6 100644
--- a/testing/tests/sql/multi-level-ca/posttest.dat
+++ b/testing/tests/sql/multi-level-ca/posttest.dat
@@ -1,9 +1,9 @@
 moon::ipsec stop
 carol::ipsec stop
 dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
 moon::rm /etc/ipsec.d/ipsec.*
 carol::rm /etc/ipsec.d/ipsec.*
 dave::rm /etc/ipsec.d/ipsec.*
diff --git a/testing/tests/sql/multi-level-ca/pretest.dat b/testing/tests/sql/multi-level-ca/pretest.dat
index 76316f33d..fdd4df5f9 100644
--- a/testing/tests/sql/multi-level-ca/pretest.dat
+++ b/testing/tests/sql/multi-level-ca/pretest.dat
@@ -7,9 +7,9 @@ dave::cat /etc/ipsec.d/tables.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
 moon::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
 carol::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
 dave::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
diff --git a/testing/tests/sql/multi-level-ca/test.conf b/testing/tests/sql/multi-level-ca/test.conf
index 70416826e..f29298850 100644
--- a/testing/tests/sql/multi-level-ca/test.conf
+++ b/testing/tests/sql/multi-level-ca/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/sql/net2net-cert/evaltest.dat b/testing/tests/sql/net2net-cert/evaltest.dat
index dbd06104f..f003f822f 100644
--- a/testing/tests/sql/net2net-cert/evaltest.dat
+++ b/testing/tests/sql/net2net-cert/evaltest.dat
@@ -2,6 +2,6 @@ moon:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun
 sun::  ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
 moon:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
 sun::  ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
-alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
 sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
 sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/sql/net2net-cert/posttest.dat b/testing/tests/sql/net2net-cert/posttest.dat
index 13f7ede0a..329a572b2 100644
--- a/testing/tests/sql/net2net-cert/posttest.dat
+++ b/testing/tests/sql/net2net-cert/posttest.dat
@@ -1,6 +1,6 @@
 moon::ipsec stop
 sun::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-sun::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
 moon::rm /etc/ipsec.d/ipsec.*
 sun::rm /etc/ipsec.d/ipsec.*
diff --git a/testing/tests/sql/net2net-cert/pretest.dat b/testing/tests/sql/net2net-cert/pretest.dat
index 2ab18542f..a1777efb0 100644
--- a/testing/tests/sql/net2net-cert/pretest.dat
+++ b/testing/tests/sql/net2net-cert/pretest.dat
@@ -4,8 +4,8 @@ moon::cat /etc/ipsec.d/tables.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
 sun::cat /etc/ipsec.d/tables.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
 moon::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
 sun::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
-moon::/etc/init.d/iptables start 2> /dev/null
-sun::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 sun::ipsec start
 moon::sleep 1 
diff --git a/testing/tests/sql/net2net-cert/test.conf b/testing/tests/sql/net2net-cert/test.conf
index d9a61590f..646b8b3e6 100644
--- a/testing/tests/sql/net2net-cert/test.conf
+++ b/testing/tests/sql/net2net-cert/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon winnetou sun bob"
+VIRTHOSTS="alice moon winnetou sun bob"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-w-s-b.png"
  
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="sun"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon sun"
diff --git a/testing/tests/sql/net2net-psk/evaltest.dat b/testing/tests/sql/net2net-psk/evaltest.dat
index dbd06104f..f003f822f 100644
--- a/testing/tests/sql/net2net-psk/evaltest.dat
+++ b/testing/tests/sql/net2net-psk/evaltest.dat
@@ -2,6 +2,6 @@ moon:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun
 sun::  ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
 moon:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
 sun::  ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
-alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
 sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
 sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/sql/net2net-psk/posttest.dat b/testing/tests/sql/net2net-psk/posttest.dat
index 13f7ede0a..329a572b2 100644
--- a/testing/tests/sql/net2net-psk/posttest.dat
+++ b/testing/tests/sql/net2net-psk/posttest.dat
@@ -1,6 +1,6 @@
 moon::ipsec stop
 sun::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-sun::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
 moon::rm /etc/ipsec.d/ipsec.*
 sun::rm /etc/ipsec.d/ipsec.*
diff --git a/testing/tests/sql/net2net-psk/pretest.dat b/testing/tests/sql/net2net-psk/pretest.dat
index 2ab18542f..a1777efb0 100644
--- a/testing/tests/sql/net2net-psk/pretest.dat
+++ b/testing/tests/sql/net2net-psk/pretest.dat
@@ -4,8 +4,8 @@ moon::cat /etc/ipsec.d/tables.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
 sun::cat /etc/ipsec.d/tables.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
 moon::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
 sun::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
-moon::/etc/init.d/iptables start 2> /dev/null
-sun::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 sun::ipsec start
 moon::sleep 1 
diff --git a/testing/tests/sql/net2net-psk/test.conf b/testing/tests/sql/net2net-psk/test.conf
index d9a61590f..646b8b3e6 100644
--- a/testing/tests/sql/net2net-psk/test.conf
+++ b/testing/tests/sql/net2net-psk/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon winnetou sun bob"
+VIRTHOSTS="alice moon winnetou sun bob"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-w-s-b.png"
  
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="sun"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon sun"
diff --git a/testing/tests/sql/net2net-route-pem/evaltest.dat b/testing/tests/sql/net2net-route-pem/evaltest.dat
index 719ba09ff..3fd32907c 100644
--- a/testing/tests/sql/net2net-route-pem/evaltest.dat
+++ b/testing/tests/sql/net2net-route-pem/evaltest.dat
@@ -10,7 +10,7 @@ moon:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun
 sun::  ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
 moon:: ipsec status 2> /dev/null::net-2.*INSTALLED, TUNNEL::YES
 sun::  ipsec status 2> /dev/null::net-2.*INSTALLED, TUNNEL::YES
-alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
-bob::  ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_seq=1::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
+bob::  ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES
 sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
 sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/sql/net2net-route-pem/posttest.dat b/testing/tests/sql/net2net-route-pem/posttest.dat
index 13f7ede0a..329a572b2 100644
--- a/testing/tests/sql/net2net-route-pem/posttest.dat
+++ b/testing/tests/sql/net2net-route-pem/posttest.dat
@@ -1,6 +1,6 @@
 moon::ipsec stop
 sun::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-sun::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
 moon::rm /etc/ipsec.d/ipsec.*
 sun::rm /etc/ipsec.d/ipsec.*
diff --git a/testing/tests/sql/net2net-route-pem/pretest.dat b/testing/tests/sql/net2net-route-pem/pretest.dat
index 5a537e15b..8ca573ee5 100644
--- a/testing/tests/sql/net2net-route-pem/pretest.dat
+++ b/testing/tests/sql/net2net-route-pem/pretest.dat
@@ -4,8 +4,8 @@ moon::cat /etc/ipsec.d/tables.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
 sun::cat /etc/ipsec.d/tables.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
 moon::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
 sun::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
-moon::/etc/init.d/iptables start 2> /dev/null
-sun::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
 sun::ipsec start
 moon::ipsec start
 moon::sleep 1
diff --git a/testing/tests/sql/net2net-route-pem/test.conf b/testing/tests/sql/net2net-route-pem/test.conf
index 13a8a2a48..10c582c9b 100644
--- a/testing/tests/sql/net2net-route-pem/test.conf
+++ b/testing/tests/sql/net2net-route-pem/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice venus moon winnetou sun bob"
+VIRTHOSTS="alice venus moon winnetou sun bob"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-v-m-w-s-b.png"
  
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="sun"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon sun"
diff --git a/testing/tests/sql/net2net-start-pem/evaltest.dat b/testing/tests/sql/net2net-start-pem/evaltest.dat
index e6b8890f9..6534adc07 100644
--- a/testing/tests/sql/net2net-start-pem/evaltest.dat
+++ b/testing/tests/sql/net2net-start-pem/evaltest.dat
@@ -6,7 +6,7 @@ moon:: ipsec status 2> /dev/null::net-2.*INSTALLED, TUNNEL::YES
 sun::  ipsec status 2> /dev/null::net-2.*INSTALLED, TUNNEL::YES
 moon:: ipsec status 2> /dev/null::net-3.*INSTALLED, TUNNEL::YES
 sun::  ipsec status 2> /dev/null::net-3.*INSTALLED, TUNNEL::YES
-alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
-bob::  ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_seq=1::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
+bob::  ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES
 sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
 sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/sql/net2net-start-pem/posttest.dat b/testing/tests/sql/net2net-start-pem/posttest.dat
index 13f7ede0a..329a572b2 100644
--- a/testing/tests/sql/net2net-start-pem/posttest.dat
+++ b/testing/tests/sql/net2net-start-pem/posttest.dat
@@ -1,6 +1,6 @@
 moon::ipsec stop
 sun::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-sun::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
 moon::rm /etc/ipsec.d/ipsec.*
 sun::rm /etc/ipsec.d/ipsec.*
diff --git a/testing/tests/sql/net2net-start-pem/pretest.dat b/testing/tests/sql/net2net-start-pem/pretest.dat
index c09d50f08..1c71f0c14 100644
--- a/testing/tests/sql/net2net-start-pem/pretest.dat
+++ b/testing/tests/sql/net2net-start-pem/pretest.dat
@@ -4,8 +4,8 @@ moon::cat /etc/ipsec.d/tables.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
 sun::cat /etc/ipsec.d/tables.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
 moon::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
 sun::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
-moon::/etc/init.d/iptables start 2> /dev/null
-sun::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
 sun::ipsec start
 moon::ipsec start
 moon::sleep 3
diff --git a/testing/tests/sql/net2net-start-pem/test.conf b/testing/tests/sql/net2net-start-pem/test.conf
index 13a8a2a48..10c582c9b 100644
--- a/testing/tests/sql/net2net-start-pem/test.conf
+++ b/testing/tests/sql/net2net-start-pem/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice venus moon winnetou sun bob"
+VIRTHOSTS="alice venus moon winnetou sun bob"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-v-m-w-s-b.png"
  
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="sun"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon sun"
diff --git a/testing/tests/sql/rw-cert/evaltest.dat b/testing/tests/sql/rw-cert/evaltest.dat
index b545c2289..2342d024b 100644
--- a/testing/tests/sql/rw-cert/evaltest.dat
+++ b/testing/tests/sql/rw-cert/evaltest.dat
@@ -6,8 +6,8 @@ carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
 dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
 moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
 moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
 moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/sql/rw-cert/posttest.dat b/testing/tests/sql/rw-cert/posttest.dat
index d4d57ad83..e9ad4bea6 100644
--- a/testing/tests/sql/rw-cert/posttest.dat
+++ b/testing/tests/sql/rw-cert/posttest.dat
@@ -1,9 +1,9 @@
 moon::ipsec stop
 carol::ipsec stop
 dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
 moon::rm /etc/ipsec.d/ipsec.*
 carol::rm /etc/ipsec.d/ipsec.*
 dave::rm /etc/ipsec.d/ipsec.*
diff --git a/testing/tests/sql/rw-cert/pretest.dat b/testing/tests/sql/rw-cert/pretest.dat
index 76316f33d..fdd4df5f9 100644
--- a/testing/tests/sql/rw-cert/pretest.dat
+++ b/testing/tests/sql/rw-cert/pretest.dat
@@ -7,9 +7,9 @@ dave::cat /etc/ipsec.d/tables.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
 moon::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
 carol::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
 dave::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
diff --git a/testing/tests/sql/rw-cert/test.conf b/testing/tests/sql/rw-cert/test.conf
index 70416826e..f29298850 100644
--- a/testing/tests/sql/rw-cert/test.conf
+++ b/testing/tests/sql/rw-cert/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/sql/rw-eap-aka-rsa/evaltest.dat b/testing/tests/sql/rw-eap-aka-rsa/evaltest.dat
index 65a7c8e09..e1d33feb7 100644
--- a/testing/tests/sql/rw-eap-aka-rsa/evaltest.dat
+++ b/testing/tests/sql/rw-eap-aka-rsa/evaltest.dat
@@ -5,7 +5,7 @@ carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.
 moon:: ipsec status 2> /dev/null::rw-eap-aka.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
 carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
 moon:: ipsec status 2> /dev/null::rw-eap-aka.*INSTALLED, TUNNEL::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
 
diff --git a/testing/tests/sql/rw-eap-aka-rsa/posttest.dat b/testing/tests/sql/rw-eap-aka-rsa/posttest.dat
index 23eeb0d17..584356d8e 100644
--- a/testing/tests/sql/rw-eap-aka-rsa/posttest.dat
+++ b/testing/tests/sql/rw-eap-aka-rsa/posttest.dat
@@ -1,7 +1,7 @@
 moon::ipsec stop
 carol::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
 moon::rm /etc/ipsec.d/ipsec.*
 carol::rm /etc/ipsec.d/ipsec.*
 ~
diff --git a/testing/tests/sql/rw-eap-aka-rsa/pretest.dat b/testing/tests/sql/rw-eap-aka-rsa/pretest.dat
index b78fd480f..8f2387ba1 100644
--- a/testing/tests/sql/rw-eap-aka-rsa/pretest.dat
+++ b/testing/tests/sql/rw-eap-aka-rsa/pretest.dat
@@ -4,8 +4,8 @@ moon::cat /etc/ipsec.d/tables.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
 carol::cat /etc/ipsec.d/tables.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
 moon::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
 carol::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 carol::sleep 1
diff --git a/testing/tests/sql/rw-eap-aka-rsa/test.conf b/testing/tests/sql/rw-eap-aka-rsa/test.conf
index 9cd583b16..4a5fc470f 100644
--- a/testing/tests/sql/rw-eap-aka-rsa/test.conf
+++ b/testing/tests/sql/rw-eap-aka-rsa/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou"
+VIRTHOSTS="alice moon carol winnetou"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
diff --git a/testing/tests/sql/rw-psk-ipv4/evaltest.dat b/testing/tests/sql/rw-psk-ipv4/evaltest.dat
index 1ad36fcaf..eaf47395e 100644
--- a/testing/tests/sql/rw-psk-ipv4/evaltest.dat
+++ b/testing/tests/sql/rw-psk-ipv4/evaltest.dat
@@ -6,8 +6,8 @@ carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
 dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
 moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
 moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
 moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/sql/rw-psk-ipv4/posttest.dat b/testing/tests/sql/rw-psk-ipv4/posttest.dat
index d4d57ad83..e9ad4bea6 100644
--- a/testing/tests/sql/rw-psk-ipv4/posttest.dat
+++ b/testing/tests/sql/rw-psk-ipv4/posttest.dat
@@ -1,9 +1,9 @@
 moon::ipsec stop
 carol::ipsec stop
 dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
 moon::rm /etc/ipsec.d/ipsec.*
 carol::rm /etc/ipsec.d/ipsec.*
 dave::rm /etc/ipsec.d/ipsec.*
diff --git a/testing/tests/sql/rw-psk-ipv4/pretest.dat b/testing/tests/sql/rw-psk-ipv4/pretest.dat
index 76316f33d..fdd4df5f9 100644
--- a/testing/tests/sql/rw-psk-ipv4/pretest.dat
+++ b/testing/tests/sql/rw-psk-ipv4/pretest.dat
@@ -7,9 +7,9 @@ dave::cat /etc/ipsec.d/tables.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
 moon::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
 carol::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
 dave::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
diff --git a/testing/tests/sql/rw-psk-ipv4/test.conf b/testing/tests/sql/rw-psk-ipv4/test.conf
index 70416826e..f29298850 100644
--- a/testing/tests/sql/rw-psk-ipv4/test.conf
+++ b/testing/tests/sql/rw-psk-ipv4/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/sql/rw-psk-ipv6/hosts/carol/etc/init.d/iptables b/testing/tests/sql/rw-psk-ipv6/hosts/carol/etc/init.d/iptables
deleted file mode 100755
index 25074a0f1..000000000
--- a/testing/tests/sql/rw-psk-ipv6/hosts/carol/etc/init.d/iptables
+++ /dev/null
@@ -1,107 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# enable IP forwarding
-	echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
-	echo 1 > /proc/sys/net/ipv4/ip_forward
-	
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	/sbin/ip6tables -P INPUT DROP
-	/sbin/ip6tables -P OUTPUT DROP
-	/sbin/ip6tables -P FORWARD DROP
-
-	# allow esp
-	ip6tables -A INPUT  -i eth0 -p 50 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-	# allow IKE
-	ip6tables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
-	# allow MobIKE
-	ip6tables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-	# allow last UDP fragment
-	ip6tables -A INPUT -i eth0 -p udp -m frag --fraglast -j ACCEPT
-
-	# allow ICMPv6 neighbor-solicitations
-	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-	
-	# allow ICMPv6 neighbor-advertisements
-	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-
-	# allow crl fetch from winnetou
-	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	# log dropped packets
-	ip6tables -A INPUT  -j LOG --log-prefix " IN: "
-	ip6tables -A OUTPUT -j LOG --log-prefix " OUT: "
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/ip6tables -F -t $a
-			/sbin/ip6tables -X -t $a
-
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/ip6tables -t filter -P INPUT ACCEPT
-				/sbin/ip6tables -t filter -P FORWARD ACCEPT
-				/sbin/ip6tables -t filter -P OUTPUT ACCEPT
-
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/ip6tables -F -t $a
-			/sbin/ip6tables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/sql/rw-psk-ipv6/hosts/carol/etc/iptables.rules b/testing/tests/sql/rw-psk-ipv6/hosts/carol/etc/iptables.rules
new file mode 100644
index 000000000..7362b2e25
--- /dev/null
+++ b/testing/tests/sql/rw-psk-ipv6/hosts/carol/etc/iptables.rules
@@ -0,0 +1,16 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow ssh
+-A INPUT  -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/sql/rw-psk-ipv6/hosts/dave/etc/init.d/iptables b/testing/tests/sql/rw-psk-ipv6/hosts/dave/etc/init.d/iptables
deleted file mode 100755
index 25074a0f1..000000000
--- a/testing/tests/sql/rw-psk-ipv6/hosts/dave/etc/init.d/iptables
+++ /dev/null
@@ -1,107 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# enable IP forwarding
-	echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
-	echo 1 > /proc/sys/net/ipv4/ip_forward
-	
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	/sbin/ip6tables -P INPUT DROP
-	/sbin/ip6tables -P OUTPUT DROP
-	/sbin/ip6tables -P FORWARD DROP
-
-	# allow esp
-	ip6tables -A INPUT  -i eth0 -p 50 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-	# allow IKE
-	ip6tables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
-	# allow MobIKE
-	ip6tables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-	# allow last UDP fragment
-	ip6tables -A INPUT -i eth0 -p udp -m frag --fraglast -j ACCEPT
-
-	# allow ICMPv6 neighbor-solicitations
-	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-	
-	# allow ICMPv6 neighbor-advertisements
-	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-
-	# allow crl fetch from winnetou
-	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	# log dropped packets
-	ip6tables -A INPUT  -j LOG --log-prefix " IN: "
-	ip6tables -A OUTPUT -j LOG --log-prefix " OUT: "
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/ip6tables -F -t $a
-			/sbin/ip6tables -X -t $a
-
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/ip6tables -t filter -P INPUT ACCEPT
-				/sbin/ip6tables -t filter -P FORWARD ACCEPT
-				/sbin/ip6tables -t filter -P OUTPUT ACCEPT
-
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/ip6tables -F -t $a
-			/sbin/ip6tables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/sql/rw-psk-ipv6/hosts/dave/etc/iptables.rules b/testing/tests/sql/rw-psk-ipv6/hosts/dave/etc/iptables.rules
new file mode 100644
index 000000000..7362b2e25
--- /dev/null
+++ b/testing/tests/sql/rw-psk-ipv6/hosts/dave/etc/iptables.rules
@@ -0,0 +1,16 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow ssh
+-A INPUT  -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/sql/rw-psk-ipv6/hosts/moon/etc/init.d/iptables b/testing/tests/sql/rw-psk-ipv6/hosts/moon/etc/init.d/iptables
deleted file mode 100755
index 25074a0f1..000000000
--- a/testing/tests/sql/rw-psk-ipv6/hosts/moon/etc/init.d/iptables
+++ /dev/null
@@ -1,107 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# enable IP forwarding
-	echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
-	echo 1 > /proc/sys/net/ipv4/ip_forward
-	
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	/sbin/ip6tables -P INPUT DROP
-	/sbin/ip6tables -P OUTPUT DROP
-	/sbin/ip6tables -P FORWARD DROP
-
-	# allow esp
-	ip6tables -A INPUT  -i eth0 -p 50 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-	# allow IKE
-	ip6tables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
-	# allow MobIKE
-	ip6tables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-	# allow last UDP fragment
-	ip6tables -A INPUT -i eth0 -p udp -m frag --fraglast -j ACCEPT
-
-	# allow ICMPv6 neighbor-solicitations
-	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-	
-	# allow ICMPv6 neighbor-advertisements
-	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-
-	# allow crl fetch from winnetou
-	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	# log dropped packets
-	ip6tables -A INPUT  -j LOG --log-prefix " IN: "
-	ip6tables -A OUTPUT -j LOG --log-prefix " OUT: "
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/ip6tables -F -t $a
-			/sbin/ip6tables -X -t $a
-
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/ip6tables -t filter -P INPUT ACCEPT
-				/sbin/ip6tables -t filter -P FORWARD ACCEPT
-				/sbin/ip6tables -t filter -P OUTPUT ACCEPT
-
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/ip6tables -F -t $a
-			/sbin/ip6tables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/sql/rw-psk-ipv6/hosts/moon/etc/iptables.rules b/testing/tests/sql/rw-psk-ipv6/hosts/moon/etc/iptables.rules
new file mode 100644
index 000000000..7362b2e25
--- /dev/null
+++ b/testing/tests/sql/rw-psk-ipv6/hosts/moon/etc/iptables.rules
@@ -0,0 +1,16 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow ssh
+-A INPUT  -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/sql/rw-psk-ipv6/posttest.dat b/testing/tests/sql/rw-psk-ipv6/posttest.dat
index bdfd9ed00..ab753507f 100644
--- a/testing/tests/sql/rw-psk-ipv6/posttest.dat
+++ b/testing/tests/sql/rw-psk-ipv6/posttest.dat
@@ -1,9 +1,12 @@
 moon::ipsec stop
 carol::ipsec stop
 dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
+moon::ip6tables-restore < /etc/ip6tables.flush
+carol::ip6tables-restore < /etc/ip6tables.flush
+dave::ip6tables-restore < /etc/ip6tables.flush
 alice::"ip route del fec0:\:/16 via fec1:\:1"
 carol::"ip route del fec1:\:/16 via fec0:\:1"
 dave::"ip route del fec1:\:/16 via fec0:\:1"
diff --git a/testing/tests/sql/rw-psk-ipv6/pretest.dat b/testing/tests/sql/rw-psk-ipv6/pretest.dat
index 253438dbf..587dd7f85 100644
--- a/testing/tests/sql/rw-psk-ipv6/pretest.dat
+++ b/testing/tests/sql/rw-psk-ipv6/pretest.dat
@@ -7,9 +7,12 @@ dave::cat /etc/ipsec.d/tables.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
 moon::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
 carol::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
 dave::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
+moon::ip6tables-restore < /etc/ip6tables.rules
+carol::ip6tables-restore < /etc/ip6tables.rules
+dave::ip6tables-restore < /etc/ip6tables.rules
 alice::"ip route add fec0:\:/16 via fec1:\:1"
 carol::"ip route add fec1:\:/16 via fec0:\:1"
 dave::"ip route add fec1:\:/16 via fec0:\:1"
diff --git a/testing/tests/sql/rw-psk-ipv6/test.conf b/testing/tests/sql/rw-psk-ipv6/test.conf
index 80cf5e3a1..05bb8ab6d 100644
--- a/testing/tests/sql/rw-psk-ipv6/test.conf
+++ b/testing/tests/sql/rw-psk-ipv6/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w-d-ip6.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/sql/rw-psk-rsa-split/evaltest.dat b/testing/tests/sql/rw-psk-rsa-split/evaltest.dat
index 9a1ab3f8f..1648c9557 100644
--- a/testing/tests/sql/rw-psk-rsa-split/evaltest.dat
+++ b/testing/tests/sql/rw-psk-rsa-split/evaltest.dat
@@ -9,8 +9,8 @@ carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
 dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
 moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
 moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
 moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/sql/rw-psk-rsa-split/posttest.dat b/testing/tests/sql/rw-psk-rsa-split/posttest.dat
index d4d57ad83..e9ad4bea6 100644
--- a/testing/tests/sql/rw-psk-rsa-split/posttest.dat
+++ b/testing/tests/sql/rw-psk-rsa-split/posttest.dat
@@ -1,9 +1,9 @@
 moon::ipsec stop
 carol::ipsec stop
 dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
 moon::rm /etc/ipsec.d/ipsec.*
 carol::rm /etc/ipsec.d/ipsec.*
 dave::rm /etc/ipsec.d/ipsec.*
diff --git a/testing/tests/sql/rw-psk-rsa-split/pretest.dat b/testing/tests/sql/rw-psk-rsa-split/pretest.dat
index 76316f33d..fdd4df5f9 100644
--- a/testing/tests/sql/rw-psk-rsa-split/pretest.dat
+++ b/testing/tests/sql/rw-psk-rsa-split/pretest.dat
@@ -7,9 +7,9 @@ dave::cat /etc/ipsec.d/tables.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
 moon::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
 carol::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
 dave::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
diff --git a/testing/tests/sql/rw-psk-rsa-split/test.conf b/testing/tests/sql/rw-psk-rsa-split/test.conf
index 70416826e..f29298850 100644
--- a/testing/tests/sql/rw-psk-rsa-split/test.conf
+++ b/testing/tests/sql/rw-psk-rsa-split/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/sql/rw-rsa-keyid/evaltest.dat b/testing/tests/sql/rw-rsa-keyid/evaltest.dat
index 26f82653a..4f5cd724c 100644
--- a/testing/tests/sql/rw-rsa-keyid/evaltest.dat
+++ b/testing/tests/sql/rw-rsa-keyid/evaltest.dat
@@ -6,8 +6,8 @@ carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
 dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
 moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
 moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
 moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/sql/rw-rsa-keyid/posttest.dat b/testing/tests/sql/rw-rsa-keyid/posttest.dat
index b10aeb3aa..892650ccb 100644
--- a/testing/tests/sql/rw-rsa-keyid/posttest.dat
+++ b/testing/tests/sql/rw-rsa-keyid/posttest.dat
@@ -1,9 +1,9 @@
 moon::ipsec stop
 carol::ipsec stop
 dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
 moon::rm /etc/ipsec.d/ipsec.db
 carol::rm /etc/ipsec.d/ipsec.db
 dave::rm /etc/ipsec.d/ipsec.db
diff --git a/testing/tests/sql/rw-rsa-keyid/pretest.dat b/testing/tests/sql/rw-rsa-keyid/pretest.dat
index 76316f33d..fdd4df5f9 100644
--- a/testing/tests/sql/rw-rsa-keyid/pretest.dat
+++ b/testing/tests/sql/rw-rsa-keyid/pretest.dat
@@ -7,9 +7,9 @@ dave::cat /etc/ipsec.d/tables.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
 moon::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
 carol::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
 dave::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
diff --git a/testing/tests/sql/rw-rsa-keyid/test.conf b/testing/tests/sql/rw-rsa-keyid/test.conf
index 70416826e..f29298850 100644
--- a/testing/tests/sql/rw-rsa-keyid/test.conf
+++ b/testing/tests/sql/rw-rsa-keyid/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/sql/rw-rsa/evaltest.dat b/testing/tests/sql/rw-rsa/evaltest.dat
index f8cfb111b..ba661975b 100644
--- a/testing/tests/sql/rw-rsa/evaltest.dat
+++ b/testing/tests/sql/rw-rsa/evaltest.dat
@@ -6,8 +6,8 @@ carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
 dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
 moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
 moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
 moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/sql/rw-rsa/posttest.dat b/testing/tests/sql/rw-rsa/posttest.dat
index b10aeb3aa..892650ccb 100644
--- a/testing/tests/sql/rw-rsa/posttest.dat
+++ b/testing/tests/sql/rw-rsa/posttest.dat
@@ -1,9 +1,9 @@
 moon::ipsec stop
 carol::ipsec stop
 dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
 moon::rm /etc/ipsec.d/ipsec.db
 carol::rm /etc/ipsec.d/ipsec.db
 dave::rm /etc/ipsec.d/ipsec.db
diff --git a/testing/tests/sql/rw-rsa/pretest.dat b/testing/tests/sql/rw-rsa/pretest.dat
index 76316f33d..fdd4df5f9 100644
--- a/testing/tests/sql/rw-rsa/pretest.dat
+++ b/testing/tests/sql/rw-rsa/pretest.dat
@@ -7,9 +7,9 @@ dave::cat /etc/ipsec.d/tables.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
 moon::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
 carol::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
 dave::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
diff --git a/testing/tests/sql/rw-rsa/test.conf b/testing/tests/sql/rw-rsa/test.conf
index 70416826e..f29298850 100644
--- a/testing/tests/sql/rw-rsa/test.conf
+++ b/testing/tests/sql/rw-rsa/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/sql/shunt-policies/evaltest.dat b/testing/tests/sql/shunt-policies/evaltest.dat
index 70aea411e..51dd9610b 100644
--- a/testing/tests/sql/shunt-policies/evaltest.dat
+++ b/testing/tests/sql/shunt-policies/evaltest.dat
@@ -4,16 +4,16 @@ moon:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
 sun::  ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
 moon:: ipsec status 2> /dev/null::local-net.*PASS::YES
 moon:: ipsec status 2> /dev/null::venus-icmp.*DROP::YES
-alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
-alice::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_seq=1::YES
-venus::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::NO
-venus::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_seq=1::YES
-moon:: ping -c 1 -I PH_IP_MOON1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
-moon:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-moon:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_seq=1::YES
-bob::  ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-bob::  ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_seq=1::YES
-bob::  ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_seq=1::NO
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
+alice::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_req=1::YES
+venus::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::NO
+venus::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_req=1::YES
+moon:: ping -c 1 -I PH_IP_MOON1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
+moon:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+moon:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES
+bob::  ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+bob::  ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_req=1::YES
+bob::  ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::NO
 sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
 sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
 venus::ssh PH_IP_BOB hostname::bob::YES
diff --git a/testing/tests/sql/shunt-policies/hosts/moon/etc/init.d/iptables b/testing/tests/sql/shunt-policies/hosts/moon/etc/init.d/iptables
deleted file mode 100755
index 2b90a14c7..000000000
--- a/testing/tests/sql/shunt-policies/hosts/moon/etc/init.d/iptables
+++ /dev/null
@@ -1,84 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# enable IP forwarding
-	echo 1 > /proc/sys/net/ipv4/ip_forward
-	
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	# allow esp
-	iptables -A INPUT  -i eth0 -p 50 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-	# allow IKE
-	iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
-	# allow MobIKE
-	iptables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-	# allow crl fetch from winnetou
-	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	# allow icmp in local net
-	iptables -A INPUT  -i eth1 -p icmp -j ACCEPT
-	iptables -A OUTPUT -o eth1 -p icmp -j ACCEPT
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/sql/shunt-policies/hosts/moon/etc/iptables.rules b/testing/tests/sql/shunt-policies/hosts/moon/etc/iptables.rules
new file mode 100644
index 000000000..af0f25209
--- /dev/null
+++ b/testing/tests/sql/shunt-policies/hosts/moon/etc/iptables.rules
@@ -0,0 +1,32 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow esp
+-A INPUT  -i eth0 -p 50 -j ACCEPT
+-A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+# allow IKE
+-A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT  -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+# allow icmp in local net
+-A INPUT  -i eth1 -p icmp -j ACCEPT
+-A OUTPUT -o eth1 -p icmp -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/sql/shunt-policies/posttest.dat b/testing/tests/sql/shunt-policies/posttest.dat
index 13f7ede0a..329a572b2 100644
--- a/testing/tests/sql/shunt-policies/posttest.dat
+++ b/testing/tests/sql/shunt-policies/posttest.dat
@@ -1,6 +1,6 @@
 moon::ipsec stop
 sun::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-sun::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
 moon::rm /etc/ipsec.d/ipsec.*
 sun::rm /etc/ipsec.d/ipsec.*
diff --git a/testing/tests/sql/shunt-policies/pretest.dat b/testing/tests/sql/shunt-policies/pretest.dat
index 2ab18542f..a1777efb0 100644
--- a/testing/tests/sql/shunt-policies/pretest.dat
+++ b/testing/tests/sql/shunt-policies/pretest.dat
@@ -4,8 +4,8 @@ moon::cat /etc/ipsec.d/tables.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
 sun::cat /etc/ipsec.d/tables.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
 moon::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
 sun::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
-moon::/etc/init.d/iptables start 2> /dev/null
-sun::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 sun::ipsec start
 moon::sleep 1 
diff --git a/testing/tests/sql/shunt-policies/test.conf b/testing/tests/sql/shunt-policies/test.conf
index d9a61590f..646b8b3e6 100644
--- a/testing/tests/sql/shunt-policies/test.conf
+++ b/testing/tests/sql/shunt-policies/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon winnetou sun bob"
+VIRTHOSTS="alice moon winnetou sun bob"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-w-s-b.png"
  
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="sun"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon sun"
diff --git a/testing/tests/tnc/tnccs-11-fhh/evaltest.dat b/testing/tests/tnc/tnccs-11-fhh/evaltest.dat
index b6663ea5e..6b7c713ef 100644
--- a/testing/tests/tnc/tnccs-11-fhh/evaltest.dat
+++ b/testing/tests/tnc/tnccs-11-fhh/evaltest.dat
@@ -1,9 +1,9 @@
 carol::cat /var/log/daemon.log::TNCCS-Recommendation.*allow::YES
-carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established ::YES
+carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
 carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
 carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/28::YES
 dave:: cat /var/log/daemon.log::TNCCS-Recommendation.*isolate::YES
-dave:: cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established ::YES
+dave:: cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
 dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
 dave:: cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES
 moon:: cat /var/log/daemon.log::added group membership 'allow'::YES
@@ -12,8 +12,8 @@ moon:: cat /var/log/daemon.log::added group membership 'isolate'::YES
 moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES
 moon:: ipsec statusall 2> /dev/null::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES
 moon:: ipsec statusall 2> /dev/null::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_ALICE: icmp_seq=1::NO
-dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_seq=1::YES
-dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_seq=1::NO
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_ALICE: icmp_req=1::NO
+dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_req=1::NO
 
diff --git a/testing/tests/tnc/tnccs-11-fhh/posttest.dat b/testing/tests/tnc/tnccs-11-fhh/posttest.dat
index 7cebd7f25..1865a1c60 100644
--- a/testing/tests/tnc/tnccs-11-fhh/posttest.dat
+++ b/testing/tests/tnc/tnccs-11-fhh/posttest.dat
@@ -1,6 +1,6 @@
 moon::ipsec stop
 carol::ipsec stop
 dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/tnc/tnccs-11-fhh/pretest.dat b/testing/tests/tnc/tnccs-11-fhh/pretest.dat
index c7a30ee7c..997c70a8e 100644
--- a/testing/tests/tnc/tnccs-11-fhh/pretest.dat
+++ b/testing/tests/tnc/tnccs-11-fhh/pretest.dat
@@ -1,6 +1,6 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
 moon::cat /etc/tnc_config
 carol::cat /etc/tnc_config
 dave::cat /etc/tnc_config
diff --git a/testing/tests/tnc/tnccs-11-fhh/test.conf b/testing/tests/tnc/tnccs-11-fhh/test.conf
index e28b8259b..a8a05af19 100644
--- a/testing/tests/tnc/tnccs-11-fhh/test.conf
+++ b/testing/tests/tnc/tnccs-11-fhh/test.conf
@@ -1,26 +1,26 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice venus moon carol winnetou dave"
+VIRTHOSTS="alice venus moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-v-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
 
-# UML instances on which FreeRadius is started
+# Guest instances on which FreeRadius is started
 #
 RADIUSHOSTS=
 
diff --git a/testing/tests/tnc/tnccs-11-radius-block/evaltest.dat b/testing/tests/tnc/tnccs-11-radius-block/evaltest.dat
index b875eed49..d93407434 100644
--- a/testing/tests/tnc/tnccs-11-radius-block/evaltest.dat
+++ b/testing/tests/tnc/tnccs-11-radius-block/evaltest.dat
@@ -9,6 +9,6 @@ dave:: cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/3
 moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
 moon:: cat /var/log/daemon.log::RADIUS authentication of 'dave@strongswan.org' failed::YES
 moon:: cat /var/log/daemon.log::EAP method EAP_TTLS failed for peer dave@strongswan.org::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_seq=1::NO
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_req=1::NO
 
diff --git a/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/freeradius/eap.conf b/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/freeradius/eap.conf
new file mode 100644
index 000000000..31556361e
--- /dev/null
+++ b/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/freeradius/eap.conf
@@ -0,0 +1,25 @@
+eap {
+  md5 {
+  }
+  default_eap_type = ttls
+  tls {
+    private_key_file = /etc/raddb/certs/aaaKey.pem
+    certificate_file = /etc/raddb/certs/aaaCert.pem
+    CA_file = /etc/raddb/certs/strongswanCert.pem
+    cipher_list = "DEFAULT"
+    dh_file = /etc/raddb/certs/dh
+    random_file = /etc/raddb/certs/random
+  }
+  ttls {
+    default_eap_type = md5
+    use_tunneled_reply = yes
+    virtual_server = "inner-tunnel"
+    tnc_virtual_server = "inner-tunnel-second"
+  }
+}
+
+eap eap_tnc {
+      default_eap_type = tnc
+      tnc {
+      }
+}
diff --git a/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/freeradius/proxy.conf b/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/freeradius/proxy.conf
new file mode 100644
index 000000000..23cba8d11
--- /dev/null
+++ b/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/freeradius/proxy.conf
@@ -0,0 +1,5 @@
+realm strongswan.org {
+  type     = radius
+  authhost = LOCAL
+  accthost = LOCAL
+}
diff --git a/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/freeradius/sites-available/default b/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/freeradius/sites-available/default
new file mode 100644
index 000000000..dd0825858
--- /dev/null
+++ b/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/freeradius/sites-available/default
@@ -0,0 +1,43 @@
+authorize {
+  suffix
+  eap {
+    ok = return
+  }
+  files
+}
+
+authenticate {
+  eap
+}
+
+preacct {
+  preprocess
+  acct_unique
+  suffix
+  files
+}
+
+accounting {
+  detail
+  unix
+  radutmp
+  attr_filter.accounting_response
+}
+
+session {
+  radutmp
+}
+
+post-auth {
+  exec
+  Post-Auth-Type REJECT {
+    attr_filter.access_reject
+  }
+}
+
+pre-proxy {
+}
+
+post-proxy {
+  eap
+}
diff --git a/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/freeradius/sites-available/inner-tunnel b/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/freeradius/sites-available/inner-tunnel
new file mode 100644
index 000000000..e088fae14
--- /dev/null
+++ b/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/freeradius/sites-available/inner-tunnel
@@ -0,0 +1,32 @@
+server inner-tunnel {
+
+authorize {
+	suffix
+	eap {
+		ok = return
+	}
+	files
+}
+
+authenticate {
+	eap
+}
+
+session {
+	radutmp
+}
+
+post-auth {
+	Post-Auth-Type REJECT {
+		attr_filter.access_reject
+	}
+}
+
+pre-proxy {
+}
+
+post-proxy {
+	eap
+}
+
+} # inner-tunnel server block
diff --git a/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/freeradius/sites-available/inner-tunnel-second b/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/freeradius/sites-available/inner-tunnel-second
new file mode 100644
index 000000000..2d4961288
--- /dev/null
+++ b/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/freeradius/sites-available/inner-tunnel-second
@@ -0,0 +1,23 @@
+server inner-tunnel-second {
+
+authorize {
+	eap_tnc {
+		ok = return
+	}
+}
+
+authenticate {
+	eap_tnc
+}
+
+session {
+	radutmp
+}
+
+post-auth {
+	Post-Auth-Type REJECT {
+		attr_filter.access_reject
+	}
+}
+
+} # inner-tunnel-second block
diff --git a/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/freeradius/users b/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/freeradius/users
new file mode 100644
index 000000000..50ccf3e76
--- /dev/null
+++ b/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/freeradius/users
@@ -0,0 +1,2 @@
+carol	Cleartext-Password := "Ar3etTnp"
+dave	Cleartext-Password := "W7R0g3do"
diff --git a/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/raddb/clients.conf b/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/raddb/clients.conf
deleted file mode 100644
index f4e179aa4..000000000
--- a/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/raddb/clients.conf
+++ /dev/null
@@ -1,4 +0,0 @@
-client PH_IP_MOON1 {
-  secret    = gv6URkSs 
-  shortname = moon
-}
diff --git a/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/raddb/dictionary b/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/raddb/dictionary
deleted file mode 100644
index 1a27a02fc..000000000
--- a/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/raddb/dictionary
+++ /dev/null
@@ -1,2 +0,0 @@
-$INCLUDE	/usr/share/freeradius/dictionary
-$INCLUDE	/etc/raddb/dictionary.tnc
diff --git a/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/raddb/dictionary.tnc b/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/raddb/dictionary.tnc
deleted file mode 100644
index f295467a9..000000000
--- a/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/raddb/dictionary.tnc
+++ /dev/null
@@ -1,5 +0,0 @@
-ATTRIBUTE	TNC-Status	3001	integer
-
-VALUE	TNC-Status	Access	0 
-VALUE	TNC-Status	Isolate	1
-VALUE	TNC-Status	None	2
diff --git a/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/raddb/eap.conf b/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/raddb/eap.conf
deleted file mode 100644
index 31556361e..000000000
--- a/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/raddb/eap.conf
+++ /dev/null
@@ -1,25 +0,0 @@
-eap {
-  md5 {
-  }
-  default_eap_type = ttls
-  tls {
-    private_key_file = /etc/raddb/certs/aaaKey.pem
-    certificate_file = /etc/raddb/certs/aaaCert.pem
-    CA_file = /etc/raddb/certs/strongswanCert.pem
-    cipher_list = "DEFAULT"
-    dh_file = /etc/raddb/certs/dh
-    random_file = /etc/raddb/certs/random
-  }
-  ttls {
-    default_eap_type = md5
-    use_tunneled_reply = yes
-    virtual_server = "inner-tunnel"
-    tnc_virtual_server = "inner-tunnel-second"
-  }
-}
-
-eap eap_tnc {
-      default_eap_type = tnc
-      tnc {
-      }
-}
diff --git a/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/raddb/proxy.conf b/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/raddb/proxy.conf
deleted file mode 100644
index 23cba8d11..000000000
--- a/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/raddb/proxy.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-realm strongswan.org {
-  type     = radius
-  authhost = LOCAL
-  accthost = LOCAL
-}
diff --git a/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/raddb/radiusd.conf b/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/raddb/radiusd.conf
deleted file mode 100644
index 1143a0473..000000000
--- a/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/raddb/radiusd.conf
+++ /dev/null
@@ -1,120 +0,0 @@
-# radiusd.conf	-- FreeRADIUS server configuration file.
-
-prefix = /usr
-exec_prefix = ${prefix}
-sysconfdir = /etc
-localstatedir = /var
-sbindir = ${exec_prefix}/sbin
-logdir = ${localstatedir}/log/radius
-raddbdir = ${sysconfdir}/raddb
-radacctdir = ${logdir}/radacct
-
-#  name of the running server.  See also the "-n" command-line option.
-name = radiusd
-
-#  Location of config and logfiles.
-confdir = ${raddbdir}
-run_dir = ${localstatedir}/run/radiusd
-
-# Should likely be ${localstatedir}/lib/radiusd
-db_dir = ${raddbdir}
-
-# libdir: Where to find the rlm_* modules.
-libdir = ${exec_prefix}/lib
-
-#  pidfile: Where to place the PID of the RADIUS server.
-pidfile = ${run_dir}/${name}.pid
-
-#  max_request_time: The maximum time (in seconds) to handle a request.
-max_request_time = 30
-
-#  cleanup_delay: The time to wait (in seconds) before cleaning up
-cleanup_delay = 5
-
-#  max_requests: The maximum number of requests which the server keeps
-max_requests = 1024
-
-#  listen: Make the server listen on a particular IP address, and send
-listen {
-  type = auth
-  ipaddr = PH_IP_ALICE 
-  port = 0
-}
-
-#  This second "listen" section is for listening on the accounting
-#  port, too.
-#
-listen {
-  type  = acct
-  ipaddr = PH_IP_ALICE 
-  port = 0
-}
-
-#  hostname_lookups: Log the names of clients or just their IP addresses
-hostname_lookups = no
-
-#  Core dumps are a bad thing.  This should only be set to 'yes'
-allow_core_dumps = no
-
-#  Regular expressions
-regular_expressions = yes
-extended_expressions = yes
-
-#  Logging section.  The various "log_*" configuration items
-log {
-  destination = files
-  file = ${logdir}/radius.log
-  syslog_facility = daemon
-  stripped_names = no
-  auth = yes 
-  auth_badpass = yes 
-  auth_goodpass = yes 
-}
-
-#  The program to execute to do concurrency checks.
-checkrad = ${sbindir}/checkrad
-
-#  Security considerations
-security {
-  max_attributes = 200
-  reject_delay = 1
-  status_server = yes
-}
-
-# PROXY CONFIGURATION
-proxy_requests = yes
-$INCLUDE proxy.conf
-
-# CLIENTS CONFIGURATION
-$INCLUDE clients.conf
-
-# THREAD POOL CONFIGURATION
-thread pool {
-  start_servers = 5
-  max_servers = 32
-  min_spare_servers = 3
-  max_spare_servers = 10
-  max_requests_per_server = 0
-}
-
-# MODULE CONFIGURATION
-modules {
-  $INCLUDE ${confdir}/modules/
-  $INCLUDE eap.conf
-  $INCLUDE sql.conf
-  $INCLUDE sql/mysql/counter.conf
-}
-
-# Instantiation
-instantiate {
-  exec
-  expr
-  expiration
-  logintime
-}
-
-# Policies
-$INCLUDE policy.conf
-
-# Include all enabled virtual hosts
-$INCLUDE sites-enabled/
diff --git a/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/raddb/sites-available/default b/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/raddb/sites-available/default
deleted file mode 100644
index 802fcfd8d..000000000
--- a/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/raddb/sites-available/default
+++ /dev/null
@@ -1,44 +0,0 @@
-authorize {
-  suffix
-  eap {
-    ok = return
-  }
-  files
-}
-
-authenticate {
-  eap
-}
-
-preacct {
-  preprocess
-  acct_unique
-  suffix
-  files
-}
-
-accounting {
-  detail
-  unix
-  radutmp
-  attr_filter.accounting_response
-}
-
-session {
-  radutmp
-}
-
-post-auth {
-  exec
-  Post-Auth-Type REJECT {
-    attr_filter.access_reject
-  }
-}
-
-pre-proxy {
-}
-
-post-proxy {
-  eap
-}
-
diff --git a/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/raddb/sites-available/inner-tunnel b/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/raddb/sites-available/inner-tunnel
deleted file mode 100644
index e088fae14..000000000
--- a/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/raddb/sites-available/inner-tunnel
+++ /dev/null
@@ -1,32 +0,0 @@
-server inner-tunnel {
-
-authorize {
-	suffix
-	eap {
-		ok = return
-	}
-	files
-}
-
-authenticate {
-	eap
-}
-
-session {
-	radutmp
-}
-
-post-auth {
-	Post-Auth-Type REJECT {
-		attr_filter.access_reject
-	}
-}
-
-pre-proxy {
-}
-
-post-proxy {
-	eap
-}
-
-} # inner-tunnel server block
diff --git a/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/raddb/sites-available/inner-tunnel-second b/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/raddb/sites-available/inner-tunnel-second
deleted file mode 100644
index 2d4961288..000000000
--- a/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/raddb/sites-available/inner-tunnel-second
+++ /dev/null
@@ -1,23 +0,0 @@
-server inner-tunnel-second {
-
-authorize {
-	eap_tnc {
-		ok = return
-	}
-}
-
-authenticate {
-	eap_tnc
-}
-
-session {
-	radutmp
-}
-
-post-auth {
-	Post-Auth-Type REJECT {
-		attr_filter.access_reject
-	}
-}
-
-} # inner-tunnel-second block
diff --git a/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/raddb/users b/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/raddb/users
deleted file mode 100644
index 50ccf3e76..000000000
--- a/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/raddb/users
+++ /dev/null
@@ -1,2 +0,0 @@
-carol	Cleartext-Password := "Ar3etTnp"
-dave	Cleartext-Password := "W7R0g3do"
diff --git a/testing/tests/tnc/tnccs-11-radius-block/hosts/moon/etc/init.d/iptables b/testing/tests/tnc/tnccs-11-radius-block/hosts/moon/etc/init.d/iptables
deleted file mode 100755
index 56587b2e8..000000000
--- a/testing/tests/tnc/tnccs-11-radius-block/hosts/moon/etc/init.d/iptables
+++ /dev/null
@@ -1,84 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# enable IP forwarding
-	echo 1 > /proc/sys/net/ipv4/ip_forward
-	
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	# allow esp
-	iptables -A INPUT  -i eth0 -p 50 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-	# allow IKE
-	iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
-	# allow MobIKE
-	iptables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-	# allow crl fetch from winnetou
-	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
-	# allow RADIUS protocol with alice
-	iptables -A INPUT  -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT
-	iptables -A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/tnc/tnccs-11-radius-block/hosts/moon/etc/iptables.rules b/testing/tests/tnc/tnccs-11-radius-block/hosts/moon/etc/iptables.rules
new file mode 100644
index 000000000..1eb755354
--- /dev/null
+++ b/testing/tests/tnc/tnccs-11-radius-block/hosts/moon/etc/iptables.rules
@@ -0,0 +1,32 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow esp
+-A INPUT  -i eth0 -p 50 -j ACCEPT
+-A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+# allow IKE
+-A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT  -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+# allow RADIUS protocol with alice
+-A INPUT  -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT
+-A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/tnc/tnccs-11-radius-block/posttest.dat b/testing/tests/tnc/tnccs-11-radius-block/posttest.dat
index 51d8ca1b3..5e5a8514d 100644
--- a/testing/tests/tnc/tnccs-11-radius-block/posttest.dat
+++ b/testing/tests/tnc/tnccs-11-radius-block/posttest.dat
@@ -2,8 +2,8 @@ moon::ipsec stop
 carol::ipsec stop
 dave::ipsec stop
 alice::killall radiusd
-alice::rm /etc/raddb/sites-enabled/inner-tunnel-second
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+alice::rm /etc/freeradius/sites-enabled/inner-tunnel-second
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
 dave::/etc/init.d/apache2 stop 2> /dev/null
diff --git a/testing/tests/tnc/tnccs-11-radius-block/pretest.dat b/testing/tests/tnc/tnccs-11-radius-block/pretest.dat
index 0fa88dbc7..c8f2139a8 100644
--- a/testing/tests/tnc/tnccs-11-radius-block/pretest.dat
+++ b/testing/tests/tnc/tnccs-11-radius-block/pretest.dat
@@ -1,9 +1,9 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
 dave::/etc/init.d/apache2 start 2> /dev/null
-alice::ln -s /etc/raddb/sites-available/inner-tunnel-second /etc/raddb/sites-enabled/inner-tunnel-second
-alice::cat /etc/raddb/sites-enabled/inner-tunnel-second
+alice::ln -s /etc/freeradius/sites-available/inner-tunnel-second /etc/freeradius/sites-enabled/inner-tunnel-second
+alice::cat /etc/freeradius/sites-enabled/inner-tunnel-second
 alice::LEAK_DETECTIVE_DISABLE=1 LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.properties radiusd
 moon::ipsec start
 carol::LEAK_DETECTIVE_DISABLE=1 ipsec start
diff --git a/testing/tests/tnc/tnccs-11-radius-block/test.conf b/testing/tests/tnc/tnccs-11-radius-block/test.conf
index bb6b68687..29bfaa78c 100644
--- a/testing/tests/tnc/tnccs-11-radius-block/test.conf
+++ b/testing/tests/tnc/tnccs-11-radius-block/test.conf
@@ -1,26 +1,26 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
 
-# UML instances on which FreeRadius is started
+# Guest instances on which FreeRadius is started
 #
 RADIUSHOSTS="alice"
 
diff --git a/testing/tests/tnc/tnccs-11-radius/evaltest.dat b/testing/tests/tnc/tnccs-11-radius/evaltest.dat
index d72239e8e..e22b767f7 100644
--- a/testing/tests/tnc/tnccs-11-radius/evaltest.dat
+++ b/testing/tests/tnc/tnccs-11-radius/evaltest.dat
@@ -1,10 +1,10 @@
 carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES
 carol::cat /var/log/daemon.log::TNCCS-Recommendation.*allow::YES
-carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established ::YES
+carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
 carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/28::YES
 dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES
 dave:: cat /var/log/daemon.log::TNCCS-Recommendation.*isolate::YES
-dave:: cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established ::YES
+dave:: cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
 dave:: cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES
 moon:: cat /var/log/daemon.log::received RADIUS attribute Filter-Id: 'allow'::YES
 moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
@@ -12,8 +12,8 @@ moon:: cat /var/log/daemon.log::received RADIUS attribute Filter-Id: 'isolate'::
 moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES
 moon:: ipsec statusall 2> /dev/null::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES
 moon:: ipsec statusall 2> /dev/null::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_ALICE: icmp_seq=1::NO
-dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_seq=1::YES
-dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_seq=1::NO
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_ALICE: icmp_req=1::NO
+dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_req=1::NO
 
diff --git a/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/freeradius/eap.conf b/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/freeradius/eap.conf
new file mode 100644
index 000000000..31556361e
--- /dev/null
+++ b/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/freeradius/eap.conf
@@ -0,0 +1,25 @@
+eap {
+  md5 {
+  }
+  default_eap_type = ttls
+  tls {
+    private_key_file = /etc/raddb/certs/aaaKey.pem
+    certificate_file = /etc/raddb/certs/aaaCert.pem
+    CA_file = /etc/raddb/certs/strongswanCert.pem
+    cipher_list = "DEFAULT"
+    dh_file = /etc/raddb/certs/dh
+    random_file = /etc/raddb/certs/random
+  }
+  ttls {
+    default_eap_type = md5
+    use_tunneled_reply = yes
+    virtual_server = "inner-tunnel"
+    tnc_virtual_server = "inner-tunnel-second"
+  }
+}
+
+eap eap_tnc {
+      default_eap_type = tnc
+      tnc {
+      }
+}
diff --git a/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/freeradius/proxy.conf b/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/freeradius/proxy.conf
new file mode 100644
index 000000000..23cba8d11
--- /dev/null
+++ b/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/freeradius/proxy.conf
@@ -0,0 +1,5 @@
+realm strongswan.org {
+  type     = radius
+  authhost = LOCAL
+  accthost = LOCAL
+}
diff --git a/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/freeradius/sites-available/default b/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/freeradius/sites-available/default
new file mode 100644
index 000000000..dd0825858
--- /dev/null
+++ b/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/freeradius/sites-available/default
@@ -0,0 +1,43 @@
+authorize {
+  suffix
+  eap {
+    ok = return
+  }
+  files
+}
+
+authenticate {
+  eap
+}
+
+preacct {
+  preprocess
+  acct_unique
+  suffix
+  files
+}
+
+accounting {
+  detail
+  unix
+  radutmp
+  attr_filter.accounting_response
+}
+
+session {
+  radutmp
+}
+
+post-auth {
+  exec
+  Post-Auth-Type REJECT {
+    attr_filter.access_reject
+  }
+}
+
+pre-proxy {
+}
+
+post-proxy {
+  eap
+}
diff --git a/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/freeradius/sites-available/inner-tunnel b/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/freeradius/sites-available/inner-tunnel
new file mode 100644
index 000000000..e088fae14
--- /dev/null
+++ b/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/freeradius/sites-available/inner-tunnel
@@ -0,0 +1,32 @@
+server inner-tunnel {
+
+authorize {
+	suffix
+	eap {
+		ok = return
+	}
+	files
+}
+
+authenticate {
+	eap
+}
+
+session {
+	radutmp
+}
+
+post-auth {
+	Post-Auth-Type REJECT {
+		attr_filter.access_reject
+	}
+}
+
+pre-proxy {
+}
+
+post-proxy {
+	eap
+}
+
+} # inner-tunnel server block
diff --git a/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/freeradius/sites-available/inner-tunnel-second b/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/freeradius/sites-available/inner-tunnel-second
new file mode 100644
index 000000000..c5bde6a9e
--- /dev/null
+++ b/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/freeradius/sites-available/inner-tunnel-second
@@ -0,0 +1,36 @@
+server inner-tunnel-second {
+
+authorize {
+	eap_tnc {
+		ok = return
+	}
+}
+
+authenticate {
+	eap_tnc
+}
+
+session {
+	radutmp
+}
+
+post-auth {
+	if (control:TNC-Status == "Access") {
+		update reply {
+			Tunnel-Type := ESP
+			Filter-Id := "allow"
+		}
+	}
+	elsif (control:TNC-Status == "Isolate") {
+		update reply {
+			Tunnel-Type := ESP
+			Filter-Id := "isolate"
+		}
+	}
+
+	Post-Auth-Type REJECT {
+		attr_filter.access_reject
+	}
+}
+
+} # inner-tunnel-second block
diff --git a/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/freeradius/users b/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/freeradius/users
new file mode 100644
index 000000000..50ccf3e76
--- /dev/null
+++ b/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/freeradius/users
@@ -0,0 +1,2 @@
+carol	Cleartext-Password := "Ar3etTnp"
+dave	Cleartext-Password := "W7R0g3do"
diff --git a/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/raddb/clients.conf b/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/raddb/clients.conf
deleted file mode 100644
index f4e179aa4..000000000
--- a/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/raddb/clients.conf
+++ /dev/null
@@ -1,4 +0,0 @@
-client PH_IP_MOON1 {
-  secret    = gv6URkSs 
-  shortname = moon
-}
diff --git a/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/raddb/dictionary b/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/raddb/dictionary
deleted file mode 100644
index 1a27a02fc..000000000
--- a/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/raddb/dictionary
+++ /dev/null
@@ -1,2 +0,0 @@
-$INCLUDE	/usr/share/freeradius/dictionary
-$INCLUDE	/etc/raddb/dictionary.tnc
diff --git a/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/raddb/dictionary.tnc b/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/raddb/dictionary.tnc
deleted file mode 100644
index f295467a9..000000000
--- a/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/raddb/dictionary.tnc
+++ /dev/null
@@ -1,5 +0,0 @@
-ATTRIBUTE	TNC-Status	3001	integer
-
-VALUE	TNC-Status	Access	0 
-VALUE	TNC-Status	Isolate	1
-VALUE	TNC-Status	None	2
diff --git a/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/raddb/eap.conf b/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/raddb/eap.conf
deleted file mode 100644
index 31556361e..000000000
--- a/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/raddb/eap.conf
+++ /dev/null
@@ -1,25 +0,0 @@
-eap {
-  md5 {
-  }
-  default_eap_type = ttls
-  tls {
-    private_key_file = /etc/raddb/certs/aaaKey.pem
-    certificate_file = /etc/raddb/certs/aaaCert.pem
-    CA_file = /etc/raddb/certs/strongswanCert.pem
-    cipher_list = "DEFAULT"
-    dh_file = /etc/raddb/certs/dh
-    random_file = /etc/raddb/certs/random
-  }
-  ttls {
-    default_eap_type = md5
-    use_tunneled_reply = yes
-    virtual_server = "inner-tunnel"
-    tnc_virtual_server = "inner-tunnel-second"
-  }
-}
-
-eap eap_tnc {
-      default_eap_type = tnc
-      tnc {
-      }
-}
diff --git a/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/raddb/proxy.conf b/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/raddb/proxy.conf
deleted file mode 100644
index 23cba8d11..000000000
--- a/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/raddb/proxy.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-realm strongswan.org {
-  type     = radius
-  authhost = LOCAL
-  accthost = LOCAL
-}
diff --git a/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/raddb/radiusd.conf b/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/raddb/radiusd.conf
deleted file mode 100644
index 1143a0473..000000000
--- a/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/raddb/radiusd.conf
+++ /dev/null
@@ -1,120 +0,0 @@
-# radiusd.conf	-- FreeRADIUS server configuration file.
-
-prefix = /usr
-exec_prefix = ${prefix}
-sysconfdir = /etc
-localstatedir = /var
-sbindir = ${exec_prefix}/sbin
-logdir = ${localstatedir}/log/radius
-raddbdir = ${sysconfdir}/raddb
-radacctdir = ${logdir}/radacct
-
-#  name of the running server.  See also the "-n" command-line option.
-name = radiusd
-
-#  Location of config and logfiles.
-confdir = ${raddbdir}
-run_dir = ${localstatedir}/run/radiusd
-
-# Should likely be ${localstatedir}/lib/radiusd
-db_dir = ${raddbdir}
-
-# libdir: Where to find the rlm_* modules.
-libdir = ${exec_prefix}/lib
-
-#  pidfile: Where to place the PID of the RADIUS server.
-pidfile = ${run_dir}/${name}.pid
-
-#  max_request_time: The maximum time (in seconds) to handle a request.
-max_request_time = 30
-
-#  cleanup_delay: The time to wait (in seconds) before cleaning up
-cleanup_delay = 5
-
-#  max_requests: The maximum number of requests which the server keeps
-max_requests = 1024
-
-#  listen: Make the server listen on a particular IP address, and send
-listen {
-  type = auth
-  ipaddr = PH_IP_ALICE 
-  port = 0
-}
-
-#  This second "listen" section is for listening on the accounting
-#  port, too.
-#
-listen {
-  type  = acct
-  ipaddr = PH_IP_ALICE 
-  port = 0
-}
-
-#  hostname_lookups: Log the names of clients or just their IP addresses
-hostname_lookups = no
-
-#  Core dumps are a bad thing.  This should only be set to 'yes'
-allow_core_dumps = no
-
-#  Regular expressions
-regular_expressions = yes
-extended_expressions = yes
-
-#  Logging section.  The various "log_*" configuration items
-log {
-  destination = files
-  file = ${logdir}/radius.log
-  syslog_facility = daemon
-  stripped_names = no
-  auth = yes 
-  auth_badpass = yes 
-  auth_goodpass = yes 
-}
-
-#  The program to execute to do concurrency checks.
-checkrad = ${sbindir}/checkrad
-
-#  Security considerations
-security {
-  max_attributes = 200
-  reject_delay = 1
-  status_server = yes
-}
-
-# PROXY CONFIGURATION
-proxy_requests = yes
-$INCLUDE proxy.conf
-
-# CLIENTS CONFIGURATION
-$INCLUDE clients.conf
-
-# THREAD POOL CONFIGURATION
-thread pool {
-  start_servers = 5
-  max_servers = 32
-  min_spare_servers = 3
-  max_spare_servers = 10
-  max_requests_per_server = 0
-}
-
-# MODULE CONFIGURATION
-modules {
-  $INCLUDE ${confdir}/modules/
-  $INCLUDE eap.conf
-  $INCLUDE sql.conf
-  $INCLUDE sql/mysql/counter.conf
-}
-
-# Instantiation
-instantiate {
-  exec
-  expr
-  expiration
-  logintime
-}
-
-# Policies
-$INCLUDE policy.conf
-
-# Include all enabled virtual hosts
-$INCLUDE sites-enabled/
diff --git a/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/raddb/sites-available/default b/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/raddb/sites-available/default
deleted file mode 100644
index 802fcfd8d..000000000
--- a/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/raddb/sites-available/default
+++ /dev/null
@@ -1,44 +0,0 @@
-authorize {
-  suffix
-  eap {
-    ok = return
-  }
-  files
-}
-
-authenticate {
-  eap
-}
-
-preacct {
-  preprocess
-  acct_unique
-  suffix
-  files
-}
-
-accounting {
-  detail
-  unix
-  radutmp
-  attr_filter.accounting_response
-}
-
-session {
-  radutmp
-}
-
-post-auth {
-  exec
-  Post-Auth-Type REJECT {
-    attr_filter.access_reject
-  }
-}
-
-pre-proxy {
-}
-
-post-proxy {
-  eap
-}
-
diff --git a/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/raddb/sites-available/inner-tunnel b/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/raddb/sites-available/inner-tunnel
deleted file mode 100644
index e088fae14..000000000
--- a/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/raddb/sites-available/inner-tunnel
+++ /dev/null
@@ -1,32 +0,0 @@
-server inner-tunnel {
-
-authorize {
-	suffix
-	eap {
-		ok = return
-	}
-	files
-}
-
-authenticate {
-	eap
-}
-
-session {
-	radutmp
-}
-
-post-auth {
-	Post-Auth-Type REJECT {
-		attr_filter.access_reject
-	}
-}
-
-pre-proxy {
-}
-
-post-proxy {
-	eap
-}
-
-} # inner-tunnel server block
diff --git a/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/raddb/sites-available/inner-tunnel-second b/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/raddb/sites-available/inner-tunnel-second
deleted file mode 100644
index f91bccc72..000000000
--- a/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/raddb/sites-available/inner-tunnel-second
+++ /dev/null
@@ -1,36 +0,0 @@
-server inner-tunnel-second {
-
-authorize {
-	eap_tnc {
-		ok = return
-	}
-}
-
-authenticate {
-	eap_tnc
-}
-
-session {
-	radutmp
-}
-
-post-auth {
-	if (control:TNC-Status == "Access") {
-		update reply {
-			Tunnel-Type := ESP 
-			Filter-Id := "allow"
-		}
-	}
-	elsif (control:TNC-Status == "Isolate") {
-		update reply {
-			Tunnel-Type := ESP 
-			Filter-Id := "isolate"	
-		}
-	}
-
-	Post-Auth-Type REJECT {
-		attr_filter.access_reject
-	}
-}
-
-} # inner-tunnel-second block
diff --git a/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/raddb/users b/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/raddb/users
deleted file mode 100644
index 50ccf3e76..000000000
--- a/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/raddb/users
+++ /dev/null
@@ -1,2 +0,0 @@
-carol	Cleartext-Password := "Ar3etTnp"
-dave	Cleartext-Password := "W7R0g3do"
diff --git a/testing/tests/tnc/tnccs-11-radius/hosts/moon/etc/init.d/iptables b/testing/tests/tnc/tnccs-11-radius/hosts/moon/etc/init.d/iptables
deleted file mode 100755
index 56587b2e8..000000000
--- a/testing/tests/tnc/tnccs-11-radius/hosts/moon/etc/init.d/iptables
+++ /dev/null
@@ -1,84 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# enable IP forwarding
-	echo 1 > /proc/sys/net/ipv4/ip_forward
-	
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	# allow esp
-	iptables -A INPUT  -i eth0 -p 50 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-	# allow IKE
-	iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
-	# allow MobIKE
-	iptables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-	# allow crl fetch from winnetou
-	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
-	# allow RADIUS protocol with alice
-	iptables -A INPUT  -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT
-	iptables -A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/tnc/tnccs-11-radius/hosts/moon/etc/iptables.rules b/testing/tests/tnc/tnccs-11-radius/hosts/moon/etc/iptables.rules
new file mode 100644
index 000000000..1eb755354
--- /dev/null
+++ b/testing/tests/tnc/tnccs-11-radius/hosts/moon/etc/iptables.rules
@@ -0,0 +1,32 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow esp
+-A INPUT  -i eth0 -p 50 -j ACCEPT
+-A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+# allow IKE
+-A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT  -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+# allow RADIUS protocol with alice
+-A INPUT  -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT
+-A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/tnc/tnccs-11-radius/posttest.dat b/testing/tests/tnc/tnccs-11-radius/posttest.dat
index 86bd89dea..a64a9147c 100644
--- a/testing/tests/tnc/tnccs-11-radius/posttest.dat
+++ b/testing/tests/tnc/tnccs-11-radius/posttest.dat
@@ -2,7 +2,7 @@ moon::ipsec stop
 carol::ipsec stop
 dave::ipsec stop
 alice::killall radiusd
-alice::rm /etc/raddb/sites-enabled/inner-tunnel-second
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+alice::rm /etc/freeradius/sites-enabled/inner-tunnel-second
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/tnc/tnccs-11-radius/pretest.dat b/testing/tests/tnc/tnccs-11-radius/pretest.dat
index b5d284278..8f79c776a 100644
--- a/testing/tests/tnc/tnccs-11-radius/pretest.dat
+++ b/testing/tests/tnc/tnccs-11-radius/pretest.dat
@@ -1,8 +1,8 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
-alice::ln -s /etc/raddb/sites-available/inner-tunnel-second /etc/raddb/sites-enabled/inner-tunnel-second
-alice::cat /etc/raddb/sites-enabled/inner-tunnel-second
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
+alice::ln -s /etc/freeradius/sites-available/inner-tunnel-second /etc/freeradius/sites-enabled/inner-tunnel-second
+alice::cat /etc/freeradius/sites-enabled/inner-tunnel-second
 alice::LEAK_DETECTIVE_DISABLE=1 LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.properties radiusd
 alice::cat /etc/tnc_config
 carol::cat /etc/tnc_config
diff --git a/testing/tests/tnc/tnccs-11-radius/test.conf b/testing/tests/tnc/tnccs-11-radius/test.conf
index 2a52df203..f23a19329 100644
--- a/testing/tests/tnc/tnccs-11-radius/test.conf
+++ b/testing/tests/tnc/tnccs-11-radius/test.conf
@@ -1,26 +1,26 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice venus moon carol winnetou dave"
+VIRTHOSTS="alice venus moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-v-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
 
-# UML instances on which FreeRadius is started
+# Guest instances on which FreeRadius is started
 #
 RADIUSHOSTS="alice"
 
diff --git a/testing/tests/tnc/tnccs-11/evaltest.dat b/testing/tests/tnc/tnccs-11/evaltest.dat
index b6663ea5e..6b7c713ef 100644
--- a/testing/tests/tnc/tnccs-11/evaltest.dat
+++ b/testing/tests/tnc/tnccs-11/evaltest.dat
@@ -1,9 +1,9 @@
 carol::cat /var/log/daemon.log::TNCCS-Recommendation.*allow::YES
-carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established ::YES
+carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
 carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
 carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/28::YES
 dave:: cat /var/log/daemon.log::TNCCS-Recommendation.*isolate::YES
-dave:: cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established ::YES
+dave:: cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
 dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
 dave:: cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES
 moon:: cat /var/log/daemon.log::added group membership 'allow'::YES
@@ -12,8 +12,8 @@ moon:: cat /var/log/daemon.log::added group membership 'isolate'::YES
 moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES
 moon:: ipsec statusall 2> /dev/null::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES
 moon:: ipsec statusall 2> /dev/null::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_ALICE: icmp_seq=1::NO
-dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_seq=1::YES
-dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_seq=1::NO
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_ALICE: icmp_req=1::NO
+dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_req=1::NO
 
diff --git a/testing/tests/tnc/tnccs-11/posttest.dat b/testing/tests/tnc/tnccs-11/posttest.dat
index 7cebd7f25..1865a1c60 100644
--- a/testing/tests/tnc/tnccs-11/posttest.dat
+++ b/testing/tests/tnc/tnccs-11/posttest.dat
@@ -1,6 +1,6 @@
 moon::ipsec stop
 carol::ipsec stop
 dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/tnc/tnccs-11/pretest.dat b/testing/tests/tnc/tnccs-11/pretest.dat
index dd729cb0b..7bfcf0d07 100644
--- a/testing/tests/tnc/tnccs-11/pretest.dat
+++ b/testing/tests/tnc/tnccs-11/pretest.dat
@@ -1,6 +1,6 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
 moon::cat /etc/tnc_config
 carol::cat /etc/tnc_config
 dave::cat /etc/tnc_config
diff --git a/testing/tests/tnc/tnccs-11/test.conf b/testing/tests/tnc/tnccs-11/test.conf
index e28b8259b..a8a05af19 100644
--- a/testing/tests/tnc/tnccs-11/test.conf
+++ b/testing/tests/tnc/tnccs-11/test.conf
@@ -1,26 +1,26 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice venus moon carol winnetou dave"
+VIRTHOSTS="alice venus moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-v-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
 
-# UML instances on which FreeRadius is started
+# Guest instances on which FreeRadius is started
 #
 RADIUSHOSTS=
 
diff --git a/testing/tests/tnc/tnccs-20-block/evaltest.dat b/testing/tests/tnc/tnccs-20-block/evaltest.dat
index 881f442b7..03b576efa 100644
--- a/testing/tests/tnc/tnccs-20-block/evaltest.dat
+++ b/testing/tests/tnc/tnccs-20-block/evaltest.dat
@@ -8,5 +8,5 @@ dave:: cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/3
 moon:: cat /var/log/daemon.log::added group membership 'allow'::YES
 moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
 moon:: cat /var/log/daemon.log::EAP method EAP_TTLS failed for peer dave@strongswan.org::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_seq=1::NO
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_req=1::NO
diff --git a/testing/tests/tnc/tnccs-20-block/posttest.dat b/testing/tests/tnc/tnccs-20-block/posttest.dat
index 50bb7e117..2258e03ff 100644
--- a/testing/tests/tnc/tnccs-20-block/posttest.dat
+++ b/testing/tests/tnc/tnccs-20-block/posttest.dat
@@ -1,7 +1,7 @@
 moon::ipsec stop
 carol::ipsec stop
 dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
 dave::/etc/init.d/apache2 stop 2> /dev/null
diff --git a/testing/tests/tnc/tnccs-20-block/pretest.dat b/testing/tests/tnc/tnccs-20-block/pretest.dat
index 7b0a42fcd..f5b3b2e8c 100644
--- a/testing/tests/tnc/tnccs-20-block/pretest.dat
+++ b/testing/tests/tnc/tnccs-20-block/pretest.dat
@@ -1,6 +1,6 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
 dave::/etc/init.d/apache2 start 2> /dev/null
 moon::cat /etc/tnc_config
 carol::cat /etc/tnc_config
diff --git a/testing/tests/tnc/tnccs-20-block/test.conf b/testing/tests/tnc/tnccs-20-block/test.conf
index e28b8259b..a8a05af19 100644
--- a/testing/tests/tnc/tnccs-20-block/test.conf
+++ b/testing/tests/tnc/tnccs-20-block/test.conf
@@ -1,26 +1,26 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice venus moon carol winnetou dave"
+VIRTHOSTS="alice venus moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-v-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
 
-# UML instances on which FreeRadius is started
+# Guest instances on which FreeRadius is started
 #
 RADIUSHOSTS=
 
diff --git a/testing/tests/tnc/tnccs-20-client-retry/evaltest.dat b/testing/tests/tnc/tnccs-20-client-retry/evaltest.dat
index 3d84f81e3..bac7294b2 100644
--- a/testing/tests/tnc/tnccs-20-client-retry/evaltest.dat
+++ b/testing/tests/tnc/tnccs-20-client-retry/evaltest.dat
@@ -1,9 +1,9 @@
 carol::cat /var/log/daemon.log::PB-TNC access recommendation is 'Access Allowed'::YES
-carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established ::YES
+carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
 carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
 carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/28::YES
 dave:: cat /var/log/daemon.log::PB-TNC access recommendation is 'Quarantined'::YES
-dave:: cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established ::YES
+dave:: cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
 dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
 dave:: cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES
 moon:: cat /var/log/daemon.log::added group membership 'allow'::YES
@@ -12,8 +12,8 @@ moon:: cat /var/log/daemon.log::added group membership 'isolate'::YES
 moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES
 moon:: ipsec statusall 2> /dev/null::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES
 moon:: ipsec statusall 2> /dev/null::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_ALICE: icmp_seq=1::NO
-dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_seq=1::YES
-dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_seq=1::NO
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_ALICE: icmp_req=1::NO
+dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_req=1::NO
 
diff --git a/testing/tests/tnc/tnccs-20-client-retry/posttest.dat b/testing/tests/tnc/tnccs-20-client-retry/posttest.dat
index 7cebd7f25..1865a1c60 100644
--- a/testing/tests/tnc/tnccs-20-client-retry/posttest.dat
+++ b/testing/tests/tnc/tnccs-20-client-retry/posttest.dat
@@ -1,6 +1,6 @@
 moon::ipsec stop
 carol::ipsec stop
 dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/tnc/tnccs-20-client-retry/pretest.dat b/testing/tests/tnc/tnccs-20-client-retry/pretest.dat
index 208f9daa9..b2b243ba3 100644
--- a/testing/tests/tnc/tnccs-20-client-retry/pretest.dat
+++ b/testing/tests/tnc/tnccs-20-client-retry/pretest.dat
@@ -1,6 +1,6 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
 moon::cat /etc/tnc_config
 carol::cat /etc/tnc_config
 dave::cat /etc/tnc_config
diff --git a/testing/tests/tnc/tnccs-20-client-retry/test.conf b/testing/tests/tnc/tnccs-20-client-retry/test.conf
index e28b8259b..a8a05af19 100644
--- a/testing/tests/tnc/tnccs-20-client-retry/test.conf
+++ b/testing/tests/tnc/tnccs-20-client-retry/test.conf
@@ -1,26 +1,26 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice venus moon carol winnetou dave"
+VIRTHOSTS="alice venus moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-v-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
 
-# UML instances on which FreeRadius is started
+# Guest instances on which FreeRadius is started
 #
 RADIUSHOSTS=
 
diff --git a/testing/tests/tnc/tnccs-20-fhh/evaltest.dat b/testing/tests/tnc/tnccs-20-fhh/evaltest.dat
index 3d84f81e3..bac7294b2 100644
--- a/testing/tests/tnc/tnccs-20-fhh/evaltest.dat
+++ b/testing/tests/tnc/tnccs-20-fhh/evaltest.dat
@@ -1,9 +1,9 @@
 carol::cat /var/log/daemon.log::PB-TNC access recommendation is 'Access Allowed'::YES
-carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established ::YES
+carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
 carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
 carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/28::YES
 dave:: cat /var/log/daemon.log::PB-TNC access recommendation is 'Quarantined'::YES
-dave:: cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established ::YES
+dave:: cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
 dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
 dave:: cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES
 moon:: cat /var/log/daemon.log::added group membership 'allow'::YES
@@ -12,8 +12,8 @@ moon:: cat /var/log/daemon.log::added group membership 'isolate'::YES
 moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES
 moon:: ipsec statusall 2> /dev/null::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES
 moon:: ipsec statusall 2> /dev/null::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_ALICE: icmp_seq=1::NO
-dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_seq=1::YES
-dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_seq=1::NO
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_ALICE: icmp_req=1::NO
+dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_req=1::NO
 
diff --git a/testing/tests/tnc/tnccs-20-fhh/posttest.dat b/testing/tests/tnc/tnccs-20-fhh/posttest.dat
index 7cebd7f25..1865a1c60 100644
--- a/testing/tests/tnc/tnccs-20-fhh/posttest.dat
+++ b/testing/tests/tnc/tnccs-20-fhh/posttest.dat
@@ -1,6 +1,6 @@
 moon::ipsec stop
 carol::ipsec stop
 dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/tnc/tnccs-20-fhh/pretest.dat b/testing/tests/tnc/tnccs-20-fhh/pretest.dat
index 76ad91f98..72c9b1665 100644
--- a/testing/tests/tnc/tnccs-20-fhh/pretest.dat
+++ b/testing/tests/tnc/tnccs-20-fhh/pretest.dat
@@ -1,6 +1,6 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
 moon::cat /etc/tnc_config
 carol::cat /etc/tnc_config
 dave::cat /etc/tnc_config
diff --git a/testing/tests/tnc/tnccs-20-fhh/test.conf b/testing/tests/tnc/tnccs-20-fhh/test.conf
index e28b8259b..a8a05af19 100644
--- a/testing/tests/tnc/tnccs-20-fhh/test.conf
+++ b/testing/tests/tnc/tnccs-20-fhh/test.conf
@@ -1,26 +1,26 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice venus moon carol winnetou dave"
+VIRTHOSTS="alice venus moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-v-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
 
-# UML instances on which FreeRadius is started
+# Guest instances on which FreeRadius is started
 #
 RADIUSHOSTS=
 
diff --git a/testing/tests/tnc/tnccs-20-os/description.txt b/testing/tests/tnc/tnccs-20-os/description.txt
new file mode 100644
index 000000000..b5d12fc8c
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-os/description.txt
@@ -0,0 +1,23 @@
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to gateway <b>moon</b>
+using EAP-TTLS authentication only with the gateway presenting a server certificate and
+the clients doing EAP-MD5 password-based authentication.
+In a next step the EAP-TNC protocol is used within the EAP-TTLS tunnel to determine the
+state of <b>carol</b>'s and <b>dave</b>'s operating system via the <b>TNCCS 2.0 </b>
+client-server interface compliant with <b>RFC 5793 PB-TNC</b>. The OS IMC and OS IMV pair
+is using the <b>IF-M 1.0</b> measurement protocol defined by <b>RFC 5792 PA-TNC</b> to
+exchange PA-TNC attributes.
+<p>
+<b>carol</b> sends information on her operating system consisting of the PA-TNC attributes
+<em>Product Information</em>, <em>String Version</em>, <em>Numeric Version</em>,
+<em>Operational Status</em>, <em>Forwarding Enabled</em>, and
+<em>Factory Default Password Enabled</em> up-front, whereas <b>dave</b> must be prompted
+by the IMV to do so via an <em>Attribute Request</em> PA-TNC attribute. <b>carol</b> is
+then prompted to send a list of installed packages using the <em>Installed Packages</em>
+PA-TNC attribute whereas <b>dave</b>'s "Windows 1.2.3" operating system is not supported
+and thus <b>dave</b> receives a <em>Remediation Instructions</em> PA-TNC attribute.
+<p>
+<b>carol</b> passes the health test and <b>dave</b> fails. Based on these assessments
+which are communicated to the IMCs using the <em>Assessment Result</em> PA-TNC attribute,
+the clients are connected by gateway <b>moon</b> to the "rw-allow" and "rw-isolate"
+subnets, respectively.
+</p>
diff --git a/testing/tests/tnc/tnccs-20-os/evaltest.dat b/testing/tests/tnc/tnccs-20-os/evaltest.dat
new file mode 100644
index 000000000..3c13e5ffa
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-os/evaltest.dat
@@ -0,0 +1,19 @@
+carol::cat /var/log/daemon.log::PB-TNC access recommendation is 'Access Allowed'::YES
+carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
+carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/28::YES
+dave:: cat /var/log/daemon.log::PB-TNC access recommendation is 'Quarantined'::YES
+dave:: cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
+dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
+dave:: cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES
+moon:: cat /var/log/daemon.log::added group membership 'allow'::YES
+moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
+moon:: cat /var/log/daemon.log::added group membership 'isolate'::YES
+moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES
+moon:: ipsec statusall 2> /dev/null::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES
+moon:: ipsec statusall 2> /dev/null::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::NO
+dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::NO
+
diff --git a/testing/tests/tnc/tnccs-20-os/hosts/carol/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-os/hosts/carol/etc/ipsec.conf
new file mode 100644
index 000000000..e2bf349d9
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-os/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	charondebug="tnc 3, imc 3"
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn home
+	left=PH_IP_CAROL
+	leftid=carol@strongswan.org
+	leftauth=eap
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+	rightauth=any
+	rightsendcert=never
+	rightsubnet=10.1.0.0/16
+	auto=add
diff --git a/testing/tests/tnc/tnccs-20-os/hosts/carol/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-os/hosts/carol/etc/ipsec.secrets
new file mode 100644
index 000000000..74942afda
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-os/hosts/carol/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+carol@strongswan.org : EAP "Ar3etTnp"
diff --git a/testing/tests/tnc/tnccs-20-os/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-os/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..34941e52c
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-os/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,19 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-tnccs tnc-imc tnccs-20 updown
+  multiple_authentication=no
+  plugins {
+    eap-tnc {
+      protocol = tnccs-2.0
+    }
+  }
+}
+
+libimcv {
+  plugins {
+    imc-os {
+      push_info = yes
+    }
+  }
+}
diff --git a/testing/tests/tnc/tnccs-20-os/hosts/carol/etc/tnc_config b/testing/tests/tnc/tnccs-20-os/hosts/carol/etc/tnc_config
new file mode 100644
index 000000000..25c28442f
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-os/hosts/carol/etc/tnc_config
@@ -0,0 +1,3 @@
+#IMC configuration file for strongSwan client 
+
+IMC "OS" /usr/local/lib/ipsec/imcvs/imc-os.so
diff --git a/testing/tests/tnc/tnccs-20-os/hosts/dave/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-os/hosts/dave/etc/ipsec.conf
new file mode 100644
index 000000000..77446cbae
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-os/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	charondebug="tnc 3, imc 3"
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn home
+	left=PH_IP_DAVE
+	leftid=dave@strongswan.org
+	leftauth=eap
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+	rightauth=any
+	rightsendcert=never
+	rightsubnet=10.1.0.0/16
+	auto=add
diff --git a/testing/tests/tnc/tnccs-20-os/hosts/dave/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-os/hosts/dave/etc/ipsec.secrets
new file mode 100644
index 000000000..5496df7ad
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-os/hosts/dave/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+dave@strongswan.org : EAP "W7R0g3do"
diff --git a/testing/tests/tnc/tnccs-20-os/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-os/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..149f51d65
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-os/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,26 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
+  multiple_authentication=no
+  plugins {
+    eap-tnc {
+      protocol = tnccs-2.0
+    }
+    tnc-imc {
+      preferred_language = de
+    }
+  }
+}
+
+libimcv {
+  os_info {
+    name = Windows
+    version = 1.2.3
+  }
+  plugins {
+    imc-os {
+      push_info = no
+    }
+  }
+}
diff --git a/testing/tests/tnc/tnccs-20-os/hosts/dave/etc/tnc_config b/testing/tests/tnc/tnccs-20-os/hosts/dave/etc/tnc_config
new file mode 100644
index 000000000..25c28442f
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-os/hosts/dave/etc/tnc_config
@@ -0,0 +1,3 @@
+#IMC configuration file for strongSwan client 
+
+IMC "OS" /usr/local/lib/ipsec/imcvs/imc-os.so
diff --git a/testing/tests/tnc/tnccs-20-os/hosts/moon/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-os/hosts/moon/etc/ipsec.conf
new file mode 100644
index 000000000..e21ef0d14
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-os/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,34 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	charondebug="tnc 3, imv 3"
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn rw-allow
+	rightgroups=allow
+	leftsubnet=10.1.0.0/28
+	also=rw-eap
+	auto=add
+
+conn rw-isolate
+	rightgroups=isolate
+	leftsubnet=10.1.0.16/28
+	also=rw-eap
+	auto=add
+
+conn rw-eap
+	left=PH_IP_MOON
+	leftcert=moonCert.pem
+	leftid=@moon.strongswan.org
+	leftauth=eap-ttls
+	leftfirewall=yes
+	rightauth=eap-ttls
+	rightid=*@strongswan.org
+	rightsendcert=never
+	right=%any
diff --git a/testing/tests/tnc/tnccs-20-os/hosts/moon/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-os/hosts/moon/etc/ipsec.secrets
new file mode 100644
index 000000000..2e277ccb0
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-os/hosts/moon/etc/ipsec.secrets
@@ -0,0 +1,6 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: RSA moonKey.pem
+
+carol@strongswan.org : EAP "Ar3etTnp"
+dave@strongswan.org  : EAP "W7R0g3do"
diff --git a/testing/tests/tnc/tnccs-20-os/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-os/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..b11617cb2
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-os/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,24 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-imv tnc-tnccs tnccs-20 updown
+  multiple_authentication=no
+  plugins {
+    eap-ttls {
+      phase2_method = md5
+      phase2_piggyback = yes
+      phase2_tnc = yes
+    }
+    eap-tnc {
+      protocol = tnccs-2.0
+    }
+  }
+}
+
+libimcv {
+  plugins {
+    imv-os {
+      request_installed_packages = yes 
+    }
+  }
+}
diff --git a/testing/tests/tnc/tnccs-20-os/hosts/moon/etc/tnc_config b/testing/tests/tnc/tnccs-20-os/hosts/moon/etc/tnc_config
new file mode 100644
index 000000000..b75a9cb1e
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-os/hosts/moon/etc/tnc_config
@@ -0,0 +1,3 @@
+#IMV configuration file for strongSwan client 
+
+IMV "OS" /usr/local/lib/ipsec/imcvs/imv-os.so
diff --git a/testing/tests/tnc/tnccs-20-os/posttest.dat b/testing/tests/tnc/tnccs-20-os/posttest.dat
new file mode 100644
index 000000000..74b902c69
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-os/posttest.dat
@@ -0,0 +1,7 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
+carol::echo 1 > /proc/sys/net/ipv4/ip_forward
diff --git a/testing/tests/tnc/tnccs-20-os/pretest.dat b/testing/tests/tnc/tnccs-20-os/pretest.dat
new file mode 100644
index 000000000..8169afab2
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-os/pretest.dat
@@ -0,0 +1,14 @@
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
+carol::echo 0 > /proc/sys/net/ipv4/ip_forward
+moon::cat /etc/tnc_config
+carol::cat /etc/tnc_config
+dave::cat /etc/tnc_config
+moon::ipsec start
+carol::ipsec start 
+dave::ipsec start 
+carol::sleep 1
+carol::ipsec up home
+dave::ipsec up home
+dave::sleep 1
diff --git a/testing/tests/tnc/tnccs-20-os/test.conf b/testing/tests/tnc/tnccs-20-os/test.conf
new file mode 100644
index 000000000..a8a05af19
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-os/test.conf
@@ -0,0 +1,26 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice venus moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-v-m-c-w-d.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
+
+# Guest instances on which FreeRadius is started
+#
+RADIUSHOSTS=
+
diff --git a/testing/tests/tnc/tnccs-20-pdp/evaltest.dat b/testing/tests/tnc/tnccs-20-pdp/evaltest.dat
index 83739b70a..e969774c5 100644
--- a/testing/tests/tnc/tnccs-20-pdp/evaltest.dat
+++ b/testing/tests/tnc/tnccs-20-pdp/evaltest.dat
@@ -1,10 +1,10 @@
 carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES
 carol::cat /var/log/daemon.log::PB-TNC access recommendation is .*Access Allowed::YES
-carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established ::YES
+carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
 carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/28::YES
 dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES
 dave:: cat /var/log/daemon.log::PB-TNC access recommendation is .*Quarantined::YES
-dave:: cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established ::YES
+dave:: cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
 dave:: cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES
 moon:: cat /var/log/daemon.log::received RADIUS attribute Filter-Id: 'allow'::YES
 moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
@@ -12,7 +12,7 @@ moon:: cat /var/log/daemon.log::received RADIUS attribute Filter-Id: 'isolate'::
 moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES
 moon:: ipsec statusall 2>/dev/null::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES
 moon:: ipsec statusall 2>/dev/null::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_ALICE: icmp_seq=1::NO
-dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_seq=1::YES
-dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_seq=1::NO
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::NO
+dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::NO
diff --git a/testing/tests/tnc/tnccs-20-pdp/hosts/moon/etc/init.d/iptables b/testing/tests/tnc/tnccs-20-pdp/hosts/moon/etc/init.d/iptables
deleted file mode 100755
index 56587b2e8..000000000
--- a/testing/tests/tnc/tnccs-20-pdp/hosts/moon/etc/init.d/iptables
+++ /dev/null
@@ -1,84 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# enable IP forwarding
-	echo 1 > /proc/sys/net/ipv4/ip_forward
-	
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	# allow esp
-	iptables -A INPUT  -i eth0 -p 50 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-	# allow IKE
-	iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
-	# allow MobIKE
-	iptables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-	# allow crl fetch from winnetou
-	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
-	# allow RADIUS protocol with alice
-	iptables -A INPUT  -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT
-	iptables -A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/tnc/tnccs-20-pdp/hosts/moon/etc/iptables.rules b/testing/tests/tnc/tnccs-20-pdp/hosts/moon/etc/iptables.rules
new file mode 100644
index 000000000..1eb755354
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-pdp/hosts/moon/etc/iptables.rules
@@ -0,0 +1,32 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow esp
+-A INPUT  -i eth0 -p 50 -j ACCEPT
+-A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+# allow IKE
+-A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT  -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+# allow RADIUS protocol with alice
+-A INPUT  -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT
+-A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/tnc/tnccs-20-pdp/posttest.dat b/testing/tests/tnc/tnccs-20-pdp/posttest.dat
index 16218f385..e7eecd5f4 100644
--- a/testing/tests/tnc/tnccs-20-pdp/posttest.dat
+++ b/testing/tests/tnc/tnccs-20-pdp/posttest.dat
@@ -2,6 +2,6 @@ moon::ipsec stop
 carol::ipsec stop
 dave::ipsec stop
 alice::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/tnc/tnccs-20-pdp/pretest.dat b/testing/tests/tnc/tnccs-20-pdp/pretest.dat
index 9b9d6b699..32ed4d854 100644
--- a/testing/tests/tnc/tnccs-20-pdp/pretest.dat
+++ b/testing/tests/tnc/tnccs-20-pdp/pretest.dat
@@ -1,6 +1,6 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
 alice::cat /etc/tnc_config
 carol::cat /etc/tnc_config
 dave::cat /etc/tnc_config
diff --git a/testing/tests/tnc/tnccs-20-pdp/test.conf b/testing/tests/tnc/tnccs-20-pdp/test.conf
index 400628531..c4ca1a19f 100644
--- a/testing/tests/tnc/tnccs-20-pdp/test.conf
+++ b/testing/tests/tnc/tnccs-20-pdp/test.conf
@@ -1,26 +1,26 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice venus moon carol winnetou dave"
+VIRTHOSTS="alice venus moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-v-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave alice"
 
-# UML instances on which FreeRadius is started
+# Guest instances on which FreeRadius is started
 #
 RADIUSHOSTS=
 
diff --git a/testing/tests/tnc/tnccs-20-server-retry/evaltest.dat b/testing/tests/tnc/tnccs-20-server-retry/evaltest.dat
index 3d84f81e3..bac7294b2 100644
--- a/testing/tests/tnc/tnccs-20-server-retry/evaltest.dat
+++ b/testing/tests/tnc/tnccs-20-server-retry/evaltest.dat
@@ -1,9 +1,9 @@
 carol::cat /var/log/daemon.log::PB-TNC access recommendation is 'Access Allowed'::YES
-carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established ::YES
+carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
 carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
 carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/28::YES
 dave:: cat /var/log/daemon.log::PB-TNC access recommendation is 'Quarantined'::YES
-dave:: cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established ::YES
+dave:: cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
 dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
 dave:: cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES
 moon:: cat /var/log/daemon.log::added group membership 'allow'::YES
@@ -12,8 +12,8 @@ moon:: cat /var/log/daemon.log::added group membership 'isolate'::YES
 moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES
 moon:: ipsec statusall 2> /dev/null::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES
 moon:: ipsec statusall 2> /dev/null::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_ALICE: icmp_seq=1::NO
-dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_seq=1::YES
-dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_seq=1::NO
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_ALICE: icmp_req=1::NO
+dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_req=1::NO
 
diff --git a/testing/tests/tnc/tnccs-20-server-retry/posttest.dat b/testing/tests/tnc/tnccs-20-server-retry/posttest.dat
index 7cebd7f25..1865a1c60 100644
--- a/testing/tests/tnc/tnccs-20-server-retry/posttest.dat
+++ b/testing/tests/tnc/tnccs-20-server-retry/posttest.dat
@@ -1,6 +1,6 @@
 moon::ipsec stop
 carol::ipsec stop
 dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/tnc/tnccs-20-server-retry/pretest.dat b/testing/tests/tnc/tnccs-20-server-retry/pretest.dat
index 208f9daa9..b2b243ba3 100644
--- a/testing/tests/tnc/tnccs-20-server-retry/pretest.dat
+++ b/testing/tests/tnc/tnccs-20-server-retry/pretest.dat
@@ -1,6 +1,6 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
 moon::cat /etc/tnc_config
 carol::cat /etc/tnc_config
 dave::cat /etc/tnc_config
diff --git a/testing/tests/tnc/tnccs-20-server-retry/test.conf b/testing/tests/tnc/tnccs-20-server-retry/test.conf
index e28b8259b..a8a05af19 100644
--- a/testing/tests/tnc/tnccs-20-server-retry/test.conf
+++ b/testing/tests/tnc/tnccs-20-server-retry/test.conf
@@ -1,26 +1,26 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice venus moon carol winnetou dave"
+VIRTHOSTS="alice venus moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-v-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
 
-# UML instances on which FreeRadius is started
+# Guest instances on which FreeRadius is started
 #
 RADIUSHOSTS=
 
diff --git a/testing/tests/tnc/tnccs-20-tls/evaltest.dat b/testing/tests/tnc/tnccs-20-tls/evaltest.dat
index 3d84f81e3..bac7294b2 100644
--- a/testing/tests/tnc/tnccs-20-tls/evaltest.dat
+++ b/testing/tests/tnc/tnccs-20-tls/evaltest.dat
@@ -1,9 +1,9 @@
 carol::cat /var/log/daemon.log::PB-TNC access recommendation is 'Access Allowed'::YES
-carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established ::YES
+carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
 carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
 carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/28::YES
 dave:: cat /var/log/daemon.log::PB-TNC access recommendation is 'Quarantined'::YES
-dave:: cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established ::YES
+dave:: cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
 dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
 dave:: cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES
 moon:: cat /var/log/daemon.log::added group membership 'allow'::YES
@@ -12,8 +12,8 @@ moon:: cat /var/log/daemon.log::added group membership 'isolate'::YES
 moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES
 moon:: ipsec statusall 2> /dev/null::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES
 moon:: ipsec statusall 2> /dev/null::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_ALICE: icmp_seq=1::NO
-dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_seq=1::YES
-dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_seq=1::NO
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_ALICE: icmp_req=1::NO
+dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_req=1::NO
 
diff --git a/testing/tests/tnc/tnccs-20-tls/posttest.dat b/testing/tests/tnc/tnccs-20-tls/posttest.dat
index 7cebd7f25..1865a1c60 100644
--- a/testing/tests/tnc/tnccs-20-tls/posttest.dat
+++ b/testing/tests/tnc/tnccs-20-tls/posttest.dat
@@ -1,6 +1,6 @@
 moon::ipsec stop
 carol::ipsec stop
 dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/tnc/tnccs-20-tls/pretest.dat b/testing/tests/tnc/tnccs-20-tls/pretest.dat
index c332f131b..cac1cfafc 100644
--- a/testing/tests/tnc/tnccs-20-tls/pretest.dat
+++ b/testing/tests/tnc/tnccs-20-tls/pretest.dat
@@ -1,6 +1,6 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
 moon::cat /etc/tnc_config
 carol::cat /etc/tnc_config
 dave::cat /etc/tnc_config
diff --git a/testing/tests/tnc/tnccs-20-tls/test.conf b/testing/tests/tnc/tnccs-20-tls/test.conf
index e28b8259b..a8a05af19 100644
--- a/testing/tests/tnc/tnccs-20-tls/test.conf
+++ b/testing/tests/tnc/tnccs-20-tls/test.conf
@@ -1,26 +1,26 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice venus moon carol winnetou dave"
+VIRTHOSTS="alice venus moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-v-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
 
-# UML instances on which FreeRadius is started
+# Guest instances on which FreeRadius is started
 #
 RADIUSHOSTS=
 
diff --git a/testing/tests/tnc/tnccs-20/evaltest.dat b/testing/tests/tnc/tnccs-20/evaltest.dat
index 3d84f81e3..bac7294b2 100644
--- a/testing/tests/tnc/tnccs-20/evaltest.dat
+++ b/testing/tests/tnc/tnccs-20/evaltest.dat
@@ -1,9 +1,9 @@
 carol::cat /var/log/daemon.log::PB-TNC access recommendation is 'Access Allowed'::YES
-carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established ::YES
+carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
 carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
 carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/28::YES
 dave:: cat /var/log/daemon.log::PB-TNC access recommendation is 'Quarantined'::YES
-dave:: cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established ::YES
+dave:: cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
 dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
 dave:: cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES
 moon:: cat /var/log/daemon.log::added group membership 'allow'::YES
@@ -12,8 +12,8 @@ moon:: cat /var/log/daemon.log::added group membership 'isolate'::YES
 moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES
 moon:: ipsec statusall 2> /dev/null::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES
 moon:: ipsec statusall 2> /dev/null::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_ALICE: icmp_seq=1::NO
-dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_seq=1::YES
-dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_seq=1::NO
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_ALICE: icmp_req=1::NO
+dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_req=1::NO
 
diff --git a/testing/tests/tnc/tnccs-20/hosts/carol/etc/ipsec.conf b/testing/tests/tnc/tnccs-20/hosts/carol/etc/ipsec.conf
index a483d6df8..e2bf349d9 100644
--- a/testing/tests/tnc/tnccs-20/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/tnc/tnccs-20/hosts/carol/etc/ipsec.conf
@@ -1,7 +1,7 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	charondebug="tnc 3, imc 2"
+	charondebug="tnc 3, imc 3"
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/tnc/tnccs-20/hosts/dave/etc/ipsec.conf b/testing/tests/tnc/tnccs-20/hosts/dave/etc/ipsec.conf
index 11378131a..77446cbae 100644
--- a/testing/tests/tnc/tnccs-20/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/tnc/tnccs-20/hosts/dave/etc/ipsec.conf
@@ -1,7 +1,7 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	charondebug="tnc 3, imc 2"
+	charondebug="tnc 3, imc 3"
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/tnc/tnccs-20/hosts/moon/etc/ipsec.conf b/testing/tests/tnc/tnccs-20/hosts/moon/etc/ipsec.conf
index b1093d46d..e21ef0d14 100644
--- a/testing/tests/tnc/tnccs-20/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/tnc/tnccs-20/hosts/moon/etc/ipsec.conf
@@ -1,7 +1,7 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	charondebug="tnc 3, imv 2"
+	charondebug="tnc 3, imv 3"
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/tnc/tnccs-20/posttest.dat b/testing/tests/tnc/tnccs-20/posttest.dat
index 7cebd7f25..1865a1c60 100644
--- a/testing/tests/tnc/tnccs-20/posttest.dat
+++ b/testing/tests/tnc/tnccs-20/posttest.dat
@@ -1,6 +1,6 @@
 moon::ipsec stop
 carol::ipsec stop
 dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/tnc/tnccs-20/pretest.dat b/testing/tests/tnc/tnccs-20/pretest.dat
index 208f9daa9..b2b243ba3 100644
--- a/testing/tests/tnc/tnccs-20/pretest.dat
+++ b/testing/tests/tnc/tnccs-20/pretest.dat
@@ -1,6 +1,6 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
 moon::cat /etc/tnc_config
 carol::cat /etc/tnc_config
 dave::cat /etc/tnc_config
diff --git a/testing/tests/tnc/tnccs-20/test.conf b/testing/tests/tnc/tnccs-20/test.conf
index e28b8259b..a8a05af19 100644
--- a/testing/tests/tnc/tnccs-20/test.conf
+++ b/testing/tests/tnc/tnccs-20/test.conf
@@ -1,26 +1,26 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice venus moon carol winnetou dave"
+VIRTHOSTS="alice venus moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-v-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
 
-# UML instances on which FreeRadius is started
+# Guest instances on which FreeRadius is started
 #
 RADIUSHOSTS=
 
diff --git a/testing/tests/tnc/tnccs-dynamic/evaltest.dat b/testing/tests/tnc/tnccs-dynamic/evaltest.dat
index 69baaf592..405298381 100644
--- a/testing/tests/tnc/tnccs-dynamic/evaltest.dat
+++ b/testing/tests/tnc/tnccs-dynamic/evaltest.dat
@@ -1,9 +1,9 @@
 carol::cat /var/log/daemon.log::TNCCS-Recommendation.*allow::YES
-carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established ::YES
+carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
 carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
 carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/28::YES
 dave:: cat /var/log/daemon.log::PB-TNC access recommendation is 'Quarantined'::YES
-dave:: cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established ::YES
+dave:: cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
 dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
 dave:: cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES
 moon:: cat /var/log/daemon.log::TNCCS 1.1 protocol detected dynamically::YES
@@ -20,8 +20,8 @@ moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP
 moon:: cat /var/log/daemon.log::removed TNCCS Connection ID 2::YES
 moon:: ipsec statusall 2> /dev/null::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES
 moon:: ipsec statusall 2> /dev/null::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_ALICE: icmp_seq=1::NO
-dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_seq=1::YES
-dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_seq=1::NO
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_ALICE: icmp_req=1::NO
+dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_req=1::NO
 
diff --git a/testing/tests/tnc/tnccs-dynamic/posttest.dat b/testing/tests/tnc/tnccs-dynamic/posttest.dat
index 7cebd7f25..1865a1c60 100644
--- a/testing/tests/tnc/tnccs-dynamic/posttest.dat
+++ b/testing/tests/tnc/tnccs-dynamic/posttest.dat
@@ -1,6 +1,6 @@
 moon::ipsec stop
 carol::ipsec stop
 dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/tnc/tnccs-dynamic/pretest.dat b/testing/tests/tnc/tnccs-dynamic/pretest.dat
index a7a3bf412..60775a11e 100644
--- a/testing/tests/tnc/tnccs-dynamic/pretest.dat
+++ b/testing/tests/tnc/tnccs-dynamic/pretest.dat
@@ -1,6 +1,6 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
 moon::cat /etc/tnc_config
 carol::cat /etc/tnc_config
 dave::cat /etc/tnc_config
diff --git a/testing/tests/tnc/tnccs-dynamic/test.conf b/testing/tests/tnc/tnccs-dynamic/test.conf
index e28b8259b..a8a05af19 100644
--- a/testing/tests/tnc/tnccs-dynamic/test.conf
+++ b/testing/tests/tnc/tnccs-dynamic/test.conf
@@ -1,26 +1,26 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice venus moon carol winnetou dave"
+VIRTHOSTS="alice venus moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-v-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
 
-# UML instances on which FreeRadius is started
+# Guest instances on which FreeRadius is started
 #
 RADIUSHOSTS=
 
diff --git a/ylwrap b/ylwrap
index 84d563405..92536350c 100755
--- a/ylwrap
+++ b/ylwrap
@@ -1,10 +1,10 @@
 #! /bin/sh
 # ylwrap - wrapper for lex/yacc invocations.
 
-scriptversion=2009-04-28.21; # UTC
+scriptversion=2011-08-25.18; # UTC
 
 # Copyright (C) 1996, 1997, 1998, 1999, 2001, 2002, 2003, 2004, 2005,
-# 2007, 2009 Free Software Foundation, Inc.
+# 2007, 2009, 2010, 2011 Free Software Foundation, Inc.
 #
 # Written by Tom Tromey <tromey@cygnus.com>.
 #
@@ -99,7 +99,11 @@ esac
 # FIXME: add hostname here for parallel makes that run commands on
 # other machines.  But that might take us over the 14-char limit.
 dirname=ylwrap$$
-trap "cd '`pwd`'; rm -rf $dirname > /dev/null 2>&1" 1 2 3 15
+do_exit="cd '`pwd`' && rm -rf $dirname > /dev/null 2>&1;"' (exit $ret); exit $ret'
+trap "ret=129; $do_exit" 1
+trap "ret=130; $do_exit" 2
+trap "ret=141; $do_exit" 13
+trap "ret=143; $do_exit" 15
 mkdir $dirname || exit 1
 
 cd $dirname
@@ -133,19 +137,19 @@ if test $ret -eq 0; then
     # Handle y_tab.c and y_tab.h output by DOS
     if test $y_tab_nodot = "yes"; then
       if test $from = "y.tab.c"; then
-    	from="y_tab.c"
+        from="y_tab.c"
       else
-    	if test $from = "y.tab.h"; then
-    	  from="y_tab.h"
-    	fi
+        if test $from = "y.tab.h"; then
+          from="y_tab.h"
+        fi
       fi
     fi
     if test -f "$from"; then
       # If $2 is an absolute path name, then just use that,
       # otherwise prepend `../'.
       case "$2" in
-    	[\\/]* | ?:[\\/]*) target="$2";;
-    	*) target="../$2";;
+        [\\/]* | ?:[\\/]*) target="$2";;
+        *) target="../$2";;
       esac
 
       # We do not want to overwrite a header file if it hasn't
@@ -155,8 +159,8 @@ if test $ret -eq 0; then
       # Makefile.  Divert the output of all other files to a temporary
       # file so we can compare them to existing versions.
       if test $first = no; then
-	realtarget="$target"
-	target="tmp-`echo $target | sed s/.*[\\/]//g`"
+        realtarget="$target"
+        target="tmp-`echo $target | sed s/.*[\\/]//g`"
       fi
       # Edit out `#line' or `#' directives.
       #
@@ -180,10 +184,10 @@ if test $ret -eq 0; then
 
       # Check whether header files must be updated.
       if test $first = no; then
-	if test -f "$realtarget" && cmp -s "$realtarget" "$target"; then
-	  echo "$2" is unchanged
-	  rm -f "$target"
-	else
+        if test -f "$realtarget" && cmp -s "$realtarget" "$target"; then
+          echo "$2" is unchanged
+          rm -f "$target"
+        else
           echo updating "$2"
           mv -f "$target" "$realtarget"
         fi
-- 
cgit v1.2.3


From 10e5fb2b9b2f27c83b3e5a1d048b158d5cf42a43 Mon Sep 17 00:00:00 2001
From: Yves-Alexis Perez <corsac@debian.org>
Date: Fri, 26 Apr 2013 14:57:47 +0200
Subject: Imported Upstream version 5.0.3

---
 Android.common.mk                                  |    2 +-
 Android.mk                                         |    3 +-
 Doxyfile.in                                        |  660 +++++--
 Makefile.in                                        |   52 +-
 NEWS                                               |   57 +-
 aclocal.m4                                         |   45 +-
 compile                                            |  343 ++++
 config.h.in                                        |    6 +
 config.sub                                         |   11 +-
 configure                                          | 1497 +++++++++++-----
 configure.in                                       |  576 +++---
 depcomp                                            |  124 +-
 init/Makefile.in                                   |   41 +-
 init/systemd/Makefile.in                           |   35 +-
 ltmain.sh                                          |    4 +-
 m4/macros/enable-disable.m4                        |    4 +-
 man/Makefile.in                                    |   47 +-
 man/ipsec.conf.5                                   |   19 +-
 man/ipsec.conf.5.in                                |   17 +
 man/ipsec.secrets.5                                |    2 +-
 man/strongswan.conf.5                              |   70 +-
 man/strongswan.conf.5.in                           |   70 +-
 scripts/Makefile.am                                |    5 +-
 scripts/Makefile.in                                |   54 +-
 scripts/crypt_burn.c                               |    4 +-
 scripts/dnssec.c                                   |  125 ++
 scripts/tls_test.c                                 |   59 +-
 src/Makefile.am                                    |    8 +
 src/Makefile.in                                    |   86 +-
 src/_copyright/Makefile.in                         |   35 +-
 src/_updown/Makefile.in                            |   50 +-
 src/_updown_espmark/Makefile.in                    |   50 +-
 src/charon-nm/Makefile.in                          |   35 +-
 src/charon-nm/nm/nm_backend.c                      |    4 +
 src/charon-nm/nm/nm_service.c                      |   64 +-
 src/charon-nm/nm/nm_service.h                      |    6 +-
 src/charon-tkm/Makefile.am                         |   54 +
 src/charon-tkm/Makefile.in                         |  506 ++++++
 src/charon-tkm/build_charon.gpr                    |   20 +
 src/charon-tkm/build_common.gpr                    |   25 +
 src/charon-tkm/build_tests.gpr                     |   14 +
 src/charon-tkm/src/charon-tkm.c                    |  387 ++++
 src/charon-tkm/src/ees/ees_callbacks.c             |   40 +
 src/charon-tkm/src/ees/ees_callbacks.h             |   42 +
 src/charon-tkm/src/ees/esa_event_service.adb       |   57 +
 src/charon-tkm/src/ees/esa_event_service.ads       |   30 +
 src/charon-tkm/src/ees/tkmrpc-servers-ees.adb      |   65 +
 src/charon-tkm/src/ehandler/eh_callbacks.c         |   28 +
 src/charon-tkm/src/ehandler/eh_callbacks.h         |   34 +
 src/charon-tkm/src/ehandler/exception_handler.adb  |   57 +
 src/charon-tkm/src/ehandler/exception_handler.ads  |   24 +
 src/charon-tkm/src/tkm/.gitignore                  |    1 +
 src/charon-tkm/src/tkm/tkm.c                       |  123 ++
 src/charon-tkm/src/tkm/tkm.h                       |  113 ++
 src/charon-tkm/src/tkm/tkm_chunk_map.c             |  171 ++
 src/charon-tkm/src/tkm/tkm_chunk_map.h             |   72 +
 src/charon-tkm/src/tkm/tkm_cred.c                  |  148 ++
 src/charon-tkm/src/tkm/tkm_cred.h                  |   51 +
 src/charon-tkm/src/tkm/tkm_diffie_hellman.c        |  140 ++
 src/charon-tkm/src/tkm/tkm_diffie_hellman.h        |   57 +
 src/charon-tkm/src/tkm/tkm_encoder.c               |  106 ++
 src/charon-tkm/src/tkm/tkm_encoder.h               |   33 +
 src/charon-tkm/src/tkm/tkm_id_manager.c            |  168 ++
 src/charon-tkm/src/tkm/tkm_id_manager.h            |   99 ++
 src/charon-tkm/src/tkm/tkm_kernel_ipsec.c          |  392 ++++
 src/charon-tkm/src/tkm/tkm_kernel_ipsec.h          |   47 +
 src/charon-tkm/src/tkm/tkm_kernel_sad.c            |  253 +++
 src/charon-tkm/src/tkm/tkm_kernel_sad.h            |   83 +
 src/charon-tkm/src/tkm/tkm_keymat.c                |  511 ++++++
 src/charon-tkm/src/tkm/tkm_keymat.h                |   77 +
 src/charon-tkm/src/tkm/tkm_listener.c              |  355 ++++
 src/charon-tkm/src/tkm/tkm_listener.h              |   52 +
 src/charon-tkm/src/tkm/tkm_nonceg.c                |  106 ++
 src/charon-tkm/src/tkm/tkm_nonceg.h                |   56 +
 src/charon-tkm/src/tkm/tkm_private_key.c           |  190 ++
 src/charon-tkm/src/tkm/tkm_private_key.h           |   45 +
 src/charon-tkm/src/tkm/tkm_public_key.c            |  169 ++
 src/charon-tkm/src/tkm/tkm_public_key.h            |   49 +
 src/charon-tkm/src/tkm/tkm_types.h                 |  128 ++
 src/charon-tkm/src/tkm/tkm_utils.c                 |   53 +
 src/charon-tkm/src/tkm/tkm_utils.h                 |   48 +
 src/charon-tkm/tests/.gitignore                    |    1 +
 src/charon-tkm/tests/chunk_map_tests.c             |   58 +
 src/charon-tkm/tests/diffie_hellman_tests.c        |   59 +
 src/charon-tkm/tests/id_manager_tests.c            |  150 ++
 src/charon-tkm/tests/kernel_sad_tests.c            |  122 ++
 src/charon-tkm/tests/keymat_tests.c                |  149 ++
 src/charon-tkm/tests/nonceg_tests.c                |   93 +
 src/charon-tkm/tests/test_runner.c                 |   84 +
 src/charon-tkm/tests/test_runner.h                 |   30 +
 src/charon-tkm/tests/utils_tests.c                 |   63 +
 src/charon/Makefile.in                             |   35 +-
 src/charon/charon.c                                |    1 +
 src/checksum/Makefile.in                           |   33 +-
 src/conftest/Makefile.in                           |   35 +-
 src/conftest/config.c                              |    6 +-
 src/conftest/config.h                              |    2 +-
 src/conftest/hooks/hook.h                          |    4 +-
 src/dumm/Makefile.in                               |   38 +-
 src/include/Makefile.in                            |   30 +-
 src/ipsec/Android.mk                               |    3 +-
 src/ipsec/Makefile.in                              |   50 +-
 src/ipsec/_ipsec.8                                 |    2 +-
 src/ipsec/_ipsec.in                                |   16 +-
 src/libcharon/Android.mk                           |   15 +-
 src/libcharon/Makefile.am                          |   29 +-
 src/libcharon/Makefile.in                          |  329 ++--
 src/libcharon/bus/bus.h                            |    4 +-
 src/libcharon/config/ike_cfg.c                     |   15 +-
 src/libcharon/config/ike_cfg.h                     |   10 +-
 src/libcharon/control/controller.c                 |   16 +-
 src/libcharon/encoding/message.c                   |    6 +-
 src/libcharon/encoding/payloads/notify_payload.c   |   14 +-
 src/libcharon/encoding/payloads/notify_payload.h   |    4 +-
 .../payloads/traffic_selector_substructure.c       |    6 +-
 src/libcharon/network/receiver.c                   |    2 +-
 src/libcharon/plugins/addrblock/Makefile.in        |   33 +-
 src/libcharon/plugins/android/Makefile.am          |   20 -
 src/libcharon/plugins/android/Makefile.in          |  640 -------
 src/libcharon/plugins/android/android_creds.c      |  294 ---
 src/libcharon/plugins/android/android_creds.h      |   73 -
 src/libcharon/plugins/android/android_handler.c    |  240 ---
 src/libcharon/plugins/android/android_handler.h    |   52 -
 src/libcharon/plugins/android/android_plugin.c     |   97 -
 src/libcharon/plugins/android/android_plugin.h     |   42 -
 src/libcharon/plugins/android/android_service.c    |  389 ----
 src/libcharon/plugins/android/android_service.h    |   54 -
 src/libcharon/plugins/android_dns/Makefile.am      |   18 +
 src/libcharon/plugins/android_dns/Makefile.in      |  660 +++++++
 .../plugins/android_dns/android_dns_handler.c      |  235 +++
 .../plugins/android_dns/android_dns_handler.h      |   50 +
 .../plugins/android_dns/android_dns_plugin.c       |   76 +
 .../plugins/android_dns/android_dns_plugin.h       |   42 +
 src/libcharon/plugins/android_log/Makefile.in      |   33 +-
 src/libcharon/plugins/certexpire/Makefile.in       |   33 +-
 src/libcharon/plugins/coupling/Makefile.in         |   33 +-
 src/libcharon/plugins/dhcp/Makefile.in             |   33 +-
 src/libcharon/plugins/duplicheck/Makefile.in       |   38 +-
 .../plugins/duplicheck/duplicheck_listener.c       |  186 +-
 src/libcharon/plugins/eap_aka/Makefile.in          |   33 +-
 src/libcharon/plugins/eap_aka_3gpp2/Makefile.in    |   33 +-
 src/libcharon/plugins/eap_dynamic/Makefile.in      |   33 +-
 src/libcharon/plugins/eap_gtc/Makefile.in          |   33 +-
 src/libcharon/plugins/eap_identity/Makefile.in     |   33 +-
 src/libcharon/plugins/eap_md5/Makefile.in          |   33 +-
 src/libcharon/plugins/eap_mschapv2/Makefile.in     |   33 +-
 src/libcharon/plugins/eap_peap/Makefile.in         |   33 +-
 src/libcharon/plugins/eap_radius/Makefile.am       |    1 +
 src/libcharon/plugins/eap_radius/Makefile.in       |   39 +-
 src/libcharon/plugins/eap_radius/eap_radius.c      |  142 +-
 .../plugins/eap_radius/eap_radius_accounting.c     |  425 ++++-
 .../plugins/eap_radius/eap_radius_accounting.h     |    8 +
 .../plugins/eap_radius/eap_radius_plugin.c         |   66 +-
 .../plugins/eap_radius/eap_radius_plugin.h         |   11 +
 .../plugins/eap_radius/eap_radius_provider.c       |  486 +++++
 .../plugins/eap_radius/eap_radius_provider.h       |   74 +
 src/libcharon/plugins/eap_sim/Makefile.in          |   33 +-
 src/libcharon/plugins/eap_sim_file/Makefile.in     |   33 +-
 src/libcharon/plugins/eap_sim_pcsc/Makefile.in     |   33 +-
 .../plugins/eap_simaka_pseudonym/Makefile.in       |   33 +-
 .../plugins/eap_simaka_reauth/Makefile.in          |   33 +-
 src/libcharon/plugins/eap_simaka_sql/Makefile.in   |   33 +-
 src/libcharon/plugins/eap_tls/Makefile.in          |   33 +-
 src/libcharon/plugins/eap_tnc/Makefile.in          |   33 +-
 src/libcharon/plugins/eap_tnc/eap_tnc.c            |   83 +-
 src/libcharon/plugins/eap_tnc/eap_tnc.h            |    6 +-
 src/libcharon/plugins/eap_ttls/Makefile.in         |   33 +-
 src/libcharon/plugins/eap_ttls/eap_ttls_server.c   |   13 +-
 src/libcharon/plugins/error_notify/Makefile.in     |   38 +-
 .../plugins/error_notify/error_notify_socket.c     |    6 +
 src/libcharon/plugins/farp/Makefile.in             |   33 +-
 src/libcharon/plugins/ha/Makefile.in               |   33 +-
 src/libcharon/plugins/ha/ha_attribute.c            |    2 +-
 src/libcharon/plugins/ha/ha_segments.c             |   90 +-
 src/libcharon/plugins/ha/ha_tunnel.c               |    3 +-
 src/libcharon/plugins/ipseckey/Makefile.am         |   18 +
 src/libcharon/plugins/ipseckey/Makefile.in         |  662 +++++++
 src/libcharon/plugins/ipseckey/ipseckey.c          |  209 +++
 src/libcharon/plugins/ipseckey/ipseckey.h          |  149 ++
 src/libcharon/plugins/ipseckey/ipseckey_cred.c     |  263 +++
 src/libcharon/plugins/ipseckey/ipseckey_cred.h     |   57 +
 src/libcharon/plugins/ipseckey/ipseckey_plugin.c   |  103 ++
 src/libcharon/plugins/ipseckey/ipseckey_plugin.h   |   48 +
 src/libcharon/plugins/led/Makefile.in              |   33 +-
 src/libcharon/plugins/load_tester/Makefile.in      |   38 +-
 .../plugins/load_tester/load_tester_config.c       |  149 +-
 .../plugins/load_tester/load_tester_ipsec.c        |    4 +-
 .../plugins/load_tester/load_tester_listener.c     |    1 -
 src/libcharon/plugins/lookip/Makefile.in           |   38 +-
 src/libcharon/plugins/maemo/Makefile.in            |   38 +-
 src/libcharon/plugins/maemo/maemo_service.c        |    4 +-
 src/libcharon/plugins/medcli/Makefile.in           |   33 +-
 src/libcharon/plugins/medcli/medcli_config.c       |    7 +-
 src/libcharon/plugins/medsrv/Makefile.in           |   33 +-
 src/libcharon/plugins/medsrv/medsrv_config.c       |    3 +-
 src/libcharon/plugins/medsrv/medsrv_config.h       |    2 +-
 src/libcharon/plugins/medsrv/medsrv_creds.h        |    2 +-
 src/libcharon/plugins/medsrv/medsrv_plugin.h       |    4 +-
 src/libcharon/plugins/radattr/Makefile.in          |   33 +-
 src/libcharon/plugins/smp/Makefile.in              |   33 +-
 src/libcharon/plugins/socket_default/Makefile.in   |   33 +-
 .../plugins/socket_default/socket_default_socket.c |  136 +-
 src/libcharon/plugins/socket_dynamic/Makefile.in   |   33 +-
 src/libcharon/plugins/sql/Makefile.in              |   33 +-
 src/libcharon/plugins/sql/sql_config.c             |    3 +-
 src/libcharon/plugins/stroke/Makefile.in           |   33 +-
 src/libcharon/plugins/stroke/stroke_config.c       |   79 +-
 src/libcharon/plugins/stroke/stroke_control.c      |  100 +-
 src/libcharon/plugins/stroke/stroke_counter.c      |  222 ++-
 src/libcharon/plugins/stroke/stroke_counter.h      |   10 +-
 src/libcharon/plugins/stroke/stroke_cred.c         |   49 +-
 src/libcharon/plugins/stroke/stroke_list.c         |   19 +-
 src/libcharon/plugins/stroke/stroke_socket.c       |   44 +-
 src/libcharon/plugins/systime_fix/Makefile.am      |   15 +
 src/libcharon/plugins/systime_fix/Makefile.in      |  658 +++++++
 .../plugins/systime_fix/systime_fix_plugin.c       |  256 +++
 .../plugins/systime_fix/systime_fix_plugin.h       |   42 +
 .../plugins/systime_fix/systime_fix_validator.c    |   83 +
 .../plugins/systime_fix/systime_fix_validator.h    |   49 +
 src/libcharon/plugins/tnc_ifmap/Makefile.am        |   18 +-
 src/libcharon/plugins/tnc_ifmap/Makefile.in        |   59 +-
 src/libcharon/plugins/tnc_ifmap/tnc_ifmap_http.c   |  244 +++
 src/libcharon/plugins/tnc_ifmap/tnc_ifmap_http.h   |   68 +
 .../plugins/tnc_ifmap/tnc_ifmap_listener.c         |   25 +-
 .../plugins/tnc_ifmap/tnc_ifmap_listener.h         |    2 +-
 src/libcharon/plugins/tnc_ifmap/tnc_ifmap_plugin.c |   55 +-
 src/libcharon/plugins/tnc_ifmap/tnc_ifmap_plugin.h |    2 +-
 .../tnc_ifmap/tnc_ifmap_renew_session_job.c        |  103 ++
 .../tnc_ifmap/tnc_ifmap_renew_session_job.h        |   51 +
 src/libcharon/plugins/tnc_ifmap/tnc_ifmap_soap.c   |  920 +++++-----
 src/libcharon/plugins/tnc_ifmap/tnc_ifmap_soap.h   |   30 +-
 .../plugins/tnc_ifmap/tnc_ifmap_soap_msg.c         |  256 +++
 .../plugins/tnc_ifmap/tnc_ifmap_soap_msg.h         |   62 +
 src/libcharon/plugins/tnc_imc/Makefile.am          |    3 +-
 src/libcharon/plugins/tnc_imc/Makefile.in          |   36 +-
 src/libcharon/plugins/tnc_imv/Makefile.am          |    3 +-
 src/libcharon/plugins/tnc_imv/Makefile.in          |   36 +-
 src/libcharon/plugins/tnc_pdp/Makefile.in          |   33 +-
 src/libcharon/plugins/tnc_pdp/tnc_pdp.c            |   12 +-
 .../plugins/tnc_pdp/tnc_pdp_connections.c          |   98 +-
 .../plugins/tnc_pdp/tnc_pdp_connections.h          |   10 +-
 src/libcharon/plugins/tnc_tnccs/Makefile.am        |    1 +
 src/libcharon/plugins/tnc_tnccs/Makefile.in        |   34 +-
 .../plugins/tnc_tnccs/tnc_tnccs_manager.c          |  160 +-
 src/libcharon/plugins/tnccs_11/Makefile.in         |   33 +-
 src/libcharon/plugins/tnccs_11/batch/tnccs_batch.c |   39 +-
 .../plugins/tnccs_11/messages/imc_imv_msg.c        |   18 +-
 .../plugins/tnccs_11/messages/tnccs_error_msg.c    |   21 +-
 .../plugins/tnccs_11/messages/tnccs_msg.c          |    6 +-
 .../messages/tnccs_preferred_language_msg.c        |   14 +-
 .../tnccs_11/messages/tnccs_reason_strings_msg.c   |   32 +-
 .../tnccs_11/messages/tnccs_recommendation_msg.c   |   20 +-
 .../messages/tnccs_tncs_contact_info_msg.c         |   12 +-
 src/libcharon/plugins/tnccs_11/tnccs_11.c          |   94 +-
 src/libcharon/plugins/tnccs_11/tnccs_11.h          |   16 +-
 src/libcharon/plugins/tnccs_11/tnccs_11_plugin.c   |    3 -
 src/libcharon/plugins/tnccs_20/Makefile.in         |   33 +-
 .../plugins/tnccs_20/batch/pb_tnc_batch.c          |    9 +-
 .../plugins/tnccs_20/messages/pb_pa_msg.c          |    1 +
 .../messages/pb_remediation_parameters_msg.c       |  200 ++-
 .../messages/pb_remediation_parameters_msg.h       |   64 +-
 src/libcharon/plugins/tnccs_20/tnccs_20.c          |  134 +-
 src/libcharon/plugins/tnccs_20/tnccs_20.h          |   16 +-
 src/libcharon/plugins/tnccs_20/tnccs_20_plugin.c   |    3 -
 src/libcharon/plugins/tnccs_dynamic/Makefile.in    |   33 +-
 .../plugins/tnccs_dynamic/tnccs_dynamic.c          |  103 +-
 .../plugins/tnccs_dynamic/tnccs_dynamic.h          |   16 +-
 .../plugins/tnccs_dynamic/tnccs_dynamic_plugin.c   |    3 -
 src/libcharon/plugins/uci/Makefile.in              |   33 +-
 src/libcharon/plugins/uci/uci_config.c             |    7 +-
 src/libcharon/plugins/unit_tester/Makefile.in      |   33 +-
 src/libcharon/plugins/unity/Makefile.in            |   33 +-
 src/libcharon/plugins/unity/unity_handler.c        |   19 +-
 src/libcharon/plugins/updown/Makefile.in           |   33 +-
 src/libcharon/plugins/whitelist/Makefile.in        |   38 +-
 src/libcharon/plugins/xauth_eap/Makefile.in        |   33 +-
 src/libcharon/plugins/xauth_generic/Makefile.in    |   33 +-
 src/libcharon/plugins/xauth_noauth/Makefile.am     |   17 +
 src/libcharon/plugins/xauth_noauth/Makefile.in     |  659 +++++++
 src/libcharon/plugins/xauth_noauth/xauth_noauth.c  |   89 +
 src/libcharon/plugins/xauth_noauth/xauth_noauth.h  |   50 +
 .../plugins/xauth_noauth/xauth_noauth_plugin.c     |   60 +
 .../plugins/xauth_noauth/xauth_noauth_plugin.h     |   45 +
 src/libcharon/plugins/xauth_pam/Makefile.in        |   33 +-
 src/libcharon/processing/jobs/delete_ike_sa_job.c  |   12 +-
 src/libcharon/processing/jobs/dpd_timeout_job.c    |    3 +-
 src/libcharon/processing/jobs/inactivity_job.c     |    5 +-
 src/libcharon/sa/child_sa.c                        |   25 +-
 src/libcharon/sa/child_sa.h                        |    3 +-
 src/libcharon/sa/eap/eap_inner_method.h            |   57 +
 src/libcharon/sa/ike_sa.c                          |   56 +-
 src/libcharon/sa/ike_sa_manager.c                  |   76 +-
 src/libcharon/sa/ikev1/keymat_v1.c                 |    1 +
 src/libcharon/sa/ikev1/task_manager_v1.c           |   44 +-
 src/libcharon/sa/ikev1/tasks/aggressive_mode.c     |    9 +-
 src/libcharon/sa/ikev1/tasks/main_mode.c           |    9 +-
 src/libcharon/sa/ikev1/tasks/quick_delete.c        |    4 +-
 src/libcharon/sa/ikev1/tasks/quick_mode.c          |   60 +-
 src/libcharon/sa/ikev1/tasks/xauth.c               |   66 +-
 .../sa/ikev2/authenticators/eap_authenticator.c    |   10 +
 src/libcharon/sa/ikev2/task_manager_v2.c           |   17 +
 src/libcharon/sa/ikev2/tasks/child_create.c        |    9 +
 src/libcharon/sa/ikev2/tasks/child_delete.c        |    4 +-
 src/libcharon/sa/ikev2/tasks/child_rekey.c         |   37 +-
 src/libcharon/sa/ikev2/tasks/ike_auth.c            |   68 +-
 src/libcharon/sa/ikev2/tasks/ike_dpd.c             |   10 +-
 src/libcharon/sa/xauth/xauth_manager.c             |    7 +-
 src/libfast/Makefile.in                            |   40 +-
 src/libfast/controller.h                           |    2 +-
 src/libhydra/Android.mk                            |    4 +-
 src/libhydra/Makefile.in                           |   44 +-
 src/libhydra/attributes/mem_pool.c                 |   55 +-
 src/libhydra/attributes/mem_pool.h                 |   16 +-
 src/libhydra/kernel/kernel_interface.c             |   24 +-
 src/libhydra/kernel/kernel_interface.h             |   22 +-
 src/libhydra/kernel/kernel_ipsec.h                 |   11 +-
 src/libhydra/kernel/kernel_net.h                   |    8 +
 src/libhydra/plugins/attr/Makefile.in              |   33 +-
 src/libhydra/plugins/attr/attr_provider.c          |   53 +-
 src/libhydra/plugins/attr_sql/Makefile.in          |   38 +-
 src/libhydra/plugins/attr_sql/pool.c               |   15 +
 src/libhydra/plugins/attr_sql/sql_attribute.c      |   31 +-
 src/libhydra/plugins/kernel_klips/Makefile.in      |   33 +-
 .../plugins/kernel_klips/kernel_klips_ipsec.c      |    4 +-
 src/libhydra/plugins/kernel_netlink/Makefile.in    |   33 +-
 .../plugins/kernel_netlink/kernel_netlink_ipsec.c  |  410 ++---
 .../plugins/kernel_netlink/kernel_netlink_net.c    |    4 +
 .../plugins/kernel_netlink/kernel_netlink_shared.c |   23 +-
 .../plugins/kernel_netlink/kernel_netlink_shared.h |   25 +-
 src/libhydra/plugins/kernel_pfkey/Makefile.in      |   33 +-
 .../plugins/kernel_pfkey/kernel_pfkey_ipsec.c      |   19 +-
 src/libhydra/plugins/kernel_pfroute/Makefile.in    |   33 +-
 src/libhydra/plugins/resolve/Makefile.in           |   33 +-
 src/libimcv/Makefile.in                            |   44 +-
 src/libimcv/ietf/ietf_attr.h                       |    4 +-
 src/libimcv/ietf/ietf_attr_assess_result.c         |    2 +-
 src/libimcv/ietf/ietf_attr_assess_result.h         |    2 +-
 src/libimcv/ietf/ietf_attr_attr_request.c          |    2 +-
 src/libimcv/ietf/ietf_attr_attr_request.h          |    2 +-
 src/libimcv/ietf/ietf_attr_default_pwd_enabled.c   |    2 +-
 src/libimcv/ietf/ietf_attr_default_pwd_enabled.h   |    2 +-
 src/libimcv/ietf/ietf_attr_fwd_enabled.c           |    2 +-
 src/libimcv/ietf/ietf_attr_fwd_enabled.h           |    2 +-
 src/libimcv/ietf/ietf_attr_installed_packages.c    |    2 +-
 src/libimcv/ietf/ietf_attr_installed_packages.h    |    2 +-
 src/libimcv/ietf/ietf_attr_numeric_version.c       |    2 +-
 src/libimcv/ietf/ietf_attr_numeric_version.h       |    2 +-
 src/libimcv/ietf/ietf_attr_op_status.c             |    2 +-
 src/libimcv/ietf/ietf_attr_op_status.h             |    6 +-
 src/libimcv/ietf/ietf_attr_pa_tnc_error.c          |   96 +-
 src/libimcv/ietf/ietf_attr_pa_tnc_error.h          |    6 +-
 src/libimcv/ietf/ietf_attr_port_filter.c           |    2 +-
 src/libimcv/ietf/ietf_attr_port_filter.h           |    2 +-
 src/libimcv/ietf/ietf_attr_product_info.c          |    2 +-
 src/libimcv/ietf/ietf_attr_product_info.h          |    2 +-
 src/libimcv/ietf/ietf_attr_remediation_instr.c     |   18 +-
 src/libimcv/ietf/ietf_attr_remediation_instr.h     |    2 +-
 src/libimcv/ietf/ietf_attr_string_version.c        |    2 +-
 src/libimcv/ietf/ietf_attr_string_version.h        |    2 +-
 src/libimcv/imc/imc_agent.c                        |    2 -
 src/libimcv/imc/imc_agent.h                        |    2 +-
 src/libimcv/imc/imc_msg.c                          |    8 +-
 src/libimcv/imc/imc_msg.h                          |   10 +-
 src/libimcv/imc/imc_state.h                        |    4 +-
 src/libimcv/imcv.c                                 |   14 +-
 src/libimcv/imcv.h                                 |   11 +-
 src/libimcv/imv/imv_agent.c                        |   85 +-
 src/libimcv/imv/imv_agent.h                        |    4 +-
 src/libimcv/imv/imv_lang_string.h                  |    2 +-
 src/libimcv/imv/imv_msg.c                          |    7 +
 src/libimcv/imv/imv_msg.h                          |   12 +-
 src/libimcv/imv/imv_reason_string.c                |    2 +-
 src/libimcv/imv/imv_reason_string.h                |    2 +-
 src/libimcv/imv/imv_remediation_string.h           |    2 +-
 src/libimcv/imv/imv_state.h                        |   23 +-
 src/libimcv/ita/ita_attr.c                         |    5 +-
 src/libimcv/ita/ita_attr.h                         |    7 +-
 src/libimcv/ita/ita_attr_angel.h                   |    4 +-
 src/libimcv/ita/ita_attr_command.h                 |    6 +-
 src/libimcv/ita/ita_attr_dummy.h                   |    8 +-
 src/libimcv/ita/ita_attr_get_settings.c            |    2 +-
 src/libimcv/ita/ita_attr_get_settings.h            |    4 +-
 src/libimcv/ita/ita_attr_settings.c                |    2 +-
 src/libimcv/ita/ita_attr_settings.h                |    4 +-
 src/libimcv/os_info/os_info.c                      |    2 +-
 src/libimcv/pa_tnc/pa_tnc_attr.h                   |    2 +-
 src/libimcv/pa_tnc/pa_tnc_attr_manager.h           |    6 +-
 src/libimcv/pa_tnc/pa_tnc_msg.c                    |   14 +-
 src/libimcv/pa_tnc/pa_tnc_msg.h                    |    2 +-
 src/libimcv/plugins/imc_os/Makefile.in             |   33 +-
 src/libimcv/plugins/imc_os/imc_os_state.h          |    4 +-
 src/libimcv/plugins/imc_scanner/Makefile.in        |   33 +-
 .../plugins/imc_scanner/imc_scanner_state.h        |    4 +-
 src/libimcv/plugins/imc_test/Makefile.in           |   33 +-
 src/libimcv/plugins/imc_test/imc_test_state.h      |    4 +-
 src/libimcv/plugins/imv_os/Makefile.in             |   38 +-
 src/libimcv/plugins/imv_os/imv_os.c                |   29 +-
 src/libimcv/plugins/imv_os/imv_os_database.c       |   46 +-
 src/libimcv/plugins/imv_os/imv_os_database.h       |   12 +-
 src/libimcv/plugins/imv_os/imv_os_state.c          |   51 +-
 src/libimcv/plugins/imv_os/imv_os_state.h          |   21 +-
 src/libimcv/plugins/imv_os/pacman.c                |    3 +-
 src/libimcv/plugins/imv_scanner/Makefile.in        |   33 +-
 .../plugins/imv_scanner/imv_scanner_state.c        |   32 +-
 .../plugins/imv_scanner/imv_scanner_state.h        |    4 +-
 src/libimcv/plugins/imv_test/Makefile.in           |   33 +-
 src/libimcv/plugins/imv_test/imv_test_state.c      |   32 +-
 src/libimcv/plugins/imv_test/imv_test_state.h      |    4 +-
 src/libipsec/Android.mk                            |    4 +-
 src/libipsec/Makefile.in                           |   44 +-
 src/libipsec/esp_packet.c                          |   14 +
 src/libipsec/ip_packet.c                           |    1 +
 src/libipsec/ipsec_processor.c                     |    2 +-
 src/libpts/Makefile.in                             |   44 +-
 src/libpts/libpts.h                                |    2 +-
 src/libpts/plugins/imc_attestation/Makefile.in     |   33 +-
 .../imc_attestation/imc_attestation_process.h      |    3 +-
 .../imc_attestation/imc_attestation_state.h        |    4 +-
 src/libpts/plugins/imv_attestation/Makefile.in     |   38 +-
 src/libpts/plugins/imv_attestation/attest_db.c     |   38 +-
 src/libpts/plugins/imv_attestation/attest_db.h     |    3 +-
 .../imv_attestation/imv_attestation_build.h        |    3 +-
 .../imv_attestation/imv_attestation_process.h      |    3 +-
 .../imv_attestation/imv_attestation_state.c        |   33 +-
 .../imv_attestation/imv_attestation_state.h        |    8 +-
 src/libpts/plugins/imv_attestation/tables.sql      |   12 +-
 src/libpts/pts/components/pts_comp_func_name.h     |    2 +-
 src/libpts/pts/pts.c                               |    2 +-
 src/libpts/pts/pts.h                               |    2 +-
 src/libpts/pts/pts_dh_group.h                      |   10 +-
 src/libpts/pts/pts_file_meas.h                     |    4 +-
 src/libpts/tcg/tcg_attr.c                          |   17 +-
 src/libpts/tcg/tcg_attr.h                          |   17 +-
 src/libpts/tcg/tcg_pts_attr_aik.c                  |    4 +-
 src/libpts/tcg/tcg_pts_attr_aik.h                  |    6 +-
 src/libpts/tcg/tcg_pts_attr_dh_nonce_finish.c      |    2 +-
 src/libpts/tcg/tcg_pts_attr_dh_nonce_finish.h      |    6 +-
 src/libpts/tcg/tcg_pts_attr_dh_nonce_params_req.c  |    2 +-
 src/libpts/tcg/tcg_pts_attr_dh_nonce_params_req.h  |    2 +-
 src/libpts/tcg/tcg_pts_attr_dh_nonce_params_resp.c |    2 +-
 src/libpts/tcg/tcg_pts_attr_dh_nonce_params_resp.h |    8 +-
 src/libpts/tcg/tcg_pts_attr_file_meas.c            |    2 +-
 src/libpts/tcg/tcg_pts_attr_file_meas.h            |    8 +-
 src/libpts/tcg/tcg_pts_attr_gen_attest_evid.c      |    2 +-
 src/libpts/tcg/tcg_pts_attr_gen_attest_evid.h      |    2 +-
 src/libpts/tcg/tcg_pts_attr_get_aik.c              |    2 +-
 src/libpts/tcg/tcg_pts_attr_get_aik.h              |    2 +-
 src/libpts/tcg/tcg_pts_attr_get_tpm_version_info.c |    2 +-
 src/libpts/tcg/tcg_pts_attr_get_tpm_version_info.h |    2 +-
 src/libpts/tcg/tcg_pts_attr_meas_algo.c            |    2 +-
 src/libpts/tcg/tcg_pts_attr_meas_algo.h            |    2 +-
 src/libpts/tcg/tcg_pts_attr_proto_caps.c           |    2 +-
 src/libpts/tcg/tcg_pts_attr_proto_caps.h           |    2 +-
 src/libpts/tcg/tcg_pts_attr_req_file_meas.c        |    2 +-
 src/libpts/tcg/tcg_pts_attr_req_file_meas.h        |   11 +-
 src/libpts/tcg/tcg_pts_attr_req_file_meta.c        |    2 +-
 src/libpts/tcg/tcg_pts_attr_req_file_meta.h        |   10 +-
 src/libpts/tcg/tcg_pts_attr_req_func_comp_evid.c   |    2 +-
 src/libpts/tcg/tcg_pts_attr_req_func_comp_evid.h   |    6 +-
 src/libpts/tcg/tcg_pts_attr_simple_comp_evid.c     |    2 +-
 src/libpts/tcg/tcg_pts_attr_simple_comp_evid.h     |    8 +-
 src/libpts/tcg/tcg_pts_attr_simple_evid_final.c    |    2 +-
 src/libpts/tcg/tcg_pts_attr_simple_evid_final.h    |   18 +-
 src/libpts/tcg/tcg_pts_attr_tpm_version_info.c     |    2 +-
 src/libpts/tcg/tcg_pts_attr_tpm_version_info.h     |    6 +-
 src/libpts/tcg/tcg_pts_attr_unix_file_meta.c       |    2 +-
 src/libpts/tcg/tcg_pts_attr_unix_file_meta.h       |    8 +-
 src/libpttls/Makefile.am                           |   12 +
 src/libpttls/Makefile.in                           |  660 +++++++
 src/libpttls/pt_tls.c                              |  120 ++
 src/libpttls/pt_tls.h                              |  109 ++
 src/libpttls/pt_tls_client.c                       |  497 ++++++
 src/libpttls/pt_tls_client.h                       |   65 +
 src/libpttls/pt_tls_dispatcher.c                   |  204 +++
 src/libpttls/pt_tls_dispatcher.h                   |   75 +
 src/libpttls/pt_tls_server.c                       |  544 ++++++
 src/libpttls/pt_tls_server.h                       |   72 +
 src/libpttls/sasl/sasl_mechanism.c                 |   92 +
 src/libpttls/sasl/sasl_mechanism.h                 |  103 ++
 src/libpttls/sasl/sasl_plain/sasl_plain.c          |  171 ++
 src/libpttls/sasl/sasl_plain/sasl_plain.h          |   48 +
 src/libradius/Makefile.in                          |   33 +-
 src/libradius/radius_client.c                      |    3 -
 src/libradius/radius_message.c                     |   81 +
 src/libradius/radius_message.h                     |   25 +-
 src/libsimaka/Makefile.in                          |   33 +-
 src/libsimaka/simaka_manager.h                     |   14 +-
 src/libstrongswan/Android.mk                       |    1 +
 src/libstrongswan/Makefile.am                      |   10 +
 src/libstrongswan/Makefile.in                      |  162 +-
 src/libstrongswan/asn1/oid.c                       |  342 ++--
 src/libstrongswan/asn1/oid.h                       |  170 +-
 src/libstrongswan/asn1/oid.txt                     |    6 +
 src/libstrongswan/bio/bio_reader.c                 |   20 +
 src/libstrongswan/bio/bio_reader.h                 |   13 +-
 src/libstrongswan/credentials/auth_cfg.c           |   56 +-
 src/libstrongswan/credentials/cert_validator.h     |   17 +
 src/libstrongswan/credentials/cred_encoding.h      |    2 +
 src/libstrongswan/credentials/credential_manager.c |  116 +-
 src/libstrongswan/credentials/sets/mem_cred.c      |   61 +-
 src/libstrongswan/credentials/sets/mem_cred.h      |   12 +-
 src/libstrongswan/crypto/crypto_tester.c           |    5 +-
 src/libstrongswan/library.c                        |    2 +
 src/libstrongswan/library.h                        |    9 +
 src/libstrongswan/networking/packet.c              |   19 +
 src/libstrongswan/networking/packet.h              |   14 +
 src/libstrongswan/networking/tun_device.c          |    4 +-
 src/libstrongswan/pen/pen.c                        |   12 +-
 src/libstrongswan/pen/pen.h                        |   69 +-
 src/libstrongswan/plugins/aes/Makefile.in          |   33 +-
 src/libstrongswan/plugins/af_alg/Makefile.in       |   33 +-
 src/libstrongswan/plugins/agent/Makefile.in        |   33 +-
 src/libstrongswan/plugins/blowfish/Makefile.in     |   33 +-
 src/libstrongswan/plugins/ccm/Makefile.in          |   33 +-
 src/libstrongswan/plugins/ccm/ccm_aead.h           |    2 +-
 src/libstrongswan/plugins/cmac/Makefile.in         |   33 +-
 src/libstrongswan/plugins/constraints/Makefile.in  |   33 +-
 src/libstrongswan/plugins/ctr/Makefile.in          |   33 +-
 src/libstrongswan/plugins/curl/Makefile.in         |   33 +-
 src/libstrongswan/plugins/curl/curl_fetcher.c      |   17 +-
 src/libstrongswan/plugins/des/Makefile.in          |   33 +-
 src/libstrongswan/plugins/dnskey/Makefile.am       |    3 +-
 src/libstrongswan/plugins/dnskey/Makefile.in       |   39 +-
 src/libstrongswan/plugins/dnskey/dnskey_builder.c  |   12 +-
 src/libstrongswan/plugins/dnskey/dnskey_encoder.c  |   91 +
 src/libstrongswan/plugins/dnskey/dnskey_encoder.h  |   32 +
 src/libstrongswan/plugins/dnskey/dnskey_plugin.c   |    5 +
 src/libstrongswan/plugins/fips_prf/Makefile.in     |   33 +-
 src/libstrongswan/plugins/gcm/Makefile.in          |   33 +-
 src/libstrongswan/plugins/gcm/gcm_aead.h           |    2 +-
 src/libstrongswan/plugins/gcrypt/Makefile.in       |   33 +-
 src/libstrongswan/plugins/gmp/Makefile.in          |   33 +-
 src/libstrongswan/plugins/hmac/Makefile.in         |   33 +-
 src/libstrongswan/plugins/ldap/Makefile.in         |   33 +-
 src/libstrongswan/plugins/md4/Makefile.in          |   33 +-
 src/libstrongswan/plugins/md5/Makefile.in          |   33 +-
 src/libstrongswan/plugins/mysql/Makefile.in        |   33 +-
 src/libstrongswan/plugins/mysql/mysql_database.c   |    2 +-
 src/libstrongswan/plugins/nonce/Makefile.in        |   33 +-
 src/libstrongswan/plugins/openssl/Makefile.am      |    3 +-
 src/libstrongswan/plugins/openssl/Makefile.in      |   39 +-
 .../plugins/openssl/openssl_diffie_hellman.c       |    6 +
 .../plugins/openssl/openssl_ec_private_key.c       |    5 +-
 .../plugins/openssl/openssl_ec_public_key.c        |    4 +-
 src/libstrongswan/plugins/openssl/openssl_gcm.c    |  265 +++
 src/libstrongswan/plugins/openssl/openssl_gcm.h    |   37 +
 src/libstrongswan/plugins/openssl/openssl_hmac.c   |    5 +
 src/libstrongswan/plugins/openssl/openssl_pkcs7.c  |    3 +
 src/libstrongswan/plugins/openssl/openssl_plugin.c |   19 +-
 .../plugins/openssl/openssl_rsa_private_key.c      |    5 +
 .../plugins/openssl/openssl_rsa_public_key.c       |    6 +
 .../plugins/openssl/openssl_sha1_prf.c             |    5 +
 src/libstrongswan/plugins/padlock/Makefile.in      |   33 +-
 src/libstrongswan/plugins/pem/Makefile.in          |   33 +-
 src/libstrongswan/plugins/pgp/Makefile.in          |   33 +-
 src/libstrongswan/plugins/pkcs1/Makefile.in        |   33 +-
 src/libstrongswan/plugins/pkcs1/pkcs1_encoder.c    |    6 +-
 src/libstrongswan/plugins/pkcs11/Makefile.in       |   33 +-
 src/libstrongswan/plugins/pkcs7/Makefile.in        |   33 +-
 src/libstrongswan/plugins/pkcs8/Makefile.in        |   33 +-
 src/libstrongswan/plugins/pubkey/Makefile.in       |   33 +-
 src/libstrongswan/plugins/random/Makefile.in       |   33 +-
 src/libstrongswan/plugins/rdrand/Makefile.in       |   33 +-
 src/libstrongswan/plugins/rdrand/rdrand_rng.h      |    2 +-
 src/libstrongswan/plugins/revocation/Makefile.in   |   33 +-
 src/libstrongswan/plugins/sha1/Makefile.in         |   33 +-
 src/libstrongswan/plugins/sha2/Makefile.in         |   33 +-
 src/libstrongswan/plugins/soup/Makefile.in         |   33 +-
 src/libstrongswan/plugins/sqlite/Makefile.in       |   33 +-
 src/libstrongswan/plugins/test_vectors/Makefile.in |   33 +-
 src/libstrongswan/plugins/unbound/Makefile.am      |   20 +
 src/libstrongswan/plugins/unbound/Makefile.in      |  661 +++++++
 src/libstrongswan/plugins/unbound/unbound_plugin.c |   66 +
 src/libstrongswan/plugins/unbound/unbound_plugin.h |   42 +
 .../plugins/unbound/unbound_resolver.c             |  143 ++
 .../plugins/unbound/unbound_resolver.h             |   29 +
 .../plugins/unbound/unbound_response.c             |  259 +++
 .../plugins/unbound/unbound_response.h             |   51 +
 src/libstrongswan/plugins/unbound/unbound_rr.c     |  164 ++
 src/libstrongswan/plugins/unbound/unbound_rr.h     |   48 +
 src/libstrongswan/plugins/x509/Makefile.in         |   33 +-
 src/libstrongswan/plugins/xcbc/Makefile.in         |   33 +-
 src/libstrongswan/resolver/resolver.h              |   58 +
 src/libstrongswan/resolver/resolver_manager.c      |   90 +
 src/libstrongswan/resolver/resolver_manager.h      |   72 +
 src/libstrongswan/resolver/resolver_response.h     |  143 ++
 src/libstrongswan/resolver/rr.h                    |  268 +++
 src/libstrongswan/resolver/rr_set.c                |  100 ++
 src/libstrongswan/resolver/rr_set.h                |   79 +
 src/libstrongswan/selectors/traffic_selector.c     |  202 ++-
 src/libstrongswan/selectors/traffic_selector.h     |   15 +-
 src/libstrongswan/threading/thread.c               |    4 +
 src/libstrongswan/utils/backtrace.c                |   91 +-
 src/libstrongswan/utils/backtrace.h                |    7 +-
 src/libstrongswan/utils/capabilities.c             |   38 +-
 src/libstrongswan/utils/chunk.h                    |    5 +
 src/libstrongswan/utils/identification.c           |   24 +-
 src/libstrongswan/utils/identification.h           |    6 +-
 src/libstrongswan/utils/leak_detective.c           |    2 +
 src/libstrongswan/utils/utils.c                    |   73 +-
 src/libstrongswan/utils/utils.h                    |   45 +
 src/libtls/Makefile.in                             |   40 +-
 src/libtls/tls.c                                   |   32 +-
 src/libtls/tls.h                                   |   14 +
 src/libtls/tls_fragmentation.c                     |    8 +-
 src/libtls/tls_handshake.h                         |   14 +
 src/libtls/tls_peer.c                              |   23 +-
 src/libtls/tls_peer.h                              |    8 +-
 src/libtls/tls_server.c                            |   54 +-
 src/libtls/tls_server.h                            |    7 +-
 src/libtls/tls_socket.c                            |  272 ++-
 src/libtls/tls_socket.h                            |   37 +-
 src/libtnccs/Android.mk                            |    5 +-
 src/libtnccs/Makefile.am                           |    5 +-
 src/libtnccs/Makefile.in                           |   39 +-
 src/libtnccs/tnc/tnccs/tnccs.h                     |   65 +-
 src/libtnccs/tnc/tnccs/tnccs_manager.h             |    9 +-
 src/libtncif/Android.mk                            |    5 +-
 src/libtncif/Makefile.am                           |    1 +
 src/libtncif/Makefile.in                           |   35 +-
 src/libtncif/tncif_identity.c                      |  205 +++
 src/libtncif/tncif_identity.h                      |  112 ++
 src/libtncif/tncif_names.c                         |   17 +
 src/libtncif/tncif_names.h                         |    2 +
 src/libtncif/tncif_pa_subtypes.c                   |   15 +-
 src/libtncif/tncif_pa_subtypes.h                   |    3 +
 src/libtncif/tncifimv.h                            |   24 +
 src/manager/Makefile.in                            |   70 +-
 src/manager/controller/auth_controller.h           |    2 +-
 src/manager/controller/config_controller.h         |    2 +-
 src/manager/controller/control_controller.h        |    2 +-
 src/manager/controller/gateway_controller.h        |    2 +-
 src/manager/controller/ikesa_controller.h          |    2 +-
 src/manager/manager.h                              |    2 +-
 src/medsrv/Makefile.in                             |   55 +-
 src/medsrv/controller/peer_controller.h            |    4 +-
 src/medsrv/controller/user_controller.h            |    4 +-
 src/medsrv/filter/auth_filter.h                    |    4 +-
 src/medsrv/user.h                                  |    9 +-
 src/openac/Makefile.in                             |   52 +-
 src/pki/Makefile.in                                |   35 +-
 src/pki/command.h                                  |    2 +-
 src/pki/commands/pub.c                             |    2 +-
 src/pki/pki.c                                      |   11 +
 src/pki/pki.h                                      |    4 +-
 src/scepclient/Makefile.in                         |   52 +-
 src/scepclient/scep.c                              |   37 +-
 src/scepclient/scep.h                              |    2 +-
 src/scepclient/scepclient.c                        |   24 +-
 src/starter/Android.mk                             |    4 +-
 src/starter/Makefile.in                            |   35 +-
 src/starter/args.c                                 |   17 +
 src/starter/cmp.c                                  |    4 +-
 src/starter/confread.c                             |   39 +-
 src/starter/confread.h                             |    5 +-
 src/starter/files.h                                |    8 +-
 src/starter/invokecharon.c                         |   37 +-
 src/starter/keywords.c                             |   91 +-
 src/starter/keywords.h                             |    2 +-
 src/starter/keywords.txt                           |    1 +
 src/starter/starter.c                              |  108 +-
 src/starter/starterstroke.c                        |    5 +-
 src/stroke/Android.mk                              |    4 +-
 src/stroke/Makefile.in                             |   35 +-
 src/stroke/stroke.c                                |   25 +-
 src/stroke/stroke_keywords.c                       |   81 +-
 src/stroke/stroke_keywords.h                       |    4 +-
 src/stroke/stroke_keywords.txt                     |    3 +-
 src/stroke/stroke_msg.h                            |   17 +-
 testing/Makefile.in                                |   30 +-
 testing/config/kernel/config-3.8                   | 1863 ++++++++++++++++++++
 testing/config/kvm/alice.xml                       |    4 +-
 testing/config/kvm/bob.xml                         |    3 +-
 testing/config/kvm/carol.xml                       |    3 +-
 testing/config/kvm/dave.xml                        |    3 +-
 testing/config/kvm/moon.xml                        |    4 +-
 testing/config/kvm/sun.xml                         |    4 +-
 testing/config/kvm/venus.xml                       |    3 +-
 testing/config/kvm/vnet1.xml                       |    2 +-
 testing/config/kvm/vnet2.xml                       |    2 +-
 testing/config/kvm/vnet3.xml                       |    2 +-
 testing/config/kvm/winnetou.xml                    |    3 +-
 testing/do-tests                                   |    5 +-
 .../hosts/default/etc/ld.so.conf.d/strongswan.conf |    1 +
 testing/hosts/default/usr/local/bin/expect-file    |   29 +
 testing/hosts/winnetou/etc/bind/K.+008+32329.key   |    5 +
 .../hosts/winnetou/etc/bind/K.+008+32329.private   |   13 +
 testing/hosts/winnetou/etc/bind/K.+008+43749.key   |    5 +
 .../hosts/winnetou/etc/bind/K.+008+43749.private   |   13 +
 .../hosts/winnetou/etc/bind/Korg.+008+24285.key    |    5 +
 .../winnetou/etc/bind/Korg.+008+24285.private      |   13 +
 .../hosts/winnetou/etc/bind/Korg.+008+51859.key    |    5 +
 .../winnetou/etc/bind/Korg.+008+51859.private      |   13 +
 .../etc/bind/Kstrongswan.org.+008+00481.key        |    5 +
 .../etc/bind/Kstrongswan.org.+008+00481.private    |   13 +
 .../etc/bind/Kstrongswan.org.+008+09396.key        |    5 +
 .../etc/bind/Kstrongswan.org.+008+09396.private    |   13 +
 testing/hosts/winnetou/etc/bind/bind.keys          |   46 +
 testing/hosts/winnetou/etc/bind/db.org             |   40 +
 testing/hosts/winnetou/etc/bind/db.root            |   40 +
 testing/hosts/winnetou/etc/bind/db.strongswan.org  |   88 +
 .../winnetou/etc/bind/named.conf.default-zones     |   23 +
 testing/hosts/winnetou/etc/bind/named.conf.local   |   18 +
 testing/scripts/build-baseimage                    |   12 +-
 testing/scripts/build-guestimages                  |    8 +-
 testing/scripts/load-testconfig                    |    6 +-
 testing/scripts/recipes/004_iptables.mk            |   37 -
 testing/scripts/recipes/004_wpa_supplicant.mk      |   39 +
 testing/scripts/recipes/005_anet.mk                |   21 +
 testing/scripts/recipes/005_strongswan.mk          |   87 -
 testing/scripts/recipes/006_tkm-rpc.mk             |   23 +
 testing/scripts/recipes/007_x509-ada.mk            |   21 +
 testing/scripts/recipes/008_xfrm-ada.mk            |   23 +
 testing/scripts/recipes/009_tkm.mk                 |   21 +
 testing/scripts/recipes/010_strongswan.mk          |   94 +
 testing/scripts/recipes/011_xfrm-proxy.mk          |   21 +
 .../scripts/recipes/patches/iptables-xfrm-hooks    |   61 -
 .../scripts/recipes/patches/wpa_supplicant-eap-tnc |   47 +
 testing/scripts/restore-defaults                   |    1 +
 testing/start-testing                              |    9 +-
 testing/testing.conf                               |   11 +-
 .../ikev1/net2net-fragmentation/description.txt    |    9 +
 .../tests/ikev1/net2net-fragmentation/evaltest.dat |   15 +
 .../hosts/moon/etc/ipsec.conf                      |   22 +
 .../hosts/moon/etc/strongswan.conf                 |   11 +
 .../net2net-fragmentation/hosts/sun/etc/ipsec.conf |   22 +
 .../hosts/sun/etc/strongswan.conf                  |   11 +
 .../tests/ikev1/net2net-fragmentation/posttest.dat |    5 +
 .../tests/ikev1/net2net-fragmentation/pretest.dat  |    6 +
 .../tests/ikev1/net2net-fragmentation/test.conf    |   21 +
 .../ikev2/ip-two-pools-v4v6-db/description.txt     |    5 +
 .../tests/ikev2/ip-two-pools-v4v6-db/evaltest.dat  |    9 +
 .../hosts/carol/etc/ipsec.conf                     |   20 +
 .../hosts/carol/etc/strongswan.conf                |    5 +
 .../ip-two-pools-v4v6-db/hosts/moon/etc/ipsec.conf |   19 +
 .../hosts/moon/etc/strongswan.conf                 |   17 +
 .../tests/ikev2/ip-two-pools-v4v6-db/posttest.dat  |    5 +
 .../tests/ikev2/ip-two-pools-v4v6-db/pretest.dat   |    9 +
 testing/tests/ikev2/ip-two-pools-v4v6-db/test.conf |   21 +
 testing/tests/ikev2/net2net-dnssec/description.txt |    8 +
 testing/tests/ikev2/net2net-dnssec/evaltest.dat    |    9 +
 .../ikev2/net2net-dnssec/hosts/moon/etc/ipsec.conf |   24 +
 .../hosts/moon/etc/ipsec.d/certs/moonPub.der       |  Bin 0 -> 294 bytes
 .../hosts/moon/etc/ipsec.d/dnssec.keys             |   10 +
 .../net2net-dnssec/hosts/moon/etc/iptables.rules   |   28 +
 .../net2net-dnssec/hosts/moon/etc/resolv.conf      |    1 +
 .../net2net-dnssec/hosts/moon/etc/strongswan.conf  |   20 +
 .../ikev2/net2net-dnssec/hosts/sun/etc/ipsec.conf  |   24 +
 .../hosts/sun/etc/ipsec.d/certs/sunPub.der         |  Bin 0 -> 294 bytes
 .../hosts/sun/etc/ipsec.d/dnssec.keys              |   10 +
 .../net2net-dnssec/hosts/sun/etc/iptables.rules    |   28 +
 .../ikev2/net2net-dnssec/hosts/sun/etc/resolv.conf |    1 +
 .../net2net-dnssec/hosts/sun/etc/strongswan.conf   |   20 +
 testing/tests/ikev2/net2net-dnssec/posttest.dat    |    8 +
 testing/tests/ikev2/net2net-dnssec/pretest.dat     |    8 +
 testing/tests/ikev2/net2net-dnssec/test.conf       |   21 +
 testing/tests/ikev2/rw-dnssec/description.txt      |   10 +
 testing/tests/ikev2/rw-dnssec/evaltest.dat         |   24 +
 .../ikev2/rw-dnssec/hosts/carol/etc/ipsec.conf     |   23 +
 .../rw-dnssec/hosts/carol/etc/ipsec.d/dnssec.keys  |   10 +
 .../ikev2/rw-dnssec/hosts/carol/etc/iptables.rules |   28 +
 .../ikev2/rw-dnssec/hosts/carol/etc/resolv.conf    |    1 +
 .../rw-dnssec/hosts/carol/etc/strongswan.conf      |   11 +
 .../ikev2/rw-dnssec/hosts/dave/etc/ipsec.conf      |   23 +
 .../rw-dnssec/hosts/dave/etc/ipsec.d/dnssec.keys   |   10 +
 .../ikev2/rw-dnssec/hosts/dave/etc/iptables.rules  |   28 +
 .../ikev2/rw-dnssec/hosts/dave/etc/resolv.conf     |    1 +
 .../ikev2/rw-dnssec/hosts/dave/etc/strongswan.conf |   11 +
 .../ikev2/rw-dnssec/hosts/moon/etc/ipsec.conf      |   22 +
 .../hosts/moon/etc/ipsec.d/certs/moonPub.der       |  Bin 0 -> 294 bytes
 .../rw-dnssec/hosts/moon/etc/ipsec.d/dnssec.keys   |   10 +
 .../ikev2/rw-dnssec/hosts/moon/etc/iptables.rules  |   28 +
 .../ikev2/rw-dnssec/hosts/moon/etc/resolv.conf     |    1 +
 .../ikev2/rw-dnssec/hosts/moon/etc/strongswan.conf |   14 +
 testing/tests/ikev2/rw-dnssec/posttest.dat         |   12 +
 testing/tests/ikev2/rw-dnssec/pretest.dat          |   13 +
 testing/tests/ikev2/rw-dnssec/test.conf            |   21 +
 .../ikev2/rw-eap-framed-ip-radius/description.txt  |    9 +
 .../ikev2/rw-eap-framed-ip-radius/evaltest.dat     |   26 +
 .../hosts/alice/etc/freeradius/eap.conf            |    5 +
 .../hosts/alice/etc/freeradius/proxy.conf          |    5 +
 .../alice/etc/freeradius/sites-available/default   |   42 +
 .../hosts/alice/etc/freeradius/users               |    4 +
 .../hosts/carol/etc/ipsec.conf                     |   22 +
 .../hosts/carol/etc/ipsec.secrets                  |    3 +
 .../hosts/carol/etc/strongswan.conf                |    5 +
 .../hosts/dave/etc/ipsec.conf                      |   22 +
 .../hosts/dave/etc/ipsec.secrets                   |    3 +
 .../hosts/dave/etc/strongswan.conf                 |    5 +
 .../hosts/moon/etc/ipsec.conf                      |   24 +
 .../hosts/moon/etc/ipsec.secrets                   |    3 +
 .../hosts/moon/etc/iptables.rules                  |   32 +
 .../hosts/moon/etc/strongswan.conf                 |   12 +
 .../ikev2/rw-eap-framed-ip-radius/posttest.dat     |    7 +
 .../ikev2/rw-eap-framed-ip-radius/pretest.dat      |   11 +
 .../tests/ikev2/rw-eap-framed-ip-radius/test.conf  |   26 +
 .../hosts/carol/etc/ipsec.conf                     |    1 +
 .../rw-radius-accounting/hosts/moon/etc/ipsec.conf |    1 +
 .../openssl-ikev2/alg-aes-gcm/description.txt      |   16 +
 .../tests/openssl-ikev2/alg-aes-gcm/evaltest.dat   |   26 +
 .../alg-aes-gcm/hosts/carol/etc/ipsec.conf         |   22 +
 .../alg-aes-gcm/hosts/carol/etc/strongswan.conf    |    5 +
 .../alg-aes-gcm/hosts/dave/etc/ipsec.conf          |   22 +
 .../alg-aes-gcm/hosts/dave/etc/strongswan.conf     |    5 +
 .../alg-aes-gcm/hosts/moon/etc/ipsec.conf          |   21 +
 .../alg-aes-gcm/hosts/moon/etc/strongswan.conf     |    5 +
 .../tests/openssl-ikev2/alg-aes-gcm/posttest.dat   |    6 +
 .../tests/openssl-ikev2/alg-aes-gcm/pretest.dat    |    9 +
 testing/tests/openssl-ikev2/alg-aes-gcm/test.conf  |   21 +
 .../tests/tkm/host2host-initiator/description.txt  |    3 +
 testing/tests/tkm/host2host-initiator/evaltest.dat |   12 +
 .../hosts/moon/etc/tkm/moonKey.der                 |  Bin 0 -> 1191 bytes
 .../hosts/moon/etc/tkm/strongswanCert.der          |  Bin 0 -> 956 bytes
 .../hosts/moon/etc/tkm/tkm.conf                    |   21 +
 .../host2host-initiator/hosts/sun/etc/ipsec.conf   |   20 +
 .../hosts/sun/etc/strongswan.conf                  |    5 +
 testing/tests/tkm/host2host-initiator/posttest.dat |    4 +
 testing/tests/tkm/host2host-initiator/pretest.dat  |   10 +
 testing/tests/tkm/host2host-initiator/test.conf    |   21 +
 .../tests/tkm/host2host-responder/description.txt  |    3 +
 testing/tests/tkm/host2host-responder/evaltest.dat |   12 +
 .../hosts/moon/etc/tkm/moonKey.der                 |  Bin 0 -> 1191 bytes
 .../hosts/moon/etc/tkm/strongswanCert.der          |  Bin 0 -> 956 bytes
 .../hosts/moon/etc/tkm/tkm.conf                    |   21 +
 .../host2host-responder/hosts/sun/etc/ipsec.conf   |   21 +
 .../hosts/sun/etc/strongswan.conf                  |    5 +
 testing/tests/tkm/host2host-responder/posttest.dat |    4 +
 testing/tests/tkm/host2host-responder/pretest.dat  |   10 +
 testing/tests/tkm/host2host-responder/test.conf    |   21 +
 .../tests/tkm/host2host-xfrmproxy/description.txt  |    5 +
 testing/tests/tkm/host2host-xfrmproxy/evaltest.dat |   13 +
 .../hosts/moon/etc/tkm/moonKey.der                 |  Bin 0 -> 1191 bytes
 .../hosts/moon/etc/tkm/strongswanCert.der          |  Bin 0 -> 956 bytes
 .../hosts/moon/etc/tkm/tkm.conf                    |   21 +
 .../host2host-xfrmproxy/hosts/sun/etc/ipsec.conf   |   20 +
 .../hosts/sun/etc/strongswan.conf                  |    5 +
 testing/tests/tkm/host2host-xfrmproxy/posttest.dat |    5 +
 testing/tests/tkm/host2host-xfrmproxy/pretest.dat  |   12 +
 testing/tests/tkm/host2host-xfrmproxy/test.conf    |   21 +
 testing/tests/tkm/multiple-clients/description.txt |    5 +
 testing/tests/tkm/multiple-clients/evaltest.dat    |   23 +
 .../multiple-clients/hosts/carol/etc/ipsec.conf    |   22 +
 .../hosts/carol/etc/strongswan.conf                |    5 +
 .../tkm/multiple-clients/hosts/dave/etc/ipsec.conf |   22 +
 .../hosts/dave/etc/strongswan.conf                 |    5 +
 .../hosts/sun/etc/tkm/strongswanCert.der           |  Bin 0 -> 956 bytes
 .../multiple-clients/hosts/sun/etc/tkm/sunKey.der  |  Bin 0 -> 1192 bytes
 .../multiple-clients/hosts/sun/etc/tkm/tkm.conf    |   36 +
 testing/tests/tkm/multiple-clients/posttest.dat    |    5 +
 testing/tests/tkm/multiple-clients/pretest.dat     |   14 +
 testing/tests/tkm/multiple-clients/test.conf       |   21 +
 .../tests/tkm/net2net-initiator/description.txt    |    5 +
 testing/tests/tkm/net2net-initiator/evaltest.dat   |   12 +
 .../hosts/moon/etc/tkm/moonKey.der                 |  Bin 0 -> 1191 bytes
 .../net2net-initiator/hosts/moon/etc/tkm/tkm.conf  |   23 +
 .../tkm/net2net-initiator/hosts/sun/etc/ipsec.conf |   23 +
 .../hosts/sun/etc/strongswan.conf                  |    6 +
 testing/tests/tkm/net2net-initiator/posttest.dat   |    4 +
 testing/tests/tkm/net2net-initiator/pretest.dat    |   10 +
 testing/tests/tkm/net2net-initiator/test.conf      |   21 +
 .../tests/tkm/net2net-xfrmproxy/description.txt    |    6 +
 testing/tests/tkm/net2net-xfrmproxy/evaltest.dat   |   13 +
 .../hosts/moon/etc/tkm/moonKey.der                 |  Bin 0 -> 1191 bytes
 .../hosts/moon/etc/tkm/strongswanCert.der          |  Bin 0 -> 956 bytes
 .../net2net-xfrmproxy/hosts/moon/etc/tkm/tkm.conf  |   23 +
 .../tkm/net2net-xfrmproxy/hosts/sun/etc/ipsec.conf |   23 +
 .../hosts/sun/etc/strongswan.conf                  |    6 +
 testing/tests/tkm/net2net-xfrmproxy/posttest.dat   |    4 +
 testing/tests/tkm/net2net-xfrmproxy/pretest.dat    |   12 +
 testing/tests/tkm/net2net-xfrmproxy/test.conf      |   21 +
 testing/tests/tnc/tnccs-11-fhh/pretest.dat         |    6 +-
 .../tests/tnc/tnccs-11-radius-block/pretest.dat    |    4 +-
 testing/tests/tnc/tnccs-11-radius/pretest.dat      |    4 +-
 testing/tests/tnc/tnccs-11/pretest.dat             |    6 +-
 testing/tests/tnc/tnccs-20-pdp/evaltest.dat        |    6 +-
 .../tnc/tnccs-20-pdp/hosts/alice/etc/ipsec.secrets |    4 +-
 .../tnc/tnccs-20-pdp/hosts/carol/etc/ipsec.conf    |    2 +-
 .../tnc/tnccs-20-pdp/hosts/carol/etc/ipsec.secrets |    2 +-
 .../tnc/tnccs-20-pdp/hosts/dave/etc/ipsec.conf     |    2 +-
 .../tnc/tnccs-20-pdp/hosts/dave/etc/ipsec.secrets  |    2 +-
 .../tnc/tnccs-20-pdp/hosts/moon/etc/ipsec.conf     |    2 +-
 .../tnccs-20-pdp/hosts/moon/etc/strongswan.conf    |    2 +-
 testing/tests/tnc/tnccs-20-tls/evaltest.dat        |    4 +-
 .../tnc/tnccs-20-tls/hosts/carol/etc/ipsec.conf    |    1 -
 .../tnc/tnccs-20-tls/hosts/dave/etc/ipsec.conf     |    1 -
 .../tnc/tnccs-20-tls/hosts/moon/etc/ipsec.conf     |    2 +-
 886 files changed, 36535 insertions(+), 6856 deletions(-)
 create mode 100755 compile
 create mode 100644 scripts/dnssec.c
 create mode 100644 src/charon-tkm/Makefile.am
 create mode 100644 src/charon-tkm/Makefile.in
 create mode 100644 src/charon-tkm/build_charon.gpr
 create mode 100644 src/charon-tkm/build_common.gpr
 create mode 100644 src/charon-tkm/build_tests.gpr
 create mode 100644 src/charon-tkm/src/charon-tkm.c
 create mode 100644 src/charon-tkm/src/ees/ees_callbacks.c
 create mode 100644 src/charon-tkm/src/ees/ees_callbacks.h
 create mode 100644 src/charon-tkm/src/ees/esa_event_service.adb
 create mode 100644 src/charon-tkm/src/ees/esa_event_service.ads
 create mode 100644 src/charon-tkm/src/ees/tkmrpc-servers-ees.adb
 create mode 100644 src/charon-tkm/src/ehandler/eh_callbacks.c
 create mode 100644 src/charon-tkm/src/ehandler/eh_callbacks.h
 create mode 100644 src/charon-tkm/src/ehandler/exception_handler.adb
 create mode 100644 src/charon-tkm/src/ehandler/exception_handler.ads
 create mode 100644 src/charon-tkm/src/tkm/.gitignore
 create mode 100644 src/charon-tkm/src/tkm/tkm.c
 create mode 100644 src/charon-tkm/src/tkm/tkm.h
 create mode 100644 src/charon-tkm/src/tkm/tkm_chunk_map.c
 create mode 100644 src/charon-tkm/src/tkm/tkm_chunk_map.h
 create mode 100644 src/charon-tkm/src/tkm/tkm_cred.c
 create mode 100644 src/charon-tkm/src/tkm/tkm_cred.h
 create mode 100644 src/charon-tkm/src/tkm/tkm_diffie_hellman.c
 create mode 100644 src/charon-tkm/src/tkm/tkm_diffie_hellman.h
 create mode 100644 src/charon-tkm/src/tkm/tkm_encoder.c
 create mode 100644 src/charon-tkm/src/tkm/tkm_encoder.h
 create mode 100644 src/charon-tkm/src/tkm/tkm_id_manager.c
 create mode 100644 src/charon-tkm/src/tkm/tkm_id_manager.h
 create mode 100644 src/charon-tkm/src/tkm/tkm_kernel_ipsec.c
 create mode 100644 src/charon-tkm/src/tkm/tkm_kernel_ipsec.h
 create mode 100644 src/charon-tkm/src/tkm/tkm_kernel_sad.c
 create mode 100644 src/charon-tkm/src/tkm/tkm_kernel_sad.h
 create mode 100644 src/charon-tkm/src/tkm/tkm_keymat.c
 create mode 100644 src/charon-tkm/src/tkm/tkm_keymat.h
 create mode 100644 src/charon-tkm/src/tkm/tkm_listener.c
 create mode 100644 src/charon-tkm/src/tkm/tkm_listener.h
 create mode 100644 src/charon-tkm/src/tkm/tkm_nonceg.c
 create mode 100644 src/charon-tkm/src/tkm/tkm_nonceg.h
 create mode 100644 src/charon-tkm/src/tkm/tkm_private_key.c
 create mode 100644 src/charon-tkm/src/tkm/tkm_private_key.h
 create mode 100644 src/charon-tkm/src/tkm/tkm_public_key.c
 create mode 100644 src/charon-tkm/src/tkm/tkm_public_key.h
 create mode 100644 src/charon-tkm/src/tkm/tkm_types.h
 create mode 100644 src/charon-tkm/src/tkm/tkm_utils.c
 create mode 100644 src/charon-tkm/src/tkm/tkm_utils.h
 create mode 100644 src/charon-tkm/tests/.gitignore
 create mode 100644 src/charon-tkm/tests/chunk_map_tests.c
 create mode 100644 src/charon-tkm/tests/diffie_hellman_tests.c
 create mode 100644 src/charon-tkm/tests/id_manager_tests.c
 create mode 100644 src/charon-tkm/tests/kernel_sad_tests.c
 create mode 100644 src/charon-tkm/tests/keymat_tests.c
 create mode 100644 src/charon-tkm/tests/nonceg_tests.c
 create mode 100644 src/charon-tkm/tests/test_runner.c
 create mode 100644 src/charon-tkm/tests/test_runner.h
 create mode 100644 src/charon-tkm/tests/utils_tests.c
 delete mode 100644 src/libcharon/plugins/android/Makefile.am
 delete mode 100644 src/libcharon/plugins/android/Makefile.in
 delete mode 100644 src/libcharon/plugins/android/android_creds.c
 delete mode 100644 src/libcharon/plugins/android/android_creds.h
 delete mode 100644 src/libcharon/plugins/android/android_handler.c
 delete mode 100644 src/libcharon/plugins/android/android_handler.h
 delete mode 100644 src/libcharon/plugins/android/android_plugin.c
 delete mode 100644 src/libcharon/plugins/android/android_plugin.h
 delete mode 100644 src/libcharon/plugins/android/android_service.c
 delete mode 100644 src/libcharon/plugins/android/android_service.h
 create mode 100644 src/libcharon/plugins/android_dns/Makefile.am
 create mode 100644 src/libcharon/plugins/android_dns/Makefile.in
 create mode 100644 src/libcharon/plugins/android_dns/android_dns_handler.c
 create mode 100644 src/libcharon/plugins/android_dns/android_dns_handler.h
 create mode 100644 src/libcharon/plugins/android_dns/android_dns_plugin.c
 create mode 100644 src/libcharon/plugins/android_dns/android_dns_plugin.h
 create mode 100644 src/libcharon/plugins/eap_radius/eap_radius_provider.c
 create mode 100644 src/libcharon/plugins/eap_radius/eap_radius_provider.h
 create mode 100644 src/libcharon/plugins/ipseckey/Makefile.am
 create mode 100644 src/libcharon/plugins/ipseckey/Makefile.in
 create mode 100644 src/libcharon/plugins/ipseckey/ipseckey.c
 create mode 100644 src/libcharon/plugins/ipseckey/ipseckey.h
 create mode 100644 src/libcharon/plugins/ipseckey/ipseckey_cred.c
 create mode 100644 src/libcharon/plugins/ipseckey/ipseckey_cred.h
 create mode 100644 src/libcharon/plugins/ipseckey/ipseckey_plugin.c
 create mode 100644 src/libcharon/plugins/ipseckey/ipseckey_plugin.h
 create mode 100644 src/libcharon/plugins/systime_fix/Makefile.am
 create mode 100644 src/libcharon/plugins/systime_fix/Makefile.in
 create mode 100644 src/libcharon/plugins/systime_fix/systime_fix_plugin.c
 create mode 100644 src/libcharon/plugins/systime_fix/systime_fix_plugin.h
 create mode 100644 src/libcharon/plugins/systime_fix/systime_fix_validator.c
 create mode 100644 src/libcharon/plugins/systime_fix/systime_fix_validator.h
 create mode 100644 src/libcharon/plugins/tnc_ifmap/tnc_ifmap_http.c
 create mode 100644 src/libcharon/plugins/tnc_ifmap/tnc_ifmap_http.h
 create mode 100644 src/libcharon/plugins/tnc_ifmap/tnc_ifmap_renew_session_job.c
 create mode 100644 src/libcharon/plugins/tnc_ifmap/tnc_ifmap_renew_session_job.h
 create mode 100644 src/libcharon/plugins/tnc_ifmap/tnc_ifmap_soap_msg.c
 create mode 100644 src/libcharon/plugins/tnc_ifmap/tnc_ifmap_soap_msg.h
 create mode 100644 src/libcharon/plugins/xauth_noauth/Makefile.am
 create mode 100644 src/libcharon/plugins/xauth_noauth/Makefile.in
 create mode 100644 src/libcharon/plugins/xauth_noauth/xauth_noauth.c
 create mode 100644 src/libcharon/plugins/xauth_noauth/xauth_noauth.h
 create mode 100644 src/libcharon/plugins/xauth_noauth/xauth_noauth_plugin.c
 create mode 100644 src/libcharon/plugins/xauth_noauth/xauth_noauth_plugin.h
 create mode 100644 src/libcharon/sa/eap/eap_inner_method.h
 create mode 100644 src/libpttls/Makefile.am
 create mode 100644 src/libpttls/Makefile.in
 create mode 100644 src/libpttls/pt_tls.c
 create mode 100644 src/libpttls/pt_tls.h
 create mode 100644 src/libpttls/pt_tls_client.c
 create mode 100644 src/libpttls/pt_tls_client.h
 create mode 100644 src/libpttls/pt_tls_dispatcher.c
 create mode 100644 src/libpttls/pt_tls_dispatcher.h
 create mode 100644 src/libpttls/pt_tls_server.c
 create mode 100644 src/libpttls/pt_tls_server.h
 create mode 100644 src/libpttls/sasl/sasl_mechanism.c
 create mode 100644 src/libpttls/sasl/sasl_mechanism.h
 create mode 100644 src/libpttls/sasl/sasl_plain/sasl_plain.c
 create mode 100644 src/libpttls/sasl/sasl_plain/sasl_plain.h
 create mode 100644 src/libstrongswan/plugins/dnskey/dnskey_encoder.c
 create mode 100644 src/libstrongswan/plugins/dnskey/dnskey_encoder.h
 create mode 100644 src/libstrongswan/plugins/openssl/openssl_gcm.c
 create mode 100644 src/libstrongswan/plugins/openssl/openssl_gcm.h
 create mode 100644 src/libstrongswan/plugins/unbound/Makefile.am
 create mode 100644 src/libstrongswan/plugins/unbound/Makefile.in
 create mode 100644 src/libstrongswan/plugins/unbound/unbound_plugin.c
 create mode 100644 src/libstrongswan/plugins/unbound/unbound_plugin.h
 create mode 100644 src/libstrongswan/plugins/unbound/unbound_resolver.c
 create mode 100644 src/libstrongswan/plugins/unbound/unbound_resolver.h
 create mode 100644 src/libstrongswan/plugins/unbound/unbound_response.c
 create mode 100644 src/libstrongswan/plugins/unbound/unbound_response.h
 create mode 100644 src/libstrongswan/plugins/unbound/unbound_rr.c
 create mode 100644 src/libstrongswan/plugins/unbound/unbound_rr.h
 create mode 100644 src/libstrongswan/resolver/resolver.h
 create mode 100644 src/libstrongswan/resolver/resolver_manager.c
 create mode 100644 src/libstrongswan/resolver/resolver_manager.h
 create mode 100644 src/libstrongswan/resolver/resolver_response.h
 create mode 100644 src/libstrongswan/resolver/rr.h
 create mode 100644 src/libstrongswan/resolver/rr_set.c
 create mode 100644 src/libstrongswan/resolver/rr_set.h
 create mode 100644 src/libtncif/tncif_identity.c
 create mode 100644 src/libtncif/tncif_identity.h
 create mode 100644 testing/config/kernel/config-3.8
 create mode 100644 testing/hosts/default/etc/ld.so.conf.d/strongswan.conf
 create mode 100755 testing/hosts/default/usr/local/bin/expect-file
 create mode 100644 testing/hosts/winnetou/etc/bind/K.+008+32329.key
 create mode 100644 testing/hosts/winnetou/etc/bind/K.+008+32329.private
 create mode 100644 testing/hosts/winnetou/etc/bind/K.+008+43749.key
 create mode 100644 testing/hosts/winnetou/etc/bind/K.+008+43749.private
 create mode 100644 testing/hosts/winnetou/etc/bind/Korg.+008+24285.key
 create mode 100644 testing/hosts/winnetou/etc/bind/Korg.+008+24285.private
 create mode 100644 testing/hosts/winnetou/etc/bind/Korg.+008+51859.key
 create mode 100644 testing/hosts/winnetou/etc/bind/Korg.+008+51859.private
 create mode 100644 testing/hosts/winnetou/etc/bind/Kstrongswan.org.+008+00481.key
 create mode 100644 testing/hosts/winnetou/etc/bind/Kstrongswan.org.+008+00481.private
 create mode 100644 testing/hosts/winnetou/etc/bind/Kstrongswan.org.+008+09396.key
 create mode 100644 testing/hosts/winnetou/etc/bind/Kstrongswan.org.+008+09396.private
 create mode 100644 testing/hosts/winnetou/etc/bind/bind.keys
 create mode 100644 testing/hosts/winnetou/etc/bind/db.org
 create mode 100644 testing/hosts/winnetou/etc/bind/db.root
 create mode 100644 testing/hosts/winnetou/etc/bind/db.strongswan.org
 create mode 100644 testing/hosts/winnetou/etc/bind/named.conf.default-zones
 create mode 100644 testing/hosts/winnetou/etc/bind/named.conf.local
 delete mode 100644 testing/scripts/recipes/004_iptables.mk
 create mode 100644 testing/scripts/recipes/004_wpa_supplicant.mk
 create mode 100644 testing/scripts/recipes/005_anet.mk
 delete mode 100644 testing/scripts/recipes/005_strongswan.mk
 create mode 100644 testing/scripts/recipes/006_tkm-rpc.mk
 create mode 100644 testing/scripts/recipes/007_x509-ada.mk
 create mode 100644 testing/scripts/recipes/008_xfrm-ada.mk
 create mode 100644 testing/scripts/recipes/009_tkm.mk
 create mode 100644 testing/scripts/recipes/010_strongswan.mk
 create mode 100644 testing/scripts/recipes/011_xfrm-proxy.mk
 delete mode 100644 testing/scripts/recipes/patches/iptables-xfrm-hooks
 create mode 100644 testing/scripts/recipes/patches/wpa_supplicant-eap-tnc
 create mode 100644 testing/tests/ikev1/net2net-fragmentation/description.txt
 create mode 100644 testing/tests/ikev1/net2net-fragmentation/evaltest.dat
 create mode 100644 testing/tests/ikev1/net2net-fragmentation/hosts/moon/etc/ipsec.conf
 create mode 100644 testing/tests/ikev1/net2net-fragmentation/hosts/moon/etc/strongswan.conf
 create mode 100644 testing/tests/ikev1/net2net-fragmentation/hosts/sun/etc/ipsec.conf
 create mode 100644 testing/tests/ikev1/net2net-fragmentation/hosts/sun/etc/strongswan.conf
 create mode 100644 testing/tests/ikev1/net2net-fragmentation/posttest.dat
 create mode 100644 testing/tests/ikev1/net2net-fragmentation/pretest.dat
 create mode 100644 testing/tests/ikev1/net2net-fragmentation/test.conf
 create mode 100644 testing/tests/ikev2/ip-two-pools-v4v6-db/description.txt
 create mode 100644 testing/tests/ikev2/ip-two-pools-v4v6-db/evaltest.dat
 create mode 100644 testing/tests/ikev2/ip-two-pools-v4v6-db/hosts/carol/etc/ipsec.conf
 create mode 100644 testing/tests/ikev2/ip-two-pools-v4v6-db/hosts/carol/etc/strongswan.conf
 create mode 100644 testing/tests/ikev2/ip-two-pools-v4v6-db/hosts/moon/etc/ipsec.conf
 create mode 100644 testing/tests/ikev2/ip-two-pools-v4v6-db/hosts/moon/etc/strongswan.conf
 create mode 100644 testing/tests/ikev2/ip-two-pools-v4v6-db/posttest.dat
 create mode 100644 testing/tests/ikev2/ip-two-pools-v4v6-db/pretest.dat
 create mode 100644 testing/tests/ikev2/ip-two-pools-v4v6-db/test.conf
 create mode 100644 testing/tests/ikev2/net2net-dnssec/description.txt
 create mode 100644 testing/tests/ikev2/net2net-dnssec/evaltest.dat
 create mode 100644 testing/tests/ikev2/net2net-dnssec/hosts/moon/etc/ipsec.conf
 create mode 100644 testing/tests/ikev2/net2net-dnssec/hosts/moon/etc/ipsec.d/certs/moonPub.der
 create mode 100644 testing/tests/ikev2/net2net-dnssec/hosts/moon/etc/ipsec.d/dnssec.keys
 create mode 100644 testing/tests/ikev2/net2net-dnssec/hosts/moon/etc/iptables.rules
 create mode 100644 testing/tests/ikev2/net2net-dnssec/hosts/moon/etc/resolv.conf
 create mode 100644 testing/tests/ikev2/net2net-dnssec/hosts/moon/etc/strongswan.conf
 create mode 100644 testing/tests/ikev2/net2net-dnssec/hosts/sun/etc/ipsec.conf
 create mode 100644 testing/tests/ikev2/net2net-dnssec/hosts/sun/etc/ipsec.d/certs/sunPub.der
 create mode 100644 testing/tests/ikev2/net2net-dnssec/hosts/sun/etc/ipsec.d/dnssec.keys
 create mode 100644 testing/tests/ikev2/net2net-dnssec/hosts/sun/etc/iptables.rules
 create mode 100644 testing/tests/ikev2/net2net-dnssec/hosts/sun/etc/resolv.conf
 create mode 100644 testing/tests/ikev2/net2net-dnssec/hosts/sun/etc/strongswan.conf
 create mode 100644 testing/tests/ikev2/net2net-dnssec/posttest.dat
 create mode 100644 testing/tests/ikev2/net2net-dnssec/pretest.dat
 create mode 100644 testing/tests/ikev2/net2net-dnssec/test.conf
 create mode 100644 testing/tests/ikev2/rw-dnssec/description.txt
 create mode 100644 testing/tests/ikev2/rw-dnssec/evaltest.dat
 create mode 100644 testing/tests/ikev2/rw-dnssec/hosts/carol/etc/ipsec.conf
 create mode 100644 testing/tests/ikev2/rw-dnssec/hosts/carol/etc/ipsec.d/dnssec.keys
 create mode 100644 testing/tests/ikev2/rw-dnssec/hosts/carol/etc/iptables.rules
 create mode 100644 testing/tests/ikev2/rw-dnssec/hosts/carol/etc/resolv.conf
 create mode 100644 testing/tests/ikev2/rw-dnssec/hosts/carol/etc/strongswan.conf
 create mode 100644 testing/tests/ikev2/rw-dnssec/hosts/dave/etc/ipsec.conf
 create mode 100644 testing/tests/ikev2/rw-dnssec/hosts/dave/etc/ipsec.d/dnssec.keys
 create mode 100644 testing/tests/ikev2/rw-dnssec/hosts/dave/etc/iptables.rules
 create mode 100644 testing/tests/ikev2/rw-dnssec/hosts/dave/etc/resolv.conf
 create mode 100644 testing/tests/ikev2/rw-dnssec/hosts/dave/etc/strongswan.conf
 create mode 100644 testing/tests/ikev2/rw-dnssec/hosts/moon/etc/ipsec.conf
 create mode 100644 testing/tests/ikev2/rw-dnssec/hosts/moon/etc/ipsec.d/certs/moonPub.der
 create mode 100644 testing/tests/ikev2/rw-dnssec/hosts/moon/etc/ipsec.d/dnssec.keys
 create mode 100644 testing/tests/ikev2/rw-dnssec/hosts/moon/etc/iptables.rules
 create mode 100644 testing/tests/ikev2/rw-dnssec/hosts/moon/etc/resolv.conf
 create mode 100644 testing/tests/ikev2/rw-dnssec/hosts/moon/etc/strongswan.conf
 create mode 100644 testing/tests/ikev2/rw-dnssec/posttest.dat
 create mode 100644 testing/tests/ikev2/rw-dnssec/pretest.dat
 create mode 100644 testing/tests/ikev2/rw-dnssec/test.conf
 create mode 100644 testing/tests/ikev2/rw-eap-framed-ip-radius/description.txt
 create mode 100644 testing/tests/ikev2/rw-eap-framed-ip-radius/evaltest.dat
 create mode 100644 testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/alice/etc/freeradius/eap.conf
 create mode 100644 testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/alice/etc/freeradius/proxy.conf
 create mode 100644 testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/alice/etc/freeradius/sites-available/default
 create mode 100644 testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/alice/etc/freeradius/users
 create mode 100644 testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/carol/etc/ipsec.conf
 create mode 100644 testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/carol/etc/ipsec.secrets
 create mode 100644 testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/carol/etc/strongswan.conf
 create mode 100644 testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/dave/etc/ipsec.conf
 create mode 100644 testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/dave/etc/ipsec.secrets
 create mode 100644 testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/dave/etc/strongswan.conf
 create mode 100644 testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/moon/etc/ipsec.conf
 create mode 100644 testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/moon/etc/ipsec.secrets
 create mode 100644 testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/moon/etc/iptables.rules
 create mode 100644 testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/moon/etc/strongswan.conf
 create mode 100644 testing/tests/ikev2/rw-eap-framed-ip-radius/posttest.dat
 create mode 100644 testing/tests/ikev2/rw-eap-framed-ip-radius/pretest.dat
 create mode 100644 testing/tests/ikev2/rw-eap-framed-ip-radius/test.conf
 create mode 100644 testing/tests/openssl-ikev2/alg-aes-gcm/description.txt
 create mode 100644 testing/tests/openssl-ikev2/alg-aes-gcm/evaltest.dat
 create mode 100644 testing/tests/openssl-ikev2/alg-aes-gcm/hosts/carol/etc/ipsec.conf
 create mode 100644 testing/tests/openssl-ikev2/alg-aes-gcm/hosts/carol/etc/strongswan.conf
 create mode 100644 testing/tests/openssl-ikev2/alg-aes-gcm/hosts/dave/etc/ipsec.conf
 create mode 100644 testing/tests/openssl-ikev2/alg-aes-gcm/hosts/dave/etc/strongswan.conf
 create mode 100644 testing/tests/openssl-ikev2/alg-aes-gcm/hosts/moon/etc/ipsec.conf
 create mode 100644 testing/tests/openssl-ikev2/alg-aes-gcm/hosts/moon/etc/strongswan.conf
 create mode 100644 testing/tests/openssl-ikev2/alg-aes-gcm/posttest.dat
 create mode 100644 testing/tests/openssl-ikev2/alg-aes-gcm/pretest.dat
 create mode 100644 testing/tests/openssl-ikev2/alg-aes-gcm/test.conf
 create mode 100644 testing/tests/tkm/host2host-initiator/description.txt
 create mode 100644 testing/tests/tkm/host2host-initiator/evaltest.dat
 create mode 100644 testing/tests/tkm/host2host-initiator/hosts/moon/etc/tkm/moonKey.der
 create mode 100644 testing/tests/tkm/host2host-initiator/hosts/moon/etc/tkm/strongswanCert.der
 create mode 100644 testing/tests/tkm/host2host-initiator/hosts/moon/etc/tkm/tkm.conf
 create mode 100644 testing/tests/tkm/host2host-initiator/hosts/sun/etc/ipsec.conf
 create mode 100644 testing/tests/tkm/host2host-initiator/hosts/sun/etc/strongswan.conf
 create mode 100644 testing/tests/tkm/host2host-initiator/posttest.dat
 create mode 100644 testing/tests/tkm/host2host-initiator/pretest.dat
 create mode 100644 testing/tests/tkm/host2host-initiator/test.conf
 create mode 100644 testing/tests/tkm/host2host-responder/description.txt
 create mode 100644 testing/tests/tkm/host2host-responder/evaltest.dat
 create mode 100644 testing/tests/tkm/host2host-responder/hosts/moon/etc/tkm/moonKey.der
 create mode 100644 testing/tests/tkm/host2host-responder/hosts/moon/etc/tkm/strongswanCert.der
 create mode 100644 testing/tests/tkm/host2host-responder/hosts/moon/etc/tkm/tkm.conf
 create mode 100644 testing/tests/tkm/host2host-responder/hosts/sun/etc/ipsec.conf
 create mode 100644 testing/tests/tkm/host2host-responder/hosts/sun/etc/strongswan.conf
 create mode 100644 testing/tests/tkm/host2host-responder/posttest.dat
 create mode 100644 testing/tests/tkm/host2host-responder/pretest.dat
 create mode 100644 testing/tests/tkm/host2host-responder/test.conf
 create mode 100644 testing/tests/tkm/host2host-xfrmproxy/description.txt
 create mode 100644 testing/tests/tkm/host2host-xfrmproxy/evaltest.dat
 create mode 100644 testing/tests/tkm/host2host-xfrmproxy/hosts/moon/etc/tkm/moonKey.der
 create mode 100644 testing/tests/tkm/host2host-xfrmproxy/hosts/moon/etc/tkm/strongswanCert.der
 create mode 100644 testing/tests/tkm/host2host-xfrmproxy/hosts/moon/etc/tkm/tkm.conf
 create mode 100644 testing/tests/tkm/host2host-xfrmproxy/hosts/sun/etc/ipsec.conf
 create mode 100644 testing/tests/tkm/host2host-xfrmproxy/hosts/sun/etc/strongswan.conf
 create mode 100644 testing/tests/tkm/host2host-xfrmproxy/posttest.dat
 create mode 100644 testing/tests/tkm/host2host-xfrmproxy/pretest.dat
 create mode 100644 testing/tests/tkm/host2host-xfrmproxy/test.conf
 create mode 100644 testing/tests/tkm/multiple-clients/description.txt
 create mode 100644 testing/tests/tkm/multiple-clients/evaltest.dat
 create mode 100644 testing/tests/tkm/multiple-clients/hosts/carol/etc/ipsec.conf
 create mode 100644 testing/tests/tkm/multiple-clients/hosts/carol/etc/strongswan.conf
 create mode 100644 testing/tests/tkm/multiple-clients/hosts/dave/etc/ipsec.conf
 create mode 100644 testing/tests/tkm/multiple-clients/hosts/dave/etc/strongswan.conf
 create mode 100644 testing/tests/tkm/multiple-clients/hosts/sun/etc/tkm/strongswanCert.der
 create mode 100644 testing/tests/tkm/multiple-clients/hosts/sun/etc/tkm/sunKey.der
 create mode 100644 testing/tests/tkm/multiple-clients/hosts/sun/etc/tkm/tkm.conf
 create mode 100644 testing/tests/tkm/multiple-clients/posttest.dat
 create mode 100644 testing/tests/tkm/multiple-clients/pretest.dat
 create mode 100644 testing/tests/tkm/multiple-clients/test.conf
 create mode 100644 testing/tests/tkm/net2net-initiator/description.txt
 create mode 100644 testing/tests/tkm/net2net-initiator/evaltest.dat
 create mode 100644 testing/tests/tkm/net2net-initiator/hosts/moon/etc/tkm/moonKey.der
 create mode 100644 testing/tests/tkm/net2net-initiator/hosts/moon/etc/tkm/tkm.conf
 create mode 100644 testing/tests/tkm/net2net-initiator/hosts/sun/etc/ipsec.conf
 create mode 100644 testing/tests/tkm/net2net-initiator/hosts/sun/etc/strongswan.conf
 create mode 100644 testing/tests/tkm/net2net-initiator/posttest.dat
 create mode 100644 testing/tests/tkm/net2net-initiator/pretest.dat
 create mode 100644 testing/tests/tkm/net2net-initiator/test.conf
 create mode 100644 testing/tests/tkm/net2net-xfrmproxy/description.txt
 create mode 100644 testing/tests/tkm/net2net-xfrmproxy/evaltest.dat
 create mode 100644 testing/tests/tkm/net2net-xfrmproxy/hosts/moon/etc/tkm/moonKey.der
 create mode 100644 testing/tests/tkm/net2net-xfrmproxy/hosts/moon/etc/tkm/strongswanCert.der
 create mode 100644 testing/tests/tkm/net2net-xfrmproxy/hosts/moon/etc/tkm/tkm.conf
 create mode 100644 testing/tests/tkm/net2net-xfrmproxy/hosts/sun/etc/ipsec.conf
 create mode 100644 testing/tests/tkm/net2net-xfrmproxy/hosts/sun/etc/strongswan.conf
 create mode 100644 testing/tests/tkm/net2net-xfrmproxy/posttest.dat
 create mode 100644 testing/tests/tkm/net2net-xfrmproxy/pretest.dat
 create mode 100644 testing/tests/tkm/net2net-xfrmproxy/test.conf

(limited to 'man')

diff --git a/Android.common.mk b/Android.common.mk
index 9824242d7..21dbbb9ce 100644
--- a/Android.common.mk
+++ b/Android.common.mk
@@ -15,5 +15,5 @@ add_plugin = $(if $(call plugin_enabled,$(1)), \
               )
 
 # strongSwan version, replaced by top Makefile
-strongswan_VERSION := "5.0.2"
+strongswan_VERSION := "5.0.3"
 
diff --git a/Android.mk b/Android.mk
index 0b8da5b8d..e762fe955 100644
--- a/Android.mk
+++ b/Android.mk
@@ -17,7 +17,7 @@ include $(CLEAR_VARS)
 # this is the list of plugins that are built into libstrongswan and charon
 # also these plugins are loaded by default (if not changed in strongswan.conf)
 strongswan_CHARON_PLUGINS := android-log openssl fips-prf random nonce pubkey \
-	pkcs1 pkcs8 pem xcbc hmac kernel-netlink socket-default android \
+	pkcs1 pkcs8 pem xcbc hmac kernel-netlink socket-default android-dns \
 	stroke eap-identity eap-mschapv2 eap-md5 eap-gtc
 
 ifneq ($(strongswan_BUILD_SCEPCLIENT),)
@@ -67,7 +67,6 @@ strongswan_CFLAGS := \
 	-DHAVE_STRUCT_SADB_X_POLICY_SADB_X_POLICY_PRIORITY \
 	-DHAVE_IPSEC_MODE_BEET \
 	-DHAVE_IPSEC_DIR_FWD \
-	-DOPENSSL_NO_CMS \
 	-DOPENSSL_NO_EC \
 	-DOPENSSL_NO_ECDSA \
 	-DOPENSSL_NO_ECDH \
diff --git a/Doxyfile.in b/Doxyfile.in
index 343f130b3..ac0a96c88 100644
--- a/Doxyfile.in
+++ b/Doxyfile.in
@@ -1,14 +1,14 @@
-# Doxyfile 1.5.6
+# Doxyfile 1.8.1.2
 
 # This file describes the settings to be used by the documentation system
-# doxygen (www.doxygen.org) for a project
+# doxygen (www.doxygen.org) for a project.
 #
-# All text after a hash (#) is considered a comment and will be ignored
+# All text after a hash (#) is considered a comment and will be ignored.
 # The format is:
 #       TAG = value [value, ...]
 # For lists items can also be appended using:
 #       TAG += value [value, ...]
-# Values that contain spaces should be placed between quotes (" ")
+# Values that contain spaces should be placed between quotes (" ").
 
 #---------------------------------------------------------------------------
 # Project related configuration options
@@ -22,8 +22,9 @@
 
 DOXYFILE_ENCODING      = UTF-8
 
-# The PROJECT_NAME tag is a single word (or a sequence of words surrounded
-# by quotes) that should identify the project.
+# The PROJECT_NAME tag is a single word (or sequence of words) that should
+# identify the project. Note that if you do not use Doxywizard you need
+# to put quotes around the project name if it contains spaces.
 
 PROJECT_NAME           = "@PACKAGE_NAME@"
 
@@ -33,6 +34,19 @@ PROJECT_NAME           = "@PACKAGE_NAME@"
 
 PROJECT_NUMBER         = "@PACKAGE_VERSION@"
 
+# Using the PROJECT_BRIEF tag one can provide an optional one line description
+# for a project that appears at the top of each page and should give viewer
+# a quick idea about the purpose of the project. Keep the description short.
+
+PROJECT_BRIEF          =
+
+# With the PROJECT_LOGO tag one can specify an logo or icon that is
+# included in the documentation. The maximum height of the logo should not
+# exceed 55 pixels and the maximum width should not exceed 200 pixels.
+# Doxygen will copy the logo to the output directory.
+
+PROJECT_LOGO           =
+
 # The OUTPUT_DIRECTORY tag is used to specify the (relative or absolute)
 # base path where the generated documentation will be put.
 # If a relative path is entered, it will be relative to the location
@@ -54,11 +68,11 @@ CREATE_SUBDIRS         = NO
 # information to generate all constant output in the proper language.
 # The default language is English, other supported languages are:
 # Afrikaans, Arabic, Brazilian, Catalan, Chinese, Chinese-Traditional,
-# Croatian, Czech, Danish, Dutch, Farsi, Finnish, French, German, Greek,
-# Hungarian, Italian, Japanese, Japanese-en (Japanese with English messages),
-# Korean, Korean-en, Lithuanian, Norwegian, Macedonian, Persian, Polish,
-# Portuguese, Romanian, Russian, Serbian, Slovak, Slovene, Spanish, Swedish,
-# and Ukrainian.
+# Croatian, Czech, Danish, Dutch, Esperanto, Farsi, Finnish, French, German,
+# Greek, Hungarian, Italian, Japanese, Japanese-en (Japanese with English
+# messages), Korean, Korean-en, Lithuanian, Norwegian, Macedonian, Persian,
+# Polish, Portuguese, Romanian, Russian, Serbian, Serbian-Cyrillic, Slovak,
+# Slovene, Spanish, Swedish, Ukrainian, and Vietnamese.
 
 OUTPUT_LANGUAGE        = English
 
@@ -126,7 +140,7 @@ STRIP_FROM_PATH        =
 STRIP_FROM_INC_PATH    =
 
 # If the SHORT_NAMES tag is set to YES, doxygen will generate much shorter
-# (but less readable) file names. This can be useful is your file systems
+# (but less readable) file names. This can be useful if your file system
 # doesn't support long names like on DOS, Mac, or CD-ROM.
 
 SHORT_NAMES            = NO
@@ -181,6 +195,13 @@ TAB_SIZE               = 4
 
 ALIASES                =
 
+# This tag can be used to specify a number of word-keyword mappings (TCL only).
+# A mapping has the form "name=value". For example adding
+# "class=itcl::class" will allow you to use the command class in the
+# itcl::class meaning.
+
+TCL_SUBST              =
+
 # Set the OPTIMIZE_OUTPUT_FOR_C tag to YES if your project consists of C
 # sources only. Doxygen will then generate output that is more tailored for C.
 # For instance, some of the names that are used will be different. The list
@@ -207,11 +228,32 @@ OPTIMIZE_FOR_FORTRAN   = NO
 
 OPTIMIZE_OUTPUT_VHDL   = NO
 
+# Doxygen selects the parser to use depending on the extension of the files it
+# parses. With this tag you can assign which parser to use for a given extension.
+# Doxygen has a built-in mapping, but you can override or extend it using this
+# tag. The format is ext=language, where ext is a file extension, and language
+# is one of the parsers supported by doxygen: IDL, Java, Javascript, CSharp, C,
+# C++, D, PHP, Objective-C, Python, Fortran, VHDL, C, C++. For instance to make
+# doxygen treat .inc files as Fortran files (default is PHP), and .f files as C
+# (default is Fortran), use: inc=Fortran f=C. Note that for custom extensions
+# you also need to set FILE_PATTERNS otherwise the files are not read by doxygen.
+
+EXTENSION_MAPPING      =
+
+# If MARKDOWN_SUPPORT is enabled (the default) then doxygen pre-processes all
+# comments according to the Markdown format, which allows for more readable
+# documentation. See http://daringfireball.net/projects/markdown/ for details.
+# The output of markdown processing is further processed by doxygen, so you
+# can mix doxygen, HTML, and XML commands with Markdown formatting.
+# Disable only in case of backward compatibilities issues.
+
+MARKDOWN_SUPPORT       = YES
+
 # If you use STL classes (i.e. std::string, std::vector, etc.) but do not want
 # to include (a tag file for) the STL sources as input, then you should
 # set this tag to YES in order to let doxygen match functions declarations and
 # definitions whose arguments contain STL classes (e.g. func(std::string); v.s.
-# func(std::string) {}). This also make the inheritance and collaboration
+# func(std::string) {}). This also makes the inheritance and collaboration
 # diagrams that involve STL classes more complete and accurate.
 
 BUILTIN_STL_SUPPORT    = NO
@@ -229,7 +271,7 @@ SIP_SUPPORT            = NO
 
 # For Microsoft's IDL there are propget and propput attributes to indicate getter
 # and setter methods for a property. Setting this option to YES (the default)
-# will make doxygen to replace the get and set methods by a property in the
+# will make doxygen replace the get and set methods by a property in the
 # documentation. This will only work if the methods are indeed getting or
 # setting a simple type. If this is not the case, or you want to show the
 # methods anyway, you should set this option to NO.
@@ -251,6 +293,22 @@ DISTRIBUTE_GROUP_DOC   = NO
 
 SUBGROUPING            = YES
 
+# When the INLINE_GROUPED_CLASSES tag is set to YES, classes, structs and
+# unions are shown inside the group in which they are included (e.g. using
+# @ingroup) instead of on a separate page (for HTML and Man pages) or
+# section (for LaTeX and RTF).
+
+INLINE_GROUPED_CLASSES = NO
+
+# When the INLINE_SIMPLE_STRUCTS tag is set to YES, structs, classes, and
+# unions with only public data fields will be shown inline in the documentation
+# of the scope in which they are defined (i.e. file, namespace, or group
+# documentation), provided this scope is documented. If set to NO (the default),
+# structs, classes, and unions are shown on a separate page (for HTML and Man
+# pages) or section (for LaTeX and RTF).
+
+INLINE_SIMPLE_STRUCTS  = NO
+
 # When TYPEDEF_HIDES_STRUCT is enabled, a typedef of a struct, union, or enum
 # is documented as struct, union, or enum with the name of the typedef. So
 # typedef struct TypeS {} TypeT, will appear in the documentation as a struct
@@ -261,6 +319,33 @@ SUBGROUPING            = YES
 
 TYPEDEF_HIDES_STRUCT   = YES
 
+# The SYMBOL_CACHE_SIZE determines the size of the internal cache use to
+# determine which symbols to keep in memory and which to flush to disk.
+# When the cache is full, less often used symbols will be written to disk.
+# For small to medium size projects (<1000 input files) the default value is
+# probably good enough. For larger projects a too small cache size can cause
+# doxygen to be busy swapping symbols to and from disk most of the time
+# causing a significant performance penalty.
+# If the system has enough physical memory increasing the cache will improve the
+# performance by keeping more symbols in memory. Note that the value works on
+# a logarithmic scale so increasing the size by one will roughly double the
+# memory usage. The cache size is given by this formula:
+# 2^(16+SYMBOL_CACHE_SIZE). The valid range is 0..9, the default is 0,
+# corresponding to a cache size of 2^16 = 65536 symbols.
+
+SYMBOL_CACHE_SIZE      = 0
+
+# Similar to the SYMBOL_CACHE_SIZE the size of the symbol lookup cache can be
+# set using LOOKUP_CACHE_SIZE. This cache is used to resolve symbols given
+# their name and scope. Since this can be an expensive process and often the
+# same symbol appear multiple times in the code, doxygen keeps a cache of
+# pre-resolved symbols. If the cache is too small doxygen will become slower.
+# If the cache is too large, memory is wasted. The cache size is given by this
+# formula: 2^(16+LOOKUP_CACHE_SIZE). The valid range is 0..9, the default is 0,
+# corresponding to a cache size of 2^16 = 65536 symbols.
+
+LOOKUP_CACHE_SIZE      = 0
+
 #---------------------------------------------------------------------------
 # Build related configuration options
 #---------------------------------------------------------------------------
@@ -277,6 +362,10 @@ EXTRACT_ALL            = NO
 
 EXTRACT_PRIVATE        = NO
 
+# If the EXTRACT_PACKAGE tag is set to YES all members with package or internal scope will be included in the documentation.
+
+EXTRACT_PACKAGE        = NO
+
 # If the EXTRACT_STATIC tag is set to YES all static members of a file
 # will be included in the documentation.
 
@@ -299,7 +388,7 @@ EXTRACT_LOCAL_METHODS  = NO
 # extracted and appear in the documentation as a namespace called
 # 'anonymous_namespace{file}', where file will be replaced with the base
 # name of the file that contains the anonymous namespace. By default
-# anonymous namespace are hidden.
+# anonymous namespaces are hidden.
 
 EXTRACT_ANON_NSPACES   = NO
 
@@ -359,6 +448,12 @@ HIDE_SCOPE_NAMES       = NO
 
 SHOW_INCLUDE_FILES     = NO
 
+# If the FORCE_LOCAL_INCLUDES tag is set to YES then Doxygen
+# will list include files with double quotes in the documentation
+# rather than with sharp brackets.
+
+FORCE_LOCAL_INCLUDES   = NO
+
 # If the INLINE_INFO tag is set to YES (the default) then a tag [inline]
 # is inserted in the documentation for inline members.
 
@@ -378,6 +473,16 @@ SORT_MEMBER_DOCS       = NO
 
 SORT_BRIEF_DOCS        = NO
 
+# If the SORT_MEMBERS_CTORS_1ST tag is set to YES then doxygen
+# will sort the (brief and detailed) documentation of class members so that
+# constructors and destructors are listed first. If set to NO (the default)
+# the constructors will appear in the respective orders defined by
+# SORT_MEMBER_DOCS and SORT_BRIEF_DOCS.
+# This tag will be ignored for brief docs if SORT_BRIEF_DOCS is set to NO
+# and ignored for detailed docs if SORT_MEMBER_DOCS is set to NO.
+
+SORT_MEMBERS_CTORS_1ST = NO
+
 # If the SORT_GROUP_NAMES tag is set to YES then doxygen will sort the
 # hierarchy of group names into alphabetical order. If set to NO (the default)
 # the group names will appear in their defined order.
@@ -394,6 +499,15 @@ SORT_GROUP_NAMES       = NO
 
 SORT_BY_SCOPE_NAME     = NO
 
+# If the STRICT_PROTO_MATCHING option is enabled and doxygen fails to
+# do proper type resolution of all parameters of a function it will reject a
+# match between the prototype and the implementation of a member function even
+# if there is only one candidate or it is obvious which candidate to choose
+# by doing a simple string match. By disabling STRICT_PROTO_MATCHING doxygen
+# will still accept a match between prototype and implementation in such cases.
+
+STRICT_PROTO_MATCHING  = NO
+
 # The GENERATE_TODOLIST tag can be used to enable (YES) or
 # disable (NO) the todo list. This list is created by putting \todo
 # commands in the documentation.
@@ -424,10 +538,10 @@ GENERATE_DEPRECATEDLIST= NO
 ENABLED_SECTIONS       =
 
 # The MAX_INITIALIZER_LINES tag determines the maximum number of lines
-# the initial value of a variable or define consists of for it to appear in
+# the initial value of a variable or macro consists of for it to appear in
 # the documentation. If the initializer consists of more lines than specified
 # here it will be hidden. Use a value of 0 to hide initializers completely.
-# The appearance of the initializer of individual variables and defines in the
+# The appearance of the initializer of individual variables and macros in the
 # documentation can be controlled using \showinitializer or \hideinitializer
 # command in the documentation regardless of this setting.
 
@@ -439,20 +553,15 @@ MAX_INITIALIZER_LINES  = 30
 
 SHOW_USED_FILES        = NO
 
-# If the sources in your project are distributed over multiple directories
-# then setting the SHOW_DIRECTORIES tag to YES will show the directory hierarchy
-# in the documentation. The default is NO.
-
-SHOW_DIRECTORIES       = YES
-
 # Set the SHOW_FILES tag to NO to disable the generation of the Files page.
 # This will remove the Files entry from the Quick Index and from the
 # Folder Tree View (if specified). The default is YES.
 
-SHOW_FILES             = NO
+SHOW_FILES             = YES
 
 # Set the SHOW_NAMESPACES tag to NO to disable the generation of the
-# Namespaces page.  This will remove the Namespaces entry from the Quick Index
+# Namespaces page.
+# This will remove the Namespaces entry from the Quick Index
 # and from the Folder Tree View (if specified). The default is YES.
 
 SHOW_NAMESPACES        = YES
@@ -467,6 +576,25 @@ SHOW_NAMESPACES        = YES
 
 FILE_VERSION_FILTER    =
 
+# The LAYOUT_FILE tag can be used to specify a layout file which will be parsed
+# by doxygen. The layout file controls the global structure of the generated
+# output files in an output format independent way. To create the layout file
+# that represents doxygen's defaults, run doxygen with the -l option.
+# You can optionally specify a file name after the option, if omitted
+# DoxygenLayout.xml will be used as the name of the layout file.
+
+LAYOUT_FILE            =
+
+# The CITE_BIB_FILES tag can be used to specify one or more bib files
+# containing the references data. This must be a list of .bib files. The
+# .bib extension is automatically appended if omitted. Using this command
+# requires the bibtex tool to be installed. See also
+# http://en.wikipedia.org/wiki/BibTeX for more info. For LaTeX the style
+# of the bibliography can be controlled using LATEX_BIB_STYLE. To use this
+# feature you need bibtex and perl available in the search path.
+
+CITE_BIB_FILES         =
+
 #---------------------------------------------------------------------------
 # configuration options related to warning and progress messages
 #---------------------------------------------------------------------------
@@ -495,13 +623,13 @@ WARN_IF_UNDOCUMENTED   = NO
 
 WARN_IF_DOC_ERROR      = YES
 
-# This WARN_NO_PARAMDOC option can be abled to get warnings for
+# The WARN_NO_PARAMDOC option can be enabled to get warnings for
 # functions that are documented, but have no documentation for their parameters
 # or return value. If set to NO (the default) doxygen will only warn about
 # wrong or incomplete parameter documentation, but not about the absence of
 # documentation.
 
-WARN_NO_PARAMDOC       = NO
+WARN_NO_PARAMDOC       = YES
 
 # The WARN_FORMAT tag determines the format of the warning messages that
 # doxygen can produce. The string should contain the $file, $line, and $text
@@ -527,17 +655,7 @@ WARN_LOGFILE           =
 # directories like "/usr/src/myproject". Separate the files or directories
 # with spaces.
 
-INPUT                  = @SRC_DIR@/src/libstrongswan \
-                         @SRC_DIR@/src/libhydra \
-                         @SRC_DIR@/src/libcharon \
-                         @SRC_DIR@/src/libipsec \
-                         @SRC_DIR@/src/libsimaka \
-                         @SRC_DIR@/src/libtls \
-                         @SRC_DIR@/src/libradius \
-                         @SRC_DIR@/src/libtnccs \
-                         @SRC_DIR@/src/libtncif \
-                         @SRC_DIR@/src/libfast \
-                         @SRC_DIR@/src/manager
+INPUT                  = @SRC_DIR@/src/
 
 # This tag can be used to specify the character encoding of the source files
 # that doxygen parses. Internally doxygen uses the UTF-8 encoding, which is
@@ -551,8 +669,9 @@ INPUT_ENCODING         = UTF-8
 # FILE_PATTERNS tag to specify one or more wildcard pattern (like *.cpp
 # and *.h) to filter out the source-files in the directories. If left
 # blank the following patterns are tested:
-# *.c *.cc *.cxx *.cpp *.c++ *.java *.ii *.ixx *.ipp *.i++ *.inl *.h *.hh *.hxx
-# *.hpp *.h++ *.idl *.odl *.cs *.php *.php3 *.inc *.m *.mm *.py *.f90
+# *.c *.cc *.cxx *.cpp *.c++ *.d *.java *.ii *.ixx *.ipp *.i++ *.inl *.h *.hh
+# *.hxx *.hpp *.h++ *.idl *.odl *.cs *.php *.php3 *.inc *.m *.mm *.dox *.py
+# *.f90 *.f *.for *.vhd *.vhdl
 
 FILE_PATTERNS          = *.h
 
@@ -562,17 +681,19 @@ FILE_PATTERNS          = *.h
 
 RECURSIVE              = YES
 
-# The EXCLUDE tag can be used to specify files and/or directories that should
+# The EXCLUDE tag can be used to specify files and/or directories that should be
 # excluded from the INPUT source files. This way you can easily exclude a
 # subdirectory from a directory tree whose root is specified with the INPUT tag.
+# Note that relative paths are relative to the directory from which doxygen is
+# run.
 
-EXCLUDE                =
+EXCLUDE                = @SRC_DIR@/src/include
 
-# The EXCLUDE_SYMLINKS tag can be used select whether or not files or
-# directories that are symbolic links (a Unix filesystem feature) are excluded
+# The EXCLUDE_SYMLINKS tag can be used to select whether or not files or
+# directories that are symbolic links (a Unix file system feature) are excluded
 # from the input.
 
-EXCLUDE_SYMLINKS       = NO
+EXCLUDE_SYMLINKS       = YES
 
 # If the value of the INPUT tag contains directories, you can use the
 # EXCLUDE_PATTERNS tag to specify one or more wildcard patterns to exclude
@@ -621,17 +742,20 @@ IMAGE_PATH             =
 # by executing (via popen()) the command <filter> <input-file>, where <filter>
 # is the value of the INPUT_FILTER tag, and <input-file> is the name of an
 # input file. Doxygen will then use the output that the filter program writes
-# to standard output.  If FILTER_PATTERNS is specified, this tag will be
+# to standard output.
+# If FILTER_PATTERNS is specified, this tag will be
 # ignored.
 
 INPUT_FILTER           =
 
 # The FILTER_PATTERNS tag can be used to specify filters on a per file pattern
-# basis.  Doxygen will compare the file name with each pattern and apply the
-# filter if there is a match.  The filters are a list of the form:
+# basis.
+# Doxygen will compare the file name with each pattern and apply the
+# filter if there is a match.
+# The filters are a list of the form:
 # pattern=filter (like *.cpp=my_cpp_filter). See INPUT_FILTER for further
-# info on how filters are used. If FILTER_PATTERNS is empty, INPUT_FILTER
-# is applied to all files.
+# info on how filters are used. If FILTER_PATTERNS is empty or if
+# non of the patterns match the file name, INPUT_FILTER is applied.
 
 FILTER_PATTERNS        =
 
@@ -641,6 +765,14 @@ FILTER_PATTERNS        =
 
 FILTER_SOURCE_FILES    = NO
 
+# The FILTER_SOURCE_PATTERNS tag can be used to specify source filters per file
+# pattern. A pattern will override the setting for FILTER_PATTERN (if any)
+# and it is also possible to disable source filtering for a specific pattern
+# using *.ext= (so without naming a filter). This option only has effect when
+# FILTER_SOURCE_FILES is enabled.
+
+FILTER_SOURCE_PATTERNS =
+
 #---------------------------------------------------------------------------
 # configuration options related to source browsing
 #---------------------------------------------------------------------------
@@ -650,7 +782,7 @@ FILTER_SOURCE_FILES    = NO
 # Note: To get rid of all source code in the generated output, make sure also
 # VERBATIM_HEADERS is set to NO.
 
-SOURCE_BROWSER         = NO
+SOURCE_BROWSER         = YES
 
 # Setting the INLINE_SOURCES tag to YES will include the body
 # of functions and classes directly in the documentation.
@@ -659,7 +791,7 @@ INLINE_SOURCES         = NO
 
 # Setting the STRIP_CODE_COMMENTS tag to YES (the default) will instruct
 # doxygen to hide any special comment blocks from generated source code
-# fragments. Normal C and C++ comments will always remain visible.
+# fragments. Normal C, C++ and Fortran comments will always remain visible.
 
 STRIP_CODE_COMMENTS    = NO
 
@@ -678,7 +810,8 @@ REFERENCES_RELATION    = NO
 # If the REFERENCES_LINK_SOURCE tag is set to YES (the default)
 # and SOURCE_BROWSER tag is set to YES, then the hyperlinks from
 # functions in REFERENCES_RELATION and REFERENCED_BY_RELATION lists will
-# link to the source code.  Otherwise they will link to the documentstion.
+# link to the source code.
+# Otherwise they will link to the documentation.
 
 REFERENCES_LINK_SOURCE = YES
 
@@ -742,7 +875,14 @@ HTML_FILE_EXTENSION    = .html
 
 # The HTML_HEADER tag can be used to specify a personal HTML header for
 # each generated HTML page. If it is left blank doxygen will generate a
-# standard header.
+# standard header. Note that when using a custom header you are responsible
+#  for the proper inclusion of any scripts and style sheets that doxygen
+# needs, which is dependent on the configuration options used.
+# It is advised to generate a default header using "doxygen -w html
+# header.html footer.html stylesheet.css YourConfigFile" and then modify
+# that header. Note that the header is subject to change so you typically
+# have to redo this when upgrading to a newer version of doxygen or when
+# changing the value of configuration settings such as GENERATE_TREEVIEW!
 
 HTML_HEADER            =
 
@@ -757,22 +897,66 @@ HTML_FOOTER            =
 # fine-tune the look of the HTML output. If the tag is left blank doxygen
 # will generate a default style sheet. Note that doxygen will try to copy
 # the style sheet file to the HTML output directory, so don't put your own
-# stylesheet in the HTML output directory as well, or it will be erased!
+# style sheet in the HTML output directory as well, or it will be erased!
 
 HTML_STYLESHEET        =
 
-# If the HTML_ALIGN_MEMBERS tag is set to YES, the members of classes,
-# files or namespaces will be aligned in HTML using tables. If set to
-# NO a bullet list will be used.
+# The HTML_EXTRA_FILES tag can be used to specify one or more extra images or
+# other source files which should be copied to the HTML output directory. Note
+# that these files will be copied to the base HTML output directory. Use the
+# $relpath$ marker in the HTML_HEADER and/or HTML_FOOTER files to load these
+# files. In the HTML_STYLESHEET file, use the file name only. Also note that
+# the files will be copied as-is; there are no commands or markers available.
 
-HTML_ALIGN_MEMBERS     = YES
+HTML_EXTRA_FILES       =
 
-# If the GENERATE_HTMLHELP tag is set to YES, additional index files
-# will be generated that can be used as input for tools like the
-# Microsoft HTML help workshop to generate a compiled HTML help file (.chm)
-# of the generated HTML documentation.
+# The HTML_COLORSTYLE_HUE tag controls the color of the HTML output.
+# Doxygen will adjust the colors in the style sheet and background images
+# according to this color. Hue is specified as an angle on a colorwheel,
+# see http://en.wikipedia.org/wiki/Hue for more information.
+# For instance the value 0 represents red, 60 is yellow, 120 is green,
+# 180 is cyan, 240 is blue, 300 purple, and 360 is red again.
+# The allowed range is 0 to 359.
 
-GENERATE_HTMLHELP      = NO
+HTML_COLORSTYLE_HUE    = 220
+
+# The HTML_COLORSTYLE_SAT tag controls the purity (or saturation) of
+# the colors in the HTML output. For a value of 0 the output will use
+# grayscales only. A value of 255 will produce the most vivid colors.
+
+HTML_COLORSTYLE_SAT    = 100
+
+# The HTML_COLORSTYLE_GAMMA tag controls the gamma correction applied to
+# the luminance component of the colors in the HTML output. Values below
+# 100 gradually make the output lighter, whereas values above 100 make
+# the output darker. The value divided by 100 is the actual gamma applied,
+# so 80 represents a gamma of 0.8, The value 220 represents a gamma of 2.2,
+# and 100 does not change the gamma.
+
+HTML_COLORSTYLE_GAMMA  = 80
+
+# If the HTML_TIMESTAMP tag is set to YES then the footer of each generated HTML
+# page will contain the date and time when the page was generated. Setting
+# this to NO can help when comparing the output of multiple runs.
+
+HTML_TIMESTAMP         = YES
+
+# If the HTML_DYNAMIC_SECTIONS tag is set to YES then the generated HTML
+# documentation will contain sections that can be hidden and shown after the
+# page has loaded.
+
+HTML_DYNAMIC_SECTIONS  = YES
+
+# With HTML_INDEX_NUM_ENTRIES one can control the preferred number of
+# entries shown in the various tree structured indices initially; the user
+# can expand and collapse entries dynamically later on. Doxygen will expand
+# the tree to such a level that at most the specified number of entries are
+# visible (unless a fully collapsed tree already exceeds this amount).
+# So setting the number of entries 1 will produce a full collapsed tree by
+# default. 0 is a special value representing an infinite number of entries
+# and will result in a full expanded tree by default.
+
+HTML_INDEX_NUM_ENTRIES = 100
 
 # If the GENERATE_DOCSET tag is set to YES, additional index files
 # will be generated that can be used as input for Apple's Xcode 3
@@ -782,6 +966,8 @@ GENERATE_HTMLHELP      = NO
 # directory and running "make install" will install the docset in
 # ~/Library/Developer/Shared/Documentation/DocSets so that Xcode will find
 # it at startup.
+# See http://developer.apple.com/tools/creatingdocsetswithdoxygen.html
+# for more information.
 
 GENERATE_DOCSET        = NO
 
@@ -799,13 +985,22 @@ DOCSET_FEEDNAME        = "Doxygen generated docs"
 
 DOCSET_BUNDLE_ID       = org.doxygen.Project
 
-# If the HTML_DYNAMIC_SECTIONS tag is set to YES then the generated HTML
-# documentation will contain sections that can be hidden and shown after the
-# page has loaded. For this to work a browser that supports
-# JavaScript and DHTML is required (for instance Mozilla 1.0+, Firefox
-# Netscape 6.0+, Internet explorer 5.0+, Konqueror, or Safari).
+# When GENERATE_PUBLISHER_ID tag specifies a string that should uniquely identify
+# the documentation publisher. This should be a reverse domain-name style
+# string, e.g. com.mycompany.MyDocSet.documentation.
 
-HTML_DYNAMIC_SECTIONS  = NO
+DOCSET_PUBLISHER_ID    = org.doxygen.Publisher
+
+# The GENERATE_PUBLISHER_NAME tag identifies the documentation publisher.
+
+DOCSET_PUBLISHER_NAME  = Publisher
+
+# If the GENERATE_HTMLHELP tag is set to YES, additional index files
+# will be generated that can be used as input for tools like the
+# Microsoft HTML help workshop to generate a compiled HTML help file (.chm)
+# of the generated HTML documentation.
+
+GENERATE_HTMLHELP      = NO
 
 # If the GENERATE_HTMLHELP tag is set to YES, the CHM_FILE tag can
 # be used to specify the file name of the resulting .chm file. You
@@ -844,40 +1039,114 @@ BINARY_TOC             = NO
 
 TOC_EXPAND             = NO
 
-# The DISABLE_INDEX tag can be used to turn on/off the condensed index at
-# top of each HTML page. The value NO (the default) enables the index and
-# the value YES disables it.
+# If the GENERATE_QHP tag is set to YES and both QHP_NAMESPACE and
+# QHP_VIRTUAL_FOLDER are set, an additional index file will be generated
+# that can be used as input for Qt's qhelpgenerator to generate a
+# Qt Compressed Help (.qch) of the generated HTML documentation.
 
-DISABLE_INDEX          = NO
+GENERATE_QHP           = NO
 
-# This tag can be used to set the number of enum values (range [1..20])
-# that doxygen will group on one line in the generated HTML documentation.
+# If the QHG_LOCATION tag is specified, the QCH_FILE tag can
+# be used to specify the file name of the resulting .qch file.
+# The path specified is relative to the HTML output folder.
 
-ENUM_VALUES_PER_LINE   = 1
+QCH_FILE               =
+
+# The QHP_NAMESPACE tag specifies the namespace to use when generating
+# Qt Help Project output. For more information please see
+# http://doc.trolltech.com/qthelpproject.html#namespace
+
+QHP_NAMESPACE          = org.doxygen.Project
+
+# The QHP_VIRTUAL_FOLDER tag specifies the namespace to use when generating
+# Qt Help Project output. For more information please see
+# http://doc.trolltech.com/qthelpproject.html#virtual-folders
+
+QHP_VIRTUAL_FOLDER     = doc
+
+# If QHP_CUST_FILTER_NAME is set, it specifies the name of a custom filter to
+# add. For more information please see
+# http://doc.trolltech.com/qthelpproject.html#custom-filters
+
+QHP_CUST_FILTER_NAME   =
+
+# The QHP_CUST_FILT_ATTRS tag specifies the list of the attributes of the
+# custom filter to add. For more information please see
+# <a href="http://doc.trolltech.com/qthelpproject.html#custom-filters">
+# Qt Help Project / Custom Filters</a>.
+
+QHP_CUST_FILTER_ATTRS  =
+
+# The QHP_SECT_FILTER_ATTRS tag specifies the list of the attributes this
+# project's
+# filter section matches.
+# <a href="http://doc.trolltech.com/qthelpproject.html#filter-attributes">
+# Qt Help Project / Filter Attributes</a>.
+
+QHP_SECT_FILTER_ATTRS  =
+
+# If the GENERATE_QHP tag is set to YES, the QHG_LOCATION tag can
+# be used to specify the location of Qt's qhelpgenerator.
+# If non-empty doxygen will try to run qhelpgenerator on the generated
+# .qhp file.
+
+QHG_LOCATION           =
+
+# If the GENERATE_ECLIPSEHELP tag is set to YES, additional index files
+#  will be generated, which together with the HTML files, form an Eclipse help
+# plugin. To install this plugin and make it available under the help contents
+# menu in Eclipse, the contents of the directory containing the HTML and XML
+# files needs to be copied into the plugins directory of eclipse. The name of
+# the directory within the plugins directory should be the same as
+# the ECLIPSE_DOC_ID value. After copying Eclipse needs to be restarted before
+# the help appears.
+
+GENERATE_ECLIPSEHELP   = NO
+
+# A unique identifier for the eclipse help plugin. When installing the plugin
+# the directory name containing the HTML and XML files should also have
+# this name.
+
+ECLIPSE_DOC_ID         = org.doxygen.Project
+
+# The DISABLE_INDEX tag can be used to turn on/off the condensed index (tabs)
+# at top of each HTML page. The value NO (the default) enables the index and
+# the value YES disables it. Since the tabs have the same information as the
+# navigation tree you can set this option to NO if you already set
+# GENERATE_TREEVIEW to YES.
+
+DISABLE_INDEX          = NO
 
 # The GENERATE_TREEVIEW tag is used to specify whether a tree-like index
 # structure should be generated to display hierarchical information.
-# If the tag value is set to FRAME, a side panel will be generated
+# If the tag value is set to YES, a side panel will be generated
 # containing a tree-like index structure (just like the one that
 # is generated for HTML Help). For this to work a browser that supports
-# JavaScript, DHTML, CSS and frames is required (for instance Mozilla 1.0+,
-# Netscape 6.0+, Internet explorer 5.0+, or Konqueror). Windows users are
-# probably better off using the HTML help feature. Other possible values
-# for this tag are: HIERARCHIES, which will generate the Groups, Directories,
-# and Class Hiererachy pages using a tree view instead of an ordered list;
-# ALL, which combines the behavior of FRAME and HIERARCHIES; and NONE, which
-# disables this behavior completely. For backwards compatibility with previous
-# releases of Doxygen, the values YES and NO are equivalent to FRAME and NONE
-# respectively.
+# JavaScript, DHTML, CSS and frames is required (i.e. any modern browser).
+# Windows users are probably better off using the HTML help feature.
+# Since the tree basically has the same information as the tab index you
+# could consider to set DISABLE_INDEX to NO when enabling this option.
 
 GENERATE_TREEVIEW      = YES
 
+# The ENUM_VALUES_PER_LINE tag can be used to set the number of enum values
+# (range [0,1..20]) that doxygen will group on one line in the generated HTML
+# documentation. Note that a value of 0 will completely suppress the enum
+# values from appearing in the overview section.
+
+ENUM_VALUES_PER_LINE   = 1
+
 # If the treeview is enabled (see GENERATE_TREEVIEW) then this tag can be
 # used to set the initial width (in pixels) of the frame in which the tree
 # is shown.
 
 TREEVIEW_WIDTH         = 250
 
+# When the EXT_LINKS_IN_WINDOW option is set to YES doxygen will open
+# links to external symbols imported via tag files in a separate window.
+
+EXT_LINKS_IN_WINDOW    = NO
+
 # Use this tag to change the font size of Latex formulas included
 # as images in the HTML documentation. The default is 10. Note that
 # when you change the font size after a successful doxygen run you need
@@ -886,6 +1155,60 @@ TREEVIEW_WIDTH         = 250
 
 FORMULA_FONTSIZE       = 10
 
+# Use the FORMULA_TRANPARENT tag to determine whether or not the images
+# generated for formulas are transparent PNGs. Transparent PNGs are
+# not supported properly for IE 6.0, but are supported on all modern browsers.
+# Note that when changing this option you need to delete any form_*.png files
+# in the HTML output before the changes have effect.
+
+FORMULA_TRANSPARENT    = YES
+
+# Enable the USE_MATHJAX option to render LaTeX formulas using MathJax
+# (see http://www.mathjax.org) which uses client side Javascript for the
+# rendering instead of using prerendered bitmaps. Use this if you do not
+# have LaTeX installed or if you want to formulas look prettier in the HTML
+# output. When enabled you may also need to install MathJax separately and
+# configure the path to it using the MATHJAX_RELPATH option.
+
+USE_MATHJAX            = NO
+
+# When MathJax is enabled you need to specify the location relative to the
+# HTML output directory using the MATHJAX_RELPATH option. The destination
+# directory should contain the MathJax.js script. For instance, if the mathjax
+# directory is located at the same level as the HTML output directory, then
+# MATHJAX_RELPATH should be ../mathjax. The default value points to
+# the MathJax Content Delivery Network so you can quickly see the result without
+# installing MathJax.
+# However, it is strongly recommended to install a local
+# copy of MathJax from http://www.mathjax.org before deployment.
+
+MATHJAX_RELPATH        = http://cdn.mathjax.org/mathjax/latest
+
+# The MATHJAX_EXTENSIONS tag can be used to specify one or MathJax extension
+# names that should be enabled during MathJax rendering.
+
+MATHJAX_EXTENSIONS     =
+
+# When the SEARCHENGINE tag is enabled doxygen will generate a search box
+# for the HTML output. The underlying search engine uses javascript
+# and DHTML and should work on any modern browser. Note that when using
+# HTML help (GENERATE_HTMLHELP), Qt help (GENERATE_QHP), or docsets
+# (GENERATE_DOCSET) there is already a search function so this one should
+# typically be disabled. For large projects the javascript based search engine
+# can be slow, then enabling SERVER_BASED_SEARCH may provide a better solution.
+
+SEARCHENGINE           = NO
+
+# When the SERVER_BASED_SEARCH tag is enabled the search engine will be
+# implemented using a PHP enabled web server instead of at the web client
+# using Javascript. Doxygen will generate the search PHP script and index
+# file to put on the web server. The advantage of the server
+# based approach is that it scales better to large projects and allows
+# full text search. The disadvantages are that it is more difficult to setup
+# and does not have live searching capabilities.
+
+SERVER_BASED_SEARCH    = NO
+
 #---------------------------------------------------------------------------
 # configuration options related to the LaTeX output
 #---------------------------------------------------------------------------
@@ -903,6 +1226,9 @@ LATEX_OUTPUT           = latex
 
 # The LATEX_CMD_NAME tag can be used to specify the LaTeX command name to be
 # invoked. If left blank `latex' will be used as the default command name.
+# Note that when enabling USE_PDFLATEX this option is only used for
+# generating bitmaps for formulas in the HTML output, but not in the
+# Makefile that is written to the output directory.
 
 LATEX_CMD_NAME         = latex
 
@@ -919,7 +1245,7 @@ MAKEINDEX_CMD_NAME     = makeindex
 COMPACT_LATEX          = NO
 
 # The PAPER_TYPE tag can be used to set the paper type that is used
-# by the printer. Possible values are: a4, a4wide, letter, legal and
+# by the printer. Possible values are: a4, letter, legal and
 # executive. If left blank a4wide will be used.
 
 PAPER_TYPE             = a4wide
@@ -936,6 +1262,13 @@ EXTRA_PACKAGES         =
 
 LATEX_HEADER           =
 
+# The LATEX_FOOTER tag can be used to specify a personal LaTeX footer for
+# the generated latex document. The footer should contain everything after
+# the last chapter. If it is left blank doxygen will generate a
+# standard footer. Notice: only use this tag if you know what you are doing!
+
+LATEX_FOOTER           =
+
 # If the PDF_HYPERLINKS tag is set to YES, the LaTeX that is generated
 # is prepared for conversion to pdf (using ps2pdf). The pdf file will
 # contain links (just like the HTML output) instead of page references
@@ -962,6 +1295,19 @@ LATEX_BATCHMODE        = NO
 
 LATEX_HIDE_INDICES     = NO
 
+# If LATEX_SOURCE_CODE is set to YES then doxygen will include
+# source code with syntax highlighting in the LaTeX output.
+# Note that which sources are shown also depends on other settings
+# such as SOURCE_BROWSER.
+
+LATEX_SOURCE_CODE      = NO
+
+# The LATEX_BIB_STYLE tag can be used to specify the style to use for the
+# bibliography, e.g. plainnat, or ieeetr. The default style is "plain". See
+# http://en.wikipedia.org/wiki/BibTeX for more info.
+
+LATEX_BIB_STYLE        = plain
+
 #---------------------------------------------------------------------------
 # configuration options related to the RTF output
 #---------------------------------------------------------------------------
@@ -993,7 +1339,7 @@ COMPACT_RTF            = NO
 
 RTF_HYPERLINKS         = NO
 
-# Load stylesheet definitions from file. Syntax is similar to doxygen's
+# Load style sheet definitions from file. Syntax is similar to doxygen's
 # config file, i.e. a series of assignments. You only have to provide
 # replacements, missing definitions are set to their default value.
 
@@ -1098,8 +1444,10 @@ GENERATE_PERLMOD       = NO
 PERLMOD_LATEX          = NO
 
 # If the PERLMOD_PRETTY tag is set to YES the Perl module output will be
-# nicely formatted so it can be parsed by a human reader.  This is useful
-# if you want to understand what is going on.  On the other hand, if this
+# nicely formatted so it can be parsed by a human reader.
+# This is useful
+# if you want to understand what is going on.
+# On the other hand, if this
 # tag is set to NO the size of the Perl module output will be much smaller
 # and Perl will parse it just the same.
 
@@ -1136,7 +1484,7 @@ MACRO_EXPANSION        = YES
 EXPAND_ONLY_PREDEF     = NO
 
 # If the SEARCH_INCLUDES tag is set to YES (the default) the includes files
-# in the INCLUDE_PATH (see below) will be search if a #include is found.
+# pointed to by INCLUDE_PATH will be searched when a #include is found.
 
 SEARCH_INCLUDES        = YES
 
@@ -1161,20 +1509,20 @@ INCLUDE_FILE_PATTERNS  =
 # undefined via #undef or recursively expanded use the := operator
 # instead of the = operator.
 
-PREDEFINED             = LEAK_DETECTIVE
+PREDEFINED             = LEAK_DETECTIVE __attribute__(x)=
 
 # If the MACRO_EXPANSION and EXPAND_ONLY_PREDEF tags are set to YES then
 # this tag can be used to specify a list of macro names that should be expanded.
 # The macro definition that is found in the sources will be used.
-# Use the PREDEFINED tag if you want to use a different macro definition.
+# Use the PREDEFINED tag if you want to use a different macro definition that
+# overrules the definition found in the source code.
 
 EXPAND_AS_DEFINED      =
 
 # If the SKIP_FUNCTION_MACROS tag is set to YES (the default) then
-# doxygen's preprocessor will remove all function-like macros that are alone
-# on a line, have an all uppercase name, and do not end with a semicolon. Such
-# function macros are typically used for boiler-plate code, and will confuse
-# the parser if not removed.
+# doxygen's preprocessor will remove all references to function-like macros
+# that are alone on a line, have an all uppercase name, and do not end with a
+# semicolon, because these will confuse the parser if not removed.
 
 SKIP_FUNCTION_MACROS   = YES
 
@@ -1182,20 +1530,18 @@ SKIP_FUNCTION_MACROS   = YES
 # Configuration::additions related to external references
 #---------------------------------------------------------------------------
 
-# The TAGFILES option can be used to specify one or more tagfiles.
-# Optionally an initial location of the external documentation
-# can be added for each tagfile. The format of a tag file without
-# this location is as follows:
-#   TAGFILES = file1 file2 ...
+# The TAGFILES option can be used to specify one or more tagfiles. For each
+# tag file the location of the external documentation should be added. The
+# format of a tag file without this location is as follows:
+#
+# TAGFILES = file1 file2 ...
 # Adding location for the tag files is done as follows:
-#   TAGFILES = file1=loc1 "file2 = loc2" ...
-# where "loc1" and "loc2" can be relative or absolute paths or
-# URLs. If a location is present for each tag, the installdox tool
-# does not have to be run to correct the links.
-# Note that each tag file must have a unique name
-# (where the name does NOT include the path)
-# If a tag file is not located in the directory in which doxygen
-# is run, you must also specify the path to the tagfile here.
+#
+# TAGFILES = file1=loc1 "file2 = loc2" ...
+# where "loc1" and "loc2" can be relative or absolute paths
+# or URLs. Note that each tag file must have a unique name (where the name does
+# NOT include the path). If a tag file is not located in the directory in which
+# doxygen is run, you must also specify the path to the tagfile here.
 
 TAGFILES               =
 
@@ -1228,9 +1574,8 @@ PERL_PATH              = /usr/bin/perl
 # If the CLASS_DIAGRAMS tag is set to YES (the default) Doxygen will
 # generate a inheritance diagram (in HTML, RTF and LaTeX) for classes with base
 # or super classes. Setting the tag to NO turns the diagrams off. Note that
-# this option is superseded by the HAVE_DOT option below. This is only a
-# fallback. It is recommended to install and use dot, since it yields more
-# powerful graphs.
+# this option also works with HAVE_DOT disabled, but it is recommended to
+# install and use dot, since it yields more powerful graphs.
 
 CLASS_DIAGRAMS         = YES
 
@@ -1256,28 +1601,38 @@ HIDE_UNDOC_RELATIONS   = YES
 
 HAVE_DOT               = NO
 
-# By default doxygen will write a font called FreeSans.ttf to the output
-# directory and reference it in all dot files that doxygen generates. This
-# font does not include all possible unicode characters however, so when you need
-# these (or just want a differently looking font) you can specify the font name
-# using DOT_FONTNAME. You need need to make sure dot is able to find the font,
-# which can be done by putting it in a standard location or by setting the
-# DOTFONTPATH environment variable or by setting DOT_FONTPATH to the directory
-# containing the font.
+# The DOT_NUM_THREADS specifies the number of dot invocations doxygen is
+# allowed to run in parallel. When set to 0 (the default) doxygen will
+# base this on the number of processors available in the system. You can set it
+# explicitly to a value larger than 0 to get control over the balance
+# between CPU load and processing speed.
+
+DOT_NUM_THREADS        = 0
+
+# By default doxygen will use the Helvetica font for all dot files that
+# doxygen generates. When you want a differently looking font you can specify
+# the font name using DOT_FONTNAME. You need to make sure dot is able to find
+# the font, which can be done by putting it in a standard location or by setting
+# the DOTFONTPATH environment variable or by setting DOT_FONTPATH to the
+# directory containing the font.
 
 DOT_FONTNAME           = FreeSans
 
-# By default doxygen will tell dot to use the output directory to look for the
-# FreeSans.ttf font (which doxygen will put there itself). If you specify a
-# different font using DOT_FONTNAME you can set the path where dot
-# can find it using this tag.
+# The DOT_FONTSIZE tag can be used to set the size of the font of dot graphs.
+# The default size is 10pt.
+
+DOT_FONTSIZE           = 10
+
+# By default doxygen will tell dot to use the Helvetica font.
+# If you specify a different font using DOT_FONTNAME you can use DOT_FONTPATH to
+# set the path where dot can find it.
 
 DOT_FONTPATH           =
 
 # If the CLASS_GRAPH and HAVE_DOT tags are set to YES then doxygen
 # will generate a graph for each documented class showing the direct and
 # indirect inheritance relations. Setting this tag to YES will force the
-# the CLASS_DIAGRAMS tag to NO.
+# CLASS_DIAGRAMS tag to NO.
 
 CLASS_GRAPH            = YES
 
@@ -1299,6 +1654,15 @@ GROUP_GRAPHS           = YES
 
 UML_LOOK               = NO
 
+# If the UML_LOOK tag is enabled, the fields and methods are shown inside
+# the class node. If there are many fields or methods and many nodes the
+# graph may become too big to be useful. The UML_LIMIT_NUM_FIELDS
+# threshold limits the number of items for each type to make the size more
+# managable. Set this to 0 for no limit. Note that the threshold may be
+# exceeded by 50% before the limit is enforced.
+
+UML_LIMIT_NUM_FIELDS   = 10
+
 # If set to YES, the inheritance and collaboration graphs will show the
 # relations between templates and their instances.
 
@@ -1335,11 +1699,11 @@ CALL_GRAPH             = NO
 CALLER_GRAPH           = NO
 
 # If the GRAPHICAL_HIERARCHY and HAVE_DOT tags are set to YES then doxygen
-# will graphical hierarchy of all classes instead of a textual one.
+# will generate a graphical hierarchy of all classes instead of a textual one.
 
 GRAPHICAL_HIERARCHY    = YES
 
-# If the DIRECTORY_GRAPH, SHOW_DIRECTORIES and HAVE_DOT tags are set to YES
+# If the DIRECTORY_GRAPH and HAVE_DOT tags are set to YES
 # then doxygen will show the dependencies a directory has on other directories
 # in a graphical way. The dependency relations are determined by the #include
 # relations between the files in the directories.
@@ -1347,11 +1711,22 @@ GRAPHICAL_HIERARCHY    = YES
 DIRECTORY_GRAPH        = YES
 
 # The DOT_IMAGE_FORMAT tag can be used to set the image format of the images
-# generated by dot. Possible values are png, jpg, or gif
-# If left blank png will be used.
+# generated by dot. Possible values are svg, png, jpg, or gif.
+# If left blank png will be used. If you choose svg you need to set
+# HTML_FILE_EXTENSION to xhtml in order to make the SVG files
+# visible in IE 9+ (other browsers do not have this requirement).
 
 DOT_IMAGE_FORMAT       = png
 
+# If DOT_IMAGE_FORMAT is set to svg, then this option can be set to YES to
+# enable generation of interactive SVG images that allow zooming and panning.
+# Note that this requires a modern browser other than Internet Explorer.
+# Tested and working are Firefox, Chrome, Safari, and Opera. For IE 9+ you
+# need to set HTML_FILE_EXTENSION to xhtml in order to make the SVG files
+# visible. Older versions of IE do not have SVG support.
+
+INTERACTIVE_SVG        = NO
+
 # The tag DOT_PATH can be used to specify the path where the dot tool can be
 # found. If left blank, it is assumed the dot tool can be found in the path.
 
@@ -1363,6 +1738,12 @@ DOT_PATH               =
 
 DOTFILE_DIRS           =
 
+# The MSCFILE_DIRS tag can be used to specify one or more directories that
+# contain msc files that are included in the documentation (see the
+# \mscfile command).
+
+MSCFILE_DIRS           =
+
 # The DOT_GRAPH_MAX_NODES tag can be used to set the maximum number of
 # nodes that will be shown in the graph. If the number of nodes in a graph
 # becomes larger than this value, doxygen will truncate the graph, which is
@@ -1384,10 +1765,10 @@ DOT_GRAPH_MAX_NODES    = 50
 MAX_DOT_GRAPH_DEPTH    = 0
 
 # Set the DOT_TRANSPARENT tag to YES to generate images with a transparent
-# background. This is enabled by default, which results in a transparent
-# background. Warning: Depending on the platform used, enabling this option
-# may lead to badly anti-aliased labels on the edges of a graph (i.e. they
-# become hard to read).
+# background. This is disabled by default, because dot on Windows does not
+# seem to support this out of the box. Warning: Depending on the platform used,
+# enabling this option may lead to badly anti-aliased labels on the edges of
+# a graph (i.e. they become hard to read).
 
 DOT_TRANSPARENT        = NO
 
@@ -1409,12 +1790,3 @@ GENERATE_LEGEND        = YES
 # the various graphs.
 
 DOT_CLEANUP            = YES
-
-#---------------------------------------------------------------------------
-# Configuration::additions related to the search engine
-#---------------------------------------------------------------------------
-
-# The SEARCHENGINE tag specifies whether or not a search engine should be
-# used. If set to NO the values of all tags below this one will be ignored.
-
-SEARCHENGINE           = NO
diff --git a/Makefile.in b/Makefile.in
index 2b952cc52..a457a4519 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.11.3 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
@@ -16,6 +16,23 @@
 @SET_MAKE@
 
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -40,8 +57,8 @@ DIST_COMMON = README $(am__configure_deps) $(srcdir)/Makefile.am \
 	$(srcdir)/Makefile.in $(srcdir)/config.h.in \
 	$(top_srcdir)/configure \
 	$(top_srcdir)/src/dumm/ext/extconf.rb.in AUTHORS COPYING \
-	ChangeLog INSTALL NEWS TODO config.guess config.sub depcomp \
-	install-sh ltmain.sh missing ylwrap
+	ChangeLog INSTALL NEWS TODO compile config.guess config.sub \
+	depcomp install-sh ltmain.sh missing ylwrap
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
 am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/config/ltoptions.m4 \
@@ -69,6 +86,11 @@ RECURSIVE_TARGETS = all-recursive check-recursive dvi-recursive \
 	install-pdf-recursive install-ps-recursive install-recursive \
 	installcheck-recursive installdirs-recursive pdf-recursive \
 	ps-recursive uninstall-recursive
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
 am__vpath_adj = case $$p in \
     $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
@@ -159,6 +181,8 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -175,6 +199,7 @@ EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
@@ -243,8 +268,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -300,7 +323,6 @@ nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
@@ -408,8 +430,11 @@ distclean-libtool:
 	-rm -f libtool config.lt
 install-nodist_config_includeHEADERS: $(nodist_config_include_HEADERS)
 	@$(NORMAL_INSTALL)
-	test -z "$(config_includedir)" || $(MKDIR_P) "$(DESTDIR)$(config_includedir)"
 	@list='$(nodist_config_include_HEADERS)'; test -n "$(config_includedir)" || list=; \
+	if test -n "$$list"; then \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(config_includedir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(config_includedir)" || exit 1; \
+	fi; \
 	for p in $$list; do \
 	  if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \
 	  echo "$$d$$p"; \
@@ -594,13 +619,10 @@ distdir: $(DISTFILES)
 	done
 	@list='$(DIST_SUBDIRS)'; for subdir in $$list; do \
 	  if test "$$subdir" = .; then :; else \
-	    test -d "$(distdir)/$$subdir" \
-	    || $(MKDIR_P) "$(distdir)/$$subdir" \
-	    || exit 1; \
-	  fi; \
-	done
-	@list='$(DIST_SUBDIRS)'; for subdir in $$list; do \
-	  if test "$$subdir" = .; then :; else \
+	    $(am__make_dryrun) \
+	      || test -d "$(distdir)/$$subdir" \
+	      || $(MKDIR_P) "$(distdir)/$$subdir" \
+	      || exit 1; \
 	    dir1=$$subdir; dir2="$(distdir)/$$subdir"; \
 	    $(am__relativize); \
 	    new_distdir=$$reldir; \
@@ -686,7 +708,7 @@ distcheck: dist
 	*.zip*) \
 	  unzip $(distdir).zip ;;\
 	esac
-	chmod -R a-w $(distdir); chmod a+w $(distdir)
+	chmod -R a-w $(distdir); chmod u+w $(distdir)
 	mkdir $(distdir)/_build
 	mkdir $(distdir)/_inst
 	chmod a-w $(distdir)
diff --git a/NEWS b/NEWS
index 95f7e1c60..b95698d91 100644
--- a/NEWS
+++ b/NEWS
@@ -1,3 +1,56 @@
+strongswan-5.0.3
+----------------
+
+- The new ipseckey plugin enables authentication based on trustworthy public
+  keys stored as IPSECKEY resource records in the DNS and protected by DNSSEC.
+  To do so it uses a DNSSEC enabled resolver, like the one provided by the new
+  unbound plugin, which is based on libldns and libunbound.  Both plugins were
+  created by Reto Guadagnini.
+
+- Implemented the TCG TNC IF-IMV 1.4 draft making access requestor identities
+  available to an IMV. The OS IMV stores the AR identity together with the
+  device ID in the attest database.
+
+- The openssl plugin now uses the AES-NI accelerated version of AES-GCM
+  if the hardware supports it.
+
+- The eap-radius plugin can now assign virtual IPs to IKE clients using the
+  Framed-IP-Address attribute by using the "%radius" named pool in the
+  rightsourceip ipsec.conf option. Cisco Banner attributes are forwarded to
+  Unity-capable IKEv1 clients during mode config. charon now sends Interim
+  Accounting updates if requested by the RADIUS server, reports
+  sent/received packets in Accounting messages, and adds a Terminate-Cause
+  to Accounting-Stops.
+
+- The recently introduced "ipsec listcounters" command can report connection
+  specific counters by passing a connection name, and global or connection
+  counters can be reset by the "ipsec resetcounters" command.
+
+- The strongSwan libpttls library provides an experimental implementation of
+  PT-TLS (RFC 6876), a Posture Transport Protocol over TLS.
+
+- The charon systime-fix plugin can disable certificate lifetime checks on
+  embedded systems if the system time is obviously out of sync after bootup.
+  Certificates lifetimes get checked once the system time gets sane, closing
+  or reauthenticating connections using expired certificates.
+
+- The "ikedscp" ipsec.conf option can set DiffServ code points on outgoing
+  IKE packets.
+
+- The new xauth-noauth plugin allows to use basic RSA or PSK authentication with
+  clients that cannot be configured without XAuth authentication.  The plugin
+  simply concludes the XAuth exchange successfully without actually performing
+  any authentication.  Therefore, to use this backend it has to be selected
+  explicitly with rightauth2=xauth-noauth.
+
+- The new charon-tkm IKEv2 daemon delegates security critical operations to a
+  separate process. This has the benefit that the network facing daemon has no
+  knowledge of keying material used to protect child SAs. Thus subverting
+  charon-tkm does not result in the compromise of cryptographic keys.
+  The extracted functionality has been implemented from scratch in a minimal TCB
+  (trusted computing base) in the Ada programming language. Further information
+  can be found at http://www.codelabs.ch/tkm/.
+
 strongswan-5.0.2
 ----------------
 
@@ -49,6 +102,7 @@ strongswan-5.0.2
 - The integration test environment was updated and now uses KVM and reproducible
   guest images based on Debian.
 
+
 strongswan-5.0.1
 ----------------
 
@@ -122,6 +176,7 @@ strongswan-5.0.1
 - All crypto primitives gained return values for most operations, allowing
   crypto backends to fail, for example when using hardware accelerators.
 
+
 strongswan-5.0.0
 ----------------
 
@@ -425,7 +480,7 @@ strongswan-4.5.1
   ./configure switch.
 
 - The new libstrongswan constraints plugin provides advanced X.509 constraint
-  checking. In additon to X.509 pathLen constraints, the plugin checks for
+  checking. In addition to X.509 pathLen constraints, the plugin checks for
   nameConstraints and certificatePolicies, including policyMappings and
   policyConstraints. The x509 certificate plugin and the pki tool have been
   enhanced to support these extensions. The new left/rightcertpolicy ipsec.conf
diff --git a/aclocal.m4 b/aclocal.m4
index b27ee7bab..b2938b090 100644
--- a/aclocal.m4
+++ b/aclocal.m4
@@ -1,4 +1,4 @@
-# generated automatically by aclocal 1.11.3 -*- Autoconf -*-
+# generated automatically by aclocal 1.11.6 -*- Autoconf -*-
 
 # Copyright (C) 1996, 1997, 1998, 1999, 2000, 2001, 2002, 2003, 2004,
 # 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software Foundation,
@@ -14,8 +14,8 @@
 
 m4_ifndef([AC_AUTOCONF_VERSION],
   [m4_copy([m4_PACKAGE_VERSION], [AC_AUTOCONF_VERSION])])dnl
-m4_if(m4_defn([AC_AUTOCONF_VERSION]), [2.68],,
-[m4_warning([this file was generated for autoconf 2.68.
+m4_if(m4_defn([AC_AUTOCONF_VERSION]), [2.69],,
+[m4_warning([this file was generated for autoconf 2.69.
 You have another version of autoconf.  It may work, but is not guaranteed to.
 If you have problems, you may need to regenerate the build system entirely.
 To do so, use the procedure documented by the package, typically `autoreconf'.])])
@@ -423,7 +423,7 @@ AC_DEFUN([AM_AUTOMAKE_VERSION],
 [am__api_version='1.11'
 dnl Some users find AM_AUTOMAKE_VERSION and mistake it for a way to
 dnl require some minimum version.  Point them to the right macro.
-m4_if([$1], [1.11.3], [],
+m4_if([$1], [1.11.6], [],
       [AC_FATAL([Do not call $0, use AM_INIT_AUTOMAKE([$1]).])])dnl
 ])
 
@@ -439,7 +439,7 @@ m4_define([_AM_AUTOCONF_VERSION], [])
 # Call AM_AUTOMAKE_VERSION and AM_AUTOMAKE_VERSION so they can be traced.
 # This function is AC_REQUIREd by AM_INIT_AUTOMAKE.
 AC_DEFUN([AM_SET_CURRENT_AUTOMAKE_VERSION],
-[AM_AUTOMAKE_VERSION([1.11.3])dnl
+[AM_AUTOMAKE_VERSION([1.11.6])dnl
 m4_ifndef([AC_AUTOCONF_VERSION],
   [m4_copy([m4_PACKAGE_VERSION], [AC_AUTOCONF_VERSION])])dnl
 _AM_AUTOCONF_VERSION(m4_defn([AC_AUTOCONF_VERSION]))])
@@ -1037,6 +1037,41 @@ AC_MSG_RESULT([$_am_result])
 rm -f confinc confmf
 ])
 
+# Copyright (C) 1999, 2000, 2001, 2003, 2004, 2005, 2008
+# Free Software Foundation, Inc.
+#
+# This file is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# serial 6
+
+# AM_PROG_CC_C_O
+# --------------
+# Like AC_PROG_CC_C_O, but changed for automake.
+AC_DEFUN([AM_PROG_CC_C_O],
+[AC_REQUIRE([AC_PROG_CC_C_O])dnl
+AC_REQUIRE([AM_AUX_DIR_EXPAND])dnl
+AC_REQUIRE_AUX_FILE([compile])dnl
+# FIXME: we rely on the cache variable name because
+# there is no other way.
+set dummy $CC
+am_cc=`echo $[2] | sed ['s/[^a-zA-Z0-9_]/_/g;s/^[0-9]/_/']`
+eval am_t=\$ac_cv_prog_cc_${am_cc}_c_o
+if test "$am_t" != yes; then
+   # Losing compiler, so override with the script.
+   # FIXME: It is wrong to rewrite CC.
+   # But if we don't then we get into trouble of one sort or another.
+   # A longer-term fix would be to have automake use am__CC in this case,
+   # and then we could set am__CC="\$(top_srcdir)/compile \$(CC)"
+   CC="$am_aux_dir/compile $CC"
+fi
+dnl Make sure AC_PROG_CC is never called again, or it will override our
+dnl setting of CC.
+m4_define([AC_PROG_CC],
+          [m4_fatal([AC_PROG_CC cannot be called after AM_PROG_CC_C_O])])
+])
+
 # Fake the existence of programs that GNU maintainers use.  -*- Autoconf -*-
 
 # Copyright (C) 1997, 1999, 2000, 2001, 2003, 2004, 2005, 2008
diff --git a/compile b/compile
new file mode 100755
index 000000000..862a14e8c
--- /dev/null
+++ b/compile
@@ -0,0 +1,343 @@
+#! /bin/sh
+# Wrapper for compilers which do not understand '-c -o'.
+
+scriptversion=2012-03-05.13; # UTC
+
+# Copyright (C) 1999, 2000, 2003, 2004, 2005, 2009, 2010, 2012 Free
+# Software Foundation, Inc.
+# Written by Tom Tromey <tromey@cygnus.com>.
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2, or (at your option)
+# any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+# As a special exception to the GNU General Public License, if you
+# distribute this file as part of a program that contains a
+# configuration script generated by Autoconf, you may include it under
+# the same distribution terms that you use for the rest of that program.
+
+# This file is maintained in Automake, please report
+# bugs to <bug-automake@gnu.org> or send patches to
+# <automake-patches@gnu.org>.
+
+nl='
+'
+
+# We need space, tab and new line, in precisely that order.  Quoting is
+# there to prevent tools from complaining about whitespace usage.
+IFS=" ""	$nl"
+
+file_conv=
+
+# func_file_conv build_file lazy
+# Convert a $build file to $host form and store it in $file
+# Currently only supports Windows hosts. If the determined conversion
+# type is listed in (the comma separated) LAZY, no conversion will
+# take place.
+func_file_conv ()
+{
+  file=$1
+  case $file in
+    / | /[!/]*) # absolute file, and not a UNC file
+      if test -z "$file_conv"; then
+	# lazily determine how to convert abs files
+	case `uname -s` in
+	  MINGW*)
+	    file_conv=mingw
+	    ;;
+	  CYGWIN*)
+	    file_conv=cygwin
+	    ;;
+	  *)
+	    file_conv=wine
+	    ;;
+	esac
+      fi
+      case $file_conv/,$2, in
+	*,$file_conv,*)
+	  ;;
+	mingw/*)
+	  file=`cmd //C echo "$file " | sed -e 's/"\(.*\) " *$/\1/'`
+	  ;;
+	cygwin/*)
+	  file=`cygpath -m "$file" || echo "$file"`
+	  ;;
+	wine/*)
+	  file=`winepath -w "$file" || echo "$file"`
+	  ;;
+      esac
+      ;;
+  esac
+}
+
+# func_cl_dashL linkdir
+# Make cl look for libraries in LINKDIR
+func_cl_dashL ()
+{
+  func_file_conv "$1"
+  if test -z "$lib_path"; then
+    lib_path=$file
+  else
+    lib_path="$lib_path;$file"
+  fi
+  linker_opts="$linker_opts -LIBPATH:$file"
+}
+
+# func_cl_dashl library
+# Do a library search-path lookup for cl
+func_cl_dashl ()
+{
+  lib=$1
+  found=no
+  save_IFS=$IFS
+  IFS=';'
+  for dir in $lib_path $LIB
+  do
+    IFS=$save_IFS
+    if $shared && test -f "$dir/$lib.dll.lib"; then
+      found=yes
+      lib=$dir/$lib.dll.lib
+      break
+    fi
+    if test -f "$dir/$lib.lib"; then
+      found=yes
+      lib=$dir/$lib.lib
+      break
+    fi
+  done
+  IFS=$save_IFS
+
+  if test "$found" != yes; then
+    lib=$lib.lib
+  fi
+}
+
+# func_cl_wrapper cl arg...
+# Adjust compile command to suit cl
+func_cl_wrapper ()
+{
+  # Assume a capable shell
+  lib_path=
+  shared=:
+  linker_opts=
+  for arg
+  do
+    if test -n "$eat"; then
+      eat=
+    else
+      case $1 in
+	-o)
+	  # configure might choose to run compile as 'compile cc -o foo foo.c'.
+	  eat=1
+	  case $2 in
+	    *.o | *.[oO][bB][jJ])
+	      func_file_conv "$2"
+	      set x "$@" -Fo"$file"
+	      shift
+	      ;;
+	    *)
+	      func_file_conv "$2"
+	      set x "$@" -Fe"$file"
+	      shift
+	      ;;
+	  esac
+	  ;;
+	-I)
+	  eat=1
+	  func_file_conv "$2" mingw
+	  set x "$@" -I"$file"
+	  shift
+	  ;;
+	-I*)
+	  func_file_conv "${1#-I}" mingw
+	  set x "$@" -I"$file"
+	  shift
+	  ;;
+	-l)
+	  eat=1
+	  func_cl_dashl "$2"
+	  set x "$@" "$lib"
+	  shift
+	  ;;
+	-l*)
+	  func_cl_dashl "${1#-l}"
+	  set x "$@" "$lib"
+	  shift
+	  ;;
+	-L)
+	  eat=1
+	  func_cl_dashL "$2"
+	  ;;
+	-L*)
+	  func_cl_dashL "${1#-L}"
+	  ;;
+	-static)
+	  shared=false
+	  ;;
+	-Wl,*)
+	  arg=${1#-Wl,}
+	  save_ifs="$IFS"; IFS=','
+	  for flag in $arg; do
+	    IFS="$save_ifs"
+	    linker_opts="$linker_opts $flag"
+	  done
+	  IFS="$save_ifs"
+	  ;;
+	-Xlinker)
+	  eat=1
+	  linker_opts="$linker_opts $2"
+	  ;;
+	-*)
+	  set x "$@" "$1"
+	  shift
+	  ;;
+	*.cc | *.CC | *.cxx | *.CXX | *.[cC]++)
+	  func_file_conv "$1"
+	  set x "$@" -Tp"$file"
+	  shift
+	  ;;
+	*.c | *.cpp | *.CPP | *.lib | *.LIB | *.Lib | *.OBJ | *.obj | *.[oO])
+	  func_file_conv "$1" mingw
+	  set x "$@" "$file"
+	  shift
+	  ;;
+	*)
+	  set x "$@" "$1"
+	  shift
+	  ;;
+      esac
+    fi
+    shift
+  done
+  if test -n "$linker_opts"; then
+    linker_opts="-link$linker_opts"
+  fi
+  exec "$@" $linker_opts
+  exit 1
+}
+
+eat=
+
+case $1 in
+  '')
+     echo "$0: No command.  Try '$0 --help' for more information." 1>&2
+     exit 1;
+     ;;
+  -h | --h*)
+    cat <<\EOF
+Usage: compile [--help] [--version] PROGRAM [ARGS]
+
+Wrapper for compilers which do not understand '-c -o'.
+Remove '-o dest.o' from ARGS, run PROGRAM with the remaining
+arguments, and rename the output as expected.
+
+If you are trying to build a whole package this is not the
+right script to run: please start by reading the file 'INSTALL'.
+
+Report bugs to <bug-automake@gnu.org>.
+EOF
+    exit $?
+    ;;
+  -v | --v*)
+    echo "compile $scriptversion"
+    exit $?
+    ;;
+  cl | *[/\\]cl | cl.exe | *[/\\]cl.exe )
+    func_cl_wrapper "$@"      # Doesn't return...
+    ;;
+esac
+
+ofile=
+cfile=
+
+for arg
+do
+  if test -n "$eat"; then
+    eat=
+  else
+    case $1 in
+      -o)
+	# configure might choose to run compile as 'compile cc -o foo foo.c'.
+	# So we strip '-o arg' only if arg is an object.
+	eat=1
+	case $2 in
+	  *.o | *.obj)
+	    ofile=$2
+	    ;;
+	  *)
+	    set x "$@" -o "$2"
+	    shift
+	    ;;
+	esac
+	;;
+      *.c)
+	cfile=$1
+	set x "$@" "$1"
+	shift
+	;;
+      *)
+	set x "$@" "$1"
+	shift
+	;;
+    esac
+  fi
+  shift
+done
+
+if test -z "$ofile" || test -z "$cfile"; then
+  # If no '-o' option was seen then we might have been invoked from a
+  # pattern rule where we don't need one.  That is ok -- this is a
+  # normal compilation that the losing compiler can handle.  If no
+  # '.c' file was seen then we are probably linking.  That is also
+  # ok.
+  exec "$@"
+fi
+
+# Name of file we expect compiler to create.
+cofile=`echo "$cfile" | sed 's|^.*[\\/]||; s|^[a-zA-Z]:||; s/\.c$/.o/'`
+
+# Create the lock directory.
+# Note: use '[/\\:.-]' here to ensure that we don't use the same name
+# that we are using for the .o file.  Also, base the name on the expected
+# object file name, since that is what matters with a parallel build.
+lockdir=`echo "$cofile" | sed -e 's|[/\\:.-]|_|g'`.d
+while true; do
+  if mkdir "$lockdir" >/dev/null 2>&1; then
+    break
+  fi
+  sleep 1
+done
+# FIXME: race condition here if user kills between mkdir and trap.
+trap "rmdir '$lockdir'; exit 1" 1 2 15
+
+# Run the compile.
+"$@"
+ret=$?
+
+if test -f "$cofile"; then
+  test "$cofile" = "$ofile" || mv "$cofile" "$ofile"
+elif test -f "${cofile}bj"; then
+  test "${cofile}bj" = "$ofile" || mv "${cofile}bj" "$ofile"
+fi
+
+rmdir "$lockdir"
+exit $ret
+
+# Local Variables:
+# mode: shell-script
+# sh-indentation: 2
+# eval: (add-hook 'write-file-hooks 'time-stamp)
+# time-stamp-start: "scriptversion="
+# time-stamp-format: "%:y-%02m-%02d.%02H"
+# time-stamp-time-zone: "UTC"
+# time-stamp-end: "; # UTC"
+# End:
diff --git a/config.h.in b/config.h.in
index 3965ed25c..a761227f3 100644
--- a/config.h.in
+++ b/config.h.in
@@ -76,6 +76,9 @@
 /* Define to 1 if you have the `getpwnam_r' function. */
 #undef HAVE_GETPWNAM_R
 
+/* Define to 1 if you have the `getpwuid_r' function. */
+#undef HAVE_GETPWUID_R
+
 /* have gettid() */
 #undef HAVE_GETTID
 
@@ -225,6 +228,9 @@
 /* monolithic build embedding plugins */
 #undef MONOLITHIC
 
+/* Define to 1 if your C compiler doesn't accept -c and -o together. */
+#undef NO_MINUS_C_MINUS_O
+
 /* Name of package */
 #undef PACKAGE
 
diff --git a/config.sub b/config.sub
index c894da455..6205f8423 100755
--- a/config.sub
+++ b/config.sub
@@ -4,7 +4,7 @@
 #   2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010,
 #   2011, 2012 Free Software Foundation, Inc.
 
-timestamp='2012-02-10'
+timestamp='2012-04-18'
 
 # This file is (in principle) common to ALL GNU software.
 # The presence of a machine in this file suggests that SOME GNU software
@@ -225,6 +225,12 @@ case $os in
 	-isc*)
 		basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'`
 		;;
+	-lynx*178)
+		os=-lynxos178
+		;;
+	-lynx*5)
+		os=-lynxos5
+		;;
 	-lynx*)
 		os=-lynxos
 		;;
@@ -1537,6 +1543,9 @@ case $basic_machine in
 	c4x-* | tic4x-*)
 		os=-coff
 		;;
+	hexagon-*)
+		os=-elf
+		;;
 	tic54x-*)
 		os=-coff
 		;;
diff --git a/configure b/configure
index 7424477b3..178f9c9ca 100755
--- a/configure
+++ b/configure
@@ -1,11 +1,9 @@
 #! /bin/sh
 # Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.68 for strongSwan 5.0.2.
+# Generated by GNU Autoconf 2.69 for strongSwan 5.0.3.
 #
 #
-# Copyright (C) 1992, 1993, 1994, 1995, 1996, 1998, 1999, 2000, 2001,
-# 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010 Free Software
-# Foundation, Inc.
+# Copyright (C) 1992-1996, 1998-2012 Free Software Foundation, Inc.
 #
 #
 # This configure script is free software; the Free Software Foundation
@@ -134,6 +132,31 @@ export LANGUAGE
 # CDPATH.
 (unset CDPATH) >/dev/null 2>&1 && unset CDPATH
 
+# Use a proper internal environment variable to ensure we don't fall
+  # into an infinite loop, continuously re-executing ourselves.
+  if test x"${_as_can_reexec}" != xno && test "x$CONFIG_SHELL" != x; then
+    _as_can_reexec=no; export _as_can_reexec;
+    # We cannot yet assume a decent shell, so we have to provide a
+# neutralization value for shells without unset; and this also
+# works around shells that cannot unset nonexistent variables.
+# Preserve -v and -x to the replacement shell.
+BASH_ENV=/dev/null
+ENV=/dev/null
+(unset BASH_ENV) >/dev/null 2>&1 && unset BASH_ENV ENV
+case $- in # ((((
+  *v*x* | *x*v* ) as_opts=-vx ;;
+  *v* ) as_opts=-v ;;
+  *x* ) as_opts=-x ;;
+  * ) as_opts= ;;
+esac
+exec $CONFIG_SHELL $as_opts "$as_myself" ${1+"$@"}
+# Admittedly, this is quite paranoid, since all the known shells bail
+# out after a failed `exec'.
+$as_echo "$0: could not re-execute with $CONFIG_SHELL" >&2
+as_fn_exit 255
+  fi
+  # We don't want this to propagate to other subprocesses.
+          { _as_can_reexec=; unset _as_can_reexec;}
 if test "x$CONFIG_SHELL" = x; then
   as_bourne_compatible="if test -n \"\${ZSH_VERSION+set}\" && (emulate sh) >/dev/null 2>&1; then :
   emulate sh
@@ -167,7 +190,8 @@ if ( set x; as_fn_ret_success y && test x = \"\$1\" ); then :
 else
   exitcode=1; echo positional parameters were not saved.
 fi
-test x\$exitcode = x0 || exit 1"
+test x\$exitcode = x0 || exit 1
+test -x / || exit 1"
   as_suggested="  as_lineno_1=";as_suggested=$as_suggested$LINENO;as_suggested=$as_suggested" as_lineno_1a=\$LINENO
   as_lineno_2=";as_suggested=$as_suggested$LINENO;as_suggested=$as_suggested" as_lineno_2a=\$LINENO
   eval 'test \"x\$as_lineno_1'\$as_run'\" != \"x\$as_lineno_2'\$as_run'\" &&
@@ -220,21 +244,25 @@ IFS=$as_save_IFS
 
 
       if test "x$CONFIG_SHELL" != x; then :
-  # We cannot yet assume a decent shell, so we have to provide a
-	# neutralization value for shells without unset; and this also
-	# works around shells that cannot unset nonexistent variables.
-	# Preserve -v and -x to the replacement shell.
-	BASH_ENV=/dev/null
-	ENV=/dev/null
-	(unset BASH_ENV) >/dev/null 2>&1 && unset BASH_ENV ENV
-	export CONFIG_SHELL
-	case $- in # ((((
-	  *v*x* | *x*v* ) as_opts=-vx ;;
-	  *v* ) as_opts=-v ;;
-	  *x* ) as_opts=-x ;;
-	  * ) as_opts= ;;
-	esac
-	exec "$CONFIG_SHELL" $as_opts "$as_myself" ${1+"$@"}
+  export CONFIG_SHELL
+             # We cannot yet assume a decent shell, so we have to provide a
+# neutralization value for shells without unset; and this also
+# works around shells that cannot unset nonexistent variables.
+# Preserve -v and -x to the replacement shell.
+BASH_ENV=/dev/null
+ENV=/dev/null
+(unset BASH_ENV) >/dev/null 2>&1 && unset BASH_ENV ENV
+case $- in # ((((
+  *v*x* | *x*v* ) as_opts=-vx ;;
+  *v* ) as_opts=-v ;;
+  *x* ) as_opts=-x ;;
+  * ) as_opts= ;;
+esac
+exec $CONFIG_SHELL $as_opts "$as_myself" ${1+"$@"}
+# Admittedly, this is quite paranoid, since all the known shells bail
+# out after a failed `exec'.
+$as_echo "$0: could not re-execute with $CONFIG_SHELL" >&2
+exit 255
 fi
 
     if test x$as_have_required = xno; then :
@@ -336,6 +364,14 @@ $as_echo X"$as_dir" |
 
 
 } # as_fn_mkdir_p
+
+# as_fn_executable_p FILE
+# -----------------------
+# Test if FILE is an executable regular file.
+as_fn_executable_p ()
+{
+  test -f "$1" && test -x "$1"
+} # as_fn_executable_p
 # as_fn_append VAR VALUE
 # ----------------------
 # Append the text in VALUE to the end of the definition contained in VAR. Take
@@ -457,6 +493,10 @@ as_cr_alnum=$as_cr_Letters$as_cr_digits
   chmod +x "$as_me.lineno" ||
     { $as_echo "$as_me: error: cannot create $as_me.lineno; rerun with a POSIX shell" >&2; as_fn_exit 1; }
 
+  # If we had to re-execute with $CONFIG_SHELL, we're ensured to have
+  # already done that, so ensure we don't try to do so again and fall
+  # in an infinite loop.  This has already happened in practice.
+  _as_can_reexec=no; export _as_can_reexec
   # Don't try to exec as it changes $[0], causing all sort of problems
   # (the dirname of $[0] is not the place where we might find the
   # original and so on.  Autoconf is especially sensitive to this).
@@ -491,16 +531,16 @@ if (echo >conf$$.file) 2>/dev/null; then
     # ... but there are two gotchas:
     # 1) On MSYS, both `ln -s file dir' and `ln file dir' fail.
     # 2) DJGPP < 2.04 has no symlinks; `ln -s' creates a wrapper executable.
-    # In both cases, we have to default to `cp -p'.
+    # In both cases, we have to default to `cp -pR'.
     ln -s conf$$.file conf$$.dir 2>/dev/null && test ! -f conf$$.exe ||
-      as_ln_s='cp -p'
+      as_ln_s='cp -pR'
   elif ln conf$$.file conf$$ 2>/dev/null; then
     as_ln_s=ln
   else
-    as_ln_s='cp -p'
+    as_ln_s='cp -pR'
   fi
 else
-  as_ln_s='cp -p'
+  as_ln_s='cp -pR'
 fi
 rm -f conf$$ conf$$.exe conf$$.dir/conf$$.file conf$$.file
 rmdir conf$$.dir 2>/dev/null
@@ -512,28 +552,8 @@ else
   as_mkdir_p=false
 fi
 
-if test -x / >/dev/null 2>&1; then
-  as_test_x='test -x'
-else
-  if ls -dL / >/dev/null 2>&1; then
-    as_ls_L_option=L
-  else
-    as_ls_L_option=
-  fi
-  as_test_x='
-    eval sh -c '\''
-      if test -d "$1"; then
-	test -d "$1/.";
-      else
-	case $1 in #(
-	-*)set "./$1";;
-	esac;
-	case `ls -ld'$as_ls_L_option' "$1" 2>/dev/null` in #((
-	???[sx]*):;;*)false;;esac;fi
-    '\'' sh
-  '
-fi
-as_executable_p=$as_test_x
+as_test_x='test -x'
+as_executable_p=as_fn_executable_p
 
 # Sed expression to map a string onto a valid CPP name.
 as_tr_cpp="eval sed 'y%*$as_cr_letters%P$as_cr_LETTERS%;s%[^_$as_cr_alnum]%_%g'"
@@ -567,8 +587,8 @@ MAKEFLAGS=
 # Identity of this package.
 PACKAGE_NAME='strongSwan'
 PACKAGE_TARNAME='strongswan'
-PACKAGE_VERSION='5.0.2'
-PACKAGE_STRING='strongSwan 5.0.2'
+PACKAGE_VERSION='5.0.3'
+PACKAGE_STRING='strongSwan 5.0.3'
 PACKAGE_BUGREPORT=''
 PACKAGE_URL=''
 
@@ -612,6 +632,10 @@ ac_subst_vars='am__EXEEXT_FALSE
 am__EXEEXT_TRUE
 LTLIBOBJS
 LIBOBJS
+USE_TKM_FALSE
+USE_TKM_TRUE
+UNITTESTS_FALSE
+UNITTESTS_TRUE
 MONOLITHIC_FALSE
 MONOLITHIC_TRUE
 USE_TROUSERS_FALSE
@@ -634,6 +658,8 @@ USE_IPSEC_SCRIPT_FALSE
 USE_IPSEC_SCRIPT_TRUE
 USE_FILE_CONFIG_FALSE
 USE_FILE_CONFIG_TRUE
+USE_LIBPTTLS_FALSE
+USE_LIBPTTLS_TRUE
 USE_LIBTNCCS_FALSE
 USE_LIBTNCCS_TRUE
 USE_LIBTNCIF_FALSE
@@ -736,6 +762,8 @@ USE_TNC_PDP_FALSE
 USE_TNC_PDP_TRUE
 USE_TNC_IFMAP_FALSE
 USE_TNC_IFMAP_TRUE
+USE_XAUTH_NOAUTH_FALSE
+USE_XAUTH_NOAUTH_TRUE
 USE_XAUTH_PAM_FALSE
 USE_XAUTH_PAM_TRUE
 USE_XAUTH_EAP_FALSE
@@ -786,6 +814,8 @@ USE_DUPLICHECK_FALSE
 USE_DUPLICHECK_TRUE
 USE_LED_FALSE
 USE_LED_TRUE
+USE_SYSTIME_FIX_FALSE
+USE_SYSTIME_FIX_TRUE
 USE_CERTEXPIRE_FALSE
 USE_CERTEXPIRE_TRUE
 USE_ERROR_NOTIFY_FALSE
@@ -804,6 +834,8 @@ USE_DHCP_FALSE
 USE_DHCP_TRUE
 USE_UPDOWN_FALSE
 USE_UPDOWN_TRUE
+USE_IPSECKEY_FALSE
+USE_IPSECKEY_TRUE
 USE_SQL_FALSE
 USE_SQL_TRUE
 USE_SMP_FALSE
@@ -812,8 +844,8 @@ USE_MAEMO_FALSE
 USE_MAEMO_TRUE
 USE_ANDROID_LOG_FALSE
 USE_ANDROID_LOG_TRUE
-USE_ANDROID_FALSE
-USE_ANDROID_TRUE
+USE_ANDROID_DNS_FALSE
+USE_ANDROID_DNS_TRUE
 USE_UCI_FALSE
 USE_UCI_TRUE
 USE_MEDCLI_FALSE
@@ -898,13 +930,14 @@ USE_LDAP_FALSE
 USE_LDAP_TRUE
 USE_SOUP_FALSE
 USE_SOUP_TRUE
+USE_UNBOUND_FALSE
+USE_UNBOUND_TRUE
 USE_CURL_FALSE
 USE_CURL_TRUE
 USE_TEST_VECTORS_FALSE
 USE_TEST_VECTORS_TRUE
 s_plugins
 h_plugins
-p_plugins
 c_plugins
 nm_plugins
 medsrv_plugins
@@ -917,6 +950,9 @@ attest_plugins
 pool_plugins
 starter_plugins
 charon_plugins
+CHECK_LIBS
+CHECK_CFLAGS
+GPRBUILD
 dev_headers
 USE_DEV_HEADERS_FALSE
 USE_DEV_HEADERS_TRUE
@@ -937,8 +973,6 @@ RUBYINCLUDE
 RUBY
 gtk_LIBS
 gtk_CFLAGS
-axis2c_LIBS
-axis2c_CFLAGS
 xml_LIBS
 xml_CFLAGS
 soup_LIBS
@@ -1116,6 +1150,7 @@ with_group
 with_charon_udp_port
 with_charon_natt_port
 enable_curl
+enable_unbound
 enable_soup
 enable_ldap
 enable_aes
@@ -1139,6 +1174,7 @@ enable_pkcs7
 enable_pkcs8
 enable_pgp
 enable_dnskey
+enable_ipseckey
 enable_pem
 enable_hmac
 enable_cmac
@@ -1177,6 +1213,7 @@ enable_eap_radius
 enable_xauth_generic
 enable_xauth_eap
 enable_xauth_pam
+enable_xauth_noauth
 enable_tnc_ifmap
 enable_tnc_pdp
 enable_tnc_imc
@@ -1228,7 +1265,7 @@ enable_gcm
 enable_addrblock
 enable_unity
 enable_uci
-enable_android
+enable_android_dns
 enable_android_log
 enable_maemo
 enable_nm
@@ -1237,6 +1274,7 @@ enable_whitelist
 enable_lookip
 enable_error_notify
 enable_certexpire
+enable_systime_fix
 enable_led
 enable_duplicheck
 enable_coupling
@@ -1244,6 +1282,9 @@ enable_radattr
 enable_vstr
 enable_monolithic
 enable_bfd_backtraces
+enable_unit_tests
+enable_tkm
+enable_defaults
 enable_dependency_tracking
 with_lib_prefix
 enable_shared
@@ -1272,8 +1313,6 @@ soup_CFLAGS
 soup_LIBS
 xml_CFLAGS
 xml_LIBS
-axis2c_CFLAGS
-axis2c_LIBS
 gtk_CFLAGS
 gtk_LIBS
 maemo_CFLAGS
@@ -1281,7 +1320,9 @@ maemo_LIBS
 pcsclite_CFLAGS
 pcsclite_LIBS
 nm_CFLAGS
-nm_LIBS'
+nm_LIBS
+CHECK_CFLAGS
+CHECK_LIBS'
 
 
 # Initialize some variables set by options.
@@ -1737,8 +1778,6 @@ target=$target_alias
 if test "x$host_alias" != x; then
   if test "x$build_alias" = x; then
     cross_compiling=maybe
-    $as_echo "$as_me: WARNING: if you wanted to set the --build type, don't use --host.
-    If a cross compiler is detected then cross compile mode will be used" >&2
   elif test "x$build_alias" != "x$host_alias"; then
     cross_compiling=yes
   fi
@@ -1824,7 +1863,7 @@ if test "$ac_init_help" = "long"; then
   # Omit some internal or obsolete options to make the list less imposing.
   # This message is too long to be a string in the A/UX 3.1 sh.
   cat <<_ACEOF
-\`configure' configures strongSwan 5.0.2 to adapt to many kinds of systems.
+\`configure' configures strongSwan 5.0.3 to adapt to many kinds of systems.
 
 Usage: $0 [OPTION]... [VAR=VALUE]...
 
@@ -1894,7 +1933,7 @@ fi
 
 if test -n "$ac_init_help"; then
   case $ac_init_help in
-     short | recursive ) echo "Configuration of strongSwan 5.0.2:";;
+     short | recursive ) echo "Configuration of strongSwan 5.0.3:";;
    esac
   cat <<\_ACEOF
 
@@ -1904,6 +1943,9 @@ Optional Features:
   --enable-FEATURE[=ARG]  include FEATURE [ARG=yes]
   --enable-curl           enable CURL fetcher plugin to fetch files via
                           libcurl. Requires libcurl.
+  --enable-unbound        enable UNBOUND resolver plugin to perform DNS
+                          queries via libunbound. Requires libldns and
+                          libunbound.
   --enable-soup           enable soup fetcher plugin to fetch from HTTP via
                           libsoup. Requires libsoup.
   --enable-ldap           enable LDAP fetching plugin to fetch files via
@@ -1931,6 +1973,7 @@ Optional Features:
   --disable-pkcs8         disable PKCS8 private key decoding plugin.
   --disable-pgp           disable PGP key decoding plugin.
   --disable-dnskey        disable DNS RR key decoding plugin.
+  --enable-ipseckey       enable IPSECKEY authentication plugin.
   --disable-pem           disable PEM decoding plugin.
   --disable-hmac          disable HMAC crypto implementation plugin.
   --disable-cmac          disable CMAC crypto implementation plugin.
@@ -1980,11 +2023,13 @@ Optional Features:
   --enable-xauth-eap      enable XAuth backend using EAP methods to verify
                           passwords.
   --enable-xauth-pam      enable XAuth backend using PAM to verify passwords.
-  --enable-tnc-ifmap      enable TNC IF-MAP module.
+  --enable-xauth-noauth   enable XAuth pseudo-backend that does not actually
+                          verify or even request any credentials.
+  --enable-tnc-ifmap      enable TNC IF-MAP module. Requires libxml
   --enable-tnc-pdp        enable TNC policy decision point module.
   --enable-tnc-imc        enable TNC IMC module.
   --enable-tnc-imv        enable TNC IMV module.
-  --enable-tnccs-11       enable TNCCS 1.1 protocol module.
+  --enable-tnccs-11       enable TNCCS 1.1 protocol module. Requires libxml
   --enable-tnccs-20       enable TNCCS 2.0 protocol module.
   --enable-tnccs-dynamic  enable dynamic TNCCS protocol discovery module.
   --enable-imc-test       enable IMC test module.
@@ -2042,7 +2087,7 @@ Optional Features:
   --enable-addrblock      enables RFC 3779 address block constraint support.
   --enable-unity          enables Cisco Unity extension plugin.
   --enable-uci            enable OpenWRT UCI configuration plugin.
-  --enable-android        enable Android specific plugin.
+  --enable-android-dns    enable Android specific DNS handler.
   --enable-android-log    enable Android specific logger plugin.
   --enable-maemo          enable Maemo specific plugin.
   --enable-nm             enable NetworkManager backend.
@@ -2053,6 +2098,8 @@ Optional Features:
   --enable-error-notify   enable error notification plugin.
   --enable-certexpire     enable CSV export of expiration dates of used
                           certificates.
+  --enable-systime-fix    enable plugin to handle cert lifetimes with invalid
+                          system time gracefully.
   --enable-led            enable plugin to control LEDs on IKEv2 activity
                           using the Linux kernel LED subsystem.
   --enable-duplicheck     advanced duplicate checking plugin using liveness
@@ -2068,6 +2115,10 @@ Optional Features:
                           of charon are assembled in libcharon.
   --enable-bfd-backtraces use binutils libbfd to resolve backtraces for memory
                           leaks and segfaults.
+  --enable-unit-tests     enable unit tests using the check test framework.
+  --enable-tkm            enable Trusted Key Manager support.
+  --disable-defaults      disable all default plugins (they can be enabled
+                          with their respective --enable options)
   --disable-dependency-tracking  speeds up one-time build
   --enable-dependency-tracking   do not reject slow dependency extractors
   --enable-shared[=PKGS]  build shared libraries [default=yes]
@@ -2168,9 +2219,6 @@ Some influential environment variables:
   soup_LIBS   linker flags for soup, overriding pkg-config
   xml_CFLAGS  C compiler flags for xml, overriding pkg-config
   xml_LIBS    linker flags for xml, overriding pkg-config
-  axis2c_CFLAGS
-              C compiler flags for axis2c, overriding pkg-config
-  axis2c_LIBS linker flags for axis2c, overriding pkg-config
   gtk_CFLAGS  C compiler flags for gtk, overriding pkg-config
   gtk_LIBS    linker flags for gtk, overriding pkg-config
   maemo_CFLAGS
@@ -2182,6 +2230,9 @@ Some influential environment variables:
               linker flags for pcsclite, overriding pkg-config
   nm_CFLAGS   C compiler flags for nm, overriding pkg-config
   nm_LIBS     linker flags for nm, overriding pkg-config
+  CHECK_CFLAGS
+              C compiler flags for CHECK, overriding pkg-config
+  CHECK_LIBS  linker flags for CHECK, overriding pkg-config
 
 Use these variables to override the choices made by `configure' or to help
 it to find libraries and programs with nonstandard names/locations.
@@ -2249,10 +2300,10 @@ fi
 test -n "$ac_init_help" && exit $ac_status
 if $ac_init_version; then
   cat <<\_ACEOF
-strongSwan configure 5.0.2
-generated by GNU Autoconf 2.68
+strongSwan configure 5.0.3
+generated by GNU Autoconf 2.69
 
-Copyright (C) 2010 Free Software Foundation, Inc.
+Copyright (C) 2012 Free Software Foundation, Inc.
 This configure script is free software; the Free Software Foundation
 gives unlimited permission to copy, distribute and modify it.
 _ACEOF
@@ -2438,7 +2489,7 @@ $as_echo "$ac_try_echo"; } >&5
 	 test ! -s conftest.err
        } && test -s conftest$ac_exeext && {
 	 test "$cross_compiling" = yes ||
-	 $as_test_x conftest$ac_exeext
+	 test -x conftest$ac_exeext
        }; then :
   ac_retval=0
 else
@@ -2771,8 +2822,8 @@ cat >config.log <<_ACEOF
 This file contains any messages produced by compilers while
 running configure, to aid debugging if configure makes a mistake.
 
-It was created by strongSwan $as_me 5.0.2, which was
-generated by GNU Autoconf 2.68.  Invocation command line was
+It was created by strongSwan $as_me 5.0.3, which was
+generated by GNU Autoconf 2.69.  Invocation command line was
 
   $ $0 $@
 
@@ -3187,7 +3238,7 @@ case $as_dir/ in #((
     # by default.
     for ac_prog in ginstall scoinst install; do
       for ac_exec_ext in '' $ac_executable_extensions; do
-	if { test -f "$as_dir/$ac_prog$ac_exec_ext" && $as_test_x "$as_dir/$ac_prog$ac_exec_ext"; }; then
+	if as_fn_executable_p "$as_dir/$ac_prog$ac_exec_ext"; then
 	  if test $ac_prog = install &&
 	    grep dspmsg "$as_dir/$ac_prog$ac_exec_ext" >/dev/null 2>&1; then
 	    # AIX install.  It has an incompatible calling convention.
@@ -3356,7 +3407,7 @@ do
   IFS=$as_save_IFS
   test -z "$as_dir" && as_dir=.
     for ac_exec_ext in '' $ac_executable_extensions; do
-  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
     ac_cv_prog_STRIP="${ac_tool_prefix}strip"
     $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
@@ -3396,7 +3447,7 @@ do
   IFS=$as_save_IFS
   test -z "$as_dir" && as_dir=.
     for ac_exec_ext in '' $ac_executable_extensions; do
-  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
     ac_cv_prog_ac_ct_STRIP="strip"
     $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
@@ -3447,7 +3498,7 @@ do
   test -z "$as_dir" && as_dir=.
     for ac_prog in mkdir gmkdir; do
 	 for ac_exec_ext in '' $ac_executable_extensions; do
-	   { test -f "$as_dir/$ac_prog$ac_exec_ext" && $as_test_x "$as_dir/$ac_prog$ac_exec_ext"; } || continue
+	   as_fn_executable_p "$as_dir/$ac_prog$ac_exec_ext" || continue
 	   case `"$as_dir/$ac_prog$ac_exec_ext" --version 2>&1` in #(
 	     'mkdir (GNU coreutils) '* | \
 	     'mkdir (coreutils) '* | \
@@ -3500,7 +3551,7 @@ do
   IFS=$as_save_IFS
   test -z "$as_dir" && as_dir=.
     for ac_exec_ext in '' $ac_executable_extensions; do
-  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
     ac_cv_prog_AWK="$ac_prog"
     $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
@@ -3586,7 +3637,7 @@ fi
 
 # Define the identity of the package.
  PACKAGE='strongswan'
- VERSION='5.0.2'
+ VERSION='5.0.3'
 
 
 cat >>confdefs.h <<_ACEOF
@@ -3740,7 +3791,7 @@ do
   IFS=$as_save_IFS
   test -z "$as_dir" && as_dir=.
     for ac_exec_ext in '' $ac_executable_extensions; do
-  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
     ac_cv_path_PKG_CONFIG="$as_dir/$ac_word$ac_exec_ext"
     $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
@@ -3783,7 +3834,7 @@ do
   IFS=$as_save_IFS
   test -z "$as_dir" && as_dir=.
     for ac_exec_ext in '' $ac_executable_extensions; do
-  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
     ac_cv_path_ac_pt_PKG_CONFIG="$as_dir/$ac_word$ac_exec_ext"
     $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
@@ -3834,6 +3885,9 @@ $as_echo "no" >&6; }
 	fi
 fi
 
+# =================================
+#  check --enable-xxx & --with-xxx
+# =================================
 
 
 # ARG_WITH_SUBST(option, default, help)
@@ -4170,6 +4224,7 @@ ipsec_script_upper=`echo -n "$ipsec_script" | tr a-z A-Z`
 # ARG_DISBL_SET(option, help)
 # ---------------------------
 # Create a --disable-$1 option with helptext, set a variable $1 to true/false
+# All $1 are collected in the variable $enabled_by_default
 
 
 
@@ -4188,6 +4243,21 @@ else
 fi
 
 
+# Check whether --enable-unbound was given.
+if test "${enable_unbound+set}" = set; then :
+  enableval=$enable_unbound; unbound_given=true
+		if test x$enableval = xyes; then
+			unbound=true
+		 else
+			unbound=false
+		fi
+else
+  unbound=false
+		unbound_given=false
+
+fi
+
+
 # Check whether --enable-soup was given.
 if test "${enable_soup+set}" = set; then :
   enableval=$enable_soup; soup_given=true
@@ -4232,6 +4302,7 @@ else
 
 fi
 
+	enabled_by_default=${enabled_by_default}" aes"
 
 # Check whether --enable-des was given.
 if test "${enable_des+set}" = set; then :
@@ -4247,6 +4318,7 @@ else
 
 fi
 
+	enabled_by_default=${enabled_by_default}" des"
 
 # Check whether --enable-blowfish was given.
 if test "${enable_blowfish+set}" = set; then :
@@ -4292,6 +4364,7 @@ else
 
 fi
 
+	enabled_by_default=${enabled_by_default}" md5"
 
 # Check whether --enable-sha1 was given.
 if test "${enable_sha1+set}" = set; then :
@@ -4307,6 +4380,7 @@ else
 
 fi
 
+	enabled_by_default=${enabled_by_default}" sha1"
 
 # Check whether --enable-sha2 was given.
 if test "${enable_sha2+set}" = set; then :
@@ -4322,6 +4396,7 @@ else
 
 fi
 
+	enabled_by_default=${enabled_by_default}" sha2"
 
 # Check whether --enable-fips-prf was given.
 if test "${enable_fips_prf+set}" = set; then :
@@ -4337,6 +4412,7 @@ else
 
 fi
 
+	enabled_by_default=${enabled_by_default}" fips_prf"
 
 # Check whether --enable-gmp was given.
 if test "${enable_gmp+set}" = set; then :
@@ -4352,6 +4428,7 @@ else
 
 fi
 
+	enabled_by_default=${enabled_by_default}" gmp"
 
 # Check whether --enable-rdrand was given.
 if test "${enable_rdrand+set}" = set; then :
@@ -4382,6 +4459,7 @@ else
 
 fi
 
+	enabled_by_default=${enabled_by_default}" random"
 
 # Check whether --enable-nonce was given.
 if test "${enable_nonce+set}" = set; then :
@@ -4397,6 +4475,7 @@ else
 
 fi
 
+	enabled_by_default=${enabled_by_default}" nonce"
 
 # Check whether --enable-x509 was given.
 if test "${enable_x509+set}" = set; then :
@@ -4412,6 +4491,7 @@ else
 
 fi
 
+	enabled_by_default=${enabled_by_default}" x509"
 
 # Check whether --enable-revocation was given.
 if test "${enable_revocation+set}" = set; then :
@@ -4427,6 +4507,7 @@ else
 
 fi
 
+	enabled_by_default=${enabled_by_default}" revocation"
 
 # Check whether --enable-constraints was given.
 if test "${enable_constraints+set}" = set; then :
@@ -4442,6 +4523,7 @@ else
 
 fi
 
+	enabled_by_default=${enabled_by_default}" constraints"
 
 # Check whether --enable-pubkey was given.
 if test "${enable_pubkey+set}" = set; then :
@@ -4457,6 +4539,7 @@ else
 
 fi
 
+	enabled_by_default=${enabled_by_default}" pubkey"
 
 # Check whether --enable-pkcs1 was given.
 if test "${enable_pkcs1+set}" = set; then :
@@ -4472,6 +4555,7 @@ else
 
 fi
 
+	enabled_by_default=${enabled_by_default}" pkcs1"
 
 # Check whether --enable-pkcs7 was given.
 if test "${enable_pkcs7+set}" = set; then :
@@ -4487,6 +4571,7 @@ else
 
 fi
 
+	enabled_by_default=${enabled_by_default}" pkcs7"
 
 # Check whether --enable-pkcs8 was given.
 if test "${enable_pkcs8+set}" = set; then :
@@ -4502,6 +4587,7 @@ else
 
 fi
 
+	enabled_by_default=${enabled_by_default}" pkcs8"
 
 # Check whether --enable-pgp was given.
 if test "${enable_pgp+set}" = set; then :
@@ -4517,6 +4603,7 @@ else
 
 fi
 
+	enabled_by_default=${enabled_by_default}" pgp"
 
 # Check whether --enable-dnskey was given.
 if test "${enable_dnskey+set}" = set; then :
@@ -4530,6 +4617,22 @@ else
   dnskey=true
 		dnskey_given=false
 
+fi
+
+	enabled_by_default=${enabled_by_default}" dnskey"
+
+# Check whether --enable-ipseckey was given.
+if test "${enable_ipseckey+set}" = set; then :
+  enableval=$enable_ipseckey; ipseckey_given=true
+		if test x$enableval = xyes; then
+			ipseckey=true
+		 else
+			ipseckey=false
+		fi
+else
+  ipseckey=false
+		ipseckey_given=false
+
 fi
 
 
@@ -4547,6 +4650,7 @@ else
 
 fi
 
+	enabled_by_default=${enabled_by_default}" pem"
 
 # Check whether --enable-hmac was given.
 if test "${enable_hmac+set}" = set; then :
@@ -4562,6 +4666,7 @@ else
 
 fi
 
+	enabled_by_default=${enabled_by_default}" hmac"
 
 # Check whether --enable-cmac was given.
 if test "${enable_cmac+set}" = set; then :
@@ -4577,6 +4682,7 @@ else
 
 fi
 
+	enabled_by_default=${enabled_by_default}" cmac"
 
 # Check whether --enable-xcbc was given.
 if test "${enable_xcbc+set}" = set; then :
@@ -4592,6 +4698,7 @@ else
 
 fi
 
+	enabled_by_default=${enabled_by_default}" xcbc"
 
 # Check whether --enable-af-alg was given.
 if test "${enable_af_alg+set}" = set; then :
@@ -4667,6 +4774,7 @@ else
 
 fi
 
+	enabled_by_default=${enabled_by_default}" stroke"
 
 # Check whether --enable-medsrv was given.
 if test "${enable_medsrv+set}" = set; then :
@@ -5072,6 +5180,7 @@ else
 
 fi
 
+	enabled_by_default=${enabled_by_default}" xauth_generic"
 
 # Check whether --enable-xauth-eap was given.
 if test "${enable_xauth_eap+set}" = set; then :
@@ -5103,6 +5212,21 @@ else
 fi
 
 
+# Check whether --enable-xauth-noauth was given.
+if test "${enable_xauth_noauth+set}" = set; then :
+  enableval=$enable_xauth_noauth; xauth_noauth_given=true
+		if test x$enableval = xyes; then
+			xauth_noauth=true
+		 else
+			xauth_noauth=false
+		fi
+else
+  xauth_noauth=false
+		xauth_noauth_given=false
+
+fi
+
+
 # Check whether --enable-tnc-ifmap was given.
 if test "${enable_tnc_ifmap+set}" = set; then :
   enableval=$enable_tnc_ifmap; tnc_ifmap_given=true
@@ -5342,6 +5466,7 @@ else
 
 fi
 
+	enabled_by_default=${enabled_by_default}" kernel_netlink"
 
 # Check whether --enable-kernel-pfkey was given.
 if test "${enable_kernel_pfkey+set}" = set; then :
@@ -5417,6 +5542,7 @@ else
 
 fi
 
+	enabled_by_default=${enabled_by_default}" socket_default"
 
 # Check whether --enable-socket-dynamic was given.
 if test "${enable_socket_dynamic+set}" = set; then :
@@ -5537,6 +5663,7 @@ else
 
 fi
 
+	enabled_by_default=${enabled_by_default}" load_warning"
 
 # Check whether --enable-ikev1 was given.
 if test "${enable_ikev1+set}" = set; then :
@@ -5552,6 +5679,7 @@ else
 
 fi
 
+	enabled_by_default=${enabled_by_default}" ikev1"
 
 # Check whether --enable-ikev2 was given.
 if test "${enable_ikev2+set}" = set; then :
@@ -5567,6 +5695,7 @@ else
 
 fi
 
+	enabled_by_default=${enabled_by_default}" ikev2"
 
 # Check whether --enable-charon was given.
 if test "${enable_charon+set}" = set; then :
@@ -5582,6 +5711,7 @@ else
 
 fi
 
+	enabled_by_default=${enabled_by_default}" charon"
 
 # Check whether --enable-tools was given.
 if test "${enable_tools+set}" = set; then :
@@ -5597,6 +5727,7 @@ else
 
 fi
 
+	enabled_by_default=${enabled_by_default}" tools"
 
 # Check whether --enable-scripts was given.
 if test "${enable_scripts+set}" = set; then :
@@ -5612,6 +5743,7 @@ else
 
 fi
 
+	enabled_by_default=${enabled_by_default}" scripts"
 
 # Check whether --enable-conftest was given.
 if test "${enable_conftest+set}" = set; then :
@@ -5642,6 +5774,7 @@ else
 
 fi
 
+	enabled_by_default=${enabled_by_default}" updown"
 
 # Check whether --enable-attr was given.
 if test "${enable_attr+set}" = set; then :
@@ -5657,6 +5790,7 @@ else
 
 fi
 
+	enabled_by_default=${enabled_by_default}" attr"
 
 # Check whether --enable-attr-sql was given.
 if test "${enable_attr_sql+set}" = set; then :
@@ -5702,6 +5836,7 @@ else
 
 fi
 
+	enabled_by_default=${enabled_by_default}" resolve"
 
 # Check whether --enable-padlock was given.
 if test "${enable_padlock+set}" = set; then :
@@ -5868,17 +6003,17 @@ else
 fi
 
 
-# Check whether --enable-android was given.
-if test "${enable_android+set}" = set; then :
-  enableval=$enable_android; android_given=true
+# Check whether --enable-android-dns was given.
+if test "${enable_android_dns+set}" = set; then :
+  enableval=$enable_android_dns; android_dns_given=true
 		if test x$enableval = xyes; then
-			android=true
+			android_dns=true
 		 else
-			android=false
+			android_dns=false
 		fi
 else
-  android=false
-		android_given=false
+  android_dns=false
+		android_dns_given=false
 
 fi
 
@@ -6003,6 +6138,21 @@ else
 fi
 
 
+# Check whether --enable-systime-fix was given.
+if test "${enable_systime_fix+set}" = set; then :
+  enableval=$enable_systime_fix; systime_fix_given=true
+		if test x$enableval = xyes; then
+			systime_fix=true
+		 else
+			systime_fix=false
+		fi
+else
+  systime_fix=false
+		systime_fix_given=false
+
+fi
+
+
 # Check whether --enable-led was given.
 if test "${enable_led+set}" = set; then :
   enableval=$enable_led; led_given=true
@@ -6108,7 +6258,68 @@ else
 fi
 
 
+# Check whether --enable-unit-tests was given.
+if test "${enable_unit_tests+set}" = set; then :
+  enableval=$enable_unit_tests; unit_tests_given=true
+		if test x$enableval = xyes; then
+			unit_tests=true
+		 else
+			unit_tests=false
+		fi
+else
+  unit_tests=false
+		unit_tests_given=false
+
+fi
+
+
+# Check whether --enable-tkm was given.
+if test "${enable_tkm+set}" = set; then :
+  enableval=$enable_tkm; tkm_given=true
+		if test x$enableval = xyes; then
+			tkm=true
+		 else
+			tkm=false
+		fi
+else
+  tkm=false
+		tkm_given=false
+
+fi
+
+
 
+# ===================================
+#  option to disable default options
+# ===================================
+
+# Check whether --enable-defaults was given.
+if test "${enable_defaults+set}" = set; then :
+  enableval=$enable_defaults; defaults_given=true
+		if test x$enableval = xyes; then
+			defaults=true
+		 else
+			defaults=false
+		fi
+else
+  defaults=true
+		defaults_given=false
+
+fi
+
+	enabled_by_default=${enabled_by_default}" defaults"
+
+
+if test x$defaults = xfalse; then
+	for option in $enabled_by_default; do
+		eval test x\${${option}_given} = xtrue && continue
+		let $option=false
+	done
+fi
+
+# ===========================
+#  set up compiler and flags
+# ===========================
 
 if test -z "$CFLAGS"; then
 	CFLAGS="-g -O2 -Wall -Wno-format -Wno-pointer-sign"
@@ -6135,7 +6346,7 @@ do
   IFS=$as_save_IFS
   test -z "$as_dir" && as_dir=.
     for ac_exec_ext in '' $ac_executable_extensions; do
-  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
     ac_cv_prog_CC="${ac_tool_prefix}gcc"
     $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
@@ -6175,7 +6386,7 @@ do
   IFS=$as_save_IFS
   test -z "$as_dir" && as_dir=.
     for ac_exec_ext in '' $ac_executable_extensions; do
-  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
     ac_cv_prog_ac_ct_CC="gcc"
     $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
@@ -6228,7 +6439,7 @@ do
   IFS=$as_save_IFS
   test -z "$as_dir" && as_dir=.
     for ac_exec_ext in '' $ac_executable_extensions; do
-  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
     ac_cv_prog_CC="${ac_tool_prefix}cc"
     $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
@@ -6269,7 +6480,7 @@ do
   IFS=$as_save_IFS
   test -z "$as_dir" && as_dir=.
     for ac_exec_ext in '' $ac_executable_extensions; do
-  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
     if test "$as_dir/$ac_word$ac_exec_ext" = "/usr/ucb/cc"; then
        ac_prog_rejected=yes
        continue
@@ -6327,7 +6538,7 @@ do
   IFS=$as_save_IFS
   test -z "$as_dir" && as_dir=.
     for ac_exec_ext in '' $ac_executable_extensions; do
-  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
     ac_cv_prog_CC="$ac_tool_prefix$ac_prog"
     $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
@@ -6371,7 +6582,7 @@ do
   IFS=$as_save_IFS
   test -z "$as_dir" && as_dir=.
     for ac_exec_ext in '' $ac_executable_extensions; do
-  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
     ac_cv_prog_ac_ct_CC="$ac_prog"
     $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
@@ -6817,8 +7028,7 @@ cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 /* end confdefs.h.  */
 #include <stdarg.h>
 #include <stdio.h>
-#include <sys/types.h>
-#include <sys/stat.h>
+struct stat;
 /* Most of the following tests are stolen from RCS 5.7's src/conf.sh.  */
 struct buf { int x; };
 FILE * (*rcsopen) (struct buf *, struct stat *, int);
@@ -7094,6 +7304,133 @@ else
 fi
 
 
+if test "x$CC" != xcc; then
+  { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether $CC and cc understand -c and -o together" >&5
+$as_echo_n "checking whether $CC and cc understand -c and -o together... " >&6; }
+else
+  { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether cc understands -c and -o together" >&5
+$as_echo_n "checking whether cc understands -c and -o together... " >&6; }
+fi
+set dummy $CC; ac_cc=`$as_echo "$2" |
+		      sed 's/[^a-zA-Z0-9_]/_/g;s/^[0-9]/_/'`
+if eval \${ac_cv_prog_cc_${ac_cc}_c_o+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+
+int
+main ()
+{
+
+  ;
+  return 0;
+}
+_ACEOF
+# Make sure it works both with $CC and with simple cc.
+# We do the test twice because some compilers refuse to overwrite an
+# existing .o file with -o, though they will create one.
+ac_try='$CC -c conftest.$ac_ext -o conftest2.$ac_objext >&5'
+rm -f conftest2.*
+if { { case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\""
+$as_echo "$ac_try_echo"; } >&5
+  (eval "$ac_try") 2>&5
+  ac_status=$?
+  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+  test $ac_status = 0; } &&
+   test -f conftest2.$ac_objext && { { case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\""
+$as_echo "$ac_try_echo"; } >&5
+  (eval "$ac_try") 2>&5
+  ac_status=$?
+  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+  test $ac_status = 0; };
+then
+  eval ac_cv_prog_cc_${ac_cc}_c_o=yes
+  if test "x$CC" != xcc; then
+    # Test first that cc exists at all.
+    if { ac_try='cc -c conftest.$ac_ext >&5'
+  { { case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\""
+$as_echo "$ac_try_echo"; } >&5
+  (eval "$ac_try") 2>&5
+  ac_status=$?
+  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+  test $ac_status = 0; }; }; then
+      ac_try='cc -c conftest.$ac_ext -o conftest2.$ac_objext >&5'
+      rm -f conftest2.*
+      if { { case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\""
+$as_echo "$ac_try_echo"; } >&5
+  (eval "$ac_try") 2>&5
+  ac_status=$?
+  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+  test $ac_status = 0; } &&
+	 test -f conftest2.$ac_objext && { { case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\""
+$as_echo "$ac_try_echo"; } >&5
+  (eval "$ac_try") 2>&5
+  ac_status=$?
+  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+  test $ac_status = 0; };
+      then
+	# cc works too.
+	:
+      else
+	# cc exists but doesn't like -o.
+	eval ac_cv_prog_cc_${ac_cc}_c_o=no
+      fi
+    fi
+  fi
+else
+  eval ac_cv_prog_cc_${ac_cc}_c_o=no
+fi
+rm -f core conftest*
+
+fi
+if eval test \$ac_cv_prog_cc_${ac_cc}_c_o = yes; then
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+$as_echo "yes" >&6; }
+else
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+
+$as_echo "#define NO_MINUS_C_MINUS_O 1" >>confdefs.h
+
+fi
+
+# FIXME: we rely on the cache variable name because
+# there is no other way.
+set dummy $CC
+am_cc=`echo $2 | sed 's/[^a-zA-Z0-9_]/_/g;s/^[0-9]/_/'`
+eval am_t=\$ac_cv_prog_cc_${am_cc}_c_o
+if test "$am_t" != yes; then
+   # Losing compiler, so override with the script.
+   # FIXME: It is wrong to rewrite CC.
+   # But if we don't then we get into trouble of one sort or another.
+   # A longer-term fix would be to have automake use am__CC in this case,
+   # and then we could set am__CC="\$(top_srcdir)/compile \$(CC)"
+   CC="$am_aux_dir/compile $CC"
+fi
+
+
+
 # Make sure we can run config.sub.
 $SHELL "$ac_aux_dir/config.sub" sun4 >/dev/null 2>&1 ||
   as_fn_error $? "cannot run $SHELL $ac_aux_dir/config.sub" "$LINENO" 5
@@ -7320,7 +7657,7 @@ do
     for ac_prog in grep ggrep; do
     for ac_exec_ext in '' $ac_executable_extensions; do
       ac_path_GREP="$as_dir/$ac_prog$ac_exec_ext"
-      { test -f "$ac_path_GREP" && $as_test_x "$ac_path_GREP"; } || continue
+      as_fn_executable_p "$ac_path_GREP" || continue
 # Check for GNU ac_path_GREP and select it if it is found.
   # Check for GNU $ac_path_GREP
 case `"$ac_path_GREP" --version 2>&1` in
@@ -7386,7 +7723,7 @@ do
     for ac_prog in egrep; do
     for ac_exec_ext in '' $ac_executable_extensions; do
       ac_path_EGREP="$as_dir/$ac_prog$ac_exec_ext"
-      { test -f "$ac_path_EGREP" && $as_test_x "$ac_path_EGREP"; } || continue
+      as_fn_executable_p "$ac_path_EGREP" || continue
 # Check for GNU ac_path_EGREP and select it if it is found.
   # Check for GNU $ac_path_EGREP
 case `"$ac_path_EGREP" --version 2>&1` in
@@ -7981,7 +8318,9 @@ $as_echo "#define AC_APPLE_UNIVERSAL_BUILD 1" >>confdefs.h
  esac
 
 
-
+# =========================
+#  check required programs
+# =========================
 
 case `pwd` in
   *\ * | *\	*)
@@ -8099,7 +8438,7 @@ do
     for ac_prog in sed gsed; do
     for ac_exec_ext in '' $ac_executable_extensions; do
       ac_path_SED="$as_dir/$ac_prog$ac_exec_ext"
-      { test -f "$ac_path_SED" && $as_test_x "$ac_path_SED"; } || continue
+      as_fn_executable_p "$ac_path_SED" || continue
 # Check for GNU ac_path_SED and select it if it is found.
   # Check for GNU $ac_path_SED
 case `"$ac_path_SED" --version 2>&1` in
@@ -8178,7 +8517,7 @@ do
     for ac_prog in fgrep; do
     for ac_exec_ext in '' $ac_executable_extensions; do
       ac_path_FGREP="$as_dir/$ac_prog$ac_exec_ext"
-      { test -f "$ac_path_FGREP" && $as_test_x "$ac_path_FGREP"; } || continue
+      as_fn_executable_p "$ac_path_FGREP" || continue
 # Check for GNU ac_path_FGREP and select it if it is found.
   # Check for GNU $ac_path_FGREP
 case `"$ac_path_FGREP" --version 2>&1` in
@@ -8434,7 +8773,7 @@ do
   IFS=$as_save_IFS
   test -z "$as_dir" && as_dir=.
     for ac_exec_ext in '' $ac_executable_extensions; do
-  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
     ac_cv_prog_DUMPBIN="$ac_tool_prefix$ac_prog"
     $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
@@ -8478,7 +8817,7 @@ do
   IFS=$as_save_IFS
   test -z "$as_dir" && as_dir=.
     for ac_exec_ext in '' $ac_executable_extensions; do
-  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
     ac_cv_prog_ac_ct_DUMPBIN="$ac_prog"
     $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
@@ -8902,7 +9241,7 @@ do
   IFS=$as_save_IFS
   test -z "$as_dir" && as_dir=.
     for ac_exec_ext in '' $ac_executable_extensions; do
-  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
     ac_cv_prog_OBJDUMP="${ac_tool_prefix}objdump"
     $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
@@ -8942,7 +9281,7 @@ do
   IFS=$as_save_IFS
   test -z "$as_dir" && as_dir=.
     for ac_exec_ext in '' $ac_executable_extensions; do
-  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
     ac_cv_prog_ac_ct_OBJDUMP="objdump"
     $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
@@ -9248,7 +9587,7 @@ do
   IFS=$as_save_IFS
   test -z "$as_dir" && as_dir=.
     for ac_exec_ext in '' $ac_executable_extensions; do
-  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
     ac_cv_prog_DLLTOOL="${ac_tool_prefix}dlltool"
     $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
@@ -9288,7 +9627,7 @@ do
   IFS=$as_save_IFS
   test -z "$as_dir" && as_dir=.
     for ac_exec_ext in '' $ac_executable_extensions; do
-  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
     ac_cv_prog_ac_ct_DLLTOOL="dlltool"
     $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
@@ -9391,7 +9730,7 @@ do
   IFS=$as_save_IFS
   test -z "$as_dir" && as_dir=.
     for ac_exec_ext in '' $ac_executable_extensions; do
-  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
     ac_cv_prog_AR="$ac_tool_prefix$ac_prog"
     $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
@@ -9435,7 +9774,7 @@ do
   IFS=$as_save_IFS
   test -z "$as_dir" && as_dir=.
     for ac_exec_ext in '' $ac_executable_extensions; do
-  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
     ac_cv_prog_ac_ct_AR="$ac_prog"
     $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
@@ -9560,7 +9899,7 @@ do
   IFS=$as_save_IFS
   test -z "$as_dir" && as_dir=.
     for ac_exec_ext in '' $ac_executable_extensions; do
-  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
     ac_cv_prog_STRIP="${ac_tool_prefix}strip"
     $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
@@ -9600,7 +9939,7 @@ do
   IFS=$as_save_IFS
   test -z "$as_dir" && as_dir=.
     for ac_exec_ext in '' $ac_executable_extensions; do
-  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
     ac_cv_prog_ac_ct_STRIP="strip"
     $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
@@ -9659,7 +9998,7 @@ do
   IFS=$as_save_IFS
   test -z "$as_dir" && as_dir=.
     for ac_exec_ext in '' $ac_executable_extensions; do
-  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
     ac_cv_prog_RANLIB="${ac_tool_prefix}ranlib"
     $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
@@ -9699,7 +10038,7 @@ do
   IFS=$as_save_IFS
   test -z "$as_dir" && as_dir=.
     for ac_exec_ext in '' $ac_executable_extensions; do
-  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
     ac_cv_prog_ac_ct_RANLIB="ranlib"
     $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
@@ -10348,7 +10687,7 @@ do
   IFS=$as_save_IFS
   test -z "$as_dir" && as_dir=.
     for ac_exec_ext in '' $ac_executable_extensions; do
-  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
     ac_cv_prog_MANIFEST_TOOL="${ac_tool_prefix}mt"
     $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
@@ -10388,7 +10727,7 @@ do
   IFS=$as_save_IFS
   test -z "$as_dir" && as_dir=.
     for ac_exec_ext in '' $ac_executable_extensions; do
-  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
     ac_cv_prog_ac_ct_MANIFEST_TOOL="mt"
     $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
@@ -10468,7 +10807,7 @@ do
   IFS=$as_save_IFS
   test -z "$as_dir" && as_dir=.
     for ac_exec_ext in '' $ac_executable_extensions; do
-  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
     ac_cv_prog_DSYMUTIL="${ac_tool_prefix}dsymutil"
     $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
@@ -10508,7 +10847,7 @@ do
   IFS=$as_save_IFS
   test -z "$as_dir" && as_dir=.
     for ac_exec_ext in '' $ac_executable_extensions; do
-  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
     ac_cv_prog_ac_ct_DSYMUTIL="dsymutil"
     $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
@@ -10560,7 +10899,7 @@ do
   IFS=$as_save_IFS
   test -z "$as_dir" && as_dir=.
     for ac_exec_ext in '' $ac_executable_extensions; do
-  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
     ac_cv_prog_NMEDIT="${ac_tool_prefix}nmedit"
     $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
@@ -10600,7 +10939,7 @@ do
   IFS=$as_save_IFS
   test -z "$as_dir" && as_dir=.
     for ac_exec_ext in '' $ac_executable_extensions; do
-  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
     ac_cv_prog_ac_ct_NMEDIT="nmedit"
     $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
@@ -10652,7 +10991,7 @@ do
   IFS=$as_save_IFS
   test -z "$as_dir" && as_dir=.
     for ac_exec_ext in '' $ac_executable_extensions; do
-  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
     ac_cv_prog_LIPO="${ac_tool_prefix}lipo"
     $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
@@ -10692,7 +11031,7 @@ do
   IFS=$as_save_IFS
   test -z "$as_dir" && as_dir=.
     for ac_exec_ext in '' $ac_executable_extensions; do
-  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
     ac_cv_prog_ac_ct_LIPO="lipo"
     $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
@@ -10744,7 +11083,7 @@ do
   IFS=$as_save_IFS
   test -z "$as_dir" && as_dir=.
     for ac_exec_ext in '' $ac_executable_extensions; do
-  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
     ac_cv_prog_OTOOL="${ac_tool_prefix}otool"
     $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
@@ -10784,7 +11123,7 @@ do
   IFS=$as_save_IFS
   test -z "$as_dir" && as_dir=.
     for ac_exec_ext in '' $ac_executable_extensions; do
-  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
     ac_cv_prog_ac_ct_OTOOL="otool"
     $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
@@ -10836,7 +11175,7 @@ do
   IFS=$as_save_IFS
   test -z "$as_dir" && as_dir=.
     for ac_exec_ext in '' $ac_executable_extensions; do
-  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
     ac_cv_prog_OTOOL64="${ac_tool_prefix}otool64"
     $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
@@ -10876,7 +11215,7 @@ do
   IFS=$as_save_IFS
   test -z "$as_dir" && as_dir=.
     for ac_exec_ext in '' $ac_executable_extensions; do
-  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
     ac_cv_prog_ac_ct_OTOOL64="otool64"
     $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
@@ -15112,6 +15451,7 @@ CC="$lt_save_CC"
 # Only expand once:
 
 
+
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for egrep" >&5
 $as_echo_n "checking for egrep... " >&6; }
 if ${ac_cv_path_EGREP+:} false; then :
@@ -15131,7 +15471,7 @@ do
     for ac_prog in egrep; do
     for ac_exec_ext in '' $ac_executable_extensions; do
       ac_path_EGREP="$as_dir/$ac_prog$ac_exec_ext"
-      { test -f "$ac_path_EGREP" && $as_test_x "$ac_path_EGREP"; } || continue
+      as_fn_executable_p "$ac_path_EGREP" || continue
 # Check for GNU ac_path_EGREP and select it if it is found.
   # Check for GNU $ac_path_EGREP
 case `"$ac_path_EGREP" --version 2>&1` in
@@ -15197,7 +15537,7 @@ do
   IFS=$as_save_IFS
   test -z "$as_dir" && as_dir=.
     for ac_exec_ext in '' $ac_executable_extensions; do
-  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
     ac_cv_prog_AWK="$ac_prog"
     $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
@@ -15239,7 +15579,7 @@ do
   IFS=$as_save_IFS
   test -z "$as_dir" && as_dir=.
     for ac_exec_ext in '' $ac_executable_extensions; do
-  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
     ac_cv_prog_LEX="$ac_prog"
     $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
@@ -15271,7 +15611,8 @@ a { ECHO; }
 b { REJECT; }
 c { yymore (); }
 d { yyless (1); }
-e { yyless (input () != 0); }
+e { /* IRIX 6.5 flex 2.5.4 underquotes its yyless argument.  */
+    yyless ((input () != 0)); }
 f { unput (yytext[0]); }
 . { BEGIN INITIAL; }
 %%
@@ -15397,7 +15738,7 @@ do
   IFS=$as_save_IFS
   test -z "$as_dir" && as_dir=.
     for ac_exec_ext in '' $ac_executable_extensions; do
-  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
     ac_cv_prog_YACC="$ac_prog"
     $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
@@ -15441,7 +15782,7 @@ do
   IFS=$as_save_IFS
   test -z "$as_dir" && as_dir=.
     for ac_exec_ext in '' $ac_executable_extensions; do
-  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
     ac_cv_path_PERL="$as_dir/$ac_word$ac_exec_ext"
     $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
@@ -15482,7 +15823,7 @@ do
   IFS=$as_save_IFS
   test -z "$as_dir" && as_dir=.
     for ac_exec_ext in '' $ac_executable_extensions; do
-  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
     ac_cv_path_GPERF="$as_dir/$ac_word$ac_exec_ext"
     $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
@@ -15505,6 +15846,7 @@ fi
 
 
 
+# because gperf is not needed by end-users we just report it but do not abort on failure
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking gperf version >= 3.0.0" >&5
 $as_echo_n "checking gperf version >= 3.0.0... " >&6; }
 if test -x "$GPERF"; then
@@ -15520,6 +15862,9 @@ else
 $as_echo "not found" >&6; }
 fi
 
+# ========================
+#  dependency calculation
+# ========================
 
 if test x$xauth_generic_given = xfalse -a x$ikev1 = xfalse; then
 	xauth_generic=false;
@@ -15565,14 +15910,10 @@ if test x$fips_prf = xtrue; then
 	fi
 fi
 
-if test x$smp = xtrue -o x$tnccs_11 = xtrue; then
+if test x$smp = xtrue -o x$tnccs_11 = xtrue -o x$tnc_ifmap = xtrue; then
 	xml=true
 fi
 
-if test x$tnc_ifmap = xtrue; then
-	axis2c=true
-fi
-
 if test x$manager = xtrue; then
 	fast=true
 fi
@@ -15586,6 +15927,9 @@ if test x$medcli = xtrue; then
 	mediation=true
 fi
 
+# ===========================================
+#  check required libraries and header files
+# ===========================================
 
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for stdbool.h that conforms to C99" >&5
 $as_echo_n "checking for stdbool.h that conforms to C99... " >&6; }
@@ -15595,60 +15939,60 @@ else
   cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 /* end confdefs.h.  */
 
-#include <stdbool.h>
-#ifndef bool
- "error: bool is not defined"
-#endif
-#ifndef false
- "error: false is not defined"
-#endif
-#if false
- "error: false is not 0"
-#endif
-#ifndef true
- "error: true is not defined"
-#endif
-#if true != 1
- "error: true is not 1"
-#endif
-#ifndef __bool_true_false_are_defined
- "error: __bool_true_false_are_defined is not defined"
-#endif
-
-	struct s { _Bool s: 1; _Bool t; } s;
-
-	char a[true == 1 ? 1 : -1];
-	char b[false == 0 ? 1 : -1];
-	char c[__bool_true_false_are_defined == 1 ? 1 : -1];
-	char d[(bool) 0.5 == true ? 1 : -1];
-	/* See body of main program for 'e'.  */
-	char f[(_Bool) 0.0 == false ? 1 : -1];
-	char g[true];
-	char h[sizeof (_Bool)];
-	char i[sizeof s.t];
-	enum { j = false, k = true, l = false * true, m = true * 256 };
-	/* The following fails for
-	   HP aC++/ANSI C B3910B A.05.55 [Dec 04 2003]. */
-	_Bool n[m];
-	char o[sizeof n == m * sizeof n[0] ? 1 : -1];
-	char p[-1 - (_Bool) 0 < 0 && -1 - (bool) 0 < 0 ? 1 : -1];
-	/* Catch a bug in an HP-UX C compiler.  See
-	   http://gcc.gnu.org/ml/gcc-patches/2003-12/msg02303.html
-	   http://lists.gnu.org/archive/html/bug-coreutils/2005-11/msg00161.html
-	 */
-	_Bool q = true;
-	_Bool *pq = &q;
+             #include <stdbool.h>
+             #ifndef bool
+              "error: bool is not defined"
+             #endif
+             #ifndef false
+              "error: false is not defined"
+             #endif
+             #if false
+              "error: false is not 0"
+             #endif
+             #ifndef true
+              "error: true is not defined"
+             #endif
+             #if true != 1
+              "error: true is not 1"
+             #endif
+             #ifndef __bool_true_false_are_defined
+              "error: __bool_true_false_are_defined is not defined"
+             #endif
+
+             struct s { _Bool s: 1; _Bool t; } s;
+
+             char a[true == 1 ? 1 : -1];
+             char b[false == 0 ? 1 : -1];
+             char c[__bool_true_false_are_defined == 1 ? 1 : -1];
+             char d[(bool) 0.5 == true ? 1 : -1];
+             /* See body of main program for 'e'.  */
+             char f[(_Bool) 0.0 == false ? 1 : -1];
+             char g[true];
+             char h[sizeof (_Bool)];
+             char i[sizeof s.t];
+             enum { j = false, k = true, l = false * true, m = true * 256 };
+             /* The following fails for
+                HP aC++/ANSI C B3910B A.05.55 [Dec 04 2003]. */
+             _Bool n[m];
+             char o[sizeof n == m * sizeof n[0] ? 1 : -1];
+             char p[-1 - (_Bool) 0 < 0 && -1 - (bool) 0 < 0 ? 1 : -1];
+             /* Catch a bug in an HP-UX C compiler.  See
+                http://gcc.gnu.org/ml/gcc-patches/2003-12/msg02303.html
+                http://lists.gnu.org/archive/html/bug-coreutils/2005-11/msg00161.html
+              */
+             _Bool q = true;
+             _Bool *pq = &q;
 
 int
 main ()
 {
 
-	bool e = &s;
-	*pq |= q;
-	*pq |= ! q;
-	/* Refer to every declared value, to avoid compiler optimizations.  */
-	return (!a + !b + !c + !d + !e + !f + !g + !h + !i + !!j + !k + !!l
-		+ !m + !n + !o + !p + !q + !pq);
+             bool e = &s;
+             *pq |= q;
+             *pq |= ! q;
+             /* Refer to every declared value, to avoid compiler optimizations.  */
+             return (!a + !b + !c + !d + !e + !f + !g + !h + !i + !!j + !k + !!l
+                     + !m + !n + !o + !p + !q + !pq);
 
   ;
   return 0;
@@ -15663,7 +16007,7 @@ rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
 fi
 { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_header_stdbool_h" >&5
 $as_echo "$ac_cv_header_stdbool_h" >&6; }
-ac_fn_c_check_type "$LINENO" "_Bool" "ac_cv_type__Bool" "$ac_includes_default"
+   ac_fn_c_check_type "$LINENO" "_Bool" "ac_cv_type__Bool" "$ac_includes_default"
 if test "x$ac_cv_type__Bool" = xyes; then :
 
 cat >>confdefs.h <<_ACEOF
@@ -15673,6 +16017,7 @@ _ACEOF
 
 fi
 
+
 if test $ac_cv_header_stdbool_h = yes; then
 
 $as_echo "#define HAVE_STDBOOL_H 1" >>confdefs.h
@@ -15841,23 +16186,20 @@ else
 /* end confdefs.h.  */
 $ac_includes_default
 int
-find_stack_direction ()
+find_stack_direction (int *addr, int depth)
 {
-  static char *addr = 0;
-  auto char dummy;
-  if (addr == 0)
-    {
-      addr = &dummy;
-      return find_stack_direction ();
-    }
-  else
-    return (&dummy > addr) ? 1 : -1;
+  int dir, dummy = 0;
+  if (! addr)
+    addr = &dummy;
+  *addr = addr < &dummy ? 1 : addr == &dummy ? 0 : -1;
+  dir = depth ? find_stack_direction (addr, depth - 1) : 0;
+  return dir + dummy;
 }
 
 int
-main ()
+main (int argc, char **argv)
 {
-  return find_stack_direction () < 0;
+  return find_stack_direction (0, argc + !argv + 20) < 0;
 }
 _ACEOF
 if ac_fn_c_try_run "$LINENO"; then :
@@ -15972,8 +16314,11 @@ $as_echo "#define STRERROR_R_CHAR_P 1" >>confdefs.h
 fi
 
 
+#  libraries needed on some platforms but not on others
+# ------------------------------------------------------
 saved_LIBS=$LIBS
 
+# FreeBSD and Mac OS X have dlopen integrated in libc, Linux needs libdl
 LIBS=""
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for library containing dlopen" >&5
 $as_echo_n "checking for library containing dlopen... " >&6; }
@@ -16033,6 +16378,7 @@ fi
 
 
 
+# glibc's backtrace() can be replicated on FreeBSD with libexecinfo
 LIBS=""
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for library containing backtrace" >&5
 $as_echo_n "checking for library containing backtrace... " >&6; }
@@ -16103,6 +16449,7 @@ done
 
 
 
+# OpenSolaris needs libsocket and libnsl for socket()
 LIBS=""
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for library containing socket" >&5
 $as_echo_n "checking for library containing socket... " >&6; }
@@ -16204,6 +16551,7 @@ fi
 
 
 
+# FreeBSD has clock_gettime in libc, Linux needs librt
 LIBS=""
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for library containing clock_gettime" >&5
 $as_echo_n "checking for library containing clock_gettime... " >&6; }
@@ -16274,6 +16622,7 @@ done
 
 
 
+# Android has pthread_* functions in bionic (libc), others need libpthread
 LIBS=""
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for library containing pthread_create" >&5
 $as_echo_n "checking for library containing pthread_create... " >&6; }
@@ -16334,18 +16683,19 @@ fi
 
 
 LIBS=$saved_LIBS
+# ------------------------------------------------------
 
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for dladdr" >&5
 $as_echo_n "checking for dladdr... " >&6; }
 cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 /* end confdefs.h.  */
 #define _GNU_SOURCE
-	 #include <dlfcn.h>
+		  #include <dlfcn.h>
 int
 main ()
 {
 Dl_info* info = 0;
-	 dladdr(0, info);
+		  dladdr(0, info);
   ;
   return 0;
 }
@@ -16362,12 +16712,14 @@ $as_echo "no" >&6; }
 fi
 rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
 
+# check if pthread_condattr_setclock(CLOCK_MONOTONE) is supported
 saved_LIBS=$LIBS
 LIBS=$PTHREADLIB
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for pthread_condattr_setclock(CLOCK_MONOTONE)" >&5
 $as_echo_n "checking for pthread_condattr_setclock(CLOCK_MONOTONE)... " >&6; }
 if test "$cross_compiling" = yes; then :
-  	{ $as_echo "$as_me:${as_lineno-$LINENO}: result: unknown" >&5
+  # Check existence of pthread_condattr_setclock if cross-compiling
+	{ $as_echo "$as_me:${as_lineno-$LINENO}: result: unknown" >&5
 $as_echo "unknown" >&6; };
 	 for ac_func in pthread_condattr_setclock
 do :
@@ -16388,9 +16740,9 @@ else
   cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 /* end confdefs.h.  */
 #include <pthread.h>
-	 int main() { pthread_condattr_t attr;
-		pthread_condattr_init(&attr);
-		return pthread_condattr_setclock(&attr, CLOCK_MONOTONIC);}
+		  int main() { pthread_condattr_t attr;
+			pthread_condattr_init(&attr);
+			return pthread_condattr_setclock(&attr, CLOCK_MONOTONIC);}
 _ACEOF
 if ac_fn_c_try_run "$LINENO"; then :
   { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
@@ -16406,6 +16758,7 @@ rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \
   conftest.$ac_objext conftest.beam conftest.$ac_ext
 fi
 
+# check if we actually are able to configure attributes on cond vars
 for ac_func in pthread_condattr_init
 do :
   ac_fn_c_check_func "$LINENO" "pthread_condattr_init" "ac_cv_func_pthread_condattr_init"
@@ -16417,6 +16770,7 @@ _ACEOF
 fi
 done
 
+# instead of pthread_condattr_setclock Android has this function
 for ac_func in pthread_cond_timedwait_monotonic
 do :
   ac_fn_c_check_func "$LINENO" "pthread_cond_timedwait_monotonic" "ac_cv_func_pthread_cond_timedwait_monotonic"
@@ -16428,6 +16782,7 @@ _ACEOF
 fi
 done
 
+# check if we can cancel threads
 for ac_func in pthread_cancel
 do :
   ac_fn_c_check_func "$LINENO" "pthread_cancel" "ac_cv_func_pthread_cancel"
@@ -16439,6 +16794,7 @@ _ACEOF
 fi
 done
 
+# check if native rwlocks are available
 for ac_func in pthread_rwlock_init
 do :
   ac_fn_c_check_func "$LINENO" "pthread_rwlock_init" "ac_cv_func_pthread_rwlock_init"
@@ -16450,6 +16806,7 @@ _ACEOF
 fi
 done
 
+# check if pthread spinlocks are available
 for ac_func in pthread_spin_init
 do :
   ac_fn_c_check_func "$LINENO" "pthread_spin_init" "ac_cv_func_pthread_spin_init"
@@ -16461,6 +16818,7 @@ _ACEOF
 fi
 done
 
+# check if we have POSIX semaphore functions, including timed-wait
 for ac_func in sem_timedwait
 do :
   ac_fn_c_check_func "$LINENO" "sem_timedwait" "ac_cv_func_sem_timedwait"
@@ -16485,13 +16843,13 @@ $as_echo_n "checking for SYS_gettid... " >&6; }
 	 cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 /* end confdefs.h.  */
 #define _GNU_SOURCE
-		 #include <unistd.h>
-		 #include <sys/syscall.h>
+			  #include <unistd.h>
+			  #include <sys/syscall.h>
 int
 main ()
 {
 int main() {
-			return syscall(SYS_gettid);}
+			  return syscall(SYS_gettid);}
   ;
   return 0;
 }
@@ -16515,7 +16873,7 @@ rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
 fi
 
 
-for ac_func in prctl mallinfo getpass closefrom getpwnam_r getgrnam_r
+for ac_func in prctl mallinfo getpass closefrom getpwnam_r getgrnam_r getpwuid_r
 do :
   as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh`
 ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var"
@@ -16556,7 +16914,11 @@ done
 
 for ac_header in netinet/ip6.h
 do :
-  ac_fn_c_check_header_mongrel "$LINENO" "netinet/ip6.h" "ac_cv_header_netinet_ip6_h" "$ac_includes_default"
+  ac_fn_c_check_header_compile "$LINENO" "netinet/ip6.h" "ac_cv_header_netinet_ip6_h" "
+	#include <sys/types.h>
+	#include <netinet/in.h>
+
+"
 if test "x$ac_cv_header_netinet_ip6_h" = xyes; then :
   cat >>confdefs.h <<_ACEOF
 #define HAVE_NETINET_IP6_H 1
@@ -16607,13 +16969,13 @@ $as_echo_n "checking for in6addr_any... " >&6; }
 cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 /* end confdefs.h.  */
 #include <sys/types.h>
-	#include <sys/socket.h>
-	#include <netinet/in.h>
+		  #include <sys/socket.h>
+		  #include <netinet/in.h>
 int
 main ()
 {
 struct in6_addr in6;
-	in6 = in6addr_any;
+		  in6 = in6addr_any;
   ;
   return 0;
 }
@@ -16636,17 +16998,17 @@ $as_echo_n "checking for in6_pktinfo... " >&6; }
 cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 /* end confdefs.h.  */
 #define _GNU_SOURCE
-	#include <sys/types.h>
-	#include <sys/socket.h>
-	#include <netinet/in.h>
+		  #include <sys/types.h>
+		  #include <sys/socket.h>
+		  #include <netinet/in.h>
 int
 main ()
 {
 struct in6_pktinfo pi;
-	if (pi.ipi6_ifindex)
-	{
-		return 0;
-	}
+		  if (pi.ipi6_ifindex)
+		  {
+		    return 0;
+		  }
   ;
   return 0;
 }
@@ -16669,19 +17031,19 @@ $as_echo_n "checking for IPSEC_MODE_BEET... " >&6; }
 cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 /* end confdefs.h.  */
 #include <sys/types.h>
-	#ifdef HAVE_NETIPSEC_IPSEC_H
-	#include <netipsec/ipsec.h>
-	#elif defined(HAVE_NETINET6_IPSEC_H)
-	#include <netinet6/ipsec.h>
-	#else
-	#include <stdint.h>
-	#include <linux/ipsec.h>
-	#endif
+		  #ifdef HAVE_NETIPSEC_IPSEC_H
+		  #include <netipsec/ipsec.h>
+		  #elif defined(HAVE_NETINET6_IPSEC_H)
+		  #include <netinet6/ipsec.h>
+		  #else
+		  #include <stdint.h>
+		  #include <linux/ipsec.h>
+		  #endif
 int
 main ()
 {
 int mode = IPSEC_MODE_BEET;
-	 return mode;
+		  return mode;
   ;
   return 0;
 }
@@ -16704,19 +17066,19 @@ $as_echo_n "checking for IPSEC_DIR_FWD... " >&6; }
 cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 /* end confdefs.h.  */
 #include <sys/types.h>
-	#ifdef HAVE_NETIPSEC_IPSEC_H
-	#include <netipsec/ipsec.h>
-	#elif defined(HAVE_NETINET6_IPSEC_H)
-	#include <netinet6/ipsec.h>
-	#else
-	#include <stdint.h>
-	#include <linux/ipsec.h>
-	#endif
+		  #ifdef HAVE_NETIPSEC_IPSEC_H
+		  #include <netipsec/ipsec.h>
+		  #elif defined(HAVE_NETINET6_IPSEC_H)
+		  #include <netinet6/ipsec.h>
+		  #else
+		  #include <stdint.h>
+		  #include <linux/ipsec.h>
+		  #endif
 int
 main ()
 {
 int dir = IPSEC_DIR_FWD;
-	 return dir;
+		  return dir;
   ;
   return 0;
 }
@@ -16739,13 +17101,13 @@ $as_echo_n "checking for RTA_TABLE... " >&6; }
 cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 /* end confdefs.h.  */
 #include <sys/socket.h>
-	#include <linux/netlink.h>
-	#include <linux/rtnetlink.h>
+		  #include <linux/netlink.h>
+		  #include <linux/rtnetlink.h>
 int
 main ()
 {
 int rta_type = RTA_TABLE;
-	 return rta_type;
+		  return rta_type;
   ;
   return 0;
 }
@@ -16768,18 +17130,19 @@ $as_echo_n "checking for gcc atomic operations... " >&6; }
 if test "$cross_compiling" = yes; then :
   { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
 $as_echo "no" >&6; }
+
 else
   cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 /* end confdefs.h.  */
 
-	int main() {
-		volatile int ref = 1;
-		__sync_fetch_and_add (&ref, 1);
-		__sync_sub_and_fetch (&ref, 1);
-		/* Make sure test fails if operations are not supported */
-		__sync_val_compare_and_swap(&ref, 1, 0);
-		return ref;
-	}
+			int main() {
+			volatile int ref = 1;
+			__sync_fetch_and_add (&ref, 1);
+			__sync_sub_and_fetch (&ref, 1);
+			/* Make sure test fails if operations are not supported */
+			__sync_val_compare_and_swap(&ref, 1, 0);
+			return ref;
+		}
 
 _ACEOF
 if ac_fn_c_try_run "$LINENO"; then :
@@ -16797,6 +17160,8 @@ rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \
 fi
 
 
+# check for the new register_printf_specifier function with len argument,
+# or the deprecated register_printf_function without
 ac_fn_c_check_func "$LINENO" "register_printf_specifier" "ac_cv_func_register_printf_specifier"
 if test "x$ac_cv_func_register_printf_specifier" = xyes; then :
 
@@ -16857,7 +17222,6 @@ if test "x$ac_cv_lib_vstr_main" = xyes; then :
 else
   as_fn_error $? "Vstr string library not found" "$LINENO" 5
 fi
-ac_cv_lib_vstr=ac_cv_lib_vstr_main
 
 
 $as_echo "#define USE_VSTR /**/" >>confdefs.h
@@ -16906,7 +17270,6 @@ _ACEOF
 else
   as_fn_error $? "GNU Multi Precision library gmp not found" "$LINENO" 5
 fi
-ac_cv_lib_gmp=ac_cv_lib_gmp_main
 
 	{ $as_echo "$as_me:${as_lineno-$LINENO}: checking mpz_powm_sec" >&5
 $as_echo_n "checking mpz_powm_sec... " >&6; }
@@ -16917,9 +17280,7 @@ $as_echo_n "checking mpz_powm_sec... " >&6; }
 int
 main ()
 {
-
-				void *x = mpz_powm_sec;
-
+void *x = mpz_powm_sec;
   ;
   return 0;
 }
@@ -16950,10 +17311,9 @@ int
 main ()
 {
 
-			#if (__GNU_MP_VERSION*100 +  __GNU_MP_VERSION_MINOR*10 + __GNU_MP_VERSION_PATCHLEVEL) < 414
-				#error bad gmp
-			#endif
-
+				#if (__GNU_MP_VERSION*100 +  __GNU_MP_VERSION_MINOR*10 + __GNU_MP_VERSION_PATCHLEVEL) < 414
+					#error bad gmp
+				#endif
   ;
   return 0;
 }
@@ -17005,7 +17365,6 @@ if test "x$ac_cv_lib_ldap_main" = xyes; then :
 else
   as_fn_error $? "LDAP library ldap not found" "$LINENO" 5
 fi
-ac_cv_lib_ldap=ac_cv_lib_ldap_main
 
 	{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for main in -llber" >&5
 $as_echo_n "checking for main in -llber... " >&6; }
@@ -17042,7 +17401,6 @@ if test "x$ac_cv_lib_lber_main" = xyes; then :
 else
   as_fn_error $? "LDAP library lber not found" "$LINENO" 5
 fi
-ac_cv_lib_lber=ac_cv_lib_lber_main
 
 	ac_fn_c_check_header_mongrel "$LINENO" "ldap.h" "ac_cv_header_ldap_h" "$ac_includes_default"
 if test "x$ac_cv_header_ldap_h" = xyes; then :
@@ -17090,7 +17448,6 @@ if test "x$ac_cv_lib_curl_main" = xyes; then :
 else
   as_fn_error $? "CURL library curl not found" "$LINENO" 5
 fi
-ac_cv_lib_curl=ac_cv_lib_curl_main
 
 	ac_fn_c_check_header_mongrel "$LINENO" "curl/curl.h" "ac_cv_header_curl_curl_h" "$ac_includes_default"
 if test "x$ac_cv_header_curl_curl_h" = xyes; then :
@@ -17100,6 +17457,99 @@ else
 fi
 
 
+fi
+
+if test x$unbound = xtrue; then
+	{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for main in -lldns" >&5
+$as_echo_n "checking for main in -lldns... " >&6; }
+if ${ac_cv_lib_ldns_main+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  ac_check_lib_save_LIBS=$LIBS
+LIBS="-lldns  $LIBS"
+cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+
+
+int
+main ()
+{
+return main ();
+  ;
+  return 0;
+}
+_ACEOF
+if ac_fn_c_try_link "$LINENO"; then :
+  ac_cv_lib_ldns_main=yes
+else
+  ac_cv_lib_ldns_main=no
+fi
+rm -f core conftest.err conftest.$ac_objext \
+    conftest$ac_exeext conftest.$ac_ext
+LIBS=$ac_check_lib_save_LIBS
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_ldns_main" >&5
+$as_echo "$ac_cv_lib_ldns_main" >&6; }
+if test "x$ac_cv_lib_ldns_main" = xyes; then :
+  LIBS="$LIBS"
+else
+  as_fn_error $? "UNBOUND library ldns not found" "$LINENO" 5
+fi
+ac_cv_lib_ldns=ac_cv_lib_ldns_main
+
+	ac_fn_c_check_header_mongrel "$LINENO" "ldns/ldns.h" "ac_cv_header_ldns_ldns_h" "$ac_includes_default"
+if test "x$ac_cv_header_ldns_ldns_h" = xyes; then :
+
+else
+  as_fn_error $? "UNBOUND header ldns/ldns.h not found!" "$LINENO" 5
+fi
+
+
+	{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for main in -lunbound" >&5
+$as_echo_n "checking for main in -lunbound... " >&6; }
+if ${ac_cv_lib_unbound_main+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  ac_check_lib_save_LIBS=$LIBS
+LIBS="-lunbound  $LIBS"
+cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+
+
+int
+main ()
+{
+return main ();
+  ;
+  return 0;
+}
+_ACEOF
+if ac_fn_c_try_link "$LINENO"; then :
+  ac_cv_lib_unbound_main=yes
+else
+  ac_cv_lib_unbound_main=no
+fi
+rm -f core conftest.err conftest.$ac_objext \
+    conftest$ac_exeext conftest.$ac_ext
+LIBS=$ac_check_lib_save_LIBS
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_unbound_main" >&5
+$as_echo "$ac_cv_lib_unbound_main" >&6; }
+if test "x$ac_cv_lib_unbound_main" = xyes; then :
+  LIBS="$LIBS"
+else
+  as_fn_error $? "UNBOUND library libunbound not found" "$LINENO" 5
+fi
+ac_cv_lib_unbound=ac_cv_lib_unbound_main
+
+	ac_fn_c_check_header_mongrel "$LINENO" "unbound.h" "ac_cv_header_unbound_h" "$ac_includes_default"
+if test "x$ac_cv_header_unbound_h" = xyes; then :
+
+else
+  as_fn_error $? "UNBOUND header unbound.h not found!" "$LINENO" 5
+fi
+
+
 fi
 
 if test x$soup = xtrue; then
@@ -17292,102 +17742,6 @@ $as_echo "yes" >&6; }
 fi
 
 
-fi
-
-if test x$axis2c = xtrue; then
-
-pkg_failed=no
-{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for axis2c" >&5
-$as_echo_n "checking for axis2c... " >&6; }
-
-if test -n "$axis2c_CFLAGS"; then
-    pkg_cv_axis2c_CFLAGS="$axis2c_CFLAGS"
- elif test -n "$PKG_CONFIG"; then
-    if test -n "$PKG_CONFIG" && \
-    { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"axis2c\""; } >&5
-  ($PKG_CONFIG --exists --print-errors "axis2c") 2>&5
-  ac_status=$?
-  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
-  test $ac_status = 0; }; then
-  pkg_cv_axis2c_CFLAGS=`$PKG_CONFIG --cflags "axis2c" 2>/dev/null`
-		      test "x$?" != "x0" && pkg_failed=yes
-else
-  pkg_failed=yes
-fi
- else
-    pkg_failed=untried
-fi
-if test -n "$axis2c_LIBS"; then
-    pkg_cv_axis2c_LIBS="$axis2c_LIBS"
- elif test -n "$PKG_CONFIG"; then
-    if test -n "$PKG_CONFIG" && \
-    { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"axis2c\""; } >&5
-  ($PKG_CONFIG --exists --print-errors "axis2c") 2>&5
-  ac_status=$?
-  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
-  test $ac_status = 0; }; then
-  pkg_cv_axis2c_LIBS=`$PKG_CONFIG --libs "axis2c" 2>/dev/null`
-		      test "x$?" != "x0" && pkg_failed=yes
-else
-  pkg_failed=yes
-fi
- else
-    pkg_failed=untried
-fi
-
-
-
-if test $pkg_failed = yes; then
-   	{ $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
-$as_echo "no" >&6; }
-
-if $PKG_CONFIG --atleast-pkgconfig-version 0.20; then
-        _pkg_short_errors_supported=yes
-else
-        _pkg_short_errors_supported=no
-fi
-        if test $_pkg_short_errors_supported = yes; then
-	        axis2c_PKG_ERRORS=`$PKG_CONFIG --short-errors --print-errors --cflags --libs "axis2c" 2>&1`
-        else
-	        axis2c_PKG_ERRORS=`$PKG_CONFIG --print-errors --cflags --libs "axis2c" 2>&1`
-        fi
-	# Put the nasty error message in config.log where it belongs
-	echo "$axis2c_PKG_ERRORS" >&5
-
-	as_fn_error $? "Package requirements (axis2c) were not met:
-
-$axis2c_PKG_ERRORS
-
-Consider adjusting the PKG_CONFIG_PATH environment variable if you
-installed software in a non-standard prefix.
-
-Alternatively, you may set the environment variables axis2c_CFLAGS
-and axis2c_LIBS to avoid the need to call pkg-config.
-See the pkg-config man page for more details." "$LINENO" 5
-elif test $pkg_failed = untried; then
-     	{ $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
-$as_echo "no" >&6; }
-	{ { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
-$as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
-as_fn_error $? "The pkg-config script could not be found or is too old.  Make sure it
-is in your PATH or set the PKG_CONFIG environment variable to the full
-path to pkg-config.
-
-Alternatively, you may set the environment variables axis2c_CFLAGS
-and axis2c_LIBS to avoid the need to call pkg-config.
-See the pkg-config man page for more details.
-
-To get pkg-config, see <http://pkg-config.freedesktop.org/>.
-See \`config.log' for more details" "$LINENO" 5; }
-else
-	axis2c_CFLAGS=$pkg_cv_axis2c_CFLAGS
-	axis2c_LIBS=$pkg_cv_axis2c_LIBS
-        { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
-$as_echo "yes" >&6; }
-
-fi
-
-
 fi
 
 if test x$tss = xtrousers; then
@@ -17426,7 +17780,6 @@ if test "x$ac_cv_lib_tspi_main" = xyes; then :
 else
   as_fn_error $? "TrouSerS library libtspi not found" "$LINENO" 5
 fi
-ac_cv_lib_tspi=ac_cv_lib_tspi_main
 
 	ac_fn_c_check_header_mongrel "$LINENO" "trousers/tss.h" "ac_cv_header_trousers_tss_h" "$ac_includes_default"
 if test "x$ac_cv_header_trousers_tss_h" = xyes; then :
@@ -17553,7 +17906,7 @@ do
   IFS=$as_save_IFS
   test -z "$as_dir" && as_dir=.
     for ac_exec_ext in '' $ac_executable_extensions; do
-  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
     ac_cv_prog_RUBY="$ac_prog"
     $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
@@ -17685,7 +18038,6 @@ if test "x$ac_cv_lib_neo_cgi_main" = xyes; then :
 else
   as_fn_error $? "ClearSilver library neo_cgi not found!" "$LINENO" 5
 fi
-ac_cv_lib_neo_cgi=ac_cv_lib_neo_cgi_main
 
 	{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for main in -lneo_utl" >&5
 $as_echo_n "checking for main in -lneo_utl... " >&6; }
@@ -17722,7 +18074,6 @@ if test "x$ac_cv_lib_neo_utl_main" = xyes; then :
 else
   as_fn_error $? "ClearSilver library neo_utl not found!" "$LINENO" 5
 fi
-ac_cv_lib_neo_utl=ac_cv_lib_neo_utl_main
 
 	{ $as_echo "$as_me:${as_lineno-$LINENO}: checking ClearSilver requires zlib" >&5
 $as_echo_n "checking ClearSilver requires zlib... " >&6; }
@@ -17736,9 +18087,7 @@ $as_echo_n "checking ClearSilver requires zlib... " >&6; }
 int
 main ()
 {
-
-			NEOERR *err = cgi_display(NULL, NULL);
-
+NEOERR *err = cgi_display(NULL, NULL);
   ;
   return 0;
 }
@@ -17756,6 +18105,8 @@ rm -f core conftest.err conftest.$ac_objext \
 
 	LIBS=$saved_LIBS
 	CFLAGS=$saved_CFLAGS
+# autoconf does not like CamelCase!? How to fix this?
+#	AC_CHECK_HEADER([ClearSilver/ClearSilver.h],,[AC_MSG_ERROR([ClearSilver header file ClearSilver/ClearSilver.h not found!])])
 
 	{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for main in -lfcgi" >&5
 $as_echo_n "checking for main in -lfcgi... " >&6; }
@@ -17792,7 +18143,6 @@ if test "x$ac_cv_lib_fcgi_main" = xyes; then :
 else
   as_fn_error $? "FastCGI library fcgi not found!" "$LINENO" 5
 fi
-ac_cv_lib_fcgi=ac_cv_lib_fcgi_main
 
 	ac_fn_c_check_header_mongrel "$LINENO" "fcgiapp.h" "ac_cv_header_fcgiapp_h" "$ac_includes_default"
 if test "x$ac_cv_header_fcgiapp_h" = xyes; then :
@@ -17824,7 +18174,7 @@ do
   IFS=$as_save_IFS
   test -z "$as_dir" && as_dir=.
     for ac_exec_ext in '' $ac_executable_extensions; do
-  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
     ac_cv_path_MYSQLCONFIG="$as_dir/$ac_word$ac_exec_ext"
     $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
@@ -17891,7 +18241,6 @@ if test "x$ac_cv_lib_sqlite3_main" = xyes; then :
 else
   as_fn_error $? "SQLite library sqlite3 not found" "$LINENO" 5
 fi
-ac_cv_lib_sqlite3=ac_cv_lib_sqlite3_main
 
 	ac_fn_c_check_header_mongrel "$LINENO" "sqlite3.h" "ac_cv_header_sqlite3_h" "$ac_includes_default"
 if test "x$ac_cv_header_sqlite3_h" = xyes; then :
@@ -17909,9 +18258,7 @@ $as_echo_n "checking sqlite3_prepare_v2... " >&6; }
 int
 main ()
 {
-
-			void *test = sqlite3_prepare_v2;
-
+void *test = sqlite3_prepare_v2;
   ;
   return 0;
 }
@@ -17925,6 +18272,7 @@ $as_echo "#define HAVE_SQLITE3_PREPARE_V2 /**/" >>confdefs.h
 else
   { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
 $as_echo "no" >&6; }
+
 fi
 rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
 	{ $as_echo "$as_me:${as_lineno-$LINENO}: checking sqlite3.h version >= 3.3.1" >&5
@@ -17936,10 +18284,9 @@ int
 main ()
 {
 
-			#if SQLITE_VERSION_NUMBER < 3003001
-				#error bad sqlite
-			#endif
-
+				#if SQLITE_VERSION_NUMBER < 3003001
+					#error bad sqlite
+				#endif
   ;
   return 0;
 }
@@ -17950,6 +18297,7 @@ $as_echo "yes" >&6; }
 else
   { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
 $as_echo "no" >&6; }; as_fn_error $? "SQLite version >= 3.3.1 required!" "$LINENO" 5
+
 fi
 rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
 fi
@@ -17990,7 +18338,6 @@ if test "x$ac_cv_lib_crypto_main" = xyes; then :
 else
   as_fn_error $? "OpenSSL crypto library not found" "$LINENO" 5
 fi
-ac_cv_lib_crypto=ac_cv_lib_crypto_main
 
 	ac_fn_c_check_header_mongrel "$LINENO" "openssl/evp.h" "ac_cv_header_openssl_evp_h" "$ac_includes_default"
 if test "x$ac_cv_header_openssl_evp_h" = xyes; then :
@@ -18038,7 +18385,6 @@ if test "x$ac_cv_lib_gcrypt_main" = xyes; then :
 else
   as_fn_error $? "gcrypt library not found" "$LINENO" 5
 fi
-ac_cv_lib_gcrypt=ac_cv_lib_gcrypt_main
 
 	ac_fn_c_check_header_mongrel "$LINENO" "gcrypt.h" "ac_cv_header_gcrypt_h" "$ac_includes_default"
 if test "x$ac_cv_header_gcrypt_h" = xyes; then :
@@ -18111,7 +18457,6 @@ if test "x$ac_cv_lib_uci_main" = xyes; then :
 else
   as_fn_error $? "UCI library libuci not found" "$LINENO" 5
 fi
-ac_cv_lib_uci=ac_cv_lib_uci_main
 
 	ac_fn_c_check_header_mongrel "$LINENO" "uci.h" "ac_cv_header_uci_h" "$ac_includes_default"
 if test "x$ac_cv_header_uci_h" = xyes; then :
@@ -18123,7 +18468,7 @@ fi
 
 fi
 
-if test x$android = xtrue; then
+if test x$android_dns = xtrue; then
 	{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for main in -lcutils" >&5
 $as_echo_n "checking for main in -lcutils... " >&6; }
 if ${ac_cv_lib_cutils_main+:} false; then :
@@ -18159,7 +18504,6 @@ if test "x$ac_cv_lib_cutils_main" = xyes; then :
 else
   as_fn_error $? "Android library libcutils not found" "$LINENO" 5
 fi
-ac_cv_lib_cutils=ac_cv_lib_cutils_main
 
 	ac_fn_c_check_header_mongrel "$LINENO" "cutils/properties.h" "ac_cv_header_cutils_properties_h" "$ac_includes_default"
 if test "x$ac_cv_header_cutils_properties_h" = xyes; then :
@@ -18169,7 +18513,9 @@ else
 fi
 
 
-			DLLIB="-ldl"
+	# we have to force the use of libdl here because the autodetection
+	# above does not work correctly when cross-compiling for android.
+	DLLIB="-ldl"
 
 fi
 
@@ -18599,7 +18945,6 @@ if test "x$ac_cv_lib_pam_main" = xyes; then :
 else
   as_fn_error $? "PAM library not found" "$LINENO" 5
 fi
-ac_cv_lib_pam=ac_cv_lib_pam_main
 
 	ac_fn_c_check_header_mongrel "$LINENO" "security/pam_appl.h" "ac_cv_header_security_pam_appl_h" "$ac_includes_default"
 if test "x$ac_cv_header_security_pam_appl_h" = xyes; then :
@@ -18614,7 +18959,9 @@ fi
 if test x$capabilities = xnative; then
 	{ $as_echo "$as_me:${as_lineno-$LINENO}: Usage of the native Linux capabilities interface is deprecated, use libcap instead" >&5
 $as_echo "$as_me: Usage of the native Linux capabilities interface is deprecated, use libcap instead" >&6;}
-			for ac_header in sys/capability.h
+	# Linux requires the following for capset(), Android does not have it,
+	# but defines capset() in unistd.h instead.
+	for ac_header in sys/capability.h
 do :
   ac_fn_c_check_header_mongrel "$LINENO" "sys/capability.h" "ac_cv_header_sys_capability_h" "$ac_includes_default"
 if test "x$ac_cv_header_sys_capability_h" = xyes; then :
@@ -18674,7 +19021,6 @@ if test "x$ac_cv_lib_cap_main" = xyes; then :
 else
   as_fn_error $? "libcap library not found" "$LINENO" 5
 fi
-ac_cv_lib_cap=ac_cv_lib_cap_main
 
 	ac_fn_c_check_header_mongrel "$LINENO" "sys/capability.h" "ac_cv_header_sys_capability_h" "$ac_includes_default"
 if test "x$ac_cv_header_sys_capability_h" = xyes; then :
@@ -18697,7 +19043,7 @@ $as_echo_n "checking for dladdr()... " >&6; }
 	cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 /* end confdefs.h.  */
 #define _GNU_SOURCE
-		 #include <dlfcn.h>
+			  #include <dlfcn.h>
 int
 main ()
 {
@@ -18721,7 +19067,7 @@ $as_echo_n "checking for dl_iterate_phdr()... " >&6; }
 	cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 /* end confdefs.h.  */
 #define _GNU_SOURCE
-		 #include <link.h>
+			  #include <link.h>
 int
 main ()
 {
@@ -18778,7 +19124,6 @@ if test "x$ac_cv_lib_bfd_main" = xyes; then :
 else
   as_fn_error $? "binutils libbfd not found!" "$LINENO" 5
 fi
-ac_cv_lib_bfd=ac_cv_lib_bfd_main
 
 	ac_fn_c_check_header_mongrel "$LINENO" "bfd.h" "ac_cv_header_bfd_h" "$ac_includes_default"
 if test "x$ac_cv_header_bfd_h" = xyes; then :
@@ -18809,6 +19154,149 @@ fi
 
 CFLAGS="$CFLAGS -include `pwd`/config.h"
 
+if test x$tkm = xtrue; then
+	# Extract the first word of "gprbuild", so it can be a program name with args.
+set dummy gprbuild; ac_word=$2
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
+$as_echo_n "checking for $ac_word... " >&6; }
+if ${ac_cv_path_GPRBUILD+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  case $GPRBUILD in
+  [\\/]* | ?:[\\/]*)
+  ac_cv_path_GPRBUILD="$GPRBUILD" # Let the user override the test with a path.
+  ;;
+  *)
+  as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+as_dummy="$PATH:/bin:/usr/bin:/usr/local/bin"
+for as_dir in $as_dummy
+do
+  IFS=$as_save_IFS
+  test -z "$as_dir" && as_dir=.
+    for ac_exec_ext in '' $ac_executable_extensions; do
+  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
+    ac_cv_path_GPRBUILD="$as_dir/$ac_word$ac_exec_ext"
+    $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
+    break 2
+  fi
+done
+  done
+IFS=$as_save_IFS
+
+  ;;
+esac
+fi
+GPRBUILD=$ac_cv_path_GPRBUILD
+if test -n "$GPRBUILD"; then
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: $GPRBUILD" >&5
+$as_echo "$GPRBUILD" >&6; }
+else
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+fi
+
+
+fi
+
+if test x$unit_tests = xtrue; then
+
+pkg_failed=no
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for CHECK" >&5
+$as_echo_n "checking for CHECK... " >&6; }
+
+if test -n "$CHECK_CFLAGS"; then
+    pkg_cv_CHECK_CFLAGS="$CHECK_CFLAGS"
+ elif test -n "$PKG_CONFIG"; then
+    if test -n "$PKG_CONFIG" && \
+    { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"check >= 0.9.4\""; } >&5
+  ($PKG_CONFIG --exists --print-errors "check >= 0.9.4") 2>&5
+  ac_status=$?
+  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+  test $ac_status = 0; }; then
+  pkg_cv_CHECK_CFLAGS=`$PKG_CONFIG --cflags "check >= 0.9.4" 2>/dev/null`
+		      test "x$?" != "x0" && pkg_failed=yes
+else
+  pkg_failed=yes
+fi
+ else
+    pkg_failed=untried
+fi
+if test -n "$CHECK_LIBS"; then
+    pkg_cv_CHECK_LIBS="$CHECK_LIBS"
+ elif test -n "$PKG_CONFIG"; then
+    if test -n "$PKG_CONFIG" && \
+    { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"check >= 0.9.4\""; } >&5
+  ($PKG_CONFIG --exists --print-errors "check >= 0.9.4") 2>&5
+  ac_status=$?
+  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+  test $ac_status = 0; }; then
+  pkg_cv_CHECK_LIBS=`$PKG_CONFIG --libs "check >= 0.9.4" 2>/dev/null`
+		      test "x$?" != "x0" && pkg_failed=yes
+else
+  pkg_failed=yes
+fi
+ else
+    pkg_failed=untried
+fi
+
+
+
+if test $pkg_failed = yes; then
+   	{ $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+
+if $PKG_CONFIG --atleast-pkgconfig-version 0.20; then
+        _pkg_short_errors_supported=yes
+else
+        _pkg_short_errors_supported=no
+fi
+        if test $_pkg_short_errors_supported = yes; then
+	        CHECK_PKG_ERRORS=`$PKG_CONFIG --short-errors --print-errors --cflags --libs "check >= 0.9.4" 2>&1`
+        else
+	        CHECK_PKG_ERRORS=`$PKG_CONFIG --print-errors --cflags --libs "check >= 0.9.4" 2>&1`
+        fi
+	# Put the nasty error message in config.log where it belongs
+	echo "$CHECK_PKG_ERRORS" >&5
+
+	as_fn_error $? "Package requirements (check >= 0.9.4) were not met:
+
+$CHECK_PKG_ERRORS
+
+Consider adjusting the PKG_CONFIG_PATH environment variable if you
+installed software in a non-standard prefix.
+
+Alternatively, you may set the environment variables CHECK_CFLAGS
+and CHECK_LIBS to avoid the need to call pkg-config.
+See the pkg-config man page for more details." "$LINENO" 5
+elif test $pkg_failed = untried; then
+     	{ $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+	{ { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
+$as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
+as_fn_error $? "The pkg-config script could not be found or is too old.  Make sure it
+is in your PATH or set the PKG_CONFIG environment variable to the full
+path to pkg-config.
+
+Alternatively, you may set the environment variables CHECK_CFLAGS
+and CHECK_LIBS to avoid the need to call pkg-config.
+See the pkg-config man page for more details.
+
+To get pkg-config, see <http://pkg-config.freedesktop.org/>.
+See \`config.log' for more details" "$LINENO" 5; }
+else
+	CHECK_CFLAGS=$pkg_cv_CHECK_CFLAGS
+	CHECK_LIBS=$pkg_cv_CHECK_LIBS
+        { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+$as_echo "yes" >&6; }
+
+fi
+
+
+fi
+
+# ===============================================
+#  collect plugin list for strongSwan components
+# ===============================================
 
 # ADD_PLUGIN(plugin, category list)
 # -----------------------------------
@@ -18861,6 +19349,13 @@ if test x$soup = xtrue; then
 
 	fi
 
+if test x$unbound = xtrue; then
+		s_plugins=${s_plugins}" unbound"
+		charon_plugins=${charon_plugins}" unbound"
+		scripts_plugins=${scripts_plugins}" unbound"
+
+	fi
+
 if test x$ldap = xtrue; then
 		s_plugins=${s_plugins}" ldap"
 		charon_plugins=${charon_plugins}" ldap"
@@ -19092,6 +19587,12 @@ if test x$dnskey = xtrue; then
 
 	fi
 
+if test x$ipseckey = xtrue; then
+		c_plugins=${c_plugins}" ipseckey"
+		charon_plugins=${charon_plugins}" ipseckey"
+
+	fi
+
 if test x$pem = xtrue; then
 		s_plugins=${s_plugins}" pem"
 		charon_plugins=${charon_plugins}" pem"
@@ -19458,6 +19959,12 @@ if test x$xauth_pam = xtrue; then
 
 	fi
 
+if test x$xauth_noauth = xtrue; then
+		c_plugins=${c_plugins}" xauth-noauth"
+		charon_plugins=${charon_plugins}" xauth-noauth"
+
+	fi
+
 if test x$tnc_ifmap = xtrue; then
 		c_plugins=${c_plugins}" tnc-ifmap"
 		charon_plugins=${charon_plugins}" tnc-ifmap"
@@ -19524,9 +20031,9 @@ if test x$dhcp = xtrue; then
 
 	fi
 
-if test x$android = xtrue; then
-		c_plugins=${c_plugins}" android"
-		charon_plugins=${charon_plugins}" android"
+if test x$android_dns = xtrue; then
+		c_plugins=${c_plugins}" android-dns"
+		charon_plugins=${charon_plugins}" android-dns"
 
 	fi
 
@@ -19566,6 +20073,12 @@ if test x$certexpire = xtrue; then
 
 	fi
 
+if test x$systime_fix = xtrue; then
+		c_plugins=${c_plugins}" systime-fix"
+		charon_plugins=${charon_plugins}" systime-fix"
+
+	fi
+
 if test x$led = xtrue; then
 		c_plugins=${c_plugins}" led"
 		charon_plugins=${charon_plugins}" led"
@@ -19637,8 +20150,12 @@ if test x$unit_tester = xtrue; then
 
 
 
+# ======================
+#  set Makefile.am vars
+# ======================
 
-
+#  libstrongswan plugins
+# -----------------------
  if test x$test_vectors = xtrue; then
   USE_TEST_VECTORS_TRUE=
   USE_TEST_VECTORS_FALSE='#'
@@ -19655,6 +20172,14 @@ else
   USE_CURL_FALSE=
 fi
 
+ if test x$unbound = xtrue; then
+  USE_UNBOUND_TRUE=
+  USE_UNBOUND_FALSE='#'
+else
+  USE_UNBOUND_TRUE='#'
+  USE_UNBOUND_FALSE=
+fi
+
  if test x$soup = xtrue; then
   USE_SOUP_TRUE=
   USE_SOUP_FALSE='#'
@@ -19960,6 +20485,8 @@ else
 fi
 
 
+#  charon plugins
+# ----------------
  if test x$stroke = xtrue; then
   USE_STROKE_TRUE=
   USE_STROKE_FALSE='#'
@@ -19992,12 +20519,12 @@ else
   USE_UCI_FALSE=
 fi
 
- if test x$android = xtrue; then
-  USE_ANDROID_TRUE=
-  USE_ANDROID_FALSE='#'
+ if test x$android_dns = xtrue; then
+  USE_ANDROID_DNS_TRUE=
+  USE_ANDROID_DNS_FALSE='#'
 else
-  USE_ANDROID_TRUE='#'
-  USE_ANDROID_FALSE=
+  USE_ANDROID_DNS_TRUE='#'
+  USE_ANDROID_DNS_FALSE=
 fi
 
  if test x$android_log = xtrue; then
@@ -20032,6 +20559,14 @@ else
   USE_SQL_FALSE=
 fi
 
+ if test x$ipseckey = xtrue; then
+  USE_IPSECKEY_TRUE=
+  USE_IPSECKEY_FALSE='#'
+else
+  USE_IPSECKEY_TRUE='#'
+  USE_IPSECKEY_FALSE=
+fi
+
  if test x$updown = xtrue; then
   USE_UPDOWN_TRUE=
   USE_UPDOWN_FALSE='#'
@@ -20104,6 +20639,14 @@ else
   USE_CERTEXPIRE_FALSE=
 fi
 
+ if test x$systime_fix = xtrue; then
+  USE_SYSTIME_FIX_TRUE=
+  USE_SYSTIME_FIX_FALSE='#'
+else
+  USE_SYSTIME_FIX_TRUE='#'
+  USE_SYSTIME_FIX_FALSE=
+fi
+
  if test x$led = xtrue; then
   USE_LED_TRUE=
   USE_LED_FALSE='#'
@@ -20304,6 +20847,14 @@ else
   USE_XAUTH_PAM_FALSE=
 fi
 
+ if test x$xauth_noauth = xtrue; then
+  USE_XAUTH_NOAUTH_TRUE=
+  USE_XAUTH_NOAUTH_FALSE='#'
+else
+  USE_XAUTH_NOAUTH_TRUE='#'
+  USE_XAUTH_NOAUTH_FALSE=
+fi
+
  if test x$tnc_ifmap = xtrue; then
   USE_TNC_IFMAP_TRUE=
   USE_TNC_IFMAP_FALSE='#'
@@ -20473,6 +21024,8 @@ else
 fi
 
 
+#  hydra plugins
+# ---------------
  if test x$attr = xtrue; then
   USE_ATTR_TRUE=
   USE_ATTR_FALSE='#'
@@ -20481,7 +21034,7 @@ else
   USE_ATTR_FALSE=
 fi
 
- if test x$attr_sql = xtrue -o x$sql = xtrue; then
+ if test x$attr_sql = xtrue; then
   USE_ATTR_SQL_TRUE=
   USE_ATTR_SQL_FALSE='#'
 else
@@ -20530,6 +21083,8 @@ else
 fi
 
 
+#  other options
+# ---------------
  if test x$leak_detective = xtrue; then
   USE_LEAK_DETECTIVE_TRUE=
   USE_LEAK_DETECTIVE_FALSE='#'
@@ -20666,7 +21221,7 @@ else
   USE_CONFTEST_FALSE=
 fi
 
- if test x$charon = xtrue -o x$tools = xtrue -o x$conftest = xtrue -o x$fast = xtrue -o x$imcv = xtrue -o x$nm = xtrue; then
+ if test x$charon = xtrue -o x$tools = xtrue -o x$conftest = xtrue -o x$fast = xtrue -o x$imcv = xtrue -o x$nm = xtrue -o x$tkm = xtrue; then
   USE_LIBSTRONGSWAN_TRUE=
   USE_LIBSTRONGSWAN_FALSE='#'
 else
@@ -20674,7 +21229,7 @@ else
   USE_LIBSTRONGSWAN_FALSE=
 fi
 
- if test x$charon = xtrue -o x$nm = xtrue; then
+ if test x$charon = xtrue -o x$nm = xtrue -o x$tkm = xtrue; then
   USE_LIBHYDRA_TRUE=
   USE_LIBHYDRA_FALSE='#'
 else
@@ -20682,7 +21237,7 @@ else
   USE_LIBHYDRA_FALSE=
 fi
 
- if test x$charon = xtrue -o x$conftest = xtrue -o x$nm = xtrue; then
+ if test x$charon = xtrue -o x$conftest = xtrue -o x$nm = xtrue -o x$tkm = xtrue; then
   USE_LIBCHARON_TRUE=
   USE_LIBCHARON_FALSE='#'
 else
@@ -20714,6 +21269,14 @@ else
   USE_LIBTNCCS_FALSE=
 fi
 
+ if test x$tnc_tnccs = xtrue; then
+  USE_LIBPTTLS_TRUE=
+  USE_LIBPTTLS_FALSE='#'
+else
+  USE_LIBPTTLS_TRUE='#'
+  USE_LIBPTTLS_FALSE=
+fi
+
  if test x$stroke = xtrue; then
   USE_FILE_CONFIG_TRUE=
   USE_FILE_CONFIG_FALSE='#'
@@ -20802,7 +21365,26 @@ else
   MONOLITHIC_FALSE=
 fi
 
+ if test x$unit_tests = xtrue; then
+  UNITTESTS_TRUE=
+  UNITTESTS_FALSE='#'
+else
+  UNITTESTS_TRUE='#'
+  UNITTESTS_FALSE=
+fi
+
+ if test x$tkm = xtrue; then
+  USE_TKM_TRUE=
+  USE_TKM_FALSE='#'
+else
+  USE_TKM_TRUE='#'
+  USE_TKM_FALSE=
+fi
+
 
+# ========================
+#  set global definitions
+# ========================
 
 if test x$mediation = xtrue; then
 
@@ -20830,8 +21412,11 @@ $as_echo "#define USE_IKEV2 /**/" >>confdefs.h
 
 fi
 
+# =================
+#  build Makefiles
+# =================
 
-ac_config_files="$ac_config_files Makefile man/Makefile init/Makefile init/systemd/Makefile src/Makefile src/include/Makefile src/libstrongswan/Makefile src/libstrongswan/plugins/aes/Makefile src/libstrongswan/plugins/cmac/Makefile src/libstrongswan/plugins/des/Makefile src/libstrongswan/plugins/blowfish/Makefile src/libstrongswan/plugins/md4/Makefile src/libstrongswan/plugins/md5/Makefile src/libstrongswan/plugins/sha1/Makefile src/libstrongswan/plugins/sha2/Makefile src/libstrongswan/plugins/fips_prf/Makefile src/libstrongswan/plugins/gmp/Makefile src/libstrongswan/plugins/rdrand/Makefile src/libstrongswan/plugins/random/Makefile src/libstrongswan/plugins/nonce/Makefile src/libstrongswan/plugins/hmac/Makefile src/libstrongswan/plugins/xcbc/Makefile src/libstrongswan/plugins/x509/Makefile src/libstrongswan/plugins/revocation/Makefile src/libstrongswan/plugins/constraints/Makefile src/libstrongswan/plugins/pubkey/Makefile src/libstrongswan/plugins/pkcs1/Makefile src/libstrongswan/plugins/pkcs7/Makefile src/libstrongswan/plugins/pkcs8/Makefile src/libstrongswan/plugins/pgp/Makefile src/libstrongswan/plugins/dnskey/Makefile src/libstrongswan/plugins/pem/Makefile src/libstrongswan/plugins/curl/Makefile src/libstrongswan/plugins/soup/Makefile src/libstrongswan/plugins/ldap/Makefile src/libstrongswan/plugins/mysql/Makefile src/libstrongswan/plugins/sqlite/Makefile src/libstrongswan/plugins/padlock/Makefile src/libstrongswan/plugins/openssl/Makefile src/libstrongswan/plugins/gcrypt/Makefile src/libstrongswan/plugins/agent/Makefile src/libstrongswan/plugins/pkcs11/Makefile src/libstrongswan/plugins/ctr/Makefile src/libstrongswan/plugins/ccm/Makefile src/libstrongswan/plugins/gcm/Makefile src/libstrongswan/plugins/af_alg/Makefile src/libstrongswan/plugins/test_vectors/Makefile src/libhydra/Makefile src/libhydra/plugins/attr/Makefile src/libhydra/plugins/attr_sql/Makefile src/libhydra/plugins/kernel_klips/Makefile src/libhydra/plugins/kernel_netlink/Makefile src/libhydra/plugins/kernel_pfkey/Makefile src/libhydra/plugins/kernel_pfroute/Makefile src/libhydra/plugins/resolve/Makefile src/libipsec/Makefile src/libsimaka/Makefile src/libtls/Makefile src/libradius/Makefile src/libtncif/Makefile src/libtnccs/Makefile src/libpts/Makefile src/libpts/plugins/imc_attestation/Makefile src/libpts/plugins/imv_attestation/Makefile src/libimcv/Makefile src/libimcv/plugins/imc_test/Makefile src/libimcv/plugins/imv_test/Makefile src/libimcv/plugins/imc_scanner/Makefile src/libimcv/plugins/imv_scanner/Makefile src/libimcv/plugins/imc_os/Makefile src/libimcv/plugins/imv_os/Makefile src/charon/Makefile src/charon-nm/Makefile src/libcharon/Makefile src/libcharon/plugins/eap_aka/Makefile src/libcharon/plugins/eap_aka_3gpp2/Makefile src/libcharon/plugins/eap_dynamic/Makefile src/libcharon/plugins/eap_identity/Makefile src/libcharon/plugins/eap_md5/Makefile src/libcharon/plugins/eap_gtc/Makefile src/libcharon/plugins/eap_sim/Makefile src/libcharon/plugins/eap_sim_file/Makefile src/libcharon/plugins/eap_sim_pcsc/Makefile src/libcharon/plugins/eap_simaka_sql/Makefile src/libcharon/plugins/eap_simaka_pseudonym/Makefile src/libcharon/plugins/eap_simaka_reauth/Makefile src/libcharon/plugins/eap_mschapv2/Makefile src/libcharon/plugins/eap_tls/Makefile src/libcharon/plugins/eap_ttls/Makefile src/libcharon/plugins/eap_peap/Makefile src/libcharon/plugins/eap_tnc/Makefile src/libcharon/plugins/eap_radius/Makefile src/libcharon/plugins/xauth_generic/Makefile src/libcharon/plugins/xauth_eap/Makefile src/libcharon/plugins/xauth_pam/Makefile src/libcharon/plugins/tnc_ifmap/Makefile src/libcharon/plugins/tnc_pdp/Makefile src/libcharon/plugins/tnc_imc/Makefile src/libcharon/plugins/tnc_imv/Makefile src/libcharon/plugins/tnc_tnccs/Makefile src/libcharon/plugins/tnccs_11/Makefile src/libcharon/plugins/tnccs_20/Makefile src/libcharon/plugins/tnccs_dynamic/Makefile src/libcharon/plugins/socket_default/Makefile src/libcharon/plugins/socket_dynamic/Makefile src/libcharon/plugins/farp/Makefile src/libcharon/plugins/smp/Makefile src/libcharon/plugins/sql/Makefile src/libcharon/plugins/medsrv/Makefile src/libcharon/plugins/medcli/Makefile src/libcharon/plugins/addrblock/Makefile src/libcharon/plugins/unity/Makefile src/libcharon/plugins/uci/Makefile src/libcharon/plugins/ha/Makefile src/libcharon/plugins/whitelist/Makefile src/libcharon/plugins/lookip/Makefile src/libcharon/plugins/error_notify/Makefile src/libcharon/plugins/certexpire/Makefile src/libcharon/plugins/led/Makefile src/libcharon/plugins/duplicheck/Makefile src/libcharon/plugins/coupling/Makefile src/libcharon/plugins/radattr/Makefile src/libcharon/plugins/android/Makefile src/libcharon/plugins/android_log/Makefile src/libcharon/plugins/maemo/Makefile src/libcharon/plugins/stroke/Makefile src/libcharon/plugins/updown/Makefile src/libcharon/plugins/dhcp/Makefile src/libcharon/plugins/unit_tester/Makefile src/libcharon/plugins/load_tester/Makefile src/stroke/Makefile src/ipsec/Makefile src/starter/Makefile src/_updown/Makefile src/_updown_espmark/Makefile src/_copyright/Makefile src/openac/Makefile src/scepclient/Makefile src/pki/Makefile src/dumm/Makefile src/dumm/ext/extconf.rb src/libfast/Makefile src/manager/Makefile src/medsrv/Makefile src/checksum/Makefile src/conftest/Makefile scripts/Makefile testing/Makefile"
+ac_config_files="$ac_config_files Makefile man/Makefile init/Makefile init/systemd/Makefile src/Makefile src/include/Makefile src/libstrongswan/Makefile src/libstrongswan/plugins/aes/Makefile src/libstrongswan/plugins/cmac/Makefile src/libstrongswan/plugins/des/Makefile src/libstrongswan/plugins/blowfish/Makefile src/libstrongswan/plugins/md4/Makefile src/libstrongswan/plugins/md5/Makefile src/libstrongswan/plugins/sha1/Makefile src/libstrongswan/plugins/sha2/Makefile src/libstrongswan/plugins/fips_prf/Makefile src/libstrongswan/plugins/gmp/Makefile src/libstrongswan/plugins/rdrand/Makefile src/libstrongswan/plugins/random/Makefile src/libstrongswan/plugins/nonce/Makefile src/libstrongswan/plugins/hmac/Makefile src/libstrongswan/plugins/xcbc/Makefile src/libstrongswan/plugins/x509/Makefile src/libstrongswan/plugins/revocation/Makefile src/libstrongswan/plugins/constraints/Makefile src/libstrongswan/plugins/pubkey/Makefile src/libstrongswan/plugins/pkcs1/Makefile src/libstrongswan/plugins/pkcs7/Makefile src/libstrongswan/plugins/pkcs8/Makefile src/libstrongswan/plugins/pgp/Makefile src/libstrongswan/plugins/dnskey/Makefile src/libstrongswan/plugins/pem/Makefile src/libstrongswan/plugins/curl/Makefile src/libstrongswan/plugins/unbound/Makefile src/libstrongswan/plugins/soup/Makefile src/libstrongswan/plugins/ldap/Makefile src/libstrongswan/plugins/mysql/Makefile src/libstrongswan/plugins/sqlite/Makefile src/libstrongswan/plugins/padlock/Makefile src/libstrongswan/plugins/openssl/Makefile src/libstrongswan/plugins/gcrypt/Makefile src/libstrongswan/plugins/agent/Makefile src/libstrongswan/plugins/pkcs11/Makefile src/libstrongswan/plugins/ctr/Makefile src/libstrongswan/plugins/ccm/Makefile src/libstrongswan/plugins/gcm/Makefile src/libstrongswan/plugins/af_alg/Makefile src/libstrongswan/plugins/test_vectors/Makefile src/libhydra/Makefile src/libhydra/plugins/attr/Makefile src/libhydra/plugins/attr_sql/Makefile src/libhydra/plugins/kernel_klips/Makefile src/libhydra/plugins/kernel_netlink/Makefile src/libhydra/plugins/kernel_pfkey/Makefile src/libhydra/plugins/kernel_pfroute/Makefile src/libhydra/plugins/resolve/Makefile src/libipsec/Makefile src/libsimaka/Makefile src/libtls/Makefile src/libradius/Makefile src/libtncif/Makefile src/libtnccs/Makefile src/libpttls/Makefile src/libpts/Makefile src/libpts/plugins/imc_attestation/Makefile src/libpts/plugins/imv_attestation/Makefile src/libimcv/Makefile src/libimcv/plugins/imc_test/Makefile src/libimcv/plugins/imv_test/Makefile src/libimcv/plugins/imc_scanner/Makefile src/libimcv/plugins/imv_scanner/Makefile src/libimcv/plugins/imc_os/Makefile src/libimcv/plugins/imv_os/Makefile src/charon/Makefile src/charon-nm/Makefile src/charon-tkm/Makefile src/libcharon/Makefile src/libcharon/plugins/eap_aka/Makefile src/libcharon/plugins/eap_aka_3gpp2/Makefile src/libcharon/plugins/eap_dynamic/Makefile src/libcharon/plugins/eap_identity/Makefile src/libcharon/plugins/eap_md5/Makefile src/libcharon/plugins/eap_gtc/Makefile src/libcharon/plugins/eap_sim/Makefile src/libcharon/plugins/eap_sim_file/Makefile src/libcharon/plugins/eap_sim_pcsc/Makefile src/libcharon/plugins/eap_simaka_sql/Makefile src/libcharon/plugins/eap_simaka_pseudonym/Makefile src/libcharon/plugins/eap_simaka_reauth/Makefile src/libcharon/plugins/eap_mschapv2/Makefile src/libcharon/plugins/eap_tls/Makefile src/libcharon/plugins/eap_ttls/Makefile src/libcharon/plugins/eap_peap/Makefile src/libcharon/plugins/eap_tnc/Makefile src/libcharon/plugins/eap_radius/Makefile src/libcharon/plugins/xauth_generic/Makefile src/libcharon/plugins/xauth_eap/Makefile src/libcharon/plugins/xauth_pam/Makefile src/libcharon/plugins/xauth_noauth/Makefile src/libcharon/plugins/tnc_ifmap/Makefile src/libcharon/plugins/tnc_pdp/Makefile src/libcharon/plugins/tnc_imc/Makefile src/libcharon/plugins/tnc_imv/Makefile src/libcharon/plugins/tnc_tnccs/Makefile src/libcharon/plugins/tnccs_11/Makefile src/libcharon/plugins/tnccs_20/Makefile src/libcharon/plugins/tnccs_dynamic/Makefile src/libcharon/plugins/socket_default/Makefile src/libcharon/plugins/socket_dynamic/Makefile src/libcharon/plugins/farp/Makefile src/libcharon/plugins/smp/Makefile src/libcharon/plugins/sql/Makefile src/libcharon/plugins/ipseckey/Makefile src/libcharon/plugins/medsrv/Makefile src/libcharon/plugins/medcli/Makefile src/libcharon/plugins/addrblock/Makefile src/libcharon/plugins/unity/Makefile src/libcharon/plugins/uci/Makefile src/libcharon/plugins/ha/Makefile src/libcharon/plugins/whitelist/Makefile src/libcharon/plugins/lookip/Makefile src/libcharon/plugins/error_notify/Makefile src/libcharon/plugins/certexpire/Makefile src/libcharon/plugins/systime_fix/Makefile src/libcharon/plugins/led/Makefile src/libcharon/plugins/duplicheck/Makefile src/libcharon/plugins/coupling/Makefile src/libcharon/plugins/radattr/Makefile src/libcharon/plugins/android_dns/Makefile src/libcharon/plugins/android_log/Makefile src/libcharon/plugins/maemo/Makefile src/libcharon/plugins/stroke/Makefile src/libcharon/plugins/updown/Makefile src/libcharon/plugins/dhcp/Makefile src/libcharon/plugins/unit_tester/Makefile src/libcharon/plugins/load_tester/Makefile src/stroke/Makefile src/ipsec/Makefile src/starter/Makefile src/_updown/Makefile src/_updown_espmark/Makefile src/_copyright/Makefile src/openac/Makefile src/scepclient/Makefile src/pki/Makefile src/dumm/Makefile src/dumm/ext/extconf.rb src/libfast/Makefile src/manager/Makefile src/medsrv/Makefile src/checksum/Makefile src/conftest/Makefile scripts/Makefile testing/Makefile"
 
 cat >confcache <<\_ACEOF
 # This file is a shell script that caches the results of configure
@@ -20975,6 +21560,10 @@ if test -z "${USE_CURL_TRUE}" && test -z "${USE_CURL_FALSE}"; then
   as_fn_error $? "conditional \"USE_CURL\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
+if test -z "${USE_UNBOUND_TRUE}" && test -z "${USE_UNBOUND_FALSE}"; then
+  as_fn_error $? "conditional \"USE_UNBOUND\" was never defined.
+Usually this means the macro was only invoked conditionally." "$LINENO" 5
+fi
 if test -z "${USE_SOUP_TRUE}" && test -z "${USE_SOUP_FALSE}"; then
   as_fn_error $? "conditional \"USE_SOUP\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
@@ -21143,8 +21732,8 @@ if test -z "${USE_UCI_TRUE}" && test -z "${USE_UCI_FALSE}"; then
   as_fn_error $? "conditional \"USE_UCI\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
-if test -z "${USE_ANDROID_TRUE}" && test -z "${USE_ANDROID_FALSE}"; then
-  as_fn_error $? "conditional \"USE_ANDROID\" was never defined.
+if test -z "${USE_ANDROID_DNS_TRUE}" && test -z "${USE_ANDROID_DNS_FALSE}"; then
+  as_fn_error $? "conditional \"USE_ANDROID_DNS\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
 if test -z "${USE_ANDROID_LOG_TRUE}" && test -z "${USE_ANDROID_LOG_FALSE}"; then
@@ -21163,6 +21752,10 @@ if test -z "${USE_SQL_TRUE}" && test -z "${USE_SQL_FALSE}"; then
   as_fn_error $? "conditional \"USE_SQL\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
+if test -z "${USE_IPSECKEY_TRUE}" && test -z "${USE_IPSECKEY_FALSE}"; then
+  as_fn_error $? "conditional \"USE_IPSECKEY\" was never defined.
+Usually this means the macro was only invoked conditionally." "$LINENO" 5
+fi
 if test -z "${USE_UPDOWN_TRUE}" && test -z "${USE_UPDOWN_FALSE}"; then
   as_fn_error $? "conditional \"USE_UPDOWN\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
@@ -21199,6 +21792,10 @@ if test -z "${USE_CERTEXPIRE_TRUE}" && test -z "${USE_CERTEXPIRE_FALSE}"; then
   as_fn_error $? "conditional \"USE_CERTEXPIRE\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
+if test -z "${USE_SYSTIME_FIX_TRUE}" && test -z "${USE_SYSTIME_FIX_FALSE}"; then
+  as_fn_error $? "conditional \"USE_SYSTIME_FIX\" was never defined.
+Usually this means the macro was only invoked conditionally." "$LINENO" 5
+fi
 if test -z "${USE_LED_TRUE}" && test -z "${USE_LED_FALSE}"; then
   as_fn_error $? "conditional \"USE_LED\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
@@ -21299,6 +21896,10 @@ if test -z "${USE_XAUTH_PAM_TRUE}" && test -z "${USE_XAUTH_PAM_FALSE}"; then
   as_fn_error $? "conditional \"USE_XAUTH_PAM\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
+if test -z "${USE_XAUTH_NOAUTH_TRUE}" && test -z "${USE_XAUTH_NOAUTH_FALSE}"; then
+  as_fn_error $? "conditional \"USE_XAUTH_NOAUTH\" was never defined.
+Usually this means the macro was only invoked conditionally." "$LINENO" 5
+fi
 if test -z "${USE_TNC_IFMAP_TRUE}" && test -z "${USE_TNC_IFMAP_FALSE}"; then
   as_fn_error $? "conditional \"USE_TNC_IFMAP\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
@@ -21503,6 +22104,10 @@ if test -z "${USE_LIBTNCCS_TRUE}" && test -z "${USE_LIBTNCCS_FALSE}"; then
   as_fn_error $? "conditional \"USE_LIBTNCCS\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
+if test -z "${USE_LIBPTTLS_TRUE}" && test -z "${USE_LIBPTTLS_FALSE}"; then
+  as_fn_error $? "conditional \"USE_LIBPTTLS\" was never defined.
+Usually this means the macro was only invoked conditionally." "$LINENO" 5
+fi
 if test -z "${USE_FILE_CONFIG_TRUE}" && test -z "${USE_FILE_CONFIG_FALSE}"; then
   as_fn_error $? "conditional \"USE_FILE_CONFIG\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
@@ -21547,6 +22152,14 @@ if test -z "${MONOLITHIC_TRUE}" && test -z "${MONOLITHIC_FALSE}"; then
   as_fn_error $? "conditional \"MONOLITHIC\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
+if test -z "${UNITTESTS_TRUE}" && test -z "${UNITTESTS_FALSE}"; then
+  as_fn_error $? "conditional \"UNITTESTS\" was never defined.
+Usually this means the macro was only invoked conditionally." "$LINENO" 5
+fi
+if test -z "${USE_TKM_TRUE}" && test -z "${USE_TKM_FALSE}"; then
+  as_fn_error $? "conditional \"USE_TKM\" was never defined.
+Usually this means the macro was only invoked conditionally." "$LINENO" 5
+fi
 
 : "${CONFIG_STATUS=./config.status}"
 ac_write_fail=0
@@ -21845,16 +22458,16 @@ if (echo >conf$$.file) 2>/dev/null; then
     # ... but there are two gotchas:
     # 1) On MSYS, both `ln -s file dir' and `ln file dir' fail.
     # 2) DJGPP < 2.04 has no symlinks; `ln -s' creates a wrapper executable.
-    # In both cases, we have to default to `cp -p'.
+    # In both cases, we have to default to `cp -pR'.
     ln -s conf$$.file conf$$.dir 2>/dev/null && test ! -f conf$$.exe ||
-      as_ln_s='cp -p'
+      as_ln_s='cp -pR'
   elif ln conf$$.file conf$$ 2>/dev/null; then
     as_ln_s=ln
   else
-    as_ln_s='cp -p'
+    as_ln_s='cp -pR'
   fi
 else
-  as_ln_s='cp -p'
+  as_ln_s='cp -pR'
 fi
 rm -f conf$$ conf$$.exe conf$$.dir/conf$$.file conf$$.file
 rmdir conf$$.dir 2>/dev/null
@@ -21914,28 +22527,16 @@ else
   as_mkdir_p=false
 fi
 
-if test -x / >/dev/null 2>&1; then
-  as_test_x='test -x'
-else
-  if ls -dL / >/dev/null 2>&1; then
-    as_ls_L_option=L
-  else
-    as_ls_L_option=
-  fi
-  as_test_x='
-    eval sh -c '\''
-      if test -d "$1"; then
-	test -d "$1/.";
-      else
-	case $1 in #(
-	-*)set "./$1";;
-	esac;
-	case `ls -ld'$as_ls_L_option' "$1" 2>/dev/null` in #((
-	???[sx]*):;;*)false;;esac;fi
-    '\'' sh
-  '
-fi
-as_executable_p=$as_test_x
+
+# as_fn_executable_p FILE
+# -----------------------
+# Test if FILE is an executable regular file.
+as_fn_executable_p ()
+{
+  test -f "$1" && test -x "$1"
+} # as_fn_executable_p
+as_test_x='test -x'
+as_executable_p=as_fn_executable_p
 
 # Sed expression to map a string onto a valid CPP name.
 as_tr_cpp="eval sed 'y%*$as_cr_letters%P$as_cr_LETTERS%;s%[^_$as_cr_alnum]%_%g'"
@@ -21956,8 +22557,8 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
 # report actual input values of CONFIG_FILES etc. instead of their
 # values after options handling.
 ac_log="
-This file was extended by strongSwan $as_me 5.0.2, which was
-generated by GNU Autoconf 2.68.  Invocation command line was
+This file was extended by strongSwan $as_me 5.0.3, which was
+generated by GNU Autoconf 2.69.  Invocation command line was
 
   CONFIG_FILES    = $CONFIG_FILES
   CONFIG_HEADERS  = $CONFIG_HEADERS
@@ -22022,11 +22623,11 @@ _ACEOF
 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
 ac_cs_version="\\
-strongSwan config.status 5.0.2
-configured by $0, generated by GNU Autoconf 2.68,
+strongSwan config.status 5.0.3
+configured by $0, generated by GNU Autoconf 2.69,
   with options \\"\$ac_cs_config\\"
 
-Copyright (C) 2010 Free Software Foundation, Inc.
+Copyright (C) 2012 Free Software Foundation, Inc.
 This config.status script is free software; the Free Software Foundation
 gives unlimited permission to copy, distribute and modify it."
 
@@ -22117,7 +22718,7 @@ fi
 _ACEOF
 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
 if \$ac_cs_recheck; then
-  set X '$SHELL' '$0' $ac_configure_args \$ac_configure_extra_args --no-create --no-recursion
+  set X $SHELL '$0' $ac_configure_args \$ac_configure_extra_args --no-create --no-recursion
   shift
   \$as_echo "running CONFIG_SHELL=$SHELL \$*" >&6
   CONFIG_SHELL='$SHELL'
@@ -22464,6 +23065,7 @@ do
     "src/libstrongswan/plugins/dnskey/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/dnskey/Makefile" ;;
     "src/libstrongswan/plugins/pem/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/pem/Makefile" ;;
     "src/libstrongswan/plugins/curl/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/curl/Makefile" ;;
+    "src/libstrongswan/plugins/unbound/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/unbound/Makefile" ;;
     "src/libstrongswan/plugins/soup/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/soup/Makefile" ;;
     "src/libstrongswan/plugins/ldap/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/ldap/Makefile" ;;
     "src/libstrongswan/plugins/mysql/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/mysql/Makefile" ;;
@@ -22492,6 +23094,7 @@ do
     "src/libradius/Makefile") CONFIG_FILES="$CONFIG_FILES src/libradius/Makefile" ;;
     "src/libtncif/Makefile") CONFIG_FILES="$CONFIG_FILES src/libtncif/Makefile" ;;
     "src/libtnccs/Makefile") CONFIG_FILES="$CONFIG_FILES src/libtnccs/Makefile" ;;
+    "src/libpttls/Makefile") CONFIG_FILES="$CONFIG_FILES src/libpttls/Makefile" ;;
     "src/libpts/Makefile") CONFIG_FILES="$CONFIG_FILES src/libpts/Makefile" ;;
     "src/libpts/plugins/imc_attestation/Makefile") CONFIG_FILES="$CONFIG_FILES src/libpts/plugins/imc_attestation/Makefile" ;;
     "src/libpts/plugins/imv_attestation/Makefile") CONFIG_FILES="$CONFIG_FILES src/libpts/plugins/imv_attestation/Makefile" ;;
@@ -22504,6 +23107,7 @@ do
     "src/libimcv/plugins/imv_os/Makefile") CONFIG_FILES="$CONFIG_FILES src/libimcv/plugins/imv_os/Makefile" ;;
     "src/charon/Makefile") CONFIG_FILES="$CONFIG_FILES src/charon/Makefile" ;;
     "src/charon-nm/Makefile") CONFIG_FILES="$CONFIG_FILES src/charon-nm/Makefile" ;;
+    "src/charon-tkm/Makefile") CONFIG_FILES="$CONFIG_FILES src/charon-tkm/Makefile" ;;
     "src/libcharon/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/Makefile" ;;
     "src/libcharon/plugins/eap_aka/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/eap_aka/Makefile" ;;
     "src/libcharon/plugins/eap_aka_3gpp2/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/eap_aka_3gpp2/Makefile" ;;
@@ -22526,6 +23130,7 @@ do
     "src/libcharon/plugins/xauth_generic/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/xauth_generic/Makefile" ;;
     "src/libcharon/plugins/xauth_eap/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/xauth_eap/Makefile" ;;
     "src/libcharon/plugins/xauth_pam/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/xauth_pam/Makefile" ;;
+    "src/libcharon/plugins/xauth_noauth/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/xauth_noauth/Makefile" ;;
     "src/libcharon/plugins/tnc_ifmap/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/tnc_ifmap/Makefile" ;;
     "src/libcharon/plugins/tnc_pdp/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/tnc_pdp/Makefile" ;;
     "src/libcharon/plugins/tnc_imc/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/tnc_imc/Makefile" ;;
@@ -22539,6 +23144,7 @@ do
     "src/libcharon/plugins/farp/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/farp/Makefile" ;;
     "src/libcharon/plugins/smp/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/smp/Makefile" ;;
     "src/libcharon/plugins/sql/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/sql/Makefile" ;;
+    "src/libcharon/plugins/ipseckey/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/ipseckey/Makefile" ;;
     "src/libcharon/plugins/medsrv/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/medsrv/Makefile" ;;
     "src/libcharon/plugins/medcli/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/medcli/Makefile" ;;
     "src/libcharon/plugins/addrblock/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/addrblock/Makefile" ;;
@@ -22549,11 +23155,12 @@ do
     "src/libcharon/plugins/lookip/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/lookip/Makefile" ;;
     "src/libcharon/plugins/error_notify/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/error_notify/Makefile" ;;
     "src/libcharon/plugins/certexpire/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/certexpire/Makefile" ;;
+    "src/libcharon/plugins/systime_fix/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/systime_fix/Makefile" ;;
     "src/libcharon/plugins/led/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/led/Makefile" ;;
     "src/libcharon/plugins/duplicheck/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/duplicheck/Makefile" ;;
     "src/libcharon/plugins/coupling/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/coupling/Makefile" ;;
     "src/libcharon/plugins/radattr/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/radattr/Makefile" ;;
-    "src/libcharon/plugins/android/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/android/Makefile" ;;
+    "src/libcharon/plugins/android_dns/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/android_dns/Makefile" ;;
     "src/libcharon/plugins/android_log/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/android_log/Makefile" ;;
     "src/libcharon/plugins/maemo/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/maemo/Makefile" ;;
     "src/libcharon/plugins/stroke/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/stroke/Makefile" ;;
@@ -23937,3 +24544,23 @@ if test -n "$ac_unrecognized_opts" && test "$enable_option_checking" != no; then
 $as_echo "$as_me: WARNING: unrecognized options: $ac_unrecognized_opts" >&2;}
 fi
 
+
+# ========================
+#  report enabled plugins
+# ========================
+
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: " >&5
+$as_echo "" >&6; }
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result:  strongSwan will be built with the following plugins" >&5
+$as_echo " strongSwan will be built with the following plugins" >&6; }
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: -----------------------------------------------------" >&5
+$as_echo "-----------------------------------------------------" >&6; }
+
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: libstrongswan:$s_plugins" >&5
+$as_echo "libstrongswan:$s_plugins" >&6; }
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: libcharon:    $c_plugins" >&5
+$as_echo "libcharon:    $c_plugins" >&6; }
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: libhydra:     $h_plugins" >&5
+$as_echo "libhydra:     $h_plugins" >&6; }
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: " >&5
+$as_echo "" >&6; }
diff --git a/configure.in b/configure.in
index 2c3e739d6..1e367d094 100644
--- a/configure.in
+++ b/configure.in
@@ -1,31 +1,34 @@
-dnl  configure.in for linux strongSwan
-dnl  Copyright (C) 2006 Martin Willi
-dnl  Hochschule fuer Technik Rapperswil
-dnl
-dnl  This program is free software; you can redistribute it and/or modify it
-dnl  under the terms of the GNU General Public License as published by the
-dnl  Free Software Foundation; either version 2 of the License, or (at your
-dnl  option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
-dnl
-dnl  This program is distributed in the hope that it will be useful, but
-dnl  WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
-dnl  or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
-dnl  for more details.
-
-dnl ===========================
-dnl  initialize & set some vars
-dnl ===========================
-
-AC_INIT(strongSwan,5.0.2)
+#
+# Copyright (C) 2007-2013 Tobias Brunner
+# Copyright (C) 2006-2013 Andreas Steffen
+# Copyright (C) 2006-2013 Martin Willi
+# Hochschule fuer Technik Rapperswil
+#
+# This program is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 2 of the License, or (at your
+# option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+# or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+# for more details.
+#
+
+# ============================
+#  initialize & set some vars
+# ============================
+
+AC_INIT([strongSwan],[5.0.3])
 AM_INIT_AUTOMAKE(tar-ustar)
 AC_CONFIG_MACRO_DIR([m4/config])
 AC_CONFIG_HEADERS([config.h])
 AC_DEFINE([CONFIG_H_INCLUDED], [], [defined if config.h included])
 PKG_PROG_PKG_CONFIG
 
-dnl =================================
-dnl  check --enable-xxx & --with-xxx
-dnl =================================
+# =================================
+#  check --enable-xxx & --with-xxx
+# =================================
 
 m4_include(m4/macros/with.m4)
 
@@ -101,6 +104,7 @@ AC_SUBST(ipsec_script_upper, [`echo -n "$ipsec_script" | tr a-z A-Z`])
 m4_include(m4/macros/enable-disable.m4)
 
 ARG_ENABL_SET([curl],           [enable CURL fetcher plugin to fetch files via libcurl. Requires libcurl.])
+ARG_ENABL_SET([unbound],        [enable UNBOUND resolver plugin to perform DNS queries via libunbound. Requires libldns and libunbound.])
 ARG_ENABL_SET([soup],           [enable soup fetcher plugin to fetch from HTTP via libsoup. Requires libsoup.])
 ARG_ENABL_SET([ldap],           [enable LDAP fetching plugin to fetch files via libldap. Requires openLDAP.])
 ARG_DISBL_SET([aes],            [disable AES software implementation plugin.])
@@ -124,6 +128,7 @@ ARG_DISBL_SET([pkcs7],          [disable PKCS7 container support plugin.])
 ARG_DISBL_SET([pkcs8],          [disable PKCS8 private key decoding plugin.])
 ARG_DISBL_SET([pgp],            [disable PGP key decoding plugin.])
 ARG_DISBL_SET([dnskey],         [disable DNS RR key decoding plugin.])
+ARG_ENABL_SET([ipseckey],       [enable IPSECKEY authentication plugin.])
 ARG_DISBL_SET([pem],            [disable PEM decoding plugin.])
 ARG_DISBL_SET([hmac],           [disable HMAC crypto implementation plugin.])
 ARG_DISBL_SET([cmac],           [disable CMAC crypto implementation plugin.])
@@ -162,11 +167,12 @@ ARG_ENABL_SET([eap-radius],     [enable RADIUS proxy authentication module.])
 ARG_DISBL_SET([xauth-generic],  [disable generic XAuth backend.])
 ARG_ENABL_SET([xauth-eap],      [enable XAuth backend using EAP methods to verify passwords.])
 ARG_ENABL_SET([xauth-pam],      [enable XAuth backend using PAM to verify passwords.])
-ARG_ENABL_SET([tnc-ifmap],      [enable TNC IF-MAP module.])
+ARG_ENABL_SET([xauth-noauth],   [enable XAuth pseudo-backend that does not actually verify or even request any credentials.])
+ARG_ENABL_SET([tnc-ifmap],      [enable TNC IF-MAP module. Requires libxml])
 ARG_ENABL_SET([tnc-pdp],        [enable TNC policy decision point module.])
 ARG_ENABL_SET([tnc-imc],        [enable TNC IMC module.])
 ARG_ENABL_SET([tnc-imv],        [enable TNC IMV module.])
-ARG_ENABL_SET([tnccs-11],       [enable TNCCS 1.1 protocol module.])
+ARG_ENABL_SET([tnccs-11],       [enable TNCCS 1.1 protocol module. Requires libxml])
 ARG_ENABL_SET([tnccs-20],       [enable TNCCS 2.0 protocol module.])
 ARG_ENABL_SET([tnccs-dynamic],  [enable dynamic TNCCS protocol discovery module.])
 ARG_ENABL_SET([imc-test],       [enable IMC test module.])
@@ -213,7 +219,7 @@ ARG_ENABL_SET([gcm],            [enables the GCM AEAD wrapper crypto plugin.])
 ARG_ENABL_SET([addrblock],      [enables RFC 3779 address block constraint support.])
 ARG_ENABL_SET([unity],          [enables Cisco Unity extension plugin.])
 ARG_ENABL_SET([uci],            [enable OpenWRT UCI configuration plugin.])
-ARG_ENABL_SET([android],        [enable Android specific plugin.])
+ARG_ENABL_SET([android-dns],    [enable Android specific DNS handler.])
 ARG_ENABL_SET([android-log],    [enable Android specific logger plugin.])
 ARG_ENABL_SET([maemo],          [enable Maemo specific plugin.])
 ARG_ENABL_SET([nm],             [enable NetworkManager backend.])
@@ -222,6 +228,7 @@ ARG_ENABL_SET([whitelist],      [enable peer identity whitelisting plugin.])
 ARG_ENABL_SET([lookip],         [enable fast virtual IP lookup and notification plugin.])
 ARG_ENABL_SET([error-notify],   [enable error notification plugin.])
 ARG_ENABL_SET([certexpire],     [enable CSV export of expiration dates of used certificates.])
+ARG_ENABL_SET([systime-fix],    [enable plugin to handle cert lifetimes with invalid system time gracefully.])
 ARG_ENABL_SET([led],            [enable plugin to control LEDs on IKEv2 activity using the Linux kernel LED subsystem.])
 ARG_ENABL_SET([duplicheck],     [advanced duplicate checking plugin using liveness checks.])
 ARG_ENABL_SET([coupling],       [enable IKEv2 plugin to couple peer certificates permanently to authentication.])
@@ -229,24 +236,41 @@ ARG_ENABL_SET([radattr],        [enable plugin to inject and process custom RADI
 ARG_ENABL_SET([vstr],           [enforce using the Vstr string library to replace glibc-like printf hooks.])
 ARG_ENABL_SET([monolithic],     [build monolithic version of libstrongswan that includes all enabled plugins. Similarly, the plugins of charon are assembled in libcharon.])
 ARG_ENABL_SET([bfd-backtraces], [use binutils libbfd to resolve backtraces for memory leaks and segfaults.])
+ARG_ENABL_SET([unit-tests],     [enable unit tests using the check test framework.])
+ARG_ENABL_SET([tkm],            [enable Trusted Key Manager support.])
 
-dnl =========================
-dnl  set up compiler and flags
-dnl =========================
+# ===================================
+#  option to disable default options
+# ===================================
+
+ARG_DISBL_SET([defaults],       [disable all default plugins (they can be enabled with their respective --enable options)])
+
+if test x$defaults = xfalse; then
+	for option in $enabled_by_default; do
+		eval test x\${${option}_given} = xtrue && continue
+		let $option=false
+	done
+fi
+
+# ===========================
+#  set up compiler and flags
+# ===========================
 
 if test -z "$CFLAGS"; then
 	CFLAGS="-g -O2 -Wall -Wno-format -Wno-pointer-sign"
 fi
 AC_PROG_CC
+AM_PROG_CC_C_O
+
 AC_LIB_PREFIX
 AC_C_BIGENDIAN
 
-dnl =========================
-dnl  check required programs
-dnl =========================
+# =========================
+#  check required programs
+# =========================
 
+LT_INIT
 AC_PROG_INSTALL
-AC_PROG_LIBTOOL
 AC_PROG_EGREP
 AC_PROG_AWK
 AC_PROG_LEX
@@ -254,7 +278,7 @@ AC_PROG_YACC
 AC_PATH_PROG([PERL], [perl], [], [$PATH:/bin:/usr/bin:/usr/local/bin])
 AC_PATH_PROG([GPERF], [gperf], [], [$PATH:/bin:/usr/bin:/usr/local/bin])
 
-dnl because gperf is not needed by end-users we just report it but do not abort on failure
+# because gperf is not needed by end-users we just report it but do not abort on failure
 AC_MSG_CHECKING([gperf version >= 3.0.0])
 if test -x "$GPERF"; then
 	if test "`$GPERF --version | $AWK -F' ' '/^GNU gperf/ { print $3 }' | $AWK -F. '{ print $1 }'`" -ge "3"; then
@@ -266,9 +290,9 @@ else
 	AC_MSG_RESULT([not found])
 fi
 
-dnl =========================
-dnl  dependency calculation
-dnl =========================
+# ========================
+#  dependency calculation
+# ========================
 
 if test x$xauth_generic_given = xfalse -a x$ikev1 = xfalse; then
 	xauth_generic=false;
@@ -314,14 +338,10 @@ if test x$fips_prf = xtrue; then
 	fi
 fi
 
-if test x$smp = xtrue -o x$tnccs_11 = xtrue; then
+if test x$smp = xtrue -o x$tnccs_11 = xtrue -o x$tnc_ifmap = xtrue; then
 	xml=true
 fi
 
-if test x$tnc_ifmap = xtrue; then
-	axis2c=true
-fi
-
 if test x$manager = xtrue; then
 	fast=true
 fi
@@ -335,91 +355,93 @@ if test x$medcli = xtrue; then
 	mediation=true
 fi
 
-dnl ===========================================
-dnl  check required libraries and header files
-dnl ===========================================
+# ===========================================
+#  check required libraries and header files
+# ===========================================
 
 AC_HEADER_STDBOOL
 AC_FUNC_ALLOCA
 AC_FUNC_STRERROR_R
 
-dnl libraries needed on some platforms but not on others
-dnl ====================================================
+#  libraries needed on some platforms but not on others
+# ------------------------------------------------------
 saved_LIBS=$LIBS
 
-dnl FreeBSD and Mac OS X have dlopen integrated in libc, Linux needs libdl
+# FreeBSD and Mac OS X have dlopen integrated in libc, Linux needs libdl
 LIBS=""
 AC_SEARCH_LIBS(dlopen, dl, [DLLIB=$LIBS])
 AC_SUBST(DLLIB)
 
-dnl glibc's backtrace() can be replicated on FreeBSD with libexecinfo
+# glibc's backtrace() can be replicated on FreeBSD with libexecinfo
 LIBS=""
 AC_SEARCH_LIBS(backtrace, execinfo, [BTLIB=$LIBS])
 AC_CHECK_FUNCS(backtrace)
 AC_SUBST(BTLIB)
 
-dnl OpenSolaris needs libsocket and libnsl for socket()
+# OpenSolaris needs libsocket and libnsl for socket()
 LIBS=""
 AC_SEARCH_LIBS(socket, socket, [SOCKLIB=$LIBS],
 	[AC_CHECK_LIB(nsl, socket, [SOCKLIB="-lsocket -lnsl"], [], [-lsocket])]
 )
 AC_SUBST(SOCKLIB)
 
-dnl FreeBSD has clock_gettime in libc, Linux needs librt
+# FreeBSD has clock_gettime in libc, Linux needs librt
 LIBS=""
 AC_SEARCH_LIBS(clock_gettime, rt, [RTLIB=$LIBS])
 AC_CHECK_FUNCS(clock_gettime)
 AC_SUBST(RTLIB)
 
-dnl Android has pthread_* functions in bionic (libc), others need libpthread
+# Android has pthread_* functions in bionic (libc), others need libpthread
 LIBS=""
 AC_SEARCH_LIBS(pthread_create, pthread, [PTHREADLIB=$LIBS])
 AC_SUBST(PTHREADLIB)
 
 LIBS=$saved_LIBS
-dnl ======================
+# ------------------------------------------------------
 
 AC_MSG_CHECKING(for dladdr)
-AC_TRY_COMPILE(
-	[#define _GNU_SOURCE
-	 #include <dlfcn.h>],
-	[Dl_info* info = 0;
-	 dladdr(0, info);],
+AC_COMPILE_IFELSE(
+	[AC_LANG_PROGRAM(
+		[[#define _GNU_SOURCE
+		  #include <dlfcn.h>]],
+		[[Dl_info* info = 0;
+		  dladdr(0, info);]])],
 	[AC_MSG_RESULT([yes]); AC_DEFINE([HAVE_DLADDR], [], [have dladdr()])],
 	[AC_MSG_RESULT([no])]
 )
 
-dnl check if pthread_condattr_setclock(CLOCK_MONOTONE) is supported
+# check if pthread_condattr_setclock(CLOCK_MONOTONE) is supported
 saved_LIBS=$LIBS
 LIBS=$PTHREADLIB
 AC_MSG_CHECKING([for pthread_condattr_setclock(CLOCK_MONOTONE)])
-AC_TRY_RUN(
-	[#include <pthread.h>
-	 int main() { pthread_condattr_t attr;
-		pthread_condattr_init(&attr);
-		return pthread_condattr_setclock(&attr, CLOCK_MONOTONIC);}],
+AC_RUN_IFELSE(
+	[AC_LANG_SOURCE(
+		[[#include <pthread.h>
+		  int main() { pthread_condattr_t attr;
+			pthread_condattr_init(&attr);
+			return pthread_condattr_setclock(&attr, CLOCK_MONOTONIC);}]])],
 	[AC_MSG_RESULT([yes]);
 	 AC_DEFINE([HAVE_CONDATTR_CLOCK_MONOTONIC], [],
 			   [pthread_condattr_setclock supports CLOCK_MONOTONIC])],
 	[AC_MSG_RESULT([no])],
-	dnl Check existence of pthread_condattr_setclock if cross-compiling
+	# Check existence of pthread_condattr_setclock if cross-compiling
 	[AC_MSG_RESULT([unknown]);
 	 AC_CHECK_FUNCS(pthread_condattr_setclock,
 		[AC_DEFINE([HAVE_CONDATTR_CLOCK_MONOTONIC], [],
 				   [have pthread_condattr_setclock()])]
 	)]
 )
-dnl check if we actually are able to configure attributes on cond vars
+# check if we actually are able to configure attributes on cond vars
 AC_CHECK_FUNCS(pthread_condattr_init)
-dnl instead of pthread_condattr_setclock Android has this function
+# instead of pthread_condattr_setclock Android has this function
 AC_CHECK_FUNCS(pthread_cond_timedwait_monotonic)
-dnl check if we can cancel threads
+# check if we can cancel threads
 AC_CHECK_FUNCS(pthread_cancel)
-dnl check if native rwlocks are available
+# check if native rwlocks are available
 AC_CHECK_FUNCS(pthread_rwlock_init)
-dnl check if pthread spinlocks are available
+# check if pthread spinlocks are available
 AC_CHECK_FUNCS(pthread_spin_init)
-dnl check if we have POSIX semaphore functions, including timed-wait
+# check if we have POSIX semaphore functions, including timed-wait
 AC_CHECK_FUNCS(sem_timedwait)
 LIBS=$saved_LIBS
 
@@ -427,12 +449,13 @@ AC_CHECK_FUNC(
 	[gettid],
 	[AC_DEFINE([HAVE_GETTID], [], [have gettid()])],
 	[AC_MSG_CHECKING([for SYS_gettid])
-	 AC_TRY_COMPILE(
-		[#define _GNU_SOURCE
-		 #include <unistd.h>
-		 #include <sys/syscall.h>],
-		[int main() {
-			return syscall(SYS_gettid);}],
+	 AC_COMPILE_IFELSE(
+		[AC_LANG_PROGRAM(
+			[[#define _GNU_SOURCE
+			  #include <unistd.h>
+			  #include <sys/syscall.h>]],
+			[[int main() {
+			  return syscall(SYS_gettid);}]])],
 		[AC_MSG_RESULT([yes]);
 		 AC_DEFINE([HAVE_GETTID], [], [have gettid()])
 		 AC_DEFINE([HAVE_SYS_GETTID], [], [have syscall(SYS_gettid)])],
@@ -440,11 +463,15 @@ AC_CHECK_FUNC(
 	)]
 )
 
-AC_CHECK_FUNCS(prctl mallinfo getpass closefrom getpwnam_r getgrnam_r)
+AC_CHECK_FUNCS(prctl mallinfo getpass closefrom getpwnam_r getgrnam_r getpwuid_r)
 
 AC_CHECK_HEADERS(sys/sockio.h glob.h)
 AC_CHECK_HEADERS(net/pfkeyv2.h netipsec/ipsec.h netinet6/ipsec.h linux/udp.h)
-AC_CHECK_HEADERS(netinet/ip6.h)
+AC_CHECK_HEADERS(netinet/ip6.h, [], [],
+[
+	#include <sys/types.h>
+	#include <netinet/in.h>
+])
 
 AC_CHECK_MEMBERS([struct sockaddr.sa_len], [], [],
 [
@@ -464,101 +491,107 @@ AC_CHECK_MEMBERS([struct sadb_x_policy.sadb_x_policy_priority], [], [],
 ])
 
 AC_MSG_CHECKING([for in6addr_any])
-AC_TRY_COMPILE(
-	[#include <sys/types.h>
-	#include <sys/socket.h>
-	#include <netinet/in.h>],
-	[struct in6_addr in6;
-	in6 = in6addr_any;],
+AC_COMPILE_IFELSE(
+	[AC_LANG_PROGRAM(
+		[[#include <sys/types.h>
+		  #include <sys/socket.h>
+		  #include <netinet/in.h>]],
+		[[struct in6_addr in6;
+		  in6 = in6addr_any;]])],
 	[AC_MSG_RESULT([yes]);
 	 AC_DEFINE([HAVE_IN6ADDR_ANY], [], [have struct in6_addr in6addr_any])],
 	[AC_MSG_RESULT([no])]
 )
 
 AC_MSG_CHECKING([for in6_pktinfo])
-AC_TRY_COMPILE(
-	[#define _GNU_SOURCE
-	#include <sys/types.h>
-	#include <sys/socket.h>
-	#include <netinet/in.h>],
-	[struct in6_pktinfo pi;
-	if (pi.ipi6_ifindex)
-	{
-		return 0;
-	}],
+AC_COMPILE_IFELSE(
+	[AC_LANG_PROGRAM(
+		[[#define _GNU_SOURCE
+		  #include <sys/types.h>
+		  #include <sys/socket.h>
+		  #include <netinet/in.h>]],
+		[[struct in6_pktinfo pi;
+		  if (pi.ipi6_ifindex)
+		  {
+		    return 0;
+		  }]])],
 	[AC_MSG_RESULT([yes]);
 	 AC_DEFINE([HAVE_IN6_PKTINFO], [], [have struct in6_pktinfo.ipi6_ifindex])],
 	[AC_MSG_RESULT([no])]
 )
 
 AC_MSG_CHECKING([for IPSEC_MODE_BEET])
-AC_TRY_COMPILE(
-	[#include <sys/types.h>
-	#ifdef HAVE_NETIPSEC_IPSEC_H
-	#include <netipsec/ipsec.h>
-	#elif defined(HAVE_NETINET6_IPSEC_H)
-	#include <netinet6/ipsec.h>
-	#else
-	#include <stdint.h>
-	#include <linux/ipsec.h>
-	#endif],
-	[int mode = IPSEC_MODE_BEET;
-	 return mode;],
+AC_COMPILE_IFELSE(
+	[AC_LANG_PROGRAM(
+		[[#include <sys/types.h>
+		  #ifdef HAVE_NETIPSEC_IPSEC_H
+		  #include <netipsec/ipsec.h>
+		  #elif defined(HAVE_NETINET6_IPSEC_H)
+		  #include <netinet6/ipsec.h>
+		  #else
+		  #include <stdint.h>
+		  #include <linux/ipsec.h>
+		  #endif]],
+		[[int mode = IPSEC_MODE_BEET;
+		  return mode;]])],
 	[AC_MSG_RESULT([yes]);
 	 AC_DEFINE([HAVE_IPSEC_MODE_BEET], [], [have IPSEC_MODE_BEET defined])],
 	[AC_MSG_RESULT([no])]
 )
 
 AC_MSG_CHECKING([for IPSEC_DIR_FWD])
-AC_TRY_COMPILE(
-	[#include <sys/types.h>
-	#ifdef HAVE_NETIPSEC_IPSEC_H
-	#include <netipsec/ipsec.h>
-	#elif defined(HAVE_NETINET6_IPSEC_H)
-	#include <netinet6/ipsec.h>
-	#else
-	#include <stdint.h>
-	#include <linux/ipsec.h>
-	#endif],
-	[int dir = IPSEC_DIR_FWD;
-	 return dir;],
+AC_COMPILE_IFELSE(
+	[AC_LANG_PROGRAM(
+		[[#include <sys/types.h>
+		  #ifdef HAVE_NETIPSEC_IPSEC_H
+		  #include <netipsec/ipsec.h>
+		  #elif defined(HAVE_NETINET6_IPSEC_H)
+		  #include <netinet6/ipsec.h>
+		  #else
+		  #include <stdint.h>
+		  #include <linux/ipsec.h>
+		  #endif]],
+		[[int dir = IPSEC_DIR_FWD;
+		  return dir;]])],
 	[AC_MSG_RESULT([yes]);
 	 AC_DEFINE([HAVE_IPSEC_DIR_FWD], [], [have IPSEC_DIR_FWD defined])],
 	[AC_MSG_RESULT([no])]
 )
 
 AC_MSG_CHECKING([for RTA_TABLE])
-AC_TRY_COMPILE(
-	[#include <sys/socket.h>
-	#include <linux/netlink.h>
-	#include <linux/rtnetlink.h>],
-	[int rta_type = RTA_TABLE;
-	 return rta_type;],
+AC_COMPILE_IFELSE(
+	[AC_LANG_PROGRAM(
+		[[#include <sys/socket.h>
+		  #include <linux/netlink.h>
+		  #include <linux/rtnetlink.h>]],
+		[[int rta_type = RTA_TABLE;
+		  return rta_type;]])],
 	[AC_MSG_RESULT([yes]);
 	 AC_DEFINE([HAVE_RTA_TABLE], [], [have netlink RTA_TABLE defined])],
 	[AC_MSG_RESULT([no])]
 )
 
 AC_MSG_CHECKING([for gcc atomic operations])
-AC_TRY_RUN(
-[
-	int main() {
-		volatile int ref = 1;
-		__sync_fetch_and_add (&ref, 1);
-		__sync_sub_and_fetch (&ref, 1);
-		/* Make sure test fails if operations are not supported */
-		__sync_val_compare_and_swap(&ref, 1, 0);
-		return ref;
-	}
-],
-[AC_MSG_RESULT([yes]);
- AC_DEFINE([HAVE_GCC_ATOMIC_OPERATIONS], [],
+AC_RUN_IFELSE([AC_LANG_SOURCE(
+	[[
+			int main() {
+			volatile int ref = 1;
+			__sync_fetch_and_add (&ref, 1);
+			__sync_sub_and_fetch (&ref, 1);
+			/* Make sure test fails if operations are not supported */
+			__sync_val_compare_and_swap(&ref, 1, 0);
+			return ref;
+		}
+	]])],
+	[AC_MSG_RESULT([yes]);
+	 AC_DEFINE([HAVE_GCC_ATOMIC_OPERATIONS], [],
 		   [have GCC __sync_* atomic operations])],
-[AC_MSG_RESULT([no])],
-[AC_MSG_RESULT([no])])
+	[AC_MSG_RESULT([no])],
+	[AC_MSG_RESULT([no])]
+)
 
-dnl check for the new register_printf_specifier function with len argument,
-dnl or the deprecated register_printf_function without
+# check for the new register_printf_specifier function with len argument,
+# or the deprecated register_printf_function without
 AC_CHECK_FUNC(
 	[register_printf_specifier],
 	[AC_DEFINE([HAVE_PRINTF_SPECIFIER], [], [have register_printf_specifier()])],
@@ -573,20 +606,19 @@ AC_CHECK_FUNC(
 )
 
 if test x$vstr = xtrue; then
-	AC_HAVE_LIBRARY([vstr],[LIBS="$LIBS"],[AC_MSG_ERROR([Vstr string library not found])])
+	AC_CHECK_LIB([vstr],[main],[LIBS="$LIBS"],[AC_MSG_ERROR([Vstr string library not found])],[])
 	AC_DEFINE([USE_VSTR], [], [use vstring library for printf hooks])
 fi
 
 if test x$gmp = xtrue; then
 	saved_LIBS=$LIBS
-	AC_HAVE_LIBRARY([gmp],,[AC_MSG_ERROR([GNU Multi Precision library gmp not found])])
+	AC_CHECK_LIB([gmp],[main],[],[AC_MSG_ERROR([GNU Multi Precision library gmp not found])],[])
 	AC_MSG_CHECKING([mpz_powm_sec])
 	if test x$mpz_powm_sec = xyes; then
-		AC_TRY_COMPILE(
-			[#include "gmp.h"],
-			[
-				void *x = mpz_powm_sec;
-			],
+		AC_COMPILE_IFELSE(
+			[AC_LANG_PROGRAM(
+				[[#include "gmp.h"]],
+				[[void *x = mpz_powm_sec;]])],
 			[AC_MSG_RESULT([yes]);
 			 AC_DEFINE([HAVE_MPZ_POWM_SEC], [], [have mpz_mown_sec()])],
 			[AC_MSG_RESULT([no])]
@@ -596,28 +628,36 @@ if test x$gmp = xtrue; then
 	fi
 	LIBS=$saved_LIBS
 	AC_MSG_CHECKING([gmp.h version >= 4.1.4])
-	AC_TRY_COMPILE(
-		[#include "gmp.h"],
-		[
-			#if (__GNU_MP_VERSION*100 +  __GNU_MP_VERSION_MINOR*10 + __GNU_MP_VERSION_PATCHLEVEL) < 414
-				#error bad gmp
-			#endif
-		],
-		[AC_MSG_RESULT([yes])], [AC_MSG_RESULT([no]); AC_MSG_ERROR([No usable gmp.h found!])]
+	AC_COMPILE_IFELSE(
+		[AC_LANG_PROGRAM(
+			[[#include "gmp.h"]],
+			[[
+				#if (__GNU_MP_VERSION*100 +  __GNU_MP_VERSION_MINOR*10 + __GNU_MP_VERSION_PATCHLEVEL) < 414
+					#error bad gmp
+				#endif]])],
+		[AC_MSG_RESULT([yes])],
+		[AC_MSG_RESULT([no]); AC_MSG_ERROR([No usable gmp.h found!])]
 	)
 fi
 
 if test x$ldap = xtrue; then
-	AC_HAVE_LIBRARY([ldap],[LIBS="$LIBS"],[AC_MSG_ERROR([LDAP library ldap not found])])
-	AC_HAVE_LIBRARY([lber],[LIBS="$LIBS"],[AC_MSG_ERROR([LDAP library lber not found])])
+	AC_CHECK_LIB([ldap],[main],[LIBS="$LIBS"],[AC_MSG_ERROR([LDAP library ldap not found])],[])
+	AC_CHECK_LIB([lber],[main],[LIBS="$LIBS"],[AC_MSG_ERROR([LDAP library lber not found])],[])
 	AC_CHECK_HEADER([ldap.h],,[AC_MSG_ERROR([LDAP header ldap.h not found!])])
 fi
 
 if test x$curl = xtrue; then
-	AC_HAVE_LIBRARY([curl],[LIBS="$LIBS"],[AC_MSG_ERROR([CURL library curl not found])])
+	AC_CHECK_LIB([curl],[main],[LIBS="$LIBS"],[AC_MSG_ERROR([CURL library curl not found])],[])
 	AC_CHECK_HEADER([curl/curl.h],,[AC_MSG_ERROR([CURL header curl/curl.h not found!])])
 fi
 
+if test x$unbound = xtrue; then
+	AC_HAVE_LIBRARY([ldns],[LIBS="$LIBS"],[AC_MSG_ERROR([UNBOUND library ldns not found])])
+	AC_CHECK_HEADER([ldns/ldns.h],,[AC_MSG_ERROR([UNBOUND header ldns/ldns.h not found!])])
+	AC_HAVE_LIBRARY([unbound],[LIBS="$LIBS"],[AC_MSG_ERROR([UNBOUND library libunbound not found])])
+	AC_CHECK_HEADER([unbound.h],,[AC_MSG_ERROR([UNBOUND header unbound.h not found!])])
+fi
+
 if test x$soup = xtrue; then
 	PKG_CHECK_MODULES(soup, [libsoup-2.4])
 	AC_SUBST(soup_CFLAGS)
@@ -630,14 +670,8 @@ if test x$xml = xtrue; then
 	AC_SUBST(xml_LIBS)
 fi
 
-if test x$axis2c = xtrue; then
-	PKG_CHECK_MODULES(axis2c, [axis2c])
-	AC_SUBST(axis2c_CFLAGS)
-	AC_SUBST(axis2c_LIBS)
-fi
-
 if test x$tss = xtrousers; then
-	AC_HAVE_LIBRARY([tspi],[LIBS="$LIBS"],[AC_MSG_ERROR([TrouSerS library libtspi not found])])
+	AC_CHECK_LIB([tspi],[main],[LIBS="$LIBS"],[AC_MSG_ERROR([TrouSerS library libtspi not found])],[])
 	AC_CHECK_HEADER([trousers/tss.h],,[AC_MSG_ERROR([TrouSerS header trousers/tss.h not found!])])
 	AC_DEFINE([TSS_TROUSERS], [], [use TrouSerS library libtspi as TSS implementation])
 fi
@@ -683,28 +717,27 @@ if test x$dumm = xtrue; then
 fi
 
 if test x$fast = xtrue; then
-	AC_HAVE_LIBRARY([neo_cgi],[LIBS="$LIBS"],[AC_MSG_ERROR([ClearSilver library neo_cgi not found!])])
-	AC_HAVE_LIBRARY([neo_utl],[LIBS="$LIBS"],[AC_MSG_ERROR([ClearSilver library neo_utl not found!])])
+	AC_CHECK_LIB([neo_cgi],[main],[LIBS="$LIBS"],[AC_MSG_ERROR([ClearSilver library neo_cgi not found!])],[])
+	AC_CHECK_LIB([neo_utl],[main],[LIBS="$LIBS"],[AC_MSG_ERROR([ClearSilver library neo_utl not found!])],[])
 	AC_MSG_CHECKING([ClearSilver requires zlib])
 	saved_CFLAGS=$CFLAGS
 	saved_LIBS=$LIBS
 	LIBS="-lneo_cgi -lneo_cs -lneo_utl"
 	CFLAGS="-I/usr/include/ClearSilver"
-	AC_TRY_LINK(
-		[#include <ClearSilver.h>],
-		[
-			NEOERR *err = cgi_display(NULL, NULL);
-		],
+	AC_LINK_IFELSE(
+		[AC_LANG_PROGRAM(
+			[[#include <ClearSilver.h>]],
+			[[NEOERR *err = cgi_display(NULL, NULL);]])],
 		[AC_MSG_RESULT([no]); clearsilver_LIBS="$LIBS"],
 		[AC_MSG_RESULT([yes]); clearsilver_LIBS="$LIBS -lz"]
 	)
 	AC_SUBST(clearsilver_LIBS)
 	LIBS=$saved_LIBS
 	CFLAGS=$saved_CFLAGS
-dnl autoconf does not like CamelCase!? How to fix this?
-dnl	AC_CHECK_HEADER([ClearSilver/ClearSilver.h],,[AC_MSG_ERROR([ClearSilver header file ClearSilver/ClearSilver.h not found!])])
+# autoconf does not like CamelCase!? How to fix this?
+#	AC_CHECK_HEADER([ClearSilver/ClearSilver.h],,[AC_MSG_ERROR([ClearSilver header file ClearSilver/ClearSilver.h not found!])])
 
-	AC_HAVE_LIBRARY([fcgi],[LIBS="$LIBS"],[AC_MSG_ERROR([FastCGI library fcgi not found!])])
+	AC_CHECK_LIB([fcgi],[main],[LIBS="$LIBS"],[AC_MSG_ERROR([FastCGI library fcgi not found!])],[])
 	AC_CHECK_HEADER([fcgiapp.h],,[AC_MSG_ERROR([FastCGI header file fcgiapp.h not found!])])
 fi
 
@@ -718,40 +751,43 @@ if test x$mysql = xtrue; then
 fi
 
 if test x$sqlite = xtrue; then
-	AC_HAVE_LIBRARY([sqlite3],[LIBS="$LIBS"],[AC_MSG_ERROR([SQLite library sqlite3 not found])])
+	AC_CHECK_LIB([sqlite3],[main],[LIBS="$LIBS"],[AC_MSG_ERROR([SQLite library sqlite3 not found])],[])
 	AC_CHECK_HEADER([sqlite3.h],,[AC_MSG_ERROR([SQLite header sqlite3.h not found!])])
 	AC_MSG_CHECKING([sqlite3_prepare_v2])
-	AC_TRY_COMPILE(
-		[#include <sqlite3.h>],
-		[
-			void *test = sqlite3_prepare_v2;
-		],
-		[AC_MSG_RESULT([yes])];
-		 AC_DEFINE([HAVE_SQLITE3_PREPARE_V2], [], [have sqlite3_prepare_v2()]),
-		[AC_MSG_RESULT([no])])
+	AC_COMPILE_IFELSE(
+		[AC_LANG_PROGRAM(
+			[[#include <sqlite3.h>]],
+			[[void *test = sqlite3_prepare_v2;]])],
+		[AC_MSG_RESULT([yes]);
+		 AC_DEFINE([HAVE_SQLITE3_PREPARE_V2], [], [have sqlite3_prepare_v2()])],
+		[AC_MSG_RESULT([no])]
+	)
 	AC_MSG_CHECKING([sqlite3.h version >= 3.3.1])
-	AC_TRY_COMPILE(
-		[#include <sqlite3.h>],
-		[
-			#if SQLITE_VERSION_NUMBER < 3003001
-				#error bad sqlite
-			#endif
-		],
-		[AC_MSG_RESULT([yes])], [AC_MSG_RESULT([no]); AC_MSG_ERROR([SQLite version >= 3.3.1 required!])])
+	AC_COMPILE_IFELSE(
+		[AC_LANG_PROGRAM(
+			[[#include <sqlite3.h>]],
+			[[
+				#if SQLITE_VERSION_NUMBER < 3003001
+					#error bad sqlite
+				#endif]])],
+		[AC_MSG_RESULT([yes])],
+		[AC_MSG_RESULT([no]); AC_MSG_ERROR([SQLite version >= 3.3.1 required!])]
+	)
 fi
 
 if test x$openssl = xtrue; then
-	AC_HAVE_LIBRARY([crypto],[LIBS="$LIBS"],[AC_MSG_ERROR([OpenSSL crypto library not found])])
+	AC_CHECK_LIB([crypto],[main],[LIBS="$LIBS"],[AC_MSG_ERROR([OpenSSL crypto library not found])],[])
 	AC_CHECK_HEADER([openssl/evp.h],,[AC_MSG_ERROR([OpenSSL header openssl/evp.h not found!])])
 fi
 
 if test x$gcrypt = xtrue; then
-	AC_HAVE_LIBRARY([gcrypt],[LIBS="$LIBS"],[AC_MSG_ERROR([gcrypt library not found])],[-lgpg-error])
+	AC_CHECK_LIB([gcrypt],[main],[LIBS="$LIBS"],[AC_MSG_ERROR([gcrypt library not found])],[-lgpg-error])
 	AC_CHECK_HEADER([gcrypt.h],,[AC_MSG_ERROR([gcrypt header gcrypt.h not found!])])
 	AC_MSG_CHECKING([gcrypt CAMELLIA cipher])
-	AC_TRY_COMPILE(
-		[#include <gcrypt.h>],
-		[enum gcry_cipher_algos alg = GCRY_CIPHER_CAMELLIA128;],
+	AC_COMPILE_IFELSE(
+		[AC_LANG_PROGRAM(
+			[[#include <gcrypt.h>]],
+			[[enum gcry_cipher_algos alg = GCRY_CIPHER_CAMELLIA128;]])],
 		[AC_MSG_RESULT([yes]);
 		 AC_DEFINE([HAVE_GCRY_CIPHER_CAMELLIA], [], [have GCRY_CIPHER_CAMELLIA128])],
 		[AC_MSG_RESULT([no])]
@@ -759,15 +795,15 @@ if test x$gcrypt = xtrue; then
 fi
 
 if test x$uci = xtrue; then
-	AC_HAVE_LIBRARY([uci],[LIBS="$LIBS"],[AC_MSG_ERROR([UCI library libuci not found])])
+	AC_CHECK_LIB([uci],[main],[LIBS="$LIBS"],[AC_MSG_ERROR([UCI library libuci not found])],[])
 	AC_CHECK_HEADER([uci.h],,[AC_MSG_ERROR([UCI header uci.h not found!])])
 fi
 
-if test x$android = xtrue; then
-	AC_HAVE_LIBRARY([cutils],[LIBS="$LIBS"],[AC_MSG_ERROR([Android library libcutils not found])])
+if test x$android_dns = xtrue; then
+	AC_CHECK_LIB([cutils],[main],[LIBS="$LIBS"],[AC_MSG_ERROR([Android library libcutils not found])],[])
 	AC_CHECK_HEADER([cutils/properties.h],,[AC_MSG_ERROR([Android header cutils/properties.h not found!])])
-	dnl we have to force the use of libdl here because the autodetection
-	dnl above does not work correctly when cross-compiling for android.
+	# we have to force the use of libdl here because the autodetection
+	# above does not work correctly when cross-compiling for android.
 	DLLIB="-ldl"
 	AC_SUBST(DLLIB)
 fi
@@ -796,21 +832,21 @@ if test x$nm = xtrue; then
 fi
 
 if test x$xauth_pam = xtrue; then
-	AC_HAVE_LIBRARY([pam],[LIBS="$LIBS"],[AC_MSG_ERROR([PAM library not found])])
+	AC_CHECK_LIB([pam],[main],[LIBS="$LIBS"],[AC_MSG_ERROR([PAM library not found])],[])
 	AC_CHECK_HEADER([security/pam_appl.h],,[AC_MSG_ERROR([PAM header security/pam_appl.h not found!])])
 fi
 
 if test x$capabilities = xnative; then
 	AC_MSG_NOTICE([Usage of the native Linux capabilities interface is deprecated, use libcap instead])
-	dnl Linux requires the following for capset(), Android does not have it,
-	dnl but defines capset() in unistd.h instead.
+	# Linux requires the following for capset(), Android does not have it,
+	# but defines capset() in unistd.h instead.
 	AC_CHECK_HEADERS([sys/capability.h])
 	AC_CHECK_FUNC(capset,,[AC_MSG_ERROR([capset() not found!])])
 	AC_DEFINE([CAPABILITIES_NATIVE], [], [have native linux capset()])
 fi
 
 if test x$capabilities = xlibcap; then
-	AC_HAVE_LIBRARY([cap],[LIBS="$LIBS"],[AC_MSG_ERROR([libcap library not found])])
+	AC_CHECK_LIB([cap],[main],[LIBS="$LIBS"],[AC_MSG_ERROR([libcap library not found])],[])
 	AC_CHECK_HEADER([sys/capability.h],
 		[AC_DEFINE([HAVE_SYS_CAPABILITY_H], [], [have sys/capability.h])],
 		[AC_MSG_ERROR([libcap header sys/capability.h not found!])])
@@ -819,25 +855,29 @@ fi
 
 if test x$integrity_test = xtrue; then
 	AC_MSG_CHECKING([for dladdr()])
-	AC_TRY_COMPILE(
-		[#define _GNU_SOURCE
-		 #include <dlfcn.h>],
-		[Dl_info info; dladdr(main, &info);],
-		[AC_MSG_RESULT([yes])], [AC_MSG_RESULT([no]);
+	AC_COMPILE_IFELSE(
+		[AC_LANG_PROGRAM(
+			[[#define _GNU_SOURCE
+			  #include <dlfcn.h>]],
+			[[Dl_info info; dladdr(main, &info);]])],
+		[AC_MSG_RESULT([yes])],
+		[AC_MSG_RESULT([no]);
 		 AC_MSG_ERROR([dladdr() not supported, required by integrity-test!])]
 	)
 	AC_MSG_CHECKING([for dl_iterate_phdr()])
-	AC_TRY_COMPILE(
-		[#define _GNU_SOURCE
-		 #include <link.h>],
-		[dl_iterate_phdr((void*)0, (void*)0);],
-		[AC_MSG_RESULT([yes])], [AC_MSG_RESULT([no]);
+	AC_COMPILE_IFELSE(
+		[AC_LANG_PROGRAM(
+			[[#define _GNU_SOURCE
+			  #include <link.h>]],
+			[[dl_iterate_phdr((void*)0, (void*)0);]])],
+		[AC_MSG_RESULT([yes])],
+		[AC_MSG_RESULT([no]);
 		 AC_MSG_ERROR([dl_iterate_phdr() not supported, required by integrity-test!])]
 	)
 fi
 
 if test x$bfd_backtraces = xtrue; then
-	AC_HAVE_LIBRARY([bfd],[LIBS="$LIBS"],[AC_MSG_ERROR([binutils libbfd not found!])])
+	AC_CHECK_LIB([bfd],[main],[LIBS="$LIBS"],[AC_MSG_ERROR([binutils libbfd not found!])],[])
 	AC_CHECK_HEADER([bfd.h],[AC_DEFINE([HAVE_BFD_H],,[have binutils bfd.h])],
 		[AC_MSG_ERROR([binutils bfd.h header not found!])])
 	BFDLIB="-lbfd"
@@ -852,9 +892,19 @@ AC_SUBST(dev_headers)
 
 CFLAGS="$CFLAGS -include `pwd`/config.h"
 
-dnl ==============================================
-dnl  collect plugin list for strongSwan components
-dnl ==============================================
+if test x$tkm = xtrue; then
+	AC_PATH_PROG([GPRBUILD], [gprbuild], [], [$PATH:/bin:/usr/bin:/usr/local/bin])
+fi
+
+if test x$unit_tests = xtrue; then
+	PKG_CHECK_MODULES(CHECK, [check >= 0.9.4])
+	AC_SUBST(CHECK_CFLAGS)
+	AC_SUBST(CHECK_LIBS)
+fi
+
+# ===============================================
+#  collect plugin list for strongSwan components
+# ===============================================
 
 m4_include(m4/macros/add-plugin.m4)
 
@@ -880,6 +930,7 @@ s_plugins=
 ADD_PLUGIN([test-vectors],         [s charon openac scepclient pki])
 ADD_PLUGIN([curl],                 [s charon scepclient scripts nm])
 ADD_PLUGIN([soup],                 [s charon scripts nm])
+ADD_PLUGIN([unbound],              [s charon scripts])
 ADD_PLUGIN([ldap],                 [s charon scepclient scripts nm])
 ADD_PLUGIN([mysql],                [s charon pool manager medsrv attest])
 ADD_PLUGIN([sqlite],               [s charon pool manager medsrv attest])
@@ -903,6 +954,7 @@ ADD_PLUGIN([pkcs7],                [s scepclient pki])
 ADD_PLUGIN([pkcs8],                [s charon openac scepclient pki scripts manager medsrv attest nm])
 ADD_PLUGIN([pgp],                  [s charon])
 ADD_PLUGIN([dnskey],               [s charon])
+ADD_PLUGIN([ipseckey],             [c charon])
 ADD_PLUGIN([pem],                  [s charon openac scepclient pki scripts manager medsrv attest nm])
 ADD_PLUGIN([padlock],              [s charon])
 ADD_PLUGIN([openssl],              [s charon openac scepclient pki scripts manager medsrv attest nm])
@@ -953,6 +1005,7 @@ ADD_PLUGIN([eap-tnc],              [c charon])
 ADD_PLUGIN([xauth-generic],        [c charon])
 ADD_PLUGIN([xauth-eap],            [c charon])
 ADD_PLUGIN([xauth-pam],            [c charon])
+ADD_PLUGIN([xauth-noauth],         [c charon])
 ADD_PLUGIN([tnc-ifmap],            [c charon])
 ADD_PLUGIN([tnc-pdp],              [c charon])
 ADD_PLUGIN([tnc-imc],              [c charon])
@@ -964,13 +1017,14 @@ ADD_PLUGIN([tnccs-dynamic],        [c charon])
 ADD_PLUGIN([medsrv],               [c charon])
 ADD_PLUGIN([medcli],               [c charon])
 ADD_PLUGIN([dhcp],                 [c charon])
-ADD_PLUGIN([android],              [c charon])
+ADD_PLUGIN([android-dns],          [c charon])
 ADD_PLUGIN([android-log],          [c charon])
 ADD_PLUGIN([ha],                   [c charon])
 ADD_PLUGIN([whitelist],            [c charon])
 ADD_PLUGIN([lookip],               [c charon])
 ADD_PLUGIN([error-notify],         [c charon])
 ADD_PLUGIN([certexpire],           [c charon])
+ADD_PLUGIN([systime-fix],          [c charon])
 ADD_PLUGIN([led],                  [c charon])
 ADD_PLUGIN([duplicheck],           [c charon])
 ADD_PLUGIN([coupling],             [c charon])
@@ -994,18 +1048,18 @@ AC_SUBST(medsrv_plugins)
 AC_SUBST(nm_plugins)
 
 AC_SUBST(c_plugins)
-AC_SUBST(p_plugins)
 AC_SUBST(h_plugins)
 AC_SUBST(s_plugins)
 
-dnl =========================
-dnl  set Makefile.am vars
-dnl =========================
+# ======================
+#  set Makefile.am vars
+# ======================
 
-dnl libstrongswan plugins
-dnl =====================
+#  libstrongswan plugins
+# -----------------------
 AM_CONDITIONAL(USE_TEST_VECTORS, test x$test_vectors = xtrue)
 AM_CONDITIONAL(USE_CURL, test x$curl = xtrue)
+AM_CONDITIONAL(USE_UNBOUND, test x$unbound = xtrue)
 AM_CONDITIONAL(USE_SOUP, test x$soup = xtrue)
 AM_CONDITIONAL(USE_LDAP, test x$ldap = xtrue)
 AM_CONDITIONAL(USE_AES, test x$aes = xtrue)
@@ -1045,17 +1099,18 @@ AM_CONDITIONAL(USE_CCM, test x$ccm = xtrue)
 AM_CONDITIONAL(USE_GCM, test x$gcm = xtrue)
 AM_CONDITIONAL(USE_AF_ALG, test x$af_alg = xtrue)
 
-dnl charon plugins
-dnl ==============
+#  charon plugins
+# ----------------
 AM_CONDITIONAL(USE_STROKE, test x$stroke = xtrue)
 AM_CONDITIONAL(USE_MEDSRV, test x$medsrv = xtrue)
 AM_CONDITIONAL(USE_MEDCLI, test x$medcli = xtrue)
 AM_CONDITIONAL(USE_UCI, test x$uci = xtrue)
-AM_CONDITIONAL(USE_ANDROID, test x$android = xtrue)
+AM_CONDITIONAL(USE_ANDROID_DNS, test x$android_dns = xtrue)
 AM_CONDITIONAL(USE_ANDROID_LOG, test x$android_log = xtrue)
 AM_CONDITIONAL(USE_MAEMO, test x$maemo = xtrue)
 AM_CONDITIONAL(USE_SMP, test x$smp = xtrue)
 AM_CONDITIONAL(USE_SQL, test x$sql = xtrue)
+AM_CONDITIONAL(USE_IPSECKEY, test x$ipseckey = xtrue)
 AM_CONDITIONAL(USE_UPDOWN, test x$updown = xtrue)
 AM_CONDITIONAL(USE_DHCP, test x$dhcp = xtrue)
 AM_CONDITIONAL(USE_UNIT_TESTS, test x$unit_tester = xtrue)
@@ -1065,6 +1120,7 @@ AM_CONDITIONAL(USE_WHITELIST, test x$whitelist = xtrue)
 AM_CONDITIONAL(USE_LOOKIP, test x$lookip = xtrue)
 AM_CONDITIONAL(USE_ERROR_NOTIFY, test x$error_notify = xtrue)
 AM_CONDITIONAL(USE_CERTEXPIRE, test x$certexpire = xtrue)
+AM_CONDITIONAL(USE_SYSTIME_FIX, test x$systime_fix = xtrue)
 AM_CONDITIONAL(USE_LED, test x$led = xtrue)
 AM_CONDITIONAL(USE_DUPLICHECK, test x$duplicheck = xtrue)
 AM_CONDITIONAL(USE_COUPLING, test x$coupling = xtrue)
@@ -1090,6 +1146,7 @@ AM_CONDITIONAL(USE_EAP_RADIUS, test x$eap_radius = xtrue)
 AM_CONDITIONAL(USE_XAUTH_GENERIC, test x$xauth_generic = xtrue)
 AM_CONDITIONAL(USE_XAUTH_EAP, test x$xauth_eap = xtrue)
 AM_CONDITIONAL(USE_XAUTH_PAM, test x$xauth_pam = xtrue)
+AM_CONDITIONAL(USE_XAUTH_NOAUTH, test x$xauth_noauth = xtrue)
 AM_CONDITIONAL(USE_TNC_IFMAP, test x$tnc_ifmap = xtrue)
 AM_CONDITIONAL(USE_TNC_PDP, test x$tnc_pdp = xtrue)
 AM_CONDITIONAL(USE_TNC_IMC, test x$tnc_imc = xtrue)
@@ -1112,18 +1169,18 @@ AM_CONDITIONAL(USE_FARP, test x$farp = xtrue)
 AM_CONDITIONAL(USE_ADDRBLOCK, test x$addrblock = xtrue)
 AM_CONDITIONAL(USE_UNITY, test x$unity = xtrue)
 
-dnl hydra plugins
-dnl =============
+#  hydra plugins
+# ---------------
 AM_CONDITIONAL(USE_ATTR, test x$attr = xtrue)
-AM_CONDITIONAL(USE_ATTR_SQL, test x$attr_sql = xtrue -o x$sql = xtrue)
+AM_CONDITIONAL(USE_ATTR_SQL, test x$attr_sql = xtrue)
 AM_CONDITIONAL(USE_KERNEL_KLIPS, test x$kernel_klips = xtrue)
 AM_CONDITIONAL(USE_KERNEL_NETLINK, test x$kernel_netlink = xtrue)
 AM_CONDITIONAL(USE_KERNEL_PFKEY, test x$kernel_pfkey = xtrue)
 AM_CONDITIONAL(USE_KERNEL_PFROUTE, test x$kernel_pfroute = xtrue)
 AM_CONDITIONAL(USE_RESOLVE, test x$resolve = xtrue)
 
-dnl other options
-dnl =============
+#  other options
+# ---------------
 AM_CONDITIONAL(USE_LEAK_DETECTIVE, test x$leak_detective = xtrue)
 AM_CONDITIONAL(USE_LOCK_PROFILER, test x$lock_profiler = xtrue)
 AM_CONDITIONAL(USE_DUMM, test x$dumm = xtrue)
@@ -1141,12 +1198,13 @@ AM_CONDITIONAL(USE_NM, test x$nm = xtrue)
 AM_CONDITIONAL(USE_TOOLS, test x$tools = xtrue)
 AM_CONDITIONAL(USE_SCRIPTS, test x$scripts = xtrue)
 AM_CONDITIONAL(USE_CONFTEST, test x$conftest = xtrue)
-AM_CONDITIONAL(USE_LIBSTRONGSWAN, test x$charon = xtrue -o x$tools = xtrue -o x$conftest = xtrue -o x$fast = xtrue -o x$imcv = xtrue -o x$nm = xtrue)
-AM_CONDITIONAL(USE_LIBHYDRA, test x$charon = xtrue -o x$nm = xtrue)
-AM_CONDITIONAL(USE_LIBCHARON, test x$charon = xtrue -o x$conftest = xtrue -o x$nm = xtrue)
+AM_CONDITIONAL(USE_LIBSTRONGSWAN, test x$charon = xtrue -o x$tools = xtrue -o x$conftest = xtrue -o x$fast = xtrue -o x$imcv = xtrue -o x$nm = xtrue -o x$tkm = xtrue)
+AM_CONDITIONAL(USE_LIBHYDRA, test x$charon = xtrue -o x$nm = xtrue -o x$tkm = xtrue)
+AM_CONDITIONAL(USE_LIBCHARON, test x$charon = xtrue -o x$conftest = xtrue -o x$nm = xtrue -o x$tkm = xtrue)
 AM_CONDITIONAL(USE_LIBIPSEC, test x$libipsec = xtrue)
 AM_CONDITIONAL(USE_LIBTNCIF, test x$tnc_tnccs = xtrue -o x$imcv = xtrue)
 AM_CONDITIONAL(USE_LIBTNCCS, test x$tnc_tnccs = xtrue)
+AM_CONDITIONAL(USE_LIBPTTLS, test x$tnc_tnccs = xtrue)
 AM_CONDITIONAL(USE_FILE_CONFIG, test x$stroke = xtrue)
 AM_CONDITIONAL(USE_IPSEC_SCRIPT, test x$stroke = xtrue -o x$tools = xtrue -o x$conftest = xtrue)
 AM_CONDITIONAL(USE_LIBCAP, test x$capabilities = xlibcap)
@@ -1158,10 +1216,12 @@ AM_CONDITIONAL(USE_IMCV, test x$imcv = xtrue)
 AM_CONDITIONAL(USE_PTS, test x$pts = xtrue)
 AM_CONDITIONAL(USE_TROUSERS, test x$tss = xtrousers)
 AM_CONDITIONAL(MONOLITHIC, test x$monolithic = xtrue)
+AM_CONDITIONAL(UNITTESTS, test x$unit_tests = xtrue)
+AM_CONDITIONAL(USE_TKM, test x$tkm = xtrue)
 
-dnl ==============================
-dnl  set global definitions
-dnl ==============================
+# ========================
+#  set global definitions
+# ========================
 
 if test x$mediation = xtrue; then
 	AC_DEFINE([ME], [], [mediation extension support])
@@ -1179,11 +1239,11 @@ if test x$ikev2 = xtrue; then
 	AC_DEFINE([USE_IKEV2], [], [support for IKEv2 protocol])
 fi
 
-dnl ==============================
-dnl  build Makefiles
-dnl ==============================
+# =================
+#  build Makefiles
+# =================
 
-AC_OUTPUT(
+AC_CONFIG_FILES([
 	Makefile
 	man/Makefile
 	init/Makefile
@@ -1217,6 +1277,7 @@ AC_OUTPUT(
 	src/libstrongswan/plugins/dnskey/Makefile
 	src/libstrongswan/plugins/pem/Makefile
 	src/libstrongswan/plugins/curl/Makefile
+	src/libstrongswan/plugins/unbound/Makefile
 	src/libstrongswan/plugins/soup/Makefile
 	src/libstrongswan/plugins/ldap/Makefile
 	src/libstrongswan/plugins/mysql/Makefile
@@ -1245,6 +1306,7 @@ AC_OUTPUT(
 	src/libradius/Makefile
 	src/libtncif/Makefile
 	src/libtnccs/Makefile
+	src/libpttls/Makefile
 	src/libpts/Makefile
 	src/libpts/plugins/imc_attestation/Makefile
 	src/libpts/plugins/imv_attestation/Makefile
@@ -1257,6 +1319,7 @@ AC_OUTPUT(
 	src/libimcv/plugins/imv_os/Makefile
 	src/charon/Makefile
 	src/charon-nm/Makefile
+	src/charon-tkm/Makefile
 	src/libcharon/Makefile
 	src/libcharon/plugins/eap_aka/Makefile
 	src/libcharon/plugins/eap_aka_3gpp2/Makefile
@@ -1279,6 +1342,7 @@ AC_OUTPUT(
 	src/libcharon/plugins/xauth_generic/Makefile
 	src/libcharon/plugins/xauth_eap/Makefile
 	src/libcharon/plugins/xauth_pam/Makefile
+	src/libcharon/plugins/xauth_noauth/Makefile
 	src/libcharon/plugins/tnc_ifmap/Makefile
 	src/libcharon/plugins/tnc_pdp/Makefile
 	src/libcharon/plugins/tnc_imc/Makefile
@@ -1292,6 +1356,7 @@ AC_OUTPUT(
 	src/libcharon/plugins/farp/Makefile
 	src/libcharon/plugins/smp/Makefile
 	src/libcharon/plugins/sql/Makefile
+	src/libcharon/plugins/ipseckey/Makefile
 	src/libcharon/plugins/medsrv/Makefile
 	src/libcharon/plugins/medcli/Makefile
 	src/libcharon/plugins/addrblock/Makefile
@@ -1302,11 +1367,12 @@ AC_OUTPUT(
 	src/libcharon/plugins/lookip/Makefile
 	src/libcharon/plugins/error_notify/Makefile
 	src/libcharon/plugins/certexpire/Makefile
+	src/libcharon/plugins/systime_fix/Makefile
 	src/libcharon/plugins/led/Makefile
 	src/libcharon/plugins/duplicheck/Makefile
 	src/libcharon/plugins/coupling/Makefile
 	src/libcharon/plugins/radattr/Makefile
-	src/libcharon/plugins/android/Makefile
+	src/libcharon/plugins/android_dns/Makefile
 	src/libcharon/plugins/android_log/Makefile
 	src/libcharon/plugins/maemo/Makefile
 	src/libcharon/plugins/stroke/Makefile
@@ -1332,4 +1398,18 @@ AC_OUTPUT(
 	src/conftest/Makefile
 	scripts/Makefile
 	testing/Makefile
-)
+])
+AC_OUTPUT
+
+# ========================
+#  report enabled plugins
+# ========================
+
+AC_MSG_RESULT([])
+AC_MSG_RESULT([ strongSwan will be built with the following plugins])
+AC_MSG_RESULT([-----------------------------------------------------])
+
+AC_MSG_RESULT([libstrongswan:$s_plugins])
+AC_MSG_RESULT([libcharon:    $c_plugins])
+AC_MSG_RESULT([libhydra:     $h_plugins])
+AC_MSG_RESULT([])
diff --git a/depcomp b/depcomp
index bd0ac0895..25a39e6cd 100755
--- a/depcomp
+++ b/depcomp
@@ -1,10 +1,10 @@
 #! /bin/sh
 # depcomp - compile a program generating dependencies as side-effects
 
-scriptversion=2011-12-04.11; # UTC
+scriptversion=2012-03-27.16; # UTC
 
 # Copyright (C) 1999, 2000, 2003, 2004, 2005, 2006, 2007, 2009, 2010,
-# 2011 Free Software Foundation, Inc.
+# 2011, 2012 Free Software Foundation, Inc.
 
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
@@ -28,7 +28,7 @@ scriptversion=2011-12-04.11; # UTC
 
 case $1 in
   '')
-     echo "$0: No command.  Try \`$0 --help' for more information." 1>&2
+     echo "$0: No command.  Try '$0 --help' for more information." 1>&2
      exit 1;
      ;;
   -h | --h*)
@@ -40,8 +40,8 @@ as side-effects.
 
 Environment variables:
   depmode     Dependency tracking mode.
-  source      Source file read by `PROGRAMS ARGS'.
-  object      Object file output by `PROGRAMS ARGS'.
+  source      Source file read by 'PROGRAMS ARGS'.
+  object      Object file output by 'PROGRAMS ARGS'.
   DEPDIR      directory where to store dependencies.
   depfile     Dependency file to output.
   tmpdepfile  Temporary file to use when outputting dependencies.
@@ -57,6 +57,12 @@ EOF
     ;;
 esac
 
+# A tabulation character.
+tab='	'
+# A newline character.
+nl='
+'
+
 if test -z "$depmode" || test -z "$source" || test -z "$object"; then
   echo "depcomp: Variables source, object and depmode must be set" 1>&2
   exit 1
@@ -102,6 +108,12 @@ if test "$depmode" = msvc7msys; then
    depmode=msvc7
 fi
 
+if test "$depmode" = xlc; then
+   # IBM C/C++ Compilers xlc/xlC can output gcc-like dependency informations.
+   gccflag=-qmakedep=gcc,-MF
+   depmode=gcc
+fi
+
 case "$depmode" in
 gcc3)
 ## gcc 3 implements dependency tracking that does exactly what
@@ -156,15 +168,14 @@ gcc)
 ## The second -e expression handles DOS-style file names with drive letters.
   sed -e 's/^[^:]*: / /' \
       -e 's/^['$alpha']:\/[^:]*: / /' < "$tmpdepfile" >> "$depfile"
-## This next piece of magic avoids the `deleted header file' problem.
+## This next piece of magic avoids the "deleted header file" problem.
 ## The problem is that when a header file which appears in a .P file
 ## is deleted, the dependency causes make to die (because there is
 ## typically no way to rebuild the header).  We avoid this by adding
 ## dummy dependencies for each header file.  Too bad gcc doesn't do
 ## this for us directly.
-  tr ' ' '
-' < "$tmpdepfile" |
-## Some versions of gcc put a space before the `:'.  On the theory
+  tr ' ' "$nl" < "$tmpdepfile" |
+## Some versions of gcc put a space before the ':'.  On the theory
 ## that the space means something, we add a space to the output as
 ## well.  hp depmode also adds that space, but also prefixes the VPATH
 ## to the object.  Take care to not repeat it in the output.
@@ -203,18 +214,15 @@ sgi)
     # clever and replace this with sed code, as IRIX sed won't handle
     # lines with more than a fixed number of characters (4096 in
     # IRIX 6.2 sed, 8192 in IRIX 6.5).  We also remove comment lines;
-    # the IRIX cc adds comments like `#:fec' to the end of the
+    # the IRIX cc adds comments like '#:fec' to the end of the
     # dependency line.
-    tr ' ' '
-' < "$tmpdepfile" \
+    tr ' ' "$nl" < "$tmpdepfile" \
     | sed -e 's/^.*\.o://' -e 's/#.*$//' -e '/^$/ d' | \
-    tr '
-' ' ' >> "$depfile"
+    tr "$nl" ' ' >> "$depfile"
     echo >> "$depfile"
 
     # The second pass generates a dummy entry for each header file.
-    tr ' ' '
-' < "$tmpdepfile" \
+    tr ' ' "$nl" < "$tmpdepfile" \
    | sed -e 's/^.*\.o://' -e 's/#.*$//' -e '/^$/ d' -e 's/$/:/' \
    >> "$depfile"
   else
@@ -226,10 +234,17 @@ sgi)
   rm -f "$tmpdepfile"
   ;;
 
+xlc)
+  # This case exists only to let depend.m4 do its work.  It works by
+  # looking at the text of this script.  This case will never be run,
+  # since it is checked for above.
+  exit 1
+  ;;
+
 aix)
   # The C for AIX Compiler uses -M and outputs the dependencies
   # in a .u file.  In older versions, this file always lives in the
-  # current directory.  Also, the AIX compiler puts `$object:' at the
+  # current directory.  Also, the AIX compiler puts '$object:' at the
   # start of each line; $object doesn't have directory information.
   # Version 6 uses the directory in both cases.
   dir=`echo "$object" | sed -e 's|/[^/]*$|/|'`
@@ -259,12 +274,11 @@ aix)
     test -f "$tmpdepfile" && break
   done
   if test -f "$tmpdepfile"; then
-    # Each line is of the form `foo.o: dependent.h'.
+    # Each line is of the form 'foo.o: dependent.h'.
     # Do two passes, one to just change these to
-    # `$object: dependent.h' and one to simply `dependent.h:'.
+    # '$object: dependent.h' and one to simply 'dependent.h:'.
     sed -e "s,^.*\.[a-z]*:,$object:," < "$tmpdepfile" > "$depfile"
-    # That's a tab and a space in the [].
-    sed -e 's,^.*\.[a-z]*:[	 ]*,,' -e 's,$,:,' < "$tmpdepfile" >> "$depfile"
+    sed -e 's,^.*\.[a-z]*:['"$tab"' ]*,,' -e 's,$,:,' < "$tmpdepfile" >> "$depfile"
   else
     # The sourcefile does not contain any dependencies, so just
     # store a dummy comment line, to avoid errors with the Makefile
@@ -275,23 +289,26 @@ aix)
   ;;
 
 icc)
-  # Intel's C compiler understands `-MD -MF file'.  However on
-  #    icc -MD -MF foo.d -c -o sub/foo.o sub/foo.c
+  # Intel's C compiler anf tcc (Tiny C Compiler) understand '-MD -MF file'.
+  # However on
+  #    $CC -MD -MF foo.d -c -o sub/foo.o sub/foo.c
   # ICC 7.0 will fill foo.d with something like
   #    foo.o: sub/foo.c
   #    foo.o: sub/foo.h
-  # which is wrong.  We want:
+  # which is wrong.  We want
   #    sub/foo.o: sub/foo.c
   #    sub/foo.o: sub/foo.h
   #    sub/foo.c:
   #    sub/foo.h:
   # ICC 7.1 will output
   #    foo.o: sub/foo.c sub/foo.h
-  # and will wrap long lines using \ :
+  # and will wrap long lines using '\':
   #    foo.o: sub/foo.c ... \
   #     sub/foo.h ... \
   #     ...
-
+  # tcc 0.9.26 (FIXME still under development at the moment of writing)
+  # will emit a similar output, but also prepend the continuation lines
+  # with horizontal tabulation characters.
   "$@" -MD -MF "$tmpdepfile"
   stat=$?
   if test $stat -eq 0; then :
@@ -300,15 +317,21 @@ icc)
     exit $stat
   fi
   rm -f "$depfile"
-  # Each line is of the form `foo.o: dependent.h',
-  # or `foo.o: dep1.h dep2.h \', or ` dep3.h dep4.h \'.
+  # Each line is of the form 'foo.o: dependent.h',
+  # or 'foo.o: dep1.h dep2.h \', or ' dep3.h dep4.h \'.
   # Do two passes, one to just change these to
-  # `$object: dependent.h' and one to simply `dependent.h:'.
-  sed "s,^[^:]*:,$object :," < "$tmpdepfile" > "$depfile"
-  # Some versions of the HPUX 10.20 sed can't process this invocation
-  # correctly.  Breaking it into two sed invocations is a workaround.
-  sed 's,^[^:]*: \(.*\)$,\1,;s/^\\$//;/^$/d;/:$/d' < "$tmpdepfile" |
-    sed -e 's/$/ :/' >> "$depfile"
+  # '$object: dependent.h' and one to simply 'dependent.h:'.
+  sed -e "s/^[ $tab][ $tab]*/  /" -e "s,^[^:]*:,$object :," \
+    < "$tmpdepfile" > "$depfile"
+  sed '
+    s/[ '"$tab"'][ '"$tab"']*/ /g
+    s/^ *//
+    s/ *\\*$//
+    s/^[^:]*: *//
+    /^$/d
+    /:$/d
+    s/$/ :/
+  ' < "$tmpdepfile" >> "$depfile"
   rm -f "$tmpdepfile"
   ;;
 
@@ -344,7 +367,7 @@ hp2)
   done
   if test -f "$tmpdepfile"; then
     sed -e "s,^.*\.[a-z]*:,$object:," "$tmpdepfile" > "$depfile"
-    # Add `dependent.h:' lines.
+    # Add 'dependent.h:' lines.
     sed -ne '2,${
 	       s/^ *//
 	       s/ \\*$//
@@ -359,9 +382,9 @@ hp2)
 
 tru64)
    # The Tru64 compiler uses -MD to generate dependencies as a side
-   # effect.  `cc -MD -o foo.o ...' puts the dependencies into `foo.o.d'.
+   # effect.  'cc -MD -o foo.o ...' puts the dependencies into 'foo.o.d'.
    # At least on Alpha/Redhat 6.1, Compaq CCC V6.2-504 seems to put
-   # dependencies in `foo.d' instead, so we check for that too.
+   # dependencies in 'foo.d' instead, so we check for that too.
    # Subdirectories are respected.
    dir=`echo "$object" | sed -e 's|/[^/]*$|/|'`
    test "x$dir" = "x$object" && dir=
@@ -407,8 +430,7 @@ tru64)
    done
    if test -f "$tmpdepfile"; then
       sed -e "s,^.*\.[a-z]*:,$object:," < "$tmpdepfile" > "$depfile"
-      # That's a tab and a space in the [].
-      sed -e 's,^.*\.[a-z]*:[	 ]*,,' -e 's,$,:,' < "$tmpdepfile" >> "$depfile"
+      sed -e 's,^.*\.[a-z]*:['"$tab"' ]*,,' -e 's,$,:,' < "$tmpdepfile" >> "$depfile"
    else
       echo "#dummy" > "$depfile"
    fi
@@ -443,11 +465,11 @@ msvc7)
   p
 }' | $cygpath_u | sort -u | sed -n '
 s/ /\\ /g
-s/\(.*\)/	\1 \\/p
+s/\(.*\)/'"$tab"'\1 \\/p
 s/.\(.*\) \\/\1:/
 H
 $ {
-  s/.*/	/
+  s/.*/'"$tab"'/
   G
   p
 }' >> "$depfile"
@@ -478,7 +500,7 @@ dashmstdout)
     shift
   fi
 
-  # Remove `-o $object'.
+  # Remove '-o $object'.
   IFS=" "
   for arg
   do
@@ -498,15 +520,14 @@ dashmstdout)
   done
 
   test -z "$dashmflag" && dashmflag=-M
-  # Require at least two characters before searching for `:'
+  # Require at least two characters before searching for ':'
   # in the target name.  This is to cope with DOS-style filenames:
-  # a dependency such as `c:/foo/bar' could be seen as target `c' otherwise.
+  # a dependency such as 'c:/foo/bar' could be seen as target 'c' otherwise.
   "$@" $dashmflag |
-    sed 's:^[  ]*[^: ][^:][^:]*\:[    ]*:'"$object"'\: :' > "$tmpdepfile"
+    sed 's:^['"$tab"' ]*[^:'"$tab"' ][^:][^:]*\:['"$tab"' ]*:'"$object"'\: :' > "$tmpdepfile"
   rm -f "$depfile"
   cat < "$tmpdepfile" > "$depfile"
-  tr ' ' '
-' < "$tmpdepfile" | \
+  tr ' ' "$nl" < "$tmpdepfile" | \
 ## Some versions of the HPUX 10.20 sed can't process this invocation
 ## correctly.  Breaking it into two sed invocations is a workaround.
     sed -e 's/^\\$//' -e '/^$/d' -e '/:$/d' | sed -e 's/$/ :/' >> "$depfile"
@@ -562,8 +583,7 @@ makedepend)
   # makedepend may prepend the VPATH from the source file name to the object.
   # No need to regex-escape $object, excess matching of '.' is harmless.
   sed "s|^.*\($object *:\)|\1|" "$tmpdepfile" > "$depfile"
-  sed '1,2d' "$tmpdepfile" | tr ' ' '
-' | \
+  sed '1,2d' "$tmpdepfile" | tr ' ' "$nl" | \
 ## Some versions of the HPUX 10.20 sed can't process this invocation
 ## correctly.  Breaking it into two sed invocations is a workaround.
     sed -e 's/^\\$//' -e '/^$/d' -e '/:$/d' | sed -e 's/$/ :/' >> "$depfile"
@@ -583,7 +603,7 @@ cpp)
     shift
   fi
 
-  # Remove `-o $object'.
+  # Remove '-o $object'.
   IFS=" "
   for arg
   do
@@ -652,8 +672,8 @@ msvisualcpp)
   sed -n '/^#line [0-9][0-9]* "\([^"]*\)"/ s::\1:p' | $cygpath_u | sort -u > "$tmpdepfile"
   rm -f "$depfile"
   echo "$object : \\" > "$depfile"
-  sed < "$tmpdepfile" -n -e 's% %\\ %g' -e '/^\(.*\)$/ s::	\1 \\:p' >> "$depfile"
-  echo "	" >> "$depfile"
+  sed < "$tmpdepfile" -n -e 's% %\\ %g' -e '/^\(.*\)$/ s::'"$tab"'\1 \\:p' >> "$depfile"
+  echo "$tab" >> "$depfile"
   sed < "$tmpdepfile" -n -e 's% %\\ %g' -e '/^\(.*\)$/ s::\1\::p' >> "$depfile"
   rm -f "$tmpdepfile"
   ;;
diff --git a/init/Makefile.in b/init/Makefile.in
index 7d7346e0c..7603fa066 100644
--- a/init/Makefile.in
+++ b/init/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.11.3 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
@@ -15,6 +15,23 @@
 
 @SET_MAKE@
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -61,6 +78,11 @@ RECURSIVE_TARGETS = all-recursive check-recursive dvi-recursive \
 	install-pdf-recursive install-ps-recursive install-recursive \
 	installcheck-recursive installdirs-recursive pdf-recursive \
 	ps-recursive uninstall-recursive
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 RECURSIVE_CLEAN_TARGETS = mostlyclean-recursive clean-recursive	\
   distclean-recursive maintainer-clean-recursive
 AM_RECURSIVE_TARGETS = $(RECURSIVE_TARGETS:-recursive=) \
@@ -108,6 +130,8 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -124,6 +148,7 @@ EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
@@ -192,8 +217,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -249,7 +272,6 @@ nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
@@ -491,13 +513,10 @@ distdir: $(DISTFILES)
 	done
 	@list='$(DIST_SUBDIRS)'; for subdir in $$list; do \
 	  if test "$$subdir" = .; then :; else \
-	    test -d "$(distdir)/$$subdir" \
-	    || $(MKDIR_P) "$(distdir)/$$subdir" \
-	    || exit 1; \
-	  fi; \
-	done
-	@list='$(DIST_SUBDIRS)'; for subdir in $$list; do \
-	  if test "$$subdir" = .; then :; else \
+	    $(am__make_dryrun) \
+	      || test -d "$(distdir)/$$subdir" \
+	      || $(MKDIR_P) "$(distdir)/$$subdir" \
+	      || exit 1; \
 	    dir1=$$subdir; dir2="$(distdir)/$$subdir"; \
 	    $(am__relativize); \
 	    new_distdir=$$reldir; \
diff --git a/init/systemd/Makefile.in b/init/systemd/Makefile.in
index def76088a..7b95497ab 100644
--- a/init/systemd/Makefile.in
+++ b/init/systemd/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.11.3 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
@@ -16,6 +16,23 @@
 @SET_MAKE@
 
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -54,6 +71,11 @@ CONFIG_CLEAN_FILES =
 CONFIG_CLEAN_VPATH_FILES =
 SOURCES =
 DIST_SOURCES =
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
 am__vpath_adj = case $$p in \
     $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
@@ -97,6 +119,8 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -113,6 +137,7 @@ EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
@@ -181,8 +206,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -238,7 +261,6 @@ nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
@@ -316,8 +338,11 @@ clean-libtool:
 	-rm -rf .libs _libs
 install-systemdsystemunitDATA: $(systemdsystemunit_DATA)
 	@$(NORMAL_INSTALL)
-	test -z "$(systemdsystemunitdir)" || $(MKDIR_P) "$(DESTDIR)$(systemdsystemunitdir)"
 	@list='$(systemdsystemunit_DATA)'; test -n "$(systemdsystemunitdir)" || list=; \
+	if test -n "$$list"; then \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(systemdsystemunitdir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(systemdsystemunitdir)" || exit 1; \
+	fi; \
 	for p in $$list; do \
 	  if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \
 	  echo "$$d$$p"; \
diff --git a/ltmain.sh b/ltmain.sh
index c2852d856..0096fe6c7 100644
--- a/ltmain.sh
+++ b/ltmain.sh
@@ -70,7 +70,7 @@
 #         compiler:		$LTCC
 #         compiler flags:		$LTCFLAGS
 #         linker:		$LD (gnu? $with_gnu_ld)
-#         $progname:	(GNU libtool) 2.4.2 Debian-2.4.2-1ubuntu1
+#         $progname:	(GNU libtool) 2.4.2 Debian-2.4.2-1ubuntu2
 #         automake:	$automake_version
 #         autoconf:	$autoconf_version
 #
@@ -80,7 +80,7 @@
 
 PROGRAM=libtool
 PACKAGE=libtool
-VERSION="2.4.2 Debian-2.4.2-1ubuntu1"
+VERSION="2.4.2 Debian-2.4.2-1ubuntu2"
 TIMESTAMP=""
 package_revision=1.3337
 
diff --git a/m4/macros/enable-disable.m4 b/m4/macros/enable-disable.m4
index 3d423652f..2e4552068 100644
--- a/m4/macros/enable-disable.m4
+++ b/m4/macros/enable-disable.m4
@@ -20,6 +20,7 @@ AC_DEFUN([ARG_ENABL_SET],
 # ARG_DISBL_SET(option, help)
 # ---------------------------
 # Create a --disable-$1 option with helptext, set a variable $1 to true/false
+# All $1 are collected in the variable $enabled_by_default
 AC_DEFUN([ARG_DISBL_SET],
 	[AC_ARG_ENABLE(
 		[$1],
@@ -32,5 +33,6 @@ AC_DEFUN([ARG_DISBL_SET],
 		fi],
 		[patsubst([$1], [-], [_])=true
 		patsubst([$1], [-], [_])_given=false]
-	)]
+	)
+	enabled_by_default=${enabled_by_default}" patsubst([$1], [-], [_])"]
 )
diff --git a/man/Makefile.in b/man/Makefile.in
index e313a4fff..daebe3b90 100644
--- a/man/Makefile.in
+++ b/man/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.11.3 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
@@ -15,6 +15,23 @@
 
 @SET_MAKE@
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -54,6 +71,11 @@ CONFIG_CLEAN_FILES =
 CONFIG_CLEAN_VPATH_FILES =
 SOURCES =
 DIST_SOURCES =
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
 am__vpath_adj = case $$p in \
     $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
@@ -99,6 +121,8 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -115,6 +139,7 @@ EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
@@ -183,8 +208,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -240,7 +263,6 @@ nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
@@ -320,11 +342,18 @@ clean-libtool:
 	-rm -rf .libs _libs
 install-man5: $(dist_man_MANS)
 	@$(NORMAL_INSTALL)
-	test -z "$(man5dir)" || $(MKDIR_P) "$(DESTDIR)$(man5dir)"
-	@list=''; test -n "$(man5dir)" || exit 0; \
-	{ for i in $$list; do echo "$$i"; done; \
-	l2='$(dist_man_MANS)'; for i in $$l2; do echo "$$i"; done | \
-	  sed -n '/\.5[a-z]*$$/p'; \
+	@list1=''; \
+	list2='$(dist_man_MANS)'; \
+	test -n "$(man5dir)" \
+	  && test -n "`echo $$list1$$list2`" \
+	  || exit 0; \
+	echo " $(MKDIR_P) '$(DESTDIR)$(man5dir)'"; \
+	$(MKDIR_P) "$(DESTDIR)$(man5dir)" || exit 1; \
+	{ for i in $$list1; do echo "$$i"; done;  \
+	if test -n "$$list2"; then \
+	  for i in $$list2; do echo "$$i"; done \
+	    | sed -n '/\.5[a-z]*$$/p'; \
+	fi; \
 	} | while read p; do \
 	  if test -f $$p; then d=; else d="$(srcdir)/"; fi; \
 	  echo "$$d$$p"; echo "$$p"; \
diff --git a/man/ipsec.conf.5 b/man/ipsec.conf.5
index e24196c2b..554a6e8ca 100644
--- a/man/ipsec.conf.5
+++ b/man/ipsec.conf.5
@@ -1,4 +1,4 @@
-.TH IPSEC.CONF 5 "2012-06-26" "5.0.2" "strongSwan"
+.TH IPSEC.CONF 5 "2012-06-26" "5.0.3rc1" "strongSwan"
 .SH NAME
 ipsec.conf \- IPsec configuration and connections
 .SH DESCRIPTION
@@ -452,6 +452,11 @@ suites, the strict flag
 exclamation mark) can be used, e.g:
 .BR aes256-sha512-modp4096!
 .TP
+.BR ikedscp " = " 000000 " | <DSCP field>"
+Differentiated Services Field Codepoint to set on outgoing IKE packets sent
+from this connection. The value is a six digit binary encoded string defining
+the Codepoint to set, as defined in RFC 2474.
+.TP
 .BR ikelifetime " = " 3h " | <time>"
 how long the keying channel of a connection (ISAKMP or IKE SA)
 should last before being renegotiated. Also see EXPIRY/REKEY below.
@@ -613,6 +618,10 @@ connection. See ipsec.secrets(5) for details about smartcard definitions.
 is required only if selecting the certificate with
 .B leftid
 is not sufficient, for example if multiple certificates use the same subject.
+.br
+Multiple certificate paths or PKCS#11 backends can be specified in a comma
+separated list. The daemon chooses the certificate based on the received
+certificate requests if possible before enforcing the first.
 .TP
 .BR leftcert2 " = <path>"
 Same as
@@ -737,6 +746,14 @@ can be used to the same effect, e.g.
 .B leftprotoport=udp/%any
 or
 .BR leftprotoport=%any/53 .
+
+The port value can alternatively take the value
+.B %opaque
+for RFC 4301 OPAQUE selectors, or a numerical range in the form
+.BR 1024-65535 .
+None of the kernel backends currently supports opaque or port ranges and uses
+.B %any
+for policy installation instead.
 .TP
 .BR leftrsasigkey " = <raw rsa public key> | <path to public key>"
 the left participant's public key for RSA signature authentication, in RFC 2537
diff --git a/man/ipsec.conf.5.in b/man/ipsec.conf.5.in
index 2766cc4ed..e778ab773 100644
--- a/man/ipsec.conf.5.in
+++ b/man/ipsec.conf.5.in
@@ -452,6 +452,11 @@ suites, the strict flag
 exclamation mark) can be used, e.g:
 .BR aes256-sha512-modp4096!
 .TP
+.BR ikedscp " = " 000000 " | <DSCP field>"
+Differentiated Services Field Codepoint to set on outgoing IKE packets sent
+from this connection. The value is a six digit binary encoded string defining
+the Codepoint to set, as defined in RFC 2474.
+.TP
 .BR ikelifetime " = " 3h " | <time>"
 how long the keying channel of a connection (ISAKMP or IKE SA)
 should last before being renegotiated. Also see EXPIRY/REKEY below.
@@ -613,6 +618,10 @@ connection. See ipsec.secrets(5) for details about smartcard definitions.
 is required only if selecting the certificate with
 .B leftid
 is not sufficient, for example if multiple certificates use the same subject.
+.br
+Multiple certificate paths or PKCS#11 backends can be specified in a comma
+separated list. The daemon chooses the certificate based on the received
+certificate requests if possible before enforcing the first.
 .TP
 .BR leftcert2 " = <path>"
 Same as
@@ -737,6 +746,14 @@ can be used to the same effect, e.g.
 .B leftprotoport=udp/%any
 or
 .BR leftprotoport=%any/53 .
+
+The port value can alternatively take the value
+.B %opaque
+for RFC 4301 OPAQUE selectors, or a numerical range in the form
+.BR 1024-65535 .
+None of the kernel backends currently supports opaque or port ranges and uses
+.B %any
+for policy installation instead.
 .TP
 .BR leftrsasigkey " = <raw rsa public key> | <path to public key>"
 the left participant's public key for RSA signature authentication, in RFC 2537
diff --git a/man/ipsec.secrets.5 b/man/ipsec.secrets.5
index 127f18f20..0948e5cc9 100644
--- a/man/ipsec.secrets.5
+++ b/man/ipsec.secrets.5
@@ -1,4 +1,4 @@
-.TH IPSEC.SECRETS 5 "2011-12-14" "5.0.2" "strongSwan"
+.TH IPSEC.SECRETS 5 "2011-12-14" "5.0.3rc1" "strongSwan"
 .SH NAME
 ipsec.secrets \- secrets for IKE/IPsec authentication
 .SH DESCRIPTION
diff --git a/man/strongswan.conf.5 b/man/strongswan.conf.5
index 8a34a7f93..34dfde735 100644
--- a/man/strongswan.conf.5
+++ b/man/strongswan.conf.5
@@ -1,4 +1,4 @@
-.TH STRONGSWAN.CONF 5 "2013-01-25" "5.0.2" "strongSwan"
+.TH STRONGSWAN.CONF 5 "2013-04-01" "5.0.3" "strongSwan"
 .SH NAME
 strongswan.conf \- strongSwan configuration file
 .SH DESCRIPTION
@@ -416,6 +416,10 @@ is compared to the groups specified in the
 option in
 .B ipsec.conf (5).
 .TP
+.BR charon.plugins.eap-radius.close_all_on_timeout " [no]"
+Closes all IKE_SAs if communication with the RADIUS server times out. If it is
+not set only the current IKE_SA is closed.
+.TP
 .BR charon.plugins.eap-radius.dae.enable " [no]"
 Enables support for the Dynamic Authorization Extension (RFC 5176)
 .TP
@@ -539,6 +543,10 @@ Start phase2 EAP TNC protocol after successful client authentication
 .BR charon.plugins.eap-ttls.request_peer_auth " [no]"
 Request peer authentication based on a client certificate
 .TP
+.BR charon.plugins.ha.autobalance " [0]"
+Interval in seconds to automatically balance handled segments between nodes.
+Set to 0 to disable.
+.TP
 .BR charon.plugins.ha.fifo_interface " [yes]"
 
 .TP
@@ -568,6 +576,9 @@ Request peer authentication based on a client certificate
 .TP
 .BR charon.plugins.ha.segment_count " [1]"
 
+.TP
+.BR charon.plugins.ipseckey.enable " [no]"
+Enable the fetching of IPSECKEY RRs from the DNS
 .TP
 .BR charon.plugins.led.activity_led
 
@@ -616,6 +627,21 @@ certificates even if they don't contain a CA basic constraint.
 .BR charon.plugins.stroke.max_concurrent " [4]"
 Maximum number of stroke messages handled concurrently
 .TP
+.BR charon.plugins.stroke.timeout " [0]"
+Timeout in ms for any stroke command. Use 0 to disable the timeout
+.TP
+.BR charon.plugins.systime-fix.interval " [0]"
+Interval in seconds to check system time for validity. 0 disables the check
+.TP
+.BR charon.plugins.systime-fix.reauth " [no]"
+Whether to use reauth or delete if an invalid cert lifetime is detected
+.TP
+.BR charon.plugins.systime-fix.threshold
+Threshold date where system time is considered valid. Disabled if not specified
+.TP
+.BR charon.plugins.systime-fix.threshold_format " [%Y]"
+strptime(3) format used to parse threshold option
+.TP
 .BR charon.plugins.tnccs-11.max_message_size " [45000]"
 Maximum size of a PA-TNC message (XML & Base64 encoding)
 .TP
@@ -625,23 +651,26 @@ Maximum size of a PB-TNC batch (upper limit via PT-EAP = 65529)
 .BR charon.plugins.tnccs-20.max_message_size " [65490]"
 Maximum size of a PA-TNC message (upper limit via PT-EAP = 65497)
 .TP
+.BR charon.plugins.tnc-ifmap.client_cert
+Path to X.509 certificate file of IF-MAP client
+.TP
+.BR charon.plugins.tnc-ifmap.client_key
+Path to private key file of IF-MAP client
+.TP
 .BR charon.plugins.tnc-ifmap.device_name
-Unique name of strongSwan as a PEP and/or PDP device
+Unique name of strongSwan server as a PEP and/or PDP device
 .TP
-.BR charon.plugins.tnc-ifmap.key_file
-Concatenated client certificate and private key
+.BR charon.plugins.tnc-ifmap.renew_session_interval " [150]"
+Interval in seconds between periodic IF-MAP RenewSession requests
 .TP
-.BR charon.plugins.tnc-ifmap.password
-Authentication password of strongSwan MAP client
+.BR charon.plugins.tnc-ifmap.server_uri " [https://localhost:8444/imap]"
+URI of the form [https://]servername[:port][/path]
 .TP
 .BR charon.plugins.tnc-ifmap.server_cert
-Certificate of MAP server
+Path to X.509 certificate file of IF-MAP server
 .TP
-.BR charon.plugins.tnc-ifmap.ssl_passphrase
-Passphrase protecting the private key
-.TP
-.BR charon.plugins.tnc-ifmap.username
-Authentication username of strongSwan MAP client
+.BR charon.plugins.tnc-ifmap.username_password
+Credentials of IF-MAP client of the form username:password
 .TP
 .BR charon.plugins.tnc-imc.dlclose " [yes]"
 Unload IMC after use
@@ -664,6 +693,9 @@ Shared RADIUS secret between strongSwan PDP and NAS
 .BR charon.plugins.tnc-pdp.server
 Name of the strongSwan PDP as contained in the AAA certificate
 .TP
+.BR charon.plugins.tnc-pdp.timeout
+Timeout in seconds before closing incomplete connections
+.TP
 .BR charon.plugins.updown.dns_handler " [no]"
 Whether the updown script should handle DNS serves assigned via IKEv1 Mode
 Config or IKEv2 Config Payloads (if enabled they can't be handled by other
@@ -776,6 +808,12 @@ File to read random bytes from, instead of /dev/random
 .TP
 .BR libstrongswan.plugins.random.urandom " [/dev/urandom]"
 File to read pseudo random bytes from, instead of /dev/urandom
+.TP
+.BR libstrongswan.plugins.unbound.resolv_conf " [/etc/resolv.conf]"
+File to read DNS resolver configuration from
+.TP
+.BR libstrongswan.plugins.unbound.trust_anchors " [/etc/ipsec.d/dnssec.keys]"
+File to read DNSSEC trust anchors from (usually root zone KSK)
 .SS libtnccs section
 .TP
 .BR libtnccs.tnc_config " [/etc/tnc_config]"
@@ -1299,6 +1337,9 @@ preconfigured credentials and allows an attacker to authenticate as any user.
 Subsection that contains key/value pairs with address pools (in CIDR notation)
 to use for a specific network interface e.g. eth0 = 10.10.0.0/16
 .TP
+.BR charon.plugins.load-tester.addrs_keep " [no]"
+Whether to keep dynamic addresses even after the associated SA got terminated
+.TP
 .BR charon.plugins.load-tester.addrs_prefix " [16]"
 Network prefix length to use when installing dynamic addresses. If set to -1 the
 full address is used (i.e. 32 or 128)
@@ -1330,6 +1371,9 @@ EAP secret to use in load test
 .BR charon.plugins.load-tester.enable " [no]"
 Enable the load testing plugin
 .TP
+.BR charon.plugins.load-tester.esp " [aes128-sha1]"
+CHILD_SA proposal to use for load tests
+.TP
 .BR charon.plugins.load-tester.fake_kernel " [no]"
 Fake the kernel interface to allow load-testing against self
 .TP
@@ -1352,7 +1396,7 @@ Authentication method(s) the intiator uses
 Initiator ID used in load test
 .TP
 .BR charon.plugins.load-tester.initiator_match
-Initiator ID to to match against as responder
+Initiator ID to match against as responder
 .TP
 .BR charon.plugins.load-tester.initiator_tsi
 Traffic selector on initiator side, as proposed by initiator
diff --git a/man/strongswan.conf.5.in b/man/strongswan.conf.5.in
index 2fafed62d..d483addbd 100644
--- a/man/strongswan.conf.5.in
+++ b/man/strongswan.conf.5.in
@@ -1,4 +1,4 @@
-.TH STRONGSWAN.CONF 5 "2013-01-25" "@IPSEC_VERSION@" "strongSwan"
+.TH STRONGSWAN.CONF 5 "2013-04-01" "@IPSEC_VERSION@" "strongSwan"
 .SH NAME
 strongswan.conf \- strongSwan configuration file
 .SH DESCRIPTION
@@ -416,6 +416,10 @@ is compared to the groups specified in the
 option in
 .B ipsec.conf (5).
 .TP
+.BR charon.plugins.eap-radius.close_all_on_timeout " [no]"
+Closes all IKE_SAs if communication with the RADIUS server times out. If it is
+not set only the current IKE_SA is closed.
+.TP
 .BR charon.plugins.eap-radius.dae.enable " [no]"
 Enables support for the Dynamic Authorization Extension (RFC 5176)
 .TP
@@ -539,6 +543,10 @@ Start phase2 EAP TNC protocol after successful client authentication
 .BR charon.plugins.eap-ttls.request_peer_auth " [no]"
 Request peer authentication based on a client certificate
 .TP
+.BR charon.plugins.ha.autobalance " [0]"
+Interval in seconds to automatically balance handled segments between nodes.
+Set to 0 to disable.
+.TP
 .BR charon.plugins.ha.fifo_interface " [yes]"
 
 .TP
@@ -568,6 +576,9 @@ Request peer authentication based on a client certificate
 .TP
 .BR charon.plugins.ha.segment_count " [1]"
 
+.TP
+.BR charon.plugins.ipseckey.enable " [no]"
+Enable the fetching of IPSECKEY RRs from the DNS
 .TP
 .BR charon.plugins.led.activity_led
 
@@ -616,6 +627,21 @@ certificates even if they don't contain a CA basic constraint.
 .BR charon.plugins.stroke.max_concurrent " [4]"
 Maximum number of stroke messages handled concurrently
 .TP
+.BR charon.plugins.stroke.timeout " [0]"
+Timeout in ms for any stroke command. Use 0 to disable the timeout
+.TP
+.BR charon.plugins.systime-fix.interval " [0]"
+Interval in seconds to check system time for validity. 0 disables the check
+.TP
+.BR charon.plugins.systime-fix.reauth " [no]"
+Whether to use reauth or delete if an invalid cert lifetime is detected
+.TP
+.BR charon.plugins.systime-fix.threshold
+Threshold date where system time is considered valid. Disabled if not specified
+.TP
+.BR charon.plugins.systime-fix.threshold_format " [%Y]"
+strptime(3) format used to parse threshold option
+.TP
 .BR charon.plugins.tnccs-11.max_message_size " [45000]"
 Maximum size of a PA-TNC message (XML & Base64 encoding)
 .TP
@@ -625,23 +651,26 @@ Maximum size of a PB-TNC batch (upper limit via PT-EAP = 65529)
 .BR charon.plugins.tnccs-20.max_message_size " [65490]"
 Maximum size of a PA-TNC message (upper limit via PT-EAP = 65497)
 .TP
+.BR charon.plugins.tnc-ifmap.client_cert
+Path to X.509 certificate file of IF-MAP client
+.TP
+.BR charon.plugins.tnc-ifmap.client_key
+Path to private key file of IF-MAP client
+.TP
 .BR charon.plugins.tnc-ifmap.device_name
-Unique name of strongSwan as a PEP and/or PDP device
+Unique name of strongSwan server as a PEP and/or PDP device
 .TP
-.BR charon.plugins.tnc-ifmap.key_file
-Concatenated client certificate and private key
+.BR charon.plugins.tnc-ifmap.renew_session_interval " [150]"
+Interval in seconds between periodic IF-MAP RenewSession requests
 .TP
-.BR charon.plugins.tnc-ifmap.password
-Authentication password of strongSwan MAP client
+.BR charon.plugins.tnc-ifmap.server_uri " [https://localhost:8444/imap]"
+URI of the form [https://]servername[:port][/path]
 .TP
 .BR charon.plugins.tnc-ifmap.server_cert
-Certificate of MAP server
+Path to X.509 certificate file of IF-MAP server
 .TP
-.BR charon.plugins.tnc-ifmap.ssl_passphrase
-Passphrase protecting the private key
-.TP
-.BR charon.plugins.tnc-ifmap.username
-Authentication username of strongSwan MAP client
+.BR charon.plugins.tnc-ifmap.username_password
+Credentials of IF-MAP client of the form username:password
 .TP
 .BR charon.plugins.tnc-imc.dlclose " [yes]"
 Unload IMC after use
@@ -664,6 +693,9 @@ Shared RADIUS secret between strongSwan PDP and NAS
 .BR charon.plugins.tnc-pdp.server
 Name of the strongSwan PDP as contained in the AAA certificate
 .TP
+.BR charon.plugins.tnc-pdp.timeout
+Timeout in seconds before closing incomplete connections
+.TP
 .BR charon.plugins.updown.dns_handler " [no]"
 Whether the updown script should handle DNS serves assigned via IKEv1 Mode
 Config or IKEv2 Config Payloads (if enabled they can't be handled by other
@@ -776,6 +808,12 @@ File to read random bytes from, instead of @DEV_RANDOM@
 .TP
 .BR libstrongswan.plugins.random.urandom " [@DEV_URANDOM@]"
 File to read pseudo random bytes from, instead of @DEV_URANDOM@
+.TP
+.BR libstrongswan.plugins.unbound.resolv_conf " [/etc/resolv.conf]"
+File to read DNS resolver configuration from
+.TP
+.BR libstrongswan.plugins.unbound.trust_anchors " [/etc/ipsec.d/dnssec.keys]"
+File to read DNSSEC trust anchors from (usually root zone KSK)
 .SS libtnccs section
 .TP
 .BR libtnccs.tnc_config " [/etc/tnc_config]"
@@ -1299,6 +1337,9 @@ preconfigured credentials and allows an attacker to authenticate as any user.
 Subsection that contains key/value pairs with address pools (in CIDR notation)
 to use for a specific network interface e.g. eth0 = 10.10.0.0/16
 .TP
+.BR charon.plugins.load-tester.addrs_keep " [no]"
+Whether to keep dynamic addresses even after the associated SA got terminated
+.TP
 .BR charon.plugins.load-tester.addrs_prefix " [16]"
 Network prefix length to use when installing dynamic addresses. If set to -1 the
 full address is used (i.e. 32 or 128)
@@ -1330,6 +1371,9 @@ EAP secret to use in load test
 .BR charon.plugins.load-tester.enable " [no]"
 Enable the load testing plugin
 .TP
+.BR charon.plugins.load-tester.esp " [aes128-sha1]"
+CHILD_SA proposal to use for load tests
+.TP
 .BR charon.plugins.load-tester.fake_kernel " [no]"
 Fake the kernel interface to allow load-testing against self
 .TP
@@ -1352,7 +1396,7 @@ Authentication method(s) the intiator uses
 Initiator ID used in load test
 .TP
 .BR charon.plugins.load-tester.initiator_match
-Initiator ID to to match against as responder
+Initiator ID to match against as responder
 .TP
 .BR charon.plugins.load-tester.initiator_tsi
 Traffic selector on initiator side, as proposed by initiator
diff --git a/scripts/Makefile.am b/scripts/Makefile.am
index ea399e84c..f7ecd9ef6 100644
--- a/scripts/Makefile.am
+++ b/scripts/Makefile.am
@@ -3,7 +3,8 @@ AM_CFLAGS = \
 -DPLUGINS="\"${scripts_plugins}\""
 
 noinst_PROGRAMS = bin2array bin2sql id2sql key2keyid keyid2sql oid2der \
-	thread_analysis dh_speed pubkey_speed crypt_burn hash_burn fetch
+	thread_analysis dh_speed pubkey_speed crypt_burn hash_burn fetch \
+	dnssec
 
 if USE_TLS
   noinst_PROGRAMS += tls_test
@@ -24,6 +25,7 @@ pubkey_speed_SOURCES = pubkey_speed.c
 crypt_burn_SOURCES = crypt_burn.c
 hash_burn_SOURCES = hash_burn.c
 fetch_SOURCES = fetch.c
+dnssec_SOURCES = dnssec.c
 id2sql_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la
 key2keyid_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la
 keyid2sql_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la
@@ -33,6 +35,7 @@ pubkey_speed_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la -lrt
 crypt_burn_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la
 hash_burn_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la
 fetch_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la
+dnssec_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la
 
 key2keyid.o :	$(top_builddir)/config.status
 
diff --git a/scripts/Makefile.in b/scripts/Makefile.in
index bb95cdf43..1aa9c2e60 100644
--- a/scripts/Makefile.in
+++ b/scripts/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.11.3 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
@@ -16,6 +16,23 @@
 @SET_MAKE@
 
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -38,7 +55,7 @@ noinst_PROGRAMS = bin2array$(EXEEXT) bin2sql$(EXEEXT) id2sql$(EXEEXT) \
 	key2keyid$(EXEEXT) keyid2sql$(EXEEXT) oid2der$(EXEEXT) \
 	thread_analysis$(EXEEXT) dh_speed$(EXEEXT) \
 	pubkey_speed$(EXEEXT) crypt_burn$(EXEEXT) hash_burn$(EXEEXT) \
-	fetch$(EXEEXT) $(am__EXEEXT_1)
+	fetch$(EXEEXT) dnssec$(EXEEXT) $(am__EXEEXT_1)
 @USE_TLS_TRUE@am__append_1 = tls_test
 subdir = scripts
 DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
@@ -74,6 +91,10 @@ am_dh_speed_OBJECTS = dh_speed.$(OBJEXT)
 dh_speed_OBJECTS = $(am_dh_speed_OBJECTS)
 dh_speed_DEPENDENCIES =  \
 	$(top_builddir)/src/libstrongswan/libstrongswan.la
+am_dnssec_OBJECTS = dnssec.$(OBJEXT)
+dnssec_OBJECTS = $(am_dnssec_OBJECTS)
+dnssec_DEPENDENCIES =  \
+	$(top_builddir)/src/libstrongswan/libstrongswan.la
 am_fetch_OBJECTS = fetch.$(OBJEXT)
 fetch_OBJECTS = $(am_fetch_OBJECTS)
 fetch_DEPENDENCIES =  \
@@ -124,17 +145,22 @@ LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
 	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
 	$(LDFLAGS) -o $@
 SOURCES = $(bin2array_SOURCES) $(bin2sql_SOURCES) \
-	$(crypt_burn_SOURCES) $(dh_speed_SOURCES) $(fetch_SOURCES) \
-	$(hash_burn_SOURCES) $(id2sql_SOURCES) $(key2keyid_SOURCES) \
-	$(keyid2sql_SOURCES) $(oid2der_SOURCES) \
+	$(crypt_burn_SOURCES) $(dh_speed_SOURCES) $(dnssec_SOURCES) \
+	$(fetch_SOURCES) $(hash_burn_SOURCES) $(id2sql_SOURCES) \
+	$(key2keyid_SOURCES) $(keyid2sql_SOURCES) $(oid2der_SOURCES) \
 	$(pubkey_speed_SOURCES) $(thread_analysis_SOURCES) \
 	$(tls_test_SOURCES)
 DIST_SOURCES = $(bin2array_SOURCES) $(bin2sql_SOURCES) \
-	$(crypt_burn_SOURCES) $(dh_speed_SOURCES) $(fetch_SOURCES) \
-	$(hash_burn_SOURCES) $(id2sql_SOURCES) $(key2keyid_SOURCES) \
-	$(keyid2sql_SOURCES) $(oid2der_SOURCES) \
+	$(crypt_burn_SOURCES) $(dh_speed_SOURCES) $(dnssec_SOURCES) \
+	$(fetch_SOURCES) $(hash_burn_SOURCES) $(id2sql_SOURCES) \
+	$(key2keyid_SOURCES) $(keyid2sql_SOURCES) $(oid2der_SOURCES) \
 	$(pubkey_speed_SOURCES) $(thread_analysis_SOURCES) \
 	$(am__tls_test_SOURCES_DIST)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
@@ -151,6 +177,8 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -167,6 +195,7 @@ EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
@@ -235,8 +264,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -292,7 +319,6 @@ nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
@@ -346,6 +372,7 @@ pubkey_speed_SOURCES = pubkey_speed.c
 crypt_burn_SOURCES = crypt_burn.c
 hash_burn_SOURCES = hash_burn.c
 fetch_SOURCES = fetch.c
+dnssec_SOURCES = dnssec.c
 id2sql_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la
 key2keyid_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la
 keyid2sql_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la
@@ -355,6 +382,7 @@ pubkey_speed_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la -lrt
 crypt_burn_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la
 hash_burn_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la
 fetch_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la
+dnssec_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la
 all: all-am
 
 .SUFFIXES:
@@ -410,6 +438,9 @@ crypt_burn$(EXEEXT): $(crypt_burn_OBJECTS) $(crypt_burn_DEPENDENCIES) $(EXTRA_cr
 dh_speed$(EXEEXT): $(dh_speed_OBJECTS) $(dh_speed_DEPENDENCIES) $(EXTRA_dh_speed_DEPENDENCIES) 
 	@rm -f dh_speed$(EXEEXT)
 	$(LINK) $(dh_speed_OBJECTS) $(dh_speed_LDADD) $(LIBS)
+dnssec$(EXEEXT): $(dnssec_OBJECTS) $(dnssec_DEPENDENCIES) $(EXTRA_dnssec_DEPENDENCIES) 
+	@rm -f dnssec$(EXEEXT)
+	$(LINK) $(dnssec_OBJECTS) $(dnssec_LDADD) $(LIBS)
 fetch$(EXEEXT): $(fetch_OBJECTS) $(fetch_DEPENDENCIES) $(EXTRA_fetch_DEPENDENCIES) 
 	@rm -f fetch$(EXEEXT)
 	$(LINK) $(fetch_OBJECTS) $(fetch_LDADD) $(LIBS)
@@ -448,6 +479,7 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/bin2sql.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/crypt_burn.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/dh_speed.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/dnssec.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/fetch.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/hash_burn.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/id2sql.Po@am__quote@
diff --git a/scripts/crypt_burn.c b/scripts/crypt_burn.c
index 449364a1a..9633568cd 100644
--- a/scripts/crypt_burn.c
+++ b/scripts/crypt_burn.c
@@ -89,6 +89,7 @@ int main(int argc, char *argv[])
 				break;
 			}
 		}
+		aead->destroy(aead);
 	}
 	else
 	{
@@ -101,7 +102,7 @@ int main(int argc, char *argv[])
 		}
 		bs = crypter->get_block_size(crypter);
 
-		while (i--)
+		while (TRUE)
 		{
 			if (!crypter->encrypt(crypter,
 					chunk_create(buffer, sizeof(buffer) / bs * bs),
@@ -120,6 +121,7 @@ int main(int argc, char *argv[])
 				break;
 			}
 		}
+		crypter->destroy(crypter);
 	}
 	return 0;
 }
diff --git a/scripts/dnssec.c b/scripts/dnssec.c
new file mode 100644
index 000000000..89ea56ea6
--- /dev/null
+++ b/scripts/dnssec.c
@@ -0,0 +1,125 @@
+/*
+ * Copyright (C) 2011-2012 Reto Guadagnini
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <stdio.h>
+
+#include <library.h>
+
+int main(int argc, char *argv[])
+{
+	resolver_t *resolver;
+	resolver_response_t *response;
+	enumerator_t *enumerator;
+	rr_set_t *rrset;
+	rr_t *rr;
+	chunk_t chunk;
+
+	library_init(NULL);
+	atexit(library_deinit);
+	if (!lib->plugins->load(lib->plugins, NULL, PLUGINS))
+	{
+		return 1;
+	}
+	if (argc != 2)
+	{
+		fprintf(stderr, "usage: %s <name>\n", argv[0]);
+		return 1;
+	}
+
+	resolver = lib->resolver->create(lib->resolver);
+	if (!resolver)
+	{
+		printf("failed to create a resolver!\n");
+		return 1;
+	}
+
+	response = resolver->query(resolver, argv[1], RR_CLASS_IN, RR_TYPE_A);
+	if (!response)
+	{
+		printf("no response received!\n");
+		resolver->destroy(resolver);
+		return 1;
+	}
+
+	printf("DNS response:\n");
+	if (!response->has_data(response) || !response->query_name_exist(response))
+	{
+		if (!response->has_data(response))
+		{
+			printf("  no data in the response\n");
+		}
+		if (!response->query_name_exist(response))
+		{
+			printf("  query name does not exist\n");
+		}
+		response->destroy(response);
+		resolver->destroy(resolver);
+		return 1;
+	}
+
+	printf("  RRs in the response:\n");
+	rrset = response->get_rr_set(response);
+	if (!rrset)
+	{
+		printf("    response contains no RRset!\n");
+		response->destroy(response);
+		resolver->destroy(resolver);
+		return 1;
+	}
+
+	enumerator = rrset->create_rr_enumerator(rrset);
+	while (enumerator->enumerate(enumerator, &rr))
+	{
+		printf("    name: ");
+		printf(rr->get_name(rr));
+		printf("\n");
+	}
+
+	enumerator = rrset->create_rrsig_enumerator(rrset);
+	if (enumerator)
+	{
+		printf("  RRSIGs for the RRset:\n");
+		while (enumerator->enumerate(enumerator, &rr))
+		{
+			printf("    name: ");
+			printf(rr->get_name(rr));
+			printf("\n    RDATA: ");
+			chunk = rr->get_rdata(rr);
+			chunk = chunk_to_hex(chunk, NULL, TRUE);
+			printf(chunk.ptr);
+			printf("\n");
+		}
+	}
+
+	printf("  security status of the response: ");
+	switch (response->get_security_state(response))
+	{
+		case SECURE:
+			printf("SECURE\n\n");
+			break;
+		case INSECURE:
+			printf("INSECURE\n\n");
+			break;
+		case BOGUS:
+			printf("BOGUS\n\n");
+			break;
+		case INDETERMINATE:
+			printf("INDETERMINATE\n\n");
+			break;
+	}
+	response->destroy(response);
+	resolver->destroy(resolver);
+	return 0;
+}
diff --git a/scripts/tls_test.c b/scripts/tls_test.c
index d0d259e60..332f13d89 100644
--- a/scripts/tls_test.c
+++ b/scripts/tls_test.c
@@ -33,15 +33,59 @@
 static void usage(FILE *out, char *cmd)
 {
 	fprintf(out, "usage:\n");
-	fprintf(out, "  %s --connect <address> --port <port> [--cert <file>]+ [--times <n>]\n", cmd);
+	fprintf(out, "  %s --connect <address> --port <port> [--key <key] [--cert <file>]+ [--times <n>]\n", cmd);
 	fprintf(out, "  %s --listen <address> --port <port> --key <key> [--cert <file>]+ [--times <n>]\n", cmd);
 }
 
+/**
+ * Check, as client, if we have a client certificate with private key
+ */
+static identification_t *find_client_id()
+{
+	identification_t *client = NULL, *keyid;
+	enumerator_t *enumerator;
+	certificate_t *cert;
+	public_key_t *pubkey;
+	private_key_t *privkey;
+	chunk_t chunk;
+
+	enumerator = lib->credmgr->create_cert_enumerator(lib->credmgr,
+											CERT_X509, KEY_ANY, NULL, FALSE);
+	while (enumerator->enumerate(enumerator, &cert))
+	{
+		pubkey = cert->get_public_key(cert);
+		if (pubkey)
+		{
+			if (pubkey->get_fingerprint(pubkey, KEYID_PUBKEY_SHA1, &chunk))
+			{
+				keyid = identification_create_from_encoding(ID_KEY_ID, chunk);
+				privkey = lib->credmgr->get_private(lib->credmgr,
+									pubkey->get_type(pubkey), keyid, NULL);
+				keyid->destroy(keyid);
+				if (privkey)
+				{
+					client = cert->get_subject(cert);
+					client = client->clone(client);
+					privkey->destroy(privkey);
+				}
+			}
+			pubkey->destroy(pubkey);
+		}
+		if (client)
+		{
+			break;
+		}
+	}
+	enumerator->destroy(enumerator);
+
+	return client;
+}
+
 /**
  * Client routine
  */
-static int client(host_t *host, identification_t *server,
-				  int times, tls_cache_t *cache)
+static int run_client(host_t *host, identification_t *server,
+					  identification_t *client, int times, tls_cache_t *cache)
 {
 	tls_socket_t *tls;
 	int fd, res;
@@ -61,7 +105,7 @@ static int client(host_t *host, identification_t *server,
 			close(fd);
 			return 1;
 		}
-		tls = tls_socket_create(FALSE, server, NULL, fd, cache);
+		tls = tls_socket_create(FALSE, server, client, fd, cache);
 		if (!tls)
 		{
 			close(fd);
@@ -224,7 +268,7 @@ int main(int argc, char *argv[])
 	char *address = NULL;
 	bool listen = FALSE;
 	int port = 0, times = -1, res;
-	identification_t *server;
+	identification_t *server, *client;
 	tls_cache_t *cache;
 	host_t *host;
 
@@ -307,11 +351,12 @@ int main(int argc, char *argv[])
 	}
 	else
 	{
-		res = client(host, server, times, cache);
+		client = find_client_id();
+		res = run_client(host, server, client, times, cache);
+		DESTROY_IF(client);
 	}
 	cache->destroy(cache);
 	host->destroy(host);
 	server->destroy(server);
 	return res;
 }
-
diff --git a/src/Makefile.am b/src/Makefile.am
index e4c0374a2..07953b0b0 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -32,6 +32,10 @@ if USE_LIBTNCCS
   SUBDIRS += libtnccs
 endif
 
+if USE_LIBPTTLS
+  SUBDIRS += libpttls
+endif
+
 if USE_IMCV
   SUBDIRS += libimcv
 endif
@@ -96,6 +100,10 @@ if USE_INTEGRITY_TEST
   SUBDIRS += checksum
 endif
 
+if USE_TKM
+  SUBDIRS += charon-tkm
+endif
+
 EXTRA_DIST = strongswan.conf
 
 install-exec-local :
diff --git a/src/Makefile.in b/src/Makefile.in
index ada684eae..a40a82cd8 100644
--- a/src/Makefile.in
+++ b/src/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.11.3 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
@@ -15,6 +15,23 @@
 
 @SET_MAKE@
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -41,22 +58,24 @@ host_triplet = @host@
 @USE_RADIUS_TRUE@am__append_6 = libradius
 @USE_LIBTNCIF_TRUE@am__append_7 = libtncif
 @USE_LIBTNCCS_TRUE@am__append_8 = libtnccs
-@USE_IMCV_TRUE@am__append_9 = libimcv
-@USE_PTS_TRUE@am__append_10 = libpts
-@USE_LIBCHARON_TRUE@am__append_11 = libcharon
-@USE_FILE_CONFIG_TRUE@am__append_12 = starter
-@USE_IPSEC_SCRIPT_TRUE@am__append_13 = ipsec _copyright
-@USE_CHARON_TRUE@am__append_14 = charon
-@USE_NM_TRUE@am__append_15 = charon-nm
-@USE_STROKE_TRUE@am__append_16 = stroke
-@USE_UPDOWN_TRUE@am__append_17 = _updown _updown_espmark
-@USE_TOOLS_TRUE@am__append_18 = openac scepclient pki
-@USE_CONFTEST_TRUE@am__append_19 = conftest
-@USE_DUMM_TRUE@am__append_20 = dumm
-@USE_FAST_TRUE@am__append_21 = libfast
-@USE_MANAGER_TRUE@am__append_22 = manager
-@USE_MEDSRV_TRUE@am__append_23 = medsrv
-@USE_INTEGRITY_TEST_TRUE@am__append_24 = checksum
+@USE_LIBPTTLS_TRUE@am__append_9 = libpttls
+@USE_IMCV_TRUE@am__append_10 = libimcv
+@USE_PTS_TRUE@am__append_11 = libpts
+@USE_LIBCHARON_TRUE@am__append_12 = libcharon
+@USE_FILE_CONFIG_TRUE@am__append_13 = starter
+@USE_IPSEC_SCRIPT_TRUE@am__append_14 = ipsec _copyright
+@USE_CHARON_TRUE@am__append_15 = charon
+@USE_NM_TRUE@am__append_16 = charon-nm
+@USE_STROKE_TRUE@am__append_17 = stroke
+@USE_UPDOWN_TRUE@am__append_18 = _updown _updown_espmark
+@USE_TOOLS_TRUE@am__append_19 = openac scepclient pki
+@USE_CONFTEST_TRUE@am__append_20 = conftest
+@USE_DUMM_TRUE@am__append_21 = dumm
+@USE_FAST_TRUE@am__append_22 = libfast
+@USE_MANAGER_TRUE@am__append_23 = manager
+@USE_MEDSRV_TRUE@am__append_24 = medsrv
+@USE_INTEGRITY_TEST_TRUE@am__append_25 = checksum
+@USE_TKM_TRUE@am__append_26 = charon-tkm
 subdir = src
 DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
@@ -84,6 +103,11 @@ RECURSIVE_TARGETS = all-recursive check-recursive dvi-recursive \
 	install-pdf-recursive install-ps-recursive install-recursive \
 	installcheck-recursive installdirs-recursive pdf-recursive \
 	ps-recursive uninstall-recursive
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 RECURSIVE_CLEAN_TARGETS = mostlyclean-recursive clean-recursive	\
   distclean-recursive maintainer-clean-recursive
 AM_RECURSIVE_TARGETS = $(RECURSIVE_TARGETS:-recursive=) \
@@ -92,10 +116,10 @@ AM_RECURSIVE_TARGETS = $(RECURSIVE_TARGETS:-recursive=) \
 ETAGS = etags
 CTAGS = ctags
 DIST_SUBDIRS = . include libstrongswan libhydra libipsec libsimaka \
-	libtls libradius libtncif libtnccs libimcv libpts libcharon \
-	starter ipsec _copyright charon charon-nm stroke _updown \
-	_updown_espmark openac scepclient pki conftest dumm libfast \
-	manager medsrv checksum
+	libtls libradius libtncif libtnccs libpttls libimcv libpts \
+	libcharon starter ipsec _copyright charon charon-nm stroke \
+	_updown _updown_espmark openac scepclient pki conftest dumm \
+	libfast manager medsrv checksum charon-tkm
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 am__relativize = \
   dir0=`pwd`; \
@@ -135,6 +159,8 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -151,6 +177,7 @@ EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
@@ -219,8 +246,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -276,7 +301,6 @@ nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
@@ -317,7 +341,8 @@ SUBDIRS = . include $(am__append_1) $(am__append_2) $(am__append_3) \
 	$(am__append_13) $(am__append_14) $(am__append_15) \
 	$(am__append_16) $(am__append_17) $(am__append_18) \
 	$(am__append_19) $(am__append_20) $(am__append_21) \
-	$(am__append_22) $(am__append_23) $(am__append_24)
+	$(am__append_22) $(am__append_23) $(am__append_24) \
+	$(am__append_25) $(am__append_26)
 EXTRA_DIST = strongswan.conf
 all: all-recursive
 
@@ -526,13 +551,10 @@ distdir: $(DISTFILES)
 	done
 	@list='$(DIST_SUBDIRS)'; for subdir in $$list; do \
 	  if test "$$subdir" = .; then :; else \
-	    test -d "$(distdir)/$$subdir" \
-	    || $(MKDIR_P) "$(distdir)/$$subdir" \
-	    || exit 1; \
-	  fi; \
-	done
-	@list='$(DIST_SUBDIRS)'; for subdir in $$list; do \
-	  if test "$$subdir" = .; then :; else \
+	    $(am__make_dryrun) \
+	      || test -d "$(distdir)/$$subdir" \
+	      || $(MKDIR_P) "$(distdir)/$$subdir" \
+	      || exit 1; \
 	    dir1=$$subdir; dir2="$(distdir)/$$subdir"; \
 	    $(am__relativize); \
 	    new_distdir=$$reldir; \
diff --git a/src/_copyright/Makefile.in b/src/_copyright/Makefile.in
index 83b25bebf..87f4c4f95 100644
--- a/src/_copyright/Makefile.in
+++ b/src/_copyright/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.11.3 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
@@ -16,6 +16,23 @@
 @SET_MAKE@
 
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -74,6 +91,11 @@ LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
 	$(LDFLAGS) -o $@
 SOURCES = $(_copyright_SOURCES)
 DIST_SOURCES = $(_copyright_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
@@ -90,6 +112,8 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -106,6 +130,7 @@ EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
@@ -174,8 +199,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -231,7 +254,6 @@ nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
@@ -306,8 +328,11 @@ $(ACLOCAL_M4):  $(am__aclocal_m4_deps)
 $(am__aclocal_m4_deps):
 install-ipsecPROGRAMS: $(ipsec_PROGRAMS)
 	@$(NORMAL_INSTALL)
-	test -z "$(ipsecdir)" || $(MKDIR_P) "$(DESTDIR)$(ipsecdir)"
 	@list='$(ipsec_PROGRAMS)'; test -n "$(ipsecdir)" || list=; \
+	if test -n "$$list"; then \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(ipsecdir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(ipsecdir)" || exit 1; \
+	fi; \
 	for p in $$list; do echo "$$p $$p"; done | \
 	sed 's/$(EXEEXT)$$//' | \
 	while read p p1; do if test -f $$p || test -f $$p1; \
diff --git a/src/_updown/Makefile.in b/src/_updown/Makefile.in
index d67bdb844..ad03d7d92 100644
--- a/src/_updown/Makefile.in
+++ b/src/_updown/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.11.3 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
@@ -16,6 +16,23 @@
 @SET_MAKE@
 
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -84,6 +101,11 @@ am__installdirs = "$(DESTDIR)$(ipsecdir)" "$(DESTDIR)$(man8dir)"
 SCRIPTS = $(ipsec_SCRIPTS)
 SOURCES =
 DIST_SOURCES =
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 man8dir = $(mandir)/man8
 NROFF = nroff
 MANS = $(dist_man8_MANS)
@@ -101,6 +123,8 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -117,6 +141,7 @@ EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
@@ -185,8 +210,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -242,7 +265,6 @@ nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
@@ -315,8 +337,11 @@ $(ACLOCAL_M4):  $(am__aclocal_m4_deps)
 $(am__aclocal_m4_deps):
 install-ipsecSCRIPTS: $(ipsec_SCRIPTS)
 	@$(NORMAL_INSTALL)
-	test -z "$(ipsecdir)" || $(MKDIR_P) "$(DESTDIR)$(ipsecdir)"
 	@list='$(ipsec_SCRIPTS)'; test -n "$(ipsecdir)" || list=; \
+	if test -n "$$list"; then \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(ipsecdir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(ipsecdir)" || exit 1; \
+	fi; \
 	for p in $$list; do \
 	  if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \
 	  if test -f "$$d$$p"; then echo "$$d$$p"; echo "$$p"; else :; fi; \
@@ -353,9 +378,18 @@ clean-libtool:
 	-rm -rf .libs _libs
 install-man8: $(dist_man8_MANS)
 	@$(NORMAL_INSTALL)
-	test -z "$(man8dir)" || $(MKDIR_P) "$(DESTDIR)$(man8dir)"
-	@list='$(dist_man8_MANS)'; test -n "$(man8dir)" || exit 0; \
-	{ for i in $$list; do echo "$$i"; done; \
+	@list1='$(dist_man8_MANS)'; \
+	list2=''; \
+	test -n "$(man8dir)" \
+	  && test -n "`echo $$list1$$list2`" \
+	  || exit 0; \
+	echo " $(MKDIR_P) '$(DESTDIR)$(man8dir)'"; \
+	$(MKDIR_P) "$(DESTDIR)$(man8dir)" || exit 1; \
+	{ for i in $$list1; do echo "$$i"; done;  \
+	if test -n "$$list2"; then \
+	  for i in $$list2; do echo "$$i"; done \
+	    | sed -n '/\.8[a-z]*$$/p'; \
+	fi; \
 	} | while read p; do \
 	  if test -f $$p; then d=; else d="$(srcdir)/"; fi; \
 	  echo "$$d$$p"; echo "$$p"; \
diff --git a/src/_updown_espmark/Makefile.in b/src/_updown_espmark/Makefile.in
index 88683f38b..c079690ac 100644
--- a/src/_updown_espmark/Makefile.in
+++ b/src/_updown_espmark/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.11.3 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
@@ -16,6 +16,23 @@
 @SET_MAKE@
 
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -84,6 +101,11 @@ am__installdirs = "$(DESTDIR)$(ipsecdir)" "$(DESTDIR)$(man8dir)"
 SCRIPTS = $(dist_ipsec_SCRIPTS)
 SOURCES =
 DIST_SOURCES =
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 man8dir = $(mandir)/man8
 NROFF = nroff
 MANS = $(dist_man8_MANS)
@@ -101,6 +123,8 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -117,6 +141,7 @@ EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
@@ -185,8 +210,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -242,7 +265,6 @@ nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
@@ -313,8 +335,11 @@ $(ACLOCAL_M4):  $(am__aclocal_m4_deps)
 $(am__aclocal_m4_deps):
 install-dist_ipsecSCRIPTS: $(dist_ipsec_SCRIPTS)
 	@$(NORMAL_INSTALL)
-	test -z "$(ipsecdir)" || $(MKDIR_P) "$(DESTDIR)$(ipsecdir)"
 	@list='$(dist_ipsec_SCRIPTS)'; test -n "$(ipsecdir)" || list=; \
+	if test -n "$$list"; then \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(ipsecdir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(ipsecdir)" || exit 1; \
+	fi; \
 	for p in $$list; do \
 	  if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \
 	  if test -f "$$d$$p"; then echo "$$d$$p"; echo "$$p"; else :; fi; \
@@ -351,9 +376,18 @@ clean-libtool:
 	-rm -rf .libs _libs
 install-man8: $(dist_man8_MANS)
 	@$(NORMAL_INSTALL)
-	test -z "$(man8dir)" || $(MKDIR_P) "$(DESTDIR)$(man8dir)"
-	@list='$(dist_man8_MANS)'; test -n "$(man8dir)" || exit 0; \
-	{ for i in $$list; do echo "$$i"; done; \
+	@list1='$(dist_man8_MANS)'; \
+	list2=''; \
+	test -n "$(man8dir)" \
+	  && test -n "`echo $$list1$$list2`" \
+	  || exit 0; \
+	echo " $(MKDIR_P) '$(DESTDIR)$(man8dir)'"; \
+	$(MKDIR_P) "$(DESTDIR)$(man8dir)" || exit 1; \
+	{ for i in $$list1; do echo "$$i"; done;  \
+	if test -n "$$list2"; then \
+	  for i in $$list2; do echo "$$i"; done \
+	    | sed -n '/\.8[a-z]*$$/p'; \
+	fi; \
 	} | while read p; do \
 	  if test -f $$p; then d=; else d="$(srcdir)/"; fi; \
 	  echo "$$d$$p"; echo "$$p"; \
diff --git a/src/charon-nm/Makefile.in b/src/charon-nm/Makefile.in
index 8416455ae..b5c4e3f45 100644
--- a/src/charon-nm/Makefile.in
+++ b/src/charon-nm/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.11.3 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
@@ -16,6 +16,23 @@
 @SET_MAKE@
 
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -80,6 +97,11 @@ LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
 	$(LDFLAGS) -o $@
 SOURCES = $(charon_nm_SOURCES)
 DIST_SOURCES = $(charon_nm_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
@@ -96,6 +118,8 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -112,6 +136,7 @@ EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
@@ -180,8 +205,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -237,7 +260,6 @@ nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
@@ -332,8 +354,11 @@ $(ACLOCAL_M4):  $(am__aclocal_m4_deps)
 $(am__aclocal_m4_deps):
 install-ipsecPROGRAMS: $(ipsec_PROGRAMS)
 	@$(NORMAL_INSTALL)
-	test -z "$(ipsecdir)" || $(MKDIR_P) "$(DESTDIR)$(ipsecdir)"
 	@list='$(ipsec_PROGRAMS)'; test -n "$(ipsecdir)" || list=; \
+	if test -n "$$list"; then \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(ipsecdir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(ipsecdir)" || exit 1; \
+	fi; \
 	for p in $$list; do echo "$$p $$p"; done | \
 	sed 's/$(EXEEXT)$$//' | \
 	while read p p1; do if test -f $$p || test -f $$p1; \
diff --git a/src/charon-nm/nm/nm_backend.c b/src/charon-nm/nm/nm_backend.c
index 5bb2ed930..c18bf992a 100644
--- a/src/charon-nm/nm/nm_backend.c
+++ b/src/charon-nm/nm/nm_backend.c
@@ -173,6 +173,10 @@ void nm_backend_register()
 		PLUGIN_CALLBACK((plugin_feature_callback_t)nm_backend_cb, NULL),
 			PLUGIN_PROVIDE(CUSTOM, "NetworkManager backend"),
 				PLUGIN_DEPENDS(CUSTOM, "libcharon"),
+				PLUGIN_SDEPEND(PRIVKEY, KEY_RSA),
+				PLUGIN_SDEPEND(PRIVKEY, KEY_ECDSA),
+				PLUGIN_SDEPEND(CERT_DECODE, CERT_ANY),
+				PLUGIN_SDEPEND(CERT_DECODE, CERT_X509),
 	};
 	lib->plugins->add_static_features(lib->plugins, "nm-backend", features,
 									  countof(features), TRUE);
diff --git a/src/charon-nm/nm/nm_service.c b/src/charon-nm/nm/nm_service.c
index eb187496d..901abd348 100644
--- a/src/charon-nm/nm/nm_service.c
+++ b/src/charon-nm/nm/nm_service.c
@@ -1,4 +1,5 @@
 /*
+ * Copyright (C) 2013 Tobias Brunner
  * Copyright (C) 2008-2009 Martin Willi
  * Hochschule fuer Technik Rapperswil
  *
@@ -22,6 +23,7 @@
 #include <utils/identification.h>
 #include <config/peer_cfg.h>
 #include <credentials/certificates/x509.h>
+#include <networking/tun_device.h>
 
 #include <stdio.h>
 
@@ -41,6 +43,8 @@ typedef struct {
 	nm_creds_t *creds;
 	/* attribute handler for DNS/NBNS server information */
 	nm_handler_t *handler;
+	/* dummy TUN device */
+	tun_device_t *tun;
 	/* name of the connection */
 	char *name;
 } NMStrongswanPluginPrivate;
@@ -80,23 +84,33 @@ static GValue* handler_to_val(nm_handler_t *handler,
 static void signal_ipv4_config(NMVPNPlugin *plugin,
 							   ike_sa_t *ike_sa, child_sa_t *child_sa)
 {
+	NMStrongswanPluginPrivate *priv = NM_STRONGSWAN_PLUGIN_GET_PRIVATE(plugin);
 	GValue *val;
 	GHashTable *config;
+	enumerator_t *enumerator;
 	host_t *me;
 	nm_handler_t *handler;
 
 	config = g_hash_table_new(g_str_hash, g_str_equal);
-	me = ike_sa->get_my_host(ike_sa);
-	handler = NM_STRONGSWAN_PLUGIN_GET_PRIVATE(plugin)->handler;
+	handler = priv->handler;
 
 	/* NM requires a tundev, but netkey does not use one. Passing the physical
-	 * interface does not work, as NM fiddles around with it. Passing the
-	 * loopback seems to work, though... */
+	 * interface does not work, as NM fiddles around with it. So we pass a dummy
+	 * TUN device along for NM to play with... */
 	val = g_slice_new0 (GValue);
 	g_value_init (val, G_TYPE_STRING);
-	g_value_set_string (val, "lo");
+	g_value_set_string (val, priv->tun->get_name(priv->tun));
 	g_hash_table_insert (config, NM_VPN_PLUGIN_IP4_CONFIG_TUNDEV, val);
 
+	/* NM installs this IP address on the interface above, so we use the VIP if
+	 * we got one.
+	 */
+	enumerator = ike_sa->create_virtual_ip_enumerator(ike_sa, TRUE);
+	if (!enumerator->enumerate(enumerator, &me))
+	{
+		me = ike_sa->get_my_host(ike_sa);
+	}
+	enumerator->destroy(enumerator);
 	val = g_slice_new0(GValue);
 	g_value_init(val, G_TYPE_UINT);
 	g_value_set_uint(val, *(u_int32_t*)me->get_address(me).ptr);
@@ -107,6 +121,14 @@ static void signal_ipv4_config(NMVPNPlugin *plugin,
 	g_value_set_uint(val, me->get_address(me).len * 8);
 	g_hash_table_insert(config, NM_VPN_PLUGIN_IP4_CONFIG_PREFIX, val);
 
+	/* prevent NM from changing the default route. we set our own route in our
+	 * own routing table
+	 */
+	val = g_slice_new0(GValue);
+	g_value_init(val, G_TYPE_BOOLEAN);
+	g_value_set_boolean(val, TRUE);
+	g_hash_table_insert(config, NM_VPN_PLUGIN_IP4_CONFIG_NEVER_DEFAULT, val);
+
 	val = handler_to_val(handler, INTERNAL_IP4_DNS);
 	g_hash_table_insert(config, NM_VPN_PLUGIN_IP4_CONFIG_DNS, val);
 
@@ -303,6 +325,13 @@ static gboolean connect_(NMVPNPlugin *plugin, NMConnection *connection,
 		 priv->name);
 	DBG4(DBG_CFG, "%s",
 		 nm_setting_to_string(NM_SETTING(vpn)));
+	if (!priv->tun)
+	{
+		g_set_error(err, NM_VPN_PLUGIN_ERROR, NM_VPN_PLUGIN_ERROR_LAUNCH_FAILED,
+					"Failed to create dummy TUN device.");
+		gateway->destroy(gateway);
+		return FALSE;
+	}
 	address = nm_setting_vpn_get_data_item(vpn, "address");
 	if (!address || !*address)
 	{
@@ -501,7 +530,7 @@ static gboolean connect_(NMVPNPlugin *plugin, NMConnection *connection,
 	ike_cfg = ike_cfg_create(IKEV2, TRUE, encap, "0.0.0.0", FALSE,
 							 charon->socket->get_port(charon->socket, FALSE),
 							(char*)address, FALSE, IKEV2_UDP_PORT,
-							 FRAGMENTATION_NO);
+							 FRAGMENTATION_NO, 0);
 	ike_cfg->add_proposal(ike_cfg, proposal_create_default(PROTO_IKE));
 	peer_cfg = peer_cfg_create(priv->name, ike_cfg,
 					CERT_SEND_IF_ASKED, UNIQUE_REPLACE, 1, /* keyingtries */
@@ -680,6 +709,25 @@ static void nm_strongswan_plugin_init(NMStrongswanPlugin *plugin)
 	memset(&priv->listener, 0, sizeof(listener_t));
 	priv->listener.child_updown = child_updown;
 	priv->listener.ike_rekey = ike_rekey;
+	priv->tun = tun_device_create(NULL);
+	priv->name = NULL;
+}
+
+/**
+ * Destructor
+ */
+static void nm_strongswan_plugin_dispose(GObject *obj)
+{
+	NMStrongswanPlugin *plugin;
+	NMStrongswanPluginPrivate *priv;
+
+	plugin = NM_STRONGSWAN_PLUGIN(obj);
+	priv = NM_STRONGSWAN_PLUGIN_GET_PRIVATE(plugin);
+	if (priv->tun)
+	{
+		priv->tun->destroy(priv->tun);
+		priv->tun = NULL;
+	}
 }
 
 /**
@@ -695,6 +743,7 @@ static void nm_strongswan_plugin_class_init(
 	parent_class->connect = connect_;
 	parent_class->need_secrets = need_secrets;
 	parent_class->disconnect = disconnect;
+	G_OBJECT_CLASS(strongswan_class)->dispose = nm_strongswan_plugin_dispose;
 }
 
 /**
@@ -711,11 +760,10 @@ NMStrongswanPlugin *nm_strongswan_plugin_new(nm_creds_t *creds,
 	{
 		NMStrongswanPluginPrivate *priv;
 
+		/* the rest of the initialization happened in _init above */
 		priv = NM_STRONGSWAN_PLUGIN_GET_PRIVATE(plugin);
 		priv->creds = creds;
 		priv->handler = handler;
-		priv->name = NULL;
 	}
 	return plugin;
 }
-
diff --git a/src/charon-nm/nm/nm_service.h b/src/charon-nm/nm/nm_service.h
index 828d1a452..0cb23e120 100644
--- a/src/charon-nm/nm/nm_service.h
+++ b/src/charon-nm/nm/nm_service.h
@@ -29,11 +29,11 @@
 #include "nm_handler.h"
 
 #define NM_TYPE_STRONGSWAN_PLUGIN            (nm_strongswan_plugin_get_type ())
-#define NM_STRONGSWAN_PLUGIN(obj)            (G_TYPE_CHECK_INSTANCE_CAST ((obj), NM_TYPE_STRONGSWAN_PLUGIN, NMSTRONGSWANPlugin))
-#define NM_STRONGSWAN_PLUGIN_CLASS(klass)    (G_TYPE_CHECK_CLASS_CAST ((klass), NM_TYPE_STRONGSWAN_PLUGIN, NMSTRONGSWANPluginClass))
+#define NM_STRONGSWAN_PLUGIN(obj)            (G_TYPE_CHECK_INSTANCE_CAST ((obj), NM_TYPE_STRONGSWAN_PLUGIN, NMStrongswanPlugin))
+#define NM_STRONGSWAN_PLUGIN_CLASS(klass)    (G_TYPE_CHECK_CLASS_CAST ((klass), NM_TYPE_STRONGSWAN_PLUGIN, NMStrongswanPluginClass))
 #define NM_IS_STRONGSWAN_PLUGIN(obj)         (G_TYPE_CHECK_INSTANCE_TYPE ((obj), NM_TYPE_STRONGSWAN_PLUGIN))
 #define NM_IS_STRONGSWAN_PLUGIN_CLASS(klass) (G_TYPE_CHECK_CLASS_TYPE ((obj), NM_TYPE_STRONGSWAN_PLUGIN))
-#define NM_STRONGSWAN_PLUGIN_GET_CLASS(obj)  (G_TYPE_INSTANCE_GET_CLASS ((obj), NM_TYPE_STRONGSWAN_PLUGIN, NMSTRONGSWANPluginClass))
+#define NM_STRONGSWAN_PLUGIN_GET_CLASS(obj)  (G_TYPE_INSTANCE_GET_CLASS ((obj), NM_TYPE_STRONGSWAN_PLUGIN, NMStrongswanPluginClass))
 
 #define NM_DBUS_SERVICE_STRONGSWAN    "org.freedesktop.NetworkManager.strongswan"
 #define NM_DBUS_INTERFACE_STRONGSWAN  "org.freedesktop.NetworkManager.strongswan"
diff --git a/src/charon-tkm/Makefile.am b/src/charon-tkm/Makefile.am
new file mode 100644
index 000000000..457e5e44e
--- /dev/null
+++ b/src/charon-tkm/Makefile.am
@@ -0,0 +1,54 @@
+SRC = $(top_builddir)/src
+
+# includes relative to obj directory
+INCLUDES = \
+	-include $(top_builddir)/config.h \
+	-I../$(SRC)/libstrongswan \
+	-I../$(SRC)/libhydra \
+	-I../$(SRC)/libcharon
+
+LIBLD = \
+	-L$(SRC)/libstrongswan/.libs \
+	-L$(SRC)/libhydra/.libs \
+	-L$(SRC)/libcharon/.libs
+LIBPT = $(SRC)/libstrongswan/.libs:$(SRC)/libhydra/.libs:$(SRC)/libcharon/.libs
+LIBFL = -lstrongswan -lhydra -lcharon
+
+DEFS += -DPLUGINS=\""$(PLUGINS)\"" -DIPSEC_PIDDIR=\"${piddir}\"
+
+BUILD_OPTS = \
+	-XOBJ_DIR=$(CURDIR)/obj \
+	-cargs $(INCLUDES) $(DEFS) \
+	-largs $(LIBLD) $(LIBFL)
+
+# plugins to enable
+PLUGINS = \
+	kernel-netlink \
+	pem \
+	socket-default \
+	openssl \
+	stroke
+
+all: build_charon
+
+build_charon: build_charon.gpr src/charon-tkm.c
+	@$(GPRBUILD) -p $< $(BUILD_OPTS)
+
+build_tests: build_tests.gpr
+	@$(GPRBUILD) -p $< $(BUILD_OPTS) -cargs @CHECK_CFLAGS@ -largs @CHECK_LIBS@
+
+if UNITTESTS
+check: build_tests
+	@LD_LIBRARY_PATH=$(LIBPT) obj/test_runner
+else
+check:
+	@echo "reconfigure with --enable-unit-tests"
+endif
+
+install: build_charon
+	$(INSTALL) -m 755 obj/charon-tkm $(DESTDIR)$(ipsecdir)
+
+clean:
+	rm -rf obj
+
+EXTRA_DIST = build_charon.gpr build_common.gpr build_tests.gpr src tests
diff --git a/src/charon-tkm/Makefile.in b/src/charon-tkm/Makefile.in
new file mode 100644
index 000000000..74e842115
--- /dev/null
+++ b/src/charon-tkm/Makefile.in
@@ -0,0 +1,506 @@
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
+pkgdatadir = $(datadir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+subdir = src/charon-tkm
+DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+	$(top_srcdir)/m4/config/ltoptions.m4 \
+	$(top_srcdir)/m4/config/ltsugar.m4 \
+	$(top_srcdir)/m4/config/ltversion.m4 \
+	$(top_srcdir)/m4/config/lt~obsolete.m4 \
+	$(top_srcdir)/m4/macros/with.m4 \
+	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
+	$(top_srcdir)/configure.in
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+	$(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_HEADER = $(top_builddir)/config.h
+CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
+SOURCES =
+DIST_SOURCES =
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
+AMTAR = @AMTAR@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+BFDLIB = @BFDLIB@
+BTLIB = @BTLIB@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@ -DPLUGINS=\""$(PLUGINS)\"" -DIPSEC_PIDDIR=\"${piddir}\"
+DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
+DSYMUTIL = @DSYMUTIL@
+DUMPBIN = @DUMPBIN@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+FGREP = @FGREP@
+GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
+GREP = @GREP@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LD = @LD@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LIPO = @LIPO@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
+MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
+NM = @NM@
+NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
+PTHREADLIB = @PTHREADLIB@
+RANLIB = @RANLIB@
+RTLIB = @RTLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
+SED = @SED@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
+STRIP = @STRIP@
+VERSION = @VERSION@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+attest_plugins = @attest_plugins@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+c_plugins = @c_plugins@
+charon_natt_port = @charon_natt_port@
+charon_plugins = @charon_plugins@
+charon_udp_port = @charon_udp_port@
+clearsilver_LIBS = @clearsilver_LIBS@
+datadir = @datadir@
+datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
+dev_headers = @dev_headers@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+gtk_CFLAGS = @gtk_CFLAGS@
+gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+imcvdir = @imcvdir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+ipsec_script = @ipsec_script@
+ipsec_script_upper = @ipsec_script_upper@
+ipsecdir = @ipsecdir@
+ipsecgroup = @ipsecgroup@
+ipseclibdir = @ipseclibdir@
+ipsecuser = @ipsecuser@
+libdir = @libdir@
+libexecdir = @libexecdir@
+linux_headers = @linux_headers@
+localedir = @localedir@
+localstatedir = @localstatedir@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
+mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
+mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
+nm_plugins = @nm_plugins@
+oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+pcsclite_CFLAGS = @pcsclite_CFLAGS@
+pcsclite_LIBS = @pcsclite_LIBS@
+pdfdir = @pdfdir@
+piddir = @piddir@
+pki_plugins = @pki_plugins@
+plugindir = @plugindir@
+pool_plugins = @pool_plugins@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+random_device = @random_device@
+resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
+sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
+sharedstatedir = @sharedstatedir@
+soup_CFLAGS = @soup_CFLAGS@
+soup_LIBS = @soup_LIBS@
+srcdir = @srcdir@
+starter_plugins = @starter_plugins@
+strongswan_conf = @strongswan_conf@
+sysconfdir = @sysconfdir@
+systemdsystemunitdir = @systemdsystemunitdir@
+target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+urandom_device = @urandom_device@
+xml_CFLAGS = @xml_CFLAGS@
+xml_LIBS = @xml_LIBS@
+SRC = $(top_builddir)/src
+
+# includes relative to obj directory
+INCLUDES = \
+	-include $(top_builddir)/config.h \
+	-I../$(SRC)/libstrongswan \
+	-I../$(SRC)/libhydra \
+	-I../$(SRC)/libcharon
+
+LIBLD = \
+	-L$(SRC)/libstrongswan/.libs \
+	-L$(SRC)/libhydra/.libs \
+	-L$(SRC)/libcharon/.libs
+
+LIBPT = $(SRC)/libstrongswan/.libs:$(SRC)/libhydra/.libs:$(SRC)/libcharon/.libs
+LIBFL = -lstrongswan -lhydra -lcharon
+BUILD_OPTS = \
+	-XOBJ_DIR=$(CURDIR)/obj \
+	-cargs $(INCLUDES) $(DEFS) \
+	-largs $(LIBLD) $(LIBFL)
+
+
+# plugins to enable
+PLUGINS = \
+	kernel-netlink \
+	pem \
+	socket-default \
+	openssl \
+	stroke
+
+EXTRA_DIST = build_charon.gpr build_common.gpr build_tests.gpr src tests
+all: all-am
+
+.SUFFIXES:
+$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
+	@for dep in $?; do \
+	  case '$(am__configure_deps)' in \
+	    *$$dep*) \
+	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+	        && { if test -f $@; then exit 0; else break; fi; }; \
+	      exit 1;; \
+	  esac; \
+	done; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/charon-tkm/Makefile'; \
+	$(am__cd) $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu src/charon-tkm/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+	@case '$?' in \
+	  *config.status*) \
+	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+	  *) \
+	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+	esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure:  $(am__configure_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+tags: TAGS
+TAGS:
+
+ctags: CTAGS
+CTAGS:
+
+
+distdir: $(DISTFILES)
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
+	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d "$(distdir)/$$file"; then \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
+	  else \
+	    test -f "$(distdir)/$$file" \
+	    || cp -p $$d/$$file "$(distdir)/$$file" \
+	    || exit 1; \
+	  fi; \
+	done
+check-am: all-am
+check: check-am
+all-am: Makefile
+installdirs:
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
+
+maintainer-clean-generic:
+	@echo "This command is intended for maintainers to use"
+	@echo "it deletes files that may require special tools to rebuild."
+clean-am: clean-generic clean-libtool mostlyclean-am
+
+distclean: distclean-am
+	-rm -f Makefile
+distclean-am: clean-am distclean-generic
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+html-am:
+
+info: info-am
+
+info-am:
+
+install-data-am:
+
+install-dvi: install-dvi-am
+
+install-dvi-am:
+
+install-exec-am:
+
+install-html: install-html-am
+
+install-html-am:
+
+install-info: install-info-am
+
+install-info-am:
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-pdf-am:
+
+install-ps: install-ps-am
+
+install-ps-am:
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+	-rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-generic mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am:
+
+.MAKE: install-am install-strip
+
+.PHONY: all all-am check check-am clean clean-generic clean-libtool \
+	distclean distclean-generic distclean-libtool distdir dvi \
+	dvi-am html html-am info info-am install install-am \
+	install-data install-data-am install-dvi install-dvi-am \
+	install-exec install-exec-am install-html install-html-am \
+	install-info install-info-am install-man install-pdf \
+	install-pdf-am install-ps install-ps-am install-strip \
+	installcheck installcheck-am installdirs maintainer-clean \
+	maintainer-clean-generic mostlyclean mostlyclean-generic \
+	mostlyclean-libtool pdf pdf-am ps ps-am uninstall uninstall-am
+
+
+all: build_charon
+
+build_charon: build_charon.gpr src/charon-tkm.c
+	@$(GPRBUILD) -p $< $(BUILD_OPTS)
+
+build_tests: build_tests.gpr
+	@$(GPRBUILD) -p $< $(BUILD_OPTS) -cargs @CHECK_CFLAGS@ -largs @CHECK_LIBS@
+
+@UNITTESTS_TRUE@check: build_tests
+@UNITTESTS_TRUE@	@LD_LIBRARY_PATH=$(LIBPT) obj/test_runner
+@UNITTESTS_FALSE@check:
+@UNITTESTS_FALSE@	@echo "reconfigure with --enable-unit-tests"
+
+install: build_charon
+	$(INSTALL) -m 755 obj/charon-tkm $(DESTDIR)$(ipsecdir)
+
+clean:
+	rm -rf obj
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/src/charon-tkm/build_charon.gpr b/src/charon-tkm/build_charon.gpr
new file mode 100644
index 000000000..b208667a3
--- /dev/null
+++ b/src/charon-tkm/build_charon.gpr
@@ -0,0 +1,20 @@
+with "build_common";
+
+project Build_Charon is
+
+   for Languages use ("Ada", "C");
+   for Source_Dirs use ("src/**");
+   for Main use ("charon-tkm");
+   for Object_Dir use Build_Common.Obj_Dir;
+
+   package Compiler is
+      for Default_Switches ("ada") use Build_Common.Ada_Compiler_Switches;
+      for Default_Switches ("c") use Build_Common.C_Compiler_Switches
+        & "-Werror";
+   end Compiler;
+
+   package Binder is
+      for Default_Switches ("ada") use Build_Common.Ada_Binder_Switches;
+   end Binder;
+
+end Build_Charon;
diff --git a/src/charon-tkm/build_common.gpr b/src/charon-tkm/build_common.gpr
new file mode 100644
index 000000000..ac322d713
--- /dev/null
+++ b/src/charon-tkm/build_common.gpr
@@ -0,0 +1,25 @@
+with "tkmrpc_client";
+with "tkmrpc_server-ees";
+
+project Build_Common is
+
+   for Source_Dirs use ();
+
+   Obj_Dir := "obj";
+
+   C_Compiler_Switches   := ("-W",
+                             "-Wall",
+                             "-Wno-unused-parameter");
+   Ada_Compiler_Switches := ("-gnatwale",
+                             "-gnatygAdISuxo",
+                             "-gnata",
+                             "-gnatVa",
+                             "-gnat05",
+                             "-gnatf",
+                             "-fstack-check",
+                             "-gnato",
+                             "-g");
+
+   Ada_Binder_Switches   := ("-E");
+
+end Build_Common;
diff --git a/src/charon-tkm/build_tests.gpr b/src/charon-tkm/build_tests.gpr
new file mode 100644
index 000000000..032c7969e
--- /dev/null
+++ b/src/charon-tkm/build_tests.gpr
@@ -0,0 +1,14 @@
+with "build_common";
+
+project Build_Tests is
+
+   for Languages use ("Ada", "C");
+   for Source_Dirs use ("src/ees", "src/ehandler", "src/tkm", "tests");
+   for Main use ("test_runner");
+   for Object_Dir use Build_Common.Obj_Dir;
+
+   package Compiler is
+      for Default_Switches ("c") use Build_Common.C_Compiler_Switches;
+   end Compiler;
+
+end Build_Tests;
diff --git a/src/charon-tkm/src/charon-tkm.c b/src/charon-tkm/src/charon-tkm.c
new file mode 100644
index 000000000..0b39058a6
--- /dev/null
+++ b/src/charon-tkm/src/charon-tkm.c
@@ -0,0 +1,387 @@
+/*
+ * Copyright (C) 2012 Tobias Brunner
+ * Copyright (C) 2012 Reto Buerki
+ * Copyright (C) 2012 Adrian-Ken Rueegsegger
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#define _GNU_SOURCE
+
+#include <stdio.h>
+#include <syslog.h>
+#include <signal.h>
+#include <sys/stat.h>
+#include <sys/types.h>
+#include <unistd.h>
+#include <libgen.h>
+
+#include <hydra.h>
+#include <daemon.h>
+#include <library.h>
+#include <utils/backtrace.h>
+#include <threading/thread.h>
+#include <sa/keymat.h>
+#include <credentials/credential_manager.h>
+
+#include "tkm.h"
+#include "tkm_nonceg.h"
+#include "tkm_diffie_hellman.h"
+#include "tkm_keymat.h"
+#include "tkm_listener.h"
+#include "tkm_kernel_ipsec.h"
+#include "tkm_public_key.h"
+#include "tkm_cred.h"
+#include "tkm_encoder.h"
+
+/**
+ * TKM bus listener for IKE authorize events.
+ */
+static tkm_listener_t *listener;
+
+/**
+ * PID file, in which charon-tkm stores its process id
+ */
+static char *pidfile_name = NULL;
+
+/**
+ * Global reference to PID file (required to truncate, if undeletable)
+ */
+static FILE *pidfile = NULL;
+
+/**
+ * Hook in library for debugging messages
+ */
+extern void (*dbg) (debug_t group, level_t level, char *fmt, ...);
+
+/**
+ * Simple logging hook for library logs, using syslog output
+ */
+static void dbg_syslog(debug_t group, level_t level, char *fmt, ...)
+{
+	if (level <= 1)
+	{
+		char buffer[8192];
+		va_list args;
+
+		va_start(args, fmt);
+		/* write in memory buffer first */
+		vsnprintf(buffer, sizeof(buffer), fmt, args);
+		syslog(LOG_DAEMON|LOG_INFO, "00[%s] %s", debug_names->names[group],
+				buffer);
+		va_end(args);
+	}
+}
+
+/**
+ * Run the daemon and handle unix signals
+ */
+static void run()
+{
+	sigset_t set;
+
+	/* handle SIGINT and SIGTERM in this handler */
+	sigemptyset(&set);
+	sigaddset(&set, SIGINT);
+	sigaddset(&set, SIGTERM);
+	sigprocmask(SIG_BLOCK, &set, NULL);
+
+	while (TRUE)
+	{
+		int sig;
+		int error;
+
+		error = sigwait(&set, &sig);
+		if (error)
+		{
+			DBG1(DBG_DMN, "error %d while waiting for a signal", error);
+			return;
+		}
+		switch (sig)
+		{
+			case SIGINT:
+			{
+				DBG1(DBG_DMN, "signal of type SIGINT received. Shutting down");
+				charon->bus->alert(charon->bus, ALERT_SHUTDOWN_SIGNAL, sig);
+				return;
+			}
+			case SIGTERM:
+			{
+				DBG1(DBG_DMN, "signal of type SIGTERM received. Shutting down");
+				charon->bus->alert(charon->bus, ALERT_SHUTDOWN_SIGNAL, sig);
+				return;
+			}
+			default:
+			{
+				DBG1(DBG_DMN, "unknown signal %d received. Ignored", sig);
+				break;
+			}
+		}
+	}
+}
+
+/**
+ * Handle SIGSEGV/SIGILL signals raised by threads
+ */
+static void segv_handler(int signal)
+{
+	backtrace_t *backtrace;
+
+	DBG1(DBG_DMN, "thread %u received %d", thread_current_id(), signal);
+	backtrace = backtrace_create(2);
+	backtrace->log(backtrace, stderr, TRUE);
+	backtrace->destroy(backtrace);
+
+	DBG1(DBG_DMN, "killing ourself, received critical signal");
+	abort();
+}
+
+/**
+ * Lookup UID and GID
+ */
+static bool lookup_uid_gid()
+{
+#ifdef IPSEC_USER
+	if (!charon->caps->resolve_uid(charon->caps, IPSEC_USER))
+	{
+		return FALSE;
+	}
+#endif
+#ifdef IPSEC_GROUP
+	if (!charon->caps->resolve_gid(charon->caps, IPSEC_GROUP))
+	{
+		return FALSE;
+	}
+#endif
+	return TRUE;
+}
+
+/**
+ * Check/create PID file, return TRUE if already running
+ */
+static bool check_pidfile()
+{
+	struct stat stb;
+
+	if (stat(pidfile_name, &stb) == 0)
+	{
+		pidfile = fopen(pidfile_name, "r");
+		if (pidfile)
+		{
+			char buf[64];
+			pid_t pid = 0;
+
+			memset(buf, 0, sizeof(buf));
+			if (fread(buf, 1, sizeof(buf), pidfile))
+			{
+				buf[sizeof(buf) - 1] = '\0';
+				pid = atoi(buf);
+			}
+			fclose(pidfile);
+			if (pid && kill(pid, 0) == 0)
+			{	/* such a process is running */
+				return TRUE;
+			}
+		}
+		DBG1(DBG_DMN, "removing pidfile '%s', process not running", pidfile_name);
+		unlink(pidfile_name);
+	}
+
+	/* create new pidfile */
+	pidfile = fopen(pidfile_name, "w");
+	if (pidfile)
+	{
+		ignore_result(fchown(fileno(pidfile),
+							 charon->caps->get_uid(charon->caps),
+							 charon->caps->get_gid(charon->caps)));
+		fprintf(pidfile, "%d\n", getpid());
+		fflush(pidfile);
+	}
+	return FALSE;
+}
+
+/**
+ * Delete/truncate the PID file
+ */
+static void unlink_pidfile()
+{
+	/* because unlinking the PID file may fail, we truncate it to ensure the
+	 * daemon can be properly restarted.  one probable cause for this is the
+	 * combination of not running as root and the effective user lacking
+	 * permissions on the parent dir(s) of the PID file */
+	if (pidfile)
+	{
+		ignore_result(ftruncate(fileno(pidfile), 0));
+		fclose(pidfile);
+	}
+	unlink(pidfile_name);
+}
+/**
+ * Main function, starts TKM backend.
+ */
+int main(int argc, char *argv[])
+{
+	char *dmn_name;
+	if (argc > 0 && strlen(argv[0]) > 0)
+	{
+		dmn_name = basename(argv[0]);
+	}
+	else
+	{
+		dmn_name = "charon-tkm";
+	}
+
+	/* TKM credential set */
+	tkm_cred_t *creds;
+
+	struct sigaction action;
+	int status = SS_RC_INITIALIZATION_FAILED;
+
+	/* logging for library during initialization, as we have no bus yet */
+	dbg = dbg_syslog;
+
+	/* initialize library */
+	if (!library_init(NULL))
+	{
+		library_deinit();
+		exit(status);
+	}
+
+	if (!libhydra_init(dmn_name))
+	{
+		dbg_syslog(DBG_DMN, 1, "initialization failed - aborting %s", dmn_name);
+		libhydra_deinit();
+		library_deinit();
+		exit(status);
+	}
+
+	if (!libcharon_init(dmn_name))
+	{
+		dbg_syslog(DBG_DMN, 1, "initialization failed - aborting %s", dmn_name);
+		goto deinit;
+	}
+
+	if (!lookup_uid_gid())
+	{
+		dbg_syslog(DBG_DMN, 1, "invalid uid/gid - aborting %s", dmn_name);
+		goto deinit;
+	}
+
+	/* make sure we log to the DAEMON facility by default */
+	lib->settings->set_int(lib->settings, "%s.syslog.daemon.default",
+			lib->settings->get_int(lib->settings, "%s.syslog.daemon.default", 1,
+								   dmn_name), dmn_name);
+	charon->load_loggers(charon, NULL, FALSE);
+
+	DBG1(DBG_DMN, "Starting charon with TKM backend (strongSwan "VERSION")");
+
+	/* register TKM specific plugins */
+	static plugin_feature_t features[] = {
+		PLUGIN_REGISTER(NONCE_GEN, tkm_nonceg_create),
+			PLUGIN_PROVIDE(NONCE_GEN),
+		PLUGIN_REGISTER(DH, tkm_diffie_hellman_create),
+			PLUGIN_PROVIDE(DH, MODP_2048_BIT),
+			PLUGIN_PROVIDE(DH, MODP_3072_BIT),
+			PLUGIN_PROVIDE(DH, MODP_4096_BIT),
+		PLUGIN_REGISTER(PUBKEY, tkm_public_key_load, TRUE),
+			PLUGIN_PROVIDE(PUBKEY, KEY_RSA),
+			PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_RSA_EMSA_PKCS1_SHA1),
+			PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_RSA_EMSA_PKCS1_SHA256),
+		PLUGIN_CALLBACK(kernel_ipsec_register, tkm_kernel_ipsec_create),
+			PLUGIN_PROVIDE(CUSTOM, "kernel-ipsec"),
+	};
+	lib->plugins->add_static_features(lib->plugins, "tkm-backend", features,
+			countof(features), TRUE);
+
+	/* register TKM keymat variant */
+	keymat_register_constructor(IKEV2, (keymat_constructor_t)tkm_keymat_create);
+
+	/* initialize daemon */
+	if (!charon->initialize(charon, PLUGINS))
+	{
+		DBG1(DBG_DMN, "initialization failed - aborting %s", dmn_name);
+		goto deinit;
+	}
+
+	/* set global pidfile name depending on daemon name */
+	if (asprintf(&pidfile_name, IPSEC_PIDDIR"/%s.pid", dmn_name) < 0)
+	{
+		DBG1(DBG_DMN, "unable to set pidfile name - aborting %s", dmn_name);
+		goto deinit;
+	};
+
+	if (check_pidfile())
+	{
+		DBG1(DBG_DMN, "%s already running (\"%s\" exists)", dmn_name,
+			 pidfile_name);
+		goto deinit;
+	}
+
+	if (!charon->caps->drop(charon->caps))
+	{
+		DBG1(DBG_DMN, "capability dropping failed - aborting %s", dmn_name);
+		goto deinit;
+	}
+
+	/* initialize TKM client */
+	if (!tkm_init())
+	{
+		DBG1(DBG_DMN, "init of TKM client failed - aborting %s", dmn_name);
+		goto deinit;
+	}
+
+	/* register TKM authorization hook */
+	listener = tkm_listener_create();
+	charon->bus->add_listener(charon->bus, &listener->listener);
+
+	/* register TKM credential set */
+	creds = tkm_cred_create();
+	lib->credmgr->add_set(lib->credmgr, (credential_set_t*)creds);
+
+	/* register TKM credential encoder */
+	lib->encoding->add_encoder(lib->encoding, tkm_encoder_encode);
+
+	/* add handler for SEGV and ILL,
+	 * INT and TERM are handled by sigwait() in run() */
+	action.sa_handler = segv_handler;
+	action.sa_flags = 0;
+	sigemptyset(&action.sa_mask);
+	sigaddset(&action.sa_mask, SIGINT);
+	sigaddset(&action.sa_mask, SIGTERM);
+	sigaction(SIGSEGV, &action, NULL);
+	sigaction(SIGILL, &action, NULL);
+	sigaction(SIGBUS, &action, NULL);
+	action.sa_handler = SIG_IGN;
+	sigaction(SIGPIPE, &action, NULL);
+
+	pthread_sigmask(SIG_SETMASK, &action.sa_mask, NULL);
+
+	/* start daemon (i.e. the threads in the thread-pool) */
+	charon->start(charon);
+
+	/* main thread goes to run loop */
+	run();
+
+	unlink_pidfile();
+	status = 0;
+	charon->bus->remove_listener(charon->bus, &listener->listener);
+	listener->destroy(listener);
+	creds->destroy(creds);
+	lib->encoding->remove_encoder(lib->encoding, tkm_encoder_encode);
+
+deinit:
+	libcharon_deinit();
+	libhydra_deinit();
+	library_deinit();
+	tkm_deinit();
+	return status;
+}
diff --git a/src/charon-tkm/src/ees/ees_callbacks.c b/src/charon-tkm/src/ees/ees_callbacks.c
new file mode 100644
index 000000000..2d9653837
--- /dev/null
+++ b/src/charon-tkm/src/ees/ees_callbacks.c
@@ -0,0 +1,40 @@
+/*
+ * Copyright (C) 2012 Reto Buerki
+ * Copyright (C) 2012 Adrian-Ken Rueegsegger
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <hydra.h>
+#include <utils/debug.h>
+#include <tkm/constants.h>
+#include <tkm/types.h>
+
+#include "ees_callbacks.h"
+
+void charon_esa_acquire(result_type *res, const sp_id_type sp_id)
+{
+	DBG1(DBG_KNL, "ees: acquire received for reqid {%d}", sp_id);
+	hydra->kernel_interface->acquire(hydra->kernel_interface, sp_id, NULL,
+									 NULL);
+	*res = TKM_OK;
+}
+
+void charon_esa_expire(result_type *res, const sp_id_type sp_id,
+					   const esp_spi_type spi_rem, const protocol_type protocol,
+					   const expiry_flag_type hard)
+{
+	DBG1(DBG_KNL, "ees: expire received for reqid {%d}", sp_id);
+	hydra->kernel_interface->expire(hydra->kernel_interface, sp_id, protocol,
+									spi_rem, hard != 0);
+	*res = TKM_OK;
+}
diff --git a/src/charon-tkm/src/ees/ees_callbacks.h b/src/charon-tkm/src/ees/ees_callbacks.h
new file mode 100644
index 000000000..b73dc6cb5
--- /dev/null
+++ b/src/charon-tkm/src/ees/ees_callbacks.h
@@ -0,0 +1,42 @@
+/*
+ * Copyright (C) 2012 Reto Buerki
+ * Copyright (C) 2012 Adrian-Ken Rueegsegger
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup tkm-eescallbacks ees callbacks
+ * @{ @ingroup tkm
+ *
+ * ESP SA Event Service (EES) callbacks.
+ * The xfrm-proxy forwards acquire and expire events from the kernel to
+ * charon-tkm using the EES interface. Upon reception of an event the
+ * corresponding callback is executed.
+ */
+
+#ifndef EES_CALLBACKS_H_
+#define EES_CALLBACKS_H_
+
+/**
+ * Process Acquire event for given security policy.
+ */
+void charon_esa_acquire(result_type *res, const sp_id_type sp_id);
+
+/**
+ * Process Expire event for given security policy.
+ */
+void charon_esa_expire(result_type *res, const sp_id_type sp_id,
+					   const esp_spi_type spi_rem, const protocol_type protocol,
+					   const expiry_flag_type hard);
+
+#endif /** EES_CALLBACKS_H_ @}*/
diff --git a/src/charon-tkm/src/ees/esa_event_service.adb b/src/charon-tkm/src/ees/esa_event_service.adb
new file mode 100644
index 000000000..5b5d7003b
--- /dev/null
+++ b/src/charon-tkm/src/ees/esa_event_service.adb
@@ -0,0 +1,57 @@
+--
+--  Copyright (C) 2012 Reto Buerki
+--  Copyright (C) 2012 Adrian-Ken Rueegsegger
+--  Hochschule fuer Technik Rapperswil
+--
+--  This program is free software; you can redistribute it and/or modify it
+--  under the terms of the GNU General Public License as published by the
+--  Free Software Foundation; either version 2 of the License, or (at your
+--  option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+--
+--  This program is distributed in the hope that it will be useful, but
+--  WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+--  or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+--  for more details.
+--
+
+with Anet.Sockets.Unix;
+with Anet.Receivers.Stream;
+
+with Tkmrpc.Dispatchers.Ees;
+with Tkmrpc.Process_Stream;
+
+pragma Elaborate_All (Anet.Receivers.Stream);
+pragma Elaborate_All (Tkmrpc.Process_Stream);
+
+package body Esa_Event_Service
+is
+
+   package Unix_TCP_Receiver is new Anet.Receivers.Stream
+     (Socket_Type => Anet.Sockets.Unix.TCP_Socket_Type);
+
+   procedure Dispatch is new Tkmrpc.Process_Stream
+     (Dispatch => Tkmrpc.Dispatchers.Ees.Dispatch);
+
+   Sock     : aliased Anet.Sockets.Unix.TCP_Socket_Type;
+   Receiver : Unix_TCP_Receiver.Receiver_Type (S => Sock'Access);
+
+   -------------------------------------------------------------------------
+
+   procedure Finalize
+   is
+   begin
+      Receiver.Stop;
+   end Finalize;
+
+   -------------------------------------------------------------------------
+
+   procedure Init (Address : Interfaces.C.Strings.chars_ptr)
+   is
+      Path : constant String := Interfaces.C.Strings.Value (Address);
+   begin
+      Sock.Init;
+      Sock.Bind (Path => Anet.Sockets.Unix.Path_Type (Path));
+      Receiver.Listen (Callback => Dispatch'Access);
+   end Init;
+
+end Esa_Event_Service;
diff --git a/src/charon-tkm/src/ees/esa_event_service.ads b/src/charon-tkm/src/ees/esa_event_service.ads
new file mode 100644
index 000000000..f3630b7ac
--- /dev/null
+++ b/src/charon-tkm/src/ees/esa_event_service.ads
@@ -0,0 +1,30 @@
+--
+--  Copyright (C) 2012 Reto Buerki
+--  Copyright (C) 2012 Adrian-Ken Rueegsegger
+--  Hochschule fuer Technik Rapperswil
+--
+--  This program is free software; you can redistribute it and/or modify it
+--  under the terms of the GNU General Public License as published by the
+--  Free Software Foundation; either version 2 of the License, or (at your
+--  option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+--
+--  This program is distributed in the hope that it will be useful, but
+--  WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+--  or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+--  for more details.
+--
+
+with Interfaces.C.Strings;
+
+package Esa_Event_Service
+is
+
+   procedure Init (Address : Interfaces.C.Strings.chars_ptr);
+   pragma Export (C, Init, "ees_server_init");
+   --  Initialize Esa Event Service (EES) with given address.
+
+   procedure Finalize;
+   pragma Export (C, Finalize, "ees_server_finalize");
+   --  Finalize EES.
+
+end Esa_Event_Service;
diff --git a/src/charon-tkm/src/ees/tkmrpc-servers-ees.adb b/src/charon-tkm/src/ees/tkmrpc-servers-ees.adb
new file mode 100644
index 000000000..2240065c2
--- /dev/null
+++ b/src/charon-tkm/src/ees/tkmrpc-servers-ees.adb
@@ -0,0 +1,65 @@
+package body Tkmrpc.Servers.Ees
+is
+
+   --------------------------------
+   -- charon callback signatures --
+   --------------------------------
+
+   procedure Charon_Esa_Acquire
+     (Result : out Results.Result_Type;
+      Sp_Id  :     Types.Sp_Id_Type);
+   pragma Import (C, Charon_Esa_Acquire, "charon_esa_acquire");
+
+   procedure Charon_Esa_Expire
+     (Result   : out Results.Result_Type;
+      Sp_Id    :     Types.Sp_Id_Type;
+      Spi_Rem  :     Types.Esp_Spi_Type;
+      Protocol :     Types.Protocol_Type;
+      Hard     :     Types.Expiry_Flag_Type);
+   pragma Import (C, Charon_Esa_Expire, "charon_esa_expire");
+
+   -------------------------------------------------------------------------
+
+   procedure Esa_Acquire
+     (Result : out Results.Result_Type;
+      Sp_Id  :     Types.Sp_Id_Type)
+   is
+   begin
+      Charon_Esa_Acquire (Result => Result,
+                          Sp_Id  => Sp_Id);
+   end Esa_Acquire;
+
+   -------------------------------------------------------------------------
+
+   procedure Esa_Expire
+     (Result   : out Results.Result_Type;
+      Sp_Id    :     Types.Sp_Id_Type;
+      Spi_Rem  :     Types.Esp_Spi_Type;
+      Protocol :     Types.Protocol_Type;
+      Hard     :     Types.Expiry_Flag_Type)
+   is
+   begin
+      Charon_Esa_Expire (Result   => Result,
+                         Sp_Id    => Sp_Id,
+                         Spi_Rem  => Spi_Rem,
+                         Protocol => Protocol,
+                         Hard     => Hard);
+   end Esa_Expire;
+
+   -------------------------------------------------------------------------
+
+   procedure Finalize
+   is
+   begin
+      null;
+   end Finalize;
+
+   -------------------------------------------------------------------------
+
+   procedure Init
+   is
+   begin
+      null;
+   end Init;
+
+end Tkmrpc.Servers.Ees;
diff --git a/src/charon-tkm/src/ehandler/eh_callbacks.c b/src/charon-tkm/src/ehandler/eh_callbacks.c
new file mode 100644
index 000000000..7dca97c3e
--- /dev/null
+++ b/src/charon-tkm/src/ehandler/eh_callbacks.c
@@ -0,0 +1,28 @@
+/*
+ * Copyright (C) 2012 Reto Buerki
+ * Copyright (C) 2012 Adrian-Ken Rueegsegger
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <sys/types.h>
+#include <signal.h>
+#include <utils/debug.h>
+
+#include "eh_callbacks.h"
+
+void charon_terminate(char *msg)
+{
+	DBG1(DBG_DMN, "critical TKM error, terminating!");
+	DBG1(DBG_DMN, msg);
+	kill(0, SIGTERM);
+}
diff --git a/src/charon-tkm/src/ehandler/eh_callbacks.h b/src/charon-tkm/src/ehandler/eh_callbacks.h
new file mode 100644
index 000000000..db325dcd2
--- /dev/null
+++ b/src/charon-tkm/src/ehandler/eh_callbacks.h
@@ -0,0 +1,34 @@
+/*
+ * Copyright (C) 2012 Reto Buerki
+ * Copyright (C) 2012 Adrian-Ken Rueegsegger
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup tkm-ehandler exception handler
+ * @{ @ingroup tkm
+ *
+ * The exception handler callback is registered as global exception action in
+ * the Ada runtime. If an exception is raised in Ada code this callback is
+ * executed.
+ */
+
+#ifndef EH_CALLBACKS_H_
+#define EH_CALLBACKS_H_
+
+/**
+ * Log given message and terminate charon.
+ */
+void charon_terminate(char *msg);
+
+#endif /** EH_CALLBACKS_H_ @}*/
diff --git a/src/charon-tkm/src/ehandler/exception_handler.adb b/src/charon-tkm/src/ehandler/exception_handler.adb
new file mode 100644
index 000000000..3f165e1cd
--- /dev/null
+++ b/src/charon-tkm/src/ehandler/exception_handler.adb
@@ -0,0 +1,57 @@
+--
+--  Copyright (C) 2012 Reto Buerki
+--  Copyright (C) 2012 Adrian-Ken Rueegsegger
+--  Hochschule fuer Technik Rapperswil
+--
+--  This program is free software; you can redistribute it and/or modify it
+--  under the terms of the GNU General Public License as published by the
+--  Free Software Foundation; either version 2 of the License, or (at your
+--  option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+--
+--  This program is distributed in the hope that it will be useful, but
+--  WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+--  or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+--  for more details.
+--
+
+with Ada.Exceptions;
+
+with GNAT.Exception_Actions;
+
+with Interfaces.C.Strings;
+
+package body Exception_Handler
+is
+
+   procedure Charon_Terminate (Message : Interfaces.C.Strings.chars_ptr);
+   pragma Import (C, Charon_Terminate, "charon_terminate");
+
+   procedure Bailout (Ex : Ada.Exceptions.Exception_Occurrence);
+   --  Signal critical condition to charon daemon.
+
+   -------------------------------------------------------------------------
+
+   procedure Bailout (Ex : Ada.Exceptions.Exception_Occurrence)
+   is
+   begin
+      if Ada.Exceptions.Exception_Name (Ex) = "_ABORT_SIGNAL" then
+
+         --  Ignore runtime-internal abort signal exception.
+
+         return;
+      end if;
+
+      Charon_Terminate (Message => Interfaces.C.Strings.New_String
+                        (Ada.Exceptions.Exception_Information (Ex)));
+   end Bailout;
+
+   -------------------------------------------------------------------------
+
+   procedure Init
+   is
+   begin
+      GNAT.Exception_Actions.Register_Global_Action
+        (Action => Bailout'Access);
+   end Init;
+
+end Exception_Handler;
diff --git a/src/charon-tkm/src/ehandler/exception_handler.ads b/src/charon-tkm/src/ehandler/exception_handler.ads
new file mode 100644
index 000000000..29dd3d8f4
--- /dev/null
+++ b/src/charon-tkm/src/ehandler/exception_handler.ads
@@ -0,0 +1,24 @@
+--
+--  Copyright (C) 2012 Reto Buerki
+--  Copyright (C) 2012 Adrian-Ken Rueegsegger
+--  Hochschule fuer Technik Rapperswil
+--
+--  This program is free software; you can redistribute it and/or modify it
+--  under the terms of the GNU General Public License as published by the
+--  Free Software Foundation; either version 2 of the License, or (at your
+--  option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+--
+--  This program is distributed in the hope that it will be useful, but
+--  WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+--  or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+--  for more details.
+--
+
+package Exception_Handler
+is
+
+   procedure Init;
+   pragma Export (C, Init, "ehandler_init");
+   --  Register last-chance exception handler.
+
+end Exception_Handler;
diff --git a/src/charon-tkm/src/tkm/.gitignore b/src/charon-tkm/src/tkm/.gitignore
new file mode 100644
index 000000000..b672fdeaf
--- /dev/null
+++ b/src/charon-tkm/src/tkm/.gitignore
@@ -0,0 +1 @@
+obj
diff --git a/src/charon-tkm/src/tkm/tkm.c b/src/charon-tkm/src/tkm/tkm.c
new file mode 100644
index 000000000..a39221dc2
--- /dev/null
+++ b/src/charon-tkm/src/tkm/tkm.c
@@ -0,0 +1,123 @@
+/*
+ * Copyright (C) 2012 Reto Buerki
+ * Copyright (C) 2012 Adrian-Ken Rueegsegger
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <daemon.h>
+
+#include <tkm/client.h>
+#include <tkm/constants.h>
+
+#include "tkm.h"
+
+#define IKE_SOCKET "/tmp/tkm.rpc.ike"
+#define EES_SOCKET "/tmp/tkm.rpc.ees"
+
+typedef struct private_tkm_t private_tkm_t;
+
+extern result_type ees_server_init(const char * const address);
+extern void ees_server_finalize(void);
+extern void ehandler_init(void);
+
+/*
+ * Private additions to tkm_t.
+ */
+struct private_tkm_t {
+
+	/**
+	 * Public members of tkm_t.
+	 */
+	tkm_t public;
+};
+
+/**
+ * Single instance of tkm_t.
+ */
+tkm_t *tkm = NULL;
+
+/**
+ * Described in header.
+ */
+bool tkm_init()
+{
+	private_tkm_t *this;
+	active_requests_type max_requests;
+	char *ikesock, *eessock;
+	tkm_limits_t limits;
+
+	/* initialize TKM client library */
+	tkmlib_init();
+	ehandler_init();
+
+	ikesock = lib->settings->get_str(lib->settings, "%s.ike_socket", IKE_SOCKET,
+									 charon->name);
+	if (ike_init(ikesock) != TKM_OK)
+	{
+		tkmlib_final();
+		return FALSE;
+	}
+	DBG1(DBG_DMN, "connected to TKM via socket '%s'", ikesock);
+
+	eessock = lib->settings->get_str(lib->settings, "%s.ees_socket", EES_SOCKET,
+									 charon->name);
+	ees_server_init(eessock);
+	DBG1(DBG_DMN, "serving EES requests on socket '%s'", eessock);
+
+	if (ike_tkm_reset() != TKM_OK)
+	{
+		ees_server_finalize();
+		tkmlib_final();
+		return FALSE;
+	}
+
+	/* get limits from tkm */
+	if (ike_tkm_limits(&max_requests, &limits[TKM_CTX_NONCE], &limits[TKM_CTX_DH],
+					   &limits[TKM_CTX_CC], &limits[TKM_CTX_AE],
+					   &limits[TKM_CTX_ISA], &limits[TKM_CTX_ESA]) != TKM_OK)
+	{
+		ees_server_finalize();
+		tkmlib_final();
+		return FALSE;
+	}
+
+	INIT(this,
+		.public = {
+			.idmgr = tkm_id_manager_create(limits),
+			.chunk_map = tkm_chunk_map_create(),
+		},
+	);
+	tkm = &this->public;
+
+	return TRUE;
+}
+
+/**
+ * Described in header.
+ */
+void tkm_deinit()
+{
+	if (!tkm)
+	{
+		return;
+	}
+	private_tkm_t *this = (private_tkm_t*)tkm;
+	this->public.idmgr->destroy(this->public.idmgr);
+	this->public.chunk_map->destroy(this->public.chunk_map);
+
+	ees_server_finalize();
+
+	tkmlib_final();
+	free(this);
+	tkm = NULL;
+}
diff --git a/src/charon-tkm/src/tkm/tkm.h b/src/charon-tkm/src/tkm/tkm.h
new file mode 100644
index 000000000..fb5acd117
--- /dev/null
+++ b/src/charon-tkm/src/tkm/tkm.h
@@ -0,0 +1,113 @@
+/*
+ * Copyright (C) 2012 Reto Buerki
+ * Copyright (C) 2012 Adrian-Ken Rueegsegger
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup tkm tkm
+ *
+ * @addtogroup tkm
+ * @{
+ *
+ * Untrusted IKEv2 component used with Trusted Key Manager for IKE
+ * disaggregation.
+ *
+ * The untrusted IKEv2 component used in conjunction with the Trusted Key
+ * Manager infrastructure is implemented as a separate charon instance located
+ * in its own directory below the strongSwan top-level source directory
+ * (src/charon-tkm). This has the advantage that the TKM code is contained and
+ * does not mix with other strongSwan files. The charon-tkm binary startup code
+ * is modeled after the charon-nm instance, a special charon daemon variant to
+ * be used with the GNOME NetworkManager project. The major difference is the
+ * registration of custom TKM plugins as the final step of the startup phase.
+ * The charon-tkm daemon does not rely on the dynamic plugin loading mechanism
+ * for its core plugins, they are statically registered before entering the main
+ * processing loop.
+ *
+ * The following diagram shows the main components of the system and how they
+ * communicate.
+   @verbatim
+
+       +------------+            +------------+             +------------+
+       | xfrm-proxy |<-[tkm-rpc->| charon-tkm |<-[tkm-rpc]->|    TKM     |
+       +------------+            +------------+             +------------+
+             ^                                                    ^
+    [Netlink | XFRM]                                        [XFRM | Netlink]
+             |                                                    v
+       +-----------------------------------------------------------------+
+       |                            Kernel                               |
+       +-----------------------------------------------------------------+
+
+   @endverbatim
+ * Since the charon-tkm code uses the tkm-rpc library written in Ada, the daemon
+ * has to be built using an Ada-aware toolchain. The integration of Ada code
+ * into the strongSwan codebase is explained in the TKM documentation, section
+ * 5.4.1: http://www.codelabs.ch/tkm#anchor-doc.
+ *
+ * The Trusted Key Manager (TKM) is a minimal Trusted Computing Base which
+ * implements security-critical functions of the IKEv2 protocol.
+ *
+ * The xfrm-proxy receives XFRM Acquire and Expiry events from the kernel and
+ * forwards them to the charon-tkm IKE daemon for further processing.
+ *
+ * The underlying concept of IKE disaggregation and the design of TKM and all
+ * related components, of which charon-tkm is one component, is presented in
+ * detail in the project documentation found at
+ * http://www.codelabs.ch/tkm#anchor-doc.
+ */
+
+#ifndef TKM_H_
+#define TKM_H_
+
+#include "tkm_id_manager.h"
+#include "tkm_chunk_map.h"
+
+typedef struct tkm_t tkm_t;
+
+/**
+ * Trusted key manager context, contains tkm related globals.
+ */
+struct tkm_t {
+
+	/**
+	 * Context ID manager.
+	 */
+	tkm_id_manager_t *idmgr;
+
+	/**
+	 * Chunk-to-ID mappings.
+	 */
+	tkm_chunk_map_t *chunk_map;
+
+};
+
+/**
+ * Initialize trusted key manager, creates "tkm" instance.
+ *
+ * @return				FALSE if initialization error occurred
+ */
+bool tkm_init();
+
+/**
+ * Deinitialize trusted key manager, destroys "tkm" instance.
+ */
+void tkm_deinit();
+
+/**
+ * Trusted key manager instance, set after tkm_init() and before tkm_deinit()
+ * calls.
+ */
+extern tkm_t *tkm;
+
+#endif /** TKM_H_ @}*/
diff --git a/src/charon-tkm/src/tkm/tkm_chunk_map.c b/src/charon-tkm/src/tkm/tkm_chunk_map.c
new file mode 100644
index 000000000..03ff22836
--- /dev/null
+++ b/src/charon-tkm/src/tkm/tkm_chunk_map.c
@@ -0,0 +1,171 @@
+/*
+ * Copyright (C) 2012 Reto Buerki
+ * Copyright (C) 2012 Adrian-Ken Rueegsegger
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <collections/hashtable.h>
+#include <threading/rwlock.h>
+#include <utils/chunk.h>
+#include <utils/debug.h>
+
+#include "tkm_chunk_map.h"
+
+typedef struct private_tkm_chunk_map_t private_tkm_chunk_map_t;
+
+/**
+ * Private data of tkm chunk map.
+ */
+struct private_tkm_chunk_map_t {
+
+	/**
+	 * public functions
+	 */
+	tkm_chunk_map_t public;
+
+	/**
+	 * Hashtable to store mappings.
+	 */
+	hashtable_t *mappings;
+
+	/**
+	 * rwlock for table.
+	 */
+	rwlock_t *lock;
+
+};
+
+/**
+ * Entry for hashtables
+ */
+typedef struct {
+	/** Key chunk */
+	chunk_t key;
+	/** Entry value */
+	uint64_t value;
+} entry_t;
+
+/**
+ * Destroy a hashtable entry
+ */
+static void entry_destroy(entry_t *this)
+{
+	chunk_free(&this->key);
+	free(this);
+}
+
+METHOD(tkm_chunk_map_t, insert, void,
+	private_tkm_chunk_map_t * const this, const chunk_t * const data,
+	const uint64_t id)
+{
+	entry_t *entry;
+	INIT(entry,
+		.key = chunk_clone(*data),
+		.value = id
+	);
+
+	this->lock->write_lock(this->lock);
+	entry = this->mappings->put(this->mappings, (void*)&entry->key, entry);
+	this->lock->unlock(this->lock);
+
+	if (entry)
+	{
+		entry_destroy(entry);
+	}
+}
+
+METHOD(tkm_chunk_map_t, get_id, uint64_t,
+	private_tkm_chunk_map_t * const this, chunk_t *data)
+{
+	entry_t *entry;
+	this->lock->read_lock(this->lock);
+	entry = this->mappings->get(this->mappings, data);
+	this->lock->unlock(this->lock);
+
+	if (!entry)
+	{
+		return 0;
+	}
+
+	return entry->value;
+}
+
+METHOD(tkm_chunk_map_t, remove_, bool,
+	private_tkm_chunk_map_t * const this, chunk_t *data)
+{
+	entry_t *entry;
+
+	this->lock->write_lock(this->lock);
+	entry = this->mappings->remove(this->mappings, data);
+	this->lock->unlock(this->lock);
+
+	if (entry)
+	{
+		entry_destroy(entry);
+		return TRUE;
+	}
+	else
+	{
+		return FALSE;
+	}
+}
+
+METHOD(tkm_chunk_map_t, destroy, void,
+	private_tkm_chunk_map_t *this)
+{
+	entry_t *entry;
+	enumerator_t *enumerator;
+
+	this->lock->write_lock(this->lock);
+	enumerator = this->mappings->create_enumerator(this->mappings);
+	while (enumerator->enumerate(enumerator, NULL, &entry))
+	{
+		entry_destroy(entry);
+	}
+	enumerator->destroy(enumerator);
+	this->lock->unlock(this->lock);
+
+	this->mappings->destroy(this->mappings);
+	this->lock->destroy(this->lock);
+	free(this);
+}
+
+/**
+ * Hashtable hash function.
+ */
+static u_int hash(chunk_t *key)
+{
+	return chunk_hash(*key);
+}
+
+/*
+ * see header file
+ */
+tkm_chunk_map_t *tkm_chunk_map_create()
+{
+	private_tkm_chunk_map_t *this;
+
+	INIT(this,
+		.public = {
+			.insert = _insert,
+			.get_id = _get_id,
+			.remove = _remove_,
+			.destroy = _destroy,
+		},
+		.lock = rwlock_create(RWLOCK_TYPE_DEFAULT),
+		.mappings = hashtable_create((hashtable_hash_t)hash,
+									 (hashtable_equals_t)chunk_equals_ptr, 32),
+	);
+
+	return &this->public;
+}
diff --git a/src/charon-tkm/src/tkm/tkm_chunk_map.h b/src/charon-tkm/src/tkm/tkm_chunk_map.h
new file mode 100644
index 000000000..c183937c1
--- /dev/null
+++ b/src/charon-tkm/src/tkm/tkm_chunk_map.h
@@ -0,0 +1,72 @@
+/*
+ * Copyright (C) 2012 Reto Buerki
+ * Copyright (C) 2012 Adrian-Ken Rueegsegger
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup tkm-chunk-map chunk map
+ * @{ @ingroup tkm
+ */
+
+#ifndef TKM_CHUNK_MAP_H_
+#define TKM_CHUNK_MAP_H_
+
+#include <stdint.h>
+#include <utils/chunk.h>
+
+typedef struct tkm_chunk_map_t tkm_chunk_map_t;
+
+/**
+ * The tkm chunk map handles mappings of chunks to ids.
+ */
+struct tkm_chunk_map_t {
+
+	/**
+	 * Store new mapping for given chunk and id.
+	 *
+	 * @param data	data associated with id
+	 * @param id	id associated with data
+	 */
+	void (*insert)(tkm_chunk_map_t * const this, const chunk_t * const data,
+				   const uint64_t id);
+
+	/**
+	 * Get id for given chunk.
+	 *
+	 * @param data	data specifying the mapping
+	 * @return		id of given chunk, 0 if not found
+	 */
+	uint64_t (*get_id)(tkm_chunk_map_t * const this, chunk_t *data);
+
+	/**
+	 * Remove mapping for given chunk.
+	 *
+	 * @param data	data specifying the mapping to remove
+	 * @return		TRUE if mapping was removed, FALSE otherwise
+	 */
+	bool (*remove)(tkm_chunk_map_t * const this, chunk_t *data);
+
+	/**
+	 * Destroy a tkm chunk map instance.
+	 */
+	void (*destroy)(tkm_chunk_map_t *this);
+
+};
+
+/**
+ * Create a tkm chunk map instance.
+ */
+tkm_chunk_map_t *tkm_chunk_map_create();
+
+#endif /** TKM_CHUNK_MAP_H_ @}*/
diff --git a/src/charon-tkm/src/tkm/tkm_cred.c b/src/charon-tkm/src/tkm/tkm_cred.c
new file mode 100644
index 000000000..d9517f908
--- /dev/null
+++ b/src/charon-tkm/src/tkm/tkm_cred.c
@@ -0,0 +1,148 @@
+/*
+ * Copyright (C) 2012 Reto Buerki
+ * Copyright (C) 2012 Adrian-Ken Rueegsegger
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <credentials/sets/mem_cred.h>
+#include <collections/hashtable.h>
+#include <threading/rwlock.h>
+#include <utils/debug.h>
+
+#include "tkm_private_key.h"
+#include "tkm_cred.h"
+
+typedef struct private_tkm_cred_t private_tkm_cred_t;
+
+/**
+ * Private data of a tkm_cred_t object.
+ */
+struct private_tkm_cred_t {
+
+	/**
+	 * Public tkm_cred_t interface.
+	 */
+	tkm_cred_t public;
+
+	/**
+	 * In-memory credential set.
+	 */
+	mem_cred_t *creds;
+
+	/**
+	 * Key-id hashtable.
+	 */
+	hashtable_t *known_keys;
+
+	/**
+	 * rwlock for hashtable.
+	 */
+	rwlock_t *lock;
+
+};
+
+METHOD(credential_set_t, create_private_enumerator, enumerator_t*,
+	private_tkm_cred_t *this, key_type_t type, identification_t *id)
+{
+	identification_t *entry;
+
+	if (!id)
+	{
+		return this->known_keys->create_enumerator(this->known_keys);
+	}
+
+	this->lock->write_lock(this->lock);
+	entry = this->known_keys->get(this->known_keys, id);
+
+	if (!entry)
+	{
+		identification_t *clone = id->clone(id);
+		tkm_private_key_t *key = tkm_private_key_init(id);
+
+		DBG1(DBG_CFG, "adding private key proxy for id '%Y'", clone);
+		if (!key)
+		{
+			DBG1(DBG_CFG, "unable to create private key for id '%Y'", clone);
+			this->lock->unlock(this->lock);
+			return NULL;
+		}
+		this->creds->add_key(this->creds, (private_key_t *)key);
+		entry = this->known_keys->put(this->known_keys, clone, clone);
+	}
+	this->lock->unlock(this->lock);
+
+	return this->creds->set.create_private_enumerator(&this->creds->set,
+													  type, id);
+}
+
+METHOD(tkm_cred_t, destroy, void,
+	private_tkm_cred_t *this)
+{
+	enumerator_t *enumerator;
+	identification_t *entry;
+
+	enumerator = this->known_keys->create_enumerator(this->known_keys);
+	while (enumerator->enumerate(enumerator, NULL, &entry))
+	{
+		entry->destroy(entry);
+	}
+	enumerator->destroy(enumerator);
+	this->known_keys->destroy(this->known_keys);
+
+	this->creds->destroy(this->creds);
+	this->lock->destroy(this->lock);
+	free(this);
+}
+
+/**
+ * Hashtable hash function.
+ */
+static u_int hash(identification_t *id)
+{
+	return chunk_hash(id->get_encoding(id));
+}
+
+/**
+ * Hashtable equals function.
+ */
+static bool equals(identification_t *a, identification_t *b)
+{
+	return a->equals(a, b);
+}
+
+/**
+ * See header
+ */
+tkm_cred_t *tkm_cred_create()
+{
+	private_tkm_cred_t *this;
+
+	INIT(this,
+		.public = {
+			.set = {
+				.create_shared_enumerator = (void*)return_null,
+				.create_private_enumerator = _create_private_enumerator,
+				.create_cert_enumerator = (void*)return_null,
+				.create_cdp_enumerator = (void*)return_null,
+				.cache_cert = (void*)nop,
+			},
+			.destroy = _destroy,
+		},
+		.creds = mem_cred_create(),
+		.lock = rwlock_create(RWLOCK_TYPE_DEFAULT),
+		.known_keys = hashtable_create((hashtable_hash_t)hash,
+									   (hashtable_equals_t)equals, 4),
+	);
+
+	return &this->public;
+}
diff --git a/src/charon-tkm/src/tkm/tkm_cred.h b/src/charon-tkm/src/tkm/tkm_cred.h
new file mode 100644
index 000000000..1cfb5b9c7
--- /dev/null
+++ b/src/charon-tkm/src/tkm/tkm_cred.h
@@ -0,0 +1,51 @@
+/*
+ * Copyright (C) 2012 Reto Buerki
+ * Copyright (C) 2012 Adrian-Ken Rueegsegger
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup tkm-credential credential set
+ * @{ @ingroup tkm
+ */
+
+#ifndef TKM_CRED_H_
+#define TKM_CRED_H_
+
+typedef struct tkm_cred_t tkm_cred_t;
+
+#include <credentials/credential_set.h>
+
+/**
+ * TKM in-memory credential set.
+ */
+struct tkm_cred_t {
+
+	/**
+	 * Implements credential_set_t.
+	 */
+	credential_set_t set;
+
+	/**
+	 * Destroy a tkm_cred_t.
+	 */
+	void (*destroy)(tkm_cred_t *this);
+
+};
+
+/**
+ * Create a tkm_cred instance.
+ */
+tkm_cred_t *tkm_cred_create();
+
+#endif /** TKM_CRED_H_ @}*/
diff --git a/src/charon-tkm/src/tkm/tkm_diffie_hellman.c b/src/charon-tkm/src/tkm/tkm_diffie_hellman.c
new file mode 100644
index 000000000..19f57de01
--- /dev/null
+++ b/src/charon-tkm/src/tkm/tkm_diffie_hellman.c
@@ -0,0 +1,140 @@
+/*
+ * Copyrigth (C) 2012 Reto Buerki
+ * Copyright (C) 2012 Adrian-Ken Rueegsegger
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <tkm/client.h>
+#include <tkm/constants.h>
+
+#include "tkm.h"
+#include "tkm_utils.h"
+#include "tkm_diffie_hellman.h"
+
+#include <utils/debug.h>
+
+typedef struct private_tkm_diffie_hellman_t private_tkm_diffie_hellman_t;
+
+/**
+ * Private data of a tkm_diffie_hellman_t object.
+ */
+struct private_tkm_diffie_hellman_t {
+
+	/**
+	 * Public tkm_diffie_hellman_t interface.
+	 */
+	tkm_diffie_hellman_t public;
+
+	/**
+	 * Diffie Hellman group number.
+	 */
+	u_int16_t group;
+
+	/**
+	 * Diffie Hellman public value.
+	 */
+	dh_pubvalue_type pubvalue;
+
+	/**
+	 * Context id.
+	 */
+	dh_id_type context_id;
+
+};
+
+METHOD(diffie_hellman_t, get_my_public_value, void,
+	private_tkm_diffie_hellman_t *this, chunk_t *value)
+{
+	sequence_to_chunk(this->pubvalue.data, this->pubvalue.size, value);
+}
+
+METHOD(diffie_hellman_t, get_shared_secret, status_t,
+	private_tkm_diffie_hellman_t *this, chunk_t *secret)
+{
+	*secret = chunk_empty;
+	return SUCCESS;
+}
+
+
+METHOD(diffie_hellman_t, set_other_public_value, void,
+	private_tkm_diffie_hellman_t *this, chunk_t value)
+{
+	// TODO: unvoid this function
+
+	dh_pubvalue_type othervalue;
+	othervalue.size = value.len;
+	memcpy(&othervalue.data, value.ptr, value.len);
+
+	ike_dh_generate_key(this->context_id, othervalue);
+}
+
+METHOD(diffie_hellman_t, get_dh_group, diffie_hellman_group_t,
+	private_tkm_diffie_hellman_t *this)
+{
+	return this->group;
+}
+
+METHOD(diffie_hellman_t, destroy, void,
+	private_tkm_diffie_hellman_t *this)
+{
+	if (ike_dh_reset(this->context_id) != TKM_OK)
+	{
+		DBG1(DBG_LIB, "failed to reset DH context %d", this->context_id);
+	}
+
+	tkm->idmgr->release_id(tkm->idmgr, TKM_CTX_DH, this->context_id);
+	free(this);
+}
+
+METHOD(tkm_diffie_hellman_t, get_id, dh_id_type,
+	private_tkm_diffie_hellman_t *this)
+{
+	return this->context_id;
+}
+
+/*
+ * Described in header.
+ */
+tkm_diffie_hellman_t *tkm_diffie_hellman_create(diffie_hellman_group_t group)
+{
+	private_tkm_diffie_hellman_t *this;
+
+	INIT(this,
+		.public = {
+			.dh = {
+				.get_shared_secret = _get_shared_secret,
+				.set_other_public_value = _set_other_public_value,
+				.get_my_public_value = _get_my_public_value,
+				.get_dh_group = _get_dh_group,
+				.destroy = _destroy,
+			},
+			.get_id = _get_id,
+		},
+		.group = group,
+		.context_id = tkm->idmgr->acquire_id(tkm->idmgr, TKM_CTX_DH),
+	);
+
+	if (!this->context_id)
+	{
+		free(this);
+		return NULL;
+	}
+
+	if (ike_dh_create(this->context_id, group, &this->pubvalue) != TKM_OK)
+	{
+		free(this);
+		return NULL;
+	}
+
+	return &this->public;
+}
diff --git a/src/charon-tkm/src/tkm/tkm_diffie_hellman.h b/src/charon-tkm/src/tkm/tkm_diffie_hellman.h
new file mode 100644
index 000000000..a144303fa
--- /dev/null
+++ b/src/charon-tkm/src/tkm/tkm_diffie_hellman.h
@@ -0,0 +1,57 @@
+/*
+ * Copyright (C) 2012 Reto Buerki
+ * Copyright (C) 2012 Adrian-Ken Rueegsegger
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup tkm-dh diffie hellman
+ * @{ @ingroup tkm
+ */
+
+#ifndef TKM_DIFFIE_HELLMAN_H_
+#define TKM_DIFFIE_HELLMAN_H_
+
+typedef struct tkm_diffie_hellman_t tkm_diffie_hellman_t;
+
+#include <library.h>
+#include <tkm/types.h>
+
+/**
+ * diffie_hellman_t implementation using the trusted key manager.
+ */
+struct tkm_diffie_hellman_t {
+
+	/**
+	 * Implements diffie_hellman_t interface.
+	 */
+	diffie_hellman_t dh;
+
+	/**
+	 * Get Diffie-Hellman context id.
+	 *
+	 * @return	id of this DH context.
+	 */
+	dh_id_type (*get_id)(tkm_diffie_hellman_t * const this);
+
+};
+
+/**
+ * Creates a new tkm_diffie_hellman_t object.
+ *
+ * @param group			Diffie Hellman group number to use
+ * @return				tkm_diffie_hellman_t object, NULL if not supported
+ */
+tkm_diffie_hellman_t *tkm_diffie_hellman_create(diffie_hellman_group_t group);
+
+#endif /** TKM_DIFFIE_HELLMAN_H_ @}*/
diff --git a/src/charon-tkm/src/tkm/tkm_encoder.c b/src/charon-tkm/src/tkm/tkm_encoder.c
new file mode 100644
index 000000000..d5367ea78
--- /dev/null
+++ b/src/charon-tkm/src/tkm/tkm_encoder.c
@@ -0,0 +1,106 @@
+/*
+ * Copyright (C) 2013 Reto Buerki
+ * Copyright (C) 2013 Adrian-Ken Rueegsegger
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <utils/debug.h>
+#include <asn1/asn1.h>
+#include <asn1/oid.h>
+
+#include "tkm_encoder.h"
+
+/**
+ * Build the SHA1 hash of pubkey(info) ASN.1 data.
+ */
+static bool hash_pubkey(chunk_t pubkey, chunk_t *hash)
+{
+	hasher_t *hasher;
+
+	hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
+	if (!hasher || !hasher->allocate_hash(hasher, pubkey, hash))
+	{
+		DBG1(DBG_LIB, "SHA1 hash algorithm not supported, "
+			 "fingerprinting failed");
+		DESTROY_IF(hasher);
+		chunk_free(&pubkey);
+		return FALSE;
+	}
+	hasher->destroy(hasher);
+	chunk_free(&pubkey);
+	return TRUE;
+}
+
+/**
+ * Encode the public key blob into subjectPublicKeyInfo.
+ */
+static bool build_pub_info(chunk_t *encoding, va_list args)
+{
+	chunk_t blob;
+
+	if (cred_encoding_args(args, CRED_PART_RSA_PUB_ASN1_DER, &blob,
+						   CRED_PART_END))
+	{
+		*encoding = asn1_wrap(ASN1_SEQUENCE, "mm",
+							  asn1_algorithmIdentifier(OID_RSA_ENCRYPTION),
+							  asn1_bitstring("c", blob));
+		return TRUE;
+	}
+	return FALSE;
+}
+
+/**
+ * Build the fingerprint of the subjectPublicKeyInfo object.
+ */
+static bool build_info_sha1(chunk_t *encoding, va_list args)
+{
+	chunk_t pubkey;
+
+	if (build_pub_info(&pubkey, args))
+	{
+		return hash_pubkey(pubkey, encoding);
+	}
+	return FALSE;
+}
+
+/**
+ * Build the fingerprint of the subjectPublicKey object.
+ */
+static bool build_sha1(chunk_t *encoding, va_list args)
+{
+	chunk_t blob;
+
+	if (cred_encoding_args(args, CRED_PART_RSA_PUB_ASN1_DER, &blob,
+						   CRED_PART_END))
+	{
+		return hash_pubkey(chunk_clone(blob), encoding);
+	}
+	return FALSE;
+}
+
+/**
+ * See header.
+ */
+bool tkm_encoder_encode(cred_encoding_type_t type, chunk_t *encoding,
+						va_list args)
+{
+	switch (type)
+	{
+		case KEYID_PUBKEY_INFO_SHA1:
+			return build_info_sha1(encoding, args);
+		case KEYID_PUBKEY_SHA1:
+			return build_sha1(encoding, args);
+		default:
+			return FALSE;
+	}
+}
diff --git a/src/charon-tkm/src/tkm/tkm_encoder.h b/src/charon-tkm/src/tkm/tkm_encoder.h
new file mode 100644
index 000000000..7c6a4989d
--- /dev/null
+++ b/src/charon-tkm/src/tkm/tkm_encoder.h
@@ -0,0 +1,33 @@
+/*
+ * Copyright (C) 2013 Reto Buerki
+ * Copyright (C) 2013 Adrian-Ken Rueegsegger
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup tkm-credential-enc credential encoder
+ * @{ @ingroup tkm
+ */
+
+#ifndef TKM_ENCODER_H_
+#define TKM_ENCODER_H_
+
+#include <credentials/cred_encoding.h>
+
+/**
+ * Encoding function for TKM key fingerprints.
+ */
+bool tkm_encoder_encode(cred_encoding_type_t type, chunk_t *encoding,
+						va_list args);
+
+#endif /** TKM_ENCODER_H_ @}*/
diff --git a/src/charon-tkm/src/tkm/tkm_id_manager.c b/src/charon-tkm/src/tkm/tkm_id_manager.c
new file mode 100644
index 000000000..407d0a87f
--- /dev/null
+++ b/src/charon-tkm/src/tkm/tkm_id_manager.c
@@ -0,0 +1,168 @@
+/*
+ * Copyright (C) 2012 Reto Buerki
+ * Copyright (C) 2012 Adrian-Ken Rueegsegger
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "tkm_id_manager.h"
+
+#include <utils/debug.h>
+#include <collections/linked_list.h>
+#include <threading/rwlock.h>
+
+#define TKM_LIMIT 100
+
+ENUM_BEGIN(tkm_context_kind_names, TKM_CTX_NONCE, TKM_CTX_ESA,
+	"NONCE_CONTEXT",
+	"DH_CONTEXT",
+	"CC_CONTEXT"
+	"ISA_CONTEXT",
+	"AE_CONTEXT",
+	"ESA_CONTEXT");
+ENUM_END(tkm_context_kind_names, TKM_CTX_ESA);
+
+typedef struct private_tkm_id_manager_t private_tkm_id_manager_t;
+
+/**
+ * private data of tkm_id_manager
+ */
+struct private_tkm_id_manager_t {
+
+	/**
+	 * public functions
+	 */
+	tkm_id_manager_t public;
+
+	/**
+	 * Per-kind array of free context ids
+	 */
+	bool* ctxids[TKM_CTX_MAX];
+
+	/**
+	 * Per-kind context limits.
+	 */
+	tkm_limits_t limits;
+
+	/**
+	 * rwlocks for context id lists
+	 */
+	rwlock_t *locks[TKM_CTX_MAX];
+
+};
+
+/**
+ * Check if given kind is a valid context kind value.
+ *
+ * @param kind			context kind to check
+ * @return				TRUE if given kind is a valid context kind,
+ *						FALSE otherwise
+ */
+static bool is_valid_kind(const tkm_context_kind_t kind)
+{
+	return (int)kind >= 0 && kind < TKM_CTX_MAX;
+};
+
+METHOD(tkm_id_manager_t, acquire_id, int,
+	private_tkm_id_manager_t * const this, const tkm_context_kind_t kind)
+{
+	int id = 0;
+	uint64_t j;
+
+	if (!is_valid_kind(kind))
+	{
+		DBG1(DBG_LIB, "tried to acquire id for invalid context kind '%d'",
+			 kind);
+		return 0;
+	}
+
+	this->locks[kind]->write_lock(this->locks[kind]);
+	for (j = 0; j < this->limits[kind]; j++)
+	{
+		if (!this->ctxids[kind][j])
+		{
+			this->ctxids[kind][j] = true;
+			id = j + 1;
+			break;
+		}
+	}
+	this->locks[kind]->unlock(this->locks[kind]);
+
+	if (!id)
+	{
+		DBG1(DBG_LIB, "acquiring %N context id failed",	tkm_context_kind_names,
+			 kind);
+	}
+
+	return id;
+}
+
+METHOD(tkm_id_manager_t, release_id, bool,
+	private_tkm_id_manager_t * const this, const tkm_context_kind_t kind,
+	const int id)
+{
+	const int idx = id - 1;
+
+	if (!is_valid_kind(kind))
+	{
+		DBG1(DBG_LIB, "tried to release id %d for invalid context kind '%d'",
+			 id, kind);
+		return FALSE;
+	}
+
+	this->locks[kind]->write_lock(this->locks[kind]);
+	this->ctxids[kind][idx] = false;
+	this->locks[kind]->unlock(this->locks[kind]);
+
+	return TRUE;
+}
+
+
+METHOD(tkm_id_manager_t, destroy, void,
+	private_tkm_id_manager_t *this)
+{
+	int i;
+	for (i = 0; i < TKM_CTX_MAX; i++)
+	{
+		free(this->ctxids[i]);
+		this->locks[i]->destroy(this->locks[i]);
+	}
+	free(this);
+}
+
+/*
+ * see header file
+ */
+tkm_id_manager_t *tkm_id_manager_create(const tkm_limits_t limits)
+{
+	private_tkm_id_manager_t *this;
+	int i;
+
+	INIT(this,
+		.public = {
+			.acquire_id = _acquire_id,
+			.release_id = _release_id,
+			.destroy = _destroy,
+		},
+	);
+
+	for (i = 0; i < TKM_CTX_MAX; i++)
+	{
+		this->limits[i] = limits[i];
+		this->ctxids[i] = calloc(limits[i], sizeof(bool));
+		this->locks[i] = rwlock_create(RWLOCK_TYPE_DEFAULT);
+		DBG2(DBG_LIB, "%N initialized, %llu slot(s)", tkm_context_kind_names, i,
+			 limits[i]);
+	}
+
+	return &this->public;
+}
diff --git a/src/charon-tkm/src/tkm/tkm_id_manager.h b/src/charon-tkm/src/tkm/tkm_id_manager.h
new file mode 100644
index 000000000..0fc9ff8ef
--- /dev/null
+++ b/src/charon-tkm/src/tkm/tkm_id_manager.h
@@ -0,0 +1,99 @@
+/*
+ * Copyright (C) 2012 Reto Buerki
+ * Copyright (C) 2012 Adrian-Ken Rueegsegger
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup tkm-id-manager id manager
+ * @{ @ingroup tkm
+ */
+
+#ifndef TKM_ID_MANAGER_H_
+#define TKM_ID_MANAGER_H_
+
+#include <library.h>
+
+typedef struct tkm_id_manager_t tkm_id_manager_t;
+typedef enum tkm_context_kind_t tkm_context_kind_t;
+
+/**
+ * Trusted key manager context kinds.
+ */
+enum tkm_context_kind_t {
+	/** Nonce context */
+	TKM_CTX_NONCE,
+	/** Diffie-Hellman context */
+	TKM_CTX_DH,
+	/** Certificate chain context */
+	TKM_CTX_CC,
+	/** IKE SA context */
+	TKM_CTX_ISA,
+	/** Authenticated Endpoint context */
+	TKM_CTX_AE,
+	/** ESP SA context */
+	TKM_CTX_ESA,
+
+	/** helper to determine the number of elements in this enum */
+	TKM_CTX_MAX,
+};
+
+/**
+ * enum name for context_kind_t.
+ */
+extern enum_name_t *tkm_context_kind_names;
+
+/**
+ * TKM context limits.
+ */
+typedef uint64_t tkm_limits_t[TKM_CTX_MAX];
+
+/**
+ * The tkm id manager hands out context ids for all context kinds (e.g. nonce).
+ */
+struct tkm_id_manager_t {
+
+	/**
+	 * Acquire new context id for a specific context kind.
+	 *
+	 * @param kind			kind of context id to acquire
+	 * @return				context id of given kind,
+	 *						0 if no id of given kind could be acquired
+	 */
+	int (*acquire_id)(tkm_id_manager_t * const this,
+					  const tkm_context_kind_t kind);
+
+	/**
+	 * Release a previously acquired context id.
+	 *
+	 * @param kind			kind of context id to release
+	 * @param id			id to release
+	 * @return				TRUE if id was released, FALSE otherwise
+	 */
+	bool (*release_id)(tkm_id_manager_t * const this,
+					   const tkm_context_kind_t kind,
+					   const int id);
+
+	/**
+	 * Destroy a tkm_id_manager instance.
+	 */
+	void (*destroy)(tkm_id_manager_t *this);
+
+};
+
+/**
+ * Create a tkm id manager instance using the given context limits.
+ */
+tkm_id_manager_t *tkm_id_manager_create(const tkm_limits_t limits);
+
+#endif /** TKM_ID_MANAGER_H_ @}*/
diff --git a/src/charon-tkm/src/tkm/tkm_kernel_ipsec.c b/src/charon-tkm/src/tkm/tkm_kernel_ipsec.c
new file mode 100644
index 000000000..69aefea97
--- /dev/null
+++ b/src/charon-tkm/src/tkm/tkm_kernel_ipsec.c
@@ -0,0 +1,392 @@
+/*
+ * Copyright (C) 2012 Reto Buerki
+ * Copyright (C) 2012 Adrian-Ken Rueegsegger
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <errno.h>
+#include <netinet/udp.h>
+#include <linux/xfrm.h>
+#include <utils/debug.h>
+#include <utils/chunk.h>
+#include <tkm/constants.h>
+#include <tkm/client.h>
+
+#include "tkm.h"
+#include "tkm_utils.h"
+#include "tkm_types.h"
+#include "tkm_keymat.h"
+#include "tkm_kernel_sad.h"
+#include "tkm_kernel_ipsec.h"
+
+/** From linux/in.h */
+#ifndef IP_XFRM_POLICY
+#define IP_XFRM_POLICY 17
+#endif
+
+typedef struct private_tkm_kernel_ipsec_t private_tkm_kernel_ipsec_t;
+
+/**
+ * Private variables and functions of TKM kernel ipsec instance.
+ */
+struct private_tkm_kernel_ipsec_t {
+
+	/**
+	 * Public tkm_kernel_ipsec interface.
+	 */
+	tkm_kernel_ipsec_t public;
+
+	/**
+	 * RNG used for SPI generation.
+	 */
+	rng_t *rng;
+
+	/**
+	 * CHILD/ESP SA database.
+	 */
+	tkm_kernel_sad_t *sad;
+
+};
+
+METHOD(kernel_ipsec_t, get_spi, status_t,
+	private_tkm_kernel_ipsec_t *this, host_t *src, host_t *dst,
+	u_int8_t protocol, u_int32_t reqid, u_int32_t *spi)
+{
+	bool result;
+
+	if (!this->rng)
+	{
+		this->rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
+		if (!this->rng)
+		{
+			DBG1(DBG_KNL, "unable to create RNG");
+			return FAILED;
+		}
+	}
+
+	DBG1(DBG_KNL, "getting SPI for reqid {%u}", reqid);
+	result = this->rng->get_bytes(this->rng, sizeof(u_int32_t),
+								  (u_int8_t *)spi);
+	return result ? SUCCESS : FAILED;
+}
+
+METHOD(kernel_ipsec_t, get_cpi, status_t,
+	private_tkm_kernel_ipsec_t *this, host_t *src, host_t *dst,
+	u_int32_t reqid, u_int16_t *cpi)
+{
+	return NOT_SUPPORTED;
+}
+
+METHOD(kernel_ipsec_t, add_sa, status_t,
+	private_tkm_kernel_ipsec_t *this, host_t *src, host_t *dst,
+	u_int32_t spi, u_int8_t protocol, u_int32_t reqid, mark_t mark,
+	u_int32_t tfc, lifetime_cfg_t *lifetime, u_int16_t enc_alg, chunk_t enc_key,
+	u_int16_t int_alg, chunk_t int_key, ipsec_mode_t mode, u_int16_t ipcomp,
+	u_int16_t cpi, bool encap, bool esn, bool inbound,
+	traffic_selector_t* src_ts, traffic_selector_t* dst_ts)
+{
+	esa_info_t esa;
+	bool initiator;
+	esp_spi_type spi_loc, spi_rem;
+	host_t *local, *peer;
+	chunk_t *nonce_loc, *nonce_rem;
+	nc_id_type nonce_loc_id;
+	esa_id_type esa_id;
+	nonce_type nc_rem;
+
+	if (enc_key.ptr == NULL)
+	{
+		DBG1(DBG_KNL, "Unable to get ESA information");
+		return FAILED;
+	}
+	esa = *(esa_info_t *)(enc_key.ptr);
+
+	/* only handle the case where we have both distinct ESP spi's available */
+	if (esa.spi_r == spi)
+	{
+		chunk_free(&esa.nonce_i);
+		chunk_free(&esa.nonce_r);
+		return SUCCESS;
+	}
+
+	/* Initiator if encr_r is passed as enc_key to the inbound add_sa call */
+	initiator = esa.is_encr_r && inbound;
+	if (initiator)
+	{
+		spi_loc = spi;
+		spi_rem = esa.spi_r;
+		local = dst;
+		peer = src;
+		nonce_loc = &esa.nonce_i;
+		nonce_rem = &esa.nonce_r;
+	}
+	else
+	{
+		spi_loc = esa.spi_r;
+		spi_rem = spi;
+		local = src;
+		peer = dst;
+		nonce_loc = &esa.nonce_r;
+		nonce_rem = &esa.nonce_i;
+	}
+
+	esa_id = tkm->idmgr->acquire_id(tkm->idmgr, TKM_CTX_ESA);
+	if (!this->sad->insert(this->sad, esa_id, peer, local, spi_loc, protocol))
+	{
+		DBG1(DBG_KNL, "unable to add entry (%llu) to SAD", esa_id);
+		goto sad_failure;
+	}
+
+	/*
+	 * creation of first CHILD SA:
+	 * no nonce and no dh contexts because the ones from the IKE SA are re-used
+	 */
+	nonce_loc_id = tkm->chunk_map->get_id(tkm->chunk_map, nonce_loc);
+	if (nonce_loc_id == 0 && esa.dh_id == 0)
+	{
+		if (ike_esa_create_first(esa_id, esa.isa_id, reqid, 1, spi_loc, spi_rem)
+			!= TKM_OK)
+		{
+			DBG1(DBG_KNL, "child SA (%llu, first) creation failed", esa_id);
+			goto failure;
+		}
+	}
+	/* creation of child SA without PFS: no dh context */
+	else if (nonce_loc_id != 0 && esa.dh_id == 0)
+	{
+		chunk_to_sequence(nonce_rem, &nc_rem, sizeof(nonce_type));
+		if (ike_esa_create_no_pfs(esa_id, esa.isa_id, reqid, 1, nonce_loc_id,
+								  nc_rem, initiator, spi_loc, spi_rem)
+			!= TKM_OK)
+		{
+			DBG1(DBG_KNL, "child SA (%llu, no PFS) creation failed", esa_id);
+			goto failure;
+		}
+		tkm->idmgr->release_id(tkm->idmgr, TKM_CTX_NONCE, nonce_loc_id);
+	}
+	/* creation of subsequent child SA with PFS: nonce and dh context are set */
+	else
+	{
+		chunk_to_sequence(nonce_rem, &nc_rem, sizeof(nonce_type));
+		if (ike_esa_create(esa_id, esa.isa_id, reqid, 1, esa.dh_id, nonce_loc_id,
+						   nc_rem, initiator, spi_loc, spi_rem) != TKM_OK)
+		{
+			DBG1(DBG_KNL, "child SA (%llu) creation failed", esa_id);
+			goto failure;
+		}
+		tkm->idmgr->release_id(tkm->idmgr, TKM_CTX_NONCE, nonce_loc_id);
+	}
+	if (ike_esa_select(esa_id) != TKM_OK)
+	{
+		DBG1(DBG_KNL, "error selecting new child SA (%llu)", esa_id);
+		if (ike_esa_reset(esa_id) != TKM_OK)
+		{
+			DBG1(DBG_KNL, "child SA (%llu) deletion failed", esa_id);
+		}
+		goto failure;
+	}
+
+	DBG1(DBG_KNL, "added child SA (esa: %llu, isa: %llu, esp_spi_loc: %x, "
+		 "esp_spi_rem: %x, role: %s)", esa_id, esa.isa_id, ntohl(spi_loc),
+		 ntohl(spi_rem), initiator ? "initiator" : "responder");
+	chunk_free(&esa.nonce_i);
+	chunk_free(&esa.nonce_r);
+
+	return SUCCESS;
+
+failure:
+	this->sad->remove(this->sad, esa_id);
+sad_failure:
+	tkm->idmgr->release_id(tkm->idmgr, TKM_CTX_ESA, esa_id);
+	chunk_free(&esa.nonce_i);
+	chunk_free(&esa.nonce_r);
+	return FAILED;
+}
+
+METHOD(kernel_ipsec_t, query_sa, status_t,
+	private_tkm_kernel_ipsec_t *this, host_t *src, host_t *dst,
+	u_int32_t spi, u_int8_t protocol, mark_t mark, u_int64_t *bytes,
+	u_int64_t *packets)
+{
+	return NOT_SUPPORTED;
+}
+
+METHOD(kernel_ipsec_t, del_sa, status_t,
+	private_tkm_kernel_ipsec_t *this, host_t *src, host_t *dst,
+	u_int32_t spi, u_int8_t protocol, u_int16_t cpi, mark_t mark)
+{
+	esa_id_type esa_id;
+
+	esa_id = this->sad->get_esa_id(this->sad, src, dst, spi, protocol);
+	if (esa_id)
+	{
+		DBG1(DBG_KNL, "deleting child SA (esa: %llu, spi: %x)", esa_id,
+			 ntohl(spi));
+		if (ike_esa_reset(esa_id) != TKM_OK)
+		{
+			DBG1(DBG_KNL, "child SA (%llu) deletion failed", esa_id);
+			return FAILED;
+		}
+		this->sad->remove(this->sad, esa_id);
+		tkm->idmgr->release_id(tkm->idmgr, TKM_CTX_ESA, esa_id);
+	}
+	return SUCCESS;
+}
+
+METHOD(kernel_ipsec_t, update_sa, status_t,
+	private_tkm_kernel_ipsec_t *this, u_int32_t spi, u_int8_t protocol,
+	u_int16_t cpi, host_t *src, host_t *dst, host_t *new_src, host_t *new_dst,
+	bool old_encap, bool new_encap, mark_t mark)
+{
+	return NOT_SUPPORTED;
+}
+
+METHOD(kernel_ipsec_t, flush_sas, status_t,
+	private_tkm_kernel_ipsec_t *this)
+{
+	DBG1(DBG_KNL, "flushing child SA entries");
+	return SUCCESS;
+}
+
+METHOD(kernel_ipsec_t, add_policy, status_t,
+	private_tkm_kernel_ipsec_t *this, host_t *src, host_t *dst,
+	traffic_selector_t *src_ts, traffic_selector_t *dst_ts,
+	policy_dir_t direction, policy_type_t type, ipsec_sa_cfg_t *sa,
+	mark_t mark, policy_priority_t priority)
+{
+	return SUCCESS;
+}
+
+METHOD(kernel_ipsec_t, query_policy, status_t,
+	private_tkm_kernel_ipsec_t *this, traffic_selector_t *src_ts,
+	traffic_selector_t *dst_ts, policy_dir_t direction, mark_t mark,
+	u_int32_t *use_time)
+{
+	return NOT_SUPPORTED;
+}
+
+METHOD(kernel_ipsec_t, del_policy, status_t,
+	private_tkm_kernel_ipsec_t *this, traffic_selector_t *src_ts,
+	traffic_selector_t *dst_ts, policy_dir_t direction, u_int32_t reqid,
+	mark_t mark, policy_priority_t prio)
+{
+	return SUCCESS;
+}
+
+METHOD(kernel_ipsec_t, flush_policies, status_t,
+	private_tkm_kernel_ipsec_t *this)
+{
+	return SUCCESS;
+}
+
+
+METHOD(kernel_ipsec_t, bypass_socket, bool,
+	private_tkm_kernel_ipsec_t *this, int fd, int family)
+{
+	struct xfrm_userpolicy_info policy;
+	u_int sol, ipsec_policy;
+
+	switch (family)
+	{
+		case AF_INET:
+			sol = SOL_IP;
+			ipsec_policy = IP_XFRM_POLICY;
+			break;
+		case AF_INET6:
+			sol = SOL_IPV6;
+			ipsec_policy = IPV6_XFRM_POLICY;
+			break;
+		default:
+			return FALSE;
+	}
+
+	memset(&policy, 0, sizeof(policy));
+	policy.action = XFRM_POLICY_ALLOW;
+	policy.sel.family = family;
+
+	policy.dir = XFRM_POLICY_OUT;
+	if (setsockopt(fd, sol, ipsec_policy, &policy, sizeof(policy)) < 0)
+	{
+		DBG1(DBG_KNL, "unable to set IPSEC_POLICY on socket: %s",
+			 strerror(errno));
+		return FALSE;
+	}
+	policy.dir = XFRM_POLICY_IN;
+	if (setsockopt(fd, sol, ipsec_policy, &policy, sizeof(policy)) < 0)
+	{
+		DBG1(DBG_KNL, "unable to set IPSEC_POLICY on socket: %s",
+			 strerror(errno));
+		return FALSE;
+	}
+	return TRUE;
+}
+
+METHOD(kernel_ipsec_t, enable_udp_decap, bool,
+	private_tkm_kernel_ipsec_t *this, int fd, int family, u_int16_t port)
+{
+	int type = UDP_ENCAP_ESPINUDP;
+
+	if (setsockopt(fd, SOL_UDP, UDP_ENCAP, &type, sizeof(type)) < 0)
+	{
+		DBG1(DBG_KNL, "unable to set UDP_ENCAP: %s", strerror(errno));
+		return FALSE;
+	}
+	return TRUE;
+}
+
+METHOD(kernel_ipsec_t, destroy, void,
+	private_tkm_kernel_ipsec_t *this)
+{
+	DESTROY_IF(this->rng);
+	DESTROY_IF(this->sad);
+	free(this);
+}
+
+/*
+ * Described in header.
+ */
+tkm_kernel_ipsec_t *tkm_kernel_ipsec_create()
+{
+	private_tkm_kernel_ipsec_t *this;
+
+	INIT(this,
+		.public = {
+			.interface = {
+				.get_spi = _get_spi,
+				.get_cpi = _get_cpi,
+				.add_sa  = _add_sa,
+				.update_sa = _update_sa,
+				.query_sa = _query_sa,
+				.del_sa = _del_sa,
+				.flush_sas = _flush_sas,
+				.add_policy = _add_policy,
+				.query_policy = _query_policy,
+				.del_policy = _del_policy,
+				.flush_policies = _flush_policies,
+				.bypass_socket = _bypass_socket,
+				.enable_udp_decap = _enable_udp_decap,
+				.destroy = _destroy,
+			},
+		},
+		.sad = tkm_kernel_sad_create(),
+	);
+
+	if (!this->sad)
+	{
+		DBG1(DBG_KNL, "unable to create SAD");
+		destroy(this);
+		return NULL;
+	}
+
+	return &this->public;
+}
diff --git a/src/charon-tkm/src/tkm/tkm_kernel_ipsec.h b/src/charon-tkm/src/tkm/tkm_kernel_ipsec.h
new file mode 100644
index 000000000..14db21266
--- /dev/null
+++ b/src/charon-tkm/src/tkm/tkm_kernel_ipsec.h
@@ -0,0 +1,47 @@
+/*
+ * Copyright (C) 2012 Reto Buerki
+ * Copyright (C) 2012 Adrian-Ken Rueegsegger
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup tkm-kernel-ipsec kernel ipsec
+ * @{ @ingroup tkm
+ */
+
+#ifndef TKM_KERNEL_IPSEC_H_
+#define TKM_KERNEL_IPSEC_H_
+
+#include <kernel/kernel_ipsec.h>
+
+typedef struct tkm_kernel_ipsec_t tkm_kernel_ipsec_t;
+
+/**
+ * TKM implementation of the kernel ipsec interface.
+ */
+struct tkm_kernel_ipsec_t {
+
+	/**
+	 * Implements kernel_ipsec_t interface
+	 */
+	kernel_ipsec_t interface;
+};
+
+/**
+ * Create a TKM kernel ipsec interface instance.
+ *
+ * @return			tkm_kernel_ipsec_t instance
+ */
+tkm_kernel_ipsec_t *tkm_kernel_ipsec_create();
+
+#endif /** TKM_KERNEL_IPSEC_H_ @}*/
diff --git a/src/charon-tkm/src/tkm/tkm_kernel_sad.c b/src/charon-tkm/src/tkm/tkm_kernel_sad.c
new file mode 100644
index 000000000..360a47bdc
--- /dev/null
+++ b/src/charon-tkm/src/tkm/tkm_kernel_sad.c
@@ -0,0 +1,253 @@
+/*
+ * Copyright (C) 2012 Reto Buerki
+ * Copyright (C) 2012 Adrian-Ken Rueegsegger
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <collections/linked_list.h>
+#include <threading/mutex.h>
+#include <utils/debug.h>
+
+#include "tkm_kernel_sad.h"
+
+typedef struct private_tkm_kernel_sad_t private_tkm_kernel_sad_t;
+
+/**
+ * Private data of tkm_kernel_sad.
+ */
+struct private_tkm_kernel_sad_t {
+
+	/**
+	 * Public functions.
+	 */
+	tkm_kernel_sad_t public;
+
+	/**
+	 * Linked list of SAD entries.
+	 */
+	linked_list_t *data;
+
+	/**
+	 * Lock used to protect SA data.
+	 */
+	mutex_t *mutex;
+
+};
+
+typedef struct sad_entry_t sad_entry_t;
+
+/**
+ * Data structure holding all information of an SAD entry.
+ */
+struct sad_entry_t {
+
+	/**
+	 * ESA identifier.
+	 */
+	esa_id_type esa_id;
+
+	/**
+	 * Source address of CHILD SA.
+	 */
+	host_t *src;
+
+	/**
+	 * Destination address of CHILD SA.
+	 */
+	host_t *dst;
+
+	/**
+	 * SPI of CHILD SA.
+	 */
+	u_int32_t spi;
+
+	/**
+	 * Protocol of CHILD SA (ESP/AH).
+	 */
+	u_int8_t proto;
+
+};
+
+/**
+ * Destroy an sad_entry_t object.
+ */
+static void sad_entry_destroy(sad_entry_t *entry)
+{
+	if (entry)
+	{
+		DESTROY_IF(entry->src);
+		DESTROY_IF(entry->dst);
+		free(entry);
+	}
+}
+
+/**
+ * Find a list entry with given src, dst, spi and proto values.
+ */
+static bool sad_entry_match(sad_entry_t * const entry, const host_t * const src,
+							const host_t * const dst, const u_int32_t * const spi,
+							const u_int8_t * const proto)
+{
+	if (entry->src == NULL || entry->dst == NULL)
+	{
+		return FALSE;
+	}
+
+	return src->ip_equals(entry->src, (host_t *)src) &&
+		   dst->ip_equals(entry->dst, (host_t *)dst) &&
+		   entry->spi == *spi && entry->proto == *proto;
+}
+
+/**
+ * Compare two SAD entries for equality.
+ */
+static bool sad_entry_equal(sad_entry_t * const left, sad_entry_t * const right)
+{
+	if (left->src == NULL || left->dst == NULL || right->src == NULL ||
+		right->dst == NULL)
+	{
+		return FALSE;
+	}
+	return left->esa_id == right->esa_id &&
+		   left->src->ip_equals(left->src, right->src) &&
+		   left->dst->ip_equals(left->dst, right->dst) &&
+		   left->spi == right->spi && left->proto == right->proto;
+}
+
+METHOD(tkm_kernel_sad_t, insert, bool,
+	private_tkm_kernel_sad_t * const this, const esa_id_type esa_id,
+	const host_t * const src, const host_t * const dst, const u_int32_t spi,
+	const u_int8_t proto)
+{
+	status_t result;
+	sad_entry_t *new_entry;
+
+	INIT(new_entry,
+		 .esa_id = esa_id,
+		 .src = (host_t *)src,
+		 .dst = (host_t *)dst,
+		 .spi = spi,
+		 .proto = proto,
+	);
+
+	this->mutex->lock(this->mutex);
+	result = this->data->find_first(this->data,
+									(linked_list_match_t)sad_entry_equal, NULL,
+									new_entry);
+	if (result == NOT_FOUND)
+	{
+		DBG3(DBG_KNL, "inserting SAD entry (esa: %llu, src: %H, dst: %H, "
+			 "spi: %x, proto: %u)", esa_id, src, dst, ntohl(spi), proto);
+		new_entry->src = src->clone((host_t *)src);
+		new_entry->dst = dst->clone((host_t *)dst);
+		this->data->insert_last(this->data, new_entry);
+	}
+	else
+	{
+		DBG1(DBG_KNL, "SAD entry with esa id %llu already exists!", esa_id);
+		free(new_entry);
+	}
+	this->mutex->unlock(this->mutex);
+	return result == NOT_FOUND;
+}
+
+METHOD(tkm_kernel_sad_t, get_esa_id, esa_id_type,
+	private_tkm_kernel_sad_t * const this, const host_t * const src,
+	const host_t * const dst, const u_int32_t spi, const u_int8_t proto)
+{
+	esa_id_type id = 0;
+	sad_entry_t *entry = NULL;
+
+	this->mutex->lock(this->mutex);
+	const status_t res = this->data->find_first(this->data,
+												(linked_list_match_t)sad_entry_match,
+												(void**)&entry, src, dst, &spi,
+												&proto);
+	if (res == SUCCESS && entry)
+	{
+		id = entry->esa_id;
+		DBG3(DBG_KNL, "getting ESA id of SAD entry (esa: %llu, src: %H, "
+			 "dst: %H, spi: %x, proto: %u)", id, src, dst, ntohl(spi),
+			 proto);
+	}
+	else
+	{
+		DBG3(DBG_KNL, "no SAD entry found");
+	}
+	this->mutex->unlock(this->mutex);
+	return id;
+}
+
+METHOD(tkm_kernel_sad_t, _remove, bool,
+	private_tkm_kernel_sad_t * const this, const esa_id_type esa_id)
+{
+	sad_entry_t *current;
+	bool removed = FALSE;
+	enumerator_t *enumerator;
+
+	this->mutex->lock(this->mutex);
+	enumerator = this->data->create_enumerator(this->data);
+	while (enumerator->enumerate(enumerator, (void **)&current))
+	{
+		if (current->esa_id == esa_id)
+		{
+			this->data->remove_at(this->data, enumerator);
+			sad_entry_destroy(current);
+			removed = TRUE;
+			break;
+		}
+	}
+	enumerator->destroy(enumerator);
+
+	if (removed)
+	{
+		DBG3(DBG_KNL, "removed SAD entry (esa: %llu)", esa_id);
+	}
+	else
+	{
+		DBG1(DBG_KNL, "no SAD entry with ESA id %llu found!", esa_id);
+	}
+	this->mutex->unlock(this->mutex);
+
+	return removed;
+}
+
+
+METHOD(tkm_kernel_sad_t, destroy, void,
+	private_tkm_kernel_sad_t *this)
+{
+	this->mutex->destroy(this->mutex);
+	this->data->destroy_function(this->data, (void*)sad_entry_destroy);
+	free(this);
+}
+
+/*
+ * see header file
+ */
+tkm_kernel_sad_t *tkm_kernel_sad_create()
+{
+	private_tkm_kernel_sad_t *this;
+
+	INIT(this,
+		.public = {
+			.insert = _insert,
+			.get_esa_id = _get_esa_id,
+			.remove = __remove,
+			.destroy = _destroy,
+		},
+		.mutex = mutex_create(MUTEX_TYPE_DEFAULT),
+		.data = linked_list_create(),
+	);
+
+	return &this->public;
+}
diff --git a/src/charon-tkm/src/tkm/tkm_kernel_sad.h b/src/charon-tkm/src/tkm/tkm_kernel_sad.h
new file mode 100644
index 000000000..0194cd3bc
--- /dev/null
+++ b/src/charon-tkm/src/tkm/tkm_kernel_sad.h
@@ -0,0 +1,83 @@
+/*
+ * Copyright (C) 2012 Reto Buerki
+ * Copyright (C) 2012 Adrian-Ken Rueegsegger
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup tkm-kernel-sad kernel sad
+ * @{ @ingroup tkm
+ */
+
+#ifndef TKM_KERNEL_SAD_H_
+#define TKM_KERNEL_SAD_H_
+
+#include <networking/host.h>
+#include <tkm/types.h>
+
+typedef struct tkm_kernel_sad_t tkm_kernel_sad_t;
+
+/**
+ * The TKM kernel SAD (security association database) stores information about
+ * CHILD SAs.
+ */
+struct tkm_kernel_sad_t {
+
+	/**
+	 * Insert new SAD entry with specified parameters.
+	 *
+	 * @param esa_id		ESP SA context identifier
+	 * @param src			source address of CHILD SA
+	 * @param dst			destination address of CHILD SA
+	 * @param spi			SPI of CHILD SA
+	 * @param proto			protocol of CHILD SA (ESP/AH)
+	 * @return				TRUE if entry was inserted, FALSE otherwise
+	 */
+	bool (*insert)(tkm_kernel_sad_t * const this, const esa_id_type esa_id,
+				   const host_t * const src, const host_t * const dst,
+				   const u_int32_t spi, const u_int8_t proto);
+
+	/**
+	 * Get ESA id for entry with given parameters.
+	 *
+	 * @param src			source address of CHILD SA
+	 * @param dst			destination address of CHILD SA
+	 * @param spi			SPI of CHILD SA
+	 * @param proto			protocol of CHILD SA (ESP/AH)
+	 * @return				ESA id of entry if found, 0 otherwise
+	 */
+	esa_id_type (*get_esa_id)(tkm_kernel_sad_t * const this,
+				 const host_t * const src, const host_t * const dst,
+				 const u_int32_t spi, const u_int8_t proto);
+
+	/**
+	 * Remove entry with given ESA id from SAD.
+	 *
+	 * @param esa_id		ESA identifier of entry to remove
+	 * @return				TRUE if entry was removed, FALSE otherwise
+	 */
+	bool (*remove)(tkm_kernel_sad_t * const this, const esa_id_type esa_id);
+
+	/**
+	 * Destroy a tkm_kernel_sad instance.
+	 */
+	void (*destroy)(tkm_kernel_sad_t *this);
+
+};
+
+/**
+ * Create a TKM kernel SAD instance.
+ */
+tkm_kernel_sad_t *tkm_kernel_sad_create();
+
+#endif /** TKM_KERNEL_SAD_H_ @}*/
diff --git a/src/charon-tkm/src/tkm/tkm_keymat.c b/src/charon-tkm/src/tkm/tkm_keymat.c
new file mode 100644
index 000000000..772fac8b0
--- /dev/null
+++ b/src/charon-tkm/src/tkm/tkm_keymat.c
@@ -0,0 +1,511 @@
+/*
+ * Copyrigth (C) 2012 Reto Buerki
+ * Copyright (C) 2012 Adrian-Ken Rueegsegger
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <daemon.h>
+#include <tkm/constants.h>
+#include <tkm/client.h>
+
+#include "tkm.h"
+#include "tkm_types.h"
+#include "tkm_utils.h"
+#include "tkm_diffie_hellman.h"
+#include "tkm_keymat.h"
+
+typedef struct private_tkm_keymat_t private_tkm_keymat_t;
+
+/**
+ * Private data of a keymat_t object.
+ */
+struct private_tkm_keymat_t {
+
+	/**
+	 * Public tkm_keymat_t interface.
+	 */
+	tkm_keymat_t public;
+
+	/**
+	 * IKE_SA Role, initiator or responder.
+	 */
+	bool initiator;
+
+	/**
+	 * Inbound AEAD.
+	 */
+	aead_t *aead_in;
+
+	/**
+	 * Outbound AEAD.
+	 */
+	aead_t *aead_out;
+
+	/**
+	 * ISA context id.
+	 */
+	isa_id_type isa_ctx_id;
+
+	/**
+	 * AE context id.
+	 */
+	ae_id_type ae_ctx_id;
+
+	/**
+	 * AUTH payload chunk.
+	 */
+	chunk_t auth_payload;
+
+	/**
+	 * Peer init message chunk.
+	 */
+	chunk_t other_init_msg;
+
+};
+
+/**
+ * Create AEAD transforms from given key chunks.
+ *
+ * @param in			inbound AEAD transform to allocate, NULL if failed
+ * @param out			outbound AEAD transform to allocate, NULL if failed
+ * @param sk_ai			SK_ai key chunk
+ * @param sk_ar			SK_ar key chunk
+ * @param sk_ei			SK_ei key chunk
+ * @param sk_er			SK_er key chunk
+ * @param enc_alg		encryption algorithm to use
+ * @param int_alg		integrity algorithm to use
+ * @param key_size		encryption key size in bytes
+ * @param initiator		TRUE if initiator
+ */
+static void aead_create_from_keys(aead_t **in, aead_t **out,
+	   const chunk_t * const sk_ai, const chunk_t * const sk_ar,
+	   const chunk_t * const sk_ei, const chunk_t * const sk_er,
+	   const u_int16_t enc_alg, const u_int16_t int_alg,
+	   const u_int16_t key_size, bool initiator)
+{
+	*in = *out = NULL;
+	signer_t *signer_i, *signer_r;
+	crypter_t *crypter_i, *crypter_r;
+
+	signer_i = lib->crypto->create_signer(lib->crypto, int_alg);
+	signer_r = lib->crypto->create_signer(lib->crypto, int_alg);
+	if (signer_i == NULL || signer_r == NULL)
+	{
+		DBG1(DBG_IKE, "%N %N not supported!",
+			 transform_type_names, INTEGRITY_ALGORITHM,
+			 integrity_algorithm_names, int_alg);
+		return;
+	}
+	crypter_i = lib->crypto->create_crypter(lib->crypto, enc_alg, key_size);
+	crypter_r = lib->crypto->create_crypter(lib->crypto, enc_alg, key_size);
+	if (crypter_i == NULL || crypter_r == NULL)
+	{
+		signer_i->destroy(signer_i);
+		signer_r->destroy(signer_r);
+		DBG1(DBG_IKE, "%N %N (key size %d) not supported!",
+			 transform_type_names, ENCRYPTION_ALGORITHM,
+			 encryption_algorithm_names, enc_alg, key_size);
+		return;
+	}
+
+	DBG4(DBG_IKE, "Sk_ai %B", sk_ai);
+	if (!signer_i->set_key(signer_i, *sk_ai))
+	{
+		return;
+	}
+	DBG4(DBG_IKE, "Sk_ar %B", sk_ar);
+	if (!signer_r->set_key(signer_r, *sk_ar))
+	{
+		return;
+	}
+	DBG4(DBG_IKE, "Sk_ei %B", sk_ei);
+	if (!crypter_i->set_key(crypter_i, *sk_ei))
+	{
+		return;
+	}
+	DBG4(DBG_IKE, "Sk_er %B", sk_er);
+	if (!crypter_r->set_key(crypter_r, *sk_er))
+	{
+		return;
+	}
+
+	if (initiator)
+	{
+		*in = aead_create(crypter_r, signer_r);
+		*out = aead_create(crypter_i, signer_i);
+	}
+	else
+	{
+		*in = aead_create(crypter_i, signer_i);
+		*out = aead_create(crypter_r, signer_r);
+	}
+}
+
+METHOD(keymat_t, get_version, ike_version_t,
+	private_tkm_keymat_t *this)
+{
+	return IKEV2;
+}
+
+METHOD(keymat_t, create_dh, diffie_hellman_t*,
+	private_tkm_keymat_t *this, diffie_hellman_group_t group)
+{
+	return lib->crypto->create_dh(lib->crypto, group);
+}
+
+METHOD(keymat_t, create_nonce_gen, nonce_gen_t*,
+	private_tkm_keymat_t *this)
+{
+	return lib->crypto->create_nonce_gen(lib->crypto);
+}
+
+METHOD(keymat_v2_t, derive_ike_keys, bool,
+	private_tkm_keymat_t *this, proposal_t *proposal, diffie_hellman_t *dh,
+	chunk_t nonce_i, chunk_t nonce_r, ike_sa_id_t *id,
+	pseudo_random_function_t rekey_function, chunk_t rekey_skd)
+{
+	u_int16_t enc_alg, int_alg, key_size;
+	u_int64_t nc_id, spi_loc, spi_rem;
+	chunk_t *nonce, c_ai, c_ar, c_ei, c_er;
+	tkm_diffie_hellman_t *tkm_dh;
+	dh_id_type dh_id;
+	nonce_type nonce_rem;
+	result_type res;
+	key_type sk_ai, sk_ar, sk_ei, sk_er;
+
+	/* Check encryption and integrity algorithms */
+	if (!proposal->get_algorithm(proposal, ENCRYPTION_ALGORITHM, &enc_alg,
+								 &key_size))
+	{
+		DBG1(DBG_IKE, "no %N selected", transform_type_names,
+			 ENCRYPTION_ALGORITHM);
+		return FALSE;
+	}
+	if (encryption_algorithm_is_aead(enc_alg))
+	{
+		DBG1(DBG_IKE, "AEAD algorithm %N not supported",
+			 encryption_algorithm_names, enc_alg);
+		return FALSE;
+	}
+	if (!proposal->get_algorithm(proposal, INTEGRITY_ALGORITHM, &int_alg, NULL))
+	{
+		DBG1(DBG_IKE, "no %N selected", transform_type_names,
+			 INTEGRITY_ALGORITHM);
+		return FALSE;
+	}
+	if (!(enc_alg == ENCR_AES_CBC && key_size == 256 &&
+		  int_alg == AUTH_HMAC_SHA2_512_256))
+	{
+		DBG1(DBG_IKE, "the TKM only supports aes256-sha512 at the moment, "
+			 "please update your configuration");
+		return FALSE;
+	}
+
+	DBG2(DBG_IKE, "using %N for encryption, %N for integrity",
+		 encryption_algorithm_names, enc_alg, integrity_algorithm_names,
+		 int_alg);
+
+	/* Acquire nonce context id */
+	nonce = this->initiator ? &nonce_i : &nonce_r;
+	nc_id = tkm->chunk_map->get_id(tkm->chunk_map, nonce);
+	if (!nc_id)
+	{
+		DBG1(DBG_IKE, "unable to acquire context id for nonce");
+		return FALSE;
+	}
+
+	/* Get DH context id */
+	tkm_dh = (tkm_diffie_hellman_t *)dh;
+	dh_id = tkm_dh->get_id(tkm_dh);
+
+	if (this->initiator)
+	{
+		chunk_to_sequence(&nonce_r, &nonce_rem, sizeof(nonce_type));
+		spi_loc = id->get_initiator_spi(id);
+		spi_rem = id->get_responder_spi(id);
+	}
+	else
+	{
+		chunk_to_sequence(&nonce_i, &nonce_rem, sizeof(nonce_type));
+		spi_loc = id->get_responder_spi(id);
+		spi_rem = id->get_initiator_spi(id);
+	}
+
+	if (rekey_function == PRF_UNDEFINED)
+	{
+		this->ae_ctx_id = tkm->idmgr->acquire_id(tkm->idmgr, TKM_CTX_AE);
+		if (!this->ae_ctx_id)
+		{
+			DBG1(DBG_IKE, "unable to acquire ae context id");
+			return FALSE;
+		}
+		DBG1(DBG_IKE, "deriving IKE keys (nc: %llu, dh: %llu, spi_loc: %llx, "
+			 "spi_rem: %llx)", nc_id, dh_id, spi_loc, spi_rem);
+		res = ike_isa_create(this->isa_ctx_id, this->ae_ctx_id, 1, dh_id, nc_id,
+							 nonce_rem, this->initiator, spi_loc, spi_rem,
+							 &sk_ai, &sk_ar, &sk_ei, &sk_er);
+	}
+	else
+	{
+		isa_info_t isa_info;
+
+		if (rekey_skd.ptr == NULL || rekey_skd.len != sizeof(isa_info_t))
+		{
+			DBG1(DBG_IKE, "unable to retrieve parent isa info");
+			return FALSE;
+		}
+		isa_info = *((isa_info_t *)(rekey_skd.ptr));
+		DBG1(DBG_IKE, "deriving IKE keys (parent_isa: %llu, ae: %llu, nc: %llu,"
+			 "dh: %llu, spi_loc: %llx, spi_rem: %llx)", isa_info.parent_isa_id,
+			 isa_info.ae_id, nc_id, dh_id, spi_loc, spi_rem);
+		this->ae_ctx_id = isa_info.ae_id;
+		res = ike_isa_create_child(this->isa_ctx_id, isa_info.parent_isa_id, 1,
+								   dh_id, nc_id, nonce_rem, this->initiator,
+								   spi_loc, spi_rem, &sk_ai, &sk_ar, &sk_ei,
+								   &sk_er);
+		chunk_free(&rekey_skd);
+	}
+
+	if (res != TKM_OK)
+	{
+		DBG1(DBG_IKE, "key derivation failed (isa: %llu)", this->isa_ctx_id);
+		return FALSE;
+	}
+
+	sequence_to_chunk(sk_ai.data, sk_ai.size, &c_ai);
+	sequence_to_chunk(sk_ar.data, sk_ar.size, &c_ar);
+	sequence_to_chunk(sk_ei.data, sk_ei.size, &c_ei);
+	sequence_to_chunk(sk_er.data, sk_er.size, &c_er);
+
+	aead_create_from_keys(&this->aead_in, &this->aead_out, &c_ai, &c_ar, &c_ei,
+						  &c_er, enc_alg, int_alg, key_size / 8,
+						  this->initiator);
+
+	chunk_clear(&c_ai);
+	chunk_clear(&c_ar);
+	chunk_clear(&c_ei);
+	chunk_clear(&c_er);
+
+	if (!this->aead_in || !this->aead_out)
+	{
+		DBG1(DBG_IKE, "could not initialize AEAD transforms");
+		return FALSE;
+	}
+
+	/* TODO: Add failure handler (see keymat_v2.c) */
+
+	tkm->chunk_map->remove(tkm->chunk_map, nonce);
+	if (ike_nc_reset(nc_id) != TKM_OK)
+	{
+		DBG1(DBG_IKE, "failed to reset nonce context %llu", nc_id);
+	}
+	tkm->idmgr->release_id(tkm->idmgr, TKM_CTX_NONCE, nc_id);
+
+	return TRUE;
+}
+
+METHOD(keymat_v2_t, derive_child_keys, bool,
+	private_tkm_keymat_t *this, proposal_t *proposal, diffie_hellman_t *dh,
+	chunk_t nonce_i, chunk_t nonce_r, chunk_t *encr_i, chunk_t *integ_i,
+	chunk_t *encr_r, chunk_t *integ_r)
+{
+	esa_info_t *esa_info_i, *esa_info_r;
+	dh_id_type dh_id = 0;
+
+	if (dh)
+	{
+		dh_id = ((tkm_diffie_hellman_t *)dh)->get_id((tkm_diffie_hellman_t *)dh);
+	}
+
+	INIT(esa_info_i,
+		 .isa_id = this->isa_ctx_id,
+		 .spi_r = proposal->get_spi(proposal),
+		 .nonce_i = chunk_clone(nonce_i),
+		 .nonce_r = chunk_clone(nonce_r),
+		 .is_encr_r = FALSE,
+		 .dh_id = dh_id,
+	);
+
+	INIT(esa_info_r,
+		 .isa_id = this->isa_ctx_id,
+		 .spi_r = proposal->get_spi(proposal),
+		 .nonce_i = chunk_clone(nonce_i),
+		 .nonce_r = chunk_clone(nonce_r),
+		 .is_encr_r = TRUE,
+		 .dh_id = dh_id,
+	);
+
+	DBG1(DBG_CHD, "passing on esa info (isa: %llu, spi_r: %x, dh_id: %llu)",
+		 esa_info_i->isa_id, ntohl(esa_info_i->spi_r), esa_info_i->dh_id);
+
+	/* store ESA info in encr_i/r, which is passed to add_sa */
+	*encr_i = chunk_create((u_char *)esa_info_i, sizeof(esa_info_t));
+	*encr_r = chunk_create((u_char *)esa_info_r, sizeof(esa_info_t));
+	*integ_i = chunk_empty;
+	*integ_r = chunk_empty;
+
+	return TRUE;
+}
+
+METHOD(keymat_t, get_aead, aead_t*,
+	private_tkm_keymat_t *this, bool in)
+{
+	return in ? this->aead_in : this->aead_out;
+}
+
+METHOD(keymat_v2_t, get_auth_octets, bool,
+	private_tkm_keymat_t *this, bool verify, chunk_t ike_sa_init,
+	chunk_t nonce, identification_t *id, char reserved[3], chunk_t *octets)
+{
+	sign_info_t *sign;
+
+	if (verify)
+	{
+		/* store peer init message for authentication step */
+		this->other_init_msg = chunk_clone(ike_sa_init);
+		*octets = chunk_empty;
+		return TRUE;
+	}
+
+	INIT(sign,
+		 .isa_id = this->isa_ctx_id,
+		 .init_message = chunk_clone(ike_sa_init),
+	);
+
+	/*
+	 * store signature info in AUTH octets, which is passed to the private key
+	 * sign() operation
+	 */
+	*octets = chunk_create((u_char *)sign, sizeof(sign_info_t));
+	return TRUE;
+}
+
+METHOD(keymat_v2_t, get_skd, pseudo_random_function_t,
+	private_tkm_keymat_t *this, chunk_t *skd)
+{
+	isa_info_t *isa_info;
+
+	INIT(isa_info,
+		 .parent_isa_id = this->isa_ctx_id,
+		 .ae_id = this->ae_ctx_id,
+	);
+
+	*skd = chunk_create((u_char *)isa_info, sizeof(isa_info_t));
+
+	/*
+	 * remove ae context id, since control has now been handed over to the new
+	 * IKE SA keymat
+	 */
+	this->ae_ctx_id = 0;
+	return PRF_HMAC_SHA2_512;
+}
+
+METHOD(keymat_v2_t, get_psk_sig, bool,
+	private_tkm_keymat_t *this, bool verify, chunk_t ike_sa_init, chunk_t nonce,
+	chunk_t secret, identification_t *id, char reserved[3], chunk_t *sig)
+{
+	return FALSE;
+}
+
+METHOD(keymat_t, destroy, void,
+	private_tkm_keymat_t *this)
+{
+	if (ike_isa_reset(this->isa_ctx_id) != TKM_OK)
+	{
+		DBG1(DBG_IKE, "failed to reset ISA context %d", this->isa_ctx_id);
+	}
+	tkm->idmgr->release_id(tkm->idmgr, TKM_CTX_ISA, this->isa_ctx_id);
+	/* only reset ae context if set */
+	if (this->ae_ctx_id != 0)
+	{
+		if (ike_ae_reset(this->ae_ctx_id) != TKM_OK)
+		{
+			DBG1(DBG_IKE, "failed to reset AE context %d", this->ae_ctx_id);
+		}
+		tkm->idmgr->release_id(tkm->idmgr, TKM_CTX_AE, this->ae_ctx_id);
+	}
+
+	DESTROY_IF(this->aead_in);
+	DESTROY_IF(this->aead_out);
+	chunk_free(&this->auth_payload);
+	chunk_free(&this->other_init_msg);
+	free(this);
+}
+
+METHOD(tkm_keymat_t, get_isa_id, isa_id_type,
+	private_tkm_keymat_t *this)
+{
+	return this->isa_ctx_id;
+}
+
+METHOD(tkm_keymat_t, set_auth_payload, void,
+	private_tkm_keymat_t *this, const chunk_t * const payload)
+{
+	this->auth_payload = chunk_clone(*payload);
+}
+
+METHOD(tkm_keymat_t, get_auth_payload, chunk_t*,
+	private_tkm_keymat_t *this)
+{
+	return &this->auth_payload;
+}
+
+METHOD(tkm_keymat_t, get_peer_init_msg, chunk_t*,
+	private_tkm_keymat_t *this)
+{
+	return &this->other_init_msg;
+}
+
+/**
+ * See header.
+ */
+tkm_keymat_t *tkm_keymat_create(bool initiator)
+{
+	private_tkm_keymat_t *this;
+
+	INIT(this,
+		.public = {
+			.keymat_v2 = {
+				.keymat = {
+					.get_version = _get_version,
+					.create_dh = _create_dh,
+					.create_nonce_gen = _create_nonce_gen,
+					.get_aead = _get_aead,
+					.destroy = _destroy,
+				},
+				.derive_ike_keys = _derive_ike_keys,
+				.derive_child_keys = _derive_child_keys,
+				.get_skd = _get_skd,
+				.get_auth_octets = _get_auth_octets,
+				.get_psk_sig = _get_psk_sig,
+			},
+			.get_isa_id = _get_isa_id,
+			.set_auth_payload = _set_auth_payload,
+			.get_auth_payload = _get_auth_payload,
+			.get_peer_init_msg = _get_peer_init_msg,
+		},
+		.initiator = initiator,
+		.isa_ctx_id = tkm->idmgr->acquire_id(tkm->idmgr, TKM_CTX_ISA),
+		.ae_ctx_id = 0,
+		.auth_payload = chunk_empty,
+		.other_init_msg = chunk_empty,
+	);
+
+	if (!this->isa_ctx_id)
+	{
+		free(this);
+		return NULL;
+	}
+
+	return &this->public;
+}
diff --git a/src/charon-tkm/src/tkm/tkm_keymat.h b/src/charon-tkm/src/tkm/tkm_keymat.h
new file mode 100644
index 000000000..ee90bead5
--- /dev/null
+++ b/src/charon-tkm/src/tkm/tkm_keymat.h
@@ -0,0 +1,77 @@
+/*
+ * Copyright (C) 2012 Reto Buerki
+ * Copyright (C) 2012 Adrian-Ken Rueegsegger
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup tkm-keymat keymat
+ * @{ @ingroup tkm
+ */
+
+#ifndef TKM_KEYMAT_H_
+#define TKM_KEYMAT_H_
+
+#include <sa/ikev2/keymat_v2.h>
+
+typedef struct tkm_keymat_t tkm_keymat_t;
+
+/**
+ * Derivation and management of sensitive keying material, TKM variant.
+ */
+struct tkm_keymat_t {
+
+	/**
+	 * Implements keymat_v2_t.
+	 */
+	keymat_v2_t keymat_v2;
+
+	/**
+	 * Get ISA context id.
+	 *
+	 * @return	id of associated ISA context.
+	 */
+	isa_id_type (*get_isa_id)(tkm_keymat_t * const this);
+
+	/**
+	 * Set IKE AUTH payload.
+	 *
+	 * @param payload		AUTH payload
+	 */
+	void (*set_auth_payload)(tkm_keymat_t *this, const chunk_t * const payload);
+
+	/**
+	 * Get IKE AUTH payload.
+	 *
+	 * @return				AUTH payload if set, chunk_empty otherwise
+	 */
+	chunk_t* (*get_auth_payload)(tkm_keymat_t * const this);
+
+	/**
+	 * Get IKE init message of peer.
+	 *
+	 * @return				init message if set, chunk_empty otherwise
+	 */
+	chunk_t* (*get_peer_init_msg)(tkm_keymat_t * const this);
+
+};
+
+/**
+ * Create TKM keymat instance.
+ *
+ * @param initiator			TRUE if we are the initiator
+ * @return					keymat instance
+ */
+tkm_keymat_t *tkm_keymat_create(bool initiator);
+
+#endif /** KEYMAT_TKM_H_ @}*/
diff --git a/src/charon-tkm/src/tkm/tkm_listener.c b/src/charon-tkm/src/tkm/tkm_listener.c
new file mode 100644
index 000000000..050586456
--- /dev/null
+++ b/src/charon-tkm/src/tkm/tkm_listener.c
@@ -0,0 +1,355 @@
+/*
+ * Copyrigth (C) 2012 Reto Buerki
+ * Copyright (C) 2012 Adrian-Ken Rueegsegger
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <daemon.h>
+#include <encoding/payloads/auth_payload.h>
+#include <utils/chunk.h>
+#include <tkm/types.h>
+#include <tkm/constants.h>
+#include <tkm/client.h>
+
+#include "tkm.h"
+#include "tkm_listener.h"
+#include "tkm_keymat.h"
+#include "tkm_utils.h"
+
+typedef struct private_tkm_listener_t private_tkm_listener_t;
+
+/**
+ * Private data of a tkm_listener_t object.
+ */
+struct private_tkm_listener_t {
+
+	/**
+	 * Public tkm_listener_t interface.
+	 */
+	tkm_listener_t public;
+
+};
+
+/**
+ * Return id of remote identity.
+ *
+ * TODO: Replace this with the lookup for the remote identitiy id.
+ *
+ * Currently the reqid of the first child SA in peer config of IKE SA is
+ * returned. Might choose wrong reqid if IKE SA has multiple child configs
+ * with different reqids.
+ *
+ * @param peer_cfg	Remote peer config
+ * @return			remote identity id if found, 0 otherwise
+ */
+static ri_id_type get_remote_identity_id(peer_cfg_t *peer)
+{
+	ri_id_type remote_id = 0;
+	child_cfg_t *child;
+	enumerator_t* children;
+
+	children = peer->create_child_cfg_enumerator(peer);
+
+	/* pick the reqid of the first child, no need to enumerate all children. */
+	children->enumerate(children, &child);
+	remote_id = child->get_reqid(child);
+	children->destroy(children);
+
+	return remote_id;
+}
+
+/**
+ * Build a TKM certificate chain context with given cc id.
+ *
+ * @param ike_sa	IKE SA containing auth config to build certificate chain from
+ * @param cc_id		Certificate chain ID
+ * @return			TRUE if certificate chain was built successfully,
+ *					FALSE otherwise
+ */
+static bool build_cert_chain(const ike_sa_t * const ike_sa, cc_id_type cc_id)
+{
+	auth_cfg_t *auth;
+	certificate_t *cert;
+	enumerator_t *rounds;
+
+	DBG1(DBG_IKE, "building certificate chain context %llu for IKE SA %s",
+		 cc_id, ike_sa->get_name((ike_sa_t *)ike_sa));
+
+	rounds = ike_sa->create_auth_cfg_enumerator((ike_sa_t *)ike_sa, FALSE);
+	while (rounds->enumerate(rounds, &auth))
+	{
+		cert = auth->get(auth, AUTH_RULE_SUBJECT_CERT);
+		if (cert)
+		{
+			chunk_t enc_user_cert;
+			ri_id_type ri_id;
+			certificate_type user_cert;
+			auth_rule_t rule;
+			enumerator_t *enumerator;
+
+			/* set user certificate */
+			if (!cert->get_encoding(cert, CERT_ASN1_DER, &enc_user_cert))
+			{
+				DBG1(DBG_IKE, "unable to extract encoded user certificate");
+				rounds->destroy(rounds);
+				return FALSE;
+			}
+
+			ri_id = get_remote_identity_id(ike_sa->get_peer_cfg((ike_sa_t *)ike_sa));
+			chunk_to_sequence(&enc_user_cert, &user_cert, sizeof(certificate_type));
+			chunk_free(&enc_user_cert);
+			if (ike_cc_set_user_certificate(cc_id, ri_id, 1, user_cert) != TKM_OK)
+			{
+				DBG1(DBG_IKE, "error setting user certificate of cert chain"
+					 " (cc_id: %llu)", cc_id);
+				rounds->destroy(rounds);
+				return FALSE;
+			}
+
+			/* process intermediate CA certificates */
+			enumerator = auth->create_enumerator(auth);
+			while (enumerator->enumerate(enumerator, &rule, &cert))
+			{
+				if (rule == AUTH_RULE_IM_CERT)
+				{
+					chunk_t enc_im_cert;
+					certificate_type im_cert;
+
+					if (!cert->get_encoding(cert, CERT_ASN1_DER, &enc_im_cert))
+					{
+						DBG1(DBG_IKE, "unable to extract encoded intermediate CA"
+							 " certificate");
+						rounds->destroy(rounds);
+						enumerator->destroy(enumerator);
+						return FALSE;
+					}
+
+					chunk_to_sequence(&enc_im_cert, &im_cert,
+									  sizeof(certificate_type));
+					chunk_free(&enc_im_cert);
+					if (ike_cc_add_certificate(cc_id, 1, im_cert) != TKM_OK)
+					{
+						DBG1(DBG_IKE, "error adding intermediate certificate to"
+							 " cert chain (cc_id: %llu)", cc_id);
+						rounds->destroy(rounds);
+						enumerator->destroy(enumerator);
+						return FALSE;
+					}
+				}
+			}
+			enumerator->destroy(enumerator);
+
+			/* finally add CA certificate */
+			cert = auth->get(auth, AUTH_RULE_CA_CERT);
+			if (cert)
+			{
+				const ca_id_type ca_id = 1;
+				certificate_type ca_cert;
+				chunk_t enc_ca_cert;
+
+				if (!cert->get_encoding(cert, CERT_ASN1_DER, &enc_ca_cert))
+				{
+					DBG1(DBG_IKE, "unable to extract encoded CA certificate");
+					rounds->destroy(rounds);
+					return FALSE;
+				}
+
+				chunk_to_sequence(&enc_ca_cert, &ca_cert,
+								  sizeof(certificate_type));
+				chunk_free(&enc_ca_cert);
+				if (ike_cc_add_certificate(cc_id, 1, ca_cert) != TKM_OK)
+				{
+					DBG1(DBG_IKE, "error adding CA certificate to cert chain "
+						 "(cc_id: %llu)", cc_id);
+					rounds->destroy(rounds);
+					return FALSE;
+				}
+
+				if (ike_cc_check_ca(cc_id, ca_id) != TKM_OK)
+				{
+					DBG1(DBG_IKE, "certificate chain (cc_id: %llu) not based on"
+						 " trusted CA (ca_id: %llu)", cc_id, ca_id);
+					rounds->destroy(rounds);
+					return FALSE;
+				}
+
+				rounds->destroy(rounds);
+				return TRUE;
+			}
+			else
+			{
+				DBG1(DBG_IKE, "no CA certificate");
+			}
+		}
+		else
+		{
+			DBG1(DBG_IKE, "no subject certificate for remote peer");
+		}
+	}
+
+	rounds->destroy(rounds);
+	return FALSE;
+}
+
+METHOD(listener_t, alert, bool,
+	private_tkm_listener_t *this, ike_sa_t *ike_sa,
+	alert_t alert, va_list args)
+{
+	if (alert == ALERT_KEEP_ON_CHILD_SA_FAILURE)
+	{
+		tkm_keymat_t *keymat;
+		isa_id_type isa_id;
+
+		keymat = (tkm_keymat_t*)ike_sa->get_keymat(ike_sa);
+		isa_id = keymat->get_isa_id(keymat);
+
+		DBG1(DBG_IKE, "TKM alert listener called for ISA context %llu", isa_id);
+		if (ike_isa_skip_create_first(isa_id) != TKM_OK)
+		{
+			DBG1(DBG_IKE, "Skip of first child SA creation failed for ISA "
+				 "context %llu", isa_id);
+		}
+	}
+
+	return TRUE;
+}
+
+METHOD(listener_t, authorize, bool,
+	private_tkm_listener_t *this, ike_sa_t *ike_sa,
+	bool final, bool *success)
+{
+	tkm_keymat_t *keymat;
+	isa_id_type isa_id;
+	cc_id_type cc_id;
+	chunk_t *auth, *other_init_msg;
+	signature_type signature;
+	init_message_type init_msg;
+
+	if (!final)
+	{
+		return TRUE;
+	}
+
+	keymat = (tkm_keymat_t*)ike_sa->get_keymat(ike_sa);
+	isa_id = keymat->get_isa_id(keymat);
+	DBG1(DBG_IKE, "TKM authorize listener called for ISA context %llu", isa_id);
+
+	cc_id = tkm->idmgr->acquire_id(tkm->idmgr, TKM_CTX_CC);
+	if (!cc_id)
+	{
+		DBG1(DBG_IKE, "unable to acquire CC context id");
+		*success = FALSE;
+		return TRUE;
+	}
+	if (!build_cert_chain(ike_sa, cc_id))
+	{
+		DBG1(DBG_IKE, "unable to build certificate chain");
+		*success = FALSE;
+		return TRUE;
+	}
+
+	auth = keymat->get_auth_payload(keymat);
+	if (!auth->ptr)
+	{
+		DBG1(DBG_IKE, "no AUTHENTICATION data available");
+		*success = FALSE;
+	}
+
+	other_init_msg = keymat->get_peer_init_msg(keymat);
+	if (!other_init_msg->ptr)
+	{
+		DBG1(DBG_IKE, "no peer init message available");
+		*success = FALSE;
+	}
+
+	chunk_to_sequence(auth, &signature, sizeof(signature_type));
+	chunk_to_sequence(other_init_msg, &init_msg, sizeof(init_message_type));
+
+	if (ike_isa_auth(isa_id, cc_id, init_msg, signature) != TKM_OK)
+	{
+		DBG1(DBG_IKE, "TKM based authentication failed"
+			 " for ISA context %llu", isa_id);
+		*success = FALSE;
+	}
+	else
+	{
+		DBG1(DBG_IKE, "TKM based authentication successful"
+			 " for ISA context %llu", isa_id);
+		*success = TRUE;
+	}
+
+	return TRUE;
+}
+
+METHOD(listener_t, message, bool,
+	private_tkm_listener_t *this, ike_sa_t *ike_sa,
+	message_t *message, bool incoming, bool plain)
+{
+	tkm_keymat_t *keymat;
+	isa_id_type isa_id;
+	auth_payload_t *auth_payload;
+
+	if (!incoming || !plain || message->get_exchange_type(message) != IKE_AUTH)
+	{
+		return TRUE;
+	}
+
+	keymat = (tkm_keymat_t*)ike_sa->get_keymat(ike_sa);
+	isa_id = keymat->get_isa_id(keymat);
+	DBG1(DBG_IKE, "saving AUTHENTICATION payload for authorize hook"
+	     " (ISA context %llu)", isa_id);
+
+	auth_payload = (auth_payload_t*)message->get_payload(message,
+														 AUTHENTICATION);
+	if (auth_payload)
+	{
+		chunk_t auth_data;
+
+		auth_data = auth_payload->get_data(auth_payload);
+		keymat->set_auth_payload(keymat, &auth_data);
+	}
+	else
+	{
+		DBG1(DBG_IKE, "unable to extract AUTHENTICATION payload, authorize will"
+			 " fail");
+	}
+
+	return TRUE;
+}
+
+METHOD(tkm_listener_t, destroy, void,
+	private_tkm_listener_t *this)
+{
+	free(this);
+}
+
+/**
+ * See header
+ */
+tkm_listener_t *tkm_listener_create()
+{
+	private_tkm_listener_t *this;
+
+	INIT(this,
+		.public = {
+			.listener = {
+				.authorize = _authorize,
+				.message = _message,
+				.alert = _alert,
+			},
+			.destroy = _destroy,
+		},
+	);
+
+	return &this->public;
+}
diff --git a/src/charon-tkm/src/tkm/tkm_listener.h b/src/charon-tkm/src/tkm/tkm_listener.h
new file mode 100644
index 000000000..1162a77be
--- /dev/null
+++ b/src/charon-tkm/src/tkm/tkm_listener.h
@@ -0,0 +1,52 @@
+/*
+ * Copyright (C) 2012 Reto Buerki
+ * Copyright (C) 2012 Adrian-Ken Rueegsegger
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup tkm-listener listener
+ * @{ @ingroup tkm
+ */
+
+#ifndef TKM_LISTENER_H_
+#define TKM_LISTENER_H_
+
+#include <bus/listeners/listener.h>
+
+typedef struct tkm_listener_t tkm_listener_t;
+
+/**
+ * TKM bus listener.
+ */
+struct tkm_listener_t {
+
+	/**
+	 * Implements listener_t interface.
+	 */
+	listener_t listener;
+
+	/**
+	 * Destroy a tkm_listener_t.
+	 */
+	void (*destroy)(tkm_listener_t *this);
+};
+
+/**
+ * Create a tkm_listener instance.
+ *
+ * @return		listener instance
+ */
+tkm_listener_t *tkm_listener_create();
+
+#endif /** TKM_LISTENER_H_ @}*/
diff --git a/src/charon-tkm/src/tkm/tkm_nonceg.c b/src/charon-tkm/src/tkm/tkm_nonceg.c
new file mode 100644
index 000000000..a07326798
--- /dev/null
+++ b/src/charon-tkm/src/tkm/tkm_nonceg.c
@@ -0,0 +1,106 @@
+/*
+ * Copyrigth (C) 2012 Reto Buerki
+ * Copyright (C) 2012 Adrian-Ken Rueegsegger
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <tkm/client.h>
+#include <tkm/constants.h>
+
+#include "tkm.h"
+#include "tkm_nonceg.h"
+
+typedef struct private_tkm_nonceg_t private_tkm_nonceg_t;
+
+/**
+ * Private data of a tkm_nonceg_t object.
+ */
+struct private_tkm_nonceg_t {
+
+	/**
+	 * Public tkm_nonceg_t interface.
+	 */
+	tkm_nonceg_t public;
+
+	/**
+	 * Context id.
+	 */
+	nc_id_type context_id;
+
+};
+
+METHOD(nonce_gen_t, get_nonce, bool,
+	private_tkm_nonceg_t *this, size_t size, u_int8_t *buffer)
+{
+	nonce_type nonce;
+
+	if (ike_nc_create(this->context_id, size, &nonce) != TKM_OK)
+	{
+		return FALSE;
+	}
+
+	memcpy(buffer, &nonce.data, size);
+	return TRUE;
+}
+
+METHOD(nonce_gen_t, allocate_nonce, bool,
+	private_tkm_nonceg_t *this, size_t size, chunk_t *chunk)
+{
+	*chunk = chunk_alloc(size);
+	if (get_nonce(this, chunk->len, chunk->ptr))
+	{
+		tkm->chunk_map->insert(tkm->chunk_map, chunk, this->context_id);
+		return TRUE;
+	}
+	return FALSE;
+}
+
+METHOD(nonce_gen_t, destroy, void,
+	private_tkm_nonceg_t *this)
+{
+	free(this);
+}
+
+METHOD(tkm_nonceg_t, get_id, nc_id_type,
+	private_tkm_nonceg_t *this)
+{
+	return this->context_id;
+}
+
+/*
+ * Described in header.
+ */
+tkm_nonceg_t *tkm_nonceg_create()
+{
+	private_tkm_nonceg_t *this;
+
+	INIT(this,
+		.public = {
+			.nonce_gen = {
+				.get_nonce = _get_nonce,
+				.allocate_nonce = _allocate_nonce,
+				.destroy = _destroy,
+			},
+			.get_id = _get_id,
+		},
+		.context_id = tkm->idmgr->acquire_id(tkm->idmgr, TKM_CTX_NONCE),
+	);
+
+	if (!this->context_id)
+	{
+		free(this);
+		return NULL;
+	}
+
+	return &this->public;
+}
diff --git a/src/charon-tkm/src/tkm/tkm_nonceg.h b/src/charon-tkm/src/tkm/tkm_nonceg.h
new file mode 100644
index 000000000..ceadb081f
--- /dev/null
+++ b/src/charon-tkm/src/tkm/tkm_nonceg.h
@@ -0,0 +1,56 @@
+/*
+ * Copyright (C) 2012 Reto Buerki
+ * Copyright (C) 2012 Adrian-Ken Rueegsegger
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup tkm-nonceg nonce generator
+ * @{ @ingroup tkm
+ */
+
+#ifndef TKM_NONCEG_H_
+#define TKM_NONCEG_H_
+
+typedef struct tkm_nonceg_t tkm_nonceg_t;
+
+#include <library.h>
+#include <tkm/types.h>
+
+/**
+ * nonce_gen_t implementation using the trusted key manager.
+ */
+struct tkm_nonceg_t {
+
+	/**
+	 * Implements nonce_gen_t.
+	 */
+	nonce_gen_t nonce_gen;
+
+	/**
+	 * Get nonce context id.
+	 *
+	 * @return	context id of this nonce generator.
+	 */
+	nc_id_type (*get_id)(tkm_nonceg_t * const this);
+
+};
+
+/**
+ * Creates a tkm_nonceg_t instance.
+ *
+ * @return			created tkm_nonceg_t
+ */
+tkm_nonceg_t *tkm_nonceg_create();
+
+#endif /** TKM_NONCEG_H_ @}*/
diff --git a/src/charon-tkm/src/tkm/tkm_private_key.c b/src/charon-tkm/src/tkm/tkm_private_key.c
new file mode 100644
index 000000000..db57ec1c7
--- /dev/null
+++ b/src/charon-tkm/src/tkm/tkm_private_key.c
@@ -0,0 +1,190 @@
+/*
+ * Copyright (C) 2012-2013 Reto Buerki
+ * Copyright (C) 2012-2013 Adrian-Ken Rueegsegger
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <utils/debug.h>
+#include <tkm/constants.h>
+#include <tkm/client.h>
+
+#include "tkm_utils.h"
+#include "tkm_types.h"
+#include "tkm_private_key.h"
+
+typedef struct private_tkm_private_key_t private_tkm_private_key_t;
+
+/**
+ * Private data of a tkm_private_key_t object.
+ */
+struct private_tkm_private_key_t {
+
+	/**
+	 * Public interface for this signer.
+	 */
+	tkm_private_key_t public;
+
+	/**
+	 * Key ID.
+	 */
+	identification_t *id;
+
+	/**
+	 * Key type.
+	 */
+	key_type_t key_type;
+
+	/**
+	 * Reference count.
+	 */
+	refcount_t ref;
+
+};
+
+METHOD(private_key_t, get_type, key_type_t,
+	private_tkm_private_key_t *this)
+{
+	return this->key_type;
+}
+
+METHOD(private_key_t, sign, bool,
+	private_tkm_private_key_t *this, signature_scheme_t scheme,
+	chunk_t data, chunk_t *signature)
+{
+	signature_type sig;
+	init_message_type msg;
+	sign_info_t sign;
+	isa_id_type isa_id;
+
+	if (data.ptr == NULL)
+	{
+		DBG1(DBG_LIB, "unable to get signature information");
+		return FALSE;
+	}
+	sign = *(sign_info_t *)(data.ptr);
+
+	chunk_to_sequence(&sign.init_message, &msg, sizeof(init_message_type));
+	isa_id = sign.isa_id;
+	chunk_free(&sign.init_message);
+
+	if (ike_isa_sign(isa_id, 1, msg, &sig) != TKM_OK)
+	{
+		DBG1(DBG_LIB, "signature operation failed");
+		return FALSE;
+	}
+
+	sequence_to_chunk(sig.data, sig.size, signature);
+	return TRUE;
+}
+
+METHOD(private_key_t, decrypt, bool,
+	private_tkm_private_key_t *this, encryption_scheme_t scheme,
+	chunk_t crypto, chunk_t *plain)
+{
+	return FALSE;
+}
+
+METHOD(private_key_t, get_keysize, int,
+	private_tkm_private_key_t *this)
+{
+	return 0;
+}
+
+METHOD(private_key_t, get_public_key, public_key_t*,
+	private_tkm_private_key_t *this)
+{
+	return NULL;
+}
+
+METHOD(private_key_t, get_encoding, bool,
+	private_tkm_private_key_t *this, cred_encoding_type_t type,
+	chunk_t *encoding)
+{
+	return FALSE;
+}
+
+METHOD(private_key_t, get_fingerprint, bool,
+	private_tkm_private_key_t *this, cred_encoding_type_t type, chunk_t *fp)
+{
+	*fp = this->id->get_encoding(this->id);
+	return TRUE;
+}
+
+METHOD(private_key_t, get_ref, private_key_t*,
+	private_tkm_private_key_t *this)
+{
+	ref_get(&this->ref);
+	return &this->public.key;
+}
+
+METHOD(private_key_t, destroy, void,
+	private_tkm_private_key_t *this)
+{
+	if (ref_put(&this->ref))
+	{
+		this->id->destroy(this->id);
+		free(this);
+	}
+}
+
+/**
+ * See header.
+ */
+tkm_private_key_t *tkm_private_key_init(identification_t * const id)
+{
+	private_tkm_private_key_t *this;
+	certificate_t *cert;
+	public_key_t *pubkey;
+
+	INIT(this,
+		.public = {
+			.key = {
+				.get_type = _get_type,
+				.sign = _sign,
+				.decrypt = _decrypt,
+				.get_keysize = _get_keysize,
+				.get_public_key = _get_public_key,
+				.equals = private_key_equals,
+				.belongs_to = private_key_belongs_to,
+				.get_fingerprint = _get_fingerprint,
+				.has_fingerprint = private_key_has_fingerprint,
+				.get_encoding = _get_encoding,
+				.get_ref = _get_ref,
+				.destroy = _destroy,
+			},
+		},
+		.ref = 1,
+		.id = id->clone(id),
+	);
+
+	/* get key type from associated public key */
+	cert = lib->credmgr->get_cert(lib->credmgr, CERT_ANY, KEY_ANY, id, FALSE);
+	if (!cert)
+	{
+		destroy(this);
+		return NULL;
+	}
+
+	pubkey = cert->get_public_key(cert);
+	if (!pubkey)
+	{
+		cert->destroy(cert);
+		destroy(this);
+		return NULL;
+	}
+	this->key_type = pubkey->get_type(pubkey);
+	pubkey->destroy(pubkey);
+	cert->destroy(cert);
+
+	return &this->public;
+}
diff --git a/src/charon-tkm/src/tkm/tkm_private_key.h b/src/charon-tkm/src/tkm/tkm_private_key.h
new file mode 100644
index 000000000..ded8300ca
--- /dev/null
+++ b/src/charon-tkm/src/tkm/tkm_private_key.h
@@ -0,0 +1,45 @@
+/*
+ * Copyright (C) 2012 Reto Buerki
+ * Copyright (C) 2012 Adrian-Ken Rueegsegger
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup tkm-privkey private key
+ * @{ @ingroup tkm
+ */
+
+#ifndef TKM_PRIVATE_KEY_H_
+#define TKM_PRIVATE_KEY_H_
+
+#include <credentials/keys/private_key.h>
+
+typedef struct tkm_private_key_t tkm_private_key_t;
+
+/**
+ * TKM private_key_t implementation.
+ */
+struct tkm_private_key_t {
+
+	/**
+	 * Implements private_key_t interface
+	 */
+	private_key_t key;
+};
+
+/**
+ * Initialize TKM private key with given key ID.
+ */
+tkm_private_key_t *tkm_private_key_init(identification_t * const id);
+
+#endif /** TKM_PRIVATE_KEY_H_ @}*/
diff --git a/src/charon-tkm/src/tkm/tkm_public_key.c b/src/charon-tkm/src/tkm/tkm_public_key.c
new file mode 100644
index 000000000..9ebdc29e6
--- /dev/null
+++ b/src/charon-tkm/src/tkm/tkm_public_key.c
@@ -0,0 +1,169 @@
+/*
+ * Copyright (C) 2012-2013 Reto Buerki
+ * Copyright (C) 2012-2013 Adrian-Ken Rueegsegger
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <utils/debug.h>
+
+#include "tkm_public_key.h"
+
+typedef struct private_tkm_public_key_t private_tkm_public_key_t;
+
+/**
+ * Private data of tkm_public_key_t object.
+ */
+struct private_tkm_public_key_t {
+
+	/**
+	 * Public interface for this signer.
+	 */
+	tkm_public_key_t public;
+
+	/**
+	 * ASN.1 blob of pubkey.
+	 */
+	chunk_t asn_blob;
+
+	/**
+	 * Key type.
+	 */
+	key_type_t key_type;
+
+	/**
+	 * Reference count.
+	 */
+	refcount_t ref;
+};
+
+METHOD(public_key_t, get_type, key_type_t,
+	private_tkm_public_key_t *this)
+{
+	return this->key_type;
+}
+
+METHOD(public_key_t, verify, bool,
+	private_tkm_public_key_t *this, signature_scheme_t scheme,
+	chunk_t data, chunk_t signature)
+{
+	return TRUE;
+}
+
+METHOD(public_key_t, encrypt_, bool,
+	private_tkm_public_key_t *this, encryption_scheme_t scheme,
+	chunk_t plain, chunk_t *crypto)
+{
+	return FALSE;
+}
+
+METHOD(public_key_t, get_keysize, int,
+	private_tkm_public_key_t *this)
+{
+	return 0;
+}
+
+METHOD(public_key_t, get_encoding, bool,
+	private_tkm_public_key_t *this, cred_encoding_type_t type,
+	chunk_t *encoding)
+{
+	return NULL;
+}
+
+METHOD(public_key_t, get_fingerprint, bool,
+	private_tkm_public_key_t *this, cred_encoding_type_t type, chunk_t *fp)
+{
+	if (lib->encoding->get_cache(lib->encoding, type, this, fp))
+	{
+		return TRUE;
+	}
+	switch(this->key_type)
+	{
+		case KEY_RSA:
+			return lib->encoding->encode(lib->encoding, type, this, fp,
+										 CRED_PART_RSA_PUB_ASN1_DER,
+										 this->asn_blob, CRED_PART_END);
+		default:
+			DBG1(DBG_LIB, "%N public key not supported, fingerprinting failed",
+				 key_type_names, this->key_type);
+			return FALSE;
+	}
+}
+
+METHOD(public_key_t, get_ref, public_key_t*,
+	private_tkm_public_key_t *this)
+{
+	ref_get(&this->ref);
+	return &this->public.key;
+}
+
+METHOD(public_key_t, destroy, void,
+	private_tkm_public_key_t *this)
+{
+	if (ref_put(&this->ref))
+	{
+		lib->encoding->clear_cache(lib->encoding, this);
+		chunk_free(&this->asn_blob);
+		free(this);
+	}
+}
+
+/**
+ * See header.
+ */
+tkm_public_key_t *tkm_public_key_load(key_type_t type, va_list args)
+{
+	private_tkm_public_key_t *this;
+	chunk_t blob = chunk_empty;
+
+	while (TRUE)
+	{
+		switch (va_arg(args, builder_part_t))
+		{
+			case BUILD_BLOB_ASN1_DER:
+				blob = va_arg(args, chunk_t);
+				continue;
+			case BUILD_END:
+				break;
+			default:
+				return NULL;
+		}
+		break;
+	}
+
+	if (!blob.ptr)
+	{
+		return NULL;
+	}
+
+	INIT(this,
+		.public = {
+			.key = {
+				.get_type = _get_type,
+				.verify = _verify,
+				.encrypt = _encrypt_,
+				.equals = public_key_equals,
+				.get_keysize = _get_keysize,
+				.get_fingerprint = _get_fingerprint,
+				.has_fingerprint = public_key_has_fingerprint,
+				.get_encoding = _get_encoding,
+				.get_ref = _get_ref,
+				.destroy = _destroy,
+			},
+		},
+		.ref = 1,
+		.asn_blob = chunk_clone(blob),
+		.key_type = type,
+	);
+
+	return &this->public;
+}
diff --git a/src/charon-tkm/src/tkm/tkm_public_key.h b/src/charon-tkm/src/tkm/tkm_public_key.h
new file mode 100644
index 000000000..5b21287b7
--- /dev/null
+++ b/src/charon-tkm/src/tkm/tkm_public_key.h
@@ -0,0 +1,49 @@
+/*
+ * Copyright (C) 2012-2013 Reto Buerki
+ * Copyright (C) 2012-2013 Adrian-Ken Rueegsegger
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup tkm-pubkey public key
+ * @{ @ingroup tkm
+ */
+
+#ifndef TKM_PUBLIC_KEY_H_
+#define TKM_PUBLIC_KEY_H_
+
+#include <credentials/keys/public_key.h>
+
+typedef struct tkm_public_key_t tkm_public_key_t;
+
+/**
+ * TKM public_key_t implementation.
+ */
+struct tkm_public_key_t {
+
+	/**
+	 * Implements the public_key_t interface
+	 */
+	public_key_t key;
+};
+
+/**
+ * Load a TKM public key.
+ *
+ * @param type		type of the key
+ * @param args		builder_part_t argument list
+ * @return			loaded key, NULL on failure
+ */
+tkm_public_key_t *tkm_public_key_load(key_type_t type, va_list args);
+
+#endif /** TKM_PUBLIC_KEY_H_ @}*/
diff --git a/src/charon-tkm/src/tkm/tkm_types.h b/src/charon-tkm/src/tkm/tkm_types.h
new file mode 100644
index 000000000..cef53deb3
--- /dev/null
+++ b/src/charon-tkm/src/tkm/tkm_types.h
@@ -0,0 +1,128 @@
+/*
+ * Copyright (C) 2012 Reto Buerki
+ * Copyright (C) 2012 Adrian-Ken Rueegsegger
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup tkm-types types
+ * @{ @ingroup tkm
+ */
+
+#ifndef TKM_TYPES_H_
+#define TKM_TYPES_H_
+
+#include <tkm/types.h>
+#include <utils/chunk.h>
+
+typedef struct esa_info_t esa_info_t;
+
+/**
+ * ESP SA info data structure.
+ *
+ * This type is used to transfer ESA information from the keymat
+ * derive_child_keys to the kernel IPsec interface add_sa operation. This is
+ * necessary because the CHILD SA key derivation and installation is handled
+ * by a single exchange with the TKM (esa_create*) in add_sa.
+ * For this purpose the out parameters encr_i and encr_r of the
+ * derive_child_keys function are (ab)used and the data is stored in these
+ * data chunks. This is possible since the child SA keys are treated as opaque
+ * values and handed to the add_sa procedure of the kernel interface as-is
+ * without any processing.
+ */
+struct esa_info_t {
+
+	/**
+	 * ISA context id.
+	 */
+	isa_id_type isa_id;
+
+	/**
+	 * Responder SPI of child SA.
+	 */
+	esp_spi_type spi_r;
+
+	/**
+	 * Initiator nonce.
+	 */
+	chunk_t nonce_i;
+
+	/**
+	 * Responder nonce.
+	 */
+	chunk_t nonce_r;
+
+	/**
+	 * Flag specifying if this esa info struct is contained in encr_r.
+	 * It is set to TRUE for encr_r and FALSE for encr_i.
+	 */
+	bool is_encr_r;
+
+	/**
+	 * Diffie-Hellman context id.
+	 */
+	dh_id_type dh_id;
+
+};
+
+typedef struct isa_info_t isa_info_t;
+
+/**
+ * IKE SA info data structure.
+ *
+ * This type is used to transfer ISA information from the keymat of the parent
+ * SA to the keymat of the new IKE SA. For this purpose the skd data chunk is
+ * (ab)used. This is possible since the sk_d chunk is treated as an opaque value
+ * and handed to the derive_ike_keys procedure of the new keymat as-is without
+ * any processing.
+ */
+struct isa_info_t {
+
+	/**
+	 * Parent isa context id.
+	 */
+	isa_id_type parent_isa_id;
+
+	/**
+	 * Authenticated endpoint context id.
+	 */
+	ae_id_type ae_id;
+
+};
+
+typedef struct sign_info_t sign_info_t;
+
+/**
+ * AUTH signature info data structure.
+ *
+ * This type is used to transfer an ISA context id and the initial message
+ * from the keymat to the TKM private key sign operation. For this purpose the
+ * auth octets chunk is (ab)used and the data is stored in this chunk.
+ * This is possible since the auth octets are treated as opaque value and handed
+ * to the private key sign function as-is without any processing.
+ */
+struct sign_info_t {
+
+	/**
+	 * ISA context id.
+	 */
+	isa_id_type isa_id;
+
+	/**
+	 * Init message.
+	 */
+	chunk_t init_message;
+
+};
+
+#endif /** TKM_TYPES_H_ @}*/
diff --git a/src/charon-tkm/src/tkm/tkm_utils.c b/src/charon-tkm/src/tkm/tkm_utils.c
new file mode 100644
index 000000000..e0692b893
--- /dev/null
+++ b/src/charon-tkm/src/tkm/tkm_utils.c
@@ -0,0 +1,53 @@
+/*
+ * Copyright (C) 2012 Reto Buerki
+ * Copyright (C) 2012 Adrian-Ken Rueegsegger
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <utils/debug.h>
+
+#include "tkm_utils.h"
+
+/* Generic variable-length sequence */
+struct sequence_type {
+	uint32_t size;
+	byte_t data[];
+};
+typedef struct sequence_type sequence_type;
+
+void sequence_to_chunk(const byte_t * const first, const uint32_t len,
+					   chunk_t * const chunk)
+{
+	*chunk = chunk_alloc(len);
+	memcpy(chunk->ptr, first, len);
+}
+
+void chunk_to_sequence(const chunk_t * const chunk, void *sequence,
+					   const uint32_t typelen)
+{
+	const uint32_t seqlenmax = typelen - sizeof(uint32_t);
+	sequence_type *seq = sequence;
+
+	memset(sequence, 0, typelen);
+	if (chunk->len > seqlenmax)
+	{
+		DBG1(DBG_LIB, "chunk too large to fit into sequence %d > %d, limiting"
+			 " to %d bytes", chunk->len, seqlenmax, seqlenmax);
+		seq->size = seqlenmax;
+	}
+	else
+	{
+		seq->size = chunk->len;
+	}
+	memcpy(seq->data, chunk->ptr, seq->size);
+}
diff --git a/src/charon-tkm/src/tkm/tkm_utils.h b/src/charon-tkm/src/tkm/tkm_utils.h
new file mode 100644
index 000000000..308c58fbb
--- /dev/null
+++ b/src/charon-tkm/src/tkm/tkm_utils.h
@@ -0,0 +1,48 @@
+/*
+ * Copyright (C) 2012 Reto Buerki
+ * Copyright (C) 2012 Adrian-Ken Rueegsegger
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup tkm-utils utils
+ * @{ @ingroup tkm
+ */
+
+#ifndef TKM_UTILS_H_
+#define TKM_UTILS_H_
+
+#include <utils/chunk.h>
+#include <tkm/types.h>
+
+/**
+ * Convert byte sequence to chunk.
+ *
+ * @param first		pointer to first byte of sequence
+ * @param len		length of byte sequence
+ * @param chunk		pointer to chunk struct
+ */
+void sequence_to_chunk(const byte_t * const first, const uint32_t len,
+					   chunk_t * const chunk);
+
+/**
+ * Convert chunk to variable-length byte sequence.
+ *
+ * @param chunk		pointer to chunk struct
+ * @param sequence	pointer to variable-length sequence
+ * @param typelen	length of sequence type
+ */
+void chunk_to_sequence(const chunk_t * const chunk, void *sequence,
+					   const uint32_t typelen);
+
+#endif /** TKM_UTILS_H_ @}*/
diff --git a/src/charon-tkm/tests/.gitignore b/src/charon-tkm/tests/.gitignore
new file mode 100644
index 000000000..35429f617
--- /dev/null
+++ b/src/charon-tkm/tests/.gitignore
@@ -0,0 +1 @@
+test_runner
diff --git a/src/charon-tkm/tests/chunk_map_tests.c b/src/charon-tkm/tests/chunk_map_tests.c
new file mode 100644
index 000000000..6deef9a80
--- /dev/null
+++ b/src/charon-tkm/tests/chunk_map_tests.c
@@ -0,0 +1,58 @@
+/*
+ * Copyright (C) 2012 Reto Buerki
+ * Copyright (C) 2012 Adrian-Ken Rueegsegger
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <check.h>
+
+#include "tkm_chunk_map.h"
+
+START_TEST(test_chunk_map_creation)
+{
+	tkm_chunk_map_t *map = NULL;
+
+	map = tkm_chunk_map_create();
+	fail_if(map == NULL, "Error creating chunk map");
+
+	map->destroy(map);
+}
+END_TEST
+
+START_TEST(test_chunk_map_handling)
+{
+	tkm_chunk_map_t *map = NULL;
+	const int ref = 35;
+	chunk_t data = chunk_from_thing(ref);
+
+	map = tkm_chunk_map_create();
+	fail_if(map == NULL, "Error creating chunk map");
+
+	map->insert(map, &data, 24);
+	fail_if(map->get_id(map, &data) != 24, "Id mismatch");
+
+	fail_unless(map->remove(map, &data), "Unable to remove mapping");
+	fail_unless(!map->get_id(map, &data), "Error removing mapping");
+
+	map->destroy(map);
+}
+END_TEST
+
+TCase *make_chunk_map_tests(void)
+{
+	TCase *tc = tcase_create("Chunk map tests");
+	tcase_add_test(tc, test_chunk_map_creation);
+	tcase_add_test(tc, test_chunk_map_handling);
+
+	return tc;
+}
diff --git a/src/charon-tkm/tests/diffie_hellman_tests.c b/src/charon-tkm/tests/diffie_hellman_tests.c
new file mode 100644
index 000000000..ffe99614d
--- /dev/null
+++ b/src/charon-tkm/tests/diffie_hellman_tests.c
@@ -0,0 +1,59 @@
+/*
+ * Copyright (C) 2012 Reto Buerki
+ * Copyright (C) 2012 Adrian-Ken Rueegsegger
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <check.h>
+
+#include "tkm_diffie_hellman.h"
+
+START_TEST(test_dh_creation)
+{
+	tkm_diffie_hellman_t *dh = NULL;
+
+	dh = tkm_diffie_hellman_create(MODP_768_BIT);
+	fail_if(dh, "MODP_768 created");
+
+	dh = tkm_diffie_hellman_create(MODP_4096_BIT);
+	fail_if(!dh, "MODP_4096 not created");
+	fail_if(!dh->get_id(dh), "Invalid context id (0)");
+
+	dh->dh.destroy(&dh->dh);
+}
+END_TEST
+
+START_TEST(test_dh_get_my_pubvalue)
+{
+	tkm_diffie_hellman_t *dh = tkm_diffie_hellman_create(MODP_4096_BIT);
+	fail_if(!dh, "Unable to create DH");
+
+	chunk_t value;
+	dh->dh.get_my_public_value(&dh->dh, &value);
+	dh->dh.destroy(&dh->dh);
+
+	fail_if(value.ptr == NULL, "Pubvalue is NULL");
+	fail_if(value.len != 512, "Pubvalue size mismatch");
+
+	chunk_free(&value);
+}
+END_TEST
+
+TCase *make_diffie_hellman_tests(void)
+{
+	TCase *tc = tcase_create("Diffie-Hellman tests");
+	tcase_add_test(tc, test_dh_creation);
+	tcase_add_test(tc, test_dh_get_my_pubvalue);
+
+	return tc;
+}
diff --git a/src/charon-tkm/tests/id_manager_tests.c b/src/charon-tkm/tests/id_manager_tests.c
new file mode 100644
index 000000000..15522f118
--- /dev/null
+++ b/src/charon-tkm/tests/id_manager_tests.c
@@ -0,0 +1,150 @@
+/*
+ * Copyright (C) 2012 Reto Buerki
+ * Copyright (C) 2012 Adrian-Ken Rueegsegger
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <check.h>
+
+#include "tkm_id_manager.h"
+
+static const tkm_limits_t limits = {125, 100, 55, 30, 200, 42};
+
+START_TEST(test_id_mgr_creation)
+{
+	tkm_id_manager_t *idmgr = NULL;
+
+	idmgr = tkm_id_manager_create(limits);
+	fail_if(idmgr == NULL, "Error creating tkm id manager");
+
+	idmgr->destroy(idmgr);
+}
+END_TEST
+
+START_TEST(test_acquire_id)
+{
+	int i, id = 0;
+	tkm_id_manager_t *idmgr = tkm_id_manager_create(limits);
+
+	for (i = 0; i < TKM_CTX_MAX; i++)
+	{
+		id = idmgr->acquire_id(idmgr, i);
+		fail_unless(id > 0, "Error acquiring id of context kind %d", i);
+
+		/* Reset test variable */
+		id = 0;
+	}
+
+	idmgr->destroy(idmgr);
+}
+END_TEST
+
+START_TEST(test_acquire_id_invalid_kind)
+{
+	int id = 0;
+	tkm_id_manager_t *idmgr = tkm_id_manager_create(limits);
+
+	id = idmgr->acquire_id(idmgr, TKM_CTX_MAX);
+	fail_unless(id == 0, "Acquired id for invalid context kind %d", TKM_CTX_MAX);
+
+	/* Reset test variable */
+	id = 0;
+
+	id = idmgr->acquire_id(idmgr, -1);
+	fail_unless(id == 0, "Acquired id for invalid context kind %d", -1);
+
+	idmgr->destroy(idmgr);
+}
+END_TEST
+
+START_TEST(test_acquire_id_same)
+{
+	int id1 = 0, id2 = 0;
+	tkm_id_manager_t *idmgr = tkm_id_manager_create(limits);
+
+	id1 = idmgr->acquire_id(idmgr, TKM_CTX_NONCE);
+	fail_unless(id1 > 0, "Unable to acquire first id");
+
+	/* Acquire another id, must be different than first */
+	id2 = idmgr->acquire_id(idmgr, TKM_CTX_NONCE);
+	fail_unless(id2 > 0, "Unable to acquire second id");
+	fail_unless(id1 != id2, "Same id received twice");
+
+	idmgr->destroy(idmgr);
+}
+END_TEST
+
+START_TEST(test_release_id)
+{
+	int i, id = 0;
+	bool released = false;
+	tkm_id_manager_t *idmgr = tkm_id_manager_create(limits);
+
+	for (i = 0; i < TKM_CTX_MAX; i++)
+	{
+		id = idmgr->acquire_id(idmgr, i);
+		released = idmgr->release_id(idmgr, i, id);
+
+		fail_unless(released, "Error releasing id of context kind %d", i);
+
+		/* Reset released variable */
+		released = FALSE;
+	}
+
+	idmgr->destroy(idmgr);
+}
+END_TEST
+
+START_TEST(test_release_id_invalid_kind)
+{
+	bool released = TRUE;
+	tkm_id_manager_t *idmgr = tkm_id_manager_create(limits);
+
+	released = idmgr->release_id(idmgr, TKM_CTX_MAX, 1);
+	fail_if(released, "Released id for invalid context kind %d", TKM_CTX_MAX);
+
+	/* Reset test variable */
+	released = TRUE;
+
+	released = idmgr->release_id(idmgr, -1, 1);
+	fail_if(released, "Released id for invalid context kind %d", -1);
+
+	idmgr->destroy(idmgr);
+}
+END_TEST
+
+START_TEST(test_release_id_nonexistent)
+{
+	bool released = FALSE;
+	tkm_id_manager_t *idmgr = tkm_id_manager_create(limits);
+
+	released = idmgr->release_id(idmgr, TKM_CTX_NONCE, 1);
+	fail_unless(released, "Release of nonexistent id failed");
+
+	idmgr->destroy(idmgr);
+}
+END_TEST
+
+TCase *make_id_manager_tests(void)
+{
+	TCase *tc = tcase_create("Context id manager tests");
+	tcase_add_test(tc, test_id_mgr_creation);
+	tcase_add_test(tc, test_acquire_id);
+	tcase_add_test(tc, test_acquire_id_invalid_kind);
+	tcase_add_test(tc, test_acquire_id_same);
+	tcase_add_test(tc, test_release_id);
+	tcase_add_test(tc, test_release_id_invalid_kind);
+	tcase_add_test(tc, test_release_id_nonexistent);
+
+	return tc;
+}
diff --git a/src/charon-tkm/tests/kernel_sad_tests.c b/src/charon-tkm/tests/kernel_sad_tests.c
new file mode 100644
index 000000000..11785602d
--- /dev/null
+++ b/src/charon-tkm/tests/kernel_sad_tests.c
@@ -0,0 +1,122 @@
+/*
+ * Copyright (C) 2012 Reto Buerki
+ * Copyright (C) 2012 Adrian-Ken Rueegsegger
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <check.h>
+
+#include "tkm_kernel_sad.h"
+
+START_TEST(test_sad_creation)
+{
+	tkm_kernel_sad_t *sad = NULL;
+
+	sad = tkm_kernel_sad_create();
+	fail_if(!sad, "Error creating tkm kernel SAD");
+
+	sad->destroy(sad);
+}
+END_TEST
+
+START_TEST(test_insert)
+{
+	host_t *addr = host_create_from_string("127.0.0.1", 1024);
+	tkm_kernel_sad_t *sad = tkm_kernel_sad_create();
+
+	fail_unless(sad->insert(sad, 1, addr, addr, 42, 50),
+				"Error inserting SAD entry");
+
+	sad->destroy(sad);
+	addr->destroy(addr);
+}
+END_TEST
+
+START_TEST(test_insert_duplicate)
+{
+	host_t *addr = host_create_from_string("127.0.0.1", 1024);
+	tkm_kernel_sad_t *sad = tkm_kernel_sad_create();
+
+	fail_unless(sad->insert(sad, 1, addr, addr, 42, 50),
+				"Error inserting SAD entry");
+	fail_if(sad->insert(sad, 1, addr, addr, 42, 50),
+			"Expected error inserting duplicate entry");
+
+	sad->destroy(sad);
+	addr->destroy(addr);
+}
+END_TEST
+
+START_TEST(test_get_esa_id)
+{
+	host_t *addr = host_create_from_string("127.0.0.1", 1024);
+	tkm_kernel_sad_t *sad = tkm_kernel_sad_create();
+	fail_unless(sad->insert(sad, 23, addr, addr, 42, 50),
+				"Error inserting SAD entry");
+	fail_unless(sad->get_esa_id(sad, addr, addr, 42, 50) == 23,
+				"Error getting esa id");
+	sad->destroy(sad);
+	addr->destroy(addr);
+}
+END_TEST
+
+START_TEST(test_get_esa_id_nonexistent)
+{
+	host_t *addr = host_create_from_string("127.0.0.1", 1024);
+	tkm_kernel_sad_t *sad = tkm_kernel_sad_create();
+	fail_unless(sad->get_esa_id(sad, addr, addr, 42, 50) == 0,
+				"Got esa id for nonexistent SAD entry");
+	sad->destroy(sad);
+	addr->destroy(addr);
+}
+END_TEST
+
+START_TEST(test_remove)
+{
+	host_t *addr = host_create_from_string("127.0.0.1", 1024);
+	tkm_kernel_sad_t *sad = tkm_kernel_sad_create();
+	fail_unless(sad->insert(sad, 23, addr, addr, 42, 50),
+				"Error inserting SAD entry");
+	fail_unless(sad->get_esa_id(sad, addr, addr, 42, 50) == 23,
+				"Error getting esa id");
+	fail_unless(sad->remove(sad, 23),
+				"Error removing SAD entry");
+	fail_unless(sad->get_esa_id(sad, addr, addr, 42, 50) == 0,
+				"Got esa id for removed SAD entry");
+	sad->destroy(sad);
+	addr->destroy(addr);
+}
+END_TEST
+
+START_TEST(test_remove_nonexistent)
+{
+	tkm_kernel_sad_t *sad = tkm_kernel_sad_create();
+	fail_if(sad->remove(sad, 1),
+			"Expected error removing nonexistent SAD entry");
+	sad->destroy(sad);
+}
+END_TEST
+
+TCase *make_kernel_sad_tests(void)
+{
+	TCase *tc = tcase_create("Kernel SAD tests");
+	tcase_add_test(tc, test_sad_creation);
+	tcase_add_test(tc, test_insert);
+	tcase_add_test(tc, test_insert_duplicate);
+	tcase_add_test(tc, test_get_esa_id);
+	tcase_add_test(tc, test_get_esa_id_nonexistent);
+	tcase_add_test(tc, test_remove);
+	tcase_add_test(tc, test_remove_nonexistent);
+
+	return tc;
+}
diff --git a/src/charon-tkm/tests/keymat_tests.c b/src/charon-tkm/tests/keymat_tests.c
new file mode 100644
index 000000000..2a7525d4e
--- /dev/null
+++ b/src/charon-tkm/tests/keymat_tests.c
@@ -0,0 +1,149 @@
+/*
+ * Copyright (C) 2012 Reto Buerki
+ * Copyright (C) 2012 Adrian-Ken Rueegsegger
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <check.h>
+#include <daemon.h>
+#include <hydra.h>
+#include <config/proposal.h>
+#include <encoding/payloads/ike_header.h>
+#include <tkm/client.h>
+
+#include "tkm.h"
+#include "tkm_nonceg.h"
+#include "tkm_diffie_hellman.h"
+#include "tkm_keymat.h"
+#include "tkm_types.h"
+
+START_TEST(test_derive_ike_keys)
+{
+	proposal_t *proposal = proposal_create_from_string(PROTO_IKE,
+			"aes256-sha512-modp4096");
+	fail_if(!proposal, "Unable to create proposal");
+	ike_sa_id_t *ike_sa_id = ike_sa_id_create(IKEV2_MAJOR_VERSION,
+			123912312312, 32312313122, TRUE);
+	fail_if(!ike_sa_id, "Unable to create IKE SA ID");
+
+	tkm_keymat_t *keymat = tkm_keymat_create(TRUE);
+	fail_if(!keymat, "Unable to create keymat");
+	fail_if(!keymat->get_isa_id(keymat), "Invalid ISA context id (0)");
+
+	chunk_t nonce;
+	tkm_nonceg_t *ng = tkm_nonceg_create();
+	fail_if(!ng, "Unable to create nonce generator");
+	fail_unless(ng->nonce_gen.allocate_nonce(&ng->nonce_gen, 32, &nonce),
+			"Unable to allocate nonce");
+	ng->nonce_gen.destroy(&ng->nonce_gen);
+
+	tkm_diffie_hellman_t *dh = tkm_diffie_hellman_create(MODP_4096_BIT);
+	fail_if(!dh, "Unable to create DH");
+
+	/* Use the same pubvalue for both sides */
+	chunk_t pubvalue;
+	dh->dh.get_my_public_value(&dh->dh, &pubvalue);
+	dh->dh.set_other_public_value(&dh->dh, pubvalue);
+
+	fail_unless(keymat->keymat_v2.derive_ike_keys(&keymat->keymat_v2, proposal,
+				&dh->dh, nonce, nonce, ike_sa_id, PRF_UNDEFINED, chunk_empty),
+				"Key derivation failed");
+	chunk_free(&nonce);
+
+	aead_t * const aead = keymat->keymat_v2.keymat.get_aead(&keymat->keymat_v2.keymat, TRUE);
+	fail_if(!aead, "AEAD is NULL");
+
+	fail_if(aead->get_key_size(aead) != 96, "Key size mismatch %d",
+			aead->get_key_size(aead));
+	fail_if(aead->get_block_size(aead) != 16, "Block size mismatch %d",
+			aead->get_block_size(aead));
+
+	proposal->destroy(proposal);
+	dh->dh.destroy(&dh->dh);
+	ike_sa_id->destroy(ike_sa_id);
+	keymat->keymat_v2.keymat.destroy(&keymat->keymat_v2.keymat);
+	chunk_free(&pubvalue);
+}
+END_TEST
+
+START_TEST(test_derive_child_keys)
+{
+	tkm_diffie_hellman_t *dh = tkm_diffie_hellman_create(MODP_4096_BIT);
+	fail_if(!dh, "Unable to create DH object");
+	proposal_t *proposal = proposal_create_from_string(PROTO_ESP,
+			"aes256-sha512-modp4096");
+	fail_if(!proposal, "Unable to create proposal");
+	proposal->set_spi(proposal, 42);
+
+	tkm_keymat_t *keymat = tkm_keymat_create(TRUE);
+	fail_if(!keymat, "Unable to create keymat");
+
+	chunk_t encr_i, encr_r, integ_i, integ_r;
+	chunk_t nonce = chunk_from_chars("test chunk");
+
+	fail_unless(keymat->keymat_v2.derive_child_keys(&keymat->keymat_v2, proposal,
+													(diffie_hellman_t *)dh,
+													nonce, nonce, &encr_i,
+													&integ_i, &encr_r, &integ_r),
+				"Child key derivation failed");
+
+	esa_info_t *info = (esa_info_t *)encr_i.ptr;
+	fail_if(!info, "encr_i does not contain esa information");
+	fail_if(info->isa_id != keymat->get_isa_id(keymat),
+			"Isa context id mismatch (encr_i)");
+	fail_if(info->spi_r != 42,
+			"SPI mismatch (encr_i)");
+	fail_unless(chunk_equals(info->nonce_i, nonce),
+				"nonce_i mismatch (encr_i)");
+	fail_unless(chunk_equals(info->nonce_r, nonce),
+				"nonce_r mismatch (encr_i)");
+	fail_if(info->is_encr_r,
+			"Flag is_encr_r set for encr_i");
+	fail_if(info->dh_id != dh->get_id(dh),
+			"DH context id mismatch (encr_i)");
+	chunk_free(&info->nonce_i);
+	chunk_free(&info->nonce_r);
+
+	info = (esa_info_t *)encr_r.ptr;
+	fail_if(!info, "encr_r does not contain esa information");
+	fail_if(info->isa_id != keymat->get_isa_id(keymat),
+			"Isa context id mismatch (encr_r)");
+	fail_if(info->spi_r != 42,
+			"SPI mismatch (encr_r)");
+	fail_unless(chunk_equals(info->nonce_i, nonce),
+				"nonce_i mismatch (encr_r)");
+	fail_unless(chunk_equals(info->nonce_r, nonce),
+				"nonce_r mismatch (encr_r)");
+	fail_unless(info->is_encr_r,
+				"Flag is_encr_r set for encr_r");
+	fail_if(info->dh_id != dh->get_id(dh),
+			"DH context id mismatch (encr_i)");
+	chunk_free(&info->nonce_i);
+	chunk_free(&info->nonce_r);
+
+	proposal->destroy(proposal);
+	dh->dh.destroy(&dh->dh);
+	keymat->keymat_v2.keymat.destroy(&keymat->keymat_v2.keymat);
+	chunk_free(&encr_i);
+	chunk_free(&encr_r);
+}
+END_TEST
+
+TCase *make_keymat_tests(void)
+{
+	TCase *tc = tcase_create("Keymat tests");
+	tcase_add_test(tc, test_derive_ike_keys);
+	tcase_add_test(tc, test_derive_child_keys);
+
+	return tc;
+}
diff --git a/src/charon-tkm/tests/nonceg_tests.c b/src/charon-tkm/tests/nonceg_tests.c
new file mode 100644
index 000000000..3a1effab8
--- /dev/null
+++ b/src/charon-tkm/tests/nonceg_tests.c
@@ -0,0 +1,93 @@
+/*
+ * Copyright (C) 2012 Reto Buerki
+ * Copyright (C) 2012 Adrian-Ken Rueegsegger
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <check.h>
+#include <tkm/client.h>
+
+#include "tkm.h"
+#include "tkm_nonceg.h"
+
+START_TEST(test_nonceg_creation)
+{
+	tkm_nonceg_t *ng = NULL;
+
+	ng = tkm_nonceg_create();
+	fail_if(ng == NULL, "Error creating tkm nonce generator");
+	fail_if(ng->get_id(ng) == 0, "Invalid context id (0)");
+
+	ng->nonce_gen.destroy(&ng->nonce_gen);
+}
+END_TEST
+
+START_TEST(test_nonceg_allocate_nonce)
+{
+	tkm_nonceg_t *ng = tkm_nonceg_create();
+
+	const size_t length = 256;
+	u_int8_t zero[length];
+	memset(zero, 0, length);
+
+	chunk_t nonce;
+	const bool got_nonce = ng->nonce_gen.allocate_nonce(&ng->nonce_gen,
+			length, &nonce);
+
+	fail_unless(got_nonce, "Call to allocate_nonce failed");
+	fail_unless(nonce.len = length, "Allocated nonce length mismatch");
+	fail_if(memcmp(nonce.ptr, zero, length) == 0, "Unable to allocate nonce");
+
+	tkm->idmgr->release_id(tkm->idmgr, TKM_CTX_NONCE, 1);
+	ike_nc_reset(1);
+
+	chunk_free(&nonce);
+	ng->nonce_gen.destroy(&ng->nonce_gen);
+}
+END_TEST
+
+START_TEST(test_nonceg_get_nonce)
+{
+	tkm_nonceg_t *ng = tkm_nonceg_create();
+
+	const size_t length = 128;
+	u_int8_t zero[length];
+	memset(zero, 0, length);
+
+	u_int8_t *buf = malloc(length + 1);
+	memset(buf, 0, length);
+	/* set end marker */
+	buf[length] = 255;
+
+	const bool got_nonce = ng->nonce_gen.get_nonce(&ng->nonce_gen, length, buf);
+	fail_unless(got_nonce, "Call to get_nonce failed");
+	fail_if(memcmp(buf, zero, length) == 0, "Unable to get nonce");
+	fail_if(buf[length] != 255, "End marker not found");
+
+	tkm->idmgr->release_id(tkm->idmgr, TKM_CTX_NONCE, 1);
+	ike_nc_reset(1);
+
+	free(buf);
+	ng->nonce_gen.destroy(&ng->nonce_gen);
+}
+END_TEST
+
+TCase *make_nonceg_tests(void)
+{
+	TCase *tc = tcase_create("Nonce generator tests");
+	tcase_add_test(tc, test_nonceg_creation);
+	tcase_add_test(tc, test_nonceg_allocate_nonce);
+	tcase_add_test(tc, test_nonceg_get_nonce);
+
+	return tc;
+}
diff --git a/src/charon-tkm/tests/test_runner.c b/src/charon-tkm/tests/test_runner.c
new file mode 100644
index 000000000..5ae032935
--- /dev/null
+++ b/src/charon-tkm/tests/test_runner.c
@@ -0,0 +1,84 @@
+/*
+ * Copyright (C) 2012 Reto Buerki
+ * Copyright (C) 2012 Adrian-Ken Rueegsegger
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <library.h>
+#include <hydra.h>
+#include <daemon.h>
+
+#include "tkm.h"
+#include "tkm_nonceg.h"
+#include "tkm_diffie_hellman.h"
+#include "tkm_kernel_ipsec.h"
+#include "test_runner.h"
+
+int main(void)
+{
+	library_init(NULL);
+	libhydra_init("test_runner");
+	libcharon_init("test_runner");
+
+	lib->settings->set_int(lib->settings, "test_runner.filelog.stdout.default",
+						   1);
+	charon->load_loggers(charon, NULL, FALSE);
+
+	/* Register TKM specific plugins */
+	static plugin_feature_t features[] = {
+		PLUGIN_REGISTER(NONCE_GEN, tkm_nonceg_create),
+			PLUGIN_PROVIDE(NONCE_GEN),
+		PLUGIN_REGISTER(DH, tkm_diffie_hellman_create),
+			PLUGIN_PROVIDE(DH, MODP_3072_BIT),
+			PLUGIN_PROVIDE(DH, MODP_4096_BIT),
+		PLUGIN_CALLBACK(kernel_ipsec_register, tkm_kernel_ipsec_create),
+			PLUGIN_PROVIDE(CUSTOM, "kernel-ipsec"),
+	};
+	lib->plugins->add_static_features(lib->plugins, "tkm-tests", features,
+			countof(features), TRUE);
+
+	if (!charon->initialize(charon, PLUGINS))
+	{
+		fprintf(stderr, "Unable to init charon");
+		return EXIT_FAILURE;
+	}
+
+	if (!tkm_init())
+	{
+		fprintf(stderr, "Could not connect to TKM, aborting tests\n");
+		return EXIT_FAILURE;
+	}
+
+	int number_failed;
+	Suite *s = suite_create("TKM tests");
+	suite_add_tcase(s, make_id_manager_tests());
+	suite_add_tcase(s, make_chunk_map_tests());
+	suite_add_tcase(s, make_utility_tests());
+	suite_add_tcase(s, make_nonceg_tests());
+	suite_add_tcase(s, make_diffie_hellman_tests());
+	suite_add_tcase(s, make_keymat_tests());
+	suite_add_tcase(s, make_kernel_sad_tests());
+
+	SRunner *sr = srunner_create(s);
+
+	srunner_run_all(sr, CK_NORMAL);
+	number_failed = srunner_ntests_failed(sr);
+
+	tkm_deinit();
+	libcharon_deinit();
+	libhydra_deinit();
+	library_deinit();
+	srunner_free(sr);
+
+	return (number_failed == 0) ? EXIT_SUCCESS : EXIT_FAILURE;
+}
diff --git a/src/charon-tkm/tests/test_runner.h b/src/charon-tkm/tests/test_runner.h
new file mode 100644
index 000000000..236a7f2a6
--- /dev/null
+++ b/src/charon-tkm/tests/test_runner.h
@@ -0,0 +1,30 @@
+/*
+ * Copyright (C) 2012 Reto Buerki
+ * Copyright (C) 2012 Adrian-Ken Rueegsegger
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#ifndef TEST_RUNNER_H_
+#define TEST_RUNNER_H_
+
+#include <check.h>
+
+TCase *make_id_manager_tests(void);
+TCase *make_chunk_map_tests(void);
+TCase *make_utility_tests(void);
+TCase *make_nonceg_tests(void);
+TCase *make_diffie_hellman_tests(void);
+TCase *make_keymat_tests(void);
+TCase *make_kernel_sad_tests(void);
+
+#endif /** TEST_RUNNER_H_ */
diff --git a/src/charon-tkm/tests/utils_tests.c b/src/charon-tkm/tests/utils_tests.c
new file mode 100644
index 000000000..b3ead7633
--- /dev/null
+++ b/src/charon-tkm/tests/utils_tests.c
@@ -0,0 +1,63 @@
+/*
+ * Copyright (C) 2012 Reto Buerki
+ * Copyright (C) 2012 Adrian-Ken Rueegsegger
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <check.h>
+#include <tkm/types.h>
+
+#include "tkm_utils.h"
+
+START_TEST(test_sequence_to_chunk)
+{
+	key_type key = {5, {0, 1, 2, 3, 4}};
+	chunk_t chunk = chunk_empty;
+
+	sequence_to_chunk(key.data, key.size, &chunk);
+	fail_if(chunk.len != key.size, "Chunk size mismatch");
+
+	uint32_t i;
+	for (i = 0; i < key.size; i++)
+	{
+		fail_if(chunk.ptr[i] != i, "Data mismatch");
+	}
+	chunk_free(&chunk);
+}
+END_TEST
+
+START_TEST(test_chunk_to_sequence)
+{
+	chunk_t chunk = chunk_from_thing("ABCDEFGH");
+	key_type key;
+
+	chunk_to_sequence(&chunk, &key, sizeof(key_type));
+	fail_if(key.size != chunk.len, "Seq size mismatch");
+
+	uint32_t i;
+	for (i = 0; i < key.size - 1; i++)
+	{
+		fail_if(key.data[i] != 65 + i, "Data mismatch (1)");
+	}
+	fail_if(key.data[key.size - 1] != 0, "Data mismatch (2)");
+}
+END_TEST
+
+TCase *make_utility_tests(void)
+{
+	TCase *tc = tcase_create("Utility tests");
+	tcase_add_test(tc, test_sequence_to_chunk);
+	tcase_add_test(tc, test_chunk_to_sequence);
+
+	return tc;
+}
diff --git a/src/charon/Makefile.in b/src/charon/Makefile.in
index 4776b783a..a617874b7 100644
--- a/src/charon/Makefile.in
+++ b/src/charon/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.11.3 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
@@ -16,6 +16,23 @@
 @SET_MAKE@
 
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -78,6 +95,11 @@ LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
 	$(LDFLAGS) -o $@
 SOURCES = $(charon_SOURCES)
 DIST_SOURCES = $(charon_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
@@ -94,6 +116,8 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -110,6 +134,7 @@ EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
@@ -178,8 +203,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -235,7 +258,6 @@ nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
@@ -325,8 +347,11 @@ $(ACLOCAL_M4):  $(am__aclocal_m4_deps)
 $(am__aclocal_m4_deps):
 install-ipsecPROGRAMS: $(ipsec_PROGRAMS)
 	@$(NORMAL_INSTALL)
-	test -z "$(ipsecdir)" || $(MKDIR_P) "$(DESTDIR)$(ipsecdir)"
 	@list='$(ipsec_PROGRAMS)'; test -n "$(ipsecdir)" || list=; \
+	if test -n "$$list"; then \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(ipsecdir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(ipsecdir)" || exit 1; \
+	fi; \
 	for p in $$list; do echo "$$p $$p"; done | \
 	sed 's/$(EXEEXT)$$//' | \
 	while read p p1; do if test -f $$p || test -f $$p1; \
diff --git a/src/charon/charon.c b/src/charon/charon.c
index f4bd27d34..812b7620b 100644
--- a/src/charon/charon.c
+++ b/src/charon/charon.c
@@ -175,6 +175,7 @@ static void segv_handler(int signal)
 
 	DBG1(DBG_DMN, "thread %u received %d", thread_current_id(), signal);
 	backtrace = backtrace_create(2);
+	backtrace->log(backtrace, NULL, TRUE);
 	backtrace->log(backtrace, stderr, TRUE);
 	backtrace->destroy(backtrace);
 
diff --git a/src/checksum/Makefile.in b/src/checksum/Makefile.in
index 8a816d626..cdb82f2b1 100644
--- a/src/checksum/Makefile.in
+++ b/src/checksum/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.11.3 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
@@ -17,6 +17,23 @@
 
 
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -141,6 +158,11 @@ LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
 	$(LDFLAGS) -o $@
 SOURCES = $(nodist_libchecksum_la_SOURCES) $(checksum_builder_SOURCES)
 DIST_SOURCES = $(checksum_builder_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
@@ -157,6 +179,8 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -173,6 +197,7 @@ EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
@@ -241,8 +266,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -298,7 +321,6 @@ nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
@@ -403,7 +425,6 @@ $(ACLOCAL_M4):  $(am__aclocal_m4_deps)
 $(am__aclocal_m4_deps):
 install-ipseclibLTLIBRARIES: $(ipseclib_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
-	test -z "$(ipseclibdir)" || $(MKDIR_P) "$(DESTDIR)$(ipseclibdir)"
 	@list='$(ipseclib_LTLIBRARIES)'; test -n "$(ipseclibdir)" || list=; \
 	list2=; for p in $$list; do \
 	  if test -f $$p; then \
@@ -411,6 +432,8 @@ install-ipseclibLTLIBRARIES: $(ipseclib_LTLIBRARIES)
 	  else :; fi; \
 	done; \
 	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(ipseclibdir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(ipseclibdir)" || exit 1; \
 	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(ipseclibdir)'"; \
 	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(ipseclibdir)"; \
 	}
diff --git a/src/conftest/Makefile.in b/src/conftest/Makefile.in
index 960705ce1..978402e65 100644
--- a/src/conftest/Makefile.in
+++ b/src/conftest/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.11.3 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
@@ -16,6 +16,23 @@
 @SET_MAKE@
 
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -89,6 +106,11 @@ LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
 	$(LDFLAGS) -o $@
 SOURCES = $(conftest_SOURCES)
 DIST_SOURCES = $(conftest_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
@@ -105,6 +127,8 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -121,6 +145,7 @@ EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
@@ -189,8 +214,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -246,7 +269,6 @@ nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
@@ -341,8 +363,11 @@ $(ACLOCAL_M4):  $(am__aclocal_m4_deps)
 $(am__aclocal_m4_deps):
 install-ipsecPROGRAMS: $(ipsec_PROGRAMS)
 	@$(NORMAL_INSTALL)
-	test -z "$(ipsecdir)" || $(MKDIR_P) "$(DESTDIR)$(ipsecdir)"
 	@list='$(ipsec_PROGRAMS)'; test -n "$(ipsecdir)" || list=; \
+	if test -n "$$list"; then \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(ipsecdir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(ipsecdir)" || exit 1; \
+	fi; \
 	for p in $$list; do echo "$$p $$p"; done | \
 	sed 's/$(EXEEXT)$$//' | \
 	while read p p1; do if test -f $$p || test -f $$p1; \
diff --git a/src/conftest/config.c b/src/conftest/config.c
index ae0d93460..7f05e9c72 100644
--- a/src/conftest/config.c
+++ b/src/conftest/config.c
@@ -107,7 +107,7 @@ static ike_cfg_t *load_ike_config(private_config_t *this,
 		settings->get_int(settings, "configs.%s.lport", 500, config),
 		settings->get_str(settings, "configs.%s.rhost", "%any", config), FALSE,
 		settings->get_int(settings, "configs.%s.rport", 500, config),
-		FRAGMENTATION_NO);
+		FRAGMENTATION_NO, 0);
 	token = settings->get_str(settings, "configs.%s.proposal", NULL, config);
 	if (token)
 	{
@@ -188,7 +188,7 @@ static child_cfg_t *load_child_config(private_config_t *this,
 		enumerator = enumerator_create_token(token, ",", " ");
 		while (enumerator->enumerate(enumerator, &token))
 		{
-			ts = traffic_selector_create_from_cidr(token, 0, 0);
+			ts = traffic_selector_create_from_cidr(token, 0, 0, 65535);
 			if (ts)
 			{
 				child_cfg->add_traffic_selector(child_cfg, TRUE, ts);
@@ -212,7 +212,7 @@ static child_cfg_t *load_child_config(private_config_t *this,
 		enumerator = enumerator_create_token(token, ",", " ");
 		while (enumerator->enumerate(enumerator, &token))
 		{
-			ts = traffic_selector_create_from_cidr(token, 0, 0);
+			ts = traffic_selector_create_from_cidr(token, 0, 0, 65535);
 			if (ts)
 			{
 				child_cfg->add_traffic_selector(child_cfg, FALSE, ts);
diff --git a/src/conftest/config.h b/src/conftest/config.h
index 2a62b9ce0..ce9e24586 100644
--- a/src/conftest/config.h
+++ b/src/conftest/config.h
@@ -14,7 +14,7 @@
  */
 
 /**
- * @defgroup config config
+ * @defgroup config_t config
  * @{ @ingroup conftest
  */
 
diff --git a/src/conftest/hooks/hook.h b/src/conftest/hooks/hook.h
index 39a15f21b..b93711726 100644
--- a/src/conftest/hooks/hook.h
+++ b/src/conftest/hooks/hook.h
@@ -14,8 +14,8 @@
  */
 
 /**
- * @defgroup hook hook
- * @{ @ingroup hooks
+ * @defgroup hook_t hook
+ * @{ @ingroup conftest
  */
 
 #ifndef HOOK_H_
diff --git a/src/dumm/Makefile.in b/src/dumm/Makefile.in
index a2b994ec3..e8f5cf9af 100644
--- a/src/dumm/Makefile.in
+++ b/src/dumm/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.11.3 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
@@ -17,6 +17,23 @@
 
 
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -113,6 +130,11 @@ LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
 	$(LDFLAGS) -o $@
 SOURCES = $(libdumm_la_SOURCES) $(dumm_SOURCES) $(irdumm_SOURCES)
 DIST_SOURCES = $(libdumm_la_SOURCES) $(dumm_SOURCES) $(irdumm_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
@@ -129,6 +151,8 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -145,6 +169,7 @@ EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
@@ -213,8 +238,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -270,7 +293,6 @@ nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
@@ -356,7 +378,6 @@ $(ACLOCAL_M4):  $(am__aclocal_m4_deps)
 $(am__aclocal_m4_deps):
 install-ipseclibLTLIBRARIES: $(ipseclib_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
-	test -z "$(ipseclibdir)" || $(MKDIR_P) "$(DESTDIR)$(ipseclibdir)"
 	@list='$(ipseclib_LTLIBRARIES)'; test -n "$(ipseclibdir)" || list=; \
 	list2=; for p in $$list; do \
 	  if test -f $$p; then \
@@ -364,6 +385,8 @@ install-ipseclibLTLIBRARIES: $(ipseclib_LTLIBRARIES)
 	  else :; fi; \
 	done; \
 	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(ipseclibdir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(ipseclibdir)" || exit 1; \
 	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(ipseclibdir)'"; \
 	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(ipseclibdir)"; \
 	}
@@ -389,8 +412,11 @@ libdumm.la: $(libdumm_la_OBJECTS) $(libdumm_la_DEPENDENCIES) $(EXTRA_libdumm_la_
 	$(LINK) -rpath $(ipseclibdir) $(libdumm_la_OBJECTS) $(libdumm_la_LIBADD) $(LIBS)
 install-ipsecPROGRAMS: $(ipsec_PROGRAMS)
 	@$(NORMAL_INSTALL)
-	test -z "$(ipsecdir)" || $(MKDIR_P) "$(DESTDIR)$(ipsecdir)"
 	@list='$(ipsec_PROGRAMS)'; test -n "$(ipsecdir)" || list=; \
+	if test -n "$$list"; then \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(ipsecdir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(ipsecdir)" || exit 1; \
+	fi; \
 	for p in $$list; do echo "$$p $$p"; done | \
 	sed 's/$(EXEEXT)$$//' | \
 	while read p p1; do if test -f $$p || test -f $$p1; \
diff --git a/src/include/Makefile.in b/src/include/Makefile.in
index ccf98b280..f2b94cf0c 100644
--- a/src/include/Makefile.in
+++ b/src/include/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.11.3 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
@@ -15,6 +15,23 @@
 
 @SET_MAKE@
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -53,6 +70,11 @@ CONFIG_CLEAN_FILES =
 CONFIG_CLEAN_VPATH_FILES =
 SOURCES =
 DIST_SOURCES =
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
@@ -67,6 +89,8 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -83,6 +107,7 @@ EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
@@ -151,8 +176,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -208,7 +231,6 @@ nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/ipsec/Android.mk b/src/ipsec/Android.mk
index d134f7fd2..c25be3ebc 100644
--- a/src/ipsec/Android.mk
+++ b/src/ipsec/Android.mk
@@ -18,13 +18,14 @@ $(GEN) : PRIVATE_CUSTOM_TOOL = sed \
 	-e "s:@IPSEC_NAME@:strongSwan:" \
 	-e "s:@IPSEC_DISTRO@::" \
 	-e "s:@IPSEC_DIR@:$(strongswan_DIR):" \
+	-e "s:@IPSEC_SCRIPT@:ipsec:" \
 	-e "s:@IPSEC_SBINDIR@:$(strongswan_SBINDIR):" \
 	-e "s:@IPSEC_CONFDIR@:$(strongswan_CONFDIR):" \
 	-e "s:@IPSEC_PIDDIR@:$(strongswan_PIDDIR):" \
 	$< > $@ && chmod +x $@
 
 $(GEN) : $(strongswan_PATH)/Android.mk
-$(GEN) : $(LOCAL_PATH)/ipsec.in
+$(GEN) : $(LOCAL_PATH)/_ipsec.in
 	$(transform-generated-source)
 
 LOCAL_GENERATED_SOURCES := $(GEN)
diff --git a/src/ipsec/Makefile.in b/src/ipsec/Makefile.in
index faa5f5cef..6849592e8 100644
--- a/src/ipsec/Makefile.in
+++ b/src/ipsec/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.11.3 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
@@ -16,6 +16,23 @@
 @SET_MAKE@
 
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -84,6 +101,11 @@ am__installdirs = "$(DESTDIR)$(sbindir)" "$(DESTDIR)$(man8dir)"
 SCRIPTS = $(sbin_SCRIPTS)
 SOURCES =
 DIST_SOURCES =
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 man8dir = $(mandir)/man8
 NROFF = nroff
 MANS = $(dist_man8_MANS)
@@ -101,6 +123,8 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -117,6 +141,7 @@ EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
@@ -185,8 +210,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -242,7 +265,6 @@ nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
@@ -315,8 +337,11 @@ $(ACLOCAL_M4):  $(am__aclocal_m4_deps)
 $(am__aclocal_m4_deps):
 install-sbinSCRIPTS: $(sbin_SCRIPTS)
 	@$(NORMAL_INSTALL)
-	test -z "$(sbindir)" || $(MKDIR_P) "$(DESTDIR)$(sbindir)"
 	@list='$(sbin_SCRIPTS)'; test -n "$(sbindir)" || list=; \
+	if test -n "$$list"; then \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(sbindir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(sbindir)" || exit 1; \
+	fi; \
 	for p in $$list; do \
 	  if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \
 	  if test -f "$$d$$p"; then echo "$$d$$p"; echo "$$p"; else :; fi; \
@@ -353,9 +378,18 @@ clean-libtool:
 	-rm -rf .libs _libs
 install-man8: $(dist_man8_MANS)
 	@$(NORMAL_INSTALL)
-	test -z "$(man8dir)" || $(MKDIR_P) "$(DESTDIR)$(man8dir)"
-	@list='$(dist_man8_MANS)'; test -n "$(man8dir)" || exit 0; \
-	{ for i in $$list; do echo "$$i"; done; \
+	@list1='$(dist_man8_MANS)'; \
+	list2=''; \
+	test -n "$(man8dir)" \
+	  && test -n "`echo $$list1$$list2`" \
+	  || exit 0; \
+	echo " $(MKDIR_P) '$(DESTDIR)$(man8dir)'"; \
+	$(MKDIR_P) "$(DESTDIR)$(man8dir)" || exit 1; \
+	{ for i in $$list1; do echo "$$i"; done;  \
+	if test -n "$$list2"; then \
+	  for i in $$list2; do echo "$$i"; done \
+	    | sed -n '/\.8[a-z]*$$/p'; \
+	fi; \
 	} | while read p; do \
 	  if test -f $$p; then d=; else d="$(srcdir)/"; fi; \
 	  echo "$$d$$p"; echo "$$p"; \
diff --git a/src/ipsec/_ipsec.8 b/src/ipsec/_ipsec.8
index 40eeb1f3e..ad2997471 100644
--- a/src/ipsec/_ipsec.8
+++ b/src/ipsec/_ipsec.8
@@ -1,4 +1,4 @@
-.TH IPSEC 8 "2012-06-19" "5.0.2" "strongSwan"
+.TH IPSEC 8 "2012-06-19" "5.0.3rc1" "strongSwan"
 .SH NAME
 ipsec \- invoke IPsec utilities
 .SH SYNOPSIS
diff --git a/src/ipsec/_ipsec.in b/src/ipsec/_ipsec.in
index 8b6ad660d..3742b12c7 100644
--- a/src/ipsec/_ipsec.in
+++ b/src/ipsec/_ipsec.in
@@ -18,6 +18,9 @@
 PATH="/sbin:/bin:/usr/sbin:/usr/bin:@IPSEC_SBINDIR@"
 export PATH
 
+# set daemon name
+[ -z "$DAEMON_NAME" ] && DAEMON_NAME="charon"
+
 # name and version of the ipsec implementation
 OS_NAME=`uname -s`
 IPSEC_NAME="@IPSEC_NAME@"
@@ -30,8 +33,8 @@ IPSEC_CONFDIR="@IPSEC_CONFDIR@"
 IPSEC_PIDDIR="@IPSEC_PIDDIR@"
 IPSEC_SCRIPT="@IPSEC_SCRIPT@"
 
-IPSEC_STARTER_PID="${IPSEC_PIDDIR}/starter.pid"
-IPSEC_CHARON_PID="${IPSEC_PIDDIR}/charon.pid"
+IPSEC_STARTER_PID="${IPSEC_PIDDIR}/starter.${DAEMON_NAME}.pid"
+IPSEC_CHARON_PID="${IPSEC_PIDDIR}/${DAEMON_NAME}.pid"
 
 IPSEC_STROKE="${IPSEC_DIR}/stroke"
 IPSEC_STARTER="${IPSEC_DIR}/starter"
@@ -59,7 +62,8 @@ case "$1" in
 	echo "	listalgs|listpubkeys|listcerts [--utc]"
 	echo "	listcacerts|listaacerts|listocspcerts [--utc]"
 	echo "	listacerts|listgroups|listcainfos [--utc]"
-	echo "	listcrls|listocsp|listcards|listplugins|listcounters|listall [--utc]"
+	echo "	listcrls|listocsp|listcards|listplugins|listall [--utc]"
+	echo "	listcounters|resetcounters [name]"
 	echo "	leases [<poolname> [<address>]]"
 	echo "	rereadsecrets|rereadgroups"
 	echo "	rereadcacerts|rereadaacerts|rereadocspcerts"
@@ -149,10 +153,10 @@ leases)
 listalgs|listpubkeys|listplugins|\
 listcerts|listcacerts|listaacerts|\
 listacerts|listgroups|listocspcerts|\
-listcainfos|listcrls|listocsp|listcounters|listall|\
+listcainfos|listcrls|listocsp|listall|\
 rereadsecrets|rereadcacerts|rereadaacerts|\
 rereadacerts|rereadocspcerts|rereadcrls|\
-rereadall|purgeocsp)
+rereadall|purgeocsp|listcounters|resetcounters)
 	op="$1"
 	rc=7
 	shift
@@ -219,7 +223,7 @@ start)
 	if [ -d /var/lock/subsys ]; then
 		touch /var/lock/subsys/ipsec
 	fi
-	exec $IPSEC_STARTER "$@"
+	exec $IPSEC_STARTER --daemon $DAEMON_NAME "$@"
 	;;
 status|statusall)
 	op="$1"
diff --git a/src/libcharon/Android.mk b/src/libcharon/Android.mk
index b2d6c3128..66606f937 100644
--- a/src/libcharon/Android.mk
+++ b/src/libcharon/Android.mk
@@ -2,7 +2,7 @@ LOCAL_PATH := $(call my-dir)
 include $(CLEAR_VARS)
 
 # copy-n-paste from Makefile.am
-LOCAL_SRC_FILES := \
+libcharon_la_SOURCES := \
 bus/bus.c bus/bus.h \
 bus/listeners/listener.h \
 bus/listeners/logger.h \
@@ -62,7 +62,7 @@ processing/jobs/start_action_job.c processing/jobs/start_action_job.h \
 processing/jobs/roam_job.c processing/jobs/roam_job.h \
 processing/jobs/update_sa_job.c processing/jobs/update_sa_job.h \
 processing/jobs/inactivity_job.c processing/jobs/inactivity_job.h \
-sa/eap/eap_method.c sa/eap/eap_method.h \
+sa/eap/eap_method.c sa/eap/eap_method.h sa/eap/eap_inner_method.h \
 sa/eap/eap_manager.c sa/eap/eap_manager.h \
 sa/xauth/xauth_method.c sa/xauth/xauth_method.h \
 sa/xauth/xauth_manager.c sa/xauth/xauth_manager.h \
@@ -77,7 +77,7 @@ sa/shunt_manager.c sa/shunt_manager.h \
 sa/trap_manager.c sa/trap_manager.h \
 sa/task.c sa/task.h
 
-LOCAL_SRC_FILES += \
+libcharon_la_SOURCES += \
 sa/ikev2/keymat_v2.c sa/ikev2/keymat_v2.h \
 sa/ikev2/task_manager_v2.c sa/ikev2/task_manager_v2.h \
 sa/ikev2/authenticators/eap_authenticator.c sa/ikev2/authenticators/eap_authenticator.h \
@@ -100,7 +100,7 @@ sa/ikev2/tasks/ike_reauth.c sa/ikev2/tasks/ike_reauth.h \
 sa/ikev2/tasks/ike_auth_lifetime.c sa/ikev2/tasks/ike_auth_lifetime.h \
 sa/ikev2/tasks/ike_vendor.c sa/ikev2/tasks/ike_vendor.h
 
-LOCAL_SRC_FILES += \
+libcharon_la_SOURCES += \
 sa/ikev1/keymat_v1.c sa/ikev1/keymat_v1.h \
 sa/ikev1/task_manager_v1.c sa/ikev1/task_manager_v1.h \
 sa/ikev1/authenticators/psk_v1_authenticator.c sa/ikev1/authenticators/psk_v1_authenticator.h \
@@ -123,11 +123,12 @@ sa/ikev1/tasks/mode_config.c sa/ikev1/tasks/mode_config.h \
 processing/jobs/dpd_timeout_job.c processing/jobs/dpd_timeout_job.h \
 processing/jobs/adopt_children_job.c processing/jobs/adopt_children_job.h
 
+LOCAL_SRC_FILES := $(filter %.c,$(libcharon_la_SOURCES))
+
 # adding the plugin source files
 
-LOCAL_SRC_FILES += $(call add_plugin, android)
-ifneq ($(call plugin_enabled, android),)
-LOCAL_C_INCLUDES += frameworks/base/cmds/keystore
+LOCAL_SRC_FILES += $(call add_plugin, android-dns)
+ifneq ($(call plugin_enabled, android-dns),)
 LOCAL_SHARED_LIBRARIES += libcutils
 endif
 
diff --git a/src/libcharon/Makefile.am b/src/libcharon/Makefile.am
index 5203890ff..f0736c5ca 100644
--- a/src/libcharon/Makefile.am
+++ b/src/libcharon/Makefile.am
@@ -60,7 +60,7 @@ processing/jobs/start_action_job.c processing/jobs/start_action_job.h \
 processing/jobs/roam_job.c processing/jobs/roam_job.h \
 processing/jobs/update_sa_job.c processing/jobs/update_sa_job.h \
 processing/jobs/inactivity_job.c processing/jobs/inactivity_job.h \
-sa/eap/eap_method.c sa/eap/eap_method.h \
+sa/eap/eap_method.c sa/eap/eap_method.h sa/eap/eap_inner_method.h \
 sa/eap/eap_manager.c sa/eap/eap_manager.h \
 sa/xauth/xauth_method.c sa/xauth/xauth_method.h \
 sa/xauth/xauth_manager.c sa/xauth/xauth_manager.h \
@@ -212,6 +212,13 @@ if MONOLITHIC
 endif
 endif
 
+if USE_IPSECKEY
+  SUBDIRS += plugins/ipseckey
+if MONOLITHIC
+  libcharon_la_LIBADD += plugins/ipseckey/libstrongswan-ipseckey.la
+endif
+endif
+
 if USE_UPDOWN
   SUBDIRS += plugins/updown
 if MONOLITHIC
@@ -450,10 +457,10 @@ if MONOLITHIC
 endif
 endif
 
-if USE_ANDROID
-  SUBDIRS += plugins/android
+if USE_ANDROID_DNS
+  SUBDIRS += plugins/android_dns
 if MONOLITHIC
-  libcharon_la_LIBADD += plugins/android/libstrongswan-android.la
+  libcharon_la_LIBADD += plugins/android_dns/libstrongswan-android-dns.la
 endif
 endif
 
@@ -506,6 +513,13 @@ if MONOLITHIC
 endif
 endif
 
+if USE_SYSTIME_FIX
+  SUBDIRS += plugins/systime_fix
+if MONOLITHIC
+  libcharon_la_LIBADD += plugins/systime_fix/libstrongswan-systime-fix.la
+endif
+endif
+
 if USE_LED
   SUBDIRS += plugins/led
 if MONOLITHIC
@@ -582,3 +596,10 @@ if MONOLITHIC
   libcharon_la_LIBADD += plugins/xauth_pam/libstrongswan-xauth-pam.la
 endif
 endif
+
+if USE_XAUTH_NOAUTH
+  SUBDIRS += plugins/xauth_noauth
+if MONOLITHIC
+  libcharon_la_LIBADD += plugins/xauth_noauth/libstrongswan-xauth-noauth.la
+endif
+endif
diff --git a/src/libcharon/Makefile.in b/src/libcharon/Makefile.in
index 063bc6d11..e772528d1 100644
--- a/src/libcharon/Makefile.in
+++ b/src/libcharon/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.11.3 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
@@ -16,6 +16,23 @@
 @SET_MAKE@
 
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -104,108 +121,114 @@ host_triplet = @host@
 @MONOLITHIC_TRUE@@USE_SMP_TRUE@am__append_15 = plugins/smp/libstrongswan-smp.la
 @USE_SQL_TRUE@am__append_16 = plugins/sql
 @MONOLITHIC_TRUE@@USE_SQL_TRUE@am__append_17 = plugins/sql/libstrongswan-sql.la
-@USE_UPDOWN_TRUE@am__append_18 = plugins/updown
-@MONOLITHIC_TRUE@@USE_UPDOWN_TRUE@am__append_19 = plugins/updown/libstrongswan-updown.la
-@USE_EAP_IDENTITY_TRUE@am__append_20 = plugins/eap_identity
-@MONOLITHIC_TRUE@@USE_EAP_IDENTITY_TRUE@am__append_21 = plugins/eap_identity/libstrongswan-eap-identity.la
-@USE_EAP_SIM_TRUE@am__append_22 = plugins/eap_sim
-@MONOLITHIC_TRUE@@USE_EAP_SIM_TRUE@am__append_23 = plugins/eap_sim/libstrongswan-eap-sim.la
-@USE_EAP_SIM_FILE_TRUE@am__append_24 = plugins/eap_sim_file
-@MONOLITHIC_TRUE@@USE_EAP_SIM_FILE_TRUE@am__append_25 = plugins/eap_sim_file/libstrongswan-eap-sim-file.la
-@USE_EAP_SIM_PCSC_TRUE@am__append_26 = plugins/eap_sim_pcsc
-@MONOLITHIC_TRUE@@USE_EAP_SIM_PCSC_TRUE@am__append_27 = plugins/eap_sim_pcsc/libstrongswan-eap-sim-pcsc.la
-@USE_EAP_SIMAKA_SQL_TRUE@am__append_28 = plugins/eap_simaka_sql
-@MONOLITHIC_TRUE@@USE_EAP_SIMAKA_SQL_TRUE@am__append_29 = plugins/eap_simaka_sql/libstrongswan-eap-simaka-sql.la
-@USE_EAP_SIMAKA_PSEUDONYM_TRUE@am__append_30 = plugins/eap_simaka_pseudonym
-@MONOLITHIC_TRUE@@USE_EAP_SIMAKA_PSEUDONYM_TRUE@am__append_31 = plugins/eap_simaka_pseudonym/libstrongswan-eap-simaka-pseudonym.la
-@USE_EAP_SIMAKA_REAUTH_TRUE@am__append_32 = plugins/eap_simaka_reauth
-@MONOLITHIC_TRUE@@USE_EAP_SIMAKA_REAUTH_TRUE@am__append_33 = plugins/eap_simaka_reauth/libstrongswan-eap-simaka-reauth.la
-@USE_EAP_AKA_TRUE@am__append_34 = plugins/eap_aka
-@MONOLITHIC_TRUE@@USE_EAP_AKA_TRUE@am__append_35 = plugins/eap_aka/libstrongswan-eap-aka.la
-@USE_EAP_AKA_3GPP2_TRUE@am__append_36 = plugins/eap_aka_3gpp2
-@MONOLITHIC_TRUE@@USE_EAP_AKA_3GPP2_TRUE@am__append_37 = plugins/eap_aka_3gpp2/libstrongswan-eap-aka-3gpp2.la
-@MONOLITHIC_TRUE@@USE_SIMAKA_TRUE@am__append_38 = $(top_builddir)/src/libsimaka/libsimaka.la
-@USE_EAP_MD5_TRUE@am__append_39 = plugins/eap_md5
-@MONOLITHIC_TRUE@@USE_EAP_MD5_TRUE@am__append_40 = plugins/eap_md5/libstrongswan-eap-md5.la
-@USE_EAP_GTC_TRUE@am__append_41 = plugins/eap_gtc
-@MONOLITHIC_TRUE@@USE_EAP_GTC_TRUE@am__append_42 = plugins/eap_gtc/libstrongswan-eap-gtc.la
-@USE_EAP_MSCHAPV2_TRUE@am__append_43 = plugins/eap_mschapv2
-@MONOLITHIC_TRUE@@USE_EAP_MSCHAPV2_TRUE@am__append_44 = plugins/eap_mschapv2/libstrongswan-eap-mschapv2.la
-@USE_EAP_DYNAMIC_TRUE@am__append_45 = plugins/eap_dynamic
-@MONOLITHIC_TRUE@@USE_EAP_DYNAMIC_TRUE@am__append_46 = plugins/eap_dynamic/libstrongswan-eap-dynamic.la
-@USE_EAP_RADIUS_TRUE@am__append_47 = plugins/eap_radius
-@MONOLITHIC_TRUE@@USE_EAP_RADIUS_TRUE@am__append_48 = plugins/eap_radius/libstrongswan-eap-radius.la
-@USE_EAP_TLS_TRUE@am__append_49 = plugins/eap_tls
-@MONOLITHIC_TRUE@@USE_EAP_TLS_TRUE@am__append_50 = plugins/eap_tls/libstrongswan-eap-tls.la
-@USE_EAP_TTLS_TRUE@am__append_51 = plugins/eap_ttls
-@MONOLITHIC_TRUE@@USE_EAP_TTLS_TRUE@am__append_52 = plugins/eap_ttls/libstrongswan-eap-ttls.la
-@USE_EAP_PEAP_TRUE@am__append_53 = plugins/eap_peap
-@MONOLITHIC_TRUE@@USE_EAP_PEAP_TRUE@am__append_54 = plugins/eap_peap/libstrongswan-eap-peap.la
-@USE_EAP_TNC_TRUE@am__append_55 = plugins/eap_tnc
-@MONOLITHIC_TRUE@@USE_EAP_TNC_TRUE@am__append_56 = plugins/eap_tnc/libstrongswan-eap-tnc.la
-@MONOLITHIC_TRUE@@USE_TLS_TRUE@am__append_57 = $(top_builddir)/src/libtls/libtls.la
-@MONOLITHIC_TRUE@@USE_RADIUS_TRUE@am__append_58 = $(top_builddir)/src/libradius/libradius.la
-@USE_TNC_IFMAP_TRUE@am__append_59 = plugins/tnc_ifmap
-@MONOLITHIC_TRUE@@USE_TNC_IFMAP_TRUE@am__append_60 = plugins/tnc_ifmap/libstrongswan-tnc-ifmap.la
-@USE_TNC_PDP_TRUE@am__append_61 = plugins/tnc_pdp
-@MONOLITHIC_TRUE@@USE_TNC_PDP_TRUE@am__append_62 = plugins/tnc_pdp/libstrongswan-tnc-pdp.la
-@USE_TNC_IMC_TRUE@am__append_63 = plugins/tnc_imc
-@MONOLITHIC_TRUE@@USE_TNC_IMC_TRUE@am__append_64 = plugins/tnc_imc/libstrongswan-tnc-imc.la
-@USE_TNC_IMV_TRUE@am__append_65 = plugins/tnc_imv
-@MONOLITHIC_TRUE@@USE_TNC_IMV_TRUE@am__append_66 = plugins/tnc_imv/libstrongswan-tnc-imv.la
-@USE_TNC_TNCCS_TRUE@am__append_67 = plugins/tnc_tnccs
-@MONOLITHIC_TRUE@@USE_TNC_TNCCS_TRUE@am__append_68 = plugins/tnc_tnccs/libstrongswan-tnc-tnccs.la
-@USE_TNCCS_11_TRUE@am__append_69 = plugins/tnccs_11
-@MONOLITHIC_TRUE@@USE_TNCCS_11_TRUE@am__append_70 = plugins/tnccs_11/libstrongswan-tnccs-11.la
-@USE_TNCCS_20_TRUE@am__append_71 = plugins/tnccs_20
-@MONOLITHIC_TRUE@@USE_TNCCS_20_TRUE@am__append_72 = plugins/tnccs_20/libstrongswan-tnccs-20.la
-@USE_TNCCS_DYNAMIC_TRUE@am__append_73 = plugins/tnccs_dynamic
-@MONOLITHIC_TRUE@@USE_TNCCS_DYNAMIC_TRUE@am__append_74 = plugins/tnccs_dynamic/libstrongswan-tnccs-dynamic.la
-@MONOLITHIC_TRUE@@USE_LIBTNCCS_TRUE@am__append_75 = $(top_builddir)/src/libtnccs/libtnccs.la
-@USE_MEDSRV_TRUE@am__append_76 = plugins/medsrv
-@MONOLITHIC_TRUE@@USE_MEDSRV_TRUE@am__append_77 = plugins/medsrv/libstrongswan-medsrv.la
-@USE_MEDCLI_TRUE@am__append_78 = plugins/medcli
-@MONOLITHIC_TRUE@@USE_MEDCLI_TRUE@am__append_79 = plugins/medcli/libstrongswan-medcli.la
-@USE_DHCP_TRUE@am__append_80 = plugins/dhcp
-@MONOLITHIC_TRUE@@USE_DHCP_TRUE@am__append_81 = plugins/dhcp/libstrongswan-dhcp.la
-@USE_ANDROID_TRUE@am__append_82 = plugins/android
-@MONOLITHIC_TRUE@@USE_ANDROID_TRUE@am__append_83 = plugins/android/libstrongswan-android.la
-@USE_ANDROID_LOG_TRUE@am__append_84 = plugins/android_log
-@MONOLITHIC_TRUE@@USE_ANDROID_LOG_TRUE@am__append_85 = plugins/android_log/libstrongswan-android-log.la
-@USE_MAEMO_TRUE@am__append_86 = plugins/maemo
-@MONOLITHIC_TRUE@@USE_MAEMO_TRUE@am__append_87 = plugins/maemo/libstrongswan-maemo.la
-@USE_HA_TRUE@am__append_88 = plugins/ha
-@MONOLITHIC_TRUE@@USE_HA_TRUE@am__append_89 = plugins/ha/libstrongswan-ha.la
-@USE_WHITELIST_TRUE@am__append_90 = plugins/whitelist
-@MONOLITHIC_TRUE@@USE_WHITELIST_TRUE@am__append_91 = plugins/whitelist/libstrongswan-whitelist.la
-@USE_LOOKIP_TRUE@am__append_92 = plugins/lookip
-@MONOLITHIC_TRUE@@USE_LOOKIP_TRUE@am__append_93 = plugins/lookip/libstrongswan-lookip.la
-@USE_ERROR_NOTIFY_TRUE@am__append_94 = plugins/error_notify
-@MONOLITHIC_TRUE@@USE_ERROR_NOTIFY_TRUE@am__append_95 = plugins/error_notify/libstrongswan-error-notify.la
-@USE_CERTEXPIRE_TRUE@am__append_96 = plugins/certexpire
-@MONOLITHIC_TRUE@@USE_CERTEXPIRE_TRUE@am__append_97 = plugins/certexpire/libstrongswan-certexpire.la
-@USE_LED_TRUE@am__append_98 = plugins/led
-@MONOLITHIC_TRUE@@USE_LED_TRUE@am__append_99 = plugins/led/libstrongswan-led.la
-@USE_DUPLICHECK_TRUE@am__append_100 = plugins/duplicheck
-@MONOLITHIC_TRUE@@USE_DUPLICHECK_TRUE@am__append_101 = plugins/duplicheck/libstrongswan-duplicheck.la
-@USE_COUPLING_TRUE@am__append_102 = plugins/coupling
-@MONOLITHIC_TRUE@@USE_COUPLING_TRUE@am__append_103 = plugins/coupling/libstrongswan-coupling.la
-@USE_RADATTR_TRUE@am__append_104 = plugins/radattr
-@MONOLITHIC_TRUE@@USE_RADATTR_TRUE@am__append_105 = plugins/radattr/libstrongswan-radattr.la
-@USE_UCI_TRUE@am__append_106 = plugins/uci
-@MONOLITHIC_TRUE@@USE_UCI_TRUE@am__append_107 = plugins/uci/libstrongswan-uci.la
-@USE_ADDRBLOCK_TRUE@am__append_108 = plugins/addrblock
-@MONOLITHIC_TRUE@@USE_ADDRBLOCK_TRUE@am__append_109 = plugins/addrblock/libstrongswan-addrblock.la
-@USE_UNITY_TRUE@am__append_110 = plugins/unity
-@MONOLITHIC_TRUE@@USE_UNITY_TRUE@am__append_111 = plugins/unity/libstrongswan-unity.la
-@USE_UNIT_TESTS_TRUE@am__append_112 = plugins/unit_tester
-@MONOLITHIC_TRUE@@USE_UNIT_TESTS_TRUE@am__append_113 = plugins/unit_tester/libstrongswan-unit-tester.la
-@USE_XAUTH_GENERIC_TRUE@am__append_114 = plugins/xauth_generic
-@MONOLITHIC_TRUE@@USE_XAUTH_GENERIC_TRUE@am__append_115 = plugins/xauth_generic/libstrongswan-xauth-generic.la
-@USE_XAUTH_EAP_TRUE@am__append_116 = plugins/xauth_eap
-@MONOLITHIC_TRUE@@USE_XAUTH_EAP_TRUE@am__append_117 = plugins/xauth_eap/libstrongswan-xauth-eap.la
-@USE_XAUTH_PAM_TRUE@am__append_118 = plugins/xauth_pam
-@MONOLITHIC_TRUE@@USE_XAUTH_PAM_TRUE@am__append_119 = plugins/xauth_pam/libstrongswan-xauth-pam.la
+@USE_IPSECKEY_TRUE@am__append_18 = plugins/ipseckey
+@MONOLITHIC_TRUE@@USE_IPSECKEY_TRUE@am__append_19 = plugins/ipseckey/libstrongswan-ipseckey.la
+@USE_UPDOWN_TRUE@am__append_20 = plugins/updown
+@MONOLITHIC_TRUE@@USE_UPDOWN_TRUE@am__append_21 = plugins/updown/libstrongswan-updown.la
+@USE_EAP_IDENTITY_TRUE@am__append_22 = plugins/eap_identity
+@MONOLITHIC_TRUE@@USE_EAP_IDENTITY_TRUE@am__append_23 = plugins/eap_identity/libstrongswan-eap-identity.la
+@USE_EAP_SIM_TRUE@am__append_24 = plugins/eap_sim
+@MONOLITHIC_TRUE@@USE_EAP_SIM_TRUE@am__append_25 = plugins/eap_sim/libstrongswan-eap-sim.la
+@USE_EAP_SIM_FILE_TRUE@am__append_26 = plugins/eap_sim_file
+@MONOLITHIC_TRUE@@USE_EAP_SIM_FILE_TRUE@am__append_27 = plugins/eap_sim_file/libstrongswan-eap-sim-file.la
+@USE_EAP_SIM_PCSC_TRUE@am__append_28 = plugins/eap_sim_pcsc
+@MONOLITHIC_TRUE@@USE_EAP_SIM_PCSC_TRUE@am__append_29 = plugins/eap_sim_pcsc/libstrongswan-eap-sim-pcsc.la
+@USE_EAP_SIMAKA_SQL_TRUE@am__append_30 = plugins/eap_simaka_sql
+@MONOLITHIC_TRUE@@USE_EAP_SIMAKA_SQL_TRUE@am__append_31 = plugins/eap_simaka_sql/libstrongswan-eap-simaka-sql.la
+@USE_EAP_SIMAKA_PSEUDONYM_TRUE@am__append_32 = plugins/eap_simaka_pseudonym
+@MONOLITHIC_TRUE@@USE_EAP_SIMAKA_PSEUDONYM_TRUE@am__append_33 = plugins/eap_simaka_pseudonym/libstrongswan-eap-simaka-pseudonym.la
+@USE_EAP_SIMAKA_REAUTH_TRUE@am__append_34 = plugins/eap_simaka_reauth
+@MONOLITHIC_TRUE@@USE_EAP_SIMAKA_REAUTH_TRUE@am__append_35 = plugins/eap_simaka_reauth/libstrongswan-eap-simaka-reauth.la
+@USE_EAP_AKA_TRUE@am__append_36 = plugins/eap_aka
+@MONOLITHIC_TRUE@@USE_EAP_AKA_TRUE@am__append_37 = plugins/eap_aka/libstrongswan-eap-aka.la
+@USE_EAP_AKA_3GPP2_TRUE@am__append_38 = plugins/eap_aka_3gpp2
+@MONOLITHIC_TRUE@@USE_EAP_AKA_3GPP2_TRUE@am__append_39 = plugins/eap_aka_3gpp2/libstrongswan-eap-aka-3gpp2.la
+@MONOLITHIC_TRUE@@USE_SIMAKA_TRUE@am__append_40 = $(top_builddir)/src/libsimaka/libsimaka.la
+@USE_EAP_MD5_TRUE@am__append_41 = plugins/eap_md5
+@MONOLITHIC_TRUE@@USE_EAP_MD5_TRUE@am__append_42 = plugins/eap_md5/libstrongswan-eap-md5.la
+@USE_EAP_GTC_TRUE@am__append_43 = plugins/eap_gtc
+@MONOLITHIC_TRUE@@USE_EAP_GTC_TRUE@am__append_44 = plugins/eap_gtc/libstrongswan-eap-gtc.la
+@USE_EAP_MSCHAPV2_TRUE@am__append_45 = plugins/eap_mschapv2
+@MONOLITHIC_TRUE@@USE_EAP_MSCHAPV2_TRUE@am__append_46 = plugins/eap_mschapv2/libstrongswan-eap-mschapv2.la
+@USE_EAP_DYNAMIC_TRUE@am__append_47 = plugins/eap_dynamic
+@MONOLITHIC_TRUE@@USE_EAP_DYNAMIC_TRUE@am__append_48 = plugins/eap_dynamic/libstrongswan-eap-dynamic.la
+@USE_EAP_RADIUS_TRUE@am__append_49 = plugins/eap_radius
+@MONOLITHIC_TRUE@@USE_EAP_RADIUS_TRUE@am__append_50 = plugins/eap_radius/libstrongswan-eap-radius.la
+@USE_EAP_TLS_TRUE@am__append_51 = plugins/eap_tls
+@MONOLITHIC_TRUE@@USE_EAP_TLS_TRUE@am__append_52 = plugins/eap_tls/libstrongswan-eap-tls.la
+@USE_EAP_TTLS_TRUE@am__append_53 = plugins/eap_ttls
+@MONOLITHIC_TRUE@@USE_EAP_TTLS_TRUE@am__append_54 = plugins/eap_ttls/libstrongswan-eap-ttls.la
+@USE_EAP_PEAP_TRUE@am__append_55 = plugins/eap_peap
+@MONOLITHIC_TRUE@@USE_EAP_PEAP_TRUE@am__append_56 = plugins/eap_peap/libstrongswan-eap-peap.la
+@USE_EAP_TNC_TRUE@am__append_57 = plugins/eap_tnc
+@MONOLITHIC_TRUE@@USE_EAP_TNC_TRUE@am__append_58 = plugins/eap_tnc/libstrongswan-eap-tnc.la
+@MONOLITHIC_TRUE@@USE_TLS_TRUE@am__append_59 = $(top_builddir)/src/libtls/libtls.la
+@MONOLITHIC_TRUE@@USE_RADIUS_TRUE@am__append_60 = $(top_builddir)/src/libradius/libradius.la
+@USE_TNC_IFMAP_TRUE@am__append_61 = plugins/tnc_ifmap
+@MONOLITHIC_TRUE@@USE_TNC_IFMAP_TRUE@am__append_62 = plugins/tnc_ifmap/libstrongswan-tnc-ifmap.la
+@USE_TNC_PDP_TRUE@am__append_63 = plugins/tnc_pdp
+@MONOLITHIC_TRUE@@USE_TNC_PDP_TRUE@am__append_64 = plugins/tnc_pdp/libstrongswan-tnc-pdp.la
+@USE_TNC_IMC_TRUE@am__append_65 = plugins/tnc_imc
+@MONOLITHIC_TRUE@@USE_TNC_IMC_TRUE@am__append_66 = plugins/tnc_imc/libstrongswan-tnc-imc.la
+@USE_TNC_IMV_TRUE@am__append_67 = plugins/tnc_imv
+@MONOLITHIC_TRUE@@USE_TNC_IMV_TRUE@am__append_68 = plugins/tnc_imv/libstrongswan-tnc-imv.la
+@USE_TNC_TNCCS_TRUE@am__append_69 = plugins/tnc_tnccs
+@MONOLITHIC_TRUE@@USE_TNC_TNCCS_TRUE@am__append_70 = plugins/tnc_tnccs/libstrongswan-tnc-tnccs.la
+@USE_TNCCS_11_TRUE@am__append_71 = plugins/tnccs_11
+@MONOLITHIC_TRUE@@USE_TNCCS_11_TRUE@am__append_72 = plugins/tnccs_11/libstrongswan-tnccs-11.la
+@USE_TNCCS_20_TRUE@am__append_73 = plugins/tnccs_20
+@MONOLITHIC_TRUE@@USE_TNCCS_20_TRUE@am__append_74 = plugins/tnccs_20/libstrongswan-tnccs-20.la
+@USE_TNCCS_DYNAMIC_TRUE@am__append_75 = plugins/tnccs_dynamic
+@MONOLITHIC_TRUE@@USE_TNCCS_DYNAMIC_TRUE@am__append_76 = plugins/tnccs_dynamic/libstrongswan-tnccs-dynamic.la
+@MONOLITHIC_TRUE@@USE_LIBTNCCS_TRUE@am__append_77 = $(top_builddir)/src/libtnccs/libtnccs.la
+@USE_MEDSRV_TRUE@am__append_78 = plugins/medsrv
+@MONOLITHIC_TRUE@@USE_MEDSRV_TRUE@am__append_79 = plugins/medsrv/libstrongswan-medsrv.la
+@USE_MEDCLI_TRUE@am__append_80 = plugins/medcli
+@MONOLITHIC_TRUE@@USE_MEDCLI_TRUE@am__append_81 = plugins/medcli/libstrongswan-medcli.la
+@USE_DHCP_TRUE@am__append_82 = plugins/dhcp
+@MONOLITHIC_TRUE@@USE_DHCP_TRUE@am__append_83 = plugins/dhcp/libstrongswan-dhcp.la
+@USE_ANDROID_DNS_TRUE@am__append_84 = plugins/android_dns
+@MONOLITHIC_TRUE@@USE_ANDROID_DNS_TRUE@am__append_85 = plugins/android_dns/libstrongswan-android-dns.la
+@USE_ANDROID_LOG_TRUE@am__append_86 = plugins/android_log
+@MONOLITHIC_TRUE@@USE_ANDROID_LOG_TRUE@am__append_87 = plugins/android_log/libstrongswan-android-log.la
+@USE_MAEMO_TRUE@am__append_88 = plugins/maemo
+@MONOLITHIC_TRUE@@USE_MAEMO_TRUE@am__append_89 = plugins/maemo/libstrongswan-maemo.la
+@USE_HA_TRUE@am__append_90 = plugins/ha
+@MONOLITHIC_TRUE@@USE_HA_TRUE@am__append_91 = plugins/ha/libstrongswan-ha.la
+@USE_WHITELIST_TRUE@am__append_92 = plugins/whitelist
+@MONOLITHIC_TRUE@@USE_WHITELIST_TRUE@am__append_93 = plugins/whitelist/libstrongswan-whitelist.la
+@USE_LOOKIP_TRUE@am__append_94 = plugins/lookip
+@MONOLITHIC_TRUE@@USE_LOOKIP_TRUE@am__append_95 = plugins/lookip/libstrongswan-lookip.la
+@USE_ERROR_NOTIFY_TRUE@am__append_96 = plugins/error_notify
+@MONOLITHIC_TRUE@@USE_ERROR_NOTIFY_TRUE@am__append_97 = plugins/error_notify/libstrongswan-error-notify.la
+@USE_CERTEXPIRE_TRUE@am__append_98 = plugins/certexpire
+@MONOLITHIC_TRUE@@USE_CERTEXPIRE_TRUE@am__append_99 = plugins/certexpire/libstrongswan-certexpire.la
+@USE_SYSTIME_FIX_TRUE@am__append_100 = plugins/systime_fix
+@MONOLITHIC_TRUE@@USE_SYSTIME_FIX_TRUE@am__append_101 = plugins/systime_fix/libstrongswan-systime-fix.la
+@USE_LED_TRUE@am__append_102 = plugins/led
+@MONOLITHIC_TRUE@@USE_LED_TRUE@am__append_103 = plugins/led/libstrongswan-led.la
+@USE_DUPLICHECK_TRUE@am__append_104 = plugins/duplicheck
+@MONOLITHIC_TRUE@@USE_DUPLICHECK_TRUE@am__append_105 = plugins/duplicheck/libstrongswan-duplicheck.la
+@USE_COUPLING_TRUE@am__append_106 = plugins/coupling
+@MONOLITHIC_TRUE@@USE_COUPLING_TRUE@am__append_107 = plugins/coupling/libstrongswan-coupling.la
+@USE_RADATTR_TRUE@am__append_108 = plugins/radattr
+@MONOLITHIC_TRUE@@USE_RADATTR_TRUE@am__append_109 = plugins/radattr/libstrongswan-radattr.la
+@USE_UCI_TRUE@am__append_110 = plugins/uci
+@MONOLITHIC_TRUE@@USE_UCI_TRUE@am__append_111 = plugins/uci/libstrongswan-uci.la
+@USE_ADDRBLOCK_TRUE@am__append_112 = plugins/addrblock
+@MONOLITHIC_TRUE@@USE_ADDRBLOCK_TRUE@am__append_113 = plugins/addrblock/libstrongswan-addrblock.la
+@USE_UNITY_TRUE@am__append_114 = plugins/unity
+@MONOLITHIC_TRUE@@USE_UNITY_TRUE@am__append_115 = plugins/unity/libstrongswan-unity.la
+@USE_UNIT_TESTS_TRUE@am__append_116 = plugins/unit_tester
+@MONOLITHIC_TRUE@@USE_UNIT_TESTS_TRUE@am__append_117 = plugins/unit_tester/libstrongswan-unit-tester.la
+@USE_XAUTH_GENERIC_TRUE@am__append_118 = plugins/xauth_generic
+@MONOLITHIC_TRUE@@USE_XAUTH_GENERIC_TRUE@am__append_119 = plugins/xauth_generic/libstrongswan-xauth-generic.la
+@USE_XAUTH_EAP_TRUE@am__append_120 = plugins/xauth_eap
+@MONOLITHIC_TRUE@@USE_XAUTH_EAP_TRUE@am__append_121 = plugins/xauth_eap/libstrongswan-xauth-eap.la
+@USE_XAUTH_PAM_TRUE@am__append_122 = plugins/xauth_pam
+@MONOLITHIC_TRUE@@USE_XAUTH_PAM_TRUE@am__append_123 = plugins/xauth_pam/libstrongswan-xauth-pam.la
+@USE_XAUTH_NOAUTH_TRUE@am__append_124 = plugins/xauth_noauth
+@MONOLITHIC_TRUE@@USE_XAUTH_NOAUTH_TRUE@am__append_125 = plugins/xauth_noauth/libstrongswan-xauth-noauth.la
 subdir = src/libcharon
 DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
@@ -261,21 +284,22 @@ libcharon_la_DEPENDENCIES = $(am__DEPENDENCIES_1) \
 	$(am__append_19) $(am__append_21) $(am__append_23) \
 	$(am__append_25) $(am__append_27) $(am__append_29) \
 	$(am__append_31) $(am__append_33) $(am__append_35) \
-	$(am__append_37) $(am__append_38) $(am__append_40) \
+	$(am__append_37) $(am__append_39) $(am__append_40) \
 	$(am__append_42) $(am__append_44) $(am__append_46) \
 	$(am__append_48) $(am__append_50) $(am__append_52) \
-	$(am__append_54) $(am__append_56) $(am__append_57) \
-	$(am__append_58) $(am__append_60) $(am__append_62) \
+	$(am__append_54) $(am__append_56) $(am__append_58) \
+	$(am__append_59) $(am__append_60) $(am__append_62) \
 	$(am__append_64) $(am__append_66) $(am__append_68) \
 	$(am__append_70) $(am__append_72) $(am__append_74) \
-	$(am__append_75) $(am__append_77) $(am__append_79) \
+	$(am__append_76) $(am__append_77) $(am__append_79) \
 	$(am__append_81) $(am__append_83) $(am__append_85) \
 	$(am__append_87) $(am__append_89) $(am__append_91) \
 	$(am__append_93) $(am__append_95) $(am__append_97) \
 	$(am__append_99) $(am__append_101) $(am__append_103) \
 	$(am__append_105) $(am__append_107) $(am__append_109) \
 	$(am__append_111) $(am__append_113) $(am__append_115) \
-	$(am__append_117) $(am__append_119)
+	$(am__append_117) $(am__append_119) $(am__append_121) \
+	$(am__append_123) $(am__append_125)
 am__libcharon_la_SOURCES_DIST = bus/bus.c bus/bus.h \
 	bus/listeners/listener.h bus/listeners/logger.h \
 	bus/listeners/file_logger.c bus/listeners/file_logger.h \
@@ -358,7 +382,8 @@ am__libcharon_la_SOURCES_DIST = bus/bus.c bus/bus.h \
 	processing/jobs/update_sa_job.h \
 	processing/jobs/inactivity_job.c \
 	processing/jobs/inactivity_job.h sa/eap/eap_method.c \
-	sa/eap/eap_method.h sa/eap/eap_manager.c sa/eap/eap_manager.h \
+	sa/eap/eap_method.h sa/eap/eap_inner_method.h \
+	sa/eap/eap_manager.c sa/eap/eap_manager.h \
 	sa/xauth/xauth_method.c sa/xauth/xauth_method.h \
 	sa/xauth/xauth_manager.c sa/xauth/xauth_manager.h \
 	sa/authenticator.c sa/authenticator.h sa/child_sa.c \
@@ -496,6 +521,11 @@ RECURSIVE_TARGETS = all-recursive check-recursive dvi-recursive \
 	install-pdf-recursive install-ps-recursive install-recursive \
 	installcheck-recursive installdirs-recursive pdf-recursive \
 	ps-recursive uninstall-recursive
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 RECURSIVE_CLEAN_TARGETS = mostlyclean-recursive clean-recursive	\
   distclean-recursive maintainer-clean-recursive
 AM_RECURSIVE_TARGETS = $(RECURSIVE_TARGETS:-recursive=) \
@@ -505,23 +535,24 @@ ETAGS = etags
 CTAGS = ctags
 DIST_SUBDIRS = . plugins/load_tester plugins/socket_default \
 	plugins/socket_dynamic plugins/farp plugins/stroke plugins/smp \
-	plugins/sql plugins/updown plugins/eap_identity \
-	plugins/eap_sim plugins/eap_sim_file plugins/eap_sim_pcsc \
-	plugins/eap_simaka_sql plugins/eap_simaka_pseudonym \
-	plugins/eap_simaka_reauth plugins/eap_aka \
-	plugins/eap_aka_3gpp2 plugins/eap_md5 plugins/eap_gtc \
-	plugins/eap_mschapv2 plugins/eap_dynamic plugins/eap_radius \
-	plugins/eap_tls plugins/eap_ttls plugins/eap_peap \
-	plugins/eap_tnc plugins/tnc_ifmap plugins/tnc_pdp \
-	plugins/tnc_imc plugins/tnc_imv plugins/tnc_tnccs \
-	plugins/tnccs_11 plugins/tnccs_20 plugins/tnccs_dynamic \
-	plugins/medsrv plugins/medcli plugins/dhcp plugins/android \
-	plugins/android_log plugins/maemo plugins/ha plugins/whitelist \
-	plugins/lookip plugins/error_notify plugins/certexpire \
+	plugins/sql plugins/ipseckey plugins/updown \
+	plugins/eap_identity plugins/eap_sim plugins/eap_sim_file \
+	plugins/eap_sim_pcsc plugins/eap_simaka_sql \
+	plugins/eap_simaka_pseudonym plugins/eap_simaka_reauth \
+	plugins/eap_aka plugins/eap_aka_3gpp2 plugins/eap_md5 \
+	plugins/eap_gtc plugins/eap_mschapv2 plugins/eap_dynamic \
+	plugins/eap_radius plugins/eap_tls plugins/eap_ttls \
+	plugins/eap_peap plugins/eap_tnc plugins/tnc_ifmap \
+	plugins/tnc_pdp plugins/tnc_imc plugins/tnc_imv \
+	plugins/tnc_tnccs plugins/tnccs_11 plugins/tnccs_20 \
+	plugins/tnccs_dynamic plugins/medsrv plugins/medcli \
+	plugins/dhcp plugins/android_dns plugins/android_log \
+	plugins/maemo plugins/ha plugins/whitelist plugins/lookip \
+	plugins/error_notify plugins/certexpire plugins/systime_fix \
 	plugins/led plugins/duplicheck plugins/coupling \
 	plugins/radattr plugins/uci plugins/addrblock plugins/unity \
 	plugins/unit_tester plugins/xauth_generic plugins/xauth_eap \
-	plugins/xauth_pam
+	plugins/xauth_pam plugins/xauth_noauth
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 am__relativize = \
   dir0=`pwd`; \
@@ -561,6 +592,8 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -577,6 +610,7 @@ EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
@@ -645,8 +679,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -702,7 +734,6 @@ nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
@@ -818,7 +849,8 @@ libcharon_la_SOURCES = bus/bus.c bus/bus.h bus/listeners/listener.h \
 	processing/jobs/update_sa_job.h \
 	processing/jobs/inactivity_job.c \
 	processing/jobs/inactivity_job.h sa/eap/eap_method.c \
-	sa/eap/eap_method.h sa/eap/eap_manager.c sa/eap/eap_manager.h \
+	sa/eap/eap_method.h sa/eap/eap_inner_method.h \
+	sa/eap/eap_manager.c sa/eap/eap_manager.h \
 	sa/xauth/xauth_method.c sa/xauth/xauth_method.h \
 	sa/xauth/xauth_manager.c sa/xauth/xauth_manager.h \
 	sa/authenticator.c sa/authenticator.h sa/child_sa.c \
@@ -844,21 +876,22 @@ libcharon_la_LIBADD = -lm $(PTHREADLIB) $(DLLIB) $(SOCKLIB) \
 	$(am__append_17) $(am__append_19) $(am__append_21) \
 	$(am__append_23) $(am__append_25) $(am__append_27) \
 	$(am__append_29) $(am__append_31) $(am__append_33) \
-	$(am__append_35) $(am__append_37) $(am__append_38) \
+	$(am__append_35) $(am__append_37) $(am__append_39) \
 	$(am__append_40) $(am__append_42) $(am__append_44) \
 	$(am__append_46) $(am__append_48) $(am__append_50) \
 	$(am__append_52) $(am__append_54) $(am__append_56) \
-	$(am__append_57) $(am__append_58) $(am__append_60) \
+	$(am__append_58) $(am__append_59) $(am__append_60) \
 	$(am__append_62) $(am__append_64) $(am__append_66) \
 	$(am__append_68) $(am__append_70) $(am__append_72) \
-	$(am__append_74) $(am__append_75) $(am__append_77) \
+	$(am__append_74) $(am__append_76) $(am__append_77) \
 	$(am__append_79) $(am__append_81) $(am__append_83) \
 	$(am__append_85) $(am__append_87) $(am__append_89) \
 	$(am__append_91) $(am__append_93) $(am__append_95) \
 	$(am__append_97) $(am__append_99) $(am__append_101) \
 	$(am__append_103) $(am__append_105) $(am__append_107) \
 	$(am__append_109) $(am__append_111) $(am__append_113) \
-	$(am__append_115) $(am__append_117) $(am__append_119)
+	$(am__append_115) $(am__append_117) $(am__append_119) \
+	$(am__append_121) $(am__append_123) $(am__append_125)
 EXTRA_DIST = Android.mk
 @MONOLITHIC_FALSE@SUBDIRS = . $(am__append_4) $(am__append_6) \
 @MONOLITHIC_FALSE@	$(am__append_8) $(am__append_10) \
@@ -868,16 +901,16 @@ EXTRA_DIST = Android.mk
 @MONOLITHIC_FALSE@	$(am__append_24) $(am__append_26) \
 @MONOLITHIC_FALSE@	$(am__append_28) $(am__append_30) \
 @MONOLITHIC_FALSE@	$(am__append_32) $(am__append_34) \
-@MONOLITHIC_FALSE@	$(am__append_36) $(am__append_39) \
+@MONOLITHIC_FALSE@	$(am__append_36) $(am__append_38) \
 @MONOLITHIC_FALSE@	$(am__append_41) $(am__append_43) \
 @MONOLITHIC_FALSE@	$(am__append_45) $(am__append_47) \
 @MONOLITHIC_FALSE@	$(am__append_49) $(am__append_51) \
 @MONOLITHIC_FALSE@	$(am__append_53) $(am__append_55) \
-@MONOLITHIC_FALSE@	$(am__append_59) $(am__append_61) \
+@MONOLITHIC_FALSE@	$(am__append_57) $(am__append_61) \
 @MONOLITHIC_FALSE@	$(am__append_63) $(am__append_65) \
 @MONOLITHIC_FALSE@	$(am__append_67) $(am__append_69) \
 @MONOLITHIC_FALSE@	$(am__append_71) $(am__append_73) \
-@MONOLITHIC_FALSE@	$(am__append_76) $(am__append_78) \
+@MONOLITHIC_FALSE@	$(am__append_75) $(am__append_78) \
 @MONOLITHIC_FALSE@	$(am__append_80) $(am__append_82) \
 @MONOLITHIC_FALSE@	$(am__append_84) $(am__append_86) \
 @MONOLITHIC_FALSE@	$(am__append_88) $(am__append_90) \
@@ -887,7 +920,9 @@ EXTRA_DIST = Android.mk
 @MONOLITHIC_FALSE@	$(am__append_104) $(am__append_106) \
 @MONOLITHIC_FALSE@	$(am__append_108) $(am__append_110) \
 @MONOLITHIC_FALSE@	$(am__append_112) $(am__append_114) \
-@MONOLITHIC_FALSE@	$(am__append_116) $(am__append_118)
+@MONOLITHIC_FALSE@	$(am__append_116) $(am__append_118) \
+@MONOLITHIC_FALSE@	$(am__append_120) $(am__append_122) \
+@MONOLITHIC_FALSE@	$(am__append_124)
 
 # build optional plugins
 ########################
@@ -899,16 +934,16 @@ EXTRA_DIST = Android.mk
 @MONOLITHIC_TRUE@	$(am__append_24) $(am__append_26) \
 @MONOLITHIC_TRUE@	$(am__append_28) $(am__append_30) \
 @MONOLITHIC_TRUE@	$(am__append_32) $(am__append_34) \
-@MONOLITHIC_TRUE@	$(am__append_36) $(am__append_39) \
+@MONOLITHIC_TRUE@	$(am__append_36) $(am__append_38) \
 @MONOLITHIC_TRUE@	$(am__append_41) $(am__append_43) \
 @MONOLITHIC_TRUE@	$(am__append_45) $(am__append_47) \
 @MONOLITHIC_TRUE@	$(am__append_49) $(am__append_51) \
 @MONOLITHIC_TRUE@	$(am__append_53) $(am__append_55) \
-@MONOLITHIC_TRUE@	$(am__append_59) $(am__append_61) \
+@MONOLITHIC_TRUE@	$(am__append_57) $(am__append_61) \
 @MONOLITHIC_TRUE@	$(am__append_63) $(am__append_65) \
 @MONOLITHIC_TRUE@	$(am__append_67) $(am__append_69) \
 @MONOLITHIC_TRUE@	$(am__append_71) $(am__append_73) \
-@MONOLITHIC_TRUE@	$(am__append_76) $(am__append_78) \
+@MONOLITHIC_TRUE@	$(am__append_75) $(am__append_78) \
 @MONOLITHIC_TRUE@	$(am__append_80) $(am__append_82) \
 @MONOLITHIC_TRUE@	$(am__append_84) $(am__append_86) \
 @MONOLITHIC_TRUE@	$(am__append_88) $(am__append_90) \
@@ -918,7 +953,9 @@ EXTRA_DIST = Android.mk
 @MONOLITHIC_TRUE@	$(am__append_104) $(am__append_106) \
 @MONOLITHIC_TRUE@	$(am__append_108) $(am__append_110) \
 @MONOLITHIC_TRUE@	$(am__append_112) $(am__append_114) \
-@MONOLITHIC_TRUE@	$(am__append_116) $(am__append_118)
+@MONOLITHIC_TRUE@	$(am__append_116) $(am__append_118) \
+@MONOLITHIC_TRUE@	$(am__append_120) $(am__append_122) \
+@MONOLITHIC_TRUE@	$(am__append_124)
 all: all-recursive
 
 .SUFFIXES:
@@ -955,7 +992,6 @@ $(ACLOCAL_M4):  $(am__aclocal_m4_deps)
 $(am__aclocal_m4_deps):
 install-ipseclibLTLIBRARIES: $(ipseclib_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
-	test -z "$(ipseclibdir)" || $(MKDIR_P) "$(DESTDIR)$(ipseclibdir)"
 	@list='$(ipseclib_LTLIBRARIES)'; test -n "$(ipseclibdir)" || list=; \
 	list2=; for p in $$list; do \
 	  if test -f $$p; then \
@@ -963,6 +999,8 @@ install-ipseclibLTLIBRARIES: $(ipseclib_LTLIBRARIES)
 	  else :; fi; \
 	done; \
 	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(ipseclibdir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(ipseclibdir)" || exit 1; \
 	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(ipseclibdir)'"; \
 	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(ipseclibdir)"; \
 	}
@@ -2141,13 +2179,10 @@ distdir: $(DISTFILES)
 	done
 	@list='$(DIST_SUBDIRS)'; for subdir in $$list; do \
 	  if test "$$subdir" = .; then :; else \
-	    test -d "$(distdir)/$$subdir" \
-	    || $(MKDIR_P) "$(distdir)/$$subdir" \
-	    || exit 1; \
-	  fi; \
-	done
-	@list='$(DIST_SUBDIRS)'; for subdir in $$list; do \
-	  if test "$$subdir" = .; then :; else \
+	    $(am__make_dryrun) \
+	      || test -d "$(distdir)/$$subdir" \
+	      || $(MKDIR_P) "$(distdir)/$$subdir" \
+	      || exit 1; \
 	    dir1=$$subdir; dir2="$(distdir)/$$subdir"; \
 	    $(am__relativize); \
 	    new_distdir=$$reldir; \
diff --git a/src/libcharon/bus/bus.h b/src/libcharon/bus/bus.h
index 4645bbde6..18d57bce1 100644
--- a/src/libcharon/bus/bus.h
+++ b/src/libcharon/bus/bus.h
@@ -103,7 +103,7 @@ enum alert_t {
 	ALERT_PARSE_ERROR_BODY,
 	/** sending a retransmit for a message, argument is packet_t */
 	ALERT_RETRANSMIT_SEND,
-	/** sending retransmits timed out, argument is packet_t */
+	/** sending retransmits timed out, argument is packet_t, if available */
 	ALERT_RETRANSMIT_SEND_TIMEOUT,
 	/** received a retransmit for a message, argument is message_t */
 	ALERT_RETRANSMIT_RECEIVE,
@@ -130,6 +130,8 @@ enum alert_t {
 	ALERT_VIP_FAILURE,
 	/** an authorize() hook failed, no argument */
 	ALERT_AUTHORIZATION_FAILED,
+	/** IKE_SA hit the hard lifetime limit before it could be rekeyed */
+	ALERT_IKE_SA_EXPIRED,
 };
 
 /**
diff --git a/src/libcharon/config/ike_cfg.c b/src/libcharon/config/ike_cfg.c
index 5e5fbba42..54a054e40 100644
--- a/src/libcharon/config/ike_cfg.c
+++ b/src/libcharon/config/ike_cfg.c
@@ -94,6 +94,11 @@ struct private_ike_cfg_t {
 	 */
 	fragmentation_t fragmentation;
 
+	/**
+	 * DSCP value to use on sent IKE packets
+	 */
+	u_int8_t dscp;
+
 	/**
 	 * List of proposals to use
 	 */
@@ -156,6 +161,12 @@ METHOD(ike_cfg_t, get_other_port, u_int16_t,
 	return this->other_port;
 }
 
+METHOD(ike_cfg_t, get_dscp, u_int8_t,
+	private_ike_cfg_t *this)
+{
+	return this->dscp;
+}
+
 METHOD(ike_cfg_t, add_proposal, void,
 	private_ike_cfg_t *this, proposal_t *proposal)
 {
@@ -312,7 +323,7 @@ METHOD(ike_cfg_t, destroy, void,
 ike_cfg_t *ike_cfg_create(ike_version_t version, bool certreq, bool force_encap,
 						  char *me, bool my_allow_any, u_int16_t my_port,
 						  char *other, bool other_allow_any, u_int16_t other_port,
-						  fragmentation_t fragmentation)
+						  fragmentation_t fragmentation, u_int8_t dscp)
 {
 	private_ike_cfg_t *this;
 
@@ -326,6 +337,7 @@ ike_cfg_t *ike_cfg_create(ike_version_t version, bool certreq, bool force_encap,
 			.get_other_addr = _get_other_addr,
 			.get_my_port = _get_my_port,
 			.get_other_port = _get_other_port,
+			.get_dscp = _get_dscp,
 			.add_proposal = _add_proposal,
 			.get_proposals = _get_proposals,
 			.select_proposal = _select_proposal,
@@ -345,6 +357,7 @@ ike_cfg_t *ike_cfg_create(ike_version_t version, bool certreq, bool force_encap,
 		.other_allow_any = other_allow_any,
 		.my_port = my_port,
 		.other_port = other_port,
+		.dscp = dscp,
 		.proposals = linked_list_create(),
 	);
 
diff --git a/src/libcharon/config/ike_cfg.h b/src/libcharon/config/ike_cfg.h
index 5a7fae1e9..719ceb9dd 100644
--- a/src/libcharon/config/ike_cfg.h
+++ b/src/libcharon/config/ike_cfg.h
@@ -107,6 +107,13 @@ struct ike_cfg_t {
 	 */
 	u_int16_t (*get_other_port)(ike_cfg_t *this);
 
+	/**
+	 * Get the DSCP value to use for IKE packets send from connections.
+	 *
+	 * @return				DSCP value
+	 */
+	u_int8_t (*get_dscp)(ike_cfg_t *this);
+
 	/**
 	 * Adds a proposal to the list.
 	 *
@@ -205,11 +212,12 @@ struct ike_cfg_t {
  * @param other_allow_any	allow override of remote address by any address
  * @param other_port		IKE port to use as dest, 500 uses IKEv2 port floating
  * @param fragmentation		use IKEv1 fragmentation
+ * @param dscp				DSCP value to send IKE packets with
  * @return 					ike_cfg_t object.
  */
 ike_cfg_t *ike_cfg_create(ike_version_t version, bool certreq, bool force_encap,
 						  char *me, bool my_allow_any, u_int16_t my_port,
 						  char *other, bool other_allow_any, u_int16_t other_port,
-						  fragmentation_t fragmentation);
+						  fragmentation_t fragmentation, u_int8_t dscp);
 
 #endif /** IKE_CFG_H_ @}*/
diff --git a/src/libcharon/control/controller.c b/src/libcharon/control/controller.c
index 77d73dba9..0ee99c4b7 100644
--- a/src/libcharon/control/controller.c
+++ b/src/libcharon/control/controller.c
@@ -363,7 +363,10 @@ METHOD(job_t, initiate_execute, job_requeue_t,
 
 	if (ike_sa->initiate(ike_sa, listener->child_cfg, 0, NULL, NULL) == SUCCESS)
 	{
-		listener->status = SUCCESS;
+		if (!listener->logger.callback)
+		{
+			listener->status = SUCCESS;
+		}
 		charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa);
 	}
 	else
@@ -454,7 +457,10 @@ METHOD(job_t, terminate_ike_execute, job_requeue_t,
 	}
 	else
 	{
-		listener->status = SUCCESS;
+		if (!listener->logger.callback)
+		{
+			listener->status = SUCCESS;
+		}
 		charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager,
 													ike_sa);
 	}
@@ -561,7 +567,10 @@ METHOD(job_t, terminate_child_execute, job_requeue_t,
 	if (ike_sa->delete_child_sa(ike_sa, child_sa->get_protocol(child_sa),
 					child_sa->get_spi(child_sa, TRUE), FALSE) != DESTROY_ME)
 	{
-		listener->status = SUCCESS;
+		if (!listener->logger.callback)
+		{
+			listener->status = SUCCESS;
+		}
 		charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa);
 	}
 	else
@@ -657,4 +666,3 @@ controller_t *controller_create(void)
 
 	return &this->public;
 }
-
diff --git a/src/libcharon/encoding/message.c b/src/libcharon/encoding/message.c
index 28fdda735..749c326a5 100644
--- a/src/libcharon/encoding/message.c
+++ b/src/libcharon/encoding/message.c
@@ -62,7 +62,7 @@
 /**
  * Max number of NAT-D payloads per IKEv1 message
  */
-#define MAX_NAT_D_PAYLOADS 5
+#define MAX_NAT_D_PAYLOADS 10
 
 /**
  * A payload rule defines the rules for a payload
@@ -151,7 +151,7 @@ static payload_rule_t ike_sa_init_r_rules[] = {
 	{SECURITY_ASSOCIATION,			1,	1,						FALSE,	FALSE},
 	{KEY_EXCHANGE,					1,	1,						FALSE,	FALSE},
 	{NONCE,							1,	1,						FALSE,	FALSE},
-	{CERTIFICATE_REQUEST,			0,	1,						FALSE,	FALSE},
+	{CERTIFICATE_REQUEST,			0,	MAX_CERTREQ_PAYLOADS,	FALSE,	FALSE},
 	{VENDOR_ID,						0,	MAX_VID_PAYLOADS,		FALSE,	FALSE},
 };
 
@@ -181,7 +181,7 @@ static payload_rule_t ike_auth_i_rules[] = {
 	{AUTHENTICATION,				0,	1,						TRUE,	TRUE},
 	{ID_INITIATOR,					0,	1,						TRUE,	FALSE},
 	{CERTIFICATE,					0,	MAX_CERT_PAYLOADS,		TRUE,	FALSE},
-	{CERTIFICATE_REQUEST,			0,	1,						TRUE,	FALSE},
+	{CERTIFICATE_REQUEST,			0,	MAX_CERTREQ_PAYLOADS,	TRUE,	FALSE},
 	{ID_RESPONDER,					0,	1,						TRUE,	FALSE},
 #ifdef ME
 	{SECURITY_ASSOCIATION,			0,	1,						TRUE,	FALSE},
diff --git a/src/libcharon/encoding/payloads/notify_payload.c b/src/libcharon/encoding/payloads/notify_payload.c
index d168e1c12..f7a13d728 100644
--- a/src/libcharon/encoding/payloads/notify_payload.c
+++ b/src/libcharon/encoding/payloads/notify_payload.c
@@ -65,7 +65,7 @@ ENUM_NEXT(notify_type_names, ME_CONNECT_FAILED, ME_CONNECT_FAILED, CHILD_SA_NOT_
 	"ME_CONNECT_FAILED");
 ENUM_NEXT(notify_type_names, MS_NOTIFY_STATUS, MS_NOTIFY_STATUS, ME_CONNECT_FAILED,
 	"MS_NOTIFY_STATUS");
-ENUM_NEXT(notify_type_names, INITIAL_CONTACT, PSK_CONFIRM, MS_NOTIFY_STATUS,
+ENUM_NEXT(notify_type_names, INITIAL_CONTACT, ERX_SUPPORTED, MS_NOTIFY_STATUS,
 	"INITIAL_CONTACT",
 	"SET_WINDOW_SIZE",
 	"ADDITIONAL_TS_POSSIBLE",
@@ -108,8 +108,9 @@ ENUM_NEXT(notify_type_names, INITIAL_CONTACT, PSK_CONFIRM, MS_NOTIFY_STATUS,
 	"IPSEC_REPLAY_COUNTER_SYNC",
 	"SECURE PASSWORD_METHOD",
 	"PSK_PERSIST",
-	"PSK_CONFIRM");
-ENUM_NEXT(notify_type_names, INITIAL_CONTACT_IKEV1, INITIAL_CONTACT_IKEV1, PSK_CONFIRM,
+	"PSK_CONFIRM",
+	"ERX_SUPPORTED");
+ENUM_NEXT(notify_type_names, INITIAL_CONTACT_IKEV1, INITIAL_CONTACT_IKEV1, ERX_SUPPORTED,
 	"INITIAL_CONTACT");
 ENUM_NEXT(notify_type_names, DPD_R_U_THERE, DPD_R_U_THERE_ACK, INITIAL_CONTACT_IKEV1,
 	"DPD_R_U_THERE",
@@ -170,7 +171,7 @@ ENUM_NEXT(notify_type_short_names, ME_CONNECT_FAILED, ME_CONNECT_FAILED, CHILD_S
 	"ME_CONN_FAIL");
 ENUM_NEXT(notify_type_short_names, MS_NOTIFY_STATUS, MS_NOTIFY_STATUS, ME_CONNECT_FAILED,
 	"MS_STATUS");
-ENUM_NEXT(notify_type_short_names, INITIAL_CONTACT, PSK_CONFIRM, MS_NOTIFY_STATUS,
+ENUM_NEXT(notify_type_short_names, INITIAL_CONTACT, ERX_SUPPORTED, MS_NOTIFY_STATUS,
 	"INIT_CONTACT",
 	"SET_WINSIZE",
 	"ADD_TS_POSS",
@@ -213,8 +214,9 @@ ENUM_NEXT(notify_type_short_names, INITIAL_CONTACT, PSK_CONFIRM, MS_NOTIFY_STATU
 	"RPL_CTR_SYN",
 	"SEC_PASSWD",
 	"PSK_PST",
-	"PSK_CFM");
-ENUM_NEXT(notify_type_short_names, INITIAL_CONTACT_IKEV1, INITIAL_CONTACT_IKEV1, PSK_CONFIRM,
+	"PSK_CFM",
+	"ERX_SUP");
+ENUM_NEXT(notify_type_short_names, INITIAL_CONTACT_IKEV1, INITIAL_CONTACT_IKEV1, ERX_SUPPORTED,
 	"INITIAL_CONTACT");
 ENUM_NEXT(notify_type_short_names, DPD_R_U_THERE, DPD_R_U_THERE_ACK, INITIAL_CONTACT_IKEV1,
 	"DPD",
diff --git a/src/libcharon/encoding/payloads/notify_payload.h b/src/libcharon/encoding/payloads/notify_payload.h
index 498c659b1..847fddc69 100644
--- a/src/libcharon/encoding/payloads/notify_payload.h
+++ b/src/libcharon/encoding/payloads/notify_payload.h
@@ -140,9 +140,11 @@ enum notify_type_t {
 	IPSEC_REPLAY_COUNTER_SYNC = 16423,
 	/* Secure password methods, RFC 6467 */
 	SECURE_PASSWORD_METHOD = 16424,
-	/* PACE - draft-kuegler-ipsecme-pace-ikev2 */
+	/* PACE, RFC 6631 */
 	PSK_PERSIST = 16425,
 	PSK_CONFIRM = 16426,
+	/* EAP Re-authentication Extension, RFC 6867 */
+	ERX_SUPPORTED = 16427,
 	/* IKEv1 initial contact */
 	INITIAL_CONTACT_IKEV1 = 24578,
 	/* IKEv1 DPD */
diff --git a/src/libcharon/encoding/payloads/traffic_selector_substructure.c b/src/libcharon/encoding/payloads/traffic_selector_substructure.c
index 15f791b95..334823db9 100644
--- a/src/libcharon/encoding/payloads/traffic_selector_substructure.c
+++ b/src/libcharon/encoding/payloads/traffic_selector_substructure.c
@@ -114,7 +114,11 @@ METHOD(payload_t, verify, status_t,
 {
 	if (this->start_port > this->end_port)
 	{
-		return FAILED;
+		/* OPAQUE ports are the only exception */
+		if (this->start_port != 0xffff && this->end_port != 0)
+		{
+			return FAILED;
+		}
 	}
 	switch (this->ts_type)
 	{
diff --git a/src/libcharon/network/receiver.c b/src/libcharon/network/receiver.c
index f683cf818..6b2c2bf5b 100644
--- a/src/libcharon/network/receiver.c
+++ b/src/libcharon/network/receiver.c
@@ -296,7 +296,7 @@ static bool cookie_required(private_receiver_t *this,
 		this->last_cookie = now;
 		return TRUE;
 	}
-	if (now < this->last_cookie + COOKIE_CALMDOWN_DELAY)
+	if (this->last_cookie && now < this->last_cookie + COOKIE_CALMDOWN_DELAY)
 	{
 		/* We don't disable cookies unless we haven't seen IKE_SA_INITs
 		 * for COOKIE_CALMDOWN_DELAY seconds. This avoids jittering between
diff --git a/src/libcharon/plugins/addrblock/Makefile.in b/src/libcharon/plugins/addrblock/Makefile.in
index 5bc6d1ec3..52cd6186e 100644
--- a/src/libcharon/plugins/addrblock/Makefile.in
+++ b/src/libcharon/plugins/addrblock/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.11.3 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
@@ -16,6 +16,23 @@
 @SET_MAKE@
 
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -108,6 +125,11 @@ LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
 	$(LDFLAGS) -o $@
 SOURCES = $(libstrongswan_addrblock_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_addrblock_la_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
@@ -124,6 +146,8 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -140,6 +164,7 @@ EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
@@ -208,8 +233,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -265,7 +288,6 @@ nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
@@ -356,7 +378,6 @@ clean-noinstLTLIBRARIES:
 	done
 install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
-	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
 	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
 	list2=; for p in $$list; do \
 	  if test -f $$p; then \
@@ -364,6 +385,8 @@ install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	  else :; fi; \
 	done; \
 	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \
 	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
 	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
 	}
diff --git a/src/libcharon/plugins/android/Makefile.am b/src/libcharon/plugins/android/Makefile.am
deleted file mode 100644
index b10cd9527..000000000
--- a/src/libcharon/plugins/android/Makefile.am
+++ /dev/null
@@ -1,20 +0,0 @@
-
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
-	-I$(top_srcdir)/src/libcharon
-
-AM_CFLAGS = -rdynamic
-
-if MONOLITHIC
-noinst_LTLIBRARIES = libstrongswan-android.la
-else
-plugin_LTLIBRARIES = libstrongswan-android.la
-endif
-
-libstrongswan_android_la_SOURCES = \
-	android_plugin.c android_plugin.h \
-	android_service.c android_service.h \
-	android_handler.c android_handler.h \
-	android_creds.c android_creds.h
-
-libstrongswan_android_la_LDFLAGS = -module -avoid-version
-libstrongswan_android_la_LIBADD  = -lcutils
diff --git a/src/libcharon/plugins/android/Makefile.in b/src/libcharon/plugins/android/Makefile.in
deleted file mode 100644
index 312e63f2a..000000000
--- a/src/libcharon/plugins/android/Makefile.in
+++ /dev/null
@@ -1,640 +0,0 @@
-# Makefile.in generated by automake 1.11.3 from Makefile.am.
-# @configure_input@
-
-# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
-# Foundation, Inc.
-# This Makefile.in is free software; the Free Software Foundation
-# gives unlimited permission to copy and/or distribute it,
-# with or without modifications, as long as this notice is preserved.
-
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
-# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
-# PARTICULAR PURPOSE.
-
-@SET_MAKE@
-
-VPATH = @srcdir@
-pkgdatadir = $(datadir)/@PACKAGE@
-pkgincludedir = $(includedir)/@PACKAGE@
-pkglibdir = $(libdir)/@PACKAGE@
-pkglibexecdir = $(libexecdir)/@PACKAGE@
-am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
-install_sh_DATA = $(install_sh) -c -m 644
-install_sh_PROGRAM = $(install_sh) -c
-install_sh_SCRIPT = $(install_sh) -c
-INSTALL_HEADER = $(INSTALL_DATA)
-transform = $(program_transform_name)
-NORMAL_INSTALL = :
-PRE_INSTALL = :
-POST_INSTALL = :
-NORMAL_UNINSTALL = :
-PRE_UNINSTALL = :
-POST_UNINSTALL = :
-build_triplet = @build@
-host_triplet = @host@
-subdir = src/libcharon/plugins/android
-DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
-ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
-am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
-	$(top_srcdir)/m4/config/ltoptions.m4 \
-	$(top_srcdir)/m4/config/ltsugar.m4 \
-	$(top_srcdir)/m4/config/ltversion.m4 \
-	$(top_srcdir)/m4/config/lt~obsolete.m4 \
-	$(top_srcdir)/m4/macros/with.m4 \
-	$(top_srcdir)/m4/macros/enable-disable.m4 \
-	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
-am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
-	$(ACLOCAL_M4)
-mkinstalldirs = $(install_sh) -d
-CONFIG_HEADER = $(top_builddir)/config.h
-CONFIG_CLEAN_FILES =
-CONFIG_CLEAN_VPATH_FILES =
-am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
-am__vpath_adj = case $$p in \
-    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
-    *) f=$$p;; \
-  esac;
-am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
-am__install_max = 40
-am__nobase_strip_setup = \
-  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
-am__nobase_strip = \
-  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
-am__nobase_list = $(am__nobase_strip_setup); \
-  for p in $$list; do echo "$$p $$p"; done | \
-  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
-  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
-    if (++n[$$2] == $(am__install_max)) \
-      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
-    END { for (dir in files) print dir, files[dir] }'
-am__base_list = \
-  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
-  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
-am__uninstall_files_from_dir = { \
-  test -z "$$files" \
-    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
-    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
-         $(am__cd) "$$dir" && rm -f $$files; }; \
-  }
-am__installdirs = "$(DESTDIR)$(plugindir)"
-LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
-libstrongswan_android_la_DEPENDENCIES =
-am_libstrongswan_android_la_OBJECTS = android_plugin.lo \
-	android_service.lo android_handler.lo android_creds.lo
-libstrongswan_android_la_OBJECTS =  \
-	$(am_libstrongswan_android_la_OBJECTS)
-libstrongswan_android_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
-	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
-	$(libstrongswan_android_la_LDFLAGS) $(LDFLAGS) -o $@
-@MONOLITHIC_FALSE@am_libstrongswan_android_la_rpath = -rpath \
-@MONOLITHIC_FALSE@	$(plugindir)
-@MONOLITHIC_TRUE@am_libstrongswan_android_la_rpath =
-DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
-depcomp = $(SHELL) $(top_srcdir)/depcomp
-am__depfiles_maybe = depfiles
-am__mv = mv -f
-COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
-	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
-SOURCES = $(libstrongswan_android_la_SOURCES)
-DIST_SOURCES = $(libstrongswan_android_la_SOURCES)
-ETAGS = etags
-CTAGS = ctags
-DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
-ACLOCAL = @ACLOCAL@
-ALLOCA = @ALLOCA@
-AMTAR = @AMTAR@
-AR = @AR@
-AUTOCONF = @AUTOCONF@
-AUTOHEADER = @AUTOHEADER@
-AUTOMAKE = @AUTOMAKE@
-AWK = @AWK@
-BFDLIB = @BFDLIB@
-BTLIB = @BTLIB@
-CC = @CC@
-CCDEPMODE = @CCDEPMODE@
-CFLAGS = @CFLAGS@
-CPP = @CPP@
-CPPFLAGS = @CPPFLAGS@
-CYGPATH_W = @CYGPATH_W@
-DEFS = @DEFS@
-DEPDIR = @DEPDIR@
-DLLIB = @DLLIB@
-DLLTOOL = @DLLTOOL@
-DSYMUTIL = @DSYMUTIL@
-DUMPBIN = @DUMPBIN@
-ECHO_C = @ECHO_C@
-ECHO_N = @ECHO_N@
-ECHO_T = @ECHO_T@
-EGREP = @EGREP@
-EXEEXT = @EXEEXT@
-FGREP = @FGREP@
-GPERF = @GPERF@
-GREP = @GREP@
-INSTALL = @INSTALL@
-INSTALL_DATA = @INSTALL_DATA@
-INSTALL_PROGRAM = @INSTALL_PROGRAM@
-INSTALL_SCRIPT = @INSTALL_SCRIPT@
-INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
-LD = @LD@
-LDFLAGS = @LDFLAGS@
-LEX = @LEX@
-LEXLIB = @LEXLIB@
-LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
-LIBOBJS = @LIBOBJS@
-LIBS = @LIBS@
-LIBTOOL = @LIBTOOL@
-LIPO = @LIPO@
-LN_S = @LN_S@
-LTLIBOBJS = @LTLIBOBJS@
-MAKEINFO = @MAKEINFO@
-MANIFEST_TOOL = @MANIFEST_TOOL@
-MKDIR_P = @MKDIR_P@
-MYSQLCFLAG = @MYSQLCFLAG@
-MYSQLCONFIG = @MYSQLCONFIG@
-MYSQLLIB = @MYSQLLIB@
-NM = @NM@
-NMEDIT = @NMEDIT@
-OBJDUMP = @OBJDUMP@
-OBJEXT = @OBJEXT@
-OTOOL = @OTOOL@
-OTOOL64 = @OTOOL64@
-PACKAGE = @PACKAGE@
-PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
-PACKAGE_NAME = @PACKAGE_NAME@
-PACKAGE_STRING = @PACKAGE_STRING@
-PACKAGE_TARNAME = @PACKAGE_TARNAME@
-PACKAGE_URL = @PACKAGE_URL@
-PACKAGE_VERSION = @PACKAGE_VERSION@
-PATH_SEPARATOR = @PATH_SEPARATOR@
-PERL = @PERL@
-PKG_CONFIG = @PKG_CONFIG@
-PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
-PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
-PTHREADLIB = @PTHREADLIB@
-RANLIB = @RANLIB@
-RTLIB = @RTLIB@
-RUBY = @RUBY@
-RUBYINCLUDE = @RUBYINCLUDE@
-RUBYLIB = @RUBYLIB@
-SED = @SED@
-SET_MAKE = @SET_MAKE@
-SHELL = @SHELL@
-SOCKLIB = @SOCKLIB@
-STRIP = @STRIP@
-VERSION = @VERSION@
-YACC = @YACC@
-YFLAGS = @YFLAGS@
-abs_builddir = @abs_builddir@
-abs_srcdir = @abs_srcdir@
-abs_top_builddir = @abs_top_builddir@
-abs_top_srcdir = @abs_top_srcdir@
-ac_ct_AR = @ac_ct_AR@
-ac_ct_CC = @ac_ct_CC@
-ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
-am__include = @am__include@
-am__leading_dot = @am__leading_dot@
-am__quote = @am__quote@
-am__tar = @am__tar@
-am__untar = @am__untar@
-attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
-bindir = @bindir@
-build = @build@
-build_alias = @build_alias@
-build_cpu = @build_cpu@
-build_os = @build_os@
-build_vendor = @build_vendor@
-builddir = @builddir@
-c_plugins = @c_plugins@
-charon_natt_port = @charon_natt_port@
-charon_plugins = @charon_plugins@
-charon_udp_port = @charon_udp_port@
-clearsilver_LIBS = @clearsilver_LIBS@
-datadir = @datadir@
-datarootdir = @datarootdir@
-dbusservicedir = @dbusservicedir@
-dev_headers = @dev_headers@
-docdir = @docdir@
-dvidir = @dvidir@
-exec_prefix = @exec_prefix@
-gtk_CFLAGS = @gtk_CFLAGS@
-gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
-host = @host@
-host_alias = @host_alias@
-host_cpu = @host_cpu@
-host_os = @host_os@
-host_vendor = @host_vendor@
-htmldir = @htmldir@
-imcvdir = @imcvdir@
-includedir = @includedir@
-infodir = @infodir@
-install_sh = @install_sh@
-ipsec_script = @ipsec_script@
-ipsec_script_upper = @ipsec_script_upper@
-ipsecdir = @ipsecdir@
-ipsecgroup = @ipsecgroup@
-ipseclibdir = @ipseclibdir@
-ipsecuser = @ipsecuser@
-libdir = @libdir@
-libexecdir = @libexecdir@
-linux_headers = @linux_headers@
-localedir = @localedir@
-localstatedir = @localstatedir@
-maemo_CFLAGS = @maemo_CFLAGS@
-maemo_LIBS = @maemo_LIBS@
-manager_plugins = @manager_plugins@
-mandir = @mandir@
-medsrv_plugins = @medsrv_plugins@
-mkdir_p = @mkdir_p@
-nm_CFLAGS = @nm_CFLAGS@
-nm_LIBS = @nm_LIBS@
-nm_ca_dir = @nm_ca_dir@
-nm_plugins = @nm_plugins@
-oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
-pcsclite_CFLAGS = @pcsclite_CFLAGS@
-pcsclite_LIBS = @pcsclite_LIBS@
-pdfdir = @pdfdir@
-piddir = @piddir@
-pki_plugins = @pki_plugins@
-plugindir = @plugindir@
-pool_plugins = @pool_plugins@
-prefix = @prefix@
-program_transform_name = @program_transform_name@
-psdir = @psdir@
-random_device = @random_device@
-resolv_conf = @resolv_conf@
-routing_table = @routing_table@
-routing_table_prio = @routing_table_prio@
-s_plugins = @s_plugins@
-sbindir = @sbindir@
-scepclient_plugins = @scepclient_plugins@
-scripts_plugins = @scripts_plugins@
-sharedstatedir = @sharedstatedir@
-soup_CFLAGS = @soup_CFLAGS@
-soup_LIBS = @soup_LIBS@
-srcdir = @srcdir@
-starter_plugins = @starter_plugins@
-strongswan_conf = @strongswan_conf@
-sysconfdir = @sysconfdir@
-systemdsystemunitdir = @systemdsystemunitdir@
-target_alias = @target_alias@
-top_build_prefix = @top_build_prefix@
-top_builddir = @top_builddir@
-top_srcdir = @top_srcdir@
-urandom_device = @urandom_device@
-xml_CFLAGS = @xml_CFLAGS@
-xml_LIBS = @xml_LIBS@
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
-	-I$(top_srcdir)/src/libcharon
-
-AM_CFLAGS = -rdynamic
-@MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-android.la
-@MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-android.la
-libstrongswan_android_la_SOURCES = \
-	android_plugin.c android_plugin.h \
-	android_service.c android_service.h \
-	android_handler.c android_handler.h \
-	android_creds.c android_creds.h
-
-libstrongswan_android_la_LDFLAGS = -module -avoid-version
-libstrongswan_android_la_LIBADD = -lcutils
-all: all-am
-
-.SUFFIXES:
-.SUFFIXES: .c .lo .o .obj
-$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
-	@for dep in $?; do \
-	  case '$(am__configure_deps)' in \
-	    *$$dep*) \
-	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
-	        && { if test -f $@; then exit 0; else break; fi; }; \
-	      exit 1;; \
-	  esac; \
-	done; \
-	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libcharon/plugins/android/Makefile'; \
-	$(am__cd) $(top_srcdir) && \
-	  $(AUTOMAKE) --gnu src/libcharon/plugins/android/Makefile
-.PRECIOUS: Makefile
-Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
-	@case '$?' in \
-	  *config.status*) \
-	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
-	  *) \
-	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
-	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
-	esac;
-
-$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
-	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
-
-$(top_srcdir)/configure:  $(am__configure_deps)
-	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
-$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
-	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
-$(am__aclocal_m4_deps):
-
-clean-noinstLTLIBRARIES:
-	-test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES)
-	@list='$(noinst_LTLIBRARIES)'; for p in $$list; do \
-	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
-	  test "$$dir" != "$$p" || dir=.; \
-	  echo "rm -f \"$${dir}/so_locations\""; \
-	  rm -f "$${dir}/so_locations"; \
-	done
-install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
-	@$(NORMAL_INSTALL)
-	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
-	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
-	list2=; for p in $$list; do \
-	  if test -f $$p; then \
-	    list2="$$list2 $$p"; \
-	  else :; fi; \
-	done; \
-	test -z "$$list2" || { \
-	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
-	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
-	}
-
-uninstall-pluginLTLIBRARIES:
-	@$(NORMAL_UNINSTALL)
-	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
-	for p in $$list; do \
-	  $(am__strip_dir) \
-	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \
-	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \
-	done
-
-clean-pluginLTLIBRARIES:
-	-test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES)
-	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
-	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
-	  test "$$dir" != "$$p" || dir=.; \
-	  echo "rm -f \"$${dir}/so_locations\""; \
-	  rm -f "$${dir}/so_locations"; \
-	done
-libstrongswan-android.la: $(libstrongswan_android_la_OBJECTS) $(libstrongswan_android_la_DEPENDENCIES) $(EXTRA_libstrongswan_android_la_DEPENDENCIES) 
-	$(libstrongswan_android_la_LINK) $(am_libstrongswan_android_la_rpath) $(libstrongswan_android_la_OBJECTS) $(libstrongswan_android_la_LIBADD) $(LIBS)
-
-mostlyclean-compile:
-	-rm -f *.$(OBJEXT)
-
-distclean-compile:
-	-rm -f *.tab.c
-
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/android_creds.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/android_handler.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/android_plugin.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/android_service.Plo@am__quote@
-
-.c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
-
-.c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
-
-.c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
-
-mostlyclean-libtool:
-	-rm -f *.lo
-
-clean-libtool:
-	-rm -rf .libs _libs
-
-ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
-	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
-	unique=`for i in $$list; do \
-	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
-	  done | \
-	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
-	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	mkid -fID $$unique
-tags: TAGS
-
-TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
-		$(TAGS_FILES) $(LISP)
-	set x; \
-	here=`pwd`; \
-	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
-	unique=`for i in $$list; do \
-	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
-	  done | \
-	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
-	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	shift; \
-	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
-	  test -n "$$unique" || unique=$$empty_fix; \
-	  if test $$# -gt 0; then \
-	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
-	      "$$@" $$unique; \
-	  else \
-	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
-	      $$unique; \
-	  fi; \
-	fi
-ctags: CTAGS
-CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
-		$(TAGS_FILES) $(LISP)
-	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
-	unique=`for i in $$list; do \
-	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
-	  done | \
-	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
-	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	test -z "$(CTAGS_ARGS)$$unique" \
-	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
-	     $$unique
-
-GTAGS:
-	here=`$(am__cd) $(top_builddir) && pwd` \
-	  && $(am__cd) $(top_srcdir) \
-	  && gtags -i $(GTAGS_ARGS) "$$here"
-
-distclean-tags:
-	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
-
-distdir: $(DISTFILES)
-	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
-	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
-	list='$(DISTFILES)'; \
-	  dist_files=`for file in $$list; do echo $$file; done | \
-	  sed -e "s|^$$srcdirstrip/||;t" \
-	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
-	case $$dist_files in \
-	  */*) $(MKDIR_P) `echo "$$dist_files" | \
-			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
-			   sort -u` ;; \
-	esac; \
-	for file in $$dist_files; do \
-	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
-	  if test -d $$d/$$file; then \
-	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
-	    if test -d "$(distdir)/$$file"; then \
-	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
-	    fi; \
-	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
-	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
-	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
-	    fi; \
-	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
-	  else \
-	    test -f "$(distdir)/$$file" \
-	    || cp -p $$d/$$file "$(distdir)/$$file" \
-	    || exit 1; \
-	  fi; \
-	done
-check-am: all-am
-check: check-am
-all-am: Makefile $(LTLIBRARIES)
-installdirs:
-	for dir in "$(DESTDIR)$(plugindir)"; do \
-	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
-	done
-install: install-am
-install-exec: install-exec-am
-install-data: install-data-am
-uninstall: uninstall-am
-
-install-am: all-am
-	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
-
-installcheck: installcheck-am
-install-strip:
-	if test -z '$(STRIP)'; then \
-	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	      install; \
-	else \
-	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
-	fi
-mostlyclean-generic:
-
-clean-generic:
-
-distclean-generic:
-	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
-	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
-
-maintainer-clean-generic:
-	@echo "This command is intended for maintainers to use"
-	@echo "it deletes files that may require special tools to rebuild."
-clean: clean-am
-
-clean-am: clean-generic clean-libtool clean-noinstLTLIBRARIES \
-	clean-pluginLTLIBRARIES mostlyclean-am
-
-distclean: distclean-am
-	-rm -rf ./$(DEPDIR)
-	-rm -f Makefile
-distclean-am: clean-am distclean-compile distclean-generic \
-	distclean-tags
-
-dvi: dvi-am
-
-dvi-am:
-
-html: html-am
-
-html-am:
-
-info: info-am
-
-info-am:
-
-install-data-am: install-pluginLTLIBRARIES
-
-install-dvi: install-dvi-am
-
-install-dvi-am:
-
-install-exec-am:
-
-install-html: install-html-am
-
-install-html-am:
-
-install-info: install-info-am
-
-install-info-am:
-
-install-man:
-
-install-pdf: install-pdf-am
-
-install-pdf-am:
-
-install-ps: install-ps-am
-
-install-ps-am:
-
-installcheck-am:
-
-maintainer-clean: maintainer-clean-am
-	-rm -rf ./$(DEPDIR)
-	-rm -f Makefile
-maintainer-clean-am: distclean-am maintainer-clean-generic
-
-mostlyclean: mostlyclean-am
-
-mostlyclean-am: mostlyclean-compile mostlyclean-generic \
-	mostlyclean-libtool
-
-pdf: pdf-am
-
-pdf-am:
-
-ps: ps-am
-
-ps-am:
-
-uninstall-am: uninstall-pluginLTLIBRARIES
-
-.MAKE: install-am install-strip
-
-.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
-	clean-libtool clean-noinstLTLIBRARIES clean-pluginLTLIBRARIES \
-	ctags distclean distclean-compile distclean-generic \
-	distclean-libtool distclean-tags distdir dvi dvi-am html \
-	html-am info info-am install install-am install-data \
-	install-data-am install-dvi install-dvi-am install-exec \
-	install-exec-am install-html install-html-am install-info \
-	install-info-am install-man install-pdf install-pdf-am \
-	install-pluginLTLIBRARIES install-ps install-ps-am \
-	install-strip installcheck installcheck-am installdirs \
-	maintainer-clean maintainer-clean-generic mostlyclean \
-	mostlyclean-compile mostlyclean-generic mostlyclean-libtool \
-	pdf pdf-am ps ps-am tags uninstall uninstall-am \
-	uninstall-pluginLTLIBRARIES
-
-
-# Tell versions [3.59,3.63) of GNU make to not export all variables.
-# Otherwise a system limit (for SysV at least) may be exceeded.
-.NOEXPORT:
diff --git a/src/libcharon/plugins/android/android_creds.c b/src/libcharon/plugins/android/android_creds.c
deleted file mode 100644
index 601c91e7b..000000000
--- a/src/libcharon/plugins/android/android_creds.c
+++ /dev/null
@@ -1,294 +0,0 @@
-/*
- * Copyright (C) 2010 Tobias Brunner
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include <keystore_get.h>
-
-#include "android_creds.h"
-
-#include <daemon.h>
-#include <threading/rwlock.h>
-
-typedef struct private_android_creds_t private_android_creds_t;
-
-/**
- * Private data of an android_creds_t object
- */
-struct private_android_creds_t {
-
-	/**
-	 * Public interface
-	 */
-	android_creds_t public;
-
-	/**
-	 * List of trusted certificates, certificate_t*
-	 */
-	linked_list_t *certs;
-
-	/**
-	 * User name (ID)
-	 */
-	identification_t *user;
-
-	/**
-	 * User password
-	 */
-	char *pass;
-
-	/**
-	 * read/write lock
-	 */
-	rwlock_t *lock;
-
-};
-
-/**
- * Certificate enumerator data
- */
-typedef struct {
-	private_android_creds_t *this;
-	key_type_t key;
-	identification_t *id;
-} cert_data_t;
-
-/**
- * Filter function for certificates enumerator
- */
-static bool cert_filter(cert_data_t *data, certificate_t **in,
-						certificate_t **out)
-{
-	certificate_t *cert = *in;
-	public_key_t *public;
-
-	public = cert->get_public_key(cert);
-	if (!public)
-	{
-		return FALSE;
-	}
-	if (data->key != KEY_ANY && public->get_type(public) != data->key)
-	{
-		public->destroy(public);
-		return FALSE;
-	}
-	if (data->id && data->id->get_type(data->id) == ID_KEY_ID &&
-		public->has_fingerprint(public, data->id->get_encoding(data->id)))
-	{
-		public->destroy(public);
-		*out = cert;
-		return TRUE;
-	}
-	public->destroy(public);
-	if (data->id && !cert->has_subject(cert, data->id))
-	{
-		return FALSE;
-	}
-	*out = cert;
-	return TRUE;
-}
-
-/**
- * Destroy certificate enumerator data
- */
-static void cert_data_destroy(cert_data_t *this)
-{
-	this->this->lock->unlock(this->this->lock);
-	free(this);
-}
-
-METHOD(credential_set_t, create_cert_enumerator, enumerator_t*,
-	   private_android_creds_t *this, certificate_type_t cert, key_type_t key,
-	   identification_t *id, bool trusted)
-{
-	if (cert == CERT_X509 || cert == CERT_ANY)
-	{
-		cert_data_t *data;
-		this->lock->read_lock(this->lock);
-		INIT(data, .this = this, .id = id, .key = key);
-		return enumerator_create_filter(
-						this->certs->create_enumerator(this->certs),
-						(void*)cert_filter, data, (void*)cert_data_destroy);
-	}
-	return NULL;
-}
-
-/**
- * Shared key enumerator implementation
- */
-typedef struct {
-	enumerator_t public;
-	private_android_creds_t *this;
-	shared_key_t *key;
-	bool done;
-} shared_enumerator_t;
-
-METHOD(enumerator_t, shared_enumerate, bool,
-	   shared_enumerator_t *this, shared_key_t **key, id_match_t *me,
-	   id_match_t *other)
-{
-	if (this->done)
-	{
-		return FALSE;
-	}
-	*key = this->key;
-	*me = ID_MATCH_PERFECT;
-	*other = ID_MATCH_ANY;
-	this->done = TRUE;
-	return TRUE;
-}
-
-METHOD(enumerator_t, shared_destroy, void,
-	   shared_enumerator_t *this)
-{
-	this->key->destroy(this->key);
-	this->this->lock->unlock(this->this->lock);
-	free(this);
-}
-
-METHOD(credential_set_t, create_shared_enumerator, enumerator_t*,
-	   private_android_creds_t *this, shared_key_type_t type,
-	   identification_t *me, identification_t *other)
-{
-	shared_enumerator_t *enumerator;
-
-	this->lock->read_lock(this->lock);
-
-	if (!this->user || !this->pass)
-	{
-		this->lock->unlock(this->lock);
-		return NULL;
-	}
-	if (type != SHARED_EAP && type != SHARED_IKE)
-	{
-		this->lock->unlock(this->lock);
-		return NULL;
-	}
-	if (me && !me->equals(me, this->user))
-	{
-		this->lock->unlock(this->lock);
-		return NULL;
-	}
-
-	INIT(enumerator,
-		.public = {
-			.enumerate = (void*)_shared_enumerate,
-			.destroy = _shared_destroy,
-		},
-		.this = this,
-		.done = FALSE,
-		.key = shared_key_create(type, chunk_clone(chunk_create(this->pass,
-												   strlen(this->pass)))),
-	);
-	return &enumerator->public;
-}
-
-METHOD(android_creds_t, add_certificate, bool,
-	   private_android_creds_t *this, char *name)
-{
-	certificate_t *cert = NULL;
-	bool status = FALSE;
-	chunk_t chunk;
-#ifdef KEYSTORE_MESSAGE_SIZE
-	/* most current interface, the eclair interface (without key length) is
-	 * currently not supported */
-	char value[KEYSTORE_MESSAGE_SIZE];
-	chunk.ptr = value;
-	chunk.len = keystore_get(name, strlen(name), chunk.ptr);
-	if (chunk.len > 0)
-#else
-	/* 1.6 interface, allocates memory */
-	chunk.ptr = keystore_get(name, &chunk.len);
-	if (chunk.ptr)
-#endif /* KEYSTORE_MESSAGE_SIZE */
-	{
-		cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
-								  BUILD_BLOB_PEM, chunk, BUILD_END);
-		if (cert)
-		{
-			this->lock->write_lock(this->lock);
-			this->certs->insert_last(this->certs, cert);
-			this->lock->unlock(this->lock);
-			status = TRUE;
-		}
-#ifndef KEYSTORE_MESSAGE_SIZE
-		free(chunk.ptr);
-#endif /* KEYSTORE_MESSAGE_SIZE */
-	}
-	return status;
-}
-
-METHOD(android_creds_t, set_username_password, void,
-	   private_android_creds_t *this, identification_t *id, char *password)
-{
-	this->lock->write_lock(this->lock);
-	DESTROY_IF(this->user);
-	this->user = id->clone(id);
-	free(this->pass);
-	this->pass = strdupnull(password);
-	this->lock->unlock(this->lock);
-}
-
-METHOD(android_creds_t, clear, void,
-	   private_android_creds_t *this)
-{
-	certificate_t *cert;
-	this->lock->write_lock(this->lock);
-	while (this->certs->remove_last(this->certs, (void**)&cert) == SUCCESS)
-	{
-		cert->destroy(cert);
-	}
-	DESTROY_IF(this->user);
-	free(this->pass);
-	this->user = NULL;
-	this->pass = NULL;
-	this->lock->unlock(this->lock);
-}
-
-METHOD(android_creds_t, destroy, void,
-	   private_android_creds_t *this)
-{
-	clear(this);
-	this->certs->destroy(this->certs);
-	this->lock->destroy(this->lock);
-	free(this);
-}
-
-/**
- * Described in header.
- */
-android_creds_t *android_creds_create()
-{
-	private_android_creds_t *this;
-
-	INIT(this,
-		.public = {
-			.set = {
-				.create_cert_enumerator = _create_cert_enumerator,
-				.create_shared_enumerator = _create_shared_enumerator,
-				.create_private_enumerator = (void*)return_null,
-				.create_cdp_enumerator = (void*)return_null,
-				.cache_cert = (void*)nop,
-			},
-			.add_certificate = _add_certificate,
-			.set_username_password = _set_username_password,
-			.clear = _clear,
-			.destroy = _destroy,
-		},
-		.certs = linked_list_create(),
-		.lock = rwlock_create(RWLOCK_TYPE_DEFAULT),
-	);
-
-	return &this->public;
-}
-
diff --git a/src/libcharon/plugins/android/android_creds.h b/src/libcharon/plugins/android/android_creds.h
deleted file mode 100644
index 0f7b8e0ea..000000000
--- a/src/libcharon/plugins/android/android_creds.h
+++ /dev/null
@@ -1,73 +0,0 @@
-/*
- * Copyright (C) 2010 Tobias Brunner
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup android_creds android_creds
- * @{ @ingroup android
- */
-
-#ifndef ANDROID_CREDS_H_
-#define ANDROID_CREDS_H_
-
-#include <credentials/credential_set.h>
-
-typedef struct android_creds_t android_creds_t;
-
-/**
- * Android credentials helper.
- */
-struct android_creds_t {
-
-	/**
-	 * Implements credential_set_t
-	 */
-	credential_set_t set;
-
-	/**
-	 * Add a trusted CA certificate from the Android keystore to serve by
-	 * this set.
-	 *
-	 * @param name		name/ID of the certificate in the keystore
-	 * @return			FALSE if the certificate does not exist or is invalid
-	 */
-	bool (*add_certificate)(android_creds_t *this, char *name);
-
-	/**
-	 * Set the username and password for authentication.
-	 *
-	 * @param id		ID of the user
-	 * @param password	password to use for authentication
-	 */
-	void (*set_username_password)(android_creds_t *this, identification_t *id,
-								  char *password);
-
-	/**
-	 * Clear the stored credentials.
-	 */
-	void (*clear)(android_creds_t *this);
-
-	/**
-	 * Destroy a android_creds instance.
-	 */
-	void (*destroy)(android_creds_t *this);
-
-};
-
-/**
- * Create an android_creds instance.
- */
-android_creds_t *android_creds_create();
-
-#endif /** ANDROID_CREDS_H_ @}*/
diff --git a/src/libcharon/plugins/android/android_handler.c b/src/libcharon/plugins/android/android_handler.c
deleted file mode 100644
index 29dbbbfd0..000000000
--- a/src/libcharon/plugins/android/android_handler.c
+++ /dev/null
@@ -1,240 +0,0 @@
-/*
- * Copyright (C) 2010-2011 Tobias Brunner
- * Copyright (C) 2010 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include "android_handler.h"
-
-#include <networking/host.h>
-#include <collections/linked_list.h>
-
-#include <cutils/properties.h>
-
-typedef struct private_android_handler_t private_android_handler_t;
-
-/**
- * Private data of an android_handler_t object.
- */
-struct private_android_handler_t {
-
-	/**
-	 * Public android_handler_t interface.
-	 */
-	android_handler_t public;
-
-	/**
-	 * List of registered DNS servers
-	 */
-	linked_list_t *dns;
-
-	/**
-	 * Whether the VPN frontend is used
-	 */
-	bool frontend;
-};
-
-/**
- * Prefixes to be used when installing DNS servers
- */
-#define DNS_PREFIX_DEFAULT  "net"
-#define DNS_PREFIX_FRONTEND "vpn"
-
-/**
- * Struct to store a pair of old and installed DNS servers
- */
-typedef struct {
-	/** installed dns server */
-	host_t *dns;
-	/** old dns server */
-	host_t *old;
-} dns_pair_t;
-
-/**
- * Destroy a pair of old and installed DNS servers
- */
-void destroy_dns_pair(dns_pair_t *this)
-{
-	DESTROY_IF(this->dns);
-	DESTROY_IF(this->old);
-	free(this);
-}
-
-/**
- * Filter pairs of DNS servers
- */
-bool filter_dns_pair(void *data, dns_pair_t **in, host_t **out)
-{
-	*out = (*in)->dns;
-	return TRUE;
-}
-
-/**
- * Read DNS server property with a given index
- */
-host_t *get_dns_server(private_android_handler_t *this, int index)
-{
-	host_t *dns = NULL;
-	char key[10], value[PROPERTY_VALUE_MAX],
-		 *prefix = this->frontend ? DNS_PREFIX_FRONTEND : DNS_PREFIX_DEFAULT;
-
-	if (snprintf(key, sizeof(key), "%s.dns%d", prefix, index) >= sizeof(key))
-	{
-		return NULL;
-	}
-
-	if (property_get(key, value, NULL) > 0)
-	{
-		dns = host_create_from_string(value, 0);
-	}
-	return dns;
-}
-
-/**
- * Set DNS server property with a given index
- */
-bool set_dns_server(private_android_handler_t *this, int index, host_t *dns)
-{
-	char key[10], value[PROPERTY_VALUE_MAX],
-		 *prefix = this->frontend ? DNS_PREFIX_FRONTEND : DNS_PREFIX_DEFAULT;
-
-	if (snprintf(key, sizeof(key), "%s.dns%d", prefix, index) >= sizeof(key))
-	{
-		return FALSE;
-	}
-
-	if (dns)
-	{
-		if (snprintf(value, sizeof(value), "%H", dns) >= sizeof(value))
-		{
-			return FALSE;
-		}
-	}
-	else
-	{
-		value[0] = '\0';
-	}
-
-	if (property_set(key, value) != 0)
-	{
-		return FALSE;
-	}
-	return TRUE;
-}
-
-METHOD(attribute_handler_t, handle, bool,
-	private_android_handler_t *this, identification_t *id,
-	configuration_attribute_type_t type, chunk_t data)
-{
-	switch (type)
-	{
-		case INTERNAL_IP4_DNS:
-		{
-			host_t *dns;
-			dns_pair_t *pair;
-			int index;
-
-			dns = host_create_from_chunk(AF_INET, data, 0);
-			if (dns)
-			{
-				pair = malloc_thing(dns_pair_t);
-				pair->dns = dns;
-				index = this->dns->get_count(this->dns) + 1;
-				pair->old = get_dns_server(this, index);
-				set_dns_server(this, index, dns);
-				this->dns->insert_last(this->dns, pair);
-				return TRUE;
-			}
-			return FALSE;
-		}
-		default:
-			return FALSE;
-	}
-}
-
-METHOD(attribute_handler_t, release, void,
-	private_android_handler_t *this, identification_t *server,
-	configuration_attribute_type_t type, chunk_t data)
-{
-	if (type == INTERNAL_IP4_DNS)
-	{
-		enumerator_t *enumerator;
-		dns_pair_t *pair;
-		int index;
-
-		enumerator = this->dns->create_enumerator(this->dns);
-		for (index = 1; enumerator->enumerate(enumerator, &pair); index++)
-		{
-			if (chunk_equals(pair->dns->get_address(pair->dns), data))
-			{
-				this->dns->remove_at(this->dns, enumerator);
-				set_dns_server(this, index, pair->old);
-				destroy_dns_pair(pair);
-			}
-		}
-		enumerator->destroy(enumerator);
-	}
-}
-
-METHOD(enumerator_t, enumerate_dns, bool,
-	enumerator_t *this, configuration_attribute_type_t *type, chunk_t *data)
-{
-	*type = INTERNAL_IP4_DNS;
-	*data = chunk_empty;
-	/* stop enumeration */
-	this->enumerate = (void*)return_false;
-	return TRUE;
-}
-
-METHOD(attribute_handler_t, create_attribute_enumerator, enumerator_t *,
-	android_handler_t *this, identification_t *id, linked_list_t *vips)
-{
-	enumerator_t *enumerator;
-
-	INIT(enumerator,
-		.enumerate = (void*)_enumerate_dns,
-		.destroy = (void*)free,
-	);
-	return enumerator;
-}
-
-METHOD(android_handler_t, destroy, void,
-	private_android_handler_t *this)
-{
-	this->dns->destroy_function(this->dns, (void*)destroy_dns_pair);
-	free(this);
-}
-
-/**
- * See header
- */
-android_handler_t *android_handler_create(bool frontend)
-{
-	private_android_handler_t *this;
-
-	INIT(this,
-		.public = {
-			.handler = {
-				.handle = _handle,
-				.release = _release,
-				.create_attribute_enumerator = _create_attribute_enumerator,
-			},
-			.destroy = _destroy,
-		},
-		.dns = linked_list_create(),
-		.frontend = frontend,
-	);
-
-	return &this->public;
-}
-
diff --git a/src/libcharon/plugins/android/android_handler.h b/src/libcharon/plugins/android/android_handler.h
deleted file mode 100644
index 0170958ee..000000000
--- a/src/libcharon/plugins/android/android_handler.h
+++ /dev/null
@@ -1,52 +0,0 @@
-/*
- * Copyright (C) 2010-2011 Tobias Brunner
- * Copyright (C) 2010 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup android_handler android_handler
- * @{ @ingroup android
- */
-
-#ifndef ANDROID_HANDLER_H_
-#define ANDROID_HANDLER_H_
-
-#include <attributes/attribute_handler.h>
-
-typedef struct android_handler_t android_handler_t;
-
-/**
- * Android specific DNS attribute handler.
- */
-struct android_handler_t {
-
-	/**
-	 * Implements attribute_handler_t.
-	 */
-	attribute_handler_t handler;
-
-	/**
-	 * Destroy a android_handler_t.
-	 */
-	void (*destroy)(android_handler_t *this);
-};
-
-/**
- * Create a android_handler instance.
- *
- * @param frontend		TRUE if the VPN frontend is used
- */
-android_handler_t *android_handler_create(bool frontend);
-
-#endif /** ANDROID_HANDLER_H_ @}*/
diff --git a/src/libcharon/plugins/android/android_plugin.c b/src/libcharon/plugins/android/android_plugin.c
deleted file mode 100644
index c0f58e9b4..000000000
--- a/src/libcharon/plugins/android/android_plugin.c
+++ /dev/null
@@ -1,97 +0,0 @@
-/*
- * Copyright (C) 2010 Tobias Brunner
- * Copyright (C) 2010 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include "android_plugin.h"
-#include "android_handler.h"
-#include "android_creds.h"
-#include "android_service.h"
-
-#include <hydra.h>
-#include <daemon.h>
-
-typedef struct private_android_plugin_t private_android_plugin_t;
-
-/**
- * Private data of an android_plugin_t object.
- */
-struct private_android_plugin_t {
-
-	/**
-	 * Public android_plugin_t interface.
-	 */
-	android_plugin_t public;
-
-	/**
-	 * Android specific DNS handler
-	 */
-	android_handler_t *handler;
-
-	/**
-	 * Android specific credential set
-	 */
-	android_creds_t *creds;
-
-	/**
-	 * Service that interacts with the Android Settings frontend
-	 */
-	android_service_t *service;
-};
-
-METHOD(plugin_t, get_name, char*,
-	private_android_plugin_t *this)
-{
-	return "android";
-}
-
-METHOD(plugin_t, destroy, void,
-	private_android_plugin_t *this)
-{
-	hydra->attributes->remove_handler(hydra->attributes,
-									  &this->handler->handler);
-	lib->credmgr->remove_set(lib->credmgr, &this->creds->set);
-	this->creds->destroy(this->creds);
-	this->handler->destroy(this->handler);
-	DESTROY_IF(this->service);
-	free(this);
-}
-
-/**
- * See header
- */
-plugin_t *android_plugin_create()
-{
-	private_android_plugin_t *this;
-
-	INIT(this,
-		.public = {
-			.plugin = {
-				.get_name = _get_name,
-				.reload = (void*)return_false,
-				.destroy = _destroy,
-			},
-		},
-		.creds = android_creds_create(),
-	);
-
-	this->service = android_service_create(this->creds);
-	this->handler = android_handler_create(this->service != NULL);
-
-	lib->credmgr->add_set(lib->credmgr, &this->creds->set);
-	hydra->attributes->add_handler(hydra->attributes, &this->handler->handler);
-
-	return &this->public.plugin;
-}
-
diff --git a/src/libcharon/plugins/android/android_plugin.h b/src/libcharon/plugins/android/android_plugin.h
deleted file mode 100644
index 987f2aa37..000000000
--- a/src/libcharon/plugins/android/android_plugin.h
+++ /dev/null
@@ -1,42 +0,0 @@
-/*
- * Copyright (C) 2010 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup android android
- * @ingroup cplugins
- *
- * @defgroup android_plugin android_plugin
- * @{ @ingroup android
- */
-
-#ifndef ANDROID_PLUGIN_H_
-#define ANDROID_PLUGIN_H_
-
-#include <plugins/plugin.h>
-
-typedef struct android_plugin_t android_plugin_t;
-
-/**
- * Plugin providing functionality specific to the Android platform.
- */
-struct android_plugin_t {
-
-	/**
-	 * Implements plugin interface.
-	 */
-	plugin_t plugin;
-};
-
-#endif /** ANDROID_PLUGIN_H_ @}*/
diff --git a/src/libcharon/plugins/android/android_service.c b/src/libcharon/plugins/android/android_service.c
deleted file mode 100644
index 6af35e5df..000000000
--- a/src/libcharon/plugins/android/android_service.c
+++ /dev/null
@@ -1,389 +0,0 @@
-/*
- * Copyright (C) 2010 Tobias Brunner
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include <unistd.h>
-#include <cutils/sockets.h>
-#include <cutils/properties.h>
-#include <signal.h>
-
-#include "android_service.h"
-
-#include <daemon.h>
-#include <threading/thread.h>
-#include <processing/jobs/callback_job.h>
-
-typedef struct private_android_service_t private_android_service_t;
-
-/**
- * private data of Android service
- */
-struct private_android_service_t {
-
-	/**
-	 * public interface
-	 */
-	android_service_t public;
-
-	/**
-	 * current IKE_SA
-	 */
-	ike_sa_t *ike_sa;
-
-	/**
-	 * android credentials
-	 */
-	android_creds_t *creds;
-
-	/**
-	 * android control socket
-	 */
-	int control;
-
-};
-
-/**
- * Some of the error codes defined in VpnManager.java
- */
-typedef enum {
-	/** Error code to indicate an error from authentication. */
-	VPN_ERROR_AUTH = 51,
-	/** Error code to indicate the connection attempt failed. */
-	VPN_ERROR_CONNECTION_FAILED = 101,
-	/** Error code to indicate an error of remote server hanging up. */
-	VPN_ERROR_REMOTE_HUNG_UP = 7,
-	/** Error code to indicate an error of losing connectivity. */
-	VPN_ERROR_CONNECTION_LOST = 103,
-} android_vpn_errors_t;
-
-/**
- * send a status code back to the Android app
- */
-static void send_status(private_android_service_t *this, u_char code)
-{
-	DBG1(DBG_CFG, "status of Android plugin changed: %d", code);
-	send(this->control, &code, 1, 0);
-}
-
-METHOD(listener_t, ike_updown, bool,
-	   private_android_service_t *this, ike_sa_t *ike_sa, bool up)
-{
-	/* this callback is only registered during initiation, so if the IKE_SA
-	 * goes down we assume an authentication error */
-	if (this->ike_sa == ike_sa && !up)
-	{
-		send_status(this, VPN_ERROR_AUTH);
-		return FALSE;
-	}
-	return TRUE;
-}
-
-METHOD(listener_t, child_state_change, bool,
-	   private_android_service_t *this, ike_sa_t *ike_sa, child_sa_t *child_sa,
-	   child_sa_state_t state)
-{
-	/* this callback is only registered during initiation, so we still have
-	 * the control socket open */
-	if (this->ike_sa == ike_sa && state == CHILD_DESTROYING)
-	{
-		send_status(this, VPN_ERROR_CONNECTION_FAILED);
-		return FALSE;
-	}
-	return TRUE;
-}
-
-/**
- * Callback used to shutdown the daemon
- */
-static job_requeue_t shutdown_callback(void *data)
-{
-	kill(0, SIGTERM);
-	return JOB_REQUEUE_NONE;
-}
-
-METHOD(listener_t, child_updown, bool,
-	   private_android_service_t *this, ike_sa_t *ike_sa, child_sa_t *child_sa,
-	   bool up)
-{
-	if (this->ike_sa == ike_sa)
-	{
-		if (up)
-		{
-			/* disable the hooks registered to catch initiation failures */
-			this->public.listener.ike_updown = NULL;
-			this->public.listener.child_state_change = NULL;
-			property_set("vpn.status", "ok");
-		}
-		else
-		{
-			callback_job_t *job;
-			/* the control socket is closed as soon as vpn.status is set to "ok"
-			 * and the daemon proxy then only checks for terminated daemons to
-			 * detect lost connections, so... */
-			DBG1(DBG_CFG, "connection lost, raising delayed SIGTERM");
-			/* to avoid any conflicts we send the SIGTERM not directly from this
-			 * callback, but from a different thread. we also delay it to avoid
-			 * a race condition during a regular shutdown */
-			job = callback_job_create(shutdown_callback, NULL, NULL, NULL);
-			lib->scheduler->schedule_job(lib->scheduler, (job_t*)job, 1);
-			return FALSE;
-		}
-	}
-	return TRUE;
-}
-
-METHOD(listener_t, ike_rekey, bool,
-	   private_android_service_t *this, ike_sa_t *old, ike_sa_t *new)
-{
-	if (this->ike_sa == old)
-	{
-		this->ike_sa = new;
-	}
-	return TRUE;
-}
-
-/**
- * Read a string argument from the Android control socket
- */
-static char *read_argument(int fd, u_char length)
-{
-	int offset = 0;
-	char *data = malloc(length + 1);
-	while (offset < length)
-	{
-		int n = recv(fd, &data[offset], length - offset, 0);
-		if (n < 0)
-		{
-			DBG1(DBG_CFG, "failed to read argument from Android"
-				 " control socket: %s", strerror(errno));
-			free(data);
-			return NULL;
-		}
-		offset += n;
-	}
-	data[length] = '\0';
-	DBG3(DBG_CFG, "received argument from Android control socket: %s", data);
-	return data;
-}
-
-/**
- * handle the request received from the Android control socket
- */
-static job_requeue_t initiate(private_android_service_t *this)
-{
-	bool oldstate;
-	int fd, i = 0;
-	char *hostname = NULL, *cacert = NULL, *username = NULL, *password = NULL;
-	identification_t *gateway = NULL, *user = NULL;
-	ike_cfg_t *ike_cfg;
-	peer_cfg_t *peer_cfg;
-	child_cfg_t *child_cfg;
-	traffic_selector_t *ts;
-	ike_sa_t *ike_sa;
-	auth_cfg_t *auth;
-	lifetime_cfg_t lifetime = {
-		.time = {
-			.life = 10800, /* 3h */
-			.rekey = 10200, /* 2h50min */
-			.jitter = 300 /* 5min */
-		}
-	};
-
-	fd = accept(this->control, NULL, 0);
-	if (fd < 0)
-	{
-		DBG1(DBG_CFG, "accept on Android control socket failed: %s",
-			 strerror(errno));
-		return JOB_REQUEUE_NONE;
-	}
-	/* the original control socket is not used anymore */
-	close(this->control);
-	this->control = fd;
-
-	while (TRUE)
-	{
-		u_char length;
-		if (recv(fd, &length, 1, 0) != 1)
-		{
-			DBG1(DBG_CFG, "failed to read from Android control socket: %s",
-				 strerror(errno));
-			return JOB_REQUEUE_NONE;
-		}
-
-		if (length == 0xFF)
-		{	/* last argument */
-			break;
-		}
-		else
-		{
-			switch (i++)
-			{
-				case 0: /* gateway */
-					hostname = read_argument(fd, length);
-					break;
-				case 1: /* CA certificate name */
-					cacert = read_argument(fd, length);
-					break;
-				case 2: /* username */
-					username = read_argument(fd, length);
-					break;
-				case 3: /* password */
-					password = read_argument(fd, length);
-					break;
-			}
-		}
-	}
-
-	if (cacert)
-	{
-		if (!this->creds->add_certificate(this->creds, cacert))
-		{
-			DBG1(DBG_CFG, "failed to load CA certificate");
-		}
-		/* if this is a server cert we could use the cert subject as id
-		 * but we have to test first if that possible to configure */
-	}
-
-	gateway = identification_create_from_string(hostname);
-	DBG1(DBG_CFG, "using CA certificate, gateway identitiy '%Y'", gateway);
-
-	if (username)
-	{
-		user = identification_create_from_string(username);
-		this->creds->set_username_password(this->creds, user, password);
-	}
-
-	ike_cfg = ike_cfg_create(IKEV2, TRUE, FALSE, "0.0.0.0", FALSE,
-							 charon->socket->get_port(charon->socket, FALSE),
-							 hostname, FALSE, IKEV2_UDP_PORT, FRAGMENTATION_NO);
-	ike_cfg->add_proposal(ike_cfg, proposal_create_default(PROTO_IKE));
-
-	peer_cfg = peer_cfg_create("android", ike_cfg, CERT_SEND_IF_ASKED,
-							   UNIQUE_REPLACE, 1, /* keyingtries */
-							   36000, 0, /* rekey 10h, reauth none */
-							   600, 600, /* jitter, over 10min */
-							   TRUE, FALSE, /* mobike, aggressive */
-							   0, 0, /* DPD delay, timeout */
-							   FALSE, NULL, NULL); /* mediation */
-	peer_cfg->add_virtual_ip(peer_cfg,  host_create_from_string("0.0.0.0", 0));
-
-	auth = auth_cfg_create();
-	auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_EAP);
-	auth->add(auth, AUTH_RULE_IDENTITY, user);
-	peer_cfg->add_auth_cfg(peer_cfg, auth, TRUE);
-	auth = auth_cfg_create();
-	auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PUBKEY);
-	auth->add(auth, AUTH_RULE_IDENTITY, gateway);
-	peer_cfg->add_auth_cfg(peer_cfg, auth, FALSE);
-
-	child_cfg = child_cfg_create("android", &lifetime, NULL, TRUE, MODE_TUNNEL,
-								 ACTION_NONE, ACTION_NONE, ACTION_NONE, FALSE,
-								 0, 0, NULL, NULL, 0);
-	child_cfg->add_proposal(child_cfg, proposal_create_default(PROTO_ESP));
-	ts = traffic_selector_create_dynamic(0, 0, 65535);
-	child_cfg->add_traffic_selector(child_cfg, TRUE, ts);
-	ts = traffic_selector_create_from_string(0, TS_IPV4_ADDR_RANGE, "0.0.0.0",
-											 0, "255.255.255.255", 65535);
-	child_cfg->add_traffic_selector(child_cfg, FALSE, ts);
-	peer_cfg->add_child_cfg(peer_cfg, child_cfg);
-
-	/* get us an IKE_SA */
-	ike_sa = charon->ike_sa_manager->checkout_by_config(charon->ike_sa_manager,
-														peer_cfg);
-	if (!ike_sa)
-	{
-		peer_cfg->destroy(peer_cfg);
-		send_status(this, VPN_ERROR_CONNECTION_FAILED);
-		return JOB_REQUEUE_NONE;
-	}
-
-	if (!ike_sa->get_peer_cfg(ike_sa))
-	{
-		ike_sa->set_peer_cfg(ike_sa, peer_cfg);
-	}
-	peer_cfg->destroy(peer_cfg);
-
-	/* store the IKE_SA so we can track its progress */
-	this->ike_sa = ike_sa;
-
-	/* confirm that we received the request */
-	send_status(this, i);
-
-	/* get an additional reference because initiate consumes one */
-	child_cfg->get_ref(child_cfg);
-	if (ike_sa->initiate(ike_sa, child_cfg, 0, NULL, NULL) != SUCCESS)
-	{
-		DBG1(DBG_CFG, "failed to initiate tunnel");
-		charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager,
-													ike_sa);
-		send_status(this, VPN_ERROR_CONNECTION_FAILED);
-		return JOB_REQUEUE_NONE;
-	}
-	charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa);
-	return JOB_REQUEUE_NONE;
-}
-
-METHOD(android_service_t, destroy, void,
-	   private_android_service_t *this)
-{
-	charon->bus->remove_listener(charon->bus, &this->public.listener);
-	close(this->control);
-	free(this);
-}
-
-/**
- * See header
- */
-android_service_t *android_service_create(android_creds_t *creds)
-{
-	private_android_service_t *this;
-
-	INIT(this,
-		.public = {
-			.listener = {
-				.ike_updown = _ike_updown,
-				.child_state_change = _child_state_change,
-				.child_updown = _child_updown,
-				.ike_rekey = _ike_rekey,
-			},
-			.destroy = _destroy,
-		},
-		.creds = creds,
-	);
-
-	this->control = android_get_control_socket("charon");
-	if (this->control == -1)
-	{
-		DBG1(DBG_CFG, "failed to get Android control socket");
-		free(this);
-		return NULL;
-	}
-
-	if (listen(this->control, 1) < 0)
-	{
-		DBG1(DBG_CFG, "failed to listen on Android control socket: %s",
-			 strerror(errno));
-		close(this->control);
-		free(this);
-		return NULL;
-	}
-
-	charon->bus->add_listener(charon->bus, &this->public.listener);
-	lib->processor->queue_job(lib->processor,
-		(job_t*)callback_job_create((callback_job_cb_t)initiate, this,
-									NULL, NULL));
-
-	return &this->public;
-}
-
diff --git a/src/libcharon/plugins/android/android_service.h b/src/libcharon/plugins/android/android_service.h
deleted file mode 100644
index d096d6cd5..000000000
--- a/src/libcharon/plugins/android/android_service.h
+++ /dev/null
@@ -1,54 +0,0 @@
-/*
- * Copyright (C) 2010 Tobias Brunner
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup android_service android_service
- * @{ @ingroup android
- */
-
-#ifndef ANDROID_SERVICE_H_
-#define ANDROID_SERVICE_H_
-
-typedef struct android_service_t android_service_t;
-
-#include <bus/listeners/listener.h>
-
-#include "android_creds.h"
-
-/**
- * Service that interacts with the Android Settings frontend.
- */
-struct android_service_t {
-
-	/**
-	 * Implements listener_t.
-	 */
-	listener_t listener;
-
-	/**
-	 * Destroy a android_service_t.
-	 */
-	void (*destroy)(android_service_t *this);
-
-};
-
-/**
- * Create an Android service instance.
- *
- * @param creds		Android credentials
- */
-android_service_t *android_service_create(android_creds_t *creds);
-
-#endif /** ANDROID_SERVICE_H_ @}*/
diff --git a/src/libcharon/plugins/android_dns/Makefile.am b/src/libcharon/plugins/android_dns/Makefile.am
new file mode 100644
index 000000000..0d25f11d7
--- /dev/null
+++ b/src/libcharon/plugins/android_dns/Makefile.am
@@ -0,0 +1,18 @@
+
+INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon
+
+AM_CFLAGS = -rdynamic
+
+if MONOLITHIC
+noinst_LTLIBRARIES = libstrongswan-android-dns.la
+else
+plugin_LTLIBRARIES = libstrongswan-android-dns.la
+endif
+
+libstrongswan_android_dns_la_SOURCES = \
+	android_dns_plugin.c android_dns_plugin.h \
+	android_dns_handler.c android_dns_handler.h
+
+libstrongswan_android_dns_la_LDFLAGS = -module -avoid-version
+libstrongswan_android_dns_la_LIBADD  = -lcutils
\ No newline at end of file
diff --git a/src/libcharon/plugins/android_dns/Makefile.in b/src/libcharon/plugins/android_dns/Makefile.in
new file mode 100644
index 000000000..4a76714d2
--- /dev/null
+++ b/src/libcharon/plugins/android_dns/Makefile.in
@@ -0,0 +1,660 @@
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
+pkgdatadir = $(datadir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+subdir = src/libcharon/plugins/android_dns
+DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+	$(top_srcdir)/m4/config/ltoptions.m4 \
+	$(top_srcdir)/m4/config/ltsugar.m4 \
+	$(top_srcdir)/m4/config/ltversion.m4 \
+	$(top_srcdir)/m4/config/lt~obsolete.m4 \
+	$(top_srcdir)/m4/macros/with.m4 \
+	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
+	$(top_srcdir)/configure.in
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+	$(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_HEADER = $(top_builddir)/config.h
+CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+    *) f=$$p;; \
+  esac;
+am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
+am__install_max = 40
+am__nobase_strip_setup = \
+  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
+am__nobase_strip = \
+  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
+am__nobase_list = $(am__nobase_strip_setup); \
+  for p in $$list; do echo "$$p $$p"; done | \
+  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
+  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
+    if (++n[$$2] == $(am__install_max)) \
+      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
+    END { for (dir in files) print dir, files[dir] }'
+am__base_list = \
+  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
+  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
+am__installdirs = "$(DESTDIR)$(plugindir)"
+LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
+libstrongswan_android_dns_la_DEPENDENCIES =
+am_libstrongswan_android_dns_la_OBJECTS = android_dns_plugin.lo \
+	android_dns_handler.lo
+libstrongswan_android_dns_la_OBJECTS =  \
+	$(am_libstrongswan_android_dns_la_OBJECTS)
+libstrongswan_android_dns_la_LINK = $(LIBTOOL) --tag=CC \
+	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
+	$(AM_CFLAGS) $(CFLAGS) $(libstrongswan_android_dns_la_LDFLAGS) \
+	$(LDFLAGS) -o $@
+@MONOLITHIC_FALSE@am_libstrongswan_android_dns_la_rpath = -rpath \
+@MONOLITHIC_FALSE@	$(plugindir)
+@MONOLITHIC_TRUE@am_libstrongswan_android_dns_la_rpath =
+DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
+depcomp = $(SHELL) $(top_srcdir)/depcomp
+am__depfiles_maybe = depfiles
+am__mv = mv -f
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
+	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CCLD = $(CC)
+LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
+	$(LDFLAGS) -o $@
+SOURCES = $(libstrongswan_android_dns_la_SOURCES)
+DIST_SOURCES = $(libstrongswan_android_dns_la_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
+ETAGS = etags
+CTAGS = ctags
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
+AMTAR = @AMTAR@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+BFDLIB = @BFDLIB@
+BTLIB = @BTLIB@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
+DSYMUTIL = @DSYMUTIL@
+DUMPBIN = @DUMPBIN@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+FGREP = @FGREP@
+GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
+GREP = @GREP@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LD = @LD@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LIPO = @LIPO@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
+MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
+NM = @NM@
+NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
+PTHREADLIB = @PTHREADLIB@
+RANLIB = @RANLIB@
+RTLIB = @RTLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
+SED = @SED@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
+STRIP = @STRIP@
+VERSION = @VERSION@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+attest_plugins = @attest_plugins@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+c_plugins = @c_plugins@
+charon_natt_port = @charon_natt_port@
+charon_plugins = @charon_plugins@
+charon_udp_port = @charon_udp_port@
+clearsilver_LIBS = @clearsilver_LIBS@
+datadir = @datadir@
+datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
+dev_headers = @dev_headers@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+gtk_CFLAGS = @gtk_CFLAGS@
+gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+imcvdir = @imcvdir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+ipsec_script = @ipsec_script@
+ipsec_script_upper = @ipsec_script_upper@
+ipsecdir = @ipsecdir@
+ipsecgroup = @ipsecgroup@
+ipseclibdir = @ipseclibdir@
+ipsecuser = @ipsecuser@
+libdir = @libdir@
+libexecdir = @libexecdir@
+linux_headers = @linux_headers@
+localedir = @localedir@
+localstatedir = @localstatedir@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
+mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
+mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
+nm_plugins = @nm_plugins@
+oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+pcsclite_CFLAGS = @pcsclite_CFLAGS@
+pcsclite_LIBS = @pcsclite_LIBS@
+pdfdir = @pdfdir@
+piddir = @piddir@
+pki_plugins = @pki_plugins@
+plugindir = @plugindir@
+pool_plugins = @pool_plugins@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+random_device = @random_device@
+resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
+sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
+sharedstatedir = @sharedstatedir@
+soup_CFLAGS = @soup_CFLAGS@
+soup_LIBS = @soup_LIBS@
+srcdir = @srcdir@
+starter_plugins = @starter_plugins@
+strongswan_conf = @strongswan_conf@
+sysconfdir = @sysconfdir@
+systemdsystemunitdir = @systemdsystemunitdir@
+target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+urandom_device = @urandom_device@
+xml_CFLAGS = @xml_CFLAGS@
+xml_LIBS = @xml_LIBS@
+INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon
+
+AM_CFLAGS = -rdynamic
+@MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-android-dns.la
+@MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-android-dns.la
+libstrongswan_android_dns_la_SOURCES = \
+	android_dns_plugin.c android_dns_plugin.h \
+	android_dns_handler.c android_dns_handler.h
+
+libstrongswan_android_dns_la_LDFLAGS = -module -avoid-version
+libstrongswan_android_dns_la_LIBADD = -lcutils
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .c .lo .o .obj
+$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
+	@for dep in $?; do \
+	  case '$(am__configure_deps)' in \
+	    *$$dep*) \
+	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+	        && { if test -f $@; then exit 0; else break; fi; }; \
+	      exit 1;; \
+	  esac; \
+	done; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libcharon/plugins/android_dns/Makefile'; \
+	$(am__cd) $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu src/libcharon/plugins/android_dns/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+	@case '$?' in \
+	  *config.status*) \
+	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+	  *) \
+	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+	esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure:  $(am__configure_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
+
+clean-noinstLTLIBRARIES:
+	-test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES)
+	@list='$(noinst_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
+	@$(NORMAL_INSTALL)
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	list2=; for p in $$list; do \
+	  if test -f $$p; then \
+	    list2="$$list2 $$p"; \
+	  else :; fi; \
+	done; \
+	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
+	}
+
+uninstall-pluginLTLIBRARIES:
+	@$(NORMAL_UNINSTALL)
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	for p in $$list; do \
+	  $(am__strip_dir) \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \
+	done
+
+clean-pluginLTLIBRARIES:
+	-test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES)
+	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+libstrongswan-android-dns.la: $(libstrongswan_android_dns_la_OBJECTS) $(libstrongswan_android_dns_la_DEPENDENCIES) $(EXTRA_libstrongswan_android_dns_la_DEPENDENCIES) 
+	$(libstrongswan_android_dns_la_LINK) $(am_libstrongswan_android_dns_la_rpath) $(libstrongswan_android_dns_la_OBJECTS) $(libstrongswan_android_dns_la_LIBADD) $(LIBS)
+
+mostlyclean-compile:
+	-rm -f *.$(OBJEXT)
+
+distclean-compile:
+	-rm -f *.tab.c
+
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/android_dns_handler.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/android_dns_plugin.Plo@am__quote@
+
+.c.o:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+
+.c.obj:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+
+.c.lo:
+@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	mkid -fID $$unique
+tags: TAGS
+
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	set x; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	shift; \
+	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
+	  test -n "$$unique" || unique=$$empty_fix; \
+	  if test $$# -gt 0; then \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      "$$@" $$unique; \
+	  else \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      $$unique; \
+	  fi; \
+	fi
+ctags: CTAGS
+CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	test -z "$(CTAGS_ARGS)$$unique" \
+	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+	     $$unique
+
+GTAGS:
+	here=`$(am__cd) $(top_builddir) && pwd` \
+	  && $(am__cd) $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) "$$here"
+
+distclean-tags:
+	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+distdir: $(DISTFILES)
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
+	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d "$(distdir)/$$file"; then \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
+	  else \
+	    test -f "$(distdir)/$$file" \
+	    || cp -p $$d/$$file "$(distdir)/$$file" \
+	    || exit 1; \
+	  fi; \
+	done
+check-am: all-am
+check: check-am
+all-am: Makefile $(LTLIBRARIES)
+installdirs:
+	for dir in "$(DESTDIR)$(plugindir)"; do \
+	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
+	done
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
+
+maintainer-clean-generic:
+	@echo "This command is intended for maintainers to use"
+	@echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-generic clean-libtool clean-noinstLTLIBRARIES \
+	clean-pluginLTLIBRARIES mostlyclean-am
+
+distclean: distclean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+	distclean-tags
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+html-am:
+
+info: info-am
+
+info-am:
+
+install-data-am: install-pluginLTLIBRARIES
+
+install-dvi: install-dvi-am
+
+install-dvi-am:
+
+install-exec-am:
+
+install-html: install-html-am
+
+install-html-am:
+
+install-info: install-info-am
+
+install-info-am:
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-pdf-am:
+
+install-ps: install-ps-am
+
+install-ps-am:
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+	mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am: uninstall-pluginLTLIBRARIES
+
+.MAKE: install-am install-strip
+
+.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
+	clean-libtool clean-noinstLTLIBRARIES clean-pluginLTLIBRARIES \
+	ctags distclean distclean-compile distclean-generic \
+	distclean-libtool distclean-tags distdir dvi dvi-am html \
+	html-am info info-am install install-am install-data \
+	install-data-am install-dvi install-dvi-am install-exec \
+	install-exec-am install-html install-html-am install-info \
+	install-info-am install-man install-pdf install-pdf-am \
+	install-pluginLTLIBRARIES install-ps install-ps-am \
+	install-strip installcheck installcheck-am installdirs \
+	maintainer-clean maintainer-clean-generic mostlyclean \
+	mostlyclean-compile mostlyclean-generic mostlyclean-libtool \
+	pdf pdf-am ps ps-am tags uninstall uninstall-am \
+	uninstall-pluginLTLIBRARIES
+
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/src/libcharon/plugins/android_dns/android_dns_handler.c b/src/libcharon/plugins/android_dns/android_dns_handler.c
new file mode 100644
index 000000000..526810355
--- /dev/null
+++ b/src/libcharon/plugins/android_dns/android_dns_handler.c
@@ -0,0 +1,235 @@
+/*
+ * Copyright (C) 2010-2013 Tobias Brunner
+ * Copyright (C) 2010 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "android_dns_handler.h"
+
+#include <networking/host.h>
+#include <collections/linked_list.h>
+
+#include <cutils/properties.h>
+
+typedef struct private_android_dns_handler_t private_android_dns_handler_t;
+
+/**
+ * Private data of an android_dns_handler_t object.
+ */
+struct private_android_dns_handler_t {
+
+	/**
+	 * Public interface
+	 */
+	android_dns_handler_t public;
+
+	/**
+	 * List of registered DNS servers
+	 */
+	linked_list_t *dns;
+};
+
+/**
+ * Prefix to be used when installing DNS servers
+ */
+#define DNS_PREFIX_DEFAULT  "net"
+
+/**
+ * Struct to store a pair of old and installed DNS servers
+ */
+typedef struct {
+	/** installed dns server */
+	host_t *dns;
+	/** old dns server */
+	host_t *old;
+} dns_pair_t;
+
+/**
+ * Destroy a pair of old and installed DNS servers
+ */
+static void destroy_dns_pair(dns_pair_t *this)
+{
+	DESTROY_IF(this->dns);
+	DESTROY_IF(this->old);
+	free(this);
+}
+
+/**
+ * Filter pairs of DNS servers
+ */
+static bool filter_dns_pair(void *data, dns_pair_t **in, host_t **out)
+{
+	*out = (*in)->dns;
+	return TRUE;
+}
+
+/**
+ * Read DNS server property with a given index
+ */
+static host_t *get_dns_server(private_android_dns_handler_t *this, int index)
+{
+	host_t *dns = NULL;
+	char key[10], value[PROPERTY_VALUE_MAX],
+		 *prefix = DNS_PREFIX_DEFAULT;
+
+	if (snprintf(key, sizeof(key), "%s.dns%d", prefix, index) >= sizeof(key))
+	{
+		return NULL;
+	}
+
+	if (property_get(key, value, NULL) > 0)
+	{
+		dns = host_create_from_string(value, 0);
+	}
+	return dns;
+}
+
+/**
+ * Set DNS server property with a given index
+ */
+static bool set_dns_server(private_android_dns_handler_t *this, int index,
+						   host_t *dns)
+{
+	char key[10], value[PROPERTY_VALUE_MAX],
+		 *prefix = DNS_PREFIX_DEFAULT;
+
+	if (snprintf(key, sizeof(key), "%s.dns%d", prefix, index) >= sizeof(key))
+	{
+		return FALSE;
+	}
+
+	if (dns)
+	{
+		if (snprintf(value, sizeof(value), "%H", dns) >= sizeof(value))
+		{
+			return FALSE;
+		}
+	}
+	else
+	{
+		value[0] = '\0';
+	}
+
+	if (property_set(key, value) != 0)
+	{
+		return FALSE;
+	}
+	return TRUE;
+}
+
+METHOD(attribute_handler_t, handle, bool,
+	private_android_dns_handler_t *this, identification_t *id,
+	configuration_attribute_type_t type, chunk_t data)
+{
+	switch (type)
+	{
+		case INTERNAL_IP4_DNS:
+		{
+			host_t *dns;
+			dns_pair_t *pair;
+			int index;
+
+			dns = host_create_from_chunk(AF_INET, data, 0);
+			if (dns)
+			{
+				pair = malloc_thing(dns_pair_t);
+				pair->dns = dns;
+				index = this->dns->get_count(this->dns) + 1;
+				pair->old = get_dns_server(this, index);
+				set_dns_server(this, index, dns);
+				this->dns->insert_last(this->dns, pair);
+				return TRUE;
+			}
+			return FALSE;
+		}
+		default:
+			return FALSE;
+	}
+}
+
+METHOD(attribute_handler_t, release, void,
+	private_android_dns_handler_t *this, identification_t *server,
+	configuration_attribute_type_t type, chunk_t data)
+{
+	if (type == INTERNAL_IP4_DNS)
+	{
+		enumerator_t *enumerator;
+		dns_pair_t *pair;
+		int index;
+
+		enumerator = this->dns->create_enumerator(this->dns);
+		for (index = 1; enumerator->enumerate(enumerator, &pair); index++)
+		{
+			if (chunk_equals(pair->dns->get_address(pair->dns), data))
+			{
+				this->dns->remove_at(this->dns, enumerator);
+				set_dns_server(this, index, pair->old);
+				destroy_dns_pair(pair);
+			}
+		}
+		enumerator->destroy(enumerator);
+	}
+}
+
+METHOD(enumerator_t, enumerate_dns, bool,
+	enumerator_t *this, configuration_attribute_type_t *type, chunk_t *data)
+{
+	*type = INTERNAL_IP4_DNS;
+	*data = chunk_empty;
+	/* stop enumeration */
+	this->enumerate = (void*)return_false;
+	return TRUE;
+}
+
+METHOD(attribute_handler_t, create_attribute_enumerator, enumerator_t *,
+	private_android_dns_handler_t *this, identification_t *id,
+	linked_list_t *vips)
+{
+	enumerator_t *enumerator;
+
+	INIT(enumerator,
+		.enumerate = (void*)_enumerate_dns,
+		.destroy = (void*)free,
+	);
+	return enumerator;
+}
+
+METHOD(android_dns_handler_t, destroy, void,
+	private_android_dns_handler_t *this)
+{
+	this->dns->destroy_function(this->dns, (void*)destroy_dns_pair);
+	free(this);
+}
+
+/**
+ * See header
+ */
+android_dns_handler_t *android_dns_handler_create()
+{
+	private_android_dns_handler_t *this;
+
+	INIT(this,
+		.public = {
+			.handler = {
+				.handle = _handle,
+				.release = _release,
+				.create_attribute_enumerator = _create_attribute_enumerator,
+			},
+			.destroy = _destroy,
+		},
+		.dns = linked_list_create(),
+	);
+
+	return &this->public;
+}
+
diff --git a/src/libcharon/plugins/android_dns/android_dns_handler.h b/src/libcharon/plugins/android_dns/android_dns_handler.h
new file mode 100644
index 000000000..d7b089dca
--- /dev/null
+++ b/src/libcharon/plugins/android_dns/android_dns_handler.h
@@ -0,0 +1,50 @@
+/*
+ * Copyright (C) 2010-2011 Tobias Brunner
+ * Copyright (C) 2010 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup android_dns_handler android_dns_handler
+ * @{ @ingroup android_dns
+ */
+
+#ifndef ANDROID_DNS_HANDLER_H_
+#define ANDROID_DNS_HANDLER_H_
+
+#include <attributes/attribute_handler.h>
+
+typedef struct android_dns_handler_t android_dns_handler_t;
+
+/**
+ * Android specific DNS attribute handler.
+ */
+struct android_dns_handler_t {
+
+	/**
+	 * Implements attribute_handler_t.
+	 */
+	attribute_handler_t handler;
+
+	/**
+	 * Destroy a android_dns_handler_t.
+	 */
+	void (*destroy)(android_dns_handler_t *this);
+};
+
+/**
+ * Create an android_dns_handler_t instance.
+ */
+android_dns_handler_t *android_dns_handler_create();
+
+#endif /** ANDROID_DNS_HANDLER_H_ @}*/
diff --git a/src/libcharon/plugins/android_dns/android_dns_plugin.c b/src/libcharon/plugins/android_dns/android_dns_plugin.c
new file mode 100644
index 000000000..4e2b5f58b
--- /dev/null
+++ b/src/libcharon/plugins/android_dns/android_dns_plugin.c
@@ -0,0 +1,76 @@
+/*
+ * Copyright (C) 2010-2013 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "android_dns_plugin.h"
+#include "android_dns_handler.h"
+
+#include <hydra.h>
+#include <daemon.h>
+
+typedef struct private_android_dns_plugin_t private_android_dns_plugin_t;
+
+/**
+ * Private data of an android_dns_plugin_t object.
+ */
+struct private_android_dns_plugin_t {
+
+	/**
+	 * Public interface
+	 */
+	android_dns_plugin_t public;
+
+	/**
+	 * Android specific DNS handler
+	 */
+	android_dns_handler_t *handler;
+};
+
+METHOD(plugin_t, get_name, char*,
+	private_android_dns_plugin_t *this)
+{
+	return "android-dns";
+}
+
+METHOD(plugin_t, destroy, void,
+	private_android_dns_plugin_t *this)
+{
+	hydra->attributes->remove_handler(hydra->attributes,
+									  &this->handler->handler);
+	this->handler->destroy(this->handler);
+	free(this);
+}
+
+/**
+ * See header
+ */
+plugin_t *android_dns_plugin_create()
+{
+	private_android_dns_plugin_t *this;
+
+	INIT(this,
+		.public = {
+			.plugin = {
+				.get_name = _get_name,
+				.reload = (void*)return_false,
+				.destroy = _destroy,
+			},
+		},
+		.handler = android_dns_handler_create(),
+	);
+
+	hydra->attributes->add_handler(hydra->attributes, &this->handler->handler);
+
+	return &this->public.plugin;
+}
diff --git a/src/libcharon/plugins/android_dns/android_dns_plugin.h b/src/libcharon/plugins/android_dns/android_dns_plugin.h
new file mode 100644
index 000000000..e9e57dc24
--- /dev/null
+++ b/src/libcharon/plugins/android_dns/android_dns_plugin.h
@@ -0,0 +1,42 @@
+/*
+ * Copyright (C) 2013 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup android_dns android_dns
+ * @ingroup cplugins
+ *
+ * @defgroup android_dns_plugin android_dns_plugin
+ * @{ @ingroup android_dns
+ */
+
+#ifndef ANDROID_DNS_PLUGIN_H_
+#define ANDROID_DNS_PLUGIN_H_
+
+#include <plugins/plugin.h>
+
+typedef struct android_dns_plugin_t android_dns_plugin_t;
+
+/**
+ * Plugin providing an Android-specific handler for DNS servers.
+ */
+struct android_dns_plugin_t {
+
+	/**
+	 * Implements plugin interface.
+	 */
+	plugin_t plugin;
+};
+
+#endif /** ANDROID_DNS_PLUGIN_H_ @}*/
diff --git a/src/libcharon/plugins/android_log/Makefile.in b/src/libcharon/plugins/android_log/Makefile.in
index 5875e6202..73459ac92 100644
--- a/src/libcharon/plugins/android_log/Makefile.in
+++ b/src/libcharon/plugins/android_log/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.11.3 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
@@ -16,6 +16,23 @@
 @SET_MAKE@
 
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -108,6 +125,11 @@ LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
 	$(LDFLAGS) -o $@
 SOURCES = $(libstrongswan_android_log_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_android_log_la_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
@@ -124,6 +146,8 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -140,6 +164,7 @@ EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
@@ -208,8 +233,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -265,7 +288,6 @@ nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
@@ -355,7 +377,6 @@ clean-noinstLTLIBRARIES:
 	done
 install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
-	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
 	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
 	list2=; for p in $$list; do \
 	  if test -f $$p; then \
@@ -363,6 +384,8 @@ install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	  else :; fi; \
 	done; \
 	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \
 	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
 	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
 	}
diff --git a/src/libcharon/plugins/certexpire/Makefile.in b/src/libcharon/plugins/certexpire/Makefile.in
index 50000ce5e..6868c52a1 100644
--- a/src/libcharon/plugins/certexpire/Makefile.in
+++ b/src/libcharon/plugins/certexpire/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.11.3 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
@@ -16,6 +16,23 @@
 @SET_MAKE@
 
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -108,6 +125,11 @@ LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
 	$(LDFLAGS) -o $@
 SOURCES = $(libstrongswan_certexpire_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_certexpire_la_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
@@ -124,6 +146,8 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -140,6 +164,7 @@ EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
@@ -208,8 +233,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -265,7 +288,6 @@ nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
@@ -358,7 +380,6 @@ clean-noinstLTLIBRARIES:
 	done
 install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
-	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
 	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
 	list2=; for p in $$list; do \
 	  if test -f $$p; then \
@@ -366,6 +387,8 @@ install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	  else :; fi; \
 	done; \
 	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \
 	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
 	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
 	}
diff --git a/src/libcharon/plugins/coupling/Makefile.in b/src/libcharon/plugins/coupling/Makefile.in
index 7eaadf74f..e191dc6c7 100644
--- a/src/libcharon/plugins/coupling/Makefile.in
+++ b/src/libcharon/plugins/coupling/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.11.3 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
@@ -16,6 +16,23 @@
 @SET_MAKE@
 
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -108,6 +125,11 @@ LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
 	$(LDFLAGS) -o $@
 SOURCES = $(libstrongswan_coupling_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_coupling_la_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
@@ -124,6 +146,8 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -140,6 +164,7 @@ EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
@@ -208,8 +233,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -265,7 +288,6 @@ nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
@@ -354,7 +376,6 @@ clean-noinstLTLIBRARIES:
 	done
 install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
-	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
 	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
 	list2=; for p in $$list; do \
 	  if test -f $$p; then \
@@ -362,6 +383,8 @@ install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	  else :; fi; \
 	done; \
 	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \
 	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
 	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
 	}
diff --git a/src/libcharon/plugins/dhcp/Makefile.in b/src/libcharon/plugins/dhcp/Makefile.in
index f25f02845..717180379 100644
--- a/src/libcharon/plugins/dhcp/Makefile.in
+++ b/src/libcharon/plugins/dhcp/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.11.3 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
@@ -16,6 +16,23 @@
 @SET_MAKE@
 
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -105,6 +122,11 @@ LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
 	$(LDFLAGS) -o $@
 SOURCES = $(libstrongswan_dhcp_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_dhcp_la_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
@@ -121,6 +143,8 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -137,6 +161,7 @@ EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
@@ -205,8 +230,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -262,7 +285,6 @@ nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
@@ -353,7 +375,6 @@ clean-noinstLTLIBRARIES:
 	done
 install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
-	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
 	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
 	list2=; for p in $$list; do \
 	  if test -f $$p; then \
@@ -361,6 +382,8 @@ install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	  else :; fi; \
 	done; \
 	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \
 	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
 	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
 	}
diff --git a/src/libcharon/plugins/duplicheck/Makefile.in b/src/libcharon/plugins/duplicheck/Makefile.in
index 0577b25ac..d1b5dfbe6 100644
--- a/src/libcharon/plugins/duplicheck/Makefile.in
+++ b/src/libcharon/plugins/duplicheck/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.11.3 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
@@ -17,6 +17,23 @@
 
 
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -115,6 +132,11 @@ LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
 SOURCES = $(libstrongswan_duplicheck_la_SOURCES) $(duplicheck_SOURCES)
 DIST_SOURCES = $(libstrongswan_duplicheck_la_SOURCES) \
 	$(duplicheck_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
@@ -131,6 +153,8 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -147,6 +171,7 @@ EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
@@ -215,8 +240,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -272,7 +295,6 @@ nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
@@ -365,7 +387,6 @@ clean-noinstLTLIBRARIES:
 	done
 install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
-	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
 	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
 	list2=; for p in $$list; do \
 	  if test -f $$p; then \
@@ -373,6 +394,8 @@ install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	  else :; fi; \
 	done; \
 	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \
 	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
 	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
 	}
@@ -398,8 +421,11 @@ libstrongswan-duplicheck.la: $(libstrongswan_duplicheck_la_OBJECTS) $(libstrongs
 	$(libstrongswan_duplicheck_la_LINK) $(am_libstrongswan_duplicheck_la_rpath) $(libstrongswan_duplicheck_la_OBJECTS) $(libstrongswan_duplicheck_la_LIBADD) $(LIBS)
 install-ipsecPROGRAMS: $(ipsec_PROGRAMS)
 	@$(NORMAL_INSTALL)
-	test -z "$(ipsecdir)" || $(MKDIR_P) "$(DESTDIR)$(ipsecdir)"
 	@list='$(ipsec_PROGRAMS)'; test -n "$(ipsecdir)" || list=; \
+	if test -n "$$list"; then \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(ipsecdir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(ipsecdir)" || exit 1; \
+	fi; \
 	for p in $$list; do echo "$$p $$p"; done | \
 	sed 's/$(EXEEXT)$$//' | \
 	while read p p1; do if test -f $$p || test -f $$p1; \
diff --git a/src/libcharon/plugins/duplicheck/duplicheck_listener.c b/src/libcharon/plugins/duplicheck/duplicheck_listener.c
index 1b0df1e8b..30a723d36 100644
--- a/src/libcharon/plugins/duplicheck/duplicheck_listener.c
+++ b/src/libcharon/plugins/duplicheck/duplicheck_listener.c
@@ -60,8 +60,8 @@ struct private_duplicheck_listener_t {
 typedef struct {
 	/** peer identity */
 	identification_t *id;
-	/** IKE_SA identifier */
-	ike_sa_id_t *sa;
+	/** list of IKE_SA identifiers, ike_sa_id_t */
+	linked_list_t *sas;
 } entry_t;
 
 /**
@@ -70,7 +70,7 @@ typedef struct {
 static void entry_destroy(entry_t *this)
 {
 	this->id->destroy(this->id);
-	this->sa->destroy(this->sa);
+	this->sas->destroy_offset(this->sas, offsetof(ike_sa_id_t, destroy));
 	free(this);
 }
 
@@ -90,27 +90,101 @@ static bool equals(identification_t *a, identification_t *b)
 	return a->equals(a, b);
 }
 
-METHOD(listener_t, ike_rekey, bool,
-	private_duplicheck_listener_t *this, ike_sa_t *old, ike_sa_t *new)
+/**
+ * Put an IKE_SA identifier to hashtable
+ */
+static void put(hashtable_t *table, identification_t *id, ike_sa_id_t *sa)
 {
-	identification_t *id;
-	ike_sa_id_t *sa;
 	entry_t *entry;
 
-	sa = new->get_id(new);
-	id = new->get_other_id(new);
+	entry = table->get(table, id);
+	if (!entry)
+	{
+		INIT(entry,
+			.id = id->clone(id),
+			.sas = linked_list_create(),
+		);
+		table->put(table, entry->id, entry);
+	}
+	entry->sas->insert_last(entry->sas, sa->clone(sa));
+}
 
-	INIT(entry,
-		.id = id->clone(id),
-		.sa = sa->clone(sa),
-	);
-	this->mutex->lock(this->mutex);
-	entry = this->active->put(this->active, entry->id, entry);
-	this->mutex->unlock(this->mutex);
+/**
+ * Purge an entry from table if it has no IKE_SA identifiers
+ */
+static void remove_if_empty(hashtable_t *table, entry_t *entry)
+{
+	if (entry->sas->get_count(entry->sas) == 0)
+	{
+		entry = table->remove(table, entry->id);
+		if (entry)
+		{
+			entry_destroy(entry);
+		}
+	}
+}
+
+/**
+ * Remove the first entry found in the table for the given id
+ */
+static ike_sa_id_t *remove_first(hashtable_t *table, identification_t *id)
+{
+	ike_sa_id_t *sa = NULL;
+	entry_t *entry;
+
+	entry = table->get(table, id);
+	if (entry)
+	{
+		entry->sas->remove_first(entry->sas, (void**)&sa);
+		remove_if_empty(table, entry);
+	}
+	return sa;
+}
+
+/**
+ * Remove a specific IKE_SA ID for the given identity
+ */
+static bool remove_specific(hashtable_t *table, identification_t *id,
+							ike_sa_id_t *sa)
+{
+	enumerator_t *enumerator;
+	bool found = FALSE;
+	entry_t *entry;
+	ike_sa_id_t *current;
+
+	entry = table->get(table, id);
 	if (entry)
 	{
-		entry_destroy(entry);
+		enumerator = entry->sas->create_enumerator(entry->sas);
+		while (enumerator->enumerate(enumerator, &current))
+		{
+			if (sa->equals(sa, current))
+			{
+				entry->sas->remove_at(entry->sas, enumerator);
+				current->destroy(current);
+				found = TRUE;
+				break;
+			}
+		}
+		enumerator->destroy(enumerator);
+		if (found)
+		{
+			remove_if_empty(table, entry);
+		}
 	}
+	return found;
+}
+
+METHOD(listener_t, ike_rekey, bool,
+	private_duplicheck_listener_t *this, ike_sa_t *old, ike_sa_t *new)
+{
+	this->mutex->lock(this->mutex);
+
+	remove_specific(this->active, old->get_other_id(old), old->get_id(old));
+	put(this->active, new->get_other_id(new), new->get_id(new));
+
+	this->mutex->unlock(this->mutex);
+
 	return TRUE;
 }
 
@@ -119,58 +193,41 @@ METHOD(listener_t, ike_updown, bool,
 {
 	identification_t *id;
 	ike_sa_id_t *sa;
-	entry_t *entry;
-	job_t *job;
 
-	sa = ike_sa->get_id(ike_sa);
 	id = ike_sa->get_other_id(ike_sa);
 
+	this->mutex->lock(this->mutex);
 	if (up)
 	{
-		INIT(entry,
-			.id = id->clone(id),
-			.sa = sa->clone(sa),
-		);
-		this->mutex->lock(this->mutex);
-		entry = this->active->put(this->active, entry->id, entry);
-		this->mutex->unlock(this->mutex);
-		if (entry)
+		/* another IKE_SA for this identity active? */
+		sa = remove_first(this->active, id);
+		if (sa)
 		{
 			DBG1(DBG_CFG, "detected duplicate IKE_SA for '%Y', "
 				 "triggering delete for old IKE_SA", id);
-			job = (job_t*)delete_ike_sa_job_create(entry->sa, TRUE);
-			this->mutex->lock(this->mutex);
-			entry = this->checking->put(this->checking, entry->id, entry);
-			this->mutex->unlock(this->mutex);
-			lib->processor->queue_job(lib->processor, job);
-			if (entry)
-			{
-				entry_destroy(entry);
-			}
+			put(this->checking, id, sa);
+			lib->processor->queue_job(lib->processor,
+								(job_t*)delete_ike_sa_job_create(sa, TRUE));
+			sa->destroy(sa);
 		}
+		/* register IKE_SA as the new active */
+		sa = ike_sa->get_id(ike_sa);
+		put(this->active, id, sa);
 	}
 	else
 	{
-		this->mutex->lock(this->mutex);
-		entry = this->checking->remove(this->checking, id);
-		this->mutex->unlock(this->mutex);
-		if (entry)
+		sa = ike_sa->get_id(ike_sa);
+		/* check if closing an IKE_SA currently in checking state */
+		if (remove_specific(this->checking, id, sa))
 		{
 			DBG1(DBG_CFG, "delete for duplicate IKE_SA '%Y' timed out, "
 				 "keeping new IKE_SA", id);
-			entry_destroy(entry);
-		}
-		else
-		{
-			this->mutex->lock(this->mutex);
-			entry = this->active->remove(this->active, id);
-			this->mutex->unlock(this->mutex);
-			if (entry)
-			{
-				entry_destroy(entry);
-			}
 		}
+		/* check normal close of IKE_SA */
+		remove_specific(this->active, id, sa);
 	}
+	this->mutex->unlock(this->mutex);
+
 	return TRUE;
 }
 
@@ -181,29 +238,32 @@ METHOD(listener_t, message_hook, bool,
 	if (incoming && plain && !message->get_request(message))
 	{
 		identification_t *id;
-		entry_t *entry;
+		ike_sa_id_t *sa;
 
 		id = ike_sa->get_other_id(ike_sa);
+		sa = ike_sa->get_id(ike_sa);
+
 		this->mutex->lock(this->mutex);
-		entry = this->checking->remove(this->checking, id);
-		this->mutex->unlock(this->mutex);
-		if (entry)
+		if (remove_specific(this->checking, id, sa))
 		{
 			DBG1(DBG_CFG, "got a response on a duplicate IKE_SA for '%Y', "
 				 "deleting new IKE_SA", id);
 			charon->bus->alert(charon->bus, ALERT_UNIQUE_KEEP);
-			entry_destroy(entry);
-			this->mutex->lock(this->mutex);
-			entry = this->active->remove(this->active, id);
-			this->mutex->unlock(this->mutex);
-			if (entry)
+			sa = remove_first(this->active, id);
+			if (sa)
 			{
 				lib->processor->queue_job(lib->processor,
-						(job_t*)delete_ike_sa_job_create(entry->sa, TRUE));
-				entry_destroy(entry);
+								(job_t*)delete_ike_sa_job_create(sa, TRUE));
+				sa->destroy(sa);
 			}
+			this->mutex->unlock(this->mutex);
+
 			this->notify->send(this->notify, id);
 		}
+		else
+		{
+			this->mutex->unlock(this->mutex);
+		}
 	}
 	return TRUE;
 }
diff --git a/src/libcharon/plugins/eap_aka/Makefile.in b/src/libcharon/plugins/eap_aka/Makefile.in
index b0be409aa..4d162b4eb 100644
--- a/src/libcharon/plugins/eap_aka/Makefile.in
+++ b/src/libcharon/plugins/eap_aka/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.11.3 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
@@ -16,6 +16,23 @@
 @SET_MAKE@
 
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -108,6 +125,11 @@ LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
 	$(LDFLAGS) -o $@
 SOURCES = $(libstrongswan_eap_aka_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_eap_aka_la_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
@@ -124,6 +146,8 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -140,6 +164,7 @@ EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
@@ -208,8 +233,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -265,7 +288,6 @@ nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
@@ -357,7 +379,6 @@ clean-noinstLTLIBRARIES:
 	done
 install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
-	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
 	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
 	list2=; for p in $$list; do \
 	  if test -f $$p; then \
@@ -365,6 +386,8 @@ install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	  else :; fi; \
 	done; \
 	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \
 	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
 	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
 	}
diff --git a/src/libcharon/plugins/eap_aka_3gpp2/Makefile.in b/src/libcharon/plugins/eap_aka_3gpp2/Makefile.in
index 1b805a050..947b58f01 100644
--- a/src/libcharon/plugins/eap_aka_3gpp2/Makefile.in
+++ b/src/libcharon/plugins/eap_aka_3gpp2/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.11.3 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
@@ -16,6 +16,23 @@
 @SET_MAKE@
 
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -110,6 +127,11 @@ LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
 	$(LDFLAGS) -o $@
 SOURCES = $(libstrongswan_eap_aka_3gpp2_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_eap_aka_3gpp2_la_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
@@ -126,6 +148,8 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -142,6 +166,7 @@ EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
@@ -210,8 +235,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -267,7 +290,6 @@ nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
@@ -360,7 +382,6 @@ clean-noinstLTLIBRARIES:
 	done
 install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
-	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
 	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
 	list2=; for p in $$list; do \
 	  if test -f $$p; then \
@@ -368,6 +389,8 @@ install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	  else :; fi; \
 	done; \
 	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \
 	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
 	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
 	}
diff --git a/src/libcharon/plugins/eap_dynamic/Makefile.in b/src/libcharon/plugins/eap_dynamic/Makefile.in
index 7e55847d6..1789b28e9 100644
--- a/src/libcharon/plugins/eap_dynamic/Makefile.in
+++ b/src/libcharon/plugins/eap_dynamic/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.11.3 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
@@ -16,6 +16,23 @@
 @SET_MAKE@
 
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -108,6 +125,11 @@ LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
 	$(LDFLAGS) -o $@
 SOURCES = $(libstrongswan_eap_dynamic_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_eap_dynamic_la_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
@@ -124,6 +146,8 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -140,6 +164,7 @@ EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
@@ -208,8 +233,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -265,7 +288,6 @@ nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
@@ -354,7 +376,6 @@ clean-noinstLTLIBRARIES:
 	done
 install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
-	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
 	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
 	list2=; for p in $$list; do \
 	  if test -f $$p; then \
@@ -362,6 +383,8 @@ install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	  else :; fi; \
 	done; \
 	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \
 	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
 	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
 	}
diff --git a/src/libcharon/plugins/eap_gtc/Makefile.in b/src/libcharon/plugins/eap_gtc/Makefile.in
index 3bff722d3..5241a5c7d 100644
--- a/src/libcharon/plugins/eap_gtc/Makefile.in
+++ b/src/libcharon/plugins/eap_gtc/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.11.3 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
@@ -16,6 +16,23 @@
 @SET_MAKE@
 
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -106,6 +123,11 @@ LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
 	$(LDFLAGS) -o $@
 SOURCES = $(libstrongswan_eap_gtc_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_eap_gtc_la_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
@@ -122,6 +144,8 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -138,6 +162,7 @@ EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
@@ -206,8 +231,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -263,7 +286,6 @@ nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
@@ -352,7 +374,6 @@ clean-noinstLTLIBRARIES:
 	done
 install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
-	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
 	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
 	list2=; for p in $$list; do \
 	  if test -f $$p; then \
@@ -360,6 +381,8 @@ install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	  else :; fi; \
 	done; \
 	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \
 	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
 	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
 	}
diff --git a/src/libcharon/plugins/eap_identity/Makefile.in b/src/libcharon/plugins/eap_identity/Makefile.in
index f7e768aa1..e8d2e2b64 100644
--- a/src/libcharon/plugins/eap_identity/Makefile.in
+++ b/src/libcharon/plugins/eap_identity/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.11.3 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
@@ -16,6 +16,23 @@
 @SET_MAKE@
 
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -108,6 +125,11 @@ LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
 	$(LDFLAGS) -o $@
 SOURCES = $(libstrongswan_eap_identity_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_eap_identity_la_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
@@ -124,6 +146,8 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -140,6 +164,7 @@ EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
@@ -208,8 +233,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -265,7 +288,6 @@ nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
@@ -354,7 +376,6 @@ clean-noinstLTLIBRARIES:
 	done
 install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
-	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
 	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
 	list2=; for p in $$list; do \
 	  if test -f $$p; then \
@@ -362,6 +383,8 @@ install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	  else :; fi; \
 	done; \
 	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \
 	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
 	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
 	}
diff --git a/src/libcharon/plugins/eap_md5/Makefile.in b/src/libcharon/plugins/eap_md5/Makefile.in
index 9b344967b..1a31f27f1 100644
--- a/src/libcharon/plugins/eap_md5/Makefile.in
+++ b/src/libcharon/plugins/eap_md5/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.11.3 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
@@ -16,6 +16,23 @@
 @SET_MAKE@
 
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -106,6 +123,11 @@ LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
 	$(LDFLAGS) -o $@
 SOURCES = $(libstrongswan_eap_md5_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_eap_md5_la_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
@@ -122,6 +144,8 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -138,6 +162,7 @@ EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
@@ -206,8 +231,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -263,7 +286,6 @@ nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
@@ -352,7 +374,6 @@ clean-noinstLTLIBRARIES:
 	done
 install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
-	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
 	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
 	list2=; for p in $$list; do \
 	  if test -f $$p; then \
@@ -360,6 +381,8 @@ install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	  else :; fi; \
 	done; \
 	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \
 	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
 	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
 	}
diff --git a/src/libcharon/plugins/eap_mschapv2/Makefile.in b/src/libcharon/plugins/eap_mschapv2/Makefile.in
index 82ea844a0..930f87013 100644
--- a/src/libcharon/plugins/eap_mschapv2/Makefile.in
+++ b/src/libcharon/plugins/eap_mschapv2/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.11.3 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
@@ -16,6 +16,23 @@
 @SET_MAKE@
 
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -108,6 +125,11 @@ LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
 	$(LDFLAGS) -o $@
 SOURCES = $(libstrongswan_eap_mschapv2_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_eap_mschapv2_la_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
@@ -124,6 +146,8 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -140,6 +164,7 @@ EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
@@ -208,8 +233,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -265,7 +288,6 @@ nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
@@ -355,7 +377,6 @@ clean-noinstLTLIBRARIES:
 	done
 install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
-	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
 	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
 	list2=; for p in $$list; do \
 	  if test -f $$p; then \
@@ -363,6 +384,8 @@ install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	  else :; fi; \
 	done; \
 	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \
 	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
 	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
 	}
diff --git a/src/libcharon/plugins/eap_peap/Makefile.in b/src/libcharon/plugins/eap_peap/Makefile.in
index e6ccb9e17..c0411cb1e 100644
--- a/src/libcharon/plugins/eap_peap/Makefile.in
+++ b/src/libcharon/plugins/eap_peap/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.11.3 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
@@ -16,6 +16,23 @@
 @SET_MAKE@
 
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -109,6 +126,11 @@ LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
 	$(LDFLAGS) -o $@
 SOURCES = $(libstrongswan_eap_peap_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_eap_peap_la_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
@@ -125,6 +147,8 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -141,6 +165,7 @@ EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
@@ -209,8 +234,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -266,7 +289,6 @@ nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
@@ -360,7 +382,6 @@ clean-noinstLTLIBRARIES:
 	done
 install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
-	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
 	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
 	list2=; for p in $$list; do \
 	  if test -f $$p; then \
@@ -368,6 +389,8 @@ install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	  else :; fi; \
 	done; \
 	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \
 	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
 	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
 	}
diff --git a/src/libcharon/plugins/eap_radius/Makefile.am b/src/libcharon/plugins/eap_radius/Makefile.am
index 181497ab5..628adbeb3 100644
--- a/src/libcharon/plugins/eap_radius/Makefile.am
+++ b/src/libcharon/plugins/eap_radius/Makefile.am
@@ -15,6 +15,7 @@ libstrongswan_eap_radius_la_SOURCES = \
 	eap_radius_plugin.h eap_radius_plugin.c \
 	eap_radius.h eap_radius.c \
 	eap_radius_accounting.h eap_radius_accounting.c \
+	eap_radius_provider.h eap_radius_provider.c \
 	eap_radius_dae.h eap_radius_dae.c \
 	eap_radius_forward.h eap_radius_forward.c
 
diff --git a/src/libcharon/plugins/eap_radius/Makefile.in b/src/libcharon/plugins/eap_radius/Makefile.in
index 86d26390f..a686dde90 100644
--- a/src/libcharon/plugins/eap_radius/Makefile.in
+++ b/src/libcharon/plugins/eap_radius/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.11.3 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
@@ -16,6 +16,23 @@
 @SET_MAKE@
 
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -84,8 +101,8 @@ LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
 @MONOLITHIC_FALSE@libstrongswan_eap_radius_la_DEPENDENCIES =  \
 @MONOLITHIC_FALSE@	$(top_builddir)/src/libradius/libradius.la
 am_libstrongswan_eap_radius_la_OBJECTS = eap_radius_plugin.lo \
-	eap_radius.lo eap_radius_accounting.lo eap_radius_dae.lo \
-	eap_radius_forward.lo
+	eap_radius.lo eap_radius_accounting.lo eap_radius_provider.lo \
+	eap_radius_dae.lo eap_radius_forward.lo
 libstrongswan_eap_radius_la_OBJECTS =  \
 	$(am_libstrongswan_eap_radius_la_OBJECTS)
 libstrongswan_eap_radius_la_LINK = $(LIBTOOL) --tag=CC \
@@ -110,6 +127,11 @@ LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
 	$(LDFLAGS) -o $@
 SOURCES = $(libstrongswan_eap_radius_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_eap_radius_la_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
@@ -126,6 +148,8 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -142,6 +166,7 @@ EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
@@ -210,8 +235,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -267,7 +290,6 @@ nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
@@ -312,6 +334,7 @@ libstrongswan_eap_radius_la_SOURCES = \
 	eap_radius_plugin.h eap_radius_plugin.c \
 	eap_radius.h eap_radius.c \
 	eap_radius_accounting.h eap_radius_accounting.c \
+	eap_radius_provider.h eap_radius_provider.c \
 	eap_radius_dae.h eap_radius_dae.c \
 	eap_radius_forward.h eap_radius_forward.c
 
@@ -361,7 +384,6 @@ clean-noinstLTLIBRARIES:
 	done
 install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
-	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
 	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
 	list2=; for p in $$list; do \
 	  if test -f $$p; then \
@@ -369,6 +391,8 @@ install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	  else :; fi; \
 	done; \
 	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \
 	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
 	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
 	}
@@ -404,6 +428,7 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/eap_radius_dae.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/eap_radius_forward.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/eap_radius_plugin.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/eap_radius_provider.Plo@am__quote@
 
 .c.o:
 @am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
diff --git a/src/libcharon/plugins/eap_radius/eap_radius.c b/src/libcharon/plugins/eap_radius/eap_radius.c
index 6009d3a1f..59340df01 100644
--- a/src/libcharon/plugins/eap_radius/eap_radius.c
+++ b/src/libcharon/plugins/eap_radius/eap_radius.c
@@ -16,6 +16,8 @@
 #include "eap_radius.h"
 #include "eap_radius_plugin.h"
 #include "eap_radius_forward.h"
+#include "eap_radius_provider.h"
+#include "eap_radius_accounting.h"
 
 #include <radius_message.h>
 #include <radius_client.h>
@@ -155,17 +157,67 @@ static bool radius2ike(private_eap_radius_t *this,
 	return FALSE;
 }
 
+/**
+ * Add a set of RADIUS attributes to a request message
+ */
+static void add_radius_request_attrs(private_eap_radius_t *this,
+									 radius_message_t *request)
+{
+	ike_sa_t *ike_sa;
+	host_t *host;
+	char buf[40];
+	u_int32_t value;
+	chunk_t chunk;
+
+	chunk = chunk_from_str(this->id_prefix);
+	chunk = chunk_cata("cc", chunk, this->peer->get_encoding(this->peer));
+	request->add(request, RAT_USER_NAME, chunk);
+
+	/* virtual NAS-Port-Type */
+	value = htonl(5);
+	request->add(request, RAT_NAS_PORT_TYPE, chunk_from_thing(value));
+	/* framed ServiceType */
+	value = htonl(2);
+	request->add(request, RAT_SERVICE_TYPE, chunk_from_thing(value));
+
+	ike_sa = charon->bus->get_sa(charon->bus);
+	if (ike_sa)
+	{
+		value = htonl(ike_sa->get_unique_id(ike_sa));
+		request->add(request, RAT_NAS_PORT, chunk_from_thing(value));
+		request->add(request, RAT_NAS_PORT_ID,
+					 chunk_from_str(ike_sa->get_name(ike_sa)));
+
+		host = ike_sa->get_my_host(ike_sa);
+		chunk = host->get_address(host);
+		switch (host->get_family(host))
+		{
+			case AF_INET:
+				request->add(request, RAT_NAS_IP_ADDRESS, chunk);
+				break;
+			case AF_INET6:
+				request->add(request, RAT_NAS_IPV6_ADDRESS, chunk);
+			default:
+				break;
+		}
+		snprintf(buf, sizeof(buf), "%#H", host);
+		request->add(request, RAT_CALLED_STATION_ID, chunk_from_str(buf));
+		host = ike_sa->get_other_host(ike_sa);
+		snprintf(buf, sizeof(buf), "%#H", host);
+		request->add(request, RAT_CALLING_STATION_ID, chunk_from_str(buf));
+	}
+
+	eap_radius_forward_from_ike(request);
+}
+
 METHOD(eap_method_t, initiate, status_t,
 	private_eap_radius_t *this, eap_payload_t **out)
 {
 	radius_message_t *request, *response;
 	status_t status = FAILED;
-	chunk_t username;
 
 	request = radius_message_create(RMC_ACCESS_REQUEST);
-	username = chunk_create(this->id_prefix, strlen(this->id_prefix));
-	username = chunk_cata("cc", username, this->peer->get_encoding(this->peer));
-	request->add(request, RAT_USER_NAME, username);
+	add_radius_request_attrs(this, request);
 
 	if (this->eap_start)
 	{
@@ -175,7 +227,6 @@ METHOD(eap_method_t, initiate, status_t,
 	{
 		add_eap_identity(this, request);
 	}
-	eap_radius_forward_from_ike(request);
 
 	response = this->client->request(this->client, request);
 	if (response)
@@ -203,7 +254,7 @@ METHOD(eap_method_t, initiate, status_t,
 	}
 	else
 	{
-		charon->bus->alert(charon->bus, ALERT_RADIUS_NOT_RESPONDING);
+		eap_radius_handle_timeout(NULL);
 	}
 	request->destroy(request);
 	return status;
@@ -303,7 +354,7 @@ static void process_filter_id(private_eap_radius_t *this, radius_message_t *msg)
 }
 
 /**
- * Handle Session-Timeout attribte
+ * Handle Session-Timeout attribte and Interim updates
  */
 static void process_timeout(private_eap_radius_t *this, radius_message_t *msg)
 {
@@ -312,19 +363,78 @@ static void process_timeout(private_eap_radius_t *this, radius_message_t *msg)
 	chunk_t data;
 	int type;
 
-	enumerator = msg->create_enumerator(msg);
-	while (enumerator->enumerate(enumerator, &type, &data))
+	ike_sa = charon->bus->get_sa(charon->bus);
+	if (ike_sa)
 	{
-		if (type == RAT_SESSION_TIMEOUT && data.len == 4)
+		enumerator = msg->create_enumerator(msg);
+		while (enumerator->enumerate(enumerator, &type, &data))
 		{
-			ike_sa = charon->bus->get_sa(charon->bus);
-			if (ike_sa)
+			if (type == RAT_SESSION_TIMEOUT && data.len == 4)
 			{
 				ike_sa->set_auth_lifetime(ike_sa, untoh32(data.ptr));
 			}
+			else if (type == RAT_ACCT_INTERIM_INTERVAL && data.len == 4)
+			{
+				eap_radius_accounting_start_interim(ike_sa, untoh32(data.ptr));
+			}
 		}
+		enumerator->destroy(enumerator);
+	}
+}
+
+/**
+ * Handle Framed-IP-Address and other IKE configuration attributes
+ */
+static void process_cfg_attributes(private_eap_radius_t *this,
+								   radius_message_t *msg)
+{
+	eap_radius_provider_t *provider;
+	enumerator_t *enumerator;
+	ike_sa_t *ike_sa;
+	host_t *host;
+	chunk_t data;
+	int type, vendor;
+
+	ike_sa = charon->bus->get_sa(charon->bus);
+	provider = eap_radius_provider_get();
+	if (provider && ike_sa)
+	{
+		enumerator = msg->create_enumerator(msg);
+		while (enumerator->enumerate(enumerator, &type, &data))
+		{
+			if (type == RAT_FRAMED_IP_ADDRESS && data.len == 4)
+			{
+				host = host_create_from_chunk(AF_INET, data, 0);
+				if (host)
+				{
+					provider->add_framed_ip(provider, this->peer, host);
+				}
+			}
+		}
+		enumerator->destroy(enumerator);
+
+		enumerator = msg->create_vendor_enumerator(msg);
+		while (enumerator->enumerate(enumerator, &vendor, &type, &data))
+		{
+			if (vendor == PEN_ALTIGA /* aka Cisco VPN3000 */)
+			{
+				switch (type)
+				{
+					case 15: /* CVPN3000-IPSec-Banner1 */
+					case 36: /* CVPN3000-IPSec-Banner2 */
+						if (ike_sa->supports_extension(ike_sa, EXT_CISCO_UNITY))
+						{
+							provider->add_attribute(provider, this->peer,
+													UNITY_BANNER, data);
+						}
+						break;
+					default:
+						break;
+				}
+			}
+		}
+		enumerator->destroy(enumerator);
 	}
-	enumerator->destroy(enumerator);
 }
 
 METHOD(eap_method_t, process, status_t,
@@ -335,7 +445,8 @@ METHOD(eap_method_t, process, status_t,
 	chunk_t data;
 
 	request = radius_message_create(RMC_ACCESS_REQUEST);
-	request->add(request, RAT_USER_NAME, this->peer->get_encoding(this->peer));
+	add_radius_request_attrs(this, request);
+
 	data = in->get_data(in);
 	DBG3(DBG_IKE, "%N payload %B", eap_type_names, this->type, &data);
 
@@ -348,7 +459,6 @@ METHOD(eap_method_t, process, status_t,
 	}
 	request->add(request, RAT_EAP_MESSAGE, data);
 
-	eap_radius_forward_from_ike(request);
 	response = this->client->request(this->client, request);
 	if (response)
 	{
@@ -373,6 +483,7 @@ METHOD(eap_method_t, process, status_t,
 					process_filter_id(this, response);
 				}
 				process_timeout(this, response);
+				process_cfg_attributes(this, response);
 				DBG1(DBG_IKE, "RADIUS authentication of '%Y' successful",
 					 this->peer);
 				status = SUCCESS;
@@ -490,4 +601,3 @@ eap_radius_t *eap_radius_create(identification_t *server, identification_t *peer
 	this->server = server->clone(server);
 	return &this->public;
 }
-
diff --git a/src/libcharon/plugins/eap_radius/eap_radius_accounting.c b/src/libcharon/plugins/eap_radius/eap_radius_accounting.c
index 3c72c122d..ec78c8ef2 100644
--- a/src/libcharon/plugins/eap_radius/eap_radius_accounting.c
+++ b/src/libcharon/plugins/eap_radius/eap_radius_accounting.c
@@ -23,6 +23,7 @@
 #include <daemon.h>
 #include <collections/hashtable.h>
 #include <threading/mutex.h>
+#include <processing/jobs/callback_job.h>
 
 typedef struct private_eap_radius_accounting_t private_eap_radius_accounting_t;
 
@@ -37,7 +38,7 @@ struct private_eap_radius_accounting_t {
 	eap_radius_accounting_t public;
 
 	/**
-	 * Hashtable with sessions, IKE_SA unique id => entry_t
+	 * Hashtable with sessions, ike_sa_id_t => entry_t
 	 */
 	hashtable_t *sessions;
 
@@ -52,20 +53,70 @@ struct private_eap_radius_accounting_t {
 	u_int32_t prefix;
 };
 
+/**
+ * Singleton instance of accounting
+ */
+static private_eap_radius_accounting_t *singleton = NULL;
+
+/**
+ * Acct-Terminate-Cause
+ */
+typedef enum {
+	ACCT_CAUSE_USER_REQUEST = 1,
+	ACCT_CAUSE_LOST_CARRIER = 2,
+	ACCT_CAUSE_LOST_SERVICE = 3,
+	ACCT_CAUSE_IDLE_TIMEOUT = 4,
+	ACCT_CAUSE_SESSION_TIMEOUT = 5,
+	ACCT_CAUSE_ADMIN_RESET = 6,
+	ACCT_CAUSE_ADMIN_REBOOT = 7,
+	ACCT_CAUSE_PORT_ERROR = 8,
+	ACCT_CAUSE_NAS_ERROR = 9,
+	ACCT_CAUSE_NAS_REQUEST = 10,
+	ACCT_CAUSE_NAS_REBOOT = 11,
+	ACCT_CAUSE_PORT_UNNEEDED = 12,
+	ACCT_CAUSE_PORT_PREEMPTED = 13,
+	ACCT_CAUSE_PORT_SUSPENDED = 14,
+	ACCT_CAUSE_SERVICE_UNAVAILABLE = 15,
+	ACCT_CAUSE_CALLBACK = 16,
+	ACCT_CAUSE_USER_ERROR = 17,
+	ACCT_CAUSE_HOST_REQUEST = 18,
+} radius_acct_terminate_cause_t;
+
 /**
  * Hashtable entry with usage stats
  */
 typedef struct {
+	/** IKE_SA identifier this entry is stored under */
+	ike_sa_id_t *id;
 	/** RADIUS accounting session ID */
 	char sid[16];
-	/** number of octets sent */
-	u_int64_t sent;
-	/** number of octets received */
-	u_int64_t received;
+	/** number of sent/received octets/packets */
+	struct {
+		u_int64_t sent;
+		u_int64_t received;
+	} bytes, packets;
 	/** session creation time */
 	time_t created;
+	/** terminate cause */
+	radius_acct_terminate_cause_t cause;
+	/* interim interval and timestamp of last update */
+	struct {
+		u_int32_t interval;
+		time_t last;
+	} interim;
+	/** did we send Accounting-Start */
+	bool start_sent;
 } entry_t;
 
+/**
+ * Destroy an entry_t
+ */
+static void destroy_entry(entry_t *this)
+{
+	this->id->destroy(this->id);
+	free(this);
+}
+
 /**
  * Accounting message status types
  */
@@ -80,17 +131,17 @@ typedef enum {
 /**
  * Hashtable hash function
  */
-static u_int hash(uintptr_t key)
+static u_int hash(ike_sa_id_t *key)
 {
-	return key;
+	return key->get_responder_spi(key);
 }
 
 /**
  * Hashtable equals function
  */
-static bool equals(uintptr_t a, uintptr_t b)
+static bool equals(ike_sa_id_t *a, ike_sa_id_t *b)
 {
-	return a == b;
+	return a->equals(a, b);
 }
 
 /**
@@ -99,19 +150,20 @@ static bool equals(uintptr_t a, uintptr_t b)
 static void update_usage(private_eap_radius_accounting_t *this,
 						 ike_sa_t *ike_sa, child_sa_t *child_sa)
 {
-	u_int64_t sent, received;
+	u_int64_t bytes_in, bytes_out, packets_in, packets_out;
 	entry_t *entry;
 
-	child_sa->get_usestats(child_sa, FALSE, NULL, &sent);
-	child_sa->get_usestats(child_sa, TRUE, NULL, &received);
+	child_sa->get_usestats(child_sa, FALSE, NULL, &bytes_out, &packets_out);
+	child_sa->get_usestats(child_sa, TRUE, NULL, &bytes_in, &packets_in);
 
 	this->mutex->lock(this->mutex);
-	entry = this->sessions->get(this->sessions,
-								(void*)(uintptr_t)ike_sa->get_unique_id(ike_sa));
+	entry = this->sessions->get(this->sessions, ike_sa->get_id(ike_sa));
 	if (entry)
 	{
-		entry->sent += sent;
-		entry->received += received;
+		entry->bytes.sent += bytes_out;
+		entry->bytes.received += bytes_in;
+		entry->packets.sent += packets_out;
+		entry->packets.received += packets_in;
 	}
 	this->mutex->unlock(this->mutex);
 }
@@ -135,10 +187,6 @@ static bool send_message(private_eap_radius_accounting_t *this,
 			ack = response->get_code(response) == RMC_ACCOUNTING_RESPONSE;
 			response->destroy(response);
 		}
-		else
-		{
-			charon->bus->alert(charon->bus, ALERT_RADIUS_NOT_RESPONDING);
-		}
 		client->destroy(client);
 	}
 	return ack;
@@ -150,14 +198,43 @@ static bool send_message(private_eap_radius_accounting_t *this,
 static void add_ike_sa_parameters(radius_message_t *message, ike_sa_t *ike_sa)
 {
 	enumerator_t *enumerator;
-	host_t *vip;
+	host_t *vip, *host;
 	char buf[64];
 	chunk_t data;
+	u_int32_t value;
+
+	/* virtual NAS-Port-Type */
+	value = htonl(5);
+	message->add(message, RAT_NAS_PORT_TYPE, chunk_from_thing(value));
+	/* framed ServiceType */
+	value = htonl(2);
+	message->add(message, RAT_SERVICE_TYPE, chunk_from_thing(value));
+
+	value = htonl(ike_sa->get_unique_id(ike_sa));
+	message->add(message, RAT_NAS_PORT, chunk_from_thing(value));
+	message->add(message, RAT_NAS_PORT_ID,
+				 chunk_from_str(ike_sa->get_name(ike_sa)));
+
+	host = ike_sa->get_my_host(ike_sa);
+	data = host->get_address(host);
+	switch (host->get_family(host))
+	{
+		case AF_INET:
+			message->add(message, RAT_NAS_IP_ADDRESS, data);
+			break;
+		case AF_INET6:
+			message->add(message, RAT_NAS_IPV6_ADDRESS, data);
+		default:
+			break;
+	}
+	snprintf(buf, sizeof(buf), "%#H", host);
+	message->add(message, RAT_CALLED_STATION_ID, chunk_from_str(buf));
+	host = ike_sa->get_other_host(ike_sa);
+	snprintf(buf, sizeof(buf), "%#H", host);
+	message->add(message, RAT_CALLING_STATION_ID, chunk_from_str(buf));
 
 	snprintf(buf, sizeof(buf), "%Y", ike_sa->get_other_eap_id(ike_sa));
-	message->add(message, RAT_USER_NAME, chunk_create(buf, strlen(buf)));
-	snprintf(buf, sizeof(buf), "%#H", ike_sa->get_other_host(ike_sa));
-	message->add(message, RAT_CALLING_STATION_ID, chunk_create(buf, strlen(buf)));
+	message->add(message, RAT_USER_NAME, chunk_from_str(buf));
 
 	enumerator = ike_sa->create_virtual_ip_enumerator(ike_sa, FALSE);
 	while (enumerator->enumerate(enumerator, &vip))
@@ -181,6 +258,179 @@ static void add_ike_sa_parameters(radius_message_t *message, ike_sa_t *ike_sa)
 	enumerator->destroy(enumerator);
 }
 
+/**
+ * Get an existing or create a new entry from the locked session table
+ */
+static entry_t* get_or_create_entry(private_eap_radius_accounting_t *this,
+									ike_sa_t *ike_sa)
+{
+	ike_sa_id_t *id;
+	entry_t *entry;
+	time_t now;
+
+	entry = this->sessions->get(this->sessions, ike_sa->get_id(ike_sa));
+	if (!entry)
+	{
+		now = time_monotonic(NULL);
+		id = ike_sa->get_id(ike_sa);
+
+		INIT(entry,
+			.id = id->clone(id),
+			.created = now,
+			.interim = {
+				.last = now,
+			},
+			/* default terminate cause, if none other catched */
+			.cause = ACCT_CAUSE_USER_REQUEST,
+		);
+		snprintf(entry->sid, sizeof(entry->sid), "%u-%u",
+				 this->prefix, ike_sa->get_unique_id(ike_sa));
+		this->sessions->put(this->sessions, entry->id, entry);
+	}
+	return entry;
+}
+
+/* forward declaration */
+static void schedule_interim(private_eap_radius_accounting_t *this,
+							 entry_t *entry);
+
+/**
+ * Data passed to send_interim() using callback job
+ */
+typedef struct {
+	/** reference to radius accounting */
+	private_eap_radius_accounting_t *this;
+	/** IKE_SA identifier to send interim update to */
+	ike_sa_id_t *id;
+} interim_data_t;
+
+/**
+ * Clean up interim data
+ */
+void destroy_interim_data(interim_data_t *this)
+{
+	this->id->destroy(this->id);
+	free(this);
+}
+
+/**
+ * Send an interim update for entry of given IKE_SA identifier
+ */
+static job_requeue_t send_interim(interim_data_t *data)
+{
+	private_eap_radius_accounting_t *this = data->this;
+	u_int64_t bytes_in = 0, bytes_out = 0, packets_in = 0, packets_out = 0;
+	u_int64_t bytes, packets;
+	radius_message_t *message = NULL;
+	enumerator_t *enumerator;
+	child_sa_t *child_sa;
+	ike_sa_t *ike_sa;
+	entry_t *entry;
+	u_int32_t value;
+
+	ike_sa = charon->ike_sa_manager->checkout(charon->ike_sa_manager, data->id);
+	if (!ike_sa)
+	{
+		return JOB_REQUEUE_NONE;
+	}
+	enumerator = ike_sa->create_child_sa_enumerator(ike_sa);
+	while (enumerator->enumerate(enumerator, &child_sa))
+	{
+		child_sa->get_usestats(child_sa, FALSE, NULL, &bytes, &packets);
+		bytes_out += bytes;
+		packets_out += packets;
+		child_sa->get_usestats(child_sa, TRUE, NULL, &bytes, &packets);
+		bytes_in += bytes;
+		packets_in += packets;
+	}
+	enumerator->destroy(enumerator);
+	charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa);
+
+	/* avoid any races by returning IKE_SA before acquiring lock */
+
+	this->mutex->lock(this->mutex);
+	entry = this->sessions->get(this->sessions, data->id);
+	if (entry)
+	{
+		entry->interim.last = time_monotonic(NULL);
+
+		bytes_in += entry->bytes.received;
+		bytes_out += entry->bytes.sent;
+		packets_in += entry->packets.received;
+		packets_out += entry->packets.sent;
+
+		message = radius_message_create(RMC_ACCOUNTING_REQUEST);
+		value = htonl(ACCT_STATUS_INTERIM_UPDATE);
+		message->add(message, RAT_ACCT_STATUS_TYPE, chunk_from_thing(value));
+		message->add(message, RAT_ACCT_SESSION_ID,
+					 chunk_create(entry->sid, strlen(entry->sid)));
+		add_ike_sa_parameters(message, ike_sa);
+
+		value = htonl(bytes_out);
+		message->add(message, RAT_ACCT_OUTPUT_OCTETS, chunk_from_thing(value));
+		value = htonl(bytes_out >> 32);
+		if (value)
+		{
+			message->add(message, RAT_ACCT_OUTPUT_GIGAWORDS,
+						 chunk_from_thing(value));
+		}
+		value = htonl(packets_out);
+		message->add(message, RAT_ACCT_OUTPUT_PACKETS, chunk_from_thing(value));
+
+		value = htonl(bytes_in);
+		message->add(message, RAT_ACCT_INPUT_OCTETS, chunk_from_thing(value));
+		value = htonl(bytes_in >> 32);
+		if (value)
+		{
+			message->add(message, RAT_ACCT_INPUT_GIGAWORDS,
+						 chunk_from_thing(value));
+		}
+		value = htonl(packets_in);
+		message->add(message, RAT_ACCT_INPUT_PACKETS, chunk_from_thing(value));
+
+		value = htonl(entry->interim.last - entry->created);
+		message->add(message, RAT_ACCT_SESSION_TIME, chunk_from_thing(value));
+
+		schedule_interim(this, entry);
+	}
+	this->mutex->unlock(this->mutex);
+
+	if (message)
+	{
+		if (!send_message(this, message))
+		{
+			eap_radius_handle_timeout(data->id);
+		}
+		message->destroy(message);
+	}
+	return JOB_REQUEUE_NONE;
+}
+
+/**
+ * Schedule interim update for given entry
+ */
+static void schedule_interim(private_eap_radius_accounting_t *this,
+							 entry_t *entry)
+{
+	if (entry->interim.interval)
+	{
+		interim_data_t *data;
+		timeval_t tv = {
+			.tv_sec = entry->interim.last + entry->interim.interval,
+		};
+
+		INIT(data,
+			.this = this,
+			.id = entry->id->clone(entry->id),
+		);
+		lib->scheduler->schedule_job_tv(lib->scheduler,
+			(job_t*)callback_job_create_with_prio(
+				(callback_job_cb_t)send_interim,
+				data, (void*)destroy_interim_data,
+				(callback_job_cancel_t)return_false, JOB_PRIO_CRITICAL), tv);
+	}
+}
+
 /**
  * Send an accounting start message
  */
@@ -188,28 +438,28 @@ static void send_start(private_eap_radius_accounting_t *this, ike_sa_t *ike_sa)
 {
 	radius_message_t *message;
 	entry_t *entry;
-	u_int32_t id, value;
+	u_int32_t value;
 
-	id = ike_sa->get_unique_id(ike_sa);
-	INIT(entry,
-		.created = time_monotonic(NULL),
-	);
-	snprintf(entry->sid, sizeof(entry->sid), "%u-%u", this->prefix, id);
+	this->mutex->lock(this->mutex);
+
+	entry = get_or_create_entry(this, ike_sa);
+	entry->start_sent = TRUE;
 
 	message = radius_message_create(RMC_ACCOUNTING_REQUEST);
 	value = htonl(ACCT_STATUS_START);
 	message->add(message, RAT_ACCT_STATUS_TYPE, chunk_from_thing(value));
 	message->add(message, RAT_ACCT_SESSION_ID,
 				 chunk_create(entry->sid, strlen(entry->sid)));
+
+	schedule_interim(this, entry);
+	this->mutex->unlock(this->mutex);
+
 	add_ike_sa_parameters(message, ike_sa);
-	if (send_message(this, message))
+	if (!send_message(this, message))
 	{
-		this->mutex->lock(this->mutex);
-		entry = this->sessions->put(this->sessions, (void*)(uintptr_t)id, entry);
-		this->mutex->unlock(this->mutex);
+		eap_radius_handle_timeout(ike_sa->get_id(ike_sa));
 	}
 	message->destroy(message);
-	free(entry);
 }
 
 /**
@@ -219,45 +469,91 @@ static void send_stop(private_eap_radius_accounting_t *this, ike_sa_t *ike_sa)
 {
 	radius_message_t *message;
 	entry_t *entry;
-	u_int32_t id, value;
+	u_int32_t value;
 
-	id = ike_sa->get_unique_id(ike_sa);
 	this->mutex->lock(this->mutex);
-	entry = this->sessions->remove(this->sessions, (void*)(uintptr_t)id);
+	entry = this->sessions->remove(this->sessions, ike_sa->get_id(ike_sa));
 	this->mutex->unlock(this->mutex);
 	if (entry)
 	{
+		if (!entry->start_sent)
+		{	/* we tried to authenticate this peer, but never sent a start */
+			destroy_entry(entry);
+			return;
+		}
 		message = radius_message_create(RMC_ACCOUNTING_REQUEST);
 		value = htonl(ACCT_STATUS_STOP);
 		message->add(message, RAT_ACCT_STATUS_TYPE, chunk_from_thing(value));
 		message->add(message, RAT_ACCT_SESSION_ID,
 					 chunk_create(entry->sid, strlen(entry->sid)));
 		add_ike_sa_parameters(message, ike_sa);
-		value = htonl(entry->sent);
+
+		value = htonl(entry->bytes.sent);
 		message->add(message, RAT_ACCT_OUTPUT_OCTETS, chunk_from_thing(value));
-		value = htonl(entry->sent >> 32);
+		value = htonl(entry->bytes.sent >> 32);
 		if (value)
 		{
 			message->add(message, RAT_ACCT_OUTPUT_GIGAWORDS,
 						 chunk_from_thing(value));
 		}
-		value = htonl(entry->received);
+		value = htonl(entry->packets.sent);
+		message->add(message, RAT_ACCT_OUTPUT_PACKETS, chunk_from_thing(value));
+
+		value = htonl(entry->bytes.received);
 		message->add(message, RAT_ACCT_INPUT_OCTETS, chunk_from_thing(value));
-		value = htonl(entry->received >> 32);
+		value = htonl(entry->bytes.received >> 32);
 		if (value)
 		{
 			message->add(message, RAT_ACCT_INPUT_GIGAWORDS,
 						 chunk_from_thing(value));
 		}
+		value = htonl(entry->packets.received);
+		message->add(message, RAT_ACCT_INPUT_PACKETS, chunk_from_thing(value));
+
 		value = htonl(time_monotonic(NULL) - entry->created);
 		message->add(message, RAT_ACCT_SESSION_TIME, chunk_from_thing(value));
 
-		send_message(this, message);
+
+		value = htonl(entry->cause);
+		message->add(message, RAT_ACCT_TERMINATE_CAUSE, chunk_from_thing(value));
+
+		if (!send_message(this, message))
+		{
+			eap_radius_handle_timeout(NULL);
+		}
 		message->destroy(message);
-		free(entry);
+		destroy_entry(entry);
 	}
 }
 
+METHOD(listener_t, alert, bool,
+	private_eap_radius_accounting_t *this, ike_sa_t *ike_sa, alert_t alert,
+	va_list args)
+{
+	radius_acct_terminate_cause_t cause;
+	entry_t *entry;
+
+	switch (alert)
+	{
+		case ALERT_IKE_SA_EXPIRED:
+			cause = ACCT_CAUSE_SESSION_TIMEOUT;
+			break;
+		case ALERT_RETRANSMIT_SEND_TIMEOUT:
+			cause = ACCT_CAUSE_LOST_SERVICE;
+			break;
+		default:
+			return TRUE;
+	}
+	this->mutex->lock(this->mutex);
+	entry = this->sessions->get(this->sessions, ike_sa->get_id(ike_sa));
+	if (entry)
+	{
+		entry->cause = cause;
+	}
+	this->mutex->unlock(this->mutex);
+	return TRUE;
+}
+
 METHOD(listener_t, ike_updown, bool,
 	private_eap_radius_accounting_t *this, ike_sa_t *ike_sa, bool up)
 {
@@ -307,15 +603,20 @@ METHOD(listener_t, ike_rekey, bool,
 	entry_t *entry;
 
 	this->mutex->lock(this->mutex);
-	entry = this->sessions->remove(this->sessions,
-							(void*)(uintptr_t)old->get_unique_id(old));
+	entry = this->sessions->remove(this->sessions, old->get_id(old));
 	if (entry)
 	{
-		entry = this->sessions->put(this->sessions,
-							(void*)(uintptr_t)new->get_unique_id(new), entry);
+		/* update IKE_SA identifier */
+		entry->id->destroy(entry->id);
+		entry->id = new->get_id(new);
+		entry->id = entry->id->clone(entry->id);
+		/* fire new interim update job, old gets invalid */
+		schedule_interim(this, entry);
+
+		entry = this->sessions->put(this->sessions, entry->id, entry);
 		if (entry)
 		{
-			free(entry);
+			destroy_entry(entry);
 		}
 	}
 	this->mutex->unlock(this->mutex);
@@ -346,6 +647,8 @@ METHOD(listener_t, child_updown, bool,
 METHOD(eap_radius_accounting_t, destroy, void,
 	private_eap_radius_accounting_t *this)
 {
+	charon->bus->remove_listener(charon->bus, &this->public.listener);
+	singleton = NULL;
 	this->mutex->destroy(this->mutex);
 	this->sessions->destroy(this->sessions);
 	free(this);
@@ -361,6 +664,7 @@ eap_radius_accounting_t *eap_radius_accounting_create()
 	INIT(this,
 		.public = {
 			.listener = {
+				.alert = _alert,
 				.ike_updown = _ike_updown,
 				.ike_rekey = _ike_rekey,
 				.message = _message_hook,
@@ -376,5 +680,28 @@ eap_radius_accounting_t *eap_radius_accounting_create()
 		.mutex = mutex_create(MUTEX_TYPE_DEFAULT),
 	);
 
+	if (lib->settings->get_bool(lib->settings,
+					"%s.plugins.eap-radius.accounting", FALSE, charon->name))
+	{
+		singleton = this;
+		charon->bus->add_listener(charon->bus, &this->public.listener);
+	}
 	return &this->public;
 }
+
+/**
+ * See header
+ */
+void eap_radius_accounting_start_interim(ike_sa_t *ike_sa, u_int32_t interval)
+{
+	if (singleton)
+	{
+		entry_t *entry;
+
+		DBG1(DBG_CFG, "scheduling RADIUS Interim-Updates every %us", interval);
+		singleton->mutex->lock(singleton->mutex);
+		entry = get_or_create_entry(singleton, ike_sa);
+		entry->interim.interval = interval;
+		singleton->mutex->unlock(singleton->mutex);
+	}
+}
diff --git a/src/libcharon/plugins/eap_radius/eap_radius_accounting.h b/src/libcharon/plugins/eap_radius/eap_radius_accounting.h
index 811a5bb90..8d4f9a0e1 100644
--- a/src/libcharon/plugins/eap_radius/eap_radius_accounting.h
+++ b/src/libcharon/plugins/eap_radius/eap_radius_accounting.h
@@ -46,4 +46,12 @@ struct eap_radius_accounting_t {
  */
 eap_radius_accounting_t *eap_radius_accounting_create();
 
+/**
+ * Schedule Accounting interim updates for the given IKE_SA.
+ *
+ * @param ike_sa			IKE_SA to send updates for
+ * @param interval			interval for interim updates
+ */
+void eap_radius_accounting_start_interim(ike_sa_t *ike_sa, u_int32_t interval);
+
 #endif /** EAP_RADIUS_ACCOUNTING_H_ @}*/
diff --git a/src/libcharon/plugins/eap_radius/eap_radius_plugin.c b/src/libcharon/plugins/eap_radius/eap_radius_plugin.c
index 9d4bbe1f3..3baf46731 100644
--- a/src/libcharon/plugins/eap_radius/eap_radius_plugin.c
+++ b/src/libcharon/plugins/eap_radius/eap_radius_plugin.c
@@ -19,12 +19,15 @@
 #include "eap_radius_accounting.h"
 #include "eap_radius_dae.h"
 #include "eap_radius_forward.h"
+#include "eap_radius_provider.h"
 
 #include <radius_client.h>
 #include <radius_config.h>
 
-#include <daemon.h>
+#include <hydra.h>
 #include <threading/rwlock.h>
+#include <processing/jobs/callback_job.h>
+#include <processing/jobs/delete_ike_sa_job.h>
 
 /**
  * Default RADIUS server port for authentication
@@ -63,6 +66,11 @@ struct private_eap_radius_plugin_t {
 	 */
 	eap_radius_accounting_t *accounting;
 
+	/**
+	 * IKE attribute provider
+	 */
+	eap_radius_provider_t *provider;
+
 	/**
 	 * Dynamic authorization extensions
 	 */
@@ -207,6 +215,9 @@ METHOD(plugin_t, reload, bool,
 METHOD(plugin_t, destroy, void,
 	private_eap_radius_plugin_t *this)
 {
+	hydra->attributes->remove_provider(hydra->attributes,
+									   &this->provider->provider);
+	this->provider->destroy(this->provider);
 	if (this->forward)
 	{
 		charon->bus->remove_listener(charon->bus, &this->forward->listener);
@@ -216,7 +227,6 @@ METHOD(plugin_t, destroy, void,
 	this->configs->destroy_offset(this->configs,
 								  offsetof(radius_config_t, destroy));
 	this->lock->destroy(this->lock);
-	charon->bus->remove_listener(charon->bus, &this->accounting->listener);
 	this->accounting->destroy(this->accounting);
 	free(this);
 	instance = NULL;
@@ -242,16 +252,12 @@ plugin_t *eap_radius_plugin_create()
 		.lock = rwlock_create(RWLOCK_TYPE_DEFAULT),
 		.accounting = eap_radius_accounting_create(),
 		.forward = eap_radius_forward_create(),
+		.provider = eap_radius_provider_create(),
 	);
 
 	load_configs(this);
 	instance = this;
 
-	if (lib->settings->get_bool(lib->settings,
-					"%s.plugins.eap-radius.accounting", FALSE, charon->name))
-	{
-		charon->bus->add_listener(charon->bus, &this->accounting->listener);
-	}
 	if (lib->settings->get_bool(lib->settings,
 					"%s.plugins.eap-radius.dae.enable", FALSE, charon->name))
 	{
@@ -261,6 +267,8 @@ plugin_t *eap_radius_plugin_create()
 	{
 		charon->bus->add_listener(charon->bus, &this->forward->listener);
 	}
+	hydra->attributes->add_provider(hydra->attributes,
+									&this->provider->provider);
 
 	return &this->public.plugin;
 }
@@ -308,3 +316,47 @@ radius_client_t *eap_radius_create_client()
 	return NULL;
 }
 
+/**
+ * Job to delete all active IKE_SAs
+ */
+static job_requeue_t delete_all_async(void *data)
+{
+	enumerator_t *enumerator;
+	ike_sa_t *ike_sa;
+
+	enumerator = charon->ike_sa_manager->create_enumerator(
+												charon->ike_sa_manager, TRUE);
+	while (enumerator->enumerate(enumerator, &ike_sa))
+	{
+		lib->processor->queue_job(lib->processor,
+				(job_t*)delete_ike_sa_job_create(ike_sa->get_id(ike_sa), TRUE));
+	}
+	enumerator->destroy(enumerator);
+
+	return JOB_REQUEUE_NONE;
+}
+
+/**
+ * See header.
+ */
+void eap_radius_handle_timeout(ike_sa_id_t *id)
+{
+	charon->bus->alert(charon->bus, ALERT_RADIUS_NOT_RESPONDING);
+
+	if (lib->settings->get_bool(lib->settings,
+								"%s.plugins.eap-radius.close_all_on_timeout",
+								FALSE, charon->name))
+	{
+		DBG1(DBG_CFG, "deleting all IKE_SAs after RADIUS timeout");
+		lib->processor->queue_job(lib->processor,
+				(job_t*)callback_job_create_with_prio(
+						(callback_job_cb_t)delete_all_async, NULL, NULL,
+						(callback_job_cancel_t)return_false, JOB_PRIO_CRITICAL));
+	}
+	else if (id)
+	{
+		DBG1(DBG_CFG, "deleting IKE_SA after RADIUS timeout");
+		lib->processor->queue_job(lib->processor,
+				(job_t*)delete_ike_sa_job_create(id, TRUE));
+	}
+}
diff --git a/src/libcharon/plugins/eap_radius/eap_radius_plugin.h b/src/libcharon/plugins/eap_radius/eap_radius_plugin.h
index 1570bd566..80fa209d6 100644
--- a/src/libcharon/plugins/eap_radius/eap_radius_plugin.h
+++ b/src/libcharon/plugins/eap_radius/eap_radius_plugin.h
@@ -27,6 +27,7 @@
 #include <plugins/plugin.h>
 
 #include <radius_client.h>
+#include <daemon.h>
 
 typedef struct eap_radius_plugin_t eap_radius_plugin_t;
 
@@ -51,4 +52,14 @@ struct eap_radius_plugin_t {
  */
 radius_client_t *eap_radius_create_client();
 
+/**
+ * Handle a RADIUS request timeout.
+ *
+ * If an IKE_SA is given, it gets deleted (unless the policy says to delete
+ * any established IKE_SA).
+ *
+ * @param id		associated IKE_SA where timeout happened, or NULL
+ */
+void eap_radius_handle_timeout(ike_sa_id_t *id);
+
 #endif /** EAP_RADIUS_PLUGIN_H_ @}*/
diff --git a/src/libcharon/plugins/eap_radius/eap_radius_provider.c b/src/libcharon/plugins/eap_radius/eap_radius_provider.c
new file mode 100644
index 000000000..6087313b5
--- /dev/null
+++ b/src/libcharon/plugins/eap_radius/eap_radius_provider.c
@@ -0,0 +1,486 @@
+/*
+ * Copyright (C) 2013 Martin Willi
+ * Copyright (C) 2013 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "eap_radius_provider.h"
+
+#include <daemon.h>
+#include <collections/hashtable.h>
+#include <threading/mutex.h>
+
+typedef struct private_eap_radius_provider_t private_eap_radius_provider_t;
+typedef struct private_listener_t private_listener_t;
+
+/**
+ * Private data of registered listener
+ */
+struct private_listener_t {
+
+	/**
+	 * Implements listener_t interface
+	 */
+	listener_t public;
+
+	/**
+	 * Leases not acquired yet, identification_t => entry_t
+	 */
+	hashtable_t *unclaimed;
+
+	/**
+	 * Leases acquired, identification_t => entry_t
+	 */
+	hashtable_t *claimed;
+
+	/**
+	 * Mutex to lock leases
+	 */
+	mutex_t *mutex;
+};
+
+/**
+ * Private data of an eap_radius_provider_t object.
+ */
+struct private_eap_radius_provider_t {
+
+	/**
+	 * Public eap_radius_provider_t interface.
+	 */
+	eap_radius_provider_t public;
+
+	/**
+	 * Additionally implements the listener_t interface
+	 */
+	private_listener_t listener;
+};
+
+/**
+ * Singleton instance of provider
+ */
+static eap_radius_provider_t *singleton = NULL;
+
+/**
+ * Configuration attribute in an entry
+ */
+typedef struct {
+	/** type of attribute */
+	configuration_attribute_type_t type;
+	/** attribute data */
+	chunk_t data;
+} attr_t;
+
+/**
+ * Destroy an attr_t
+ */
+static void destroy_attr(attr_t *this)
+{
+	free(this->data.ptr);
+	free(this);
+}
+
+/**
+ * Hashtable entry with leases and attributes
+ */
+typedef struct {
+	/** identity we assigned the IP lease */
+	identification_t *id;
+	/** list of IP leases received from AAA, as host_t */
+	linked_list_t *addrs;
+	/** list of configuration attributes, as attr_t */
+	linked_list_t *attrs;
+} entry_t;
+
+/**
+ * destroy an entry_t
+ */
+static void destroy_entry(entry_t *this)
+{
+	this->id->destroy(this->id);
+	this->addrs->destroy_offset(this->addrs, offsetof(host_t, destroy));
+	this->attrs->destroy_function(this->attrs, (void*)destroy_attr);
+	free(this);
+}
+
+/**
+ * Get or create an entry from a locked hashtable
+ */
+static entry_t* get_or_create_entry(hashtable_t *hashtable, identification_t *id)
+{
+	entry_t *entry;
+
+	entry = hashtable->get(hashtable, id);
+	if (!entry)
+	{
+		INIT(entry,
+			.id = id->clone(id),
+			.addrs = linked_list_create(),
+			.attrs = linked_list_create(),
+		);
+		hashtable->put(hashtable, entry->id, entry);
+	}
+	return entry;
+}
+
+/**
+ * Put an entry to hashtable, or destroy it ife empty
+ */
+static void put_or_destroy_entry(hashtable_t *hashtable, entry_t *entry)
+{
+	if (entry->addrs->get_count(entry->addrs) > 0 ||
+		entry->attrs->get_count(entry->attrs) > 0)
+	{
+		hashtable->put(hashtable, entry->id, entry);
+	}
+	else
+	{
+		destroy_entry(entry);
+	}
+}
+
+/**
+ * Hashtable hash function
+ */
+static u_int hash(identification_t *id)
+{
+	return chunk_hash_inc(id->get_encoding(id), id->get_type(id));
+}
+
+/**
+ * Hashtable equals function
+ */
+static bool equals(identification_t *a, identification_t *b)
+{
+	return a->equals(a, b);
+}
+
+/**
+ * Insert an address entry to a locked claimed/unclaimed hashtable
+ */
+static void add_addr(private_eap_radius_provider_t *this,
+					 hashtable_t *hashtable, identification_t *id, host_t *host)
+{
+	entry_t *entry;
+
+	entry = get_or_create_entry(hashtable, id);
+	entry->addrs->insert_last(entry->addrs, host);
+}
+
+/**
+ * Remove the next address from the locked hashtable stored for given id
+ */
+static host_t* remove_addr(private_eap_radius_provider_t *this,
+						   hashtable_t *hashtable, identification_t *id)
+{
+	entry_t *entry;
+	host_t *addr = NULL;
+
+	entry = hashtable->remove(hashtable, id);
+	if (entry)
+	{
+		entry->addrs->remove_first(entry->addrs, (void**)&addr);
+		put_or_destroy_entry(hashtable, entry);
+	}
+	return addr;
+}
+
+/**
+ * Insert an attribute entry to a locked claimed/unclaimed hashtable
+ */
+static void add_attr(private_eap_radius_provider_t *this,
+					 hashtable_t *hashtable, identification_t *id, attr_t *attr)
+{
+	entry_t *entry;
+
+	entry = get_or_create_entry(hashtable, id);
+	entry->attrs->insert_last(entry->attrs, attr);
+}
+
+/**
+ * Remove the next attribute from the locked hashtable stored for given id
+ */
+static attr_t* remove_attr(private_eap_radius_provider_t *this,
+						   hashtable_t *hashtable, identification_t *id)
+{
+	entry_t *entry;
+	attr_t *attr = NULL;
+
+	entry = hashtable->remove(hashtable, id);
+	if (entry)
+	{
+		entry->attrs->remove_first(entry->attrs, (void**)&attr);
+		put_or_destroy_entry(hashtable, entry);
+	}
+	return attr;
+}
+
+/**
+ * Clean up unclaimed leases assigned for an IKE_SA
+ */
+static void release_unclaimed(private_listener_t *this, ike_sa_t *ike_sa)
+{
+	identification_t *id;
+	entry_t *entry;
+
+	id = ike_sa->get_other_eap_id(ike_sa);
+	this->mutex->lock(this->mutex);
+	entry = this->unclaimed->remove(this->unclaimed, id);
+	this->mutex->unlock(this->mutex);
+	if (entry)
+	{
+		destroy_entry(entry);
+	}
+}
+
+METHOD(listener_t, message_hook, bool,
+	private_listener_t *this, ike_sa_t *ike_sa,
+	message_t *message, bool incoming, bool plain)
+{
+	if (plain && ike_sa->get_state(ike_sa) == IKE_ESTABLISHED &&
+		!incoming && !message->get_request(message))
+	{
+		if ((ike_sa->get_version(ike_sa) == IKEV1 &&
+			 message->get_exchange_type(message) == TRANSACTION) ||
+			(ike_sa->get_version(ike_sa) == IKEV2 &&
+			 message->get_exchange_type(message) == IKE_AUTH))
+		{
+			/* if the addresses have not been claimed yet, they won't. Release
+			 * these resources. */
+			release_unclaimed(this, ike_sa);
+		}
+	}
+	return TRUE;
+}
+
+METHOD(listener_t, ike_updown, bool,
+	private_listener_t *this, ike_sa_t *ike_sa, bool up)
+{
+	if (!up)
+	{
+		/* if the message hook does not apply because of a failed exchange
+		 * or something, make sure we release any resources now */
+		release_unclaimed(this, ike_sa);
+	}
+	return TRUE;
+}
+
+METHOD(attribute_provider_t, acquire_address, host_t*,
+	private_eap_radius_provider_t *this, linked_list_t *pools,
+	identification_t *id, host_t *requested)
+{
+	enumerator_t *enumerator;
+	host_t *addr = NULL;
+	char *name;
+
+	enumerator = pools->create_enumerator(pools);
+	while (enumerator->enumerate(enumerator, &name))
+	{
+		if (streq(name, "radius"))
+		{
+			this->listener.mutex->lock(this->listener.mutex);
+			addr = remove_addr(this, this->listener.unclaimed, id);
+			if (addr)
+			{
+				add_addr(this, this->listener.claimed, id, addr->clone(addr));
+			}
+			this->listener.mutex->unlock(this->listener.mutex);
+			break;
+		}
+	}
+	enumerator->destroy(enumerator);
+
+	return addr;
+}
+
+METHOD(attribute_provider_t, release_address, bool,
+	private_eap_radius_provider_t *this, linked_list_t *pools, host_t *address,
+	identification_t *id)
+{
+	enumerator_t *enumerator;
+	host_t *found = NULL;
+	char *name;
+
+	enumerator = pools->create_enumerator(pools);
+	while (enumerator->enumerate(enumerator, &name))
+	{
+		if (streq(name, "radius"))
+		{
+			this->listener.mutex->lock(this->listener.mutex);
+			found = remove_addr(this, this->listener.claimed, id);
+			this->listener.mutex->unlock(this->listener.mutex);
+			break;
+		}
+	}
+	enumerator->destroy(enumerator);
+
+	if (found)
+	{
+		found->destroy(found);
+		return TRUE;
+	}
+	return FALSE;
+}
+
+/**
+ * Enumerator implementation over attributes
+ */
+typedef struct {
+	/** implements enumerator_t */
+	enumerator_t public;
+	/** list of attributes to enumerate */
+	linked_list_t *list;
+	/** currently enumerating attribute */
+	attr_t *current;
+} attribute_enumerator_t;
+
+
+METHOD(enumerator_t, attribute_enumerate, bool,
+	attribute_enumerator_t *this, configuration_attribute_type_t *type,
+	chunk_t *data)
+{
+	if (this->current)
+	{
+		destroy_attr(this->current);
+		this->current = NULL;
+	}
+	if (this->list->remove_first(this->list, (void**)&this->current) == SUCCESS)
+	{
+		*type = this->current->type;
+		*data = this->current->data;
+		return TRUE;
+	}
+	return FALSE;
+}
+
+METHOD(enumerator_t, attribute_destroy, void,
+	attribute_enumerator_t *this)
+{
+	if (this->current)
+	{
+		destroy_attr(this->current);
+	}
+	this->list->destroy_function(this->list, (void*)destroy_attr);
+	free(this);
+}
+
+METHOD(attribute_provider_t, create_attribute_enumerator, enumerator_t*,
+	private_eap_radius_provider_t *this, linked_list_t *pools,
+	identification_t *id, linked_list_t *vips)
+{
+	attribute_enumerator_t *enumerator;
+	attr_t *attr;
+
+	INIT(enumerator,
+		.public = {
+			.enumerate = (void*)_attribute_enumerate,
+			.destroy = _attribute_destroy,
+		},
+		.list = linked_list_create(),
+	);
+
+	/* we forward attributes regardless of pool configurations */
+	this->listener.mutex->lock(this->listener.mutex);
+	while (TRUE)
+	{
+		attr = remove_attr(this, this->listener.unclaimed, id);
+		if (!attr)
+		{
+			break;
+		}
+		enumerator->list->insert_last(enumerator->list, attr);
+	}
+	this->listener.mutex->unlock(this->listener.mutex);
+
+	return &enumerator->public;
+}
+
+METHOD(eap_radius_provider_t, add_framed_ip, void,
+	private_eap_radius_provider_t *this, identification_t *id, host_t *ip)
+{
+	this->listener.mutex->lock(this->listener.mutex);
+	add_addr(this, this->listener.unclaimed, id, ip);
+	this->listener.mutex->unlock(this->listener.mutex);
+}
+
+METHOD(eap_radius_provider_t, add_attribute, void,
+	private_eap_radius_provider_t *this, identification_t *id,
+	configuration_attribute_type_t type, chunk_t data)
+{
+	attr_t *attr;
+
+	INIT(attr,
+		.type = type,
+		.data = chunk_clone(data),
+	);
+	this->listener.mutex->lock(this->listener.mutex);
+	add_attr(this, this->listener.unclaimed, id, attr);
+	this->listener.mutex->unlock(this->listener.mutex);
+}
+
+METHOD(eap_radius_provider_t, destroy, void,
+	private_eap_radius_provider_t *this)
+{
+	singleton = NULL;
+	charon->bus->remove_listener(charon->bus, &this->listener.public);
+	this->listener.mutex->destroy(this->listener.mutex);
+	this->listener.claimed->destroy(this->listener.claimed);
+	this->listener.unclaimed->destroy(this->listener.unclaimed);
+	free(this);
+}
+
+/**
+ * See header
+ */
+eap_radius_provider_t *eap_radius_provider_create()
+{
+	if (!singleton)
+	{
+		private_eap_radius_provider_t *this;
+
+		INIT(this,
+			.public = {
+				.provider = {
+					.acquire_address = _acquire_address,
+					.release_address = _release_address,
+					.create_attribute_enumerator = _create_attribute_enumerator,
+				},
+				.add_framed_ip = _add_framed_ip,
+				.add_attribute = _add_attribute,
+				.destroy = _destroy,
+			},
+			.listener = {
+				.public = {
+					.ike_updown = _ike_updown,
+					.message = _message_hook,
+				},
+				.claimed = hashtable_create((hashtable_hash_t)hash,
+										(hashtable_equals_t)equals, 32),
+				.unclaimed = hashtable_create((hashtable_hash_t)hash,
+										(hashtable_equals_t)equals, 32),
+				.mutex = mutex_create(MUTEX_TYPE_DEFAULT),
+			},
+		);
+
+		charon->bus->add_listener(charon->bus, &this->listener.public);
+
+		singleton = &this->public;
+	}
+	return singleton;
+}
+
+/**
+ * See header
+ */
+eap_radius_provider_t *eap_radius_provider_get()
+{
+	return singleton;
+}
diff --git a/src/libcharon/plugins/eap_radius/eap_radius_provider.h b/src/libcharon/plugins/eap_radius/eap_radius_provider.h
new file mode 100644
index 000000000..a0b4a6b62
--- /dev/null
+++ b/src/libcharon/plugins/eap_radius/eap_radius_provider.h
@@ -0,0 +1,74 @@
+/*
+ * Copyright (C) 2013 Martin Willi
+ * Copyright (C) 2013 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup eap_radius_provider eap_radius_provider
+ * @{ @ingroup eap_radius
+ */
+
+#ifndef EAP_RADIUS_PROVIDER_H_
+#define EAP_RADIUS_PROVIDER_H_
+
+#include <attributes/attributes.h>
+#include <attributes/attribute_provider.h>
+
+typedef struct eap_radius_provider_t eap_radius_provider_t;
+
+/**
+ * IKE configuration attribute fed by RADIUS attributes
+ */
+struct eap_radius_provider_t {
+
+	/**
+	 * Implements attribute_provider_t
+	 */
+	attribute_provider_t provider;
+
+	/**
+	 * Add a received Framed-IP-Address to the provider to serve to client.
+	 *
+	 * @param id			client identity
+	 * @param ip			IP address received from RADIUS server, gets owned
+	 */
+	void (*add_framed_ip)(eap_radius_provider_t *this, identification_t *id,
+						  host_t *ip);
+
+	/**
+	 * Add a configuration attribute received from RADIUS to forward.
+	 *
+	 * @param id			client identity
+	 * @param type			attribute type
+	 * @param data			attribute data
+	 */
+	void (*add_attribute)(eap_radius_provider_t *this, identification_t *id,
+						  configuration_attribute_type_t type, chunk_t data);
+
+	/**
+	 * Destroy a eap_radius_provider_t.
+	 */
+	void (*destroy)(eap_radius_provider_t *this);
+};
+
+/**
+ * Create a eap_radius_provider instance.
+ */
+eap_radius_provider_t *eap_radius_provider_create();
+
+/**
+ * Get singleton instance previously created with eap_radius_provider_create().
+ */
+eap_radius_provider_t *eap_radius_provider_get();
+
+#endif /** EAP_RADIUS_PROVIDER_H_ @}*/
diff --git a/src/libcharon/plugins/eap_sim/Makefile.in b/src/libcharon/plugins/eap_sim/Makefile.in
index 8cf79e503..e4657bb64 100644
--- a/src/libcharon/plugins/eap_sim/Makefile.in
+++ b/src/libcharon/plugins/eap_sim/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.11.3 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
@@ -16,6 +16,23 @@
 @SET_MAKE@
 
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -108,6 +125,11 @@ LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
 	$(LDFLAGS) -o $@
 SOURCES = $(libstrongswan_eap_sim_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_eap_sim_la_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
@@ -124,6 +146,8 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -140,6 +164,7 @@ EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
@@ -208,8 +233,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -265,7 +288,6 @@ nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
@@ -357,7 +379,6 @@ clean-noinstLTLIBRARIES:
 	done
 install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
-	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
 	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
 	list2=; for p in $$list; do \
 	  if test -f $$p; then \
@@ -365,6 +386,8 @@ install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	  else :; fi; \
 	done; \
 	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \
 	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
 	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
 	}
diff --git a/src/libcharon/plugins/eap_sim_file/Makefile.in b/src/libcharon/plugins/eap_sim_file/Makefile.in
index 781087d3b..5816de4ef 100644
--- a/src/libcharon/plugins/eap_sim_file/Makefile.in
+++ b/src/libcharon/plugins/eap_sim_file/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.11.3 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
@@ -16,6 +16,23 @@
 @SET_MAKE@
 
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -110,6 +127,11 @@ LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
 	$(LDFLAGS) -o $@
 SOURCES = $(libstrongswan_eap_sim_file_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_eap_sim_file_la_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
@@ -126,6 +148,8 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -142,6 +166,7 @@ EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
@@ -210,8 +235,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -267,7 +290,6 @@ nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
@@ -360,7 +382,6 @@ clean-noinstLTLIBRARIES:
 	done
 install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
-	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
 	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
 	list2=; for p in $$list; do \
 	  if test -f $$p; then \
@@ -368,6 +389,8 @@ install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	  else :; fi; \
 	done; \
 	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \
 	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
 	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
 	}
diff --git a/src/libcharon/plugins/eap_sim_pcsc/Makefile.in b/src/libcharon/plugins/eap_sim_pcsc/Makefile.in
index 168b0e3d6..2876af72f 100644
--- a/src/libcharon/plugins/eap_sim_pcsc/Makefile.in
+++ b/src/libcharon/plugins/eap_sim_pcsc/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.11.3 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
@@ -16,6 +16,23 @@
 @SET_MAKE@
 
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -111,6 +128,11 @@ LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
 	$(LDFLAGS) -o $@
 SOURCES = $(libstrongswan_eap_sim_pcsc_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_eap_sim_pcsc_la_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
@@ -127,6 +149,8 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -143,6 +167,7 @@ EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
@@ -211,8 +236,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -268,7 +291,6 @@ nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
@@ -360,7 +382,6 @@ clean-noinstLTLIBRARIES:
 	done
 install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
-	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
 	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
 	list2=; for p in $$list; do \
 	  if test -f $$p; then \
@@ -368,6 +389,8 @@ install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	  else :; fi; \
 	done; \
 	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \
 	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
 	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
 	}
diff --git a/src/libcharon/plugins/eap_simaka_pseudonym/Makefile.in b/src/libcharon/plugins/eap_simaka_pseudonym/Makefile.in
index 63ef0db8e..6f2467fad 100644
--- a/src/libcharon/plugins/eap_simaka_pseudonym/Makefile.in
+++ b/src/libcharon/plugins/eap_simaka_pseudonym/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.11.3 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
@@ -16,6 +16,23 @@
 @SET_MAKE@
 
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -111,6 +128,11 @@ LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
 	$(LDFLAGS) -o $@
 SOURCES = $(libstrongswan_eap_simaka_pseudonym_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_eap_simaka_pseudonym_la_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
@@ -127,6 +149,8 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -143,6 +167,7 @@ EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
@@ -211,8 +236,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -268,7 +291,6 @@ nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
@@ -360,7 +382,6 @@ clean-noinstLTLIBRARIES:
 	done
 install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
-	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
 	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
 	list2=; for p in $$list; do \
 	  if test -f $$p; then \
@@ -368,6 +389,8 @@ install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	  else :; fi; \
 	done; \
 	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \
 	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
 	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
 	}
diff --git a/src/libcharon/plugins/eap_simaka_reauth/Makefile.in b/src/libcharon/plugins/eap_simaka_reauth/Makefile.in
index daf329ce2..366c554d7 100644
--- a/src/libcharon/plugins/eap_simaka_reauth/Makefile.in
+++ b/src/libcharon/plugins/eap_simaka_reauth/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.11.3 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
@@ -16,6 +16,23 @@
 @SET_MAKE@
 
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -110,6 +127,11 @@ LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
 	$(LDFLAGS) -o $@
 SOURCES = $(libstrongswan_eap_simaka_reauth_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_eap_simaka_reauth_la_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
@@ -126,6 +148,8 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -142,6 +166,7 @@ EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
@@ -210,8 +235,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -267,7 +290,6 @@ nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
@@ -359,7 +381,6 @@ clean-noinstLTLIBRARIES:
 	done
 install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
-	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
 	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
 	list2=; for p in $$list; do \
 	  if test -f $$p; then \
@@ -367,6 +388,8 @@ install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	  else :; fi; \
 	done; \
 	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \
 	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
 	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
 	}
diff --git a/src/libcharon/plugins/eap_simaka_sql/Makefile.in b/src/libcharon/plugins/eap_simaka_sql/Makefile.in
index b72fc42e9..0b63da04e 100644
--- a/src/libcharon/plugins/eap_simaka_sql/Makefile.in
+++ b/src/libcharon/plugins/eap_simaka_sql/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.11.3 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
@@ -16,6 +16,23 @@
 @SET_MAKE@
 
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -109,6 +126,11 @@ LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
 	$(LDFLAGS) -o $@
 SOURCES = $(libstrongswan_eap_simaka_sql_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_eap_simaka_sql_la_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
@@ -125,6 +147,8 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -141,6 +165,7 @@ EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
@@ -209,8 +234,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -266,7 +289,6 @@ nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
@@ -358,7 +380,6 @@ clean-noinstLTLIBRARIES:
 	done
 install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
-	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
 	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
 	list2=; for p in $$list; do \
 	  if test -f $$p; then \
@@ -366,6 +387,8 @@ install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	  else :; fi; \
 	done; \
 	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \
 	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
 	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
 	}
diff --git a/src/libcharon/plugins/eap_tls/Makefile.in b/src/libcharon/plugins/eap_tls/Makefile.in
index 095eff6cf..bc7157e6b 100644
--- a/src/libcharon/plugins/eap_tls/Makefile.in
+++ b/src/libcharon/plugins/eap_tls/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.11.3 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
@@ -16,6 +16,23 @@
 @SET_MAKE@
 
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -107,6 +124,11 @@ LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
 	$(LDFLAGS) -o $@
 SOURCES = $(libstrongswan_eap_tls_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_eap_tls_la_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
@@ -123,6 +145,8 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -139,6 +163,7 @@ EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
@@ -207,8 +232,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -264,7 +287,6 @@ nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
@@ -354,7 +376,6 @@ clean-noinstLTLIBRARIES:
 	done
 install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
-	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
 	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
 	list2=; for p in $$list; do \
 	  if test -f $$p; then \
@@ -362,6 +383,8 @@ install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	  else :; fi; \
 	done; \
 	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \
 	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
 	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
 	}
diff --git a/src/libcharon/plugins/eap_tnc/Makefile.in b/src/libcharon/plugins/eap_tnc/Makefile.in
index 60a6d6de6..30a858102 100644
--- a/src/libcharon/plugins/eap_tnc/Makefile.in
+++ b/src/libcharon/plugins/eap_tnc/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.11.3 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
@@ -16,6 +16,23 @@
 @SET_MAKE@
 
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -108,6 +125,11 @@ LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
 	$(LDFLAGS) -o $@
 SOURCES = $(libstrongswan_eap_tnc_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_eap_tnc_la_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
@@ -124,6 +146,8 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -140,6 +164,7 @@ EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
@@ -208,8 +233,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -265,7 +288,6 @@ nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
@@ -363,7 +385,6 @@ clean-noinstLTLIBRARIES:
 	done
 install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
-	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
 	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
 	list2=; for p in $$list; do \
 	  if test -f $$p; then \
@@ -371,6 +392,8 @@ install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	  else :; fi; \
 	done; \
 	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \
 	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
 	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
 	}
diff --git a/src/libcharon/plugins/eap_tnc/eap_tnc.c b/src/libcharon/plugins/eap_tnc/eap_tnc.c
index ffa1bae39..7363ade1d 100644
--- a/src/libcharon/plugins/eap_tnc/eap_tnc.c
+++ b/src/libcharon/plugins/eap_tnc/eap_tnc.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2010-2012 Andreas Steffen
+ * Copyright (C) 2010-2013 Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -21,6 +21,8 @@
 #include <utils/debug.h>
 #include <daemon.h>
 
+#include <tncifimv.h>
+
 /**
  * Maximum size of an EAP-TNC message
  */
@@ -43,16 +45,51 @@ struct private_eap_tnc_t {
 	 */
 	eap_tnc_t public;
 
+	/**
+	 * Outer EAP authentication type
+	 */
+	eap_type_t auth_type;
+
 	/**
 	 * TLS stack, wrapped by EAP helper
 	 */
 	tls_eap_t *tls_eap;
+
+	/**
+	 * TNCCS instance running over EAP-TNC
+	 */
+	tnccs_t *tnccs;
+
 };
 
 METHOD(eap_method_t, initiate, status_t,
 	private_eap_tnc_t *this, eap_payload_t **out)
 {
 	chunk_t data;
+	u_int32_t auth_type;
+
+	/* Determine TNC Client Authentication Type */
+	switch (this->auth_type)
+	{
+		case EAP_TLS:
+		case EAP_TTLS:
+		case EAP_PEAP:
+			auth_type = TNC_AUTH_CERT;
+			break;
+		case EAP_MD5:
+		case EAP_MSCHAPV2:
+		case EAP_GTC:
+		case EAP_OTP:
+			auth_type = TNC_AUTH_PASSWORD;
+			break;
+		case EAP_SIM:
+		case EAP_AKA:
+			auth_type = TNC_AUTH_SIM;
+			break;
+		default:
+			auth_type = TNC_AUTH_UNKNOWN;
+	}
+	this->tnccs->set_auth_type(this->tnccs, auth_type);
 
 	if (this->tls_eap->initiate(this->tls_eap, &data) == NEED_MORE)
 	{
@@ -122,6 +159,18 @@ METHOD(eap_method_t, destroy, void,
 	free(this);
 }
 
+METHOD(eap_inner_method_t, get_auth_type, eap_type_t,
+	private_eap_tnc_t *this)
+{
+	return this->auth_type;
+}
+
+METHOD(eap_inner_method_t, set_auth_type, void,
+	private_eap_tnc_t *this, eap_type_t type)
+{
+	this->auth_type = type;
+}
+
 /**
  * Generic private constructor
  */
@@ -132,19 +181,22 @@ static eap_tnc_t *eap_tnc_create(identification_t *server,
 	int max_msg_count;
 	char* protocol;
 	tnccs_type_t type;
-	tnccs_t *tnccs;
 
 	INIT(this,
 		.public = {
-			.eap_method = {
-				.initiate = _initiate,
-				.process = _process,
-				.get_type = _get_type,
-				.is_mutual = _is_mutual,
-				.get_msk = _get_msk,
-				.get_identifier = _get_identifier,
-				.set_identifier = _set_identifier,
-				.destroy = _destroy,
+			.eap_inner_method = {
+				.eap_method = {
+					.initiate = _initiate,
+					.process = _process,
+					.get_type = _get_type,
+					.is_mutual = _is_mutual,
+					.get_msk = _get_msk,
+					.get_identifier = _get_identifier,
+					.set_identifier = _set_identifier,
+					.destroy = _destroy,
+				},
+				.get_auth_type = _get_auth_type,
+				.set_auth_type = _set_auth_type,
 			},
 		},
 	);
@@ -172,10 +224,11 @@ static eap_tnc_t *eap_tnc_create(identification_t *server,
 		free(this);
 		return NULL;
 	}
-	tnccs = tnc->tnccs->create_instance(tnc->tnccs, type, is_server);
-	this->tls_eap = tls_eap_create(EAP_TNC, (tls_t*)tnccs,
-											 EAP_TNC_MAX_MESSAGE_LEN,
-											 max_msg_count, FALSE);
+	this->tnccs = tnc->tnccs->create_instance(tnc->tnccs, type, is_server,
+											  server, peer, TNC_IFT_EAP_1_1);
+	this->tls_eap = tls_eap_create(EAP_TNC, &this->tnccs->tls,
+								   EAP_TNC_MAX_MESSAGE_LEN,
+								   max_msg_count, FALSE);
 	if (!this->tls_eap)
 	{
 		free(this);
diff --git a/src/libcharon/plugins/eap_tnc/eap_tnc.h b/src/libcharon/plugins/eap_tnc/eap_tnc.h
index 09abe60fc..8c881f6cf 100644
--- a/src/libcharon/plugins/eap_tnc/eap_tnc.h
+++ b/src/libcharon/plugins/eap_tnc/eap_tnc.h
@@ -23,7 +23,7 @@
 
 typedef struct eap_tnc_t eap_tnc_t;
 
-#include <sa/eap/eap_method.h>
+#include <sa/eap/eap_inner_method.h>
 
 /**
  * Implementation of the eap_method_t interface using EAP-TNC.
@@ -31,9 +31,9 @@ typedef struct eap_tnc_t eap_tnc_t;
 struct eap_tnc_t {
 
 	/**
-	 * Implemented eap_method_t interface.
+	 * Implemented eap_inner_method_t interface.
 	 */
-	eap_method_t eap_method;
+	eap_inner_method_t eap_inner_method;
 };
 
 /**
diff --git a/src/libcharon/plugins/eap_ttls/Makefile.in b/src/libcharon/plugins/eap_ttls/Makefile.in
index f3ec17b0f..df5bc442e 100644
--- a/src/libcharon/plugins/eap_ttls/Makefile.in
+++ b/src/libcharon/plugins/eap_ttls/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.11.3 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
@@ -16,6 +16,23 @@
 @SET_MAKE@
 
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -110,6 +127,11 @@ LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
 	$(LDFLAGS) -o $@
 SOURCES = $(libstrongswan_eap_ttls_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_eap_ttls_la_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
@@ -126,6 +148,8 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -142,6 +166,7 @@ EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
@@ -210,8 +235,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -267,7 +290,6 @@ nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
@@ -362,7 +384,6 @@ clean-noinstLTLIBRARIES:
 	done
 install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
-	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
 	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
 	list2=; for p in $$list; do \
 	  if test -f $$p; then \
@@ -370,6 +391,8 @@ install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	  else :; fi; \
 	done; \
 	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \
 	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
 	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
 	}
diff --git a/src/libcharon/plugins/eap_ttls/eap_ttls_server.c b/src/libcharon/plugins/eap_ttls/eap_ttls_server.c
index 464de17ba..eef8d6682 100644
--- a/src/libcharon/plugins/eap_ttls/eap_ttls_server.c
+++ b/src/libcharon/plugins/eap_ttls/eap_ttls_server.c
@@ -20,6 +20,7 @@
 #include <daemon.h>
 
 #include <sa/eap/eap_method.h>
+#include <sa/eap/eap_inner_method.h>
 
 typedef struct private_eap_ttls_server_t private_eap_ttls_server_t;
 
@@ -108,8 +109,11 @@ static status_t start_phase2_auth(private_eap_ttls_server_t *this)
 /**
  * If configured, start EAP-TNC protocol
  */
-static status_t start_phase2_tnc(private_eap_ttls_server_t *this)
+static status_t start_phase2_tnc(private_eap_ttls_server_t *this,
+								 eap_type_t auth_type)
 {
+	eap_inner_method_t *inner_method;
+
 	if (this->start_phase2_tnc && lib->settings->get_bool(lib->settings,
 						"%s.plugins.eap-ttls.phase2_tnc", FALSE, charon->name))
 	{
@@ -121,6 +125,9 @@ static status_t start_phase2_tnc(private_eap_ttls_server_t *this)
 			DBG1(DBG_IKE, "%N method not available", eap_type_names, EAP_TNC);
 			return FAILED;
 		}
+		inner_method = (eap_inner_method_t *)this->method;
+		inner_method->set_auth_type(inner_method, auth_type);
+
 		this->start_phase2_tnc = FALSE;
 		if (this->method->initiate(this->method, &this->out) == NEED_MORE)
 		{
@@ -237,7 +244,7 @@ METHOD(tls_application_t, process, status_t,
 		if (lib->settings->get_bool(lib->settings,
 				"%s.plugins.eap-ttls.request_peer_auth", FALSE, charon->name))
 		{
-			return start_phase2_tnc(this);
+			return start_phase2_tnc(this, EAP_TLS);
 		}
 		else
 		{
@@ -265,7 +272,7 @@ METHOD(tls_application_t, process, status_t,
 			this->method = NULL;
 
 			/* continue phase2 with EAP-TNC? */
-			return start_phase2_tnc(this);
+			return start_phase2_tnc(this, type);
 		case NEED_MORE:
 			break;
 		case FAILED:
diff --git a/src/libcharon/plugins/error_notify/Makefile.in b/src/libcharon/plugins/error_notify/Makefile.in
index 814304dce..ba7ec3ecf 100644
--- a/src/libcharon/plugins/error_notify/Makefile.in
+++ b/src/libcharon/plugins/error_notify/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.11.3 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
@@ -17,6 +17,23 @@
 
 
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -116,6 +133,11 @@ SOURCES = $(libstrongswan_error_notify_la_SOURCES) \
 	$(error_notify_SOURCES)
 DIST_SOURCES = $(libstrongswan_error_notify_la_SOURCES) \
 	$(error_notify_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
@@ -132,6 +154,8 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -148,6 +172,7 @@ EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
@@ -216,8 +241,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -273,7 +296,6 @@ nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
@@ -368,7 +390,6 @@ clean-noinstLTLIBRARIES:
 	done
 install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
-	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
 	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
 	list2=; for p in $$list; do \
 	  if test -f $$p; then \
@@ -376,6 +397,8 @@ install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	  else :; fi; \
 	done; \
 	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \
 	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
 	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
 	}
@@ -401,8 +424,11 @@ libstrongswan-error-notify.la: $(libstrongswan_error_notify_la_OBJECTS) $(libstr
 	$(libstrongswan_error_notify_la_LINK) $(am_libstrongswan_error_notify_la_rpath) $(libstrongswan_error_notify_la_OBJECTS) $(libstrongswan_error_notify_la_LIBADD) $(LIBS)
 install-ipsecPROGRAMS: $(ipsec_PROGRAMS)
 	@$(NORMAL_INSTALL)
-	test -z "$(ipsecdir)" || $(MKDIR_P) "$(DESTDIR)$(ipsecdir)"
 	@list='$(ipsec_PROGRAMS)'; test -n "$(ipsecdir)" || list=; \
+	if test -n "$$list"; then \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(ipsecdir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(ipsecdir)" || exit 1; \
+	fi; \
 	for p in $$list; do echo "$$p $$p"; done | \
 	sed 's/$(EXEEXT)$$//' | \
 	while read p p1; do if test -f $$p || test -f $$p1; \
diff --git a/src/libcharon/plugins/error_notify/error_notify_socket.c b/src/libcharon/plugins/error_notify/error_notify_socket.c
index fe3b6355d..3ea657ba5 100644
--- a/src/libcharon/plugins/error_notify/error_notify_socket.c
+++ b/src/libcharon/plugins/error_notify/error_notify_socket.c
@@ -176,6 +176,12 @@ static job_requeue_t accept_(private_error_notify_socket_t *this)
 METHOD(error_notify_socket_t, destroy, void,
 	private_error_notify_socket_t *this)
 {
+	uintptr_t fd;
+
+	while (this->connected->remove_last(this->connected, (void*)&fd) == SUCCESS)
+	{
+		close(fd);
+	}
 	this->connected->destroy(this->connected);
 	this->mutex->destroy(this->mutex);
 	close(this->socket);
diff --git a/src/libcharon/plugins/farp/Makefile.in b/src/libcharon/plugins/farp/Makefile.in
index 2e5cf9f64..2596f9f20 100644
--- a/src/libcharon/plugins/farp/Makefile.in
+++ b/src/libcharon/plugins/farp/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.11.3 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
@@ -16,6 +16,23 @@
 @SET_MAKE@
 
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -105,6 +122,11 @@ LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
 	$(LDFLAGS) -o $@
 SOURCES = $(libstrongswan_farp_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_farp_la_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
@@ -121,6 +143,8 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -137,6 +161,7 @@ EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
@@ -205,8 +230,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -262,7 +285,6 @@ nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
@@ -351,7 +373,6 @@ clean-noinstLTLIBRARIES:
 	done
 install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
-	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
 	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
 	list2=; for p in $$list; do \
 	  if test -f $$p; then \
@@ -359,6 +380,8 @@ install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	  else :; fi; \
 	done; \
 	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \
 	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
 	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
 	}
diff --git a/src/libcharon/plugins/ha/Makefile.in b/src/libcharon/plugins/ha/Makefile.in
index aa533165f..466cce320 100644
--- a/src/libcharon/plugins/ha/Makefile.in
+++ b/src/libcharon/plugins/ha/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.11.3 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
@@ -16,6 +16,23 @@
 @SET_MAKE@
 
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -107,6 +124,11 @@ LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
 	$(LDFLAGS) -o $@
 SOURCES = $(libstrongswan_ha_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_ha_la_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
@@ -123,6 +145,8 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -139,6 +163,7 @@ EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
@@ -207,8 +232,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -264,7 +287,6 @@ nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
@@ -364,7 +386,6 @@ clean-noinstLTLIBRARIES:
 	done
 install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
-	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
 	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
 	list2=; for p in $$list; do \
 	  if test -f $$p; then \
@@ -372,6 +393,8 @@ install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	  else :; fi; \
 	done; \
 	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \
 	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
 	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
 	}
diff --git a/src/libcharon/plugins/ha/ha_attribute.c b/src/libcharon/plugins/ha/ha_attribute.c
index 981def6a3..d26c38325 100644
--- a/src/libcharon/plugins/ha/ha_attribute.c
+++ b/src/libcharon/plugins/ha/ha_attribute.c
@@ -174,7 +174,7 @@ METHOD(attribute_provider_t, acquire_address, host_t*,
 	host_t *requested)
 {
 	enumerator_t *enumerator;
-	pool_t *pool;
+	pool_t *pool = NULL;
 	int offset = -1, byte, bit;
 	host_t *address;
 	char *name;
diff --git a/src/libcharon/plugins/ha/ha_segments.c b/src/libcharon/plugins/ha/ha_segments.c
index 688e09bdc..cab38c63d 100644
--- a/src/libcharon/plugins/ha/ha_segments.c
+++ b/src/libcharon/plugins/ha/ha_segments.c
@@ -90,6 +90,11 @@ struct private_ha_segments_t {
 	 * Timeout for heartbeats received from other node
 	 */
 	int heartbeat_timeout;
+
+	/**
+	 * Interval to check for autobalance, 0 to disable
+	 */
+	int autobalance;
 };
 
 /**
@@ -289,12 +294,13 @@ static void start_watchdog(private_ha_segments_t *this)
 METHOD(ha_segments_t, handle_status, void,
 	private_ha_segments_t *this, segment_mask_t mask)
 {
-	segment_mask_t missing;
+	segment_mask_t missing, twice;
 	int i;
 
 	this->mutex->lock(this->mutex);
 
 	missing = ~(this->active | mask);
+	twice = this->active & mask;
 
 	for (i = 1; i <= this->count; i++)
 	{
@@ -311,6 +317,19 @@ METHOD(ha_segments_t, handle_status, void,
 				enable_disable(this, i, FALSE, TRUE);
 			}
 		}
+		if (twice & SEGMENTS_BIT(i))
+		{
+			if (this->node == i % 2)
+			{
+				DBG1(DBG_CFG, "HA segment %d was handled twice, taking", i);
+				enable_disable(this, i, TRUE, TRUE);
+			}
+			else
+			{
+				DBG1(DBG_CFG, "HA segment %d was handled twice, dropping", i);
+				enable_disable(this, i, FALSE, TRUE);
+			}
+		}
 	}
 
 	this->condvar->signal(this->condvar);
@@ -333,6 +352,7 @@ static job_requeue_t send_status(private_ha_segments_t *this)
 
 	message = ha_message_create(HA_STATUS);
 
+	this->mutex->lock(this->mutex);
 	for (i = 1; i <= this->count; i++)
 	{
 		if (this->active & SEGMENTS_BIT(i))
@@ -340,6 +360,7 @@ static job_requeue_t send_status(private_ha_segments_t *this)
 			message->add_attribute(message, HA_SEGMENT, i);
 		}
 	}
+	this->mutex->unlock(this->mutex);
 
 	this->socket->push(this->socket, message);
 	message->destroy(message);
@@ -348,6 +369,64 @@ static job_requeue_t send_status(private_ha_segments_t *this)
 	return JOB_RESCHEDULE_MS(this->heartbeat_delay);
 }
 
+/**
+ * Start the heartbeat sending task
+ */
+static void start_heartbeat(private_ha_segments_t *this)
+{
+	lib->processor->queue_job(lib->processor,
+		(job_t*)callback_job_create_with_prio((callback_job_cb_t)send_status,
+			this, NULL, (callback_job_cancel_t)return_false, JOB_PRIO_CRITICAL));
+}
+
+/**
+ * Take a segment if we are handling less than half of segments
+ */
+static job_requeue_t autobalance(private_ha_segments_t *this)
+{
+	int i, active = 0;
+
+	this->mutex->lock(this->mutex);
+
+	for (i = 1; i <= this->count; i++)
+	{
+		if (this->active & SEGMENTS_BIT(i))
+		{
+			active++;
+		}
+	}
+	if (active < this->count / 2)
+	{
+		for (i = 1; i <= this->count; i++)
+		{
+			if (!(this->active & SEGMENTS_BIT(i)))
+			{
+				DBG1(DBG_CFG, "autobalancing HA (%d/%d active), taking %d",
+					 active, this->count, i);
+				enable_disable(this, i, TRUE, TRUE);
+				/* we claim only one in each interval */
+				break;
+			}
+		}
+	}
+
+	this->mutex->unlock(this->mutex);
+
+	return JOB_RESCHEDULE(this->autobalance);
+}
+
+/**
+ * Schedule autobalancing
+ */
+static void start_autobalance(private_ha_segments_t *this)
+{
+	DBG1(DBG_CFG, "scheduling HA autobalance every %ds", this->autobalance);
+	lib->scheduler->schedule_job(lib->scheduler,
+		(job_t*)callback_job_create_with_prio((callback_job_cb_t)autobalance,
+			this, NULL, (callback_job_cancel_t)return_false, JOB_PRIO_CRITICAL),
+		this->autobalance);
+}
+
 METHOD(ha_segments_t, is_active, bool,
 	private_ha_segments_t *this, u_int segment)
 {
@@ -395,16 +474,21 @@ ha_segments_t *ha_segments_create(ha_socket_t *socket, ha_kernel_t *kernel,
 		.heartbeat_timeout = lib->settings->get_int(lib->settings,
 				"%s.plugins.ha.heartbeat_timeout", DEFAULT_HEARTBEAT_TIMEOUT,
 				charon->name),
+		.autobalance = lib->settings->get_int(lib->settings,
+				"%s.plugins.ha.autobalance", 0, charon->name),
 	);
 
 	if (monitor)
 	{
 		DBG1(DBG_CFG, "starting HA heartbeat, delay %dms, timeout %dms",
 			 this->heartbeat_delay, this->heartbeat_timeout);
-		send_status(this);
+		start_heartbeat(this);
 		start_watchdog(this);
 	}
+	if (this->autobalance)
+	{
+		start_autobalance(this);
+	}
 
 	return &this->public;
 }
-
diff --git a/src/libcharon/plugins/ha/ha_tunnel.c b/src/libcharon/plugins/ha/ha_tunnel.c
index 130c86e48..e6a09a76e 100644
--- a/src/libcharon/plugins/ha/ha_tunnel.c
+++ b/src/libcharon/plugins/ha/ha_tunnel.c
@@ -205,7 +205,7 @@ static void setup_tunnel(private_ha_tunnel_t *this,
 	/* create config and backend */
 	ike_cfg = ike_cfg_create(IKEV2, FALSE, FALSE, local, FALSE,
 							 charon->socket->get_port(charon->socket, FALSE),
-							 remote, FALSE, IKEV2_UDP_PORT, FRAGMENTATION_NO);
+							 remote, FALSE, IKEV2_UDP_PORT, FRAGMENTATION_NO, 0);
 	ike_cfg->add_proposal(ike_cfg, proposal_create_default(PROTO_IKE));
 	peer_cfg = peer_cfg_create("ha", ike_cfg, CERT_NEVER_SEND,
 						UNIQUE_KEEP, 0, 86400, 0, 7200, 3600, FALSE, FALSE, 30,
@@ -288,4 +288,3 @@ ha_tunnel_t *ha_tunnel_create(char *local, char *remote, char *secret)
 
 	return &this->public;
 }
-
diff --git a/src/libcharon/plugins/ipseckey/Makefile.am b/src/libcharon/plugins/ipseckey/Makefile.am
new file mode 100644
index 000000000..0614017a0
--- /dev/null
+++ b/src/libcharon/plugins/ipseckey/Makefile.am
@@ -0,0 +1,18 @@
+
+INCLUDES = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon
+
+if MONOLITHIC
+noinst_LTLIBRARIES = libstrongswan-ipseckey.la
+else
+plugin_LTLIBRARIES = libstrongswan-ipseckey.la
+endif
+
+libstrongswan_ipseckey_la_SOURCES = \
+	ipseckey_plugin.h ipseckey_plugin.c \
+	ipseckey_cred.h ipseckey_cred.c \
+	ipseckey.h ipseckey.c
+
+libstrongswan_ipseckey_la_LDFLAGS = -module -avoid-version
diff --git a/src/libcharon/plugins/ipseckey/Makefile.in b/src/libcharon/plugins/ipseckey/Makefile.in
new file mode 100644
index 000000000..fd50854fc
--- /dev/null
+++ b/src/libcharon/plugins/ipseckey/Makefile.in
@@ -0,0 +1,662 @@
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
+pkgdatadir = $(datadir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+subdir = src/libcharon/plugins/ipseckey
+DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+	$(top_srcdir)/m4/config/ltoptions.m4 \
+	$(top_srcdir)/m4/config/ltsugar.m4 \
+	$(top_srcdir)/m4/config/ltversion.m4 \
+	$(top_srcdir)/m4/config/lt~obsolete.m4 \
+	$(top_srcdir)/m4/macros/with.m4 \
+	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
+	$(top_srcdir)/configure.in
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+	$(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_HEADER = $(top_builddir)/config.h
+CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+    *) f=$$p;; \
+  esac;
+am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
+am__install_max = 40
+am__nobase_strip_setup = \
+  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
+am__nobase_strip = \
+  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
+am__nobase_list = $(am__nobase_strip_setup); \
+  for p in $$list; do echo "$$p $$p"; done | \
+  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
+  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
+    if (++n[$$2] == $(am__install_max)) \
+      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
+    END { for (dir in files) print dir, files[dir] }'
+am__base_list = \
+  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
+  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
+am__installdirs = "$(DESTDIR)$(plugindir)"
+LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
+libstrongswan_ipseckey_la_LIBADD =
+am_libstrongswan_ipseckey_la_OBJECTS = ipseckey_plugin.lo \
+	ipseckey_cred.lo ipseckey.lo
+libstrongswan_ipseckey_la_OBJECTS =  \
+	$(am_libstrongswan_ipseckey_la_OBJECTS)
+libstrongswan_ipseckey_la_LINK = $(LIBTOOL) --tag=CC \
+	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
+	$(AM_CFLAGS) $(CFLAGS) $(libstrongswan_ipseckey_la_LDFLAGS) \
+	$(LDFLAGS) -o $@
+@MONOLITHIC_FALSE@am_libstrongswan_ipseckey_la_rpath = -rpath \
+@MONOLITHIC_FALSE@	$(plugindir)
+@MONOLITHIC_TRUE@am_libstrongswan_ipseckey_la_rpath =
+DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
+depcomp = $(SHELL) $(top_srcdir)/depcomp
+am__depfiles_maybe = depfiles
+am__mv = mv -f
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
+	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CCLD = $(CC)
+LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
+	$(LDFLAGS) -o $@
+SOURCES = $(libstrongswan_ipseckey_la_SOURCES)
+DIST_SOURCES = $(libstrongswan_ipseckey_la_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
+ETAGS = etags
+CTAGS = ctags
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
+AMTAR = @AMTAR@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+BFDLIB = @BFDLIB@
+BTLIB = @BTLIB@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
+DSYMUTIL = @DSYMUTIL@
+DUMPBIN = @DUMPBIN@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+FGREP = @FGREP@
+GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
+GREP = @GREP@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LD = @LD@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LIPO = @LIPO@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
+MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
+NM = @NM@
+NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
+PTHREADLIB = @PTHREADLIB@
+RANLIB = @RANLIB@
+RTLIB = @RTLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
+SED = @SED@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
+STRIP = @STRIP@
+VERSION = @VERSION@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+attest_plugins = @attest_plugins@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+c_plugins = @c_plugins@
+charon_natt_port = @charon_natt_port@
+charon_plugins = @charon_plugins@
+charon_udp_port = @charon_udp_port@
+clearsilver_LIBS = @clearsilver_LIBS@
+datadir = @datadir@
+datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
+dev_headers = @dev_headers@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+gtk_CFLAGS = @gtk_CFLAGS@
+gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+imcvdir = @imcvdir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+ipsec_script = @ipsec_script@
+ipsec_script_upper = @ipsec_script_upper@
+ipsecdir = @ipsecdir@
+ipsecgroup = @ipsecgroup@
+ipseclibdir = @ipseclibdir@
+ipsecuser = @ipsecuser@
+libdir = @libdir@
+libexecdir = @libexecdir@
+linux_headers = @linux_headers@
+localedir = @localedir@
+localstatedir = @localstatedir@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
+mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
+mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
+nm_plugins = @nm_plugins@
+oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+pcsclite_CFLAGS = @pcsclite_CFLAGS@
+pcsclite_LIBS = @pcsclite_LIBS@
+pdfdir = @pdfdir@
+piddir = @piddir@
+pki_plugins = @pki_plugins@
+plugindir = @plugindir@
+pool_plugins = @pool_plugins@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+random_device = @random_device@
+resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
+sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
+sharedstatedir = @sharedstatedir@
+soup_CFLAGS = @soup_CFLAGS@
+soup_LIBS = @soup_LIBS@
+srcdir = @srcdir@
+starter_plugins = @starter_plugins@
+strongswan_conf = @strongswan_conf@
+sysconfdir = @sysconfdir@
+systemdsystemunitdir = @systemdsystemunitdir@
+target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+urandom_device = @urandom_device@
+xml_CFLAGS = @xml_CFLAGS@
+xml_LIBS = @xml_LIBS@
+INCLUDES = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon
+
+@MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-ipseckey.la
+@MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-ipseckey.la
+libstrongswan_ipseckey_la_SOURCES = \
+	ipseckey_plugin.h ipseckey_plugin.c \
+	ipseckey_cred.h ipseckey_cred.c \
+	ipseckey.h ipseckey.c
+
+libstrongswan_ipseckey_la_LDFLAGS = -module -avoid-version
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .c .lo .o .obj
+$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
+	@for dep in $?; do \
+	  case '$(am__configure_deps)' in \
+	    *$$dep*) \
+	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+	        && { if test -f $@; then exit 0; else break; fi; }; \
+	      exit 1;; \
+	  esac; \
+	done; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libcharon/plugins/ipseckey/Makefile'; \
+	$(am__cd) $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu src/libcharon/plugins/ipseckey/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+	@case '$?' in \
+	  *config.status*) \
+	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+	  *) \
+	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+	esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure:  $(am__configure_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
+
+clean-noinstLTLIBRARIES:
+	-test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES)
+	@list='$(noinst_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
+	@$(NORMAL_INSTALL)
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	list2=; for p in $$list; do \
+	  if test -f $$p; then \
+	    list2="$$list2 $$p"; \
+	  else :; fi; \
+	done; \
+	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
+	}
+
+uninstall-pluginLTLIBRARIES:
+	@$(NORMAL_UNINSTALL)
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	for p in $$list; do \
+	  $(am__strip_dir) \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \
+	done
+
+clean-pluginLTLIBRARIES:
+	-test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES)
+	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+libstrongswan-ipseckey.la: $(libstrongswan_ipseckey_la_OBJECTS) $(libstrongswan_ipseckey_la_DEPENDENCIES) $(EXTRA_libstrongswan_ipseckey_la_DEPENDENCIES) 
+	$(libstrongswan_ipseckey_la_LINK) $(am_libstrongswan_ipseckey_la_rpath) $(libstrongswan_ipseckey_la_OBJECTS) $(libstrongswan_ipseckey_la_LIBADD) $(LIBS)
+
+mostlyclean-compile:
+	-rm -f *.$(OBJEXT)
+
+distclean-compile:
+	-rm -f *.tab.c
+
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ipseckey.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ipseckey_cred.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ipseckey_plugin.Plo@am__quote@
+
+.c.o:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+
+.c.obj:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+
+.c.lo:
+@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	mkid -fID $$unique
+tags: TAGS
+
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	set x; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	shift; \
+	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
+	  test -n "$$unique" || unique=$$empty_fix; \
+	  if test $$# -gt 0; then \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      "$$@" $$unique; \
+	  else \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      $$unique; \
+	  fi; \
+	fi
+ctags: CTAGS
+CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	test -z "$(CTAGS_ARGS)$$unique" \
+	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+	     $$unique
+
+GTAGS:
+	here=`$(am__cd) $(top_builddir) && pwd` \
+	  && $(am__cd) $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) "$$here"
+
+distclean-tags:
+	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+distdir: $(DISTFILES)
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
+	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d "$(distdir)/$$file"; then \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
+	  else \
+	    test -f "$(distdir)/$$file" \
+	    || cp -p $$d/$$file "$(distdir)/$$file" \
+	    || exit 1; \
+	  fi; \
+	done
+check-am: all-am
+check: check-am
+all-am: Makefile $(LTLIBRARIES)
+installdirs:
+	for dir in "$(DESTDIR)$(plugindir)"; do \
+	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
+	done
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
+
+maintainer-clean-generic:
+	@echo "This command is intended for maintainers to use"
+	@echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-generic clean-libtool clean-noinstLTLIBRARIES \
+	clean-pluginLTLIBRARIES mostlyclean-am
+
+distclean: distclean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+	distclean-tags
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+html-am:
+
+info: info-am
+
+info-am:
+
+install-data-am: install-pluginLTLIBRARIES
+
+install-dvi: install-dvi-am
+
+install-dvi-am:
+
+install-exec-am:
+
+install-html: install-html-am
+
+install-html-am:
+
+install-info: install-info-am
+
+install-info-am:
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-pdf-am:
+
+install-ps: install-ps-am
+
+install-ps-am:
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+	mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am: uninstall-pluginLTLIBRARIES
+
+.MAKE: install-am install-strip
+
+.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
+	clean-libtool clean-noinstLTLIBRARIES clean-pluginLTLIBRARIES \
+	ctags distclean distclean-compile distclean-generic \
+	distclean-libtool distclean-tags distdir dvi dvi-am html \
+	html-am info info-am install install-am install-data \
+	install-data-am install-dvi install-dvi-am install-exec \
+	install-exec-am install-html install-html-am install-info \
+	install-info-am install-man install-pdf install-pdf-am \
+	install-pluginLTLIBRARIES install-ps install-ps-am \
+	install-strip installcheck installcheck-am installdirs \
+	maintainer-clean maintainer-clean-generic mostlyclean \
+	mostlyclean-compile mostlyclean-generic mostlyclean-libtool \
+	pdf pdf-am ps ps-am tags uninstall uninstall-am \
+	uninstall-pluginLTLIBRARIES
+
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/src/libcharon/plugins/ipseckey/ipseckey.c b/src/libcharon/plugins/ipseckey/ipseckey.c
new file mode 100644
index 000000000..ca126d772
--- /dev/null
+++ b/src/libcharon/plugins/ipseckey/ipseckey.c
@@ -0,0 +1,209 @@
+/*
+ * Copyright (C) 2012 Reto Guadagnini
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "ipseckey.h"
+
+#include <library.h>
+#include <utils/debug.h>
+#include <bio/bio_reader.h>
+
+typedef struct private_ipseckey_t private_ipseckey_t;
+
+/**
+* private data of the ipseckey
+*/
+struct private_ipseckey_t {
+
+	/**
+	 * public functions
+	 */
+	ipseckey_t public;
+
+	/**
+	 * Precedence
+	 */
+	u_int8_t precedence;
+
+	/**
+	 * Gateway type
+	 */
+	u_int8_t gateway_type;
+
+	/**
+	 * Algorithm
+	 */
+	u_int8_t algorithm;
+
+	/**
+	 * Gateway
+	 */
+	chunk_t gateway;
+
+	/**
+	 * Public key
+	 */
+	chunk_t public_key;
+};
+
+METHOD(ipseckey_t, get_precedence, u_int8_t,
+	private_ipseckey_t *this)
+{
+	return this->precedence;
+}
+
+METHOD(ipseckey_t, get_gateway_type, ipseckey_gw_type_t,
+	private_ipseckey_t *this)
+{
+	return this->gateway_type;
+}
+
+METHOD(ipseckey_t, get_algorithm, ipseckey_algorithm_t,
+	private_ipseckey_t *this)
+{
+	return this->algorithm;
+}
+
+METHOD(ipseckey_t, get_gateway, chunk_t,
+	private_ipseckey_t *this)
+{
+	return this->gateway;
+}
+
+METHOD(ipseckey_t, get_public_key, chunk_t,
+	private_ipseckey_t *this)
+{
+	return this->public_key;
+}
+
+METHOD(ipseckey_t, destroy, void,
+	private_ipseckey_t *this)
+{
+	chunk_free(&this->gateway);
+	chunk_free(&this->public_key);
+	free(this);
+}
+
+/*
+ * See header
+ */
+ipseckey_t *ipseckey_create_frm_rr(rr_t *rr)
+{
+	private_ipseckey_t *this;
+	bio_reader_t *reader = NULL;
+	u_int8_t label;
+	chunk_t tmp;
+
+	INIT(this,
+			.public = {
+				.get_precedence = _get_precedence,
+				.get_gateway_type = _get_gateway_type,
+				.get_algorithm = _get_algorithm,
+				.get_gateway = _get_gateway,
+				.get_public_key = _get_public_key,
+				.destroy = _destroy,
+			},
+	);
+
+	if (rr->get_type(rr) != RR_TYPE_IPSECKEY)
+	{
+		DBG1(DBG_CFG, "unable to create an ipseckey out of an RR "
+					  "whose type is not IPSECKEY");
+		free(this);
+		return NULL;
+	}
+
+	/** Parse the content (RDATA field) of the RR */
+	reader = bio_reader_create(rr->get_rdata(rr));
+	if (!reader->read_uint8(reader, &this->precedence) ||
+		!reader->read_uint8(reader, &this->gateway_type) ||
+		!reader->read_uint8(reader, &this->algorithm))
+	{
+		DBG1(DBG_CFG, "ipseckey RR has a wrong format");
+		reader->destroy(reader);
+		free(this);
+		return NULL;
+	}
+
+	switch (this->gateway_type)
+	{
+		case IPSECKEY_GW_TP_NOT_PRESENT:
+			break;
+
+		case IPSECKEY_GW_TP_IPV4:
+			if (!reader->read_data(reader, 4, &this->gateway))
+			{
+				DBG1(DBG_CFG, "ipseckey gateway field does not contain an "
+							  "IPv4 address as expected");
+				reader->destroy(reader);
+				free(this);
+				return NULL;
+			}
+			this->gateway = chunk_clone(this->gateway);
+			break;
+
+		case IPSECKEY_GW_TP_IPV6:
+			if (!reader->read_data(reader, 16, &this->gateway))
+			{
+				DBG1(DBG_CFG, "ipseckey gateway field does not contain an "
+							  "IPv6 address as expected");
+				reader->destroy(reader);
+				free(this);
+				return NULL;
+			}
+			this->gateway = chunk_clone(this->gateway);
+			break;
+
+		case IPSECKEY_GW_TP_WR_ENC_DNAME:
+			/**
+			 * Uncompressed domain name as defined in RFC 1035 chapter 3.
+			 *
+			 * TODO: Currently we ignore wire encoded domain names.
+			 *
+			 */
+			while (reader->read_uint8(reader, &label) &&
+				   label != 0 && label < 192)
+			{
+				if (!reader->read_data(reader, label, &tmp))
+				{
+					DBG1(DBG_CFG, "wrong wire encoded domain name format "
+								  "in ipseckey gateway field");
+					reader->destroy(reader);
+					free(this);
+					return NULL;
+				}
+			}
+			break;
+
+		default:
+			DBG1(DBG_CFG, "unable to parse ipseckey gateway field");
+			reader->destroy(reader);
+			free(this);
+			return NULL;
+	}
+
+	if (!reader->read_data(reader, reader->remaining(reader),
+						   &this->public_key))
+	{
+		DBG1(DBG_CFG, "failed to read ipseckey public key field");
+		reader->destroy(reader);
+		chunk_free(&this->gateway);
+		free(this);
+		return NULL;
+	}
+	this->public_key = chunk_clone(this->public_key);
+	reader->destroy(reader);
+	return &this->public;
+}
+
diff --git a/src/libcharon/plugins/ipseckey/ipseckey.h b/src/libcharon/plugins/ipseckey/ipseckey.h
new file mode 100644
index 000000000..5885daeee
--- /dev/null
+++ b/src/libcharon/plugins/ipseckey/ipseckey.h
@@ -0,0 +1,149 @@
+/*
+ * Copyright (C) 2012 Reto Guadagnini
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup ipseckey_i ipseckey
+ * @{ @ingroup ipseckey
+ */
+
+#ifndef IPSECKEY_H_
+#define IPSECKEY_H_
+
+typedef struct ipseckey_t ipseckey_t;
+typedef enum ipseckey_algorithm_t ipseckey_algorithm_t;
+typedef enum ipseckey_gw_type_t ipseckey_gw_type_t;
+
+#include <library.h>
+
+/**
+ * IPSECKEY gateway types as defined in RFC 4025.
+ */
+enum ipseckey_gw_type_t {
+	/** No gateway is present */
+	IPSECKEY_GW_TP_NOT_PRESENT = 0,
+	/** A 4-byte IPv4 address is present */
+	IPSECKEY_GW_TP_IPV4 = 1,
+	/** A 16-byte IPv6 address is present */
+	IPSECKEY_GW_TP_IPV6 = 2,
+	/** A wire-encoded domain name is present */
+	IPSECKEY_GW_TP_WR_ENC_DNAME = 3,
+};
+
+/**
+ * IPSECKEY algorithms as defined in RFC 4025.
+ */
+enum ipseckey_algorithm_t {
+	/** No key present */
+	IPSECKEY_ALGORITHM_NONE = 0,
+	/** DSA key */
+	IPSECKEY_ALGORITHM_DSA = 1,
+	/** RSA key */
+	IPSECKEY_ALGORITHM_RSA = 2,
+};
+
+/**
+ * An IPSECKEY.
+ *
+ * Represents an IPSECKEY as defined in RFC 4025:
+ *
+ *      0                   1                   2                   3
+ *    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ *   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ *   |  precedence   | gateway type  |  algorithm  |     gateway     |
+ *   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-------------+                 +
+ *   ~                            gateway                            ~
+ *   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ *   |                                                               /
+ *   /                          public key                           /
+ *   /                                                               /
+ *   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-|
+ *
+ *
+ * Note: RFC 4025 defines that the algorithm field has a length of 7 bits.
+ * 		 We use 8 bits instead, because the use of 7 bits is very uncommon
+ * 		 in internet protocols and might be an error in RFC 4025
+ * 		 (also the BIND DNS server uses 8 bits for the algorithm field of the
+ * 		 IPSECKEY resource records).
+ *
+ */
+struct ipseckey_t {
+
+	/**
+	 * Get the precedence of the IPSECKEY.
+	 *
+	 * @return		precedence
+	 */
+	u_int8_t (*get_precedence)(ipseckey_t *this);
+
+	/**
+	 * Get the type of the gateway.
+	 *
+	 * The "gateway type" determines the format of the gateway field
+	 * of the IPSECKEY.
+	 *
+	 * @return		gateway type
+	 */
+	ipseckey_gw_type_t (*get_gateway_type)(ipseckey_t *this);
+
+	/**
+	 * Get the algorithm.
+	 *
+	 * The "algorithm" determines the format of the public key field
+	 * of the IPSECKEY.
+	 *
+	 * @return			algorithm
+	 */
+	ipseckey_algorithm_t (*get_algorithm)(ipseckey_t *this);
+
+	/**
+	 * Get the content of the gateway field as chunk.
+	 *
+	 * The content is in network byte order and its format depends on the
+	 * gateway type.
+	 *
+	 * The data pointed by the chunk is still owned by the IPSECKEY.
+	 * Clone it if necessary.
+	 *
+	 * @return			gateway field as chunk
+	 */
+	chunk_t (*get_gateway)(ipseckey_t *this);
+
+	/**
+	 * Get the content of the public key field as chunk.
+	 *
+	 * The format of the public key depends on the algorithm type.
+	 *
+	 * The data pointed by the chunk is still owned by the IPSECKEY.
+	 * Clone it if necessary.
+	 *
+	 * @return			public key field as chunk
+	 */
+	chunk_t (*get_public_key)(ipseckey_t *this);
+
+	/**
+	 * Destroy the IPSECKEY.
+	 */
+	void (*destroy) (ipseckey_t *this);
+};
+
+/**
+ * Create an ipseckey instance out of a resource record.
+ *
+ * @param	rr		resource record which contains an IPSECKEY
+ * @return			ipseckey, NULL on failure
+ */
+ipseckey_t *ipseckey_create_frm_rr(rr_t *rr);
+
+#endif /** IPSECKEY_H_ @}*/
diff --git a/src/libcharon/plugins/ipseckey/ipseckey_cred.c b/src/libcharon/plugins/ipseckey/ipseckey_cred.c
new file mode 100644
index 000000000..e8722f12c
--- /dev/null
+++ b/src/libcharon/plugins/ipseckey/ipseckey_cred.c
@@ -0,0 +1,263 @@
+/*
+ * Copyright (C) 2012 Reto Guadagnini
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+#define _GNU_SOURCE
+#include <stdio.h>
+#include <string.h>
+
+#include "ipseckey_cred.h"
+#include "ipseckey.h"
+
+#include <bio/bio_reader.h>
+#include <daemon.h>
+
+typedef struct private_ipseckey_cred_t private_ipseckey_cred_t;
+
+/**
+ * Private data of an ipseckey_cred_t object
+ */
+struct private_ipseckey_cred_t {
+
+	/**
+	 * Public part
+	 */
+	ipseckey_cred_t public;
+
+	/**
+	 * DNS resolver
+	 */
+	resolver_t *res;
+};
+
+/**
+ * enumerator over certificates
+ */
+typedef struct {
+	/** implements enumerator interface */
+	enumerator_t public;
+	/** inner enumerator (enumerates IPSECKEY resource records) */
+	enumerator_t *inner;
+	/** response of the DNS resolver which contains the IPSECKEYs */
+	resolver_response_t *response;
+	/* IPSECKEYs are not valid before this point in time */
+	time_t notBefore;
+	/* IPSECKEYs are not valid after this point in time */
+	time_t notAfter;
+	/* identity to which the IPSECKEY belongs */
+	identification_t *identity;
+} cert_enumerator_t;
+
+METHOD(enumerator_t, cert_enumerator_enumerate, bool,
+	cert_enumerator_t *this, certificate_t **cert)
+{
+	rr_t *cur_rr = NULL;
+	ipseckey_t *cur_ipseckey = NULL;
+	chunk_t pub_key;
+	public_key_t * key = NULL;
+	bool supported_ipseckey_found = FALSE;
+
+	/* Get the next supported IPSECKEY using the inner enumerator. */
+	while (this->inner->enumerate(this->inner, &cur_rr) &&
+		   !supported_ipseckey_found)
+	{
+		supported_ipseckey_found = TRUE;
+
+		cur_ipseckey = ipseckey_create_frm_rr(cur_rr);
+
+		if (!cur_ipseckey)
+		{
+			DBG1(DBG_CFG, "failed to parse ipseckey - skipping this key");
+			supported_ipseckey_found = FALSE;
+		}
+
+		if (cur_ipseckey &&
+			cur_ipseckey->get_algorithm(cur_ipseckey) != IPSECKEY_ALGORITHM_RSA)
+		{
+			DBG1(DBG_CFG, "unsupported ipseckey algorithm -skipping this key");
+			cur_ipseckey->destroy(cur_ipseckey);
+			supported_ipseckey_found = FALSE;
+		}
+	}
+
+	if (supported_ipseckey_found)
+	{
+		/*
+		 * Wrap the key of the IPSECKEY in a certificate and return this
+		 * certificate.
+		 */
+		pub_key = cur_ipseckey->get_public_key(cur_ipseckey);
+
+		key = lib->creds->create(lib->creds, CRED_PUBLIC_KEY, KEY_RSA,
+								 BUILD_BLOB_DNSKEY, pub_key,
+								 BUILD_END);
+
+		if (!key)
+		{
+			DBG1(DBG_CFG, "failed to create public key from ipseckey");
+			cur_ipseckey->destroy(cur_ipseckey);
+			return FALSE;
+		}
+
+		*cert = lib->creds->create(lib->creds, CRED_CERTIFICATE,
+								   CERT_TRUSTED_PUBKEY,
+								   BUILD_PUBLIC_KEY, key,
+								   BUILD_SUBJECT, this->identity,
+								   BUILD_NOT_BEFORE_TIME, this->notBefore,
+								   BUILD_NOT_AFTER_TIME, this->notAfter,
+								   BUILD_END);
+		return TRUE;
+	}
+
+	return FALSE;
+}
+
+METHOD(enumerator_t, cert_enumerator_destroy, void,
+	cert_enumerator_t *this)
+{
+	this->inner->destroy(this->inner);
+	this->response->destroy(this->response);
+	free(this);
+}
+
+METHOD(credential_set_t, create_cert_enumerator, enumerator_t*,
+	private_ipseckey_cred_t *this, certificate_type_t cert, key_type_t key,
+	identification_t *id, bool trusted)
+{
+	char *fqdn = NULL;
+	resolver_response_t *response = NULL;
+	rr_set_t *rrset = NULL;
+	enumerator_t *rrsig_enum = NULL;
+	rr_t *rrsig = NULL;
+	bio_reader_t *reader = NULL;
+	chunk_t ignore;
+	u_int32_t nBefore, nAfter;
+	cert_enumerator_t *e;
+
+	if (id && id->get_type(id) == ID_FQDN)
+	{
+		/**	Query the DNS for the required IPSECKEY RRs */
+
+		if (0 >= asprintf(&fqdn, "%Y", id))
+		{
+			DBG1(DBG_CFG, "empty FQDN string");
+			return enumerator_create_empty();
+		}
+
+		DBG1(DBG_CFG, "performing a DNS query for IPSECKEY RRs of '%s'",
+					   fqdn);
+		response = this->res->query(this->res, fqdn, RR_CLASS_IN,
+									RR_TYPE_IPSECKEY);
+		if (!response)
+		{
+			DBG1(DBG_CFG, "  query for IPSECKEY RRs failed");
+			free(fqdn);
+			return enumerator_create_empty();
+		}
+
+		if (!response->has_data(response) ||
+			!response->query_name_exist(response))
+		{
+			DBG1(DBG_CFG, "  unable to retrieve IPSECKEY RRs from the DNS");
+			response->destroy(response);
+			free(fqdn);
+			return enumerator_create_empty();
+		}
+
+		if (!(response->get_security_state(response) == SECURE))
+		{
+			DBG1(DBG_CFG, "  DNSSEC state of IPSECKEY RRs is not secure");
+			response->destroy(response);
+			free(fqdn);
+			return enumerator_create_empty();
+		}
+
+		free(fqdn);
+
+		/** Determine the validity period of the retrieved IPSECKEYs
+		 *
+		 * We use the "Signature Inception" and "Signature Expiration" field
+		 * of the first RRSIG RR to determine the validity period of the
+		 * IPSECKEY RRs. TODO: Take multiple RRSIGs into account.
+		 */
+		rrset = response->get_rr_set(response);
+		rrsig_enum = rrset->create_rrsig_enumerator(rrset);
+		if (!rrsig_enum || !rrsig_enum->enumerate(rrsig_enum, &rrsig))
+		{
+			DBG1(DBG_CFG, "  unable to determine the validity period of "
+						  "IPSECKEY RRs because no RRSIGs are present");
+			DESTROY_IF(rrsig_enum);
+			response->destroy(response);
+			return enumerator_create_empty();
+		}
+
+		/**
+		 * Parse the RRSIG for its validity period (RFC 4034)
+		 */
+		reader = bio_reader_create(rrsig->get_rdata(rrsig));
+		reader->read_data(reader, 8, &ignore);
+		reader->read_uint32(reader, &nAfter);
+		reader->read_uint32(reader, &nBefore);
+		reader->destroy(reader);
+
+		/*Create and return an iterator over the retrieved IPSECKEYs */
+		INIT(e,
+			.public = {
+				.enumerate = (void*)_cert_enumerator_enumerate,
+				.destroy = _cert_enumerator_destroy,
+			},
+			.inner = response->get_rr_set(response)->create_rr_enumerator(
+										  response->get_rr_set(response)),
+			.response = response,
+			.notBefore = nBefore,
+			.notAfter = nAfter,
+			.identity = id,
+		);
+
+		return &e->public;
+	}
+
+
+	return enumerator_create_empty();
+}
+
+METHOD(ipseckey_cred_t, destroy, void,
+	private_ipseckey_cred_t *this)
+{
+	this->res->destroy(this->res);
+	free(this);
+}
+
+/**
+ * Described in header.
+ */
+ipseckey_cred_t *ipseckey_cred_create(resolver_t *res)
+{
+	private_ipseckey_cred_t *this;
+
+	INIT(this,
+		.public = {
+			.set = {
+				.create_private_enumerator = (void*)return_null,
+				.create_cert_enumerator = _create_cert_enumerator,
+				.create_shared_enumerator = (void*)return_null,
+				.create_cdp_enumerator = (void*)return_null,
+				.cache_cert = (void*)nop,
+			},
+			.destroy = _destroy,
+		},
+		.res = res,
+	);
+
+	return &this->public;
+}
diff --git a/src/libcharon/plugins/ipseckey/ipseckey_cred.h b/src/libcharon/plugins/ipseckey/ipseckey_cred.h
new file mode 100644
index 000000000..440020f5d
--- /dev/null
+++ b/src/libcharon/plugins/ipseckey/ipseckey_cred.h
@@ -0,0 +1,57 @@
+/*
+ * Copyright (C) 2012 Reto Guadagnini
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup ipseckey_cred_i ipseckey_cred
+ * @{ @ingroup ipseckey
+ */
+
+#ifndef IPSECKEY_CRED_H_
+#define IPSECKEY_CRED_H_
+
+#include <credentials/credential_set.h>
+#include <resolver/resolver.h>
+
+typedef struct ipseckey_cred_t ipseckey_cred_t;
+
+/**
+ * IPSECKEY credential set.
+ *
+ * The ipseckey credential set contains IPSECKEYs as certificates of type
+ * pubkey_cert_t.
+ */
+struct ipseckey_cred_t {
+
+	/**
+	 * Implements credential_set_t interface
+	 */
+	credential_set_t set;
+
+	/**
+	 * Destroy the ipseckey_cred.
+	 */
+	void (*destroy)(ipseckey_cred_t *this);
+};
+
+/**
+ * Create an ipseckey_cred instance which uses the given resolver
+ * to query the DNS for IPSECKEY resource records.
+ *
+ * @param res		resolver to use
+ * @return			credential set
+ */
+ipseckey_cred_t *ipseckey_cred_create(resolver_t *res);
+
+#endif /** IPSECKEY_CRED_H_ @}*/
diff --git a/src/libcharon/plugins/ipseckey/ipseckey_plugin.c b/src/libcharon/plugins/ipseckey/ipseckey_plugin.c
new file mode 100644
index 000000000..9593cf939
--- /dev/null
+++ b/src/libcharon/plugins/ipseckey/ipseckey_plugin.c
@@ -0,0 +1,103 @@
+/*
+ * Copyright (C) 2012 Reto Guadagnini
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "ipseckey_plugin.h"
+
+#include <daemon.h>
+#include "ipseckey_cred.h"
+
+typedef struct private_ipseckey_plugin_t private_ipseckey_plugin_t;
+
+
+/**
+ * private data of the ipseckey plugin
+ */
+struct private_ipseckey_plugin_t {
+
+	/**
+	 * implements plugin interface
+	 */
+	ipseckey_plugin_t public;
+
+	/**
+	 * DNS resolver instance
+	 */
+	resolver_t *res;
+
+	/**
+	 * credential set
+	 */
+	ipseckey_cred_t *cred;
+
+	/**
+	 * IPSECKEY based authentication enabled
+	 */
+	bool enabled;
+};
+
+METHOD(plugin_t, get_name, char*,
+	private_ipseckey_plugin_t *this)
+{
+	return "ipseckey";
+}
+
+METHOD(plugin_t, destroy, void,
+	private_ipseckey_plugin_t *this)
+{
+	if (this->enabled)
+	{
+		lib->credmgr->remove_set(lib->credmgr, &this->cred->set);
+	}
+	DESTROY_IF(this->res);
+	DESTROY_IF(this->cred);
+	free(this);
+}
+
+/*
+ * see header file
+ */
+plugin_t *ipseckey_plugin_create()
+{
+	private_ipseckey_plugin_t *this;
+
+	INIT(this,
+		.public = {
+			.plugin = {
+				.get_name = _get_name,
+				.reload = (void*)return_false,
+				.destroy = _destroy,
+			},
+		},
+		.res = lib->resolver->create(lib->resolver),
+		.enabled = lib->settings->get_bool(lib->settings,
+							"%s.plugins.ipseckey.enable", FALSE, charon->name),
+	);
+
+	if (!this->res)
+	{
+		DBG1(DBG_CFG, "failed to create a DNS resolver instance");
+		destroy(this);
+		return NULL;
+	}
+
+	if (this->enabled)
+	{
+		this->cred = ipseckey_cred_create(this->res);
+		lib->credmgr->add_set(lib->credmgr, &this->cred->set);
+	}
+
+	return &this->public.plugin;
+}
+
diff --git a/src/libcharon/plugins/ipseckey/ipseckey_plugin.h b/src/libcharon/plugins/ipseckey/ipseckey_plugin.h
new file mode 100644
index 000000000..95acc79dd
--- /dev/null
+++ b/src/libcharon/plugins/ipseckey/ipseckey_plugin.h
@@ -0,0 +1,48 @@
+/*
+ * Copyright (C) 2012 Reto Guadagnini
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup ipseckey ipseckey
+ * @ingroup cplugins
+ *
+ * @defgroup ipseckey_plugin ipseckey_plugin
+ * @{ @ingroup ipseckey
+ */
+
+#ifndef IPSECKEY_PLUGIN_H_
+#define IPSECKEY_PLUGIN_H_
+
+#include <plugins/plugin.h>
+
+typedef struct ipseckey_plugin_t ipseckey_plugin_t;
+
+/**
+ * IPSECKEY plugin
+ *
+ * The IPSECKEY plugin registers a credential set for IPSECKEYs.
+ *
+ * With this credential set it is possible to authenticate tunnel endpoints
+ * using IPSECKEY resource records which are retrieved from the DNS in a secure
+ * way (DNSSEC).
+ */
+struct ipseckey_plugin_t {
+
+	/**
+	 * implements plugin interface
+	 */
+	plugin_t plugin;
+};
+
+#endif /** IPSECKEY_PLUGIN_H_ @}*/
diff --git a/src/libcharon/plugins/led/Makefile.in b/src/libcharon/plugins/led/Makefile.in
index 63ce51f11..f10dbb96f 100644
--- a/src/libcharon/plugins/led/Makefile.in
+++ b/src/libcharon/plugins/led/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.11.3 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
@@ -16,6 +16,23 @@
 @SET_MAKE@
 
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -104,6 +121,11 @@ LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
 	$(LDFLAGS) -o $@
 SOURCES = $(libstrongswan_led_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_led_la_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
@@ -120,6 +142,8 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -136,6 +160,7 @@ EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
@@ -204,8 +229,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -261,7 +284,6 @@ nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
@@ -350,7 +372,6 @@ clean-noinstLTLIBRARIES:
 	done
 install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
-	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
 	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
 	list2=; for p in $$list; do \
 	  if test -f $$p; then \
@@ -358,6 +379,8 @@ install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	  else :; fi; \
 	done; \
 	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \
 	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
 	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
 	}
diff --git a/src/libcharon/plugins/load_tester/Makefile.in b/src/libcharon/plugins/load_tester/Makefile.in
index e238f443c..e382b266c 100644
--- a/src/libcharon/plugins/load_tester/Makefile.in
+++ b/src/libcharon/plugins/load_tester/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.11.3 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
@@ -17,6 +17,23 @@
 
 
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -118,6 +135,11 @@ SOURCES = $(libstrongswan_load_tester_la_SOURCES) \
 	$(load_tester_SOURCES)
 DIST_SOURCES = $(libstrongswan_load_tester_la_SOURCES) \
 	$(load_tester_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
@@ -134,6 +156,8 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -150,6 +174,7 @@ EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
@@ -218,8 +243,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -275,7 +298,6 @@ nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
@@ -373,7 +395,6 @@ clean-noinstLTLIBRARIES:
 	done
 install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
-	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
 	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
 	list2=; for p in $$list; do \
 	  if test -f $$p; then \
@@ -381,6 +402,8 @@ install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	  else :; fi; \
 	done; \
 	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \
 	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
 	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
 	}
@@ -406,8 +429,11 @@ libstrongswan-load-tester.la: $(libstrongswan_load_tester_la_OBJECTS) $(libstron
 	$(libstrongswan_load_tester_la_LINK) $(am_libstrongswan_load_tester_la_rpath) $(libstrongswan_load_tester_la_OBJECTS) $(libstrongswan_load_tester_la_LIBADD) $(LIBS)
 install-ipsecPROGRAMS: $(ipsec_PROGRAMS)
 	@$(NORMAL_INSTALL)
-	test -z "$(ipsecdir)" || $(MKDIR_P) "$(DESTDIR)$(ipsecdir)"
 	@list='$(ipsec_PROGRAMS)'; test -n "$(ipsecdir)" || list=; \
+	if test -n "$$list"; then \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(ipsecdir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(ipsecdir)" || exit 1; \
+	fi; \
 	for p in $$list; do echo "$$p $$p"; done | \
 	sed 's/$(EXEEXT)$$//' | \
 	while read p p1; do if test -f $$p || test -f $$p1; \
diff --git a/src/libcharon/plugins/load_tester/load_tester_config.c b/src/libcharon/plugins/load_tester/load_tester_config.c
index c6288c5d9..a64affde8 100644
--- a/src/libcharon/plugins/load_tester/load_tester_config.c
+++ b/src/libcharon/plugins/load_tester/load_tester_config.c
@@ -63,6 +63,11 @@ struct private_load_tester_config_t {
 	 */
 	proposal_t *proposal;
 
+	/**
+	 * ESP proposal
+	 */
+	proposal_t *esp;
+
 	/**
 	 * Authentication method(s) to use/expect from initiator
 	 */
@@ -153,6 +158,11 @@ struct private_load_tester_config_t {
 	 */
 	int prefix;
 
+	/**
+	 * Keep addresses until shutdown?
+	 */
+	bool keep;
+
 	/**
 	 * Hashtable with leases in "pools", host_t => entry_t
 	 */
@@ -205,31 +215,77 @@ static bool equals(host_t *a, host_t *b)
  */
 static void load_addrs(private_load_tester_config_t *this)
 {
-	enumerator_t *enumerator;
-	host_t *net;
+	enumerator_t *enumerator, *tokens;
+	host_t *from, *to;
 	int bits;
-	char *iface, *cidr;
+	char *iface, *token, *pos;
 	mem_pool_t *pool;
 
-
+	this->keep = lib->settings->get_bool(lib->settings,
+						"%s.plugins.load-tester.addrs_keep", FALSE, charon->name);
 	this->prefix = lib->settings->get_int(lib->settings,
 						"%s.plugins.load-tester.addrs_prefix", 16, charon->name);
 	enumerator = lib->settings->create_key_value_enumerator(lib->settings,
 						"%s.plugins.load-tester.addrs", charon->name);
-	while (enumerator->enumerate(enumerator, &iface, &cidr))
+	while (enumerator->enumerate(enumerator, &iface, &token))
 	{
-		net = host_create_from_subnet(cidr, &bits);
-		if (net)
-		{
-			DBG1(DBG_CFG, "loaded load-tester addresses %s", cidr);
-			pool = mem_pool_create(iface, net, bits);
-			net->destroy(net);
-			this->pools->insert_last(this->pools, pool);
-		}
-		else
+		tokens = enumerator_create_token(token, ",", " ");
+		while (tokens->enumerate(tokens, &token))
 		{
-			DBG1(DBG_CFG, "parsing load-tester addresses %s failed", cidr);
+			pos = strchr(token, '-');
+			if (pos)
+			{	/* range */
+				*(pos++) = '\0';
+				/* trim whitespace */
+				while (*pos == ' ')
+				{
+					pos++;
+				}
+				while (token[strlen(token) - 1] == ' ')
+				{
+					token[strlen(token) - 1] = '\0';
+				}
+				from = host_create_from_string(token, 0);
+				to = host_create_from_string(pos, 0);
+				if (from && to)
+				{
+					pool = mem_pool_create_range(iface, from, to);
+					if (pool)
+					{
+						DBG1(DBG_CFG, "loaded load-tester address range "
+							 "%H-%H on %s", from, to, iface);
+						this->pools->insert_last(this->pools, pool);
+					}
+					from->destroy(from);
+					to->destroy(to);
+				}
+				else
+				{
+					DBG1(DBG_CFG, "parsing load-tester address range %s-%s "
+						 "failed, skipped", token, pos);
+					DESTROY_IF(from);
+					DESTROY_IF(to);
+				}
+			}
+			else
+			{	/* subnet */
+				from = host_create_from_subnet(token, &bits);
+				if (from)
+				{
+					DBG1(DBG_CFG, "loaded load-tester address pool %H/%d on %s",
+						 from, bits, iface);
+					pool = mem_pool_create(iface, from, bits);
+					from->destroy(from);
+					this->pools->insert_last(this->pools, pool);
+				}
+				else
+				{
+					DBG1(DBG_CFG, "parsing load-tester address %s failed, "
+						 "skipped", token);
+				}
+			}
 		}
+		tokens->destroy(tokens);
 	}
 	enumerator->destroy(enumerator);
 }
@@ -369,7 +425,7 @@ static void add_ts(char *string, child_cfg_t *cfg, bool local)
 
 	if (string)
 	{
-		ts = traffic_selector_create_from_cidr(string, 0, 0);
+		ts = traffic_selector_create_from_cidr(string, 0, 0, 65535);
 		if (!ts)
 		{
 			DBG1(DBG_CFG, "parsing TS string '%s' failed", string);
@@ -450,7 +506,6 @@ static peer_cfg_t* generate_config(private_load_tester_config_t *this, uint num)
 	ike_cfg_t *ike_cfg;
 	child_cfg_t *child_cfg;
 	peer_cfg_t *peer_cfg;
-	proposal_t *proposal;
 	char local[32], *remote;
 	host_t *addr;
 	lifetime_cfg_t lifetime = {
@@ -491,7 +546,7 @@ static peer_cfg_t* generate_config(private_load_tester_config_t *this, uint num)
 		ike_cfg = ike_cfg_create(this->version, TRUE, FALSE,
 								 local, FALSE, this->port + num - 1,
 								 remote, FALSE, IKEV2_NATT_PORT,
-								 FRAGMENTATION_NO);
+								 FRAGMENTATION_NO, 0);
 	}
 	else
 	{
@@ -499,7 +554,7 @@ static peer_cfg_t* generate_config(private_load_tester_config_t *this, uint num)
 								 local, FALSE,
 								 charon->socket->get_port(charon->socket, FALSE),
 								 remote, FALSE, IKEV2_UDP_PORT,
-								 FRAGMENTATION_NO);
+								 FRAGMENTATION_NO, 0);
 	}
 	ike_cfg->add_proposal(ike_cfg, this->proposal->clone(this->proposal));
 	peer_cfg = peer_cfg_create("load-test", ike_cfg,
@@ -532,8 +587,7 @@ static peer_cfg_t* generate_config(private_load_tester_config_t *this, uint num)
 	child_cfg = child_cfg_create("load-test", &lifetime, NULL, TRUE, MODE_TUNNEL,
 								 ACTION_NONE, ACTION_NONE, ACTION_NONE, FALSE,
 								 0, 0, NULL, NULL, 0);
-	proposal = proposal_create_from_string(PROTO_ESP, "aes128-sha1");
-	child_cfg->add_proposal(child_cfg, proposal);
+	child_cfg->add_proposal(child_cfg, this->esp->clone(this->esp));
 
 	if (num)
 	{	/* initiator */
@@ -589,6 +643,11 @@ METHOD(load_tester_config_t, delete_ip, void,
 	mem_pool_t *pool;
 	entry_t *entry;
 
+	if (this->keep)
+	{
+		return;
+	}
+
 	this->mutex->lock(this->mutex);
 	entry = this->leases->remove(this->leases, ip);
 	this->mutex->unlock(this->mutex);
@@ -610,14 +669,53 @@ METHOD(load_tester_config_t, delete_ip, void,
 	}
 }
 
+/**
+ * Clean up leases for allocated external addresses, if have been kept
+ */
+static void cleanup_leases(private_load_tester_config_t *this)
+{
+	enumerator_t *pools, *leases;
+	mem_pool_t *pool;
+	identification_t *id;
+	host_t *addr;
+	entry_t *entry;
+	bool online;
+
+	pools = this->pools->create_enumerator(this->pools);
+	while (pools->enumerate(pools, &pool))
+	{
+		leases = pool->create_lease_enumerator(pool);
+		while (leases->enumerate(leases, &id, &addr, &online))
+		{
+			if (online)
+			{
+				hydra->kernel_interface->del_ip(hydra->kernel_interface,
+												addr, this->prefix, FALSE);
+				entry = this->leases->remove(this->leases, addr);
+				if (entry)
+				{
+					entry_destroy(entry);
+				}
+			}
+		}
+		leases->destroy(leases);
+	}
+	pools->destroy(pools);
+}
+
 METHOD(load_tester_config_t, destroy, void,
 	private_load_tester_config_t *this)
 {
+	if (this->keep)
+	{
+		cleanup_leases(this);
+	}
 	this->mutex->destroy(this->mutex);
 	this->leases->destroy(this->leases);
 	this->pools->destroy_offset(this->pools, offsetof(mem_pool_t, destroy));
 	this->peer_cfg->destroy(this->peer_cfg);
 	DESTROY_IF(this->proposal);
+	DESTROY_IF(this->esp);
 	DESTROY_IF(this->vip);
 	free(this);
 }
@@ -667,6 +765,15 @@ load_tester_config_t *load_tester_config_create()
 		this->proposal = proposal_create_from_string(PROTO_IKE,
 													 "aes128-sha1-modp768");
 	}
+	this->esp = proposal_create_from_string(PROTO_ESP,
+			lib->settings->get_str(lib->settings,
+				"%s.plugins.load-tester.esp", "aes128-sha1",
+				charon->name));
+	if (!this->esp)
+	{	/* fallback */
+		this->esp = proposal_create_from_string(PROTO_ESP, "aes128-sha1");
+	}
+
 	this->ike_rekey = lib->settings->get_int(lib->settings,
 			"%s.plugins.load-tester.ike_rekey", 0, charon->name);
 	this->child_rekey = lib->settings->get_int(lib->settings,
diff --git a/src/libcharon/plugins/load_tester/load_tester_ipsec.c b/src/libcharon/plugins/load_tester/load_tester_ipsec.c
index ded6b2d20..4f84845a3 100644
--- a/src/libcharon/plugins/load_tester/load_tester_ipsec.c
+++ b/src/libcharon/plugins/load_tester/load_tester_ipsec.c
@@ -70,7 +70,8 @@ METHOD(kernel_ipsec_t, update_sa, status_t,
 
 METHOD(kernel_ipsec_t, query_sa, status_t,
 	private_load_tester_ipsec_t *this, host_t *src, host_t *dst,
-	u_int32_t spi, u_int8_t protocol, mark_t mark, u_int64_t *bytes)
+	u_int32_t spi, u_int8_t protocol, mark_t mark,
+	u_int64_t *bytes, u_int64_t *packets)
 {
 	return NOT_SUPPORTED;
 }
@@ -145,4 +146,3 @@ load_tester_ipsec_t *load_tester_ipsec_create()
 
 	return &this->public;
 }
-
diff --git a/src/libcharon/plugins/load_tester/load_tester_listener.c b/src/libcharon/plugins/load_tester/load_tester_listener.c
index 0192c8ff9..7e832ddc0 100644
--- a/src/libcharon/plugins/load_tester/load_tester_listener.c
+++ b/src/libcharon/plugins/load_tester/load_tester_listener.c
@@ -133,4 +133,3 @@ load_tester_listener_t *load_tester_listener_create(u_int shutdown_on,
 
 	return &this->public;
 }
-
diff --git a/src/libcharon/plugins/lookip/Makefile.in b/src/libcharon/plugins/lookip/Makefile.in
index 26ab61ba8..3b7d3247c 100644
--- a/src/libcharon/plugins/lookip/Makefile.in
+++ b/src/libcharon/plugins/lookip/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.11.3 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
@@ -17,6 +17,23 @@
 
 
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -113,6 +130,11 @@ LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
 	$(LDFLAGS) -o $@
 SOURCES = $(libstrongswan_lookip_la_SOURCES) $(lookip_SOURCES)
 DIST_SOURCES = $(libstrongswan_lookip_la_SOURCES) $(lookip_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
@@ -129,6 +151,8 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -145,6 +169,7 @@ EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
@@ -213,8 +238,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -270,7 +293,6 @@ nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
@@ -363,7 +385,6 @@ clean-noinstLTLIBRARIES:
 	done
 install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
-	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
 	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
 	list2=; for p in $$list; do \
 	  if test -f $$p; then \
@@ -371,6 +392,8 @@ install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	  else :; fi; \
 	done; \
 	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \
 	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
 	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
 	}
@@ -396,8 +419,11 @@ libstrongswan-lookip.la: $(libstrongswan_lookip_la_OBJECTS) $(libstrongswan_look
 	$(libstrongswan_lookip_la_LINK) $(am_libstrongswan_lookip_la_rpath) $(libstrongswan_lookip_la_OBJECTS) $(libstrongswan_lookip_la_LIBADD) $(LIBS)
 install-ipsecPROGRAMS: $(ipsec_PROGRAMS)
 	@$(NORMAL_INSTALL)
-	test -z "$(ipsecdir)" || $(MKDIR_P) "$(DESTDIR)$(ipsecdir)"
 	@list='$(ipsec_PROGRAMS)'; test -n "$(ipsecdir)" || list=; \
+	if test -n "$$list"; then \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(ipsecdir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(ipsecdir)" || exit 1; \
+	fi; \
 	for p in $$list; do echo "$$p $$p"; done | \
 	sed 's/$(EXEEXT)$$//' | \
 	while read p p1; do if test -f $$p || test -f $$p1; \
diff --git a/src/libcharon/plugins/maemo/Makefile.in b/src/libcharon/plugins/maemo/Makefile.in
index bd6f08e9b..2e511a0a8 100644
--- a/src/libcharon/plugins/maemo/Makefile.in
+++ b/src/libcharon/plugins/maemo/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.11.3 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
@@ -17,6 +17,23 @@
 
 
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -108,6 +125,11 @@ LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
 	$(LDFLAGS) -o $@
 SOURCES = $(libstrongswan_maemo_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_maemo_la_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 DATA = $(dbusservice_DATA)
 ETAGS = etags
 CTAGS = ctags
@@ -125,6 +147,8 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -141,6 +165,7 @@ EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
@@ -209,8 +234,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -266,7 +289,6 @@ nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
@@ -360,7 +382,6 @@ clean-noinstLTLIBRARIES:
 	done
 install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
-	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
 	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
 	list2=; for p in $$list; do \
 	  if test -f $$p; then \
@@ -368,6 +389,8 @@ install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	  else :; fi; \
 	done; \
 	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \
 	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
 	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
 	}
@@ -429,8 +452,11 @@ clean-libtool:
 	-rm -rf .libs _libs
 install-dbusserviceDATA: $(dbusservice_DATA)
 	@$(NORMAL_INSTALL)
-	test -z "$(dbusservicedir)" || $(MKDIR_P) "$(DESTDIR)$(dbusservicedir)"
 	@list='$(dbusservice_DATA)'; test -n "$(dbusservicedir)" || list=; \
+	if test -n "$$list"; then \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(dbusservicedir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(dbusservicedir)" || exit 1; \
+	fi; \
 	for p in $$list; do \
 	  if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \
 	  echo "$$d$$p"; \
diff --git a/src/libcharon/plugins/maemo/maemo_service.c b/src/libcharon/plugins/maemo/maemo_service.c
index 806e4cd65..d7539c2da 100644
--- a/src/libcharon/plugins/maemo/maemo_service.c
+++ b/src/libcharon/plugins/maemo/maemo_service.c
@@ -325,7 +325,8 @@ static gboolean initiate_connection(private_maemo_service_t *this,
 
 	ike_cfg = ike_cfg_create(IKEV2, TRUE, FALSE, "0.0.0.0", FALSE,
 							 charon->socket->get_port(charon->socket, FALSE),
-							 hostname, FALSE, IKEV2_UDP_PORT, FRAGMENTATION_NO);
+							 hostname, FALSE, IKEV2_UDP_PORT, FRAGMENTATION_NO,
+							 0);
 	ike_cfg->add_proposal(ike_cfg, proposal_create_default(PROTO_IKE));
 
 	peer_cfg = peer_cfg_create(this->current, ike_cfg,
@@ -524,4 +525,3 @@ maemo_service_t *maemo_service_create()
 
 	return &this->public;
 }
-
diff --git a/src/libcharon/plugins/medcli/Makefile.in b/src/libcharon/plugins/medcli/Makefile.in
index afccfee91..af003c463 100644
--- a/src/libcharon/plugins/medcli/Makefile.in
+++ b/src/libcharon/plugins/medcli/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.11.3 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
@@ -16,6 +16,23 @@
 @SET_MAKE@
 
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -107,6 +124,11 @@ LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
 	$(LDFLAGS) -o $@
 SOURCES = $(libstrongswan_medcli_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_medcli_la_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
@@ -123,6 +145,8 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -139,6 +163,7 @@ EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
@@ -207,8 +232,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -264,7 +287,6 @@ nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
@@ -356,7 +378,6 @@ clean-noinstLTLIBRARIES:
 	done
 install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
-	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
 	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
 	list2=; for p in $$list; do \
 	  if test -f $$p; then \
@@ -364,6 +385,8 @@ install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	  else :; fi; \
 	done; \
 	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \
 	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
 	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
 	}
diff --git a/src/libcharon/plugins/medcli/medcli_config.c b/src/libcharon/plugins/medcli/medcli_config.c
index 4be3dea02..2bff70307 100644
--- a/src/libcharon/plugins/medcli/medcli_config.c
+++ b/src/libcharon/plugins/medcli/medcli_config.c
@@ -63,7 +63,7 @@ static traffic_selector_t *ts_from_string(char *str)
 	{
 		traffic_selector_t *ts;
 
-		ts = traffic_selector_create_from_cidr(str, 0, 0);
+		ts = traffic_selector_create_from_cidr(str, 0, 0, 65535);
 		if (ts)
 		{
 			return ts;
@@ -105,7 +105,7 @@ METHOD(backend_t, get_peer_cfg_by_name, peer_cfg_t*,
 	ike_cfg = ike_cfg_create(IKEV2, FALSE, FALSE,
 							 "0.0.0.0", FALSE,
 							 charon->socket->get_port(charon->socket, FALSE),
-							 address, FALSE, IKEV2_UDP_PORT, FRAGMENTATION_NO);
+							 address, FALSE, IKEV2_UDP_PORT, FRAGMENTATION_NO, 0);
 	ike_cfg->add_proposal(ike_cfg, proposal_create_default(PROTO_IKE));
 	med_cfg = peer_cfg_create(
 		"mediation", ike_cfg,
@@ -381,7 +381,7 @@ medcli_config_t *medcli_config_create(database_t *db)
 							  "0.0.0.0", FALSE,
 							  charon->socket->get_port(charon->socket, FALSE),
 							  "0.0.0.0", FALSE, IKEV2_UDP_PORT,
-							  FRAGMENTATION_NO),
+							  FRAGMENTATION_NO, 0),
 	);
 	this->ike->add_proposal(this->ike, proposal_create_default(PROTO_IKE));
 
@@ -389,4 +389,3 @@ medcli_config_t *medcli_config_create(database_t *db)
 
 	return &this->public;
 }
-
diff --git a/src/libcharon/plugins/medsrv/Makefile.in b/src/libcharon/plugins/medsrv/Makefile.in
index 5d65aadc5..f679b11f1 100644
--- a/src/libcharon/plugins/medsrv/Makefile.in
+++ b/src/libcharon/plugins/medsrv/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.11.3 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
@@ -16,6 +16,23 @@
 @SET_MAKE@
 
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -107,6 +124,11 @@ LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
 	$(LDFLAGS) -o $@
 SOURCES = $(libstrongswan_medsrv_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_medsrv_la_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
@@ -123,6 +145,8 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -139,6 +163,7 @@ EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
@@ -207,8 +232,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -264,7 +287,6 @@ nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
@@ -355,7 +377,6 @@ clean-noinstLTLIBRARIES:
 	done
 install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
-	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
 	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
 	list2=; for p in $$list; do \
 	  if test -f $$p; then \
@@ -363,6 +384,8 @@ install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	  else :; fi; \
 	done; \
 	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \
 	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
 	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
 	}
diff --git a/src/libcharon/plugins/medsrv/medsrv_config.c b/src/libcharon/plugins/medsrv/medsrv_config.c
index be14380ea..06339220a 100644
--- a/src/libcharon/plugins/medsrv/medsrv_config.c
+++ b/src/libcharon/plugins/medsrv/medsrv_config.c
@@ -143,10 +143,9 @@ medsrv_config_t *medsrv_config_create(database_t *db)
 							  "0.0.0.0", FALSE,
 							  charon->socket->get_port(charon->socket, FALSE),
 							  "0.0.0.0", FALSE, IKEV2_UDP_PORT,
-							  FRAGMENTATION_NO),
+							  FRAGMENTATION_NO, 0),
 	);
 	this->ike->add_proposal(this->ike, proposal_create_default(PROTO_IKE));
 
 	return &this->public;
 }
-
diff --git a/src/libcharon/plugins/medsrv/medsrv_config.h b/src/libcharon/plugins/medsrv/medsrv_config.h
index fc8b0e972..03a41a7ce 100644
--- a/src/libcharon/plugins/medsrv/medsrv_config.h
+++ b/src/libcharon/plugins/medsrv/medsrv_config.h
@@ -15,7 +15,7 @@
 
 /**
  * @defgroup medsrv_config_i medsrv_config
- * @{ @ingroup medsrv
+ * @{ @ingroup medsrv_p
  */
 
 #ifndef MEDSRV_CONFIG_H_
diff --git a/src/libcharon/plugins/medsrv/medsrv_creds.h b/src/libcharon/plugins/medsrv/medsrv_creds.h
index d08adf3bf..2079601af 100644
--- a/src/libcharon/plugins/medsrv/medsrv_creds.h
+++ b/src/libcharon/plugins/medsrv/medsrv_creds.h
@@ -15,7 +15,7 @@
 
 /**
  * @defgroup medsrv_creds_i medsrv_creds
- * @{ @ingroup medsrv
+ * @{ @ingroup medsrv_p
  */
 
 #ifndef MEDSRV_CREDS_H_
diff --git a/src/libcharon/plugins/medsrv/medsrv_plugin.h b/src/libcharon/plugins/medsrv/medsrv_plugin.h
index 8736822ee..179fa3b3a 100644
--- a/src/libcharon/plugins/medsrv/medsrv_plugin.h
+++ b/src/libcharon/plugins/medsrv/medsrv_plugin.h
@@ -14,11 +14,11 @@
  */
 
 /**
- * @defgroup medsrv medsrv
+ * @defgroup medsrv_p medsrv
  * @ingroup cplugins
  *
  * @defgroup medsrv_plugin medsrv_plugin
- * @{ @ingroup medsrv
+ * @{ @ingroup medsrv_p
  */
 
 #ifndef MEDSRV_PLUGIN_H_
diff --git a/src/libcharon/plugins/radattr/Makefile.in b/src/libcharon/plugins/radattr/Makefile.in
index b22a74e94..84faa1db6 100644
--- a/src/libcharon/plugins/radattr/Makefile.in
+++ b/src/libcharon/plugins/radattr/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.11.3 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
@@ -16,6 +16,23 @@
 @SET_MAKE@
 
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -108,6 +125,11 @@ LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
 	$(LDFLAGS) -o $@
 SOURCES = $(libstrongswan_radattr_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_radattr_la_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
@@ -124,6 +146,8 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -140,6 +164,7 @@ EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
@@ -208,8 +233,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -265,7 +288,6 @@ nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
@@ -355,7 +377,6 @@ clean-noinstLTLIBRARIES:
 	done
 install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
-	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
 	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
 	list2=; for p in $$list; do \
 	  if test -f $$p; then \
@@ -363,6 +384,8 @@ install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	  else :; fi; \
 	done; \
 	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \
 	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
 	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
 	}
diff --git a/src/libcharon/plugins/smp/Makefile.in b/src/libcharon/plugins/smp/Makefile.in
index 433d019c1..72f7deead 100644
--- a/src/libcharon/plugins/smp/Makefile.in
+++ b/src/libcharon/plugins/smp/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.11.3 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
@@ -16,6 +16,23 @@
 @SET_MAKE@
 
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -105,6 +122,11 @@ LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
 	$(LDFLAGS) -o $@
 SOURCES = $(libstrongswan_smp_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_smp_la_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
@@ -121,6 +143,8 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -137,6 +161,7 @@ EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
@@ -205,8 +230,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -262,7 +285,6 @@ nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
@@ -352,7 +374,6 @@ clean-noinstLTLIBRARIES:
 	done
 install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
-	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
 	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
 	list2=; for p in $$list; do \
 	  if test -f $$p; then \
@@ -360,6 +381,8 @@ install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	  else :; fi; \
 	done; \
 	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \
 	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
 	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
 	}
diff --git a/src/libcharon/plugins/socket_default/Makefile.in b/src/libcharon/plugins/socket_default/Makefile.in
index 5e947a7e9..e73d2003a 100644
--- a/src/libcharon/plugins/socket_default/Makefile.in
+++ b/src/libcharon/plugins/socket_default/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.11.3 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
@@ -16,6 +16,23 @@
 @SET_MAKE@
 
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -108,6 +125,11 @@ LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
 	$(LDFLAGS) -o $@
 SOURCES = $(libstrongswan_socket_default_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_socket_default_la_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
@@ -124,6 +146,8 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -140,6 +164,7 @@ EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
@@ -208,8 +233,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -265,7 +288,6 @@ nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
@@ -355,7 +377,6 @@ clean-noinstLTLIBRARIES:
 	done
 install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
-	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
 	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
 	list2=; for p in $$list; do \
 	  if test -f $$p; then \
@@ -363,6 +384,8 @@ install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	  else :; fi; \
 	done; \
 	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \
 	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
 	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
 	}
diff --git a/src/libcharon/plugins/socket_default/socket_default_socket.c b/src/libcharon/plugins/socket_default/socket_default_socket.c
index 51432c960..c0b744a68 100644
--- a/src/libcharon/plugins/socket_default/socket_default_socket.c
+++ b/src/libcharon/plugins/socket_default/socket_default_socket.c
@@ -55,6 +55,9 @@
 #ifndef SOL_IPV6
 #define SOL_IPV6 IPPROTO_IPV6
 #endif
+#ifndef IPV6_TCLASS
+#define IPV6_TCLASS 67
+#endif
 
 /* IPV6_RECVPKTINFO is defined in RFC 3542 which obsoletes RFC 2292 that
  * previously defined IPV6_PKTINFO */
@@ -112,6 +115,26 @@ struct private_socket_default_socket_t {
 	 */
 	int ipv6_natt;
 
+	/**
+	 * DSCP value set on IPv4 socket
+	 */
+	u_int8_t dscp4;
+
+	/**
+	 * DSCP value set on IPv4 socket for NAT-T (4500 or natt)
+	 */
+	u_int8_t dscp4_natt;
+
+	/**
+	 * DSCP value set on IPv6 socket (500 or port)
+	 */
+	u_int8_t dscp6;
+
+	/**
+	 * DSCP value set on IPv6 socket for NAT-T (4500 or natt)
+	 */
+	u_int8_t dscp6_natt;
+
 	/**
 	 * Maximum packet size to receive
 	 */
@@ -310,6 +333,7 @@ METHOD(socket_t, sender, status_t,
 	struct msghdr msg;
 	struct cmsghdr *cmsg;
 	struct iovec iov;
+	u_int8_t *dscp;
 
 	src = packet->get_source(packet);
 	dst = packet->get_destination(packet);
@@ -322,24 +346,34 @@ METHOD(socket_t, sender, status_t,
 	family = dst->get_family(dst);
 	if (sport == 0 || sport == this->port)
 	{
-		if (family == AF_INET)
-		{
-			skt = this->ipv4;
-		}
-		else
+		switch (family)
 		{
-			skt = this->ipv6;
+			case AF_INET:
+				skt = this->ipv4;
+				dscp = &this->dscp4;
+				break;
+			case AF_INET6:
+				skt = this->ipv6;
+				dscp = &this->dscp6;
+				break;
+			default:
+				return FAILED;
 		}
 	}
 	else if (sport == this->natt)
 	{
-		if (family == AF_INET)
-		{
-			skt = this->ipv4_natt;
-		}
-		else
+		switch (family)
 		{
-			skt = this->ipv6_natt;
+			case AF_INET:
+				skt = this->ipv4_natt;
+				dscp = &this->dscp4_natt;
+				break;
+			case AF_INET6:
+				skt = this->ipv6_natt;
+				dscp = &this->dscp6_natt;
+				break;
+			default:
+				return FAILED;
 		}
 	}
 	else
@@ -348,6 +382,43 @@ METHOD(socket_t, sender, status_t,
 		return FAILED;
 	}
 
+	/* setting DSCP values per-packet in a cmsg seems not to be supported
+	 * on Linux. We instead setsockopt() before sending it, this should be
+	 * safe as only a single thread calls send(). */
+	if (*dscp != packet->get_dscp(packet))
+	{
+		if (family == AF_INET)
+		{
+			u_int8_t ds4;
+
+			ds4 = packet->get_dscp(packet) << 2;
+			if (setsockopt(skt, SOL_IP, IP_TOS, &ds4, sizeof(ds4)) == 0)
+			{
+				*dscp = packet->get_dscp(packet);
+			}
+			else
+			{
+				DBG1(DBG_NET, "unable to set IP_TOS on socket: %s",
+					 strerror(errno));
+			}
+		}
+		else
+		{
+			u_int ds6;
+
+			ds6 = packet->get_dscp(packet) << 2;
+			if (setsockopt(skt, SOL_IPV6, IPV6_TCLASS, &ds6, sizeof(ds6)) == 0)
+			{
+				*dscp = packet->get_dscp(packet);
+			}
+			else
+			{
+				DBG1(DBG_NET, "unable to set IPV6_TCLASS on socket: %s",
+					 strerror(errno));
+			}
+		}
+	}
+
 	memset(&msg, 0, sizeof(struct msghdr));
 	msg.msg_name = dst->get_sockaddr(dst);;
 	msg.msg_namelen = *dst->get_sockaddr_len(dst);
@@ -433,22 +504,24 @@ static int open_socket(private_socket_default_socket_t *this,
 					   int family, u_int16_t *port)
 {
 	int on = TRUE;
-	struct sockaddr_storage addr;
+	union {
+		struct sockaddr sockaddr;
+		struct sockaddr_in sin;
+		struct sockaddr_in6 sin6;
+	} addr;
 	socklen_t addrlen;
 	u_int sol, pktinfo = 0;
 	int skt;
 
 	memset(&addr, 0, sizeof(addr));
-	addr.ss_family = family;
+	addr.sockaddr.sa_family = family;
 	/* precalculate constants depending on address family */
 	switch (family)
 	{
 		case AF_INET:
-		{
-			struct sockaddr_in *sin = (struct sockaddr_in *)&addr;
-			htoun32(&sin->sin_addr.s_addr, INADDR_ANY);
-			htoun16(&sin->sin_port, *port);
-			addrlen = sizeof(struct sockaddr_in);
+			addr.sin.sin_addr.s_addr = htonl(INADDR_ANY);
+			addr.sin.sin_port = htons(*port);
+			addrlen = sizeof(addr.sin);
 			sol = SOL_IP;
 #ifdef IP_PKTINFO
 			pktinfo = IP_PKTINFO;
@@ -456,17 +529,13 @@ static int open_socket(private_socket_default_socket_t *this,
 			pktinfo = IP_RECVDSTADDR;
 #endif
 			break;
-		}
 		case AF_INET6:
-		{
-			struct sockaddr_in6 *sin6 = (struct sockaddr_in6 *)&addr;
-			memcpy(&sin6->sin6_addr, &in6addr_any, sizeof(in6addr_any));
-			htoun16(&sin6->sin6_port, *port);
-			addrlen = sizeof(struct sockaddr_in6);
+			memcpy(&addr.sin6.sin6_addr, &in6addr_any, sizeof(in6addr_any));
+			addr.sin6.sin6_port = htons(*port);
+			addrlen = sizeof(addr.sin6);
 			sol = SOL_IPV6;
 			pktinfo = IPV6_RECVPKTINFO;
 			break;
-		}
 		default:
 			return 0;
 	}
@@ -485,7 +554,7 @@ static int open_socket(private_socket_default_socket_t *this,
 	}
 
 	/* bind the socket */
-	if (bind(skt, (struct sockaddr *)&addr, addrlen) < 0)
+	if (bind(skt, &addr.sockaddr, addrlen) < 0)
 	{
 		DBG1(DBG_NET, "unable to bind socket: %s", strerror(errno));
 		close(skt);
@@ -495,7 +564,7 @@ static int open_socket(private_socket_default_socket_t *this,
 	/* retrieve randomly allocated port if needed */
 	if (*port == 0)
 	{
-		if (getsockname(skt, (struct sockaddr *)&addr, &addrlen) < 0)
+		if (getsockname(skt, &addr.sockaddr, &addrlen) < 0)
 		{
 			DBG1(DBG_NET, "unable to determine port: %s", strerror(errno));
 			close(skt);
@@ -504,17 +573,11 @@ static int open_socket(private_socket_default_socket_t *this,
 		switch (family)
 		{
 			case AF_INET:
-			{
-				struct sockaddr_in *sin = (struct sockaddr_in *)&addr;
-				*port = untoh16(&sin->sin_port);
+				*port = ntohs(addr.sin.sin_port);
 				break;
-			}
 			case AF_INET6:
-			{
-				struct sockaddr_in6 *sin6 = (struct sockaddr_in6 *)&addr;
-				*port = untoh16(&sin6->sin6_port);
+				*port = ntohs(addr.sin6.sin6_port);
 				break;
-			}
 		}
 	}
 
@@ -642,4 +705,3 @@ socket_default_socket_t *socket_default_socket_create()
 
 	return &this->public;
 }
-
diff --git a/src/libcharon/plugins/socket_dynamic/Makefile.in b/src/libcharon/plugins/socket_dynamic/Makefile.in
index e3fe4334a..855c307a8 100644
--- a/src/libcharon/plugins/socket_dynamic/Makefile.in
+++ b/src/libcharon/plugins/socket_dynamic/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.11.3 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
@@ -16,6 +16,23 @@
 @SET_MAKE@
 
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -108,6 +125,11 @@ LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
 	$(LDFLAGS) -o $@
 SOURCES = $(libstrongswan_socket_dynamic_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_socket_dynamic_la_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
@@ -124,6 +146,8 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -140,6 +164,7 @@ EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
@@ -208,8 +233,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -265,7 +288,6 @@ nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
@@ -355,7 +377,6 @@ clean-noinstLTLIBRARIES:
 	done
 install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
-	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
 	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
 	list2=; for p in $$list; do \
 	  if test -f $$p; then \
@@ -363,6 +384,8 @@ install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	  else :; fi; \
 	done; \
 	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \
 	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
 	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
 	}
diff --git a/src/libcharon/plugins/sql/Makefile.in b/src/libcharon/plugins/sql/Makefile.in
index 22868fce7..95fe34802 100644
--- a/src/libcharon/plugins/sql/Makefile.in
+++ b/src/libcharon/plugins/sql/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.11.3 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
@@ -16,6 +16,23 @@
 @SET_MAKE@
 
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -105,6 +122,11 @@ LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
 	$(LDFLAGS) -o $@
 SOURCES = $(libstrongswan_sql_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_sql_la_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
@@ -121,6 +143,8 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -137,6 +161,7 @@ EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
@@ -205,8 +230,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -262,7 +285,6 @@ nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
@@ -351,7 +373,6 @@ clean-noinstLTLIBRARIES:
 	done
 install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
-	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
 	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
 	list2=; for p in $$list; do \
 	  if test -f $$p; then \
@@ -359,6 +380,8 @@ install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	  else :; fi; \
 	done; \
 	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \
 	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
 	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
 	}
diff --git a/src/libcharon/plugins/sql/sql_config.c b/src/libcharon/plugins/sql/sql_config.c
index 37bd86671..c3471a078 100644
--- a/src/libcharon/plugins/sql/sql_config.c
+++ b/src/libcharon/plugins/sql/sql_config.c
@@ -262,7 +262,7 @@ static ike_cfg_t *build_ike_cfg(private_sql_config_t *this, enumerator_t *e,
 								 local, FALSE,
 								 charon->socket->get_port(charon->socket, FALSE),
 								 remote, FALSE, IKEV2_UDP_PORT,
-								 FRAGMENTATION_NO);
+								 FRAGMENTATION_NO, 0);
 		add_ike_proposals(this, ike_cfg, id);
 		return ike_cfg;
 	}
@@ -620,4 +620,3 @@ sql_config_t *sql_config_create(database_t *db)
 
 	return &this->public;
 }
-
diff --git a/src/libcharon/plugins/stroke/Makefile.in b/src/libcharon/plugins/stroke/Makefile.in
index 38924708a..77497e2b9 100644
--- a/src/libcharon/plugins/stroke/Makefile.in
+++ b/src/libcharon/plugins/stroke/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.11.3 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
@@ -16,6 +16,23 @@
 @SET_MAKE@
 
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -109,6 +126,11 @@ LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
 	$(LDFLAGS) -o $@
 SOURCES = $(libstrongswan_stroke_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_stroke_la_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
@@ -125,6 +147,8 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -141,6 +165,7 @@ EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
@@ -209,8 +234,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -266,7 +289,6 @@ nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
@@ -368,7 +390,6 @@ clean-noinstLTLIBRARIES:
 	done
 install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
-	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
 	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
 	list2=; for p in $$list; do \
 	  if test -f $$p; then \
@@ -376,6 +397,8 @@ install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	  else :; fi; \
 	done; \
 	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \
 	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
 	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
 	}
diff --git a/src/libcharon/plugins/stroke/stroke_config.c b/src/libcharon/plugins/stroke/stroke_config.c
index 9f6124dc9..86f0fe431 100644
--- a/src/libcharon/plugins/stroke/stroke_config.c
+++ b/src/libcharon/plugins/stroke/stroke_config.c
@@ -234,7 +234,8 @@ static ike_cfg_t *build_ike_cfg(private_stroke_config_t *this, stroke_msg_t *msg
 							 msg->add_conn.other.address,
 							 msg->add_conn.other.allow_any,
 							 msg->add_conn.other.ikeport,
-							 msg->add_conn.fragmentation);
+							 msg->add_conn.fragmentation,
+							 msg->add_conn.ikedscp);
 	add_proposals(this, msg->add_conn.algorithms.ike, ike_cfg, NULL);
 	return ike_cfg;
 }
@@ -447,39 +448,43 @@ static auth_cfg_t *build_auth_cfg(private_stroke_config_t *this,
 	identity = identification_create_from_string(id);
 	if (cert)
 	{
-		certificate = this->cred->load_peer(this->cred, cert);
-		if (certificate)
+		enumerator_t *enumerator;
+		bool has_subject = FALSE;
+		certificate_t *first = NULL;
+
+		enumerator = enumerator_create_token(cert, ",", " ");
+		while (enumerator->enumerate(enumerator, &cert))
 		{
-			if (local)
-			{
-				this->ca->check_for_hash_and_url(this->ca, certificate);
-			}
-			cfg->add(cfg, AUTH_RULE_SUBJECT_CERT, certificate);
-			if (identity->get_type(identity) == ID_ANY ||
-				!certificate->has_subject(certificate, identity))
+			certificate = this->cred->load_peer(this->cred, cert);
+			if (certificate)
 			{
-				DBG1(DBG_CFG, "  id '%Y' not confirmed by certificate, "
-					 "defaulting to '%Y'", identity,
-					 certificate->get_subject(certificate));
-				identity->destroy(identity);
-				identity = certificate->get_subject(certificate);
-				identity = identity->clone(identity);
+				if (local)
+				{
+					this->ca->check_for_hash_and_url(this->ca, certificate);
+				}
+				cfg->add(cfg, AUTH_RULE_SUBJECT_CERT, certificate);
+				if (!first)
+				{
+					first = certificate;
+				}
+				if (identity->get_type(identity) != ID_ANY &&
+					certificate->has_subject(certificate, identity))
+				{
+					has_subject = TRUE;
+				}
 			}
 		}
-	}
-	if (identity->get_type(identity) != ID_ANY)
-	{
-		cfg->add(cfg, AUTH_RULE_IDENTITY, identity);
-		if (loose)
+		enumerator->destroy(enumerator);
+
+		if (first && !has_subject)
 		{
-			cfg->add(cfg, AUTH_RULE_IDENTITY_LOOSE, TRUE);
+			DBG1(DBG_CFG, "  id '%Y' not confirmed by certificate, "
+				 "defaulting to '%Y'", identity, first->get_subject(first));
+			identity->destroy(identity);
+			identity = first->get_subject(first);
+			identity = identity->clone(identity);
 		}
 	}
-	else
-	{
-		identity->destroy(identity);
-	}
-
 	/* add raw RSA public key */
 	pubkey = end->rsakey;
 	if (pubkey && !streq(pubkey, "") && !streq(pubkey, "%cert"))
@@ -491,6 +496,18 @@ static auth_cfg_t *build_auth_cfg(private_stroke_config_t *this,
 			cfg->add(cfg, AUTH_RULE_SUBJECT_CERT, certificate);
 		}
 	}
+	if (identity->get_type(identity) != ID_ANY)
+	{
+		cfg->add(cfg, AUTH_RULE_IDENTITY, identity);
+		if (loose)
+		{
+			cfg->add(cfg, AUTH_RULE_IDENTITY_LOOSE, TRUE);
+		}
+	}
+	else
+	{
+		identity->destroy(identity);
+	}
 
 	/* CA constraint */
 	if (ca)
@@ -877,7 +894,7 @@ static void add_ts(private_stroke_config_t *this,
 	if (end->tohost)
 	{
 		ts = traffic_selector_create_dynamic(end->protocol,
-					end->port ? end->port : 0, end->port ? end->port : 65535);
+											 end->from_port, end->to_port);
 		child_cfg->add_traffic_selector(child_cfg, local, ts);
 	}
 	else
@@ -890,7 +907,7 @@ static void add_ts(private_stroke_config_t *this,
 			if (net)
 			{
 				ts = traffic_selector_create_from_subnet(net, 0, end->protocol,
-														 end->port);
+												end->from_port, end->to_port);
 				child_cfg->add_traffic_selector(child_cfg, local, ts);
 			}
 		}
@@ -902,8 +919,8 @@ static void add_ts(private_stroke_config_t *this,
 			enumerator = enumerator_create_token(end->subnets, ",", " ");
 			while (enumerator->enumerate(enumerator, &subnet))
 			{
-				ts = traffic_selector_create_from_cidr(subnet,
-													end->protocol, end->port);
+				ts = traffic_selector_create_from_cidr(subnet, end->protocol,
+												end->from_port, end->to_port);
 				if (ts)
 				{
 					child_cfg->add_traffic_selector(child_cfg, local, ts);
diff --git a/src/libcharon/plugins/stroke/stroke_control.c b/src/libcharon/plugins/stroke/stroke_control.c
index 233d4088f..91130d1ee 100644
--- a/src/libcharon/plugins/stroke/stroke_control.c
+++ b/src/libcharon/plugins/stroke/stroke_control.c
@@ -33,6 +33,11 @@ struct private_stroke_control_t {
 	 * public functions
 	 */
 	stroke_control_t public;
+
+	/**
+	 * Timeout for stroke commands, im ms
+	 */
+	u_int timeout;
 };
 
 
@@ -97,8 +102,8 @@ static child_cfg_t* get_child_from_peer(peer_cfg_t *peer_cfg, char *name)
 /**
  * call the charon controller to initiate the connection
  */
-static void charon_initiate(peer_cfg_t *peer_cfg, child_cfg_t *child_cfg,
-							stroke_msg_t *msg, FILE *out)
+static void charon_initiate(private_stroke_control_t *this, peer_cfg_t *peer_cfg,
+							child_cfg_t *child_cfg, stroke_msg_t *msg, FILE *out)
 {
 	if (msg->output_verbosity < 0)
 	{
@@ -108,9 +113,27 @@ static void charon_initiate(peer_cfg_t *peer_cfg, child_cfg_t *child_cfg,
 	else
 	{
 		stroke_log_info_t info = { msg->output_verbosity, out };
+		status_t status;
 
-		charon->controller->initiate(charon->controller, peer_cfg, child_cfg,
-									 (controller_cb_t)stroke_log, &info, 0);
+		status = charon->controller->initiate(charon->controller,
+							peer_cfg, child_cfg, (controller_cb_t)stroke_log,
+							&info, this->timeout);
+		switch (status)
+		{
+			case SUCCESS:
+				fprintf(out, "connection '%s' established successfully\n",
+						msg->initiate.name);
+				break;
+			case OUT_OF_RES:
+				fprintf(out, "connection '%s' not established after %dms, "
+						"detaching\n", msg->initiate.name, this->timeout);
+				break;
+			default:
+			case FAILED:
+				fprintf(out, "establishing connection '%s' failed\n",
+						msg->initiate.name);
+				break;
+		}
 	}
 }
 
@@ -133,7 +156,7 @@ METHOD(stroke_control_t, initiate, void,
 			while (enumerator->enumerate(enumerator, &child_cfg))
 			{
 				empty = FALSE;
-				charon_initiate(peer_cfg->get_ref(peer_cfg),
+				charon_initiate(this, peer_cfg->get_ref(peer_cfg),
 								child_cfg->get_ref(child_cfg), msg, out);
 			}
 			enumerator->destroy(enumerator);
@@ -169,7 +192,7 @@ METHOD(stroke_control_t, initiate, void,
 			return;
 		}
 	}
-	charon_initiate(peer_cfg, child_cfg, msg, out);
+	charon_initiate(this, peer_cfg, child_cfg, msg, out);
 }
 
 /**
@@ -239,6 +262,41 @@ static bool parse_specifier(char *string, u_int32_t *id,
 	return TRUE;
 }
 
+/**
+ * Report the result of a terminate() call to console
+ */
+static void report_terminate_status(private_stroke_control_t *this,
+						status_t status, FILE *out, u_int32_t id, bool child)
+{
+	char *prefix, *postfix;
+
+	if (child)
+	{
+		prefix = "CHILD_SA {";
+		postfix = "}";
+	}
+	else
+	{
+		prefix = "IKE_SA [";
+		postfix = "]";
+	}
+
+	switch (status)
+	{
+		case SUCCESS:
+			fprintf(out, "%s%d%s closed successfully\n", prefix, id, postfix);
+			break;
+		case OUT_OF_RES:
+			fprintf(out, "%s%d%s not closed after %dms, detaching\n",
+					prefix, id, postfix, this->timeout);
+			break;
+		default:
+		case FAILED:
+			fprintf(out, "closing %s%d%s failed\n", prefix, id, postfix);
+			break;
+	}
+}
+
 METHOD(stroke_control_t, terminate, void,
 	private_stroke_control_t *this, stroke_msg_t *msg, FILE *out)
 {
@@ -250,6 +308,7 @@ METHOD(stroke_control_t, terminate, void,
 	linked_list_t *ike_list, *child_list;
 	stroke_log_info_t info;
 	uintptr_t del;
+	status_t status;
 
 	if (!parse_specifier(msg->terminate.name, &id, &name, &child, &all))
 	{
@@ -264,15 +323,15 @@ METHOD(stroke_control_t, terminate, void,
 	{
 		if (child)
 		{
-			charon->controller->terminate_child(charon->controller, id,
-									(controller_cb_t)stroke_log, &info, 0);
+			status = charon->controller->terminate_child(charon->controller, id,
+							(controller_cb_t)stroke_log, &info, this->timeout);
 		}
 		else
 		{
-			charon->controller->terminate_ike(charon->controller, id,
-									(controller_cb_t)stroke_log, &info, 0);
+			status = charon->controller->terminate_ike(charon->controller, id,
+							(controller_cb_t)stroke_log, &info, this->timeout);
 		}
-		return;
+		return report_terminate_status(this, status, out, id, child);
 	}
 
 	ike_list = linked_list_create();
@@ -320,16 +379,18 @@ METHOD(stroke_control_t, terminate, void,
 	enumerator = child_list->create_enumerator(child_list);
 	while (enumerator->enumerate(enumerator, &del))
 	{
-		charon->controller->terminate_child(charon->controller, del,
-									(controller_cb_t)stroke_log, &info, 0);
+		status = charon->controller->terminate_child(charon->controller, del,
+							(controller_cb_t)stroke_log, &info, this->timeout);
+		report_terminate_status(this, status, out, del, TRUE);
 	}
 	enumerator->destroy(enumerator);
 
 	enumerator = ike_list->create_enumerator(ike_list);
 	while (enumerator->enumerate(enumerator, &del))
 	{
-		charon->controller->terminate_ike(charon->controller, del,
-									(controller_cb_t)stroke_log, &info, 0);
+		status = charon->controller->terminate_ike(charon->controller, del,
+							(controller_cb_t)stroke_log, &info, this->timeout);
+		report_terminate_status(this, status, out, del, FALSE);
 	}
 	enumerator->destroy(enumerator);
 
@@ -487,6 +548,7 @@ METHOD(stroke_control_t, purge_ike, void,
 	linked_list_t *list;
 	uintptr_t del;
 	stroke_log_info_t info;
+	status_t status;
 
 	info.out = out;
 	info.level = msg->output_verbosity;
@@ -509,8 +571,9 @@ METHOD(stroke_control_t, purge_ike, void,
 	enumerator = list->create_enumerator(list);
 	while (enumerator->enumerate(enumerator, &del))
 	{
-		charon->controller->terminate_ike(charon->controller, del,
-									(controller_cb_t)stroke_log, &info, 0);
+		status = charon->controller->terminate_ike(charon->controller, del,
+							(controller_cb_t)stroke_log, &info, this->timeout);
+		report_terminate_status(this, status, out, del, TRUE);
 	}
 	enumerator->destroy(enumerator);
 	list->destroy(list);
@@ -670,8 +733,9 @@ stroke_control_t *stroke_control_create()
 			.unroute = _unroute,
 			.destroy = _destroy,
 		},
+		.timeout = lib->settings->get_int(lib->settings,
+								"%s.plugins.stroke.timeout", 0, charon->name),
 	);
 
 	return &this->public;
 }
-
diff --git a/src/libcharon/plugins/stroke/stroke_counter.c b/src/libcharon/plugins/stroke/stroke_counter.c
index 56eda945a..5fa1fb165 100644
--- a/src/libcharon/plugins/stroke/stroke_counter.c
+++ b/src/libcharon/plugins/stroke/stroke_counter.c
@@ -16,6 +16,7 @@
 #include "stroke_counter.h"
 
 #include <threading/spinlock.h>
+#include <collections/hashtable.h>
 
 ENUM(stroke_counter_type_names,
 	COUNTER_INIT_IKE_SA_REKEY, COUNTER_OUT_INFORMATIONAL_RSP,
@@ -55,16 +56,98 @@ struct private_stroke_counter_t {
 	stroke_counter_t public;
 
 	/**
-	 * Counter values
+	 * Global counter values
 	 */
 	u_int64_t counter[COUNTER_MAX];
 
+	/**
+	 * Counters for specific connection names, char* => entry_t
+	 */
+	hashtable_t *conns;
+
 	/**
 	 * Lock for counter values
 	 */
 	spinlock_t *lock;
 };
 
+/**
+ * Counters for a specific connection name
+ */
+typedef struct {
+	/** connection name */
+	char *name;
+	/** counter values for connection */
+	u_int64_t counter[COUNTER_MAX];
+} entry_t;
+
+/**
+ * Destroy named entry
+ */
+static void destroy_entry(entry_t *this)
+{
+	free(this->name);
+	free(this);
+}
+
+/**
+ * Hashtable hash function
+ */
+static u_int hash(char *name)
+{
+	return chunk_hash(chunk_from_str(name));
+}
+
+/**
+ * Hashtable equals function
+ */
+static bool equals(char *a, char *b)
+{
+	return streq(a, b);
+}
+
+/**
+ * Get the name of an IKE_SA, but return NULL if it is not known yet
+ */
+static char *get_ike_sa_name(ike_sa_t *ike_sa)
+{
+	peer_cfg_t *peer_cfg;
+
+	if (ike_sa)
+	{
+		peer_cfg = ike_sa->get_peer_cfg(ike_sa);
+		if (peer_cfg)
+		{
+			return peer_cfg->get_name(peer_cfg);
+		}
+	}
+	return NULL;
+}
+
+/**
+ * Increase a counter for a named entry
+ */
+static void count_named(private_stroke_counter_t *this,
+						ike_sa_t *ike_sa, stroke_counter_type_t type)
+{
+	entry_t *entry;
+	char *name;
+
+	name = get_ike_sa_name(ike_sa);
+	if (name)
+	{
+		entry = this->conns->get(this->conns, name);
+		if (!entry)
+		{
+			INIT(entry,
+				.name = strdup(name),
+			);
+			this->conns->put(this->conns, entry->name, entry);
+		}
+		entry->counter[type]++;
+	}
+}
+
 METHOD(listener_t, alert, bool,
 	private_stroke_counter_t *this, ike_sa_t *ike_sa,
 	alert_t alert, va_list args)
@@ -86,6 +169,7 @@ METHOD(listener_t, alert, bool,
 
 	this->lock->lock(this->lock);
 	this->counter[type]++;
+	count_named(this, ike_sa, type);
 	this->lock->unlock(this->lock);
 
 	return TRUE;
@@ -109,6 +193,7 @@ METHOD(listener_t, ike_rekey, bool,
 
 	this->lock->lock(this->lock);
 	this->counter[type]++;
+	count_named(this, old, type);
 	this->lock->unlock(this->lock);
 
 	return TRUE;
@@ -120,6 +205,7 @@ METHOD(listener_t, child_rekey, bool,
 {
 	this->lock->lock(this->lock);
 	this->counter[COUNTER_CHILD_SA_REKEY]++;
+	count_named(this, ike_sa, COUNTER_CHILD_SA_REKEY);
 	this->lock->unlock(this->lock);
 
 	return TRUE;
@@ -194,18 +280,94 @@ METHOD(listener_t, message_hook, bool,
 
 	this->lock->lock(this->lock);
 	this->counter[type]++;
+	count_named(this, ike_sa, type);
 	this->lock->unlock(this->lock);
 
 	return TRUE;
 }
 
-METHOD(stroke_counter_t, print, void,
-	private_stroke_counter_t *this, FILE *out)
+/**
+ * Print a single counter value to out
+ */
+static void print_counter(FILE *out, stroke_counter_type_t type,
+						  u_int64_t counter)
+{
+	fprintf(out, "%-18N %12llu\n", stroke_counter_type_names, type, counter);
+}
+
+/**
+ * Print IKE counters for a specific connection
+ */
+static void print_one(private_stroke_counter_t *this, FILE *out, char *name)
+{
+	u_int64_t counter[COUNTER_MAX];
+	entry_t *entry;
+	int i;
+
+	this->lock->lock(this->lock);
+	entry = this->conns->get(this->conns, name);
+	if (entry)
+	{
+		for (i = 0; i < countof(this->counter); i++)
+		{
+			counter[i] = entry->counter[i];
+		}
+	}
+	this->lock->unlock(this->lock);
+
+	if (entry)
+	{
+		fprintf(out, "\nList of IKE counters for '%s':\n\n", name);
+		for (i = 0; i < countof(this->counter); i++)
+		{
+			print_counter(out, i, counter[i]);
+		}
+	}
+	else
+	{
+		fprintf(out, "No IKE counters found for '%s'\n", name);
+	}
+}
+
+/**
+ * Print counters for all connections
+ */
+static void print_all(private_stroke_counter_t *this, FILE *out)
+{
+	enumerator_t *enumerator;
+	entry_t *entry;
+	linked_list_t *list;
+	char *name;
+
+	list = linked_list_create();
+
+	this->lock->lock(this->lock);
+	enumerator = this->conns->create_enumerator(this->conns);
+	while (enumerator->enumerate(enumerator, &name, &entry))
+	{
+		list->insert_last(list, strdup(name));
+	}
+	enumerator->destroy(enumerator);
+	this->lock->unlock(this->lock);
+
+	enumerator = list->create_enumerator(list);
+	while (enumerator->enumerate(enumerator, &name))
+	{
+		print_one(this, out, name);
+	}
+	enumerator->destroy(enumerator);
+
+	list->destroy_function(list, free);
+}
+
+/**
+ * Print global counters
+ */
+static void print_global(private_stroke_counter_t *this, FILE *out)
 {
 	u_int64_t counter[COUNTER_MAX];
 	int i;
 
-	/* Take a snapshot to have congruent results, */
 	this->lock->lock(this->lock);
 	for (i = 0; i < countof(this->counter); i++)
 	{
@@ -215,16 +377,61 @@ METHOD(stroke_counter_t, print, void,
 
 	fprintf(out, "\nList of IKE counters:\n\n");
 
-	/* but do blocking write without the lock. */
 	for (i = 0; i < countof(this->counter); i++)
 	{
-		fprintf(out, "%-18N %12llu\n", stroke_counter_type_names, i, counter[i]);
+		print_counter(out, i, counter[i]);
 	}
 }
 
+METHOD(stroke_counter_t, print, void,
+	private_stroke_counter_t *this, FILE *out, char *name)
+{
+	if (name)
+	{
+		if (streq(name, "all"))
+		{
+			return print_all(this, out);
+		}
+		return print_one(this, out, name);
+	}
+	return print_global(this, out);
+}
+
+METHOD(stroke_counter_t, reset, void,
+	private_stroke_counter_t *this, char *name)
+{
+	this->lock->lock(this->lock);
+	if (name)
+	{
+		entry_t *entry;
+
+		entry = this->conns->remove(this->conns, name);
+		if (entry)
+		{
+			destroy_entry(entry);
+		}
+	}
+	else
+	{
+		memset(&this->counter, 0, sizeof(this->counter));
+	}
+	this->lock->unlock(this->lock);
+}
+
 METHOD(stroke_counter_t, destroy, void,
 	private_stroke_counter_t *this)
 {
+	enumerator_t *enumerator;
+	char *name;
+	entry_t *entry;
+
+	enumerator = this->conns->create_enumerator(this->conns);
+	while (enumerator->enumerate(enumerator, &name, &entry))
+	{
+		destroy_entry(entry);
+	}
+	enumerator->destroy(enumerator);
+	this->conns->destroy(this->conns);
 	this->lock->destroy(this->lock);
 	free(this);
 }
@@ -245,8 +452,11 @@ stroke_counter_t *stroke_counter_create()
 				.message = _message_hook,
 			},
 			.print = _print,
+			.reset = _reset,
 			.destroy = _destroy,
 		},
+		.conns = hashtable_create((hashtable_hash_t)hash,
+								  (hashtable_equals_t)equals, 4),
 		.lock = spinlock_create(),
 	);
 
diff --git a/src/libcharon/plugins/stroke/stroke_counter.h b/src/libcharon/plugins/stroke/stroke_counter.h
index efaae0d6f..fecf39f56 100644
--- a/src/libcharon/plugins/stroke/stroke_counter.h
+++ b/src/libcharon/plugins/stroke/stroke_counter.h
@@ -87,8 +87,16 @@ struct stroke_counter_t {
 	 * Print counter values to an output stream.
 	 *
 	 * @param out		output stream to write to
+	 * @param name		connection name to get counters for, NULL for global
 	 */
-	void (*print)(stroke_counter_t *this, FILE *out);
+	void (*print)(stroke_counter_t *this, FILE *out, char *name);
+
+	/**
+	 * Reset global or connection specific counters.
+	 *
+	 * @param name		name of connection counters to reset, NULL for global
+	 */
+	void (*reset)(stroke_counter_t *this, char *name);
 
 	/**
 	 * Destroy a stroke_counter_t.
diff --git a/src/libcharon/plugins/stroke/stroke_cred.c b/src/libcharon/plugins/stroke/stroke_cred.c
index c401bc6f1..eda746f7e 100644
--- a/src/libcharon/plugins/stroke/stroke_cred.c
+++ b/src/libcharon/plugins/stroke/stroke_cred.c
@@ -701,7 +701,7 @@ static shared_key_t* pin_cb(pin_cb_data_t *data, shared_key_type_t type,
 /**
  * Load a smartcard with a PIN
  */
-static bool load_pin(private_stroke_cred_t *this, chunk_t line, int line_nr,
+static bool load_pin(mem_cred_t *secrets, chunk_t line, int line_nr,
 					 FILE *prompt)
 {
 	chunk_t sc = chunk_empty, secret = chunk_empty;
@@ -796,7 +796,7 @@ static bool load_pin(private_stroke_cred_t *this, chunk_t line, int line_nr,
 	if (key)
 	{
 		DBG1(DBG_CFG, "  loaded private key from %.*s", (int)sc.len, sc.ptr);
-		this->creds->add_key(this->creds, key);
+		secrets->add_key(secrets, key);
 	}
 	return TRUE;
 }
@@ -804,7 +804,7 @@ static bool load_pin(private_stroke_cred_t *this, chunk_t line, int line_nr,
 /**
  * Load a private key
  */
-static bool load_private(private_stroke_cred_t *this, chunk_t line, int line_nr,
+static bool load_private(mem_cred_t *secrets, chunk_t line, int line_nr,
 						 FILE *prompt, key_type_t key_type)
 {
 	char path[PATH_MAX];
@@ -894,7 +894,7 @@ static bool load_private(private_stroke_cred_t *this, chunk_t line, int line_nr,
 	{
 		DBG1(DBG_CFG, "  loaded %N private key from '%s'",
 			 key_type_names, key->get_type(key), path);
-		this->creds->add_key(this->creds, key);
+		secrets->add_key(secrets, key);
 	}
 	else
 	{
@@ -906,7 +906,7 @@ static bool load_private(private_stroke_cred_t *this, chunk_t line, int line_nr,
 /**
  * Load a shared key
  */
-static bool load_shared(private_stroke_cred_t *this, chunk_t line, int line_nr,
+static bool load_shared(mem_cred_t *secrets, chunk_t line, int line_nr,
 						shared_key_type_t type, chunk_t ids)
 {
 	shared_key_t *shared_key;
@@ -961,15 +961,15 @@ static bool load_shared(private_stroke_cred_t *this, chunk_t line, int line_nr,
 		owners->insert_last(owners,
 					identification_create_from_encoding(ID_ANY, chunk_empty));
 	}
-	this->creds->add_shared_list(this->creds, shared_key, owners);
+	secrets->add_shared_list(secrets, shared_key, owners);
 	return TRUE;
 }
 
 /**
  * reload ipsec.secrets
  */
-static void load_secrets(private_stroke_cred_t *this, char *file, int level,
-						 FILE *prompt)
+static void load_secrets(private_stroke_cred_t *this, mem_cred_t *secrets,
+						 char *file, int level, FILE *prompt)
 {
 	int line_nr = 0, fd;
 	chunk_t src, line;
@@ -991,6 +991,11 @@ static void load_secrets(private_stroke_cred_t *this, char *file, int level,
 		close(fd);
 		return;
 	}
+	if (sb.st_size == 0)
+	{	/* skip empty files, as mmap() complains */
+		close(fd);
+		return;
+	}
 	addr = mmap(NULL, sb.st_size, PROT_READ | PROT_WRITE, MAP_PRIVATE, fd, 0);
 	if (addr == MAP_FAILED)
 	{
@@ -1000,9 +1005,9 @@ static void load_secrets(private_stroke_cred_t *this, char *file, int level,
 	}
 	src = chunk_create(addr, sb.st_size);
 
-	if (level == 0)
-	{	/* flush secrets on non-recursive invocation */
-		this->creds->clear_secrets(this->creds);
+	if (!secrets)
+	{
+		secrets = mem_cred_create();
 	}
 
 	while (fetchline(&src, &line))
@@ -1072,14 +1077,15 @@ static void load_secrets(private_stroke_cred_t *this, char *file, int level,
 				{
 					for (expanded = buf.gl_pathv; *expanded != NULL; expanded++)
 					{
-						load_secrets(this, *expanded, level + 1, prompt);
+						load_secrets(this, secrets, *expanded, level + 1,
+									 prompt);
 					}
 				}
 				globfree(&buf);
 			}
 #else /* HAVE_GLOB_H */
 			/* if glob(3) is not available, try to load pattern directly */
-			load_secrets(this, pattern, level + 1, prompt);
+			load_secrets(this, secrets, pattern, level + 1, prompt);
 #endif /* HAVE_GLOB_H */
 			continue;
 		}
@@ -1109,7 +1115,7 @@ static void load_secrets(private_stroke_cred_t *this, char *file, int level,
 		}
 		if (match("RSA", &token) || match("ECDSA", &token))
 		{
-			if (!load_private(this, line, line_nr, prompt,
+			if (!load_private(secrets, line, line_nr, prompt,
 							  match("RSA", &token) ? KEY_RSA : KEY_ECDSA))
 			{
 				break;
@@ -1117,7 +1123,7 @@ static void load_secrets(private_stroke_cred_t *this, char *file, int level,
 		}
 		else if (match("PIN", &token))
 		{
-			if (!load_pin(this, line, line_nr, prompt))
+			if (!load_pin(secrets, line, line_nr, prompt))
 			{
 				break;
 			}
@@ -1127,7 +1133,7 @@ static void load_secrets(private_stroke_cred_t *this, char *file, int level,
 				 (match("NTLM", &token) && (type = SHARED_NT_HASH)) ||
 				 (match("XAUTH", &token) && (type = SHARED_EAP)))
 		{
-			if (!load_shared(this, line, line_nr, type, ids))
+			if (!load_shared(secrets, line, line_nr, type, ids))
 			{
 				break;
 			}
@@ -1141,6 +1147,12 @@ static void load_secrets(private_stroke_cred_t *this, char *file, int level,
 	}
 	munmap(addr, sb.st_size);
 	close(fd);
+
+	if (level == 0)
+	{	/* replace secrets in active credential set */
+		this->creds->replace_secrets(this->creds, secrets, FALSE);
+		secrets->destroy(secrets);
+	}
 }
 
 /**
@@ -1175,7 +1187,7 @@ METHOD(stroke_cred_t, reread, void,
 	if (msg->reread.flags & REREAD_SECRETS)
 	{
 		DBG1(DBG_CFG, "rereading secrets");
-		load_secrets(this, SECRETS_FILE, 0, prompt);
+		load_secrets(this, NULL, SECRETS_FILE, 0, prompt);
 	}
 	if (msg->reread.flags & REREAD_CACERTS)
 	{
@@ -1258,8 +1270,7 @@ stroke_cred_t *stroke_cred_create()
 						FALSE, charon->name);
 
 	load_certs(this);
-	load_secrets(this, SECRETS_FILE, 0, NULL);
+	load_secrets(this, NULL, SECRETS_FILE, 0, NULL);
 
 	return &this->public;
 }
-
diff --git a/src/libcharon/plugins/stroke/stroke_list.c b/src/libcharon/plugins/stroke/stroke_list.c
index b3a20a6c7..a2e1c80a5 100644
--- a/src/libcharon/plugins/stroke/stroke_list.c
+++ b/src/libcharon/plugins/stroke/stroke_list.c
@@ -205,7 +205,7 @@ static void log_ike_sa(FILE *out, ike_sa_t *ike_sa, bool all)
 static void log_child_sa(FILE *out, child_sa_t *child_sa, bool all)
 {
 	time_t use_in, use_out, rekey, now;
-	u_int64_t bytes_in, bytes_out;
+	u_int64_t bytes_in, bytes_out, packets_in, packets_out;
 	proposal_t *proposal;
 	child_cfg_t *config = child_sa->get_config(child_sa);
 
@@ -273,18 +273,24 @@ static void log_child_sa(FILE *out, child_sa_t *child_sa, bool all)
 				}
 			}
 
-			child_sa->get_usestats(child_sa, TRUE, &use_in, &bytes_in);
+			child_sa->get_usestats(child_sa, TRUE,
+								   &use_in, &bytes_in, &packets_in);
 			fprintf(out, ", %" PRIu64 " bytes_i", bytes_in);
 			if (use_in)
 			{
-				fprintf(out, " (%" PRIu64 "s ago)", (u_int64_t)(now - use_in));
+				fprintf(out, " (%" PRIu64 " pkt%s, %" PRIu64 "s ago)",
+						packets_in, (packets_in == 1) ? "": "s",
+						(u_int64_t)(now - use_in));
 			}
 
-			child_sa->get_usestats(child_sa, FALSE, &use_out, &bytes_out);
+			child_sa->get_usestats(child_sa, FALSE,
+								   &use_out, &bytes_out, &packets_out);
 			fprintf(out, ", %" PRIu64 " bytes_o", bytes_out);
 			if (use_out)
 			{
-				fprintf(out, " (%" PRIu64 "s ago)", (u_int64_t)(now - use_out));
+				fprintf(out, " (%" PRIu64 " pkt%s, %" PRIu64 "s ago)",
+						packets_out, (packets_out == 1) ? "": "s",
+						(u_int64_t)(now - use_out));
 			}
 			fprintf(out, ", rekeying ");
 
@@ -1242,7 +1248,7 @@ static void list_algs(FILE *out)
 	int len;
 
 	fprintf(out, "\n");
-	fprintf(out, "List of registered IKEv2 Algorithms:\n");
+	fprintf(out, "List of registered IKE algorithms:\n");
 	fprintf(out, "\n  encryption:");
 	len = 13;
 	enumerator = lib->crypto->create_crypter_enumerator(lib->crypto);
@@ -1541,4 +1547,3 @@ stroke_list_t *stroke_list_create(stroke_attribute_t *attribute)
 
 	return &this->public;
 }
-
diff --git a/src/libcharon/plugins/stroke/stroke_socket.c b/src/libcharon/plugins/stroke/stroke_socket.c
index 2771f0146..aa5c73b8b 100644
--- a/src/libcharon/plugins/stroke/stroke_socket.c
+++ b/src/libcharon/plugins/stroke/stroke_socket.c
@@ -388,17 +388,14 @@ static void stroke_status(private_stroke_socket_t *this,
 /**
  * list various information
  */
-static void stroke_list(private_stroke_socket_t *this, stroke_msg_t *msg, FILE *out)
+static void stroke_list(private_stroke_socket_t *this, stroke_msg_t *msg,
+						FILE *out)
 {
 	if (msg->list.flags & LIST_CAINFOS)
 	{
 		this->ca->list(this->ca, msg, out);
 	}
 	this->list->list(this->list, msg, out);
-	if (msg->list.flags & LIST_COUNTERS)
-	{
-		this->counter->print(this->counter, out);
-	}
 }
 
 /**
@@ -504,6 +501,24 @@ static void stroke_user_creds(private_stroke_socket_t *this,
 	this->config->set_user_credentials(this->config, msg, out);
 }
 
+/**
+ * Print stroke counter values
+ */
+static void stroke_counters(private_stroke_socket_t *this,
+							  stroke_msg_t *msg, FILE *out)
+{
+	pop_string(msg, &msg->counters.name);
+
+	if (msg->counters.reset)
+	{
+		this->counter->reset(this->counter, msg->counters.name);
+	}
+	else
+	{
+		this->counter->print(this->counter, out, msg->counters.name);
+	}
+}
+
 /**
  * set the verbosity debug output
  */
@@ -516,11 +531,18 @@ static void stroke_loglevel(private_stroke_socket_t *this,
 	DBG1(DBG_CFG, "received stroke: loglevel %d for %s",
 		 msg->loglevel.level, msg->loglevel.type);
 
-	group = enum_from_name(debug_names, msg->loglevel.type);
-	if ((int)group < 0)
+	if (strcaseeq(msg->loglevel.type, "any"))
 	{
-		fprintf(out, "invalid type (%s)!\n", msg->loglevel.type);
-		return;
+		group = DBG_ANY;
+	}
+	else
+	{
+		group = enum_from_name(debug_names, msg->loglevel.type);
+		if ((int)group < 0)
+		{
+			fprintf(out, "invalid type (%s)!\n", msg->loglevel.type);
+			return;
+		}
 	}
 	charon->set_level(charon, group, msg->loglevel.level);
 }
@@ -665,6 +687,9 @@ static job_requeue_t process(stroke_job_context_t *ctx)
 		case STR_USER_CREDS:
 			stroke_user_creds(this, msg, out);
 			break;
+		case STR_COUNTERS:
+			stroke_counters(this, msg, out);
+			break;
 		default:
 			DBG1(DBG_CFG, "received unknown stroke");
 			break;
@@ -855,4 +880,3 @@ stroke_socket_t *stroke_socket_create()
 
 	return &this->public;
 }
-
diff --git a/src/libcharon/plugins/systime_fix/Makefile.am b/src/libcharon/plugins/systime_fix/Makefile.am
new file mode 100644
index 000000000..a1f843db7
--- /dev/null
+++ b/src/libcharon/plugins/systime_fix/Makefile.am
@@ -0,0 +1,15 @@
+
+INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon
+
+if MONOLITHIC
+noinst_LTLIBRARIES = libstrongswan-systime-fix.la
+else
+plugin_LTLIBRARIES = libstrongswan-systime-fix.la
+endif
+
+libstrongswan_systime_fix_la_SOURCES = \
+	systime_fix_validator.h systime_fix_validator.c \
+	systime_fix_plugin.h systime_fix_plugin.c
+
+libstrongswan_systime_fix_la_LDFLAGS = -module -avoid-version
diff --git a/src/libcharon/plugins/systime_fix/Makefile.in b/src/libcharon/plugins/systime_fix/Makefile.in
new file mode 100644
index 000000000..56dc0b366
--- /dev/null
+++ b/src/libcharon/plugins/systime_fix/Makefile.in
@@ -0,0 +1,658 @@
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
+pkgdatadir = $(datadir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+subdir = src/libcharon/plugins/systime_fix
+DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+	$(top_srcdir)/m4/config/ltoptions.m4 \
+	$(top_srcdir)/m4/config/ltsugar.m4 \
+	$(top_srcdir)/m4/config/ltversion.m4 \
+	$(top_srcdir)/m4/config/lt~obsolete.m4 \
+	$(top_srcdir)/m4/macros/with.m4 \
+	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
+	$(top_srcdir)/configure.in
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+	$(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_HEADER = $(top_builddir)/config.h
+CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+    *) f=$$p;; \
+  esac;
+am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
+am__install_max = 40
+am__nobase_strip_setup = \
+  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
+am__nobase_strip = \
+  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
+am__nobase_list = $(am__nobase_strip_setup); \
+  for p in $$list; do echo "$$p $$p"; done | \
+  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
+  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
+    if (++n[$$2] == $(am__install_max)) \
+      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
+    END { for (dir in files) print dir, files[dir] }'
+am__base_list = \
+  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
+  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
+am__installdirs = "$(DESTDIR)$(plugindir)"
+LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
+libstrongswan_systime_fix_la_LIBADD =
+am_libstrongswan_systime_fix_la_OBJECTS = systime_fix_validator.lo \
+	systime_fix_plugin.lo
+libstrongswan_systime_fix_la_OBJECTS =  \
+	$(am_libstrongswan_systime_fix_la_OBJECTS)
+libstrongswan_systime_fix_la_LINK = $(LIBTOOL) --tag=CC \
+	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
+	$(AM_CFLAGS) $(CFLAGS) $(libstrongswan_systime_fix_la_LDFLAGS) \
+	$(LDFLAGS) -o $@
+@MONOLITHIC_FALSE@am_libstrongswan_systime_fix_la_rpath = -rpath \
+@MONOLITHIC_FALSE@	$(plugindir)
+@MONOLITHIC_TRUE@am_libstrongswan_systime_fix_la_rpath =
+DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
+depcomp = $(SHELL) $(top_srcdir)/depcomp
+am__depfiles_maybe = depfiles
+am__mv = mv -f
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
+	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CCLD = $(CC)
+LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
+	$(LDFLAGS) -o $@
+SOURCES = $(libstrongswan_systime_fix_la_SOURCES)
+DIST_SOURCES = $(libstrongswan_systime_fix_la_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
+ETAGS = etags
+CTAGS = ctags
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
+AMTAR = @AMTAR@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+BFDLIB = @BFDLIB@
+BTLIB = @BTLIB@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
+DSYMUTIL = @DSYMUTIL@
+DUMPBIN = @DUMPBIN@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+FGREP = @FGREP@
+GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
+GREP = @GREP@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LD = @LD@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LIPO = @LIPO@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
+MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
+NM = @NM@
+NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
+PTHREADLIB = @PTHREADLIB@
+RANLIB = @RANLIB@
+RTLIB = @RTLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
+SED = @SED@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
+STRIP = @STRIP@
+VERSION = @VERSION@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+attest_plugins = @attest_plugins@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+c_plugins = @c_plugins@
+charon_natt_port = @charon_natt_port@
+charon_plugins = @charon_plugins@
+charon_udp_port = @charon_udp_port@
+clearsilver_LIBS = @clearsilver_LIBS@
+datadir = @datadir@
+datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
+dev_headers = @dev_headers@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+gtk_CFLAGS = @gtk_CFLAGS@
+gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+imcvdir = @imcvdir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+ipsec_script = @ipsec_script@
+ipsec_script_upper = @ipsec_script_upper@
+ipsecdir = @ipsecdir@
+ipsecgroup = @ipsecgroup@
+ipseclibdir = @ipseclibdir@
+ipsecuser = @ipsecuser@
+libdir = @libdir@
+libexecdir = @libexecdir@
+linux_headers = @linux_headers@
+localedir = @localedir@
+localstatedir = @localstatedir@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
+mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
+mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
+nm_plugins = @nm_plugins@
+oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+pcsclite_CFLAGS = @pcsclite_CFLAGS@
+pcsclite_LIBS = @pcsclite_LIBS@
+pdfdir = @pdfdir@
+piddir = @piddir@
+pki_plugins = @pki_plugins@
+plugindir = @plugindir@
+pool_plugins = @pool_plugins@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+random_device = @random_device@
+resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
+sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
+sharedstatedir = @sharedstatedir@
+soup_CFLAGS = @soup_CFLAGS@
+soup_LIBS = @soup_LIBS@
+srcdir = @srcdir@
+starter_plugins = @starter_plugins@
+strongswan_conf = @strongswan_conf@
+sysconfdir = @sysconfdir@
+systemdsystemunitdir = @systemdsystemunitdir@
+target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+urandom_device = @urandom_device@
+xml_CFLAGS = @xml_CFLAGS@
+xml_LIBS = @xml_LIBS@
+INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon
+
+@MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-systime-fix.la
+@MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-systime-fix.la
+libstrongswan_systime_fix_la_SOURCES = \
+	systime_fix_validator.h systime_fix_validator.c \
+	systime_fix_plugin.h systime_fix_plugin.c
+
+libstrongswan_systime_fix_la_LDFLAGS = -module -avoid-version
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .c .lo .o .obj
+$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
+	@for dep in $?; do \
+	  case '$(am__configure_deps)' in \
+	    *$$dep*) \
+	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+	        && { if test -f $@; then exit 0; else break; fi; }; \
+	      exit 1;; \
+	  esac; \
+	done; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libcharon/plugins/systime_fix/Makefile'; \
+	$(am__cd) $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu src/libcharon/plugins/systime_fix/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+	@case '$?' in \
+	  *config.status*) \
+	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+	  *) \
+	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+	esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure:  $(am__configure_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
+
+clean-noinstLTLIBRARIES:
+	-test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES)
+	@list='$(noinst_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
+	@$(NORMAL_INSTALL)
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	list2=; for p in $$list; do \
+	  if test -f $$p; then \
+	    list2="$$list2 $$p"; \
+	  else :; fi; \
+	done; \
+	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
+	}
+
+uninstall-pluginLTLIBRARIES:
+	@$(NORMAL_UNINSTALL)
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	for p in $$list; do \
+	  $(am__strip_dir) \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \
+	done
+
+clean-pluginLTLIBRARIES:
+	-test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES)
+	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+libstrongswan-systime-fix.la: $(libstrongswan_systime_fix_la_OBJECTS) $(libstrongswan_systime_fix_la_DEPENDENCIES) $(EXTRA_libstrongswan_systime_fix_la_DEPENDENCIES) 
+	$(libstrongswan_systime_fix_la_LINK) $(am_libstrongswan_systime_fix_la_rpath) $(libstrongswan_systime_fix_la_OBJECTS) $(libstrongswan_systime_fix_la_LIBADD) $(LIBS)
+
+mostlyclean-compile:
+	-rm -f *.$(OBJEXT)
+
+distclean-compile:
+	-rm -f *.tab.c
+
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/systime_fix_plugin.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/systime_fix_validator.Plo@am__quote@
+
+.c.o:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+
+.c.obj:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+
+.c.lo:
+@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	mkid -fID $$unique
+tags: TAGS
+
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	set x; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	shift; \
+	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
+	  test -n "$$unique" || unique=$$empty_fix; \
+	  if test $$# -gt 0; then \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      "$$@" $$unique; \
+	  else \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      $$unique; \
+	  fi; \
+	fi
+ctags: CTAGS
+CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	test -z "$(CTAGS_ARGS)$$unique" \
+	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+	     $$unique
+
+GTAGS:
+	here=`$(am__cd) $(top_builddir) && pwd` \
+	  && $(am__cd) $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) "$$here"
+
+distclean-tags:
+	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+distdir: $(DISTFILES)
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
+	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d "$(distdir)/$$file"; then \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
+	  else \
+	    test -f "$(distdir)/$$file" \
+	    || cp -p $$d/$$file "$(distdir)/$$file" \
+	    || exit 1; \
+	  fi; \
+	done
+check-am: all-am
+check: check-am
+all-am: Makefile $(LTLIBRARIES)
+installdirs:
+	for dir in "$(DESTDIR)$(plugindir)"; do \
+	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
+	done
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
+
+maintainer-clean-generic:
+	@echo "This command is intended for maintainers to use"
+	@echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-generic clean-libtool clean-noinstLTLIBRARIES \
+	clean-pluginLTLIBRARIES mostlyclean-am
+
+distclean: distclean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+	distclean-tags
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+html-am:
+
+info: info-am
+
+info-am:
+
+install-data-am: install-pluginLTLIBRARIES
+
+install-dvi: install-dvi-am
+
+install-dvi-am:
+
+install-exec-am:
+
+install-html: install-html-am
+
+install-html-am:
+
+install-info: install-info-am
+
+install-info-am:
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-pdf-am:
+
+install-ps: install-ps-am
+
+install-ps-am:
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+	mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am: uninstall-pluginLTLIBRARIES
+
+.MAKE: install-am install-strip
+
+.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
+	clean-libtool clean-noinstLTLIBRARIES clean-pluginLTLIBRARIES \
+	ctags distclean distclean-compile distclean-generic \
+	distclean-libtool distclean-tags distdir dvi dvi-am html \
+	html-am info info-am install install-am install-data \
+	install-data-am install-dvi install-dvi-am install-exec \
+	install-exec-am install-html install-html-am install-info \
+	install-info-am install-man install-pdf install-pdf-am \
+	install-pluginLTLIBRARIES install-ps install-ps-am \
+	install-strip installcheck installcheck-am installdirs \
+	maintainer-clean maintainer-clean-generic mostlyclean \
+	mostlyclean-compile mostlyclean-generic mostlyclean-libtool \
+	pdf pdf-am ps ps-am tags uninstall uninstall-am \
+	uninstall-pluginLTLIBRARIES
+
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/src/libcharon/plugins/systime_fix/systime_fix_plugin.c b/src/libcharon/plugins/systime_fix/systime_fix_plugin.c
new file mode 100644
index 000000000..7727ba03b
--- /dev/null
+++ b/src/libcharon/plugins/systime_fix/systime_fix_plugin.c
@@ -0,0 +1,256 @@
+/*
+ * Copyright (C) 2013 Martin Willi
+ * Copyright (C) 2013 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "systime_fix_plugin.h"
+#include "systime_fix_validator.h"
+
+#include <daemon.h>
+#include <processing/jobs/callback_job.h>
+#include <processing/jobs/delete_ike_sa_job.h>
+#include <processing/jobs/rekey_ike_sa_job.h>
+
+#include <time.h>
+
+/**
+ * Defining _XOPEN_SOURCE is difficult with libstrongswan includes,
+ * declare function explicitly.
+ */
+char *strptime(const char *s, const char *format, struct tm *tm);
+
+typedef struct private_systime_fix_plugin_t private_systime_fix_plugin_t;
+
+/**
+ * Private data of systime_fix plugin
+ */
+struct private_systime_fix_plugin_t {
+
+	/**
+	 * Implements plugin interface
+	 */
+	systime_fix_plugin_t public;
+
+	/**
+	 * Certificate lifetime validator
+	 */
+	systime_fix_validator_t *validator;
+
+	/**
+	 * Interval we check for a now-valid system time, in seconds. 0 if disabled
+	 */
+	u_int interval;
+
+	/**
+	 * Timestamp where we start considering system time valid
+	 */
+	time_t threshold;
+
+	/**
+	 * Do we trigger reauth or delete when finding expired certificates?
+	 */
+	bool reauth;
+};
+
+METHOD(plugin_t, get_name, char*,
+	private_systime_fix_plugin_t *this)
+{
+	return "systime-fix";
+}
+
+METHOD(plugin_t, destroy, void,
+	private_systime_fix_plugin_t *this)
+{
+	if (this->validator)
+	{
+		lib->credmgr->remove_validator(lib->credmgr, &this->validator->validator);
+		this->validator->destroy(this->validator);
+	}
+	free(this);
+}
+
+/**
+ * Check if all certificates associated to an IKE_SA have valid lifetimes
+ */
+static bool has_invalid_certs(ike_sa_t *ike_sa)
+{
+	enumerator_t *cfgs, *items;
+	certificate_t *cert;
+	auth_rule_t type;
+	auth_cfg_t *auth;
+	time_t not_before, not_after;
+	bool valid = TRUE;
+
+	cfgs = ike_sa->create_auth_cfg_enumerator(ike_sa, FALSE);
+	while (valid && cfgs->enumerate(cfgs, &auth))
+	{
+		items = auth->create_enumerator(auth);
+		while (valid && items->enumerate(items, &type, &cert))
+		{
+			switch (type)
+			{
+				case AUTH_RULE_SUBJECT_CERT:
+				case AUTH_RULE_IM_CERT:
+				case AUTH_RULE_CA_CERT:
+					if (!cert->get_validity(cert, NULL, &not_before, &not_after))
+					{
+						DBG1(DBG_CFG, "certificate '%Y' invalid "
+							"(valid from %T to %T)", cert->get_subject(cert),
+							 &not_before, FALSE, &not_after, FALSE);
+						valid = FALSE;
+					}
+					break;
+				default:
+					break;
+			}
+		}
+		items->destroy(items);
+	}
+	cfgs->destroy(cfgs);
+
+	if (valid)
+	{
+		DBG1(DBG_CFG, "all certificates have valid lifetimes");
+	}
+	return !valid;
+}
+
+/**
+ * Check system time, reevaluate certificates
+ */
+static job_requeue_t check_systime(private_systime_fix_plugin_t *this)
+{
+	enumerator_t *enumerator;
+	ike_sa_t *ike_sa;
+	char *action;
+	job_t *job;
+
+	if (time(NULL) < this->threshold)
+	{
+		DBG2(DBG_CFG, "systime not valid, rechecking in %ds", this->interval);
+		lib->scheduler->schedule_job(lib->scheduler, (job_t*)
+					callback_job_create((callback_job_cb_t)check_systime, this,
+										NULL, NULL), this->interval);
+		return JOB_REQUEUE_NONE;
+	}
+
+	DBG1(DBG_CFG, "system time got valid, rechecking certificates");
+
+	enumerator = charon->ike_sa_manager->create_enumerator(
+												charon->ike_sa_manager, TRUE);
+	while (enumerator->enumerate(enumerator, &ike_sa))
+	{
+		if (has_invalid_certs(ike_sa))
+		{
+			if (this->reauth)
+			{
+				action = "reauthenticating";
+				job = &rekey_ike_sa_job_create(ike_sa->get_id(ike_sa),
+											   TRUE)->job_interface;
+			}
+			else
+			{
+				action = "deleting";
+				job = &delete_ike_sa_job_create(ike_sa->get_id(ike_sa),
+												TRUE)->job_interface;
+			}
+			DBG1(DBG_CFG, "%s[%d] has certificates not valid, %s IKE_SA",
+				 ike_sa->get_name(ike_sa), ike_sa->get_unique_id(ike_sa),
+				 action);
+			lib->processor->queue_job(lib->processor, job);
+		}
+	}
+	enumerator->destroy(enumerator);
+
+	return JOB_REQUEUE_NONE;
+}
+
+/**
+ * Load cert lifetime validator configuration
+ */
+static bool load_validator(private_systime_fix_plugin_t *this)
+{
+	struct tm tm = {
+		.tm_mday = 1,
+	};
+	char *str, *fmt;
+
+	fmt = lib->settings->get_str(lib->settings,
+			"%s.plugins.%s.threshold_format", "%Y", charon->name, get_name(this));
+	str = lib->settings->get_str(lib->settings,
+			"%s.plugins.%s.threshold", NULL, charon->name, get_name(this));
+	if (!str)
+	{
+		DBG1(DBG_CFG, "no threshold configured for %s, disabled",
+			 get_name(this));
+		return FALSE;
+	}
+	if (strptime(str, fmt, &tm) == NULL)
+	{
+		DBG1(DBG_CFG, "threshold for %s invalid, disabled", get_name(this));
+		return FALSE;
+	}
+	this->threshold = mktime(&tm);
+	if (this->threshold == -1)
+	{
+		DBG1(DBG_CFG, "converting threshold for %s failed, disabled",
+			 get_name(this));
+		return FALSE;
+	}
+	if (time(NULL) >= this->threshold)
+	{
+		DBG1(DBG_CFG, "system time looks good, disabling %s", get_name(this));
+		return FALSE;
+	}
+
+	DBG1(DBG_CFG, "enabling %s, threshold: %s", get_name(this), asctime(&tm));
+	this->validator = systime_fix_validator_create(this->threshold);
+	lib->credmgr->add_validator(lib->credmgr, &this->validator->validator);
+
+	return TRUE;
+}
+
+/**
+ * Plugin constructor
+ */
+plugin_t *systime_fix_plugin_create()
+{
+	private_systime_fix_plugin_t *this;
+
+	INIT(this,
+		.public = {
+			.plugin = {
+				.get_name = _get_name,
+				.reload = (void*)return_false,
+				.destroy = _destroy,
+			},
+		},
+		.interval = lib->settings->get_int(lib->settings,
+				"%s.plugins.%s.interval", 0, charon->name, get_name(this)),
+		.reauth = lib->settings->get_bool(lib->settings,
+				"%s.plugins.%s.reauth", FALSE, charon->name, get_name(this)),
+	);
+
+	if (load_validator(this))
+	{
+		if (this->interval != 0)
+		{
+			DBG1(DBG_CFG, "starting systime check, interval: %ds",
+				 this->interval);
+			lib->scheduler->schedule_job(lib->scheduler, (job_t*)
+					callback_job_create((callback_job_cb_t)check_systime, this,
+										NULL, NULL), this->interval);
+		}
+	}
+	return &this->public.plugin;
+}
diff --git a/src/libcharon/plugins/systime_fix/systime_fix_plugin.h b/src/libcharon/plugins/systime_fix/systime_fix_plugin.h
new file mode 100644
index 000000000..402659539
--- /dev/null
+++ b/src/libcharon/plugins/systime_fix/systime_fix_plugin.h
@@ -0,0 +1,42 @@
+/*
+ * Copyright (C) 2013 Martin Willi
+ * Copyright (C) 2013 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup systime_fix systime_fix
+ * @ingroup cplugins
+ *
+ * @defgroup systime_fix_plugin systime_fix_plugin
+ * @{ @ingroup systime_fix
+ */
+
+#ifndef SYSTIME_FIX_PLUGIN_H_
+#define SYSTIME_FIX_PLUGIN_H_
+
+#include <plugins/plugin.h>
+
+typedef struct systime_fix_plugin_t systime_fix_plugin_t;
+
+/**
+ * Plugin handling cert lifetimes gracefully if system time is out of sync.
+ */
+struct systime_fix_plugin_t {
+
+	/**
+	 * Implements plugin interface.
+	 */
+	plugin_t plugin;
+};
+
+#endif /** SYSTIME_FIX_PLUGIN_H_ @}*/
diff --git a/src/libcharon/plugins/systime_fix/systime_fix_validator.c b/src/libcharon/plugins/systime_fix/systime_fix_validator.c
new file mode 100644
index 000000000..340e86cbc
--- /dev/null
+++ b/src/libcharon/plugins/systime_fix/systime_fix_validator.c
@@ -0,0 +1,83 @@
+/*
+ * Copyright (C) 2013 Martin Willi
+ * Copyright (C) 2013 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "systime_fix_validator.h"
+
+#include <errno.h>
+#include <time.h>
+
+#include <daemon.h>
+
+typedef struct private_systime_fix_validator_t private_systime_fix_validator_t;
+
+/**
+ * Private data of an systime_fix_validator_t object.
+ */
+struct private_systime_fix_validator_t {
+
+	/**
+	 * Public systime_fix_validator_t interface.
+	 */
+	systime_fix_validator_t public;
+
+	/**
+	 * Timestamp where we start to consider system time valid
+	 */
+	time_t threshold;
+};
+
+METHOD(cert_validator_t, check_lifetime, status_t,
+	private_systime_fix_validator_t *this, certificate_t *cert,
+	int pathlen, bool anchor, auth_cfg_t *auth)
+{
+	if (time(NULL) < this->threshold)
+	{
+		/* our system time seems to be invalid, accept certificate */
+		if (pathlen)
+		{	/* report only once per validated chain */
+			DBG1(DBG_CFG, "system time out of sync, skipping certificate "
+				 "lifetime check");
+		}
+		return SUCCESS;
+	}
+	/* validate this certificate normally */
+	return NEED_MORE;
+}
+
+METHOD(systime_fix_validator_t, destroy, void,
+	private_systime_fix_validator_t *this)
+{
+	free(this);
+}
+
+/**
+ * See header
+ */
+systime_fix_validator_t *systime_fix_validator_create(time_t threshold)
+{
+	private_systime_fix_validator_t *this;
+
+	INIT(this,
+		.public = {
+			.validator = {
+				.check_lifetime = _check_lifetime,
+			},
+			.destroy = _destroy,
+		},
+		.threshold = threshold,
+	);
+
+	return &this->public;
+}
diff --git a/src/libcharon/plugins/systime_fix/systime_fix_validator.h b/src/libcharon/plugins/systime_fix/systime_fix_validator.h
new file mode 100644
index 000000000..3e651fd91
--- /dev/null
+++ b/src/libcharon/plugins/systime_fix/systime_fix_validator.h
@@ -0,0 +1,49 @@
+/*
+ * Copyright (C) 2013 Martin Willi
+ * Copyright (C) 2013 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup systime_fix_validator systime_fix_validator
+ * @{ @ingroup systime_fix
+ */
+
+#ifndef SYSTIME_FIX_VALIDATOR_H_
+#define SYSTIME_FIX_VALIDATOR_H_
+
+#include <credentials/cert_validator.h>
+
+typedef struct systime_fix_validator_t systime_fix_validator_t;
+
+/**
+ * Validator that accepts cert lifetimes if system time is out of sync.
+ */
+struct systime_fix_validator_t {
+
+	/**
+	 * Implements cert_validator_t interface.
+	 */
+	cert_validator_t validator;
+
+	/**
+	 * Destroy a systime_fix_validator_t.
+	 */
+	void (*destroy)(systime_fix_validator_t *this);
+};
+
+/**
+ * Create a systime_fix_validator instance.
+ */
+systime_fix_validator_t *systime_fix_validator_create();
+
+#endif /** SYSTIME_FIX_VALIDATOR_H_ @}*/
diff --git a/src/libcharon/plugins/tnc_ifmap/Makefile.am b/src/libcharon/plugins/tnc_ifmap/Makefile.am
index b8a57b119..36d9316d7 100644
--- a/src/libcharon/plugins/tnc_ifmap/Makefile.am
+++ b/src/libcharon/plugins/tnc_ifmap/Makefile.am
@@ -1,21 +1,29 @@
 
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
-	-I$(top_srcdir)/src/libcharon ${axis2c_CFLAGS}
+INCLUDES = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libtls \
+	-I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon \
+	${xml_CFLAGS}
 
 AM_CFLAGS = -rdynamic
 
-libstrongswan_tnc_ifmap_la_LIBADD = ${axis2c_LIBS} -laxutil -laxis2_engine -laxis2_http_sender
-
 if MONOLITHIC
 noinst_LTLIBRARIES = libstrongswan-tnc-ifmap.la
 else
 plugin_LTLIBRARIES = libstrongswan-tnc-ifmap.la
 endif
 
+libstrongswan_tnc_ifmap_la_LIBADD = \
+	$(top_builddir)/src/libtls/libtls.la ${xml_LIBS}
+
 libstrongswan_tnc_ifmap_la_SOURCES = \
 	tnc_ifmap_plugin.h tnc_ifmap_plugin.c \
 	tnc_ifmap_listener.h tnc_ifmap_listener.c \
-	tnc_ifmap_soap.h tnc_ifmap_soap.c
+	tnc_ifmap_soap.h tnc_ifmap_soap.c \
+	tnc_ifmap_soap_msg.h tnc_ifmap_soap_msg.c \
+	tnc_ifmap_http.h tnc_ifmap_http.c \
+	tnc_ifmap_renew_session_job.h tnc_ifmap_renew_session_job.c
 
 libstrongswan_tnc_ifmap_la_LDFLAGS = -module -avoid-version
 
diff --git a/src/libcharon/plugins/tnc_ifmap/Makefile.in b/src/libcharon/plugins/tnc_ifmap/Makefile.in
index 6d2802c65..96912c618 100644
--- a/src/libcharon/plugins/tnc_ifmap/Makefile.in
+++ b/src/libcharon/plugins/tnc_ifmap/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.11.3 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
@@ -16,6 +16,23 @@
 @SET_MAKE@
 
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -82,9 +99,11 @@ am__uninstall_files_from_dir = { \
 am__installdirs = "$(DESTDIR)$(plugindir)"
 LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
 am__DEPENDENCIES_1 =
-libstrongswan_tnc_ifmap_la_DEPENDENCIES = $(am__DEPENDENCIES_1)
+libstrongswan_tnc_ifmap_la_DEPENDENCIES =  \
+	$(top_builddir)/src/libtls/libtls.la $(am__DEPENDENCIES_1)
 am_libstrongswan_tnc_ifmap_la_OBJECTS = tnc_ifmap_plugin.lo \
-	tnc_ifmap_listener.lo tnc_ifmap_soap.lo
+	tnc_ifmap_listener.lo tnc_ifmap_soap.lo tnc_ifmap_soap_msg.lo \
+	tnc_ifmap_http.lo tnc_ifmap_renew_session_job.lo
 libstrongswan_tnc_ifmap_la_OBJECTS =  \
 	$(am_libstrongswan_tnc_ifmap_la_OBJECTS)
 libstrongswan_tnc_ifmap_la_LINK = $(LIBTOOL) --tag=CC \
@@ -109,6 +128,11 @@ LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
 	$(LDFLAGS) -o $@
 SOURCES = $(libstrongswan_tnc_ifmap_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_tnc_ifmap_la_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
@@ -125,6 +149,8 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -141,6 +167,7 @@ EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
@@ -209,8 +236,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -266,7 +291,6 @@ nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
@@ -300,17 +324,26 @@ top_srcdir = @top_srcdir@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
-	-I$(top_srcdir)/src/libcharon ${axis2c_CFLAGS}
+INCLUDES = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libtls \
+	-I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon \
+	${xml_CFLAGS}
 
 AM_CFLAGS = -rdynamic
-libstrongswan_tnc_ifmap_la_LIBADD = ${axis2c_LIBS} -laxutil -laxis2_engine -laxis2_http_sender
 @MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-tnc-ifmap.la
 @MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-tnc-ifmap.la
+libstrongswan_tnc_ifmap_la_LIBADD = \
+	$(top_builddir)/src/libtls/libtls.la ${xml_LIBS}
+
 libstrongswan_tnc_ifmap_la_SOURCES = \
 	tnc_ifmap_plugin.h tnc_ifmap_plugin.c \
 	tnc_ifmap_listener.h tnc_ifmap_listener.c \
-	tnc_ifmap_soap.h tnc_ifmap_soap.c
+	tnc_ifmap_soap.h tnc_ifmap_soap.c \
+	tnc_ifmap_soap_msg.h tnc_ifmap_soap_msg.c \
+	tnc_ifmap_http.h tnc_ifmap_http.c \
+	tnc_ifmap_renew_session_job.h tnc_ifmap_renew_session_job.c
 
 libstrongswan_tnc_ifmap_la_LDFLAGS = -module -avoid-version
 all: all-am
@@ -358,7 +391,6 @@ clean-noinstLTLIBRARIES:
 	done
 install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
-	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
 	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
 	list2=; for p in $$list; do \
 	  if test -f $$p; then \
@@ -366,6 +398,8 @@ install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	  else :; fi; \
 	done; \
 	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \
 	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
 	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
 	}
@@ -396,9 +430,12 @@ mostlyclean-compile:
 distclean-compile:
 	-rm -f *.tab.c
 
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tnc_ifmap_http.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tnc_ifmap_listener.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tnc_ifmap_plugin.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tnc_ifmap_renew_session_job.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tnc_ifmap_soap.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tnc_ifmap_soap_msg.Plo@am__quote@
 
 .c.o:
 @am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
diff --git a/src/libcharon/plugins/tnc_ifmap/tnc_ifmap_http.c b/src/libcharon/plugins/tnc_ifmap/tnc_ifmap_http.c
new file mode 100644
index 000000000..9105b7b4d
--- /dev/null
+++ b/src/libcharon/plugins/tnc_ifmap/tnc_ifmap_http.c
@@ -0,0 +1,244 @@
+/*
+ * Copyright (C) 2013 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#define _GNU_SOURCE /* for asprintf() */
+
+#include "tnc_ifmap_http.h"
+
+#include <utils/debug.h>
+#include <utils/lexparser.h>
+
+#include <stdio.h>
+
+typedef struct private_tnc_ifmap_http_t private_tnc_ifmap_http_t;
+
+/**
+ * Private data of an tnc_ifmap_http_t object.
+ */
+struct private_tnc_ifmap_http_t {
+
+	/**
+	 * Public tnc_ifmap_http_t interface.
+	 */
+	tnc_ifmap_http_t public;
+
+	/**
+	 * HTTPS Server URI with https:// prefix removed
+	 */
+	char *uri;
+
+	/**
+	 * Optional base64-encoded username:password for HTTP Basic Authentication
+	 */
+	chunk_t user_pass;
+
+	/**
+	 * HTTP chunked mode
+	 */
+	bool chunked;
+
+};
+
+METHOD(tnc_ifmap_http_t, build, status_t,
+	private_tnc_ifmap_http_t *this, chunk_t *in, chunk_t *out)
+{
+	char *host, *path, *request, auth[128];
+	int len;
+
+	/* Duplicate host[/path] string since we are going to manipulate it */
+	len = strlen(this->uri) + 2;
+	host = malloc(len);
+	memset(host, '\0', len);
+	strcpy(host, this->uri);
+
+	/* Extract appended path or set to root */
+	path = strchr(host, '/');
+	if (!path)
+	{
+		path = host + len - 2;
+		*path = '/';
+	}
+
+	/* Use Basic Authentication? */
+	if (this->user_pass.len)
+	{
+		snprintf(auth, sizeof(auth), "Authorization: Basic %.*s\r\n",
+				 this->user_pass.len, this->user_pass.ptr);
+	}
+	else
+	{
+		*auth = '\0';
+	}
+
+	/* Write HTTP POST request, TODO break up into chunks */
+	len = asprintf(&request,
+			"POST %s HTTP/1.1\r\n"
+			"Host: %.*s\r\n"
+			"%s"
+			"Content-Type: application/soap+xml;charset=utf-8\r\n"
+			"Content-Length: %d\r\n"
+			"\r\n"
+			"%.*s", path, (path-host), host, auth, in->len, in->len, in->ptr);
+	free(host);
+
+	if (len == -1)
+	{
+		return FAILED;
+	}
+	*out = chunk_create(request, len);
+	DBG3(DBG_TLS, "sending HTTP POST request %B", out);
+
+	return SUCCESS;
+}
+
+static bool process_header(chunk_t *in, bool *chunked, u_int *content_len)
+{
+	chunk_t line, version, parameter;
+	int code;
+	u_int len;
+
+	/* Process HTTP protocol version */
+	if (!fetchline(in, &line) || !extract_token(&version, ' ', &line) ||
+		!match("HTTP/1.1", &version) || sscanf(line.ptr, "%d", &code) != 1)
+	{
+		DBG1(DBG_TNC, "malformed http response header");
+		return FALSE;
+	}
+	if (code != 200)
+	{
+		DBG1(DBG_TNC, "http response returns error code %d", code);
+		return FALSE;
+	}	
+
+	*content_len = 0;
+	*chunked = FALSE;
+
+	/* Process HTTP header line by line until the HTTP body is reached */
+	while (fetchline(in, &line))
+	{
+		if (line.len == 0)
+		{
+			break;
+		}
+		if (extract_token(&parameter, ':', &line) && eat_whitespace(&line))
+		{
+			if (match("Content-Length", &parameter))
+			{
+				if (sscanf(line.ptr, "%u", &len) == 1)
+	 			{
+					*content_len = len;
+				}
+			}
+			else if (match("Transfer-Encoding", &parameter) &&
+					 match("chunked", &line))
+			{
+				*chunked = TRUE;
+			}
+		}
+	}
+
+	return TRUE;
+}
+
+METHOD(tnc_ifmap_http_t, process, status_t,
+	private_tnc_ifmap_http_t *this, chunk_t *in, chunk_t *out)
+{
+	u_int len = 0;
+	chunk_t line, out_chunk;
+
+	DBG3(DBG_TLS, "receiving HTTP response %B", in);
+
+	if (!this->chunked)
+	{
+		if (!process_header(in, &this->chunked, &len))
+		{
+			return FAILED;
+		}
+	}
+
+	while (in->len)
+	{
+		if (this->chunked)
+		{
+			if (!fetchline(in, &line) || sscanf(line.ptr, "%x", &len) != 1)
+			{
+				return FAILED;
+			}
+			DBG3(DBG_TLS, "received HTTP response is chunked (%u bytes)", len);
+
+			/* Received last chunk? */
+			if (len == 0)
+			{
+				return SUCCESS;
+			}
+		}
+
+		/* Check size of of remaining HTTP body */
+		if (len > in->len)
+		{
+			DBG1(DBG_TNC, "insufficient data in HTTP body");
+			return FAILED;
+		}
+
+		if (this->chunked)
+		{
+			out_chunk = *in;
+			out_chunk.len = len;
+			*out = chunk_cat("mc", *out, out_chunk); 
+			*in = chunk_skip(*in, len);
+			if (!fetchline(in, &line) || line.len > 0)
+			{
+				return FAILED;
+			}		
+		}
+		else
+		{
+			if (len)
+			{
+				in->len = len;
+			}
+			*out = chunk_clone(*in);
+			return SUCCESS;
+		}
+	}
+	return NEED_MORE;
+}
+
+METHOD(tnc_ifmap_http_t, destroy, void,
+	private_tnc_ifmap_http_t *this)
+{
+	free(this);
+}
+
+/**
+ * See header
+ */
+tnc_ifmap_http_t *tnc_ifmap_http_create(char *uri, chunk_t user_pass)
+{
+	private_tnc_ifmap_http_t *this;
+
+	INIT(this,
+		.public = {
+			.build = _build,
+			.process = _process,
+			.destroy = _destroy,
+		},
+		.uri = uri,
+		.user_pass = user_pass,
+	);
+
+	return &this->public;
+}
+
diff --git a/src/libcharon/plugins/tnc_ifmap/tnc_ifmap_http.h b/src/libcharon/plugins/tnc_ifmap/tnc_ifmap_http.h
new file mode 100644
index 000000000..3d3084744
--- /dev/null
+++ b/src/libcharon/plugins/tnc_ifmap/tnc_ifmap_http.h
@@ -0,0 +1,68 @@
+/*
+ * Copyright (C) 2013 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup tnc_ifmap_http tnc_ifmap_http
+ * @{ @ingroup tnc_ifmap 
+ */
+
+#ifndef TNC_IFMAP_HTTP_H_
+#define TNC_IFMAP_HTTP_H_
+
+#include <library.h>
+#include <tls_socket.h>
+
+#include <libxml/parser.h>
+
+typedef struct tnc_ifmap_http_t tnc_ifmap_http_t;
+
+/**
+ * Interface for building and processing HTTP messages
+ */
+struct tnc_ifmap_http_t {
+
+	/**
+	 * Build a HTTP POST message
+	 *
+	 * @param in			input data
+	 * @param out			HTTP POST request
+	 * @result				status return code
+	 */
+	status_t (*build)(tnc_ifmap_http_t *this, chunk_t *in, chunk_t *out);
+
+	/**
+	 * Receive a HTTP [chunked] response
+	 *
+	 * @param in			[chunked] HTTP response
+	 * @param out			output data
+	 * @result				status return code
+	 */
+	status_t (*process)(tnc_ifmap_http_t *this, chunk_t *in, chunk_t *out);
+
+	/**
+	 * Destroy a tnc_ifmap_http_t object.
+	 */
+	void (*destroy)(tnc_ifmap_http_t *this);
+};
+
+/**
+ * Create a tnc_ifmap_http instance.
+ *
+ * @param uri			HTTPS URI with https:// prefix removed
+ * @param user_pass		Optional username:password for HTTP Basic Authentication
+ */
+tnc_ifmap_http_t *tnc_ifmap_http_create(char *uri, chunk_t user_pass);
+
+#endif /** TNC_IFMAP_HTTP_H_ @}*/
diff --git a/src/libcharon/plugins/tnc_ifmap/tnc_ifmap_listener.c b/src/libcharon/plugins/tnc_ifmap/tnc_ifmap_listener.c
index 9cd1ec381..4b2538e34 100644
--- a/src/libcharon/plugins/tnc_ifmap/tnc_ifmap_listener.c
+++ b/src/libcharon/plugins/tnc_ifmap/tnc_ifmap_listener.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2011 Andreas Steffen
+ * Copyright (C) 2011-2013 Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -15,11 +15,14 @@
 
 #include "tnc_ifmap_listener.h"
 #include "tnc_ifmap_soap.h"
+#include "tnc_ifmap_renew_session_job.h"
 
 #include <daemon.h>
 #include <hydra.h>
 #include <utils/debug.h>
 
+#define IFMAP_RENEW_SESSION_INTERVAL	150
+
 typedef struct private_tnc_ifmap_listener_t private_tnc_ifmap_listener_t;
 
 /**
@@ -117,7 +120,14 @@ METHOD(listener_t, alert, bool,
 METHOD(tnc_ifmap_listener_t, destroy, void,
 	private_tnc_ifmap_listener_t *this)
 {
-	DESTROY_IF(this->ifmap);
+	if (this->ifmap)
+	{
+		if (this->ifmap->get_session_id(this->ifmap))
+		{
+			this->ifmap->endSession(this->ifmap);
+		}
+		this->ifmap->destroy(this->ifmap);
+	}
 	free(this);
 }
 
@@ -127,6 +137,8 @@ METHOD(tnc_ifmap_listener_t, destroy, void,
 tnc_ifmap_listener_t *tnc_ifmap_listener_create(bool reload)
 {
 	private_tnc_ifmap_listener_t *this;
+	job_t *job;
+	u_int32_t reschedule;
 
 	INIT(this,
 		.public = {
@@ -168,6 +180,15 @@ tnc_ifmap_listener_t *tnc_ifmap_listener_create(bool reload)
 		}
 	}
 
+	/* schedule periodic transmission of IF-MAP renewSession request */
+	reschedule =  lib->settings->get_int(lib->settings,
+						"%s.plugins.tnc-ifmap.renew_session_interval",
+						 IFMAP_RENEW_SESSION_INTERVAL, charon->name);
+
+	job = (job_t*)tnc_ifmap_renew_session_job_create(
+						this->ifmap->get_ref(this->ifmap), reschedule);
+	lib->scheduler->schedule_job(lib->scheduler, job, reschedule);
+
 	return &this->public;
 }
 
diff --git a/src/libcharon/plugins/tnc_ifmap/tnc_ifmap_listener.h b/src/libcharon/plugins/tnc_ifmap/tnc_ifmap_listener.h
index 878505b38..4ecccf4df 100644
--- a/src/libcharon/plugins/tnc_ifmap/tnc_ifmap_listener.h
+++ b/src/libcharon/plugins/tnc_ifmap/tnc_ifmap_listener.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2011 Andreas Steffen
+ * Copyright (C) 2011-2013 Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
diff --git a/src/libcharon/plugins/tnc_ifmap/tnc_ifmap_plugin.c b/src/libcharon/plugins/tnc_ifmap/tnc_ifmap_plugin.c
index de4d12e0b..85ad49bd8 100644
--- a/src/libcharon/plugins/tnc_ifmap/tnc_ifmap_plugin.c
+++ b/src/libcharon/plugins/tnc_ifmap/tnc_ifmap_plugin.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2011 Andreas Steffen
+ * Copyright (C) 2011-2013 Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -42,6 +42,46 @@ METHOD(plugin_t, get_name, char*,
 	return "tnc-ifmap";
 }
 
+/**
+ * Register tnc_ifmap plugin features
+ */
+static bool register_tnc_ifmap(private_tnc_ifmap_plugin_t *this,
+								plugin_feature_t *feature, bool reg, void *data)
+{
+	if (reg)
+	{
+		this->listener = tnc_ifmap_listener_create(FALSE);
+		if (!this->listener)
+		{
+			return FALSE;
+		}
+		charon->bus->add_listener(charon->bus, &this->listener->listener);
+	}
+	else
+	{
+		if (this->listener)
+		{
+			charon->bus->remove_listener(charon->bus, &this->listener->listener);
+			this->listener->destroy(this->listener);
+		}
+	}
+	return TRUE;
+}
+
+METHOD(plugin_t, get_features, int,
+	tnc_ifmap_plugin_t *this, plugin_feature_t *features[])
+{
+	static plugin_feature_t f[] = {
+		PLUGIN_CALLBACK((plugin_feature_callback_t)register_tnc_ifmap, NULL),
+			PLUGIN_PROVIDE(CUSTOM, "tnc-ifmap-2.1"),
+				PLUGIN_SDEPEND(CERT_DECODE, CERT_X509),
+				PLUGIN_SDEPEND(PRIVKEY, KEY_RSA),
+				PLUGIN_SDEPEND(CUSTOM, "stroke"),
+	};
+	*features = f;
+	return countof(f);
+}
+
 METHOD(plugin_t, reload, bool,
 	private_tnc_ifmap_plugin_t *this)
 {
@@ -56,19 +96,14 @@ METHOD(plugin_t, reload, bool,
 	{
 		return FALSE;
 	}
-
 	charon->bus->add_listener(charon->bus, &this->listener->listener);
+
 	return TRUE;
 }
 
 METHOD(plugin_t, destroy, void,
 	private_tnc_ifmap_plugin_t *this)
 {
-	if (this->listener)
-	{
-		charon->bus->remove_listener(charon->bus, &this->listener->listener);
-		this->listener->destroy(this->listener);
-	}
 	free(this);
 }
 
@@ -83,17 +118,13 @@ plugin_t *tnc_ifmap_plugin_create()
 		.public = {
 			.plugin = {
 				.get_name = _get_name,
+				.get_features = _get_features,
 				.reload = _reload,
 				.destroy = _destroy,
 			},
 		},
-		.listener = tnc_ifmap_listener_create(FALSE),
 	);
 
-	if (this->listener)
-	{
-		charon->bus->add_listener(charon->bus, &this->listener->listener);
-	}
 	return &this->public.plugin;
 }
 
diff --git a/src/libcharon/plugins/tnc_ifmap/tnc_ifmap_plugin.h b/src/libcharon/plugins/tnc_ifmap/tnc_ifmap_plugin.h
index 8172be7c9..d3bba7f9c 100644
--- a/src/libcharon/plugins/tnc_ifmap/tnc_ifmap_plugin.h
+++ b/src/libcharon/plugins/tnc_ifmap/tnc_ifmap_plugin.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2011 Andreas Steffen
+ * Copyright (C) 2011-2013 Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
diff --git a/src/libcharon/plugins/tnc_ifmap/tnc_ifmap_renew_session_job.c b/src/libcharon/plugins/tnc_ifmap/tnc_ifmap_renew_session_job.c
new file mode 100644
index 000000000..f2c00a528
--- /dev/null
+++ b/src/libcharon/plugins/tnc_ifmap/tnc_ifmap_renew_session_job.c
@@ -0,0 +1,103 @@
+/*
+ * Copyright (C) 2013 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <stdlib.h>
+
+#include "tnc_ifmap_renew_session_job.h"
+
+#include <daemon.h>
+
+
+typedef struct private_tnc_ifmap_renew_session_job_t private_tnc_ifmap_renew_session_job_t;
+
+/**
+ * Private data
+ */
+struct private_tnc_ifmap_renew_session_job_t {
+
+	/**
+	 * public tnc_ifmap_renew_session_job_t interface
+	 */
+	tnc_ifmap_renew_session_job_t public;
+
+	/**
+	 * TNC IF-MAP 2.0 SOAP interface
+	 */
+	tnc_ifmap_soap_t *ifmap;
+
+	/**
+	 * Reschedule time interval in seconds
+	 */
+	u_int32_t reschedule;
+};
+
+METHOD(job_t, destroy, void,
+	private_tnc_ifmap_renew_session_job_t *this)
+{
+	this->ifmap->destroy(this->ifmap);
+	free(this);
+}
+
+METHOD(job_t, execute, job_requeue_t,
+	private_tnc_ifmap_renew_session_job_t *this)
+{
+	char *session_id;
+
+	if (this->ifmap->orphaned(this->ifmap))
+	{
+		session_id = this->ifmap->get_session_id(this->ifmap);
+		DBG2(DBG_TNC, "removing orphaned ifmap renewSession job for '%s'",
+					   session_id);
+		return JOB_REQUEUE_NONE;
+	}
+	else
+	{
+		if (!this->ifmap->renewSession(this->ifmap))
+		{
+			DBG1(DBG_TNC, "sending ifmap renewSession failed");
+			/* TODO take some action */
+		}
+		return JOB_RESCHEDULE(this->reschedule);
+	}
+}
+
+METHOD(job_t, get_priority, job_priority_t,
+	private_tnc_ifmap_renew_session_job_t *this)
+{
+	return JOB_PRIO_MEDIUM;
+}
+
+/*
+ * Described in header
+ */
+tnc_ifmap_renew_session_job_t *tnc_ifmap_renew_session_job_create(
+								tnc_ifmap_soap_t *ifmap, u_int32_t reschedule)
+{
+	private_tnc_ifmap_renew_session_job_t *this;
+
+	INIT(this,
+		.public = {
+			.job_interface = {
+				.execute = _execute,
+				.get_priority = _get_priority,
+				.destroy = _destroy,
+			},
+		},
+		.ifmap = ifmap,
+		.reschedule = reschedule,
+	);
+
+	return &this->public;
+}
diff --git a/src/libcharon/plugins/tnc_ifmap/tnc_ifmap_renew_session_job.h b/src/libcharon/plugins/tnc_ifmap/tnc_ifmap_renew_session_job.h
new file mode 100644
index 000000000..91e8fe404
--- /dev/null
+++ b/src/libcharon/plugins/tnc_ifmap/tnc_ifmap_renew_session_job.h
@@ -0,0 +1,51 @@
+/*
+ * Copyright (C) 2013 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup tnc_ifmap_renew_session_job tnc_ifmap_renew_session_job
+ * @{ @ingroup cjobs
+ */
+
+#ifndef TNC_IFMAP_RENEW_SESSION_JOB_H_
+#define TNC_IFMAP_RENEW_SESSION_JOB_H_
+
+typedef struct tnc_ifmap_renew_session_job_t tnc_ifmap_renew_session_job_t;
+
+#include "tnc_ifmap_soap.h"
+
+#include <library.h>
+#include <processing/jobs/job.h>
+
+/**
+ * Job periodically sending an IF-MAP RenewSession request.
+ */
+struct tnc_ifmap_renew_session_job_t {
+
+	/**
+	 * implements job_t interface
+	 */
+	job_t job_interface;
+};
+
+/**
+ * Creates an tnc_ifmap_renew_session job.
+ *
+ * @param ifmap		TNC IF-MAP object
+ * @param reschedule	reschedule time in seconds
+ */
+tnc_ifmap_renew_session_job_t *tnc_ifmap_renew_session_job_create(
+								tnc_ifmap_soap_t *ifmap, u_int32_t reschedule);
+
+#endif /** TNC_IFMAP_RENEW_SESSION_JOB_H_ @}*/
diff --git a/src/libcharon/plugins/tnc_ifmap/tnc_ifmap_soap.c b/src/libcharon/plugins/tnc_ifmap/tnc_ifmap_soap.c
index 33480bb85..8d5da5812 100644
--- a/src/libcharon/plugins/tnc_ifmap/tnc_ifmap_soap.c
+++ b/src/libcharon/plugins/tnc_ifmap/tnc_ifmap_soap.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2011 Andreas Steffen
+ * Copyright (C) 2011-2013 Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -14,20 +14,23 @@
  */
 
 #include "tnc_ifmap_soap.h"
+#include "tnc_ifmap_soap_msg.h"
 
 #include <utils/debug.h>
+#include <credentials/sets/mem_cred.h>
 #include <daemon.h>
 
-#include <axis2_util.h>
-#include <axis2_client.h>
-#include <axis2_http_transport.h>
-#include <axis2_http_transport_sender.h>
-#include <axiom_soap.h>
+#include <tls_socket.h>
 
-#define IFMAP_NS	  "http://www.trustedcomputinggroup.org/2010/IFMAP/2"
-#define IFMAP_META_NS "http://www.trustedcomputinggroup.org/2010/IFMAP-METADATA/2"
-#define IFMAP_LOGFILE "strongswan_ifmap.log"
-#define IFMAP_SERVER  "https://localhost:8443/"
+#include <errno.h>
+#include <unistd.h>
+#include <sys/types.h>
+#include <sys/socket.h>
+
+#define IFMAP_NS		"http://www.trustedcomputinggroup.org/2010/IFMAP/2"
+#define IFMAP_META_NS	"http://www.trustedcomputinggroup.org/2010/IFMAP-METADATA/2"
+#define IFMAP_URI		"https://localhost:8444/imap"
+#define IFMAP_NO_FD		-1
 
 typedef struct private_tnc_ifmap_soap_t private_tnc_ifmap_soap_t;
 
@@ -42,116 +45,91 @@ struct private_tnc_ifmap_soap_t {
 	tnc_ifmap_soap_t public;
 
 	/**
-	 * Axis2/C environment
+	 * SOAP Session ID
 	 */
-	axutil_env_t *env;
+	xmlChar *session_id;
 
 	/**
-	 * Axis2 service client
+	 * IF-MAP Publisher ID
 	 */
-	axis2_svc_client_t* svc_client;
+	xmlChar *ifmap_publisher_id;
 
 	/**
-	 * SOAP Session ID
+	 * IF-MAP namespace
 	 */
-	char *session_id;
+	xmlNsPtr ns;
 
 	/**
-	 * IF-MAP Publisher ID
+	 * IF-MAP metadata namespace
 	 */
-	char *ifmap_publisher_id;
+	xmlNsPtr ns_meta;
 
 	/**
 	 * PEP and PDP device name
 	 */
 	char *device_name;
 
-};
-
-/**
- * Send request and receive result via SOAP
- */
-static axiom_element_t* send_receive(private_tnc_ifmap_soap_t *this,
-									 char *request_qname, axiom_node_t *request,
-									 char *receipt_qname, axiom_node_t **result)
-
-{
-    axiom_node_t *parent, *node;
-    axiom_element_t *parent_el, *el;
-	axutil_qname_t *qname;
+	/**
+	 * HTTPS Server URI with https:// prefix removed
+	 */
+	char *uri;
 
-	/* send request and receive result */
-	DBG2(DBG_TNC, "sending  ifmap %s", request_qname);
+	/**
+	 * Optional base64-encoded username:password for HTTP Basic Authentication
+	 */
+	chunk_t user_pass;
 
-	parent = axis2_svc_client_send_receive(this->svc_client, this->env, request);
-	if (!parent)
-	{
-		DBG1(DBG_TNC, "no ifmap %s received from MAP server", receipt_qname);
-		return NULL;
-	}
-	DBG2(DBG_TNC, "received ifmap %s", receipt_qname);
+	/**
+	 * IF-MAP Server (IP address and port)
+	 */
+	host_t *host;
 
-	/* extract the parent element */
-	parent_el = (axiom_element_t*)axiom_node_get_data_element(parent, this->env);
+	/**
+	 * TLS socket
+	 */
+	tls_socket_t *tls;
 
-	/* look for a child node with the given receipt qname */
-	qname = axutil_qname_create_from_string(this->env, strdup(receipt_qname));
-	el = axiom_element_get_first_child_with_qname(parent_el, this->env, qname,
-												  parent, &node);
-	axutil_qname_free(qname, this->env);
+	/**
+	 * File descriptor for secure TCP socket
+	 */
+	int fd;
 
-	if (el)
-	{
-		if (result)
-		{
-			*result = parent;
-		}
-		else
-		{
-			/* no further processing requested */
-			axiom_node_free_tree(parent, this->env);
-		}
-		return el;
-	}
-	DBG1(DBG_TNC, "child node with qname '%s' not found", receipt_qname);
+	/**
+	 * In memory credential set
+	 */
+	mem_cred_t *creds;
 
-	/* free parent in the error case */
-	axiom_node_free_tree(parent, this->env);
+	/**
+	 * reference count
+	 */
+	refcount_t ref;
 
-	return NULL;
-}
+};
 
 METHOD(tnc_ifmap_soap_t, newSession, bool,
 	private_tnc_ifmap_soap_t *this)
 {
-    axiom_node_t *request, *result;
-    axiom_element_t *el;
-	axiom_namespace_t *ns;
-	axis2_char_t *value;
-
+	tnc_ifmap_soap_msg_t *soap_msg;
+	xmlNodePtr request, result;
 
-	/* build newSession request */
-    ns = axiom_namespace_create(this->env, IFMAP_NS, "ifmap");
-    el = axiom_element_create(this->env, NULL, "newSession", ns, &request);
+	/*build newSession request */
+	request = xmlNewNode(NULL, "newSession");
+	this->ns = xmlNewNs(request, IFMAP_NS, "ifmap");
+	xmlSetNs(request, this->ns);
 
-	/* send newSession request and receive newSessionResult */
-	el = send_receive(this, "newSession", request, "newSessionResult", &result);
-	if (!el)
+	soap_msg = tnc_ifmap_soap_msg_create(this->uri, this->user_pass, this->tls);
+	if (!soap_msg->post(soap_msg, request, "newSessionResult", &result))
 	{
+		soap_msg->destroy(soap_msg);
 		return FALSE;
 	}
 
-	/* get session-id */
-	value = axiom_element_get_attribute_value_by_name(el, this->env,
-								 "session-id");
-	this->session_id = strdup(value);
-
-	/* get ifmap-publisher-id */
-	value = axiom_element_get_attribute_value_by_name(el, this->env,
-								 "ifmap-publisher-id");
-	this->ifmap_publisher_id = strdup(value);
+	/* get session-id and ifmap-publisher-id properties */
+	this->session_id = xmlGetProp(result, "session-id");
+	this->ifmap_publisher_id = xmlGetProp(result, "ifmap-publisher-id");
+	soap_msg->destroy(soap_msg);
 
-	DBG1(DBG_TNC, "session-id: %s, ifmap-publisher-id: %s",
+	DBG1(DBG_TNC, "created ifmap session '%s' as publisher '%s'",
 				   this->session_id, this->ifmap_publisher_id);
 
 	/* set PEP and PDP device name (defaults to IF-MAP Publisher ID) */
@@ -160,51 +138,63 @@ METHOD(tnc_ifmap_soap_t, newSession, bool,
 									 this->ifmap_publisher_id, charon->name);
 	this->device_name = strdup(this->device_name);
 
-	/* free result */
-	axiom_node_free_tree(result, this->env);
-
     return this->session_id && this->ifmap_publisher_id;
 }
 
+METHOD(tnc_ifmap_soap_t, renewSession, bool,
+	private_tnc_ifmap_soap_t *this)
+{
+	tnc_ifmap_soap_msg_t *soap_msg;
+	xmlNodePtr request;
+	bool success;
+
+	/* build renewSession request */
+	request = xmlNewNode(NULL, "renewSession");
+	this->ns = xmlNewNs(request, IFMAP_NS, "ifmap");
+	xmlSetNs(request, this->ns);
+	xmlNewProp(request, "session-id", this->session_id);
+
+	soap_msg = tnc_ifmap_soap_msg_create(this->uri, this->user_pass, this->tls);
+	success = soap_msg->post(soap_msg, request, "renewSessionResult", NULL);
+	soap_msg->destroy(soap_msg);
+
+	return success;
+}
+
 METHOD(tnc_ifmap_soap_t, purgePublisher, bool,
 	private_tnc_ifmap_soap_t *this)
 {
-	axiom_node_t *request;
-	axiom_element_t *el;
-	axiom_namespace_t *ns;
-	axiom_attribute_t *attr;
+	tnc_ifmap_soap_msg_t *soap_msg;
+	xmlNodePtr request;
+	bool success;
 
 	/* build purgePublisher request */
-	ns = axiom_namespace_create(this->env, IFMAP_NS, "ifmap");
-	el = axiom_element_create(this->env, NULL, "purgePublisher", ns, &request);
-	attr = axiom_attribute_create(this->env, "session-id",
-								  this->session_id, NULL);
-	axiom_element_add_attribute(el, this->env, attr, request);
-	attr = axiom_attribute_create(this->env, "ifmap-publisher-id",
-								  this->ifmap_publisher_id, NULL);
-	axiom_element_add_attribute(el, this->env, attr, request);
-
-	/* send purgePublisher request and receive purgePublisherReceived */
-	return send_receive(this, "purgePublisher", request,
-							  "purgePublisherReceived", NULL);
+	request = xmlNewNode(NULL, "purgePublisher");
+	this->ns = xmlNewNs(request, IFMAP_NS, "ifmap");
+	xmlSetNs(request, this->ns);
+	xmlNewProp(request, "session-id", this->session_id);
+	xmlNewProp(request, "ifmap-publisher-id", this->ifmap_publisher_id);
+
+	soap_msg = tnc_ifmap_soap_msg_create(this->uri, this->user_pass, this->tls);
+	success = soap_msg->post(soap_msg, request, "purgePublisherReceived", NULL);
+	soap_msg->destroy(soap_msg);
+
+	return success;
 }
 
 /**
  * Create an access-request based on device_name and ike_sa_id
  */
-static axiom_node_t* create_access_request(private_tnc_ifmap_soap_t *this,
-										   u_int32_t id)
+static xmlNodePtr create_access_request(private_tnc_ifmap_soap_t *this,
+										u_int32_t id)
 {
-	axiom_element_t *el;
-	axiom_node_t *node;
-	axiom_attribute_t *attr;
+	xmlNodePtr node;
 	char buf[BUF_LEN];
 
-	el = axiom_element_create(this->env, NULL, "access-request", NULL, &node);
+	node = xmlNewNode(NULL, "access-request");
 
 	snprintf(buf, BUF_LEN, "%s:%d", this->device_name, id);
-	attr = axiom_attribute_create(this->env, "name", buf, NULL);
-	axiom_element_add_attribute(el, this->env, attr, node);
+	xmlNewProp(node, "name", buf);
 
 	return node;
 }
@@ -212,27 +202,22 @@ static axiom_node_t* create_access_request(private_tnc_ifmap_soap_t *this,
 /**
  * Create an identity
  */
-static axiom_node_t* create_identity(private_tnc_ifmap_soap_t *this,
-									 identification_t *id, bool is_user)
+static xmlNodePtr create_identity(private_tnc_ifmap_soap_t *this,
+								  identification_t *id, bool is_user)
 {
-	axiom_element_t *el;
-	axiom_node_t *node;
-	axiom_attribute_t *attr;
+	xmlNodePtr node;
 	char buf[BUF_LEN], *id_type;
 
-	el = axiom_element_create(this->env, NULL, "identity", NULL, &node);
+	node = xmlNewNode(NULL, "identity");
 
 	snprintf(buf, BUF_LEN, "%Y", id);
-	attr = axiom_attribute_create(this->env, "name", buf, NULL);
-	axiom_element_add_attribute(el, this->env, attr, node);
+	xmlNewProp(node, "name", buf);
 
 	switch (id->get_type(id))
 	{
 		case ID_IPV4_ADDR:
 			id_type = "other";
-			attr = axiom_attribute_create(this->env, "other-type-definition",
-										  "36906:ipv4-address", NULL);
-			axiom_element_add_attribute(el, this->env, attr, node);
+			xmlNewProp(node, "other-type-definition", "36906:ipv4-address");
 			break;
 		case ID_FQDN:
 			id_type = is_user ? "username" : "dns-name";
@@ -242,27 +227,93 @@ static axiom_node_t* create_identity(private_tnc_ifmap_soap_t *this,
 			break;
 		case ID_IPV6_ADDR:
 			id_type = "other";
-			attr = axiom_attribute_create(this->env, "other-type-definition",
-										  "36906:ipv6-address", NULL);
-			axiom_element_add_attribute(el, this->env, attr, node);
+			xmlNewProp(node, "other-type-definition", "36906:ipv6-address");
 			break;
 		case ID_DER_ASN1_DN:
 			id_type = "distinguished-name";
 			break;
 		case ID_KEY_ID:
 			id_type = "other";
-			attr = axiom_attribute_create(this->env, "other-type-definition",
-										  "36906:key-id", NULL);
-			axiom_element_add_attribute(el, this->env, attr, node);
+			xmlNewProp(node, "other-type-definition", "36906:key-id");
 			break;
 		default:
 			id_type = "other";
-			attr = axiom_attribute_create(this->env, "other-type-definition",
-										  "36906:other", NULL);
-			axiom_element_add_attribute(el, this->env, attr, node);
+			xmlNewProp(node, "other-type-definition", "36906:other");
 	}
-	attr = axiom_attribute_create(this->env, "type", id_type, NULL);
-	axiom_element_add_attribute(el, this->env, attr, node);
+	xmlNewProp(node, "type", id_type);
+
+	return node;
+}
+
+/**
+ * Create enforcement-report metadata
+ */
+static xmlNodePtr create_enforcement_report(private_tnc_ifmap_soap_t *this,
+											xmlChar *action, xmlChar *reason)
+{
+	xmlNodePtr node, node2, node3;
+
+	node = xmlNewNode(NULL, "metadata");
+	node2 = xmlNewNode(this->ns_meta, "enforcement-report");
+	xmlAddChild(node, node2);
+	xmlNewProp(node2, "ifmap-cardinality", "multiValue");
+
+	node3 = xmlNewNode(NULL, "enforcement-action");
+	xmlAddChild(node2, node3);
+	xmlNodeAddContent(node3, action);
+
+	node3 = xmlNewNode(NULL, "enforcement-reason");
+	xmlAddChild(node2, node3);
+	xmlNodeAddContent(node3, reason);
+
+    return node;
+}
+
+/**
+ * Create delete filter
+ */
+static xmlNodePtr create_delete_filter(private_tnc_ifmap_soap_t *this,
+									   char *metadata)
+{
+	xmlNodePtr node;
+	char buf[BUF_LEN];
+
+	node = xmlNewNode(NULL, "delete");
+
+	snprintf(buf, BUF_LEN, "meta:%s[@ifmap-publisher-id='%s']",
+			 metadata, this->ifmap_publisher_id);
+	xmlNewProp(node, "filter", buf);
+
+	return node;
+}
+
+/**
+ * Create a publish request
+ */
+static xmlNodePtr create_publish_request(private_tnc_ifmap_soap_t *this)
+{
+	xmlNodePtr request;
+
+	request = xmlNewNode(NULL, "publish");
+	this->ns = xmlNewNs(request, IFMAP_NS, "ifmap");
+	xmlSetNs(request, this->ns);
+	this->ns_meta = xmlNewNs(request, IFMAP_META_NS, "meta");
+	xmlNewProp(request, "session-id", this->session_id);
+
+	return request;
+}
+
+/**
+ * Create a device
+ */
+static xmlNodePtr create_device(private_tnc_ifmap_soap_t *this)
+{
+	xmlNodePtr node, node2;
+
+	node = xmlNewNode(NULL, "device");
+	node2 = xmlNewNode(NULL, "name");
+	xmlAddChild(node, node2);
+	xmlNodeAddContent(node2, this->device_name);
 
 	return node;
 }
@@ -270,15 +321,13 @@ static axiom_node_t* create_identity(private_tnc_ifmap_soap_t *this,
 /**
  * Create an ip-address
  */
-static axiom_node_t* create_ip_address(private_tnc_ifmap_soap_t *this,
-									   host_t *host)
+static xmlNodePtr create_ip_address(private_tnc_ifmap_soap_t *this,
+									host_t *host)
 {
-	axiom_element_t *el;
-	axiom_node_t *node;
-	axiom_attribute_t *attr;
+	xmlNodePtr node;
 	char buf[BUF_LEN];
 
-	el = axiom_element_create(this->env, NULL, "ip-address", NULL, &node);
+	node = xmlNewNode(NULL, "ip-address");
 
 	if (host->get_family(host) == AF_INET6)
 	{
@@ -309,29 +358,9 @@ static axiom_node_t* create_ip_address(private_tnc_ifmap_soap_t *this,
 	{
 		snprintf(buf, BUF_LEN, "%H", host);
 	}
-	attr = axiom_attribute_create(this->env, "value", buf, NULL);
-	axiom_element_add_attribute(el, this->env, attr, node);
-
-	attr = axiom_attribute_create(this->env, "type",
-				 host->get_family(host) == AF_INET ? "IPv4" : "IPv6", NULL);
-	axiom_element_add_attribute(el, this->env, attr, node);
-
-	return node;
-}
-
-/**
- * Create a device
- */
-static axiom_node_t* create_device(private_tnc_ifmap_soap_t *this)
-{
-	axiom_element_t *el;
-	axiom_node_t *node, *node2, *node3;
-	axiom_text_t *text;
 
-	el = axiom_element_create(this->env, NULL, "device", NULL, &node);
-	el = axiom_element_create(this->env, NULL, "name", NULL, &node2);
-	axiom_node_add_child(node, this->env, node2);
-	text = axiom_text_create(this->env, node2, this->device_name, &node3);
+	xmlNewProp(node, "value", buf);
+	xmlNewProp(node, "type", host->get_family(host) == AF_INET ? "IPv4" : "IPv6");
 
 	return node;
 }
@@ -339,22 +368,15 @@ static axiom_node_t* create_device(private_tnc_ifmap_soap_t *this)
 /**
  * Create metadata
  */
-static axiom_node_t* create_metadata(private_tnc_ifmap_soap_t *this,
-									 char *metadata)
+static xmlNodePtr create_metadata(private_tnc_ifmap_soap_t *this,
+								  xmlChar *metadata)
 {
-	axiom_element_t *el;
-	axiom_node_t *node, *node2;
-	axiom_attribute_t *attr;
-	axiom_namespace_t *ns_meta;
-
-	el = axiom_element_create(this->env, NULL, "metadata", NULL, &node);
-	ns_meta = axiom_namespace_create(this->env, IFMAP_META_NS, "meta");
+	xmlNodePtr node, node2;
 
-	el = axiom_element_create(this->env, NULL, metadata, ns_meta, &node2);
-	axiom_node_add_child(node, this->env, node2);
-	attr = axiom_attribute_create(this->env, "ifmap-cardinality", "singleValue",
-								  NULL);
-	axiom_element_add_attribute(el, this->env, attr, node2);
+	node = xmlNewNode(NULL, "metadata");
+	node2 = xmlNewNode(this->ns_meta, metadata);
+	xmlAddChild(node, node2);
+	xmlNewProp(node2, "ifmap-cardinality", "singleValue");
 
 	return node;
 }
@@ -362,130 +384,45 @@ static axiom_node_t* create_metadata(private_tnc_ifmap_soap_t *this,
 /**
  * Create capability metadata
  */
-static axiom_node_t* create_capability(private_tnc_ifmap_soap_t *this,
-									   identification_t *name)
+static xmlNodePtr create_capability(private_tnc_ifmap_soap_t *this,
+									identification_t *name)
 {
-	axiom_element_t *el;
-	axiom_node_t *node, *node2, *node3;
-	axiom_namespace_t *ns_meta;
-	axiom_attribute_t *attr;
-	axiom_text_t *text;
+	xmlNodePtr node, node2;
 	char buf[BUF_LEN];
 
-	ns_meta = axiom_namespace_create(this->env, IFMAP_META_NS, "meta");
-	el = axiom_element_create(this->env, NULL, "capability", ns_meta, &node);
-	attr = axiom_attribute_create(this->env, "ifmap-cardinality", "multiValue",
-								  NULL);
-	axiom_element_add_attribute(el, this->env, attr, node);
+	node = xmlNewNode(this->ns_meta, "capability");
+	xmlNewProp(node, "ifmap-cardinality", "multiValue");
 
-	el = axiom_element_create(this->env, NULL, "name", NULL, &node2);
-	axiom_node_add_child(node, this->env, node2);
+	node2 = xmlNewNode(NULL, "name");
+	xmlAddChild(node, node2);
 	snprintf(buf, BUF_LEN, "%Y", name);
-	text = axiom_text_create(this->env, node2, buf, &node3);
+	xmlNodeAddContent(node2, buf);
 
-	el = axiom_element_create(this->env, NULL, "administrative-domain", NULL, &node2);
-	axiom_node_add_child(node, this->env, node2);
-	text = axiom_text_create(this->env, node2, "strongswan", &node3);
+	node2 = xmlNewNode(NULL, "administrative-domain");
+	xmlAddChild(node, node2);
+	xmlNodeAddContent(node2, "strongswan");
 
 	return node;
 }
 
-/**
- * Create enforcement-report metadata
- */
-static axiom_node_t* create_enforcement_report(private_tnc_ifmap_soap_t *this,
-											   char *action, char *reason)
-{
-	axiom_element_t *el;
-	axiom_node_t *node, *node2, *node3, *node4;
-	axiom_namespace_t *ns_meta;
-	axiom_attribute_t *attr;
-	axiom_text_t *text;
-
-	el = axiom_element_create(this->env, NULL, "metadata", NULL, &node);
-
-	ns_meta = axiom_namespace_create(this->env, IFMAP_META_NS, "meta");
-	el = axiom_element_create(this->env, NULL, "enforcement-report", ns_meta,
-							  &node2);
-	attr = axiom_attribute_create(this->env, "ifmap-cardinality",
-								  "multiValue", NULL);
-	axiom_element_add_attribute(el, this->env, attr, node2);
-	axiom_node_add_child(node, this->env, node2);
-
-	el = axiom_element_create(this->env, NULL, "enforcement-action", NULL,
-							  &node3);
-	axiom_node_add_child(node2, this->env, node3);
-	text = axiom_text_create(this->env, node3, action, &node4);
-
-	el = axiom_element_create(this->env, NULL, "enforcement-reason", NULL,
-							  &node3);
-	axiom_node_add_child(node2, this->env, node3);
-	text = axiom_text_create(this->env, node3, reason, &node4);
-
-    return node;
-}
-
-/**
- * Create delete filter
- */
-static axiom_node_t* create_delete_filter(private_tnc_ifmap_soap_t *this,
-										  char *metadata)
-{
-	axiom_element_t *el;
-	axiom_node_t *node;
-	axiom_attribute_t *attr;
-	char buf[BUF_LEN];
-
-	el = axiom_element_create(this->env, NULL, "delete", NULL, &node);
-
-	snprintf(buf, BUF_LEN, "meta:%s[@ifmap-publisher-id='%s']",
-			 metadata, this->ifmap_publisher_id);
-	attr = axiom_attribute_create(this->env, "filter", buf, NULL);
-	axiom_element_add_attribute(el, this->env, attr, node);
-
-	return node;
-}
-
-/**
- * Create a publish request
- */
-static axiom_node_t* create_publish_request(private_tnc_ifmap_soap_t *this)
-{
-	axiom_element_t *el;
-	axiom_node_t *request;
-	axiom_namespace_t *ns, *ns_meta;
-	axiom_attribute_t *attr;
-
-	ns = axiom_namespace_create(this->env, IFMAP_NS, "ifmap");
-	el = axiom_element_create(this->env, NULL, "publish", ns, &request);
-	ns_meta = axiom_namespace_create(this->env, IFMAP_META_NS, "meta");
-	axiom_element_declare_namespace(el, this->env, request, ns_meta);
-	attr = axiom_attribute_create(this->env, "session-id", this->session_id,
-								  NULL);
-	axiom_element_add_attribute(el, this->env, attr, request);
-
-	return request;
-}
-
 METHOD(tnc_ifmap_soap_t, publish_ike_sa, bool,
 	private_tnc_ifmap_soap_t *this, ike_sa_t *ike_sa, bool up)
 {
-	axiom_node_t *request, *node, *node2;
-	axiom_element_t *el;
-
+	tnc_ifmap_soap_msg_t *soap_msg;
+	xmlNodePtr request, node, node2 = NULL;
 	enumerator_t *e1, *e2;
 	auth_rule_t type;
 	identification_t *id, *eap_id, *group;
 	host_t *host;
 	auth_cfg_t *auth;
 	u_int32_t ike_sa_id;
-	bool is_user = FALSE, first = TRUE;
+	bool is_user = FALSE, first = TRUE, success;
 
 	/* extract relevant data from IKE_SA*/
 	ike_sa_id = ike_sa->get_unique_id(ike_sa);
+	host = ike_sa->get_other_host(ike_sa);
 	id = ike_sa->get_other_id(ike_sa);
 	eap_id = ike_sa->get_other_eap_id(ike_sa);
-	host = ike_sa->get_other_host(ike_sa);
 
 	/* in the presence of an EAP Identity, treat it as a username */
 	if (!id->equals(id, eap_id))
@@ -501,11 +438,9 @@ METHOD(tnc_ifmap_soap_t, publish_ike_sa, bool,
 	if (up)
 	{
 		node = create_delete_filter(this, "enforcement-report");
-		axiom_node_add_child(request, this->env, node);
-		axiom_node_add_child(node, this->env,
-							 create_ip_address(this, host));
-		axiom_node_add_child(node, this->env,
-							 create_device(this));
+		xmlAddChild(request, node);
+		xmlAddChild(node, create_ip_address(this, host));
+		xmlAddChild(node, create_device(this));
 	}
 
 	/**
@@ -513,47 +448,41 @@ METHOD(tnc_ifmap_soap_t, publish_ike_sa, bool,
 	 */
 	if (up)
 	{
-		el = axiom_element_create(this->env, NULL, "update", NULL, &node);
+		node = xmlNewNode(NULL, "update");
 	}
 	else
 	{
 		node = create_delete_filter(this, "authenticated-as");
 	}
-	axiom_node_add_child(request, this->env, node);
+	xmlAddChild(request, node);
 
 	/* add access-request, identity and [if up] metadata */
-	axiom_node_add_child(node, this->env,
-							 create_access_request(this, ike_sa_id));
-	axiom_node_add_child(node, this->env,
-							 create_identity(this, id, is_user));
+	xmlAddChild(node, create_access_request(this, ike_sa_id));
+	xmlAddChild(node, create_identity(this, id, is_user));
 	if (up)
 	{
-		axiom_node_add_child(node, this->env,
-							 create_metadata(this, "authenticated-as"));
+		xmlAddChild(node, create_metadata(this, "authenticated-as"));
 	}
 
 	/**
-	 * update or delete access-request-ip metadata
+	 * update or delete access-request-ip metadata for physical IP address
 	 */
 	if (up)
 	{
-		el = axiom_element_create(this->env, NULL, "update", NULL, &node);
+		node = xmlNewNode(NULL, "update");
 	}
 	else
 	{
 		node = create_delete_filter(this, "access-request-ip");
 	}
-	axiom_node_add_child(request, this->env, node);
+	xmlAddChild(request, node);
 
 	/* add access-request, ip-address and [if up] metadata */
-	axiom_node_add_child(node, this->env,
-							 create_access_request(this, ike_sa_id));
-	axiom_node_add_child(node, this->env,
-							 create_ip_address(this, host));
+	xmlAddChild(node, create_access_request(this, ike_sa_id));
+	xmlAddChild(node, create_ip_address(this, host));
 	if (up)
 	{
-		axiom_node_add_child(node, this->env,
-							 create_metadata(this, "access-request-ip"));
+		xmlAddChild(node, create_metadata(this, "access-request-ip"));
 	}
 
 	/**
@@ -561,23 +490,20 @@ METHOD(tnc_ifmap_soap_t, publish_ike_sa, bool,
 	 */
 	if (up)
 	{
-		el = axiom_element_create(this->env, NULL, "update", NULL, &node);
+		node = xmlNewNode(NULL, "update");
 	}
 	else
 	{
 		node = create_delete_filter(this, "authenticated-by");
 	}
-	axiom_node_add_child(request, this->env, node);
+	xmlAddChild(request, node);
 
 	/* add access-request, device and [if up] metadata */
-	axiom_node_add_child(node, this->env,
-							 create_access_request(this, ike_sa_id));
-	axiom_node_add_child(node, this->env,
-							 create_device(this));
+	xmlAddChild(node, create_access_request(this, ike_sa_id));
+	xmlAddChild(node, create_device(this));
 	if (up)
 	{
-		axiom_node_add_child(node, this->env,
-							 create_metadata(this, "authenticated-by"));
+		xmlAddChild(node, create_metadata(this, "authenticated-by"));
 	}
 
 	/**
@@ -598,230 +524,315 @@ METHOD(tnc_ifmap_soap_t, publish_ike_sa, bool,
 
 					if (up)
 					{
-						el = axiom_element_create(this->env, NULL, "update",
-												  NULL, &node);
+						node = xmlNewNode(NULL, "update");
 					}
 					else
 					{
 						node = create_delete_filter(this, "capability");
 					}
-					axiom_node_add_child(request, this->env, node);
+					xmlAddChild(request, node);
 
 					/* add access-request */
-					axiom_node_add_child(node, this->env,
-									 create_access_request(this, ike_sa_id));
+					xmlAddChild(node, create_access_request(this, ike_sa_id));
 					if (!up)
 					{
 						break;
 					}
-					el = axiom_element_create(this->env, NULL, "metadata", NULL,
-											  &node2);
-					axiom_node_add_child(node, this->env, node2);
+					node2 = xmlNewNode(NULL, "metadata");
+					xmlAddChild(node, node2);
 				}
-				axiom_node_add_child(node2, this->env,
-									 create_capability(this, group));
+				xmlAddChild(node2, create_capability(this, group));
 			}
 		}
 		e2->destroy(e2);
 	}
 	e1->destroy(e1);
 
-	/* send publish request and receive publishReceived */
-	return send_receive(this, "publish", request, "publishReceived", NULL);
+	soap_msg = tnc_ifmap_soap_msg_create(this->uri, this->user_pass, this->tls);
+	success = soap_msg->post(soap_msg, request, "publishReceived", NULL);
+	soap_msg->destroy(soap_msg);
+
+	return success;
 }
 
 METHOD(tnc_ifmap_soap_t, publish_device_ip, bool,
 	private_tnc_ifmap_soap_t *this, host_t *host)
 {
-	axiom_node_t *request, *node;
-	axiom_element_t *el;
+	tnc_ifmap_soap_msg_t *soap_msg;
+	xmlNodePtr request, update;
+	bool success;
 
 	/* build publish update request */
 	request = create_publish_request(this);
-	el = axiom_element_create(this->env, NULL, "update", NULL, &node);
-	axiom_node_add_child(request, this->env, node);
+	update = xmlNewNode(NULL, "update");
+	xmlAddChild(request, update);
 
 	/* add device, ip-address and metadata */
-	axiom_node_add_child(node, this->env,
-						 create_device(this));
-	axiom_node_add_child(node, this->env,
-						 create_ip_address(this, host));
-	axiom_node_add_child(node, this->env,
-						 create_metadata(this, "device-ip"));
-
-	/* send publish request and receive publishReceived */
-	return send_receive(this, "publish", request, "publishReceived", NULL);
+	xmlAddChild(update, create_device(this));
+	xmlAddChild(update, create_ip_address(this, host));
+	xmlAddChild(update, create_metadata(this, "device-ip"));
+
+	soap_msg = tnc_ifmap_soap_msg_create(this->uri, this->user_pass, this->tls);
+	success = soap_msg->post(soap_msg, request, "publishReceived", NULL);
+	soap_msg->destroy(soap_msg);
+
+	return success;
 }
 
 METHOD(tnc_ifmap_soap_t, publish_enforcement_report, bool,
 	private_tnc_ifmap_soap_t *this, host_t *host, char *action, char *reason)
 {
-	axiom_node_t *request, *node;
-	axiom_element_t *el;
+	tnc_ifmap_soap_msg_t *soap_msg;
+	xmlNodePtr request, update;
+	bool success;
 
 	/* build publish update request */
 	request = create_publish_request(this);
-	el = axiom_element_create(this->env, NULL, "update", NULL, &node);
-	axiom_node_add_child(request, this->env, node);
+	update = xmlNewNode(NULL, "update");
+	xmlAddChild(request, update);
 
 	/* add ip-address and metadata */
-	axiom_node_add_child(node, this->env,
-						 create_ip_address(this, host));
-	axiom_node_add_child(node, this->env,
-						 create_device(this));
-	axiom_node_add_child(node, this->env,
-						 create_enforcement_report(this, action, reason));
-
-	/* send publish request and receive publishReceived */
-	return send_receive(this, "publish", request, "publishReceived", NULL);
+	xmlAddChild(update, create_ip_address(this, host));
+	xmlAddChild(update, create_device(this));
+	xmlAddChild(update, create_enforcement_report(this, action, reason));
+
+	soap_msg = tnc_ifmap_soap_msg_create(this->uri, this->user_pass, this->tls);
+	success = soap_msg->post(soap_msg, request, "publishReceived", NULL);
+	soap_msg->destroy(soap_msg);
+
+	return success;
 }
 
 METHOD(tnc_ifmap_soap_t, endSession, bool,
 	private_tnc_ifmap_soap_t *this)
 {
-	axiom_node_t *request;
-	axiom_element_t *el;
-	axiom_namespace_t *ns;
-	axiom_attribute_t *attr;
+	tnc_ifmap_soap_msg_t *soap_msg;
+	xmlNodePtr request;
+	bool success;
 
 	/* build endSession request */
-	ns = axiom_namespace_create(this->env, IFMAP_NS, "ifmap");
-	el = axiom_element_create(this->env, NULL, "endSession", ns, &request);
-	attr = axiom_attribute_create(this->env, "session-id", this->session_id, NULL);
-	axiom_element_add_attribute(el, this->env, attr, request);
+	request = xmlNewNode(NULL, "endSession");
+	this->ns = xmlNewNs(request, IFMAP_NS, "ifmap");
+	xmlSetNs(request, this->ns);
+	xmlNewProp(request, "session-id", this->session_id);
+
+	soap_msg = tnc_ifmap_soap_msg_create(this->uri, this->user_pass, this->tls);
+	success = soap_msg->post(soap_msg, request, "endSessionResult", NULL);
+	soap_msg->destroy(soap_msg);
+
+	DBG1(DBG_TNC, "ended ifmap session '%s' as publisher '%s'",
+				   this->session_id, this->ifmap_publisher_id);
 
-	/* send endSession request and receive end SessionResult */
-	return send_receive(this, "endSession", request, "endSessionResult", NULL);
+	return success;
+}
+
+METHOD(tnc_ifmap_soap_t, get_session_id, char*,
+	private_tnc_ifmap_soap_t *this)
+{
+	return this->session_id;
+}
+
+METHOD(tnc_ifmap_soap_t, orphaned, bool,
+	private_tnc_ifmap_soap_t *this)
+{
+	return this->ref == 1;
+}
+
+METHOD(tnc_ifmap_soap_t, get_ref, tnc_ifmap_soap_t*,
+	private_tnc_ifmap_soap_t *this)
+{
+	ref_get(&this->ref);
+	return &this->public;
 }
 
 METHOD(tnc_ifmap_soap_t, destroy, void,
 	private_tnc_ifmap_soap_t *this)
 {
-	if (this->session_id)
-	{
-		endSession(this);
-		free(this->session_id);
-		free(this->ifmap_publisher_id);
-		free(this->device_name);
-	}
-	if (this->svc_client)
+	if (ref_put(&this->ref))
 	{
-		axis2_svc_client_free(this->svc_client, this->env);
-	}
-	if (this->env)
-	{
-		axutil_env_free(this->env);
+		if (this->session_id)
+		{
+			xmlFree(this->session_id);
+			xmlFree(this->ifmap_publisher_id);
+			free(this->device_name);
+		}
+		DESTROY_IF(this->tls);
+		DESTROY_IF(this->host);
+
+		if (this->fd != IFMAP_NO_FD)
+		{
+			close(this->fd);
+		}
+		lib->credmgr->remove_set(lib->credmgr, &this->creds->set);
+		this->creds->destroy(this->creds);
+		free(this->user_pass.ptr);
+		free(this);
 	}
-	free(this);
 }
 
-static bool axis2c_init(private_tnc_ifmap_soap_t *this)
+static bool soap_init(private_tnc_ifmap_soap_t *this)
 {
-	axis2_char_t *server, *server_cert, *key_file, *client_home;
-	axis2_char_t *ssl_passphrase, *username, *password;
-	axis2_endpoint_ref_t* endpoint_ref = NULL;
-	axis2_options_t *options = NULL;
-	axis2_transport_in_desc_t *transport_in;
-	axis2_transport_out_desc_t *transport_out;
-	axis2_transport_sender_t *transport_sender;
-	axutil_property_t* property;
-
-	/* Getting configuration parameters from strongswan.conf */
-	client_home = lib->settings->get_str(lib->settings,
-					"%s.plugins.tnc-ifmap.client_home",
-					AXIS2_GETENV("AXIS2C_HOME"), charon->name);
-	server = lib->settings->get_str(lib->settings,
-					"%s.plugins.tnc-ifmap.server", IFMAP_SERVER, charon->name);
+	char *server_uri, *server_str, *port_str, *uri_str;
+	char *server_cert, *client_cert, *client_key, *user_pass;
+	int port;
+	auth_cfg_t *auth;
+	certificate_t *cert;
+	private_key_t *key;
+	identification_t *server_id, *client_id = NULL;
+
+	/* getting configuration parameters from strongswan.conf */
+	server_uri =  lib->settings->get_str(lib->settings,
+					"%s.plugins.tnc-ifmap.server_uri", IFMAP_URI, charon->name);
 	server_cert = lib->settings->get_str(lib->settings,
 					"%s.plugins.tnc-ifmap.server_cert", NULL, charon->name);
-	key_file = lib->settings->get_str(lib->settings,
-					"%s.plugins.tnc-ifmap.key_file", NULL, charon->name);
-	ssl_passphrase = lib->settings->get_str(lib->settings,
-					"%s.plugins.tnc-ifmap.ssl_passphrase", NULL, charon->name);
-	username = lib->settings->get_str(lib->settings,
-					"%s.plugins.tnc-ifmap.username", NULL, charon->name);
-	password = lib->settings->get_str(lib->settings,
-					"%s.plugins.tnc-ifmap.password", NULL, charon->name);
-
+	client_cert = lib->settings->get_str(lib->settings,
+					"%s.plugins.tnc-ifmap.client_cert", NULL, charon->name);
+	client_key =  lib->settings->get_str(lib->settings,
+					"%s.plugins.tnc-ifmap.client_key", NULL, charon->name);
+	user_pass =   lib->settings->get_str(lib->settings,
+					"%s.plugins.tnc-ifmap.username_password", NULL, charon->name);
+
+	/* load [self-signed] MAP server certificate */
 	if (!server_cert)
 	{
 		DBG1(DBG_TNC, "MAP server certificate not defined");
 		return FALSE;
 	}
+	cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
+							  BUILD_FROM_FILE, server_cert, BUILD_END);
+	if (!cert)
+	{
+		DBG1(DBG_TNC, "loading MAP server certificate from '%s' failed",
+					   server_cert);
+		return FALSE;
+	}
+	DBG1(DBG_TNC, "loaded MAP server certificate from '%s'", server_cert);
+	server_id = cert->get_subject(cert);
+	this->creds->add_cert(this->creds, TRUE, cert);
 
-	if (!key_file && (!username || !password))
+	/* check availability of client credentials */
+	if (!client_cert && !user_pass)
 	{
-		DBG1(DBG_TNC, "MAP client keyfile or %s%s%s not defined",
-			(!username) ? "username" : "",
-			(!username && ! password) ? " and " : "",
-			(!password) ? "password" : "");
+		DBG1(DBG_TNC, "neither MAP client certificate "
+					  "nor username:password defined");
 		return FALSE;
 	}
 
-	/* Create Axis2/C environment and options */
-	this->env = axutil_env_create_all(IFMAP_LOGFILE, AXIS2_LOG_LEVEL_TRACE);
-	options = axis2_options_create(this->env);
+	if (client_cert)
+	{
+		/* load MAP client certificate */
+		cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
+								  BUILD_FROM_FILE, client_cert, BUILD_END);
+		if (!cert)
+		{
+			DBG1(DBG_TNC, "loading MAP client certificate from '%s' failed",
+						   client_cert);
+			return FALSE;
+		}
+		DBG1(DBG_TNC, "loaded MAP client certificate from '%s'", client_cert);
+		this->creds->add_cert(this->creds, TRUE, cert);
+
+		/* load MAP client private key */
+		if (client_key)
+		{
+			key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_RSA,
+									  BUILD_FROM_FILE, client_key, BUILD_END);
+			if (!key)
+			{
+				DBG1(DBG_TNC, "loading MAP client private key from '%s' failed",
+							   client_key);
+				return FALSE;
+			}
+			DBG1(DBG_TNC, "loaded MAP client RSA private key from '%s'",
+						   client_key);
+			this->creds->add_key(this->creds, key);
+		}
+
+		/* set client ID to certificate distinguished name */
+		client_id = cert->get_subject(cert);
+
+		/* check if we have a private key matching the certificate */
+		auth = auth_cfg_create();
+		auth->add(auth, AUTH_RULE_SUBJECT_CERT, cert);
+		key = lib->credmgr->get_private(lib->credmgr, KEY_RSA, client_id, auth);
+		auth->destroy(auth);
+		if (!key)
+		{
+			DBG1(DBG_TNC, "no RSA private key matching MAP client certificate");
+			return FALSE;
+		}
+	}
+	else
+	{
+		/* set base64-encoded username:password for HTTP Basic Authentication */
+		this->user_pass = chunk_to_base64(chunk_from_str(user_pass), NULL);
+	}
+
+	/* remove HTTPS prefix if any */
+	if (strlen(server_uri) >= 8 && strncaseeq(server_uri, "https://", 8))
+	{
+		server_uri += 8;
+	}
+	this->uri = server_uri;
 
-	/* Set path to the MAP server certificate */
-	property =axutil_property_create_with_args(this->env, 0, 0, 0,
-											   server_cert);
-	axis2_options_set_property(options, this->env,
-							   AXIS2_SSL_SERVER_CERT, property);
+	/* duplicate server string since we are going to manipulate it */
+	server_str = strdup(server_uri);
 
-	if (key_file)
+	/* extract server name and port from server URI */
+	port_str = strchr(server_str, ':');
+	if (port_str)
 	{
-		/* Set path to the MAP client certificate */
-		property =axutil_property_create_with_args(this->env, 0, 0, 0,
-												   key_file);
-		axis2_options_set_property(options, this->env,
-								   AXIS2_SSL_KEY_FILE, property);
-		if (ssl_passphrase)
+		*port_str++ = '\0';
+		if (sscanf(port_str, "%d", &port) != 1)
 		{
-			/* Provide SSL passphrase */
-			property =axutil_property_create_with_args(this->env, 0, 0, 0,
-                                                   ssl_passphrase);
-			axis2_options_set_property(options, this->env,
-									   AXIS2_SSL_PASSPHRASE, property);
+			DBG1(DBG_TNC, "parsing server port %s failed", port_str);
+			free(server_str);
+			return FALSE;
 		}
 	}
 	else
 	{
-		/* Set up HTTP Basic MAP client authentication */
-		axis2_options_set_http_auth_info(options, this->env,
-										 username, password, "Basic");
+		/* use default https port */
+		port = 443;
+		uri_str = strchr(server_str, '/');
+		if (uri_str)
+		{
+			*uri_str = '\0';
+		}
 	}
 
-	/* Define the MAP server as the to endpoint reference */
-	endpoint_ref = axis2_endpoint_ref_create(this->env, server);
-	axis2_options_set_to(options, this->env, endpoint_ref);
-
-	/* Set up https transport */
-	transport_in = axis2_transport_in_desc_create(this->env,
-												  AXIS2_TRANSPORT_ENUM_HTTPS);
-	transport_out = axis2_transport_out_desc_create(this->env,
-												  AXIS2_TRANSPORT_ENUM_HTTPS);
-	transport_sender = axis2_http_transport_sender_create(this->env);
-	axis2_transport_out_desc_set_sender(transport_out, this->env,
-										transport_sender);
-	axis2_options_set_transport_in(options, this->env, transport_in);
-	axis2_options_set_transport_out(options, this->env, transport_out);
-
-	/* Create the axis2 service client */
-	this->svc_client = axis2_svc_client_create(this->env, client_home);
-	if (!this->svc_client)
+	/* open TCP socket and connect to MAP server */
+	this->host = host_create_from_dns(server_str, 0, port);
+	if (!this->host)
 	{
-		DBG1(DBG_TNC, "could not create axis2 service client");
-		AXIS2_LOG_ERROR(this->env->log, AXIS2_LOG_SI,
-					    "Stub invoke FAILED: Error code: %d :: %s",
-						this->env->error->error_number,
-						AXIS2_ERROR_GET_MESSAGE(this->env->error));
-		destroy(this);
+		DBG1(DBG_TNC, "resolving hostname %s failed", server_str);
+		free(server_str);
 		return FALSE;
 	}
+	free(server_str);
 
-	axis2_svc_client_set_options(this->svc_client, this->env, options);
-	DBG1(DBG_TNC, "connecting as MAP client '%s' to MAP server at '%s'",
-				   username, server);
+	this->fd = socket(this->host->get_family(this->host), SOCK_STREAM, 0);
+	if (this->fd == IFMAP_NO_FD)
+	{
+		DBG1(DBG_TNC, "opening socket failed: %s", strerror(errno));
+		return FALSE;
+	}
+
+	if (connect(this->fd, this->host->get_sockaddr(this->host),
+						 *this->host->get_sockaddr_len(this->host)) == -1)
+	{
+		DBG1(DBG_TNC, "connecting to %#H failed: %s",
+					   this->host, strerror(errno));
+		return FALSE;
+	}
+
+	/* open TLS socket */
+	this->tls = tls_socket_create(FALSE, server_id, client_id, this->fd, NULL);
+	if (!this->tls)
+	{
+		DBG1(DBG_TNC, "creating TLS socket failed");
+		return FALSE;
+	}
 
 	return TRUE;
 }
@@ -836,16 +847,25 @@ tnc_ifmap_soap_t *tnc_ifmap_soap_create()
 	INIT(this,
 		.public = {
 			.newSession = _newSession,
+			.renewSession = _renewSession,
 			.purgePublisher = _purgePublisher,
 			.publish_ike_sa = _publish_ike_sa,
 			.publish_device_ip = _publish_device_ip,
 			.publish_enforcement_report = _publish_enforcement_report,
 			.endSession = _endSession,
+			.get_session_id = _get_session_id,
+			.orphaned = _orphaned,
+			.get_ref = _get_ref,
 			.destroy = _destroy,
 		},
+		.fd = IFMAP_NO_FD,
+		.creds = mem_cred_create(),
+		.ref = 1,
 	);
 
-	if (!axis2c_init(this))
+	lib->credmgr->add_set(lib->credmgr, &this->creds->set);
+
+	if (!soap_init(this))
 	{
 		destroy(this);
 		return NULL;
diff --git a/src/libcharon/plugins/tnc_ifmap/tnc_ifmap_soap.h b/src/libcharon/plugins/tnc_ifmap/tnc_ifmap_soap.h
index 4efdc779f..4a0434a54 100644
--- a/src/libcharon/plugins/tnc_ifmap/tnc_ifmap_soap.h
+++ b/src/libcharon/plugins/tnc_ifmap/tnc_ifmap_soap.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2011 Andreas Steffen
+ * Copyright (C) 2011-2013 Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -39,6 +39,13 @@ struct tnc_ifmap_soap_t {
 	 */
 	bool (*newSession)(tnc_ifmap_soap_t *this);
 
+	/**
+	 * Check if the IF-MAP session is still active
+	 *
+	 * @return				TRUE if command was successful
+	 */
+	bool (*renewSession)(tnc_ifmap_soap_t *this);
+
 	/**
 	 * Purges all metadata published by this publisher
 	 *
@@ -81,6 +88,27 @@ struct tnc_ifmap_soap_t {
 	 */
 	bool (*endSession)(tnc_ifmap_soap_t *this);
 
+	/**
+	 * Get ID of IF-MAP session
+	 *
+	 * @return				IF-MAP session ID
+	 */
+	char* (*get_session_id)(tnc_ifmap_soap_t *this);
+
+	/**
+	 * Check for an orphaned IF-MAP session
+	 *
+	 * @return				TRUE if IF-MAP session is orphaned
+	 */
+	bool (*orphaned)(tnc_ifmap_soap_t *this);
+
+	/**
+	 * Get a reference to an IF-MAP session
+	 *
+	 * @return				referenced IF-MAP session
+	 */
+	tnc_ifmap_soap_t* (*get_ref)(tnc_ifmap_soap_t *this);
+
 	/**
 	 * Destroy a tnc_ifmap_soap_t.
 	 */
diff --git a/src/libcharon/plugins/tnc_ifmap/tnc_ifmap_soap_msg.c b/src/libcharon/plugins/tnc_ifmap/tnc_ifmap_soap_msg.c
new file mode 100644
index 000000000..b86288683
--- /dev/null
+++ b/src/libcharon/plugins/tnc_ifmap/tnc_ifmap_soap_msg.c
@@ -0,0 +1,256 @@
+/*
+ * Copyright (C) 2013 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "tnc_ifmap_soap_msg.h"
+#include "tnc_ifmap_http.h"
+
+#include <utils/debug.h>
+
+#define SOAP_NS		"http://www.w3.org/2003/05/soap-envelope"
+
+typedef struct private_tnc_ifmap_soap_msg_t private_tnc_ifmap_soap_msg_t;
+
+/**
+ * Private data of an tnc_ifmap_soap_msg_t object.
+ */
+struct private_tnc_ifmap_soap_msg_t {
+
+	/**
+	 * Public tnc_ifmap_soap_msg_t interface.
+	 */
+	tnc_ifmap_soap_msg_t public;
+
+	/**
+	 * HTTP POST request builder and response processing
+	 */
+	tnc_ifmap_http_t *http;
+
+	/**
+	 * TLS socket
+	 */
+	tls_socket_t *tls;
+
+	/**
+	 * XML Document
+	 */
+	xmlDocPtr doc;
+
+};
+
+/**
+ * Find a child node with a given name
+ */
+static xmlNodePtr find_child(xmlNodePtr parent, const xmlChar* name)
+{
+	xmlNodePtr child;
+	
+	child = parent->xmlChildrenNode;
+	while (child)
+	{
+		if (xmlStrcmp(child->name, name) == 0)
+		{
+			return child;
+		}
+		child = child->next;
+	}
+
+	DBG1(DBG_TNC, "child node \"%s\" not found", name);
+	return NULL;
+}
+
+METHOD(tnc_ifmap_soap_msg_t, post, bool,
+	private_tnc_ifmap_soap_msg_t *this, xmlNodePtr request, char *result_name,
+	xmlNodePtr *result)
+{
+	xmlDocPtr doc;
+	xmlNodePtr env, body, cur, response;
+	xmlNsPtr ns;
+	xmlChar *xml_str, *errorCode, *errorString;
+	int xml_len, len, written;
+	chunk_t xml, http;
+	char buf[4096];
+	status_t status;
+
+	DBG2(DBG_TNC, "sending ifmap %s", request->name);
+
+	/* Generate XML Document containing SOAP Envelope */
+	doc = xmlNewDoc("1.0");
+	env =xmlNewNode(NULL, "Envelope");
+	ns = xmlNewNs(env, SOAP_NS, "env");
+	xmlSetNs(env, ns);
+	xmlDocSetRootElement(doc, env);
+
+	/* Add SOAP Body containing IF-MAP request */
+	body = xmlNewNode(ns, "Body");
+	xmlAddChild(body, request);
+	xmlAddChild(env, body);
+
+	/* Convert XML Document into a character string */
+	xmlDocDumpFormatMemory(doc, &xml_str, &xml_len, 1);
+	xmlFreeDoc(doc);
+	DBG3(DBG_TNC, "%.*s", xml_len, xml_str);
+	xml = chunk_create(xml_str, xml_len);
+
+	/* Send SOAP-XML request via HTTPS POST */
+	do
+	{
+		status = this->http->build(this->http, &xml, &http);
+		if (status == FAILED)
+		{
+			break;
+		}
+		written = this->tls->write(this->tls, http.ptr, http.len);
+		free(http.ptr);
+		if (written != http.len)
+		{
+			status = FAILED;
+			break;
+		}
+	}
+	while (status == NEED_MORE);
+
+	xmlFree(xml_str);
+	if (status != SUCCESS)
+	{
+		return FALSE;
+	}
+
+	/* Receive SOAP-XML response via [chunked] HTTPS */
+	xml = chunk_empty;
+	do
+	{
+		len = this->tls->read(this->tls, buf, sizeof(buf), TRUE);
+		if (len <= 0)
+		{
+			return FALSE;
+		}
+		http = chunk_create(buf, len);
+
+		status = this->http->process(this->http, &http, &xml);
+		if (status == FAILED)
+		{
+			free(xml.ptr);
+			return FALSE;
+		}
+	}
+	while (status == NEED_MORE);
+
+	DBG3(DBG_TNC, "parsing XML message %B", &xml);
+	this->doc = xmlParseMemory(xml.ptr, xml.len);
+	free(xml.ptr);
+	
+	if (!this->doc)
+	{
+		DBG1(DBG_TNC, "failed to parse XML message");
+		return FALSE;
+	}
+
+	/* check out XML document */
+	cur = xmlDocGetRootElement(this->doc);
+	if (!cur)
+	{
+		DBG1(DBG_TNC, "empty XML message");
+		return FALSE;
+	}
+
+	/* get XML Document type is a SOAP Envelope */
+	if (xmlStrcmp(cur->name, "Envelope"))
+	{
+		DBG1(DBG_TNC, "XML message does not contain a SOAP Envelope");
+		return FALSE;
+	}
+
+	/* get SOAP Body */
+	cur = find_child(cur, "Body");
+	if (!cur)
+	{
+		return FALSE;
+	}
+
+	/* get IF-MAP response */
+	response = find_child(cur, "response");
+	if (!response)
+	{
+		return FALSE;
+	}
+
+	/* get IF-MAP result */
+	cur = find_child(response, result_name);
+	if (!cur)
+	{
+		cur = find_child(response, "errorResult");
+		if (cur)
+		{
+			DBG1(DBG_TNC, "received errorResult");
+
+			errorCode = xmlGetProp(cur, "errorCode");
+			if (errorCode)
+			{
+				DBG1(DBG_TNC, "  %s", errorCode);
+				xmlFree(errorCode);
+			}
+
+			cur = find_child(cur, "errorString");
+			if (cur)
+			{
+				errorString = xmlNodeGetContent(cur);
+				if (errorString)
+				{
+					DBG1(DBG_TNC, "  %s", errorString);
+					xmlFree(errorString);
+				}
+			}
+		}
+		return FALSE;
+	}
+
+	if (result)
+	{
+		*result = cur;
+	}
+	return TRUE;
+}
+
+METHOD(tnc_ifmap_soap_msg_t, destroy, void,
+	private_tnc_ifmap_soap_msg_t *this)
+{
+	this->http->destroy(this->http);
+	if (this->doc)
+	{
+		xmlFreeDoc(this->doc);
+	}
+	free(this);
+}
+
+/**
+ * See header
+ */
+tnc_ifmap_soap_msg_t *tnc_ifmap_soap_msg_create(char *uri, chunk_t user_pass,
+												tls_socket_t *tls)
+{
+	private_tnc_ifmap_soap_msg_t *this;
+
+	INIT(this,
+		.public = {
+			.post = _post,
+			.destroy = _destroy,
+		},
+		.http = tnc_ifmap_http_create(uri, user_pass),
+		.tls = tls,
+	);
+
+	return &this->public;
+}
+
diff --git a/src/libcharon/plugins/tnc_ifmap/tnc_ifmap_soap_msg.h b/src/libcharon/plugins/tnc_ifmap/tnc_ifmap_soap_msg.h
new file mode 100644
index 000000000..4f809ba1a
--- /dev/null
+++ b/src/libcharon/plugins/tnc_ifmap/tnc_ifmap_soap_msg.h
@@ -0,0 +1,62 @@
+/*
+ * Copyright (C) 2013 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup tnc_ifmap_soap_msg tnc_ifmap_soap_msg
+ * @{ @ingroup tnc_ifmap 
+ */
+
+#ifndef TNC_IFMAP_SOAP_MSG_H_
+#define TNC_IFMAP_SOAP_MSG_H_
+
+#include <library.h>
+#include <tls_socket.h>
+
+#include <libxml/parser.h>
+
+typedef struct tnc_ifmap_soap_msg_t tnc_ifmap_soap_msg_t;
+
+/**
+ * Interface for sending and receiving SOAP-XML messages
+ */
+struct tnc_ifmap_soap_msg_t {
+
+	/**
+	 * Post an IF-MAP request in a SOAP-XML message and return a result
+	 *
+	 * @param request		XML-encoded IF-MAP request
+	 * @param result_name	name of the IF-MAP result
+	 * @param result		XML-encoded IF-MAP result
+	 */
+	bool (*post)(tnc_ifmap_soap_msg_t *this, xmlNodePtr request,
+				 char *result_name, xmlNodePtr* result);
+
+	/**
+	 * Destroy a tnc_ifmap_soap_msg_t object.
+	 */
+	void (*destroy)(tnc_ifmap_soap_msg_t *this);
+};
+
+/**
+ * Create a tnc_ifmap_soap_msg instance.
+ *
+ * @param uri			HTTPS URI with https:// prefix removed
+ * @param user_pass		Optional username:password for HTTP Basic Authentication
+ * @param tls			TLS socket protecting the SOAP message
+ */
+tnc_ifmap_soap_msg_t *tnc_ifmap_soap_msg_create(char *uri, chunk_t user_pass,
+												tls_socket_t *tls);
+
+#endif /** TNC_IFMAP_SOAP_MSG_H_ @}*/
diff --git a/src/libcharon/plugins/tnc_imc/Makefile.am b/src/libcharon/plugins/tnc_imc/Makefile.am
index 5e2c30df9..eba280690 100644
--- a/src/libcharon/plugins/tnc_imc/Makefile.am
+++ b/src/libcharon/plugins/tnc_imc/Makefile.am
@@ -4,7 +4,8 @@ INCLUDES = \
 	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon \
 	-I$(top_srcdir)/src/libtncif \
-	-I$(top_srcdir)/src/libtnccs
+	-I$(top_srcdir)/src/libtnccs \
+	-I$(top_srcdir)/src/libtls
 
 AM_CFLAGS = -rdynamic
 
diff --git a/src/libcharon/plugins/tnc_imc/Makefile.in b/src/libcharon/plugins/tnc_imc/Makefile.in
index b21cbb348..4e0a18310 100644
--- a/src/libcharon/plugins/tnc_imc/Makefile.in
+++ b/src/libcharon/plugins/tnc_imc/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.11.3 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
@@ -16,6 +16,23 @@
 @SET_MAKE@
 
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -109,6 +126,11 @@ LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
 	$(LDFLAGS) -o $@
 SOURCES = $(libstrongswan_tnc_imc_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_tnc_imc_la_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
@@ -125,6 +147,8 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -141,6 +165,7 @@ EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
@@ -209,8 +234,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -266,7 +289,6 @@ nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
@@ -305,7 +327,8 @@ INCLUDES = \
 	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon \
 	-I$(top_srcdir)/src/libtncif \
-	-I$(top_srcdir)/src/libtnccs
+	-I$(top_srcdir)/src/libtnccs \
+	-I$(top_srcdir)/src/libtls
 
 AM_CFLAGS = -rdynamic
 @MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-tnc-imc.la
@@ -364,7 +387,6 @@ clean-noinstLTLIBRARIES:
 	done
 install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
-	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
 	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
 	list2=; for p in $$list; do \
 	  if test -f $$p; then \
@@ -372,6 +394,8 @@ install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	  else :; fi; \
 	done; \
 	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \
 	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
 	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
 	}
diff --git a/src/libcharon/plugins/tnc_imv/Makefile.am b/src/libcharon/plugins/tnc_imv/Makefile.am
index eca3b377b..90b3507ce 100644
--- a/src/libcharon/plugins/tnc_imv/Makefile.am
+++ b/src/libcharon/plugins/tnc_imv/Makefile.am
@@ -4,7 +4,8 @@ INCLUDES = \
 	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon \
 	-I$(top_srcdir)/src/libtncif \
-	-I$(top_srcdir)/src/libtnccs
+	-I$(top_srcdir)/src/libtnccs \
+	-I$(top_srcdir)/src/libtls
 
 AM_CFLAGS = -rdynamic
 
diff --git a/src/libcharon/plugins/tnc_imv/Makefile.in b/src/libcharon/plugins/tnc_imv/Makefile.in
index 6e0133c2d..37964757f 100644
--- a/src/libcharon/plugins/tnc_imv/Makefile.in
+++ b/src/libcharon/plugins/tnc_imv/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.11.3 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
@@ -16,6 +16,23 @@
 @SET_MAKE@
 
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -110,6 +127,11 @@ LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
 	$(LDFLAGS) -o $@
 SOURCES = $(libstrongswan_tnc_imv_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_tnc_imv_la_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
@@ -126,6 +148,8 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -142,6 +166,7 @@ EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
@@ -210,8 +235,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -267,7 +290,6 @@ nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
@@ -306,7 +328,8 @@ INCLUDES = \
 	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon \
 	-I$(top_srcdir)/src/libtncif \
-	-I$(top_srcdir)/src/libtnccs
+	-I$(top_srcdir)/src/libtnccs \
+	-I$(top_srcdir)/src/libtls
 
 AM_CFLAGS = -rdynamic
 @MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-tnc-imv.la
@@ -366,7 +389,6 @@ clean-noinstLTLIBRARIES:
 	done
 install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
-	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
 	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
 	list2=; for p in $$list; do \
 	  if test -f $$p; then \
@@ -374,6 +396,8 @@ install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	  else :; fi; \
 	done; \
 	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \
 	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
 	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
 	}
diff --git a/src/libcharon/plugins/tnc_pdp/Makefile.in b/src/libcharon/plugins/tnc_pdp/Makefile.in
index ac764a163..0db60a288 100644
--- a/src/libcharon/plugins/tnc_pdp/Makefile.in
+++ b/src/libcharon/plugins/tnc_pdp/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.11.3 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
@@ -16,6 +16,23 @@
 @SET_MAKE@
 
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -110,6 +127,11 @@ LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
 	$(LDFLAGS) -o $@
 SOURCES = $(libstrongswan_tnc_pdp_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_tnc_pdp_la_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
@@ -126,6 +148,8 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -142,6 +166,7 @@ EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
@@ -210,8 +235,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -267,7 +290,6 @@ nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
@@ -365,7 +387,6 @@ clean-noinstLTLIBRARIES:
 	done
 install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
-	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
 	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
 	list2=; for p in $$list; do \
 	  if test -f $$p; then \
@@ -373,6 +394,8 @@ install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	  else :; fi; \
 	done; \
 	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \
 	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
 	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
 	}
diff --git a/src/libcharon/plugins/tnc_pdp/tnc_pdp.c b/src/libcharon/plugins/tnc_pdp/tnc_pdp.c
index 39939d34e..422c28bc9 100644
--- a/src/libcharon/plugins/tnc_pdp/tnc_pdp.c
+++ b/src/libcharon/plugins/tnc_pdp/tnc_pdp.c
@@ -378,7 +378,10 @@ static void process_eap(private_tnc_pdp_t *this, radius_message_t *request,
 			}
 			this->connections->add(this->connections, nas_id, user_name, peer,
 								   method);
-			method->initiate(method, &out);
+			if (method->initiate(method, &out) == NEED_MORE)
+			{
+				send_response(this, request, code, out, group, msk, source);
+			}
 		}
 		else
 		{
@@ -428,16 +431,16 @@ static void process_eap(private_tnc_pdp_t *this, radius_message_t *request,
 												  in->get_identifier(in));
 			}
 			charon->bus->set_sa(charon->bus, NULL);
+			send_response(this, request, code, out, group, msk, source);
+			this->connections->unlock(this->connections);
 		}
 
-		send_response(this, request, code, out, group, msk, source);
-		out->destroy(out);
-
 		if (code == RMC_ACCESS_ACCEPT || code == RMC_ACCESS_REJECT)
 		{
 			this->connections->remove(this->connections, nas_id, user_name);
 		}
 
+		out->destroy(out);
 end:
 		free(message.ptr);
 		in->destroy(in);
@@ -648,4 +651,3 @@ tnc_pdp_t *tnc_pdp_create(u_int16_t port)
 
 	return &this->public;
 }
-
diff --git a/src/libcharon/plugins/tnc_pdp/tnc_pdp_connections.c b/src/libcharon/plugins/tnc_pdp/tnc_pdp_connections.c
index 0a960635b..f789c31d2 100644
--- a/src/libcharon/plugins/tnc_pdp/tnc_pdp_connections.c
+++ b/src/libcharon/plugins/tnc_pdp/tnc_pdp_connections.c
@@ -17,6 +17,15 @@
 
 #include <collections/linked_list.h>
 #include <utils/debug.h>
+#include <threading/rwlock.h>
+#include <processing/jobs/callback_job.h>
+
+#include <daemon.h>
+
+/**
+ * Default PDP connection timeout, in s
+ */
+#define DEFAULT_TIMEOUT 30
 
 typedef struct private_tnc_pdp_connections_t private_tnc_pdp_connections_t;
 typedef struct entry_t entry_t;
@@ -32,9 +41,19 @@ struct private_tnc_pdp_connections_t {
 	tnc_pdp_connections_t public;
 
 	/**
-	 * List of TNC PEP RADIUS Connections
+	 * TNC PEP RADIUS Connections
 	 */
 	linked_list_t *list;
+
+	/**
+	 * Lock to access PEP connection list
+	 */
+	rwlock_t *lock;
+
+	/**
+	 * Connection timeout before we kill non-completed connections, in s
+	 */
+	int timeout;
 };
 
 /**
@@ -61,6 +80,11 @@ struct entry_t {
 	 * IKE SA used for bus communication
 	 */
 	ike_sa_t *ike_sa;
+
+	/**
+	 * Timestamp this entry has been created
+	 */
+	time_t created;
 };
 
 /**
@@ -105,6 +129,35 @@ static void dbg_nas_user(chunk_t nas_id, chunk_t user_name, bool not, char *op)
 	}
 }
 
+/**
+ * Check if any connection has timed out
+ */
+static job_requeue_t check_timeouts(private_tnc_pdp_connections_t *this)
+{
+	enumerator_t *enumerator;
+	entry_t *entry;
+	time_t now;
+
+	now = time_monotonic(NULL);
+
+	this->lock->write_lock(this->lock);
+	enumerator = this->list->create_enumerator(this->list);
+	while (enumerator->enumerate(enumerator, &entry))
+	{
+		if (entry->created + this->timeout <= now)
+		{
+			DBG1(DBG_CFG, "RADIUS connection timed out after %d seconds",
+				 this->timeout);
+			this->list->remove_at(this->list, enumerator);
+			free_entry(entry);
+		}
+	}
+	enumerator->destroy(enumerator);
+	this->lock->unlock(this->lock);
+
+	return JOB_REQUEUE_NONE;
+}
+
 METHOD(tnc_pdp_connections_t, add, void,
 	private_tnc_pdp_connections_t *this, chunk_t nas_id, chunk_t user_name,
 	identification_t *peer, eap_method_t *method)
@@ -120,6 +173,7 @@ METHOD(tnc_pdp_connections_t, add, void,
 	ike_sa_id->destroy(ike_sa_id);
 	ike_sa->set_other_id(ike_sa, peer);
 
+	this->lock->read_lock(this->lock);
 	enumerator = this->list->create_enumerator(this->list);
 	while (enumerator->enumerate(enumerator, &entry))
 	{
@@ -131,20 +185,33 @@ METHOD(tnc_pdp_connections_t, add, void,
 			DBG1(DBG_CFG, "removed stale RADIUS connection");
 			entry->method = method;
 			entry->ike_sa = ike_sa;
+			entry->created = time_monotonic(NULL);
 			break;
 		}
 	}
 	enumerator->destroy(enumerator);
+	this->lock->unlock(this->lock);
 
 	if (!found)
 	{
-		entry = malloc_thing(entry_t);
-		entry->nas_id = chunk_clone(nas_id);
-		entry->user_name = chunk_clone(user_name);
-		entry->method = method;
-		entry->ike_sa = ike_sa;
+		INIT(entry,
+			.nas_id = chunk_clone(nas_id),
+			.user_name = chunk_clone(user_name),
+			.method = method,
+			.ike_sa = ike_sa,
+			.created = time_monotonic(NULL),
+		);
+		this->lock->write_lock(this->lock);
 		this->list->insert_last(this->list, entry);
+		this->lock->unlock(this->lock);
 	}
+
+	/* schedule timeout checking */
+	lib->scheduler->schedule_job_ms(lib->scheduler,
+				(job_t*)callback_job_create((callback_job_cb_t)check_timeouts,
+					this, NULL, (callback_job_cancel_t)return_false),
+				this->timeout * 1000);
+
 	dbg_nas_user(nas_id, user_name, FALSE, "created");
 }
 
@@ -154,6 +221,7 @@ METHOD(tnc_pdp_connections_t, remove_, void,
 	enumerator_t *enumerator;
 	entry_t *entry;
 
+	this->lock->write_lock(this->lock);
 	enumerator = this->list->create_enumerator(this->list);
 	while (enumerator->enumerate(enumerator, &entry))
 	{
@@ -166,6 +234,7 @@ METHOD(tnc_pdp_connections_t, remove_, void,
 		}
 	}
 	enumerator->destroy(enumerator);
+	this->lock->unlock(this->lock);
 }
 
 METHOD(tnc_pdp_connections_t, get_state, eap_method_t*,
@@ -176,6 +245,7 @@ METHOD(tnc_pdp_connections_t, get_state, eap_method_t*,
 	entry_t *entry;
 	eap_method_t *found = NULL;
 
+	this->lock->read_lock(this->lock);
 	enumerator = this->list->create_enumerator(this->list);
 	while (enumerator->enumerate(enumerator, &entry))
 	{
@@ -187,14 +257,25 @@ METHOD(tnc_pdp_connections_t, get_state, eap_method_t*,
 		}
 	}
 	enumerator->destroy(enumerator);
+	if (!found)
+	{
+		this->lock->unlock(this->lock);
+	}
 
 	dbg_nas_user(nas_id, user_name, !found, "found");
 	return found;
 }
 
+METHOD(tnc_pdp_connections_t, unlock, void,
+	private_tnc_pdp_connections_t *this)
+{
+	this->lock->unlock(this->lock);
+}
+
 METHOD(tnc_pdp_connections_t, destroy, void,
 	private_tnc_pdp_connections_t *this)
 {
+	this->lock->destroy(this->lock);
 	this->list->destroy_function(this->list, (void*)free_entry);
 	free(this);
 }
@@ -211,11 +292,14 @@ tnc_pdp_connections_t *tnc_pdp_connections_create(void)
 			.add = _add,
 			.remove = _remove_,
 			.get_state = _get_state,
+			.unlock = _unlock,
 			.destroy = _destroy,
 		},
 		.list = linked_list_create(),
+		.lock = rwlock_create(RWLOCK_TYPE_DEFAULT),
+		.timeout = lib->settings->get_int(lib->settings,
+				"%s.plugins.tnc-pdp.timeout", DEFAULT_TIMEOUT, charon->name),
 	);
 
 	return &this->public;
 }
-
diff --git a/src/libcharon/plugins/tnc_pdp/tnc_pdp_connections.h b/src/libcharon/plugins/tnc_pdp/tnc_pdp_connections.h
index 16492020e..442f29ce9 100644
--- a/src/libcharon/plugins/tnc_pdp/tnc_pdp_connections.h
+++ b/src/libcharon/plugins/tnc_pdp/tnc_pdp_connections.h
@@ -53,7 +53,10 @@ struct tnc_pdp_connections_t {
 				   chunk_t user_name);
 
 	/**
-	 * Get the EAP method and IKE_SA of a registered TNC PEP RADIUS Connection
+	 * Get the EAP method and IKE_SA of a registered TNC PEP RADIUS Connection.
+	 *
+	 * If this call succeeds, the connection manager is locked. Call unlock
+	 * after using the return objects.
 	 *
 	 * @param nas_id		NAS identifier of Policy Enforcement Point
 	 * @param user_name		User name of TNC Client
@@ -63,6 +66,11 @@ struct tnc_pdp_connections_t {
 	eap_method_t* (*get_state)(tnc_pdp_connections_t *this, chunk_t nas_id,
 							   chunk_t user_name, ike_sa_t **ike_sa);
 
+	/**
+	 * Unlock connections after successfully calling get_state().
+	 */
+	void (*unlock)(tnc_pdp_connections_t *this);
+
 	/**
 	 * Destroys a tnc_pdp_connections_t object.
 	 */
diff --git a/src/libcharon/plugins/tnc_tnccs/Makefile.am b/src/libcharon/plugins/tnc_tnccs/Makefile.am
index c7fc02f7c..9ee9e86ad 100644
--- a/src/libcharon/plugins/tnc_tnccs/Makefile.am
+++ b/src/libcharon/plugins/tnc_tnccs/Makefile.am
@@ -1,6 +1,7 @@
 
 INCLUDES = \
 	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libtls \
 	-I$(top_srcdir)/src/libtncif \
 	-I$(top_srcdir)/src/libtnccs
 
diff --git a/src/libcharon/plugins/tnc_tnccs/Makefile.in b/src/libcharon/plugins/tnc_tnccs/Makefile.in
index f4bc7a6e5..7ca6df3c8 100644
--- a/src/libcharon/plugins/tnc_tnccs/Makefile.in
+++ b/src/libcharon/plugins/tnc_tnccs/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.11.3 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
@@ -16,6 +16,23 @@
 @SET_MAKE@
 
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -110,6 +127,11 @@ LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
 	$(LDFLAGS) -o $@
 SOURCES = $(libstrongswan_tnc_tnccs_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_tnc_tnccs_la_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
@@ -126,6 +148,8 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -142,6 +166,7 @@ EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
@@ -210,8 +235,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -267,7 +290,6 @@ nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
@@ -303,6 +325,7 @@ xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
 INCLUDES = \
 	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libtls \
 	-I$(top_srcdir)/src/libtncif \
 	-I$(top_srcdir)/src/libtnccs
 
@@ -363,7 +386,6 @@ clean-noinstLTLIBRARIES:
 	done
 install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
-	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
 	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
 	list2=; for p in $$list; do \
 	  if test -f $$p; then \
@@ -371,6 +393,8 @@ install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	  else :; fi; \
 	done; \
 	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \
 	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
 	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
 	}
diff --git a/src/libcharon/plugins/tnc_tnccs/tnc_tnccs_manager.c b/src/libcharon/plugins/tnc_tnccs/tnc_tnccs_manager.c
index 0b623d6ff..8db3731b2 100644
--- a/src/libcharon/plugins/tnc_tnccs/tnc_tnccs_manager.c
+++ b/src/libcharon/plugins/tnc_tnccs/tnc_tnccs_manager.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2010-2012 Andreas Steffen
+ * Copyright (C) 2010-2013 Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -13,6 +13,8 @@
  * for more details.
  */
 
+#define _GNU_SOURCE /* for asprintf() */
+
 #include "tnc_tnccs_manager.h"
 
 #include <tnc/tnc.h>
@@ -20,10 +22,18 @@
 #include <tnc/imc/imc_manager.h>
 #include <tnc/imv/imv_manager.h>
 
+#include <tncif_identity.h>
+
+#include <tls.h>
+
 #include <utils/debug.h>
+#include <pen/pen.h>
+#include <bio/bio_writer.h>
 #include <collections/linked_list.h>
 #include <threading/rwlock.h>
 
+#include <stdio.h>
+
 typedef struct private_tnc_tnccs_manager_t private_tnc_tnccs_manager_t;
 typedef struct tnccs_entry_t tnccs_entry_t;
 typedef struct tnccs_connection_entry_t tnccs_connection_entry_t;
@@ -158,7 +168,9 @@ METHOD(tnccs_manager_t, remove_method, void,
 }
 
 METHOD(tnccs_manager_t, create_instance, tnccs_t*,
-	private_tnc_tnccs_manager_t *this, tnccs_type_t type, bool is_server)
+	private_tnc_tnccs_manager_t *this, tnccs_type_t type, bool is_server,
+	identification_t *server, identification_t *peer,
+	tnc_ift_type_t transport)
 {
 	enumerator_t *enumerator;
 	tnccs_entry_t *entry;
@@ -170,7 +182,7 @@ METHOD(tnccs_manager_t, create_instance, tnccs_t*,
 	{
 		if (type == entry->type)
 		{
-			protocol = entry->constructor(is_server);
+			protocol = entry->constructor(is_server, server, peer, transport);
 			if (protocol)
 			{
 				break;
@@ -442,6 +454,44 @@ static TNC_Result str_attribute(TNC_UInt32 buffer_len,
 	}
 }
 
+/**
+ * Write the value of a TNC identity list into the buffer
+ */
+static TNC_Result identity_attribute(TNC_UInt32 buffer_len,
+									 TNC_BufferReference buffer,
+									 TNC_UInt32 *value_len,
+									 linked_list_t *list)
+{
+	bio_writer_t *writer;
+	enumerator_t *enumerator;
+	u_int32_t count;
+	chunk_t value;
+	tncif_identity_t *tnc_id;
+	TNC_Result result = TNC_RESULT_INVALID_PARAMETER;
+
+	count = list->get_count(list);
+	writer = bio_writer_create(4 + TNCIF_IDENTITY_MIN_SIZE * count);
+	writer->write_uint32(writer, count);
+
+	enumerator = list->create_enumerator(list);
+	while (enumerator->enumerate(enumerator, &tnc_id))
+	{
+		tnc_id->build(tnc_id, writer);
+	}
+	enumerator->destroy(enumerator);
+
+	value = writer->get_buf(writer);
+	*value_len = value.len;
+	if (buffer && buffer_len >= value.len)
+	{
+		memcpy(buffer, value.ptr, value.len);
+		result = TNC_RESULT_SUCCESS;
+	}
+	writer->destroy(writer);
+
+	return result;
+}
+
 METHOD(tnccs_manager_t, get_attribute, TNC_Result,
 	private_tnc_tnccs_manager_t *this, bool is_imc,
 									   TNC_UInt32 imcv_id,
@@ -487,6 +537,7 @@ METHOD(tnccs_manager_t, get_attribute, TNC_Result,
 
 			/* these attributes are supported */
 			case TNC_ATTRIBUTEID_PRIMARY_IMV_ID:
+			case TNC_ATTRIBUTEID_AR_IDENTITIES:
 				attribute_match = TRUE;
 				break;
 
@@ -616,15 +667,110 @@ METHOD(tnccs_manager_t, get_attribute, TNC_Result,
 					version = "1.0";
 					break;
 				default:
-				return TNC_RESULT_INVALID_PARAMETER;
+					return TNC_RESULT_INVALID_PARAMETER;
 			}
 			return str_attribute(buffer_len, buffer, value_len, version);
 		}
 		case TNC_ATTRIBUTEID_IFT_PROTOCOL:
-			return str_attribute(buffer_len, buffer, value_len,
-										 "IF-T for Tunneled EAP");
+		{
+			char *protocol;
+
+			switch (entry->tnccs->get_transport(entry->tnccs))
+			{
+				case TNC_IFT_EAP_1_0:
+				case TNC_IFT_EAP_1_1:
+				case TNC_IFT_EAP_2_0:
+					protocol = "IF-T for Tunneled EAP";
+					break;
+				case TNC_IFT_TLS_1_0:
+				case TNC_IFT_TLS_2_0:
+					protocol = "IF-T for TLS";
+					break;
+				default:
+					return TNC_RESULT_INVALID_PARAMETER;
+			}
+			return str_attribute(buffer_len, buffer, value_len, protocol);
+		}
  		case TNC_ATTRIBUTEID_IFT_VERSION:
-			return str_attribute(buffer_len, buffer, value_len, "1.1");
+		{
+			char *version;
+
+			switch (entry->tnccs->get_transport(entry->tnccs))
+			{
+				case TNC_IFT_EAP_1_0:
+				case TNC_IFT_TLS_1_0:
+					version = "1.0";
+					break;
+				case TNC_IFT_EAP_1_1:
+					version = "1.1";
+					break;
+				case TNC_IFT_EAP_2_0:
+				case TNC_IFT_TLS_2_0:
+					version = "2.0";
+					break;
+				default:
+					return TNC_RESULT_INVALID_PARAMETER;
+			}
+			return str_attribute(buffer_len, buffer, value_len, version);
+		}
+		case TNC_ATTRIBUTEID_AR_IDENTITIES:
+		{
+			linked_list_t *list;
+			identification_t *peer;
+			tnccs_t *tnccs;
+			tncif_identity_t *tnc_id;
+			u_int32_t id_type, subject_type;
+			chunk_t id_value;
+			char *id_str;
+			TNC_Result result;
+
+			list = linked_list_create();
+			tnccs = entry->tnccs;
+			peer = tnccs->tls.get_peer_id(&tnccs->tls);
+			if (peer)
+			{
+				switch (peer->get_type(peer))
+				{
+					case ID_IPV4_ADDR:
+						id_type = TNC_ID_IPV4_ADDR;
+						subject_type = TNC_SUBJECT_MACHINE;
+						break;
+					case ID_IPV6_ADDR:
+						id_type = TNC_ID_IPV6_ADDR;
+						subject_type = TNC_SUBJECT_MACHINE;
+						break;
+					case ID_FQDN:
+						id_type = TNC_ID_USERNAME;
+						subject_type = TNC_SUBJECT_USER;
+						break;
+					case ID_RFC822_ADDR:
+						id_type = TNC_ID_RFC822_ADDR;
+						subject_type = TNC_SUBJECT_USER;
+						break;
+					case ID_DER_ASN1_DN:
+						id_type = TNC_ID_ASN1_DN;
+						subject_type = TNC_SUBJECT_USER;
+						break;
+					default:
+						id_type = TNC_ID_UNKNOWN;
+						subject_type = TNC_SUBJECT_UNKNOWN;
+				}
+				if (id_type != TNC_ID_UNKNOWN &&
+					asprintf(&id_str, "%Y", peer) >= 0)
+				{
+					id_value = chunk_from_str(id_str);
+					tnc_id = tncif_identity_create(
+								pen_type_create(PEN_TCG, id_type), id_value,
+								pen_type_create(PEN_TCG, subject_type),
+								pen_type_create(PEN_TCG,
+												tnccs->get_auth_type(tnccs)));
+					list->insert_last(list, tnc_id);
+				}
+			}
+			result = identity_attribute(buffer_len, buffer, value_len, list);
+			list->destroy_offset(list, offsetof(tncif_identity_t, destroy));
+			return result;
+		}
 		default:
 			return TNC_RESULT_INVALID_PARAMETER;
 	 }
diff --git a/src/libcharon/plugins/tnccs_11/Makefile.in b/src/libcharon/plugins/tnccs_11/Makefile.in
index be091b134..c74704f2d 100644
--- a/src/libcharon/plugins/tnccs_11/Makefile.in
+++ b/src/libcharon/plugins/tnccs_11/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.11.3 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
@@ -16,6 +16,23 @@
 @SET_MAKE@
 
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -116,6 +133,11 @@ LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
 	$(LDFLAGS) -o $@
 SOURCES = $(libstrongswan_tnccs_11_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_tnccs_11_la_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
@@ -132,6 +154,8 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -148,6 +172,7 @@ EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
@@ -216,8 +241,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -273,7 +296,6 @@ nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
@@ -377,7 +399,6 @@ clean-noinstLTLIBRARIES:
 	done
 install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
-	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
 	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
 	list2=; for p in $$list; do \
 	  if test -f $$p; then \
@@ -385,6 +406,8 @@ install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	  else :; fi; \
 	done; \
 	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \
 	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
 	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
 	}
diff --git a/src/libcharon/plugins/tnccs_11/batch/tnccs_batch.c b/src/libcharon/plugins/tnccs_11/batch/tnccs_batch.c
index b27458fde..660ba179d 100644
--- a/src/libcharon/plugins/tnccs_11/batch/tnccs_batch.c
+++ b/src/libcharon/plugins/tnccs_11/batch/tnccs_batch.c
@@ -23,6 +23,10 @@
 
 #include <libxml/parser.h>
 
+#define TNCCS_NS	"http://www.trustedcomputinggroup.org/IWG/TNC/1_0/IF_TNCCS#"
+#define SCHEMA_NS	"http://www.w3.org/2001/XMLSchema-instance"
+#define TNCCS_XSD	"https://www.trustedcomputinggroup.org/XML/SCHEMA/TNCCS_1.0.xsd"
+
 typedef struct private_tnccs_batch_t private_tnccs_batch_t;
 
 /**
@@ -91,7 +95,7 @@ METHOD(tnccs_batch_t, build, void,
 	int buf_size;
 
 	xmlDocDumpFormatMemory(this->doc, &xmlbuf, &buf_size, 1);
-	this->encoding = chunk_create((u_char*)xmlbuf, buf_size);
+	this->encoding = chunk_create(xmlbuf, buf_size);
 	this->encoding = chunk_clone(this->encoding);
 	xmlFree(xmlbuf);
 }
@@ -125,8 +129,7 @@ METHOD(tnccs_batch_t, process, status_t,
 	}
 
 	/* check TNCCS namespace */
-	ns = xmlSearchNsByHref(this->doc, cur, (const xmlChar*)
-				"http://www.trustedcomputinggroup.org/IWG/TNC/1_0/IF_TNCCS#");
+	ns = xmlSearchNsByHref(this->doc, cur, TNCCS_NS);
 	if (!ns)
 	{
 		error_type = TNCCS_ERROR_MALFORMED_BATCH;
@@ -135,7 +138,7 @@ METHOD(tnccs_batch_t, process, status_t,
 	}
 
 	/* check XML document type */
-	if (xmlStrcmp(cur->name, (const xmlChar*)"TNCCS-Batch"))
+	if (xmlStrcmp(cur->name, "TNCCS-Batch"))
 	{
 		error_type = TNCCS_ERROR_MALFORMED_BATCH;
 		error_msg = buf;
@@ -145,7 +148,7 @@ METHOD(tnccs_batch_t, process, status_t,
 	}
 
 	/* check presence of BatchID property */
-	batchid = xmlGetProp(cur, (const xmlChar*)"BatchId");
+	batchid = xmlGetProp(cur, "BatchId");
 	if (!batchid)
 	{
 		error_type = TNCCS_ERROR_INVALID_BATCH_ID;
@@ -166,7 +169,7 @@ METHOD(tnccs_batch_t, process, status_t,
 	}
 
 	/* check presence of Recipient property */
-	recipient = xmlGetProp(cur, (const xmlChar*)"Recipient");
+	recipient = xmlGetProp(cur, "Recipient");
 	if (!recipient)
 	{
 		error_type = TNCCS_ERROR_INVALID_RECIPIENT_TYPE;
@@ -175,12 +178,12 @@ METHOD(tnccs_batch_t, process, status_t,
 	}
 
 	/* check recipient */
-	if (!streq((char*)recipient, this->is_server ? "TNCS" : "TNCC"))
+	if (!streq(recipient, this->is_server ? "TNCS" : "TNCC"))
 	{
 		error_type = TNCCS_ERROR_INVALID_RECIPIENT_TYPE;
 		error_msg =	buf;
 		snprintf(buf, BUF_LEN, "message recipient expected '%s', got '%s'",
-				 this->is_server ? "TNCS" : "TNCC", (char*)recipient);
+				 this->is_server ? "TNCS" : "TNCC", recipient);
 		xmlFree(recipient);
 		goto fatal;
 	}
@@ -201,7 +204,7 @@ METHOD(tnccs_batch_t, process, status_t,
 		if (cur->ns != ns)
 		{
 			DBG1(DBG_TNC, "ignoring message node '%s' having wrong namespace",
-						  (char*)cur->name);
+						  cur->name);
 			continue;
 		}
 
@@ -260,8 +263,8 @@ tnccs_batch_t* tnccs_batch_create(bool is_server, int batch_id)
 {
 	private_tnccs_batch_t *this;
 	xmlNodePtr n;
+	xmlNsPtr ns_xsi;
 	char buf[12];
-	const char *recipient;
 
 	INIT(this,
 		.public = {
@@ -277,19 +280,17 @@ tnccs_batch_t* tnccs_batch_create(bool is_server, int batch_id)
 		.messages = linked_list_create(),
 		.errors = linked_list_create(),
 		.batch_id = batch_id,
-		.doc = xmlNewDoc(BAD_CAST "1.0"),
+		.doc = xmlNewDoc("1.0"),
 	);
 
 	DBG2(DBG_TNC, "creating TNCCS Batch #%d", this->batch_id);
-	n = xmlNewNode(NULL, BAD_CAST "TNCCS-Batch");
+	n = xmlNewNode(NULL, "TNCCS-Batch");
+	xmlNewNs(n, TNCCS_NS, NULL);
+	ns_xsi = xmlNewNs(n, SCHEMA_NS, "xsi");
 	snprintf(buf, sizeof(buf), "%d", batch_id);
-	recipient = this->is_server ? "TNCC" : "TNCS";
-	xmlNewProp(n, BAD_CAST "BatchId", BAD_CAST buf);
-	xmlNewProp(n, BAD_CAST "Recipient", BAD_CAST recipient);
-	xmlNewProp(n, BAD_CAST "xmlns", BAD_CAST "http://www.trustedcomputinggroup.org/IWG/TNC/1_0/IF_TNCCS#");
-	xmlNewProp(n, BAD_CAST "xmlns:xsi", BAD_CAST "http://www.w3.org/2001/XMLSchema-instance");
-	xmlNewProp(n, BAD_CAST "xsi:schemaLocation", BAD_CAST "http://www.trustedcomputinggroup.org/IWG/TNC/1_0/IF_TNCCS# "
-														  "https://www.trustedcomputinggroup.org/XML/SCHEMA/TNCCS_1.0.xsd");
+	xmlNewProp(n, "BatchId", buf);
+	xmlNewProp(n, "Recipient", this->is_server ? "TNCC" : "TNCS");
+	xmlNewNsProp(n, ns_xsi, "schemaLocation", TNCCS_NS " " TNCCS_XSD);
 	xmlDocSetRootElement(this->doc, n);
 
 	return &this->public;
diff --git a/src/libcharon/plugins/tnccs_11/messages/imc_imv_msg.c b/src/libcharon/plugins/tnccs_11/messages/imc_imv_msg.c
index cf3e58451..f0e821c8c 100644
--- a/src/libcharon/plugins/tnccs_11/messages/imc_imv_msg.c
+++ b/src/libcharon/plugins/tnccs_11/messages/imc_imv_msg.c
@@ -181,16 +181,16 @@ tnccs_msg_t *imc_imv_msg_create_from_node(xmlNodePtr node, linked_list_t *errors
 	cur = node->xmlChildrenNode;
 	while (cur)
 	{
-		if (streq((char*)cur->name, "Type") && cur->ns == ns)
+		if (streq(cur->name, "Type") && cur->ns == ns)
 		{
 			content = xmlNodeGetContent(cur);
-			this->msg_type = strtoul((char*)content, NULL, 16);
+			this->msg_type = strtoul(content, NULL, 16);
 			xmlFree(content);
 		}
-		else if (streq((char*)cur->name, "Base64") && cur->ns == ns)
+		else if (streq(cur->name, "Base64") && cur->ns == ns)
 		{
 			content = xmlNodeGetContent(cur);
-			b64_body = chunk_create((char*)content, strlen((char*)content));
+			b64_body = chunk_create(content, strlen(content));
 			this->msg_body = decode_base64(b64_body);
 			xmlFree(content);
 		}
@@ -221,21 +221,21 @@ tnccs_msg_t *imc_imv_msg_create(TNC_MessageType msg_type, chunk_t msg_body)
 			.get_msg_body = _get_msg_body,
 		},
 		.type = IMC_IMV_MSG,
-		.node = xmlNewNode(NULL, BAD_CAST "IMC-IMV-Message"),
+		.node = xmlNewNode(NULL, "IMC-IMV-Message"),
 		.msg_type = msg_type,
 		.msg_body = chunk_clone(msg_body),
 	);
 
 	/* add the message type number in hex */
-	n = xmlNewNode(NULL, BAD_CAST "Type");
+	n = xmlNewNode(NULL, "Type");
 	snprintf(buf, 10, "%08x", this->msg_type);
-	xmlNodeSetContent(n, BAD_CAST buf);
+	xmlNodeSetContent(n, buf);
 	xmlAddChild(this->node, n);
 
 	/* encode the message as a Base64 node */
-	n = xmlNewNode(NULL, BAD_CAST "Base64");
+	n = xmlNewNode(NULL, "Base64");
 	b64_body = encode_base64(this->msg_body);
-	xmlNodeSetContent(n, BAD_CAST b64_body.ptr);
+	xmlNodeSetContent(n, b64_body.ptr);
 	xmlAddChild(this->node, n);
 	free(b64_body.ptr);
 
diff --git a/src/libcharon/plugins/tnccs_11/messages/tnccs_error_msg.c b/src/libcharon/plugins/tnccs_11/messages/tnccs_error_msg.c
index ba92c26b1..86b7c6aa5 100644
--- a/src/libcharon/plugins/tnccs_11/messages/tnccs_error_msg.c
+++ b/src/libcharon/plugins/tnccs_11/messages/tnccs_error_msg.c
@@ -125,11 +125,11 @@ tnccs_msg_t *tnccs_error_msg_create_from_node(xmlNodePtr node)
 		.error_type = TNCCS_ERROR_OTHER,
 	);
 
-	error_type_name = xmlGetProp(node, (const xmlChar*)"type");
+	error_type_name = xmlGetProp(node, "type");
 	if (error_type_name)
 	{
 		this->error_type = enum_from_name(tnccs_error_type_names,
-										  (char*)error_type_name);
+										  error_type_name);
 		if (this->error_type == -1)
 		{
 			this->error_type = TNCCS_ERROR_OTHER;
@@ -140,7 +140,7 @@ tnccs_msg_t *tnccs_error_msg_create_from_node(xmlNodePtr node)
 	error_msg = xmlNodeGetContent(node);
 	if (error_msg)
 	{
-		this->error_msg = strdup((char*)error_msg);
+		this->error_msg = strdup(error_msg);
 		xmlFree(error_msg);
 	}
 
@@ -167,24 +167,23 @@ tnccs_msg_t *tnccs_error_msg_create(tnccs_error_type_t type, char *msg)
 		},
 		.type = TNCCS_MSG_ERROR,
 		.ref = 1,
-		.node =  xmlNewNode(NULL, BAD_CAST "TNCC-TNCS-Message"),
+		.node =  xmlNewNode(NULL, "TNCC-TNCS-Message"),
 		.error_type = type,
 		.error_msg  = strdup(msg),
 	);
 
 	DBG1(DBG_TNC, "%s", msg);
 
-	n = xmlNewNode(NULL, BAD_CAST "Type");
-	xmlNodeSetContent(n, BAD_CAST "00000002");
+	n = xmlNewNode(NULL, "Type");
+	xmlNodeSetContent(n, "00000002");
 	xmlAddChild(this->node, n);
 
-	n = xmlNewNode(NULL, BAD_CAST "XML");
+	n = xmlNewNode(NULL, "XML");
 	xmlAddChild(this->node, n);
 
-	n2 = xmlNewNode(NULL, BAD_CAST enum_to_name(tnccs_msg_type_names, this->type));
-	xmlNewProp(n2, BAD_CAST "type",
-				   BAD_CAST enum_to_name(tnccs_error_type_names, type));
-	xmlNodeSetContent(n2, BAD_CAST msg);
+	n2 = xmlNewNode(NULL, enum_to_name(tnccs_msg_type_names, this->type));
+	xmlNewProp(n2, "type", enum_to_name(tnccs_error_type_names, type));
+	xmlNodeSetContent(n2, msg);
 	xmlAddChild(n, n2);
 
 	return &this->public.tnccs_msg_interface;
diff --git a/src/libcharon/plugins/tnccs_11/messages/tnccs_msg.c b/src/libcharon/plugins/tnccs_11/messages/tnccs_msg.c
index 79c663905..fa5ce8239 100644
--- a/src/libcharon/plugins/tnccs_11/messages/tnccs_msg.c
+++ b/src/libcharon/plugins/tnccs_11/messages/tnccs_msg.c
@@ -57,15 +57,15 @@ tnccs_msg_t* tnccs_msg_create_from_node(xmlNodePtr node, linked_list_t *errors)
 
 		while (cur)
 		{
-			if (streq((char*)cur->name, "Type") && cur->ns == ns)
+			if (streq(cur->name, "Type") && cur->ns == ns)
 			{
 				xmlChar *content = xmlNodeGetContent(cur);
 
-				type = strtol((char*)content, NULL, 16);
+				type = strtol(content, NULL, 16);
 				xmlFree(content);
 				found = TRUE;
 			}
-			else if (streq((char*)cur->name, "XML") && cur->ns == ns)
+			else if (streq(cur->name, "XML") && cur->ns == ns)
 			{
 				xml_msg_node = cur->xmlChildrenNode;
 			}
diff --git a/src/libcharon/plugins/tnccs_11/messages/tnccs_preferred_language_msg.c b/src/libcharon/plugins/tnccs_11/messages/tnccs_preferred_language_msg.c
index e1c193e18..710269ba9 100644
--- a/src/libcharon/plugins/tnccs_11/messages/tnccs_preferred_language_msg.c
+++ b/src/libcharon/plugins/tnccs_11/messages/tnccs_preferred_language_msg.c
@@ -93,7 +93,7 @@ tnccs_msg_t *tnccs_preferred_language_msg_create_from_node(xmlNodePtr node,
 	);
 
 	language = xmlNodeGetContent(node);
-	this->preferred_language = strdup((char*)language);
+	this->preferred_language = strdup(language);
 	xmlFree(language);
 
 	return &this->public.tnccs_msg_interface;
@@ -117,20 +117,20 @@ tnccs_msg_t *tnccs_preferred_language_msg_create(char *language)
 			.get_preferred_language = _get_preferred_language,
 		},
 		.type = TNCCS_MSG_PREFERRED_LANGUAGE,
-		.node =  xmlNewNode(NULL, BAD_CAST "TNCC-TNCS-Message"),
+		.node =  xmlNewNode(NULL, "TNCC-TNCS-Message"),
 		.preferred_language = strdup(language),
 	);
 
 	/* add the message type number in hex */
-	n = xmlNewNode(NULL, BAD_CAST "Type");
-	xmlNodeSetContent(n, BAD_CAST "00000003");
+	n = xmlNewNode(NULL, "Type");
+	xmlNodeSetContent(n, "00000003");
 	xmlAddChild(this->node, n);
 
-	n = xmlNewNode(NULL, BAD_CAST "XML");
+	n = xmlNewNode(NULL, "XML");
 	xmlAddChild(this->node, n);
 
-	n2 = xmlNewNode(NULL, BAD_CAST enum_to_name(tnccs_msg_type_names, this->type));
-	xmlNodeSetContent(n2, BAD_CAST language);
+	n2 = xmlNewNode(NULL, enum_to_name(tnccs_msg_type_names, this->type));
+	xmlNodeSetContent(n2, language);
 	xmlAddChild(n, n2);
 
 	return &this->public.tnccs_msg_interface;
diff --git a/src/libcharon/plugins/tnccs_11/messages/tnccs_reason_strings_msg.c b/src/libcharon/plugins/tnccs_11/messages/tnccs_reason_strings_msg.c
index cf3c367d8..7c2f9b3f9 100644
--- a/src/libcharon/plugins/tnccs_11/messages/tnccs_reason_strings_msg.c
+++ b/src/libcharon/plugins/tnccs_11/messages/tnccs_reason_strings_msg.c
@@ -104,7 +104,7 @@ tnccs_msg_t *tnccs_reason_strings_msg_create_from_node(xmlNodePtr node,
 		.node = node,
 	);
 
-	if (xmlStrcmp(node->name, (const xmlChar*)"TNCCS-ReasonStrings"))
+	if (xmlStrcmp(node->name, "TNCCS-ReasonStrings"))
 	{
 		error_msg = "TNCCS-ReasonStrings tag expected";
 		goto fatal;
@@ -118,7 +118,7 @@ tnccs_msg_t *tnccs_reason_strings_msg_create_from_node(xmlNodePtr node,
 			child = child->next;
 			continue;
 		}
-		if (xmlStrcmp(child->name, (const xmlChar*)"ReasonString"))
+		if (xmlStrcmp(child->name, "ReasonString"))
 		{
 			error_msg = "ReasonString tag expected";
 			goto fatal;
@@ -126,15 +126,17 @@ tnccs_msg_t *tnccs_reason_strings_msg_create_from_node(xmlNodePtr node,
 		break;
 	}
 
-	lang_string = (char*)xmlGetProp(child, (const xmlChar*)"lang");
+	lang_string = xmlGetProp(child, "lang");
 	if (!lang_string)
 	{
-		lang_string = "";
+		lang_string = strdup("");
 	}
-	this->language = chunk_create(strdup(lang_string), strlen(lang_string));
+	this->language = chunk_clone(chunk_from_str(lang_string));
+	xmlFree(lang_string);
 
-	reason_string = (char*)xmlNodeGetContent(child);
-	this->reason = chunk_create(strdup(reason_string), strlen(reason_string));
+	reason_string = xmlNodeGetContent(child);
+	this->reason = chunk_clone(chunk_from_str(reason_string));
+	xmlFree(reason_string);
 
 	return &this->public.tnccs_msg_interface;
 
@@ -163,7 +165,7 @@ tnccs_msg_t *tnccs_reason_strings_msg_create(chunk_t reason, chunk_t language)
 			.get_reason = _get_reason,
 		},
 		.type = TNCCS_MSG_REASON_STRINGS,
-		.node =  xmlNewNode(NULL, BAD_CAST "TNCC-TNCS-Message"),
+		.node =  xmlNewNode(NULL, "TNCC-TNCS-Message"),
 		.reason = chunk_create_clone(malloc(reason.len + 1), reason),
 		.language = chunk_create_clone(malloc(language.len + 1), language),
 	);
@@ -173,20 +175,20 @@ tnccs_msg_t *tnccs_reason_strings_msg_create(chunk_t reason, chunk_t language)
 	this->language.ptr[this->language.len] = '\0';
 
 	/* add the message type number in hex */
-	n = xmlNewNode(NULL, BAD_CAST "Type");
-	xmlNodeSetContent(n, BAD_CAST "00000004");
+	n = xmlNewNode(NULL, "Type");
+	xmlNodeSetContent(n, "00000004");
 	xmlAddChild(this->node, n);
 
-	n = xmlNewNode(NULL, BAD_CAST "XML");
+	n = xmlNewNode(NULL, "XML");
 	xmlAddChild(this->node, n);
 
-	n2 = xmlNewNode(NULL, BAD_CAST enum_to_name(tnccs_msg_type_names, this->type));
+	n2 = xmlNewNode(NULL, enum_to_name(tnccs_msg_type_names, this->type));
 
 	/* could add multiple reasons here, if we had them */
 
-	n3 = xmlNewNode(NULL, BAD_CAST "ReasonString");
-	xmlNewProp(n3, BAD_CAST "xml:lang", BAD_CAST this->language.ptr);
-	xmlNodeSetContent(n3, BAD_CAST this->reason.ptr);
+	n3 = xmlNewNode(NULL, "ReasonString");
+	xmlNewProp(n3, "xml:lang", this->language.ptr);
+	xmlNodeSetContent(n3, this->reason.ptr);
 	xmlAddChild(n2, n3);
 	xmlAddChild(n, n2);
 
diff --git a/src/libcharon/plugins/tnccs_11/messages/tnccs_recommendation_msg.c b/src/libcharon/plugins/tnccs_11/messages/tnccs_recommendation_msg.c
index 32e123b2e..013e0c7ed 100644
--- a/src/libcharon/plugins/tnccs_11/messages/tnccs_recommendation_msg.c
+++ b/src/libcharon/plugins/tnccs_11/messages/tnccs_recommendation_msg.c
@@ -95,21 +95,21 @@ tnccs_msg_t *tnccs_recommendation_msg_create_from_node(xmlNodePtr node,
 		.node = node,
 	);
 
-	rec_string = xmlGetProp(node, (const xmlChar*)"type");
+	rec_string = xmlGetProp(node, "type");
 	if (!rec_string)
 	{
 		error_msg = "type property in TNCCS-Recommendation is missing";
 		goto fatal;
 	}
-	else if (streq((char*)rec_string, "allow"))
+	else if (streq(rec_string, "allow"))
 	{
 		this->rec = TNC_IMV_ACTION_RECOMMENDATION_ALLOW;
 	}
-	else if (streq((char*)rec_string, "isolate"))
+	else if (streq(rec_string, "isolate"))
 	{
 		this->rec = TNC_IMV_ACTION_RECOMMENDATION_ISOLATE;
 	}
-	else if (streq((char*)rec_string, "none"))
+	else if (streq(rec_string, "none"))
 	{
 		this->rec = TNC_IMV_ACTION_RECOMMENDATION_NO_ACCESS;
 	}
@@ -151,16 +151,16 @@ tnccs_msg_t *tnccs_recommendation_msg_create(TNC_IMV_Action_Recommendation rec)
 			.get_recommendation = _get_recommendation,
 		},
 		.type = TNCCS_MSG_RECOMMENDATION,
-		.node =  xmlNewNode(NULL, BAD_CAST "TNCC-TNCS-Message"),
+		.node =  xmlNewNode(NULL, "TNCC-TNCS-Message"),
 		.rec = rec,
 	);
 
 	/* add the message type number in hex */
-	n = xmlNewNode(NULL, BAD_CAST "Type");
-	xmlNodeSetContent(n, BAD_CAST "00000001");
+	n = xmlNewNode(NULL, "Type");
+	xmlNodeSetContent(n, "00000001");
 	xmlAddChild(this->node, n);
 
-	n = xmlNewNode(NULL, BAD_CAST "XML");
+	n = xmlNewNode(NULL, "XML");
 	xmlAddChild(this->node, n);
 
 	switch (rec)
@@ -177,8 +177,8 @@ tnccs_msg_t *tnccs_recommendation_msg_create(TNC_IMV_Action_Recommendation rec)
 			rec_string = "none";
 	}
 
-	n2 = xmlNewNode(NULL, BAD_CAST enum_to_name(tnccs_msg_type_names, this->type));
-	xmlNewProp(n2, BAD_CAST "type", BAD_CAST rec_string);
+	n2 = xmlNewNode(NULL, enum_to_name(tnccs_msg_type_names, this->type));
+	xmlNewProp(n2, BAD_CAST "type", rec_string);
 	xmlNodeSetContent(n2, "");
 	xmlAddChild(n, n2);
 
diff --git a/src/libcharon/plugins/tnccs_11/messages/tnccs_tncs_contact_info_msg.c b/src/libcharon/plugins/tnccs_11/messages/tnccs_tncs_contact_info_msg.c
index fe288f01d..0d3e1c2a0 100644
--- a/src/libcharon/plugins/tnccs_11/messages/tnccs_tncs_contact_info_msg.c
+++ b/src/libcharon/plugins/tnccs_11/messages/tnccs_tncs_contact_info_msg.c
@@ -97,20 +97,20 @@ tnccs_msg_t *tnccs_tncs_contact_info_msg_create(void)
 			},
 		},
 		.type = TNCCS_MSG_TNCS_CONTACT_INFO,
-		.node =  xmlNewNode(NULL, BAD_CAST "TNCC-TNCS-Message"),
+		.node =  xmlNewNode(NULL, "TNCC-TNCS-Message"),
 	);
 
 	/* add the message type number in hex */
-	n = xmlNewNode(NULL, BAD_CAST "Type");
-	xmlNodeSetContent(n, BAD_CAST "00000005");
+	n = xmlNewNode(NULL, "Type");
+	xmlNodeSetContent(n, "00000005");
 	xmlAddChild(this->node, n);
 
-	n = xmlNewNode(NULL, BAD_CAST "XML");
+	n = xmlNewNode(NULL, "XML");
 	xmlAddChild(this->node, n);
 
 /* TODO
-	n2 = xmlNewNode(NULL, BAD_CAST enum_to_name(tnccs_msg_type_names, this->type));
-	xmlNodeSetContent(n2, BAD_CAST language);
+	n2 = xmlNewNode(NULL, enum_to_name(tnccs_msg_type_names, this->type));
+	xmlNodeSetContent(n2, language);
 	xmlAddChild(n, n2);
 */
 
diff --git a/src/libcharon/plugins/tnccs_11/tnccs_11.c b/src/libcharon/plugins/tnccs_11/tnccs_11.c
index cfc29d6ab..53817c710 100644
--- a/src/libcharon/plugins/tnccs_11/tnccs_11.c
+++ b/src/libcharon/plugins/tnccs_11/tnccs_11.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2010-2012 Andreas Steffen
+ * Copyright (C) 2010-2013 Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -43,15 +43,35 @@ typedef struct private_tnccs_11_t private_tnccs_11_t;
 struct private_tnccs_11_t {
 
 	/**
-	 * Public tls_t interface.
+	 * Public tnccs_t interface.
 	 */
-	tls_t public;
+	tnccs_t public;
 
 	/**
 	 * TNCC if TRUE, TNCS if FALSE
 	 */
 	bool is_server;
 
+	/**
+	 * Server identity
+	 */
+	identification_t *server;
+
+	/**
+	 * Client identity
+	 */
+	identification_t *peer;
+
+	/**
+	 * Underlying TNC IF-T transport protocol
+	 */
+	tnc_ift_type_t transport;
+
+	/**
+	 * Type of TNC client authentication
+	 */
+	u_int32_t auth_type;
+
 	/**
 	 * Connection ID assigned to this TNCCS connection
 	 */
@@ -495,6 +515,18 @@ METHOD(tls_t, is_server, bool,
 	return this->is_server;
 }
 
+METHOD(tls_t, get_server_id, identification_t*,
+	private_tnccs_11_t *this)
+{
+	return this->server;
+}
+
+METHOD(tls_t, get_peer_id, identification_t*,
+	private_tnccs_11_t *this)
+{
+	return this->peer;
+}
+
 METHOD(tls_t, get_purpose, tls_purpose_t,
 	private_tnccs_11_t *this)
 {
@@ -528,29 +560,69 @@ METHOD(tls_t, destroy, void,
 {
 	tnc->tnccs->remove_connection(tnc->tnccs, this->connection_id,
 											  this->is_server);
+	this->server->destroy(this->server);
+	this->peer->destroy(this->peer);
 	this->mutex->destroy(this->mutex);
 	DESTROY_IF(this->batch);
 	free(this);
 }
 
+METHOD(tnccs_t, get_transport, tnc_ift_type_t,
+	private_tnccs_11_t *this)
+{
+	return this->transport;
+}
+
+METHOD(tnccs_t, set_transport, void,
+	private_tnccs_11_t *this, tnc_ift_type_t transport)
+{
+	this->transport = transport;
+}
+
+METHOD(tnccs_t, get_auth_type, u_int32_t,
+	private_tnccs_11_t *this)
+{
+	return this->auth_type;
+}
+
+METHOD(tnccs_t, set_auth_type, void,
+	private_tnccs_11_t *this, u_int32_t auth_type)
+{
+	this->auth_type = auth_type;
+}
+
 /**
  * See header
  */
-tls_t *tnccs_11_create(bool is_server)
+tnccs_t* tnccs_11_create(bool is_server,
+						 identification_t *server,
+						 identification_t *peer,
+						 tnc_ift_type_t transport)
 {
 	private_tnccs_11_t *this;
 
 	INIT(this,
 		.public = {
-			.process = _process,
-			.build = _build,
-			.is_server = _is_server,
-			.get_purpose = _get_purpose,
-			.is_complete = _is_complete,
-			.get_eap_msk = _get_eap_msk,
-			.destroy = _destroy,
+			.tls = {
+				.process = _process,
+				.build = _build,
+				.is_server = _is_server,
+				.get_server_id = _get_server_id,
+				.get_peer_id = _get_peer_id,
+				.get_purpose = _get_purpose,
+				.is_complete = _is_complete,
+				.get_eap_msk = _get_eap_msk,
+				.destroy = _destroy,
+			},
+			.get_transport = _get_transport,
+			.set_transport = _set_transport,
+			.get_auth_type = _get_auth_type,
+			.set_auth_type = _set_auth_type,
 		},
 		.is_server = is_server,
+		.server = server->clone(server),
+		.peer = peer->clone(peer),
+		.transport = transport,
 		.mutex = mutex_create(MUTEX_TYPE_DEFAULT),
 		.max_msg_len = lib->settings->get_int(lib->settings,
 								"%s.plugins.tnccs-11.max_message_size", 45000,
diff --git a/src/libcharon/plugins/tnccs_11/tnccs_11.h b/src/libcharon/plugins/tnccs_11/tnccs_11.h
index 7331fc8cd..531ebb611 100644
--- a/src/libcharon/plugins/tnccs_11/tnccs_11.h
+++ b/src/libcharon/plugins/tnccs_11/tnccs_11.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2010 Andreas Steffen
+ * Copyright (C) 2010-2013 Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -23,14 +23,20 @@
 
 #include <library.h>
 
-#include <tls.h>
+#include <tnc/tnccs/tnccs.h>
 
 /**
  * Create an instance of the TNC IF-TNCCS 1.1 protocol handler.
  *
- * @param is_server			TRUE to act as TNC Server, FALSE for TNC Client
- * @return					TNC_IF_TNCCS 1.1 protocol stack
+ * @param is_server		TRUE to act as TNC Server, FALSE for TNC Client
+ * @param server		Server identity
+ * @param peer			Client identity
+ * @param transport		Underlying IF-T transport protocol
+ * @return				TNC_IF_TNCCS 1.1 protocol stack
  */
-tls_t *tnccs_11_create(bool is_server);
+tnccs_t* tnccs_11_create(bool is_server,
+						 identification_t *server,
+						 identification_t *peer,
+						 tnc_ift_type_t transport);
 
 #endif /** TNCCS_11_H_ @}*/
diff --git a/src/libcharon/plugins/tnccs_11/tnccs_11_plugin.c b/src/libcharon/plugins/tnccs_11/tnccs_11_plugin.c
index cd95afb1e..f534af008 100644
--- a/src/libcharon/plugins/tnccs_11/tnccs_11_plugin.c
+++ b/src/libcharon/plugins/tnccs_11/tnccs_11_plugin.c
@@ -30,8 +30,6 @@ METHOD(plugin_t, get_features, int,
 	static plugin_feature_t f[] = {
 		PLUGIN_CALLBACK(tnccs_method_register, tnccs_11_create),
 			PLUGIN_PROVIDE(CUSTOM, "tnccs-1.1"),
-				PLUGIN_DEPENDS(EAP_SERVER, EAP_TNC),
-				PLUGIN_DEPENDS(EAP_PEER, EAP_TNC),
 				PLUGIN_DEPENDS(CUSTOM, "tnccs-manager"),
 	};
 	*features = f;
@@ -61,4 +59,3 @@ plugin_t *tnccs_11_plugin_create()
 
 	return &this->plugin;
 }
-
diff --git a/src/libcharon/plugins/tnccs_20/Makefile.in b/src/libcharon/plugins/tnccs_20/Makefile.in
index 60c8e562e..f0cb9fa54 100644
--- a/src/libcharon/plugins/tnccs_20/Makefile.in
+++ b/src/libcharon/plugins/tnccs_20/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.11.3 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
@@ -16,6 +16,23 @@
 @SET_MAKE@
 
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -114,6 +131,11 @@ LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
 	$(LDFLAGS) -o $@
 SOURCES = $(libstrongswan_tnccs_20_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_tnccs_20_la_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
@@ -130,6 +152,8 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -146,6 +170,7 @@ EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
@@ -214,8 +239,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -271,7 +294,6 @@ nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
@@ -380,7 +402,6 @@ clean-noinstLTLIBRARIES:
 	done
 install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
-	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
 	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
 	list2=; for p in $$list; do \
 	  if test -f $$p; then \
@@ -388,6 +409,8 @@ install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	  else :; fi; \
 	done; \
 	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \
 	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
 	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
 	}
diff --git a/src/libcharon/plugins/tnccs_20/batch/pb_tnc_batch.c b/src/libcharon/plugins/tnccs_20/batch/pb_tnc_batch.c
index 3a2c70f5a..d87e0ccea 100644
--- a/src/libcharon/plugins/tnccs_20/batch/pb_tnc_batch.c
+++ b/src/libcharon/plugins/tnccs_20/batch/pb_tnc_batch.c
@@ -201,7 +201,7 @@ METHOD(pb_tnc_batch_t, build, void,
 	}
 	enumerator->destroy(enumerator);
 
-	this->encoding = chunk_clone(writer->get_buf(writer));
+	this->encoding = writer->extract_buf(writer);
 	writer->destroy(writer);
 }
 
@@ -386,6 +386,13 @@ static status_t process_tnc_msg(private_pb_tnc_batch_t *this)
 	}
 	else
 	{
+		if (msg_type == PB_MSG_EXPERIMENTAL && noskip_flag)
+		{
+			DBG1(DBG_TNC, "reject PB-Experimental message with NOSKIP flag set");
+			msg = pb_error_msg_create_with_offset(TRUE, PEN_IETF,
+							PB_ERROR_UNSUPPORTED_MANDATORY_MSG, this->offset);
+			goto fatal;
+		}
 		if (pb_tnc_msg_infos[msg_type].has_noskip_flag != TRUE_OR_FALSE &&
 			pb_tnc_msg_infos[msg_type].has_noskip_flag != noskip_flag)
 		{
diff --git a/src/libcharon/plugins/tnccs_20/messages/pb_pa_msg.c b/src/libcharon/plugins/tnccs_20/messages/pb_pa_msg.c
index 2d2c1316b..aa5e9c723 100644
--- a/src/libcharon/plugins/tnccs_20/messages/pb_pa_msg.c
+++ b/src/libcharon/plugins/tnccs_20/messages/pb_pa_msg.c
@@ -166,6 +166,7 @@ METHOD(pb_tnc_msg_t, process, status_t,
 	{
 		DBG1(DBG_TNC, "PA Subtype 0x%08x is reserved", PA_RESERVED_SUBTYPE);
 		*offset = 4;
+		return FAILED;
 	}
 
 	return SUCCESS;
diff --git a/src/libcharon/plugins/tnccs_20/messages/pb_remediation_parameters_msg.c b/src/libcharon/plugins/tnccs_20/messages/pb_remediation_parameters_msg.c
index 63d94b94d..2ef8dd6cd 100644
--- a/src/libcharon/plugins/tnccs_20/messages/pb_remediation_parameters_msg.c
+++ b/src/libcharon/plugins/tnccs_20/messages/pb_remediation_parameters_msg.c
@@ -66,24 +66,24 @@ struct private_pb_remediation_parameters_msg_t {
 	pb_tnc_msg_type_t type;
 
 	/**
-	 * Remediation Parameters Vendor ID
+	 * Remediation Parameters Type
 	 */
-	u_int32_t vendor_id;
+	pen_type_t parameters_type;
 
 	/**
-	 * Remediation Parameters Type
+	 * Remediation Parameters
 	 */
-	u_int32_t parameters_type;
+	chunk_t parameters;
 
 	/**
-	 * Remediation Parameters string
+	 * Remediation String
 	 */
-	chunk_t remediation_string;
+	chunk_t string;
 
 	/**
-	 * Language code
+	 * Remediation Language Code
 	 */
-	chunk_t language_code;
+	chunk_t lang_code;
 
 	/**
 	 * Encoded message
@@ -113,10 +113,9 @@ METHOD(pb_tnc_msg_t, build, void,
 		return;
 	}
 	writer = bio_writer_create(64);
-	writer->write_uint32(writer, this->vendor_id);
-	writer->write_uint32(writer, this->parameters_type);
-	writer->write_data32(writer, this->remediation_string);
-	writer->write_data8 (writer, this->language_code);
+	writer->write_uint32(writer, this->parameters_type.vendor_id);
+	writer->write_uint32(writer, this->parameters_type.type);
+	writer->write_data32(writer, this->parameters);
 
 	this->encoding = writer->get_buf(writer);
 	this->encoding = chunk_clone(this->encoding);
@@ -127,83 +126,103 @@ METHOD(pb_tnc_msg_t, process, status_t,
 	private_pb_remediation_parameters_msg_t *this, u_int32_t *offset)
 {
 	bio_reader_t *reader;
+	u_int8_t reserved;
+	status_t status = SUCCESS;
+	u_char *pos;
+
+	*offset = 0;
 
 	/* process message */
 	reader = bio_reader_create(this->encoding);
-	reader->read_uint32(reader, &this->vendor_id);
-	reader->read_uint32(reader, &this->parameters_type);
+	reader->read_uint8 (reader, &reserved);
+	reader->read_uint24(reader, &this->parameters_type.vendor_id);
+	reader->read_uint32(reader, &this->parameters_type.type);
+	reader->read_data  (reader, reader->remaining(reader), &this->parameters);
 
-	if (!reader->read_data32(reader, &this->remediation_string))
+	this->parameters = chunk_clone(this->parameters);
+	reader->destroy(reader);
+
+	if (this->parameters_type.vendor_id == PEN_IETF &&
+		this->parameters_type.type == PB_REMEDIATION_STRING)
 	{
-		DBG1(DBG_TNC, "could not parse remediation string");
-		reader->destroy(reader);
+		reader = bio_reader_create(this->parameters);
+		status = FAILED;
 		*offset = 8;
-		return FAILED;
-	};
-	this->remediation_string = chunk_clone(this->remediation_string);
 
-	if (this->remediation_string.len &&
-		this->remediation_string.ptr[this->remediation_string.len-1] == '\0')
-	{
-		DBG1(DBG_TNC, "remediation string must not be null terminated");
+		if (!reader->read_data32(reader, &this->string))
+		{
+			DBG1(DBG_TNC, "insufficient data for remediation string");
+			goto end;
+		};
+		*offset += 4;
+
+		pos = memchr(this->string.ptr, '\0', this->string.len);
+		if (pos)
+		{
+			DBG1(DBG_TNC, "nul termination in remediation string");
+			*offset += (pos - this->string.ptr);
+			goto end;
+		}
+		*offset += this->string.len;
+
+		if (!reader->read_data8(reader, &this->lang_code))
+		{
+			DBG1(DBG_TNC, "insufficient data for remediation string lang code");
+			goto end;
+		};
+		*offset += 1;
+
+		pos = memchr(this->lang_code.ptr, '\0', this->lang_code.len);
+
+		if (pos)
+		{
+			DBG1(DBG_TNC, "nul termination in remediation string lang code");
+			*offset += (pos - this->lang_code.ptr);
+			goto end;
+		}
+		status = SUCCESS;
+
+end:
 		reader->destroy(reader);
-		*offset = 11 + this->remediation_string.len;
-		return FAILED;
 	}
-
-	if (!reader->read_data8(reader, &this->language_code))
-	{
-		DBG1(DBG_TNC, "could not parse language code");
-		reader->destroy(reader);
-		*offset = 12 + this->remediation_string.len;
-		return FAILED;
-	};
-	this->language_code = chunk_clone(this->language_code);
-	reader->destroy(reader);
-
-	if (this->language_code.len &&
-		this->language_code.ptr[this->language_code.len-1] == '\0')
-	{
-		DBG1(DBG_TNC, "language code must not be null terminated");
-		*offset = 12 + this->remediation_string.len + this->language_code.len;
-		return FAILED;
-	}
-
-	return SUCCESS;
+	return status;
 }
 
 METHOD(pb_tnc_msg_t, destroy, void,
 	private_pb_remediation_parameters_msg_t *this)
 {
 	free(this->encoding.ptr);
-	free(this->remediation_string.ptr);
-	free(this->language_code.ptr);
+	free(this->parameters.ptr);
 	free(this);
 }
 
-METHOD(pb_remediation_parameters_msg_t, get_vendor_id, u_int32_t,
-	private_pb_remediation_parameters_msg_t *this, u_int32_t *type)
+METHOD(pb_remediation_parameters_msg_t, get_parameters_type, pen_type_t,
+	private_pb_remediation_parameters_msg_t *this)
 {
-	*type = this->parameters_type;
-	return this->vendor_id;
+	return this->parameters_type;
 }
 
-METHOD(pb_remediation_parameters_msg_t, get_remediation_string, chunk_t,
+METHOD(pb_remediation_parameters_msg_t, get_parameters, chunk_t,
 	private_pb_remediation_parameters_msg_t *this)
 {
-	return this->remediation_string;
+	return this->parameters;
 }
 
-METHOD(pb_remediation_parameters_msg_t, get_language_code, chunk_t,
-	private_pb_remediation_parameters_msg_t *this)
+METHOD(pb_remediation_parameters_msg_t, get_string, chunk_t,
+	private_pb_remediation_parameters_msg_t *this, chunk_t *lang_code)
 {
-	return this->language_code;
+	if (lang_code)
+	{
+		*lang_code = this->lang_code;
+	}
+	return this->string;
 }
 
 /**
  * See header
  */
-pb_tnc_msg_t *pb_remediation_parameters_msg_create_from_data(chunk_t data)
+pb_tnc_msg_t* pb_remediation_parameters_msg_create(pen_type_t parameters_type,
+												   chunk_t parameters)
 {
 	private_pb_remediation_parameters_msg_t *this;
 
@@ -216,24 +235,56 @@ pb_tnc_msg_t *pb_remediation_parameters_msg_create_from_data(chunk_t data)
 				.process = _process,
 				.destroy = _destroy,
 			},
-			.get_vendor_id = _get_vendor_id,
-			.get_remediation_string = _get_remediation_string,
-			.get_language_code = _get_language_code,
+			.get_parameters_type = _get_parameters_type,
+			.get_parameters = _get_parameters,
+			.get_uri = _get_parameters,
+			.get_string = _get_string,
 		},
-		.type = PB_MSG_REASON_STRING,
-		.encoding = chunk_clone(data),
+		.type = PB_MSG_REMEDIATION_PARAMETERS,
+		.parameters_type = parameters_type,
+		.parameters = chunk_clone(parameters),
 	);
 
 	return &this->public.pb_interface;
 }
 
+/**
+ * Described in header.
+ */
+pb_tnc_msg_t* pb_remediation_parameters_msg_create_from_uri(chunk_t uri)
+{
+	pen_type_t type = { PEN_IETF, PB_REMEDIATION_URI };
+
+	return pb_remediation_parameters_msg_create(type, uri);
+}
+
+/**
+ * Described in header.
+ */
+pb_tnc_msg_t* pb_remediation_parameters_msg_create_from_string(chunk_t string,
+															   chunk_t lang_code)
+{
+	pb_tnc_msg_t *msg;
+	bio_writer_t *writer;
+	pen_type_t type = { PEN_IETF, PB_REMEDIATION_STRING };
+
+	/* limit language code to 255 octets */
+	lang_code.len = min(255, lang_code.len);
+
+	writer = bio_writer_create(4 + string.len + 1 + lang_code.len);
+	writer->write_data32(writer, string);
+	writer->write_data8 (writer, lang_code);
+
+	msg = pb_remediation_parameters_msg_create(type, writer->get_buf(writer));
+	writer->destroy(writer);
+
+	return msg;
+}
+
 /**
  * See header
  */
-pb_tnc_msg_t* pb_remediation_parameters_msg_create(u_int32_t vendor_id,
-												   u_int32_t type,
-												   chunk_t remediation_string,
-												   chunk_t language_code)
+pb_tnc_msg_t *pb_remediation_parameters_msg_create_from_data(chunk_t data)
 {
 	private_pb_remediation_parameters_msg_t *this;
 
@@ -246,16 +297,15 @@ pb_tnc_msg_t* pb_remediation_parameters_msg_create(u_int32_t vendor_id,
 				.process = _process,
 				.destroy = _destroy,
 			},
-			.get_vendor_id = _get_vendor_id,
-			.get_remediation_string = _get_remediation_string,
-			.get_language_code = _get_language_code,
+			.get_parameters_type = _get_parameters_type,
+			.get_parameters = _get_parameters,
+			.get_uri = _get_parameters,
+			.get_string = _get_string,
 		},
-		.type = PB_MSG_REASON_STRING,
-		.vendor_id = vendor_id,
-		.parameters_type = type,
-		.remediation_string = chunk_clone(remediation_string),
-		.language_code = chunk_clone(language_code),
+		.type = PB_MSG_REMEDIATION_PARAMETERS,
+		.encoding = chunk_clone(data),
 	);
 
 	return &this->public.pb_interface;
 }
+
diff --git a/src/libcharon/plugins/tnccs_20/messages/pb_remediation_parameters_msg.h b/src/libcharon/plugins/tnccs_20/messages/pb_remediation_parameters_msg.h
index 258d495ec..f3a1c1009 100644
--- a/src/libcharon/plugins/tnccs_20/messages/pb_remediation_parameters_msg.h
+++ b/src/libcharon/plugins/tnccs_20/messages/pb_remediation_parameters_msg.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2010 Andreas Steffen
+ * Copyright (C) 2011-2013 Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -26,6 +26,8 @@ typedef struct pb_remediation_parameters_msg_t pb_remediation_parameters_msg_t;
 
 #include "pb_tnc_msg.h"
 
+#include <pen/pen.h>
+
 /**
  * PB-TNC Remediation Parameter Types as defined in section 4.8.1 of RFC 5793
  */
@@ -50,41 +52,61 @@ struct pb_remediation_parameters_msg_t {
 	pb_tnc_msg_t pb_interface;
 
 	/**
-	 * Get Remediation Parameters Vendor ID and Type
+	 * Get the Remediation Parameters Type (Vendor ID and Type)
 	 *
-	 * @param type				Remediation Parameters Type
-	 * @return					Remediation Parameters Vendor ID
+	 * @return				Remediation Parameters Type
 	 */
-	u_int32_t (*get_vendor_id)(pb_remediation_parameters_msg_t *this,
-							   u_int32_t *type);
+	pen_type_t (*get_parameters_type)(pb_remediation_parameters_msg_t *this);
 
 	/**
-	 * Get Remediation String
+	 * Get the Remediation Parameters
 	 *
-	 * @return					Remediation String
+	 * @return				Remediation Parameters
 	 */
-	chunk_t (*get_remediation_string)(pb_remediation_parameters_msg_t *this);
+	chunk_t (*get_parameters)(pb_remediation_parameters_msg_t *this);
 
 	/**
-	 * Get Reason String Language Code
+	 * Get the Remediation URI
 	 *
-	 * @return					Language Code
+	 * @return				Remediation URI
 	 */
-	chunk_t (*get_language_code)(pb_remediation_parameters_msg_t *this);
+	chunk_t (*get_uri)(pb_remediation_parameters_msg_t *this);
+
+	/**
+	 * Get the Remediation String
+	 *
+	 * @param lang_code		Optional Language Code
+	 * @return				Remediation String
+	 */
+	chunk_t (*get_string)(pb_remediation_parameters_msg_t *this,
+						  chunk_t *lang_code);
+
 };
 
 /**
- * Create a PB-Remediation-Parameters message from parameters
+ * Create a general PB-Remediation-Parameters message
+ *
+ * @param parameters_type	Remediation Parameters Type
+ * @param parameters		Remediation Parameters
+ */
+pb_tnc_msg_t* pb_remediation_parameters_msg_create(pen_type_t parameters_type,
+												   chunk_t parameters);
+
+/**
+ * Create a PB-Remediation-Parameters message of IETF Type Remediation URI
+ *
+ * @param uri				Remediation URI
+ */
+pb_tnc_msg_t* pb_remediation_parameters_msg_create_from_uri(chunk_t uri);
+
+/**
+ * Create a PB-Remediation-Parameters message of IETF Type Remediation String
  *
- * @param vendor_id				Remediation Parameters Vendor ID
- * @param type					Remediation Parameters Type		
- * @param remediation_string	Remediation String
- * @param language_code			Language Code
+ * @param string			Remediation String
+ * @param lang_code			Remediation String Language Code
  */
-pb_tnc_msg_t* pb_remediation_parameters_msg_create(u_int32_t vendor_id,
-												   u_int32_t type,
-												   chunk_t remediation_string,
-												   chunk_t language_code);
+pb_tnc_msg_t* pb_remediation_parameters_msg_create_from_string(chunk_t string,
+															   chunk_t lang_code);
 
 /**
  * Create an unprocessed PB-Remediation-Parameters message from raw data
diff --git a/src/libcharon/plugins/tnccs_20/tnccs_20.c b/src/libcharon/plugins/tnccs_20/tnccs_20.c
index 6239b152d..29a161e69 100644
--- a/src/libcharon/plugins/tnccs_20/tnccs_20.c
+++ b/src/libcharon/plugins/tnccs_20/tnccs_20.c
@@ -1,6 +1,6 @@
 /*
  * Copyright (C) 2010 Sansar Choinyanbuu
- * Copyright (C) 2010-2012 Andreas Steffen
+ * Copyright (C) 2010-2013 Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -48,15 +48,35 @@ typedef struct private_tnccs_20_t private_tnccs_20_t;
 struct private_tnccs_20_t {
 
 	/**
-	 * Public tls_t interface.
+	 * Public tnccs_t interface.
 	 */
-	tls_t public;
+	tnccs_t public;
 
 	/**
 	 * TNCC if TRUE, TNCS if FALSE
 	 */
 	bool is_server;
 
+	/**
+	 * Server identity
+	 */
+	identification_t *server;
+
+	/**
+	 * Client identity
+	 */
+	identification_t *peer;
+
+	/**
+	 * Underlying TNC IF-T transport protocol
+	 */
+	tnc_ift_type_t transport;
+
+	/**
+	 * Type of TNC client authentication
+	 */
+	u_int32_t auth_type;
+
 	/**
 	 * PB-TNC State Machine
 	 */
@@ -291,7 +311,36 @@ static void handle_message(private_tnccs_20_t *this, pb_tnc_msg_t *msg)
 		}
 		case PB_MSG_REMEDIATION_PARAMETERS:
 		{
-			/* TODO : Remediation parameters message processing */
+			pb_remediation_parameters_msg_t *rem_msg;
+			pen_type_t parameters_type;
+			chunk_t parameters, string, lang_code;
+
+			rem_msg = (pb_remediation_parameters_msg_t*)msg;
+			parameters_type = rem_msg->get_parameters_type(rem_msg);
+			parameters = rem_msg->get_parameters(rem_msg);
+
+			if (parameters_type.vendor_id == PEN_IETF)
+			{
+				switch (parameters_type.type)
+				{
+					case PB_REMEDIATION_URI:
+						DBG1(DBG_TNC, "remediation uri: %.*s",
+									   parameters.len, parameters.ptr);
+						break;
+					case PB_REMEDIATION_STRING:
+						string = rem_msg->get_string(rem_msg, &lang_code);
+						DBG1(DBG_TNC, "remediation string: [%.*s]\n%.*s",
+									   lang_code.len, lang_code.ptr,
+									   string.len, string.ptr);
+						break;
+					default:
+						DBG1(DBG_TNC, "remediation parameters: %B", &parameters);
+				}
+			}
+			else
+			{
+				DBG1(DBG_TNC, "remediation parameters: %B", &parameters);
+			}
 			break;
 		}
 		case PB_MSG_ERROR:
@@ -356,9 +405,12 @@ static void handle_message(private_tnccs_20_t *this, pb_tnc_msg_t *msg)
 			lang_msg = (pb_language_preference_msg_t*)msg;
 			lang = lang_msg->get_language_preference(lang_msg);
 
-			DBG2(DBG_TNC, "setting language preference to '%.*s'",
-						   (int)lang.len, lang.ptr);
-			this->recs->set_preferred_language(this->recs, lang);
+			if (this->recs)
+			{
+				DBG2(DBG_TNC, "setting language preference to '%.*s'",
+					 (int)lang.len, lang.ptr);
+				this->recs->set_preferred_language(this->recs, lang);
+			}
 			break;
 		}
 		case PB_MSG_REASON_STRING:
@@ -759,6 +811,18 @@ METHOD(tls_t, is_server, bool,
 	return this->is_server;
 }
 
+METHOD(tls_t, get_server_id, identification_t*,
+	private_tnccs_20_t *this)
+{
+	return this->server;
+}
+
+METHOD(tls_t, get_peer_id, identification_t*,
+	private_tnccs_20_t *this)
+{
+	return this->peer;
+}
+
 METHOD(tls_t, get_purpose, tls_purpose_t,
 	private_tnccs_20_t *this)
 {
@@ -792,6 +856,8 @@ METHOD(tls_t, destroy, void,
 {
 	tnc->tnccs->remove_connection(tnc->tnccs, this->connection_id,
 											  this->is_server);
+	this->server->destroy(this->server);
+	this->peer->destroy(this->peer);
 	this->state_machine->destroy(this->state_machine);
 	this->mutex->destroy(this->mutex);
 	this->messages->destroy_offset(this->messages,
@@ -799,24 +865,62 @@ METHOD(tls_t, destroy, void,
 	free(this);
 }
 
+METHOD(tnccs_t, get_transport, tnc_ift_type_t,
+	private_tnccs_20_t *this)
+{
+	return this->transport;
+}
+
+METHOD(tnccs_t, set_transport, void,
+	private_tnccs_20_t *this, tnc_ift_type_t transport)
+{
+	this->transport = transport;
+}
+
+METHOD(tnccs_t, get_auth_type, u_int32_t,
+	private_tnccs_20_t *this)
+{
+	return this->auth_type;
+}
+
+METHOD(tnccs_t, set_auth_type, void,
+	private_tnccs_20_t *this, u_int32_t auth_type)
+{
+	this->auth_type = auth_type;
+}
+
 /**
  * See header
  */
-tls_t *tnccs_20_create(bool is_server)
+tnccs_t* tnccs_20_create(bool is_server,
+						 identification_t *server,
+						 identification_t *peer,
+						 tnc_ift_type_t transport)
 {
 	private_tnccs_20_t *this;
 
 	INIT(this,
 		.public = {
-			.process = _process,
-			.build = _build,
-			.is_server = _is_server,
-			.get_purpose = _get_purpose,
-			.is_complete = _is_complete,
-			.get_eap_msk = _get_eap_msk,
-			.destroy = _destroy,
+			.tls = {
+				.process = _process,
+				.build = _build,
+				.is_server = _is_server,
+				.get_server_id = _get_server_id,
+				.get_peer_id = _get_peer_id,
+				.get_purpose = _get_purpose,
+				.is_complete = _is_complete,
+				.get_eap_msk = _get_eap_msk,
+				.destroy = _destroy,
+			},
+			.get_transport = _get_transport,
+			.set_transport = _set_transport,
+			.get_auth_type = _get_auth_type,
+			.set_auth_type = _set_auth_type,
 		},
 		.is_server = is_server,
+		.server = server->clone(server),
+		.peer = peer->clone(peer),
+		.transport = transport,
 		.state_machine = pb_tnc_state_machine_create(is_server),
 		.mutex = mutex_create(MUTEX_TYPE_DEFAULT),
 		.messages = linked_list_create(),
diff --git a/src/libcharon/plugins/tnccs_20/tnccs_20.h b/src/libcharon/plugins/tnccs_20/tnccs_20.h
index 400d1dc12..314935069 100644
--- a/src/libcharon/plugins/tnccs_20/tnccs_20.h
+++ b/src/libcharon/plugins/tnccs_20/tnccs_20.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2010 Andreas Steffen
+ * Copyright (C) 2010-2013 Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -23,14 +23,20 @@
 
 #include <library.h>
 
-#include <tls.h>
+#include <tnc/tnccs/tnccs.h>
 
 /**
  * Create an instance of the TNC IF-TNCCS 2.0 protocol handler.
  *
- * @param is_server			TRUE to act as TNC Server, FALSE for TNC Client
- * @return					TNC_IF_TNCCS 2.0 protocol stack
+ * @param is_server		TRUE to act as TNC Server, FALSE for TNC Client
+ * @param server		Server identity
+ * @param peer			Client identity
+ * @param transport		Underlying IF-T transport protocol
+ * @return				TNC_IF_TNCCS 2.0 protocol stack
  */
-tls_t *tnccs_20_create(bool is_server);
+tnccs_t* tnccs_20_create(bool is_server,
+						 identification_t *server,
+						 identification_t *peer,
+						 tnc_ift_type_t transport);
 
 #endif /** TNCCS_20_H_ @}*/
diff --git a/src/libcharon/plugins/tnccs_20/tnccs_20_plugin.c b/src/libcharon/plugins/tnccs_20/tnccs_20_plugin.c
index 4f419ecf0..f74306c8c 100644
--- a/src/libcharon/plugins/tnccs_20/tnccs_20_plugin.c
+++ b/src/libcharon/plugins/tnccs_20/tnccs_20_plugin.c
@@ -30,8 +30,6 @@ METHOD(plugin_t, get_features, int,
 	static plugin_feature_t f[] = {
 		PLUGIN_CALLBACK(tnccs_method_register, tnccs_20_create),
 			PLUGIN_PROVIDE(CUSTOM, "tnccs-2.0"),
-				PLUGIN_DEPENDS(EAP_SERVER, EAP_TNC),
-				PLUGIN_DEPENDS(EAP_PEER, EAP_TNC),
 				PLUGIN_DEPENDS(CUSTOM, "tnccs-manager"),
 	};
 	*features = f;
@@ -61,4 +59,3 @@ plugin_t *tnccs_20_plugin_create()
 
 	return &this->plugin;
 }
-
diff --git a/src/libcharon/plugins/tnccs_dynamic/Makefile.in b/src/libcharon/plugins/tnccs_dynamic/Makefile.in
index b17afda82..5f375516b 100644
--- a/src/libcharon/plugins/tnccs_dynamic/Makefile.in
+++ b/src/libcharon/plugins/tnccs_dynamic/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.11.3 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
@@ -16,6 +16,23 @@
 @SET_MAKE@
 
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -110,6 +127,11 @@ LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
 	$(LDFLAGS) -o $@
 SOURCES = $(libstrongswan_tnccs_dynamic_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_tnccs_dynamic_la_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
@@ -126,6 +148,8 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -142,6 +166,7 @@ EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
@@ -210,8 +235,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -267,7 +290,6 @@ nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
@@ -363,7 +385,6 @@ clean-noinstLTLIBRARIES:
 	done
 install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
-	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
 	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
 	list2=; for p in $$list; do \
 	  if test -f $$p; then \
@@ -371,6 +392,8 @@ install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	  else :; fi; \
 	done; \
 	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \
 	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
 	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
 	}
diff --git a/src/libcharon/plugins/tnccs_dynamic/tnccs_dynamic.c b/src/libcharon/plugins/tnccs_dynamic/tnccs_dynamic.c
index 03795a947..d4fc6a6f7 100644
--- a/src/libcharon/plugins/tnccs_dynamic/tnccs_dynamic.c
+++ b/src/libcharon/plugins/tnccs_dynamic/tnccs_dynamic.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2011 Andreas Steffen
+ * Copyright (C) 2011-2013 Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -27,14 +27,35 @@ typedef struct private_tnccs_dynamic_t private_tnccs_dynamic_t;
 struct private_tnccs_dynamic_t {
 
 	/**
-	 * Public tls_t interface.
+	 * Public tnccs_t interface.
 	 */
-	tls_t public;
+	tnccs_t public;
+
+	/**
+	 * Server identity
+	 */
+	identification_t *server;
+
+	/**
+	 * Client identity
+	 */
+	identification_t *peer;
 
 	/**
 	 * Detected TNC IF-TNCCS stack
 	 */
 	tls_t *tls;
+
+	/**
+	 * Underlying TNC IF-T transport protocol
+	 */
+	tnc_ift_type_t transport;
+
+	/**
+	 * Type of TNC client authentication
+	 */
+	u_int32_t auth_type;
+
 };
 
 /**
@@ -66,6 +87,7 @@ METHOD(tls_t, process, status_t,
 	private_tnccs_dynamic_t *this, void *buf, size_t buflen)
 {
 	tnccs_type_t type;
+	tnccs_t *tnccs;
 
 	if (!this->tls)
 	{
@@ -76,12 +98,15 @@ METHOD(tls_t, process, status_t,
 		type = determine_tnccs_protocol(*(char*)buf);
 		DBG1(DBG_TNC, "%N protocol detected dynamically",
 					   tnccs_type_names, type);
-		this->tls = (tls_t*)tnc->tnccs->create_instance(tnc->tnccs, type, TRUE);
-		if (!this->tls)
+		tnccs = tnc->tnccs->create_instance(tnc->tnccs, type, TRUE,
+							this->server, this->peer, this->transport);
+		if (!tnccs)
 		{
 			DBG1(DBG_TNC, "N% protocol not supported", tnccs_type_names, type);
 			return FAILED;
 		}
+		tnccs->set_auth_type(tnccs, this->auth_type);
+		this->tls = &tnccs->tls;
 	}
 	return this->tls->process(this->tls, buf, buflen);
 }
@@ -98,6 +123,18 @@ METHOD(tls_t, is_server, bool,
 	return TRUE;
 }
 
+METHOD(tls_t, get_server_id, identification_t*,
+	private_tnccs_dynamic_t *this)
+{
+	return this->server;
+}
+
+METHOD(tls_t, get_peer_id, identification_t*,
+	private_tnccs_dynamic_t *this)
+{
+	return this->peer;
+}
+
 METHOD(tls_t, get_purpose, tls_purpose_t,
 	private_tnccs_dynamic_t *this)
 {
@@ -120,26 +157,66 @@ METHOD(tls_t, destroy, void,
 	private_tnccs_dynamic_t *this)
 {
 	DESTROY_IF(this->tls);
+	this->server->destroy(this->server);
+	this->peer->destroy(this->peer);
 	free(this);
 }
 
+METHOD(tnccs_t, get_transport, tnc_ift_type_t,
+	private_tnccs_dynamic_t *this)
+{
+	return this->transport;
+}
+
+METHOD(tnccs_t, set_transport, void,
+	private_tnccs_dynamic_t *this, tnc_ift_type_t transport)
+{
+	this->transport = transport;
+}
+
+METHOD(tnccs_t, get_auth_type, u_int32_t,
+	private_tnccs_dynamic_t *this)
+{
+	return this->auth_type;
+}
+
+METHOD(tnccs_t, set_auth_type, void,
+	private_tnccs_dynamic_t *this, u_int32_t auth_type)
+{
+	this->auth_type = auth_type;
+}
+
 /**
  * See header
  */
-tls_t *tnccs_dynamic_create(bool is_server)
+tnccs_t* tnccs_dynamic_create(bool is_server,
+							  identification_t *server,
+							  identification_t *peer,
+							  tnc_ift_type_t transport)
 {
 	private_tnccs_dynamic_t *this;
 
 	INIT(this,
 		.public = {
-			.process = _process,
-			.build = _build,
-			.is_server = _is_server,
-			.get_purpose = _get_purpose,
-			.is_complete = _is_complete,
-			.get_eap_msk = _get_eap_msk,
-			.destroy = _destroy,
+			.tls = {
+				.process = _process,
+				.build = _build,
+				.is_server = _is_server,
+				.get_server_id = _get_server_id,
+				.get_peer_id = _get_peer_id,
+				.get_purpose = _get_purpose,
+				.is_complete = _is_complete,
+				.get_eap_msk = _get_eap_msk,
+				.destroy = _destroy,
+			},
+			.get_transport = _get_transport,
+			.set_transport = _set_transport,
+			.get_auth_type = _get_auth_type,
+			.set_auth_type = _set_auth_type,
 		},
+		.server = server->clone(server),
+		.peer = peer->clone(peer),
+		.transport = transport,
 	);
 
 	return &this->public;
diff --git a/src/libcharon/plugins/tnccs_dynamic/tnccs_dynamic.h b/src/libcharon/plugins/tnccs_dynamic/tnccs_dynamic.h
index 42410b17f..e4cff74b8 100644
--- a/src/libcharon/plugins/tnccs_dynamic/tnccs_dynamic.h
+++ b/src/libcharon/plugins/tnccs_dynamic/tnccs_dynamic.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2011 Andreas Steffen
+ * Copyright (C) 2011-2013 Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -23,14 +23,20 @@
 
 #include <library.h>
 
-#include <tls.h>
+#include <tnc/tnccs/tnccs.h>
 
 /**
  * Create an instance of a dynamic TNC IF-TNCCS protocol handler.
  *
- * @param is_server			TRUE to act as TNC Server, FALSE for TNC Client
- * @return					dynamic TNC IF-TNCCS protocol stack
+ * @param is_server		TRUE to act as TNC Server, FALSE for TNC Client
+ * @param server		Server identity
+ * @param peer			Client identity
+ * @param transport		Underlying IF-T transport protocol
+ * @return				dynamic TNC IF-TNCCS protocol stack
  */
-tls_t *tnccs_dynamic_create(bool is_server);
+tnccs_t* tnccs_dynamic_create(bool is_server,
+							  identification_t *server,
+							  identification_t *peer,
+							  tnc_ift_type_t transport);
 
 #endif /** TNCCS_DYNAMIC_H_ @}*/
diff --git a/src/libcharon/plugins/tnccs_dynamic/tnccs_dynamic_plugin.c b/src/libcharon/plugins/tnccs_dynamic/tnccs_dynamic_plugin.c
index 6f581c543..aac57813a 100644
--- a/src/libcharon/plugins/tnccs_dynamic/tnccs_dynamic_plugin.c
+++ b/src/libcharon/plugins/tnccs_dynamic/tnccs_dynamic_plugin.c
@@ -32,8 +32,6 @@ METHOD(plugin_t, get_features, int,
 			PLUGIN_PROVIDE(CUSTOM, "tnccs-dynamic"),
 				PLUGIN_DEPENDS(CUSTOM, "tnccs-1.1"),
 				PLUGIN_DEPENDS(CUSTOM, "tnccs-2.0"),
-				PLUGIN_DEPENDS(EAP_SERVER, EAP_TNC),
-				PLUGIN_DEPENDS(EAP_PEER, EAP_TNC),
 	};
 	*features = f;
 	return countof(f);
@@ -62,4 +60,3 @@ plugin_t *tnccs_dynamic_plugin_create()
 
 	return &this->plugin;
 }
-
diff --git a/src/libcharon/plugins/uci/Makefile.in b/src/libcharon/plugins/uci/Makefile.in
index aff566c08..b8e03e0a8 100644
--- a/src/libcharon/plugins/uci/Makefile.in
+++ b/src/libcharon/plugins/uci/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.11.3 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
@@ -16,6 +16,23 @@
 @SET_MAKE@
 
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -105,6 +122,11 @@ LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
 	$(LDFLAGS) -o $@
 SOURCES = $(libstrongswan_uci_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_uci_la_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
@@ -121,6 +143,8 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -137,6 +161,7 @@ EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
@@ -205,8 +230,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -262,7 +285,6 @@ nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
@@ -354,7 +376,6 @@ clean-noinstLTLIBRARIES:
 	done
 install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
-	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
 	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
 	list2=; for p in $$list; do \
 	  if test -f $$p; then \
@@ -362,6 +383,8 @@ install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	  else :; fi; \
 	done; \
 	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \
 	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
 	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
 	}
diff --git a/src/libcharon/plugins/uci/uci_config.c b/src/libcharon/plugins/uci/uci_config.c
index de0bf91af..b58d120c1 100644
--- a/src/libcharon/plugins/uci/uci_config.c
+++ b/src/libcharon/plugins/uci/uci_config.c
@@ -89,7 +89,7 @@ static traffic_selector_t *create_ts(char *string)
 	{
 		traffic_selector_t *ts;
 
-		ts = traffic_selector_create_from_cidr(string, 0, 0);
+		ts = traffic_selector_create_from_cidr(string, 0, 0, 65535);
 		if (ts)
 		{
 			return ts;
@@ -156,7 +156,7 @@ METHOD(enumerator_t, peer_enumerator_enumerate, bool,
 								 local_addr, FALSE,
 								 charon->socket->get_port(charon->socket, FALSE),
 								 remote_addr, FALSE, IKEV2_UDP_PORT,
-								 FRAGMENTATION_NO);
+								 FRAGMENTATION_NO, 0);
 		ike_cfg->add_proposal(ike_cfg, create_proposal(ike_proposal, PROTO_IKE));
 		this->peer_cfg = peer_cfg_create(
 					name, ike_cfg, CERT_SEND_IF_ASKED, UNIQUE_NO,
@@ -255,7 +255,7 @@ METHOD(enumerator_t, ike_enumerator_enumerate, bool,
 								local_addr, FALSE,
 								charon->socket->get_port(charon->socket, FALSE),
 								remote_addr, FALSE, IKEV2_UDP_PORT,
-								FRAGMENTATION_NO);
+								FRAGMENTATION_NO, 0);
 		this->ike_cfg->add_proposal(this->ike_cfg,
 									create_proposal(ike_proposal, PROTO_IKE));
 
@@ -343,4 +343,3 @@ uci_config_t *uci_config_create(uci_parser_t *parser)
 
 	return &this->public;
 }
-
diff --git a/src/libcharon/plugins/unit_tester/Makefile.in b/src/libcharon/plugins/unit_tester/Makefile.in
index 8e60d97b2..175cece27 100644
--- a/src/libcharon/plugins/unit_tester/Makefile.in
+++ b/src/libcharon/plugins/unit_tester/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.11.3 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
@@ -16,6 +16,23 @@
 @SET_MAKE@
 
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -111,6 +128,11 @@ LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
 	$(LDFLAGS) -o $@
 SOURCES = $(libstrongswan_unit_tester_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_unit_tester_la_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
@@ -127,6 +149,8 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -143,6 +167,7 @@ EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
@@ -211,8 +236,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -268,7 +291,6 @@ nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
@@ -371,7 +393,6 @@ clean-noinstLTLIBRARIES:
 	done
 install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
-	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
 	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
 	list2=; for p in $$list; do \
 	  if test -f $$p; then \
@@ -379,6 +400,8 @@ install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	  else :; fi; \
 	done; \
 	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \
 	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
 	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
 	}
diff --git a/src/libcharon/plugins/unity/Makefile.in b/src/libcharon/plugins/unity/Makefile.in
index 5cb81fd51..4a9a81847 100644
--- a/src/libcharon/plugins/unity/Makefile.in
+++ b/src/libcharon/plugins/unity/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.11.3 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
@@ -16,6 +16,23 @@
 @SET_MAKE@
 
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -106,6 +123,11 @@ LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
 	$(LDFLAGS) -o $@
 SOURCES = $(libstrongswan_unity_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_unity_la_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
@@ -122,6 +144,8 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -138,6 +162,7 @@ EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
@@ -206,8 +231,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -263,7 +286,6 @@ nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
@@ -355,7 +377,6 @@ clean-noinstLTLIBRARIES:
 	done
 install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
-	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
 	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
 	list2=; for p in $$list; do \
 	  if test -f $$p; then \
@@ -363,6 +384,8 @@ install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	  else :; fi; \
 	done; \
 	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \
 	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
 	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
 	}
diff --git a/src/libcharon/plugins/unity/unity_handler.c b/src/libcharon/plugins/unity/unity_handler.c
index 31d13add2..9d145b93f 100644
--- a/src/libcharon/plugins/unity/unity_handler.c
+++ b/src/libcharon/plugins/unity/unity_handler.c
@@ -174,7 +174,6 @@ static job_requeue_t add_exclude_async(entry_t *entry)
 	ike_sa_t *ike_sa;
 	char name[128];
 	host_t *host;
-	bool has_vip = FALSE;
 
 	ike_sa = charon->ike_sa_manager->checkout_by_id(charon->ike_sa_manager,
 													entry->sa, FALSE);
@@ -187,23 +186,21 @@ static job_requeue_t add_exclude_async(entry_t *entry)
 									 FALSE, 0, 0, NULL, NULL, FALSE);
 		child_cfg->add_traffic_selector(child_cfg, FALSE,
 										entry->ts->clone(entry->ts));
+		host = ike_sa->get_my_host(ike_sa);
+		child_cfg->add_traffic_selector(child_cfg, TRUE,
+				traffic_selector_create_from_subnet(host->clone(host),
+													32, 0, 0, 65535));
+		charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa);
+
 		enumerator = ike_sa->create_virtual_ip_enumerator(ike_sa, TRUE);
 		while (enumerator->enumerate(enumerator, &host))
 		{
-			has_vip = TRUE;
 			child_cfg->add_traffic_selector(child_cfg, TRUE,
-				traffic_selector_create_from_subnet(host->clone(host), 32, 0, 0));
+				traffic_selector_create_from_subnet(host->clone(host),
+													32, 0, 0, 65535));
 		}
 		enumerator->destroy(enumerator);
 
-		if (!has_vip)
-		{
-			host = ike_sa->get_my_host(ike_sa);
-			child_cfg->add_traffic_selector(child_cfg, TRUE,
-				traffic_selector_create_from_subnet(host->clone(host), 32, 0, 0));
-		}
-		charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa);
-
 		charon->shunts->install(charon->shunts, child_cfg);
 		child_cfg->destroy(child_cfg);
 
diff --git a/src/libcharon/plugins/updown/Makefile.in b/src/libcharon/plugins/updown/Makefile.in
index f8df24116..25505db0b 100644
--- a/src/libcharon/plugins/updown/Makefile.in
+++ b/src/libcharon/plugins/updown/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.11.3 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
@@ -16,6 +16,23 @@
 @SET_MAKE@
 
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -107,6 +124,11 @@ LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
 	$(LDFLAGS) -o $@
 SOURCES = $(libstrongswan_updown_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_updown_la_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
@@ -123,6 +145,8 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -139,6 +163,7 @@ EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
@@ -207,8 +232,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -264,7 +287,6 @@ nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
@@ -355,7 +377,6 @@ clean-noinstLTLIBRARIES:
 	done
 install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
-	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
 	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
 	list2=; for p in $$list; do \
 	  if test -f $$p; then \
@@ -363,6 +384,8 @@ install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	  else :; fi; \
 	done; \
 	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \
 	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
 	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
 	}
diff --git a/src/libcharon/plugins/whitelist/Makefile.in b/src/libcharon/plugins/whitelist/Makefile.in
index 5ca4fd36d..ca3c027ae 100644
--- a/src/libcharon/plugins/whitelist/Makefile.in
+++ b/src/libcharon/plugins/whitelist/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.11.3 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
@@ -17,6 +17,23 @@
 
 
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -115,6 +132,11 @@ LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
 SOURCES = $(libstrongswan_whitelist_la_SOURCES) $(whitelist_SOURCES)
 DIST_SOURCES = $(libstrongswan_whitelist_la_SOURCES) \
 	$(whitelist_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
@@ -131,6 +153,8 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -147,6 +171,7 @@ EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
@@ -215,8 +240,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -272,7 +295,6 @@ nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
@@ -365,7 +387,6 @@ clean-noinstLTLIBRARIES:
 	done
 install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
-	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
 	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
 	list2=; for p in $$list; do \
 	  if test -f $$p; then \
@@ -373,6 +394,8 @@ install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	  else :; fi; \
 	done; \
 	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \
 	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
 	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
 	}
@@ -398,8 +421,11 @@ libstrongswan-whitelist.la: $(libstrongswan_whitelist_la_OBJECTS) $(libstrongswa
 	$(libstrongswan_whitelist_la_LINK) $(am_libstrongswan_whitelist_la_rpath) $(libstrongswan_whitelist_la_OBJECTS) $(libstrongswan_whitelist_la_LIBADD) $(LIBS)
 install-ipsecPROGRAMS: $(ipsec_PROGRAMS)
 	@$(NORMAL_INSTALL)
-	test -z "$(ipsecdir)" || $(MKDIR_P) "$(DESTDIR)$(ipsecdir)"
 	@list='$(ipsec_PROGRAMS)'; test -n "$(ipsecdir)" || list=; \
+	if test -n "$$list"; then \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(ipsecdir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(ipsecdir)" || exit 1; \
+	fi; \
 	for p in $$list; do echo "$$p $$p"; done | \
 	sed 's/$(EXEEXT)$$//' | \
 	while read p p1; do if test -f $$p || test -f $$p1; \
diff --git a/src/libcharon/plugins/xauth_eap/Makefile.in b/src/libcharon/plugins/xauth_eap/Makefile.in
index f5edbaeeb..0a74b2926 100644
--- a/src/libcharon/plugins/xauth_eap/Makefile.in
+++ b/src/libcharon/plugins/xauth_eap/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.11.3 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
@@ -16,6 +16,23 @@
 @SET_MAKE@
 
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -108,6 +125,11 @@ LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
 	$(LDFLAGS) -o $@
 SOURCES = $(libstrongswan_xauth_eap_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_xauth_eap_la_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
@@ -124,6 +146,8 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -140,6 +164,7 @@ EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
@@ -208,8 +233,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -265,7 +288,6 @@ nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
@@ -355,7 +377,6 @@ clean-noinstLTLIBRARIES:
 	done
 install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
-	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
 	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
 	list2=; for p in $$list; do \
 	  if test -f $$p; then \
@@ -363,6 +384,8 @@ install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	  else :; fi; \
 	done; \
 	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \
 	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
 	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
 	}
diff --git a/src/libcharon/plugins/xauth_generic/Makefile.in b/src/libcharon/plugins/xauth_generic/Makefile.in
index ecd480fb5..7348ab8de 100644
--- a/src/libcharon/plugins/xauth_generic/Makefile.in
+++ b/src/libcharon/plugins/xauth_generic/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.11.3 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
@@ -16,6 +16,23 @@
 @SET_MAKE@
 
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -108,6 +125,11 @@ LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
 	$(LDFLAGS) -o $@
 SOURCES = $(libstrongswan_xauth_generic_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_xauth_generic_la_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
@@ -124,6 +146,8 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -140,6 +164,7 @@ EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
@@ -208,8 +233,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -265,7 +288,6 @@ nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
@@ -355,7 +377,6 @@ clean-noinstLTLIBRARIES:
 	done
 install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
-	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
 	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
 	list2=; for p in $$list; do \
 	  if test -f $$p; then \
@@ -363,6 +384,8 @@ install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	  else :; fi; \
 	done; \
 	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \
 	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
 	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
 	}
diff --git a/src/libcharon/plugins/xauth_noauth/Makefile.am b/src/libcharon/plugins/xauth_noauth/Makefile.am
new file mode 100644
index 000000000..b838af63a
--- /dev/null
+++ b/src/libcharon/plugins/xauth_noauth/Makefile.am
@@ -0,0 +1,17 @@
+
+INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon
+
+AM_CFLAGS = -rdynamic
+
+if MONOLITHIC
+noinst_LTLIBRARIES = libstrongswan-xauth-noauth.la
+else
+plugin_LTLIBRARIES = libstrongswan-xauth-noauth.la
+endif
+
+libstrongswan_xauth_noauth_la_SOURCES = \
+	xauth_noauth_plugin.h xauth_noauth_plugin.c \
+	xauth_noauth.h xauth_noauth.c
+
+libstrongswan_xauth_noauth_la_LDFLAGS = -module -avoid-version
diff --git a/src/libcharon/plugins/xauth_noauth/Makefile.in b/src/libcharon/plugins/xauth_noauth/Makefile.in
new file mode 100644
index 000000000..c8f7a6a33
--- /dev/null
+++ b/src/libcharon/plugins/xauth_noauth/Makefile.in
@@ -0,0 +1,659 @@
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
+pkgdatadir = $(datadir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+subdir = src/libcharon/plugins/xauth_noauth
+DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+	$(top_srcdir)/m4/config/ltoptions.m4 \
+	$(top_srcdir)/m4/config/ltsugar.m4 \
+	$(top_srcdir)/m4/config/ltversion.m4 \
+	$(top_srcdir)/m4/config/lt~obsolete.m4 \
+	$(top_srcdir)/m4/macros/with.m4 \
+	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
+	$(top_srcdir)/configure.in
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+	$(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_HEADER = $(top_builddir)/config.h
+CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+    *) f=$$p;; \
+  esac;
+am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
+am__install_max = 40
+am__nobase_strip_setup = \
+  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
+am__nobase_strip = \
+  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
+am__nobase_list = $(am__nobase_strip_setup); \
+  for p in $$list; do echo "$$p $$p"; done | \
+  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
+  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
+    if (++n[$$2] == $(am__install_max)) \
+      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
+    END { for (dir in files) print dir, files[dir] }'
+am__base_list = \
+  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
+  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
+am__installdirs = "$(DESTDIR)$(plugindir)"
+LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
+libstrongswan_xauth_noauth_la_LIBADD =
+am_libstrongswan_xauth_noauth_la_OBJECTS = xauth_noauth_plugin.lo \
+	xauth_noauth.lo
+libstrongswan_xauth_noauth_la_OBJECTS =  \
+	$(am_libstrongswan_xauth_noauth_la_OBJECTS)
+libstrongswan_xauth_noauth_la_LINK = $(LIBTOOL) --tag=CC \
+	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
+	$(AM_CFLAGS) $(CFLAGS) \
+	$(libstrongswan_xauth_noauth_la_LDFLAGS) $(LDFLAGS) -o $@
+@MONOLITHIC_FALSE@am_libstrongswan_xauth_noauth_la_rpath = -rpath \
+@MONOLITHIC_FALSE@	$(plugindir)
+@MONOLITHIC_TRUE@am_libstrongswan_xauth_noauth_la_rpath =
+DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
+depcomp = $(SHELL) $(top_srcdir)/depcomp
+am__depfiles_maybe = depfiles
+am__mv = mv -f
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
+	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CCLD = $(CC)
+LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
+	$(LDFLAGS) -o $@
+SOURCES = $(libstrongswan_xauth_noauth_la_SOURCES)
+DIST_SOURCES = $(libstrongswan_xauth_noauth_la_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
+ETAGS = etags
+CTAGS = ctags
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
+AMTAR = @AMTAR@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+BFDLIB = @BFDLIB@
+BTLIB = @BTLIB@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
+DSYMUTIL = @DSYMUTIL@
+DUMPBIN = @DUMPBIN@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+FGREP = @FGREP@
+GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
+GREP = @GREP@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LD = @LD@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LIPO = @LIPO@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
+MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
+NM = @NM@
+NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
+PTHREADLIB = @PTHREADLIB@
+RANLIB = @RANLIB@
+RTLIB = @RTLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
+SED = @SED@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
+STRIP = @STRIP@
+VERSION = @VERSION@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+attest_plugins = @attest_plugins@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+c_plugins = @c_plugins@
+charon_natt_port = @charon_natt_port@
+charon_plugins = @charon_plugins@
+charon_udp_port = @charon_udp_port@
+clearsilver_LIBS = @clearsilver_LIBS@
+datadir = @datadir@
+datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
+dev_headers = @dev_headers@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+gtk_CFLAGS = @gtk_CFLAGS@
+gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+imcvdir = @imcvdir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+ipsec_script = @ipsec_script@
+ipsec_script_upper = @ipsec_script_upper@
+ipsecdir = @ipsecdir@
+ipsecgroup = @ipsecgroup@
+ipseclibdir = @ipseclibdir@
+ipsecuser = @ipsecuser@
+libdir = @libdir@
+libexecdir = @libexecdir@
+linux_headers = @linux_headers@
+localedir = @localedir@
+localstatedir = @localstatedir@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
+mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
+mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
+nm_plugins = @nm_plugins@
+oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+pcsclite_CFLAGS = @pcsclite_CFLAGS@
+pcsclite_LIBS = @pcsclite_LIBS@
+pdfdir = @pdfdir@
+piddir = @piddir@
+pki_plugins = @pki_plugins@
+plugindir = @plugindir@
+pool_plugins = @pool_plugins@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+random_device = @random_device@
+resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
+sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
+sharedstatedir = @sharedstatedir@
+soup_CFLAGS = @soup_CFLAGS@
+soup_LIBS = @soup_LIBS@
+srcdir = @srcdir@
+starter_plugins = @starter_plugins@
+strongswan_conf = @strongswan_conf@
+sysconfdir = @sysconfdir@
+systemdsystemunitdir = @systemdsystemunitdir@
+target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+urandom_device = @urandom_device@
+xml_CFLAGS = @xml_CFLAGS@
+xml_LIBS = @xml_LIBS@
+INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon
+
+AM_CFLAGS = -rdynamic
+@MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-xauth-noauth.la
+@MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-xauth-noauth.la
+libstrongswan_xauth_noauth_la_SOURCES = \
+	xauth_noauth_plugin.h xauth_noauth_plugin.c \
+	xauth_noauth.h xauth_noauth.c
+
+libstrongswan_xauth_noauth_la_LDFLAGS = -module -avoid-version
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .c .lo .o .obj
+$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
+	@for dep in $?; do \
+	  case '$(am__configure_deps)' in \
+	    *$$dep*) \
+	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+	        && { if test -f $@; then exit 0; else break; fi; }; \
+	      exit 1;; \
+	  esac; \
+	done; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libcharon/plugins/xauth_noauth/Makefile'; \
+	$(am__cd) $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu src/libcharon/plugins/xauth_noauth/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+	@case '$?' in \
+	  *config.status*) \
+	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+	  *) \
+	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+	esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure:  $(am__configure_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
+
+clean-noinstLTLIBRARIES:
+	-test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES)
+	@list='$(noinst_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
+	@$(NORMAL_INSTALL)
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	list2=; for p in $$list; do \
+	  if test -f $$p; then \
+	    list2="$$list2 $$p"; \
+	  else :; fi; \
+	done; \
+	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
+	}
+
+uninstall-pluginLTLIBRARIES:
+	@$(NORMAL_UNINSTALL)
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	for p in $$list; do \
+	  $(am__strip_dir) \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \
+	done
+
+clean-pluginLTLIBRARIES:
+	-test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES)
+	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+libstrongswan-xauth-noauth.la: $(libstrongswan_xauth_noauth_la_OBJECTS) $(libstrongswan_xauth_noauth_la_DEPENDENCIES) $(EXTRA_libstrongswan_xauth_noauth_la_DEPENDENCIES) 
+	$(libstrongswan_xauth_noauth_la_LINK) $(am_libstrongswan_xauth_noauth_la_rpath) $(libstrongswan_xauth_noauth_la_OBJECTS) $(libstrongswan_xauth_noauth_la_LIBADD) $(LIBS)
+
+mostlyclean-compile:
+	-rm -f *.$(OBJEXT)
+
+distclean-compile:
+	-rm -f *.tab.c
+
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/xauth_noauth.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/xauth_noauth_plugin.Plo@am__quote@
+
+.c.o:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+
+.c.obj:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+
+.c.lo:
+@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	mkid -fID $$unique
+tags: TAGS
+
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	set x; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	shift; \
+	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
+	  test -n "$$unique" || unique=$$empty_fix; \
+	  if test $$# -gt 0; then \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      "$$@" $$unique; \
+	  else \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      $$unique; \
+	  fi; \
+	fi
+ctags: CTAGS
+CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	test -z "$(CTAGS_ARGS)$$unique" \
+	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+	     $$unique
+
+GTAGS:
+	here=`$(am__cd) $(top_builddir) && pwd` \
+	  && $(am__cd) $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) "$$here"
+
+distclean-tags:
+	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+distdir: $(DISTFILES)
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
+	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d "$(distdir)/$$file"; then \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
+	  else \
+	    test -f "$(distdir)/$$file" \
+	    || cp -p $$d/$$file "$(distdir)/$$file" \
+	    || exit 1; \
+	  fi; \
+	done
+check-am: all-am
+check: check-am
+all-am: Makefile $(LTLIBRARIES)
+installdirs:
+	for dir in "$(DESTDIR)$(plugindir)"; do \
+	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
+	done
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
+
+maintainer-clean-generic:
+	@echo "This command is intended for maintainers to use"
+	@echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-generic clean-libtool clean-noinstLTLIBRARIES \
+	clean-pluginLTLIBRARIES mostlyclean-am
+
+distclean: distclean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+	distclean-tags
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+html-am:
+
+info: info-am
+
+info-am:
+
+install-data-am: install-pluginLTLIBRARIES
+
+install-dvi: install-dvi-am
+
+install-dvi-am:
+
+install-exec-am:
+
+install-html: install-html-am
+
+install-html-am:
+
+install-info: install-info-am
+
+install-info-am:
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-pdf-am:
+
+install-ps: install-ps-am
+
+install-ps-am:
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+	mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am: uninstall-pluginLTLIBRARIES
+
+.MAKE: install-am install-strip
+
+.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
+	clean-libtool clean-noinstLTLIBRARIES clean-pluginLTLIBRARIES \
+	ctags distclean distclean-compile distclean-generic \
+	distclean-libtool distclean-tags distdir dvi dvi-am html \
+	html-am info info-am install install-am install-data \
+	install-data-am install-dvi install-dvi-am install-exec \
+	install-exec-am install-html install-html-am install-info \
+	install-info-am install-man install-pdf install-pdf-am \
+	install-pluginLTLIBRARIES install-ps install-ps-am \
+	install-strip installcheck installcheck-am installdirs \
+	maintainer-clean maintainer-clean-generic mostlyclean \
+	mostlyclean-compile mostlyclean-generic mostlyclean-libtool \
+	pdf pdf-am ps ps-am tags uninstall uninstall-am \
+	uninstall-pluginLTLIBRARIES
+
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/src/libcharon/plugins/xauth_noauth/xauth_noauth.c b/src/libcharon/plugins/xauth_noauth/xauth_noauth.c
new file mode 100644
index 000000000..a9d95126a
--- /dev/null
+++ b/src/libcharon/plugins/xauth_noauth/xauth_noauth.c
@@ -0,0 +1,89 @@
+/*
+ * Copyright (C) 2013 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "xauth_noauth.h"
+
+#include <daemon.h>
+#include <library.h>
+
+typedef struct private_xauth_noauth_t private_xauth_noauth_t;
+
+/**
+ * Private data of an xauth_noauth_t object.
+ */
+struct private_xauth_noauth_t {
+
+	/**
+	 * Public interface.
+	 */
+	xauth_noauth_t public;
+
+	/**
+	 * ID of the peer (not really used here)
+	 */
+	identification_t *peer;
+
+};
+
+METHOD(xauth_method_t, initiate, status_t,
+	private_xauth_noauth_t *this, cp_payload_t **out)
+{
+	/* XAuth task handles the details for us */
+	return SUCCESS;
+}
+
+METHOD(xauth_method_t, process, status_t,
+	private_xauth_noauth_t *this, cp_payload_t *in, cp_payload_t **out)
+{
+	/* this should never be called */
+	return FAILED;
+}
+
+METHOD(xauth_method_t, get_identity, identification_t*,
+	private_xauth_noauth_t *this)
+{
+	/* this should never be called, but lets still return a valid ID */
+	return this->peer;
+}
+
+METHOD(xauth_method_t, destroy, void,
+	private_xauth_noauth_t *this)
+{
+	this->peer->destroy(this->peer);
+	free(this);
+}
+
+/*
+ * Described in header.
+ */
+xauth_noauth_t *xauth_noauth_create_server(identification_t *server,
+										   identification_t *peer)
+{
+	private_xauth_noauth_t *this;
+
+	INIT(this,
+		.public = {
+			.xauth_method = {
+				.initiate = _initiate,
+				.process = _process,
+				.get_identity = _get_identity,
+				.destroy = _destroy,
+			},
+		},
+		.peer = identification_create_from_string("%any"),
+	);
+
+	return &this->public;
+}
diff --git a/src/libcharon/plugins/xauth_noauth/xauth_noauth.h b/src/libcharon/plugins/xauth_noauth/xauth_noauth.h
new file mode 100644
index 000000000..8984b0a7c
--- /dev/null
+++ b/src/libcharon/plugins/xauth_noauth/xauth_noauth.h
@@ -0,0 +1,50 @@
+/*
+ * Copyright (C) 2013 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup xauth_noauth_i xauth_noauth
+ * @{ @ingroup xauth_noauth
+ */
+
+#ifndef XAUTH_NOAUTH_H_
+#define XAUTH_NOAUTH_H_
+
+typedef struct xauth_noauth_t xauth_noauth_t;
+
+#include <sa/xauth/xauth_method.h>
+
+/**
+ * Implementation of the xauth_method_t interface that does not actually do
+ * any authentication but simply concludes the XAuth exchange successfully.
+ */
+struct xauth_noauth_t {
+
+	/**
+	 * Implemented xauth_method_t interface.
+	 */
+	xauth_method_t xauth_method;
+};
+
+/**
+ * Creates the noauth XAuth method, acting as server.
+ *
+ * @param server	ID of the XAuth server
+ * @param peer		ID of the XAuth client
+ * @return			xauth_noauth_t object
+ */
+xauth_noauth_t *xauth_noauth_create_server(identification_t *server,
+										   identification_t *peer);
+
+#endif /** XAUTH_NOAUTH_H_ @}*/
diff --git a/src/libcharon/plugins/xauth_noauth/xauth_noauth_plugin.c b/src/libcharon/plugins/xauth_noauth/xauth_noauth_plugin.c
new file mode 100644
index 000000000..e7ee4dfe3
--- /dev/null
+++ b/src/libcharon/plugins/xauth_noauth/xauth_noauth_plugin.c
@@ -0,0 +1,60 @@
+/*
+ * Copyright (C) 2013 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "xauth_noauth_plugin.h"
+#include "xauth_noauth.h"
+
+#include <daemon.h>
+
+METHOD(plugin_t, get_name, char*,
+	xauth_noauth_plugin_t *this)
+{
+	return "xauth-noauth";
+}
+
+METHOD(plugin_t, get_features, int,
+	xauth_noauth_plugin_t *this, plugin_feature_t *features[])
+{
+	static plugin_feature_t f[] = {
+		PLUGIN_CALLBACK(xauth_method_register, xauth_noauth_create_server),
+			PLUGIN_PROVIDE(XAUTH_SERVER, "noauth"),
+	};
+	*features = f;
+	return countof(f);
+}
+
+METHOD(plugin_t, destroy, void,
+	xauth_noauth_plugin_t *this)
+{
+	free(this);
+}
+
+/*
+ * see header file
+ */
+plugin_t *xauth_noauth_plugin_create()
+{
+	xauth_noauth_plugin_t *this;
+
+	INIT(this,
+		.plugin = {
+			.get_name = _get_name,
+			.get_features = _get_features,
+			.destroy = _destroy,
+		},
+	);
+
+	return &this->plugin;
+}
diff --git a/src/libcharon/plugins/xauth_noauth/xauth_noauth_plugin.h b/src/libcharon/plugins/xauth_noauth/xauth_noauth_plugin.h
new file mode 100644
index 000000000..d174ac29c
--- /dev/null
+++ b/src/libcharon/plugins/xauth_noauth/xauth_noauth_plugin.h
@@ -0,0 +1,45 @@
+/*
+ * Copyright (C) 2013 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup xauth_noauth xauth_noauth
+ * @ingroup cplugins
+ *
+ * @defgroup xauth_noauth_plugin xauth_noauth_plugin
+ * @{ @ingroup xauth_noauth
+ */
+
+#ifndef XAUTH_NOAUTH_PLUGIN_H_
+#define XAUTH_NOAUTH_PLUGIN_H_
+
+#include <plugins/plugin.h>
+
+typedef struct xauth_noauth_plugin_t xauth_noauth_plugin_t;
+
+/**
+ * XAuth plugin that does not actually do any authentication but simply
+ * concludes the XAuth exchange successfully.  This could be used to implement
+ * basic RSA authentication in cases where the client does not offer an option
+ * to disable XAuth.
+ */
+struct xauth_noauth_plugin_t {
+
+	/**
+	 * implements plugin interface
+	 */
+	plugin_t plugin;
+};
+
+#endif /** XAUTH_NOAUTH_PLUGIN_H_ @}*/
diff --git a/src/libcharon/plugins/xauth_pam/Makefile.in b/src/libcharon/plugins/xauth_pam/Makefile.in
index b249b418f..0538a028f 100644
--- a/src/libcharon/plugins/xauth_pam/Makefile.in
+++ b/src/libcharon/plugins/xauth_pam/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.11.3 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
@@ -16,6 +16,23 @@
 @SET_MAKE@
 
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -108,6 +125,11 @@ LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
 	$(LDFLAGS) -o $@
 SOURCES = $(libstrongswan_xauth_pam_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_xauth_pam_la_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
@@ -124,6 +146,8 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -140,6 +164,7 @@ EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
@@ -208,8 +233,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -265,7 +288,6 @@ nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
@@ -355,7 +377,6 @@ clean-noinstLTLIBRARIES:
 	done
 install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
-	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
 	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
 	list2=; for p in $$list; do \
 	  if test -f $$p; then \
@@ -363,6 +384,8 @@ install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	  else :; fi; \
 	done; \
 	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \
 	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
 	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
 	}
diff --git a/src/libcharon/processing/jobs/delete_ike_sa_job.c b/src/libcharon/processing/jobs/delete_ike_sa_job.c
index 3a8c2e1cd..a394e9df9 100644
--- a/src/libcharon/processing/jobs/delete_ike_sa_job.c
+++ b/src/libcharon/processing/jobs/delete_ike_sa_job.c
@@ -76,11 +76,21 @@ METHOD(job_t, execute, job_requeue_t,
 		}
 		else
 		{
-			/* destroy IKE_SA did not complete connecting phase */
+			/* destroy IKE_SA only if it did not complete connecting phase */
 			if (ike_sa->get_state(ike_sa) != IKE_CONNECTING)
 			{
 				charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa);
 			}
+			else if (ike_sa->get_version(ike_sa) == IKEV1 &&
+					 ike_sa->has_condition(ike_sa, COND_ORIGINAL_INITIATOR))
+			{	/* as initiator we waited for the peer to initiate e.g. an
+				 * XAuth exchange, reauth the SA to eventually trigger DPD */
+				DBG1(DBG_JOB, "peer did not initiate expected exchange, "
+					 "reestablishing IKE_SA");
+				ike_sa->reauth(ike_sa);
+				charon->ike_sa_manager->checkin_and_destroy(
+												charon->ike_sa_manager, ike_sa);
+			}
 			else
 			{
 				DBG1(DBG_JOB, "deleting half open IKE_SA after timeout");
diff --git a/src/libcharon/processing/jobs/dpd_timeout_job.c b/src/libcharon/processing/jobs/dpd_timeout_job.c
index 64a9785a6..9cdce5cab 100644
--- a/src/libcharon/processing/jobs/dpd_timeout_job.c
+++ b/src/libcharon/processing/jobs/dpd_timeout_job.c
@@ -68,7 +68,7 @@ METHOD(job_t, execute, job_requeue_t,
 		enumerator = ike_sa->create_child_sa_enumerator(ike_sa);
 		while (enumerator->enumerate(enumerator, &child_sa))
 		{
-			child_sa->get_usestats(child_sa, TRUE, &current, NULL);
+			child_sa->get_usestats(child_sa, TRUE, &current, NULL, NULL);
 			use_time = max(use_time, current);
 		}
 		enumerator->destroy(enumerator);
@@ -77,6 +77,7 @@ METHOD(job_t, execute, job_requeue_t,
 		if (use_time < this->check)
 		{
 			DBG1(DBG_JOB, "DPD check timed out, enforcing DPD action");
+			charon->bus->alert(charon->bus, ALERT_RETRANSMIT_SEND_TIMEOUT, NULL);
 			charon->bus->ike_updown(charon->bus, ike_sa, FALSE);
 			ike_sa->reestablish(ike_sa);
 			charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager,
diff --git a/src/libcharon/processing/jobs/inactivity_job.c b/src/libcharon/processing/jobs/inactivity_job.c
index 3c56b0cd7..9ab69b417 100644
--- a/src/libcharon/processing/jobs/inactivity_job.c
+++ b/src/libcharon/processing/jobs/inactivity_job.c
@@ -75,8 +75,8 @@ METHOD(job_t, execute, job_requeue_t,
 			{
 				time_t in, out, diff;
 
-				child_sa->get_usestats(child_sa, TRUE, &in, NULL);
-				child_sa->get_usestats(child_sa, FALSE, &out, NULL);
+				child_sa->get_usestats(child_sa, TRUE, &in, NULL, NULL);
+				child_sa->get_usestats(child_sa, FALSE, &out, NULL, NULL);
 
 				diff = time_monotonic(NULL) - max(in, out);
 
@@ -155,4 +155,3 @@ inactivity_job_t *inactivity_job_create(u_int32_t reqid, u_int32_t timeout,
 
 	return &this->public;
 }
-
diff --git a/src/libcharon/sa/child_sa.c b/src/libcharon/sa/child_sa.c
index f02d836cf..463ad2e22 100644
--- a/src/libcharon/sa/child_sa.c
+++ b/src/libcharon/sa/child_sa.c
@@ -182,6 +182,16 @@ struct private_child_sa_t {
 	 * last number of outbound bytes
 	 */
 	u_int64_t other_usebytes;
+
+	/**
+	 * last number of inbound packets
+	 */
+	u_int64_t my_usepackets;
+
+	/**
+	 * last number of outbound bytes
+	 */
+	u_int64_t other_usepackets;
 };
 
 /**
@@ -413,7 +423,7 @@ METHOD(child_sa_t, create_policy_enumerator, enumerator_t*,
 static status_t update_usebytes(private_child_sa_t *this, bool inbound)
 {
 	status_t status = FAILED;
-	u_int64_t bytes;
+	u_int64_t bytes, packets;
 
 	if (inbound)
 	{
@@ -422,12 +432,13 @@ static status_t update_usebytes(private_child_sa_t *this, bool inbound)
 			status = hydra->kernel_interface->query_sa(hydra->kernel_interface,
 							this->other_addr, this->my_addr, this->my_spi,
 							proto_ike2ip(this->protocol), this->mark_in,
-							&bytes);
+							&bytes, &packets);
 			if (status == SUCCESS)
 			{
 				if (bytes > this->my_usebytes)
 				{
 					this->my_usebytes = bytes;
+					this->my_usepackets = packets;
 					return SUCCESS;
 				}
 				return FAILED;
@@ -441,12 +452,13 @@ static status_t update_usebytes(private_child_sa_t *this, bool inbound)
 			status = hydra->kernel_interface->query_sa(hydra->kernel_interface,
 							this->my_addr, this->other_addr, this->other_spi,
 							proto_ike2ip(this->protocol), this->mark_out,
-							&bytes);
+							&bytes, &packets);
 			if (status == SUCCESS)
 			{
 				if (bytes > this->other_usebytes)
 				{
 					this->other_usebytes = bytes;
+					this->other_usepackets = packets;
 					return SUCCESS;
 				}
 				return FAILED;
@@ -512,7 +524,8 @@ static void update_usetime(private_child_sa_t *this, bool inbound)
 }
 
 METHOD(child_sa_t, get_usestats, void,
-	   private_child_sa_t *this, bool inbound, time_t *time, u_int64_t *bytes)
+	private_child_sa_t *this, bool inbound,
+	time_t *time, u_int64_t *bytes, u_int64_t *packets)
 {
 	if (update_usebytes(this, inbound) != FAILED)
 	{
@@ -529,6 +542,10 @@ METHOD(child_sa_t, get_usestats, void,
 	{
 		*bytes = inbound ? this->my_usebytes : this->other_usebytes;
 	}
+	if (packets)
+	{
+		*packets = inbound ? this->my_usepackets : this->other_usepackets;
+	}
 }
 
 METHOD(child_sa_t, get_mark, mark_t,
diff --git a/src/libcharon/sa/child_sa.h b/src/libcharon/sa/child_sa.h
index dae3f2c18..44511edf8 100644
--- a/src/libcharon/sa/child_sa.h
+++ b/src/libcharon/sa/child_sa.h
@@ -270,9 +270,10 @@ struct child_sa_t {
 	 * @param inbound		TRUE for inbound traffic, FALSE for outbound
 	 * @param[out] time		time of last use in seconds (NULL to ignore)
 	 * @param[out] bytes	number of processed bytes (NULL to ignore)
+	 * @param[out] packets	number of processed packets (NULL to ignore)
 	 */
 	void (*get_usestats)(child_sa_t *this, bool inbound, time_t *time,
-						 u_int64_t *bytes);
+						 u_int64_t *bytes, u_int64_t *packets);
 
 	/**
 	 * Get the mark used with this CHILD_SA.
diff --git a/src/libcharon/sa/eap/eap_inner_method.h b/src/libcharon/sa/eap/eap_inner_method.h
new file mode 100644
index 000000000..500852965
--- /dev/null
+++ b/src/libcharon/sa/eap/eap_inner_method.h
@@ -0,0 +1,57 @@
+/*
+ * Copyright (C) 2013 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup eap_inner_method eap_inner_method
+ * @{ @ingroup eap
+ */
+
+#ifndef EAP_INNER_METHOD_H_
+#define EAP_INNER_METHOD_H_
+
+typedef struct eap_inner_method_t eap_inner_method_t;
+
+#include <library.h>
+
+#include "eap_method.h"
+
+/**
+ * Interface of a weak inner EAP method like EAP-TNC or PT-EAP
+ * that must be encapsulated in a strong TLS-based EAP method 
+ */
+struct eap_inner_method_t {
+
+	/*
+	 * Public EAP method interface
+	 */
+	eap_method_t eap_method;
+
+	/*
+	 * Get type of outer EAP authentication method
+	 *
+	 * @return			outer EAP authentication type
+	 */
+	eap_type_t (*get_auth_type)(eap_inner_method_t *this); 
+
+	/*
+	 * Set type of outer EAP Client/Server authentication
+	 *
+	 * @param type		outer EAP authentication type
+	 */
+	void (*set_auth_type)(eap_inner_method_t *this, eap_type_t type); 
+
+};
+
+#endif /** EAP_INNER_METHOD_H_ @}*/
diff --git a/src/libcharon/sa/ike_sa.c b/src/libcharon/sa/ike_sa.c
index 4029db11d..8c4dabd81 100644
--- a/src/libcharon/sa/ike_sa.c
+++ b/src/libcharon/sa/ike_sa.c
@@ -285,7 +285,7 @@ static time_t get_use_time(private_ike_sa_t* this, bool inbound)
 	enumerator = this->child_sas->create_enumerator(this->child_sas);
 	while (enumerator->enumerate(enumerator, &child_sa))
 	{
-		child_sa->get_usestats(child_sa, inbound, &current, NULL);
+		child_sa->get_usestats(child_sa, inbound, &current, NULL, NULL);
 		use_time = max(use_time, current);
 	}
 	enumerator->destroy(enumerator);
@@ -900,7 +900,7 @@ METHOD(ike_sa_t, update_hosts, void,
 	else
 	{
 		/* update our address in any case */
-		if (!me->equals(me, this->my_host))
+		if (force && !me->equals(me, this->my_host))
 		{
 			set_my_host(this, me->clone(me));
 			update = TRUE;
@@ -909,7 +909,8 @@ METHOD(ike_sa_t, update_hosts, void,
 		if (!other->equals(other, this->other_host))
 		{
 			/* update others address if we are NOT NATed */
-			if (force || !has_condition(this, COND_NAT_HERE))
+			if ((has_condition(this, COND_NAT_THERE) &&
+				 !has_condition(this, COND_NAT_HERE)) || force )
 			{
 				set_other_host(this, other->clone(other));
 				update = TRUE;
@@ -939,14 +940,38 @@ METHOD(ike_sa_t, update_hosts, void,
 	}
 }
 
+/**
+ * Set configured DSCP value on packet
+ */
+static void set_dscp(private_ike_sa_t *this, packet_t *packet)
+{
+	ike_cfg_t *ike_cfg;
+
+	/* prefer IKE config on peer_cfg, as its selection is more accurate
+	 * then the initial IKE config */
+	if (this->peer_cfg)
+	{
+		ike_cfg = this->peer_cfg->get_ike_cfg(this->peer_cfg);
+	}
+	else
+	{
+		ike_cfg = this->ike_cfg;
+	}
+	if (ike_cfg)
+	{
+		packet->set_dscp(packet, ike_cfg->get_dscp(ike_cfg));
+	}
+}
+
 METHOD(ike_sa_t, generate_message, status_t,
 	private_ike_sa_t *this, message_t *message, packet_t **packet)
 {
 	status_t status;
 
 	if (message->is_encoded(message))
-	{	/* already done */
+	{	/* already encoded in task, but set DSCP value */
 		*packet = message->get_packet(message);
+		set_dscp(this, *packet);
 		return SUCCESS;
 	}
 	this->stats[STAT_OUTBOUND] = time_monotonic(NULL);
@@ -955,6 +980,7 @@ METHOD(ike_sa_t, generate_message, status_t,
 	status = message->generate(message, this->keymat, packet);
 	if (status == SUCCESS)
 	{
+		set_dscp(this, *packet);
 		charon->bus->message(charon->bus, message, FALSE, FALSE);
 	}
 	return status;
@@ -1225,24 +1251,6 @@ METHOD(ike_sa_t, process_message, status_t,
 	{	/* do not handle messages in passive state */
 		return FAILED;
 	}
-	switch (message->get_exchange_type(message))
-	{
-		case ID_PROT:
-		case AGGRESSIVE:
-		case IKE_SA_INIT:
-		case IKE_AUTH:
-			if (this->state != IKE_CREATED &&
-				this->state != IKE_CONNECTING &&
-				message->get_first_payload_type(message) != FRAGMENT_V1)
-			{
-				DBG1(DBG_IKE, "ignoring %N in established IKE_SA state",
-					 exchange_type_names, message->get_exchange_type(message));
-				return FAILED;
-			}
-			break;
-		default:
-			break;
-	}
 	if (message->get_major_version(message) != this->version)
 	{
 		DBG1(DBG_IKE, "ignoring %N IKEv%u exchange on %N SA",
@@ -1437,6 +1445,10 @@ METHOD(ike_sa_t, delete_, status_t,
 			}
 			/* FALL */
 		case IKE_ESTABLISHED:
+			if (time_monotonic(NULL) >= this->stats[STAT_DELETE])
+			{	/* IKE_SA hard lifetime hit */
+				charon->bus->alert(charon->bus, ALERT_IKE_SA_EXPIRED);
+			}
 			this->task_manager->queue_ike_delete(this->task_manager);
 			return this->task_manager->initiate(this->task_manager);
 		case IKE_CREATED:
diff --git a/src/libcharon/sa/ike_sa_manager.c b/src/libcharon/sa/ike_sa_manager.c
index 2ac8c3123..4fbc4da8e 100644
--- a/src/libcharon/sa/ike_sa_manager.c
+++ b/src/libcharon/sa/ike_sa_manager.c
@@ -108,9 +108,9 @@ struct entry_t {
 	identification_t *other_id;
 
 	/**
-	 * message ID currently processing, if any
+	 * message ID or hash of currently processing message, -1 if none
 	 */
-	u_int32_t message_id;
+	u_int32_t processing;
 };
 
 /**
@@ -135,23 +135,12 @@ static status_t entry_destroy(entry_t *this)
  */
 static entry_t *entry_create()
 {
-	entry_t *this = malloc_thing(entry_t);
-
-	this->waiting_threads = 0;
-	this->condvar = condvar_create(CONDVAR_TYPE_DEFAULT);
-
-	/* we set checkout flag when we really give it out */
-	this->checked_out = FALSE;
-	this->driveout_new_threads = FALSE;
-	this->driveout_waiting_threads = FALSE;
-	this->message_id = -1;
-	this->init_hash = chunk_empty;
-	this->other = NULL;
-	this->half_open = FALSE;
-	this->my_id = NULL;
-	this->other_id = NULL;
-	this->ike_sa_id = NULL;
-	this->ike_sa = NULL;
+	entry_t *this;
+
+	INIT(this,
+		.condvar = condvar_create(CONDVAR_TYPE_DEFAULT),
+		.processing = -1,
+	);
 
 	return this;
 }
@@ -1171,6 +1160,20 @@ METHOD(ike_sa_manager_t, checkout_new, ike_sa_t*,
 	return ike_sa;
 }
 
+/**
+ * Get the message ID or message hash to detect early retransmissions
+ */
+static u_int32_t get_message_id_or_hash(message_t *message)
+{
+	/* Use the message ID, or the message hash in IKEv1 Main/Aggressive mode */
+	if (message->get_major_version(message) == IKEV1_MAJOR_VERSION &&
+		message->get_message_id(message) == 0)
+	{
+		return chunk_hash(message->get_packet_data(message));
+	}
+	return message->get_message_id(message);
+}
+
 METHOD(ike_sa_manager_t, checkout_by_message, ike_sa_t*,
 	private_ike_sa_manager_t* this, message_t *message)
 {
@@ -1246,7 +1249,7 @@ METHOD(ike_sa_manager_t, checkout_by_message, ike_sa_t*,
 						entry->checked_out = TRUE;
 						unlock_single_segment(this, segment);
 
-						entry->message_id = message->get_message_id(message);
+						entry->processing = get_message_id_or_hash(message);
 						entry->init_hash = hash;
 
 						DBG2(DBG_MGR, "created IKE_SA %s[%u]",
@@ -1290,12 +1293,11 @@ METHOD(ike_sa_manager_t, checkout_by_message, ike_sa_t*,
 
 	if (get_entry_by_id(this, id, &entry, &segment) == SUCCESS)
 	{
-		/* only check out in IKEv2 if we are not already processing it */
-		if (message->get_request(message) &&
-			message->get_message_id(message) == entry->message_id)
+		/* only check out if we are not already processing it. */
+		if (entry->processing == get_message_id_or_hash(message))
 		{
 			DBG1(DBG_MGR, "ignoring request with ID %u, already processing",
-				 entry->message_id);
+				 entry->processing);
 		}
 		else if (wait_for_entry(this, entry, segment))
 		{
@@ -1305,7 +1307,7 @@ METHOD(ike_sa_manager_t, checkout_by_message, ike_sa_t*,
 			entry->checked_out = TRUE;
 			if (message->get_first_payload_type(message) != FRAGMENT_V1)
 			{
-				entry->message_id = message->get_message_id(message);
+				entry->processing = get_message_id_or_hash(message);
 			}
 			if (ike_id->get_responder_spi(ike_id) == 0)
 			{
@@ -1564,7 +1566,7 @@ METHOD(ike_sa_manager_t, checkin, void,
 		entry->ike_sa_id->replace_values(entry->ike_sa_id, ike_sa->get_id(ike_sa));
 		/* signal waiting threads */
 		entry->checked_out = FALSE;
-		entry->message_id = -1;
+		entry->processing = -1;
 		/* check if this SA is half-open */
 		if (entry->half_open && ike_sa->get_state(ike_sa) != IKE_CONNECTING)
 		{
@@ -1745,6 +1747,23 @@ METHOD(ike_sa_manager_t, create_id_enumerator, enumerator_t*,
 									 (void*)id_enumerator_cleanup, ids);
 }
 
+/**
+ * Move all CHILD_SAs from old to new
+ */
+static void adopt_children(ike_sa_t *old, ike_sa_t *new)
+{
+	enumerator_t *enumerator;
+	child_sa_t *child_sa;
+
+	enumerator = old->create_child_sa_enumerator(old);
+	while (enumerator->enumerate(enumerator, &child_sa))
+	{
+		old->remove_child_sa(old, enumerator);
+		new->add_child_sa(new, child_sa);
+	}
+	enumerator->destroy(enumerator);
+}
+
 METHOD(ike_sa_manager_t, check_uniqueness, bool,
 	private_ike_sa_manager_t *this, ike_sa_t *ike_sa, bool force_replace)
 {
@@ -1782,6 +1801,7 @@ METHOD(ike_sa_manager_t, check_uniqueness, bool,
 		{
 			DBG1(DBG_IKE, "destroying duplicate IKE_SA for peer '%Y', "
 				 "received INITIAL_CONTACT", other);
+			charon->bus->ike_updown(charon->bus, duplicate, FALSE);
 			checkin_and_destroy(this, duplicate);
 			continue;
 		}
@@ -1796,6 +1816,10 @@ METHOD(ike_sa_manager_t, check_uniqueness, bool,
 					{
 						case UNIQUE_REPLACE:
 							charon->bus->alert(charon->bus, ALERT_UNIQUE_REPLACE);
+							if (duplicate->get_version(duplicate) == IKEV1)
+							{
+								adopt_children(duplicate, ike_sa);
+							}
 							DBG1(DBG_IKE, "deleting duplicate IKE_SA for peer "
 									"'%Y' due to uniqueness policy", other);
 							status = duplicate->delete(duplicate);
diff --git a/src/libcharon/sa/ikev1/keymat_v1.c b/src/libcharon/sa/ikev1/keymat_v1.c
index eb642109b..39e4cad20 100644
--- a/src/libcharon/sa/ikev1/keymat_v1.c
+++ b/src/libcharon/sa/ikev1/keymat_v1.c
@@ -431,6 +431,7 @@ METHOD(keymat_v1_t, derive_ike_keys, bool,
 	{
 		case AUTH_PSK:
 		case AUTH_XAUTH_INIT_PSK:
+		case AUTH_XAUTH_RESP_PSK:
 		{	/* SKEYID = prf(pre-shared-key, Ni_b | Nr_b) */
 			chunk_t psk;
 			if (!shared_key)
diff --git a/src/libcharon/sa/ikev1/task_manager_v1.c b/src/libcharon/sa/ikev1/task_manager_v1.c
index 8a4761d5c..709033cb5 100644
--- a/src/libcharon/sa/ikev1/task_manager_v1.c
+++ b/src/libcharon/sa/ikev1/task_manager_v1.c
@@ -411,7 +411,7 @@ static bool send_fragment(private_task_manager_t *this, bool request,
 static bool send_packet(private_task_manager_t *this, bool request,
 						packet_t *packet)
 {
-	fragmentation_t fragmentation = FRAGMENTATION_NO;
+	bool use_frags = FALSE;
 	ike_cfg_t *ike_cfg;
 	host_t *src, *dst;
 	chunk_t data;
@@ -419,12 +419,21 @@ static bool send_packet(private_task_manager_t *this, bool request,
 	ike_cfg = this->ike_sa->get_ike_cfg(this->ike_sa);
 	if (ike_cfg)
 	{
-		fragmentation = ike_cfg->fragmentation(ike_cfg);
+		switch (ike_cfg->fragmentation(ike_cfg))
+		{
+			case FRAGMENTATION_FORCE:
+				use_frags = TRUE;
+				break;
+			case FRAGMENTATION_YES:
+				use_frags = this->ike_sa->supports_extension(this->ike_sa,
+														EXT_IKE_FRAGMENTATION);
+				break;
+			default:
+				break;
+		}
 	}
 	data = packet->get_data(packet);
-	if (data.len > this->frag.size && (fragmentation == FRAGMENTATION_FORCE ||
-	   (this->ike_sa->supports_extension(this->ike_sa, EXT_IKE_FRAGMENTATION) &&
-		fragmentation == FRAGMENTATION_YES)))
+	if (data.len > this->frag.size && use_frags)
 	{
 		fragment_payload_t *fragment;
 		u_int8_t num, count;
@@ -1163,6 +1172,15 @@ static status_t process_response(private_task_manager_t *this,
 
 	if (message->get_exchange_type(message) != this->initiating.type)
 	{
+		/* Windows server sends a fourth quick mode message having an initial
+		 * contact notify. Ignore this message for compatibility. */
+		if (this->initiating.type == EXCHANGE_TYPE_UNDEFINED &&
+			message->get_exchange_type(message) == QUICK_MODE &&
+			message->get_notify(message, INITIAL_CONTACT))
+		{
+			DBG1(DBG_IKE, "ignoring fourth Quick Mode message");
+			return SUCCESS;
+		}
 		DBG1(DBG_IKE, "received %N response, but expected %N",
 			 exchange_type_names, message->get_exchange_type(message),
 			 exchange_type_names, this->initiating.type);
@@ -1471,6 +1489,21 @@ METHOD(task_manager_t, process_message, status_t,
 			charon->bus->alert(charon->bus, ALERT_RETRANSMIT_RECEIVE, msg);
 			return SUCCESS;
 		}
+
+		/* reject Main/Aggressive Modes once established */
+		if (msg->get_exchange_type(msg) == ID_PROT ||
+			msg->get_exchange_type(msg) == AGGRESSIVE)
+		{
+			if (this->ike_sa->get_state(this->ike_sa) != IKE_CREATED &&
+				this->ike_sa->get_state(this->ike_sa) != IKE_CONNECTING &&
+				msg->get_first_payload_type(msg) != FRAGMENT_V1)
+			{
+				DBG1(DBG_IKE, "ignoring %N in established IKE_SA state",
+					 exchange_type_names, msg->get_exchange_type(msg));
+				return FAILED;
+			}
+		}
+
 		if (msg->get_exchange_type(msg) == TRANSACTION &&
 			this->active_tasks->get_count(this->active_tasks))
 		{	/* main mode not yet complete, queue XAuth/Mode config tasks */
@@ -2030,4 +2063,3 @@ task_manager_v1_t *task_manager_v1_create(ike_sa_t *ike_sa)
 
 	return &this->public;
 }
-
diff --git a/src/libcharon/sa/ikev1/tasks/aggressive_mode.c b/src/libcharon/sa/ikev1/tasks/aggressive_mode.c
index 7336d5d64..6b00706bf 100644
--- a/src/libcharon/sa/ikev1/tasks/aggressive_mode.c
+++ b/src/libcharon/sa/ikev1/tasks/aggressive_mode.c
@@ -30,6 +30,7 @@
 #include <sa/ikev1/tasks/informational.h>
 #include <sa/ikev1/tasks/isakmp_delete.h>
 #include <processing/jobs/adopt_children_job.h>
+#include <processing/jobs/delete_ike_sa_job.h>
 
 typedef struct private_aggressive_mode_t private_aggressive_mode_t;
 
@@ -299,8 +300,14 @@ METHOD(task_t, build_i, status_t,
 				case AUTH_XAUTH_INIT_PSK:
 				case AUTH_XAUTH_INIT_RSA:
 				case AUTH_HYBRID_INIT_RSA:
-					/* wait for XAUTH request */
+				{	/* wait for XAUTH request, since this may never come,
+					 * we queue a timeout */
+					job_t *job = (job_t*)delete_ike_sa_job_create(
+									this->ike_sa->get_id(this->ike_sa), FALSE);
+					lib->scheduler->schedule_job(lib->scheduler, job,
+												 HALF_OPEN_IKE_SA_TIMEOUT);
 					break;
+				}
 				case AUTH_XAUTH_RESP_PSK:
 				case AUTH_XAUTH_RESP_RSA:
 				case AUTH_HYBRID_RESP_RSA:
diff --git a/src/libcharon/sa/ikev1/tasks/main_mode.c b/src/libcharon/sa/ikev1/tasks/main_mode.c
index bc9d4bbc3..441bd7a78 100644
--- a/src/libcharon/sa/ikev1/tasks/main_mode.c
+++ b/src/libcharon/sa/ikev1/tasks/main_mode.c
@@ -30,6 +30,7 @@
 #include <sa/ikev1/tasks/informational.h>
 #include <sa/ikev1/tasks/isakmp_delete.h>
 #include <processing/jobs/adopt_children_job.h>
+#include <processing/jobs/delete_ike_sa_job.h>
 
 typedef struct private_main_mode_t private_main_mode_t;
 
@@ -638,8 +639,14 @@ METHOD(task_t, process_i, status_t,
 				case AUTH_XAUTH_INIT_PSK:
 				case AUTH_XAUTH_INIT_RSA:
 				case AUTH_HYBRID_INIT_RSA:
-					/* wait for XAUTH request */
+				{	/* wait for XAUTH request, since this may never come,
+					 * we queue a timeout */
+					job_t *job = (job_t*)delete_ike_sa_job_create(
+									this->ike_sa->get_id(this->ike_sa), FALSE);
+					lib->scheduler->schedule_job(lib->scheduler, job,
+												 HALF_OPEN_IKE_SA_TIMEOUT);
 					break;
+				}
 				case AUTH_XAUTH_RESP_PSK:
 				case AUTH_XAUTH_RESP_RSA:
 				case AUTH_HYBRID_RESP_RSA:
diff --git a/src/libcharon/sa/ikev1/tasks/quick_delete.c b/src/libcharon/sa/ikev1/tasks/quick_delete.c
index db48bc58e..e9f06cbe3 100644
--- a/src/libcharon/sa/ikev1/tasks/quick_delete.c
+++ b/src/libcharon/sa/ikev1/tasks/quick_delete.c
@@ -97,8 +97,8 @@ static bool delete_child(private_quick_delete_t *this,
 	}
 	else
 	{
-		child_sa->get_usestats(child_sa, TRUE, NULL, &bytes_in);
-		child_sa->get_usestats(child_sa, FALSE, NULL, &bytes_out);
+		child_sa->get_usestats(child_sa, TRUE, NULL, &bytes_in, NULL);
+		child_sa->get_usestats(child_sa, FALSE, NULL, &bytes_out, NULL);
 
 		DBG0(DBG_IKE, "closing CHILD_SA %s{%d} with SPIs "
 			 "%.8x_i (%llu bytes) %.8x_o (%llu bytes) and TS %#R=== %#R",
diff --git a/src/libcharon/sa/ikev1/tasks/quick_mode.c b/src/libcharon/sa/ikev1/tasks/quick_mode.c
index 1eae6aa93..7a0fb5788 100644
--- a/src/libcharon/sa/ikev1/tasks/quick_mode.c
+++ b/src/libcharon/sa/ikev1/tasks/quick_mode.c
@@ -576,12 +576,12 @@ static bool get_ts(private_quick_mode_t *this, message_t *message)
 	if (!tsi)
 	{
 		tsi = traffic_selector_create_from_subnet(hsi->clone(hsi),
-							hsi->get_family(hsi) == AF_INET ? 32 : 128, 0, 0);
+					hsi->get_family(hsi) == AF_INET ? 32 : 128, 0, 0, 65535);
 	}
 	if (!tsr)
 	{
 		tsr = traffic_selector_create_from_subnet(hsr->clone(hsr),
-							hsr->get_family(hsr) == AF_INET ? 32 : 128, 0, 0);
+					hsr->get_family(hsr) == AF_INET ? 32 : 128, 0, 0, 65535);
 	}
 	if (this->mode == MODE_TRANSPORT && this->udp &&
 	   (!tsi->is_host(tsi, hsi) || !tsr->is_host(tsr, hsr)))
@@ -594,20 +594,27 @@ static bool get_ts(private_quick_mode_t *this, message_t *message)
 
 	if (this->initiator)
 	{
+		traffic_selector_t *tsisub, *tsrsub;
+
 		/* check if peer selection is valid */
-		if (!tsr->is_contained_in(tsr, this->tsr) ||
-			!tsi->is_contained_in(tsi, this->tsi))
+		tsisub = this->tsi->get_subset(this->tsi, tsi);
+		tsrsub = this->tsr->get_subset(this->tsr, tsr);
+		if (!tsisub || !tsrsub)
 		{
 			DBG1(DBG_IKE, "peer selected invalid traffic selectors: "
 				 "%R for %R, %R for %R", tsi, this->tsi, tsr, this->tsr);
+			DESTROY_IF(tsisub);
+			DESTROY_IF(tsrsub);
 			tsi->destroy(tsi);
 			tsr->destroy(tsr);
 			return FALSE;
 		}
+		tsi->destroy(tsi);
+		tsr->destroy(tsr);
 		this->tsi->destroy(this->tsi);
 		this->tsr->destroy(this->tsr);
-		this->tsi = tsi;
-		this->tsr = tsr;
+		this->tsi = tsisub;
+		this->tsr = tsrsub;
 	}
 	else
 	{
@@ -914,30 +921,37 @@ static void check_for_rekeyed_child(private_quick_mode_t *this)
 	enumerator_t *enumerator, *policies;
 	traffic_selector_t *local, *remote;
 	child_sa_t *child_sa;
+	proposal_t *proposal;
+	char *name;
 
+	name = this->config->get_name(this->config);
 	enumerator = this->ike_sa->create_child_sa_enumerator(this->ike_sa);
 	while (this->reqid == 0 && enumerator->enumerate(enumerator, &child_sa))
 	{
-		if (child_sa->get_state(child_sa) == CHILD_INSTALLED &&
-			streq(child_sa->get_name(child_sa),
-				  this->config->get_name(this->config)))
+		if (streq(child_sa->get_name(child_sa), name))
 		{
-			policies = child_sa->create_policy_enumerator(child_sa);
-			if (policies->enumerate(policies, &local, &remote))
+			proposal = child_sa->get_proposal(child_sa);
+			switch (child_sa->get_state(child_sa))
 			{
-				if (local->equals(local, this->tsr) &&
-					remote->equals(remote, this->tsi) &&
-					this->proposal->equals(this->proposal,
-										   child_sa->get_proposal(child_sa)))
-				{
-					this->reqid = child_sa->get_reqid(child_sa);
-					this->rekey = child_sa->get_spi(child_sa, TRUE);
-					child_sa->set_state(child_sa, CHILD_REKEYING);
-					DBG1(DBG_IKE, "detected rekeying of CHILD_SA %s{%u}",
-						 child_sa->get_name(child_sa), this->reqid);
-				}
+				case CHILD_INSTALLED:
+				case CHILD_REKEYING:
+					policies = child_sa->create_policy_enumerator(child_sa);
+					if (policies->enumerate(policies, &local, &remote) &&
+						local->equals(local, this->tsr) &&
+						remote->equals(remote, this->tsi) &&
+						this->proposal->equals(this->proposal, proposal))
+					{
+						this->reqid = child_sa->get_reqid(child_sa);
+						this->rekey = child_sa->get_spi(child_sa, TRUE);
+						child_sa->set_state(child_sa, CHILD_REKEYING);
+						DBG1(DBG_IKE, "detected rekeying of CHILD_SA %s{%u}",
+							 child_sa->get_name(child_sa), this->reqid);
+					}
+					policies->destroy(policies);
+				break;
+			default:
+				break;
 			}
-			policies->destroy(policies);
 		}
 	}
 	enumerator->destroy(enumerator);
diff --git a/src/libcharon/sa/ikev1/tasks/xauth.c b/src/libcharon/sa/ikev1/tasks/xauth.c
index 10bea5636..31114e592 100644
--- a/src/libcharon/sa/ikev1/tasks/xauth.c
+++ b/src/libcharon/sa/ikev1/tasks/xauth.c
@@ -286,21 +286,55 @@ METHOD(task_t, build_i_status, status_t,
 	return NEED_MORE;
 }
 
+METHOD(task_t, process_i_status, status_t,
+	private_xauth_t *this, message_t *message)
+{
+	cp_payload_t *cp;
+
+	cp = (cp_payload_t*)message->get_payload(message, CONFIGURATION_V1);
+	if (!cp || cp->get_type(cp) != CFG_ACK)
+	{
+		DBG1(DBG_IKE, "received invalid XAUTH status response");
+		return FAILED;
+	}
+	if (this->status != XAUTH_OK)
+	{
+		DBG1(DBG_IKE, "destroying IKE_SA after failed XAuth authentication");
+		return FAILED;
+	}
+	if (!establish(this))
+	{
+		return FAILED;
+	}
+	this->ike_sa->set_condition(this->ike_sa, COND_XAUTH_AUTHENTICATED, TRUE);
+	lib->processor->queue_job(lib->processor, (job_t*)
+				adopt_children_job_create(this->ike_sa->get_id(this->ike_sa)));
+	return SUCCESS;
+}
+
 METHOD(task_t, build_i, status_t,
 	private_xauth_t *this, message_t *message)
 {
 	if (!this->xauth)
 	{
-		cp_payload_t *cp;
+		cp_payload_t *cp = NULL;
 
 		this->xauth = load_method(this);
 		if (!this->xauth)
 		{
 			return FAILED;
 		}
-		if (this->xauth->initiate(this->xauth, &cp) != NEED_MORE)
+		switch (this->xauth->initiate(this->xauth, &cp))
 		{
-			return FAILED;
+			case NEED_MORE:
+				break;
+			case SUCCESS:
+				DESTROY_IF(cp);
+				this->status = XAUTH_OK;
+				this->public.task.process = _process_i_status;
+				return build_i_status(this, message);
+			default:
+				return FAILED;
 		}
 		message->add_payload(message, (payload_t *)cp);
 		return NEED_MORE;
@@ -411,32 +445,6 @@ METHOD(task_t, build_r, status_t,
 	return NEED_MORE;
 }
 
-METHOD(task_t, process_i_status, status_t,
-	private_xauth_t *this, message_t *message)
-{
-	cp_payload_t *cp;
-
-	cp = (cp_payload_t*)message->get_payload(message, CONFIGURATION_V1);
-	if (!cp || cp->get_type(cp) != CFG_ACK)
-	{
-		DBG1(DBG_IKE, "received invalid XAUTH status response");
-		return FAILED;
-	}
-	if (this->status != XAUTH_OK)
-	{
-		DBG1(DBG_IKE, "destroying IKE_SA after failed XAuth authentication");
-		return FAILED;
-	}
-	if (!establish(this))
-	{
-		return FAILED;
-	}
-	this->ike_sa->set_condition(this->ike_sa, COND_XAUTH_AUTHENTICATED, TRUE);
-	lib->processor->queue_job(lib->processor, (job_t*)
-				adopt_children_job_create(this->ike_sa->get_id(this->ike_sa)));
-	return SUCCESS;
-}
-
 METHOD(task_t, process_i, status_t,
 	private_xauth_t *this, message_t *message)
 {
diff --git a/src/libcharon/sa/ikev2/authenticators/eap_authenticator.c b/src/libcharon/sa/ikev2/authenticators/eap_authenticator.c
index aa0644033..b8359cc88 100644
--- a/src/libcharon/sa/ikev2/authenticators/eap_authenticator.c
+++ b/src/libcharon/sa/ikev2/authenticators/eap_authenticator.c
@@ -667,6 +667,16 @@ METHOD(authenticator_t, build_client, status_t,
 METHOD(authenticator_t, is_mutual, bool,
 	private_eap_authenticator_t *this)
 {
+	if (this->method)
+	{
+		u_int32_t vendor;
+
+		if (this->method->get_type(this->method, &vendor) != EAP_IDENTITY ||
+			vendor != 0)
+		{
+			return this->method->is_mutual(this->method);
+		}
+	}
 	/* we don't know yet, but insist on it after EAP is complete */
 	this->require_mutual = TRUE;
 	return TRUE;
diff --git a/src/libcharon/sa/ikev2/task_manager_v2.c b/src/libcharon/sa/ikev2/task_manager_v2.c
index ea0117c54..5298abf79 100644
--- a/src/libcharon/sa/ikev2/task_manager_v2.c
+++ b/src/libcharon/sa/ikev2/task_manager_v2.c
@@ -475,6 +475,7 @@ METHOD(task_manager_t, initiate, status_t,
 				break;
 			case FAILED:
 			default:
+				this->initiating.type = EXCHANGE_TYPE_UNDEFINED;
 				if (this->ike_sa->get_state(this->ike_sa) != IKE_CONNECTING)
 				{
 					charon->bus->ike_updown(charon->bus, this->ike_sa, FALSE);
@@ -1123,6 +1124,18 @@ METHOD(task_manager_t, process_message, status_t,
 	{
 		if (mid == this->responding.mid)
 		{
+			/* reject initial messages once established */
+			if (msg->get_exchange_type(msg) == IKE_SA_INIT ||
+				msg->get_exchange_type(msg) == IKE_AUTH)
+			{
+				if (this->ike_sa->get_state(this->ike_sa) != IKE_CREATED &&
+					this->ike_sa->get_state(this->ike_sa) != IKE_CONNECTING)
+				{
+					DBG1(DBG_IKE, "ignoring %N in established IKE_SA state",
+						 exchange_type_names, msg->get_exchange_type(msg));
+					return FAILED;
+				}
+			}
 			if (this->ike_sa->get_state(this->ike_sa) == IKE_CREATED ||
 				this->ike_sa->get_state(this->ike_sa) == IKE_CONNECTING ||
 				msg->get_exchange_type(msg) != IKE_SA_INIT)
@@ -1163,6 +1176,10 @@ METHOD(task_manager_t, process_message, status_t,
 		{
 			DBG1(DBG_IKE, "received message ID %d, expected %d. Ignored",
 				 mid, this->responding.mid);
+			if (msg->get_exchange_type(msg) == IKE_SA_INIT)
+			{	/* clean up IKE_SA state if IKE_SA_INIT has invalid msg ID */
+				return DESTROY_ME;
+			}
 		}
 	}
 	else
diff --git a/src/libcharon/sa/ikev2/tasks/child_create.c b/src/libcharon/sa/ikev2/tasks/child_create.c
index eb3972c29..32c0e8c4a 100644
--- a/src/libcharon/sa/ikev2/tasks/child_create.c
+++ b/src/libcharon/sa/ikev2/tasks/child_create.c
@@ -18,6 +18,7 @@
 #include "child_create.h"
 
 #include <daemon.h>
+#include <hydra.h>
 #include <sa/ikev2/keymat_v2.h>
 #include <crypto/diffie_hellman.h>
 #include <credentials/certificates/x509.h>
@@ -615,6 +616,7 @@ static void build_payloads(private_child_create_t *this, message_t *message)
 	nonce_payload_t *nonce_payload;
 	ke_payload_t *ke_payload;
 	ts_payload_t *ts_payload;
+	kernel_feature_t features;
 
 	/* add SA payload */
 	if (this->initiator)
@@ -661,6 +663,13 @@ static void build_payloads(private_child_create_t *this, message_t *message)
 		default:
 			break;
 	}
+
+	features = hydra->kernel_interface->get_features(hydra->kernel_interface);
+	if (!(features & KERNEL_ESP_V3_TFC))
+	{
+		message->add_notify(message, FALSE, ESP_TFC_PADDING_NOT_SUPPORTED,
+							chunk_empty);
+	}
 }
 
 /**
diff --git a/src/libcharon/sa/ikev2/tasks/child_delete.c b/src/libcharon/sa/ikev2/tasks/child_delete.c
index 644af782c..8652942ad 100644
--- a/src/libcharon/sa/ikev2/tasks/child_delete.c
+++ b/src/libcharon/sa/ikev2/tasks/child_delete.c
@@ -264,8 +264,8 @@ static void log_children(private_child_delete_t *this)
 		}
 		else
 		{
-			child_sa->get_usestats(child_sa, TRUE, NULL, &bytes_in);
-			child_sa->get_usestats(child_sa, FALSE, NULL, &bytes_out);
+			child_sa->get_usestats(child_sa, TRUE, NULL, &bytes_in, NULL);
+			child_sa->get_usestats(child_sa, FALSE, NULL, &bytes_out, NULL);
 
 			DBG0(DBG_IKE, "closing CHILD_SA %s{%d} with SPIs %.8x_i "
 				 "(%llu bytes) %.8x_o (%llu bytes) and TS %#R=== %#R",
diff --git a/src/libcharon/sa/ikev2/tasks/child_rekey.c b/src/libcharon/sa/ikev2/tasks/child_rekey.c
index f8c2ed141..262cb10e0 100644
--- a/src/libcharon/sa/ikev2/tasks/child_rekey.c
+++ b/src/libcharon/sa/ikev2/tasks/child_rekey.c
@@ -86,6 +86,24 @@ struct private_child_rekey_t {
 	bool other_child_destroyed;
 };
 
+/**
+ * Schedule a retry if rekeying temporary failed
+ */
+static void schedule_delayed_rekey(private_child_rekey_t *this)
+{
+	u_int32_t retry;
+	job_t *job;
+
+	retry = RETRY_INTERVAL - (random() % RETRY_JITTER);
+	job = (job_t*)rekey_child_sa_job_create(
+						this->child_sa->get_reqid(this->child_sa),
+						this->child_sa->get_protocol(this->child_sa),
+						this->child_sa->get_spi(this->child_sa, TRUE));
+	DBG1(DBG_IKE, "CHILD_SA rekeying failed, trying again in %d seconds", retry);
+	this->child_sa->set_state(this->child_sa, CHILD_INSTALLED);
+	lib->scheduler->schedule_job(lib->scheduler, job, retry);
+}
+
 /**
  * Implementation of task_t.build for initiator, after rekeying
  */
@@ -166,8 +184,13 @@ METHOD(task_t, build_i, status_t,
 	}
 	reqid = this->child_sa->get_reqid(this->child_sa);
 	this->child_create->use_reqid(this->child_create, reqid);
-	this->child_create->task.build(&this->child_create->task, message);
 
+	if (this->child_create->task.build(&this->child_create->task,
+									   message) != NEED_MORE)
+	{
+		schedule_delayed_rekey(this);
+		return FAILED;
+	}
 	this->child_sa->set_state(this->child_sa, CHILD_REKEYING);
 
 	return NEED_MORE;
@@ -316,17 +339,7 @@ METHOD(task_t, process_i, status_t,
 		if (!(this->collision &&
 			  this->collision->get_type(this->collision) == TASK_CHILD_DELETE))
 		{
-			job_t *job;
-			u_int32_t retry = RETRY_INTERVAL - (random() % RETRY_JITTER);
-
-			job = (job_t*)rekey_child_sa_job_create(
-								this->child_sa->get_reqid(this->child_sa),
-								this->child_sa->get_protocol(this->child_sa),
-								this->child_sa->get_spi(this->child_sa, TRUE));
-			DBG1(DBG_IKE, "CHILD_SA rekeying failed, "
-								"trying again in %d seconds", retry);
-			this->child_sa->set_state(this->child_sa, CHILD_INSTALLED);
-			lib->scheduler->schedule_job(lib->scheduler, job, retry);
+			schedule_delayed_rekey(this);
 		}
 		return SUCCESS;
 	}
diff --git a/src/libcharon/sa/ikev2/tasks/ike_auth.c b/src/libcharon/sa/ikev2/tasks/ike_auth.c
index 70efcd7af..942f97cf5 100644
--- a/src/libcharon/sa/ikev2/tasks/ike_auth.c
+++ b/src/libcharon/sa/ikev2/tasks/ike_auth.c
@@ -222,6 +222,18 @@ static auth_cfg_t *get_auth_cfg(private_ike_auth_t *this, bool local)
 	return next;
 }
 
+/**
+ * Move the currently active auth config to the auth configs completed
+ */
+static void apply_auth_cfg(private_ike_auth_t *this, bool local)
+{
+	auth_cfg_t *cfg;
+
+	cfg = auth_cfg_create();
+	cfg->merge(cfg, this->ike_sa->get_auth_cfg(this->ike_sa, local), local);
+	this->ike_sa->add_auth_cfg(this->ike_sa, local, cfg);
+}
+
 /**
  * Check if we have should initiate another authentication round
  */
@@ -307,7 +319,7 @@ static bool update_cfg_candidates(private_ike_auth_t *this, bool strict)
 	{
 		if (this->peer_cfg)
 		{
-			bool complies = TRUE;
+			char *comply_error = NULL;
 			enumerator_t *e1, *e2, *tmp;
 			auth_cfg_t *c1, *c2;
 
@@ -324,22 +336,30 @@ static bool update_cfg_candidates(private_ike_auth_t *this, bool strict)
 			while (e1->enumerate(e1, &c1))
 			{
 				/* check if done authentications comply to configured ones */
-				if ((!e2->enumerate(e2, &c2)) ||
-					(!strict && !c1->complies(c1, c2, TRUE)) ||
-					(strict && !c2->complies(c2, c1, TRUE)))
+				if (!e2->enumerate(e2, &c2))
+				{
+					comply_error = "insufficient authentication rounds";
+					break;
+				}
+				if (!strict && !c1->complies(c1, c2, TRUE))
 				{
-					complies = FALSE;
+					comply_error = "non-matching authentication done";
+					break;
+				}
+				if (strict && !c2->complies(c2, c1, TRUE))
+				{
+					comply_error = "constraint checking failed";
 					break;
 				}
 			}
 			e1->destroy(e1);
 			e2->destroy(e2);
-			if (complies)
+			if (!comply_error)
 			{
 				break;
 			}
-			DBG1(DBG_CFG, "selected peer config '%s' inacceptable",
-				 this->peer_cfg->get_name(this->peer_cfg));
+			DBG1(DBG_CFG, "selected peer config '%s' inacceptable: %s",
+				 this->peer_cfg->get_name(this->peer_cfg), comply_error);
 			this->peer_cfg->destroy(this->peer_cfg);
 		}
 		if (this->candidates->remove_first(this->candidates,
@@ -464,10 +484,7 @@ METHOD(task_t, build_i, status_t,
 	switch (this->my_auth->build(this->my_auth, message))
 	{
 		case SUCCESS:
-			/* authentication step complete, reset authenticator */
-			cfg = auth_cfg_create();
-			cfg->merge(cfg, this->ike_sa->get_auth_cfg(this->ike_sa, TRUE), TRUE);
-			this->ike_sa->add_auth_cfg(this->ike_sa, TRUE, cfg);
+			apply_auth_cfg(this, TRUE);
 			this->my_auth->destroy(this->my_auth);
 			this->my_auth = NULL;
 			break;
@@ -640,10 +657,7 @@ METHOD(task_t, process_r, status_t,
 		return NEED_MORE;
 	}
 
-	/* store authentication information */
-	cfg = auth_cfg_create();
-	cfg->merge(cfg, this->ike_sa->get_auth_cfg(this->ike_sa, FALSE), FALSE);
-	this->ike_sa->add_auth_cfg(this->ike_sa, FALSE, cfg);
+	apply_auth_cfg(this, FALSE);
 
 	if (!update_cfg_candidates(this, FALSE))
 	{
@@ -778,10 +792,7 @@ METHOD(task_t, build_r, status_t,
 		switch (this->my_auth->build(this->my_auth, message))
 		{
 			case SUCCESS:
-				cfg = auth_cfg_create();
-				cfg->merge(cfg, this->ike_sa->get_auth_cfg(this->ike_sa, TRUE),
-						   TRUE);
-				this->ike_sa->add_auth_cfg(this->ike_sa, TRUE, cfg);
+				apply_auth_cfg(this, TRUE);
 				this->my_auth->destroy(this->my_auth);
 				this->my_auth = NULL;
 				break;
@@ -969,10 +980,10 @@ METHOD(task_t, process_i, status_t,
 			goto peer_auth_failed;
 		}
 
-		/* store authentication information, reset authenticator */
-		cfg = auth_cfg_create();
-		cfg->merge(cfg, this->ike_sa->get_auth_cfg(this->ike_sa, FALSE), FALSE);
-		this->ike_sa->add_auth_cfg(this->ike_sa, FALSE, cfg);
+		if (!mutual_eap)
+		{
+			apply_auth_cfg(this, FALSE);
+		}
 	}
 
 	if (this->my_auth)
@@ -980,10 +991,11 @@ METHOD(task_t, process_i, status_t,
 		switch (this->my_auth->process(this->my_auth, message))
 		{
 			case SUCCESS:
-				cfg = auth_cfg_create();
-				cfg->merge(cfg, this->ike_sa->get_auth_cfg(this->ike_sa, TRUE),
-						   TRUE);
-				this->ike_sa->add_auth_cfg(this->ike_sa, TRUE, cfg);
+				apply_auth_cfg(this, TRUE);
+				if (this->my_auth->is_mutual(this->my_auth))
+				{
+					apply_auth_cfg(this, FALSE);
+				}
 				this->my_auth->destroy(this->my_auth);
 				this->my_auth = NULL;
 				this->do_another_auth = do_another_auth(this);
diff --git a/src/libcharon/sa/ikev2/tasks/ike_dpd.c b/src/libcharon/sa/ikev2/tasks/ike_dpd.c
index 28ccc2efe..7a33f7938 100644
--- a/src/libcharon/sa/ikev2/tasks/ike_dpd.c
+++ b/src/libcharon/sa/ikev2/tasks/ike_dpd.c
@@ -37,12 +37,6 @@ METHOD(task_t, return_need_more, status_t,
 	return NEED_MORE;
 }
 
-METHOD(task_t, return_success, status_t,
-	private_ike_dpd_t *this, message_t *message)
-{
-	return SUCCESS;
-}
-
 METHOD(task_t, get_type, task_type_t,
 	private_ike_dpd_t *this)
 {
@@ -82,11 +76,11 @@ ike_dpd_t *ike_dpd_create(bool initiator)
 	if (initiator)
 	{
 		this->public.task.build = _return_need_more;
-		this->public.task.process = _return_success;
+		this->public.task.process = (void*)return_success;
 	}
 	else
 	{
-		this->public.task.build = _return_success;
+		this->public.task.build = (void*)return_success;
 		this->public.task.process = _return_need_more;
 	}
 
diff --git a/src/libcharon/sa/xauth/xauth_manager.c b/src/libcharon/sa/xauth/xauth_manager.c
index f0602a673..5709dc652 100644
--- a/src/libcharon/sa/xauth/xauth_manager.c
+++ b/src/libcharon/sa/xauth/xauth_manager.c
@@ -112,8 +112,11 @@ METHOD(xauth_manager_t, create_instance, xauth_method_t*,
 	enumerator = this->methods->create_enumerator(this->methods);
 	while (enumerator->enumerate(enumerator, &entry))
 	{
-		if (role == entry->role &&
-			(!name || streq(name, entry->name)))
+		if (!name && streq(entry->name, "noauth"))
+		{	/* xauth-noauth has to be configured explicitly */
+			continue;
+		}
+		if (role == entry->role && (!name || streq(name, entry->name)))
 		{
 			method = entry->constructor(server, peer);
 			if (method)
diff --git a/src/libfast/Makefile.in b/src/libfast/Makefile.in
index 906ea2119..2733a91b4 100644
--- a/src/libfast/Makefile.in
+++ b/src/libfast/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.11.3 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
@@ -17,6 +17,23 @@
 
 
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -105,6 +122,11 @@ LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
 	$(LDFLAGS) -o $@
 SOURCES = $(libfast_la_SOURCES)
 DIST_SOURCES = $(libfast_la_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 am__nobase_fast_include_HEADERS_DIST = context.h controller.h \
 	dispatcher.h filter.h request.h session.h smtp.h
 HEADERS = $(nobase_fast_include_HEADERS)
@@ -124,6 +146,8 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -140,6 +164,7 @@ EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
@@ -208,8 +233,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -265,7 +288,6 @@ nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
@@ -348,7 +370,6 @@ $(ACLOCAL_M4):  $(am__aclocal_m4_deps)
 $(am__aclocal_m4_deps):
 install-ipseclibLTLIBRARIES: $(ipseclib_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
-	test -z "$(ipseclibdir)" || $(MKDIR_P) "$(DESTDIR)$(ipseclibdir)"
 	@list='$(ipseclib_LTLIBRARIES)'; test -n "$(ipseclibdir)" || list=; \
 	list2=; for p in $$list; do \
 	  if test -f $$p; then \
@@ -356,6 +377,8 @@ install-ipseclibLTLIBRARIES: $(ipseclib_LTLIBRARIES)
 	  else :; fi; \
 	done; \
 	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(ipseclibdir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(ipseclibdir)" || exit 1; \
 	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(ipseclibdir)'"; \
 	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(ipseclibdir)"; \
 	}
@@ -419,15 +442,18 @@ clean-libtool:
 	-rm -rf .libs _libs
 install-nobase_fast_includeHEADERS: $(nobase_fast_include_HEADERS)
 	@$(NORMAL_INSTALL)
-	test -z "$(fast_includedir)" || $(MKDIR_P) "$(DESTDIR)$(fast_includedir)"
 	@list='$(nobase_fast_include_HEADERS)'; test -n "$(fast_includedir)" || list=; \
+	if test -n "$$list"; then \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(fast_includedir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(fast_includedir)" || exit 1; \
+	fi; \
 	$(am__nobase_list) | while read dir files; do \
 	  xfiles=; for file in $$files; do \
 	    if test -f "$$file"; then xfiles="$$xfiles $$file"; \
 	    else xfiles="$$xfiles $(srcdir)/$$file"; fi; done; \
 	  test -z "$$xfiles" || { \
 	    test "x$$dir" = x. || { \
-	      echo "$(MKDIR_P) '$(DESTDIR)$(fast_includedir)/$$dir'"; \
+	      echo " $(MKDIR_P) '$(DESTDIR)$(fast_includedir)/$$dir'"; \
 	      $(MKDIR_P) "$(DESTDIR)$(fast_includedir)/$$dir"; }; \
 	    echo " $(INSTALL_HEADER) $$xfiles '$(DESTDIR)$(fast_includedir)/$$dir'"; \
 	    $(INSTALL_HEADER) $$xfiles "$(DESTDIR)$(fast_includedir)/$$dir" || exit $$?; }; \
diff --git a/src/libfast/controller.h b/src/libfast/controller.h
index 1edf72e90..7a7efc706 100644
--- a/src/libfast/controller.h
+++ b/src/libfast/controller.h
@@ -14,7 +14,7 @@
  */
 
 /**
- * @defgroup controller_i controller
+ * @defgroup controller controller
  * @{ @ingroup libfast
  */
 
diff --git a/src/libhydra/Android.mk b/src/libhydra/Android.mk
index 075f8dbcb..429feed55 100644
--- a/src/libhydra/Android.mk
+++ b/src/libhydra/Android.mk
@@ -2,7 +2,7 @@ LOCAL_PATH := $(call my-dir)
 include $(CLEAR_VARS)
 
 # copy-n-paste from Makefile.am
-LOCAL_SRC_FILES := \
+libhydra_la_SOURCES := \
 hydra.c hydra.h \
 attributes/attributes.c attributes/attributes.h \
 attributes/attribute_provider.h attributes/attribute_handler.h \
@@ -13,6 +13,8 @@ kernel/kernel_ipsec.c kernel/kernel_ipsec.h \
 kernel/kernel_net.c kernel/kernel_net.h \
 kernel/kernel_listener.h
 
+LOCAL_SRC_FILES := $(filter %.c,$(libhydra_la_SOURCES))
+
 # adding the plugin source files
 
 LOCAL_SRC_FILES += $(call add_plugin, attr)
diff --git a/src/libhydra/Makefile.in b/src/libhydra/Makefile.in
index f433b24dc..4504822ad 100644
--- a/src/libhydra/Makefile.in
+++ b/src/libhydra/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.11.3 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
@@ -16,6 +16,23 @@
 @SET_MAKE@
 
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -123,6 +140,11 @@ RECURSIVE_TARGETS = all-recursive check-recursive dvi-recursive \
 	install-pdf-recursive install-ps-recursive install-recursive \
 	installcheck-recursive installdirs-recursive pdf-recursive \
 	ps-recursive uninstall-recursive
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 RECURSIVE_CLEAN_TARGETS = mostlyclean-recursive clean-recursive	\
   distclean-recursive maintainer-clean-recursive
 AM_RECURSIVE_TARGETS = $(RECURSIVE_TARGETS:-recursive=) \
@@ -172,6 +194,8 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -188,6 +212,7 @@ EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
@@ -256,8 +281,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -313,7 +336,6 @@ nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
@@ -416,7 +438,6 @@ $(ACLOCAL_M4):  $(am__aclocal_m4_deps)
 $(am__aclocal_m4_deps):
 install-ipseclibLTLIBRARIES: $(ipseclib_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
-	test -z "$(ipseclibdir)" || $(MKDIR_P) "$(DESTDIR)$(ipseclibdir)"
 	@list='$(ipseclib_LTLIBRARIES)'; test -n "$(ipseclibdir)" || list=; \
 	list2=; for p in $$list; do \
 	  if test -f $$p; then \
@@ -424,6 +445,8 @@ install-ipseclibLTLIBRARIES: $(ipseclib_LTLIBRARIES)
 	  else :; fi; \
 	done; \
 	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(ipseclibdir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(ipseclibdir)" || exit 1; \
 	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(ipseclibdir)'"; \
 	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(ipseclibdir)"; \
 	}
@@ -698,13 +721,10 @@ distdir: $(DISTFILES)
 	done
 	@list='$(DIST_SUBDIRS)'; for subdir in $$list; do \
 	  if test "$$subdir" = .; then :; else \
-	    test -d "$(distdir)/$$subdir" \
-	    || $(MKDIR_P) "$(distdir)/$$subdir" \
-	    || exit 1; \
-	  fi; \
-	done
-	@list='$(DIST_SUBDIRS)'; for subdir in $$list; do \
-	  if test "$$subdir" = .; then :; else \
+	    $(am__make_dryrun) \
+	      || test -d "$(distdir)/$$subdir" \
+	      || $(MKDIR_P) "$(distdir)/$$subdir" \
+	      || exit 1; \
 	    dir1=$$subdir; dir2="$(distdir)/$$subdir"; \
 	    $(am__relativize); \
 	    new_distdir=$$reldir; \
diff --git a/src/libhydra/attributes/mem_pool.c b/src/libhydra/attributes/mem_pool.c
index af53e10de..c82b1d02f 100644
--- a/src/libhydra/attributes/mem_pool.c
+++ b/src/libhydra/attributes/mem_pool.c
@@ -21,7 +21,7 @@
 #include <collections/linked_list.h>
 #include <threading/mutex.h>
 
-#define POOL_LIMIT (sizeof(uintptr_t)*8)
+#define POOL_LIMIT (sizeof(u_int)*8 - 1)
 
 typedef struct private_mem_pool_t private_mem_pool_t;
 
@@ -513,12 +513,11 @@ METHOD(mem_pool_t, destroy, void,
 }
 
 /**
- * Described in header
+ * Generic constructor
  */
-mem_pool_t *mem_pool_create(char *name, host_t *base, int bits)
+static private_mem_pool_t *create_generic(char *name)
 {
 	private_mem_pool_t *this;
-	int addr_bits;
 
 	INIT(this,
 		.public = {
@@ -538,6 +537,18 @@ mem_pool_t *mem_pool_create(char *name, host_t *base, int bits)
 		.mutex = mutex_create(MUTEX_TYPE_DEFAULT),
 	);
 
+	return this;
+}
+
+/**
+ * Described in header
+ */
+mem_pool_t *mem_pool_create(char *name, host_t *base, int bits)
+{
+	private_mem_pool_t *this;
+	int addr_bits;
+
+	this = create_generic(name);
 	if (base)
 	{
 		addr_bits = base->get_family(base) == AF_INET ? 32 : 128;
@@ -550,7 +561,7 @@ mem_pool_t *mem_pool_create(char *name, host_t *base, int bits)
 			DBG1(DBG_CFG, "virtual IP pool too large, limiting to %H/%d",
 				 base, addr_bits - bits);
 		}
-		this->size = 1 << (bits);
+		this->size = 1 << bits;
 
 		if (this->size > 2)
 		{	/* do not use first and last addresses of a block */
@@ -563,3 +574,37 @@ mem_pool_t *mem_pool_create(char *name, host_t *base, int bits)
 	return &this->public;
 }
 
+/**
+ * Described in header
+ */
+mem_pool_t *mem_pool_create_range(char *name, host_t *from, host_t *to)
+{
+	private_mem_pool_t *this;
+	chunk_t fromaddr, toaddr;
+	u_int32_t diff;
+
+	fromaddr = from->get_address(from);
+	toaddr = to->get_address(to);
+
+	if (from->get_family(from) != to->get_family(to) ||
+		fromaddr.len != toaddr.len || fromaddr.len < sizeof(diff) ||
+		memcmp(fromaddr.ptr, toaddr.ptr, toaddr.len) > 0)
+	{
+		DBG1(DBG_CFG, "invalid IP address range: %H-%H", from, to);
+		return NULL;
+	}
+	if (fromaddr.len > sizeof(diff) &&
+		!chunk_equals(chunk_create(fromaddr.ptr, fromaddr.len - sizeof(diff)),
+					  chunk_create(toaddr.ptr, toaddr.len - sizeof(diff))))
+	{
+		DBG1(DBG_CFG, "IP address range too large: %H-%H", from, to);
+		return NULL;
+	}
+	this = create_generic(name);
+	this->base = from->clone(from);
+	diff = untoh32(toaddr.ptr + toaddr.len - sizeof(diff)) -
+		   untoh32(fromaddr.ptr + fromaddr.len - sizeof(diff));
+	this->size = diff + 1;
+
+	return &this->public;
+}
diff --git a/src/libhydra/attributes/mem_pool.h b/src/libhydra/attributes/mem_pool.h
index 692885ecd..7347bb547 100644
--- a/src/libhydra/attributes/mem_pool.h
+++ b/src/libhydra/attributes/mem_pool.h
@@ -89,7 +89,7 @@ struct mem_pool_t {
 	 *
 	 * @param id		the id to acquire an address for
 	 * @param requested	acquire this address, if possible
-	 * @param existing	TRUE to look for an existing lease, FALSE for a new one
+	 * @param operation	acquire operation to perform, see above
 	 * @return			the acquired address
 	 */
 	host_t* (*acquire_address)(mem_pool_t *this, identification_t *id,
@@ -128,9 +128,19 @@ struct mem_pool_t {
  *
  * @param name		name of this pool
  * @param base		base address of this pool, NULL to create an empty pool
- * @param bits		net mask
+ * @param bits		number of non-network bits in base, as in CIDR notation
+ * @return			memory pool instance
  */
 mem_pool_t *mem_pool_create(char *name, host_t *base, int bits);
 
-#endif /** MEM_POOL_H_ @} */
+/**
+ * Create an in-memory IP address from a range.
+ *
+ * @param name		name of this pool
+ * @param from		start of ranged pool
+ * @param to		end of ranged pool
+ * @return			memory pool instance, NULL if range invalid
+ */
+mem_pool_t *mem_pool_create_range(char *name, host_t *from, host_t *to);
 
+#endif /** MEM_POOL_H_ @} */
diff --git a/src/libhydra/kernel/kernel_interface.c b/src/libhydra/kernel/kernel_interface.c
index 8948e0561..53b8324b7 100644
--- a/src/libhydra/kernel/kernel_interface.c
+++ b/src/libhydra/kernel/kernel_interface.c
@@ -137,6 +137,22 @@ struct private_kernel_interface_t {
 	bool ifaces_exclude;
 };
 
+METHOD(kernel_interface_t, get_features, kernel_feature_t,
+	private_kernel_interface_t *this)
+{
+	kernel_feature_t features = 0;
+
+	if (this->ipsec && this->ipsec->get_features)
+	{
+		features |= this->ipsec->get_features(this->ipsec);
+	}
+	if (this->net && this->net->get_features)
+	{
+		features |= this->net->get_features(this->net);
+	}
+	return features;
+}
+
 METHOD(kernel_interface_t, get_spi, status_t,
 	private_kernel_interface_t *this, host_t *src, host_t *dst,
 	u_int8_t protocol, u_int32_t reqid, u_int32_t *spi)
@@ -191,13 +207,15 @@ METHOD(kernel_interface_t, update_sa, status_t,
 
 METHOD(kernel_interface_t, query_sa, status_t,
 	private_kernel_interface_t *this, host_t *src, host_t *dst,
-	u_int32_t spi, u_int8_t protocol, mark_t mark, u_int64_t *bytes)
+	u_int32_t spi, u_int8_t protocol, mark_t mark,
+	u_int64_t *bytes, u_int64_t *packets)
 {
 	if (!this->ipsec)
 	{
 		return NOT_SUPPORTED;
 	}
-	return this->ipsec->query_sa(this->ipsec, src, dst, spi, protocol, mark, bytes);
+	return this->ipsec->query_sa(this->ipsec, src, dst, spi, protocol, mark,
+								 bytes, packets);
 }
 
 METHOD(kernel_interface_t, del_sa, status_t,
@@ -682,6 +700,7 @@ kernel_interface_t *kernel_interface_create()
 
 	INIT(this,
 		.public = {
+			.get_features = _get_features,
 			.get_spi = _get_spi,
 			.get_cpi = _get_cpi,
 			.add_sa = _add_sa,
@@ -757,4 +776,3 @@ kernel_interface_t *kernel_interface_create()
 
 	return &this->public;
 }
-
diff --git a/src/libhydra/kernel/kernel_interface.h b/src/libhydra/kernel/kernel_interface.h
index 8d8ef2e83..1d2253b94 100644
--- a/src/libhydra/kernel/kernel_interface.h
+++ b/src/libhydra/kernel/kernel_interface.h
@@ -47,6 +47,7 @@
 #define KERNEL_INTERFACE_H_
 
 typedef struct kernel_interface_t kernel_interface_t;
+typedef enum kernel_feature_t kernel_feature_t;
 
 #include <networking/host.h>
 #include <crypto/prf_plus.h>
@@ -55,6 +56,17 @@ typedef struct kernel_interface_t kernel_interface_t;
 #include <kernel/kernel_ipsec.h>
 #include <kernel/kernel_net.h>
 
+/**
+ * Bitfield of optional features a kernel backend supports.
+ *
+ * This feature-set is for both, kernel_ipsec_t and kernel_net_t. Each
+ * backend returns a subset of these features.
+ */
+enum kernel_feature_t {
+	/** IPsec can process ESPv3 (RFC 4303) TFC padded packets */
+	KERNEL_ESP_V3_TFC = (1<<0),
+};
+
 /**
  * Constructor function for ipsec kernel interface
  */
@@ -73,6 +85,13 @@ typedef kernel_net_t* (*kernel_net_constructor_t)(void);
  */
 struct kernel_interface_t {
 
+	/**
+	 * Get the feature set supported by the net and ipsec kernel backends.
+	 *
+	 * @return				ORed feature-set of backends
+	 */
+	kernel_feature_t (*get_features)(kernel_interface_t *this);
+
 	/**
 	 * Get a SPI from the kernel.
 	 *
@@ -175,11 +194,12 @@ struct kernel_interface_t {
 	 * @param protocol		protocol for this SA (ESP/AH)
 	 * @param mark			optional mark for this SA
 	 * @param[out] bytes	the number of bytes processed by SA
+	 * @param[out] packets	number of packets processed by SA
 	 * @return				SUCCESS if operation completed
 	 */
 	status_t (*query_sa) (kernel_interface_t *this, host_t *src, host_t *dst,
 						  u_int32_t spi, u_int8_t protocol, mark_t mark,
-						  u_int64_t *bytes);
+						  u_int64_t *bytes, u_int64_t *packets);
 
 	/**
 	 * Delete a previously installed SA from the SAD.
diff --git a/src/libhydra/kernel/kernel_ipsec.h b/src/libhydra/kernel/kernel_ipsec.h
index 1da0805cb..ba67238e5 100644
--- a/src/libhydra/kernel/kernel_ipsec.h
+++ b/src/libhydra/kernel/kernel_ipsec.h
@@ -30,6 +30,7 @@ typedef struct kernel_ipsec_t kernel_ipsec_t;
 #include <ipsec/ipsec_types.h>
 #include <selectors/traffic_selector.h>
 #include <plugins/plugin.h>
+#include <kernel/kernel_interface.h>
 
 /**
  * Interface to the ipsec subsystem of the kernel.
@@ -44,6 +45,13 @@ typedef struct kernel_ipsec_t kernel_ipsec_t;
  */
 struct kernel_ipsec_t {
 
+	/**
+	 * Get the feature set supported by this kernel backend.
+	 *
+	 * @return				ORed feature-set of backend
+	 */
+	kernel_feature_t (*get_features)(kernel_ipsec_t *this);
+
 	/**
 	 * Get a SPI from the kernel.
 	 *
@@ -146,11 +154,12 @@ struct kernel_ipsec_t {
 	 * @param protocol		protocol for this SA (ESP/AH)
 	 * @param mark			optional mark for this SA
 	 * @param[out] bytes	the number of bytes processed by SA
+	 * @param[out] packets	number of packets processed by SA
 	 * @return				SUCCESS if operation completed
 	 */
 	status_t (*query_sa) (kernel_ipsec_t *this, host_t *src, host_t *dst,
 						  u_int32_t spi, u_int8_t protocol, mark_t mark,
-						  u_int64_t *bytes);
+						  u_int64_t *bytes, u_int64_t *packets);
 
 	/**
 	 * Delete a previusly installed SA from the SAD.
diff --git a/src/libhydra/kernel/kernel_net.h b/src/libhydra/kernel/kernel_net.h
index 6a3b2cee7..0d3417f1d 100644
--- a/src/libhydra/kernel/kernel_net.h
+++ b/src/libhydra/kernel/kernel_net.h
@@ -28,6 +28,7 @@ typedef enum kernel_address_type_t kernel_address_type_t;
 #include <collections/enumerator.h>
 #include <networking/host.h>
 #include <plugins/plugin.h>
+#include <kernel/kernel_interface.h>
 
 /**
  * Type of addresses (e.g. when enumerating them)
@@ -55,6 +56,13 @@ enum kernel_address_type_t {
  */
 struct kernel_net_t {
 
+	/**
+	 * Get the feature set supported by this kernel backend.
+	 *
+	 * @return				ORed feature-set of backend
+	 */
+	kernel_feature_t (*get_features)(kernel_net_t *this);
+
 	/**
 	 * Get our outgoing source address for a destination.
 	 *
diff --git a/src/libhydra/plugins/attr/Makefile.in b/src/libhydra/plugins/attr/Makefile.in
index 9dc84880a..cb2cf1eaf 100644
--- a/src/libhydra/plugins/attr/Makefile.in
+++ b/src/libhydra/plugins/attr/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.11.3 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
@@ -16,6 +16,23 @@
 @SET_MAKE@
 
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -104,6 +121,11 @@ LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
 	$(LDFLAGS) -o $@
 SOURCES = $(libstrongswan_attr_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_attr_la_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
@@ -120,6 +142,8 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -136,6 +160,7 @@ EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
@@ -204,8 +229,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -261,7 +284,6 @@ nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
@@ -349,7 +371,6 @@ clean-noinstLTLIBRARIES:
 	done
 install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
-	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
 	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
 	list2=; for p in $$list; do \
 	  if test -f $$p; then \
@@ -357,6 +378,8 @@ install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	  else :; fi; \
 	done; \
 	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \
 	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
 	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
 	}
diff --git a/src/libhydra/plugins/attr/attr_provider.c b/src/libhydra/plugins/attr/attr_provider.c
index 1f333d03f..329f317dd 100644
--- a/src/libhydra/plugins/attr/attr_provider.c
+++ b/src/libhydra/plugins/attr/attr_provider.c
@@ -185,6 +185,7 @@ static void load_entries(private_attr_provider_t *this)
 		configuration_attribute_type_t type;
 		attribute_type_key_t *mapped = NULL;
 		attribute_entry_t *entry;
+		chunk_t data;
 		host_t *host;
 		char *pos;
 		int i, mask = -1, family;
@@ -218,34 +219,44 @@ static void load_entries(private_attr_provider_t *this)
 			host = host_create_from_string(token, 0);
 			if (!host)
 			{
-				DBG1(DBG_CFG, "invalid host in key %s: %s", key, token);
-				continue;
-			}
-			family = host->get_family(host);
-			entry = malloc_thing(attribute_entry_t);
-			entry->type = type ?: (family == AF_INET ? mapped->v4 : mapped->v6);
-			if (mask == -1)
-			{
-				entry->value = chunk_clone(host->get_address(host));
+				if (!type)
+				{
+					DBG1(DBG_CFG, "invalid host in key %s: %s", key, token);
+					continue;
+				}
+				/* store numeric attributes that are no IP addresses as strings */
+				data = chunk_clone(chunk_from_str(token));
 			}
 			else
 			{
-				if (family == AF_INET)
-				{	/* IPv4 attributes contain a subnet mask */
-					u_int32_t netmask;
-
-					mask = 32 - mask;
-					netmask = htonl((0xFFFFFFFF >> mask) << mask);
-					entry->value = chunk_cat("cc", host->get_address(host),
-											 chunk_from_thing(netmask));
+				family = host->get_family(host);
+				if (mask == -1)
+				{
+					data = chunk_clone(host->get_address(host));
 				}
 				else
-				{	/* IPv6 addresses the prefix only */
-					entry->value = chunk_cat("cc", host->get_address(host),
-											 chunk_from_chars(mask));
+				{
+					if (family == AF_INET)
+					{	/* IPv4 attributes contain a subnet mask */
+						u_int32_t netmask;
+
+						mask = 32 - mask;
+						netmask = htonl((0xFFFFFFFF >> mask) << mask);
+						data = chunk_cat("cc", host->get_address(host),
+										 chunk_from_thing(netmask));
+					}
+					else
+					{	/* IPv6 addresses the prefix only */
+						data = chunk_cat("cc", host->get_address(host),
+										 chunk_from_chars(mask));
+					}
 				}
+				host->destroy(host);
 			}
-			host->destroy(host);
+			INIT(entry,
+				.type = type ?: (family == AF_INET ? mapped->v4 : mapped->v6),
+				.value = data,
+			);
 			DBG2(DBG_CFG, "loaded attribute %N: %#B",
 				 configuration_attribute_type_names, entry->type, &entry->value);
 			this->attributes->insert_last(this->attributes, entry);
diff --git a/src/libhydra/plugins/attr_sql/Makefile.in b/src/libhydra/plugins/attr_sql/Makefile.in
index 416712f3d..155db8581 100644
--- a/src/libhydra/plugins/attr_sql/Makefile.in
+++ b/src/libhydra/plugins/attr_sql/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.11.3 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
@@ -17,6 +17,23 @@
 
 
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -117,6 +134,11 @@ LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
 	$(LDFLAGS) -o $@
 SOURCES = $(libstrongswan_attr_sql_la_SOURCES) $(pool_SOURCES)
 DIST_SOURCES = $(libstrongswan_attr_sql_la_SOURCES) $(pool_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
@@ -133,6 +155,8 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -149,6 +173,7 @@ EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
@@ -217,8 +242,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -274,7 +297,6 @@ nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
@@ -371,7 +393,6 @@ clean-noinstLTLIBRARIES:
 	done
 install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
-	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
 	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
 	list2=; for p in $$list; do \
 	  if test -f $$p; then \
@@ -379,6 +400,8 @@ install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	  else :; fi; \
 	done; \
 	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \
 	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
 	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
 	}
@@ -404,8 +427,11 @@ libstrongswan-attr-sql.la: $(libstrongswan_attr_sql_la_OBJECTS) $(libstrongswan_
 	$(libstrongswan_attr_sql_la_LINK) $(am_libstrongswan_attr_sql_la_rpath) $(libstrongswan_attr_sql_la_OBJECTS) $(libstrongswan_attr_sql_la_LIBADD) $(LIBS)
 install-ipsecPROGRAMS: $(ipsec_PROGRAMS)
 	@$(NORMAL_INSTALL)
-	test -z "$(ipsecdir)" || $(MKDIR_P) "$(DESTDIR)$(ipsecdir)"
 	@list='$(ipsec_PROGRAMS)'; test -n "$(ipsecdir)" || list=; \
+	if test -n "$$list"; then \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(ipsecdir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(ipsecdir)" || exit 1; \
+	fi; \
 	for p in $$list; do echo "$$p $$p"; done | \
 	sed 's/$(EXEEXT)$$//' | \
 	while read p p1; do if test -f $$p || test -f $$p1; \
diff --git a/src/libhydra/plugins/attr_sql/pool.c b/src/libhydra/plugins/attr_sql/pool.c
index f355e96e2..880af61dc 100644
--- a/src/libhydra/plugins/attr_sql/pool.c
+++ b/src/libhydra/plugins/attr_sql/pool.c
@@ -495,6 +495,21 @@ static void add_addresses(char *pool, char *path, int timeout)
 		fclose(file);
 	}
 
+	if (family == AF_INET6)
+	{	/* update address family if necessary */
+		addr = host_create_from_string("%any6", 0);
+		if (db->execute(db, NULL,
+					"UPDATE pools SET start = ?, end = ? WHERE id = ?",
+					DB_BLOB, addr->get_address(addr),
+					DB_BLOB, addr->get_address(addr), DB_UINT, pool_id) <= 0)
+		{
+			addr->destroy(addr);
+			fprintf(stderr, "updating pool address family failed.\n");
+			exit(EXIT_FAILURE);
+		}
+		addr->destroy(addr);
+	}
+
 	commit_transaction();
 
 	printf("%d addresses done.\n", count);
diff --git a/src/libhydra/plugins/attr_sql/sql_attribute.c b/src/libhydra/plugins/attr_sql/sql_attribute.c
index 1a4ee7a51..e91e1ed15 100644
--- a/src/libhydra/plugins/attr_sql/sql_attribute.c
+++ b/src/libhydra/plugins/attr_sql/sql_attribute.c
@@ -94,19 +94,26 @@ static u_int get_attr_pool(private_sql_attribute_t *this, char *name)
 }
 
 /**
- * Lookup pool by name
+ * Lookup pool by name and address family
  */
-static u_int get_pool(private_sql_attribute_t *this, char *name, u_int *timeout)
+static u_int get_pool(private_sql_attribute_t *this, char *name, int family,
+					  u_int *timeout)
 {
 	enumerator_t *e;
+	chunk_t start;
 	u_int pool;
 
-	e = this->db->query(this->db, "SELECT id, timeout FROM pools WHERE name = ?",
-						DB_TEXT, name, DB_UINT, DB_UINT);
-	if (e && e->enumerate(e, &pool, timeout))
+	e = this->db->query(this->db,
+						"SELECT id, start, timeout FROM pools WHERE name = ?",
+						DB_TEXT, name, DB_UINT, DB_BLOB, DB_UINT);
+	if (e && e->enumerate(e, &pool, &start, timeout))
 	{
-		e->destroy(e);
-		return pool;
+		if ((family == AF_INET  && start.len == 4) ||
+			(family == AF_INET6 && start.len == 16))
+		{
+			e->destroy(e);
+			return pool;
+		}
 	}
 	DESTROY_IF(e);
 	return 0;
@@ -240,15 +247,17 @@ METHOD(attribute_provider_t, acquire_address, host_t*,
 	host_t *address = NULL;
 	u_int identity, pool, timeout;
 	char *name;
+	int family;
 
 	identity = get_identity(this, id);
 	if (identity)
 	{
+		family = requested->get_family(requested);
 		/* check for an existing lease in all pools */
 		enumerator = pools->create_enumerator(pools);
 		while (enumerator->enumerate(enumerator, &name))
 		{
-			pool = get_pool(this, name, &timeout);
+			pool = get_pool(this, name, family, &timeout);
 			if (pool)
 			{
 				address = check_lease(this, name, pool, identity);
@@ -266,7 +275,7 @@ METHOD(attribute_provider_t, acquire_address, host_t*,
 			enumerator = pools->create_enumerator(pools);
 			while (enumerator->enumerate(enumerator, &name))
 			{
-				pool = get_pool(this, name, &timeout);
+				pool = get_pool(this, name, family, &timeout);
 				if (pool)
 				{
 					address = get_lease(this, name, pool, timeout, identity);
@@ -291,11 +300,13 @@ METHOD(attribute_provider_t, release_address, bool,
 	time_t now = time(NULL);
 	bool found = FALSE;
 	char *name;
+	int family;
 
+	family = address->get_family(address);
 	enumerator = pools->create_enumerator(pools);
 	while (enumerator->enumerate(enumerator, &name))
 	{
-		pool = get_pool(this, name, &timeout);
+		pool = get_pool(this, name, family, &timeout);
 		if (!pool)
 		{
 			continue;
diff --git a/src/libhydra/plugins/kernel_klips/Makefile.in b/src/libhydra/plugins/kernel_klips/Makefile.in
index d62261d0b..514bb402a 100644
--- a/src/libhydra/plugins/kernel_klips/Makefile.in
+++ b/src/libhydra/plugins/kernel_klips/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.11.3 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
@@ -16,6 +16,23 @@
 @SET_MAKE@
 
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -108,6 +125,11 @@ LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
 	$(LDFLAGS) -o $@
 SOURCES = $(libstrongswan_kernel_klips_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_kernel_klips_la_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
@@ -124,6 +146,8 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -140,6 +164,7 @@ EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
@@ -208,8 +233,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -265,7 +288,6 @@ nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
@@ -353,7 +375,6 @@ clean-noinstLTLIBRARIES:
 	done
 install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
-	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
 	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
 	list2=; for p in $$list; do \
 	  if test -f $$p; then \
@@ -361,6 +382,8 @@ install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	  else :; fi; \
 	done; \
 	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \
 	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
 	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
 	}
diff --git a/src/libhydra/plugins/kernel_klips/kernel_klips_ipsec.c b/src/libhydra/plugins/kernel_klips/kernel_klips_ipsec.c
index 431174e72..a120b3d00 100644
--- a/src/libhydra/plugins/kernel_klips/kernel_klips_ipsec.c
+++ b/src/libhydra/plugins/kernel_klips/kernel_klips_ipsec.c
@@ -1910,7 +1910,8 @@ METHOD(kernel_ipsec_t, update_sa, status_t,
 
 METHOD(kernel_ipsec_t, query_sa, status_t,
 	private_kernel_klips_ipsec_t *this, host_t *src, host_t *dst,
-	u_int32_t spi, u_int8_t protocol, mark_t mark, u_int64_t *bytes)
+	u_int32_t spi, u_int8_t protocol, mark_t mark,
+	u_int64_t *bytes, u_int64_t *packets)
 {
 	return NOT_SUPPORTED;  /* TODO */
 }
@@ -2648,4 +2649,3 @@ kernel_klips_ipsec_t *kernel_klips_ipsec_create()
 
 	return &this->public;
 }
-
diff --git a/src/libhydra/plugins/kernel_netlink/Makefile.in b/src/libhydra/plugins/kernel_netlink/Makefile.in
index f0b3c9cfc..b5a327906 100644
--- a/src/libhydra/plugins/kernel_netlink/Makefile.in
+++ b/src/libhydra/plugins/kernel_netlink/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.11.3 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
@@ -16,6 +16,23 @@
 @SET_MAKE@
 
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -109,6 +126,11 @@ LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
 	$(LDFLAGS) -o $@
 SOURCES = $(libstrongswan_kernel_netlink_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_kernel_netlink_la_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
@@ -125,6 +147,8 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -141,6 +165,7 @@ EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
@@ -209,8 +234,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -266,7 +289,6 @@ nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
@@ -361,7 +383,6 @@ clean-noinstLTLIBRARIES:
 	done
 install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
-	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
 	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
 	list2=; for p in $$list; do \
 	  if test -f $$p; then \
@@ -369,6 +390,8 @@ install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	  else :; fi; \
 	done; \
 	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \
 	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
 	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
 	}
diff --git a/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c b/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c
index f9b2634a0..9b4ade533 100644
--- a/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c
+++ b/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c
@@ -94,12 +94,6 @@
  */
 #define XFRM_RTA(nlh, x) ((struct rtattr*)(NLMSG_DATA(nlh) + \
 										   NLMSG_ALIGN(sizeof(x))))
-/**
- * Returns a pointer to the next rtattr following rta.
- * !!! Do not use this to parse messages. Use RTA_NEXT and RTA_OK instead !!!
- */
-#define XFRM_RTA_NEXT(rta) ((struct rtattr*)(((char*)(rta)) + \
-											 RTA_ALIGN((rta)->rta_len)))
 /**
  * Returns the total size of attached rta data
  * (after 'usual' netlink data x like 'struct xfrm_usersa_info')
@@ -176,8 +170,6 @@ ENUM(xfrm_attr_type_names, XFRMA_UNSPEC, XFRMA_REPLAY_ESN_VAL,
 	"XFRMA_REPLAY_ESN_VAL",
 );
 
-#define END_OF_LIST -1
-
 /**
  * Algorithms for encryption
  */
@@ -208,7 +200,6 @@ static kernel_algorithm_t encryption_algs[] = {
 /*	{ENCR_CAMELLIA_CCM_ICV16,	"***"				}, */
 	{ENCR_SERPENT_CBC,			"serpent"			},
 	{ENCR_TWOFISH_CBC,			"twofish"			},
-	{END_OF_LIST,				NULL				}
 };
 
 /**
@@ -226,7 +217,6 @@ static kernel_algorithm_t integrity_algs[] = {
 /*	{AUTH_DES_MAC,				"***"				}, */
 /*	{AUTH_KPDK_MD5,				"***"				}, */
 	{AUTH_AES_XCBC_96,			"xcbc(aes)"			},
-	{END_OF_LIST,				NULL				}
 };
 
 /**
@@ -237,7 +227,6 @@ static kernel_algorithm_t compression_algs[] = {
 	{IPCOMP_DEFLATE,			"deflate"			},
 	{IPCOMP_LZS,				"lzs"				},
 	{IPCOMP_LZJH,				"lzjh"				},
-	{END_OF_LIST,				NULL				}
 };
 
 /**
@@ -246,33 +235,39 @@ static kernel_algorithm_t compression_algs[] = {
 static char* lookup_algorithm(transform_type_t type, int ikev2)
 {
 	kernel_algorithm_t *list;
-	char *name = NULL;
+	int i, count;
+	char *name;
 
 	switch (type)
 	{
 		case ENCRYPTION_ALGORITHM:
 			list = encryption_algs;
+			count = countof(encryption_algs);
 			break;
 		case INTEGRITY_ALGORITHM:
 			list = integrity_algs;
+			count = countof(integrity_algs);
 			break;
 		case COMPRESSION_ALGORITHM:
 			list = compression_algs;
+			count = countof(compression_algs);
 			break;
 		default:
 			return NULL;
 	}
-	while (list->ikev2 != END_OF_LIST)
+	for (i = 0; i < count; i++)
 	{
-		if (list->ikev2 == ikev2)
+		if (list[i].ikev2 == ikev2)
 		{
-			return list->name;
+			return list[i].name;
 		}
-		list++;
 	}
-	hydra->kernel_interface->lookup_algorithm(hydra->kernel_interface, ikev2,
-											  type, NULL, &name);
-	return name;
+	if (hydra->kernel_interface->lookup_algorithm(hydra->kernel_interface,
+												  ikev2, type, NULL, &name))
+	{
+		return name;
+	}
+	return NULL;
 }
 
 typedef struct private_kernel_netlink_ipsec_t private_kernel_netlink_ipsec_t;
@@ -787,7 +782,7 @@ static traffic_selector_t* selector2ts(struct xfrm_selector *sel, bool src)
 	if (host)
 	{
 		return traffic_selector_create_from_subnet(host, prefixlen,
-												   sel->proto, port);
+											sel->proto, port, port ?: 65535);
 	}
 	return NULL;
 }
@@ -1036,6 +1031,12 @@ static job_requeue_t receive_events(private_kernel_netlink_ipsec_t *this)
 	return JOB_REQUEUE_DIRECT;
 }
 
+METHOD(kernel_ipsec_t, get_features, kernel_feature_t,
+	private_kernel_netlink_ipsec_t *this)
+{
+	return KERNEL_ESP_V3_TFC;
+}
+
 /**
  * Get an SPI for a specific protocol from the kernel.
  */
@@ -1144,6 +1145,26 @@ METHOD(kernel_ipsec_t, get_cpi, status_t,
 	return SUCCESS;
 }
 
+/**
+ * Add a XFRM mark to message if required
+ */
+static bool add_mark(struct nlmsghdr *hdr, int buflen, mark_t mark)
+{
+	if (mark.value)
+	{
+		struct xfrm_mark *xmrk;
+
+		xmrk = netlink_reserve(hdr, buflen, XFRMA_MARK, sizeof(*xmrk));
+		if (!xmrk)
+		{
+			return FALSE;
+		}
+		xmrk->v = mark.value;
+		xmrk->m = mark.mask;
+	}
+	return TRUE;
+}
+
 METHOD(kernel_ipsec_t, add_sa, status_t,
 	private_kernel_netlink_ipsec_t *this, host_t *src, host_t *dst,
 	u_int32_t spi, u_int8_t protocol, u_int32_t reqid, mark_t mark,
@@ -1216,8 +1237,6 @@ METHOD(kernel_ipsec_t, add_sa, status_t,
 	sa->lft.soft_use_expires_seconds = 0;
 	sa->lft.hard_use_expires_seconds = 0;
 
-	struct rtattr *rthdr = XFRM_RTA(hdr, struct xfrm_usersa_info);
-
 	switch (enc_alg)
 	{
 		case ENCR_UNDEFINED:
@@ -1250,23 +1269,17 @@ METHOD(kernel_ipsec_t, add_sa, status_t,
 			DBG2(DBG_KNL, "  using encryption algorithm %N with key size %d",
 				 encryption_algorithm_names, enc_alg, enc_key.len * 8);
 
-			rthdr->rta_type = XFRMA_ALG_AEAD;
-			rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_algo_aead) +
-										enc_key.len);
-			hdr->nlmsg_len += RTA_ALIGN(rthdr->rta_len);
-			if (hdr->nlmsg_len > sizeof(request))
+			algo = netlink_reserve(hdr, sizeof(request), XFRMA_ALG_AEAD,
+								   sizeof(*algo) + enc_key.len);
+			if (!algo)
 			{
 				goto failed;
 			}
-
-			algo = (struct xfrm_algo_aead*)RTA_DATA(rthdr);
 			algo->alg_key_len = enc_key.len * 8;
 			algo->alg_icv_len = icv_size;
 			strncpy(algo->alg_name, alg_name, sizeof(algo->alg_name));
 			algo->alg_name[sizeof(algo->alg_name) - 1] = '\0';
 			memcpy(algo->alg_key, enc_key.ptr, enc_key.len);
-
-			rthdr = XFRM_RTA_NEXT(rthdr);
 			break;
 		}
 		default:
@@ -1283,21 +1296,16 @@ METHOD(kernel_ipsec_t, add_sa, status_t,
 			DBG2(DBG_KNL, "  using encryption algorithm %N with key size %d",
 				 encryption_algorithm_names, enc_alg, enc_key.len * 8);
 
-			rthdr->rta_type = XFRMA_ALG_CRYPT;
-			rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_algo) + enc_key.len);
-			hdr->nlmsg_len += RTA_ALIGN(rthdr->rta_len);
-			if (hdr->nlmsg_len > sizeof(request))
+			algo = netlink_reserve(hdr, sizeof(request), XFRMA_ALG_CRYPT,
+								   sizeof(*algo) + enc_key.len);
+			if (!algo)
 			{
 				goto failed;
 			}
-
-			algo = (struct xfrm_algo*)RTA_DATA(rthdr);
 			algo->alg_key_len = enc_key.len * 8;
 			strncpy(algo->alg_name, alg_name, sizeof(algo->alg_name));
 			algo->alg_name[sizeof(algo->alg_name) - 1] = '\0';
 			memcpy(algo->alg_key, enc_key.ptr, enc_key.len);
-
-			rthdr = XFRM_RTA_NEXT(rthdr);
 		}
 	}
 
@@ -1335,17 +1343,12 @@ METHOD(kernel_ipsec_t, add_sa, status_t,
 			/* the kernel uses SHA256 with 96 bit truncation by default,
 			 * use specified truncation size supported by newer kernels.
 			 * also use this for untruncated MD5 and SHA1. */
-			rthdr->rta_type = XFRMA_ALG_AUTH_TRUNC;
-			rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_algo_auth) +
-										int_key.len);
-
-			hdr->nlmsg_len += RTA_ALIGN(rthdr->rta_len);
-			if (hdr->nlmsg_len > sizeof(request))
+			algo = netlink_reserve(hdr, sizeof(request), XFRMA_ALG_AUTH_TRUNC,
+								   sizeof(*algo) + int_key.len);
+			if (!algo)
 			{
 				goto failed;
 			}
-
-			algo = (struct xfrm_algo_auth*)RTA_DATA(rthdr);
 			algo->alg_key_len = int_key.len * 8;
 			algo->alg_trunc_len = trunc_len;
 			strncpy(algo->alg_name, alg_name, sizeof(algo->alg_name));
@@ -1356,27 +1359,23 @@ METHOD(kernel_ipsec_t, add_sa, status_t,
 		{
 			struct xfrm_algo* algo;
 
-			rthdr->rta_type = XFRMA_ALG_AUTH;
-			rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_algo) + int_key.len);
-
-			hdr->nlmsg_len += RTA_ALIGN(rthdr->rta_len);
-			if (hdr->nlmsg_len > sizeof(request))
+			algo = netlink_reserve(hdr, sizeof(request), XFRMA_ALG_AUTH,
+								   sizeof(*algo) + int_key.len);
+			if (!algo)
 			{
 				goto failed;
 			}
-
-			algo = (struct xfrm_algo*)RTA_DATA(rthdr);
 			algo->alg_key_len = int_key.len * 8;
 			strncpy(algo->alg_name, alg_name, sizeof(algo->alg_name));
 			algo->alg_name[sizeof(algo->alg_name) - 1] = '\0';
 			memcpy(algo->alg_key, int_key.ptr, int_key.len);
 		}
-		rthdr = XFRM_RTA_NEXT(rthdr);
 	}
 
 	if (ipcomp != IPCOMP_NONE)
 	{
-		rthdr->rta_type = XFRMA_ALG_COMP;
+		struct xfrm_algo* algo;
+
 		alg_name = lookup_algorithm(COMPRESSION_ALGORITHM, ipcomp);
 		if (alg_name == NULL)
 		{
@@ -1387,35 +1386,26 @@ METHOD(kernel_ipsec_t, add_sa, status_t,
 		DBG2(DBG_KNL, "  using compression algorithm %N",
 			 ipcomp_transform_names, ipcomp);
 
-		rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_algo));
-		hdr->nlmsg_len += RTA_ALIGN(rthdr->rta_len);
-		if (hdr->nlmsg_len > sizeof(request))
+		algo = netlink_reserve(hdr, sizeof(request), XFRMA_ALG_COMP,
+							   sizeof(*algo));
+		if (!algo)
 		{
 			goto failed;
 		}
-
-		struct xfrm_algo* algo = (struct xfrm_algo*)RTA_DATA(rthdr);
 		algo->alg_key_len = 0;
 		strncpy(algo->alg_name, alg_name, sizeof(algo->alg_name));
 		algo->alg_name[sizeof(algo->alg_name) - 1] = '\0';
-
-		rthdr = XFRM_RTA_NEXT(rthdr);
 	}
 
 	if (encap)
 	{
 		struct xfrm_encap_tmpl *tmpl;
 
-		rthdr->rta_type = XFRMA_ENCAP;
-		rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_encap_tmpl));
-
-		hdr->nlmsg_len += RTA_ALIGN(rthdr->rta_len);
-		if (hdr->nlmsg_len > sizeof(request))
+		tmpl = netlink_reserve(hdr, sizeof(request), XFRMA_ENCAP, sizeof(*tmpl));
+		if (!tmpl)
 		{
 			goto failed;
 		}
-
-		tmpl = (struct xfrm_encap_tmpl*)RTA_DATA(rthdr);
 		tmpl->encap_type = UDP_ENCAP_ESPINUDP;
 		tmpl->encap_sport = htons(src->get_port(src));
 		tmpl->encap_dport = htons(dst->get_port(dst));
@@ -1430,44 +1420,24 @@ METHOD(kernel_ipsec_t, add_sa, status_t,
 		 * No. The reason the kernel ignores NAT-OA is that it recomputes
 		 * (or, rather, just ignores) the checksum. If packets pass the IPsec
 		 * checks it marks them "checksum ok" so OA isn't needed. */
-		rthdr = XFRM_RTA_NEXT(rthdr);
 	}
 
-	if (mark.value)
+	if (!add_mark(hdr, sizeof(request), mark))
 	{
-		struct xfrm_mark *mrk;
-
-		rthdr->rta_type = XFRMA_MARK;
-		rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_mark));
-
-		hdr->nlmsg_len += RTA_ALIGN(rthdr->rta_len);
-		if (hdr->nlmsg_len > sizeof(request))
-		{
-			goto failed;
-		}
-
-		mrk = (struct xfrm_mark*)RTA_DATA(rthdr);
-		mrk->v = mark.value;
-		mrk->m = mark.mask;
-		rthdr = XFRM_RTA_NEXT(rthdr);
+		goto failed;
 	}
 
 	if (tfc)
 	{
 		u_int32_t *tfcpad;
 
-		rthdr->rta_type = XFRMA_TFCPAD;
-		rthdr->rta_len = RTA_LENGTH(sizeof(u_int32_t));
-
-		hdr->nlmsg_len += RTA_ALIGN(rthdr->rta_len);
-		if (hdr->nlmsg_len > sizeof(request))
+		tfcpad = netlink_reserve(hdr, sizeof(request), XFRMA_TFCPAD,
+								 sizeof(*tfcpad));
+		if (!tfcpad)
 		{
 			goto failed;
 		}
-
-		tfcpad = (u_int32_t*)RTA_DATA(rthdr);
 		*tfcpad = tfc;
-		rthdr = XFRM_RTA_NEXT(rthdr);
 	}
 
 	if (protocol != IPPROTO_COMP)
@@ -1478,24 +1448,18 @@ METHOD(kernel_ipsec_t, add_sa, status_t,
 			 * XFRMA_REPLAY_ESN_VAL attribute to configure a bitmap */
 			struct xfrm_replay_state_esn *replay;
 
-			rthdr->rta_type = XFRMA_REPLAY_ESN_VAL;
-			rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_replay_state_esn) +
-										(this->replay_window + 7) / 8);
-
-			hdr->nlmsg_len += RTA_ALIGN(rthdr->rta_len);
-			if (hdr->nlmsg_len > sizeof(request))
+			replay = netlink_reserve(hdr, sizeof(request), XFRMA_REPLAY_ESN_VAL,
+							sizeof(*replay) + (this->replay_window + 7) / 8);
+			if (!replay)
 			{
 				goto failed;
 			}
-
-			replay = (struct xfrm_replay_state_esn*)RTA_DATA(rthdr);
 			/* bmp_len contains number uf __u32's */
 			replay->bmp_len = this->replay_bmp;
 			replay->replay_window = this->replay_window;
 			DBG2(DBG_KNL, "  using replay window of %u packets",
 				 this->replay_window);
 
-			rthdr = XFRM_RTA_NEXT(rthdr);
 			if (esn)
 			{
 				DBG2(DBG_KNL, "  using extended sequence numbers (ESN)");
@@ -1567,22 +1531,9 @@ static void get_replay_state(private_kernel_netlink_ipsec_t *this,
 	aevent_id->sa_id.proto = protocol;
 	aevent_id->sa_id.family = dst->get_family(dst);
 
-	if (mark.value)
+	if (!add_mark(hdr, sizeof(request), mark))
 	{
-		struct xfrm_mark *mrk;
-		struct rtattr *rthdr = XFRM_RTA(hdr, struct xfrm_aevent_id);
-
-		rthdr->rta_type = XFRMA_MARK;
-		rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_mark));
-		hdr->nlmsg_len += RTA_ALIGN(rthdr->rta_len);
-		if (hdr->nlmsg_len > sizeof(request))
-		{
-			return;
-		}
-
-		mrk = (struct xfrm_mark*)RTA_DATA(rthdr);
-		mrk->v = mark.value;
-		mrk->m = mark.mask;
+		return;
 	}
 
 	if (this->socket_xfrm->send(this->socket_xfrm, hdr, &out, &len) == SUCCESS)
@@ -1643,7 +1594,8 @@ static void get_replay_state(private_kernel_netlink_ipsec_t *this,
 
 METHOD(kernel_ipsec_t, query_sa, status_t,
 	private_kernel_netlink_ipsec_t *this, host_t *src, host_t *dst,
-	u_int32_t spi, u_int8_t protocol, mark_t mark, u_int64_t *bytes)
+	u_int32_t spi, u_int8_t protocol, mark_t mark,
+	u_int64_t *bytes, u_int64_t *packets)
 {
 	netlink_buf_t request;
 	struct nlmsghdr *out = NULL, *hdr;
@@ -1668,22 +1620,9 @@ METHOD(kernel_ipsec_t, query_sa, status_t,
 	sa_id->proto = protocol;
 	sa_id->family = dst->get_family(dst);
 
-	if (mark.value)
+	if (!add_mark(hdr, sizeof(request), mark))
 	{
-		struct xfrm_mark *mrk;
-		struct rtattr *rthdr = XFRM_RTA(hdr, struct xfrm_usersa_id);
-
-		rthdr->rta_type = XFRMA_MARK;
-		rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_mark));
-		hdr->nlmsg_len += RTA_ALIGN(rthdr->rta_len);
-		if (hdr->nlmsg_len > sizeof(request))
-		{
-			return FAILED;
-		}
-
-		mrk = (struct xfrm_mark*)RTA_DATA(rthdr);
-		mrk->v = mark.value;
-		mrk->m = mark.mask;
+		return FAILED;
 	}
 
 	if (this->socket_xfrm->send(this->socket_xfrm, hdr, &out, &len) == SUCCESS)
@@ -1733,7 +1672,14 @@ METHOD(kernel_ipsec_t, query_sa, status_t,
 	}
 	else
 	{
-		*bytes = sa->curlft.bytes;
+		if (bytes)
+		{
+			*bytes = sa->curlft.bytes;
+		}
+		if (packets)
+		{
+			*packets = sa->curlft.packets;
+		}
 		status = SUCCESS;
 	}
 	memwipe(out, len);
@@ -1771,22 +1717,9 @@ METHOD(kernel_ipsec_t, del_sa, status_t,
 	sa_id->proto = protocol;
 	sa_id->family = dst->get_family(dst);
 
-	if (mark.value)
+	if (!add_mark(hdr, sizeof(request), mark))
 	{
-		struct xfrm_mark *mrk;
-		struct rtattr *rthdr = XFRM_RTA(hdr, struct xfrm_usersa_id);
-
-		rthdr->rta_type = XFRMA_MARK;
-		rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_mark));
-		hdr->nlmsg_len += RTA_ALIGN(rthdr->rta_len);
-		if (hdr->nlmsg_len > sizeof(request))
-		{
-			return FAILED;
-		}
-
-		mrk = (struct xfrm_mark*)RTA_DATA(rthdr);
-		mrk->v = mark.value;
-		mrk->m = mark.mask;
+		return FAILED;
 	}
 
 	switch (this->socket_xfrm->send_ack(this->socket_xfrm, hdr))
@@ -1818,7 +1751,6 @@ METHOD(kernel_ipsec_t, update_sa, status_t,
 	bool old_encap, bool new_encap, mark_t mark)
 {
 	netlink_buf_t request;
-	u_char *pos;
 	struct nlmsghdr *hdr, *out = NULL;
 	struct xfrm_usersa_id *sa_id;
 	struct xfrm_usersa_info *out_sa = NULL, *sa;
@@ -1853,22 +1785,9 @@ METHOD(kernel_ipsec_t, update_sa, status_t,
 	sa_id->proto = protocol;
 	sa_id->family = dst->get_family(dst);
 
-	if (mark.value)
+	if (!add_mark(hdr, sizeof(request), mark))
 	{
-		struct xfrm_mark *mrk;
-		struct rtattr *rthdr = XFRM_RTA(hdr, struct xfrm_usersa_id);
-
-		rthdr->rta_type = XFRMA_MARK;
-		rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_mark));
-		hdr->nlmsg_len += RTA_ALIGN(rthdr->rta_len);
-		if (hdr->nlmsg_len > sizeof(request))
-		{
-			return FAILED;
-		}
-
-		mrk = (struct xfrm_mark*)RTA_DATA(rthdr);
-		mrk->v = mark.value;
-		mrk->m = mark.mask;
+		return FAILED;
 	}
 
 	if (this->socket_xfrm->send(this->socket_xfrm, hdr, &out, &len) == SUCCESS)
@@ -1919,11 +1838,11 @@ METHOD(kernel_ipsec_t, update_sa, status_t,
 				   ntohl(spi), src, dst, new_src, new_dst);
 	/* copy over the SA from out to request */
 	hdr = (struct nlmsghdr*)request;
-	memcpy(hdr, out, min(out->nlmsg_len, sizeof(request)));
 	hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
 	hdr->nlmsg_type = XFRM_MSG_NEWSA;
 	hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_info));
 	sa = NLMSG_DATA(hdr);
+	memcpy(sa, NLMSG_DATA(out), sizeof(struct xfrm_usersa_info));
 	sa->family = new_dst->get_family(new_dst);
 
 	if (!src->ip_equals(src, new_src))
@@ -1937,75 +1856,60 @@ METHOD(kernel_ipsec_t, update_sa, status_t,
 
 	rta = XFRM_RTA(out, struct xfrm_usersa_info);
 	rtasize = XFRM_PAYLOAD(out, struct xfrm_usersa_info);
-	pos = (u_char*)XFRM_RTA(hdr, struct xfrm_usersa_info);
-	while(RTA_OK(rta, rtasize))
+	while (RTA_OK(rta, rtasize))
 	{
 		/* copy all attributes, but not XFRMA_ENCAP if we are disabling it */
 		if (rta->rta_type != XFRMA_ENCAP || new_encap)
 		{
 			if (rta->rta_type == XFRMA_ENCAP)
 			{	/* update encap tmpl */
-				tmpl = (struct xfrm_encap_tmpl*)RTA_DATA(rta);
+				tmpl = RTA_DATA(rta);
 				tmpl->encap_sport = ntohs(new_src->get_port(new_src));
 				tmpl->encap_dport = ntohs(new_dst->get_port(new_dst));
 			}
-			memcpy(pos, rta, rta->rta_len);
-			pos += RTA_ALIGN(rta->rta_len);
-			hdr->nlmsg_len += RTA_ALIGN(rta->rta_len);
+			netlink_add_attribute(hdr, rta->rta_type,
+								  chunk_create(RTA_DATA(rta), RTA_PAYLOAD(rta)),
+								  sizeof(request));
 		}
 		rta = RTA_NEXT(rta, rtasize);
 	}
 
-	rta = (struct rtattr*)pos;
 	if (tmpl == NULL && new_encap)
 	{	/* add tmpl if we are enabling it */
-		rta->rta_type = XFRMA_ENCAP;
-		rta->rta_len = RTA_LENGTH(sizeof(struct xfrm_encap_tmpl));
-
-		hdr->nlmsg_len += RTA_ALIGN(rta->rta_len);
-		if (hdr->nlmsg_len > sizeof(request))
+		tmpl = netlink_reserve(hdr, sizeof(request), XFRMA_ENCAP, sizeof(*tmpl));
+		if (!tmpl)
 		{
 			goto failed;
 		}
-
-		tmpl = (struct xfrm_encap_tmpl*)RTA_DATA(rta);
 		tmpl->encap_type = UDP_ENCAP_ESPINUDP;
 		tmpl->encap_sport = ntohs(new_src->get_port(new_src));
 		tmpl->encap_dport = ntohs(new_dst->get_port(new_dst));
 		memset(&tmpl->encap_oa, 0, sizeof (xfrm_address_t));
-
-		rta = XFRM_RTA_NEXT(rta);
 	}
 
 	if (replay_esn)
 	{
-		rta->rta_type = XFRMA_REPLAY_ESN_VAL;
-		rta->rta_len = RTA_LENGTH(sizeof(struct xfrm_replay_state_esn) +
-								  this->replay_bmp);
+		struct xfrm_replay_state_esn *state;
 
-		hdr->nlmsg_len += RTA_ALIGN(rta->rta_len);
-		if (hdr->nlmsg_len > sizeof(request))
+		state = netlink_reserve(hdr, sizeof(request), XFRMA_REPLAY_ESN_VAL,
+								sizeof(*state) + this->replay_bmp);
+		if (!state)
 		{
 			goto failed;
 		}
-		memcpy(RTA_DATA(rta), replay_esn,
-			   sizeof(struct xfrm_replay_state_esn) + this->replay_bmp);
-
-		rta = XFRM_RTA_NEXT(rta);
+		memcpy(state, replay_esn, sizeof(*state) + this->replay_bmp);
 	}
 	else if (replay)
 	{
-		rta->rta_type = XFRMA_REPLAY_VAL;
-		rta->rta_len = RTA_LENGTH(sizeof(struct xfrm_replay_state));
+		struct xfrm_replay_state *state;
 
-		hdr->nlmsg_len += RTA_ALIGN(rta->rta_len);
-		if (hdr->nlmsg_len > sizeof(request))
+		state = netlink_reserve(hdr, sizeof(request), XFRMA_REPLAY_VAL,
+								sizeof(*state));
+		if (!state)
 		{
 			goto failed;
 		}
-		memcpy(RTA_DATA(rta), replay, sizeof(struct xfrm_replay_state));
-
-		rta = XFRM_RTA_NEXT(rta);
+		memcpy(state, replay, sizeof(*state));
 	}
 	else
 	{
@@ -2102,11 +2006,9 @@ static status_t add_policy_internal(private_kernel_netlink_ipsec_t *this,
 	policy_info->lft.soft_use_expires_seconds = 0;
 	policy_info->lft.hard_use_expires_seconds = 0;
 
-	struct rtattr *rthdr = XFRM_RTA(hdr, struct xfrm_userpolicy_info);
-
 	if (mapping->type == POLICY_IPSEC)
 	{
-		struct xfrm_user_tmpl *tmpl = (struct xfrm_user_tmpl*)RTA_DATA(rthdr);
+		struct xfrm_user_tmpl *tmpl;
 		struct {
 			u_int8_t proto;
 			bool use;
@@ -2116,25 +2018,29 @@ static status_t add_policy_internal(private_kernel_netlink_ipsec_t *this,
 			{ IPPROTO_AH, ipsec->cfg.ah.use },
 		};
 		ipsec_mode_t proto_mode = ipsec->cfg.mode;
-
-		rthdr->rta_type = XFRMA_TMPL;
-		rthdr->rta_len = 0; /* actual length is set below */
+		int count = 0;
 
 		for (i = 0; i < countof(protos); i++)
 		{
-			if (!protos[i].use)
+			if (protos[i].use)
 			{
-				continue;
+				count++;
 			}
+		}
+		tmpl = netlink_reserve(hdr, sizeof(request), XFRMA_TMPL,
+							   count * sizeof(*tmpl));
+		if (!tmpl)
+		{
+			this->mutex->unlock(this->mutex);
+			return FAILED;
+		}
 
-			rthdr->rta_len += RTA_LENGTH(sizeof(struct xfrm_user_tmpl));
-			hdr->nlmsg_len += RTA_ALIGN(RTA_LENGTH(sizeof(struct xfrm_user_tmpl)));
-			if (hdr->nlmsg_len > sizeof(request))
+		for (i = 0; i < countof(protos); i++)
+		{
+			if (!protos[i].use)
 			{
-				this->mutex->unlock(this->mutex);
-				return FAILED;
+				continue;
 			}
-
 			tmpl->reqid = ipsec->cfg.reqid;
 			tmpl->id.proto = protos[i].proto;
 			tmpl->aalgos = tmpl->ealgos = tmpl->calgos = ~0;
@@ -2154,27 +2060,12 @@ static status_t add_policy_internal(private_kernel_netlink_ipsec_t *this,
 			/* use transport mode for other SAs */
 			proto_mode = MODE_TRANSPORT;
 		}
-
-		rthdr = XFRM_RTA_NEXT(rthdr);
 	}
 
-	if (ipsec->mark.value)
+	if (!add_mark(hdr, sizeof(request), ipsec->mark))
 	{
-		struct xfrm_mark *mrk;
-
-		rthdr->rta_type = XFRMA_MARK;
-		rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_mark));
-
-		hdr->nlmsg_len += RTA_ALIGN(rthdr->rta_len);
-		if (hdr->nlmsg_len > sizeof(request))
-		{
-			this->mutex->unlock(this->mutex);
-			return FAILED;
-		}
-
-		mrk = (struct xfrm_mark*)RTA_DATA(rthdr);
-		mrk->v = ipsec->mark.value;
-		mrk->m = ipsec->mark.mask;
+		this->mutex->unlock(this->mutex);
+		return FAILED;
 	}
 	this->mutex->unlock(this->mutex);
 
@@ -2196,14 +2087,15 @@ static status_t add_policy_internal(private_kernel_netlink_ipsec_t *this,
 
 	/* install a route, if:
 	 * - this is a forward policy (to just get one for each child)
-	 * - we are in tunnel/BEET mode
+	 * - we are in tunnel/BEET mode or install a bypass policy
 	 * - routing is not disabled via strongswan.conf
 	 */
-	if (policy->direction == POLICY_FWD &&
-		ipsec->cfg.mode != MODE_TRANSPORT && this->install_routes)
+	if (policy->direction == POLICY_FWD && this->install_routes &&
+		(mapping->type != POLICY_IPSEC || ipsec->cfg.mode != MODE_TRANSPORT))
 	{
 		policy_sa_fwd_t *fwd = (policy_sa_fwd_t*)mapping;
 		route_entry_t *route;
+		host_t *iface;
 
 		INIT(route,
 			.prefixlen = policy->sel.prefixlen_s,
@@ -2219,9 +2111,17 @@ static status_t add_policy_internal(private_kernel_netlink_ipsec_t *this,
 			route->dst_net = chunk_alloc(policy->sel.family == AF_INET ? 4 : 16);
 			memcpy(route->dst_net.ptr, &policy->sel.saddr, route->dst_net.len);
 
+			/* get the interface to install the route for. If we have a local
+			 * address, use it. Otherwise (for shunt policies) use the
+			 * routes source address. */
+			iface = ipsec->dst;
+			if (iface->is_anyaddr(iface))
+			{
+				iface = route->src_ip;
+			}
 			/* install route via outgoing interface */
 			if (!hydra->kernel_interface->get_interface(hydra->kernel_interface,
-												ipsec->dst, &route->if_name))
+														iface, &route->if_name))
 			{
 				this->mutex->unlock(this->mutex);
 				route_entry_destroy(route);
@@ -2392,23 +2292,9 @@ METHOD(kernel_ipsec_t, query_policy, status_t,
 	policy_id->sel = ts2selector(src_ts, dst_ts);
 	policy_id->dir = direction;
 
-	if (mark.value)
+	if (!add_mark(hdr, sizeof(request), mark))
 	{
-		struct xfrm_mark *mrk;
-		struct rtattr *rthdr = XFRM_RTA(hdr, struct xfrm_userpolicy_id);
-
-		rthdr->rta_type = XFRMA_MARK;
-		rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_mark));
-
-		hdr->nlmsg_len += RTA_ALIGN(rthdr->rta_len);
-		if (hdr->nlmsg_len > sizeof(request))
-		{
-			return FAILED;
-		}
-
-		mrk = (struct xfrm_mark*)RTA_DATA(rthdr);
-		mrk->v = mark.value;
-		mrk->m = mark.mask;
+		return FAILED;
 	}
 
 	if (this->socket_xfrm->send(this->socket_xfrm, hdr, &out, &len) == SUCCESS)
@@ -2564,23 +2450,9 @@ METHOD(kernel_ipsec_t, del_policy, status_t,
 	policy_id->sel = current->sel;
 	policy_id->dir = direction;
 
-	if (mark.value)
+	if (!add_mark(hdr, sizeof(request), mark))
 	{
-		struct xfrm_mark *mrk;
-		struct rtattr *rthdr = XFRM_RTA(hdr, struct xfrm_userpolicy_id);
-
-		rthdr->rta_type = XFRMA_MARK;
-		rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_mark));
-		hdr->nlmsg_len += RTA_ALIGN(rthdr->rta_len);
-		if (hdr->nlmsg_len > sizeof(request))
-		{
-			this->mutex->unlock(this->mutex);
-			return FAILED;
-		}
-
-		mrk = (struct xfrm_mark*)RTA_DATA(rthdr);
-		mrk->v = mark.value;
-		mrk->m = mark.mask;
+		return FAILED;
 	}
 
 	if (current->route)
@@ -2734,6 +2606,7 @@ kernel_netlink_ipsec_t *kernel_netlink_ipsec_create()
 	INIT(this,
 		.public = {
 			.interface = {
+				.get_features = _get_features,
 				.get_spi = _get_spi,
 				.get_cpi = _get_cpi,
 				.add_sa  = _add_sa,
@@ -2822,4 +2695,3 @@ kernel_netlink_ipsec_t *kernel_netlink_ipsec_create()
 
 	return &this->public;
 }
-
diff --git a/src/libhydra/plugins/kernel_netlink/kernel_netlink_net.c b/src/libhydra/plugins/kernel_netlink/kernel_netlink_net.c
index e47887859..3e0725a35 100644
--- a/src/libhydra/plugins/kernel_netlink/kernel_netlink_net.c
+++ b/src/libhydra/plugins/kernel_netlink/kernel_netlink_net.c
@@ -1757,6 +1757,10 @@ METHOD(kernel_net_t, add_ip, status_t,
 				DBG2(DBG_KNL, "virtual IP %H installed on %s", virtual_ip,
 					 entry->iface->ifname);
 				this->lock->unlock(this->lock);
+				/* during IKEv1 reauthentication, children get moved from
+				 * old the new SA before the virtual IP is available. This
+				 * kills the route for our virtual IP, reinstall. */
+				queue_route_reinstall(this, strdup(entry->iface->ifname));
 				return SUCCESS;
 			}
 		}
diff --git a/src/libhydra/plugins/kernel_netlink/kernel_netlink_shared.c b/src/libhydra/plugins/kernel_netlink/kernel_netlink_shared.c
index 561e8529d..fd00c23af 100644
--- a/src/libhydra/plugins/kernel_netlink/kernel_netlink_shared.c
+++ b/src/libhydra/plugins/kernel_netlink/kernel_netlink_shared.c
@@ -292,7 +292,7 @@ void netlink_add_attribute(struct nlmsghdr *hdr, int rta_type, chunk_t data,
 {
 	struct rtattr *rta;
 
-	if (NLMSG_ALIGN(hdr->nlmsg_len) + RTA_ALIGN(data.len) > buflen)
+	if (NLMSG_ALIGN(hdr->nlmsg_len) + RTA_LENGTH(data.len) > buflen)
 	{
 		DBG1(DBG_KNL, "unable to add attribute, buffer too small");
 		return;
@@ -304,3 +304,24 @@ void netlink_add_attribute(struct nlmsghdr *hdr, int rta_type, chunk_t data,
 	memcpy(RTA_DATA(rta), data.ptr, data.len);
 	hdr->nlmsg_len = NLMSG_ALIGN(hdr->nlmsg_len) + rta->rta_len;
 }
+
+/**
+ * Described in header.
+ */
+void* netlink_reserve(struct nlmsghdr *hdr, int buflen, int type, int len)
+{
+	struct rtattr *rta;
+
+	if (NLMSG_ALIGN(hdr->nlmsg_len) + RTA_LENGTH(len) > buflen)
+	{
+		DBG1(DBG_KNL, "unable to add attribute, buffer too small");
+		return NULL;
+	}
+
+	rta = ((void*)hdr) + NLMSG_ALIGN(hdr->nlmsg_len);
+	rta->rta_type = type;
+	rta->rta_len = RTA_LENGTH(len);
+	hdr->nlmsg_len = NLMSG_ALIGN(hdr->nlmsg_len) + rta->rta_len;
+
+	return RTA_DATA(rta);
+}
diff --git a/src/libhydra/plugins/kernel_netlink/kernel_netlink_shared.h b/src/libhydra/plugins/kernel_netlink/kernel_netlink_shared.h
index dfd27a21a..8be935bc3 100644
--- a/src/libhydra/plugins/kernel_netlink/kernel_netlink_shared.h
+++ b/src/libhydra/plugins/kernel_netlink/kernel_netlink_shared.h
@@ -42,7 +42,8 @@ struct netlink_socket_t {
 	 * @param	out 	received netlink message
 	 * @param	out_len	length of the received message
 	 */
-	status_t (*send)(netlink_socket_t *this, struct nlmsghdr *in, struct nlmsghdr **out, size_t *out_len);
+	status_t (*send)(netlink_socket_t *this, struct nlmsghdr *in,
+					 struct nlmsghdr **out, size_t *out_len);
 
 	/**
 	 * Send a netlink message and wait for its acknowledge.
@@ -67,11 +68,23 @@ netlink_socket_t *netlink_socket_create(int protocol);
 /**
  * Creates an rtattr and adds it to the given netlink message.
  *
- * @param	hdr			netlink message
- * @param	rta_type	type of the rtattr
- * @param	data		data to add to the rtattr
- * @param	buflen		length of the netlink message buffer
+ * @param hdr			netlink message
+ * @param rta_type		type of the rtattr
+ * @param data			data to add to the rtattr
+ * @param buflen		length of the netlink message buffer
  */
-void netlink_add_attribute(struct nlmsghdr *hdr, int rta_type, chunk_t data, size_t buflen);
+void netlink_add_attribute(struct nlmsghdr *hdr, int rta_type, chunk_t data,
+						   size_t buflen);
+
+/**
+ * Reserve space in a netlink message for given size and type, returning buffer.
+ *
+ * @param hdr			netlink message
+ * @param buflen		size of full netlink buffer
+ * @param type			RTA type
+ * @param len			length of RTA data
+ * @return				buffer to len bytes of attribute data, NULL on error
+ */
+void* netlink_reserve(struct nlmsghdr *hdr, int buflen, int type, int len);
 
 #endif /* KERNEL_NETLINK_SHARED_H_ */
diff --git a/src/libhydra/plugins/kernel_pfkey/Makefile.in b/src/libhydra/plugins/kernel_pfkey/Makefile.in
index 5f3a3c590..c9d4be0fd 100644
--- a/src/libhydra/plugins/kernel_pfkey/Makefile.in
+++ b/src/libhydra/plugins/kernel_pfkey/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.11.3 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
@@ -16,6 +16,23 @@
 @SET_MAKE@
 
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -108,6 +125,11 @@ LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
 	$(LDFLAGS) -o $@
 SOURCES = $(libstrongswan_kernel_pfkey_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_kernel_pfkey_la_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
@@ -124,6 +146,8 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -140,6 +164,7 @@ EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
@@ -208,8 +233,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -265,7 +288,6 @@ nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
@@ -355,7 +377,6 @@ clean-noinstLTLIBRARIES:
 	done
 install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
-	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
 	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
 	list2=; for p in $$list; do \
 	  if test -f $$p; then \
@@ -363,6 +384,8 @@ install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	  else :; fi; \
 	done; \
 	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \
 	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
 	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
 	}
diff --git a/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c b/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
index 71bdbbe2b..2521af87d 100644
--- a/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
+++ b/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
@@ -810,7 +810,7 @@ static kernel_algorithm_t compression_algs[] = {
 static int lookup_algorithm(transform_type_t type, int ikev2)
 {
 	kernel_algorithm_t *list;
-	int alg = 0;
+	u_int16_t alg = 0;
 
 	switch (type)
 	{
@@ -953,7 +953,8 @@ static traffic_selector_t* sadb_address2ts(struct sadb_address *address)
 	ts = traffic_selector_create_from_subnet(host,
 											 address->sadb_address_prefixlen,
 											 address->sadb_address_proto,
-											 host->get_port(host));
+											 host->get_port(host),
+											 host->get_port(host) ?: 65535);
 	return ts;
 }
 
@@ -1766,7 +1767,8 @@ METHOD(kernel_ipsec_t, update_sa, status_t,
 
 METHOD(kernel_ipsec_t, query_sa, status_t,
 	private_kernel_pfkey_ipsec_t *this, host_t *src, host_t *dst,
-	u_int32_t spi, u_int8_t protocol, mark_t mark, u_int64_t *bytes)
+	u_int32_t spi, u_int8_t protocol, mark_t mark,
+	u_int64_t *bytes, u_int64_t *packets)
 {
 	unsigned char request[PFKEY_BUFFER_SIZE];
 	struct sadb_msg *msg, *out;
@@ -1815,7 +1817,15 @@ METHOD(kernel_ipsec_t, query_sa, status_t,
 		free(out);
 		return FAILED;
 	}
-	*bytes = response.lft_current->sadb_lifetime_bytes;
+	if (bytes)
+	{
+		*bytes = response.lft_current->sadb_lifetime_bytes;
+	}
+	if (packets)
+	{
+		/* not supported by PF_KEY */
+		*packets = 0;
+	}
 
 	free(out);
 	return SUCCESS;
@@ -2654,4 +2664,3 @@ kernel_pfkey_ipsec_t *kernel_pfkey_ipsec_create()
 
 	return &this->public;
 }
-
diff --git a/src/libhydra/plugins/kernel_pfroute/Makefile.in b/src/libhydra/plugins/kernel_pfroute/Makefile.in
index 56ba5aac7..ad3ca468a 100644
--- a/src/libhydra/plugins/kernel_pfroute/Makefile.in
+++ b/src/libhydra/plugins/kernel_pfroute/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.11.3 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
@@ -16,6 +16,23 @@
 @SET_MAKE@
 
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -108,6 +125,11 @@ LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
 	$(LDFLAGS) -o $@
 SOURCES = $(libstrongswan_kernel_pfroute_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_kernel_pfroute_la_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
@@ -124,6 +146,8 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -140,6 +164,7 @@ EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
@@ -208,8 +233,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -265,7 +288,6 @@ nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
@@ -355,7 +377,6 @@ clean-noinstLTLIBRARIES:
 	done
 install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
-	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
 	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
 	list2=; for p in $$list; do \
 	  if test -f $$p; then \
@@ -363,6 +384,8 @@ install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	  else :; fi; \
 	done; \
 	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \
 	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
 	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
 	}
diff --git a/src/libhydra/plugins/resolve/Makefile.in b/src/libhydra/plugins/resolve/Makefile.in
index f26c04fbe..509479c81 100644
--- a/src/libhydra/plugins/resolve/Makefile.in
+++ b/src/libhydra/plugins/resolve/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.11.3 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
@@ -16,6 +16,23 @@
 @SET_MAKE@
 
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -107,6 +124,11 @@ LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
 	$(LDFLAGS) -o $@
 SOURCES = $(libstrongswan_resolve_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_resolve_la_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
@@ -123,6 +145,8 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -139,6 +163,7 @@ EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
@@ -207,8 +232,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -264,7 +287,6 @@ nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
@@ -354,7 +376,6 @@ clean-noinstLTLIBRARIES:
 	done
 install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
-	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
 	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
 	list2=; for p in $$list; do \
 	  if test -f $$p; then \
@@ -362,6 +383,8 @@ install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	  else :; fi; \
 	done; \
 	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \
 	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
 	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
 	}
diff --git a/src/libimcv/Makefile.in b/src/libimcv/Makefile.in
index 4263d0a74..d9a27c12d 100644
--- a/src/libimcv/Makefile.in
+++ b/src/libimcv/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.11.3 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
@@ -16,6 +16,23 @@
 @SET_MAKE@
 
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -124,6 +141,11 @@ RECURSIVE_TARGETS = all-recursive check-recursive dvi-recursive \
 	install-pdf-recursive install-ps-recursive install-recursive \
 	installcheck-recursive installdirs-recursive pdf-recursive \
 	ps-recursive uninstall-recursive
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 RECURSIVE_CLEAN_TARGETS = mostlyclean-recursive clean-recursive	\
   distclean-recursive maintainer-clean-recursive
 AM_RECURSIVE_TARGETS = $(RECURSIVE_TARGETS:-recursive=) \
@@ -172,6 +194,8 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -188,6 +212,7 @@ EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
@@ -256,8 +281,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -313,7 +336,6 @@ nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
@@ -421,7 +443,6 @@ $(ACLOCAL_M4):  $(am__aclocal_m4_deps)
 $(am__aclocal_m4_deps):
 install-ipseclibLTLIBRARIES: $(ipseclib_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
-	test -z "$(ipseclibdir)" || $(MKDIR_P) "$(DESTDIR)$(ipseclibdir)"
 	@list='$(ipseclib_LTLIBRARIES)'; test -n "$(ipseclibdir)" || list=; \
 	list2=; for p in $$list; do \
 	  if test -f $$p; then \
@@ -429,6 +450,8 @@ install-ipseclibLTLIBRARIES: $(ipseclib_LTLIBRARIES)
 	  else :; fi; \
 	done; \
 	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(ipseclibdir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(ipseclibdir)" || exit 1; \
 	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(ipseclibdir)'"; \
 	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(ipseclibdir)"; \
 	}
@@ -887,13 +910,10 @@ distdir: $(DISTFILES)
 	done
 	@list='$(DIST_SUBDIRS)'; for subdir in $$list; do \
 	  if test "$$subdir" = .; then :; else \
-	    test -d "$(distdir)/$$subdir" \
-	    || $(MKDIR_P) "$(distdir)/$$subdir" \
-	    || exit 1; \
-	  fi; \
-	done
-	@list='$(DIST_SUBDIRS)'; for subdir in $$list; do \
-	  if test "$$subdir" = .; then :; else \
+	    $(am__make_dryrun) \
+	      || test -d "$(distdir)/$$subdir" \
+	      || $(MKDIR_P) "$(distdir)/$$subdir" \
+	      || exit 1; \
 	    dir1=$$subdir; dir2="$(distdir)/$$subdir"; \
 	    $(am__relativize); \
 	    new_distdir=$$reldir; \
diff --git a/src/libimcv/ietf/ietf_attr.h b/src/libimcv/ietf/ietf_attr.h
index a1ba42565..d22175d94 100644
--- a/src/libimcv/ietf/ietf_attr.h
+++ b/src/libimcv/ietf/ietf_attr.h
@@ -14,8 +14,8 @@
  */
 
 /**
- * @defgroup ietf_attrt ietf_attr
- * @{ @ingroup ietf_attr
+ * @defgroup ietf_attr ietf_attr
+ * @{ @ingroup libimcv
  */
 
 #ifndef IETF_ATTR_H_
diff --git a/src/libimcv/ietf/ietf_attr_assess_result.c b/src/libimcv/ietf/ietf_attr_assess_result.c
index 1c0d6b0eb..55226e3bb 100644
--- a/src/libimcv/ietf/ietf_attr_assess_result.c
+++ b/src/libimcv/ietf/ietf_attr_assess_result.c
@@ -106,7 +106,7 @@ METHOD(pa_tnc_attr_t, build, void,
 
 	writer = bio_writer_create(ASSESS_RESULT_SIZE);
 	writer->write_uint32(writer, this->result);
-	this->value = chunk_clone(writer->get_buf(writer));
+	this->value = writer->extract_buf(writer);
 	writer->destroy(writer);
 }
 
diff --git a/src/libimcv/ietf/ietf_attr_assess_result.h b/src/libimcv/ietf/ietf_attr_assess_result.h
index fab8bc3f0..e94b57b88 100644
--- a/src/libimcv/ietf/ietf_attr_assess_result.h
+++ b/src/libimcv/ietf/ietf_attr_assess_result.h
@@ -15,7 +15,7 @@
 
 /**
  * @defgroup ietf_attr_assess_resultt ietf_attr_assess_result
- * @{ @ingroup ietf
+ * @{ @ingroup ietf_attr
  */
 
 #ifndef IETF_ATTR_ASSESS_RESULT_H_
diff --git a/src/libimcv/ietf/ietf_attr_attr_request.c b/src/libimcv/ietf/ietf_attr_attr_request.c
index c93c9276e..5dc487030 100644
--- a/src/libimcv/ietf/ietf_attr_attr_request.c
+++ b/src/libimcv/ietf/ietf_attr_attr_request.c
@@ -125,7 +125,7 @@ METHOD(pa_tnc_attr_t, build, void,
 	}
 	enumerator->destroy(enumerator);
 
-	this->value = chunk_clone(writer->get_buf(writer));
+	this->value = writer->extract_buf(writer);
 	writer->destroy(writer);
 }
 
diff --git a/src/libimcv/ietf/ietf_attr_attr_request.h b/src/libimcv/ietf/ietf_attr_attr_request.h
index 387ba345d..fc9e08676 100644
--- a/src/libimcv/ietf/ietf_attr_attr_request.h
+++ b/src/libimcv/ietf/ietf_attr_attr_request.h
@@ -15,7 +15,7 @@
 
 /**
  * @defgroup ietf_attr_attr_requestt ietf_attr_attr_request
- * @{ @ingroup ietf
+ * @{ @ingroup ietf_attr
  */
 
 #ifndef IETF_ATTR_ATTR_REQUEST_H_
diff --git a/src/libimcv/ietf/ietf_attr_default_pwd_enabled.c b/src/libimcv/ietf/ietf_attr_default_pwd_enabled.c
index 2022f45cf..2c6b3d542 100644
--- a/src/libimcv/ietf/ietf_attr_default_pwd_enabled.c
+++ b/src/libimcv/ietf/ietf_attr_default_pwd_enabled.c
@@ -106,7 +106,7 @@ METHOD(pa_tnc_attr_t, build, void,
 	writer = bio_writer_create(DEFAULT_PWD_ENABLED_SIZE);
 	writer->write_uint32(writer, this->status);
 
-	this->value = chunk_clone(writer->get_buf(writer));
+	this->value = writer->extract_buf(writer);
 	writer->destroy(writer);
 }
 
diff --git a/src/libimcv/ietf/ietf_attr_default_pwd_enabled.h b/src/libimcv/ietf/ietf_attr_default_pwd_enabled.h
index f6026b0e8..6fe1a02b1 100644
--- a/src/libimcv/ietf/ietf_attr_default_pwd_enabled.h
+++ b/src/libimcv/ietf/ietf_attr_default_pwd_enabled.h
@@ -15,7 +15,7 @@
 
 /**
  * @defgroup ietf_attr_default_pwd_enabled ietf_attr_default_pwd_enabled
- * @{ @ingroup ietf
+ * @{ @ingroup ietf_attr
  */
 
 #ifndef IETF_ATTR_PWD_ENABLED_H_
diff --git a/src/libimcv/ietf/ietf_attr_fwd_enabled.c b/src/libimcv/ietf/ietf_attr_fwd_enabled.c
index 911ee5b89..a906b2258 100644
--- a/src/libimcv/ietf/ietf_attr_fwd_enabled.c
+++ b/src/libimcv/ietf/ietf_attr_fwd_enabled.c
@@ -106,7 +106,7 @@ METHOD(pa_tnc_attr_t, build, void,
 	writer = bio_writer_create(FORWARDING_ENABLED_SIZE);
 	writer->write_uint32(writer, this->fwd_status);
 
-	this->value = chunk_clone(writer->get_buf(writer));
+	this->value = writer->extract_buf(writer);
 	writer->destroy(writer);
 }
 
diff --git a/src/libimcv/ietf/ietf_attr_fwd_enabled.h b/src/libimcv/ietf/ietf_attr_fwd_enabled.h
index bfde1a7b1..41714380e 100644
--- a/src/libimcv/ietf/ietf_attr_fwd_enabled.h
+++ b/src/libimcv/ietf/ietf_attr_fwd_enabled.h
@@ -15,7 +15,7 @@
 
 /**
  * @defgroup ietf_attr_fwd_enabled ietf_attr_fwd_enabled
- * @{ @ingroup ietf
+ * @{ @ingroup ietf_attr
  */
 
 #ifndef IETF_ATTR_FWD_ENABLED_H_
diff --git a/src/libimcv/ietf/ietf_attr_installed_packages.c b/src/libimcv/ietf/ietf_attr_installed_packages.c
index 72a3c1344..462805e38 100644
--- a/src/libimcv/ietf/ietf_attr_installed_packages.c
+++ b/src/libimcv/ietf/ietf_attr_installed_packages.c
@@ -144,7 +144,7 @@ METHOD(pa_tnc_attr_t, build, void,
 	}
 	enumerator->destroy(enumerator);
 
-	this->value = chunk_clone(writer->get_buf(writer));
+	this->value = writer->extract_buf(writer);
 	writer->destroy(writer);
 }
 
diff --git a/src/libimcv/ietf/ietf_attr_installed_packages.h b/src/libimcv/ietf/ietf_attr_installed_packages.h
index a9f6768e0..b79c4040c 100644
--- a/src/libimcv/ietf/ietf_attr_installed_packages.h
+++ b/src/libimcv/ietf/ietf_attr_installed_packages.h
@@ -15,7 +15,7 @@
 
 /**
  * @defgroup ietf_attr_installed_packagest ietf_attr_installed_packages
- * @{ @ingroup ietf_attr_installed_packages
+ * @{ @ingroup ietf_attr
  */
 
 #ifndef IETF_ATTR_INSTALLED_PACKAGES_H_
diff --git a/src/libimcv/ietf/ietf_attr_numeric_version.c b/src/libimcv/ietf/ietf_attr_numeric_version.c
index 797205473..739256457 100644
--- a/src/libimcv/ietf/ietf_attr_numeric_version.c
+++ b/src/libimcv/ietf/ietf_attr_numeric_version.c
@@ -137,7 +137,7 @@ METHOD(pa_tnc_attr_t, build, void,
 	writer->write_uint16(writer, this->service_pack_major);
 	writer->write_uint16(writer, this->service_pack_minor);
 
-	this->value = chunk_clone(writer->get_buf(writer));
+	this->value = writer->extract_buf(writer);
 	writer->destroy(writer);
 }
 
diff --git a/src/libimcv/ietf/ietf_attr_numeric_version.h b/src/libimcv/ietf/ietf_attr_numeric_version.h
index f7d6c909d..bbda6b895 100644
--- a/src/libimcv/ietf/ietf_attr_numeric_version.h
+++ b/src/libimcv/ietf/ietf_attr_numeric_version.h
@@ -15,7 +15,7 @@
 
 /**
  * @defgroup ietf_attr_numeric_versiont ietf_attr_numeric_version
- * @{ @ingroup ietf
+ * @{ @ingroup ietf_attr
  */
 
 #ifndef IETF_ATTR_NUMERIC_VERSION_H_
diff --git a/src/libimcv/ietf/ietf_attr_op_status.c b/src/libimcv/ietf/ietf_attr_op_status.c
index d9610b29d..23530684a 100644
--- a/src/libimcv/ietf/ietf_attr_op_status.c
+++ b/src/libimcv/ietf/ietf_attr_op_status.c
@@ -153,7 +153,7 @@ METHOD(pa_tnc_attr_t, build, void,
 	writer->write_uint16(writer, 0x0000);
 	writer->write_data  (writer, chunk_create(last_use, 20));
 
-	this->value = chunk_clone(writer->get_buf(writer));
+	this->value = writer->extract_buf(writer);
 	writer->destroy(writer);
 }
 
diff --git a/src/libimcv/ietf/ietf_attr_op_status.h b/src/libimcv/ietf/ietf_attr_op_status.h
index 2e14148c4..b70fab608 100644
--- a/src/libimcv/ietf/ietf_attr_op_status.h
+++ b/src/libimcv/ietf/ietf_attr_op_status.h
@@ -15,7 +15,7 @@
 
 /**
  * @defgroup ietf_attr_op_statust ietf_attr_op_status
- * @{ @ingroup ietf
+ * @{ @ingroup ietf_attr
  */
 
 #ifndef IETF_ATTR_OP_STATUS_H_
@@ -40,7 +40,7 @@ enum op_status_t {
 };
 
 extern enum_name_t *op_status_names;
- 
+
 /**
  * Operational Result type
  */
@@ -92,7 +92,7 @@ struct ietf_attr_op_status_t {
  *
  * @param status			Operational Status
  * @param result			Operational Result
- * @param last_use			Time of last use 
+ * @param last_use			Time of last use
  */
 pa_tnc_attr_t* ietf_attr_op_status_create(u_int8_t status, u_int8_t result,
 										  time_t last_use);
diff --git a/src/libimcv/ietf/ietf_attr_pa_tnc_error.c b/src/libimcv/ietf/ietf_attr_pa_tnc_error.c
index f92022fe0..5f20f8958 100644
--- a/src/libimcv/ietf/ietf_attr_pa_tnc_error.c
+++ b/src/libimcv/ietf/ietf_attr_pa_tnc_error.c
@@ -206,7 +206,7 @@ METHOD(pa_tnc_attr_t, build, void,
 				break;
 		}
 	}
-	this->value = chunk_clone(writer->get_buf(writer));
+	this->value = writer->extract_buf(writer);
 	writer->destroy(writer);
 }
 
@@ -325,22 +325,12 @@ METHOD(ietf_attr_pa_tnc_error_t, get_offset, u_int32_t,
 }
 
 /**
- * Described in header.
+ * Generic constructor
  */
-pa_tnc_attr_t *ietf_attr_pa_tnc_error_create(pen_type_t error_code,
-											 chunk_t msg_info)
+static private_ietf_attr_pa_tnc_error_t* create_generic()
 {
 	private_ietf_attr_pa_tnc_error_t *this;
 
-	if (error_code.vendor_id == PEN_IETF)
-	{
-		msg_info.len = PA_ERROR_MSG_INFO_SIZE;
-	}
-	else if (msg_info.len > PA_ERROR_MSG_INFO_MAX_SIZE)
-	{
-		msg_info.len = PA_ERROR_MSG_INFO_MAX_SIZE;
-	}
-
 	INIT(this,
 		.public = {
 			.pa_tnc_attribute = {
@@ -360,11 +350,33 @@ pa_tnc_attr_t *ietf_attr_pa_tnc_error_create(pen_type_t error_code,
 			.get_offset = _get_offset,
 		},
 		.type = { PEN_IETF, IETF_ATTR_PA_TNC_ERROR },
-		.error_code = error_code,
-		.msg_info = chunk_clone(msg_info),
 		.ref = 1,
 	);
 
+	return this;
+}
+
+/**
+ * Described in header.
+ */
+pa_tnc_attr_t *ietf_attr_pa_tnc_error_create(pen_type_t error_code,
+											 chunk_t msg_info)
+{
+	private_ietf_attr_pa_tnc_error_t *this;
+
+	if (error_code.vendor_id == PEN_IETF)
+	{
+		msg_info.len = PA_ERROR_MSG_INFO_SIZE;
+	}
+	else if (msg_info.len > PA_ERROR_MSG_INFO_MAX_SIZE)
+	{
+		msg_info.len = PA_ERROR_MSG_INFO_MAX_SIZE;
+	}
+
+	this = create_generic();
+	this->error_code = error_code;
+	this->msg_info = chunk_clone(msg_info);
+
 	return &this->public.pa_tnc_attribute;
 }
 
@@ -380,30 +392,10 @@ pa_tnc_attr_t *ietf_attr_pa_tnc_error_create_with_offset(pen_type_t error_code,
 	/* the first 8 bytes of the erroneous PA-TNC message are sent back */
 	msg_info.len = PA_ERROR_MSG_INFO_SIZE;
 
-	INIT(this,
-		.public = {
-			.pa_tnc_attribute = {
-				.get_type = _get_type,
-				.get_value = _get_value,
-				.get_noskip_flag = _get_noskip_flag,
-				.set_noskip_flag = _set_noskip_flag,
-				.build = _build,
-				.process = _process,
-				.get_ref = _get_ref,
-				.destroy = _destroy,
-			},
-			.get_error_code = _get_error_code,
-			.get_msg_info = _get_msg_info,
-			.get_attr_info = _get_attr_info,
-			.set_attr_info = _set_attr_info,
-			.get_offset = _get_offset,
-		},
-		.type = { PEN_IETF, IETF_ATTR_PA_TNC_ERROR },
-		.error_code = error_code,
-		.msg_info = chunk_clone(msg_info),
-		.error_offset = error_offset,
-		.ref = 1,
-	);
+	this = create_generic();
+	this->error_code = error_code;
+	this->msg_info = chunk_clone(msg_info);
+	this->error_offset = error_offset;
 
 	return &this->public.pa_tnc_attribute;
 }
@@ -415,30 +407,8 @@ pa_tnc_attr_t *ietf_attr_pa_tnc_error_create_from_data(chunk_t data)
 {
 	private_ietf_attr_pa_tnc_error_t *this;
 
-	INIT(this,
-		.public = {
-			.pa_tnc_attribute = {
-				.get_type = _get_type,
-				.get_value = _get_value,
-				.get_noskip_flag = _get_noskip_flag,
-				.set_noskip_flag = _set_noskip_flag,
-				.build = _build,
-				.process = _process,
-				.get_ref = _get_ref,
-				.destroy = _destroy,
-			},
-			.get_error_code = _get_error_code,
-			.get_msg_info = _get_msg_info,
-			.get_attr_info = _get_attr_info,
-			.set_attr_info = _set_attr_info,
-			.get_offset = _get_offset,
-		},
-		.type = { PEN_IETF, IETF_ATTR_PA_TNC_ERROR },
-		.value = chunk_clone(data),
-		.ref = 1,
-	);
+	this = create_generic();
+	this->value = chunk_clone(data);
 
 	return &this->public.pa_tnc_attribute;
 }
-
-
diff --git a/src/libimcv/ietf/ietf_attr_pa_tnc_error.h b/src/libimcv/ietf/ietf_attr_pa_tnc_error.h
index a5a10d470..faa38f8f9 100644
--- a/src/libimcv/ietf/ietf_attr_pa_tnc_error.h
+++ b/src/libimcv/ietf/ietf_attr_pa_tnc_error.h
@@ -15,7 +15,7 @@
 
 /**
  * @defgroup ietf_attr_pa_tnc_errort ietf_attr_pa_tnc_error
- * @{ @ingroup ietf_attr_pa_tnc_error
+ * @{ @ingroup ietf_attr
  */
 
 #ifndef IETF_ATTR_PA_TNC_ERROR_H_
@@ -96,7 +96,7 @@ struct ietf_attr_pa_tnc_error_t {
  *
  * @param error_code		Vendor-specific PA-TNC error code
  * @param header			PA-TNC message header (first 8 bytes)
- * 
+ *
  */
 pa_tnc_attr_t* ietf_attr_pa_tnc_error_create(pen_type_t error_code,
 											 chunk_t header);
@@ -107,7 +107,7 @@ pa_tnc_attr_t* ietf_attr_pa_tnc_error_create(pen_type_t error_code,
  * @param error_code		Vendor-specifica PA-TNC error code
  * @param header			PA-TNC message header (first 8 bytes)
  * @param error_offset		PA-TNC error offset in bytes
- * 
+ *
  */
 pa_tnc_attr_t* ietf_attr_pa_tnc_error_create_with_offset(pen_type_t error_code,
 														 chunk_t header,
diff --git a/src/libimcv/ietf/ietf_attr_port_filter.c b/src/libimcv/ietf/ietf_attr_port_filter.c
index 8b8da3a41..1d516a51f 100644
--- a/src/libimcv/ietf/ietf_attr_port_filter.c
+++ b/src/libimcv/ietf/ietf_attr_port_filter.c
@@ -130,7 +130,7 @@ METHOD(pa_tnc_attr_t, build, void,
 	}
 	enumerator->destroy(enumerator);
 
-	this->value = chunk_clone(writer->get_buf(writer));
+	this->value = writer->extract_buf(writer);
 	writer->destroy(writer);
 }
 
diff --git a/src/libimcv/ietf/ietf_attr_port_filter.h b/src/libimcv/ietf/ietf_attr_port_filter.h
index ad5553417..93b696e45 100644
--- a/src/libimcv/ietf/ietf_attr_port_filter.h
+++ b/src/libimcv/ietf/ietf_attr_port_filter.h
@@ -15,7 +15,7 @@
 
 /**
  * @defgroup ietf_attr_port_filtert ietf_attr_port_filter
- * @{ @ingroup ietf_attr_port_filter
+ * @{ @ingroup ietf_attr
  */
 
 #ifndef IETF_ATTR_PORT_FILTER_H_
diff --git a/src/libimcv/ietf/ietf_attr_product_info.c b/src/libimcv/ietf/ietf_attr_product_info.c
index 115f00130..a107c27d3 100644
--- a/src/libimcv/ietf/ietf_attr_product_info.c
+++ b/src/libimcv/ietf/ietf_attr_product_info.c
@@ -119,7 +119,7 @@ METHOD(pa_tnc_attr_t, build, void,
 	writer->write_uint16(writer, this->product_id);
 	writer->write_data  (writer, this->product_name);
 
-	this->value = chunk_clone(writer->get_buf(writer));
+	this->value = writer->extract_buf(writer);
 	writer->destroy(writer);
 }
 
diff --git a/src/libimcv/ietf/ietf_attr_product_info.h b/src/libimcv/ietf/ietf_attr_product_info.h
index dfaa67d6c..d0b2d2a84 100644
--- a/src/libimcv/ietf/ietf_attr_product_info.h
+++ b/src/libimcv/ietf/ietf_attr_product_info.h
@@ -15,7 +15,7 @@
 
 /**
  * @defgroup ietf_attr_product_infot ietf_attr_product_info
- * @{ @ingroup ietf
+ * @{ @ingroup ietf_attr
  */
 
 #ifndef IETF_ATTR_PRODUCT_INFO_H_
diff --git a/src/libimcv/ietf/ietf_attr_remediation_instr.c b/src/libimcv/ietf/ietf_attr_remediation_instr.c
index f3b4e83dd..5d85e5d89 100644
--- a/src/libimcv/ietf/ietf_attr_remediation_instr.c
+++ b/src/libimcv/ietf/ietf_attr_remediation_instr.c
@@ -154,7 +154,7 @@ METHOD(pa_tnc_attr_t, build, void,
 	writer->write_uint32(writer, this->parameters_type.type);
 	writer->write_data  (writer, this->parameters);
 
-	this->value = chunk_clone(writer->get_buf(writer));
+	this->value = writer->extract_buf(writer);
 	writer->destroy(writer);
 }
 
@@ -194,14 +194,16 @@ METHOD(pa_tnc_attr_t, process, status_t,
 			DBG1(DBG_TNC, "insufficient data for IETF remediation string");
 			goto end;
 		}
+		*offset += 4;
+
 		pos = memchr(this->string.ptr, '\0', this->string.len);
 		if (pos)
 		{
 			DBG1(DBG_TNC, "nul termination in IETF remediation string");
-			*offset += 1 + (pos - this->string.ptr);
+			*offset += (pos - this->string.ptr);
 			goto end;
 		}
-		*offset += 4 + this->string.len;
+		*offset += this->string.len;
 
 		if (!reader->read_data8(reader, &this->lang_code))
 		{
@@ -246,12 +248,6 @@ METHOD(ietf_attr_remediation_instr_t, get_parameters, chunk_t,
 	return this->parameters;
 }
 
-METHOD(ietf_attr_remediation_instr_t, get_uri, chunk_t,
-	private_ietf_attr_remediation_instr_t *this)
-{
-	return this->parameters;
-}
-
 METHOD(ietf_attr_remediation_instr_t, get_string, chunk_t,
 	private_ietf_attr_remediation_instr_t *this, chunk_t *lang_code)
 {
@@ -284,7 +280,7 @@ pa_tnc_attr_t *ietf_attr_remediation_instr_create(pen_type_t parameters_type,
 			},
 			.get_parameters_type = _get_parameters_type,
 			.get_parameters = _get_parameters,
-			.get_uri = _get_uri,
+			.get_uri = _get_parameters,
 			.get_string = _get_string,
 		},
 		.type = { PEN_IETF, IETF_ATTR_REMEDIATION_INSTRUCTIONS },
@@ -350,7 +346,7 @@ pa_tnc_attr_t *ietf_attr_remediation_instr_create_from_data(chunk_t data)
 			},
 			.get_parameters_type = _get_parameters_type,
 			.get_parameters = _get_parameters,
-			.get_uri = _get_uri,
+			.get_uri = _get_parameters,
 			.get_string = _get_string,
 		},
 		.type = { PEN_IETF, IETF_ATTR_REMEDIATION_INSTRUCTIONS },
diff --git a/src/libimcv/ietf/ietf_attr_remediation_instr.h b/src/libimcv/ietf/ietf_attr_remediation_instr.h
index 473280c33..5c7c8891b 100644
--- a/src/libimcv/ietf/ietf_attr_remediation_instr.h
+++ b/src/libimcv/ietf/ietf_attr_remediation_instr.h
@@ -15,7 +15,7 @@
 
 /**
  * @defgroup ietf_attr_remediation_instrt ietf_attr_remediation_instr
- * @{ @ingroup ietf
+ * @{ @ingroup ietf_attr
  */
 
 #ifndef IETF_ATTR_REMEDIATION_INSTR_H_
diff --git a/src/libimcv/ietf/ietf_attr_string_version.c b/src/libimcv/ietf/ietf_attr_string_version.c
index 8f4129eac..68adde612 100644
--- a/src/libimcv/ietf/ietf_attr_string_version.c
+++ b/src/libimcv/ietf/ietf_attr_string_version.c
@@ -123,7 +123,7 @@ METHOD(pa_tnc_attr_t, build, void,
 	writer->write_data8(writer, this->build);
 	writer->write_data8(writer, this->config);
 
-	this->value = chunk_clone(writer->get_buf(writer));
+	this->value = writer->extract_buf(writer);
 	writer->destroy(writer);
 }
 
diff --git a/src/libimcv/ietf/ietf_attr_string_version.h b/src/libimcv/ietf/ietf_attr_string_version.h
index 5ffbea8e0..9ccc1f0ee 100644
--- a/src/libimcv/ietf/ietf_attr_string_version.h
+++ b/src/libimcv/ietf/ietf_attr_string_version.h
@@ -15,7 +15,7 @@
 
 /**
  * @defgroup ietf_attr_string_versiont ietf_attr_string_version
- * @{ @ingroup ietf
+ * @{ @ingroup ietf_attr
  */
 
 #ifndef IETF_ATTR_STRING_VERSION_H_
diff --git a/src/libimcv/imc/imc_agent.c b/src/libimcv/imc/imc_agent.c
index 161623477..f309abe74 100644
--- a/src/libimcv/imc/imc_agent.c
+++ b/src/libimcv/imc/imc_agent.c
@@ -190,8 +190,6 @@ METHOD(imc_agent_t, bind_functions, TNC_Result,
 	{
 		this->reserve_additional_id = NULL;
 	}
-	DBG2(DBG_IMC, "IMC %u \"%s\" provided with bind function",
-				  this->id, this->name);
 
 	if (this->report_message_types_long)
 	{
diff --git a/src/libimcv/imc/imc_agent.h b/src/libimcv/imc/imc_agent.h
index aef10c0d7..0a1638f47 100644
--- a/src/libimcv/imc/imc_agent.h
+++ b/src/libimcv/imc/imc_agent.h
@@ -16,7 +16,7 @@
 /**
  *
  * @defgroup imc_agent_t imc_agent
- * @{ @ingroup imc_agent
+ * @{ @ingroup libimcv_imc
  */
 
 #ifndef IMC_AGENT_H_
diff --git a/src/libimcv/imc/imc_msg.c b/src/libimcv/imc/imc_msg.c
index 050e63f32..1fc3d3be5 100644
--- a/src/libimcv/imc/imc_msg.c
+++ b/src/libimcv/imc/imc_msg.c
@@ -91,6 +91,12 @@ METHOD(imc_msg_t, get_dst_id, TNC_UInt32,
 	return this->dst_id;
 }
 
+METHOD(imc_msg_t, get_msg_type, pen_type_t,
+	private_imc_msg_t *this)
+{
+	return this->msg_type;
+}
+
 METHOD(imc_msg_t, send_, TNC_Result,
 	private_imc_msg_t *this, bool excl)
 {
@@ -380,6 +386,7 @@ imc_msg_t *imc_msg_create(imc_agent_t *agent, imc_state_t *state,
 		.public = {
 			.get_src_id = _get_src_id,
 			.get_dst_id = _get_dst_id,
+			.get_msg_type = _get_msg_type,
 			.send = _send_,
 			.receive = _receive,
 			.add_attribute = _add_attribute,
@@ -454,4 +461,3 @@ imc_msg_t *imc_msg_create_from_long_data(imc_agent_t *agent, imc_state_t *state,
 
 	return &this->public;
 }
-
diff --git a/src/libimcv/imc/imc_msg.h b/src/libimcv/imc/imc_msg.h
index 6dd712e84..588225dbe 100644
--- a/src/libimcv/imc/imc_msg.h
+++ b/src/libimcv/imc/imc_msg.h
@@ -15,7 +15,7 @@
 
 /**
  * @defgroup imc_msg imc_msg
- * @{ @ingroup libimcv
+ * @{ @ingroup libimcv_imc
  */
 
 #ifndef IMC_MSG_H_
@@ -47,6 +47,13 @@ struct imc_msg_t {
 	 */
 	TNC_UInt32 (*get_dst_id)(imc_msg_t *this);
 
+	/**
+	 * Get the PA-TNC message type.
+	 *
+	 * @return					message type
+	 */
+	pen_type_t (*get_msg_type)(imc_msg_t *this);
+
 	/**
 	 * Sends one or multiple PA-TNC messages
 	 *
@@ -134,7 +141,6 @@ imc_msg_t* imc_msg_create_from_data(imc_agent_t *agent, imc_state_t *state,
  * @param connection_id			connection ID
  * @param src_id				source IMV ID
  * @param dst_id				destination IMC ID
- * @param msg_flags				PA-TNC message flags
  * @param msg_vid				PA-TNC message vendor ID
  * @param msg_subtype			PA-TNC subtype
  * @param msg					received PA-TNC message blob
diff --git a/src/libimcv/imc/imc_state.h b/src/libimcv/imc/imc_state.h
index c34441f0f..7e763fbe1 100644
--- a/src/libimcv/imc/imc_state.h
+++ b/src/libimcv/imc/imc_state.h
@@ -16,7 +16,7 @@
 /**
  *
  * @defgroup imc_state_t imc_state
- * @{ @ingroup imc_state
+ * @{ @ingroup libimcv_imc
  */
 
 #ifndef IMC_STATE_H_
@@ -68,7 +68,7 @@ struct imc_state_t {
 	/**
 	 * Set the maximum size of a PA-TNC message for this TNCCS connection
 	 *
-	 * @max_msg_len			maximum size of a PA-TNC message
+	 * @param max_msg_len	maximum size of a PA-TNC message
 	 */
 	void (*set_max_msg_len)(imc_state_t *this, u_int32_t max_msg_len);
 
diff --git a/src/libimcv/imcv.c b/src/libimcv/imcv.c
index e1b828d10..6cee0ad8f 100644
--- a/src/libimcv/imcv.c
+++ b/src/libimcv/imcv.c
@@ -107,13 +107,6 @@ bool libimcv_init(void)
 			return FALSE;
 		}
 
-		if (!lib->plugins->load(lib->plugins, NULL,
-							"sha1 sha2 random nonce gmp pubkey x509"))
-		{
-			library_deinit();
-			return FALSE;
-		}
-
 		/* set the debug level and stderr output */
 		imcv_debug_level =  lib->settings->get_int(lib->settings,
 									"libimcv.debug_level", IMCV_DEBUG_LEVEL);
@@ -123,6 +116,13 @@ bool libimcv_init(void)
 		/* activate the imcv debugging hook */
 		dbg = imcv_dbg;
 		openlog("imcv", 0, LOG_DAEMON);
+
+		if (!lib->plugins->load(lib->plugins, NULL,
+							"sha1 sha2 random nonce gmp pubkey x509"))
+		{
+			library_deinit();
+			return FALSE;
+		}
 	}
 	ref_get(&libstrongswan_ref);
 
diff --git a/src/libimcv/imcv.h b/src/libimcv/imcv.h
index a1a5a5f43..3a37e3d8c 100644
--- a/src/libimcv/imcv.h
+++ b/src/libimcv/imcv.h
@@ -15,7 +15,16 @@
 /**
  * @defgroup libimcv libimcv
  *
- * @defgroup iplugins plugins
+ * @defgroup libimcv_imc imc
+ * @ingroup libimcv
+ *
+ * @defgroup libimcv_imv imv
+ * @ingroup libimcv
+ *
+ * @defgroup pa_tnc pa_tnc
+ * @ingroup libimcv
+ *
+ * @defgroup libimcv_plugins plugins
  * @ingroup libimcv
  *
  * @addtogroup libimcv
diff --git a/src/libimcv/imv/imv_agent.c b/src/libimcv/imv/imv_agent.c
index 6a33e396c..879a0103a 100644
--- a/src/libimcv/imv/imv_agent.c
+++ b/src/libimcv/imv/imv_agent.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2011-2012 Andreas Steffen
+ * Copyright (C) 2011-2013 Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -18,8 +18,11 @@
 #include "ietf/ietf_attr_assess_result.h"
 
 #include <tncif_names.h>
+#include <tncif_identity.h>
 
 #include <utils/debug.h>
+#include <collections/linked_list.h>
+#include <bio/bio_reader.h>
 #include <threading/rwlock.h>
 
 typedef struct private_imv_agent_t private_imv_agent_t;
@@ -210,8 +213,6 @@ METHOD(imv_agent_t, bind_functions, TNC_Result,
 	{
 		this->reserve_additional_id = NULL;
 	}
-	DBG2(DBG_IMV, "IMV %u \"%s\" provided with bind function",
-				  this->id, this->name);
 
 	if (this->report_message_types_long)
 	{
@@ -352,12 +353,59 @@ static u_int32_t get_uint_attribute(private_imv_agent_t *this, TNC_ConnectionID
 	return 0;
  }
 
+/**
+ * Read a TNC identity attribute
+ */
+static linked_list_t* get_identity_attribute(private_imv_agent_t *this,
+											 TNC_ConnectionID id,
+											 TNC_AttributeID attribute_id)
+{
+	TNC_UInt32 len;
+	char buf[2048];
+	u_int32_t count;
+	tncif_identity_t *tnc_id;
+	bio_reader_t *reader;
+	linked_list_t *list;
+
+	list = linked_list_create();
+
+	if (!this->get_attribute ||
+		 this->get_attribute(this->id, id, attribute_id, sizeof(buf), buf, &len)
+				!= TNC_RESULT_SUCCESS || len > sizeof(buf))
+	{
+		return list;
+	}
+
+	reader = bio_reader_create(chunk_create(buf, len));
+	if (!reader->read_uint32(reader, &count))
+	{
+			goto end;
+	}
+	while (count--)
+	{
+		tnc_id = tncif_identity_create_empty();
+		if (!tnc_id->process(tnc_id, reader))
+		{
+			tnc_id->destroy(tnc_id);
+			goto end;
+		}
+		list->insert_last(list, tnc_id);
+	}
+
+end:
+	reader->destroy(reader);
+	return list;
+ }
+
 METHOD(imv_agent_t, create_state, TNC_Result,
 	private_imv_agent_t *this, imv_state_t *state)
 {
 	TNC_ConnectionID conn_id;
 	char *tnccs_p = NULL, *tnccs_v = NULL, *t_p = NULL, *t_v = NULL;
 	bool has_long = FALSE, has_excl = FALSE, has_soh = FALSE;
+	linked_list_t *ar_identities;
+	enumerator_t *enumerator;
+	tncif_identity_t *tnc_id;
 	u_int32_t max_msg_len;
 
 	conn_id = state->get_connection_id(state);
@@ -378,6 +426,7 @@ METHOD(imv_agent_t, create_state, TNC_Result,
 	t_p = get_str_attribute(this, conn_id, TNC_ATTRIBUTEID_IFT_PROTOCOL);
 	t_v = get_str_attribute(this, conn_id, TNC_ATTRIBUTEID_IFT_VERSION);
 	max_msg_len = get_uint_attribute(this, conn_id, TNC_ATTRIBUTEID_MAX_MESSAGE_SIZE);
+	ar_identities = get_identity_attribute(this, conn_id, TNC_ATTRIBUTEID_AR_IDENTITIES);
 
 	state->set_flags(state, has_long, has_excl);
 	state->set_max_msg_len(state, max_msg_len);
@@ -389,6 +438,36 @@ METHOD(imv_agent_t, create_state, TNC_Result,
 	DBG2(DBG_IMV, "  over %s %s with maximum PA-TNC message size of %u bytes",
 				  t_p ? t_p:"?", t_v ? t_v :"?", max_msg_len);
 
+	enumerator = ar_identities->create_enumerator(ar_identities);
+	while (enumerator->enumerate(enumerator, &tnc_id))
+	{
+		pen_type_t id_type, subject_type, auth_type;
+		u_int32_t tcg_id_type, tcg_subject_type, tcg_auth_type;
+		chunk_t id_value;
+
+		id_type = tnc_id->get_identity_type(tnc_id);
+		id_value = tnc_id->get_identity_value(tnc_id);
+		subject_type = tnc_id->get_subject_type(tnc_id);
+		auth_type = tnc_id->get_auth_type(tnc_id);
+
+		tcg_id_type =      (id_type.vendor_id == PEN_TCG) ?
+							id_type.type : TNC_ID_UNKNOWN;
+		tcg_subject_type = (subject_type.vendor_id == PEN_TCG) ?
+							subject_type.type : TNC_SUBJECT_UNKNOWN;
+		tcg_auth_type =    (auth_type.vendor_id == PEN_TCG) ?
+							auth_type.type : TNC_AUTH_UNKNOWN;
+
+
+		DBG2(DBG_IMV, "  %N AR identity '%.*s' authenticated by %N",
+			 TNC_Subject_names, tcg_subject_type,
+			 id_value.len, id_value.ptr,
+			 TNC_Authentication_names, tcg_auth_type);
+		state->set_ar_id(state, tcg_id_type, id_value);
+	}
+	enumerator->destroy(enumerator);
+
+	ar_identities->destroy_offset(ar_identities,
+						   offsetof(tncif_identity_t, destroy));
 	free(tnccs_p);
 	free(tnccs_v);
 	free(t_p);
diff --git a/src/libimcv/imv/imv_agent.h b/src/libimcv/imv/imv_agent.h
index 5b2cffefe..6f3d2b4b7 100644
--- a/src/libimcv/imv/imv_agent.h
+++ b/src/libimcv/imv/imv_agent.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2011-2012 Andreas Steffen
+ * Copyright (C) 2011-2013 Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -16,7 +16,7 @@
 /**
  *
  * @defgroup imv_agent_t imv_agent
- * @{ @ingroup imv_agent
+ * @{ @ingroup libimcv_imv
  */
 
 #ifndef IMV_AGENT_H_
diff --git a/src/libimcv/imv/imv_lang_string.h b/src/libimcv/imv/imv_lang_string.h
index 90a66db76..56b4572f8 100644
--- a/src/libimcv/imv/imv_lang_string.h
+++ b/src/libimcv/imv/imv_lang_string.h
@@ -16,7 +16,7 @@
 /**
  *
  * @defgroup imv_lang_string_t imv_lang_string
- * @{ @ingroup imv_lang_string
+ * @{ @ingroup libimcv_imv
  */
 
 #ifndef IMV_LANG_STRING_H_
diff --git a/src/libimcv/imv/imv_msg.c b/src/libimcv/imv/imv_msg.c
index 4ed19dd13..496d0ee1c 100644
--- a/src/libimcv/imv/imv_msg.c
+++ b/src/libimcv/imv/imv_msg.c
@@ -102,6 +102,12 @@ METHOD(imv_msg_t, set_msg_type, void,
 	}
 }
 
+METHOD(imv_msg_t, get_msg_type, pen_type_t,
+	private_imv_msg_t *this)
+{
+	return this->msg_type;
+}
+
 METHOD(imv_msg_t, add_attribute, void,
 	private_imv_msg_t *this, pa_tnc_attr_t *attr)
 {
@@ -352,6 +358,7 @@ imv_msg_t *imv_msg_create(imv_agent_t *agent, imv_state_t *state,
 			.get_src_id = _get_src_id,
 			.get_dst_id = _get_dst_id,
 			.set_msg_type = _set_msg_type,
+			.get_msg_type = _get_msg_type,
 			.send = _send_,
 			.send_assessment = _send_assessment,
 			.receive = _receive,
diff --git a/src/libimcv/imv/imv_msg.h b/src/libimcv/imv/imv_msg.h
index b639712e8..9e56d9fe7 100644
--- a/src/libimcv/imv/imv_msg.h
+++ b/src/libimcv/imv/imv_msg.h
@@ -14,8 +14,8 @@
  */
 
 /**
- * @defgroup imv_msg imv_msg
- * @{ @ingroup libimcv
+ * @defgroup imv_msg_t imv_msg
+ * @{ @ingroup libimcv_imv
  */
 
 #ifndef IMV_MSG_H_
@@ -54,6 +54,13 @@ struct imv_msg_t {
 	 */
 	void (*set_msg_type)(imv_msg_t *this, pen_type_t msg_type);
 
+	/**
+	 * Get the type of a PA-TNC message.
+	 *
+	 * @return					message type
+	 */
+	pen_type_t (*get_msg_type)(imv_msg_t *this);
+
 	/**
 	 * Sends one or multiple PA-TNC messages
 	 *
@@ -148,7 +155,6 @@ imv_msg_t* imv_msg_create_from_data(imv_agent_t *agent, imv_state_t *state,
  * @param connection_id			connection ID
  * @param src_id				source IMC ID
  * @param dst_id				destination IMV ID
- * @param msg_flags				PA-TNC message flags
  * @param msg_vid				PA-TNC message vendor ID
  * @param msg_subtype			PA-TNC subtype
  * @param msg					received PA-TNC message blob
diff --git a/src/libimcv/imv/imv_reason_string.c b/src/libimcv/imv/imv_reason_string.c
index 18eade01b..d1447ec35 100644
--- a/src/libimcv/imv/imv_reason_string.c
+++ b/src/libimcv/imv/imv_reason_string.c
@@ -51,7 +51,7 @@ METHOD(imv_reason_string_t, add_reason, void,
 	if (this->reasons.len)
 	{
 		/* append any further reasons */
-		this->reasons = chunk_cat("cm", this->reasons, chunk_from_chars('\n'),
+		this->reasons = chunk_cat("mcc", this->reasons, chunk_from_chars('\n'),
 								  chunk_create(s_reason, strlen(s_reason)));
 	}
 	else
diff --git a/src/libimcv/imv/imv_reason_string.h b/src/libimcv/imv/imv_reason_string.h
index 320b2476a..cb4c27f93 100644
--- a/src/libimcv/imv/imv_reason_string.h
+++ b/src/libimcv/imv/imv_reason_string.h
@@ -16,7 +16,7 @@
 /**
  *
  * @defgroup imv_reason_string_t imv_reason_string
- * @{ @ingroup imv_reason_string
+ * @{ @ingroup libimcv_imv
  */
 
 #ifndef IMV_REASON_STRING_H_
diff --git a/src/libimcv/imv/imv_remediation_string.h b/src/libimcv/imv/imv_remediation_string.h
index 9249c2aab..605013abb 100644
--- a/src/libimcv/imv/imv_remediation_string.h
+++ b/src/libimcv/imv/imv_remediation_string.h
@@ -16,7 +16,7 @@
 /**
  *
  * @defgroup imv_remediation_string_t imv_remediation_string
- * @{ @ingroup imv_remediation_string
+ * @{ @ingroup libimcv_imv
  */
 
 #ifndef IMV_REMEDIATION_STRING_H_
diff --git a/src/libimcv/imv/imv_state.h b/src/libimcv/imv/imv_state.h
index f40402e2b..d1a87d2d7 100644
--- a/src/libimcv/imv/imv_state.h
+++ b/src/libimcv/imv/imv_state.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2011-2012 Andreas Steffen
+ * Copyright (C) 2011-2013 Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -16,7 +16,7 @@
 /**
  *
  * @defgroup imv_state_t imv_state
- * @{ @ingroup imv_state
+ * @{ @ingroup libimcv_imv
  */
 
 #ifndef IMV_STATE_H_
@@ -66,7 +66,7 @@ struct imv_state_t {
 	/**
 	 * Set the maximum size of a PA-TNC message for this TNCCS connection
 	 *
-	 * @max_msg_len			maximum size of a PA-TNC message
+	 * @param max_msg_len	maximum size of a PA-TNC message
 	 */
 	void (*set_max_msg_len)(imv_state_t *this, u_int32_t max_msg_len);
 
@@ -77,6 +77,23 @@ struct imv_state_t {
 	 */
 	u_int32_t (*get_max_msg_len)(imv_state_t *this);
 
+	/**
+	 * Set Access Requestor ID
+	 *
+	 * @param id_type		Access Requestor TCG Standard ID Type
+	 * @param id_value		Access Requestor TCG Standard ID Value
+	 *
+	 */
+	void (*set_ar_id)(imv_state_t *this, u_int32_t id_type, chunk_t id_value);
+
+	/**
+	 * Get Access Requestor ID
+	 *
+	 * @param id_type		Access Requestor TCG Standard ID Type
+	 * @return				Access Requestor TCG Standard ID Value
+	 */
+	chunk_t (*get_ar_id)(imv_state_t *this, u_int32_t *id_type);
+
 	/**
 	 * Change the connection state
 	 *
diff --git a/src/libimcv/ita/ita_attr.c b/src/libimcv/ita/ita_attr.c
index 09754aed6..590bc9b5a 100644
--- a/src/libimcv/ita/ita_attr.c
+++ b/src/libimcv/ita/ita_attr.c
@@ -20,13 +20,14 @@
 #include "ita/ita_attr_settings.h"
 #include "ita/ita_attr_angel.h"
 
-ENUM(ita_attr_names, ITA_ATTR_COMMAND, ITA_ATTR_STOP_ANGEL,
+ENUM(ita_attr_names, ITA_ATTR_COMMAND, ITA_ATTR_ECHO,
 	"Command",
 	"Dummy",
 	"Get Settings",
 	"Settings",
 	"Start Angel",
-	"Stop Angel"
+	"Stop Angel",
+	"Echo"
 );
 
 /**
diff --git a/src/libimcv/ita/ita_attr.h b/src/libimcv/ita/ita_attr.h
index d7b06146f..446fa032a 100644
--- a/src/libimcv/ita/ita_attr.h
+++ b/src/libimcv/ita/ita_attr.h
@@ -14,8 +14,8 @@
  */
 
 /**
- * @defgroup ita_attrt ita_attr
- * @{ @ingroup ita_attr
+ * @defgroup ita_attr ita_attr
+ * @{ @ingroup libimcv
  */
 
 #ifndef ITA_ATTR_H_
@@ -36,7 +36,8 @@ enum ita_attr_t {
 	ITA_ATTR_GET_SETTINGS = 3,
 	ITA_ATTR_SETTINGS = 4,
 	ITA_ATTR_START_ANGEL = 5,
-	ITA_ATTR_STOP_ANGEL = 6
+	ITA_ATTR_STOP_ANGEL = 6,
+	ITA_ATTR_ECHO = 7
 };
 
 /**
diff --git a/src/libimcv/ita/ita_attr_angel.h b/src/libimcv/ita/ita_attr_angel.h
index c392f7927..d42e7119a 100644
--- a/src/libimcv/ita/ita_attr_angel.h
+++ b/src/libimcv/ita/ita_attr_angel.h
@@ -14,8 +14,8 @@
  */
 
 /**
- * @defgroup ita_attr_angelt ita_attr_angel
- * @{ @ingroup ita_attr_angel
+ * @defgroup ita_attr_angel ita_attr_angel
+ * @{ @ingroup ita_attr
  */
 
 #ifndef ITA_ATTR_ANGEL_H_
diff --git a/src/libimcv/ita/ita_attr_command.h b/src/libimcv/ita/ita_attr_command.h
index 372355197..3926c3887 100644
--- a/src/libimcv/ita/ita_attr_command.h
+++ b/src/libimcv/ita/ita_attr_command.h
@@ -14,8 +14,8 @@
  */
 
 /**
- * @defgroup ita_attr_commandt ita_attr_command
- * @{ @ingroup ita_attr_command
+ * @defgroup ita_attr_command ita_attr_command
+ * @{ @ingroup ita_attr
  */
 
 #ifndef ITA_ATTR_COMMAND_H_
@@ -54,7 +54,7 @@ pa_tnc_attr_t* ita_attr_command_create(char *command);
 /**
  * Creates an ita_attr_command_t object from received data
  *
- * @param command			ITA command string
+ * @param value				binary value blob
  */
 pa_tnc_attr_t* ita_attr_command_create_from_data(chunk_t value);
 
diff --git a/src/libimcv/ita/ita_attr_dummy.h b/src/libimcv/ita/ita_attr_dummy.h
index afd543b52..1f85ece54 100644
--- a/src/libimcv/ita/ita_attr_dummy.h
+++ b/src/libimcv/ita/ita_attr_dummy.h
@@ -14,8 +14,8 @@
  */
 
 /**
- * @defgroup ita_attr_dummyt ita_attr_dummy
- * @{ @ingroup ita_attr_dummy
+ * @defgroup ita_attr_dummy ita_attr_dummy
+ * @{ @ingroup ita_attr
  */
 
 #ifndef ITA_ATTR_DUMMY_H_
@@ -47,14 +47,14 @@ struct ita_attr_dummy_t {
 /**
  * Creates an ita_attr_dummy_t object with a given size
  *
- * @param size				size of dummy attribute value 
+ * @param size				size of dummy attribute value
  */
 pa_tnc_attr_t* ita_attr_dummy_create(int size);
 
 /**
  * Creates an ita_attr_dummy_t object from received data
  *
- * @param command			ITA command string
+ * @param value				binary value blob
  */
 pa_tnc_attr_t* ita_attr_dummy_create_from_data(chunk_t value);
 
diff --git a/src/libimcv/ita/ita_attr_get_settings.c b/src/libimcv/ita/ita_attr_get_settings.c
index 8016b761d..0695af314 100644
--- a/src/libimcv/ita/ita_attr_get_settings.c
+++ b/src/libimcv/ita/ita_attr_get_settings.c
@@ -128,7 +128,7 @@ METHOD(pa_tnc_attr_t, build, void,
 	}
 	enumerator->destroy(enumerator);
 
-	this->value = chunk_clone(writer->get_buf(writer));
+	this->value = writer->extract_buf(writer);
 	writer->destroy(writer);
 }
 
diff --git a/src/libimcv/ita/ita_attr_get_settings.h b/src/libimcv/ita/ita_attr_get_settings.h
index cc5c18140..55306ecc8 100644
--- a/src/libimcv/ita/ita_attr_get_settings.h
+++ b/src/libimcv/ita/ita_attr_get_settings.h
@@ -14,8 +14,8 @@
  */
 
 /**
- * @defgroup ita_attr_get_settingst ita_attr_get_settings
- * @{ @ingroup ita_attr_get_settings
+ * @defgroup ita_attr_get_settings ita_attr_get_settings
+ * @{ @ingroup ita_attr
  */
 
 #ifndef ITA_ATTR_GET_SETTINGS_H_
diff --git a/src/libimcv/ita/ita_attr_settings.c b/src/libimcv/ita/ita_attr_settings.c
index 7941cf69e..9ce253d28 100644
--- a/src/libimcv/ita/ita_attr_settings.c
+++ b/src/libimcv/ita/ita_attr_settings.c
@@ -157,7 +157,7 @@ METHOD(pa_tnc_attr_t, build, void,
 	}
 	enumerator->destroy(enumerator);
 
-	this->value = chunk_clone(writer->get_buf(writer));
+	this->value = writer->extract_buf(writer);
 	writer->destroy(writer);
 }
 
diff --git a/src/libimcv/ita/ita_attr_settings.h b/src/libimcv/ita/ita_attr_settings.h
index f3d1fd438..eb7eedae3 100644
--- a/src/libimcv/ita/ita_attr_settings.h
+++ b/src/libimcv/ita/ita_attr_settings.h
@@ -14,8 +14,8 @@
  */
 
 /**
- * @defgroup ita_attr_settingst ita_attr_settings
- * @{ @ingroup ita_attr_settings
+ * @defgroup ita_attr_settings ita_attr_settings
+ * @{ @ingroup ita_attr
  */
 
 #ifndef ITA_ATTR_SETTINGS_H_
diff --git a/src/libimcv/os_info/os_info.c b/src/libimcv/os_info/os_info.c
index 13374c876..2c49cb01d 100644
--- a/src/libimcv/os_info/os_info.c
+++ b/src/libimcv/os_info/os_info.c
@@ -156,7 +156,7 @@ METHOD(os_info_t, get_uptime, time_t,
 {
 	const char proc_uptime[] = "/proc/uptime";
 	FILE *file;
-	time_t uptime;
+	u_int uptime;
 
 	file = fopen(proc_uptime, "r");
 	if (!file)
diff --git a/src/libimcv/pa_tnc/pa_tnc_attr.h b/src/libimcv/pa_tnc/pa_tnc_attr.h
index 9abdba78c..e2ce06ee4 100644
--- a/src/libimcv/pa_tnc/pa_tnc_attr.h
+++ b/src/libimcv/pa_tnc/pa_tnc_attr.h
@@ -15,7 +15,7 @@
 
 /**
  * @defgroup pa_tnc_attr pa_tnc_attr
- * @{ @ingroup libimcv
+ * @{ @ingroup pa_tnc
  */
 
 #ifndef PA_TNC_ATTR_H_
diff --git a/src/libimcv/pa_tnc/pa_tnc_attr_manager.h b/src/libimcv/pa_tnc/pa_tnc_attr_manager.h
index 40c3ab335..121be7f90 100644
--- a/src/libimcv/pa_tnc/pa_tnc_attr_manager.h
+++ b/src/libimcv/pa_tnc/pa_tnc_attr_manager.h
@@ -15,7 +15,7 @@
 
 /**
  * @defgroup pa_tnc_attr_manager pa_tnc_attr_manager
- * @{ @ingroup libimcv
+ * @{ @ingroup pa_tnc
  */
 
 #ifndef PA_TNC_ATTR_MANAGER_H_
@@ -56,7 +56,7 @@ struct pa_tnc_attr_manager_t {
 	 * Return the PA-TNC attribute names for a given vendor ID
 	 *
 	 * @param vendor_id		Private Enterprise Number (PEN)
-	 * @return 				PA-TNC attribute names if found, NULL else
+	 * @return				PA-TNC attribute names if found, NULL else
 	 */
 	enum_name_t* (*get_names)(pa_tnc_attr_manager_t *this, pen_t vendor_id);
 
@@ -66,7 +66,7 @@ struct pa_tnc_attr_manager_t {
 	 * @param vendor_id		Private Enterprise Number (PEN)
 	 * @param type			PA-TNC attribute type
 	 * @param value			PA-TNC attribute value as encoded data
-	 * @return 				PA-TNC attribute object if supported, NULL else
+	 * @return				PA-TNC attribute object if supported, NULL else
 	 */
 	pa_tnc_attr_t* (*create)(pa_tnc_attr_manager_t *this, pen_t vendor_id,
 							 u_int32_t type, chunk_t value);
diff --git a/src/libimcv/pa_tnc/pa_tnc_msg.c b/src/libimcv/pa_tnc/pa_tnc_msg.c
index 63445f3a1..140463b83 100644
--- a/src/libimcv/pa_tnc/pa_tnc_msg.c
+++ b/src/libimcv/pa_tnc/pa_tnc_msg.c
@@ -194,7 +194,7 @@ METHOD(pa_tnc_msg_t, build, bool,
 	enumerator->destroy(enumerator);
 
 	free(this->encoding.ptr);
-	this->encoding = chunk_clone(writer->get_buf(writer));
+	this->encoding = writer->extract_buf(writer);
 	writer->destroy(writer);
 
 	return TRUE;
@@ -284,6 +284,18 @@ METHOD(pa_tnc_msg_t, process, status_t,
 		}
 		DBG3(DBG_TNC, "%B", &value);
 
+		if (vendor_id == PEN_RESERVED)
+		{
+			error = ietf_attr_pa_tnc_error_create_with_offset(error_code,
+						this->encoding, offset + 1);
+			goto err;
+		}
+		if (type == IETF_ATTR_RESERVED)
+		{
+			error = ietf_attr_pa_tnc_error_create_with_offset(error_code,
+						this->encoding, offset + 4);
+			goto err;
+		}
 		attr = imcv_pa_tnc_attributes->create(imcv_pa_tnc_attributes,
 											  vendor_id, type, value);
 		if (!attr)
diff --git a/src/libimcv/pa_tnc/pa_tnc_msg.h b/src/libimcv/pa_tnc/pa_tnc_msg.h
index 332f2506f..218d3d673 100644
--- a/src/libimcv/pa_tnc/pa_tnc_msg.h
+++ b/src/libimcv/pa_tnc/pa_tnc_msg.h
@@ -15,7 +15,7 @@
 
 /**
  * @defgroup pa_tnc_msg pa_tnc_msg
- * @{ @ingroup libimcv
+ * @{ @ingroup pa_tnc
  */
 
 #ifndef PA_TNC_MSG_H_
diff --git a/src/libimcv/plugins/imc_os/Makefile.in b/src/libimcv/plugins/imc_os/Makefile.in
index 7b871df2a..3f1a5fe32 100644
--- a/src/libimcv/plugins/imc_os/Makefile.in
+++ b/src/libimcv/plugins/imc_os/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.11.3 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
@@ -16,6 +16,23 @@
 @SET_MAKE@
 
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -103,6 +120,11 @@ LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
 	$(LDFLAGS) -o $@
 SOURCES = $(imc_os_la_SOURCES)
 DIST_SOURCES = $(imc_os_la_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
@@ -119,6 +141,8 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -135,6 +159,7 @@ EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
@@ -203,8 +228,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -260,7 +283,6 @@ nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
@@ -340,7 +362,6 @@ $(ACLOCAL_M4):  $(am__aclocal_m4_deps)
 $(am__aclocal_m4_deps):
 install-imcvLTLIBRARIES: $(imcv_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
-	test -z "$(imcvdir)" || $(MKDIR_P) "$(DESTDIR)$(imcvdir)"
 	@list='$(imcv_LTLIBRARIES)'; test -n "$(imcvdir)" || list=; \
 	list2=; for p in $$list; do \
 	  if test -f $$p; then \
@@ -348,6 +369,8 @@ install-imcvLTLIBRARIES: $(imcv_LTLIBRARIES)
 	  else :; fi; \
 	done; \
 	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(imcvdir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(imcvdir)" || exit 1; \
 	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(imcvdir)'"; \
 	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(imcvdir)"; \
 	}
diff --git a/src/libimcv/plugins/imc_os/imc_os_state.h b/src/libimcv/plugins/imc_os/imc_os_state.h
index 1fe23175a..366e2b60c 100644
--- a/src/libimcv/plugins/imc_os/imc_os_state.h
+++ b/src/libimcv/plugins/imc_os/imc_os_state.h
@@ -14,9 +14,11 @@
  */
 
 /**
+ * @defgroup imc_os imc_os
+ * @ingroup libimcv_plugins
  *
  * @defgroup imc_os_state_t imc_os_state
- * @{ @ingroup imc_os_state
+ * @{ @ingroup imc_os
  */
 
 #ifndef IMC_OS_STATE_H_
diff --git a/src/libimcv/plugins/imc_scanner/Makefile.in b/src/libimcv/plugins/imc_scanner/Makefile.in
index c865544f6..bd5e97065 100644
--- a/src/libimcv/plugins/imc_scanner/Makefile.in
+++ b/src/libimcv/plugins/imc_scanner/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.11.3 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
@@ -16,6 +16,23 @@
 @SET_MAKE@
 
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -103,6 +120,11 @@ LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
 	$(LDFLAGS) -o $@
 SOURCES = $(imc_scanner_la_SOURCES)
 DIST_SOURCES = $(imc_scanner_la_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
@@ -119,6 +141,8 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -135,6 +159,7 @@ EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
@@ -203,8 +228,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -260,7 +283,6 @@ nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
@@ -340,7 +362,6 @@ $(ACLOCAL_M4):  $(am__aclocal_m4_deps)
 $(am__aclocal_m4_deps):
 install-imcvLTLIBRARIES: $(imcv_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
-	test -z "$(imcvdir)" || $(MKDIR_P) "$(DESTDIR)$(imcvdir)"
 	@list='$(imcv_LTLIBRARIES)'; test -n "$(imcvdir)" || list=; \
 	list2=; for p in $$list; do \
 	  if test -f $$p; then \
@@ -348,6 +369,8 @@ install-imcvLTLIBRARIES: $(imcv_LTLIBRARIES)
 	  else :; fi; \
 	done; \
 	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(imcvdir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(imcvdir)" || exit 1; \
 	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(imcvdir)'"; \
 	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(imcvdir)"; \
 	}
diff --git a/src/libimcv/plugins/imc_scanner/imc_scanner_state.h b/src/libimcv/plugins/imc_scanner/imc_scanner_state.h
index 76aa4165b..3b40575e3 100644
--- a/src/libimcv/plugins/imc_scanner/imc_scanner_state.h
+++ b/src/libimcv/plugins/imc_scanner/imc_scanner_state.h
@@ -13,9 +13,11 @@
  */
 
 /**
+ * @defgroup imc_scanner imc_scanner
+ * @ingroup libimcv_plugins
  *
  * @defgroup imc_scanner_state_t imc_scanner_state
- * @{ @ingroup imc_scanner_state
+ * @{ @ingroup imc_scanner
  */
 
 #ifndef IMC_SCANNER_STATE_H_
diff --git a/src/libimcv/plugins/imc_test/Makefile.in b/src/libimcv/plugins/imc_test/Makefile.in
index 51878adc0..9e541e0e9 100644
--- a/src/libimcv/plugins/imc_test/Makefile.in
+++ b/src/libimcv/plugins/imc_test/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.11.3 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
@@ -16,6 +16,23 @@
 @SET_MAKE@
 
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -103,6 +120,11 @@ LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
 	$(LDFLAGS) -o $@
 SOURCES = $(imc_test_la_SOURCES)
 DIST_SOURCES = $(imc_test_la_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
@@ -119,6 +141,8 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -135,6 +159,7 @@ EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
@@ -203,8 +228,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -260,7 +283,6 @@ nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
@@ -340,7 +362,6 @@ $(ACLOCAL_M4):  $(am__aclocal_m4_deps)
 $(am__aclocal_m4_deps):
 install-imcvLTLIBRARIES: $(imcv_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
-	test -z "$(imcvdir)" || $(MKDIR_P) "$(DESTDIR)$(imcvdir)"
 	@list='$(imcv_LTLIBRARIES)'; test -n "$(imcvdir)" || list=; \
 	list2=; for p in $$list; do \
 	  if test -f $$p; then \
@@ -348,6 +369,8 @@ install-imcvLTLIBRARIES: $(imcv_LTLIBRARIES)
 	  else :; fi; \
 	done; \
 	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(imcvdir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(imcvdir)" || exit 1; \
 	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(imcvdir)'"; \
 	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(imcvdir)"; \
 	}
diff --git a/src/libimcv/plugins/imc_test/imc_test_state.h b/src/libimcv/plugins/imc_test/imc_test_state.h
index 402fd14b3..5f9ee2537 100644
--- a/src/libimcv/plugins/imc_test/imc_test_state.h
+++ b/src/libimcv/plugins/imc_test/imc_test_state.h
@@ -13,9 +13,11 @@
  */
 
 /**
+ * @defgroup imc_test imc_test
+ * @ingroup libimcv_plugins
  *
  * @defgroup imc_test_state_t imc_test_state
- * @{ @ingroup imc_test_state
+ * @{ @ingroup imc_test
  */
 
 #ifndef IMC_TEST_STATE_H_
diff --git a/src/libimcv/plugins/imv_os/Makefile.in b/src/libimcv/plugins/imv_os/Makefile.in
index 53a547a4d..b4e2a3a4f 100644
--- a/src/libimcv/plugins/imv_os/Makefile.in
+++ b/src/libimcv/plugins/imv_os/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.11.3 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
@@ -17,6 +17,23 @@
 
 
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -110,6 +127,11 @@ LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
 	$(LDFLAGS) -o $@
 SOURCES = $(imv_os_la_SOURCES) $(pacman_SOURCES)
 DIST_SOURCES = $(imv_os_la_SOURCES) $(pacman_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
@@ -126,6 +148,8 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -142,6 +166,7 @@ EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
@@ -210,8 +235,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -267,7 +290,6 @@ nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
@@ -353,7 +375,6 @@ $(ACLOCAL_M4):  $(am__aclocal_m4_deps)
 $(am__aclocal_m4_deps):
 install-imcvLTLIBRARIES: $(imcv_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
-	test -z "$(imcvdir)" || $(MKDIR_P) "$(DESTDIR)$(imcvdir)"
 	@list='$(imcv_LTLIBRARIES)'; test -n "$(imcvdir)" || list=; \
 	list2=; for p in $$list; do \
 	  if test -f $$p; then \
@@ -361,6 +382,8 @@ install-imcvLTLIBRARIES: $(imcv_LTLIBRARIES)
 	  else :; fi; \
 	done; \
 	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(imcvdir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(imcvdir)" || exit 1; \
 	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(imcvdir)'"; \
 	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(imcvdir)"; \
 	}
@@ -386,8 +409,11 @@ imv-os.la: $(imv_os_la_OBJECTS) $(imv_os_la_DEPENDENCIES) $(EXTRA_imv_os_la_DEPE
 	$(imv_os_la_LINK) -rpath $(imcvdir) $(imv_os_la_OBJECTS) $(imv_os_la_LIBADD) $(LIBS)
 install-ipsecPROGRAMS: $(ipsec_PROGRAMS)
 	@$(NORMAL_INSTALL)
-	test -z "$(ipsecdir)" || $(MKDIR_P) "$(DESTDIR)$(ipsecdir)"
 	@list='$(ipsec_PROGRAMS)'; test -n "$(ipsecdir)" || list=; \
+	if test -n "$$list"; then \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(ipsecdir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(ipsecdir)" || exit 1; \
+	fi; \
 	for p in $$list; do echo "$$p $$p"; done | \
 	sed 's/$(EXEEXT)$$//' | \
 	while read p p1; do if test -f $$p || test -f $$p1; \
diff --git a/src/libimcv/plugins/imv_os/imv_os.c b/src/libimcv/plugins/imv_os/imv_os.c
index 65538df07..f1cb74e50 100644
--- a/src/libimcv/plugins/imv_os/imv_os.c
+++ b/src/libimcv/plugins/imv_os/imv_os.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2012 Andreas Steffen
+ * Copyright (C) 2012-2013 Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -360,7 +360,9 @@ static TNC_Result receive_message(imv_state_t *state, imv_msg_t *in_msg)
 		out_msg->add_attribute(out_msg, attr);
 	}
 
-	if (fatal_error)
+	if (fatal_error ||
+	   (os_state->get_attribute_request(os_state) &&
+		os_state->get_info(os_state, NULL, NULL, NULL) == NULL))
 	{
 		state->set_recommendation(state,
 								TNC_IMV_ACTION_RECOMMENDATION_NO_RECOMMENDATION,
@@ -371,10 +373,13 @@ static TNC_Result receive_message(imv_state_t *state, imv_msg_t *in_msg)
 	/* If all Installed Packages attributes were received, go to assessment */
 	if (!assessment &&
 		!os_state->get_package_request(os_state) &&
-		!os_state->get_angel_count(os_state))
+		!os_state->get_angel_count(os_state) &&
+		 os_state->get_info(os_state, NULL, NULL, NULL))
 	{
 		int device_id, count, count_update, count_blacklist, count_ok;
 		u_int os_settings;
+		u_int32_t id_type;
+		chunk_t id_value;
 
 		os_settings = os_state->get_os_settings(os_state);
 		os_state->get_count(os_state, &count, &count_update, &count_blacklist,
@@ -385,9 +390,10 @@ static TNC_Result receive_message(imv_state_t *state, imv_msg_t *in_msg)
 
 		/* Store device information in database */
 		device_id = os_state->get_device_id(os_state);
+		id_value = state->get_ar_id(state, &id_type);
 		if (os_db && device_id)
 		{
-			os_db->set_device_info(os_db, device_id,
+			os_db->set_device_info(os_db, device_id, id_type, id_value,
 						os_state->get_info(os_state, NULL, NULL, NULL),
 						count, count_update, count_blacklist, os_settings);
 		}
@@ -518,6 +524,8 @@ TNC_Result TNC_IMV_BatchEnding(TNC_IMVID imv_id,
 {
 	imv_state_t *state;
 	imv_os_state_t *os_state;
+	TNC_IMV_Action_Recommendation rec;
+	TNC_IMV_Evaluation_Result eval;
 	TNC_Result result = TNC_RESULT_SUCCESS;
 
 	if (!imv_os)
@@ -531,6 +539,18 @@ TNC_Result TNC_IMV_BatchEnding(TNC_IMVID imv_id,
 	}
 	os_state = (imv_os_state_t*)state;
 
+	state->get_recommendation(state, &rec, &eval);
+
+	/*
+	 * Don't send an attribute request if an evaluation is available 
+	 * or if an attribute request has already been sent
+	 */
+	if (eval != TNC_IMV_EVALUATION_RESULT_DONT_KNOW ||
+		os_state->get_attribute_request(os_state))
+	{
+		return TNC_RESULT_SUCCESS;
+	}
+
 	if (os_state->get_info(os_state, NULL, NULL, NULL) == NULL)
 	{
 		imv_msg_t *out_msg;
@@ -548,6 +568,7 @@ TNC_Result TNC_IMV_BatchEnding(TNC_IMVID imv_id,
 		attr_cast->add(attr_cast, PEN_IETF, IETF_ATTR_FORWARDING_ENABLED);
 		attr_cast->add(attr_cast, PEN_IETF, IETF_ATTR_FACTORY_DEFAULT_PWD_ENABLED);
 		out_msg->add_attribute(out_msg, attr);
+		os_state->set_attribute_request(os_state, TRUE);
 
 		/* send PA-TNC message with excl flag not set */
 		result = out_msg->send(out_msg, FALSE);
diff --git a/src/libimcv/plugins/imv_os/imv_os_database.c b/src/libimcv/plugins/imv_os/imv_os_database.c
index c6db9953f..dff414497 100644
--- a/src/libimcv/plugins/imv_os/imv_os_database.c
+++ b/src/libimcv/plugins/imv_os/imv_os_database.c
@@ -214,12 +214,14 @@ METHOD(imv_os_database_t, get_device_id, int,
 }
 
 METHOD(imv_os_database_t, set_device_info, void,
-	private_imv_os_database_t *this,  int device_id, char *os_info,
-	int count, int count_update, int count_blacklist, u_int flags)
+	private_imv_os_database_t *this,  int device_id, u_int32_t ar_id_type,
+	chunk_t ar_id_value, char *os_info, int count, int count_update,
+	int count_blacklist, u_int flags)
 {
 	enumerator_t *e;
 	time_t last_time;
-	int pid = 0, last_pid = 0, last_count_update = 0, last_count_blacklist = 0;
+	int pid = 0, last_pid = 0, iid = 0, last_iid;
+	int last_count_update = 0, last_count_blacklist = 0;
 	u_int last_flags;
 	bool found = FALSE;
 
@@ -233,26 +235,45 @@ METHOD(imv_os_database_t, set_device_info, void,
 		e->destroy(e);
 	}
 
-	/* if OS ifo string has not been found - register it */
+	/* if OS info string has not been found - register it */
 	if (!pid)
 	{
 		this->db->execute(this->db, &pid,
 			"INSERT INTO products (name) VALUES (?)", DB_TEXT, os_info);
 	}
 
+	/* get primary key of AR identity if it exists */
+	e = this->db->query(this->db,
+			"SELECT id FROM identities WHERE type = ? AND data = ?",
+			 DB_INT,  ar_id_type, DB_BLOB, ar_id_value, DB_INT);
+	if (e)
+	{
+		e->enumerate(e, &iid);
+		e->destroy(e);
+	}
+
+	/* if AR identity has not been found - register it */
+	if (!iid)
+	{
+		this->db->execute(this->db, &iid,
+			"INSERT INTO identities (type, data) VALUES (?, ?)",
+			 DB_INT, ar_id_type, DB_BLOB, ar_id_value);
+	}
+
 	/* get latest device info record if it exists */
 	e = this->db->query(this->db,
-			"SELECT time, product, count_update, count_blacklist, flags "
+			"SELECT time, ar_id, product, count_update, count_blacklist, flags "
 			"FROM device_infos WHERE device = ? ORDER BY time DESC",
-			 DB_INT, device_id, DB_UINT, DB_INT, DB_INT, DB_INT, DB_UINT);
+			 DB_INT, device_id, DB_INT, DB_INT, DB_INT, DB_INT, DB_INT, DB_UINT);
 	if (e)
 	{
-		found = e->enumerate(e, &last_time, &last_pid, &last_count_update,
-								&last_count_blacklist, &last_flags);
+		found = e->enumerate(e, &last_time, &last_iid, &last_pid,
+								&last_count_update, &last_count_blacklist,
+								&last_flags);
 		e->destroy(e);
 	}
 	if (found && !last_count_update && !last_count_blacklist && !last_flags &&
-		pid == last_pid)
+		iid == last_iid && pid == last_pid)
 	{
 		/* update device info */
 		this->db->execute(this->db, NULL,
@@ -266,9 +287,10 @@ METHOD(imv_os_database_t, set_device_info, void,
 	{
 		/* insert device info */
 		this->db->execute(this->db, NULL,
-			"INSERT INTO device_infos (device, time, product, count, "
-			"count_update, count_blacklist, flags) VALUES (?, ?, ?, ?, ?, ?, ?)",
-			 DB_INT, device_id, DB_UINT, time(NULL), DB_INT, pid,
+			"INSERT INTO device_infos (device, time, ar_id, product, count, "
+			"count_update, count_blacklist, flags) "
+			"VALUES (?, ?, ?, ?, ?, ?, ?, ?)",
+			 DB_INT, device_id, DB_UINT, time(NULL), DB_INT, iid, DB_INT, pid,
 			 DB_INT, count, DB_INT, count_update, DB_INT, count_blacklist,
 			 DB_UINT, flags);
 	}
diff --git a/src/libimcv/plugins/imv_os/imv_os_database.h b/src/libimcv/plugins/imv_os/imv_os_database.h
index 9ce748f9b..01d7e84a2 100644
--- a/src/libimcv/plugins/imv_os/imv_os_database.h
+++ b/src/libimcv/plugins/imv_os/imv_os_database.h
@@ -14,9 +14,8 @@
  */
 
 /**
- *
  * @defgroup imv_os_database_t imv_os_database
- * @{ @ingroup imv_os_database
+ * @{ @ingroup imv_os
  */
 
 #ifndef IMV_OS_DATABASE_H_
@@ -53,15 +52,18 @@ struct imv_os_database_t {
 	* Set health infos for a given  device
 	*
 	* @param device_id				Device ID primary key
+	* @param ar_id_type				Access Requestor ID Type
+	* @param ar_id_value			Access Requestor ID Value
 	* @param os_info				OS info string
 	* @param count					Number of installed packages
 	* @param count_update			Number of packages to be updated
 	* @param count_blacklist		Number of blacklisted packages
 	* @param flags					Various flags, e.g. illegal OS settings
 	*/
-	void (*set_device_info)(imv_os_database_t *this, int device_id, char *os_info,
-							int count, int count_update, int count_blacklist,
-							u_int flags);
+	void (*set_device_info)(imv_os_database_t *this, int device_id,
+							u_int32_t ar_id_type, chunk_t ar_id_value,
+							char *os_info, int count, int count_update,
+							int count_blacklist, u_int flags);
 
 	/**
 	* Destroys an imv_os_database_t object.
diff --git a/src/libimcv/plugins/imv_os/imv_os_state.c b/src/libimcv/plugins/imv_os/imv_os_state.c
index ca6e050f7..073d7133a 100644
--- a/src/libimcv/plugins/imv_os/imv_os_state.c
+++ b/src/libimcv/plugins/imv_os/imv_os_state.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2012 Andreas Steffen
+ * Copyright (C) 2012-2013 Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -61,6 +61,16 @@ struct private_imv_os_state_t {
 	 */
 	u_int32_t max_msg_len;
 
+	/**
+	 * Access Requestor ID Type
+	 */
+	u_int32_t ar_id_type;
+
+	/**
+	 * Access Requestor ID Value
+	 */
+	chunk_t ar_id_value;
+
 	/**
 	 * IMV action recommendation
 	 */
@@ -136,6 +146,11 @@ struct private_imv_os_state_t {
 	 */
 	int count_ok;
 
+	/**
+	 * Attribute request sent - mandatory response expected
+	 */
+	bool attribute_request;
+
 	/**
 	 * OS Installed Package request sent - mandatory response expected
 	 */
@@ -314,6 +329,23 @@ METHOD(imv_state_t, get_max_msg_len, u_int32_t,
 	return this->max_msg_len;
 }
 
+METHOD(imv_state_t, set_ar_id, void,
+	private_imv_os_state_t *this, u_int32_t id_type, chunk_t id_value)
+{
+	this->ar_id_type = id_type;
+	this->ar_id_value = chunk_clone(id_value);
+}
+
+METHOD(imv_state_t, get_ar_id, chunk_t,
+	private_imv_os_state_t *this, u_int32_t *id_type)
+{
+	if (id_type)
+	{
+		*id_type = this->ar_id_type;
+	}
+	return this->ar_id_value;
+}
+
 METHOD(imv_state_t, change_state, void,
 	private_imv_os_state_t *this, TNC_ConnectionState new_state)
 {
@@ -437,6 +469,7 @@ METHOD(imv_state_t, destroy, void,
 	free(this->info);
 	free(this->name.ptr);
 	free(this->version.ptr);
+	free(this->ar_id_value.ptr);
 	free(this);
 }
 
@@ -506,6 +539,18 @@ METHOD(imv_os_state_t, get_count, void,
 	}
 }
 
+METHOD(imv_os_state_t, set_attribute_request, void,
+	private_imv_os_state_t *this, bool set)
+{
+	this->attribute_request = set;
+}
+
+METHOD(imv_os_state_t, get_attribute_request, bool,
+	private_imv_os_state_t *this)
+{
+	return this->attribute_request;
+}
+
 METHOD(imv_os_state_t, set_package_request, void,
 	private_imv_os_state_t *this, bool set)
 {
@@ -586,6 +631,8 @@ imv_state_t *imv_os_state_create(TNC_ConnectionID connection_id)
 				.set_flags = _set_flags,
 				.set_max_msg_len = _set_max_msg_len,
 				.get_max_msg_len = _get_max_msg_len,
+				.set_ar_id = _set_ar_id,
+				.get_ar_id = _get_ar_id,
 				.change_state = _change_state,
 				.get_recommendation = _get_recommendation,
 				.set_recommendation = _set_recommendation,
@@ -597,6 +644,8 @@ imv_state_t *imv_os_state_create(TNC_ConnectionID connection_id)
 			.get_info = _get_info,
 			.set_count = _set_count,
 			.get_count = _get_count,
+			.set_attribute_request = _set_attribute_request,
+			.get_attribute_request = _get_attribute_request,
 			.set_package_request = _set_package_request,
 			.get_package_request = _get_package_request,
 			.set_device_id = _set_device_id,
diff --git a/src/libimcv/plugins/imv_os/imv_os_state.h b/src/libimcv/plugins/imv_os/imv_os_state.h
index 05abdbb6c..1c2adeaf9 100644
--- a/src/libimcv/plugins/imv_os/imv_os_state.h
+++ b/src/libimcv/plugins/imv_os/imv_os_state.h
@@ -14,9 +14,11 @@
  */
 
 /**
+ * @defgroup imv_os imv_os
+ * @ingroup libimcv_plugins
  *
  * @defgroup imv_os_state_t imv_os_state
- * @{ @ingroup imv_os_state
+ * @{ @ingroup imv_os
  */
 
 #ifndef IMV_OS_STATE_H_
@@ -61,7 +63,7 @@ struct imv_os_state_t {
 	 * @param type			OS type (enumerated)
 	 * @param name			OS name (string)
 	 * @param version		OS version
-	 * @return				OS name & version as a concatenated string 
+	 * @return				OS name & version as a concatenated string
 	 */
 	char* (*get_info)(imv_os_state_t *this, os_type_t *os_type,
 					  chunk_t *name, chunk_t *version);
@@ -87,6 +89,21 @@ struct imv_os_state_t {
 	 */
 	void (*get_count)(imv_os_state_t *this, int *count, int *count_update,
 					  int *count_blacklist, int *count_ok);
+
+	/**
+	 * Set/reset attribute request status
+	 *
+	 * @param set			TRUE to set, FALSE to clear
+	 */
+	void (*set_attribute_request)(imv_os_state_t *this, bool set);
+
+	/**
+	 * Get attribute request status
+	 *
+	 * @return				TRUE if set, FALSE if unset
+	 */
+	bool (*get_attribute_request)(imv_os_state_t *this);
+
 	/**
 	 * Set/reset OS Installed Packages request status
 	 *
diff --git a/src/libimcv/plugins/imv_os/pacman.c b/src/libimcv/plugins/imv_os/pacman.c
index f5f52885d..25e63760b 100644
--- a/src/libimcv/plugins/imv_os/pacman.c
+++ b/src/libimcv/plugins/imv_os/pacman.c
@@ -131,6 +131,7 @@ static void process_packages(char *filename, char *product, bool update)
 	char *uri, line[12288], *pos;
 	int count = 0, errored = 0, vulnerable = 0, new_packages = 0;
 	int new_versions = 0, updated_versions = 0, deleted_versions = 0;
+	time_t gen_time;
 	u_int32_t pid = 0;
 	enumerator_t *e;
 	database_t *db;
@@ -192,7 +193,7 @@ static void process_packages(char *filename, char *product, bool update)
 		bool security, add_version = TRUE;
 		int cur_security, security_update = 0, security_delete = 0;
 		u_int32_t gid = 0, vid = 0, vid_update = 0, vid_delete = 0;
-		time_t gen_time, cur_time;
+		time_t cur_time;
 
 		count++;
 		if (count == 1)
diff --git a/src/libimcv/plugins/imv_scanner/Makefile.in b/src/libimcv/plugins/imv_scanner/Makefile.in
index da797a9b0..8a4460bee 100644
--- a/src/libimcv/plugins/imv_scanner/Makefile.in
+++ b/src/libimcv/plugins/imv_scanner/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.11.3 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
@@ -16,6 +16,23 @@
 @SET_MAKE@
 
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -103,6 +120,11 @@ LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
 	$(LDFLAGS) -o $@
 SOURCES = $(imv_scanner_la_SOURCES)
 DIST_SOURCES = $(imv_scanner_la_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
@@ -119,6 +141,8 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -135,6 +159,7 @@ EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
@@ -203,8 +228,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -260,7 +283,6 @@ nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
@@ -340,7 +362,6 @@ $(ACLOCAL_M4):  $(am__aclocal_m4_deps)
 $(am__aclocal_m4_deps):
 install-imcvLTLIBRARIES: $(imcv_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
-	test -z "$(imcvdir)" || $(MKDIR_P) "$(DESTDIR)$(imcvdir)"
 	@list='$(imcv_LTLIBRARIES)'; test -n "$(imcvdir)" || list=; \
 	list2=; for p in $$list; do \
 	  if test -f $$p; then \
@@ -348,6 +369,8 @@ install-imcvLTLIBRARIES: $(imcv_LTLIBRARIES)
 	  else :; fi; \
 	done; \
 	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(imcvdir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(imcvdir)" || exit 1; \
 	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(imcvdir)'"; \
 	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(imcvdir)"; \
 	}
diff --git a/src/libimcv/plugins/imv_scanner/imv_scanner_state.c b/src/libimcv/plugins/imv_scanner/imv_scanner_state.c
index 108e5ff6f..2123af7a8 100644
--- a/src/libimcv/plugins/imv_scanner/imv_scanner_state.c
+++ b/src/libimcv/plugins/imv_scanner/imv_scanner_state.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2011-2012 Andreas Steffen
+ * Copyright (C) 2011-2013 Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -58,6 +58,16 @@ struct private_imv_scanner_state_t {
 	 */
 	u_int32_t max_msg_len;
 
+	/**
+	 * Access Requestor ID Type
+	 */
+	u_int32_t ar_id_type;
+
+	/**
+	 * Access Requestor ID Value
+	 */
+	chunk_t ar_id_value;
+
 	/**
 	 * IMV action recommendation
 	 */
@@ -165,6 +175,23 @@ METHOD(imv_state_t, get_max_msg_len, u_int32_t,
 	return this->max_msg_len;
 }
 
+METHOD(imv_state_t, set_ar_id, void,
+	private_imv_scanner_state_t *this, u_int32_t id_type, chunk_t id_value)
+{
+	this->ar_id_type = id_type;
+	this->ar_id_value = chunk_clone(id_value);
+}
+
+METHOD(imv_state_t, get_ar_id, chunk_t,
+	private_imv_scanner_state_t *this, u_int32_t *id_type)
+{
+	if (id_type)
+	{
+		*id_type = this->ar_id_type;
+	}
+	return this->ar_id_value;
+}
+
 METHOD(imv_state_t, change_state, void,
 	private_imv_scanner_state_t *this, TNC_ConnectionState new_state)
 {
@@ -241,6 +268,7 @@ METHOD(imv_state_t, destroy, void,
 	DESTROY_IF(this->reason_string);
 	DESTROY_IF(this->remediation_string);
 	this->violating_ports->destroy_function(this->violating_ports, free);
+	free(this->ar_id_value.ptr);
 	free(this);
 }
 
@@ -266,6 +294,8 @@ imv_state_t *imv_scanner_state_create(TNC_ConnectionID connection_id)
 				.set_flags = _set_flags,
 				.set_max_msg_len = _set_max_msg_len,
 				.get_max_msg_len = _get_max_msg_len,
+				.set_ar_id = _set_ar_id,
+				.get_ar_id = _get_ar_id,
 				.change_state = _change_state,
 				.get_recommendation = _get_recommendation,
 				.set_recommendation = _set_recommendation,
diff --git a/src/libimcv/plugins/imv_scanner/imv_scanner_state.h b/src/libimcv/plugins/imv_scanner/imv_scanner_state.h
index 9a0930396..a15eb0778 100644
--- a/src/libimcv/plugins/imv_scanner/imv_scanner_state.h
+++ b/src/libimcv/plugins/imv_scanner/imv_scanner_state.h
@@ -13,9 +13,11 @@
  */
 
 /**
+ * @defgroup imv_scanner imv_scanner
+ * @ingroup libimcv_plugins
  *
  * @defgroup imv_scanner_state_t imv_scanner_state
- * @{ @ingroup imv_scanner_state
+ * @{ @ingroup imv_scanner
  */
 
 #ifndef IMV_SCANNER_STATE_H_
diff --git a/src/libimcv/plugins/imv_test/Makefile.in b/src/libimcv/plugins/imv_test/Makefile.in
index 04b750973..946fffc45 100644
--- a/src/libimcv/plugins/imv_test/Makefile.in
+++ b/src/libimcv/plugins/imv_test/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.11.3 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
@@ -16,6 +16,23 @@
 @SET_MAKE@
 
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -103,6 +120,11 @@ LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
 	$(LDFLAGS) -o $@
 SOURCES = $(imv_test_la_SOURCES)
 DIST_SOURCES = $(imv_test_la_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
@@ -119,6 +141,8 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -135,6 +159,7 @@ EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
@@ -203,8 +228,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -260,7 +283,6 @@ nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
@@ -340,7 +362,6 @@ $(ACLOCAL_M4):  $(am__aclocal_m4_deps)
 $(am__aclocal_m4_deps):
 install-imcvLTLIBRARIES: $(imcv_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
-	test -z "$(imcvdir)" || $(MKDIR_P) "$(DESTDIR)$(imcvdir)"
 	@list='$(imcv_LTLIBRARIES)'; test -n "$(imcvdir)" || list=; \
 	list2=; for p in $$list; do \
 	  if test -f $$p; then \
@@ -348,6 +369,8 @@ install-imcvLTLIBRARIES: $(imcv_LTLIBRARIES)
 	  else :; fi; \
 	done; \
 	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(imcvdir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(imcvdir)" || exit 1; \
 	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(imcvdir)'"; \
 	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(imcvdir)"; \
 	}
diff --git a/src/libimcv/plugins/imv_test/imv_test_state.c b/src/libimcv/plugins/imv_test/imv_test_state.c
index 9b9344bf6..41da44d67 100644
--- a/src/libimcv/plugins/imv_test/imv_test_state.c
+++ b/src/libimcv/plugins/imv_test/imv_test_state.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2011-2012 Andreas Steffen
+ * Copyright (C) 2011-2013 Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -58,6 +58,16 @@ struct private_imv_test_state_t {
 	 */
 	u_int32_t max_msg_len;
 
+	/**
+	 * Access Requestor ID Type
+	 */
+	u_int32_t ar_id_type;
+
+	/**
+	 * Access Requestor ID Value
+	 */
+	chunk_t ar_id_value;
+
 	/**
 	 * IMV action recommendation
 	 */
@@ -143,6 +153,23 @@ METHOD(imv_state_t, get_max_msg_len, u_int32_t,
 	return this->max_msg_len;
 }
 
+METHOD(imv_state_t, set_ar_id, void,
+	private_imv_test_state_t *this, u_int32_t id_type, chunk_t id_value)
+{
+	this->ar_id_type = id_type;
+	this->ar_id_value = chunk_clone(id_value);
+}
+
+METHOD(imv_state_t, get_ar_id, chunk_t,
+	private_imv_test_state_t *this, u_int32_t *id_type)
+{
+	if (id_type)
+	{
+		*id_type = this->ar_id_type;
+	}
+	return this->ar_id_value;
+}
+
 METHOD(imv_state_t, change_state, void,
 	private_imv_test_state_t *this, TNC_ConnectionState new_state)
 {
@@ -193,6 +220,7 @@ METHOD(imv_state_t, destroy, void,
 {
 	DESTROY_IF(this->reason_string);
 	this->imcs->destroy_function(this->imcs, free);
+	free(this->ar_id_value.ptr);
 	free(this);
 }
 
@@ -277,6 +305,8 @@ imv_state_t *imv_test_state_create(TNC_ConnectionID connection_id)
 				.set_flags = _set_flags,
 				.set_max_msg_len = _set_max_msg_len,
 				.get_max_msg_len = _get_max_msg_len,
+				.set_ar_id = _set_ar_id,
+				.get_ar_id = _get_ar_id,
 				.change_state = _change_state,
 				.get_recommendation = _get_recommendation,
 				.set_recommendation = _set_recommendation,
diff --git a/src/libimcv/plugins/imv_test/imv_test_state.h b/src/libimcv/plugins/imv_test/imv_test_state.h
index af78d1470..2de5b6ffc 100644
--- a/src/libimcv/plugins/imv_test/imv_test_state.h
+++ b/src/libimcv/plugins/imv_test/imv_test_state.h
@@ -13,9 +13,11 @@
  */
 
 /**
+ * @defgroup imv_test imv_test
+ * @ingroup libimcv_plugins
  *
  * @defgroup imv_test_state_t imv_test_state
- * @{ @ingroup imv_test_state
+ * @{ @ingroup imv_test
  */
 
 #ifndef IMV_TEST_STATE_H_
diff --git a/src/libipsec/Android.mk b/src/libipsec/Android.mk
index 81f4632ef..37f400fc3 100644
--- a/src/libipsec/Android.mk
+++ b/src/libipsec/Android.mk
@@ -2,7 +2,7 @@ LOCAL_PATH := $(call my-dir)
 include $(CLEAR_VARS)
 
 # copy-n-paste from Makefile.am
-LOCAL_SRC_FILES := \
+libipsec_la_SOURCES := \
 ipsec.c ipsec.h \
 esp_context.c esp_context.h \
 esp_packet.c esp_packet.h \
@@ -15,6 +15,8 @@ ipsec_processor.c ipsec_processor.h \
 ipsec_sa.c ipsec_sa.h \
 ipsec_sa_mgr.c ipsec_sa_mgr.h
 
+LOCAL_SRC_FILES := $(filter %.c,$(libipsec_la_SOURCES))
+
 # build libipsec ---------------------------------------------------------------
 
 LOCAL_C_INCLUDES += \
diff --git a/src/libipsec/Makefile.in b/src/libipsec/Makefile.in
index 628857cbe..7a64713a7 100644
--- a/src/libipsec/Makefile.in
+++ b/src/libipsec/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.11.3 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
@@ -16,6 +16,23 @@
 @SET_MAKE@
 
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -109,6 +126,11 @@ RECURSIVE_TARGETS = all-recursive check-recursive dvi-recursive \
 	install-pdf-recursive install-ps-recursive install-recursive \
 	installcheck-recursive installdirs-recursive pdf-recursive \
 	ps-recursive uninstall-recursive
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 RECURSIVE_CLEAN_TARGETS = mostlyclean-recursive clean-recursive	\
   distclean-recursive maintainer-clean-recursive
 AM_RECURSIVE_TARGETS = $(RECURSIVE_TARGETS:-recursive=) \
@@ -156,6 +178,8 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -172,6 +196,7 @@ EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
@@ -240,8 +265,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -297,7 +320,6 @@ nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
@@ -391,7 +413,6 @@ $(ACLOCAL_M4):  $(am__aclocal_m4_deps)
 $(am__aclocal_m4_deps):
 install-ipseclibLTLIBRARIES: $(ipseclib_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
-	test -z "$(ipseclibdir)" || $(MKDIR_P) "$(DESTDIR)$(ipseclibdir)"
 	@list='$(ipseclib_LTLIBRARIES)'; test -n "$(ipseclibdir)" || list=; \
 	list2=; for p in $$list; do \
 	  if test -f $$p; then \
@@ -399,6 +420,8 @@ install-ipseclibLTLIBRARIES: $(ipseclib_LTLIBRARIES)
 	  else :; fi; \
 	done; \
 	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(ipseclibdir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(ipseclibdir)" || exit 1; \
 	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(ipseclibdir)'"; \
 	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(ipseclibdir)"; \
 	}
@@ -634,13 +657,10 @@ distdir: $(DISTFILES)
 	done
 	@list='$(DIST_SUBDIRS)'; for subdir in $$list; do \
 	  if test "$$subdir" = .; then :; else \
-	    test -d "$(distdir)/$$subdir" \
-	    || $(MKDIR_P) "$(distdir)/$$subdir" \
-	    || exit 1; \
-	  fi; \
-	done
-	@list='$(DIST_SUBDIRS)'; for subdir in $$list; do \
-	  if test "$$subdir" = .; then :; else \
+	    $(am__make_dryrun) \
+	      || test -d "$(distdir)/$$subdir" \
+	      || $(MKDIR_P) "$(distdir)/$$subdir" \
+	      || exit 1; \
 	    dir1=$$subdir; dir2="$(distdir)/$$subdir"; \
 	    $(am__relativize); \
 	    new_distdir=$$reldir; \
diff --git a/src/libipsec/esp_packet.c b/src/libipsec/esp_packet.c
index 16cc687ef..43a3c2a97 100644
--- a/src/libipsec/esp_packet.c
+++ b/src/libipsec/esp_packet.c
@@ -97,6 +97,18 @@ METHOD(packet_t, set_data, void,
 	return this->packet->set_data(this->packet, data);
 }
 
+METHOD(packet_t, get_dscp, u_int8_t,
+	private_esp_packet_t *this)
+{
+	return this->packet->get_dscp(this->packet);
+}
+
+METHOD(packet_t, set_dscp, void,
+	private_esp_packet_t *this, u_int8_t value)
+{
+	this->packet->set_dscp(this->packet, value);
+}
+
 METHOD(packet_t, skip_bytes, void,
 	private_esp_packet_t *this, size_t bytes)
 {
@@ -411,6 +423,8 @@ static private_esp_packet_t *esp_packet_create_internal(packet_t *packet)
 				.get_destination = _get_destination,
 				.get_data = _get_data,
 				.set_data = _set_data,
+				.get_dscp = _get_dscp,
+				.set_dscp = _set_dscp,
 				.skip_bytes = _skip_bytes,
 				.clone = _clone,
 				.destroy = _destroy,
diff --git a/src/libipsec/ip_packet.c b/src/libipsec/ip_packet.c
index 5c8cc2e3e..d08e09057 100644
--- a/src/libipsec/ip_packet.c
+++ b/src/libipsec/ip_packet.c
@@ -19,6 +19,7 @@
 #include <library.h>
 #include <utils/debug.h>
 
+#include <sys/types.h>
 #include <netinet/in.h>
 #include <netinet/ip.h>
 #ifdef HAVE_NETINET_IP6_H
diff --git a/src/libipsec/ipsec_processor.c b/src/libipsec/ipsec_processor.c
index 66f43a408..e142157f8 100644
--- a/src/libipsec/ipsec_processor.c
+++ b/src/libipsec/ipsec_processor.c
@@ -196,7 +196,7 @@ static job_requeue_t process_outbound(private_ipsec_processor_t *this)
 	policy = ipsec->policies->find_by_packet(ipsec->policies, packet, FALSE);
 	if (!policy)
 	{
-		DBG1(DBG_ESP, "no matching outbound IPsec policy for %H == %H",
+		DBG2(DBG_ESP, "no matching outbound IPsec policy for %H == %H",
 			 packet->get_source(packet), packet->get_destination(packet));
 		packet->destroy(packet);
 		return JOB_REQUEUE_DIRECT;
diff --git a/src/libpts/Makefile.in b/src/libpts/Makefile.in
index d275a8b2b..1420a95dc 100644
--- a/src/libpts/Makefile.in
+++ b/src/libpts/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.11.3 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
@@ -16,6 +16,23 @@
 @SET_MAKE@
 
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -128,6 +145,11 @@ RECURSIVE_TARGETS = all-recursive check-recursive dvi-recursive \
 	install-pdf-recursive install-ps-recursive install-recursive \
 	installcheck-recursive installdirs-recursive pdf-recursive \
 	ps-recursive uninstall-recursive
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 RECURSIVE_CLEAN_TARGETS = mostlyclean-recursive clean-recursive	\
   distclean-recursive maintainer-clean-recursive
 AM_RECURSIVE_TARGETS = $(RECURSIVE_TARGETS:-recursive=) \
@@ -175,6 +197,8 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -191,6 +215,7 @@ EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
@@ -259,8 +284,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -316,7 +339,6 @@ nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
@@ -434,7 +456,6 @@ $(ACLOCAL_M4):  $(am__aclocal_m4_deps)
 $(am__aclocal_m4_deps):
 install-ipseclibLTLIBRARIES: $(ipseclib_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
-	test -z "$(ipseclibdir)" || $(MKDIR_P) "$(DESTDIR)$(ipseclibdir)"
 	@list='$(ipseclib_LTLIBRARIES)'; test -n "$(ipseclibdir)" || list=; \
 	list2=; for p in $$list; do \
 	  if test -f $$p; then \
@@ -442,6 +463,8 @@ install-ipseclibLTLIBRARIES: $(ipseclib_LTLIBRARIES)
 	  else :; fi; \
 	done; \
 	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(ipseclibdir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(ipseclibdir)" || exit 1; \
 	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(ipseclibdir)'"; \
 	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(ipseclibdir)"; \
 	}
@@ -956,13 +979,10 @@ distdir: $(DISTFILES)
 	done
 	@list='$(DIST_SUBDIRS)'; for subdir in $$list; do \
 	  if test "$$subdir" = .; then :; else \
-	    test -d "$(distdir)/$$subdir" \
-	    || $(MKDIR_P) "$(distdir)/$$subdir" \
-	    || exit 1; \
-	  fi; \
-	done
-	@list='$(DIST_SUBDIRS)'; for subdir in $$list; do \
-	  if test "$$subdir" = .; then :; else \
+	    $(am__make_dryrun) \
+	      || test -d "$(distdir)/$$subdir" \
+	      || $(MKDIR_P) "$(distdir)/$$subdir" \
+	      || exit 1; \
 	    dir1=$$subdir; dir2="$(distdir)/$$subdir"; \
 	    $(am__relativize); \
 	    new_distdir=$$reldir; \
diff --git a/src/libpts/libpts.h b/src/libpts/libpts.h
index 7b2959728..0846aaea2 100644
--- a/src/libpts/libpts.h
+++ b/src/libpts/libpts.h
@@ -15,7 +15,7 @@
 /**
  * @defgroup libpts libpts
  *
- * @defgroup iplugins plugins
+ * @defgroup libpts_plugins plugins
  * @ingroup libpts
  *
  * @addtogroup libpts
diff --git a/src/libpts/plugins/imc_attestation/Makefile.in b/src/libpts/plugins/imc_attestation/Makefile.in
index 15028d677..181dbc272 100644
--- a/src/libpts/plugins/imc_attestation/Makefile.in
+++ b/src/libpts/plugins/imc_attestation/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.11.3 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
@@ -16,6 +16,23 @@
 @SET_MAKE@
 
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -106,6 +123,11 @@ LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
 	$(LDFLAGS) -o $@
 SOURCES = $(imc_attestation_la_SOURCES)
 DIST_SOURCES = $(imc_attestation_la_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
@@ -122,6 +144,8 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -138,6 +162,7 @@ EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
@@ -206,8 +231,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -263,7 +286,6 @@ nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
@@ -347,7 +369,6 @@ $(ACLOCAL_M4):  $(am__aclocal_m4_deps)
 $(am__aclocal_m4_deps):
 install-imcvLTLIBRARIES: $(imcv_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
-	test -z "$(imcvdir)" || $(MKDIR_P) "$(DESTDIR)$(imcvdir)"
 	@list='$(imcv_LTLIBRARIES)'; test -n "$(imcvdir)" || list=; \
 	list2=; for p in $$list; do \
 	  if test -f $$p; then \
@@ -355,6 +376,8 @@ install-imcvLTLIBRARIES: $(imcv_LTLIBRARIES)
 	  else :; fi; \
 	done; \
 	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(imcvdir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(imcvdir)" || exit 1; \
 	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(imcvdir)'"; \
 	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(imcvdir)"; \
 	}
diff --git a/src/libpts/plugins/imc_attestation/imc_attestation_process.h b/src/libpts/plugins/imc_attestation/imc_attestation_process.h
index 5ada104fa..a2f1b4e3c 100644
--- a/src/libpts/plugins/imc_attestation/imc_attestation_process.h
+++ b/src/libpts/plugins/imc_attestation/imc_attestation_process.h
@@ -14,9 +14,8 @@
  */
 
 /**
- *
  * @defgroup imc_attestation_process_t imc_attestation_process
- * @{ @ingroup imc_attestation_process
+ * @{ @ingroup imc_attestation
  */
 
 #ifndef IMC_ATTESTATION_PROCESS_H_
diff --git a/src/libpts/plugins/imc_attestation/imc_attestation_state.h b/src/libpts/plugins/imc_attestation/imc_attestation_state.h
index e4fca71bb..4b93931c3 100644
--- a/src/libpts/plugins/imc_attestation/imc_attestation_state.h
+++ b/src/libpts/plugins/imc_attestation/imc_attestation_state.h
@@ -14,9 +14,11 @@
  */
 
 /**
+ * @defgroup imc_attestation imc_attestation
+ * @ingroup libpts_plugins
  *
  * @defgroup imc_attestation_state_t imc_attestation_state
- * @{ @ingroup imc_attestation_state
+ * @{ @ingroup imc_attestation
  */
 
 #ifndef IMC_ATTESTATION_STATE_H_
diff --git a/src/libpts/plugins/imv_attestation/Makefile.in b/src/libpts/plugins/imv_attestation/Makefile.in
index 59ef5311e..2e75807b4 100644
--- a/src/libpts/plugins/imv_attestation/Makefile.in
+++ b/src/libpts/plugins/imv_attestation/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.11.3 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
@@ -17,6 +17,23 @@
 
 
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -116,6 +133,11 @@ LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
 	$(LDFLAGS) -o $@
 SOURCES = $(imv_attestation_la_SOURCES) $(attest_SOURCES)
 DIST_SOURCES = $(imv_attestation_la_SOURCES) $(attest_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
@@ -132,6 +154,8 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -148,6 +172,7 @@ EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
@@ -216,8 +241,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -273,7 +296,6 @@ nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
@@ -373,7 +395,6 @@ $(ACLOCAL_M4):  $(am__aclocal_m4_deps)
 $(am__aclocal_m4_deps):
 install-imcvLTLIBRARIES: $(imcv_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
-	test -z "$(imcvdir)" || $(MKDIR_P) "$(DESTDIR)$(imcvdir)"
 	@list='$(imcv_LTLIBRARIES)'; test -n "$(imcvdir)" || list=; \
 	list2=; for p in $$list; do \
 	  if test -f $$p; then \
@@ -381,6 +402,8 @@ install-imcvLTLIBRARIES: $(imcv_LTLIBRARIES)
 	  else :; fi; \
 	done; \
 	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(imcvdir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(imcvdir)" || exit 1; \
 	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(imcvdir)'"; \
 	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(imcvdir)"; \
 	}
@@ -406,8 +429,11 @@ imv-attestation.la: $(imv_attestation_la_OBJECTS) $(imv_attestation_la_DEPENDENC
 	$(imv_attestation_la_LINK) -rpath $(imcvdir) $(imv_attestation_la_OBJECTS) $(imv_attestation_la_LIBADD) $(LIBS)
 install-ipsecPROGRAMS: $(ipsec_PROGRAMS)
 	@$(NORMAL_INSTALL)
-	test -z "$(ipsecdir)" || $(MKDIR_P) "$(DESTDIR)$(ipsecdir)"
 	@list='$(ipsec_PROGRAMS)'; test -n "$(ipsecdir)" || list=; \
+	if test -n "$$list"; then \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(ipsecdir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(ipsecdir)" || exit 1; \
+	fi; \
 	for p in $$list; do echo "$$p $$p"; done | \
 	sed 's/$(EXEEXT)$$//' | \
 	while read p p1; do if test -f $$p || test -f $$p1; \
diff --git a/src/libpts/plugins/imv_attestation/attest_db.c b/src/libpts/plugins/imv_attestation/attest_db.c
index 91e9766d0..81445acbf 100644
--- a/src/libpts/plugins/imv_attestation/attest_db.c
+++ b/src/libpts/plugins/imv_attestation/attest_db.c
@@ -804,26 +804,28 @@ METHOD(attest_db_t, list_components, void,
 METHOD(attest_db_t, list_devices, void,
 	private_attest_db_t *this)
 {
-	enumerator_t *e;
-	chunk_t value;
+	enumerator_t *e, *e_ar;
+	chunk_t value, ar_id_value = chunk_empty;
 	char *product;
 	time_t timestamp;
-	int id, last_id = 0, device_count = 0;
+	int id, last_id = 0, ar_id = 0, last_ar_id = 0, device_count = 0;
 	int count, count_update, count_blacklist;
+	u_int32_t ar_id_type;
 	u_int tstamp, flags = 0;
 
 	e = this->db->query(this->db,
 			"SELECT d.id, d.value, i.time, i.count, i.count_update, "
-			"i.count_blacklist, i.flags, p.name FROM devices AS d "
+			"i.count_blacklist, i.flags, i.ar_id, p.name FROM devices AS d "
 			"JOIN device_infos AS i ON d.id = i.device "
 			"JOIN products AS p ON p.id = i.product "
 			"ORDER BY d.value, i.time DESC",
-			 DB_INT, DB_BLOB, DB_UINT, DB_INT, DB_INT, DB_INT, DB_UINT, DB_TEXT);
+			 DB_INT, DB_BLOB, DB_UINT, DB_INT, DB_INT, DB_INT, DB_UINT,
+			 DB_INT, DB_TEXT);
 
 	if (e)
 	{
 		while (e->enumerate(e, &id, &value, &tstamp, &count, &count_update,
-							   &count_blacklist, &flags, &product))
+							   &count_blacklist, &flags, &ar_id, &product))
 		{
 			if (id != last_id)
 			{
@@ -832,10 +834,32 @@ METHOD(attest_db_t, list_devices, void,
 				last_id = id;
 			}
 			timestamp = tstamp;
-			printf("      %T, %4d, %3d, %3d, %1u, '%s'\n", &timestamp, this->utc,
+			printf("      %T, %4d, %3d, %3d, %1u, '%s'", &timestamp, this->utc,
 				   count, count_update, count_blacklist, flags, product);
+			if (ar_id)
+			{
+				if (ar_id != last_ar_id)
+				{
+					chunk_free(&ar_id_value);
+					e_ar = this->db->query(this->db,
+								"SELECT type, data FROM identities "
+								"WHERE id = ?", DB_INT, ar_id, DB_INT, DB_BLOB);
+					if (e_ar)
+					{
+						e_ar->enumerate(e_ar, &ar_id_type, &ar_id_value);
+						e_ar->destroy(e_ar);
+					}
+				}
+				if (ar_id_value.len)
+				{
+					printf(" %.*s", (int)ar_id_value.len, ar_id_value.ptr);
+				}
+			}
+			printf("\n");
 		}
 		e->destroy(e);
+		free(ar_id_value.ptr);
+
 		printf("%d device%s found\n", device_count,
 									 (device_count == 1) ? "" : "s");
 	}
diff --git a/src/libpts/plugins/imv_attestation/attest_db.h b/src/libpts/plugins/imv_attestation/attest_db.h
index e2297d0c4..a20023fcd 100644
--- a/src/libpts/plugins/imv_attestation/attest_db.h
+++ b/src/libpts/plugins/imv_attestation/attest_db.h
@@ -14,9 +14,8 @@
  */
 
 /**
- *
  * @defgroup attest_db_t attest_db
- * @{ @ingroup attest_db
+ * @{ @ingroup libpts
  */
 
 #ifndef ATTEST_DB_H_
diff --git a/src/libpts/plugins/imv_attestation/imv_attestation_build.h b/src/libpts/plugins/imv_attestation/imv_attestation_build.h
index 0fc10f0ce..108f6f923 100644
--- a/src/libpts/plugins/imv_attestation/imv_attestation_build.h
+++ b/src/libpts/plugins/imv_attestation/imv_attestation_build.h
@@ -14,9 +14,8 @@
  */
 
 /**
- *
  * @defgroup imv_attestation_build_t imv_attestation_build
- * @{ @ingroup imv_attestation_build
+ * @{ @ingroup imv_attestation
  */
 
 #ifndef IMV_ATTESTATION_BUILD_H_
diff --git a/src/libpts/plugins/imv_attestation/imv_attestation_process.h b/src/libpts/plugins/imv_attestation/imv_attestation_process.h
index 73b4251e0..74e4644b4 100644
--- a/src/libpts/plugins/imv_attestation/imv_attestation_process.h
+++ b/src/libpts/plugins/imv_attestation/imv_attestation_process.h
@@ -14,9 +14,8 @@
  */
 
 /**
- *
  * @defgroup imv_attestation_process_t imv_attestation_process
- * @{ @ingroup imv_attestation_process
+ * @{ @ingroup imv_attestation
  */
 
 #ifndef IMV_ATTESTATION_PROCESS_H_
diff --git a/src/libpts/plugins/imv_attestation/imv_attestation_state.c b/src/libpts/plugins/imv_attestation/imv_attestation_state.c
index 93da9aee5..fc4246614 100644
--- a/src/libpts/plugins/imv_attestation/imv_attestation_state.c
+++ b/src/libpts/plugins/imv_attestation/imv_attestation_state.c
@@ -1,5 +1,6 @@
 /*
- * Copyright (C) 2011-2012 Sansar Choinyambuu, Andreas Steffen
+ * Copyright (C) 2011-2012 Sansar Choinyambuu
+ * Copyright (C) 2011-2013 Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -62,6 +63,16 @@ struct private_imv_attestation_state_t {
 	 */
 	u_int32_t max_msg_len;
 
+	/**
+	 * Access Requestor ID Type
+	 */
+	u_int32_t ar_id_type;
+
+	/**
+	 * Access Requestor ID Value
+	 */
+	chunk_t ar_id_value;
+
 	/**
 	 * IMV Attestation handshake state
 	 */
@@ -215,6 +226,23 @@ METHOD(imv_state_t, get_max_msg_len, u_int32_t,
 	return this->max_msg_len;
 }
 
+METHOD(imv_state_t, set_ar_id, void,
+	private_imv_attestation_state_t *this, u_int32_t id_type, chunk_t id_value)
+{
+	this->ar_id_type = id_type;
+	this->ar_id_value = chunk_clone(id_value);
+}
+
+METHOD(imv_state_t, get_ar_id, chunk_t,
+	private_imv_attestation_state_t *this, u_int32_t *id_type)
+{
+	if (id_type)
+	{
+		*id_type = this->ar_id_type;
+	}
+	return this->ar_id_value;
+}
+
 METHOD(imv_state_t, change_state, void,
 	private_imv_attestation_state_t *this, TNC_ConnectionState new_state)
 {
@@ -292,6 +320,7 @@ METHOD(imv_state_t, destroy, void,
 	this->file_meas_requests->destroy_function(this->file_meas_requests, free);
 	this->components->destroy_function(this->components, (void *)free_func_comp);
 	this->pts->destroy(this->pts);
+	free(this->ar_id_value.ptr);
 	free(this);
 }
 
@@ -479,6 +508,8 @@ imv_state_t *imv_attestation_state_create(TNC_ConnectionID connection_id)
 				.set_flags = _set_flags,
 				.set_max_msg_len = _set_max_msg_len,
 				.get_max_msg_len = _get_max_msg_len,
+				.set_ar_id = _set_ar_id,
+				.get_ar_id = _get_ar_id,
 				.change_state = _change_state,
 				.get_recommendation = _get_recommendation,
 				.set_recommendation = _set_recommendation,
diff --git a/src/libpts/plugins/imv_attestation/imv_attestation_state.h b/src/libpts/plugins/imv_attestation/imv_attestation_state.h
index f64314e71..ab77d3042 100644
--- a/src/libpts/plugins/imv_attestation/imv_attestation_state.h
+++ b/src/libpts/plugins/imv_attestation/imv_attestation_state.h
@@ -14,9 +14,11 @@
  */
 
 /**
+ * @defgroup imv_attestation imv_attestation
+ * @ingroup libpts_plugins
  *
  * @defgroup imv_attestation_state_t imv_attestation_state
- * @{ @ingroup imv_attestation_state
+ * @{ @ingroup imv_attestation
  */
 
 #ifndef IMV_ATTESTATION_STATE_H_
@@ -73,7 +75,7 @@ struct imv_attestation_state_t {
 	 */
 	imv_attestation_handshake_state_t (*get_handshake_state)(
 		imv_attestation_state_t *this);
-	
+
 	/**
 	 * Set state of the handshake
 	 *
@@ -133,7 +135,7 @@ struct imv_attestation_state_t {
 	/**
 	 * Get a Functional Component with a given name
 	 *
-	 * @param name			 	Name of the requested Functional Component
+	 * @param name				Name of the requested Functional Component
 	 * @return					Functional Component if found, NULL otherwise
 	 */
 	pts_component_t* (*get_component)(imv_attestation_state_t *this,
diff --git a/src/libpts/plugins/imv_attestation/tables.sql b/src/libpts/plugins/imv_attestation/tables.sql
index 8a79ea7cf..0c038d365 100644
--- a/src/libpts/plugins/imv_attestation/tables.sql
+++ b/src/libpts/plugins/imv_attestation/tables.sql
@@ -126,13 +126,21 @@ CREATE INDEX devices_value ON devices (
 
 DROP TABLE IF EXISTS device_infos;
 CREATE TABLE device_infos (
+  id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
   device INTEGER NOT NULL,
   time INTEGER NOT NULL,
+  ar_id INTEGER DEFAULT 0,
   product INTEGER DEFAULT 0,
   count INTEGER DEFAULT 0,
   count_update INTEGER DEFAULT 0,
   count_blacklist INTEGER DEFAULT 0,
-  flags INTEGER DEFAULT 0,
-  PRIMARY KEY (device, time)
+  flags INTEGER DEFAULT 0
 );
 
+DROP TABLE IF EXISTS identities;
+CREATE TABLE identities (
+  id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
+  type INTEGER NOT NULL,
+  data BLOB NOT NULL,
+  UNIQUE (type, data)
+);
diff --git a/src/libpts/pts/components/pts_comp_func_name.h b/src/libpts/pts/components/pts_comp_func_name.h
index a3ffa1ba9..90ad7083f 100644
--- a/src/libpts/pts/components/pts_comp_func_name.h
+++ b/src/libpts/pts/components/pts_comp_func_name.h
@@ -95,7 +95,7 @@ struct pts_comp_func_name_t {
  *
  * @param vid				PTS Component Functional Name Vendor ID
  * @param name				PTS Component Functional Name
- * @param					PTS Component Functional Name Qualifier
+ * @param qualifier			PTS Component Functional Name Qualifier
  */
 pts_comp_func_name_t* pts_comp_func_name_create(u_int32_t vid, u_int32_t name,
 												u_int8_t qualifier);
diff --git a/src/libpts/pts/pts.c b/src/libpts/pts/pts.c
index 84a9961c8..f646d67e1 100644
--- a/src/libpts/pts/pts.c
+++ b/src/libpts/pts/pts.c
@@ -1043,7 +1043,7 @@ METHOD(pts_t, get_quote_info, bool,
 	}
 
 	/* TPM Quote Info */
-	*out_quote_info = chunk_clone(writer->get_buf(writer));
+	*out_quote_info = writer->extract_buf(writer);
 	DBG3(DBG_PTS, "constructed TPM Quote Info: %B", out_quote_info);
 
 	writer->destroy(writer);
diff --git a/src/libpts/pts/pts.h b/src/libpts/pts/pts.h
index 423a4c802..11154aa38 100644
--- a/src/libpts/pts/pts.h
+++ b/src/libpts/pts/pts.h
@@ -15,7 +15,7 @@
 
 /**
  * @defgroup pts pts
- * @{ @ingroup pts
+ * @{ @ingroup libpts
  */
 
 #ifndef PTS_H_
diff --git a/src/libpts/pts/pts_dh_group.h b/src/libpts/pts/pts_dh_group.h
index 8664a4b84..2aab90263 100644
--- a/src/libpts/pts/pts_dh_group.h
+++ b/src/libpts/pts/pts_dh_group.h
@@ -48,12 +48,12 @@ enum pts_dh_group_t {
  * Diffie-Hellman Group Values
  * see section 3.8.6 of PTS Protocol: Binding to TNC IF-M Specification
  *
- *					   1
- *   0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 
+ *                       1
+ *   0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5
  *  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
  *  |1|2|3|4|5|R|R|R|R|R|R|R|R|R|R|R|
  *  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- *  
+ *
  */
 
 /**
@@ -90,8 +90,8 @@ bool pts_dh_group_update(char *dh_group, pts_dh_group_t *dh_groups);
  * @param offered_groups	set of offered DH groups
  * @return					selected DH group
  */
-pts_dh_group_t pts_dh_group_select(pts_dh_group_t supported_dh_groups,
-								   pts_dh_group_t offered_dh_groups);
+pts_dh_group_t pts_dh_group_select(pts_dh_group_t supported_groups,
+								   pts_dh_group_t offered_groups);
 
 /**
  * Convert pts_dh_group_t to diffie_hellman_group_t
diff --git a/src/libpts/pts/pts_file_meas.h b/src/libpts/pts/pts_file_meas.h
index 71efd5026..a13bb29ba 100644
--- a/src/libpts/pts/pts_file_meas.h
+++ b/src/libpts/pts/pts_file_meas.h
@@ -57,7 +57,7 @@ struct pts_file_meas_t {
 	/**
 	  * Create a PTS File Measurement enumerator
 	  *
-	  * @return				Enumerator returning filename and measurement 
+	  * @return				Enumerator returning filename and measurement
 	  */
 	enumerator_t* (*create_enumerator)(pts_file_meas_t *this);
 
@@ -76,7 +76,7 @@ struct pts_file_meas_t {
 	 * Verify stored hashes against PTS File Measurements
 	 *
 	 * @param e_hash		Hash enumerator
-	 * @paraem is_dir		TRUE for directory contents hashes
+	 * @param is_dir		TRUE for directory contents hashes
 	 * @return				TRUE if all hashes match a measurement
 	 */
 	bool (*verify)(pts_file_meas_t *this, enumerator_t *e_hash, bool is_dir);
diff --git a/src/libpts/tcg/tcg_attr.c b/src/libpts/tcg/tcg_attr.c
index 656791a8f..b91bf8283 100644
--- a/src/libpts/tcg/tcg_attr.c
+++ b/src/libpts/tcg/tcg_attr.c
@@ -31,8 +31,23 @@
 #include "tcg/tcg_pts_attr_req_file_meta.h"
 #include "tcg/tcg_pts_attr_unix_file_meta.h"
 
-ENUM_BEGIN(tcg_attr_names,	TCG_PTS_REQ_FUNC_COMP_EVID,
+ENUM_BEGIN(tcg_attr_names,	TCG_SCAP_REFERENCES,
+							TCG_SCAP_SUMMARY_RESULTS,
+	"SCAP References",
+	"SCAP Capabilities and Inventory",
+	"SCAP Content",
+	"SCAP Assessment",
+	"SCAP Results",
+	"SCAP Summary Results");
+ENUM_NEXT(tcg_attr_names,	TCG_SWID_INVENTORY_REQUEST,
+							TCG_SWID_TAG_IDENTIFIER_RESPONSE,
+							TCG_SCAP_SUMMARY_RESULTS,
+	"SWID Inventory Request",
+	"SWID Tag Response",
+	"SWID Tag Identifier Response");
+ENUM_NEXT(tcg_attr_names,	TCG_PTS_REQ_FUNC_COMP_EVID,
 							TCG_PTS_REQ_FUNC_COMP_EVID,
+							TCG_SWID_TAG_IDENTIFIER_RESPONSE,
 	"Request Functional Component Evidence");
 ENUM_NEXT(tcg_attr_names,	TCG_PTS_GEN_ATTEST_EVID,
 							TCG_PTS_GEN_ATTEST_EVID,
diff --git a/src/libpts/tcg/tcg_attr.h b/src/libpts/tcg/tcg_attr.h
index b45e1488f..ed6c97619 100644
--- a/src/libpts/tcg/tcg_attr.h
+++ b/src/libpts/tcg/tcg_attr.h
@@ -14,8 +14,8 @@
  */
 
 /**
- * @defgroup tcg_attrt tcg_attr
- * @{ @ingroup tcg_attr
+ * @defgroup tcg_attr tcg_attr
+ * @{ @ingroup libpts
  */
 
 #ifndef TCG_ATTR_H_
@@ -31,6 +31,19 @@ typedef enum tcg_attr_t tcg_attr_t;
  */
 enum tcg_attr_t {
 
+	/* SCAP Messages */
+	TCG_SCAP_REFERENCES =                 0x00000001,
+	TCG_SCAP_CAPS_AND_INVENTORY =         0x00000002,
+	TCG_SCAP_CONTENT =                    0x00000003,
+	TCG_SCAP_ASSESSMENT =                 0x00000004,
+	TCG_SCAP_RESULTS =                    0x00000005,
+	TCG_SCAP_SUMMARY_RESULTS =            0x00000006,
+
+	/* SWID Messages */
+	TCG_SWID_INVENTORY_REQUEST =          0x00000011,
+	TCG_SWID_TAG_RESPONSE =               0x00000012,
+	TCG_SWID_TAG_IDENTIFIER_RESPONSE =    0x00000013,
+
 	/* PTS Protocol Negotiations */
 	TCG_PTS_REQ_PROTO_CAPS =              0x01000000,
 	TCG_PTS_PROTO_CAPS =                  0x02000000,
diff --git a/src/libpts/tcg/tcg_pts_attr_aik.c b/src/libpts/tcg/tcg_pts_attr_aik.c
index d5bbdc9cd..17a8db5d6 100644
--- a/src/libpts/tcg/tcg_pts_attr_aik.c
+++ b/src/libpts/tcg/tcg_pts_attr_aik.c
@@ -123,9 +123,9 @@ METHOD(pa_tnc_attr_t, build, void,
 	writer = bio_writer_create(PTS_AIK_SIZE);
 	writer->write_uint8(writer, flags);
 	writer->write_data (writer, aik_blob);
-	this->value = chunk_clone(writer->get_buf(writer));
-	free(aik_blob.ptr);
+	this->value = writer->extract_buf(writer);
 	writer->destroy(writer);
+	free(aik_blob.ptr);
 }
 
 METHOD(pa_tnc_attr_t, process, status_t,
diff --git a/src/libpts/tcg/tcg_pts_attr_aik.h b/src/libpts/tcg/tcg_pts_attr_aik.h
index 96e90582b..758fd58db 100644
--- a/src/libpts/tcg/tcg_pts_attr_aik.h
+++ b/src/libpts/tcg/tcg_pts_attr_aik.h
@@ -15,7 +15,7 @@
 
 /**
  * @defgroup tcg_pts_attr_aik tcg_pts_attr_aik
- * @{ @ingroup tcg_pts_attr_aik
+ * @{ @ingroup tcg_attr
  */
 
 #ifndef TCG_PTS_ATTR_AIK_H_
@@ -38,7 +38,7 @@ struct tcg_pts_attr_aik_t {
 	 * Public PA-TNC attribute interface
 	 */
 	pa_tnc_attr_t pa_tnc_attribute;
-	
+
 	/**
 	 * Get AIK
 	 *
@@ -50,7 +50,7 @@ struct tcg_pts_attr_aik_t {
 
 /**
  * Creates an tcg_pts_attr_aik_t object
- * 
+ *
  * @param aik				Attestation Identity Key
  */
 pa_tnc_attr_t* tcg_pts_attr_aik_create(certificate_t *aik);
diff --git a/src/libpts/tcg/tcg_pts_attr_dh_nonce_finish.c b/src/libpts/tcg/tcg_pts_attr_dh_nonce_finish.c
index 4d7281243..6119b4973 100644
--- a/src/libpts/tcg/tcg_pts_attr_dh_nonce_finish.c
+++ b/src/libpts/tcg/tcg_pts_attr_dh_nonce_finish.c
@@ -128,7 +128,7 @@ METHOD(pa_tnc_attr_t, build, void,
 	writer->write_data  (writer, this->initiator_value);
 	writer->write_data  (writer, this->initiator_nonce);
 
-	this->value = chunk_clone(writer->get_buf(writer));
+	this->value = writer->extract_buf(writer);
 	writer->destroy(writer);
 }
 
diff --git a/src/libpts/tcg/tcg_pts_attr_dh_nonce_finish.h b/src/libpts/tcg/tcg_pts_attr_dh_nonce_finish.h
index 7148065c5..57cb5a9b6 100644
--- a/src/libpts/tcg/tcg_pts_attr_dh_nonce_finish.h
+++ b/src/libpts/tcg/tcg_pts_attr_dh_nonce_finish.h
@@ -15,7 +15,7 @@
 
 /**
  * @defgroup tcg_pts_attr_dh_nonce_finish tcg_pts_attr_dh_nonce_finish
- * @{ @ingroup tcg_pts_attr_dh_nonce_finish
+ * @{ @ingroup tcg_attr
  */
 
 #ifndef TCG_PTS_ATTR_DH_NONCE_FINISH_H_
@@ -64,7 +64,7 @@ struct tcg_pts_attr_dh_nonce_finish_t {
 	 * @return				DH Initiator Nonce
 	 */
 	chunk_t (*get_initiator_nonce)(tcg_pts_attr_dh_nonce_finish_t *this);
-	
+
 };
 
 /**
@@ -76,7 +76,7 @@ struct tcg_pts_attr_dh_nonce_finish_t {
  */
 pa_tnc_attr_t* tcg_pts_attr_dh_nonce_finish_create(
 										pts_meas_algorithms_t hash_algo,
-   										chunk_t initiator_value,
+										chunk_t initiator_value,
 										chunk_t initiator_nonce);
 
 /**
diff --git a/src/libpts/tcg/tcg_pts_attr_dh_nonce_params_req.c b/src/libpts/tcg/tcg_pts_attr_dh_nonce_params_req.c
index 7796dbaab..7761b977d 100644
--- a/src/libpts/tcg/tcg_pts_attr_dh_nonce_params_req.c
+++ b/src/libpts/tcg/tcg_pts_attr_dh_nonce_params_req.c
@@ -117,7 +117,7 @@ METHOD(pa_tnc_attr_t, build, void,
 	writer->write_uint8 (writer, this->min_nonce_len);
 	writer->write_uint16(writer, this->dh_groups);
 
-	this->value = chunk_clone(writer->get_buf(writer));
+	this->value = writer->extract_buf(writer);
 	writer->destroy(writer);
 }
 
diff --git a/src/libpts/tcg/tcg_pts_attr_dh_nonce_params_req.h b/src/libpts/tcg/tcg_pts_attr_dh_nonce_params_req.h
index 170077156..22e1bd189 100644
--- a/src/libpts/tcg/tcg_pts_attr_dh_nonce_params_req.h
+++ b/src/libpts/tcg/tcg_pts_attr_dh_nonce_params_req.h
@@ -15,7 +15,7 @@
 
 /**
  * @defgroup tcg_pts_attr_dh_nonce_params_req tcg_pts_attr_dh_nonce_params_req
- * @{ @ingroup tcg_pts_attr_dh_nonce_params_req
+ * @{ @ingroup tcg_attr
  */
 
 #ifndef TCG_PTS_ATTR_DH_NONCE_PARAMS_REQ_H_
diff --git a/src/libpts/tcg/tcg_pts_attr_dh_nonce_params_resp.c b/src/libpts/tcg/tcg_pts_attr_dh_nonce_params_resp.c
index 1e82e7098..eb0d0e533 100644
--- a/src/libpts/tcg/tcg_pts_attr_dh_nonce_params_resp.c
+++ b/src/libpts/tcg/tcg_pts_attr_dh_nonce_params_resp.c
@@ -136,7 +136,7 @@ METHOD(pa_tnc_attr_t, build, void,
 	writer->write_data  (writer, this->responder_nonce);
 	writer->write_data  (writer, this->responder_value);
 
-	this->value = chunk_clone(writer->get_buf(writer));
+	this->value = writer->extract_buf(writer);
 	writer->destroy(writer);
 }
 
diff --git a/src/libpts/tcg/tcg_pts_attr_dh_nonce_params_resp.h b/src/libpts/tcg/tcg_pts_attr_dh_nonce_params_resp.h
index d2141f8b9..aaf85ef37 100644
--- a/src/libpts/tcg/tcg_pts_attr_dh_nonce_params_resp.h
+++ b/src/libpts/tcg/tcg_pts_attr_dh_nonce_params_resp.h
@@ -15,7 +15,7 @@
 
 /**
  * @defgroup tcg_pts_attr_dh_nonce_params_resp tcg_pts_attr_dh_nonce_params_resp
- * @{ @ingroup tcg_pts_attr_dh_nonce_params_resp
+ * @{ @ingroup tcg_attr
  */
 
 #ifndef TCG_PTS_ATTR_DH_NONCE_PARAMS_RESP_H_
@@ -67,7 +67,7 @@ struct tcg_pts_attr_dh_nonce_params_resp_t {
 	 * @return				DH Responder Public Value
 	 */
 	chunk_t (*get_responder_value)(tcg_pts_attr_dh_nonce_params_resp_t *this);
-	
+
 };
 
 /**
@@ -76,11 +76,11 @@ struct tcg_pts_attr_dh_nonce_params_resp_t {
  * @param dh_group					Selected DH group
  * @param hash_algo_set				Set of supported hash algorithms
  * @param responder_nonce			DH Responder Nonce
- * @param responder_pub_val			DH Responder Public value
+ * @param responder_value			DH Responder Public value
  */
 pa_tnc_attr_t* tcg_pts_attr_dh_nonce_params_resp_create(pts_dh_group_t dh_group,
 											pts_meas_algorithms_t hash_algo_set,
-   											chunk_t responder_nonce,
+											chunk_t responder_nonce,
 											chunk_t responder_value);
 
 /**
diff --git a/src/libpts/tcg/tcg_pts_attr_file_meas.c b/src/libpts/tcg/tcg_pts_attr_file_meas.c
index 1daac70e5..b9095f5be 100644
--- a/src/libpts/tcg/tcg_pts_attr_file_meas.c
+++ b/src/libpts/tcg/tcg_pts_attr_file_meas.c
@@ -154,7 +154,7 @@ METHOD(pa_tnc_attr_t, build, void,
 		writer->write_uint16(writer, 0);
 	}
 
-	this->value = chunk_clone(writer->get_buf(writer));
+	this->value = writer->extract_buf(writer);
 	writer->destroy(writer);
 }
 
diff --git a/src/libpts/tcg/tcg_pts_attr_file_meas.h b/src/libpts/tcg/tcg_pts_attr_file_meas.h
index c432ba9a9..8d50cd9c6 100644
--- a/src/libpts/tcg/tcg_pts_attr_file_meas.h
+++ b/src/libpts/tcg/tcg_pts_attr_file_meas.h
@@ -15,7 +15,7 @@
 
 /**
  * @defgroup tcg_pts_attr_file_meas tcg_pts_attr_file_meas
- * @{ @ingroup tcg_pts_attr_file_meas
+ * @{ @ingroup tcg_attr
  */
 
 #ifndef TCG_PTS_ATTR_FILE_MEAS_H_
@@ -38,19 +38,19 @@ struct tcg_pts_attr_file_meas_t {
 	 * Public PA-TNC attribute interface
 	 */
 	pa_tnc_attr_t pa_tnc_attribute;
-	
+
 	/**
 	 * Get PTS File Measurements
 	 *
 	 * @return					PTS File Measurements
 	 */
 	pts_file_meas_t* (*get_measurements)(tcg_pts_attr_file_meas_t *this);
-	
+
 };
 
 /**
  * Creates an tcg_pts_attr_file_meas_t object
- * 
+ *
  * @param measurements			PTS File Measurements
  */
 pa_tnc_attr_t* tcg_pts_attr_file_meas_create(pts_file_meas_t *measurements);
diff --git a/src/libpts/tcg/tcg_pts_attr_gen_attest_evid.c b/src/libpts/tcg/tcg_pts_attr_gen_attest_evid.c
index 9103e06b2..f263747a3 100644
--- a/src/libpts/tcg/tcg_pts_attr_gen_attest_evid.c
+++ b/src/libpts/tcg/tcg_pts_attr_gen_attest_evid.c
@@ -106,7 +106,7 @@ METHOD(pa_tnc_attr_t, build, void,
 	writer = bio_writer_create(PTS_GEN_ATTEST_EVID_SIZE);
 	writer->write_uint32 (writer, PTS_GEN_ATTEST_EVID_RESERVED);
 
-	this->value = chunk_clone(writer->get_buf(writer));
+	this->value = writer->extract_buf(writer);
 	writer->destroy(writer);
 }
 
diff --git a/src/libpts/tcg/tcg_pts_attr_gen_attest_evid.h b/src/libpts/tcg/tcg_pts_attr_gen_attest_evid.h
index 0a65f2143..88f070406 100644
--- a/src/libpts/tcg/tcg_pts_attr_gen_attest_evid.h
+++ b/src/libpts/tcg/tcg_pts_attr_gen_attest_evid.h
@@ -15,7 +15,7 @@
 
 /**
  * @defgroup tcg_pts_attr_gen_attest_evid tcg_pts_attr_gen_attest_evid
- * @{ @ingroup tcg_pts_attr_gen_attest_evid
+ * @{ @ingroup tcg_attr
  */
 
 #ifndef TCG_PTS_ATTR_GEN_ATTEST_EVID_H_
diff --git a/src/libpts/tcg/tcg_pts_attr_get_aik.c b/src/libpts/tcg/tcg_pts_attr_get_aik.c
index 6f35f5419..cf944d2a9 100644
--- a/src/libpts/tcg/tcg_pts_attr_get_aik.c
+++ b/src/libpts/tcg/tcg_pts_attr_get_aik.c
@@ -103,7 +103,7 @@ METHOD(pa_tnc_attr_t, build, void,
 	writer = bio_writer_create(PTS_GET_AIK_SIZE);
 	writer->write_uint32 (writer, PTS_GET_AIK_RESERVED);
 
-	this->value = chunk_clone(writer->get_buf(writer));
+	this->value = writer->extract_buf(writer);
 	writer->destroy(writer);
 }
 
diff --git a/src/libpts/tcg/tcg_pts_attr_get_aik.h b/src/libpts/tcg/tcg_pts_attr_get_aik.h
index e5c74b4dc..aca890a20 100644
--- a/src/libpts/tcg/tcg_pts_attr_get_aik.h
+++ b/src/libpts/tcg/tcg_pts_attr_get_aik.h
@@ -15,7 +15,7 @@
 
 /**
  * @defgroup tcg_pts_attr_get_aik tcg_pts_attr_get_aik
- * @{ @ingroup tcg_pts_attr_get_aik
+ * @{ @ingroup tcg_attr
  */
 
 #ifndef TCG_PTS_ATTR_GET_AIK_H_
diff --git a/src/libpts/tcg/tcg_pts_attr_get_tpm_version_info.c b/src/libpts/tcg/tcg_pts_attr_get_tpm_version_info.c
index 4dd64e3a7..647c426ed 100644
--- a/src/libpts/tcg/tcg_pts_attr_get_tpm_version_info.c
+++ b/src/libpts/tcg/tcg_pts_attr_get_tpm_version_info.c
@@ -106,7 +106,7 @@ METHOD(pa_tnc_attr_t, build, void,
 	writer = bio_writer_create(PTS_GET_TPM_VER_INFO_SIZE);
 	writer->write_uint32 (writer, PTS_GET_TPM_VER_INFO_RESERVED);
 
-	this->value = chunk_clone(writer->get_buf(writer));
+	this->value = writer->extract_buf(writer);
 	writer->destroy(writer);
 }
 
diff --git a/src/libpts/tcg/tcg_pts_attr_get_tpm_version_info.h b/src/libpts/tcg/tcg_pts_attr_get_tpm_version_info.h
index 1b693402a..360049690 100644
--- a/src/libpts/tcg/tcg_pts_attr_get_tpm_version_info.h
+++ b/src/libpts/tcg/tcg_pts_attr_get_tpm_version_info.h
@@ -15,7 +15,7 @@
 
 /**
  * @defgroup tcg_pts_attr_get_tpm_version_info tcg_pts_attr_get_tpm_version_info
- * @{ @ingroup tcg_pts_attr_get_tpm_version_info
+ * @{ @ingroup tcg_attr
  */
 
 #ifndef TCG_PTS_ATTR_GET_TPM_VERSION_INFO_H_
diff --git a/src/libpts/tcg/tcg_pts_attr_meas_algo.c b/src/libpts/tcg/tcg_pts_attr_meas_algo.c
index abef45bdd..a4dac9070 100644
--- a/src/libpts/tcg/tcg_pts_attr_meas_algo.c
+++ b/src/libpts/tcg/tcg_pts_attr_meas_algo.c
@@ -109,7 +109,7 @@ METHOD(pa_tnc_attr_t, build, void,
 	writer = bio_writer_create(PTS_MEAS_ALGO_SIZE);
 	writer->write_uint16(writer, PTS_MEAS_ALGO_RESERVED);
 	writer->write_uint16(writer, this->algorithms);
-	this->value = chunk_clone(writer->get_buf(writer));
+	this->value = writer->extract_buf(writer);
 	writer->destroy(writer);
 }
 
diff --git a/src/libpts/tcg/tcg_pts_attr_meas_algo.h b/src/libpts/tcg/tcg_pts_attr_meas_algo.h
index 885e2c16b..758100bbc 100644
--- a/src/libpts/tcg/tcg_pts_attr_meas_algo.h
+++ b/src/libpts/tcg/tcg_pts_attr_meas_algo.h
@@ -15,7 +15,7 @@
 
 /**
  * @defgroup tcg_pts_attr_meas_algo tcg_pts_attr_meas_algo
- * @{ @ingroup tcg_pts_attr_meas_algo
+ * @{ @ingroup tcg_attr
  */
 
 #ifndef TCG_PTS_ATTR_MEAS_ALGO_H_
diff --git a/src/libpts/tcg/tcg_pts_attr_proto_caps.c b/src/libpts/tcg/tcg_pts_attr_proto_caps.c
index 360883282..6473ea808 100644
--- a/src/libpts/tcg/tcg_pts_attr_proto_caps.c
+++ b/src/libpts/tcg/tcg_pts_attr_proto_caps.c
@@ -110,7 +110,7 @@ METHOD(pa_tnc_attr_t, build, void,
 	writer->write_uint16(writer, PTS_PROTO_CAPS_RESERVED);
 	writer->write_uint16(writer, this->flags);
 
-	this->value = chunk_clone(writer->get_buf(writer));
+	this->value = writer->extract_buf(writer);
 	writer->destroy(writer);
 }
 
diff --git a/src/libpts/tcg/tcg_pts_attr_proto_caps.h b/src/libpts/tcg/tcg_pts_attr_proto_caps.h
index 15cfbc7cb..cc59f4ef1 100644
--- a/src/libpts/tcg/tcg_pts_attr_proto_caps.h
+++ b/src/libpts/tcg/tcg_pts_attr_proto_caps.h
@@ -15,7 +15,7 @@
 
 /**
  * @defgroup tcg_pts_attr_proto_caps tcg_pts_attr_proto_caps
- * @{ @ingroup tcg_pts_attr_proto_caps
+ * @{ @ingroup tcg_attr
  */
 
 #ifndef TCG_PTS_ATTR_PROTO_CAPS_H_
diff --git a/src/libpts/tcg/tcg_pts_attr_req_file_meas.c b/src/libpts/tcg/tcg_pts_attr_req_file_meas.c
index 8b4bfe54d..f0bc7cf60 100644
--- a/src/libpts/tcg/tcg_pts_attr_req_file_meas.c
+++ b/src/libpts/tcg/tcg_pts_attr_req_file_meas.c
@@ -143,7 +143,7 @@ METHOD(pa_tnc_attr_t, build, void,
 	writer->write_uint16(writer, this->request_id);
 	writer->write_uint32(writer, this->delimiter);
 	writer->write_data  (writer, pathname);
-	this->value = chunk_clone(writer->get_buf(writer));
+	this->value = writer->extract_buf(writer);
 	writer->destroy(writer);
 }
 
diff --git a/src/libpts/tcg/tcg_pts_attr_req_file_meas.h b/src/libpts/tcg/tcg_pts_attr_req_file_meas.h
index 19d189eff..85a6b9a43 100644
--- a/src/libpts/tcg/tcg_pts_attr_req_file_meas.h
+++ b/src/libpts/tcg/tcg_pts_attr_req_file_meas.h
@@ -15,7 +15,7 @@
 
 /**
  * @defgroup tcg_pts_attr_req_file_meas tcg_pts_attr_req_file_meas
- * @{ @ingroup tcg_pts_attr_req_file_meas
+ * @{ @ingroup tcg_attr
  */
 
 #ifndef TCG_PTS_ATTR_REQ_FILE_MEAS_H_
@@ -36,7 +36,7 @@ struct tcg_pts_attr_req_file_meas_t {
 	 * Public PA-TNC attribute interface
 	 */
 	pa_tnc_attr_t pa_tnc_attribute;
-	
+
 	/**
 	 * Get flag for PTS Request File Measurement
 	 *
@@ -50,7 +50,6 @@ struct tcg_pts_attr_req_file_meas_t {
 	 * @return				Request ID
 	 */
 	u_int16_t (*get_request_id)(tcg_pts_attr_req_file_meas_t *this);
-	
 
 	/**
 	 * Get Delimiter
@@ -58,19 +57,19 @@ struct tcg_pts_attr_req_file_meas_t {
 	 * @return				UTF-8 encoding of a Delimiter Character
 	 */
 	u_int32_t (*get_delimiter)(tcg_pts_attr_req_file_meas_t *this);
-	
+
 	/**
 	 * Get Fully Qualified File Pathname
 	 *
 	 * @return				Pathname
 	 */
 	char* (*get_pathname)(tcg_pts_attr_req_file_meas_t *this);
-	
+
 };
 
 /**
  * Creates an tcg_pts_attr_req_file_meas_t object
- * 
+ *
  * @param directory_flag	Directory Contents Flag
  * @param request_id		Request ID
  * @param delimiter			Delimiter Character
diff --git a/src/libpts/tcg/tcg_pts_attr_req_file_meta.c b/src/libpts/tcg/tcg_pts_attr_req_file_meta.c
index ff5581435..e475cd35b 100644
--- a/src/libpts/tcg/tcg_pts_attr_req_file_meta.c
+++ b/src/libpts/tcg/tcg_pts_attr_req_file_meta.c
@@ -136,7 +136,7 @@ METHOD(pa_tnc_attr_t, build, void,
 	writer->write_uint16(writer, PTS_REQ_FILE_META_RESERVED);
 
 	writer->write_data  (writer, pathname);
-	this->value = chunk_clone(writer->get_buf(writer));
+	this->value = writer->extract_buf(writer);
 	writer->destroy(writer);
 }
 
diff --git a/src/libpts/tcg/tcg_pts_attr_req_file_meta.h b/src/libpts/tcg/tcg_pts_attr_req_file_meta.h
index 7620c50ab..311418be2 100644
--- a/src/libpts/tcg/tcg_pts_attr_req_file_meta.h
+++ b/src/libpts/tcg/tcg_pts_attr_req_file_meta.h
@@ -15,7 +15,7 @@
 
 /**
  * @defgroup tcg_pts_attr_req_file_meta tcg_pts_attr_req_file_meta
- * @{ @ingroup tcg_pts_attr_req_file_meta
+ * @{ @ingroup tcg_attr
  */
 
 #ifndef TCG_PTS_ATTR_REQ_FILE_META_H_
@@ -36,7 +36,7 @@ struct tcg_pts_attr_req_file_meta_t {
 	 * Public PA-TNC attribute interface
 	 */
 	pa_tnc_attr_t pa_tnc_attribute;
-	
+
 	/**
 	 * Get directory flag for PTS Request File Metadata
 	 *
@@ -50,19 +50,19 @@ struct tcg_pts_attr_req_file_meta_t {
 	 * @return				UTF-8 encoding of a Delimiter Character
 	 */
 	u_int8_t (*get_delimiter)(tcg_pts_attr_req_file_meta_t *this);
-	
+
 	/**
 	 * Get Fully Qualified File Pathname
 	 *
 	 * @return				Pathname
 	 */
 	char* (*get_pathname)(tcg_pts_attr_req_file_meta_t *this);
-	
+
 };
 
 /**
  * Creates an tcg_pts_attr_req_file_meta_t object
- * 
+ *
  * @param directory_flag	Directory Contents Flag
  * @param delimiter			Delimiter Character
  * @param pathname			File Pathname
diff --git a/src/libpts/tcg/tcg_pts_attr_req_func_comp_evid.c b/src/libpts/tcg/tcg_pts_attr_req_func_comp_evid.c
index 8bb43aef8..5249fa2ad 100644
--- a/src/libpts/tcg/tcg_pts_attr_req_func_comp_evid.c
+++ b/src/libpts/tcg/tcg_pts_attr_req_func_comp_evid.c
@@ -183,7 +183,7 @@ METHOD(pa_tnc_attr_t, build, void,
 	}
 	enumerator->destroy(enumerator);
 
-	this->value = chunk_clone(writer->get_buf(writer));
+	this->value = writer->extract_buf(writer);
 	writer->destroy(writer);
 }
 
diff --git a/src/libpts/tcg/tcg_pts_attr_req_func_comp_evid.h b/src/libpts/tcg/tcg_pts_attr_req_func_comp_evid.h
index 031955aca..749413c2e 100644
--- a/src/libpts/tcg/tcg_pts_attr_req_func_comp_evid.h
+++ b/src/libpts/tcg/tcg_pts_attr_req_func_comp_evid.h
@@ -15,7 +15,7 @@
 
 /**
  * @defgroup tcg_pts_attr_req_func_comp_evid tcg_pts_attr_req_func_comp_evid
- * @{ @ingroup tcg_pts_attr_req_func_comp_evid
+ * @{ @ingroup tcg_attr
  */
 
 #ifndef TCG_PTS_ATTR_REQ_FUNC_COMP_EVID_H_
@@ -37,7 +37,7 @@ struct tcg_pts_attr_req_func_comp_evid_t {
 	 * Public PA-TNC attribute interface
 	 */
 	pa_tnc_attr_t pa_tnc_attribute;
-	
+
 	/**
 	 * Add a component to the Functional Component Evidence Request
 	 *
@@ -62,7 +62,7 @@ struct tcg_pts_attr_req_func_comp_evid_t {
 	 * @return					Entry enumerator
 	 */
 	enumerator_t* (*create_enumerator)(tcg_pts_attr_req_func_comp_evid_t *this);
-	
+
 };
 
 /**
diff --git a/src/libpts/tcg/tcg_pts_attr_simple_comp_evid.c b/src/libpts/tcg/tcg_pts_attr_simple_comp_evid.c
index c659443b7..40f380ab4 100644
--- a/src/libpts/tcg/tcg_pts_attr_simple_comp_evid.c
+++ b/src/libpts/tcg/tcg_pts_attr_simple_comp_evid.c
@@ -242,7 +242,7 @@ METHOD(pa_tnc_attr_t, build, void,
 
 	writer->write_data(writer, measurement);
 
-	this->value = chunk_clone(writer->get_buf(writer));
+	this->value = writer->extract_buf(writer);
 	writer->destroy(writer);
 }
 
diff --git a/src/libpts/tcg/tcg_pts_attr_simple_comp_evid.h b/src/libpts/tcg/tcg_pts_attr_simple_comp_evid.h
index 3a80904c8..494418261 100644
--- a/src/libpts/tcg/tcg_pts_attr_simple_comp_evid.h
+++ b/src/libpts/tcg/tcg_pts_attr_simple_comp_evid.h
@@ -15,7 +15,7 @@
 
 /**
  * @defgroup tcg_pts_attr_simple_comp_evid tcg_pts_attr_simple_comp_evid
- * @{ @ingroup tcg_pts_attr_simple_comp_evid
+ * @{ @ingroup tcg_attr
  */
 
 #ifndef TCG_PTS_ATTR_SIMPLE_COMP_EVID_H_
@@ -24,7 +24,7 @@
 typedef struct tcg_pts_attr_simple_comp_evid_t tcg_pts_attr_simple_comp_evid_t;
 
 #include "tcg_attr.h"
-#include "pts/components/pts_comp_evidence.h" 
+#include "pts/components/pts_comp_evidence.h"
 #include "pa_tnc/pa_tnc_attr.h"
 
 /**
@@ -44,12 +44,12 @@ struct tcg_pts_attr_simple_comp_evid_t {
 	 * @return					Component Evidence
 	 */
 	pts_comp_evidence_t* (*get_comp_evidence)(tcg_pts_attr_simple_comp_evid_t *this);
-	
+
 };
 
 /**
  * Creates an tcg_pts_attr_simple_comp_evid_t object
- * 
+ *
  * @param evid					Component Evidence
  */
 pa_tnc_attr_t* tcg_pts_attr_simple_comp_evid_create(pts_comp_evidence_t *evid);
diff --git a/src/libpts/tcg/tcg_pts_attr_simple_evid_final.c b/src/libpts/tcg/tcg_pts_attr_simple_evid_final.c
index 8c76651d6..baadd943f 100644
--- a/src/libpts/tcg/tcg_pts_attr_simple_evid_final.c
+++ b/src/libpts/tcg/tcg_pts_attr_simple_evid_final.c
@@ -194,7 +194,7 @@ METHOD(pa_tnc_attr_t, build, void,
 		writer->write_data (writer, this->evid_sig);
 	}
 
-	this->value = chunk_clone(writer->get_buf(writer));
+	this->value = writer->extract_buf(writer);
 	writer->destroy(writer);
 }
 
diff --git a/src/libpts/tcg/tcg_pts_attr_simple_evid_final.h b/src/libpts/tcg/tcg_pts_attr_simple_evid_final.h
index 3d98bfce7..6778afbdc 100644
--- a/src/libpts/tcg/tcg_pts_attr_simple_evid_final.h
+++ b/src/libpts/tcg/tcg_pts_attr_simple_evid_final.h
@@ -15,7 +15,7 @@
 
 /**
  * @defgroup tcg_pts_attr_simple_evid_final tcg_pts_attr_simple_evid_final
- * @{ @ingroup tcg_pts_attr_simple_evid_final
+ * @{ @ingroup tcg_attr
  */
 
 #ifndef TCG_PTS_ATTR_SIMPLE_EVID_FINAL_H_
@@ -44,27 +44,29 @@ struct tcg_pts_attr_simple_evid_final_t {
 	 * @param comp_hash_algo	Optional Composite Hash Algorithm
 	 * @param pcr_comp			Optional PCR Composite
 	 * @param tpm_quote sig		Optional TPM Quote Signature
-	 * @return					PTS_SIMPLE_EVID_FINAL flags		
+	 * @return					PTS_SIMPLE_EVID_FINAL flags
 	 */
 	u_int8_t (*get_quote_info)(tcg_pts_attr_simple_evid_final_t *this,
 							   pts_meas_algorithms_t *comp_hash_algo,
 							   chunk_t *pcr_comp, chunk_t *tpm_quote_sig);
-	
+
 	/**
 	 * Get Optional Evidence Signature
 	 *
-	 * @evid_sig				Optional Evidence Signature
+	 * @param evid_sig			Optional Evidence Signature
 	 * @return					TRUE if Evidence Signature is available
 	 */
-	bool (*get_evid_sig)(tcg_pts_attr_simple_evid_final_t *this, chunk_t *evid_sig);
+	bool (*get_evid_sig)(tcg_pts_attr_simple_evid_final_t *this,
+						 chunk_t *evid_sig);
 
 	/**
 	 * Set Optional Evidence Signature
 	 *
-	 * @evid_sig				Optional Evidence Signature
+	 * @param vid_sig			Optional Evidence Signature
 	 */
-	void (*set_evid_sig)(tcg_pts_attr_simple_evid_final_t *this, chunk_t evid_sig);
-	
+	void (*set_evid_sig)(tcg_pts_attr_simple_evid_final_t *this,
+						 chunk_t evid_sig);
+
 };
 
 /**
diff --git a/src/libpts/tcg/tcg_pts_attr_tpm_version_info.c b/src/libpts/tcg/tcg_pts_attr_tpm_version_info.c
index 5143e1676..b776cb662 100644
--- a/src/libpts/tcg/tcg_pts_attr_tpm_version_info.c
+++ b/src/libpts/tcg/tcg_pts_attr_tpm_version_info.c
@@ -110,7 +110,7 @@ METHOD(pa_tnc_attr_t, build, void,
 	writer = bio_writer_create(PTS_TPM_VER_INFO_SIZE);
 	writer->write_data(writer, this->tpm_version_info);
 
-	this->value = chunk_clone(writer->get_buf(writer));
+	this->value = writer->extract_buf(writer);
 	writer->destroy(writer);
 }
 
diff --git a/src/libpts/tcg/tcg_pts_attr_tpm_version_info.h b/src/libpts/tcg/tcg_pts_attr_tpm_version_info.h
index 2c12bb068..4ac18fb9e 100644
--- a/src/libpts/tcg/tcg_pts_attr_tpm_version_info.h
+++ b/src/libpts/tcg/tcg_pts_attr_tpm_version_info.h
@@ -15,7 +15,7 @@
 
 /**
  * @defgroup tcg_pts_attr_tpm_version_info tcg_pts_attr_tpm_version_info
- * @{ @ingroup tcg_pts_attr_tpm_version_info
+ * @{ @ingroup tcg_attr
  */
 
 #ifndef TCG_PTS_ATTR_TPM_VERSION_INFO_H_
@@ -36,7 +36,7 @@ struct tcg_pts_attr_tpm_version_info_t {
 	 * Public PA-TNC attribute interface
 	 */
 	pa_tnc_attr_t pa_tnc_attribute;
-	
+
 	/**
 	 * Get TPM Version Info
 	 *
@@ -55,7 +55,7 @@ struct tcg_pts_attr_tpm_version_info_t {
 
 /**
  * Creates an tcg_pts_attr_tpm_version_info_t object
- * 
+ *
  * @param tpm_version_info		TPM version info
  */
 pa_tnc_attr_t* tcg_pts_attr_tpm_version_info_create(chunk_t tpm_version_info);
diff --git a/src/libpts/tcg/tcg_pts_attr_unix_file_meta.c b/src/libpts/tcg/tcg_pts_attr_unix_file_meta.c
index 56686d8ca..f96371b8b 100644
--- a/src/libpts/tcg/tcg_pts_attr_unix_file_meta.c
+++ b/src/libpts/tcg/tcg_pts_attr_unix_file_meta.c
@@ -166,7 +166,7 @@ METHOD(pa_tnc_attr_t, build, void,
 	}
 	enumerator->destroy(enumerator);
 
-	this->value = chunk_clone(writer->get_buf(writer));
+	this->value = writer->extract_buf(writer);
 	writer->destroy(writer);
 }
 
diff --git a/src/libpts/tcg/tcg_pts_attr_unix_file_meta.h b/src/libpts/tcg/tcg_pts_attr_unix_file_meta.h
index 8a594eab5..ad9794b45 100644
--- a/src/libpts/tcg/tcg_pts_attr_unix_file_meta.h
+++ b/src/libpts/tcg/tcg_pts_attr_unix_file_meta.h
@@ -15,7 +15,7 @@
 
 /**
  * @defgroup tcg_pts_attr_unix_file_meta tcg_pts_attr_unix_file_meta
- * @{ @ingroup tcg_pts_attr_unix_file_meta
+ * @{ @ingroup tcg_attr
  */
 
 #ifndef TCG_PTS_ATTR_UNIX_FILE_META_H_
@@ -38,19 +38,19 @@ struct tcg_pts_attr_file_meta_t {
 	 * Public PA-TNC attribute interface
 	 */
 	pa_tnc_attr_t pa_tnc_attribute;
-	
+
 	/**
 	 * Get PTS File Metadata
 	 *
 	 * @return					PTS File Metadata
 	 */
 	pts_file_meta_t* (*get_metadata)(tcg_pts_attr_file_meta_t *this);
-	
+
 };
 
 /**
  * Creates an tcg_pts_attr_file_meta_t object
- * 
+ *
  * @param metadata			PTS File Metadata
  */
 pa_tnc_attr_t* tcg_pts_attr_unix_file_meta_create(pts_file_meta_t *metadata);
diff --git a/src/libpttls/Makefile.am b/src/libpttls/Makefile.am
new file mode 100644
index 000000000..48123181b
--- /dev/null
+++ b/src/libpttls/Makefile.am
@@ -0,0 +1,12 @@
+
+INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libtls \
+	-I$(top_srcdir)/src/libtncif -I$(top_srcdir)/src/libtnccs
+
+ipseclib_LTLIBRARIES = libpttls.la
+libpttls_la_LIBADD = $(top_builddir)/src/libtls/libtls.la
+libpttls_la_SOURCES = pt_tls.c pt_tls.h \
+	pt_tls_client.c pt_tls_client.h \
+	pt_tls_server.c pt_tls_server.h \
+	pt_tls_dispatcher.c pt_tls_dispatcher.h \
+	sasl/sasl_plain/sasl_plain.c sasl/sasl_plain/sasl_plain.h \
+	sasl/sasl_mechanism.c sasl/sasl_mechanism.h
diff --git a/src/libpttls/Makefile.in b/src/libpttls/Makefile.in
new file mode 100644
index 000000000..aec424f1a
--- /dev/null
+++ b/src/libpttls/Makefile.in
@@ -0,0 +1,660 @@
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
+pkgdatadir = $(datadir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+subdir = src/libpttls
+DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+	$(top_srcdir)/m4/config/ltoptions.m4 \
+	$(top_srcdir)/m4/config/ltsugar.m4 \
+	$(top_srcdir)/m4/config/ltversion.m4 \
+	$(top_srcdir)/m4/config/lt~obsolete.m4 \
+	$(top_srcdir)/m4/macros/with.m4 \
+	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
+	$(top_srcdir)/configure.in
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+	$(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_HEADER = $(top_builddir)/config.h
+CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+    *) f=$$p;; \
+  esac;
+am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
+am__install_max = 40
+am__nobase_strip_setup = \
+  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
+am__nobase_strip = \
+  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
+am__nobase_list = $(am__nobase_strip_setup); \
+  for p in $$list; do echo "$$p $$p"; done | \
+  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
+  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
+    if (++n[$$2] == $(am__install_max)) \
+      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
+    END { for (dir in files) print dir, files[dir] }'
+am__base_list = \
+  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
+  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
+am__installdirs = "$(DESTDIR)$(ipseclibdir)"
+LTLIBRARIES = $(ipseclib_LTLIBRARIES)
+libpttls_la_DEPENDENCIES = $(top_builddir)/src/libtls/libtls.la
+am_libpttls_la_OBJECTS = pt_tls.lo pt_tls_client.lo pt_tls_server.lo \
+	pt_tls_dispatcher.lo sasl_plain.lo sasl_mechanism.lo
+libpttls_la_OBJECTS = $(am_libpttls_la_OBJECTS)
+DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
+depcomp = $(SHELL) $(top_srcdir)/depcomp
+am__depfiles_maybe = depfiles
+am__mv = mv -f
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
+	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CCLD = $(CC)
+LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
+	$(LDFLAGS) -o $@
+SOURCES = $(libpttls_la_SOURCES)
+DIST_SOURCES = $(libpttls_la_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
+ETAGS = etags
+CTAGS = ctags
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
+AMTAR = @AMTAR@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+BFDLIB = @BFDLIB@
+BTLIB = @BTLIB@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
+DSYMUTIL = @DSYMUTIL@
+DUMPBIN = @DUMPBIN@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+FGREP = @FGREP@
+GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
+GREP = @GREP@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LD = @LD@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LIPO = @LIPO@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
+MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
+NM = @NM@
+NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
+PTHREADLIB = @PTHREADLIB@
+RANLIB = @RANLIB@
+RTLIB = @RTLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
+SED = @SED@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
+STRIP = @STRIP@
+VERSION = @VERSION@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+attest_plugins = @attest_plugins@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+c_plugins = @c_plugins@
+charon_natt_port = @charon_natt_port@
+charon_plugins = @charon_plugins@
+charon_udp_port = @charon_udp_port@
+clearsilver_LIBS = @clearsilver_LIBS@
+datadir = @datadir@
+datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
+dev_headers = @dev_headers@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+gtk_CFLAGS = @gtk_CFLAGS@
+gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+imcvdir = @imcvdir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+ipsec_script = @ipsec_script@
+ipsec_script_upper = @ipsec_script_upper@
+ipsecdir = @ipsecdir@
+ipsecgroup = @ipsecgroup@
+ipseclibdir = @ipseclibdir@
+ipsecuser = @ipsecuser@
+libdir = @libdir@
+libexecdir = @libexecdir@
+linux_headers = @linux_headers@
+localedir = @localedir@
+localstatedir = @localstatedir@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
+mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
+mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
+nm_plugins = @nm_plugins@
+oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+pcsclite_CFLAGS = @pcsclite_CFLAGS@
+pcsclite_LIBS = @pcsclite_LIBS@
+pdfdir = @pdfdir@
+piddir = @piddir@
+pki_plugins = @pki_plugins@
+plugindir = @plugindir@
+pool_plugins = @pool_plugins@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+random_device = @random_device@
+resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
+sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
+sharedstatedir = @sharedstatedir@
+soup_CFLAGS = @soup_CFLAGS@
+soup_LIBS = @soup_LIBS@
+srcdir = @srcdir@
+starter_plugins = @starter_plugins@
+strongswan_conf = @strongswan_conf@
+sysconfdir = @sysconfdir@
+systemdsystemunitdir = @systemdsystemunitdir@
+target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+urandom_device = @urandom_device@
+xml_CFLAGS = @xml_CFLAGS@
+xml_LIBS = @xml_LIBS@
+INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libtls \
+	-I$(top_srcdir)/src/libtncif -I$(top_srcdir)/src/libtnccs
+
+ipseclib_LTLIBRARIES = libpttls.la
+libpttls_la_LIBADD = $(top_builddir)/src/libtls/libtls.la
+libpttls_la_SOURCES = pt_tls.c pt_tls.h \
+	pt_tls_client.c pt_tls_client.h \
+	pt_tls_server.c pt_tls_server.h \
+	pt_tls_dispatcher.c pt_tls_dispatcher.h \
+	sasl/sasl_plain/sasl_plain.c sasl/sasl_plain/sasl_plain.h \
+	sasl/sasl_mechanism.c sasl/sasl_mechanism.h
+
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .c .lo .o .obj
+$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
+	@for dep in $?; do \
+	  case '$(am__configure_deps)' in \
+	    *$$dep*) \
+	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+	        && { if test -f $@; then exit 0; else break; fi; }; \
+	      exit 1;; \
+	  esac; \
+	done; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libpttls/Makefile'; \
+	$(am__cd) $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu src/libpttls/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+	@case '$?' in \
+	  *config.status*) \
+	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+	  *) \
+	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+	esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure:  $(am__configure_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
+install-ipseclibLTLIBRARIES: $(ipseclib_LTLIBRARIES)
+	@$(NORMAL_INSTALL)
+	@list='$(ipseclib_LTLIBRARIES)'; test -n "$(ipseclibdir)" || list=; \
+	list2=; for p in $$list; do \
+	  if test -f $$p; then \
+	    list2="$$list2 $$p"; \
+	  else :; fi; \
+	done; \
+	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(ipseclibdir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(ipseclibdir)" || exit 1; \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(ipseclibdir)'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(ipseclibdir)"; \
+	}
+
+uninstall-ipseclibLTLIBRARIES:
+	@$(NORMAL_UNINSTALL)
+	@list='$(ipseclib_LTLIBRARIES)'; test -n "$(ipseclibdir)" || list=; \
+	for p in $$list; do \
+	  $(am__strip_dir) \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(ipseclibdir)/$$f'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(ipseclibdir)/$$f"; \
+	done
+
+clean-ipseclibLTLIBRARIES:
+	-test -z "$(ipseclib_LTLIBRARIES)" || rm -f $(ipseclib_LTLIBRARIES)
+	@list='$(ipseclib_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+libpttls.la: $(libpttls_la_OBJECTS) $(libpttls_la_DEPENDENCIES) $(EXTRA_libpttls_la_DEPENDENCIES) 
+	$(LINK) -rpath $(ipseclibdir) $(libpttls_la_OBJECTS) $(libpttls_la_LIBADD) $(LIBS)
+
+mostlyclean-compile:
+	-rm -f *.$(OBJEXT)
+
+distclean-compile:
+	-rm -f *.tab.c
+
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pt_tls.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pt_tls_client.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pt_tls_dispatcher.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pt_tls_server.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/sasl_mechanism.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/sasl_plain.Plo@am__quote@
+
+.c.o:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+
+.c.obj:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+
+.c.lo:
+@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+
+sasl_plain.lo: sasl/sasl_plain/sasl_plain.c
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT sasl_plain.lo -MD -MP -MF $(DEPDIR)/sasl_plain.Tpo -c -o sasl_plain.lo `test -f 'sasl/sasl_plain/sasl_plain.c' || echo '$(srcdir)/'`sasl/sasl_plain/sasl_plain.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/sasl_plain.Tpo $(DEPDIR)/sasl_plain.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sasl/sasl_plain/sasl_plain.c' object='sasl_plain.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sasl_plain.lo `test -f 'sasl/sasl_plain/sasl_plain.c' || echo '$(srcdir)/'`sasl/sasl_plain/sasl_plain.c
+
+sasl_mechanism.lo: sasl/sasl_mechanism.c
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT sasl_mechanism.lo -MD -MP -MF $(DEPDIR)/sasl_mechanism.Tpo -c -o sasl_mechanism.lo `test -f 'sasl/sasl_mechanism.c' || echo '$(srcdir)/'`sasl/sasl_mechanism.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/sasl_mechanism.Tpo $(DEPDIR)/sasl_mechanism.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sasl/sasl_mechanism.c' object='sasl_mechanism.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sasl_mechanism.lo `test -f 'sasl/sasl_mechanism.c' || echo '$(srcdir)/'`sasl/sasl_mechanism.c
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	mkid -fID $$unique
+tags: TAGS
+
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	set x; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	shift; \
+	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
+	  test -n "$$unique" || unique=$$empty_fix; \
+	  if test $$# -gt 0; then \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      "$$@" $$unique; \
+	  else \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      $$unique; \
+	  fi; \
+	fi
+ctags: CTAGS
+CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	test -z "$(CTAGS_ARGS)$$unique" \
+	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+	     $$unique
+
+GTAGS:
+	here=`$(am__cd) $(top_builddir) && pwd` \
+	  && $(am__cd) $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) "$$here"
+
+distclean-tags:
+	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+distdir: $(DISTFILES)
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
+	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d "$(distdir)/$$file"; then \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
+	  else \
+	    test -f "$(distdir)/$$file" \
+	    || cp -p $$d/$$file "$(distdir)/$$file" \
+	    || exit 1; \
+	  fi; \
+	done
+check-am: all-am
+check: check-am
+all-am: Makefile $(LTLIBRARIES)
+installdirs:
+	for dir in "$(DESTDIR)$(ipseclibdir)"; do \
+	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
+	done
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
+
+maintainer-clean-generic:
+	@echo "This command is intended for maintainers to use"
+	@echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-generic clean-ipseclibLTLIBRARIES clean-libtool \
+	mostlyclean-am
+
+distclean: distclean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+	distclean-tags
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+html-am:
+
+info: info-am
+
+info-am:
+
+install-data-am: install-ipseclibLTLIBRARIES
+
+install-dvi: install-dvi-am
+
+install-dvi-am:
+
+install-exec-am:
+
+install-html: install-html-am
+
+install-html-am:
+
+install-info: install-info-am
+
+install-info-am:
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-pdf-am:
+
+install-ps: install-ps-am
+
+install-ps-am:
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+	mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am: uninstall-ipseclibLTLIBRARIES
+
+.MAKE: install-am install-strip
+
+.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
+	clean-ipseclibLTLIBRARIES clean-libtool ctags distclean \
+	distclean-compile distclean-generic distclean-libtool \
+	distclean-tags distdir dvi dvi-am html html-am info info-am \
+	install install-am install-data install-data-am install-dvi \
+	install-dvi-am install-exec install-exec-am install-html \
+	install-html-am install-info install-info-am \
+	install-ipseclibLTLIBRARIES install-man install-pdf \
+	install-pdf-am install-ps install-ps-am install-strip \
+	installcheck installcheck-am installdirs maintainer-clean \
+	maintainer-clean-generic mostlyclean mostlyclean-compile \
+	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
+	tags uninstall uninstall-am uninstall-ipseclibLTLIBRARIES
+
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/src/libpttls/pt_tls.c b/src/libpttls/pt_tls.c
new file mode 100644
index 000000000..0fee343b8
--- /dev/null
+++ b/src/libpttls/pt_tls.c
@@ -0,0 +1,120 @@
+/*
+ * Copyright (C) 2012 Martin Willi
+ * Copyright (C) 2012 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "pt_tls.h"
+
+#include <utils/debug.h>
+
+/*
+ * PT-TNC Message format:
+ *                       1                   2                   3
+ *   0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ *  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ *  |    Reserved   |           Message Type Vendor ID              |
+ *  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ *  |                          Message Type                         |
+ *  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ *  |                         Message Length                        |
+ *  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ *  |                       Message Identifier                      |
+ *  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ *  |                Message Value (e.g. PB-TNC Batch) . . .        |
+ *  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ */
+
+/**
+ * Read a chunk of data from TLS, returning a reader for it
+ */
+static bio_reader_t* read_tls(tls_socket_t *tls, size_t len)
+{
+	ssize_t got, total = 0;
+	char *buf;
+
+	buf = malloc(len);
+	while (total < len)
+	{
+		got = tls->read(tls, buf + total, len - total, TRUE);
+		if (got <= 0)
+		{
+			free(buf);
+			return NULL;
+		}
+		total += got;
+	}
+	return bio_reader_create_own(chunk_create(buf, len));
+}
+
+/**
+ * Read a PT-TLS message, return header data
+ */
+bio_reader_t* pt_tls_read(tls_socket_t *tls, u_int32_t *vendor,
+						  u_int32_t *type, u_int32_t *identifier)
+{
+	bio_reader_t *reader;
+	u_int32_t len;
+	u_int8_t reserved;
+
+	reader = read_tls(tls, PT_TLS_HEADER_LEN);
+	if (!reader)
+	{
+		return NULL;
+	}
+	if (!reader->read_uint8(reader, &reserved) ||
+		!reader->read_uint24(reader, vendor) ||
+		!reader->read_uint32(reader, type) ||
+		!reader->read_uint32(reader, &len) ||
+		!reader->read_uint32(reader, identifier))
+	{
+		reader->destroy(reader);
+		return NULL;
+	}
+	reader->destroy(reader);
+
+	if (len < PT_TLS_HEADER_LEN)
+	{
+		DBG1(DBG_TNC, "received short PT-TLS header (%d bytes)", len);
+		return NULL;
+	}
+	return read_tls(tls, len - PT_TLS_HEADER_LEN);
+}
+
+/**
+ * Prepend a PT-TLS header to a writer, send data, destroy writer
+ */
+bool pt_tls_write(tls_socket_t *tls, bio_writer_t *writer,
+				  pt_tls_message_type_t type, u_int32_t identifier)
+{
+	bio_writer_t *header;
+	ssize_t len;
+	chunk_t data;
+
+	data =  writer->get_buf(writer);
+	len = PT_TLS_HEADER_LEN + data.len;
+	header = bio_writer_create(len);
+	header->write_uint8(header, 0);
+	header->write_uint24(header, 0);
+	header->write_uint32(header, type);
+	header->write_uint32(header, len);
+	header->write_uint32(header, identifier);
+
+	header->write_data(header, data);
+	writer->destroy(writer);
+
+	data = header->get_buf(header);
+	len = tls->write(tls, data.ptr, data.len);
+	header->destroy(header);
+
+	return len == data.len;
+}
diff --git a/src/libpttls/pt_tls.h b/src/libpttls/pt_tls.h
new file mode 100644
index 000000000..cb8bde05c
--- /dev/null
+++ b/src/libpttls/pt_tls.h
@@ -0,0 +1,109 @@
+/*
+ * Copyright (C) 2012 Martin Willi
+ * Copyright (C) 2012 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup pt_tls pt_tls
+ *
+ * @addtogroup pt_tls
+ * @{
+ */
+
+#ifndef PT_TLS_H_
+#define PT_TLS_H_
+
+#include <bio/bio_reader.h>
+#include <bio/bio_writer.h>
+#include <tls_socket.h>
+
+/**
+ * PT-TLS version we support
+ */
+#define PT_TLS_VERSION 1
+
+/**
+ * Length of a PT-TLS header
+ */
+#define PT_TLS_HEADER_LEN 16
+
+typedef enum pt_tls_message_type_t pt_tls_message_type_t;
+typedef enum pt_tls_sasl_result_t pt_tls_sasl_result_t;
+typedef enum pt_tls_auth_t pt_tls_auth_t;
+
+/**
+ * Message types, as defined by NEA PT-TLS
+ */
+enum pt_tls_message_type_t {
+	PT_TLS_EXPERIMENTAL = 0,
+	PT_TLS_VERSION_REQUEST = 1,
+	PT_TLS_VERSION_RESPONSE = 2,
+	PT_TLS_SASL_MECHS = 3,
+	PT_TLS_SASL_MECH_SELECTION = 4,
+	PT_TLS_SASL_AUTH_DATA = 5,
+	PT_TLS_SASL_RESULT = 6,
+	PT_TLS_PB_TNC_BATCH = 7,
+	PT_TLS_ERROR = 8,
+};
+
+/**
+ * Result code for a single SASL mechansim, as sent in PT_TLS_SASL_RESULT
+ */
+enum pt_tls_sasl_result_t {
+	PT_TLS_SASL_RESULT_SUCCESS = 0,
+	PT_TLS_SASL_RESULT_FAILURE = 1,
+	PT_TLS_SASL_RESULT_ABORT = 2,
+	PT_TLS_SASL_RESULT_MECH_FAILURE = 3,
+};
+
+/**
+ * Client authentication to require as PT-TLS server.
+ */
+enum pt_tls_auth_t {
+	/** don't require TLS client certificate or request SASL authentication */
+	PT_TLS_AUTH_NONE,
+	/** require TLS certificate authentication, no SASL */
+	PT_TLS_AUTH_TLS,
+	/** do SASL regardless of TLS certificate authentication */
+	PT_TLS_AUTH_SASL,
+	/* if client does not authenticate with a TLS certificate, request SASL */
+	PT_TLS_AUTH_TLS_OR_SASL,
+	/* require both, TLS certificate authentication and SASL */
+	PT_TLS_AUTH_TLS_AND_SASL,
+};
+
+/**
+ * Read a PT-TLS message, create reader over Message Value.
+ *
+ * @param tls			TLS socket to read from
+ * @param vendor		receives Message Type Vendor ID from header
+ * @param type			receives Message Type from header
+ * @param identifier	receives Message Identifer
+ * @return				reader over message value, NULL on error
+ */
+bio_reader_t* pt_tls_read(tls_socket_t *tls, u_int32_t *vendor,
+						  u_int32_t *type, u_int32_t *identifier);
+
+/**
+ * Prepend a PT-TLS header to a writer, send data, destroy writer.
+ *
+ * @param tls			TLS socket to write to
+ * @param writer		prepared Message value to write
+ * @param type			Message Type to write
+ * @param identifier	Message Identifier to write
+ * @return				TRUE if data written successfully
+ */
+bool pt_tls_write(tls_socket_t *tls, bio_writer_t *writer,
+				  pt_tls_message_type_t type, u_int32_t identifier);
+
+#endif /** PT_TLS_H_ @}*/
diff --git a/src/libpttls/pt_tls_client.c b/src/libpttls/pt_tls_client.c
new file mode 100644
index 000000000..d3ac936a2
--- /dev/null
+++ b/src/libpttls/pt_tls_client.c
@@ -0,0 +1,497 @@
+/*
+ * Copyright (C) 2012 Martin Willi
+ * Copyright (C) 2012 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "pt_tls_client.h"
+#include "pt_tls.h"
+
+#include <sasl/sasl_mechanism.h>
+
+#include <tls_socket.h>
+#include <utils/debug.h>
+
+#include <errno.h>
+#include <stdio.h>
+#include <unistd.h>
+
+typedef struct private_pt_tls_client_t private_pt_tls_client_t;
+
+/**
+ * Private data of an pt_tls_client_t object.
+ */
+struct private_pt_tls_client_t {
+
+	/**
+	 * Public pt_tls_client_t interface.
+	 */
+	pt_tls_client_t public;
+
+	/**
+	 * TLS secured socket used by PT-TLS
+	 */
+	tls_socket_t *tls;
+
+	/**
+	 * Server address/port
+	 */
+	host_t *address;
+
+	/**
+	 * Server identity
+	 */
+	identification_t *server;
+
+	/**
+	 * Client authentication identity
+	 */
+	identification_t *client;
+
+	/**
+	 * Current PT-TLS message identifier
+	 */
+	u_int32_t identifier;
+};
+
+/**
+ * Establish TLS secured TCP connection to TNC server
+ */
+static bool make_connection(private_pt_tls_client_t *this)
+{
+	int fd;
+
+	fd = socket(this->address->get_family(this->address), SOCK_STREAM, 0);
+	if (fd == -1)
+	{
+		DBG1(DBG_TNC, "opening PT-TLS socket failed: %s", strerror(errno));
+		return FALSE;
+	}
+	if (connect(fd, this->address->get_sockaddr(this->address),
+				*this->address->get_sockaddr_len(this->address)) == -1)
+	{
+		DBG1(DBG_TNC, "connecting to PT-TLS server failed: %s", strerror(errno));
+		close(fd);
+		return FALSE;
+	}
+
+	this->tls = tls_socket_create(FALSE, this->server, this->client, fd, NULL);
+	if (!this->tls)
+	{
+		close(fd);
+		return FALSE;
+	}
+	return TRUE;
+}
+
+/**
+ * Negotiate PT-TLS version
+ */
+static bool negotiate_version(private_pt_tls_client_t *this)
+{
+	bio_writer_t *writer;
+	bio_reader_t *reader;
+	u_int32_t type, vendor, identifier, reserved;
+	u_int8_t version;
+
+	DBG1(DBG_TNC, "sending offer for PT-TLS version %d", PT_TLS_VERSION);
+
+	writer = bio_writer_create(4);
+	writer->write_uint8(writer, 0);
+	writer->write_uint8(writer, PT_TLS_VERSION);
+	writer->write_uint8(writer, PT_TLS_VERSION);
+	writer->write_uint8(writer, PT_TLS_VERSION);
+	if (!pt_tls_write(this->tls, writer, PT_TLS_VERSION_REQUEST,
+					  this->identifier++))
+	{
+		return FALSE;
+	}
+
+	reader = pt_tls_read(this->tls, &vendor, &type, &identifier);
+	if (!reader)
+	{
+		return FALSE;
+	}
+	if (vendor != 0 || type != PT_TLS_VERSION_RESPONSE ||
+		!reader->read_uint24(reader, &reserved) ||
+		!reader->read_uint8(reader, &version) ||
+		version != PT_TLS_VERSION)
+	{
+		DBG1(DBG_TNC, "PT-TLS version negotiation failed");
+		reader->destroy(reader);
+		return FALSE;
+	}
+	reader->destroy(reader);
+	return TRUE;
+}
+
+/**
+ * Run a SASL mechanism
+ */
+static status_t do_sasl(private_pt_tls_client_t *this, sasl_mechanism_t *sasl)
+{
+	u_int32_t type, vendor, identifier;
+	u_int8_t result;
+	bio_reader_t *reader;
+	bio_writer_t *writer;
+	chunk_t data;
+
+	writer = bio_writer_create(32);
+	writer->write_data8(writer, chunk_from_str(sasl->get_name(sasl)));
+	switch (sasl->build(sasl, &data))
+	{
+		case INVALID_STATE:
+			break;
+		case NEED_MORE:
+			writer->write_data(writer, data);
+			free(data.ptr);
+			break;
+		case SUCCESS:
+			/* shouldn't happen */
+			free(data.ptr);
+			/* FALL */
+		case FAILED:
+		default:
+			writer->destroy(writer);
+			return FAILED;
+	}
+	if (!pt_tls_write(this->tls, writer, PT_TLS_SASL_MECH_SELECTION,
+					  this->identifier++))
+	{
+		return FAILED;
+	}
+	while (TRUE)
+	{
+		reader = pt_tls_read(this->tls, &vendor, &type, &identifier);
+		if (!reader)
+		{
+			return FAILED;
+		}
+		if (vendor != 0)
+		{
+			reader->destroy(reader);
+			return FAILED;
+		}
+		switch (type)
+		{
+			case PT_TLS_SASL_AUTH_DATA:
+				switch (sasl->process(sasl, reader->peek(reader)))
+				{
+					case NEED_MORE:
+						reader->destroy(reader);
+						break;
+					case SUCCESS:
+						/* should not happen, as it would come in a RESULT */
+					case FAILED:
+					default:
+						reader->destroy(reader);
+						return FAILED;
+				}
+				break;
+			case PT_TLS_SASL_RESULT:
+				if (!reader->read_uint8(reader, &result))
+				{
+					reader->destroy(reader);
+					return FAILED;
+				}
+				switch (result)
+				{
+					case PT_TLS_SASL_RESULT_ABORT:
+						DBG1(DBG_TNC, "received SASL abort result");
+						reader->destroy(reader);
+						return FAILED;
+					case PT_TLS_SASL_RESULT_SUCCESS:
+						DBG1(DBG_TNC, "received SASL success result");
+						switch (sasl->process(sasl, reader->peek(reader)))
+						{
+							case SUCCESS:
+								reader->destroy(reader);
+								return SUCCESS;
+							case NEED_MORE:
+								/* inacceptable, it won't get more. FALL */
+							case FAILED:
+							default:
+								reader->destroy(reader);
+								return FAILED;
+						}
+						break;
+					case PT_TLS_SASL_RESULT_MECH_FAILURE:
+					case PT_TLS_SASL_RESULT_FAILURE:
+						DBG1(DBG_TNC, "received SASL failure result");
+						/* non-fatal failure, try again */
+						reader->destroy(reader);
+						return NEED_MORE;
+				}
+				/* fall-through */
+			default:
+				reader->destroy(reader);
+				return FAILED;
+		}
+
+		writer = bio_writer_create(32);
+		switch (sasl->build(sasl, &data))
+		{
+			case INVALID_STATE:
+				break;
+			case SUCCESS:
+				/* shoudln't happen, continue until we get a result */
+			case NEED_MORE:
+				writer->write_data(writer, data);
+				free(data.ptr);
+				break;
+			case FAILED:
+			default:
+				writer->destroy(writer);
+				return FAILED;
+		}
+		if (!pt_tls_write(this->tls, writer, PT_TLS_SASL_AUTH_DATA,
+						  this->identifier++))
+		{
+			return FAILED;
+		}
+	}
+}
+
+/**
+ * Read SASL mechanism list, select and run mechanism
+ */
+static status_t select_and_do_sasl(private_pt_tls_client_t *this)
+{
+	bio_reader_t *reader;
+	sasl_mechanism_t *sasl = NULL;
+	u_int32_t type, vendor, identifier;
+	u_int8_t len;
+	chunk_t chunk;
+	char buf[21];
+	status_t status = NEED_MORE;
+
+	reader = pt_tls_read(this->tls, &vendor, &type, &identifier);
+	if (!reader)
+	{
+		return FAILED;
+	}
+	if (vendor != 0 || type != PT_TLS_SASL_MECHS)
+	{
+		reader->destroy(reader);
+		return FAILED;
+	}
+	if (!reader->remaining(reader))
+	{	/* mechanism list empty, SASL completed */
+		DBG1(DBG_TNC, "PT-TLS authentication complete");
+		reader->destroy(reader);
+		return SUCCESS;
+	}
+	while (reader->remaining(reader))
+	{
+		if (!reader->read_uint8(reader, &len) ||
+			!reader->read_data(reader, len & 0x1F, &chunk))
+		{
+			reader->destroy(reader);
+			return FAILED;
+		}
+		snprintf(buf, sizeof(buf), "%.*s", (int)chunk.len, chunk.ptr);
+		sasl = sasl_mechanism_create(buf, this->client);
+		if (sasl)
+		{
+			break;
+		}
+	}
+	reader->destroy(reader);
+
+	if (!sasl)
+	{
+		/* TODO: send PT-TLS error (5) */
+		return FAILED;
+	}
+	while (status == NEED_MORE)
+	{
+		status = do_sasl(this, sasl);
+	}
+	sasl->destroy(sasl);
+	if (status == SUCCESS)
+	{	/* continue until we receive empty SASL mechanism list */
+		return NEED_MORE;
+	}
+	return FAILED;
+}
+
+/**
+ * Authenticate session using SASL
+ */
+static bool authenticate(private_pt_tls_client_t *this)
+{
+	while (TRUE)
+	{
+		switch (select_and_do_sasl(this))
+		{
+			case NEED_MORE:
+				continue;
+			case SUCCESS:
+				return TRUE;
+			case FAILED:
+			default:
+				return FALSE;
+		}
+	}
+}
+
+/**
+ * Perform assessment
+ */
+static bool assess(private_pt_tls_client_t *this, tls_t *tnccs)
+{
+	while (TRUE)
+	{
+		bio_writer_t *writer;
+		bio_reader_t *reader;
+		u_int32_t vendor, type, identifier;
+		chunk_t data;
+
+		writer = bio_writer_create(32);
+		while (TRUE)
+		{
+			char buf[2048];
+			size_t buflen, msglen;
+
+			buflen = sizeof(buf);
+			switch (tnccs->build(tnccs, buf, &buflen, &msglen))
+			{
+				case SUCCESS:
+					writer->destroy(writer);
+					return tnccs->is_complete(tnccs);
+				case FAILED:
+				default:
+					writer->destroy(writer);
+					return FALSE;
+				case INVALID_STATE:
+					writer->destroy(writer);
+					break;
+				case NEED_MORE:
+					writer->write_data(writer, chunk_create(buf, buflen));
+					continue;
+				case ALREADY_DONE:
+					writer->write_data(writer, chunk_create(buf, buflen));
+					if (!pt_tls_write(this->tls, writer, PT_TLS_PB_TNC_BATCH,
+									  this->identifier++))
+					{
+						return FALSE;
+					}
+					writer = bio_writer_create(32);
+					continue;
+			}
+			break;
+		}
+
+		reader = pt_tls_read(this->tls, &vendor, &type, &identifier);
+		if (!reader)
+		{
+			return FALSE;
+		}
+		if (vendor == 0)
+		{
+			if (type == PT_TLS_ERROR)
+			{
+				DBG1(DBG_TNC, "received PT-TLS error");
+				reader->destroy(reader);
+				return FALSE;
+			}
+			if (type != PT_TLS_PB_TNC_BATCH)
+			{
+				DBG1(DBG_TNC, "unexpected PT-TLS message: %d", type);
+				reader->destroy(reader);
+				return FALSE;
+			}
+			data = reader->peek(reader);
+			switch (tnccs->process(tnccs, data.ptr, data.len))
+			{
+				case SUCCESS:
+					reader->destroy(reader);
+					return tnccs->is_complete(tnccs);
+				case FAILED:
+				default:
+					reader->destroy(reader);
+					return FALSE;
+				case NEED_MORE:
+					break;
+			}
+		}
+		else
+		{
+			DBG1(DBG_TNC, "ignoring vendor specific PT-TLS message");
+		}
+		reader->destroy(reader);
+	}
+}
+
+METHOD(pt_tls_client_t, run_assessment, status_t,
+	private_pt_tls_client_t *this, tnccs_t *tnccs)
+{
+	if (!this->tls)
+	{
+		if (!make_connection(this))
+		{
+			return FAILED;
+		}
+	}
+	if (!negotiate_version(this))
+	{
+		return FAILED;
+	}
+	if (!authenticate(this))
+	{
+		return FAILED;
+	}
+	if (!assess(this, (tls_t*)tnccs))
+	{
+		return FAILED;
+	}
+	return SUCCESS;
+}
+
+
+METHOD(pt_tls_client_t, destroy, void,
+	private_pt_tls_client_t *this)
+{
+	if (this->tls)
+	{
+		int fd;
+
+		fd = this->tls->get_fd(this->tls);
+		this->tls->destroy(this->tls);
+		close(fd);
+	}
+	this->address->destroy(this->address);
+	this->server->destroy(this->server);
+	this->client->destroy(this->client);
+	free(this);
+}
+
+/**
+ * See header
+ */
+pt_tls_client_t *pt_tls_client_create(host_t *address, identification_t *server,
+									  identification_t *client)
+{
+	private_pt_tls_client_t *this;
+
+	INIT(this,
+		.public = {
+			.run_assessment = _run_assessment,
+			.destroy = _destroy,
+		},
+		.address = address,
+		.server = server,
+		.client = client,
+	);
+
+	return &this->public;
+}
diff --git a/src/libpttls/pt_tls_client.h b/src/libpttls/pt_tls_client.h
new file mode 100644
index 000000000..1d418d181
--- /dev/null
+++ b/src/libpttls/pt_tls_client.h
@@ -0,0 +1,65 @@
+/*
+ * Copyright (C) 2012 Martin Willi
+ * Copyright (C) 2012 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup pt_tls_client pt_tls_client
+ * @{ @ingroup pt_tls
+ */
+
+#ifndef PT_TLS_CLIENT_H_
+#define PT_TLS_CLIENT_H_
+
+#include <networking/host.h>
+#include <utils/identification.h>
+
+#include <tnc/tnccs/tnccs.h>
+
+typedef struct pt_tls_client_t pt_tls_client_t;
+
+/**
+ * IF-T for TLS aka PT-TLS transport client.
+ */
+struct pt_tls_client_t {
+
+	/**
+	 * Perform an assessment.
+	 *
+	 * @param tnccs		upper layer TNC client used for assessment
+	 * @return			status of assessment
+	 */
+	status_t (*run_assessment)(pt_tls_client_t *this, tnccs_t *tnccs);
+
+	/**
+	 * Destroy a pt_tls_client_t.
+	 */
+	void (*destroy)(pt_tls_client_t *this);
+};
+
+/**
+ * Create a pt_tls_client instance.
+ *
+ * The client identity is used for:
+ * - TLS authentication if an appropirate certificate is found
+ * - SASL authentication if requested from the server
+ *
+ * @param address		address/port to run assessments against, gets owned
+ * @param server		server identity to use for authentication, gets owned
+ * @param client		client identity to use for authentication, gets owned
+ * @return				PT-TLS context
+ */
+pt_tls_client_t *pt_tls_client_create(host_t *address, identification_t *server,
+									  identification_t *client);
+
+#endif /** PT_TLS_CLIENT_H_ @}*/
diff --git a/src/libpttls/pt_tls_dispatcher.c b/src/libpttls/pt_tls_dispatcher.c
new file mode 100644
index 000000000..469951616
--- /dev/null
+++ b/src/libpttls/pt_tls_dispatcher.c
@@ -0,0 +1,204 @@
+/*
+ * Copyright (C) 2012 Martin Willi
+ * Copyright (C) 2012 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "pt_tls_dispatcher.h"
+#include "pt_tls_server.h"
+
+#include <threading/thread.h>
+#include <utils/debug.h>
+#include <processing/jobs/callback_job.h>
+
+#include <errno.h>
+#include <string.h>
+#include <unistd.h>
+
+typedef struct private_pt_tls_dispatcher_t private_pt_tls_dispatcher_t;
+
+/**
+ * Private data of an pt_tls_dispatcher_t object.
+ */
+struct private_pt_tls_dispatcher_t {
+
+	/**
+	 * Public pt_tls_dispatcher_t interface.
+	 */
+	pt_tls_dispatcher_t public;
+
+	/**
+	 * Listening socket
+	 */
+	int fd;
+
+	/**
+	 * Client authentication requirements
+	 */
+	pt_tls_auth_t auth;
+
+	/**
+	 * Server identity
+	 */
+	identification_t *server;
+
+	/**
+	 * Peer identity
+	 */
+	identification_t *peer;
+
+	/**
+	 * TNCCS protocol handler constructor
+	 */
+	pt_tls_tnccs_constructor_t *create;
+};
+
+/**
+ * Open listening server socket
+ */
+static bool open_socket(private_pt_tls_dispatcher_t *this, host_t *host)
+{
+	this->fd = socket(AF_INET, SOCK_STREAM, 0);
+	if (this->fd == -1)
+	{
+		DBG1(DBG_TNC, "opening PT-TLS socket failed: %s", strerror(errno));
+		return FALSE;
+	}
+	if (bind(this->fd, host->get_sockaddr(host),
+			 *host->get_sockaddr_len(host)) == -1)
+	{
+		DBG1(DBG_TNC, "binding to PT-TLS socket failed: %s", strerror(errno));
+		return FALSE;
+	}
+	if (listen(this->fd, 5) == -1)
+	{
+		DBG1(DBG_TNC, "listen on PT-TLS socket failed: %s", strerror(errno));
+		return FALSE;
+	}
+	return TRUE;
+}
+
+/**
+ * Handle a single PT-TLS client connection
+ */
+static job_requeue_t handle(pt_tls_server_t *connection)
+{
+	while (TRUE)
+	{
+		switch (connection->handle(connection))
+		{
+			case NEED_MORE:
+				continue;
+			case FAILED:
+			case SUCCESS:
+			default:
+				break;
+		}
+		break;
+	}
+	return JOB_REQUEUE_NONE;
+}
+
+/**
+ * Clean up connection state
+ */
+static void cleanup(pt_tls_server_t *connection)
+{
+	int fd;
+
+	fd = connection->get_fd(connection);
+	connection->destroy(connection);
+	close(fd);
+}
+
+METHOD(pt_tls_dispatcher_t, dispatch, void,
+	private_pt_tls_dispatcher_t *this,
+	pt_tls_tnccs_constructor_t *create)
+{
+	while (TRUE)
+	{
+		pt_tls_server_t *connection;
+		tnccs_t *tnccs;
+		bool old;
+		int fd;
+
+		old = thread_cancelability(TRUE);
+		fd = accept(this->fd, NULL, NULL);
+		thread_cancelability(old);
+		if (fd == -1)
+		{
+			DBG1(DBG_TNC, "accepting PT-TLS failed: %s", strerror(errno));
+			continue;
+		}
+
+		tnccs = create(this->server, this->peer);
+		if (!tnccs)
+		{
+			close(fd);
+			continue;
+		}
+		connection = pt_tls_server_create(this->server, fd, this->auth, tnccs);
+		if (!connection)
+		{
+			close(fd);
+			continue;
+		}
+		lib->processor->queue_job(lib->processor,
+				(job_t*)callback_job_create_with_prio((callback_job_cb_t)handle,
+										connection, (void*)cleanup,
+										(callback_job_cancel_t)return_false,
+										JOB_PRIO_CRITICAL));
+	}
+}
+
+METHOD(pt_tls_dispatcher_t, destroy, void,
+	private_pt_tls_dispatcher_t *this)
+{
+	if (this->fd != -1)
+	{
+		close(this->fd);
+	}
+	this->server->destroy(this->server);
+	this->peer->destroy(this->peer);
+	free(this);
+}
+
+/**
+ * See header
+ */
+pt_tls_dispatcher_t *pt_tls_dispatcher_create(host_t *address,
+									identification_t *id, pt_tls_auth_t auth)
+{
+	private_pt_tls_dispatcher_t *this;
+
+	INIT(this,
+		.public = {
+			.dispatch = _dispatch,
+			.destroy = _destroy,
+		},
+		.server = id,
+		/* we currently don't authenticate the peer, use %any identity */
+		.peer = identification_create_from_encoding(ID_ANY, chunk_empty),
+		.fd = -1,
+		.auth = auth,
+	);
+
+	if (!open_socket(this, address))
+	{
+		address->destroy(address);
+		destroy(this);
+		return NULL;
+	}
+	address->destroy(address);
+
+	return &this->public;
+}
diff --git a/src/libpttls/pt_tls_dispatcher.h b/src/libpttls/pt_tls_dispatcher.h
new file mode 100644
index 000000000..080197263
--- /dev/null
+++ b/src/libpttls/pt_tls_dispatcher.h
@@ -0,0 +1,75 @@
+/*
+ * Copyright (C) 2012 Martin Willi
+ * Copyright (C) 2012 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup pt_tls_dispatcher pt_tls_dispatcher
+ * @{ @ingroup pt_tls
+ */
+
+#ifndef PT_TLS_DISPATCHER_H_
+#define PT_TLS_DISPATCHER_H_
+
+#include <networking/host.h>
+#include <utils/identification.h>
+
+#include <tnc/tnccs/tnccs.h>
+
+#include "pt_tls.h"
+
+typedef struct pt_tls_dispatcher_t pt_tls_dispatcher_t;
+
+/**
+ * Constructor callback to create TNCCS to use within PT-TLS.
+ *
+ * @param server			server identity
+ * @param peer				peer identity
+ */
+typedef tnccs_t* (pt_tls_tnccs_constructor_t)(identification_t *server,
+											  identification_t *peer);
+
+/**
+ * PT-TLS dispatcher service, handles PT-TLS connections as a server.
+ */
+struct pt_tls_dispatcher_t {
+
+	/**
+	 * Dispatch and handle PT-TLS connections.
+	 *
+	 * This call is blocking and a thread cancellation point. The passed
+	 * constructor gets called for each dispatched connection.
+	 *
+	 * @param create		TNCCS constructor function to use
+	 */
+	void (*dispatch)(pt_tls_dispatcher_t *this,
+					 pt_tls_tnccs_constructor_t *create);
+
+	/**
+	 * Destroy a pt_tls_dispatcher_t.
+	 */
+	void (*destroy)(pt_tls_dispatcher_t *this);
+};
+
+/**
+ * Create a pt_tls_dispatcher instance.
+ *
+ * @param address		server address with port to listen on, gets owned
+ * @param id			TLS server identity, gets owned
+ * @param auth			client authentication to perform
+ * @return				dispatcher service
+ */
+pt_tls_dispatcher_t *pt_tls_dispatcher_create(host_t *address,
+									identification_t *id, pt_tls_auth_t auth);
+
+#endif /** PT_TLS_DISPATCHER_H_ @}*/
diff --git a/src/libpttls/pt_tls_server.c b/src/libpttls/pt_tls_server.c
new file mode 100644
index 000000000..3e134f0dd
--- /dev/null
+++ b/src/libpttls/pt_tls_server.c
@@ -0,0 +1,544 @@
+/*
+ * Copyright (C) 2012 Martin Willi
+ * Copyright (C) 2012 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "pt_tls_server.h"
+
+#include <sasl/sasl_mechanism.h>
+
+#include <utils/debug.h>
+
+typedef struct private_pt_tls_server_t private_pt_tls_server_t;
+
+/**
+ * Private data of an pt_tls_server_t object.
+ */
+struct private_pt_tls_server_t {
+
+	/**
+	 * Public pt_tls_server_t interface.
+	 */
+	pt_tls_server_t public;
+
+	/**
+	 * TLS protected socket
+	 */
+	tls_socket_t *tls;
+
+	/**
+	 * Client authentication requirements
+	 */
+	pt_tls_auth_t auth;
+
+	enum {
+		/* expecting version negotiation */
+		PT_TLS_SERVER_VERSION,
+		/* expecting an SASL exchange */
+		PT_TLS_SERVER_AUTH,
+		/* expecting TNCCS exchange */
+		PT_TLS_SERVER_TNCCS,
+		/* terminating state */
+		PT_TLS_SERVER_END,
+	} state;
+
+	/**
+	 * Message Identifier
+	 */
+	u_int32_t identifier;
+
+	/**
+	 * TNCCS protocol handler, implemented as tls_t
+	 */
+	tls_t *tnccs;
+};
+
+/**
+ * Negotiate PT-TLS version
+ */
+static bool negotiate_version(private_pt_tls_server_t *this)
+{
+	bio_reader_t *reader;
+	bio_writer_t *writer;
+	u_int32_t vendor, type, identifier;
+	u_int8_t reserved, vmin, vmax, vpref;
+
+	reader = pt_tls_read(this->tls, &vendor, &type, &identifier);
+	if (!reader)
+	{
+		return FALSE;
+	}
+	if (vendor != 0 || type != PT_TLS_VERSION_REQUEST ||
+		!reader->read_uint8(reader, &reserved) ||
+		!reader->read_uint8(reader, &vmin) ||
+		!reader->read_uint8(reader, &vmax) ||
+		!reader->read_uint8(reader, &vpref))
+	{
+		DBG1(DBG_TNC, "PT-TLS version negotiation failed");
+		reader->destroy(reader);
+		return FALSE;
+	}
+	reader->destroy(reader);
+
+	if (vmin > PT_TLS_VERSION || vmax < PT_TLS_VERSION)
+	{
+		/* TODO: send error */
+		return FALSE;
+	}
+
+	writer = bio_writer_create(4);
+	writer->write_uint24(writer, 0);
+	writer->write_uint8(writer, PT_TLS_VERSION);
+
+	return pt_tls_write(this->tls, writer, PT_TLS_VERSION_RESPONSE,
+						this->identifier++);
+}
+
+/**
+ * Process SASL data, send result
+ */
+static status_t process_sasl(private_pt_tls_server_t *this,
+							 sasl_mechanism_t *sasl, chunk_t data)
+{
+	bio_writer_t *writer;
+
+	switch (sasl->process(sasl, data))
+	{
+		case NEED_MORE:
+			return NEED_MORE;
+		case SUCCESS:
+			DBG1(DBG_TNC, "SASL %s authentication successful",
+				 sasl->get_name(sasl));
+			writer = bio_writer_create(1);
+			writer->write_uint8(writer, PT_TLS_SASL_RESULT_SUCCESS);
+			if (pt_tls_write(this->tls, writer, PT_TLS_SASL_RESULT,
+							 this->identifier++))
+			{
+				return SUCCESS;
+			}
+			return FAILED;
+		case FAILED:
+		default:
+			DBG1(DBG_TNC, "SASL %s authentication failed",
+				 sasl->get_name(sasl));
+			writer = bio_writer_create(1);
+			/* sending abort does not allow the client to retry */
+			writer->write_uint8(writer, PT_TLS_SASL_RESULT_ABORT);
+			pt_tls_write(this->tls, writer, PT_TLS_SASL_RESULT,
+						 this->identifier++);
+			return FAILED;
+	}
+}
+
+/**
+ * Read a SASL message and process it
+ */
+static status_t read_sasl(private_pt_tls_server_t *this,
+						  sasl_mechanism_t *sasl)
+{
+	u_int32_t vendor, type, identifier;
+	bio_reader_t *reader;
+	status_t status;
+	chunk_t data;
+
+	reader = pt_tls_read(this->tls, &vendor, &type, &identifier);
+	if (!reader)
+	{
+		return FAILED;
+	}
+	if (vendor != 0 || type != PT_TLS_SASL_AUTH_DATA ||
+		!reader->read_data(reader, reader->remaining(reader), &data))
+	{
+		reader->destroy(reader);
+		return FAILED;
+	}
+	status = process_sasl(this, sasl, data);
+	reader->destroy(reader);
+	return status;
+}
+
+/**
+ * Build and write SASL message, or result message
+ */
+static status_t write_sasl(private_pt_tls_server_t *this,
+						   sasl_mechanism_t *sasl)
+{
+	bio_writer_t *writer;
+	chunk_t chunk;
+
+	switch (sasl->build(sasl, &chunk))
+	{
+		case NEED_MORE:
+			writer = bio_writer_create(chunk.len);
+			writer->write_data(writer, chunk);
+			free(chunk.ptr);
+			if (pt_tls_write(this->tls, writer, PT_TLS_SASL_AUTH_DATA,
+							 this->identifier++))
+			{
+				return NEED_MORE;
+			}
+			return FAILED;
+		case SUCCESS:
+			DBG1(DBG_TNC, "SASL %s authentication successful",
+				 sasl->get_name(sasl));
+			writer = bio_writer_create(1 + chunk.len);
+			writer->write_uint8(writer, PT_TLS_SASL_RESULT_SUCCESS);
+			writer->write_data(writer, chunk);
+			free(chunk.ptr);
+			if (pt_tls_write(this->tls, writer, PT_TLS_SASL_RESULT,
+							 this->identifier++))
+			{
+				return SUCCESS;
+			}
+			return FAILED;
+		case FAILED:
+		default:
+			DBG1(DBG_TNC, "SASL %s authentication failed",
+				 sasl->get_name(sasl));
+			writer = bio_writer_create(1);
+			/* sending abort does not allow the client to retry */
+			writer->write_uint8(writer, PT_TLS_SASL_RESULT_ABORT);
+			pt_tls_write(this->tls, writer, PT_TLS_SASL_RESULT,
+						 this->identifier++);
+			return FAILED;
+	}
+}
+
+/**
+ * Send the list of supported SASL mechanisms
+ */
+static bool send_sasl_mechs(private_pt_tls_server_t *this)
+{
+	enumerator_t *enumerator;
+	bio_writer_t *writer = NULL;
+	char *name;
+
+	enumerator = sasl_mechanism_create_enumerator(TRUE);
+	while (enumerator->enumerate(enumerator, &name))
+	{
+		if (!writer)
+		{
+			writer = bio_writer_create(32);
+		}
+		DBG1(DBG_TNC, "offering SASL %s", name);
+		writer->write_data8(writer, chunk_from_str(name));
+	}
+	enumerator->destroy(enumerator);
+
+	if (!writer)
+	{	/* no mechanisms available? */
+		return FALSE;
+	}
+	return pt_tls_write(this->tls, writer, PT_TLS_SASL_MECHS,
+						this->identifier++);
+}
+
+/**
+ * Read the selected SASL mechanism, and process piggybacked data
+ */
+static status_t read_sasl_mech_selection(private_pt_tls_server_t *this,
+										 sasl_mechanism_t **out)
+{
+	u_int32_t vendor, type, identifier;
+	sasl_mechanism_t *sasl;
+	bio_reader_t *reader;
+	chunk_t chunk;
+	u_int8_t len;
+	char buf[21];
+
+	reader = pt_tls_read(this->tls, &vendor, &type, &identifier);
+	if (!reader)
+	{
+		return FAILED;
+	}
+	if (vendor != 0 || type != PT_TLS_SASL_MECH_SELECTION ||
+		!reader->read_uint8(reader, &len) ||
+		!reader->read_data(reader, len & 0x1F, &chunk))
+	{
+		reader->destroy(reader);
+		return FAILED;
+	}
+	snprintf(buf, sizeof(buf), "%.*s", (int)chunk.len, chunk.ptr);
+
+	DBG1(DBG_TNC, "client starts SASL %s authentication", buf);
+
+	sasl = sasl_mechanism_create(buf, NULL);
+	if (!sasl)
+	{
+		reader->destroy(reader);
+		return FAILED;
+	}
+	/* initial SASL data piggybacked? */
+	if (reader->remaining(reader))
+	{
+		switch (process_sasl(this, sasl, reader->peek(reader)))
+		{
+			case NEED_MORE:
+				break;
+			case SUCCESS:
+				reader->destroy(reader);
+				*out = sasl;
+				return SUCCESS;
+			case FAILED:
+			default:
+				reader->destroy(reader);
+				sasl->destroy(sasl);
+				return FAILED;
+		}
+	}
+	reader->destroy(reader);
+	*out = sasl;
+	return NEED_MORE;
+}
+
+/**
+ * Do a single SASL exchange
+ */
+static bool do_sasl(private_pt_tls_server_t *this)
+{
+	sasl_mechanism_t *sasl;
+	status_t status;
+
+	switch (this->auth)
+	{
+		case PT_TLS_AUTH_NONE:
+			return TRUE;
+		case PT_TLS_AUTH_TLS:
+			if (this->tls->get_peer_id(this->tls))
+			{
+				return TRUE;
+			}
+			DBG1(DBG_TNC, "requiring TLS certificate client authentication");
+			return FALSE;
+		case PT_TLS_AUTH_SASL:
+			break;
+		case PT_TLS_AUTH_TLS_OR_SASL:
+			if (this->tls->get_peer_id(this->tls))
+			{
+				DBG1(DBG_TNC, "skipping SASL, client authenticated with TLS "
+					 "certificate");
+				return TRUE;
+			}
+			break;
+		case PT_TLS_AUTH_TLS_AND_SASL:
+		default:
+			if (!this->tls->get_peer_id(this->tls))
+			{
+				DBG1(DBG_TNC, "requiring TLS certificate client authentication");
+				return FALSE;
+			}
+			break;
+	}
+
+	if (!send_sasl_mechs(this))
+	{
+		return FALSE;
+	}
+	status = read_sasl_mech_selection(this, &sasl);
+	if (status == FAILED)
+	{
+		return FALSE;
+	}
+	while (status == NEED_MORE)
+	{
+		status = write_sasl(this, sasl);
+		if (status == NEED_MORE)
+		{
+			status = read_sasl(this, sasl);
+		}
+	}
+	sasl->destroy(sasl);
+	return status == SUCCESS;
+}
+
+/**
+ * Authenticated PT-TLS session with a single SASL method
+ */
+static bool authenticate(private_pt_tls_server_t *this)
+{
+	if (do_sasl(this))
+	{
+		/* complete SASL with emtpy mechanism list */
+		bio_writer_t *writer;
+
+		writer = bio_writer_create(0);
+		return pt_tls_write(this->tls, writer, PT_TLS_SASL_MECHS,
+							this->identifier++);
+	}
+	return FALSE;
+}
+
+/**
+ * Perform assessment
+ */
+static bool assess(private_pt_tls_server_t *this, tls_t *tnccs)
+{
+	while (TRUE)
+	{
+		bio_writer_t *writer;
+		bio_reader_t *reader;
+		u_int32_t vendor, type, identifier;
+		chunk_t data;
+
+		writer = bio_writer_create(32);
+		while (TRUE)
+		{
+			char buf[2048];
+			size_t buflen, msglen;
+
+			buflen = sizeof(buf);
+			switch (tnccs->build(tnccs, buf, &buflen, &msglen))
+			{
+				case SUCCESS:
+					writer->destroy(writer);
+					return tnccs->is_complete(tnccs);
+				case FAILED:
+				default:
+					writer->destroy(writer);
+					return FALSE;
+				case INVALID_STATE:
+					writer->destroy(writer);
+					break;
+				case NEED_MORE:
+					writer->write_data(writer, chunk_create(buf, buflen));
+					continue;
+				case ALREADY_DONE:
+					writer->write_data(writer, chunk_create(buf, buflen));
+					if (!pt_tls_write(this->tls, writer, PT_TLS_PB_TNC_BATCH,
+									  this->identifier++))
+					{
+						return FALSE;
+					}
+					writer = bio_writer_create(32);
+					continue;
+			}
+			break;
+		}
+
+		reader = pt_tls_read(this->tls, &vendor, &type, &identifier);
+		if (!reader)
+		{
+			return FALSE;
+		}
+		if (vendor == 0)
+		{
+			if (type == PT_TLS_ERROR)
+			{
+				DBG1(DBG_TNC, "received PT-TLS error");
+				reader->destroy(reader);
+				return FALSE;
+			}
+			if (type != PT_TLS_PB_TNC_BATCH)
+			{
+				DBG1(DBG_TNC, "unexpected PT-TLS message: %d", type);
+				reader->destroy(reader);
+				return FALSE;
+			}
+			data = reader->peek(reader);
+			switch (tnccs->process(tnccs, data.ptr, data.len))
+			{
+				case SUCCESS:
+					reader->destroy(reader);
+					return tnccs->is_complete(tnccs);
+				case FAILED:
+				default:
+					reader->destroy(reader);
+					return FALSE;
+				case NEED_MORE:
+					break;
+			}
+		}
+		else
+		{
+			DBG1(DBG_TNC, "ignoring vendor specific PT-TLS message");
+		}
+		reader->destroy(reader);
+	}
+}
+
+METHOD(pt_tls_server_t, handle, status_t,
+	private_pt_tls_server_t *this)
+{
+	switch (this->state)
+	{
+		case PT_TLS_SERVER_VERSION:
+			if (!negotiate_version(this))
+			{
+				return FAILED;
+			}
+			DBG1(DBG_TNC, "negotiated PT-TLS version %d", PT_TLS_VERSION);
+			this->state = PT_TLS_SERVER_AUTH;
+			break;
+		case PT_TLS_SERVER_AUTH:
+			if (!authenticate(this))
+			{
+				return FAILED;
+			}
+			this->state = PT_TLS_SERVER_TNCCS;
+			break;
+		case PT_TLS_SERVER_TNCCS:
+			if (!assess(this, (tls_t*)this->tnccs))
+			{
+				return FAILED;
+			}
+			this->state = PT_TLS_SERVER_END;
+			return SUCCESS;
+		default:
+			return FAILED;
+	}
+	return NEED_MORE;
+}
+
+METHOD(pt_tls_server_t, get_fd, int,
+	private_pt_tls_server_t *this)
+{
+	return this->tls->get_fd(this->tls);
+}
+
+METHOD(pt_tls_server_t, destroy, void,
+	private_pt_tls_server_t *this)
+{
+	this->tnccs->destroy(this->tnccs);
+	this->tls->destroy(this->tls);
+	free(this);
+}
+
+/**
+ * See header
+ */
+pt_tls_server_t *pt_tls_server_create(identification_t *server, int fd,
+									  pt_tls_auth_t auth, tnccs_t *tnccs)
+{
+	private_pt_tls_server_t *this;
+
+	INIT(this,
+		.public = {
+			.handle = _handle,
+			.get_fd = _get_fd,
+			.destroy = _destroy,
+		},
+		.state = PT_TLS_SERVER_VERSION,
+		.tls = tls_socket_create(TRUE, server, NULL, fd, NULL),
+		.tnccs = (tls_t*)tnccs,
+		.auth = auth,
+	);
+
+	if (!this->tls)
+	{
+		this->tnccs->destroy(this->tnccs);
+		free(this);
+		return NULL;
+	}
+
+	return &this->public;
+}
diff --git a/src/libpttls/pt_tls_server.h b/src/libpttls/pt_tls_server.h
new file mode 100644
index 000000000..3e18aee8f
--- /dev/null
+++ b/src/libpttls/pt_tls_server.h
@@ -0,0 +1,72 @@
+/*
+ * Copyright (C) 2012 Martin Willi
+ * Copyright (C) 2012 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup pt_tls_server pt_tls_server
+ * @{ @ingroup pt_tls
+ */
+
+#ifndef PT_TLS_SERVER_H_
+#define PT_TLS_SERVER_H_
+
+#include <utils/identification.h>
+
+#include <tnc/tnccs/tnccs.h>
+
+#include "pt_tls.h"
+
+typedef struct pt_tls_server_t pt_tls_server_t;
+
+/**
+ * IF-T for TLS aka PT-TLS transport server.
+ */
+struct pt_tls_server_t {
+
+	/**
+	 * Handle assessment data read from socket.
+	 *
+	 * @return
+	 *						- NEED_MORE if more exchanges required,
+	 *						- SUCCESS if assessment complete
+	 *						- FAILED if assessment failed
+	 */
+	status_t (*handle)(pt_tls_server_t *this);
+
+	/**
+	 * Get the underlying client connection socket.
+	 *
+	 * @return			socket fd, suitable to select()
+	 */
+	int (*get_fd)(pt_tls_server_t *this);
+
+	/**
+	 * Destroy a pt_tls_server_t.
+	 */
+	void (*destroy)(pt_tls_server_t *this);
+};
+
+/**
+ * Create a pt_tls_server connection instance.
+ *
+ * @param server	TLS server identity
+ * @param fd		client connection socket
+ * @param auth		client authentication requirements
+ * @param tnccs		inner TNCCS protocol handler to use for this connection
+ * @return			PT-TLS server
+ */
+pt_tls_server_t *pt_tls_server_create(identification_t *server, int fd,
+									  pt_tls_auth_t auth, tnccs_t *tnccs);
+
+#endif /** PT_TLS_SERVER_H_ @}*/
diff --git a/src/libpttls/sasl/sasl_mechanism.c b/src/libpttls/sasl/sasl_mechanism.c
new file mode 100644
index 000000000..05a02e56d
--- /dev/null
+++ b/src/libpttls/sasl/sasl_mechanism.c
@@ -0,0 +1,92 @@
+/*
+ * Copyright (C) 2013 Martin Willi
+ * Copyright (C) 2013 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "sasl_mechanism.h"
+
+#include "sasl_plain/sasl_plain.h"
+
+/**
+ * Available SASL mechanisms.
+ */
+static struct {
+	char *name;
+	bool server;
+	sasl_mechanism_constructor_t create;
+} mechs[] = {
+	{ "PLAIN",		TRUE,	(sasl_mechanism_constructor_t)sasl_plain_create	},
+	{ "PLAIN",		FALSE,	(sasl_mechanism_constructor_t)sasl_plain_create	},
+};
+
+/**
+ * See header.
+ */
+sasl_mechanism_t *sasl_mechanism_create(char *name, identification_t *client)
+{
+	int i;
+
+	for (i = 0; i < countof(mechs); i++)
+	{
+		if (streq(mechs[i].name, name) && mechs[i].server == (client == NULL))
+		{
+			return mechs[i].create(name, client);
+		}
+	}
+	return NULL;
+}
+
+/**
+ * SASL mechanism enumerator
+ */
+typedef struct {
+	/** implements enumerator_t */
+	enumerator_t public;
+	/** looking for client or server? */
+	bool server;
+	/** position in mechs[] */
+	int i;
+} mech_enumerator_t;
+
+METHOD(enumerator_t, mech_enumerate, bool,
+	mech_enumerator_t *this, char **name)
+{
+	while (this->i < countof(mechs))
+	{
+		if (mechs[this->i].server == this->server)
+		{
+			*name = mechs[this->i].name;
+			this->i++;
+			return TRUE;
+		}
+		this->i++;
+	}
+	return FALSE;
+}
+
+/**
+ * See header.
+ */
+enumerator_t* sasl_mechanism_create_enumerator(bool server)
+{
+	mech_enumerator_t *enumerator;
+
+	INIT(enumerator,
+		.public = {
+			.enumerate = (void*)_mech_enumerate,
+			.destroy = (void*)free,
+		},
+		.server = server,
+	);
+	return &enumerator->public;
+}
diff --git a/src/libpttls/sasl/sasl_mechanism.h b/src/libpttls/sasl/sasl_mechanism.h
new file mode 100644
index 000000000..1a23a119e
--- /dev/null
+++ b/src/libpttls/sasl/sasl_mechanism.h
@@ -0,0 +1,103 @@
+/*
+ * Copyright (C) 2013 Martin Willi
+ * Copyright (C) 2013 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup sasl_mechanism sasl_mechanism
+ * @{ @ingroup sasl
+ */
+
+#ifndef SASL_MECHANISM_H_
+#define SASL_MECHANISM_H_
+
+typedef struct sasl_mechanism_t sasl_mechanism_t;
+
+#include <library.h>
+
+/**
+ * Constructor function for SASL mechansims.
+ *
+ * @param name			name of the requested SASL mechanism
+ * @param client		client identity, NULL to act as server
+ * @return				SASL mechanism, NULL on failure
+ */
+typedef sasl_mechanism_t*(*sasl_mechanism_constructor_t)(char *name,
+													identification_t *client);
+
+/**
+ * Generic interface for SASL mechanisms.
+ */
+struct sasl_mechanism_t {
+
+	/**
+	 * Get the name of this SASL mechanism.
+	 *
+	 * @return			name of SASL mechanism
+	 */
+	char* (*get_name)(sasl_mechanism_t *this);
+
+	/**
+	 * Build a SASL message to send to remote host.
+	 *
+	 * A message is returned if the return value is NEED_MORE or SUCCESS. A
+	 * client MUST NOT return SUCCESS in build(), as the final message
+	 * is always from server to client (even if it is an empty result message).
+	 *
+	 * @param message	receives allocated SASL message, to free
+	 * @return
+	 *					- FAILED if mechanism failed
+	 *					- NEED_MORE if additional exchanges required
+	 *					- INVALID_STATE if currently nothing to build
+	 *					- SUCCESS if mechanism authenticated successfully
+	 */
+	status_t (*build)(sasl_mechanism_t *this, chunk_t *message);
+
+	/**
+	 * Process a SASL message received from remote host.
+	 *
+	 * If a server returns SUCCESS during process(), an empty result message
+	 * is sent to complete the SASL exchange.
+	 *
+	 * @param message	received SASL message to process
+	 * @return
+	 *					- FAILED if mechanism failed
+	 *					- NEED_MORE if additional exchanges required
+	 *					- SUCCESS if mechanism authenticated successfully
+	 */
+	status_t (*process)(sasl_mechanism_t *this, chunk_t message);
+
+	/**
+	 * Destroy a sasl_mechanism_t.
+	 */
+	void (*destroy)(sasl_mechanism_t *this);
+};
+
+/**
+ * Create a sasl_mechanism instance.
+ *
+ * @param name			name of SASL mechanism to create
+ * @param client		client identity, NULL to act as server
+ * @return				SASL mechanism instance, NULL if not found
+ */
+sasl_mechanism_t *sasl_mechanism_create(char *name, identification_t *client);
+
+/**
+ * Create an enumerator over supported SASL mechanism names.
+ *
+ * @param server		TRUE for server instance, FALSE for client
+ * @return				enumerator over char*
+ */
+enumerator_t* sasl_mechanism_create_enumerator(bool server);
+
+#endif /** SASL_MECHANISM_H_ @}*/
diff --git a/src/libpttls/sasl/sasl_plain/sasl_plain.c b/src/libpttls/sasl/sasl_plain/sasl_plain.c
new file mode 100644
index 000000000..e8d6dc80b
--- /dev/null
+++ b/src/libpttls/sasl/sasl_plain/sasl_plain.c
@@ -0,0 +1,171 @@
+/*
+ * Copyright (C) 2013 Martin Willi
+ * Copyright (C) 2013 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "sasl_plain.h"
+
+#include <utils/debug.h>
+
+typedef struct private_sasl_plain_t private_sasl_plain_t;
+
+/**
+ * Private data of an sasl_plain_t object.
+ */
+struct private_sasl_plain_t {
+
+	/**
+	 * Public sasl_plain_t interface.
+	 */
+	sasl_plain_t public;
+
+	/**
+	 * Client identity
+	 */
+	identification_t *client;
+};
+
+METHOD(sasl_mechanism_t, get_name, char*,
+	private_sasl_plain_t *this)
+{
+	return "PLAIN";
+}
+
+METHOD(sasl_mechanism_t, build_server, status_t,
+	private_sasl_plain_t *this, chunk_t *message)
+{
+	/* gets never called */
+	return FAILED;
+}
+
+METHOD(sasl_mechanism_t, process_server, status_t,
+	private_sasl_plain_t *this, chunk_t message)
+{
+	chunk_t authz, authi, password;
+	identification_t *id;
+	shared_key_t *shared;
+	u_char *pos;
+
+	pos = memchr(message.ptr, 0, message.len);
+	if (!pos)
+	{
+		DBG1(DBG_CFG, "invalid authz encoding");
+		return FAILED;
+	}
+	authz = chunk_create(message.ptr, pos - message.ptr);
+	message = chunk_skip(message, authz.len + 1);
+	pos = memchr(message.ptr, 0, message.len);
+	if (!pos)
+	{
+		DBG1(DBG_CFG, "invalid authi encoding");
+		return FAILED;
+	}
+	authi = chunk_create(message.ptr, pos - message.ptr);
+	password = chunk_skip(message, authi.len + 1);
+	id = identification_create_from_data(authi);
+	shared = lib->credmgr->get_shared(lib->credmgr, SHARED_EAP, id, NULL);
+	if (!shared)
+	{
+		DBG1(DBG_CFG, "no shared secret found for '%Y'", id);
+		id->destroy(id);
+		return FAILED;
+	}
+	if (!chunk_equals(shared->get_key(shared), password))
+	{
+		DBG1(DBG_CFG, "shared secret for '%Y' does not match", id);
+		id->destroy(id);
+		shared->destroy(shared);
+		return FAILED;
+	}
+	id->destroy(id);
+	shared->destroy(shared);
+	return SUCCESS;
+}
+
+METHOD(sasl_mechanism_t, build_client, status_t,
+	private_sasl_plain_t *this, chunk_t *message)
+{
+	shared_key_t *shared;
+	chunk_t password;
+	char buf[256];
+	ssize_t len;
+
+	/* we currently use the EAP type of shared secret */
+	shared = lib->credmgr->get_shared(lib->credmgr, SHARED_EAP,
+									  this->client, NULL);
+	if (!shared)
+	{
+		DBG1(DBG_CFG, "no shared secret found for %Y", this->client);
+		return FAILED;
+	}
+
+	password = shared->get_key(shared);
+	len = snprintf(buf, sizeof(buf), "%s%c%Y%c%.*s",
+				   "", 0, this->client, 0,
+				   (int)password.len, password.ptr);
+	if (len < 0 || len >= sizeof(buf))
+	{
+		return FAILED;
+	}
+	*message = chunk_clone(chunk_create(buf, len));
+	return NEED_MORE;
+}
+
+METHOD(sasl_mechanism_t, process_client, status_t,
+	private_sasl_plain_t *this, chunk_t message)
+{
+	/* if the server sends a result, authentication successful */
+	return SUCCESS;
+}
+
+METHOD(sasl_mechanism_t, destroy, void,
+	private_sasl_plain_t *this)
+{
+	DESTROY_IF(this->client);
+	free(this);
+}
+
+/**
+ * See header
+ */
+sasl_plain_t *sasl_plain_create(char *name, identification_t *client)
+{
+	private_sasl_plain_t *this;
+
+	if (!streq(get_name(NULL), name))
+	{
+		return NULL;
+	}
+
+	INIT(this,
+		.public = {
+			.sasl = {
+				.get_name = _get_name,
+				.destroy = _destroy,
+			},
+		},
+	);
+
+	if (client)
+	{
+		this->public.sasl.build = _build_client;
+		this->public.sasl.process = _process_client;
+		this->client = client->clone(client);
+	}
+	else
+	{
+		this->public.sasl.build = _build_server;
+		this->public.sasl.process = _process_server;
+	}
+	return &this->public;
+}
diff --git a/src/libpttls/sasl/sasl_plain/sasl_plain.h b/src/libpttls/sasl/sasl_plain/sasl_plain.h
new file mode 100644
index 000000000..08b7fc76f
--- /dev/null
+++ b/src/libpttls/sasl/sasl_plain/sasl_plain.h
@@ -0,0 +1,48 @@
+/*
+ * Copyright (C) 2013 Martin Willi
+ * Copyright (C) 2013 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup sasl_plain sasl_plain
+ * @{ @ingroup sasl
+ */
+
+#ifndef SASL_PLAIN_H_
+#define SASL_PLAIN_H_
+
+#include <sasl/sasl_mechanism.h>
+
+typedef struct sasl_plain_t sasl_plain_t;
+
+/**
+ * SASL Mechanism implementing PLAIN.
+ */
+struct sasl_plain_t {
+
+	/**
+	 * Implements sasl_mechanism_t
+	 */
+	sasl_mechanism_t sasl;
+};
+
+/**
+ * Create a sasl_plain instance.
+ *
+ * @param name			name of mechanism, must be "PLAIN"
+ * @param client		client identity, NULL to act as server
+ * @return				mechanism implementing PLAIN, NULL on error
+ */
+sasl_plain_t *sasl_plain_create(char *name, identification_t *client);
+
+#endif /** SASL_PLAIN_H_ @}*/
diff --git a/src/libradius/Makefile.in b/src/libradius/Makefile.in
index ea306d748..efccbe905 100644
--- a/src/libradius/Makefile.in
+++ b/src/libradius/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.11.3 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
@@ -16,6 +16,23 @@
 @SET_MAKE@
 
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -100,6 +117,11 @@ LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
 	$(LDFLAGS) -o $@
 SOURCES = $(libradius_la_SOURCES)
 DIST_SOURCES = $(libradius_la_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
@@ -116,6 +138,8 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -132,6 +156,7 @@ EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
@@ -200,8 +225,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -257,7 +280,6 @@ nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
@@ -336,7 +358,6 @@ $(ACLOCAL_M4):  $(am__aclocal_m4_deps)
 $(am__aclocal_m4_deps):
 install-ipseclibLTLIBRARIES: $(ipseclib_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
-	test -z "$(ipseclibdir)" || $(MKDIR_P) "$(DESTDIR)$(ipseclibdir)"
 	@list='$(ipseclib_LTLIBRARIES)'; test -n "$(ipseclibdir)" || list=; \
 	list2=; for p in $$list; do \
 	  if test -f $$p; then \
@@ -344,6 +365,8 @@ install-ipseclibLTLIBRARIES: $(ipseclib_LTLIBRARIES)
 	  else :; fi; \
 	done; \
 	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(ipseclibdir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(ipseclibdir)" || exit 1; \
 	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(ipseclibdir)'"; \
 	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(ipseclibdir)"; \
 	}
diff --git a/src/libradius/radius_client.c b/src/libradius/radius_client.c
index 1478c3d9e..d44c5a2e3 100644
--- a/src/libradius/radius_client.c
+++ b/src/libradius/radius_client.c
@@ -81,13 +81,10 @@ static void save_state(private_radius_client_t *this, radius_message_t *msg)
 METHOD(radius_client_t, request, radius_message_t*,
 	private_radius_client_t *this, radius_message_t *req)
 {
-	char virtual[] = {0x00,0x00,0x00,0x05};
 	radius_socket_t *socket;
 	radius_message_t *res;
 	chunk_t data;
 
-	/* we add the "Virtual" NAS-Port-Type, as we SHOULD include one */
-	req->add(req, RAT_NAS_PORT_TYPE, chunk_create(virtual, sizeof(virtual)));
 	/* add our NAS-Identifier */
 	req->add(req, RAT_NAS_IDENTIFIER,
 			 this->config->get_nas_identifier(this->config));
diff --git a/src/libradius/radius_message.c b/src/libradius/radius_message.c
index 059dcda4b..e7717ff7a 100644
--- a/src/libradius/radius_message.c
+++ b/src/libradius/radius_message.c
@@ -16,6 +16,7 @@
 #include "radius_message.h"
 
 #include <utils/debug.h>
+#include <bio/bio_reader.h>
 #include <crypto/hashers/hasher.h>
 
 typedef struct private_radius_message_t private_radius_message_t;
@@ -271,6 +272,85 @@ METHOD(radius_message_t, create_enumerator, enumerator_t*,
 	return &e->public;
 }
 
+/**
+ * Vendor attribute enumerator implementation
+ */
+typedef struct {
+	/** implements enumerator interface */
+	enumerator_t public;
+	/** inner attribute enumerator */
+	enumerator_t *inner;
+	/** current vendor ID */
+	u_int32_t vendor;
+	/** reader for current vendor ID */
+	bio_reader_t *reader;
+} vendor_enumerator_t;
+
+METHOD(enumerator_t, vendor_enumerate, bool,
+	vendor_enumerator_t *this, int *vendor, int *type, chunk_t *data)
+{
+	chunk_t inner_data;
+	int inner_type;
+	u_int8_t type8, len;
+
+	while (TRUE)
+	{
+		if (this->reader)
+		{
+			if (this->reader->remaining(this->reader) >= 2 &&
+				this->reader->read_uint8(this->reader, &type8) &&
+				this->reader->read_uint8(this->reader, &len) && len >= 2 &&
+				this->reader->read_data(this->reader, len - 2, data))
+			{
+				*vendor = this->vendor;
+				*type = type8;
+				return TRUE;
+			}
+			this->reader->destroy(this->reader);
+			this->reader = NULL;
+		}
+		if (this->inner->enumerate(this->inner, &inner_type, &inner_data))
+		{
+			if (inner_type == RAT_VENDOR_SPECIFIC)
+			{
+				this->reader = bio_reader_create(inner_data);
+				if (!this->reader->read_uint32(this->reader, &this->vendor))
+				{
+					this->reader->destroy(this->reader);
+					this->reader = NULL;
+				}
+			}
+		}
+		else
+		{
+			return FALSE;
+		}
+	}
+}
+METHOD(enumerator_t, vendor_destroy, void,
+	vendor_enumerator_t *this)
+{
+	DESTROY_IF(this->reader);
+	this->inner->destroy(this->inner);
+	free(this);
+}
+
+METHOD(radius_message_t, create_vendor_enumerator, enumerator_t*,
+	private_radius_message_t *this)
+{
+	vendor_enumerator_t *e;
+
+	INIT(e,
+		.public = {
+			.enumerate = (void*)_vendor_enumerate,
+			.destroy = _vendor_destroy,
+		},
+		.inner = create_enumerator(this),
+	);
+
+	return &e->public;
+}
+
 METHOD(radius_message_t, add, void,
 	private_radius_message_t *this, radius_attribute_type_t type, chunk_t data)
 {
@@ -474,6 +554,7 @@ static private_radius_message_t *radius_message_create_empty()
 	INIT(this,
 		.public = {
 			.create_enumerator = _create_enumerator,
+			.create_vendor_enumerator = _create_vendor_enumerator,
 			.add = _add,
 			.get_code = _get_code,
 			.get_identifier = _get_identifier,
diff --git a/src/libradius/radius_message.h b/src/libradius/radius_message.h
index f9c57c5ef..c49323490 100644
--- a/src/libradius/radius_message.h
+++ b/src/libradius/radius_message.h
@@ -27,6 +27,7 @@
 #define RADIUS_MESSAGE_H_
 
 #include <library.h>
+#include <pen/pen.h>
 
 #define MAX_RADIUS_ATTRIBUTE_SIZE	253
 
@@ -204,6 +205,16 @@ struct radius_message_t {
 	 */
 	enumerator_t* (*create_enumerator)(radius_message_t *this);
 
+	/**
+	 * Create an enumerator over contained RADIUS Vendor-ID attributes.
+	 *
+	 * This enumerator parses only vendor specific attributes in the format
+	 * recommended in RFC2865.
+	 *
+	 * @return				enumerator over (int vendor, int type, chunk_t data)
+	 */
+	enumerator_t* (*create_vendor_enumerator)(radius_message_t *this);
+
 	/**
 	 * Add a RADIUS attribute to the message.
 	 *
@@ -279,11 +290,6 @@ struct radius_message_t {
 	void (*destroy)(radius_message_t *this);
 };
 
-/**
- * Dummy libradius initialization function needed for integrity test
- */
-void libradius_init(void);
-
 /**
  * Create an empty RADIUS message.
  *
@@ -300,4 +306,13 @@ radius_message_t *radius_message_create(radius_message_code_t code);
  */
 radius_message_t *radius_message_parse(chunk_t data);
 
+/**
+ * @}
+ * @addtogroup libradius
+ * @{
+ *
+ * Dummy libradius initialization function needed for integrity test
+ */
+void libradius_init(void);
+
 #endif /** RADIUS_MESSAGE_H_ @}*/
diff --git a/src/libsimaka/Makefile.in b/src/libsimaka/Makefile.in
index cf9bd61d8..4ed190cf3 100644
--- a/src/libsimaka/Makefile.in
+++ b/src/libsimaka/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.11.3 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
@@ -16,6 +16,23 @@
 @SET_MAKE@
 
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -100,6 +117,11 @@ LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
 	$(LDFLAGS) -o $@
 SOURCES = $(libsimaka_la_SOURCES)
 DIST_SOURCES = $(libsimaka_la_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
@@ -116,6 +138,8 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -132,6 +156,7 @@ EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
@@ -200,8 +225,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -257,7 +280,6 @@ nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
@@ -333,7 +355,6 @@ $(ACLOCAL_M4):  $(am__aclocal_m4_deps)
 $(am__aclocal_m4_deps):
 install-ipseclibLTLIBRARIES: $(ipseclib_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
-	test -z "$(ipseclibdir)" || $(MKDIR_P) "$(DESTDIR)$(ipseclibdir)"
 	@list='$(ipseclib_LTLIBRARIES)'; test -n "$(ipseclibdir)" || list=; \
 	list2=; for p in $$list; do \
 	  if test -f $$p; then \
@@ -341,6 +362,8 @@ install-ipseclibLTLIBRARIES: $(ipseclib_LTLIBRARIES)
 	  else :; fi; \
 	done; \
 	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(ipseclibdir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(ipseclibdir)" || exit 1; \
 	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(ipseclibdir)'"; \
 	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(ipseclibdir)"; \
 	}
diff --git a/src/libsimaka/simaka_manager.h b/src/libsimaka/simaka_manager.h
index 810cb0685..bdd50296e 100644
--- a/src/libsimaka/simaka_manager.h
+++ b/src/libsimaka/simaka_manager.h
@@ -278,11 +278,6 @@ struct simaka_manager_t {
 	void (*destroy)(simaka_manager_t *this);
 };
 
-/**
- * Dummy libsimaka initialization function needed for integrity test
- */
-void libsimaka_init(void);
-
 /**
  * Create an SIM/AKA manager to handle multiple (U)SIM cards/providers.
  *
@@ -312,4 +307,13 @@ typedef void* (*simaka_manager_register_cb_t)(plugin_t *plugin);
 bool simaka_manager_register(plugin_t *plugin, plugin_feature_t *feature,
 							 bool reg, void *data);
 
+/**
+ * @}
+ * @addtogroup libsimaka
+ * @{
+ *
+ * Dummy libsimaka initialization function needed for integrity test
+ */
+void libsimaka_init(void);
+
 #endif /** SIMAKA_MANAGER_H_ @}*/
diff --git a/src/libstrongswan/Android.mk b/src/libstrongswan/Android.mk
index 65cfe5292..a46b0d9a1 100644
--- a/src/libstrongswan/Android.mk
+++ b/src/libstrongswan/Android.mk
@@ -28,6 +28,7 @@ networking/host.c networking/host_resolver.c networking/packet.c \
 networking/tun_device.c \
 pen/pen.c plugins/plugin_loader.c plugins/plugin_feature.c processing/jobs/job.c \
 processing/jobs/callback_job.c processing/processor.c processing/scheduler.c \
+resolver/resolver_manager.c resolver/rr_set.c \
 selectors/traffic_selector.c threading/thread.c threading/thread_value.c \
 threading/mutex.c threading/semaphore.c threading/rwlock.c threading/spinlock.c \
 utils/utils.c utils/chunk.c utils/debug.c utils/enum.c utils/identification.c \
diff --git a/src/libstrongswan/Makefile.am b/src/libstrongswan/Makefile.am
index 9c4665eeb..8d6c4583a 100644
--- a/src/libstrongswan/Makefile.am
+++ b/src/libstrongswan/Makefile.am
@@ -26,6 +26,7 @@ networking/host.c networking/host_resolver.c networking/packet.c \
 networking/tun_device.c \
 pen/pen.c plugins/plugin_loader.c plugins/plugin_feature.c processing/jobs/job.c \
 processing/jobs/callback_job.c processing/processor.c processing/scheduler.c \
+resolver/resolver_manager.c resolver/rr_set.c \
 selectors/traffic_selector.c threading/thread.c threading/thread_value.c \
 threading/mutex.c threading/semaphore.c threading/rwlock.c threading/spinlock.c \
 utils/utils.c utils/chunk.c utils/debug.c utils/enum.c utils/identification.c \
@@ -63,6 +64,8 @@ database/database.h database/database_factory.h fetcher/fetcher.h \
 fetcher/fetcher_manager.h eap/eap.h pen/pen.h ipsec/ipsec_types.h \
 networking/host.h networking/host_resolver.h networking/packet.h \
 networking/tun_device.h \
+resolver/resolver.h resolver/resolver_response.h resolver/rr_set.h \
+resolver/rr.h resolver/resolver_manager.h \
 plugins/plugin_loader.h plugins/plugin.h plugins/plugin_feature.h \
 processing/jobs/job.h processing/jobs/callback_job.h processing/processor.h \
 processing/scheduler.h selectors/traffic_selector.h \
@@ -323,6 +326,13 @@ if MONOLITHIC
 endif
 endif
 
+if USE_UNBOUND
+  SUBDIRS += plugins/unbound
+if MONOLITHIC
+  libstrongswan_la_LIBADD += plugins/unbound/libstrongswan-unbound.la
+endif
+endif
+
 if USE_SOUP
   SUBDIRS += plugins/soup
 if MONOLITHIC
diff --git a/src/libstrongswan/Makefile.in b/src/libstrongswan/Makefile.in
index 6c0ce7a88..15219c4f3 100644
--- a/src/libstrongswan/Makefile.in
+++ b/src/libstrongswan/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.11.3 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
@@ -17,6 +17,23 @@
 
 
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -94,34 +111,36 @@ host_triplet = @host@
 @MONOLITHIC_TRUE@@USE_PEM_TRUE@am__append_57 = plugins/pem/libstrongswan-pem.la
 @USE_CURL_TRUE@am__append_58 = plugins/curl
 @MONOLITHIC_TRUE@@USE_CURL_TRUE@am__append_59 = plugins/curl/libstrongswan-curl.la
-@USE_SOUP_TRUE@am__append_60 = plugins/soup
-@MONOLITHIC_TRUE@@USE_SOUP_TRUE@am__append_61 = plugins/soup/libstrongswan-soup.la
-@USE_LDAP_TRUE@am__append_62 = plugins/ldap
-@MONOLITHIC_TRUE@@USE_LDAP_TRUE@am__append_63 = plugins/ldap/libstrongswan-ldap.la
-@USE_MYSQL_TRUE@am__append_64 = plugins/mysql
-@MONOLITHIC_TRUE@@USE_MYSQL_TRUE@am__append_65 = plugins/mysql/libstrongswan-mysql.la
-@USE_SQLITE_TRUE@am__append_66 = plugins/sqlite
-@MONOLITHIC_TRUE@@USE_SQLITE_TRUE@am__append_67 = plugins/sqlite/libstrongswan-sqlite.la
-@USE_PADLOCK_TRUE@am__append_68 = plugins/padlock
-@MONOLITHIC_TRUE@@USE_PADLOCK_TRUE@am__append_69 = plugins/padlock/libstrongswan-padlock.la
-@USE_OPENSSL_TRUE@am__append_70 = plugins/openssl
-@MONOLITHIC_TRUE@@USE_OPENSSL_TRUE@am__append_71 = plugins/openssl/libstrongswan-openssl.la
-@USE_GCRYPT_TRUE@am__append_72 = plugins/gcrypt
-@MONOLITHIC_TRUE@@USE_GCRYPT_TRUE@am__append_73 = plugins/gcrypt/libstrongswan-gcrypt.la
-@USE_FIPS_PRF_TRUE@am__append_74 = plugins/fips_prf
-@MONOLITHIC_TRUE@@USE_FIPS_PRF_TRUE@am__append_75 = plugins/fips_prf/libstrongswan-fips-prf.la
-@USE_AGENT_TRUE@am__append_76 = plugins/agent
-@MONOLITHIC_TRUE@@USE_AGENT_TRUE@am__append_77 = plugins/agent/libstrongswan-agent.la
-@USE_PKCS11_TRUE@am__append_78 = plugins/pkcs11
-@MONOLITHIC_TRUE@@USE_PKCS11_TRUE@am__append_79 = plugins/pkcs11/libstrongswan-pkcs11.la
-@USE_CTR_TRUE@am__append_80 = plugins/ctr
-@MONOLITHIC_TRUE@@USE_CTR_TRUE@am__append_81 = plugins/ctr/libstrongswan-ctr.la
-@USE_CCM_TRUE@am__append_82 = plugins/ccm
-@MONOLITHIC_TRUE@@USE_CCM_TRUE@am__append_83 = plugins/ccm/libstrongswan-ccm.la
-@USE_GCM_TRUE@am__append_84 = plugins/gcm
-@MONOLITHIC_TRUE@@USE_GCM_TRUE@am__append_85 = plugins/gcm/libstrongswan-gcm.la
-@USE_TEST_VECTORS_TRUE@am__append_86 = plugins/test_vectors
-@MONOLITHIC_TRUE@@USE_TEST_VECTORS_TRUE@am__append_87 = plugins/test_vectors/libstrongswan-test-vectors.la
+@USE_UNBOUND_TRUE@am__append_60 = plugins/unbound
+@MONOLITHIC_TRUE@@USE_UNBOUND_TRUE@am__append_61 = plugins/unbound/libstrongswan-unbound.la
+@USE_SOUP_TRUE@am__append_62 = plugins/soup
+@MONOLITHIC_TRUE@@USE_SOUP_TRUE@am__append_63 = plugins/soup/libstrongswan-soup.la
+@USE_LDAP_TRUE@am__append_64 = plugins/ldap
+@MONOLITHIC_TRUE@@USE_LDAP_TRUE@am__append_65 = plugins/ldap/libstrongswan-ldap.la
+@USE_MYSQL_TRUE@am__append_66 = plugins/mysql
+@MONOLITHIC_TRUE@@USE_MYSQL_TRUE@am__append_67 = plugins/mysql/libstrongswan-mysql.la
+@USE_SQLITE_TRUE@am__append_68 = plugins/sqlite
+@MONOLITHIC_TRUE@@USE_SQLITE_TRUE@am__append_69 = plugins/sqlite/libstrongswan-sqlite.la
+@USE_PADLOCK_TRUE@am__append_70 = plugins/padlock
+@MONOLITHIC_TRUE@@USE_PADLOCK_TRUE@am__append_71 = plugins/padlock/libstrongswan-padlock.la
+@USE_OPENSSL_TRUE@am__append_72 = plugins/openssl
+@MONOLITHIC_TRUE@@USE_OPENSSL_TRUE@am__append_73 = plugins/openssl/libstrongswan-openssl.la
+@USE_GCRYPT_TRUE@am__append_74 = plugins/gcrypt
+@MONOLITHIC_TRUE@@USE_GCRYPT_TRUE@am__append_75 = plugins/gcrypt/libstrongswan-gcrypt.la
+@USE_FIPS_PRF_TRUE@am__append_76 = plugins/fips_prf
+@MONOLITHIC_TRUE@@USE_FIPS_PRF_TRUE@am__append_77 = plugins/fips_prf/libstrongswan-fips-prf.la
+@USE_AGENT_TRUE@am__append_78 = plugins/agent
+@MONOLITHIC_TRUE@@USE_AGENT_TRUE@am__append_79 = plugins/agent/libstrongswan-agent.la
+@USE_PKCS11_TRUE@am__append_80 = plugins/pkcs11
+@MONOLITHIC_TRUE@@USE_PKCS11_TRUE@am__append_81 = plugins/pkcs11/libstrongswan-pkcs11.la
+@USE_CTR_TRUE@am__append_82 = plugins/ctr
+@MONOLITHIC_TRUE@@USE_CTR_TRUE@am__append_83 = plugins/ctr/libstrongswan-ctr.la
+@USE_CCM_TRUE@am__append_84 = plugins/ccm
+@MONOLITHIC_TRUE@@USE_CCM_TRUE@am__append_85 = plugins/ccm/libstrongswan-ccm.la
+@USE_GCM_TRUE@am__append_86 = plugins/gcm
+@MONOLITHIC_TRUE@@USE_GCM_TRUE@am__append_87 = plugins/gcm/libstrongswan-gcm.la
+@USE_TEST_VECTORS_TRUE@am__append_88 = plugins/test_vectors
+@MONOLITHIC_TRUE@@USE_TEST_VECTORS_TRUE@am__append_89 = plugins/test_vectors/libstrongswan-test-vectors.la
 subdir = src/libstrongswan
 DIST_COMMON = $(am__nobase_strongswan_include_HEADERS_DIST) \
 	$(srcdir)/Makefile.am $(srcdir)/Makefile.in
@@ -189,7 +208,7 @@ libstrongswan_la_DEPENDENCIES = $(am__DEPENDENCIES_1) \
 	$(am__append_67) $(am__append_69) $(am__append_71) \
 	$(am__append_73) $(am__append_75) $(am__append_77) \
 	$(am__append_79) $(am__append_81) $(am__append_83) \
-	$(am__append_85) $(am__append_87)
+	$(am__append_85) $(am__append_87) $(am__append_89)
 am__libstrongswan_la_SOURCES_DIST = library.c asn1/asn1.c \
 	asn1/asn1_parser.c asn1/oid.c bio/bio_reader.c \
 	bio/bio_writer.c collections/blocking_queue.c \
@@ -221,7 +240,8 @@ am__libstrongswan_la_SOURCES_DIST = library.c asn1/asn1.c \
 	networking/tun_device.c pen/pen.c plugins/plugin_loader.c \
 	plugins/plugin_feature.c processing/jobs/job.c \
 	processing/jobs/callback_job.c processing/processor.c \
-	processing/scheduler.c selectors/traffic_selector.c \
+	processing/scheduler.c resolver/resolver_manager.c \
+	resolver/rr_set.c selectors/traffic_selector.c \
 	threading/thread.c threading/thread_value.c threading/mutex.c \
 	threading/semaphore.c threading/rwlock.c threading/spinlock.c \
 	utils/utils.c utils/chunk.c utils/debug.c utils/enum.c \
@@ -246,11 +266,12 @@ am_libstrongswan_la_OBJECTS = library.lo asn1.lo asn1_parser.lo oid.lo \
 	fetcher.lo fetcher_manager.lo eap.lo ipsec_types.lo host.lo \
 	host_resolver.lo packet.lo tun_device.lo pen.lo \
 	plugin_loader.lo plugin_feature.lo job.lo callback_job.lo \
-	processor.lo scheduler.lo traffic_selector.lo thread.lo \
-	thread_value.lo mutex.lo semaphore.lo rwlock.lo spinlock.lo \
-	utils.lo chunk.lo debug.lo enum.lo identification.lo \
-	lexparser.lo optionsfrom.lo capabilities.lo backtrace.lo \
-	printf_hook.lo settings.lo $(am__objects_1) $(am__objects_2)
+	processor.lo scheduler.lo resolver_manager.lo rr_set.lo \
+	traffic_selector.lo thread.lo thread_value.lo mutex.lo \
+	semaphore.lo rwlock.lo spinlock.lo utils.lo chunk.lo debug.lo \
+	enum.lo identification.lo lexparser.lo optionsfrom.lo \
+	capabilities.lo backtrace.lo printf_hook.lo settings.lo \
+	$(am__objects_1) $(am__objects_2)
 libstrongswan_la_OBJECTS = $(am_libstrongswan_la_OBJECTS)
 DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
 depcomp = $(SHELL) $(top_srcdir)/depcomp
@@ -274,6 +295,11 @@ RECURSIVE_TARGETS = all-recursive check-recursive dvi-recursive \
 	install-pdf-recursive install-ps-recursive install-recursive \
 	installcheck-recursive installdirs-recursive pdf-recursive \
 	ps-recursive uninstall-recursive
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 am__nobase_strongswan_include_HEADERS_DIST = library.h asn1/asn1.h \
 	asn1/asn1_parser.h asn1/oid.h bio/bio_reader.h \
 	bio/bio_writer.h collections/blocking_queue.h \
@@ -310,7 +336,9 @@ am__nobase_strongswan_include_HEADERS_DIST = library.h asn1/asn1.h \
 	fetcher/fetcher.h fetcher/fetcher_manager.h eap/eap.h \
 	pen/pen.h ipsec/ipsec_types.h networking/host.h \
 	networking/host_resolver.h networking/packet.h \
-	networking/tun_device.h plugins/plugin_loader.h \
+	networking/tun_device.h resolver/resolver.h \
+	resolver/resolver_response.h resolver/rr_set.h resolver/rr.h \
+	resolver/resolver_manager.h plugins/plugin_loader.h \
 	plugins/plugin.h plugins/plugin_feature.h \
 	processing/jobs/job.h processing/jobs/callback_job.h \
 	processing/processor.h processing/scheduler.h \
@@ -337,8 +365,8 @@ DIST_SUBDIRS = . plugins/af_alg plugins/aes plugins/des \
 	plugins/x509 plugins/revocation plugins/constraints \
 	plugins/pubkey plugins/pkcs1 plugins/pkcs7 plugins/pkcs8 \
 	plugins/pgp plugins/dnskey plugins/pem plugins/curl \
-	plugins/soup plugins/ldap plugins/mysql plugins/sqlite \
-	plugins/padlock plugins/openssl plugins/gcrypt \
+	plugins/unbound plugins/soup plugins/ldap plugins/mysql \
+	plugins/sqlite plugins/padlock plugins/openssl plugins/gcrypt \
 	plugins/fips_prf plugins/agent plugins/pkcs11 plugins/ctr \
 	plugins/ccm plugins/gcm plugins/test_vectors
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
@@ -380,6 +408,8 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -396,6 +426,7 @@ EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
@@ -464,8 +495,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -521,7 +550,6 @@ nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
@@ -587,7 +615,8 @@ libstrongswan_la_SOURCES = library.c asn1/asn1.c asn1/asn1_parser.c \
 	networking/tun_device.c pen/pen.c plugins/plugin_loader.c \
 	plugins/plugin_feature.c processing/jobs/job.c \
 	processing/jobs/callback_job.c processing/processor.c \
-	processing/scheduler.c selectors/traffic_selector.c \
+	processing/scheduler.c resolver/resolver_manager.c \
+	resolver/rr_set.c selectors/traffic_selector.c \
 	threading/thread.c threading/thread_value.c threading/mutex.c \
 	threading/semaphore.c threading/rwlock.c threading/spinlock.c \
 	utils/utils.c utils/chunk.c utils/debug.c utils/enum.c \
@@ -624,6 +653,8 @@ libstrongswan_la_SOURCES = library.c asn1/asn1.c asn1/asn1_parser.c \
 @USE_DEV_HEADERS_TRUE@fetcher/fetcher_manager.h eap/eap.h pen/pen.h ipsec/ipsec_types.h \
 @USE_DEV_HEADERS_TRUE@networking/host.h networking/host_resolver.h networking/packet.h \
 @USE_DEV_HEADERS_TRUE@networking/tun_device.h \
+@USE_DEV_HEADERS_TRUE@resolver/resolver.h resolver/resolver_response.h resolver/rr_set.h \
+@USE_DEV_HEADERS_TRUE@resolver/rr.h resolver/resolver_manager.h \
 @USE_DEV_HEADERS_TRUE@plugins/plugin_loader.h plugins/plugin.h plugins/plugin_feature.h \
 @USE_DEV_HEADERS_TRUE@processing/jobs/job.h processing/jobs/callback_job.h processing/processor.h \
 @USE_DEV_HEADERS_TRUE@processing/scheduler.h selectors/traffic_selector.h \
@@ -649,7 +680,7 @@ libstrongswan_la_LIBADD = $(PTHREADLIB) $(DLLIB) $(BTLIB) $(SOCKLIB) \
 	$(am__append_69) $(am__append_71) $(am__append_73) \
 	$(am__append_75) $(am__append_77) $(am__append_79) \
 	$(am__append_81) $(am__append_83) $(am__append_85) \
-	$(am__append_87)
+	$(am__append_87) $(am__append_89)
 INCLUDES = -I$(top_srcdir)/src/libstrongswan
 AM_CFLAGS = -DIPSEC_DIR=\"${ipsecdir}\" \
 	-DIPSEC_LIB_DIR=\"${ipseclibdir}\" \
@@ -688,7 +719,8 @@ $(srcdir)/crypto/proposal/proposal_keywords_static.c
 @MONOLITHIC_FALSE@	$(am__append_72) $(am__append_74) \
 @MONOLITHIC_FALSE@	$(am__append_76) $(am__append_78) \
 @MONOLITHIC_FALSE@	$(am__append_80) $(am__append_82) \
-@MONOLITHIC_FALSE@	$(am__append_84) $(am__append_86)
+@MONOLITHIC_FALSE@	$(am__append_84) $(am__append_86) \
+@MONOLITHIC_FALSE@	$(am__append_88)
 
 # build plugins with their own Makefile
 #######################################
@@ -711,7 +743,8 @@ $(srcdir)/crypto/proposal/proposal_keywords_static.c
 @MONOLITHIC_TRUE@	$(am__append_72) $(am__append_74) \
 @MONOLITHIC_TRUE@	$(am__append_76) $(am__append_78) \
 @MONOLITHIC_TRUE@	$(am__append_80) $(am__append_82) \
-@MONOLITHIC_TRUE@	$(am__append_84) $(am__append_86)
+@MONOLITHIC_TRUE@	$(am__append_84) $(am__append_86) \
+@MONOLITHIC_TRUE@	$(am__append_88)
 all: $(BUILT_SOURCES)
 	$(MAKE) $(AM_MAKEFLAGS) all-recursive
 
@@ -749,7 +782,6 @@ $(ACLOCAL_M4):  $(am__aclocal_m4_deps)
 $(am__aclocal_m4_deps):
 install-ipseclibLTLIBRARIES: $(ipseclib_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
-	test -z "$(ipseclibdir)" || $(MKDIR_P) "$(DESTDIR)$(ipseclibdir)"
 	@list='$(ipseclib_LTLIBRARIES)'; test -n "$(ipseclibdir)" || list=; \
 	list2=; for p in $$list; do \
 	  if test -f $$p; then \
@@ -757,6 +789,8 @@ install-ipseclibLTLIBRARIES: $(ipseclib_LTLIBRARIES)
 	  else :; fi; \
 	done; \
 	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(ipseclibdir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(ipseclibdir)" || exit 1; \
 	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(ipseclibdir)'"; \
 	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(ipseclibdir)"; \
 	}
@@ -853,7 +887,9 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/proposal_keywords.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/proposal_keywords_static.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/public_key.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/resolver_manager.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/rng.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/rr_set.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/rwlock.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/scheduler.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/semaphore.Plo@am__quote@
@@ -1302,6 +1338,20 @@ scheduler.lo: processing/scheduler.c
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o scheduler.lo `test -f 'processing/scheduler.c' || echo '$(srcdir)/'`processing/scheduler.c
 
+resolver_manager.lo: resolver/resolver_manager.c
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT resolver_manager.lo -MD -MP -MF $(DEPDIR)/resolver_manager.Tpo -c -o resolver_manager.lo `test -f 'resolver/resolver_manager.c' || echo '$(srcdir)/'`resolver/resolver_manager.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/resolver_manager.Tpo $(DEPDIR)/resolver_manager.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='resolver/resolver_manager.c' object='resolver_manager.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o resolver_manager.lo `test -f 'resolver/resolver_manager.c' || echo '$(srcdir)/'`resolver/resolver_manager.c
+
+rr_set.lo: resolver/rr_set.c
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT rr_set.lo -MD -MP -MF $(DEPDIR)/rr_set.Tpo -c -o rr_set.lo `test -f 'resolver/rr_set.c' || echo '$(srcdir)/'`resolver/rr_set.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/rr_set.Tpo $(DEPDIR)/rr_set.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='resolver/rr_set.c' object='rr_set.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o rr_set.lo `test -f 'resolver/rr_set.c' || echo '$(srcdir)/'`resolver/rr_set.c
+
 traffic_selector.lo: selectors/traffic_selector.c
 @am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT traffic_selector.lo -MD -MP -MF $(DEPDIR)/traffic_selector.Tpo -c -o traffic_selector.lo `test -f 'selectors/traffic_selector.c' || echo '$(srcdir)/'`selectors/traffic_selector.c
 @am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/traffic_selector.Tpo $(DEPDIR)/traffic_selector.Plo
@@ -1449,15 +1499,18 @@ clean-libtool:
 	-rm -rf .libs _libs
 install-nobase_strongswan_includeHEADERS: $(nobase_strongswan_include_HEADERS)
 	@$(NORMAL_INSTALL)
-	test -z "$(strongswan_includedir)" || $(MKDIR_P) "$(DESTDIR)$(strongswan_includedir)"
 	@list='$(nobase_strongswan_include_HEADERS)'; test -n "$(strongswan_includedir)" || list=; \
+	if test -n "$$list"; then \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(strongswan_includedir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(strongswan_includedir)" || exit 1; \
+	fi; \
 	$(am__nobase_list) | while read dir files; do \
 	  xfiles=; for file in $$files; do \
 	    if test -f "$$file"; then xfiles="$$xfiles $$file"; \
 	    else xfiles="$$xfiles $(srcdir)/$$file"; fi; done; \
 	  test -z "$$xfiles" || { \
 	    test "x$$dir" = x. || { \
-	      echo "$(MKDIR_P) '$(DESTDIR)$(strongswan_includedir)/$$dir'"; \
+	      echo " $(MKDIR_P) '$(DESTDIR)$(strongswan_includedir)/$$dir'"; \
 	      $(MKDIR_P) "$(DESTDIR)$(strongswan_includedir)/$$dir"; }; \
 	    echo " $(INSTALL_HEADER) $$xfiles '$(DESTDIR)$(strongswan_includedir)/$$dir'"; \
 	    $(INSTALL_HEADER) $$xfiles "$(DESTDIR)$(strongswan_includedir)/$$dir" || exit $$?; }; \
@@ -1636,13 +1689,10 @@ distdir: $(DISTFILES)
 	done
 	@list='$(DIST_SUBDIRS)'; for subdir in $$list; do \
 	  if test "$$subdir" = .; then :; else \
-	    test -d "$(distdir)/$$subdir" \
-	    || $(MKDIR_P) "$(distdir)/$$subdir" \
-	    || exit 1; \
-	  fi; \
-	done
-	@list='$(DIST_SUBDIRS)'; for subdir in $$list; do \
-	  if test "$$subdir" = .; then :; else \
+	    $(am__make_dryrun) \
+	      || test -d "$(distdir)/$$subdir" \
+	      || $(MKDIR_P) "$(distdir)/$$subdir" \
+	      || exit 1; \
 	    dir1=$$subdir; dir2="$(distdir)/$$subdir"; \
 	    $(am__relativize); \
 	    new_distdir=$$reldir; \
diff --git a/src/libstrongswan/asn1/oid.c b/src/libstrongswan/asn1/oid.c
index ec60be811..686233fa3 100644
--- a/src/libstrongswan/asn1/oid.c
+++ b/src/libstrongswan/asn1/oid.c
@@ -179,8 +179,8 @@ const oid_t oid_names[] = {
  {              0x02,         167, 0,  7, "ecdsa-with-SHA256"         }, /* 166 */
  {              0x03,         168, 0,  7, "ecdsa-with-SHA384"         }, /* 167 */
  {              0x04,           0, 0,  7, "ecdsa-with-SHA512"         }, /* 168 */
- {0x2B,                       323, 1,  0, ""                          }, /* 169 */
- {  0x06,                     237, 1,  1, "dod"                       }, /* 170 */
+ {0x2B,                       329, 1,  0, ""                          }, /* 169 */
+ {  0x06,                     243, 1,  1, "dod"                       }, /* 170 */
  {    0x01,                     0, 1,  2, "internet"                  }, /* 171 */
  {      0x04,                 194, 1,  3, "private"                   }, /* 172 */
  {        0x01,                 0, 1,  4, "enterprise"                }, /* 173 */
@@ -206,7 +206,7 @@ const oid_t oid_names[] = {
  {                      0x4B,   0, 0, 11, "TCGID"                     }, /* 193 */
  {      0x05,                   0, 1,  3, "security"                  }, /* 194 */
  {        0x05,                 0, 1,  4, "mechanisms"                }, /* 195 */
- {          0x07,             234, 1,  5, "id-pkix"                   }, /* 196 */
+ {          0x07,             240, 1,  5, "id-pkix"                   }, /* 196 */
  {            0x01,           201, 1,  6, "id-pe"                     }, /* 197 */
  {              0x01,         199, 0,  7, "authorityInfoAccess"       }, /* 198 */
  {              0x03,         200, 0,  7, "qcStatements"              }, /* 199 */
@@ -224,169 +224,175 @@ const oid_t oid_names[] = {
  {              0x07,         212, 0,  7, "ipsecUser"                 }, /* 211 */
  {              0x08,         213, 0,  7, "timeStamping"              }, /* 212 */
  {              0x09,           0, 0,  7, "ocspSigning"               }, /* 213 */
- {            0x08,           216, 1,  6, "id-otherNames"             }, /* 214 */
- {              0x05,           0, 0,  7, "xmppAddr"                  }, /* 215 */
- {            0x0A,           221, 1,  6, "id-aca"                    }, /* 216 */
- {              0x01,         218, 0,  7, "authenticationInfo"        }, /* 217 */
- {              0x02,         219, 0,  7, "accessIdentity"            }, /* 218 */
- {              0x03,         220, 0,  7, "chargingIdentity"          }, /* 219 */
- {              0x04,           0, 0,  7, "group"                     }, /* 220 */
- {            0x0B,           222, 0,  6, "subjectInfoAccess"         }, /* 221 */
- {            0x30,             0, 1,  6, "id-ad"                     }, /* 222 */
- {              0x01,         231, 1,  7, "ocsp"                      }, /* 223 */
- {                0x01,       225, 0,  8, "basic"                     }, /* 224 */
- {                0x02,       226, 0,  8, "nonce"                     }, /* 225 */
- {                0x03,       227, 0,  8, "crl"                       }, /* 226 */
- {                0x04,       228, 0,  8, "response"                  }, /* 227 */
- {                0x05,       229, 0,  8, "noCheck"                   }, /* 228 */
- {                0x06,       230, 0,  8, "archiveCutoff"             }, /* 229 */
- {                0x07,         0, 0,  8, "serviceLocator"            }, /* 230 */
- {              0x02,         232, 0,  7, "caIssuers"                 }, /* 231 */
- {              0x03,         233, 0,  7, "timeStamping"              }, /* 232 */
- {              0x05,           0, 0,  7, "caRepository"              }, /* 233 */
- {          0x08,               0, 1,  5, "ipsec"                     }, /* 234 */
- {            0x02,             0, 1,  6, "certificate"               }, /* 235 */
- {              0x02,           0, 0,  7, "iKEIntermediate"           }, /* 236 */
- {  0x0E,                     243, 1,  1, "oiw"                       }, /* 237 */
- {    0x03,                     0, 1,  2, "secsig"                    }, /* 238 */
- {      0x02,                   0, 1,  3, "algorithms"                }, /* 239 */
- {        0x07,               241, 0,  4, "des-cbc"                   }, /* 240 */
- {        0x1A,               242, 0,  4, "sha-1"                     }, /* 241 */
- {        0x1D,                 0, 0,  4, "sha-1WithRSASignature"     }, /* 242 */
- {  0x24,                     289, 1,  1, "TeleTrusT"                 }, /* 243 */
- {    0x03,                     0, 1,  2, "algorithm"                 }, /* 244 */
- {      0x03,                   0, 1,  3, "signatureAlgorithm"        }, /* 245 */
- {        0x01,               250, 1,  4, "rsaSignature"              }, /* 246 */
- {          0x02,             248, 0,  5, "rsaSigWithripemd160"       }, /* 247 */
- {          0x03,             249, 0,  5, "rsaSigWithripemd128"       }, /* 248 */
- {          0x04,               0, 0,  5, "rsaSigWithripemd256"       }, /* 249 */
- {        0x02,                 0, 1,  4, "ecSign"                    }, /* 250 */
- {          0x01,             252, 0,  5, "ecSignWithsha1"            }, /* 251 */
- {          0x02,             253, 0,  5, "ecSignWithripemd160"       }, /* 252 */
- {          0x03,             254, 0,  5, "ecSignWithmd2"             }, /* 253 */
- {          0x04,             255, 0,  5, "ecSignWithmd5"             }, /* 254 */
- {          0x05,             272, 1,  5, "ttt-ecg"                   }, /* 255 */
- {            0x01,           260, 1,  6, "fieldType"                 }, /* 256 */
- {              0x01,           0, 1,  7, "characteristictwoField"    }, /* 257 */
- {                0x01,         0, 1,  8, "basisType"                 }, /* 258 */
- {                  0x01,       0, 0,  9, "ipBasis"                   }, /* 259 */
- {            0x02,           262, 1,  6, "keyType"                   }, /* 260 */
- {              0x01,           0, 0,  7, "ecgPublicKey"              }, /* 261 */
- {            0x03,           263, 0,  6, "curve"                     }, /* 262 */
- {            0x04,           270, 1,  6, "signatures"                }, /* 263 */
- {              0x01,         265, 0,  7, "ecgdsa-with-RIPEMD160"     }, /* 264 */
- {              0x02,         266, 0,  7, "ecgdsa-with-SHA1"          }, /* 265 */
- {              0x03,         267, 0,  7, "ecgdsa-with-SHA224"        }, /* 266 */
- {              0x04,         268, 0,  7, "ecgdsa-with-SHA256"        }, /* 267 */
- {              0x05,         269, 0,  7, "ecgdsa-with-SHA384"        }, /* 268 */
- {              0x06,           0, 0,  7, "ecgdsa-with-SHA512"        }, /* 269 */
- {            0x05,             0, 1,  6, "module"                    }, /* 270 */
- {              0x01,           0, 0,  7, "1"                         }, /* 271 */
- {          0x08,               0, 1,  5, "ecStdCurvesAndGeneration"  }, /* 272 */
- {            0x01,             0, 1,  6, "ellipticCurve"             }, /* 273 */
- {              0x01,           0, 1,  7, "versionOne"                }, /* 274 */
- {                0x01,       276, 0,  8, "brainpoolP160r1"           }, /* 275 */
- {                0x02,       277, 0,  8, "brainpoolP160t1"           }, /* 276 */
- {                0x03,       278, 0,  8, "brainpoolP192r1"           }, /* 277 */
- {                0x04,       279, 0,  8, "brainpoolP192t1"           }, /* 278 */
- {                0x05,       280, 0,  8, "brainpoolP224r1"           }, /* 279 */
- {                0x06,       281, 0,  8, "brainpoolP224t1"           }, /* 280 */
- {                0x07,       282, 0,  8, "brainpoolP256r1"           }, /* 281 */
- {                0x08,       283, 0,  8, "brainpoolP256t1"           }, /* 282 */
- {                0x09,       284, 0,  8, "brainpoolP320r1"           }, /* 283 */
- {                0x0A,       285, 0,  8, "brainpoolP320t1"           }, /* 284 */
- {                0x0B,       286, 0,  8, "brainpoolP384r1"           }, /* 285 */
- {                0x0C,       287, 0,  8, "brainpoolP384t1"           }, /* 286 */
- {                0x0D,       288, 0,  8, "brainpoolP512r1"           }, /* 287 */
- {                0x0E,         0, 0,  8, "brainpoolP512t1"           }, /* 288 */
- {  0x81,                       0, 1,  1, ""                          }, /* 289 */
- {    0x04,                     0, 1,  2, "Certicom"                  }, /* 290 */
- {      0x00,                   0, 1,  3, "curve"                     }, /* 291 */
- {        0x01,               293, 0,  4, "sect163k1"                 }, /* 292 */
- {        0x02,               294, 0,  4, "sect163r1"                 }, /* 293 */
- {        0x03,               295, 0,  4, "sect239k1"                 }, /* 294 */
- {        0x04,               296, 0,  4, "sect113r1"                 }, /* 295 */
- {        0x05,               297, 0,  4, "sect113r2"                 }, /* 296 */
- {        0x06,               298, 0,  4, "secp112r1"                 }, /* 297 */
- {        0x07,               299, 0,  4, "secp112r2"                 }, /* 298 */
- {        0x08,               300, 0,  4, "secp160r1"                 }, /* 299 */
- {        0x09,               301, 0,  4, "secp160k1"                 }, /* 300 */
- {        0x0A,               302, 0,  4, "secp256k1"                 }, /* 301 */
- {        0x0F,               303, 0,  4, "sect163r2"                 }, /* 302 */
- {        0x10,               304, 0,  4, "sect283k1"                 }, /* 303 */
- {        0x11,               305, 0,  4, "sect283r1"                 }, /* 304 */
- {        0x16,               306, 0,  4, "sect131r1"                 }, /* 305 */
- {        0x17,               307, 0,  4, "sect131r2"                 }, /* 306 */
- {        0x18,               308, 0,  4, "sect193r1"                 }, /* 307 */
- {        0x19,               309, 0,  4, "sect193r2"                 }, /* 308 */
- {        0x1A,               310, 0,  4, "sect233k1"                 }, /* 309 */
- {        0x1B,               311, 0,  4, "sect233r1"                 }, /* 310 */
- {        0x1C,               312, 0,  4, "secp128r1"                 }, /* 311 */
- {        0x1D,               313, 0,  4, "secp128r2"                 }, /* 312 */
- {        0x1E,               314, 0,  4, "secp160r2"                 }, /* 313 */
- {        0x1F,               315, 0,  4, "secp192k1"                 }, /* 314 */
- {        0x20,               316, 0,  4, "secp224k1"                 }, /* 315 */
- {        0x21,               317, 0,  4, "secp224r1"                 }, /* 316 */
- {        0x22,               318, 0,  4, "secp384r1"                 }, /* 317 */
- {        0x23,               319, 0,  4, "secp521r1"                 }, /* 318 */
- {        0x24,               320, 0,  4, "sect409k1"                 }, /* 319 */
- {        0x25,               321, 0,  4, "sect409r1"                 }, /* 320 */
- {        0x26,               322, 0,  4, "sect571k1"                 }, /* 321 */
- {        0x27,                 0, 0,  4, "sect571r1"                 }, /* 322 */
- {0x60,                       371, 1,  0, ""                          }, /* 323 */
- {  0x86,                       0, 1,  1, ""                          }, /* 324 */
- {    0x48,                     0, 1,  2, ""                          }, /* 325 */
- {      0x01,                   0, 1,  3, "organization"              }, /* 326 */
- {        0x65,               347, 1,  4, "gov"                       }, /* 327 */
- {          0x03,               0, 1,  5, "csor"                      }, /* 328 */
- {            0x04,             0, 1,  6, "nistalgorithm"             }, /* 329 */
- {              0x01,         340, 1,  7, "aes"                       }, /* 330 */
- {                0x02,       332, 0,  8, "id-aes128-CBC"             }, /* 331 */
- {                0x06,       333, 0,  8, "id-aes128-GCM"             }, /* 332 */
- {                0x07,       334, 0,  8, "id-aes128-CCM"             }, /* 333 */
- {                0x16,       335, 0,  8, "id-aes192-CBC"             }, /* 334 */
- {                0x1A,       336, 0,  8, "id-aes192-GCM"             }, /* 335 */
- {                0x1B,       337, 0,  8, "id-aes192-CCM"             }, /* 336 */
- {                0x2A,       338, 0,  8, "id-aes256-CBC"             }, /* 337 */
- {                0x2E,       339, 0,  8, "id-aes256-GCM"             }, /* 338 */
- {                0x2F,         0, 0,  8, "id-aes256-CCM"             }, /* 339 */
- {              0x02,           0, 1,  7, "hashalgs"                  }, /* 340 */
- {                0x01,       342, 0,  8, "id-SHA-256"                }, /* 341 */
- {                0x02,       343, 0,  8, "id-SHA-384"                }, /* 342 */
- {                0x03,       344, 0,  8, "id-SHA-512"                }, /* 343 */
- {                0x04,       345, 0,  8, "id-SHA-224"                }, /* 344 */
- {                0x05,       346, 0,  8, "id-SHA-512-224"            }, /* 345 */
- {                0x06,         0, 0,  8, "id-SHA-512-256"            }, /* 346 */
- {        0x86,                 0, 1,  4, ""                          }, /* 347 */
- {          0xf8,               0, 1,  5, ""                          }, /* 348 */
- {            0x42,           361, 1,  6, "netscape"                  }, /* 349 */
- {              0x01,         356, 1,  7, ""                          }, /* 350 */
- {                0x01,       352, 0,  8, "nsCertType"                }, /* 351 */
- {                0x03,       353, 0,  8, "nsRevocationUrl"           }, /* 352 */
- {                0x04,       354, 0,  8, "nsCaRevocationUrl"         }, /* 353 */
- {                0x08,       355, 0,  8, "nsCaPolicyUrl"             }, /* 354 */
- {                0x0d,         0, 0,  8, "nsComment"                 }, /* 355 */
- {              0x03,         359, 1,  7, "directory"                 }, /* 356 */
- {                0x01,         0, 1,  8, ""                          }, /* 357 */
- {                  0x03,       0, 0,  9, "employeeNumber"            }, /* 358 */
- {              0x04,           0, 1,  7, "policy"                    }, /* 359 */
- {                0x01,         0, 0,  8, "nsSGC"                     }, /* 360 */
- {            0x45,             0, 1,  6, "verisign"                  }, /* 361 */
- {              0x01,           0, 1,  7, "pki"                       }, /* 362 */
- {                0x09,         0, 1,  8, "attributes"                }, /* 363 */
- {                  0x02,     365, 0,  9, "messageType"               }, /* 364 */
- {                  0x03,     366, 0,  9, "pkiStatus"                 }, /* 365 */
- {                  0x04,     367, 0,  9, "failInfo"                  }, /* 366 */
- {                  0x05,     368, 0,  9, "senderNonce"               }, /* 367 */
- {                  0x06,     369, 0,  9, "recipientNonce"            }, /* 368 */
- {                  0x07,     370, 0,  9, "transID"                   }, /* 369 */
- {                  0x08,       0, 0,  9, "extensionReq"              }, /* 370 */
- {0x67,                         0, 1,  0, ""                          }, /* 371 */
- {  0x81,                       0, 1,  1, ""                          }, /* 372 */
- {    0x05,                     0, 1,  2, ""                          }, /* 373 */
- {      0x02,                   0, 1,  3, "tcg-attribute"             }, /* 374 */
- {        0x01,               376, 0,  4, "tcg-at-tpmManufacturer"    }, /* 375 */
- {        0x02,               377, 0,  4, "tcg-at-tpmModel"           }, /* 376 */
- {        0x03,               378, 0,  4, "tcg-at-tpmVersion"         }, /* 377 */
- {        0x0F,                 0, 0,  4, "tcg-at-tpmIdLabel"         }  /* 378 */
+ {            0x08,           222, 1,  6, "id-otherNames"             }, /* 214 */
+ {              0x01,         216, 0,  7, "personalData"              }, /* 215 */
+ {              0x02,         217, 0,  7, "userGroup"                 }, /* 216 */
+ {              0x03,         218, 0,  7, "id-on-permanentIdentifier" }, /* 217 */
+ {              0x04,         219, 0,  7, "id-on-hardwareModuleName"  }, /* 218 */
+ {              0x05,         220, 0,  7, "xmppAddr"                  }, /* 219 */
+ {              0x06,         221, 0,  7, "id-on-SIM"                 }, /* 220 */
+ {              0x07,           0, 0,  7, "id-on-dnsSRV"              }, /* 221 */
+ {            0x0A,           227, 1,  6, "id-aca"                    }, /* 222 */
+ {              0x01,         224, 0,  7, "authenticationInfo"        }, /* 223 */
+ {              0x02,         225, 0,  7, "accessIdentity"            }, /* 224 */
+ {              0x03,         226, 0,  7, "chargingIdentity"          }, /* 225 */
+ {              0x04,           0, 0,  7, "group"                     }, /* 226 */
+ {            0x0B,           228, 0,  6, "subjectInfoAccess"         }, /* 227 */
+ {            0x30,             0, 1,  6, "id-ad"                     }, /* 228 */
+ {              0x01,         237, 1,  7, "ocsp"                      }, /* 229 */
+ {                0x01,       231, 0,  8, "basic"                     }, /* 230 */
+ {                0x02,       232, 0,  8, "nonce"                     }, /* 231 */
+ {                0x03,       233, 0,  8, "crl"                       }, /* 232 */
+ {                0x04,       234, 0,  8, "response"                  }, /* 233 */
+ {                0x05,       235, 0,  8, "noCheck"                   }, /* 234 */
+ {                0x06,       236, 0,  8, "archiveCutoff"             }, /* 235 */
+ {                0x07,         0, 0,  8, "serviceLocator"            }, /* 236 */
+ {              0x02,         238, 0,  7, "caIssuers"                 }, /* 237 */
+ {              0x03,         239, 0,  7, "timeStamping"              }, /* 238 */
+ {              0x05,           0, 0,  7, "caRepository"              }, /* 239 */
+ {          0x08,               0, 1,  5, "ipsec"                     }, /* 240 */
+ {            0x02,             0, 1,  6, "certificate"               }, /* 241 */
+ {              0x02,           0, 0,  7, "iKEIntermediate"           }, /* 242 */
+ {  0x0E,                     249, 1,  1, "oiw"                       }, /* 243 */
+ {    0x03,                     0, 1,  2, "secsig"                    }, /* 244 */
+ {      0x02,                   0, 1,  3, "algorithms"                }, /* 245 */
+ {        0x07,               247, 0,  4, "des-cbc"                   }, /* 246 */
+ {        0x1A,               248, 0,  4, "sha-1"                     }, /* 247 */
+ {        0x1D,                 0, 0,  4, "sha-1WithRSASignature"     }, /* 248 */
+ {  0x24,                     295, 1,  1, "TeleTrusT"                 }, /* 249 */
+ {    0x03,                     0, 1,  2, "algorithm"                 }, /* 250 */
+ {      0x03,                   0, 1,  3, "signatureAlgorithm"        }, /* 251 */
+ {        0x01,               256, 1,  4, "rsaSignature"              }, /* 252 */
+ {          0x02,             254, 0,  5, "rsaSigWithripemd160"       }, /* 253 */
+ {          0x03,             255, 0,  5, "rsaSigWithripemd128"       }, /* 254 */
+ {          0x04,               0, 0,  5, "rsaSigWithripemd256"       }, /* 255 */
+ {        0x02,                 0, 1,  4, "ecSign"                    }, /* 256 */
+ {          0x01,             258, 0,  5, "ecSignWithsha1"            }, /* 257 */
+ {          0x02,             259, 0,  5, "ecSignWithripemd160"       }, /* 258 */
+ {          0x03,             260, 0,  5, "ecSignWithmd2"             }, /* 259 */
+ {          0x04,             261, 0,  5, "ecSignWithmd5"             }, /* 260 */
+ {          0x05,             278, 1,  5, "ttt-ecg"                   }, /* 261 */
+ {            0x01,           266, 1,  6, "fieldType"                 }, /* 262 */
+ {              0x01,           0, 1,  7, "characteristictwoField"    }, /* 263 */
+ {                0x01,         0, 1,  8, "basisType"                 }, /* 264 */
+ {                  0x01,       0, 0,  9, "ipBasis"                   }, /* 265 */
+ {            0x02,           268, 1,  6, "keyType"                   }, /* 266 */
+ {              0x01,           0, 0,  7, "ecgPublicKey"              }, /* 267 */
+ {            0x03,           269, 0,  6, "curve"                     }, /* 268 */
+ {            0x04,           276, 1,  6, "signatures"                }, /* 269 */
+ {              0x01,         271, 0,  7, "ecgdsa-with-RIPEMD160"     }, /* 270 */
+ {              0x02,         272, 0,  7, "ecgdsa-with-SHA1"          }, /* 271 */
+ {              0x03,         273, 0,  7, "ecgdsa-with-SHA224"        }, /* 272 */
+ {              0x04,         274, 0,  7, "ecgdsa-with-SHA256"        }, /* 273 */
+ {              0x05,         275, 0,  7, "ecgdsa-with-SHA384"        }, /* 274 */
+ {              0x06,           0, 0,  7, "ecgdsa-with-SHA512"        }, /* 275 */
+ {            0x05,             0, 1,  6, "module"                    }, /* 276 */
+ {              0x01,           0, 0,  7, "1"                         }, /* 277 */
+ {          0x08,               0, 1,  5, "ecStdCurvesAndGeneration"  }, /* 278 */
+ {            0x01,             0, 1,  6, "ellipticCurve"             }, /* 279 */
+ {              0x01,           0, 1,  7, "versionOne"                }, /* 280 */
+ {                0x01,       282, 0,  8, "brainpoolP160r1"           }, /* 281 */
+ {                0x02,       283, 0,  8, "brainpoolP160t1"           }, /* 282 */
+ {                0x03,       284, 0,  8, "brainpoolP192r1"           }, /* 283 */
+ {                0x04,       285, 0,  8, "brainpoolP192t1"           }, /* 284 */
+ {                0x05,       286, 0,  8, "brainpoolP224r1"           }, /* 285 */
+ {                0x06,       287, 0,  8, "brainpoolP224t1"           }, /* 286 */
+ {                0x07,       288, 0,  8, "brainpoolP256r1"           }, /* 287 */
+ {                0x08,       289, 0,  8, "brainpoolP256t1"           }, /* 288 */
+ {                0x09,       290, 0,  8, "brainpoolP320r1"           }, /* 289 */
+ {                0x0A,       291, 0,  8, "brainpoolP320t1"           }, /* 290 */
+ {                0x0B,       292, 0,  8, "brainpoolP384r1"           }, /* 291 */
+ {                0x0C,       293, 0,  8, "brainpoolP384t1"           }, /* 292 */
+ {                0x0D,       294, 0,  8, "brainpoolP512r1"           }, /* 293 */
+ {                0x0E,         0, 0,  8, "brainpoolP512t1"           }, /* 294 */
+ {  0x81,                       0, 1,  1, ""                          }, /* 295 */
+ {    0x04,                     0, 1,  2, "Certicom"                  }, /* 296 */
+ {      0x00,                   0, 1,  3, "curve"                     }, /* 297 */
+ {        0x01,               299, 0,  4, "sect163k1"                 }, /* 298 */
+ {        0x02,               300, 0,  4, "sect163r1"                 }, /* 299 */
+ {        0x03,               301, 0,  4, "sect239k1"                 }, /* 300 */
+ {        0x04,               302, 0,  4, "sect113r1"                 }, /* 301 */
+ {        0x05,               303, 0,  4, "sect113r2"                 }, /* 302 */
+ {        0x06,               304, 0,  4, "secp112r1"                 }, /* 303 */
+ {        0x07,               305, 0,  4, "secp112r2"                 }, /* 304 */
+ {        0x08,               306, 0,  4, "secp160r1"                 }, /* 305 */
+ {        0x09,               307, 0,  4, "secp160k1"                 }, /* 306 */
+ {        0x0A,               308, 0,  4, "secp256k1"                 }, /* 307 */
+ {        0x0F,               309, 0,  4, "sect163r2"                 }, /* 308 */
+ {        0x10,               310, 0,  4, "sect283k1"                 }, /* 309 */
+ {        0x11,               311, 0,  4, "sect283r1"                 }, /* 310 */
+ {        0x16,               312, 0,  4, "sect131r1"                 }, /* 311 */
+ {        0x17,               313, 0,  4, "sect131r2"                 }, /* 312 */
+ {        0x18,               314, 0,  4, "sect193r1"                 }, /* 313 */
+ {        0x19,               315, 0,  4, "sect193r2"                 }, /* 314 */
+ {        0x1A,               316, 0,  4, "sect233k1"                 }, /* 315 */
+ {        0x1B,               317, 0,  4, "sect233r1"                 }, /* 316 */
+ {        0x1C,               318, 0,  4, "secp128r1"                 }, /* 317 */
+ {        0x1D,               319, 0,  4, "secp128r2"                 }, /* 318 */
+ {        0x1E,               320, 0,  4, "secp160r2"                 }, /* 319 */
+ {        0x1F,               321, 0,  4, "secp192k1"                 }, /* 320 */
+ {        0x20,               322, 0,  4, "secp224k1"                 }, /* 321 */
+ {        0x21,               323, 0,  4, "secp224r1"                 }, /* 322 */
+ {        0x22,               324, 0,  4, "secp384r1"                 }, /* 323 */
+ {        0x23,               325, 0,  4, "secp521r1"                 }, /* 324 */
+ {        0x24,               326, 0,  4, "sect409k1"                 }, /* 325 */
+ {        0x25,               327, 0,  4, "sect409r1"                 }, /* 326 */
+ {        0x26,               328, 0,  4, "sect571k1"                 }, /* 327 */
+ {        0x27,                 0, 0,  4, "sect571r1"                 }, /* 328 */
+ {0x60,                       377, 1,  0, ""                          }, /* 329 */
+ {  0x86,                       0, 1,  1, ""                          }, /* 330 */
+ {    0x48,                     0, 1,  2, ""                          }, /* 331 */
+ {      0x01,                   0, 1,  3, "organization"              }, /* 332 */
+ {        0x65,               353, 1,  4, "gov"                       }, /* 333 */
+ {          0x03,               0, 1,  5, "csor"                      }, /* 334 */
+ {            0x04,             0, 1,  6, "nistalgorithm"             }, /* 335 */
+ {              0x01,         346, 1,  7, "aes"                       }, /* 336 */
+ {                0x02,       338, 0,  8, "id-aes128-CBC"             }, /* 337 */
+ {                0x06,       339, 0,  8, "id-aes128-GCM"             }, /* 338 */
+ {                0x07,       340, 0,  8, "id-aes128-CCM"             }, /* 339 */
+ {                0x16,       341, 0,  8, "id-aes192-CBC"             }, /* 340 */
+ {                0x1A,       342, 0,  8, "id-aes192-GCM"             }, /* 341 */
+ {                0x1B,       343, 0,  8, "id-aes192-CCM"             }, /* 342 */
+ {                0x2A,       344, 0,  8, "id-aes256-CBC"             }, /* 343 */
+ {                0x2E,       345, 0,  8, "id-aes256-GCM"             }, /* 344 */
+ {                0x2F,         0, 0,  8, "id-aes256-CCM"             }, /* 345 */
+ {              0x02,           0, 1,  7, "hashalgs"                  }, /* 346 */
+ {                0x01,       348, 0,  8, "id-SHA-256"                }, /* 347 */
+ {                0x02,       349, 0,  8, "id-SHA-384"                }, /* 348 */
+ {                0x03,       350, 0,  8, "id-SHA-512"                }, /* 349 */
+ {                0x04,       351, 0,  8, "id-SHA-224"                }, /* 350 */
+ {                0x05,       352, 0,  8, "id-SHA-512-224"            }, /* 351 */
+ {                0x06,         0, 0,  8, "id-SHA-512-256"            }, /* 352 */
+ {        0x86,                 0, 1,  4, ""                          }, /* 353 */
+ {          0xf8,               0, 1,  5, ""                          }, /* 354 */
+ {            0x42,           367, 1,  6, "netscape"                  }, /* 355 */
+ {              0x01,         362, 1,  7, ""                          }, /* 356 */
+ {                0x01,       358, 0,  8, "nsCertType"                }, /* 357 */
+ {                0x03,       359, 0,  8, "nsRevocationUrl"           }, /* 358 */
+ {                0x04,       360, 0,  8, "nsCaRevocationUrl"         }, /* 359 */
+ {                0x08,       361, 0,  8, "nsCaPolicyUrl"             }, /* 360 */
+ {                0x0d,         0, 0,  8, "nsComment"                 }, /* 361 */
+ {              0x03,         365, 1,  7, "directory"                 }, /* 362 */
+ {                0x01,         0, 1,  8, ""                          }, /* 363 */
+ {                  0x03,       0, 0,  9, "employeeNumber"            }, /* 364 */
+ {              0x04,           0, 1,  7, "policy"                    }, /* 365 */
+ {                0x01,         0, 0,  8, "nsSGC"                     }, /* 366 */
+ {            0x45,             0, 1,  6, "verisign"                  }, /* 367 */
+ {              0x01,           0, 1,  7, "pki"                       }, /* 368 */
+ {                0x09,         0, 1,  8, "attributes"                }, /* 369 */
+ {                  0x02,     371, 0,  9, "messageType"               }, /* 370 */
+ {                  0x03,     372, 0,  9, "pkiStatus"                 }, /* 371 */
+ {                  0x04,     373, 0,  9, "failInfo"                  }, /* 372 */
+ {                  0x05,     374, 0,  9, "senderNonce"               }, /* 373 */
+ {                  0x06,     375, 0,  9, "recipientNonce"            }, /* 374 */
+ {                  0x07,     376, 0,  9, "transID"                   }, /* 375 */
+ {                  0x08,       0, 0,  9, "extensionReq"              }, /* 376 */
+ {0x67,                         0, 1,  0, ""                          }, /* 377 */
+ {  0x81,                       0, 1,  1, ""                          }, /* 378 */
+ {    0x05,                     0, 1,  2, ""                          }, /* 379 */
+ {      0x02,                   0, 1,  3, "tcg-attribute"             }, /* 380 */
+ {        0x01,               382, 0,  4, "tcg-at-tpmManufacturer"    }, /* 381 */
+ {        0x02,               383, 0,  4, "tcg-at-tpmModel"           }, /* 382 */
+ {        0x03,               384, 0,  4, "tcg-at-tpmVersion"         }, /* 383 */
+ {        0x0F,                 0, 0,  4, "tcg-at-tpmIdLabel"         }  /* 384 */
 };
diff --git a/src/libstrongswan/asn1/oid.h b/src/libstrongswan/asn1/oid.h
index d9838ccd8..085e09ceb 100644
--- a/src/libstrongswan/asn1/oid.h
+++ b/src/libstrongswan/asn1/oid.h
@@ -136,91 +136,91 @@ extern const oid_t oid_names[];
 #define OID_SERVER_AUTH						205
 #define OID_CLIENT_AUTH						206
 #define OID_OCSP_SIGNING					213
-#define OID_XMPP_ADDR						215
-#define OID_AUTHENTICATION_INFO				217
-#define OID_ACCESS_IDENTITY					218
-#define OID_CHARGING_IDENTITY				219
-#define OID_GROUP							220
-#define OID_OCSP							223
-#define OID_BASIC							224
-#define OID_NONCE							225
-#define OID_CRL								226
-#define OID_RESPONSE						227
-#define OID_NO_CHECK						228
-#define OID_ARCHIVE_CUTOFF					229
-#define OID_SERVICE_LOCATOR					230
-#define OID_CA_ISSUERS						231
-#define OID_IKE_INTERMEDIATE				236
-#define OID_DES_CBC							240
-#define OID_SHA1							241
-#define OID_SHA1_WITH_RSA_OIW				242
-#define OID_ECGDSA_PUBKEY					261
-#define OID_ECGDSA_SIG_WITH_RIPEMD160		264
-#define OID_ECGDSA_SIG_WITH_SHA1			265
-#define OID_ECGDSA_SIG_WITH_SHA224			266
-#define OID_ECGDSA_SIG_WITH_SHA256			267
-#define OID_ECGDSA_SIG_WITH_SHA384			268
-#define OID_ECGDSA_SIG_WITH_SHA512			269
-#define OID_SECT163K1						292
-#define OID_SECT163R1						293
-#define OID_SECT239K1						294
-#define OID_SECT113R1						295
-#define OID_SECT113R2						296
-#define OID_SECT112R1						297
-#define OID_SECT112R2						298
-#define OID_SECT160R1						299
-#define OID_SECT160K1						300
-#define OID_SECT256K1						301
-#define OID_SECT163R2						302
-#define OID_SECT283K1						303
-#define OID_SECT283R1						304
-#define OID_SECT131R1						305
-#define OID_SECT131R2						306
-#define OID_SECT193R1						307
-#define OID_SECT193R2						308
-#define OID_SECT233K1						309
-#define OID_SECT233R1						310
-#define OID_SECT128R1						311
-#define OID_SECT128R2						312
-#define OID_SECT160R2						313
-#define OID_SECT192K1						314
-#define OID_SECT224K1						315
-#define OID_SECT224R1						316
-#define OID_SECT384R1						317
-#define OID_SECT521R1						318
-#define OID_SECT409K1						319
-#define OID_SECT409R1						320
-#define OID_SECT571K1						321
-#define OID_SECT571R1						322
-#define OID_AES128_CBC						331
-#define OID_AES128_GCM						332
-#define OID_AES128_CCM						333
-#define OID_AES192_CBC						334
-#define OID_AES192_GCM						335
-#define OID_AES192_CCM						336
-#define OID_AES256_CBC						337
-#define OID_AES256_GCM						338
-#define OID_AES256_CCM						339
-#define OID_SHA256							341
-#define OID_SHA384							342
-#define OID_SHA512							343
-#define OID_SHA224							344
-#define OID_NS_REVOCATION_URL				352
-#define OID_NS_CA_REVOCATION_URL			353
-#define OID_NS_CA_POLICY_URL				354
-#define OID_NS_COMMENT						355
-#define OID_EMPLOYEE_NUMBER					358
-#define OID_PKI_MESSAGE_TYPE				364
-#define OID_PKI_STATUS						365
-#define OID_PKI_FAIL_INFO					366
-#define OID_PKI_SENDER_NONCE				367
-#define OID_PKI_RECIPIENT_NONCE				368
-#define OID_PKI_TRANS_ID					369
-#define OID_TPM_MANUFACTURER				375
-#define OID_TPM_MODEL						376
-#define OID_TPM_VERSION						377
-#define OID_TPM_ID_LABEL					378
+#define OID_XMPP_ADDR						219
+#define OID_AUTHENTICATION_INFO				223
+#define OID_ACCESS_IDENTITY					224
+#define OID_CHARGING_IDENTITY				225
+#define OID_GROUP							226
+#define OID_OCSP							229
+#define OID_BASIC							230
+#define OID_NONCE							231
+#define OID_CRL								232
+#define OID_RESPONSE						233
+#define OID_NO_CHECK						234
+#define OID_ARCHIVE_CUTOFF					235
+#define OID_SERVICE_LOCATOR					236
+#define OID_CA_ISSUERS						237
+#define OID_IKE_INTERMEDIATE				242
+#define OID_DES_CBC							246
+#define OID_SHA1							247
+#define OID_SHA1_WITH_RSA_OIW				248
+#define OID_ECGDSA_PUBKEY					267
+#define OID_ECGDSA_SIG_WITH_RIPEMD160		270
+#define OID_ECGDSA_SIG_WITH_SHA1			271
+#define OID_ECGDSA_SIG_WITH_SHA224			272
+#define OID_ECGDSA_SIG_WITH_SHA256			273
+#define OID_ECGDSA_SIG_WITH_SHA384			274
+#define OID_ECGDSA_SIG_WITH_SHA512			275
+#define OID_SECT163K1						298
+#define OID_SECT163R1						299
+#define OID_SECT239K1						300
+#define OID_SECT113R1						301
+#define OID_SECT113R2						302
+#define OID_SECT112R1						303
+#define OID_SECT112R2						304
+#define OID_SECT160R1						305
+#define OID_SECT160K1						306
+#define OID_SECT256K1						307
+#define OID_SECT163R2						308
+#define OID_SECT283K1						309
+#define OID_SECT283R1						310
+#define OID_SECT131R1						311
+#define OID_SECT131R2						312
+#define OID_SECT193R1						313
+#define OID_SECT193R2						314
+#define OID_SECT233K1						315
+#define OID_SECT233R1						316
+#define OID_SECT128R1						317
+#define OID_SECT128R2						318
+#define OID_SECT160R2						319
+#define OID_SECT192K1						320
+#define OID_SECT224K1						321
+#define OID_SECT224R1						322
+#define OID_SECT384R1						323
+#define OID_SECT521R1						324
+#define OID_SECT409K1						325
+#define OID_SECT409R1						326
+#define OID_SECT571K1						327
+#define OID_SECT571R1						328
+#define OID_AES128_CBC						337
+#define OID_AES128_GCM						338
+#define OID_AES128_CCM						339
+#define OID_AES192_CBC						340
+#define OID_AES192_GCM						341
+#define OID_AES192_CCM						342
+#define OID_AES256_CBC						343
+#define OID_AES256_GCM						344
+#define OID_AES256_CCM						345
+#define OID_SHA256							347
+#define OID_SHA384							348
+#define OID_SHA512							349
+#define OID_SHA224							350
+#define OID_NS_REVOCATION_URL				358
+#define OID_NS_CA_REVOCATION_URL			359
+#define OID_NS_CA_POLICY_URL				360
+#define OID_NS_COMMENT						361
+#define OID_EMPLOYEE_NUMBER					364
+#define OID_PKI_MESSAGE_TYPE				370
+#define OID_PKI_STATUS						371
+#define OID_PKI_FAIL_INFO					372
+#define OID_PKI_SENDER_NONCE				373
+#define OID_PKI_RECIPIENT_NONCE				374
+#define OID_PKI_TRANS_ID					375
+#define OID_TPM_MANUFACTURER				381
+#define OID_TPM_MODEL						382
+#define OID_TPM_VERSION						383
+#define OID_TPM_ID_LABEL					384
 
-#define OID_MAX								379
+#define OID_MAX								385
 
 #endif /* OID_H_ */
diff --git a/src/libstrongswan/asn1/oid.txt b/src/libstrongswan/asn1/oid.txt
index c4677a537..49ef1cdf2 100644
--- a/src/libstrongswan/asn1/oid.txt
+++ b/src/libstrongswan/asn1/oid.txt
@@ -213,7 +213,13 @@
               0x08           "timeStamping"
               0x09           "ocspSigning"				OID_OCSP_SIGNING
             0x08             "id-otherNames"
+              0x01           "personalData"
+              0x02           "userGroup"
+              0x03           "id-on-permanentIdentifier"
+              0x04           "id-on-hardwareModuleName"
               0x05           "xmppAddr"					OID_XMPP_ADDR
+              0x06           "id-on-SIM"
+              0x07           "id-on-dnsSRV"
             0x0A             "id-aca"
               0x01           "authenticationInfo"		OID_AUTHENTICATION_INFO
               0x02           "accessIdentity"			OID_ACCESS_IDENTITY
diff --git a/src/libstrongswan/bio/bio_reader.c b/src/libstrongswan/bio/bio_reader.c
index 17815d6c0..29b9e7279 100644
--- a/src/libstrongswan/bio/bio_reader.c
+++ b/src/libstrongswan/bio/bio_reader.c
@@ -36,6 +36,11 @@ struct private_bio_reader_t {
 	 * Remaining data to process
 	 */
 	chunk_t buf;
+
+	/**
+	 * Optional data to free during destruction
+	 */
+	chunk_t cleanup;
 };
 
 METHOD(bio_reader_t, remaining, u_int32_t,
@@ -302,6 +307,7 @@ METHOD(bio_reader_t, read_data32, bool,
 METHOD(bio_reader_t, destroy, void,
 	private_bio_reader_t *this)
 {
+	free(this->cleanup.ptr);
 	free(this);
 }
 
@@ -339,3 +345,17 @@ bio_reader_t *bio_reader_create(chunk_t data)
 
 	return &this->public;
 }
+
+/**
+ * See header
+ */
+bio_reader_t *bio_reader_create_own(chunk_t data)
+{
+	private_bio_reader_t *this;
+
+	this = (private_bio_reader_t*)bio_reader_create(data);
+
+	this->cleanup = data;
+
+	return &this->public;
+}
diff --git a/src/libstrongswan/bio/bio_reader.h b/src/libstrongswan/bio/bio_reader.h
index 3162f3eda..475422428 100644
--- a/src/libstrongswan/bio/bio_reader.h
+++ b/src/libstrongswan/bio/bio_reader.h
@@ -187,7 +187,18 @@ struct bio_reader_t {
 
 /**
  * Create a bio_reader instance.
+ *
+ * @param data			data buffer, must survive lifetime of reader
+ * @return				reader
  */
 bio_reader_t *bio_reader_create(chunk_t data);
 
-#endif /** bio_reader_H_ @}*/
+/**
+ * Create a bio_reader instance owning buffer.
+ *
+ * @param data			data buffer, gets freed with destroy()
+ * @return				reader
+ */
+bio_reader_t *bio_reader_create_own(chunk_t data);
+
+#endif /** BIO_READER_H_ @}*/
diff --git a/src/libstrongswan/credentials/auth_cfg.c b/src/libstrongswan/credentials/auth_cfg.c
index a718de3dc..d2d0a7d72 100644
--- a/src/libstrongswan/credentials/auth_cfg.c
+++ b/src/libstrongswan/credentials/auth_cfg.c
@@ -76,7 +76,6 @@ static inline bool is_multi_value_rule(auth_rule_t type)
 		case AUTH_RULE_AAA_IDENTITY:
 		case AUTH_RULE_XAUTH_IDENTITY:
 		case AUTH_RULE_XAUTH_BACKEND:
-		case AUTH_RULE_SUBJECT_CERT:
 		case AUTH_HELPER_SUBJECT_CERT:
 		case AUTH_HELPER_SUBJECT_HASH_URL:
 		case AUTH_RULE_MAX:
@@ -84,6 +83,7 @@ static inline bool is_multi_value_rule(auth_rule_t type)
 		case AUTH_RULE_OCSP_VALIDATION:
 		case AUTH_RULE_CRL_VALIDATION:
 		case AUTH_RULE_GROUP:
+		case AUTH_RULE_SUBJECT_CERT:
 		case AUTH_RULE_CA_CERT:
 		case AUTH_RULE_IM_CERT:
 		case AUTH_RULE_CERT_POLICY:
@@ -503,8 +503,9 @@ METHOD(auth_cfg_t, complies, bool,
 	private_auth_cfg_t *this, auth_cfg_t *constraints, bool log_error)
 {
 	enumerator_t *e1, *e2;
-	bool success = TRUE, group_match = FALSE;
+	bool success = TRUE, group_match = FALSE, cert_match = FALSE;
 	identification_t *require_group = NULL;
+	certificate_t *require_cert = NULL;
 	signature_scheme_t scheme = SIGN_UNKNOWN;
 	u_int strength = 0;
 	auth_rule_t t1, t2;
@@ -542,20 +543,21 @@ METHOD(auth_cfg_t, complies, bool,
 			}
 			case AUTH_RULE_SUBJECT_CERT:
 			{
-				certificate_t *c1, *c2;
+				certificate_t *cert;
 
-				c1 = (certificate_t*)value;
-				c2 = get(this, AUTH_RULE_SUBJECT_CERT);
-				if (!c2 || !c1->equals(c1, c2))
+				/* for certs, a match of a single cert is sufficient */
+				require_cert = (certificate_t*)value;
+
+				e2 = create_enumerator(this);
+				while (e2->enumerate(e2, &t2, &cert))
 				{
-					success = FALSE;
-					if (log_error)
+					if (t2 == AUTH_RULE_SUBJECT_CERT &&
+						cert->equals(cert, require_cert))
 					{
-						DBG1(DBG_CFG, "constraint check failed: peer not "
-							 "authenticated with peer cert '%Y'.",
-							 c1->get_subject(c1));
+						cert_match = TRUE;
 					}
 				}
+				e2->destroy(e2);
 				break;
 			}
 			case AUTH_RULE_CRL_VALIDATION:
@@ -828,6 +830,17 @@ METHOD(auth_cfg_t, complies, bool,
 		}
 		return FALSE;
 	}
+
+	if (require_cert && !cert_match)
+	{
+		if (log_error)
+		{
+			DBG1(DBG_CFG, "constraint check failed: peer not "
+				 "authenticated with peer cert '%Y'.",
+				 require_cert->get_subject(require_cert));
+		}
+		return FALSE;
+	}
 	return success;
 }
 
@@ -999,14 +1012,15 @@ METHOD(auth_cfg_t, clone_, auth_cfg_t*,
 {
 	enumerator_t *enumerator;
 	auth_cfg_t *clone;
-	entry_t *entry;
+	auth_rule_t type;
+	void *value;
 
 	clone = auth_cfg_create();
 	/* this enumerator skips duplicates for rules we expect only once */
-	enumerator = this->entries->create_enumerator(this->entries);
-	while (enumerator->enumerate(enumerator, &entry))
+	enumerator = create_enumerator(this);
+	while (enumerator->enumerate(enumerator, &type, &value))
 	{
-		switch (entry->type)
+		switch (type)
 		{
 			case AUTH_RULE_IDENTITY:
 			case AUTH_RULE_EAP_IDENTITY:
@@ -1014,8 +1028,8 @@ METHOD(auth_cfg_t, clone_, auth_cfg_t*,
 			case AUTH_RULE_GROUP:
 			case AUTH_RULE_XAUTH_IDENTITY:
 			{
-				identification_t *id = (identification_t*)entry->value;
-				clone->add(clone, entry->type, id->clone(id));
+				identification_t *id = (identification_t*)value;
+				clone->add(clone, type, id->clone(id));
 				break;
 			}
 			case AUTH_RULE_CA_CERT:
@@ -1025,8 +1039,8 @@ METHOD(auth_cfg_t, clone_, auth_cfg_t*,
 			case AUTH_HELPER_SUBJECT_CERT:
 			case AUTH_HELPER_REVOCATION_CERT:
 			{
-				certificate_t *cert = (certificate_t*)entry->value;
-				clone->add(clone, entry->type, cert->get_ref(cert));
+				certificate_t *cert = (certificate_t*)value;
+				clone->add(clone, type, cert->get_ref(cert));
 				break;
 			}
 			case AUTH_RULE_XAUTH_BACKEND:
@@ -1034,7 +1048,7 @@ METHOD(auth_cfg_t, clone_, auth_cfg_t*,
 			case AUTH_HELPER_IM_HASH_URL:
 			case AUTH_HELPER_SUBJECT_HASH_URL:
 			{
-				clone->add(clone, entry->type, strdup(entry->value));
+				clone->add(clone, type, strdup(value));
 				break;
 			}
 			case AUTH_RULE_IDENTITY_LOOSE:
@@ -1046,7 +1060,7 @@ METHOD(auth_cfg_t, clone_, auth_cfg_t*,
 			case AUTH_RULE_RSA_STRENGTH:
 			case AUTH_RULE_ECDSA_STRENGTH:
 			case AUTH_RULE_SIGNATURE_SCHEME:
-				clone->add(clone, entry->type, (uintptr_t)entry->value);
+				clone->add(clone, type, (uintptr_t)value);
 				break;
 			case AUTH_RULE_MAX:
 				break;
diff --git a/src/libstrongswan/credentials/cert_validator.h b/src/libstrongswan/credentials/cert_validator.h
index 00e30d7a0..325fa0af3 100644
--- a/src/libstrongswan/credentials/cert_validator.h
+++ b/src/libstrongswan/credentials/cert_validator.h
@@ -34,6 +34,22 @@ typedef struct cert_validator_t cert_validator_t;
  */
 struct cert_validator_t {
 
+	/**
+	 * Check the lifetime of a certificate.
+	 *
+	 * If this function returns SUCCESS or FAILED, the certificate lifetime is
+	 * considered definitely (in-)valid, without asking other validators.
+	 * If all registered validaters return NEED_MORE, the default
+	 * lifetime check is performed.
+	 *
+	 * @param cert			certificate to check lifetime
+	 * @param pathlen		the current length of the path bottom-up
+	 * @param anchor		is certificate trusted root anchor?
+	 * @param auth			container for resulting authentication info
+	 * @return				SUCCESS, FAILED or NEED_MORE to ask next validator
+	 */
+	status_t (*check_lifetime)(cert_validator_t *this, certificate_t *cert,
+							   int pathlen, bool anchor, auth_cfg_t *auth);
 	/**
 	 * Validate a subject certificate in relation to its issuer.
 	 *
@@ -43,6 +59,7 @@ struct cert_validator_t {
 	 * @param pathlen		the current length of the path bottom-up
 	 * @param anchor		is issuer trusted root anchor
 	 * @param auth			container for resulting authentication info
+	 * @return				TRUE if subject certificate valid
 	 */
 	bool (*validate)(cert_validator_t *this, certificate_t *subject,
 					 certificate_t *issuer, bool online, u_int pathlen,
diff --git a/src/libstrongswan/credentials/cred_encoding.h b/src/libstrongswan/credentials/cred_encoding.h
index b029fe2ac..41481f376 100644
--- a/src/libstrongswan/credentials/cred_encoding.h
+++ b/src/libstrongswan/credentials/cred_encoding.h
@@ -85,6 +85,8 @@ enum cred_encoding_type_t {
 	/** PGP key encoding */
 	PUBKEY_PGP,
 	PRIVKEY_PGP,
+	/** DNSKEY encoding */
+	PUBKEY_DNSKEY,
 
 	/** ASN.1 DER encoded certificate */
 	CERT_ASN1_DER,
diff --git a/src/libstrongswan/credentials/credential_manager.c b/src/libstrongswan/credentials/credential_manager.c
index 9e40c5a10..f4cd9b9e6 100644
--- a/src/libstrongswan/credentials/credential_manager.c
+++ b/src/libstrongswan/credentials/credential_manager.c
@@ -514,6 +514,52 @@ static void cache_queue(private_credential_manager_t *this)
 	this->queue_mutex->unlock(this->queue_mutex);
 }
 
+/**
+ * Use validators to check the lifetime of certificates
+ */
+static bool check_lifetime(private_credential_manager_t *this,
+						   certificate_t *cert, char *label,
+						   int pathlen, bool trusted, auth_cfg_t *auth)
+{
+	time_t not_before, not_after;
+	cert_validator_t *validator;
+	enumerator_t *enumerator;
+	status_t status = NEED_MORE;
+
+	enumerator = this->validators->create_enumerator(this->validators);
+	while (enumerator->enumerate(enumerator, &validator))
+	{
+		if (!validator->check_lifetime)
+		{
+			continue;
+		}
+		status = validator->check_lifetime(validator, cert,
+										   pathlen, trusted, auth);
+		if (status != NEED_MORE)
+		{
+			break;
+		}
+	}
+	enumerator->destroy(enumerator);
+
+	switch (status)
+	{
+		case NEED_MORE:
+			if (!cert->get_validity(cert, NULL, &not_before, &not_after))
+			{
+				DBG1(DBG_CFG, "%s certificate invalid (valid from %T to %T)",
+					 label, &not_before, FALSE, &not_after, FALSE);
+				return FALSE;
+			}
+			return TRUE;
+		case SUCCESS:
+			return TRUE;
+		case FAILED:
+		default:
+			return FALSE;
+	}
+}
+
 /**
  * check a certificate for its lifetime
  */
@@ -521,26 +567,22 @@ static bool check_certificate(private_credential_manager_t *this,
 				certificate_t *subject, certificate_t *issuer, bool online,
 				int pathlen, bool trusted, auth_cfg_t *auth)
 {
-	time_t not_before, not_after;
 	cert_validator_t *validator;
 	enumerator_t *enumerator;
 
-	if (!subject->get_validity(subject, NULL, &not_before, &not_after))
+	if (!check_lifetime(this, subject, "subject", pathlen, FALSE, auth) ||
+		!check_lifetime(this, issuer, "issuer", pathlen + 1, trusted, auth))
 	{
-		DBG1(DBG_CFG, "subject certificate invalid (valid from %T to %T)",
-			 &not_before, FALSE, &not_after, FALSE);
-		return FALSE;
-	}
-	if (!issuer->get_validity(issuer, NULL, &not_before, &not_after))
-	{
-		DBG1(DBG_CFG, "issuer certificate invalid (valid from %T to %T)",
-			 &not_before, FALSE, &not_after, FALSE);
 		return FALSE;
 	}
 
 	enumerator = this->validators->create_enumerator(this->validators);
 	while (enumerator->enumerate(enumerator, &validator))
 	{
+		if (!validator->validate)
+		{
+			continue;
+		}
 		if (!validator->validate(validator, subject, issuer,
 								 online, pathlen, trusted, auth))
 		{
@@ -1041,6 +1083,29 @@ static private_key_t *get_private_by_cert(private_credential_manager_t *this,
 	return private;
 }
 
+/**
+ * Move the actually used certificate to front, so it gets returned with get()
+ */
+static void prefer_cert(auth_cfg_t *auth, certificate_t *cert)
+{
+	enumerator_t *enumerator;
+	auth_rule_t rule;
+	certificate_t *current;
+
+	enumerator = auth->create_enumerator(auth);
+	while (enumerator->enumerate(enumerator, &rule, &current))
+	{
+		if (rule == AUTH_RULE_SUBJECT_CERT)
+		{
+			current->get_ref(current);
+			auth->replace(auth, enumerator, AUTH_RULE_SUBJECT_CERT, cert);
+			cert = current;
+		}
+	}
+	enumerator->destroy(enumerator);
+	auth->add(auth, AUTH_RULE_SUBJECT_CERT, cert);
+}
+
 METHOD(credential_manager_t, get_private, private_key_t*,
 	private_credential_manager_t *this, key_type_t type, identification_t *id,
 	auth_cfg_t *auth)
@@ -1049,6 +1114,7 @@ METHOD(credential_manager_t, get_private, private_key_t*,
 	certificate_t *cert;
 	private_key_t *private = NULL;
 	auth_cfg_t *trustchain;
+	auth_rule_t rule;
 
 	/* check if this is a lookup by key ID, and do it if so */
 	if (id && id->get_type(id) == ID_KEY_ID)
@@ -1062,7 +1128,35 @@ METHOD(credential_manager_t, get_private, private_key_t*,
 
 	if (auth)
 	{
-		/* if a specific certificate is preferred, check for a matching key */
+		/* try to find a trustchain with one of the configured subject certs */
+		enumerator = auth->create_enumerator(auth);
+		while (enumerator->enumerate(enumerator, &rule, &cert))
+		{
+			if (rule == AUTH_RULE_SUBJECT_CERT)
+			{
+				private = get_private_by_cert(this, cert, type);
+				if (private)
+				{
+					trustchain = build_trustchain(this, cert, auth);
+					if (trustchain)
+					{
+						auth->merge(auth, trustchain, FALSE);
+						prefer_cert(auth, cert->get_ref(cert));
+						trustchain->destroy(trustchain);
+						break;
+					}
+					private->destroy(private);
+					private = NULL;
+				}
+			}
+		}
+		enumerator->destroy(enumerator);
+		if (private)
+		{
+			return private;
+		}
+
+		/* if none yielded a trustchain, enforce the first configured cert */
 		cert = auth->get(auth, AUTH_RULE_SUBJECT_CERT);
 		if (cert)
 		{
diff --git a/src/libstrongswan/credentials/sets/mem_cred.c b/src/libstrongswan/credentials/sets/mem_cred.c
index d697a56ef..b8da3f620 100644
--- a/src/libstrongswan/credentials/sets/mem_cred.c
+++ b/src/libstrongswan/credentials/sets/mem_cred.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2010 Tobias Brunner
+ * Copyright (C) 2010-2013 Tobias Brunner
  * Hochschule fuer Technik Rapperwsil
  * Copyright (C) 2010 Martin Willi
  * Copyright (C) 2010 revosec AG
@@ -555,14 +555,66 @@ METHOD(credential_set_t, create_cdp_enumerator, enumerator_t*,
 
 }
 
-METHOD(mem_cred_t, clear_secrets, void,
-	private_mem_cred_t *this)
+static void reset_secrets(private_mem_cred_t *this)
 {
-	this->lock->write_lock(this->lock);
 	this->keys->destroy_offset(this->keys, offsetof(private_key_t, destroy));
 	this->shared->destroy_function(this->shared, (void*)shared_entry_destroy);
 	this->keys = linked_list_create();
 	this->shared = linked_list_create();
+}
+
+METHOD(mem_cred_t, replace_secrets, void,
+	private_mem_cred_t *this, mem_cred_t *other_set, bool clone)
+{
+	private_mem_cred_t *other = (private_mem_cred_t*)other_set;
+	enumerator_t *enumerator;
+	shared_entry_t *entry, *new_entry;
+	private_key_t *key;
+
+	this->lock->write_lock(this->lock);
+
+	reset_secrets(this);
+
+	if (clone)
+	{
+		enumerator = other->keys->create_enumerator(other->keys);
+		while (enumerator->enumerate(enumerator, &key))
+		{
+			this->keys->insert_last(this->keys, key->get_ref(key));
+		}
+		enumerator->destroy(enumerator);
+		enumerator = other->shared->create_enumerator(other->shared);
+		while (enumerator->enumerate(enumerator, &entry))
+		{
+			INIT(new_entry,
+				.shared = entry->shared->get_ref(entry->shared),
+				.owners = entry->owners->clone_offset(entry->owners,
+											offsetof(identification_t, clone)),
+			);
+			this->shared->insert_last(this->shared, new_entry);
+		}
+		enumerator->destroy(enumerator);
+	}
+	else
+	{
+		while (other->keys->remove_first(other->keys, (void**)&key) == SUCCESS)
+		{
+			this->keys->insert_last(this->keys, key);
+		}
+		while (other->shared->remove_first(other->shared,
+										  (void**)&entry) == SUCCESS)
+		{
+			this->shared->insert_last(this->shared, entry);
+		}
+	}
+	this->lock->unlock(this->lock);
+}
+
+METHOD(mem_cred_t, clear_secrets, void,
+	private_mem_cred_t *this)
+{
+	this->lock->write_lock(this->lock);
+	reset_secrets(this);
 	this->lock->unlock(this->lock);
 }
 
@@ -619,6 +671,7 @@ mem_cred_t *mem_cred_create()
 			.add_shared = _add_shared,
 			.add_shared_list = _add_shared_list,
 			.add_cdp = _add_cdp,
+			.replace_secrets = _replace_secrets,
 			.clear = _clear_,
 			.clear_secrets = _clear_secrets,
 			.destroy = _destroy,
diff --git a/src/libstrongswan/credentials/sets/mem_cred.h b/src/libstrongswan/credentials/sets/mem_cred.h
index 20447207c..d0dd51da1 100644
--- a/src/libstrongswan/credentials/sets/mem_cred.h
+++ b/src/libstrongswan/credentials/sets/mem_cred.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2010 Tobias Brunner
+ * Copyright (C) 2010-2013 Tobias Brunner
  * Hochschule fuer Technik Rapperswil
  * Copyright (C) 2010 Martin Willi
  * Copyright (C) 2010 revosec AG
@@ -100,6 +100,16 @@ struct mem_cred_t {
 	void (*add_cdp)(mem_cred_t *this, certificate_type_t type,
 					identification_t *id, char *uri);
 
+	/**
+	 * Replace all secrets (private and shared keys) in this credential set
+	 * with those of another.
+	 *
+	 * @param other			credential set to get secrets from
+	 * @param clone			TRUE to clone secrets, FALSE to adopt them (they
+	 *						get removed from the other set)
+	 */
+	void (*replace_secrets)(mem_cred_t *this, mem_cred_t *other, bool clone);
+
 	/**
 	 * Clear all credentials from the credential set.
 	 */
diff --git a/src/libstrongswan/crypto/crypto_tester.c b/src/libstrongswan/crypto/crypto_tester.c
index 08b226468..12db0961b 100644
--- a/src/libstrongswan/crypto/crypto_tester.c
+++ b/src/libstrongswan/crypto/crypto_tester.c
@@ -451,7 +451,10 @@ METHOD(crypto_tester_t, test_aead, bool,
 failure:
 		aead->destroy(aead);
 		chunk_free(&cipher);
-		chunk_free(&plain);
+		if (plain.ptr != vector->plain)
+		{
+			chunk_free(&plain);
+		}
 		if (failed)
 		{
 			DBG1(DBG_LIB, "disabled %N[%s]: %s test vector failed",
diff --git a/src/libstrongswan/library.c b/src/libstrongswan/library.c
index 30a7774df..819c6808e 100644
--- a/src/libstrongswan/library.c
+++ b/src/libstrongswan/library.c
@@ -91,6 +91,7 @@ void library_deinit()
 	this->public.crypto->destroy(this->public.crypto);
 	this->public.proposal->destroy(this->public.proposal);
 	this->public.fetcher->destroy(this->public.fetcher);
+	this->public.resolver->destroy(this->public.resolver);
 	this->public.db->destroy(this->public.db);
 	this->public.printf_hook->destroy(this->public.printf_hook);
 	this->objects->destroy(this->objects);
@@ -214,6 +215,7 @@ bool library_init(char *settings)
 	this->public.credmgr = credential_manager_create();
 	this->public.encoding = cred_encoding_create();
 	this->public.fetcher = fetcher_manager_create();
+	this->public.resolver = resolver_manager_create();
 	this->public.db = database_factory_create();
 	this->public.processor = processor_create();
 	this->public.scheduler = scheduler_create();
diff --git a/src/libstrongswan/library.h b/src/libstrongswan/library.h
index f164a6052..3b6d02002 100644
--- a/src/libstrongswan/library.h
+++ b/src/libstrongswan/library.h
@@ -49,6 +49,9 @@
  * @defgroup fetcher fetcher
  * @ingroup libstrongswan
  *
+ * @defgroup resolver resolver
+ * @ingroup libstrongswan
+ *
  * @defgroup ipsec ipsec
  * @ingroup libstrongswan
  *
@@ -92,6 +95,7 @@
 #include "crypto/crypto_factory.h"
 #include "crypto/proposal/proposal_keywords.h"
 #include "fetcher/fetcher_manager.h"
+#include "resolver/resolver_manager.h"
 #include "database/database_factory.h"
 #include "credentials/credential_factory.h"
 #include "credentials/credential_manager.h"
@@ -161,6 +165,11 @@ struct library_t {
 	 */
 	fetcher_manager_t *fetcher;
 
+	/**
+	 * Manager for DNS resolvers
+	 */
+	 resolver_manager_t *resolver;
+
 	/**
 	 * database construction factory
 	 */
diff --git a/src/libstrongswan/networking/packet.c b/src/libstrongswan/networking/packet.c
index a2c329d60..4ff7fc48b 100644
--- a/src/libstrongswan/networking/packet.c
+++ b/src/libstrongswan/networking/packet.c
@@ -39,6 +39,11 @@ struct private_packet_t {
 	 */
 	host_t *destination;
 
+	/**
+	 * DSCP value on packet
+	 */
+	u_int8_t dscp;
+
 	 /**
 	  * message data
 	  */
@@ -89,6 +94,17 @@ METHOD(packet_t, set_data, void,
 	this->adjusted_data = this->data = data;
 }
 
+METHOD(packet_t, get_dscp, u_int8_t,
+	private_packet_t *this)
+{
+	return this->dscp;
+}
+METHOD(packet_t, set_dscp, void,
+	private_packet_t *this, u_int8_t value)
+{
+	this->dscp = value;
+}
+
 METHOD(packet_t, skip_bytes, void,
 	private_packet_t *this, size_t bytes)
 {
@@ -123,6 +139,7 @@ METHOD(packet_t, clone_, packet_t*,
 	{
 		other->set_data(other, chunk_clone(this->adjusted_data));
 	}
+	other->set_dscp(other, this->dscp);
 	return other;
 }
 
@@ -141,6 +158,8 @@ packet_t *packet_create_from_data(host_t *src, host_t *dst, chunk_t data)
 			.get_source = _get_source,
 			.set_destination = _set_destination,
 			.get_destination = _get_destination,
+			.get_dscp = _get_dscp,
+			.set_dscp = _set_dscp,
 			.skip_bytes = _skip_bytes,
 			.clone = _clone_,
 			.destroy = _destroy,
diff --git a/src/libstrongswan/networking/packet.h b/src/libstrongswan/networking/packet.h
index 6fb9cece2..a96a4b84f 100644
--- a/src/libstrongswan/networking/packet.h
+++ b/src/libstrongswan/networking/packet.h
@@ -75,6 +75,20 @@ struct packet_t {
 	 */
 	void (*set_data)(packet_t *packet, chunk_t data);
 
+	/**
+	 * Get the DiffServ Code Point set on this packet.
+	 *
+	 * @return			DSCP value
+	 */
+	u_int8_t (*get_dscp)(packet_t *this);
+
+	/**
+	 * Set the DiffServ Code Point to use on this packet.
+	 *
+	 * @param value		DSCP value
+	 */
+	void (*set_dscp)(packet_t *this, u_int8_t value);
+
 	/**
 	 * Increase the offset where the actual packet data starts.
 	 *
diff --git a/src/libstrongswan/networking/tun_device.c b/src/libstrongswan/networking/tun_device.c
index d07327e5c..1da87df05 100644
--- a/src/libstrongswan/networking/tun_device.c
+++ b/src/libstrongswan/networking/tun_device.c
@@ -88,7 +88,6 @@ static void set_netmask(struct ifreq *ifr, int family, u_int8_t netmask)
 		case AF_INET:
 		{
 			struct sockaddr_in *addr = (struct sockaddr_in*)&ifr->ifr_addr;
-			addr->sin_family = AF_INET;
 			target = (char*)&addr->sin_addr;
 			len = 4;
 			break;
@@ -96,7 +95,6 @@ static void set_netmask(struct ifreq *ifr, int family, u_int8_t netmask)
 		case AF_INET6:
 		{
 			struct sockaddr_in6 *addr = (struct sockaddr_in6*)&ifr->ifr_addr;
-			addr->sin6_family = AF_INET6;
 			target = (char*)&addr->sin6_addr;
 			len = 16;
 			break;
@@ -105,6 +103,8 @@ static void set_netmask(struct ifreq *ifr, int family, u_int8_t netmask)
 			return;
 	}
 
+	ifr->ifr_addr.sa_family = family;
+
 	bytes = (netmask + 7) / 8;
 	bits = (bytes * 8) - netmask;
 
diff --git a/src/libstrongswan/pen/pen.c b/src/libstrongswan/pen/pen.c
index b1b0731d4..474a7a876 100644
--- a/src/libstrongswan/pen/pen.c
+++ b/src/libstrongswan/pen/pen.c
@@ -22,8 +22,10 @@ ENUM_NEXT(pen_names, PEN_IBM, PEN_IBM, PEN_IETF,
 ENUM_NEXT(pen_names, PEN_MICROSOFT, PEN_MICROSOFT, PEN_IBM,
 	"Microsoft");
 ENUM_NEXT(pen_names, PEN_REDHAT, PEN_REDHAT, PEN_MICROSOFT,
-    "Redhat");
-ENUM_NEXT(pen_names, PEN_OSC, PEN_OSC, PEN_REDHAT,
+	"Redhat");
+ENUM_NEXT(pen_names, PEN_ALTIGA, PEN_ALTIGA, PEN_REDHAT,
+	"Altiga");
+ENUM_NEXT(pen_names, PEN_OSC, PEN_OSC, PEN_ALTIGA,
 	"OSC");
 ENUM_NEXT(pen_names, PEN_DEBIAN, PEN_DEBIAN, PEN_OSC,
 	"Debian Project");
@@ -32,7 +34,7 @@ ENUM_NEXT(pen_names, PEN_GOOGLE, PEN_GOOGLE, PEN_DEBIAN,
 ENUM_NEXT(pen_names, PEN_TCG, PEN_TCG, PEN_GOOGLE,
 	"TCG");
 ENUM_NEXT(pen_names, PEN_CANONICAL, PEN_CANONICAL, PEN_TCG,
-    "Canonical");
+	"Canonical");
 ENUM_NEXT(pen_names, PEN_FEDORA, PEN_FEDORA, PEN_CANONICAL,
 	"Fedora Project");
 ENUM_NEXT(pen_names, PEN_FHH, PEN_FHH, PEN_FEDORA,
@@ -41,7 +43,7 @@ ENUM_NEXT(pen_names, PEN_ITA, PEN_ITA, PEN_FHH,
 	"ITA-HSR");
 ENUM_NEXT(pen_names, PEN_OPENPTS, PEN_OPENPTS, PEN_ITA,
 	"OpenPTS");
-ENUM_NEXT(pen_names, PEN_RESERVED, PEN_RESERVED, PEN_OPENPTS,
+ENUM_NEXT(pen_names, PEN_UNASSIGNED, PEN_RESERVED, PEN_OPENPTS,
+	"Unassigned",
 	"Reserved");
 ENUM_END(pen_names, PEN_RESERVED);
-
diff --git a/src/libstrongswan/pen/pen.h b/src/libstrongswan/pen/pen.h
index 9d5df7d49..1760a0578 100644
--- a/src/libstrongswan/pen/pen.h
+++ b/src/libstrongswan/pen/pen.h
@@ -29,25 +29,32 @@
 typedef enum pen_t pen_t;
 typedef struct pen_type_t pen_type_t;
 
+/**
+ * Private enterprise numbers allocated by IANA.
+ *
+ * http://www.iana.org/assignments/enterprise-numbers
+ */
 enum pen_t {
-	PEN_IETF =		0x000000,	/*        0 */
-	PEN_IBM	=		0x000002,	/*        2 */
-	PEN_MICROSOFT = 0x000137,	/*      311 */
-	PEN_REDHAT =	0x000908,	/*     2312 */
-	PEN_OSC =		0x002358,	/*     9048 */
-	PEN_DEBIAN =	0x002572,	/*     9586 */
-	PEN_GOOGLE =    0x002B79,	/*    11129 */
-	PEN_TCG =		0x005597,	/*    21911 */
-	PEN_CANONICAL = 0x007132,	/*    28978 */
-	PEN_FEDORA =	0x0076C1,	/*    30401 */
-	PEN_FHH =		0x0080ab,	/*    32939 */
-	PEN_ITA =		0x00902a,	/*    36906 */
-	PEN_OPENPTS =	0x00950e,	/*    38158 */
-	PEN_RESERVED =	0xffffff,	/* 16777215 */
+	PEN_IETF =			0x000000,	/*        0 */
+	PEN_IBM =			0x000002,	/*        2 */
+	PEN_MICROSOFT =		0x000137,	/*      311 */
+	PEN_REDHAT =		0x000908,	/*     2312 */
+	PEN_ALTIGA =		0x000c04,	/*     3076 */
+	PEN_OSC =			0x002358,	/*     9048 */
+	PEN_DEBIAN =		0x002572,	/*     9586 */
+	PEN_GOOGLE =		0x002B79,	/*    11129 */
+	PEN_TCG =			0x005597,	/*    21911 */
+	PEN_CANONICAL =		0x007132,	/*    28978 */
+	PEN_FEDORA =		0x0076C1,	/*    30401 */
+	PEN_FHH =			0x0080ab,	/*    32939 */
+	PEN_ITA =			0x00902a,	/*    36906 */
+	PEN_OPENPTS =		0x00950e,	/*    38158 */
+	PEN_UNASSIGNED = 	0xfffffe,	/* 16777214 */
+	PEN_RESERVED =		0xffffff,	/* 16777215 */
 };
 
 /**
- * Vendor specific type
+ * Vendor specific type in vendor specific namespace.
  */
 struct pen_type_t {
 	pen_t vendor_id;
@@ -56,13 +63,43 @@ struct pen_type_t {
 
 /**
  * Create a pen_type_t struct
+ *
+ * @param vendor_id		vendor ID to create a pen_type_t
+ * @param type			type to create a pen_type_t
+ * @return				created pen_type_t
  */
 static inline pen_type_t pen_type_create(pen_t vendor_id, u_int32_t type)
 {
-	pen_type_t pen_type = {vendor_id, type};
+	pen_type_t pen_type = { vendor_id, type };
 	return pen_type;
 }
 
+/**
+ * Check two pen_type_t for equality.
+ *
+ * @param a				first pen_type_t to compare
+ * @param b				second pen_type_t to compare
+ * @return				TRUE if a == b
+ */
+static inline bool pen_type_equals(pen_type_t a, pen_type_t b)
+{
+	return a.vendor_id == b.vendor_id && a.type == b.type;
+}
+
+/**
+ * Check if a pen_type_t matches vendor and type.
+ *
+ * @param pen_type		pen_type_t to compare
+ * @param vendor_id		vendor to check in pen_type
+ * @param type			type to check in pen_type
+ * @return				TRUE if vendor_id and type matches pen_type
+ */
+static inline bool pen_type_is(pen_type_t pen_type,
+							   pen_t vendor_id, u_int32_t type)
+{
+	return pen_type.vendor_id == vendor_id && pen_type.type == type;
+}
+
 /**
  * enum names for pen_t.
  */
diff --git a/src/libstrongswan/plugins/aes/Makefile.in b/src/libstrongswan/plugins/aes/Makefile.in
index 99cc71e2c..6010b9c9c 100644
--- a/src/libstrongswan/plugins/aes/Makefile.in
+++ b/src/libstrongswan/plugins/aes/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.11.3 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
@@ -16,6 +16,23 @@
 @SET_MAKE@
 
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -104,6 +121,11 @@ LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
 	$(LDFLAGS) -o $@
 SOURCES = $(libstrongswan_aes_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_aes_la_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
@@ -120,6 +142,8 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -136,6 +160,7 @@ EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
@@ -204,8 +229,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -261,7 +284,6 @@ nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
@@ -348,7 +370,6 @@ clean-noinstLTLIBRARIES:
 	done
 install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
-	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
 	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
 	list2=; for p in $$list; do \
 	  if test -f $$p; then \
@@ -356,6 +377,8 @@ install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	  else :; fi; \
 	done; \
 	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \
 	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
 	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
 	}
diff --git a/src/libstrongswan/plugins/af_alg/Makefile.in b/src/libstrongswan/plugins/af_alg/Makefile.in
index 66b525016..aab2cd847 100644
--- a/src/libstrongswan/plugins/af_alg/Makefile.in
+++ b/src/libstrongswan/plugins/af_alg/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.11.3 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
@@ -16,6 +16,23 @@
 @SET_MAKE@
 
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -108,6 +125,11 @@ LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
 	$(LDFLAGS) -o $@
 SOURCES = $(libstrongswan_af_alg_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_af_alg_la_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
@@ -124,6 +146,8 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -140,6 +164,7 @@ EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
@@ -208,8 +233,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -265,7 +288,6 @@ nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
@@ -357,7 +379,6 @@ clean-noinstLTLIBRARIES:
 	done
 install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
-	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
 	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
 	list2=; for p in $$list; do \
 	  if test -f $$p; then \
@@ -365,6 +386,8 @@ install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	  else :; fi; \
 	done; \
 	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \
 	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
 	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
 	}
diff --git a/src/libstrongswan/plugins/agent/Makefile.in b/src/libstrongswan/plugins/agent/Makefile.in
index ec98cacb9..e7280adcb 100644
--- a/src/libstrongswan/plugins/agent/Makefile.in
+++ b/src/libstrongswan/plugins/agent/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.11.3 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
@@ -16,6 +16,23 @@
 @SET_MAKE@
 
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -106,6 +123,11 @@ LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
 	$(LDFLAGS) -o $@
 SOURCES = $(libstrongswan_agent_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_agent_la_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
@@ -122,6 +144,8 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -138,6 +162,7 @@ EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
@@ -206,8 +231,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -263,7 +286,6 @@ nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
@@ -351,7 +373,6 @@ clean-noinstLTLIBRARIES:
 	done
 install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
-	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
 	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
 	list2=; for p in $$list; do \
 	  if test -f $$p; then \
@@ -359,6 +380,8 @@ install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	  else :; fi; \
 	done; \
 	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \
 	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
 	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
 	}
diff --git a/src/libstrongswan/plugins/blowfish/Makefile.in b/src/libstrongswan/plugins/blowfish/Makefile.in
index 7904719a4..2727a55b1 100644
--- a/src/libstrongswan/plugins/blowfish/Makefile.in
+++ b/src/libstrongswan/plugins/blowfish/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.11.3 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
@@ -16,6 +16,23 @@
 @SET_MAKE@
 
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -108,6 +125,11 @@ LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
 	$(LDFLAGS) -o $@
 SOURCES = $(libstrongswan_blowfish_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_blowfish_la_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
@@ -124,6 +146,8 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -140,6 +164,7 @@ EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
@@ -208,8 +233,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -265,7 +288,6 @@ nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
@@ -353,7 +375,6 @@ clean-noinstLTLIBRARIES:
 	done
 install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
-	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
 	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
 	list2=; for p in $$list; do \
 	  if test -f $$p; then \
@@ -361,6 +382,8 @@ install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	  else :; fi; \
 	done; \
 	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \
 	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
 	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
 	}
diff --git a/src/libstrongswan/plugins/ccm/Makefile.in b/src/libstrongswan/plugins/ccm/Makefile.in
index 2b00c4c46..311f04b87 100644
--- a/src/libstrongswan/plugins/ccm/Makefile.in
+++ b/src/libstrongswan/plugins/ccm/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.11.3 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
@@ -16,6 +16,23 @@
 @SET_MAKE@
 
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -104,6 +121,11 @@ LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
 	$(LDFLAGS) -o $@
 SOURCES = $(libstrongswan_ccm_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_ccm_la_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
@@ -120,6 +142,8 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -136,6 +160,7 @@ EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
@@ -204,8 +229,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -261,7 +284,6 @@ nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
@@ -349,7 +371,6 @@ clean-noinstLTLIBRARIES:
 	done
 install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
-	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
 	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
 	list2=; for p in $$list; do \
 	  if test -f $$p; then \
@@ -357,6 +378,8 @@ install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	  else :; fi; \
 	done; \
 	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \
 	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
 	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
 	}
diff --git a/src/libstrongswan/plugins/ccm/ccm_aead.h b/src/libstrongswan/plugins/ccm/ccm_aead.h
index d5e302f94..79ab31804 100644
--- a/src/libstrongswan/plugins/ccm/ccm_aead.h
+++ b/src/libstrongswan/plugins/ccm/ccm_aead.h
@@ -42,8 +42,8 @@ struct ccm_aead_t {
 /**
  * Create a ccm_aead instance.
  *
- * @param key_size		key size in bytes
  * @param algo			algorithm to implement, a CCM mode
+ * @param key_size		key size in bytes
  * @return				aead, NULL if not supported
  */
 ccm_aead_t *ccm_aead_create(encryption_algorithm_t algo, size_t key_size);
diff --git a/src/libstrongswan/plugins/cmac/Makefile.in b/src/libstrongswan/plugins/cmac/Makefile.in
index 883469557..b771d76d9 100644
--- a/src/libstrongswan/plugins/cmac/Makefile.in
+++ b/src/libstrongswan/plugins/cmac/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.11.3 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
@@ -16,6 +16,23 @@
 @SET_MAKE@
 
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -104,6 +121,11 @@ LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
 	$(LDFLAGS) -o $@
 SOURCES = $(libstrongswan_cmac_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_cmac_la_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
@@ -120,6 +142,8 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -136,6 +160,7 @@ EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
@@ -204,8 +229,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -261,7 +284,6 @@ nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
@@ -348,7 +370,6 @@ clean-noinstLTLIBRARIES:
 	done
 install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
-	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
 	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
 	list2=; for p in $$list; do \
 	  if test -f $$p; then \
@@ -356,6 +377,8 @@ install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	  else :; fi; \
 	done; \
 	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \
 	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
 	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
 	}
diff --git a/src/libstrongswan/plugins/constraints/Makefile.in b/src/libstrongswan/plugins/constraints/Makefile.in
index 65f36db54..e01f1397e 100644
--- a/src/libstrongswan/plugins/constraints/Makefile.in
+++ b/src/libstrongswan/plugins/constraints/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.11.3 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
@@ -16,6 +16,23 @@
 @SET_MAKE@
 
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -108,6 +125,11 @@ LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
 	$(LDFLAGS) -o $@
 SOURCES = $(libstrongswan_constraints_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_constraints_la_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
@@ -124,6 +146,8 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -140,6 +164,7 @@ EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
@@ -208,8 +233,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -265,7 +288,6 @@ nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
@@ -353,7 +375,6 @@ clean-noinstLTLIBRARIES:
 	done
 install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
-	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
 	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
 	list2=; for p in $$list; do \
 	  if test -f $$p; then \
@@ -361,6 +382,8 @@ install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	  else :; fi; \
 	done; \
 	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \
 	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
 	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
 	}
diff --git a/src/libstrongswan/plugins/ctr/Makefile.in b/src/libstrongswan/plugins/ctr/Makefile.in
index 8b4ee6771..7d930d7aa 100644
--- a/src/libstrongswan/plugins/ctr/Makefile.in
+++ b/src/libstrongswan/plugins/ctr/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.11.3 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
@@ -16,6 +16,23 @@
 @SET_MAKE@
 
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -104,6 +121,11 @@ LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
 	$(LDFLAGS) -o $@
 SOURCES = $(libstrongswan_ctr_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_ctr_la_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
@@ -120,6 +142,8 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -136,6 +160,7 @@ EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
@@ -204,8 +229,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -261,7 +284,6 @@ nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
@@ -349,7 +371,6 @@ clean-noinstLTLIBRARIES:
 	done
 install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
-	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
 	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
 	list2=; for p in $$list; do \
 	  if test -f $$p; then \
@@ -357,6 +378,8 @@ install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	  else :; fi; \
 	done; \
 	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \
 	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
 	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
 	}
diff --git a/src/libstrongswan/plugins/curl/Makefile.in b/src/libstrongswan/plugins/curl/Makefile.in
index 93b9ba114..ace838923 100644
--- a/src/libstrongswan/plugins/curl/Makefile.in
+++ b/src/libstrongswan/plugins/curl/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.11.3 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
@@ -16,6 +16,23 @@
 @SET_MAKE@
 
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -104,6 +121,11 @@ LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
 	$(LDFLAGS) -o $@
 SOURCES = $(libstrongswan_curl_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_curl_la_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
@@ -120,6 +142,8 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -136,6 +160,7 @@ EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
@@ -204,8 +229,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -261,7 +284,6 @@ nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
@@ -349,7 +371,6 @@ clean-noinstLTLIBRARIES:
 	done
 install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
-	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
 	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
 	list2=; for p in $$list; do \
 	  if test -f $$p; then \
@@ -357,6 +378,8 @@ install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	  else :; fi; \
 	done; \
 	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \
 	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
 	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
 	}
diff --git a/src/libstrongswan/plugins/curl/curl_fetcher.c b/src/libstrongswan/plugins/curl/curl_fetcher.c
index c68b74f96..b49961a90 100644
--- a/src/libstrongswan/plugins/curl/curl_fetcher.c
+++ b/src/libstrongswan/plugins/curl/curl_fetcher.c
@@ -21,7 +21,7 @@
 
 #include "curl_fetcher.h"
 
-#define DEFAULT_TIMEOUT 10
+#define CONNECT_TIMEOUT 10
 
 typedef struct private_curl_fetcher_t private_curl_fetcher_t;
 
@@ -48,6 +48,11 @@ struct private_curl_fetcher_t {
 	 * Callback function
 	 */
 	fetcher_callback_t cb;
+
+	/**
+	 * Timeout for a transfer
+	 */
+	long timeout;
 };
 
 /**
@@ -94,7 +99,11 @@ METHOD(fetcher_t, fetch, status_t,
 	curl_easy_setopt(this->curl, CURLOPT_ERRORBUFFER, error);
 	curl_easy_setopt(this->curl, CURLOPT_FAILONERROR, TRUE);
 	curl_easy_setopt(this->curl, CURLOPT_NOSIGNAL, TRUE);
-	curl_easy_setopt(this->curl, CURLOPT_CONNECTTIMEOUT, DEFAULT_TIMEOUT);
+	if (this->timeout)
+	{
+		curl_easy_setopt(this->curl, CURLOPT_TIMEOUT, this->timeout);
+	}
+	curl_easy_setopt(this->curl, CURLOPT_CONNECTTIMEOUT, CONNECT_TIMEOUT);
 	curl_easy_setopt(this->curl, CURLOPT_WRITEFUNCTION, (void*)curl_cb);
 	curl_easy_setopt(this->curl, CURLOPT_WRITEDATA, &data);
 	if (this->headers)
@@ -160,8 +169,7 @@ METHOD(fetcher_t, set_option, bool,
 		}
 		case FETCH_TIMEOUT:
 		{
-			curl_easy_setopt(this->curl, CURLOPT_CONNECTTIMEOUT,
-							 va_arg(args, u_int));
+			this->timeout = va_arg(args, u_int);
 			break;
 		}
 		case FETCH_CALLBACK:
@@ -211,4 +219,3 @@ curl_fetcher_t *curl_fetcher_create()
 	}
 	return &this->public;
 }
-
diff --git a/src/libstrongswan/plugins/des/Makefile.in b/src/libstrongswan/plugins/des/Makefile.in
index 49d9f6b6f..8a8e8fe66 100644
--- a/src/libstrongswan/plugins/des/Makefile.in
+++ b/src/libstrongswan/plugins/des/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.11.3 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
@@ -16,6 +16,23 @@
 @SET_MAKE@
 
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -104,6 +121,11 @@ LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
 	$(LDFLAGS) -o $@
 SOURCES = $(libstrongswan_des_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_des_la_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
@@ -120,6 +142,8 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -136,6 +160,7 @@ EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
@@ -204,8 +229,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -261,7 +284,6 @@ nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
@@ -348,7 +370,6 @@ clean-noinstLTLIBRARIES:
 	done
 install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
-	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
 	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
 	list2=; for p in $$list; do \
 	  if test -f $$p; then \
@@ -356,6 +377,8 @@ install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	  else :; fi; \
 	done; \
 	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \
 	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
 	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
 	}
diff --git a/src/libstrongswan/plugins/dnskey/Makefile.am b/src/libstrongswan/plugins/dnskey/Makefile.am
index fbba95e0a..0f2e554c1 100644
--- a/src/libstrongswan/plugins/dnskey/Makefile.am
+++ b/src/libstrongswan/plugins/dnskey/Makefile.am
@@ -11,6 +11,7 @@ endif
 
 libstrongswan_dnskey_la_SOURCES = \
 	dnskey_plugin.h dnskey_plugin.c \
-	dnskey_builder.h dnskey_builder.c
+	dnskey_builder.h dnskey_builder.c \
+	dnskey_encoder.h dnskey_encoder.c
 
 libstrongswan_dnskey_la_LDFLAGS = -module -avoid-version
diff --git a/src/libstrongswan/plugins/dnskey/Makefile.in b/src/libstrongswan/plugins/dnskey/Makefile.in
index d49cac8a7..c30dcb530 100644
--- a/src/libstrongswan/plugins/dnskey/Makefile.in
+++ b/src/libstrongswan/plugins/dnskey/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.11.3 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
@@ -16,6 +16,23 @@
 @SET_MAKE@
 
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -83,7 +100,7 @@ am__installdirs = "$(DESTDIR)$(plugindir)"
 LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
 libstrongswan_dnskey_la_LIBADD =
 am_libstrongswan_dnskey_la_OBJECTS = dnskey_plugin.lo \
-	dnskey_builder.lo
+	dnskey_builder.lo dnskey_encoder.lo
 libstrongswan_dnskey_la_OBJECTS =  \
 	$(am_libstrongswan_dnskey_la_OBJECTS)
 libstrongswan_dnskey_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
@@ -107,6 +124,11 @@ LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
 	$(LDFLAGS) -o $@
 SOURCES = $(libstrongswan_dnskey_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_dnskey_la_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
@@ -123,6 +145,8 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -139,6 +163,7 @@ EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
@@ -207,8 +232,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -264,7 +287,6 @@ nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
@@ -304,7 +326,8 @@ AM_CFLAGS = -rdynamic
 @MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-dnskey.la
 libstrongswan_dnskey_la_SOURCES = \
 	dnskey_plugin.h dnskey_plugin.c \
-	dnskey_builder.h dnskey_builder.c
+	dnskey_builder.h dnskey_builder.c \
+	dnskey_encoder.h dnskey_encoder.c
 
 libstrongswan_dnskey_la_LDFLAGS = -module -avoid-version
 all: all-am
@@ -352,7 +375,6 @@ clean-noinstLTLIBRARIES:
 	done
 install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
-	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
 	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
 	list2=; for p in $$list; do \
 	  if test -f $$p; then \
@@ -360,6 +382,8 @@ install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	  else :; fi; \
 	done; \
 	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \
 	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
 	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
 	}
@@ -391,6 +415,7 @@ distclean-compile:
 	-rm -f *.tab.c
 
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/dnskey_builder.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/dnskey_encoder.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/dnskey_plugin.Plo@am__quote@
 
 .c.o:
diff --git a/src/libstrongswan/plugins/dnskey/dnskey_builder.c b/src/libstrongswan/plugins/dnskey/dnskey_builder.c
index b8a451500..71040437d 100644
--- a/src/libstrongswan/plugins/dnskey/dnskey_builder.c
+++ b/src/libstrongswan/plugins/dnskey/dnskey_builder.c
@@ -39,8 +39,14 @@ enum dnskey_algorithm_t {
 	DNSKEY_ALG_RSA_MD5 = 1,
 	DNSKEY_ALG_DH = 2,
 	DNSKEY_ALG_DSA = 3,
-	DNSKEY_ALG_ECC = 4,
 	DNSKEY_ALG_RSA_SHA1 = 5,
+	DNSKEY_ALG_DSA_NSEC3_SHA1 = 6,
+	DNSKEY_ALG_RSA_SHA1_NSEC3_SHA1 = 7,
+	DNSKEY_ALG_RSA_SHA256 = 8,
+	DNSKEY_ALG_RSA_SHA512 = 10,
+	DNSKEY_ALG_ECC_GOST = 12,
+	DNSKEY_ALG_ECDSA_P256_SHA256 = 13,
+	DNSKEY_ALG_ECDSA_P384_SHA384 = 14
 };
 
 /**
@@ -59,7 +65,11 @@ static dnskey_public_key_t *parse_public_key(chunk_t blob)
 
 	switch (rr->algorithm)
 	{
+		case DNSKEY_ALG_RSA_MD5:
 		case DNSKEY_ALG_RSA_SHA1:
+		case DNSKEY_ALG_RSA_SHA1_NSEC3_SHA1:
+		case DNSKEY_ALG_RSA_SHA256:
+		case DNSKEY_ALG_RSA_SHA512:
 			return lib->creds->create(lib->creds, CRED_PUBLIC_KEY, KEY_RSA,
 									  BUILD_BLOB_DNSKEY, blob, BUILD_END);
 		default:
diff --git a/src/libstrongswan/plugins/dnskey/dnskey_encoder.c b/src/libstrongswan/plugins/dnskey/dnskey_encoder.c
new file mode 100644
index 000000000..3214f3899
--- /dev/null
+++ b/src/libstrongswan/plugins/dnskey/dnskey_encoder.c
@@ -0,0 +1,91 @@
+/*
+ * Copyright (C) 2013 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "dnskey_encoder.h"
+
+#include <utils/debug.h>
+
+/**
+ * Encode an RSA public key in DNSKEY format (RFC 3110)
+ */
+static bool build_pub(chunk_t *encoding, va_list args)
+{
+	chunk_t n, e, pubkey;
+	size_t exp_len;
+	u_char *pos;
+
+	if (cred_encoding_args(args, CRED_PART_RSA_MODULUS, &n,
+						   CRED_PART_RSA_PUB_EXP, &e, CRED_PART_END))
+	{
+		/* remove leading zeros in exponent and modulus */
+		while (*e.ptr == 0)
+		{
+			e = chunk_skip(e, 1);
+		}
+		while (*n.ptr == 0)
+		{
+			n = chunk_skip(n, 1);
+		}
+
+		if (e.len < 256)
+		{
+			/* exponent length fits into a single octet */
+			exp_len = 1;
+			pubkey = chunk_alloc(exp_len + e.len + n.len);
+			pubkey.ptr[0] = (char)e.len;
+		}
+		else if (e.len < 65536)
+		{
+			/* exponent length fits into two octets preceded by zero octet */
+			exp_len = 3;
+			pubkey = chunk_alloc(exp_len + e.len + n.len);
+			pubkey.ptr[0] = 0x00;
+			htoun16(pubkey.ptr + 1, e.len);
+		}
+		else
+		{
+			/* exponent length is too large */
+			return FALSE;
+		}
+
+		/* copy exponent and modulus and convert to base64 format */
+		pos = pubkey.ptr + exp_len;
+		memcpy(pos, e.ptr, e.len);
+		pos += e.len;
+		memcpy(pos, n.ptr, n.len);
+		*encoding = chunk_to_base64(pubkey, NULL);
+		chunk_free(&pubkey);
+
+		return TRUE;
+	}
+	return FALSE;
+}
+
+/**
+ * See header.
+ */
+bool dnskey_encoder_encode(cred_encoding_type_t type, chunk_t *encoding,
+						   va_list args)
+{
+	switch (type)
+	{
+		case PUBKEY_DNSKEY:
+			return build_pub(encoding, args);
+		default:
+			return FALSE;
+	}
+}
+
+
diff --git a/src/libstrongswan/plugins/dnskey/dnskey_encoder.h b/src/libstrongswan/plugins/dnskey/dnskey_encoder.h
new file mode 100644
index 000000000..127260308
--- /dev/null
+++ b/src/libstrongswan/plugins/dnskey/dnskey_encoder.h
@@ -0,0 +1,32 @@
+/*
+ * Copyright (C) 2013 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup dnskey_encoder dnskey_encoder
+ * @{ @ingroup dnskey_p
+ */
+
+#ifndef DNSKEY_ENCODER_H_
+#define DNSKEY_ENCODER_H_
+
+#include <credentials/cred_encoding.h>
+
+/**
+ * Encoding function for DNSKEY (RFC 3110) public key format.
+ */
+bool dnskey_encoder_encode(cred_encoding_type_t type, chunk_t *encoding,
+						  va_list args);
+
+#endif /** DNSKEY_ENCODER_H_ @}*/
diff --git a/src/libstrongswan/plugins/dnskey/dnskey_plugin.c b/src/libstrongswan/plugins/dnskey/dnskey_plugin.c
index b6863e8e3..9a4f6252f 100644
--- a/src/libstrongswan/plugins/dnskey/dnskey_plugin.c
+++ b/src/libstrongswan/plugins/dnskey/dnskey_plugin.c
@@ -17,6 +17,7 @@
 
 #include <library.h>
 #include "dnskey_builder.h"
+#include "dnskey_encoder.h"
 
 typedef struct private_dnskey_plugin_t private_dnskey_plugin_t;
 
@@ -53,6 +54,8 @@ METHOD(plugin_t, get_features, int,
 METHOD(plugin_t, destroy, void,
 	private_dnskey_plugin_t *this)
 {
+	lib->encoding->remove_encoder(lib->encoding, dnskey_encoder_encode);
+
 	free(this);
 }
 
@@ -73,6 +76,8 @@ plugin_t *dnskey_plugin_create()
 		},
 	);
 
+	lib->encoding->add_encoder(lib->encoding, dnskey_encoder_encode);
+
 	return &this->public.plugin;
 }
 
diff --git a/src/libstrongswan/plugins/fips_prf/Makefile.in b/src/libstrongswan/plugins/fips_prf/Makefile.in
index 8192b7f37..6a34c8a7b 100644
--- a/src/libstrongswan/plugins/fips_prf/Makefile.in
+++ b/src/libstrongswan/plugins/fips_prf/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.11.3 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
@@ -16,6 +16,23 @@
 @SET_MAKE@
 
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -107,6 +124,11 @@ LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
 	$(LDFLAGS) -o $@
 SOURCES = $(libstrongswan_fips_prf_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_fips_prf_la_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
@@ -123,6 +145,8 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -139,6 +163,7 @@ EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
@@ -207,8 +232,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -264,7 +287,6 @@ nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
@@ -351,7 +373,6 @@ clean-noinstLTLIBRARIES:
 	done
 install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
-	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
 	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
 	list2=; for p in $$list; do \
 	  if test -f $$p; then \
@@ -359,6 +380,8 @@ install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	  else :; fi; \
 	done; \
 	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \
 	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
 	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
 	}
diff --git a/src/libstrongswan/plugins/gcm/Makefile.in b/src/libstrongswan/plugins/gcm/Makefile.in
index e8f89a7c5..a690613e4 100644
--- a/src/libstrongswan/plugins/gcm/Makefile.in
+++ b/src/libstrongswan/plugins/gcm/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.11.3 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
@@ -16,6 +16,23 @@
 @SET_MAKE@
 
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -104,6 +121,11 @@ LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
 	$(LDFLAGS) -o $@
 SOURCES = $(libstrongswan_gcm_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_gcm_la_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
@@ -120,6 +142,8 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -136,6 +160,7 @@ EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
@@ -204,8 +229,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -261,7 +284,6 @@ nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
@@ -349,7 +371,6 @@ clean-noinstLTLIBRARIES:
 	done
 install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
-	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
 	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
 	list2=; for p in $$list; do \
 	  if test -f $$p; then \
@@ -357,6 +378,8 @@ install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	  else :; fi; \
 	done; \
 	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \
 	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
 	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
 	}
diff --git a/src/libstrongswan/plugins/gcm/gcm_aead.h b/src/libstrongswan/plugins/gcm/gcm_aead.h
index db4be2442..846c3c76c 100644
--- a/src/libstrongswan/plugins/gcm/gcm_aead.h
+++ b/src/libstrongswan/plugins/gcm/gcm_aead.h
@@ -42,8 +42,8 @@ struct gcm_aead_t {
 /**
  * Create a gcm_aead instance.
  *
- * @param key_size		key size in bytes
  * @param algo			algorithm to implement, a gcm mode
+ * @param key_size		key size in bytes
  * @return				aead, NULL if not supported
  */
 gcm_aead_t *gcm_aead_create(encryption_algorithm_t algo, size_t key_size);
diff --git a/src/libstrongswan/plugins/gcrypt/Makefile.in b/src/libstrongswan/plugins/gcrypt/Makefile.in
index ee300b8f3..f866cbb1f 100644
--- a/src/libstrongswan/plugins/gcrypt/Makefile.in
+++ b/src/libstrongswan/plugins/gcrypt/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.11.3 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
@@ -16,6 +16,23 @@
 @SET_MAKE@
 
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -108,6 +125,11 @@ LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
 	$(LDFLAGS) -o $@
 SOURCES = $(libstrongswan_gcrypt_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_gcrypt_la_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
@@ -124,6 +146,8 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -140,6 +164,7 @@ EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
@@ -208,8 +233,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -265,7 +288,6 @@ nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
@@ -359,7 +381,6 @@ clean-noinstLTLIBRARIES:
 	done
 install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
-	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
 	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
 	list2=; for p in $$list; do \
 	  if test -f $$p; then \
@@ -367,6 +388,8 @@ install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	  else :; fi; \
 	done; \
 	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \
 	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
 	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
 	}
diff --git a/src/libstrongswan/plugins/gmp/Makefile.in b/src/libstrongswan/plugins/gmp/Makefile.in
index aeb48ff8a..13fcd7ab5 100644
--- a/src/libstrongswan/plugins/gmp/Makefile.in
+++ b/src/libstrongswan/plugins/gmp/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.11.3 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
@@ -16,6 +16,23 @@
 @SET_MAKE@
 
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -105,6 +122,11 @@ LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
 	$(LDFLAGS) -o $@
 SOURCES = $(libstrongswan_gmp_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_gmp_la_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
@@ -121,6 +143,8 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -137,6 +161,7 @@ EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
@@ -205,8 +230,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -262,7 +285,6 @@ nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
@@ -353,7 +375,6 @@ clean-noinstLTLIBRARIES:
 	done
 install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
-	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
 	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
 	list2=; for p in $$list; do \
 	  if test -f $$p; then \
@@ -361,6 +382,8 @@ install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	  else :; fi; \
 	done; \
 	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \
 	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
 	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
 	}
diff --git a/src/libstrongswan/plugins/hmac/Makefile.in b/src/libstrongswan/plugins/hmac/Makefile.in
index 6af056617..59c15f7c0 100644
--- a/src/libstrongswan/plugins/hmac/Makefile.in
+++ b/src/libstrongswan/plugins/hmac/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.11.3 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
@@ -16,6 +16,23 @@
 @SET_MAKE@
 
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -104,6 +121,11 @@ LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
 	$(LDFLAGS) -o $@
 SOURCES = $(libstrongswan_hmac_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_hmac_la_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
@@ -120,6 +142,8 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -136,6 +160,7 @@ EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
@@ -204,8 +229,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -261,7 +284,6 @@ nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
@@ -348,7 +370,6 @@ clean-noinstLTLIBRARIES:
 	done
 install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
-	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
 	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
 	list2=; for p in $$list; do \
 	  if test -f $$p; then \
@@ -356,6 +377,8 @@ install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	  else :; fi; \
 	done; \
 	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \
 	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
 	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
 	}
diff --git a/src/libstrongswan/plugins/ldap/Makefile.in b/src/libstrongswan/plugins/ldap/Makefile.in
index 95c1932bc..11755b04c 100644
--- a/src/libstrongswan/plugins/ldap/Makefile.in
+++ b/src/libstrongswan/plugins/ldap/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.11.3 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
@@ -16,6 +16,23 @@
 @SET_MAKE@
 
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -104,6 +121,11 @@ LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
 	$(LDFLAGS) -o $@
 SOURCES = $(libstrongswan_ldap_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_ldap_la_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
@@ -120,6 +142,8 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -136,6 +160,7 @@ EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
@@ -204,8 +229,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -261,7 +284,6 @@ nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
@@ -349,7 +371,6 @@ clean-noinstLTLIBRARIES:
 	done
 install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
-	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
 	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
 	list2=; for p in $$list; do \
 	  if test -f $$p; then \
@@ -357,6 +378,8 @@ install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	  else :; fi; \
 	done; \
 	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \
 	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
 	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
 	}
diff --git a/src/libstrongswan/plugins/md4/Makefile.in b/src/libstrongswan/plugins/md4/Makefile.in
index 1abdfecd6..fd25eb78a 100644
--- a/src/libstrongswan/plugins/md4/Makefile.in
+++ b/src/libstrongswan/plugins/md4/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.11.3 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
@@ -16,6 +16,23 @@
 @SET_MAKE@
 
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -104,6 +121,11 @@ LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
 	$(LDFLAGS) -o $@
 SOURCES = $(libstrongswan_md4_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_md4_la_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
@@ -120,6 +142,8 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -136,6 +160,7 @@ EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
@@ -204,8 +229,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -261,7 +284,6 @@ nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
@@ -348,7 +370,6 @@ clean-noinstLTLIBRARIES:
 	done
 install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
-	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
 	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
 	list2=; for p in $$list; do \
 	  if test -f $$p; then \
@@ -356,6 +377,8 @@ install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	  else :; fi; \
 	done; \
 	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \
 	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
 	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
 	}
diff --git a/src/libstrongswan/plugins/md5/Makefile.in b/src/libstrongswan/plugins/md5/Makefile.in
index 2e005e084..e22be6523 100644
--- a/src/libstrongswan/plugins/md5/Makefile.in
+++ b/src/libstrongswan/plugins/md5/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.11.3 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
@@ -16,6 +16,23 @@
 @SET_MAKE@
 
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -104,6 +121,11 @@ LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
 	$(LDFLAGS) -o $@
 SOURCES = $(libstrongswan_md5_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_md5_la_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
@@ -120,6 +142,8 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -136,6 +160,7 @@ EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
@@ -204,8 +229,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -261,7 +284,6 @@ nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
@@ -348,7 +370,6 @@ clean-noinstLTLIBRARIES:
 	done
 install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
-	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
 	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
 	list2=; for p in $$list; do \
 	  if test -f $$p; then \
@@ -356,6 +377,8 @@ install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	  else :; fi; \
 	done; \
 	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \
 	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
 	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
 	}
diff --git a/src/libstrongswan/plugins/mysql/Makefile.in b/src/libstrongswan/plugins/mysql/Makefile.in
index 347b57e11..d054952bd 100644
--- a/src/libstrongswan/plugins/mysql/Makefile.in
+++ b/src/libstrongswan/plugins/mysql/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.11.3 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
@@ -16,6 +16,23 @@
 @SET_MAKE@
 
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -106,6 +123,11 @@ LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
 	$(LDFLAGS) -o $@
 SOURCES = $(libstrongswan_mysql_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_mysql_la_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
@@ -122,6 +144,8 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -138,6 +162,7 @@ EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
@@ -206,8 +231,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -263,7 +286,6 @@ nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
@@ -352,7 +374,6 @@ clean-noinstLTLIBRARIES:
 	done
 install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
-	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
 	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
 	list2=; for p in $$list; do \
 	  if test -f $$p; then \
@@ -360,6 +381,8 @@ install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	  else :; fi; \
 	done; \
 	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \
 	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
 	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
 	}
diff --git a/src/libstrongswan/plugins/mysql/mysql_database.c b/src/libstrongswan/plugins/mysql/mysql_database.c
index 7e1da683e..789f12f20 100644
--- a/src/libstrongswan/plugins/mysql/mysql_database.c
+++ b/src/libstrongswan/plugins/mysql/mysql_database.c
@@ -143,7 +143,7 @@ void mysql_database_deinit()
 {
 	initialized->destroy(initialized);
 	mysql_thread_end();
-	/* mysql_library_end(); would be the clean way, however, it hangs... */
+	mysql_library_end();
 }
 
 /**
diff --git a/src/libstrongswan/plugins/nonce/Makefile.in b/src/libstrongswan/plugins/nonce/Makefile.in
index 03ccb8119..4f651a8f8 100644
--- a/src/libstrongswan/plugins/nonce/Makefile.in
+++ b/src/libstrongswan/plugins/nonce/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.11.3 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
@@ -16,6 +16,23 @@
 @SET_MAKE@
 
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -105,6 +122,11 @@ LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
 	$(LDFLAGS) -o $@
 SOURCES = $(libstrongswan_nonce_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_nonce_la_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
@@ -121,6 +143,8 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -137,6 +161,7 @@ EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
@@ -205,8 +230,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -262,7 +285,6 @@ nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
@@ -350,7 +372,6 @@ clean-noinstLTLIBRARIES:
 	done
 install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
-	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
 	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
 	list2=; for p in $$list; do \
 	  if test -f $$p; then \
@@ -358,6 +379,8 @@ install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	  else :; fi; \
 	done; \
 	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \
 	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
 	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
 	}
diff --git a/src/libstrongswan/plugins/openssl/Makefile.am b/src/libstrongswan/plugins/openssl/Makefile.am
index f971a5e08..e71567311 100644
--- a/src/libstrongswan/plugins/openssl/Makefile.am
+++ b/src/libstrongswan/plugins/openssl/Makefile.am
@@ -25,7 +25,8 @@ libstrongswan_openssl_la_SOURCES = \
 	openssl_crl.c openssl_crl.h \
 	openssl_pkcs7.c openssl_pkcs7.h \
 	openssl_rng.c openssl_rng.h \
-	openssl_hmac.c openssl_hmac.h
+	openssl_hmac.c openssl_hmac.h \
+	openssl_gcm.c openssl_gcm.h
 
 libstrongswan_openssl_la_LDFLAGS = -module -avoid-version
 libstrongswan_openssl_la_LIBADD  = -lcrypto
diff --git a/src/libstrongswan/plugins/openssl/Makefile.in b/src/libstrongswan/plugins/openssl/Makefile.in
index 6d4e2b0d8..5eca47a1c 100644
--- a/src/libstrongswan/plugins/openssl/Makefile.in
+++ b/src/libstrongswan/plugins/openssl/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.11.3 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
@@ -16,6 +16,23 @@
 @SET_MAKE@
 
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -88,7 +105,7 @@ am_libstrongswan_openssl_la_OBJECTS = openssl_plugin.lo \
 	openssl_rsa_private_key.lo openssl_rsa_public_key.lo \
 	openssl_ec_diffie_hellman.lo openssl_ec_private_key.lo \
 	openssl_ec_public_key.lo openssl_x509.lo openssl_crl.lo \
-	openssl_pkcs7.lo openssl_rng.lo openssl_hmac.lo
+	openssl_pkcs7.lo openssl_rng.lo openssl_hmac.lo openssl_gcm.lo
 libstrongswan_openssl_la_OBJECTS =  \
 	$(am_libstrongswan_openssl_la_OBJECTS)
 libstrongswan_openssl_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
@@ -112,6 +129,11 @@ LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
 	$(LDFLAGS) -o $@
 SOURCES = $(libstrongswan_openssl_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_openssl_la_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
@@ -128,6 +150,8 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -144,6 +168,7 @@ EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
@@ -212,8 +237,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -269,7 +292,6 @@ nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
@@ -323,7 +345,8 @@ libstrongswan_openssl_la_SOURCES = \
 	openssl_crl.c openssl_crl.h \
 	openssl_pkcs7.c openssl_pkcs7.h \
 	openssl_rng.c openssl_rng.h \
-	openssl_hmac.c openssl_hmac.h
+	openssl_hmac.c openssl_hmac.h \
+	openssl_gcm.c openssl_gcm.h
 
 libstrongswan_openssl_la_LDFLAGS = -module -avoid-version
 libstrongswan_openssl_la_LIBADD = -lcrypto
@@ -372,7 +395,6 @@ clean-noinstLTLIBRARIES:
 	done
 install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
-	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
 	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
 	list2=; for p in $$list; do \
 	  if test -f $$p; then \
@@ -380,6 +402,8 @@ install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	  else :; fi; \
 	done; \
 	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \
 	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
 	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
 	}
@@ -416,6 +440,7 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/openssl_ec_diffie_hellman.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/openssl_ec_private_key.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/openssl_ec_public_key.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/openssl_gcm.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/openssl_hasher.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/openssl_hmac.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/openssl_pkcs7.Plo@am__quote@
diff --git a/src/libstrongswan/plugins/openssl/openssl_diffie_hellman.c b/src/libstrongswan/plugins/openssl/openssl_diffie_hellman.c
index 4dc5663f1..ff3382473 100644
--- a/src/libstrongswan/plugins/openssl/openssl_diffie_hellman.c
+++ b/src/libstrongswan/plugins/openssl/openssl_diffie_hellman.c
@@ -14,6 +14,10 @@
  * for more details.
  */
 
+#include <openssl/opensslconf.h>
+
+#ifndef OPENSSL_NO_DH
+
 #include <openssl/dh.h>
 
 #include "openssl_diffie_hellman.h"
@@ -193,3 +197,5 @@ openssl_diffie_hellman_t *openssl_diffie_hellman_create(
 
 	return &this->public;
 }
+
+#endif /* OPENSSL_NO_DH */
diff --git a/src/libstrongswan/plugins/openssl/openssl_ec_private_key.c b/src/libstrongswan/plugins/openssl/openssl_ec_private_key.c
index d350d050b..12f264267 100644
--- a/src/libstrongswan/plugins/openssl/openssl_ec_private_key.c
+++ b/src/libstrongswan/plugins/openssl/openssl_ec_private_key.c
@@ -16,7 +16,7 @@
 
 #include <openssl/opensslconf.h>
 
-#ifndef OPENSSL_NO_EC
+#ifndef OPENSSL_NO_ECDSA
 
 #include "openssl_ec_private_key.h"
 #include "openssl_ec_public_key.h"
@@ -423,5 +423,4 @@ error:
 	destroy(this);
 	return NULL;
 }
-#endif /* OPENSSL_NO_EC */
-
+#endif /* OPENSSL_NO_ECDSA */
diff --git a/src/libstrongswan/plugins/openssl/openssl_ec_public_key.c b/src/libstrongswan/plugins/openssl/openssl_ec_public_key.c
index 3f5125b31..c8a45f79a 100644
--- a/src/libstrongswan/plugins/openssl/openssl_ec_public_key.c
+++ b/src/libstrongswan/plugins/openssl/openssl_ec_public_key.c
@@ -16,7 +16,7 @@
 
 #include <openssl/opensslconf.h>
 
-#ifndef OPENSSL_NO_EC
+#ifndef OPENSSL_NO_ECDSA
 
 #include "openssl_ec_public_key.h"
 #include "openssl_util.h"
@@ -360,5 +360,5 @@ openssl_ec_public_key_t *openssl_ec_public_key_load(key_type_t type,
 	}
 	return &this->public;
 }
-#endif /* OPENSSL_NO_EC */
+#endif /* OPENSSL_NO_ECDSA */
 
diff --git a/src/libstrongswan/plugins/openssl/openssl_gcm.c b/src/libstrongswan/plugins/openssl/openssl_gcm.c
new file mode 100644
index 000000000..89d1cd589
--- /dev/null
+++ b/src/libstrongswan/plugins/openssl/openssl_gcm.c
@@ -0,0 +1,265 @@
+/*
+ * Copyright (C) 2013 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <openssl/opensslv.h>
+
+#if OPENSSL_VERSION_NUMBER >= 0x1000100fL
+
+#include "openssl_gcm.h"
+
+#include <openssl/evp.h>
+
+/** as defined in RFC 4106 */
+#define IV_LEN		8
+#define SALT_LEN	4
+#define NONCE_LEN	(IV_LEN + SALT_LEN)
+
+typedef struct private_aead_t private_aead_t;
+
+/**
+ * Private data of aead_t
+ */
+struct private_aead_t {
+
+	/**
+	 * Public interface
+	 */
+	aead_t public;
+
+	/**
+	 * The encryption key
+	 */
+	chunk_t	key;
+
+	/**
+	 * Salt value
+	 */
+	char salt[SALT_LEN];
+
+	/**
+	 * Size of the integrity check value
+	 */
+	size_t icv_size;
+
+	/**
+	 * The cipher to use
+	 */
+	const EVP_CIPHER *cipher;
+};
+
+/**
+ * Do the actual en/decryption in an EVP context
+ */
+static bool crypt(private_aead_t *this, chunk_t data, chunk_t assoc, chunk_t iv,
+				  u_char *out, int enc)
+{
+	EVP_CIPHER_CTX ctx;
+	u_char nonce[NONCE_LEN];
+	bool success = FALSE;
+	int len;
+
+	memcpy(nonce, this->salt, SALT_LEN);
+	memcpy(nonce + SALT_LEN, iv.ptr, IV_LEN);
+
+	EVP_CIPHER_CTX_init(&ctx);
+	EVP_CIPHER_CTX_set_padding(&ctx, 0);
+	if (!EVP_CipherInit_ex(&ctx, this->cipher, NULL, NULL, NULL, enc) ||
+		!EVP_CIPHER_CTX_ctrl(&ctx, EVP_CTRL_GCM_SET_IVLEN, NONCE_LEN, NULL) ||
+		!EVP_CipherInit_ex(&ctx, NULL, NULL, this->key.ptr, nonce, enc))
+	{
+		goto done;
+	}
+	if (!enc && !EVP_CIPHER_CTX_ctrl(&ctx, EVP_CTRL_GCM_SET_TAG, this->icv_size,
+									 data.ptr + data.len))
+	{	/* set ICV for verification on decryption */
+		goto done;
+	}
+	if (assoc.len && !EVP_CipherUpdate(&ctx, NULL, &len, assoc.ptr, assoc.len))
+	{	/* set AAD if specified */
+		goto done;
+	}
+	if (!EVP_CipherUpdate(&ctx, out, &len, data.ptr, data.len) ||
+		!EVP_CipherFinal_ex(&ctx, out + len, &len))
+	{	/* EVP_CipherFinal_ex fails if ICV is incorrect on decryption */
+		goto done;
+	}
+	if (enc && !EVP_CIPHER_CTX_ctrl(&ctx, EVP_CTRL_GCM_GET_TAG, this->icv_size,
+									out + data.len))
+	{	/* copy back the ICV when encrypting */
+		goto done;
+	}
+	success = TRUE;
+
+done:
+	EVP_CIPHER_CTX_cleanup(&ctx);
+	return success;
+}
+
+METHOD(aead_t, encrypt, bool,
+	private_aead_t *this, chunk_t plain, chunk_t assoc, chunk_t iv,
+	chunk_t *encrypted)
+{
+	u_char *out;
+
+	out = plain.ptr;
+	if (encrypted)
+	{
+		*encrypted = chunk_alloc(plain.len + this->icv_size);
+		out = encrypted->ptr;
+	}
+	return crypt(this, plain, assoc, iv, out, 1);
+}
+
+METHOD(aead_t, decrypt, bool,
+	private_aead_t *this, chunk_t encrypted, chunk_t assoc, chunk_t iv,
+	chunk_t *plain)
+{
+	u_char *out;
+
+	if (encrypted.len < this->icv_size)
+	{
+		return FALSE;
+	}
+	encrypted.len -= this->icv_size;
+
+	out = encrypted.ptr;
+	if (plain)
+	{
+		*plain = chunk_alloc(encrypted.len);
+		out = plain->ptr;
+	}
+	return crypt(this, encrypted, assoc, iv, out, 0);
+}
+
+METHOD(aead_t, get_block_size, size_t,
+	private_aead_t *this)
+{
+	return this->cipher->block_size;
+}
+
+METHOD(aead_t, get_icv_size, size_t,
+	private_aead_t *this)
+{
+	return this->icv_size;
+}
+
+METHOD(aead_t, get_iv_size, size_t,
+	private_aead_t *this)
+{
+	return IV_LEN;
+}
+
+METHOD(aead_t, get_key_size, size_t,
+	private_aead_t *this)
+{
+	return this->key.len + SALT_LEN;
+}
+
+METHOD(aead_t, set_key, bool,
+	private_aead_t *this, chunk_t key)
+{
+	if (key.len != get_key_size(this))
+	{
+		return FALSE;
+	}
+	memcpy(this->salt, key.ptr + key.len - SALT_LEN, SALT_LEN);
+	memcpy(this->key.ptr, key.ptr, this->key.len);
+	return TRUE;
+}
+
+METHOD(aead_t, destroy, void,
+	private_aead_t *this)
+{
+	chunk_clear(&this->key);
+	free(this);
+}
+
+/*
+ * Described in header
+ */
+aead_t *openssl_gcm_create(encryption_algorithm_t algo, size_t key_size)
+{
+	private_aead_t *this;
+
+	INIT(this,
+		.public = {
+			.encrypt = _encrypt,
+			.decrypt = _decrypt,
+			.get_block_size = _get_block_size,
+			.get_icv_size = _get_icv_size,
+			.get_iv_size = _get_iv_size,
+			.get_key_size = _get_key_size,
+			.set_key = _set_key,
+			.destroy = _destroy,
+		},
+	);
+
+	switch (algo)
+	{
+		case ENCR_AES_GCM_ICV8:
+			this->icv_size = 8;
+			break;
+		case ENCR_AES_GCM_ICV12:
+			this->icv_size = 12;
+			break;
+		case ENCR_AES_GCM_ICV16:
+			this->icv_size = 16;
+			break;
+		default:
+			free(this);
+			return NULL;
+	}
+
+	switch (algo)
+	{
+		case ENCR_AES_GCM_ICV8:
+		case ENCR_AES_GCM_ICV12:
+		case ENCR_AES_GCM_ICV16:
+			switch (key_size)
+			{
+				case 0:
+					key_size = 16;
+					/* FALL */
+				case 16:
+					this->cipher = EVP_get_cipherbyname("aes-128-gcm");
+					break;
+				case 24:
+					this->cipher = EVP_get_cipherbyname("aes-192-gcm");
+					break;
+				case 32:
+					this->cipher = EVP_get_cipherbyname("aes-256-gcm");
+					break;
+				default:
+					free(this);
+					return NULL;
+			}
+			break;
+		default:
+			free(this);
+			return NULL;
+	}
+
+	if (!this->cipher)
+	{
+		free(this);
+		return NULL;
+	}
+
+	this->key = chunk_alloc(key_size);
+
+	return &this->public;
+}
+
+#endif /* OPENSSL_VERSION_NUMBER */
diff --git a/src/libstrongswan/plugins/openssl/openssl_gcm.h b/src/libstrongswan/plugins/openssl/openssl_gcm.h
new file mode 100644
index 000000000..12d2e8ab6
--- /dev/null
+++ b/src/libstrongswan/plugins/openssl/openssl_gcm.h
@@ -0,0 +1,37 @@
+/*
+ * Copyright (C) 2013 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * Implements the aead_t interface using OpenSSL in GCM mode.
+ *
+ * @defgroup openssl_gcm openssl_gcm
+ * @{ @ingroup openssl_p
+ */
+
+#ifndef OPENSSL_GCM_H_
+#define OPENSSL_GCM_H_
+
+#include <crypto/aead.h>
+
+/**
+ * Constructor to create aead_t implementation.
+ *
+ * @param algo			algorithm to implement
+ * @param key_size		key size in bytes
+ * @return				aead_t object, NULL if not supported
+ */
+aead_t *openssl_gcm_create(encryption_algorithm_t algo, size_t key_size);
+
+#endif /** OPENSSL_GCM_H_ @}*/
diff --git a/src/libstrongswan/plugins/openssl/openssl_hmac.c b/src/libstrongswan/plugins/openssl/openssl_hmac.c
index 5d05425d3..4f0bcc7c3 100644
--- a/src/libstrongswan/plugins/openssl/openssl_hmac.c
+++ b/src/libstrongswan/plugins/openssl/openssl_hmac.c
@@ -35,6 +35,10 @@
  * THE SOFTWARE.
  */
 
+#include <openssl/opensslconf.h>
+
+#ifndef OPENSSL_NO_HMAC
+
 #include <openssl/evp.h>
 #include <openssl/hmac.h>
 
@@ -189,3 +193,4 @@ signer_t *openssl_hmac_signer_create(integrity_algorithm_t algo)
 	return NULL;
 }
 
+#endif /* OPENSSL_NO_HMAC */
diff --git a/src/libstrongswan/plugins/openssl/openssl_pkcs7.c b/src/libstrongswan/plugins/openssl/openssl_pkcs7.c
index ccc426235..9c3c4040c 100644
--- a/src/libstrongswan/plugins/openssl/openssl_pkcs7.c
+++ b/src/libstrongswan/plugins/openssl/openssl_pkcs7.c
@@ -13,8 +13,10 @@
  * for more details.
  */
 
+#include <openssl/opensslv.h>
 #include <openssl/opensslconf.h>
 
+#if OPENSSL_VERSION_NUMBER >= 0x0090807fL
 #ifndef OPENSSL_NO_CMS
 
 #include "openssl_pkcs7.h"
@@ -788,3 +790,4 @@ pkcs7_t *openssl_pkcs7_load(container_type_t type, va_list args)
 }
 
 #endif /* OPENSSL_NO_CMS */
+#endif /* OPENSSL_VERSION_NUMBER */
diff --git a/src/libstrongswan/plugins/openssl/openssl_plugin.c b/src/libstrongswan/plugins/openssl/openssl_plugin.c
index dd6a379d2..915082234 100644
--- a/src/libstrongswan/plugins/openssl/openssl_plugin.c
+++ b/src/libstrongswan/plugins/openssl/openssl_plugin.c
@@ -43,6 +43,7 @@
 #include "openssl_pkcs7.h"
 #include "openssl_rng.h"
 #include "openssl_hmac.h"
+#include "openssl_gcm.h"
 
 typedef struct private_openssl_plugin_t private_openssl_plugin_t;
 
@@ -304,6 +305,21 @@ METHOD(plugin_t, get_features, int,
 			PLUGIN_PROVIDE(SIGNER, AUTH_HMAC_SHA2_512_256),
 #endif
 #endif /* OPENSSL_NO_HMAC */
+#if OPENSSL_VERSION_NUMBER >= 0x1000100fL
+#ifndef OPENSSL_NO_AES
+		/* AES GCM */
+		PLUGIN_REGISTER(AEAD, openssl_gcm_create),
+			PLUGIN_PROVIDE(AEAD, ENCR_AES_GCM_ICV8, 16),
+			PLUGIN_PROVIDE(AEAD, ENCR_AES_GCM_ICV8, 24),
+			PLUGIN_PROVIDE(AEAD, ENCR_AES_GCM_ICV8, 32),
+			PLUGIN_PROVIDE(AEAD, ENCR_AES_GCM_ICV12, 16),
+			PLUGIN_PROVIDE(AEAD, ENCR_AES_GCM_ICV12, 24),
+			PLUGIN_PROVIDE(AEAD, ENCR_AES_GCM_ICV12, 32),
+			PLUGIN_PROVIDE(AEAD, ENCR_AES_GCM_ICV16, 16),
+			PLUGIN_PROVIDE(AEAD, ENCR_AES_GCM_ICV16, 24),
+			PLUGIN_PROVIDE(AEAD, ENCR_AES_GCM_ICV16, 32),
+#endif /* OPENSSL_NO_AES */
+#endif /* OPENSSL_VERSION_NUMBER */
 #ifndef OPENSSL_NO_DH
 		/* MODP DH groups */
 		PLUGIN_REGISTER(DH, openssl_diffie_hellman_create),
@@ -366,10 +382,12 @@ METHOD(plugin_t, get_features, int,
 				PLUGIN_SDEPEND(PUBKEY, KEY_DSA),
 		PLUGIN_REGISTER(CERT_DECODE, openssl_crl_load, TRUE),
 			PLUGIN_PROVIDE(CERT_DECODE, CERT_X509_CRL),
+#if OPENSSL_VERSION_NUMBER >= 0x0090807fL
 #ifndef OPENSSL_NO_CMS
 		PLUGIN_REGISTER(CONTAINER_DECODE, openssl_pkcs7_load, TRUE),
 			PLUGIN_PROVIDE(CONTAINER_DECODE, CONTAINER_PKCS7),
 #endif /* OPENSSL_NO_CMS */
+#endif /* OPENSSL_VERSION_NUMBER */
 #ifndef OPENSSL_NO_ECDH
 		/* EC DH groups */
 		PLUGIN_REGISTER(DH, openssl_ec_diffie_hellman_create),
@@ -470,4 +488,3 @@ plugin_t *openssl_plugin_create()
 
 	return &this->public.plugin;
 }
-
diff --git a/src/libstrongswan/plugins/openssl/openssl_rsa_private_key.c b/src/libstrongswan/plugins/openssl/openssl_rsa_private_key.c
index 926e5928c..fb86a6bf1 100644
--- a/src/libstrongswan/plugins/openssl/openssl_rsa_private_key.c
+++ b/src/libstrongswan/plugins/openssl/openssl_rsa_private_key.c
@@ -14,6 +14,10 @@
  * for more details.
  */
 
+#include <openssl/opensslconf.h>
+
+#ifndef OPENSSL_NO_RSA
+
 #include "openssl_rsa_private_key.h"
 #include "openssl_rsa_public_key.h"
 
@@ -599,3 +603,4 @@ openssl_rsa_private_key_t *openssl_rsa_private_key_connect(key_type_t type,
 #endif /* OPENSSL_NO_ENGINE */
 }
 
+#endif /* OPENSSL_NO_RSA */
diff --git a/src/libstrongswan/plugins/openssl/openssl_rsa_public_key.c b/src/libstrongswan/plugins/openssl/openssl_rsa_public_key.c
index 0da5d2514..bf71d7901 100644
--- a/src/libstrongswan/plugins/openssl/openssl_rsa_public_key.c
+++ b/src/libstrongswan/plugins/openssl/openssl_rsa_public_key.c
@@ -14,6 +14,10 @@
  * for more details.
  */
 
+#include <openssl/opensslconf.h>
+
+#ifndef OPENSSL_NO_RSA
+
 #include "openssl_rsa_public_key.h"
 
 #include <utils/debug.h>
@@ -388,3 +392,5 @@ openssl_rsa_public_key_t *openssl_rsa_public_key_load(key_type_t type,
 	destroy(this);
 	return NULL;
 }
+
+#endif /* OPENSSL_NO_RSA */
diff --git a/src/libstrongswan/plugins/openssl/openssl_sha1_prf.c b/src/libstrongswan/plugins/openssl/openssl_sha1_prf.c
index 8501e2cd4..8c00e6a57 100644
--- a/src/libstrongswan/plugins/openssl/openssl_sha1_prf.c
+++ b/src/libstrongswan/plugins/openssl/openssl_sha1_prf.c
@@ -13,6 +13,10 @@
  * for more details.
  */
 
+#include <openssl/opensslconf.h>
+
+#ifndef OPENSSL_NO_SHA1
+
 #include "openssl_sha1_prf.h"
 
 #include <openssl/sha.h>
@@ -143,3 +147,4 @@ openssl_sha1_prf_t *openssl_sha1_prf_create(pseudo_random_function_t algo)
 	return &this->public;
 }
 
+#endif /* OPENSSL_NO_SHA1 */
diff --git a/src/libstrongswan/plugins/padlock/Makefile.in b/src/libstrongswan/plugins/padlock/Makefile.in
index 94feb11f9..e9ac1d5e3 100644
--- a/src/libstrongswan/plugins/padlock/Makefile.in
+++ b/src/libstrongswan/plugins/padlock/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.11.3 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
@@ -16,6 +16,23 @@
 @SET_MAKE@
 
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -107,6 +124,11 @@ LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
 	$(LDFLAGS) -o $@
 SOURCES = $(libstrongswan_padlock_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_padlock_la_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
@@ -123,6 +145,8 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -139,6 +163,7 @@ EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
@@ -207,8 +232,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -264,7 +287,6 @@ nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
@@ -354,7 +376,6 @@ clean-noinstLTLIBRARIES:
 	done
 install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
-	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
 	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
 	list2=; for p in $$list; do \
 	  if test -f $$p; then \
@@ -362,6 +383,8 @@ install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	  else :; fi; \
 	done; \
 	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \
 	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
 	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
 	}
diff --git a/src/libstrongswan/plugins/pem/Makefile.in b/src/libstrongswan/plugins/pem/Makefile.in
index 580b39caf..bb346b373 100644
--- a/src/libstrongswan/plugins/pem/Makefile.in
+++ b/src/libstrongswan/plugins/pem/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.11.3 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
@@ -16,6 +16,23 @@
 @SET_MAKE@
 
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -105,6 +122,11 @@ LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
 	$(LDFLAGS) -o $@
 SOURCES = $(libstrongswan_pem_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_pem_la_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
@@ -121,6 +143,8 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -137,6 +161,7 @@ EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
@@ -205,8 +230,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -262,7 +285,6 @@ nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
@@ -351,7 +373,6 @@ clean-noinstLTLIBRARIES:
 	done
 install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
-	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
 	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
 	list2=; for p in $$list; do \
 	  if test -f $$p; then \
@@ -359,6 +380,8 @@ install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	  else :; fi; \
 	done; \
 	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \
 	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
 	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
 	}
diff --git a/src/libstrongswan/plugins/pgp/Makefile.in b/src/libstrongswan/plugins/pgp/Makefile.in
index ed0a880f6..a96c6259f 100644
--- a/src/libstrongswan/plugins/pgp/Makefile.in
+++ b/src/libstrongswan/plugins/pgp/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.11.3 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
@@ -16,6 +16,23 @@
 @SET_MAKE@
 
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -105,6 +122,11 @@ LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
 	$(LDFLAGS) -o $@
 SOURCES = $(libstrongswan_pgp_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_pgp_la_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
@@ -121,6 +143,8 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -137,6 +161,7 @@ EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
@@ -205,8 +230,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -262,7 +285,6 @@ nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
@@ -353,7 +375,6 @@ clean-noinstLTLIBRARIES:
 	done
 install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
-	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
 	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
 	list2=; for p in $$list; do \
 	  if test -f $$p; then \
@@ -361,6 +382,8 @@ install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	  else :; fi; \
 	done; \
 	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \
 	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
 	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
 	}
diff --git a/src/libstrongswan/plugins/pkcs1/Makefile.in b/src/libstrongswan/plugins/pkcs1/Makefile.in
index 58989e574..b4e78cd37 100644
--- a/src/libstrongswan/plugins/pkcs1/Makefile.in
+++ b/src/libstrongswan/plugins/pkcs1/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.11.3 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
@@ -16,6 +16,23 @@
 @SET_MAKE@
 
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -106,6 +123,11 @@ LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
 	$(LDFLAGS) -o $@
 SOURCES = $(libstrongswan_pkcs1_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_pkcs1_la_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
@@ -122,6 +144,8 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -138,6 +162,7 @@ EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
@@ -206,8 +231,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -263,7 +286,6 @@ nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
@@ -352,7 +374,6 @@ clean-noinstLTLIBRARIES:
 	done
 install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
-	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
 	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
 	list2=; for p in $$list; do \
 	  if test -f $$p; then \
@@ -360,6 +381,8 @@ install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	  else :; fi; \
 	done; \
 	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \
 	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
 	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
 	}
diff --git a/src/libstrongswan/plugins/pkcs1/pkcs1_encoder.c b/src/libstrongswan/plugins/pkcs1/pkcs1_encoder.c
index 60f0ca757..2c3bf6e7c 100644
--- a/src/libstrongswan/plugins/pkcs1/pkcs1_encoder.c
+++ b/src/libstrongswan/plugins/pkcs1/pkcs1_encoder.c
@@ -22,7 +22,7 @@
 /**
  * Encode a public key in PKCS#1/ASN.1 DER
  */
-bool build_pub(chunk_t *encoding, va_list args)
+static bool build_pub(chunk_t *encoding, va_list args)
 {
 	chunk_t n, e;
 
@@ -40,7 +40,7 @@ bool build_pub(chunk_t *encoding, va_list args)
 /**
  * Encode a public key in PKCS#1/ASN.1 DER, contained in subjectPublicKeyInfo
  */
-bool build_pub_info(chunk_t *encoding, va_list args)
+static bool build_pub_info(chunk_t *encoding, va_list args)
 {
 	chunk_t n, e;
 
@@ -61,7 +61,7 @@ bool build_pub_info(chunk_t *encoding, va_list args)
 /**
  * Encode a private key in PKCS#1/ASN.1 DER
  */
-bool build_priv(chunk_t *encoding, va_list args)
+static bool build_priv(chunk_t *encoding, va_list args)
 {
 	chunk_t n, e, d, p, q, exp1, exp2, coeff;
 
diff --git a/src/libstrongswan/plugins/pkcs11/Makefile.in b/src/libstrongswan/plugins/pkcs11/Makefile.in
index 75faadcf1..aab1ae9de 100644
--- a/src/libstrongswan/plugins/pkcs11/Makefile.in
+++ b/src/libstrongswan/plugins/pkcs11/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.11.3 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
@@ -16,6 +16,23 @@
 @SET_MAKE@
 
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -109,6 +126,11 @@ LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
 	$(LDFLAGS) -o $@
 SOURCES = $(libstrongswan_pkcs11_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_pkcs11_la_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
@@ -125,6 +147,8 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -141,6 +165,7 @@ EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
@@ -209,8 +234,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -266,7 +289,6 @@ nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
@@ -361,7 +383,6 @@ clean-noinstLTLIBRARIES:
 	done
 install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
-	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
 	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
 	list2=; for p in $$list; do \
 	  if test -f $$p; then \
@@ -369,6 +390,8 @@ install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	  else :; fi; \
 	done; \
 	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \
 	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
 	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
 	}
diff --git a/src/libstrongswan/plugins/pkcs7/Makefile.in b/src/libstrongswan/plugins/pkcs7/Makefile.in
index ef45de39d..38781d34d 100644
--- a/src/libstrongswan/plugins/pkcs7/Makefile.in
+++ b/src/libstrongswan/plugins/pkcs7/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.11.3 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
@@ -16,6 +16,23 @@
 @SET_MAKE@
 
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -107,6 +124,11 @@ LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
 	$(LDFLAGS) -o $@
 SOURCES = $(libstrongswan_pkcs7_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_pkcs7_la_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
@@ -123,6 +145,8 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -139,6 +163,7 @@ EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
@@ -207,8 +232,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -264,7 +287,6 @@ nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
@@ -356,7 +378,6 @@ clean-noinstLTLIBRARIES:
 	done
 install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
-	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
 	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
 	list2=; for p in $$list; do \
 	  if test -f $$p; then \
@@ -364,6 +385,8 @@ install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	  else :; fi; \
 	done; \
 	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \
 	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
 	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
 	}
diff --git a/src/libstrongswan/plugins/pkcs8/Makefile.in b/src/libstrongswan/plugins/pkcs8/Makefile.in
index 45a1e16e8..ea62a7d44 100644
--- a/src/libstrongswan/plugins/pkcs8/Makefile.in
+++ b/src/libstrongswan/plugins/pkcs8/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.11.3 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
@@ -16,6 +16,23 @@
 @SET_MAKE@
 
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -105,6 +122,11 @@ LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
 	$(LDFLAGS) -o $@
 SOURCES = $(libstrongswan_pkcs8_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_pkcs8_la_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
@@ -121,6 +143,8 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -137,6 +161,7 @@ EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
@@ -205,8 +230,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -262,7 +285,6 @@ nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
@@ -350,7 +372,6 @@ clean-noinstLTLIBRARIES:
 	done
 install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
-	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
 	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
 	list2=; for p in $$list; do \
 	  if test -f $$p; then \
@@ -358,6 +379,8 @@ install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	  else :; fi; \
 	done; \
 	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \
 	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
 	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
 	}
diff --git a/src/libstrongswan/plugins/pubkey/Makefile.in b/src/libstrongswan/plugins/pubkey/Makefile.in
index 165314993..2b54fd426 100644
--- a/src/libstrongswan/plugins/pubkey/Makefile.in
+++ b/src/libstrongswan/plugins/pubkey/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.11.3 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
@@ -16,6 +16,23 @@
 @SET_MAKE@
 
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -106,6 +123,11 @@ LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
 	$(LDFLAGS) -o $@
 SOURCES = $(libstrongswan_pubkey_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_pubkey_la_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
@@ -122,6 +144,8 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -138,6 +162,7 @@ EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
@@ -206,8 +231,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -263,7 +286,6 @@ nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
@@ -351,7 +373,6 @@ clean-noinstLTLIBRARIES:
 	done
 install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
-	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
 	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
 	list2=; for p in $$list; do \
 	  if test -f $$p; then \
@@ -359,6 +380,8 @@ install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	  else :; fi; \
 	done; \
 	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \
 	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
 	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
 	}
diff --git a/src/libstrongswan/plugins/random/Makefile.in b/src/libstrongswan/plugins/random/Makefile.in
index 07e5dba40..12eaa8a47 100644
--- a/src/libstrongswan/plugins/random/Makefile.in
+++ b/src/libstrongswan/plugins/random/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.11.3 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
@@ -16,6 +16,23 @@
 @SET_MAKE@
 
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -106,6 +123,11 @@ LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
 	$(LDFLAGS) -o $@
 SOURCES = $(libstrongswan_random_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_random_la_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
@@ -122,6 +144,8 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -138,6 +162,7 @@ EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
@@ -206,8 +231,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -263,7 +286,6 @@ nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
@@ -354,7 +376,6 @@ clean-noinstLTLIBRARIES:
 	done
 install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
-	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
 	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
 	list2=; for p in $$list; do \
 	  if test -f $$p; then \
@@ -362,6 +383,8 @@ install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	  else :; fi; \
 	done; \
 	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \
 	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
 	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
 	}
diff --git a/src/libstrongswan/plugins/rdrand/Makefile.in b/src/libstrongswan/plugins/rdrand/Makefile.in
index 9da0ae0c2..e2d9e1a6b 100644
--- a/src/libstrongswan/plugins/rdrand/Makefile.in
+++ b/src/libstrongswan/plugins/rdrand/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.11.3 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
@@ -16,6 +16,23 @@
 @SET_MAKE@
 
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -106,6 +123,11 @@ LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
 	$(LDFLAGS) -o $@
 SOURCES = $(libstrongswan_rdrand_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_rdrand_la_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
@@ -122,6 +144,8 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -138,6 +162,7 @@ EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
@@ -206,8 +231,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -263,7 +286,6 @@ nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
@@ -351,7 +373,6 @@ clean-noinstLTLIBRARIES:
 	done
 install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
-	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
 	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
 	list2=; for p in $$list; do \
 	  if test -f $$p; then \
@@ -359,6 +380,8 @@ install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	  else :; fi; \
 	done; \
 	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \
 	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
 	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
 	}
diff --git a/src/libstrongswan/plugins/rdrand/rdrand_rng.h b/src/libstrongswan/plugins/rdrand/rdrand_rng.h
index d15a48224..3fb49ce6e 100644
--- a/src/libstrongswan/plugins/rdrand/rdrand_rng.h
+++ b/src/libstrongswan/plugins/rdrand/rdrand_rng.h
@@ -15,7 +15,7 @@
 
 /**
  * @defgroup rdrand_rng rdrand_rng
- * @{ @ingroup rdrand
+ * @{ @ingroup rdrand_p
  */
 
 #ifndef RDRAND_RNG_H_
diff --git a/src/libstrongswan/plugins/revocation/Makefile.in b/src/libstrongswan/plugins/revocation/Makefile.in
index df94dc36e..c0008c5b4 100644
--- a/src/libstrongswan/plugins/revocation/Makefile.in
+++ b/src/libstrongswan/plugins/revocation/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.11.3 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
@@ -16,6 +16,23 @@
 @SET_MAKE@
 
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -108,6 +125,11 @@ LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
 	$(LDFLAGS) -o $@
 SOURCES = $(libstrongswan_revocation_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_revocation_la_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
@@ -124,6 +146,8 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -140,6 +164,7 @@ EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
@@ -208,8 +233,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -265,7 +288,6 @@ nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
@@ -353,7 +375,6 @@ clean-noinstLTLIBRARIES:
 	done
 install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
-	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
 	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
 	list2=; for p in $$list; do \
 	  if test -f $$p; then \
@@ -361,6 +382,8 @@ install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	  else :; fi; \
 	done; \
 	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \
 	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
 	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
 	}
diff --git a/src/libstrongswan/plugins/sha1/Makefile.in b/src/libstrongswan/plugins/sha1/Makefile.in
index bfc35d1b8..0308e1b26 100644
--- a/src/libstrongswan/plugins/sha1/Makefile.in
+++ b/src/libstrongswan/plugins/sha1/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.11.3 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
@@ -16,6 +16,23 @@
 @SET_MAKE@
 
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -105,6 +122,11 @@ LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
 	$(LDFLAGS) -o $@
 SOURCES = $(libstrongswan_sha1_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_sha1_la_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
@@ -121,6 +143,8 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -137,6 +161,7 @@ EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
@@ -205,8 +230,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -262,7 +285,6 @@ nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
@@ -350,7 +372,6 @@ clean-noinstLTLIBRARIES:
 	done
 install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
-	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
 	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
 	list2=; for p in $$list; do \
 	  if test -f $$p; then \
@@ -358,6 +379,8 @@ install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	  else :; fi; \
 	done; \
 	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \
 	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
 	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
 	}
diff --git a/src/libstrongswan/plugins/sha2/Makefile.in b/src/libstrongswan/plugins/sha2/Makefile.in
index 1b9d7b717..3d4e915b2 100644
--- a/src/libstrongswan/plugins/sha2/Makefile.in
+++ b/src/libstrongswan/plugins/sha2/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.11.3 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
@@ -16,6 +16,23 @@
 @SET_MAKE@
 
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -104,6 +121,11 @@ LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
 	$(LDFLAGS) -o $@
 SOURCES = $(libstrongswan_sha2_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_sha2_la_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
@@ -120,6 +142,8 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -136,6 +160,7 @@ EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
@@ -204,8 +229,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -261,7 +284,6 @@ nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
@@ -348,7 +370,6 @@ clean-noinstLTLIBRARIES:
 	done
 install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
-	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
 	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
 	list2=; for p in $$list; do \
 	  if test -f $$p; then \
@@ -356,6 +377,8 @@ install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	  else :; fi; \
 	done; \
 	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \
 	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
 	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
 	}
diff --git a/src/libstrongswan/plugins/soup/Makefile.in b/src/libstrongswan/plugins/soup/Makefile.in
index 41cd7bac5..035747700 100644
--- a/src/libstrongswan/plugins/soup/Makefile.in
+++ b/src/libstrongswan/plugins/soup/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.11.3 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
@@ -16,6 +16,23 @@
 @SET_MAKE@
 
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -105,6 +122,11 @@ LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
 	$(LDFLAGS) -o $@
 SOURCES = $(libstrongswan_soup_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_soup_la_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
@@ -121,6 +143,8 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -137,6 +161,7 @@ EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
@@ -205,8 +230,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -262,7 +285,6 @@ nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
@@ -350,7 +372,6 @@ clean-noinstLTLIBRARIES:
 	done
 install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
-	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
 	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
 	list2=; for p in $$list; do \
 	  if test -f $$p; then \
@@ -358,6 +379,8 @@ install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	  else :; fi; \
 	done; \
 	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \
 	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
 	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
 	}
diff --git a/src/libstrongswan/plugins/sqlite/Makefile.in b/src/libstrongswan/plugins/sqlite/Makefile.in
index 8e5b21e49..1a9b21407 100644
--- a/src/libstrongswan/plugins/sqlite/Makefile.in
+++ b/src/libstrongswan/plugins/sqlite/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.11.3 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
@@ -16,6 +16,23 @@
 @SET_MAKE@
 
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -107,6 +124,11 @@ LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
 	$(LDFLAGS) -o $@
 SOURCES = $(libstrongswan_sqlite_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_sqlite_la_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
@@ -123,6 +145,8 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -139,6 +163,7 @@ EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
@@ -207,8 +232,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -264,7 +287,6 @@ nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
@@ -353,7 +375,6 @@ clean-noinstLTLIBRARIES:
 	done
 install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
-	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
 	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
 	list2=; for p in $$list; do \
 	  if test -f $$p; then \
@@ -361,6 +382,8 @@ install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	  else :; fi; \
 	done; \
 	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \
 	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
 	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
 	}
diff --git a/src/libstrongswan/plugins/test_vectors/Makefile.in b/src/libstrongswan/plugins/test_vectors/Makefile.in
index f7ac9f9d0..6cce8686b 100644
--- a/src/libstrongswan/plugins/test_vectors/Makefile.in
+++ b/src/libstrongswan/plugins/test_vectors/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.11.3 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
@@ -16,6 +16,23 @@
 @SET_MAKE@
 
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -113,6 +130,11 @@ LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
 	$(LDFLAGS) -o $@
 SOURCES = $(libstrongswan_test_vectors_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_test_vectors_la_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
@@ -129,6 +151,8 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -145,6 +169,7 @@ EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
@@ -213,8 +238,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -270,7 +293,6 @@ nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
@@ -385,7 +407,6 @@ clean-noinstLTLIBRARIES:
 	done
 install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
-	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
 	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
 	list2=; for p in $$list; do \
 	  if test -f $$p; then \
@@ -393,6 +414,8 @@ install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	  else :; fi; \
 	done; \
 	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \
 	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
 	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
 	}
diff --git a/src/libstrongswan/plugins/unbound/Makefile.am b/src/libstrongswan/plugins/unbound/Makefile.am
new file mode 100644
index 000000000..efb313407
--- /dev/null
+++ b/src/libstrongswan/plugins/unbound/Makefile.am
@@ -0,0 +1,20 @@
+
+INCLUDES = -I$(top_srcdir)/src/libstrongswan
+
+AM_CFLAGS = -rdynamic -DIPSEC_CONFDIR=\"${sysconfdir}\"
+
+
+if MONOLITHIC
+noinst_LTLIBRARIES = libstrongswan-unbound.la
+else
+plugin_LTLIBRARIES = libstrongswan-unbound.la
+endif
+
+libstrongswan_unbound_la_SOURCES = \
+	unbound_plugin.h unbound_plugin.c \
+	unbound_resolver.c unbound_resolver.h \
+	unbound_rr.h unbound_rr.c \
+	unbound_response.h unbound_response.c
+
+libstrongswan_unbound_la_LDFLAGS = -module -avoid-version
+libstrongswan_unbound_la_LIBADD  = -lunbound -lldns
diff --git a/src/libstrongswan/plugins/unbound/Makefile.in b/src/libstrongswan/plugins/unbound/Makefile.in
new file mode 100644
index 000000000..f1a37bb03
--- /dev/null
+++ b/src/libstrongswan/plugins/unbound/Makefile.in
@@ -0,0 +1,661 @@
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
+pkgdatadir = $(datadir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+subdir = src/libstrongswan/plugins/unbound
+DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+	$(top_srcdir)/m4/config/ltoptions.m4 \
+	$(top_srcdir)/m4/config/ltsugar.m4 \
+	$(top_srcdir)/m4/config/ltversion.m4 \
+	$(top_srcdir)/m4/config/lt~obsolete.m4 \
+	$(top_srcdir)/m4/macros/with.m4 \
+	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
+	$(top_srcdir)/configure.in
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+	$(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_HEADER = $(top_builddir)/config.h
+CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+    *) f=$$p;; \
+  esac;
+am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
+am__install_max = 40
+am__nobase_strip_setup = \
+  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
+am__nobase_strip = \
+  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
+am__nobase_list = $(am__nobase_strip_setup); \
+  for p in $$list; do echo "$$p $$p"; done | \
+  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
+  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
+    if (++n[$$2] == $(am__install_max)) \
+      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
+    END { for (dir in files) print dir, files[dir] }'
+am__base_list = \
+  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
+  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
+am__installdirs = "$(DESTDIR)$(plugindir)"
+LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
+libstrongswan_unbound_la_DEPENDENCIES =
+am_libstrongswan_unbound_la_OBJECTS = unbound_plugin.lo \
+	unbound_resolver.lo unbound_rr.lo unbound_response.lo
+libstrongswan_unbound_la_OBJECTS =  \
+	$(am_libstrongswan_unbound_la_OBJECTS)
+libstrongswan_unbound_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(libstrongswan_unbound_la_LDFLAGS) $(LDFLAGS) -o $@
+@MONOLITHIC_FALSE@am_libstrongswan_unbound_la_rpath = -rpath \
+@MONOLITHIC_FALSE@	$(plugindir)
+@MONOLITHIC_TRUE@am_libstrongswan_unbound_la_rpath =
+DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
+depcomp = $(SHELL) $(top_srcdir)/depcomp
+am__depfiles_maybe = depfiles
+am__mv = mv -f
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
+	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CCLD = $(CC)
+LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
+	$(LDFLAGS) -o $@
+SOURCES = $(libstrongswan_unbound_la_SOURCES)
+DIST_SOURCES = $(libstrongswan_unbound_la_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
+ETAGS = etags
+CTAGS = ctags
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
+AMTAR = @AMTAR@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+BFDLIB = @BFDLIB@
+BTLIB = @BTLIB@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
+DSYMUTIL = @DSYMUTIL@
+DUMPBIN = @DUMPBIN@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+FGREP = @FGREP@
+GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
+GREP = @GREP@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LD = @LD@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LIPO = @LIPO@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
+MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
+NM = @NM@
+NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
+PTHREADLIB = @PTHREADLIB@
+RANLIB = @RANLIB@
+RTLIB = @RTLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
+SED = @SED@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
+STRIP = @STRIP@
+VERSION = @VERSION@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+attest_plugins = @attest_plugins@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+c_plugins = @c_plugins@
+charon_natt_port = @charon_natt_port@
+charon_plugins = @charon_plugins@
+charon_udp_port = @charon_udp_port@
+clearsilver_LIBS = @clearsilver_LIBS@
+datadir = @datadir@
+datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
+dev_headers = @dev_headers@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+gtk_CFLAGS = @gtk_CFLAGS@
+gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+imcvdir = @imcvdir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+ipsec_script = @ipsec_script@
+ipsec_script_upper = @ipsec_script_upper@
+ipsecdir = @ipsecdir@
+ipsecgroup = @ipsecgroup@
+ipseclibdir = @ipseclibdir@
+ipsecuser = @ipsecuser@
+libdir = @libdir@
+libexecdir = @libexecdir@
+linux_headers = @linux_headers@
+localedir = @localedir@
+localstatedir = @localstatedir@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
+mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
+mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
+nm_plugins = @nm_plugins@
+oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+pcsclite_CFLAGS = @pcsclite_CFLAGS@
+pcsclite_LIBS = @pcsclite_LIBS@
+pdfdir = @pdfdir@
+piddir = @piddir@
+pki_plugins = @pki_plugins@
+plugindir = @plugindir@
+pool_plugins = @pool_plugins@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+random_device = @random_device@
+resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
+sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
+sharedstatedir = @sharedstatedir@
+soup_CFLAGS = @soup_CFLAGS@
+soup_LIBS = @soup_LIBS@
+srcdir = @srcdir@
+starter_plugins = @starter_plugins@
+strongswan_conf = @strongswan_conf@
+sysconfdir = @sysconfdir@
+systemdsystemunitdir = @systemdsystemunitdir@
+target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+urandom_device = @urandom_device@
+xml_CFLAGS = @xml_CFLAGS@
+xml_LIBS = @xml_LIBS@
+INCLUDES = -I$(top_srcdir)/src/libstrongswan
+AM_CFLAGS = -rdynamic -DIPSEC_CONFDIR=\"${sysconfdir}\"
+@MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-unbound.la
+@MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-unbound.la
+libstrongswan_unbound_la_SOURCES = \
+	unbound_plugin.h unbound_plugin.c \
+	unbound_resolver.c unbound_resolver.h \
+	unbound_rr.h unbound_rr.c \
+	unbound_response.h unbound_response.c
+
+libstrongswan_unbound_la_LDFLAGS = -module -avoid-version
+libstrongswan_unbound_la_LIBADD = -lunbound -lldns
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .c .lo .o .obj
+$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
+	@for dep in $?; do \
+	  case '$(am__configure_deps)' in \
+	    *$$dep*) \
+	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+	        && { if test -f $@; then exit 0; else break; fi; }; \
+	      exit 1;; \
+	  esac; \
+	done; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libstrongswan/plugins/unbound/Makefile'; \
+	$(am__cd) $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu src/libstrongswan/plugins/unbound/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+	@case '$?' in \
+	  *config.status*) \
+	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+	  *) \
+	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+	esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure:  $(am__configure_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
+
+clean-noinstLTLIBRARIES:
+	-test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES)
+	@list='$(noinst_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
+	@$(NORMAL_INSTALL)
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	list2=; for p in $$list; do \
+	  if test -f $$p; then \
+	    list2="$$list2 $$p"; \
+	  else :; fi; \
+	done; \
+	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
+	}
+
+uninstall-pluginLTLIBRARIES:
+	@$(NORMAL_UNINSTALL)
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	for p in $$list; do \
+	  $(am__strip_dir) \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \
+	done
+
+clean-pluginLTLIBRARIES:
+	-test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES)
+	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+libstrongswan-unbound.la: $(libstrongswan_unbound_la_OBJECTS) $(libstrongswan_unbound_la_DEPENDENCIES) $(EXTRA_libstrongswan_unbound_la_DEPENDENCIES) 
+	$(libstrongswan_unbound_la_LINK) $(am_libstrongswan_unbound_la_rpath) $(libstrongswan_unbound_la_OBJECTS) $(libstrongswan_unbound_la_LIBADD) $(LIBS)
+
+mostlyclean-compile:
+	-rm -f *.$(OBJEXT)
+
+distclean-compile:
+	-rm -f *.tab.c
+
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/unbound_plugin.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/unbound_resolver.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/unbound_response.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/unbound_rr.Plo@am__quote@
+
+.c.o:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+
+.c.obj:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+
+.c.lo:
+@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	mkid -fID $$unique
+tags: TAGS
+
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	set x; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	shift; \
+	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
+	  test -n "$$unique" || unique=$$empty_fix; \
+	  if test $$# -gt 0; then \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      "$$@" $$unique; \
+	  else \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      $$unique; \
+	  fi; \
+	fi
+ctags: CTAGS
+CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	test -z "$(CTAGS_ARGS)$$unique" \
+	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+	     $$unique
+
+GTAGS:
+	here=`$(am__cd) $(top_builddir) && pwd` \
+	  && $(am__cd) $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) "$$here"
+
+distclean-tags:
+	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+distdir: $(DISTFILES)
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
+	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d "$(distdir)/$$file"; then \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
+	  else \
+	    test -f "$(distdir)/$$file" \
+	    || cp -p $$d/$$file "$(distdir)/$$file" \
+	    || exit 1; \
+	  fi; \
+	done
+check-am: all-am
+check: check-am
+all-am: Makefile $(LTLIBRARIES)
+installdirs:
+	for dir in "$(DESTDIR)$(plugindir)"; do \
+	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
+	done
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
+
+maintainer-clean-generic:
+	@echo "This command is intended for maintainers to use"
+	@echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-generic clean-libtool clean-noinstLTLIBRARIES \
+	clean-pluginLTLIBRARIES mostlyclean-am
+
+distclean: distclean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+	distclean-tags
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+html-am:
+
+info: info-am
+
+info-am:
+
+install-data-am: install-pluginLTLIBRARIES
+
+install-dvi: install-dvi-am
+
+install-dvi-am:
+
+install-exec-am:
+
+install-html: install-html-am
+
+install-html-am:
+
+install-info: install-info-am
+
+install-info-am:
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-pdf-am:
+
+install-ps: install-ps-am
+
+install-ps-am:
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+	mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am: uninstall-pluginLTLIBRARIES
+
+.MAKE: install-am install-strip
+
+.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
+	clean-libtool clean-noinstLTLIBRARIES clean-pluginLTLIBRARIES \
+	ctags distclean distclean-compile distclean-generic \
+	distclean-libtool distclean-tags distdir dvi dvi-am html \
+	html-am info info-am install install-am install-data \
+	install-data-am install-dvi install-dvi-am install-exec \
+	install-exec-am install-html install-html-am install-info \
+	install-info-am install-man install-pdf install-pdf-am \
+	install-pluginLTLIBRARIES install-ps install-ps-am \
+	install-strip installcheck installcheck-am installdirs \
+	maintainer-clean maintainer-clean-generic mostlyclean \
+	mostlyclean-compile mostlyclean-generic mostlyclean-libtool \
+	pdf pdf-am ps ps-am tags uninstall uninstall-am \
+	uninstall-pluginLTLIBRARIES
+
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/src/libstrongswan/plugins/unbound/unbound_plugin.c b/src/libstrongswan/plugins/unbound/unbound_plugin.c
new file mode 100644
index 000000000..90b95330a
--- /dev/null
+++ b/src/libstrongswan/plugins/unbound/unbound_plugin.c
@@ -0,0 +1,66 @@
+/*
+ * Copyright (C) 2011-2012 Reto Guadagnini
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "unbound_plugin.h"
+
+#include <library.h>
+#include "unbound_resolver.h"
+
+typedef struct private_unbound_plugin_t private_unbound_plugin_t;
+
+/**
+ * private data of unbound_plugin
+ */
+struct private_unbound_plugin_t {
+
+	/**
+	 * public functions
+	 */
+	unbound_plugin_t public;
+};
+
+METHOD(plugin_t, get_name, char*,
+	private_unbound_plugin_t *this)
+{
+	return "unbound";
+}
+
+METHOD(plugin_t, destroy, void,
+	private_unbound_plugin_t *this)
+{
+	lib->resolver->remove_resolver(lib->resolver, unbound_resolver_create);
+	free(this);
+}
+
+/*
+ * see header file
+ */
+plugin_t *unbound_plugin_create()
+{
+	private_unbound_plugin_t *this;
+
+	INIT(this,
+		.public = {
+			.plugin = {
+				.get_name = _get_name,
+				.destroy = _destroy,
+			},
+		},
+	);
+
+	lib->resolver->add_resolver(lib->resolver, unbound_resolver_create);
+
+	return &this->public.plugin;
+}
diff --git a/src/libstrongswan/plugins/unbound/unbound_plugin.h b/src/libstrongswan/plugins/unbound/unbound_plugin.h
new file mode 100644
index 000000000..1f0d36454
--- /dev/null
+++ b/src/libstrongswan/plugins/unbound/unbound_plugin.h
@@ -0,0 +1,42 @@
+/*
+ * Copyright (C) 2011-2012 Reto Guadagnini
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup unbound_p unbound
+ * @ingroup plugins
+ *
+ * @defgroup unbound_plugin unbound_plugin
+ * @{ @ingroup unbound_p
+ */
+
+#ifndef unbound_PLUGIN_H_
+#define unbound_PLUGIN_H_
+
+#include <plugins/plugin.h>
+
+typedef struct unbound_plugin_t unbound_plugin_t;
+
+/**
+ * Plugin implementing the resolver interface using the libunbound DNS library.
+ */
+struct unbound_plugin_t {
+
+	/**
+	 * implements plugin interface
+	 */
+	plugin_t plugin;
+};
+
+#endif /** unbound_PLUGIN_H_ @}*/
diff --git a/src/libstrongswan/plugins/unbound/unbound_resolver.c b/src/libstrongswan/plugins/unbound/unbound_resolver.c
new file mode 100644
index 000000000..44a2c764b
--- /dev/null
+++ b/src/libstrongswan/plugins/unbound/unbound_resolver.c
@@ -0,0 +1,143 @@
+/*
+ * Copyright (C) 2011-2012 Reto Guadagnini
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <unbound.h>
+#include <errno.h>
+#include <ldns/ldns.h>
+#include <string.h>
+
+#include <library.h>
+#include <utils/debug.h>
+
+#include "unbound_resolver.h"
+#include "unbound_response.h"
+
+/* DNS resolver configuration and DNSSEC trust anchors */
+#define RESOLV_CONF_FILE	"/etc/resolv.conf"
+#define TRUST_ANCHOR_FILE	IPSEC_CONFDIR "/ipsec.d/dnssec.keys"
+
+typedef struct private_resolver_t private_resolver_t;
+
+/**
+ * private data of a unbound_resolver_t object.
+ */
+struct private_resolver_t {
+
+	/**
+	 * Public data
+	 */
+	resolver_t public;
+
+	/**
+	 * private unbound resolver handle (unbound context)
+	 */
+	struct ub_ctx *ctx;
+};
+
+/**
+ * query method implementation
+ */
+METHOD(resolver_t, query, resolver_response_t*,
+	private_resolver_t *this, char *domain, rr_class_t rr_class,
+	rr_type_t rr_type)
+{
+	unbound_response_t *response = NULL;
+	struct ub_result *result = NULL;
+	int ub_retval;
+
+	ub_retval = ub_resolve(this->ctx, domain, rr_type, rr_class, &result);
+	if (ub_retval)
+	{
+		DBG1(DBG_LIB, "unbound resolver error: %s", ub_strerror(ub_retval));
+		ub_resolve_free(result);
+		return NULL;
+	}
+
+	response = unbound_response_create_frm_libub_response(result);
+	if (!response)
+	{
+		DBG1(DBG_LIB, "unbound resolver failed to create response");
+		ub_resolve_free(result);
+		return NULL;
+	}
+	ub_resolve_free(result);
+
+	return (resolver_response_t*)response;
+}
+
+/**
+ * destroy method implementation
+ */
+METHOD(resolver_t, destroy, void,
+	private_resolver_t *this)
+{
+	ub_ctx_delete(this->ctx);
+	free(this);
+}
+
+/*
+ * Described in header.
+ */
+resolver_t *unbound_resolver_create(void)
+{
+	private_resolver_t *this;
+	int ub_retval = 0;
+	char *resolv_conf_file;
+	char *trust_anchor_file;
+
+	resolv_conf_file = lib->settings->get_str(lib->settings,
+						"libstrongswan.plugins.unbound.resolv_conf",
+						RESOLV_CONF_FILE);
+
+	trust_anchor_file = lib->settings->get_str(lib->settings,
+						"libstrongswan.plugins.unbound.trust_anchors",
+						TRUST_ANCHOR_FILE);
+
+	INIT(this,
+		.public = {
+			.query = _query,
+			.destroy = _destroy,
+		},
+	);
+
+	this->ctx = ub_ctx_create();
+	if (!this->ctx)
+	{
+		DBG1(DBG_LIB, "failed to create unbound resolver context");
+		destroy(this);
+		return NULL;
+	}
+
+	DBG1(DBG_CFG, "loading unbound resolver config from '%s'", resolv_conf_file);
+	ub_retval = ub_ctx_resolvconf(this->ctx, resolv_conf_file);
+	if (ub_retval)
+	{
+		DBG1(DBG_CFG, "failed to read the resolver config: %s (%s)",
+					   ub_strerror(ub_retval), strerror(errno));
+		destroy(this);
+		return NULL;
+	}
+
+	DBG1(DBG_CFG, "loading unbound trust anchors from '%s'", trust_anchor_file);
+	ub_retval = ub_ctx_add_ta_file(this->ctx, trust_anchor_file);
+	if (ub_retval)
+	{
+		DBG1(DBG_CFG, "failed to load trust anchors: %s (%s)",
+					   ub_strerror(ub_retval), strerror(errno));
+	}
+
+	return &this->public;
+}
+
diff --git a/src/libstrongswan/plugins/unbound/unbound_resolver.h b/src/libstrongswan/plugins/unbound/unbound_resolver.h
new file mode 100644
index 000000000..818a717b8
--- /dev/null
+++ b/src/libstrongswan/plugins/unbound/unbound_resolver.h
@@ -0,0 +1,29 @@
+/*
+ * Copyright (C) 2011-2012 Reto Guadagnini
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup unbound_resolver unbound_resolver
+ * @{ @ingroup unbound_p
+ */
+
+#ifndef unbound_RESOLVER_H_
+#define unbound_RESOLVER_H_
+
+/**
+ * Create a resolver_t instance.
+ */
+resolver_t *unbound_resolver_create(void);
+
+#endif /** LIBunbound_RESOLVER_H_ @}*/
diff --git a/src/libstrongswan/plugins/unbound/unbound_response.c b/src/libstrongswan/plugins/unbound/unbound_response.c
new file mode 100644
index 000000000..6f6c25e89
--- /dev/null
+++ b/src/libstrongswan/plugins/unbound/unbound_response.c
@@ -0,0 +1,259 @@
+/*
+ * Copyright (C) 2012 Reto Guadagnini
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <resolver/resolver_response.h>
+#include <resolver/rr.h>
+#include "unbound_rr.h"
+#include "unbound_response.h"
+
+#include <library.h>
+#include <utils/debug.h>
+
+#include <unbound.h>
+#include <ldns/ldns.h>
+
+typedef struct private_unbound_response_t private_unbound_response_t;
+
+/**
+ * private data of an unbound_response_t object.
+ */
+struct private_unbound_response_t {
+
+	/**
+	 * Public data
+	 */
+	unbound_response_t public;
+
+	/**
+	 * Original question string
+	 */
+	char* query_name;
+
+	/**
+	 * Canonical name of the response
+	 */
+	char* canon_name;
+
+	/**
+	 * Are the some RRs in the RRset of this response?
+	 */
+	bool has_data;
+
+	/*
+	 * Does the queried name exist?
+	 */
+	bool query_name_exist;
+
+	/**
+	 * DNSSEC security state
+	 */
+	dnssec_status_t security_state;
+
+	/**
+	 * RRset
+	 */
+	rr_set_t *rr_set;
+};
+
+METHOD(resolver_response_t, get_query_name, char*,
+	private_unbound_response_t *this)
+{
+	return this->query_name;
+}
+
+METHOD(resolver_response_t, get_canon_name, char*,
+	private_unbound_response_t *this)
+{
+	return this->canon_name;
+}
+
+METHOD(resolver_response_t, has_data, bool,
+	private_unbound_response_t *this)
+{
+	return this->has_data;
+}
+
+METHOD(resolver_response_t, query_name_exist, bool,
+	private_unbound_response_t *this)
+{
+	return this->query_name_exist;
+}
+
+METHOD(resolver_response_t, get_security_state, dnssec_status_t,
+	private_unbound_response_t *this)
+{
+	return this->security_state;
+}
+
+METHOD(resolver_response_t, get_rr_set, rr_set_t*,
+	private_unbound_response_t *this)
+{
+	return this->rr_set;
+}
+
+METHOD(resolver_response_t, destroy, void,
+	private_unbound_response_t *this)
+{
+	free(this->query_name);
+	free(this->canon_name);
+	DESTROY_IF(this->rr_set);
+	free(this);
+}
+
+/*
+ * Described in header.
+ */
+unbound_response_t *unbound_response_create_frm_libub_response(
+											struct ub_result *libub_response)
+{
+	private_unbound_response_t *this = NULL;
+
+	INIT(this,
+		.public = {
+			.interface = {
+				.get_query_name = _get_query_name,
+				.get_canon_name = _get_canon_name,
+				.has_data = _has_data,
+				.query_name_exist = _query_name_exist,
+				.get_security_state = _get_security_state,
+				.get_rr_set = _get_rr_set,
+				.destroy = _destroy,
+			},
+		},
+	);
+
+	this->query_name = strdup(libub_response->qname);
+
+	if (libub_response->canonname)
+	{
+		this->canon_name = strdup(libub_response->canonname);
+	}
+
+	this->has_data = libub_response->havedata;
+
+	this->query_name_exist = !(libub_response->nxdomain);
+
+	if (libub_response->secure)
+	{
+		this->security_state = SECURE;
+	}
+	else if (libub_response->bogus)
+	{
+		this->security_state = BOGUS;
+	}
+	else
+	{
+		this->security_state = INDETERMINATE;
+	}
+
+	/**
+	* Create RRset
+	*/
+	if (this->query_name_exist && this->has_data)
+	{
+		ldns_pkt *dns_pkt = NULL;
+		ldns_rr_list *orig_rr_list = NULL;
+		size_t orig_rr_count;
+		ldns_rr *orig_rr = NULL;
+		ldns_rdf *orig_rdf = NULL;
+		ldns_status status;
+		linked_list_t *rr_list = NULL, *rrsig_list = NULL;
+		unbound_rr_t *rr = NULL;
+		int i;
+
+		/**Parse the received DNS packet using the ldns library */
+		status = ldns_wire2pkt(&dns_pkt, libub_response->answer_packet,
+							   libub_response->answer_len);
+
+		if (status != LDNS_STATUS_OK)
+		{
+			DBG1(DBG_LIB, "failed to parse DNS packet");
+			destroy(this);
+			return NULL;
+		}
+
+		/* Create a list with the queried RRs. If there are corresponding RRSIGs
+		 * create also a list with these.
+		 */
+		rr_list = linked_list_create();
+
+		orig_rr_list = ldns_pkt_get_section_clone(dns_pkt, LDNS_SECTION_ANSWER);
+		orig_rr_count = ldns_rr_list_rr_count(orig_rr_list);
+
+		for (i = 0; i < orig_rr_count; i++)
+		{
+			orig_rr = ldns_rr_list_rr(orig_rr_list, i);
+
+			if (ldns_rr_get_type(orig_rr) == libub_response->qtype &&
+				ldns_rr_get_class(orig_rr) == libub_response->qclass)
+			{
+				/* RR is part of the queried RRset.
+				 * => add it to the list of Resource Records.
+				 */
+				rr = unbound_rr_create_frm_ldns_rr(orig_rr);
+				if (rr)
+				{
+					rr_list->insert_last(rr_list, rr);
+				}
+				else
+				{
+					DBG1(DBG_LIB, "failed to create RR");
+				}
+			}
+
+			if (ldns_rr_get_type(orig_rr) == LDNS_RR_TYPE_RRSIG)
+			{
+				orig_rdf = ldns_rr_rrsig_typecovered(orig_rr);
+				if (!orig_rdf)
+				{
+					DBG1(DBG_LIB, "failed to get the type covered by an RRSIG");
+				}
+				else if (ldns_rdf2native_int16(orig_rdf) == libub_response->qtype)
+				{
+					/* The current RR represent a signature (RRSIG)
+					 * which belongs to the queried RRset.
+					 * => add it to the list of signatures.
+					 */
+					rr = unbound_rr_create_frm_ldns_rr(orig_rr);
+					if (rr)
+					{
+						if (!rrsig_list)
+						{
+							rrsig_list = linked_list_create();
+						}
+						rrsig_list->insert_last(rrsig_list, rr);
+					}
+					else
+					{
+						DBG1(DBG_LIB, "failed to create RRSIG");
+					}
+				}
+				else
+				{
+					DBG1(DBG_LIB, "failed to determine the RR type "
+								  "covered by RRSIG RR");
+				}
+			}
+		}
+		/**
+		 * Create the RRset for which the query was performed.
+		 */
+		this->rr_set = rr_set_create(rr_list, rrsig_list);
+
+		ldns_pkt_free(dns_pkt);
+		ldns_rr_list_free(orig_rr_list);
+	}
+	return &this->public;
+}
diff --git a/src/libstrongswan/plugins/unbound/unbound_response.h b/src/libstrongswan/plugins/unbound/unbound_response.h
new file mode 100644
index 000000000..c82f39d45
--- /dev/null
+++ b/src/libstrongswan/plugins/unbound/unbound_response.h
@@ -0,0 +1,51 @@
+/*
+ * Copyright (C) 2012 Reto Guadagnini
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup unbound_response unbound_response
+ * @{ @ingroup unbound_p
+ */
+
+#ifndef UNBOUND_RESPONSE_H_
+#define UNBOUND_RESPONSE_H_
+
+#include <resolver/resolver_response.h>
+#include <unbound.h>
+
+typedef struct unbound_response_t unbound_response_t;
+
+/**
+ * Implementation of the resolver_response interface using libunbound.
+ *
+ */
+struct unbound_response_t {
+
+	/**
+	 * Implements the resolver_response interface
+	 */
+	resolver_response_t interface;
+};
+
+/**
+ * Create an unbound_response instance from a response of the unbound library.
+ *
+ * @param	response	a response of the unbound library
+ * @return				an unbound_response conforming to the resolver_response
+ * 						interface, or NULL on failure
+ */
+unbound_response_t *unbound_response_create_frm_libub_response(
+													struct ub_result *response);
+
+#endif /** UNBOUND_RESPONSE_H_ @}*/
diff --git a/src/libstrongswan/plugins/unbound/unbound_rr.c b/src/libstrongswan/plugins/unbound/unbound_rr.c
new file mode 100644
index 000000000..97c3b1933
--- /dev/null
+++ b/src/libstrongswan/plugins/unbound/unbound_rr.c
@@ -0,0 +1,164 @@
+/*
+ * Copyright (C) 2012 Reto Guadagnini
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <resolver/rr.h>
+
+#include <library.h>
+#include <utils/debug.h>
+
+#include <stdlib.h>
+#include <string.h>
+
+#include "unbound_rr.h"
+
+typedef struct private_unbound_rr_t private_unbound_rr_t;
+
+/**
+ * private data of an unbound_rr_t object.
+ */
+struct private_unbound_rr_t {
+
+	/**
+	 * Public data
+	 */
+	unbound_rr_t public;
+
+	/**
+	 * Owner name
+	 */
+	char* name;
+
+	/**
+	 * Type
+	 */
+	rr_type_t type;
+
+	/**
+	 * Class
+	 */
+	rr_class_t class;
+
+	/**
+	 * TTL
+	 */
+	uint32_t ttl;
+
+	/**
+	 * Size of the rdata field in octets
+	 */
+	uint16_t size;
+
+	/**
+	 * RDATA field (array of bytes in network order)
+	 */
+	u_char *rdata;
+};
+
+METHOD(rr_t, get_name, char *,
+	private_unbound_rr_t *this)
+{
+	return this->name;
+}
+
+METHOD(rr_t, get_type, rr_type_t,
+	private_unbound_rr_t *this)
+{
+	return this->type;
+}
+
+METHOD(rr_t, get_class, rr_class_t,
+	private_unbound_rr_t *this)
+{
+	return this->class;
+}
+
+METHOD(rr_t, get_ttl, uint32_t,
+	private_unbound_rr_t *this)
+{
+	return this->ttl;
+}
+
+METHOD(rr_t, get_rdata, chunk_t,
+	private_unbound_rr_t *this)
+{
+	return chunk_create(this->rdata, this->size);
+}
+
+METHOD(rr_t, destroy, void,
+	private_unbound_rr_t *this)
+{
+	free(this->name);
+	free(this->rdata);
+	free(this);
+}
+
+/*
+ * Described in header.
+ */
+unbound_rr_t *unbound_rr_create_frm_ldns_rr(ldns_rr *rr)
+{
+	private_unbound_rr_t *this;
+	ldns_status status;
+	ldns_buffer *buf;
+	int i;
+
+	INIT(this,
+		.public = {
+			.interface = {
+				.get_name = _get_name,
+				.get_type = _get_type,
+				.get_class = _get_class,
+				.get_ttl = _get_ttl,
+				.get_rdata = _get_rdata,
+				.destroy = _destroy,
+			},
+		},
+	);
+
+	this->name = ldns_rdf2str(ldns_rr_owner(rr));
+	if (!this->name)
+	{
+		DBG1(DBG_LIB, "failed to parse the owner name of a DNS RR");
+		_destroy(this);
+		return NULL;
+	}
+
+	this->type = ldns_rr_get_type(rr);
+	this->class = ldns_rr_get_class(rr);
+	this->ttl = ldns_rr_ttl(rr);
+	for(i = 0; i < ldns_rr_rd_count(rr); i++)
+	{
+		this->size += ldns_rdf_size(ldns_rr_rdf(rr, i));
+	}
+
+	/**
+	 * The ldns library splits the RDATA field of a RR in various rdf.
+	 * Here we reassemble these rdf to get the RDATA field of the RR.
+	 */
+	buf = ldns_buffer_new(LDNS_MIN_BUFLEN);
+	/* The buffer will be resized automatically by ldns_rr_rdata2buffer_wire() */
+	status = ldns_rr_rdata2buffer_wire(buf, rr);
+
+	if (status != LDNS_STATUS_OK)
+	{
+		DBG1(DBG_LIB, "failed to get the RDATA field of a DNS RR");
+		_destroy(this);
+		return NULL;
+	}
+
+	this->rdata = ldns_buffer_export(buf);
+
+	return &this->public;
+}
diff --git a/src/libstrongswan/plugins/unbound/unbound_rr.h b/src/libstrongswan/plugins/unbound/unbound_rr.h
new file mode 100644
index 000000000..d7c114f86
--- /dev/null
+++ b/src/libstrongswan/plugins/unbound/unbound_rr.h
@@ -0,0 +1,48 @@
+/*
+ * Copyright (C) 2012 Reto Guadagnini
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup unbound_rr unbound_rr
+ * @{ @ingroup unbound_p
+ */
+
+#ifndef UNBOUND_RR_H_
+#define UNBOUND_RR_H_
+
+#include <resolver/rr.h>
+#include <ldns/ldns.h>
+
+typedef struct unbound_rr_t unbound_rr_t;
+
+/**
+ * Implementation of the Resource Record interface using libunbound and libldns.
+ */
+struct unbound_rr_t {
+
+	/**
+	 * Implements the Resource Record interface
+	 */
+	rr_t interface;
+};
+
+/**
+ * Create an unbound_rr instance from a Resource Record given by
+ * a ldns_struct_rr from the ldns library.
+ *
+ * @return		Resource Record, NULL on error
+ */
+unbound_rr_t *unbound_rr_create_frm_ldns_rr(ldns_rr *rr);
+
+#endif /** UNBOUND_RR_H_ @}*/
diff --git a/src/libstrongswan/plugins/x509/Makefile.in b/src/libstrongswan/plugins/x509/Makefile.in
index 5c1258986..a0fcfd8ad 100644
--- a/src/libstrongswan/plugins/x509/Makefile.in
+++ b/src/libstrongswan/plugins/x509/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.11.3 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
@@ -16,6 +16,23 @@
 @SET_MAKE@
 
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -106,6 +123,11 @@ LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
 	$(LDFLAGS) -o $@
 SOURCES = $(libstrongswan_x509_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_x509_la_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
@@ -122,6 +144,8 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -138,6 +162,7 @@ EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
@@ -206,8 +231,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -263,7 +286,6 @@ nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
@@ -356,7 +378,6 @@ clean-noinstLTLIBRARIES:
 	done
 install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
-	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
 	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
 	list2=; for p in $$list; do \
 	  if test -f $$p; then \
@@ -364,6 +385,8 @@ install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	  else :; fi; \
 	done; \
 	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \
 	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
 	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
 	}
diff --git a/src/libstrongswan/plugins/xcbc/Makefile.in b/src/libstrongswan/plugins/xcbc/Makefile.in
index b29989c9d..8730ba3fa 100644
--- a/src/libstrongswan/plugins/xcbc/Makefile.in
+++ b/src/libstrongswan/plugins/xcbc/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.11.3 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
@@ -16,6 +16,23 @@
 @SET_MAKE@
 
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -104,6 +121,11 @@ LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
 	$(LDFLAGS) -o $@
 SOURCES = $(libstrongswan_xcbc_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_xcbc_la_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
@@ -120,6 +142,8 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -136,6 +160,7 @@ EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
@@ -204,8 +229,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -261,7 +284,6 @@ nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
@@ -348,7 +370,6 @@ clean-noinstLTLIBRARIES:
 	done
 install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
-	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
 	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
 	list2=; for p in $$list; do \
 	  if test -f $$p; then \
@@ -356,6 +377,8 @@ install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	  else :; fi; \
 	done; \
 	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \
 	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
 	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
 	}
diff --git a/src/libstrongswan/resolver/resolver.h b/src/libstrongswan/resolver/resolver.h
new file mode 100644
index 000000000..5be52b8b1
--- /dev/null
+++ b/src/libstrongswan/resolver/resolver.h
@@ -0,0 +1,58 @@
+/*
+ * Copyright (C) 2011-2012 Reto Guadagnini
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup resolveri resolver
+ * @{ @ingroup resolver
+ */
+
+#ifndef RESOLVER_H_
+#define RESOLVER_H_
+
+typedef struct resolver_t resolver_t;
+
+/**
+ * Constructor function which creates DNS resolver instances.
+ */
+typedef resolver_t* (*resolver_constructor_t)(void);
+
+#include <resolver/resolver_response.h>
+#include <resolver/rr_set.h>
+#include <resolver/rr.h>
+
+/**
+ * Interface of a security-aware DNS resolver.
+ *
+ */
+struct resolver_t {
+
+	/**
+	 * Perform a DNS query.
+	 *
+	 * @param domain		domain (FQDN) to query
+	 * @param rr_class		class of the desired RRs
+	 * @param rr_type		type of the desired RRs
+	 * @return				response to the query, NULL on failure
+	 */
+	resolver_response_t *(*query)(resolver_t *this, char *domain,
+								  rr_class_t rr_class, rr_type_t rr_type);
+
+	/**
+	 * Destroy the resolver instance.
+	 */
+	void (*destroy)(resolver_t *this);
+};
+
+#endif /** RESOLVER_H_ @}*/
diff --git a/src/libstrongswan/resolver/resolver_manager.c b/src/libstrongswan/resolver/resolver_manager.c
new file mode 100644
index 000000000..55531e157
--- /dev/null
+++ b/src/libstrongswan/resolver/resolver_manager.c
@@ -0,0 +1,90 @@
+/*
+ * Copyright (C) 2011-2012 Reto Guadagnini
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "resolver_manager.h"
+
+#include <utils/debug.h>
+
+typedef struct private_resolver_manager_t private_resolver_manager_t;
+
+/**
+ * private data of resolver_manager
+ */
+struct private_resolver_manager_t {
+
+	/**
+	 * public functions
+	 */
+	resolver_manager_t public;
+
+	/**
+	 * constructor function to create resolver instances
+	 */
+	resolver_constructor_t constructor;
+};
+
+METHOD(resolver_manager_t, add_resolver, void,
+	private_resolver_manager_t *this, resolver_constructor_t constructor)
+{
+	if (!this->constructor)
+	{
+		this->constructor = constructor;
+	}
+}
+
+METHOD(resolver_manager_t, remove_resolver, void,
+	private_resolver_manager_t *this, resolver_constructor_t constructor)
+{
+	if (this->constructor == constructor)
+	{
+		this->constructor = NULL;
+	}
+}
+
+METHOD(resolver_manager_t, create, resolver_t*,
+	private_resolver_manager_t *this)
+{
+	if (this->constructor)
+	{
+		return this->constructor();
+	}
+	return NULL;
+}
+
+METHOD(resolver_manager_t, destroy, void,
+	private_resolver_manager_t *this)
+{
+	free(this);
+}
+
+/*
+ * See header
+ */
+resolver_manager_t *resolver_manager_create()
+{
+	private_resolver_manager_t *this;
+
+	INIT(this,
+			.public = {
+				.add_resolver = _add_resolver,
+				.remove_resolver = _remove_resolver,
+				.create = _create,
+				.destroy = _destroy,
+			},
+	);
+
+	return &this->public;
+}
+
diff --git a/src/libstrongswan/resolver/resolver_manager.h b/src/libstrongswan/resolver/resolver_manager.h
new file mode 100644
index 000000000..6ea22aa24
--- /dev/null
+++ b/src/libstrongswan/resolver/resolver_manager.h
@@ -0,0 +1,72 @@
+/*
+ * Copyright (C) 2011-2012 Reto Guadagnini
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+* @defgroup resolver_manager resolver_manager
+* @{ @ingroup resolver
+*/
+
+#ifndef RESOLVER_MANAGER_H_
+#define RESOLVER_MANAGER_H_
+
+typedef struct resolver_manager_t resolver_manager_t;
+
+#include <resolver/resolver.h>
+
+/**
+ * The resolver_manager manages the resolver implementations and
+ * creates instances of them.
+ *
+ * A resolver plugin is registered by providing its constructor function
+ * to the manager. The manager creates instances of the resolver plugin
+ * using the registered constructor function.
+ */
+struct resolver_manager_t {
+
+	/**
+	 * Register a resolver implementation.
+	 *
+	 * @param constructor	resolver constructor function
+	 */
+	void (*add_resolver)(resolver_manager_t *this,
+						 resolver_constructor_t constructor);
+
+	/**
+	 * Unregister a previously registered resolver implementation.
+	 *
+	 * @param constructor	resolver constructor function to unregister
+	 */
+	void (*remove_resolver)(resolver_manager_t *this,
+							resolver_constructor_t constructor);
+
+	/**
+	 * Get a new resolver instance.
+	 *
+	 * @return 				resolver instance.
+	 */
+	resolver_t* (*create)(resolver_manager_t *this);
+
+	/**
+	 * Destroy a resolver_manager instance.
+	 */
+	void (*destroy)(resolver_manager_t *this);
+};
+
+/**
+ * Create a resolver_manager instance.
+ */
+resolver_manager_t *resolver_manager_create();
+
+#endif /** RESOLVER_MANAGER_H_ @}*/
diff --git a/src/libstrongswan/resolver/resolver_response.h b/src/libstrongswan/resolver/resolver_response.h
new file mode 100644
index 000000000..e45fb6401
--- /dev/null
+++ b/src/libstrongswan/resolver/resolver_response.h
@@ -0,0 +1,143 @@
+/*
+ * Copyright (C) 2012 Reto Guadagnini
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup rsolver_response resolver_response
+ * @{ @ingroup resolver
+ */
+
+#ifndef RESOLVER_RESPONSE_H_
+#define RESOLVER_RESPONSE_H_
+
+typedef struct resolver_response_t resolver_response_t;
+typedef enum dnssec_status_t dnssec_status_t;
+
+#include <library.h>
+#include <resolver/rr_set.h>
+
+/**
+ * DNSSEC security state.
+ *
+ * DNSSEC security state, which a security aware resolver is able determine
+ * according to RFC 4033.
+ */
+enum dnssec_status_t {
+	/**
+	 * The validating resolver has a trust anchor, has a chain of
+	 * trust, and is able to verify all the signatures in the response.
+	 * [RFC4033]
+	 */
+	SECURE,
+	/**
+	 * The validating resolver has a trust anchor, a chain of
+	 * trust, and, at some delegation point, signed proof of the
+	 * non-existence of a DS record.  This indicates that subsequent
+	 * branches in the tree are provably insecure.  A validating resolver
+	 * may have a local policy to mark parts of the domain space as
+	 * insecure. [RFC4033]
+	 */
+	INSECURE,
+	/**
+	 * The validating resolver has a trust anchor and a secure
+	 * delegation indicating that subsidiary data is signed, but the
+	 * response fails to validate for some reason: missing signatures,
+	 * expired signatures, signatures with unsupported algorithms, data
+	 * missing that the relevant NSEC RR says should be present, and so
+	 * forth. [RFC4033]
+	 */
+	BOGUS,
+	/**
+	 * There is no trust anchor that would indicate that a
+	 * specific portion of the tree is secure.  This is the default
+	 * operation mode. [RFC4033]
+	 */
+	INDETERMINATE,
+};
+
+
+/**
+ * A response of the DNS resolver to a DNS query.
+ *
+ * A response represents the answer of the Domain Name System to a query.
+ * It contains the RRset with the queried Resource Records and additional
+ * information.
+ */
+struct resolver_response_t {
+
+    /**
+     * Get the original question string.
+     *
+     * The string to which the returned pointer points, is still owned
+	 * by the resolver_response. Clone it if necessary.
+     *
+     * @return			the queried name
+     */
+	char *(*get_query_name)(resolver_response_t *this);
+
+	/**
+	 * Get the canonical name of the result.
+	 *
+	 * The string to which the returned pointer points, is still owned
+	 * by the resolver_response. Clone it if necessary.
+	 *
+	 * @return			- canonical name of result
+	 * 					- NULL, if result has no canonical name
+	 */
+	char *(*get_canon_name)(resolver_response_t *this);
+
+	/**
+	 * Does the RRset of this response contain some Resource Records?
+	 *
+	 * Returns TRUE if the RRset of this response contains some RRs
+	 * (RRSIG Resource Records are ignored).
+	 *
+	 * @return
+	 * 					- TRUE, if there are some RRs in the RRset
+	 * 					- FALSE, otherwise
+	 */
+	bool (*has_data)(resolver_response_t *this);
+
+	/**
+	 * Does the queried name exist?
+	 *
+	 * @return
+	 * 					- TRUE, if the queried name exists
+	 * 					- FALSE, otherwise
+	 */
+	bool (*query_name_exist)(resolver_response_t *this);
+
+	/**
+	 * Get the DNSSEC security state of the response.
+	 *
+	 * @return			DNSSEC security state
+	 */
+	dnssec_status_t (*get_security_state)(resolver_response_t *this);
+
+	/**
+	 * Get the RRset with all Resource Records of this response.
+	 *
+	 * @return			- RRset
+	 * 					- NULL if there is no data or the query name
+	 * 					  does not exist
+	 */
+	rr_set_t *(*get_rr_set)(resolver_response_t *this);
+
+	/**
+	 * Destroy this response.
+	 */
+	void (*destroy) (resolver_response_t *this);
+};
+
+#endif /** RR_SET_H_ @}*/
diff --git a/src/libstrongswan/resolver/rr.h b/src/libstrongswan/resolver/rr.h
new file mode 100644
index 000000000..109ec5135
--- /dev/null
+++ b/src/libstrongswan/resolver/rr.h
@@ -0,0 +1,268 @@
+/*
+ * Copyright (C) 2012 Reto Guadagnini
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup rr rr
+ * @{ @ingroup resolver
+ */
+
+#ifndef RR_H_
+#define RR_H_
+
+typedef struct rr_t rr_t;
+typedef enum rr_type_t rr_type_t;
+typedef enum rr_class_t rr_class_t;
+
+#include <library.h>
+
+/**
+ * Resource Record types.
+ *
+ * According to www.iana.org/assignments/dns-parameters (version 2012-03-13).
+ */
+enum rr_type_t {
+	/** a host address */
+	RR_TYPE_A = 1,
+	/** an authoritative name server */
+	RR_TYPE_NS = 2,
+	//** a mail destination (OBSOLETE - use MX */
+	RR_TYPE_MD = 3,
+	/** a mail forwarder (OBSOLETE - use MX) */
+	RR_TYPE_MF = 4,
+	/** the canonical name for an alias */
+	RR_TYPE_CNAME = 5,
+	/** marks the start of a zone of authority */
+	RR_TYPE_SOA = 6,
+	/** a mailbox domain name (EXPERIMENTAL) */
+	RR_TYPE_MB = 7,
+	/** a mail group member (EXPERIMENTAL) */
+	RR_TYPE_MG = 8,
+	/** a mail rename domain name (EXPERIMENTAL) */
+	RR_TYPE_MR = 9,
+	/** a null RR (EXPERIMENTAL) */
+	RR_TYPE_NULL = 10,
+	/** a well known service description */
+	RR_TYPE_WKS = 11,
+	/**  a domain name pointer */
+	RR_TYPE_PTR = 12,
+	/**  host information */
+	RR_TYPE_HINFO = 13,
+	/**  mailbox or mail list information */
+	RR_TYPE_MINFO = 14,
+	/**  mail exchange */
+	RR_TYPE_MX = 15,
+	/**  text strings */
+	RR_TYPE_TXT = 16,
+	/** for Responsible Person */
+	RR_TYPE_RP = 17,
+	/** for AFS Data Base location */
+	RR_TYPE_AFSDB = 18,
+	/** for X.25 PSDN address */
+	RR_TYPE_X25 = 19,
+	/** for ISDN address */
+	RR_TYPE_ISDN = 20,
+	/** for Route Through */
+	RR_TYPE_RT = 21,
+	/** for NSAP address, NSAP style A record */
+	RR_TYPE_NSAP = 22,
+	/** for domain name pointer, NSAP style  */
+	RR_TYPE_NSAP_PTR = 23,
+	/** for security signature */
+	RR_TYPE_SIG = 24,
+	/** for security key */
+	RR_TYPE_KEY = 25,
+	/** X.400 mail mapping information  */
+	RR_TYPE_PX = 26,
+	/**  Geographical Position  */
+	RR_TYPE_GPOS = 27,
+	/** ipv6 address */
+	RR_TYPE_AAAA = 28,
+	/** Location Information  */
+	RR_TYPE_LOC = 29,
+	/** Next Domain (OBSOLETE) */
+	RR_TYPE_NXT = 30,
+	/** Endpoint Identifier  */
+	RR_TYPE_EID = 31,
+	/** Nimrod Locator */
+	RR_TYPE_NIMLOC = 32,
+	/** Server Selection */
+	RR_TYPE_SRV = 33,
+	/** ATM Address */
+	RR_TYPE_ATMA = 34,
+	/** Naming Authority Pointer */
+	RR_TYPE_NAPTR = 35,
+	/** Key Exchanger */
+	RR_TYPE_KX = 36,
+	/** CERT */
+	RR_TYPE_CERT = 37,
+	/** A6 (OBSOLETE - use AAAA) */
+	RR_TYPE_A6 = 38,
+	/** DNAME */
+	RR_TYPE_DNAME = 39,
+	/** SINK */
+	RR_TYPE_SINK = 40,
+	/** OPT */
+	RR_TYPE_OPT = 41,
+	/** APL */
+	RR_TYPE_APL = 42,
+	/** Delegation Signer */
+	RR_TYPE_DS = 43,
+	/** SSH Key Fingerprint */
+	RR_TYPE_SSHFP = 44,
+	/** IPSECKEY */
+	RR_TYPE_IPSECKEY = 45,
+	/** RRSIG */
+	RR_TYPE_RRSIG = 46,
+	/** NSEC */
+	RR_TYPE_NSEC = 47,
+	/** DNSKEY */
+	RR_TYPE_DNSKEY = 48,
+	/** DHCID */
+	RR_TYPE_DHCID = 49,
+	/** NSEC3 */
+	RR_TYPE_NSEC3 = 50,
+	/** NSEC3PARAM */
+	RR_TYPE_NSEC3PARAM = 51,
+
+	/** Unassigned   52-54 */
+
+	/** Host Identity Protocol */
+	RR_TYPE_HIP =  55,
+	/** NINFO */
+	RR_TYPE_NINFO = 56,
+	/** RKEY */
+	RR_TYPE_RKEY = 57,
+	/** Trust Anchor LINK */
+	RR_TYPE_TALINK = 58,
+	/** Child DS */
+	RR_TYPE_CDS = 59,
+
+	/** Unassigned   60-98 */
+
+	/** SPF */
+	RR_TYPE_SPF = 99,
+	/** UINFO */
+	RR_TYPE_UINFO = 100,
+	/** UID */
+	RR_TYPE_UID = 101,
+	/** GID */
+	RR_TYPE_GID = 102,
+	/** UNSPEC */
+	RR_TYPE_UNSPEC = 103,
+
+	/** Unassigned   104-248 */
+
+	/** Transaction Key */
+	RR_TYPE_TKEY = 249,
+	/** Transaction Signature */
+	RR_TYPE_TSIG = 250,
+	/** incremental transfer */
+	RR_TYPE_IXFR = 251,
+	/** transfer of an entire zone */
+	RR_TYPE_AXFR = 252,
+	/** mailbox-related RRs (MB, MG or MR) */
+	RR_TYPE_MAILB = 253,
+	/** mail agent RRs (OBSOLETE - see MX) */
+	RR_TYPE_MAILA = 254,
+	/** A request for all records */
+	RR_TYPE_ANY = 255,
+	/** URI */
+	RR_TYPE_URI = 256,
+	/** Certification Authority Authorization */
+	RR_TYPE_CAA = 257,
+
+	/** Unassigned   258-32767 */
+
+	/** DNSSEC Trust Authorities */
+	RR_TYPE_TA = 32768,
+	/** DNSSEC Lookaside Validation */
+	RR_TYPE_DLV = 32769,
+
+	/** Unassigned   32770-65279 */
+
+	/** Private use  65280-65534 */
+
+	/** Reserved     65535 */
+};
+
+
+/**
+ * Resource Record CLASSes
+ */
+enum rr_class_t {
+	/** Internet */
+	RR_CLASS_IN = 1,
+	/** Chaos */
+	RR_CLASS_CH = 3,
+	/** Hesiod */
+	RR_CLASS_HS = 4,
+	/** further CLASSes: http://wwwiana.org/assignments/dns-parameters */
+};
+
+
+/**
+ * A DNS Resource Record.
+ *
+ * Represents a Resource Record of the Domain Name System
+ * as defined in RFC 1035.
+ *
+ */
+struct rr_t {
+
+	/**
+	 * Get the NAME of the owner of this RR.
+	 *
+	 * @return			owner name as string
+	 */
+	char *(*get_name)(rr_t *this);
+
+	/**
+	 * Get the type of this RR.
+	 *
+	 * @return			RR type
+	 */
+	rr_type_t (*get_type)(rr_t *this);
+
+	/**
+	 * Get the class of this RR.
+	 *
+	 * @return			RR class
+	 */
+	rr_class_t (*get_class)(rr_t *this);
+
+	/**
+	 * Get the Time to Live (TTL) of this RR.
+	 *
+	 * @return			Time to Live
+	 */
+	uint32_t (*get_ttl)(rr_t *this);
+
+	/**
+	 * Get the content of the RDATA field as chunk.
+	 *
+	 * The data pointed by the chunk is still owned by the RR.
+	 * Clone it if needed.
+	 *
+	 * @return			RDATA field as chunk
+	 */
+	chunk_t (*get_rdata)(rr_t *this);
+
+	/**
+	 * Destroy the Resource Record.
+	 */
+	void (*destroy) (rr_t *this);
+};
+
+#endif /** RR_H_ @}*/
diff --git a/src/libstrongswan/resolver/rr_set.c b/src/libstrongswan/resolver/rr_set.c
new file mode 100644
index 000000000..dea5c4086
--- /dev/null
+++ b/src/libstrongswan/resolver/rr_set.c
@@ -0,0 +1,100 @@
+/*
+ * Copyright (C) 2012 Reto Guadagnini
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "rr_set.h"
+
+#include <library.h>
+#include <utils/debug.h>
+
+typedef struct private_rr_set_t private_rr_set_t;
+
+/**
+* private data of the rr_set
+*/
+struct private_rr_set_t {
+
+	/**
+	 * public functions
+	 */
+	rr_set_t public;
+
+	/**
+	 * List of Resource Records which form the RRset
+	 */
+	linked_list_t *rr_list;
+
+	/**
+	 * List of the signatures (RRSIGs) of the Resource Records contained in
+	 * this set
+	 */
+	linked_list_t *rrsig_list;
+};
+
+METHOD(rr_set_t, create_rr_enumerator, enumerator_t*,
+	private_rr_set_t *this)
+{
+	return this->rr_list->create_enumerator(this->rr_list);
+}
+
+METHOD(rr_set_t, create_rrsig_enumerator, enumerator_t*,
+	private_rr_set_t *this)
+{
+	if (this->rrsig_list)
+	{
+		return this->rrsig_list->create_enumerator(this->rrsig_list);
+	}
+	return NULL;
+}
+
+METHOD(rr_set_t, destroy, void,
+	private_rr_set_t *this)
+{
+	this->rr_list->destroy_offset(this->rr_list,
+								  offsetof(rr_t, destroy));
+	if (this->rrsig_list)
+	{
+		this->rrsig_list->destroy_offset(this->rrsig_list,
+										 offsetof(rr_t, destroy));
+	}
+	free(this);
+}
+
+/*
+ * see header
+ */
+rr_set_t *rr_set_create(linked_list_t *list_of_rr, linked_list_t *list_of_rrsig)
+{
+	private_rr_set_t *this;
+
+	INIT(this,
+		.public = {
+			.create_rr_enumerator = _create_rr_enumerator,
+			.create_rrsig_enumerator = _create_rrsig_enumerator,
+			.destroy = _destroy,
+		},
+	);
+
+	if (list_of_rr == NULL)
+	{
+		DBG1(DBG_LIB, "could not create a rr_set without a list_of_rr");
+		_destroy(this);
+		return NULL;
+	}
+	this->rr_list = list_of_rr;
+	this->rrsig_list = list_of_rrsig;
+
+	return &this->public;
+}
+
diff --git a/src/libstrongswan/resolver/rr_set.h b/src/libstrongswan/resolver/rr_set.h
new file mode 100644
index 000000000..5a1737a05
--- /dev/null
+++ b/src/libstrongswan/resolver/rr_set.h
@@ -0,0 +1,79 @@
+/*
+ * Copyright (C) 2012 Reto Guadagnini
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup rr_set rr_set
+ * @{ @ingroup resolver
+ */
+
+#ifndef RR_SET_H_
+#define RR_SET_H_
+
+typedef struct rr_set_t rr_set_t;
+
+#include <library.h>
+#include <collections/enumerator.h>
+#include <collections/linked_list.h>
+
+/**
+ * A set of DNS Resource Records.
+ *
+ * Represents a RRset as defined in RFC 2181. This RRset consists of a set of
+ * Resource Records with the same label, class and type but different data.
+ *
+ * The DNSSEC signature Resource Records (RRSIGs) which sign the RRs of this set
+ * are also part of an object of this type.
+ */
+struct rr_set_t {
+
+	/**
+	 * Create an enumerator over all Resource Records of this RRset.
+	 *
+	 * @note The enumerator's position is invalid before the first call
+	 * to enumerate().
+	 *
+	 * @return			enumerator over Resource Records
+	 */
+	enumerator_t *(*create_rr_enumerator)(rr_set_t *this);
+
+	/**
+	 * Create an enumerator over all RRSIGs of this RRset
+	 *
+	 * @note The enumerator's position is invalid before the first call
+	 * to enumerate().
+	 *
+	 * @return			enumerator over RRSIG Resource Records,
+	 * 					NULL if there are no RRSIGs for this RRset
+	 */
+	enumerator_t *(*create_rrsig_enumerator)(rr_set_t *this);
+
+	/**
+	 * Destroy this RRset with all its Resource Records.
+	 */
+	void (*destroy) (rr_set_t *this);
+};
+
+/**
+ * Create an rr_set instance.
+ *
+ * @param list_of_rr		list of Resource Records which form this RRset
+ * @param list_of_rrsig		list of the signatures (RRSIGs) of the
+ * 							Resource Records of this set
+ * @return					Resource Record set, NULL on failure
+ */
+rr_set_t *rr_set_create(linked_list_t *list_of_rr,
+						linked_list_t *list_of_rrsig);
+
+#endif /** RR_SET_H_ @}*/
diff --git a/src/libstrongswan/selectors/traffic_selector.c b/src/libstrongswan/selectors/traffic_selector.c
index 87e57095c..ff8285f8c 100644
--- a/src/libstrongswan/selectors/traffic_selector.c
+++ b/src/libstrongswan/selectors/traffic_selector.c
@@ -174,7 +174,24 @@ static u_int8_t calc_netbits(private_traffic_selector_t *this)
 /**
  * internal generic constructor
  */
-static private_traffic_selector_t *traffic_selector_create(u_int8_t protocol, ts_type_t type, u_int16_t from_port, u_int16_t to_port);
+static private_traffic_selector_t *traffic_selector_create(u_int8_t protocol,
+						ts_type_t type, u_int16_t from_port, u_int16_t to_port);
+
+/**
+ * Check if TS contains "opaque" ports
+ */
+static bool is_opaque(private_traffic_selector_t *this)
+{
+	return this->from_port == 0xffff && this->to_port == 0;
+}
+
+/**
+ * Check if TS contains "any" ports
+ */
+static bool is_any(private_traffic_selector_t *this)
+{
+	return this->from_port == 0 && this->to_port == 0xffff;
+}
 
 /**
  * Described in header.
@@ -248,7 +265,7 @@ int traffic_selector_printf_hook(printf_hook_data_t *data,
 
 	/* check if we have protocol and/or port selectors */
 	has_proto = this->protocol != 0;
-	has_ports = !(this->from_port == 0 && this->to_port == 0xFFFF);
+	has_ports = !is_any(this);
 
 	if (!has_proto && !has_ports)
 	{
@@ -283,8 +300,9 @@ int traffic_selector_printf_hook(printf_hook_data_t *data,
 	{
 		if (this->from_port == this->to_port)
 		{
-			struct servent *serv = getservbyport(htons(this->from_port), serv_proto);
+			struct servent *serv;
 
+			serv = getservbyport(htons(this->from_port), serv_proto);
 			if (serv)
 			{
 				written += print_in_hook(data, "%s", serv->s_name);
@@ -294,9 +312,14 @@ int traffic_selector_printf_hook(printf_hook_data_t *data,
 				written += print_in_hook(data, "%d", this->from_port);
 			}
 		}
+		else if (is_opaque(this))
+		{
+			written += print_in_hook(data, "OPAQUE");
+		}
 		else
 		{
-			written += print_in_hook(data, "%d-%d", this->from_port, this->to_port);
+			written += print_in_hook(data, "%d-%d",
+									 this->from_port, this->to_port);
 		}
 	}
 
@@ -305,24 +328,55 @@ int traffic_selector_printf_hook(printf_hook_data_t *data,
 	return written;
 }
 
-/**
- * Implements traffic_selector_t.get_subset
- */
-static traffic_selector_t *get_subset(private_traffic_selector_t *this, private_traffic_selector_t *other)
+METHOD(traffic_selector_t, get_subset, traffic_selector_t*,
+	private_traffic_selector_t *this, traffic_selector_t *other_public)
 {
+	private_traffic_selector_t *other, *subset;
+	u_int16_t from_port, to_port;
+	u_char *from, *to;
+	u_int8_t protocol;
+	size_t size;
+
+	other = (private_traffic_selector_t*)other_public;
+
 	if (this->dynamic || other->dynamic)
 	{	/* no set_address() applied, TS has no subset */
 		return NULL;
 	}
-	if (this->type == other->type && (this->protocol == other->protocol ||
-								this->protocol == 0 || other->protocol == 0))
+
+	if (this->type != other->type)
+	{
+		return NULL;
+	}
+	switch (this->type)
+	{
+		case TS_IPV4_ADDR_RANGE:
+			size = sizeof(this->from4);
+			break;
+		case TS_IPV6_ADDR_RANGE:
+			size = sizeof(this->from6);
+			break;
+		default:
+			return NULL;
+	}
+
+	if (this->protocol != other->protocol &&
+		this->protocol != 0 && other->protocol != 0)
 	{
-		u_int16_t from_port, to_port;
-		u_char *from, *to;
-		u_int8_t protocol;
-		size_t size;
-		private_traffic_selector_t *new_ts;
+		return NULL;
+	}
+	/* select protocol, which is not zero */
+	protocol = max(this->protocol, other->protocol);
 
+	if ((is_opaque(this) && is_opaque(other)) ||
+		(is_opaque(this) && is_any(other)) ||
+		(is_opaque(other) && is_any(this)))
+	{
+		from_port = 0xffff;
+		to_port = 0;
+	}
+	else
+	{
 		/* calculate the maximum port range allowed for both */
 		from_port = max(this->from_port, other->from_port);
 		to_port = min(this->to_port, other->to_port);
@@ -330,60 +384,46 @@ static traffic_selector_t *get_subset(private_traffic_selector_t *this, private_
 		{
 			return NULL;
 		}
-		/* select protocol, which is not zero */
-		protocol = max(this->protocol, other->protocol);
-
-		switch (this->type)
-		{
-			case TS_IPV4_ADDR_RANGE:
-				size = sizeof(this->from4);
-				break;
-			case TS_IPV6_ADDR_RANGE:
-				size = sizeof(this->from6);
-				break;
-			default:
-				return NULL;
-		}
+	}
+	/* get higher from-address */
+	if (memcmp(this->from, other->from, size) > 0)
+	{
+		from = this->from;
+	}
+	else
+	{
+		from = other->from;
+	}
+	/* get lower to-address */
+	if (memcmp(this->to, other->to, size) > 0)
+	{
+		to = other->to;
+	}
+	else
+	{
+		to = this->to;
+	}
+	/* if "from" > "to", we don't have a match */
+	if (memcmp(from, to, size) > 0)
+	{
+		return NULL;
+	}
 
-		/* get higher from-address */
-		if (memcmp(this->from, other->from, size) > 0)
-		{
-			from = this->from;
-		}
-		else
-		{
-			from = other->from;
-		}
-		/* get lower to-address */
-		if (memcmp(this->to, other->to, size) > 0)
-		{
-			to = other->to;
-		}
-		else
-		{
-			to = this->to;
-		}
-		/* if "from" > "to", we don't have a match */
-		if (memcmp(from, to, size) > 0)
-		{
-			return NULL;
-		}
+	/* we have a match in protocol, port, and address: return it... */
+	subset = traffic_selector_create(protocol, this->type, from_port, to_port);
+	memcpy(subset->from, from, size);
+	memcpy(subset->to, to, size);
+	calc_netbits(subset);
 
-		/* we have a match in protocol, port, and address: return it... */
-		new_ts = traffic_selector_create(protocol, this->type, from_port, to_port);
-		memcpy(new_ts->from, from, size);
-		memcpy(new_ts->to, to, size);
-		calc_netbits(new_ts);
-		return &new_ts->public;
-	}
-	return NULL;
+	return &subset->public;
 }
 
-/**
- * Implements traffic_selector_t.equals
- */
-static bool equals(private_traffic_selector_t *this, private_traffic_selector_t *other)
+METHOD(traffic_selector_t, equals, bool,
+	private_traffic_selector_t *this, traffic_selector_t *other_public)
 {
+	private_traffic_selector_t *other;
+
+	other = (private_traffic_selector_t*)other_public;
 	if (this->type != other->type)
 	{
 		return FALSE;
@@ -535,11 +575,8 @@ METHOD(traffic_selector_t, set_address, void,
 	}
 }
 
-/**
- * Implements traffic_selector_t.is_contained_in.
- */
-static bool is_contained_in(private_traffic_selector_t *this,
-							private_traffic_selector_t *other)
+METHOD(traffic_selector_t, is_contained_in, bool,
+	private_traffic_selector_t *this, traffic_selector_t *other)
 {
 	private_traffic_selector_t *subset;
 	bool contained_in = FALSE;
@@ -548,7 +585,7 @@ static bool is_contained_in(private_traffic_selector_t *this,
 
 	if (subset)
 	{
-		if (equals(subset, this))
+		if (equals(subset, &this->public))
 		{
 			contained_in = TRUE;
 		}
@@ -739,12 +776,13 @@ traffic_selector_t *traffic_selector_create_from_rfc3779_format(ts_type_t type,
  * see header
  */
 traffic_selector_t *traffic_selector_create_from_subnet(host_t *net,
-							u_int8_t netbits, u_int8_t protocol, u_int16_t port)
+							u_int8_t netbits, u_int8_t protocol,
+							u_int16_t from_port, u_int16_t to_port)
 {
 	private_traffic_selector_t *this;
 	chunk_t from;
 
-	this = traffic_selector_create(protocol, 0, 0, 65535);
+	this = traffic_selector_create(protocol, 0, from_port, to_port);
 
 	switch (net->get_family(net))
 	{
@@ -763,11 +801,6 @@ traffic_selector_t *traffic_selector_create_from_subnet(host_t *net,
 	memcpy(this->from, from.ptr, from.len);
 	netbits = min(netbits, this->type == TS_IPV4_ADDR_RANGE ? 32 : 128);
 	calc_range(this, netbits);
-	if (port)
-	{
-		this->from_port = port;
-		this->to_port = port;
-	}
 	net->destroy(net);
 
 	return &this->public;
@@ -818,8 +851,9 @@ traffic_selector_t *traffic_selector_create_from_string(
 /*
  * see header
  */
-traffic_selector_t *traffic_selector_create_from_cidr(char *string,
-									u_int8_t protocol, u_int16_t port)
+traffic_selector_t *traffic_selector_create_from_cidr(
+										char *string, u_int8_t protocol,
+										u_int16_t from_port, u_int16_t to_port)
 {
 	host_t *net;
 	int bits;
@@ -827,7 +861,8 @@ traffic_selector_t *traffic_selector_create_from_cidr(char *string,
 	net = host_create_from_subnet(string, &bits);
 	if (net)
 	{
-		return traffic_selector_create_from_subnet(net, bits, protocol, port);
+		return traffic_selector_create_from_subnet(net, bits, protocol,
+												   from_port, to_port);
 	}
 	return NULL;
 }
@@ -859,8 +894,8 @@ static private_traffic_selector_t *traffic_selector_create(u_int8_t protocol,
 
 	INIT(this,
 		.public = {
-			.get_subset = (traffic_selector_t*(*)(traffic_selector_t*,traffic_selector_t*))get_subset,
-			.equals = (bool(*)(traffic_selector_t*,traffic_selector_t*))equals,
+			.get_subset = _get_subset,
+			.equals = _equals,
 			.get_from_address = _get_from_address,
 			.get_to_address = _get_to_address,
 			.get_from_port = _get_from_port,
@@ -869,7 +904,7 @@ static private_traffic_selector_t *traffic_selector_create(u_int8_t protocol,
 			.get_protocol = _get_protocol,
 			.is_host = _is_host,
 			.is_dynamic = _is_dynamic,
-			.is_contained_in = (bool(*)(traffic_selector_t*,traffic_selector_t*))is_contained_in,
+			.is_contained_in = _is_contained_in,
 			.includes = _includes,
 			.set_address = _set_address,
 			.to_subnet = _to_subnet,
@@ -884,4 +919,3 @@ static private_traffic_selector_t *traffic_selector_create(u_int8_t protocol,
 
 	return this;
 }
-
diff --git a/src/libstrongswan/selectors/traffic_selector.h b/src/libstrongswan/selectors/traffic_selector.h
index b6da391aa..0de358b99 100644
--- a/src/libstrongswan/selectors/traffic_selector.h
+++ b/src/libstrongswan/selectors/traffic_selector.h
@@ -238,11 +238,13 @@ traffic_selector_t *traffic_selector_create_from_string(
  *
  * @param string		CIDR string, such as 10.1.0.0/16
  * @param protocol		protocol for this ts, such as TCP or UDP
- * @param port			single port for this TS, 0 for any port
+ * @param from_port		start of allowed port range
+ * @param to_port		end of port range
  * @return				traffic selector, NULL if string invalid
  */
-traffic_selector_t *traffic_selector_create_from_cidr(char *string,
-									u_int8_t protocol, u_int16_t port);
+traffic_selector_t *traffic_selector_create_from_cidr(
+										char *string, u_int8_t protocol,
+										u_int16_t from_port, u_int16_t to_port);
 
 /**
  * Create a new traffic selector using data read from the net.
@@ -288,14 +290,15 @@ traffic_selector_t *traffic_selector_create_from_rfc3779_format(ts_type_t type,
  * @param net			subnet to use
  * @param netbits		size of the subnet, as used in e.g. 192.168.0.0/24 notation
  * @param protocol		protocol for this ts, such as TCP or UDP
- * @param port			port number, host order
+ * @param from_port		start of allowed port range
+ * @param to_port		end of port range
  * @return
  *						- traffic_selector_t object
  *						- NULL if address family of net not supported
  */
 traffic_selector_t *traffic_selector_create_from_subnet(
-									host_t *net, u_int8_t netbits,
-									u_int8_t protocol, u_int16_t port);
+							host_t *net, u_int8_t netbits, u_int8_t protocol,
+							u_int16_t from_port, u_int16_t to_port);
 
 /**
  * Create a traffic selector for host-to-host cases.
diff --git a/src/libstrongswan/threading/thread.c b/src/libstrongswan/threading/thread.c
index e524409c7..d6d98d1ef 100644
--- a/src/libstrongswan/threading/thread.c
+++ b/src/libstrongswan/threading/thread.c
@@ -129,7 +129,11 @@ static thread_value_t *current_thread;
 
 #ifndef HAVE_PTHREAD_CANCEL
 /* if pthread_cancel is not available, we emulate it using a signal */
+#ifdef ANDROID
+#define SIG_CANCEL SIGUSR2
+#else
 #define SIG_CANCEL (SIGRTMIN+7)
+#endif
 
 /* the signal handler for SIG_CANCEL uses pthread_exit to terminate the
  * "cancelled" thread */
diff --git a/src/libstrongswan/utils/backtrace.c b/src/libstrongswan/utils/backtrace.c
index 0b6683233..77137f9f1 100644
--- a/src/libstrongswan/utils/backtrace.c
+++ b/src/libstrongswan/utils/backtrace.c
@@ -27,6 +27,8 @@
 
 #include "backtrace.h"
 
+#include <utils/debug.h>
+
 typedef struct private_backtrace_t private_backtrace_t;
 
 /**
@@ -50,7 +52,42 @@ struct private_backtrace_t {
 	void *frames[];
 };
 
+/**
+ * Write a format string with arguments to a FILE line, if it is NULL to DBG
+ */
+static void println(FILE *file, char *format, ...)
+{
+	char buf[512];
+	va_list args;
+
+	va_start(args, format);
+	if (file)
+	{
+		vfprintf(file, format, args);
+		fputs("\n", file);
+	}
+	else
+	{
+		vsnprintf(buf, sizeof(buf), format, args);
+		DBG1(DBG_LIB, "%s", buf);
+	}
+	va_end(args);
+}
+
 #ifdef HAVE_DLADDR
+
+/**
+ * Same as tty_escape_get(), but for a potentially NULL FILE*
+ */
+static char* esc(FILE *file, tty_escape_t escape)
+{
+	if (file)
+	{
+		return tty_escape_get(fileno(file), escape);
+	}
+	return "";
+}
+
 #ifdef HAVE_BFD_H
 
 #include <bfd.h>
@@ -158,6 +195,7 @@ static void find_addr(bfd *abfd, asection *section, bfd_find_data_t *data)
 	bfd_vma vma;
 	const char *source;
 	const char *function;
+	char fbuf[512] = "", sbuf[512] = "";
 	u_int line;
 
 	if (!data->found || (bfd_get_section_flags(abfd, section) & SEC_ALLOC) != 0)
@@ -175,16 +213,18 @@ static void find_addr(bfd *abfd, asection *section, bfd_find_data_t *data)
 				{
 					if (source || function)
 					{
-						fprintf(data->file, "    -> ");
 						if (function)
 						{
-							fprintf(data->file, "\e[34m%s() ", function);
+							snprintf(fbuf, sizeof(fbuf), "%s%s() ",
+								esc(data->file, TTY_FG_BLUE), function);
 						}
 						if (source)
 						{
-							fprintf(data->file, "\e[32m@ %s:%d", source, line);
+							snprintf(sbuf, sizeof(sbuf), "%s@ %s:%d",
+								esc(data->file, TTY_FG_GREEN), source, line);
 						}
-						fprintf(data->file, "\e[0m\n");
+						println(data->file, "    -> %s%s%s", fbuf, sbuf,
+								esc(data->file, TTY_FG_DEF));
 					}
 				}
 			}
@@ -296,26 +336,28 @@ void backtrace_deinit() {}
  */
 static void print_sourceline(FILE *file, char *filename, void *ptr)
 {
-	char cmd[1024];
+	char buf[1024];
 	FILE *output;
-	int c;
+	int c, i = 0;
 
-	snprintf(cmd, sizeof(cmd), "addr2line -e %s %p", filename, ptr);
-	output = popen(cmd, "r");
+	snprintf(buf, sizeof(buf), "addr2line -e %s %p", filename, ptr);
+	output = popen(buf, "r");
 	if (output)
 	{
-		fprintf(file, "    -> \e[32m");
-		while (TRUE)
+		while (i < sizeof(buf))
 		{
 			c = getc(output);
 			if (c == '\n' || c == EOF)
 			{
+				buf[i++] = 0;
 				break;
 			}
-			fputc(c, file);
+			buf[i++] = c;
 		}
 		pclose(output);
-		fprintf(file, "\e[0m\n");
+
+		println(file, "    -> %s%s%s", esc(file, TTY_FG_GREEN), buf,
+				esc(file, TTY_FG_DEF));
 	}
 }
 
@@ -337,7 +379,7 @@ METHOD(backtrace_t, log_, void,
 
 	strings = backtrace_symbols(this->frames, this->frame_count);
 
-	fprintf(file, " dumping %d stack frame addresses:\n", this->frame_count);
+	println(file, " dumping %d stack frame addresses:", this->frame_count);
 	for (i = 0; i < this->frame_count; i++)
 	{
 #ifdef HAVE_DLADDR
@@ -353,16 +395,20 @@ METHOD(backtrace_t, log_, void,
 			}
 			if (info.dli_sname)
 			{
-				fprintf(file, "  \e[33m%s\e[0m @ %p (\e[31m%s\e[0m+0x%tx) [%p]\n",
-						info.dli_fname, info.dli_fbase, info.dli_sname,
-						this->frames[i] - info.dli_saddr, this->frames[i]);
+				println(file, "  %s%s%s @ %p (%s%s%s+0x%tx) [%p]",
+						esc(file, TTY_FG_YELLOW), info.dli_fname,
+						esc(file, TTY_FG_DEF), info.dli_fbase,
+						esc(file, TTY_FG_RED), info.dli_sname,
+						esc(file, TTY_FG_DEF), this->frames[i] - info.dli_saddr,
+						this->frames[i]);
 			}
 			else
 			{
-				fprintf(file, "  \e[33m%s\e[0m @ %p [%p]\n", info.dli_fname,
-						info.dli_fbase, this->frames[i]);
+				println(file, "  %s%s%s @ %p [%p]",
+						esc(file, TTY_FG_YELLOW), info.dli_fname,
+						esc(file, TTY_FG_DEF), info.dli_fbase, this->frames[i]);
 			}
-			if (detailed)
+			if (detailed && info.dli_fname[0])
 			{
 				print_sourceline(file, (char*)info.dli_fname, ptr);
 			}
@@ -370,12 +416,12 @@ METHOD(backtrace_t, log_, void,
 		else
 #endif /* HAVE_DLADDR */
 		{
-			fprintf(file, "    %s\n", strings[i]);
+			println(file, "    %s", strings[i]);
 		}
 	}
 	free (strings);
 #else /* !HAVE_BACKTRACE */
-	fprintf(file, "C library does not support backtrace().\n");
+	println(file, "C library does not support backtrace().");
 #endif /* HAVE_BACKTRACE */
 }
 
@@ -511,9 +557,8 @@ void backtrace_dump(char *label, FILE *file, bool detailed)
 
 	if (label)
 	{
-		fprintf(file, "Debug backtrace: %s\n", label);
+		println(file, "Debug backtrace: %s", label);
 	}
 	backtrace->log(backtrace, file, detailed);
 	backtrace->destroy(backtrace);
 }
-
diff --git a/src/libstrongswan/utils/backtrace.h b/src/libstrongswan/utils/backtrace.h
index aeeba4dd6..62104238d 100644
--- a/src/libstrongswan/utils/backtrace.h
+++ b/src/libstrongswan/utils/backtrace.h
@@ -35,7 +35,10 @@ struct backtrace_t {
 	/**
 	 * Log the backtrace to a FILE stream.
 	 *
-	 * @param file		FILE to log backtrace to
+	 * If no file pointer is given, the backtrace is reported over the debug
+	 * framework to the registered dbg() callback function.
+	 *
+	 * @param file		FILE to log backtrace to, NULL for dbg() function
 	 * @param detailed	TRUE to resolve line/file using addr2line (slow)
 	 */
 	void (*log)(backtrace_t *this, FILE *file, bool detailed);
@@ -81,7 +84,7 @@ backtrace_t *backtrace_create(int skip);
  * Create a backtrace, dump it and clean it up.
  *
  * @param label		description to print for this backtrace, or NULL
- * @param file		FILE to log backtrace to
+ * @param file		FILE to log backtrace to, NULL to dbg() function
  * @param detailed	TRUE to resolve line/file using addr2line (slow)
  */
 void backtrace_dump(char *label, FILE *file, bool detailed);
diff --git a/src/libstrongswan/utils/capabilities.c b/src/libstrongswan/utils/capabilities.c
index c36a76efe..44a14496c 100644
--- a/src/libstrongswan/utils/capabilities.c
+++ b/src/libstrongswan/utils/capabilities.c
@@ -29,7 +29,9 @@
 
 #include <utils/debug.h>
 
-#if !defined(HAVE_GETPWNAM_R) || !defined(HAVE_GETGRNAM_R)
+#if !defined(HAVE_GETPWNAM_R) || \
+    !defined(HAVE_GETGRNAM_R) || \
+    !defined(HAVE_GETPWUID_R)
 # include <threading/mutex.h>
 # define EMULATE_R_FUNCS
 #endif
@@ -188,6 +190,34 @@ METHOD(capabilities_t, resolve_gid, bool,
 	return FALSE;
 }
 
+/**
+ * Initialize supplementary groups for unprivileged user
+ */
+static bool init_supplementary_groups(private_capabilities_t *this)
+{
+	struct passwd *pwp;
+	int res = -1;
+
+#ifdef HAVE_GETPWUID_R
+	struct passwd pwd;
+	char buf[1024];
+
+	if (getpwuid_r(this->uid, &pwd, buf, sizeof(buf), &pwp) == 0 && pwp)
+	{
+		res = initgroups(pwp->pw_name, this->gid);
+	}
+#else /* HAVE_GETPWUID_R */
+	this->mutex->lock(this->mutex);
+	pwp = getpwuid(this->uid);
+	if (pwp)
+	{
+		res = initgroups(pwp->pw_name, this->gid);
+	}
+	this->mutex->unlock(this->mutex);
+#endif /* HAVE_GETPWUID_R */
+	return res == 0;
+}
+
 METHOD(capabilities_t, drop, bool,
 	private_capabilities_t *this)
 {
@@ -195,6 +225,12 @@ METHOD(capabilities_t, drop, bool,
 	prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0);
 #endif
 
+	if (!init_supplementary_groups(this))
+	{
+		DBG1(DBG_LIB, "initializing supplementary groups for %u failed",
+			 this->uid);
+		return FALSE;
+	}
 	if (this->gid && setgid(this->gid) != 0)
 	{
 		DBG1(DBG_LIB, "change to unprivileged group %u failed: %s",
diff --git a/src/libstrongswan/utils/chunk.h b/src/libstrongswan/utils/chunk.h
index 67848eec1..bc14b7394 100644
--- a/src/libstrongswan/utils/chunk.h
+++ b/src/libstrongswan/utils/chunk.h
@@ -190,6 +190,11 @@ static inline void chunk_clear(chunk_t *chunk)
  */
 #define chunk_from_thing(thing) chunk_create((char*)&(thing), sizeof(thing))
 
+/**
+ * Initialize a chunk from a static string, not containing 0-terminator
+ */
+#define chunk_from_str(str) chunk_create(str, strlen(str))
+
 /**
  * Allocate a chunk on the heap
  */
diff --git a/src/libstrongswan/utils/identification.c b/src/libstrongswan/utils/identification.c
index 2669c2da6..4176320dc 100644
--- a/src/libstrongswan/utils/identification.c
+++ b/src/libstrongswan/utils/identification.c
@@ -49,10 +49,10 @@ ENUM_BEGIN(id_type_names, ID_ANY, ID_KEY_ID,
 	"ID_DER_ASN1_DN",
 	"ID_DER_ASN1_GN",
 	"ID_KEY_ID");
-ENUM_NEXT(id_type_names, ID_DER_ASN1_GN_URI, ID_MYID, ID_KEY_ID,
+ENUM_NEXT(id_type_names, ID_DER_ASN1_GN_URI, ID_USER_ID, ID_KEY_ID,
 	"ID_DER_ASN1_GN_URI",
-	"ID_MYID");
-ENUM_END(id_type_names, ID_MYID);
+	"ID_USER_ID");
+ENUM_END(id_type_names, ID_USER_ID);
 
 /**
  * coding of X.501 distinguished name
@@ -790,6 +790,7 @@ int identification_printf_hook(printf_hook_data_t *data,
 		case ID_FQDN:
 		case ID_RFC822_ADDR:
 		case ID_DER_ASN1_GN_URI:
+		case ID_USER_ID:
 			chunk_printable(this->encoded, &proper, '?');
 			snprintf(buf, sizeof(buf), "%.*s", (int)proper.len, proper.ptr);
 			chunk_free(&proper);
@@ -812,9 +813,6 @@ int identification_printf_hook(printf_hook_data_t *data,
 				snprintf(buf, sizeof(buf), "%#B", &this->encoded);
 			}
 			break;
-		case ID_MYID:
-			snprintf(buf, sizeof(buf), "%%myid");
-			break;
 		default:
 			snprintf(buf, sizeof(buf), "(unknown ID type: %d)", this->type);
 			break;
@@ -873,6 +871,7 @@ static private_identification_t *identification_create(id_type_t type)
 			break;
 		case ID_FQDN:
 		case ID_RFC822_ADDR:
+		case ID_USER_ID:
 			this->public.matches = _matches_string;
 			this->public.equals = _equals_strcasecmp;
 			this->public.contains_wildcards = _contains_wildcards_memchr;
@@ -1023,9 +1022,16 @@ identification_t * identification_create_from_data(chunk_t data)
 {
 	char buf[data.len + 1];
 
-	/* use string constructor */
-	snprintf(buf, sizeof(buf), "%.*s", (int)data.len, data.ptr);
-	return identification_create_from_string(buf);
+	if (is_asn1(data))
+	{
+		return identification_create_from_encoding(ID_DER_ASN1_DN, data);
+	}
+	else
+	{
+		/* use string constructor */
+		snprintf(buf, sizeof(buf), "%.*s", (int)data.len, data.ptr);
+		return identification_create_from_string(buf);
+	}
 }
 
 /*
diff --git a/src/libstrongswan/utils/identification.h b/src/libstrongswan/utils/identification.h
index cdf229127..00d740765 100644
--- a/src/libstrongswan/utils/identification.h
+++ b/src/libstrongswan/utils/identification.h
@@ -126,14 +126,14 @@ enum id_type_t {
 	ID_KEY_ID = 11,
 
 	/**
-	 * private type which represents a GeneralName of type URI
+	 * Private ID type which represents a GeneralName of type URI
 	 */
 	ID_DER_ASN1_GN_URI = 201,
 
 	/**
-	 * Private ID used by the pluto daemon for opportunistic encryption
+	 * Private ID type which represents a user ID
 	 */
-	ID_MYID = 203,
+	ID_USER_ID = 202
 };
 
 /**
diff --git a/src/libstrongswan/utils/leak_detective.c b/src/libstrongswan/utils/leak_detective.c
index 2b0be1661..6bf4d63cd 100644
--- a/src/libstrongswan/utils/leak_detective.c
+++ b/src/libstrongswan/utils/leak_detective.c
@@ -226,6 +226,8 @@ char *whitelist[] = {
 	"setpwent",
 	"endpwent",
 	"getspnam_r",
+	"getpwuid_r",
+	"initgroups",
 	/* ignore dlopen, as we do not dlclose to get proper leak reports */
 	"dlopen",
 	"dlerror",
diff --git a/src/libstrongswan/utils/utils.c b/src/libstrongswan/utils/utils.c
index bf0224c5f..2f38d8a93 100644
--- a/src/libstrongswan/utils/utils.c
+++ b/src/libstrongswan/utils/utils.c
@@ -194,6 +194,69 @@ bool mkdir_p(const char *path, mode_t mode)
 	return TRUE;
 }
 
+ENUM(tty_color_names, TTY_RESET, TTY_BG_DEF,
+	"\e[0m",
+	"\e[1m",
+	"\e[4m",
+	"\e[5m",
+	"\e[30m",
+	"\e[31m",
+	"\e[32m",
+	"\e[33m",
+	"\e[34m",
+	"\e[35m",
+	"\e[36m",
+	"\e[37m",
+	"\e[39m",
+	"\e[40m",
+	"\e[41m",
+	"\e[42m",
+	"\e[43m",
+	"\e[44m",
+	"\e[45m",
+	"\e[46m",
+	"\e[47m",
+	"\e[49m",
+);
+
+/**
+ * Get the escape string for a given TTY color, empty string on non-tty FILE
+ */
+char* tty_escape_get(int fd, tty_escape_t escape)
+{
+	if (!isatty(fd))
+	{
+		return "";
+	}
+	switch (escape)
+	{
+		case TTY_RESET:
+		case TTY_BOLD:
+		case TTY_UNDERLINE:
+		case TTY_BLINKING:
+		case TTY_FG_BLACK:
+		case TTY_FG_RED:
+		case TTY_FG_GREEN:
+		case TTY_FG_YELLOW:
+		case TTY_FG_BLUE:
+		case TTY_FG_MAGENTA:
+		case TTY_FG_CYAN:
+		case TTY_FG_WHITE:
+		case TTY_FG_DEF:
+		case TTY_BG_BLACK:
+		case TTY_BG_RED:
+		case TTY_BG_GREEN:
+		case TTY_BG_YELLOW:
+		case TTY_BG_BLUE:
+		case TTY_BG_MAGENTA:
+		case TTY_BG_CYAN:
+		case TTY_BG_WHITE:
+		case TTY_BG_DEF:
+			return enum_to_name(tty_color_names, escape);
+		/* warn if a excape code is missing */
+	}
+	return "";
+}
 
 /**
  * The size of the thread-specific error buffer
@@ -386,6 +449,14 @@ status_t return_failed()
 	return FAILED;
 }
 
+/**
+ * returns SUCCESS
+ */
+status_t return_success()
+{
+	return SUCCESS;
+}
+
 /**
  * nop operation
  */
@@ -460,7 +531,7 @@ int time_printf_hook(printf_hook_data_t *data, printf_hook_spec_t *spec,
 	bool utc = *((bool*)(args[1]));;
 	struct tm t;
 
-	if (time == UNDEFINED_TIME)
+	if (*time == UNDEFINED_TIME)
 	{
 		return print_in_hook(data, "--- -- --:--:--%s----",
 							 utc ? " UTC " : " ");
diff --git a/src/libstrongswan/utils/utils.h b/src/libstrongswan/utils/utils.h
index 7b1beb93a..c66c665e0 100644
--- a/src/libstrongswan/utils/utils.h
+++ b/src/libstrongswan/utils/utils.h
@@ -314,6 +314,46 @@ enum status_t {
  */
 extern enum_name_t *status_names;
 
+typedef enum tty_escape_t tty_escape_t;
+
+/**
+ * Excape codes for tty colors
+ */
+enum tty_escape_t {
+	/** text properties */
+	TTY_RESET,
+	TTY_BOLD,
+	TTY_UNDERLINE,
+	TTY_BLINKING,
+
+	/** foreground colors */
+	TTY_FG_BLACK,
+	TTY_FG_RED,
+	TTY_FG_GREEN,
+	TTY_FG_YELLOW,
+	TTY_FG_BLUE,
+	TTY_FG_MAGENTA,
+	TTY_FG_CYAN,
+	TTY_FG_WHITE,
+	TTY_FG_DEF,
+
+	/** background colors */
+	TTY_BG_BLACK,
+	TTY_BG_RED,
+	TTY_BG_GREEN,
+	TTY_BG_YELLOW,
+	TTY_BG_BLUE,
+	TTY_BG_MAGENTA,
+	TTY_BG_CYAN,
+	TTY_BG_WHITE,
+	TTY_BG_DEF,
+};
+
+/**
+ * Get the escape string for a given TTY color, empty string on non-tty fd
+ */
+char* tty_escape_get(int fd, tty_escape_t escape);
+
 /**
  * deprecated pluto style return value:
  * error message, NULL for success
@@ -495,6 +535,11 @@ bool return_false();
  */
 status_t return_failed();
 
+/**
+ * returns SUCCESS
+ */
+status_t return_success();
+
 /**
  * Write a 16-bit host order value in network order to an unaligned address.
  *
diff --git a/src/libtls/Makefile.in b/src/libtls/Makefile.in
index d54545aac..a98c5a6d6 100644
--- a/src/libtls/Makefile.in
+++ b/src/libtls/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.11.3 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
@@ -17,6 +17,23 @@
 
 
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -105,6 +122,11 @@ LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
 	$(LDFLAGS) -o $@
 SOURCES = $(libtls_la_SOURCES)
 DIST_SOURCES = $(libtls_la_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 am__nobase_tls_include_HEADERS_DIST = tls_protection.h \
 	tls_compression.h tls_fragmentation.h tls_alert.h tls_crypto.h \
 	tls_prf.h tls_socket.h tls_eap.h tls_cache.h tls_peer.h \
@@ -126,6 +148,8 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -142,6 +166,7 @@ EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
@@ -210,8 +235,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -267,7 +290,6 @@ nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
@@ -350,7 +372,6 @@ $(ACLOCAL_M4):  $(am__aclocal_m4_deps)
 $(am__aclocal_m4_deps):
 install-ipseclibLTLIBRARIES: $(ipseclib_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
-	test -z "$(ipseclibdir)" || $(MKDIR_P) "$(DESTDIR)$(ipseclibdir)"
 	@list='$(ipseclib_LTLIBRARIES)'; test -n "$(ipseclibdir)" || list=; \
 	list2=; for p in $$list; do \
 	  if test -f $$p; then \
@@ -358,6 +379,8 @@ install-ipseclibLTLIBRARIES: $(ipseclib_LTLIBRARIES)
 	  else :; fi; \
 	done; \
 	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(ipseclibdir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(ipseclibdir)" || exit 1; \
 	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(ipseclibdir)'"; \
 	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(ipseclibdir)"; \
 	}
@@ -429,15 +452,18 @@ clean-libtool:
 	-rm -rf .libs _libs
 install-nobase_tls_includeHEADERS: $(nobase_tls_include_HEADERS)
 	@$(NORMAL_INSTALL)
-	test -z "$(tls_includedir)" || $(MKDIR_P) "$(DESTDIR)$(tls_includedir)"
 	@list='$(nobase_tls_include_HEADERS)'; test -n "$(tls_includedir)" || list=; \
+	if test -n "$$list"; then \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(tls_includedir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(tls_includedir)" || exit 1; \
+	fi; \
 	$(am__nobase_list) | while read dir files; do \
 	  xfiles=; for file in $$files; do \
 	    if test -f "$$file"; then xfiles="$$xfiles $$file"; \
 	    else xfiles="$$xfiles $(srcdir)/$$file"; fi; done; \
 	  test -z "$$xfiles" || { \
 	    test "x$$dir" = x. || { \
-	      echo "$(MKDIR_P) '$(DESTDIR)$(tls_includedir)/$$dir'"; \
+	      echo " $(MKDIR_P) '$(DESTDIR)$(tls_includedir)/$$dir'"; \
 	      $(MKDIR_P) "$(DESTDIR)$(tls_includedir)/$$dir"; }; \
 	    echo " $(INSTALL_HEADER) $$xfiles '$(DESTDIR)$(tls_includedir)/$$dir'"; \
 	    $(INSTALL_HEADER) $$xfiles "$(DESTDIR)$(tls_includedir)/$$dir" || exit $$?; }; \
diff --git a/src/libtls/tls.c b/src/libtls/tls.c
index dea08e3eb..6d33d843d 100644
--- a/src/libtls/tls.c
+++ b/src/libtls/tls.c
@@ -106,16 +106,6 @@ struct private_tls_t {
 	 */
 	bool is_server;
 
-	/**
-	 * Server identity
-	 */
-	identification_t *server;
-
-	/**
-	 * Peer identity
-	 */
-	identification_t *peer;
-
 	/**
 	 * Negotiated TLS version
 	 */
@@ -359,6 +349,18 @@ METHOD(tls_t, is_server, bool,
 	return this->is_server;
 }
 
+METHOD(tls_t, get_server_id, identification_t*,
+	private_tls_t *this)
+{
+	return this->handshake->get_server_id(this->handshake);
+}
+
+METHOD(tls_t, get_peer_id, identification_t*,
+	private_tls_t *this)
+{
+	return this->handshake->get_peer_id(this->handshake);
+}
+
 METHOD(tls_t, get_version, tls_version_t,
 	private_tls_t *this)
 {
@@ -421,8 +423,6 @@ METHOD(tls_t, destroy, void,
 	this->fragmentation->destroy(this->fragmentation);
 	this->crypto->destroy(this->crypto);
 	this->handshake->destroy(this->handshake);
-	DESTROY_IF(this->peer);
-	this->server->destroy(this->server);
 	DESTROY_IF(this->application);
 	this->alert->destroy(this->alert);
 
@@ -457,6 +457,8 @@ tls_t *tls_create(bool is_server, identification_t *server,
 			.process = _process,
 			.build = _build,
 			.is_server = _is_server,
+			.get_server_id = _get_server_id,
+			.get_peer_id = _get_peer_id,
 			.get_version = _get_version,
 			.set_version = _set_version,
 			.get_purpose = _get_purpose,
@@ -466,8 +468,6 @@ tls_t *tls_create(bool is_server, identification_t *server,
 		},
 		.is_server = is_server,
 		.version = TLS_1_2,
-		.server = server->clone(server),
-		.peer = peer ? peer->clone(peer) : NULL,
 		.application = application,
 		.purpose = purpose,
 	);
@@ -477,12 +477,12 @@ tls_t *tls_create(bool is_server, identification_t *server,
 	if (is_server)
 	{
 		this->handshake = &tls_server_create(&this->public, this->crypto,
-							this->alert, this->server, this->peer)->handshake;
+										this->alert, server, peer)->handshake;
 	}
 	else
 	{
 		this->handshake = &tls_peer_create(&this->public, this->crypto,
-							this->alert, this->peer, this->server)->handshake;
+										this->alert, peer, server)->handshake;
 	}
 	this->fragmentation = tls_fragmentation_create(this->handshake, this->alert,
 												   this->application);
diff --git a/src/libtls/tls.h b/src/libtls/tls.h
index 6b4876f73..7f45b1e09 100644
--- a/src/libtls/tls.h
+++ b/src/libtls/tls.h
@@ -192,6 +192,20 @@ struct tls_t {
 	 */
 	bool (*is_server)(tls_t *this);
 
+	/**
+	 * Return the server identity.
+	 *
+	 * @return			server identity
+	 */
+	identification_t* (*get_server_id)(tls_t *this);
+
+	/**
+	 * Return the peer identity.
+	 *
+	 * @return			peer identity
+	 */
+	identification_t* (*get_peer_id)(tls_t *this);
+
 	/**
 	 * Get the negotiated TLS/SSL version.
 	 *
diff --git a/src/libtls/tls_fragmentation.c b/src/libtls/tls_fragmentation.c
index c76376b43..6e4347e3c 100644
--- a/src/libtls/tls_fragmentation.c
+++ b/src/libtls/tls_fragmentation.c
@@ -223,7 +223,7 @@ static status_t process_application(private_tls_fragmentation_t *this,
 				continue;
 			case SUCCESS:
 				this->application_finished = TRUE;
-				return SUCCESS;
+				/* FALL */
 			case FAILED:
 			default:
 				this->alert->add(this->alert, TLS_FATAL, TLS_CLOSE_NOTIFY);
@@ -368,7 +368,7 @@ static status_t build_application(private_tls_fragmentation_t *this)
 				break;
 			case SUCCESS:
 				this->application_finished = TRUE;
-				break;
+				/* FALL */
 			case FAILED:
 			default:
 				this->alert->add(this->alert, TLS_FATAL, TLS_CLOSE_NOTIFY);
@@ -391,6 +391,10 @@ METHOD(tls_fragmentation_t, build, status_t,
 			this->state = ALERT_SENT;
 			return INVALID_STATE;
 		case ALERT_SENT:
+			if (this->application_finished)
+			{
+				return SUCCESS;
+			}
 			return FAILED;
 		case ALERT_NONE:
 			break;
diff --git a/src/libtls/tls_handshake.h b/src/libtls/tls_handshake.h
index bea0024eb..7fa660c58 100644
--- a/src/libtls/tls_handshake.h
+++ b/src/libtls/tls_handshake.h
@@ -83,6 +83,20 @@ struct tls_handshake_t {
 	 */
 	bool (*finished)(tls_handshake_t *this);
 
+	/**
+	 * Get the peer identity authenticated/to authenticate during handshake.
+	 *
+	 * @return			peer identity
+	 */
+	identification_t* (*get_peer_id)(tls_handshake_t *this);
+
+	/**
+	 * Get the server identity authenticated/to authenticate during handshake.
+	 *
+	 * @return			server identity
+	 */
+	identification_t* (*get_server_id)(tls_handshake_t *this);
+
 	/**
 	 * Destroy a tls_handshake_t.
 	 */
diff --git a/src/libtls/tls_peer.c b/src/libtls/tls_peer.c
index 622df4035..b429da300 100644
--- a/src/libtls/tls_peer.c
+++ b/src/libtls/tls_peer.c
@@ -665,6 +665,8 @@ METHOD(tls_handshake_t, process, status_t,
 			{
 				return process_certreq(this, reader);
 			}
+			/* no cert request, server does not want to authenticate us */
+			DESTROY_IF(this->peer);
 			this->peer = NULL;
 			/* fall through since TLS_CERTIFICATE_REQUEST is optional */
 		case STATE_CERTREQ_RECEIVED:
@@ -850,6 +852,7 @@ static status_t send_certificate(private_tls_peer_t *this,
 	{
 		DBG1(DBG_TLS, "no TLS peer certificate found for '%Y', "
 			 "skipping client authentication", this->peer);
+		this->peer->destroy(this->peer);
 		this->peer = NULL;
 	}
 
@@ -1132,11 +1135,25 @@ METHOD(tls_handshake_t, finished, bool,
 	return this->state == STATE_FINISHED_RECEIVED;
 }
 
+METHOD(tls_handshake_t, get_peer_id, identification_t*,
+	private_tls_peer_t *this)
+{
+	return this->peer;
+}
+
+METHOD(tls_handshake_t, get_server_id, identification_t*,
+	private_tls_peer_t *this)
+{
+	return this->server;
+}
+
 METHOD(tls_handshake_t, destroy, void,
 	private_tls_peer_t *this)
 {
 	DESTROY_IF(this->private);
 	DESTROY_IF(this->dh);
+	DESTROY_IF(this->peer);
+	this->server->destroy(this->server);
 	this->peer_auth->destroy(this->peer_auth);
 	this->server_auth->destroy(this->server_auth);
 	free(this->hashsig.ptr);
@@ -1161,6 +1178,8 @@ tls_peer_t *tls_peer_create(tls_t *tls, tls_crypto_t *crypto, tls_alert_t *alert
 				.cipherspec_changed = _cipherspec_changed,
 				.change_cipherspec = _change_cipherspec,
 				.finished = _finished,
+				.get_peer_id = _get_peer_id,
+				.get_server_id = _get_server_id,
 				.destroy = _destroy,
 			},
 		},
@@ -1168,8 +1187,8 @@ tls_peer_t *tls_peer_create(tls_t *tls, tls_crypto_t *crypto, tls_alert_t *alert
 		.tls = tls,
 		.crypto = crypto,
 		.alert = alert,
-		.peer = peer,
-		.server = server,
+		.peer = peer ? peer->clone(peer) : NULL,
+		.server = server->clone(server),
 		.peer_auth = auth_cfg_create(),
 		.server_auth = auth_cfg_create(),
 	);
diff --git a/src/libtls/tls_peer.h b/src/libtls/tls_peer.h
index f773ea72e..e4ff6f83c 100644
--- a/src/libtls/tls_peer.h
+++ b/src/libtls/tls_peer.h
@@ -41,11 +41,15 @@ struct tls_peer_t {
 
 /**
  * Create a tls_peer instance.
-*
+ *
+ * If a peer identity is given, but the client does not get requested or is
+ * otherwise unable to perform client authentication, NULL is returned in
+ * tls_handshake_t.get_peer_id() instead of the peer identity.
+ *
  * @param tls		TLS stack
  * @param crypto	TLS crypto helper
  * @param alert		TLS alert handler
- * @param peer		peer identity
+ * @param peer		peer identity, NULL to skip client authentication
  * @param server	server identity
  */
 tls_peer_t *tls_peer_create(tls_t *tls, tls_crypto_t *crypto, tls_alert_t *alert,
diff --git a/src/libtls/tls_server.c b/src/libtls/tls_server.c
index ec42b67fc..aeb5a714f 100644
--- a/src/libtls/tls_server.c
+++ b/src/libtls/tls_server.c
@@ -79,6 +79,11 @@ struct private_tls_server_t {
 	 */
 	identification_t *peer;
 
+	/**
+	 * Is it acceptable if we couldn't verify the peer certificate?
+	 */
+	bool peer_auth_optional;
+
 	/**
 	 * State we are in
 	 */
@@ -367,6 +372,12 @@ static status_t process_certificate(private_tls_server_t *this,
 				DBG1(DBG_TLS, "received TLS peer certificate '%Y'",
 					 cert->get_subject(cert));
 				first = FALSE;
+				if (this->peer == NULL)
+				{	/* apply identity to authenticate */
+					this->peer = cert->get_subject(cert);
+					this->peer = this->peer->clone(this->peer);
+					this->peer_auth_optional = TRUE;
+				}
 			}
 			else
 			{
@@ -550,13 +561,22 @@ static status_t process_cert_verify(private_tls_server_t *this,
 	{
 		DBG1(DBG_TLS, "no trusted certificate found for '%Y' to verify TLS peer",
 			 this->peer);
-		this->alert->add(this->alert, TLS_FATAL, TLS_CERTIFICATE_UNKNOWN);
-		return NEED_MORE;
+		if (!this->peer_auth_optional)
+		{	/* client authentication is required */
+			this->alert->add(this->alert, TLS_FATAL, TLS_CERTIFICATE_UNKNOWN);
+			return NEED_MORE;
+		}
+		/* reset peer identity, we couldn't authenticate it */
+		this->peer->destroy(this->peer);
+		this->peer = NULL;
+		this->state = STATE_KEY_EXCHANGE_RECEIVED;
+	}
+	else
+	{
+		this->state = STATE_CERT_VERIFY_RECEIVED;
 	}
-
 	this->crypto->append_handshake(this->crypto,
 								   TLS_CERTIFICATE_VERIFY, reader->peek(reader));
-	this->state = STATE_CERT_VERIFY_RECEIVED;
 	return NEED_MORE;
 }
 
@@ -979,11 +999,7 @@ METHOD(tls_handshake_t, build, status_t,
 			}
 			/* otherwise fall through to next state */
 		case STATE_KEY_EXCHANGE_SENT:
-			if (this->peer)
-			{
-				return send_certificate_request(this, type, writer);
-			}
-			/* otherwise fall through to next state */
+			return send_certificate_request(this, type, writer);
 		case STATE_CERTREQ_SENT:
 			return send_hello_done(this, type, writer);
 		case STATE_CIPHERSPEC_CHANGED_OUT:
@@ -1045,11 +1061,25 @@ METHOD(tls_handshake_t, finished, bool,
 	return this->state == STATE_FINISHED_SENT;
 }
 
+METHOD(tls_handshake_t, get_peer_id, identification_t*,
+	private_tls_server_t *this)
+{
+	return this->peer;
+}
+
+METHOD(tls_handshake_t, get_server_id, identification_t*,
+	private_tls_server_t *this)
+{
+	return this->server;
+}
+
 METHOD(tls_handshake_t, destroy, void,
 	private_tls_server_t *this)
 {
 	DESTROY_IF(this->private);
 	DESTROY_IF(this->dh);
+	DESTROY_IF(this->peer);
+	this->server->destroy(this->server);
 	this->peer_auth->destroy(this->peer_auth);
 	this->server_auth->destroy(this->server_auth);
 	free(this->hashsig.ptr);
@@ -1075,14 +1105,16 @@ tls_server_t *tls_server_create(tls_t *tls,
 				.cipherspec_changed = _cipherspec_changed,
 				.change_cipherspec = _change_cipherspec,
 				.finished = _finished,
+				.get_peer_id = _get_peer_id,
+				.get_server_id = _get_server_id,
 				.destroy = _destroy,
 			},
 		},
 		.tls = tls,
 		.crypto = crypto,
 		.alert = alert,
-		.server = server,
-		.peer = peer,
+		.server = server->clone(server),
+		.peer = peer ? peer->clone(peer) : NULL,
 		.state = STATE_INIT,
 		.peer_auth = auth_cfg_create(),
 		.server_auth = auth_cfg_create(),
diff --git a/src/libtls/tls_server.h b/src/libtls/tls_server.h
index 6289dc8eb..d6b8de153 100644
--- a/src/libtls/tls_server.h
+++ b/src/libtls/tls_server.h
@@ -42,11 +42,16 @@ struct tls_server_t {
 /**
  * Create a tls_server instance.
  *
+ * If a peer identity is given, the client must authenticate with a valid
+ * certificate for this identity, or the connection fails. If peer is NULL,
+ * but the client authenticates nonetheless, the authenticated identity
+ * gets returned by tls_handshake_t.get_peer_id().
+ *
  * @param tls		TLS stack
  * @param crypto	TLS crypto helper
  * @param alert		TLS alert handler
  * @param server	server identity
- * @param peer		peer identity
+ * @param peer		peer identity, or NULL
  */
 tls_server_t *tls_server_create(tls_t *tls,
 						tls_crypto_t *crypto, tls_alert_t *alert,
diff --git a/src/libtls/tls_socket.c b/src/libtls/tls_socket.c
index 75b714e30..4ba964000 100644
--- a/src/libtls/tls_socket.c
+++ b/src/libtls/tls_socket.c
@@ -42,14 +42,39 @@ struct private_tls_application_t {
 	tls_application_t application;
 
 	/**
-	 * Chunk of data to send
+	 * Output buffer to write to
 	 */
 	chunk_t out;
 
 	/**
-	 * Chunk of data received
+	 * Number of bytes written to out
+	 */
+	size_t out_done;
+
+	/**
+	 * Input buffer to read to
 	 */
 	chunk_t in;
+
+	/**
+	 * Number of bytes read to in
+	 */
+	size_t in_done;
+
+	/**
+	 * Cached input data
+	 */
+	chunk_t cache;
+
+	/**
+	 * Bytes consumed in cache
+	 */
+	size_t cache_done;
+
+	/**
+	 * Close TLS connection?
+	 */
+	bool close;
 };
 
 /**
@@ -82,22 +107,44 @@ METHOD(tls_application_t, process, status_t,
 	private_tls_application_t *this, bio_reader_t *reader)
 {
 	chunk_t data;
+	size_t len;
 
-	if (!reader->read_data(reader, reader->remaining(reader), &data))
+	if (this->close)
 	{
-		return FAILED;
+		return SUCCESS;
+	}
+	len = min(reader->remaining(reader), this->in.len - this->in_done);
+	if (len)
+	{	/* copy to read buffer as much as fits in */
+		if (!reader->read_data(reader, len, &data))
+		{
+			return FAILED;
+		}
+		memcpy(this->in.ptr + this->in_done, data.ptr, data.len);
+		this->in_done += data.len;
+	}
+	else
+	{	/* read buffer is full, cache for next read */
+		if (!reader->read_data(reader, reader->remaining(reader), &data))
+		{
+			return FAILED;
+		}
+		this->cache = chunk_cat("mc", this->cache, data);
 	}
-	this->in = chunk_cat("mc", this->in, data);
 	return NEED_MORE;
 }
 
 METHOD(tls_application_t, build, status_t,
 	private_tls_application_t *this, bio_writer_t *writer)
 {
-	if (this->out.len)
+	if (this->close)
+	{
+		return SUCCESS;
+	}
+	if (this->out.len > this->out_done)
 	{
 		writer->write_data(writer, this->out);
-		this->out = chunk_empty;
+		this->out_done = this->out.len;
 		return NEED_MORE;
 	}
 	return INVALID_STATE;
@@ -106,11 +153,12 @@ METHOD(tls_application_t, build, status_t,
 /**
  * TLS data exchange loop
  */
-static bool exchange(private_tls_socket_t *this, bool wr)
+static bool exchange(private_tls_socket_t *this, bool wr, bool block)
 {
 	char buf[CRYPTO_BUF_SIZE], *pos;
-	ssize_t len, out;
-	int round = 0;
+	ssize_t in, out;
+	size_t len;
+	int round = 0, flags;
 
 	for (round = 0; TRUE; round++)
 	{
@@ -137,6 +185,8 @@ static bool exchange(private_tls_socket_t *this, bool wr)
 					continue;
 				case INVALID_STATE:
 					break;
+				case SUCCESS:
+					return TRUE;
 				default:
 					return FALSE;
 			}
@@ -144,55 +194,97 @@ static bool exchange(private_tls_socket_t *this, bool wr)
 		}
 		if (wr)
 		{
-			if (this->app.out.len == 0)
+			if (this->app.out_done == this->app.out.len)
 			{	/* all data written */
 				return TRUE;
 			}
 		}
 		else
 		{
-			if (this->app.in.len)
-			{	/* some data received */
+			if (this->app.in_done == this->app.in.len)
+			{	/* buffer fully received */
 				return TRUE;
 			}
-			if (round > 0)
-			{	/* did some handshaking, return empty chunk to not block */
-				return TRUE;
+		}
+
+		flags = 0;
+		if (this->app.out_done == this->app.out.len)
+		{
+			if (!block || this->app.in_done)
+			{
+				flags |= MSG_DONTWAIT;
 			}
 		}
-		len = read(this->fd, buf, sizeof(buf));
-		if (len <= 0)
+		in = recv(this->fd, buf, sizeof(buf), flags);
+		if (in < 0)
 		{
+			if (errno == EAGAIN || errno == EWOULDBLOCK)
+			{
+				if (this->app.in_done == 0)
+				{
+					/* reading, nothing got yet, and call would block */
+					errno = EWOULDBLOCK;
+					this->app.in_done = -1;
+				}
+				return TRUE;
+			}
 			return FALSE;
 		}
-		if (this->tls->process(this->tls, buf, len) != NEED_MORE)
+		if (in == 0)
+		{	/* EOF */
+			return TRUE;
+		}
+		switch (this->tls->process(this->tls, buf, in))
 		{
-			return FALSE;
+			case NEED_MORE:
+				break;
+			case SUCCESS:
+				return TRUE;
+			default:
+				return FALSE;
 		}
 	}
 }
 
-METHOD(tls_socket_t, read_, bool,
-	private_tls_socket_t *this, chunk_t *buf)
+METHOD(tls_socket_t, read_, ssize_t,
+	private_tls_socket_t *this, void *buf, size_t len, bool block)
 {
-	if (exchange(this, FALSE))
+	if (this->app.cache.len)
 	{
-		*buf = this->app.in;
-		this->app.in = chunk_empty;
-		return TRUE;
+		size_t cache;
+
+		cache = min(len, this->app.cache.len - this->app.cache_done);
+		memcpy(buf, this->app.cache.ptr + this->app.cache_done, cache);
+
+		this->app.cache_done += cache;
+		if (this->app.cache_done == this->app.cache.len)
+		{
+			chunk_free(&this->app.cache);
+			this->app.cache_done = 0;
+		}
+		return cache;
 	}
-	return FALSE;
+	this->app.in.ptr = buf;
+	this->app.in.len = len;
+	this->app.in_done = 0;
+	if (exchange(this, FALSE, block))
+	{
+		return this->app.in_done;
+	}
+	return -1;
 }
 
-METHOD(tls_socket_t, write_, bool,
-	private_tls_socket_t *this, chunk_t buf)
+METHOD(tls_socket_t, write_, ssize_t,
+	private_tls_socket_t *this, void *buf, size_t len)
 {
-	this->app.out = buf;
-	if (exchange(this, TRUE))
+	this->app.out.ptr = buf;
+	this->app.out.len = len;
+	this->app.out_done = 0;
+	if (exchange(this, TRUE, FALSE))
 	{
-		return TRUE;
+		return this->app.out_done;
 	}
-	return FALSE;
+	return -1;
 }
 
 METHOD(tls_socket_t, splice, bool,
@@ -200,68 +292,85 @@ METHOD(tls_socket_t, splice, bool,
 {
 	char buf[PLAIN_BUF_SIZE], *pos;
 	fd_set set;
-	chunk_t data;
-	ssize_t len;
-	bool old;
+	ssize_t in, out;
+	bool old, plain_eof = FALSE, crypto_eof = FALSE;
 
-	while (TRUE)
+	while (!plain_eof && !crypto_eof)
 	{
 		FD_ZERO(&set);
 		FD_SET(rfd, &set);
 		FD_SET(this->fd, &set);
 
 		old = thread_cancelability(TRUE);
-		len = select(max(rfd, this->fd) + 1, &set, NULL, NULL, NULL);
+		in = select(max(rfd, this->fd) + 1, &set, NULL, NULL, NULL);
 		thread_cancelability(old);
-		if (len == -1)
+		if (in == -1)
 		{
 			DBG1(DBG_TLS, "TLS select error: %s", strerror(errno));
 			return FALSE;
 		}
-		if (FD_ISSET(this->fd, &set))
+		while (!plain_eof && FD_ISSET(this->fd, &set))
 		{
-			if (!read_(this, &data))
-			{
-				DBG2(DBG_TLS, "TLS read error/disconnect");
-				return TRUE;
-			}
-			pos = data.ptr;
-			while (data.len)
+			in = read_(this, buf, sizeof(buf), FALSE);
+			switch (in)
 			{
-				len = write(wfd, pos, data.len);
-				if (len == -1)
-				{
-					free(data.ptr);
-					DBG1(DBG_TLS, "TLS plain write error: %s", strerror(errno));
-					return FALSE;
-				}
-				data.len -= len;
-				pos += len;
+				case 0:
+					plain_eof = TRUE;
+					break;
+				case -1:
+					if (errno != EWOULDBLOCK)
+					{
+						DBG1(DBG_TLS, "TLS read error: %s", strerror(errno));
+						return FALSE;
+					}
+					break;
+				default:
+					pos = buf;
+					while (in)
+					{
+						out = write(wfd, pos, in);
+						if (out == -1)
+						{
+							DBG1(DBG_TLS, "TLS plain write error: %s",
+								 strerror(errno));
+							return FALSE;
+						}
+						in -= out;
+						pos += out;
+					}
+					continue;
 			}
-			free(data.ptr);
+			break;
 		}
-		if (FD_ISSET(rfd, &set))
+		if (!crypto_eof && FD_ISSET(rfd, &set))
 		{
-			len = read(rfd, buf, sizeof(buf));
-			if (len > 0)
-			{
-				if (!write_(this, chunk_create(buf, len)))
-				{
-					DBG1(DBG_TLS, "TLS write error");
-					return FALSE;
-				}
-			}
-			else
+			in = read(rfd, buf, sizeof(buf));
+			switch (in)
 			{
-				if (len < 0)
-				{
+				case 0:
+					crypto_eof = TRUE;
+					break;
+				case -1:
 					DBG1(DBG_TLS, "TLS plain read error: %s", strerror(errno));
 					return FALSE;
-				}
-				return TRUE;
+				default:
+					pos = buf;
+					while (in)
+					{
+						out = write_(this, pos, in);
+						if (out == -1)
+						{
+							DBG1(DBG_TLS, "TLS write error");
+							return FALSE;
+						}
+						in -= out;
+						pos += out;
+					}
+					break;
 			}
 		}
 	}
+	return TRUE;
 }
 
 METHOD(tls_socket_t, get_fd, int,
@@ -270,11 +379,26 @@ METHOD(tls_socket_t, get_fd, int,
 	return this->fd;
 }
 
+METHOD(tls_socket_t, get_server_id, identification_t*,
+	private_tls_socket_t *this)
+{
+	return this->tls->get_server_id(this->tls);
+}
+
+METHOD(tls_socket_t, get_peer_id, identification_t*,
+	private_tls_socket_t *this)
+{
+	return this->tls->get_peer_id(this->tls);
+}
+
 METHOD(tls_socket_t, destroy, void,
 	private_tls_socket_t *this)
 {
+	/* send a TLS close notify if not done yet */
+	this->app.close = TRUE;
+	write_(this, NULL, 0);
+	free(this->app.cache.ptr);
 	this->tls->destroy(this->tls);
-	free(this->app.in.ptr);
 	free(this);
 }
 
@@ -292,6 +416,8 @@ tls_socket_t *tls_socket_create(bool is_server, identification_t *server,
 			.write = _write_,
 			.splice = _splice,
 			.get_fd = _get_fd,
+			.get_server_id = _get_server_id,
+			.get_peer_id = _get_peer_id,
 			.destroy = _destroy,
 		},
 		.app = {
diff --git a/src/libtls/tls_socket.h b/src/libtls/tls_socket.h
index edd05fd29..75130a4d3 100644
--- a/src/libtls/tls_socket.h
+++ b/src/libtls/tls_socket.h
@@ -35,24 +35,27 @@ typedef struct tls_socket_t tls_socket_t;
 struct tls_socket_t {
 
 	/**
-	 * Read data from secured socket, return allocated chunk.
+	 * Read data from secured socket.
 	 *
 	 * This call is blocking, you may use select() on the underlying socket to
-	 * wait for data. If the there was non-application data available, the
-	 * read function can return an empty chunk.
+	 * wait for data. If "block" is FALSE and no application data is available,
+	 * the function returns -1 and sets errno to EWOULDBLOCK.
 	 *
-	 * @param data		pointer to allocate received data
-	 * @return			TRUE if data received successfully
+	 * @param buf		buffer to write received data to
+	 * @param len		size of buffer
+	 * @param block		TRUE to block this call, FALSE to fail if it would block
+	 * @return			number of bytes read, 0 on EOF, -1 on error
 	 */
-	bool (*read)(tls_socket_t *this, chunk_t *data);
+	ssize_t (*read)(tls_socket_t *this, void *buf, size_t len, bool block);
 
 	/**
-	 * Write a chunk of data over the secured socket.
+	 * Write data over the secured socket.
 	 *
-	 * @param data		data to send
-	 * @return			TRUE if data sent successfully
+	 * @param buf		data to send
+	 * @param len		number of bytes to write from buf
+	 * @return			number of bytes written, -1 on error
 	 */
-	bool (*write)(tls_socket_t *this, chunk_t data);
+	ssize_t (*write)(tls_socket_t *this, void *buf, size_t len);
 
 	/**
 	 * Read/write plain data from file descriptor.
@@ -73,6 +76,20 @@ struct tls_socket_t {
 	 */
 	int (*get_fd)(tls_socket_t *this);
 
+	/**
+	 * Return the server identity.
+	 *
+	 * @return			server identity
+	 */
+	identification_t* (*get_server_id)(tls_socket_t *this);
+
+	/**
+	 * Return the peer identity.
+	 *
+	 * @return			peer identity
+	 */
+	identification_t* (*get_peer_id)(tls_socket_t *this);
+
 	/**
 	 * Destroy a tls_socket_t.
 	 */
diff --git a/src/libtnccs/Android.mk b/src/libtnccs/Android.mk
index a4bbc13f5..ad12e754d 100644
--- a/src/libtnccs/Android.mk
+++ b/src/libtnccs/Android.mk
@@ -2,7 +2,7 @@ LOCAL_PATH := $(call my-dir)
 include $(CLEAR_VARS)
 
 # copy-n-paste from Makefile.am
-LOCAL_SRC_FILES := \
+libtnccs_la_SOURCES := \
 tnc/tnc.h tnc/tnc.c \
 tnc/imc/imc.h tnc/imc/imc_manager.h \
 tnc/imv/imv.h tnc/imv/imv_manager.h \
@@ -10,10 +10,13 @@ tnc/imv/imv_recommendations.h tnc/imv/imv_recommendations.c \
 tnc/tnccs/tnccs.h tnc/tnccs/tnccs.c \
 tnc/tnccs/tnccs_manager.h tnc/tnccs/tnccs_manager.c
 
+LOCAL_SRC_FILES := $(filter %.c,$(libtnccs_la_SOURCES))
+
 # build libtncif ---------------------------------------------------------------
 
 LOCAL_C_INCLUDES += \
 	$(libvstr_PATH) \
+	$(strongswan_PATH)/src/libtls \
 	$(strongswan_PATH)/src/libtncif \
 	$(strongswan_PATH)/src/libstrongswan
 
diff --git a/src/libtnccs/Makefile.am b/src/libtnccs/Makefile.am
index 449d32d92..c6492d8d3 100644
--- a/src/libtnccs/Makefile.am
+++ b/src/libtnccs/Makefile.am
@@ -1,5 +1,8 @@
 
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libtncif
+INCLUDES = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libtncif \
+	-I$(top_srcdir)/src/libtls
 
 ipseclib_LTLIBRARIES = libtnccs.la
 
diff --git a/src/libtnccs/Makefile.in b/src/libtnccs/Makefile.in
index 1e9f639f8..46f92341b 100644
--- a/src/libtnccs/Makefile.in
+++ b/src/libtnccs/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.11.3 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
@@ -16,6 +16,23 @@
 @SET_MAKE@
 
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -100,6 +117,11 @@ LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
 	$(LDFLAGS) -o $@
 SOURCES = $(libtnccs_la_SOURCES)
 DIST_SOURCES = $(libtnccs_la_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
@@ -116,6 +138,8 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -132,6 +156,7 @@ EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
@@ -200,8 +225,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -257,7 +280,6 @@ nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
@@ -291,7 +313,11 @@ top_srcdir = @top_srcdir@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libtncif
+INCLUDES = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libtncif \
+	-I$(top_srcdir)/src/libtls
+
 ipseclib_LTLIBRARIES = libtnccs.la
 libtnccs_la_LIBADD = $(top_builddir)/src/libtncif/libtncif.la
 libtnccs_la_SOURCES = \
@@ -339,7 +365,6 @@ $(ACLOCAL_M4):  $(am__aclocal_m4_deps)
 $(am__aclocal_m4_deps):
 install-ipseclibLTLIBRARIES: $(ipseclib_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
-	test -z "$(ipseclibdir)" || $(MKDIR_P) "$(DESTDIR)$(ipseclibdir)"
 	@list='$(ipseclib_LTLIBRARIES)'; test -n "$(ipseclibdir)" || list=; \
 	list2=; for p in $$list; do \
 	  if test -f $$p; then \
@@ -347,6 +372,8 @@ install-ipseclibLTLIBRARIES: $(ipseclib_LTLIBRARIES)
 	  else :; fi; \
 	done; \
 	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(ipseclibdir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(ipseclibdir)" || exit 1; \
 	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(ipseclibdir)'"; \
 	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(ipseclibdir)"; \
 	}
diff --git a/src/libtnccs/tnc/tnccs/tnccs.h b/src/libtnccs/tnc/tnccs/tnccs.h
index c3020d7c3..fd3e5cabb 100644
--- a/src/libtnccs/tnc/tnccs/tnccs.h
+++ b/src/libtnccs/tnc/tnccs/tnccs.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2010-2011 Andreas Steffen
+ * Copyright (C) 2010-2013 Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -26,6 +26,7 @@
 
 typedef struct tnccs_t tnccs_t;
 typedef enum tnccs_type_t tnccs_type_t;
+typedef enum tnc_ift_type_t tnc_ift_type_t;
 
 #include <tncif.h>
 #include <tncifimc.h>
@@ -34,6 +35,8 @@ typedef enum tnccs_type_t tnccs_type_t;
 #include <library.h>
 #include <plugins/plugin.h>
 
+#include <tls.h>
+
 /**
  * Type of TNC Client/Server protocol
  */
@@ -45,18 +48,76 @@ enum tnccs_type_t {
 	TNCCS_DYNAMIC
 };
 
+/**
+ * Type of TNC Transport protocol
+ */
+enum tnc_ift_type_t {
+	TNC_IFT_UNKNOWN,
+	TNC_IFT_EAP_1_0,
+	TNC_IFT_EAP_1_1,
+	TNC_IFT_EAP_2_0,
+	TNC_IFT_TLS_1_0,
+	TNC_IFT_TLS_2_0
+};
+
 /**
  * enum names for tnccs_type_t.
  */
 extern enum_name_t *tnccs_type_names;
 
+/**
+ * TNCCS public interface
+ */
+struct tnccs_t {
+
+	/**
+	 * Implements tls_t
+	 */
+	tls_t tls;
+
+	/**
+	 * Get underlying TNC IF-T transport protocol
+	 *
+	 * @return				TNC IF-T transport protocol
+	 */
+	tnc_ift_type_t (*get_transport)(tnccs_t *this);
+
+	/**
+	 * Set underlying TNC IF-T transport protocol
+	 *
+	 * @param transport		TNC IF-T transport protocol
+	 */
+	void (*set_transport)(tnccs_t *this, tnc_ift_type_t transport);
+
+	/**
+	 * Get type of TNC Client authentication
+	 *
+	 * @return				TNC Client authentication type
+	 */
+	u_int32_t (*get_auth_type)(tnccs_t *this);
+
+	/**
+	 * Set type of TNC Client authentication
+	 *
+	 * @param auth_type		TNC Client authentication type
+	 */
+	void (*set_auth_type)(tnccs_t *this, u_int32_t auth_type);
+
+};
+
 /**
  * Constructor definition for a pluggable TNCCS protocol implementation.
  *
  * @param is_server		TRUE if TNC Server, FALSE if TNC Client
+ * @param server		Server identity
+ * @param peer			Client identity
+ * @param transport		Underlying TNC IF-T transport protocol used
  * @return				implementation of the tnccs_t interface
  */
-typedef tnccs_t *(*tnccs_constructor_t)(bool is_server);
+typedef tnccs_t *(*tnccs_constructor_t)(bool is_server,
+										identification_t *server,
+										identification_t *peer,
+										tnc_ift_type_t transport);
 
 /**
  * Callback function adding a message to a TNCCS batch
diff --git a/src/libtnccs/tnc/tnccs/tnccs_manager.h b/src/libtnccs/tnc/tnccs/tnccs_manager.h
index cbf2dc0e9..4ab9d7e18 100644
--- a/src/libtnccs/tnc/tnccs/tnccs_manager.h
+++ b/src/libtnccs/tnc/tnccs/tnccs_manager.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2010 Andreas Steffen
+ * Copyright (C) 2010-2013 Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -56,10 +56,15 @@ struct tnccs_manager_t {
 	 *
 	 * @param type		  type of the TNCCS protocol
 	 * @param is_server	  TRUE if TNC Server, FALSE if TNC Client
+	 * @param server	  Server identity
+	 * @param peer		  Client identity
+	 * @param transport	  Underlying TNC IF-T transport protocol used
 	 * @return			  TNCCS protocol instance, NULL if no constructor found
 	 */
 	tnccs_t* (*create_instance)(tnccs_manager_t *this, tnccs_type_t type,
-								bool is_server);
+								bool is_server, identification_t *server,
+								identification_t *peer,
+								tnc_ift_type_t transport);
 
 	/**
 	 * Create a TNCCS connection and assign a unique connection ID as well a
diff --git a/src/libtncif/Android.mk b/src/libtncif/Android.mk
index ef406dd59..9a9bfa9ad 100644
--- a/src/libtncif/Android.mk
+++ b/src/libtncif/Android.mk
@@ -2,10 +2,13 @@ LOCAL_PATH := $(call my-dir)
 include $(CLEAR_VARS)
 
 # copy-n-paste from Makefile.am
-LOCAL_SRC_FILES := \
+libtncif_la_SOURCES := \
 tncif.h tncifimc.h tncifimv.h tncif_names.h tncif_names.c \
+tncif_identity.h tncif_identity.c \
 tncif_pa_subtypes.h tncif_pa_subtypes.c
 
+LOCAL_SRC_FILES := $(filter %.c,$(libtncif_la_SOURCES))
+
 # build libtncif ---------------------------------------------------------------
 
 LOCAL_C_INCLUDES += \
diff --git a/src/libtncif/Makefile.am b/src/libtncif/Makefile.am
index cc262ffca..6da1201f3 100644
--- a/src/libtncif/Makefile.am
+++ b/src/libtncif/Makefile.am
@@ -4,6 +4,7 @@ noinst_LTLIBRARIES = libtncif.la
 
 libtncif_la_SOURCES = \
 tncif.h tncifimc.h tncifimv.h tncif_names.h tncif_names.c \
+tncif_identity.h tncif_identity.c \
 tncif_pa_subtypes.h tncif_pa_subtypes.c
 
 EXTRA_DIST = Android.mk
diff --git a/src/libtncif/Makefile.in b/src/libtncif/Makefile.in
index e2add7ab0..d7b4660fb 100644
--- a/src/libtncif/Makefile.in
+++ b/src/libtncif/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.11.3 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
@@ -16,6 +16,23 @@
 @SET_MAKE@
 
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -54,7 +71,8 @@ CONFIG_CLEAN_FILES =
 CONFIG_CLEAN_VPATH_FILES =
 LTLIBRARIES = $(noinst_LTLIBRARIES)
 libtncif_la_LIBADD =
-am_libtncif_la_OBJECTS = tncif_names.lo tncif_pa_subtypes.lo
+am_libtncif_la_OBJECTS = tncif_names.lo tncif_identity.lo \
+	tncif_pa_subtypes.lo
 libtncif_la_OBJECTS = $(am_libtncif_la_OBJECTS)
 DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
 depcomp = $(SHELL) $(top_srcdir)/depcomp
@@ -71,6 +89,11 @@ LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
 	$(LDFLAGS) -o $@
 SOURCES = $(libtncif_la_SOURCES)
 DIST_SOURCES = $(libtncif_la_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
@@ -87,6 +110,8 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -103,6 +128,7 @@ EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
@@ -171,8 +197,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -228,7 +252,6 @@ nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
@@ -266,6 +289,7 @@ INCLUDES = -I$(top_srcdir)/src/libstrongswan
 noinst_LTLIBRARIES = libtncif.la
 libtncif_la_SOURCES = \
 tncif.h tncifimc.h tncifimv.h tncif_names.h tncif_names.c \
+tncif_identity.h tncif_identity.c \
 tncif_pa_subtypes.h tncif_pa_subtypes.c
 
 EXTRA_DIST = Android.mk
@@ -321,6 +345,7 @@ mostlyclean-compile:
 distclean-compile:
 	-rm -f *.tab.c
 
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tncif_identity.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tncif_names.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tncif_pa_subtypes.Plo@am__quote@
 
diff --git a/src/libtncif/tncif_identity.c b/src/libtncif/tncif_identity.c
new file mode 100644
index 000000000..7ee215c77
--- /dev/null
+++ b/src/libtncif/tncif_identity.c
@@ -0,0 +1,205 @@
+/*
+ * Copyright (C) 2013 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "tncif_identity.h"
+
+#include <bio/bio_writer.h>
+#include <bio/bio_reader.h>
+#include <pen/pen.h>
+#include <utils/debug.h>
+
+typedef struct private_tncif_identity_t private_tncif_identity_t;
+
+/**
+ * TNC Identity List Attribute Format (TCG TNC IF-IMV 1.4 Draft)
+ *
+ *                      1                   2                   3
+ *   0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ *  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ *  |                        Identity Count                         |
+ *  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ *  |   RESERVED    |            Identity Type Vendor ID            |
+ *  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ *  |                         Identity Type                         |
+ *  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ *  |                     Identity Value Length                     |
+ *  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ *  |                                                               |
+ *  ~                         Identity Value                        ~
+ *  |                                                               |
+ *  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ *  |   RESERVED    |            Subject Type Vendor ID             |
+ *  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ *  |                         Subject Type                          |
+ *  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ *  |   RESERVED    |        Authentication Method Vendor ID        |
+ *  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ *  |                     Authentication Method                     |
+ *  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ */
+
+/**
+ * Private data of a tncif_identity_t object.
+ *
+ */
+struct private_tncif_identity_t {
+
+	/**
+	 * Public tncif_identity_t interface.
+	 */
+	tncif_identity_t public;
+
+	/**
+	 * Identity Type
+	 */
+	pen_type_t identity_type;
+
+	/**
+	 * Identity Value
+	 */
+	chunk_t identity_value;
+
+	/**
+	 * Subject Type
+	 */
+	pen_type_t subject_type;
+
+	/**
+	 * Authentication Type
+	 */
+	pen_type_t auth_type;
+};
+
+METHOD(tncif_identity_t, get_identity_type, pen_type_t,
+	private_tncif_identity_t *this)
+{
+	return this->identity_type;
+}
+
+METHOD(tncif_identity_t, get_identity_value, chunk_t,
+	private_tncif_identity_t *this)
+{
+	return this->identity_value;
+}
+
+METHOD(tncif_identity_t, get_subject_type, pen_type_t,
+	private_tncif_identity_t *this)
+{
+	return this->subject_type;
+}
+
+METHOD(tncif_identity_t, get_auth_type, pen_type_t,
+	private_tncif_identity_t *this)
+{
+	return this->auth_type;
+}
+
+METHOD(tncif_identity_t, build, void,
+	private_tncif_identity_t *this, bio_writer_t *writer)
+{
+	writer->write_uint32(writer, this->identity_type.vendor_id);
+	writer->write_uint32(writer, this->identity_type.type);
+	writer->write_data32(writer, this->identity_value);
+	writer->write_uint32(writer, this->subject_type.vendor_id);
+	writer->write_uint32(writer, this->subject_type.type);
+	writer->write_uint32(writer, this->auth_type.vendor_id);
+	writer->write_uint32(writer, this->auth_type.type);
+}
+
+METHOD(tncif_identity_t, process, bool,
+	private_tncif_identity_t *this, bio_reader_t *reader)
+{
+	u_int8_t reserved;
+	u_int32_t vendor_id, type;
+	chunk_t identity_value;
+
+	if (reader->remaining(reader) < TNCIF_IDENTITY_MIN_SIZE)
+	{
+		return FALSE;
+	}
+	reader->read_uint8 (reader, &reserved);
+	reader->read_uint24(reader, &vendor_id);
+	reader->read_uint32(reader, &type);
+	this->identity_type = pen_type_create(vendor_id, type);
+
+	if (!reader->read_data32(reader, &identity_value) ||
+		 reader->remaining(reader) < 16)
+	{
+		return FALSE;
+	}
+	this->identity_value = chunk_clone(identity_value);
+
+	reader->read_uint8 (reader, &reserved);
+	reader->read_uint24(reader, &vendor_id);
+	reader->read_uint32(reader, &type);
+	this->subject_type = pen_type_create(vendor_id, type);		
+
+	reader->read_uint8 (reader, &reserved);
+	reader->read_uint24(reader, &vendor_id);
+	reader->read_uint32(reader, &type);
+	this->auth_type = pen_type_create(vendor_id, type);
+
+	return TRUE;
+}
+
+METHOD(tncif_identity_t, destroy, void,
+	private_tncif_identity_t *this)
+{
+	free(this->identity_value.ptr);
+	free(this);
+}
+
+
+/**
+ * See header
+ */
+tncif_identity_t *tncif_identity_create_empty(void)
+{
+	private_tncif_identity_t *this;
+
+	INIT(this,
+		.public = {
+			.get_identity_type = _get_identity_type,
+			.get_identity_value = _get_identity_value,
+			.get_subject_type = _get_subject_type,
+			.get_auth_type = _get_auth_type,
+			.build = _build,
+			.process = _process,
+			.destroy = _destroy,
+		},
+	);
+
+	return &this->public;
+}
+
+/**
+ * See header
+ */
+tncif_identity_t *tncif_identity_create(pen_type_t identity_type,
+										chunk_t identity_value,
+										pen_type_t subject_type,
+										pen_type_t auth_type)
+{
+	private_tncif_identity_t *this;
+
+	this = (private_tncif_identity_t*)tncif_identity_create_empty();
+	this->identity_type = identity_type;
+	this->identity_value = identity_value;
+	this->subject_type = subject_type;
+	this->auth_type = auth_type;
+
+	return &this->public;
+}
+
diff --git a/src/libtncif/tncif_identity.h b/src/libtncif/tncif_identity.h
new file mode 100644
index 000000000..ad872166f
--- /dev/null
+++ b/src/libtncif/tncif_identity.h
@@ -0,0 +1,112 @@
+/*
+ * Copyright (C) 2013 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup libtncif libtncif
+ *
+ * @addtogroup libtncif
+ * TNC interface definitions
+ *
+ * @defgroup tnc_identities tnc_identities
+ * @{ @ingroup libtncif
+ */
+
+#ifndef TNCIF_IDENTITY_H_
+#define TNCIF_IDENTITY_H_
+
+#include <library.h>
+
+#include <pen/pen.h>
+#include <bio/bio_reader.h>
+#include <bio/bio_writer.h>
+
+#define TNCIF_IDENTITY_MIN_SIZE			28
+
+typedef struct tncif_identity_t tncif_identity_t;
+
+/**
+ * Public interface of a TNC Identity object
+ */
+struct tncif_identity_t {
+
+	/**
+	 * Get the TNC Identity Type
+	 *
+	 * @return					TNC Identity Type
+	 */
+	pen_type_t (*get_identity_type)(tncif_identity_t *this);
+
+	/**
+	 * Get the TNC Identity Value
+	 *
+	 * @return					TNC Identity Value
+	 */
+	chunk_t (*get_identity_value)(tncif_identity_t *this);
+
+	/**
+	 * Get the TNC Subject Type
+	 *
+	 * @return					TNC Subject Type
+	 */
+	pen_type_t (*get_subject_type)(tncif_identity_t *this);
+
+	/**
+	 * Get the TNC Authentication Type
+	 *
+	 * @return					TNC Authentication Type
+	 */
+	pen_type_t (*get_auth_type)(tncif_identity_t *this);
+
+	/**
+	 * Build the IF-IMV TNC Identity attribute encoding
+	 *
+	 * @param writer			writer to write encoded data to
+	 */
+	void (*build)(tncif_identity_t *this, bio_writer_t *writer);
+
+	/**
+	 * Process the IF-IMV TNC Identity attribute encoding
+	 *
+	 * @param reader			reader to read encoded data from
+	 * @return					TRUE if successful
+	 */
+	bool (*process)(tncif_identity_t *this, bio_reader_t *reader);
+
+	/**
+	 * Destroys a tncif_identity_t object.
+	 */
+	void (*destroy)(tncif_identity_t *this);
+
+};
+
+/**
+ * Create an empty TNC Identity object
+ */
+tncif_identity_t* tncif_identity_create_empty(void);
+
+/**
+ * Create an TNC Identity object from its components
+ *
+ * @param identity_type			TNC Identity Type
+ * @param identity_value		TNC Identity Value (not cloned by constructor)
+ * @param subject_type			TNC Subject Type
+ * @param auth_type				TNC Authentication Type
+ */
+tncif_identity_t* tncif_identity_create(pen_type_t identity_type,
+										chunk_t identity_value,
+										pen_type_t subject_type,
+										pen_type_t auth_type);
+
+#endif /** TNCIF_IDENTITY_H_ @}*/
diff --git a/src/libtncif/tncif_names.c b/src/libtncif/tncif_names.c
index c108776ec..ac948c8ba 100644
--- a/src/libtncif/tncif_names.c
+++ b/src/libtncif/tncif_names.c
@@ -45,3 +45,20 @@ ENUM(TNC_IMV_Evaluation_Result_names,
 	"error",
 	"don't know"
 );
+
+ENUM(TNC_Subject_names,
+	TNC_SUBJECT_UNKNOWN,
+	TNC_SUBJECT_USER,
+	"unknown",
+	"machine",
+	"user"
+);
+
+ENUM(TNC_Authentication_names,
+	TNC_AUTH_UNKNOWN,
+	TNC_AUTH_SIM,
+	"unknown method",
+	"certificate",
+	"password",
+	"SIM card"
+);
diff --git a/src/libtncif/tncif_names.h b/src/libtncif/tncif_names.h
index 9b50a34e9..75458f960 100644
--- a/src/libtncif/tncif_names.h
+++ b/src/libtncif/tncif_names.h
@@ -30,5 +30,7 @@
 extern enum_name_t *TNC_Connection_State_names;
 extern enum_name_t *TNC_IMV_Action_Recommendation_names;
 extern enum_name_t *TNC_IMV_Evaluation_Result_names;
+extern enum_name_t *TNC_Subject_names;
+extern enum_name_t *TNC_Authentication_names;
 
 #endif /** TNCIF_NAME_H_ @}*/
diff --git a/src/libtncif/tncif_pa_subtypes.c b/src/libtncif/tncif_pa_subtypes.c
index 135be3c31..bf1e999b3 100644
--- a/src/libtncif/tncif_pa_subtypes.c
+++ b/src/libtncif/tncif_pa_subtypes.c
@@ -33,11 +33,13 @@ ENUM_NEXT(pa_subtype_ietf_names, PA_SUBTYPE_IETF_ANY, PA_SUBTYPE_IETF_ANY,
 );
 ENUM_END(pa_subtype_ietf_names, PA_SUBTYPE_IETF_ANY);
 
-ENUM_BEGIN(pa_subtype_tcg_names, PA_SUBTYPE_TCG_PTS, PA_SUBTYPE_TCG_PTS,
-	"PTS"
+ENUM_BEGIN(pa_subtype_tcg_names, PA_SUBTYPE_TCG_PTS, PA_SUBTYPE_TCG_SWID,
+	"PTS",
+	"SCAP",
+	"SWID"
 );
 ENUM_NEXT(pa_subtype_tcg_names, PA_SUBTYPE_TCG_ANY, PA_SUBTYPE_TCG_ANY,
-								PA_SUBTYPE_TCG_PTS,
+								PA_SUBTYPE_TCG_SWID,
 	"ANY"
 );
 ENUM_END(pa_subtype_tcg_names, PA_SUBTYPE_TCG_ANY);
@@ -61,11 +63,12 @@ ENUM_NEXT(pa_subtype_fhh_names, PA_SUBTYPE_FHH_ANY, PA_SUBTYPE_FHH_ANY,
 );
 ENUM_END(pa_subtype_fhh_names, PA_SUBTYPE_FHH_ANY);
 
-ENUM_BEGIN(pa_subtype_ita_names, PA_SUBTYPE_ITA_TEST, PA_SUBTYPE_ITA_TEST,
-	"Test"
+ENUM_BEGIN(pa_subtype_ita_names, PA_SUBTYPE_ITA_TEST, PA_SUBTYPE_ITA_ECHO,
+	"Test",
+	"Echo"
 );
 ENUM_NEXT(pa_subtype_ita_names, PA_SUBTYPE_ITA_ANY, PA_SUBTYPE_ITA_ANY,
-								PA_SUBTYPE_ITA_TEST,
+								PA_SUBTYPE_ITA_ECHO,
 	"ANY"
 );
 ENUM_END(pa_subtype_ita_names, PA_SUBTYPE_ITA_ANY);
diff --git a/src/libtncif/tncif_pa_subtypes.h b/src/libtncif/tncif_pa_subtypes.h
index 2dc4c9220..0855d1df3 100644
--- a/src/libtncif/tncif_pa_subtypes.h
+++ b/src/libtncif/tncif_pa_subtypes.h
@@ -54,6 +54,8 @@ extern enum_name_t *pa_subtype_ietf_names;
  */
  enum pa_subtype_tcg_t {
 	PA_SUBTYPE_TCG_PTS =				0x01,
+	PA_SUBTYPE_TCG_SCAP =				0x02,
+	PA_SUBTYPE_TCG_SWID =				0x03,
 	PA_SUBTYPE_TCG_ANY =				0xff
 };
 
@@ -84,6 +86,7 @@ extern enum_name_t *pa_subtype_fhh_names;
  */
  enum pa_subtype_ita_t {
 	PA_SUBTYPE_ITA_TEST =				0x01,
+	PA_SUBTYPE_ITA_ECHO =				0x02,
 	PA_SUBTYPE_ITA_ANY =				0xff
 };
 
diff --git a/src/libtncif/tncifimv.h b/src/libtncif/tncifimv.h
index 3c9db0055..945012dc0 100644
--- a/src/libtncif/tncifimv.h
+++ b/src/libtncif/tncifimv.h
@@ -209,6 +209,30 @@ typedef TNC_Result (*TNC_IMV_ProvideBindFunctionPointer)(
 #define TNC_ATTRIBUTEID_SOH ((TNC_AttributeID) 0x00559706)
 #define TNC_ATTRIBUTEID_SSOH ((TNC_AttributeID) 0x00559707)
 #define TNC_ATTRIBUTEID_PRIMARY_IMV_ID ((TNC_AttributeID) 0x00559710)
+#define TNC_ATTRIBUTEID_AR_IDENTITIES ((TNC_AttributeID) 0x00559712)
+
+/* TNC Identity Types */
+
+#define TNC_ID_UNKNOWN 0
+#define TNC_ID_IPV4_ADDR 1
+#define TNC_ID_IPV6_ADDR 2
+#define TNC_ID_FQDN 3
+#define TNC_ID_RFC822_ADDR 4
+#define TNC_ID_USERNAME 5
+#define TNC_ID_ASN1_DN 6
+
+/* TNC Subject Types */
+
+#define TNC_SUBJECT_UNKNOWN 0
+#define TNC_SUBJECT_MACHINE 1
+#define TNC_SUBJECT_USER 2
+
+/* TNC Authentication Types */
+
+#define TNC_AUTH_UNKNOWN 0
+#define TNC_AUTH_CERT 1
+#define TNC_AUTH_PASSWORD 2
+#define TNC_AUTH_SIM 3
 
 /* IMV Functions */
 
diff --git a/src/manager/Makefile.in b/src/manager/Makefile.in
index 7aeed94f8..4ed11faca 100644
--- a/src/manager/Makefile.in
+++ b/src/manager/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.11.3 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
@@ -17,6 +17,23 @@
 
 
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -88,6 +105,11 @@ LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
 	$(LDFLAGS) -o $@
 SOURCES = $(manager_fcgi_SOURCES)
 DIST_SOURCES = $(manager_fcgi_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
 am__vpath_adj = case $$p in \
     $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
@@ -137,6 +159,8 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -153,6 +177,7 @@ EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
@@ -221,8 +246,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -278,7 +301,6 @@ nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
@@ -398,8 +420,11 @@ $(ACLOCAL_M4):  $(am__aclocal_m4_deps)
 $(am__aclocal_m4_deps):
 install-managerPROGRAMS: $(manager_PROGRAMS)
 	@$(NORMAL_INSTALL)
-	test -z "$(managerdir)" || $(MKDIR_P) "$(DESTDIR)$(managerdir)"
 	@list='$(manager_PROGRAMS)'; test -n "$(managerdir)" || list=; \
+	if test -n "$$list"; then \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(managerdir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(managerdir)" || exit 1; \
+	fi; \
 	for p in $$list; do echo "$$p $$p"; done | \
 	sed 's/$(EXEEXT)$$//' | \
 	while read p p1; do if test -f $$p || test -f $$p1; \
@@ -558,8 +583,11 @@ clean-libtool:
 	-rm -rf .libs _libs
 install-manager_templatesDATA: $(manager_templates_DATA)
 	@$(NORMAL_INSTALL)
-	test -z "$(manager_templatesdir)" || $(MKDIR_P) "$(DESTDIR)$(manager_templatesdir)"
 	@list='$(manager_templates_DATA)'; test -n "$(manager_templatesdir)" || list=; \
+	if test -n "$$list"; then \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(manager_templatesdir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(manager_templatesdir)" || exit 1; \
+	fi; \
 	for p in $$list; do \
 	  if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \
 	  echo "$$d$$p"; \
@@ -576,8 +604,11 @@ uninstall-manager_templatesDATA:
 	dir='$(DESTDIR)$(manager_templatesdir)'; $(am__uninstall_files_from_dir)
 install-manager_templates_authDATA: $(manager_templates_auth_DATA)
 	@$(NORMAL_INSTALL)
-	test -z "$(manager_templates_authdir)" || $(MKDIR_P) "$(DESTDIR)$(manager_templates_authdir)"
 	@list='$(manager_templates_auth_DATA)'; test -n "$(manager_templates_authdir)" || list=; \
+	if test -n "$$list"; then \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(manager_templates_authdir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(manager_templates_authdir)" || exit 1; \
+	fi; \
 	for p in $$list; do \
 	  if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \
 	  echo "$$d$$p"; \
@@ -594,8 +625,11 @@ uninstall-manager_templates_authDATA:
 	dir='$(DESTDIR)$(manager_templates_authdir)'; $(am__uninstall_files_from_dir)
 install-manager_templates_configDATA: $(manager_templates_config_DATA)
 	@$(NORMAL_INSTALL)
-	test -z "$(manager_templates_configdir)" || $(MKDIR_P) "$(DESTDIR)$(manager_templates_configdir)"
 	@list='$(manager_templates_config_DATA)'; test -n "$(manager_templates_configdir)" || list=; \
+	if test -n "$$list"; then \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(manager_templates_configdir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(manager_templates_configdir)" || exit 1; \
+	fi; \
 	for p in $$list; do \
 	  if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \
 	  echo "$$d$$p"; \
@@ -612,8 +646,11 @@ uninstall-manager_templates_configDATA:
 	dir='$(DESTDIR)$(manager_templates_configdir)'; $(am__uninstall_files_from_dir)
 install-manager_templates_controlDATA: $(manager_templates_control_DATA)
 	@$(NORMAL_INSTALL)
-	test -z "$(manager_templates_controldir)" || $(MKDIR_P) "$(DESTDIR)$(manager_templates_controldir)"
 	@list='$(manager_templates_control_DATA)'; test -n "$(manager_templates_controldir)" || list=; \
+	if test -n "$$list"; then \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(manager_templates_controldir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(manager_templates_controldir)" || exit 1; \
+	fi; \
 	for p in $$list; do \
 	  if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \
 	  echo "$$d$$p"; \
@@ -630,8 +667,11 @@ uninstall-manager_templates_controlDATA:
 	dir='$(DESTDIR)$(manager_templates_controldir)'; $(am__uninstall_files_from_dir)
 install-manager_templates_gatewayDATA: $(manager_templates_gateway_DATA)
 	@$(NORMAL_INSTALL)
-	test -z "$(manager_templates_gatewaydir)" || $(MKDIR_P) "$(DESTDIR)$(manager_templates_gatewaydir)"
 	@list='$(manager_templates_gateway_DATA)'; test -n "$(manager_templates_gatewaydir)" || list=; \
+	if test -n "$$list"; then \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(manager_templates_gatewaydir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(manager_templates_gatewaydir)" || exit 1; \
+	fi; \
 	for p in $$list; do \
 	  if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \
 	  echo "$$d$$p"; \
@@ -648,8 +688,11 @@ uninstall-manager_templates_gatewayDATA:
 	dir='$(DESTDIR)$(manager_templates_gatewaydir)'; $(am__uninstall_files_from_dir)
 install-manager_templates_ikesaDATA: $(manager_templates_ikesa_DATA)
 	@$(NORMAL_INSTALL)
-	test -z "$(manager_templates_ikesadir)" || $(MKDIR_P) "$(DESTDIR)$(manager_templates_ikesadir)"
 	@list='$(manager_templates_ikesa_DATA)'; test -n "$(manager_templates_ikesadir)" || list=; \
+	if test -n "$$list"; then \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(manager_templates_ikesadir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(manager_templates_ikesadir)" || exit 1; \
+	fi; \
 	for p in $$list; do \
 	  if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \
 	  echo "$$d$$p"; \
@@ -666,8 +709,11 @@ uninstall-manager_templates_ikesaDATA:
 	dir='$(DESTDIR)$(manager_templates_ikesadir)'; $(am__uninstall_files_from_dir)
 install-manager_templates_staticDATA: $(manager_templates_static_DATA)
 	@$(NORMAL_INSTALL)
-	test -z "$(manager_templates_staticdir)" || $(MKDIR_P) "$(DESTDIR)$(manager_templates_staticdir)"
 	@list='$(manager_templates_static_DATA)'; test -n "$(manager_templates_staticdir)" || list=; \
+	if test -n "$$list"; then \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(manager_templates_staticdir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(manager_templates_staticdir)" || exit 1; \
+	fi; \
 	for p in $$list; do \
 	  if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \
 	  echo "$$d$$p"; \
diff --git a/src/manager/controller/auth_controller.h b/src/manager/controller/auth_controller.h
index 41e669fd0..8489d9dd3 100644
--- a/src/manager/controller/auth_controller.h
+++ b/src/manager/controller/auth_controller.h
@@ -15,7 +15,7 @@
 
 /**
  * @defgroup auth_controller auth_controller
- * @{ @ingroup controller
+ * @{ @ingroup manager_controller
  */
 
 #ifndef AUTH_CONTROLLER_H_
diff --git a/src/manager/controller/config_controller.h b/src/manager/controller/config_controller.h
index 07cafd4ff..a84678c9a 100644
--- a/src/manager/controller/config_controller.h
+++ b/src/manager/controller/config_controller.h
@@ -15,7 +15,7 @@
 
 /**
  * @defgroup config_controller config_controller
- * @{ @ingroup controller
+ * @{ @ingroup manager_controller
  */
 
 #ifndef CONFIG_CONTROLLER_H_
diff --git a/src/manager/controller/control_controller.h b/src/manager/controller/control_controller.h
index c9bc1e4b3..22e3a7022 100644
--- a/src/manager/controller/control_controller.h
+++ b/src/manager/controller/control_controller.h
@@ -15,7 +15,7 @@
 
 /**
  * @defgroup control_controller control_controller
- * @{ @ingroup controller
+ * @{ @ingroup manager_controller
  */
 
 #ifndef CONTROL_CONTROLLER_H_
diff --git a/src/manager/controller/gateway_controller.h b/src/manager/controller/gateway_controller.h
index 7d77bdccb..a0999295e 100644
--- a/src/manager/controller/gateway_controller.h
+++ b/src/manager/controller/gateway_controller.h
@@ -15,7 +15,7 @@
 
 /**
  * @defgroup gateway_controller gateway_controller
- * @{ @ingroup controller
+ * @{ @ingroup manager_controller
  */
 
 #ifndef GATEWAY_CONTROLLER_H_
diff --git a/src/manager/controller/ikesa_controller.h b/src/manager/controller/ikesa_controller.h
index 3f6779629..72f8242f1 100644
--- a/src/manager/controller/ikesa_controller.h
+++ b/src/manager/controller/ikesa_controller.h
@@ -15,7 +15,7 @@
 
 /**
  * @defgroup ikesa_controller ikesa_controller
- * @{ @ingroup controller
+ * @{ @ingroup manager_controller
  */
 
 #ifndef IKESA_CONTROLLER_H_
diff --git a/src/manager/manager.h b/src/manager/manager.h
index f7620833a..a72801f1b 100644
--- a/src/manager/manager.h
+++ b/src/manager/manager.h
@@ -16,7 +16,7 @@
 /**
  * @defgroup manager manager
  *
- * @defgroup controller controller
+ * @defgroup manager_controller controller
  * @ingroup manager
  *
  * @defgroup manager_i manager
diff --git a/src/medsrv/Makefile.in b/src/medsrv/Makefile.in
index de602300a..829915407 100644
--- a/src/medsrv/Makefile.in
+++ b/src/medsrv/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.11.3 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
@@ -17,6 +17,23 @@
 
 
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -82,6 +99,11 @@ LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
 	$(LDFLAGS) -o $@
 SOURCES = $(medsrv_fcgi_SOURCES)
 DIST_SOURCES = $(medsrv_fcgi_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
 am__vpath_adj = case $$p in \
     $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
@@ -127,6 +149,8 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -143,6 +167,7 @@ EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
@@ -211,8 +236,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -268,7 +291,6 @@ nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
@@ -375,8 +397,11 @@ $(ACLOCAL_M4):  $(am__aclocal_m4_deps)
 $(am__aclocal_m4_deps):
 install-medsrvPROGRAMS: $(medsrv_PROGRAMS)
 	@$(NORMAL_INSTALL)
-	test -z "$(medsrvdir)" || $(MKDIR_P) "$(DESTDIR)$(medsrvdir)"
 	@list='$(medsrv_PROGRAMS)'; test -n "$(medsrvdir)" || list=; \
+	if test -n "$$list"; then \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(medsrvdir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(medsrvdir)" || exit 1; \
+	fi; \
 	for p in $$list; do echo "$$p $$p"; done | \
 	sed 's/$(EXEEXT)$$//' | \
 	while read p p1; do if test -f $$p || test -f $$p1; \
@@ -502,8 +527,11 @@ clean-libtool:
 	-rm -rf .libs _libs
 install-medsrv_templatesDATA: $(medsrv_templates_DATA)
 	@$(NORMAL_INSTALL)
-	test -z "$(medsrv_templatesdir)" || $(MKDIR_P) "$(DESTDIR)$(medsrv_templatesdir)"
 	@list='$(medsrv_templates_DATA)'; test -n "$(medsrv_templatesdir)" || list=; \
+	if test -n "$$list"; then \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(medsrv_templatesdir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(medsrv_templatesdir)" || exit 1; \
+	fi; \
 	for p in $$list; do \
 	  if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \
 	  echo "$$d$$p"; \
@@ -520,8 +548,11 @@ uninstall-medsrv_templatesDATA:
 	dir='$(DESTDIR)$(medsrv_templatesdir)'; $(am__uninstall_files_from_dir)
 install-medsrv_templates_peerDATA: $(medsrv_templates_peer_DATA)
 	@$(NORMAL_INSTALL)
-	test -z "$(medsrv_templates_peerdir)" || $(MKDIR_P) "$(DESTDIR)$(medsrv_templates_peerdir)"
 	@list='$(medsrv_templates_peer_DATA)'; test -n "$(medsrv_templates_peerdir)" || list=; \
+	if test -n "$$list"; then \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(medsrv_templates_peerdir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(medsrv_templates_peerdir)" || exit 1; \
+	fi; \
 	for p in $$list; do \
 	  if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \
 	  echo "$$d$$p"; \
@@ -538,8 +569,11 @@ uninstall-medsrv_templates_peerDATA:
 	dir='$(DESTDIR)$(medsrv_templates_peerdir)'; $(am__uninstall_files_from_dir)
 install-medsrv_templates_staticDATA: $(medsrv_templates_static_DATA)
 	@$(NORMAL_INSTALL)
-	test -z "$(medsrv_templates_staticdir)" || $(MKDIR_P) "$(DESTDIR)$(medsrv_templates_staticdir)"
 	@list='$(medsrv_templates_static_DATA)'; test -n "$(medsrv_templates_staticdir)" || list=; \
+	if test -n "$$list"; then \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(medsrv_templates_staticdir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(medsrv_templates_staticdir)" || exit 1; \
+	fi; \
 	for p in $$list; do \
 	  if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \
 	  echo "$$d$$p"; \
@@ -556,8 +590,11 @@ uninstall-medsrv_templates_staticDATA:
 	dir='$(DESTDIR)$(medsrv_templates_staticdir)'; $(am__uninstall_files_from_dir)
 install-medsrv_templates_userDATA: $(medsrv_templates_user_DATA)
 	@$(NORMAL_INSTALL)
-	test -z "$(medsrv_templates_userdir)" || $(MKDIR_P) "$(DESTDIR)$(medsrv_templates_userdir)"
 	@list='$(medsrv_templates_user_DATA)'; test -n "$(medsrv_templates_userdir)" || list=; \
+	if test -n "$$list"; then \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(medsrv_templates_userdir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(medsrv_templates_userdir)" || exit 1; \
+	fi; \
 	for p in $$list; do \
 	  if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \
 	  echo "$$d$$p"; \
diff --git a/src/medsrv/controller/peer_controller.h b/src/medsrv/controller/peer_controller.h
index f25c30281..b5a5e0bb8 100644
--- a/src/medsrv/controller/peer_controller.h
+++ b/src/medsrv/controller/peer_controller.h
@@ -16,7 +16,7 @@
 
 /**
  * @defgroup peer_controller_server peer_controller
- * @{ @ingroup controller_server
+ * @{ @ingroup medsrv
  */
 
 #ifndef PEER_CONTROLLER_H_
@@ -45,4 +45,4 @@ struct peer_controller_t {
  */
 controller_t *peer_controller_create(user_t *user, database_t *db);
 
-#endif /* PEER_CONTROLLER_H_ @} */
+#endif /** PEER_CONTROLLER_H_ @}*/
diff --git a/src/medsrv/controller/user_controller.h b/src/medsrv/controller/user_controller.h
index 9d23795d7..540dc74a2 100644
--- a/src/medsrv/controller/user_controller.h
+++ b/src/medsrv/controller/user_controller.h
@@ -16,7 +16,7 @@
 
 /**
  * @defgroup user_controller_server user_controller
- * @{ @ingroup controller_server
+ * @{ @ingroup medsrv
  */
 
 #ifndef USER_CONTROLLER_H_
@@ -45,4 +45,4 @@ struct user_controller_t {
  */
 controller_t *user_controller_create(user_t *user, database_t *db);
 
-#endif /* USER_CONTROLLER_H_ @} */
+#endif /** USER_CONTROLLER_H_ @}*/
diff --git a/src/medsrv/filter/auth_filter.h b/src/medsrv/filter/auth_filter.h
index c46de40a5..beae27965 100644
--- a/src/medsrv/filter/auth_filter.h
+++ b/src/medsrv/filter/auth_filter.h
@@ -16,7 +16,7 @@
 
 /**
  * @defgroup auth_filter_server auth_filter
- * @{ @ingroup filter_server
+ * @{ @ingroup medsrv
  */
 
 #ifndef AUTH_FILTER_H_
@@ -45,4 +45,4 @@ struct auth_filter_t {
  */
 filter_t *auth_filter_create(user_t *user, database_t *db);
 
-#endif /* AUTH_FILTER_H_  @}*/
+#endif /** AUTH_FILTER_H_  @}*/
diff --git a/src/medsrv/user.h b/src/medsrv/user.h
index f14650f03..beeed6ec1 100644
--- a/src/medsrv/user.h
+++ b/src/medsrv/user.h
@@ -13,6 +13,13 @@
  * for more details.
  */
 
+/**
+ * @defgroup medsrv medsrv
+ *
+ * @defgroup user user
+ * @{ @ingroup medsrv
+ */
+
 #ifndef USER_H_
 #define USER_H_
 
@@ -47,4 +54,4 @@ struct user_t {
  */
 user_t *user_create(void *param);
 
-#endif /* USER_H_ @} */
+#endif /** USER_H_ @} */
diff --git a/src/openac/Makefile.in b/src/openac/Makefile.in
index 0315adf08..fbd973876 100644
--- a/src/openac/Makefile.in
+++ b/src/openac/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.11.3 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
@@ -16,6 +16,23 @@
 @SET_MAKE@
 
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -75,6 +92,11 @@ LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
 	$(LDFLAGS) -o $@
 SOURCES = $(openac_SOURCES)
 DIST_SOURCES = $(openac_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
 am__vpath_adj = case $$p in \
     $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
@@ -121,6 +143,8 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -137,6 +161,7 @@ EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
@@ -205,8 +230,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -262,7 +285,6 @@ nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
@@ -340,8 +362,11 @@ $(ACLOCAL_M4):  $(am__aclocal_m4_deps)
 $(am__aclocal_m4_deps):
 install-ipsecPROGRAMS: $(ipsec_PROGRAMS)
 	@$(NORMAL_INSTALL)
-	test -z "$(ipsecdir)" || $(MKDIR_P) "$(DESTDIR)$(ipsecdir)"
 	@list='$(ipsec_PROGRAMS)'; test -n "$(ipsecdir)" || list=; \
+	if test -n "$$list"; then \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(ipsecdir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(ipsecdir)" || exit 1; \
+	fi; \
 	for p in $$list; do echo "$$p $$p"; done | \
 	sed 's/$(EXEEXT)$$//' | \
 	while read p p1; do if test -f $$p || test -f $$p1; \
@@ -421,11 +446,18 @@ clean-libtool:
 	-rm -rf .libs _libs
 install-man8: $(dist_man_MANS)
 	@$(NORMAL_INSTALL)
-	test -z "$(man8dir)" || $(MKDIR_P) "$(DESTDIR)$(man8dir)"
-	@list=''; test -n "$(man8dir)" || exit 0; \
-	{ for i in $$list; do echo "$$i"; done; \
-	l2='$(dist_man_MANS)'; for i in $$l2; do echo "$$i"; done | \
-	  sed -n '/\.8[a-z]*$$/p'; \
+	@list1=''; \
+	list2='$(dist_man_MANS)'; \
+	test -n "$(man8dir)" \
+	  && test -n "`echo $$list1$$list2`" \
+	  || exit 0; \
+	echo " $(MKDIR_P) '$(DESTDIR)$(man8dir)'"; \
+	$(MKDIR_P) "$(DESTDIR)$(man8dir)" || exit 1; \
+	{ for i in $$list1; do echo "$$i"; done;  \
+	if test -n "$$list2"; then \
+	  for i in $$list2; do echo "$$i"; done \
+	    | sed -n '/\.8[a-z]*$$/p'; \
+	fi; \
 	} | while read p; do \
 	  if test -f $$p; then d=; else d="$(srcdir)/"; fi; \
 	  echo "$$d$$p"; echo "$$p"; \
diff --git a/src/pki/Makefile.in b/src/pki/Makefile.in
index bc38e96c0..b4cb38592 100644
--- a/src/pki/Makefile.in
+++ b/src/pki/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.11.3 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
@@ -16,6 +16,23 @@
 @SET_MAKE@
 
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -76,6 +93,11 @@ LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
 	$(LDFLAGS) -o $@
 SOURCES = $(pki_SOURCES)
 DIST_SOURCES = $(pki_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
@@ -92,6 +114,8 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -108,6 +132,7 @@ EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
@@ -176,8 +201,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -233,7 +256,6 @@ nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
@@ -320,8 +342,11 @@ $(ACLOCAL_M4):  $(am__aclocal_m4_deps)
 $(am__aclocal_m4_deps):
 install-ipsecPROGRAMS: $(ipsec_PROGRAMS)
 	@$(NORMAL_INSTALL)
-	test -z "$(ipsecdir)" || $(MKDIR_P) "$(DESTDIR)$(ipsecdir)"
 	@list='$(ipsec_PROGRAMS)'; test -n "$(ipsecdir)" || list=; \
+	if test -n "$$list"; then \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(ipsecdir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(ipsecdir)" || exit 1; \
+	fi; \
 	for p in $$list; do echo "$$p $$p"; done | \
 	sed 's/$(EXEEXT)$$//' | \
 	while read p p1; do if test -f $$p || test -f $$p1; \
diff --git a/src/pki/command.h b/src/pki/command.h
index a6f8bc758..1a884fb73 100644
--- a/src/pki/command.h
+++ b/src/pki/command.h
@@ -92,4 +92,4 @@ int command_dispatch(int argc, char *argv[]);
  */
 int command_usage(char *error);
 
-#endif /* COMMAND_H_ @}*/
+#endif /** COMMAND_H_ @}*/
diff --git a/src/pki/commands/pub.c b/src/pki/commands/pub.c
index 30078a8fa..9912061f4 100644
--- a/src/pki/commands/pub.c
+++ b/src/pki/commands/pub.c
@@ -158,7 +158,7 @@ static void __attribute__ ((constructor))reg()
 		pub, 'p', "pub",
 		"extract the public key from a private key/certificate",
 		{"[--in file|--keyid hex] [--type rsa|ecdsa|pkcs10|x509]",
-		 "[--outform der|pem|pgp]"},
+		 "[--outform der|pem|pgp|dnskey]"},
 		{
 			{"help",	'h', 0, "show usage information"},
 			{"in",		'i', 1, "input file, default: stdin"},
diff --git a/src/pki/pki.c b/src/pki/pki.c
index 3f77c5e8d..429517b92 100644
--- a/src/pki/pki.c
+++ b/src/pki/pki.c
@@ -76,6 +76,17 @@ bool get_form(char *form, cred_encoding_type_t *enc, credential_type_t type)
 				return FALSE;
 		}
 	}
+	else if (streq(form, "dnskey"))
+	{
+		switch (type)
+		{
+			case CRED_PUBLIC_KEY:
+				*enc =PUBKEY_DNSKEY;
+				return TRUE;
+			default:
+				return FALSE;
+		}
+	}
 	return FALSE;
 }
 
diff --git a/src/pki/pki.h b/src/pki/pki.h
index f72b1804c..09c50c6c2 100644
--- a/src/pki/pki.h
+++ b/src/pki/pki.h
@@ -15,7 +15,9 @@
 
 /**
  * @defgroup pki pki
- * @{ @ingroup pki
+ *
+ * @addtogroup pki
+ * @{
  */
 
 #ifndef PKI_H_
diff --git a/src/scepclient/Makefile.in b/src/scepclient/Makefile.in
index e67c8ebc3..7b11ae171 100644
--- a/src/scepclient/Makefile.in
+++ b/src/scepclient/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.11.3 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
@@ -16,6 +16,23 @@
 @SET_MAKE@
 
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -75,6 +92,11 @@ LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
 	$(LDFLAGS) -o $@
 SOURCES = $(scepclient_SOURCES)
 DIST_SOURCES = $(scepclient_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
 am__vpath_adj = case $$p in \
     $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
@@ -121,6 +143,8 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -137,6 +161,7 @@ EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
@@ -205,8 +230,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -262,7 +285,6 @@ nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
@@ -347,8 +369,11 @@ $(ACLOCAL_M4):  $(am__aclocal_m4_deps)
 $(am__aclocal_m4_deps):
 install-ipsecPROGRAMS: $(ipsec_PROGRAMS)
 	@$(NORMAL_INSTALL)
-	test -z "$(ipsecdir)" || $(MKDIR_P) "$(DESTDIR)$(ipsecdir)"
 	@list='$(ipsec_PROGRAMS)'; test -n "$(ipsecdir)" || list=; \
+	if test -n "$$list"; then \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(ipsecdir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(ipsecdir)" || exit 1; \
+	fi; \
 	for p in $$list; do echo "$$p $$p"; done | \
 	sed 's/$(EXEEXT)$$//' | \
 	while read p p1; do if test -f $$p || test -f $$p1; \
@@ -429,11 +454,18 @@ clean-libtool:
 	-rm -rf .libs _libs
 install-man8: $(dist_man_MANS)
 	@$(NORMAL_INSTALL)
-	test -z "$(man8dir)" || $(MKDIR_P) "$(DESTDIR)$(man8dir)"
-	@list=''; test -n "$(man8dir)" || exit 0; \
-	{ for i in $$list; do echo "$$i"; done; \
-	l2='$(dist_man_MANS)'; for i in $$l2; do echo "$$i"; done | \
-	  sed -n '/\.8[a-z]*$$/p'; \
+	@list1=''; \
+	list2='$(dist_man_MANS)'; \
+	test -n "$(man8dir)" \
+	  && test -n "`echo $$list1$$list2`" \
+	  || exit 0; \
+	echo " $(MKDIR_P) '$(DESTDIR)$(man8dir)'"; \
+	$(MKDIR_P) "$(DESTDIR)$(man8dir)" || exit 1; \
+	{ for i in $$list1; do echo "$$i"; done;  \
+	if test -n "$$list2"; then \
+	  for i in $$list2; do echo "$$i"; done \
+	    | sed -n '/\.8[a-z]*$$/p'; \
+	fi; \
 	} | while read p; do \
 	  if test -f $$p; then d=; else d="$(srcdir)/"; fi; \
 	  echo "$$d$$p"; echo "$$p"; \
diff --git a/src/scepclient/scep.c b/src/scepclient/scep.c
index f2090274c..3fdcd6c28 100644
--- a/src/scepclient/scep.c
+++ b/src/scepclient/scep.c
@@ -151,8 +151,7 @@ void scep_generate_transaction_id(public_key_t *key, chunk_t *transID,
 	chunk_t digest = chunk_alloca(HASH_SIZE_MD5);
 	chunk_t keyEncoding = chunk_empty, keyInfo;
 	hasher_t *hasher;
-	bool msb_set;
-	u_char *pos;
+	int zeros = 0, msb_set = 0;
 
 	key->get_encoding(key, PUBKEY_ASN1_DER, &keyEncoding);
 
@@ -168,20 +167,27 @@ void scep_generate_transaction_id(public_key_t *key, chunk_t *transID,
 	DESTROY_IF(hasher);
 	free(keyInfo.ptr);
 
-	/* is the most significant bit of the digest set? */
-	msb_set = (*digest.ptr & 0x80) == 0x80;
-
-	/* allocate space for the serialNumber */
-	serialNumber->len = msb_set + digest.len;
-	serialNumber->ptr = malloc(serialNumber->len);
-
-	/* the serial number as the two's complement of the digest */
-	pos = serialNumber->ptr;
+	/* the serialNumber should be valid ASN1 integer content:
+	 * remove leading zeros, add one if MSB is set (two's complement) */
+	while (zeros < digest.len)
+	{
+		if (digest.ptr[zeros])
+		{
+			if (digest.ptr[zeros] & 0x80)
+			{
+				msb_set = 1;
+			}
+			break;
+		}
+		zeros++;
+	}
+	*serialNumber = chunk_alloc(digest.len - zeros + msb_set);
 	if (msb_set)
 	{
-		*pos++ = 0x00;
+		serialNumber->ptr[0] = 0x00;
 	}
-	memcpy(pos, digest.ptr, digest.len);
+	memcpy(serialNumber->ptr + msb_set, digest.ptr + zeros,
+		   digest.len - zeros);
 
 	/* the transaction id is the serial number in hex format */
 	*transID = chunk_to_hex(digest, NULL, TRUE);
@@ -333,7 +339,7 @@ static char* escape_http_request(chunk_t req)
  * Send a SCEP request via HTTP and wait for a response
  */
 bool scep_http_request(const char *url, chunk_t msg, scep_op_t op,
-					   bool http_get_request, chunk_t *response)
+					   bool http_get_request, u_int timeout, chunk_t *response)
 {
 	int len;
 	status_t status;
@@ -361,6 +367,7 @@ bool scep_http_request(const char *url, chunk_t msg, scep_op_t op,
 
 			status = lib->fetcher->fetch(lib->fetcher, complete_url, response,
 										 FETCH_HTTP_VERSION_1_0,
+										 FETCH_TIMEOUT, timeout,
 										 FETCH_REQUEST_HEADER, "Pragma:",
 										 FETCH_REQUEST_HEADER, "Host:",
 										 FETCH_REQUEST_HEADER, "Accept:",
@@ -375,6 +382,7 @@ bool scep_http_request(const char *url, chunk_t msg, scep_op_t op,
 
 			status = lib->fetcher->fetch(lib->fetcher, complete_url, response,
 										 FETCH_HTTP_VERSION_1_0,
+										 FETCH_TIMEOUT, timeout,
 										 FETCH_REQUEST_DATA, msg,
 										 FETCH_REQUEST_TYPE, "",
 										 FETCH_REQUEST_HEADER, "Expect:",
@@ -403,6 +411,7 @@ bool scep_http_request(const char *url, chunk_t msg, scep_op_t op,
 
 		status = lib->fetcher->fetch(lib->fetcher, complete_url, response,
 									 FETCH_HTTP_VERSION_1_0,
+									 FETCH_TIMEOUT, timeout,
 									 FETCH_END);
 	}
 
diff --git a/src/scepclient/scep.h b/src/scepclient/scep.h
index 30551d2db..ec8fa6515 100644
--- a/src/scepclient/scep.h
+++ b/src/scepclient/scep.h
@@ -79,7 +79,7 @@ chunk_t scep_build_request(chunk_t data, chunk_t transID, scep_msg_t msg,
 						size_t key_size, certificate_t *signer_cert,
 						hash_algorithm_t digest_alg, private_key_t *private_key);
 bool scep_http_request(const char *url, chunk_t message, scep_op_t op,
-					   bool http_get_request, chunk_t *response);
+					   bool http_get_request, u_int timeout, chunk_t *response);
 err_t scep_parse_response(chunk_t response, chunk_t transID,
 						  container_t **out, scep_attributes_t *attrs);
 
diff --git a/src/scepclient/scepclient.c b/src/scepclient/scepclient.c
index 83b5d6219..26f210d12 100644
--- a/src/scepclient/scepclient.c
+++ b/src/scepclient/scepclient.c
@@ -113,6 +113,9 @@ long crl_check_interval = 0;
 /* by default pluto logs out after every smartcard use */
 bool pkcs11_keep_state = FALSE;
 
+/* by default HTTP fetch timeout is 30s */
+static u_int http_timeout = 30;
+
 /* options read by optionsfrom */
 options_t *options;
 
@@ -344,6 +347,7 @@ static void usage(const char *message)
 		"                                   - if no filename is given, default is used\n"
 		" --optionsfrom (-+) <filename>     reads additional options from given file\n"
 		" --force (-f)                      force existing file(s)\n"
+		" --httptimeout (-T)                timeout for HTTP operations (default: 30s)\n"
 		"\n"
 		"Options for key generation (pkcs1):\n"
 		" --keylength (-k) <bits>           key length for RSA key generation\n"
@@ -518,6 +522,7 @@ int main(int argc, char **argv)
 			{ "in", required_argument, NULL, 'i' },
 			{ "out", required_argument, NULL, 'o' },
 			{ "force", no_argument, NULL, 'f' },
+			{ "httptimeout", required_argument, NULL, 'T' },
 			{ "keylength", required_argument, NULL, 'k' },
 			{ "dn", required_argument, NULL, 'd' },
 			{ "days", required_argument, NULL, 'D' },
@@ -662,6 +667,14 @@ int main(int argc, char **argv)
 				force = TRUE;
 				continue;
 
+			case 'T':       /* --httptimeout */
+				http_timeout = atoi(optarg);
+				if (http_timeout <= 0)
+				{
+					usage("invalid httptimeout specified");
+				}
+				continue;
+
 			case '+':       /* --optionsfrom <filename> */
 				if (!options->from(options, optarg, &argc, &argv, optind))
 				{
@@ -939,7 +952,8 @@ int main(int argc, char **argv)
 		pkcs7_t *pkcs7;
 
 		if (!scep_http_request(scep_url, chunk_create(ca_name, strlen(ca_name)),
-							SCEP_GET_CA_CERT, http_get_request, &scep_response))
+							   SCEP_GET_CA_CERT, http_get_request,
+							   http_timeout, &scep_response))
 		{
 			exit_scepclient("did not receive a valid scep response");
 		}
@@ -1317,7 +1331,7 @@ int main(int argc, char **argv)
 		creds->add_cert(creds, TRUE, x509_ca_sig->get_ref(x509_ca_sig));
 
 		if (!scep_http_request(scep_url, pkcs7, SCEP_PKI_OPERATION,
-				http_get_request, &scep_response))
+							   http_get_request, http_timeout, &scep_response))
 		{
 			exit_scepclient("did not receive a valid scep response");
 		}
@@ -1337,7 +1351,7 @@ int main(int argc, char **argv)
 			poll_start = time_monotonic(NULL);
 			issuerAndSubject = asn1_wrap(ASN1_SEQUENCE, "cc",
 									issuer->get_encoding(issuer),
-									subject);
+									subject->get_encoding(subject));
 		}
 		while (attrs.pkiStatus == SCEP_PENDING)
 		{
@@ -1367,7 +1381,7 @@ int main(int argc, char **argv)
 				exit_scepclient("failed to build scep request");
 			}
 			if (!scep_http_request(scep_url, getCertInitial, SCEP_PKI_OPERATION,
-				http_get_request, &scep_response))
+							http_get_request, http_timeout, &scep_response))
 			{
 				exit_scepclient("did not receive a valid scep response");
 			}
@@ -1458,5 +1472,3 @@ int main(int argc, char **argv)
 	exit_scepclient(NULL);
 	return -1; /* should never be reached */
 }
-
-
diff --git a/src/starter/Android.mk b/src/starter/Android.mk
index c7e81d284..91575c9ba 100644
--- a/src/starter/Android.mk
+++ b/src/starter/Android.mk
@@ -2,13 +2,15 @@ LOCAL_PATH := $(call my-dir)
 include $(CLEAR_VARS)
 
 # copy-n-paste from Makefile.am (update for LEX/YACC)
-LOCAL_SRC_FILES := \
+starter_SOURCES := \
 parser.c lexer.c ipsec-parser.h netkey.c args.h netkey.h \
 starterstroke.c confread.c \
 starterstroke.h confread.h args.c \
 keywords.c files.h keywords.h cmp.c starter.c cmp.h invokecharon.c \
 invokecharon.h klips.c klips.h
 
+LOCAL_SRC_FILES := $(filter %.c,$(starter_SOURCES))
+
 # build starter ----------------------------------------------------------------
 
 LOCAL_C_INCLUDES += \
diff --git a/src/starter/Makefile.in b/src/starter/Makefile.in
index b2c86384e..2e43f7000 100644
--- a/src/starter/Makefile.in
+++ b/src/starter/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.11.3 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
@@ -16,6 +16,23 @@
 @SET_MAKE@
 
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -91,6 +108,11 @@ LTYACCCOMPILE = $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
 	--mode=compile $(YACC) $(AM_YFLAGS) $(YFLAGS)
 SOURCES = $(starter_SOURCES)
 DIST_SOURCES = $(starter_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
@@ -107,6 +129,8 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -123,6 +147,7 @@ EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
@@ -191,8 +216,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -248,7 +271,6 @@ nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
@@ -343,8 +365,11 @@ $(ACLOCAL_M4):  $(am__aclocal_m4_deps)
 $(am__aclocal_m4_deps):
 install-ipsecPROGRAMS: $(ipsec_PROGRAMS)
 	@$(NORMAL_INSTALL)
-	test -z "$(ipsecdir)" || $(MKDIR_P) "$(DESTDIR)$(ipsecdir)"
 	@list='$(ipsec_PROGRAMS)'; test -n "$(ipsecdir)" || list=; \
+	if test -n "$$list"; then \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(ipsecdir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(ipsecdir)" || exit 1; \
+	fi; \
 	for p in $$list; do echo "$$p $$p"; done | \
 	sed 's/$(EXEEXT)$$//' | \
 	while read p p1; do if test -f $$p || test -f $$p1; \
diff --git a/src/starter/args.c b/src/starter/args.c
index 390062a99..5fbf51856 100644
--- a/src/starter/args.c
+++ b/src/starter/args.c
@@ -33,6 +33,7 @@ typedef enum {
 	ARG_TIME,
 	ARG_ULNG,
 	ARG_ULLI,
+	ARG_UBIN,
 	ARG_PCNT,
 	ARG_STR,
 	ARG_LST,
@@ -146,6 +147,7 @@ static const token_info_t token_info[] =
 	{ ARG_MISC, 0, NULL  /* KW_MOBIKE */                                           },
 	{ ARG_MISC, 0, NULL  /* KW_FORCEENCAPS */                                      },
 	{ ARG_ENUM, offsetof(starter_conn_t, fragmentation), LST_fragmentation         },
+	{ ARG_UBIN, offsetof(starter_conn_t, ikedscp), NULL                            },
 	{ ARG_TIME, offsetof(starter_conn_t, sa_ike_life_seconds), NULL                },
 	{ ARG_TIME, offsetof(starter_conn_t, sa_ipsec_life_seconds), NULL              },
 	{ ARG_TIME, offsetof(starter_conn_t, sa_rekey_margin), NULL                    },
@@ -399,6 +401,21 @@ bool assign_arg(kw_token_t token, kw_token_t first, kw_list_t *kw, char *base,
 			}
 		}
 		break;
+	case ARG_UBIN:
+		{
+			char *endptr;
+			u_int *u = (u_int *)p;
+
+			*u = strtoul(kw->value, &endptr, 2);
+
+			if (*endptr != '\0')
+			{
+				DBG1(DBG_APP, "# bad binary value: %s=%s", kw->entry->name,
+					 kw->value);
+				return FALSE;
+			}
+		}
+		break;
 	case ARG_TIME:
 		{
 			char *endptr;
diff --git a/src/starter/cmp.c b/src/starter/cmp.c
index aaba7b11d..cea864a4a 100644
--- a/src/starter/cmp.c
+++ b/src/starter/cmp.c
@@ -27,7 +27,8 @@ static bool starter_cmp_end(starter_end_t *c1, starter_end_t *c2)
 		return FALSE;
 
 	VARCMP(modecfg);
-	VARCMP(port);
+	VARCMP(from_port);
+	VARCMP(to_port);
 	VARCMP(protocol);
 
 	return cmp_args(KW_END_FIRST, KW_END_LAST, (char *)c1, (char *)c2);
@@ -63,4 +64,3 @@ bool starter_cmp_ca(starter_ca_t *c1, starter_ca_t *c2)
 
 	return cmp_args(KW_CA_NAME, KW_CA_LAST, (char *)c1, (char *)c2);
 }
-
diff --git a/src/starter/confread.c b/src/starter/confread.c
index fecb998df..f0f05b036 100644
--- a/src/starter/confread.c
+++ b/src/starter/confread.c
@@ -142,6 +142,9 @@ static void default_values(starter_config_t *cfg)
 	cfg->conn_default.left.ikeport = 500;
 	cfg->conn_default.right.ikeport = 500;
 
+	cfg->conn_default.left.to_port = 0xffff;
+	cfg->conn_default.right.to_port = 0xffff;
+
 	cfg->ca_default.seen = SEEN_NONE;
 }
 
@@ -187,7 +190,7 @@ static void load_setup(starter_config_t *cfg, config_parsed_t *cfgp)
 	/* verify the executables are actually available */
 #ifdef START_CHARON
 	cfg->setup.charonstart = cfg->setup.charonstart &&
-							 daemon_exists("charon", CHARON_CMD);
+							 daemon_exists(daemon_name, cmd);
 #else
 	cfg->setup.charonstart = FALSE;
 #endif
@@ -292,24 +295,46 @@ static void kw_end(starter_conn_t *conn, starter_end_t *end, kw_token_t token,
 		}
 		if (streq(port, "%any"))
 		{
-			end->port = 0;
+			end->from_port = 0;
+			end->to_port = 0xffff;
 		}
-		else
+		else if (streq(port, "%opaque"))
+		{
+			end->from_port = 0xffff;
+			end->to_port = 0;
+		}
+		else if (*port)
 		{
 			svc = getservbyname(port, NULL);
 			if (svc)
 			{
-				end->port = ntohs(svc->s_port);
+				end->from_port = end->to_port = ntohs(svc->s_port);
 			}
 			else
 			{
 				p = strtol(port, &endptr, 0);
-				if ((*port && *endptr) || p < 0 || p > 0xffff)
+				if (p < 0 || p > 0xffff)
+				{
+					DBG1(DBG_APP, "# bad port: %s=%s", name, port);
+					goto err;
+				}
+				end->from_port = p;
+				if (*endptr == '-')
+				{
+					port = endptr + 1;
+					p = strtol(port, &endptr, 0);
+					if (p < 0 || p > 0xffff)
+					{
+						DBG1(DBG_APP, "# bad port: %s=%s", name, port);
+						goto err;
+					}
+				}
+				end->to_port = p;
+				if (*endptr)
 				{
-					DBG1(DBG_APP, "# bad port: %s=%s", name, value);
+					DBG1(DBG_APP, "# bad port: %s=%s", name, port);
 					goto err;
 				}
-				end->port = (u_int16_t)p;
 			}
 		}
 		if (sep)
diff --git a/src/starter/confread.h b/src/starter/confread.h
index a0f6234f9..0690bed4e 100644
--- a/src/starter/confread.h
+++ b/src/starter/confread.h
@@ -115,7 +115,8 @@ struct starter_end {
 		bool            hostaccess;
 		bool            allow_any;
 		char            *updown;
-		u_int16_t       port;
+		u_int16_t       from_port;
+		u_int16_t       to_port;
 		u_int8_t        protocol;
 		char            *sourceip;
 		char            *dns;
@@ -148,6 +149,7 @@ struct starter_conn {
 		ipsec_mode_t    mode;
 		bool            proxy_mode;
 		fragmentation_t fragmentation;
+		u_int           ikedscp;
 		sa_option_t     options;
 		time_t          sa_ike_life_seconds;
 		time_t          sa_ipsec_life_seconds;
@@ -246,4 +248,3 @@ extern starter_config_t *confread_load(const char *file);
 extern void confread_free(starter_config_t *cfg);
 
 #endif /* _IPSEC_CONFREAD_H_ */
-
diff --git a/src/starter/files.h b/src/starter/files.h
index 96b76fdf1..76cdaa986 100644
--- a/src/starter/files.h
+++ b/src/starter/files.h
@@ -15,8 +15,6 @@
 #ifndef _STARTER_FILES_H_
 #define _STARTER_FILES_H_
 
-#define STARTER_PID_FILE IPSEC_PIDDIR "/starter.pid"
-
 #define PROC_NETKEY             "/proc/net/pfkey"
 #define PROC_KLIPS              "/proc/net/pf_key"
 #define PROC_MODULES    "/proc/modules"
@@ -24,9 +22,11 @@
 #define CONFIG_FILE     IPSEC_CONFDIR "/ipsec.conf"
 #define SECRETS_FILE    IPSEC_CONFDIR "/ipsec.secrets"
 
-#define CHARON_CMD      IPSEC_DIR "/charon"
 #define CHARON_CTL_FILE IPSEC_PIDDIR "/charon.ctl"
-#define CHARON_PID_FILE IPSEC_PIDDIR "/charon.pid"
+
+extern char *daemon_name;
+extern char *cmd;
+extern char *pid_file;
 
 #define DYNIP_DIR       IPSEC_PIDDIR "/dynip"
 
diff --git a/src/starter/invokecharon.c b/src/starter/invokecharon.c
index 1c93381f7..d981f6c17 100644
--- a/src/starter/invokecharon.c
+++ b/src/starter/invokecharon.c
@@ -46,22 +46,22 @@ void starter_charon_sigchild(pid_t pid, int status)
 		if (status == SS_RC_LIBSTRONGSWAN_INTEGRITY ||
 			status == SS_RC_DAEMON_INTEGRITY)
 		{
-			DBG1(DBG_APP, "charon has quit: integrity test of %s failed",
-				 (status == 64) ? "libstrongswan" : "charon");
+			DBG1(DBG_APP, "%s has quit: integrity test of %s failed",
+				 daemon_name, (status == 64) ? "libstrongswan" : daemon_name);
 			_stop_requested = 1;
 		}
 		else if (status == SS_RC_INITIALIZATION_FAILED)
 		{
-			DBG1(DBG_APP, "charon has quit: initialization failed");
+			DBG1(DBG_APP, "%s has quit: initialization failed", daemon_name);
 			_stop_requested = 1;
 		}
 		if (!_stop_requested)
 		{
-			DBG1(DBG_APP, "charon has died -- restart scheduled (%dsec)",
-				 CHARON_RESTART_DELAY);
+			DBG1(DBG_APP, "%s has died -- restart scheduled (%dsec)",
+				 daemon_name, CHARON_RESTART_DELAY);
 			alarm(CHARON_RESTART_DELAY);   // restart in 5 sec
 		}
-		unlink(CHARON_PID_FILE);
+		unlink(pid_file);
 	}
 }
 
@@ -88,7 +88,8 @@ int starter_stop_charon (void)
 			else if (i == 40)
 			{
 				kill(pid, SIGKILL);
-				DBG1(DBG_APP, "starter_stop_charon(): charon does not respond, sending KILL");
+				DBG1(DBG_APP, "starter_stop_charon(): %s does not respond, sending KILL",
+					 daemon_name);
 			}
 			else
 			{
@@ -98,15 +99,15 @@ int starter_stop_charon (void)
 		}
 		if (_charon_pid == 0)
 		{
-			DBG1(DBG_APP, "charon stopped after %d ms", 200*i);
+			DBG1(DBG_APP, "%s stopped after %d ms", daemon_name, 200*i);
 			return 0;
 		}
-		DBG1(DBG_APP, "starter_stop_charon(): can't stop charon !!!");
+		DBG1(DBG_APP, "starter_stop_charon(): can't stop %s !!!", daemon_name);
 		return -1;
 	}
 	else
 	{
-		DBG1(DBG_APP, "stater_stop_charon(): charon was not started...");
+		DBG1(DBG_APP, "stater_stop_charon(): %s was not started...", daemon_name);
 	}
 	return -1;
 }
@@ -119,7 +120,7 @@ int starter_start_charon (starter_config_t *cfg, bool no_fork, bool attach_gdb)
 	char buffer[BUF_LEN];
 	int argc = 1;
 	char *arg[] = {
-		CHARON_CMD, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL,
+		cmd, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL,
 		NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL,
 		NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL,
 		NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL
@@ -130,7 +131,7 @@ int starter_start_charon (starter_config_t *cfg, bool no_fork, bool attach_gdb)
 		argc = 0;
 		arg[argc++] = "/usr/bin/gdb";
 		arg[argc++] = "--args";
-		arg[argc++] = CHARON_CMD;
+		arg[argc++] = cmd;
 		}
 	if (!no_fork)
 	{
@@ -172,7 +173,8 @@ int starter_start_charon (starter_config_t *cfg, bool no_fork, bool attach_gdb)
 
 	if (_charon_pid)
 	{
-		DBG1(DBG_APP, "starter_start_charon(): charon already started...");
+		DBG1(DBG_APP, "starter_start_charon(): %s already started...",
+			 daemon_name);
 		return -1;
 	}
 	else
@@ -203,9 +205,9 @@ int starter_start_charon (starter_config_t *cfg, bool no_fork, bool attach_gdb)
 			{
 				/* wait for charon for a maximum of 500 x 20 ms = 10 s */
 				usleep(20000);
-				if (stat(CHARON_PID_FILE, &stb) == 0)
+				if (stat(pid_file, &stb) == 0)
 				{
-					DBG1(DBG_APP, "charon (%d) started after %d ms",
+					DBG1(DBG_APP, "%s (%d) started after %d ms", daemon_name,
 						 _charon_pid, 20*(i+1));
 					return 0;
 				}
@@ -213,7 +215,8 @@ int starter_start_charon (starter_config_t *cfg, bool no_fork, bool attach_gdb)
 			if (_charon_pid)
 			{
 				/* If charon is started but with no ctl file, stop it */
-				DBG1(DBG_APP, "charon too long to start... - kill kill");
+				DBG1(DBG_APP, "%s too long to start... - kill kill",
+					 daemon_name);
 				for (i = 0; i < 20 && (pid = _charon_pid) != 0; i++)
 				{
 					if (i == 0)
@@ -233,7 +236,7 @@ int starter_start_charon (starter_config_t *cfg, bool no_fork, bool attach_gdb)
 			}
 			else
 			{
-				DBG1(DBG_APP, "charon refused to be started");
+				DBG1(DBG_APP, "%s refused to be started", daemon_name);
 			}
 			return -1;
 		}
diff --git a/src/starter/keywords.c b/src/starter/keywords.c
index b75ff1395..3692c2cdd 100644
--- a/src/starter/keywords.c
+++ b/src/starter/keywords.c
@@ -54,7 +54,7 @@ struct kw_entry {
     kw_token_t token;
 };
 
-#define TOTAL_KEYWORDS 135
+#define TOTAL_KEYWORDS 136
 #define MIN_WORD_LENGTH 3
 #define MAX_WORD_LENGTH 17
 #define MIN_HASH_VALUE 10
@@ -79,15 +79,15 @@ hash (str, len)
       260, 260, 260, 260, 260, 260, 260, 260, 260, 260,
       260, 260, 260, 260, 260, 260, 260, 260, 260, 260,
       260, 260, 260, 260, 260, 260, 260, 260, 260, 260,
-      260, 260, 260, 260, 260, 260, 260, 260, 260,  15,
+      260, 260, 260, 260, 260, 260, 260, 260, 260,   8,
        99, 260, 260, 260, 260, 260, 260, 260, 260, 260,
       260, 260, 260, 260, 260, 260, 260, 260, 260, 260,
       260, 260, 260, 260, 260, 260, 260, 260, 260, 260,
       260, 260, 260, 260, 260, 260, 260, 260, 260, 260,
-      260, 260, 260, 260, 260,  11, 260,  11,   2,  80,
-       55,   6,   3,   2, 114,   2, 260,  83,  70,   6,
-       22,  81,  51,   7,  14,   2,   7, 122,   2, 260,
-      260,  43,  19, 260, 260, 260, 260, 260, 260, 260,
+      260, 260, 260, 260, 260,   4, 260,  11,   4,  80,
+       55,   6,   3,   2, 114,   2, 260, 114,  70,  33,
+       22,  81,  51,   7,  14,   2,   7, 122,   8, 260,
+      260,  43,   4, 260, 260, 260, 260, 260, 260, 260,
       260, 260, 260, 260, 260, 260, 260, 260, 260, 260,
       260, 260, 260, 260, 260, 260, 260, 260, 260, 260,
       260, 260, 260, 260, 260, 260, 260, 260, 260, 260,
@@ -163,8 +163,8 @@ static const struct kw_entry wordlist[] =
     {"rightrsasigkey",    KW_RIGHTRSASIGKEY},
     {"rightprotoport",    KW_RIGHTPROTOPORT},
     {"leftnexthop",       KW_LEFT_DEPRECATED},
-    {"strictcrlpolicy",   KW_STRICTCRLPOLICY},
     {"me_peerid",         KW_ME_PEERID},
+    {"strictcrlpolicy",   KW_STRICTCRLPOLICY},
     {"inactivity",        KW_INACTIVITY},
     {"rightnexthop",      KW_RIGHT_DEPRECATED},
     {"rightfirewall",     KW_RIGHTFIREWALL},
@@ -172,55 +172,52 @@ static const struct kw_entry wordlist[] =
     {"leftupdown",        KW_LEFTUPDOWN},
     {"leftfirewall",      KW_LEFTFIREWALL},
     {"crluri",            KW_CRLURI},
-    {"ike",               KW_IKE},
     {"mediation",         KW_MEDIATION},
     {"rightcert",         KW_RIGHTCERT},
-    {"mobike",	           KW_MOBIKE},
+    {"crluri1",           KW_CRLURI},
     {"rightca",           KW_RIGHTCA},
-    {"compress",          KW_COMPRESS},
+    {"mobike",	           KW_MOBIKE},
     {"type",              KW_TYPE},
     {"ocspuri",           KW_OCSPURI},
     {"lefthostaccess",    KW_LEFTHOSTACCESS},
     {"esp",               KW_ESP},
-    {"crluri1",           KW_CRLURI},
-    {"ikelifetime",       KW_IKELIFETIME},
-    {"leftikeport",       KW_LEFTIKEPORT},
     {"cacert",            KW_CACERT},
-    {"mark",              KW_MARK},
+    {"ocspuri1",          KW_OCSPURI},
     {"rightid2",          KW_RIGHTID2},
     {"forceencaps",       KW_FORCEENCAPS},
     {"nat_traversal",     KW_SETUP_DEPRECATED},
     {"eap",               KW_CONN_DEPRECATED},
     {"rightgroups2",      KW_RIGHTGROUPS2},
     {"packetdefault",     KW_SETUP_DEPRECATED},
-    {"ocspuri1",          KW_OCSPURI},
-    {"rekeyfuzz",         KW_REKEYFUZZ},
+    {"force_keepalive",   KW_SETUP_DEPRECATED},
     {"mark_out",          KW_MARK_OUT},
     {"mediated_by",       KW_MEDIATED_BY},
     {"leftcert2",         KW_LEFTCERT2},
     {"rightauth2",        KW_RIGHTAUTH2},
     {"leftid",            KW_LEFTID},
     {"leftca2",           KW_LEFTCA2},
-    {"force_keepalive",   KW_SETUP_DEPRECATED},
-    {"rekeymargin",       KW_REKEYMARGIN},
-    {"dpdtimeout",        KW_DPDTIMEOUT},
+    {"ike",               KW_IKE},
+    {"compress",          KW_COMPRESS},
     {"aaa_identity",      KW_AAA_IDENTITY},
     {"leftgroups2",       KW_LEFTGROUPS2},
     {"leftallowany",      KW_LEFTALLOWANY},
     {"righthostaccess",   KW_RIGHTHOSTACCESS},
-    {"rekey",             KW_REKEY},
+    {"rekeyfuzz",         KW_REKEYFUZZ},
     {"rightauth",         KW_RIGHTAUTH},
     {"klipsdebug",        KW_SETUP_DEPRECATED},
+    {"ikelifetime",       KW_IKELIFETIME},
+    {"leftikeport",       KW_LEFTIKEPORT},
     {"rightcertpolicy",   KW_RIGHTCERTPOLICY},
-    {"overridemtu",       KW_SETUP_DEPRECATED},
+    {"mark",              KW_MARK},
     {"dpdaction",         KW_DPDACTION},
     {"pfsgroup",          KW_PFS_DEPRECATED},
     {"keyexchange",       KW_KEYEXCHANGE},
     {"hidetos",           KW_SETUP_DEPRECATED},
     {"leftsubnet",        KW_LEFTSUBNET},
+    {"overridemtu",       KW_SETUP_DEPRECATED},
     {"installpolicy",     KW_INSTALLPOLICY},
-    {"dumpdir",           KW_SETUP_DEPRECATED},
     {"leftsourceip",      KW_LEFTSOURCEIP},
+    {"dpdtimeout",        KW_DPDTIMEOUT},
     {"also",              KW_ALSO},
     {"rightupdown",       KW_RIGHTUPDOWN},
     {"charondebug",       KW_CHARONDEBUG},
@@ -228,35 +225,39 @@ static const struct kw_entry wordlist[] =
     {"fragicmp",          KW_SETUP_DEPRECATED},
     {"charonstart",       KW_SETUP_DEPRECATED},
     {"tfc",               KW_TFC},
+    {"rekey",             KW_REKEY},
     {"leftsubnetwithin",  KW_LEFTSUBNET},
     {"leftid2",           KW_LEFTID2},
     {"eap_identity",      KW_EAP_IDENTITY},
     {"crlcheckinterval",  KW_SETUP_DEPRECATED},
+    {"dumpdir",           KW_SETUP_DEPRECATED},
     {"cachecrls",         KW_CACHECRLS},
+    {"rekeymargin",       KW_REKEYMARGIN},
     {"rightca2",          KW_RIGHTCA2},
     {"crluri2",           KW_CRLURI2},
     {"rightcert2",        KW_RIGHTCERT2},
-    {"pkcs11initargs",    KW_PKCS11_DEPRECATED},
-    {"closeaction",       KW_CLOSEACTION},
-    {"pkcs11module",      KW_PKCS11_DEPRECATED},
-    {"pkcs11keepstate",   KW_PKCS11_DEPRECATED},
     {"xauth_identity",    KW_XAUTH_IDENTITY},
+    {"closeaction",       KW_CLOSEACTION},
     {"ocspuri2",          KW_OCSPURI2},
     {"plutostderrlog",    KW_SETUP_DEPRECATED},
     {"plutostart",        KW_SETUP_DEPRECATED},
     {"auto",              KW_AUTO},
+    {"pkcs11initargs",    KW_PKCS11_DEPRECATED},
+    {"pkcs11module",      KW_PKCS11_DEPRECATED},
     {"authby",            KW_AUTHBY},
+    {"pkcs11keepstate",   KW_PKCS11_DEPRECATED},
     {"dpddelay",          KW_DPDDELAY},
     {"modeconfig",        KW_MODECONFIG},
     {"nocrsend",          KW_SETUP_DEPRECATED},
     {"prepluto",          KW_SETUP_DEPRECATED},
-    {"pkcs11proxy",       KW_PKCS11_DEPRECATED},
     {"leftauth2",         KW_LEFTAUTH2},
     {"postpluto",         KW_SETUP_DEPRECATED},
     {"auth",              KW_AUTH},
     {"reauth",            KW_REAUTH},
     {"xauth",             KW_XAUTH},
     {"leftauth",          KW_LEFTAUTH},
+    {"pkcs11proxy",       KW_PKCS11_DEPRECATED},
+    {"ikedscp",           KW_IKEDSCP,},
     {"plutodebug",        KW_SETUP_DEPRECATED}
   };
 
@@ -270,24 +271,24 @@ static const short lookup[] =
      -1,  21,  -1,  -1,  -1,  -1,  22,  -1,  -1,  23,
      24,  -1,  25,  26,  27,  28,  29,  30,  31,  32,
      33,  34,  35,  36,  -1,  37,  38,  39,  -1,  -1,
-     -1,  -1,  -1,  -1,  -1,  -1,  40,  41,  42,  43,
-     44,  45,  46,  47,  48,  -1,  -1,  -1,  49,  50,
-     51,  52,  53,  54,  55,  56,  57,  58,  59,  60,
-     61,  62,  63,  64,  65,  66,  67,  68,  69,  70,
-     71,  72,  73,  74,  75,  76,  77,  78,  79,  80,
-     -1,  -1,  81,  82,  83,  84,  -1,  85,  86,  87,
-     -1,  -1,  88,  89,  90,  91,  92,  93,  94,  -1,
-     95,  96,  -1,  97,  -1,  -1,  -1,  98,  -1,  99,
-    100,  -1, 101,  -1, 102, 103, 104,  -1,  -1, 105,
-    106,  -1, 107,  -1,  -1,  -1, 108,  -1,  -1,  -1,
-     -1,  -1, 109,  -1,  -1,  -1,  -1,  -1,  -1,  -1,
-     -1, 110, 111, 112, 113, 114, 115,  -1,  -1, 116,
-     -1, 117,  -1, 118,  -1,  -1,  -1,  -1,  -1,  -1,
-    119, 120,  -1,  -1, 121,  -1,  -1,  -1,  -1,  -1,
-     -1, 122,  -1,  -1,  -1,  -1,  -1, 123,  -1, 124,
-    125, 126, 127,  -1,  -1,  -1,  -1,  -1,  -1, 128,
-     -1,  -1,  -1, 129,  -1,  -1,  -1, 130,  -1,  -1,
-     -1, 131, 132, 133,  -1,  -1,  -1,  -1,  -1, 134
+     40,  -1,  -1,  -1,  -1,  -1,  41,  -1,  42,  43,
+     44,  45,  46,  47,  48,  -1,  -1,  -1,  -1,  49,
+     50,  51,  52,  53,  54,  55,  56,  57,  -1,  -1,
+     -1,  58,  59,  60,  61,  62,  63,  64,  65,  -1,
+     66,  67,  68,  69,  70,  71,  72,  -1,  -1,  73,
+     74,  -1,  75,  76,  77,  78,  79,  -1,  80,  81,
+     82,  83,  84,  85,  86,  87,  88,  89,  90,  91,
+     92,  -1,  -1,  93,  -1,  -1,  94,  95,  -1,  96,
+     97,  -1,  98,  -1,  99, 100, 101,  -1, 102, 103,
+    104,  -1, 105,  -1,  -1,  -1, 106,  -1, 107,  -1,
+     -1,  -1, 108,  -1,  -1,  -1, 109,  -1,  -1,  -1,
+     -1, 110, 111, 112, 113, 114,  -1,  -1,  -1,  -1,
+     -1,  -1,  -1, 115,  -1,  -1,  -1,  -1,  -1,  -1,
+    116, 117,  -1,  -1, 118,  -1,  -1,  -1, 119,  -1,
+    120, 121,  -1, 122,  -1,  -1,  -1, 123,  -1, 124,
+    125, 126,  -1,  -1,  -1,  -1,  -1,  -1,  -1, 127,
+     -1,  -1,  -1, 128,  -1,  -1,  -1, 129,  -1,  -1,
+     -1, 130, 131, 132,  -1,  -1, 133,  -1, 134, 135
   };
 
 #ifdef __GNUC__
diff --git a/src/starter/keywords.h b/src/starter/keywords.h
index f776f33c9..4a96a418c 100644
--- a/src/starter/keywords.h
+++ b/src/starter/keywords.h
@@ -43,6 +43,7 @@ typedef enum {
 	KW_MOBIKE,
 	KW_FORCEENCAPS,
 	KW_FRAGMENTATION,
+	KW_IKEDSCP,
 	KW_IKELIFETIME,
 	KW_KEYLIFE,
 	KW_REKEYMARGIN,
@@ -186,4 +187,3 @@ typedef enum {
 } kw_token_t;
 
 #endif /* _KEYWORDS_H_ */
-
diff --git a/src/starter/keywords.txt b/src/starter/keywords.txt
index 1f1641287..cd964b0e3 100644
--- a/src/starter/keywords.txt
+++ b/src/starter/keywords.txt
@@ -41,6 +41,7 @@ aaa_identity,      KW_AAA_IDENTITY
 mobike,	           KW_MOBIKE
 forceencaps,       KW_FORCEENCAPS
 fragmentation,     KW_FRAGMENTATION
+ikedscp,           KW_IKEDSCP,
 ikelifetime,       KW_IKELIFETIME
 lifetime,          KW_KEYLIFE
 keylife,           KW_KEYLIFE
diff --git a/src/starter/starter.c b/src/starter/starter.c
index ae6863fd7..917e52d68 100644
--- a/src/starter/starter.c
+++ b/src/starter/starter.c
@@ -12,6 +12,8 @@
  * for more details.
  */
 
+#define _GNU_SOURCE
+
 #include <sys/select.h>
 #include <sys/types.h>
 #include <sys/wait.h>
@@ -50,6 +52,15 @@
 
 #define CHARON_RESTART_DELAY 5
 
+static const char* cmd_default = IPSEC_DIR "/charon";
+static const char* pid_file_default = IPSEC_PIDDIR "/charon.pid";
+static const char* starter_pid_file_default = IPSEC_PIDDIR "/starter.pid";
+
+char *daemon_name = NULL;
+char *cmd = NULL;
+char *pid_file = NULL;
+char *starter_pid_file = NULL;
+
 /* logging */
 static bool log_to_stderr = TRUE;
 static bool log_to_syslog = TRUE;
@@ -162,7 +173,10 @@ static void signal_handler(int signal)
 			{
 				if (pid == starter_charon_pid())
 				{
-					name = " (Charon)";
+					if (asprintf(&name, " (%s)", daemon_name) < 0)
+					{
+						 name = NULL;
+					}
 				}
 				if (WIFSIGNALED(status))
 				{
@@ -193,6 +207,11 @@ static void signal_handler(int signal)
 					starter_charon_sigchild(pid, exit_status);
 				}
 			}
+
+			if (name)
+			{
+				free(name);
+			}
 		}
 		break;
 
@@ -325,11 +344,56 @@ static bool check_pid(char *pid_file)
 	return FALSE;
 }
 
+/* Set daemon name and adjust command and pid filenames accordingly */
+static bool set_daemon_name()
+{
+	if (!daemon_name)
+	{
+		daemon_name = "charon";
+	}
+
+	if (asprintf(&cmd, IPSEC_DIR"/%s", daemon_name) < 0)
+	{
+		 cmd = (char*)cmd_default;
+	}
+
+	if (asprintf(&pid_file, IPSEC_PIDDIR"/%s.pid", daemon_name) < 0)
+	{
+		 pid_file = (char*)pid_file_default;
+	}
+
+	if (asprintf(&starter_pid_file, IPSEC_PIDDIR"/starter.%s.pid",
+				 daemon_name) < 0)
+	{
+		 starter_pid_file = (char*)starter_pid_file_default;
+	}
+
+	return TRUE;
+}
+
+static void cleanup()
+{
+	if (cmd != cmd_default)
+	{
+		free(cmd);
+	}
+
+	if (pid_file != pid_file_default)
+	{
+		free(pid_file);
+	}
+
+	if (starter_pid_file != starter_pid_file_default)
+	{
+		free(starter_pid_file);
+	}
+}
+
 static void usage(char *name)
 {
 	fprintf(stderr, "Usage: starter [--nofork] [--auto-update <sec>]\n"
 			"               [--debug|--debug-more|--debug-all|--nolog]\n"
-			"               [--attach-gdb]\n");
+			"               [--attach-gdb] [--daemon <name>]\n");
 	exit(LSB_RC_INVALID_ARGUMENT);
 }
 
@@ -392,12 +456,22 @@ int main (int argc, char **argv)
 			if (!auto_update)
 				usage(argv[0]);
 		}
+		else if (streq(argv[i], "--daemon") && i+1 < argc)
+		{
+			daemon_name = argv[++i];
+		}
 		else
 		{
 			usage(argv[0]);
 		}
 	}
 
+	if (!set_daemon_name())
+	{
+		DBG1(DBG_APP, "unable to set daemon name");
+		exit(LSB_RC_FAILURE);
+	}
+
 	init_log("ipsec_starter");
 
 	DBG1(DBG_APP, "Starting %sSwan "VERSION" IPsec [starter]...",
@@ -423,13 +497,14 @@ int main (int argc, char **argv)
 	if (getuid() != 0)
 	{
 		DBG1(DBG_APP, "permission denied (must be superuser)");
+		cleanup();
 		exit(LSB_RC_NOT_ALLOWED);
 	}
 
-	if (check_pid(CHARON_PID_FILE))
+	if (check_pid(pid_file))
 	{
-		DBG1(DBG_APP, "charon is already running (%s exists) -- skipping charon start",
-			 CHARON_PID_FILE);
+		DBG1(DBG_APP, "%s is already running (%s exists) -- skipping daemon start",
+			 daemon_name, pid_file);
 	}
 	else
 	{
@@ -438,12 +513,14 @@ int main (int argc, char **argv)
 	if (stat(DEV_RANDOM, &stb) != 0)
 	{
 		DBG1(DBG_APP, "unable to start strongSwan IPsec -- no %s!", DEV_RANDOM);
+		cleanup();
 		exit(LSB_RC_FAILURE);
 	}
 
 	if (stat(DEV_URANDOM, &stb)!= 0)
 	{
 		DBG1(DBG_APP, "unable to start strongSwan IPsec -- no %s!", DEV_URANDOM);
+		cleanup();
 		exit(LSB_RC_FAILURE);
 	}
 
@@ -455,6 +532,7 @@ int main (int argc, char **argv)
 		{
 			confread_free(cfg);
 		}
+		cleanup();
 		exit(LSB_RC_INVALID_ARGUMENT);
 	}
 
@@ -471,11 +549,12 @@ int main (int argc, char **argv)
 
 	last_reload = time_monotonic(NULL);
 
-	if (check_pid(STARTER_PID_FILE))
+	if (check_pid(starter_pid_file))
 	{
 		DBG1(DBG_APP, "starter is already running (%s exists) -- no fork done",
-			 STARTER_PID_FILE);
+			 starter_pid_file);
 		confread_free(cfg);
+		cleanup();
 		exit(LSB_RC_SUCCESS);
 	}
 
@@ -515,13 +594,14 @@ int main (int argc, char **argv)
 				break;
 			default:
 				confread_free(cfg);
+				cleanup();
 				exit(LSB_RC_SUCCESS);
 		}
 	}
 
-	/* save pid file in /var/run/starter.pid */
+	/* save pid file in /var/run/starter[.daemon_name].pid */
 	{
-		FILE *fd = fopen(STARTER_PID_FILE, "w");
+		FILE *fd = fopen(starter_pid_file, "w");
 
 		if (fd)
 		{
@@ -576,7 +656,8 @@ int main (int argc, char **argv)
 			}
 			starter_netkey_cleanup();
 			confread_free(cfg);
-			unlink(STARTER_PID_FILE);
+			unlink(starter_pid_file);
+			cleanup();
 			DBG1(DBG_APP, "ipsec starter stopped");
 			close_log();
 			exit(LSB_RC_SUCCESS);
@@ -709,13 +790,13 @@ int main (int argc, char **argv)
 		}
 
 		/*
-		 * Start charon
+		 * Start daemon
 		 */
 		if (_action_ & FLAG_ACTION_START_CHARON)
 		{
 			if (cfg->setup.charonstart && !starter_charon_pid())
 			{
-				DBG2(DBG_APP, "Attempting to start charon...");
+				DBG2(DBG_APP, "Attempting to start %s...", daemon_name);
 				if (starter_start_charon(cfg, no_fork, attach_gdb))
 				{
 					/* schedule next try */
@@ -807,7 +888,8 @@ int main (int argc, char **argv)
 		/*
 		 * Wait for something to happen
 		 */
-		if (pselect(0, NULL, NULL, NULL, auto_update ? &ts : NULL,
+		if (!_action_ &&
+			pselect(0, NULL, NULL, NULL, auto_update ? &ts : NULL,
 					&action.sa_mask) == 0)
 		{
 			/* timeout -> auto_update */
diff --git a/src/starter/starterstroke.c b/src/starter/starterstroke.c
index 4f9e8fb14..cc447c41f 100644
--- a/src/starter/starterstroke.c
+++ b/src/starter/starterstroke.c
@@ -146,7 +146,8 @@ static void starter_stroke_add_end(stroke_msg_t *msg, stroke_end_t *msg_end, sta
 	msg_end->tohost = !conn_end->subnet;
 	msg_end->allow_any = conn_end->allow_any;
 	msg_end->protocol = conn_end->protocol;
-	msg_end->port = conn_end->port;
+	msg_end->from_port = conn_end->from_port;
+	msg_end->to_port = conn_end->to_port;
 }
 
 int starter_stroke_add_conn(starter_config_t *cfg, starter_conn_t *conn)
@@ -181,6 +182,7 @@ int starter_stroke_add_conn(starter_config_t *cfg, starter_conn_t *conn)
 	msg.add_conn.mobike = conn->options & SA_OPTION_MOBIKE;
 	msg.add_conn.force_encap = conn->options & SA_OPTION_FORCE_ENCAP;
 	msg.add_conn.fragmentation = conn->fragmentation;
+	msg.add_conn.ikedscp = conn->ikedscp;
 	msg.add_conn.ipcomp = conn->options & SA_OPTION_COMPRESS;
 	msg.add_conn.install_policy = conn->install_policy;
 	msg.add_conn.aggressive = conn->aggressive;
@@ -330,4 +332,3 @@ int starter_stroke_configure(starter_config_t *cfg)
 	}
 	return 0;
 }
-
diff --git a/src/stroke/Android.mk b/src/stroke/Android.mk
index 69b3e54ca..320314c4d 100644
--- a/src/stroke/Android.mk
+++ b/src/stroke/Android.mk
@@ -2,9 +2,11 @@ LOCAL_PATH := $(call my-dir)
 include $(CLEAR_VARS)
 
 # copy-n-paste from Makefile.am
-LOCAL_SRC_FILES := \
+stroke_SOURCES := \
 stroke.c stroke_msg.h stroke_keywords.c stroke_keywords.h
 
+LOCAL_SRC_FILES := $(filter %.c,$(stroke_SOURCES))
+
 # build stroke -----------------------------------------------------------------
 
 LOCAL_C_INCLUDES += \
diff --git a/src/stroke/Makefile.in b/src/stroke/Makefile.in
index 01288296e..779dafd7c 100644
--- a/src/stroke/Makefile.in
+++ b/src/stroke/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.11.3 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
@@ -16,6 +16,23 @@
 @SET_MAKE@
 
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -76,6 +93,11 @@ LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
 	$(LDFLAGS) -o $@
 SOURCES = $(stroke_SOURCES)
 DIST_SOURCES = $(stroke_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
@@ -92,6 +114,8 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -108,6 +132,7 @@ EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
@@ -176,8 +201,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -233,7 +256,6 @@ nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
@@ -313,8 +335,11 @@ $(ACLOCAL_M4):  $(am__aclocal_m4_deps)
 $(am__aclocal_m4_deps):
 install-ipsecPROGRAMS: $(ipsec_PROGRAMS)
 	@$(NORMAL_INSTALL)
-	test -z "$(ipsecdir)" || $(MKDIR_P) "$(DESTDIR)$(ipsecdir)"
 	@list='$(ipsec_PROGRAMS)'; test -n "$(ipsecdir)" || list=; \
+	if test -n "$$list"; then \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(ipsecdir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(ipsecdir)" || exit 1; \
+	fi; \
 	for p in $$list; do echo "$$p $$p"; done | \
 	sed 's/$(EXEEXT)$$//' | \
 	while read p p1; do if test -f $$p || test -f $$p1; \
diff --git a/src/stroke/stroke.c b/src/stroke/stroke.c
index e289296c1..3273aedf2 100644
--- a/src/stroke/stroke.c
+++ b/src/stroke/stroke.c
@@ -151,12 +151,14 @@ static int add_connection(char *name,
 	msg.add_conn.me.ikeport = 500;
 	msg.add_conn.me.subnets = push_string(&msg, my_nets);
 	msg.add_conn.me.sendcert = 1;
+	msg.add_conn.me.to_port = 65535;
 
 	msg.add_conn.other.id = push_string(&msg, other_id);
 	msg.add_conn.other.address = push_string(&msg, other_addr);
 	msg.add_conn.other.ikeport = 500;
 	msg.add_conn.other.subnets = push_string(&msg, other_nets);
 	msg.add_conn.other.sendcert = 1;
+	msg.add_conn.other.to_port = 65535;
 
 	return send_stroke_msg(&msg);
 }
@@ -266,7 +268,6 @@ static int list_flags[] = {
 	LIST_OCSP,
 	LIST_ALGS,
 	LIST_PLUGINS,
-	LIST_COUNTERS,
 	LIST_ALL
 };
 
@@ -365,6 +366,18 @@ static int user_credentials(char *name, char *user, char *pass)
 	return send_stroke_msg(&msg);
 }
 
+static int counters(int reset, char *name)
+{
+	stroke_msg_t msg;
+
+	msg.type = STR_COUNTERS;
+	msg.length = offsetof(stroke_msg_t, buffer);
+	msg.counters.name = push_string(&msg, name);
+	msg.counters.reset = reset;
+
+	return send_stroke_msg(&msg);
+}
+
 static int set_loglevel(char *type, u_int level)
 {
 	stroke_msg_t msg;
@@ -419,7 +432,7 @@ static void exit_usage(char *error)
 	printf("  Show list of authority and attribute certificates:\n");
 	printf("    stroke listcacerts|listocspcerts|listaacerts|listacerts\n");
 	printf("  Show list of end entity certificates, ca info records  and crls:\n");
-	printf("    stroke listcerts|listcainfos|listcrls|listcounters|listall\n");
+	printf("    stroke listcerts|listcainfos|listcrls|listall\n");
 	printf("  Show list of supported algorithms:\n");
 	printf("    stroke listalgs\n");
 	printf("  Reload authority and attribute certificates:\n");
@@ -445,6 +458,8 @@ static void exit_usage(char *error)
 	printf("    where: NAME is a connection name added with \"stroke add\"\n");
 	printf("           USERNAME is the username\n");
 	printf("           PASSWORD is the optional password, you'll be asked to enter it if not given\n");
+	printf("  Show IKE counters:\n");
+	printf("    stroke listcounters [connection-name]\n");
 	exit_error(error);
 }
 
@@ -553,7 +568,6 @@ int main(int argc, char *argv[])
 		case STROKE_LIST_OCSP:
 		case STROKE_LIST_ALGS:
 		case STROKE_LIST_PLUGINS:
-		case STROKE_LIST_COUNTERS:
 		case STROKE_LIST_ALL:
 			res = list(token->kw, argc > 2 && strcmp(argv[2], "--utc") == 0);
 			break;
@@ -594,6 +608,11 @@ int main(int argc, char *argv[])
 			}
 			res = user_credentials(argv[2], argv[3], argc > 4 ? argv[4] : NULL);
 			break;
+		case STROKE_COUNTERS:
+		case STROKE_COUNTERS_RESET:
+			res = counters(token->kw == STROKE_COUNTERS_RESET,
+						   argc > 2 ? argv[2] : NULL);
+			break;
 		default:
 			exit_usage(NULL);
 	}
diff --git a/src/stroke/stroke_keywords.c b/src/stroke/stroke_keywords.c
index 3f53b7fa8..084df986d 100644
--- a/src/stroke/stroke_keywords.c
+++ b/src/stroke/stroke_keywords.c
@@ -54,12 +54,12 @@ struct stroke_token {
     stroke_keyword_t kw;
 };
 
-#define TOTAL_KEYWORDS 42
+#define TOTAL_KEYWORDS 43
 #define MIN_WORD_LENGTH 2
 #define MAX_WORD_LENGTH 15
 #define MIN_HASH_VALUE 4
-#define MAX_HASH_VALUE 49
-/* maximum key range = 46, duplicates = 0 */
+#define MAX_HASH_VALUE 50
+/* maximum key range = 47, duplicates = 0 */
 
 #ifdef __GNUC__
 __inline
@@ -75,32 +75,32 @@ hash (str, len)
 {
   static const unsigned char asso_values[] =
     {
-      50, 50, 50, 50, 50, 50, 50, 50, 50, 50,
-      50, 50, 50, 50, 50, 50, 50, 50, 50, 50,
-      50, 50, 50, 50, 50, 50, 50, 50, 50, 50,
-      50, 50, 50, 50, 50, 50, 50, 50, 50, 50,
-      50, 50, 50, 50, 50, 19, 50, 50, 50, 50,
-      50, 50, 50, 50, 50, 50, 50, 50, 50, 50,
-      50, 50, 50, 50, 50, 50, 50, 50, 50, 50,
-      50, 50, 50, 50, 50, 50, 50, 50, 50, 50,
-      50, 50, 50, 50, 50, 50, 50, 50, 50, 50,
-      50, 50, 50, 50, 50, 50, 50,  1, 12,  2,
-       2, 16, 50, 14, 50, 11, 50, 16,  1,  8,
-      50, 18,  7, 50,  6, 12,  1, 11, 50, 50,
-       4,  3, 50, 50, 50, 50, 50, 50, 50, 50,
-      50, 50, 50, 50, 50, 50, 50, 50, 50, 50,
-      50, 50, 50, 50, 50, 50, 50, 50, 50, 50,
-      50, 50, 50, 50, 50, 50, 50, 50, 50, 50,
-      50, 50, 50, 50, 50, 50, 50, 50, 50, 50,
-      50, 50, 50, 50, 50, 50, 50, 50, 50, 50,
-      50, 50, 50, 50, 50, 50, 50, 50, 50, 50,
-      50, 50, 50, 50, 50, 50, 50, 50, 50, 50,
-      50, 50, 50, 50, 50, 50, 50, 50, 50, 50,
-      50, 50, 50, 50, 50, 50, 50, 50, 50, 50,
-      50, 50, 50, 50, 50, 50, 50, 50, 50, 50,
-      50, 50, 50, 50, 50, 50, 50, 50, 50, 50,
-      50, 50, 50, 50, 50, 50, 50, 50, 50, 50,
-      50, 50, 50, 50, 50, 50
+      51, 51, 51, 51, 51, 51, 51, 51, 51, 51,
+      51, 51, 51, 51, 51, 51, 51, 51, 51, 51,
+      51, 51, 51, 51, 51, 51, 51, 51, 51, 51,
+      51, 51, 51, 51, 51, 51, 51, 51, 51, 51,
+      51, 51, 51, 51, 51, 19, 51, 51, 51, 51,
+      51, 51, 51, 51, 51, 51, 51, 51, 51, 51,
+      51, 51, 51, 51, 51, 51, 51, 51, 51, 51,
+      51, 51, 51, 51, 51, 51, 51, 51, 51, 51,
+      51, 51, 51, 51, 51, 51, 51, 51, 51, 51,
+      51, 51, 51, 51, 51, 51, 51,  1, 29,  2,
+       2, 16, 51, 21, 51, 11, 51, 16,  1,  1,
+      51, 18,  7, 51,  6, 12,  6, 11, 51, 51,
+       4, 13, 51, 51, 51, 51, 51, 51, 51, 51,
+      51, 51, 51, 51, 51, 51, 51, 51, 51, 51,
+      51, 51, 51, 51, 51, 51, 51, 51, 51, 51,
+      51, 51, 51, 51, 51, 51, 51, 51, 51, 51,
+      51, 51, 51, 51, 51, 51, 51, 51, 51, 51,
+      51, 51, 51, 51, 51, 51, 51, 51, 51, 51,
+      51, 51, 51, 51, 51, 51, 51, 51, 51, 51,
+      51, 51, 51, 51, 51, 51, 51, 51, 51, 51,
+      51, 51, 51, 51, 51, 51, 51, 51, 51, 51,
+      51, 51, 51, 51, 51, 51, 51, 51, 51, 51,
+      51, 51, 51, 51, 51, 51, 51, 51, 51, 51,
+      51, 51, 51, 51, 51, 51, 51, 51, 51, 51,
+      51, 51, 51, 51, 51, 51, 51, 51, 51, 51,
+      51, 51, 51, 51, 51, 51
     };
   register int hval = len;
 
@@ -128,11 +128,10 @@ static const struct stroke_token wordlist[] =
     {"add",             STROKE_ADD},
     {"del",             STROKE_DEL},
     {"down",            STROKE_DOWN},
-    {"delete",          STROKE_DELETE},
     {"listall",         STROKE_LIST_ALL},
     {"listcrls",        STROKE_LIST_CRLS},
     {"up",              STROKE_UP},
-    {"rekey",           STROKE_REKEY},
+    {"delete",          STROKE_DELETE},
     {"listaacerts",     STROKE_LIST_AACERTS},
     {"listcacerts",     STROKE_LIST_CACERTS},
     {"rereadall",       STROKE_REREAD_ALL},
@@ -142,14 +141,14 @@ static const struct stroke_token wordlist[] =
     {"rereadaacerts",   STROKE_REREAD_AACERTS},
     {"rereadcacerts",   STROKE_REREAD_CACERTS},
     {"leases",          STROKE_LEASES},
-    {"listalgs",        STROKE_LIST_ALGS},
+    {"rekey",           STROKE_REKEY},
     {"listcainfos",     STROKE_LIST_CAINFOS},
-    {"listcounters",    STROKE_LIST_COUNTERS},
+    {"listcounters",    STROKE_COUNTERS},
     {"route",           STROKE_ROUTE},
     {"listacerts",      STROKE_LIST_ACERTS},
     {"status",          STROKE_STATUS},
     {"listplugins",     STROKE_LIST_PLUGINS},
-    {"listpubkeys",     STROKE_LIST_PUBKEYS},
+    {"listalgs",        STROKE_LIST_ALGS},
     {"rereadsecrets",   STROKE_REREAD_SECRETS},
     {"statusall",       STROKE_STATUSALL},
     {"purgeocsp",       STROKE_PURGE_OCSP},
@@ -161,20 +160,22 @@ static const struct stroke_token wordlist[] =
     {"rereadocspcerts", STROKE_REREAD_OCSPCERTS},
     {"loglevel",        STROKE_LOGLEVEL},
     {"memusage",        STROKE_MEMUSAGE},
-    {"listgroups",      STROKE_LIST_GROUPS},
+    {"resetcounters",   STROKE_COUNTERS_RESET},
     {"listocspcerts",   STROKE_LIST_OCSPCERTS},
     {"unroute",         STROKE_UNROUTE},
     {"user-creds",      STROKE_USER_CREDS},
     {"purgeike",        STROKE_PURGE_IKE},
-    {"purgecerts",      STROKE_PURGE_CERTS}
+    {"listpubkeys",     STROKE_LIST_PUBKEYS},
+    {"purgecerts",      STROKE_PURGE_CERTS},
+    {"listgroups",      STROKE_LIST_GROUPS}
   };
 
 static const short lookup[] =
   {
-    -1, -1, -1, -1,  0,  1,  2, -1, -1,  3,  4, -1,  5,  6,
-     7,  8,  9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20,
-    21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34,
-    35, 36, 37, 38, 39, 40, -1, 41
+    -1, -1, -1, -1,  0,  1,  2, -1, -1, -1,  3, -1,  4,  5,
+     6,  7,  8,  9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19,
+    20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33,
+    34, 35, 36, 37, 38, 39, 40, 41, 42
   };
 
 #ifdef __GNUC__
diff --git a/src/stroke/stroke_keywords.h b/src/stroke/stroke_keywords.h
index 0ad87b705..f5979a0e5 100644
--- a/src/stroke/stroke_keywords.h
+++ b/src/stroke/stroke_keywords.h
@@ -42,7 +42,6 @@ typedef enum {
 	STROKE_LIST_OCSP,
 	STROKE_LIST_ALGS,
 	STROKE_LIST_PLUGINS,
-	STROKE_LIST_COUNTERS,
 	STROKE_LIST_ALL,
 	STROKE_REREAD_SECRETS,
 	STROKE_REREAD_CACERTS,
@@ -59,6 +58,8 @@ typedef enum {
 	STROKE_LEASES,
 	STROKE_MEMUSAGE,
 	STROKE_USER_CREDS,
+	STROKE_COUNTERS,
+	STROKE_COUNTERS_RESET,
 } stroke_keyword_t;
 
 #define STROKE_LIST_FIRST		STROKE_LIST_PUBKEYS
@@ -71,4 +72,3 @@ typedef struct stroke_token stroke_token_t;
 extern const stroke_token_t* in_word_set(register const char *str, register unsigned int len);
 
 #endif /* _STROKE_KEYWORDS_H_ */
-
diff --git a/src/stroke/stroke_keywords.txt b/src/stroke/stroke_keywords.txt
index 95b2981d9..5d2ebd9e2 100644
--- a/src/stroke/stroke_keywords.txt
+++ b/src/stroke/stroke_keywords.txt
@@ -49,7 +49,6 @@ listcrls,        STROKE_LIST_CRLS
 listocsp,        STROKE_LIST_OCSP
 listalgs,        STROKE_LIST_ALGS
 listplugins,     STROKE_LIST_PLUGINS
-listcounters,    STROKE_LIST_COUNTERS
 listall,         STROKE_LIST_ALL
 rereadsecrets,   STROKE_REREAD_SECRETS
 rereadcacerts,   STROKE_REREAD_CACERTS
@@ -66,3 +65,5 @@ exportx509,      STROKE_EXPORT_X509
 leases,          STROKE_LEASES
 memusage,        STROKE_MEMUSAGE
 user-creds,      STROKE_USER_CREDS
+listcounters,    STROKE_COUNTERS
+resetcounters,   STROKE_COUNTERS_RESET
diff --git a/src/stroke/stroke_msg.h b/src/stroke/stroke_msg.h
index e972a5984..5cee916cd 100644
--- a/src/stroke/stroke_msg.h
+++ b/src/stroke/stroke_msg.h
@@ -67,10 +67,8 @@ enum list_flag_t {
 	LIST_ALGS =			0x0400,
 	/** list plugin information */
 	LIST_PLUGINS =		0x0800,
-	/** list IKE counters */
-	LIST_COUNTERS =		0x1000,
 	/** all list options */
-	LIST_ALL =			0x1FFF,
+	LIST_ALL =			0x0FFF,
 };
 
 typedef enum reread_flag_t reread_flag_t;
@@ -167,7 +165,8 @@ struct stroke_end_t {
 	int tohost;
 	int allow_any;
 	u_int8_t protocol;
-	u_int16_t port;
+	u_int16_t from_port;
+	u_int16_t to_port;
 };
 
 typedef struct stroke_msg_t stroke_msg_t;
@@ -225,6 +224,8 @@ struct stroke_msg_t {
 		STR_MEMUSAGE,
 		/* set username and password for a connection */
 		STR_USER_CREDS,
+		/* print/reset counters */
+		STR_COUNTERS,
 		/* more to come */
 	} type;
 
@@ -262,6 +263,7 @@ struct stroke_msg_t {
 			int close_action;
 			u_int32_t reqid;
 			u_int32_t tfc;
+			u_int8_t ikedscp;
 
 			crl_policy_t crl_policy;
 			int unique;
@@ -354,6 +356,13 @@ struct stroke_msg_t {
 			char *username;
 			char *password;
 		} user_creds;
+
+		/* data for STR_COUNTERS */
+		struct {
+			/* reset or print counters? */
+			int reset;
+			char *name;
+		} counters;
 	};
 	char buffer[STROKE_BUF_LEN];
 };
diff --git a/testing/Makefile.in b/testing/Makefile.in
index 0f7ada07d..c7b90ef58 100644
--- a/testing/Makefile.in
+++ b/testing/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.11.3 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
@@ -15,6 +15,23 @@
 
 @SET_MAKE@
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -53,6 +70,11 @@ CONFIG_CLEAN_FILES =
 CONFIG_CLEAN_VPATH_FILES =
 SOURCES =
 DIST_SOURCES =
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
@@ -67,6 +89,8 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -83,6 +107,7 @@ EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
@@ -151,8 +176,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -208,7 +231,6 @@ nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/testing/config/kernel/config-3.8 b/testing/config/kernel/config-3.8
new file mode 100644
index 000000000..bbd423ecf
--- /dev/null
+++ b/testing/config/kernel/config-3.8
@@ -0,0 +1,1863 @@
+#
+# Automatically generated file; DO NOT EDIT.
+# Linux/x86_64 3.8.1 Kernel Configuration
+#
+CONFIG_64BIT=y
+CONFIG_X86_64=y
+CONFIG_X86=y
+CONFIG_INSTRUCTION_DECODER=y
+CONFIG_OUTPUT_FORMAT="elf64-x86-64"
+CONFIG_ARCH_DEFCONFIG="arch/x86/configs/x86_64_defconfig"
+CONFIG_LOCKDEP_SUPPORT=y
+CONFIG_STACKTRACE_SUPPORT=y
+CONFIG_HAVE_LATENCYTOP_SUPPORT=y
+CONFIG_MMU=y
+CONFIG_NEED_DMA_MAP_STATE=y
+CONFIG_NEED_SG_DMA_LENGTH=y
+CONFIG_GENERIC_ISA_DMA=y
+CONFIG_GENERIC_BUG=y
+CONFIG_GENERIC_BUG_RELATIVE_POINTERS=y
+CONFIG_GENERIC_HWEIGHT=y
+CONFIG_ARCH_MAY_HAVE_PC_FDC=y
+CONFIG_RWSEM_XCHGADD_ALGORITHM=y
+CONFIG_GENERIC_CALIBRATE_DELAY=y
+CONFIG_ARCH_HAS_CPU_RELAX=y
+CONFIG_ARCH_HAS_DEFAULT_IDLE=y
+CONFIG_ARCH_HAS_CACHE_LINE_SIZE=y
+CONFIG_ARCH_HAS_CPU_AUTOPROBE=y
+CONFIG_HAVE_SETUP_PER_CPU_AREA=y
+CONFIG_NEED_PER_CPU_EMBED_FIRST_CHUNK=y
+CONFIG_NEED_PER_CPU_PAGE_FIRST_CHUNK=y
+CONFIG_ARCH_HIBERNATION_POSSIBLE=y
+CONFIG_ARCH_SUSPEND_POSSIBLE=y
+CONFIG_ZONE_DMA32=y
+CONFIG_AUDIT_ARCH=y
+CONFIG_ARCH_SUPPORTS_OPTIMIZED_INLINING=y
+CONFIG_ARCH_SUPPORTS_DEBUG_PAGEALLOC=y
+CONFIG_ARCH_HWEIGHT_CFLAGS="-fcall-saved-rdi -fcall-saved-rsi -fcall-saved-rdx -fcall-saved-rcx -fcall-saved-r8 -fcall-saved-r9 -fcall-saved-r10 -fcall-saved-r11"
+CONFIG_ARCH_SUPPORTS_UPROBES=y
+CONFIG_DEFCONFIG_LIST="/lib/modules/$UNAME_RELEASE/.config"
+CONFIG_HAVE_IRQ_WORK=y
+CONFIG_IRQ_WORK=y
+CONFIG_BUILDTIME_EXTABLE_SORT=y
+
+#
+# General setup
+#
+CONFIG_EXPERIMENTAL=y
+CONFIG_BROKEN_ON_SMP=y
+CONFIG_INIT_ENV_ARG_LIMIT=32
+CONFIG_CROSS_COMPILE=""
+CONFIG_LOCALVERSION=""
+CONFIG_LOCALVERSION_AUTO=y
+CONFIG_HAVE_KERNEL_GZIP=y
+CONFIG_HAVE_KERNEL_BZIP2=y
+CONFIG_HAVE_KERNEL_LZMA=y
+CONFIG_HAVE_KERNEL_XZ=y
+CONFIG_HAVE_KERNEL_LZO=y
+CONFIG_KERNEL_GZIP=y
+# CONFIG_KERNEL_BZIP2 is not set
+# CONFIG_KERNEL_LZMA is not set
+# CONFIG_KERNEL_XZ is not set
+# CONFIG_KERNEL_LZO is not set
+CONFIG_DEFAULT_HOSTNAME="(none)"
+CONFIG_SWAP=y
+CONFIG_SYSVIPC=y
+CONFIG_SYSVIPC_SYSCTL=y
+CONFIG_POSIX_MQUEUE=y
+CONFIG_POSIX_MQUEUE_SYSCTL=y
+# CONFIG_FHANDLE is not set
+# CONFIG_AUDIT is not set
+CONFIG_HAVE_GENERIC_HARDIRQS=y
+
+#
+# IRQ subsystem
+#
+CONFIG_GENERIC_HARDIRQS=y
+CONFIG_GENERIC_IRQ_PROBE=y
+CONFIG_GENERIC_IRQ_SHOW=y
+CONFIG_IRQ_FORCED_THREADING=y
+CONFIG_SPARSE_IRQ=y
+CONFIG_CLOCKSOURCE_WATCHDOG=y
+CONFIG_ARCH_CLOCKSOURCE_DATA=y
+CONFIG_GENERIC_TIME_VSYSCALL=y
+CONFIG_GENERIC_CLOCKEVENTS=y
+CONFIG_GENERIC_CLOCKEVENTS_BUILD=y
+CONFIG_GENERIC_CLOCKEVENTS_BROADCAST=y
+CONFIG_GENERIC_CLOCKEVENTS_MIN_ADJUST=y
+CONFIG_GENERIC_CMOS_UPDATE=y
+
+#
+# Timers subsystem
+#
+CONFIG_TICK_ONESHOT=y
+CONFIG_NO_HZ=y
+CONFIG_HIGH_RES_TIMERS=y
+
+#
+# CPU/Task time and stats accounting
+#
+CONFIG_TICK_CPU_ACCOUNTING=y
+# CONFIG_IRQ_TIME_ACCOUNTING is not set
+CONFIG_BSD_PROCESS_ACCT=y
+# CONFIG_BSD_PROCESS_ACCT_V3 is not set
+# CONFIG_TASKSTATS is not set
+
+#
+# RCU Subsystem
+#
+CONFIG_TINY_RCU=y
+# CONFIG_PREEMPT_RCU is not set
+# CONFIG_TREE_RCU_TRACE is not set
+CONFIG_IKCONFIG=y
+CONFIG_IKCONFIG_PROC=y
+CONFIG_LOG_BUF_SHIFT=14
+CONFIG_HAVE_UNSTABLE_SCHED_CLOCK=y
+CONFIG_ARCH_SUPPORTS_NUMA_BALANCING=y
+CONFIG_ARCH_WANTS_PROT_NUMA_PROT_NONE=y
+# CONFIG_CGROUPS is not set
+# CONFIG_CHECKPOINT_RESTORE is not set
+CONFIG_NAMESPACES=y
+# CONFIG_UTS_NS is not set
+# CONFIG_IPC_NS is not set
+# CONFIG_PID_NS is not set
+# CONFIG_NET_NS is not set
+# CONFIG_SCHED_AUTOGROUP is not set
+# CONFIG_SYSFS_DEPRECATED is not set
+# CONFIG_RELAY is not set
+# CONFIG_BLK_DEV_INITRD is not set
+CONFIG_CC_OPTIMIZE_FOR_SIZE=y
+CONFIG_SYSCTL=y
+CONFIG_ANON_INODES=y
+# CONFIG_EXPERT is not set
+# CONFIG_SYSCTL_SYSCALL is not set
+CONFIG_SYSCTL_EXCEPTION_TRACE=y
+CONFIG_KALLSYMS=y
+# CONFIG_KALLSYMS_ALL is not set
+CONFIG_HOTPLUG=y
+CONFIG_PRINTK=y
+CONFIG_BUG=y
+CONFIG_ELF_CORE=y
+CONFIG_PCSPKR_PLATFORM=y
+CONFIG_HAVE_PCSPKR_PLATFORM=y
+CONFIG_BASE_FULL=y
+CONFIG_FUTEX=y
+CONFIG_EPOLL=y
+CONFIG_SIGNALFD=y
+CONFIG_TIMERFD=y
+CONFIG_EVENTFD=y
+CONFIG_SHMEM=y
+CONFIG_AIO=y
+# CONFIG_EMBEDDED is not set
+CONFIG_HAVE_PERF_EVENTS=y
+
+#
+# Kernel Performance Events And Counters
+#
+CONFIG_PERF_EVENTS=y
+# CONFIG_DEBUG_PERF_USE_VMALLOC is not set
+CONFIG_VM_EVENT_COUNTERS=y
+CONFIG_PCI_QUIRKS=y
+CONFIG_COMPAT_BRK=y
+CONFIG_SLAB=y
+# CONFIG_SLUB is not set
+# CONFIG_PROFILING is not set
+CONFIG_HAVE_OPROFILE=y
+CONFIG_OPROFILE_NMI_TIMER=y
+# CONFIG_JUMP_LABEL is not set
+CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS=y
+CONFIG_HAVE_IOREMAP_PROT=y
+CONFIG_HAVE_KPROBES=y
+CONFIG_HAVE_KRETPROBES=y
+CONFIG_HAVE_OPTPROBES=y
+CONFIG_HAVE_ARCH_TRACEHOOK=y
+CONFIG_HAVE_DMA_ATTRS=y
+CONFIG_GENERIC_SMP_IDLE_THREAD=y
+CONFIG_HAVE_REGS_AND_STACK_ACCESS_API=y
+CONFIG_HAVE_DMA_API_DEBUG=y
+CONFIG_HAVE_HW_BREAKPOINT=y
+CONFIG_HAVE_MIXED_BREAKPOINTS_REGS=y
+CONFIG_HAVE_USER_RETURN_NOTIFIER=y
+CONFIG_HAVE_PERF_EVENTS_NMI=y
+CONFIG_HAVE_PERF_REGS=y
+CONFIG_HAVE_PERF_USER_STACK_DUMP=y
+CONFIG_HAVE_ARCH_JUMP_LABEL=y
+CONFIG_ARCH_HAVE_NMI_SAFE_CMPXCHG=y
+CONFIG_HAVE_CMPXCHG_LOCAL=y
+CONFIG_HAVE_CMPXCHG_DOUBLE=y
+CONFIG_HAVE_ARCH_SECCOMP_FILTER=y
+CONFIG_SECCOMP_FILTER=y
+CONFIG_HAVE_CONTEXT_TRACKING=y
+CONFIG_HAVE_IRQ_TIME_ACCOUNTING=y
+CONFIG_HAVE_ARCH_TRANSPARENT_HUGEPAGE=y
+CONFIG_MODULES_USE_ELF_RELA=y
+CONFIG_GENERIC_SIGALTSTACK=y
+
+#
+# GCOV-based kernel profiling
+#
+# CONFIG_HAVE_GENERIC_DMA_COHERENT is not set
+CONFIG_SLABINFO=y
+CONFIG_RT_MUTEXES=y
+CONFIG_BASE_SMALL=0
+# CONFIG_MODULES is not set
+CONFIG_BLOCK=y
+# CONFIG_BLK_DEV_BSG is not set
+# CONFIG_BLK_DEV_BSGLIB is not set
+# CONFIG_BLK_DEV_INTEGRITY is not set
+
+#
+# Partition Types
+#
+# CONFIG_PARTITION_ADVANCED is not set
+CONFIG_MSDOS_PARTITION=y
+CONFIG_EFI_PARTITION=y
+
+#
+# IO Schedulers
+#
+CONFIG_IOSCHED_NOOP=y
+CONFIG_IOSCHED_DEADLINE=y
+CONFIG_IOSCHED_CFQ=y
+# CONFIG_DEFAULT_DEADLINE is not set
+CONFIG_DEFAULT_CFQ=y
+# CONFIG_DEFAULT_NOOP is not set
+CONFIG_DEFAULT_IOSCHED="cfq"
+CONFIG_INLINE_SPIN_UNLOCK_IRQ=y
+CONFIG_INLINE_READ_UNLOCK=y
+CONFIG_INLINE_READ_UNLOCK_IRQ=y
+CONFIG_INLINE_WRITE_UNLOCK=y
+CONFIG_INLINE_WRITE_UNLOCK_IRQ=y
+CONFIG_FREEZER=y
+
+#
+# Processor type and features
+#
+CONFIG_ZONE_DMA=y
+# CONFIG_SMP is not set
+CONFIG_X86_MPPARSE=y
+CONFIG_X86_EXTENDED_PLATFORM=y
+CONFIG_SCHED_OMIT_FRAME_POINTER=y
+CONFIG_PARAVIRT_GUEST=y
+# CONFIG_PARAVIRT_TIME_ACCOUNTING is not set
+# CONFIG_XEN is not set
+# CONFIG_XEN_PRIVILEGED_GUEST is not set
+CONFIG_KVM_GUEST=y
+CONFIG_PARAVIRT=y
+CONFIG_PARAVIRT_CLOCK=y
+# CONFIG_PARAVIRT_DEBUG is not set
+CONFIG_NO_BOOTMEM=y
+# CONFIG_MEMTEST is not set
+# CONFIG_MK8 is not set
+# CONFIG_MPSC is not set
+CONFIG_MCORE2=y
+# CONFIG_MATOM is not set
+# CONFIG_GENERIC_CPU is not set
+CONFIG_X86_INTERNODE_CACHE_SHIFT=6
+CONFIG_X86_L1_CACHE_SHIFT=6
+CONFIG_X86_INTEL_USERCOPY=y
+CONFIG_X86_USE_PPRO_CHECKSUM=y
+CONFIG_X86_P6_NOP=y
+CONFIG_X86_TSC=y
+CONFIG_X86_CMPXCHG64=y
+CONFIG_X86_CMOV=y
+CONFIG_X86_MINIMUM_CPU_FAMILY=64
+CONFIG_X86_DEBUGCTLMSR=y
+CONFIG_CPU_SUP_INTEL=y
+CONFIG_CPU_SUP_AMD=y
+CONFIG_CPU_SUP_CENTAUR=y
+CONFIG_HPET_TIMER=y
+CONFIG_DMI=y
+CONFIG_GART_IOMMU=y
+# CONFIG_CALGARY_IOMMU is not set
+CONFIG_SWIOTLB=y
+CONFIG_IOMMU_HELPER=y
+CONFIG_NR_CPUS=1
+CONFIG_PREEMPT_NONE=y
+# CONFIG_PREEMPT_VOLUNTARY is not set
+# CONFIG_PREEMPT is not set
+CONFIG_X86_LOCAL_APIC=y
+CONFIG_X86_IO_APIC=y
+# CONFIG_X86_REROUTE_FOR_BROKEN_BOOT_IRQS is not set
+# CONFIG_X86_MCE is not set
+# CONFIG_I8K is not set
+# CONFIG_MICROCODE is not set
+# CONFIG_X86_MSR is not set
+# CONFIG_X86_CPUID is not set
+CONFIG_ARCH_PHYS_ADDR_T_64BIT=y
+CONFIG_ARCH_DMA_ADDR_T_64BIT=y
+CONFIG_DIRECT_GBPAGES=y
+CONFIG_ARCH_SPARSEMEM_ENABLE=y
+CONFIG_ARCH_SPARSEMEM_DEFAULT=y
+CONFIG_ARCH_SELECT_MEMORY_MODEL=y
+CONFIG_ARCH_MEMORY_PROBE=y
+CONFIG_ARCH_PROC_KCORE_TEXT=y
+CONFIG_ILLEGAL_POINTER_VALUE=0xdead000000000000
+CONFIG_SELECT_MEMORY_MODEL=y
+CONFIG_SPARSEMEM_MANUAL=y
+CONFIG_SPARSEMEM=y
+CONFIG_HAVE_MEMORY_PRESENT=y
+CONFIG_SPARSEMEM_EXTREME=y
+CONFIG_SPARSEMEM_VMEMMAP_ENABLE=y
+CONFIG_SPARSEMEM_ALLOC_MEM_MAP_TOGETHER=y
+CONFIG_SPARSEMEM_VMEMMAP=y
+CONFIG_HAVE_MEMBLOCK=y
+CONFIG_HAVE_MEMBLOCK_NODE_MAP=y
+CONFIG_ARCH_DISCARD_MEMBLOCK=y
+CONFIG_MEMORY_ISOLATION=y
+CONFIG_MEMORY_HOTPLUG=y
+CONFIG_MEMORY_HOTPLUG_SPARSE=y
+CONFIG_MEMORY_HOTREMOVE=y
+CONFIG_PAGEFLAGS_EXTENDED=y
+CONFIG_SPLIT_PTLOCK_CPUS=4
+# CONFIG_COMPACTION is not set
+CONFIG_MIGRATION=y
+CONFIG_PHYS_ADDR_T_64BIT=y
+CONFIG_ZONE_DMA_FLAG=1
+CONFIG_BOUNCE=y
+CONFIG_VIRT_TO_BUS=y
+# CONFIG_KSM is not set
+CONFIG_DEFAULT_MMAP_MIN_ADDR=4096
+# CONFIG_TRANSPARENT_HUGEPAGE is not set
+CONFIG_CROSS_MEMORY_ATTACH=y
+CONFIG_NEED_PER_CPU_KM=y
+# CONFIG_CLEANCACHE is not set
+# CONFIG_FRONTSWAP is not set
+# CONFIG_X86_CHECK_BIOS_CORRUPTION is not set
+CONFIG_X86_RESERVE_LOW=64
+CONFIG_MTRR=y
+CONFIG_MTRR_SANITIZER=y
+CONFIG_MTRR_SANITIZER_ENABLE_DEFAULT=0
+CONFIG_MTRR_SANITIZER_SPARE_REG_NR_DEFAULT=1
+CONFIG_X86_PAT=y
+CONFIG_ARCH_USES_PG_UNCACHED=y
+CONFIG_ARCH_RANDOM=y
+CONFIG_X86_SMAP=y
+# CONFIG_EFI is not set
+CONFIG_SECCOMP=y
+# CONFIG_CC_STACKPROTECTOR is not set
+# CONFIG_HZ_100 is not set
+CONFIG_HZ_250=y
+# CONFIG_HZ_300 is not set
+# CONFIG_HZ_1000 is not set
+CONFIG_HZ=250
+CONFIG_SCHED_HRTICK=y
+# CONFIG_KEXEC is not set
+# CONFIG_CRASH_DUMP is not set
+CONFIG_PHYSICAL_START=0x1000000
+CONFIG_RELOCATABLE=y
+CONFIG_PHYSICAL_ALIGN=0x1000000
+# CONFIG_CMDLINE_BOOL is not set
+CONFIG_ARCH_ENABLE_MEMORY_HOTPLUG=y
+CONFIG_ARCH_ENABLE_MEMORY_HOTREMOVE=y
+
+#
+# Power management and ACPI options
+#
+CONFIG_SUSPEND=y
+CONFIG_SUSPEND_FREEZER=y
+# CONFIG_HIBERNATION is not set
+CONFIG_PM_SLEEP=y
+# CONFIG_PM_AUTOSLEEP is not set
+# CONFIG_PM_WAKELOCKS is not set
+# CONFIG_PM_RUNTIME is not set
+CONFIG_PM=y
+# CONFIG_PM_DEBUG is not set
+CONFIG_ACPI=y
+CONFIG_ACPI_SLEEP=y
+# CONFIG_ACPI_PROCFS is not set
+# CONFIG_ACPI_PROCFS_POWER is not set
+# CONFIG_ACPI_EC_DEBUGFS is not set
+CONFIG_ACPI_PROC_EVENT=y
+CONFIG_ACPI_AC=y
+CONFIG_ACPI_BATTERY=y
+CONFIG_ACPI_BUTTON=y
+CONFIG_ACPI_FAN=y
+# CONFIG_ACPI_DOCK is not set
+CONFIG_ACPI_PROCESSOR=y
+# CONFIG_ACPI_PROCESSOR_AGGREGATOR is not set
+CONFIG_ACPI_THERMAL=y
+# CONFIG_ACPI_CUSTOM_DSDT is not set
+# CONFIG_ACPI_INITRD_TABLE_OVERRIDE is not set
+CONFIG_ACPI_BLACKLIST_YEAR=0
+# CONFIG_ACPI_DEBUG is not set
+# CONFIG_ACPI_PCI_SLOT is not set
+CONFIG_X86_PM_TIMER=y
+# CONFIG_ACPI_CONTAINER is not set
+# CONFIG_ACPI_HOTPLUG_MEMORY is not set
+# CONFIG_ACPI_SBS is not set
+# CONFIG_ACPI_HED is not set
+# CONFIG_ACPI_APEI is not set
+# CONFIG_SFI is not set
+
+#
+# CPU Frequency scaling
+#
+# CONFIG_CPU_FREQ is not set
+CONFIG_CPU_IDLE=y
+# CONFIG_CPU_IDLE_MULTIPLE_DRIVERS is not set
+CONFIG_CPU_IDLE_GOV_LADDER=y
+CONFIG_CPU_IDLE_GOV_MENU=y
+# CONFIG_ARCH_NEEDS_CPU_IDLE_COUPLED is not set
+# CONFIG_INTEL_IDLE is not set
+
+#
+# Memory power savings
+#
+# CONFIG_I7300_IDLE is not set
+
+#
+# Bus options (PCI etc.)
+#
+CONFIG_PCI=y
+CONFIG_PCI_DIRECT=y
+# CONFIG_PCI_MMCONFIG is not set
+CONFIG_PCI_DOMAINS=y
+# CONFIG_PCIEPORTBUS is not set
+CONFIG_ARCH_SUPPORTS_MSI=y
+CONFIG_PCI_MSI=y
+# CONFIG_PCI_DEBUG is not set
+# CONFIG_PCI_REALLOC_ENABLE_AUTO is not set
+# CONFIG_PCI_STUB is not set
+CONFIG_HT_IRQ=y
+# CONFIG_PCI_IOV is not set
+# CONFIG_PCI_PRI is not set
+# CONFIG_PCI_PASID is not set
+# CONFIG_PCI_IOAPIC is not set
+CONFIG_PCI_LABEL=y
+CONFIG_ISA_DMA_API=y
+CONFIG_AMD_NB=y
+# CONFIG_PCCARD is not set
+# CONFIG_HOTPLUG_PCI is not set
+# CONFIG_RAPIDIO is not set
+
+#
+# Executable file formats / Emulations
+#
+CONFIG_BINFMT_ELF=y
+CONFIG_ARCH_BINFMT_ELF_RANDOMIZE_PIE=y
+# CONFIG_CORE_DUMP_DEFAULT_ELF_HEADERS is not set
+# CONFIG_HAVE_AOUT is not set
+# CONFIG_BINFMT_MISC is not set
+CONFIG_COREDUMP=y
+# CONFIG_IA32_EMULATION is not set
+CONFIG_HAVE_TEXT_POKE_SMP=y
+CONFIG_X86_DEV_DMA_OPS=y
+CONFIG_NET=y
+
+#
+# Networking options
+#
+CONFIG_PACKET=y
+# CONFIG_PACKET_DIAG is not set
+CONFIG_UNIX=y
+# CONFIG_UNIX_DIAG is not set
+CONFIG_XFRM=y
+CONFIG_XFRM_ALGO=y
+CONFIG_XFRM_USER=y
+CONFIG_XFRM_SUB_POLICY=y
+CONFIG_XFRM_MIGRATE=y
+CONFIG_XFRM_STATISTICS=y
+CONFIG_XFRM_IPCOMP=y
+CONFIG_NET_KEY=y
+CONFIG_NET_KEY_MIGRATE=y
+CONFIG_INET=y
+# CONFIG_IP_MULTICAST is not set
+CONFIG_IP_ADVANCED_ROUTER=y
+# CONFIG_IP_FIB_TRIE_STATS is not set
+CONFIG_IP_MULTIPLE_TABLES=y
+# CONFIG_IP_ROUTE_MULTIPATH is not set
+# CONFIG_IP_ROUTE_VERBOSE is not set
+CONFIG_IP_ROUTE_CLASSID=y
+# CONFIG_IP_PNP is not set
+# CONFIG_NET_IPIP is not set
+# CONFIG_NET_IPGRE_DEMUX is not set
+# CONFIG_ARPD is not set
+# CONFIG_SYN_COOKIES is not set
+# CONFIG_NET_IPVTI is not set
+CONFIG_INET_AH=y
+CONFIG_INET_ESP=y
+CONFIG_INET_IPCOMP=y
+CONFIG_INET_XFRM_TUNNEL=y
+CONFIG_INET_TUNNEL=y
+CONFIG_INET_XFRM_MODE_TRANSPORT=y
+CONFIG_INET_XFRM_MODE_TUNNEL=y
+CONFIG_INET_XFRM_MODE_BEET=y
+# CONFIG_INET_LRO is not set
+CONFIG_INET_DIAG=y
+CONFIG_INET_TCP_DIAG=y
+# CONFIG_INET_UDP_DIAG is not set
+# CONFIG_TCP_CONG_ADVANCED is not set
+CONFIG_TCP_CONG_CUBIC=y
+CONFIG_DEFAULT_TCP_CONG="cubic"
+# CONFIG_TCP_MD5SIG is not set
+CONFIG_IPV6=y
+# CONFIG_IPV6_PRIVACY is not set
+# CONFIG_IPV6_ROUTER_PREF is not set
+CONFIG_IPV6_OPTIMISTIC_DAD=y
+CONFIG_INET6_AH=y
+CONFIG_INET6_ESP=y
+CONFIG_INET6_IPCOMP=y
+CONFIG_IPV6_MIP6=y
+CONFIG_INET6_XFRM_TUNNEL=y
+CONFIG_INET6_TUNNEL=y
+CONFIG_INET6_XFRM_MODE_TRANSPORT=y
+CONFIG_INET6_XFRM_MODE_TUNNEL=y
+CONFIG_INET6_XFRM_MODE_BEET=y
+# CONFIG_INET6_XFRM_MODE_ROUTEOPTIMIZATION is not set
+# CONFIG_IPV6_SIT is not set
+CONFIG_IPV6_TUNNEL=y
+CONFIG_IPV6_GRE=y
+CONFIG_IPV6_MULTIPLE_TABLES=y
+CONFIG_IPV6_SUBTREES=y
+# CONFIG_IPV6_MROUTE is not set
+# CONFIG_NETWORK_SECMARK is not set
+# CONFIG_NETWORK_PHY_TIMESTAMPING is not set
+CONFIG_NETFILTER=y
+# CONFIG_NETFILTER_DEBUG is not set
+CONFIG_NETFILTER_ADVANCED=y
+
+#
+# Core Netfilter Configuration
+#
+CONFIG_NETFILTER_NETLINK=y
+# CONFIG_NETFILTER_NETLINK_ACCT is not set
+CONFIG_NETFILTER_NETLINK_QUEUE=y
+CONFIG_NETFILTER_NETLINK_LOG=y
+CONFIG_NF_CONNTRACK=y
+CONFIG_NF_CONNTRACK_MARK=y
+# CONFIG_NF_CONNTRACK_ZONES is not set
+CONFIG_NF_CONNTRACK_PROCFS=y
+CONFIG_NF_CONNTRACK_EVENTS=y
+# CONFIG_NF_CONNTRACK_TIMEOUT is not set
+# CONFIG_NF_CONNTRACK_TIMESTAMP is not set
+# CONFIG_NF_CT_PROTO_DCCP is not set
+# CONFIG_NF_CT_PROTO_SCTP is not set
+CONFIG_NF_CT_PROTO_UDPLITE=y
+# CONFIG_NF_CONNTRACK_AMANDA is not set
+# CONFIG_NF_CONNTRACK_FTP is not set
+# CONFIG_NF_CONNTRACK_H323 is not set
+# CONFIG_NF_CONNTRACK_IRC is not set
+# CONFIG_NF_CONNTRACK_NETBIOS_NS is not set
+# CONFIG_NF_CONNTRACK_SNMP is not set
+# CONFIG_NF_CONNTRACK_PPTP is not set
+CONFIG_NF_CONNTRACK_SANE=y
+# CONFIG_NF_CONNTRACK_SIP is not set
+# CONFIG_NF_CONNTRACK_TFTP is not set
+CONFIG_NF_CT_NETLINK=y
+# CONFIG_NF_CT_NETLINK_TIMEOUT is not set
+# CONFIG_NETFILTER_NETLINK_QUEUE_CT is not set
+CONFIG_NF_NAT=y
+CONFIG_NF_NAT_NEEDED=y
+CONFIG_NF_NAT_PROTO_UDPLITE=y
+# CONFIG_NF_NAT_AMANDA is not set
+# CONFIG_NF_NAT_FTP is not set
+# CONFIG_NF_NAT_IRC is not set
+# CONFIG_NF_NAT_SIP is not set
+# CONFIG_NF_NAT_TFTP is not set
+# CONFIG_NETFILTER_TPROXY is not set
+CONFIG_NETFILTER_XTABLES=y
+
+#
+# Xtables combined modules
+#
+CONFIG_NETFILTER_XT_MARK=y
+CONFIG_NETFILTER_XT_CONNMARK=y
+CONFIG_NETFILTER_XT_SET=y
+
+#
+# Xtables targets
+#
+# CONFIG_NETFILTER_XT_TARGET_CHECKSUM is not set
+CONFIG_NETFILTER_XT_TARGET_CLASSIFY=y
+CONFIG_NETFILTER_XT_TARGET_CONNMARK=y
+CONFIG_NETFILTER_XT_TARGET_CT=y
+CONFIG_NETFILTER_XT_TARGET_DSCP=y
+CONFIG_NETFILTER_XT_TARGET_HL=y
+# CONFIG_NETFILTER_XT_TARGET_HMARK is not set
+# CONFIG_NETFILTER_XT_TARGET_IDLETIMER is not set
+CONFIG_NETFILTER_XT_TARGET_LOG=y
+CONFIG_NETFILTER_XT_TARGET_MARK=y
+CONFIG_NETFILTER_XT_TARGET_NETMAP=y
+CONFIG_NETFILTER_XT_TARGET_NFLOG=y
+CONFIG_NETFILTER_XT_TARGET_NFQUEUE=y
+CONFIG_NETFILTER_XT_TARGET_NOTRACK=y
+# CONFIG_NETFILTER_XT_TARGET_RATEEST is not set
+CONFIG_NETFILTER_XT_TARGET_REDIRECT=y
+# CONFIG_NETFILTER_XT_TARGET_TEE is not set
+CONFIG_NETFILTER_XT_TARGET_TRACE=y
+CONFIG_NETFILTER_XT_TARGET_TCPMSS=y
+# CONFIG_NETFILTER_XT_TARGET_TCPOPTSTRIP is not set
+
+#
+# Xtables matches
+#
+CONFIG_NETFILTER_XT_MATCH_ADDRTYPE=y
+CONFIG_NETFILTER_XT_MATCH_CLUSTER=y
+CONFIG_NETFILTER_XT_MATCH_COMMENT=y
+CONFIG_NETFILTER_XT_MATCH_CONNBYTES=y
+CONFIG_NETFILTER_XT_MATCH_CONNLIMIT=y
+CONFIG_NETFILTER_XT_MATCH_CONNMARK=y
+CONFIG_NETFILTER_XT_MATCH_CONNTRACK=y
+# CONFIG_NETFILTER_XT_MATCH_CPU is not set
+CONFIG_NETFILTER_XT_MATCH_DCCP=y
+CONFIG_NETFILTER_XT_MATCH_DEVGROUP=y
+CONFIG_NETFILTER_XT_MATCH_DSCP=y
+CONFIG_NETFILTER_XT_MATCH_ECN=y
+CONFIG_NETFILTER_XT_MATCH_ESP=y
+CONFIG_NETFILTER_XT_MATCH_HASHLIMIT=y
+CONFIG_NETFILTER_XT_MATCH_HELPER=y
+CONFIG_NETFILTER_XT_MATCH_HL=y
+# CONFIG_NETFILTER_XT_MATCH_IPRANGE is not set
+CONFIG_NETFILTER_XT_MATCH_LENGTH=y
+CONFIG_NETFILTER_XT_MATCH_LIMIT=y
+CONFIG_NETFILTER_XT_MATCH_MAC=y
+CONFIG_NETFILTER_XT_MATCH_MARK=y
+CONFIG_NETFILTER_XT_MATCH_MULTIPORT=y
+# CONFIG_NETFILTER_XT_MATCH_NFACCT is not set
+# CONFIG_NETFILTER_XT_MATCH_OSF is not set
+# CONFIG_NETFILTER_XT_MATCH_OWNER is not set
+CONFIG_NETFILTER_XT_MATCH_POLICY=y
+CONFIG_NETFILTER_XT_MATCH_PKTTYPE=y
+CONFIG_NETFILTER_XT_MATCH_QUOTA=y
+# CONFIG_NETFILTER_XT_MATCH_RATEEST is not set
+CONFIG_NETFILTER_XT_MATCH_REALM=y
+# CONFIG_NETFILTER_XT_MATCH_RECENT is not set
+CONFIG_NETFILTER_XT_MATCH_SCTP=y
+CONFIG_NETFILTER_XT_MATCH_STATE=y
+CONFIG_NETFILTER_XT_MATCH_STATISTIC=y
+CONFIG_NETFILTER_XT_MATCH_STRING=y
+CONFIG_NETFILTER_XT_MATCH_TCPMSS=y
+# CONFIG_NETFILTER_XT_MATCH_TIME is not set
+CONFIG_NETFILTER_XT_MATCH_U32=y
+CONFIG_IP_SET=y
+CONFIG_IP_SET_MAX=256
+CONFIG_IP_SET_BITMAP_IP=y
+CONFIG_IP_SET_BITMAP_IPMAC=y
+CONFIG_IP_SET_BITMAP_PORT=y
+CONFIG_IP_SET_HASH_IP=y
+CONFIG_IP_SET_HASH_IPPORT=y
+CONFIG_IP_SET_HASH_IPPORTIP=y
+CONFIG_IP_SET_HASH_IPPORTNET=y
+CONFIG_IP_SET_HASH_NET=y
+CONFIG_IP_SET_HASH_NETPORT=y
+# CONFIG_IP_SET_HASH_NETIFACE is not set
+CONFIG_IP_SET_LIST_SET=y
+# CONFIG_IP_VS is not set
+
+#
+# IP: Netfilter Configuration
+#
+CONFIG_NF_DEFRAG_IPV4=y
+CONFIG_NF_CONNTRACK_IPV4=y
+CONFIG_NF_CONNTRACK_PROC_COMPAT=y
+CONFIG_IP_NF_QUEUE=y
+CONFIG_IP_NF_IPTABLES=y
+CONFIG_IP_NF_MATCH_AH=y
+CONFIG_IP_NF_MATCH_ECN=y
+# CONFIG_IP_NF_MATCH_RPFILTER is not set
+CONFIG_IP_NF_MATCH_TTL=y
+CONFIG_IP_NF_FILTER=y
+CONFIG_IP_NF_TARGET_REJECT=y
+CONFIG_IP_NF_TARGET_ULOG=y
+CONFIG_NF_NAT_IPV4=y
+CONFIG_IP_NF_TARGET_MASQUERADE=y
+CONFIG_IP_NF_TARGET_NETMAP=y
+CONFIG_IP_NF_TARGET_REDIRECT=y
+# CONFIG_NF_NAT_PPTP is not set
+# CONFIG_NF_NAT_H323 is not set
+CONFIG_IP_NF_MANGLE=y
+CONFIG_IP_NF_TARGET_CLUSTERIP=y
+CONFIG_IP_NF_TARGET_ECN=y
+CONFIG_IP_NF_TARGET_TTL=y
+CONFIG_IP_NF_RAW=y
+CONFIG_IP_NF_ARPTABLES=y
+CONFIG_IP_NF_ARPFILTER=y
+CONFIG_IP_NF_ARP_MANGLE=y
+
+#
+# IPv6: Netfilter Configuration
+#
+CONFIG_NF_DEFRAG_IPV6=y
+CONFIG_NF_CONNTRACK_IPV6=y
+CONFIG_IP6_NF_IPTABLES=y
+CONFIG_IP6_NF_MATCH_AH=y
+CONFIG_IP6_NF_MATCH_EUI64=y
+CONFIG_IP6_NF_MATCH_FRAG=y
+CONFIG_IP6_NF_MATCH_OPTS=y
+CONFIG_IP6_NF_MATCH_HL=y
+CONFIG_IP6_NF_MATCH_IPV6HEADER=y
+CONFIG_IP6_NF_MATCH_MH=y
+# CONFIG_IP6_NF_MATCH_RPFILTER is not set
+CONFIG_IP6_NF_MATCH_RT=y
+CONFIG_IP6_NF_TARGET_HL=y
+CONFIG_IP6_NF_FILTER=y
+CONFIG_IP6_NF_TARGET_REJECT=y
+CONFIG_IP6_NF_MANGLE=y
+CONFIG_IP6_NF_RAW=y
+CONFIG_NF_NAT_IPV6=y
+CONFIG_IP6_NF_TARGET_MASQUERADE=y
+CONFIG_IP6_NF_TARGET_NPT=y
+# CONFIG_IP_DCCP is not set
+# CONFIG_IP_SCTP is not set
+# CONFIG_RDS is not set
+# CONFIG_TIPC is not set
+# CONFIG_ATM is not set
+CONFIG_L2TP=y
+# CONFIG_L2TP_V3 is not set
+# CONFIG_BRIDGE is not set
+CONFIG_HAVE_NET_DSA=y
+# CONFIG_VLAN_8021Q is not set
+# CONFIG_DECNET is not set
+# CONFIG_LLC2 is not set
+# CONFIG_IPX is not set
+# CONFIG_ATALK is not set
+# CONFIG_X25 is not set
+# CONFIG_LAPB is not set
+# CONFIG_WAN_ROUTER is not set
+# CONFIG_PHONET is not set
+# CONFIG_IEEE802154 is not set
+# CONFIG_NET_SCHED is not set
+# CONFIG_DCB is not set
+# CONFIG_BATMAN_ADV is not set
+# CONFIG_OPENVSWITCH is not set
+CONFIG_BQL=y
+
+#
+# Network testing
+#
+# CONFIG_NET_PKTGEN is not set
+# CONFIG_HAMRADIO is not set
+# CONFIG_CAN is not set
+# CONFIG_IRDA is not set
+# CONFIG_BT is not set
+# CONFIG_AF_RXRPC is not set
+CONFIG_FIB_RULES=y
+CONFIG_WIRELESS=y
+# CONFIG_CFG80211 is not set
+# CONFIG_LIB80211 is not set
+
+#
+# CFG80211 needs to be enabled for MAC80211
+#
+# CONFIG_WIMAX is not set
+# CONFIG_RFKILL is not set
+CONFIG_NET_9P=y
+CONFIG_NET_9P_VIRTIO=y
+# CONFIG_NET_9P_DEBUG is not set
+# CONFIG_CAIF is not set
+# CONFIG_CEPH_LIB is not set
+# CONFIG_NFC is not set
+CONFIG_HAVE_BPF_JIT=y
+
+#
+# Device Drivers
+#
+
+#
+# Generic Driver Options
+#
+CONFIG_UEVENT_HELPER_PATH="/sbin/hotplug"
+# CONFIG_DEVTMPFS is not set
+CONFIG_STANDALONE=y
+CONFIG_PREVENT_FIRMWARE_BUILD=y
+CONFIG_FW_LOADER=y
+CONFIG_FIRMWARE_IN_KERNEL=y
+CONFIG_EXTRA_FIRMWARE=""
+# CONFIG_DEBUG_DRIVER is not set
+# CONFIG_DEBUG_DEVRES is not set
+# CONFIG_SYS_HYPERVISOR is not set
+# CONFIG_GENERIC_CPU_DEVICES is not set
+# CONFIG_DMA_SHARED_BUFFER is not set
+
+#
+# Bus devices
+#
+# CONFIG_CONNECTOR is not set
+# CONFIG_MTD is not set
+# CONFIG_PARPORT is not set
+CONFIG_PNP=y
+CONFIG_PNP_DEBUG_MESSAGES=y
+
+#
+# Protocols
+#
+CONFIG_PNPACPI=y
+CONFIG_BLK_DEV=y
+# CONFIG_BLK_DEV_FD is not set
+# CONFIG_BLK_DEV_PCIESSD_MTIP32XX is not set
+# CONFIG_BLK_CPQ_DA is not set
+# CONFIG_BLK_CPQ_CISS_DA is not set
+# CONFIG_BLK_DEV_DAC960 is not set
+# CONFIG_BLK_DEV_UMEM is not set
+# CONFIG_BLK_DEV_COW_COMMON is not set
+CONFIG_BLK_DEV_LOOP=y
+CONFIG_BLK_DEV_LOOP_MIN_COUNT=8
+# CONFIG_BLK_DEV_CRYPTOLOOP is not set
+# CONFIG_BLK_DEV_DRBD is not set
+CONFIG_BLK_DEV_NBD=y
+# CONFIG_BLK_DEV_NVME is not set
+# CONFIG_BLK_DEV_SX8 is not set
+# CONFIG_BLK_DEV_RAM is not set
+# CONFIG_CDROM_PKTCDVD is not set
+# CONFIG_ATA_OVER_ETH is not set
+CONFIG_VIRTIO_BLK=y
+# CONFIG_BLK_DEV_HD is not set
+# CONFIG_BLK_DEV_RBD is not set
+
+#
+# Misc devices
+#
+# CONFIG_SENSORS_LIS3LV02D is not set
+# CONFIG_IBM_ASM is not set
+# CONFIG_PHANTOM is not set
+# CONFIG_INTEL_MID_PTI is not set
+# CONFIG_SGI_IOC4 is not set
+# CONFIG_TIFM_CORE is not set
+# CONFIG_ENCLOSURE_SERVICES is not set
+# CONFIG_HP_ILO is not set
+# CONFIG_VMWARE_BALLOON is not set
+# CONFIG_PCH_PHUB is not set
+# CONFIG_C2PORT is not set
+
+#
+# EEPROM support
+#
+# CONFIG_EEPROM_93CX6 is not set
+# CONFIG_CB710_CORE is not set
+
+#
+# Texas Instruments shared transport line discipline
+#
+
+#
+# Altera FPGA firmware download module
+#
+CONFIG_HAVE_IDE=y
+# CONFIG_IDE is not set
+
+#
+# SCSI device support
+#
+CONFIG_SCSI_MOD=y
+# CONFIG_RAID_ATTRS is not set
+# CONFIG_SCSI is not set
+# CONFIG_SCSI_DMA is not set
+# CONFIG_SCSI_NETLINK is not set
+# CONFIG_ATA is not set
+# CONFIG_MD is not set
+# CONFIG_FUSION is not set
+
+#
+# IEEE 1394 (FireWire) support
+#
+# CONFIG_FIREWIRE is not set
+# CONFIG_FIREWIRE_NOSY is not set
+# CONFIG_I2O is not set
+# CONFIG_MACINTOSH_DRIVERS is not set
+CONFIG_NETDEVICES=y
+CONFIG_NET_CORE=y
+# CONFIG_BONDING is not set
+CONFIG_DUMMY=y
+# CONFIG_EQUALIZER is not set
+# CONFIG_MII is not set
+# CONFIG_NET_TEAM is not set
+# CONFIG_MACVLAN is not set
+# CONFIG_VXLAN is not set
+# CONFIG_NETCONSOLE is not set
+# CONFIG_NETPOLL is not set
+# CONFIG_NET_POLL_CONTROLLER is not set
+CONFIG_TUN=y
+# CONFIG_VETH is not set
+CONFIG_VIRTIO_NET=y
+# CONFIG_ARCNET is not set
+
+#
+# CAIF transport drivers
+#
+
+#
+# Distributed Switch Architecture drivers
+#
+# CONFIG_NET_DSA_MV88E6XXX is not set
+# CONFIG_NET_DSA_MV88E6060 is not set
+# CONFIG_NET_DSA_MV88E6XXX_NEED_PPU is not set
+# CONFIG_NET_DSA_MV88E6131 is not set
+# CONFIG_NET_DSA_MV88E6123_61_65 is not set
+CONFIG_ETHERNET=y
+CONFIG_NET_VENDOR_3COM=y
+# CONFIG_VORTEX is not set
+# CONFIG_TYPHOON is not set
+CONFIG_NET_VENDOR_ADAPTEC=y
+# CONFIG_ADAPTEC_STARFIRE is not set
+CONFIG_NET_VENDOR_ALTEON=y
+# CONFIG_ACENIC is not set
+CONFIG_NET_VENDOR_AMD=y
+# CONFIG_AMD8111_ETH is not set
+# CONFIG_PCNET32 is not set
+CONFIG_NET_VENDOR_ATHEROS=y
+# CONFIG_ATL2 is not set
+# CONFIG_ATL1 is not set
+# CONFIG_ATL1E is not set
+# CONFIG_ATL1C is not set
+CONFIG_NET_CADENCE=y
+# CONFIG_ARM_AT91_ETHER is not set
+# CONFIG_MACB is not set
+CONFIG_NET_VENDOR_BROADCOM=y
+# CONFIG_B44 is not set
+# CONFIG_BNX2 is not set
+# CONFIG_CNIC is not set
+# CONFIG_TIGON3 is not set
+# CONFIG_BNX2X is not set
+CONFIG_NET_VENDOR_BROCADE=y
+# CONFIG_BNA is not set
+# CONFIG_NET_CALXEDA_XGMAC is not set
+CONFIG_NET_VENDOR_CHELSIO=y
+# CONFIG_CHELSIO_T1 is not set
+# CONFIG_CHELSIO_T3 is not set
+# CONFIG_CHELSIO_T4 is not set
+# CONFIG_CHELSIO_T4VF is not set
+CONFIG_NET_VENDOR_CISCO=y
+# CONFIG_ENIC is not set
+# CONFIG_DNET is not set
+CONFIG_NET_VENDOR_DEC=y
+# CONFIG_NET_TULIP is not set
+CONFIG_NET_VENDOR_DLINK=y
+# CONFIG_DL2K is not set
+# CONFIG_SUNDANCE is not set
+CONFIG_NET_VENDOR_EMULEX=y
+# CONFIG_BE2NET is not set
+CONFIG_NET_VENDOR_EXAR=y
+# CONFIG_S2IO is not set
+# CONFIG_VXGE is not set
+CONFIG_NET_VENDOR_HP=y
+# CONFIG_HP100 is not set
+CONFIG_NET_VENDOR_INTEL=y
+# CONFIG_E100 is not set
+# CONFIG_E1000 is not set
+# CONFIG_E1000E is not set
+# CONFIG_IGB is not set
+# CONFIG_IGBVF is not set
+# CONFIG_IXGB is not set
+# CONFIG_IXGBE is not set
+# CONFIG_IXGBEVF is not set
+CONFIG_NET_VENDOR_I825XX=y
+# CONFIG_ZNET is not set
+# CONFIG_IP1000 is not set
+# CONFIG_JME is not set
+CONFIG_NET_VENDOR_MARVELL=y
+# CONFIG_MVMDIO is not set
+# CONFIG_SKGE is not set
+# CONFIG_SKY2 is not set
+CONFIG_NET_VENDOR_MELLANOX=y
+# CONFIG_MLX4_EN is not set
+# CONFIG_MLX4_CORE is not set
+CONFIG_NET_VENDOR_MICREL=y
+# CONFIG_KS8851_MLL is not set
+# CONFIG_KSZ884X_PCI is not set
+CONFIG_NET_VENDOR_MYRI=y
+# CONFIG_MYRI10GE is not set
+# CONFIG_FEALNX is not set
+CONFIG_NET_VENDOR_NATSEMI=y
+# CONFIG_NATSEMI is not set
+# CONFIG_NS83820 is not set
+CONFIG_NET_VENDOR_8390=y
+# CONFIG_NE2K_PCI is not set
+CONFIG_NET_VENDOR_NVIDIA=y
+# CONFIG_FORCEDETH is not set
+CONFIG_NET_VENDOR_OKI=y
+# CONFIG_PCH_GBE is not set
+# CONFIG_ETHOC is not set
+CONFIG_NET_PACKET_ENGINE=y
+# CONFIG_HAMACHI is not set
+# CONFIG_YELLOWFIN is not set
+CONFIG_NET_VENDOR_QLOGIC=y
+# CONFIG_QLA3XXX is not set
+# CONFIG_QLCNIC is not set
+# CONFIG_QLGE is not set
+# CONFIG_NETXEN_NIC is not set
+CONFIG_NET_VENDOR_REALTEK=y
+# CONFIG_8139CP is not set
+# CONFIG_8139TOO is not set
+# CONFIG_R8169 is not set
+CONFIG_NET_VENDOR_RDC=y
+# CONFIG_R6040 is not set
+CONFIG_NET_VENDOR_SEEQ=y
+# CONFIG_SEEQ8005 is not set
+CONFIG_NET_VENDOR_SILAN=y
+# CONFIG_SC92031 is not set
+CONFIG_NET_VENDOR_SIS=y
+# CONFIG_SIS900 is not set
+# CONFIG_SIS190 is not set
+# CONFIG_SFC is not set
+CONFIG_NET_VENDOR_SMSC=y
+# CONFIG_EPIC100 is not set
+# CONFIG_SMSC9420 is not set
+CONFIG_NET_VENDOR_STMICRO=y
+# CONFIG_STMMAC_ETH is not set
+CONFIG_NET_VENDOR_SUN=y
+# CONFIG_HAPPYMEAL is not set
+# CONFIG_SUNGEM is not set
+# CONFIG_CASSINI is not set
+# CONFIG_NIU is not set
+CONFIG_NET_VENDOR_TEHUTI=y
+# CONFIG_TEHUTI is not set
+CONFIG_NET_VENDOR_TI=y
+# CONFIG_TLAN is not set
+CONFIG_NET_VENDOR_VIA=y
+# CONFIG_VIA_RHINE is not set
+# CONFIG_VIA_VELOCITY is not set
+CONFIG_NET_VENDOR_WIZNET=y
+# CONFIG_WIZNET_W5100 is not set
+# CONFIG_WIZNET_W5300 is not set
+# CONFIG_FDDI is not set
+# CONFIG_HIPPI is not set
+# CONFIG_NET_SB1000 is not set
+# CONFIG_PHYLIB is not set
+# CONFIG_PPP is not set
+# CONFIG_SLIP is not set
+CONFIG_WLAN=y
+# CONFIG_AIRO is not set
+# CONFIG_ATMEL is not set
+# CONFIG_PRISM54 is not set
+# CONFIG_HOSTAP is not set
+# CONFIG_WL_TI is not set
+
+#
+# Enable WiMAX (Networking options) to see the WiMAX drivers
+#
+# CONFIG_WAN is not set
+# CONFIG_VMXNET3 is not set
+# CONFIG_ISDN is not set
+
+#
+# Input device support
+#
+CONFIG_INPUT=y
+# CONFIG_INPUT_FF_MEMLESS is not set
+# CONFIG_INPUT_POLLDEV is not set
+# CONFIG_INPUT_SPARSEKMAP is not set
+# CONFIG_INPUT_MATRIXKMAP is not set
+
+#
+# Userland interfaces
+#
+CONFIG_INPUT_MOUSEDEV=y
+CONFIG_INPUT_MOUSEDEV_PSAUX=y
+CONFIG_INPUT_MOUSEDEV_SCREEN_X=1024
+CONFIG_INPUT_MOUSEDEV_SCREEN_Y=768
+# CONFIG_INPUT_JOYDEV is not set
+# CONFIG_INPUT_EVDEV is not set
+# CONFIG_INPUT_EVBUG is not set
+
+#
+# Input Device Drivers
+#
+CONFIG_INPUT_KEYBOARD=y
+CONFIG_KEYBOARD_ATKBD=y
+# CONFIG_KEYBOARD_LKKBD is not set
+# CONFIG_KEYBOARD_NEWTON is not set
+# CONFIG_KEYBOARD_OPENCORES is not set
+# CONFIG_KEYBOARD_STOWAWAY is not set
+# CONFIG_KEYBOARD_SUNKBD is not set
+# CONFIG_KEYBOARD_XTKBD is not set
+CONFIG_INPUT_MOUSE=y
+CONFIG_MOUSE_PS2=y
+CONFIG_MOUSE_PS2_ALPS=y
+CONFIG_MOUSE_PS2_LOGIPS2PP=y
+CONFIG_MOUSE_PS2_SYNAPTICS=y
+CONFIG_MOUSE_PS2_LIFEBOOK=y
+CONFIG_MOUSE_PS2_TRACKPOINT=y
+# CONFIG_MOUSE_PS2_ELANTECH is not set
+# CONFIG_MOUSE_PS2_SENTELIC is not set
+# CONFIG_MOUSE_PS2_TOUCHKIT is not set
+# CONFIG_MOUSE_SERIAL is not set
+# CONFIG_MOUSE_APPLETOUCH is not set
+# CONFIG_MOUSE_BCM5974 is not set
+# CONFIG_MOUSE_VSXXXAA is not set
+# CONFIG_MOUSE_SYNAPTICS_USB is not set
+# CONFIG_INPUT_JOYSTICK is not set
+# CONFIG_INPUT_TABLET is not set
+# CONFIG_INPUT_TOUCHSCREEN is not set
+# CONFIG_INPUT_MISC is not set
+
+#
+# Hardware I/O ports
+#
+CONFIG_SERIO=y
+CONFIG_SERIO_I8042=y
+CONFIG_SERIO_SERPORT=y
+# CONFIG_SERIO_CT82C710 is not set
+# CONFIG_SERIO_PCIPS2 is not set
+CONFIG_SERIO_LIBPS2=y
+# CONFIG_SERIO_RAW is not set
+# CONFIG_SERIO_ALTERA_PS2 is not set
+# CONFIG_SERIO_PS2MULT is not set
+# CONFIG_SERIO_ARC_PS2 is not set
+# CONFIG_GAMEPORT is not set
+
+#
+# Character devices
+#
+CONFIG_VT=y
+CONFIG_CONSOLE_TRANSLATIONS=y
+CONFIG_VT_CONSOLE=y
+CONFIG_VT_CONSOLE_SLEEP=y
+CONFIG_HW_CONSOLE=y
+# CONFIG_VT_HW_CONSOLE_BINDING is not set
+CONFIG_UNIX98_PTYS=y
+# CONFIG_DEVPTS_MULTIPLE_INSTANCES is not set
+CONFIG_LEGACY_PTYS=y
+CONFIG_LEGACY_PTY_COUNT=256
+# CONFIG_SERIAL_NONSTANDARD is not set
+# CONFIG_NOZOMI is not set
+# CONFIG_N_GSM is not set
+# CONFIG_TRACE_SINK is not set
+CONFIG_DEVKMEM=y
+
+#
+# Serial drivers
+#
+# CONFIG_SERIAL_8250 is not set
+CONFIG_FIX_EARLYCON_MEM=y
+
+#
+# Non-8250 serial port support
+#
+# CONFIG_SERIAL_MFD_HSU is not set
+# CONFIG_SERIAL_JSM is not set
+# CONFIG_SERIAL_SCCNXP is not set
+# CONFIG_SERIAL_TIMBERDALE is not set
+# CONFIG_SERIAL_ALTERA_JTAGUART is not set
+# CONFIG_SERIAL_ALTERA_UART is not set
+# CONFIG_SERIAL_PCH_UART is not set
+# CONFIG_SERIAL_ARC is not set
+CONFIG_HVC_DRIVER=y
+CONFIG_VIRTIO_CONSOLE=y
+# CONFIG_IPMI_HANDLER is not set
+# CONFIG_HW_RANDOM is not set
+# CONFIG_NVRAM is not set
+# CONFIG_RTC is not set
+# CONFIG_GEN_RTC is not set
+# CONFIG_R3964 is not set
+# CONFIG_APPLICOM is not set
+# CONFIG_MWAVE is not set
+# CONFIG_RAW_DRIVER is not set
+# CONFIG_HPET is not set
+# CONFIG_HANGCHECK_TIMER is not set
+# CONFIG_TCG_TPM is not set
+# CONFIG_TELCLOCK is not set
+CONFIG_DEVPORT=y
+# CONFIG_I2C is not set
+# CONFIG_SPI is not set
+# CONFIG_HSI is not set
+
+#
+# PPS support
+#
+# CONFIG_PPS is not set
+
+#
+# PPS generators support
+#
+
+#
+# PTP clock support
+#
+# CONFIG_PTP_1588_CLOCK is not set
+
+#
+# Enable PHYLIB and NETWORK_PHY_TIMESTAMPING to see the additional clocks.
+#
+# CONFIG_PTP_1588_CLOCK_PCH is not set
+CONFIG_ARCH_WANT_OPTIONAL_GPIOLIB=y
+# CONFIG_GPIOLIB is not set
+# CONFIG_W1 is not set
+CONFIG_POWER_SUPPLY=y
+# CONFIG_POWER_SUPPLY_DEBUG is not set
+# CONFIG_PDA_POWER is not set
+# CONFIG_TEST_POWER is not set
+# CONFIG_BATTERY_DS2780 is not set
+# CONFIG_BATTERY_DS2781 is not set
+# CONFIG_BATTERY_BQ27x00 is not set
+# CONFIG_CHARGER_MAX8903 is not set
+# CONFIG_POWER_RESET is not set
+# CONFIG_POWER_AVS is not set
+CONFIG_HWMON=y
+# CONFIG_HWMON_VID is not set
+# CONFIG_HWMON_DEBUG_CHIP is not set
+
+#
+# Native drivers
+#
+# CONFIG_SENSORS_ABITUGURU is not set
+# CONFIG_SENSORS_ABITUGURU3 is not set
+# CONFIG_SENSORS_K8TEMP is not set
+# CONFIG_SENSORS_K10TEMP is not set
+# CONFIG_SENSORS_FAM15H_POWER is not set
+# CONFIG_SENSORS_I5K_AMB is not set
+# CONFIG_SENSORS_F71805F is not set
+# CONFIG_SENSORS_F71882FG is not set
+# CONFIG_SENSORS_CORETEMP is not set
+# CONFIG_SENSORS_IT87 is not set
+# CONFIG_SENSORS_MAX197 is not set
+# CONFIG_SENSORS_NTC_THERMISTOR is not set
+# CONFIG_SENSORS_PC87360 is not set
+# CONFIG_SENSORS_PC87427 is not set
+# CONFIG_SENSORS_SIS5595 is not set
+# CONFIG_SENSORS_SMSC47M1 is not set
+# CONFIG_SENSORS_SMSC47B397 is not set
+# CONFIG_SENSORS_SCH56XX_COMMON is not set
+# CONFIG_SENSORS_VIA_CPUTEMP is not set
+# CONFIG_SENSORS_VIA686A is not set
+# CONFIG_SENSORS_VT1211 is not set
+# CONFIG_SENSORS_VT8231 is not set
+# CONFIG_SENSORS_W83627HF is not set
+# CONFIG_SENSORS_W83627EHF is not set
+# CONFIG_SENSORS_APPLESMC is not set
+
+#
+# ACPI drivers
+#
+# CONFIG_SENSORS_ACPI_POWER is not set
+# CONFIG_SENSORS_ATK0110 is not set
+CONFIG_THERMAL=y
+CONFIG_THERMAL_HWMON=y
+CONFIG_THERMAL_DEFAULT_GOV_STEP_WISE=y
+# CONFIG_THERMAL_DEFAULT_GOV_FAIR_SHARE is not set
+# CONFIG_THERMAL_DEFAULT_GOV_USER_SPACE is not set
+# CONFIG_FAIR_SHARE is not set
+CONFIG_STEP_WISE=y
+# CONFIG_USER_SPACE is not set
+# CONFIG_WATCHDOG is not set
+CONFIG_SSB_POSSIBLE=y
+
+#
+# Sonics Silicon Backplane
+#
+# CONFIG_SSB is not set
+CONFIG_BCMA_POSSIBLE=y
+
+#
+# Broadcom specific AMBA
+#
+# CONFIG_BCMA is not set
+
+#
+# Multifunction device drivers
+#
+# CONFIG_MFD_CORE is not set
+# CONFIG_MFD_SM501 is not set
+# CONFIG_MFD_RTSX_PCI is not set
+# CONFIG_MFD_TI_AM335X_TSCADC is not set
+# CONFIG_HTC_PASIC3 is not set
+# CONFIG_MFD_TMIO is not set
+# CONFIG_ABX500_CORE is not set
+# CONFIG_MFD_CS5535 is not set
+# CONFIG_LPC_SCH is not set
+# CONFIG_LPC_ICH is not set
+# CONFIG_MFD_RDC321X is not set
+# CONFIG_MFD_JANZ_CMODIO is not set
+# CONFIG_MFD_VX855 is not set
+# CONFIG_REGULATOR is not set
+# CONFIG_MEDIA_SUPPORT is not set
+
+#
+# Graphics support
+#
+# CONFIG_AGP is not set
+CONFIG_VGA_ARB=y
+CONFIG_VGA_ARB_MAX_GPUS=16
+# CONFIG_VGA_SWITCHEROO is not set
+# CONFIG_DRM is not set
+# CONFIG_STUB_POULSBO is not set
+# CONFIG_VGASTATE is not set
+# CONFIG_VIDEO_OUTPUT_CONTROL is not set
+# CONFIG_FB is not set
+# CONFIG_EXYNOS_VIDEO is not set
+# CONFIG_BACKLIGHT_LCD_SUPPORT is not set
+
+#
+# Console display driver support
+#
+CONFIG_VGA_CONSOLE=y
+# CONFIG_VGACON_SOFT_SCROLLBACK is not set
+CONFIG_DUMMY_CONSOLE=y
+CONFIG_SOUND=y
+# CONFIG_SOUND_OSS_CORE is not set
+# CONFIG_SND is not set
+# CONFIG_SOUND_PRIME is not set
+
+#
+# HID support
+#
+CONFIG_HID=y
+# CONFIG_HID_BATTERY_STRENGTH is not set
+# CONFIG_HIDRAW is not set
+# CONFIG_UHID is not set
+CONFIG_HID_GENERIC=y
+
+#
+# Special HID drivers
+#
+CONFIG_USB_ARCH_HAS_OHCI=y
+CONFIG_USB_ARCH_HAS_EHCI=y
+CONFIG_USB_ARCH_HAS_XHCI=y
+CONFIG_USB_SUPPORT=y
+CONFIG_USB_ARCH_HAS_HCD=y
+# CONFIG_USB is not set
+
+#
+# NOTE: USB_STORAGE depends on SCSI but BLK_DEV_SD may
+#
+# CONFIG_USB_GADGET is not set
+
+#
+# OTG and related infrastructure
+#
+# CONFIG_UWB is not set
+# CONFIG_MMC is not set
+# CONFIG_MEMSTICK is not set
+# CONFIG_NEW_LEDS is not set
+# CONFIG_ACCESSIBILITY is not set
+# CONFIG_INFINIBAND is not set
+# CONFIG_EDAC is not set
+# CONFIG_RTC_CLASS is not set
+# CONFIG_DMADEVICES is not set
+# CONFIG_AUXDISPLAY is not set
+# CONFIG_UIO is not set
+CONFIG_VIRTIO=y
+
+#
+# Virtio drivers
+#
+CONFIG_VIRTIO_PCI=y
+CONFIG_VIRTIO_BALLOON=y
+CONFIG_VIRTIO_MMIO=y
+# CONFIG_VIRTIO_MMIO_CMDLINE_DEVICES is not set
+
+#
+# Microsoft Hyper-V guest support
+#
+# CONFIG_HYPERV is not set
+# CONFIG_STAGING is not set
+CONFIG_X86_PLATFORM_DEVICES=y
+# CONFIG_ACERHDF is not set
+# CONFIG_ASUS_LAPTOP is not set
+# CONFIG_FUJITSU_TABLET is not set
+# CONFIG_HP_ACCEL is not set
+# CONFIG_THINKPAD_ACPI is not set
+# CONFIG_SENSORS_HDAPS is not set
+# CONFIG_INTEL_MENLOW is not set
+# CONFIG_ACPI_WMI is not set
+# CONFIG_TOPSTAR_LAPTOP is not set
+# CONFIG_TOSHIBA_BT_RFKILL is not set
+# CONFIG_ACPI_CMPC is not set
+# CONFIG_INTEL_IPS is not set
+# CONFIG_IBM_RTL is not set
+# CONFIG_XO15_EBOOK is not set
+# CONFIG_SAMSUNG_Q10 is not set
+
+#
+# Hardware Spinlock drivers
+#
+CONFIG_CLKEVT_I8253=y
+CONFIG_I8253_LOCK=y
+CONFIG_CLKBLD_I8253=y
+CONFIG_IOMMU_SUPPORT=y
+# CONFIG_AMD_IOMMU is not set
+# CONFIG_INTEL_IOMMU is not set
+# CONFIG_IRQ_REMAP is not set
+
+#
+# Remoteproc drivers (EXPERIMENTAL)
+#
+# CONFIG_STE_MODEM_RPROC is not set
+
+#
+# Rpmsg drivers (EXPERIMENTAL)
+#
+# CONFIG_VIRT_DRIVERS is not set
+# CONFIG_PM_DEVFREQ is not set
+# CONFIG_EXTCON is not set
+# CONFIG_MEMORY is not set
+# CONFIG_IIO is not set
+# CONFIG_VME_BUS is not set
+# CONFIG_PWM is not set
+# CONFIG_IPACK_BUS is not set
+
+#
+# Firmware Drivers
+#
+# CONFIG_EDD is not set
+CONFIG_FIRMWARE_MEMMAP=y
+# CONFIG_DELL_RBU is not set
+# CONFIG_DCDBAS is not set
+CONFIG_DMIID=y
+# CONFIG_DMI_SYSFS is not set
+# CONFIG_ISCSI_IBFT_FIND is not set
+# CONFIG_GOOGLE_FIRMWARE is not set
+
+#
+# File systems
+#
+CONFIG_DCACHE_WORD_ACCESS=y
+CONFIG_EXT2_FS=y
+# CONFIG_EXT2_FS_XATTR is not set
+# CONFIG_EXT2_FS_XIP is not set
+CONFIG_EXT3_FS=y
+# CONFIG_EXT3_DEFAULTS_TO_ORDERED is not set
+# CONFIG_EXT3_FS_XATTR is not set
+# CONFIG_EXT4_FS is not set
+CONFIG_JBD=y
+CONFIG_REISERFS_FS=y
+# CONFIG_REISERFS_CHECK is not set
+# CONFIG_REISERFS_PROC_INFO is not set
+# CONFIG_REISERFS_FS_XATTR is not set
+# CONFIG_JFS_FS is not set
+# CONFIG_XFS_FS is not set
+# CONFIG_GFS2_FS is not set
+# CONFIG_BTRFS_FS is not set
+# CONFIG_NILFS2_FS is not set
+CONFIG_FS_POSIX_ACL=y
+CONFIG_FILE_LOCKING=y
+CONFIG_FSNOTIFY=y
+CONFIG_DNOTIFY=y
+CONFIG_INOTIFY_USER=y
+# CONFIG_FANOTIFY is not set
+CONFIG_QUOTA=y
+# CONFIG_QUOTA_NETLINK_INTERFACE is not set
+CONFIG_PRINT_QUOTA_WARNING=y
+# CONFIG_QUOTA_DEBUG is not set
+# CONFIG_QFMT_V1 is not set
+# CONFIG_QFMT_V2 is not set
+CONFIG_QUOTACTL=y
+CONFIG_AUTOFS4_FS=y
+# CONFIG_FUSE_FS is not set
+
+#
+# Caches
+#
+# CONFIG_FSCACHE is not set
+
+#
+# CD-ROM/DVD Filesystems
+#
+CONFIG_ISO9660_FS=y
+CONFIG_JOLIET=y
+# CONFIG_ZISOFS is not set
+# CONFIG_UDF_FS is not set
+
+#
+# DOS/FAT/NT Filesystems
+#
+# CONFIG_MSDOS_FS is not set
+# CONFIG_VFAT_FS is not set
+# CONFIG_NTFS_FS is not set
+
+#
+# Pseudo filesystems
+#
+CONFIG_PROC_FS=y
+CONFIG_PROC_KCORE=y
+CONFIG_PROC_SYSCTL=y
+CONFIG_PROC_PAGE_MONITOR=y
+CONFIG_SYSFS=y
+CONFIG_TMPFS=y
+# CONFIG_TMPFS_POSIX_ACL is not set
+# CONFIG_TMPFS_XATTR is not set
+# CONFIG_HUGETLBFS is not set
+# CONFIG_HUGETLB_PAGE is not set
+# CONFIG_CONFIGFS_FS is not set
+CONFIG_MISC_FILESYSTEMS=y
+# CONFIG_ADFS_FS is not set
+# CONFIG_AFFS_FS is not set
+# CONFIG_HFS_FS is not set
+# CONFIG_HFSPLUS_FS is not set
+# CONFIG_BEFS_FS is not set
+# CONFIG_BFS_FS is not set
+# CONFIG_EFS_FS is not set
+# CONFIG_LOGFS is not set
+# CONFIG_CRAMFS is not set
+# CONFIG_SQUASHFS is not set
+# CONFIG_VXFS_FS is not set
+# CONFIG_MINIX_FS is not set
+# CONFIG_OMFS_FS is not set
+# CONFIG_HPFS_FS is not set
+# CONFIG_QNX4FS_FS is not set
+# CONFIG_QNX6FS_FS is not set
+# CONFIG_ROMFS_FS is not set
+# CONFIG_PSTORE is not set
+# CONFIG_SYSV_FS is not set
+# CONFIG_UFS_FS is not set
+# CONFIG_F2FS_FS is not set
+CONFIG_NETWORK_FILESYSTEMS=y
+# CONFIG_NFS_FS is not set
+# CONFIG_NFSD is not set
+# CONFIG_CEPH_FS is not set
+# CONFIG_CIFS is not set
+# CONFIG_NCP_FS is not set
+# CONFIG_CODA_FS is not set
+# CONFIG_AFS_FS is not set
+CONFIG_9P_FS=y
+CONFIG_9P_FS_POSIX_ACL=y
+CONFIG_NLS=y
+CONFIG_NLS_DEFAULT="iso8859-1"
+# CONFIG_NLS_CODEPAGE_437 is not set
+# CONFIG_NLS_CODEPAGE_737 is not set
+# CONFIG_NLS_CODEPAGE_775 is not set
+# CONFIG_NLS_CODEPAGE_850 is not set
+# CONFIG_NLS_CODEPAGE_852 is not set
+# CONFIG_NLS_CODEPAGE_855 is not set
+# CONFIG_NLS_CODEPAGE_857 is not set
+# CONFIG_NLS_CODEPAGE_860 is not set
+# CONFIG_NLS_CODEPAGE_861 is not set
+# CONFIG_NLS_CODEPAGE_862 is not set
+# CONFIG_NLS_CODEPAGE_863 is not set
+# CONFIG_NLS_CODEPAGE_864 is not set
+# CONFIG_NLS_CODEPAGE_865 is not set
+# CONFIG_NLS_CODEPAGE_866 is not set
+# CONFIG_NLS_CODEPAGE_869 is not set
+# CONFIG_NLS_CODEPAGE_936 is not set
+# CONFIG_NLS_CODEPAGE_950 is not set
+# CONFIG_NLS_CODEPAGE_932 is not set
+# CONFIG_NLS_CODEPAGE_949 is not set
+# CONFIG_NLS_CODEPAGE_874 is not set
+# CONFIG_NLS_ISO8859_8 is not set
+# CONFIG_NLS_CODEPAGE_1250 is not set
+# CONFIG_NLS_CODEPAGE_1251 is not set
+# CONFIG_NLS_ASCII is not set
+# CONFIG_NLS_ISO8859_1 is not set
+# CONFIG_NLS_ISO8859_2 is not set
+# CONFIG_NLS_ISO8859_3 is not set
+# CONFIG_NLS_ISO8859_4 is not set
+# CONFIG_NLS_ISO8859_5 is not set
+# CONFIG_NLS_ISO8859_6 is not set
+# CONFIG_NLS_ISO8859_7 is not set
+# CONFIG_NLS_ISO8859_9 is not set
+# CONFIG_NLS_ISO8859_13 is not set
+# CONFIG_NLS_ISO8859_14 is not set
+# CONFIG_NLS_ISO8859_15 is not set
+# CONFIG_NLS_KOI8_R is not set
+# CONFIG_NLS_KOI8_U is not set
+# CONFIG_NLS_MAC_ROMAN is not set
+# CONFIG_NLS_MAC_CELTIC is not set
+# CONFIG_NLS_MAC_CENTEURO is not set
+# CONFIG_NLS_MAC_CROATIAN is not set
+# CONFIG_NLS_MAC_CYRILLIC is not set
+# CONFIG_NLS_MAC_GAELIC is not set
+# CONFIG_NLS_MAC_GREEK is not set
+# CONFIG_NLS_MAC_ICELAND is not set
+# CONFIG_NLS_MAC_INUIT is not set
+# CONFIG_NLS_MAC_ROMANIAN is not set
+# CONFIG_NLS_MAC_TURKISH is not set
+# CONFIG_NLS_UTF8 is not set
+
+#
+# Kernel hacking
+#
+CONFIG_TRACE_IRQFLAGS_SUPPORT=y
+# CONFIG_PRINTK_TIME is not set
+CONFIG_DEFAULT_MESSAGE_LOGLEVEL=4
+CONFIG_ENABLE_WARN_DEPRECATED=y
+CONFIG_ENABLE_MUST_CHECK=y
+CONFIG_FRAME_WARN=1024
+# CONFIG_MAGIC_SYSRQ is not set
+# CONFIG_STRIP_ASM_SYMS is not set
+# CONFIG_READABLE_ASM is not set
+# CONFIG_UNUSED_SYMBOLS is not set
+# CONFIG_DEBUG_FS is not set
+# CONFIG_HEADERS_CHECK is not set
+# CONFIG_DEBUG_SECTION_MISMATCH is not set
+CONFIG_DEBUG_KERNEL=y
+# CONFIG_DEBUG_SHIRQ is not set
+# CONFIG_LOCKUP_DETECTOR is not set
+# CONFIG_PANIC_ON_OOPS is not set
+CONFIG_PANIC_ON_OOPS_VALUE=0
+CONFIG_DETECT_HUNG_TASK=y
+CONFIG_DEFAULT_HUNG_TASK_TIMEOUT=120
+# CONFIG_BOOTPARAM_HUNG_TASK_PANIC is not set
+CONFIG_BOOTPARAM_HUNG_TASK_PANIC_VALUE=0
+# CONFIG_SCHED_DEBUG is not set
+# CONFIG_SCHEDSTATS is not set
+# CONFIG_TIMER_STATS is not set
+# CONFIG_DEBUG_OBJECTS is not set
+# CONFIG_DEBUG_SLAB is not set
+CONFIG_HAVE_DEBUG_KMEMLEAK=y
+# CONFIG_DEBUG_KMEMLEAK is not set
+# CONFIG_DEBUG_RT_MUTEXES is not set
+# CONFIG_RT_MUTEX_TESTER is not set
+# CONFIG_DEBUG_SPINLOCK is not set
+# CONFIG_DEBUG_MUTEXES is not set
+# CONFIG_DEBUG_LOCK_ALLOC is not set
+# CONFIG_PROVE_LOCKING is not set
+# CONFIG_SPARSE_RCU_POINTER is not set
+# CONFIG_LOCK_STAT is not set
+# CONFIG_DEBUG_ATOMIC_SLEEP is not set
+# CONFIG_DEBUG_LOCKING_API_SELFTESTS is not set
+# CONFIG_DEBUG_STACK_USAGE is not set
+# CONFIG_DEBUG_KOBJECT is not set
+CONFIG_DEBUG_BUGVERBOSE=y
+CONFIG_DEBUG_INFO=y
+# CONFIG_DEBUG_INFO_REDUCED is not set
+# CONFIG_DEBUG_VM is not set
+# CONFIG_DEBUG_VIRTUAL is not set
+# CONFIG_DEBUG_WRITECOUNT is not set
+CONFIG_DEBUG_MEMORY_INIT=y
+# CONFIG_DEBUG_LIST is not set
+# CONFIG_TEST_LIST_SORT is not set
+# CONFIG_DEBUG_SG is not set
+# CONFIG_DEBUG_NOTIFIERS is not set
+# CONFIG_DEBUG_CREDENTIALS is not set
+CONFIG_ARCH_WANT_FRAME_POINTERS=y
+CONFIG_FRAME_POINTER=y
+# CONFIG_BOOT_PRINTK_DELAY is not set
+# CONFIG_RCU_TORTURE_TEST is not set
+# CONFIG_RCU_TRACE is not set
+# CONFIG_BACKTRACE_SELF_TEST is not set
+# CONFIG_DEBUG_BLOCK_EXT_DEVT is not set
+# CONFIG_DEBUG_FORCE_WEAK_PER_CPU is not set
+# CONFIG_NOTIFIER_ERROR_INJECTION is not set
+# CONFIG_FAULT_INJECTION is not set
+# CONFIG_LATENCYTOP is not set
+# CONFIG_DEBUG_PAGEALLOC is not set
+CONFIG_USER_STACKTRACE_SUPPORT=y
+CONFIG_HAVE_FUNCTION_TRACER=y
+CONFIG_HAVE_FUNCTION_GRAPH_TRACER=y
+CONFIG_HAVE_FUNCTION_GRAPH_FP_TEST=y
+CONFIG_HAVE_FUNCTION_TRACE_MCOUNT_TEST=y
+CONFIG_HAVE_DYNAMIC_FTRACE=y
+CONFIG_HAVE_FTRACE_MCOUNT_RECORD=y
+CONFIG_HAVE_SYSCALL_TRACEPOINTS=y
+CONFIG_HAVE_FENTRY=y
+CONFIG_HAVE_C_RECORDMCOUNT=y
+CONFIG_TRACING_SUPPORT=y
+CONFIG_FTRACE=y
+# CONFIG_FUNCTION_TRACER is not set
+# CONFIG_IRQSOFF_TRACER is not set
+# CONFIG_SCHED_TRACER is not set
+# CONFIG_ENABLE_DEFAULT_TRACERS is not set
+# CONFIG_FTRACE_SYSCALLS is not set
+CONFIG_BRANCH_PROFILE_NONE=y
+# CONFIG_PROFILE_ANNOTATED_BRANCHES is not set
+# CONFIG_PROFILE_ALL_BRANCHES is not set
+# CONFIG_STACK_TRACER is not set
+# CONFIG_BLK_DEV_IO_TRACE is not set
+# CONFIG_UPROBE_EVENT is not set
+# CONFIG_PROBE_EVENTS is not set
+# CONFIG_MMIOTRACE is not set
+# CONFIG_PROVIDE_OHCI1394_DMA_INIT is not set
+# CONFIG_DMA_API_DEBUG is not set
+# CONFIG_ATOMIC64_SELFTEST is not set
+# CONFIG_SAMPLES is not set
+CONFIG_HAVE_ARCH_KGDB=y
+# CONFIG_KGDB is not set
+CONFIG_HAVE_ARCH_KMEMCHECK=y
+# CONFIG_TEST_KSTRTOX is not set
+# CONFIG_STRICT_DEVMEM is not set
+CONFIG_X86_VERBOSE_BOOTUP=y
+CONFIG_EARLY_PRINTK=y
+# CONFIG_EARLY_PRINTK_DBGP is not set
+# CONFIG_DEBUG_STACKOVERFLOW is not set
+# CONFIG_X86_PTDUMP is not set
+CONFIG_DEBUG_RODATA=y
+CONFIG_DEBUG_RODATA_TEST=y
+# CONFIG_DEBUG_TLBFLUSH is not set
+# CONFIG_IOMMU_DEBUG is not set
+# CONFIG_IOMMU_STRESS is not set
+CONFIG_HAVE_MMIOTRACE_SUPPORT=y
+CONFIG_IO_DELAY_TYPE_0X80=0
+CONFIG_IO_DELAY_TYPE_0XED=1
+CONFIG_IO_DELAY_TYPE_UDELAY=2
+CONFIG_IO_DELAY_TYPE_NONE=3
+CONFIG_IO_DELAY_0X80=y
+# CONFIG_IO_DELAY_0XED is not set
+# CONFIG_IO_DELAY_UDELAY is not set
+# CONFIG_IO_DELAY_NONE is not set
+CONFIG_DEFAULT_IO_DELAY_TYPE=0
+# CONFIG_CPA_DEBUG is not set
+# CONFIG_OPTIMIZE_INLINING is not set
+# CONFIG_DEBUG_STRICT_USER_COPY_CHECKS is not set
+# CONFIG_DEBUG_NMI_SELFTEST is not set
+
+#
+# Security options
+#
+# CONFIG_KEYS is not set
+# CONFIG_SECURITY_DMESG_RESTRICT is not set
+# CONFIG_SECURITY is not set
+# CONFIG_SECURITYFS is not set
+CONFIG_DEFAULT_SECURITY_DAC=y
+CONFIG_DEFAULT_SECURITY=""
+CONFIG_CRYPTO=y
+
+#
+# Crypto core or helper
+#
+CONFIG_CRYPTO_ALGAPI=y
+CONFIG_CRYPTO_ALGAPI2=y
+CONFIG_CRYPTO_AEAD=y
+CONFIG_CRYPTO_AEAD2=y
+CONFIG_CRYPTO_BLKCIPHER=y
+CONFIG_CRYPTO_BLKCIPHER2=y
+CONFIG_CRYPTO_HASH=y
+CONFIG_CRYPTO_HASH2=y
+CONFIG_CRYPTO_RNG=y
+CONFIG_CRYPTO_RNG2=y
+CONFIG_CRYPTO_PCOMP=y
+CONFIG_CRYPTO_PCOMP2=y
+CONFIG_CRYPTO_MANAGER=y
+CONFIG_CRYPTO_MANAGER2=y
+CONFIG_CRYPTO_USER=y
+CONFIG_CRYPTO_MANAGER_DISABLE_TESTS=y
+CONFIG_CRYPTO_GF128MUL=y
+CONFIG_CRYPTO_NULL=y
+CONFIG_CRYPTO_WORKQUEUE=y
+CONFIG_CRYPTO_CRYPTD=y
+CONFIG_CRYPTO_AUTHENC=y
+CONFIG_CRYPTO_ABLK_HELPER_X86=y
+CONFIG_CRYPTO_GLUE_HELPER_X86=y
+
+#
+# Authenticated Encryption with Associated Data
+#
+CONFIG_CRYPTO_CCM=y
+CONFIG_CRYPTO_GCM=y
+CONFIG_CRYPTO_SEQIV=y
+
+#
+# Block modes
+#
+CONFIG_CRYPTO_CBC=y
+CONFIG_CRYPTO_CTR=y
+# CONFIG_CRYPTO_CTS is not set
+CONFIG_CRYPTO_ECB=y
+CONFIG_CRYPTO_LRW=y
+CONFIG_CRYPTO_PCBC=y
+CONFIG_CRYPTO_XTS=y
+
+#
+# Hash modes
+#
+CONFIG_CRYPTO_HMAC=y
+CONFIG_CRYPTO_XCBC=y
+# CONFIG_CRYPTO_VMAC is not set
+
+#
+# Digest
+#
+CONFIG_CRYPTO_CRC32C=y
+# CONFIG_CRYPTO_CRC32C_INTEL is not set
+CONFIG_CRYPTO_GHASH=y
+CONFIG_CRYPTO_MD4=y
+CONFIG_CRYPTO_MD5=y
+CONFIG_CRYPTO_MICHAEL_MIC=y
+CONFIG_CRYPTO_RMD128=y
+CONFIG_CRYPTO_RMD160=y
+CONFIG_CRYPTO_RMD256=y
+CONFIG_CRYPTO_RMD320=y
+CONFIG_CRYPTO_SHA1=y
+# CONFIG_CRYPTO_SHA1_SSSE3 is not set
+CONFIG_CRYPTO_SHA256=y
+CONFIG_CRYPTO_SHA512=y
+CONFIG_CRYPTO_TGR192=y
+CONFIG_CRYPTO_WP512=y
+# CONFIG_CRYPTO_GHASH_CLMUL_NI_INTEL is not set
+
+#
+# Ciphers
+#
+CONFIG_CRYPTO_AES=y
+CONFIG_CRYPTO_AES_X86_64=y
+CONFIG_CRYPTO_AES_NI_INTEL=y
+CONFIG_CRYPTO_ANUBIS=y
+CONFIG_CRYPTO_ARC4=y
+CONFIG_CRYPTO_BLOWFISH=y
+CONFIG_CRYPTO_BLOWFISH_COMMON=y
+CONFIG_CRYPTO_BLOWFISH_X86_64=y
+CONFIG_CRYPTO_CAMELLIA=y
+CONFIG_CRYPTO_CAMELLIA_X86_64=y
+CONFIG_CRYPTO_CAMELLIA_AESNI_AVX_X86_64=y
+CONFIG_CRYPTO_CAST_COMMON=y
+CONFIG_CRYPTO_CAST5=y
+CONFIG_CRYPTO_CAST5_AVX_X86_64=y
+CONFIG_CRYPTO_CAST6=y
+CONFIG_CRYPTO_CAST6_AVX_X86_64=y
+CONFIG_CRYPTO_DES=y
+CONFIG_CRYPTO_FCRYPT=y
+CONFIG_CRYPTO_KHAZAD=y
+CONFIG_CRYPTO_SALSA20=y
+CONFIG_CRYPTO_SALSA20_X86_64=y
+CONFIG_CRYPTO_SEED=y
+CONFIG_CRYPTO_SERPENT=y
+CONFIG_CRYPTO_SERPENT_SSE2_X86_64=y
+CONFIG_CRYPTO_SERPENT_AVX_X86_64=y
+CONFIG_CRYPTO_TEA=y
+CONFIG_CRYPTO_TWOFISH=y
+CONFIG_CRYPTO_TWOFISH_COMMON=y
+CONFIG_CRYPTO_TWOFISH_X86_64=y
+CONFIG_CRYPTO_TWOFISH_X86_64_3WAY=y
+CONFIG_CRYPTO_TWOFISH_AVX_X86_64=y
+
+#
+# Compression
+#
+CONFIG_CRYPTO_DEFLATE=y
+CONFIG_CRYPTO_ZLIB=y
+CONFIG_CRYPTO_LZO=y
+
+#
+# Random Number Generation
+#
+# CONFIG_CRYPTO_ANSI_CPRNG is not set
+CONFIG_CRYPTO_USER_API=y
+CONFIG_CRYPTO_USER_API_HASH=y
+CONFIG_CRYPTO_USER_API_SKCIPHER=y
+# CONFIG_CRYPTO_HW is not set
+CONFIG_HAVE_KVM=y
+CONFIG_VIRTUALIZATION=y
+# CONFIG_KVM is not set
+# CONFIG_VHOST_NET is not set
+# CONFIG_BINARY_PRINTF is not set
+
+#
+# Library routines
+#
+CONFIG_BITREVERSE=y
+CONFIG_GENERIC_STRNCPY_FROM_USER=y
+CONFIG_GENERIC_STRNLEN_USER=y
+CONFIG_GENERIC_FIND_FIRST_BIT=y
+CONFIG_GENERIC_PCI_IOMAP=y
+CONFIG_GENERIC_IOMAP=y
+CONFIG_GENERIC_IO=y
+CONFIG_PERCPU_RWSEM=y
+CONFIG_CRC_CCITT=y
+CONFIG_CRC16=y
+# CONFIG_CRC_T10DIF is not set
+CONFIG_CRC_ITU_T=y
+CONFIG_CRC32=y
+# CONFIG_CRC32_SELFTEST is not set
+CONFIG_CRC32_SLICEBY8=y
+# CONFIG_CRC32_SLICEBY4 is not set
+# CONFIG_CRC32_SARWATE is not set
+# CONFIG_CRC32_BIT is not set
+CONFIG_CRC7=y
+CONFIG_LIBCRC32C=y
+# CONFIG_CRC8 is not set
+CONFIG_ZLIB_INFLATE=y
+CONFIG_ZLIB_DEFLATE=y
+# CONFIG_XZ_DEC is not set
+# CONFIG_XZ_DEC_BCJ is not set
+CONFIG_TEXTSEARCH=y
+CONFIG_TEXTSEARCH_KMP=y
+CONFIG_TEXTSEARCH_BM=y
+CONFIG_TEXTSEARCH_FSM=y
+CONFIG_HAS_IOMEM=y
+CONFIG_HAS_IOPORT=y
+CONFIG_HAS_DMA=y
+CONFIG_DQL=y
+CONFIG_NLATTR=y
+CONFIG_ARCH_HAS_ATOMIC64_DEC_IF_POSITIVE=y
+# CONFIG_AVERAGE is not set
+# CONFIG_CORDIC is not set
+# CONFIG_DDR is not set
diff --git a/testing/config/kvm/alice.xml b/testing/config/kvm/alice.xml
index 6ca78f861..620ce5116 100644
--- a/testing/config/kvm/alice.xml
+++ b/testing/config/kvm/alice.xml
@@ -5,7 +5,7 @@
   <currentMemory unit='KiB'>131072</currentMemory>
   <vcpu placement='static'>1</vcpu>
   <os>
-    <type arch='x86_64' machine='pc-1.1'>hvm</type>
+    <type arch='x86_64' machine='pc'>hvm</type>
 	<kernel>/var/run/kvm-swan-kernel</kernel>
     <cmdline>root=/dev/vda1 loglevel=1</cmdline>
     <boot dev='hd'/>
@@ -38,12 +38,14 @@
     <interface type='network'>
       <mac address='52:54:00:9a:e2:de'/>
       <source network='vnet2'/>
+      <target dev='alice-eth0'/>
       <model type='virtio'/>
       <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0'/>
     </interface>
     <interface type='network'>
       <mac address='52:54:00:3b:0c:d7'/>
       <source network='vnet1'/>
+      <target dev='alice-eth1'/>
       <model type='virtio'/>
       <address type='pci' domain='0x0000' bus='0x00' slot='0x05' function='0x0'/>
     </interface>
diff --git a/testing/config/kvm/bob.xml b/testing/config/kvm/bob.xml
index d9a9b4c05..caa1631cf 100644
--- a/testing/config/kvm/bob.xml
+++ b/testing/config/kvm/bob.xml
@@ -5,7 +5,7 @@
   <currentMemory unit='KiB'>131072</currentMemory>
   <vcpu placement='static'>1</vcpu>
   <os>
-    <type arch='x86_64' machine='pc-1.1'>hvm</type>
+    <type arch='x86_64' machine='pc'>hvm</type>
 	<kernel>/var/run/kvm-swan-kernel</kernel>
     <cmdline>root=/dev/vda1 loglevel=1</cmdline>
     <boot dev='hd'/>
@@ -38,6 +38,7 @@
     <interface type='network'>
       <mac address='52:54:00:40:85:6b'/>
       <source network='vnet3'/>
+      <target dev='bob-eth0'/>
       <model type='virtio'/>
       <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0'/>
     </interface>
diff --git a/testing/config/kvm/carol.xml b/testing/config/kvm/carol.xml
index fbdabe2e4..8f768ff5c 100644
--- a/testing/config/kvm/carol.xml
+++ b/testing/config/kvm/carol.xml
@@ -5,7 +5,7 @@
   <currentMemory unit='KiB'>131072</currentMemory>
   <vcpu placement='static'>1</vcpu>
   <os>
-    <type arch='x86_64' machine='pc-1.1'>hvm</type>
+    <type arch='x86_64' machine='pc'>hvm</type>
 	<kernel>/var/run/kvm-swan-kernel</kernel>
     <cmdline>root=/dev/vda1 loglevel=1</cmdline>
     <boot dev='hd'/>
@@ -38,6 +38,7 @@
     <interface type='network'>
       <mac address='52:54:00:ae:f1:f8'/>
       <source network='vnet1'/>
+      <target dev='carol-eth0'/>
       <model type='virtio'/>
       <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0'/>
     </interface>
diff --git a/testing/config/kvm/dave.xml b/testing/config/kvm/dave.xml
index bfebe9b60..3ae1da021 100644
--- a/testing/config/kvm/dave.xml
+++ b/testing/config/kvm/dave.xml
@@ -5,7 +5,7 @@
   <currentMemory unit='KiB'>131072</currentMemory>
   <vcpu placement='static'>1</vcpu>
   <os>
-    <type arch='x86_64' machine='pc-1.1'>hvm</type>
+    <type arch='x86_64' machine='pc'>hvm</type>
 	<kernel>/var/run/kvm-swan-kernel</kernel>
     <cmdline>root=/dev/vda1 loglevel=1</cmdline>
     <boot dev='hd'/>
@@ -38,6 +38,7 @@
     <interface type='network'>
       <mac address='52:54:00:b9:15:a9'/>
       <source network='vnet1'/>
+      <target dev='dave-eth0'/>
       <model type='virtio'/>
       <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0'/>
     </interface>
diff --git a/testing/config/kvm/moon.xml b/testing/config/kvm/moon.xml
index e019fcea5..975e3cec6 100644
--- a/testing/config/kvm/moon.xml
+++ b/testing/config/kvm/moon.xml
@@ -5,7 +5,7 @@
   <currentMemory unit='KiB'>131072</currentMemory>
   <vcpu placement='static'>1</vcpu>
   <os>
-    <type arch='x86_64' machine='pc-1.1'>hvm</type>
+    <type arch='x86_64' machine='pc'>hvm</type>
 	<kernel>/var/run/kvm-swan-kernel</kernel>
     <cmdline>root=/dev/vda1 loglevel=1</cmdline>
     <boot dev='hd'/>
@@ -38,12 +38,14 @@
     <interface type='network'>
       <mac address='52:54:00:43:e3:35'/>
       <source network='vnet2'/>
+      <target dev='moon-eth1'/>
       <model type='virtio'/>
       <address type='pci' domain='0x0000' bus='0x00' slot='0x05' function='0x0'/>
     </interface>
     <interface type='network'>
       <mac address='52:54:00:c7:b8:b0'/>
       <source network='vnet1'/>
+      <target dev='moon-eth0'/>
       <model type='virtio'/>
       <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0'/>
     </interface>
diff --git a/testing/config/kvm/sun.xml b/testing/config/kvm/sun.xml
index 5ed1a47ea..9d05027f9 100644
--- a/testing/config/kvm/sun.xml
+++ b/testing/config/kvm/sun.xml
@@ -5,7 +5,7 @@
   <currentMemory unit='KiB'>131072</currentMemory>
   <vcpu placement='static'>1</vcpu>
   <os>
-    <type arch='x86_64' machine='pc-1.1'>hvm</type>
+    <type arch='x86_64' machine='pc'>hvm</type>
 	<kernel>/var/run/kvm-swan-kernel</kernel>
     <cmdline>root=/dev/vda1 loglevel=1</cmdline>
     <boot dev='hd'/>
@@ -38,12 +38,14 @@
     <interface type='network'>
       <mac address='52:54:00:77:43:ea'/>
       <source network='vnet1'/>
+      <target dev='sun-eth0'/>
       <model type='virtio'/>
       <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0'/>
     </interface>
     <interface type='network'>
       <mac address='52:54:00:0f:97:db'/>
       <source network='vnet3'/>
+      <target dev='sun-eth1'/>
       <model type='virtio'/>
       <address type='pci' domain='0x0000' bus='0x00' slot='0x05' function='0x0'/>
     </interface>
diff --git a/testing/config/kvm/venus.xml b/testing/config/kvm/venus.xml
index 77a333655..7a65ace75 100644
--- a/testing/config/kvm/venus.xml
+++ b/testing/config/kvm/venus.xml
@@ -5,7 +5,7 @@
   <currentMemory unit='KiB'>131072</currentMemory>
   <vcpu placement='static'>1</vcpu>
   <os>
-    <type arch='x86_64' machine='pc-1.1'>hvm</type>
+    <type arch='x86_64' machine='pc'>hvm</type>
 	<kernel>/var/run/kvm-swan-kernel</kernel>
     <cmdline>root=/dev/vda1 loglevel=1</cmdline>
     <boot dev='hd'/>
@@ -38,6 +38,7 @@
     <interface type='network'>
       <mac address='52:54:00:69:d3:80'/>
       <source network='vnet2'/>
+      <target dev='venus-eth0'/>
       <model type='virtio'/>
       <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0'/>
     </interface>
diff --git a/testing/config/kvm/vnet1.xml b/testing/config/kvm/vnet1.xml
index f9d979be1..94097ab6f 100644
--- a/testing/config/kvm/vnet1.xml
+++ b/testing/config/kvm/vnet1.xml
@@ -4,7 +4,7 @@
   <forward dev='lo' mode='route'>
     <interface dev='lo'/>
   </forward>
-  <bridge name='virbr1' stp='on' delay='0' />
+  <bridge name='test-br0' stp='on' delay='0' />
   <mac address='52:54:00:97:F9:FD'/>
   <ip address='192.168.0.254' netmask='255.255.255.0'>
   </ip>
diff --git a/testing/config/kvm/vnet2.xml b/testing/config/kvm/vnet2.xml
index 7d125bfc6..b21e7ed1f 100644
--- a/testing/config/kvm/vnet2.xml
+++ b/testing/config/kvm/vnet2.xml
@@ -4,7 +4,7 @@
   <forward dev='lo' mode='route'>
     <interface dev='lo'/>
   </forward>
-  <bridge name='virbr2' stp='on' delay='0' />
+  <bridge name='test-br1' stp='on' delay='0' />
   <mac address='52:54:00:05:F3:34'/>
   <ip address='10.1.0.254' netmask='255.255.0.0'>
   </ip>
diff --git a/testing/config/kvm/vnet3.xml b/testing/config/kvm/vnet3.xml
index 1da06c448..f46d9ec09 100644
--- a/testing/config/kvm/vnet3.xml
+++ b/testing/config/kvm/vnet3.xml
@@ -4,7 +4,7 @@
   <forward dev='lo' mode='route'>
     <interface dev='lo'/>
   </forward>
-  <bridge name='virbr3' stp='on' delay='0' />
+  <bridge name='test-br2' stp='on' delay='0' />
   <mac address='52:54:00:62:4C:69'/>
   <ip address='10.2.0.254' netmask='255.255.0.0'>
   </ip>
diff --git a/testing/config/kvm/winnetou.xml b/testing/config/kvm/winnetou.xml
index 99d5deb99..9410c73b8 100644
--- a/testing/config/kvm/winnetou.xml
+++ b/testing/config/kvm/winnetou.xml
@@ -5,7 +5,7 @@
   <currentMemory unit='KiB'>131072</currentMemory>
   <vcpu placement='static'>1</vcpu>
   <os>
-    <type arch='x86_64' machine='pc-1.1'>hvm</type>
+    <type arch='x86_64' machine='pc'>hvm</type>
 	<kernel>/var/run/kvm-swan-kernel</kernel>
     <cmdline>root=/dev/vda1 loglevel=1</cmdline>
     <boot dev='hd'/>
@@ -38,6 +38,7 @@
     <interface type='network'>
       <mac address='52:54:00:4b:23:fa'/>
       <source network='vnet1'/>
+      <target dev='winnetou-eth0'/>
       <model type='virtio'/>
       <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0'/>
     </interface>
diff --git a/testing/do-tests b/testing/do-tests
index fafbe6e89..d70c12c51 100755
--- a/testing/do-tests
+++ b/testing/do-tests
@@ -17,6 +17,7 @@
 DIR=$(dirname `readlink -f $0`)
 . $DIR/testing.conf
 . $DIR/scripts/function.sh
+SSHCONF="-F $DIR/ssh_config"
 
 [ -d $DIR/hosts ] || die "Directory 'hosts' not found"
 [ -d $DIR/tests ] || die "Directory 'tests' not found"
@@ -643,7 +644,7 @@ do
 	for host in $IPSECHOSTS
 	do
 	    eval HOSTLOGIN=root@\$ipv4_${host}
-	    ssh $SSHCONF $HOSTLOGIN "grep -E 'charon|last message repeated' \
+	    ssh $SSHCONF $HOSTLOGIN "grep -E 'charon|last message repeated|imcv' \
 		/var/log/auth.log" >> $TESTRESULTDIR/${host}.auth.log
 	done
 
@@ -655,7 +656,7 @@ do
 	for host in $IPSECHOSTS
 	do
 	    eval HOSTLOGIN=root@\$ipv4_${host}
-	    ssh $SSHCONF $HOSTLOGIN "grep -E 'charon|last message repeated' \
+	    ssh $SSHCONF $HOSTLOGIN "grep -E 'charon|last message repeated|imcv' \
 		/var/log/daemon.log" >> $TESTRESULTDIR/${host}.daemon.log
 	done
 
diff --git a/testing/hosts/default/etc/ld.so.conf.d/strongswan.conf b/testing/hosts/default/etc/ld.so.conf.d/strongswan.conf
new file mode 100644
index 000000000..8648d0185
--- /dev/null
+++ b/testing/hosts/default/etc/ld.so.conf.d/strongswan.conf
@@ -0,0 +1 @@
+/usr/local/lib/ipsec
diff --git a/testing/hosts/default/usr/local/bin/expect-file b/testing/hosts/default/usr/local/bin/expect-file
new file mode 100755
index 000000000..6921b6638
--- /dev/null
+++ b/testing/hosts/default/usr/local/bin/expect-file
@@ -0,0 +1,29 @@
+#!/bin/bash
+#
+# Wait until a given file appears
+#
+# Params:
+# $1 - filename
+# $2 - maximum time to wait in seconds, default is 5 seconds
+
+if [[ $# -lt 1 || $# -gt 2 ]]
+then
+	echo "invalid arguments"
+	exit 1
+fi
+
+secs=$2
+[ ! $secs ] && secs=5
+
+let steps=$secs*10
+for i in `seq 1 $steps`
+do
+	# -f does not work for special files (e.g. UNIX domain sockets), use ls
+	# instead
+	ls $1 >/dev/null 2>&1
+	[ $? -eq 0 ] && exit 0
+	sleep 0.1
+done
+
+echo "File '$1' not available after $secs second(s)"
+exit 1
diff --git a/testing/hosts/winnetou/etc/bind/K.+008+32329.key b/testing/hosts/winnetou/etc/bind/K.+008+32329.key
new file mode 100644
index 000000000..9f4e5ea5d
--- /dev/null
+++ b/testing/hosts/winnetou/etc/bind/K.+008+32329.key
@@ -0,0 +1,5 @@
+; This is a key-signing key, keyid 32329, for .
+; Created: 20130213194956 (Wed Feb 13 20:49:56 2013)
+; Publish: 20130213194956 (Wed Feb 13 20:49:56 2013)
+; Activate: 20130213194956 (Wed Feb 13 20:49:56 2013)
+. IN DNSKEY 257 3 8 AwEAAbcskaratFgvgvXl0bNq4I43ZBzd9jYnoPqsIcA0ahqXlUTUa+c2 XzN2mS7DGcI4Z5Gn+8v/Ih4lQJQrlf9I/c2HjooCAsK1bA5cRS2DiU+b L6Ge0nLtvNOf4C0MHGLrWcDONg5QoL0OcFvMXuUtOvDkoIMdtfDYDScx E9vSokc98Sx553/MTxpssXeM9i+OauGqohIZU+MVRdWwvJPieCL7Ma4b AttgG+KSbQy7x/qXPISoqzwGQvCxsL93fvD/cpp+KziqA0oH+Dfryvc5 nWdCdra4gYz7WCFFwcY1PW6PbL5ie4jnjl3WWxopuzT46HKROxDhE+FO O9fOgGnjzAk=
diff --git a/testing/hosts/winnetou/etc/bind/K.+008+32329.private b/testing/hosts/winnetou/etc/bind/K.+008+32329.private
new file mode 100644
index 000000000..8ad5cd6ae
--- /dev/null
+++ b/testing/hosts/winnetou/etc/bind/K.+008+32329.private
@@ -0,0 +1,13 @@
+Private-key-format: v1.3
+Algorithm: 8 (RSASHA256)
+Modulus: tyyRqtq0WC+C9eXRs2rgjjdkHN32Nieg+qwhwDRqGpeVRNRr5zZfM3aZLsMZwjhnkaf7y/8iHiVAlCuV/0j9zYeOigICwrVsDlxFLYOJT5svoZ7Scu2805/gLQwcYutZwM42DlCgvQ5wW8xe5S068OSggx218NgNJzET29KiRz3xLHnnf8xPGmyxd4z2L45q4aqiEhlT4xVF1bC8k+J4IvsxrhsC22Ab4pJtDLvH+pc8hKirPAZC8LGwv3d+8P9ymn4rOKoDSgf4N+vK9zmdZ0J2triBjPtYIUXBxjU9bo9svmJ7iOeOXdZbGim7NPjocpE7EOET4U47186AaePMCQ==
+PublicExponent: AQAB
+PrivateExponent: cOOQ6uFa4DZ32aBHuvGVb1CH7JqHER0fQx4utswW0Ei3f/IChj6mMYtYIM+w4lfszIHg1vpoRnfi8u5hxTFw6egvWrKejO1OqRMIt2Inj94uXscJIDeQdkRD3r9mBzjQ2di8y9m5For9iDXODiPv/WKJ4gS/iq08ffjrKkEILirduFpG+EcopBy4MJeAMAkATkRsATEHgEbyqulP7gMwAnQ6vXFbTybfZQWWSgANabGikKMmGroJMChBGJ2Q9c7mHVpXu2IhMqYRKHWmBA5v/OrEc21dNxRGXsZuq+iu3P8o5MLHgX6YDB9nB3OVb47Prg/BxHYdQid2PwX0A0qZeQ==
+Prime1: 2ovikMXe1sTJ2xYPHgofDMmDXUwgpHu/nsCbdDHhyHIMllLXWsefuAFGQug/DDDg69oZGhNkah53uU9XAEyy6uiFJKgnzBTqCg+QmuZnuiuiQ4QjZ/g2x6R2MvzTZLOAQOaOLA3GVsgOh5msyO1kaatES4m2Pbp3xF6CYkhVRlc=
+Prime2: 1pDSXUoE/dwWCebwJHyKLQ3RSGn1o3EHeKZKnqZpABMSPs7imeoVQVZomidjUjHxkB9jbE8nqN15U/Ui4WuZKM+LPbiknaC+h2Y8v6p3u5XQSR0l1cWwdo7BZtdUkcuqSwpL0mnwnmLc6ZQrr13GXnk3qm1ymXST3MFWCWjyRJ8=
+Exponent1: 02q1b8XrT6qpd2a8kxvJc85RZWTqwxPviDzdZaeHuygRYy6apHgu24toE/umWj3CqIag9+fAoSP+P+cvy9tmzfbILnD5puSoj7kE88RmnePuIhBnTAIDxFgl/Cc2vNkk/iPLb3SX5YW9AJK6Ytm75LlI5SZAhTCpAe9HhJpi3Bs=
+Exponent2: deHfEY3nLCnMmegdK46Yw6QBxU0hvYgN2MVT3dIDghz4OzWi3Xjz8I+urHLTaIcz9kCoeQsL+QSk8fGOFlbtMLTGBUT6e/eidfU/jvXzDkaCxoiTDt2r05cevoezWN6SUuP3QEUgA4TBZjsXvSNCJwlmAeZbvd+ElRZLVKQp5nU=
+Coefficient: mtSrbS9kgU1yoTaaY4C6jTnfa43wvHi9pGHW5TUSjRQ9YnCsxy6GiuhmCcKB4iDUzWvIHehfGF5A8UaIF4GvIWcSj1FYO1uBrre5mKMxk89Y7oGtwF2qVbpPHAL4GKHPOUzmfr0vR+nT1PFs1Gr1BF+hkYgluh05KEu0flOZoAk=
+Created: 20130213194956
+Publish: 20130213194956
+Activate: 20130213194956
diff --git a/testing/hosts/winnetou/etc/bind/K.+008+43749.key b/testing/hosts/winnetou/etc/bind/K.+008+43749.key
new file mode 100644
index 000000000..de00dec2d
--- /dev/null
+++ b/testing/hosts/winnetou/etc/bind/K.+008+43749.key
@@ -0,0 +1,5 @@
+; This is a zone-signing key, keyid 43749, for .
+; Created: 20130213194939 (Wed Feb 13 20:49:39 2013)
+; Publish: 20130213194939 (Wed Feb 13 20:49:39 2013)
+; Activate: 20130213194939 (Wed Feb 13 20:49:39 2013)
+. IN DNSKEY 256 3 8 AwEAAdMS+CyW9m8yB6rwrqsdfMW41AWim1T/ehg4Un/9qADFEZN9T7NK 9PI+DD3Dr72Z2ZO4hrKXB2Xe0nlvsCUjTfCwdGqgz9YLv2WfXzqRksxF gQXmzAdG7JGH+7YmXq7AAF3246caa+wMXAGRdUUCiQf87CnAaZXJ1kUz wHw3Arp5
diff --git a/testing/hosts/winnetou/etc/bind/K.+008+43749.private b/testing/hosts/winnetou/etc/bind/K.+008+43749.private
new file mode 100644
index 000000000..fb0f442f3
--- /dev/null
+++ b/testing/hosts/winnetou/etc/bind/K.+008+43749.private
@@ -0,0 +1,13 @@
+Private-key-format: v1.3
+Algorithm: 8 (RSASHA256)
+Modulus: 0xL4LJb2bzIHqvCuqx18xbjUBaKbVP96GDhSf/2oAMURk31Ps0r08j4MPcOvvZnZk7iGspcHZd7SeW+wJSNN8LB0aqDP1gu/ZZ9fOpGSzEWBBebMB0bskYf7tiZersAAXfbjpxpr7AxcAZF1RQKJB/zsKcBplcnWRTPAfDcCunk=
+PublicExponent: AQAB
+PrivateExponent: MWEqtiPLG1B1AsSz2ExZuFf5IihcdpIeGjRy+IZ7G1L/PaX/U06h51okuv5gytaHVEvDF1zF2ks6qjY62zVbMhr69/a6XjP6QWtiDmJgAnOjRqnKs8ZfEE3rsdauDtPPUIclNr9LnJtOz32oVlvxQXn/zVCE421eKlIKZIS0AEE=
+Prime1: 8iaE9VEf9lmYEBM7m5Z/maTvP+RjYvmVx7gdnBDzHkw1ZZkc/27sSI1bvgPZ55ZSiH+324OHwQp3A5m2P9th1Q==
+Prime2: 3yVw5TpfBOSteVUMtkvUqI7o0TnUoMeGuKZyXUo8GfQz8oGKoZgmdBJTETmmV4gXPtaEMFUxD4PhJw5ralrkFQ==
+Exponent1: QPWeY2Tw6xhb16whKHr2HhSF7iDpnIqR6LL2loBhh/YvuOKbSdbK4iexvcawtRS5bU691tBxIZMaHEgnAPhsRQ==
+Exponent2: iw5B9BcT73CxydJ+QXuv4fpsizWGk0rDYX4X9pq0KVhMpuqjAWBXVi21Jh7O0e00zyvO5G+ySwDb5gLOXVCWoQ==
+Coefficient: b46+74v/ETHVVKxqdXZWf9r5RL/08AyxScYrT5qDXhJ+QeGZa1jRxrWp469FWltzliP68jLh2om6F4IjAK5o0g==
+Created: 20130213194939
+Publish: 20130213194939
+Activate: 20130213194939
diff --git a/testing/hosts/winnetou/etc/bind/Korg.+008+24285.key b/testing/hosts/winnetou/etc/bind/Korg.+008+24285.key
new file mode 100644
index 000000000..44043b485
--- /dev/null
+++ b/testing/hosts/winnetou/etc/bind/Korg.+008+24285.key
@@ -0,0 +1,5 @@
+; This is a zone-signing key, keyid 24285, for org.
+; Created: 20130213191908 (Wed Feb 13 20:19:08 2013)
+; Publish: 20130213191908 (Wed Feb 13 20:19:08 2013)
+; Activate: 20130213191908 (Wed Feb 13 20:19:08 2013)
+org. IN DNSKEY 256 3 8 AwEAAa6IO30MFlgyj0hJLe0vqvHLr1/4kRCNl/Biz7VYwgzRkiYxHxLJ U+i8/r9rEWU85Q6WEt77xQ+HyxzwmoXpSaMtymYifNFZnvwl31CbkzIB FTtBUQ3BCKZjv0WgpLExDqAKgclCWBZ1PrHvDn1HTl6mMgCpiWothzkn zoNbB0g9
diff --git a/testing/hosts/winnetou/etc/bind/Korg.+008+24285.private b/testing/hosts/winnetou/etc/bind/Korg.+008+24285.private
new file mode 100644
index 000000000..e707bb6bb
--- /dev/null
+++ b/testing/hosts/winnetou/etc/bind/Korg.+008+24285.private
@@ -0,0 +1,13 @@
+Private-key-format: v1.3
+Algorithm: 8 (RSASHA256)
+Modulus: rog7fQwWWDKPSEkt7S+q8cuvX/iREI2X8GLPtVjCDNGSJjEfEslT6Lz+v2sRZTzlDpYS3vvFD4fLHPCahelJoy3KZiJ80Vme/CXfUJuTMgEVO0FRDcEIpmO/RaCksTEOoAqByUJYFnU+se8OfUdOXqYyAKmJai2HOSfOg1sHSD0=
+PublicExponent: AQAB
+PrivateExponent: Enac/HSL5Jasq7P6JM5XIi8vBVMRXZPtD+QUHxYdqSd+c4XcyKr9snBT7sIP3AreHHXp1ycBSMxPw2b8oc/1Fx5UcCdfL2Sygw2l9oDG2nVWX5taLZgNe1t+Bbsf7fqUxBu0fYHx42xvRHPNwV+8VsDa2TDGRImH8MlPuVbHt2E=
+Prime1: 375Bu+m6egBN6k2P82oE8mUuLVYnJDOQ90ipG6Vcfxy7HTzObX+Ismw171oMASLrwMV8UWohp8cbFiira/4ruQ==
+Prime2: x7G7d58Pycz+Wox3ez8/livTQ4wXYb/ykUzgycOVJaPPRX9siz10rVfl5Y3sXQlsR4xFSl6GKFAc11MbmS7qpQ==
+Exponent1: aPk+pgd28h6Kb8+MJkwrnf5St/qfyqBW924jyVDAIPM95u3MfBtF61BRzcaVs0LLEVqWhSwiNjF4R+E07CoIIQ==
+Exponent2: T3kaZJb3D5b3u02f13rqcXdrkrxUKeDcRptT8rhVyS8SNFRr/FYu8zXCFsOOx9ASOb9HbDuGJNENSVyX5TTYyQ==
+Coefficient: GsFR4s38eNTqazXvDLcSG+166dSIRRWUrIMR85veIchQY7lsFTRFEmwKX43OsXvSZUMIE2svwIgclhP/FefcUw==
+Created: 20130213191908
+Publish: 20130213191908
+Activate: 20130213191908
diff --git a/testing/hosts/winnetou/etc/bind/Korg.+008+51859.key b/testing/hosts/winnetou/etc/bind/Korg.+008+51859.key
new file mode 100644
index 000000000..7a617ecbe
--- /dev/null
+++ b/testing/hosts/winnetou/etc/bind/Korg.+008+51859.key
@@ -0,0 +1,5 @@
+; This is a key-signing key, keyid 51859, for org.
+; Created: 20130213191920 (Wed Feb 13 20:19:20 2013)
+; Publish: 20130213191920 (Wed Feb 13 20:19:20 2013)
+; Activate: 20130213191920 (Wed Feb 13 20:19:20 2013)
+org. IN DNSKEY 257 3 8 AwEAAfAyiINF1/fIyebiAZhG3kFxv1+j3D3TxNBPccbiVUgYSnse95mb mn40KgguCljoi6kDu10Qo+XUwpR78dGJiqvKfej7cz6wbIr5qu9Kv7f8 lJPRQ2igxZ/0ZCLXGbozRuQGy39klQeG98fwxNkzHqXRxkhyAgpY8E2B umRsi2Cca/vKF+6OpNx9b8RXIBcUTdhx0Vjg+3gYhSRR1rPB160sbaL+ v3Fxv9ZzOIY9ekforNxuqV9/U0DCiOhgpZC7H+5ShPb0VNzYvv0IwIAG VPVEJdh5SNPQ0LclPXcR3av+DpjvdY5oAOn/mLPCHjxBnzOl7Q3P43dL DtYdKb9mGnk=
diff --git a/testing/hosts/winnetou/etc/bind/Korg.+008+51859.private b/testing/hosts/winnetou/etc/bind/Korg.+008+51859.private
new file mode 100644
index 000000000..698cb4f80
--- /dev/null
+++ b/testing/hosts/winnetou/etc/bind/Korg.+008+51859.private
@@ -0,0 +1,13 @@
+Private-key-format: v1.3
+Algorithm: 8 (RSASHA256)
+Modulus: 8DKIg0XX98jJ5uIBmEbeQXG/X6PcPdPE0E9xxuJVSBhKex73mZuafjQqCC4KWOiLqQO7XRCj5dTClHvx0YmKq8p96PtzPrBsivmq70q/t/yUk9FDaKDFn/RkItcZujNG5AbLf2SVB4b3x/DE2TMepdHGSHICCljwTYG6ZGyLYJxr+8oX7o6k3H1vxFcgFxRN2HHRWOD7eBiFJFHWs8HXrSxtov6/cXG/1nM4hj16R+is3G6pX39TQMKI6GClkLsf7lKE9vRU3Ni+/QjAgAZU9UQl2HlI09DQtyU9dxHdq/4OmO91jmgA6f+Ys8IePEGfM6XtDc/jd0sO1h0pv2YaeQ==
+PublicExponent: AQAB
+PrivateExponent: pJ69mNqhbZ0bYzW6Shcn9Ep1EqNHKsictvf7zocIU+TyBvfuUkSm2Z/+vqRvSwf1z9xS6TGiYr4yrXlU/nr5o0ugh7DuByT6/zSlxmLAiuR9H+HoBSlKyJnCl248n7TM/TL6/VB+Iy6JW2rUPtgeRR9EehpI87aI21Xx3SnXTFoUTP7Z9HwoWEPOaU1SfYvBDLjZ0GTtMJ4i/LRB/rC6sbetqru4MTCAhsr8VrcH6YsFu5JrlmG+/dTEi005DrZPUOnKaDf4w3TbgSeTfbFJmvpfOoJObGm+Pc1PtxgfVUVdDWGK/LSNbTdqPQkPGlOI1sUETFNMKOY0S66H5q44QQ==
+Prime1: /y8kGw8mAtAuvISUtlUao7srcSphvvMLpxvgOB22u2wgzD51VdPRr2Inv1SJN7SGoJ9ERNLnfBnc1KFBOqtvf5uOwHD4++U80H+qWS+1aNgmMEa+IQ5WamQSPvUWFkhF6TjJnwY4rATfK2FGh00n6O3IOMjDxYyDs/M/j62/VQ0=
+Prime2: 8PcgSGgYGveDwkocfVkF0uuWRMVtfY3O/tiYSuCfkFP/++7eKMXQekmBay+5a5YUSZ6UwDFqduC/tYIuvGBi0rv+lzZJ8ydz/sdmQ+aqS3/g6oerGaTUjRV560OKWCwiMIfwQqaN+ivXdBFgGCJnaah65wiQ9W0xeTJqORQxWB0=
+Exponent1: dL3+SJrPiu3u07PbzOZ2P317TFRVT2QlapfoJgQB+xBmmMniKBe1kATZpkBoXiGqjYUPWGUcHbw/OM9k5hBT/A8QaZ3FaoffIIunRRH8bjCkl+VlSf4jLp0Fc+Pv7NW3lhCyvJu+BYRdDJ1+BJwZrAhMVx4R4ih8gDDCXVrhc2k=
+Exponent2: QQvEuCb5UtY7yAevdxq/2rbjon7U1o6gMOUQ/y1xhUlXkY9igwkbBNewytlgKS2jHlhjeRodzidPONUCfrFaG97Jk9IA1lVxF3aGIZAzqhvEACtNQafgBJGmjp51yuVm+UjIz4UcUErjZx6FnR40Yi4rtw/16XpnX3r/d5b+1vU=
+Coefficient: hAE0/Fdc6enFMymrfGW8o4lDauKQj7yQ16hw3IoOlrRLUpXqLiEnk+J6kzkSqgiW+ZC2v5Qq8mTC/3Q//ddWgaLX/LlbItitTlhQCS7hlV33ZkyvLBBjonYztnI+LHnIkj/omjumEzeQGR40TAh4FAgByRNXG2IOrLavfR/iPC8=
+Created: 20130213191920
+Publish: 20130213191920
+Activate: 20130213191920
diff --git a/testing/hosts/winnetou/etc/bind/Kstrongswan.org.+008+00481.key b/testing/hosts/winnetou/etc/bind/Kstrongswan.org.+008+00481.key
new file mode 100644
index 000000000..a2d755ff4
--- /dev/null
+++ b/testing/hosts/winnetou/etc/bind/Kstrongswan.org.+008+00481.key
@@ -0,0 +1,5 @@
+; This is a key-signing key, keyid 481, for strongswan.org.
+; Created: 20130213175556 (Wed Feb 13 18:55:56 2013)
+; Publish: 20130213175556 (Wed Feb 13 18:55:56 2013)
+; Activate: 20130213175556 (Wed Feb 13 18:55:56 2013)
+strongswan.org. IN DNSKEY 257 3 8 AwEAAcXfcWvCGzQq80q9JX1Wvz0lwA/fi1XZmega350wGR8WdFCklvmK fAzNaf1CrvN3bH9Gl2VEEhkYMF6h6kVFTU7taspq5t0bLwgCK/nS8QzK TLWvzWdyVayiHfij1PPwnQV5FADBTE5mMEkmn82+PKg6jaKs3ANsc0BP bGSsGIxhUKliLxJEd+6KSl/+ouQD9RfCD5sz9NIF+IXv1ZGp2Rjf+6vK bPO8f0hmttwE/OzKyBgysLBbd6fw2pKOBhunVFmUYPaHM9zLTydzuSIA X9iSeM6HtAvlKgK0JGgPEFrX+jPG6wDvJfzzakx85rMkRGc31NFiFLqM ooWxy1674/U=
diff --git a/testing/hosts/winnetou/etc/bind/Kstrongswan.org.+008+00481.private b/testing/hosts/winnetou/etc/bind/Kstrongswan.org.+008+00481.private
new file mode 100644
index 000000000..cfa7e83c4
--- /dev/null
+++ b/testing/hosts/winnetou/etc/bind/Kstrongswan.org.+008+00481.private
@@ -0,0 +1,13 @@
+Private-key-format: v1.3
+Algorithm: 8 (RSASHA256)
+Modulus: xd9xa8IbNCrzSr0lfVa/PSXAD9+LVdmZ6BrfnTAZHxZ0UKSW+Yp8DM1p/UKu83dsf0aXZUQSGRgwXqHqRUVNTu1qymrm3RsvCAIr+dLxDMpMta/NZ3JVrKId+KPU8/CdBXkUAMFMTmYwSSafzb48qDqNoqzcA2xzQE9sZKwYjGFQqWIvEkR37opKX/6i5AP1F8IPmzP00gX4he/VkanZGN/7q8ps87x/SGa23AT87MrIGDKwsFt3p/Dako4GG6dUWZRg9ocz3MtPJ3O5IgBf2JJ4zoe0C+UqArQkaA8QWtf6M8brAO8l/PNqTHzmsyREZzfU0WIUuoyihbHLXrvj9Q==
+PublicExponent: AQAB
+PrivateExponent: SIEdgEy5xx3N1B8Gs6yrmm5QuABDgAuh94iRU3miWt/RcxM8NuflmJNUOPbMQG4MFX76TqLotsVERAi0XPmN4FPig5U0TuR9EUQqdPo0VWlzPkfSzgr5Fa65qLfvegs6nhzFlZk+qqOLIeLDP5Jri4EZEPiiDacZfAEeSK0+uYDxxNCSShcYFqd9kIcqFS9pk0tcqVOZY55xjEHlk35+N08TvC+H6OnFyppz24TAuU9vqxtdGYEt6+BXnwG8MI6hCv16PkHJKeJVeC3tIl+cO+TYMMaWeI+8MXX+GIfyAOaAGj0pi3BnpUOiiLtwO0P3mi7mxB2/0Jzx2c8lLvLqaQ==
+Prime1: 8UFH1F2bt+1B2ssTHiPq+nqw/VYMTVUw+Hju79hVg2TugP0OEat00BqmZU4+bI1YscpwmWHZAU8wHvhMyjomol4+KplqxALXes3WMTijs9qXZIAX48yuakWyOrPLgUdNYwnvtcrC0vxJXk9G1lhOXDzHxmLD+HVd37SlUGvFvy8=
+Prime2: 0fdlpeBJzmDDLYz7GP2oCLhuxvUXl4xFKDDJMAikdjgpZI8wTHAyNOY9BQMZGDUkrozrxWzYpcDLyEuhVfQFl7fvlOy6c8cnHPar6JPLFhcV1g2tSiXGnUVfusVytwtDdApAPKVtFeaC3HX+jil0SmO4uqw6wXtkwwsH7aeMZhs=
+Exponent1: Utd/usSJ/BZUTrT805Sx02Dd9Z/eiY9/SVL9eQ5oDr5Rx6kdc6PUcME18gN0HAJNOn+xOnoG8hQnCftpIufk7ExAPJCBwNzY8SpNKomwbMnawn/ZtDdMjOFx2gZzEulRAXkf/uSpEZnf96pxQJkCD1ovn0e600459d8qBPt847E=
+Exponent2: Y+w99rwPw+Su3j2qvhDxZ/0F0y+O47OAsgjNpktmoVBG+rFeRfJbImuz/G+mAKxB4cP07IbJb9CZ6p97j2FLTBHgNdqXPUQ47ALEezHiw4eG/9CQeKoTpIMAdO1Ek7ILjuzV90au7G5ANtT8qQE3c7OTlVsjtzKXGG9mfYZwPaM=
+Coefficient: zqyn6OSkR2j10qY+a+Yma8kiOnUdcqvk1TW8CpG9+ch9T0mlCSiB7wPkWiIqkK8fP0qVkuurIvsxEARa0FFDTZDM5g5nJ8G26LsoNj1LA8hp0xH/UB/2pSXzo1Coc3f2VAuZEunFoNxEq0XBaZm4XLbPc3cOvVeL8WmSrf2K6lU=
+Created: 20130213175556
+Publish: 20130213175556
+Activate: 20130213175556
diff --git a/testing/hosts/winnetou/etc/bind/Kstrongswan.org.+008+09396.key b/testing/hosts/winnetou/etc/bind/Kstrongswan.org.+008+09396.key
new file mode 100644
index 000000000..6f8eb8c70
--- /dev/null
+++ b/testing/hosts/winnetou/etc/bind/Kstrongswan.org.+008+09396.key
@@ -0,0 +1,5 @@
+; This is a zone-signing key, keyid 9396, for strongswan.org.
+; Created: 20130213175239 (Wed Feb 13 18:52:39 2013)
+; Publish: 20130213175239 (Wed Feb 13 18:52:39 2013)
+; Activate: 20130213175239 (Wed Feb 13 18:52:39 2013)
+strongswan.org. IN DNSKEY 256 3 8 AwEAAa5Lb6qTxuy4ZJBDoDStnmstIU5nAsliu6UKZ6imLEg2ufAXfz7f fOtIh2/QECp80GgUDBStMvVJfRjXeJUgavM8d0Ob/rJfl1uH/buyO7Yj D+64n9t29pEuFKSAR+tYyUYk5iTidqE/CNltNkps9wc1wBAxK8ouSVXd bNvV9pvZ
diff --git a/testing/hosts/winnetou/etc/bind/Kstrongswan.org.+008+09396.private b/testing/hosts/winnetou/etc/bind/Kstrongswan.org.+008+09396.private
new file mode 100644
index 000000000..2a91d9106
--- /dev/null
+++ b/testing/hosts/winnetou/etc/bind/Kstrongswan.org.+008+09396.private
@@ -0,0 +1,13 @@
+Private-key-format: v1.3
+Algorithm: 8 (RSASHA256)
+Modulus: rktvqpPG7LhkkEOgNK2eay0hTmcCyWK7pQpnqKYsSDa58Bd/Pt9860iHb9AQKnzQaBQMFK0y9Ul9GNd4lSBq8zx3Q5v+sl+XW4f9u7I7tiMP7rif23b2kS4UpIBH61jJRiTmJOJ2oT8I2W02Smz3BzXAEDEryi5JVd1s29X2m9k=
+PublicExponent: AQAB
+PrivateExponent: rT8wnPZNGgnjc/60ZQha2p++ZodAHtt0N4XTKbEbfSBgzEUe52kQa3LppPvExebQ5VNf+sF6UJSesy2in2DczIqBOo2iftjKHXXWlnZN6ApN0v+oVmWxbvsEzODbeMOYklAzZd/QHvcNJCVHr+6WzxFlu5vnRwwF3vAEbFw+hIE=
+Prime1: 59ugOWNLFlyOP/m7iYkr3vrei7vhT0c1IvIlBYiDSX6Ns98reI21KFXHjAl7jfx0DjJXZBK4VYCfFm7/nFS7KQ==
+Prime2: wHFpgOLWd6AQfDscdkE7+rCHiaYKBADAUZ7smJni1rWFfQix+wm4qZRyrFjgT3mIZdWICJiFjh0qdrM9SvqhMQ==
+Exponent1: ndmuiaOKGV1GE1QoU4ip75MINEXjLSAjkvkcL1ozV7PrMUx8wgRoE1/jDPnfvljjgk7PpHgCO2Pn61QCfiJJkQ==
+Exponent2: vUKMdQIh1DIqJFNqEW7kkw5rrdcKwJcQjPUUUJv/OBP7fVVA3NfZsYVaJd+ecureVvBiwblml7ZdXbG3VPcZ8Q==
+Coefficient: D6wuDQKGBlZjXQov//tXMrwhWMFhNzXfBbZCSz7td3RLspi7TJkDBFIXmJolXCLpB+Y5TNOa/3FDA8rWEIQm9w==
+Created: 20130213175239
+Publish: 20130213175239
+Activate: 20130213175239
diff --git a/testing/hosts/winnetou/etc/bind/bind.keys b/testing/hosts/winnetou/etc/bind/bind.keys
new file mode 100644
index 000000000..b991fa3c4
--- /dev/null
+++ b/testing/hosts/winnetou/etc/bind/bind.keys
@@ -0,0 +1,46 @@
+/* $Id: bind.keys,v 1.7 2011/01/03 23:45:07 each Exp $ */
+# The bind.keys file is used to override the built-in DNSSEC trust anchors
+# which are included as part of BIND 9.  As of the current release, the only
+# trust anchors it contains are those for the DNS root zone ("."), and for
+# the ISC DNSSEC Lookaside Validation zone ("dlv.isc.org").  Trust anchors
+# for any other zones MUST be configured elsewhere; if they are configured
+# here, they will not be recognized or used by named.
+#
+# The built-in trust anchors are provided for convenience of configuration.
+# They are not activated within named.conf unless specifically switched on.
+# To use the built-in root key, set "dnssec-validation auto;" in
+# named.conf options.  To use the built-in DLV key, set
+# "dnssec-lookaside auto;".  Without these options being set,
+# the keys in this file are ignored.
+#
+# This file is NOT expected to be user-configured.
+#
+# These keys are current as of January 2011.  If any key fails to
+# initialize correctly, it may have expired.  In that event you should
+# replace this file with a current version.  The latest version of
+# bind.keys can always be obtained from ISC at https://www.isc.org/bind-keys.
+
+managed-keys {
+	# ISC DLV: See https://www.isc.org/solutions/dlv for details.
+        # NOTE: This key is activated by setting "dnssec-lookaside auto;"
+        # in named.conf.
+	dlv.isc.org. initial-key 257 3 5 "BEAAAAPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWEn4MxDCE1+lLy2
+		brhQv5rN32RKtMzX6Mj70jdzeND4XknW58dnJNPCxn8+jAGl2FZLK8t+
+		1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0PG73Te9fZ2kJb56dhgMde5
+		ymX4BI/oQ+cAK50/xvJv00Frf8kw6ucMTwFlgPe+jnGxPPEmHAte/URk
+		Y62ZfkLoBAADLHQ9IrS2tryAe7mbBZVcOwIeU/Rw/mRx/vwwMCTgNboM
+		QKtUdvNXDrYJDSHZws3xiRXF1Rf+al9UmZfSav/4NWLKjHzpT59k/VSt
+		TDN0YUuWrBNh";
+
+	# ROOT KEY: See https://data.iana.org/root-anchors/root-anchors.xml
+	# for current trust anchor information.
+        # NOTE: This key is activated by setting "dnssec-validation auto;"
+        # in named.conf.
+	. initial-key 257 3 8 "AwEAAbcskaratFgvgvXl0bNq4I43ZBzd9jYnoPqsIcA0ahqXlUTUa+c2
+		XzN2mS7DGcI4Z5Gn+8v/Ih4lQJQrlf9I/c2HjooCAsK1bA5cRS2DiU+b
+		L6Ge0nLtvNOf4C0MHGLrWcDONg5QoL0OcFvMXuUtOvDkoIMdtfDYDScx
+		E9vSokc98Sx553/MTxpssXeM9i+OauGqohIZU+MVRdWwvJPieCL7Ma4b
+		AttgG+KSbQy7x/qXPISoqzwGQvCxsL93fvD/cpp+KziqA0oH+Dfryvc5
+		nWdCdra4gYz7WCFFwcY1PW6PbL5ie4jnjl3WWxopuzT46HKROxDhE+FO
+		O9fOgGnjzAk=";
+};
diff --git a/testing/hosts/winnetou/etc/bind/db.org b/testing/hosts/winnetou/etc/bind/db.org
new file mode 100644
index 000000000..ecd2c23c1
--- /dev/null
+++ b/testing/hosts/winnetou/etc/bind/db.org
@@ -0,0 +1,40 @@
+;
+; Zonefile for the org zone
+;
+$TTL	604800
+@		IN	SOA	ns1.org.	root.org. (
+				     1		; Serial
+				 604800		; Refresh
+				  86400		; Retry	
+				2419200		; Expire
+				 604800 )	; Negative Cache TTL
+;
+@		IN	NS	ns1.org.
+ns1		IN	A	192.168.0.150
+ns1		IN	AAAA	fe80::fcfd:c0ff:fea8:96
+;
+strongswan	IN	NS	ns1.strongswan.org.
+ns1.strongswan	IN	A	192.168.0.150
+ns1.strongswan	IN	AAAA	fe80::fcfd:c0ff:fea8:96
+;
+strongswan.org.	IN	DS	481 8 1 5B239B124E38890C1853F5ECF299DEDEB5537E55
+strongswan.org.	IN	DS	481 8 2 FEE6842CA2322347D818318D278A929E0B9FD82353B84AE94A6A4C7B 1DFB4FEE
+;
+; This is a zone-signing key, keyid 24285, for org.
+org.		IN	DNSKEY	256 3 8	(
+				AwEAAa6IO30MFlgyj0hJLe0vqvHLr1/4kRCNl/Biz7VYwgzRkiYxHxLJ
+				U+i8/r9rEWU85Q6WEt77xQ+HyxzwmoXpSaMtymYifNFZnvwl31CbkzIB
+				FTtBUQ3BCKZjv0WgpLExDqAKgclCWBZ1PrHvDn1HTl6mMgCpiWothzkn
+				zoNbB0g9
+				)
+;
+; This is a key-signing key, keyid 51859, for org.
+org.		IN	DNSKEY	257 3 8 (
+				AwEAAfAyiINF1/fIyebiAZhG3kFxv1+j3D3TxNBPccbiVUgYSnse95mb
+				mn40KgguCljoi6kDu10Qo+XUwpR78dGJiqvKfej7cz6wbIr5qu9Kv7f8
+				lJPRQ2igxZ/0ZCLXGbozRuQGy39klQeG98fwxNkzHqXRxkhyAgpY8E2B
+				umRsi2Cca/vKF+6OpNx9b8RXIBcUTdhx0Vjg+3gYhSRR1rPB160sbaL+
+				v3Fxv9ZzOIY9ekforNxuqV9/U0DCiOhgpZC7H+5ShPb0VNzYvv0IwIAG
+				VPVEJdh5SNPQ0LclPXcR3av+DpjvdY5oAOn/mLPCHjxBnzOl7Q3P43dL
+				DtYdKb9mGnk=
+				)
diff --git a/testing/hosts/winnetou/etc/bind/db.root b/testing/hosts/winnetou/etc/bind/db.root
new file mode 100644
index 000000000..cfbbbc8bf
--- /dev/null
+++ b/testing/hosts/winnetou/etc/bind/db.root
@@ -0,0 +1,40 @@
+;
+; Zonefile for the root zone
+;
+$TTL	604800
+@		IN	SOA	ns1.	root. (
+				     1		; Serial
+				 604800		; Refresh
+				  86400		; Retry	
+				2419200		; Expire
+				 604800 )	; Negative Cache TTL
+;
+@		IN	NS	ns1.
+ns1		IN	A	192.168.0.150
+ns1		IN	AAAA	fe80::fcfd:c0ff:fea8:96
+;
+org		IN	NS	ns1.org.
+ns1.org		IN	A	192.168.0.150
+ns1.org		IN	AAAA	fe80::fcfd:c0ff:fea8:96
+;
+org.		IN	DS 	51859 8 1 5075E7B1185CFCC744364EC45D2E03CBA6178929
+org.		IN	DS 	51859 8 2 9122D2557F70A8CE5CB14E85BF5D966848FC7016A0E2E021012F33B8 398770A9
+;
+; This is a zone-signing key, keyid 43749, for .
+.		IN	DNSKEY	256 3 8	(
+				AwEAAdMS+CyW9m8yB6rwrqsdfMW41AWim1T/ehg4Un/9qADFEZN9T7NK
+				9PI+DD3Dr72Z2ZO4hrKXB2Xe0nlvsCUjTfCwdGqgz9YLv2WfXzqRksxF
+				gQXmzAdG7JGH+7YmXq7AAF3246caa+wMXAGRdUUCiQf87CnAaZXJ1kUz
+				wHw3Arp5
+				)
+;
+; This is a key-signing key, keyid 32329, for .
+.		IN	DNSKEY	257 3 8	(
+				AwEAAbcskaratFgvgvXl0bNq4I43ZBzd9jYnoPqsIcA0ahqXlUTUa+c2
+				XzN2mS7DGcI4Z5Gn+8v/Ih4lQJQrlf9I/c2HjooCAsK1bA5cRS2DiU+b
+				L6Ge0nLtvNOf4C0MHGLrWcDONg5QoL0OcFvMXuUtOvDkoIMdtfDYDScx
+				E9vSokc98Sx553/MTxpssXeM9i+OauGqohIZU+MVRdWwvJPieCL7Ma4b
+				AttgG+KSbQy7x/qXPISoqzwGQvCxsL93fvD/cpp+KziqA0oH+Dfryvc5
+				nWdCdra4gYz7WCFFwcY1PW6PbL5ie4jnjl3WWxopuzT46HKROxDhE+FO
+				O9fOgGnjzAk=
+				)
diff --git a/testing/hosts/winnetou/etc/bind/db.strongswan.org b/testing/hosts/winnetou/etc/bind/db.strongswan.org
new file mode 100644
index 000000000..dfd2705cb
--- /dev/null
+++ b/testing/hosts/winnetou/etc/bind/db.strongswan.org
@@ -0,0 +1,88 @@
+;
+; Zonefile for the strongswan.org zone
+;
+$TTL	604800
+@		IN	SOA	ns1.strongswan.org.	root.strongswan.org. (
+				     1			; Serial
+				 604800			; Refresh
+				  86400			; Retry	
+				2419200			; Expire
+				 604800 )		; Negative Cache TTL
+;
+@		IN	NS	ns1.strongswan.org.
+ns1		IN	A	192.168.0.150	
+ns1		IN	AAAA	fe80::fcfd:c0ff:fea8:96
+;
+moon		IN	A	192.168.0.1
+sun		IN	A	192.168.0.2
+mars		IN	A	192.168.0.5
+alice1		IN	A	192.168.0.50
+carol		IN	A	192.168.0.100
+winnetou	IN	A	192.168.0.150
+dave		IN	A	192.168.0.200
+;
+ip6-moon	IN	AAAA	fe80::fcfd:c0ff:fea8:01
+ip6-sun		IN	AAAA	fe80::fcfd:c0ff:fea8:02
+ip6-carol	IN	AAAA	fe80::fcfd:c0ff:fea8:64
+ip6-winnetou	IN	AAAA	fe80::fcfd:c0ff:fea8:96
+ip6-dave	IN	AAAA	fe80::fcfd:c0ff:fea8:c8
+;
+crl		IN	CNAME	winnetou.strongswan.org.
+ldap		IN	CNAME	winnetou.strongswan.org.
+ocsp		IN	CNAME	winnetou.strongswan.org.
+;
+moon		IN	IPSECKEY ( 10 1 2 192.168.0.1
+				AwEAAcovYz3Uu7oFhiFbFaAxL3P1MxJPCzObmuE7tkiwK0xGjg8B5jD7
+				75IZe3cI9dv/6n5JYoaWbXWs8TvV5Dd6GCHYLeEC6t+ZY7SJBBoLD592
+				t54hUKo5Ag4/pSpnfbuHnJhikeTxVC/i8ElOnFyVTU+qdaF6p7VmUvGx
+				bvvctGaX99C39SC8mQIFNlk40s0x8r7tMOdhpWwC2dyC8M3vydQ0R7ap
+				j3YortKsEnpKlQSDj2bnUX5eCwZyyBZUdLzmifc6b8bjxyssRUmN27w
+				LF7BJFWBv6U8lbMd3xCxTRWD/u+WqzdlEzI200quviilK9VsDpqAaVNe
+				EMKt4OJdTwoc=
+				)
+sun		IN	IPSECKEY ( 10 1 2 192.168.0.2
+				AwEAAd+VVIpn6Q5jaU//EN6p6A5cSfUfhBK0mFa2laFFZh/Y0h66AXqq
+				rQ3X917h7YNsSk68oowY9h9I3gOx7hNVBsJr2VjdYC+b0q5NTha09/A5
+				mimv/prYj6o0yawxoPjoDs9Yh7D7Kf+F8fkgk0stlHJZX66J7dNrFXbg
+				1xBld+Ep5Or2FbEZ9QWUpRQTuhdpNt/49YuxQ59DemY9IRbwsrKCHH0m
+				GrJsDdqeb0ap+8QvSXHjCt1fr9MNKWaAFAQLKQI4e0da1ntPCEQLeE83
+				3+NNRBgGufk0KqGT3eAXqrxa9AEIUJnVcPexQdqUMjcUpXFb8WNzRWB8
+				Egh3BDK6FsE=
+				)
+carol		IN	IPSECKEY ( 10 1 2 192.168.0.100
+				AwEAAdBdWU+BF7x4lyo+xHnr4UAOU89yQQuT5vdPoXzx6kRPsjYAuukt
+				gXR+SaLkQHw/YRgDPSKj5nzmmlOQf/rWRr+8O2q+C92aUICmkNvZGamo
+				5w2WlOMZ6T5dk2Hv+QM6xT/GzWyVr1dMYu/7tywD1Bw7aW/HqkRESDu6
+				q95VWu+Lzg6XlxCNEez0YsZrN/fC6BL2qzKAqMBbIHFW8OOnh+nEY4IF
+				5AzkZnFrw12GI72Z882pw97lyKwZhSz/GMQFBJx+rnNdw5P1IJwTlG5P
+				UdoDCte/Mcr1iiA+zOovx55x1GoGxduoXWU5egrf1MtalRf9Pc8Xr4q3
+				WEKTAmsZrVE=
+				)
+dave		IN	IPSECKEY ( 10 1 2 192.168.0.200
+				AwEAAcAH8lNvBVjmg0XT7wF6F1tzQ055f5uXRI5yClmFrqdswFA7jWO0
+				4jmvlduD2wr2X4Ng6dlBkSwSEhVkOgrzIYj8UgQT6BZF/44uYjyTYr4b
+				V2SVML9U/a1lYxBhBazpSdfeKJWkdxwjcJCqolZ719mwiyrQn2P2G7qH
+				10YgRuifpFcMs8jkMiIgpzevSMMc0OwhQPNyO5R0LEoUIy4dQJ9rU8GK
+				qmPmk/pdPQaAjpSNuCc1Y9M9vZrETs/XHmBCZXCIWJiz5VOHZ+r073E3
+				Gef9ibMuTj9g2XLvFhdDfU26FK9GkfuOwnWnhVK66diq9xw9Qqynk+8K
+				0J4a81Paq3U=
+				)
+;
+; This is a zone-signing key, keyid 9396, for strongswan.org.
+strongswan.org.	IN	DNSKEY	256 3 8	(
+				AwEAAa5Lb6qTxuy4ZJBDoDStnmstIU5nAsliu6UKZ6imLEg2ufAXfz7f
+				fOtIh2/QECp80GgUDBStMvVJfRjXeJUgavM8d0Ob/rJfl1uH/buyO7Yj
+				D+64n9t29pEuFKSAR+tYyUYk5iTidqE/CNltNkps9wc1wBAxK8ouSVXd
+				bNvV9pvZ
+				)
+;
+; This is a key-signing key, keyid 481, for strongswan.org.
+strongswan.org.	IN	DNSKEY	257 3 8	(
+				AwEAAcXfcWvCGzQq80q9JX1Wvz0lwA/fi1XZmega350wGR8WdFCklvmK
+			 	fAzNaf1CrvN3bH9Gl2VEEhkYMF6h6kVFTU7taspq5t0bLwgCK/nS8QzK
+				TLWvzWdyVayiHfij1PPwnQV5FADBTE5mMEkmn82+PKg6jaKs3ANsc0BP
+				bGSsGIxhUKliLxJEd+6KSl/+ouQD9RfCD5sz9NIF+IXv1ZGp2Rjf+6vK
+				bPO8f0hmttwE/OzKyBgysLBbd6fw2pKOBhunVFmUYPaHM9zLTydzuSIA
+				X9iSeM6HtAvlKgK0JGgPEFrX+jPG6wDvJfzzakx85rMkRGc31NFiFLqM
+				ooWxy1674/U=
+				)
diff --git a/testing/hosts/winnetou/etc/bind/named.conf.default-zones b/testing/hosts/winnetou/etc/bind/named.conf.default-zones
new file mode 100644
index 000000000..52a1e4c7c
--- /dev/null
+++ b/testing/hosts/winnetou/etc/bind/named.conf.default-zones
@@ -0,0 +1,23 @@
+// be authoritative for the localhost forward and reverse zones, and for
+// broadcast zones as per RFC 1912
+
+zone "localhost" {
+	type master;
+	file "/etc/bind/db.local";
+};
+
+zone "127.in-addr.arpa" {
+	type master;
+	file "/etc/bind/db.127";
+};
+
+zone "0.in-addr.arpa" {
+	type master;
+	file "/etc/bind/db.0";
+};
+
+zone "255.in-addr.arpa" {
+	type master;
+	file "/etc/bind/db.255";
+};
+
diff --git a/testing/hosts/winnetou/etc/bind/named.conf.local b/testing/hosts/winnetou/etc/bind/named.conf.local
new file mode 100644
index 000000000..fa26fa9e5
--- /dev/null
+++ b/testing/hosts/winnetou/etc/bind/named.conf.local
@@ -0,0 +1,18 @@
+//
+// Do any local configuration here
+//
+
+zone "." {
+        type master;
+        file "/etc/bind/db.root.signed";
+};
+
+zone "org" {
+        type master;
+        file "/etc/bind/db.org.signed";
+};
+
+zone "strongswan.org" {
+        type master;
+        file "/etc/bind/db.strongswan.org.signed";
+};
diff --git a/testing/scripts/build-baseimage b/testing/scripts/build-baseimage
index 1355d7a05..c426f0af5 100755
--- a/testing/scripts/build-baseimage
+++ b/testing/scripts/build-baseimage
@@ -15,10 +15,11 @@ INC=build-essential,gperf,libgmp-dev,libldap2-dev,libcurl4-openssl-dev,ethtool
 INC=$INC,libxml2-dev,libtspi-dev,libsqlite3-dev,openssh-server,tcpdump,psmisc
 INC=$INC,openssl,vim,sqlite3,conntrack,gdb,cmake,libxerces-c2-dev,libltdl-dev
 INC=$INC,liblog4cxx10-dev,libboost-thread-dev,libboost-system-dev,git-core
-INC=$INC,less,acpid,acpi-support-base
-SERVICES="apache2 dbus isc-dhcp-server slapd"
+INC=$INC,less,acpid,acpi-support-base,libldns-dev,libunbound-dev,dnsutils,screen
+INC=$INC,gnat,gprbuild,libahven3-dev,libxmlada4.1-dev,libgmpada3-dev
+INC=$INC,libalog0.4.1-base-dev,hostapd
+SERVICES="apache2 dbus isc-dhcp-server slapd bind9"
 INC=$INC,${SERVICES// /,}
-EXC=iptables
 
 CACHEDIR=$BUILDDIR/cache
 APTCACHE=$LOOPDIR/var/cache/apt/archives
@@ -65,7 +66,10 @@ execute "mount -o bind $CACHEDIR $APTCACHE"
 do_on_exit graceful_umount $APTCACHE
 
 log_action "Running debootstrap ($BASEIMGSUITE, $BASEIMGARCH)"
-execute "debootstrap --arch=$BASEIMGARCH --include=$INC --exclude $EXC $BASEIMGSUITE $LOOPDIR $BASEIMGMIRROR"
+execute "debootstrap --arch=$BASEIMGARCH --include=$INC $BASEIMGSUITE $LOOPDIR $BASEIMGMIRROR"
+
+execute "mount -t proc none $LOOPDIR/proc"
+do_on_exit graceful_umount $LOOPDIR/proc
 
 for service in $SERVICES
 do
diff --git a/testing/scripts/build-guestimages b/testing/scripts/build-guestimages
index f5669040e..f7fb1f85c 100755
--- a/testing/scripts/build-guestimages
+++ b/testing/scripts/build-guestimages
@@ -46,6 +46,8 @@ do
 	execute "mount $NBDPARTITION $LOOPDIR" 0
 	execute "cp -rf $HOSTSDIR/${host}/etc $LOOPDIR" 0
 	execute "cp -rf $HOSTSDIR/default/* $LOOPDIR" 0
+	execute_chroot "ldconfig" 0
+
 	if [ "$host" = "winnetou" ]
 	then
 		execute "mkdir $LOOPDIR/var/log/apache2/ocsp" 0
@@ -57,9 +59,13 @@ do
 		execute_chroot "rm -rf /var/lib/ldap/*" 0
 		execute_chroot "slapadd -l /etc/ldap/ldif.txt -f /etc/ldap/slapd.conf" 0
 		execute_chroot "chown -R openldap:openldap /var/lib/ldap" 0
+		execute_chroot "dnssec-signzone -K /etc/bind -o strongswan.org. /etc/bind/db.strongswan.org" 0
+		execute_chroot "dnssec-signzone -K /etc/bind -o org. /etc/bind/db.org" 0
+		execute_chroot "dnssec-signzone -K /etc/bind -o . /etc/bind/db.root" 0
+		execute_chroot "update-rc.d bind9 defaults" 0
 	fi
 	sync
-	execute "umount $LOOPDIR" 0
+	execute "umount -l $LOOPDIR" 0
 	execute "qemu-nbd -d $NBDEV" 0
 	log_status 0
 done
diff --git a/testing/scripts/load-testconfig b/testing/scripts/load-testconfig
index 0ea4fbf00..5f35c129e 100755
--- a/testing/scripts/load-testconfig
+++ b/testing/scripts/load-testconfig
@@ -17,6 +17,7 @@
 DIR=$(dirname `readlink -f $0`)
 . $DIR/../testing.conf
 . $DIR/function.sh
+SSHCONF="-F $DIR/../ssh_config"
 
 ##########################################################################
 # load-testconfig requires a testname as an argument
@@ -59,11 +60,12 @@ done
 
 
 ##########################################################################
-# clear radius.log on FreeRadius servers
+# clear daemon.log and radius.log on FreeRadius servers
 #
 
 for host in $RADIUSHOSTS
 do
     eval HOSTLOGIN="root@`echo $HOSTNAMEIPV4 | sed -n -e "s/^.*${host},//gp" | awk -F, '{ print $1 }' | awk '{ print $1 }'`"
-    ssh $SSHCONF $HOSTLOGIN 'rm -f /var/log/freeradius/radius.log' > /dev/null 2>&1
+    ssh $SSHCONF $HOSTLOGIN 'rm -f /var/log/daemon.log /var/log/freeradius/radius.log; \
+		    kill -SIGHUP `cat /var/run/rsyslogd.pid`' > /dev/null 2>&1
 done
diff --git a/testing/scripts/recipes/004_iptables.mk b/testing/scripts/recipes/004_iptables.mk
deleted file mode 100644
index 51200201a..000000000
--- a/testing/scripts/recipes/004_iptables.mk
+++ /dev/null
@@ -1,37 +0,0 @@
-#!/usr/bin/make
-
-PV  = 1.4.16.3
-PKG = iptables-$(PV)
-TAR = $(PKG).tar.bz2
-SRC = http://www.netfilter.org/projects/iptables/files/$(TAR)
-
-NUM_CPUS := $(shell getconf _NPROCESSORS_ONLN)
-
-CONFIG_OPTS =
-
-PATCHES = \
-	iptables-xfrm-hooks
-
-all: install
-
-$(TAR):
-	wget $(SRC)
-
-.$(PKG)-unpacked: $(TAR)
-	tar xfj $(TAR)
-	@touch $@
-
-.$(PKG)-patches-applied: .$(PKG)-unpacked
-	cd $(PKG) && cat $(addprefix ../patches/, $(PATCHES)) | patch -p1
-	@touch $@
-
-.$(PKG)-configured: .$(PKG)-patches-applied
-	cd $(PKG) && ./configure $(CONFIG_OPTS)
-	@touch $@
-
-.$(PKG)-built: .$(PKG)-configured
-	cd $(PKG) && make -j $(NUM_CPUS)
-	@touch $@
-
-install: .$(PKG)-built
-	cd $(PKG) && make install
diff --git a/testing/scripts/recipes/004_wpa_supplicant.mk b/testing/scripts/recipes/004_wpa_supplicant.mk
new file mode 100644
index 000000000..14b64ea78
--- /dev/null
+++ b/testing/scripts/recipes/004_wpa_supplicant.mk
@@ -0,0 +1,39 @@
+#!/usr/bin/make
+
+PV  = 2.0
+PKG = wpa_supplicant-$(PV)
+TAR = $(PKG).tar.gz
+SRC = http://hostap.epitest.fi/releases/$(TAR)
+
+NUM_CPUS := $(shell getconf _NPROCESSORS_ONLN)
+
+CONFIG_OPTS =
+
+PATCHES = \
+	wpa_supplicant-eap-tnc
+
+SUBDIR = wpa_supplicant
+
+all: install
+
+$(TAR):
+	wget $(SRC)
+
+.$(PKG)-unpacked: $(TAR)
+	tar xfz $(TAR)
+	@touch $@
+
+.$(PKG)-patches-applied: .$(PKG)-unpacked
+	cd $(PKG) && cat $(addprefix ../patches/, $(PATCHES)) | patch -p1
+	@touch $@
+
+.$(PKG)-configured: .$(PKG)-patches-applied
+	cp $(PKG)/$(SUBDIR)/defconfig $(PKG)/$(SUBDIR)/.config
+	@touch $@
+
+.$(PKG)-built: .$(PKG)-configured
+	cd $(PKG)/$(SUBDIR) && make -j $(NUM_CPUS)
+	@touch $@
+
+install: .$(PKG)-built
+	cd $(PKG)/$(SUBDIR) && make install
diff --git a/testing/scripts/recipes/005_anet.mk b/testing/scripts/recipes/005_anet.mk
new file mode 100644
index 000000000..2a3023c42
--- /dev/null
+++ b/testing/scripts/recipes/005_anet.mk
@@ -0,0 +1,21 @@
+#!/usr/bin/make
+
+PKG = anet
+SRC = http://git.codelabs.ch/git/$(PKG).git
+REV = v0.2.2
+
+PREFIX = /usr/local/ada
+
+all: install
+
+.$(PKG)-cloned:
+	git clone $(SRC) $(PKG)
+	cd $(PKG) && git checkout $(REV)
+	@touch $@
+
+.$(PKG)-built: .$(PKG)-cloned
+	cd $(PKG) && make LIBRARY_KIND=static
+	@touch $@
+
+install: .$(PKG)-built
+	cd $(PKG) && make PREFIX=$(PREFIX) LIBRARY_KIND=static install
diff --git a/testing/scripts/recipes/005_strongswan.mk b/testing/scripts/recipes/005_strongswan.mk
deleted file mode 100644
index 76d2d0882..000000000
--- a/testing/scripts/recipes/005_strongswan.mk
+++ /dev/null
@@ -1,87 +0,0 @@
-#!/usr/bin/make
-
-PV  = $(SWANVERSION)
-PKG = strongswan-$(PV)
-TAR = $(PKG).tar.bz2
-SRC = http://download.strongswan.org/$(TAR)
-
-NUM_CPUS := $(shell getconf _NPROCESSORS_ONLN)
-
-CONFIG_OPTS = \
-	--sysconfdir=/etc \
-	--with-random-device=/dev/urandom \
-	--disable-load-warning \
-	--enable-curl \
-	--enable-ldap \
-	--enable-eap-aka \
-	--enable-eap-aka-3gpp2 \
-	--enable-eap-sim \
-	--enable-eap-sim-file \
-	--enable-eap-md5 \
-	--enable-md4 \
-	--enable-eap-mschapv2 \
-	--enable-eap-identity \
-	--enable-eap-radius \
-	--enable-eap-dynamic \
-	--enable-eap-tls \
-	--enable-eap-ttls \
-	--enable-eap-peap \
-	--enable-eap-tnc \
-	--enable-tnc-pdp \
-	--enable-tnc-imc \
-	--enable-tnc-imv \
-	--enable-tnccs-11 \
-	--enable-tnccs-20 \
-	--enable-tnccs-dynamic \
-	--enable-imc-test \
-	--enable-imv-test \
-	--enable-imc-scanner \
-	--enable-imv-scanner \
-	--enable-imc-os \
-	--enable-imv-os \
-	--enable-imc-attestation \
-	--enable-imv-attestation \
-	--enable-sql \
-	--enable-sqlite \
-	--enable-mediation \
-	--enable-openssl \
-	--enable-blowfish \
-	--enable-kernel-pfkey \
-	--enable-integrity-test \
-	--enable-leak-detective \
-	--enable-load-tester \
-	--enable-test-vectors \
-	--enable-gcrypt \
-	--enable-socket-default \
-	--enable-socket-dynamic \
-	--enable-dhcp \
-	--enable-farp \
-	--enable-addrblock \
-	--enable-ctr \
-	--enable-ccm \
-	--enable-gcm \
-	--enable-cmac \
-	--enable-ha \
-	--enable-af-alg \
-	--enable-whitelist \
-	--enable-xauth-generic \
-	--enable-xauth-eap \
-	--enable-pkcs8 \
-	--enable-unity
-
-all: install
-
-$(TAR):
-	wget $(SRC)
-
-$(PKG): $(TAR)
-	tar xfj $(TAR)
-
-configure: $(PKG)
-	cd $(PKG) && ./configure $(CONFIG_OPTS)
-
-build: configure
-	cd $(PKG) && make -j $(NUM_CPUS)
-
-install: build
-	cd $(PKG) && make install
diff --git a/testing/scripts/recipes/006_tkm-rpc.mk b/testing/scripts/recipes/006_tkm-rpc.mk
new file mode 100644
index 000000000..dc6847ca5
--- /dev/null
+++ b/testing/scripts/recipes/006_tkm-rpc.mk
@@ -0,0 +1,23 @@
+#!/usr/bin/make
+
+PKG = tkm-rpc
+SRC = http://git.codelabs.ch/git/$(PKG).git
+REV = v0.1
+
+PREFIX = /usr/local/ada
+
+export ADA_PROJECT_PATH=$(PREFIX)/lib/gnat
+
+all: install
+
+.$(PKG)-cloned:
+	git clone $(SRC) $(PKG)
+	cd $(PKG) && git checkout $(REV)
+	@touch $@
+
+.$(PKG)-built: .$(PKG)-cloned
+	cd $(PKG) && make tests && make
+	@touch $@
+
+install: .$(PKG)-built
+	cd $(PKG) && make PREFIX=$(PREFIX) install
diff --git a/testing/scripts/recipes/007_x509-ada.mk b/testing/scripts/recipes/007_x509-ada.mk
new file mode 100644
index 000000000..121a14414
--- /dev/null
+++ b/testing/scripts/recipes/007_x509-ada.mk
@@ -0,0 +1,21 @@
+#!/usr/bin/make
+
+PKG = x509-ada
+SRC = http://git.codelabs.ch/git/$(PKG).git
+REV = v0.1
+
+PREFIX = /usr/local/ada
+
+all: install
+
+.$(PKG)-cloned:
+	git clone $(SRC) $(PKG)
+	cd $(PKG) && git checkout $(REV)
+	@touch $@
+
+.$(PKG)-built: .$(PKG)-cloned
+	cd $(PKG) && make tests && make
+	@touch $@
+
+install: .$(PKG)-built
+	cd $(PKG) && make PREFIX=$(PREFIX) install
diff --git a/testing/scripts/recipes/008_xfrm-ada.mk b/testing/scripts/recipes/008_xfrm-ada.mk
new file mode 100644
index 000000000..6ad451340
--- /dev/null
+++ b/testing/scripts/recipes/008_xfrm-ada.mk
@@ -0,0 +1,23 @@
+#!/usr/bin/make
+
+PKG = xfrm-ada
+SRC = http://git.codelabs.ch/git/$(PKG).git
+REV = v0.1
+
+PREFIX = /usr/local/ada
+
+export ADA_PROJECT_PATH=$(PREFIX)/lib/gnat
+
+all: install
+
+.$(PKG)-cloned:
+	git clone $(SRC) $(PKG)
+	cd $(PKG) && git checkout $(REV)
+	@touch $@
+
+.$(PKG)-built: .$(PKG)-cloned
+	cd $(PKG) && make
+	@touch $@
+
+install: .$(PKG)-built
+	cd $(PKG) && make PREFIX=$(PREFIX) install
diff --git a/testing/scripts/recipes/009_tkm.mk b/testing/scripts/recipes/009_tkm.mk
new file mode 100644
index 000000000..971cd170f
--- /dev/null
+++ b/testing/scripts/recipes/009_tkm.mk
@@ -0,0 +1,21 @@
+#!/usr/bin/make
+
+PKG = tkm
+SRC = http://git.codelabs.ch/git/$(PKG).git
+REV = v0.1
+
+export ADA_PROJECT_PATH=/usr/local/ada/lib/gnat
+
+all: install
+
+.$(PKG)-cloned:
+	git clone $(SRC) $(PKG)
+	cd $(PKG) && git checkout $(REV)
+	@touch $@
+
+.$(PKG)-built: .$(PKG)-cloned
+	cd $(PKG) && make tests && make
+	@touch $@
+
+install: .$(PKG)-built
+	cd $(PKG) && make install
diff --git a/testing/scripts/recipes/010_strongswan.mk b/testing/scripts/recipes/010_strongswan.mk
new file mode 100644
index 000000000..94abb9ddb
--- /dev/null
+++ b/testing/scripts/recipes/010_strongswan.mk
@@ -0,0 +1,94 @@
+#!/usr/bin/make
+
+PV  = $(SWANVERSION)
+PKG = strongswan-$(PV)
+TAR = $(PKG).tar.bz2
+SRC = http://download.strongswan.org/$(TAR)
+
+NUM_CPUS := $(shell getconf _NPROCESSORS_ONLN)
+
+CONFIG_OPTS = \
+	--sysconfdir=/etc \
+	--with-random-device=/dev/urandom \
+	--disable-load-warning \
+	--enable-curl \
+	--enable-ldap \
+	--enable-eap-aka \
+	--enable-eap-aka-3gpp2 \
+	--enable-eap-sim \
+	--enable-eap-sim-file \
+	--enable-eap-md5 \
+	--enable-md4 \
+	--enable-eap-mschapv2 \
+	--enable-eap-identity \
+	--enable-eap-radius \
+	--enable-eap-dynamic \
+	--enable-eap-tls \
+	--enable-eap-ttls \
+	--enable-eap-peap \
+	--enable-eap-tnc \
+	--enable-tnc-ifmap \
+	--enable-tnc-pdp \
+	--enable-tnc-imc \
+	--enable-tnc-imv \
+	--enable-tnccs-11 \
+	--enable-tnccs-20 \
+	--enable-tnccs-dynamic \
+	--enable-imc-test \
+	--enable-imv-test \
+	--enable-imc-scanner \
+	--enable-imv-scanner \
+	--enable-imc-os \
+	--enable-imv-os \
+	--enable-imc-attestation \
+	--enable-imv-attestation \
+	--enable-sql \
+	--enable-sqlite \
+	--enable-attr-sql \
+	--enable-mediation \
+	--enable-openssl \
+	--enable-blowfish \
+	--enable-kernel-pfkey \
+	--enable-integrity-test \
+	--enable-leak-detective \
+	--enable-load-tester \
+	--enable-test-vectors \
+	--enable-gcrypt \
+	--enable-socket-default \
+	--enable-socket-dynamic \
+	--enable-dhcp \
+	--enable-farp \
+	--enable-addrblock \
+	--enable-ctr \
+	--enable-ccm \
+	--enable-gcm \
+	--enable-cmac \
+	--enable-ha \
+	--enable-af-alg \
+	--enable-whitelist \
+	--enable-xauth-generic \
+	--enable-xauth-eap \
+	--enable-pkcs8 \
+	--enable-unity \
+	--enable-unbound \
+	--enable-ipseckey \
+	--enable-tkm
+
+export ADA_PROJECT_PATH=/usr/local/ada/lib/gnat
+
+all: install
+
+$(TAR):
+	wget $(SRC)
+
+$(PKG): $(TAR)
+	tar xfj $(TAR)
+
+configure: $(PKG)
+	cd $(PKG) && ./configure $(CONFIG_OPTS)
+
+build: configure
+	cd $(PKG) && make -j $(NUM_CPUS)
+
+install: build
+	cd $(PKG) && make install
diff --git a/testing/scripts/recipes/011_xfrm-proxy.mk b/testing/scripts/recipes/011_xfrm-proxy.mk
new file mode 100644
index 000000000..569fbfe3c
--- /dev/null
+++ b/testing/scripts/recipes/011_xfrm-proxy.mk
@@ -0,0 +1,21 @@
+#!/usr/bin/make
+
+PKG = xfrm-proxy
+SRC = http://git.codelabs.ch/git/$(PKG).git
+REV = v0.1
+
+export ADA_PROJECT_PATH=/usr/local/ada/lib/gnat
+
+all: install
+
+.$(PKG)-cloned:
+	git clone $(SRC) $(PKG)
+	cd $(PKG) && git checkout $(REV)
+	@touch $@
+
+.$(PKG)-built: .$(PKG)-cloned
+	cd $(PKG) && make
+	@touch $@
+
+install: .$(PKG)-built
+	cd $(PKG) && make install
diff --git a/testing/scripts/recipes/patches/iptables-xfrm-hooks b/testing/scripts/recipes/patches/iptables-xfrm-hooks
deleted file mode 100644
index baa4a65c1..000000000
--- a/testing/scripts/recipes/patches/iptables-xfrm-hooks
+++ /dev/null
@@ -1,61 +0,0 @@
-From 4553ba0130bb9f0aa266cc1e4c3288a52f34eed6 Mon Sep 17 00:00:00 2001
-From: Martin Willi <martin@revosec.ch>
-Date: Wed, 7 Apr 2010 11:40:15 +0200
-Subject: [PATCH] Added XFRM hooks to iptables headers
-
----
- include/linux/netfilter.h      |    2 ++
- include/linux/netfilter_ipv4.h |    6 +++++-
- include/linux/netfilter_ipv6.h |    6 +++++-
- 3 files changed, 12 insertions(+), 2 deletions(-)
-
-diff --git a/include/linux/netfilter.h b/include/linux/netfilter.h
-index 2eb00b6..b692c67 100644
---- a/include/linux/netfilter.h
-+++ b/include/linux/netfilter.h
-@@ -35,6 +35,8 @@ enum nf_inet_hooks {
- 	NF_INET_FORWARD,
- 	NF_INET_LOCAL_OUT,
- 	NF_INET_POST_ROUTING,
-+	NF_INET_XFRM_IN,
-+	NF_INET_XFRM_OUT,
- 	NF_INET_NUMHOOKS
- };
- 
-diff --git a/include/linux/netfilter_ipv4.h b/include/linux/netfilter_ipv4.h
-index 4d7ba3e..28d3ca9 100644
---- a/include/linux/netfilter_ipv4.h
-+++ b/include/linux/netfilter_ipv4.h
-@@ -47,7 +47,11 @@
- #define NF_IP_LOCAL_OUT		3
- /* Packets about to hit the wire. */
- #define NF_IP_POST_ROUTING	4
--#define NF_IP_NUMHOOKS		5
-+/* Packets going into XFRM input transformation. */
-+#define NF_IP_XFRM_IN		5
-+/* Packets going into XFRM output transformation. */
-+#define NF_IP_XFRM_OUT		6
-+#define NF_IP_NUMHOOKS		7
- 
- enum nf_ip_hook_priorities {
- 	NF_IP_PRI_FIRST = INT_MIN,
-diff --git a/include/linux/netfilter_ipv6.h b/include/linux/netfilter_ipv6.h
-index 7430b39..18590a5 100644
---- a/include/linux/netfilter_ipv6.h
-+++ b/include/linux/netfilter_ipv6.h
-@@ -51,7 +51,11 @@
- #define NF_IP6_LOCAL_OUT		3
- /* Packets about to hit the wire. */
- #define NF_IP6_POST_ROUTING	4
--#define NF_IP6_NUMHOOKS		5
-+/* Packets going into XFRM input transformation. */
-+#define NF_IP6_XFRM_IN		5
-+/* Packets going into XFRM output transformation. */
-+#define NF_IP6_XFRM_OUT		6
-+#define NF_IP6_NUMHOOKS		7
- 
- 
- enum nf_ip6_hook_priorities {
--- 
-1.6.3.3
-
diff --git a/testing/scripts/recipes/patches/wpa_supplicant-eap-tnc b/testing/scripts/recipes/patches/wpa_supplicant-eap-tnc
new file mode 100644
index 000000000..2e00e5b44
--- /dev/null
+++ b/testing/scripts/recipes/patches/wpa_supplicant-eap-tnc
@@ -0,0 +1,47 @@
+diff -urN wpa_supplicant-2.0.ori/src/eap_peer/tncc.c wpa_supplicant-2.0/src/eap_peer/tncc.c
+--- wpa_supplicant-2.0.ori/src/eap_peer/tncc.c	2013-01-12 16:42:53.000000000 +0100
++++ wpa_supplicant-2.0/src/eap_peer/tncc.c	2013-03-23 13:10:22.151059154 +0100
+@@ -465,7 +465,7 @@
+ 		return -1;
+ 	}
+ #else /* CONFIG_NATIVE_WINDOWS */
+-	imc->dlhandle = dlopen(imc->path, RTLD_LAZY);
++	imc->dlhandle = dlopen(imc->path, RTLD_LAZY | RTLD_GLOBAL);
+ 	if (imc->dlhandle == NULL) {
+ 		wpa_printf(MSG_ERROR, "TNC: Failed to open IMC '%s' (%s): %s",
+ 			   imc->name, imc->path, dlerror());
+diff -urN wpa_supplicant-2.0.ori/wpa_supplicant/defconfig wpa_supplicant-2.0/wpa_supplicant/defconfig
+--- wpa_supplicant-2.0.ori/wpa_supplicant/defconfig	2013-01-12 16:42:53.000000000 +0100
++++ wpa_supplicant-2.0/wpa_supplicant/defconfig	2013-03-23 13:06:08.759052370 +0100
+@@ -86,7 +86,7 @@
+ CONFIG_DRIVER_WEXT=y
+ 
+ # Driver interface for Linux drivers using the nl80211 kernel interface
+-CONFIG_DRIVER_NL80211=y
++#CONFIG_DRIVER_NL80211=y
+ 
+ # Driver interface for FreeBSD net80211 layer (e.g., Atheros driver)
+ #CONFIG_DRIVER_BSD=y
+@@ -193,7 +193,7 @@
+ #CONFIG_EAP_GPSK_SHA256=y
+ 
+ # EAP-TNC and related Trusted Network Connect support (experimental)
+-#CONFIG_EAP_TNC=y
++CONFIG_EAP_TNC=y
+ 
+ # Wi-Fi Protected Setup (WPS)
+ #CONFIG_WPS=y
+diff -urN wpa_supplicant-2.0.ori/wpa_supplicant/Makefile wpa_supplicant-2.0/wpa_supplicant/Makefile
+--- wpa_supplicant-2.0.ori/wpa_supplicant/Makefile	2013-01-12 16:42:53.000000000 +0100
++++ wpa_supplicant-2.0/wpa_supplicant/Makefile	2013-03-23 13:06:08.759052370 +0100
+@@ -6,8 +6,8 @@
+ CFLAGS = -MMD -O2 -Wall -g
+ endif
+ 
+-export LIBDIR ?= /usr/local/lib/
+-export BINDIR ?= /usr/local/sbin/
++export LIBDIR ?= /usr/lib/
++export BINDIR ?= /usr/sbin/
+ PKG_CONFIG ?= pkg-config
+ 
+ CFLAGS += -I../src
diff --git a/testing/scripts/restore-defaults b/testing/scripts/restore-defaults
index 953548a1b..173baf820 100755
--- a/testing/scripts/restore-defaults
+++ b/testing/scripts/restore-defaults
@@ -17,6 +17,7 @@
 DIR=$(dirname `readlink -f $0`)
 . $DIR/../testing.conf
 . $DIR/function.sh
+SSHCONF="-F $DIR/../ssh_config"
 
 testname=$1
 
diff --git a/testing/start-testing b/testing/start-testing
index 183729423..45cf4c9b9 100755
--- a/testing/start-testing
+++ b/testing/start-testing
@@ -9,13 +9,13 @@ CONFDIR=$DIR/config/kvm
 KNLSRC=$BUILDDIR/$KERNEL/arch/x86/boot/bzImage
 KNLTARGET=/var/run/kvm-swan-kernel
 HOSTFSTARGET=/var/run/kvm-swan-hostfs
-MCASTBRS="virbr1 virbr2"
+MCASTBRS="test-br0 test-br1"
 
 echo "Starting test environment"
 
 [ `id -u` -eq 0 ] || die "You must be root to run $0"
 
-check_commands virsh
+check_commands kvm virsh
 
 log_action "Deploying kernel $KERNEL"
 execute "ln -fs $KNLSRC $KNLTARGET"
@@ -41,8 +41,11 @@ done
 for br in $MCASTBRS
 do
 	cd /sys/devices/virtual/net/$br/brif
-	for vnet in `find . -name "vnet*"`
+	for vnet in `find . -name "*eth?"`
 	do
 		echo 2 > $vnet/multicast_router
 	done
 done
+
+echo 0x08 > /sys/devices/virtual/net/test-br0/bridge/group_fwd_mask
+
diff --git a/testing/testing.conf b/testing/testing.conf
index 960d3f63e..7929dba3a 100644
--- a/testing/testing.conf
+++ b/testing/testing.conf
@@ -18,14 +18,14 @@
 TESTDIR=/srv/strongswan-testing
 
 # Kernel configuration
-KERNELVERSION=3.5.3
+KERNELVERSION=3.8.1
 KERNEL=linux-$KERNELVERSION
 KERNELTARBALL=$KERNEL.tar.bz2
-KERNELCONFIG=$DIR/../config/kernel/config-3.5
-KERNELPATCH=ha-3.0.patch.bz2
+KERNELCONFIG=$DIR/../config/kernel/config-3.8
+KERNELPATCH=ha-3.8-abicompat.patch.bz2
 
 # strongSwan version used in tests
-SWANVERSION=5.0.2dr4
+SWANVERSION=5.0.3
 
 # Build directory where the guest kernel and images will be built
 BUILDDIR=$TESTDIR/build
@@ -65,9 +65,6 @@ KVMGROUP=kvm
 # Directory where test results will be stored
 TESTRESULTSDIR=$TESTDIR/testresults
 
-# SSH configuration (speedup SSH)
-SSHCONF="-F $TESTDIR/testing/ssh_config"
-
 ##############################################################
 # Enable particular steps in the make-testing
 #
diff --git a/testing/tests/ikev1/net2net-fragmentation/description.txt b/testing/tests/ikev1/net2net-fragmentation/description.txt
new file mode 100644
index 000000000..6fe773299
--- /dev/null
+++ b/testing/tests/ikev1/net2net-fragmentation/description.txt
@@ -0,0 +1,9 @@
+A connection between the subnets behind the gateways <b>moon</b> and <b>sun</b> is set up.
+The authentication is based on <b>X.509 certificates</b>. The proprietary IKEv1 fragmentation
+protocol prevents the IP fragmentation of the IKEv1 messages carrying the large X.509
+certificates.
+<p/>
+Upon the successful establishment of the IPsec tunnel, <b>leftfirewall=yes</b> automatically
+inserts iptables-based firewall rules that let pass the tunneled traffic.
+In order to test both tunnel and firewall, client <b>alice</b> behind gateway <b>moon</b>
+pings client <b>bob</b> located behind gateway <b>sun</b>.
diff --git a/testing/tests/ikev1/net2net-fragmentation/evaltest.dat b/testing/tests/ikev1/net2net-fragmentation/evaltest.dat
new file mode 100644
index 000000000..876787495
--- /dev/null
+++ b/testing/tests/ikev1/net2net-fragmentation/evaltest.dat
@@ -0,0 +1,15 @@
+moon::cat /var/log/daemon.log::received FRAGMENTATION vendor ID::YES
+sun::cat /var/log/daemon.log::received FRAGMENTATION vendor ID::YES
+moon::cat /var/log/daemon.log::sending IKE message with length of 1468 bytes in 2 fragments::YES
+sun::cat /var/log/daemon.log::sending IKE message with length of 1388 bytes in 2 fragments::YES
+moon::cat /var/log/daemon.log::received fragment #1, waiting for complete IKE message::YES
+moon::cat /var/log/daemon.log::received fragment #2, reassembling fragmented IKE message::YES
+sun::cat /var/log/daemon.log::received fragment #1, waiting for complete IKE message::YES
+sun::cat /var/log/daemon.log::received fragment #2, reassembling fragmented IKE message::YES
+moon::ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
+sun:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
+moon::ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
+sun:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
+sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
+sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev1/net2net-fragmentation/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/net2net-fragmentation/hosts/moon/etc/ipsec.conf
new file mode 100644
index 000000000..cdd430408
--- /dev/null
+++ b/testing/tests/ikev1/net2net-fragmentation/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,22 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev1
+	fragmentation=yes
+
+conn net-net 
+	left=PH_IP_MOON
+	leftcert=moonCert.pem
+	leftid=@moon.strongswan.org
+	leftsubnet=10.1.0.0/16
+	leftfirewall=yes
+	right=PH_IP_SUN
+	rightid=@sun.strongswan.org
+	rightsubnet=10.2.0.0/16
+	auto=add
diff --git a/testing/tests/ikev1/net2net-fragmentation/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/net2net-fragmentation/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..9caf4fa37
--- /dev/null
+++ b/testing/tests/ikev1/net2net-fragmentation/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,11 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown
+
+  fragment_size = 1024
+}
+
+libstrongswan {
+  dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/ikev1/net2net-fragmentation/hosts/sun/etc/ipsec.conf b/testing/tests/ikev1/net2net-fragmentation/hosts/sun/etc/ipsec.conf
new file mode 100644
index 000000000..448525bf7
--- /dev/null
+++ b/testing/tests/ikev1/net2net-fragmentation/hosts/sun/etc/ipsec.conf
@@ -0,0 +1,22 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+        keyingtries=1
+	keyexchange=ikev1
+	fragmentation=yes
+
+conn net-net 
+	left=PH_IP_SUN
+	leftcert=sunCert.pem
+	leftid=@sun.strongswan.org
+	leftsubnet=10.2.0.0/16
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+	rightsubnet=10.1.0.0/16
+	auto=add
diff --git a/testing/tests/ikev1/net2net-fragmentation/hosts/sun/etc/strongswan.conf b/testing/tests/ikev1/net2net-fragmentation/hosts/sun/etc/strongswan.conf
new file mode 100644
index 000000000..9caf4fa37
--- /dev/null
+++ b/testing/tests/ikev1/net2net-fragmentation/hosts/sun/etc/strongswan.conf
@@ -0,0 +1,11 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown
+
+  fragment_size = 1024
+}
+
+libstrongswan {
+  dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/ikev1/net2net-fragmentation/posttest.dat b/testing/tests/ikev1/net2net-fragmentation/posttest.dat
new file mode 100644
index 000000000..837738fc6
--- /dev/null
+++ b/testing/tests/ikev1/net2net-fragmentation/posttest.dat
@@ -0,0 +1,5 @@
+moon::ipsec stop
+sun::ipsec stop
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
+
diff --git a/testing/tests/ikev1/net2net-fragmentation/pretest.dat b/testing/tests/ikev1/net2net-fragmentation/pretest.dat
new file mode 100644
index 000000000..c724e5df8
--- /dev/null
+++ b/testing/tests/ikev1/net2net-fragmentation/pretest.dat
@@ -0,0 +1,6 @@
+moon::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
+moon::ipsec start
+sun::ipsec start
+moon::sleep 1 
+moon::ipsec up net-net
diff --git a/testing/tests/ikev1/net2net-fragmentation/test.conf b/testing/tests/ikev1/net2net-fragmentation/test.conf
new file mode 100644
index 000000000..646b8b3e6
--- /dev/null
+++ b/testing/tests/ikev1/net2net-fragmentation/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon winnetou sun bob"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-w-s-b.png"
+ 
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="sun"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon sun"
diff --git a/testing/tests/ikev2/ip-two-pools-v4v6-db/description.txt b/testing/tests/ikev2/ip-two-pools-v4v6-db/description.txt
new file mode 100644
index 000000000..7e8e7a69b
--- /dev/null
+++ b/testing/tests/ikev2/ip-two-pools-v4v6-db/description.txt
@@ -0,0 +1,5 @@
+The host <b>carol</b> sets up a tunnel connection to gateway <b>moon</b>. It requests
+both an IPv4 and an IPv6 <b>virtual IP</b> via the IKEv2 configuration payload by using
+<b>leftsourceip=%config4,%config6</b>. Gateway <b>moon</b> assigns virtual IPs addresses
+from persistent pools stored in an SQL database using the <b>rightsourceip</b> option.
+The established tunnel carries both IPv4 and IPv6 in an IPv4 encapsulated tunnel.
diff --git a/testing/tests/ikev2/ip-two-pools-v4v6-db/evaltest.dat b/testing/tests/ikev2/ip-two-pools-v4v6-db/evaltest.dat
new file mode 100644
index 000000000..0bf3500b5
--- /dev/null
+++ b/testing/tests/ikev2/ip-two-pools-v4v6-db/evaltest.dat
@@ -0,0 +1,9 @@
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
+carol::cat /var/log/daemon.log::installing new virtual IP 10.3.0.1::YES
+carol::cat /var/log/daemon.log::installing new virtual IP fec3:\:1::YES
+carol::cat /var/log/daemon.log::TS 10.3.0.1/32 fec3:\:1/128 === 10.1.0.0/16 fec1:\:/16::YES
+carol::ping -c 1 PH_IP_MOON::64 bytes from PH_IP_MOON: icmp_req=1::YES
+carol::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES
diff --git a/testing/tests/ikev2/ip-two-pools-v4v6-db/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/ip-two-pools-v4v6-db/hosts/carol/etc/ipsec.conf
new file mode 100644
index 000000000..d19399def
--- /dev/null
+++ b/testing/tests/ikev2/ip-two-pools-v4v6-db/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,20 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn home
+	left=PH_IP_CAROL
+	leftsourceip=%config4,%config6
+	leftcert=carolCert.pem
+	leftid=carol@strongswan.org
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+	rightsubnet=0.0.0.0/0,::/0
+	auto=add
diff --git a/testing/tests/ikev2/ip-two-pools-v4v6-db/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/ip-two-pools-v4v6-db/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..85d8c191f
--- /dev/null
+++ b/testing/tests/ikev2/ip-two-pools-v4v6-db/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default
+}
diff --git a/testing/tests/ikev2/ip-two-pools-v4v6-db/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/ip-two-pools-v4v6-db/hosts/moon/etc/ipsec.conf
new file mode 100644
index 000000000..04a74fd44
--- /dev/null
+++ b/testing/tests/ikev2/ip-two-pools-v4v6-db/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,19 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn rw
+	left=PH_IP_MOON
+	leftcert=moonCert.pem
+	leftid=@moon.strongswan.org
+	leftsubnet=10.1.0.0/16,fec1::0/16
+	rightsourceip=%v4_pool,%v6_pool
+	right=%any
+	auto=add
diff --git a/testing/tests/ikev2/ip-two-pools-v4v6-db/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ip-two-pools-v4v6-db/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..73b0cb7be
--- /dev/null
+++ b/testing/tests/ikev2/ip-two-pools-v4v6-db/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,17 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown sqlite attr-sql
+}
+
+libhydra {
+  plugins {
+    attr-sql {
+      database = sqlite:///etc/ipsec.d/ipsec.db
+    }
+  }
+}
+
+pool {
+  load = sqlite
+}
diff --git a/testing/tests/ikev2/ip-two-pools-v4v6-db/posttest.dat b/testing/tests/ikev2/ip-two-pools-v4v6-db/posttest.dat
new file mode 100644
index 000000000..311e9f21d
--- /dev/null
+++ b/testing/tests/ikev2/ip-two-pools-v4v6-db/posttest.dat
@@ -0,0 +1,5 @@
+alice::ip -6 route del default via fec1:\:1
+carol::ipsec stop
+moon::ipsec stop
+moon::conntrack -F
+moon::rm /etc/ipsec.d/ipsec.*
diff --git a/testing/tests/ikev2/ip-two-pools-v4v6-db/pretest.dat b/testing/tests/ikev2/ip-two-pools-v4v6-db/pretest.dat
new file mode 100644
index 000000000..e3d8f4a78
--- /dev/null
+++ b/testing/tests/ikev2/ip-two-pools-v4v6-db/pretest.dat
@@ -0,0 +1,9 @@
+moon::cat /etc/ipsec.d/tables.sql > /etc/ipsec.d/ipsec.sql
+moon::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
+moon::ipsec pool --add v4_pool --start 10.3.0.1 --end 10.3.1.244 --timeout 48 2> /dev/null 
+moon::ipsec pool --add v6_pool --start fec3:\:1 --end fec3:\:fe --timeout  48 2> /dev/null
+alice::ip -6 route add default via fec1:\:1
+moon::ipsec start
+carol::ipsec start
+carol::sleep 2
+carol::ipsec up home
diff --git a/testing/tests/ikev2/ip-two-pools-v4v6-db/test.conf b/testing/tests/ikev2/ip-two-pools-v4v6-db/test.conf
new file mode 100644
index 000000000..cd03759f0
--- /dev/null
+++ b/testing/tests/ikev2/ip-two-pools-v4v6-db/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon carol winnetou"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="carol"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/net2net-dnssec/description.txt b/testing/tests/ikev2/net2net-dnssec/description.txt
new file mode 100644
index 000000000..9893359c0
--- /dev/null
+++ b/testing/tests/ikev2/net2net-dnssec/description.txt
@@ -0,0 +1,8 @@
+A connection between the subnets behind the gateways <b>moon</b> and <b>sun</b> is set up.
+The authentication is based on trustworthy public keys stored as <b>IPSECKEY</b>
+resource records in the Domain Name System (DNS) and protected by <b>DNSSEC</b>.
+<p/>
+Upon the successful establishment of the IPsec tunnel, <b>leftfirewall=yes</b>
+automatically inserts iptables-based firewall rules that let pass the tunneled traffic.
+In order to test both tunnel and firewall, client <b>alice</b> behind gateway <b>moon</b>
+pings client <b>bob</b> located behind gateway <b>sun</b>.
diff --git a/testing/tests/ikev2/net2net-dnssec/evaltest.dat b/testing/tests/ikev2/net2net-dnssec/evaltest.dat
new file mode 100644
index 000000000..389cac7f3
--- /dev/null
+++ b/testing/tests/ikev2/net2net-dnssec/evaltest.dat
@@ -0,0 +1,9 @@
+moon:: cat /var/log/daemon.log::performing a DNS query for IPSECKEY RRs of.*sun.strongswan.org::YES
+sun::  cat /var/log/daemon.log::performing a DNS query for IPSECKEY RRs of.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
+sun::  ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::INSTALLED, TUNNEL::YES
+sun::  ipsec status 2> /dev/null::INSTALLED, TUNNEL::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
+sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
+sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/net2net-dnssec/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/net2net-dnssec/hosts/moon/etc/ipsec.conf
new file mode 100644
index 000000000..6c11645f9
--- /dev/null
+++ b/testing/tests/ikev2/net2net-dnssec/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+	mobike=no
+	
+conn net-net
+	left=PH_IP_MOON
+	leftid=moon.strongswan.org
+	leftsubnet=10.1.0.0/16
+	leftrsasigkey=moonPub.der
+	leftauth=pubkey
+	leftfirewall=yes
+	right=sun.strongswan.org
+	rightid=sun.strongswan.org
+	rightsubnet=10.2.0.0/16
+	rightauth=pubkey
+	auto=add
diff --git a/testing/tests/ikev2/net2net-dnssec/hosts/moon/etc/ipsec.d/certs/moonPub.der b/testing/tests/ikev2/net2net-dnssec/hosts/moon/etc/ipsec.d/certs/moonPub.der
new file mode 100644
index 000000000..71571044c
Binary files /dev/null and b/testing/tests/ikev2/net2net-dnssec/hosts/moon/etc/ipsec.d/certs/moonPub.der differ
diff --git a/testing/tests/ikev2/net2net-dnssec/hosts/moon/etc/ipsec.d/dnssec.keys b/testing/tests/ikev2/net2net-dnssec/hosts/moon/etc/ipsec.d/dnssec.keys
new file mode 100644
index 000000000..d059d8476
--- /dev/null
+++ b/testing/tests/ikev2/net2net-dnssec/hosts/moon/etc/ipsec.d/dnssec.keys
@@ -0,0 +1,10 @@
+; This is a key-signing key, keyid 32329, for .
+.		IN	DNSKEY	257 3 8	(
+				AwEAAbcskaratFgvgvXl0bNq4I43ZBzd9jYnoPqsIcA0ahqXlUTUa+c2
+				XzN2mS7DGcI4Z5Gn+8v/Ih4lQJQrlf9I/c2HjooCAsK1bA5cRS2DiU+b
+				L6Ge0nLtvNOf4C0MHGLrWcDONg5QoL0OcFvMXuUtOvDkoIMdtfDYDScx
+				E9vSokc98Sx553/MTxpssXeM9i+OauGqohIZU+MVRdWwvJPieCL7Ma4b
+				AttgG+KSbQy7x/qXPISoqzwGQvCxsL93fvD/cpp+KziqA0oH+Dfryvc5
+				nWdCdra4gYz7WCFFwcY1PW6PbL5ie4jnjl3WWxopuzT46HKROxDhE+FO
+				O9fOgGnjzAk=
+				)
diff --git a/testing/tests/ikev2/net2net-dnssec/hosts/moon/etc/iptables.rules b/testing/tests/ikev2/net2net-dnssec/hosts/moon/etc/iptables.rules
new file mode 100644
index 000000000..b2c425289
--- /dev/null
+++ b/testing/tests/ikev2/net2net-dnssec/hosts/moon/etc/iptables.rules
@@ -0,0 +1,28 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow esp
+-A INPUT  -i eth0 -p 50 -j ACCEPT
+-A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+# allow IKE
+-A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT  -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow DNSSEC fetch from winnetou
+-A INPUT  -i eth0 -p udp --sport 53 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 53 -d PH_IP_WINNETOU -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/ikev2/net2net-dnssec/hosts/moon/etc/resolv.conf b/testing/tests/ikev2/net2net-dnssec/hosts/moon/etc/resolv.conf
new file mode 100644
index 000000000..73d926def
--- /dev/null
+++ b/testing/tests/ikev2/net2net-dnssec/hosts/moon/etc/resolv.conf
@@ -0,0 +1 @@
+nameserver PH_IP_WINNETOU
diff --git a/testing/tests/ikev2/net2net-dnssec/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/net2net-dnssec/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..44a54a9dd
--- /dev/null
+++ b/testing/tests/ikev2/net2net-dnssec/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,20 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = sha1 sha2 md5 aes des hmac gmp dnskey pem pkcs1 pubkey unbound ipseckey random nonce curl kernel-netlink socket-default stroke updown
+
+  plugins {
+    ipseckey {
+      enable = yes
+    }
+  }
+}
+
+libstrongswan {
+  plugins {
+    unbound {
+      # trust_anchors = /etc/ipsec.d/dnssec.keys
+      # resolv_conf = /etc/resolv.conf
+    }
+  }
+}
diff --git a/testing/tests/ikev2/net2net-dnssec/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/net2net-dnssec/hosts/sun/etc/ipsec.conf
new file mode 100644
index 000000000..76e41cd47
--- /dev/null
+++ b/testing/tests/ikev2/net2net-dnssec/hosts/sun/etc/ipsec.conf
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+	mobike=no
+	
+conn net-net
+	left=PH_IP_SUN
+	leftid=sun.strongswan.org
+	leftsubnet=10.2.0.0/16
+	leftrsasigkey=sunPub.der
+	leftauth=pubkey
+	leftfirewall=yes
+	right=moon.strongswan.org
+	rightid=moon.strongswan.org
+	rightsubnet=10.1.0.0/16
+	rightauth=pubkey
+	auto=add
diff --git a/testing/tests/ikev2/net2net-dnssec/hosts/sun/etc/ipsec.d/certs/sunPub.der b/testing/tests/ikev2/net2net-dnssec/hosts/sun/etc/ipsec.d/certs/sunPub.der
new file mode 100644
index 000000000..cc99934db
Binary files /dev/null and b/testing/tests/ikev2/net2net-dnssec/hosts/sun/etc/ipsec.d/certs/sunPub.der differ
diff --git a/testing/tests/ikev2/net2net-dnssec/hosts/sun/etc/ipsec.d/dnssec.keys b/testing/tests/ikev2/net2net-dnssec/hosts/sun/etc/ipsec.d/dnssec.keys
new file mode 100644
index 000000000..d059d8476
--- /dev/null
+++ b/testing/tests/ikev2/net2net-dnssec/hosts/sun/etc/ipsec.d/dnssec.keys
@@ -0,0 +1,10 @@
+; This is a key-signing key, keyid 32329, for .
+.		IN	DNSKEY	257 3 8	(
+				AwEAAbcskaratFgvgvXl0bNq4I43ZBzd9jYnoPqsIcA0ahqXlUTUa+c2
+				XzN2mS7DGcI4Z5Gn+8v/Ih4lQJQrlf9I/c2HjooCAsK1bA5cRS2DiU+b
+				L6Ge0nLtvNOf4C0MHGLrWcDONg5QoL0OcFvMXuUtOvDkoIMdtfDYDScx
+				E9vSokc98Sx553/MTxpssXeM9i+OauGqohIZU+MVRdWwvJPieCL7Ma4b
+				AttgG+KSbQy7x/qXPISoqzwGQvCxsL93fvD/cpp+KziqA0oH+Dfryvc5
+				nWdCdra4gYz7WCFFwcY1PW6PbL5ie4jnjl3WWxopuzT46HKROxDhE+FO
+				O9fOgGnjzAk=
+				)
diff --git a/testing/tests/ikev2/net2net-dnssec/hosts/sun/etc/iptables.rules b/testing/tests/ikev2/net2net-dnssec/hosts/sun/etc/iptables.rules
new file mode 100644
index 000000000..b2c425289
--- /dev/null
+++ b/testing/tests/ikev2/net2net-dnssec/hosts/sun/etc/iptables.rules
@@ -0,0 +1,28 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow esp
+-A INPUT  -i eth0 -p 50 -j ACCEPT
+-A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+# allow IKE
+-A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT  -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow DNSSEC fetch from winnetou
+-A INPUT  -i eth0 -p udp --sport 53 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 53 -d PH_IP_WINNETOU -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/ikev2/net2net-dnssec/hosts/sun/etc/resolv.conf b/testing/tests/ikev2/net2net-dnssec/hosts/sun/etc/resolv.conf
new file mode 100644
index 000000000..73d926def
--- /dev/null
+++ b/testing/tests/ikev2/net2net-dnssec/hosts/sun/etc/resolv.conf
@@ -0,0 +1 @@
+nameserver PH_IP_WINNETOU
diff --git a/testing/tests/ikev2/net2net-dnssec/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/net2net-dnssec/hosts/sun/etc/strongswan.conf
new file mode 100644
index 000000000..44a54a9dd
--- /dev/null
+++ b/testing/tests/ikev2/net2net-dnssec/hosts/sun/etc/strongswan.conf
@@ -0,0 +1,20 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = sha1 sha2 md5 aes des hmac gmp dnskey pem pkcs1 pubkey unbound ipseckey random nonce curl kernel-netlink socket-default stroke updown
+
+  plugins {
+    ipseckey {
+      enable = yes
+    }
+  }
+}
+
+libstrongswan {
+  plugins {
+    unbound {
+      # trust_anchors = /etc/ipsec.d/dnssec.keys
+      # resolv_conf = /etc/resolv.conf
+    }
+  }
+}
diff --git a/testing/tests/ikev2/net2net-dnssec/posttest.dat b/testing/tests/ikev2/net2net-dnssec/posttest.dat
new file mode 100644
index 000000000..c594c4dc8
--- /dev/null
+++ b/testing/tests/ikev2/net2net-dnssec/posttest.dat
@@ -0,0 +1,8 @@
+moon::ipsec stop
+sun::ipsec stop
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
+moon::rm /etc/resolv.conf
+sun::rm /etc/resolv.conf
+moon::rm /etc/ipsec.d/dnssec.keys
+sun::rm /etc/ipsec.d/dnssec.keys
diff --git a/testing/tests/ikev2/net2net-dnssec/pretest.dat b/testing/tests/ikev2/net2net-dnssec/pretest.dat
new file mode 100644
index 000000000..0f4ae0f4f
--- /dev/null
+++ b/testing/tests/ikev2/net2net-dnssec/pretest.dat
@@ -0,0 +1,8 @@
+moon::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
+moon::rm /etc/ipsec.d/cacerts/*
+sun::rm /etc/ipsec.d/cacerts/*
+moon::ipsec start
+sun::ipsec start
+moon::sleep 2
+moon::ipsec up net-net
diff --git a/testing/tests/ikev2/net2net-dnssec/test.conf b/testing/tests/ikev2/net2net-dnssec/test.conf
new file mode 100644
index 000000000..afa2accbe
--- /dev/null
+++ b/testing/tests/ikev2/net2net-dnssec/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon winnetou sun bob"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-w-s-b.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="sun"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon sun"
diff --git a/testing/tests/ikev2/rw-dnssec/description.txt b/testing/tests/ikev2/rw-dnssec/description.txt
new file mode 100644
index 000000000..0135f078c
--- /dev/null
+++ b/testing/tests/ikev2/rw-dnssec/description.txt
@@ -0,0 +1,10 @@
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to gateway <b>moon</b>.
+The authentication is based on trustworthy public keys stored as <b>IPSECKEY</b>
+resource records in the Domain Name System (DNS) and protected by <b>DNSSEC</b>.
+</p>
+Both <b>carol</b> and <b>dave</b> request a <b>virtual IP</b> via the IKEv2 configuration payload
+by using the <b>leftsourceip=%config</b> parameter. <b>leftfirewall=yes</b> automatically
+inserts iptables-based firewall rules that let pass the tunneled traffic. In order to test the
+tunnels, <b>carol</b> and <b>dave</b> then ping the client <b>alice</b> behind the gateway
+<b>moon</b>. The source IP addresses of the two pings will be the virtual IPs <b>carol1</b>
+and <b>dave1</b>, respectively.
diff --git a/testing/tests/ikev2/rw-dnssec/evaltest.dat b/testing/tests/ikev2/rw-dnssec/evaltest.dat
new file mode 100644
index 000000000..49183fb42
--- /dev/null
+++ b/testing/tests/ikev2/rw-dnssec/evaltest.dat
@@ -0,0 +1,24 @@
+carol::cat /var/log/daemon.log::performing a DNS query for IPSECKEY RRs of.*moon.strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol.strongswan.org.*moon.strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+carol::cat /var/log/daemon.log::installing new virtual IP PH_IP_CAROL1::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave:: cat /var/log/daemon.log::performing a DNS query for IPSECKEY RRs of.*moon.strongswan.org::YES
+dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave.strongswan.org.*moon.strongswan.org::YES
+dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+dave:: cat /var/log/daemon.log::installing new virtual IP PH_IP_DAVE1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+moon:: cat /var/log/daemon.log::performing a DNS query for IPSECKEY RRs of.*carol.strongswan.org::YES
+moon:: cat /var/log/daemon.log::performing a DNS query for IPSECKEY RRs of.*dave.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
+alice::tcpdump::IP carol1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
+alice::tcpdump::IP alice.strongswan.org > carol1.strongswan.org: ICMP echo reply::YES
+alice::tcpdump::IP dave1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
+alice::tcpdump::IP alice.strongswan.org > dave1.strongswan.org: ICMP echo reply::YES
diff --git a/testing/tests/ikev2/rw-dnssec/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-dnssec/hosts/carol/etc/ipsec.conf
new file mode 100644
index 000000000..70deaa036
--- /dev/null
+++ b/testing/tests/ikev2/rw-dnssec/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn home
+	left=%any
+	leftsourceip=%config
+	leftid=carol.strongswan.org
+	leftrsasigkey="0sAwEAAdBdWU+BF7x4lyo+xHnr4UAOU89yQQuT5vdPoXzx6kRPsjYAuuktgXR+SaLkQHw/YRgDPSKj5nzmmlOQf/rWRr+8O2q+C92aUICmkNvZGamo5w2WlOMZ6T5dk2Hv+QM6xT/GzWyVr1dMYu/7tywD1Bw7aW/HqkRESDu6q95VWu+Lzg6XlxCNEez0YsZrN/fC6BL2qzKAqMBbIHFW8OOnh+nEY4IF5AzkZnFrw12GI72Z882pw97lyKwZhSz/GMQFBJx+rnNdw5P1IJwTlG5PUdoDCte/Mcr1iiA+zOovx55x1GoGxduoXWU5egrf1MtalRf9Pc8Xr4q3WEKTAmsZrVE="
+	leftauth=pubkey
+	leftfirewall=yes
+	right=moon.strongswan.org
+	rightid=moon.strongswan.org
+	rightsubnet=10.1.0.0/16
+	rightauth=pubkey
+	auto=add
diff --git a/testing/tests/ikev2/rw-dnssec/hosts/carol/etc/ipsec.d/dnssec.keys b/testing/tests/ikev2/rw-dnssec/hosts/carol/etc/ipsec.d/dnssec.keys
new file mode 100644
index 000000000..d059d8476
--- /dev/null
+++ b/testing/tests/ikev2/rw-dnssec/hosts/carol/etc/ipsec.d/dnssec.keys
@@ -0,0 +1,10 @@
+; This is a key-signing key, keyid 32329, for .
+.		IN	DNSKEY	257 3 8	(
+				AwEAAbcskaratFgvgvXl0bNq4I43ZBzd9jYnoPqsIcA0ahqXlUTUa+c2
+				XzN2mS7DGcI4Z5Gn+8v/Ih4lQJQrlf9I/c2HjooCAsK1bA5cRS2DiU+b
+				L6Ge0nLtvNOf4C0MHGLrWcDONg5QoL0OcFvMXuUtOvDkoIMdtfDYDScx
+				E9vSokc98Sx553/MTxpssXeM9i+OauGqohIZU+MVRdWwvJPieCL7Ma4b
+				AttgG+KSbQy7x/qXPISoqzwGQvCxsL93fvD/cpp+KziqA0oH+Dfryvc5
+				nWdCdra4gYz7WCFFwcY1PW6PbL5ie4jnjl3WWxopuzT46HKROxDhE+FO
+				O9fOgGnjzAk=
+				)
diff --git a/testing/tests/ikev2/rw-dnssec/hosts/carol/etc/iptables.rules b/testing/tests/ikev2/rw-dnssec/hosts/carol/etc/iptables.rules
new file mode 100644
index 000000000..b2c425289
--- /dev/null
+++ b/testing/tests/ikev2/rw-dnssec/hosts/carol/etc/iptables.rules
@@ -0,0 +1,28 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow esp
+-A INPUT  -i eth0 -p 50 -j ACCEPT
+-A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+# allow IKE
+-A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT  -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow DNSSEC fetch from winnetou
+-A INPUT  -i eth0 -p udp --sport 53 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 53 -d PH_IP_WINNETOU -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/ikev2/rw-dnssec/hosts/carol/etc/resolv.conf b/testing/tests/ikev2/rw-dnssec/hosts/carol/etc/resolv.conf
new file mode 100644
index 000000000..73d926def
--- /dev/null
+++ b/testing/tests/ikev2/rw-dnssec/hosts/carol/etc/resolv.conf
@@ -0,0 +1 @@
+nameserver PH_IP_WINNETOU
diff --git a/testing/tests/ikev2/rw-dnssec/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-dnssec/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..825af9dd0
--- /dev/null
+++ b/testing/tests/ikev2/rw-dnssec/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,11 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce dnskey pubkey unbound ipseckey hmac stroke kernel-netlink socket-default updown resolve
+
+  plugins {
+    ipseckey {
+      enable = yes
+    }
+  }
+}
diff --git a/testing/tests/ikev2/rw-dnssec/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/rw-dnssec/hosts/dave/etc/ipsec.conf
new file mode 100644
index 000000000..24ffdd3b1
--- /dev/null
+++ b/testing/tests/ikev2/rw-dnssec/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn home
+	left=%any
+	leftsourceip=%config
+	leftid=dave.strongswan.org
+	leftrsasigkey="0sAwEAAcAH8lNvBVjmg0XT7wF6F1tzQ055f5uXRI5yClmFrqdswFA7jWO04jmvlduD2wr2X4Ng6dlBkSwSEhVkOgrzIYj8UgQT6BZF/44uYjyTYr4bV2SVML9U/a1lYxBhBazpSdfeKJWkdxwjcJCqolZ719mwiyrQn2P2G7qH10YgRuifpFcMs8jkMiIgpzevSMMc0OwhQPNyO5R0LEoUIy4dQJ9rU8GKqmPmk/pdPQaAjpSNuCc1Y9M9vZrETs/XHmBCZXCIWJiz5VOHZ+r073E3Gef9ibMuTj9g2XLvFhdDfU26FK9GkfuOwnWnhVK66diq9xw9Qqynk+8K0J4a81Paq3U="
+	leftauth=pubkey
+	leftfirewall=yes
+	right=moon.strongswan.org
+	rightid=moon.strongswan.org
+	rightsubnet=10.1.0.0/16
+	rightauth=pubkey
+	auto=add
diff --git a/testing/tests/ikev2/rw-dnssec/hosts/dave/etc/ipsec.d/dnssec.keys b/testing/tests/ikev2/rw-dnssec/hosts/dave/etc/ipsec.d/dnssec.keys
new file mode 100644
index 000000000..d059d8476
--- /dev/null
+++ b/testing/tests/ikev2/rw-dnssec/hosts/dave/etc/ipsec.d/dnssec.keys
@@ -0,0 +1,10 @@
+; This is a key-signing key, keyid 32329, for .
+.		IN	DNSKEY	257 3 8	(
+				AwEAAbcskaratFgvgvXl0bNq4I43ZBzd9jYnoPqsIcA0ahqXlUTUa+c2
+				XzN2mS7DGcI4Z5Gn+8v/Ih4lQJQrlf9I/c2HjooCAsK1bA5cRS2DiU+b
+				L6Ge0nLtvNOf4C0MHGLrWcDONg5QoL0OcFvMXuUtOvDkoIMdtfDYDScx
+				E9vSokc98Sx553/MTxpssXeM9i+OauGqohIZU+MVRdWwvJPieCL7Ma4b
+				AttgG+KSbQy7x/qXPISoqzwGQvCxsL93fvD/cpp+KziqA0oH+Dfryvc5
+				nWdCdra4gYz7WCFFwcY1PW6PbL5ie4jnjl3WWxopuzT46HKROxDhE+FO
+				O9fOgGnjzAk=
+				)
diff --git a/testing/tests/ikev2/rw-dnssec/hosts/dave/etc/iptables.rules b/testing/tests/ikev2/rw-dnssec/hosts/dave/etc/iptables.rules
new file mode 100644
index 000000000..b2c425289
--- /dev/null
+++ b/testing/tests/ikev2/rw-dnssec/hosts/dave/etc/iptables.rules
@@ -0,0 +1,28 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow esp
+-A INPUT  -i eth0 -p 50 -j ACCEPT
+-A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+# allow IKE
+-A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT  -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow DNSSEC fetch from winnetou
+-A INPUT  -i eth0 -p udp --sport 53 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 53 -d PH_IP_WINNETOU -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/ikev2/rw-dnssec/hosts/dave/etc/resolv.conf b/testing/tests/ikev2/rw-dnssec/hosts/dave/etc/resolv.conf
new file mode 100644
index 000000000..73d926def
--- /dev/null
+++ b/testing/tests/ikev2/rw-dnssec/hosts/dave/etc/resolv.conf
@@ -0,0 +1 @@
+nameserver PH_IP_WINNETOU
diff --git a/testing/tests/ikev2/rw-dnssec/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-dnssec/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..825af9dd0
--- /dev/null
+++ b/testing/tests/ikev2/rw-dnssec/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,11 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce dnskey pubkey unbound ipseckey hmac stroke kernel-netlink socket-default updown resolve
+
+  plugins {
+    ipseckey {
+      enable = yes
+    }
+  }
+}
diff --git a/testing/tests/ikev2/rw-dnssec/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-dnssec/hosts/moon/etc/ipsec.conf
new file mode 100644
index 000000000..a199a4824
--- /dev/null
+++ b/testing/tests/ikev2/rw-dnssec/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,22 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default 
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn rw 
+	left=PH_IP_MOON
+	leftsubnet=10.1.0.0/16
+	leftid=moon.strongswan.org
+	leftauth=pubkey
+	leftrsasigkey=moonPub.der
+	leftfirewall=yes
+	right=%any
+	rightauth=pubkey
+	rightsourceip=10.3.0.0/24
+	auto=add
diff --git a/testing/tests/ikev2/rw-dnssec/hosts/moon/etc/ipsec.d/certs/moonPub.der b/testing/tests/ikev2/rw-dnssec/hosts/moon/etc/ipsec.d/certs/moonPub.der
new file mode 100644
index 000000000..71571044c
Binary files /dev/null and b/testing/tests/ikev2/rw-dnssec/hosts/moon/etc/ipsec.d/certs/moonPub.der differ
diff --git a/testing/tests/ikev2/rw-dnssec/hosts/moon/etc/ipsec.d/dnssec.keys b/testing/tests/ikev2/rw-dnssec/hosts/moon/etc/ipsec.d/dnssec.keys
new file mode 100644
index 000000000..d059d8476
--- /dev/null
+++ b/testing/tests/ikev2/rw-dnssec/hosts/moon/etc/ipsec.d/dnssec.keys
@@ -0,0 +1,10 @@
+; This is a key-signing key, keyid 32329, for .
+.		IN	DNSKEY	257 3 8	(
+				AwEAAbcskaratFgvgvXl0bNq4I43ZBzd9jYnoPqsIcA0ahqXlUTUa+c2
+				XzN2mS7DGcI4Z5Gn+8v/Ih4lQJQrlf9I/c2HjooCAsK1bA5cRS2DiU+b
+				L6Ge0nLtvNOf4C0MHGLrWcDONg5QoL0OcFvMXuUtOvDkoIMdtfDYDScx
+				E9vSokc98Sx553/MTxpssXeM9i+OauGqohIZU+MVRdWwvJPieCL7Ma4b
+				AttgG+KSbQy7x/qXPISoqzwGQvCxsL93fvD/cpp+KziqA0oH+Dfryvc5
+				nWdCdra4gYz7WCFFwcY1PW6PbL5ie4jnjl3WWxopuzT46HKROxDhE+FO
+				O9fOgGnjzAk=
+				)
diff --git a/testing/tests/ikev2/rw-dnssec/hosts/moon/etc/iptables.rules b/testing/tests/ikev2/rw-dnssec/hosts/moon/etc/iptables.rules
new file mode 100644
index 000000000..b2c425289
--- /dev/null
+++ b/testing/tests/ikev2/rw-dnssec/hosts/moon/etc/iptables.rules
@@ -0,0 +1,28 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow esp
+-A INPUT  -i eth0 -p 50 -j ACCEPT
+-A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+# allow IKE
+-A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT  -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow DNSSEC fetch from winnetou
+-A INPUT  -i eth0 -p udp --sport 53 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 53 -d PH_IP_WINNETOU -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/ikev2/rw-dnssec/hosts/moon/etc/resolv.conf b/testing/tests/ikev2/rw-dnssec/hosts/moon/etc/resolv.conf
new file mode 100644
index 000000000..73d926def
--- /dev/null
+++ b/testing/tests/ikev2/rw-dnssec/hosts/moon/etc/resolv.conf
@@ -0,0 +1 @@
+nameserver PH_IP_WINNETOU
diff --git a/testing/tests/ikev2/rw-dnssec/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-dnssec/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..644ac3d6a
--- /dev/null
+++ b/testing/tests/ikev2/rw-dnssec/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,14 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = aes des sha1 sha2 md5 pem pkcs1 dnskey pubkey unbound ipseckey gmp random nonce hmac stroke kernel-netlink socket-default updown attr
+
+  dns1 = PH_IP_WINNETOU
+  dns2 = PH_IP_VENUS
+
+  plugins {
+    ipseckey {
+      enable = yes
+    }
+  }
+}
diff --git a/testing/tests/ikev2/rw-dnssec/posttest.dat b/testing/tests/ikev2/rw-dnssec/posttest.dat
new file mode 100644
index 000000000..3d55e09f9
--- /dev/null
+++ b/testing/tests/ikev2/rw-dnssec/posttest.dat
@@ -0,0 +1,12 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
+moon:rm /etc/resolv.conf
+carol:rm /etc/resolv.conf
+dave:rm /etc/resolv.conf
+moon:rm /etc/ipsec.d/dnssec.key
+carol:rm /etc/ipsec.d/dnssec.key
+dave:rm /etc/ipse.cd/dnssec.key
diff --git a/testing/tests/ikev2/rw-dnssec/pretest.dat b/testing/tests/ikev2/rw-dnssec/pretest.dat
new file mode 100644
index 000000000..40eaede87
--- /dev/null
+++ b/testing/tests/ikev2/rw-dnssec/pretest.dat
@@ -0,0 +1,13 @@
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
+moon::rm /etc/ipsec.d/cacerts/*
+carol::rm /etc/ipsec.d/cacerts/*
+dave::rm /etc/ipsec.d/cacerts/*
+carol::ipsec start
+dave::ipsec start
+moon::ipsec start
+carol::sleep 2 
+carol::ipsec up home
+dave::ipsec up home
+carol::sleep 1
diff --git a/testing/tests/ikev2/rw-dnssec/test.conf b/testing/tests/ikev2/rw-dnssec/test.conf
new file mode 100644
index 000000000..164b07ff9
--- /dev/null
+++ b/testing/tests/ikev2/rw-dnssec/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-d.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon alice"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev2/rw-eap-framed-ip-radius/description.txt b/testing/tests/ikev2/rw-eap-framed-ip-radius/description.txt
new file mode 100644
index 000000000..46ffc0611
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-framed-ip-radius/description.txt
@@ -0,0 +1,9 @@
+The roadwarriors <b>carol</b> an <b>dave</b> set up a connection to gateway
+<b>moon</b>. At the outset the gateway authenticates itself to the client by
+sending an IKEv2 <b>RSA signature</b> accompanied by a certificate.
+<b>carol</b> and <b>dave</b> then use the <b>EAP-MD5</b> protocol to authenticate
+against the gateway <b>moon</b>.
+<p/>
+The roadwarriors <b>carol</b> and <b>dave</b> request a virtual IP which is
+assigned by the RADIUS server <b>alice</b> using the <b>Framed-IP-Address</b>
+RADIUS attribute.
diff --git a/testing/tests/ikev2/rw-eap-framed-ip-radius/evaltest.dat b/testing/tests/ikev2/rw-eap-framed-ip-radius/evaltest.dat
new file mode 100644
index 000000000..1460ec8f9
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-framed-ip-radius/evaltest.dat
@@ -0,0 +1,26 @@
+carol::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with RSA signature successful::YES
+moon ::cat /var/log/daemon.log::received EAP identity .*carol::YES
+carol::cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES
+carol::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with EAP successful::YES
+moon ::cat /var/log/daemon.log::authentication of .*PH_IP_CAROL.* with EAP successful::YES
+moon ::ipsec status 2> /dev/null::rw-eap\[1]: ESTABLISHED.*moon.strongswan.org.*PH_IP_CAROL::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*PH_IP_CAROL.*moon.strongswan.org::YES
+moon ::ipsec status 2> /dev/null::rw-eap[{]1}.*INSTALLED, TUNNEL::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+carol::cat /var/log/daemon.log::installing new virtual IP 10.3.0.1::YES
+dave ::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with RSA signature successful::YES
+moon ::cat /var/log/daemon.log::received EAP identity .*dave::YES
+dave ::cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES
+dave ::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with EAP successful::YES
+moon ::cat /var/log/daemon.log::authentication of .*PH_IP_DAVE.* with EAP successful::YES
+moon ::ipsec status 2> /dev/null::rw-eap\[2]: ESTABLISHED.*moon.strongswan.org.*PH_IP_DAVE::YES
+dave ::ipsec status 2> /dev/null::home.*ESTABLISHED.*PH_IP_DAVE.*moon.strongswan.org::YES
+moon ::ipsec status 2> /dev/null::rw-eap[{]2}.*INSTALLED, TUNNEL::YES
+dave ::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+dave ::cat /var/log/daemon.log::installing new virtual IP 10.3.0.2::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/alice/etc/freeradius/eap.conf b/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/alice/etc/freeradius/eap.conf
new file mode 100644
index 000000000..623f42904
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/alice/etc/freeradius/eap.conf
@@ -0,0 +1,5 @@
+eap {
+  default_eap_type = md5
+  md5 {
+  }
+}
diff --git a/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/alice/etc/freeradius/proxy.conf b/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/alice/etc/freeradius/proxy.conf
new file mode 100644
index 000000000..783587b55
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/alice/etc/freeradius/proxy.conf
@@ -0,0 +1,5 @@
+realm LOCAL {
+  type     = radius
+  authhost = LOCAL
+  accthost = LOCAL
+}
diff --git a/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/alice/etc/freeradius/sites-available/default b/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/alice/etc/freeradius/sites-available/default
new file mode 100644
index 000000000..a67a5dcb4
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/alice/etc/freeradius/sites-available/default
@@ -0,0 +1,42 @@
+authorize {
+  eap {
+    ok = return
+  }
+  files
+}
+
+authenticate {
+  eap
+}
+
+preacct {
+  preprocess
+  acct_unique
+  suffix
+  files
+}
+
+accounting {
+  detail
+  unix
+  radutmp
+  attr_filter.accounting_response
+}
+
+session {
+  radutmp
+}
+
+post-auth {
+  exec
+  Post-Auth-Type REJECT {
+    attr_filter.access_reject
+  }
+}
+
+pre-proxy {
+}
+
+post-proxy {
+  eap
+}
diff --git a/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/alice/etc/freeradius/users b/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/alice/etc/freeradius/users
new file mode 100644
index 000000000..ba92f0080
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/alice/etc/freeradius/users
@@ -0,0 +1,4 @@
+carol	Cleartext-Password := "Ar3etTnp"
+		Framed-IP-Address = 10.3.0.1
+dave	Cleartext-Password := "W7R0g3do"
+		Framed-IP-Address = 10.3.0.2
diff --git a/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/carol/etc/ipsec.conf
new file mode 100644
index 000000000..ed908db4d
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,22 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn home
+	left=%any
+	leftauth=eap
+	leftfirewall=yes
+	leftsourceip=%config
+	eap_identity=carol
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+	rightauth=pubkey
+	rightsubnet=10.1.0.0/16
+	auto=add
diff --git a/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/carol/etc/ipsec.secrets
new file mode 100644
index 000000000..23d79cf2e
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/carol/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+carol : EAP "Ar3etTnp"
diff --git a/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..b1b418060
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-md5 eap-identity updown
+}
diff --git a/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/dave/etc/ipsec.conf
new file mode 100644
index 000000000..97aa8bbff
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,22 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn home
+	left=%any
+	leftauth=eap
+	leftfirewall=yes
+	leftsourceip=%config
+	eap_identity=dave
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+	rightauth=pubkey
+	rightsubnet=10.1.0.0/16
+	auto=add
diff --git a/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/dave/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/dave/etc/ipsec.secrets
new file mode 100644
index 000000000..02e0c9963
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/dave/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+dave : EAP "W7R0g3do"
diff --git a/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..b1b418060
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-md5 eap-identity updown
+}
diff --git a/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/moon/etc/ipsec.conf
new file mode 100644
index 000000000..a3299393a
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn rw-eap
+	left=PH_IP_MOON
+	leftid=@moon.strongswan.org
+	leftcert=moonCert.pem
+	leftauth=pubkey
+	leftsubnet=10.1.0.0/16
+	leftfirewall=yes
+	rightsendcert=never
+	rightauth=eap-radius
+	rightsourceip=%radius
+	eap_identity=%any
+	right=%any
+	auto=add
diff --git a/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/moon/etc/ipsec.secrets
new file mode 100644
index 000000000..e86d6aa5c
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/moon/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: RSA moonKey.pem
diff --git a/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/moon/etc/iptables.rules b/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/moon/etc/iptables.rules
new file mode 100644
index 000000000..1eb755354
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/moon/etc/iptables.rules
@@ -0,0 +1,32 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow esp
+-A INPUT  -i eth0 -p 50 -j ACCEPT
+-A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+# allow IKE
+-A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT  -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+# allow RADIUS protocol with alice
+-A INPUT  -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT
+-A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..4297a3056
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,12 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-radius eap-identity updown
+  plugins {
+    eap-radius {
+      class_group = yes
+      secret = gv6URkSs
+      server = PH_IP_ALICE
+    }
+  }
+}
diff --git a/testing/tests/ikev2/rw-eap-framed-ip-radius/posttest.dat b/testing/tests/ikev2/rw-eap-framed-ip-radius/posttest.dat
new file mode 100644
index 000000000..670d2e72f
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-framed-ip-radius/posttest.dat
@@ -0,0 +1,7 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+alice::killall radiusd
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/rw-eap-framed-ip-radius/pretest.dat b/testing/tests/ikev2/rw-eap-framed-ip-radius/pretest.dat
new file mode 100644
index 000000000..698a719f7
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-framed-ip-radius/pretest.dat
@@ -0,0 +1,11 @@
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
+alice::radiusd
+moon::ipsec start
+carol::ipsec start
+dave::ipsec start
+carol::sleep 1
+carol::ipsec up home 
+dave::ipsec up home 
+dave::sleep 1
diff --git a/testing/tests/ikev2/rw-eap-framed-ip-radius/test.conf b/testing/tests/ikev2/rw-eap-framed-ip-radius/test.conf
new file mode 100644
index 000000000..5dfb41723
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-framed-ip-radius/test.conf
@@ -0,0 +1,26 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice venus moon carol winnetou moon"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-v-m-c-w-d.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
+
+# Guest instances on which FreeRadius is started
+#
+RADIUSHOSTS="alice"
+
diff --git a/testing/tests/ikev2/rw-radius-accounting/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-radius-accounting/hosts/carol/etc/ipsec.conf
index 881971e80..438e1c14c 100644
--- a/testing/tests/ikev2/rw-radius-accounting/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-radius-accounting/hosts/carol/etc/ipsec.conf
@@ -15,6 +15,7 @@ conn home
 	leftid=carol@strongswan.org
 	leftauth=eap
 	leftfirewall=yes
+	leftsourceip=%config,%config6
 	eap_identity=carol
 	right=PH_IP_MOON
 	rightid=@moon.strongswan.org
diff --git a/testing/tests/ikev2/rw-radius-accounting/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-radius-accounting/hosts/moon/etc/ipsec.conf
index 8ce1721f5..7d4f94f48 100644
--- a/testing/tests/ikev2/rw-radius-accounting/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-radius-accounting/hosts/moon/etc/ipsec.conf
@@ -19,6 +19,7 @@ conn rw-eap
 	rightid=*@strongswan.org
 	rightsendcert=never
 	rightauth=eap-radius
+	rightsourceip=10.3.0.0/24,fec3::0/120
 	eap_identity=%any
 	right=%any
 	auto=add
diff --git a/testing/tests/openssl-ikev2/alg-aes-gcm/description.txt b/testing/tests/openssl-ikev2/alg-aes-gcm/description.txt
new file mode 100644
index 000000000..cfa7a11b9
--- /dev/null
+++ b/testing/tests/openssl-ikev2/alg-aes-gcm/description.txt
@@ -0,0 +1,16 @@
+The roadwarrior <b>carol</b> and the gateway <b>moon</b> use the <b>openssl</b>
+plugin based on the <b>OpenSSL</b> library for all cryptographical and X.509 certificate
+functions whereas roadwarrior <b>dave</b> uses the default <b>strongSwan</b> cryptographical
+plugins <b>aes des sha1 sha2 md5 gmp hmac gcm</b> and <b>x509</b>.
+<p/>
+Roadwarrior <b>carol</b> proposes to gateway <b>moon</b> the cipher suite
+<b>AES_GCM_16_256</b> both for IKE and ESP by defining <b>ike=aes256gcm16-prfsha512-modp2048</b>
+(or alternatively <b>aes256gcm128</b>) and <b>esp=aes256gcm16-modp2048</b> in ipsec.conf,
+respectively.
+<p/>
+Roadwarrior <b>dave</b> proposes to gateway <b>moon</b> the cipher suite
+<b>AES_GCM_16_128</b> both for IKE and ESP by defining <b>ike=aes128gcm16-prfsha256-modp1536</b>
+(or alternatively <b>aes128gcm128</b>) and <b>esp=aes128gcm16-modp1536</b> in ipsec.conf,
+respectively.
+<p/>
+A ping by <b>carol</b> and <b>dave</b> to <b>alice</b> successfully checks the established tunnels.
diff --git a/testing/tests/openssl-ikev2/alg-aes-gcm/evaltest.dat b/testing/tests/openssl-ikev2/alg-aes-gcm/evaltest.dat
new file mode 100644
index 000000000..4cf89b765
--- /dev/null
+++ b/testing/tests/openssl-ikev2/alg-aes-gcm/evaltest.dat
@@ -0,0 +1,26 @@
+moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave:: ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_req=1::YES
+moon:: ipsec statusall 2> /dev/null::rw\[1].*IKE proposal: AES_GCM_16_256::YES
+moon:: ipsec statusall 2> /dev/null::rw\[2].*IKE proposal: AES_GCM_16_128::YES
+carol::ipsec statusall 2> /dev/null::IKE proposal: AES_GCM_16_256::YES
+dave:: ipsec statusall 2> /dev/null::IKE proposal: AES_GCM_16_128::YES
+moon:: ipsec statusall 2> /dev/null::rw[{]1}.*AES_GCM_16_256,::YES
+moon:: ipsec statusall 2> /dev/null::rw[{]2}.*AES_GCM_16_128,::YES
+carol::ipsec statusall 2> /dev/null::AES_GCM_16_256,::YES
+dave:: ipsec statusall 2> /dev/null::AES_GCM_16_128,::YES
+moon:: ip xfrm state::aead rfc4106(gcm(aes))::YES
+carol::ip xfrm state::aead rfc4106(gcm(aes))::YES
+dave:: ip xfrm state::aead rfc4106(gcm(aes))::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 184::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 184::YES
+moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP.*length 184::YES
+moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP.*length 184::YES
+
diff --git a/testing/tests/openssl-ikev2/alg-aes-gcm/hosts/carol/etc/ipsec.conf b/testing/tests/openssl-ikev2/alg-aes-gcm/hosts/carol/etc/ipsec.conf
new file mode 100644
index 000000000..c0016ff61
--- /dev/null
+++ b/testing/tests/openssl-ikev2/alg-aes-gcm/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,22 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+	ike=aes256gcm128-prfsha512-modp2048!
+	esp=aes256gcm128-modp2048!
+
+conn home
+	left=PH_IP_CAROL
+	leftfirewall=yes
+	leftcert=carolCert.pem
+	leftid=carol@strongswan.org
+	right=PH_IP_MOON
+	rightsubnet=10.1.0.0/16
+	rightid=@moon.strongswan.org
+	auto=add 
diff --git a/testing/tests/openssl-ikev2/alg-aes-gcm/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-aes-gcm/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..5481f7b72
--- /dev/null
+++ b/testing/tests/openssl-ikev2/alg-aes-gcm/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl pem pkcs1 random nonce revocation openssl stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/openssl-ikev2/alg-aes-gcm/hosts/dave/etc/ipsec.conf b/testing/tests/openssl-ikev2/alg-aes-gcm/hosts/dave/etc/ipsec.conf
new file mode 100644
index 000000000..335eda02c
--- /dev/null
+++ b/testing/tests/openssl-ikev2/alg-aes-gcm/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,22 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+	ike=aes128gcm128-prfsha256-modp1536!
+	esp=aes128gcm128-modp1536!
+
+conn home
+	left=PH_IP_DAVE
+	leftfirewall=yes
+	leftcert=daveCert.pem
+	leftid=dave@strongswan.org
+	right=PH_IP_MOON
+	rightsubnet=10.1.0.0/16
+	rightid=@moon.strongswan.org
+	auto=add 
diff --git a/testing/tests/openssl-ikev2/alg-aes-gcm/hosts/dave/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-aes-gcm/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..564e4ea8c
--- /dev/null
+++ b/testing/tests/openssl-ikev2/alg-aes-gcm/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac gcm stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/openssl-ikev2/alg-aes-gcm/hosts/moon/etc/ipsec.conf b/testing/tests/openssl-ikev2/alg-aes-gcm/hosts/moon/etc/ipsec.conf
new file mode 100644
index 000000000..566298bed
--- /dev/null
+++ b/testing/tests/openssl-ikev2/alg-aes-gcm/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,21 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+	ike=aes256gcm16-prfsha512-modp2048,aes128gcm16-prfsha256-modp1536!
+	esp=aes256gcm16-modp2048,aes128gcm16-modp1536!
+
+conn rw
+	left=PH_IP_MOON
+	leftfirewall=yes
+	leftcert=moonCert.pem
+	leftid=@moon.strongswan.org
+	leftsubnet=10.1.0.0/16
+	right=%any
+	auto=add
diff --git a/testing/tests/openssl-ikev2/alg-aes-gcm/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-aes-gcm/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..5481f7b72
--- /dev/null
+++ b/testing/tests/openssl-ikev2/alg-aes-gcm/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl pem pkcs1 random nonce revocation openssl stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/openssl-ikev2/alg-aes-gcm/posttest.dat b/testing/tests/openssl-ikev2/alg-aes-gcm/posttest.dat
new file mode 100644
index 000000000..1865a1c60
--- /dev/null
+++ b/testing/tests/openssl-ikev2/alg-aes-gcm/posttest.dat
@@ -0,0 +1,6 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/openssl-ikev2/alg-aes-gcm/pretest.dat b/testing/tests/openssl-ikev2/alg-aes-gcm/pretest.dat
new file mode 100644
index 000000000..972d93053
--- /dev/null
+++ b/testing/tests/openssl-ikev2/alg-aes-gcm/pretest.dat
@@ -0,0 +1,9 @@
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
+moon::ipsec start
+carol::ipsec start
+dave::ipsec start
+carol::sleep 1 
+carol::ipsec up home
+dave::ipsec up home
diff --git a/testing/tests/openssl-ikev2/alg-aes-gcm/test.conf b/testing/tests/openssl-ikev2/alg-aes-gcm/test.conf
new file mode 100644
index 000000000..c3f38054b
--- /dev/null
+++ b/testing/tests/openssl-ikev2/alg-aes-gcm/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon carol dave winnetou"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-d.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/tkm/host2host-initiator/description.txt b/testing/tests/tkm/host2host-initiator/description.txt
new file mode 100644
index 000000000..467693b1e
--- /dev/null
+++ b/testing/tests/tkm/host2host-initiator/description.txt
@@ -0,0 +1,3 @@
+A connection between the hosts <b>moon</b> and <b>sun</b> is set up. The host
+<b>moon</b> uses the Trusted Key Manager (TKM) and is the initiator of the
+transport connection. The authentication is based on X.509 certificates.
diff --git a/testing/tests/tkm/host2host-initiator/evaltest.dat b/testing/tests/tkm/host2host-initiator/evaltest.dat
new file mode 100644
index 000000000..d8d44dff6
--- /dev/null
+++ b/testing/tests/tkm/host2host-initiator/evaltest.dat
@@ -0,0 +1,12 @@
+moon::ipsec stroke status 2> /dev/null::conn1.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
+sun::ipsec status 2> /dev/null::host-host.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
+moon::ipsec stroke status 2> /dev/null::conn1.*INSTALLED, TRANSPORT::YES
+sun::ipsec status 2> /dev/null::host-host.*INSTALLED, TRANSPORT::YES
+moon::ping -c 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_req=1::YES
+sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
+sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
+moon::cat /tmp/tkm.log::RSA private key '/etc/tkm/moonKey.der' loaded::YES
+moon::cat /tmp/tkm.log::Adding policy \[ 1, 192.168.0.1 <-> 192.168.0.2 \]::YES
+moon::cat /tmp/tkm.log::Checked CA certificate of CC context 1::YES
+moon::cat /tmp/tkm.log::Authentication of ISA context 1 successful::YES
+moon::cat /tmp/tkm.log::Adding SA \[ 1, 192.168.0.1 <-> 192.168.0.2, SPI_in.*, SPI_out.*, soft 30, hard 60 \]::YES
diff --git a/testing/tests/tkm/host2host-initiator/hosts/moon/etc/tkm/moonKey.der b/testing/tests/tkm/host2host-initiator/hosts/moon/etc/tkm/moonKey.der
new file mode 100644
index 000000000..97f0963f8
Binary files /dev/null and b/testing/tests/tkm/host2host-initiator/hosts/moon/etc/tkm/moonKey.der differ
diff --git a/testing/tests/tkm/host2host-initiator/hosts/moon/etc/tkm/strongswanCert.der b/testing/tests/tkm/host2host-initiator/hosts/moon/etc/tkm/strongswanCert.der
new file mode 100644
index 000000000..a5a631f4b
Binary files /dev/null and b/testing/tests/tkm/host2host-initiator/hosts/moon/etc/tkm/strongswanCert.der differ
diff --git a/testing/tests/tkm/host2host-initiator/hosts/moon/etc/tkm/tkm.conf b/testing/tests/tkm/host2host-initiator/hosts/moon/etc/tkm/tkm.conf
new file mode 100644
index 000000000..2619c0089
--- /dev/null
+++ b/testing/tests/tkm/host2host-initiator/hosts/moon/etc/tkm/tkm.conf
@@ -0,0 +1,21 @@
+<tkmconfig>
+    <local_identity id="1">
+        <identity>moon.strongswan.org</identity>
+        <certificate>moonCert.pem</certificate>
+    </local_identity>
+    <policy id="1">
+        <mode>transport</mode>
+        <local>
+            <identity_id>1</identity_id>
+            <ip>192.168.0.1</ip>
+        </local>
+        <remote>
+            <identity>sun.strongswan.org</identity>
+            <ip>192.168.0.2</ip>
+        </remote>
+        <lifetime>
+            <soft>30</soft>
+            <hard>60</hard>
+        </lifetime>
+    </policy>
+</tkmconfig>
diff --git a/testing/tests/tkm/host2host-initiator/hosts/sun/etc/ipsec.conf b/testing/tests/tkm/host2host-initiator/hosts/sun/etc/ipsec.conf
new file mode 100644
index 000000000..4ad0aa7db
--- /dev/null
+++ b/testing/tests/tkm/host2host-initiator/hosts/sun/etc/ipsec.conf
@@ -0,0 +1,20 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn host-host
+	left=PH_IP_SUN
+	leftcert=sunCert.pem
+	leftid=sun.strongswan.org
+	right=PH_IP_MOON
+	rightid=moon.strongswan.org
+	ike=aes256-sha512-modp4096!
+	esp=aes256-sha512-modp4096!
+	auto=add
diff --git a/testing/tests/tkm/host2host-initiator/hosts/sun/etc/strongswan.conf b/testing/tests/tkm/host2host-initiator/hosts/sun/etc/strongswan.conf
new file mode 100644
index 000000000..dc937641c
--- /dev/null
+++ b/testing/tests/tkm/host2host-initiator/hosts/sun/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/tkm/host2host-initiator/posttest.dat b/testing/tests/tkm/host2host-initiator/posttest.dat
new file mode 100644
index 000000000..34037bc23
--- /dev/null
+++ b/testing/tests/tkm/host2host-initiator/posttest.dat
@@ -0,0 +1,4 @@
+moon::DAEMON_NAME=charon-tkm ipsec stop
+moon::killall tkm_keymanager
+moon::rm -f /tmp/tkm.rpc.ike /tmp/tkm.rpc.ees /tmp/tkm.log
+sun::ipsec stop
diff --git a/testing/tests/tkm/host2host-initiator/pretest.dat b/testing/tests/tkm/host2host-initiator/pretest.dat
new file mode 100644
index 000000000..7cb90ac26
--- /dev/null
+++ b/testing/tests/tkm/host2host-initiator/pretest.dat
@@ -0,0 +1,10 @@
+moon::rm /etc/ipsec.secrets
+moon::tkm_cfgtool -c /etc/tkm/tkm.conf -i /etc/ipsec.conf -t /etc/tkm/tkm.bin -s /usr/local/share/tkm/tkmconfig.xsd
+moon::cat /etc/ipsec.conf
+moon::tkm_keymanager -c /etc/tkm/tkm.bin -k /etc/tkm/moonKey.der -r /etc/tkm/strongswanCert.der >/tmp/tkm.log 2>&1 &
+moon::expect-file /tmp/tkm.rpc.ike
+moon::DAEMON_NAME=charon-tkm ipsec start
+sun::ipsec start
+sun::expect-connection host-host
+moon::DAEMON_NAME=charon-tkm expect-connection conn1
+moon::DAEMON_NAME=charon-tkm ipsec up conn1
diff --git a/testing/tests/tkm/host2host-initiator/test.conf b/testing/tests/tkm/host2host-initiator/test.conf
new file mode 100644
index 000000000..9647dc6a2
--- /dev/null
+++ b/testing/tests/tkm/host2host-initiator/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="moon winnetou sun"
+
+# Corresponding block diagram
+#
+DIAGRAM="m-w-s.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="sun"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon sun"
diff --git a/testing/tests/tkm/host2host-responder/description.txt b/testing/tests/tkm/host2host-responder/description.txt
new file mode 100644
index 000000000..72eabdb6c
--- /dev/null
+++ b/testing/tests/tkm/host2host-responder/description.txt
@@ -0,0 +1,3 @@
+A connection between the hosts <b>moon</b> and <b>sun</b> is set up. The host
+<b>moon</b> uses the Trusted Key Manager (TKM) and is the responder of the
+transport connection. The authentication is based on X.509 certificates.
diff --git a/testing/tests/tkm/host2host-responder/evaltest.dat b/testing/tests/tkm/host2host-responder/evaltest.dat
new file mode 100644
index 000000000..d8d44dff6
--- /dev/null
+++ b/testing/tests/tkm/host2host-responder/evaltest.dat
@@ -0,0 +1,12 @@
+moon::ipsec stroke status 2> /dev/null::conn1.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
+sun::ipsec status 2> /dev/null::host-host.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
+moon::ipsec stroke status 2> /dev/null::conn1.*INSTALLED, TRANSPORT::YES
+sun::ipsec status 2> /dev/null::host-host.*INSTALLED, TRANSPORT::YES
+moon::ping -c 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_req=1::YES
+sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
+sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
+moon::cat /tmp/tkm.log::RSA private key '/etc/tkm/moonKey.der' loaded::YES
+moon::cat /tmp/tkm.log::Adding policy \[ 1, 192.168.0.1 <-> 192.168.0.2 \]::YES
+moon::cat /tmp/tkm.log::Checked CA certificate of CC context 1::YES
+moon::cat /tmp/tkm.log::Authentication of ISA context 1 successful::YES
+moon::cat /tmp/tkm.log::Adding SA \[ 1, 192.168.0.1 <-> 192.168.0.2, SPI_in.*, SPI_out.*, soft 30, hard 60 \]::YES
diff --git a/testing/tests/tkm/host2host-responder/hosts/moon/etc/tkm/moonKey.der b/testing/tests/tkm/host2host-responder/hosts/moon/etc/tkm/moonKey.der
new file mode 100644
index 000000000..97f0963f8
Binary files /dev/null and b/testing/tests/tkm/host2host-responder/hosts/moon/etc/tkm/moonKey.der differ
diff --git a/testing/tests/tkm/host2host-responder/hosts/moon/etc/tkm/strongswanCert.der b/testing/tests/tkm/host2host-responder/hosts/moon/etc/tkm/strongswanCert.der
new file mode 100644
index 000000000..a5a631f4b
Binary files /dev/null and b/testing/tests/tkm/host2host-responder/hosts/moon/etc/tkm/strongswanCert.der differ
diff --git a/testing/tests/tkm/host2host-responder/hosts/moon/etc/tkm/tkm.conf b/testing/tests/tkm/host2host-responder/hosts/moon/etc/tkm/tkm.conf
new file mode 100644
index 000000000..2619c0089
--- /dev/null
+++ b/testing/tests/tkm/host2host-responder/hosts/moon/etc/tkm/tkm.conf
@@ -0,0 +1,21 @@
+<tkmconfig>
+    <local_identity id="1">
+        <identity>moon.strongswan.org</identity>
+        <certificate>moonCert.pem</certificate>
+    </local_identity>
+    <policy id="1">
+        <mode>transport</mode>
+        <local>
+            <identity_id>1</identity_id>
+            <ip>192.168.0.1</ip>
+        </local>
+        <remote>
+            <identity>sun.strongswan.org</identity>
+            <ip>192.168.0.2</ip>
+        </remote>
+        <lifetime>
+            <soft>30</soft>
+            <hard>60</hard>
+        </lifetime>
+    </policy>
+</tkmconfig>
diff --git a/testing/tests/tkm/host2host-responder/hosts/sun/etc/ipsec.conf b/testing/tests/tkm/host2host-responder/hosts/sun/etc/ipsec.conf
new file mode 100644
index 000000000..6681dad11
--- /dev/null
+++ b/testing/tests/tkm/host2host-responder/hosts/sun/etc/ipsec.conf
@@ -0,0 +1,21 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn host-host
+	left=PH_IP_SUN
+	leftcert=sunCert.pem
+	leftid=sun.strongswan.org
+	right=PH_IP_MOON
+	rightid=moon.strongswan.org
+	ike=aes256-sha512-modp4096!
+	esp=aes256-sha512-modp4096!
+	auto=add
+	type=transport
diff --git a/testing/tests/tkm/host2host-responder/hosts/sun/etc/strongswan.conf b/testing/tests/tkm/host2host-responder/hosts/sun/etc/strongswan.conf
new file mode 100644
index 000000000..dc937641c
--- /dev/null
+++ b/testing/tests/tkm/host2host-responder/hosts/sun/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/tkm/host2host-responder/posttest.dat b/testing/tests/tkm/host2host-responder/posttest.dat
new file mode 100644
index 000000000..34037bc23
--- /dev/null
+++ b/testing/tests/tkm/host2host-responder/posttest.dat
@@ -0,0 +1,4 @@
+moon::DAEMON_NAME=charon-tkm ipsec stop
+moon::killall tkm_keymanager
+moon::rm -f /tmp/tkm.rpc.ike /tmp/tkm.rpc.ees /tmp/tkm.log
+sun::ipsec stop
diff --git a/testing/tests/tkm/host2host-responder/pretest.dat b/testing/tests/tkm/host2host-responder/pretest.dat
new file mode 100644
index 000000000..40e84453f
--- /dev/null
+++ b/testing/tests/tkm/host2host-responder/pretest.dat
@@ -0,0 +1,10 @@
+moon::rm /etc/ipsec.secrets
+moon::tkm_cfgtool -c /etc/tkm/tkm.conf -i /etc/ipsec.conf -t /etc/tkm/tkm.bin -s /usr/local/share/tkm/tkmconfig.xsd
+moon::cat /etc/ipsec.conf
+moon::tkm_keymanager -c /etc/tkm/tkm.bin -k /etc/tkm/moonKey.der -r /etc/tkm/strongswanCert.der >/tmp/tkm.log 2>&1 &
+moon::expect-file /tmp/tkm.rpc.ike
+moon::DAEMON_NAME=charon-tkm ipsec start
+sun::ipsec start
+sun::expect-connection host-host
+moon::DAEMON_NAME=charon-tkm expect-connection conn1
+sun::ipsec up host-host
diff --git a/testing/tests/tkm/host2host-responder/test.conf b/testing/tests/tkm/host2host-responder/test.conf
new file mode 100644
index 000000000..9647dc6a2
--- /dev/null
+++ b/testing/tests/tkm/host2host-responder/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="moon winnetou sun"
+
+# Corresponding block diagram
+#
+DIAGRAM="m-w-s.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="sun"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon sun"
diff --git a/testing/tests/tkm/host2host-xfrmproxy/description.txt b/testing/tests/tkm/host2host-xfrmproxy/description.txt
new file mode 100644
index 000000000..b728a317d
--- /dev/null
+++ b/testing/tests/tkm/host2host-xfrmproxy/description.txt
@@ -0,0 +1,5 @@
+A transport connection between the hosts <b>moon</b> and <b>sun</b> is set up.
+The host <b>moon</b> starts the Trusted Key Manager (TKM) and the Ada XFRM
+proxy, which relays XFRM kernel messages to charon. The authentication is based
+on X.509 certificates. The connection is initiated by a ping from <b>moon</b> to
+<b>sun</b>.
diff --git a/testing/tests/tkm/host2host-xfrmproxy/evaltest.dat b/testing/tests/tkm/host2host-xfrmproxy/evaltest.dat
new file mode 100644
index 000000000..7c8c6b24a
--- /dev/null
+++ b/testing/tests/tkm/host2host-xfrmproxy/evaltest.dat
@@ -0,0 +1,13 @@
+moon::ipsec stroke status 2> /dev/null::conn1.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
+sun::ipsec status 2> /dev/null::host-host.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
+moon::ipsec stroke status 2> /dev/null::conn1.*INSTALLED, TRANSPORT::YES
+sun::ipsec status 2> /dev/null::host-host.*INSTALLED, TRANSPORT::YES
+moon::ping -c 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_req=1::YES
+sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
+sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
+moon::cat /tmp/tkm.log::RSA private key '/etc/tkm/moonKey.der' loaded::YES
+moon::cat /tmp/tkm.log::Adding policy \[ 1, 192.168.0.1 <-> 192.168.0.2 \]::YES
+moon::cat /tmp/tkm.log::Checked CA certificate of CC context 1::YES
+moon::cat /tmp/tkm.log::Authentication of ISA context 1 successful::YES
+moon::cat /tmp/tkm.log::Adding SA \[ 1, 192.168.0.1 <-> 192.168.0.2, SPI_in.*, SPI_out.*, soft 30, hard 60 \]::YES
+moon::cat /tmp/xfrm_proxy.log::Initiating ESA acquire for reqid 1::YES
diff --git a/testing/tests/tkm/host2host-xfrmproxy/hosts/moon/etc/tkm/moonKey.der b/testing/tests/tkm/host2host-xfrmproxy/hosts/moon/etc/tkm/moonKey.der
new file mode 100644
index 000000000..97f0963f8
Binary files /dev/null and b/testing/tests/tkm/host2host-xfrmproxy/hosts/moon/etc/tkm/moonKey.der differ
diff --git a/testing/tests/tkm/host2host-xfrmproxy/hosts/moon/etc/tkm/strongswanCert.der b/testing/tests/tkm/host2host-xfrmproxy/hosts/moon/etc/tkm/strongswanCert.der
new file mode 100644
index 000000000..a5a631f4b
Binary files /dev/null and b/testing/tests/tkm/host2host-xfrmproxy/hosts/moon/etc/tkm/strongswanCert.der differ
diff --git a/testing/tests/tkm/host2host-xfrmproxy/hosts/moon/etc/tkm/tkm.conf b/testing/tests/tkm/host2host-xfrmproxy/hosts/moon/etc/tkm/tkm.conf
new file mode 100644
index 000000000..2619c0089
--- /dev/null
+++ b/testing/tests/tkm/host2host-xfrmproxy/hosts/moon/etc/tkm/tkm.conf
@@ -0,0 +1,21 @@
+<tkmconfig>
+    <local_identity id="1">
+        <identity>moon.strongswan.org</identity>
+        <certificate>moonCert.pem</certificate>
+    </local_identity>
+    <policy id="1">
+        <mode>transport</mode>
+        <local>
+            <identity_id>1</identity_id>
+            <ip>192.168.0.1</ip>
+        </local>
+        <remote>
+            <identity>sun.strongswan.org</identity>
+            <ip>192.168.0.2</ip>
+        </remote>
+        <lifetime>
+            <soft>30</soft>
+            <hard>60</hard>
+        </lifetime>
+    </policy>
+</tkmconfig>
diff --git a/testing/tests/tkm/host2host-xfrmproxy/hosts/sun/etc/ipsec.conf b/testing/tests/tkm/host2host-xfrmproxy/hosts/sun/etc/ipsec.conf
new file mode 100644
index 000000000..4ad0aa7db
--- /dev/null
+++ b/testing/tests/tkm/host2host-xfrmproxy/hosts/sun/etc/ipsec.conf
@@ -0,0 +1,20 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn host-host
+	left=PH_IP_SUN
+	leftcert=sunCert.pem
+	leftid=sun.strongswan.org
+	right=PH_IP_MOON
+	rightid=moon.strongswan.org
+	ike=aes256-sha512-modp4096!
+	esp=aes256-sha512-modp4096!
+	auto=add
diff --git a/testing/tests/tkm/host2host-xfrmproxy/hosts/sun/etc/strongswan.conf b/testing/tests/tkm/host2host-xfrmproxy/hosts/sun/etc/strongswan.conf
new file mode 100644
index 000000000..dc937641c
--- /dev/null
+++ b/testing/tests/tkm/host2host-xfrmproxy/hosts/sun/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/tkm/host2host-xfrmproxy/posttest.dat b/testing/tests/tkm/host2host-xfrmproxy/posttest.dat
new file mode 100644
index 000000000..99efe7b00
--- /dev/null
+++ b/testing/tests/tkm/host2host-xfrmproxy/posttest.dat
@@ -0,0 +1,5 @@
+moon::DAEMON_NAME=charon-tkm ipsec stop
+moon::killall xfrm_proxy
+moon::killall tkm_keymanager
+moon::rm -f /tmp/tkm.rpc.ike /tmp/tkm.rpc.ees /tmp/tkm.log /tmp/xfrm_proxy.log
+sun::ipsec stop
diff --git a/testing/tests/tkm/host2host-xfrmproxy/pretest.dat b/testing/tests/tkm/host2host-xfrmproxy/pretest.dat
new file mode 100644
index 000000000..d645ddbfe
--- /dev/null
+++ b/testing/tests/tkm/host2host-xfrmproxy/pretest.dat
@@ -0,0 +1,12 @@
+sun::ipsec start
+moon::rm /etc/ipsec.secrets
+moon::tkm_cfgtool -c /etc/tkm/tkm.conf -i /etc/ipsec.conf -t /etc/tkm/tkm.bin -s /usr/local/share/tkm/tkmconfig.xsd
+moon::cat /etc/ipsec.conf
+moon::tkm_keymanager -c /etc/tkm/tkm.bin -k /etc/tkm/moonKey.der -r /etc/tkm/strongswanCert.der >/tmp/tkm.log 2>&1 &
+moon::expect-file /tmp/tkm.rpc.ike
+moon::DAEMON_NAME=charon-tkm ipsec start
+moon::expect-file /tmp/tkm.rpc.ees
+moon::xfrm_proxy >/tmp/xfrm_proxy.log 2>&1 &
+moon::DAEMON_NAME=charon-tkm expect-connection conn1
+sun::expect-connection host-host
+moon::ping -c 3 192.168.0.2
diff --git a/testing/tests/tkm/host2host-xfrmproxy/test.conf b/testing/tests/tkm/host2host-xfrmproxy/test.conf
new file mode 100644
index 000000000..9647dc6a2
--- /dev/null
+++ b/testing/tests/tkm/host2host-xfrmproxy/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="moon winnetou sun"
+
+# Corresponding block diagram
+#
+DIAGRAM="m-w-s.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="sun"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon sun"
diff --git a/testing/tests/tkm/multiple-clients/description.txt b/testing/tests/tkm/multiple-clients/description.txt
new file mode 100644
index 000000000..c8e72d51d
--- /dev/null
+++ b/testing/tests/tkm/multiple-clients/description.txt
@@ -0,0 +1,5 @@
+Two transport connections to gateway <b>sun</b> are set up, one from client
+<b>carol</b> and the other from client <b>dave</b>. The gateway <b>sun</b> uses
+the Trusted Key Manager (TKM) and is the responder for both connections. The
+authentication is based on X.509 certificates. In order to test the connections,
+both <b>carol</b> and <b>dave</b> ping gateway <b>sun</b>.
diff --git a/testing/tests/tkm/multiple-clients/evaltest.dat b/testing/tests/tkm/multiple-clients/evaltest.dat
new file mode 100644
index 000000000..8e0042102
--- /dev/null
+++ b/testing/tests/tkm/multiple-clients/evaltest.dat
@@ -0,0 +1,23 @@
+sun::ipsec stroke status 2> /dev/null::conn1.*ESTABLISHED.*sun.strongswan.org.*carol.strongswan.org::YES
+sun::ipsec stroke status 2> /dev/null::conn2.*ESTABLISHED.*sun.strongswan.org.*dave.strongswan.org::YES
+carol::ipsec status 2> /dev/null::host-host.*ESTABLISHED.*carol.strongswan.org.*sun.strongswan.org::YES
+dave::ipsec status 2> /dev/null::host-host.*ESTABLISHED.*dave.strongswan.org.*sun.strongswan.org::YES
+sun::ipsec stroke status 2> /dev/null::conn1.*INSTALLED, TRANSPORT::YES
+sun::ipsec stroke status 2> /dev/null::conn2.*INSTALLED, TRANSPORT::YES
+carol::ipsec status 2> /dev/null::host-host.*INSTALLED, TRANSPORT::YES
+dave::ipsec status 2> /dev/null::host-host.*INSTALLED, TRANSPORT::YES
+carol::ping -c 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_req=1::YES
+dave::ping -c 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_req=1::YES
+carol::tcpdump::IP carol.strongswan.org > sun.strongswan.org: ESP::YES
+carol::tcpdump::IP sun.strongswan.org > carol.strongswan.org: ESP::YES
+dave::tcpdump::IP dave.strongswan.org > sun.strongswan.org: ESP::YES
+dave::tcpdump::IP sun.strongswan.org > dave.strongswan.org: ESP::YES
+sun::cat /tmp/tkm.log::RSA private key '/etc/tkm/sunKey.der' loaded::YES
+sun::cat /tmp/tkm.log::Adding policy \[ 1, 192.168.0.2 <-> 192.168.0.100 \]::YES
+sun::cat /tmp/tkm.log::Adding policy \[ 2, 192.168.0.2 <-> 192.168.0.200 \]::YES
+sun::cat /tmp/tkm.log::Checked CA certificate of CC context 1::YES
+sun::cat /tmp/tkm.log::Checked CA certificate of CC context 2::YES
+sun::cat /tmp/tkm.log::Authentication of ISA context 1 successful::YES
+sun::cat /tmp/tkm.log::Authentication of ISA context 2 successful::YES
+sun::cat /tmp/tkm.log::Adding SA \[ 1, 192.168.0.2 <-> 192.168.0.100, SPI_in.*, SPI_out.*, soft 30, hard 60 \]::YES
+sun::cat /tmp/tkm.log::Adding SA \[ 2, 192.168.0.2 <-> 192.168.0.200, SPI_in.*, SPI_out.*, soft 30, hard 60 \]::YES
diff --git a/testing/tests/tkm/multiple-clients/hosts/carol/etc/ipsec.conf b/testing/tests/tkm/multiple-clients/hosts/carol/etc/ipsec.conf
new file mode 100644
index 000000000..10ee3e89d
--- /dev/null
+++ b/testing/tests/tkm/multiple-clients/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,22 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+	mobike=no
+
+conn host-host
+	left=PH_IP_CAROL
+	leftcert=carolCert.pem
+	leftid=carol@strongswan.org
+	right=PH_IP_SUN
+	rightid=sun.strongswan.org
+	ike=aes256-sha512-modp4096!
+	esp=aes256-sha512-modp4096!
+	type=transport
+	auto=add
diff --git a/testing/tests/tkm/multiple-clients/hosts/carol/etc/strongswan.conf b/testing/tests/tkm/multiple-clients/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..ca23c6971
--- /dev/null
+++ b/testing/tests/tkm/multiple-clients/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/tkm/multiple-clients/hosts/dave/etc/ipsec.conf b/testing/tests/tkm/multiple-clients/hosts/dave/etc/ipsec.conf
new file mode 100644
index 000000000..6ba0a97ce
--- /dev/null
+++ b/testing/tests/tkm/multiple-clients/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,22 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+	mobike=no
+
+conn host-host
+	left=PH_IP_DAVE
+	leftcert=daveCert.pem
+	leftid=dave@strongswan.org
+	right=PH_IP_SUN
+	rightid=sun.strongswan.org
+	ike=aes256-sha512-modp4096!
+	esp=aes256-sha512-modp4096!
+	type=transport
+	auto=add
diff --git a/testing/tests/tkm/multiple-clients/hosts/dave/etc/strongswan.conf b/testing/tests/tkm/multiple-clients/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..ca23c6971
--- /dev/null
+++ b/testing/tests/tkm/multiple-clients/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/tkm/multiple-clients/hosts/sun/etc/tkm/strongswanCert.der b/testing/tests/tkm/multiple-clients/hosts/sun/etc/tkm/strongswanCert.der
new file mode 100644
index 000000000..a5a631f4b
Binary files /dev/null and b/testing/tests/tkm/multiple-clients/hosts/sun/etc/tkm/strongswanCert.der differ
diff --git a/testing/tests/tkm/multiple-clients/hosts/sun/etc/tkm/sunKey.der b/testing/tests/tkm/multiple-clients/hosts/sun/etc/tkm/sunKey.der
new file mode 100644
index 000000000..4c47db093
Binary files /dev/null and b/testing/tests/tkm/multiple-clients/hosts/sun/etc/tkm/sunKey.der differ
diff --git a/testing/tests/tkm/multiple-clients/hosts/sun/etc/tkm/tkm.conf b/testing/tests/tkm/multiple-clients/hosts/sun/etc/tkm/tkm.conf
new file mode 100644
index 000000000..216625e4c
--- /dev/null
+++ b/testing/tests/tkm/multiple-clients/hosts/sun/etc/tkm/tkm.conf
@@ -0,0 +1,36 @@
+<tkmconfig>
+    <local_identity id="1">
+        <identity>sun.strongswan.org</identity>
+        <certificate>sunCert.pem</certificate>
+    </local_identity>
+    <policy id="1">
+        <mode>transport</mode>
+        <local>
+            <identity_id>1</identity_id>
+            <ip>192.168.0.2</ip>
+        </local>
+        <remote>
+            <identity>carol@strongswan.org</identity>
+            <ip>192.168.0.100</ip>
+        </remote>
+        <lifetime>
+            <soft>30</soft>
+            <hard>60</hard>
+        </lifetime>
+    </policy>
+    <policy id="2">
+        <mode>transport</mode>
+        <local>
+            <identity_id>1</identity_id>
+            <ip>192.168.0.2</ip>
+        </local>
+        <remote>
+            <identity>dave@strongswan.org</identity>
+            <ip>192.168.0.200</ip>
+        </remote>
+        <lifetime>
+            <soft>30</soft>
+            <hard>60</hard>
+        </lifetime>
+    </policy>
+</tkmconfig>
diff --git a/testing/tests/tkm/multiple-clients/posttest.dat b/testing/tests/tkm/multiple-clients/posttest.dat
new file mode 100644
index 000000000..9a4a9bc9d
--- /dev/null
+++ b/testing/tests/tkm/multiple-clients/posttest.dat
@@ -0,0 +1,5 @@
+sun::DAEMON_NAME=charon-tkm ipsec stop
+sun::killall tkm_keymanager
+sun::rm -f /tmp/tkm.rpc.ike /tmp/tkm.rpc.ees /tmp/tkm.log
+carol::ipsec stop
+dave::ipsec stop
diff --git a/testing/tests/tkm/multiple-clients/pretest.dat b/testing/tests/tkm/multiple-clients/pretest.dat
new file mode 100644
index 000000000..ec83662f5
--- /dev/null
+++ b/testing/tests/tkm/multiple-clients/pretest.dat
@@ -0,0 +1,14 @@
+sun::rm /etc/ipsec.secrets
+sun::tkm_cfgtool -c /etc/tkm/tkm.conf -i /etc/ipsec.conf -t /etc/tkm/tkm.bin -s /usr/local/share/tkm/tkmconfig.xsd
+sun::cat /etc/ipsec.conf
+sun::tkm_keymanager -c /etc/tkm/tkm.bin -k /etc/tkm/sunKey.der -r /etc/tkm/strongswanCert.der >/tmp/tkm.log 2>&1 &
+sun::expect-file /tmp/tkm.rpc.ike
+sun::DAEMON_NAME=charon-tkm ipsec start
+carol::ipsec start
+carol::expect-connection host-host
+dave::ipsec start
+dave::expect-connection host-host
+sun::DAEMON_NAME=charon-tkm expect-connection conn1
+sun::DAEMON_NAME=charon-tkm expect-connection conn2
+carol::ipsec up host-host
+dave::ipsec up host-host
diff --git a/testing/tests/tkm/multiple-clients/test.conf b/testing/tests/tkm/multiple-clients/test.conf
new file mode 100644
index 000000000..1dd36309d
--- /dev/null
+++ b/testing/tests/tkm/multiple-clients/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="carol dave sun winnetou"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-d-s.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="carol dave"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="carol dave sun"
diff --git a/testing/tests/tkm/net2net-initiator/description.txt b/testing/tests/tkm/net2net-initiator/description.txt
new file mode 100644
index 000000000..40f2a8013
--- /dev/null
+++ b/testing/tests/tkm/net2net-initiator/description.txt
@@ -0,0 +1,5 @@
+A connection between the subnets behind the gateways <b>moon</b> and <b>sun</b>
+is set up. The host <b>moon</b> uses the Trusted Key Manager (TKM) and is the
+initiator of the tunnel connection. The authentication is based on X.509
+certificates. In order to test the tunnel, client <b>alice</b> behind gateway
+<b>moon</b> pings client <b>bob</b> located behind gateway <b>sun</b>.
diff --git a/testing/tests/tkm/net2net-initiator/evaltest.dat b/testing/tests/tkm/net2net-initiator/evaltest.dat
new file mode 100644
index 000000000..8d4794f0d
--- /dev/null
+++ b/testing/tests/tkm/net2net-initiator/evaltest.dat
@@ -0,0 +1,12 @@
+moon::ipsec stroke status 2> /dev/null::conn1.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
+sun::ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
+moon::ipsec stroke status 2> /dev/null::conn1.*INSTALLED, TUNNEL::YES
+sun::ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
+sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
+sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
+moon::cat /tmp/tkm.log::RSA private key '/etc/tkm/moonKey.der' loaded::YES
+moon::cat /tmp/tkm.log::Adding policy \[ 1, 10.1.0.0/16 > 192.168.0.1 <=> 192.168.0.2 < 10.2.0.0/16 \]::YES
+moon::cat /tmp/tkm.log::Checked CA certificate of CC context 1::YES
+moon::cat /tmp/tkm.log::Authentication of ISA context 1 successful::YES
+moon::cat /tmp/tkm.log::Adding SA \[ 1, 10.1.0.0/16 > 192.168.0.1 <=> 192.168.0.2 < 10.2.0.0/16, SPI_in.*, SPI_out.*, soft 30, hard 60 \]::YES
diff --git a/testing/tests/tkm/net2net-initiator/hosts/moon/etc/tkm/moonKey.der b/testing/tests/tkm/net2net-initiator/hosts/moon/etc/tkm/moonKey.der
new file mode 100644
index 000000000..97f0963f8
Binary files /dev/null and b/testing/tests/tkm/net2net-initiator/hosts/moon/etc/tkm/moonKey.der differ
diff --git a/testing/tests/tkm/net2net-initiator/hosts/moon/etc/tkm/tkm.conf b/testing/tests/tkm/net2net-initiator/hosts/moon/etc/tkm/tkm.conf
new file mode 100644
index 000000000..717b0a6f4
--- /dev/null
+++ b/testing/tests/tkm/net2net-initiator/hosts/moon/etc/tkm/tkm.conf
@@ -0,0 +1,23 @@
+<tkmconfig>
+    <local_identity id="1">
+        <identity>moon.strongswan.org</identity>
+        <certificate>moonCert.pem</certificate>
+    </local_identity>
+    <policy id="1">
+        <mode>tunnel</mode>
+        <local>
+            <identity_id>1</identity_id>
+            <ip>192.168.0.1</ip>
+            <net mask="16">10.1.0.0</net>
+        </local>
+        <remote>
+            <identity>sun.strongswan.org</identity>
+            <ip>192.168.0.2</ip>
+            <net mask="16">10.2.0.0</net>
+        </remote>
+        <lifetime>
+            <soft>30</soft>
+            <hard>60</hard>
+        </lifetime>
+    </policy>
+</tkmconfig>
diff --git a/testing/tests/tkm/net2net-initiator/hosts/sun/etc/ipsec.conf b/testing/tests/tkm/net2net-initiator/hosts/sun/etc/ipsec.conf
new file mode 100644
index 000000000..21b613d20
--- /dev/null
+++ b/testing/tests/tkm/net2net-initiator/hosts/sun/etc/ipsec.conf
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+	mobike=no
+
+conn net-net
+	left=PH_IP_SUN
+	leftcert=sunCert.pem
+	leftid=sun.strongswan.org
+	leftsubnet=10.2.0.0/16
+	right=PH_IP_MOON
+	rightid=moon.strongswan.org
+	rightsubnet=10.1.0.0/16
+	ike=aes256-sha512-modp4096!
+	esp=aes256-sha512-modp4096!
+	auto=add
diff --git a/testing/tests/tkm/net2net-initiator/hosts/sun/etc/strongswan.conf b/testing/tests/tkm/net2net-initiator/hosts/sun/etc/strongswan.conf
new file mode 100644
index 000000000..94e0b2a62
--- /dev/null
+++ b/testing/tests/tkm/net2net-initiator/hosts/sun/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown
+  multiple_authentication = no
+}
diff --git a/testing/tests/tkm/net2net-initiator/posttest.dat b/testing/tests/tkm/net2net-initiator/posttest.dat
new file mode 100644
index 000000000..34037bc23
--- /dev/null
+++ b/testing/tests/tkm/net2net-initiator/posttest.dat
@@ -0,0 +1,4 @@
+moon::DAEMON_NAME=charon-tkm ipsec stop
+moon::killall tkm_keymanager
+moon::rm -f /tmp/tkm.rpc.ike /tmp/tkm.rpc.ees /tmp/tkm.log
+sun::ipsec stop
diff --git a/testing/tests/tkm/net2net-initiator/pretest.dat b/testing/tests/tkm/net2net-initiator/pretest.dat
new file mode 100644
index 000000000..f84c8fcd2
--- /dev/null
+++ b/testing/tests/tkm/net2net-initiator/pretest.dat
@@ -0,0 +1,10 @@
+moon::rm /etc/ipsec.secrets
+moon::tkm_cfgtool -c /etc/tkm/tkm.conf -i /etc/ipsec.conf -t /etc/tkm/tkm.bin -s /usr/local/share/tkm/tkmconfig.xsd
+moon::cat /etc/ipsec.conf
+moon::tkm_keymanager -c /etc/tkm/tkm.bin -k /etc/tkm/moonKey.der -r /etc/tkm/strongswanCert.der >/tmp/tkm.log 2>&1 &
+moon::expect-file /tmp/tkm.rpc.ike
+moon::DAEMON_NAME=charon-tkm ipsec start
+sun::ipsec start
+sun::expect-connection net-net
+moon::DAEMON_NAME=charon-tkm expect-connection conn1
+moon::DAEMON_NAME=charon-tkm ipsec up conn1
diff --git a/testing/tests/tkm/net2net-initiator/test.conf b/testing/tests/tkm/net2net-initiator/test.conf
new file mode 100644
index 000000000..afa2accbe
--- /dev/null
+++ b/testing/tests/tkm/net2net-initiator/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon winnetou sun bob"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-w-s-b.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="sun"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon sun"
diff --git a/testing/tests/tkm/net2net-xfrmproxy/description.txt b/testing/tests/tkm/net2net-xfrmproxy/description.txt
new file mode 100644
index 000000000..b42c89c52
--- /dev/null
+++ b/testing/tests/tkm/net2net-xfrmproxy/description.txt
@@ -0,0 +1,6 @@
+A connection between the subnets behind the gateways <b>moon</b> and <b>sun</b>
+is set up. The host <b>moon</b> starts the Trusted Key Manager (TKM) and the Ada
+XFRM proxy, which relays XFRM kernel messages to charon. The authentication is
+based on X.509 certificates. In order to test the tunnel, client <b>alice</b>
+behind gateway <b>moon</b> pings client <b>bob</b> located behind gateway
+<b>sun</b>.
diff --git a/testing/tests/tkm/net2net-xfrmproxy/evaltest.dat b/testing/tests/tkm/net2net-xfrmproxy/evaltest.dat
new file mode 100644
index 000000000..a38dba0ee
--- /dev/null
+++ b/testing/tests/tkm/net2net-xfrmproxy/evaltest.dat
@@ -0,0 +1,13 @@
+moon::ipsec stroke status 2> /dev/null::conn1.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
+sun::ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
+moon::ipsec stroke status 2> /dev/null::conn1.*INSTALLED, TUNNEL::YES
+sun::ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
+sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
+sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
+moon::cat /tmp/tkm.log::RSA private key '/etc/tkm/moonKey.der' loaded::YES
+moon::cat /tmp/tkm.log::Adding policy \[ 1, 10.1.0.0/16 > 192.168.0.1 <=> 192.168.0.2 < 10.2.0.0/16 \]::YES
+moon::cat /tmp/tkm.log::Checked CA certificate of CC context 1::YES
+moon::cat /tmp/tkm.log::Authentication of ISA context 1 successful::YES
+moon::cat /tmp/tkm.log::Adding SA \[ 1, 10.1.0.0/16 > 192.168.0.1 <=> 192.168.0.2 < 10.2.0.0/16, SPI_in.*, SPI_out.*, soft 30, hard 60 \]::YES
+moon::cat /tmp/xfrm_proxy.log::Initiating ESA acquire for reqid 1::YES
diff --git a/testing/tests/tkm/net2net-xfrmproxy/hosts/moon/etc/tkm/moonKey.der b/testing/tests/tkm/net2net-xfrmproxy/hosts/moon/etc/tkm/moonKey.der
new file mode 100644
index 000000000..97f0963f8
Binary files /dev/null and b/testing/tests/tkm/net2net-xfrmproxy/hosts/moon/etc/tkm/moonKey.der differ
diff --git a/testing/tests/tkm/net2net-xfrmproxy/hosts/moon/etc/tkm/strongswanCert.der b/testing/tests/tkm/net2net-xfrmproxy/hosts/moon/etc/tkm/strongswanCert.der
new file mode 100644
index 000000000..a5a631f4b
Binary files /dev/null and b/testing/tests/tkm/net2net-xfrmproxy/hosts/moon/etc/tkm/strongswanCert.der differ
diff --git a/testing/tests/tkm/net2net-xfrmproxy/hosts/moon/etc/tkm/tkm.conf b/testing/tests/tkm/net2net-xfrmproxy/hosts/moon/etc/tkm/tkm.conf
new file mode 100644
index 000000000..717b0a6f4
--- /dev/null
+++ b/testing/tests/tkm/net2net-xfrmproxy/hosts/moon/etc/tkm/tkm.conf
@@ -0,0 +1,23 @@
+<tkmconfig>
+    <local_identity id="1">
+        <identity>moon.strongswan.org</identity>
+        <certificate>moonCert.pem</certificate>
+    </local_identity>
+    <policy id="1">
+        <mode>tunnel</mode>
+        <local>
+            <identity_id>1</identity_id>
+            <ip>192.168.0.1</ip>
+            <net mask="16">10.1.0.0</net>
+        </local>
+        <remote>
+            <identity>sun.strongswan.org</identity>
+            <ip>192.168.0.2</ip>
+            <net mask="16">10.2.0.0</net>
+        </remote>
+        <lifetime>
+            <soft>30</soft>
+            <hard>60</hard>
+        </lifetime>
+    </policy>
+</tkmconfig>
diff --git a/testing/tests/tkm/net2net-xfrmproxy/hosts/sun/etc/ipsec.conf b/testing/tests/tkm/net2net-xfrmproxy/hosts/sun/etc/ipsec.conf
new file mode 100644
index 000000000..21b613d20
--- /dev/null
+++ b/testing/tests/tkm/net2net-xfrmproxy/hosts/sun/etc/ipsec.conf
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+	mobike=no
+
+conn net-net
+	left=PH_IP_SUN
+	leftcert=sunCert.pem
+	leftid=sun.strongswan.org
+	leftsubnet=10.2.0.0/16
+	right=PH_IP_MOON
+	rightid=moon.strongswan.org
+	rightsubnet=10.1.0.0/16
+	ike=aes256-sha512-modp4096!
+	esp=aes256-sha512-modp4096!
+	auto=add
diff --git a/testing/tests/tkm/net2net-xfrmproxy/hosts/sun/etc/strongswan.conf b/testing/tests/tkm/net2net-xfrmproxy/hosts/sun/etc/strongswan.conf
new file mode 100644
index 000000000..94e0b2a62
--- /dev/null
+++ b/testing/tests/tkm/net2net-xfrmproxy/hosts/sun/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown
+  multiple_authentication = no
+}
diff --git a/testing/tests/tkm/net2net-xfrmproxy/posttest.dat b/testing/tests/tkm/net2net-xfrmproxy/posttest.dat
new file mode 100644
index 000000000..24544307a
--- /dev/null
+++ b/testing/tests/tkm/net2net-xfrmproxy/posttest.dat
@@ -0,0 +1,4 @@
+moon::DAEMON_NAME=charon-tkm ipsec stop
+moon::killall tkm_keymanager
+moon::rm -f /tmp/tkm.rpc.ike /tmp/tkm.rpc.ees /tmp/tkm.log /tmp/xfrm_proxy.log
+sun::ipsec stop
diff --git a/testing/tests/tkm/net2net-xfrmproxy/pretest.dat b/testing/tests/tkm/net2net-xfrmproxy/pretest.dat
new file mode 100644
index 000000000..4732a37f6
--- /dev/null
+++ b/testing/tests/tkm/net2net-xfrmproxy/pretest.dat
@@ -0,0 +1,12 @@
+sun::ipsec start
+moon::rm /etc/ipsec.secrets
+moon::tkm_cfgtool -c /etc/tkm/tkm.conf -i /etc/ipsec.conf -t /etc/tkm/tkm.bin -s /usr/local/share/tkm/tkmconfig.xsd
+moon::cat /etc/ipsec.conf
+moon::tkm_keymanager -c /etc/tkm/tkm.bin -k /etc/tkm/moonKey.der -r /etc/tkm/strongswanCert.der >/tmp/tkm.log 2>&1 &
+moon::expect-file /tmp/tkm.rpc.ike
+moon::DAEMON_NAME=charon-tkm ipsec start
+moon::expect-file /tmp/tkm.rpc.ees
+moon::xfrm_proxy >/tmp/xfrm_proxy.log 2>&1 &
+moon::DAEMON_NAME=charon-tkm expect-connection conn1
+sun::expect-connection net-net
+alice::ping -c 3 PH_IP_BOB
diff --git a/testing/tests/tkm/net2net-xfrmproxy/test.conf b/testing/tests/tkm/net2net-xfrmproxy/test.conf
new file mode 100644
index 000000000..afa2accbe
--- /dev/null
+++ b/testing/tests/tkm/net2net-xfrmproxy/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon winnetou sun bob"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-w-s-b.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="sun"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon sun"
diff --git a/testing/tests/tnc/tnccs-11-fhh/pretest.dat b/testing/tests/tnc/tnccs-11-fhh/pretest.dat
index 997c70a8e..8fab1fb6c 100644
--- a/testing/tests/tnc/tnccs-11-fhh/pretest.dat
+++ b/testing/tests/tnc/tnccs-11-fhh/pretest.dat
@@ -6,9 +6,9 @@ carol::cat /etc/tnc_config
 dave::cat /etc/tnc_config
 carol::cat /etc/tnc/dummyimc.file
 dave::cat /etc/tnc/dummyimc.file
-moon::LEAK_DETECTIVE_DISABLE=1 LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.properties ipsec start
-carol::LEAK_DETECTIVE_DISABLE=1 LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.properties ipsec start
-dave::LEAK_DETECTIVE_DISABLE=1 LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.properties ipsec start
+moon::LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.properties ipsec start
+carol::LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.properties ipsec start
+dave::LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.properties ipsec start
 carol::sleep 1
 carol::ipsec up home
 dave::ipsec up home
diff --git a/testing/tests/tnc/tnccs-11-radius-block/pretest.dat b/testing/tests/tnc/tnccs-11-radius-block/pretest.dat
index c8f2139a8..96163aa36 100644
--- a/testing/tests/tnc/tnccs-11-radius-block/pretest.dat
+++ b/testing/tests/tnc/tnccs-11-radius-block/pretest.dat
@@ -6,8 +6,8 @@ alice::ln -s /etc/freeradius/sites-available/inner-tunnel-second /etc/freeradius
 alice::cat /etc/freeradius/sites-enabled/inner-tunnel-second
 alice::LEAK_DETECTIVE_DISABLE=1 LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.properties radiusd
 moon::ipsec start
-carol::LEAK_DETECTIVE_DISABLE=1 ipsec start
-dave::LEAK_DETECTIVE_DISABLE=1 ipsec start
+carol::ipsec start
+dave::ipsec start
 carol::sleep 1
 carol::ipsec up home
 dave::ipsec up home
diff --git a/testing/tests/tnc/tnccs-11-radius/pretest.dat b/testing/tests/tnc/tnccs-11-radius/pretest.dat
index 8f79c776a..71dff71b7 100644
--- a/testing/tests/tnc/tnccs-11-radius/pretest.dat
+++ b/testing/tests/tnc/tnccs-11-radius/pretest.dat
@@ -8,8 +8,8 @@ alice::cat /etc/tnc_config
 carol::cat /etc/tnc_config
 dave::cat /etc/tnc_config
 moon::ipsec start
-carol::LEAK_DETECTIVE_DISABLE=1 ipsec start
-dave::LEAK_DETECTIVE_DISABLE=1 ipsec start
+carol::ipsec start
+dave::ipsec start
 carol::sleep 1
 carol::ipsec up home
 dave::ipsec up home
diff --git a/testing/tests/tnc/tnccs-11/pretest.dat b/testing/tests/tnc/tnccs-11/pretest.dat
index 7bfcf0d07..cac1cfafc 100644
--- a/testing/tests/tnc/tnccs-11/pretest.dat
+++ b/testing/tests/tnc/tnccs-11/pretest.dat
@@ -4,9 +4,9 @@ dave::iptables-restore < /etc/iptables.rules
 moon::cat /etc/tnc_config
 carol::cat /etc/tnc_config
 dave::cat /etc/tnc_config
-moon::LEAK_DETECTIVE_DISABLE=1 ipsec start
-carol::LEAK_DETECTIVE_DISABLE=1 ipsec start
-dave::LEAK_DETECTIVE_DISABLE=1 ipsec start
+moon::ipsec start
+carol::ipsec start
+dave::ipsec start
 carol::sleep 1
 carol::ipsec up home
 dave::ipsec up home
diff --git a/testing/tests/tnc/tnccs-20-pdp/evaltest.dat b/testing/tests/tnc/tnccs-20-pdp/evaltest.dat
index e969774c5..f028ec609 100644
--- a/testing/tests/tnc/tnccs-20-pdp/evaltest.dat
+++ b/testing/tests/tnc/tnccs-20-pdp/evaltest.dat
@@ -7,9 +7,11 @@ dave:: cat /var/log/daemon.log::PB-TNC access recommendation is .*Quarantined::Y
 dave:: cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
 dave:: cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES
 moon:: cat /var/log/daemon.log::received RADIUS attribute Filter-Id: 'allow'::YES
-moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
+moon:: cat /var/log/daemon.log::RADIUS authentication of 'carol' successful::YES
+moon:: cat /var/log/daemon.log::authentication of '192.168.0.100' with EAP successful::YES
 moon:: cat /var/log/daemon.log::received RADIUS attribute Filter-Id: 'isolate'::YES
-moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES
+moon:: cat /var/log/daemon.log::RADIUS authentication of 'dave' successful::YES
+moon:: cat /var/log/daemon.log::authentication of '192.168.0.200' with EAP successful::YES
 moon:: ipsec statusall 2>/dev/null::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES
 moon:: ipsec statusall 2>/dev/null::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES
 carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
diff --git a/testing/tests/tnc/tnccs-20-pdp/hosts/alice/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-pdp/hosts/alice/etc/ipsec.secrets
index 96b9a8dd5..11d45cd14 100644
--- a/testing/tests/tnc/tnccs-20-pdp/hosts/alice/etc/ipsec.secrets
+++ b/testing/tests/tnc/tnccs-20-pdp/hosts/alice/etc/ipsec.secrets
@@ -2,5 +2,5 @@
 
 : RSA aaaKey.pem
 
-carol@strongswan.org : EAP "Ar3etTnp"
-dave@strongswan.org  : EAP "W7R0g3do"
+carol : EAP "Ar3etTnp"
+dave  : EAP "W7R0g3do"
diff --git a/testing/tests/tnc/tnccs-20-pdp/hosts/carol/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-pdp/hosts/carol/etc/ipsec.conf
index e9152e0d8..59563730b 100644
--- a/testing/tests/tnc/tnccs-20-pdp/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/tnc/tnccs-20-pdp/hosts/carol/etc/ipsec.conf
@@ -12,12 +12,12 @@ conn %default
 
 conn home
 	left=PH_IP_CAROL
-	leftid=carol@strongswan.org
 	leftauth=eap
 	leftfirewall=yes
 	right=PH_IP_MOON
 	rightid=@moon.strongswan.org
 	rightsubnet=10.1.0.0/16
 	rightauth=pubkey
+	eap_identity=carol
 	aaa_identity="C=CH, O=Linux strongSwan, CN=aaa.strongswan.org"
 	auto=add
diff --git a/testing/tests/tnc/tnccs-20-pdp/hosts/carol/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-pdp/hosts/carol/etc/ipsec.secrets
index 74942afda..23d79cf2e 100644
--- a/testing/tests/tnc/tnccs-20-pdp/hosts/carol/etc/ipsec.secrets
+++ b/testing/tests/tnc/tnccs-20-pdp/hosts/carol/etc/ipsec.secrets
@@ -1,3 +1,3 @@
 # /etc/ipsec.secrets - strongSwan IPsec secrets file
 
-carol@strongswan.org : EAP "Ar3etTnp"
+carol : EAP "Ar3etTnp"
diff --git a/testing/tests/tnc/tnccs-20-pdp/hosts/dave/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-pdp/hosts/dave/etc/ipsec.conf
index 25589bcf1..8c27c78d2 100644
--- a/testing/tests/tnc/tnccs-20-pdp/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/tnc/tnccs-20-pdp/hosts/dave/etc/ipsec.conf
@@ -12,12 +12,12 @@ conn %default
 
 conn home
 	left=PH_IP_DAVE
-	leftid=dave@strongswan.org
 	leftauth=eap
 	leftfirewall=yes
 	right=PH_IP_MOON
 	rightid=@moon.strongswan.org
 	rightsubnet=10.1.0.0/16
 	rightauth=pubkey
+	eap_identity=dave
 	aaa_identity="C=CH, O=Linux strongSwan, CN=aaa.strongswan.org"
 	auto=add
diff --git a/testing/tests/tnc/tnccs-20-pdp/hosts/dave/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-pdp/hosts/dave/etc/ipsec.secrets
index 5496df7ad..02e0c9963 100644
--- a/testing/tests/tnc/tnccs-20-pdp/hosts/dave/etc/ipsec.secrets
+++ b/testing/tests/tnc/tnccs-20-pdp/hosts/dave/etc/ipsec.secrets
@@ -1,3 +1,3 @@
 # /etc/ipsec.secrets - strongSwan IPsec secrets file
 
-dave@strongswan.org : EAP "W7R0g3do"
+dave : EAP "W7R0g3do"
diff --git a/testing/tests/tnc/tnccs-20-pdp/hosts/moon/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-pdp/hosts/moon/etc/ipsec.conf
index 294964fe7..02ada5665 100644
--- a/testing/tests/tnc/tnccs-20-pdp/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/tnc/tnccs-20-pdp/hosts/moon/etc/ipsec.conf
@@ -28,6 +28,6 @@ conn rw-eap
 	leftauth=pubkey
 	leftfirewall=yes
 	rightauth=eap-radius
-	rightid=*@strongswan.org
 	rightsendcert=never
 	right=%any
+	eap_identity=%any
diff --git a/testing/tests/tnc/tnccs-20-pdp/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-pdp/hosts/moon/etc/strongswan.conf
index 15655daf2..d32951866 100644
--- a/testing/tests/tnc/tnccs-20-pdp/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-20-pdp/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-radius updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-radius updown
   multiple_authentication=no
   plugins {
     eap-radius {
diff --git a/testing/tests/tnc/tnccs-20-tls/evaltest.dat b/testing/tests/tnc/tnccs-20-tls/evaltest.dat
index bac7294b2..40d5e24d5 100644
--- a/testing/tests/tnc/tnccs-20-tls/evaltest.dat
+++ b/testing/tests/tnc/tnccs-20-tls/evaltest.dat
@@ -7,9 +7,9 @@ dave:: cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::
 dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
 dave:: cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES
 moon:: cat /var/log/daemon.log::added group membership 'allow'::YES
-moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
+moon:: cat /var/log/daemon.log::authentication of 'C=CH, O=Linux strongSwan, OU=Research, CN=carol@strongswan.org' with EAP successful::YES
 moon:: cat /var/log/daemon.log::added group membership 'isolate'::YES
-moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES
+moon:: cat /var/log/daemon.log::authentication of 'C=CH, O=Linux strongSwan, OU=Accounting, CN=dave@strongswan.org' with EAP successful::YES
 moon:: ipsec statusall 2> /dev/null::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES
 moon:: ipsec statusall 2> /dev/null::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES
 carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
diff --git a/testing/tests/tnc/tnccs-20-tls/hosts/carol/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-tls/hosts/carol/etc/ipsec.conf
index e9b78bc01..eece9f294 100644
--- a/testing/tests/tnc/tnccs-20-tls/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/tnc/tnccs-20-tls/hosts/carol/etc/ipsec.conf
@@ -13,7 +13,6 @@ conn %default
 conn home
 	left=PH_IP_CAROL
 	leftcert=carolCert.pem
-	leftid=carol@strongswan.org
 	leftauth=eap
 	leftfirewall=yes
 	right=PH_IP_MOON
diff --git a/testing/tests/tnc/tnccs-20-tls/hosts/dave/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-tls/hosts/dave/etc/ipsec.conf
index 75d84e25a..362042656 100644
--- a/testing/tests/tnc/tnccs-20-tls/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/tnc/tnccs-20-tls/hosts/dave/etc/ipsec.conf
@@ -13,7 +13,6 @@ conn %default
 conn home
 	left=PH_IP_DAVE
 	leftcert=daveCert.pem
-	leftid=dave@strongswan.org
 	leftauth=eap
 	leftfirewall=yes
 	right=PH_IP_MOON
diff --git a/testing/tests/tnc/tnccs-20-tls/hosts/moon/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-tls/hosts/moon/etc/ipsec.conf
index 2ffc7e9ae..0ec930286 100644
--- a/testing/tests/tnc/tnccs-20-tls/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/tnc/tnccs-20-tls/hosts/moon/etc/ipsec.conf
@@ -29,6 +29,6 @@ conn rw-eap
 	leftauth=eap-ttls
 	leftfirewall=yes
 	rightauth=eap-ttls
-	rightid=*@strongswan.org
+	rightid="C=CH, O=Linux strongSwan, OU=*, CN=*"
 	rightsendcert=never
 	right=%any
-- 
cgit v1.2.3


From c83921a2b566aa9d55d8ccc7258f04fca6292ee6 Mon Sep 17 00:00:00 2001
From: Yves-Alexis Perez <corsac@debian.org>
Date: Tue, 30 Apr 2013 17:51:33 +0200
Subject: Imported Upstream version 5.0.4

---
 Android.common.mk                                  |   2 +-
 Makefile.in                                        |   1 +
 NEWS                                               |  22 ++++
 configure                                          |  36 +++--
 configure.in                                       |   3 +-
 init/Makefile.in                                   |   1 +
 init/systemd/Makefile.in                           |   1 +
 ltmain.sh                                          |   4 +-
 m4/config/libtool.m4                               |  40 +++---
 man/Makefile.in                                    |   1 +
 man/ipsec.conf.5                                   |   2 +-
 man/ipsec.secrets.5                                |   2 +-
 man/strongswan.conf.5                              |   8 +-
 man/strongswan.conf.5.in                           |   6 +
 scripts/Makefile.in                                |   1 +
 scripts/dnssec.c                                   |  41 ++++--
 src/Makefile.in                                    |   1 +
 src/_copyright/Makefile.in                         |   1 +
 src/_updown/Makefile.in                            |   1 +
 src/_updown_espmark/Makefile.in                    |   1 +
 src/charon-nm/Makefile.in                          |   1 +
 src/charon-tkm/Makefile.in                         |   1 +
 src/charon/Makefile.in                             |   1 +
 src/checksum/Makefile.am                           |   2 +-
 src/checksum/Makefile.in                           |   5 +-
 src/conftest/Makefile.in                           |   1 +
 src/dumm/Makefile.in                               |   1 +
 src/include/Makefile.in                            |   1 +
 src/ipsec/Makefile.in                              |   1 +
 src/ipsec/_ipsec.8                                 |   2 +-
 src/libcharon/Makefile.in                          |   1 +
 src/libcharon/bus/bus.c                            |  28 ++++
 src/libcharon/bus/bus.h                            |   8 ++
 src/libcharon/bus/listeners/listener.h             |  13 ++
 src/libcharon/network/receiver.c                   |  12 +-
 src/libcharon/plugins/addrblock/Makefile.in        |   1 +
 src/libcharon/plugins/android_dns/Makefile.in      |   1 +
 src/libcharon/plugins/android_log/Makefile.in      |   1 +
 src/libcharon/plugins/certexpire/Makefile.in       |   1 +
 src/libcharon/plugins/coupling/Makefile.in         |   1 +
 src/libcharon/plugins/dhcp/Makefile.in             |   1 +
 src/libcharon/plugins/duplicheck/Makefile.in       |   1 +
 src/libcharon/plugins/eap_aka/Makefile.in          |   1 +
 src/libcharon/plugins/eap_aka_3gpp2/Makefile.in    |   1 +
 src/libcharon/plugins/eap_dynamic/Makefile.in      |   1 +
 src/libcharon/plugins/eap_gtc/Makefile.in          |   1 +
 src/libcharon/plugins/eap_identity/Makefile.in     |   1 +
 src/libcharon/plugins/eap_md5/Makefile.in          |   1 +
 src/libcharon/plugins/eap_mschapv2/Makefile.in     |   1 +
 src/libcharon/plugins/eap_peap/Makefile.in         |   1 +
 src/libcharon/plugins/eap_radius/Makefile.in       |   1 +
 src/libcharon/plugins/eap_radius/eap_radius.c      |  18 ++-
 .../plugins/eap_radius/eap_radius_accounting.c     |  28 +++-
 .../plugins/eap_radius/eap_radius_plugin.c         |   2 +-
 src/libcharon/plugins/eap_sim/Makefile.in          |   1 +
 src/libcharon/plugins/eap_sim_file/Makefile.in     |   1 +
 src/libcharon/plugins/eap_sim_pcsc/Makefile.in     |   1 +
 .../plugins/eap_simaka_pseudonym/Makefile.in       |   1 +
 .../plugins/eap_simaka_reauth/Makefile.in          |   1 +
 src/libcharon/plugins/eap_simaka_sql/Makefile.in   |   1 +
 src/libcharon/plugins/eap_tls/Makefile.in          |   1 +
 src/libcharon/plugins/eap_tnc/Makefile.in          |   1 +
 src/libcharon/plugins/eap_ttls/Makefile.in         |   1 +
 src/libcharon/plugins/error_notify/Makefile.in     |   1 +
 src/libcharon/plugins/farp/Makefile.in             |   1 +
 src/libcharon/plugins/ha/Makefile.in               |   1 +
 src/libcharon/plugins/ipseckey/Makefile.in         |   1 +
 src/libcharon/plugins/led/Makefile.in              |   1 +
 src/libcharon/plugins/load_tester/Makefile.in      |   1 +
 src/libcharon/plugins/lookip/Makefile.in           |   1 +
 src/libcharon/plugins/maemo/Makefile.in            |   1 +
 src/libcharon/plugins/medcli/Makefile.in           |   1 +
 src/libcharon/plugins/medsrv/Makefile.in           |   1 +
 src/libcharon/plugins/radattr/Makefile.in          |   1 +
 src/libcharon/plugins/smp/Makefile.in              |   1 +
 src/libcharon/plugins/socket_default/Makefile.in   |   1 +
 src/libcharon/plugins/socket_dynamic/Makefile.in   |   1 +
 src/libcharon/plugins/sql/Makefile.in              |   1 +
 src/libcharon/plugins/stroke/Makefile.in           |   1 +
 src/libcharon/plugins/systime_fix/Makefile.in      |   1 +
 src/libcharon/plugins/tnc_ifmap/Makefile.in        |   1 +
 .../plugins/tnc_ifmap/tnc_ifmap_listener.c         |  13 +-
 src/libcharon/plugins/tnc_ifmap/tnc_ifmap_soap.c   |  50 +++++++
 src/libcharon/plugins/tnc_ifmap/tnc_ifmap_soap.h   |  12 +-
 src/libcharon/plugins/tnc_imc/Makefile.in          |   1 +
 src/libcharon/plugins/tnc_imv/Makefile.in          |   1 +
 src/libcharon/plugins/tnc_pdp/Makefile.in          |   1 +
 src/libcharon/plugins/tnc_tnccs/Makefile.in        |   1 +
 src/libcharon/plugins/tnccs_11/Makefile.in         |   1 +
 src/libcharon/plugins/tnccs_20/Makefile.in         |   1 +
 src/libcharon/plugins/tnccs_dynamic/Makefile.in    |   1 +
 src/libcharon/plugins/uci/Makefile.in              |   1 +
 src/libcharon/plugins/unit_tester/Makefile.in      |   1 +
 src/libcharon/plugins/unity/Makefile.in            |   1 +
 src/libcharon/plugins/unity/unity_handler.c        |   3 +-
 src/libcharon/plugins/updown/Makefile.in           |   1 +
 src/libcharon/plugins/whitelist/Makefile.in        |   1 +
 src/libcharon/plugins/xauth_eap/Makefile.in        |   1 +
 src/libcharon/plugins/xauth_generic/Makefile.in    |   1 +
 src/libcharon/plugins/xauth_noauth/Makefile.in     |   1 +
 src/libcharon/plugins/xauth_pam/Makefile.in        |   1 +
 src/libcharon/sa/ike_sa.c                          |   8 ++
 src/libcharon/sa/ikev2/tasks/ike_config.c          |   2 +
 src/libfast/Makefile.in                            |   1 +
 src/libhydra/Makefile.in                           |   1 +
 src/libhydra/plugins/attr/Makefile.in              |   1 +
 src/libhydra/plugins/attr_sql/Makefile.in          |   1 +
 src/libhydra/plugins/kernel_klips/Makefile.in      |   1 +
 src/libhydra/plugins/kernel_netlink/Makefile.in    |   1 +
 src/libhydra/plugins/kernel_pfkey/Makefile.in      |   1 +
 src/libhydra/plugins/kernel_pfroute/Makefile.in    |   1 +
 src/libhydra/plugins/resolve/Makefile.in           |   1 +
 src/libimcv/Makefile.in                            |   1 +
 src/libimcv/plugins/imc_os/Makefile.in             |   1 +
 src/libimcv/plugins/imc_scanner/Makefile.in        |   1 +
 src/libimcv/plugins/imc_test/Makefile.in           |   1 +
 src/libimcv/plugins/imv_os/Makefile.in             |   1 +
 src/libimcv/plugins/imv_os/imv_os_database.c       |   1 +
 src/libimcv/plugins/imv_scanner/Makefile.in        |   1 +
 src/libimcv/plugins/imv_test/Makefile.in           |   1 +
 src/libipsec/Makefile.in                           |   1 +
 src/libpts/Makefile.in                             |   1 +
 src/libpts/plugins/imc_attestation/Makefile.in     |   1 +
 src/libpts/plugins/imv_attestation/Makefile.in     |   1 +
 src/libpts/plugins/imv_attestation/attest_db.c     |   9 +-
 src/libpttls/Makefile.in                           |   1 +
 src/libpttls/sasl/sasl_mechanism.h                 |   3 +
 src/libradius/Makefile.in                          |   1 +
 src/libsimaka/Makefile.in                          |   1 +
 src/libstrongswan/Makefile.in                      |   1 +
 src/libstrongswan/library.c                        |  52 +++++++-
 src/libstrongswan/plugins/aes/Makefile.in          |   1 +
 src/libstrongswan/plugins/af_alg/Makefile.in       |   1 +
 src/libstrongswan/plugins/agent/Makefile.in        |   1 +
 src/libstrongswan/plugins/blowfish/Makefile.in     |   1 +
 src/libstrongswan/plugins/ccm/Makefile.in          |   1 +
 src/libstrongswan/plugins/cmac/Makefile.in         |   1 +
 src/libstrongswan/plugins/constraints/Makefile.in  |   1 +
 src/libstrongswan/plugins/ctr/Makefile.in          |   1 +
 src/libstrongswan/plugins/curl/Makefile.in         |   1 +
 src/libstrongswan/plugins/des/Makefile.in          |   1 +
 src/libstrongswan/plugins/dnskey/Makefile.in       |   1 +
 src/libstrongswan/plugins/fips_prf/Makefile.in     |   1 +
 src/libstrongswan/plugins/gcm/Makefile.in          |   1 +
 src/libstrongswan/plugins/gcrypt/Makefile.in       |   1 +
 src/libstrongswan/plugins/gmp/Makefile.in          |   1 +
 src/libstrongswan/plugins/hmac/Makefile.in         |   1 +
 src/libstrongswan/plugins/ldap/Makefile.in         |   1 +
 src/libstrongswan/plugins/md4/Makefile.in          |   1 +
 src/libstrongswan/plugins/md5/Makefile.in          |   1 +
 src/libstrongswan/plugins/mysql/Makefile.in        |   1 +
 src/libstrongswan/plugins/nonce/Makefile.in        |   1 +
 src/libstrongswan/plugins/openssl/Makefile.am      |   2 +-
 src/libstrongswan/plugins/openssl/Makefile.in      |   3 +-
 .../plugins/openssl/openssl_ec_public_key.c        |   2 +-
 src/libstrongswan/plugins/openssl/openssl_plugin.c |  19 +++
 src/libstrongswan/plugins/openssl/openssl_rng.c    |   2 +-
 .../plugins/openssl/openssl_rsa_private_key.c      |   4 +-
 .../plugins/openssl/openssl_rsa_public_key.c       |  17 ++-
 .../plugins/openssl/openssl_sha1_prf.c             |  14 ++
 src/libstrongswan/plugins/padlock/Makefile.in      |   1 +
 src/libstrongswan/plugins/pem/Makefile.in          |   1 +
 src/libstrongswan/plugins/pgp/Makefile.in          |   1 +
 src/libstrongswan/plugins/pkcs1/Makefile.in        |   1 +
 src/libstrongswan/plugins/pkcs11/Makefile.in       |   1 +
 src/libstrongswan/plugins/pkcs7/Makefile.in        |   1 +
 src/libstrongswan/plugins/pkcs8/Makefile.in        |   1 +
 src/libstrongswan/plugins/pubkey/Makefile.in       |   1 +
 src/libstrongswan/plugins/random/Makefile.in       |   1 +
 src/libstrongswan/plugins/rdrand/Makefile.in       |   1 +
 src/libstrongswan/plugins/revocation/Makefile.in   |   1 +
 src/libstrongswan/plugins/sha1/Makefile.in         |   1 +
 src/libstrongswan/plugins/sha2/Makefile.in         |   1 +
 src/libstrongswan/plugins/soup/Makefile.in         |   1 +
 src/libstrongswan/plugins/sqlite/Makefile.in       |   1 +
 src/libstrongswan/plugins/test_vectors/Makefile.in |   1 +
 src/libstrongswan/plugins/unbound/Makefile.in      |   1 +
 src/libstrongswan/plugins/x509/Makefile.in         |   1 +
 src/libstrongswan/plugins/xcbc/Makefile.in         |   1 +
 src/libtls/Makefile.in                             |   1 +
 src/libtnccs/Makefile.in                           |   1 +
 src/libtncif/Makefile.in                           |   1 +
 src/manager/Makefile.in                            |   1 +
 src/medsrv/Makefile.in                             |   1 +
 src/openac/Makefile.in                             |   1 +
 src/pki/Makefile.in                                |   1 +
 src/scepclient/Makefile.in                         |   1 +
 src/starter/Makefile.in                            |   1 +
 src/stroke/Makefile.in                             |   1 +
 testing/Makefile.in                                |   1 +
 testing/hosts/default/etc/pts/data.sql             | 107 +++++++++++++++
 testing/hosts/default/etc/pts/data.sql~            | 107 +++++++++++++++
 testing/hosts/default/etc/pts/tables.sql           | 146 +++++++++++++++++++++
 testing/scripts/build-baseimage                    |   2 +-
 testing/scripts/recipes/009_tkm.mk                 |  21 ---
 testing/scripts/recipes/009_xfrm-proxy.mk          |  21 +++
 testing/scripts/recipes/010_strongswan.mk          |  94 -------------
 testing/scripts/recipes/010_tkm.mk                 |  21 +++
 testing/scripts/recipes/011_openssl-fips.mk        |  23 ++++
 testing/scripts/recipes/011_xfrm-proxy.mk          |  21 ---
 testing/scripts/recipes/012_openssl.mk             |  13 ++
 testing/scripts/recipes/013_strongswan.mk          |  95 ++++++++++++++
 .../tests/ikev1/rw-initiator-only/description.txt  |  10 ++
 testing/tests/ikev1/rw-initiator-only/evaltest.dat |   8 ++
 .../rw-initiator-only/hosts/carol/etc/ipsec.conf   |  20 +++
 .../hosts/carol/etc/strongswan.conf                |   7 +
 .../rw-initiator-only/hosts/dave/etc/ipsec.conf    |  19 +++
 .../hosts/dave/etc/strongswan.conf                 |   9 ++
 .../rw-initiator-only/hosts/moon/etc/ipsec.conf    |  18 +++
 .../hosts/moon/etc/strongswan.conf                 |   5 +
 testing/tests/ikev1/rw-initiator-only/posttest.dat |   6 +
 testing/tests/ikev1/rw-initiator-only/pretest.dat  |   9 ++
 testing/tests/ikev1/rw-initiator-only/test.conf    |  21 +++
 .../tests/ikev2/rw-initiator-only/description.txt  |  10 ++
 testing/tests/ikev2/rw-initiator-only/evaltest.dat |   8 ++
 .../rw-initiator-only/hosts/carol/etc/ipsec.conf   |  20 +++
 .../hosts/carol/etc/strongswan.conf                |   7 +
 .../rw-initiator-only/hosts/dave/etc/ipsec.conf    |  19 +++
 .../hosts/dave/etc/strongswan.conf                 |   9 ++
 .../rw-initiator-only/hosts/moon/etc/ipsec.conf    |  19 +++
 .../hosts/moon/etc/strongswan.conf                 |   5 +
 testing/tests/ikev2/rw-initiator-only/posttest.dat |   6 +
 testing/tests/ikev2/rw-initiator-only/pretest.dat  |   9 ++
 testing/tests/ikev2/rw-initiator-only/test.conf    |  21 +++
 testing/tests/openssl-ikev2/rw-cpa/description.txt |   9 ++
 testing/tests/openssl-ikev2/rw-cpa/evaltest.dat    |  11 ++
 .../rw-cpa/hosts/carol/etc/ipsec.conf              |  22 ++++
 .../carol/etc/ipsec.d/cacerts/strongswanCert.pem   |  17 +++
 .../hosts/carol/etc/ipsec.d/certs/carolCert.pem    |  18 +++
 .../hosts/carol/etc/ipsec.d/private/carolKey.pem   |   5 +
 .../rw-cpa/hosts/carol/etc/ipsec.secrets           |   3 +
 .../rw-cpa/hosts/carol/etc/iptables.flush          |  21 +++
 .../rw-cpa/hosts/carol/etc/iptables.rules          |  32 +++++
 .../rw-cpa/hosts/carol/etc/strongswan.conf         |  20 +++
 .../openssl-ikev2/rw-cpa/hosts/dave/etc/ipsec.conf |  21 +++
 .../dave/etc/ipsec.d/cacerts/strongswanCert.pem    |  17 +++
 .../hosts/dave/etc/ipsec.d/certs/daveCert.pem      |  19 +++
 .../hosts/dave/etc/ipsec.d/private/daveKey.pem     |   6 +
 .../rw-cpa/hosts/dave/etc/ipsec.secrets            |   3 +
 .../rw-cpa/hosts/dave/etc/iptables.flush           |  21 +++
 .../rw-cpa/hosts/dave/etc/iptables.rules           |  32 +++++
 .../rw-cpa/hosts/dave/etc/strongswan.conf          |  23 ++++
 .../openssl-ikev2/rw-cpa/hosts/moon/etc/ipsec.conf |  21 +++
 .../moon/etc/ipsec.d/cacerts/strongswanCert.pem    |  17 +++
 .../hosts/moon/etc/ipsec.d/certs/moonCert.pem      |  20 +++
 .../hosts/moon/etc/ipsec.d/private/moonKey.pem     |   7 +
 .../rw-cpa/hosts/moon/etc/ipsec.secrets            |   3 +
 .../rw-cpa/hosts/moon/etc/iptables.flush           |  21 +++
 .../rw-cpa/hosts/moon/etc/iptables.rules           |  32 +++++
 .../rw-cpa/hosts/moon/etc/strongswan.conf          |  18 +++
 testing/tests/openssl-ikev2/rw-cpa/posttest.dat    |   6 +
 testing/tests/openssl-ikev2/rw-cpa/pretest.dat     |   9 ++
 testing/tests/openssl-ikev2/rw-cpa/test.conf       |  21 +++
 testing/tests/tnc/tnccs-20-os/evaltest.dat         |   3 +-
 .../tnc/tnccs-20-os/hosts/moon/etc/strongswan.conf |   9 +-
 testing/tests/tnc/tnccs-20-os/posttest.dat         |   1 +
 testing/tests/tnc/tnccs-20-os/pretest.dat          |   4 +
 257 files changed, 1848 insertions(+), 231 deletions(-)
 create mode 100644 testing/hosts/default/etc/pts/data.sql
 create mode 100644 testing/hosts/default/etc/pts/data.sql~
 create mode 100644 testing/hosts/default/etc/pts/tables.sql
 delete mode 100644 testing/scripts/recipes/009_tkm.mk
 create mode 100644 testing/scripts/recipes/009_xfrm-proxy.mk
 delete mode 100644 testing/scripts/recipes/010_strongswan.mk
 create mode 100644 testing/scripts/recipes/010_tkm.mk
 create mode 100644 testing/scripts/recipes/011_openssl-fips.mk
 delete mode 100644 testing/scripts/recipes/011_xfrm-proxy.mk
 create mode 100644 testing/scripts/recipes/012_openssl.mk
 create mode 100644 testing/scripts/recipes/013_strongswan.mk
 create mode 100644 testing/tests/ikev1/rw-initiator-only/description.txt
 create mode 100644 testing/tests/ikev1/rw-initiator-only/evaltest.dat
 create mode 100644 testing/tests/ikev1/rw-initiator-only/hosts/carol/etc/ipsec.conf
 create mode 100644 testing/tests/ikev1/rw-initiator-only/hosts/carol/etc/strongswan.conf
 create mode 100644 testing/tests/ikev1/rw-initiator-only/hosts/dave/etc/ipsec.conf
 create mode 100644 testing/tests/ikev1/rw-initiator-only/hosts/dave/etc/strongswan.conf
 create mode 100644 testing/tests/ikev1/rw-initiator-only/hosts/moon/etc/ipsec.conf
 create mode 100644 testing/tests/ikev1/rw-initiator-only/hosts/moon/etc/strongswan.conf
 create mode 100644 testing/tests/ikev1/rw-initiator-only/posttest.dat
 create mode 100644 testing/tests/ikev1/rw-initiator-only/pretest.dat
 create mode 100644 testing/tests/ikev1/rw-initiator-only/test.conf
 create mode 100644 testing/tests/ikev2/rw-initiator-only/description.txt
 create mode 100644 testing/tests/ikev2/rw-initiator-only/evaltest.dat
 create mode 100644 testing/tests/ikev2/rw-initiator-only/hosts/carol/etc/ipsec.conf
 create mode 100644 testing/tests/ikev2/rw-initiator-only/hosts/carol/etc/strongswan.conf
 create mode 100644 testing/tests/ikev2/rw-initiator-only/hosts/dave/etc/ipsec.conf
 create mode 100644 testing/tests/ikev2/rw-initiator-only/hosts/dave/etc/strongswan.conf
 create mode 100644 testing/tests/ikev2/rw-initiator-only/hosts/moon/etc/ipsec.conf
 create mode 100644 testing/tests/ikev2/rw-initiator-only/hosts/moon/etc/strongswan.conf
 create mode 100644 testing/tests/ikev2/rw-initiator-only/posttest.dat
 create mode 100644 testing/tests/ikev2/rw-initiator-only/pretest.dat
 create mode 100644 testing/tests/ikev2/rw-initiator-only/test.conf
 create mode 100644 testing/tests/openssl-ikev2/rw-cpa/description.txt
 create mode 100644 testing/tests/openssl-ikev2/rw-cpa/evaltest.dat
 create mode 100644 testing/tests/openssl-ikev2/rw-cpa/hosts/carol/etc/ipsec.conf
 create mode 100644 testing/tests/openssl-ikev2/rw-cpa/hosts/carol/etc/ipsec.d/cacerts/strongswanCert.pem
 create mode 100644 testing/tests/openssl-ikev2/rw-cpa/hosts/carol/etc/ipsec.d/certs/carolCert.pem
 create mode 100644 testing/tests/openssl-ikev2/rw-cpa/hosts/carol/etc/ipsec.d/private/carolKey.pem
 create mode 100644 testing/tests/openssl-ikev2/rw-cpa/hosts/carol/etc/ipsec.secrets
 create mode 100644 testing/tests/openssl-ikev2/rw-cpa/hosts/carol/etc/iptables.flush
 create mode 100644 testing/tests/openssl-ikev2/rw-cpa/hosts/carol/etc/iptables.rules
 create mode 100644 testing/tests/openssl-ikev2/rw-cpa/hosts/carol/etc/strongswan.conf
 create mode 100644 testing/tests/openssl-ikev2/rw-cpa/hosts/dave/etc/ipsec.conf
 create mode 100644 testing/tests/openssl-ikev2/rw-cpa/hosts/dave/etc/ipsec.d/cacerts/strongswanCert.pem
 create mode 100644 testing/tests/openssl-ikev2/rw-cpa/hosts/dave/etc/ipsec.d/certs/daveCert.pem
 create mode 100644 testing/tests/openssl-ikev2/rw-cpa/hosts/dave/etc/ipsec.d/private/daveKey.pem
 create mode 100644 testing/tests/openssl-ikev2/rw-cpa/hosts/dave/etc/ipsec.secrets
 create mode 100644 testing/tests/openssl-ikev2/rw-cpa/hosts/dave/etc/iptables.flush
 create mode 100644 testing/tests/openssl-ikev2/rw-cpa/hosts/dave/etc/iptables.rules
 create mode 100644 testing/tests/openssl-ikev2/rw-cpa/hosts/dave/etc/strongswan.conf
 create mode 100644 testing/tests/openssl-ikev2/rw-cpa/hosts/moon/etc/ipsec.conf
 create mode 100644 testing/tests/openssl-ikev2/rw-cpa/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem
 create mode 100644 testing/tests/openssl-ikev2/rw-cpa/hosts/moon/etc/ipsec.d/certs/moonCert.pem
 create mode 100644 testing/tests/openssl-ikev2/rw-cpa/hosts/moon/etc/ipsec.d/private/moonKey.pem
 create mode 100644 testing/tests/openssl-ikev2/rw-cpa/hosts/moon/etc/ipsec.secrets
 create mode 100644 testing/tests/openssl-ikev2/rw-cpa/hosts/moon/etc/iptables.flush
 create mode 100644 testing/tests/openssl-ikev2/rw-cpa/hosts/moon/etc/iptables.rules
 create mode 100644 testing/tests/openssl-ikev2/rw-cpa/hosts/moon/etc/strongswan.conf
 create mode 100644 testing/tests/openssl-ikev2/rw-cpa/posttest.dat
 create mode 100644 testing/tests/openssl-ikev2/rw-cpa/pretest.dat
 create mode 100644 testing/tests/openssl-ikev2/rw-cpa/test.conf

(limited to 'man')

diff --git a/Android.common.mk b/Android.common.mk
index 21dbbb9ce..4dce2e3d3 100644
--- a/Android.common.mk
+++ b/Android.common.mk
@@ -15,5 +15,5 @@ add_plugin = $(if $(call plugin_enabled,$(1)), \
               )
 
 # strongSwan version, replaced by top Makefile
-strongswan_VERSION := "5.0.3"
+strongswan_VERSION := "5.0.4"
 
diff --git a/Makefile.in b/Makefile.in
index a457a4519..61541b2e4 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -287,6 +287,7 @@ dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
diff --git a/NEWS b/NEWS
index b95698d91..2c58ee97c 100644
--- a/NEWS
+++ b/NEWS
@@ -1,3 +1,25 @@
+strongswan-5.0.4
+----------------
+
+- Fixed a security vulnerability in the openssl plugin which was reported by
+  Kevin Wojtysiak. The vulnerability has been registered as CVE-2013-2944.
+  Before the fix, if the openssl plugin's ECDSA signature verification was used,
+  due to a misinterpretation of the error code returned by the OpenSSL
+  ECDSA_verify() function, an empty or zeroed signature was accepted as a
+  legitimate one.
+
+- The handling of a couple of other non-security relevant openssl return codes
+  was fixed as well.
+
+- The tnc_ifmap plugin now publishes virtual IPv4 and IPv6 addresses via its
+  TCG TNC IF-MAP 2.1 interface.
+
+- The charon.initiator_only option causes charon to ignore IKE initiation
+  requests.
+
+- The openssl plugin can now use the openssl-fips library.
+
+
 strongswan-5.0.3
 ----------------
 
diff --git a/configure b/configure
index 178f9c9ca..fca9ca824 100755
--- a/configure
+++ b/configure
@@ -1,6 +1,6 @@
 #! /bin/sh
 # Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.69 for strongSwan 5.0.3.
+# Generated by GNU Autoconf 2.69 for strongSwan 5.0.4.
 #
 #
 # Copyright (C) 1992-1996, 1998-2012 Free Software Foundation, Inc.
@@ -587,8 +587,8 @@ MAKEFLAGS=
 # Identity of this package.
 PACKAGE_NAME='strongSwan'
 PACKAGE_TARNAME='strongswan'
-PACKAGE_VERSION='5.0.3'
-PACKAGE_STRING='strongSwan 5.0.3'
+PACKAGE_VERSION='5.0.4'
+PACKAGE_STRING='strongSwan 5.0.4'
 PACKAGE_BUGREPORT=''
 PACKAGE_URL=''
 
@@ -1045,6 +1045,7 @@ ipsecuser
 systemdsystemunitdir
 HAVE_SYSTEMD_FALSE
 HAVE_SYSTEMD_TRUE
+fips_mode
 ipsec_script
 routing_table_prio
 routing_table
@@ -1140,6 +1141,7 @@ with_linux_headers
 with_routing_table
 with_routing_table_prio
 with_ipsec_script
+with_fips_mode
 with_tss
 with_capabilities
 with_mpz_powm_sec
@@ -1863,7 +1865,7 @@ if test "$ac_init_help" = "long"; then
   # Omit some internal or obsolete options to make the list less imposing.
   # This message is too long to be a string in the A/UX 3.1 sh.
   cat <<_ACEOF
-\`configure' configures strongSwan 5.0.3 to adapt to many kinds of systems.
+\`configure' configures strongSwan 5.0.4 to adapt to many kinds of systems.
 
 Usage: $0 [OPTION]... [VAR=VALUE]...
 
@@ -1933,7 +1935,7 @@ fi
 
 if test -n "$ac_init_help"; then
   case $ac_init_help in
-     short | recursive ) echo "Configuration of strongSwan 5.0.3:";;
+     short | recursive ) echo "Configuration of strongSwan 5.0.4:";;
    esac
   cat <<\_ACEOF
 
@@ -2164,6 +2166,8 @@ Optional Packages:
                           set priority for IPsec routing table (default: 220).
   --with-ipsec-script=arg change the name of the ipsec script (default:
                           ipsec).
+  --with-fips-mode=arg    set openssl FIPS mode: disabled(0), enabled(1),
+                          Suite B enabled(2) (default: 0).
   --with-tss=arg          set implementation of the Trusted Computing Group's
                           Software Stack (TSS). Currently the only supported
                           value is "trousers" (default: no).
@@ -2300,7 +2304,7 @@ fi
 test -n "$ac_init_help" && exit $ac_status
 if $ac_init_version; then
   cat <<\_ACEOF
-strongSwan configure 5.0.3
+strongSwan configure 5.0.4
 generated by GNU Autoconf 2.69
 
 Copyright (C) 2012 Free Software Foundation, Inc.
@@ -2822,7 +2826,7 @@ cat >config.log <<_ACEOF
 This file contains any messages produced by compilers while
 running configure, to aid debugging if configure makes a mistake.
 
-It was created by strongSwan $as_me 5.0.3, which was
+It was created by strongSwan $as_me 5.0.4, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   $ $0 $@
@@ -3637,7 +3641,7 @@ fi
 
 # Define the identity of the package.
  PACKAGE='strongswan'
- VERSION='5.0.3'
+ VERSION='5.0.4'
 
 
 cat >>confdefs.h <<_ACEOF
@@ -4070,6 +4074,18 @@ fi
 
 
 
+# Check whether --with-fips-mode was given.
+if test "${with_fips_mode+set}" = set; then :
+  withval=$with_fips_mode; fips_mode="$withval"
+
+else
+  fips_mode="0"
+
+
+fi
+
+
+
 
 # Check whether --with-tss was given.
 if test "${with_tss+set}" = set; then :
@@ -22557,7 +22573,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
 # report actual input values of CONFIG_FILES etc. instead of their
 # values after options handling.
 ac_log="
-This file was extended by strongSwan $as_me 5.0.3, which was
+This file was extended by strongSwan $as_me 5.0.4, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   CONFIG_FILES    = $CONFIG_FILES
@@ -22623,7 +22639,7 @@ _ACEOF
 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
 ac_cs_version="\\
-strongSwan config.status 5.0.3
+strongSwan config.status 5.0.4
 configured by $0, generated by GNU Autoconf 2.69,
   with options \\"\$ac_cs_config\\"
 
diff --git a/configure.in b/configure.in
index 1e367d094..9a00b6256 100644
--- a/configure.in
+++ b/configure.in
@@ -19,7 +19,7 @@
 #  initialize & set some vars
 # ============================
 
-AC_INIT([strongSwan],[5.0.3])
+AC_INIT([strongSwan],[5.0.4])
 AM_INIT_AUTOMAKE(tar-ustar)
 AC_CONFIG_MACRO_DIR([m4/config])
 AC_CONFIG_HEADERS([config.h])
@@ -46,6 +46,7 @@ ARG_WITH_SUBST([linux-headers],      [\${top_srcdir}/src/include], [set director
 ARG_WITH_SUBST([routing-table],      [220], [set routing table to use for IPsec routes])
 ARG_WITH_SUBST([routing-table-prio], [220], [set priority for IPsec routing table])
 ARG_WITH_SUBST([ipsec-script],       [ipsec], [change the name of the ipsec script])
+ARG_WITH_SUBST([fips-mode],          [0], [set openssl FIPS mode: disabled(0), enabled(1), Suite B enabled(2)])
 
 ARG_WITH_SET([tss],                  [no], [set implementation of the Trusted Computing Group's Software Stack (TSS). Currently the only supported value is "trousers"])
 ARG_WITH_SET([capabilities],         [no], [set capability dropping library. Currently supported values are "libcap" and "native"])
diff --git a/init/Makefile.in b/init/Makefile.in
index 7603fa066..a4e2c4445 100644
--- a/init/Makefile.in
+++ b/init/Makefile.in
@@ -236,6 +236,7 @@ dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
diff --git a/init/systemd/Makefile.in b/init/systemd/Makefile.in
index 7b95497ab..0486da5e4 100644
--- a/init/systemd/Makefile.in
+++ b/init/systemd/Makefile.in
@@ -225,6 +225,7 @@ dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
diff --git a/ltmain.sh b/ltmain.sh
index 0096fe6c7..b9205eeb4 100644
--- a/ltmain.sh
+++ b/ltmain.sh
@@ -70,7 +70,7 @@
 #         compiler:		$LTCC
 #         compiler flags:		$LTCFLAGS
 #         linker:		$LD (gnu? $with_gnu_ld)
-#         $progname:	(GNU libtool) 2.4.2 Debian-2.4.2-1ubuntu2
+#         $progname:	(GNU libtool) 2.4.2 Debian-2.4.2-1.2ubuntu1
 #         automake:	$automake_version
 #         autoconf:	$autoconf_version
 #
@@ -80,7 +80,7 @@
 
 PROGRAM=libtool
 PACKAGE=libtool
-VERSION="2.4.2 Debian-2.4.2-1ubuntu2"
+VERSION="2.4.2 Debian-2.4.2-1.2ubuntu1"
 TIMESTAMP=""
 package_revision=1.3337
 
diff --git a/m4/config/libtool.m4 b/m4/config/libtool.m4
index 828104cfd..02b4bbec5 100644
--- a/m4/config/libtool.m4
+++ b/m4/config/libtool.m4
@@ -1324,7 +1324,14 @@ s390*-*linux*|s390*-*tpf*|sparc*-*linux*)
 	    LD="${LD-ld} -m elf_i386_fbsd"
 	    ;;
 	  x86_64-*linux*)
-	    LD="${LD-ld} -m elf_i386"
+	    case `/usr/bin/file conftest.o` in
+	      *x86-64*)
+		LD="${LD-ld} -m elf32_x86_64"
+		;;
+	      *)
+		LD="${LD-ld} -m elf_i386"
+		;;
+	    esac
 	    ;;
 	  ppc64-*linux*|powerpc64-*linux*)
 	    LD="${LD-ld} -m elf32ppclinux"
@@ -1688,7 +1695,8 @@ AC_CACHE_VAL([lt_cv_sys_max_cmd_len], [dnl
     ;;
   *)
     lt_cv_sys_max_cmd_len=`(getconf ARG_MAX) 2> /dev/null`
-    if test -n "$lt_cv_sys_max_cmd_len"; then
+    if test -n "$lt_cv_sys_max_cmd_len" && \
+	test undefined != "$lt_cv_sys_max_cmd_len"; then
       lt_cv_sys_max_cmd_len=`expr $lt_cv_sys_max_cmd_len \/ 4`
       lt_cv_sys_max_cmd_len=`expr $lt_cv_sys_max_cmd_len \* 3`
     else
@@ -2512,17 +2520,6 @@ freebsd* | dragonfly*)
   esac
   ;;
 
-gnu*)
-  version_type=linux # correct to gnu/linux during the next big refactor
-  need_lib_prefix=no
-  need_version=no
-  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}${major} ${libname}${shared_ext}'
-  soname_spec='${libname}${release}${shared_ext}$major'
-  shlibpath_var=LD_LIBRARY_PATH
-  shlibpath_overrides_runpath=no
-  hardcode_into_libs=yes
-  ;;
-
 haiku*)
   version_type=linux # correct to gnu/linux during the next big refactor
   need_lib_prefix=no
@@ -2639,7 +2636,7 @@ linux*oldld* | linux*aout* | linux*coff*)
   ;;
 
 # This must be glibc/ELF.
-linux* | k*bsd*-gnu | kopensolaris*-gnu)
+linux* | k*bsd*-gnu | kopensolaris*-gnu | gnu*)
   version_type=linux # correct to gnu/linux during the next big refactor
   need_lib_prefix=no
   need_version=no
@@ -3255,10 +3252,6 @@ freebsd* | dragonfly*)
   fi
   ;;
 
-gnu*)
-  lt_cv_deplibs_check_method=pass_all
-  ;;
-
 haiku*)
   lt_cv_deplibs_check_method=pass_all
   ;;
@@ -3297,7 +3290,7 @@ irix5* | irix6* | nonstopux*)
   ;;
 
 # This must be glibc/ELF.
-linux* | k*bsd*-gnu | kopensolaris*-gnu)
+linux* | k*bsd*-gnu | kopensolaris*-gnu | gnu*)
   lt_cv_deplibs_check_method=pass_all
   ;;
 
@@ -4049,7 +4042,7 @@ m4_if([$1], [CXX], [
 	    ;;
 	esac
 	;;
-      linux* | k*bsd*-gnu | kopensolaris*-gnu)
+      linux* | k*bsd*-gnu | kopensolaris*-gnu | gnu*)
 	case $cc_basename in
 	  KCC*)
 	    # KAI C++ Compiler
@@ -4348,7 +4341,7 @@ m4_if([$1], [CXX], [
       _LT_TAGVAR(lt_prog_compiler_static, $1)='-non_shared'
       ;;
 
-    linux* | k*bsd*-gnu | kopensolaris*-gnu)
+    linux* | k*bsd*-gnu | kopensolaris*-gnu | gnu*)
       case $cc_basename in
       # old Intel for x86_64 which still supported -KPIC.
       ecc*)
@@ -6241,9 +6234,6 @@ if test "$_lt_caught_CXX_error" != yes; then
         _LT_TAGVAR(ld_shlibs, $1)=yes
         ;;
 
-      gnu*)
-        ;;
-
       haiku*)
         _LT_TAGVAR(archive_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
         _LT_TAGVAR(link_all_deplibs, $1)=yes
@@ -6405,7 +6395,7 @@ if test "$_lt_caught_CXX_error" != yes; then
         _LT_TAGVAR(inherit_rpath, $1)=yes
         ;;
 
-      linux* | k*bsd*-gnu | kopensolaris*-gnu)
+      linux* | k*bsd*-gnu | kopensolaris*-gnu | gnu*)
         case $cc_basename in
           KCC*)
 	    # Kuck and Associates, Inc. (KAI) C++ Compiler
diff --git a/man/Makefile.in b/man/Makefile.in
index daebe3b90..50b7144a1 100644
--- a/man/Makefile.in
+++ b/man/Makefile.in
@@ -227,6 +227,7 @@ dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
diff --git a/man/ipsec.conf.5 b/man/ipsec.conf.5
index 554a6e8ca..981b53dba 100644
--- a/man/ipsec.conf.5
+++ b/man/ipsec.conf.5
@@ -1,4 +1,4 @@
-.TH IPSEC.CONF 5 "2012-06-26" "5.0.3rc1" "strongSwan"
+.TH IPSEC.CONF 5 "2012-06-26" "5.0.4" "strongSwan"
 .SH NAME
 ipsec.conf \- IPsec configuration and connections
 .SH DESCRIPTION
diff --git a/man/ipsec.secrets.5 b/man/ipsec.secrets.5
index 0948e5cc9..9b3d19190 100644
--- a/man/ipsec.secrets.5
+++ b/man/ipsec.secrets.5
@@ -1,4 +1,4 @@
-.TH IPSEC.SECRETS 5 "2011-12-14" "5.0.3rc1" "strongSwan"
+.TH IPSEC.SECRETS 5 "2011-12-14" "5.0.4" "strongSwan"
 .SH NAME
 ipsec.secrets \- secrets for IKE/IPsec authentication
 .SH DESCRIPTION
diff --git a/man/strongswan.conf.5 b/man/strongswan.conf.5
index 34dfde735..3c820dbf9 100644
--- a/man/strongswan.conf.5
+++ b/man/strongswan.conf.5
@@ -1,4 +1,4 @@
-.TH STRONGSWAN.CONF 5 "2013-04-01" "5.0.3" "strongSwan"
+.TH STRONGSWAN.CONF 5 "2013-04-01" "5.0.4" "strongSwan"
 .SH NAME
 strongswan.conf \- strongSwan configuration file
 .SH DESCRIPTION
@@ -203,6 +203,9 @@ IKE_SA_INIT DROPPING).
 Limit new connections based on the number of jobs currently queued for
 processing (see IKE_SA_INIT DROPPING).
 .TP
+.BR charon.initiator_only " [no]"
+Causes charon daemon to ignore IKE initiation requests.
+.TP
 .BR charon.install_routes " [yes]"
 Install routes into a separate routing table for established IPsec tunnels
 .TP
@@ -777,6 +780,9 @@ Use faster random numbers in gcrypt; for testing only, produces weak keys!
 .BR libstrongswan.plugins.openssl.engine_id " [pkcs11]"
 ENGINE ID to use in the OpenSSL plugin
 .TP
+.BR libstrongswan.plugins.openssl.fips_mode " [0]"
+Set OpenSSL FIPS mode: disabled(0), enabled(1), Suite B enabled(2)
+.TP
 .BR libstrongswan.plugins.pkcs11.modules
 List of available PKCS#11 modules
 .TP
diff --git a/man/strongswan.conf.5.in b/man/strongswan.conf.5.in
index d483addbd..44fe330e8 100644
--- a/man/strongswan.conf.5.in
+++ b/man/strongswan.conf.5.in
@@ -203,6 +203,9 @@ IKE_SA_INIT DROPPING).
 Limit new connections based on the number of jobs currently queued for
 processing (see IKE_SA_INIT DROPPING).
 .TP
+.BR charon.initiator_only " [no]"
+Causes charon daemon to ignore IKE initiation requests.
+.TP
 .BR charon.install_routes " [yes]"
 Install routes into a separate routing table for established IPsec tunnels
 .TP
@@ -777,6 +780,9 @@ Use faster random numbers in gcrypt; for testing only, produces weak keys!
 .BR libstrongswan.plugins.openssl.engine_id " [pkcs11]"
 ENGINE ID to use in the OpenSSL plugin
 .TP
+.BR libstrongswan.plugins.openssl.fips_mode " [0]"
+Set OpenSSL FIPS mode: disabled(0), enabled(1), Suite B enabled(2)
+.TP
 .BR libstrongswan.plugins.pkcs11.modules
 List of available PKCS#11 modules
 .TP
diff --git a/scripts/Makefile.in b/scripts/Makefile.in
index 1aa9c2e60..390c820aa 100644
--- a/scripts/Makefile.in
+++ b/scripts/Makefile.in
@@ -283,6 +283,7 @@ dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
diff --git a/scripts/dnssec.c b/scripts/dnssec.c
index 89ea56ea6..315a14618 100644
--- a/scripts/dnssec.c
+++ b/scripts/dnssec.c
@@ -16,25 +16,47 @@
 #include <stdio.h>
 
 #include <library.h>
+#include <utils/debug.h>
+
+/**
+ * Define debug level
+ */
+static level_t dbg_level = 1;
+
+static void dbg_dnssec(debug_t group, level_t level, char *fmt, ...)
+{
+	if ((level <= dbg_level) || level <= 1)
+	{
+		va_list args;
+
+		va_start(args, fmt);
+		vfprintf(stderr, fmt, args);
+		fprintf(stderr, "\n");
+		va_end(args);
+	}
+}
 
 int main(int argc, char *argv[])
 {
 	resolver_t *resolver;
 	resolver_response_t *response;
 	enumerator_t *enumerator;
+	chunk_t rdata;
 	rr_set_t *rrset;
 	rr_t *rr;
-	chunk_t chunk;
 
 	library_init(NULL);
 	atexit(library_deinit);
+
+	dbg = dbg_dnssec;
+
 	if (!lib->plugins->load(lib->plugins, NULL, PLUGINS))
 	{
 		return 1;
 	}
 	if (argc != 2)
 	{
-		fprintf(stderr, "usage: %s <name>\n", argv[0]);
+		fprintf(stderr, "usage: dnssec <name>\n");
 		return 1;
 	}
 
@@ -82,9 +104,7 @@ int main(int argc, char *argv[])
 	enumerator = rrset->create_rr_enumerator(rrset);
 	while (enumerator->enumerate(enumerator, &rr))
 	{
-		printf("    name: ");
-		printf(rr->get_name(rr));
-		printf("\n");
+		printf("    name: %s\n", rr->get_name(rr));
 	}
 
 	enumerator = rrset->create_rrsig_enumerator(rrset);
@@ -93,13 +113,10 @@ int main(int argc, char *argv[])
 		printf("  RRSIGs for the RRset:\n");
 		while (enumerator->enumerate(enumerator, &rr))
 		{
-			printf("    name: ");
-			printf(rr->get_name(rr));
-			printf("\n    RDATA: ");
-			chunk = rr->get_rdata(rr);
-			chunk = chunk_to_hex(chunk, NULL, TRUE);
-			printf(chunk.ptr);
-			printf("\n");
+			rdata = rr->get_rdata(rr);
+
+			printf("    name: %s\n", rr->get_name(rr));
+			printf("    RDATA: %#B\n", &rdata);
 		}
 	}
 
diff --git a/src/Makefile.in b/src/Makefile.in
index a40a82cd8..d9227f5f3 100644
--- a/src/Makefile.in
+++ b/src/Makefile.in
@@ -265,6 +265,7 @@ dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
diff --git a/src/_copyright/Makefile.in b/src/_copyright/Makefile.in
index 87f4c4f95..8908c9856 100644
--- a/src/_copyright/Makefile.in
+++ b/src/_copyright/Makefile.in
@@ -218,6 +218,7 @@ dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
diff --git a/src/_updown/Makefile.in b/src/_updown/Makefile.in
index ad03d7d92..312ee3e47 100644
--- a/src/_updown/Makefile.in
+++ b/src/_updown/Makefile.in
@@ -229,6 +229,7 @@ dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
diff --git a/src/_updown_espmark/Makefile.in b/src/_updown_espmark/Makefile.in
index c079690ac..2b959d109 100644
--- a/src/_updown_espmark/Makefile.in
+++ b/src/_updown_espmark/Makefile.in
@@ -229,6 +229,7 @@ dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
diff --git a/src/charon-nm/Makefile.in b/src/charon-nm/Makefile.in
index b5c4e3f45..e26dd5586 100644
--- a/src/charon-nm/Makefile.in
+++ b/src/charon-nm/Makefile.in
@@ -224,6 +224,7 @@ dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
diff --git a/src/charon-tkm/Makefile.in b/src/charon-tkm/Makefile.in
index 74e842115..ebca82f7d 100644
--- a/src/charon-tkm/Makefile.in
+++ b/src/charon-tkm/Makefile.in
@@ -195,6 +195,7 @@ dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
diff --git a/src/charon/Makefile.in b/src/charon/Makefile.in
index a617874b7..941fff697 100644
--- a/src/charon/Makefile.in
+++ b/src/charon/Makefile.in
@@ -222,6 +222,7 @@ dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
diff --git a/src/checksum/Makefile.am b/src/checksum/Makefile.am
index 1405fcd05..9f6945087 100644
--- a/src/checksum/Makefile.am
+++ b/src/checksum/Makefile.am
@@ -18,7 +18,7 @@ INCLUDES = \
 	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon
 AM_CFLAGS = \
-	-DPLUGINDIR=\"${plugindir}\" \
+	-DPLUGINDIR=\"${DESTDIR}${plugindir}\" \
 	-rdynamic
 
 # we keep track of build dependencies in deps and use libs to store the paths
diff --git a/src/checksum/Makefile.in b/src/checksum/Makefile.in
index cdb82f2b1..ac2787473 100644
--- a/src/checksum/Makefile.in
+++ b/src/checksum/Makefile.in
@@ -285,6 +285,7 @@ dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
@@ -373,8 +374,8 @@ INCLUDES = \
 	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon
 
-AM_CFLAGS = -DPLUGINDIR=\"${plugindir}\" -rdynamic $(am__append_1) \
-	$(am__append_4) $(am__append_22)
+AM_CFLAGS = -DPLUGINDIR=\"${DESTDIR}${plugindir}\" -rdynamic \
+	$(am__append_1) $(am__append_4) $(am__append_22)
 
 # we keep track of build dependencies in deps and use libs to store the paths
 # to the installed libraries. for executables we use the built files directly
diff --git a/src/conftest/Makefile.in b/src/conftest/Makefile.in
index 978402e65..11b20e3a3 100644
--- a/src/conftest/Makefile.in
+++ b/src/conftest/Makefile.in
@@ -233,6 +233,7 @@ dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
diff --git a/src/dumm/Makefile.in b/src/dumm/Makefile.in
index e8f5cf9af..86b0822a7 100644
--- a/src/dumm/Makefile.in
+++ b/src/dumm/Makefile.in
@@ -257,6 +257,7 @@ dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
diff --git a/src/include/Makefile.in b/src/include/Makefile.in
index f2b94cf0c..b52639bb8 100644
--- a/src/include/Makefile.in
+++ b/src/include/Makefile.in
@@ -195,6 +195,7 @@ dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
diff --git a/src/ipsec/Makefile.in b/src/ipsec/Makefile.in
index 6849592e8..fe65cc484 100644
--- a/src/ipsec/Makefile.in
+++ b/src/ipsec/Makefile.in
@@ -229,6 +229,7 @@ dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
diff --git a/src/ipsec/_ipsec.8 b/src/ipsec/_ipsec.8
index ad2997471..0dbaf937b 100644
--- a/src/ipsec/_ipsec.8
+++ b/src/ipsec/_ipsec.8
@@ -1,4 +1,4 @@
-.TH IPSEC 8 "2012-06-19" "5.0.3rc1" "strongSwan"
+.TH IPSEC 8 "2012-06-19" "5.0.4" "strongSwan"
 .SH NAME
 ipsec \- invoke IPsec utilities
 .SH SYNOPSIS
diff --git a/src/libcharon/Makefile.in b/src/libcharon/Makefile.in
index e772528d1..f55db9379 100644
--- a/src/libcharon/Makefile.in
+++ b/src/libcharon/Makefile.in
@@ -698,6 +698,7 @@ dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
diff --git a/src/libcharon/bus/bus.c b/src/libcharon/bus/bus.c
index b5cdaaa89..0db5a8a9c 100644
--- a/src/libcharon/bus/bus.c
+++ b/src/libcharon/bus/bus.c
@@ -759,6 +759,33 @@ METHOD(bus_t, narrow, void,
 	this->mutex->unlock(this->mutex);
 }
 
+METHOD(bus_t, assign_vips, void,
+	private_bus_t *this, ike_sa_t *ike_sa, bool assign)
+{
+	enumerator_t *enumerator;
+	entry_t *entry;
+	bool keep;
+
+	this->mutex->lock(this->mutex);
+	enumerator = this->listeners->create_enumerator(this->listeners);
+	while (enumerator->enumerate(enumerator, &entry))
+	{
+		if (entry->calling || !entry->listener->assign_vips)
+		{
+			continue;
+		}
+		entry->calling++;
+		keep = entry->listener->assign_vips(entry->listener, ike_sa, assign);
+		entry->calling--;
+		if (!keep)
+		{
+			unregister_listener(this, entry, enumerator);
+		}
+	}
+	enumerator->destroy(enumerator);
+	this->mutex->unlock(this->mutex);
+}
+
 METHOD(bus_t, destroy, void,
 	private_bus_t *this)
 {
@@ -807,6 +834,7 @@ bus_t *bus_create()
 			.child_rekey = _child_rekey,
 			.authorize = _authorize,
 			.narrow = _narrow,
+			.assign_vips = _assign_vips,
 			.destroy = _destroy,
 		},
 		.listeners = linked_list_create(),
diff --git a/src/libcharon/bus/bus.h b/src/libcharon/bus/bus.h
index 18d57bce1..75244d6bf 100644
--- a/src/libcharon/bus/bus.h
+++ b/src/libcharon/bus/bus.h
@@ -385,6 +385,14 @@ struct bus_t {
 	 */
 	void (*child_rekey)(bus_t *this, child_sa_t *old, child_sa_t *new);
 
+	/**
+	 * Virtual IP assignment hook.
+	 *
+	 * @param ike_sa	IKE_SA the VIPs are assigned to
+	 * @param assign	TRUE if assigned to IKE_SA, FALSE if released
+	 */
+	void (*assign_vips)(bus_t *this, ike_sa_t *ike_sa, bool assign);
+
 	/**
 	 * Destroy the event bus.
 	 */
diff --git a/src/libcharon/bus/listeners/listener.h b/src/libcharon/bus/listeners/listener.h
index 782289302..ef4daced2 100644
--- a/src/libcharon/bus/listeners/listener.h
+++ b/src/libcharon/bus/listeners/listener.h
@@ -190,6 +190,19 @@ struct listener_t {
 	 */
 	bool (*narrow)(listener_t *this, ike_sa_t *ike_sa, child_sa_t *child_sa,
 				narrow_hook_t type, linked_list_t *local, linked_list_t *remote);
+
+	/**
+	 * Virtual IP address assignment hook
+	 *
+	 * This hook gets invoked when a a Virtual IP address is assigned to an
+	 * IKE_SA (assign = TRUE) and again when it is released (assign = FALSE)
+	 *
+	 * @param ike_sa	IKE_SA the VIPs are assigned to
+	 * @param assign	TRUE if assigned to IKE_SA, FALSE if released
+	 * @return			TRUE to stay registered, FALSE to unregister
+	 */
+	bool (*assign_vips)(listener_t *this, ike_sa_t *ike_sa, bool assign);
+
 };
 
 #endif /** LISTENER_H_ @}*/
diff --git a/src/libcharon/network/receiver.c b/src/libcharon/network/receiver.c
index 6b2c2bf5b..2ca721a85 100644
--- a/src/libcharon/network/receiver.c
+++ b/src/libcharon/network/receiver.c
@@ -148,6 +148,12 @@ struct private_receiver_t {
 	 * Delay response messages?
 	 */
 	bool receive_delay_response;
+
+	/**
+	 * Endpoint is allowed to act as an initiator only
+	 */
+	bool initiator_only;
+
 };
 
 /**
@@ -541,7 +547,7 @@ static job_requeue_t receive_packets(private_receiver_t *this)
 	if (message->get_request(message) &&
 		message->get_exchange_type(message) == IKE_SA_INIT)
 	{
-		if (drop_ike_sa_init(this, message))
+		if (this->initiator_only || drop_ike_sa_init(this, message))
 		{
 			message->destroy(message);
 			return JOB_REQUEUE_DIRECT;
@@ -552,7 +558,7 @@ static job_requeue_t receive_packets(private_receiver_t *this)
 	{
 		id = message->get_ike_sa_id(message);
 		if (id->get_responder_spi(id) == 0 &&
-			drop_ike_sa_init(this, message))
+		   (this->initiator_only || drop_ike_sa_init(this, message)))
 		{
 			message->destroy(message);
 			return JOB_REQUEUE_DIRECT;
@@ -650,6 +656,8 @@ receiver_t *receiver_create()
 				"%s.receive_delay_request", TRUE, charon->name),
 	this->receive_delay_response = lib->settings->get_bool(lib->settings,
 				"%s.receive_delay_response", TRUE, charon->name),
+	this->initiator_only = lib->settings->get_bool(lib->settings,
+				"%s.initiator_only", FALSE, charon->name),
 
 	this->hasher = lib->crypto->create_hasher(lib->crypto, HASH_PREFERRED);
 	if (!this->hasher)
diff --git a/src/libcharon/plugins/addrblock/Makefile.in b/src/libcharon/plugins/addrblock/Makefile.in
index 52cd6186e..7b2b19bcc 100644
--- a/src/libcharon/plugins/addrblock/Makefile.in
+++ b/src/libcharon/plugins/addrblock/Makefile.in
@@ -252,6 +252,7 @@ dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
diff --git a/src/libcharon/plugins/android_dns/Makefile.in b/src/libcharon/plugins/android_dns/Makefile.in
index 4a76714d2..41f42ffec 100644
--- a/src/libcharon/plugins/android_dns/Makefile.in
+++ b/src/libcharon/plugins/android_dns/Makefile.in
@@ -252,6 +252,7 @@ dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
diff --git a/src/libcharon/plugins/android_log/Makefile.in b/src/libcharon/plugins/android_log/Makefile.in
index 73459ac92..698935436 100644
--- a/src/libcharon/plugins/android_log/Makefile.in
+++ b/src/libcharon/plugins/android_log/Makefile.in
@@ -252,6 +252,7 @@ dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
diff --git a/src/libcharon/plugins/certexpire/Makefile.in b/src/libcharon/plugins/certexpire/Makefile.in
index 6868c52a1..72e2ad601 100644
--- a/src/libcharon/plugins/certexpire/Makefile.in
+++ b/src/libcharon/plugins/certexpire/Makefile.in
@@ -252,6 +252,7 @@ dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
diff --git a/src/libcharon/plugins/coupling/Makefile.in b/src/libcharon/plugins/coupling/Makefile.in
index e191dc6c7..886624123 100644
--- a/src/libcharon/plugins/coupling/Makefile.in
+++ b/src/libcharon/plugins/coupling/Makefile.in
@@ -252,6 +252,7 @@ dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
diff --git a/src/libcharon/plugins/dhcp/Makefile.in b/src/libcharon/plugins/dhcp/Makefile.in
index 717180379..504aa5f93 100644
--- a/src/libcharon/plugins/dhcp/Makefile.in
+++ b/src/libcharon/plugins/dhcp/Makefile.in
@@ -249,6 +249,7 @@ dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
diff --git a/src/libcharon/plugins/duplicheck/Makefile.in b/src/libcharon/plugins/duplicheck/Makefile.in
index d1b5dfbe6..f4efc5f6e 100644
--- a/src/libcharon/plugins/duplicheck/Makefile.in
+++ b/src/libcharon/plugins/duplicheck/Makefile.in
@@ -259,6 +259,7 @@ dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
diff --git a/src/libcharon/plugins/eap_aka/Makefile.in b/src/libcharon/plugins/eap_aka/Makefile.in
index 4d162b4eb..99ec32471 100644
--- a/src/libcharon/plugins/eap_aka/Makefile.in
+++ b/src/libcharon/plugins/eap_aka/Makefile.in
@@ -252,6 +252,7 @@ dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
diff --git a/src/libcharon/plugins/eap_aka_3gpp2/Makefile.in b/src/libcharon/plugins/eap_aka_3gpp2/Makefile.in
index 947b58f01..0ddc9915b 100644
--- a/src/libcharon/plugins/eap_aka_3gpp2/Makefile.in
+++ b/src/libcharon/plugins/eap_aka_3gpp2/Makefile.in
@@ -254,6 +254,7 @@ dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
diff --git a/src/libcharon/plugins/eap_dynamic/Makefile.in b/src/libcharon/plugins/eap_dynamic/Makefile.in
index 1789b28e9..0579c4989 100644
--- a/src/libcharon/plugins/eap_dynamic/Makefile.in
+++ b/src/libcharon/plugins/eap_dynamic/Makefile.in
@@ -252,6 +252,7 @@ dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
diff --git a/src/libcharon/plugins/eap_gtc/Makefile.in b/src/libcharon/plugins/eap_gtc/Makefile.in
index 5241a5c7d..95837fc3a 100644
--- a/src/libcharon/plugins/eap_gtc/Makefile.in
+++ b/src/libcharon/plugins/eap_gtc/Makefile.in
@@ -250,6 +250,7 @@ dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
diff --git a/src/libcharon/plugins/eap_identity/Makefile.in b/src/libcharon/plugins/eap_identity/Makefile.in
index e8d2e2b64..3eb99bb89 100644
--- a/src/libcharon/plugins/eap_identity/Makefile.in
+++ b/src/libcharon/plugins/eap_identity/Makefile.in
@@ -252,6 +252,7 @@ dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
diff --git a/src/libcharon/plugins/eap_md5/Makefile.in b/src/libcharon/plugins/eap_md5/Makefile.in
index 1a31f27f1..6dd09c55d 100644
--- a/src/libcharon/plugins/eap_md5/Makefile.in
+++ b/src/libcharon/plugins/eap_md5/Makefile.in
@@ -250,6 +250,7 @@ dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
diff --git a/src/libcharon/plugins/eap_mschapv2/Makefile.in b/src/libcharon/plugins/eap_mschapv2/Makefile.in
index 930f87013..97e03fde9 100644
--- a/src/libcharon/plugins/eap_mschapv2/Makefile.in
+++ b/src/libcharon/plugins/eap_mschapv2/Makefile.in
@@ -252,6 +252,7 @@ dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
diff --git a/src/libcharon/plugins/eap_peap/Makefile.in b/src/libcharon/plugins/eap_peap/Makefile.in
index c0411cb1e..ae8a289bf 100644
--- a/src/libcharon/plugins/eap_peap/Makefile.in
+++ b/src/libcharon/plugins/eap_peap/Makefile.in
@@ -253,6 +253,7 @@ dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
diff --git a/src/libcharon/plugins/eap_radius/Makefile.in b/src/libcharon/plugins/eap_radius/Makefile.in
index a686dde90..aa2cf3da5 100644
--- a/src/libcharon/plugins/eap_radius/Makefile.in
+++ b/src/libcharon/plugins/eap_radius/Makefile.in
@@ -254,6 +254,7 @@ dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
diff --git a/src/libcharon/plugins/eap_radius/eap_radius.c b/src/libcharon/plugins/eap_radius/eap_radius.c
index 59340df01..c9e1cdaad 100644
--- a/src/libcharon/plugins/eap_radius/eap_radius.c
+++ b/src/libcharon/plugins/eap_radius/eap_radius.c
@@ -85,6 +85,11 @@ struct private_eap_radius_t {
 	 * Handle the Filter-Id attribute as IPsec CHILD_SA name?
 	 */
 	bool filter_id;
+
+	/**
+	 * Format string we use for Called/Calling-Station-Id for a host
+	 */
+	char *station_id_fmt;
 };
 
 /**
@@ -200,10 +205,10 @@ static void add_radius_request_attrs(private_eap_radius_t *this,
 			default:
 				break;
 		}
-		snprintf(buf, sizeof(buf), "%#H", host);
+		snprintf(buf, sizeof(buf), this->station_id_fmt, host);
 		request->add(request, RAT_CALLED_STATION_ID, chunk_from_str(buf));
 		host = ike_sa->get_other_host(ike_sa);
-		snprintf(buf, sizeof(buf), "%#H", host);
+		snprintf(buf, sizeof(buf), this->station_id_fmt, host);
 		request->add(request, RAT_CALLING_STATION_ID, chunk_from_str(buf));
 	}
 
@@ -591,6 +596,15 @@ eap_radius_t *eap_radius_create(identification_t *server, identification_t *peer
 									"%s.plugins.eap-radius.filter_id", FALSE,
 									charon->name),
 	);
+	if (lib->settings->get_bool(lib->settings,
+			"%s.plugins.eap-radius.station_id_with_port", TRUE, charon->name))
+	{
+		this->station_id_fmt = "%#H";
+	}
+	else
+	{
+		this->station_id_fmt = "%H";
+	}
 	this->client = eap_radius_create_client();
 	if (!this->client)
 	{
diff --git a/src/libcharon/plugins/eap_radius/eap_radius_accounting.c b/src/libcharon/plugins/eap_radius/eap_radius_accounting.c
index ec78c8ef2..e9843470a 100644
--- a/src/libcharon/plugins/eap_radius/eap_radius_accounting.c
+++ b/src/libcharon/plugins/eap_radius/eap_radius_accounting.c
@@ -51,6 +51,11 @@ struct private_eap_radius_accounting_t {
 	 * Session ID prefix
 	 */
 	u_int32_t prefix;
+
+	/**
+	 * Format string we use for Called/Calling-Station-Id for a host
+	 */
+	char *station_id_fmt;
 };
 
 /**
@@ -195,7 +200,8 @@ static bool send_message(private_eap_radius_accounting_t *this,
 /**
  * Add common IKE_SA parameters to RADIUS account message
  */
-static void add_ike_sa_parameters(radius_message_t *message, ike_sa_t *ike_sa)
+static void add_ike_sa_parameters(private_eap_radius_accounting_t *this,
+								  radius_message_t *message, ike_sa_t *ike_sa)
 {
 	enumerator_t *enumerator;
 	host_t *vip, *host;
@@ -227,10 +233,10 @@ static void add_ike_sa_parameters(radius_message_t *message, ike_sa_t *ike_sa)
 		default:
 			break;
 	}
-	snprintf(buf, sizeof(buf), "%#H", host);
+	snprintf(buf, sizeof(buf), this->station_id_fmt, host);
 	message->add(message, RAT_CALLED_STATION_ID, chunk_from_str(buf));
 	host = ike_sa->get_other_host(ike_sa);
-	snprintf(buf, sizeof(buf), "%#H", host);
+	snprintf(buf, sizeof(buf), this->station_id_fmt, host);
 	message->add(message, RAT_CALLING_STATION_ID, chunk_from_str(buf));
 
 	snprintf(buf, sizeof(buf), "%Y", ike_sa->get_other_eap_id(ike_sa));
@@ -364,7 +370,7 @@ static job_requeue_t send_interim(interim_data_t *data)
 		message->add(message, RAT_ACCT_STATUS_TYPE, chunk_from_thing(value));
 		message->add(message, RAT_ACCT_SESSION_ID,
 					 chunk_create(entry->sid, strlen(entry->sid)));
-		add_ike_sa_parameters(message, ike_sa);
+		add_ike_sa_parameters(this, message, ike_sa);
 
 		value = htonl(bytes_out);
 		message->add(message, RAT_ACCT_OUTPUT_OCTETS, chunk_from_thing(value));
@@ -454,7 +460,7 @@ static void send_start(private_eap_radius_accounting_t *this, ike_sa_t *ike_sa)
 	schedule_interim(this, entry);
 	this->mutex->unlock(this->mutex);
 
-	add_ike_sa_parameters(message, ike_sa);
+	add_ike_sa_parameters(this, message, ike_sa);
 	if (!send_message(this, message))
 	{
 		eap_radius_handle_timeout(ike_sa->get_id(ike_sa));
@@ -486,7 +492,7 @@ static void send_stop(private_eap_radius_accounting_t *this, ike_sa_t *ike_sa)
 		message->add(message, RAT_ACCT_STATUS_TYPE, chunk_from_thing(value));
 		message->add(message, RAT_ACCT_SESSION_ID,
 					 chunk_create(entry->sid, strlen(entry->sid)));
-		add_ike_sa_parameters(message, ike_sa);
+		add_ike_sa_parameters(this, message, ike_sa);
 
 		value = htonl(entry->bytes.sent);
 		message->add(message, RAT_ACCT_OUTPUT_OCTETS, chunk_from_thing(value));
@@ -679,7 +685,15 @@ eap_radius_accounting_t *eap_radius_accounting_create()
 									 (hashtable_equals_t)equals, 32),
 		.mutex = mutex_create(MUTEX_TYPE_DEFAULT),
 	);
-
+	if (lib->settings->get_bool(lib->settings,
+			"%s.plugins.eap-radius.station_id_with_port", TRUE, charon->name))
+	{
+		this->station_id_fmt = "%#H";
+	}
+	else
+	{
+		this->station_id_fmt = "%H";
+	}
 	if (lib->settings->get_bool(lib->settings,
 					"%s.plugins.eap-radius.accounting", FALSE, charon->name))
 	{
diff --git a/src/libcharon/plugins/eap_radius/eap_radius_plugin.c b/src/libcharon/plugins/eap_radius/eap_radius_plugin.c
index 3baf46731..e186cb0fe 100644
--- a/src/libcharon/plugins/eap_radius/eap_radius_plugin.c
+++ b/src/libcharon/plugins/eap_radius/eap_radius_plugin.c
@@ -105,7 +105,7 @@ static void load_configs(private_eap_radius_plugin_t *this)
 					"%s.plugins.eap-radius.secret", NULL, charon->name);
 		if (!secret)
 		{
-			DBG1(DBG_CFG, "no RADUIS secret defined");
+			DBG1(DBG_CFG, "no RADIUS secret defined");
 			return;
 		}
 		nas_identifier = lib->settings->get_str(lib->settings,
diff --git a/src/libcharon/plugins/eap_sim/Makefile.in b/src/libcharon/plugins/eap_sim/Makefile.in
index e4657bb64..9c183bc29 100644
--- a/src/libcharon/plugins/eap_sim/Makefile.in
+++ b/src/libcharon/plugins/eap_sim/Makefile.in
@@ -252,6 +252,7 @@ dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
diff --git a/src/libcharon/plugins/eap_sim_file/Makefile.in b/src/libcharon/plugins/eap_sim_file/Makefile.in
index 5816de4ef..f0eaf8766 100644
--- a/src/libcharon/plugins/eap_sim_file/Makefile.in
+++ b/src/libcharon/plugins/eap_sim_file/Makefile.in
@@ -254,6 +254,7 @@ dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
diff --git a/src/libcharon/plugins/eap_sim_pcsc/Makefile.in b/src/libcharon/plugins/eap_sim_pcsc/Makefile.in
index 2876af72f..18cce4e2c 100644
--- a/src/libcharon/plugins/eap_sim_pcsc/Makefile.in
+++ b/src/libcharon/plugins/eap_sim_pcsc/Makefile.in
@@ -255,6 +255,7 @@ dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
diff --git a/src/libcharon/plugins/eap_simaka_pseudonym/Makefile.in b/src/libcharon/plugins/eap_simaka_pseudonym/Makefile.in
index 6f2467fad..bc0c77f43 100644
--- a/src/libcharon/plugins/eap_simaka_pseudonym/Makefile.in
+++ b/src/libcharon/plugins/eap_simaka_pseudonym/Makefile.in
@@ -255,6 +255,7 @@ dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
diff --git a/src/libcharon/plugins/eap_simaka_reauth/Makefile.in b/src/libcharon/plugins/eap_simaka_reauth/Makefile.in
index 366c554d7..b01e4b973 100644
--- a/src/libcharon/plugins/eap_simaka_reauth/Makefile.in
+++ b/src/libcharon/plugins/eap_simaka_reauth/Makefile.in
@@ -254,6 +254,7 @@ dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
diff --git a/src/libcharon/plugins/eap_simaka_sql/Makefile.in b/src/libcharon/plugins/eap_simaka_sql/Makefile.in
index 0b63da04e..1937428ec 100644
--- a/src/libcharon/plugins/eap_simaka_sql/Makefile.in
+++ b/src/libcharon/plugins/eap_simaka_sql/Makefile.in
@@ -253,6 +253,7 @@ dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
diff --git a/src/libcharon/plugins/eap_tls/Makefile.in b/src/libcharon/plugins/eap_tls/Makefile.in
index bc7157e6b..5c2a94ae0 100644
--- a/src/libcharon/plugins/eap_tls/Makefile.in
+++ b/src/libcharon/plugins/eap_tls/Makefile.in
@@ -251,6 +251,7 @@ dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
diff --git a/src/libcharon/plugins/eap_tnc/Makefile.in b/src/libcharon/plugins/eap_tnc/Makefile.in
index 30a858102..a687e8b3d 100644
--- a/src/libcharon/plugins/eap_tnc/Makefile.in
+++ b/src/libcharon/plugins/eap_tnc/Makefile.in
@@ -252,6 +252,7 @@ dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
diff --git a/src/libcharon/plugins/eap_ttls/Makefile.in b/src/libcharon/plugins/eap_ttls/Makefile.in
index df5bc442e..2a4fd35fe 100644
--- a/src/libcharon/plugins/eap_ttls/Makefile.in
+++ b/src/libcharon/plugins/eap_ttls/Makefile.in
@@ -254,6 +254,7 @@ dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
diff --git a/src/libcharon/plugins/error_notify/Makefile.in b/src/libcharon/plugins/error_notify/Makefile.in
index ba7ec3ecf..b06fdf430 100644
--- a/src/libcharon/plugins/error_notify/Makefile.in
+++ b/src/libcharon/plugins/error_notify/Makefile.in
@@ -260,6 +260,7 @@ dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
diff --git a/src/libcharon/plugins/farp/Makefile.in b/src/libcharon/plugins/farp/Makefile.in
index 2596f9f20..5dbc49939 100644
--- a/src/libcharon/plugins/farp/Makefile.in
+++ b/src/libcharon/plugins/farp/Makefile.in
@@ -249,6 +249,7 @@ dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
diff --git a/src/libcharon/plugins/ha/Makefile.in b/src/libcharon/plugins/ha/Makefile.in
index 466cce320..ae99e143f 100644
--- a/src/libcharon/plugins/ha/Makefile.in
+++ b/src/libcharon/plugins/ha/Makefile.in
@@ -251,6 +251,7 @@ dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
diff --git a/src/libcharon/plugins/ipseckey/Makefile.in b/src/libcharon/plugins/ipseckey/Makefile.in
index fd50854fc..f204b7236 100644
--- a/src/libcharon/plugins/ipseckey/Makefile.in
+++ b/src/libcharon/plugins/ipseckey/Makefile.in
@@ -252,6 +252,7 @@ dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
diff --git a/src/libcharon/plugins/led/Makefile.in b/src/libcharon/plugins/led/Makefile.in
index f10dbb96f..5296fc0f2 100644
--- a/src/libcharon/plugins/led/Makefile.in
+++ b/src/libcharon/plugins/led/Makefile.in
@@ -248,6 +248,7 @@ dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
diff --git a/src/libcharon/plugins/load_tester/Makefile.in b/src/libcharon/plugins/load_tester/Makefile.in
index e382b266c..189116bb5 100644
--- a/src/libcharon/plugins/load_tester/Makefile.in
+++ b/src/libcharon/plugins/load_tester/Makefile.in
@@ -262,6 +262,7 @@ dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
diff --git a/src/libcharon/plugins/lookip/Makefile.in b/src/libcharon/plugins/lookip/Makefile.in
index 3b7d3247c..24eb31feb 100644
--- a/src/libcharon/plugins/lookip/Makefile.in
+++ b/src/libcharon/plugins/lookip/Makefile.in
@@ -257,6 +257,7 @@ dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
diff --git a/src/libcharon/plugins/maemo/Makefile.in b/src/libcharon/plugins/maemo/Makefile.in
index 2e511a0a8..c907e9e2d 100644
--- a/src/libcharon/plugins/maemo/Makefile.in
+++ b/src/libcharon/plugins/maemo/Makefile.in
@@ -253,6 +253,7 @@ dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
diff --git a/src/libcharon/plugins/medcli/Makefile.in b/src/libcharon/plugins/medcli/Makefile.in
index af003c463..283b0401f 100644
--- a/src/libcharon/plugins/medcli/Makefile.in
+++ b/src/libcharon/plugins/medcli/Makefile.in
@@ -251,6 +251,7 @@ dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
diff --git a/src/libcharon/plugins/medsrv/Makefile.in b/src/libcharon/plugins/medsrv/Makefile.in
index f679b11f1..770cd8ce0 100644
--- a/src/libcharon/plugins/medsrv/Makefile.in
+++ b/src/libcharon/plugins/medsrv/Makefile.in
@@ -251,6 +251,7 @@ dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
diff --git a/src/libcharon/plugins/radattr/Makefile.in b/src/libcharon/plugins/radattr/Makefile.in
index 84faa1db6..e3b359174 100644
--- a/src/libcharon/plugins/radattr/Makefile.in
+++ b/src/libcharon/plugins/radattr/Makefile.in
@@ -252,6 +252,7 @@ dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
diff --git a/src/libcharon/plugins/smp/Makefile.in b/src/libcharon/plugins/smp/Makefile.in
index 72f7deead..0edca4959 100644
--- a/src/libcharon/plugins/smp/Makefile.in
+++ b/src/libcharon/plugins/smp/Makefile.in
@@ -249,6 +249,7 @@ dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
diff --git a/src/libcharon/plugins/socket_default/Makefile.in b/src/libcharon/plugins/socket_default/Makefile.in
index e73d2003a..2e04d6627 100644
--- a/src/libcharon/plugins/socket_default/Makefile.in
+++ b/src/libcharon/plugins/socket_default/Makefile.in
@@ -252,6 +252,7 @@ dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
diff --git a/src/libcharon/plugins/socket_dynamic/Makefile.in b/src/libcharon/plugins/socket_dynamic/Makefile.in
index 855c307a8..a12e4a893 100644
--- a/src/libcharon/plugins/socket_dynamic/Makefile.in
+++ b/src/libcharon/plugins/socket_dynamic/Makefile.in
@@ -252,6 +252,7 @@ dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
diff --git a/src/libcharon/plugins/sql/Makefile.in b/src/libcharon/plugins/sql/Makefile.in
index 95fe34802..96f83b4d1 100644
--- a/src/libcharon/plugins/sql/Makefile.in
+++ b/src/libcharon/plugins/sql/Makefile.in
@@ -249,6 +249,7 @@ dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
diff --git a/src/libcharon/plugins/stroke/Makefile.in b/src/libcharon/plugins/stroke/Makefile.in
index 77497e2b9..7d1100c08 100644
--- a/src/libcharon/plugins/stroke/Makefile.in
+++ b/src/libcharon/plugins/stroke/Makefile.in
@@ -253,6 +253,7 @@ dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
diff --git a/src/libcharon/plugins/systime_fix/Makefile.in b/src/libcharon/plugins/systime_fix/Makefile.in
index 56dc0b366..ab4d1b9ad 100644
--- a/src/libcharon/plugins/systime_fix/Makefile.in
+++ b/src/libcharon/plugins/systime_fix/Makefile.in
@@ -252,6 +252,7 @@ dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
diff --git a/src/libcharon/plugins/tnc_ifmap/Makefile.in b/src/libcharon/plugins/tnc_ifmap/Makefile.in
index 96912c618..ed3775e9d 100644
--- a/src/libcharon/plugins/tnc_ifmap/Makefile.in
+++ b/src/libcharon/plugins/tnc_ifmap/Makefile.in
@@ -255,6 +255,7 @@ dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
diff --git a/src/libcharon/plugins/tnc_ifmap/tnc_ifmap_listener.c b/src/libcharon/plugins/tnc_ifmap/tnc_ifmap_listener.c
index 4b2538e34..4ad19c530 100644
--- a/src/libcharon/plugins/tnc_ifmap/tnc_ifmap_listener.c
+++ b/src/libcharon/plugins/tnc_ifmap/tnc_ifmap_listener.c
@@ -71,8 +71,8 @@ static bool publish_device_ip_addresses(private_tnc_ifmap_listener_t *this)
  */
 static bool reload_metadata(private_tnc_ifmap_listener_t *this)
 {
-	enumerator_t *enumerator;
 	ike_sa_t *ike_sa;
+	enumerator_t *enumerator;
 	bool success = TRUE;
 
 	enumerator = charon->controller->create_ike_sa_enumerator(
@@ -83,7 +83,8 @@ static bool reload_metadata(private_tnc_ifmap_listener_t *this)
 		{
 			continue;
 		}
-		if (!this->ifmap->publish_ike_sa(this->ifmap, ike_sa, TRUE))
+		if (!this->ifmap->publish_ike_sa(this->ifmap, ike_sa, TRUE) ||
+			!this->ifmap->publish_virtual_ips(this->ifmap, ike_sa, TRUE))
 		{
 			success = FALSE;
 			break;
@@ -104,6 +105,13 @@ METHOD(listener_t, ike_updown, bool,
 	return TRUE;
 }
 
+METHOD(listener_t, assign_vips, bool,
+	private_tnc_ifmap_listener_t *this, ike_sa_t *ike_sa, bool assign)
+{
+	this->ifmap->publish_virtual_ips(this->ifmap, ike_sa, assign);
+	return TRUE;
+}
+
 METHOD(listener_t, alert, bool,
 	private_tnc_ifmap_listener_t *this, ike_sa_t *ike_sa, alert_t alert,
 	va_list args)
@@ -144,6 +152,7 @@ tnc_ifmap_listener_t *tnc_ifmap_listener_create(bool reload)
 		.public = {
 			.listener = {
 				.ike_updown = _ike_updown,
+				.assign_vips = _assign_vips,
 				.alert = _alert,
 			},
 			.destroy = _destroy,
diff --git a/src/libcharon/plugins/tnc_ifmap/tnc_ifmap_soap.c b/src/libcharon/plugins/tnc_ifmap/tnc_ifmap_soap.c
index 8d5da5812..df7d2e2a1 100644
--- a/src/libcharon/plugins/tnc_ifmap/tnc_ifmap_soap.c
+++ b/src/libcharon/plugins/tnc_ifmap/tnc_ifmap_soap.c
@@ -579,6 +579,55 @@ METHOD(tnc_ifmap_soap_t, publish_device_ip, bool,
 	return success;
 }
 
+METHOD(tnc_ifmap_soap_t, publish_virtual_ips, bool,
+	private_tnc_ifmap_soap_t *this, ike_sa_t *ike_sa, bool assign)
+{
+	tnc_ifmap_soap_msg_t *soap_msg;
+	xmlNodePtr request, node;
+	u_int32_t ike_sa_id;
+	enumerator_t *enumerator;
+	host_t *vip;
+	bool success;
+
+	/* extract relevant data from IKE_SA*/
+	ike_sa_id = ike_sa->get_unique_id(ike_sa);
+
+	/* build publish request */
+	request = create_publish_request(this);
+
+	enumerator = ike_sa->create_virtual_ip_enumerator(ike_sa, FALSE);
+	while (enumerator->enumerate(enumerator, &vip))
+	{
+		/**
+		 * update or delete access-request-ip metadata for a virtual IP address
+		 */
+		if (assign)
+		{
+			node = xmlNewNode(NULL, "update");
+		}
+		else
+		{
+			node = create_delete_filter(this, "access-request-ip");
+		}
+		xmlAddChild(request, node);
+
+		/* add access-request, virtual ip-address and [if assign] metadata */
+			xmlAddChild(node, create_access_request(this, ike_sa_id));
+			xmlAddChild(node, create_ip_address(this, vip));
+			if (assign)
+		{
+			xmlAddChild(node, create_metadata(this, "access-request-ip"));
+		}
+	}
+	enumerator->destroy(enumerator);
+
+	soap_msg = tnc_ifmap_soap_msg_create(this->uri, this->user_pass, this->tls);
+	success = soap_msg->post(soap_msg, request, "publishReceived", NULL);
+	soap_msg->destroy(soap_msg);
+
+	return success;
+}
+
 METHOD(tnc_ifmap_soap_t, publish_enforcement_report, bool,
 	private_tnc_ifmap_soap_t *this, host_t *host, char *action, char *reason)
 {
@@ -851,6 +900,7 @@ tnc_ifmap_soap_t *tnc_ifmap_soap_create()
 			.purgePublisher = _purgePublisher,
 			.publish_ike_sa = _publish_ike_sa,
 			.publish_device_ip = _publish_device_ip,
+			.publish_virtual_ips = _publish_virtual_ips,
 			.publish_enforcement_report = _publish_enforcement_report,
 			.endSession = _endSession,
 			.get_session_id = _get_session_id,
diff --git a/src/libcharon/plugins/tnc_ifmap/tnc_ifmap_soap.h b/src/libcharon/plugins/tnc_ifmap/tnc_ifmap_soap.h
index 4a0434a54..fbc65a2b1 100644
--- a/src/libcharon/plugins/tnc_ifmap/tnc_ifmap_soap.h
+++ b/src/libcharon/plugins/tnc_ifmap/tnc_ifmap_soap.h
@@ -56,7 +56,7 @@ struct tnc_ifmap_soap_t {
 	/**
 	 * Publish metadata about established/deleted IKE_SAs
 	 *
-	 * @param ike_sa		IKE_SA for which metadate is published
+	 * @param ike_sa		IKE_SA for which metadata is published
 	 * @param up			TRUE if IKE_SEA is up, FALSE if down
 	 * @return				TRUE if command was successful
 	 */
@@ -70,6 +70,16 @@ struct tnc_ifmap_soap_t {
 	 */
 	bool (*publish_device_ip)(tnc_ifmap_soap_t *this, host_t *host);
 
+	/**
+	 * Publish Virtual IP access-request-ip metadata
+	 *
+	 * @param ike_sa		IKE_SA for which Virtual IP metadata is published
+	 * @param assign		TRUE if assigned, FALSE if removed
+	 * @return				TRUE if command was successful
+	 */
+	bool (*publish_virtual_ips)(tnc_ifmap_soap_t *this, ike_sa_t *ike_sa,
+								bool assign);
+
 	/**
 	 * Publish enforcement-report metadata
 	 *
diff --git a/src/libcharon/plugins/tnc_imc/Makefile.in b/src/libcharon/plugins/tnc_imc/Makefile.in
index 4e0a18310..7fb2e563c 100644
--- a/src/libcharon/plugins/tnc_imc/Makefile.in
+++ b/src/libcharon/plugins/tnc_imc/Makefile.in
@@ -253,6 +253,7 @@ dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
diff --git a/src/libcharon/plugins/tnc_imv/Makefile.in b/src/libcharon/plugins/tnc_imv/Makefile.in
index 37964757f..8b175a993 100644
--- a/src/libcharon/plugins/tnc_imv/Makefile.in
+++ b/src/libcharon/plugins/tnc_imv/Makefile.in
@@ -254,6 +254,7 @@ dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
diff --git a/src/libcharon/plugins/tnc_pdp/Makefile.in b/src/libcharon/plugins/tnc_pdp/Makefile.in
index 0db60a288..87e6ed928 100644
--- a/src/libcharon/plugins/tnc_pdp/Makefile.in
+++ b/src/libcharon/plugins/tnc_pdp/Makefile.in
@@ -254,6 +254,7 @@ dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
diff --git a/src/libcharon/plugins/tnc_tnccs/Makefile.in b/src/libcharon/plugins/tnc_tnccs/Makefile.in
index 7ca6df3c8..4179dcaae 100644
--- a/src/libcharon/plugins/tnc_tnccs/Makefile.in
+++ b/src/libcharon/plugins/tnc_tnccs/Makefile.in
@@ -254,6 +254,7 @@ dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
diff --git a/src/libcharon/plugins/tnccs_11/Makefile.in b/src/libcharon/plugins/tnccs_11/Makefile.in
index c74704f2d..19538feb0 100644
--- a/src/libcharon/plugins/tnccs_11/Makefile.in
+++ b/src/libcharon/plugins/tnccs_11/Makefile.in
@@ -260,6 +260,7 @@ dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
diff --git a/src/libcharon/plugins/tnccs_20/Makefile.in b/src/libcharon/plugins/tnccs_20/Makefile.in
index f0cb9fa54..3c9a34a2f 100644
--- a/src/libcharon/plugins/tnccs_20/Makefile.in
+++ b/src/libcharon/plugins/tnccs_20/Makefile.in
@@ -258,6 +258,7 @@ dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
diff --git a/src/libcharon/plugins/tnccs_dynamic/Makefile.in b/src/libcharon/plugins/tnccs_dynamic/Makefile.in
index 5f375516b..820870dd7 100644
--- a/src/libcharon/plugins/tnccs_dynamic/Makefile.in
+++ b/src/libcharon/plugins/tnccs_dynamic/Makefile.in
@@ -254,6 +254,7 @@ dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
diff --git a/src/libcharon/plugins/uci/Makefile.in b/src/libcharon/plugins/uci/Makefile.in
index b8e03e0a8..6c5be9830 100644
--- a/src/libcharon/plugins/uci/Makefile.in
+++ b/src/libcharon/plugins/uci/Makefile.in
@@ -249,6 +249,7 @@ dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
diff --git a/src/libcharon/plugins/unit_tester/Makefile.in b/src/libcharon/plugins/unit_tester/Makefile.in
index 175cece27..8b5b98db5 100644
--- a/src/libcharon/plugins/unit_tester/Makefile.in
+++ b/src/libcharon/plugins/unit_tester/Makefile.in
@@ -255,6 +255,7 @@ dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
diff --git a/src/libcharon/plugins/unity/Makefile.in b/src/libcharon/plugins/unity/Makefile.in
index 4a9a81847..85c5fc97e 100644
--- a/src/libcharon/plugins/unity/Makefile.in
+++ b/src/libcharon/plugins/unity/Makefile.in
@@ -250,6 +250,7 @@ dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
diff --git a/src/libcharon/plugins/unity/unity_handler.c b/src/libcharon/plugins/unity/unity_handler.c
index 9d145b93f..3dec7a3b6 100644
--- a/src/libcharon/plugins/unity/unity_handler.c
+++ b/src/libcharon/plugins/unity/unity_handler.c
@@ -190,8 +190,6 @@ static job_requeue_t add_exclude_async(entry_t *entry)
 		child_cfg->add_traffic_selector(child_cfg, TRUE,
 				traffic_selector_create_from_subnet(host->clone(host),
 													32, 0, 0, 65535));
-		charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa);
-
 		enumerator = ike_sa->create_virtual_ip_enumerator(ike_sa, TRUE);
 		while (enumerator->enumerate(enumerator, &host))
 		{
@@ -200,6 +198,7 @@ static job_requeue_t add_exclude_async(entry_t *entry)
 													32, 0, 0, 65535));
 		}
 		enumerator->destroy(enumerator);
+		charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa);
 
 		charon->shunts->install(charon->shunts, child_cfg);
 		child_cfg->destroy(child_cfg);
diff --git a/src/libcharon/plugins/updown/Makefile.in b/src/libcharon/plugins/updown/Makefile.in
index 25505db0b..f40eab065 100644
--- a/src/libcharon/plugins/updown/Makefile.in
+++ b/src/libcharon/plugins/updown/Makefile.in
@@ -251,6 +251,7 @@ dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
diff --git a/src/libcharon/plugins/whitelist/Makefile.in b/src/libcharon/plugins/whitelist/Makefile.in
index ca3c027ae..7c6f8cd06 100644
--- a/src/libcharon/plugins/whitelist/Makefile.in
+++ b/src/libcharon/plugins/whitelist/Makefile.in
@@ -259,6 +259,7 @@ dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
diff --git a/src/libcharon/plugins/xauth_eap/Makefile.in b/src/libcharon/plugins/xauth_eap/Makefile.in
index 0a74b2926..aecc871f4 100644
--- a/src/libcharon/plugins/xauth_eap/Makefile.in
+++ b/src/libcharon/plugins/xauth_eap/Makefile.in
@@ -252,6 +252,7 @@ dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
diff --git a/src/libcharon/plugins/xauth_generic/Makefile.in b/src/libcharon/plugins/xauth_generic/Makefile.in
index 7348ab8de..a7088a2d0 100644
--- a/src/libcharon/plugins/xauth_generic/Makefile.in
+++ b/src/libcharon/plugins/xauth_generic/Makefile.in
@@ -252,6 +252,7 @@ dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
diff --git a/src/libcharon/plugins/xauth_noauth/Makefile.in b/src/libcharon/plugins/xauth_noauth/Makefile.in
index c8f7a6a33..358875197 100644
--- a/src/libcharon/plugins/xauth_noauth/Makefile.in
+++ b/src/libcharon/plugins/xauth_noauth/Makefile.in
@@ -252,6 +252,7 @@ dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
diff --git a/src/libcharon/plugins/xauth_pam/Makefile.in b/src/libcharon/plugins/xauth_pam/Makefile.in
index 0538a028f..34ebb37b9 100644
--- a/src/libcharon/plugins/xauth_pam/Makefile.in
+++ b/src/libcharon/plugins/xauth_pam/Makefile.in
@@ -252,6 +252,7 @@ dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
diff --git a/src/libcharon/sa/ike_sa.c b/src/libcharon/sa/ike_sa.c
index 8c4dabd81..63c04d9c0 100644
--- a/src/libcharon/sa/ike_sa.c
+++ b/src/libcharon/sa/ike_sa.c
@@ -776,6 +776,10 @@ METHOD(ike_sa_t, clear_virtual_ips, void,
 	linked_list_t *vips = local ? this->my_vips : this->other_vips;
 	host_t *vip;
 
+	if (!local && vips->get_count(vips))
+	{
+		charon->bus->assign_vips(charon->bus, &this->public, FALSE);
+	}
 	while (vips->remove_first(vips, (void**)&vip) == SUCCESS)
 	{
 		if (local)
@@ -2105,6 +2109,10 @@ METHOD(ike_sa_t, destroy, void,
 		vip->destroy(vip);
 	}
 	this->my_vips->destroy(this->my_vips);
+	if (this->other_vips->get_count(this->other_vips))
+	{
+		charon->bus->assign_vips(charon->bus, &this->public, FALSE);
+	}
 	while (this->other_vips->remove_last(this->other_vips,
 										 (void**)&vip) == SUCCESS)
 	{
diff --git a/src/libcharon/sa/ikev2/tasks/ike_config.c b/src/libcharon/sa/ikev2/tasks/ike_config.c
index d637c26fe..17132feee 100644
--- a/src/libcharon/sa/ikev2/tasks/ike_config.c
+++ b/src/libcharon/sa/ikev2/tasks/ike_config.c
@@ -387,6 +387,8 @@ METHOD(task_t, build_r, status_t,
 			pools->destroy(pools);
 			return SUCCESS;
 		}
+		charon->bus->assign_vips(charon->bus, this->ike_sa, TRUE);
+
 		if (pools->get_count(pools) && !this->vips->get_count(this->vips))
 		{
 			DBG1(DBG_IKE, "expected a virtual IP request, sending %N",
diff --git a/src/libfast/Makefile.in b/src/libfast/Makefile.in
index 2733a91b4..cadf76d8f 100644
--- a/src/libfast/Makefile.in
+++ b/src/libfast/Makefile.in
@@ -252,6 +252,7 @@ dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
diff --git a/src/libhydra/Makefile.in b/src/libhydra/Makefile.in
index 4504822ad..395b55aca 100644
--- a/src/libhydra/Makefile.in
+++ b/src/libhydra/Makefile.in
@@ -300,6 +300,7 @@ dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
diff --git a/src/libhydra/plugins/attr/Makefile.in b/src/libhydra/plugins/attr/Makefile.in
index cb2cf1eaf..113a66039 100644
--- a/src/libhydra/plugins/attr/Makefile.in
+++ b/src/libhydra/plugins/attr/Makefile.in
@@ -248,6 +248,7 @@ dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
diff --git a/src/libhydra/plugins/attr_sql/Makefile.in b/src/libhydra/plugins/attr_sql/Makefile.in
index 155db8581..0d7d55790 100644
--- a/src/libhydra/plugins/attr_sql/Makefile.in
+++ b/src/libhydra/plugins/attr_sql/Makefile.in
@@ -261,6 +261,7 @@ dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
diff --git a/src/libhydra/plugins/kernel_klips/Makefile.in b/src/libhydra/plugins/kernel_klips/Makefile.in
index 514bb402a..5bc67de27 100644
--- a/src/libhydra/plugins/kernel_klips/Makefile.in
+++ b/src/libhydra/plugins/kernel_klips/Makefile.in
@@ -252,6 +252,7 @@ dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
diff --git a/src/libhydra/plugins/kernel_netlink/Makefile.in b/src/libhydra/plugins/kernel_netlink/Makefile.in
index b5a327906..9702010bb 100644
--- a/src/libhydra/plugins/kernel_netlink/Makefile.in
+++ b/src/libhydra/plugins/kernel_netlink/Makefile.in
@@ -253,6 +253,7 @@ dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
diff --git a/src/libhydra/plugins/kernel_pfkey/Makefile.in b/src/libhydra/plugins/kernel_pfkey/Makefile.in
index c9d4be0fd..b00f74473 100644
--- a/src/libhydra/plugins/kernel_pfkey/Makefile.in
+++ b/src/libhydra/plugins/kernel_pfkey/Makefile.in
@@ -252,6 +252,7 @@ dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
diff --git a/src/libhydra/plugins/kernel_pfroute/Makefile.in b/src/libhydra/plugins/kernel_pfroute/Makefile.in
index ad3ca468a..a4895df2a 100644
--- a/src/libhydra/plugins/kernel_pfroute/Makefile.in
+++ b/src/libhydra/plugins/kernel_pfroute/Makefile.in
@@ -252,6 +252,7 @@ dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
diff --git a/src/libhydra/plugins/resolve/Makefile.in b/src/libhydra/plugins/resolve/Makefile.in
index 509479c81..1e5ff16b7 100644
--- a/src/libhydra/plugins/resolve/Makefile.in
+++ b/src/libhydra/plugins/resolve/Makefile.in
@@ -251,6 +251,7 @@ dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
diff --git a/src/libimcv/Makefile.in b/src/libimcv/Makefile.in
index d9a27c12d..f560a5230 100644
--- a/src/libimcv/Makefile.in
+++ b/src/libimcv/Makefile.in
@@ -300,6 +300,7 @@ dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
diff --git a/src/libimcv/plugins/imc_os/Makefile.in b/src/libimcv/plugins/imc_os/Makefile.in
index 3f1a5fe32..351e659ad 100644
--- a/src/libimcv/plugins/imc_os/Makefile.in
+++ b/src/libimcv/plugins/imc_os/Makefile.in
@@ -247,6 +247,7 @@ dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
diff --git a/src/libimcv/plugins/imc_scanner/Makefile.in b/src/libimcv/plugins/imc_scanner/Makefile.in
index bd5e97065..7ac9e0812 100644
--- a/src/libimcv/plugins/imc_scanner/Makefile.in
+++ b/src/libimcv/plugins/imc_scanner/Makefile.in
@@ -247,6 +247,7 @@ dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
diff --git a/src/libimcv/plugins/imc_test/Makefile.in b/src/libimcv/plugins/imc_test/Makefile.in
index 9e541e0e9..1a3e64e38 100644
--- a/src/libimcv/plugins/imc_test/Makefile.in
+++ b/src/libimcv/plugins/imc_test/Makefile.in
@@ -247,6 +247,7 @@ dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
diff --git a/src/libimcv/plugins/imv_os/Makefile.in b/src/libimcv/plugins/imv_os/Makefile.in
index b4e2a3a4f..e375f7cbb 100644
--- a/src/libimcv/plugins/imv_os/Makefile.in
+++ b/src/libimcv/plugins/imv_os/Makefile.in
@@ -254,6 +254,7 @@ dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
diff --git a/src/libimcv/plugins/imv_os/imv_os_database.c b/src/libimcv/plugins/imv_os/imv_os_database.c
index dff414497..a7f9f2eed 100644
--- a/src/libimcv/plugins/imv_os/imv_os_database.c
+++ b/src/libimcv/plugins/imv_os/imv_os_database.c
@@ -206,6 +206,7 @@ METHOD(imv_os_database_t, get_device_id, int,
 		e->destroy(e);
 		return id;
 	}
+	e->destroy(e);
 
 	/* register new device ID in database and return primary key */
 	return (this->db->execute(this->db, &id,
diff --git a/src/libimcv/plugins/imv_scanner/Makefile.in b/src/libimcv/plugins/imv_scanner/Makefile.in
index 8a4460bee..cfd4463a2 100644
--- a/src/libimcv/plugins/imv_scanner/Makefile.in
+++ b/src/libimcv/plugins/imv_scanner/Makefile.in
@@ -247,6 +247,7 @@ dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
diff --git a/src/libimcv/plugins/imv_test/Makefile.in b/src/libimcv/plugins/imv_test/Makefile.in
index 946fffc45..4cf92ddf5 100644
--- a/src/libimcv/plugins/imv_test/Makefile.in
+++ b/src/libimcv/plugins/imv_test/Makefile.in
@@ -247,6 +247,7 @@ dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
diff --git a/src/libipsec/Makefile.in b/src/libipsec/Makefile.in
index 7a64713a7..24940df7c 100644
--- a/src/libipsec/Makefile.in
+++ b/src/libipsec/Makefile.in
@@ -284,6 +284,7 @@ dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
diff --git a/src/libpts/Makefile.in b/src/libpts/Makefile.in
index 1420a95dc..f0b89c68f 100644
--- a/src/libpts/Makefile.in
+++ b/src/libpts/Makefile.in
@@ -303,6 +303,7 @@ dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
diff --git a/src/libpts/plugins/imc_attestation/Makefile.in b/src/libpts/plugins/imc_attestation/Makefile.in
index 181dbc272..c30945b79 100644
--- a/src/libpts/plugins/imc_attestation/Makefile.in
+++ b/src/libpts/plugins/imc_attestation/Makefile.in
@@ -250,6 +250,7 @@ dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
diff --git a/src/libpts/plugins/imv_attestation/Makefile.in b/src/libpts/plugins/imv_attestation/Makefile.in
index 2e75807b4..153865d30 100644
--- a/src/libpts/plugins/imv_attestation/Makefile.in
+++ b/src/libpts/plugins/imv_attestation/Makefile.in
@@ -260,6 +260,7 @@ dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
diff --git a/src/libpts/plugins/imv_attestation/attest_db.c b/src/libpts/plugins/imv_attestation/attest_db.c
index 81445acbf..b2116c0ff 100644
--- a/src/libpts/plugins/imv_attestation/attest_db.c
+++ b/src/libpts/plugins/imv_attestation/attest_db.c
@@ -847,6 +847,7 @@ METHOD(attest_db_t, list_devices, void,
 					if (e_ar)
 					{
 						e_ar->enumerate(e_ar, &ar_id_type, &ar_id_value);
+						ar_id_value = chunk_clone(ar_id_value);
 						e_ar->destroy(e_ar);
 					}
 				}
@@ -854,6 +855,7 @@ METHOD(attest_db_t, list_devices, void,
 				{
 					printf(" %.*s", (int)ar_id_value.len, ar_id_value.ptr);
 				}
+				last_ar_id = ar_id;
 			}
 			printf("\n");
 		}
@@ -973,8 +975,8 @@ METHOD(attest_db_t, list_packages, void,
 	enumerator_t *e;
 	char *package, *version;
 	os_package_state_t security;
-	int gid, gid_old = 0, spaces, count = 0;
-	time_t t;
+	int gid, gid_old = 0, spaces, count = 0, t;
+	time_t timestamp;
 
 	if (this->pid)
 	{
@@ -1000,7 +1002,8 @@ METHOD(attest_db_t, list_packages, void,
 						printf(" ");
 					}
 				}
-				printf(" %T (%s)%N\n", &t, this->utc, version,
+				timestamp = t;
+				printf(" %T (%s)%N\n", &timestamp, this->utc, version,
 					 os_package_state_names, security);
 				count++;
 			}
diff --git a/src/libpttls/Makefile.in b/src/libpttls/Makefile.in
index aec424f1a..89e2b5a3f 100644
--- a/src/libpttls/Makefile.in
+++ b/src/libpttls/Makefile.in
@@ -244,6 +244,7 @@ dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
diff --git a/src/libpttls/sasl/sasl_mechanism.h b/src/libpttls/sasl/sasl_mechanism.h
index 1a23a119e..fb1d08097 100644
--- a/src/libpttls/sasl/sasl_mechanism.h
+++ b/src/libpttls/sasl/sasl_mechanism.h
@@ -14,6 +14,9 @@
  */
 
 /**
+ * @defgroup sasl sasl
+ * @ingroup pt_tls
+ *
  * @defgroup sasl_mechanism sasl_mechanism
  * @{ @ingroup sasl
  */
diff --git a/src/libradius/Makefile.in b/src/libradius/Makefile.in
index efccbe905..4dabbbdbc 100644
--- a/src/libradius/Makefile.in
+++ b/src/libradius/Makefile.in
@@ -244,6 +244,7 @@ dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
diff --git a/src/libsimaka/Makefile.in b/src/libsimaka/Makefile.in
index 4ed190cf3..a2ccc28e3 100644
--- a/src/libsimaka/Makefile.in
+++ b/src/libsimaka/Makefile.in
@@ -244,6 +244,7 @@ dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
diff --git a/src/libstrongswan/Makefile.in b/src/libstrongswan/Makefile.in
index 15219c4f3..5435de406 100644
--- a/src/libstrongswan/Makefile.in
+++ b/src/libstrongswan/Makefile.in
@@ -514,6 +514,7 @@ dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
diff --git a/src/libstrongswan/library.c b/src/libstrongswan/library.c
index 819c6808e..4dec61203 100644
--- a/src/libstrongswan/library.c
+++ b/src/libstrongswan/library.c
@@ -150,6 +150,51 @@ static bool equals(char *a, char *b)
 	return streq(a, b);
 }
 
+/**
+ * Write magic to memory, and try to clear it with memwipe()
+ */
+__attribute__((noinline))
+static void do_magic(int magic, int **stack)
+{
+	int buf[32], i;
+
+	/* tell caller where callee stack is (but don't point to buf) */
+	*stack = &i;
+	for (i = 0; i < countof(buf); i++)
+	{
+		buf[i] = magic;
+	}
+	/* passing buf to dbg should make sure the compiler can't optimize out buf.
+	 * we use directly dbg(3), as DBG3() might be stripped with DEBUG_LEVEL. */
+	dbg(DBG_LIB, 3, "memwipe() pre: %b", buf, sizeof(buf));
+	memwipe(buf, sizeof(buf));
+}
+
+/**
+ * Check if memwipe works as expected
+ */
+static bool check_memwipe()
+{
+	int magic = 0xCAFEBABE, *ptr, *deeper, i, stackdir = 1;
+
+	do_magic(magic, &deeper);
+
+	ptr = &magic;
+	if (deeper < ptr)
+	{	/* stack grows down */
+		stackdir = -1;
+	}
+	for (i = 0; i < 128; i++)
+	{
+		ptr = ptr + stackdir;
+		if (*ptr == magic)
+		{
+			return FALSE;
+		}
+	}
+	return TRUE;
+}
+
 /*
  * see header file
  */
@@ -221,6 +266,12 @@ bool library_init(char *settings)
 	this->public.scheduler = scheduler_create();
 	this->public.plugins = plugin_loader_create();
 
+	if (!check_memwipe())
+	{
+		DBG1(DBG_LIB, "memwipe() check failed");
+		return FALSE;
+	}
+
 	if (lib->settings->get_bool(lib->settings,
 								"libstrongswan.integrity_test", FALSE))
 	{
@@ -239,4 +290,3 @@ bool library_init(char *settings)
 
 	return !this->integrity_failed;
 }
-
diff --git a/src/libstrongswan/plugins/aes/Makefile.in b/src/libstrongswan/plugins/aes/Makefile.in
index 6010b9c9c..71e25a6a1 100644
--- a/src/libstrongswan/plugins/aes/Makefile.in
+++ b/src/libstrongswan/plugins/aes/Makefile.in
@@ -248,6 +248,7 @@ dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
diff --git a/src/libstrongswan/plugins/af_alg/Makefile.in b/src/libstrongswan/plugins/af_alg/Makefile.in
index aab2cd847..eff6aec83 100644
--- a/src/libstrongswan/plugins/af_alg/Makefile.in
+++ b/src/libstrongswan/plugins/af_alg/Makefile.in
@@ -252,6 +252,7 @@ dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
diff --git a/src/libstrongswan/plugins/agent/Makefile.in b/src/libstrongswan/plugins/agent/Makefile.in
index e7280adcb..b17a69a76 100644
--- a/src/libstrongswan/plugins/agent/Makefile.in
+++ b/src/libstrongswan/plugins/agent/Makefile.in
@@ -250,6 +250,7 @@ dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
diff --git a/src/libstrongswan/plugins/blowfish/Makefile.in b/src/libstrongswan/plugins/blowfish/Makefile.in
index 2727a55b1..9c0390c96 100644
--- a/src/libstrongswan/plugins/blowfish/Makefile.in
+++ b/src/libstrongswan/plugins/blowfish/Makefile.in
@@ -252,6 +252,7 @@ dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
diff --git a/src/libstrongswan/plugins/ccm/Makefile.in b/src/libstrongswan/plugins/ccm/Makefile.in
index 311f04b87..ee7f386dd 100644
--- a/src/libstrongswan/plugins/ccm/Makefile.in
+++ b/src/libstrongswan/plugins/ccm/Makefile.in
@@ -248,6 +248,7 @@ dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
diff --git a/src/libstrongswan/plugins/cmac/Makefile.in b/src/libstrongswan/plugins/cmac/Makefile.in
index b771d76d9..12131c65c 100644
--- a/src/libstrongswan/plugins/cmac/Makefile.in
+++ b/src/libstrongswan/plugins/cmac/Makefile.in
@@ -248,6 +248,7 @@ dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
diff --git a/src/libstrongswan/plugins/constraints/Makefile.in b/src/libstrongswan/plugins/constraints/Makefile.in
index e01f1397e..72517e9a1 100644
--- a/src/libstrongswan/plugins/constraints/Makefile.in
+++ b/src/libstrongswan/plugins/constraints/Makefile.in
@@ -252,6 +252,7 @@ dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
diff --git a/src/libstrongswan/plugins/ctr/Makefile.in b/src/libstrongswan/plugins/ctr/Makefile.in
index 7d930d7aa..18abf3a38 100644
--- a/src/libstrongswan/plugins/ctr/Makefile.in
+++ b/src/libstrongswan/plugins/ctr/Makefile.in
@@ -248,6 +248,7 @@ dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
diff --git a/src/libstrongswan/plugins/curl/Makefile.in b/src/libstrongswan/plugins/curl/Makefile.in
index ace838923..73f180c29 100644
--- a/src/libstrongswan/plugins/curl/Makefile.in
+++ b/src/libstrongswan/plugins/curl/Makefile.in
@@ -248,6 +248,7 @@ dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
diff --git a/src/libstrongswan/plugins/des/Makefile.in b/src/libstrongswan/plugins/des/Makefile.in
index 8a8e8fe66..22241cccd 100644
--- a/src/libstrongswan/plugins/des/Makefile.in
+++ b/src/libstrongswan/plugins/des/Makefile.in
@@ -248,6 +248,7 @@ dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
diff --git a/src/libstrongswan/plugins/dnskey/Makefile.in b/src/libstrongswan/plugins/dnskey/Makefile.in
index c30dcb530..402143106 100644
--- a/src/libstrongswan/plugins/dnskey/Makefile.in
+++ b/src/libstrongswan/plugins/dnskey/Makefile.in
@@ -251,6 +251,7 @@ dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
diff --git a/src/libstrongswan/plugins/fips_prf/Makefile.in b/src/libstrongswan/plugins/fips_prf/Makefile.in
index 6a34c8a7b..878713157 100644
--- a/src/libstrongswan/plugins/fips_prf/Makefile.in
+++ b/src/libstrongswan/plugins/fips_prf/Makefile.in
@@ -251,6 +251,7 @@ dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
diff --git a/src/libstrongswan/plugins/gcm/Makefile.in b/src/libstrongswan/plugins/gcm/Makefile.in
index a690613e4..660813f25 100644
--- a/src/libstrongswan/plugins/gcm/Makefile.in
+++ b/src/libstrongswan/plugins/gcm/Makefile.in
@@ -248,6 +248,7 @@ dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
diff --git a/src/libstrongswan/plugins/gcrypt/Makefile.in b/src/libstrongswan/plugins/gcrypt/Makefile.in
index f866cbb1f..3716a09fe 100644
--- a/src/libstrongswan/plugins/gcrypt/Makefile.in
+++ b/src/libstrongswan/plugins/gcrypt/Makefile.in
@@ -252,6 +252,7 @@ dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
diff --git a/src/libstrongswan/plugins/gmp/Makefile.in b/src/libstrongswan/plugins/gmp/Makefile.in
index 13fcd7ab5..74c19a734 100644
--- a/src/libstrongswan/plugins/gmp/Makefile.in
+++ b/src/libstrongswan/plugins/gmp/Makefile.in
@@ -249,6 +249,7 @@ dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
diff --git a/src/libstrongswan/plugins/hmac/Makefile.in b/src/libstrongswan/plugins/hmac/Makefile.in
index 59c15f7c0..cc4e8b108 100644
--- a/src/libstrongswan/plugins/hmac/Makefile.in
+++ b/src/libstrongswan/plugins/hmac/Makefile.in
@@ -248,6 +248,7 @@ dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
diff --git a/src/libstrongswan/plugins/ldap/Makefile.in b/src/libstrongswan/plugins/ldap/Makefile.in
index 11755b04c..0b8e68e4e 100644
--- a/src/libstrongswan/plugins/ldap/Makefile.in
+++ b/src/libstrongswan/plugins/ldap/Makefile.in
@@ -248,6 +248,7 @@ dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
diff --git a/src/libstrongswan/plugins/md4/Makefile.in b/src/libstrongswan/plugins/md4/Makefile.in
index fd25eb78a..3243b2643 100644
--- a/src/libstrongswan/plugins/md4/Makefile.in
+++ b/src/libstrongswan/plugins/md4/Makefile.in
@@ -248,6 +248,7 @@ dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
diff --git a/src/libstrongswan/plugins/md5/Makefile.in b/src/libstrongswan/plugins/md5/Makefile.in
index e22be6523..68a4244ba 100644
--- a/src/libstrongswan/plugins/md5/Makefile.in
+++ b/src/libstrongswan/plugins/md5/Makefile.in
@@ -248,6 +248,7 @@ dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
diff --git a/src/libstrongswan/plugins/mysql/Makefile.in b/src/libstrongswan/plugins/mysql/Makefile.in
index d054952bd..5e73813d5 100644
--- a/src/libstrongswan/plugins/mysql/Makefile.in
+++ b/src/libstrongswan/plugins/mysql/Makefile.in
@@ -250,6 +250,7 @@ dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
diff --git a/src/libstrongswan/plugins/nonce/Makefile.in b/src/libstrongswan/plugins/nonce/Makefile.in
index 4f651a8f8..bd04ab901 100644
--- a/src/libstrongswan/plugins/nonce/Makefile.in
+++ b/src/libstrongswan/plugins/nonce/Makefile.in
@@ -249,6 +249,7 @@ dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
diff --git a/src/libstrongswan/plugins/openssl/Makefile.am b/src/libstrongswan/plugins/openssl/Makefile.am
index e71567311..0ca27983f 100644
--- a/src/libstrongswan/plugins/openssl/Makefile.am
+++ b/src/libstrongswan/plugins/openssl/Makefile.am
@@ -1,7 +1,7 @@
 
 INCLUDES = -I$(top_srcdir)/src/libstrongswan
 
-AM_CFLAGS = -rdynamic
+AM_CFLAGS = -rdynamic -DFIPS_MODE=${fips_mode}
 
 if MONOLITHIC
 noinst_LTLIBRARIES = libstrongswan-openssl.la
diff --git a/src/libstrongswan/plugins/openssl/Makefile.in b/src/libstrongswan/plugins/openssl/Makefile.in
index 5eca47a1c..ba45e4bbc 100644
--- a/src/libstrongswan/plugins/openssl/Makefile.in
+++ b/src/libstrongswan/plugins/openssl/Makefile.in
@@ -256,6 +256,7 @@ dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
@@ -326,7 +327,7 @@ urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
 INCLUDES = -I$(top_srcdir)/src/libstrongswan
-AM_CFLAGS = -rdynamic
+AM_CFLAGS = -rdynamic -DFIPS_MODE=${fips_mode}
 @MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-openssl.la
 @MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-openssl.la
 libstrongswan_openssl_la_SOURCES = \
diff --git a/src/libstrongswan/plugins/openssl/openssl_ec_public_key.c b/src/libstrongswan/plugins/openssl/openssl_ec_public_key.c
index c8a45f79a..38cc8bedf 100644
--- a/src/libstrongswan/plugins/openssl/openssl_ec_public_key.c
+++ b/src/libstrongswan/plugins/openssl/openssl_ec_public_key.c
@@ -124,7 +124,7 @@ static bool verify_der_signature(private_openssl_ec_public_key_t *this,
 	if (openssl_hash_chunk(nid_hash, data, &hash))
 	{
 		valid = ECDSA_verify(0, hash.ptr, hash.len,
-							 signature.ptr, signature.len, this->ec);
+							 signature.ptr, signature.len, this->ec) == 1;
 		free(hash.ptr);
 	}
 	return valid;
diff --git a/src/libstrongswan/plugins/openssl/openssl_plugin.c b/src/libstrongswan/plugins/openssl/openssl_plugin.c
index 915082234..ce6610ad6 100644
--- a/src/libstrongswan/plugins/openssl/openssl_plugin.c
+++ b/src/libstrongswan/plugins/openssl/openssl_plugin.c
@@ -457,6 +457,25 @@ METHOD(plugin_t, destroy, void,
 plugin_t *openssl_plugin_create()
 {
 	private_openssl_plugin_t *this;
+	int fips_mode;
+
+	fips_mode = lib->settings->get_int(lib->settings,
+						"libstrongswan.plugins.openssl.fips_mode", FIPS_MODE);
+#ifdef OPENSSL_FIPS
+	if (!FIPS_mode_set(fips_mode))
+	{
+		DBG1(DBG_LIB, "unable to set openssl FIPS mode(%d)", fips_mode);
+		return NULL;
+	}
+	DBG1(DBG_LIB, "openssl FIPS mode(%d) - %sabled ",fips_mode,
+				   fips_mode ? "en" : "dis");
+#else
+	DBG1(DBG_LIB, "openssl FIPS mode(%d) unavailable", fips_mode);
+	if (fips_mode)
+	{
+		return NULL;
+	}
+#endif
 
 	INIT(this,
 		.public = {
diff --git a/src/libstrongswan/plugins/openssl/openssl_rng.c b/src/libstrongswan/plugins/openssl/openssl_rng.c
index d3d64f5e8..10db6293a 100644
--- a/src/libstrongswan/plugins/openssl/openssl_rng.c
+++ b/src/libstrongswan/plugins/openssl/openssl_rng.c
@@ -57,7 +57,7 @@ METHOD(rng_t, get_bytes, bool,
 	{
 		ret = RAND_pseudo_bytes((char*)buffer, bytes);
 	}
-	return ret != 0;
+	return ret == 1;
 }
 
 METHOD(rng_t, allocate_bytes, bool,
diff --git a/src/libstrongswan/plugins/openssl/openssl_rsa_private_key.c b/src/libstrongswan/plugins/openssl/openssl_rsa_private_key.c
index fb86a6bf1..036f53d23 100644
--- a/src/libstrongswan/plugins/openssl/openssl_rsa_private_key.c
+++ b/src/libstrongswan/plugins/openssl/openssl_rsa_private_key.c
@@ -428,7 +428,7 @@ openssl_rsa_private_key_t *openssl_rsa_private_key_load(key_type_t type,
 	if (blob.ptr)
 	{
 		this->rsa = d2i_RSAPrivateKey(NULL, (const u_char**)&blob.ptr, blob.len);
-		if (this->rsa && RSA_check_key(this->rsa))
+		if (this->rsa && RSA_check_key(this->rsa) == 1)
 		{
 			return &this->public;
 		}
@@ -450,7 +450,7 @@ openssl_rsa_private_key_t *openssl_rsa_private_key_load(key_type_t type,
 			this->rsa->dmq1 = BN_bin2bn((const u_char*)exp2.ptr, exp2.len, NULL);
 		}
 		this->rsa->iqmp = BN_bin2bn((const u_char*)coeff.ptr, coeff.len, NULL);
-		if (RSA_check_key(this->rsa))
+		if (RSA_check_key(this->rsa) == 1)
 		{
 			return &this->public;
 		}
diff --git a/src/libstrongswan/plugins/openssl/openssl_rsa_public_key.c b/src/libstrongswan/plugins/openssl/openssl_rsa_public_key.c
index bf71d7901..48beedef6 100644
--- a/src/libstrongswan/plugins/openssl/openssl_rsa_public_key.c
+++ b/src/libstrongswan/plugins/openssl/openssl_rsa_public_key.c
@@ -48,8 +48,6 @@ struct private_openssl_rsa_public_key_t {
 	refcount_t ref;
 };
 
-
-
 /**
  * Verification of an EMPSA PKCS1 signature described in PKCS#1
  */
@@ -67,12 +65,17 @@ static bool verify_emsa_pkcs1_signature(private_openssl_rsa_public_key_t *this,
 
 	if (type == NID_undef)
 	{
-		chunk_t hash = chunk_alloc(rsa_size);
+		char *buf;
+		int len;
 
-		hash.len = RSA_public_decrypt(signature.len, signature.ptr, hash.ptr,
-									  this->rsa, RSA_PKCS1_PADDING);
-		valid = chunk_equals(data, hash);
-		free(hash.ptr);
+		buf = malloc(rsa_size);
+		len = RSA_public_decrypt(signature.len, signature.ptr, buf, this->rsa,
+								 RSA_PKCS1_PADDING);
+		if (len != -1)
+		{
+			valid = chunk_equals(data, chunk_create(buf, len));
+		}
+		free(buf);
 	}
 	else
 	{
diff --git a/src/libstrongswan/plugins/openssl/openssl_sha1_prf.c b/src/libstrongswan/plugins/openssl/openssl_sha1_prf.c
index 8c00e6a57..446c93e2b 100644
--- a/src/libstrongswan/plugins/openssl/openssl_sha1_prf.c
+++ b/src/libstrongswan/plugins/openssl/openssl_sha1_prf.c
@@ -42,7 +42,14 @@ struct private_openssl_sha1_prf_t {
 METHOD(prf_t, get_bytes, bool,
 	private_openssl_sha1_prf_t *this, chunk_t seed, u_int8_t *bytes)
 {
+#if OPENSSL_VERSION_NUMBER >= 0x10000000L
+	if (!SHA1_Update(&this->ctx, seed.ptr, seed.len))
+	{
+		return FALSE;
+	}
+#else /* OPENSSL_VERSION_NUMBER < 1.0 */
 	SHA1_Update(&this->ctx, seed.ptr, seed.len);
+#endif
 
 	if (bytes)
 	{
@@ -84,7 +91,14 @@ METHOD(prf_t, get_key_size, size_t,
 METHOD(prf_t, set_key, bool,
 	private_openssl_sha1_prf_t *this, chunk_t key)
 {
+#if OPENSSL_VERSION_NUMBER >= 0x10000000L
+	if (!SHA1_Init(&this->ctx))
+	{
+		return FALSE;
+	}
+#else /* OPENSSL_VERSION_NUMBER < 1.0 */
 	SHA1_Init(&this->ctx);
+#endif
 
 	if (key.len % 4)
 	{
diff --git a/src/libstrongswan/plugins/padlock/Makefile.in b/src/libstrongswan/plugins/padlock/Makefile.in
index e9ac1d5e3..a82e8d578 100644
--- a/src/libstrongswan/plugins/padlock/Makefile.in
+++ b/src/libstrongswan/plugins/padlock/Makefile.in
@@ -251,6 +251,7 @@ dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
diff --git a/src/libstrongswan/plugins/pem/Makefile.in b/src/libstrongswan/plugins/pem/Makefile.in
index bb346b373..fa7e3891e 100644
--- a/src/libstrongswan/plugins/pem/Makefile.in
+++ b/src/libstrongswan/plugins/pem/Makefile.in
@@ -249,6 +249,7 @@ dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
diff --git a/src/libstrongswan/plugins/pgp/Makefile.in b/src/libstrongswan/plugins/pgp/Makefile.in
index a96c6259f..897adfcc7 100644
--- a/src/libstrongswan/plugins/pgp/Makefile.in
+++ b/src/libstrongswan/plugins/pgp/Makefile.in
@@ -249,6 +249,7 @@ dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
diff --git a/src/libstrongswan/plugins/pkcs1/Makefile.in b/src/libstrongswan/plugins/pkcs1/Makefile.in
index b4e78cd37..18af15599 100644
--- a/src/libstrongswan/plugins/pkcs1/Makefile.in
+++ b/src/libstrongswan/plugins/pkcs1/Makefile.in
@@ -250,6 +250,7 @@ dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
diff --git a/src/libstrongswan/plugins/pkcs11/Makefile.in b/src/libstrongswan/plugins/pkcs11/Makefile.in
index aab1ae9de..90a0ae97c 100644
--- a/src/libstrongswan/plugins/pkcs11/Makefile.in
+++ b/src/libstrongswan/plugins/pkcs11/Makefile.in
@@ -253,6 +253,7 @@ dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
diff --git a/src/libstrongswan/plugins/pkcs7/Makefile.in b/src/libstrongswan/plugins/pkcs7/Makefile.in
index 38781d34d..a4ef63364 100644
--- a/src/libstrongswan/plugins/pkcs7/Makefile.in
+++ b/src/libstrongswan/plugins/pkcs7/Makefile.in
@@ -251,6 +251,7 @@ dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
diff --git a/src/libstrongswan/plugins/pkcs8/Makefile.in b/src/libstrongswan/plugins/pkcs8/Makefile.in
index ea62a7d44..879020383 100644
--- a/src/libstrongswan/plugins/pkcs8/Makefile.in
+++ b/src/libstrongswan/plugins/pkcs8/Makefile.in
@@ -249,6 +249,7 @@ dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
diff --git a/src/libstrongswan/plugins/pubkey/Makefile.in b/src/libstrongswan/plugins/pubkey/Makefile.in
index 2b54fd426..cecba00ba 100644
--- a/src/libstrongswan/plugins/pubkey/Makefile.in
+++ b/src/libstrongswan/plugins/pubkey/Makefile.in
@@ -250,6 +250,7 @@ dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
diff --git a/src/libstrongswan/plugins/random/Makefile.in b/src/libstrongswan/plugins/random/Makefile.in
index 12eaa8a47..4909f4c8a 100644
--- a/src/libstrongswan/plugins/random/Makefile.in
+++ b/src/libstrongswan/plugins/random/Makefile.in
@@ -250,6 +250,7 @@ dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
diff --git a/src/libstrongswan/plugins/rdrand/Makefile.in b/src/libstrongswan/plugins/rdrand/Makefile.in
index e2d9e1a6b..b611821a8 100644
--- a/src/libstrongswan/plugins/rdrand/Makefile.in
+++ b/src/libstrongswan/plugins/rdrand/Makefile.in
@@ -250,6 +250,7 @@ dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
diff --git a/src/libstrongswan/plugins/revocation/Makefile.in b/src/libstrongswan/plugins/revocation/Makefile.in
index c0008c5b4..bc92c6ed1 100644
--- a/src/libstrongswan/plugins/revocation/Makefile.in
+++ b/src/libstrongswan/plugins/revocation/Makefile.in
@@ -252,6 +252,7 @@ dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
diff --git a/src/libstrongswan/plugins/sha1/Makefile.in b/src/libstrongswan/plugins/sha1/Makefile.in
index 0308e1b26..4cb0a0907 100644
--- a/src/libstrongswan/plugins/sha1/Makefile.in
+++ b/src/libstrongswan/plugins/sha1/Makefile.in
@@ -249,6 +249,7 @@ dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
diff --git a/src/libstrongswan/plugins/sha2/Makefile.in b/src/libstrongswan/plugins/sha2/Makefile.in
index 3d4e915b2..09fed2bdb 100644
--- a/src/libstrongswan/plugins/sha2/Makefile.in
+++ b/src/libstrongswan/plugins/sha2/Makefile.in
@@ -248,6 +248,7 @@ dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
diff --git a/src/libstrongswan/plugins/soup/Makefile.in b/src/libstrongswan/plugins/soup/Makefile.in
index 035747700..8220dcaff 100644
--- a/src/libstrongswan/plugins/soup/Makefile.in
+++ b/src/libstrongswan/plugins/soup/Makefile.in
@@ -249,6 +249,7 @@ dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
diff --git a/src/libstrongswan/plugins/sqlite/Makefile.in b/src/libstrongswan/plugins/sqlite/Makefile.in
index 1a9b21407..580cae7f1 100644
--- a/src/libstrongswan/plugins/sqlite/Makefile.in
+++ b/src/libstrongswan/plugins/sqlite/Makefile.in
@@ -251,6 +251,7 @@ dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
diff --git a/src/libstrongswan/plugins/test_vectors/Makefile.in b/src/libstrongswan/plugins/test_vectors/Makefile.in
index 6cce8686b..f468cc3fd 100644
--- a/src/libstrongswan/plugins/test_vectors/Makefile.in
+++ b/src/libstrongswan/plugins/test_vectors/Makefile.in
@@ -257,6 +257,7 @@ dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
diff --git a/src/libstrongswan/plugins/unbound/Makefile.in b/src/libstrongswan/plugins/unbound/Makefile.in
index f1a37bb03..4dfb2f31c 100644
--- a/src/libstrongswan/plugins/unbound/Makefile.in
+++ b/src/libstrongswan/plugins/unbound/Makefile.in
@@ -251,6 +251,7 @@ dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
diff --git a/src/libstrongswan/plugins/x509/Makefile.in b/src/libstrongswan/plugins/x509/Makefile.in
index a0fcfd8ad..0e5520149 100644
--- a/src/libstrongswan/plugins/x509/Makefile.in
+++ b/src/libstrongswan/plugins/x509/Makefile.in
@@ -250,6 +250,7 @@ dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
diff --git a/src/libstrongswan/plugins/xcbc/Makefile.in b/src/libstrongswan/plugins/xcbc/Makefile.in
index 8730ba3fa..a679ce313 100644
--- a/src/libstrongswan/plugins/xcbc/Makefile.in
+++ b/src/libstrongswan/plugins/xcbc/Makefile.in
@@ -248,6 +248,7 @@ dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
diff --git a/src/libtls/Makefile.in b/src/libtls/Makefile.in
index a98c5a6d6..fa910ecca 100644
--- a/src/libtls/Makefile.in
+++ b/src/libtls/Makefile.in
@@ -254,6 +254,7 @@ dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
diff --git a/src/libtnccs/Makefile.in b/src/libtnccs/Makefile.in
index 46f92341b..58ddf401c 100644
--- a/src/libtnccs/Makefile.in
+++ b/src/libtnccs/Makefile.in
@@ -244,6 +244,7 @@ dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
diff --git a/src/libtncif/Makefile.in b/src/libtncif/Makefile.in
index d7b4660fb..320faf616 100644
--- a/src/libtncif/Makefile.in
+++ b/src/libtncif/Makefile.in
@@ -216,6 +216,7 @@ dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
diff --git a/src/manager/Makefile.in b/src/manager/Makefile.in
index 4ed11faca..029df6120 100644
--- a/src/manager/Makefile.in
+++ b/src/manager/Makefile.in
@@ -265,6 +265,7 @@ dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
diff --git a/src/medsrv/Makefile.in b/src/medsrv/Makefile.in
index 829915407..27065e2f0 100644
--- a/src/medsrv/Makefile.in
+++ b/src/medsrv/Makefile.in
@@ -255,6 +255,7 @@ dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
diff --git a/src/openac/Makefile.in b/src/openac/Makefile.in
index fbd973876..d5e041387 100644
--- a/src/openac/Makefile.in
+++ b/src/openac/Makefile.in
@@ -249,6 +249,7 @@ dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
diff --git a/src/pki/Makefile.in b/src/pki/Makefile.in
index b4cb38592..f86c6596d 100644
--- a/src/pki/Makefile.in
+++ b/src/pki/Makefile.in
@@ -220,6 +220,7 @@ dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
diff --git a/src/scepclient/Makefile.in b/src/scepclient/Makefile.in
index 7b11ae171..fc796328c 100644
--- a/src/scepclient/Makefile.in
+++ b/src/scepclient/Makefile.in
@@ -249,6 +249,7 @@ dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
diff --git a/src/starter/Makefile.in b/src/starter/Makefile.in
index 2e43f7000..c50d4622b 100644
--- a/src/starter/Makefile.in
+++ b/src/starter/Makefile.in
@@ -235,6 +235,7 @@ dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
diff --git a/src/stroke/Makefile.in b/src/stroke/Makefile.in
index 779dafd7c..e73489058 100644
--- a/src/stroke/Makefile.in
+++ b/src/stroke/Makefile.in
@@ -220,6 +220,7 @@ dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
diff --git a/testing/Makefile.in b/testing/Makefile.in
index c7b90ef58..1083ae45a 100644
--- a/testing/Makefile.in
+++ b/testing/Makefile.in
@@ -195,6 +195,7 @@ dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
diff --git a/testing/hosts/default/etc/pts/data.sql b/testing/hosts/default/etc/pts/data.sql
new file mode 100644
index 000000000..dde7c9fa5
--- /dev/null
+++ b/testing/hosts/default/etc/pts/data.sql
@@ -0,0 +1,107 @@
+/* Products */
+
+INSERT INTO products (
+  name
+) VALUES (
+ 'Debian 7.0'
+);
+
+INSERT INTO products (
+  name
+) VALUES (
+ 'Debian 7.0 i686'
+);
+
+INSERT INTO products (
+  name
+) VALUES (
+ 'Debian 7.0 x86_64'
+);
+
+INSERT INTO products (
+  name
+) VALUES (
+ 'Ubuntu 12.04'
+);
+
+INSERT INTO products (
+  name
+) VALUES (
+ 'Ubuntu 12.04 i686'
+);
+
+INSERT INTO products (
+  name
+) VALUES (
+ 'Ubuntu 12.04 x86_64'
+);
+
+INSERT INTO products (
+  name
+) VALUES (
+ 'Ubuntu 12.10'
+);
+
+INSERT INTO products (
+  name
+) VALUES (
+ 'Ubuntu 12.10 i686'
+);
+
+INSERT INTO products (
+  name
+) VALUES (
+ 'Ubuntu 12.10 x86_64'
+);
+
+/* Packages */
+
+INSERT INTO packages (
+  name
+) VALUES (
+ 'libssl-dev'
+);
+
+INSERT INTO packages (
+  name
+) VALUES (
+ 'libssl1.0.0'
+);
+
+INSERT INTO packages (
+  name
+) VALUES (
+ 'libssl1.0.0-dbg'
+);
+
+INSERT INTO packages (
+  name
+) VALUES (
+ 'openssl'
+);
+
+/* Versions */
+
+INSERT INTO versions (
+  package, product, release, time
+) values (
+  1, 1, '1.0.1e-2', 1366531494
+);
+
+INSERT INTO versions (
+  package, product, release, time
+) values (
+  2, 1, '1.0.1e-2', 1366531494
+);
+
+INSERT INTO versions (
+  package, product, release, time
+) values (
+  3, 1, '1.0.1e-2', 1366531494
+);
+
+INSERT INTO versions (
+  package, product, release, time
+) values (
+  4, 1, '1.0.1e-2', 1366531494
+);
diff --git a/testing/hosts/default/etc/pts/data.sql~ b/testing/hosts/default/etc/pts/data.sql~
new file mode 100644
index 000000000..b08d035ab
--- /dev/null
+++ b/testing/hosts/default/etc/pts/data.sql~
@@ -0,0 +1,107 @@
+/* Products */
+
+INSERT INTO products (
+  name
+) VALUES (
+ 'Debian 7.0'
+);
+
+INSERT INTO products (
+  name
+) VALUES (
+ 'Debian 7.0 i686'
+);
+
+INSERT INTO products (
+  name
+) VALUES (
+ 'Debian 7.0 x86_64'
+);
+
+INSERT INTO products (
+  name
+) VALUES (
+ 'Ubuntu 12.04'
+);
+
+INSERT INTO products (
+  name
+) VALUES (
+ 'Ubuntu 12.04 i686'
+);
+
+INSERT INTO products (
+  name
+) VALUES (
+ 'Ubuntu 12.04 x86_64'
+);
+
+INSERT INTO products (
+  name
+) VALUES (
+ 'Ubuntu 12.10'
+);
+
+INSERT INTO products (
+  name
+) VALUES (
+ 'Ubuntu 12.10 i686'
+);
+
+INSERT INTO products (
+  name
+) VALUES (
+ 'Ubuntu 12.10 x86_64'
+);
+
+INSERT INTO versions (
+  package, product, release, time
+) values (
+  1, 1, '1.0.1e-2', 1366531494
+);
+
+/* Packages */
+
+INSERT INTO packages (
+  name
+) VALUES (
+ 'libssl-dev'
+);
+
+INSERT INTO packages (
+  name
+) VALUES (
+ 'libssl1.0.0'
+);
+
+INSERT INTO packages (
+  name
+) VALUES (
+ 'libssl1.0.0-dbg'
+);
+
+INSERT INTO packages (
+  name
+) VALUES (
+ 'openssl'
+);
+
+/* Versions */
+
+INSERT INTO versions (
+  package, product, release, time
+) values (
+  2, 1, '1.0.1e-2', 1366531494
+);
+
+INSERT INTO versions (
+  package, product, release, time
+) values (
+  3, 1, '1.0.1e-2', 1366531494
+);
+
+INSERT INTO versions (
+  package, product, release, time
+) values (
+  4, 1, '1.0.1e-2', 1366531494
+);
diff --git a/testing/hosts/default/etc/pts/tables.sql b/testing/hosts/default/etc/pts/tables.sql
new file mode 100644
index 000000000..0c038d365
--- /dev/null
+++ b/testing/hosts/default/etc/pts/tables.sql
@@ -0,0 +1,146 @@
+/* PTS SQLite database */
+
+DROP TABLE IF EXISTS files;
+CREATE TABLE files (
+  id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
+  type INTEGER NOT NULL,
+  path TEXT NOT NULL
+);
+DROP INDEX IF EXISTS files_path;
+CREATE INDEX files_path ON files (
+  path
+);
+
+DROP TABLE IF EXISTS products;
+CREATE TABLE products (
+  id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
+  name TEXT NOT NULL
+);
+DROP INDEX IF EXISTS products_name;
+CREATE INDEX products_name ON products (
+  name
+);
+
+DROP TABLE IF EXISTS product_file;
+CREATE TABLE product_file (
+  product INTEGER NOT NULL,
+  file INTEGER NOT NULL,
+  measurement INTEGER DEFAULT 0,
+  metadata INTEGER DEFAULT 0,
+  PRIMARY KEY (product, file)
+);
+
+DROP TABLE IF EXISTS file_hashes;
+CREATE TABLE file_hashes (
+  file INTEGER NOT NULL,
+  directory INTEGER DEFAULT 0,
+  product INTEGER NOT NULL,
+  key INTEGER DEFAULT 0,
+  algo INTEGER NOT NULL,
+  hash BLOB NOT NULL,
+  PRIMARY KEY(file, directory, product, algo)
+);
+
+DROP TABLE IF EXISTS keys;
+CREATE TABLE keys (
+  id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
+  keyid BLOB NOT NULL,
+  owner TEXT NOT NULL
+);
+DROP INDEX IF EXISTS keys_keyid;
+CREATE INDEX keys_keyid ON keys (
+  keyid
+);
+DROP INDEX IF EXISTS keys_owner;
+CREATE INDEX keys_owner ON keys (
+  owner
+);
+
+DROP TABLE IF EXISTS components;
+CREATE TABLE components (
+  id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
+  vendor_id INTEGER NOT NULL,
+  name INTEGER NOT NULL,
+  qualifier INTEGER DEFAULT 0
+);
+
+
+DROP TABLE IF EXISTS key_component;
+CREATE TABLE key_component (
+  key INTEGER NOT NULL,
+  component INTEGER NOT NULL,
+  depth INTEGER DEFAULT 0,
+  seq_no INTEGER DEFAULT 0,
+  PRIMARY KEY (key, component)
+);
+
+
+DROP TABLE IF EXISTS component_hashes;
+CREATE TABLE component_hashes (
+  component INTEGER NOT NULL,
+  key INTEGER NOT NULL,
+  seq_no INTEGER NOT NULL,
+  pcr INTEGER NOT NULL,
+  algo INTEGER NOT NULL,
+  hash BLOB NOT NULL,
+  PRIMARY KEY(component, key, seq_no, algo)
+);
+
+DROP TABLE IF EXISTS packages;
+CREATE TABLE packages (
+  id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
+  name TEXT NOT NULL
+);
+DROP INDEX IF EXISTS packages_name;
+CREATE INDEX packages_name ON packages (
+  name
+);
+
+DROP TABLE IF EXISTS versions;
+CREATE TABLE versions (
+  id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
+  package INTEGER NOT NULL,
+  product INTEGER NOT NULL,
+  release TEXT NOT NULL,
+  security INTEGER DEFAULT 0,
+  time INTEGER DEFAULT 0
+);
+DROP INDEX IF EXISTS versions_release;
+CREATE INDEX versions_release ON versions (
+  release
+);
+DROP INDEX IF EXISTS versions_package_product;
+CREATE INDEX versions_package_product ON versions (
+  package, product
+);
+
+DROP TABLE IF EXISTS devices;
+CREATE TABLE devices (
+  id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
+  value BLOB NOT NULL
+);
+DROP INDEX IF EXISTS devices_id;
+CREATE INDEX devices_value ON devices (
+  value
+);
+
+DROP TABLE IF EXISTS device_infos;
+CREATE TABLE device_infos (
+  id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
+  device INTEGER NOT NULL,
+  time INTEGER NOT NULL,
+  ar_id INTEGER DEFAULT 0,
+  product INTEGER DEFAULT 0,
+  count INTEGER DEFAULT 0,
+  count_update INTEGER DEFAULT 0,
+  count_blacklist INTEGER DEFAULT 0,
+  flags INTEGER DEFAULT 0
+);
+
+DROP TABLE IF EXISTS identities;
+CREATE TABLE identities (
+  id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
+  type INTEGER NOT NULL,
+  data BLOB NOT NULL,
+  UNIQUE (type, data)
+);
diff --git a/testing/scripts/build-baseimage b/testing/scripts/build-baseimage
index c426f0af5..354b48bd7 100755
--- a/testing/scripts/build-baseimage
+++ b/testing/scripts/build-baseimage
@@ -17,7 +17,7 @@ INC=$INC,openssl,vim,sqlite3,conntrack,gdb,cmake,libxerces-c2-dev,libltdl-dev
 INC=$INC,liblog4cxx10-dev,libboost-thread-dev,libboost-system-dev,git-core
 INC=$INC,less,acpid,acpi-support-base,libldns-dev,libunbound-dev,dnsutils,screen
 INC=$INC,gnat,gprbuild,libahven3-dev,libxmlada4.1-dev,libgmpada3-dev
-INC=$INC,libalog0.4.1-base-dev,hostapd
+INC=$INC,libalog0.4.1-base-dev,hostapd,libsoup2.4-dev
 SERVICES="apache2 dbus isc-dhcp-server slapd bind9"
 INC=$INC,${SERVICES// /,}
 
diff --git a/testing/scripts/recipes/009_tkm.mk b/testing/scripts/recipes/009_tkm.mk
deleted file mode 100644
index 971cd170f..000000000
--- a/testing/scripts/recipes/009_tkm.mk
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/usr/bin/make
-
-PKG = tkm
-SRC = http://git.codelabs.ch/git/$(PKG).git
-REV = v0.1
-
-export ADA_PROJECT_PATH=/usr/local/ada/lib/gnat
-
-all: install
-
-.$(PKG)-cloned:
-	git clone $(SRC) $(PKG)
-	cd $(PKG) && git checkout $(REV)
-	@touch $@
-
-.$(PKG)-built: .$(PKG)-cloned
-	cd $(PKG) && make tests && make
-	@touch $@
-
-install: .$(PKG)-built
-	cd $(PKG) && make install
diff --git a/testing/scripts/recipes/009_xfrm-proxy.mk b/testing/scripts/recipes/009_xfrm-proxy.mk
new file mode 100644
index 000000000..569fbfe3c
--- /dev/null
+++ b/testing/scripts/recipes/009_xfrm-proxy.mk
@@ -0,0 +1,21 @@
+#!/usr/bin/make
+
+PKG = xfrm-proxy
+SRC = http://git.codelabs.ch/git/$(PKG).git
+REV = v0.1
+
+export ADA_PROJECT_PATH=/usr/local/ada/lib/gnat
+
+all: install
+
+.$(PKG)-cloned:
+	git clone $(SRC) $(PKG)
+	cd $(PKG) && git checkout $(REV)
+	@touch $@
+
+.$(PKG)-built: .$(PKG)-cloned
+	cd $(PKG) && make
+	@touch $@
+
+install: .$(PKG)-built
+	cd $(PKG) && make install
diff --git a/testing/scripts/recipes/010_strongswan.mk b/testing/scripts/recipes/010_strongswan.mk
deleted file mode 100644
index 94abb9ddb..000000000
--- a/testing/scripts/recipes/010_strongswan.mk
+++ /dev/null
@@ -1,94 +0,0 @@
-#!/usr/bin/make
-
-PV  = $(SWANVERSION)
-PKG = strongswan-$(PV)
-TAR = $(PKG).tar.bz2
-SRC = http://download.strongswan.org/$(TAR)
-
-NUM_CPUS := $(shell getconf _NPROCESSORS_ONLN)
-
-CONFIG_OPTS = \
-	--sysconfdir=/etc \
-	--with-random-device=/dev/urandom \
-	--disable-load-warning \
-	--enable-curl \
-	--enable-ldap \
-	--enable-eap-aka \
-	--enable-eap-aka-3gpp2 \
-	--enable-eap-sim \
-	--enable-eap-sim-file \
-	--enable-eap-md5 \
-	--enable-md4 \
-	--enable-eap-mschapv2 \
-	--enable-eap-identity \
-	--enable-eap-radius \
-	--enable-eap-dynamic \
-	--enable-eap-tls \
-	--enable-eap-ttls \
-	--enable-eap-peap \
-	--enable-eap-tnc \
-	--enable-tnc-ifmap \
-	--enable-tnc-pdp \
-	--enable-tnc-imc \
-	--enable-tnc-imv \
-	--enable-tnccs-11 \
-	--enable-tnccs-20 \
-	--enable-tnccs-dynamic \
-	--enable-imc-test \
-	--enable-imv-test \
-	--enable-imc-scanner \
-	--enable-imv-scanner \
-	--enable-imc-os \
-	--enable-imv-os \
-	--enable-imc-attestation \
-	--enable-imv-attestation \
-	--enable-sql \
-	--enable-sqlite \
-	--enable-attr-sql \
-	--enable-mediation \
-	--enable-openssl \
-	--enable-blowfish \
-	--enable-kernel-pfkey \
-	--enable-integrity-test \
-	--enable-leak-detective \
-	--enable-load-tester \
-	--enable-test-vectors \
-	--enable-gcrypt \
-	--enable-socket-default \
-	--enable-socket-dynamic \
-	--enable-dhcp \
-	--enable-farp \
-	--enable-addrblock \
-	--enable-ctr \
-	--enable-ccm \
-	--enable-gcm \
-	--enable-cmac \
-	--enable-ha \
-	--enable-af-alg \
-	--enable-whitelist \
-	--enable-xauth-generic \
-	--enable-xauth-eap \
-	--enable-pkcs8 \
-	--enable-unity \
-	--enable-unbound \
-	--enable-ipseckey \
-	--enable-tkm
-
-export ADA_PROJECT_PATH=/usr/local/ada/lib/gnat
-
-all: install
-
-$(TAR):
-	wget $(SRC)
-
-$(PKG): $(TAR)
-	tar xfj $(TAR)
-
-configure: $(PKG)
-	cd $(PKG) && ./configure $(CONFIG_OPTS)
-
-build: configure
-	cd $(PKG) && make -j $(NUM_CPUS)
-
-install: build
-	cd $(PKG) && make install
diff --git a/testing/scripts/recipes/010_tkm.mk b/testing/scripts/recipes/010_tkm.mk
new file mode 100644
index 000000000..971cd170f
--- /dev/null
+++ b/testing/scripts/recipes/010_tkm.mk
@@ -0,0 +1,21 @@
+#!/usr/bin/make
+
+PKG = tkm
+SRC = http://git.codelabs.ch/git/$(PKG).git
+REV = v0.1
+
+export ADA_PROJECT_PATH=/usr/local/ada/lib/gnat
+
+all: install
+
+.$(PKG)-cloned:
+	git clone $(SRC) $(PKG)
+	cd $(PKG) && git checkout $(REV)
+	@touch $@
+
+.$(PKG)-built: .$(PKG)-cloned
+	cd $(PKG) && make tests && make
+	@touch $@
+
+install: .$(PKG)-built
+	cd $(PKG) && make install
diff --git a/testing/scripts/recipes/011_openssl-fips.mk b/testing/scripts/recipes/011_openssl-fips.mk
new file mode 100644
index 000000000..5d28b181e
--- /dev/null
+++ b/testing/scripts/recipes/011_openssl-fips.mk
@@ -0,0 +1,23 @@
+#!/usr/bin/make
+
+PV  = 2.0.3
+PKG = openssl-fips-$(PV)
+TAR = $(PKG).tar.gz
+SRC = http://www.openssl.org/source/$(TAR)
+
+all: install
+
+$(TAR):
+	wget $(SRC)
+
+$(PKG): $(TAR)
+	tar xfz $(TAR)
+
+configure: $(PKG)
+	cd $(PKG) && ./config
+
+build: configure
+	cd $(PKG) && make
+
+install: build
+	cd $(PKG) && make install
diff --git a/testing/scripts/recipes/011_xfrm-proxy.mk b/testing/scripts/recipes/011_xfrm-proxy.mk
deleted file mode 100644
index 569fbfe3c..000000000
--- a/testing/scripts/recipes/011_xfrm-proxy.mk
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/usr/bin/make
-
-PKG = xfrm-proxy
-SRC = http://git.codelabs.ch/git/$(PKG).git
-REV = v0.1
-
-export ADA_PROJECT_PATH=/usr/local/ada/lib/gnat
-
-all: install
-
-.$(PKG)-cloned:
-	git clone $(SRC) $(PKG)
-	cd $(PKG) && git checkout $(REV)
-	@touch $@
-
-.$(PKG)-built: .$(PKG)-cloned
-	cd $(PKG) && make
-	@touch $@
-
-install: .$(PKG)-built
-	cd $(PKG) && make install
diff --git a/testing/scripts/recipes/012_openssl.mk b/testing/scripts/recipes/012_openssl.mk
new file mode 100644
index 000000000..9312445ce
--- /dev/null
+++ b/testing/scripts/recipes/012_openssl.mk
@@ -0,0 +1,13 @@
+#!/usr/bin/make
+
+PV  = 1.0.1e
+PKG = openssl-$(PV)
+SRC = http://download.strongswan.org/testing/openssl-fips/
+
+all: install
+
+$(PKG):
+	wget -r $(SRC) --no-directories --directory-prefix $(PKG) --accept deb
+
+install: $(PKG)
+	cd $(PKG) && dpkg -i *.deb
diff --git a/testing/scripts/recipes/013_strongswan.mk b/testing/scripts/recipes/013_strongswan.mk
new file mode 100644
index 000000000..14fdebbc9
--- /dev/null
+++ b/testing/scripts/recipes/013_strongswan.mk
@@ -0,0 +1,95 @@
+#!/usr/bin/make
+
+PV  = $(SWANVERSION)
+PKG = strongswan-$(PV)
+TAR = $(PKG).tar.bz2
+SRC = http://download.strongswan.org/$(TAR)
+
+NUM_CPUS := $(shell getconf _NPROCESSORS_ONLN)
+
+CONFIG_OPTS = \
+	--sysconfdir=/etc \
+	--with-random-device=/dev/urandom \
+	--disable-load-warning \
+	--enable-curl \
+	--enable-soup \
+	--enable-ldap \
+	--enable-eap-aka \
+	--enable-eap-aka-3gpp2 \
+	--enable-eap-sim \
+	--enable-eap-sim-file \
+	--enable-eap-md5 \
+	--enable-md4 \
+	--enable-eap-mschapv2 \
+	--enable-eap-identity \
+	--enable-eap-radius \
+	--enable-eap-dynamic \
+	--enable-eap-tls \
+	--enable-eap-ttls \
+	--enable-eap-peap \
+	--enable-eap-tnc \
+	--enable-tnc-ifmap \
+	--enable-tnc-pdp \
+	--enable-tnc-imc \
+	--enable-tnc-imv \
+	--enable-tnccs-11 \
+	--enable-tnccs-20 \
+	--enable-tnccs-dynamic \
+	--enable-imc-test \
+	--enable-imv-test \
+	--enable-imc-scanner \
+	--enable-imv-scanner \
+	--enable-imc-os \
+	--enable-imv-os \
+	--enable-imc-attestation \
+	--enable-imv-attestation \
+	--enable-sql \
+	--enable-sqlite \
+	--enable-attr-sql \
+	--enable-mediation \
+	--enable-openssl \
+	--enable-blowfish \
+	--enable-kernel-pfkey \
+	--enable-integrity-test \
+	--enable-leak-detective \
+	--enable-load-tester \
+	--enable-test-vectors \
+	--enable-gcrypt \
+	--enable-socket-default \
+	--enable-socket-dynamic \
+	--enable-dhcp \
+	--enable-farp \
+	--enable-addrblock \
+	--enable-ctr \
+	--enable-ccm \
+	--enable-gcm \
+	--enable-cmac \
+	--enable-ha \
+	--enable-af-alg \
+	--enable-whitelist \
+	--enable-xauth-generic \
+	--enable-xauth-eap \
+	--enable-pkcs8 \
+	--enable-unity \
+	--enable-unbound \
+	--enable-ipseckey \
+	--enable-tkm
+
+export ADA_PROJECT_PATH=/usr/local/ada/lib/gnat
+
+all: install
+
+$(TAR):
+	wget $(SRC)
+
+$(PKG): $(TAR)
+	tar xfj $(TAR)
+
+configure: $(PKG)
+	cd $(PKG) && ./configure $(CONFIG_OPTS)
+
+build: configure
+	cd $(PKG) && make -j $(NUM_CPUS)
+
+install: build
+	cd $(PKG) && make install
diff --git a/testing/tests/ikev1/rw-initiator-only/description.txt b/testing/tests/ikev1/rw-initiator-only/description.txt
new file mode 100644
index 000000000..478004162
--- /dev/null
+++ b/testing/tests/ikev1/rw-initiator-only/description.txt
@@ -0,0 +1,10 @@
+The roadwarrior <b>dave</b> tries to set up a connection to roadwarrior <b>carol</b>
+but because <b>carol</b> has set the strongswan.conf option <b>initiator_only = yes</b>
+she ignores the repeated IKE requests sent by <b>dave</b>.
+<p/>
+After the failed connection attempt by <b>dave</b>, roadwarrior <b>carol</b> sets up a
+connection to gateway <b>moon</b>. The authentication is based on <b>X.509 certificates</b>.
+Upon the successful establishment of the IPsec tunnels, <b>leftfirewall=yes</b>
+automatically inserts iptables-based firewall rules that let pass the tunneled traffic.
+In order to test both tunnel and firewall, <b>carol</b> pings the client <b>alice</b> behind
+the gateway <b>moon</b>.
diff --git a/testing/tests/ikev1/rw-initiator-only/evaltest.dat b/testing/tests/ikev1/rw-initiator-only/evaltest.dat
new file mode 100644
index 000000000..80fd7c5be
--- /dev/null
+++ b/testing/tests/ikev1/rw-initiator-only/evaltest.dat
@@ -0,0 +1,8 @@
+dave::cat /var/log/daemon.log::establishing IKE_SA failed, peer not responding::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev1/rw-initiator-only/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/rw-initiator-only/hosts/carol/etc/ipsec.conf
new file mode 100644
index 000000000..58914391c
--- /dev/null
+++ b/testing/tests/ikev1/rw-initiator-only/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,20 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev1
+
+conn home
+	left=PH_IP_CAROL
+	leftcert=carolCert.pem
+	leftid=carol@strongswan.org
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+	rightsubnet=10.1.0.0/16
+	auto=add
diff --git a/testing/tests/ikev1/rw-initiator-only/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/rw-initiator-only/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..dc900c4f2
--- /dev/null
+++ b/testing/tests/ikev1/rw-initiator-only/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,7 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 pkcs8 gmp random nonce x509 revocation hmac xcbc cmac ctr ccm gcm stroke kernel-netlink socket-default updown
+
+  initiator_only = yes
+}
diff --git a/testing/tests/ikev1/rw-initiator-only/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/rw-initiator-only/hosts/dave/etc/ipsec.conf
new file mode 100644
index 000000000..b262ecbea
--- /dev/null
+++ b/testing/tests/ikev1/rw-initiator-only/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,19 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev1
+
+conn peer
+	left=PH_IP_DAVE
+	leftcert=daveCert.pem
+	leftid=dave@strongswan.org
+	leftfirewall=yes
+	right=PH_IP_CAROL
+	rightid=carol@strongswan.org
+	auto=add
diff --git a/testing/tests/ikev1/rw-initiator-only/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/rw-initiator-only/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..9251921ff
--- /dev/null
+++ b/testing/tests/ikev1/rw-initiator-only/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 pkcs8 gmp random nonce x509 revocation hmac xcbc cmac ctr ccm gcm stroke kernel-netlink socket-default updown
+
+  retransmit_timeout = 2
+  retransmit_base = 1.5
+  retransmit_tries = 3 
+}
diff --git a/testing/tests/ikev1/rw-initiator-only/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/rw-initiator-only/hosts/moon/etc/ipsec.conf
new file mode 100644
index 000000000..4c5df8825
--- /dev/null
+++ b/testing/tests/ikev1/rw-initiator-only/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,18 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekey=no
+	keyexchange=ikev1
+
+conn rw
+	left=PH_IP_MOON
+	leftcert=moonCert.pem
+	leftid=@moon.strongswan.org
+	leftsubnet=10.1.0.0/16
+	leftfirewall=yes
+	right=%any
+	auto=add
diff --git a/testing/tests/ikev1/rw-initiator-only/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/rw-initiator-only/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..7f31b170b
--- /dev/null
+++ b/testing/tests/ikev1/rw-initiator-only/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 pkcs8 gmp random nonce x509 revocation hmac xcbc cmac ctr ccm gcm stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ikev1/rw-initiator-only/posttest.dat b/testing/tests/ikev1/rw-initiator-only/posttest.dat
new file mode 100644
index 000000000..1865a1c60
--- /dev/null
+++ b/testing/tests/ikev1/rw-initiator-only/posttest.dat
@@ -0,0 +1,6 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev1/rw-initiator-only/pretest.dat b/testing/tests/ikev1/rw-initiator-only/pretest.dat
new file mode 100644
index 000000000..fc7173430
--- /dev/null
+++ b/testing/tests/ikev1/rw-initiator-only/pretest.dat
@@ -0,0 +1,9 @@
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
+moon::ipsec start
+carol::ipsec start
+dave::ipsec start
+carol::sleep 1
+dave::ipsec up peer
+carol::ipsec up home
diff --git a/testing/tests/ikev1/rw-initiator-only/test.conf b/testing/tests/ikev1/rw-initiator-only/test.conf
new file mode 100644
index 000000000..f29298850
--- /dev/null
+++ b/testing/tests/ikev1/rw-initiator-only/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-d.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev2/rw-initiator-only/description.txt b/testing/tests/ikev2/rw-initiator-only/description.txt
new file mode 100644
index 000000000..478004162
--- /dev/null
+++ b/testing/tests/ikev2/rw-initiator-only/description.txt
@@ -0,0 +1,10 @@
+The roadwarrior <b>dave</b> tries to set up a connection to roadwarrior <b>carol</b>
+but because <b>carol</b> has set the strongswan.conf option <b>initiator_only = yes</b>
+she ignores the repeated IKE requests sent by <b>dave</b>.
+<p/>
+After the failed connection attempt by <b>dave</b>, roadwarrior <b>carol</b> sets up a
+connection to gateway <b>moon</b>. The authentication is based on <b>X.509 certificates</b>.
+Upon the successful establishment of the IPsec tunnels, <b>leftfirewall=yes</b>
+automatically inserts iptables-based firewall rules that let pass the tunneled traffic.
+In order to test both tunnel and firewall, <b>carol</b> pings the client <b>alice</b> behind
+the gateway <b>moon</b>.
diff --git a/testing/tests/ikev2/rw-initiator-only/evaltest.dat b/testing/tests/ikev2/rw-initiator-only/evaltest.dat
new file mode 100644
index 000000000..80fd7c5be
--- /dev/null
+++ b/testing/tests/ikev2/rw-initiator-only/evaltest.dat
@@ -0,0 +1,8 @@
+dave::cat /var/log/daemon.log::establishing IKE_SA failed, peer not responding::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/rw-initiator-only/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-initiator-only/hosts/carol/etc/ipsec.conf
new file mode 100644
index 000000000..dd2ceea60
--- /dev/null
+++ b/testing/tests/ikev2/rw-initiator-only/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,20 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn home
+	left=PH_IP_CAROL
+	leftcert=carolCert.pem
+	leftid=carol@strongswan.org
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+	rightsubnet=10.1.0.0/16
+	auto=add
diff --git a/testing/tests/ikev2/rw-initiator-only/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-initiator-only/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..dc900c4f2
--- /dev/null
+++ b/testing/tests/ikev2/rw-initiator-only/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,7 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 pkcs8 gmp random nonce x509 revocation hmac xcbc cmac ctr ccm gcm stroke kernel-netlink socket-default updown
+
+  initiator_only = yes
+}
diff --git a/testing/tests/ikev2/rw-initiator-only/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/rw-initiator-only/hosts/dave/etc/ipsec.conf
new file mode 100644
index 000000000..b417977c9
--- /dev/null
+++ b/testing/tests/ikev2/rw-initiator-only/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,19 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn peer
+	left=PH_IP_DAVE
+	leftcert=daveCert.pem
+	leftid=dave@strongswan.org
+	leftfirewall=yes
+	right=PH_IP_CAROL
+	rightid=carol@strongswan.org
+	auto=add
diff --git a/testing/tests/ikev2/rw-initiator-only/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-initiator-only/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..9251921ff
--- /dev/null
+++ b/testing/tests/ikev2/rw-initiator-only/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 pkcs8 gmp random nonce x509 revocation hmac xcbc cmac ctr ccm gcm stroke kernel-netlink socket-default updown
+
+  retransmit_timeout = 2
+  retransmit_base = 1.5
+  retransmit_tries = 3 
+}
diff --git a/testing/tests/ikev2/rw-initiator-only/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-initiator-only/hosts/moon/etc/ipsec.conf
new file mode 100644
index 000000000..acc2ef758
--- /dev/null
+++ b/testing/tests/ikev2/rw-initiator-only/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,19 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekey=no
+	reauth=no
+	keyexchange=ikev2
+
+conn rw
+	left=PH_IP_MOON
+	leftcert=moonCert.pem
+	leftid=@moon.strongswan.org
+	leftsubnet=10.1.0.0/16
+	leftfirewall=yes
+	right=%any
+	auto=add
diff --git a/testing/tests/ikev2/rw-initiator-only/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-initiator-only/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..7f31b170b
--- /dev/null
+++ b/testing/tests/ikev2/rw-initiator-only/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 pkcs8 gmp random nonce x509 revocation hmac xcbc cmac ctr ccm gcm stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ikev2/rw-initiator-only/posttest.dat b/testing/tests/ikev2/rw-initiator-only/posttest.dat
new file mode 100644
index 000000000..1865a1c60
--- /dev/null
+++ b/testing/tests/ikev2/rw-initiator-only/posttest.dat
@@ -0,0 +1,6 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/rw-initiator-only/pretest.dat b/testing/tests/ikev2/rw-initiator-only/pretest.dat
new file mode 100644
index 000000000..fc7173430
--- /dev/null
+++ b/testing/tests/ikev2/rw-initiator-only/pretest.dat
@@ -0,0 +1,9 @@
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
+moon::ipsec start
+carol::ipsec start
+dave::ipsec start
+carol::sleep 1
+dave::ipsec up peer
+carol::ipsec up home
diff --git a/testing/tests/ikev2/rw-initiator-only/test.conf b/testing/tests/ikev2/rw-initiator-only/test.conf
new file mode 100644
index 000000000..f29298850
--- /dev/null
+++ b/testing/tests/ikev2/rw-initiator-only/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-d.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/openssl-ikev2/rw-cpa/description.txt b/testing/tests/openssl-ikev2/rw-cpa/description.txt
new file mode 100644
index 000000000..aaebb1843
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-cpa/description.txt
@@ -0,0 +1,9 @@
+The roadwarrior <b>dave</b> tries to set up a connection to roadwarrior <b>carol</b>
+but because <b>carol</b> has set the strongswan.conf option <b>initiator_only = yes</b>
+she ignores the repeated IKE requests sent by <b>dave</b>.
+<p/>
+After the failed connection attempt by <b>dave</b>, roadwarrior <b>carol</b> sets up a
+connection to gateway <b>moon</b>. The authentication is based on <b>X.509 ECDSA certificates</b>.
+Upon the successful establishment of the IPsec tunnel, the static IPsec policy rules of
+an iptables-based firewall let pass the tunneled traffic. In order to test both tunnel and firewall,
+<b>carol</b> pings the client <b>alice</b> behind the gateway <b>moon</b>.
diff --git a/testing/tests/openssl-ikev2/rw-cpa/evaltest.dat b/testing/tests/openssl-ikev2/rw-cpa/evaltest.dat
new file mode 100644
index 000000000..7169a091d
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-cpa/evaltest.dat
@@ -0,0 +1,11 @@
+dave:: cat /var/log/daemon.log::establishing IKE_SA failed, peer not responding::YES
+carol::cat /var/log/daemon.log::openssl FIPS mode(2) - enabled::YES
+moon:: cat /var/log/daemon.log::openssl FIPS mode(2) - enabled::YES
+moon:: cat /var/log/daemon.log::authentication of.*carol@strongswan.org.*with ECDSA-256 signature successful::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/openssl-ikev2/rw-cpa/hosts/carol/etc/ipsec.conf b/testing/tests/openssl-ikev2/rw-cpa/hosts/carol/etc/ipsec.conf
new file mode 100644
index 000000000..61e13df41
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-cpa/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,22 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+	ike=aes128gcm128-prfsha256-ecp256!
+	esp=aes128gcm128-ecp256!
+
+conn home
+	left=PH_IP_CAROL
+	leftcert=carolCert.pem
+	leftid=carol@strongswan.org
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+	rightsubnet=10.1.0.0/16
+	auto=add
diff --git a/testing/tests/openssl-ikev2/rw-cpa/hosts/carol/etc/ipsec.d/cacerts/strongswanCert.pem b/testing/tests/openssl-ikev2/rw-cpa/hosts/carol/etc/ipsec.d/cacerts/strongswanCert.pem
new file mode 100644
index 000000000..3480a434a
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-cpa/hosts/carol/etc/ipsec.d/cacerts/strongswanCert.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICyDCCAiqgAwIBAgIJAPaidX4i76aJMAkGByqGSM49BAEwSDELMAkGA1UEBhMC
+Q0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xHjAcBgNVBAMTFXN0cm9uZ1N3
+YW4gRUMgUm9vdCBDQTAeFw0wODA2MjIxNDM2MDZaFw0xODA2MjAxNDM2MDZaMEgx
+CzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQD
+ExVzdHJvbmdTd2FuIEVDIFJvb3QgQ0EwgZswEAYHKoZIzj0CAQYFK4EEACMDgYYA
+BAEUx1NvjNKzbDHaRPMsqIf/6SbUpzBa78N/WIyF6rYj8e5McAqfTfzUfFJZYoQn
+/mbP3VfjOxRuMDjrlfvdgMxwkwFDigWQfHg3CJbS7eQjjO1MrxxIJUtfSTnF29tM
+h6IYMdxaZKloCGCOrpmGCGdxD2/KwoX1SA3BlnjaNt7kSTonkqOBujCBtzAPBgNV
+HRMBAf8EBTADAQH/MAsGA1UdDwQEAwIBBjAdBgNVHQ4EFgQUul35cbYTtWrR3bo2
+t6rSwe6P2NIweAYDVR0jBHEwb4AUul35cbYTtWrR3bo2t6rSwe6P2NKhTKRKMEgx
+CzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQD
+ExVzdHJvbmdTd2FuIEVDIFJvb3QgQ0GCCQD2onV+Iu+miTAJBgcqhkjOPQQBA4GM
+ADCBiAJCAL5pU3X6NYWjOYe0cxrah27UxtUDLUNkFG/Ojl+gOH4QB0CKY0HXNyrq
+cgba73dXF/U0Cg3Ij/9g4Kd9GgYq0GlSAkIAqgqMKqXni8wbeGMJE2Mn2/8aHM3Q
+3flpHSoeNWOe/VzpRviw+VRgA4vbhhKUXBtQSiea77/DXLwOp5w7rkBoEUg=
+-----END CERTIFICATE-----
diff --git a/testing/tests/openssl-ikev2/rw-cpa/hosts/carol/etc/ipsec.d/certs/carolCert.pem b/testing/tests/openssl-ikev2/rw-cpa/hosts/carol/etc/ipsec.d/certs/carolCert.pem
new file mode 100644
index 000000000..29709926a
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-cpa/hosts/carol/etc/ipsec.d/certs/carolCert.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC7zCCAlGgAwIBAgIBBDAJBgcqhkjOPQQBMEgxCzAJBgNVBAYTAkNIMRkwFwYD
+VQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQDExVzdHJvbmdTd2FuIEVDIFJv
+b3QgQ0EwHhcNMDgwNjIyMTYyOTE4WhcNMTMwNjIxMTYyOTE4WjBfMQswCQYDVQQG
+EwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEWMBQGA1UECxMNRUNEU0Eg
+MjU2IGJpdDEdMBsGA1UEAxQUY2Fyb2xAc3Ryb25nc3dhbi5vcmcwWTATBgcqhkjO
+PQIBBggqhkjOPQMBBwNCAAQgp/Z/GgzvVCDdVcIYqERml0KroZEaVqiF8uy8dlTS
+4mxNs6snDdEWh/LzXTd3NVnCihT2XgHxOk8NrX4hBMMYo4IBFDCCARAwCQYDVR0T
+BAIwADALBgNVHQ8EBAMCA6gwHQYDVR0OBBYEFLdhGhurno1dU2SMx7UGXpa/lgJ9
+MHgGA1UdIwRxMG+AFLpd+XG2E7Vq0d26Nreq0sHuj9jSoUykSjBIMQswCQYDVQQG
+EwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UEAxMVc3Ryb25n
+U3dhbiBFQyBSb290IENBggkA9qJ1fiLvpokwHwYDVR0RBBgwFoEUY2Fyb2xAc3Ry
+b25nc3dhbi5vcmcwPAYDVR0fBDUwMzAxoC+gLYYraHR0cDovL2NybC5zdHJvbmdz
+d2FuLm9yZy9zdHJvbmdzd2FuX2VjLmNybDAJBgcqhkjOPQQBA4GMADCBiAJCATa+
+sBFW3vCx/JgLyxU85F2QuLO0/zdNBhIU0kN7kr1cYBBr8mpbhuNKm6iFe2DsFJZx
+ii3DQjwvG46is2Njzi4vAkIA72lPodCDtAFpD/2PUxjzo6xTAFazUejobkdDTUXn
+s0f8qIzzeQuTwLbp6pDmR/JGzhAeRvQT82njCo0PJ8Hbz1c=
+-----END CERTIFICATE-----
diff --git a/testing/tests/openssl-ikev2/rw-cpa/hosts/carol/etc/ipsec.d/private/carolKey.pem b/testing/tests/openssl-ikev2/rw-cpa/hosts/carol/etc/ipsec.d/private/carolKey.pem
new file mode 100644
index 000000000..43621f711
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-cpa/hosts/carol/etc/ipsec.d/private/carolKey.pem
@@ -0,0 +1,5 @@
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEIK+8T+EmoyNMwjq+GDC7UnYrx4TR8hu7h85IgNiTOQUNoAoGCCqGSM49
+AwEHoUQDQgAEIKf2fxoM71Qg3VXCGKhEZpdCq6GRGlaohfLsvHZU0uJsTbOrJw3R
+Fofy8103dzVZwooU9l4B8TpPDa1+IQTDGA==
+-----END EC PRIVATE KEY-----
diff --git a/testing/tests/openssl-ikev2/rw-cpa/hosts/carol/etc/ipsec.secrets b/testing/tests/openssl-ikev2/rw-cpa/hosts/carol/etc/ipsec.secrets
new file mode 100644
index 000000000..3d6725162
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-cpa/hosts/carol/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: ECDSA carolKey.pem
diff --git a/testing/tests/openssl-ikev2/rw-cpa/hosts/carol/etc/iptables.flush b/testing/tests/openssl-ikev2/rw-cpa/hosts/carol/etc/iptables.flush
new file mode 100644
index 000000000..b3ab63c51
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-cpa/hosts/carol/etc/iptables.flush
@@ -0,0 +1,21 @@
+*filter
+
+-F
+
+-P INPUT ACCEPT
+-P OUTPUT ACCEPT
+-P FORWARD ACCEPT
+
+COMMIT
+
+*nat
+
+-F
+
+COMMIT
+
+*mangle
+
+-F
+
+COMMIT
diff --git a/testing/tests/openssl-ikev2/rw-cpa/hosts/carol/etc/iptables.rules b/testing/tests/openssl-ikev2/rw-cpa/hosts/carol/etc/iptables.rules
new file mode 100644
index 000000000..3d99c0197
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-cpa/hosts/carol/etc/iptables.rules
@@ -0,0 +1,32 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow esp
+-A INPUT  -i eth0 -p 50 -j ACCEPT
+-A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+# allow IKE
+-A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT  -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT  -i eth0 -p tcp --sport 80 -s 192.168.0.150 -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d 192.168.0.150 -j ACCEPT
+
+# allow traffic tunnelled via IPsec
+-A INPUT  -i eth0 -m policy --dir in  --pol ipsec --proto esp -j ACCEPT
+-A OUTPUT -o eth0 -m policy --dir out --pol ipsec --proto esp -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/openssl-ikev2/rw-cpa/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev2/rw-cpa/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..128d4f2d9
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-cpa/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,20 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = test-vectors soup pem pkcs1 pkcs8 random nonce x509 revocation openssl stroke kernel-netlink socket-default
+
+  initiator_only = yes
+}
+
+libstrongswan {
+  integrity_test = yes
+  crypto_test {
+    required = yes
+    on_add = yes
+  }
+  plugins {
+    openssl {
+      fips_mode = 2
+    }
+  }
+}
diff --git a/testing/tests/openssl-ikev2/rw-cpa/hosts/dave/etc/ipsec.conf b/testing/tests/openssl-ikev2/rw-cpa/hosts/dave/etc/ipsec.conf
new file mode 100644
index 000000000..22fcb3eb5
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-cpa/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,21 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+	ike=aes128gcm128-prfsha256-ecp256!
+	esp=aes128gcm128-ecp256!
+
+conn peer
+	left=PH_IP_DAVE
+	leftcert=daveCert.pem
+	leftid=dave@strongswan.org
+	leftfirewall=yes
+	right=PH_IP_CAROL
+	rightid=carol@strongswan.org
+	auto=add
diff --git a/testing/tests/openssl-ikev2/rw-cpa/hosts/dave/etc/ipsec.d/cacerts/strongswanCert.pem b/testing/tests/openssl-ikev2/rw-cpa/hosts/dave/etc/ipsec.d/cacerts/strongswanCert.pem
new file mode 100644
index 000000000..3480a434a
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-cpa/hosts/dave/etc/ipsec.d/cacerts/strongswanCert.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICyDCCAiqgAwIBAgIJAPaidX4i76aJMAkGByqGSM49BAEwSDELMAkGA1UEBhMC
+Q0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xHjAcBgNVBAMTFXN0cm9uZ1N3
+YW4gRUMgUm9vdCBDQTAeFw0wODA2MjIxNDM2MDZaFw0xODA2MjAxNDM2MDZaMEgx
+CzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQD
+ExVzdHJvbmdTd2FuIEVDIFJvb3QgQ0EwgZswEAYHKoZIzj0CAQYFK4EEACMDgYYA
+BAEUx1NvjNKzbDHaRPMsqIf/6SbUpzBa78N/WIyF6rYj8e5McAqfTfzUfFJZYoQn
+/mbP3VfjOxRuMDjrlfvdgMxwkwFDigWQfHg3CJbS7eQjjO1MrxxIJUtfSTnF29tM
+h6IYMdxaZKloCGCOrpmGCGdxD2/KwoX1SA3BlnjaNt7kSTonkqOBujCBtzAPBgNV
+HRMBAf8EBTADAQH/MAsGA1UdDwQEAwIBBjAdBgNVHQ4EFgQUul35cbYTtWrR3bo2
+t6rSwe6P2NIweAYDVR0jBHEwb4AUul35cbYTtWrR3bo2t6rSwe6P2NKhTKRKMEgx
+CzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQD
+ExVzdHJvbmdTd2FuIEVDIFJvb3QgQ0GCCQD2onV+Iu+miTAJBgcqhkjOPQQBA4GM
+ADCBiAJCAL5pU3X6NYWjOYe0cxrah27UxtUDLUNkFG/Ojl+gOH4QB0CKY0HXNyrq
+cgba73dXF/U0Cg3Ij/9g4Kd9GgYq0GlSAkIAqgqMKqXni8wbeGMJE2Mn2/8aHM3Q
+3flpHSoeNWOe/VzpRviw+VRgA4vbhhKUXBtQSiea77/DXLwOp5w7rkBoEUg=
+-----END CERTIFICATE-----
diff --git a/testing/tests/openssl-ikev2/rw-cpa/hosts/dave/etc/ipsec.d/certs/daveCert.pem b/testing/tests/openssl-ikev2/rw-cpa/hosts/dave/etc/ipsec.d/certs/daveCert.pem
new file mode 100644
index 000000000..075d8f1e5
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-cpa/hosts/dave/etc/ipsec.d/certs/daveCert.pem
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDCTCCAmygAwIBAgIBAzAJBgcqhkjOPQQBMEgxCzAJBgNVBAYTAkNIMRkwFwYD
+VQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQDExVzdHJvbmdTd2FuIEVDIFJv
+b3QgQ0EwHhcNMDgwNjIyMTYxMzU5WhcNMTMwNjIxMTYxMzU5WjBeMQswCQYDVQQG
+EwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEWMBQGA1UECxMNRUNEU0Eg
+Mzg0IGJpdDEcMBoGA1UEAxQTZGF2ZUBzdHJvbmdzd2FuLm9yZzB2MBAGByqGSM49
+AgEGBSuBBAAiA2IABPxEg8AaVNAwCXqg0p21Zc7YzPLA3voAWf233CZJpsjb1w3y
+IeTUeIeGU7aLWAyuXgeBsx+lKzWy00LzPELOgK+3ulTHzBZg7s8kMGhwPWfV4JLA
+zrso5+i64+Y4wvRCBaOCARMwggEPMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0G
+A1UdDgQWBBQxJAy8gaP3RNBt1WTD27/IMzANmTB4BgNVHSMEcTBvgBS6XflxthO1
+atHduja3qtLB7o/Y0qFMpEowSDELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4
+IHN0cm9uZ1N3YW4xHjAcBgNVBAMTFXN0cm9uZ1N3YW4gRUMgUm9vdCBDQYIJAPai
+dX4i76aJMB4GA1UdEQQXMBWBE2RhdmVAc3Ryb25nc3dhbi5vcmcwPAYDVR0fBDUw
+MzAxoC+gLYYraHR0cDovL2NybC5zdHJvbmdzd2FuLm9yZy9zdHJvbmdzd2FuX2Vj
+LmNybDAJBgcqhkjOPQQBA4GLADCBhwJCAZaqaroyGwqd7nb5dVVWjTK8glVzDFJH
+ru4F6R+7fDCGEOaFlxf4GRkSrvQQA8vfgo6Md9XjBwq0r+9s3xt5xJjJAkElSo1/
+wyn8KQ3XN07UIaMvPctipq2OgpfteQK/F81CtZ+YCLEQt3xT7NQpriaKwGQxJAQv
+g+Z+grJzTppAqpwRpg==
+-----END CERTIFICATE-----
diff --git a/testing/tests/openssl-ikev2/rw-cpa/hosts/dave/etc/ipsec.d/private/daveKey.pem b/testing/tests/openssl-ikev2/rw-cpa/hosts/dave/etc/ipsec.d/private/daveKey.pem
new file mode 100644
index 000000000..f628f88e5
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-cpa/hosts/dave/etc/ipsec.d/private/daveKey.pem
@@ -0,0 +1,6 @@
+-----BEGIN EC PRIVATE KEY-----
+MIGkAgEBBDCF8kl4ftfgcvWH2myFxhc22CUT63uPy28fqUMibnpRS/wf/pfxIrVX
++BhxpUhWS2agBwYFK4EEACKhZANiAAT8RIPAGlTQMAl6oNKdtWXO2MzywN76AFn9
+t9wmSabI29cN8iHk1HiHhlO2i1gMrl4HgbMfpSs1stNC8zxCzoCvt7pUx8wWYO7P
+JDBocD1n1eCSwM67KOfouuPmOML0QgU=
+-----END EC PRIVATE KEY-----
diff --git a/testing/tests/openssl-ikev2/rw-cpa/hosts/dave/etc/ipsec.secrets b/testing/tests/openssl-ikev2/rw-cpa/hosts/dave/etc/ipsec.secrets
new file mode 100644
index 000000000..ebd3a2839
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-cpa/hosts/dave/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: ECDSA daveKey.pem
diff --git a/testing/tests/openssl-ikev2/rw-cpa/hosts/dave/etc/iptables.flush b/testing/tests/openssl-ikev2/rw-cpa/hosts/dave/etc/iptables.flush
new file mode 100644
index 000000000..b3ab63c51
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-cpa/hosts/dave/etc/iptables.flush
@@ -0,0 +1,21 @@
+*filter
+
+-F
+
+-P INPUT ACCEPT
+-P OUTPUT ACCEPT
+-P FORWARD ACCEPT
+
+COMMIT
+
+*nat
+
+-F
+
+COMMIT
+
+*mangle
+
+-F
+
+COMMIT
diff --git a/testing/tests/openssl-ikev2/rw-cpa/hosts/dave/etc/iptables.rules b/testing/tests/openssl-ikev2/rw-cpa/hosts/dave/etc/iptables.rules
new file mode 100644
index 000000000..3d99c0197
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-cpa/hosts/dave/etc/iptables.rules
@@ -0,0 +1,32 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow esp
+-A INPUT  -i eth0 -p 50 -j ACCEPT
+-A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+# allow IKE
+-A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT  -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT  -i eth0 -p tcp --sport 80 -s 192.168.0.150 -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d 192.168.0.150 -j ACCEPT
+
+# allow traffic tunnelled via IPsec
+-A INPUT  -i eth0 -m policy --dir in  --pol ipsec --proto esp -j ACCEPT
+-A OUTPUT -o eth0 -m policy --dir out --pol ipsec --proto esp -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/openssl-ikev2/rw-cpa/hosts/dave/etc/strongswan.conf b/testing/tests/openssl-ikev2/rw-cpa/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..958a502c2
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-cpa/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,23 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = test-vectors soup pem pkcs1 pkcs8 random nonce x509 revocation openssl stroke kernel-netlink socket-default
+
+  retransmit_timeout = 2
+  retransmit_base = 1.5
+  retransmit_tries = 3 
+  initiator_only = yes
+}
+
+libstrongswan {
+  integrity_test = yes
+  crypto_test {
+    required = yes
+    on_add = yes
+  }
+  plugins {
+    openssl {
+      fips_mode = 2
+    }
+  }
+}
diff --git a/testing/tests/openssl-ikev2/rw-cpa/hosts/moon/etc/ipsec.conf b/testing/tests/openssl-ikev2/rw-cpa/hosts/moon/etc/ipsec.conf
new file mode 100644
index 000000000..f7044e51d
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-cpa/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,21 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekey=no
+	reauth=no
+	keyexchange=ikev2
+	ike=aes128gcm128-prfsha256-ecp256!
+	esp=aes128gcm128-ecp256!
+
+conn rw
+	left=PH_IP_MOON
+	leftcert=moonCert.pem
+	leftid=@moon.strongswan.org
+	leftsubnet=10.1.0.0/16
+	leftfirewall=yes
+	right=%any
+	auto=add
diff --git a/testing/tests/openssl-ikev2/rw-cpa/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem b/testing/tests/openssl-ikev2/rw-cpa/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem
new file mode 100644
index 000000000..3480a434a
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-cpa/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICyDCCAiqgAwIBAgIJAPaidX4i76aJMAkGByqGSM49BAEwSDELMAkGA1UEBhMC
+Q0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xHjAcBgNVBAMTFXN0cm9uZ1N3
+YW4gRUMgUm9vdCBDQTAeFw0wODA2MjIxNDM2MDZaFw0xODA2MjAxNDM2MDZaMEgx
+CzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQD
+ExVzdHJvbmdTd2FuIEVDIFJvb3QgQ0EwgZswEAYHKoZIzj0CAQYFK4EEACMDgYYA
+BAEUx1NvjNKzbDHaRPMsqIf/6SbUpzBa78N/WIyF6rYj8e5McAqfTfzUfFJZYoQn
+/mbP3VfjOxRuMDjrlfvdgMxwkwFDigWQfHg3CJbS7eQjjO1MrxxIJUtfSTnF29tM
+h6IYMdxaZKloCGCOrpmGCGdxD2/KwoX1SA3BlnjaNt7kSTonkqOBujCBtzAPBgNV
+HRMBAf8EBTADAQH/MAsGA1UdDwQEAwIBBjAdBgNVHQ4EFgQUul35cbYTtWrR3bo2
+t6rSwe6P2NIweAYDVR0jBHEwb4AUul35cbYTtWrR3bo2t6rSwe6P2NKhTKRKMEgx
+CzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQD
+ExVzdHJvbmdTd2FuIEVDIFJvb3QgQ0GCCQD2onV+Iu+miTAJBgcqhkjOPQQBA4GM
+ADCBiAJCAL5pU3X6NYWjOYe0cxrah27UxtUDLUNkFG/Ojl+gOH4QB0CKY0HXNyrq
+cgba73dXF/U0Cg3Ij/9g4Kd9GgYq0GlSAkIAqgqMKqXni8wbeGMJE2Mn2/8aHM3Q
+3flpHSoeNWOe/VzpRviw+VRgA4vbhhKUXBtQSiea77/DXLwOp5w7rkBoEUg=
+-----END CERTIFICATE-----
diff --git a/testing/tests/openssl-ikev2/rw-cpa/hosts/moon/etc/ipsec.d/certs/moonCert.pem b/testing/tests/openssl-ikev2/rw-cpa/hosts/moon/etc/ipsec.d/certs/moonCert.pem
new file mode 100644
index 000000000..5178c7f38
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-cpa/hosts/moon/etc/ipsec.d/certs/moonCert.pem
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDMDCCApKgAwIBAgIBATAJBgcqhkjOPQQBMEgxCzAJBgNVBAYTAkNIMRkwFwYD
+VQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQDExVzdHJvbmdTd2FuIEVDIFJv
+b3QgQ0EwHhcNMDgwNjIyMTQ0MzA3WhcNMTMwNjIxMTQ0MzA3WjBeMQswCQYDVQQG
+EwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEWMBQGA1UECxMNRUNEU0Eg
+NTIxIGJpdDEcMBoGA1UEAxMTbW9vbi5zdHJvbmdzd2FuLm9yZzCBmzAQBgcqhkjO
+PQIBBgUrgQQAIwOBhgAEALmnl/PUy9v7Qsc914kdzY+TQ6VY2192oRoa9SkpxXrs
+5GnWSJoz3yinpPHdchH0UknKt/C2Ik2k7izDH/Zau5gNAD1PqBrYWtcP+sLnH1G9
+BTibraniAUSpSaDhiWrfTteRNWqkzZI37a6YfKcBZozQcvYMW1co15EwZTptqykX
+Eepuo4IBEzCCAQ8wCQYDVR0TBAIwADALBgNVHQ8EBAMCA6gwHQYDVR0OBBYEFDVU
+Hzs47lOG0dHsezm6aFqdwJwfMHgGA1UdIwRxMG+AFLpd+XG2E7Vq0d26Nreq0sHu
+j9jSoUykSjBIMQswCQYDVQQGEwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dh
+bjEeMBwGA1UEAxMVc3Ryb25nU3dhbiBFQyBSb290IENBggkA9qJ1fiLvpokwHgYD
+VR0RBBcwFYITbW9vbi5zdHJvbmdzd2FuLm9yZzA8BgNVHR8ENTAzMDGgL6Athito
+dHRwOi8vY3JsLnN0cm9uZ3N3YW4ub3JnL3N0cm9uZ3N3YW5fZWMuY3JsMAkGByqG
+SM49BAEDgYwAMIGIAkIBDgZs1pXvm8SwT9S1m6nIHwuZsJDsDri/PWM6NXdMUXEt
+l0p8cfq8PbJlK/0+eLz8Ec1zpWuF5vasFHkVhauHdnECQgEVuYTrlry9gAx7G4kH
+mne2yDxTclEDziWxPG4UkZbkGttf9eZlsXmNoX/Z/fojXxMYZaPqM3eOT2h6ezMD
+CI9WpQ==
+-----END CERTIFICATE-----
diff --git a/testing/tests/openssl-ikev2/rw-cpa/hosts/moon/etc/ipsec.d/private/moonKey.pem b/testing/tests/openssl-ikev2/rw-cpa/hosts/moon/etc/ipsec.d/private/moonKey.pem
new file mode 100644
index 000000000..beab0485f
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-cpa/hosts/moon/etc/ipsec.d/private/moonKey.pem
@@ -0,0 +1,7 @@
+-----BEGIN EC PRIVATE KEY-----
+MIHcAgEBBEIBrBxHEGICJRNkhm0HWfARp+dIzm6Lw7eCbQXNM6jSGL4DVNDVCV42
+yOKQqifWEcNWxO+wWtBaz91IF5hz/m4TbOGgBwYFK4EEACOhgYkDgYYABAC5p5fz
+1Mvb+0LHPdeJHc2Pk0OlWNtfdqEaGvUpKcV67ORp1kiaM98op6Tx3XIR9FJJyrfw
+tiJNpO4swx/2WruYDQA9T6ga2FrXD/rC5x9RvQU4m62p4gFEqUmg4Ylq307XkTVq
+pM2SN+2umHynAWaM0HL2DFtXKNeRMGU6baspFxHqbg==
+-----END EC PRIVATE KEY-----
diff --git a/testing/tests/openssl-ikev2/rw-cpa/hosts/moon/etc/ipsec.secrets b/testing/tests/openssl-ikev2/rw-cpa/hosts/moon/etc/ipsec.secrets
new file mode 100644
index 000000000..1ef3eccb5
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-cpa/hosts/moon/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: ECDSA moonKey.pem
diff --git a/testing/tests/openssl-ikev2/rw-cpa/hosts/moon/etc/iptables.flush b/testing/tests/openssl-ikev2/rw-cpa/hosts/moon/etc/iptables.flush
new file mode 100644
index 000000000..b3ab63c51
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-cpa/hosts/moon/etc/iptables.flush
@@ -0,0 +1,21 @@
+*filter
+
+-F
+
+-P INPUT ACCEPT
+-P OUTPUT ACCEPT
+-P FORWARD ACCEPT
+
+COMMIT
+
+*nat
+
+-F
+
+COMMIT
+
+*mangle
+
+-F
+
+COMMIT
diff --git a/testing/tests/openssl-ikev2/rw-cpa/hosts/moon/etc/iptables.rules b/testing/tests/openssl-ikev2/rw-cpa/hosts/moon/etc/iptables.rules
new file mode 100644
index 000000000..cc12d1659
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-cpa/hosts/moon/etc/iptables.rules
@@ -0,0 +1,32 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow esp
+-A INPUT  -i eth0 -p 50 -j ACCEPT
+-A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+# allow IKE
+-A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT  -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT  -i eth0 -p tcp --sport 80 -s 192.168.0.150 -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d 192.168.0.150 -j ACCEPT
+
+# allow traffic tunnelled via IPsec
+-A FORWARD -i eth0 -o eth1 -m policy --dir in  --pol ipsec --proto esp -j ACCEPT
+-A FORWARD -o eth0 -i eth1 -m policy --dir out --pol ipsec --proto esp -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/openssl-ikev2/rw-cpa/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev2/rw-cpa/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..fc49f9fd2
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-cpa/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,18 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = test-vectors soup pem pkcs1 pkcs8 random nonce x509 revocation openssl stroke kernel-netlink socket-default
+}
+
+libstrongswan {
+  integrity_test = yes
+  crypto_test {
+    required = yes
+    on_add = yes
+  }
+  plugins {
+    openssl {
+      fips_mode = 2 
+    }
+  }
+}
diff --git a/testing/tests/openssl-ikev2/rw-cpa/posttest.dat b/testing/tests/openssl-ikev2/rw-cpa/posttest.dat
new file mode 100644
index 000000000..1865a1c60
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-cpa/posttest.dat
@@ -0,0 +1,6 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/openssl-ikev2/rw-cpa/pretest.dat b/testing/tests/openssl-ikev2/rw-cpa/pretest.dat
new file mode 100644
index 000000000..fc7173430
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-cpa/pretest.dat
@@ -0,0 +1,9 @@
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
+moon::ipsec start
+carol::ipsec start
+dave::ipsec start
+carol::sleep 1
+dave::ipsec up peer
+carol::ipsec up home
diff --git a/testing/tests/openssl-ikev2/rw-cpa/test.conf b/testing/tests/openssl-ikev2/rw-cpa/test.conf
new file mode 100644
index 000000000..f29298850
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-cpa/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-d.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/tnc/tnccs-20-os/evaltest.dat b/testing/tests/tnc/tnccs-20-os/evaltest.dat
index 3c13e5ffa..c780c4a48 100644
--- a/testing/tests/tnc/tnccs-20-os/evaltest.dat
+++ b/testing/tests/tnc/tnccs-20-os/evaltest.dat
@@ -6,8 +6,10 @@ dave:: cat /var/log/daemon.log::PB-TNC access recommendation is 'Quarantined'::Y
 dave:: cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
 dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
 dave:: cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES
+moon:: ipsec attest --devices 2> /dev/null::Debian 7.0 x86_64.*carol@strongswan.org::YES
 moon:: cat /var/log/daemon.log::added group membership 'allow'::YES
 moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
+moon:: ipsec attest --devices 2> /dev/null::Windows 1.2.3.*dave@strongswan.org::YES
 moon:: cat /var/log/daemon.log::added group membership 'isolate'::YES
 moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES
 moon:: ipsec statusall 2> /dev/null::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES
@@ -16,4 +18,3 @@ carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
 carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::NO
 dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES
 dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::NO
-
diff --git a/testing/tests/tnc/tnccs-20-os/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-os/hosts/moon/etc/strongswan.conf
index b11617cb2..0927c88b0 100644
--- a/testing/tests/tnc/tnccs-20-os/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-20-os/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-imv tnc-tnccs tnccs-20 updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-imv tnc-tnccs tnccs-20 updown sqlite
   multiple_authentication=no
   plugins {
     eap-ttls {
@@ -18,7 +18,14 @@ charon {
 libimcv {
   plugins {
     imv-os {
+      database = sqlite:///etc/pts/config.db
       request_installed_packages = yes 
     }
   }
 }
+
+attest {
+  load = random nonce openssl sqlite
+  database = sqlite:///etc/pts/config.db
+}
+
diff --git a/testing/tests/tnc/tnccs-20-os/posttest.dat b/testing/tests/tnc/tnccs-20-os/posttest.dat
index 74b902c69..48514d6e0 100644
--- a/testing/tests/tnc/tnccs-20-os/posttest.dat
+++ b/testing/tests/tnc/tnccs-20-os/posttest.dat
@@ -5,3 +5,4 @@ moon::iptables-restore < /etc/iptables.flush
 carol::iptables-restore < /etc/iptables.flush
 dave::iptables-restore < /etc/iptables.flush
 carol::echo 1 > /proc/sys/net/ipv4/ip_forward
+moon::rm /etc/pts/config.db
diff --git a/testing/tests/tnc/tnccs-20-os/pretest.dat b/testing/tests/tnc/tnccs-20-os/pretest.dat
index 8169afab2..28f2f339c 100644
--- a/testing/tests/tnc/tnccs-20-os/pretest.dat
+++ b/testing/tests/tnc/tnccs-20-os/pretest.dat
@@ -2,6 +2,8 @@ moon::iptables-restore < /etc/iptables.rules
 carol::iptables-restore < /etc/iptables.rules
 dave::iptables-restore < /etc/iptables.rules
 carol::echo 0 > /proc/sys/net/ipv4/ip_forward
+dave::echo aabbccddeeff11223344556677889900 > /var/lib/dbus/machine-id
+moon::cd /etc/pts; cat tables.sql data.sql | sqlite3 config.db
 moon::cat /etc/tnc_config
 carol::cat /etc/tnc_config
 dave::cat /etc/tnc_config
@@ -12,3 +14,5 @@ carol::sleep 1
 carol::ipsec up home
 dave::ipsec up home
 dave::sleep 1
+moon::ipsec attest --packages --product 'Debian 7.0'
+moon::ipsec attest --devices
-- 
cgit v1.2.3


From 6b99c8d9cff7b3e8ae8f3204b99e7ea40f791349 Mon Sep 17 00:00:00 2001
From: Yves-Alexis Perez <corsac@debian.org>
Date: Sun, 25 Aug 2013 15:37:26 +0200
Subject: Imported Upstream version 5.1.0

---
 Android.common.mk                                  |   13 +-
 Android.common.mk.in                               |   11 +
 Android.mk                                         |    3 +-
 Makefile.am                                        |   44 +-
 Makefile.in                                        |   53 +-
 NEWS                                               |   83 +
 aclocal.m4                                         |   57 +
 config.h.in                                        |    5 +-
 configure                                          |  669 ++++++-
 configure.ac                                       | 1486 +++++++++++++++
 configure.in                                       | 1416 --------------
 init/Makefile.in                                   |   15 +-
 init/systemd/Makefile.am                           |    1 +
 init/systemd/Makefile.in                           |   16 +-
 man/Makefile.am                                    |    2 +-
 man/Makefile.in                                    |   16 +-
 man/ipsec.conf.5                                   |   80 +-
 man/ipsec.conf.5.in                                |   78 +-
 man/ipsec.secrets.5                                |   23 +-
 man/ipsec.secrets.5.in                             |   21 +-
 man/strongswan.conf.5                              |  138 +-
 man/strongswan.conf.5.in                           |  138 +-
 scripts/Makefile.am                                |   11 +-
 scripts/Makefile.in                                |  115 +-
 scripts/crypt_burn.c                               |    2 +-
 scripts/dh_speed.c                                 |    2 +-
 scripts/dnssec.c                                   |    2 +-
 scripts/fetch.c                                    |    2 +-
 scripts/hash_burn.c                                |    2 +-
 scripts/key2keyid.c                                |    2 +-
 scripts/keyid2sql.c                                |    2 +-
 scripts/malloc_speed.c                             |   85 +
 scripts/pubkey_speed.c                             |    2 +-
 scripts/tls_test.c                                 |    2 +-
 src/Makefile.am                                    |    4 +
 src/Makefile.in                                    |   20 +-
 src/_copyright/Makefile.am                         |    4 +-
 src/_copyright/Makefile.in                         |   67 +-
 src/_updown/Makefile.am                            |    1 +
 src/_updown/Makefile.in                            |   16 +-
 src/_updown/_updown.in                             |    3 +
 src/_updown_espmark/Makefile.in                    |   15 +-
 src/charon-cmd/Makefile.am                         |   32 +
 src/charon-cmd/Makefile.in                         |  812 ++++++++
 src/charon-cmd/charon-cmd.8                        |  161 ++
 src/charon-cmd/charon-cmd.8.in                     |  161 ++
 src/charon-cmd/charon-cmd.c                        |  404 ++++
 src/charon-cmd/cmd/cmd_connection.c                |  498 +++++
 src/charon-cmd/cmd/cmd_connection.h                |   60 +
 src/charon-cmd/cmd/cmd_creds.c                     |  291 +++
 src/charon-cmd/cmd/cmd_creds.h                     |   55 +
 src/charon-cmd/cmd/cmd_options.c                   |   65 +
 src/charon-cmd/cmd/cmd_options.h                   |   76 +
 src/charon-nm/Makefile.am                          |   18 +-
 src/charon-nm/Makefile.in                          |  145 +-
 src/charon-nm/charon-nm.c                          |   28 +-
 src/charon-nm/nm/nm_backend.c                      |    9 +-
 src/charon-tkm/Makefile.am                         |    4 +-
 src/charon-tkm/Makefile.in                         |   19 +-
 src/charon-tkm/src/charon-tkm.c                    |   11 +-
 src/charon-tkm/src/tkm/tkm_kernel_ipsec.c          |    5 +-
 src/charon/Makefile.am                             |    7 +-
 src/charon/Makefile.in                             |   69 +-
 src/charon/charon.c                                |   32 +-
 src/checksum/Makefile.am                           |   18 +-
 src/checksum/Makefile.in                           |   93 +-
 src/conftest/Makefile.am                           |   10 +-
 src/conftest/Makefile.in                           |  441 ++---
 src/conftest/conftest.c                            |    4 +-
 src/dumm/Makefile.am                               |   10 +-
 src/dumm/Makefile.in                               |   77 +-
 src/dumm/bridge.c                                  |    2 +-
 src/dumm/ext/dumm.c                                |    1 +
 src/dumm/ext/lib/dumm.rb                           |    3 +-
 src/include/Makefile.in                            |   15 +-
 src/ipsec/Makefile.am                              |    2 +
 src/ipsec/Makefile.in                              |   17 +-
 src/ipsec/_ipsec.8                                 |    8 +-
 src/ipsec/_ipsec.8.in                              |    8 +-
 src/ipsec/_ipsec.in                                |    6 +-
 src/libcharon/Android.mk                           |   33 +-
 src/libcharon/Makefile.am                          |   20 +-
 src/libcharon/Makefile.in                          | 1126 +++++------
 src/libcharon/bus/bus.c                            |  102 +-
 src/libcharon/bus/bus.h                            |   20 +-
 src/libcharon/bus/listeners/listener.h             |    2 +-
 src/libcharon/bus/listeners/logger.h               |   28 +-
 src/libcharon/bus/listeners/sys_logger.c           |    1 +
 src/libcharon/config/child_cfg.c                   |   31 +-
 src/libcharon/config/child_cfg.h                   |   10 +-
 src/libcharon/config/peer_cfg.c                    |   12 +-
 src/libcharon/config/peer_cfg.h                    |    4 +-
 src/libcharon/config/proposal.c                    |  505 ++---
 src/libcharon/control/controller.c                 |    9 +-
 src/libcharon/daemon.c                             |   12 +-
 src/libcharon/daemon.h                             |    6 -
 src/libcharon/encoding/message.c                   |  188 +-
 src/libcharon/encoding/message.h                   |   10 +-
 .../encoding/payloads/proposal_substructure.c      |    6 +-
 src/libcharon/encoding/payloads/sa_payload.c       |    5 +
 src/libcharon/network/receiver.c                   |    6 +-
 src/libcharon/network/socket.h                     |   43 +-
 src/libcharon/network/socket_manager.c             |   14 +
 src/libcharon/network/socket_manager.h             |   15 +-
 src/libcharon/plugins/addrblock/Makefile.am        |    8 +-
 src/libcharon/plugins/addrblock/Makefile.in        |   73 +-
 src/libcharon/plugins/addrblock/addrblock_plugin.c |   39 +-
 .../plugins/addrblock/addrblock_validator.c        |    7 +-
 src/libcharon/plugins/android_dns/Makefile.am      |   10 +-
 src/libcharon/plugins/android_dns/Makefile.in      |   73 +-
 .../plugins/android_dns/android_dns_plugin.c       |   36 +-
 src/libcharon/plugins/android_log/Makefile.am      |    8 +-
 src/libcharon/plugins/android_log/Makefile.in      |   73 +-
 .../plugins/android_log/android_log_plugin.c       |   14 +-
 src/libcharon/plugins/certexpire/Makefile.am       |   12 +-
 src/libcharon/plugins/certexpire/Makefile.in       |   76 +-
 .../plugins/certexpire/certexpire_export.c         |   98 +-
 .../plugins/certexpire/certexpire_plugin.c         |   34 +-
 src/libcharon/plugins/coupling/Makefile.am         |    8 +-
 src/libcharon/plugins/coupling/Makefile.in         |   73 +-
 src/libcharon/plugins/coupling/coupling_plugin.c   |   52 +-
 .../plugins/coupling/coupling_validator.c          |    4 +
 src/libcharon/plugins/dhcp/Makefile.am             |    8 +-
 src/libcharon/plugins/dhcp/Makefile.in             |   78 +-
 src/libcharon/plugins/dhcp/dhcp_plugin.c           |   74 +-
 src/libcharon/plugins/dhcp/dhcp_provider.c         |    7 +-
 src/libcharon/plugins/dhcp/dhcp_socket.c           |   20 +-
 src/libcharon/plugins/duplicheck/Makefile.am       |   15 +-
 src/libcharon/plugins/duplicheck/Makefile.in       |   81 +-
 src/libcharon/plugins/duplicheck/duplicheck.c      |   89 +-
 src/libcharon/plugins/duplicheck/duplicheck_msg.h  |   43 +
 .../plugins/duplicheck/duplicheck_notify.c         |  116 +-
 .../plugins/duplicheck/duplicheck_plugin.c         |   32 +-
 src/libcharon/plugins/eap_aka/Makefile.am          |   11 +-
 src/libcharon/plugins/eap_aka/Makefile.in          |   81 +-
 src/libcharon/plugins/eap_aka_3gpp2/Makefile.am    |   11 +-
 src/libcharon/plugins/eap_aka_3gpp2/Makefile.in    |   76 +-
 src/libcharon/plugins/eap_dynamic/Makefile.am      |    8 +-
 src/libcharon/plugins/eap_dynamic/Makefile.in      |   73 +-
 src/libcharon/plugins/eap_gtc/Makefile.am          |    8 +-
 src/libcharon/plugins/eap_gtc/Makefile.in          |   78 +-
 src/libcharon/plugins/eap_identity/Makefile.am     |    8 +-
 src/libcharon/plugins/eap_identity/Makefile.in     |   73 +-
 src/libcharon/plugins/eap_md5/Makefile.am          |    8 +-
 src/libcharon/plugins/eap_md5/Makefile.in          |   78 +-
 src/libcharon/plugins/eap_mschapv2/Makefile.am     |    8 +-
 src/libcharon/plugins/eap_mschapv2/Makefile.in     |   73 +-
 src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c  |   14 +-
 src/libcharon/plugins/eap_peap/Makefile.am         |   11 +-
 src/libcharon/plugins/eap_peap/Makefile.in         |   76 +-
 src/libcharon/plugins/eap_peap/eap_peap_plugin.h   |    5 -
 src/libcharon/plugins/eap_radius/Makefile.am       |   12 +-
 src/libcharon/plugins/eap_radius/Makefile.in       |   82 +-
 src/libcharon/plugins/eap_radius/eap_radius.c      |  116 +-
 src/libcharon/plugins/eap_radius/eap_radius.h      |   22 +
 .../plugins/eap_radius/eap_radius_accounting.c     |   30 +
 src/libcharon/plugins/eap_radius/eap_radius_dae.c  |   18 +-
 .../plugins/eap_radius/eap_radius_forward.c        |    3 +-
 .../plugins/eap_radius/eap_radius_plugin.c         |   79 +-
 .../plugins/eap_radius/eap_radius_provider.c       |  118 +-
 .../plugins/eap_radius/eap_radius_provider.h       |    8 +-
 .../plugins/eap_radius/eap_radius_xauth.c          |  202 ++
 .../plugins/eap_radius/eap_radius_xauth.h          |   49 +
 src/libcharon/plugins/eap_sim/Makefile.am          |   11 +-
 src/libcharon/plugins/eap_sim/Makefile.in          |   81 +-
 src/libcharon/plugins/eap_sim_file/Makefile.am     |   12 +-
 src/libcharon/plugins/eap_sim_file/Makefile.in     |   77 +-
 src/libcharon/plugins/eap_sim_pcsc/Makefile.am     |   12 +-
 src/libcharon/plugins/eap_sim_pcsc/Makefile.in     |   77 +-
 .../plugins/eap_sim_pcsc/eap_sim_pcsc_card.c       |    3 +-
 .../plugins/eap_simaka_pseudonym/Makefile.am       |   11 +-
 .../plugins/eap_simaka_pseudonym/Makefile.in       |   80 +-
 .../plugins/eap_simaka_reauth/Makefile.am          |   11 +-
 .../plugins/eap_simaka_reauth/Makefile.in          |   80 +-
 src/libcharon/plugins/eap_simaka_sql/Makefile.am   |   12 +-
 src/libcharon/plugins/eap_simaka_sql/Makefile.in   |   77 +-
 src/libcharon/plugins/eap_tls/Makefile.am          |   11 +-
 src/libcharon/plugins/eap_tls/Makefile.in          |   81 +-
 src/libcharon/plugins/eap_tls/eap_tls_plugin.h     |    5 -
 src/libcharon/plugins/eap_tnc/Makefile.am          |    6 +-
 src/libcharon/plugins/eap_tnc/Makefile.in          |   76 +-
 src/libcharon/plugins/eap_tnc/eap_tnc.c            |    2 +-
 src/libcharon/plugins/eap_ttls/Makefile.am         |   11 +-
 src/libcharon/plugins/eap_ttls/Makefile.in         |   76 +-
 src/libcharon/plugins/eap_ttls/eap_ttls_plugin.h   |    5 -
 src/libcharon/plugins/error_notify/Makefile.am     |   12 +-
 src/libcharon/plugins/error_notify/Makefile.in     |   78 +-
 src/libcharon/plugins/error_notify/error_notify.c  |   79 +-
 .../plugins/error_notify/error_notify_listener.c   |   54 +-
 .../plugins/error_notify/error_notify_msg.h        |    9 +-
 .../plugins/error_notify/error_notify_plugin.c     |   38 +-
 .../plugins/error_notify/error_notify_socket.c     |  112 +-
 src/libcharon/plugins/farp/Makefile.am             |    8 +-
 src/libcharon/plugins/farp/Makefile.in             |   78 +-
 src/libcharon/plugins/farp/farp_listener.c         |   24 +-
 src/libcharon/plugins/farp/farp_plugin.c           |   41 +-
 src/libcharon/plugins/farp/farp_spoofer.c          |   17 +-
 src/libcharon/plugins/ha/Makefile.am               |   12 +-
 src/libcharon/plugins/ha/Makefile.in               |   81 +-
 src/libcharon/plugins/ha/ha_child.c                |   16 +-
 src/libcharon/plugins/ha/ha_ctl.c                  |    4 +-
 src/libcharon/plugins/ha/ha_dispatcher.c           |   12 +-
 src/libcharon/plugins/ha/ha_kernel.c               |    4 +-
 src/libcharon/plugins/ha/ha_plugin.c               |   53 +-
 src/libcharon/plugins/ha/ha_tunnel.c               |    2 +-
 src/libcharon/plugins/ipseckey/Makefile.am         |    6 +-
 src/libcharon/plugins/ipseckey/Makefile.in         |   70 +-
 src/libcharon/plugins/ipseckey/ipseckey_cred.h     |    2 +-
 src/libcharon/plugins/ipseckey/ipseckey_plugin.c   |   95 +-
 src/libcharon/plugins/kernel_libipsec/Makefile.am  |   23 +
 src/libcharon/plugins/kernel_libipsec/Makefile.in  |  693 +++++++
 .../kernel_libipsec/kernel_libipsec_ipsec.c        |  701 +++++++
 .../kernel_libipsec/kernel_libipsec_ipsec.h        |   47 +
 .../kernel_libipsec/kernel_libipsec_plugin.c       |  149 ++
 .../kernel_libipsec/kernel_libipsec_plugin.h       |   44 +
 .../kernel_libipsec/kernel_libipsec_router.c       |  365 ++++
 .../kernel_libipsec/kernel_libipsec_router.h       |   65 +
 src/libcharon/plugins/led/Makefile.am              |    8 +-
 src/libcharon/plugins/led/Makefile.in              |   78 +-
 src/libcharon/plugins/led/led_plugin.c             |   33 +-
 src/libcharon/plugins/load_tester/Makefile.am      |   12 +-
 src/libcharon/plugins/load_tester/Makefile.in      |   78 +-
 src/libcharon/plugins/load_tester/load_tester.c    |    2 +-
 .../plugins/load_tester/load_tester_config.c       |    2 +-
 .../plugins/load_tester/load_tester_control.c      |  118 +-
 .../plugins/load_tester/load_tester_ipsec.c        |    4 +-
 .../plugins/load_tester/load_tester_plugin.c       |    1 -
 src/libcharon/plugins/lookip/Makefile.am           |   12 +-
 src/libcharon/plugins/lookip/Makefile.in           |   83 +-
 src/libcharon/plugins/lookip/lookip.c              |   89 +-
 src/libcharon/plugins/lookip/lookip_listener.c     |   21 +
 src/libcharon/plugins/lookip/lookip_listener.h     |    7 +
 src/libcharon/plugins/lookip/lookip_msg.h          |    6 +-
 src/libcharon/plugins/lookip/lookip_plugin.c       |   39 +-
 src/libcharon/plugins/lookip/lookip_socket.c       |  429 ++---
 src/libcharon/plugins/maemo/Makefile.am            |   13 +-
 src/libcharon/plugins/maemo/Makefile.in            |   82 +-
 src/libcharon/plugins/maemo/maemo_plugin.c         |   14 +-
 src/libcharon/plugins/medcli/Makefile.am           |    8 +-
 src/libcharon/plugins/medcli/Makefile.in           |   78 +-
 src/libcharon/plugins/medcli/medcli_plugin.c       |   95 +-
 src/libcharon/plugins/medsrv/Makefile.am           |    8 +-
 src/libcharon/plugins/medsrv/Makefile.in           |   78 +-
 src/libcharon/plugins/medsrv/medsrv_plugin.c       |   87 +-
 src/libcharon/plugins/osx_attr/Makefile.am         |   20 +
 src/libcharon/plugins/osx_attr/Makefile.in         |  689 +++++++
 src/libcharon/plugins/osx_attr/osx_attr_handler.c  |  246 +++
 src/libcharon/plugins/osx_attr/osx_attr_handler.h  |   49 +
 src/libcharon/plugins/osx_attr/osx_attr_plugin.c   |  102 +
 src/libcharon/plugins/osx_attr/osx_attr_plugin.h   |   42 +
 src/libcharon/plugins/radattr/Makefile.am          |   11 +-
 src/libcharon/plugins/radattr/Makefile.in          |   81 +-
 src/libcharon/plugins/radattr/radattr_plugin.c     |   33 +-
 src/libcharon/plugins/smp/Makefile.am              |   12 +-
 src/libcharon/plugins/smp/Makefile.in              |   82 +-
 src/libcharon/plugins/smp/smp.c                    |   28 +-
 src/libcharon/plugins/socket_default/Makefile.am   |   11 +-
 src/libcharon/plugins/socket_default/Makefile.in   |   76 +-
 .../plugins/socket_default/socket_default_plugin.c |    1 +
 .../plugins/socket_default/socket_default_socket.c |  159 +-
 src/libcharon/plugins/socket_dynamic/Makefile.am   |   11 +-
 src/libcharon/plugins/socket_dynamic/Makefile.in   |   76 +-
 .../plugins/socket_dynamic/socket_dynamic_plugin.c |    1 +
 .../plugins/socket_dynamic/socket_dynamic_socket.c |  138 +-
 src/libcharon/plugins/sql/Makefile.am              |    8 +-
 src/libcharon/plugins/sql/Makefile.in              |   77 +-
 src/libcharon/plugins/sql/sql_plugin.c             |   95 +-
 src/libcharon/plugins/stroke/Makefile.am           |   14 +-
 src/libcharon/plugins/stroke/Makefile.in           |   83 +-
 src/libcharon/plugins/stroke/stroke_config.c       |  136 +-
 src/libcharon/plugins/stroke/stroke_control.c      |    2 +-
 src/libcharon/plugins/stroke/stroke_cred.c         |  241 ++-
 src/libcharon/plugins/stroke/stroke_cred.h         |    7 +-
 src/libcharon/plugins/stroke/stroke_list.c         |   14 +-
 src/libcharon/plugins/stroke/stroke_plugin.c       |    4 +-
 src/libcharon/plugins/stroke/stroke_socket.c       |  346 ++--
 src/libcharon/plugins/systime_fix/Makefile.am      |    5 +-
 src/libcharon/plugins/systime_fix/Makefile.in      |   69 +-
 .../plugins/systime_fix/systime_fix_plugin.c       |   75 +-
 src/libcharon/plugins/tnc_ifmap/Makefile.am        |   11 +-
 src/libcharon/plugins/tnc_ifmap/Makefile.in        |   75 +-
 src/libcharon/plugins/tnc_ifmap/tnc_ifmap_http.c   |   11 +-
 src/libcharon/plugins/tnc_imc/Makefile.am          |    7 +-
 src/libcharon/plugins/tnc_imc/Makefile.in          |   76 +-
 src/libcharon/plugins/tnc_imv/Makefile.am          |    7 +-
 src/libcharon/plugins/tnc_imv/Makefile.in          |   76 +-
 src/libcharon/plugins/tnc_imv/tnc_imv_plugin.c     |    1 +
 .../plugins/tnc_imv/tnc_imv_recommendations.c      |   52 +-
 src/libcharon/plugins/tnc_pdp/Makefile.am          |    8 +-
 src/libcharon/plugins/tnc_pdp/Makefile.in          |   78 +-
 src/libcharon/plugins/tnc_pdp/tnc_pdp.c            |  159 +-
 src/libcharon/plugins/tnc_pdp/tnc_pdp_plugin.c     |   31 +-
 src/libcharon/plugins/tnc_tnccs/Makefile.am        |    6 +-
 src/libcharon/plugins/tnc_tnccs/Makefile.in        |   71 +-
 .../plugins/tnc_tnccs/tnc_tnccs_manager.c          |    4 +-
 src/libcharon/plugins/tnccs_11/Makefile.am         |   11 +-
 src/libcharon/plugins/tnccs_11/Makefile.in         |  139 +-
 src/libcharon/plugins/tnccs_20/Makefile.am         |    6 +-
 src/libcharon/plugins/tnccs_20/Makefile.in         |  159 +-
 src/libcharon/plugins/tnccs_20/tnccs_20.c          |    8 +
 src/libcharon/plugins/tnccs_dynamic/Makefile.am    |    6 +-
 src/libcharon/plugins/tnccs_dynamic/Makefile.in    |   71 +-
 src/libcharon/plugins/uci/Makefile.am              |    8 +-
 src/libcharon/plugins/uci/Makefile.in              |   78 +-
 src/libcharon/plugins/uci/uci_control.c            |    8 +-
 src/libcharon/plugins/uci/uci_plugin.c             |   39 +-
 src/libcharon/plugins/unit_tester/Makefile.am      |   16 +-
 src/libcharon/plugins/unit_tester/Makefile.in      |  199 +-
 src/libcharon/plugins/unit_tester/tests.h          |   14 -
 .../plugins/unit_tester/tests/test_chunk.c         |   82 -
 .../plugins/unit_tester/tests/test_enumerator.c    |  306 ---
 .../plugins/unit_tester/tests/test_hashtable.c     |  111 --
 src/libcharon/plugins/unit_tester/tests/test_id.c  |  249 ---
 .../plugins/unit_tester/tests/test_mutex.c         |  100 -
 .../plugins/unit_tester/tests/test_rsa_gen.c       |  120 --
 src/libcharon/plugins/unit_tester/unit_tester.c    |   32 +-
 src/libcharon/plugins/unity/Makefile.am            |    8 +-
 src/libcharon/plugins/unity/Makefile.in            |   78 +-
 src/libcharon/plugins/unity/unity_handler.c        |  147 +-
 src/libcharon/plugins/unity/unity_narrow.c         |   43 +-
 src/libcharon/plugins/unity/unity_plugin.c         |   49 +-
 src/libcharon/plugins/unity/unity_provider.c       |    1 +
 src/libcharon/plugins/updown/Makefile.am           |    8 +-
 src/libcharon/plugins/updown/Makefile.in           |   78 +-
 src/libcharon/plugins/updown/updown_listener.c     |    3 +-
 src/libcharon/plugins/updown/updown_plugin.c       |   64 +-
 src/libcharon/plugins/whitelist/Makefile.am        |   12 +-
 src/libcharon/plugins/whitelist/Makefile.in        |   78 +-
 src/libcharon/plugins/whitelist/whitelist.c        |   95 +-
 .../plugins/whitelist/whitelist_control.c          |  171 +-
 src/libcharon/plugins/whitelist/whitelist_msg.h    |    2 +-
 src/libcharon/plugins/whitelist/whitelist_plugin.c |   39 +-
 src/libcharon/plugins/xauth_eap/Makefile.am        |    8 +-
 src/libcharon/plugins/xauth_eap/Makefile.in        |   73 +-
 src/libcharon/plugins/xauth_generic/Makefile.am    |    8 +-
 src/libcharon/plugins/xauth_generic/Makefile.in    |   73 +-
 src/libcharon/plugins/xauth_noauth/Makefile.am     |    8 +-
 src/libcharon/plugins/xauth_noauth/Makefile.in     |   73 +-
 src/libcharon/plugins/xauth_pam/Makefile.am        |    8 +-
 src/libcharon/plugins/xauth_pam/Makefile.in        |   73 +-
 src/libcharon/plugins/xauth_pam/xauth_pam_plugin.c |   10 +-
 src/libcharon/processing/jobs/start_action_job.c   |    2 +-
 src/libcharon/sa/child_sa.c                        |  221 ++-
 src/libcharon/sa/child_sa.h                        |   21 +-
 src/libcharon/sa/ike_sa.c                          |  305 +--
 src/libcharon/sa/ike_sa.h                          |   12 +-
 src/libcharon/sa/ike_sa_id.h                       |    2 +-
 src/libcharon/sa/ikev1/task_manager_v1.c           |   70 +-
 src/libcharon/sa/ikev1/tasks/isakmp_delete.c       |    5 +
 src/libcharon/sa/ikev1/tasks/isakmp_natd.c         |   18 +-
 src/libcharon/sa/ikev1/tasks/isakmp_vendor.c       |   83 +-
 src/libcharon/sa/ikev1/tasks/quick_delete.c        |   70 +-
 src/libcharon/sa/ikev1/tasks/quick_mode.c          |  100 +-
 src/libcharon/sa/ikev2/task_manager_v2.c           |  210 ++-
 src/libcharon/sa/ikev2/tasks/child_create.c        |  301 ++-
 src/libcharon/sa/ikev2/tasks/child_delete.c        |   32 +-
 src/libcharon/sa/ikev2/tasks/child_rekey.c         |   17 +-
 src/libcharon/sa/ikev2/tasks/ike_auth.c            |   30 +
 src/libcharon/sa/ikev2/tasks/ike_cert_pre.h        |    2 +-
 src/libcharon/sa/ikev2/tasks/ike_delete.c          |    8 +
 src/libcharon/sa/ikev2/tasks/ike_init.c            |   20 +
 src/libcharon/sa/ikev2/tasks/ike_natd.c            |   19 +-
 src/libcharon/sa/keymat.h                          |    2 +-
 src/libcharon/sa/task.h                            |    2 +-
 src/libcharon/sa/task_manager.h                    |    9 +-
 src/libcharon/sa/trap_manager.c                    |   40 +-
 src/libcharon/sa/trap_manager.h                    |   11 +-
 src/libfast/Makefile.am                            |   14 +-
 src/libfast/Makefile.in                            |   93 +-
 src/libfast/context.h                              |   42 -
 src/libfast/controller.h                           |   77 -
 src/libfast/dispatcher.c                           |  456 -----
 src/libfast/dispatcher.h                           |  137 --
 src/libfast/fast_context.h                         |   42 +
 src/libfast/fast_controller.h                      |   78 +
 src/libfast/fast_dispatcher.c                      |  460 +++++
 src/libfast/fast_dispatcher.h                      |  137 ++
 src/libfast/fast_filter.h                          |   64 +
 src/libfast/fast_request.c                         |  509 +++++
 src/libfast/fast_request.h                         |  217 +++
 src/libfast/fast_session.c                         |  228 +++
 src/libfast/fast_session.h                         |   77 +
 src/libfast/fast_smtp.c                            |  187 ++
 src/libfast/fast_smtp.h                            |   56 +
 src/libfast/filter.h                               |   63 -
 src/libfast/request.c                              |  499 -----
 src/libfast/request.h                              |  217 ---
 src/libfast/session.c                              |  227 ---
 src/libfast/session.h                              |   77 -
 src/libfast/smtp.c                                 |  188 --
 src/libfast/smtp.h                                 |   56 -
 src/libhydra/Makefile.am                           |   11 +-
 src/libhydra/Makefile.in                           |  121 +-
 src/libhydra/attributes/mem_pool.c                 |  135 +-
 src/libhydra/hydra.c                               |    1 -
 src/libhydra/kernel/kernel_interface.c             |   58 +-
 src/libhydra/kernel/kernel_interface.h             |   31 +-
 src/libhydra/kernel/kernel_ipsec.h                 |    6 +-
 src/libhydra/kernel/kernel_listener.h              |   16 +-
 src/libhydra/kernel/kernel_net.h                   |   18 +-
 src/libhydra/plugins/attr/Makefile.am              |    8 +-
 src/libhydra/plugins/attr/Makefile.in              |   79 +-
 src/libhydra/plugins/attr/attr_plugin.c            |   34 +-
 src/libhydra/plugins/attr/attr_provider.c          |   17 +-
 src/libhydra/plugins/attr_sql/Makefile.am          |    9 +-
 src/libhydra/plugins/attr_sql/Makefile.in          |   76 +-
 src/libhydra/plugins/attr_sql/attr_sql_plugin.c    |   77 +-
 src/libhydra/plugins/attr_sql/pool.c               |    2 +-
 src/libhydra/plugins/attr_sql/pool_attributes.c    |    2 +
 src/libhydra/plugins/kernel_klips/Makefile.am      |    8 +-
 src/libhydra/plugins/kernel_klips/Makefile.in      |   74 +-
 .../plugins/kernel_klips/kernel_klips_ipsec.c      |   17 +-
 src/libhydra/plugins/kernel_netlink/Makefile.am    |   14 +-
 src/libhydra/plugins/kernel_netlink/Makefile.in    |   78 +-
 .../plugins/kernel_netlink/kernel_netlink_ipsec.c  |   82 +-
 .../plugins/kernel_netlink/kernel_netlink_net.c    |   80 +-
 .../plugins/kernel_netlink/kernel_netlink_plugin.c |    8 +
 src/libhydra/plugins/kernel_pfkey/Makefile.am      |    8 +-
 src/libhydra/plugins/kernel_pfkey/Makefile.in      |   73 +-
 .../plugins/kernel_pfkey/kernel_pfkey_ipsec.c      |  465 +++--
 .../plugins/kernel_pfkey/kernel_pfkey_plugin.c     |    6 +
 src/libhydra/plugins/kernel_pfroute/Makefile.am    |    8 +-
 src/libhydra/plugins/kernel_pfroute/Makefile.in    |   73 +-
 .../plugins/kernel_pfroute/kernel_pfroute_net.c    | 1209 ++++++++++--
 src/libhydra/plugins/resolve/Makefile.am           |   10 +-
 src/libhydra/plugins/resolve/Makefile.in           |   78 +-
 src/libhydra/plugins/resolve/resolve_handler.c     |    2 +-
 src/libhydra/plugins/resolve/resolve_plugin.c      |   34 +-
 src/libimcv/Makefile.am                            |   22 +-
 src/libimcv/Makefile.in                            |  524 ++++--
 src/libimcv/ietf/ietf_attr_attr_request.c          |    6 +-
 src/libimcv/imc/imc_agent.c                        |    2 +-
 src/libimcv/imcv.c                                 |   33 +-
 src/libimcv/imcv.h                                 |    9 +-
 src/libimcv/imv/_imv_policy                        |   39 +
 src/libimcv/imv/data.sql                           |  846 +++++++++
 src/libimcv/imv/imv_agent.c                        |   38 +-
 src/libimcv/imv/imv_agent.h                        |    1 +
 src/libimcv/imv/imv_agent_if.h                     |  115 ++
 src/libimcv/imv/imv_database.c                     |  381 ++++
 src/libimcv/imv/imv_database.h                     |  125 ++
 src/libimcv/imv/imv_if.h                           |  167 ++
 src/libimcv/imv/imv_msg.c                          |    7 +
 src/libimcv/imv/imv_msg.h                          |    7 +
 src/libimcv/imv/imv_policy_manager.c               |  359 ++++
 src/libimcv/imv/imv_policy_manager_usage.c         |   29 +
 src/libimcv/imv/imv_policy_manager_usage.h         |   24 +
 src/libimcv/imv/imv_session.c                      |  171 ++
 src/libimcv/imv/imv_session.h                      |  113 ++
 src/libimcv/imv/imv_state.h                        |   45 +-
 src/libimcv/imv/imv_workitem.c                     |  213 +++
 src/libimcv/imv/imv_workitem.h                     |  138 ++
 src/libimcv/imv/tables.sql                         |  234 +++
 src/libimcv/ita/ita_attr.c                         |    8 +-
 src/libimcv/ita/ita_attr.h                         |    3 +-
 src/libimcv/ita/ita_attr_device_id.c               |  144 ++
 src/libimcv/ita/ita_attr_device_id.h               |   55 +
 src/libimcv/ita/ita_attr_get_settings.c            |    6 +-
 src/libimcv/ita/ita_attr_get_settings.h            |    6 +-
 src/libimcv/os_info/os_info.c                      |    4 +-
 src/libimcv/plugins/imc_os/Makefile.am             |    9 +-
 src/libimcv/plugins/imc_os/Makefile.in             |   73 +-
 src/libimcv/plugins/imc_os/imc_os.c                |   99 +-
 src/libimcv/plugins/imc_scanner/Makefile.am        |    9 +-
 src/libimcv/plugins/imc_scanner/Makefile.in        |   78 +-
 src/libimcv/plugins/imc_test/Makefile.am           |    9 +-
 src/libimcv/plugins/imc_test/Makefile.in           |   73 +-
 src/libimcv/plugins/imv_os/Makefile.am             |   12 +-
 src/libimcv/plugins/imv_os/Makefile.in             |   82 +-
 src/libimcv/plugins/imv_os/imv_os.c                |  597 +-----
 src/libimcv/plugins/imv_os/imv_os_agent.c          |  805 ++++++++
 src/libimcv/plugins/imv_os/imv_os_agent.h          |   36 +
 src/libimcv/plugins/imv_os/imv_os_database.c       |  175 +-
 src/libimcv/plugins/imv_os/imv_os_database.h       |   41 +-
 src/libimcv/plugins/imv_os/imv_os_state.c          |  141 +-
 src/libimcv/plugins/imv_os/imv_os_state.h          |   72 +-
 src/libimcv/plugins/imv_os/pacman.c                |  489 +++--
 src/libimcv/plugins/imv_os/pacman.sh               |  162 +-
 src/libimcv/plugins/imv_scanner/Makefile.am        |   13 +-
 src/libimcv/plugins/imv_scanner/Makefile.in        |   87 +-
 src/libimcv/plugins/imv_scanner/imv_scanner.c      |  430 +----
 .../plugins/imv_scanner/imv_scanner_agent.c        |  526 ++++++
 .../plugins/imv_scanner/imv_scanner_agent.h        |   36 +
 .../plugins/imv_scanner/imv_scanner_state.c        |  103 +-
 .../plugins/imv_scanner/imv_scanner_state.h        |   46 +-
 src/libimcv/plugins/imv_test/Makefile.am           |   13 +-
 src/libimcv/plugins/imv_test/Makefile.in           |   82 +-
 src/libimcv/plugins/imv_test/imv_test.c            |  348 +---
 src/libimcv/plugins/imv_test/imv_test_agent.c      |  321 ++++
 src/libimcv/plugins/imv_test/imv_test_agent.h      |   36 +
 src/libimcv/plugins/imv_test/imv_test_state.c      |   31 +
 src/libipsec/Makefile.am                           |    3 +-
 src/libipsec/Makefile.in                           |   65 +-
 src/libipsec/esp_context.c                         |  160 +-
 src/libipsec/esp_context.h                         |   18 +-
 src/libipsec/esp_packet.c                          |   67 +-
 src/libipsec/ipsec_event_relay.c                   |    1 +
 src/libipsec/ipsec_sa_mgr.c                        |    7 +-
 src/libipsec/ipsec_sa_mgr.h                        |    6 +-
 src/libpts/Makefile.am                             |    6 +-
 src/libpts/Makefile.in                             |  357 ++--
 src/libpts/plugins/imc_attestation/Makefile.am     |   12 +-
 src/libpts/plugins/imc_attestation/Makefile.in     |   81 +-
 src/libpts/plugins/imv_attestation/Makefile.am     |   13 +-
 src/libpts/plugins/imv_attestation/Makefile.in     |   90 +-
 src/libpts/plugins/imv_attestation/attest.c        |   53 +-
 src/libpts/plugins/imv_attestation/attest_db.c     |  937 ++++++----
 src/libpts/plugins/imv_attestation/attest_db.h     |   14 +-
 src/libpts/plugins/imv_attestation/data.sql        | 1666 -----------------
 .../plugins/imv_attestation/imv_attestation.c      |  484 +----
 .../imv_attestation/imv_attestation_agent.c        |  616 ++++++
 .../imv_attestation/imv_attestation_agent.h        |   36 +
 .../imv_attestation/imv_attestation_build.c        |   88 +-
 .../imv_attestation/imv_attestation_process.c      |  130 +-
 .../imv_attestation/imv_attestation_process.h      |    4 +-
 .../imv_attestation/imv_attestation_state.c        |  123 +-
 .../imv_attestation/imv_attestation_state.h        |   40 +-
 src/libpts/plugins/imv_attestation/tables.sql      |  146 --
 src/libpts/pts/pts_database.c                      |  214 ++-
 src/libpts/pts/pts_database.h                      |   45 +-
 src/libpts/pts/pts_file_meas.c                     |   18 +-
 src/libpttls/Makefile.am                           |    8 +-
 src/libpttls/Makefile.in                           |   86 +-
 src/libpttls/pt_tls.h                              |    2 +-
 src/libradius/Makefile.am                          |    5 +-
 src/libradius/Makefile.in                          |   67 +-
 src/libradius/radius_message.c                     |   89 +
 src/libradius/radius_message.h                     |   16 +
 src/libradius/radius_socket.c                      |   51 +-
 src/libsimaka/Makefile.am                          |    6 +-
 src/libsimaka/Makefile.in                          |   69 +-
 src/libstrongswan/Android.mk                       |   11 +-
 src/libstrongswan/Makefile.am                      |   79 +-
 src/libstrongswan/Makefile.in                      | 1154 ++++++------
 src/libstrongswan/asn1/asn1.c                      |   21 +
 src/libstrongswan/asn1/asn1.h                      |    9 +
 src/libstrongswan/asn1/oid.c                       |  789 ++++----
 src/libstrongswan/asn1/oid.h                       |  274 +--
 src/libstrongswan/asn1/oid.pl                      |    2 -
 src/libstrongswan/asn1/oid.txt                     |   23 +-
 src/libstrongswan/bio/bio_writer.c                 |   78 +-
 src/libstrongswan/collections/array.c              |  416 +++++
 src/libstrongswan/collections/array.h              |  195 ++
 src/libstrongswan/collections/enumerator.c         |   14 +-
 src/libstrongswan/collections/hashtable.c          |   36 +-
 src/libstrongswan/collections/hashtable.h          |   35 +-
 src/libstrongswan/collections/linked_list.c        |   70 +-
 src/libstrongswan/collections/linked_list.h        |   49 +-
 src/libstrongswan/credentials/auth_cfg.c           |   61 +-
 src/libstrongswan/credentials/builder.c            |    1 +
 src/libstrongswan/credentials/builder.h            |    2 +
 src/libstrongswan/credentials/cert_validator.h     |    3 +
 .../credentials/certificates/certificate.c         |    5 +-
 .../credentials/certificates/certificate.h         |    4 -
 .../credentials/containers/container.c             |    4 +-
 .../credentials/containers/container.h             |   15 +-
 src/libstrongswan/credentials/containers/pkcs12.c  |  173 ++
 src/libstrongswan/credentials/containers/pkcs12.h  |   78 +
 src/libstrongswan/credentials/credential_manager.c |   53 +-
 src/libstrongswan/credentials/credential_manager.h |   54 +
 src/libstrongswan/credentials/keys/public_key.h    |    2 +-
 src/libstrongswan/crypto/aead.h                    |    4 +-
 src/libstrongswan/crypto/crypters/crypter.c        |    7 +-
 src/libstrongswan/crypto/crypters/crypter.h        |   13 +-
 src/libstrongswan/crypto/crypto_factory.c          |   63 +-
 src/libstrongswan/crypto/crypto_factory.h          |   40 +-
 src/libstrongswan/crypto/crypto_tester.c           |    5 +-
 src/libstrongswan/crypto/hashers/hasher.c          |   72 +
 src/libstrongswan/crypto/hashers/hasher.h          |   11 +
 src/libstrongswan/crypto/pkcs5.c                   |  653 +++++++
 src/libstrongswan/crypto/pkcs5.h                   |   61 +
 src/libstrongswan/crypto/signers/signer.c          |    1 +
 src/libstrongswan/crypto/signers/signer.h          |    4 +-
 src/libstrongswan/fetcher/fetcher.h                |    6 +
 src/libstrongswan/fetcher/fetcher_manager.c        |   10 +-
 src/libstrongswan/library.c                        |   37 +-
 src/libstrongswan/library.h                        |   21 +
 src/libstrongswan/networking/host.c                |   90 +-
 src/libstrongswan/networking/host.h                |   31 +-
 src/libstrongswan/networking/host_resolver.c       |   20 +-
 src/libstrongswan/networking/streams/stream.c      |  426 +++++
 src/libstrongswan/networking/streams/stream.h      |  199 ++
 .../networking/streams/stream_manager.c            |  235 +++
 .../networking/streams/stream_manager.h            |   96 +
 .../networking/streams/stream_service.c            |  332 ++++
 .../networking/streams/stream_service.h            |  104 ++
 src/libstrongswan/networking/tun_device.c          |  109 +-
 src/libstrongswan/networking/tun_device.h          |   15 +
 src/libstrongswan/plugins/aes/Makefile.am          |    7 +-
 src/libstrongswan/plugins/aes/Makefile.in          |   78 +-
 src/libstrongswan/plugins/af_alg/Makefile.am       |    8 +-
 src/libstrongswan/plugins/af_alg/Makefile.in       |   79 +-
 src/libstrongswan/plugins/af_alg/af_alg_signer.c   |    1 +
 src/libstrongswan/plugins/af_alg/af_alg_signer.h   |    2 +-
 src/libstrongswan/plugins/agent/Makefile.am        |    7 +-
 src/libstrongswan/plugins/agent/Makefile.in        |   78 +-
 src/libstrongswan/plugins/agent/agent_plugin.c     |    2 +
 .../plugins/agent/agent_private_key.c              |  120 +-
 src/libstrongswan/plugins/blowfish/Makefile.am     |    7 +-
 src/libstrongswan/plugins/blowfish/Makefile.in     |   73 +-
 .../plugins/blowfish/blowfish_plugin.c             |   21 +-
 src/libstrongswan/plugins/ccm/Makefile.am          |    7 +-
 src/libstrongswan/plugins/ccm/Makefile.in          |   78 +-
 src/libstrongswan/plugins/cmac/Makefile.am         |    7 +-
 src/libstrongswan/plugins/cmac/Makefile.in         |   78 +-
 src/libstrongswan/plugins/constraints/Makefile.am  |    7 +-
 src/libstrongswan/plugins/constraints/Makefile.in  |   73 +-
 .../plugins/constraints/constraints_plugin.c       |   34 +-
 .../plugins/constraints/constraints_validator.c    |    8 +
 src/libstrongswan/plugins/ctr/Makefile.am          |    7 +-
 src/libstrongswan/plugins/ctr/Makefile.in          |   78 +-
 src/libstrongswan/plugins/curl/Makefile.am         |    7 +-
 src/libstrongswan/plugins/curl/Makefile.in         |   78 +-
 src/libstrongswan/plugins/curl/curl_fetcher.c      |    9 +
 src/libstrongswan/plugins/des/Makefile.am          |    7 +-
 src/libstrongswan/plugins/des/Makefile.in          |   78 +-
 src/libstrongswan/plugins/dnskey/Makefile.am       |    7 +-
 src/libstrongswan/plugins/dnskey/Makefile.in       |   78 +-
 src/libstrongswan/plugins/fips_prf/Makefile.am     |    7 +-
 src/libstrongswan/plugins/fips_prf/Makefile.in     |   73 +-
 src/libstrongswan/plugins/gcm/Makefile.am          |    7 +-
 src/libstrongswan/plugins/gcm/Makefile.in          |   78 +-
 src/libstrongswan/plugins/gcrypt/Makefile.am       |    7 +-
 src/libstrongswan/plugins/gcrypt/Makefile.in       |   78 +-
 src/libstrongswan/plugins/gmp/Makefile.am          |    7 +-
 src/libstrongswan/plugins/gmp/Makefile.in          |   78 +-
 src/libstrongswan/plugins/hmac/Makefile.am         |    7 +-
 src/libstrongswan/plugins/hmac/Makefile.in         |   78 +-
 src/libstrongswan/plugins/hmac/hmac_plugin.c       |    2 +
 src/libstrongswan/plugins/keychain/Makefile.am     |   17 +
 src/libstrongswan/plugins/keychain/Makefile.in     |  683 +++++++
 .../plugins/keychain/keychain_creds.c              |  206 +++
 .../plugins/keychain/keychain_creds.h              |   44 +
 .../plugins/keychain/keychain_plugin.c             |   98 +
 .../plugins/keychain/keychain_plugin.h             |   42 +
 src/libstrongswan/plugins/ldap/Makefile.am         |    7 +-
 src/libstrongswan/plugins/ldap/Makefile.in         |   78 +-
 src/libstrongswan/plugins/ldap/ldap_fetcher.c      |    2 +-
 src/libstrongswan/plugins/md4/Makefile.am          |    7 +-
 src/libstrongswan/plugins/md4/Makefile.in          |   78 +-
 src/libstrongswan/plugins/md5/Makefile.am          |    7 +-
 src/libstrongswan/plugins/md5/Makefile.in          |   78 +-
 src/libstrongswan/plugins/mysql/Makefile.am        |    9 +-
 src/libstrongswan/plugins/mysql/Makefile.in        |   79 +-
 src/libstrongswan/plugins/mysql/mysql_database.c   |    2 +-
 src/libstrongswan/plugins/nonce/Makefile.am        |    7 +-
 src/libstrongswan/plugins/nonce/Makefile.in        |   78 +-
 src/libstrongswan/plugins/openssl/Makefile.am      |   10 +-
 src/libstrongswan/plugins/openssl/Makefile.in      |   84 +-
 src/libstrongswan/plugins/openssl/openssl_crl.c    |    4 +
 src/libstrongswan/plugins/openssl/openssl_pkcs12.c |  266 +++
 src/libstrongswan/plugins/openssl/openssl_pkcs12.h |   37 +
 src/libstrongswan/plugins/openssl/openssl_plugin.c |  104 +-
 src/libstrongswan/plugins/openssl/openssl_rng.c    |   15 +-
 src/libstrongswan/plugins/openssl/openssl_x509.c   |  194 +-
 src/libstrongswan/plugins/padlock/Makefile.am      |    7 +-
 src/libstrongswan/plugins/padlock/Makefile.in      |   78 +-
 src/libstrongswan/plugins/padlock/padlock_plugin.c |   82 +-
 src/libstrongswan/plugins/pem/Makefile.am          |    7 +-
 src/libstrongswan/plugins/pem/Makefile.in          |   78 +-
 src/libstrongswan/plugins/pem/pem_builder.c        |    8 +
 src/libstrongswan/plugins/pem/pem_builder.h        |   11 +
 src/libstrongswan/plugins/pem/pem_plugin.c         |    9 +-
 src/libstrongswan/plugins/pgp/Makefile.am          |    7 +-
 src/libstrongswan/plugins/pgp/Makefile.in          |   78 +-
 src/libstrongswan/plugins/pkcs1/Makefile.am        |    7 +-
 src/libstrongswan/plugins/pkcs1/Makefile.in        |   78 +-
 src/libstrongswan/plugins/pkcs11/Makefile.am       |    7 +-
 src/libstrongswan/plugins/pkcs11/Makefile.in       |   78 +-
 src/libstrongswan/plugins/pkcs11/pkcs11_plugin.c   |   29 +-
 src/libstrongswan/plugins/pkcs12/Makefile.am       |   17 +
 src/libstrongswan/plugins/pkcs12/Makefile.in       |  684 +++++++
 src/libstrongswan/plugins/pkcs12/pkcs12_decode.c   |  581 ++++++
 src/libstrongswan/plugins/pkcs12/pkcs12_decode.h   |   38 +
 src/libstrongswan/plugins/pkcs12/pkcs12_plugin.c   |   83 +
 src/libstrongswan/plugins/pkcs12/pkcs12_plugin.h   |   42 +
 src/libstrongswan/plugins/pkcs7/Makefile.am        |    8 +-
 src/libstrongswan/plugins/pkcs7/Makefile.in        |   85 +-
 .../plugins/pkcs7/pkcs7_encrypted_data.c           |  216 +++
 .../plugins/pkcs7/pkcs7_encrypted_data.h           |   36 +
 src/libstrongswan/plugins/pkcs7/pkcs7_generic.c    |    3 +
 src/libstrongswan/plugins/pkcs8/Makefile.am        |    7 +-
 src/libstrongswan/plugins/pkcs8/Makefile.in        |   78 +-
 src/libstrongswan/plugins/pkcs8/pkcs8_builder.c    |  471 +----
 src/libstrongswan/plugins/pkcs8/pkcs8_plugin.c     |    1 +
 src/libstrongswan/plugins/plugin_feature.c         |   62 +-
 src/libstrongswan/plugins/plugin_feature.h         |   40 +-
 src/libstrongswan/plugins/plugin_loader.c          |  828 ++++++---
 src/libstrongswan/plugins/plugin_loader.h          |   48 +-
 src/libstrongswan/plugins/pubkey/Makefile.am       |    7 +-
 src/libstrongswan/plugins/pubkey/Makefile.in       |   78 +-
 src/libstrongswan/plugins/pubkey/pubkey_cert.c     |   12 +-
 src/libstrongswan/plugins/random/Makefile.am       |   11 +-
 src/libstrongswan/plugins/random/Makefile.in       |   81 +-
 src/libstrongswan/plugins/rc2/Makefile.am          |   16 +
 src/libstrongswan/plugins/rc2/Makefile.in          |  681 +++++++
 src/libstrongswan/plugins/rc2/rc2_crypter.c        |  349 ++++
 src/libstrongswan/plugins/rc2/rc2_crypter.h        |   50 +
 src/libstrongswan/plugins/rc2/rc2_plugin.c         |   76 +
 src/libstrongswan/plugins/rc2/rc2_plugin.h         |   42 +
 src/libstrongswan/plugins/rdrand/Makefile.am       |    7 +-
 src/libstrongswan/plugins/rdrand/Makefile.in       |   78 +-
 src/libstrongswan/plugins/revocation/Makefile.am   |    7 +-
 src/libstrongswan/plugins/revocation/Makefile.in   |   73 +-
 .../plugins/revocation/revocation_plugin.c         |   38 +-
 .../plugins/revocation/revocation_validator.c      |    6 +
 src/libstrongswan/plugins/sha1/Makefile.am         |    7 +-
 src/libstrongswan/plugins/sha1/Makefile.in         |   78 +-
 src/libstrongswan/plugins/sha2/Makefile.am         |    7 +-
 src/libstrongswan/plugins/sha2/Makefile.in         |   78 +-
 src/libstrongswan/plugins/soup/Makefile.am         |    8 +-
 src/libstrongswan/plugins/soup/Makefile.in         |   79 +-
 src/libstrongswan/plugins/soup/soup_plugin.c       |    2 +
 src/libstrongswan/plugins/sqlite/Makefile.am       |    8 +-
 src/libstrongswan/plugins/sqlite/Makefile.in       |   78 +-
 src/libstrongswan/plugins/sqlite/sqlite_database.c |    2 +-
 src/libstrongswan/plugins/sshkey/Makefile.am       |   17 +
 src/libstrongswan/plugins/sshkey/Makefile.in       |  685 +++++++
 src/libstrongswan/plugins/sshkey/sshkey_builder.c  |  153 ++
 src/libstrongswan/plugins/sshkey/sshkey_builder.h  |   51 +
 src/libstrongswan/plugins/sshkey/sshkey_plugin.c   |   75 +
 src/libstrongswan/plugins/sshkey/sshkey_plugin.h   |   42 +
 src/libstrongswan/plugins/test_vectors/Makefile.am |    8 +-
 src/libstrongswan/plugins/test_vectors/Makefile.in |  312 ++--
 .../plugins/test_vectors/test_vectors.h            |    8 +
 .../plugins/test_vectors/test_vectors/rc2.c        |  109 ++
 .../plugins/test_vectors/test_vectors_plugin.c     |   13 +-
 src/libstrongswan/plugins/unbound/Makefile.am      |    9 +-
 src/libstrongswan/plugins/unbound/Makefile.in      |   79 +-
 src/libstrongswan/plugins/unbound/unbound_plugin.c |   15 +-
 src/libstrongswan/plugins/x509/Makefile.am         |    7 +-
 src/libstrongswan/plugins/x509/Makefile.in         |   78 +-
 src/libstrongswan/plugins/x509/x509_crl.c          |    3 +
 src/libstrongswan/plugins/xcbc/Makefile.am         |    7 +-
 src/libstrongswan/plugins/xcbc/Makefile.in         |   78 +-
 src/libstrongswan/processing/processor.c           |  251 ++-
 src/libstrongswan/processing/processor.h           |   10 +
 src/libstrongswan/processing/watcher.c             |  462 +++++
 src/libstrongswan/processing/watcher.h             |  101 +
 src/libstrongswan/selectors/traffic_selector.c     |   40 +-
 src/libstrongswan/tests/Makefile.am                |   23 +
 src/libstrongswan/tests/Makefile.in                |  992 ++++++++++
 src/libstrongswan/tests/test_array.c               |  360 ++++
 src/libstrongswan/tests/test_bio_reader.c          |  450 +++++
 src/libstrongswan/tests/test_bio_writer.c          |  386 ++++
 src/libstrongswan/tests/test_chunk.c               |  863 +++++++++
 src/libstrongswan/tests/test_ecdsa.c               |  237 +++
 src/libstrongswan/tests/test_enum.c                |  248 +++
 src/libstrongswan/tests/test_enumerator.c          |  409 ++++
 src/libstrongswan/tests/test_hashtable.c           |  346 ++++
 src/libstrongswan/tests/test_host.c                |  645 +++++++
 src/libstrongswan/tests/test_identification.c      |  715 +++++++
 src/libstrongswan/tests/test_linked_list.c         |  386 ++++
 .../tests/test_linked_list_enumerator.c            |  361 ++++
 src/libstrongswan/tests/test_rsa.c                 |  393 ++++
 src/libstrongswan/tests/test_runner.c              |  105 ++
 src/libstrongswan/tests/test_runner.h              |   38 +
 src/libstrongswan/tests/test_suite.h               |  101 +
 src/libstrongswan/tests/test_threading.c           |  110 ++
 src/libstrongswan/tests/test_utils.c               |  464 +++++
 src/libstrongswan/tests/test_vectors.c             |   41 +
 src/libstrongswan/threading/semaphore.h            |    5 +
 src/libstrongswan/threading/thread.c               |   15 +-
 src/libstrongswan/utils/backtrace.c                |  117 +-
 src/libstrongswan/utils/backtrace.h                |    8 +
 src/libstrongswan/utils/capabilities.c             |  152 +-
 src/libstrongswan/utils/capabilities.h             |   36 +-
 src/libstrongswan/utils/chunk.c                    |  251 ++-
 src/libstrongswan/utils/chunk.h                    |   60 +-
 src/libstrongswan/utils/enum.c                     |    2 +-
 src/libstrongswan/utils/identification.c           |  101 +-
 src/libstrongswan/utils/identification.h           |    1 -
 src/libstrongswan/utils/integrity_checker.c        |    4 +-
 src/libstrongswan/utils/leak_detective.c           |  660 +++++--
 src/libstrongswan/utils/leak_detective.h           |   10 +-
 src/libstrongswan/utils/printf_hook.c              |    1 -
 src/libstrongswan/utils/settings.c                 |   21 +
 src/libstrongswan/utils/settings.h                 |   10 +
 src/libstrongswan/utils/utils.c                    |   28 +-
 src/libstrongswan/utils/utils.h                    |   71 +-
 src/libtls/Makefile.am                             |    4 +-
 src/libtls/Makefile.in                             |   67 +-
 src/libtnccs/Makefile.am                           |    3 +-
 src/libtnccs/Makefile.in                           |   97 +-
 src/libtnccs/tnc/tnc.c                             |    5 +
 src/libtncif/Android.mk                            |    3 +-
 src/libtncif/Makefile.am                           |    6 +-
 src/libtncif/Makefile.in                           |   73 +-
 src/libtncif/tncif_policy.c                        |  106 ++
 src/libtncif/tncif_policy.h                        |   53 +
 src/libtncif/tncifimv.h                            |    6 +-
 src/manager/Makefile.am                            |   15 +-
 src/manager/Makefile.in                            |  158 +-
 src/manager/controller/auth_controller.c           |   17 +-
 src/manager/controller/auth_controller.h           |    7 +-
 src/manager/controller/config_controller.c         |   16 +-
 src/manager/controller/config_controller.h         |    8 +-
 src/manager/controller/control_controller.c        |   18 +-
 src/manager/controller/control_controller.h        |    8 +-
 src/manager/controller/gateway_controller.c        |   16 +-
 src/manager/controller/gateway_controller.h        |    8 +-
 src/manager/controller/ikesa_controller.c          |   17 +-
 src/manager/controller/ikesa_controller.h          |    7 +-
 src/manager/main.c                                 |   13 +-
 src/manager/manager.c                              |    3 +-
 src/manager/manager.h                              |    4 +-
 src/medsrv/Makefile.am                             |   14 +-
 src/medsrv/Makefile.in                             |  125 +-
 src/medsrv/controller/peer_controller.c            |   23 +-
 src/medsrv/controller/peer_controller.h            |    6 +-
 src/medsrv/controller/user_controller.c            |   26 +-
 src/medsrv/controller/user_controller.h            |    6 +-
 src/medsrv/filter/auth_filter.c                    |    9 +-
 src/medsrv/filter/auth_filter.h                    |    6 +-
 src/medsrv/main.c                                  |   17 +-
 src/medsrv/user.c                                  |    3 +-
 src/medsrv/user.h                                  |    4 +-
 src/openac/Makefile.am                             |    9 +-
 src/openac/Makefile.in                             |   71 +-
 src/openac/openac.c                                |    2 +-
 src/pki/Makefile.am                                |    4 +-
 src/pki/Makefile.in                                |  227 ++-
 src/pki/pki.c                                      |    2 +-
 src/scepclient/Makefile.am                         |   13 +-
 src/scepclient/Makefile.in                         |   75 +-
 src/scepclient/scep.c                              |   13 +-
 src/scepclient/scep.h                              |    5 +-
 src/scepclient/scepclient.c                        |   20 +-
 src/starter/Makefile.am                            |   37 +-
 src/starter/Makefile.in                            |   97 +-
 src/starter/confread.c                             |    2 +-
 src/starter/keywords.c                             |  312 ++--
 src/starter/keywords.h                             |    6 +-
 src/starter/keywords.txt                           |    6 +-
 src/starter/netkey.c                               |    2 +-
 src/starter/starter.c                              |   28 +-
 src/stroke/Makefile.am                             |    6 +-
 src/stroke/Makefile.in                             |   70 +-
 src/stroke/stroke.c                                |   34 +-
 src/stroke/stroke_keywords.c                       |  108 +-
 src/stroke/stroke_keywords.h                       |    4 +
 src/stroke/stroke_keywords.txt                     |    5 +
 src/stroke/stroke_msg.h                            |    4 +
 testing/Makefile.in                                |   15 +-
 testing/config/kernel/config-3.10                  | 1952 ++++++++++++++++++++
 testing/config/kernel/config-3.9                   | 1892 +++++++++++++++++++
 testing/do-tests                                   |    2 +-
 testing/hosts/default/etc/pts/data.sql             |  791 +++++++-
 testing/hosts/default/etc/pts/data.sql~            |  107 --
 testing/hosts/default/etc/pts/tables.sql           |  166 +-
 testing/hosts/default/root/.bashrc                 |   11 +
 testing/hosts/winnetou/etc/openssl/ecdsa/index.txt |   15 +-
 .../winnetou/etc/openssl/ecdsa/newcerts/08.pem     |   16 +
 .../winnetou/etc/openssl/ecdsa/newcerts/09.pem     |   15 +
 .../winnetou/etc/openssl/ecdsa/newcerts/0A.pem     |   16 +
 .../winnetou/etc/openssl/ecdsa/newcerts/0B.pem     |   15 +
 .../winnetou/etc/openssl/ecdsa/newcerts/0C.pem     |   16 +
 .../winnetou/etc/openssl/ecdsa/newcerts/0D.pem     |   17 +
 testing/hosts/winnetou/etc/openssl/ecdsa/serial    |    2 +-
 testing/scripts/recipes/006_tkm-rpc.mk             |    2 +-
 testing/scripts/recipes/010_tkm.mk                 |    2 +-
 testing/scripts/recipes/013_strongswan.mk          |    3 +
 testing/testing.conf                               |    2 +-
 .../hosts/moon/etc/ipsec.conf                      |    2 +-
 .../tests/ikev1/xauth-rsa-radius/description.txt   |    7 +
 testing/tests/ikev1/xauth-rsa-radius/evaltest.dat  |    9 +
 .../hosts/alice/etc/freeradius/eap.conf            |    5 +
 .../hosts/alice/etc/freeradius/proxy.conf          |    5 +
 .../alice/etc/freeradius/sites-available/default   |   39 +
 .../hosts/alice/etc/freeradius/users               |    1 +
 .../xauth-rsa-radius/hosts/carol/etc/ipsec.conf    |   23 +
 .../xauth-rsa-radius/hosts/carol/etc/ipsec.secrets |    5 +
 .../hosts/carol/etc/strongswan.conf                |    9 +
 .../xauth-rsa-radius/hosts/moon/etc/ipsec.conf     |   22 +
 .../xauth-rsa-radius/hosts/moon/etc/ipsec.secrets  |    3 +
 .../xauth-rsa-radius/hosts/moon/etc/iptables.rules |   32 +
 .../hosts/moon/etc/strongswan.conf                 |   11 +
 testing/tests/ikev1/xauth-rsa-radius/posttest.dat  |    5 +
 testing/tests/ikev1/xauth-rsa-radius/pretest.dat   |    8 +
 testing/tests/ikev1/xauth-rsa-radius/test.conf     |   25 +
 .../hosts/venus/etc/dhcp/dhcpd.conf                |    4 +-
 .../dhcp-static-mac/hosts/venus/etc/dnsmasq.conf   |    4 +-
 testing/tests/ikev2/nat-rw/pretest.dat             |    1 +
 .../ikev2/net2net-dnssec/hosts/moon/etc/ipsec.conf |    2 +-
 .../ikev2/net2net-dnssec/hosts/sun/etc/ipsec.conf  |    2 +-
 testing/tests/ikev2/net2net-pkcs12/description.txt |    8 +
 testing/tests/ikev2/net2net-pkcs12/evaltest.dat    |    7 +
 .../ikev2/net2net-pkcs12/hosts/moon/etc/ipsec.conf |   21 +
 .../hosts/moon/etc/ipsec.d/private/moonCert.p12    |  Bin 0 -> 3766 bytes
 .../net2net-pkcs12/hosts/moon/etc/ipsec.secrets    |    3 +
 .../net2net-pkcs12/hosts/moon/etc/strongswan.conf  |    6 +
 .../ikev2/net2net-pkcs12/hosts/sun/etc/ipsec.conf  |   21 +
 .../hosts/sun/etc/ipsec.d/private/sunCert.p12      |  Bin 0 -> 3764 bytes
 .../net2net-pkcs12/hosts/sun/etc/ipsec.secrets     |    8 +
 .../net2net-pkcs12/hosts/sun/etc/strongswan.conf   |    6 +
 testing/tests/ikev2/net2net-pkcs12/posttest.dat    |    6 +
 testing/tests/ikev2/net2net-pkcs12/pretest.dat     |   10 +
 testing/tests/ikev2/net2net-pkcs12/test.conf       |   21 +
 .../ikev2/net2net-pubkey/hosts/moon/etc/ipsec.conf |    4 +-
 .../ikev2/net2net-pubkey/hosts/sun/etc/ipsec.conf  |    4 +-
 .../ikev2/net2net-rsa/hosts/moon/etc/ipsec.conf    |    4 +-
 .../ikev2/net2net-rsa/hosts/sun/etc/ipsec.conf     |    4 +-
 .../ikev2/rw-dnssec/hosts/carol/etc/ipsec.conf     |    2 +-
 .../ikev2/rw-dnssec/hosts/dave/etc/ipsec.conf      |    2 +-
 .../ikev2/rw-dnssec/hosts/moon/etc/ipsec.conf      |    2 +-
 .../ipv6/host2host-ikev1/hosts/moon/etc/ipsec.conf |    1 +
 .../host2host-ikev1/hosts/moon/etc/strongswan.conf |    2 +
 .../ipv6/host2host-ikev1/hosts/sun/etc/ipsec.conf  |    1 +
 .../host2host-ikev1/hosts/sun/etc/strongswan.conf  |    2 +
 .../ipv6/net2net-ikev1/hosts/moon/etc/ipsec.conf   |    1 +
 .../net2net-ikev1/hosts/moon/etc/strongswan.conf   |    2 +
 .../ipv6/net2net-ikev1/hosts/sun/etc/ipsec.conf    |    1 +
 .../net2net-ikev1/hosts/sun/etc/strongswan.conf    |    2 +
 .../hosts/moon/etc/ipsec.conf                      |    1 +
 .../hosts/moon/etc/strongswan.conf                 |    2 +
 .../hosts/sun/etc/ipsec.conf                       |    1 +
 .../hosts/sun/etc/strongswan.conf                  |    2 +
 .../tests/ipv6/rw-ikev1/hosts/carol/etc/ipsec.conf |    1 +
 .../ipv6/rw-ikev1/hosts/carol/etc/strongswan.conf  |    2 +
 .../tests/ipv6/rw-ikev1/hosts/dave/etc/ipsec.conf  |    1 +
 .../ipv6/rw-ikev1/hosts/dave/etc/strongswan.conf   |    2 +
 .../tests/ipv6/rw-ikev1/hosts/moon/etc/ipsec.conf  |    1 +
 .../ipv6/rw-ikev1/hosts/moon/etc/strongswan.conf   |    2 +
 .../ipv6/transport-ikev1/hosts/moon/etc/ipsec.conf |    1 +
 .../transport-ikev1/hosts/moon/etc/strongswan.conf |    2 +
 .../ipv6/transport-ikev1/hosts/sun/etc/ipsec.conf  |    1 +
 .../transport-ikev1/hosts/sun/etc/strongswan.conf  |    2 +
 .../tests/libipsec/net2net-cert/description.txt    |    8 +
 testing/tests/libipsec/net2net-cert/evaltest.dat   |    7 +
 .../net2net-cert/hosts/moon/etc/ipsec.conf         |   22 +
 .../net2net-cert/hosts/moon/etc/strongswan.conf    |    6 +
 .../libipsec/net2net-cert/hosts/moon/etc/updown    |  705 +++++++
 .../libipsec/net2net-cert/hosts/sun/etc/ipsec.conf |   22 +
 .../net2net-cert/hosts/sun/etc/strongswan.conf     |    6 +
 .../libipsec/net2net-cert/hosts/sun/etc/updown     |  705 +++++++
 testing/tests/libipsec/net2net-cert/posttest.dat   |    4 +
 testing/tests/libipsec/net2net-cert/pretest.dat    |    6 +
 testing/tests/libipsec/net2net-cert/test.conf      |   21 +
 testing/tests/libipsec/rw-suite-b/description.txt  |   10 +
 testing/tests/libipsec/rw-suite-b/evaltest.dat     |   19 +
 .../libipsec/rw-suite-b/hosts/carol/etc/ipsec.conf |   23 +
 .../carol/etc/ipsec.d/cacerts/strongswanCert.pem   |   17 +
 .../hosts/carol/etc/ipsec.d/certs/carolCert.pem    |   15 +
 .../hosts/carol/etc/ipsec.d/private/carolKey.pem   |    5 +
 .../rw-suite-b/hosts/carol/etc/ipsec.secrets       |    3 +
 .../rw-suite-b/hosts/carol/etc/strongswan.conf     |   15 +
 .../libipsec/rw-suite-b/hosts/carol/etc/updown     |  746 ++++++++
 .../libipsec/rw-suite-b/hosts/dave/etc/ipsec.conf  |   23 +
 .../dave/etc/ipsec.d/cacerts/strongswanCert.pem    |   17 +
 .../hosts/dave/etc/ipsec.d/certs/daveCert.pem      |   15 +
 .../hosts/dave/etc/ipsec.d/private/daveKey.pem     |    5 +
 .../rw-suite-b/hosts/dave/etc/ipsec.secrets        |    3 +
 .../rw-suite-b/hosts/dave/etc/iptables.flush       |   21 +
 .../rw-suite-b/hosts/dave/etc/iptables.rules       |   32 +
 .../rw-suite-b/hosts/dave/etc/strongswan.conf      |   15 +
 .../libipsec/rw-suite-b/hosts/dave/etc/updown      |  746 ++++++++
 .../libipsec/rw-suite-b/hosts/moon/etc/ipsec.conf  |   22 +
 .../moon/etc/ipsec.d/cacerts/strongswanCert.pem    |   17 +
 .../hosts/moon/etc/ipsec.d/certs/moonCert.pem      |   15 +
 .../hosts/moon/etc/ipsec.d/private/moonKey.pem     |    5 +
 .../rw-suite-b/hosts/moon/etc/ipsec.secrets        |    3 +
 .../rw-suite-b/hosts/moon/etc/strongswan.conf      |   13 +
 .../libipsec/rw-suite-b/hosts/moon/etc/updown      |  746 ++++++++
 testing/tests/libipsec/rw-suite-b/posttest.dat     |    6 +
 testing/tests/libipsec/rw-suite-b/pretest.dat      |    9 +
 testing/tests/libipsec/rw-suite-b/test.conf        |   21 +
 .../hosts/carol/etc/ipsec.d/certs/carolCert.pem    |   29 +-
 .../hosts/carol/etc/ipsec.d/private/carolKey.pem   |    8 +-
 .../hosts/dave/etc/ipsec.d/certs/daveCert.pem      |   31 +-
 .../hosts/dave/etc/ipsec.d/private/daveKey.pem     |    8 +-
 .../hosts/moon/etc/ipsec.d/certs/moonCert.pem      |   31 +-
 .../hosts/moon/etc/ipsec.d/private/moonKey.pem     |   10 +-
 .../hosts/carol/etc/ipsec.d/certs/carolCert.pem    |   29 +-
 .../hosts/carol/etc/ipsec.d/private/carolKey.pem   |    8 +-
 .../hosts/dave/etc/ipsec.d/certs/daveCert.pem      |   31 +-
 .../hosts/dave/etc/ipsec.d/private/daveKey.pem     |    8 +-
 .../hosts/moon/etc/ipsec.d/certs/moonCert.pem      |   31 +-
 .../hosts/moon/etc/ipsec.d/private/moonKey.pem     |   10 +-
 .../hosts/carol/etc/ipsec.d/certs/carolCert.pem    |   29 +-
 .../hosts/carol/etc/ipsec.d/private/carolKey.pem   |    8 +-
 .../hosts/dave/etc/ipsec.d/certs/daveCert.pem      |   31 +-
 .../hosts/dave/etc/ipsec.d/private/daveKey.pem     |   12 +-
 .../hosts/moon/etc/ipsec.d/certs/moonCert.pem      |   31 +-
 .../hosts/moon/etc/ipsec.d/private/moonKey.pem     |   12 +-
 .../openssl-ikev2/net2net-pkcs12/description.txt   |    8 +
 .../openssl-ikev2/net2net-pkcs12/evaltest.dat      |    7 +
 .../net2net-pkcs12/hosts/moon/etc/ipsec.conf       |   21 +
 .../hosts/moon/etc/ipsec.d/private/moonCert.p12    |  Bin 0 -> 3766 bytes
 .../net2net-pkcs12/hosts/moon/etc/ipsec.secrets    |    3 +
 .../net2net-pkcs12/hosts/moon/etc/strongswan.conf  |    6 +
 .../net2net-pkcs12/hosts/sun/etc/ipsec.conf        |   21 +
 .../hosts/sun/etc/ipsec.d/private/sunCert.p12      |  Bin 0 -> 3764 bytes
 .../net2net-pkcs12/hosts/sun/etc/ipsec.secrets     |    8 +
 .../net2net-pkcs12/hosts/sun/etc/strongswan.conf   |    6 +
 .../openssl-ikev2/net2net-pkcs12/posttest.dat      |    6 +
 .../tests/openssl-ikev2/net2net-pkcs12/pretest.dat |   10 +
 .../tests/openssl-ikev2/net2net-pkcs12/test.conf   |   21 +
 .../rw-cert/hosts/carol/etc/strongswan.conf        |    2 +-
 .../rw-cert/hosts/moon/etc/strongswan.conf         |    2 +-
 testing/tests/openssl-ikev2/rw-cpa/description.txt |    9 -
 testing/tests/openssl-ikev2/rw-cpa/evaltest.dat    |   11 -
 .../rw-cpa/hosts/carol/etc/ipsec.conf              |   22 -
 .../carol/etc/ipsec.d/cacerts/strongswanCert.pem   |   17 -
 .../hosts/carol/etc/ipsec.d/certs/carolCert.pem    |   18 -
 .../hosts/carol/etc/ipsec.d/private/carolKey.pem   |    5 -
 .../rw-cpa/hosts/carol/etc/ipsec.secrets           |    3 -
 .../rw-cpa/hosts/carol/etc/iptables.flush          |   21 -
 .../rw-cpa/hosts/carol/etc/iptables.rules          |   32 -
 .../rw-cpa/hosts/carol/etc/strongswan.conf         |   20 -
 .../openssl-ikev2/rw-cpa/hosts/dave/etc/ipsec.conf |   21 -
 .../dave/etc/ipsec.d/cacerts/strongswanCert.pem    |   17 -
 .../hosts/dave/etc/ipsec.d/certs/daveCert.pem      |   19 -
 .../hosts/dave/etc/ipsec.d/private/daveKey.pem     |    6 -
 .../rw-cpa/hosts/dave/etc/ipsec.secrets            |    3 -
 .../rw-cpa/hosts/dave/etc/iptables.flush           |   21 -
 .../rw-cpa/hosts/dave/etc/iptables.rules           |   32 -
 .../rw-cpa/hosts/dave/etc/strongswan.conf          |   23 -
 .../openssl-ikev2/rw-cpa/hosts/moon/etc/ipsec.conf |   21 -
 .../moon/etc/ipsec.d/cacerts/strongswanCert.pem    |   17 -
 .../hosts/moon/etc/ipsec.d/certs/moonCert.pem      |   20 -
 .../hosts/moon/etc/ipsec.d/private/moonKey.pem     |    7 -
 .../rw-cpa/hosts/moon/etc/ipsec.secrets            |    3 -
 .../rw-cpa/hosts/moon/etc/iptables.flush           |   21 -
 .../rw-cpa/hosts/moon/etc/iptables.rules           |   32 -
 .../rw-cpa/hosts/moon/etc/strongswan.conf          |   18 -
 testing/tests/openssl-ikev2/rw-cpa/posttest.dat    |    6 -
 testing/tests/openssl-ikev2/rw-cpa/pretest.dat     |    9 -
 testing/tests/openssl-ikev2/rw-cpa/test.conf       |   21 -
 .../openssl-ikev2/rw-eap-tls-only/evaltest.dat     |    2 +-
 .../rw-eap-tls-only/hosts/carol/etc/ipsec.conf     |    2 +-
 .../hosts/carol/etc/ipsec.d/certs/carolCert.pem    |   29 +-
 .../hosts/carol/etc/ipsec.d/private/carolKey.pem   |    8 +-
 .../hosts/moon/etc/ipsec.d/certs/moonCert.pem      |   31 +-
 .../hosts/moon/etc/ipsec.d/private/moonKey.pem     |   10 +-
 .../openssl-ikev2/rw-suite-b-128/description.txt   |   12 +
 .../openssl-ikev2/rw-suite-b-128/evaltest.dat      |   11 +
 .../rw-suite-b-128/hosts/carol/etc/ipsec.conf      |   22 +
 .../carol/etc/ipsec.d/cacerts/strongswanCert.pem   |   17 +
 .../hosts/carol/etc/ipsec.d/certs/carolCert.pem    |   15 +
 .../hosts/carol/etc/ipsec.d/private/carolKey.pem   |    5 +
 .../rw-suite-b-128/hosts/carol/etc/ipsec.secrets   |    3 +
 .../rw-suite-b-128/hosts/carol/etc/iptables.flush  |   21 +
 .../rw-suite-b-128/hosts/carol/etc/iptables.rules  |   32 +
 .../rw-suite-b-128/hosts/carol/etc/strongswan.conf |   20 +
 .../rw-suite-b-128/hosts/dave/etc/ipsec.conf       |   21 +
 .../dave/etc/ipsec.d/cacerts/strongswanCert.pem    |   17 +
 .../hosts/dave/etc/ipsec.d/certs/daveCert.pem      |   15 +
 .../hosts/dave/etc/ipsec.d/private/daveKey.pem     |    5 +
 .../rw-suite-b-128/hosts/dave/etc/ipsec.secrets    |    3 +
 .../rw-suite-b-128/hosts/dave/etc/iptables.flush   |   21 +
 .../rw-suite-b-128/hosts/dave/etc/iptables.rules   |   32 +
 .../rw-suite-b-128/hosts/dave/etc/strongswan.conf  |   23 +
 .../rw-suite-b-128/hosts/moon/etc/ipsec.conf       |   21 +
 .../moon/etc/ipsec.d/cacerts/strongswanCert.pem    |   17 +
 .../hosts/moon/etc/ipsec.d/certs/moonCert.pem      |   15 +
 .../hosts/moon/etc/ipsec.d/private/moonKey.pem     |    5 +
 .../rw-suite-b-128/hosts/moon/etc/ipsec.secrets    |    3 +
 .../rw-suite-b-128/hosts/moon/etc/iptables.flush   |   21 +
 .../rw-suite-b-128/hosts/moon/etc/iptables.rules   |   32 +
 .../rw-suite-b-128/hosts/moon/etc/strongswan.conf  |   18 +
 .../openssl-ikev2/rw-suite-b-128/posttest.dat      |    6 +
 .../tests/openssl-ikev2/rw-suite-b-128/pretest.dat |    9 +
 .../tests/openssl-ikev2/rw-suite-b-128/test.conf   |   21 +
 .../openssl-ikev2/rw-suite-b-192/description.txt   |   12 +
 .../openssl-ikev2/rw-suite-b-192/evaltest.dat      |   11 +
 .../rw-suite-b-192/hosts/carol/etc/ipsec.conf      |   22 +
 .../carol/etc/ipsec.d/cacerts/strongswanCert.pem   |   17 +
 .../hosts/carol/etc/ipsec.d/certs/carolCert.pem    |   16 +
 .../hosts/carol/etc/ipsec.d/private/carolKey.pem   |    6 +
 .../rw-suite-b-192/hosts/carol/etc/ipsec.secrets   |    3 +
 .../rw-suite-b-192/hosts/carol/etc/iptables.flush  |   21 +
 .../rw-suite-b-192/hosts/carol/etc/iptables.rules  |   32 +
 .../rw-suite-b-192/hosts/carol/etc/strongswan.conf |   20 +
 .../rw-suite-b-192/hosts/dave/etc/ipsec.conf       |   21 +
 .../dave/etc/ipsec.d/cacerts/strongswanCert.pem    |   17 +
 .../hosts/dave/etc/ipsec.d/certs/daveCert.pem      |   16 +
 .../hosts/dave/etc/ipsec.d/private/daveKey.pem     |    6 +
 .../rw-suite-b-192/hosts/dave/etc/ipsec.secrets    |    3 +
 .../rw-suite-b-192/hosts/dave/etc/iptables.flush   |   21 +
 .../rw-suite-b-192/hosts/dave/etc/iptables.rules   |   32 +
 .../rw-suite-b-192/hosts/dave/etc/strongswan.conf  |   23 +
 .../rw-suite-b-192/hosts/moon/etc/ipsec.conf       |   21 +
 .../moon/etc/ipsec.d/cacerts/strongswanCert.pem    |   17 +
 .../hosts/moon/etc/ipsec.d/certs/moonCert.pem      |   16 +
 .../hosts/moon/etc/ipsec.d/private/moonKey.pem     |    6 +
 .../rw-suite-b-192/hosts/moon/etc/ipsec.secrets    |    3 +
 .../rw-suite-b-192/hosts/moon/etc/iptables.flush   |   21 +
 .../rw-suite-b-192/hosts/moon/etc/iptables.rules   |   32 +
 .../rw-suite-b-192/hosts/moon/etc/strongswan.conf  |   18 +
 .../openssl-ikev2/rw-suite-b-192/posttest.dat      |    6 +
 .../tests/openssl-ikev2/rw-suite-b-192/pretest.dat |    9 +
 .../tests/openssl-ikev2/rw-suite-b-192/test.conf   |   21 +
 .../host2host-initiator/hosts/sun/etc/ipsec.conf   |    1 +
 .../host2host-xfrmproxy/hosts/sun/etc/ipsec.conf   |    1 +
 .../hosts/dave/etc/strongswan.conf                 |    8 +
 .../tests/tnc/tnccs-11-radius-pts/description.txt  |   14 +
 testing/tests/tnc/tnccs-11-radius-pts/evaltest.dat |   19 +
 .../hosts/alice/etc/freeradius/eap.conf            |   25 +
 .../hosts/alice/etc/freeradius/proxy.conf          |    5 +
 .../alice/etc/freeradius/sites-available/default   |   43 +
 .../etc/freeradius/sites-available/inner-tunnel    |   32 +
 .../freeradius/sites-available/inner-tunnel-second |   36 +
 .../hosts/alice/etc/freeradius/users               |    2 +
 .../hosts/alice/etc/pts/data.sql                   |  873 +++++++++
 .../hosts/alice/etc/strongswan.conf                |   13 +
 .../hosts/alice/etc/tnc/log4cxx.properties         |   15 +
 .../tnccs-11-radius-pts/hosts/alice/etc/tnc_config |    4 +
 .../tnccs-11-radius-pts/hosts/carol/etc/ipsec.conf |   23 +
 .../hosts/carol/etc/ipsec.secrets                  |    3 +
 .../hosts/carol/etc/strongswan.conf                |   14 +
 .../tnccs-11-radius-pts/hosts/carol/etc/tnc_config |    4 +
 .../tnccs-11-radius-pts/hosts/dave/etc/ipsec.conf  |   23 +
 .../hosts/dave/etc/ipsec.secrets                   |    3 +
 .../hosts/dave/etc/strongswan.conf                 |   17 +
 .../tnccs-11-radius-pts/hosts/dave/etc/tnc_config  |    4 +
 .../tnccs-11-radius-pts/hosts/moon/etc/ipsec.conf  |   33 +
 .../hosts/moon/etc/ipsec.secrets                   |    3 +
 .../hosts/moon/etc/iptables.rules                  |   32 +
 .../hosts/moon/etc/strongswan.conf                 |   13 +
 testing/tests/tnc/tnccs-11-radius-pts/posttest.dat |   10 +
 testing/tests/tnc/tnccs-11-radius-pts/pretest.dat  |   21 +
 testing/tests/tnc/tnccs-11-radius-pts/test.conf    |   26 +
 .../hosts/alice/etc/strongswan.conf                |    5 -
 .../tnccs-11-radius/hosts/dave/etc/strongswan.conf |    3 +
 .../tnc/tnccs-11/hosts/dave/etc/strongswan.conf    |    3 +
 .../tnc/tnccs-11/hosts/moon/etc/strongswan.conf    |    5 -
 .../tnccs-20-block/hosts/dave/etc/strongswan.conf  |    8 +
 .../hosts/dave/etc/strongswan.conf                 |    3 +
 testing/tests/tnc/tnccs-20-os/description.txt      |   13 +-
 testing/tests/tnc/tnccs-20-os/evaltest.dat         |    4 +-
 .../tnc/tnccs-20-os/hosts/dave/etc/strongswan.conf |    4 -
 .../tnc/tnccs-20-os/hosts/moon/etc/pts/data.sql    |  892 +++++++++
 .../tnc/tnccs-20-os/hosts/moon/etc/pts/data.sql~   |  852 +++++++++
 .../tnc/tnccs-20-os/hosts/moon/etc/strongswan.conf |    9 +-
 testing/tests/tnc/tnccs-20-os/pretest.dat          |    3 +-
 .../tnccs-20-pdp/hosts/alice/etc/strongswan.conf   |    5 -
 .../tnccs-20-pdp/hosts/dave/etc/strongswan.conf    |    3 +
 testing/tests/tnc/tnccs-20-pts/description.txt     |   22 +
 testing/tests/tnc/tnccs-20-pts/evaltest.dat        |   20 +
 .../tnc/tnccs-20-pts/hosts/carol/etc/ipsec.conf    |   23 +
 .../tnc/tnccs-20-pts/hosts/carol/etc/ipsec.secrets |    3 +
 .../tnccs-20-pts/hosts/carol/etc/strongswan.conf   |   19 +
 .../tnc/tnccs-20-pts/hosts/carol/etc/tnc_config    |    4 +
 .../tnc/tnccs-20-pts/hosts/dave/etc/ipsec.conf     |   23 +
 .../tnc/tnccs-20-pts/hosts/dave/etc/ipsec.secrets  |    3 +
 .../tnccs-20-pts/hosts/dave/etc/strongswan.conf    |   22 +
 .../tnc/tnccs-20-pts/hosts/dave/etc/tnc_config     |    4 +
 .../tnc/tnccs-20-pts/hosts/moon/etc/ipsec.conf     |   34 +
 .../tnc/tnccs-20-pts/hosts/moon/etc/ipsec.secrets  |    6 +
 .../tnc/tnccs-20-pts/hosts/moon/etc/pts/data.sql   |  873 +++++++++
 .../tnccs-20-pts/hosts/moon/etc/strongswan.conf    |   32 +
 .../tnc/tnccs-20-pts/hosts/moon/etc/tnc_config     |    4 +
 testing/tests/tnc/tnccs-20-pts/posttest.dat        |    8 +
 testing/tests/tnc/tnccs-20-pts/pretest.dat         |   18 +
 testing/tests/tnc/tnccs-20-pts/test.conf           |   26 +
 .../hosts/dave/etc/strongswan.conf                 |    3 +
 .../tnccs-20-tls/hosts/dave/etc/strongswan.conf    |    3 +
 .../tnc/tnccs-20/hosts/dave/etc/strongswan.conf    |    3 +
 .../tests/tnc/tnccs-20/hosts/moon/etc/pts/data.sql |  793 ++++++++
 .../tnccs-dynamic/hosts/dave/etc/strongswan.conf   |    3 +
 1160 files changed, 72806 insertions(+), 22725 deletions(-)
 create mode 100644 configure.ac
 delete mode 100644 configure.in
 create mode 100644 scripts/malloc_speed.c
 create mode 100644 src/charon-cmd/Makefile.am
 create mode 100644 src/charon-cmd/Makefile.in
 create mode 100644 src/charon-cmd/charon-cmd.8
 create mode 100644 src/charon-cmd/charon-cmd.8.in
 create mode 100644 src/charon-cmd/charon-cmd.c
 create mode 100644 src/charon-cmd/cmd/cmd_connection.c
 create mode 100644 src/charon-cmd/cmd/cmd_connection.h
 create mode 100644 src/charon-cmd/cmd/cmd_creds.c
 create mode 100644 src/charon-cmd/cmd/cmd_creds.h
 create mode 100644 src/charon-cmd/cmd/cmd_options.c
 create mode 100644 src/charon-cmd/cmd/cmd_options.h
 create mode 100644 src/libcharon/plugins/duplicheck/duplicheck_msg.h
 create mode 100644 src/libcharon/plugins/eap_radius/eap_radius_xauth.c
 create mode 100644 src/libcharon/plugins/eap_radius/eap_radius_xauth.h
 create mode 100644 src/libcharon/plugins/kernel_libipsec/Makefile.am
 create mode 100644 src/libcharon/plugins/kernel_libipsec/Makefile.in
 create mode 100644 src/libcharon/plugins/kernel_libipsec/kernel_libipsec_ipsec.c
 create mode 100644 src/libcharon/plugins/kernel_libipsec/kernel_libipsec_ipsec.h
 create mode 100644 src/libcharon/plugins/kernel_libipsec/kernel_libipsec_plugin.c
 create mode 100644 src/libcharon/plugins/kernel_libipsec/kernel_libipsec_plugin.h
 create mode 100644 src/libcharon/plugins/kernel_libipsec/kernel_libipsec_router.c
 create mode 100644 src/libcharon/plugins/kernel_libipsec/kernel_libipsec_router.h
 create mode 100644 src/libcharon/plugins/osx_attr/Makefile.am
 create mode 100644 src/libcharon/plugins/osx_attr/Makefile.in
 create mode 100644 src/libcharon/plugins/osx_attr/osx_attr_handler.c
 create mode 100644 src/libcharon/plugins/osx_attr/osx_attr_handler.h
 create mode 100644 src/libcharon/plugins/osx_attr/osx_attr_plugin.c
 create mode 100644 src/libcharon/plugins/osx_attr/osx_attr_plugin.h
 delete mode 100644 src/libcharon/plugins/unit_tester/tests/test_chunk.c
 delete mode 100644 src/libcharon/plugins/unit_tester/tests/test_enumerator.c
 delete mode 100644 src/libcharon/plugins/unit_tester/tests/test_hashtable.c
 delete mode 100644 src/libcharon/plugins/unit_tester/tests/test_id.c
 delete mode 100644 src/libcharon/plugins/unit_tester/tests/test_mutex.c
 delete mode 100644 src/libcharon/plugins/unit_tester/tests/test_rsa_gen.c
 delete mode 100644 src/libfast/context.h
 delete mode 100644 src/libfast/controller.h
 delete mode 100644 src/libfast/dispatcher.c
 delete mode 100644 src/libfast/dispatcher.h
 create mode 100644 src/libfast/fast_context.h
 create mode 100644 src/libfast/fast_controller.h
 create mode 100644 src/libfast/fast_dispatcher.c
 create mode 100644 src/libfast/fast_dispatcher.h
 create mode 100644 src/libfast/fast_filter.h
 create mode 100644 src/libfast/fast_request.c
 create mode 100644 src/libfast/fast_request.h
 create mode 100644 src/libfast/fast_session.c
 create mode 100644 src/libfast/fast_session.h
 create mode 100644 src/libfast/fast_smtp.c
 create mode 100644 src/libfast/fast_smtp.h
 delete mode 100644 src/libfast/filter.h
 delete mode 100644 src/libfast/request.c
 delete mode 100644 src/libfast/request.h
 delete mode 100644 src/libfast/session.c
 delete mode 100644 src/libfast/session.h
 delete mode 100644 src/libfast/smtp.c
 delete mode 100644 src/libfast/smtp.h
 create mode 100755 src/libimcv/imv/_imv_policy
 create mode 100644 src/libimcv/imv/data.sql
 create mode 100644 src/libimcv/imv/imv_agent_if.h
 create mode 100644 src/libimcv/imv/imv_database.c
 create mode 100644 src/libimcv/imv/imv_database.h
 create mode 100644 src/libimcv/imv/imv_if.h
 create mode 100644 src/libimcv/imv/imv_policy_manager.c
 create mode 100644 src/libimcv/imv/imv_policy_manager_usage.c
 create mode 100644 src/libimcv/imv/imv_policy_manager_usage.h
 create mode 100644 src/libimcv/imv/imv_session.c
 create mode 100644 src/libimcv/imv/imv_session.h
 create mode 100644 src/libimcv/imv/imv_workitem.c
 create mode 100644 src/libimcv/imv/imv_workitem.h
 create mode 100644 src/libimcv/imv/tables.sql
 create mode 100644 src/libimcv/ita/ita_attr_device_id.c
 create mode 100644 src/libimcv/ita/ita_attr_device_id.h
 create mode 100644 src/libimcv/plugins/imv_os/imv_os_agent.c
 create mode 100644 src/libimcv/plugins/imv_os/imv_os_agent.h
 create mode 100644 src/libimcv/plugins/imv_scanner/imv_scanner_agent.c
 create mode 100644 src/libimcv/plugins/imv_scanner/imv_scanner_agent.h
 create mode 100644 src/libimcv/plugins/imv_test/imv_test_agent.c
 create mode 100644 src/libimcv/plugins/imv_test/imv_test_agent.h
 delete mode 100644 src/libpts/plugins/imv_attestation/data.sql
 create mode 100644 src/libpts/plugins/imv_attestation/imv_attestation_agent.c
 create mode 100644 src/libpts/plugins/imv_attestation/imv_attestation_agent.h
 delete mode 100644 src/libpts/plugins/imv_attestation/tables.sql
 create mode 100644 src/libstrongswan/collections/array.c
 create mode 100644 src/libstrongswan/collections/array.h
 create mode 100644 src/libstrongswan/credentials/containers/pkcs12.c
 create mode 100644 src/libstrongswan/credentials/containers/pkcs12.h
 create mode 100644 src/libstrongswan/crypto/pkcs5.c
 create mode 100644 src/libstrongswan/crypto/pkcs5.h
 create mode 100644 src/libstrongswan/networking/streams/stream.c
 create mode 100644 src/libstrongswan/networking/streams/stream.h
 create mode 100644 src/libstrongswan/networking/streams/stream_manager.c
 create mode 100644 src/libstrongswan/networking/streams/stream_manager.h
 create mode 100644 src/libstrongswan/networking/streams/stream_service.c
 create mode 100644 src/libstrongswan/networking/streams/stream_service.h
 create mode 100644 src/libstrongswan/plugins/keychain/Makefile.am
 create mode 100644 src/libstrongswan/plugins/keychain/Makefile.in
 create mode 100644 src/libstrongswan/plugins/keychain/keychain_creds.c
 create mode 100644 src/libstrongswan/plugins/keychain/keychain_creds.h
 create mode 100644 src/libstrongswan/plugins/keychain/keychain_plugin.c
 create mode 100644 src/libstrongswan/plugins/keychain/keychain_plugin.h
 create mode 100644 src/libstrongswan/plugins/openssl/openssl_pkcs12.c
 create mode 100644 src/libstrongswan/plugins/openssl/openssl_pkcs12.h
 create mode 100644 src/libstrongswan/plugins/pkcs12/Makefile.am
 create mode 100644 src/libstrongswan/plugins/pkcs12/Makefile.in
 create mode 100644 src/libstrongswan/plugins/pkcs12/pkcs12_decode.c
 create mode 100644 src/libstrongswan/plugins/pkcs12/pkcs12_decode.h
 create mode 100644 src/libstrongswan/plugins/pkcs12/pkcs12_plugin.c
 create mode 100644 src/libstrongswan/plugins/pkcs12/pkcs12_plugin.h
 create mode 100644 src/libstrongswan/plugins/pkcs7/pkcs7_encrypted_data.c
 create mode 100644 src/libstrongswan/plugins/pkcs7/pkcs7_encrypted_data.h
 create mode 100644 src/libstrongswan/plugins/rc2/Makefile.am
 create mode 100644 src/libstrongswan/plugins/rc2/Makefile.in
 create mode 100644 src/libstrongswan/plugins/rc2/rc2_crypter.c
 create mode 100644 src/libstrongswan/plugins/rc2/rc2_crypter.h
 create mode 100644 src/libstrongswan/plugins/rc2/rc2_plugin.c
 create mode 100644 src/libstrongswan/plugins/rc2/rc2_plugin.h
 create mode 100644 src/libstrongswan/plugins/sshkey/Makefile.am
 create mode 100644 src/libstrongswan/plugins/sshkey/Makefile.in
 create mode 100644 src/libstrongswan/plugins/sshkey/sshkey_builder.c
 create mode 100644 src/libstrongswan/plugins/sshkey/sshkey_builder.h
 create mode 100644 src/libstrongswan/plugins/sshkey/sshkey_plugin.c
 create mode 100644 src/libstrongswan/plugins/sshkey/sshkey_plugin.h
 create mode 100644 src/libstrongswan/plugins/test_vectors/test_vectors/rc2.c
 create mode 100644 src/libstrongswan/processing/watcher.c
 create mode 100644 src/libstrongswan/processing/watcher.h
 create mode 100644 src/libstrongswan/tests/Makefile.am
 create mode 100644 src/libstrongswan/tests/Makefile.in
 create mode 100644 src/libstrongswan/tests/test_array.c
 create mode 100644 src/libstrongswan/tests/test_bio_reader.c
 create mode 100644 src/libstrongswan/tests/test_bio_writer.c
 create mode 100644 src/libstrongswan/tests/test_chunk.c
 create mode 100644 src/libstrongswan/tests/test_ecdsa.c
 create mode 100644 src/libstrongswan/tests/test_enum.c
 create mode 100644 src/libstrongswan/tests/test_enumerator.c
 create mode 100644 src/libstrongswan/tests/test_hashtable.c
 create mode 100644 src/libstrongswan/tests/test_host.c
 create mode 100644 src/libstrongswan/tests/test_identification.c
 create mode 100644 src/libstrongswan/tests/test_linked_list.c
 create mode 100644 src/libstrongswan/tests/test_linked_list_enumerator.c
 create mode 100644 src/libstrongswan/tests/test_rsa.c
 create mode 100644 src/libstrongswan/tests/test_runner.c
 create mode 100644 src/libstrongswan/tests/test_runner.h
 create mode 100644 src/libstrongswan/tests/test_suite.h
 create mode 100644 src/libstrongswan/tests/test_threading.c
 create mode 100644 src/libstrongswan/tests/test_utils.c
 create mode 100644 src/libstrongswan/tests/test_vectors.c
 create mode 100644 src/libtncif/tncif_policy.c
 create mode 100644 src/libtncif/tncif_policy.h
 create mode 100644 testing/config/kernel/config-3.10
 create mode 100644 testing/config/kernel/config-3.9
 delete mode 100644 testing/hosts/default/etc/pts/data.sql~
 create mode 100644 testing/hosts/default/root/.bashrc
 create mode 100644 testing/hosts/winnetou/etc/openssl/ecdsa/newcerts/08.pem
 create mode 100644 testing/hosts/winnetou/etc/openssl/ecdsa/newcerts/09.pem
 create mode 100644 testing/hosts/winnetou/etc/openssl/ecdsa/newcerts/0A.pem
 create mode 100644 testing/hosts/winnetou/etc/openssl/ecdsa/newcerts/0B.pem
 create mode 100644 testing/hosts/winnetou/etc/openssl/ecdsa/newcerts/0C.pem
 create mode 100644 testing/hosts/winnetou/etc/openssl/ecdsa/newcerts/0D.pem
 create mode 100644 testing/tests/ikev1/xauth-rsa-radius/description.txt
 create mode 100644 testing/tests/ikev1/xauth-rsa-radius/evaltest.dat
 create mode 100644 testing/tests/ikev1/xauth-rsa-radius/hosts/alice/etc/freeradius/eap.conf
 create mode 100644 testing/tests/ikev1/xauth-rsa-radius/hosts/alice/etc/freeradius/proxy.conf
 create mode 100644 testing/tests/ikev1/xauth-rsa-radius/hosts/alice/etc/freeradius/sites-available/default
 create mode 100644 testing/tests/ikev1/xauth-rsa-radius/hosts/alice/etc/freeradius/users
 create mode 100644 testing/tests/ikev1/xauth-rsa-radius/hosts/carol/etc/ipsec.conf
 create mode 100644 testing/tests/ikev1/xauth-rsa-radius/hosts/carol/etc/ipsec.secrets
 create mode 100644 testing/tests/ikev1/xauth-rsa-radius/hosts/carol/etc/strongswan.conf
 create mode 100644 testing/tests/ikev1/xauth-rsa-radius/hosts/moon/etc/ipsec.conf
 create mode 100644 testing/tests/ikev1/xauth-rsa-radius/hosts/moon/etc/ipsec.secrets
 create mode 100644 testing/tests/ikev1/xauth-rsa-radius/hosts/moon/etc/iptables.rules
 create mode 100644 testing/tests/ikev1/xauth-rsa-radius/hosts/moon/etc/strongswan.conf
 create mode 100644 testing/tests/ikev1/xauth-rsa-radius/posttest.dat
 create mode 100644 testing/tests/ikev1/xauth-rsa-radius/pretest.dat
 create mode 100644 testing/tests/ikev1/xauth-rsa-radius/test.conf
 create mode 100644 testing/tests/ikev2/net2net-pkcs12/description.txt
 create mode 100644 testing/tests/ikev2/net2net-pkcs12/evaltest.dat
 create mode 100644 testing/tests/ikev2/net2net-pkcs12/hosts/moon/etc/ipsec.conf
 create mode 100644 testing/tests/ikev2/net2net-pkcs12/hosts/moon/etc/ipsec.d/private/moonCert.p12
 create mode 100644 testing/tests/ikev2/net2net-pkcs12/hosts/moon/etc/ipsec.secrets
 create mode 100644 testing/tests/ikev2/net2net-pkcs12/hosts/moon/etc/strongswan.conf
 create mode 100644 testing/tests/ikev2/net2net-pkcs12/hosts/sun/etc/ipsec.conf
 create mode 100644 testing/tests/ikev2/net2net-pkcs12/hosts/sun/etc/ipsec.d/private/sunCert.p12
 create mode 100644 testing/tests/ikev2/net2net-pkcs12/hosts/sun/etc/ipsec.secrets
 create mode 100644 testing/tests/ikev2/net2net-pkcs12/hosts/sun/etc/strongswan.conf
 create mode 100644 testing/tests/ikev2/net2net-pkcs12/posttest.dat
 create mode 100644 testing/tests/ikev2/net2net-pkcs12/pretest.dat
 create mode 100644 testing/tests/ikev2/net2net-pkcs12/test.conf
 create mode 100644 testing/tests/libipsec/net2net-cert/description.txt
 create mode 100644 testing/tests/libipsec/net2net-cert/evaltest.dat
 create mode 100644 testing/tests/libipsec/net2net-cert/hosts/moon/etc/ipsec.conf
 create mode 100644 testing/tests/libipsec/net2net-cert/hosts/moon/etc/strongswan.conf
 create mode 100755 testing/tests/libipsec/net2net-cert/hosts/moon/etc/updown
 create mode 100644 testing/tests/libipsec/net2net-cert/hosts/sun/etc/ipsec.conf
 create mode 100644 testing/tests/libipsec/net2net-cert/hosts/sun/etc/strongswan.conf
 create mode 100755 testing/tests/libipsec/net2net-cert/hosts/sun/etc/updown
 create mode 100644 testing/tests/libipsec/net2net-cert/posttest.dat
 create mode 100644 testing/tests/libipsec/net2net-cert/pretest.dat
 create mode 100644 testing/tests/libipsec/net2net-cert/test.conf
 create mode 100644 testing/tests/libipsec/rw-suite-b/description.txt
 create mode 100644 testing/tests/libipsec/rw-suite-b/evaltest.dat
 create mode 100644 testing/tests/libipsec/rw-suite-b/hosts/carol/etc/ipsec.conf
 create mode 100644 testing/tests/libipsec/rw-suite-b/hosts/carol/etc/ipsec.d/cacerts/strongswanCert.pem
 create mode 100644 testing/tests/libipsec/rw-suite-b/hosts/carol/etc/ipsec.d/certs/carolCert.pem
 create mode 100644 testing/tests/libipsec/rw-suite-b/hosts/carol/etc/ipsec.d/private/carolKey.pem
 create mode 100644 testing/tests/libipsec/rw-suite-b/hosts/carol/etc/ipsec.secrets
 create mode 100644 testing/tests/libipsec/rw-suite-b/hosts/carol/etc/strongswan.conf
 create mode 100755 testing/tests/libipsec/rw-suite-b/hosts/carol/etc/updown
 create mode 100644 testing/tests/libipsec/rw-suite-b/hosts/dave/etc/ipsec.conf
 create mode 100644 testing/tests/libipsec/rw-suite-b/hosts/dave/etc/ipsec.d/cacerts/strongswanCert.pem
 create mode 100644 testing/tests/libipsec/rw-suite-b/hosts/dave/etc/ipsec.d/certs/daveCert.pem
 create mode 100644 testing/tests/libipsec/rw-suite-b/hosts/dave/etc/ipsec.d/private/daveKey.pem
 create mode 100644 testing/tests/libipsec/rw-suite-b/hosts/dave/etc/ipsec.secrets
 create mode 100644 testing/tests/libipsec/rw-suite-b/hosts/dave/etc/iptables.flush
 create mode 100644 testing/tests/libipsec/rw-suite-b/hosts/dave/etc/iptables.rules
 create mode 100644 testing/tests/libipsec/rw-suite-b/hosts/dave/etc/strongswan.conf
 create mode 100755 testing/tests/libipsec/rw-suite-b/hosts/dave/etc/updown
 create mode 100644 testing/tests/libipsec/rw-suite-b/hosts/moon/etc/ipsec.conf
 create mode 100644 testing/tests/libipsec/rw-suite-b/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem
 create mode 100644 testing/tests/libipsec/rw-suite-b/hosts/moon/etc/ipsec.d/certs/moonCert.pem
 create mode 100644 testing/tests/libipsec/rw-suite-b/hosts/moon/etc/ipsec.d/private/moonKey.pem
 create mode 100644 testing/tests/libipsec/rw-suite-b/hosts/moon/etc/ipsec.secrets
 create mode 100644 testing/tests/libipsec/rw-suite-b/hosts/moon/etc/strongswan.conf
 create mode 100755 testing/tests/libipsec/rw-suite-b/hosts/moon/etc/updown
 create mode 100644 testing/tests/libipsec/rw-suite-b/posttest.dat
 create mode 100644 testing/tests/libipsec/rw-suite-b/pretest.dat
 create mode 100644 testing/tests/libipsec/rw-suite-b/test.conf
 create mode 100644 testing/tests/openssl-ikev2/net2net-pkcs12/description.txt
 create mode 100644 testing/tests/openssl-ikev2/net2net-pkcs12/evaltest.dat
 create mode 100644 testing/tests/openssl-ikev2/net2net-pkcs12/hosts/moon/etc/ipsec.conf
 create mode 100644 testing/tests/openssl-ikev2/net2net-pkcs12/hosts/moon/etc/ipsec.d/private/moonCert.p12
 create mode 100644 testing/tests/openssl-ikev2/net2net-pkcs12/hosts/moon/etc/ipsec.secrets
 create mode 100644 testing/tests/openssl-ikev2/net2net-pkcs12/hosts/moon/etc/strongswan.conf
 create mode 100644 testing/tests/openssl-ikev2/net2net-pkcs12/hosts/sun/etc/ipsec.conf
 create mode 100644 testing/tests/openssl-ikev2/net2net-pkcs12/hosts/sun/etc/ipsec.d/private/sunCert.p12
 create mode 100644 testing/tests/openssl-ikev2/net2net-pkcs12/hosts/sun/etc/ipsec.secrets
 create mode 100644 testing/tests/openssl-ikev2/net2net-pkcs12/hosts/sun/etc/strongswan.conf
 create mode 100644 testing/tests/openssl-ikev2/net2net-pkcs12/posttest.dat
 create mode 100644 testing/tests/openssl-ikev2/net2net-pkcs12/pretest.dat
 create mode 100644 testing/tests/openssl-ikev2/net2net-pkcs12/test.conf
 delete mode 100644 testing/tests/openssl-ikev2/rw-cpa/description.txt
 delete mode 100644 testing/tests/openssl-ikev2/rw-cpa/evaltest.dat
 delete mode 100644 testing/tests/openssl-ikev2/rw-cpa/hosts/carol/etc/ipsec.conf
 delete mode 100644 testing/tests/openssl-ikev2/rw-cpa/hosts/carol/etc/ipsec.d/cacerts/strongswanCert.pem
 delete mode 100644 testing/tests/openssl-ikev2/rw-cpa/hosts/carol/etc/ipsec.d/certs/carolCert.pem
 delete mode 100644 testing/tests/openssl-ikev2/rw-cpa/hosts/carol/etc/ipsec.d/private/carolKey.pem
 delete mode 100644 testing/tests/openssl-ikev2/rw-cpa/hosts/carol/etc/ipsec.secrets
 delete mode 100644 testing/tests/openssl-ikev2/rw-cpa/hosts/carol/etc/iptables.flush
 delete mode 100644 testing/tests/openssl-ikev2/rw-cpa/hosts/carol/etc/iptables.rules
 delete mode 100644 testing/tests/openssl-ikev2/rw-cpa/hosts/carol/etc/strongswan.conf
 delete mode 100644 testing/tests/openssl-ikev2/rw-cpa/hosts/dave/etc/ipsec.conf
 delete mode 100644 testing/tests/openssl-ikev2/rw-cpa/hosts/dave/etc/ipsec.d/cacerts/strongswanCert.pem
 delete mode 100644 testing/tests/openssl-ikev2/rw-cpa/hosts/dave/etc/ipsec.d/certs/daveCert.pem
 delete mode 100644 testing/tests/openssl-ikev2/rw-cpa/hosts/dave/etc/ipsec.d/private/daveKey.pem
 delete mode 100644 testing/tests/openssl-ikev2/rw-cpa/hosts/dave/etc/ipsec.secrets
 delete mode 100644 testing/tests/openssl-ikev2/rw-cpa/hosts/dave/etc/iptables.flush
 delete mode 100644 testing/tests/openssl-ikev2/rw-cpa/hosts/dave/etc/iptables.rules
 delete mode 100644 testing/tests/openssl-ikev2/rw-cpa/hosts/dave/etc/strongswan.conf
 delete mode 100644 testing/tests/openssl-ikev2/rw-cpa/hosts/moon/etc/ipsec.conf
 delete mode 100644 testing/tests/openssl-ikev2/rw-cpa/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem
 delete mode 100644 testing/tests/openssl-ikev2/rw-cpa/hosts/moon/etc/ipsec.d/certs/moonCert.pem
 delete mode 100644 testing/tests/openssl-ikev2/rw-cpa/hosts/moon/etc/ipsec.d/private/moonKey.pem
 delete mode 100644 testing/tests/openssl-ikev2/rw-cpa/hosts/moon/etc/ipsec.secrets
 delete mode 100644 testing/tests/openssl-ikev2/rw-cpa/hosts/moon/etc/iptables.flush
 delete mode 100644 testing/tests/openssl-ikev2/rw-cpa/hosts/moon/etc/iptables.rules
 delete mode 100644 testing/tests/openssl-ikev2/rw-cpa/hosts/moon/etc/strongswan.conf
 delete mode 100644 testing/tests/openssl-ikev2/rw-cpa/posttest.dat
 delete mode 100644 testing/tests/openssl-ikev2/rw-cpa/pretest.dat
 delete mode 100644 testing/tests/openssl-ikev2/rw-cpa/test.conf
 create mode 100644 testing/tests/openssl-ikev2/rw-suite-b-128/description.txt
 create mode 100644 testing/tests/openssl-ikev2/rw-suite-b-128/evaltest.dat
 create mode 100644 testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/ipsec.conf
 create mode 100644 testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/ipsec.d/cacerts/strongswanCert.pem
 create mode 100644 testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/ipsec.d/certs/carolCert.pem
 create mode 100644 testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/ipsec.d/private/carolKey.pem
 create mode 100644 testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/ipsec.secrets
 create mode 100644 testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/iptables.flush
 create mode 100644 testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/iptables.rules
 create mode 100644 testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/strongswan.conf
 create mode 100644 testing/tests/openssl-ikev2/rw-suite-b-128/hosts/dave/etc/ipsec.conf
 create mode 100644 testing/tests/openssl-ikev2/rw-suite-b-128/hosts/dave/etc/ipsec.d/cacerts/strongswanCert.pem
 create mode 100644 testing/tests/openssl-ikev2/rw-suite-b-128/hosts/dave/etc/ipsec.d/certs/daveCert.pem
 create mode 100644 testing/tests/openssl-ikev2/rw-suite-b-128/hosts/dave/etc/ipsec.d/private/daveKey.pem
 create mode 100644 testing/tests/openssl-ikev2/rw-suite-b-128/hosts/dave/etc/ipsec.secrets
 create mode 100644 testing/tests/openssl-ikev2/rw-suite-b-128/hosts/dave/etc/iptables.flush
 create mode 100644 testing/tests/openssl-ikev2/rw-suite-b-128/hosts/dave/etc/iptables.rules
 create mode 100644 testing/tests/openssl-ikev2/rw-suite-b-128/hosts/dave/etc/strongswan.conf
 create mode 100644 testing/tests/openssl-ikev2/rw-suite-b-128/hosts/moon/etc/ipsec.conf
 create mode 100644 testing/tests/openssl-ikev2/rw-suite-b-128/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem
 create mode 100644 testing/tests/openssl-ikev2/rw-suite-b-128/hosts/moon/etc/ipsec.d/certs/moonCert.pem
 create mode 100644 testing/tests/openssl-ikev2/rw-suite-b-128/hosts/moon/etc/ipsec.d/private/moonKey.pem
 create mode 100644 testing/tests/openssl-ikev2/rw-suite-b-128/hosts/moon/etc/ipsec.secrets
 create mode 100644 testing/tests/openssl-ikev2/rw-suite-b-128/hosts/moon/etc/iptables.flush
 create mode 100644 testing/tests/openssl-ikev2/rw-suite-b-128/hosts/moon/etc/iptables.rules
 create mode 100644 testing/tests/openssl-ikev2/rw-suite-b-128/hosts/moon/etc/strongswan.conf
 create mode 100644 testing/tests/openssl-ikev2/rw-suite-b-128/posttest.dat
 create mode 100644 testing/tests/openssl-ikev2/rw-suite-b-128/pretest.dat
 create mode 100644 testing/tests/openssl-ikev2/rw-suite-b-128/test.conf
 create mode 100644 testing/tests/openssl-ikev2/rw-suite-b-192/description.txt
 create mode 100644 testing/tests/openssl-ikev2/rw-suite-b-192/evaltest.dat
 create mode 100644 testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/ipsec.conf
 create mode 100644 testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/ipsec.d/cacerts/strongswanCert.pem
 create mode 100644 testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/ipsec.d/certs/carolCert.pem
 create mode 100644 testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/ipsec.d/private/carolKey.pem
 create mode 100644 testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/ipsec.secrets
 create mode 100644 testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/iptables.flush
 create mode 100644 testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/iptables.rules
 create mode 100644 testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/strongswan.conf
 create mode 100644 testing/tests/openssl-ikev2/rw-suite-b-192/hosts/dave/etc/ipsec.conf
 create mode 100644 testing/tests/openssl-ikev2/rw-suite-b-192/hosts/dave/etc/ipsec.d/cacerts/strongswanCert.pem
 create mode 100644 testing/tests/openssl-ikev2/rw-suite-b-192/hosts/dave/etc/ipsec.d/certs/daveCert.pem
 create mode 100644 testing/tests/openssl-ikev2/rw-suite-b-192/hosts/dave/etc/ipsec.d/private/daveKey.pem
 create mode 100644 testing/tests/openssl-ikev2/rw-suite-b-192/hosts/dave/etc/ipsec.secrets
 create mode 100644 testing/tests/openssl-ikev2/rw-suite-b-192/hosts/dave/etc/iptables.flush
 create mode 100644 testing/tests/openssl-ikev2/rw-suite-b-192/hosts/dave/etc/iptables.rules
 create mode 100644 testing/tests/openssl-ikev2/rw-suite-b-192/hosts/dave/etc/strongswan.conf
 create mode 100644 testing/tests/openssl-ikev2/rw-suite-b-192/hosts/moon/etc/ipsec.conf
 create mode 100644 testing/tests/openssl-ikev2/rw-suite-b-192/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem
 create mode 100644 testing/tests/openssl-ikev2/rw-suite-b-192/hosts/moon/etc/ipsec.d/certs/moonCert.pem
 create mode 100644 testing/tests/openssl-ikev2/rw-suite-b-192/hosts/moon/etc/ipsec.d/private/moonKey.pem
 create mode 100644 testing/tests/openssl-ikev2/rw-suite-b-192/hosts/moon/etc/ipsec.secrets
 create mode 100644 testing/tests/openssl-ikev2/rw-suite-b-192/hosts/moon/etc/iptables.flush
 create mode 100644 testing/tests/openssl-ikev2/rw-suite-b-192/hosts/moon/etc/iptables.rules
 create mode 100644 testing/tests/openssl-ikev2/rw-suite-b-192/hosts/moon/etc/strongswan.conf
 create mode 100644 testing/tests/openssl-ikev2/rw-suite-b-192/posttest.dat
 create mode 100644 testing/tests/openssl-ikev2/rw-suite-b-192/pretest.dat
 create mode 100644 testing/tests/openssl-ikev2/rw-suite-b-192/test.conf
 create mode 100644 testing/tests/tnc/tnccs-11-radius-pts/description.txt
 create mode 100644 testing/tests/tnc/tnccs-11-radius-pts/evaltest.dat
 create mode 100644 testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/freeradius/eap.conf
 create mode 100644 testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/freeradius/proxy.conf
 create mode 100644 testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/freeradius/sites-available/default
 create mode 100644 testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/freeradius/sites-available/inner-tunnel
 create mode 100644 testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/freeradius/sites-available/inner-tunnel-second
 create mode 100644 testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/freeradius/users
 create mode 100644 testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/pts/data.sql
 create mode 100644 testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/strongswan.conf
 create mode 100644 testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/tnc/log4cxx.properties
 create mode 100644 testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/tnc_config
 create mode 100644 testing/tests/tnc/tnccs-11-radius-pts/hosts/carol/etc/ipsec.conf
 create mode 100644 testing/tests/tnc/tnccs-11-radius-pts/hosts/carol/etc/ipsec.secrets
 create mode 100644 testing/tests/tnc/tnccs-11-radius-pts/hosts/carol/etc/strongswan.conf
 create mode 100644 testing/tests/tnc/tnccs-11-radius-pts/hosts/carol/etc/tnc_config
 create mode 100644 testing/tests/tnc/tnccs-11-radius-pts/hosts/dave/etc/ipsec.conf
 create mode 100644 testing/tests/tnc/tnccs-11-radius-pts/hosts/dave/etc/ipsec.secrets
 create mode 100644 testing/tests/tnc/tnccs-11-radius-pts/hosts/dave/etc/strongswan.conf
 create mode 100644 testing/tests/tnc/tnccs-11-radius-pts/hosts/dave/etc/tnc_config
 create mode 100644 testing/tests/tnc/tnccs-11-radius-pts/hosts/moon/etc/ipsec.conf
 create mode 100644 testing/tests/tnc/tnccs-11-radius-pts/hosts/moon/etc/ipsec.secrets
 create mode 100644 testing/tests/tnc/tnccs-11-radius-pts/hosts/moon/etc/iptables.rules
 create mode 100644 testing/tests/tnc/tnccs-11-radius-pts/hosts/moon/etc/strongswan.conf
 create mode 100644 testing/tests/tnc/tnccs-11-radius-pts/posttest.dat
 create mode 100644 testing/tests/tnc/tnccs-11-radius-pts/pretest.dat
 create mode 100644 testing/tests/tnc/tnccs-11-radius-pts/test.conf
 create mode 100644 testing/tests/tnc/tnccs-20-os/hosts/moon/etc/pts/data.sql
 create mode 100644 testing/tests/tnc/tnccs-20-os/hosts/moon/etc/pts/data.sql~
 create mode 100644 testing/tests/tnc/tnccs-20-pts/description.txt
 create mode 100644 testing/tests/tnc/tnccs-20-pts/evaltest.dat
 create mode 100644 testing/tests/tnc/tnccs-20-pts/hosts/carol/etc/ipsec.conf
 create mode 100644 testing/tests/tnc/tnccs-20-pts/hosts/carol/etc/ipsec.secrets
 create mode 100644 testing/tests/tnc/tnccs-20-pts/hosts/carol/etc/strongswan.conf
 create mode 100644 testing/tests/tnc/tnccs-20-pts/hosts/carol/etc/tnc_config
 create mode 100644 testing/tests/tnc/tnccs-20-pts/hosts/dave/etc/ipsec.conf
 create mode 100644 testing/tests/tnc/tnccs-20-pts/hosts/dave/etc/ipsec.secrets
 create mode 100644 testing/tests/tnc/tnccs-20-pts/hosts/dave/etc/strongswan.conf
 create mode 100644 testing/tests/tnc/tnccs-20-pts/hosts/dave/etc/tnc_config
 create mode 100644 testing/tests/tnc/tnccs-20-pts/hosts/moon/etc/ipsec.conf
 create mode 100644 testing/tests/tnc/tnccs-20-pts/hosts/moon/etc/ipsec.secrets
 create mode 100644 testing/tests/tnc/tnccs-20-pts/hosts/moon/etc/pts/data.sql
 create mode 100644 testing/tests/tnc/tnccs-20-pts/hosts/moon/etc/strongswan.conf
 create mode 100644 testing/tests/tnc/tnccs-20-pts/hosts/moon/etc/tnc_config
 create mode 100644 testing/tests/tnc/tnccs-20-pts/posttest.dat
 create mode 100644 testing/tests/tnc/tnccs-20-pts/pretest.dat
 create mode 100644 testing/tests/tnc/tnccs-20-pts/test.conf
 create mode 100644 testing/tests/tnc/tnccs-20/hosts/moon/etc/pts/data.sql

(limited to 'man')

diff --git a/Android.common.mk b/Android.common.mk
index 4dce2e3d3..7f2790ce4 100644
--- a/Android.common.mk
+++ b/Android.common.mk
@@ -13,7 +13,18 @@ add_plugin = $(if $(call plugin_enabled,$(1)), \
                   ) \
                 ) \
               )
+add_plugin_subdirs = $(if $(call plugin_enabled,$(1)), \
+               $(patsubst $(LOCAL_PATH)/%,%, \
+                 $(wildcard \
+                   $(subst %,$(subst -,_,$(strip $(1))), \
+                     $(addprefix $(LOCAL_PATH)/plugins/%/,$(addsuffix /*.c, \
+                       $(strip $(2)) \
+                      )) \
+                    ) \
+                  ) \
+                ) \
+              )
 
 # strongSwan version, replaced by top Makefile
-strongswan_VERSION := "5.0.4"
+strongswan_VERSION := "5.1.0"
 
diff --git a/Android.common.mk.in b/Android.common.mk.in
index 1bc8a8304..9f8849d7e 100644
--- a/Android.common.mk.in
+++ b/Android.common.mk.in
@@ -13,6 +13,17 @@ add_plugin = $(if $(call plugin_enabled,$(1)), \
                   ) \
                 ) \
               )
+add_plugin_subdirs = $(if $(call plugin_enabled,$(1)), \
+               $(patsubst $(LOCAL_PATH)/%,%, \
+                 $(wildcard \
+                   $(subst %,$(subst -,_,$(strip $(1))), \
+                     $(addprefix $(LOCAL_PATH)/plugins/%/,$(addsuffix /*.c, \
+                       $(strip $(2)) \
+                      )) \
+                    ) \
+                  ) \
+                ) \
+              )
 
 # strongSwan version, replaced by top Makefile
 strongswan_VERSION := "@PACKAGE_VERSION@"
diff --git a/Android.mk b/Android.mk
index e762fe955..aa61cc0e7 100644
--- a/Android.mk
+++ b/Android.mk
@@ -100,7 +100,8 @@ strongswan_BUILD := \
 	libhydra \
 	libstrongswan \
 	libtncif \
-	libtnccs
+	libtnccs \
+	libimcv
 
 ifneq ($(strongswan_BUILD_STARTER),)
 strongswan_BUILD += \
diff --git a/Makefile.am b/Makefile.am
index 8a558c150..0e08794c1 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -4,6 +4,10 @@ if USE_SCRIPTS
   SUBDIRS += scripts
 endif
 
+if USE_SILENT_RULES
+  AM_MAKEFLAGS = -s
+endif
+
 ACLOCAL_AMFLAGS = -I m4/config
 
 EXTRA_DIST = Doxyfile.in LICENSE Android.common.mk.in Android.common.mk Android.mk
@@ -16,12 +20,14 @@ config_includedir = $(ipseclibdir)/include
 nodist_config_include_HEADERS = config.h
 endif
 
-Android.common.mk :	Android.common.mk.in configure.in
+Android.common.mk :	Android.common.mk.in configure.ac
+		$(AM_V_GEN) \
 		sed \
 		-e "s:\@PACKAGE_VERSION\@:$(PACKAGE_VERSION):" \
 		$(srcdir)/$@.in > $@
 
 Doxyfile :	Doxyfile.in
+		$(AM_V_GEN) \
 		sed \
 		-e "s:\@PACKAGE_VERSION\@:$(PACKAGE_VERSION):" \
 		-e "s:\@PACKAGE_NAME\@:$(PACKAGE_NAME):" \
@@ -31,5 +37,37 @@ Doxyfile :	Doxyfile.in
 apidoc :	Doxyfile
 		doxygen
 
-clean-local:
-		rm -rf apidoc
+cov-reset-common:
+		@rm -rf $(top_builddir)/coverage
+		@find $(top_builddir)/{src,scripts} -name "*.gcda" -delete
+
+if COVERAGE
+cov-reset: cov-reset-common
+		@lcov --zerocounters --directory $(top_builddir)
+
+cov-report:
+		@mkdir $(top_builddir)/coverage
+		lcov -c -o $(top_builddir)/coverage/coverage.info -d $(top_builddir)
+		lcov -r $(top_builddir)/coverage/coverage.info '*/tests/*' \
+			 -o $(top_builddir)/coverage/coverage.cleaned.info
+		genhtml --num-spaces 4 --legend \
+				-t "$(PACKAGE_STRING)" \
+				-o $(top_builddir)/coverage/html \
+				-p `readlink -m $(abs_top_srcdir)`/src \
+				$(top_builddir)/coverage/coverage.cleaned.info
+		@echo "Coverage Report at $(top_builddir)/coverage/html" >&2
+
+coverage:
+		@$(MAKE) cov-reset
+		@$(MAKE) check
+		@$(MAKE) cov-report
+else
+coverage:
+		@echo "reconfigure with --enable-coverage"
+endif
+
+clean-local: cov-reset-common
+		@find $(top_builddir)/{src,scripts} -name "*.gcno" -delete
+		@rm -rf apidoc
+
+.PHONY: cov-reset-common cov-reset cov-report coverage
diff --git a/Makefile.in b/Makefile.in
index 61541b2e4..7792802e2 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -68,7 +68,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 am__CONFIG_DISTCLEAN_FILES = config.status config.cache config.log \
@@ -77,6 +77,12 @@ mkinstalldirs = $(install_sh) -d
 CONFIG_HEADER = config.h
 CONFIG_CLEAN_FILES = src/dumm/ext/extconf.rb
 CONFIG_CLEAN_VPATH_FILES =
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 SOURCES =
 DIST_SOURCES =
 RECURSIVE_TARGETS = all-recursive check-recursive dvi-recursive \
@@ -171,6 +177,7 @@ distcleancheck_listfiles = find . -type f -print
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
@@ -183,6 +190,8 @@ CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
 CHECK_CFLAGS = @CHECK_CFLAGS@
 CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -198,6 +207,7 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
 GPRBUILD = @GPRBUILD@
 GREP = @GREP@
@@ -206,6 +216,7 @@ INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -252,6 +263,7 @@ SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -280,6 +292,7 @@ charon_natt_port = @charon_natt_port@
 charon_plugins = @charon_plugins@
 charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
@@ -358,6 +371,7 @@ urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
 SUBDIRS = src man init testing $(am__append_1)
+@USE_SILENT_RULES_TRUE@AM_MAKEFLAGS = -s
 ACLOCAL_AMFLAGS = -I m4/config
 EXTRA_DIST = Doxyfile.in LICENSE Android.common.mk.in Android.common.mk Android.mk
 CLEANFILES = Doxyfile
@@ -909,12 +923,14 @@ uninstall-am: uninstall-nodist_config_includeHEADERS
 	uninstall-nodist_config_includeHEADERS
 
 
-Android.common.mk :	Android.common.mk.in configure.in
+Android.common.mk :	Android.common.mk.in configure.ac
+		$(AM_V_GEN) \
 		sed \
 		-e "s:\@PACKAGE_VERSION\@:$(PACKAGE_VERSION):" \
 		$(srcdir)/$@.in > $@
 
 Doxyfile :	Doxyfile.in
+		$(AM_V_GEN) \
 		sed \
 		-e "s:\@PACKAGE_VERSION\@:$(PACKAGE_VERSION):" \
 		-e "s:\@PACKAGE_NAME\@:$(PACKAGE_NAME):" \
@@ -924,8 +940,37 @@ Doxyfile :	Doxyfile.in
 apidoc :	Doxyfile
 		doxygen
 
-clean-local:
-		rm -rf apidoc
+cov-reset-common:
+		@rm -rf $(top_builddir)/coverage
+		@find $(top_builddir)/{src,scripts} -name "*.gcda" -delete
+
+@COVERAGE_TRUE@cov-reset: cov-reset-common
+@COVERAGE_TRUE@		@lcov --zerocounters --directory $(top_builddir)
+
+@COVERAGE_TRUE@cov-report:
+@COVERAGE_TRUE@		@mkdir $(top_builddir)/coverage
+@COVERAGE_TRUE@		lcov -c -o $(top_builddir)/coverage/coverage.info -d $(top_builddir)
+@COVERAGE_TRUE@		lcov -r $(top_builddir)/coverage/coverage.info '*/tests/*' \
+@COVERAGE_TRUE@			 -o $(top_builddir)/coverage/coverage.cleaned.info
+@COVERAGE_TRUE@		genhtml --num-spaces 4 --legend \
+@COVERAGE_TRUE@				-t "$(PACKAGE_STRING)" \
+@COVERAGE_TRUE@				-o $(top_builddir)/coverage/html \
+@COVERAGE_TRUE@				-p `readlink -m $(abs_top_srcdir)`/src \
+@COVERAGE_TRUE@				$(top_builddir)/coverage/coverage.cleaned.info
+@COVERAGE_TRUE@		@echo "Coverage Report at $(top_builddir)/coverage/html" >&2
+
+@COVERAGE_TRUE@coverage:
+@COVERAGE_TRUE@		@$(MAKE) cov-reset
+@COVERAGE_TRUE@		@$(MAKE) check
+@COVERAGE_TRUE@		@$(MAKE) cov-report
+@COVERAGE_FALSE@coverage:
+@COVERAGE_FALSE@		@echo "reconfigure with --enable-coverage"
+
+clean-local: cov-reset-common
+		@find $(top_builddir)/{src,scripts} -name "*.gcno" -delete
+		@rm -rf apidoc
+
+.PHONY: cov-reset-common cov-reset cov-report coverage
 
 # Tell versions [3.59,3.63) of GNU make to not export all variables.
 # Otherwise a system limit (for SysV at least) may be exceeded.
diff --git a/NEWS b/NEWS
index 2c58ee97c..fb0b4a2c8 100644
--- a/NEWS
+++ b/NEWS
@@ -1,3 +1,86 @@
+strongswan-5.1.0
+----------------
+
+- Fixed a denial-of-service vulnerability triggered by specific XAuth usernames
+  and EAP identities (since 5.0.3), and PEM files (since 4.1.11).  The crash
+  was caused by insufficient error handling in the is_asn1() function.
+  The vulnerability has been registered as CVE-2013-5018.
+
+- The new charon-cmd command line IKE client can establish road warrior
+  connections using IKEv1 or IKEv2 with different authentication profiles.
+  It does not depend on any configuration files and can be configured using a
+  few simple command line options.
+
+- The kernel-pfroute networking backend has been greatly improved. It now
+  can install virtual IPs on TUN devices on OS X and FreeBSD, allowing these
+  systems to act as a client in common road warrior scenarios.
+
+- The new kernel-libipsec plugin uses TUN devices and libipsec to provide IPsec
+  processing in userland on Linux, FreeBSD and Mac OS X.
+
+- The eap-radius plugin can now serve as an XAuth backend called xauth-radius,
+  directly verifying XAuth credentials using RADIUS User-Name/User-Password
+  attributes. This is more efficient than the existing xauth-eap+eap-radius
+  combination, and allows RADIUS servers without EAP support to act as AAA
+  backend for IKEv1.
+
+- The new osx-attr plugin installs configuration attributes (currently DNS
+  servers) via SystemConfiguration on Mac OS X. The keychain plugin provides
+  certificates from the OS X keychain service.
+
+- The sshkey plugin parses SSH public keys, which, together with the --agent
+  option for charon-cmd, allows the use of ssh-agent for authentication.
+  To configure SSH keys in ipsec.conf the left|rightrsasigkey options are
+  replaced with left|rightsigkey, which now take public keys in one of three
+  formats: SSH (RFC 4253, ssh: prefix), DNSKEY (RFC 3110, dns: prefix), and
+  PKCS#1 (the default, no prefix).
+
+- Extraction of certificates and private keys from PKCS#12 files is now provided
+  by the new pkcs12 plugin or the openssl plugin.  charon-cmd (--p12) as well
+  as charon (via P12 token in ipsec.secrets) can make use of this.
+
+- IKEv2 can now negotiate transport mode and IPComp in NAT situations.
+
+- IKEv2 exchange initiators now properly close an established IKE or CHILD_SA
+  on error conditions using an additional exchange, keeping state in sync
+  between peers.
+
+- Using a SQL database interface a Trusted Network Connect (TNC) Policy Manager
+  can  generate specific measurement workitems for an arbitrary number of
+  Integrity Measurement Verifiers (IMVs) based on the history of the VPN user
+  and/or device.
+
+- Several core classes in libstrongswan are now tested with unit tests.  These
+  can be enabled with --enable-unit-tests and run with 'make check'.  Coverage
+  reports can be generated with --enable-coverage and 'make coverage' (this
+  disables any optimization, so it should not be enabled when building
+  production releases).
+
+- The leak-detective developer tool has been greatly improved. It works much
+  faster/stabler with multiple threads, does not use deprecated malloc hooks
+  anymore and has been ported to OS X.
+
+- chunk_hash() is now based on SipHash-2-4 with a random key.  This provides
+  better distribution and prevents hash flooding attacks when used with
+  hashtables.
+
+- All default plugins implement the get_features() method to define features
+  and their dependencies.  The plugin loader has been improved, so that plugins
+  in a custom load statement can be ordered freely or to express preferences
+  without being affected by dependencies between plugin features.
+
+- A centralized thread can take care for watching multiple file descriptors
+  concurrently. This removes the need for a dedicated listener threads in
+  various plugins. The number of "reserved" threads for such tasks has been
+  reduced to about five, depending on the plugin configuration.
+
+- Plugins that can be controlled by a UNIX socket IPC mechanism gained network
+  transparency. Third party applications querying these plugins now can use
+  TCP connections from a different host.
+
+- libipsec now supports AES-GCM.
+
+
 strongswan-5.0.4
 ----------------
 
diff --git a/aclocal.m4 b/aclocal.m4
index b2938b090..871193eef 100644
--- a/aclocal.m4
+++ b/aclocal.m4
@@ -1262,6 +1262,63 @@ Check your system clock])
 fi
 AC_MSG_RESULT(yes)])
 
+# Copyright (C) 2009, 2011  Free Software Foundation, Inc.
+#
+# This file is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# serial 2
+
+# AM_SILENT_RULES([DEFAULT])
+# --------------------------
+# Enable less verbose build rules; with the default set to DEFAULT
+# (`yes' being less verbose, `no' or empty being verbose).
+AC_DEFUN([AM_SILENT_RULES],
+[AC_ARG_ENABLE([silent-rules],
+[  --enable-silent-rules          less verbose build output (undo: `make V=1')
+  --disable-silent-rules         verbose build output (undo: `make V=0')])
+case $enable_silent_rules in
+yes) AM_DEFAULT_VERBOSITY=0;;
+no)  AM_DEFAULT_VERBOSITY=1;;
+*)   AM_DEFAULT_VERBOSITY=m4_if([$1], [yes], [0], [1]);;
+esac
+dnl
+dnl A few `make' implementations (e.g., NonStop OS and NextStep)
+dnl do not support nested variable expansions.
+dnl See automake bug#9928 and bug#10237.
+am_make=${MAKE-make}
+AC_CACHE_CHECK([whether $am_make supports nested variables],
+   [am_cv_make_support_nested_variables],
+   [if AS_ECHO([['TRUE=$(BAR$(V))
+BAR0=false
+BAR1=true
+V=1
+am__doit:
+	@$(TRUE)
+.PHONY: am__doit']]) | $am_make -f - >/dev/null 2>&1; then
+  am_cv_make_support_nested_variables=yes
+else
+  am_cv_make_support_nested_variables=no
+fi])
+if test $am_cv_make_support_nested_variables = yes; then
+  dnl Using `$V' instead of `$(V)' breaks IRIX make.
+  AM_V='$(V)'
+  AM_DEFAULT_V='$(AM_DEFAULT_VERBOSITY)'
+else
+  AM_V=$AM_DEFAULT_VERBOSITY
+  AM_DEFAULT_V=$AM_DEFAULT_VERBOSITY
+fi
+AC_SUBST([AM_V])dnl
+AM_SUBST_NOTMAKE([AM_V])dnl
+AC_SUBST([AM_DEFAULT_V])dnl
+AM_SUBST_NOTMAKE([AM_DEFAULT_V])dnl
+AC_SUBST([AM_DEFAULT_VERBOSITY])dnl
+AM_BACKSLASH='\'
+AC_SUBST([AM_BACKSLASH])dnl
+_AM_SUBST_NOTMAKE([AM_BACKSLASH])dnl
+])
+
 # Copyright (C) 2001, 2003, 2005, 2011 Free Software Foundation, Inc.
 #
 # This file is free software; the Free Software Foundation
diff --git a/config.h.in b/config.h.in
index a761227f3..62c3ee5b8 100644
--- a/config.h.in
+++ b/config.h.in
@@ -1,4 +1,4 @@
-/* config.h.in.  Generated from configure.in by autoheader.  */
+/* config.h.in.  Generated from configure.ac by autoheader.  */
 
 /* Define if building universal (internal helper macro) */
 #undef AC_APPLE_UNIVERSAL_BUILD
@@ -103,6 +103,9 @@
 /* Define to 1 if you have the `gmp' library (-lgmp). */
 #undef HAVE_LIBGMP
 
+/* have libunwind.h */
+#undef HAVE_LIBUNWIND_H
+
 /* Define to 1 if you have the <linux/udp.h> header file. */
 #undef HAVE_LINUX_UDP_H
 
diff --git a/configure b/configure
index fca9ca824..7f4469fe9 100755
--- a/configure
+++ b/configure
@@ -1,6 +1,6 @@
 #! /bin/sh
 # Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.69 for strongSwan 5.0.4.
+# Generated by GNU Autoconf 2.69 for strongSwan 5.1.0.
 #
 #
 # Copyright (C) 1992-1996, 1998-2012 Free Software Foundation, Inc.
@@ -587,8 +587,8 @@ MAKEFLAGS=
 # Identity of this package.
 PACKAGE_NAME='strongSwan'
 PACKAGE_TARNAME='strongswan'
-PACKAGE_VERSION='5.0.4'
-PACKAGE_STRING='strongSwan 5.0.4'
+PACKAGE_VERSION='5.1.0'
+PACKAGE_STRING='strongSwan 5.1.0'
 PACKAGE_BUGREPORT=''
 PACKAGE_URL=''
 
@@ -632,10 +632,16 @@ ac_subst_vars='am__EXEEXT_FALSE
 am__EXEEXT_TRUE
 LTLIBOBJS
 LIBOBJS
+USE_CMD_FALSE
+USE_CMD_TRUE
 USE_TKM_FALSE
 USE_TKM_TRUE
+COVERAGE_FALSE
+COVERAGE_TRUE
 UNITTESTS_FALSE
 UNITTESTS_TRUE
+USE_SILENT_RULES_FALSE
+USE_SILENT_RULES_TRUE
 MONOLITHIC_FALSE
 MONOLITHIC_TRUE
 USE_TROUSERS_FALSE
@@ -824,6 +830,8 @@ USE_LOOKIP_FALSE
 USE_LOOKIP_TRUE
 USE_WHITELIST_FALSE
 USE_WHITELIST_TRUE
+USE_KERNEL_LIBIPSEC_FALSE
+USE_KERNEL_LIBIPSEC_TRUE
 USE_HA_FALSE
 USE_HA_TRUE
 USE_LOAD_TESTER_FALSE
@@ -846,6 +854,8 @@ USE_ANDROID_LOG_FALSE
 USE_ANDROID_LOG_TRUE
 USE_ANDROID_DNS_FALSE
 USE_ANDROID_DNS_TRUE
+USE_OSX_ATTR_FALSE
+USE_OSX_ATTR_TRUE
 USE_UCI_FALSE
 USE_UCI_TRUE
 USE_MEDCLI_FALSE
@@ -864,6 +874,8 @@ USE_CTR_FALSE
 USE_CTR_TRUE
 USE_PKCS11_FALSE
 USE_PKCS11_TRUE
+USE_KEYCHAIN_FALSE
+USE_KEYCHAIN_TRUE
 USE_AGENT_FALSE
 USE_AGENT_TRUE
 USE_GCRYPT_FALSE
@@ -884,10 +896,14 @@ USE_HMAC_FALSE
 USE_HMAC_TRUE
 USE_PEM_FALSE
 USE_PEM_TRUE
+USE_SSHKEY_FALSE
+USE_SSHKEY_TRUE
 USE_DNSKEY_FALSE
 USE_DNSKEY_TRUE
 USE_PGP_FALSE
 USE_PGP_TRUE
+USE_PKCS12_FALSE
+USE_PKCS12_TRUE
 USE_PKCS8_FALSE
 USE_PKCS8_TRUE
 USE_PKCS7_FALSE
@@ -920,6 +936,8 @@ USE_MD5_FALSE
 USE_MD5_TRUE
 USE_MD4_FALSE
 USE_MD4_TRUE
+USE_RC2_FALSE
+USE_RC2_TRUE
 USE_BLOWFISH_FALSE
 USE_BLOWFISH_TRUE
 USE_DES_FALSE
@@ -939,6 +957,7 @@ USE_TEST_VECTORS_TRUE
 s_plugins
 h_plugins
 c_plugins
+cmd_plugins
 nm_plugins
 medsrv_plugins
 manager_plugins
@@ -950,12 +969,17 @@ attest_plugins
 pool_plugins
 starter_plugins
 charon_plugins
+COVERAGE_LDFLAGS
+COVERAGE_CFLAGS
+GENHTML
+LCOV
 CHECK_LIBS
 CHECK_CFLAGS
 GPRBUILD
 dev_headers
 USE_DEV_HEADERS_FALSE
 USE_DEV_HEADERS_TRUE
+UNWINDLIB
 BFDLIB
 nm_LIBS
 nm_CFLAGS
@@ -1063,6 +1087,10 @@ random_device
 PKG_CONFIG_LIBDIR
 PKG_CONFIG_PATH
 PKG_CONFIG
+AM_BACKSLASH
+AM_DEFAULT_VERBOSITY
+AM_DEFAULT_V
+AM_V
 am__untar
 am__tar
 AMTAR
@@ -1127,6 +1155,7 @@ SHELL'
 ac_subst_files=''
 ac_user_opts='
 enable_option_checking
+enable_silent_rules
 with_random_device
 with_urandom_device
 with_strongswan_conf
@@ -1158,6 +1187,7 @@ enable_ldap
 enable_aes
 enable_des
 enable_blowfish
+enable_rc2
 enable_md4
 enable_md5
 enable_sha1
@@ -1174,8 +1204,10 @@ enable_pubkey
 enable_pkcs1
 enable_pkcs7
 enable_pkcs8
+enable_pkcs12
 enable_pgp
 enable_dnskey
+enable_sshkey
 enable_ipseckey
 enable_pem
 enable_hmac
@@ -1235,6 +1267,7 @@ enable_kernel_netlink
 enable_kernel_pfkey
 enable_kernel_pfroute
 enable_kernel_klips
+enable_kernel_libipsec
 enable_libipsec
 enable_socket_default
 enable_socket_dynamic
@@ -1260,6 +1293,7 @@ enable_padlock
 enable_openssl
 enable_gcrypt
 enable_agent
+enable_keychain
 enable_pkcs11
 enable_ctr
 enable_ccm
@@ -1267,6 +1301,7 @@ enable_gcm
 enable_addrblock
 enable_unity
 enable_uci
+enable_osx_attr
 enable_android_dns
 enable_android_log
 enable_maemo
@@ -1284,8 +1319,11 @@ enable_radattr
 enable_vstr
 enable_monolithic
 enable_bfd_backtraces
+enable_unwind_backtraces
 enable_unit_tests
+enable_coverage
 enable_tkm
+enable_cmd
 enable_defaults
 enable_dependency_tracking
 with_lib_prefix
@@ -1865,7 +1903,7 @@ if test "$ac_init_help" = "long"; then
   # Omit some internal or obsolete options to make the list less imposing.
   # This message is too long to be a string in the A/UX 3.1 sh.
   cat <<_ACEOF
-\`configure' configures strongSwan 5.0.4 to adapt to many kinds of systems.
+\`configure' configures strongSwan 5.1.0 to adapt to many kinds of systems.
 
 Usage: $0 [OPTION]... [VAR=VALUE]...
 
@@ -1935,7 +1973,7 @@ fi
 
 if test -n "$ac_init_help"; then
   case $ac_init_help in
-     short | recursive ) echo "Configuration of strongSwan 5.0.4:";;
+     short | recursive ) echo "Configuration of strongSwan 5.1.0:";;
    esac
   cat <<\_ACEOF
 
@@ -1943,6 +1981,8 @@ Optional Features:
   --disable-option-checking  ignore unrecognized --enable/--with options
   --disable-FEATURE       do not include FEATURE (same as --enable-FEATURE=no)
   --enable-FEATURE[=ARG]  include FEATURE [ARG=yes]
+  --enable-silent-rules          less verbose build output (undo: `make V=1')
+  --disable-silent-rules         verbose build output (undo: `make V=0')
   --enable-curl           enable CURL fetcher plugin to fetch files via
                           libcurl. Requires libcurl.
   --enable-unbound        enable UNBOUND resolver plugin to perform DNS
@@ -1955,6 +1995,7 @@ Optional Features:
   --disable-aes           disable AES software implementation plugin.
   --disable-des           disable DES/3DES software implementation plugin.
   --enable-blowfish       enable Blowfish software implementation plugin.
+  --disable-rc2           disable RC2 software implementation plugin.
   --enable-md4            enable MD4 software implementation plugin.
   --disable-md5           disable MD5 software implementation plugin.
   --disable-sha1          disable SHA1 software implementation plugin.
@@ -1973,8 +2014,10 @@ Optional Features:
   --disable-pkcs1         disable PKCS1 key decoding plugin.
   --disable-pkcs7         disable PKCS7 container support plugin.
   --disable-pkcs8         disable PKCS8 private key decoding plugin.
+  --disable-pkcs12        disable PKCS12 container support plugin.
   --disable-pgp           disable PGP key decoding plugin.
   --disable-dnskey        disable DNS RR key decoding plugin.
+  --disable-sshkey        disable SSH key decoding plugin.
   --enable-ipseckey       enable IPSECKEY authentication plugin.
   --disable-pem           disable PEM decoding plugin.
   --disable-hmac          disable HMAC crypto implementation plugin.
@@ -2049,6 +2092,8 @@ Optional Features:
   --enable-kernel-pfkey   enable the PF_KEY kernel interface.
   --enable-kernel-pfroute enable the PF_ROUTE kernel interface.
   --enable-kernel-klips   enable the KLIPS kernel interface.
+  --enable-kernel-libipsec
+                          enable the libipsec kernel interface.
   --enable-libipsec       enable user space IPsec implementation.
   --disable-socket-default
                           disable default socket implementation for charon.
@@ -2082,6 +2127,7 @@ Optional Features:
   --enable-openssl        enables the OpenSSL crypto plugin.
   --enable-gcrypt         enables the libgcrypt plugin.
   --enable-agent          enables the ssh-agent signing plugin.
+  --enable-keychain       enables OS X Keychain Services credential set.
   --enable-pkcs11         enables the PKCS11 token support plugin.
   --enable-ctr            enables the Counter Mode wrapper crypto plugin.
   --enable-ccm            enables the CCM AEAD wrapper crypto plugin.
@@ -2089,6 +2135,7 @@ Optional Features:
   --enable-addrblock      enables RFC 3779 address block constraint support.
   --enable-unity          enables Cisco Unity extension plugin.
   --enable-uci            enable OpenWRT UCI configuration plugin.
+  --enable-osx-attr       enable OS X SystemConfiguration attribute handler.
   --enable-android-dns    enable Android specific DNS handler.
   --enable-android-log    enable Android specific logger plugin.
   --enable-maemo          enable Maemo specific plugin.
@@ -2117,8 +2164,13 @@ Optional Features:
                           of charon are assembled in libcharon.
   --enable-bfd-backtraces use binutils libbfd to resolve backtraces for memory
                           leaks and segfaults.
+  --enable-unwind-backtraces
+                          use libunwind to create backtraces for memory leaks
+                          and segfaults.
   --enable-unit-tests     enable unit tests using the check test framework.
+  --enable-coverage       enable lcov coverage report generation.
   --enable-tkm            enable Trusted Key Manager support.
+  --enable-cmd            enable the command line IKE client charon-cmd.
   --disable-defaults      disable all default plugins (they can be enabled
                           with their respective --enable options)
   --disable-dependency-tracking  speeds up one-time build
@@ -2304,7 +2356,7 @@ fi
 test -n "$ac_init_help" && exit $ac_status
 if $ac_init_version; then
   cat <<\_ACEOF
-strongSwan configure 5.0.4
+strongSwan configure 5.1.0
 generated by GNU Autoconf 2.69
 
 Copyright (C) 2012 Free Software Foundation, Inc.
@@ -2826,7 +2878,7 @@ cat >config.log <<_ACEOF
 This file contains any messages produced by compilers while
 running configure, to aid debugging if configure makes a mistake.
 
-It was created by strongSwan $as_me 5.0.4, which was
+It was created by strongSwan $as_me 5.1.0, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   $ $0 $@
@@ -3641,7 +3693,7 @@ fi
 
 # Define the identity of the package.
  PACKAGE='strongswan'
- VERSION='5.0.4'
+ VERSION='5.1.0'
 
 
 cat >>confdefs.h <<_ACEOF
@@ -3762,6 +3814,45 @@ $as_echo "$am_cv_prog_tar_ustar" >&6; }
 
 
 
+# Check whether --enable-silent-rules was given.
+if test "${enable_silent_rules+set}" = set; then :
+  enableval=$enable_silent_rules;
+fi
+
+case $enable_silent_rules in
+yes) AM_DEFAULT_VERBOSITY=0;;
+no)  AM_DEFAULT_VERBOSITY=1;;
+*)   AM_DEFAULT_VERBOSITY=1;;
+esac
+am_make=${MAKE-make}
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether $am_make supports nested variables" >&5
+$as_echo_n "checking whether $am_make supports nested variables... " >&6; }
+if ${am_cv_make_support_nested_variables+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  if $as_echo 'TRUE=$(BAR$(V))
+BAR0=false
+BAR1=true
+V=1
+am__doit:
+	@$(TRUE)
+.PHONY: am__doit' | $am_make -f - >/dev/null 2>&1; then
+  am_cv_make_support_nested_variables=yes
+else
+  am_cv_make_support_nested_variables=no
+fi
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $am_cv_make_support_nested_variables" >&5
+$as_echo "$am_cv_make_support_nested_variables" >&6; }
+if test $am_cv_make_support_nested_variables = yes; then
+    AM_V='$(V)'
+  AM_DEFAULT_V='$(AM_DEFAULT_VERBOSITY)'
+else
+  AM_V=$AM_DEFAULT_VERBOSITY
+  AM_DEFAULT_V=$AM_DEFAULT_VERBOSITY
+fi
+AM_BACKSLASH='\'
+
 
 ac_config_headers="$ac_config_headers config.h"
 
@@ -4351,6 +4442,22 @@ else
 fi
 
 
+# Check whether --enable-rc2 was given.
+if test "${enable_rc2+set}" = set; then :
+  enableval=$enable_rc2; rc2_given=true
+		if test x$enableval = xyes; then
+			rc2=true
+		 else
+			rc2=false
+		fi
+else
+  rc2=true
+		rc2_given=false
+
+fi
+
+	enabled_by_default=${enabled_by_default}" rc2"
+
 # Check whether --enable-md4 was given.
 if test "${enable_md4+set}" = set; then :
   enableval=$enable_md4; md4_given=true
@@ -4605,6 +4712,22 @@ fi
 
 	enabled_by_default=${enabled_by_default}" pkcs8"
 
+# Check whether --enable-pkcs12 was given.
+if test "${enable_pkcs12+set}" = set; then :
+  enableval=$enable_pkcs12; pkcs12_given=true
+		if test x$enableval = xyes; then
+			pkcs12=true
+		 else
+			pkcs12=false
+		fi
+else
+  pkcs12=true
+		pkcs12_given=false
+
+fi
+
+	enabled_by_default=${enabled_by_default}" pkcs12"
+
 # Check whether --enable-pgp was given.
 if test "${enable_pgp+set}" = set; then :
   enableval=$enable_pgp; pgp_given=true
@@ -4637,6 +4760,22 @@ fi
 
 	enabled_by_default=${enabled_by_default}" dnskey"
 
+# Check whether --enable-sshkey was given.
+if test "${enable_sshkey+set}" = set; then :
+  enableval=$enable_sshkey; sshkey_given=true
+		if test x$enableval = xyes; then
+			sshkey=true
+		 else
+			sshkey=false
+		fi
+else
+  sshkey=true
+		sshkey_given=false
+
+fi
+
+	enabled_by_default=${enabled_by_default}" sshkey"
+
 # Check whether --enable-ipseckey was given.
 if test "${enable_ipseckey+set}" = set; then :
   enableval=$enable_ipseckey; ipseckey_given=true
@@ -5529,6 +5668,21 @@ else
 fi
 
 
+# Check whether --enable-kernel-libipsec was given.
+if test "${enable_kernel_libipsec+set}" = set; then :
+  enableval=$enable_kernel_libipsec; kernel_libipsec_given=true
+		if test x$enableval = xyes; then
+			kernel_libipsec=true
+		 else
+			kernel_libipsec=false
+		fi
+else
+  kernel_libipsec=false
+		kernel_libipsec_given=false
+
+fi
+
+
 # Check whether --enable-libipsec was given.
 if test "${enable_libipsec+set}" = set; then :
   enableval=$enable_libipsec; libipsec_given=true
@@ -5914,6 +6068,21 @@ else
 fi
 
 
+# Check whether --enable-keychain was given.
+if test "${enable_keychain+set}" = set; then :
+  enableval=$enable_keychain; keychain_given=true
+		if test x$enableval = xyes; then
+			keychain=true
+		 else
+			keychain=false
+		fi
+else
+  keychain=false
+		keychain_given=false
+
+fi
+
+
 # Check whether --enable-pkcs11 was given.
 if test "${enable_pkcs11+set}" = set; then :
   enableval=$enable_pkcs11; pkcs11_given=true
@@ -6019,6 +6188,21 @@ else
 fi
 
 
+# Check whether --enable-osx-attr was given.
+if test "${enable_osx_attr+set}" = set; then :
+  enableval=$enable_osx_attr; osx_attr_given=true
+		if test x$enableval = xyes; then
+			osx_attr=true
+		 else
+			osx_attr=false
+		fi
+else
+  osx_attr=false
+		osx_attr_given=false
+
+fi
+
+
 # Check whether --enable-android-dns was given.
 if test "${enable_android_dns+set}" = set; then :
   enableval=$enable_android_dns; android_dns_given=true
@@ -6274,6 +6458,21 @@ else
 fi
 
 
+# Check whether --enable-unwind-backtraces was given.
+if test "${enable_unwind_backtraces+set}" = set; then :
+  enableval=$enable_unwind_backtraces; unwind_backtraces_given=true
+		if test x$enableval = xyes; then
+			unwind_backtraces=true
+		 else
+			unwind_backtraces=false
+		fi
+else
+  unwind_backtraces=false
+		unwind_backtraces_given=false
+
+fi
+
+
 # Check whether --enable-unit-tests was given.
 if test "${enable_unit_tests+set}" = set; then :
   enableval=$enable_unit_tests; unit_tests_given=true
@@ -6289,6 +6488,21 @@ else
 fi
 
 
+# Check whether --enable-coverage was given.
+if test "${enable_coverage+set}" = set; then :
+  enableval=$enable_coverage; coverage_given=true
+		if test x$enableval = xyes; then
+			coverage=true
+		 else
+			coverage=false
+		fi
+else
+  coverage=false
+		coverage_given=false
+
+fi
+
+
 # Check whether --enable-tkm was given.
 if test "${enable_tkm+set}" = set; then :
   enableval=$enable_tkm; tkm_given=true
@@ -6304,6 +6518,21 @@ else
 fi
 
 
+# Check whether --enable-cmd was given.
+if test "${enable_cmd+set}" = set; then :
+  enableval=$enable_cmd; cmd_given=true
+		if test x$enableval = xyes; then
+			cmd=true
+		 else
+			cmd=false
+		fi
+else
+  cmd=false
+		cmd_given=false
+
+fi
+
+
 
 # ===================================
 #  option to disable default options
@@ -9022,7 +9251,8 @@ else
     ;;
   *)
     lt_cv_sys_max_cmd_len=`(getconf ARG_MAX) 2> /dev/null`
-    if test -n "$lt_cv_sys_max_cmd_len"; then
+    if test -n "$lt_cv_sys_max_cmd_len" && \
+	test undefined != "$lt_cv_sys_max_cmd_len"; then
       lt_cv_sys_max_cmd_len=`expr $lt_cv_sys_max_cmd_len \/ 4`
       lt_cv_sys_max_cmd_len=`expr $lt_cv_sys_max_cmd_len \* 3`
     else
@@ -9423,10 +9653,6 @@ freebsd* | dragonfly*)
   fi
   ;;
 
-gnu*)
-  lt_cv_deplibs_check_method=pass_all
-  ;;
-
 haiku*)
   lt_cv_deplibs_check_method=pass_all
   ;;
@@ -9465,7 +9691,7 @@ irix5* | irix6* | nonstopux*)
   ;;
 
 # This must be glibc/ELF.
-linux* | k*bsd*-gnu | kopensolaris*-gnu)
+linux* | k*bsd*-gnu | kopensolaris*-gnu | gnu*)
   lt_cv_deplibs_check_method=pass_all
   ;;
 
@@ -10562,7 +10788,14 @@ s390*-*linux*|s390*-*tpf*|sparc*-*linux*)
 	    LD="${LD-ld} -m elf_i386_fbsd"
 	    ;;
 	  x86_64-*linux*)
-	    LD="${LD-ld} -m elf_i386"
+	    case `/usr/bin/file conftest.o` in
+	      *x86-64*)
+		LD="${LD-ld} -m elf32_x86_64"
+		;;
+	      *)
+		LD="${LD-ld} -m elf_i386"
+		;;
+	    esac
 	    ;;
 	  ppc64-*linux*|powerpc64-*linux*)
 	    LD="${LD-ld} -m elf32ppclinux"
@@ -12124,7 +12357,7 @@ lt_prog_compiler_static=
       lt_prog_compiler_static='-non_shared'
       ;;
 
-    linux* | k*bsd*-gnu | kopensolaris*-gnu)
+    linux* | k*bsd*-gnu | kopensolaris*-gnu | gnu*)
       case $cc_basename in
       # old Intel for x86_64 which still supported -KPIC.
       ecc*)
@@ -14294,17 +14527,6 @@ freebsd* | dragonfly*)
   esac
   ;;
 
-gnu*)
-  version_type=linux # correct to gnu/linux during the next big refactor
-  need_lib_prefix=no
-  need_version=no
-  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}${major} ${libname}${shared_ext}'
-  soname_spec='${libname}${release}${shared_ext}$major'
-  shlibpath_var=LD_LIBRARY_PATH
-  shlibpath_overrides_runpath=no
-  hardcode_into_libs=yes
-  ;;
-
 haiku*)
   version_type=linux # correct to gnu/linux during the next big refactor
   need_lib_prefix=no
@@ -14421,7 +14643,7 @@ linux*oldld* | linux*aout* | linux*coff*)
   ;;
 
 # This must be glibc/ELF.
-linux* | k*bsd*-gnu | kopensolaris*-gnu)
+linux* | k*bsd*-gnu | kopensolaris*-gnu | gnu*)
   version_type=linux # correct to gnu/linux during the next big refactor
   need_lib_prefix=no
   need_version=no
@@ -15886,6 +16108,10 @@ if test x$xauth_generic_given = xfalse -a x$ikev1 = xfalse; then
 	xauth_generic=false;
 fi
 
+if test x$kernel_libipsec = xtrue; then
+	libipsec=true;
+fi
+
 if test x$eap_aka_3gpp2 = xtrue; then
 	gmp=true;
 fi
@@ -15943,6 +16169,10 @@ if test x$medcli = xtrue; then
 	mediation=true
 fi
 
+if test x$coverage = xtrue; then
+	unit_tests=true
+fi
+
 # ===========================================
 #  check required libraries and header files
 # ===========================================
@@ -19153,6 +19383,57 @@ fi
 
 	BFDLIB="-lbfd"
 
+fi
+
+if test x$unwind_backtraces = xtrue; then
+	{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for main in -lunwind" >&5
+$as_echo_n "checking for main in -lunwind... " >&6; }
+if ${ac_cv_lib_unwind_main+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  ac_check_lib_save_LIBS=$LIBS
+LIBS="-lunwind  $LIBS"
+cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+
+
+int
+main ()
+{
+return main ();
+  ;
+  return 0;
+}
+_ACEOF
+if ac_fn_c_try_link "$LINENO"; then :
+  ac_cv_lib_unwind_main=yes
+else
+  ac_cv_lib_unwind_main=no
+fi
+rm -f core conftest.err conftest.$ac_objext \
+    conftest$ac_exeext conftest.$ac_ext
+LIBS=$ac_check_lib_save_LIBS
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_unwind_main" >&5
+$as_echo "$ac_cv_lib_unwind_main" >&6; }
+if test "x$ac_cv_lib_unwind_main" = xyes; then :
+  LIBS="$LIBS"
+else
+  as_fn_error $? "libunwind not found!" "$LINENO" 5
+fi
+
+	ac_fn_c_check_header_mongrel "$LINENO" "libunwind.h" "ac_cv_header_libunwind_h" "$ac_includes_default"
+if test "x$ac_cv_header_libunwind_h" = xyes; then :
+
+$as_echo "#define HAVE_LIBUNWIND_H /**/" >>confdefs.h
+
+else
+  as_fn_error $? "libunwind.h header not found!" "$LINENO" 5
+fi
+
+
+	UNWINDLIB="-lunwind"
+
 fi
 
  if test "x$dev_headers" != xno; then
@@ -19310,6 +19591,106 @@ fi
 
 fi
 
+if test x$coverage = xtrue; then
+	# Extract the first word of "lcov", so it can be a program name with args.
+set dummy lcov; ac_word=$2
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
+$as_echo_n "checking for $ac_word... " >&6; }
+if ${ac_cv_path_LCOV+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  case $LCOV in
+  [\\/]* | ?:[\\/]*)
+  ac_cv_path_LCOV="$LCOV" # Let the user override the test with a path.
+  ;;
+  *)
+  as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+as_dummy="$PATH:/bin:/usr/bin:/usr/local/bin"
+for as_dir in $as_dummy
+do
+  IFS=$as_save_IFS
+  test -z "$as_dir" && as_dir=.
+    for ac_exec_ext in '' $ac_executable_extensions; do
+  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
+    ac_cv_path_LCOV="$as_dir/$ac_word$ac_exec_ext"
+    $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
+    break 2
+  fi
+done
+  done
+IFS=$as_save_IFS
+
+  ;;
+esac
+fi
+LCOV=$ac_cv_path_LCOV
+if test -n "$LCOV"; then
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: $LCOV" >&5
+$as_echo "$LCOV" >&6; }
+else
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+fi
+
+
+	if test x$LCOV = x; then
+		as_fn_error $? "lcov not found" "$LINENO" 5
+	fi
+	# Extract the first word of "genhtml", so it can be a program name with args.
+set dummy genhtml; ac_word=$2
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
+$as_echo_n "checking for $ac_word... " >&6; }
+if ${ac_cv_path_GENHTML+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  case $GENHTML in
+  [\\/]* | ?:[\\/]*)
+  ac_cv_path_GENHTML="$GENHTML" # Let the user override the test with a path.
+  ;;
+  *)
+  as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+as_dummy="$PATH:/bin:/usr/bin:/usr/local/bin"
+for as_dir in $as_dummy
+do
+  IFS=$as_save_IFS
+  test -z "$as_dir" && as_dir=.
+    for ac_exec_ext in '' $ac_executable_extensions; do
+  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
+    ac_cv_path_GENHTML="$as_dir/$ac_word$ac_exec_ext"
+    $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
+    break 2
+  fi
+done
+  done
+IFS=$as_save_IFS
+
+  ;;
+esac
+fi
+GENHTML=$ac_cv_path_GENHTML
+if test -n "$GENHTML"; then
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: $GENHTML" >&5
+$as_echo "$GENHTML" >&6; }
+else
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+fi
+
+
+	if test x$GENHTML = x; then
+		as_fn_error $? "genhtml not found" "$LINENO" 5
+	fi
+
+	COVERAGE_CFLAGS="-fprofile-arcs -ftest-coverage"
+	COVERAGE_LDFLAGS="-fprofile-arcs"
+
+
+
+	{ $as_echo "$as_me:${as_lineno-$LINENO}: coverage enabled, adding \"-g -O0\" to CFLAGS" >&5
+$as_echo "$as_me: coverage enabled, adding \"-g -O0\" to CFLAGS" >&6;}
+	CFLAGS="${CFLAGS} -g -O0"
+fi
+
 # ===============================================
 #  collect plugin list for strongSwan components
 # ===============================================
@@ -19332,6 +19713,7 @@ scripts_plugins=
 manager_plugins=
 medsrv_plugins=
 nm_plugins=
+cmd_plugins=
 
 # location specific lists for checksumming,
 # for src/libcharon, src/libhydra and src/libstrongswan
@@ -19354,6 +19736,7 @@ if test x$curl = xtrue; then
 		scepclient_plugins=${scepclient_plugins}" curl"
 		scripts_plugins=${scripts_plugins}" curl"
 		nm_plugins=${nm_plugins}" curl"
+		cmd_plugins=${cmd_plugins}" curl"
 
 	fi
 
@@ -19362,6 +19745,7 @@ if test x$soup = xtrue; then
 		charon_plugins=${charon_plugins}" soup"
 		scripts_plugins=${scripts_plugins}" soup"
 		nm_plugins=${nm_plugins}" soup"
+		cmd_plugins=${cmd_plugins}" soup"
 
 	fi
 
@@ -19378,6 +19762,7 @@ if test x$ldap = xtrue; then
 		scepclient_plugins=${scepclient_plugins}" ldap"
 		scripts_plugins=${scripts_plugins}" ldap"
 		nm_plugins=${nm_plugins}" ldap"
+		cmd_plugins=${cmd_plugins}" ldap"
 
 	fi
 
@@ -19406,6 +19791,7 @@ if test x$pkcs11 = xtrue; then
 		charon_plugins=${charon_plugins}" pkcs11"
 		pki_plugins=${pki_plugins}" pkcs11"
 		nm_plugins=${nm_plugins}" pkcs11"
+		cmd_plugins=${cmd_plugins}" pkcs11"
 
 	fi
 
@@ -19417,6 +19803,7 @@ if test x$aes = xtrue; then
 		pki_plugins=${pki_plugins}" aes"
 		scripts_plugins=${scripts_plugins}" aes"
 		nm_plugins=${nm_plugins}" aes"
+		cmd_plugins=${cmd_plugins}" aes"
 
 	fi
 
@@ -19428,6 +19815,7 @@ if test x$des = xtrue; then
 		pki_plugins=${pki_plugins}" des"
 		scripts_plugins=${scripts_plugins}" des"
 		nm_plugins=${nm_plugins}" des"
+		cmd_plugins=${cmd_plugins}" des"
 
 	fi
 
@@ -19439,6 +19827,19 @@ if test x$blowfish = xtrue; then
 		pki_plugins=${pki_plugins}" blowfish"
 		scripts_plugins=${scripts_plugins}" blowfish"
 		nm_plugins=${nm_plugins}" blowfish"
+		cmd_plugins=${cmd_plugins}" blowfish"
+
+	fi
+
+if test x$rc2 = xtrue; then
+		s_plugins=${s_plugins}" rc2"
+		charon_plugins=${charon_plugins}" rc2"
+		openac_plugins=${openac_plugins}" rc2"
+		scepclient_plugins=${scepclient_plugins}" rc2"
+		pki_plugins=${pki_plugins}" rc2"
+		scripts_plugins=${scripts_plugins}" rc2"
+		nm_plugins=${nm_plugins}" rc2"
+		cmd_plugins=${cmd_plugins}" rc2"
 
 	fi
 
@@ -19452,6 +19853,7 @@ if test x$sha1 = xtrue; then
 		medsrv_plugins=${medsrv_plugins}" sha1"
 		attest_plugins=${attest_plugins}" sha1"
 		nm_plugins=${nm_plugins}" sha1"
+		cmd_plugins=${cmd_plugins}" sha1"
 
 	fi
 
@@ -19465,6 +19867,7 @@ if test x$sha2 = xtrue; then
 		medsrv_plugins=${medsrv_plugins}" sha2"
 		attest_plugins=${attest_plugins}" sha2"
 		nm_plugins=${nm_plugins}" sha2"
+		cmd_plugins=${cmd_plugins}" sha2"
 
 	fi
 
@@ -19476,6 +19879,7 @@ if test x$md4 = xtrue; then
 		scepclient_plugins=${scepclient_plugins}" md4"
 		pki_plugins=${pki_plugins}" md4"
 		nm_plugins=${nm_plugins}" md4"
+		cmd_plugins=${cmd_plugins}" md4"
 
 	fi
 
@@ -19488,6 +19892,7 @@ if test x$md5 = xtrue; then
 		scripts_plugins=${scripts_plugins}" md5"
 		attest_plugins=${attest_plugins}" md5"
 		nm_plugins=${nm_plugins}" md5"
+		cmd_plugins=${cmd_plugins}" md5"
 
 	fi
 
@@ -19501,6 +19906,7 @@ if test x$rdrand = xtrue; then
 		medsrv_plugins=${medsrv_plugins}" rdrand"
 		attest_plugins=${attest_plugins}" rdrand"
 		nm_plugins=${nm_plugins}" rdrand"
+		cmd_plugins=${cmd_plugins}" rdrand"
 
 	fi
 
@@ -19514,6 +19920,7 @@ if test x$random = xtrue; then
 		medsrv_plugins=${medsrv_plugins}" random"
 		attest_plugins=${attest_plugins}" random"
 		nm_plugins=${nm_plugins}" random"
+		cmd_plugins=${cmd_plugins}" random"
 
 	fi
 
@@ -19521,6 +19928,7 @@ if test x$nonce = xtrue; then
 		s_plugins=${s_plugins}" nonce"
 		charon_plugins=${charon_plugins}" nonce"
 		nm_plugins=${nm_plugins}" nonce"
+		cmd_plugins=${cmd_plugins}" nonce"
 
 	fi
 
@@ -19533,6 +19941,7 @@ if test x$x509 = xtrue; then
 		scripts_plugins=${scripts_plugins}" x509"
 		attest_plugins=${attest_plugins}" x509"
 		nm_plugins=${nm_plugins}" x509"
+		cmd_plugins=${cmd_plugins}" x509"
 
 	fi
 
@@ -19540,6 +19949,7 @@ if test x$revocation = xtrue; then
 		s_plugins=${s_plugins}" revocation"
 		charon_plugins=${charon_plugins}" revocation"
 		nm_plugins=${nm_plugins}" revocation"
+		cmd_plugins=${cmd_plugins}" revocation"
 
 	fi
 
@@ -19547,12 +19957,14 @@ if test x$constraints = xtrue; then
 		s_plugins=${s_plugins}" constraints"
 		charon_plugins=${charon_plugins}" constraints"
 		nm_plugins=${nm_plugins}" constraints"
+		cmd_plugins=${cmd_plugins}" constraints"
 
 	fi
 
 if test x$pubkey = xtrue; then
 		s_plugins=${s_plugins}" pubkey"
 		charon_plugins=${charon_plugins}" pubkey"
+		cmd_plugins=${cmd_plugins}" pubkey"
 
 	fi
 
@@ -19567,13 +19979,18 @@ if test x$pkcs1 = xtrue; then
 		medsrv_plugins=${medsrv_plugins}" pkcs1"
 		attest_plugins=${attest_plugins}" pkcs1"
 		nm_plugins=${nm_plugins}" pkcs1"
+		cmd_plugins=${cmd_plugins}" pkcs1"
 
 	fi
 
 if test x$pkcs7 = xtrue; then
 		s_plugins=${s_plugins}" pkcs7"
+		charon_plugins=${charon_plugins}" pkcs7"
 		scepclient_plugins=${scepclient_plugins}" pkcs7"
 		pki_plugins=${pki_plugins}" pkcs7"
+		scripts_plugins=${scripts_plugins}" pkcs7"
+		nm_plugins=${nm_plugins}" pkcs7"
+		cmd_plugins=${cmd_plugins}" pkcs7"
 
 	fi
 
@@ -19588,6 +20005,17 @@ if test x$pkcs8 = xtrue; then
 		medsrv_plugins=${medsrv_plugins}" pkcs8"
 		attest_plugins=${attest_plugins}" pkcs8"
 		nm_plugins=${nm_plugins}" pkcs8"
+		cmd_plugins=${cmd_plugins}" pkcs8"
+
+	fi
+
+if test x$pkcs12 = xtrue; then
+		s_plugins=${s_plugins}" pkcs12"
+		charon_plugins=${charon_plugins}" pkcs12"
+		scepclient_plugins=${scepclient_plugins}" pkcs12"
+		pki_plugins=${pki_plugins}" pkcs12"
+		scripts_plugins=${scripts_plugins}" pkcs12"
+		cmd_plugins=${cmd_plugins}" pkcs12"
 
 	fi
 
@@ -19603,6 +20031,14 @@ if test x$dnskey = xtrue; then
 
 	fi
 
+if test x$sshkey = xtrue; then
+		s_plugins=${s_plugins}" sshkey"
+		charon_plugins=${charon_plugins}" sshkey"
+		nm_plugins=${nm_plugins}" sshkey"
+		cmd_plugins=${cmd_plugins}" sshkey"
+
+	fi
+
 if test x$ipseckey = xtrue; then
 		c_plugins=${c_plugins}" ipseckey"
 		charon_plugins=${charon_plugins}" ipseckey"
@@ -19620,6 +20056,7 @@ if test x$pem = xtrue; then
 		medsrv_plugins=${medsrv_plugins}" pem"
 		attest_plugins=${attest_plugins}" pem"
 		nm_plugins=${nm_plugins}" pem"
+		cmd_plugins=${cmd_plugins}" pem"
 
 	fi
 
@@ -19640,6 +20077,7 @@ if test x$openssl = xtrue; then
 		medsrv_plugins=${medsrv_plugins}" openssl"
 		attest_plugins=${attest_plugins}" openssl"
 		nm_plugins=${nm_plugins}" openssl"
+		cmd_plugins=${cmd_plugins}" openssl"
 
 	fi
 
@@ -19654,6 +20092,7 @@ if test x$gcrypt = xtrue; then
 		medsrv_plugins=${medsrv_plugins}" gcrypt"
 		attest_plugins=${attest_plugins}" gcrypt"
 		nm_plugins=${nm_plugins}" gcrypt"
+		cmd_plugins=${cmd_plugins}" gcrypt"
 
 	fi
 
@@ -19667,6 +20106,7 @@ if test x$af_alg = xtrue; then
 		medsrv_plugins=${medsrv_plugins}" af-alg"
 		attest_plugins=${attest_plugins}" af-alg"
 		nm_plugins=${nm_plugins}" af-alg"
+		cmd_plugins=${cmd_plugins}" af-alg"
 
 	fi
 
@@ -19674,6 +20114,7 @@ if test x$fips_prf = xtrue; then
 		s_plugins=${s_plugins}" fips-prf"
 		charon_plugins=${charon_plugins}" fips-prf"
 		nm_plugins=${nm_plugins}" fips-prf"
+		cmd_plugins=${cmd_plugins}" fips-prf"
 
 	fi
 
@@ -19688,6 +20129,7 @@ if test x$gmp = xtrue; then
 		medsrv_plugins=${medsrv_plugins}" gmp"
 		attest_plugins=${attest_plugins}" gmp"
 		nm_plugins=${nm_plugins}" gmp"
+		cmd_plugins=${cmd_plugins}" gmp"
 
 	fi
 
@@ -19695,6 +20137,14 @@ if test x$agent = xtrue; then
 		s_plugins=${s_plugins}" agent"
 		charon_plugins=${charon_plugins}" agent"
 		nm_plugins=${nm_plugins}" agent"
+		cmd_plugins=${cmd_plugins}" agent"
+
+	fi
+
+if test x$keychain = xtrue; then
+		s_plugins=${s_plugins}" keychain"
+		charon_plugins=${charon_plugins}" keychain"
+		cmd_plugins=${cmd_plugins}" keychain"
 
 	fi
 
@@ -19702,6 +20152,7 @@ if test x$xcbc = xtrue; then
 		s_plugins=${s_plugins}" xcbc"
 		charon_plugins=${charon_plugins}" xcbc"
 		nm_plugins=${nm_plugins}" xcbc"
+		cmd_plugins=${cmd_plugins}" xcbc"
 
 	fi
 
@@ -19709,6 +20160,7 @@ if test x$cmac = xtrue; then
 		s_plugins=${s_plugins}" cmac"
 		charon_plugins=${charon_plugins}" cmac"
 		nm_plugins=${nm_plugins}" cmac"
+		cmd_plugins=${cmd_plugins}" cmac"
 
 	fi
 
@@ -19717,6 +20169,7 @@ if test x$hmac = xtrue; then
 		charon_plugins=${charon_plugins}" hmac"
 		scripts_plugins=${scripts_plugins}" hmac"
 		nm_plugins=${nm_plugins}" hmac"
+		cmd_plugins=${cmd_plugins}" hmac"
 
 	fi
 
@@ -19725,6 +20178,7 @@ if test x$ctr = xtrue; then
 		charon_plugins=${charon_plugins}" ctr"
 		scripts_plugins=${scripts_plugins}" ctr"
 		nm_plugins=${nm_plugins}" ctr"
+		cmd_plugins=${cmd_plugins}" ctr"
 
 	fi
 
@@ -19733,6 +20187,7 @@ if test x$ccm = xtrue; then
 		charon_plugins=${charon_plugins}" ccm"
 		scripts_plugins=${scripts_plugins}" ccm"
 		nm_plugins=${nm_plugins}" ccm"
+		cmd_plugins=${cmd_plugins}" ccm"
 
 	fi
 
@@ -19741,6 +20196,7 @@ if test x$gcm = xtrue; then
 		charon_plugins=${charon_plugins}" gcm"
 		scripts_plugins=${scripts_plugins}" gcm"
 		nm_plugins=${nm_plugins}" gcm"
+		cmd_plugins=${cmd_plugins}" gcm"
 
 	fi
 
@@ -19762,11 +20218,19 @@ if test x$load_tester = xtrue; then
 
 	fi
 
+if test x$kernel_libipsec = xtrue; then
+		c_plugins=${c_plugins}" kernel-libipsec"
+		charon_plugins=${charon_plugins}" kernel-libipsec"
+		cmd_plugins=${cmd_plugins}" kernel-libipsec"
+
+	fi
+
 if test x$kernel_pfkey = xtrue; then
 		h_plugins=${h_plugins}" kernel-pfkey"
 		charon_plugins=${charon_plugins}" kernel-pfkey"
 		starter_plugins=${starter_plugins}" kernel-pfkey"
 		nm_plugins=${nm_plugins}" kernel-pfkey"
+		cmd_plugins=${cmd_plugins}" kernel-pfkey"
 
 	fi
 
@@ -19775,6 +20239,7 @@ if test x$kernel_pfroute = xtrue; then
 		charon_plugins=${charon_plugins}" kernel-pfroute"
 		starter_plugins=${starter_plugins}" kernel-pfroute"
 		nm_plugins=${nm_plugins}" kernel-pfroute"
+		cmd_plugins=${cmd_plugins}" kernel-pfroute"
 
 	fi
 
@@ -19790,12 +20255,14 @@ if test x$kernel_netlink = xtrue; then
 		charon_plugins=${charon_plugins}" kernel-netlink"
 		starter_plugins=${starter_plugins}" kernel-netlink"
 		nm_plugins=${nm_plugins}" kernel-netlink"
+		cmd_plugins=${cmd_plugins}" kernel-netlink"
 
 	fi
 
 if test x$resolve = xtrue; then
 		h_plugins=${h_plugins}" resolve"
 		charon_plugins=${charon_plugins}" resolve"
+		cmd_plugins=${cmd_plugins}" resolve"
 
 	fi
 
@@ -19803,12 +20270,14 @@ if test x$socket_default = xtrue; then
 		c_plugins=${c_plugins}" socket-default"
 		charon_plugins=${charon_plugins}" socket-default"
 		nm_plugins=${nm_plugins}" socket-default"
+		cmd_plugins=${cmd_plugins}" socket-default"
 
 	fi
 
 if test x$socket_dynamic = xtrue; then
 		c_plugins=${c_plugins}" socket-dynamic"
 		charon_plugins=${charon_plugins}" socket-dynamic"
+		cmd_plugins=${cmd_plugins}" socket-dynamic"
 
 	fi
 
@@ -19846,6 +20315,7 @@ if test x$eap_identity = xtrue; then
 		c_plugins=${c_plugins}" eap-identity"
 		charon_plugins=${charon_plugins}" eap-identity"
 		nm_plugins=${nm_plugins}" eap-identity"
+		cmd_plugins=${cmd_plugins}" eap-identity"
 
 	fi
 
@@ -19901,6 +20371,7 @@ if test x$eap_md5 = xtrue; then
 		c_plugins=${c_plugins}" eap-md5"
 		charon_plugins=${charon_plugins}" eap-md5"
 		nm_plugins=${nm_plugins}" eap-md5"
+		cmd_plugins=${cmd_plugins}" eap-md5"
 
 	fi
 
@@ -19908,6 +20379,7 @@ if test x$eap_gtc = xtrue; then
 		c_plugins=${c_plugins}" eap-gtc"
 		charon_plugins=${charon_plugins}" eap-gtc"
 		nm_plugins=${nm_plugins}" eap-gtc"
+		cmd_plugins=${cmd_plugins}" eap-gtc"
 
 	fi
 
@@ -19915,6 +20387,7 @@ if test x$eap_mschapv2 = xtrue; then
 		c_plugins=${c_plugins}" eap-mschapv2"
 		charon_plugins=${charon_plugins}" eap-mschapv2"
 		nm_plugins=${nm_plugins}" eap-mschapv2"
+		cmd_plugins=${cmd_plugins}" eap-mschapv2"
 
 	fi
 
@@ -19934,6 +20407,7 @@ if test x$eap_tls = xtrue; then
 		c_plugins=${c_plugins}" eap-tls"
 		charon_plugins=${charon_plugins}" eap-tls"
 		nm_plugins=${nm_plugins}" eap-tls"
+		cmd_plugins=${cmd_plugins}" eap-tls"
 
 	fi
 
@@ -19941,6 +20415,7 @@ if test x$eap_ttls = xtrue; then
 		c_plugins=${c_plugins}" eap-ttls"
 		charon_plugins=${charon_plugins}" eap-ttls"
 		nm_plugins=${nm_plugins}" eap-ttls"
+		cmd_plugins=${cmd_plugins}" eap-ttls"
 
 	fi
 
@@ -19948,6 +20423,7 @@ if test x$eap_peap = xtrue; then
 		c_plugins=${c_plugins}" eap-peap"
 		charon_plugins=${charon_plugins}" eap-peap"
 		nm_plugins=${nm_plugins}" eap-peap"
+		cmd_plugins=${cmd_plugins}" eap-peap"
 
 	fi
 
@@ -19960,6 +20436,7 @@ if test x$eap_tnc = xtrue; then
 if test x$xauth_generic = xtrue; then
 		c_plugins=${c_plugins}" xauth-generic"
 		charon_plugins=${charon_plugins}" xauth-generic"
+		cmd_plugins=${cmd_plugins}" xauth-generic"
 
 	fi
 
@@ -20047,6 +20524,13 @@ if test x$dhcp = xtrue; then
 
 	fi
 
+if test x$osx_attr = xtrue; then
+		c_plugins=${c_plugins}" osx-attr"
+		charon_plugins=${charon_plugins}" osx-attr"
+		cmd_plugins=${cmd_plugins}" osx-attr"
+
+	fi
+
 if test x$android_dns = xtrue; then
 		c_plugins=${c_plugins}" android-dns"
 		charon_plugins=${charon_plugins}" android-dns"
@@ -20166,6 +20650,7 @@ if test x$unit_tester = xtrue; then
 
 
 
+
 # ======================
 #  set Makefile.am vars
 # ======================
@@ -20236,6 +20721,14 @@ else
   USE_BLOWFISH_FALSE=
 fi
 
+ if test x$rc2 = xtrue; then
+  USE_RC2_TRUE=
+  USE_RC2_FALSE='#'
+else
+  USE_RC2_TRUE='#'
+  USE_RC2_FALSE=
+fi
+
  if test x$md4 = xtrue; then
   USE_MD4_TRUE=
   USE_MD4_FALSE='#'
@@ -20364,6 +20857,14 @@ else
   USE_PKCS8_FALSE=
 fi
 
+ if test x$pkcs12 = xtrue; then
+  USE_PKCS12_TRUE=
+  USE_PKCS12_FALSE='#'
+else
+  USE_PKCS12_TRUE='#'
+  USE_PKCS12_FALSE=
+fi
+
  if test x$pgp = xtrue; then
   USE_PGP_TRUE=
   USE_PGP_FALSE='#'
@@ -20380,6 +20881,14 @@ else
   USE_DNSKEY_FALSE=
 fi
 
+ if test x$sshkey = xtrue; then
+  USE_SSHKEY_TRUE=
+  USE_SSHKEY_FALSE='#'
+else
+  USE_SSHKEY_TRUE='#'
+  USE_SSHKEY_FALSE=
+fi
+
  if test x$pem = xtrue; then
   USE_PEM_TRUE=
   USE_PEM_FALSE='#'
@@ -20460,6 +20969,14 @@ else
   USE_AGENT_FALSE=
 fi
 
+ if test x$keychain = xtrue; then
+  USE_KEYCHAIN_TRUE=
+  USE_KEYCHAIN_FALSE='#'
+else
+  USE_KEYCHAIN_TRUE='#'
+  USE_KEYCHAIN_FALSE=
+fi
+
  if test x$pkcs11 = xtrue; then
   USE_PKCS11_TRUE=
   USE_PKCS11_FALSE='#'
@@ -20535,6 +21052,14 @@ else
   USE_UCI_FALSE=
 fi
 
+ if test x$osx_attr = xtrue; then
+  USE_OSX_ATTR_TRUE=
+  USE_OSX_ATTR_FALSE='#'
+else
+  USE_OSX_ATTR_TRUE='#'
+  USE_OSX_ATTR_FALSE=
+fi
+
  if test x$android_dns = xtrue; then
   USE_ANDROID_DNS_TRUE=
   USE_ANDROID_DNS_FALSE='#'
@@ -20623,6 +21148,14 @@ else
   USE_HA_FALSE=
 fi
 
+ if test x$kernel_libipsec = xtrue; then
+  USE_KERNEL_LIBIPSEC_TRUE=
+  USE_KERNEL_LIBIPSEC_FALSE='#'
+else
+  USE_KERNEL_LIBIPSEC_TRUE='#'
+  USE_KERNEL_LIBIPSEC_FALSE=
+fi
+
  if test x$whitelist = xtrue; then
   USE_WHITELIST_TRUE=
   USE_WHITELIST_FALSE='#'
@@ -21237,7 +21770,7 @@ else
   USE_CONFTEST_FALSE=
 fi
 
- if test x$charon = xtrue -o x$tools = xtrue -o x$conftest = xtrue -o x$fast = xtrue -o x$imcv = xtrue -o x$nm = xtrue -o x$tkm = xtrue; then
+ if test x$charon = xtrue -o x$tools = xtrue -o x$conftest = xtrue -o x$fast = xtrue -o x$imcv = xtrue -o x$nm = xtrue -o x$tkm = xtrue -o x$cmd = xtrue; then
   USE_LIBSTRONGSWAN_TRUE=
   USE_LIBSTRONGSWAN_FALSE='#'
 else
@@ -21245,7 +21778,7 @@ else
   USE_LIBSTRONGSWAN_FALSE=
 fi
 
- if test x$charon = xtrue -o x$nm = xtrue -o x$tkm = xtrue; then
+ if test x$charon = xtrue -o x$nm = xtrue -o x$tkm = xtrue -o x$cmd = xtrue; then
   USE_LIBHYDRA_TRUE=
   USE_LIBHYDRA_FALSE='#'
 else
@@ -21253,7 +21786,7 @@ else
   USE_LIBHYDRA_FALSE=
 fi
 
- if test x$charon = xtrue -o x$conftest = xtrue -o x$nm = xtrue -o x$tkm = xtrue; then
+ if test x$charon = xtrue -o x$conftest = xtrue -o x$nm = xtrue -o x$tkm = xtrue -o x$cmd = xtrue; then
   USE_LIBCHARON_TRUE=
   USE_LIBCHARON_FALSE='#'
 else
@@ -21381,6 +21914,14 @@ else
   MONOLITHIC_FALSE=
 fi
 
+ if test x$enable_silent_rules = xyes; then
+  USE_SILENT_RULES_TRUE=
+  USE_SILENT_RULES_FALSE='#'
+else
+  USE_SILENT_RULES_TRUE='#'
+  USE_SILENT_RULES_FALSE=
+fi
+
  if test x$unit_tests = xtrue; then
   UNITTESTS_TRUE=
   UNITTESTS_FALSE='#'
@@ -21389,6 +21930,14 @@ else
   UNITTESTS_FALSE=
 fi
 
+ if test x$coverage = xtrue; then
+  COVERAGE_TRUE=
+  COVERAGE_FALSE='#'
+else
+  COVERAGE_TRUE='#'
+  COVERAGE_FALSE=
+fi
+
  if test x$tkm = xtrue; then
   USE_TKM_TRUE=
   USE_TKM_FALSE='#'
@@ -21397,6 +21946,14 @@ else
   USE_TKM_FALSE=
 fi
 
+ if test x$cmd = xtrue; then
+  USE_CMD_TRUE=
+  USE_CMD_FALSE='#'
+else
+  USE_CMD_TRUE='#'
+  USE_CMD_FALSE=
+fi
+
 
 # ========================
 #  set global definitions
@@ -21432,7 +21989,7 @@ fi
 #  build Makefiles
 # =================
 
-ac_config_files="$ac_config_files Makefile man/Makefile init/Makefile init/systemd/Makefile src/Makefile src/include/Makefile src/libstrongswan/Makefile src/libstrongswan/plugins/aes/Makefile src/libstrongswan/plugins/cmac/Makefile src/libstrongswan/plugins/des/Makefile src/libstrongswan/plugins/blowfish/Makefile src/libstrongswan/plugins/md4/Makefile src/libstrongswan/plugins/md5/Makefile src/libstrongswan/plugins/sha1/Makefile src/libstrongswan/plugins/sha2/Makefile src/libstrongswan/plugins/fips_prf/Makefile src/libstrongswan/plugins/gmp/Makefile src/libstrongswan/plugins/rdrand/Makefile src/libstrongswan/plugins/random/Makefile src/libstrongswan/plugins/nonce/Makefile src/libstrongswan/plugins/hmac/Makefile src/libstrongswan/plugins/xcbc/Makefile src/libstrongswan/plugins/x509/Makefile src/libstrongswan/plugins/revocation/Makefile src/libstrongswan/plugins/constraints/Makefile src/libstrongswan/plugins/pubkey/Makefile src/libstrongswan/plugins/pkcs1/Makefile src/libstrongswan/plugins/pkcs7/Makefile src/libstrongswan/plugins/pkcs8/Makefile src/libstrongswan/plugins/pgp/Makefile src/libstrongswan/plugins/dnskey/Makefile src/libstrongswan/plugins/pem/Makefile src/libstrongswan/plugins/curl/Makefile src/libstrongswan/plugins/unbound/Makefile src/libstrongswan/plugins/soup/Makefile src/libstrongswan/plugins/ldap/Makefile src/libstrongswan/plugins/mysql/Makefile src/libstrongswan/plugins/sqlite/Makefile src/libstrongswan/plugins/padlock/Makefile src/libstrongswan/plugins/openssl/Makefile src/libstrongswan/plugins/gcrypt/Makefile src/libstrongswan/plugins/agent/Makefile src/libstrongswan/plugins/pkcs11/Makefile src/libstrongswan/plugins/ctr/Makefile src/libstrongswan/plugins/ccm/Makefile src/libstrongswan/plugins/gcm/Makefile src/libstrongswan/plugins/af_alg/Makefile src/libstrongswan/plugins/test_vectors/Makefile src/libhydra/Makefile src/libhydra/plugins/attr/Makefile src/libhydra/plugins/attr_sql/Makefile src/libhydra/plugins/kernel_klips/Makefile src/libhydra/plugins/kernel_netlink/Makefile src/libhydra/plugins/kernel_pfkey/Makefile src/libhydra/plugins/kernel_pfroute/Makefile src/libhydra/plugins/resolve/Makefile src/libipsec/Makefile src/libsimaka/Makefile src/libtls/Makefile src/libradius/Makefile src/libtncif/Makefile src/libtnccs/Makefile src/libpttls/Makefile src/libpts/Makefile src/libpts/plugins/imc_attestation/Makefile src/libpts/plugins/imv_attestation/Makefile src/libimcv/Makefile src/libimcv/plugins/imc_test/Makefile src/libimcv/plugins/imv_test/Makefile src/libimcv/plugins/imc_scanner/Makefile src/libimcv/plugins/imv_scanner/Makefile src/libimcv/plugins/imc_os/Makefile src/libimcv/plugins/imv_os/Makefile src/charon/Makefile src/charon-nm/Makefile src/charon-tkm/Makefile src/libcharon/Makefile src/libcharon/plugins/eap_aka/Makefile src/libcharon/plugins/eap_aka_3gpp2/Makefile src/libcharon/plugins/eap_dynamic/Makefile src/libcharon/plugins/eap_identity/Makefile src/libcharon/plugins/eap_md5/Makefile src/libcharon/plugins/eap_gtc/Makefile src/libcharon/plugins/eap_sim/Makefile src/libcharon/plugins/eap_sim_file/Makefile src/libcharon/plugins/eap_sim_pcsc/Makefile src/libcharon/plugins/eap_simaka_sql/Makefile src/libcharon/plugins/eap_simaka_pseudonym/Makefile src/libcharon/plugins/eap_simaka_reauth/Makefile src/libcharon/plugins/eap_mschapv2/Makefile src/libcharon/plugins/eap_tls/Makefile src/libcharon/plugins/eap_ttls/Makefile src/libcharon/plugins/eap_peap/Makefile src/libcharon/plugins/eap_tnc/Makefile src/libcharon/plugins/eap_radius/Makefile src/libcharon/plugins/xauth_generic/Makefile src/libcharon/plugins/xauth_eap/Makefile src/libcharon/plugins/xauth_pam/Makefile src/libcharon/plugins/xauth_noauth/Makefile src/libcharon/plugins/tnc_ifmap/Makefile src/libcharon/plugins/tnc_pdp/Makefile src/libcharon/plugins/tnc_imc/Makefile src/libcharon/plugins/tnc_imv/Makefile src/libcharon/plugins/tnc_tnccs/Makefile src/libcharon/plugins/tnccs_11/Makefile src/libcharon/plugins/tnccs_20/Makefile src/libcharon/plugins/tnccs_dynamic/Makefile src/libcharon/plugins/socket_default/Makefile src/libcharon/plugins/socket_dynamic/Makefile src/libcharon/plugins/farp/Makefile src/libcharon/plugins/smp/Makefile src/libcharon/plugins/sql/Makefile src/libcharon/plugins/ipseckey/Makefile src/libcharon/plugins/medsrv/Makefile src/libcharon/plugins/medcli/Makefile src/libcharon/plugins/addrblock/Makefile src/libcharon/plugins/unity/Makefile src/libcharon/plugins/uci/Makefile src/libcharon/plugins/ha/Makefile src/libcharon/plugins/whitelist/Makefile src/libcharon/plugins/lookip/Makefile src/libcharon/plugins/error_notify/Makefile src/libcharon/plugins/certexpire/Makefile src/libcharon/plugins/systime_fix/Makefile src/libcharon/plugins/led/Makefile src/libcharon/plugins/duplicheck/Makefile src/libcharon/plugins/coupling/Makefile src/libcharon/plugins/radattr/Makefile src/libcharon/plugins/android_dns/Makefile src/libcharon/plugins/android_log/Makefile src/libcharon/plugins/maemo/Makefile src/libcharon/plugins/stroke/Makefile src/libcharon/plugins/updown/Makefile src/libcharon/plugins/dhcp/Makefile src/libcharon/plugins/unit_tester/Makefile src/libcharon/plugins/load_tester/Makefile src/stroke/Makefile src/ipsec/Makefile src/starter/Makefile src/_updown/Makefile src/_updown_espmark/Makefile src/_copyright/Makefile src/openac/Makefile src/scepclient/Makefile src/pki/Makefile src/dumm/Makefile src/dumm/ext/extconf.rb src/libfast/Makefile src/manager/Makefile src/medsrv/Makefile src/checksum/Makefile src/conftest/Makefile scripts/Makefile testing/Makefile"
+ac_config_files="$ac_config_files Makefile man/Makefile init/Makefile init/systemd/Makefile src/Makefile src/include/Makefile src/libstrongswan/Makefile src/libstrongswan/plugins/aes/Makefile src/libstrongswan/plugins/cmac/Makefile src/libstrongswan/plugins/des/Makefile src/libstrongswan/plugins/blowfish/Makefile src/libstrongswan/plugins/rc2/Makefile src/libstrongswan/plugins/md4/Makefile src/libstrongswan/plugins/md5/Makefile src/libstrongswan/plugins/sha1/Makefile src/libstrongswan/plugins/sha2/Makefile src/libstrongswan/plugins/fips_prf/Makefile src/libstrongswan/plugins/gmp/Makefile src/libstrongswan/plugins/rdrand/Makefile src/libstrongswan/plugins/random/Makefile src/libstrongswan/plugins/nonce/Makefile src/libstrongswan/plugins/hmac/Makefile src/libstrongswan/plugins/xcbc/Makefile src/libstrongswan/plugins/x509/Makefile src/libstrongswan/plugins/revocation/Makefile src/libstrongswan/plugins/constraints/Makefile src/libstrongswan/plugins/pubkey/Makefile src/libstrongswan/plugins/pkcs1/Makefile src/libstrongswan/plugins/pkcs7/Makefile src/libstrongswan/plugins/pkcs8/Makefile src/libstrongswan/plugins/pkcs12/Makefile src/libstrongswan/plugins/pgp/Makefile src/libstrongswan/plugins/dnskey/Makefile src/libstrongswan/plugins/sshkey/Makefile src/libstrongswan/plugins/pem/Makefile src/libstrongswan/plugins/curl/Makefile src/libstrongswan/plugins/unbound/Makefile src/libstrongswan/plugins/soup/Makefile src/libstrongswan/plugins/ldap/Makefile src/libstrongswan/plugins/mysql/Makefile src/libstrongswan/plugins/sqlite/Makefile src/libstrongswan/plugins/padlock/Makefile src/libstrongswan/plugins/openssl/Makefile src/libstrongswan/plugins/gcrypt/Makefile src/libstrongswan/plugins/agent/Makefile src/libstrongswan/plugins/keychain/Makefile src/libstrongswan/plugins/pkcs11/Makefile src/libstrongswan/plugins/ctr/Makefile src/libstrongswan/plugins/ccm/Makefile src/libstrongswan/plugins/gcm/Makefile src/libstrongswan/plugins/af_alg/Makefile src/libstrongswan/plugins/test_vectors/Makefile src/libstrongswan/tests/Makefile src/libhydra/Makefile src/libhydra/plugins/attr/Makefile src/libhydra/plugins/attr_sql/Makefile src/libhydra/plugins/kernel_klips/Makefile src/libhydra/plugins/kernel_netlink/Makefile src/libhydra/plugins/kernel_pfkey/Makefile src/libhydra/plugins/kernel_pfroute/Makefile src/libhydra/plugins/resolve/Makefile src/libipsec/Makefile src/libsimaka/Makefile src/libtls/Makefile src/libradius/Makefile src/libtncif/Makefile src/libtnccs/Makefile src/libpttls/Makefile src/libpts/Makefile src/libpts/plugins/imc_attestation/Makefile src/libpts/plugins/imv_attestation/Makefile src/libimcv/Makefile src/libimcv/plugins/imc_test/Makefile src/libimcv/plugins/imv_test/Makefile src/libimcv/plugins/imc_scanner/Makefile src/libimcv/plugins/imv_scanner/Makefile src/libimcv/plugins/imc_os/Makefile src/libimcv/plugins/imv_os/Makefile src/charon/Makefile src/charon-nm/Makefile src/charon-tkm/Makefile src/charon-cmd/Makefile src/libcharon/Makefile src/libcharon/plugins/eap_aka/Makefile src/libcharon/plugins/eap_aka_3gpp2/Makefile src/libcharon/plugins/eap_dynamic/Makefile src/libcharon/plugins/eap_identity/Makefile src/libcharon/plugins/eap_md5/Makefile src/libcharon/plugins/eap_gtc/Makefile src/libcharon/plugins/eap_sim/Makefile src/libcharon/plugins/eap_sim_file/Makefile src/libcharon/plugins/eap_sim_pcsc/Makefile src/libcharon/plugins/eap_simaka_sql/Makefile src/libcharon/plugins/eap_simaka_pseudonym/Makefile src/libcharon/plugins/eap_simaka_reauth/Makefile src/libcharon/plugins/eap_mschapv2/Makefile src/libcharon/plugins/eap_tls/Makefile src/libcharon/plugins/eap_ttls/Makefile src/libcharon/plugins/eap_peap/Makefile src/libcharon/plugins/eap_tnc/Makefile src/libcharon/plugins/eap_radius/Makefile src/libcharon/plugins/xauth_generic/Makefile src/libcharon/plugins/xauth_eap/Makefile src/libcharon/plugins/xauth_pam/Makefile src/libcharon/plugins/xauth_noauth/Makefile src/libcharon/plugins/tnc_ifmap/Makefile src/libcharon/plugins/tnc_pdp/Makefile src/libcharon/plugins/tnc_imc/Makefile src/libcharon/plugins/tnc_imv/Makefile src/libcharon/plugins/tnc_tnccs/Makefile src/libcharon/plugins/tnccs_11/Makefile src/libcharon/plugins/tnccs_20/Makefile src/libcharon/plugins/tnccs_dynamic/Makefile src/libcharon/plugins/socket_default/Makefile src/libcharon/plugins/socket_dynamic/Makefile src/libcharon/plugins/farp/Makefile src/libcharon/plugins/smp/Makefile src/libcharon/plugins/sql/Makefile src/libcharon/plugins/ipseckey/Makefile src/libcharon/plugins/medsrv/Makefile src/libcharon/plugins/medcli/Makefile src/libcharon/plugins/addrblock/Makefile src/libcharon/plugins/unity/Makefile src/libcharon/plugins/uci/Makefile src/libcharon/plugins/ha/Makefile src/libcharon/plugins/kernel_libipsec/Makefile src/libcharon/plugins/whitelist/Makefile src/libcharon/plugins/lookip/Makefile src/libcharon/plugins/error_notify/Makefile src/libcharon/plugins/certexpire/Makefile src/libcharon/plugins/systime_fix/Makefile src/libcharon/plugins/led/Makefile src/libcharon/plugins/duplicheck/Makefile src/libcharon/plugins/coupling/Makefile src/libcharon/plugins/radattr/Makefile src/libcharon/plugins/osx_attr/Makefile src/libcharon/plugins/android_dns/Makefile src/libcharon/plugins/android_log/Makefile src/libcharon/plugins/maemo/Makefile src/libcharon/plugins/stroke/Makefile src/libcharon/plugins/updown/Makefile src/libcharon/plugins/dhcp/Makefile src/libcharon/plugins/unit_tester/Makefile src/libcharon/plugins/load_tester/Makefile src/stroke/Makefile src/ipsec/Makefile src/starter/Makefile src/_updown/Makefile src/_updown_espmark/Makefile src/_copyright/Makefile src/openac/Makefile src/scepclient/Makefile src/pki/Makefile src/dumm/Makefile src/dumm/ext/extconf.rb src/libfast/Makefile src/manager/Makefile src/medsrv/Makefile src/checksum/Makefile src/conftest/Makefile scripts/Makefile testing/Makefile"
 
 cat >confcache <<\_ACEOF
 # This file is a shell script that caches the results of configure
@@ -21600,6 +22157,10 @@ if test -z "${USE_BLOWFISH_TRUE}" && test -z "${USE_BLOWFISH_FALSE}"; then
   as_fn_error $? "conditional \"USE_BLOWFISH\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
+if test -z "${USE_RC2_TRUE}" && test -z "${USE_RC2_FALSE}"; then
+  as_fn_error $? "conditional \"USE_RC2\" was never defined.
+Usually this means the macro was only invoked conditionally." "$LINENO" 5
+fi
 if test -z "${USE_MD4_TRUE}" && test -z "${USE_MD4_FALSE}"; then
   as_fn_error $? "conditional \"USE_MD4\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
@@ -21664,6 +22225,10 @@ if test -z "${USE_PKCS8_TRUE}" && test -z "${USE_PKCS8_FALSE}"; then
   as_fn_error $? "conditional \"USE_PKCS8\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
+if test -z "${USE_PKCS12_TRUE}" && test -z "${USE_PKCS12_FALSE}"; then
+  as_fn_error $? "conditional \"USE_PKCS12\" was never defined.
+Usually this means the macro was only invoked conditionally." "$LINENO" 5
+fi
 if test -z "${USE_PGP_TRUE}" && test -z "${USE_PGP_FALSE}"; then
   as_fn_error $? "conditional \"USE_PGP\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
@@ -21672,6 +22237,10 @@ if test -z "${USE_DNSKEY_TRUE}" && test -z "${USE_DNSKEY_FALSE}"; then
   as_fn_error $? "conditional \"USE_DNSKEY\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
+if test -z "${USE_SSHKEY_TRUE}" && test -z "${USE_SSHKEY_FALSE}"; then
+  as_fn_error $? "conditional \"USE_SSHKEY\" was never defined.
+Usually this means the macro was only invoked conditionally." "$LINENO" 5
+fi
 if test -z "${USE_PEM_TRUE}" && test -z "${USE_PEM_FALSE}"; then
   as_fn_error $? "conditional \"USE_PEM\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
@@ -21712,6 +22281,10 @@ if test -z "${USE_AGENT_TRUE}" && test -z "${USE_AGENT_FALSE}"; then
   as_fn_error $? "conditional \"USE_AGENT\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
+if test -z "${USE_KEYCHAIN_TRUE}" && test -z "${USE_KEYCHAIN_FALSE}"; then
+  as_fn_error $? "conditional \"USE_KEYCHAIN\" was never defined.
+Usually this means the macro was only invoked conditionally." "$LINENO" 5
+fi
 if test -z "${USE_PKCS11_TRUE}" && test -z "${USE_PKCS11_FALSE}"; then
   as_fn_error $? "conditional \"USE_PKCS11\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
@@ -21748,6 +22321,10 @@ if test -z "${USE_UCI_TRUE}" && test -z "${USE_UCI_FALSE}"; then
   as_fn_error $? "conditional \"USE_UCI\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
+if test -z "${USE_OSX_ATTR_TRUE}" && test -z "${USE_OSX_ATTR_FALSE}"; then
+  as_fn_error $? "conditional \"USE_OSX_ATTR\" was never defined.
+Usually this means the macro was only invoked conditionally." "$LINENO" 5
+fi
 if test -z "${USE_ANDROID_DNS_TRUE}" && test -z "${USE_ANDROID_DNS_FALSE}"; then
   as_fn_error $? "conditional \"USE_ANDROID_DNS\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
@@ -21792,6 +22369,10 @@ if test -z "${USE_HA_TRUE}" && test -z "${USE_HA_FALSE}"; then
   as_fn_error $? "conditional \"USE_HA\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
+if test -z "${USE_KERNEL_LIBIPSEC_TRUE}" && test -z "${USE_KERNEL_LIBIPSEC_FALSE}"; then
+  as_fn_error $? "conditional \"USE_KERNEL_LIBIPSEC\" was never defined.
+Usually this means the macro was only invoked conditionally." "$LINENO" 5
+fi
 if test -z "${USE_WHITELIST_TRUE}" && test -z "${USE_WHITELIST_FALSE}"; then
   as_fn_error $? "conditional \"USE_WHITELIST\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
@@ -22168,14 +22749,26 @@ if test -z "${MONOLITHIC_TRUE}" && test -z "${MONOLITHIC_FALSE}"; then
   as_fn_error $? "conditional \"MONOLITHIC\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
+if test -z "${USE_SILENT_RULES_TRUE}" && test -z "${USE_SILENT_RULES_FALSE}"; then
+  as_fn_error $? "conditional \"USE_SILENT_RULES\" was never defined.
+Usually this means the macro was only invoked conditionally." "$LINENO" 5
+fi
 if test -z "${UNITTESTS_TRUE}" && test -z "${UNITTESTS_FALSE}"; then
   as_fn_error $? "conditional \"UNITTESTS\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
+if test -z "${COVERAGE_TRUE}" && test -z "${COVERAGE_FALSE}"; then
+  as_fn_error $? "conditional \"COVERAGE\" was never defined.
+Usually this means the macro was only invoked conditionally." "$LINENO" 5
+fi
 if test -z "${USE_TKM_TRUE}" && test -z "${USE_TKM_FALSE}"; then
   as_fn_error $? "conditional \"USE_TKM\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
+if test -z "${USE_CMD_TRUE}" && test -z "${USE_CMD_FALSE}"; then
+  as_fn_error $? "conditional \"USE_CMD\" was never defined.
+Usually this means the macro was only invoked conditionally." "$LINENO" 5
+fi
 
 : "${CONFIG_STATUS=./config.status}"
 ac_write_fail=0
@@ -22573,7 +23166,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
 # report actual input values of CONFIG_FILES etc. instead of their
 # values after options handling.
 ac_log="
-This file was extended by strongSwan $as_me 5.0.4, which was
+This file was extended by strongSwan $as_me 5.1.0, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   CONFIG_FILES    = $CONFIG_FILES
@@ -22639,7 +23232,7 @@ _ACEOF
 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
 ac_cs_version="\\
-strongSwan config.status 5.0.4
+strongSwan config.status 5.1.0
 configured by $0, generated by GNU Autoconf 2.69,
   with options \\"\$ac_cs_config\\"
 
@@ -23059,6 +23652,7 @@ do
     "src/libstrongswan/plugins/cmac/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/cmac/Makefile" ;;
     "src/libstrongswan/plugins/des/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/des/Makefile" ;;
     "src/libstrongswan/plugins/blowfish/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/blowfish/Makefile" ;;
+    "src/libstrongswan/plugins/rc2/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/rc2/Makefile" ;;
     "src/libstrongswan/plugins/md4/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/md4/Makefile" ;;
     "src/libstrongswan/plugins/md5/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/md5/Makefile" ;;
     "src/libstrongswan/plugins/sha1/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/sha1/Makefile" ;;
@@ -23077,8 +23671,10 @@ do
     "src/libstrongswan/plugins/pkcs1/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/pkcs1/Makefile" ;;
     "src/libstrongswan/plugins/pkcs7/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/pkcs7/Makefile" ;;
     "src/libstrongswan/plugins/pkcs8/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/pkcs8/Makefile" ;;
+    "src/libstrongswan/plugins/pkcs12/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/pkcs12/Makefile" ;;
     "src/libstrongswan/plugins/pgp/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/pgp/Makefile" ;;
     "src/libstrongswan/plugins/dnskey/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/dnskey/Makefile" ;;
+    "src/libstrongswan/plugins/sshkey/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/sshkey/Makefile" ;;
     "src/libstrongswan/plugins/pem/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/pem/Makefile" ;;
     "src/libstrongswan/plugins/curl/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/curl/Makefile" ;;
     "src/libstrongswan/plugins/unbound/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/unbound/Makefile" ;;
@@ -23090,12 +23686,14 @@ do
     "src/libstrongswan/plugins/openssl/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/openssl/Makefile" ;;
     "src/libstrongswan/plugins/gcrypt/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/gcrypt/Makefile" ;;
     "src/libstrongswan/plugins/agent/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/agent/Makefile" ;;
+    "src/libstrongswan/plugins/keychain/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/keychain/Makefile" ;;
     "src/libstrongswan/plugins/pkcs11/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/pkcs11/Makefile" ;;
     "src/libstrongswan/plugins/ctr/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/ctr/Makefile" ;;
     "src/libstrongswan/plugins/ccm/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/ccm/Makefile" ;;
     "src/libstrongswan/plugins/gcm/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/gcm/Makefile" ;;
     "src/libstrongswan/plugins/af_alg/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/af_alg/Makefile" ;;
     "src/libstrongswan/plugins/test_vectors/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/test_vectors/Makefile" ;;
+    "src/libstrongswan/tests/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/tests/Makefile" ;;
     "src/libhydra/Makefile") CONFIG_FILES="$CONFIG_FILES src/libhydra/Makefile" ;;
     "src/libhydra/plugins/attr/Makefile") CONFIG_FILES="$CONFIG_FILES src/libhydra/plugins/attr/Makefile" ;;
     "src/libhydra/plugins/attr_sql/Makefile") CONFIG_FILES="$CONFIG_FILES src/libhydra/plugins/attr_sql/Makefile" ;;
@@ -23124,6 +23722,7 @@ do
     "src/charon/Makefile") CONFIG_FILES="$CONFIG_FILES src/charon/Makefile" ;;
     "src/charon-nm/Makefile") CONFIG_FILES="$CONFIG_FILES src/charon-nm/Makefile" ;;
     "src/charon-tkm/Makefile") CONFIG_FILES="$CONFIG_FILES src/charon-tkm/Makefile" ;;
+    "src/charon-cmd/Makefile") CONFIG_FILES="$CONFIG_FILES src/charon-cmd/Makefile" ;;
     "src/libcharon/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/Makefile" ;;
     "src/libcharon/plugins/eap_aka/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/eap_aka/Makefile" ;;
     "src/libcharon/plugins/eap_aka_3gpp2/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/eap_aka_3gpp2/Makefile" ;;
@@ -23167,6 +23766,7 @@ do
     "src/libcharon/plugins/unity/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/unity/Makefile" ;;
     "src/libcharon/plugins/uci/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/uci/Makefile" ;;
     "src/libcharon/plugins/ha/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/ha/Makefile" ;;
+    "src/libcharon/plugins/kernel_libipsec/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/kernel_libipsec/Makefile" ;;
     "src/libcharon/plugins/whitelist/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/whitelist/Makefile" ;;
     "src/libcharon/plugins/lookip/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/lookip/Makefile" ;;
     "src/libcharon/plugins/error_notify/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/error_notify/Makefile" ;;
@@ -23176,6 +23776,7 @@ do
     "src/libcharon/plugins/duplicheck/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/duplicheck/Makefile" ;;
     "src/libcharon/plugins/coupling/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/coupling/Makefile" ;;
     "src/libcharon/plugins/radattr/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/radattr/Makefile" ;;
+    "src/libcharon/plugins/osx_attr/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/osx_attr/Makefile" ;;
     "src/libcharon/plugins/android_dns/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/android_dns/Makefile" ;;
     "src/libcharon/plugins/android_log/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/android_log/Makefile" ;;
     "src/libcharon/plugins/maemo/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/maemo/Makefile" ;;
diff --git a/configure.ac b/configure.ac
new file mode 100644
index 000000000..a2be84495
--- /dev/null
+++ b/configure.ac
@@ -0,0 +1,1486 @@
+#
+# Copyright (C) 2007-2013 Tobias Brunner
+# Copyright (C) 2006-2013 Andreas Steffen
+# Copyright (C) 2006-2013 Martin Willi
+# Hochschule fuer Technik Rapperswil
+#
+# This program is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 2 of the License, or (at your
+# option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+# or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+# for more details.
+#
+
+# ============================
+#  initialize & set some vars
+# ============================
+
+AC_INIT([strongSwan],[5.1.0])
+AM_INIT_AUTOMAKE(tar-ustar)
+m4_ifdef([AM_SILENT_RULES], [AM_SILENT_RULES])
+AC_CONFIG_MACRO_DIR([m4/config])
+AC_CONFIG_HEADERS([config.h])
+AC_DEFINE([CONFIG_H_INCLUDED], [], [defined if config.h included])
+PKG_PROG_PKG_CONFIG
+
+# =================================
+#  check --enable-xxx & --with-xxx
+# =================================
+
+m4_include(m4/macros/with.m4)
+
+ARG_WITH_SUBST([random-device],      [/dev/random], [set the device to read real random data from])
+ARG_WITH_SUBST([urandom-device],     [/dev/urandom], [set the device to read pseudo random data from])
+ARG_WITH_SUBST([strongswan-conf],    [${sysconfdir}/strongswan.conf], [set the strongswan.conf file location])
+ARG_WITH_SUBST([resolv-conf],        [${sysconfdir}/resolv.conf], [set the file to use in DNS handler plugin])
+ARG_WITH_SUBST([piddir],             [/var/run], [set path for PID and UNIX socket files])
+ARG_WITH_SUBST([ipsecdir],           [${libexecdir%/}/ipsec], [set installation path for ipsec tools])
+ARG_WITH_SUBST([ipseclibdir],        [${libdir%/}/ipsec], [set installation path for ipsec libraries])
+ARG_WITH_SUBST([plugindir],          [${ipseclibdir%/}/plugins], [set the installation path of plugins])
+ARG_WITH_SUBST([imcvdir],            [${ipseclibdir%/}/imcvs], [set the installation path of IMC and IMV dynamic librariers])
+ARG_WITH_SUBST([nm-ca-dir],          [/usr/share/ca-certificates], [directory the NM backend uses to look up trusted root certificates])
+ARG_WITH_SUBST([linux-headers],      [\${top_srcdir}/src/include], [set directory of linux header files to use])
+ARG_WITH_SUBST([routing-table],      [220], [set routing table to use for IPsec routes])
+ARG_WITH_SUBST([routing-table-prio], [220], [set priority for IPsec routing table])
+ARG_WITH_SUBST([ipsec-script],       [ipsec], [change the name of the ipsec script])
+ARG_WITH_SUBST([fips-mode],          [0], [set openssl FIPS mode: disabled(0), enabled(1), Suite B enabled(2)])
+
+ARG_WITH_SET([tss],                  [no], [set implementation of the Trusted Computing Group's Software Stack (TSS). Currently the only supported value is "trousers"])
+ARG_WITH_SET([capabilities],         [no], [set capability dropping library. Currently supported values are "libcap" and "native"])
+ARG_WITH_SET([mpz_powm_sec],         [yes], [use the more side-channel resistant mpz_powm_sec in libgmp, if available])
+ARG_WITH_SET([dev-headers],          [no], [install strongSwan development headers to directory.])
+
+if test -n "$PKG_CONFIG"; then
+	systemdsystemunitdir_default=$($PKG_CONFIG --variable=systemdsystemunitdir systemd)
+fi
+ARG_WITH_SET([systemdsystemunitdir], [$systemdsystemunitdir_default], [directory for systemd service files])
+AM_CONDITIONAL(HAVE_SYSTEMD, [test -n "$systemdsystemunitdir" -a "x$systemdsystemunitdir" != xno])
+AC_SUBST(systemdsystemunitdir)
+
+AC_ARG_WITH(
+	[user],
+	AS_HELP_STRING([--with-user=user],[change user of the daemons to "user" after startup (default is "root").]),
+	[AC_DEFINE_UNQUOTED([IPSEC_USER], "$withval", [username to run daemon with])
+	 AC_SUBST(ipsecuser, "$withval")],
+	[AC_SUBST(ipsecuser, "root")]
+)
+
+AC_ARG_WITH(
+	[group],
+	AS_HELP_STRING([--with-group=group],[change group of the daemons to "group" after startup (default is "root").]),
+	[AC_DEFINE_UNQUOTED(IPSEC_GROUP, "$withval", [groupname to run daemon with])
+	 AC_SUBST(ipsecgroup, "$withval")],
+	[AC_SUBST(ipsecgroup, "root")]
+)
+
+AC_ARG_WITH(
+	[charon-udp-port],
+	AS_HELP_STRING([--with-charon-udp-port=port],[UDP port used by charon locally (default 500). Set to 0 to allocate randomly.]),
+	[AC_DEFINE_UNQUOTED(CHARON_UDP_PORT, [$withval], [UDP port used by charon locally])
+	 AC_SUBST(charon_udp_port, [$withval])],
+	[AC_SUBST(charon_udp_port, 500)]
+)
+
+AC_ARG_WITH(
+	[charon-natt-port],
+	AS_HELP_STRING([--with-charon-natt-port=port],[UDP port used by charon locally in case a NAT is detected (must be different from charon-udp-port, default 4500). Set to 0 to allocate randomly.]),
+	[AC_DEFINE_UNQUOTED(CHARON_NATT_PORT, [$withval], [UDP post used by charon locally in case a NAT is detected])
+	 AC_SUBST(charon_natt_port, [$withval])],
+	[AC_SUBST(charon_natt_port, 4500)]
+)
+
+AC_MSG_CHECKING([configured UDP ports ($charon_udp_port, $charon_natt_port)])
+if test x$charon_udp_port != x0 -a x$charon_udp_port = x$charon_natt_port; then
+	AC_MSG_ERROR(the ports have to be different)
+else
+	AC_MSG_RESULT(ok)
+fi
+
+# convert script name to uppercase
+AC_SUBST(ipsec_script_upper, [`echo -n "$ipsec_script" | tr a-z A-Z`])
+
+m4_include(m4/macros/enable-disable.m4)
+
+ARG_ENABL_SET([curl],           [enable CURL fetcher plugin to fetch files via libcurl. Requires libcurl.])
+ARG_ENABL_SET([unbound],        [enable UNBOUND resolver plugin to perform DNS queries via libunbound. Requires libldns and libunbound.])
+ARG_ENABL_SET([soup],           [enable soup fetcher plugin to fetch from HTTP via libsoup. Requires libsoup.])
+ARG_ENABL_SET([ldap],           [enable LDAP fetching plugin to fetch files via libldap. Requires openLDAP.])
+ARG_DISBL_SET([aes],            [disable AES software implementation plugin.])
+ARG_DISBL_SET([des],            [disable DES/3DES software implementation plugin.])
+ARG_ENABL_SET([blowfish],       [enable Blowfish software implementation plugin.])
+ARG_DISBL_SET([rc2],            [disable RC2 software implementation plugin.])
+ARG_ENABL_SET([md4],            [enable MD4 software implementation plugin.])
+ARG_DISBL_SET([md5],            [disable MD5 software implementation plugin.])
+ARG_DISBL_SET([sha1],           [disable SHA1 software implementation plugin.])
+ARG_DISBL_SET([sha2],           [disable SHA256/SHA384/SHA512 software implementation plugin.])
+ARG_DISBL_SET([fips-prf],       [disable FIPS PRF software implementation plugin.])
+ARG_DISBL_SET([gmp],            [disable GNU MP (libgmp) based crypto implementation plugin.])
+ARG_ENABL_SET([rdrand],         [enable Intel RDRAND random generator plugin.])
+ARG_DISBL_SET([random],         [disable RNG implementation on top of /dev/(u)random.])
+ARG_DISBL_SET([nonce],          [disable nonce generation plugin.])
+ARG_DISBL_SET([x509],           [disable X509 certificate implementation plugin.])
+ARG_DISBL_SET([revocation],     [disable X509 CRL/OCSP revocation check plugin.])
+ARG_DISBL_SET([constraints],    [disable advanced X509 constraint checking plugin.])
+ARG_DISBL_SET([pubkey],         [disable RAW public key support plugin.])
+ARG_DISBL_SET([pkcs1],          [disable PKCS1 key decoding plugin.])
+ARG_DISBL_SET([pkcs7],          [disable PKCS7 container support plugin.])
+ARG_DISBL_SET([pkcs8],          [disable PKCS8 private key decoding plugin.])
+ARG_DISBL_SET([pkcs12],         [disable PKCS12 container support plugin.])
+ARG_DISBL_SET([pgp],            [disable PGP key decoding plugin.])
+ARG_DISBL_SET([dnskey],         [disable DNS RR key decoding plugin.])
+ARG_DISBL_SET([sshkey],         [disable SSH key decoding plugin.])
+ARG_ENABL_SET([ipseckey],       [enable IPSECKEY authentication plugin.])
+ARG_DISBL_SET([pem],            [disable PEM decoding plugin.])
+ARG_DISBL_SET([hmac],           [disable HMAC crypto implementation plugin.])
+ARG_DISBL_SET([cmac],           [disable CMAC crypto implementation plugin.])
+ARG_DISBL_SET([xcbc],           [disable xcbc crypto implementation plugin.])
+ARG_ENABL_SET([af-alg],         [enable AF_ALG crypto interface to Linux Crypto API.])
+ARG_ENABL_SET([test-vectors],   [enable plugin providing crypto test vectors.])
+ARG_ENABL_SET([mysql],          [enable MySQL database support. Requires libmysqlclient_r.])
+ARG_ENABL_SET([sqlite],         [enable SQLite database support. Requires libsqlite3.])
+ARG_DISBL_SET([stroke],         [disable charons stroke configuration backend.])
+ARG_ENABL_SET([medsrv],         [enable mediation server web frontend and daemon plugin.])
+ARG_ENABL_SET([medcli],         [enable mediation client configuration database plugin.])
+ARG_ENABL_SET([smp],            [enable SMP configuration and control interface. Requires libxml.])
+ARG_ENABL_SET([sql],            [enable SQL database configuration backend.])
+ARG_ENABL_SET([leak-detective], [enable malloc hooks to find memory leaks.])
+ARG_ENABL_SET([lock-profiler],  [enable lock/mutex profiling code.])
+ARG_ENABL_SET([unit-tester],    [enable unit tests on IKEv2 daemon startup.])
+ARG_ENABL_SET([load-tester],    [enable load testing plugin for IKEv2 daemon.])
+ARG_ENABL_SET([eap-sim],        [enable SIM authentication module for EAP.])
+ARG_ENABL_SET([eap-sim-file],   [enable EAP-SIM backend based on a triplet file.])
+ARG_ENABL_SET([eap-sim-pcsc],   [enable EAP-SIM backend based on a smartcard reader. Requires libpcsclite.])
+ARG_ENABL_SET([eap-aka],        [enable EAP AKA authentication module.])
+ARG_ENABL_SET([eap-aka-3gpp2],  [enable EAP AKA backend implementing 3GPP2 algorithms in software. Requires libgmp.])
+ARG_ENABL_SET([eap-simaka-sql], [enable EAP-SIM/AKA backend based on a triplet/quintuplet SQL database.])
+ARG_ENABL_SET([eap-simaka-pseudonym], [enable EAP-SIM/AKA pseudonym storage plugin.])
+ARG_ENABL_SET([eap-simaka-reauth],    [enable EAP-SIM/AKA reauthentication data storage plugin.])
+ARG_ENABL_SET([eap-identity],   [enable EAP module providing EAP-Identity helper.])
+ARG_ENABL_SET([eap-md5],        [enable EAP MD5 (CHAP) authentication module.])
+ARG_ENABL_SET([eap-gtc],        [enable EAP GTC authentication module.])
+ARG_ENABL_SET([eap-mschapv2],   [enable EAP MS-CHAPv2 authentication module.])
+ARG_ENABL_SET([eap-tls],        [enable EAP TLS authentication module.])
+ARG_ENABL_SET([eap-ttls],       [enable EAP TTLS authentication module.])
+ARG_ENABL_SET([eap-peap],       [enable EAP PEAP authentication module.])
+ARG_ENABL_SET([eap-tnc],        [enable EAP TNC trusted network connect module.])
+ARG_ENABL_SET([eap-dynamic],    [enable dynamic EAP proxy module.])
+ARG_ENABL_SET([eap-radius],     [enable RADIUS proxy authentication module.])
+ARG_DISBL_SET([xauth-generic],  [disable generic XAuth backend.])
+ARG_ENABL_SET([xauth-eap],      [enable XAuth backend using EAP methods to verify passwords.])
+ARG_ENABL_SET([xauth-pam],      [enable XAuth backend using PAM to verify passwords.])
+ARG_ENABL_SET([xauth-noauth],   [enable XAuth pseudo-backend that does not actually verify or even request any credentials.])
+ARG_ENABL_SET([tnc-ifmap],      [enable TNC IF-MAP module. Requires libxml])
+ARG_ENABL_SET([tnc-pdp],        [enable TNC policy decision point module.])
+ARG_ENABL_SET([tnc-imc],        [enable TNC IMC module.])
+ARG_ENABL_SET([tnc-imv],        [enable TNC IMV module.])
+ARG_ENABL_SET([tnccs-11],       [enable TNCCS 1.1 protocol module. Requires libxml])
+ARG_ENABL_SET([tnccs-20],       [enable TNCCS 2.0 protocol module.])
+ARG_ENABL_SET([tnccs-dynamic],  [enable dynamic TNCCS protocol discovery module.])
+ARG_ENABL_SET([imc-test],       [enable IMC test module.])
+ARG_ENABL_SET([imv-test],       [enable IMV test module.])
+ARG_ENABL_SET([imc-scanner],    [enable IMC port scanner module.])
+ARG_ENABL_SET([imv-scanner],    [enable IMV port scanner module.])
+ARG_ENABL_SET([imc-os],         [enable IMC operating system module.])
+ARG_ENABL_SET([imv-os],         [enable IMV operating system module.])
+ARG_ENABL_SET([imc-attestation],[enable IMC attestation module.])
+ARG_ENABL_SET([imv-attestation],[enable IMV attestation module.])
+ARG_DISBL_SET([kernel-netlink], [disable the netlink kernel interface.])
+ARG_ENABL_SET([kernel-pfkey],   [enable the PF_KEY kernel interface.])
+ARG_ENABL_SET([kernel-pfroute], [enable the PF_ROUTE kernel interface.])
+ARG_ENABL_SET([kernel-klips],   [enable the KLIPS kernel interface.])
+ARG_ENABL_SET([kernel-libipsec],[enable the libipsec kernel interface.])
+ARG_ENABL_SET([libipsec],       [enable user space IPsec implementation.])
+ARG_DISBL_SET([socket-default], [disable default socket implementation for charon.])
+ARG_ENABL_SET([socket-dynamic], [enable dynamic socket implementation for charon])
+ARG_ENABL_SET([farp],           [enable ARP faking plugin that responds to ARP requests to peers virtual IP])
+ARG_ENABL_SET([dumm],           [enable the DUMM UML test framework.])
+ARG_ENABL_SET([fast],           [enable libfast (FastCGI Application Server w/ templates.])
+ARG_ENABL_SET([manager],        [enable web management console (proof of concept).])
+ARG_ENABL_SET([mediation],      [enable IKEv2 Mediation Extension.])
+ARG_ENABL_SET([integrity-test], [enable integrity testing of libstrongswan and plugins.])
+ARG_DISBL_SET([load-warning],   [disable the charon plugin load option warning in starter.])
+ARG_DISBL_SET([ikev1],          [disable IKEv1 protocol support in charon.])
+ARG_DISBL_SET([ikev2],          [disable IKEv2 protocol support in charon.])
+ARG_DISBL_SET([charon],         [disable the IKEv1/IKEv2 keying daemon charon.])
+ARG_DISBL_SET([tools],          [disable additional utilities (openac, scepclient and pki).])
+ARG_DISBL_SET([scripts],        [disable additional utilities (found in directory scripts).])
+ARG_ENABL_SET([conftest],       [enforce Suite B conformance test framework.])
+ARG_DISBL_SET([updown],         [disable updown firewall script plugin.])
+ARG_DISBL_SET([attr],           [disable strongswan.conf based configuration attribute plugin.])
+ARG_ENABL_SET([attr-sql],       [enable SQL based configuration attribute plugin.])
+ARG_ENABL_SET([dhcp],           [enable DHCP based attribute provider plugin.])
+ARG_DISBL_SET([resolve],        [disable resolve DNS handler plugin.])
+ARG_ENABL_SET([padlock],        [enables VIA Padlock crypto plugin.])
+ARG_ENABL_SET([openssl],        [enables the OpenSSL crypto plugin.])
+ARG_ENABL_SET([gcrypt],         [enables the libgcrypt plugin.])
+ARG_ENABL_SET([agent],          [enables the ssh-agent signing plugin.])
+ARG_ENABL_SET([keychain],       [enables OS X Keychain Services credential set.])
+ARG_ENABL_SET([pkcs11],         [enables the PKCS11 token support plugin.])
+ARG_ENABL_SET([ctr],            [enables the Counter Mode wrapper crypto plugin.])
+ARG_ENABL_SET([ccm],            [enables the CCM AEAD wrapper crypto plugin.])
+ARG_ENABL_SET([gcm],            [enables the GCM AEAD wrapper crypto plugin.])
+ARG_ENABL_SET([addrblock],      [enables RFC 3779 address block constraint support.])
+ARG_ENABL_SET([unity],          [enables Cisco Unity extension plugin.])
+ARG_ENABL_SET([uci],            [enable OpenWRT UCI configuration plugin.])
+ARG_ENABL_SET([osx-attr],       [enable OS X SystemConfiguration attribute handler.])
+ARG_ENABL_SET([android-dns],    [enable Android specific DNS handler.])
+ARG_ENABL_SET([android-log],    [enable Android specific logger plugin.])
+ARG_ENABL_SET([maemo],          [enable Maemo specific plugin.])
+ARG_ENABL_SET([nm],             [enable NetworkManager backend.])
+ARG_ENABL_SET([ha],             [enable high availability cluster plugin.])
+ARG_ENABL_SET([whitelist],      [enable peer identity whitelisting plugin.])
+ARG_ENABL_SET([lookip],         [enable fast virtual IP lookup and notification plugin.])
+ARG_ENABL_SET([error-notify],   [enable error notification plugin.])
+ARG_ENABL_SET([certexpire],     [enable CSV export of expiration dates of used certificates.])
+ARG_ENABL_SET([systime-fix],    [enable plugin to handle cert lifetimes with invalid system time gracefully.])
+ARG_ENABL_SET([led],            [enable plugin to control LEDs on IKEv2 activity using the Linux kernel LED subsystem.])
+ARG_ENABL_SET([duplicheck],     [advanced duplicate checking plugin using liveness checks.])
+ARG_ENABL_SET([coupling],       [enable IKEv2 plugin to couple peer certificates permanently to authentication.])
+ARG_ENABL_SET([radattr],        [enable plugin to inject and process custom RADIUS attributes as IKEv2 client.])
+ARG_ENABL_SET([vstr],           [enforce using the Vstr string library to replace glibc-like printf hooks.])
+ARG_ENABL_SET([monolithic],     [build monolithic version of libstrongswan that includes all enabled plugins. Similarly, the plugins of charon are assembled in libcharon.])
+ARG_ENABL_SET([bfd-backtraces], [use binutils libbfd to resolve backtraces for memory leaks and segfaults.])
+ARG_ENABL_SET([unwind-backtraces],[use libunwind to create backtraces for memory leaks and segfaults.])
+ARG_ENABL_SET([unit-tests],     [enable unit tests using the check test framework.])
+ARG_ENABL_SET([coverage],       [enable lcov coverage report generation.])
+ARG_ENABL_SET([tkm],            [enable Trusted Key Manager support.])
+ARG_ENABL_SET([cmd],            [enable the command line IKE client charon-cmd.])
+
+# ===================================
+#  option to disable default options
+# ===================================
+
+ARG_DISBL_SET([defaults],       [disable all default plugins (they can be enabled with their respective --enable options)])
+
+if test x$defaults = xfalse; then
+	for option in $enabled_by_default; do
+		eval test x\${${option}_given} = xtrue && continue
+		let $option=false
+	done
+fi
+
+# ===========================
+#  set up compiler and flags
+# ===========================
+
+if test -z "$CFLAGS"; then
+	CFLAGS="-g -O2 -Wall -Wno-format -Wno-pointer-sign"
+fi
+AC_PROG_CC
+AM_PROG_CC_C_O
+
+AC_LIB_PREFIX
+AC_C_BIGENDIAN
+
+# =========================
+#  check required programs
+# =========================
+
+LT_INIT
+AC_PROG_INSTALL
+AC_PROG_EGREP
+AC_PROG_AWK
+AC_PROG_LEX
+AC_PROG_YACC
+AC_PATH_PROG([PERL], [perl], [], [$PATH:/bin:/usr/bin:/usr/local/bin])
+AC_PATH_PROG([GPERF], [gperf], [], [$PATH:/bin:/usr/bin:/usr/local/bin])
+
+# because gperf is not needed by end-users we just report it but do not abort on failure
+AC_MSG_CHECKING([gperf version >= 3.0.0])
+if test -x "$GPERF"; then
+	if test "`$GPERF --version | $AWK -F' ' '/^GNU gperf/ { print $3 }' | $AWK -F. '{ print $1 }'`" -ge "3"; then
+		AC_MSG_RESULT([yes])
+	else
+		AC_MSG_RESULT([no])
+	fi
+else
+	AC_MSG_RESULT([not found])
+fi
+
+# ========================
+#  dependency calculation
+# ========================
+
+if test x$xauth_generic_given = xfalse -a x$ikev1 = xfalse; then
+	xauth_generic=false;
+fi
+
+if test x$kernel_libipsec = xtrue; then
+	libipsec=true;
+fi
+
+if test x$eap_aka_3gpp2 = xtrue; then
+	gmp=true;
+fi
+
+if test x$eap_aka = xtrue; then
+	fips_prf=true;
+	simaka=true;
+fi
+
+if test x$eap_sim = xtrue; then
+	fips_prf=true;
+	simaka=true;
+fi
+
+if test x$eap_tls = xtrue -o x$eap_ttls = xtrue -o x$eap_peap = xtrue; then
+	tls=true;
+fi
+
+if test x$eap_radius = xtrue -o x$radattr = xtrue -o x$tnc_pdp = xtrue; then
+	radius=true;
+fi
+
+if test x$tnc_imc = xtrue -o x$tnc_imv = xtrue -o x$tnccs_11 = xtrue -o x$tnccs_11 = xtrue -o x$tnccs_dynamic = xtrue -o x$eap_tnc = xtrue; then
+	tnc_tnccs=true;
+fi
+
+if test x$imc_test = xtrue -o x$imv_test = xtrue -o x$imc_scanner = xtrue -o x$imv_scanner = xtrue -o x$imc_os = xtrue -o x$imv_os = xtrue -o x$imc_attestation = xtrue -o x$imv_attestation = xtrue; then
+	imcv=true;
+fi
+
+if test x$imc_attestation = xtrue -o x$imv_attestation = xtrue; then
+	pts=true;
+fi
+
+if test x$fips_prf = xtrue; then
+	if test x$openssl = xfalse; then
+		sha1=true;
+	fi
+fi
+
+if test x$smp = xtrue -o x$tnccs_11 = xtrue -o x$tnc_ifmap = xtrue; then
+	xml=true
+fi
+
+if test x$manager = xtrue; then
+	fast=true
+fi
+
+if test x$medsrv = xtrue; then
+	mediation=true
+	fast=true
+fi
+
+if test x$medcli = xtrue; then
+	mediation=true
+fi
+
+if test x$coverage = xtrue; then
+	unit_tests=true
+fi
+
+# ===========================================
+#  check required libraries and header files
+# ===========================================
+
+AC_HEADER_STDBOOL
+AC_FUNC_ALLOCA
+AC_FUNC_STRERROR_R
+
+#  libraries needed on some platforms but not on others
+# ------------------------------------------------------
+saved_LIBS=$LIBS
+
+# FreeBSD and Mac OS X have dlopen integrated in libc, Linux needs libdl
+LIBS=""
+AC_SEARCH_LIBS(dlopen, dl, [DLLIB=$LIBS])
+AC_SUBST(DLLIB)
+
+# glibc's backtrace() can be replicated on FreeBSD with libexecinfo
+LIBS=""
+AC_SEARCH_LIBS(backtrace, execinfo, [BTLIB=$LIBS])
+AC_CHECK_FUNCS(backtrace)
+AC_SUBST(BTLIB)
+
+# OpenSolaris needs libsocket and libnsl for socket()
+LIBS=""
+AC_SEARCH_LIBS(socket, socket, [SOCKLIB=$LIBS],
+	[AC_CHECK_LIB(nsl, socket, [SOCKLIB="-lsocket -lnsl"], [], [-lsocket])]
+)
+AC_SUBST(SOCKLIB)
+
+# FreeBSD has clock_gettime in libc, Linux needs librt
+LIBS=""
+AC_SEARCH_LIBS(clock_gettime, rt, [RTLIB=$LIBS])
+AC_CHECK_FUNCS(clock_gettime)
+AC_SUBST(RTLIB)
+
+# Android has pthread_* functions in bionic (libc), others need libpthread
+LIBS=""
+AC_SEARCH_LIBS(pthread_create, pthread, [PTHREADLIB=$LIBS])
+AC_SUBST(PTHREADLIB)
+
+LIBS=$saved_LIBS
+# ------------------------------------------------------
+
+AC_MSG_CHECKING(for dladdr)
+AC_COMPILE_IFELSE(
+	[AC_LANG_PROGRAM(
+		[[#define _GNU_SOURCE
+		  #include <dlfcn.h>]],
+		[[Dl_info* info = 0;
+		  dladdr(0, info);]])],
+	[AC_MSG_RESULT([yes]); AC_DEFINE([HAVE_DLADDR], [], [have dladdr()])],
+	[AC_MSG_RESULT([no])]
+)
+
+# check if pthread_condattr_setclock(CLOCK_MONOTONE) is supported
+saved_LIBS=$LIBS
+LIBS=$PTHREADLIB
+AC_MSG_CHECKING([for pthread_condattr_setclock(CLOCK_MONOTONE)])
+AC_RUN_IFELSE(
+	[AC_LANG_SOURCE(
+		[[#include <pthread.h>
+		  int main() { pthread_condattr_t attr;
+			pthread_condattr_init(&attr);
+			return pthread_condattr_setclock(&attr, CLOCK_MONOTONIC);}]])],
+	[AC_MSG_RESULT([yes]);
+	 AC_DEFINE([HAVE_CONDATTR_CLOCK_MONOTONIC], [],
+			   [pthread_condattr_setclock supports CLOCK_MONOTONIC])],
+	[AC_MSG_RESULT([no])],
+	# Check existence of pthread_condattr_setclock if cross-compiling
+	[AC_MSG_RESULT([unknown]);
+	 AC_CHECK_FUNCS(pthread_condattr_setclock,
+		[AC_DEFINE([HAVE_CONDATTR_CLOCK_MONOTONIC], [],
+				   [have pthread_condattr_setclock()])]
+	)]
+)
+# check if we actually are able to configure attributes on cond vars
+AC_CHECK_FUNCS(pthread_condattr_init)
+# instead of pthread_condattr_setclock Android has this function
+AC_CHECK_FUNCS(pthread_cond_timedwait_monotonic)
+# check if we can cancel threads
+AC_CHECK_FUNCS(pthread_cancel)
+# check if native rwlocks are available
+AC_CHECK_FUNCS(pthread_rwlock_init)
+# check if pthread spinlocks are available
+AC_CHECK_FUNCS(pthread_spin_init)
+# check if we have POSIX semaphore functions, including timed-wait
+AC_CHECK_FUNCS(sem_timedwait)
+LIBS=$saved_LIBS
+
+AC_CHECK_FUNC(
+	[gettid],
+	[AC_DEFINE([HAVE_GETTID], [], [have gettid()])],
+	[AC_MSG_CHECKING([for SYS_gettid])
+	 AC_COMPILE_IFELSE(
+		[AC_LANG_PROGRAM(
+			[[#define _GNU_SOURCE
+			  #include <unistd.h>
+			  #include <sys/syscall.h>]],
+			[[int main() {
+			  return syscall(SYS_gettid);}]])],
+		[AC_MSG_RESULT([yes]);
+		 AC_DEFINE([HAVE_GETTID], [], [have gettid()])
+		 AC_DEFINE([HAVE_SYS_GETTID], [], [have syscall(SYS_gettid)])],
+		[AC_MSG_RESULT([no])]
+	)]
+)
+
+AC_CHECK_FUNCS(prctl mallinfo getpass closefrom getpwnam_r getgrnam_r getpwuid_r)
+
+AC_CHECK_HEADERS(sys/sockio.h glob.h)
+AC_CHECK_HEADERS(net/pfkeyv2.h netipsec/ipsec.h netinet6/ipsec.h linux/udp.h)
+AC_CHECK_HEADERS(netinet/ip6.h, [], [],
+[
+	#include <sys/types.h>
+	#include <netinet/in.h>
+])
+
+AC_CHECK_MEMBERS([struct sockaddr.sa_len], [], [],
+[
+	#include <sys/types.h>
+	#include <sys/socket.h>
+])
+
+AC_CHECK_MEMBERS([struct sadb_x_policy.sadb_x_policy_priority], [], [],
+[
+	#include <sys/types.h>
+	#ifdef HAVE_NET_PFKEYV2_H
+	#include <net/pfkeyv2.h>
+	#else
+	#include <stdint.h>
+	#include <linux/pfkeyv2.h>
+	#endif
+])
+
+AC_MSG_CHECKING([for in6addr_any])
+AC_COMPILE_IFELSE(
+	[AC_LANG_PROGRAM(
+		[[#include <sys/types.h>
+		  #include <sys/socket.h>
+		  #include <netinet/in.h>]],
+		[[struct in6_addr in6;
+		  in6 = in6addr_any;]])],
+	[AC_MSG_RESULT([yes]);
+	 AC_DEFINE([HAVE_IN6ADDR_ANY], [], [have struct in6_addr in6addr_any])],
+	[AC_MSG_RESULT([no])]
+)
+
+AC_MSG_CHECKING([for in6_pktinfo])
+AC_COMPILE_IFELSE(
+	[AC_LANG_PROGRAM(
+		[[#define _GNU_SOURCE
+		  #include <sys/types.h>
+		  #include <sys/socket.h>
+		  #include <netinet/in.h>]],
+		[[struct in6_pktinfo pi;
+		  if (pi.ipi6_ifindex)
+		  {
+		    return 0;
+		  }]])],
+	[AC_MSG_RESULT([yes]);
+	 AC_DEFINE([HAVE_IN6_PKTINFO], [], [have struct in6_pktinfo.ipi6_ifindex])],
+	[AC_MSG_RESULT([no])]
+)
+
+AC_MSG_CHECKING([for IPSEC_MODE_BEET])
+AC_COMPILE_IFELSE(
+	[AC_LANG_PROGRAM(
+		[[#include <sys/types.h>
+		  #ifdef HAVE_NETIPSEC_IPSEC_H
+		  #include <netipsec/ipsec.h>
+		  #elif defined(HAVE_NETINET6_IPSEC_H)
+		  #include <netinet6/ipsec.h>
+		  #else
+		  #include <stdint.h>
+		  #include <linux/ipsec.h>
+		  #endif]],
+		[[int mode = IPSEC_MODE_BEET;
+		  return mode;]])],
+	[AC_MSG_RESULT([yes]);
+	 AC_DEFINE([HAVE_IPSEC_MODE_BEET], [], [have IPSEC_MODE_BEET defined])],
+	[AC_MSG_RESULT([no])]
+)
+
+AC_MSG_CHECKING([for IPSEC_DIR_FWD])
+AC_COMPILE_IFELSE(
+	[AC_LANG_PROGRAM(
+		[[#include <sys/types.h>
+		  #ifdef HAVE_NETIPSEC_IPSEC_H
+		  #include <netipsec/ipsec.h>
+		  #elif defined(HAVE_NETINET6_IPSEC_H)
+		  #include <netinet6/ipsec.h>
+		  #else
+		  #include <stdint.h>
+		  #include <linux/ipsec.h>
+		  #endif]],
+		[[int dir = IPSEC_DIR_FWD;
+		  return dir;]])],
+	[AC_MSG_RESULT([yes]);
+	 AC_DEFINE([HAVE_IPSEC_DIR_FWD], [], [have IPSEC_DIR_FWD defined])],
+	[AC_MSG_RESULT([no])]
+)
+
+AC_MSG_CHECKING([for RTA_TABLE])
+AC_COMPILE_IFELSE(
+	[AC_LANG_PROGRAM(
+		[[#include <sys/socket.h>
+		  #include <linux/netlink.h>
+		  #include <linux/rtnetlink.h>]],
+		[[int rta_type = RTA_TABLE;
+		  return rta_type;]])],
+	[AC_MSG_RESULT([yes]);
+	 AC_DEFINE([HAVE_RTA_TABLE], [], [have netlink RTA_TABLE defined])],
+	[AC_MSG_RESULT([no])]
+)
+
+AC_MSG_CHECKING([for gcc atomic operations])
+AC_RUN_IFELSE([AC_LANG_SOURCE(
+	[[
+			int main() {
+			volatile int ref = 1;
+			__sync_fetch_and_add (&ref, 1);
+			__sync_sub_and_fetch (&ref, 1);
+			/* Make sure test fails if operations are not supported */
+			__sync_val_compare_and_swap(&ref, 1, 0);
+			return ref;
+		}
+	]])],
+	[AC_MSG_RESULT([yes]);
+	 AC_DEFINE([HAVE_GCC_ATOMIC_OPERATIONS], [],
+		   [have GCC __sync_* atomic operations])],
+	[AC_MSG_RESULT([no])],
+	[AC_MSG_RESULT([no])]
+)
+
+# check for the new register_printf_specifier function with len argument,
+# or the deprecated register_printf_function without
+AC_CHECK_FUNC(
+	[register_printf_specifier],
+	[AC_DEFINE([HAVE_PRINTF_SPECIFIER], [], [have register_printf_specifier()])],
+	[AC_CHECK_FUNC(
+		[register_printf_function],
+		[AC_DEFINE([HAVE_PRINTF_FUNCTION], [], [have register_printf_function()])],
+		[
+			AC_MSG_NOTICE([printf does not support custom format specifiers!])
+			vstr=true
+		]
+	)]
+)
+
+if test x$vstr = xtrue; then
+	AC_CHECK_LIB([vstr],[main],[LIBS="$LIBS"],[AC_MSG_ERROR([Vstr string library not found])],[])
+	AC_DEFINE([USE_VSTR], [], [use vstring library for printf hooks])
+fi
+
+if test x$gmp = xtrue; then
+	saved_LIBS=$LIBS
+	AC_CHECK_LIB([gmp],[main],[],[AC_MSG_ERROR([GNU Multi Precision library gmp not found])],[])
+	AC_MSG_CHECKING([mpz_powm_sec])
+	if test x$mpz_powm_sec = xyes; then
+		AC_COMPILE_IFELSE(
+			[AC_LANG_PROGRAM(
+				[[#include "gmp.h"]],
+				[[void *x = mpz_powm_sec;]])],
+			[AC_MSG_RESULT([yes]);
+			 AC_DEFINE([HAVE_MPZ_POWM_SEC], [], [have mpz_mown_sec()])],
+			[AC_MSG_RESULT([no])]
+		)
+	else
+		AC_MSG_RESULT([disabled])
+	fi
+	LIBS=$saved_LIBS
+	AC_MSG_CHECKING([gmp.h version >= 4.1.4])
+	AC_COMPILE_IFELSE(
+		[AC_LANG_PROGRAM(
+			[[#include "gmp.h"]],
+			[[
+				#if (__GNU_MP_VERSION*100 +  __GNU_MP_VERSION_MINOR*10 + __GNU_MP_VERSION_PATCHLEVEL) < 414
+					#error bad gmp
+				#endif]])],
+		[AC_MSG_RESULT([yes])],
+		[AC_MSG_RESULT([no]); AC_MSG_ERROR([No usable gmp.h found!])]
+	)
+fi
+
+if test x$ldap = xtrue; then
+	AC_CHECK_LIB([ldap],[main],[LIBS="$LIBS"],[AC_MSG_ERROR([LDAP library ldap not found])],[])
+	AC_CHECK_LIB([lber],[main],[LIBS="$LIBS"],[AC_MSG_ERROR([LDAP library lber not found])],[])
+	AC_CHECK_HEADER([ldap.h],,[AC_MSG_ERROR([LDAP header ldap.h not found!])])
+fi
+
+if test x$curl = xtrue; then
+	AC_CHECK_LIB([curl],[main],[LIBS="$LIBS"],[AC_MSG_ERROR([CURL library curl not found])],[])
+	AC_CHECK_HEADER([curl/curl.h],,[AC_MSG_ERROR([CURL header curl/curl.h not found!])])
+fi
+
+if test x$unbound = xtrue; then
+	AC_HAVE_LIBRARY([ldns],[LIBS="$LIBS"],[AC_MSG_ERROR([UNBOUND library ldns not found])])
+	AC_CHECK_HEADER([ldns/ldns.h],,[AC_MSG_ERROR([UNBOUND header ldns/ldns.h not found!])])
+	AC_HAVE_LIBRARY([unbound],[LIBS="$LIBS"],[AC_MSG_ERROR([UNBOUND library libunbound not found])])
+	AC_CHECK_HEADER([unbound.h],,[AC_MSG_ERROR([UNBOUND header unbound.h not found!])])
+fi
+
+if test x$soup = xtrue; then
+	PKG_CHECK_MODULES(soup, [libsoup-2.4])
+	AC_SUBST(soup_CFLAGS)
+	AC_SUBST(soup_LIBS)
+fi
+
+if test x$xml = xtrue; then
+	PKG_CHECK_MODULES(xml, [libxml-2.0])
+	AC_SUBST(xml_CFLAGS)
+	AC_SUBST(xml_LIBS)
+fi
+
+if test x$tss = xtrousers; then
+	AC_CHECK_LIB([tspi],[main],[LIBS="$LIBS"],[AC_MSG_ERROR([TrouSerS library libtspi not found])],[])
+	AC_CHECK_HEADER([trousers/tss.h],,[AC_MSG_ERROR([TrouSerS header trousers/tss.h not found!])])
+	AC_DEFINE([TSS_TROUSERS], [], [use TrouSerS library libtspi as TSS implementation])
+fi
+
+if test x$dumm = xtrue; then
+	PKG_CHECK_MODULES(gtk, [gtk+-2.0 vte])
+	AC_SUBST(gtk_CFLAGS)
+	AC_SUBST(gtk_LIBS)
+	AC_CHECK_PROGS(RUBY, ruby)
+	AC_MSG_CHECKING([for Ruby header files])
+	if test -n "$RUBY"; then
+		RUBYINCLUDE=
+		RUBYDIR=`($RUBY -r rbconfig -e 'print RbConfig::CONFIG[["rubyhdrdir"]] || ""') 2>/dev/null`
+		if test -n "$RUBYDIR" -a -r "$RUBYDIR/ruby.h"; then
+			RUBYARCH=`($RUBY -r rbconfig -e 'print RbConfig::CONFIG[["arch"]] || ""') 2>/dev/null`
+			if test -n "$RUBYARCH"; then
+				AC_MSG_RESULT([$RUBYDIR])
+				RUBYINCLUDE="-I$RUBYDIR -I$RUBYDIR/$RUBYARCH"
+			fi
+		else
+			RUBYDIR=`($RUBY -r rbconfig -e 'print RbConfig::CONFIG[["archdir"]] || ""') 2>/dev/null`
+			if test -n "$RUBYDIR" -a -r "$RUBYDIR/ruby.h"; then
+				AC_MSG_RESULT([$RUBYDIR])
+				RUBYINCLUDE="-I$RUBYDIR"
+			fi
+		fi
+		if test -z "$RUBYINCLUDE"; then
+			AC_MSG_ERROR([ruby.h not found])
+		fi
+		AC_SUBST(RUBYINCLUDE)
+	else
+		AC_MSG_ERROR([don't know how to run ruby])
+	fi
+	AC_MSG_CHECKING([for libruby])
+	saved_LIBS=$LIBS
+	LIBS=`($RUBY -r rbconfig -e 'print RbConfig::CONFIG[["LIBRUBYARG_SHARED"]] || ""') 2>/dev/null`
+	AC_TRY_LINK_FUNC(ruby_init,
+		[AC_MSG_RESULT([$LIBS]); RUBYLIB=$LIBS],
+		[AC_MSG_ERROR([not found])])
+	AC_SUBST(RUBYLIB)
+	AC_CHECK_FUNCS(rb_errinfo)
+	LIBS=$saved_LIBS
+fi
+
+if test x$fast = xtrue; then
+	AC_CHECK_LIB([neo_cgi],[main],[LIBS="$LIBS"],[AC_MSG_ERROR([ClearSilver library neo_cgi not found!])],[])
+	AC_CHECK_LIB([neo_utl],[main],[LIBS="$LIBS"],[AC_MSG_ERROR([ClearSilver library neo_utl not found!])],[])
+	AC_MSG_CHECKING([ClearSilver requires zlib])
+	saved_CFLAGS=$CFLAGS
+	saved_LIBS=$LIBS
+	LIBS="-lneo_cgi -lneo_cs -lneo_utl"
+	CFLAGS="-I/usr/include/ClearSilver"
+	AC_LINK_IFELSE(
+		[AC_LANG_PROGRAM(
+			[[#include <ClearSilver.h>]],
+			[[NEOERR *err = cgi_display(NULL, NULL);]])],
+		[AC_MSG_RESULT([no]); clearsilver_LIBS="$LIBS"],
+		[AC_MSG_RESULT([yes]); clearsilver_LIBS="$LIBS -lz"]
+	)
+	AC_SUBST(clearsilver_LIBS)
+	LIBS=$saved_LIBS
+	CFLAGS=$saved_CFLAGS
+# autoconf does not like CamelCase!? How to fix this?
+#	AC_CHECK_HEADER([ClearSilver/ClearSilver.h],,[AC_MSG_ERROR([ClearSilver header file ClearSilver/ClearSilver.h not found!])])
+
+	AC_CHECK_LIB([fcgi],[main],[LIBS="$LIBS"],[AC_MSG_ERROR([FastCGI library fcgi not found!])],[])
+	AC_CHECK_HEADER([fcgiapp.h],,[AC_MSG_ERROR([FastCGI header file fcgiapp.h not found!])])
+fi
+
+if test x$mysql = xtrue; then
+	AC_PATH_PROG([MYSQLCONFIG], [mysql_config], [], [$PATH:/bin:/usr/bin:/usr/local/bin])
+	if test x$MYSQLCONFIG = x; then
+		AC_MSG_ERROR([mysql_config not found!])
+	fi
+	AC_SUBST(MYSQLLIB, `$MYSQLCONFIG --libs_r`)
+	AC_SUBST(MYSQLCFLAG, `$MYSQLCONFIG --cflags`)
+fi
+
+if test x$sqlite = xtrue; then
+	AC_CHECK_LIB([sqlite3],[main],[LIBS="$LIBS"],[AC_MSG_ERROR([SQLite library sqlite3 not found])],[])
+	AC_CHECK_HEADER([sqlite3.h],,[AC_MSG_ERROR([SQLite header sqlite3.h not found!])])
+	AC_MSG_CHECKING([sqlite3_prepare_v2])
+	AC_COMPILE_IFELSE(
+		[AC_LANG_PROGRAM(
+			[[#include <sqlite3.h>]],
+			[[void *test = sqlite3_prepare_v2;]])],
+		[AC_MSG_RESULT([yes]);
+		 AC_DEFINE([HAVE_SQLITE3_PREPARE_V2], [], [have sqlite3_prepare_v2()])],
+		[AC_MSG_RESULT([no])]
+	)
+	AC_MSG_CHECKING([sqlite3.h version >= 3.3.1])
+	AC_COMPILE_IFELSE(
+		[AC_LANG_PROGRAM(
+			[[#include <sqlite3.h>]],
+			[[
+				#if SQLITE_VERSION_NUMBER < 3003001
+					#error bad sqlite
+				#endif]])],
+		[AC_MSG_RESULT([yes])],
+		[AC_MSG_RESULT([no]); AC_MSG_ERROR([SQLite version >= 3.3.1 required!])]
+	)
+fi
+
+if test x$openssl = xtrue; then
+	AC_CHECK_LIB([crypto],[main],[LIBS="$LIBS"],[AC_MSG_ERROR([OpenSSL crypto library not found])],[])
+	AC_CHECK_HEADER([openssl/evp.h],,[AC_MSG_ERROR([OpenSSL header openssl/evp.h not found!])])
+fi
+
+if test x$gcrypt = xtrue; then
+	AC_CHECK_LIB([gcrypt],[main],[LIBS="$LIBS"],[AC_MSG_ERROR([gcrypt library not found])],[-lgpg-error])
+	AC_CHECK_HEADER([gcrypt.h],,[AC_MSG_ERROR([gcrypt header gcrypt.h not found!])])
+	AC_MSG_CHECKING([gcrypt CAMELLIA cipher])
+	AC_COMPILE_IFELSE(
+		[AC_LANG_PROGRAM(
+			[[#include <gcrypt.h>]],
+			[[enum gcry_cipher_algos alg = GCRY_CIPHER_CAMELLIA128;]])],
+		[AC_MSG_RESULT([yes]);
+		 AC_DEFINE([HAVE_GCRY_CIPHER_CAMELLIA], [], [have GCRY_CIPHER_CAMELLIA128])],
+		[AC_MSG_RESULT([no])]
+	)
+fi
+
+if test x$uci = xtrue; then
+	AC_CHECK_LIB([uci],[main],[LIBS="$LIBS"],[AC_MSG_ERROR([UCI library libuci not found])],[])
+	AC_CHECK_HEADER([uci.h],,[AC_MSG_ERROR([UCI header uci.h not found!])])
+fi
+
+if test x$android_dns = xtrue; then
+	AC_CHECK_LIB([cutils],[main],[LIBS="$LIBS"],[AC_MSG_ERROR([Android library libcutils not found])],[])
+	AC_CHECK_HEADER([cutils/properties.h],,[AC_MSG_ERROR([Android header cutils/properties.h not found!])])
+	# we have to force the use of libdl here because the autodetection
+	# above does not work correctly when cross-compiling for android.
+	DLLIB="-ldl"
+	AC_SUBST(DLLIB)
+fi
+
+if test x$maemo = xtrue; then
+	PKG_CHECK_MODULES(maemo, [glib-2.0 gthread-2.0 libosso osso-af-settings])
+	AC_SUBST(maemo_CFLAGS)
+	AC_SUBST(maemo_LIBS)
+	dbusservicedir="/usr/share/dbus-1/system-services"
+	AC_SUBST(dbusservicedir)
+fi
+
+if test x$eap_sim_pcsc = xtrue; then
+	PKG_CHECK_MODULES(pcsclite, [libpcsclite])
+	AC_SUBST(pcsclite_CFLAGS)
+	AC_SUBST(pcsclite_LIBS)
+fi
+
+if test x$nm = xtrue; then
+	PKG_CHECK_EXISTS([libnm-glib],
+		[PKG_CHECK_MODULES(nm, [NetworkManager gthread-2.0 libnm-util libnm-glib libnm-glib-vpn])],
+		[PKG_CHECK_MODULES(nm, [NetworkManager gthread-2.0 libnm_util libnm_glib libnm_glib_vpn])]
+	)
+	AC_SUBST(nm_CFLAGS)
+	AC_SUBST(nm_LIBS)
+fi
+
+if test x$xauth_pam = xtrue; then
+	AC_CHECK_LIB([pam],[main],[LIBS="$LIBS"],[AC_MSG_ERROR([PAM library not found])],[])
+	AC_CHECK_HEADER([security/pam_appl.h],,[AC_MSG_ERROR([PAM header security/pam_appl.h not found!])])
+fi
+
+if test x$capabilities = xnative; then
+	AC_MSG_NOTICE([Usage of the native Linux capabilities interface is deprecated, use libcap instead])
+	# Linux requires the following for capset(), Android does not have it,
+	# but defines capset() in unistd.h instead.
+	AC_CHECK_HEADERS([sys/capability.h])
+	AC_CHECK_FUNC(capset,,[AC_MSG_ERROR([capset() not found!])])
+	AC_DEFINE([CAPABILITIES_NATIVE], [], [have native linux capset()])
+fi
+
+if test x$capabilities = xlibcap; then
+	AC_CHECK_LIB([cap],[main],[LIBS="$LIBS"],[AC_MSG_ERROR([libcap library not found])],[])
+	AC_CHECK_HEADER([sys/capability.h],
+		[AC_DEFINE([HAVE_SYS_CAPABILITY_H], [], [have sys/capability.h])],
+		[AC_MSG_ERROR([libcap header sys/capability.h not found!])])
+	AC_DEFINE([CAPABILITIES_LIBCAP], [], [have libpcap library])
+fi
+
+if test x$integrity_test = xtrue; then
+	AC_MSG_CHECKING([for dladdr()])
+	AC_COMPILE_IFELSE(
+		[AC_LANG_PROGRAM(
+			[[#define _GNU_SOURCE
+			  #include <dlfcn.h>]],
+			[[Dl_info info; dladdr(main, &info);]])],
+		[AC_MSG_RESULT([yes])],
+		[AC_MSG_RESULT([no]);
+		 AC_MSG_ERROR([dladdr() not supported, required by integrity-test!])]
+	)
+	AC_MSG_CHECKING([for dl_iterate_phdr()])
+	AC_COMPILE_IFELSE(
+		[AC_LANG_PROGRAM(
+			[[#define _GNU_SOURCE
+			  #include <link.h>]],
+			[[dl_iterate_phdr((void*)0, (void*)0);]])],
+		[AC_MSG_RESULT([yes])],
+		[AC_MSG_RESULT([no]);
+		 AC_MSG_ERROR([dl_iterate_phdr() not supported, required by integrity-test!])]
+	)
+fi
+
+if test x$bfd_backtraces = xtrue; then
+	AC_CHECK_LIB([bfd],[main],[LIBS="$LIBS"],[AC_MSG_ERROR([binutils libbfd not found!])],[])
+	AC_CHECK_HEADER([bfd.h],[AC_DEFINE([HAVE_BFD_H],,[have binutils bfd.h])],
+		[AC_MSG_ERROR([binutils bfd.h header not found!])])
+	BFDLIB="-lbfd"
+	AC_SUBST(BFDLIB)
+fi
+
+if test x$unwind_backtraces = xtrue; then
+	AC_CHECK_LIB([unwind],[main],[LIBS="$LIBS"],[AC_MSG_ERROR([libunwind not found!])],[])
+	AC_CHECK_HEADER([libunwind.h],[AC_DEFINE([HAVE_LIBUNWIND_H],,[have libunwind.h])],
+		[AC_MSG_ERROR([libunwind.h header not found!])])
+	UNWINDLIB="-lunwind"
+	AC_SUBST(UNWINDLIB)
+fi
+
+AM_CONDITIONAL(USE_DEV_HEADERS, [test "x$dev_headers" != xno])
+if test x$dev_headers = xyes; then
+	dev_headers="$includedir/strongswan"
+fi
+AC_SUBST(dev_headers)
+
+CFLAGS="$CFLAGS -include `pwd`/config.h"
+
+if test x$tkm = xtrue; then
+	AC_PATH_PROG([GPRBUILD], [gprbuild], [], [$PATH:/bin:/usr/bin:/usr/local/bin])
+fi
+
+if test x$unit_tests = xtrue; then
+	PKG_CHECK_MODULES(CHECK, [check >= 0.9.4])
+	AC_SUBST(CHECK_CFLAGS)
+	AC_SUBST(CHECK_LIBS)
+fi
+
+if test x$coverage = xtrue; then
+	AC_PATH_PROG([LCOV], [lcov], [], [$PATH:/bin:/usr/bin:/usr/local/bin])
+	if test x$LCOV = x; then
+		AC_MSG_ERROR([lcov not found])
+	fi
+	AC_PATH_PROG([GENHTML], [genhtml], [], [$PATH:/bin:/usr/bin:/usr/local/bin])
+	if test x$GENHTML = x; then
+		AC_MSG_ERROR([genhtml not found])
+	fi
+
+	COVERAGE_CFLAGS="-fprofile-arcs -ftest-coverage"
+	COVERAGE_LDFLAGS="-fprofile-arcs"
+	AC_SUBST(COVERAGE_CFLAGS)
+	AC_SUBST(COVERAGE_LDFLAGS)
+
+	AC_MSG_NOTICE([coverage enabled, adding "-g -O0" to CFLAGS])
+	CFLAGS="${CFLAGS} -g -O0"
+fi
+
+# ===============================================
+#  collect plugin list for strongSwan components
+# ===============================================
+
+m4_include(m4/macros/add-plugin.m4)
+
+# plugin lists for all components
+charon_plugins=
+starter_plugins=
+pool_plugins=
+attest_plugins=
+openac_plugins=
+scepclient_plugins=
+pki_plugins=
+scripts_plugins=
+manager_plugins=
+medsrv_plugins=
+nm_plugins=
+cmd_plugins=
+
+# location specific lists for checksumming,
+# for src/libcharon, src/libhydra and src/libstrongswan
+c_plugins=
+h_plugins=
+s_plugins=
+
+ADD_PLUGIN([test-vectors],         [s charon openac scepclient pki])
+ADD_PLUGIN([curl],                 [s charon scepclient scripts nm cmd])
+ADD_PLUGIN([soup],                 [s charon scripts nm cmd])
+ADD_PLUGIN([unbound],              [s charon scripts])
+ADD_PLUGIN([ldap],                 [s charon scepclient scripts nm cmd])
+ADD_PLUGIN([mysql],                [s charon pool manager medsrv attest])
+ADD_PLUGIN([sqlite],               [s charon pool manager medsrv attest])
+ADD_PLUGIN([pkcs11],               [s charon pki nm cmd])
+ADD_PLUGIN([aes],                  [s charon openac scepclient pki scripts nm cmd])
+ADD_PLUGIN([des],                  [s charon openac scepclient pki scripts nm cmd])
+ADD_PLUGIN([blowfish],             [s charon openac scepclient pki scripts nm cmd])
+ADD_PLUGIN([rc2],                  [s charon openac scepclient pki scripts nm cmd])
+ADD_PLUGIN([sha1],                 [s charon openac scepclient pki scripts medsrv attest nm cmd])
+ADD_PLUGIN([sha2],                 [s charon openac scepclient pki scripts medsrv attest nm cmd])
+ADD_PLUGIN([md4],                  [s charon openac manager scepclient pki nm cmd])
+ADD_PLUGIN([md5],                  [s charon openac scepclient pki scripts attest nm cmd])
+ADD_PLUGIN([rdrand],               [s charon openac scepclient pki scripts medsrv attest nm cmd])
+ADD_PLUGIN([random],               [s charon openac scepclient pki scripts medsrv attest nm cmd])
+ADD_PLUGIN([nonce],                [s charon nm cmd])
+ADD_PLUGIN([x509],                 [s charon openac scepclient pki scripts attest nm cmd])
+ADD_PLUGIN([revocation],           [s charon nm cmd])
+ADD_PLUGIN([constraints],          [s charon nm cmd])
+ADD_PLUGIN([pubkey],               [s charon cmd])
+ADD_PLUGIN([pkcs1],                [s charon openac scepclient pki scripts manager medsrv attest nm cmd])
+ADD_PLUGIN([pkcs7],                [s charon scepclient pki scripts nm cmd])
+ADD_PLUGIN([pkcs8],                [s charon openac scepclient pki scripts manager medsrv attest nm cmd])
+ADD_PLUGIN([pkcs12],               [s charon scepclient pki scripts cmd])
+ADD_PLUGIN([pgp],                  [s charon])
+ADD_PLUGIN([dnskey],               [s charon])
+ADD_PLUGIN([sshkey],               [s charon nm cmd])
+ADD_PLUGIN([ipseckey],             [c charon])
+ADD_PLUGIN([pem],                  [s charon openac scepclient pki scripts manager medsrv attest nm cmd])
+ADD_PLUGIN([padlock],              [s charon])
+ADD_PLUGIN([openssl],              [s charon openac scepclient pki scripts manager medsrv attest nm cmd])
+ADD_PLUGIN([gcrypt],               [s charon openac scepclient pki scripts manager medsrv attest nm cmd])
+ADD_PLUGIN([af-alg],               [s charon openac scepclient pki scripts medsrv attest nm cmd])
+ADD_PLUGIN([fips-prf],             [s charon nm cmd])
+ADD_PLUGIN([gmp],                  [s charon openac scepclient pki scripts manager medsrv attest nm cmd])
+ADD_PLUGIN([agent],                [s charon nm cmd])
+ADD_PLUGIN([keychain],             [s charon cmd])
+ADD_PLUGIN([xcbc],                 [s charon nm cmd])
+ADD_PLUGIN([cmac],                 [s charon nm cmd])
+ADD_PLUGIN([hmac],                 [s charon scripts nm cmd])
+ADD_PLUGIN([ctr],                  [s charon scripts nm cmd])
+ADD_PLUGIN([ccm],                  [s charon scripts nm cmd])
+ADD_PLUGIN([gcm],                  [s charon scripts nm cmd])
+ADD_PLUGIN([attr],                 [h charon])
+ADD_PLUGIN([attr-sql],             [h charon])
+ADD_PLUGIN([load-tester],          [c charon])
+ADD_PLUGIN([kernel-libipsec],      [c charon cmd])
+ADD_PLUGIN([kernel-pfkey],         [h charon starter nm cmd])
+ADD_PLUGIN([kernel-pfroute],       [h charon starter nm cmd])
+ADD_PLUGIN([kernel-klips],         [h charon starter])
+ADD_PLUGIN([kernel-netlink],       [h charon starter nm cmd])
+ADD_PLUGIN([resolve],              [h charon cmd])
+ADD_PLUGIN([socket-default],       [c charon nm cmd])
+ADD_PLUGIN([socket-dynamic],       [c charon cmd])
+ADD_PLUGIN([farp],                 [c charon])
+ADD_PLUGIN([stroke],               [c charon])
+ADD_PLUGIN([smp],                  [c charon])
+ADD_PLUGIN([sql],                  [c charon])
+ADD_PLUGIN([updown],               [c charon])
+ADD_PLUGIN([eap-identity],         [c charon nm cmd])
+ADD_PLUGIN([eap-sim],              [c charon])
+ADD_PLUGIN([eap-sim-file],         [c charon])
+ADD_PLUGIN([eap-sim-pcsc],         [c charon])
+ADD_PLUGIN([eap-aka],              [c charon])
+ADD_PLUGIN([eap-aka-3gpp2],        [c charon])
+ADD_PLUGIN([eap-simaka-sql],       [c charon])
+ADD_PLUGIN([eap-simaka-pseudonym], [c charon])
+ADD_PLUGIN([eap-simaka-reauth],    [c charon])
+ADD_PLUGIN([eap-md5],              [c charon nm cmd])
+ADD_PLUGIN([eap-gtc],              [c charon nm cmd])
+ADD_PLUGIN([eap-mschapv2],         [c charon nm cmd])
+ADD_PLUGIN([eap-dynamic],          [c charon])
+ADD_PLUGIN([eap-radius],           [c charon])
+ADD_PLUGIN([eap-tls],              [c charon nm cmd])
+ADD_PLUGIN([eap-ttls],             [c charon nm cmd])
+ADD_PLUGIN([eap-peap],             [c charon nm cmd])
+ADD_PLUGIN([eap-tnc],              [c charon])
+ADD_PLUGIN([xauth-generic],        [c charon cmd])
+ADD_PLUGIN([xauth-eap],            [c charon])
+ADD_PLUGIN([xauth-pam],            [c charon])
+ADD_PLUGIN([xauth-noauth],         [c charon])
+ADD_PLUGIN([tnc-ifmap],            [c charon])
+ADD_PLUGIN([tnc-pdp],              [c charon])
+ADD_PLUGIN([tnc-imc],              [c charon])
+ADD_PLUGIN([tnc-imv],              [c charon])
+ADD_PLUGIN([tnc-tnccs],            [c charon])
+ADD_PLUGIN([tnccs-20],             [c charon])
+ADD_PLUGIN([tnccs-11],             [c charon])
+ADD_PLUGIN([tnccs-dynamic],        [c charon])
+ADD_PLUGIN([medsrv],               [c charon])
+ADD_PLUGIN([medcli],               [c charon])
+ADD_PLUGIN([dhcp],                 [c charon])
+ADD_PLUGIN([osx-attr],             [c charon cmd])
+ADD_PLUGIN([android-dns],          [c charon])
+ADD_PLUGIN([android-log],          [c charon])
+ADD_PLUGIN([ha],                   [c charon])
+ADD_PLUGIN([whitelist],            [c charon])
+ADD_PLUGIN([lookip],               [c charon])
+ADD_PLUGIN([error-notify],         [c charon])
+ADD_PLUGIN([certexpire],           [c charon])
+ADD_PLUGIN([systime-fix],          [c charon])
+ADD_PLUGIN([led],                  [c charon])
+ADD_PLUGIN([duplicheck],           [c charon])
+ADD_PLUGIN([coupling],             [c charon])
+ADD_PLUGIN([radattr],              [c charon])
+ADD_PLUGIN([maemo],                [c charon])
+ADD_PLUGIN([uci],                  [c charon])
+ADD_PLUGIN([addrblock],            [c charon])
+ADD_PLUGIN([unity],                [c charon])
+ADD_PLUGIN([unit-tester],          [c charon])
+
+AC_SUBST(charon_plugins)
+AC_SUBST(starter_plugins)
+AC_SUBST(pool_plugins)
+AC_SUBST(attest_plugins)
+AC_SUBST(openac_plugins)
+AC_SUBST(scepclient_plugins)
+AC_SUBST(pki_plugins)
+AC_SUBST(scripts_plugins)
+AC_SUBST(manager_plugins)
+AC_SUBST(medsrv_plugins)
+AC_SUBST(nm_plugins)
+AC_SUBST(cmd_plugins)
+
+AC_SUBST(c_plugins)
+AC_SUBST(h_plugins)
+AC_SUBST(s_plugins)
+
+# ======================
+#  set Makefile.am vars
+# ======================
+
+#  libstrongswan plugins
+# -----------------------
+AM_CONDITIONAL(USE_TEST_VECTORS, test x$test_vectors = xtrue)
+AM_CONDITIONAL(USE_CURL, test x$curl = xtrue)
+AM_CONDITIONAL(USE_UNBOUND, test x$unbound = xtrue)
+AM_CONDITIONAL(USE_SOUP, test x$soup = xtrue)
+AM_CONDITIONAL(USE_LDAP, test x$ldap = xtrue)
+AM_CONDITIONAL(USE_AES, test x$aes = xtrue)
+AM_CONDITIONAL(USE_DES, test x$des = xtrue)
+AM_CONDITIONAL(USE_BLOWFISH, test x$blowfish = xtrue)
+AM_CONDITIONAL(USE_RC2, test x$rc2 = xtrue)
+AM_CONDITIONAL(USE_MD4, test x$md4 = xtrue)
+AM_CONDITIONAL(USE_MD5, test x$md5 = xtrue)
+AM_CONDITIONAL(USE_SHA1, test x$sha1 = xtrue)
+AM_CONDITIONAL(USE_SHA2, test x$sha2 = xtrue)
+AM_CONDITIONAL(USE_FIPS_PRF, test x$fips_prf = xtrue)
+AM_CONDITIONAL(USE_GMP, test x$gmp = xtrue)
+AM_CONDITIONAL(USE_RDRAND, test x$rdrand = xtrue)
+AM_CONDITIONAL(USE_RANDOM, test x$random = xtrue)
+AM_CONDITIONAL(USE_NONCE, test x$nonce = xtrue)
+AM_CONDITIONAL(USE_X509, test x$x509 = xtrue)
+AM_CONDITIONAL(USE_REVOCATION, test x$revocation = xtrue)
+AM_CONDITIONAL(USE_CONSTRAINTS, test x$constraints = xtrue)
+AM_CONDITIONAL(USE_PUBKEY, test x$pubkey = xtrue)
+AM_CONDITIONAL(USE_PKCS1, test x$pkcs1 = xtrue)
+AM_CONDITIONAL(USE_PKCS7, test x$pkcs7 = xtrue)
+AM_CONDITIONAL(USE_PKCS8, test x$pkcs8 = xtrue)
+AM_CONDITIONAL(USE_PKCS12, test x$pkcs12 = xtrue)
+AM_CONDITIONAL(USE_PGP, test x$pgp = xtrue)
+AM_CONDITIONAL(USE_DNSKEY, test x$dnskey = xtrue)
+AM_CONDITIONAL(USE_SSHKEY, test x$sshkey = xtrue)
+AM_CONDITIONAL(USE_PEM, test x$pem = xtrue)
+AM_CONDITIONAL(USE_HMAC, test x$hmac = xtrue)
+AM_CONDITIONAL(USE_CMAC, test x$cmac = xtrue)
+AM_CONDITIONAL(USE_XCBC, test x$xcbc = xtrue)
+AM_CONDITIONAL(USE_MYSQL, test x$mysql = xtrue)
+AM_CONDITIONAL(USE_SQLITE, test x$sqlite = xtrue)
+AM_CONDITIONAL(USE_PADLOCK, test x$padlock = xtrue)
+AM_CONDITIONAL(USE_OPENSSL, test x$openssl = xtrue)
+AM_CONDITIONAL(USE_GCRYPT, test x$gcrypt = xtrue)
+AM_CONDITIONAL(USE_AGENT, test x$agent = xtrue)
+AM_CONDITIONAL(USE_KEYCHAIN, test x$keychain = xtrue)
+AM_CONDITIONAL(USE_PKCS11, test x$pkcs11 = xtrue)
+AM_CONDITIONAL(USE_CTR, test x$ctr = xtrue)
+AM_CONDITIONAL(USE_CCM, test x$ccm = xtrue)
+AM_CONDITIONAL(USE_GCM, test x$gcm = xtrue)
+AM_CONDITIONAL(USE_AF_ALG, test x$af_alg = xtrue)
+
+#  charon plugins
+# ----------------
+AM_CONDITIONAL(USE_STROKE, test x$stroke = xtrue)
+AM_CONDITIONAL(USE_MEDSRV, test x$medsrv = xtrue)
+AM_CONDITIONAL(USE_MEDCLI, test x$medcli = xtrue)
+AM_CONDITIONAL(USE_UCI, test x$uci = xtrue)
+AM_CONDITIONAL(USE_OSX_ATTR, test x$osx_attr = xtrue)
+AM_CONDITIONAL(USE_ANDROID_DNS, test x$android_dns = xtrue)
+AM_CONDITIONAL(USE_ANDROID_LOG, test x$android_log = xtrue)
+AM_CONDITIONAL(USE_MAEMO, test x$maemo = xtrue)
+AM_CONDITIONAL(USE_SMP, test x$smp = xtrue)
+AM_CONDITIONAL(USE_SQL, test x$sql = xtrue)
+AM_CONDITIONAL(USE_IPSECKEY, test x$ipseckey = xtrue)
+AM_CONDITIONAL(USE_UPDOWN, test x$updown = xtrue)
+AM_CONDITIONAL(USE_DHCP, test x$dhcp = xtrue)
+AM_CONDITIONAL(USE_UNIT_TESTS, test x$unit_tester = xtrue)
+AM_CONDITIONAL(USE_LOAD_TESTER, test x$load_tester = xtrue)
+AM_CONDITIONAL(USE_HA, test x$ha = xtrue)
+AM_CONDITIONAL(USE_KERNEL_LIBIPSEC, test x$kernel_libipsec = xtrue)
+AM_CONDITIONAL(USE_WHITELIST, test x$whitelist = xtrue)
+AM_CONDITIONAL(USE_LOOKIP, test x$lookip = xtrue)
+AM_CONDITIONAL(USE_ERROR_NOTIFY, test x$error_notify = xtrue)
+AM_CONDITIONAL(USE_CERTEXPIRE, test x$certexpire = xtrue)
+AM_CONDITIONAL(USE_SYSTIME_FIX, test x$systime_fix = xtrue)
+AM_CONDITIONAL(USE_LED, test x$led = xtrue)
+AM_CONDITIONAL(USE_DUPLICHECK, test x$duplicheck = xtrue)
+AM_CONDITIONAL(USE_COUPLING, test x$coupling = xtrue)
+AM_CONDITIONAL(USE_RADATTR, test x$radattr = xtrue)
+AM_CONDITIONAL(USE_EAP_SIM, test x$eap_sim = xtrue)
+AM_CONDITIONAL(USE_EAP_SIM_FILE, test x$eap_sim_file = xtrue)
+AM_CONDITIONAL(USE_EAP_SIM_PCSC, test x$eap_sim_pcsc = xtrue)
+AM_CONDITIONAL(USE_EAP_SIMAKA_SQL, test x$eap_simaka_sql = xtrue)
+AM_CONDITIONAL(USE_EAP_SIMAKA_PSEUDONYM, test x$eap_simaka_pseudonym = xtrue)
+AM_CONDITIONAL(USE_EAP_SIMAKA_REAUTH, test x$eap_simaka_reauth = xtrue)
+AM_CONDITIONAL(USE_EAP_IDENTITY, test x$eap_identity = xtrue)
+AM_CONDITIONAL(USE_EAP_MD5, test x$eap_md5 = xtrue)
+AM_CONDITIONAL(USE_EAP_GTC, test x$eap_gtc = xtrue)
+AM_CONDITIONAL(USE_EAP_AKA, test x$eap_aka = xtrue)
+AM_CONDITIONAL(USE_EAP_AKA_3GPP2, test x$eap_aka_3gpp2 = xtrue)
+AM_CONDITIONAL(USE_EAP_MSCHAPV2, test x$eap_mschapv2 = xtrue)
+AM_CONDITIONAL(USE_EAP_TLS, test x$eap_tls = xtrue)
+AM_CONDITIONAL(USE_EAP_TTLS, test x$eap_ttls = xtrue)
+AM_CONDITIONAL(USE_EAP_PEAP, test x$eap_peap = xtrue)
+AM_CONDITIONAL(USE_EAP_TNC, test x$eap_tnc = xtrue)
+AM_CONDITIONAL(USE_EAP_DYNAMIC, test x$eap_dynamic = xtrue)
+AM_CONDITIONAL(USE_EAP_RADIUS, test x$eap_radius = xtrue)
+AM_CONDITIONAL(USE_XAUTH_GENERIC, test x$xauth_generic = xtrue)
+AM_CONDITIONAL(USE_XAUTH_EAP, test x$xauth_eap = xtrue)
+AM_CONDITIONAL(USE_XAUTH_PAM, test x$xauth_pam = xtrue)
+AM_CONDITIONAL(USE_XAUTH_NOAUTH, test x$xauth_noauth = xtrue)
+AM_CONDITIONAL(USE_TNC_IFMAP, test x$tnc_ifmap = xtrue)
+AM_CONDITIONAL(USE_TNC_PDP, test x$tnc_pdp = xtrue)
+AM_CONDITIONAL(USE_TNC_IMC, test x$tnc_imc = xtrue)
+AM_CONDITIONAL(USE_TNC_IMV, test x$tnc_imv = xtrue)
+AM_CONDITIONAL(USE_TNC_TNCCS, test x$tnc_tnccs = xtrue)
+AM_CONDITIONAL(USE_TNCCS_11, test x$tnccs_11 = xtrue)
+AM_CONDITIONAL(USE_TNCCS_20, test x$tnccs_20 = xtrue)
+AM_CONDITIONAL(USE_TNCCS_DYNAMIC, test x$tnccs_dynamic = xtrue)
+AM_CONDITIONAL(USE_IMC_TEST, test x$imc_test = xtrue)
+AM_CONDITIONAL(USE_IMV_TEST, test x$imv_test = xtrue)
+AM_CONDITIONAL(USE_IMC_SCANNER, test x$imc_scanner = xtrue)
+AM_CONDITIONAL(USE_IMV_SCANNER, test x$imv_scanner = xtrue)
+AM_CONDITIONAL(USE_IMC_OS, test x$imc_os = xtrue)
+AM_CONDITIONAL(USE_IMV_OS, test x$imv_os = xtrue)
+AM_CONDITIONAL(USE_IMC_ATTESTATION, test x$imc_attestation = xtrue)
+AM_CONDITIONAL(USE_IMV_ATTESTATION, test x$imv_attestation = xtrue)
+AM_CONDITIONAL(USE_SOCKET_DEFAULT, test x$socket_default = xtrue)
+AM_CONDITIONAL(USE_SOCKET_DYNAMIC, test x$socket_dynamic = xtrue)
+AM_CONDITIONAL(USE_FARP, test x$farp = xtrue)
+AM_CONDITIONAL(USE_ADDRBLOCK, test x$addrblock = xtrue)
+AM_CONDITIONAL(USE_UNITY, test x$unity = xtrue)
+
+#  hydra plugins
+# ---------------
+AM_CONDITIONAL(USE_ATTR, test x$attr = xtrue)
+AM_CONDITIONAL(USE_ATTR_SQL, test x$attr_sql = xtrue)
+AM_CONDITIONAL(USE_KERNEL_KLIPS, test x$kernel_klips = xtrue)
+AM_CONDITIONAL(USE_KERNEL_NETLINK, test x$kernel_netlink = xtrue)
+AM_CONDITIONAL(USE_KERNEL_PFKEY, test x$kernel_pfkey = xtrue)
+AM_CONDITIONAL(USE_KERNEL_PFROUTE, test x$kernel_pfroute = xtrue)
+AM_CONDITIONAL(USE_RESOLVE, test x$resolve = xtrue)
+
+#  other options
+# ---------------
+AM_CONDITIONAL(USE_LEAK_DETECTIVE, test x$leak_detective = xtrue)
+AM_CONDITIONAL(USE_LOCK_PROFILER, test x$lock_profiler = xtrue)
+AM_CONDITIONAL(USE_DUMM, test x$dumm = xtrue)
+AM_CONDITIONAL(USE_FAST, test x$fast = xtrue)
+AM_CONDITIONAL(USE_MANAGER, test x$manager = xtrue)
+AM_CONDITIONAL(USE_ME, test x$mediation = xtrue)
+AM_CONDITIONAL(USE_INTEGRITY_TEST, test x$integrity_test = xtrue)
+AM_CONDITIONAL(USE_LOAD_WARNING, test x$load_warning = xtrue)
+AM_CONDITIONAL(USE_IKEV1, test x$ikev1 = xtrue)
+AM_CONDITIONAL(USE_IKEV2, test x$ikev2 = xtrue)
+AM_CONDITIONAL(USE_THREADS, test x$threads = xtrue)
+AM_CONDITIONAL(USE_ADNS, test x$adns = xtrue)
+AM_CONDITIONAL(USE_CHARON, test x$charon = xtrue)
+AM_CONDITIONAL(USE_NM, test x$nm = xtrue)
+AM_CONDITIONAL(USE_TOOLS, test x$tools = xtrue)
+AM_CONDITIONAL(USE_SCRIPTS, test x$scripts = xtrue)
+AM_CONDITIONAL(USE_CONFTEST, test x$conftest = xtrue)
+AM_CONDITIONAL(USE_LIBSTRONGSWAN, test x$charon = xtrue -o x$tools = xtrue -o x$conftest = xtrue -o x$fast = xtrue -o x$imcv = xtrue -o x$nm = xtrue -o x$tkm = xtrue -o x$cmd = xtrue)
+AM_CONDITIONAL(USE_LIBHYDRA, test x$charon = xtrue -o x$nm = xtrue -o x$tkm = xtrue -o x$cmd = xtrue)
+AM_CONDITIONAL(USE_LIBCHARON, test x$charon = xtrue -o x$conftest = xtrue -o x$nm = xtrue -o x$tkm = xtrue -o x$cmd = xtrue)
+AM_CONDITIONAL(USE_LIBIPSEC, test x$libipsec = xtrue)
+AM_CONDITIONAL(USE_LIBTNCIF, test x$tnc_tnccs = xtrue -o x$imcv = xtrue)
+AM_CONDITIONAL(USE_LIBTNCCS, test x$tnc_tnccs = xtrue)
+AM_CONDITIONAL(USE_LIBPTTLS, test x$tnc_tnccs = xtrue)
+AM_CONDITIONAL(USE_FILE_CONFIG, test x$stroke = xtrue)
+AM_CONDITIONAL(USE_IPSEC_SCRIPT, test x$stroke = xtrue -o x$tools = xtrue -o x$conftest = xtrue)
+AM_CONDITIONAL(USE_LIBCAP, test x$capabilities = xlibcap)
+AM_CONDITIONAL(USE_VSTR, test x$vstr = xtrue)
+AM_CONDITIONAL(USE_SIMAKA, test x$simaka = xtrue)
+AM_CONDITIONAL(USE_TLS, test x$tls = xtrue)
+AM_CONDITIONAL(USE_RADIUS, test x$radius = xtrue)
+AM_CONDITIONAL(USE_IMCV, test x$imcv = xtrue)
+AM_CONDITIONAL(USE_PTS, test x$pts = xtrue)
+AM_CONDITIONAL(USE_TROUSERS, test x$tss = xtrousers)
+AM_CONDITIONAL(MONOLITHIC, test x$monolithic = xtrue)
+AM_CONDITIONAL(USE_SILENT_RULES, test x$enable_silent_rules = xyes)
+AM_CONDITIONAL(UNITTESTS, test x$unit_tests = xtrue)
+AM_CONDITIONAL(COVERAGE, test x$coverage = xtrue)
+AM_CONDITIONAL(USE_TKM, test x$tkm = xtrue)
+AM_CONDITIONAL(USE_CMD, test x$cmd = xtrue)
+
+# ========================
+#  set global definitions
+# ========================
+
+if test x$mediation = xtrue; then
+	AC_DEFINE([ME], [], [mediation extension support])
+fi
+if test x$capabilities = xlibcap -o x$capabilities = xnative; then
+	AC_DEFINE([CAPABILITIES], [], [capability dropping support])
+fi
+if test x$monolithic = xtrue; then
+	AC_DEFINE([MONOLITHIC], [], [monolithic build embedding plugins])
+fi
+if test x$ikev1 = xtrue; then
+	AC_DEFINE([USE_IKEV1], [], [support for IKEv1 protocol])
+fi
+if test x$ikev2 = xtrue; then
+	AC_DEFINE([USE_IKEV2], [], [support for IKEv2 protocol])
+fi
+
+# =================
+#  build Makefiles
+# =================
+
+AC_CONFIG_FILES([
+	Makefile
+	man/Makefile
+	init/Makefile
+	init/systemd/Makefile
+	src/Makefile
+	src/include/Makefile
+	src/libstrongswan/Makefile
+	src/libstrongswan/plugins/aes/Makefile
+	src/libstrongswan/plugins/cmac/Makefile
+	src/libstrongswan/plugins/des/Makefile
+	src/libstrongswan/plugins/blowfish/Makefile
+	src/libstrongswan/plugins/rc2/Makefile
+	src/libstrongswan/plugins/md4/Makefile
+	src/libstrongswan/plugins/md5/Makefile
+	src/libstrongswan/plugins/sha1/Makefile
+	src/libstrongswan/plugins/sha2/Makefile
+	src/libstrongswan/plugins/fips_prf/Makefile
+	src/libstrongswan/plugins/gmp/Makefile
+	src/libstrongswan/plugins/rdrand/Makefile
+	src/libstrongswan/plugins/random/Makefile
+	src/libstrongswan/plugins/nonce/Makefile
+	src/libstrongswan/plugins/hmac/Makefile
+	src/libstrongswan/plugins/xcbc/Makefile
+	src/libstrongswan/plugins/x509/Makefile
+	src/libstrongswan/plugins/revocation/Makefile
+	src/libstrongswan/plugins/constraints/Makefile
+	src/libstrongswan/plugins/pubkey/Makefile
+	src/libstrongswan/plugins/pkcs1/Makefile
+	src/libstrongswan/plugins/pkcs7/Makefile
+	src/libstrongswan/plugins/pkcs8/Makefile
+	src/libstrongswan/plugins/pkcs12/Makefile
+	src/libstrongswan/plugins/pgp/Makefile
+	src/libstrongswan/plugins/dnskey/Makefile
+	src/libstrongswan/plugins/sshkey/Makefile
+	src/libstrongswan/plugins/pem/Makefile
+	src/libstrongswan/plugins/curl/Makefile
+	src/libstrongswan/plugins/unbound/Makefile
+	src/libstrongswan/plugins/soup/Makefile
+	src/libstrongswan/plugins/ldap/Makefile
+	src/libstrongswan/plugins/mysql/Makefile
+	src/libstrongswan/plugins/sqlite/Makefile
+	src/libstrongswan/plugins/padlock/Makefile
+	src/libstrongswan/plugins/openssl/Makefile
+	src/libstrongswan/plugins/gcrypt/Makefile
+	src/libstrongswan/plugins/agent/Makefile
+	src/libstrongswan/plugins/keychain/Makefile
+	src/libstrongswan/plugins/pkcs11/Makefile
+	src/libstrongswan/plugins/ctr/Makefile
+	src/libstrongswan/plugins/ccm/Makefile
+	src/libstrongswan/plugins/gcm/Makefile
+	src/libstrongswan/plugins/af_alg/Makefile
+	src/libstrongswan/plugins/test_vectors/Makefile
+	src/libstrongswan/tests/Makefile
+	src/libhydra/Makefile
+	src/libhydra/plugins/attr/Makefile
+	src/libhydra/plugins/attr_sql/Makefile
+	src/libhydra/plugins/kernel_klips/Makefile
+	src/libhydra/plugins/kernel_netlink/Makefile
+	src/libhydra/plugins/kernel_pfkey/Makefile
+	src/libhydra/plugins/kernel_pfroute/Makefile
+	src/libhydra/plugins/resolve/Makefile
+	src/libipsec/Makefile
+	src/libsimaka/Makefile
+	src/libtls/Makefile
+	src/libradius/Makefile
+	src/libtncif/Makefile
+	src/libtnccs/Makefile
+	src/libpttls/Makefile
+	src/libpts/Makefile
+	src/libpts/plugins/imc_attestation/Makefile
+	src/libpts/plugins/imv_attestation/Makefile
+	src/libimcv/Makefile
+	src/libimcv/plugins/imc_test/Makefile
+	src/libimcv/plugins/imv_test/Makefile
+	src/libimcv/plugins/imc_scanner/Makefile
+	src/libimcv/plugins/imv_scanner/Makefile
+	src/libimcv/plugins/imc_os/Makefile
+	src/libimcv/plugins/imv_os/Makefile
+	src/charon/Makefile
+	src/charon-nm/Makefile
+	src/charon-tkm/Makefile
+	src/charon-cmd/Makefile
+	src/libcharon/Makefile
+	src/libcharon/plugins/eap_aka/Makefile
+	src/libcharon/plugins/eap_aka_3gpp2/Makefile
+	src/libcharon/plugins/eap_dynamic/Makefile
+	src/libcharon/plugins/eap_identity/Makefile
+	src/libcharon/plugins/eap_md5/Makefile
+	src/libcharon/plugins/eap_gtc/Makefile
+	src/libcharon/plugins/eap_sim/Makefile
+	src/libcharon/plugins/eap_sim_file/Makefile
+	src/libcharon/plugins/eap_sim_pcsc/Makefile
+	src/libcharon/plugins/eap_simaka_sql/Makefile
+	src/libcharon/plugins/eap_simaka_pseudonym/Makefile
+	src/libcharon/plugins/eap_simaka_reauth/Makefile
+	src/libcharon/plugins/eap_mschapv2/Makefile
+	src/libcharon/plugins/eap_tls/Makefile
+	src/libcharon/plugins/eap_ttls/Makefile
+	src/libcharon/plugins/eap_peap/Makefile
+	src/libcharon/plugins/eap_tnc/Makefile
+	src/libcharon/plugins/eap_radius/Makefile
+	src/libcharon/plugins/xauth_generic/Makefile
+	src/libcharon/plugins/xauth_eap/Makefile
+	src/libcharon/plugins/xauth_pam/Makefile
+	src/libcharon/plugins/xauth_noauth/Makefile
+	src/libcharon/plugins/tnc_ifmap/Makefile
+	src/libcharon/plugins/tnc_pdp/Makefile
+	src/libcharon/plugins/tnc_imc/Makefile
+	src/libcharon/plugins/tnc_imv/Makefile
+	src/libcharon/plugins/tnc_tnccs/Makefile
+	src/libcharon/plugins/tnccs_11/Makefile
+	src/libcharon/plugins/tnccs_20/Makefile
+	src/libcharon/plugins/tnccs_dynamic/Makefile
+	src/libcharon/plugins/socket_default/Makefile
+	src/libcharon/plugins/socket_dynamic/Makefile
+	src/libcharon/plugins/farp/Makefile
+	src/libcharon/plugins/smp/Makefile
+	src/libcharon/plugins/sql/Makefile
+	src/libcharon/plugins/ipseckey/Makefile
+	src/libcharon/plugins/medsrv/Makefile
+	src/libcharon/plugins/medcli/Makefile
+	src/libcharon/plugins/addrblock/Makefile
+	src/libcharon/plugins/unity/Makefile
+	src/libcharon/plugins/uci/Makefile
+	src/libcharon/plugins/ha/Makefile
+	src/libcharon/plugins/kernel_libipsec/Makefile
+	src/libcharon/plugins/whitelist/Makefile
+	src/libcharon/plugins/lookip/Makefile
+	src/libcharon/plugins/error_notify/Makefile
+	src/libcharon/plugins/certexpire/Makefile
+	src/libcharon/plugins/systime_fix/Makefile
+	src/libcharon/plugins/led/Makefile
+	src/libcharon/plugins/duplicheck/Makefile
+	src/libcharon/plugins/coupling/Makefile
+	src/libcharon/plugins/radattr/Makefile
+	src/libcharon/plugins/osx_attr/Makefile
+	src/libcharon/plugins/android_dns/Makefile
+	src/libcharon/plugins/android_log/Makefile
+	src/libcharon/plugins/maemo/Makefile
+	src/libcharon/plugins/stroke/Makefile
+	src/libcharon/plugins/updown/Makefile
+	src/libcharon/plugins/dhcp/Makefile
+	src/libcharon/plugins/unit_tester/Makefile
+	src/libcharon/plugins/load_tester/Makefile
+	src/stroke/Makefile
+	src/ipsec/Makefile
+	src/starter/Makefile
+	src/_updown/Makefile
+	src/_updown_espmark/Makefile
+	src/_copyright/Makefile
+	src/openac/Makefile
+	src/scepclient/Makefile
+	src/pki/Makefile
+	src/dumm/Makefile
+	src/dumm/ext/extconf.rb
+	src/libfast/Makefile
+	src/manager/Makefile
+	src/medsrv/Makefile
+	src/checksum/Makefile
+	src/conftest/Makefile
+	scripts/Makefile
+	testing/Makefile
+])
+AC_OUTPUT
+
+# ========================
+#  report enabled plugins
+# ========================
+
+AC_MSG_RESULT([])
+AC_MSG_RESULT([ strongSwan will be built with the following plugins])
+AC_MSG_RESULT([-----------------------------------------------------])
+
+AC_MSG_RESULT([libstrongswan:$s_plugins])
+AC_MSG_RESULT([libcharon:    $c_plugins])
+AC_MSG_RESULT([libhydra:     $h_plugins])
+AC_MSG_RESULT([])
diff --git a/configure.in b/configure.in
deleted file mode 100644
index 9a00b6256..000000000
--- a/configure.in
+++ /dev/null
@@ -1,1416 +0,0 @@
-#
-# Copyright (C) 2007-2013 Tobias Brunner
-# Copyright (C) 2006-2013 Andreas Steffen
-# Copyright (C) 2006-2013 Martin Willi
-# Hochschule fuer Technik Rapperswil
-#
-# This program is free software; you can redistribute it and/or modify it
-# under the terms of the GNU General Public License as published by the
-# Free Software Foundation; either version 2 of the License, or (at your
-# option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
-#
-# This program is distributed in the hope that it will be useful, but
-# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
-# or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
-# for more details.
-#
-
-# ============================
-#  initialize & set some vars
-# ============================
-
-AC_INIT([strongSwan],[5.0.4])
-AM_INIT_AUTOMAKE(tar-ustar)
-AC_CONFIG_MACRO_DIR([m4/config])
-AC_CONFIG_HEADERS([config.h])
-AC_DEFINE([CONFIG_H_INCLUDED], [], [defined if config.h included])
-PKG_PROG_PKG_CONFIG
-
-# =================================
-#  check --enable-xxx & --with-xxx
-# =================================
-
-m4_include(m4/macros/with.m4)
-
-ARG_WITH_SUBST([random-device],      [/dev/random], [set the device to read real random data from])
-ARG_WITH_SUBST([urandom-device],     [/dev/urandom], [set the device to read pseudo random data from])
-ARG_WITH_SUBST([strongswan-conf],    [${sysconfdir}/strongswan.conf], [set the strongswan.conf file location])
-ARG_WITH_SUBST([resolv-conf],        [${sysconfdir}/resolv.conf], [set the file to use in DNS handler plugin])
-ARG_WITH_SUBST([piddir],             [/var/run], [set path for PID and UNIX socket files])
-ARG_WITH_SUBST([ipsecdir],           [${libexecdir%/}/ipsec], [set installation path for ipsec tools])
-ARG_WITH_SUBST([ipseclibdir],        [${libdir%/}/ipsec], [set installation path for ipsec libraries])
-ARG_WITH_SUBST([plugindir],          [${ipseclibdir%/}/plugins], [set the installation path of plugins])
-ARG_WITH_SUBST([imcvdir],            [${ipseclibdir%/}/imcvs], [set the installation path of IMC and IMV dynamic librariers])
-ARG_WITH_SUBST([nm-ca-dir],          [/usr/share/ca-certificates], [directory the NM backend uses to look up trusted root certificates])
-ARG_WITH_SUBST([linux-headers],      [\${top_srcdir}/src/include], [set directory of linux header files to use])
-ARG_WITH_SUBST([routing-table],      [220], [set routing table to use for IPsec routes])
-ARG_WITH_SUBST([routing-table-prio], [220], [set priority for IPsec routing table])
-ARG_WITH_SUBST([ipsec-script],       [ipsec], [change the name of the ipsec script])
-ARG_WITH_SUBST([fips-mode],          [0], [set openssl FIPS mode: disabled(0), enabled(1), Suite B enabled(2)])
-
-ARG_WITH_SET([tss],                  [no], [set implementation of the Trusted Computing Group's Software Stack (TSS). Currently the only supported value is "trousers"])
-ARG_WITH_SET([capabilities],         [no], [set capability dropping library. Currently supported values are "libcap" and "native"])
-ARG_WITH_SET([mpz_powm_sec],         [yes], [use the more side-channel resistant mpz_powm_sec in libgmp, if available])
-ARG_WITH_SET([dev-headers],          [no], [install strongSwan development headers to directory.])
-
-if test -n "$PKG_CONFIG"; then
-	systemdsystemunitdir_default=$($PKG_CONFIG --variable=systemdsystemunitdir systemd)
-fi
-ARG_WITH_SET([systemdsystemunitdir], [$systemdsystemunitdir_default], [directory for systemd service files])
-AM_CONDITIONAL(HAVE_SYSTEMD, [test -n "$systemdsystemunitdir" -a "x$systemdsystemunitdir" != xno])
-AC_SUBST(systemdsystemunitdir)
-
-AC_ARG_WITH(
-	[user],
-	AS_HELP_STRING([--with-user=user],[change user of the daemons to "user" after startup (default is "root").]),
-	[AC_DEFINE_UNQUOTED([IPSEC_USER], "$withval", [username to run daemon with])
-	 AC_SUBST(ipsecuser, "$withval")],
-	[AC_SUBST(ipsecuser, "root")]
-)
-
-AC_ARG_WITH(
-	[group],
-	AS_HELP_STRING([--with-group=group],[change group of the daemons to "group" after startup (default is "root").]),
-	[AC_DEFINE_UNQUOTED(IPSEC_GROUP, "$withval", [groupname to run daemon with])
-	 AC_SUBST(ipsecgroup, "$withval")],
-	[AC_SUBST(ipsecgroup, "root")]
-)
-
-AC_ARG_WITH(
-	[charon-udp-port],
-	AS_HELP_STRING([--with-charon-udp-port=port],[UDP port used by charon locally (default 500). Set to 0 to allocate randomly.]),
-	[AC_DEFINE_UNQUOTED(CHARON_UDP_PORT, [$withval], [UDP port used by charon locally])
-	 AC_SUBST(charon_udp_port, [$withval])],
-	[AC_SUBST(charon_udp_port, 500)]
-)
-
-AC_ARG_WITH(
-	[charon-natt-port],
-	AS_HELP_STRING([--with-charon-natt-port=port],[UDP port used by charon locally in case a NAT is detected (must be different from charon-udp-port, default 4500). Set to 0 to allocate randomly.]),
-	[AC_DEFINE_UNQUOTED(CHARON_NATT_PORT, [$withval], [UDP post used by charon locally in case a NAT is detected])
-	 AC_SUBST(charon_natt_port, [$withval])],
-	[AC_SUBST(charon_natt_port, 4500)]
-)
-
-AC_MSG_CHECKING([configured UDP ports ($charon_udp_port, $charon_natt_port)])
-if test x$charon_udp_port != x0 -a x$charon_udp_port = x$charon_natt_port; then
-	AC_MSG_ERROR(the ports have to be different)
-else
-	AC_MSG_RESULT(ok)
-fi
-
-# convert script name to uppercase
-AC_SUBST(ipsec_script_upper, [`echo -n "$ipsec_script" | tr a-z A-Z`])
-
-m4_include(m4/macros/enable-disable.m4)
-
-ARG_ENABL_SET([curl],           [enable CURL fetcher plugin to fetch files via libcurl. Requires libcurl.])
-ARG_ENABL_SET([unbound],        [enable UNBOUND resolver plugin to perform DNS queries via libunbound. Requires libldns and libunbound.])
-ARG_ENABL_SET([soup],           [enable soup fetcher plugin to fetch from HTTP via libsoup. Requires libsoup.])
-ARG_ENABL_SET([ldap],           [enable LDAP fetching plugin to fetch files via libldap. Requires openLDAP.])
-ARG_DISBL_SET([aes],            [disable AES software implementation plugin.])
-ARG_DISBL_SET([des],            [disable DES/3DES software implementation plugin.])
-ARG_ENABL_SET([blowfish],       [enable Blowfish software implementation plugin.])
-ARG_ENABL_SET([md4],            [enable MD4 software implementation plugin.])
-ARG_DISBL_SET([md5],            [disable MD5 software implementation plugin.])
-ARG_DISBL_SET([sha1],           [disable SHA1 software implementation plugin.])
-ARG_DISBL_SET([sha2],           [disable SHA256/SHA384/SHA512 software implementation plugin.])
-ARG_DISBL_SET([fips-prf],       [disable FIPS PRF software implementation plugin.])
-ARG_DISBL_SET([gmp],            [disable GNU MP (libgmp) based crypto implementation plugin.])
-ARG_ENABL_SET([rdrand],         [enable Intel RDRAND random generator plugin.])
-ARG_DISBL_SET([random],         [disable RNG implementation on top of /dev/(u)random.])
-ARG_DISBL_SET([nonce],          [disable nonce generation plugin.])
-ARG_DISBL_SET([x509],           [disable X509 certificate implementation plugin.])
-ARG_DISBL_SET([revocation],     [disable X509 CRL/OCSP revocation check plugin.])
-ARG_DISBL_SET([constraints],    [disable advanced X509 constraint checking plugin.])
-ARG_DISBL_SET([pubkey],         [disable RAW public key support plugin.])
-ARG_DISBL_SET([pkcs1],          [disable PKCS1 key decoding plugin.])
-ARG_DISBL_SET([pkcs7],          [disable PKCS7 container support plugin.])
-ARG_DISBL_SET([pkcs8],          [disable PKCS8 private key decoding plugin.])
-ARG_DISBL_SET([pgp],            [disable PGP key decoding plugin.])
-ARG_DISBL_SET([dnskey],         [disable DNS RR key decoding plugin.])
-ARG_ENABL_SET([ipseckey],       [enable IPSECKEY authentication plugin.])
-ARG_DISBL_SET([pem],            [disable PEM decoding plugin.])
-ARG_DISBL_SET([hmac],           [disable HMAC crypto implementation plugin.])
-ARG_DISBL_SET([cmac],           [disable CMAC crypto implementation plugin.])
-ARG_DISBL_SET([xcbc],           [disable xcbc crypto implementation plugin.])
-ARG_ENABL_SET([af-alg],         [enable AF_ALG crypto interface to Linux Crypto API.])
-ARG_ENABL_SET([test-vectors],   [enable plugin providing crypto test vectors.])
-ARG_ENABL_SET([mysql],          [enable MySQL database support. Requires libmysqlclient_r.])
-ARG_ENABL_SET([sqlite],         [enable SQLite database support. Requires libsqlite3.])
-ARG_DISBL_SET([stroke],         [disable charons stroke configuration backend.])
-ARG_ENABL_SET([medsrv],         [enable mediation server web frontend and daemon plugin.])
-ARG_ENABL_SET([medcli],         [enable mediation client configuration database plugin.])
-ARG_ENABL_SET([smp],            [enable SMP configuration and control interface. Requires libxml.])
-ARG_ENABL_SET([sql],            [enable SQL database configuration backend.])
-ARG_ENABL_SET([leak-detective], [enable malloc hooks to find memory leaks.])
-ARG_ENABL_SET([lock-profiler],  [enable lock/mutex profiling code.])
-ARG_ENABL_SET([unit-tester],    [enable unit tests on IKEv2 daemon startup.])
-ARG_ENABL_SET([load-tester],    [enable load testing plugin for IKEv2 daemon.])
-ARG_ENABL_SET([eap-sim],        [enable SIM authentication module for EAP.])
-ARG_ENABL_SET([eap-sim-file],   [enable EAP-SIM backend based on a triplet file.])
-ARG_ENABL_SET([eap-sim-pcsc],   [enable EAP-SIM backend based on a smartcard reader. Requires libpcsclite.])
-ARG_ENABL_SET([eap-aka],        [enable EAP AKA authentication module.])
-ARG_ENABL_SET([eap-aka-3gpp2],  [enable EAP AKA backend implementing 3GPP2 algorithms in software. Requires libgmp.])
-ARG_ENABL_SET([eap-simaka-sql], [enable EAP-SIM/AKA backend based on a triplet/quintuplet SQL database.])
-ARG_ENABL_SET([eap-simaka-pseudonym], [enable EAP-SIM/AKA pseudonym storage plugin.])
-ARG_ENABL_SET([eap-simaka-reauth],    [enable EAP-SIM/AKA reauthentication data storage plugin.])
-ARG_ENABL_SET([eap-identity],   [enable EAP module providing EAP-Identity helper.])
-ARG_ENABL_SET([eap-md5],        [enable EAP MD5 (CHAP) authentication module.])
-ARG_ENABL_SET([eap-gtc],        [enable EAP GTC authentication module.])
-ARG_ENABL_SET([eap-mschapv2],   [enable EAP MS-CHAPv2 authentication module.])
-ARG_ENABL_SET([eap-tls],        [enable EAP TLS authentication module.])
-ARG_ENABL_SET([eap-ttls],       [enable EAP TTLS authentication module.])
-ARG_ENABL_SET([eap-peap],       [enable EAP PEAP authentication module.])
-ARG_ENABL_SET([eap-tnc],        [enable EAP TNC trusted network connect module.])
-ARG_ENABL_SET([eap-dynamic],    [enable dynamic EAP proxy module.])
-ARG_ENABL_SET([eap-radius],     [enable RADIUS proxy authentication module.])
-ARG_DISBL_SET([xauth-generic],  [disable generic XAuth backend.])
-ARG_ENABL_SET([xauth-eap],      [enable XAuth backend using EAP methods to verify passwords.])
-ARG_ENABL_SET([xauth-pam],      [enable XAuth backend using PAM to verify passwords.])
-ARG_ENABL_SET([xauth-noauth],   [enable XAuth pseudo-backend that does not actually verify or even request any credentials.])
-ARG_ENABL_SET([tnc-ifmap],      [enable TNC IF-MAP module. Requires libxml])
-ARG_ENABL_SET([tnc-pdp],        [enable TNC policy decision point module.])
-ARG_ENABL_SET([tnc-imc],        [enable TNC IMC module.])
-ARG_ENABL_SET([tnc-imv],        [enable TNC IMV module.])
-ARG_ENABL_SET([tnccs-11],       [enable TNCCS 1.1 protocol module. Requires libxml])
-ARG_ENABL_SET([tnccs-20],       [enable TNCCS 2.0 protocol module.])
-ARG_ENABL_SET([tnccs-dynamic],  [enable dynamic TNCCS protocol discovery module.])
-ARG_ENABL_SET([imc-test],       [enable IMC test module.])
-ARG_ENABL_SET([imv-test],       [enable IMV test module.])
-ARG_ENABL_SET([imc-scanner],    [enable IMC port scanner module.])
-ARG_ENABL_SET([imv-scanner],    [enable IMV port scanner module.])
-ARG_ENABL_SET([imc-os],         [enable IMC operating system module.])
-ARG_ENABL_SET([imv-os],         [enable IMV operating system module.])
-ARG_ENABL_SET([imc-attestation],[enable IMC attestation module.])
-ARG_ENABL_SET([imv-attestation],[enable IMV attestation module.])
-ARG_DISBL_SET([kernel-netlink], [disable the netlink kernel interface.])
-ARG_ENABL_SET([kernel-pfkey],   [enable the PF_KEY kernel interface.])
-ARG_ENABL_SET([kernel-pfroute], [enable the PF_ROUTE kernel interface.])
-ARG_ENABL_SET([kernel-klips],   [enable the KLIPS kernel interface.])
-ARG_ENABL_SET([libipsec],       [enable user space IPsec implementation.])
-ARG_DISBL_SET([socket-default], [disable default socket implementation for charon.])
-ARG_ENABL_SET([socket-dynamic], [enable dynamic socket implementation for charon])
-ARG_ENABL_SET([farp],           [enable ARP faking plugin that responds to ARP requests to peers virtual IP])
-ARG_ENABL_SET([dumm],           [enable the DUMM UML test framework.])
-ARG_ENABL_SET([fast],           [enable libfast (FastCGI Application Server w/ templates.])
-ARG_ENABL_SET([manager],        [enable web management console (proof of concept).])
-ARG_ENABL_SET([mediation],      [enable IKEv2 Mediation Extension.])
-ARG_ENABL_SET([integrity-test], [enable integrity testing of libstrongswan and plugins.])
-ARG_DISBL_SET([load-warning],   [disable the charon plugin load option warning in starter.])
-ARG_DISBL_SET([ikev1],          [disable IKEv1 protocol support in charon.])
-ARG_DISBL_SET([ikev2],          [disable IKEv2 protocol support in charon.])
-ARG_DISBL_SET([charon],         [disable the IKEv1/IKEv2 keying daemon charon.])
-ARG_DISBL_SET([tools],          [disable additional utilities (openac, scepclient and pki).])
-ARG_DISBL_SET([scripts],        [disable additional utilities (found in directory scripts).])
-ARG_ENABL_SET([conftest],       [enforce Suite B conformance test framework.])
-ARG_DISBL_SET([updown],         [disable updown firewall script plugin.])
-ARG_DISBL_SET([attr],           [disable strongswan.conf based configuration attribute plugin.])
-ARG_ENABL_SET([attr-sql],       [enable SQL based configuration attribute plugin.])
-ARG_ENABL_SET([dhcp],           [enable DHCP based attribute provider plugin.])
-ARG_DISBL_SET([resolve],        [disable resolve DNS handler plugin.])
-ARG_ENABL_SET([padlock],        [enables VIA Padlock crypto plugin.])
-ARG_ENABL_SET([openssl],        [enables the OpenSSL crypto plugin.])
-ARG_ENABL_SET([gcrypt],         [enables the libgcrypt plugin.])
-ARG_ENABL_SET([agent],          [enables the ssh-agent signing plugin.])
-ARG_ENABL_SET([pkcs11],         [enables the PKCS11 token support plugin.])
-ARG_ENABL_SET([ctr],            [enables the Counter Mode wrapper crypto plugin.])
-ARG_ENABL_SET([ccm],            [enables the CCM AEAD wrapper crypto plugin.])
-ARG_ENABL_SET([gcm],            [enables the GCM AEAD wrapper crypto plugin.])
-ARG_ENABL_SET([addrblock],      [enables RFC 3779 address block constraint support.])
-ARG_ENABL_SET([unity],          [enables Cisco Unity extension plugin.])
-ARG_ENABL_SET([uci],            [enable OpenWRT UCI configuration plugin.])
-ARG_ENABL_SET([android-dns],    [enable Android specific DNS handler.])
-ARG_ENABL_SET([android-log],    [enable Android specific logger plugin.])
-ARG_ENABL_SET([maemo],          [enable Maemo specific plugin.])
-ARG_ENABL_SET([nm],             [enable NetworkManager backend.])
-ARG_ENABL_SET([ha],             [enable high availability cluster plugin.])
-ARG_ENABL_SET([whitelist],      [enable peer identity whitelisting plugin.])
-ARG_ENABL_SET([lookip],         [enable fast virtual IP lookup and notification plugin.])
-ARG_ENABL_SET([error-notify],   [enable error notification plugin.])
-ARG_ENABL_SET([certexpire],     [enable CSV export of expiration dates of used certificates.])
-ARG_ENABL_SET([systime-fix],    [enable plugin to handle cert lifetimes with invalid system time gracefully.])
-ARG_ENABL_SET([led],            [enable plugin to control LEDs on IKEv2 activity using the Linux kernel LED subsystem.])
-ARG_ENABL_SET([duplicheck],     [advanced duplicate checking plugin using liveness checks.])
-ARG_ENABL_SET([coupling],       [enable IKEv2 plugin to couple peer certificates permanently to authentication.])
-ARG_ENABL_SET([radattr],        [enable plugin to inject and process custom RADIUS attributes as IKEv2 client.])
-ARG_ENABL_SET([vstr],           [enforce using the Vstr string library to replace glibc-like printf hooks.])
-ARG_ENABL_SET([monolithic],     [build monolithic version of libstrongswan that includes all enabled plugins. Similarly, the plugins of charon are assembled in libcharon.])
-ARG_ENABL_SET([bfd-backtraces], [use binutils libbfd to resolve backtraces for memory leaks and segfaults.])
-ARG_ENABL_SET([unit-tests],     [enable unit tests using the check test framework.])
-ARG_ENABL_SET([tkm],            [enable Trusted Key Manager support.])
-
-# ===================================
-#  option to disable default options
-# ===================================
-
-ARG_DISBL_SET([defaults],       [disable all default plugins (they can be enabled with their respective --enable options)])
-
-if test x$defaults = xfalse; then
-	for option in $enabled_by_default; do
-		eval test x\${${option}_given} = xtrue && continue
-		let $option=false
-	done
-fi
-
-# ===========================
-#  set up compiler and flags
-# ===========================
-
-if test -z "$CFLAGS"; then
-	CFLAGS="-g -O2 -Wall -Wno-format -Wno-pointer-sign"
-fi
-AC_PROG_CC
-AM_PROG_CC_C_O
-
-AC_LIB_PREFIX
-AC_C_BIGENDIAN
-
-# =========================
-#  check required programs
-# =========================
-
-LT_INIT
-AC_PROG_INSTALL
-AC_PROG_EGREP
-AC_PROG_AWK
-AC_PROG_LEX
-AC_PROG_YACC
-AC_PATH_PROG([PERL], [perl], [], [$PATH:/bin:/usr/bin:/usr/local/bin])
-AC_PATH_PROG([GPERF], [gperf], [], [$PATH:/bin:/usr/bin:/usr/local/bin])
-
-# because gperf is not needed by end-users we just report it but do not abort on failure
-AC_MSG_CHECKING([gperf version >= 3.0.0])
-if test -x "$GPERF"; then
-	if test "`$GPERF --version | $AWK -F' ' '/^GNU gperf/ { print $3 }' | $AWK -F. '{ print $1 }'`" -ge "3"; then
-		AC_MSG_RESULT([yes])
-	else
-		AC_MSG_RESULT([no])
-	fi
-else
-	AC_MSG_RESULT([not found])
-fi
-
-# ========================
-#  dependency calculation
-# ========================
-
-if test x$xauth_generic_given = xfalse -a x$ikev1 = xfalse; then
-	xauth_generic=false;
-fi
-
-if test x$eap_aka_3gpp2 = xtrue; then
-	gmp=true;
-fi
-
-if test x$eap_aka = xtrue; then
-	fips_prf=true;
-	simaka=true;
-fi
-
-if test x$eap_sim = xtrue; then
-	fips_prf=true;
-	simaka=true;
-fi
-
-if test x$eap_tls = xtrue -o x$eap_ttls = xtrue -o x$eap_peap = xtrue; then
-	tls=true;
-fi
-
-if test x$eap_radius = xtrue -o x$radattr = xtrue -o x$tnc_pdp = xtrue; then
-	radius=true;
-fi
-
-if test x$tnc_imc = xtrue -o x$tnc_imv = xtrue -o x$tnccs_11 = xtrue -o x$tnccs_11 = xtrue -o x$tnccs_dynamic = xtrue -o x$eap_tnc = xtrue; then
-	tnc_tnccs=true;
-fi
-
-if test x$imc_test = xtrue -o x$imv_test = xtrue -o x$imc_scanner = xtrue -o x$imv_scanner = xtrue -o x$imc_os = xtrue -o x$imv_os = xtrue -o x$imc_attestation = xtrue -o x$imv_attestation = xtrue; then
-	imcv=true;
-fi
-
-if test x$imc_attestation = xtrue -o x$imv_attestation = xtrue; then
-	pts=true;
-fi
-
-if test x$fips_prf = xtrue; then
-	if test x$openssl = xfalse; then
-		sha1=true;
-	fi
-fi
-
-if test x$smp = xtrue -o x$tnccs_11 = xtrue -o x$tnc_ifmap = xtrue; then
-	xml=true
-fi
-
-if test x$manager = xtrue; then
-	fast=true
-fi
-
-if test x$medsrv = xtrue; then
-	mediation=true
-	fast=true
-fi
-
-if test x$medcli = xtrue; then
-	mediation=true
-fi
-
-# ===========================================
-#  check required libraries and header files
-# ===========================================
-
-AC_HEADER_STDBOOL
-AC_FUNC_ALLOCA
-AC_FUNC_STRERROR_R
-
-#  libraries needed on some platforms but not on others
-# ------------------------------------------------------
-saved_LIBS=$LIBS
-
-# FreeBSD and Mac OS X have dlopen integrated in libc, Linux needs libdl
-LIBS=""
-AC_SEARCH_LIBS(dlopen, dl, [DLLIB=$LIBS])
-AC_SUBST(DLLIB)
-
-# glibc's backtrace() can be replicated on FreeBSD with libexecinfo
-LIBS=""
-AC_SEARCH_LIBS(backtrace, execinfo, [BTLIB=$LIBS])
-AC_CHECK_FUNCS(backtrace)
-AC_SUBST(BTLIB)
-
-# OpenSolaris needs libsocket and libnsl for socket()
-LIBS=""
-AC_SEARCH_LIBS(socket, socket, [SOCKLIB=$LIBS],
-	[AC_CHECK_LIB(nsl, socket, [SOCKLIB="-lsocket -lnsl"], [], [-lsocket])]
-)
-AC_SUBST(SOCKLIB)
-
-# FreeBSD has clock_gettime in libc, Linux needs librt
-LIBS=""
-AC_SEARCH_LIBS(clock_gettime, rt, [RTLIB=$LIBS])
-AC_CHECK_FUNCS(clock_gettime)
-AC_SUBST(RTLIB)
-
-# Android has pthread_* functions in bionic (libc), others need libpthread
-LIBS=""
-AC_SEARCH_LIBS(pthread_create, pthread, [PTHREADLIB=$LIBS])
-AC_SUBST(PTHREADLIB)
-
-LIBS=$saved_LIBS
-# ------------------------------------------------------
-
-AC_MSG_CHECKING(for dladdr)
-AC_COMPILE_IFELSE(
-	[AC_LANG_PROGRAM(
-		[[#define _GNU_SOURCE
-		  #include <dlfcn.h>]],
-		[[Dl_info* info = 0;
-		  dladdr(0, info);]])],
-	[AC_MSG_RESULT([yes]); AC_DEFINE([HAVE_DLADDR], [], [have dladdr()])],
-	[AC_MSG_RESULT([no])]
-)
-
-# check if pthread_condattr_setclock(CLOCK_MONOTONE) is supported
-saved_LIBS=$LIBS
-LIBS=$PTHREADLIB
-AC_MSG_CHECKING([for pthread_condattr_setclock(CLOCK_MONOTONE)])
-AC_RUN_IFELSE(
-	[AC_LANG_SOURCE(
-		[[#include <pthread.h>
-		  int main() { pthread_condattr_t attr;
-			pthread_condattr_init(&attr);
-			return pthread_condattr_setclock(&attr, CLOCK_MONOTONIC);}]])],
-	[AC_MSG_RESULT([yes]);
-	 AC_DEFINE([HAVE_CONDATTR_CLOCK_MONOTONIC], [],
-			   [pthread_condattr_setclock supports CLOCK_MONOTONIC])],
-	[AC_MSG_RESULT([no])],
-	# Check existence of pthread_condattr_setclock if cross-compiling
-	[AC_MSG_RESULT([unknown]);
-	 AC_CHECK_FUNCS(pthread_condattr_setclock,
-		[AC_DEFINE([HAVE_CONDATTR_CLOCK_MONOTONIC], [],
-				   [have pthread_condattr_setclock()])]
-	)]
-)
-# check if we actually are able to configure attributes on cond vars
-AC_CHECK_FUNCS(pthread_condattr_init)
-# instead of pthread_condattr_setclock Android has this function
-AC_CHECK_FUNCS(pthread_cond_timedwait_monotonic)
-# check if we can cancel threads
-AC_CHECK_FUNCS(pthread_cancel)
-# check if native rwlocks are available
-AC_CHECK_FUNCS(pthread_rwlock_init)
-# check if pthread spinlocks are available
-AC_CHECK_FUNCS(pthread_spin_init)
-# check if we have POSIX semaphore functions, including timed-wait
-AC_CHECK_FUNCS(sem_timedwait)
-LIBS=$saved_LIBS
-
-AC_CHECK_FUNC(
-	[gettid],
-	[AC_DEFINE([HAVE_GETTID], [], [have gettid()])],
-	[AC_MSG_CHECKING([for SYS_gettid])
-	 AC_COMPILE_IFELSE(
-		[AC_LANG_PROGRAM(
-			[[#define _GNU_SOURCE
-			  #include <unistd.h>
-			  #include <sys/syscall.h>]],
-			[[int main() {
-			  return syscall(SYS_gettid);}]])],
-		[AC_MSG_RESULT([yes]);
-		 AC_DEFINE([HAVE_GETTID], [], [have gettid()])
-		 AC_DEFINE([HAVE_SYS_GETTID], [], [have syscall(SYS_gettid)])],
-		[AC_MSG_RESULT([no])]
-	)]
-)
-
-AC_CHECK_FUNCS(prctl mallinfo getpass closefrom getpwnam_r getgrnam_r getpwuid_r)
-
-AC_CHECK_HEADERS(sys/sockio.h glob.h)
-AC_CHECK_HEADERS(net/pfkeyv2.h netipsec/ipsec.h netinet6/ipsec.h linux/udp.h)
-AC_CHECK_HEADERS(netinet/ip6.h, [], [],
-[
-	#include <sys/types.h>
-	#include <netinet/in.h>
-])
-
-AC_CHECK_MEMBERS([struct sockaddr.sa_len], [], [],
-[
-	#include <sys/types.h>
-	#include <sys/socket.h>
-])
-
-AC_CHECK_MEMBERS([struct sadb_x_policy.sadb_x_policy_priority], [], [],
-[
-	#include <sys/types.h>
-	#ifdef HAVE_NET_PFKEYV2_H
-	#include <net/pfkeyv2.h>
-	#else
-	#include <stdint.h>
-	#include <linux/pfkeyv2.h>
-	#endif
-])
-
-AC_MSG_CHECKING([for in6addr_any])
-AC_COMPILE_IFELSE(
-	[AC_LANG_PROGRAM(
-		[[#include <sys/types.h>
-		  #include <sys/socket.h>
-		  #include <netinet/in.h>]],
-		[[struct in6_addr in6;
-		  in6 = in6addr_any;]])],
-	[AC_MSG_RESULT([yes]);
-	 AC_DEFINE([HAVE_IN6ADDR_ANY], [], [have struct in6_addr in6addr_any])],
-	[AC_MSG_RESULT([no])]
-)
-
-AC_MSG_CHECKING([for in6_pktinfo])
-AC_COMPILE_IFELSE(
-	[AC_LANG_PROGRAM(
-		[[#define _GNU_SOURCE
-		  #include <sys/types.h>
-		  #include <sys/socket.h>
-		  #include <netinet/in.h>]],
-		[[struct in6_pktinfo pi;
-		  if (pi.ipi6_ifindex)
-		  {
-		    return 0;
-		  }]])],
-	[AC_MSG_RESULT([yes]);
-	 AC_DEFINE([HAVE_IN6_PKTINFO], [], [have struct in6_pktinfo.ipi6_ifindex])],
-	[AC_MSG_RESULT([no])]
-)
-
-AC_MSG_CHECKING([for IPSEC_MODE_BEET])
-AC_COMPILE_IFELSE(
-	[AC_LANG_PROGRAM(
-		[[#include <sys/types.h>
-		  #ifdef HAVE_NETIPSEC_IPSEC_H
-		  #include <netipsec/ipsec.h>
-		  #elif defined(HAVE_NETINET6_IPSEC_H)
-		  #include <netinet6/ipsec.h>
-		  #else
-		  #include <stdint.h>
-		  #include <linux/ipsec.h>
-		  #endif]],
-		[[int mode = IPSEC_MODE_BEET;
-		  return mode;]])],
-	[AC_MSG_RESULT([yes]);
-	 AC_DEFINE([HAVE_IPSEC_MODE_BEET], [], [have IPSEC_MODE_BEET defined])],
-	[AC_MSG_RESULT([no])]
-)
-
-AC_MSG_CHECKING([for IPSEC_DIR_FWD])
-AC_COMPILE_IFELSE(
-	[AC_LANG_PROGRAM(
-		[[#include <sys/types.h>
-		  #ifdef HAVE_NETIPSEC_IPSEC_H
-		  #include <netipsec/ipsec.h>
-		  #elif defined(HAVE_NETINET6_IPSEC_H)
-		  #include <netinet6/ipsec.h>
-		  #else
-		  #include <stdint.h>
-		  #include <linux/ipsec.h>
-		  #endif]],
-		[[int dir = IPSEC_DIR_FWD;
-		  return dir;]])],
-	[AC_MSG_RESULT([yes]);
-	 AC_DEFINE([HAVE_IPSEC_DIR_FWD], [], [have IPSEC_DIR_FWD defined])],
-	[AC_MSG_RESULT([no])]
-)
-
-AC_MSG_CHECKING([for RTA_TABLE])
-AC_COMPILE_IFELSE(
-	[AC_LANG_PROGRAM(
-		[[#include <sys/socket.h>
-		  #include <linux/netlink.h>
-		  #include <linux/rtnetlink.h>]],
-		[[int rta_type = RTA_TABLE;
-		  return rta_type;]])],
-	[AC_MSG_RESULT([yes]);
-	 AC_DEFINE([HAVE_RTA_TABLE], [], [have netlink RTA_TABLE defined])],
-	[AC_MSG_RESULT([no])]
-)
-
-AC_MSG_CHECKING([for gcc atomic operations])
-AC_RUN_IFELSE([AC_LANG_SOURCE(
-	[[
-			int main() {
-			volatile int ref = 1;
-			__sync_fetch_and_add (&ref, 1);
-			__sync_sub_and_fetch (&ref, 1);
-			/* Make sure test fails if operations are not supported */
-			__sync_val_compare_and_swap(&ref, 1, 0);
-			return ref;
-		}
-	]])],
-	[AC_MSG_RESULT([yes]);
-	 AC_DEFINE([HAVE_GCC_ATOMIC_OPERATIONS], [],
-		   [have GCC __sync_* atomic operations])],
-	[AC_MSG_RESULT([no])],
-	[AC_MSG_RESULT([no])]
-)
-
-# check for the new register_printf_specifier function with len argument,
-# or the deprecated register_printf_function without
-AC_CHECK_FUNC(
-	[register_printf_specifier],
-	[AC_DEFINE([HAVE_PRINTF_SPECIFIER], [], [have register_printf_specifier()])],
-	[AC_CHECK_FUNC(
-		[register_printf_function],
-		[AC_DEFINE([HAVE_PRINTF_FUNCTION], [], [have register_printf_function()])],
-		[
-			AC_MSG_NOTICE([printf does not support custom format specifiers!])
-			vstr=true
-		]
-	)]
-)
-
-if test x$vstr = xtrue; then
-	AC_CHECK_LIB([vstr],[main],[LIBS="$LIBS"],[AC_MSG_ERROR([Vstr string library not found])],[])
-	AC_DEFINE([USE_VSTR], [], [use vstring library for printf hooks])
-fi
-
-if test x$gmp = xtrue; then
-	saved_LIBS=$LIBS
-	AC_CHECK_LIB([gmp],[main],[],[AC_MSG_ERROR([GNU Multi Precision library gmp not found])],[])
-	AC_MSG_CHECKING([mpz_powm_sec])
-	if test x$mpz_powm_sec = xyes; then
-		AC_COMPILE_IFELSE(
-			[AC_LANG_PROGRAM(
-				[[#include "gmp.h"]],
-				[[void *x = mpz_powm_sec;]])],
-			[AC_MSG_RESULT([yes]);
-			 AC_DEFINE([HAVE_MPZ_POWM_SEC], [], [have mpz_mown_sec()])],
-			[AC_MSG_RESULT([no])]
-		)
-	else
-		AC_MSG_RESULT([disabled])
-	fi
-	LIBS=$saved_LIBS
-	AC_MSG_CHECKING([gmp.h version >= 4.1.4])
-	AC_COMPILE_IFELSE(
-		[AC_LANG_PROGRAM(
-			[[#include "gmp.h"]],
-			[[
-				#if (__GNU_MP_VERSION*100 +  __GNU_MP_VERSION_MINOR*10 + __GNU_MP_VERSION_PATCHLEVEL) < 414
-					#error bad gmp
-				#endif]])],
-		[AC_MSG_RESULT([yes])],
-		[AC_MSG_RESULT([no]); AC_MSG_ERROR([No usable gmp.h found!])]
-	)
-fi
-
-if test x$ldap = xtrue; then
-	AC_CHECK_LIB([ldap],[main],[LIBS="$LIBS"],[AC_MSG_ERROR([LDAP library ldap not found])],[])
-	AC_CHECK_LIB([lber],[main],[LIBS="$LIBS"],[AC_MSG_ERROR([LDAP library lber not found])],[])
-	AC_CHECK_HEADER([ldap.h],,[AC_MSG_ERROR([LDAP header ldap.h not found!])])
-fi
-
-if test x$curl = xtrue; then
-	AC_CHECK_LIB([curl],[main],[LIBS="$LIBS"],[AC_MSG_ERROR([CURL library curl not found])],[])
-	AC_CHECK_HEADER([curl/curl.h],,[AC_MSG_ERROR([CURL header curl/curl.h not found!])])
-fi
-
-if test x$unbound = xtrue; then
-	AC_HAVE_LIBRARY([ldns],[LIBS="$LIBS"],[AC_MSG_ERROR([UNBOUND library ldns not found])])
-	AC_CHECK_HEADER([ldns/ldns.h],,[AC_MSG_ERROR([UNBOUND header ldns/ldns.h not found!])])
-	AC_HAVE_LIBRARY([unbound],[LIBS="$LIBS"],[AC_MSG_ERROR([UNBOUND library libunbound not found])])
-	AC_CHECK_HEADER([unbound.h],,[AC_MSG_ERROR([UNBOUND header unbound.h not found!])])
-fi
-
-if test x$soup = xtrue; then
-	PKG_CHECK_MODULES(soup, [libsoup-2.4])
-	AC_SUBST(soup_CFLAGS)
-	AC_SUBST(soup_LIBS)
-fi
-
-if test x$xml = xtrue; then
-	PKG_CHECK_MODULES(xml, [libxml-2.0])
-	AC_SUBST(xml_CFLAGS)
-	AC_SUBST(xml_LIBS)
-fi
-
-if test x$tss = xtrousers; then
-	AC_CHECK_LIB([tspi],[main],[LIBS="$LIBS"],[AC_MSG_ERROR([TrouSerS library libtspi not found])],[])
-	AC_CHECK_HEADER([trousers/tss.h],,[AC_MSG_ERROR([TrouSerS header trousers/tss.h not found!])])
-	AC_DEFINE([TSS_TROUSERS], [], [use TrouSerS library libtspi as TSS implementation])
-fi
-
-if test x$dumm = xtrue; then
-	PKG_CHECK_MODULES(gtk, [gtk+-2.0 vte])
-	AC_SUBST(gtk_CFLAGS)
-	AC_SUBST(gtk_LIBS)
-	AC_CHECK_PROGS(RUBY, ruby)
-	AC_MSG_CHECKING([for Ruby header files])
-	if test -n "$RUBY"; then
-		RUBYINCLUDE=
-		RUBYDIR=`($RUBY -r rbconfig -e 'print RbConfig::CONFIG[["rubyhdrdir"]] || ""') 2>/dev/null`
-		if test -n "$RUBYDIR" -a -r "$RUBYDIR/ruby.h"; then
-			RUBYARCH=`($RUBY -r rbconfig -e 'print RbConfig::CONFIG[["arch"]] || ""') 2>/dev/null`
-			if test -n "$RUBYARCH"; then
-				AC_MSG_RESULT([$RUBYDIR])
-				RUBYINCLUDE="-I$RUBYDIR -I$RUBYDIR/$RUBYARCH"
-			fi
-		else
-			RUBYDIR=`($RUBY -r rbconfig -e 'print RbConfig::CONFIG[["archdir"]] || ""') 2>/dev/null`
-			if test -n "$RUBYDIR" -a -r "$RUBYDIR/ruby.h"; then
-				AC_MSG_RESULT([$RUBYDIR])
-				RUBYINCLUDE="-I$RUBYDIR"
-			fi
-		fi
-		if test -z "$RUBYINCLUDE"; then
-			AC_MSG_ERROR([ruby.h not found])
-		fi
-		AC_SUBST(RUBYINCLUDE)
-	else
-		AC_MSG_ERROR([don't know how to run ruby])
-	fi
-	AC_MSG_CHECKING([for libruby])
-	saved_LIBS=$LIBS
-	LIBS=`($RUBY -r rbconfig -e 'print RbConfig::CONFIG[["LIBRUBYARG_SHARED"]] || ""') 2>/dev/null`
-	AC_TRY_LINK_FUNC(ruby_init,
-		[AC_MSG_RESULT([$LIBS]); RUBYLIB=$LIBS],
-		[AC_MSG_ERROR([not found])])
-	AC_SUBST(RUBYLIB)
-	AC_CHECK_FUNCS(rb_errinfo)
-	LIBS=$saved_LIBS
-fi
-
-if test x$fast = xtrue; then
-	AC_CHECK_LIB([neo_cgi],[main],[LIBS="$LIBS"],[AC_MSG_ERROR([ClearSilver library neo_cgi not found!])],[])
-	AC_CHECK_LIB([neo_utl],[main],[LIBS="$LIBS"],[AC_MSG_ERROR([ClearSilver library neo_utl not found!])],[])
-	AC_MSG_CHECKING([ClearSilver requires zlib])
-	saved_CFLAGS=$CFLAGS
-	saved_LIBS=$LIBS
-	LIBS="-lneo_cgi -lneo_cs -lneo_utl"
-	CFLAGS="-I/usr/include/ClearSilver"
-	AC_LINK_IFELSE(
-		[AC_LANG_PROGRAM(
-			[[#include <ClearSilver.h>]],
-			[[NEOERR *err = cgi_display(NULL, NULL);]])],
-		[AC_MSG_RESULT([no]); clearsilver_LIBS="$LIBS"],
-		[AC_MSG_RESULT([yes]); clearsilver_LIBS="$LIBS -lz"]
-	)
-	AC_SUBST(clearsilver_LIBS)
-	LIBS=$saved_LIBS
-	CFLAGS=$saved_CFLAGS
-# autoconf does not like CamelCase!? How to fix this?
-#	AC_CHECK_HEADER([ClearSilver/ClearSilver.h],,[AC_MSG_ERROR([ClearSilver header file ClearSilver/ClearSilver.h not found!])])
-
-	AC_CHECK_LIB([fcgi],[main],[LIBS="$LIBS"],[AC_MSG_ERROR([FastCGI library fcgi not found!])],[])
-	AC_CHECK_HEADER([fcgiapp.h],,[AC_MSG_ERROR([FastCGI header file fcgiapp.h not found!])])
-fi
-
-if test x$mysql = xtrue; then
-	AC_PATH_PROG([MYSQLCONFIG], [mysql_config], [], [$PATH:/bin:/usr/bin:/usr/local/bin])
-	if test x$MYSQLCONFIG = x; then
-		AC_MSG_ERROR([mysql_config not found!])
-	fi
-	AC_SUBST(MYSQLLIB, `$MYSQLCONFIG --libs_r`)
-	AC_SUBST(MYSQLCFLAG, `$MYSQLCONFIG --cflags`)
-fi
-
-if test x$sqlite = xtrue; then
-	AC_CHECK_LIB([sqlite3],[main],[LIBS="$LIBS"],[AC_MSG_ERROR([SQLite library sqlite3 not found])],[])
-	AC_CHECK_HEADER([sqlite3.h],,[AC_MSG_ERROR([SQLite header sqlite3.h not found!])])
-	AC_MSG_CHECKING([sqlite3_prepare_v2])
-	AC_COMPILE_IFELSE(
-		[AC_LANG_PROGRAM(
-			[[#include <sqlite3.h>]],
-			[[void *test = sqlite3_prepare_v2;]])],
-		[AC_MSG_RESULT([yes]);
-		 AC_DEFINE([HAVE_SQLITE3_PREPARE_V2], [], [have sqlite3_prepare_v2()])],
-		[AC_MSG_RESULT([no])]
-	)
-	AC_MSG_CHECKING([sqlite3.h version >= 3.3.1])
-	AC_COMPILE_IFELSE(
-		[AC_LANG_PROGRAM(
-			[[#include <sqlite3.h>]],
-			[[
-				#if SQLITE_VERSION_NUMBER < 3003001
-					#error bad sqlite
-				#endif]])],
-		[AC_MSG_RESULT([yes])],
-		[AC_MSG_RESULT([no]); AC_MSG_ERROR([SQLite version >= 3.3.1 required!])]
-	)
-fi
-
-if test x$openssl = xtrue; then
-	AC_CHECK_LIB([crypto],[main],[LIBS="$LIBS"],[AC_MSG_ERROR([OpenSSL crypto library not found])],[])
-	AC_CHECK_HEADER([openssl/evp.h],,[AC_MSG_ERROR([OpenSSL header openssl/evp.h not found!])])
-fi
-
-if test x$gcrypt = xtrue; then
-	AC_CHECK_LIB([gcrypt],[main],[LIBS="$LIBS"],[AC_MSG_ERROR([gcrypt library not found])],[-lgpg-error])
-	AC_CHECK_HEADER([gcrypt.h],,[AC_MSG_ERROR([gcrypt header gcrypt.h not found!])])
-	AC_MSG_CHECKING([gcrypt CAMELLIA cipher])
-	AC_COMPILE_IFELSE(
-		[AC_LANG_PROGRAM(
-			[[#include <gcrypt.h>]],
-			[[enum gcry_cipher_algos alg = GCRY_CIPHER_CAMELLIA128;]])],
-		[AC_MSG_RESULT([yes]);
-		 AC_DEFINE([HAVE_GCRY_CIPHER_CAMELLIA], [], [have GCRY_CIPHER_CAMELLIA128])],
-		[AC_MSG_RESULT([no])]
-	)
-fi
-
-if test x$uci = xtrue; then
-	AC_CHECK_LIB([uci],[main],[LIBS="$LIBS"],[AC_MSG_ERROR([UCI library libuci not found])],[])
-	AC_CHECK_HEADER([uci.h],,[AC_MSG_ERROR([UCI header uci.h not found!])])
-fi
-
-if test x$android_dns = xtrue; then
-	AC_CHECK_LIB([cutils],[main],[LIBS="$LIBS"],[AC_MSG_ERROR([Android library libcutils not found])],[])
-	AC_CHECK_HEADER([cutils/properties.h],,[AC_MSG_ERROR([Android header cutils/properties.h not found!])])
-	# we have to force the use of libdl here because the autodetection
-	# above does not work correctly when cross-compiling for android.
-	DLLIB="-ldl"
-	AC_SUBST(DLLIB)
-fi
-
-if test x$maemo = xtrue; then
-	PKG_CHECK_MODULES(maemo, [glib-2.0 gthread-2.0 libosso osso-af-settings])
-	AC_SUBST(maemo_CFLAGS)
-	AC_SUBST(maemo_LIBS)
-	dbusservicedir="/usr/share/dbus-1/system-services"
-	AC_SUBST(dbusservicedir)
-fi
-
-if test x$eap_sim_pcsc = xtrue; then
-	PKG_CHECK_MODULES(pcsclite, [libpcsclite])
-	AC_SUBST(pcsclite_CFLAGS)
-	AC_SUBST(pcsclite_LIBS)
-fi
-
-if test x$nm = xtrue; then
-	PKG_CHECK_EXISTS([libnm-glib],
-		[PKG_CHECK_MODULES(nm, [NetworkManager gthread-2.0 libnm-util libnm-glib libnm-glib-vpn])],
-		[PKG_CHECK_MODULES(nm, [NetworkManager gthread-2.0 libnm_util libnm_glib libnm_glib_vpn])]
-	)
-	AC_SUBST(nm_CFLAGS)
-	AC_SUBST(nm_LIBS)
-fi
-
-if test x$xauth_pam = xtrue; then
-	AC_CHECK_LIB([pam],[main],[LIBS="$LIBS"],[AC_MSG_ERROR([PAM library not found])],[])
-	AC_CHECK_HEADER([security/pam_appl.h],,[AC_MSG_ERROR([PAM header security/pam_appl.h not found!])])
-fi
-
-if test x$capabilities = xnative; then
-	AC_MSG_NOTICE([Usage of the native Linux capabilities interface is deprecated, use libcap instead])
-	# Linux requires the following for capset(), Android does not have it,
-	# but defines capset() in unistd.h instead.
-	AC_CHECK_HEADERS([sys/capability.h])
-	AC_CHECK_FUNC(capset,,[AC_MSG_ERROR([capset() not found!])])
-	AC_DEFINE([CAPABILITIES_NATIVE], [], [have native linux capset()])
-fi
-
-if test x$capabilities = xlibcap; then
-	AC_CHECK_LIB([cap],[main],[LIBS="$LIBS"],[AC_MSG_ERROR([libcap library not found])],[])
-	AC_CHECK_HEADER([sys/capability.h],
-		[AC_DEFINE([HAVE_SYS_CAPABILITY_H], [], [have sys/capability.h])],
-		[AC_MSG_ERROR([libcap header sys/capability.h not found!])])
-	AC_DEFINE([CAPABILITIES_LIBCAP], [], [have libpcap library])
-fi
-
-if test x$integrity_test = xtrue; then
-	AC_MSG_CHECKING([for dladdr()])
-	AC_COMPILE_IFELSE(
-		[AC_LANG_PROGRAM(
-			[[#define _GNU_SOURCE
-			  #include <dlfcn.h>]],
-			[[Dl_info info; dladdr(main, &info);]])],
-		[AC_MSG_RESULT([yes])],
-		[AC_MSG_RESULT([no]);
-		 AC_MSG_ERROR([dladdr() not supported, required by integrity-test!])]
-	)
-	AC_MSG_CHECKING([for dl_iterate_phdr()])
-	AC_COMPILE_IFELSE(
-		[AC_LANG_PROGRAM(
-			[[#define _GNU_SOURCE
-			  #include <link.h>]],
-			[[dl_iterate_phdr((void*)0, (void*)0);]])],
-		[AC_MSG_RESULT([yes])],
-		[AC_MSG_RESULT([no]);
-		 AC_MSG_ERROR([dl_iterate_phdr() not supported, required by integrity-test!])]
-	)
-fi
-
-if test x$bfd_backtraces = xtrue; then
-	AC_CHECK_LIB([bfd],[main],[LIBS="$LIBS"],[AC_MSG_ERROR([binutils libbfd not found!])],[])
-	AC_CHECK_HEADER([bfd.h],[AC_DEFINE([HAVE_BFD_H],,[have binutils bfd.h])],
-		[AC_MSG_ERROR([binutils bfd.h header not found!])])
-	BFDLIB="-lbfd"
-	AC_SUBST(BFDLIB)
-fi
-
-AM_CONDITIONAL(USE_DEV_HEADERS, [test "x$dev_headers" != xno])
-if test x$dev_headers = xyes; then
-	dev_headers="$includedir/strongswan"
-fi
-AC_SUBST(dev_headers)
-
-CFLAGS="$CFLAGS -include `pwd`/config.h"
-
-if test x$tkm = xtrue; then
-	AC_PATH_PROG([GPRBUILD], [gprbuild], [], [$PATH:/bin:/usr/bin:/usr/local/bin])
-fi
-
-if test x$unit_tests = xtrue; then
-	PKG_CHECK_MODULES(CHECK, [check >= 0.9.4])
-	AC_SUBST(CHECK_CFLAGS)
-	AC_SUBST(CHECK_LIBS)
-fi
-
-# ===============================================
-#  collect plugin list for strongSwan components
-# ===============================================
-
-m4_include(m4/macros/add-plugin.m4)
-
-# plugin lists for all components
-charon_plugins=
-starter_plugins=
-pool_plugins=
-attest_plugins=
-openac_plugins=
-scepclient_plugins=
-pki_plugins=
-scripts_plugins=
-manager_plugins=
-medsrv_plugins=
-nm_plugins=
-
-# location specific lists for checksumming,
-# for src/libcharon, src/libhydra and src/libstrongswan
-c_plugins=
-h_plugins=
-s_plugins=
-
-ADD_PLUGIN([test-vectors],         [s charon openac scepclient pki])
-ADD_PLUGIN([curl],                 [s charon scepclient scripts nm])
-ADD_PLUGIN([soup],                 [s charon scripts nm])
-ADD_PLUGIN([unbound],              [s charon scripts])
-ADD_PLUGIN([ldap],                 [s charon scepclient scripts nm])
-ADD_PLUGIN([mysql],                [s charon pool manager medsrv attest])
-ADD_PLUGIN([sqlite],               [s charon pool manager medsrv attest])
-ADD_PLUGIN([pkcs11],               [s charon pki nm])
-ADD_PLUGIN([aes],                  [s charon openac scepclient pki scripts nm])
-ADD_PLUGIN([des],                  [s charon openac scepclient pki scripts nm])
-ADD_PLUGIN([blowfish],             [s charon openac scepclient pki scripts nm])
-ADD_PLUGIN([sha1],                 [s charon openac scepclient pki scripts medsrv attest nm])
-ADD_PLUGIN([sha2],                 [s charon openac scepclient pki scripts medsrv attest nm])
-ADD_PLUGIN([md4],                  [s charon openac manager scepclient pki nm])
-ADD_PLUGIN([md5],                  [s charon openac scepclient pki scripts attest nm])
-ADD_PLUGIN([rdrand],               [s charon openac scepclient pki scripts medsrv attest nm])
-ADD_PLUGIN([random],               [s charon openac scepclient pki scripts medsrv attest nm])
-ADD_PLUGIN([nonce],                [s charon nm])
-ADD_PLUGIN([x509],                 [s charon openac scepclient pki scripts attest nm])
-ADD_PLUGIN([revocation],           [s charon nm])
-ADD_PLUGIN([constraints],          [s charon nm])
-ADD_PLUGIN([pubkey],               [s charon])
-ADD_PLUGIN([pkcs1],                [s charon openac scepclient pki scripts manager medsrv attest nm])
-ADD_PLUGIN([pkcs7],                [s scepclient pki])
-ADD_PLUGIN([pkcs8],                [s charon openac scepclient pki scripts manager medsrv attest nm])
-ADD_PLUGIN([pgp],                  [s charon])
-ADD_PLUGIN([dnskey],               [s charon])
-ADD_PLUGIN([ipseckey],             [c charon])
-ADD_PLUGIN([pem],                  [s charon openac scepclient pki scripts manager medsrv attest nm])
-ADD_PLUGIN([padlock],              [s charon])
-ADD_PLUGIN([openssl],              [s charon openac scepclient pki scripts manager medsrv attest nm])
-ADD_PLUGIN([gcrypt],               [s charon openac scepclient pki scripts manager medsrv attest nm])
-ADD_PLUGIN([af-alg],               [s charon openac scepclient pki scripts medsrv attest nm])
-ADD_PLUGIN([fips-prf],             [s charon nm])
-ADD_PLUGIN([gmp],                  [s charon openac scepclient pki scripts manager medsrv attest nm])
-ADD_PLUGIN([agent],                [s charon nm])
-ADD_PLUGIN([xcbc],                 [s charon nm])
-ADD_PLUGIN([cmac],                 [s charon nm])
-ADD_PLUGIN([hmac],                 [s charon scripts nm])
-ADD_PLUGIN([ctr],                  [s charon scripts nm])
-ADD_PLUGIN([ccm],                  [s charon scripts nm])
-ADD_PLUGIN([gcm],                  [s charon scripts nm])
-ADD_PLUGIN([attr],                 [h charon])
-ADD_PLUGIN([attr-sql],             [h charon])
-ADD_PLUGIN([load-tester],          [c charon])
-ADD_PLUGIN([kernel-pfkey],         [h charon starter nm])
-ADD_PLUGIN([kernel-pfroute],       [h charon starter nm])
-ADD_PLUGIN([kernel-klips],         [h charon starter])
-ADD_PLUGIN([kernel-netlink],       [h charon starter nm])
-ADD_PLUGIN([resolve],              [h charon])
-ADD_PLUGIN([socket-default],       [c charon nm])
-ADD_PLUGIN([socket-dynamic],       [c charon])
-ADD_PLUGIN([farp],                 [c charon])
-ADD_PLUGIN([stroke],               [c charon])
-ADD_PLUGIN([smp],                  [c charon])
-ADD_PLUGIN([sql],                  [c charon])
-ADD_PLUGIN([updown],               [c charon])
-ADD_PLUGIN([eap-identity],         [c charon nm])
-ADD_PLUGIN([eap-sim],              [c charon])
-ADD_PLUGIN([eap-sim-file],         [c charon])
-ADD_PLUGIN([eap-sim-pcsc],         [c charon])
-ADD_PLUGIN([eap-aka],              [c charon])
-ADD_PLUGIN([eap-aka-3gpp2],        [c charon])
-ADD_PLUGIN([eap-simaka-sql],       [c charon])
-ADD_PLUGIN([eap-simaka-pseudonym], [c charon])
-ADD_PLUGIN([eap-simaka-reauth],    [c charon])
-ADD_PLUGIN([eap-md5],              [c charon nm])
-ADD_PLUGIN([eap-gtc],              [c charon nm])
-ADD_PLUGIN([eap-mschapv2],         [c charon nm])
-ADD_PLUGIN([eap-dynamic],          [c charon])
-ADD_PLUGIN([eap-radius],           [c charon])
-ADD_PLUGIN([eap-tls],              [c charon nm])
-ADD_PLUGIN([eap-ttls],             [c charon nm])
-ADD_PLUGIN([eap-peap],             [c charon nm])
-ADD_PLUGIN([eap-tnc],              [c charon])
-ADD_PLUGIN([xauth-generic],        [c charon])
-ADD_PLUGIN([xauth-eap],            [c charon])
-ADD_PLUGIN([xauth-pam],            [c charon])
-ADD_PLUGIN([xauth-noauth],         [c charon])
-ADD_PLUGIN([tnc-ifmap],            [c charon])
-ADD_PLUGIN([tnc-pdp],              [c charon])
-ADD_PLUGIN([tnc-imc],              [c charon])
-ADD_PLUGIN([tnc-imv],              [c charon])
-ADD_PLUGIN([tnc-tnccs],            [c charon])
-ADD_PLUGIN([tnccs-20],             [c charon])
-ADD_PLUGIN([tnccs-11],             [c charon])
-ADD_PLUGIN([tnccs-dynamic],        [c charon])
-ADD_PLUGIN([medsrv],               [c charon])
-ADD_PLUGIN([medcli],               [c charon])
-ADD_PLUGIN([dhcp],                 [c charon])
-ADD_PLUGIN([android-dns],          [c charon])
-ADD_PLUGIN([android-log],          [c charon])
-ADD_PLUGIN([ha],                   [c charon])
-ADD_PLUGIN([whitelist],            [c charon])
-ADD_PLUGIN([lookip],               [c charon])
-ADD_PLUGIN([error-notify],         [c charon])
-ADD_PLUGIN([certexpire],           [c charon])
-ADD_PLUGIN([systime-fix],          [c charon])
-ADD_PLUGIN([led],                  [c charon])
-ADD_PLUGIN([duplicheck],           [c charon])
-ADD_PLUGIN([coupling],             [c charon])
-ADD_PLUGIN([radattr],              [c charon])
-ADD_PLUGIN([maemo],                [c charon])
-ADD_PLUGIN([uci],                  [c charon])
-ADD_PLUGIN([addrblock],            [c charon])
-ADD_PLUGIN([unity],                [c charon])
-ADD_PLUGIN([unit-tester],          [c charon])
-
-AC_SUBST(charon_plugins)
-AC_SUBST(starter_plugins)
-AC_SUBST(pool_plugins)
-AC_SUBST(attest_plugins)
-AC_SUBST(openac_plugins)
-AC_SUBST(scepclient_plugins)
-AC_SUBST(pki_plugins)
-AC_SUBST(scripts_plugins)
-AC_SUBST(manager_plugins)
-AC_SUBST(medsrv_plugins)
-AC_SUBST(nm_plugins)
-
-AC_SUBST(c_plugins)
-AC_SUBST(h_plugins)
-AC_SUBST(s_plugins)
-
-# ======================
-#  set Makefile.am vars
-# ======================
-
-#  libstrongswan plugins
-# -----------------------
-AM_CONDITIONAL(USE_TEST_VECTORS, test x$test_vectors = xtrue)
-AM_CONDITIONAL(USE_CURL, test x$curl = xtrue)
-AM_CONDITIONAL(USE_UNBOUND, test x$unbound = xtrue)
-AM_CONDITIONAL(USE_SOUP, test x$soup = xtrue)
-AM_CONDITIONAL(USE_LDAP, test x$ldap = xtrue)
-AM_CONDITIONAL(USE_AES, test x$aes = xtrue)
-AM_CONDITIONAL(USE_DES, test x$des = xtrue)
-AM_CONDITIONAL(USE_BLOWFISH, test x$blowfish = xtrue)
-AM_CONDITIONAL(USE_MD4, test x$md4 = xtrue)
-AM_CONDITIONAL(USE_MD5, test x$md5 = xtrue)
-AM_CONDITIONAL(USE_SHA1, test x$sha1 = xtrue)
-AM_CONDITIONAL(USE_SHA2, test x$sha2 = xtrue)
-AM_CONDITIONAL(USE_FIPS_PRF, test x$fips_prf = xtrue)
-AM_CONDITIONAL(USE_GMP, test x$gmp = xtrue)
-AM_CONDITIONAL(USE_RDRAND, test x$rdrand = xtrue)
-AM_CONDITIONAL(USE_RANDOM, test x$random = xtrue)
-AM_CONDITIONAL(USE_NONCE, test x$nonce = xtrue)
-AM_CONDITIONAL(USE_X509, test x$x509 = xtrue)
-AM_CONDITIONAL(USE_REVOCATION, test x$revocation = xtrue)
-AM_CONDITIONAL(USE_CONSTRAINTS, test x$constraints = xtrue)
-AM_CONDITIONAL(USE_PUBKEY, test x$pubkey = xtrue)
-AM_CONDITIONAL(USE_PKCS1, test x$pkcs1 = xtrue)
-AM_CONDITIONAL(USE_PKCS7, test x$pkcs7 = xtrue)
-AM_CONDITIONAL(USE_PKCS8, test x$pkcs8 = xtrue)
-AM_CONDITIONAL(USE_PGP, test x$pgp = xtrue)
-AM_CONDITIONAL(USE_DNSKEY, test x$dnskey = xtrue)
-AM_CONDITIONAL(USE_PEM, test x$pem = xtrue)
-AM_CONDITIONAL(USE_HMAC, test x$hmac = xtrue)
-AM_CONDITIONAL(USE_CMAC, test x$cmac = xtrue)
-AM_CONDITIONAL(USE_XCBC, test x$xcbc = xtrue)
-AM_CONDITIONAL(USE_MYSQL, test x$mysql = xtrue)
-AM_CONDITIONAL(USE_SQLITE, test x$sqlite = xtrue)
-AM_CONDITIONAL(USE_PADLOCK, test x$padlock = xtrue)
-AM_CONDITIONAL(USE_OPENSSL, test x$openssl = xtrue)
-AM_CONDITIONAL(USE_GCRYPT, test x$gcrypt = xtrue)
-AM_CONDITIONAL(USE_AGENT, test x$agent = xtrue)
-AM_CONDITIONAL(USE_PKCS11, test x$pkcs11 = xtrue)
-AM_CONDITIONAL(USE_CTR, test x$ctr = xtrue)
-AM_CONDITIONAL(USE_CCM, test x$ccm = xtrue)
-AM_CONDITIONAL(USE_GCM, test x$gcm = xtrue)
-AM_CONDITIONAL(USE_AF_ALG, test x$af_alg = xtrue)
-
-#  charon plugins
-# ----------------
-AM_CONDITIONAL(USE_STROKE, test x$stroke = xtrue)
-AM_CONDITIONAL(USE_MEDSRV, test x$medsrv = xtrue)
-AM_CONDITIONAL(USE_MEDCLI, test x$medcli = xtrue)
-AM_CONDITIONAL(USE_UCI, test x$uci = xtrue)
-AM_CONDITIONAL(USE_ANDROID_DNS, test x$android_dns = xtrue)
-AM_CONDITIONAL(USE_ANDROID_LOG, test x$android_log = xtrue)
-AM_CONDITIONAL(USE_MAEMO, test x$maemo = xtrue)
-AM_CONDITIONAL(USE_SMP, test x$smp = xtrue)
-AM_CONDITIONAL(USE_SQL, test x$sql = xtrue)
-AM_CONDITIONAL(USE_IPSECKEY, test x$ipseckey = xtrue)
-AM_CONDITIONAL(USE_UPDOWN, test x$updown = xtrue)
-AM_CONDITIONAL(USE_DHCP, test x$dhcp = xtrue)
-AM_CONDITIONAL(USE_UNIT_TESTS, test x$unit_tester = xtrue)
-AM_CONDITIONAL(USE_LOAD_TESTER, test x$load_tester = xtrue)
-AM_CONDITIONAL(USE_HA, test x$ha = xtrue)
-AM_CONDITIONAL(USE_WHITELIST, test x$whitelist = xtrue)
-AM_CONDITIONAL(USE_LOOKIP, test x$lookip = xtrue)
-AM_CONDITIONAL(USE_ERROR_NOTIFY, test x$error_notify = xtrue)
-AM_CONDITIONAL(USE_CERTEXPIRE, test x$certexpire = xtrue)
-AM_CONDITIONAL(USE_SYSTIME_FIX, test x$systime_fix = xtrue)
-AM_CONDITIONAL(USE_LED, test x$led = xtrue)
-AM_CONDITIONAL(USE_DUPLICHECK, test x$duplicheck = xtrue)
-AM_CONDITIONAL(USE_COUPLING, test x$coupling = xtrue)
-AM_CONDITIONAL(USE_RADATTR, test x$radattr = xtrue)
-AM_CONDITIONAL(USE_EAP_SIM, test x$eap_sim = xtrue)
-AM_CONDITIONAL(USE_EAP_SIM_FILE, test x$eap_sim_file = xtrue)
-AM_CONDITIONAL(USE_EAP_SIM_PCSC, test x$eap_sim_pcsc = xtrue)
-AM_CONDITIONAL(USE_EAP_SIMAKA_SQL, test x$eap_simaka_sql = xtrue)
-AM_CONDITIONAL(USE_EAP_SIMAKA_PSEUDONYM, test x$eap_simaka_pseudonym = xtrue)
-AM_CONDITIONAL(USE_EAP_SIMAKA_REAUTH, test x$eap_simaka_reauth = xtrue)
-AM_CONDITIONAL(USE_EAP_IDENTITY, test x$eap_identity = xtrue)
-AM_CONDITIONAL(USE_EAP_MD5, test x$eap_md5 = xtrue)
-AM_CONDITIONAL(USE_EAP_GTC, test x$eap_gtc = xtrue)
-AM_CONDITIONAL(USE_EAP_AKA, test x$eap_aka = xtrue)
-AM_CONDITIONAL(USE_EAP_AKA_3GPP2, test x$eap_aka_3gpp2 = xtrue)
-AM_CONDITIONAL(USE_EAP_MSCHAPV2, test x$eap_mschapv2 = xtrue)
-AM_CONDITIONAL(USE_EAP_TLS, test x$eap_tls = xtrue)
-AM_CONDITIONAL(USE_EAP_TTLS, test x$eap_ttls = xtrue)
-AM_CONDITIONAL(USE_EAP_PEAP, test x$eap_peap = xtrue)
-AM_CONDITIONAL(USE_EAP_TNC, test x$eap_tnc = xtrue)
-AM_CONDITIONAL(USE_EAP_DYNAMIC, test x$eap_dynamic = xtrue)
-AM_CONDITIONAL(USE_EAP_RADIUS, test x$eap_radius = xtrue)
-AM_CONDITIONAL(USE_XAUTH_GENERIC, test x$xauth_generic = xtrue)
-AM_CONDITIONAL(USE_XAUTH_EAP, test x$xauth_eap = xtrue)
-AM_CONDITIONAL(USE_XAUTH_PAM, test x$xauth_pam = xtrue)
-AM_CONDITIONAL(USE_XAUTH_NOAUTH, test x$xauth_noauth = xtrue)
-AM_CONDITIONAL(USE_TNC_IFMAP, test x$tnc_ifmap = xtrue)
-AM_CONDITIONAL(USE_TNC_PDP, test x$tnc_pdp = xtrue)
-AM_CONDITIONAL(USE_TNC_IMC, test x$tnc_imc = xtrue)
-AM_CONDITIONAL(USE_TNC_IMV, test x$tnc_imv = xtrue)
-AM_CONDITIONAL(USE_TNC_TNCCS, test x$tnc_tnccs = xtrue)
-AM_CONDITIONAL(USE_TNCCS_11, test x$tnccs_11 = xtrue)
-AM_CONDITIONAL(USE_TNCCS_20, test x$tnccs_20 = xtrue)
-AM_CONDITIONAL(USE_TNCCS_DYNAMIC, test x$tnccs_dynamic = xtrue)
-AM_CONDITIONAL(USE_IMC_TEST, test x$imc_test = xtrue)
-AM_CONDITIONAL(USE_IMV_TEST, test x$imv_test = xtrue)
-AM_CONDITIONAL(USE_IMC_SCANNER, test x$imc_scanner = xtrue)
-AM_CONDITIONAL(USE_IMV_SCANNER, test x$imv_scanner = xtrue)
-AM_CONDITIONAL(USE_IMC_OS, test x$imc_os = xtrue)
-AM_CONDITIONAL(USE_IMV_OS, test x$imv_os = xtrue)
-AM_CONDITIONAL(USE_IMC_ATTESTATION, test x$imc_attestation = xtrue)
-AM_CONDITIONAL(USE_IMV_ATTESTATION, test x$imv_attestation = xtrue)
-AM_CONDITIONAL(USE_SOCKET_DEFAULT, test x$socket_default = xtrue)
-AM_CONDITIONAL(USE_SOCKET_DYNAMIC, test x$socket_dynamic = xtrue)
-AM_CONDITIONAL(USE_FARP, test x$farp = xtrue)
-AM_CONDITIONAL(USE_ADDRBLOCK, test x$addrblock = xtrue)
-AM_CONDITIONAL(USE_UNITY, test x$unity = xtrue)
-
-#  hydra plugins
-# ---------------
-AM_CONDITIONAL(USE_ATTR, test x$attr = xtrue)
-AM_CONDITIONAL(USE_ATTR_SQL, test x$attr_sql = xtrue)
-AM_CONDITIONAL(USE_KERNEL_KLIPS, test x$kernel_klips = xtrue)
-AM_CONDITIONAL(USE_KERNEL_NETLINK, test x$kernel_netlink = xtrue)
-AM_CONDITIONAL(USE_KERNEL_PFKEY, test x$kernel_pfkey = xtrue)
-AM_CONDITIONAL(USE_KERNEL_PFROUTE, test x$kernel_pfroute = xtrue)
-AM_CONDITIONAL(USE_RESOLVE, test x$resolve = xtrue)
-
-#  other options
-# ---------------
-AM_CONDITIONAL(USE_LEAK_DETECTIVE, test x$leak_detective = xtrue)
-AM_CONDITIONAL(USE_LOCK_PROFILER, test x$lock_profiler = xtrue)
-AM_CONDITIONAL(USE_DUMM, test x$dumm = xtrue)
-AM_CONDITIONAL(USE_FAST, test x$fast = xtrue)
-AM_CONDITIONAL(USE_MANAGER, test x$manager = xtrue)
-AM_CONDITIONAL(USE_ME, test x$mediation = xtrue)
-AM_CONDITIONAL(USE_INTEGRITY_TEST, test x$integrity_test = xtrue)
-AM_CONDITIONAL(USE_LOAD_WARNING, test x$load_warning = xtrue)
-AM_CONDITIONAL(USE_IKEV1, test x$ikev1 = xtrue)
-AM_CONDITIONAL(USE_IKEV2, test x$ikev2 = xtrue)
-AM_CONDITIONAL(USE_THREADS, test x$threads = xtrue)
-AM_CONDITIONAL(USE_ADNS, test x$adns = xtrue)
-AM_CONDITIONAL(USE_CHARON, test x$charon = xtrue)
-AM_CONDITIONAL(USE_NM, test x$nm = xtrue)
-AM_CONDITIONAL(USE_TOOLS, test x$tools = xtrue)
-AM_CONDITIONAL(USE_SCRIPTS, test x$scripts = xtrue)
-AM_CONDITIONAL(USE_CONFTEST, test x$conftest = xtrue)
-AM_CONDITIONAL(USE_LIBSTRONGSWAN, test x$charon = xtrue -o x$tools = xtrue -o x$conftest = xtrue -o x$fast = xtrue -o x$imcv = xtrue -o x$nm = xtrue -o x$tkm = xtrue)
-AM_CONDITIONAL(USE_LIBHYDRA, test x$charon = xtrue -o x$nm = xtrue -o x$tkm = xtrue)
-AM_CONDITIONAL(USE_LIBCHARON, test x$charon = xtrue -o x$conftest = xtrue -o x$nm = xtrue -o x$tkm = xtrue)
-AM_CONDITIONAL(USE_LIBIPSEC, test x$libipsec = xtrue)
-AM_CONDITIONAL(USE_LIBTNCIF, test x$tnc_tnccs = xtrue -o x$imcv = xtrue)
-AM_CONDITIONAL(USE_LIBTNCCS, test x$tnc_tnccs = xtrue)
-AM_CONDITIONAL(USE_LIBPTTLS, test x$tnc_tnccs = xtrue)
-AM_CONDITIONAL(USE_FILE_CONFIG, test x$stroke = xtrue)
-AM_CONDITIONAL(USE_IPSEC_SCRIPT, test x$stroke = xtrue -o x$tools = xtrue -o x$conftest = xtrue)
-AM_CONDITIONAL(USE_LIBCAP, test x$capabilities = xlibcap)
-AM_CONDITIONAL(USE_VSTR, test x$vstr = xtrue)
-AM_CONDITIONAL(USE_SIMAKA, test x$simaka = xtrue)
-AM_CONDITIONAL(USE_TLS, test x$tls = xtrue)
-AM_CONDITIONAL(USE_RADIUS, test x$radius = xtrue)
-AM_CONDITIONAL(USE_IMCV, test x$imcv = xtrue)
-AM_CONDITIONAL(USE_PTS, test x$pts = xtrue)
-AM_CONDITIONAL(USE_TROUSERS, test x$tss = xtrousers)
-AM_CONDITIONAL(MONOLITHIC, test x$monolithic = xtrue)
-AM_CONDITIONAL(UNITTESTS, test x$unit_tests = xtrue)
-AM_CONDITIONAL(USE_TKM, test x$tkm = xtrue)
-
-# ========================
-#  set global definitions
-# ========================
-
-if test x$mediation = xtrue; then
-	AC_DEFINE([ME], [], [mediation extension support])
-fi
-if test x$capabilities = xlibcap -o x$capabilities = xnative; then
-	AC_DEFINE([CAPABILITIES], [], [capability dropping support])
-fi
-if test x$monolithic = xtrue; then
-	AC_DEFINE([MONOLITHIC], [], [monolithic build embedding plugins])
-fi
-if test x$ikev1 = xtrue; then
-	AC_DEFINE([USE_IKEV1], [], [support for IKEv1 protocol])
-fi
-if test x$ikev2 = xtrue; then
-	AC_DEFINE([USE_IKEV2], [], [support for IKEv2 protocol])
-fi
-
-# =================
-#  build Makefiles
-# =================
-
-AC_CONFIG_FILES([
-	Makefile
-	man/Makefile
-	init/Makefile
-	init/systemd/Makefile
-	src/Makefile
-	src/include/Makefile
-	src/libstrongswan/Makefile
-	src/libstrongswan/plugins/aes/Makefile
-	src/libstrongswan/plugins/cmac/Makefile
-	src/libstrongswan/plugins/des/Makefile
-	src/libstrongswan/plugins/blowfish/Makefile
-	src/libstrongswan/plugins/md4/Makefile
-	src/libstrongswan/plugins/md5/Makefile
-	src/libstrongswan/plugins/sha1/Makefile
-	src/libstrongswan/plugins/sha2/Makefile
-	src/libstrongswan/plugins/fips_prf/Makefile
-	src/libstrongswan/plugins/gmp/Makefile
-	src/libstrongswan/plugins/rdrand/Makefile
-	src/libstrongswan/plugins/random/Makefile
-	src/libstrongswan/plugins/nonce/Makefile
-	src/libstrongswan/plugins/hmac/Makefile
-	src/libstrongswan/plugins/xcbc/Makefile
-	src/libstrongswan/plugins/x509/Makefile
-	src/libstrongswan/plugins/revocation/Makefile
-	src/libstrongswan/plugins/constraints/Makefile
-	src/libstrongswan/plugins/pubkey/Makefile
-	src/libstrongswan/plugins/pkcs1/Makefile
-	src/libstrongswan/plugins/pkcs7/Makefile
-	src/libstrongswan/plugins/pkcs8/Makefile
-	src/libstrongswan/plugins/pgp/Makefile
-	src/libstrongswan/plugins/dnskey/Makefile
-	src/libstrongswan/plugins/pem/Makefile
-	src/libstrongswan/plugins/curl/Makefile
-	src/libstrongswan/plugins/unbound/Makefile
-	src/libstrongswan/plugins/soup/Makefile
-	src/libstrongswan/plugins/ldap/Makefile
-	src/libstrongswan/plugins/mysql/Makefile
-	src/libstrongswan/plugins/sqlite/Makefile
-	src/libstrongswan/plugins/padlock/Makefile
-	src/libstrongswan/plugins/openssl/Makefile
-	src/libstrongswan/plugins/gcrypt/Makefile
-	src/libstrongswan/plugins/agent/Makefile
-	src/libstrongswan/plugins/pkcs11/Makefile
-	src/libstrongswan/plugins/ctr/Makefile
-	src/libstrongswan/plugins/ccm/Makefile
-	src/libstrongswan/plugins/gcm/Makefile
-	src/libstrongswan/plugins/af_alg/Makefile
-	src/libstrongswan/plugins/test_vectors/Makefile
-	src/libhydra/Makefile
-	src/libhydra/plugins/attr/Makefile
-	src/libhydra/plugins/attr_sql/Makefile
-	src/libhydra/plugins/kernel_klips/Makefile
-	src/libhydra/plugins/kernel_netlink/Makefile
-	src/libhydra/plugins/kernel_pfkey/Makefile
-	src/libhydra/plugins/kernel_pfroute/Makefile
-	src/libhydra/plugins/resolve/Makefile
-	src/libipsec/Makefile
-	src/libsimaka/Makefile
-	src/libtls/Makefile
-	src/libradius/Makefile
-	src/libtncif/Makefile
-	src/libtnccs/Makefile
-	src/libpttls/Makefile
-	src/libpts/Makefile
-	src/libpts/plugins/imc_attestation/Makefile
-	src/libpts/plugins/imv_attestation/Makefile
-	src/libimcv/Makefile
-	src/libimcv/plugins/imc_test/Makefile
-	src/libimcv/plugins/imv_test/Makefile
-	src/libimcv/plugins/imc_scanner/Makefile
-	src/libimcv/plugins/imv_scanner/Makefile
-	src/libimcv/plugins/imc_os/Makefile
-	src/libimcv/plugins/imv_os/Makefile
-	src/charon/Makefile
-	src/charon-nm/Makefile
-	src/charon-tkm/Makefile
-	src/libcharon/Makefile
-	src/libcharon/plugins/eap_aka/Makefile
-	src/libcharon/plugins/eap_aka_3gpp2/Makefile
-	src/libcharon/plugins/eap_dynamic/Makefile
-	src/libcharon/plugins/eap_identity/Makefile
-	src/libcharon/plugins/eap_md5/Makefile
-	src/libcharon/plugins/eap_gtc/Makefile
-	src/libcharon/plugins/eap_sim/Makefile
-	src/libcharon/plugins/eap_sim_file/Makefile
-	src/libcharon/plugins/eap_sim_pcsc/Makefile
-	src/libcharon/plugins/eap_simaka_sql/Makefile
-	src/libcharon/plugins/eap_simaka_pseudonym/Makefile
-	src/libcharon/plugins/eap_simaka_reauth/Makefile
-	src/libcharon/plugins/eap_mschapv2/Makefile
-	src/libcharon/plugins/eap_tls/Makefile
-	src/libcharon/plugins/eap_ttls/Makefile
-	src/libcharon/plugins/eap_peap/Makefile
-	src/libcharon/plugins/eap_tnc/Makefile
-	src/libcharon/plugins/eap_radius/Makefile
-	src/libcharon/plugins/xauth_generic/Makefile
-	src/libcharon/plugins/xauth_eap/Makefile
-	src/libcharon/plugins/xauth_pam/Makefile
-	src/libcharon/plugins/xauth_noauth/Makefile
-	src/libcharon/plugins/tnc_ifmap/Makefile
-	src/libcharon/plugins/tnc_pdp/Makefile
-	src/libcharon/plugins/tnc_imc/Makefile
-	src/libcharon/plugins/tnc_imv/Makefile
-	src/libcharon/plugins/tnc_tnccs/Makefile
-	src/libcharon/plugins/tnccs_11/Makefile
-	src/libcharon/plugins/tnccs_20/Makefile
-	src/libcharon/plugins/tnccs_dynamic/Makefile
-	src/libcharon/plugins/socket_default/Makefile
-	src/libcharon/plugins/socket_dynamic/Makefile
-	src/libcharon/plugins/farp/Makefile
-	src/libcharon/plugins/smp/Makefile
-	src/libcharon/plugins/sql/Makefile
-	src/libcharon/plugins/ipseckey/Makefile
-	src/libcharon/plugins/medsrv/Makefile
-	src/libcharon/plugins/medcli/Makefile
-	src/libcharon/plugins/addrblock/Makefile
-	src/libcharon/plugins/unity/Makefile
-	src/libcharon/plugins/uci/Makefile
-	src/libcharon/plugins/ha/Makefile
-	src/libcharon/plugins/whitelist/Makefile
-	src/libcharon/plugins/lookip/Makefile
-	src/libcharon/plugins/error_notify/Makefile
-	src/libcharon/plugins/certexpire/Makefile
-	src/libcharon/plugins/systime_fix/Makefile
-	src/libcharon/plugins/led/Makefile
-	src/libcharon/plugins/duplicheck/Makefile
-	src/libcharon/plugins/coupling/Makefile
-	src/libcharon/plugins/radattr/Makefile
-	src/libcharon/plugins/android_dns/Makefile
-	src/libcharon/plugins/android_log/Makefile
-	src/libcharon/plugins/maemo/Makefile
-	src/libcharon/plugins/stroke/Makefile
-	src/libcharon/plugins/updown/Makefile
-	src/libcharon/plugins/dhcp/Makefile
-	src/libcharon/plugins/unit_tester/Makefile
-	src/libcharon/plugins/load_tester/Makefile
-	src/stroke/Makefile
-	src/ipsec/Makefile
-	src/starter/Makefile
-	src/_updown/Makefile
-	src/_updown_espmark/Makefile
-	src/_copyright/Makefile
-	src/openac/Makefile
-	src/scepclient/Makefile
-	src/pki/Makefile
-	src/dumm/Makefile
-	src/dumm/ext/extconf.rb
-	src/libfast/Makefile
-	src/manager/Makefile
-	src/medsrv/Makefile
-	src/checksum/Makefile
-	src/conftest/Makefile
-	scripts/Makefile
-	testing/Makefile
-])
-AC_OUTPUT
-
-# ========================
-#  report enabled plugins
-# ========================
-
-AC_MSG_RESULT([])
-AC_MSG_RESULT([ strongSwan will be built with the following plugins])
-AC_MSG_RESULT([-----------------------------------------------------])
-
-AC_MSG_RESULT([libstrongswan:$s_plugins])
-AC_MSG_RESULT([libcharon:    $c_plugins])
-AC_MSG_RESULT([libhydra:     $h_plugins])
-AC_MSG_RESULT([])
diff --git a/init/Makefile.in b/init/Makefile.in
index a4e2c4445..d9b475638 100644
--- a/init/Makefile.in
+++ b/init/Makefile.in
@@ -62,13 +62,19 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
 CONFIG_HEADER = $(top_builddir)/config.h
 CONFIG_CLEAN_FILES =
 CONFIG_CLEAN_VPATH_FILES =
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 SOURCES =
 DIST_SOURCES =
 RECURSIVE_TARGETS = all-recursive check-recursive dvi-recursive \
@@ -120,6 +126,7 @@ am__relativize = \
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
@@ -132,6 +139,8 @@ CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
 CHECK_CFLAGS = @CHECK_CFLAGS@
 CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -147,6 +156,7 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
 GPRBUILD = @GPRBUILD@
 GREP = @GREP@
@@ -155,6 +165,7 @@ INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -201,6 +212,7 @@ SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -229,6 +241,7 @@ charon_natt_port = @charon_natt_port@
 charon_plugins = @charon_plugins@
 charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
diff --git a/init/systemd/Makefile.am b/init/systemd/Makefile.am
index bdbf502e4..e4b7166d6 100644
--- a/init/systemd/Makefile.am
+++ b/init/systemd/Makefile.am
@@ -5,6 +5,7 @@ CLEANFILES = strongswan.service
 systemdsystemunit_DATA = strongswan.service
 
 strongswan.service : strongswan.service.in
+	$(AM_V_GEN) \
 	sed \
 	-e "s:@SBINDIR@:$(sbindir):" \
 	-e "s:@IPSEC_SCRIPT@:$(ipsec_script):" \
diff --git a/init/systemd/Makefile.in b/init/systemd/Makefile.in
index 0486da5e4..e9fd2443d 100644
--- a/init/systemd/Makefile.in
+++ b/init/systemd/Makefile.in
@@ -62,13 +62,19 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
 CONFIG_HEADER = $(top_builddir)/config.h
 CONFIG_CLEAN_FILES =
 CONFIG_CLEAN_VPATH_FILES =
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 SOURCES =
 DIST_SOURCES =
 am__can_run_installinfo = \
@@ -109,6 +115,7 @@ DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
@@ -121,6 +128,8 @@ CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
 CHECK_CFLAGS = @CHECK_CFLAGS@
 CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -136,6 +145,7 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
 GPRBUILD = @GPRBUILD@
 GREP = @GREP@
@@ -144,6 +154,7 @@ INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -190,6 +201,7 @@ SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -218,6 +230,7 @@ charon_natt_port = @charon_natt_port@
 charon_plugins = @charon_plugins@
 charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
@@ -516,6 +529,7 @@ uninstall-am: uninstall-systemdsystemunitDATA
 
 
 strongswan.service : strongswan.service.in
+	$(AM_V_GEN) \
 	sed \
 	-e "s:@SBINDIR@:$(sbindir):" \
 	-e "s:@IPSEC_SCRIPT@:$(ipsec_script):" \
diff --git a/man/Makefile.am b/man/Makefile.am
index ea04303bd..0becd24c7 100644
--- a/man/Makefile.am
+++ b/man/Makefile.am
@@ -5,9 +5,9 @@ CLEANFILES = ipsec.conf.5 ipsec.secrets.5 strongswan.conf.5
 SUFFIXES = .in
 
 .in:
+	$(AM_V_GEN) \
 	sed \
 	-e "s:@IPSEC_VERSION@:$(PACKAGE_VERSION):" \
 	-e "s:@DEV_URANDOM@:$(urandom_device):" \
 	-e "s:@DEV_RANDOM@:$(random_device):" \
 	$(srcdir)/$@.in > $@
-
diff --git a/man/Makefile.in b/man/Makefile.in
index 50b7144a1..0bc64a6eb 100644
--- a/man/Makefile.in
+++ b/man/Makefile.in
@@ -62,13 +62,19 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
 CONFIG_HEADER = $(top_builddir)/config.h
 CONFIG_CLEAN_FILES =
 CONFIG_CLEAN_VPATH_FILES =
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 SOURCES =
 DIST_SOURCES =
 am__can_run_installinfo = \
@@ -111,6 +117,7 @@ DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
@@ -123,6 +130,8 @@ CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
 CHECK_CFLAGS = @CHECK_CFLAGS@
 CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -138,6 +147,7 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
 GPRBUILD = @GPRBUILD@
 GREP = @GREP@
@@ -146,6 +156,7 @@ INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -192,6 +203,7 @@ SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -220,6 +232,7 @@ charon_natt_port = @charon_natt_port@
 charon_plugins = @charon_plugins@
 charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
@@ -556,6 +569,7 @@ uninstall-man: uninstall-man5
 
 
 .in:
+	$(AM_V_GEN) \
 	sed \
 	-e "s:@IPSEC_VERSION@:$(PACKAGE_VERSION):" \
 	-e "s:@DEV_URANDOM@:$(urandom_device):" \
diff --git a/man/ipsec.conf.5 b/man/ipsec.conf.5
index 981b53dba..76bef614f 100644
--- a/man/ipsec.conf.5
+++ b/man/ipsec.conf.5
@@ -1,4 +1,4 @@
-.TH IPSEC.CONF 5 "2012-06-26" "5.0.4" "strongSwan"
+.TH IPSEC.CONF 5 "2012-06-26" "5.1.0" "strongSwan"
 .SH NAME
 ipsec.conf \- IPsec configuration and connections
 .SH DESCRIPTION
@@ -300,8 +300,7 @@ for meaning of values).
 A
 .B closeaction should not be
 used if the peer uses reauthentication or uniquids checking, as these events
-might trigger the defined action when not desired. Currently not supported with
-IKEv1.
+might trigger the defined action when not desired.
 .TP
 .BR compress " = yes | " no
 whether IPComp compression of content is proposed on the connection
@@ -731,34 +730,23 @@ different from the default additionally requires a socket implementation that
 listens on this port.
 .TP
 .BR leftprotoport " = <protocol>/<port>"
-restrict the traffic selector to a single protocol and/or port.
-Examples:
-.B leftprotoport=tcp/http
-or
-.B leftprotoport=6/80
-or
-.B leftprotoport=udp
+restrict the traffic selector to a single protocol and/or port. This option
+is now deprecated, protocol/port information can be defined for each subnet
+directly in
+.BR leftsubnet .
+.TP
+.BR leftsigkey " = <raw public key> | <path to public key>"
+the left participant's public key for public key signature authentication,
+in PKCS#1 format using hex (0x prefix) or base64 (0s prefix) encoding. With the
+optional
+.B dns:
 or
-.BR leftprotoport=/53 .
-Instead of omitting either value
-.B %any
-can be used to the same effect, e.g.
-.B leftprotoport=udp/%any
-or
-.BR leftprotoport=%any/53 .
-
-The port value can alternatively take the value
-.B %opaque
-for RFC 4301 OPAQUE selectors, or a numerical range in the form
-.BR 1024-65535 .
-None of the kernel backends currently supports opaque or port ranges and uses
-.B %any
-for policy installation instead.
-.TP
-.BR leftrsasigkey " = <raw rsa public key> | <path to public key>"
-the left participant's public key for RSA signature authentication, in RFC 2537
-format using hex (0x prefix) or base64 (0s prefix) encoding. Also accepted is
-the path to a file containing the public key in PEM or DER encoding.
+.B ssh:
+prefix in front of 0x or 0s, the public key is expected to be in either
+the RFC 3110 (not the full RR, only RSA key part) or RFC 4253 public key format,
+respectively.
+Also accepted is the path to a file containing the public key in PEM or DER
+encoding.
 .TP
 .BR leftsendcert " = never | no | " ifasked " | always | yes"
 Accepted values are
@@ -799,7 +787,7 @@ echoed back. Also supported are address pools expressed as
 or the use of an external IP address pool using %\fIpoolname\fR,
 where \fIpoolname\fR is the name of the IP address pool used for the lookup.
 .TP
-.BR leftsubnet " = <ip subnet>"
+.BR leftsubnet " = <ip subnet>[[<proto/port>]][,...]"
 private subnet behind the left participant, expressed as
 \fInetwork\fB/\fInetmask\fR;
 if omitted, essentially assumed to be \fIleft\fB/32\fR,
@@ -810,6 +798,36 @@ implementations, make sure to configure identical subnets in such
 configurations. IKEv2 supports multiple subnets separated by commas. IKEv1 only
 interprets the first subnet of such a definition, unless the Cisco Unity
 extension plugin is enabled.
+
+The optional part after each subnet enclosed in square brackets specifies a
+protocol/port to restrict the selector for that subnet.
+
+Examples:
+.BR leftsubnet=10.0.0.1[tcp/http],10.0.0.2[6/80] " or"
+.BR leftsubnet=fec1::1[udp],10.0.0.0/16[/53] .
+Instead of omitting either value
+.B %any
+can be used to the same effect, e.g.
+.BR leftsubnet=fec1::1[udp/%any],10.0.0.0/16[%any/53] .
+
+The port value can alternatively take the value
+.B %opaque
+for RFC 4301 OPAQUE selectors, or a numerical range in the form
+.BR 1024-65535 .
+None of the kernel backends currently supports opaque or port ranges and uses
+.B %any
+for policy installation instead.
+
+Instead of specifying a subnet,
+.B %dynamic
+can be used to replace it with the IKE address, having the same effect
+as omitting
+.B leftsubnet
+completely. Using
+.B %dynamic
+can be used to define multiple dynamic selectors, each having a potentially
+different protocol/port definition.
+
 .TP
 .BR leftupdown " = <path>"
 what ``updown'' script to run to adjust routing and/or firewalling
diff --git a/man/ipsec.conf.5.in b/man/ipsec.conf.5.in
index e778ab773..4c64e86ca 100644
--- a/man/ipsec.conf.5.in
+++ b/man/ipsec.conf.5.in
@@ -300,8 +300,7 @@ for meaning of values).
 A
 .B closeaction should not be
 used if the peer uses reauthentication or uniquids checking, as these events
-might trigger the defined action when not desired. Currently not supported with
-IKEv1.
+might trigger the defined action when not desired.
 .TP
 .BR compress " = yes | " no
 whether IPComp compression of content is proposed on the connection
@@ -731,34 +730,23 @@ different from the default additionally requires a socket implementation that
 listens on this port.
 .TP
 .BR leftprotoport " = <protocol>/<port>"
-restrict the traffic selector to a single protocol and/or port.
-Examples:
-.B leftprotoport=tcp/http
-or
-.B leftprotoport=6/80
-or
-.B leftprotoport=udp
+restrict the traffic selector to a single protocol and/or port. This option
+is now deprecated, protocol/port information can be defined for each subnet
+directly in
+.BR leftsubnet .
+.TP
+.BR leftsigkey " = <raw public key> | <path to public key>"
+the left participant's public key for public key signature authentication,
+in PKCS#1 format using hex (0x prefix) or base64 (0s prefix) encoding. With the
+optional
+.B dns:
 or
-.BR leftprotoport=/53 .
-Instead of omitting either value
-.B %any
-can be used to the same effect, e.g.
-.B leftprotoport=udp/%any
-or
-.BR leftprotoport=%any/53 .
-
-The port value can alternatively take the value
-.B %opaque
-for RFC 4301 OPAQUE selectors, or a numerical range in the form
-.BR 1024-65535 .
-None of the kernel backends currently supports opaque or port ranges and uses
-.B %any
-for policy installation instead.
-.TP
-.BR leftrsasigkey " = <raw rsa public key> | <path to public key>"
-the left participant's public key for RSA signature authentication, in RFC 2537
-format using hex (0x prefix) or base64 (0s prefix) encoding. Also accepted is
-the path to a file containing the public key in PEM or DER encoding.
+.B ssh:
+prefix in front of 0x or 0s, the public key is expected to be in either
+the RFC 3110 (not the full RR, only RSA key part) or RFC 4253 public key format,
+respectively.
+Also accepted is the path to a file containing the public key in PEM or DER
+encoding.
 .TP
 .BR leftsendcert " = never | no | " ifasked " | always | yes"
 Accepted values are
@@ -799,7 +787,7 @@ echoed back. Also supported are address pools expressed as
 or the use of an external IP address pool using %\fIpoolname\fR,
 where \fIpoolname\fR is the name of the IP address pool used for the lookup.
 .TP
-.BR leftsubnet " = <ip subnet>"
+.BR leftsubnet " = <ip subnet>[[<proto/port>]][,...]"
 private subnet behind the left participant, expressed as
 \fInetwork\fB/\fInetmask\fR;
 if omitted, essentially assumed to be \fIleft\fB/32\fR,
@@ -810,6 +798,36 @@ implementations, make sure to configure identical subnets in such
 configurations. IKEv2 supports multiple subnets separated by commas. IKEv1 only
 interprets the first subnet of such a definition, unless the Cisco Unity
 extension plugin is enabled.
+
+The optional part after each subnet enclosed in square brackets specifies a
+protocol/port to restrict the selector for that subnet.
+
+Examples:
+.BR leftsubnet=10.0.0.1[tcp/http],10.0.0.2[6/80] " or"
+.BR leftsubnet=fec1::1[udp],10.0.0.0/16[/53] .
+Instead of omitting either value
+.B %any
+can be used to the same effect, e.g.
+.BR leftsubnet=fec1::1[udp/%any],10.0.0.0/16[%any/53] .
+
+The port value can alternatively take the value
+.B %opaque
+for RFC 4301 OPAQUE selectors, or a numerical range in the form
+.BR 1024-65535 .
+None of the kernel backends currently supports opaque or port ranges and uses
+.B %any
+for policy installation instead.
+
+Instead of specifying a subnet,
+.B %dynamic
+can be used to replace it with the IKE address, having the same effect
+as omitting
+.B leftsubnet
+completely. Using
+.B %dynamic
+can be used to define multiple dynamic selectors, each having a potentially
+different protocol/port definition.
+
 .TP
 .BR leftupdown " = <path>"
 what ``updown'' script to run to adjust routing and/or firewalling
diff --git a/man/ipsec.secrets.5 b/man/ipsec.secrets.5
index 9b3d19190..a4a58f261 100644
--- a/man/ipsec.secrets.5
+++ b/man/ipsec.secrets.5
@@ -1,4 +1,4 @@
-.TH IPSEC.SECRETS 5 "2011-12-14" "5.0.4" "strongSwan"
+.TH IPSEC.SECRETS 5 "2011-12-14" "5.1.0rc1" "strongSwan"
 .SH NAME
 ipsec.secrets \- secrets for IKE/IPsec authentication
 .SH DESCRIPTION
@@ -91,6 +91,9 @@ defines an RSA private key
 .B ECDSA
 defines an ECDSA private key
 .TP
+.B P12
+defines a PKCS#12 container
+.TP
 .B EAP
 defines EAP credentials
 .TP
@@ -133,16 +136,26 @@ Similarly, a character sequence beginning with
 .B 0s
 is interpreted as Base64 encoded binary data.
 .TP
-.B [ <selectors> ] : RSA <private key file> [ <passphrase> | %prompt ]
+.B : RSA <private key file> [ <passphrase> | %prompt ]
 .TQ
-.B [ <selectors> ] : ECDSA <private key file> [ <passphrase> | %prompt ]
+.B : ECDSA <private key file> [ <passphrase> | %prompt ]
 For the private key file both absolute paths or paths relative to
 \fI/etc/ipsec.d/private\fP are accepted. If the private key file is
 encrypted, the \fIpassphrase\fP must be defined. Instead of a passphrase
 .B %prompt
-can be used which then causes the daemons to ask the user for the password
+can be used which then causes the daemon to ask the user for the password
 whenever it is required to decrypt the key.
 .TP
+.B : P12 <PKCS#12 file> [ <passphrase> | %prompt ]
+For the PKCS#12 file both absolute paths or paths relative to
+\fI/etc/ipsec.d/private\fP are accepted. If the container is
+encrypted, the \fIpassphrase\fP must be defined. Instead of a passphrase
+.B %prompt
+can be used which then causes the daemon to ask the user for the password
+whenever it is required to decrypt the container. Private keys, client and CA
+certificates are extracted from the container. To use such a client certificate
+in a connection set leftid to one of the subjects of the certificate.
+.TP
 .B <user id> : EAP <secret>
 The format of \fIsecret\fP is the same as that of \fBPSK\fP secrets.
 .br
@@ -165,7 +178,7 @@ key. The slot number defines the slot on the token, the module name refers to
 the module name defined in strongswan.conf(5).
 Instead of specifying the pin code statically,
 .B %prompt
-can be specified, which causes the daemons to ask the user for the pin code.
+can be specified, which causes the daemon to ask the user for the pin code.
 .LP
 
 .SH FILES
diff --git a/man/ipsec.secrets.5.in b/man/ipsec.secrets.5.in
index 319d4856b..ee20c9670 100644
--- a/man/ipsec.secrets.5.in
+++ b/man/ipsec.secrets.5.in
@@ -91,6 +91,9 @@ defines an RSA private key
 .B ECDSA
 defines an ECDSA private key
 .TP
+.B P12
+defines a PKCS#12 container
+.TP
 .B EAP
 defines EAP credentials
 .TP
@@ -133,16 +136,26 @@ Similarly, a character sequence beginning with
 .B 0s
 is interpreted as Base64 encoded binary data.
 .TP
-.B [ <selectors> ] : RSA <private key file> [ <passphrase> | %prompt ]
+.B : RSA <private key file> [ <passphrase> | %prompt ]
 .TQ
-.B [ <selectors> ] : ECDSA <private key file> [ <passphrase> | %prompt ]
+.B : ECDSA <private key file> [ <passphrase> | %prompt ]
 For the private key file both absolute paths or paths relative to
 \fI/etc/ipsec.d/private\fP are accepted. If the private key file is
 encrypted, the \fIpassphrase\fP must be defined. Instead of a passphrase
 .B %prompt
-can be used which then causes the daemons to ask the user for the password
+can be used which then causes the daemon to ask the user for the password
 whenever it is required to decrypt the key.
 .TP
+.B : P12 <PKCS#12 file> [ <passphrase> | %prompt ]
+For the PKCS#12 file both absolute paths or paths relative to
+\fI/etc/ipsec.d/private\fP are accepted. If the container is
+encrypted, the \fIpassphrase\fP must be defined. Instead of a passphrase
+.B %prompt
+can be used which then causes the daemon to ask the user for the password
+whenever it is required to decrypt the container. Private keys, client and CA
+certificates are extracted from the container. To use such a client certificate
+in a connection set leftid to one of the subjects of the certificate.
+.TP
 .B <user id> : EAP <secret>
 The format of \fIsecret\fP is the same as that of \fBPSK\fP secrets.
 .br
@@ -165,7 +178,7 @@ key. The slot number defines the slot on the token, the module name refers to
 the module name defined in strongswan.conf(5).
 Instead of specifying the pin code statically,
 .B %prompt
-can be specified, which causes the daemons to ask the user for the pin code.
+can be specified, which causes the daemon to ask the user for the pin code.
 .LP
 
 .SH FILES
diff --git a/man/strongswan.conf.5 b/man/strongswan.conf.5
index 3c820dbf9..fc99c8c47 100644
--- a/man/strongswan.conf.5
+++ b/man/strongswan.conf.5
@@ -1,4 +1,4 @@
-.TH STRONGSWAN.CONF 5 "2013-04-01" "5.0.4" "strongSwan"
+.TH STRONGSWAN.CONF 5 "2013-07-22" "5.1.0" "strongSwan"
 .SH NAME
 strongswan.conf \- strongSwan configuration file
 .SH DESCRIPTION
@@ -133,8 +133,14 @@ Path to database with file measurement information
 .TP
 .BR attest.load
 Plugins to load in ipsec attest tool
+
 .SS charon section
 .TP
+.BR Note :
+Many of these options also apply to \fBcharon\-cmd\fR and other
+\fBcharon\fR derivatives. Just use their respective name (e.g.
+\fIcharon\-cmd\fR) instead of  \fIcharon\fR.
+.TP
 .BR charon.block_threshold " [5]"
 Maximum number of half-open IKE_SAs for a single peer IP
 .TP
@@ -168,6 +174,9 @@ used certificates.
 Maximum size (in bytes) of a sent fragment when using the proprietary IKEv1
 fragmentation extension.
 .TP
+.BR charon.group
+Name of the group the daemon changes to after startup
+.TP
 .BR charon.half_open_timeout " [30]"
 Timeout in seconds for connecting IKE_SAs (also see IKE_SA_INIT DROPPING).
 .TP
@@ -311,6 +320,9 @@ Section to define syslog loggers, see LOGGER CONFIGURATION
 .TP
 .BR charon.threads " [16]"
 Number of worker threads in charon
+.TP
+.BR charon.user
+Name of the user the daemon changes to after startup
 .SS charon.plugins subsection
 .TP
 .BR charon.plugins.android_log.loglevel " [1]"
@@ -323,6 +335,18 @@ configuration payload (CP)
 .BR charon.plugins.certexpire.csv.cron
 Cron style string specifying CSV export times
 .TP
+.BR charon.plugins.certexpire.csv.empty_string
+String to use in empty intermediate CA fields
+.TP
+.BR charon.plugins.certexpire.csv.fixed_fields " [yes]"
+Use a fixed intermediate CA field count
+.TP
+.BR charon.plugins.certexpire.csv.force " [yes]"
+Force export of all trustchains we have a private key for
+.TP
+.BR charon.plugins.certexpire.csv.format " [%d:%m:%Y]"
+strftime(3) format string to export expiration dates as
+.TP
 .BR charon.plugins.certexpire.csv.local
 strftime(3) format string for the CSV file name to export local certificates to
 .TP
@@ -332,15 +356,6 @@ strftime(3) format string for the CSV file name to export remote certificates to
 .BR charon.plugins.certexpire.csv.separator " [,]"
 CSV field separator
 .TP
-.BR charon.plugins.certexpire.csv.empty_string
-String to use in empty intermediate CA fields
-.TP
-.BR charon.plugins.certexpire.csv.format " [%d:%m:%Y]"
-strftime(3) format string to export expiration dates as
-.TP
-.BR charon.plugins.certexpire.csv.fixed_fields " [yes]"
-Use a fixed intermediate CA field count
-.TP
 .BR charon.plugins.coupling.file
 File to store coupling list to
 .TP
@@ -367,6 +382,9 @@ DHCP server unicast or broadcast IP address
 .BR charon.plugins.duplicheck.enable " [yes]"
 Enable duplicheck plugin (if loaded)
 .TP
+.BR charon.plugins.duplicheck.socket " [unix://${piddir}/charon.dck]"
+Socket provided by the duplicheck plugin
+.TP
 .BR charon.plugins.eap-aka.request_identity " [yes]"
 
 .TP
@@ -410,6 +428,9 @@ Request peer authentication based on a client certificate
 .BR charon.plugins.eap-radius.accounting " [no]"
 Send RADIUS accounting information to RADIUS servers.
 .TP
+.BR charon.plugins.eap-radius.accounting_requires_vip " [no]"
+If enabled, accounting is disabled unless an IKE_SA has at least one virtual IP
+.TP
 .BR charon.plugins.eap-radius.class_group " [no]"
 Use the
 .I class
@@ -546,6 +567,9 @@ Start phase2 EAP TNC protocol after successful client authentication
 .BR charon.plugins.eap-ttls.request_peer_auth " [no]"
 Request peer authentication based on a client certificate
 .TP
+.BR charon.plugins.error-notify.socket " [unix://${piddir}/charon.enfy]"
+Socket provided by the error-notify plugin
+.TP
 .BR charon.plugins.ha.autobalance " [0]"
 Interval in seconds to automatically balance handled segments between nodes.
 Set to 0 to disable.
@@ -581,7 +605,7 @@ Set to 0 to disable.
 
 .TP
 .BR charon.plugins.ipseckey.enable " [no]"
-Enable the fetching of IPSECKEY RRs from the DNS
+Enable the fetching of IPSECKEY RRs via DNS
 .TP
 .BR charon.plugins.led.activity_led
 
@@ -595,9 +619,18 @@ Number of ipsecN devices
 .BR charon.plugins.kernel-klips.ipsec_dev_mtu " [0]"
 Set MTU of ipsecN device
 .TP
+.BR charon.plugins.kernel-netlink.roam_events " [yes]"
+Whether to trigger roam events when interfaces, addresses or routes change
+.TP
+.BR charon.plugins.kernel-pfroute.vip_wait " [1000]"
+Time in ms to wait until virtual IP addresses appear/disappear before failing.
+.TP
 .BR charon.plugins.load-tester
 Section to configure the load-tester plugin, see LOAD TESTS
 .TP
+.BR charon.plugins.lookip.socket " [unix://${piddir}/charon.lkp]"
+Socket provided by the lookip plugin
+.TP
 .BR charon.plugins.radattr.dir
 Directory where RADIUS attributes are stored in client-ID specific files.
 .TP
@@ -617,6 +650,12 @@ have a high priority according to the order defined in interface-order(5).
 .BR charon.plugins.socket-default.set_source " [yes]"
 Set source address on outbound packets, if possible.
 .TP
+.BR charon.plugins.socket-default.use_ipv4 " [yes]"
+Listen on IPv4, if possible.
+.TP
+.BR charon.plugins.socket-default.use_ipv6 " [yes]"
+Listen on IPv6, if possible.
+.TP
 .BR charon.plugins.sql.database
 Database URI for charons SQL plugin
 .TP
@@ -630,6 +669,9 @@ certificates even if they don't contain a CA basic constraint.
 .BR charon.plugins.stroke.max_concurrent " [4]"
 Maximum number of stroke messages handled concurrently
 .TP
+.BR charon.plugins.stroke.socket " [unix://${piddir}/charon.ctl]"
+Socket provided by the stroke plugin
+.TP
 .BR charon.plugins.stroke.timeout " [0]"
 Timeout in ms for any stroke command. Use 0 to disable the timeout
 .TP
@@ -707,6 +749,9 @@ plugins, like resolve)
 .BR charon.plugins.whitelist.enable " [yes]"
 Enable loaded whitelist plugin
 .TP
+.BR charon.plugins.whitelist.socket " [unix://${piddir}/charon.wlst]"
+Socket provided by the whitelist plugin
+.TP
 .BR charon.plugins.xauth-eap.backend " [radius]"
 EAP plugin to be used as backend for XAuth credential verification
 .TP
@@ -760,6 +805,9 @@ Includes source file names and line numbers in leak detective output
 .BR libstrongswan.leak_detective.usage_threshold " [10240]"
 Threshold in bytes for leaks to be reported (0 to report all)
 .TP
+.BR libstrongswan.leak_detective.usage_threshold_count " [0]"
+Threshold in number of allocations for leaks to be reported (0 to report all)
+.TP
 .BR libstrongswan.processor.priority_threads
 Subsection to configure the number of reserved threads per priority class
 see JOB PRIORITY MANAGEMENT
@@ -820,6 +868,19 @@ File to read DNS resolver configuration from
 .TP
 .BR libstrongswan.plugins.unbound.trust_anchors " [/etc/ipsec.d/dnssec.keys]"
 File to read DNSSEC trust anchors from (usually root zone KSK)
+.SS libtls section
+.TP
+.BR libtls.cipher
+List of TLS encryption ciphers
+.TP
+.BR libtls.key_exchange
+List of TLS key exchange methods
+.TP
+.BR libtls.mac
+List of TLS MAC algorithms
+.TP
+.BR libtls.suites
+List of TLS cipher suites
 .SS libtnccs section
 .TP
 .BR libtnccs.tnc_config " [/etc/tnc_config]"
@@ -829,17 +890,27 @@ TNC IMC/IMV configuration directory
 .BR libimcv.assessment_result " [yes]"
 Whether IMVs send a standard IETF Assessment Result attribute
 .TP
+.BR libimcv.database
+Global IMV policy database URI
+.TP
 .BR libimcv.debug_level " [1]"
 Debug level for a stand-alone libimcv library
 .TP
-.BR libimcv.stderr_quiet " [no]"
-Disable output to stderr with a stand-alone libimcv library
+.BR libimcv.load " [random nonce gmp pubkey x509]"
+Plugins to load in IMC/IMVs
 .TP
 .BR libimcv.os_info.name
 Manually set the name of the client OS (e.g. Ubuntu)
 .TP
 .BR libimcv.os_info.version
 Manually set the version of the client OS (e.g. 12.04 i686)
+.TP
+.BR libimcv.policy_script " [ipsec _imv_policy]"
+Script called for each TNC connection to generate IMV policies
+.TP
+.BR libimcv.stderr_quiet " [no]"
+isable output to stderr with a stand-alone libimcv library
+.PP
 .SS libimcv plugins section
 .TP
 .BR libimcv.plugins.imc-attestation.aik_blob
@@ -860,9 +931,6 @@ Use Quote2 AIK signature instead of Quote signature
 .BR libimcv.plugins.imv-attestation.cadir
 Path to directory with AIK cacerts
 .TP
-.BR libimcv.plugins.imv-attestation.database
-Path to database with file measurement information
-.TP
 .BR libimcv.plugins.imv-attestation.dh_group " [ecp256]"
 Preferred Diffie-Hellman group
 .TP
@@ -878,27 +946,15 @@ URI pointing to attestation remediation instructions
 .BR libimcv.plugins.imc-os.push_info " [yes]"
 Send operating system info without being prompted
 .TP
-.BR libimcv.plugins.imv-os.database
-Database URI for the database that stores operating system information
-.TP
 .BR libimcv.plugins.imv-os.remediation_uri
 URI pointing to operating system remediation instructions
 .TP
 .BR libimcv.plugins.imc-scanner.push_info " [yes]"
 Send open listening ports without being prompted
 .TP
-.BR libimcv.plugins.imv-scanner.closed_port_policy " [yes]"
-By default all ports must be closed (yes) or can be open (no)
-.TP
 .BR libimcv.plugins.imv-scanner.remediation_uri
 URI pointing to scanner remediation instructions
 .TP
-.BR libimcv.plugins.imv-scanner.tcp_ports
-List of TCP ports that can be open or must be closed
-.TP
-.BR libimcv.plugins.imv-scanner.udp_ports
-List of UDP ports that can be open or must be closed
-.TP
 .BR libimcv.plugins.imc-test.additional_ids " [0]"
 Number of additional IMC IDs
 .TP
@@ -908,30 +964,17 @@ Command to be sent to the Test IMV
 .BR libimcv.plugins.imc-test.dummy_size " [0]"
 Size of dummy attribute to be sent to the Test IMV (0 = disabled)
 .TP
+.BR libimcv.plugins.imv-test.remediation_uri
+URI pointing to test remediation instructions
+.TP
 .BR libimcv.plugins.imc-test.retry " [no]"
 Do a handshake retry
 .TP
 .BR libimcv.plugins.imc-test.retry_command
 Command to be sent to the Test IMV in the handshake retry
 .TP
-.BR libimcv.plugins.imv-test.remediation_uri
-URI pointing to test remediation instructions
-.TP
 .BR libimcv.plugins.imv-test.rounds " [0]"
 Number of IMC-IMV retry rounds
-.SS libtls section
-.TP
-.BR libtls.cipher
-List of TLS encryption ciphers
-.TP
-.BR libtls.key_exchange
-List of TLS key exchange methods
-.TP
-.BR libtls.mac
-List of TLS MAC algorithms
-.TP
-.BR libtls.suites
-List of TLS cipher suites
 .SS manager section
 .TP
 .BR manager.database
@@ -1450,9 +1493,13 @@ Request an INTERNAL_IPV4_ADDR from the server
 .BR charon.plugins.load-tester.shutdown_when_complete " [no]"
 Shutdown the daemon after all IKE_SAs have been established
 .TP
+.BR charon.plugins.load-tester.socket " [unix://${piddir}/charon.ldt]"
+Socket provided by the load-tester plugin
+.TP
 .BR charon.plugins.load-tester.version " [0]"
 IKE version to use (0 means use IKEv2 as initiator and accept any version as
 responder)
+.PP
 .SS Configuration details
 For public key authentication, the responder uses the
 .B \(dqCN=srv, OU=load-test, O=strongSwan\(dq
@@ -1608,7 +1655,8 @@ giving up	76s	165s
 /etc/strongswan.conf
 
 .SH SEE ALSO
-ipsec.conf(5), ipsec.secrets(5), ipsec(8)
+\fBipsec.conf\fR(5), \fBipsec.secrets\fR(5), \fBipsec\fR(8), \fBcharon-cmd\fR(8)
+
 .SH HISTORY
 Written for the
 .UR http://www.strongswan.org
diff --git a/man/strongswan.conf.5.in b/man/strongswan.conf.5.in
index 44fe330e8..847d9d520 100644
--- a/man/strongswan.conf.5.in
+++ b/man/strongswan.conf.5.in
@@ -1,4 +1,4 @@
-.TH STRONGSWAN.CONF 5 "2013-04-01" "@IPSEC_VERSION@" "strongSwan"
+.TH STRONGSWAN.CONF 5 "2013-07-22" "@IPSEC_VERSION@" "strongSwan"
 .SH NAME
 strongswan.conf \- strongSwan configuration file
 .SH DESCRIPTION
@@ -133,8 +133,14 @@ Path to database with file measurement information
 .TP
 .BR attest.load
 Plugins to load in ipsec attest tool
+
 .SS charon section
 .TP
+.BR Note :
+Many of these options also apply to \fBcharon\-cmd\fR and other
+\fBcharon\fR derivatives. Just use their respective name (e.g.
+\fIcharon\-cmd\fR) instead of  \fIcharon\fR.
+.TP
 .BR charon.block_threshold " [5]"
 Maximum number of half-open IKE_SAs for a single peer IP
 .TP
@@ -168,6 +174,9 @@ used certificates.
 Maximum size (in bytes) of a sent fragment when using the proprietary IKEv1
 fragmentation extension.
 .TP
+.BR charon.group
+Name of the group the daemon changes to after startup
+.TP
 .BR charon.half_open_timeout " [30]"
 Timeout in seconds for connecting IKE_SAs (also see IKE_SA_INIT DROPPING).
 .TP
@@ -311,6 +320,9 @@ Section to define syslog loggers, see LOGGER CONFIGURATION
 .TP
 .BR charon.threads " [16]"
 Number of worker threads in charon
+.TP
+.BR charon.user
+Name of the user the daemon changes to after startup
 .SS charon.plugins subsection
 .TP
 .BR charon.plugins.android_log.loglevel " [1]"
@@ -323,6 +335,18 @@ configuration payload (CP)
 .BR charon.plugins.certexpire.csv.cron
 Cron style string specifying CSV export times
 .TP
+.BR charon.plugins.certexpire.csv.empty_string
+String to use in empty intermediate CA fields
+.TP
+.BR charon.plugins.certexpire.csv.fixed_fields " [yes]"
+Use a fixed intermediate CA field count
+.TP
+.BR charon.plugins.certexpire.csv.force " [yes]"
+Force export of all trustchains we have a private key for
+.TP
+.BR charon.plugins.certexpire.csv.format " [%d:%m:%Y]"
+strftime(3) format string to export expiration dates as
+.TP
 .BR charon.plugins.certexpire.csv.local
 strftime(3) format string for the CSV file name to export local certificates to
 .TP
@@ -332,15 +356,6 @@ strftime(3) format string for the CSV file name to export remote certificates to
 .BR charon.plugins.certexpire.csv.separator " [,]"
 CSV field separator
 .TP
-.BR charon.plugins.certexpire.csv.empty_string
-String to use in empty intermediate CA fields
-.TP
-.BR charon.plugins.certexpire.csv.format " [%d:%m:%Y]"
-strftime(3) format string to export expiration dates as
-.TP
-.BR charon.plugins.certexpire.csv.fixed_fields " [yes]"
-Use a fixed intermediate CA field count
-.TP
 .BR charon.plugins.coupling.file
 File to store coupling list to
 .TP
@@ -367,6 +382,9 @@ DHCP server unicast or broadcast IP address
 .BR charon.plugins.duplicheck.enable " [yes]"
 Enable duplicheck plugin (if loaded)
 .TP
+.BR charon.plugins.duplicheck.socket " [unix://${piddir}/charon.dck]"
+Socket provided by the duplicheck plugin
+.TP
 .BR charon.plugins.eap-aka.request_identity " [yes]"
 
 .TP
@@ -410,6 +428,9 @@ Request peer authentication based on a client certificate
 .BR charon.plugins.eap-radius.accounting " [no]"
 Send RADIUS accounting information to RADIUS servers.
 .TP
+.BR charon.plugins.eap-radius.accounting_requires_vip " [no]"
+If enabled, accounting is disabled unless an IKE_SA has at least one virtual IP
+.TP
 .BR charon.plugins.eap-radius.class_group " [no]"
 Use the
 .I class
@@ -546,6 +567,9 @@ Start phase2 EAP TNC protocol after successful client authentication
 .BR charon.plugins.eap-ttls.request_peer_auth " [no]"
 Request peer authentication based on a client certificate
 .TP
+.BR charon.plugins.error-notify.socket " [unix://${piddir}/charon.enfy]"
+Socket provided by the error-notify plugin
+.TP
 .BR charon.plugins.ha.autobalance " [0]"
 Interval in seconds to automatically balance handled segments between nodes.
 Set to 0 to disable.
@@ -581,7 +605,7 @@ Set to 0 to disable.
 
 .TP
 .BR charon.plugins.ipseckey.enable " [no]"
-Enable the fetching of IPSECKEY RRs from the DNS
+Enable the fetching of IPSECKEY RRs via DNS
 .TP
 .BR charon.plugins.led.activity_led
 
@@ -595,9 +619,18 @@ Number of ipsecN devices
 .BR charon.plugins.kernel-klips.ipsec_dev_mtu " [0]"
 Set MTU of ipsecN device
 .TP
+.BR charon.plugins.kernel-netlink.roam_events " [yes]"
+Whether to trigger roam events when interfaces, addresses or routes change
+.TP
+.BR charon.plugins.kernel-pfroute.vip_wait " [1000]"
+Time in ms to wait until virtual IP addresses appear/disappear before failing.
+.TP
 .BR charon.plugins.load-tester
 Section to configure the load-tester plugin, see LOAD TESTS
 .TP
+.BR charon.plugins.lookip.socket " [unix://${piddir}/charon.lkp]"
+Socket provided by the lookip plugin
+.TP
 .BR charon.plugins.radattr.dir
 Directory where RADIUS attributes are stored in client-ID specific files.
 .TP
@@ -617,6 +650,12 @@ have a high priority according to the order defined in interface-order(5).
 .BR charon.plugins.socket-default.set_source " [yes]"
 Set source address on outbound packets, if possible.
 .TP
+.BR charon.plugins.socket-default.use_ipv4 " [yes]"
+Listen on IPv4, if possible.
+.TP
+.BR charon.plugins.socket-default.use_ipv6 " [yes]"
+Listen on IPv6, if possible.
+.TP
 .BR charon.plugins.sql.database
 Database URI for charons SQL plugin
 .TP
@@ -630,6 +669,9 @@ certificates even if they don't contain a CA basic constraint.
 .BR charon.plugins.stroke.max_concurrent " [4]"
 Maximum number of stroke messages handled concurrently
 .TP
+.BR charon.plugins.stroke.socket " [unix://${piddir}/charon.ctl]"
+Socket provided by the stroke plugin
+.TP
 .BR charon.plugins.stroke.timeout " [0]"
 Timeout in ms for any stroke command. Use 0 to disable the timeout
 .TP
@@ -707,6 +749,9 @@ plugins, like resolve)
 .BR charon.plugins.whitelist.enable " [yes]"
 Enable loaded whitelist plugin
 .TP
+.BR charon.plugins.whitelist.socket " [unix://${piddir}/charon.wlst]"
+Socket provided by the whitelist plugin
+.TP
 .BR charon.plugins.xauth-eap.backend " [radius]"
 EAP plugin to be used as backend for XAuth credential verification
 .TP
@@ -760,6 +805,9 @@ Includes source file names and line numbers in leak detective output
 .BR libstrongswan.leak_detective.usage_threshold " [10240]"
 Threshold in bytes for leaks to be reported (0 to report all)
 .TP
+.BR libstrongswan.leak_detective.usage_threshold_count " [0]"
+Threshold in number of allocations for leaks to be reported (0 to report all)
+.TP
 .BR libstrongswan.processor.priority_threads
 Subsection to configure the number of reserved threads per priority class
 see JOB PRIORITY MANAGEMENT
@@ -820,6 +868,19 @@ File to read DNS resolver configuration from
 .TP
 .BR libstrongswan.plugins.unbound.trust_anchors " [/etc/ipsec.d/dnssec.keys]"
 File to read DNSSEC trust anchors from (usually root zone KSK)
+.SS libtls section
+.TP
+.BR libtls.cipher
+List of TLS encryption ciphers
+.TP
+.BR libtls.key_exchange
+List of TLS key exchange methods
+.TP
+.BR libtls.mac
+List of TLS MAC algorithms
+.TP
+.BR libtls.suites
+List of TLS cipher suites
 .SS libtnccs section
 .TP
 .BR libtnccs.tnc_config " [/etc/tnc_config]"
@@ -829,17 +890,27 @@ TNC IMC/IMV configuration directory
 .BR libimcv.assessment_result " [yes]"
 Whether IMVs send a standard IETF Assessment Result attribute
 .TP
+.BR libimcv.database
+Global IMV policy database URI
+.TP
 .BR libimcv.debug_level " [1]"
 Debug level for a stand-alone libimcv library
 .TP
-.BR libimcv.stderr_quiet " [no]"
-Disable output to stderr with a stand-alone libimcv library
+.BR libimcv.load " [random nonce gmp pubkey x509]"
+Plugins to load in IMC/IMVs
 .TP
 .BR libimcv.os_info.name
 Manually set the name of the client OS (e.g. Ubuntu)
 .TP
 .BR libimcv.os_info.version
 Manually set the version of the client OS (e.g. 12.04 i686)
+.TP
+.BR libimcv.policy_script " [ipsec _imv_policy]"
+Script called for each TNC connection to generate IMV policies
+.TP
+.BR libimcv.stderr_quiet " [no]"
+isable output to stderr with a stand-alone libimcv library
+.PP
 .SS libimcv plugins section
 .TP
 .BR libimcv.plugins.imc-attestation.aik_blob
@@ -860,9 +931,6 @@ Use Quote2 AIK signature instead of Quote signature
 .BR libimcv.plugins.imv-attestation.cadir
 Path to directory with AIK cacerts
 .TP
-.BR libimcv.plugins.imv-attestation.database
-Path to database with file measurement information
-.TP
 .BR libimcv.plugins.imv-attestation.dh_group " [ecp256]"
 Preferred Diffie-Hellman group
 .TP
@@ -878,27 +946,15 @@ URI pointing to attestation remediation instructions
 .BR libimcv.plugins.imc-os.push_info " [yes]"
 Send operating system info without being prompted
 .TP
-.BR libimcv.plugins.imv-os.database
-Database URI for the database that stores operating system information
-.TP
 .BR libimcv.plugins.imv-os.remediation_uri
 URI pointing to operating system remediation instructions
 .TP
 .BR libimcv.plugins.imc-scanner.push_info " [yes]"
 Send open listening ports without being prompted
 .TP
-.BR libimcv.plugins.imv-scanner.closed_port_policy " [yes]"
-By default all ports must be closed (yes) or can be open (no)
-.TP
 .BR libimcv.plugins.imv-scanner.remediation_uri
 URI pointing to scanner remediation instructions
 .TP
-.BR libimcv.plugins.imv-scanner.tcp_ports
-List of TCP ports that can be open or must be closed
-.TP
-.BR libimcv.plugins.imv-scanner.udp_ports
-List of UDP ports that can be open or must be closed
-.TP
 .BR libimcv.plugins.imc-test.additional_ids " [0]"
 Number of additional IMC IDs
 .TP
@@ -908,30 +964,17 @@ Command to be sent to the Test IMV
 .BR libimcv.plugins.imc-test.dummy_size " [0]"
 Size of dummy attribute to be sent to the Test IMV (0 = disabled)
 .TP
+.BR libimcv.plugins.imv-test.remediation_uri
+URI pointing to test remediation instructions
+.TP
 .BR libimcv.plugins.imc-test.retry " [no]"
 Do a handshake retry
 .TP
 .BR libimcv.plugins.imc-test.retry_command
 Command to be sent to the Test IMV in the handshake retry
 .TP
-.BR libimcv.plugins.imv-test.remediation_uri
-URI pointing to test remediation instructions
-.TP
 .BR libimcv.plugins.imv-test.rounds " [0]"
 Number of IMC-IMV retry rounds
-.SS libtls section
-.TP
-.BR libtls.cipher
-List of TLS encryption ciphers
-.TP
-.BR libtls.key_exchange
-List of TLS key exchange methods
-.TP
-.BR libtls.mac
-List of TLS MAC algorithms
-.TP
-.BR libtls.suites
-List of TLS cipher suites
 .SS manager section
 .TP
 .BR manager.database
@@ -1450,9 +1493,13 @@ Request an INTERNAL_IPV4_ADDR from the server
 .BR charon.plugins.load-tester.shutdown_when_complete " [no]"
 Shutdown the daemon after all IKE_SAs have been established
 .TP
+.BR charon.plugins.load-tester.socket " [unix://${piddir}/charon.ldt]"
+Socket provided by the load-tester plugin
+.TP
 .BR charon.plugins.load-tester.version " [0]"
 IKE version to use (0 means use IKEv2 as initiator and accept any version as
 responder)
+.PP
 .SS Configuration details
 For public key authentication, the responder uses the
 .B \(dqCN=srv, OU=load-test, O=strongSwan\(dq
@@ -1608,7 +1655,8 @@ giving up	76s	165s
 /etc/strongswan.conf
 
 .SH SEE ALSO
-ipsec.conf(5), ipsec.secrets(5), ipsec(8)
+\fBipsec.conf\fR(5), \fBipsec.secrets\fR(5), \fBipsec\fR(8), \fBcharon-cmd\fR(8)
+
 .SH HISTORY
 Written for the
 .UR http://www.strongswan.org
diff --git a/scripts/Makefile.am b/scripts/Makefile.am
index f7ecd9ef6..06d4609cf 100644
--- a/scripts/Makefile.am
+++ b/scripts/Makefile.am
@@ -1,10 +1,11 @@
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libtls
-AM_CFLAGS = \
--DPLUGINS="\"${scripts_plugins}\""
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libtls \
+	-DPLUGINS="\"${scripts_plugins}\""
 
 noinst_PROGRAMS = bin2array bin2sql id2sql key2keyid keyid2sql oid2der \
 	thread_analysis dh_speed pubkey_speed crypt_burn hash_burn fetch \
-	dnssec
+	dnssec malloc_speed
 
 if USE_TLS
   noinst_PROGRAMS += tls_test
@@ -24,6 +25,7 @@ dh_speed_SOURCES = dh_speed.c
 pubkey_speed_SOURCES = pubkey_speed.c
 crypt_burn_SOURCES = crypt_burn.c
 hash_burn_SOURCES = hash_burn.c
+malloc_speed_SOURCES = malloc_speed.c
 fetch_SOURCES = fetch.c
 dnssec_SOURCES = dnssec.c
 id2sql_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la
@@ -34,6 +36,7 @@ dh_speed_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la -lrt
 pubkey_speed_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la -lrt
 crypt_burn_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la
 hash_burn_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la
+malloc_speed_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la
 fetch_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la
 dnssec_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la
 
diff --git a/scripts/Makefile.in b/scripts/Makefile.in
index 390c820aa..6808d2436 100644
--- a/scripts/Makefile.in
+++ b/scripts/Makefile.in
@@ -55,7 +55,8 @@ noinst_PROGRAMS = bin2array$(EXEEXT) bin2sql$(EXEEXT) id2sql$(EXEEXT) \
 	key2keyid$(EXEEXT) keyid2sql$(EXEEXT) oid2der$(EXEEXT) \
 	thread_analysis$(EXEEXT) dh_speed$(EXEEXT) \
 	pubkey_speed$(EXEEXT) crypt_burn$(EXEEXT) hash_burn$(EXEEXT) \
-	fetch$(EXEEXT) dnssec$(EXEEXT) $(am__EXEEXT_1)
+	fetch$(EXEEXT) dnssec$(EXEEXT) malloc_speed$(EXEEXT) \
+	$(am__EXEEXT_1)
 @USE_TLS_TRUE@am__append_1 = tls_test
 subdir = scripts
 DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
@@ -68,7 +69,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
@@ -80,6 +81,9 @@ PROGRAMS = $(noinst_PROGRAMS)
 am_bin2array_OBJECTS = bin2array.$(OBJEXT)
 bin2array_OBJECTS = $(am_bin2array_OBJECTS)
 bin2array_LDADD = $(LDADD)
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
 am_bin2sql_OBJECTS = bin2sql.$(OBJEXT)
 bin2sql_OBJECTS = $(am_bin2sql_OBJECTS)
 bin2sql_LDADD = $(LDADD)
@@ -115,6 +119,10 @@ am_keyid2sql_OBJECTS = keyid2sql.$(OBJEXT)
 keyid2sql_OBJECTS = $(am_keyid2sql_OBJECTS)
 keyid2sql_DEPENDENCIES =  \
 	$(top_builddir)/src/libstrongswan/libstrongswan.la
+am_malloc_speed_OBJECTS = malloc_speed.$(OBJEXT)
+malloc_speed_OBJECTS = $(am_malloc_speed_OBJECTS)
+malloc_speed_DEPENDENCIES =  \
+	$(top_builddir)/src/libstrongswan/libstrongswan.la
 am_oid2der_OBJECTS = oid2der.$(OBJEXT)
 oid2der_OBJECTS = $(am_oid2der_OBJECTS)
 oid2der_DEPENDENCIES =  \
@@ -137,23 +145,38 @@ am__depfiles_maybe = depfiles
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
 SOURCES = $(bin2array_SOURCES) $(bin2sql_SOURCES) \
 	$(crypt_burn_SOURCES) $(dh_speed_SOURCES) $(dnssec_SOURCES) \
 	$(fetch_SOURCES) $(hash_burn_SOURCES) $(id2sql_SOURCES) \
-	$(key2keyid_SOURCES) $(keyid2sql_SOURCES) $(oid2der_SOURCES) \
+	$(key2keyid_SOURCES) $(keyid2sql_SOURCES) \
+	$(malloc_speed_SOURCES) $(oid2der_SOURCES) \
 	$(pubkey_speed_SOURCES) $(thread_analysis_SOURCES) \
 	$(tls_test_SOURCES)
 DIST_SOURCES = $(bin2array_SOURCES) $(bin2sql_SOURCES) \
 	$(crypt_burn_SOURCES) $(dh_speed_SOURCES) $(dnssec_SOURCES) \
 	$(fetch_SOURCES) $(hash_burn_SOURCES) $(id2sql_SOURCES) \
-	$(key2keyid_SOURCES) $(keyid2sql_SOURCES) $(oid2der_SOURCES) \
+	$(key2keyid_SOURCES) $(keyid2sql_SOURCES) \
+	$(malloc_speed_SOURCES) $(oid2der_SOURCES) \
 	$(pubkey_speed_SOURCES) $(thread_analysis_SOURCES) \
 	$(am__tls_test_SOURCES_DIST)
 am__can_run_installinfo = \
@@ -167,6 +190,7 @@ DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
@@ -179,6 +203,8 @@ CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
 CHECK_CFLAGS = @CHECK_CFLAGS@
 CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -194,6 +220,7 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
 GPRBUILD = @GPRBUILD@
 GREP = @GREP@
@@ -202,6 +229,7 @@ INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -248,6 +276,7 @@ SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -276,6 +305,7 @@ charon_natt_port = @charon_natt_port@
 charon_plugins = @charon_plugins@
 charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
@@ -353,9 +383,10 @@ top_srcdir = @top_srcdir@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libtls
-AM_CFLAGS = \
--DPLUGINS="\"${scripts_plugins}\""
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libtls \
+	-DPLUGINS="\"${scripts_plugins}\""
 
 @USE_TLS_TRUE@tls_test_SOURCES = tls_test.c
 @USE_TLS_TRUE@tls_test_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la \
@@ -372,6 +403,7 @@ dh_speed_SOURCES = dh_speed.c
 pubkey_speed_SOURCES = pubkey_speed.c
 crypt_burn_SOURCES = crypt_burn.c
 hash_burn_SOURCES = hash_burn.c
+malloc_speed_SOURCES = malloc_speed.c
 fetch_SOURCES = fetch.c
 dnssec_SOURCES = dnssec.c
 id2sql_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la
@@ -382,6 +414,7 @@ dh_speed_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la -lrt
 pubkey_speed_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la -lrt
 crypt_burn_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la
 hash_burn_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la
+malloc_speed_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la
 fetch_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la
 dnssec_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la
 all: all-am
@@ -429,46 +462,49 @@ clean-noinstPROGRAMS:
 	rm -f $$list
 bin2array$(EXEEXT): $(bin2array_OBJECTS) $(bin2array_DEPENDENCIES) $(EXTRA_bin2array_DEPENDENCIES) 
 	@rm -f bin2array$(EXEEXT)
-	$(LINK) $(bin2array_OBJECTS) $(bin2array_LDADD) $(LIBS)
+	$(AM_V_CCLD)$(LINK) $(bin2array_OBJECTS) $(bin2array_LDADD) $(LIBS)
 bin2sql$(EXEEXT): $(bin2sql_OBJECTS) $(bin2sql_DEPENDENCIES) $(EXTRA_bin2sql_DEPENDENCIES) 
 	@rm -f bin2sql$(EXEEXT)
-	$(LINK) $(bin2sql_OBJECTS) $(bin2sql_LDADD) $(LIBS)
+	$(AM_V_CCLD)$(LINK) $(bin2sql_OBJECTS) $(bin2sql_LDADD) $(LIBS)
 crypt_burn$(EXEEXT): $(crypt_burn_OBJECTS) $(crypt_burn_DEPENDENCIES) $(EXTRA_crypt_burn_DEPENDENCIES) 
 	@rm -f crypt_burn$(EXEEXT)
-	$(LINK) $(crypt_burn_OBJECTS) $(crypt_burn_LDADD) $(LIBS)
+	$(AM_V_CCLD)$(LINK) $(crypt_burn_OBJECTS) $(crypt_burn_LDADD) $(LIBS)
 dh_speed$(EXEEXT): $(dh_speed_OBJECTS) $(dh_speed_DEPENDENCIES) $(EXTRA_dh_speed_DEPENDENCIES) 
 	@rm -f dh_speed$(EXEEXT)
-	$(LINK) $(dh_speed_OBJECTS) $(dh_speed_LDADD) $(LIBS)
+	$(AM_V_CCLD)$(LINK) $(dh_speed_OBJECTS) $(dh_speed_LDADD) $(LIBS)
 dnssec$(EXEEXT): $(dnssec_OBJECTS) $(dnssec_DEPENDENCIES) $(EXTRA_dnssec_DEPENDENCIES) 
 	@rm -f dnssec$(EXEEXT)
-	$(LINK) $(dnssec_OBJECTS) $(dnssec_LDADD) $(LIBS)
+	$(AM_V_CCLD)$(LINK) $(dnssec_OBJECTS) $(dnssec_LDADD) $(LIBS)
 fetch$(EXEEXT): $(fetch_OBJECTS) $(fetch_DEPENDENCIES) $(EXTRA_fetch_DEPENDENCIES) 
 	@rm -f fetch$(EXEEXT)
-	$(LINK) $(fetch_OBJECTS) $(fetch_LDADD) $(LIBS)
+	$(AM_V_CCLD)$(LINK) $(fetch_OBJECTS) $(fetch_LDADD) $(LIBS)
 hash_burn$(EXEEXT): $(hash_burn_OBJECTS) $(hash_burn_DEPENDENCIES) $(EXTRA_hash_burn_DEPENDENCIES) 
 	@rm -f hash_burn$(EXEEXT)
-	$(LINK) $(hash_burn_OBJECTS) $(hash_burn_LDADD) $(LIBS)
+	$(AM_V_CCLD)$(LINK) $(hash_burn_OBJECTS) $(hash_burn_LDADD) $(LIBS)
 id2sql$(EXEEXT): $(id2sql_OBJECTS) $(id2sql_DEPENDENCIES) $(EXTRA_id2sql_DEPENDENCIES) 
 	@rm -f id2sql$(EXEEXT)
-	$(LINK) $(id2sql_OBJECTS) $(id2sql_LDADD) $(LIBS)
+	$(AM_V_CCLD)$(LINK) $(id2sql_OBJECTS) $(id2sql_LDADD) $(LIBS)
 key2keyid$(EXEEXT): $(key2keyid_OBJECTS) $(key2keyid_DEPENDENCIES) $(EXTRA_key2keyid_DEPENDENCIES) 
 	@rm -f key2keyid$(EXEEXT)
-	$(LINK) $(key2keyid_OBJECTS) $(key2keyid_LDADD) $(LIBS)
+	$(AM_V_CCLD)$(LINK) $(key2keyid_OBJECTS) $(key2keyid_LDADD) $(LIBS)
 keyid2sql$(EXEEXT): $(keyid2sql_OBJECTS) $(keyid2sql_DEPENDENCIES) $(EXTRA_keyid2sql_DEPENDENCIES) 
 	@rm -f keyid2sql$(EXEEXT)
-	$(LINK) $(keyid2sql_OBJECTS) $(keyid2sql_LDADD) $(LIBS)
+	$(AM_V_CCLD)$(LINK) $(keyid2sql_OBJECTS) $(keyid2sql_LDADD) $(LIBS)
+malloc_speed$(EXEEXT): $(malloc_speed_OBJECTS) $(malloc_speed_DEPENDENCIES) $(EXTRA_malloc_speed_DEPENDENCIES) 
+	@rm -f malloc_speed$(EXEEXT)
+	$(AM_V_CCLD)$(LINK) $(malloc_speed_OBJECTS) $(malloc_speed_LDADD) $(LIBS)
 oid2der$(EXEEXT): $(oid2der_OBJECTS) $(oid2der_DEPENDENCIES) $(EXTRA_oid2der_DEPENDENCIES) 
 	@rm -f oid2der$(EXEEXT)
-	$(LINK) $(oid2der_OBJECTS) $(oid2der_LDADD) $(LIBS)
+	$(AM_V_CCLD)$(LINK) $(oid2der_OBJECTS) $(oid2der_LDADD) $(LIBS)
 pubkey_speed$(EXEEXT): $(pubkey_speed_OBJECTS) $(pubkey_speed_DEPENDENCIES) $(EXTRA_pubkey_speed_DEPENDENCIES) 
 	@rm -f pubkey_speed$(EXEEXT)
-	$(LINK) $(pubkey_speed_OBJECTS) $(pubkey_speed_LDADD) $(LIBS)
+	$(AM_V_CCLD)$(LINK) $(pubkey_speed_OBJECTS) $(pubkey_speed_LDADD) $(LIBS)
 thread_analysis$(EXEEXT): $(thread_analysis_OBJECTS) $(thread_analysis_DEPENDENCIES) $(EXTRA_thread_analysis_DEPENDENCIES) 
 	@rm -f thread_analysis$(EXEEXT)
-	$(LINK) $(thread_analysis_OBJECTS) $(thread_analysis_LDADD) $(LIBS)
+	$(AM_V_CCLD)$(LINK) $(thread_analysis_OBJECTS) $(thread_analysis_LDADD) $(LIBS)
 tls_test$(EXEEXT): $(tls_test_OBJECTS) $(tls_test_DEPENDENCIES) $(EXTRA_tls_test_DEPENDENCIES) 
 	@rm -f tls_test$(EXEEXT)
-	$(LINK) $(tls_test_OBJECTS) $(tls_test_LDADD) $(LIBS)
+	$(AM_V_CCLD)$(LINK) $(tls_test_OBJECTS) $(tls_test_LDADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -486,31 +522,32 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/id2sql.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/key2keyid.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/keyid2sql.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/malloc_speed.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/oid2der.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pubkey_speed.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/thread_analysis.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tls_test.Po@am__quote@
 
 .c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
 mostlyclean-libtool:
 	-rm -f *.lo
diff --git a/scripts/crypt_burn.c b/scripts/crypt_burn.c
index 9633568cd..8101f9cbd 100644
--- a/scripts/crypt_burn.c
+++ b/scripts/crypt_burn.c
@@ -27,7 +27,7 @@ int main(int argc, char *argv[])
 
 
 	library_init(NULL);
-	lib->plugins->load(lib->plugins, NULL, PLUGINS);
+	lib->plugins->load(lib->plugins, PLUGINS);
 	atexit(library_deinit);
 
 	printf("loaded: %s\n", PLUGINS);
diff --git a/scripts/dh_speed.c b/scripts/dh_speed.c
index 588807597..dc0a2870f 100644
--- a/scripts/dh_speed.c
+++ b/scripts/dh_speed.c
@@ -119,7 +119,7 @@ int main(int argc, char *argv[])
 	}
 
 	library_init(NULL);
-	lib->plugins->load(lib->plugins, NULL, argv[1]);
+	lib->plugins->load(lib->plugins, argv[1]);
 	atexit(library_deinit);
 
 	rounds = atoi(argv[2]);
diff --git a/scripts/dnssec.c b/scripts/dnssec.c
index 315a14618..0cddfc47e 100644
--- a/scripts/dnssec.c
+++ b/scripts/dnssec.c
@@ -50,7 +50,7 @@ int main(int argc, char *argv[])
 
 	dbg = dbg_dnssec;
 
-	if (!lib->plugins->load(lib->plugins, NULL, PLUGINS))
+	if (!lib->plugins->load(lib->plugins, PLUGINS))
 	{
 		return 1;
 	}
diff --git a/scripts/fetch.c b/scripts/fetch.c
index 23f857246..f58b37f89 100644
--- a/scripts/fetch.c
+++ b/scripts/fetch.c
@@ -37,7 +37,7 @@ int main(int argc, char *argv[])
 
 	library_init(NULL);
 	atexit(library_deinit);
-	lib->plugins->load(lib->plugins, NULL, PLUGINS);
+	lib->plugins->load(lib->plugins, PLUGINS);
 
 	if (argc != 3 || (!streq(argv[1], "a") && !streq(argv[1], "s")))
 	{
diff --git a/scripts/hash_burn.c b/scripts/hash_burn.c
index e616d6d5a..20e5642d4 100644
--- a/scripts/hash_burn.c
+++ b/scripts/hash_burn.c
@@ -26,7 +26,7 @@ int main(int argc, char *argv[])
 	int limit = 0, i = 0;
 
 	library_init(NULL);
-	lib->plugins->load(lib->plugins, NULL, PLUGINS);
+	lib->plugins->load(lib->plugins, PLUGINS);
 	atexit(library_deinit);
 
 	printf("loaded: %s\n", PLUGINS);
diff --git a/scripts/key2keyid.c b/scripts/key2keyid.c
index aba96a8c1..31f3bee82 100644
--- a/scripts/key2keyid.c
+++ b/scripts/key2keyid.c
@@ -31,7 +31,7 @@ int main(int argc, char *argv[])
 	int read;
 
 	library_init(NULL);
-	lib->plugins->load(lib->plugins, NULL, PLUGINS);
+	lib->plugins->load(lib->plugins, PLUGINS);
 	atexit(library_deinit);
 
 	read = fread(buf, 1, sizeof(buf), stdin);
diff --git a/scripts/keyid2sql.c b/scripts/keyid2sql.c
index 26427ab3d..6e9a1334e 100644
--- a/scripts/keyid2sql.c
+++ b/scripts/keyid2sql.c
@@ -31,7 +31,7 @@ int main(int argc, char *argv[])
 	int read, n;
 
 	library_init(NULL);
-	lib->plugins->load(lib->plugins, NULL, PLUGINS);
+	lib->plugins->load(lib->plugins, PLUGINS);
 	atexit(library_deinit);
 
 	read = fread(buf, 1, sizeof(buf), stdin);
diff --git a/scripts/malloc_speed.c b/scripts/malloc_speed.c
new file mode 100644
index 000000000..85d51a281
--- /dev/null
+++ b/scripts/malloc_speed.c
@@ -0,0 +1,85 @@
+/*
+ * Copyright (C) 2013 Martin Willi
+ * Copyright (C) 2013 revosec aG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <stdio.h>
+#include <time.h>
+#include <library.h>
+#include <utils/debug.h>
+
+#ifdef HAVE_MALLINFO
+#include <malloc.h>
+#endif /* HAVE_MALLINFO */
+
+static void start_timing(struct timespec *start)
+{
+	clock_gettime(CLOCK_THREAD_CPUTIME_ID, start);
+}
+
+static double end_timing(struct timespec *start)
+{
+	struct timespec end;
+
+	clock_gettime(CLOCK_THREAD_CPUTIME_ID, &end);
+	return (end.tv_nsec - start->tv_nsec) / 1000000000.0 +
+			(end.tv_sec - start->tv_sec) * 1.0;
+}
+
+static void print_mallinfo()
+{
+#ifdef HAVE_MALLINFO
+	struct mallinfo mi = mallinfo();
+
+	printf("malloc: sbrk %d, mmap %d, used %d, free %d\n",
+		   mi.arena, mi.hblkhd, mi.uordblks, mi.fordblks);
+#endif /* HAVE_MALLINFO */
+}
+
+#define ALLOCS 1024
+#define ROUNDS 2048
+
+int main(int argc, char *argv[])
+{
+	struct timespec timing;
+	int i, round;
+	void *m[ALLOCS];
+	/* a random set of allocations we test */
+	int sizes[16] = { 1, 13, 100, 1000, 16, 10000, 50, 17,
+					  123, 32, 8, 64, 8096, 1024, 123, 9 };
+
+	library_init(NULL);
+	atexit(library_deinit);
+
+	print_mallinfo();
+
+	start_timing(&timing);
+
+	for (round = 0; round < ROUNDS; round++)
+	{
+		for (i = 0; i < ALLOCS; i++)
+		{
+			m[i] = malloc(sizes[(round + i) % countof(sizes)]);
+		}
+		for (i = 0; i < ALLOCS; i++)
+		{
+			free(m[i]);
+		}
+	}
+	printf("time for %d malloc/frees, repeating %d rounds: %.4fs\n",
+		   ALLOCS, ROUNDS, end_timing(&timing));
+
+	print_mallinfo();
+
+	return 0;
+}
diff --git a/scripts/pubkey_speed.c b/scripts/pubkey_speed.c
index 32c6e8f49..ba3ad1f5e 100644
--- a/scripts/pubkey_speed.c
+++ b/scripts/pubkey_speed.c
@@ -58,7 +58,7 @@ int main(int argc, char *argv[])
 	}
 
 	library_init(NULL);
-	lib->plugins->load(lib->plugins, NULL, argv[1]);
+	lib->plugins->load(lib->plugins, argv[1]);
 	atexit(library_deinit);
 
 	keydata = chunk_create(buf, 0);
diff --git a/scripts/tls_test.c b/scripts/tls_test.c
index 332f13d89..e1e8ca82b 100644
--- a/scripts/tls_test.c
+++ b/scripts/tls_test.c
@@ -255,7 +255,7 @@ static void init()
 
 	dbg = dbg_tls;
 
-	lib->plugins->load(lib->plugins, NULL, PLUGINS);
+	lib->plugins->load(lib->plugins, PLUGINS);
 
 	creds = mem_cred_create();
 	lib->credmgr->add_set(lib->credmgr, &creds->set);
diff --git a/src/Makefile.am b/src/Makefile.am
index 07953b0b0..47299b03c 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -104,6 +104,10 @@ if USE_TKM
   SUBDIRS += charon-tkm
 endif
 
+if USE_CMD
+  SUBDIRS += charon-cmd
+endif
+
 EXTRA_DIST = strongswan.conf
 
 install-exec-local :
diff --git a/src/Makefile.in b/src/Makefile.in
index d9227f5f3..00055e34b 100644
--- a/src/Makefile.in
+++ b/src/Makefile.in
@@ -76,6 +76,7 @@ host_triplet = @host@
 @USE_MEDSRV_TRUE@am__append_24 = medsrv
 @USE_INTEGRITY_TEST_TRUE@am__append_25 = checksum
 @USE_TKM_TRUE@am__append_26 = charon-tkm
+@USE_CMD_TRUE@am__append_27 = charon-cmd
 subdir = src
 DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
@@ -87,13 +88,19 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
 CONFIG_HEADER = $(top_builddir)/config.h
 CONFIG_CLEAN_FILES =
 CONFIG_CLEAN_VPATH_FILES =
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 SOURCES =
 DIST_SOURCES =
 RECURSIVE_TARGETS = all-recursive check-recursive dvi-recursive \
@@ -119,7 +126,7 @@ DIST_SUBDIRS = . include libstrongswan libhydra libipsec libsimaka \
 	libtls libradius libtncif libtnccs libpttls libimcv libpts \
 	libcharon starter ipsec _copyright charon charon-nm stroke \
 	_updown _updown_espmark openac scepclient pki conftest dumm \
-	libfast manager medsrv checksum charon-tkm
+	libfast manager medsrv checksum charon-tkm charon-cmd
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 am__relativize = \
   dir0=`pwd`; \
@@ -149,6 +156,7 @@ am__relativize = \
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
@@ -161,6 +169,8 @@ CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
 CHECK_CFLAGS = @CHECK_CFLAGS@
 CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -176,6 +186,7 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
 GPRBUILD = @GPRBUILD@
 GREP = @GREP@
@@ -184,6 +195,7 @@ INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -230,6 +242,7 @@ SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -258,6 +271,7 @@ charon_natt_port = @charon_natt_port@
 charon_plugins = @charon_plugins@
 charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
@@ -343,7 +357,7 @@ SUBDIRS = . include $(am__append_1) $(am__append_2) $(am__append_3) \
 	$(am__append_16) $(am__append_17) $(am__append_18) \
 	$(am__append_19) $(am__append_20) $(am__append_21) \
 	$(am__append_22) $(am__append_23) $(am__append_24) \
-	$(am__append_25) $(am__append_26)
+	$(am__append_25) $(am__append_26) $(am__append_27)
 EXTRA_DIST = strongswan.conf
 all: all-recursive
 
diff --git a/src/_copyright/Makefile.am b/src/_copyright/Makefile.am
index 915b57421..62baf94da 100644
--- a/src/_copyright/Makefile.am
+++ b/src/_copyright/Makefile.am
@@ -1,7 +1,7 @@
 ipsec_PROGRAMS = _copyright
 _copyright_SOURCES = _copyright.c
 
-INCLUDES = \
--I$(top_srcdir)/src/libstrongswan
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan
 
 _copyright_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la
diff --git a/src/_copyright/Makefile.in b/src/_copyright/Makefile.in
index 8908c9856..2a0d6779d 100644
--- a/src/_copyright/Makefile.in
+++ b/src/_copyright/Makefile.in
@@ -63,7 +63,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
@@ -76,19 +76,35 @@ am__copyright_OBJECTS = _copyright.$(OBJEXT)
 _copyright_OBJECTS = $(am__copyright_OBJECTS)
 _copyright_DEPENDENCIES =  \
 	$(top_builddir)/src/libstrongswan/libstrongswan.la
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
 DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
 depcomp = $(SHELL) $(top_srcdir)/depcomp
 am__depfiles_maybe = depfiles
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
 SOURCES = $(_copyright_SOURCES)
 DIST_SOURCES = $(_copyright_SOURCES)
 am__can_run_installinfo = \
@@ -102,6 +118,7 @@ DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
@@ -114,6 +131,8 @@ CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
 CHECK_CFLAGS = @CHECK_CFLAGS@
 CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -129,6 +148,7 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
 GPRBUILD = @GPRBUILD@
 GREP = @GREP@
@@ -137,6 +157,7 @@ INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -183,6 +204,7 @@ SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -211,6 +233,7 @@ charon_natt_port = @charon_natt_port@
 charon_plugins = @charon_plugins@
 charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
@@ -289,8 +312,8 @@ urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
 _copyright_SOURCES = _copyright.c
-INCLUDES = \
--I$(top_srcdir)/src/libstrongswan
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan
 
 _copyright_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la
 all: all-am
@@ -375,7 +398,7 @@ clean-ipsecPROGRAMS:
 	rm -f $$list
 _copyright$(EXEEXT): $(_copyright_OBJECTS) $(_copyright_DEPENDENCIES) $(EXTRA__copyright_DEPENDENCIES) 
 	@rm -f _copyright$(EXEEXT)
-	$(LINK) $(_copyright_OBJECTS) $(_copyright_LDADD) $(LIBS)
+	$(AM_V_CCLD)$(LINK) $(_copyright_OBJECTS) $(_copyright_LDADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -386,25 +409,25 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/_copyright.Po@am__quote@
 
 .c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
 mostlyclean-libtool:
 	-rm -f *.lo
diff --git a/src/_updown/Makefile.am b/src/_updown/Makefile.am
index 116322e1e..b6a81f547 100644
--- a/src/_updown/Makefile.am
+++ b/src/_updown/Makefile.am
@@ -4,6 +4,7 @@ dist_man8_MANS = _updown.8
 EXTRA_DIST = _updown.in
 
 _updown : _updown.in
+	$(AM_V_GEN) \
 	sed \
 	-e "s:\@sbindir\@:$(sbindir):" \
 	-e "s:\@routing_table\@:$(routing_table):" \
diff --git a/src/_updown/Makefile.in b/src/_updown/Makefile.in
index 312ee3e47..9a9e66f88 100644
--- a/src/_updown/Makefile.in
+++ b/src/_updown/Makefile.in
@@ -63,7 +63,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
@@ -99,6 +99,12 @@ am__uninstall_files_from_dir = { \
   }
 am__installdirs = "$(DESTDIR)$(ipsecdir)" "$(DESTDIR)$(man8dir)"
 SCRIPTS = $(ipsec_SCRIPTS)
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 SOURCES =
 DIST_SOURCES =
 am__can_run_installinfo = \
@@ -113,6 +119,7 @@ DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
@@ -125,6 +132,8 @@ CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
 CHECK_CFLAGS = @CHECK_CFLAGS@
 CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -140,6 +149,7 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
 GPRBUILD = @GPRBUILD@
 GREP = @GREP@
@@ -148,6 +158,7 @@ INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -194,6 +205,7 @@ SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -222,6 +234,7 @@ charon_natt_port = @charon_natt_port@
 charon_plugins = @charon_plugins@
 charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
@@ -591,6 +604,7 @@ uninstall-man: uninstall-man8
 
 
 _updown : _updown.in
+	$(AM_V_GEN) \
 	sed \
 	-e "s:\@sbindir\@:$(sbindir):" \
 	-e "s:\@routing_table\@:$(routing_table):" \
diff --git a/src/_updown/_updown.in b/src/_updown/_updown.in
index 3a40e2110..7320a80fb 100644
--- a/src/_updown/_updown.in
+++ b/src/_updown/_updown.in
@@ -51,6 +51,9 @@
 #       PLUTO_REQID
 #              is the requid of the ESP policy
 #
+#       PLUTO_UNIQUEID
+#              is the unique identifier of the associated IKE_SA
+#
 #       PLUTO_ME
 #              is the IP address of our host.
 #
diff --git a/src/_updown_espmark/Makefile.in b/src/_updown_espmark/Makefile.in
index 2b959d109..1b1458d3f 100644
--- a/src/_updown_espmark/Makefile.in
+++ b/src/_updown_espmark/Makefile.in
@@ -63,7 +63,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
@@ -99,6 +99,12 @@ am__uninstall_files_from_dir = { \
   }
 am__installdirs = "$(DESTDIR)$(ipsecdir)" "$(DESTDIR)$(man8dir)"
 SCRIPTS = $(dist_ipsec_SCRIPTS)
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 SOURCES =
 DIST_SOURCES =
 am__can_run_installinfo = \
@@ -113,6 +119,7 @@ DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
@@ -125,6 +132,8 @@ CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
 CHECK_CFLAGS = @CHECK_CFLAGS@
 CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -140,6 +149,7 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
 GPRBUILD = @GPRBUILD@
 GREP = @GREP@
@@ -148,6 +158,7 @@ INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -194,6 +205,7 @@ SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -222,6 +234,7 @@ charon_natt_port = @charon_natt_port@
 charon_plugins = @charon_plugins@
 charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
diff --git a/src/charon-cmd/Makefile.am b/src/charon-cmd/Makefile.am
new file mode 100644
index 000000000..9ed82be5e
--- /dev/null
+++ b/src/charon-cmd/Makefile.am
@@ -0,0 +1,32 @@
+sbin_PROGRAMS = charon-cmd
+CLEANFILES = charon-cmd.8
+dist_man8_MANS = charon-cmd.8
+EXTRA_DIST = charon-cmd.8.in
+
+charon_cmd_SOURCES = \
+	cmd/cmd_options.h cmd/cmd_options.c \
+	cmd/cmd_connection.h cmd/cmd_connection.c \
+	cmd/cmd_creds.h cmd/cmd_creds.c \
+	charon-cmd.c
+
+charon-cmd.o :	$(top_builddir)/config.status
+
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon \
+	-DIPSEC_DIR=\"${ipsecdir}\" \
+	-DIPSEC_PIDDIR=\"${piddir}\" \
+	-DPLUGINS=\""${cmd_plugins}\""
+
+charon_cmd_LDADD = \
+	$(top_builddir)/src/libstrongswan/libstrongswan.la \
+	$(top_builddir)/src/libhydra/libhydra.la \
+	$(top_builddir)/src/libcharon/libcharon.la \
+	-lm $(PTHREADLIB) $(DLLIB)
+
+charon-cmd.8 : charon-cmd.8.in
+	$(AM_V_GEN) \
+	sed \
+	-e "s:@IPSEC_VERSION@:$(PACKAGE_VERSION):" \
+	$(srcdir)/$@.in > $@
diff --git a/src/charon-cmd/Makefile.in b/src/charon-cmd/Makefile.in
new file mode 100644
index 000000000..aa18e05c7
--- /dev/null
+++ b/src/charon-cmd/Makefile.in
@@ -0,0 +1,812 @@
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
+pkgdatadir = $(datadir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+sbin_PROGRAMS = charon-cmd$(EXEEXT)
+subdir = src/charon-cmd
+DIST_COMMON = $(dist_man8_MANS) $(srcdir)/Makefile.am \
+	$(srcdir)/Makefile.in
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+	$(top_srcdir)/m4/config/ltoptions.m4 \
+	$(top_srcdir)/m4/config/ltsugar.m4 \
+	$(top_srcdir)/m4/config/ltversion.m4 \
+	$(top_srcdir)/m4/config/lt~obsolete.m4 \
+	$(top_srcdir)/m4/macros/with.m4 \
+	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
+	$(top_srcdir)/configure.ac
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+	$(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_HEADER = $(top_builddir)/config.h
+CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
+am__installdirs = "$(DESTDIR)$(sbindir)" "$(DESTDIR)$(man8dir)"
+PROGRAMS = $(sbin_PROGRAMS)
+am_charon_cmd_OBJECTS = cmd_options.$(OBJEXT) cmd_connection.$(OBJEXT) \
+	cmd_creds.$(OBJEXT) charon-cmd.$(OBJEXT)
+charon_cmd_OBJECTS = $(am_charon_cmd_OBJECTS)
+am__DEPENDENCIES_1 =
+charon_cmd_DEPENDENCIES =  \
+	$(top_builddir)/src/libstrongswan/libstrongswan.la \
+	$(top_builddir)/src/libhydra/libhydra.la \
+	$(top_builddir)/src/libcharon/libcharon.la \
+	$(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1)
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
+depcomp = $(SHELL) $(top_srcdir)/depcomp
+am__depfiles_maybe = depfiles
+am__mv = mv -f
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
+CCLD = $(CC)
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
+SOURCES = $(charon_cmd_SOURCES)
+DIST_SOURCES = $(charon_cmd_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+    *) f=$$p;; \
+  esac;
+am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
+am__install_max = 40
+am__nobase_strip_setup = \
+  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
+am__nobase_strip = \
+  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
+am__nobase_list = $(am__nobase_strip_setup); \
+  for p in $$list; do echo "$$p $$p"; done | \
+  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
+  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
+    if (++n[$$2] == $(am__install_max)) \
+      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
+    END { for (dir in files) print dir, files[dir] }'
+am__base_list = \
+  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
+  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
+man8dir = $(mandir)/man8
+NROFF = nroff
+MANS = $(dist_man8_MANS)
+ETAGS = etags
+CTAGS = ctags
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
+AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+BFDLIB = @BFDLIB@
+BTLIB = @BTLIB@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
+DSYMUTIL = @DSYMUTIL@
+DUMPBIN = @DUMPBIN@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+FGREP = @FGREP@
+GENHTML = @GENHTML@
+GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
+GREP = @GREP@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
+LD = @LD@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LIPO = @LIPO@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
+MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
+NM = @NM@
+NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
+PTHREADLIB = @PTHREADLIB@
+RANLIB = @RANLIB@
+RTLIB = @RTLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
+SED = @SED@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
+STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
+VERSION = @VERSION@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+attest_plugins = @attest_plugins@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+c_plugins = @c_plugins@
+charon_natt_port = @charon_natt_port@
+charon_plugins = @charon_plugins@
+charon_udp_port = @charon_udp_port@
+clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
+datadir = @datadir@
+datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
+dev_headers = @dev_headers@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
+gtk_CFLAGS = @gtk_CFLAGS@
+gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+imcvdir = @imcvdir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+ipsec_script = @ipsec_script@
+ipsec_script_upper = @ipsec_script_upper@
+ipsecdir = @ipsecdir@
+ipsecgroup = @ipsecgroup@
+ipseclibdir = @ipseclibdir@
+ipsecuser = @ipsecuser@
+libdir = @libdir@
+libexecdir = @libexecdir@
+linux_headers = @linux_headers@
+localedir = @localedir@
+localstatedir = @localstatedir@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
+mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
+mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
+nm_plugins = @nm_plugins@
+oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+pcsclite_CFLAGS = @pcsclite_CFLAGS@
+pcsclite_LIBS = @pcsclite_LIBS@
+pdfdir = @pdfdir@
+piddir = @piddir@
+pki_plugins = @pki_plugins@
+plugindir = @plugindir@
+pool_plugins = @pool_plugins@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+random_device = @random_device@
+resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
+sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
+sharedstatedir = @sharedstatedir@
+soup_CFLAGS = @soup_CFLAGS@
+soup_LIBS = @soup_LIBS@
+srcdir = @srcdir@
+starter_plugins = @starter_plugins@
+strongswan_conf = @strongswan_conf@
+sysconfdir = @sysconfdir@
+systemdsystemunitdir = @systemdsystemunitdir@
+target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+urandom_device = @urandom_device@
+xml_CFLAGS = @xml_CFLAGS@
+xml_LIBS = @xml_LIBS@
+CLEANFILES = charon-cmd.8
+dist_man8_MANS = charon-cmd.8
+EXTRA_DIST = charon-cmd.8.in
+charon_cmd_SOURCES = \
+	cmd/cmd_options.h cmd/cmd_options.c \
+	cmd/cmd_connection.h cmd/cmd_connection.c \
+	cmd/cmd_creds.h cmd/cmd_creds.c \
+	charon-cmd.c
+
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon \
+	-DIPSEC_DIR=\"${ipsecdir}\" \
+	-DIPSEC_PIDDIR=\"${piddir}\" \
+	-DPLUGINS=\""${cmd_plugins}\""
+
+charon_cmd_LDADD = \
+	$(top_builddir)/src/libstrongswan/libstrongswan.la \
+	$(top_builddir)/src/libhydra/libhydra.la \
+	$(top_builddir)/src/libcharon/libcharon.la \
+	-lm $(PTHREADLIB) $(DLLIB)
+
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .c .lo .o .obj
+$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
+	@for dep in $?; do \
+	  case '$(am__configure_deps)' in \
+	    *$$dep*) \
+	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+	        && { if test -f $@; then exit 0; else break; fi; }; \
+	      exit 1;; \
+	  esac; \
+	done; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/charon-cmd/Makefile'; \
+	$(am__cd) $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu src/charon-cmd/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+	@case '$?' in \
+	  *config.status*) \
+	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+	  *) \
+	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+	esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure:  $(am__configure_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
+install-sbinPROGRAMS: $(sbin_PROGRAMS)
+	@$(NORMAL_INSTALL)
+	@list='$(sbin_PROGRAMS)'; test -n "$(sbindir)" || list=; \
+	if test -n "$$list"; then \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(sbindir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(sbindir)" || exit 1; \
+	fi; \
+	for p in $$list; do echo "$$p $$p"; done | \
+	sed 's/$(EXEEXT)$$//' | \
+	while read p p1; do if test -f $$p || test -f $$p1; \
+	  then echo "$$p"; echo "$$p"; else :; fi; \
+	done | \
+	sed -e 'p;s,.*/,,;n;h' -e 's|.*|.|' \
+	    -e 'p;x;s,.*/,,;s/$(EXEEXT)$$//;$(transform);s/$$/$(EXEEXT)/' | \
+	sed 'N;N;N;s,\n, ,g' | \
+	$(AWK) 'BEGIN { files["."] = ""; dirs["."] = 1 } \
+	  { d=$$3; if (dirs[d] != 1) { print "d", d; dirs[d] = 1 } \
+	    if ($$2 == $$4) files[d] = files[d] " " $$1; \
+	    else { print "f", $$3 "/" $$4, $$1; } } \
+	  END { for (d in files) print "f", d, files[d] }' | \
+	while read type dir files; do \
+	    if test "$$dir" = .; then dir=; else dir=/$$dir; fi; \
+	    test -z "$$files" || { \
+	    echo " $(INSTALL_PROGRAM_ENV) $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL_PROGRAM) $$files '$(DESTDIR)$(sbindir)$$dir'"; \
+	    $(INSTALL_PROGRAM_ENV) $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL_PROGRAM) $$files "$(DESTDIR)$(sbindir)$$dir" || exit $$?; \
+	    } \
+	; done
+
+uninstall-sbinPROGRAMS:
+	@$(NORMAL_UNINSTALL)
+	@list='$(sbin_PROGRAMS)'; test -n "$(sbindir)" || list=; \
+	files=`for p in $$list; do echo "$$p"; done | \
+	  sed -e 'h;s,^.*/,,;s/$(EXEEXT)$$//;$(transform)' \
+	      -e 's/$$/$(EXEEXT)/' `; \
+	test -n "$$list" || exit 0; \
+	echo " ( cd '$(DESTDIR)$(sbindir)' && rm -f" $$files ")"; \
+	cd "$(DESTDIR)$(sbindir)" && rm -f $$files
+
+clean-sbinPROGRAMS:
+	@list='$(sbin_PROGRAMS)'; test -n "$$list" || exit 0; \
+	echo " rm -f" $$list; \
+	rm -f $$list || exit $$?; \
+	test -n "$(EXEEXT)" || exit 0; \
+	list=`for p in $$list; do echo "$$p"; done | sed 's/$(EXEEXT)$$//'`; \
+	echo " rm -f" $$list; \
+	rm -f $$list
+charon-cmd$(EXEEXT): $(charon_cmd_OBJECTS) $(charon_cmd_DEPENDENCIES) $(EXTRA_charon_cmd_DEPENDENCIES) 
+	@rm -f charon-cmd$(EXEEXT)
+	$(AM_V_CCLD)$(LINK) $(charon_cmd_OBJECTS) $(charon_cmd_LDADD) $(LIBS)
+
+mostlyclean-compile:
+	-rm -f *.$(OBJEXT)
+
+distclean-compile:
+	-rm -f *.tab.c
+
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/charon-cmd.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/cmd_connection.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/cmd_creds.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/cmd_options.Po@am__quote@
+
+.c.o:
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
+
+.c.obj:
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
+
+.c.lo:
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
+
+cmd_options.o: cmd/cmd_options.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT cmd_options.o -MD -MP -MF $(DEPDIR)/cmd_options.Tpo -c -o cmd_options.o `test -f 'cmd/cmd_options.c' || echo '$(srcdir)/'`cmd/cmd_options.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/cmd_options.Tpo $(DEPDIR)/cmd_options.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='cmd/cmd_options.c' object='cmd_options.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o cmd_options.o `test -f 'cmd/cmd_options.c' || echo '$(srcdir)/'`cmd/cmd_options.c
+
+cmd_options.obj: cmd/cmd_options.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT cmd_options.obj -MD -MP -MF $(DEPDIR)/cmd_options.Tpo -c -o cmd_options.obj `if test -f 'cmd/cmd_options.c'; then $(CYGPATH_W) 'cmd/cmd_options.c'; else $(CYGPATH_W) '$(srcdir)/cmd/cmd_options.c'; fi`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/cmd_options.Tpo $(DEPDIR)/cmd_options.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='cmd/cmd_options.c' object='cmd_options.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o cmd_options.obj `if test -f 'cmd/cmd_options.c'; then $(CYGPATH_W) 'cmd/cmd_options.c'; else $(CYGPATH_W) '$(srcdir)/cmd/cmd_options.c'; fi`
+
+cmd_connection.o: cmd/cmd_connection.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT cmd_connection.o -MD -MP -MF $(DEPDIR)/cmd_connection.Tpo -c -o cmd_connection.o `test -f 'cmd/cmd_connection.c' || echo '$(srcdir)/'`cmd/cmd_connection.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/cmd_connection.Tpo $(DEPDIR)/cmd_connection.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='cmd/cmd_connection.c' object='cmd_connection.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o cmd_connection.o `test -f 'cmd/cmd_connection.c' || echo '$(srcdir)/'`cmd/cmd_connection.c
+
+cmd_connection.obj: cmd/cmd_connection.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT cmd_connection.obj -MD -MP -MF $(DEPDIR)/cmd_connection.Tpo -c -o cmd_connection.obj `if test -f 'cmd/cmd_connection.c'; then $(CYGPATH_W) 'cmd/cmd_connection.c'; else $(CYGPATH_W) '$(srcdir)/cmd/cmd_connection.c'; fi`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/cmd_connection.Tpo $(DEPDIR)/cmd_connection.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='cmd/cmd_connection.c' object='cmd_connection.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o cmd_connection.obj `if test -f 'cmd/cmd_connection.c'; then $(CYGPATH_W) 'cmd/cmd_connection.c'; else $(CYGPATH_W) '$(srcdir)/cmd/cmd_connection.c'; fi`
+
+cmd_creds.o: cmd/cmd_creds.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT cmd_creds.o -MD -MP -MF $(DEPDIR)/cmd_creds.Tpo -c -o cmd_creds.o `test -f 'cmd/cmd_creds.c' || echo '$(srcdir)/'`cmd/cmd_creds.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/cmd_creds.Tpo $(DEPDIR)/cmd_creds.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='cmd/cmd_creds.c' object='cmd_creds.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o cmd_creds.o `test -f 'cmd/cmd_creds.c' || echo '$(srcdir)/'`cmd/cmd_creds.c
+
+cmd_creds.obj: cmd/cmd_creds.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT cmd_creds.obj -MD -MP -MF $(DEPDIR)/cmd_creds.Tpo -c -o cmd_creds.obj `if test -f 'cmd/cmd_creds.c'; then $(CYGPATH_W) 'cmd/cmd_creds.c'; else $(CYGPATH_W) '$(srcdir)/cmd/cmd_creds.c'; fi`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/cmd_creds.Tpo $(DEPDIR)/cmd_creds.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='cmd/cmd_creds.c' object='cmd_creds.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o cmd_creds.obj `if test -f 'cmd/cmd_creds.c'; then $(CYGPATH_W) 'cmd/cmd_creds.c'; else $(CYGPATH_W) '$(srcdir)/cmd/cmd_creds.c'; fi`
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+install-man8: $(dist_man8_MANS)
+	@$(NORMAL_INSTALL)
+	@list1='$(dist_man8_MANS)'; \
+	list2=''; \
+	test -n "$(man8dir)" \
+	  && test -n "`echo $$list1$$list2`" \
+	  || exit 0; \
+	echo " $(MKDIR_P) '$(DESTDIR)$(man8dir)'"; \
+	$(MKDIR_P) "$(DESTDIR)$(man8dir)" || exit 1; \
+	{ for i in $$list1; do echo "$$i"; done;  \
+	if test -n "$$list2"; then \
+	  for i in $$list2; do echo "$$i"; done \
+	    | sed -n '/\.8[a-z]*$$/p'; \
+	fi; \
+	} | while read p; do \
+	  if test -f $$p; then d=; else d="$(srcdir)/"; fi; \
+	  echo "$$d$$p"; echo "$$p"; \
+	done | \
+	sed -e 'n;s,.*/,,;p;h;s,.*\.,,;s,^[^8][0-9a-z]*$$,8,;x' \
+	      -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,' | \
+	sed 'N;N;s,\n, ,g' | { \
+	list=; while read file base inst; do \
+	  if test "$$base" = "$$inst"; then list="$$list $$file"; else \
+	    echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man8dir)/$$inst'"; \
+	    $(INSTALL_DATA) "$$file" "$(DESTDIR)$(man8dir)/$$inst" || exit $$?; \
+	  fi; \
+	done; \
+	for i in $$list; do echo "$$i"; done | $(am__base_list) | \
+	while read files; do \
+	  test -z "$$files" || { \
+	    echo " $(INSTALL_DATA) $$files '$(DESTDIR)$(man8dir)'"; \
+	    $(INSTALL_DATA) $$files "$(DESTDIR)$(man8dir)" || exit $$?; }; \
+	done; }
+
+uninstall-man8:
+	@$(NORMAL_UNINSTALL)
+	@list='$(dist_man8_MANS)'; test -n "$(man8dir)" || exit 0; \
+	files=`{ for i in $$list; do echo "$$i"; done; \
+	} | sed -e 's,.*/,,;h;s,.*\.,,;s,^[^8][0-9a-z]*$$,8,;x' \
+	      -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,'`; \
+	dir='$(DESTDIR)$(man8dir)'; $(am__uninstall_files_from_dir)
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	mkid -fID $$unique
+tags: TAGS
+
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	set x; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	shift; \
+	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
+	  test -n "$$unique" || unique=$$empty_fix; \
+	  if test $$# -gt 0; then \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      "$$@" $$unique; \
+	  else \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      $$unique; \
+	  fi; \
+	fi
+ctags: CTAGS
+CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	test -z "$(CTAGS_ARGS)$$unique" \
+	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+	     $$unique
+
+GTAGS:
+	here=`$(am__cd) $(top_builddir) && pwd` \
+	  && $(am__cd) $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) "$$here"
+
+distclean-tags:
+	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+distdir: $(DISTFILES)
+	@list='$(MANS)'; if test -n "$$list"; then \
+	  list=`for p in $$list; do \
+	    if test -f $$p; then d=; else d="$(srcdir)/"; fi; \
+	    if test -f "$$d$$p"; then echo "$$d$$p"; else :; fi; done`; \
+	  if test -n "$$list" && \
+	    grep 'ab help2man is required to generate this page' $$list >/dev/null; then \
+	    echo "error: found man pages containing the \`missing help2man' replacement text:" >&2; \
+	    grep -l 'ab help2man is required to generate this page' $$list | sed 's/^/         /' >&2; \
+	    echo "       to fix them, install help2man, remove and regenerate the man pages;" >&2; \
+	    echo "       typically \`make maintainer-clean' will remove them" >&2; \
+	    exit 1; \
+	  else :; fi; \
+	else :; fi
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
+	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d "$(distdir)/$$file"; then \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
+	  else \
+	    test -f "$(distdir)/$$file" \
+	    || cp -p $$d/$$file "$(distdir)/$$file" \
+	    || exit 1; \
+	  fi; \
+	done
+check-am: all-am
+check: check-am
+all-am: Makefile $(PROGRAMS) $(MANS)
+installdirs:
+	for dir in "$(DESTDIR)$(sbindir)" "$(DESTDIR)$(man8dir)"; do \
+	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
+	done
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
+mostlyclean-generic:
+
+clean-generic:
+	-test -z "$(CLEANFILES)" || rm -f $(CLEANFILES)
+
+distclean-generic:
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
+
+maintainer-clean-generic:
+	@echo "This command is intended for maintainers to use"
+	@echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-generic clean-libtool clean-sbinPROGRAMS \
+	mostlyclean-am
+
+distclean: distclean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+	distclean-tags
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+html-am:
+
+info: info-am
+
+info-am:
+
+install-data-am: install-man
+
+install-dvi: install-dvi-am
+
+install-dvi-am:
+
+install-exec-am: install-sbinPROGRAMS
+
+install-html: install-html-am
+
+install-html-am:
+
+install-info: install-info-am
+
+install-info-am:
+
+install-man: install-man8
+
+install-pdf: install-pdf-am
+
+install-pdf-am:
+
+install-ps: install-ps-am
+
+install-ps-am:
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+	mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am: uninstall-man uninstall-sbinPROGRAMS
+
+uninstall-man: uninstall-man8
+
+.MAKE: install-am install-strip
+
+.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
+	clean-libtool clean-sbinPROGRAMS ctags distclean \
+	distclean-compile distclean-generic distclean-libtool \
+	distclean-tags distdir dvi dvi-am html html-am info info-am \
+	install install-am install-data install-data-am install-dvi \
+	install-dvi-am install-exec install-exec-am install-html \
+	install-html-am install-info install-info-am install-man \
+	install-man8 install-pdf install-pdf-am install-ps \
+	install-ps-am install-sbinPROGRAMS install-strip installcheck \
+	installcheck-am installdirs maintainer-clean \
+	maintainer-clean-generic mostlyclean mostlyclean-compile \
+	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
+	tags uninstall uninstall-am uninstall-man uninstall-man8 \
+	uninstall-sbinPROGRAMS
+
+
+charon-cmd.o :	$(top_builddir)/config.status
+
+charon-cmd.8 : charon-cmd.8.in
+	$(AM_V_GEN) \
+	sed \
+	-e "s:@IPSEC_VERSION@:$(PACKAGE_VERSION):" \
+	$(srcdir)/$@.in > $@
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/src/charon-cmd/charon-cmd.8 b/src/charon-cmd/charon-cmd.8
new file mode 100644
index 000000000..e93cbcf6f
--- /dev/null
+++ b/src/charon-cmd/charon-cmd.8
@@ -0,0 +1,161 @@
+.TH CHARON\-CMD 8 "2013-06-21" "5.1.0" "strongSwan"
+.SH "NAME"
+charon\-cmd \- Simple IKE client (IPsec VPN client)
+.SH SYNOPSIS
+.B charon\-cmd
+.B \-\-host
+.I hostname
+.B \-\-identity
+.I identity
+.B [ options ]
+.PP
+.SH "DESCRIPTION"
+.B charon\-cmd
+is a program for setting up IPsec VPN connections using the Internet Key
+Exchange protocol (IKE) in version 1 and 2.  It supports a number of different
+road-warrior scenarios.
+.PP
+Like the IKE daemon
+.BR charon ,
+.B charon\-cmd
+has to be run as
+.B root
+(or more specifically as a user with
+.B CAP_NET_ADMIN
+capability).
+.PP
+Of the following options at least
+.I \-\-host
+and
+.I \-\-identity
+are required. Depending on the selected authentication
+.I profile
+credentials also have to be provided with their respective options.
+.PP
+Many of the
+.BR charon -specific
+configuration options in
+.I strongswan.conf
+also apply to
+.BR charon\-cmd .
+For instance, to configure customized logging to
+.B stdout
+the following snippet can be used:
+.PP
+.EX
+	charon-cmd {
+		filelog {
+			stdout {
+				default = 1
+				ike = 2
+				cfg = 2
+			}
+		}
+	}
+.EE
+.PP
+.SH "OPTIONS"
+.TP
+.B "\-\-help"
+Prints usage information and a short summary of the available options.
+.TP
+.B "\-\-version"
+Prints the strongSwan version.
+.TP
+.BI "\-\-debug " level
+Sets the default log level (defaults to 1).
+.I level
+is a number between -1 and 4.
+Refer to
+.I strongswan.conf
+for options that allow a more fine-grained configuration of the logging
+output.
+.TP
+.BI "\-\-host " hostname
+DNS name or IP address to connect to.
+.TP
+.BI "\-\-identity " identity
+Identity the client uses for the IKE exchange.
+.TP
+.BI "\-\-eap\-identity " identity
+Identity the client uses for EAP authentication.
+.TP
+.BI "\-\-xauth\-username " username
+Username the client uses for XAuth authentication.
+.TP
+.BI "\-\-remote\-identity " identity
+Server identity to expect, defaults to
+.IR hostname .
+.TP
+.BI "\-\-cert " path
+Trusted certificate, either for authentication or trust chain validation.
+To provide more than one certificate multiple
+.B \-\-cert
+options can be used.
+.TP
+.BI "\-\-rsa " path
+RSA private key to use for authentication (if a password is required, it will
+be requested on demand).
+.TP
+.BI "\-\-p12 " path
+PKCS#12 file with private key and certificates to use for authentication and
+trust chain validation (if a password is required it will be requested on
+demand).
+.TP
+.RI "\fB\-\-agent\fR[=" socket ]
+Use SSH agent for authentication. If
+.I socket
+is not specified it is read from the
+.B SSH_AUTH_SOCK
+environment variable.
+.TP
+.BI "\-\-local\-ts " subnet
+Additional traffic selector to propose for our side, the requested virtual IP
+address will always be proposed.
+.TP
+.BI "\-\-remote\-ts " subnet
+Traffic selector to propose for remote side, defaults to 0.0.0.0/0.
+.TP
+.BI "\-\-profile " name
+Authentication profile to use, the list of supported profiles can be found
+in the
+.B Authentication Profiles
+sections below. Defaults to
+.B ikev2\-pub
+if a private key was supplied, and to
+.B ikev2\-eap
+otherwise.
+.PP
+.SS "IKEv2 Authentication Profiles"
+.TP
+.B "ikev2\-pub"
+IKEv2 with public key client and server authentication
+.TP
+.B "ikev2\-eap"
+IKEv2 with EAP client authentication and public key server authentication
+.TP
+.B "ikev2\-pub\-eap"
+IKEv2 with public key and EAP client authentication (RFC 4739) and public key
+server authentication
+.PP
+.SS "IKEv1 Authentication Profiles"
+The following authentication profiles use either Main Mode or Aggressive Mode,
+the latter is denoted with a \fB\-am\fR suffix.
+.TP
+.BR "ikev1\-pub" ", " "ikev1\-pub\-am"
+IKEv1 with public key client and server authentication
+.TP
+.BR "ikev1\-xauth" ", " "ikev1\-xauth\-am"
+IKEv1 with public key client and server authentication, followed by client XAuth
+authentication
+.TP
+.BR "ikev1\-xauth\-psk" ", " "ikev1\-xauth\-psk\-am"
+IKEv1 with pre-shared key (PSK) client and server authentication, followed by
+client XAuth authentication (INSECURE!)
+.TP
+.BR "ikev1\-hybrid" ", " "ikev1\-hybrid\-am"
+IKEv1 with public key server authentication only, followed by client XAuth
+authentication
+.PP
+.SH "SEE ALSO"
+\fBstrongswan.conf\fR(5), \fBipsec\fR(8)
diff --git a/src/charon-cmd/charon-cmd.8.in b/src/charon-cmd/charon-cmd.8.in
new file mode 100644
index 000000000..c9d52c92f
--- /dev/null
+++ b/src/charon-cmd/charon-cmd.8.in
@@ -0,0 +1,161 @@
+.TH CHARON\-CMD 8 "2013-06-21" "@IPSEC_VERSION@" "strongSwan"
+.SH "NAME"
+charon\-cmd \- Simple IKE client (IPsec VPN client)
+.SH SYNOPSIS
+.B charon\-cmd
+.B \-\-host
+.I hostname
+.B \-\-identity
+.I identity
+.B [ options ]
+.PP
+.SH "DESCRIPTION"
+.B charon\-cmd
+is a program for setting up IPsec VPN connections using the Internet Key
+Exchange protocol (IKE) in version 1 and 2.  It supports a number of different
+road-warrior scenarios.
+.PP
+Like the IKE daemon
+.BR charon ,
+.B charon\-cmd
+has to be run as
+.B root
+(or more specifically as a user with
+.B CAP_NET_ADMIN
+capability).
+.PP
+Of the following options at least
+.I \-\-host
+and
+.I \-\-identity
+are required. Depending on the selected authentication
+.I profile
+credentials also have to be provided with their respective options.
+.PP
+Many of the
+.BR charon -specific
+configuration options in
+.I strongswan.conf
+also apply to
+.BR charon\-cmd .
+For instance, to configure customized logging to
+.B stdout
+the following snippet can be used:
+.PP
+.EX
+	charon-cmd {
+		filelog {
+			stdout {
+				default = 1
+				ike = 2
+				cfg = 2
+			}
+		}
+	}
+.EE
+.PP
+.SH "OPTIONS"
+.TP
+.B "\-\-help"
+Prints usage information and a short summary of the available options.
+.TP
+.B "\-\-version"
+Prints the strongSwan version.
+.TP
+.BI "\-\-debug " level
+Sets the default log level (defaults to 1).
+.I level
+is a number between -1 and 4.
+Refer to
+.I strongswan.conf
+for options that allow a more fine-grained configuration of the logging
+output.
+.TP
+.BI "\-\-host " hostname
+DNS name or IP address to connect to.
+.TP
+.BI "\-\-identity " identity
+Identity the client uses for the IKE exchange.
+.TP
+.BI "\-\-eap\-identity " identity
+Identity the client uses for EAP authentication.
+.TP
+.BI "\-\-xauth\-username " username
+Username the client uses for XAuth authentication.
+.TP
+.BI "\-\-remote\-identity " identity
+Server identity to expect, defaults to
+.IR hostname .
+.TP
+.BI "\-\-cert " path
+Trusted certificate, either for authentication or trust chain validation.
+To provide more than one certificate multiple
+.B \-\-cert
+options can be used.
+.TP
+.BI "\-\-rsa " path
+RSA private key to use for authentication (if a password is required, it will
+be requested on demand).
+.TP
+.BI "\-\-p12 " path
+PKCS#12 file with private key and certificates to use for authentication and
+trust chain validation (if a password is required it will be requested on
+demand).
+.TP
+.RI "\fB\-\-agent\fR[=" socket ]
+Use SSH agent for authentication. If
+.I socket
+is not specified it is read from the
+.B SSH_AUTH_SOCK
+environment variable.
+.TP
+.BI "\-\-local\-ts " subnet
+Additional traffic selector to propose for our side, the requested virtual IP
+address will always be proposed.
+.TP
+.BI "\-\-remote\-ts " subnet
+Traffic selector to propose for remote side, defaults to 0.0.0.0/0.
+.TP
+.BI "\-\-profile " name
+Authentication profile to use, the list of supported profiles can be found
+in the
+.B Authentication Profiles
+sections below. Defaults to
+.B ikev2\-pub
+if a private key was supplied, and to
+.B ikev2\-eap
+otherwise.
+.PP
+.SS "IKEv2 Authentication Profiles"
+.TP
+.B "ikev2\-pub"
+IKEv2 with public key client and server authentication
+.TP
+.B "ikev2\-eap"
+IKEv2 with EAP client authentication and public key server authentication
+.TP
+.B "ikev2\-pub\-eap"
+IKEv2 with public key and EAP client authentication (RFC 4739) and public key
+server authentication
+.PP
+.SS "IKEv1 Authentication Profiles"
+The following authentication profiles use either Main Mode or Aggressive Mode,
+the latter is denoted with a \fB\-am\fR suffix.
+.TP
+.BR "ikev1\-pub" ", " "ikev1\-pub\-am"
+IKEv1 with public key client and server authentication
+.TP
+.BR "ikev1\-xauth" ", " "ikev1\-xauth\-am"
+IKEv1 with public key client and server authentication, followed by client XAuth
+authentication
+.TP
+.BR "ikev1\-xauth\-psk" ", " "ikev1\-xauth\-psk\-am"
+IKEv1 with pre-shared key (PSK) client and server authentication, followed by
+client XAuth authentication (INSECURE!)
+.TP
+.BR "ikev1\-hybrid" ", " "ikev1\-hybrid\-am"
+IKEv1 with public key server authentication only, followed by client XAuth
+authentication
+.PP
+.SH "SEE ALSO"
+\fBstrongswan.conf\fR(5), \fBipsec\fR(8)
diff --git a/src/charon-cmd/charon-cmd.c b/src/charon-cmd/charon-cmd.c
new file mode 100644
index 000000000..5f4787b58
--- /dev/null
+++ b/src/charon-cmd/charon-cmd.c
@@ -0,0 +1,404 @@
+/*
+ * Copyright (C) 2006-2013 Tobias Brunner
+ * Copyright (C) 2005-2013 Martin Willi
+ * Copyright (C) 2006 Daniel Roethlisberger
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <stdio.h>
+#define _POSIX_PTHREAD_SEMANTICS /* for two param sigwait on OpenSolaris */
+#include <signal.h>
+#undef _POSIX_PTHREAD_SEMANTICS
+#include <pthread.h>
+#include <sys/types.h>
+#include <sys/utsname.h>
+#include <unistd.h>
+#include <getopt.h>
+
+#include <library.h>
+#include <hydra.h>
+#include <daemon.h>
+#include <utils/backtrace.h>
+#include <threading/thread.h>
+
+#include "cmd/cmd_options.h"
+#include "cmd/cmd_connection.h"
+#include "cmd/cmd_creds.h"
+
+/**
+ * Default loglevel
+ */
+static level_t default_loglevel = LEVEL_CTRL;
+
+/**
+ * Loglevel configuration
+ */
+static level_t levels[DBG_MAX];
+
+/**
+ * Connection to initiate
+ */
+static cmd_connection_t *conn;
+
+/**
+ * Credential backend
+ */
+static cmd_creds_t *creds;
+
+/**
+ * hook in library for debugging messages
+ */
+extern void (*dbg) (debug_t group, level_t level, char *fmt, ...);
+
+/**
+ * Logging hook for library logs, using stderr output
+ */
+static void dbg_stderr(debug_t group, level_t level, char *fmt, ...)
+{
+	va_list args;
+
+	if (level <= default_loglevel)
+	{
+		va_start(args, fmt);
+		fprintf(stderr, "00[%N] ", debug_names, group);
+		vfprintf(stderr, fmt, args);
+		fprintf(stderr, "\n");
+		va_end(args);
+	}
+}
+
+/**
+ * Clean up connection definition atexit()
+ */
+static void cleanup_conn()
+{
+	DESTROY_IF(conn);
+}
+
+/**
+ * Clean up credentials atexit()
+ */
+static void cleanup_creds()
+{
+	DESTROY_IF(creds);
+}
+
+/**
+ * Run the daemon and handle unix signals
+ */
+static int run()
+{
+	sigset_t set;
+
+	/* handle SIGINT, SIGHUP and SIGTERM in this handler */
+	sigemptyset(&set);
+	sigaddset(&set, SIGINT);
+	sigaddset(&set, SIGHUP);
+	sigaddset(&set, SIGTERM);
+	sigaddset(&set, SIGUSR1);
+	sigprocmask(SIG_BLOCK, &set, NULL);
+
+	while (TRUE)
+	{
+		int sig;
+		int error;
+
+		error = sigwait(&set, &sig);
+		if (error)
+		{
+			DBG1(DBG_DMN, "error %d while waiting for a signal", error);
+			return 1;
+		}
+		switch (sig)
+		{
+			case SIGHUP:
+			{
+				DBG1(DBG_DMN, "signal of type SIGHUP received. Reloading "
+					 "configuration");
+				if (lib->settings->load_files(lib->settings, NULL, FALSE))
+				{
+					charon->load_loggers(charon, levels, TRUE);
+					lib->plugins->reload(lib->plugins, NULL);
+				}
+				else
+				{
+					DBG1(DBG_DMN, "reloading config failed, keeping old");
+				}
+				break;
+			}
+			case SIGINT:
+			{
+				DBG1(DBG_DMN, "signal of type SIGINT received. Shutting down");
+				charon->bus->alert(charon->bus, ALERT_SHUTDOWN_SIGNAL, sig);
+				return 0;
+			}
+			case SIGTERM:
+			{
+				DBG1(DBG_DMN, "signal of type SIGTERM received. Shutting down");
+				charon->bus->alert(charon->bus, ALERT_SHUTDOWN_SIGNAL, sig);
+				return 0;
+			}
+			case SIGUSR1:
+			{	/* an error occurred */
+				charon->bus->alert(charon->bus, ALERT_SHUTDOWN_SIGNAL, sig);
+				return 1;
+			}
+			default:
+			{
+				DBG1(DBG_DMN, "unknown signal %d received. Ignored", sig);
+				break;
+			}
+		}
+	}
+}
+
+/**
+ * lookup UID and GID
+ */
+static bool lookup_uid_gid()
+{
+#ifdef IPSEC_USER
+	if (!lib->caps->resolve_uid(lib->caps, IPSEC_USER))
+	{
+		return FALSE;
+	}
+#endif
+#ifdef IPSEC_GROUP
+	if (!lib->caps->resolve_gid(lib->caps, IPSEC_GROUP))
+	{
+		return FALSE;
+	}
+#endif
+	return TRUE;
+}
+
+/**
+ * Handle SIGSEGV/SIGILL signals raised by threads
+ */
+static void segv_handler(int signal)
+{
+	backtrace_t *backtrace;
+
+	DBG1(DBG_DMN, "thread %u received %d", thread_current_id(), signal);
+	backtrace = backtrace_create(2);
+	backtrace->log(backtrace, stderr, TRUE);
+	backtrace->destroy(backtrace);
+
+	DBG1(DBG_DMN, "killing ourself, received critical signal");
+	abort();
+}
+
+/**
+ * Print command line usage and exit
+ */
+static void usage(FILE *out, char *msg, char *binary)
+{
+	static const int padto = 18;
+	char cmd[64], *pre, *post;
+	int i, line, pad;
+
+	if (msg)
+	{
+		fprintf(out, "%s\n", msg);
+	}
+	fprintf(out, "Usage: %s\n", binary);
+	for (i = 0; i < CMD_OPT_COUNT; i++)
+	{
+		switch (cmd_options[i].has_arg)
+		{
+			case required_argument:
+				pre = " <";
+				post = ">";
+				break;
+			case optional_argument:
+				pre = "[=";
+				post = "]";
+				break;
+			case no_argument:
+			default:
+				pre = "  ";
+				post = " ";
+				break;
+		}
+		snprintf(cmd, sizeof(cmd), "  --%s%s%s%s", cmd_options[i].name,
+				 pre, cmd_options[i].arg, post);
+		pad = padto - strlen(cmd);
+		if (pad >= 1)
+		{
+			fprintf(out, "%s%-*s%s\n", cmd, pad, "", cmd_options[i].desc);
+		}
+		else
+		{	/* write description to a separate line */
+			fprintf(out, "%s\n%-*s%s\n", cmd, padto, "", cmd_options[i].desc);
+		}
+		for (line = 0; line < countof(cmd_options[i].lines); line++)
+		{
+			if (cmd_options[i].lines[line])
+			{
+				fprintf(out, "%-*s%s\n", padto, "", cmd_options[i].lines[line]);
+			}
+		}
+	}
+}
+
+/**
+ * Handle command line options, if simple is TRUE only arguments like --help
+ * and --version are handled.
+ */
+static void handle_arguments(int argc, char *argv[], bool simple)
+{
+	struct option long_opts[CMD_OPT_COUNT + 1] = {};
+	int i, opt;
+
+	for (i = 0; i < CMD_OPT_COUNT; i++)
+	{
+		long_opts[i].name = cmd_options[i].name;
+		long_opts[i].val = cmd_options[i].id;
+		long_opts[i].has_arg = cmd_options[i].has_arg;
+	}
+	/* reset option parser */
+	optind = 1;
+	while (TRUE)
+	{
+		bool handled = FALSE;
+
+		opt = getopt_long(argc, argv, "", long_opts, NULL);
+		switch (opt)
+		{
+			case EOF:
+				break;
+			case CMD_OPT_HELP:
+				usage(stdout, NULL, argv[0]);
+				exit(0);
+			case CMD_OPT_VERSION:
+				printf("%s, strongSwan %s\n", "charon-cmd", VERSION);
+				exit(0);
+			case CMD_OPT_DEBUG:
+				default_loglevel = atoi(optarg);
+				continue;
+			default:
+				if (simple)
+				{
+					continue;
+				}
+				handled |= conn->handle(conn, opt, optarg);
+				handled |= creds->handle(creds, opt, optarg);
+				if (handled)
+				{
+					continue;
+				}
+				/* fall-through */
+			case '?':
+				/* missing argument, unrecognized option */
+				usage(stderr, NULL, argv[0]);
+				exit(1);
+		}
+		break;
+	}
+}
+
+/**
+ * Main function, starts the daemon.
+ */
+int main(int argc, char *argv[])
+{
+	struct sigaction action;
+	struct utsname utsname;
+	int group;
+
+	/* handle simple arguments */
+	handle_arguments(argc, argv, TRUE);
+
+	dbg = dbg_stderr;
+	atexit(library_deinit);
+	if (!library_init(NULL))
+	{
+		exit(SS_RC_LIBSTRONGSWAN_INTEGRITY);
+	}
+	if (lib->integrity)
+	{
+		if (!lib->integrity->check_file(lib->integrity, "charon-cmd", argv[0]))
+		{
+			exit(SS_RC_DAEMON_INTEGRITY);
+		}
+	}
+	atexit(libhydra_deinit);
+	if (!libhydra_init("charon-cmd"))
+	{
+		exit(SS_RC_INITIALIZATION_FAILED);
+	}
+	atexit(libcharon_deinit);
+	if (!libcharon_init("charon-cmd"))
+	{
+		exit(SS_RC_INITIALIZATION_FAILED);
+	}
+	for (group = 0; group < DBG_MAX; group++)
+	{
+		levels[group] = default_loglevel;
+	}
+	charon->load_loggers(charon, levels, TRUE);
+
+	if (!lookup_uid_gid())
+	{
+		exit(SS_RC_INITIALIZATION_FAILED);
+	}
+	lib->settings->set_default_str(lib->settings, "charon-cmd.port", "0");
+	lib->settings->set_default_str(lib->settings, "charon-cmd.port_nat_t", "0");
+	if (!charon->initialize(charon,
+			lib->settings->get_str(lib->settings, "charon-cmd.load", PLUGINS)))
+	{
+		exit(SS_RC_INITIALIZATION_FAILED);
+	}
+	if (!lib->caps->drop(lib->caps))
+	{
+		exit(SS_RC_INITIALIZATION_FAILED);
+	}
+
+	conn = cmd_connection_create();
+	atexit(cleanup_conn);
+	creds = cmd_creds_create();
+	atexit(cleanup_creds);
+
+	/* handle all arguments */
+	handle_arguments(argc, argv, FALSE);
+
+	if (uname(&utsname) != 0)
+	{
+		memset(&utsname, 0, sizeof(utsname));
+	}
+	DBG1(DBG_DMN, "Starting charon-cmd IKE client (strongSwan %s, %s %s, %s)",
+		 VERSION, utsname.sysname, utsname.release, utsname.machine);
+	lib->plugins->status(lib->plugins, LEVEL_CTRL);
+
+	/* add handler for SEGV and ILL,
+	 * INT, TERM and HUP are handled by sigwait() in run() */
+	action.sa_handler = segv_handler;
+	action.sa_flags = 0;
+	sigemptyset(&action.sa_mask);
+	sigaddset(&action.sa_mask, SIGINT);
+	sigaddset(&action.sa_mask, SIGTERM);
+	sigaddset(&action.sa_mask, SIGHUP);
+	sigaction(SIGSEGV, &action, NULL);
+	sigaction(SIGILL, &action, NULL);
+	sigaction(SIGBUS, &action, NULL);
+	action.sa_handler = SIG_IGN;
+	sigaction(SIGPIPE, &action, NULL);
+
+	pthread_sigmask(SIG_SETMASK, &action.sa_mask, NULL);
+
+	/* start daemon with thread-pool */
+	charon->start(charon);
+	/* wait for signal */
+	return run();
+}
diff --git a/src/charon-cmd/cmd/cmd_connection.c b/src/charon-cmd/cmd/cmd_connection.c
new file mode 100644
index 000000000..5c459f99f
--- /dev/null
+++ b/src/charon-cmd/cmd/cmd_connection.c
@@ -0,0 +1,498 @@
+/*
+ * Copyright (C) 2013 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * Copyright (C) 2013 Martin Willi
+ * Copyright (C) 2013 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "cmd_connection.h"
+
+#include <signal.h>
+#include <unistd.h>
+
+#include <utils/debug.h>
+#include <processing/jobs/callback_job.h>
+#include <threading/thread.h>
+#include <daemon.h>
+
+typedef enum profile_t profile_t;
+typedef struct private_cmd_connection_t private_cmd_connection_t;
+
+/**
+ * Connection profiles we support
+ */
+enum profile_t {
+	PROF_UNDEF,
+	PROF_V2_PUB,
+	PROF_V2_EAP,
+	PROF_V2_PUB_EAP,
+	PROF_V1_PUB,
+	PROF_V1_PUB_AM,
+	PROF_V1_XAUTH,
+	PROF_V1_XAUTH_AM,
+	PROF_V1_XAUTH_PSK,
+	PROF_V1_XAUTH_PSK_AM,
+	PROF_V1_HYBRID,
+	PROF_V1_HYBRID_AM,
+};
+
+ENUM(profile_names, PROF_V2_PUB, PROF_V1_HYBRID_AM,
+	"ikev2-pub",
+	"ikev2-eap",
+	"ikev2-pub-eap",
+	"ikev1-pub",
+	"ikev1-pub-am",
+	"ikev1-xauth",
+	"ikev1-xauth-am",
+	"ikev1-xauth-psk",
+	"ikev1-xauth-psk-am",
+	"ikev1-hybrid",
+	"ikev1-hybrid-am",
+);
+
+/**
+ * Private data of an cmd_connection_t object.
+ */
+struct private_cmd_connection_t {
+
+	/**
+	 * Public cmd_connection_t interface.
+	 */
+	cmd_connection_t public;
+
+	/**
+	 * Process ID to terminate on failure
+	 */
+	pid_t pid;
+
+	/**
+	 * List of local traffic selectors
+	 */
+	linked_list_t *local_ts;
+
+	/**
+	 * List of remote traffic selectors
+	 */
+	linked_list_t *remote_ts;
+
+	/**
+	 * Hostname to connect to
+	 */
+	char *host;
+
+	/**
+	 * Server identity, or NULL to use host
+	 */
+	char *server;
+
+	/**
+	 * Local identity
+	 */
+	char *identity;
+
+	/**
+	 * XAuth/EAP identity
+	 */
+	char *xautheap;
+
+	/**
+	 * Is a private key configured
+	 */
+	bool key_seen;
+
+	/**
+	 * Selected connection profile
+	 */
+	profile_t profile;
+};
+
+/**
+ * Shut down application
+ */
+static void terminate(pid_t pid)
+{
+	kill(pid, SIGUSR1);
+}
+
+/**
+ * Create peer config with associated ike config
+ */
+static peer_cfg_t* create_peer_cfg(private_cmd_connection_t *this)
+{
+	ike_cfg_t *ike_cfg;
+	peer_cfg_t *peer_cfg;
+	u_int16_t local_port, remote_port = IKEV2_UDP_PORT;
+	ike_version_t version = IKE_ANY;
+	bool aggressive = FALSE;
+
+	switch (this->profile)
+	{
+		case PROF_UNDEF:
+		case PROF_V2_PUB:
+		case PROF_V2_EAP:
+		case PROF_V2_PUB_EAP:
+			version = IKEV2;
+			break;
+		case PROF_V1_PUB_AM:
+		case PROF_V1_XAUTH_AM:
+		case PROF_V1_XAUTH_PSK_AM:
+		case PROF_V1_HYBRID_AM:
+			aggressive = TRUE;
+			/* FALL */
+		case PROF_V1_PUB:
+		case PROF_V1_XAUTH:
+		case PROF_V1_XAUTH_PSK:
+		case PROF_V1_HYBRID:
+			version = IKEV1;
+			break;
+	}
+
+	local_port = charon->socket->get_port(charon->socket, FALSE);
+	if (local_port != IKEV2_UDP_PORT)
+	{
+		remote_port = IKEV2_NATT_PORT;
+	}
+	ike_cfg = ike_cfg_create(version, TRUE, FALSE, "0.0.0.0", FALSE, local_port,
+					this->host, FALSE, remote_port, FRAGMENTATION_NO, 0);
+	ike_cfg->add_proposal(ike_cfg, proposal_create_default(PROTO_IKE));
+	peer_cfg = peer_cfg_create("cmd", ike_cfg,
+					CERT_SEND_IF_ASKED, UNIQUE_REPLACE, 1, /* keyingtries */
+					36000, 0, /* rekey 10h, reauth none */
+					600, 600, /* jitter, over 10min */
+					TRUE, aggressive, /* mobike, aggressive */
+					30, 0, /* DPD delay, timeout */
+					FALSE, NULL, NULL); /* mediation */
+	peer_cfg->add_virtual_ip(peer_cfg, host_create_from_string("0.0.0.0", 0));
+
+	return peer_cfg;
+}
+
+/**
+ * Add a single auth cfg of given class to peer cfg
+ */
+static void add_auth_cfg(private_cmd_connection_t *this, peer_cfg_t *peer_cfg,
+						 bool local, auth_class_t class)
+{
+	identification_t *id;
+	auth_cfg_t *auth;
+
+	auth = auth_cfg_create();
+	auth->add(auth, AUTH_RULE_AUTH_CLASS, class);
+	if (local)
+	{
+		id = identification_create_from_string(this->identity);
+		if (this->xautheap)
+		{
+			switch (class)
+			{
+				case AUTH_CLASS_EAP:
+					auth->add(auth, AUTH_RULE_EAP_IDENTITY,
+							identification_create_from_string(this->xautheap));
+					break;
+				case AUTH_CLASS_XAUTH:
+					auth->add(auth, AUTH_RULE_XAUTH_IDENTITY,
+							identification_create_from_string(this->xautheap));
+					break;
+				default:
+					break;
+			}
+		}
+	}
+	else
+	{
+		if (this->server)
+		{
+			id = identification_create_from_string(this->server);
+		}
+		else
+		{
+			id = identification_create_from_string(this->host);
+		}
+		auth->add(auth, AUTH_RULE_IDENTITY_LOOSE, TRUE);
+	}
+	auth->add(auth, AUTH_RULE_IDENTITY, id);
+	peer_cfg->add_auth_cfg(peer_cfg, auth, local);
+}
+
+/**
+ * Attach authentication configs to peer config
+ */
+static bool add_auth_cfgs(private_cmd_connection_t *this, peer_cfg_t *peer_cfg)
+{
+	if (this->profile == PROF_UNDEF)
+	{
+		if (this->key_seen)
+		{
+			this->profile = PROF_V2_PUB;
+		}
+		else
+		{
+			this->profile = PROF_V2_EAP;
+		}
+	}
+	switch (this->profile)
+	{
+		case PROF_V2_PUB:
+		case PROF_V2_PUB_EAP:
+		case PROF_V1_PUB:
+		case PROF_V1_XAUTH:
+		case PROF_V1_PUB_AM:
+		case PROF_V1_XAUTH_AM:
+			if (!this->key_seen)
+			{
+				DBG1(DBG_CFG, "missing private key for profile %N",
+					 profile_names, this->profile);
+				return FALSE;
+			}
+			break;
+		default:
+			break;
+	}
+
+	switch (this->profile)
+	{
+		case PROF_V2_PUB:
+			add_auth_cfg(this, peer_cfg, TRUE, AUTH_CLASS_PUBKEY);
+			add_auth_cfg(this, peer_cfg, FALSE, AUTH_CLASS_ANY);
+			break;
+		case PROF_V2_EAP:
+			add_auth_cfg(this, peer_cfg, TRUE, AUTH_CLASS_EAP);
+			add_auth_cfg(this, peer_cfg, FALSE, AUTH_CLASS_ANY);
+			break;
+		case PROF_V2_PUB_EAP:
+			add_auth_cfg(this, peer_cfg, TRUE, AUTH_CLASS_PUBKEY);
+			add_auth_cfg(this, peer_cfg, TRUE, AUTH_CLASS_EAP);
+			add_auth_cfg(this, peer_cfg, FALSE, AUTH_CLASS_ANY);
+			break;
+		case PROF_V1_PUB:
+		case PROF_V1_PUB_AM:
+			add_auth_cfg(this, peer_cfg, TRUE, AUTH_CLASS_PUBKEY);
+			add_auth_cfg(this, peer_cfg, FALSE, AUTH_CLASS_PUBKEY);
+			break;
+		case PROF_V1_XAUTH:
+		case PROF_V1_XAUTH_AM:
+			add_auth_cfg(this, peer_cfg, TRUE, AUTH_CLASS_PUBKEY);
+			add_auth_cfg(this, peer_cfg, TRUE, AUTH_CLASS_XAUTH);
+			add_auth_cfg(this, peer_cfg, FALSE, AUTH_CLASS_PUBKEY);
+			break;
+		case PROF_V1_XAUTH_PSK:
+		case PROF_V1_XAUTH_PSK_AM:
+			add_auth_cfg(this, peer_cfg, TRUE, AUTH_CLASS_PSK);
+			add_auth_cfg(this, peer_cfg, TRUE, AUTH_CLASS_XAUTH);
+			add_auth_cfg(this, peer_cfg, FALSE, AUTH_CLASS_PSK);
+			break;
+		case PROF_V1_HYBRID:
+		case PROF_V1_HYBRID_AM:
+			add_auth_cfg(this, peer_cfg, TRUE, AUTH_CLASS_XAUTH);
+			add_auth_cfg(this, peer_cfg, FALSE, AUTH_CLASS_PUBKEY);
+			break;
+		default:
+			return FALSE;
+	}
+	return TRUE;
+}
+
+/**
+ * Attach child config to peer config
+ */
+static child_cfg_t* create_child_cfg(private_cmd_connection_t *this)
+{
+	child_cfg_t *child_cfg;
+	traffic_selector_t *ts;
+	lifetime_cfg_t lifetime = {
+		.time = {
+			.life = 10800 /* 3h */,
+			.rekey = 10200 /* 2h50min */,
+			.jitter = 300 /* 5min */
+		}
+	};
+
+	child_cfg = child_cfg_create("cmd", &lifetime,
+								 NULL, FALSE, MODE_TUNNEL, /* updown, hostaccess */
+								 ACTION_NONE, ACTION_NONE, ACTION_NONE, FALSE,
+								 0, 0, NULL, NULL, 0);
+	child_cfg->add_proposal(child_cfg, proposal_create_default(PROTO_ESP));
+	while (this->local_ts->remove_first(this->local_ts, (void**)&ts) == SUCCESS)
+	{
+		child_cfg->add_traffic_selector(child_cfg, TRUE, ts);
+	}
+	if (this->remote_ts->get_count(this->remote_ts) == 0)
+	{
+		/* add a 0.0.0.0/0 TS for remote side if none given */
+		ts = traffic_selector_create_from_string(0, TS_IPV4_ADDR_RANGE,
+									"0.0.0.0", 0, "255.255.255.255", 65535);
+		this->remote_ts->insert_last(this->remote_ts, ts);
+	}
+	while (this->remote_ts->remove_first(this->remote_ts,
+										 (void**)&ts) == SUCCESS)
+	{
+		child_cfg->add_traffic_selector(child_cfg, FALSE, ts);
+	}
+
+	return child_cfg;
+}
+
+/**
+ * Initiate the configured connection
+ */
+static job_requeue_t initiate(private_cmd_connection_t *this)
+{
+	peer_cfg_t *peer_cfg;
+	child_cfg_t *child_cfg;
+	pid_t pid = this->pid;
+
+	if (!this->host)
+	{
+		DBG1(DBG_CFG, "unable to initiate, missing --host option");
+		terminate(pid);
+		return JOB_REQUEUE_NONE;
+	}
+	if (!this->identity)
+	{
+		DBG1(DBG_CFG, "unable to initiate, missing --identity option");
+		terminate(pid);
+		return JOB_REQUEUE_NONE;
+	}
+
+	peer_cfg = create_peer_cfg(this);
+
+	if (!add_auth_cfgs(this, peer_cfg))
+	{
+		peer_cfg->destroy(peer_cfg);
+		terminate(pid);
+		return JOB_REQUEUE_NONE;
+	}
+
+	child_cfg = create_child_cfg(this);
+	peer_cfg->add_child_cfg(peer_cfg, child_cfg->get_ref(child_cfg));
+
+	if (charon->controller->initiate(charon->controller, peer_cfg, child_cfg,
+									 controller_cb_empty, NULL, 0) != SUCCESS)
+	{
+		terminate(pid);
+	}
+	return JOB_REQUEUE_NONE;
+}
+
+/**
+ * Create a traffic selector from string, add to list
+ */
+static void add_ts(private_cmd_connection_t *this,
+				   linked_list_t *list, char *string)
+{
+	traffic_selector_t *ts;
+
+	ts = traffic_selector_create_from_cidr(string, 0, 0, 65535);
+	if (!ts)
+	{
+		DBG1(DBG_CFG, "invalid traffic selector: %s", string);
+		exit(1);
+	}
+	list->insert_last(list, ts);
+}
+
+/**
+ * Parse profile name identifier
+ */
+static void set_profile(private_cmd_connection_t *this, char *name)
+{
+	int profile;
+
+	profile = enum_from_name(profile_names, name);
+	if (profile == -1)
+	{
+		DBG1(DBG_CFG, "unknown connection profile: %s", name);
+		exit(1);
+	}
+	this->profile = profile;
+}
+
+METHOD(cmd_connection_t, handle, bool,
+	private_cmd_connection_t *this, cmd_option_type_t opt, char *arg)
+{
+	switch (opt)
+	{
+		case CMD_OPT_HOST:
+			this->host = arg;
+			break;
+		case CMD_OPT_REMOTE_IDENTITY:
+			this->server = arg;
+			break;
+		case CMD_OPT_IDENTITY:
+			this->identity = arg;
+			break;
+		case CMD_OPT_EAP_IDENTITY:
+		case CMD_OPT_XAUTH_USER:
+			this->xautheap = arg;
+			break;
+		case CMD_OPT_RSA:
+		case CMD_OPT_AGENT:
+		case CMD_OPT_PKCS12:
+			this->key_seen = TRUE;
+			break;
+		case CMD_OPT_LOCAL_TS:
+			add_ts(this, this->local_ts, arg);
+			break;
+		case CMD_OPT_REMOTE_TS:
+			add_ts(this, this->remote_ts, arg);
+			break;
+		case CMD_OPT_PROFILE:
+			set_profile(this, arg);
+			break;
+		default:
+			return FALSE;
+	}
+	return TRUE;
+}
+
+METHOD(cmd_connection_t, destroy, void,
+	private_cmd_connection_t *this)
+{
+	this->local_ts->destroy_offset(this->local_ts,
+								offsetof(traffic_selector_t, destroy));
+	this->remote_ts->destroy_offset(this->remote_ts,
+								offsetof(traffic_selector_t, destroy));
+	free(this);
+}
+
+/**
+ * See header
+ */
+cmd_connection_t *cmd_connection_create()
+{
+	private_cmd_connection_t *this;
+
+	INIT(this,
+		.public = {
+			.handle = _handle,
+			.destroy = _destroy,
+		},
+		.pid = getpid(),
+		.local_ts = linked_list_create(),
+		.remote_ts = linked_list_create(),
+		.profile = PROF_UNDEF,
+	);
+
+	/* always include the virtual IP in traffic selector list */
+	this->local_ts->insert_last(this->local_ts,
+								traffic_selector_create_dynamic(0, 0, 65535));
+
+	/* queue job, gets initiated as soon as we are up and running */
+	lib->processor->queue_job(lib->processor,
+		(job_t*)callback_job_create_with_prio(
+			(callback_job_cb_t)initiate, this, NULL,
+			(callback_job_cancel_t)return_false, JOB_PRIO_CRITICAL));
+
+	return &this->public;
+}
diff --git a/src/charon-cmd/cmd/cmd_connection.h b/src/charon-cmd/cmd/cmd_connection.h
new file mode 100644
index 000000000..221802617
--- /dev/null
+++ b/src/charon-cmd/cmd/cmd_connection.h
@@ -0,0 +1,60 @@
+/*
+ * Copyright (C) 2013 Martin Willi
+ * Copyright (C) 2013 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup charon-cmd charon-cmd
+ *
+ * @defgroup cmd cmd
+ * @ingroup charon-cmd
+ *
+ * @defgroup cmd_connection cmd_connection
+ * @{ @ingroup cmd
+ */
+
+#ifndef CMD_CONNECTION_H_
+#define CMD_CONNECTION_H_
+
+#include <library.h>
+
+#include "cmd_options.h"
+
+typedef struct cmd_connection_t cmd_connection_t;
+
+/**
+ * Connection definition to construct and initiate.
+ */
+struct cmd_connection_t {
+
+	/**
+	 * Handle a command line option.
+	 *
+	 * @param opt		option to handle
+	 * @param arg		option argument
+	 * @return			TRUE if option handled
+	 */
+	bool (*handle)(cmd_connection_t *this, cmd_option_type_t opt, char *arg);
+
+	/**
+	 * Destroy a cmd_connection_t.
+	 */
+	void (*destroy)(cmd_connection_t *this);
+};
+
+/**
+ * Create a cmd_connection instance.
+ */
+cmd_connection_t *cmd_connection_create();
+
+#endif /** CMD_CONNECTION_H_ @}*/
diff --git a/src/charon-cmd/cmd/cmd_creds.c b/src/charon-cmd/cmd/cmd_creds.c
new file mode 100644
index 000000000..526ff7c9c
--- /dev/null
+++ b/src/charon-cmd/cmd/cmd_creds.c
@@ -0,0 +1,291 @@
+/*
+ * Copyright (C) 2013 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * Copyright (C) 2013 Martin Willi
+ * Copyright (C) 2013 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "cmd_creds.h"
+
+#include <unistd.h>
+
+#include <utils/debug.h>
+#include <credentials/sets/mem_cred.h>
+#include <credentials/containers/pkcs12.h>
+#include <credentials/sets/callback_cred.h>
+
+typedef struct private_cmd_creds_t private_cmd_creds_t;
+
+/**
+ * Private data of an cmd_creds_t object.
+ */
+struct private_cmd_creds_t {
+
+	/**
+	 * Public cmd_creds_t interface.
+	 */
+	cmd_creds_t public;
+
+	/**
+	 * Reused in-memory credential set
+	 */
+	mem_cred_t *creds;
+
+	/**
+	 * Callback credential set to get secrets
+	 */
+	callback_cred_t *cb;
+
+	/**
+	 * Already prompted for password?
+	 */
+	bool prompted;
+
+	/**
+	 * Path to ssh-agent socket
+	 */
+	char *agent;
+
+	/**
+	 * Local identity
+	 */
+	char *identity;
+};
+
+/**
+ * Callback function to prompt for secret
+ */
+static shared_key_t* callback_shared(private_cmd_creds_t *this,
+								shared_key_type_t type,
+								identification_t *me, identification_t *other,
+								id_match_t *match_me, id_match_t *match_other)
+{
+	shared_key_t *shared;
+	char *label, *pwd;
+
+	if (this->prompted)
+	{
+		return NULL;
+	}
+	switch (type)
+	{
+		case SHARED_EAP:
+			label = "EAP password: ";
+			break;
+		case SHARED_IKE:
+			label = "Preshared Key: ";
+			break;
+		case SHARED_PRIVATE_KEY_PASS:
+			label = "Password: ";
+			break;
+		default:
+			return NULL;
+	}
+	pwd = getpass(label);
+	if (!pwd || strlen(pwd) == 0)
+	{
+		return NULL;
+	}
+	this->prompted = TRUE;
+	if (match_me)
+	{
+		*match_me = ID_MATCH_PERFECT;
+	}
+	if (match_other)
+	{
+		*match_other = ID_MATCH_PERFECT;
+	}
+	shared = shared_key_create(type, chunk_clone(chunk_from_str(pwd)));
+	/* cache password in case it is required more than once */
+	this->creds->add_shared(this->creds, shared, NULL);
+	return shared->get_ref(shared);
+}
+
+/**
+ * Load a trusted certificate from path
+ */
+static void load_cert(private_cmd_creds_t *this, char *path)
+{
+	certificate_t *cert;
+
+	cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
+							  BUILD_FROM_FILE, path, BUILD_END);
+	if (!cert)
+	{
+		DBG1(DBG_CFG, "loading certificate from '%s' failed", path);
+		exit(1);
+	}
+	this->creds->add_cert(this->creds, TRUE, cert);
+}
+
+/**
+ * Load a private key of given kind from path
+ */
+static void load_key(private_cmd_creds_t *this, key_type_t type, char *path)
+{
+	private_key_t *privkey;
+
+	privkey = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, type,
+								 BUILD_FROM_FILE, path, BUILD_END);
+	if (!privkey)
+	{
+		DBG1(DBG_CFG, "loading %N private key from '%s' failed",
+			 key_type_names, type, path);
+		exit(1);
+	}
+	this->creds->add_key(this->creds, privkey);
+}
+
+/**
+ * Load a private and public key via ssh-agent
+ */
+static void load_agent(private_cmd_creds_t *this)
+{
+	private_key_t *privkey;
+	public_key_t *pubkey;
+	identification_t *id;
+	certificate_t *cert;
+
+	privkey = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_ANY,
+								 BUILD_AGENT_SOCKET, this->agent, BUILD_END);
+	if (!privkey)
+	{
+		DBG1(DBG_CFG, "failed to load private key from ssh-agent");
+		exit(1);
+	}
+	pubkey = privkey->get_public_key(privkey);
+	if (!pubkey)
+	{
+		DBG1(DBG_CFG, "failed to load public key from ssh-agent");
+		privkey->destroy(privkey);
+		exit(1);
+	}
+	id = identification_create_from_string(this->identity);
+	cert = lib->creds->create(lib->creds, CRED_CERTIFICATE,
+							  CERT_TRUSTED_PUBKEY, BUILD_PUBLIC_KEY, pubkey,
+							  BUILD_SUBJECT, id, BUILD_END);
+	pubkey->destroy(pubkey);
+	id->destroy(id);
+	if (!cert)
+	{
+		DBG1(DBG_CFG, "failed to create certificate for ssh-agent public key");
+		privkey->destroy(privkey);
+		exit(1);
+	}
+	this->creds->add_cert(this->creds, TRUE, cert);
+	this->creds->add_key(this->creds, privkey);
+}
+
+/**
+ * Load a PKCS#12 file from path
+ */
+static void load_pkcs12(private_cmd_creds_t *this, char *path)
+{
+	enumerator_t *enumerator;
+	certificate_t *cert;
+	private_key_t *key;
+	container_t *container;
+	pkcs12_t *pkcs12;
+
+	container = lib->creds->create(lib->creds, CRED_CONTAINER, CONTAINER_PKCS12,
+								   BUILD_FROM_FILE, path, BUILD_END);
+	if (!container)
+	{
+		DBG1(DBG_CFG, "loading PKCS#12 file '%s' failed", path);
+		exit(1);
+	}
+	pkcs12 = (pkcs12_t*)container;
+	enumerator = pkcs12->create_cert_enumerator(pkcs12);
+	while (enumerator->enumerate(enumerator, &cert))
+	{
+		this->creds->add_cert(this->creds, TRUE, cert->get_ref(cert));
+	}
+	enumerator->destroy(enumerator);
+	enumerator = pkcs12->create_key_enumerator(pkcs12);
+	while (enumerator->enumerate(enumerator, &key))
+	{
+		this->creds->add_key(this->creds, key->get_ref(key));
+	}
+	enumerator->destroy(enumerator);
+	container->destroy(container);
+}
+
+METHOD(cmd_creds_t, handle, bool,
+	private_cmd_creds_t *this, cmd_option_type_t opt, char *arg)
+{
+	switch (opt)
+	{
+		case CMD_OPT_CERT:
+			load_cert(this, arg);
+			break;
+		case CMD_OPT_RSA:
+			load_key(this, KEY_RSA, arg);
+			break;
+		case CMD_OPT_PKCS12:
+			load_pkcs12(this, arg);
+			break;
+		case CMD_OPT_IDENTITY:
+			this->identity = arg;
+			break;
+		case CMD_OPT_AGENT:
+			this->agent = arg ?: getenv("SSH_AUTH_SOCK");
+			if (!this->agent)
+			{
+				DBG1(DBG_CFG, "no ssh-agent socket defined");
+				exit(1);
+			}
+			break;
+		default:
+			return FALSE;
+	}
+	if (this->agent && this->identity)
+	{
+		load_agent(this);
+		/* only do this once */
+		this->agent = NULL;
+	}
+	return TRUE;
+}
+
+METHOD(cmd_creds_t, destroy, void,
+	private_cmd_creds_t *this)
+{
+	lib->credmgr->remove_set(lib->credmgr, &this->creds->set);
+	lib->credmgr->remove_set(lib->credmgr, &this->cb->set);
+	this->creds->destroy(this->creds);
+	this->cb->destroy(this->cb);
+	free(this);
+}
+
+/**
+ * See header
+ */
+cmd_creds_t *cmd_creds_create()
+{
+	private_cmd_creds_t *this;
+
+	INIT(this,
+		.public = {
+			.handle = _handle,
+			.destroy = _destroy,
+		},
+		.creds = mem_cred_create(),
+	);
+	this->cb = callback_cred_create_shared((void*)callback_shared, this);
+
+	lib->credmgr->add_set(lib->credmgr, &this->creds->set);
+	lib->credmgr->add_set(lib->credmgr, &this->cb->set);
+
+	return &this->public;
+}
diff --git a/src/charon-cmd/cmd/cmd_creds.h b/src/charon-cmd/cmd/cmd_creds.h
new file mode 100644
index 000000000..053e596a5
--- /dev/null
+++ b/src/charon-cmd/cmd/cmd_creds.h
@@ -0,0 +1,55 @@
+/*
+ * Copyright (C) 2013 Martin Willi
+ * Copyright (C) 2013 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup cmd_creds cmd_creds
+ * @{ @ingroup cmd
+ */
+
+#ifndef CMD_CREDS_H_
+#define CMD_CREDS_H_
+
+#include <library.h>
+
+#include "cmd_options.h"
+
+typedef struct cmd_creds_t cmd_creds_t;
+
+/**
+ * Credential backend providing certificates, private keys and shared secrets.
+ */
+struct cmd_creds_t {
+
+	/**
+	 * Handle a command line options related to credentials.
+	 *
+	 * @param opt		option to handle
+	 * @param arg		option argument
+	 * @return			TRUE if option handled
+	 */
+	bool (*handle)(cmd_creds_t *this, cmd_option_type_t opt, char *arg);
+
+	/**
+	 * Destroy a cmd_creds_t.
+	 */
+	void (*destroy)(cmd_creds_t *this);
+};
+
+/**
+ * Create a cmd_creds instance.
+ */
+cmd_creds_t *cmd_creds_create();
+
+#endif /** CMD_CREDS_H_ @}*/
diff --git a/src/charon-cmd/cmd/cmd_options.c b/src/charon-cmd/cmd/cmd_options.c
new file mode 100644
index 000000000..597ccda1f
--- /dev/null
+++ b/src/charon-cmd/cmd/cmd_options.c
@@ -0,0 +1,65 @@
+/*
+ * Copyright (C) 2013 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * Copyright (C) 2013 Martin Willi
+ * Copyright (C) 2013 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "cmd_options.h"
+
+#include <getopt.h>
+
+/**
+ * See header.
+ */
+cmd_option_t cmd_options[CMD_OPT_COUNT] = {
+	{ CMD_OPT_HELP, "help", no_argument, "",
+	  "print this usage information and exit", {}},
+	{ CMD_OPT_VERSION, "version", no_argument, "",
+	  "show version information and exit", {}},
+	{ CMD_OPT_DEBUG, "debug", required_argument, "level",
+	  "set the default log level (-1..4, default: 1)", {}},
+	{ CMD_OPT_HOST, "host", required_argument, "hostname",
+	  "DNS name or address to connect to", {}},
+	{ CMD_OPT_IDENTITY, "identity", required_argument, "identity",
+	  "identity the client uses for the IKE exchange", {}},
+	{ CMD_OPT_EAP_IDENTITY, "eap-identity", required_argument, "eap-identity",
+	  "identity the client uses for EAP authentication", {}},
+	{ CMD_OPT_XAUTH_USER, "xauth-username", required_argument, "xauth-username",
+	  "username the client uses for XAuth authentication", {}},
+	{ CMD_OPT_REMOTE_IDENTITY, "remote-identity", required_argument, "identity",
+	  "server identity to expect, defaults to host", {}},
+	{ CMD_OPT_CERT, "cert", required_argument, "path",
+	  "certificate for authentication or trust chain validation", {}},
+	{ CMD_OPT_RSA, "rsa", required_argument, "path",
+	  "RSA private key to use for authentication", {}},
+	{ CMD_OPT_PKCS12, "p12", required_argument, "path",
+	  "PKCS#12 file with private key and certificates to use for ", {
+		"authentication and trust chain validation"
+	}},
+	{ CMD_OPT_AGENT, "agent", optional_argument, "socket",
+	  "use SSH agent for authentication. If socket is not specified", {
+		"it is read from the SSH_AUTH_SOCK environment variable",
+	}},
+	{ CMD_OPT_LOCAL_TS, "local-ts", required_argument, "subnet",
+	  "additional traffic selector to propose for our side", {}},
+	{ CMD_OPT_REMOTE_TS, "remote-ts", required_argument, "subnet",
+	  "traffic selector to propose for remote side", {}},
+	{ CMD_OPT_PROFILE, "profile", required_argument, "name",
+	  "authentication profile to use, where name is one of:", {
+		"  ikev2-pub, ikev2-eap, ikev2-pub-eap",
+		"  ikev1-pub[-am], ikev1-xauth[-am],",
+		"  ikev1-xauth-psk[-am], ikev1-hybrid[-am]",
+	}},
+};
diff --git a/src/charon-cmd/cmd/cmd_options.h b/src/charon-cmd/cmd/cmd_options.h
new file mode 100644
index 000000000..6b8b04cdf
--- /dev/null
+++ b/src/charon-cmd/cmd/cmd_options.h
@@ -0,0 +1,76 @@
+/*
+ * Copyright (C) 2013 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * Copyright (C) 2013 Martin Willi
+ * Copyright (C) 2013 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup cmd_option cmd_option
+ * @{ @ingroup cmd
+ */
+
+#ifndef CMD_OPTION_H_
+#define CMD_OPTION_H_
+
+typedef struct cmd_option_t cmd_option_t;
+typedef enum cmd_option_type_t cmd_option_type_t;
+
+/**
+ * Command line options
+ */
+enum cmd_option_type_t {
+	CMD_OPT_HELP,
+	CMD_OPT_VERSION,
+	CMD_OPT_DEBUG,
+	CMD_OPT_HOST,
+	CMD_OPT_IDENTITY,
+	CMD_OPT_EAP_IDENTITY,
+	CMD_OPT_XAUTH_USER,
+	CMD_OPT_REMOTE_IDENTITY,
+	CMD_OPT_CERT,
+	CMD_OPT_RSA,
+	CMD_OPT_PKCS12,
+	CMD_OPT_AGENT,
+	CMD_OPT_LOCAL_TS,
+	CMD_OPT_REMOTE_TS,
+	CMD_OPT_PROFILE,
+
+	CMD_OPT_COUNT
+};
+
+/**
+ * Command line arguments, similar to "struct option", but with descriptions
+ */
+struct cmd_option_t {
+	/** option identifier */
+	cmd_option_type_t id;
+	/** long option name */
+	const char *name;
+	/** takes argument */
+	int has_arg;
+	/** decription of argument */
+	const char *arg;
+	/** short description to option */
+	const char *desc;
+	/** additional description lines */
+	const char *lines[12];
+};
+
+/**
+ * Registered CMD options.
+ */
+extern cmd_option_t cmd_options[CMD_OPT_COUNT];
+
+#endif /** CMD_OPTION_H_ @}*/
diff --git a/src/charon-nm/Makefile.am b/src/charon-nm/Makefile.am
index 80fc13ba1..d3630ffd5 100644
--- a/src/charon-nm/Makefile.am
+++ b/src/charon-nm/Makefile.am
@@ -1,24 +1,24 @@
 ipsec_PROGRAMS = charon-nm
 
 charon_nm_SOURCES = \
-charon-nm.c \
-nm/nm_backend.c nm/nm_backend.h \
-nm/nm_creds.c nm/nm_creds.h \
-nm/nm_handler.c nm/nm_handler.h \
-nm/nm_service.c nm/nm_service.h
+	charon-nm.c \
+	nm/nm_backend.c nm/nm_backend.h \
+	nm/nm_creds.c nm/nm_creds.h \
+	nm/nm_handler.c nm/nm_handler.h \
+	nm/nm_service.c nm/nm_service.h
 
-INCLUDES = \
+AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
 	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon \
-	${nm_CFLAGS}
-
-AM_CFLAGS = \
 	-DIPSEC_DIR=\"${ipsecdir}\" \
 	-DIPSEC_PIDDIR=\"${piddir}\" \
 	-DNM_CA_DIR=\"${nm_ca_dir}\" \
 	-DPLUGINS=\""${nm_plugins}\""
 
+AM_CFLAGS = \
+	${nm_CFLAGS}
+
 charon_nm_LDADD = \
 	$(top_builddir)/src/libstrongswan/libstrongswan.la \
 	$(top_builddir)/src/libhydra/libhydra.la \
diff --git a/src/charon-nm/Makefile.in b/src/charon-nm/Makefile.in
index e26dd5586..6eb52f947 100644
--- a/src/charon-nm/Makefile.in
+++ b/src/charon-nm/Makefile.in
@@ -63,7 +63,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
@@ -82,19 +82,35 @@ charon_nm_DEPENDENCIES =  \
 	$(top_builddir)/src/libcharon/libcharon.la \
 	$(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \
 	$(am__DEPENDENCIES_1)
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
 DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
 depcomp = $(SHELL) $(top_srcdir)/depcomp
 am__depfiles_maybe = depfiles
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
 SOURCES = $(charon_nm_SOURCES)
 DIST_SOURCES = $(charon_nm_SOURCES)
 am__can_run_installinfo = \
@@ -108,6 +124,7 @@ DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
@@ -120,6 +137,8 @@ CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
 CHECK_CFLAGS = @CHECK_CFLAGS@
 CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -135,6 +154,7 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
 GPRBUILD = @GPRBUILD@
 GREP = @GREP@
@@ -143,6 +163,7 @@ INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -189,6 +210,7 @@ SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -217,6 +239,7 @@ charon_natt_port = @charon_natt_port@
 charon_plugins = @charon_plugins@
 charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
@@ -295,24 +318,24 @@ urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
 charon_nm_SOURCES = \
-charon-nm.c \
-nm/nm_backend.c nm/nm_backend.h \
-nm/nm_creds.c nm/nm_creds.h \
-nm/nm_handler.c nm/nm_handler.h \
-nm/nm_service.c nm/nm_service.h
+	charon-nm.c \
+	nm/nm_backend.c nm/nm_backend.h \
+	nm/nm_creds.c nm/nm_creds.h \
+	nm/nm_handler.c nm/nm_handler.h \
+	nm/nm_service.c nm/nm_service.h
 
-INCLUDES = \
+AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
 	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon \
-	${nm_CFLAGS}
-
-AM_CFLAGS = \
 	-DIPSEC_DIR=\"${ipsecdir}\" \
 	-DIPSEC_PIDDIR=\"${piddir}\" \
 	-DNM_CA_DIR=\"${nm_ca_dir}\" \
 	-DPLUGINS=\""${nm_plugins}\""
 
+AM_CFLAGS = \
+	${nm_CFLAGS}
+
 charon_nm_LDADD = \
 	$(top_builddir)/src/libstrongswan/libstrongswan.la \
 	$(top_builddir)/src/libhydra/libhydra.la \
@@ -401,7 +424,7 @@ clean-ipsecPROGRAMS:
 	rm -f $$list
 charon-nm$(EXEEXT): $(charon_nm_OBJECTS) $(charon_nm_DEPENDENCIES) $(EXTRA_charon_nm_DEPENDENCIES) 
 	@rm -f charon-nm$(EXEEXT)
-	$(LINK) $(charon_nm_OBJECTS) $(charon_nm_LDADD) $(LIBS)
+	$(AM_V_CCLD)$(LINK) $(charon_nm_OBJECTS) $(charon_nm_LDADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -416,81 +439,81 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/nm_service.Po@am__quote@
 
 .c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
 nm_backend.o: nm/nm_backend.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT nm_backend.o -MD -MP -MF $(DEPDIR)/nm_backend.Tpo -c -o nm_backend.o `test -f 'nm/nm_backend.c' || echo '$(srcdir)/'`nm/nm_backend.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/nm_backend.Tpo $(DEPDIR)/nm_backend.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='nm/nm_backend.c' object='nm_backend.o' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT nm_backend.o -MD -MP -MF $(DEPDIR)/nm_backend.Tpo -c -o nm_backend.o `test -f 'nm/nm_backend.c' || echo '$(srcdir)/'`nm/nm_backend.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/nm_backend.Tpo $(DEPDIR)/nm_backend.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='nm/nm_backend.c' object='nm_backend.o' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o nm_backend.o `test -f 'nm/nm_backend.c' || echo '$(srcdir)/'`nm/nm_backend.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o nm_backend.o `test -f 'nm/nm_backend.c' || echo '$(srcdir)/'`nm/nm_backend.c
 
 nm_backend.obj: nm/nm_backend.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT nm_backend.obj -MD -MP -MF $(DEPDIR)/nm_backend.Tpo -c -o nm_backend.obj `if test -f 'nm/nm_backend.c'; then $(CYGPATH_W) 'nm/nm_backend.c'; else $(CYGPATH_W) '$(srcdir)/nm/nm_backend.c'; fi`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/nm_backend.Tpo $(DEPDIR)/nm_backend.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='nm/nm_backend.c' object='nm_backend.obj' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT nm_backend.obj -MD -MP -MF $(DEPDIR)/nm_backend.Tpo -c -o nm_backend.obj `if test -f 'nm/nm_backend.c'; then $(CYGPATH_W) 'nm/nm_backend.c'; else $(CYGPATH_W) '$(srcdir)/nm/nm_backend.c'; fi`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/nm_backend.Tpo $(DEPDIR)/nm_backend.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='nm/nm_backend.c' object='nm_backend.obj' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o nm_backend.obj `if test -f 'nm/nm_backend.c'; then $(CYGPATH_W) 'nm/nm_backend.c'; else $(CYGPATH_W) '$(srcdir)/nm/nm_backend.c'; fi`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o nm_backend.obj `if test -f 'nm/nm_backend.c'; then $(CYGPATH_W) 'nm/nm_backend.c'; else $(CYGPATH_W) '$(srcdir)/nm/nm_backend.c'; fi`
 
 nm_creds.o: nm/nm_creds.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT nm_creds.o -MD -MP -MF $(DEPDIR)/nm_creds.Tpo -c -o nm_creds.o `test -f 'nm/nm_creds.c' || echo '$(srcdir)/'`nm/nm_creds.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/nm_creds.Tpo $(DEPDIR)/nm_creds.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='nm/nm_creds.c' object='nm_creds.o' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT nm_creds.o -MD -MP -MF $(DEPDIR)/nm_creds.Tpo -c -o nm_creds.o `test -f 'nm/nm_creds.c' || echo '$(srcdir)/'`nm/nm_creds.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/nm_creds.Tpo $(DEPDIR)/nm_creds.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='nm/nm_creds.c' object='nm_creds.o' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o nm_creds.o `test -f 'nm/nm_creds.c' || echo '$(srcdir)/'`nm/nm_creds.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o nm_creds.o `test -f 'nm/nm_creds.c' || echo '$(srcdir)/'`nm/nm_creds.c
 
 nm_creds.obj: nm/nm_creds.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT nm_creds.obj -MD -MP -MF $(DEPDIR)/nm_creds.Tpo -c -o nm_creds.obj `if test -f 'nm/nm_creds.c'; then $(CYGPATH_W) 'nm/nm_creds.c'; else $(CYGPATH_W) '$(srcdir)/nm/nm_creds.c'; fi`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/nm_creds.Tpo $(DEPDIR)/nm_creds.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='nm/nm_creds.c' object='nm_creds.obj' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT nm_creds.obj -MD -MP -MF $(DEPDIR)/nm_creds.Tpo -c -o nm_creds.obj `if test -f 'nm/nm_creds.c'; then $(CYGPATH_W) 'nm/nm_creds.c'; else $(CYGPATH_W) '$(srcdir)/nm/nm_creds.c'; fi`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/nm_creds.Tpo $(DEPDIR)/nm_creds.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='nm/nm_creds.c' object='nm_creds.obj' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o nm_creds.obj `if test -f 'nm/nm_creds.c'; then $(CYGPATH_W) 'nm/nm_creds.c'; else $(CYGPATH_W) '$(srcdir)/nm/nm_creds.c'; fi`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o nm_creds.obj `if test -f 'nm/nm_creds.c'; then $(CYGPATH_W) 'nm/nm_creds.c'; else $(CYGPATH_W) '$(srcdir)/nm/nm_creds.c'; fi`
 
 nm_handler.o: nm/nm_handler.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT nm_handler.o -MD -MP -MF $(DEPDIR)/nm_handler.Tpo -c -o nm_handler.o `test -f 'nm/nm_handler.c' || echo '$(srcdir)/'`nm/nm_handler.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/nm_handler.Tpo $(DEPDIR)/nm_handler.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='nm/nm_handler.c' object='nm_handler.o' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT nm_handler.o -MD -MP -MF $(DEPDIR)/nm_handler.Tpo -c -o nm_handler.o `test -f 'nm/nm_handler.c' || echo '$(srcdir)/'`nm/nm_handler.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/nm_handler.Tpo $(DEPDIR)/nm_handler.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='nm/nm_handler.c' object='nm_handler.o' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o nm_handler.o `test -f 'nm/nm_handler.c' || echo '$(srcdir)/'`nm/nm_handler.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o nm_handler.o `test -f 'nm/nm_handler.c' || echo '$(srcdir)/'`nm/nm_handler.c
 
 nm_handler.obj: nm/nm_handler.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT nm_handler.obj -MD -MP -MF $(DEPDIR)/nm_handler.Tpo -c -o nm_handler.obj `if test -f 'nm/nm_handler.c'; then $(CYGPATH_W) 'nm/nm_handler.c'; else $(CYGPATH_W) '$(srcdir)/nm/nm_handler.c'; fi`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/nm_handler.Tpo $(DEPDIR)/nm_handler.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='nm/nm_handler.c' object='nm_handler.obj' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT nm_handler.obj -MD -MP -MF $(DEPDIR)/nm_handler.Tpo -c -o nm_handler.obj `if test -f 'nm/nm_handler.c'; then $(CYGPATH_W) 'nm/nm_handler.c'; else $(CYGPATH_W) '$(srcdir)/nm/nm_handler.c'; fi`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/nm_handler.Tpo $(DEPDIR)/nm_handler.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='nm/nm_handler.c' object='nm_handler.obj' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o nm_handler.obj `if test -f 'nm/nm_handler.c'; then $(CYGPATH_W) 'nm/nm_handler.c'; else $(CYGPATH_W) '$(srcdir)/nm/nm_handler.c'; fi`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o nm_handler.obj `if test -f 'nm/nm_handler.c'; then $(CYGPATH_W) 'nm/nm_handler.c'; else $(CYGPATH_W) '$(srcdir)/nm/nm_handler.c'; fi`
 
 nm_service.o: nm/nm_service.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT nm_service.o -MD -MP -MF $(DEPDIR)/nm_service.Tpo -c -o nm_service.o `test -f 'nm/nm_service.c' || echo '$(srcdir)/'`nm/nm_service.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/nm_service.Tpo $(DEPDIR)/nm_service.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='nm/nm_service.c' object='nm_service.o' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT nm_service.o -MD -MP -MF $(DEPDIR)/nm_service.Tpo -c -o nm_service.o `test -f 'nm/nm_service.c' || echo '$(srcdir)/'`nm/nm_service.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/nm_service.Tpo $(DEPDIR)/nm_service.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='nm/nm_service.c' object='nm_service.o' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o nm_service.o `test -f 'nm/nm_service.c' || echo '$(srcdir)/'`nm/nm_service.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o nm_service.o `test -f 'nm/nm_service.c' || echo '$(srcdir)/'`nm/nm_service.c
 
 nm_service.obj: nm/nm_service.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT nm_service.obj -MD -MP -MF $(DEPDIR)/nm_service.Tpo -c -o nm_service.obj `if test -f 'nm/nm_service.c'; then $(CYGPATH_W) 'nm/nm_service.c'; else $(CYGPATH_W) '$(srcdir)/nm/nm_service.c'; fi`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/nm_service.Tpo $(DEPDIR)/nm_service.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='nm/nm_service.c' object='nm_service.obj' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT nm_service.obj -MD -MP -MF $(DEPDIR)/nm_service.Tpo -c -o nm_service.obj `if test -f 'nm/nm_service.c'; then $(CYGPATH_W) 'nm/nm_service.c'; else $(CYGPATH_W) '$(srcdir)/nm/nm_service.c'; fi`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/nm_service.Tpo $(DEPDIR)/nm_service.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='nm/nm_service.c' object='nm_service.obj' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o nm_service.obj `if test -f 'nm/nm_service.c'; then $(CYGPATH_W) 'nm/nm_service.c'; else $(CYGPATH_W) '$(srcdir)/nm/nm_service.c'; fi`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o nm_service.obj `if test -f 'nm/nm_service.c'; then $(CYGPATH_W) 'nm/nm_service.c'; else $(CYGPATH_W) '$(srcdir)/nm/nm_service.c'; fi`
 
 mostlyclean-libtool:
 	-rm -f *.lo
diff --git a/src/charon-nm/charon-nm.c b/src/charon-nm/charon-nm.c
index 61f2937ce..9ce6dbaeb 100644
--- a/src/charon-nm/charon-nm.c
+++ b/src/charon-nm/charon-nm.c
@@ -28,6 +28,17 @@
 
 #include <nm/nm_backend.h>
 
+/**
+ * Default user and group
+ */
+#ifndef IPSEC_USER
+#define IPSEC_USER NULL
+#endif
+
+#ifndef IPSEC_GROUP
+#define IPSEC_GROUP NULL
+#endif
+
 /**
  * Hook in library for debugging messages
  */
@@ -121,18 +132,20 @@ static void segv_handler(int signal)
  */
 static bool lookup_uid_gid()
 {
-#ifdef IPSEC_USER
-	if (!charon->caps->resolve_uid(charon->caps, IPSEC_USER))
+	char *name;
+
+	name = lib->settings->get_str(lib->settings, "charon-nm.user",
+								  IPSEC_USER);
+	if (name && !lib->caps->resolve_uid(lib->caps, name))
 	{
 		return FALSE;
 	}
-#endif
-#ifdef IPSEC_GROUP
-	if (!charon->caps->resolve_gid(charon->caps, IPSEC_GROUP))
+	name = lib->settings->get_str(lib->settings, "charon-nm.group",
+								  IPSEC_GROUP);
+	if (name && !lib->caps->resolve_gid(lib->caps, name))
 	{
 		return FALSE;
 	}
-#endif
 	return TRUE;
 }
 
@@ -212,8 +225,9 @@ int main(int argc, char *argv[])
 		DBG1(DBG_DMN, "initialization failed - aborting charon-nm");
 		goto deinit;
 	}
+	lib->plugins->status(lib->plugins, LEVEL_CTRL);
 
-	if (!charon->caps->drop(charon->caps))
+	if (!lib->caps->drop(lib->caps))
 	{
 		DBG1(DBG_DMN, "capability dropping failed - aborting charon-nm");
 		goto deinit;
diff --git a/src/charon-nm/nm/nm_backend.c b/src/charon-nm/nm/nm_backend.c
index c18bf992a..f474dad60 100644
--- a/src/charon-nm/nm/nm_backend.c
+++ b/src/charon-nm/nm/nm_backend.c
@@ -116,7 +116,9 @@ static bool nm_backend_init()
 {
 	nm_backend_t *this;
 
+#if !GLIB_CHECK_VERSION(2,36,0)
 	g_type_init ();
+#endif
 
 #if !GLIB_CHECK_VERSION(2,23,0)
 	if (!g_thread_supported())
@@ -142,7 +144,12 @@ static bool nm_backend_init()
 	}
 
 	/* bypass file permissions to read from users ssh-agent */
-	charon->caps->keep(charon->caps, CAP_DAC_OVERRIDE);
+	if (!lib->caps->keep(lib->caps, CAP_DAC_OVERRIDE))
+	{
+		DBG1(DBG_CFG, "NM backend requires CAP_DAC_OVERRIDE capability");
+		nm_backend_deinit();
+		return FALSE;
+	}
 
 	lib->processor->queue_job(lib->processor,
 		(job_t*)callback_job_create_with_prio((callback_job_cb_t)run, this,
diff --git a/src/charon-tkm/Makefile.am b/src/charon-tkm/Makefile.am
index 457e5e44e..0fef1f62d 100644
--- a/src/charon-tkm/Makefile.am
+++ b/src/charon-tkm/Makefile.am
@@ -1,7 +1,7 @@
 SRC = $(top_builddir)/src
 
 # includes relative to obj directory
-INCLUDES = \
+AM_CPPFLAGS = \
 	-include $(top_builddir)/config.h \
 	-I../$(SRC)/libstrongswan \
 	-I../$(SRC)/libhydra \
@@ -18,7 +18,7 @@ DEFS += -DPLUGINS=\""$(PLUGINS)\"" -DIPSEC_PIDDIR=\"${piddir}\"
 
 BUILD_OPTS = \
 	-XOBJ_DIR=$(CURDIR)/obj \
-	-cargs $(INCLUDES) $(DEFS) \
+	-cargs $(AM_CPPFLAGS) $(DEFS) \
 	-largs $(LIBLD) $(LIBFL)
 
 # plugins to enable
diff --git a/src/charon-tkm/Makefile.in b/src/charon-tkm/Makefile.in
index ebca82f7d..e32a01e1b 100644
--- a/src/charon-tkm/Makefile.in
+++ b/src/charon-tkm/Makefile.in
@@ -61,13 +61,19 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
 CONFIG_HEADER = $(top_builddir)/config.h
 CONFIG_CLEAN_FILES =
 CONFIG_CLEAN_VPATH_FILES =
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 SOURCES =
 DIST_SOURCES =
 am__can_run_installinfo = \
@@ -79,6 +85,7 @@ DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
@@ -91,6 +98,8 @@ CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
 CHECK_CFLAGS = @CHECK_CFLAGS@
 CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -106,6 +115,7 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
 GPRBUILD = @GPRBUILD@
 GREP = @GREP@
@@ -114,6 +124,7 @@ INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -160,6 +171,7 @@ SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -188,6 +200,7 @@ charon_natt_port = @charon_natt_port@
 charon_plugins = @charon_plugins@
 charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
@@ -268,7 +281,7 @@ xml_LIBS = @xml_LIBS@
 SRC = $(top_builddir)/src
 
 # includes relative to obj directory
-INCLUDES = \
+AM_CPPFLAGS = \
 	-include $(top_builddir)/config.h \
 	-I../$(SRC)/libstrongswan \
 	-I../$(SRC)/libhydra \
@@ -283,7 +296,7 @@ LIBPT = $(SRC)/libstrongswan/.libs:$(SRC)/libhydra/.libs:$(SRC)/libcharon/.libs
 LIBFL = -lstrongswan -lhydra -lcharon
 BUILD_OPTS = \
 	-XOBJ_DIR=$(CURDIR)/obj \
-	-cargs $(INCLUDES) $(DEFS) \
+	-cargs $(AM_CPPFLAGS) $(DEFS) \
 	-largs $(LIBLD) $(LIBFL)
 
 
diff --git a/src/charon-tkm/src/charon-tkm.c b/src/charon-tkm/src/charon-tkm.c
index 0b39058a6..14a735590 100644
--- a/src/charon-tkm/src/charon-tkm.c
+++ b/src/charon-tkm/src/charon-tkm.c
@@ -151,13 +151,13 @@ static void segv_handler(int signal)
 static bool lookup_uid_gid()
 {
 #ifdef IPSEC_USER
-	if (!charon->caps->resolve_uid(charon->caps, IPSEC_USER))
+	if (!lib->caps->resolve_uid(lib->caps, IPSEC_USER))
 	{
 		return FALSE;
 	}
 #endif
 #ifdef IPSEC_GROUP
-	if (!charon->caps->resolve_gid(charon->caps, IPSEC_GROUP))
+	if (!lib->caps->resolve_gid(lib->caps, IPSEC_GROUP))
 	{
 		return FALSE;
 	}
@@ -201,8 +201,8 @@ static bool check_pidfile()
 	if (pidfile)
 	{
 		ignore_result(fchown(fileno(pidfile),
-							 charon->caps->get_uid(charon->caps),
-							 charon->caps->get_gid(charon->caps)));
+							 lib->caps->get_uid(lib->caps),
+							 lib->caps->get_gid(lib->caps)));
 		fprintf(pidfile, "%d\n", getpid());
 		fflush(pidfile);
 	}
@@ -311,6 +311,7 @@ int main(int argc, char *argv[])
 		DBG1(DBG_DMN, "initialization failed - aborting %s", dmn_name);
 		goto deinit;
 	}
+	lib->plugins->status(lib->plugins, LEVEL_CTRL);
 
 	/* set global pidfile name depending on daemon name */
 	if (asprintf(&pidfile_name, IPSEC_PIDDIR"/%s.pid", dmn_name) < 0)
@@ -326,7 +327,7 @@ int main(int argc, char *argv[])
 		goto deinit;
 	}
 
-	if (!charon->caps->drop(charon->caps))
+	if (!lib->caps->drop(lib->caps))
 	{
 		DBG1(DBG_DMN, "capability dropping failed - aborting %s", dmn_name);
 		goto deinit;
diff --git a/src/charon-tkm/src/tkm/tkm_kernel_ipsec.c b/src/charon-tkm/src/tkm/tkm_kernel_ipsec.c
index 69aefea97..1d070fd5f 100644
--- a/src/charon-tkm/src/tkm/tkm_kernel_ipsec.c
+++ b/src/charon-tkm/src/tkm/tkm_kernel_ipsec.c
@@ -92,7 +92,7 @@ METHOD(kernel_ipsec_t, add_sa, status_t,
 	u_int32_t spi, u_int8_t protocol, u_int32_t reqid, mark_t mark,
 	u_int32_t tfc, lifetime_cfg_t *lifetime, u_int16_t enc_alg, chunk_t enc_key,
 	u_int16_t int_alg, chunk_t int_key, ipsec_mode_t mode, u_int16_t ipcomp,
-	u_int16_t cpi, bool encap, bool esn, bool inbound,
+	u_int16_t cpi, bool _initiator, bool encap, bool esn, bool inbound,
 	traffic_selector_t* src_ts, traffic_selector_t* dst_ts)
 {
 	esa_info_t esa;
@@ -120,6 +120,7 @@ METHOD(kernel_ipsec_t, add_sa, status_t,
 	}
 
 	/* Initiator if encr_r is passed as enc_key to the inbound add_sa call */
+	/* TODO: does the new _initiator parameter have the same meaning? */
 	initiator = esa.is_encr_r && inbound;
 	if (initiator)
 	{
@@ -216,7 +217,7 @@ sad_failure:
 METHOD(kernel_ipsec_t, query_sa, status_t,
 	private_tkm_kernel_ipsec_t *this, host_t *src, host_t *dst,
 	u_int32_t spi, u_int8_t protocol, mark_t mark, u_int64_t *bytes,
-	u_int64_t *packets)
+	u_int64_t *packets, u_int32_t *time)
 {
 	return NOT_SUPPORTED;
 }
diff --git a/src/charon/Makefile.am b/src/charon/Makefile.am
index 0ca15cb10..6c5b88eb8 100644
--- a/src/charon/Makefile.am
+++ b/src/charon/Makefile.am
@@ -5,12 +5,10 @@ charon.c
 
 charon.o :	$(top_builddir)/config.status
 
-INCLUDES = \
+AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
 	-I$(top_srcdir)/src/libhydra \
-	-I$(top_srcdir)/src/libcharon
-
-AM_CFLAGS = \
+	-I$(top_srcdir)/src/libcharon \
 	-DIPSEC_DIR=\"${ipsecdir}\" \
 	-DIPSEC_PIDDIR=\"${piddir}\" \
 	-DPLUGINS=\""${charon_plugins}\""
@@ -22,4 +20,3 @@ charon_LDADD = \
 	-lm $(PTHREADLIB) $(DLLIB)
 
 EXTRA_DIST = Android.mk
-
diff --git a/src/charon/Makefile.in b/src/charon/Makefile.in
index 941fff697..9da6d604b 100644
--- a/src/charon/Makefile.in
+++ b/src/charon/Makefile.in
@@ -63,7 +63,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
@@ -80,19 +80,35 @@ charon_DEPENDENCIES =  \
 	$(top_builddir)/src/libhydra/libhydra.la \
 	$(top_builddir)/src/libcharon/libcharon.la \
 	$(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1)
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
 DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
 depcomp = $(SHELL) $(top_srcdir)/depcomp
 am__depfiles_maybe = depfiles
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
 SOURCES = $(charon_SOURCES)
 DIST_SOURCES = $(charon_SOURCES)
 am__can_run_installinfo = \
@@ -106,6 +122,7 @@ DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
@@ -118,6 +135,8 @@ CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
 CHECK_CFLAGS = @CHECK_CFLAGS@
 CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -133,6 +152,7 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
 GPRBUILD = @GPRBUILD@
 GREP = @GREP@
@@ -141,6 +161,7 @@ INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -187,6 +208,7 @@ SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -215,6 +237,7 @@ charon_natt_port = @charon_natt_port@
 charon_plugins = @charon_plugins@
 charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
@@ -295,12 +318,10 @@ xml_LIBS = @xml_LIBS@
 charon_SOURCES = \
 charon.c
 
-INCLUDES = \
+AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
 	-I$(top_srcdir)/src/libhydra \
-	-I$(top_srcdir)/src/libcharon
-
-AM_CFLAGS = \
+	-I$(top_srcdir)/src/libcharon \
 	-DIPSEC_DIR=\"${ipsecdir}\" \
 	-DIPSEC_PIDDIR=\"${piddir}\" \
 	-DPLUGINS=\""${charon_plugins}\""
@@ -394,7 +415,7 @@ clean-ipsecPROGRAMS:
 	rm -f $$list
 charon$(EXEEXT): $(charon_OBJECTS) $(charon_DEPENDENCIES) $(EXTRA_charon_DEPENDENCIES) 
 	@rm -f charon$(EXEEXT)
-	$(LINK) $(charon_OBJECTS) $(charon_LDADD) $(LIBS)
+	$(AM_V_CCLD)$(LINK) $(charon_OBJECTS) $(charon_LDADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -405,25 +426,25 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/charon.Po@am__quote@
 
 .c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
 mostlyclean-libtool:
 	-rm -f *.lo
diff --git a/src/charon/charon.c b/src/charon/charon.c
index 812b7620b..340f852cd 100644
--- a/src/charon/charon.c
+++ b/src/charon/charon.c
@@ -43,6 +43,17 @@
  */
 #define PID_FILE IPSEC_PIDDIR "/charon.pid"
 
+/**
+ * Default user and group
+ */
+#ifndef IPSEC_USER
+#define IPSEC_USER NULL
+#endif
+
+#ifndef IPSEC_GROUP
+#define IPSEC_GROUP NULL
+#endif
+
 /**
  * Global reference to PID file (required to truncate, if undeletable)
  */
@@ -148,20 +159,20 @@ static void run()
  */
 static bool lookup_uid_gid()
 {
-#ifdef IPSEC_USER
-	if (!charon->caps->resolve_uid(charon->caps, IPSEC_USER))
+	char *name;
+
+	name = lib->settings->get_str(lib->settings, "charon.user", IPSEC_USER);
+	if (name && !lib->caps->resolve_uid(lib->caps, name))
 	{
 		return FALSE;
 	}
-#endif
-#ifdef IPSEC_GROUP
-	if (!charon->caps->resolve_gid(charon->caps, IPSEC_GROUP))
+	name = lib->settings->get_str(lib->settings, "charon.group", IPSEC_GROUP);
+	if (name && !lib->caps->resolve_gid(lib->caps, name))
 	{
 		return FALSE;
 	}
-#endif
 #ifdef ANDROID
-	charon->caps->set_uid(charon->caps, AID_VPN);
+	lib->caps->set_uid(lib->caps, AID_VPN);
 #endif
 	return TRUE;
 }
@@ -219,8 +230,8 @@ static bool check_pidfile()
 	if (pidfile)
 	{
 		ignore_result(fchown(fileno(pidfile),
-							 charon->caps->get_uid(charon->caps),
-							 charon->caps->get_gid(charon->caps)));
+							 lib->caps->get_uid(lib->caps),
+							 lib->caps->get_gid(lib->caps)));
 		fprintf(pidfile, "%d\n", getpid());
 		fflush(pidfile);
 	}
@@ -398,6 +409,7 @@ int main(int argc, char *argv[])
 		DBG1(DBG_DMN, "initialization failed - aborting charon");
 		goto deinit;
 	}
+	lib->plugins->status(lib->plugins, LEVEL_CTRL);
 
 	if (check_pidfile())
 	{
@@ -405,7 +417,7 @@ int main(int argc, char *argv[])
 		goto deinit;
 	}
 
-	if (!charon->caps->drop(charon->caps))
+	if (!lib->caps->drop(lib->caps))
 	{
 		DBG1(DBG_DMN, "capability dropping failed - aborting charon");
 		goto deinit;
diff --git a/src/checksum/Makefile.am b/src/checksum/Makefile.am
index 9f6945087..ddb0ea65b 100644
--- a/src/checksum/Makefile.am
+++ b/src/checksum/Makefile.am
@@ -13,12 +13,14 @@ checksum_builder_LDADD = \
 	$(DLLIB)
 
 CLEANFILES = checksum.c
-INCLUDES = \
+
+AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
 	-I$(top_srcdir)/src/libhydra \
-	-I$(top_srcdir)/src/libcharon
+	-I$(top_srcdir)/src/libcharon \
+	-DPLUGINDIR=\"${DESTDIR}${plugindir}\"
+
 AM_CFLAGS = \
-	-DPLUGINDIR=\"${DESTDIR}${plugindir}\" \
 	-rdynamic
 
 # we keep track of build dependencies in deps and use libs to store the paths
@@ -29,14 +31,14 @@ libs = $(DESTDIR)$(ipseclibdir)/libstrongswan.so
 exes =
 
 if !MONOLITHIC
-  AM_CFLAGS += -DS_PLUGINS=\""${s_plugins}\""
+  AM_CPPFLAGS += -DS_PLUGINS=\""${s_plugins}\""
 endif
 
 if USE_LIBHYDRA
   deps += $(top_builddir)/src/libhydra/libhydra.la
   libs += $(DESTDIR)$(ipseclibdir)/libhydra.so
 if !MONOLITHIC
-  AM_CFLAGS += -DH_PLUGINS=\""${h_plugins}\""
+  AM_CPPFLAGS += -DH_PLUGINS=\""${h_plugins}\""
 endif
 endif
 
@@ -80,10 +82,14 @@ if USE_CHARON
   libs += $(DESTDIR)$(ipseclibdir)/libcharon.so
   exes += $(top_builddir)/src/charon/.libs/charon
 if !MONOLITHIC
-  AM_CFLAGS += -DC_PLUGINS=\""${c_plugins}\""
+  AM_CPPFLAGS += -DC_PLUGINS=\""${c_plugins}\""
 endif
 endif
 
+if USE_CMD
+  exes += $(top_builddir)/src/charon-cmd/.libs/charon-cmd
+endif
+
 if USE_TOOLS
   exes += $(top_builddir)/src/openac/.libs/openac
   exes += $(top_builddir)/src/pki/.libs/pki
diff --git a/src/checksum/Makefile.in b/src/checksum/Makefile.in
index ac2787473..b45879f94 100644
--- a/src/checksum/Makefile.in
+++ b/src/checksum/Makefile.in
@@ -75,12 +75,13 @@ noinst_PROGRAMS = checksum_builder$(EXEEXT)
 @USE_CHARON_TRUE@am__append_20 = $(DESTDIR)$(ipseclibdir)/libcharon.so
 @USE_CHARON_TRUE@am__append_21 = $(top_builddir)/src/charon/.libs/charon
 @MONOLITHIC_FALSE@@USE_CHARON_TRUE@am__append_22 = -DC_PLUGINS=\""${c_plugins}\""
-@USE_TOOLS_TRUE@am__append_23 =  \
+@USE_CMD_TRUE@am__append_23 = $(top_builddir)/src/charon-cmd/.libs/charon-cmd
+@USE_TOOLS_TRUE@am__append_24 =  \
 @USE_TOOLS_TRUE@	$(top_builddir)/src/openac/.libs/openac \
 @USE_TOOLS_TRUE@	$(top_builddir)/src/pki/.libs/pki \
 @USE_TOOLS_TRUE@	$(top_builddir)/src/scepclient/.libs/scepclient
-@USE_ATTR_SQL_TRUE@am__append_24 = $(top_builddir)/src/libhydra/plugins/attr_sql/.libs/pool
-@USE_IMV_ATTESTATION_TRUE@am__append_25 = $(top_builddir)/src/libpts/plugins/imv_attestation/.libs/attest
+@USE_ATTR_SQL_TRUE@am__append_25 = $(top_builddir)/src/libhydra/plugins/attr_sql/.libs/pool
+@USE_IMV_ATTESTATION_TRUE@am__append_26 = $(top_builddir)/src/libpts/plugins/imv_attestation/.libs/attest
 subdir = src/checksum
 DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
@@ -92,7 +93,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
@@ -131,9 +132,13 @@ LTLIBRARIES = $(ipseclib_LTLIBRARIES)
 libchecksum_la_LIBADD =
 nodist_libchecksum_la_OBJECTS = checksum.lo
 libchecksum_la_OBJECTS = $(nodist_libchecksum_la_OBJECTS)
-libchecksum_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
-	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
-	$(libchecksum_la_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+libchecksum_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
+	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
+	$(AM_CFLAGS) $(CFLAGS) $(libchecksum_la_LDFLAGS) $(LDFLAGS) -o \
+	$@
 PROGRAMS = $(noinst_PROGRAMS)
 am_checksum_builder_OBJECTS = checksum_builder.$(OBJEXT)
 checksum_builder_OBJECTS = $(am_checksum_builder_OBJECTS)
@@ -149,13 +154,26 @@ am__depfiles_maybe = depfiles
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
 SOURCES = $(nodist_libchecksum_la_SOURCES) $(checksum_builder_SOURCES)
 DIST_SOURCES = $(checksum_builder_SOURCES)
 am__can_run_installinfo = \
@@ -169,6 +187,7 @@ DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
@@ -181,6 +200,8 @@ CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
 CHECK_CFLAGS = @CHECK_CFLAGS@
 CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -196,6 +217,7 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
 GPRBUILD = @GPRBUILD@
 GREP = @GREP@
@@ -204,6 +226,7 @@ INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -250,6 +273,7 @@ SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -278,6 +302,7 @@ charon_natt_port = @charon_natt_port@
 charon_plugins = @charon_plugins@
 charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
@@ -369,13 +394,13 @@ checksum_builder_LDADD = \
 	$(DLLIB)
 
 CLEANFILES = checksum.c
-INCLUDES = \
-	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
-	-I$(top_srcdir)/src/libcharon
+AM_CPPFLAGS = -I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra -I$(top_srcdir)/src/libcharon \
+	-DPLUGINDIR=\"${DESTDIR}${plugindir}\" $(am__append_1) \
+	$(am__append_4) $(am__append_22)
+AM_CFLAGS = \
+	-rdynamic
 
-AM_CFLAGS = -DPLUGINDIR=\"${DESTDIR}${plugindir}\" -rdynamic \
-	$(am__append_1) $(am__append_4) $(am__append_22)
 
 # we keep track of build dependencies in deps and use libs to store the paths
 # to the installed libraries. for executables we use the built files directly
@@ -389,7 +414,7 @@ libs = $(DESTDIR)$(ipseclibdir)/libstrongswan.so $(am__append_3) \
 	$(am__append_12) $(am__append_14) $(am__append_16) \
 	$(am__append_18) $(am__append_20)
 exes = $(am__append_21) $(am__append_23) $(am__append_24) \
-	$(am__append_25)
+	$(am__append_25) $(am__append_26)
 all: all-am
 
 .SUFFIXES:
@@ -457,7 +482,7 @@ clean-ipseclibLTLIBRARIES:
 	  rm -f "$${dir}/so_locations"; \
 	done
 libchecksum.la: $(libchecksum_la_OBJECTS) $(libchecksum_la_DEPENDENCIES) $(EXTRA_libchecksum_la_DEPENDENCIES) 
-	$(libchecksum_la_LINK)  $(libchecksum_la_OBJECTS) $(libchecksum_la_LIBADD) $(LIBS)
+	$(AM_V_CCLD)$(libchecksum_la_LINK)  $(libchecksum_la_OBJECTS) $(libchecksum_la_LIBADD) $(LIBS)
 
 clean-noinstPROGRAMS:
 	@list='$(noinst_PROGRAMS)'; test -n "$$list" || exit 0; \
@@ -469,7 +494,7 @@ clean-noinstPROGRAMS:
 	rm -f $$list
 checksum_builder$(EXEEXT): $(checksum_builder_OBJECTS) $(checksum_builder_DEPENDENCIES) $(EXTRA_checksum_builder_DEPENDENCIES) 
 	@rm -f checksum_builder$(EXEEXT)
-	$(LINK) $(checksum_builder_OBJECTS) $(checksum_builder_LDADD) $(LIBS)
+	$(AM_V_CCLD)$(LINK) $(checksum_builder_OBJECTS) $(checksum_builder_LDADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -481,25 +506,25 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/checksum_builder.Po@am__quote@
 
 .c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
 mostlyclean-libtool:
 	-rm -f *.lo
diff --git a/src/conftest/Makefile.am b/src/conftest/Makefile.am
index 64a2cc6d3..2aafc7a6f 100644
--- a/src/conftest/Makefile.am
+++ b/src/conftest/Makefile.am
@@ -1,6 +1,9 @@
 ipsec_PROGRAMS = conftest
 
-AM_CFLAGS = -rdynamic \
+AM_CPPFLAGS = -rdynamic \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon \
 	-DPLUGINS=\""${charon_plugins}\""
 
 conftest_SOURCES = conftest.c conftest.h config.c config.h actions.c actions.h \
@@ -13,11 +16,6 @@ conftest_SOURCES = conftest.c conftest.h config.c config.h actions.c actions.h \
 	hooks/set_ike_request.c hooks/set_reserved.c hooks/set_ike_initiator.c \
 	hooks/log_ts.c hooks/rebuild_auth.c hooks/reset_seq.c
 
-INCLUDES = \
-	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
-	-I$(top_srcdir)/src/libcharon
-
 conftest_LDADD = \
 	$(top_builddir)/src/libstrongswan/libstrongswan.la \
 	$(top_builddir)/src/libhydra/libhydra.la \
diff --git a/src/conftest/Makefile.in b/src/conftest/Makefile.in
index 11b20e3a3..5e3713aa3 100644
--- a/src/conftest/Makefile.in
+++ b/src/conftest/Makefile.in
@@ -63,7 +63,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
@@ -91,19 +91,35 @@ conftest_DEPENDENCIES =  \
 	$(top_builddir)/src/libhydra/libhydra.la \
 	$(top_builddir)/src/libcharon/libcharon.la \
 	$(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1)
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
 DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
 depcomp = $(SHELL) $(top_srcdir)/depcomp
 am__depfiles_maybe = depfiles
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
 SOURCES = $(conftest_SOURCES)
 DIST_SOURCES = $(conftest_SOURCES)
 am__can_run_installinfo = \
@@ -117,6 +133,7 @@ DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
@@ -129,6 +146,8 @@ CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
 CHECK_CFLAGS = @CHECK_CFLAGS@
 CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -144,6 +163,7 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
 GPRBUILD = @GPRBUILD@
 GREP = @GREP@
@@ -152,6 +172,7 @@ INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -198,6 +219,7 @@ SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -226,6 +248,7 @@ charon_natt_port = @charon_natt_port@
 charon_plugins = @charon_plugins@
 charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
@@ -303,7 +326,10 @@ top_srcdir = @top_srcdir@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-AM_CFLAGS = -rdynamic \
+AM_CPPFLAGS = -rdynamic \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon \
 	-DPLUGINS=\""${charon_plugins}\""
 
 conftest_SOURCES = conftest.c conftest.h config.c config.h actions.c actions.h \
@@ -316,11 +342,6 @@ conftest_SOURCES = conftest.c conftest.h config.c config.h actions.c actions.h \
 	hooks/set_ike_request.c hooks/set_reserved.c hooks/set_ike_initiator.c \
 	hooks/log_ts.c hooks/rebuild_auth.c hooks/reset_seq.c
 
-INCLUDES = \
-	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
-	-I$(top_srcdir)/src/libcharon
-
 conftest_LDADD = \
 	$(top_builddir)/src/libstrongswan/libstrongswan.la \
 	$(top_builddir)/src/libhydra/libhydra.la \
@@ -410,7 +431,7 @@ clean-ipsecPROGRAMS:
 	rm -f $$list
 conftest$(EXEEXT): $(conftest_OBJECTS) $(conftest_DEPENDENCIES) $(EXTRA_conftest_DEPENDENCIES) 
 	@rm -f conftest$(EXEEXT)
-	$(LINK) $(conftest_OBJECTS) $(conftest_LDADD) $(LIBS)
+	$(AM_V_CCLD)$(LINK) $(conftest_OBJECTS) $(conftest_LDADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -446,347 +467,347 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/unsort_message.Po@am__quote@
 
 .c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
 ike_auth_fill.o: hooks/ike_auth_fill.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_auth_fill.o -MD -MP -MF $(DEPDIR)/ike_auth_fill.Tpo -c -o ike_auth_fill.o `test -f 'hooks/ike_auth_fill.c' || echo '$(srcdir)/'`hooks/ike_auth_fill.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/ike_auth_fill.Tpo $(DEPDIR)/ike_auth_fill.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='hooks/ike_auth_fill.c' object='ike_auth_fill.o' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_auth_fill.o -MD -MP -MF $(DEPDIR)/ike_auth_fill.Tpo -c -o ike_auth_fill.o `test -f 'hooks/ike_auth_fill.c' || echo '$(srcdir)/'`hooks/ike_auth_fill.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/ike_auth_fill.Tpo $(DEPDIR)/ike_auth_fill.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='hooks/ike_auth_fill.c' object='ike_auth_fill.o' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_auth_fill.o `test -f 'hooks/ike_auth_fill.c' || echo '$(srcdir)/'`hooks/ike_auth_fill.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_auth_fill.o `test -f 'hooks/ike_auth_fill.c' || echo '$(srcdir)/'`hooks/ike_auth_fill.c
 
 ike_auth_fill.obj: hooks/ike_auth_fill.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_auth_fill.obj -MD -MP -MF $(DEPDIR)/ike_auth_fill.Tpo -c -o ike_auth_fill.obj `if test -f 'hooks/ike_auth_fill.c'; then $(CYGPATH_W) 'hooks/ike_auth_fill.c'; else $(CYGPATH_W) '$(srcdir)/hooks/ike_auth_fill.c'; fi`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/ike_auth_fill.Tpo $(DEPDIR)/ike_auth_fill.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='hooks/ike_auth_fill.c' object='ike_auth_fill.obj' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_auth_fill.obj -MD -MP -MF $(DEPDIR)/ike_auth_fill.Tpo -c -o ike_auth_fill.obj `if test -f 'hooks/ike_auth_fill.c'; then $(CYGPATH_W) 'hooks/ike_auth_fill.c'; else $(CYGPATH_W) '$(srcdir)/hooks/ike_auth_fill.c'; fi`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/ike_auth_fill.Tpo $(DEPDIR)/ike_auth_fill.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='hooks/ike_auth_fill.c' object='ike_auth_fill.obj' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_auth_fill.obj `if test -f 'hooks/ike_auth_fill.c'; then $(CYGPATH_W) 'hooks/ike_auth_fill.c'; else $(CYGPATH_W) '$(srcdir)/hooks/ike_auth_fill.c'; fi`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_auth_fill.obj `if test -f 'hooks/ike_auth_fill.c'; then $(CYGPATH_W) 'hooks/ike_auth_fill.c'; else $(CYGPATH_W) '$(srcdir)/hooks/ike_auth_fill.c'; fi`
 
 unsort_message.o: hooks/unsort_message.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT unsort_message.o -MD -MP -MF $(DEPDIR)/unsort_message.Tpo -c -o unsort_message.o `test -f 'hooks/unsort_message.c' || echo '$(srcdir)/'`hooks/unsort_message.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/unsort_message.Tpo $(DEPDIR)/unsort_message.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='hooks/unsort_message.c' object='unsort_message.o' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT unsort_message.o -MD -MP -MF $(DEPDIR)/unsort_message.Tpo -c -o unsort_message.o `test -f 'hooks/unsort_message.c' || echo '$(srcdir)/'`hooks/unsort_message.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/unsort_message.Tpo $(DEPDIR)/unsort_message.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='hooks/unsort_message.c' object='unsort_message.o' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o unsort_message.o `test -f 'hooks/unsort_message.c' || echo '$(srcdir)/'`hooks/unsort_message.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o unsort_message.o `test -f 'hooks/unsort_message.c' || echo '$(srcdir)/'`hooks/unsort_message.c
 
 unsort_message.obj: hooks/unsort_message.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT unsort_message.obj -MD -MP -MF $(DEPDIR)/unsort_message.Tpo -c -o unsort_message.obj `if test -f 'hooks/unsort_message.c'; then $(CYGPATH_W) 'hooks/unsort_message.c'; else $(CYGPATH_W) '$(srcdir)/hooks/unsort_message.c'; fi`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/unsort_message.Tpo $(DEPDIR)/unsort_message.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='hooks/unsort_message.c' object='unsort_message.obj' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT unsort_message.obj -MD -MP -MF $(DEPDIR)/unsort_message.Tpo -c -o unsort_message.obj `if test -f 'hooks/unsort_message.c'; then $(CYGPATH_W) 'hooks/unsort_message.c'; else $(CYGPATH_W) '$(srcdir)/hooks/unsort_message.c'; fi`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/unsort_message.Tpo $(DEPDIR)/unsort_message.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='hooks/unsort_message.c' object='unsort_message.obj' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o unsort_message.obj `if test -f 'hooks/unsort_message.c'; then $(CYGPATH_W) 'hooks/unsort_message.c'; else $(CYGPATH_W) '$(srcdir)/hooks/unsort_message.c'; fi`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o unsort_message.obj `if test -f 'hooks/unsort_message.c'; then $(CYGPATH_W) 'hooks/unsort_message.c'; else $(CYGPATH_W) '$(srcdir)/hooks/unsort_message.c'; fi`
 
 add_notify.o: hooks/add_notify.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT add_notify.o -MD -MP -MF $(DEPDIR)/add_notify.Tpo -c -o add_notify.o `test -f 'hooks/add_notify.c' || echo '$(srcdir)/'`hooks/add_notify.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/add_notify.Tpo $(DEPDIR)/add_notify.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='hooks/add_notify.c' object='add_notify.o' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT add_notify.o -MD -MP -MF $(DEPDIR)/add_notify.Tpo -c -o add_notify.o `test -f 'hooks/add_notify.c' || echo '$(srcdir)/'`hooks/add_notify.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/add_notify.Tpo $(DEPDIR)/add_notify.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='hooks/add_notify.c' object='add_notify.o' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o add_notify.o `test -f 'hooks/add_notify.c' || echo '$(srcdir)/'`hooks/add_notify.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o add_notify.o `test -f 'hooks/add_notify.c' || echo '$(srcdir)/'`hooks/add_notify.c
 
 add_notify.obj: hooks/add_notify.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT add_notify.obj -MD -MP -MF $(DEPDIR)/add_notify.Tpo -c -o add_notify.obj `if test -f 'hooks/add_notify.c'; then $(CYGPATH_W) 'hooks/add_notify.c'; else $(CYGPATH_W) '$(srcdir)/hooks/add_notify.c'; fi`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/add_notify.Tpo $(DEPDIR)/add_notify.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='hooks/add_notify.c' object='add_notify.obj' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT add_notify.obj -MD -MP -MF $(DEPDIR)/add_notify.Tpo -c -o add_notify.obj `if test -f 'hooks/add_notify.c'; then $(CYGPATH_W) 'hooks/add_notify.c'; else $(CYGPATH_W) '$(srcdir)/hooks/add_notify.c'; fi`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/add_notify.Tpo $(DEPDIR)/add_notify.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='hooks/add_notify.c' object='add_notify.obj' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o add_notify.obj `if test -f 'hooks/add_notify.c'; then $(CYGPATH_W) 'hooks/add_notify.c'; else $(CYGPATH_W) '$(srcdir)/hooks/add_notify.c'; fi`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o add_notify.obj `if test -f 'hooks/add_notify.c'; then $(CYGPATH_W) 'hooks/add_notify.c'; else $(CYGPATH_W) '$(srcdir)/hooks/add_notify.c'; fi`
 
 unencrypted_notify.o: hooks/unencrypted_notify.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT unencrypted_notify.o -MD -MP -MF $(DEPDIR)/unencrypted_notify.Tpo -c -o unencrypted_notify.o `test -f 'hooks/unencrypted_notify.c' || echo '$(srcdir)/'`hooks/unencrypted_notify.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/unencrypted_notify.Tpo $(DEPDIR)/unencrypted_notify.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='hooks/unencrypted_notify.c' object='unencrypted_notify.o' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT unencrypted_notify.o -MD -MP -MF $(DEPDIR)/unencrypted_notify.Tpo -c -o unencrypted_notify.o `test -f 'hooks/unencrypted_notify.c' || echo '$(srcdir)/'`hooks/unencrypted_notify.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/unencrypted_notify.Tpo $(DEPDIR)/unencrypted_notify.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='hooks/unencrypted_notify.c' object='unencrypted_notify.o' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o unencrypted_notify.o `test -f 'hooks/unencrypted_notify.c' || echo '$(srcdir)/'`hooks/unencrypted_notify.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o unencrypted_notify.o `test -f 'hooks/unencrypted_notify.c' || echo '$(srcdir)/'`hooks/unencrypted_notify.c
 
 unencrypted_notify.obj: hooks/unencrypted_notify.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT unencrypted_notify.obj -MD -MP -MF $(DEPDIR)/unencrypted_notify.Tpo -c -o unencrypted_notify.obj `if test -f 'hooks/unencrypted_notify.c'; then $(CYGPATH_W) 'hooks/unencrypted_notify.c'; else $(CYGPATH_W) '$(srcdir)/hooks/unencrypted_notify.c'; fi`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/unencrypted_notify.Tpo $(DEPDIR)/unencrypted_notify.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='hooks/unencrypted_notify.c' object='unencrypted_notify.obj' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT unencrypted_notify.obj -MD -MP -MF $(DEPDIR)/unencrypted_notify.Tpo -c -o unencrypted_notify.obj `if test -f 'hooks/unencrypted_notify.c'; then $(CYGPATH_W) 'hooks/unencrypted_notify.c'; else $(CYGPATH_W) '$(srcdir)/hooks/unencrypted_notify.c'; fi`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/unencrypted_notify.Tpo $(DEPDIR)/unencrypted_notify.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='hooks/unencrypted_notify.c' object='unencrypted_notify.obj' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o unencrypted_notify.obj `if test -f 'hooks/unencrypted_notify.c'; then $(CYGPATH_W) 'hooks/unencrypted_notify.c'; else $(CYGPATH_W) '$(srcdir)/hooks/unencrypted_notify.c'; fi`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o unencrypted_notify.obj `if test -f 'hooks/unencrypted_notify.c'; then $(CYGPATH_W) 'hooks/unencrypted_notify.c'; else $(CYGPATH_W) '$(srcdir)/hooks/unencrypted_notify.c'; fi`
 
 ignore_message.o: hooks/ignore_message.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ignore_message.o -MD -MP -MF $(DEPDIR)/ignore_message.Tpo -c -o ignore_message.o `test -f 'hooks/ignore_message.c' || echo '$(srcdir)/'`hooks/ignore_message.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/ignore_message.Tpo $(DEPDIR)/ignore_message.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='hooks/ignore_message.c' object='ignore_message.o' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ignore_message.o -MD -MP -MF $(DEPDIR)/ignore_message.Tpo -c -o ignore_message.o `test -f 'hooks/ignore_message.c' || echo '$(srcdir)/'`hooks/ignore_message.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/ignore_message.Tpo $(DEPDIR)/ignore_message.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='hooks/ignore_message.c' object='ignore_message.o' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ignore_message.o `test -f 'hooks/ignore_message.c' || echo '$(srcdir)/'`hooks/ignore_message.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ignore_message.o `test -f 'hooks/ignore_message.c' || echo '$(srcdir)/'`hooks/ignore_message.c
 
 ignore_message.obj: hooks/ignore_message.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ignore_message.obj -MD -MP -MF $(DEPDIR)/ignore_message.Tpo -c -o ignore_message.obj `if test -f 'hooks/ignore_message.c'; then $(CYGPATH_W) 'hooks/ignore_message.c'; else $(CYGPATH_W) '$(srcdir)/hooks/ignore_message.c'; fi`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/ignore_message.Tpo $(DEPDIR)/ignore_message.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='hooks/ignore_message.c' object='ignore_message.obj' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ignore_message.obj -MD -MP -MF $(DEPDIR)/ignore_message.Tpo -c -o ignore_message.obj `if test -f 'hooks/ignore_message.c'; then $(CYGPATH_W) 'hooks/ignore_message.c'; else $(CYGPATH_W) '$(srcdir)/hooks/ignore_message.c'; fi`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/ignore_message.Tpo $(DEPDIR)/ignore_message.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='hooks/ignore_message.c' object='ignore_message.obj' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ignore_message.obj `if test -f 'hooks/ignore_message.c'; then $(CYGPATH_W) 'hooks/ignore_message.c'; else $(CYGPATH_W) '$(srcdir)/hooks/ignore_message.c'; fi`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ignore_message.obj `if test -f 'hooks/ignore_message.c'; then $(CYGPATH_W) 'hooks/ignore_message.c'; else $(CYGPATH_W) '$(srcdir)/hooks/ignore_message.c'; fi`
 
 add_payload.o: hooks/add_payload.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT add_payload.o -MD -MP -MF $(DEPDIR)/add_payload.Tpo -c -o add_payload.o `test -f 'hooks/add_payload.c' || echo '$(srcdir)/'`hooks/add_payload.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/add_payload.Tpo $(DEPDIR)/add_payload.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='hooks/add_payload.c' object='add_payload.o' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT add_payload.o -MD -MP -MF $(DEPDIR)/add_payload.Tpo -c -o add_payload.o `test -f 'hooks/add_payload.c' || echo '$(srcdir)/'`hooks/add_payload.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/add_payload.Tpo $(DEPDIR)/add_payload.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='hooks/add_payload.c' object='add_payload.o' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o add_payload.o `test -f 'hooks/add_payload.c' || echo '$(srcdir)/'`hooks/add_payload.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o add_payload.o `test -f 'hooks/add_payload.c' || echo '$(srcdir)/'`hooks/add_payload.c
 
 add_payload.obj: hooks/add_payload.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT add_payload.obj -MD -MP -MF $(DEPDIR)/add_payload.Tpo -c -o add_payload.obj `if test -f 'hooks/add_payload.c'; then $(CYGPATH_W) 'hooks/add_payload.c'; else $(CYGPATH_W) '$(srcdir)/hooks/add_payload.c'; fi`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/add_payload.Tpo $(DEPDIR)/add_payload.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='hooks/add_payload.c' object='add_payload.obj' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT add_payload.obj -MD -MP -MF $(DEPDIR)/add_payload.Tpo -c -o add_payload.obj `if test -f 'hooks/add_payload.c'; then $(CYGPATH_W) 'hooks/add_payload.c'; else $(CYGPATH_W) '$(srcdir)/hooks/add_payload.c'; fi`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/add_payload.Tpo $(DEPDIR)/add_payload.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='hooks/add_payload.c' object='add_payload.obj' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o add_payload.obj `if test -f 'hooks/add_payload.c'; then $(CYGPATH_W) 'hooks/add_payload.c'; else $(CYGPATH_W) '$(srcdir)/hooks/add_payload.c'; fi`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o add_payload.obj `if test -f 'hooks/add_payload.c'; then $(CYGPATH_W) 'hooks/add_payload.c'; else $(CYGPATH_W) '$(srcdir)/hooks/add_payload.c'; fi`
 
 set_critical.o: hooks/set_critical.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT set_critical.o -MD -MP -MF $(DEPDIR)/set_critical.Tpo -c -o set_critical.o `test -f 'hooks/set_critical.c' || echo '$(srcdir)/'`hooks/set_critical.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/set_critical.Tpo $(DEPDIR)/set_critical.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='hooks/set_critical.c' object='set_critical.o' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT set_critical.o -MD -MP -MF $(DEPDIR)/set_critical.Tpo -c -o set_critical.o `test -f 'hooks/set_critical.c' || echo '$(srcdir)/'`hooks/set_critical.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/set_critical.Tpo $(DEPDIR)/set_critical.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='hooks/set_critical.c' object='set_critical.o' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o set_critical.o `test -f 'hooks/set_critical.c' || echo '$(srcdir)/'`hooks/set_critical.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o set_critical.o `test -f 'hooks/set_critical.c' || echo '$(srcdir)/'`hooks/set_critical.c
 
 set_critical.obj: hooks/set_critical.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT set_critical.obj -MD -MP -MF $(DEPDIR)/set_critical.Tpo -c -o set_critical.obj `if test -f 'hooks/set_critical.c'; then $(CYGPATH_W) 'hooks/set_critical.c'; else $(CYGPATH_W) '$(srcdir)/hooks/set_critical.c'; fi`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/set_critical.Tpo $(DEPDIR)/set_critical.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='hooks/set_critical.c' object='set_critical.obj' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT set_critical.obj -MD -MP -MF $(DEPDIR)/set_critical.Tpo -c -o set_critical.obj `if test -f 'hooks/set_critical.c'; then $(CYGPATH_W) 'hooks/set_critical.c'; else $(CYGPATH_W) '$(srcdir)/hooks/set_critical.c'; fi`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/set_critical.Tpo $(DEPDIR)/set_critical.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='hooks/set_critical.c' object='set_critical.obj' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o set_critical.obj `if test -f 'hooks/set_critical.c'; then $(CYGPATH_W) 'hooks/set_critical.c'; else $(CYGPATH_W) '$(srcdir)/hooks/set_critical.c'; fi`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o set_critical.obj `if test -f 'hooks/set_critical.c'; then $(CYGPATH_W) 'hooks/set_critical.c'; else $(CYGPATH_W) '$(srcdir)/hooks/set_critical.c'; fi`
 
 force_cookie.o: hooks/force_cookie.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT force_cookie.o -MD -MP -MF $(DEPDIR)/force_cookie.Tpo -c -o force_cookie.o `test -f 'hooks/force_cookie.c' || echo '$(srcdir)/'`hooks/force_cookie.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/force_cookie.Tpo $(DEPDIR)/force_cookie.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='hooks/force_cookie.c' object='force_cookie.o' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT force_cookie.o -MD -MP -MF $(DEPDIR)/force_cookie.Tpo -c -o force_cookie.o `test -f 'hooks/force_cookie.c' || echo '$(srcdir)/'`hooks/force_cookie.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/force_cookie.Tpo $(DEPDIR)/force_cookie.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='hooks/force_cookie.c' object='force_cookie.o' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o force_cookie.o `test -f 'hooks/force_cookie.c' || echo '$(srcdir)/'`hooks/force_cookie.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o force_cookie.o `test -f 'hooks/force_cookie.c' || echo '$(srcdir)/'`hooks/force_cookie.c
 
 force_cookie.obj: hooks/force_cookie.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT force_cookie.obj -MD -MP -MF $(DEPDIR)/force_cookie.Tpo -c -o force_cookie.obj `if test -f 'hooks/force_cookie.c'; then $(CYGPATH_W) 'hooks/force_cookie.c'; else $(CYGPATH_W) '$(srcdir)/hooks/force_cookie.c'; fi`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/force_cookie.Tpo $(DEPDIR)/force_cookie.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='hooks/force_cookie.c' object='force_cookie.obj' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT force_cookie.obj -MD -MP -MF $(DEPDIR)/force_cookie.Tpo -c -o force_cookie.obj `if test -f 'hooks/force_cookie.c'; then $(CYGPATH_W) 'hooks/force_cookie.c'; else $(CYGPATH_W) '$(srcdir)/hooks/force_cookie.c'; fi`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/force_cookie.Tpo $(DEPDIR)/force_cookie.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='hooks/force_cookie.c' object='force_cookie.obj' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o force_cookie.obj `if test -f 'hooks/force_cookie.c'; then $(CYGPATH_W) 'hooks/force_cookie.c'; else $(CYGPATH_W) '$(srcdir)/hooks/force_cookie.c'; fi`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o force_cookie.obj `if test -f 'hooks/force_cookie.c'; then $(CYGPATH_W) 'hooks/force_cookie.c'; else $(CYGPATH_W) '$(srcdir)/hooks/force_cookie.c'; fi`
 
 set_ike_version.o: hooks/set_ike_version.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT set_ike_version.o -MD -MP -MF $(DEPDIR)/set_ike_version.Tpo -c -o set_ike_version.o `test -f 'hooks/set_ike_version.c' || echo '$(srcdir)/'`hooks/set_ike_version.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/set_ike_version.Tpo $(DEPDIR)/set_ike_version.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='hooks/set_ike_version.c' object='set_ike_version.o' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT set_ike_version.o -MD -MP -MF $(DEPDIR)/set_ike_version.Tpo -c -o set_ike_version.o `test -f 'hooks/set_ike_version.c' || echo '$(srcdir)/'`hooks/set_ike_version.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/set_ike_version.Tpo $(DEPDIR)/set_ike_version.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='hooks/set_ike_version.c' object='set_ike_version.o' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o set_ike_version.o `test -f 'hooks/set_ike_version.c' || echo '$(srcdir)/'`hooks/set_ike_version.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o set_ike_version.o `test -f 'hooks/set_ike_version.c' || echo '$(srcdir)/'`hooks/set_ike_version.c
 
 set_ike_version.obj: hooks/set_ike_version.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT set_ike_version.obj -MD -MP -MF $(DEPDIR)/set_ike_version.Tpo -c -o set_ike_version.obj `if test -f 'hooks/set_ike_version.c'; then $(CYGPATH_W) 'hooks/set_ike_version.c'; else $(CYGPATH_W) '$(srcdir)/hooks/set_ike_version.c'; fi`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/set_ike_version.Tpo $(DEPDIR)/set_ike_version.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='hooks/set_ike_version.c' object='set_ike_version.obj' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT set_ike_version.obj -MD -MP -MF $(DEPDIR)/set_ike_version.Tpo -c -o set_ike_version.obj `if test -f 'hooks/set_ike_version.c'; then $(CYGPATH_W) 'hooks/set_ike_version.c'; else $(CYGPATH_W) '$(srcdir)/hooks/set_ike_version.c'; fi`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/set_ike_version.Tpo $(DEPDIR)/set_ike_version.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='hooks/set_ike_version.c' object='set_ike_version.obj' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o set_ike_version.obj `if test -f 'hooks/set_ike_version.c'; then $(CYGPATH_W) 'hooks/set_ike_version.c'; else $(CYGPATH_W) '$(srcdir)/hooks/set_ike_version.c'; fi`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o set_ike_version.obj `if test -f 'hooks/set_ike_version.c'; then $(CYGPATH_W) 'hooks/set_ike_version.c'; else $(CYGPATH_W) '$(srcdir)/hooks/set_ike_version.c'; fi`
 
 pretend_auth.o: hooks/pretend_auth.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT pretend_auth.o -MD -MP -MF $(DEPDIR)/pretend_auth.Tpo -c -o pretend_auth.o `test -f 'hooks/pretend_auth.c' || echo '$(srcdir)/'`hooks/pretend_auth.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/pretend_auth.Tpo $(DEPDIR)/pretend_auth.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='hooks/pretend_auth.c' object='pretend_auth.o' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT pretend_auth.o -MD -MP -MF $(DEPDIR)/pretend_auth.Tpo -c -o pretend_auth.o `test -f 'hooks/pretend_auth.c' || echo '$(srcdir)/'`hooks/pretend_auth.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/pretend_auth.Tpo $(DEPDIR)/pretend_auth.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='hooks/pretend_auth.c' object='pretend_auth.o' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o pretend_auth.o `test -f 'hooks/pretend_auth.c' || echo '$(srcdir)/'`hooks/pretend_auth.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o pretend_auth.o `test -f 'hooks/pretend_auth.c' || echo '$(srcdir)/'`hooks/pretend_auth.c
 
 pretend_auth.obj: hooks/pretend_auth.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT pretend_auth.obj -MD -MP -MF $(DEPDIR)/pretend_auth.Tpo -c -o pretend_auth.obj `if test -f 'hooks/pretend_auth.c'; then $(CYGPATH_W) 'hooks/pretend_auth.c'; else $(CYGPATH_W) '$(srcdir)/hooks/pretend_auth.c'; fi`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/pretend_auth.Tpo $(DEPDIR)/pretend_auth.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='hooks/pretend_auth.c' object='pretend_auth.obj' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT pretend_auth.obj -MD -MP -MF $(DEPDIR)/pretend_auth.Tpo -c -o pretend_auth.obj `if test -f 'hooks/pretend_auth.c'; then $(CYGPATH_W) 'hooks/pretend_auth.c'; else $(CYGPATH_W) '$(srcdir)/hooks/pretend_auth.c'; fi`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/pretend_auth.Tpo $(DEPDIR)/pretend_auth.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='hooks/pretend_auth.c' object='pretend_auth.obj' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o pretend_auth.obj `if test -f 'hooks/pretend_auth.c'; then $(CYGPATH_W) 'hooks/pretend_auth.c'; else $(CYGPATH_W) '$(srcdir)/hooks/pretend_auth.c'; fi`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o pretend_auth.obj `if test -f 'hooks/pretend_auth.c'; then $(CYGPATH_W) 'hooks/pretend_auth.c'; else $(CYGPATH_W) '$(srcdir)/hooks/pretend_auth.c'; fi`
 
 set_length.o: hooks/set_length.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT set_length.o -MD -MP -MF $(DEPDIR)/set_length.Tpo -c -o set_length.o `test -f 'hooks/set_length.c' || echo '$(srcdir)/'`hooks/set_length.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/set_length.Tpo $(DEPDIR)/set_length.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='hooks/set_length.c' object='set_length.o' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT set_length.o -MD -MP -MF $(DEPDIR)/set_length.Tpo -c -o set_length.o `test -f 'hooks/set_length.c' || echo '$(srcdir)/'`hooks/set_length.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/set_length.Tpo $(DEPDIR)/set_length.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='hooks/set_length.c' object='set_length.o' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o set_length.o `test -f 'hooks/set_length.c' || echo '$(srcdir)/'`hooks/set_length.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o set_length.o `test -f 'hooks/set_length.c' || echo '$(srcdir)/'`hooks/set_length.c
 
 set_length.obj: hooks/set_length.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT set_length.obj -MD -MP -MF $(DEPDIR)/set_length.Tpo -c -o set_length.obj `if test -f 'hooks/set_length.c'; then $(CYGPATH_W) 'hooks/set_length.c'; else $(CYGPATH_W) '$(srcdir)/hooks/set_length.c'; fi`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/set_length.Tpo $(DEPDIR)/set_length.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='hooks/set_length.c' object='set_length.obj' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT set_length.obj -MD -MP -MF $(DEPDIR)/set_length.Tpo -c -o set_length.obj `if test -f 'hooks/set_length.c'; then $(CYGPATH_W) 'hooks/set_length.c'; else $(CYGPATH_W) '$(srcdir)/hooks/set_length.c'; fi`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/set_length.Tpo $(DEPDIR)/set_length.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='hooks/set_length.c' object='set_length.obj' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o set_length.obj `if test -f 'hooks/set_length.c'; then $(CYGPATH_W) 'hooks/set_length.c'; else $(CYGPATH_W) '$(srcdir)/hooks/set_length.c'; fi`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o set_length.obj `if test -f 'hooks/set_length.c'; then $(CYGPATH_W) 'hooks/set_length.c'; else $(CYGPATH_W) '$(srcdir)/hooks/set_length.c'; fi`
 
 log_proposals.o: hooks/log_proposals.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT log_proposals.o -MD -MP -MF $(DEPDIR)/log_proposals.Tpo -c -o log_proposals.o `test -f 'hooks/log_proposals.c' || echo '$(srcdir)/'`hooks/log_proposals.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/log_proposals.Tpo $(DEPDIR)/log_proposals.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='hooks/log_proposals.c' object='log_proposals.o' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT log_proposals.o -MD -MP -MF $(DEPDIR)/log_proposals.Tpo -c -o log_proposals.o `test -f 'hooks/log_proposals.c' || echo '$(srcdir)/'`hooks/log_proposals.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/log_proposals.Tpo $(DEPDIR)/log_proposals.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='hooks/log_proposals.c' object='log_proposals.o' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o log_proposals.o `test -f 'hooks/log_proposals.c' || echo '$(srcdir)/'`hooks/log_proposals.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o log_proposals.o `test -f 'hooks/log_proposals.c' || echo '$(srcdir)/'`hooks/log_proposals.c
 
 log_proposals.obj: hooks/log_proposals.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT log_proposals.obj -MD -MP -MF $(DEPDIR)/log_proposals.Tpo -c -o log_proposals.obj `if test -f 'hooks/log_proposals.c'; then $(CYGPATH_W) 'hooks/log_proposals.c'; else $(CYGPATH_W) '$(srcdir)/hooks/log_proposals.c'; fi`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/log_proposals.Tpo $(DEPDIR)/log_proposals.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='hooks/log_proposals.c' object='log_proposals.obj' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT log_proposals.obj -MD -MP -MF $(DEPDIR)/log_proposals.Tpo -c -o log_proposals.obj `if test -f 'hooks/log_proposals.c'; then $(CYGPATH_W) 'hooks/log_proposals.c'; else $(CYGPATH_W) '$(srcdir)/hooks/log_proposals.c'; fi`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/log_proposals.Tpo $(DEPDIR)/log_proposals.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='hooks/log_proposals.c' object='log_proposals.obj' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o log_proposals.obj `if test -f 'hooks/log_proposals.c'; then $(CYGPATH_W) 'hooks/log_proposals.c'; else $(CYGPATH_W) '$(srcdir)/hooks/log_proposals.c'; fi`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o log_proposals.obj `if test -f 'hooks/log_proposals.c'; then $(CYGPATH_W) 'hooks/log_proposals.c'; else $(CYGPATH_W) '$(srcdir)/hooks/log_proposals.c'; fi`
 
 set_proposal_number.o: hooks/set_proposal_number.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT set_proposal_number.o -MD -MP -MF $(DEPDIR)/set_proposal_number.Tpo -c -o set_proposal_number.o `test -f 'hooks/set_proposal_number.c' || echo '$(srcdir)/'`hooks/set_proposal_number.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/set_proposal_number.Tpo $(DEPDIR)/set_proposal_number.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='hooks/set_proposal_number.c' object='set_proposal_number.o' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT set_proposal_number.o -MD -MP -MF $(DEPDIR)/set_proposal_number.Tpo -c -o set_proposal_number.o `test -f 'hooks/set_proposal_number.c' || echo '$(srcdir)/'`hooks/set_proposal_number.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/set_proposal_number.Tpo $(DEPDIR)/set_proposal_number.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='hooks/set_proposal_number.c' object='set_proposal_number.o' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o set_proposal_number.o `test -f 'hooks/set_proposal_number.c' || echo '$(srcdir)/'`hooks/set_proposal_number.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o set_proposal_number.o `test -f 'hooks/set_proposal_number.c' || echo '$(srcdir)/'`hooks/set_proposal_number.c
 
 set_proposal_number.obj: hooks/set_proposal_number.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT set_proposal_number.obj -MD -MP -MF $(DEPDIR)/set_proposal_number.Tpo -c -o set_proposal_number.obj `if test -f 'hooks/set_proposal_number.c'; then $(CYGPATH_W) 'hooks/set_proposal_number.c'; else $(CYGPATH_W) '$(srcdir)/hooks/set_proposal_number.c'; fi`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/set_proposal_number.Tpo $(DEPDIR)/set_proposal_number.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='hooks/set_proposal_number.c' object='set_proposal_number.obj' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT set_proposal_number.obj -MD -MP -MF $(DEPDIR)/set_proposal_number.Tpo -c -o set_proposal_number.obj `if test -f 'hooks/set_proposal_number.c'; then $(CYGPATH_W) 'hooks/set_proposal_number.c'; else $(CYGPATH_W) '$(srcdir)/hooks/set_proposal_number.c'; fi`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/set_proposal_number.Tpo $(DEPDIR)/set_proposal_number.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='hooks/set_proposal_number.c' object='set_proposal_number.obj' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o set_proposal_number.obj `if test -f 'hooks/set_proposal_number.c'; then $(CYGPATH_W) 'hooks/set_proposal_number.c'; else $(CYGPATH_W) '$(srcdir)/hooks/set_proposal_number.c'; fi`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o set_proposal_number.obj `if test -f 'hooks/set_proposal_number.c'; then $(CYGPATH_W) 'hooks/set_proposal_number.c'; else $(CYGPATH_W) '$(srcdir)/hooks/set_proposal_number.c'; fi`
 
 log_ke.o: hooks/log_ke.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT log_ke.o -MD -MP -MF $(DEPDIR)/log_ke.Tpo -c -o log_ke.o `test -f 'hooks/log_ke.c' || echo '$(srcdir)/'`hooks/log_ke.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/log_ke.Tpo $(DEPDIR)/log_ke.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='hooks/log_ke.c' object='log_ke.o' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT log_ke.o -MD -MP -MF $(DEPDIR)/log_ke.Tpo -c -o log_ke.o `test -f 'hooks/log_ke.c' || echo '$(srcdir)/'`hooks/log_ke.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/log_ke.Tpo $(DEPDIR)/log_ke.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='hooks/log_ke.c' object='log_ke.o' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o log_ke.o `test -f 'hooks/log_ke.c' || echo '$(srcdir)/'`hooks/log_ke.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o log_ke.o `test -f 'hooks/log_ke.c' || echo '$(srcdir)/'`hooks/log_ke.c
 
 log_ke.obj: hooks/log_ke.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT log_ke.obj -MD -MP -MF $(DEPDIR)/log_ke.Tpo -c -o log_ke.obj `if test -f 'hooks/log_ke.c'; then $(CYGPATH_W) 'hooks/log_ke.c'; else $(CYGPATH_W) '$(srcdir)/hooks/log_ke.c'; fi`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/log_ke.Tpo $(DEPDIR)/log_ke.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='hooks/log_ke.c' object='log_ke.obj' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT log_ke.obj -MD -MP -MF $(DEPDIR)/log_ke.Tpo -c -o log_ke.obj `if test -f 'hooks/log_ke.c'; then $(CYGPATH_W) 'hooks/log_ke.c'; else $(CYGPATH_W) '$(srcdir)/hooks/log_ke.c'; fi`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/log_ke.Tpo $(DEPDIR)/log_ke.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='hooks/log_ke.c' object='log_ke.obj' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o log_ke.obj `if test -f 'hooks/log_ke.c'; then $(CYGPATH_W) 'hooks/log_ke.c'; else $(CYGPATH_W) '$(srcdir)/hooks/log_ke.c'; fi`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o log_ke.obj `if test -f 'hooks/log_ke.c'; then $(CYGPATH_W) 'hooks/log_ke.c'; else $(CYGPATH_W) '$(srcdir)/hooks/log_ke.c'; fi`
 
 log_id.o: hooks/log_id.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT log_id.o -MD -MP -MF $(DEPDIR)/log_id.Tpo -c -o log_id.o `test -f 'hooks/log_id.c' || echo '$(srcdir)/'`hooks/log_id.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/log_id.Tpo $(DEPDIR)/log_id.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='hooks/log_id.c' object='log_id.o' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT log_id.o -MD -MP -MF $(DEPDIR)/log_id.Tpo -c -o log_id.o `test -f 'hooks/log_id.c' || echo '$(srcdir)/'`hooks/log_id.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/log_id.Tpo $(DEPDIR)/log_id.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='hooks/log_id.c' object='log_id.o' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o log_id.o `test -f 'hooks/log_id.c' || echo '$(srcdir)/'`hooks/log_id.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o log_id.o `test -f 'hooks/log_id.c' || echo '$(srcdir)/'`hooks/log_id.c
 
 log_id.obj: hooks/log_id.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT log_id.obj -MD -MP -MF $(DEPDIR)/log_id.Tpo -c -o log_id.obj `if test -f 'hooks/log_id.c'; then $(CYGPATH_W) 'hooks/log_id.c'; else $(CYGPATH_W) '$(srcdir)/hooks/log_id.c'; fi`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/log_id.Tpo $(DEPDIR)/log_id.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='hooks/log_id.c' object='log_id.obj' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT log_id.obj -MD -MP -MF $(DEPDIR)/log_id.Tpo -c -o log_id.obj `if test -f 'hooks/log_id.c'; then $(CYGPATH_W) 'hooks/log_id.c'; else $(CYGPATH_W) '$(srcdir)/hooks/log_id.c'; fi`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/log_id.Tpo $(DEPDIR)/log_id.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='hooks/log_id.c' object='log_id.obj' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o log_id.obj `if test -f 'hooks/log_id.c'; then $(CYGPATH_W) 'hooks/log_id.c'; else $(CYGPATH_W) '$(srcdir)/hooks/log_id.c'; fi`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o log_id.obj `if test -f 'hooks/log_id.c'; then $(CYGPATH_W) 'hooks/log_id.c'; else $(CYGPATH_W) '$(srcdir)/hooks/log_id.c'; fi`
 
 custom_proposal.o: hooks/custom_proposal.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT custom_proposal.o -MD -MP -MF $(DEPDIR)/custom_proposal.Tpo -c -o custom_proposal.o `test -f 'hooks/custom_proposal.c' || echo '$(srcdir)/'`hooks/custom_proposal.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/custom_proposal.Tpo $(DEPDIR)/custom_proposal.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='hooks/custom_proposal.c' object='custom_proposal.o' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT custom_proposal.o -MD -MP -MF $(DEPDIR)/custom_proposal.Tpo -c -o custom_proposal.o `test -f 'hooks/custom_proposal.c' || echo '$(srcdir)/'`hooks/custom_proposal.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/custom_proposal.Tpo $(DEPDIR)/custom_proposal.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='hooks/custom_proposal.c' object='custom_proposal.o' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o custom_proposal.o `test -f 'hooks/custom_proposal.c' || echo '$(srcdir)/'`hooks/custom_proposal.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o custom_proposal.o `test -f 'hooks/custom_proposal.c' || echo '$(srcdir)/'`hooks/custom_proposal.c
 
 custom_proposal.obj: hooks/custom_proposal.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT custom_proposal.obj -MD -MP -MF $(DEPDIR)/custom_proposal.Tpo -c -o custom_proposal.obj `if test -f 'hooks/custom_proposal.c'; then $(CYGPATH_W) 'hooks/custom_proposal.c'; else $(CYGPATH_W) '$(srcdir)/hooks/custom_proposal.c'; fi`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/custom_proposal.Tpo $(DEPDIR)/custom_proposal.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='hooks/custom_proposal.c' object='custom_proposal.obj' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT custom_proposal.obj -MD -MP -MF $(DEPDIR)/custom_proposal.Tpo -c -o custom_proposal.obj `if test -f 'hooks/custom_proposal.c'; then $(CYGPATH_W) 'hooks/custom_proposal.c'; else $(CYGPATH_W) '$(srcdir)/hooks/custom_proposal.c'; fi`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/custom_proposal.Tpo $(DEPDIR)/custom_proposal.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='hooks/custom_proposal.c' object='custom_proposal.obj' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o custom_proposal.obj `if test -f 'hooks/custom_proposal.c'; then $(CYGPATH_W) 'hooks/custom_proposal.c'; else $(CYGPATH_W) '$(srcdir)/hooks/custom_proposal.c'; fi`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o custom_proposal.obj `if test -f 'hooks/custom_proposal.c'; then $(CYGPATH_W) 'hooks/custom_proposal.c'; else $(CYGPATH_W) '$(srcdir)/hooks/custom_proposal.c'; fi`
 
 set_ike_spi.o: hooks/set_ike_spi.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT set_ike_spi.o -MD -MP -MF $(DEPDIR)/set_ike_spi.Tpo -c -o set_ike_spi.o `test -f 'hooks/set_ike_spi.c' || echo '$(srcdir)/'`hooks/set_ike_spi.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/set_ike_spi.Tpo $(DEPDIR)/set_ike_spi.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='hooks/set_ike_spi.c' object='set_ike_spi.o' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT set_ike_spi.o -MD -MP -MF $(DEPDIR)/set_ike_spi.Tpo -c -o set_ike_spi.o `test -f 'hooks/set_ike_spi.c' || echo '$(srcdir)/'`hooks/set_ike_spi.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/set_ike_spi.Tpo $(DEPDIR)/set_ike_spi.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='hooks/set_ike_spi.c' object='set_ike_spi.o' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o set_ike_spi.o `test -f 'hooks/set_ike_spi.c' || echo '$(srcdir)/'`hooks/set_ike_spi.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o set_ike_spi.o `test -f 'hooks/set_ike_spi.c' || echo '$(srcdir)/'`hooks/set_ike_spi.c
 
 set_ike_spi.obj: hooks/set_ike_spi.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT set_ike_spi.obj -MD -MP -MF $(DEPDIR)/set_ike_spi.Tpo -c -o set_ike_spi.obj `if test -f 'hooks/set_ike_spi.c'; then $(CYGPATH_W) 'hooks/set_ike_spi.c'; else $(CYGPATH_W) '$(srcdir)/hooks/set_ike_spi.c'; fi`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/set_ike_spi.Tpo $(DEPDIR)/set_ike_spi.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='hooks/set_ike_spi.c' object='set_ike_spi.obj' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT set_ike_spi.obj -MD -MP -MF $(DEPDIR)/set_ike_spi.Tpo -c -o set_ike_spi.obj `if test -f 'hooks/set_ike_spi.c'; then $(CYGPATH_W) 'hooks/set_ike_spi.c'; else $(CYGPATH_W) '$(srcdir)/hooks/set_ike_spi.c'; fi`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/set_ike_spi.Tpo $(DEPDIR)/set_ike_spi.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='hooks/set_ike_spi.c' object='set_ike_spi.obj' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o set_ike_spi.obj `if test -f 'hooks/set_ike_spi.c'; then $(CYGPATH_W) 'hooks/set_ike_spi.c'; else $(CYGPATH_W) '$(srcdir)/hooks/set_ike_spi.c'; fi`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o set_ike_spi.obj `if test -f 'hooks/set_ike_spi.c'; then $(CYGPATH_W) 'hooks/set_ike_spi.c'; else $(CYGPATH_W) '$(srcdir)/hooks/set_ike_spi.c'; fi`
 
 set_ike_request.o: hooks/set_ike_request.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT set_ike_request.o -MD -MP -MF $(DEPDIR)/set_ike_request.Tpo -c -o set_ike_request.o `test -f 'hooks/set_ike_request.c' || echo '$(srcdir)/'`hooks/set_ike_request.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/set_ike_request.Tpo $(DEPDIR)/set_ike_request.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='hooks/set_ike_request.c' object='set_ike_request.o' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT set_ike_request.o -MD -MP -MF $(DEPDIR)/set_ike_request.Tpo -c -o set_ike_request.o `test -f 'hooks/set_ike_request.c' || echo '$(srcdir)/'`hooks/set_ike_request.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/set_ike_request.Tpo $(DEPDIR)/set_ike_request.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='hooks/set_ike_request.c' object='set_ike_request.o' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o set_ike_request.o `test -f 'hooks/set_ike_request.c' || echo '$(srcdir)/'`hooks/set_ike_request.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o set_ike_request.o `test -f 'hooks/set_ike_request.c' || echo '$(srcdir)/'`hooks/set_ike_request.c
 
 set_ike_request.obj: hooks/set_ike_request.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT set_ike_request.obj -MD -MP -MF $(DEPDIR)/set_ike_request.Tpo -c -o set_ike_request.obj `if test -f 'hooks/set_ike_request.c'; then $(CYGPATH_W) 'hooks/set_ike_request.c'; else $(CYGPATH_W) '$(srcdir)/hooks/set_ike_request.c'; fi`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/set_ike_request.Tpo $(DEPDIR)/set_ike_request.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='hooks/set_ike_request.c' object='set_ike_request.obj' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT set_ike_request.obj -MD -MP -MF $(DEPDIR)/set_ike_request.Tpo -c -o set_ike_request.obj `if test -f 'hooks/set_ike_request.c'; then $(CYGPATH_W) 'hooks/set_ike_request.c'; else $(CYGPATH_W) '$(srcdir)/hooks/set_ike_request.c'; fi`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/set_ike_request.Tpo $(DEPDIR)/set_ike_request.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='hooks/set_ike_request.c' object='set_ike_request.obj' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o set_ike_request.obj `if test -f 'hooks/set_ike_request.c'; then $(CYGPATH_W) 'hooks/set_ike_request.c'; else $(CYGPATH_W) '$(srcdir)/hooks/set_ike_request.c'; fi`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o set_ike_request.obj `if test -f 'hooks/set_ike_request.c'; then $(CYGPATH_W) 'hooks/set_ike_request.c'; else $(CYGPATH_W) '$(srcdir)/hooks/set_ike_request.c'; fi`
 
 set_reserved.o: hooks/set_reserved.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT set_reserved.o -MD -MP -MF $(DEPDIR)/set_reserved.Tpo -c -o set_reserved.o `test -f 'hooks/set_reserved.c' || echo '$(srcdir)/'`hooks/set_reserved.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/set_reserved.Tpo $(DEPDIR)/set_reserved.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='hooks/set_reserved.c' object='set_reserved.o' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT set_reserved.o -MD -MP -MF $(DEPDIR)/set_reserved.Tpo -c -o set_reserved.o `test -f 'hooks/set_reserved.c' || echo '$(srcdir)/'`hooks/set_reserved.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/set_reserved.Tpo $(DEPDIR)/set_reserved.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='hooks/set_reserved.c' object='set_reserved.o' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o set_reserved.o `test -f 'hooks/set_reserved.c' || echo '$(srcdir)/'`hooks/set_reserved.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o set_reserved.o `test -f 'hooks/set_reserved.c' || echo '$(srcdir)/'`hooks/set_reserved.c
 
 set_reserved.obj: hooks/set_reserved.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT set_reserved.obj -MD -MP -MF $(DEPDIR)/set_reserved.Tpo -c -o set_reserved.obj `if test -f 'hooks/set_reserved.c'; then $(CYGPATH_W) 'hooks/set_reserved.c'; else $(CYGPATH_W) '$(srcdir)/hooks/set_reserved.c'; fi`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/set_reserved.Tpo $(DEPDIR)/set_reserved.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='hooks/set_reserved.c' object='set_reserved.obj' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT set_reserved.obj -MD -MP -MF $(DEPDIR)/set_reserved.Tpo -c -o set_reserved.obj `if test -f 'hooks/set_reserved.c'; then $(CYGPATH_W) 'hooks/set_reserved.c'; else $(CYGPATH_W) '$(srcdir)/hooks/set_reserved.c'; fi`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/set_reserved.Tpo $(DEPDIR)/set_reserved.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='hooks/set_reserved.c' object='set_reserved.obj' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o set_reserved.obj `if test -f 'hooks/set_reserved.c'; then $(CYGPATH_W) 'hooks/set_reserved.c'; else $(CYGPATH_W) '$(srcdir)/hooks/set_reserved.c'; fi`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o set_reserved.obj `if test -f 'hooks/set_reserved.c'; then $(CYGPATH_W) 'hooks/set_reserved.c'; else $(CYGPATH_W) '$(srcdir)/hooks/set_reserved.c'; fi`
 
 set_ike_initiator.o: hooks/set_ike_initiator.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT set_ike_initiator.o -MD -MP -MF $(DEPDIR)/set_ike_initiator.Tpo -c -o set_ike_initiator.o `test -f 'hooks/set_ike_initiator.c' || echo '$(srcdir)/'`hooks/set_ike_initiator.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/set_ike_initiator.Tpo $(DEPDIR)/set_ike_initiator.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='hooks/set_ike_initiator.c' object='set_ike_initiator.o' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT set_ike_initiator.o -MD -MP -MF $(DEPDIR)/set_ike_initiator.Tpo -c -o set_ike_initiator.o `test -f 'hooks/set_ike_initiator.c' || echo '$(srcdir)/'`hooks/set_ike_initiator.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/set_ike_initiator.Tpo $(DEPDIR)/set_ike_initiator.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='hooks/set_ike_initiator.c' object='set_ike_initiator.o' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o set_ike_initiator.o `test -f 'hooks/set_ike_initiator.c' || echo '$(srcdir)/'`hooks/set_ike_initiator.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o set_ike_initiator.o `test -f 'hooks/set_ike_initiator.c' || echo '$(srcdir)/'`hooks/set_ike_initiator.c
 
 set_ike_initiator.obj: hooks/set_ike_initiator.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT set_ike_initiator.obj -MD -MP -MF $(DEPDIR)/set_ike_initiator.Tpo -c -o set_ike_initiator.obj `if test -f 'hooks/set_ike_initiator.c'; then $(CYGPATH_W) 'hooks/set_ike_initiator.c'; else $(CYGPATH_W) '$(srcdir)/hooks/set_ike_initiator.c'; fi`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/set_ike_initiator.Tpo $(DEPDIR)/set_ike_initiator.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='hooks/set_ike_initiator.c' object='set_ike_initiator.obj' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT set_ike_initiator.obj -MD -MP -MF $(DEPDIR)/set_ike_initiator.Tpo -c -o set_ike_initiator.obj `if test -f 'hooks/set_ike_initiator.c'; then $(CYGPATH_W) 'hooks/set_ike_initiator.c'; else $(CYGPATH_W) '$(srcdir)/hooks/set_ike_initiator.c'; fi`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/set_ike_initiator.Tpo $(DEPDIR)/set_ike_initiator.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='hooks/set_ike_initiator.c' object='set_ike_initiator.obj' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o set_ike_initiator.obj `if test -f 'hooks/set_ike_initiator.c'; then $(CYGPATH_W) 'hooks/set_ike_initiator.c'; else $(CYGPATH_W) '$(srcdir)/hooks/set_ike_initiator.c'; fi`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o set_ike_initiator.obj `if test -f 'hooks/set_ike_initiator.c'; then $(CYGPATH_W) 'hooks/set_ike_initiator.c'; else $(CYGPATH_W) '$(srcdir)/hooks/set_ike_initiator.c'; fi`
 
 log_ts.o: hooks/log_ts.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT log_ts.o -MD -MP -MF $(DEPDIR)/log_ts.Tpo -c -o log_ts.o `test -f 'hooks/log_ts.c' || echo '$(srcdir)/'`hooks/log_ts.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/log_ts.Tpo $(DEPDIR)/log_ts.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='hooks/log_ts.c' object='log_ts.o' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT log_ts.o -MD -MP -MF $(DEPDIR)/log_ts.Tpo -c -o log_ts.o `test -f 'hooks/log_ts.c' || echo '$(srcdir)/'`hooks/log_ts.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/log_ts.Tpo $(DEPDIR)/log_ts.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='hooks/log_ts.c' object='log_ts.o' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o log_ts.o `test -f 'hooks/log_ts.c' || echo '$(srcdir)/'`hooks/log_ts.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o log_ts.o `test -f 'hooks/log_ts.c' || echo '$(srcdir)/'`hooks/log_ts.c
 
 log_ts.obj: hooks/log_ts.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT log_ts.obj -MD -MP -MF $(DEPDIR)/log_ts.Tpo -c -o log_ts.obj `if test -f 'hooks/log_ts.c'; then $(CYGPATH_W) 'hooks/log_ts.c'; else $(CYGPATH_W) '$(srcdir)/hooks/log_ts.c'; fi`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/log_ts.Tpo $(DEPDIR)/log_ts.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='hooks/log_ts.c' object='log_ts.obj' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT log_ts.obj -MD -MP -MF $(DEPDIR)/log_ts.Tpo -c -o log_ts.obj `if test -f 'hooks/log_ts.c'; then $(CYGPATH_W) 'hooks/log_ts.c'; else $(CYGPATH_W) '$(srcdir)/hooks/log_ts.c'; fi`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/log_ts.Tpo $(DEPDIR)/log_ts.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='hooks/log_ts.c' object='log_ts.obj' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o log_ts.obj `if test -f 'hooks/log_ts.c'; then $(CYGPATH_W) 'hooks/log_ts.c'; else $(CYGPATH_W) '$(srcdir)/hooks/log_ts.c'; fi`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o log_ts.obj `if test -f 'hooks/log_ts.c'; then $(CYGPATH_W) 'hooks/log_ts.c'; else $(CYGPATH_W) '$(srcdir)/hooks/log_ts.c'; fi`
 
 rebuild_auth.o: hooks/rebuild_auth.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT rebuild_auth.o -MD -MP -MF $(DEPDIR)/rebuild_auth.Tpo -c -o rebuild_auth.o `test -f 'hooks/rebuild_auth.c' || echo '$(srcdir)/'`hooks/rebuild_auth.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/rebuild_auth.Tpo $(DEPDIR)/rebuild_auth.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='hooks/rebuild_auth.c' object='rebuild_auth.o' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT rebuild_auth.o -MD -MP -MF $(DEPDIR)/rebuild_auth.Tpo -c -o rebuild_auth.o `test -f 'hooks/rebuild_auth.c' || echo '$(srcdir)/'`hooks/rebuild_auth.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/rebuild_auth.Tpo $(DEPDIR)/rebuild_auth.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='hooks/rebuild_auth.c' object='rebuild_auth.o' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o rebuild_auth.o `test -f 'hooks/rebuild_auth.c' || echo '$(srcdir)/'`hooks/rebuild_auth.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o rebuild_auth.o `test -f 'hooks/rebuild_auth.c' || echo '$(srcdir)/'`hooks/rebuild_auth.c
 
 rebuild_auth.obj: hooks/rebuild_auth.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT rebuild_auth.obj -MD -MP -MF $(DEPDIR)/rebuild_auth.Tpo -c -o rebuild_auth.obj `if test -f 'hooks/rebuild_auth.c'; then $(CYGPATH_W) 'hooks/rebuild_auth.c'; else $(CYGPATH_W) '$(srcdir)/hooks/rebuild_auth.c'; fi`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/rebuild_auth.Tpo $(DEPDIR)/rebuild_auth.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='hooks/rebuild_auth.c' object='rebuild_auth.obj' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT rebuild_auth.obj -MD -MP -MF $(DEPDIR)/rebuild_auth.Tpo -c -o rebuild_auth.obj `if test -f 'hooks/rebuild_auth.c'; then $(CYGPATH_W) 'hooks/rebuild_auth.c'; else $(CYGPATH_W) '$(srcdir)/hooks/rebuild_auth.c'; fi`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/rebuild_auth.Tpo $(DEPDIR)/rebuild_auth.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='hooks/rebuild_auth.c' object='rebuild_auth.obj' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o rebuild_auth.obj `if test -f 'hooks/rebuild_auth.c'; then $(CYGPATH_W) 'hooks/rebuild_auth.c'; else $(CYGPATH_W) '$(srcdir)/hooks/rebuild_auth.c'; fi`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o rebuild_auth.obj `if test -f 'hooks/rebuild_auth.c'; then $(CYGPATH_W) 'hooks/rebuild_auth.c'; else $(CYGPATH_W) '$(srcdir)/hooks/rebuild_auth.c'; fi`
 
 reset_seq.o: hooks/reset_seq.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT reset_seq.o -MD -MP -MF $(DEPDIR)/reset_seq.Tpo -c -o reset_seq.o `test -f 'hooks/reset_seq.c' || echo '$(srcdir)/'`hooks/reset_seq.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/reset_seq.Tpo $(DEPDIR)/reset_seq.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='hooks/reset_seq.c' object='reset_seq.o' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT reset_seq.o -MD -MP -MF $(DEPDIR)/reset_seq.Tpo -c -o reset_seq.o `test -f 'hooks/reset_seq.c' || echo '$(srcdir)/'`hooks/reset_seq.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/reset_seq.Tpo $(DEPDIR)/reset_seq.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='hooks/reset_seq.c' object='reset_seq.o' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o reset_seq.o `test -f 'hooks/reset_seq.c' || echo '$(srcdir)/'`hooks/reset_seq.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o reset_seq.o `test -f 'hooks/reset_seq.c' || echo '$(srcdir)/'`hooks/reset_seq.c
 
 reset_seq.obj: hooks/reset_seq.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT reset_seq.obj -MD -MP -MF $(DEPDIR)/reset_seq.Tpo -c -o reset_seq.obj `if test -f 'hooks/reset_seq.c'; then $(CYGPATH_W) 'hooks/reset_seq.c'; else $(CYGPATH_W) '$(srcdir)/hooks/reset_seq.c'; fi`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/reset_seq.Tpo $(DEPDIR)/reset_seq.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='hooks/reset_seq.c' object='reset_seq.obj' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT reset_seq.obj -MD -MP -MF $(DEPDIR)/reset_seq.Tpo -c -o reset_seq.obj `if test -f 'hooks/reset_seq.c'; then $(CYGPATH_W) 'hooks/reset_seq.c'; else $(CYGPATH_W) '$(srcdir)/hooks/reset_seq.c'; fi`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/reset_seq.Tpo $(DEPDIR)/reset_seq.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='hooks/reset_seq.c' object='reset_seq.obj' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o reset_seq.obj `if test -f 'hooks/reset_seq.c'; then $(CYGPATH_W) 'hooks/reset_seq.c'; else $(CYGPATH_W) '$(srcdir)/hooks/reset_seq.c'; fi`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o reset_seq.obj `if test -f 'hooks/reset_seq.c'; then $(CYGPATH_W) 'hooks/reset_seq.c'; else $(CYGPATH_W) '$(srcdir)/hooks/reset_seq.c'; fi`
 
 mostlyclean-libtool:
 	-rm -f *.lo
diff --git a/src/conftest/conftest.c b/src/conftest/conftest.c
index c2251effa..8d2060c66 100644
--- a/src/conftest/conftest.c
+++ b/src/conftest/conftest.c
@@ -509,7 +509,7 @@ int main(int argc, char *argv[])
 	}
 	load_loggers(logger);
 
-	if (!lib->plugins->load(lib->plugins, NULL,
+	if (!lib->plugins->load(lib->plugins,
 			conftest->test->get_str(conftest->test, "preload", "")))
 	{
 		return 1;
@@ -518,6 +518,8 @@ int main(int argc, char *argv[])
 	{
 		return 1;
 	}
+	lib->plugins->status(lib->plugins, LEVEL_CTRL);
+
 	if (!load_certs(conftest->test, conftest->suite_dir))
 	{
 		return 1;
diff --git a/src/dumm/Makefile.am b/src/dumm/Makefile.am
index 3e4625ec8..1c6a68f58 100644
--- a/src/dumm/Makefile.am
+++ b/src/dumm/Makefile.am
@@ -13,9 +13,13 @@ libdumm_la_LIBADD = -lbridge -lfuse -lutil $(top_builddir)/src/libstrongswan/lib
 dumm_LDADD = libdumm.la ${gtk_LIBS} $(top_builddir)/src/libstrongswan/libstrongswan.la
 irdumm_LDADD = libdumm.la ${RUBYLIB} $(top_builddir)/src/libstrongswan/libstrongswan.la
 
-INCLUDES = -I$(top_srcdir)/src/libstrongswan ${gtk_CFLAGS} \
-  ${RUBYINCLUDE}
-AM_CFLAGS = -D_FILE_OFFSET_BITS=64
+AM_CPPFLAGS = \
+	-D_FILE_OFFSET_BITS=64 \
+	-I$(top_srcdir)/src/libstrongswan \
+	${RUBYINCLUDE}
+
+AM_CFLAGS = \
+	${gtk_CFLAGS}
 
 all-local: ext
 
diff --git a/src/dumm/Makefile.in b/src/dumm/Makefile.in
index 86b0822a7..6467dc439 100644
--- a/src/dumm/Makefile.in
+++ b/src/dumm/Makefile.in
@@ -64,7 +64,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
@@ -105,6 +105,9 @@ libdumm_la_DEPENDENCIES =  \
 am_libdumm_la_OBJECTS = dumm.lo guest.lo iface.lo bridge.lo \
 	mconsole.lo cowfs.lo
 libdumm_la_OBJECTS = $(am_libdumm_la_OBJECTS)
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
 PROGRAMS = $(ipsec_PROGRAMS)
 am_dumm_OBJECTS = main.$(OBJEXT)
 dumm_OBJECTS = $(am_dumm_OBJECTS)
@@ -121,13 +124,26 @@ am__depfiles_maybe = depfiles
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
 SOURCES = $(libdumm_la_SOURCES) $(dumm_SOURCES) $(irdumm_SOURCES)
 DIST_SOURCES = $(libdumm_la_SOURCES) $(dumm_SOURCES) $(irdumm_SOURCES)
 am__can_run_installinfo = \
@@ -141,6 +157,7 @@ DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
@@ -153,6 +170,8 @@ CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
 CHECK_CFLAGS = @CHECK_CFLAGS@
 CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -168,6 +187,7 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
 GPRBUILD = @GPRBUILD@
 GREP = @GREP@
@@ -176,6 +196,7 @@ INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -222,6 +243,7 @@ SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -250,6 +272,7 @@ charon_natt_port = @charon_natt_port@
 charon_plugins = @charon_plugins@
 charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
@@ -339,10 +362,14 @@ irdumm_SOURCES = irdumm.c
 libdumm_la_LIBADD = -lbridge -lfuse -lutil $(top_builddir)/src/libstrongswan/libstrongswan.la
 dumm_LDADD = libdumm.la ${gtk_LIBS} $(top_builddir)/src/libstrongswan/libstrongswan.la
 irdumm_LDADD = libdumm.la ${RUBYLIB} $(top_builddir)/src/libstrongswan/libstrongswan.la
-INCLUDES = -I$(top_srcdir)/src/libstrongswan ${gtk_CFLAGS} \
-  ${RUBYINCLUDE}
+AM_CPPFLAGS = \
+	-D_FILE_OFFSET_BITS=64 \
+	-I$(top_srcdir)/src/libstrongswan \
+	${RUBYINCLUDE}
+
+AM_CFLAGS = \
+	${gtk_CFLAGS}
 
-AM_CFLAGS = -D_FILE_OFFSET_BITS=64
 all: all-am
 
 .SUFFIXES:
@@ -410,7 +437,7 @@ clean-ipseclibLTLIBRARIES:
 	  rm -f "$${dir}/so_locations"; \
 	done
 libdumm.la: $(libdumm_la_OBJECTS) $(libdumm_la_DEPENDENCIES) $(EXTRA_libdumm_la_DEPENDENCIES) 
-	$(LINK) -rpath $(ipseclibdir) $(libdumm_la_OBJECTS) $(libdumm_la_LIBADD) $(LIBS)
+	$(AM_V_CCLD)$(LINK) -rpath $(ipseclibdir) $(libdumm_la_OBJECTS) $(libdumm_la_LIBADD) $(LIBS)
 install-ipsecPROGRAMS: $(ipsec_PROGRAMS)
 	@$(NORMAL_INSTALL)
 	@list='$(ipsec_PROGRAMS)'; test -n "$(ipsecdir)" || list=; \
@@ -459,10 +486,10 @@ clean-ipsecPROGRAMS:
 	rm -f $$list
 dumm$(EXEEXT): $(dumm_OBJECTS) $(dumm_DEPENDENCIES) $(EXTRA_dumm_DEPENDENCIES) 
 	@rm -f dumm$(EXEEXT)
-	$(LINK) $(dumm_OBJECTS) $(dumm_LDADD) $(LIBS)
+	$(AM_V_CCLD)$(LINK) $(dumm_OBJECTS) $(dumm_LDADD) $(LIBS)
 irdumm$(EXEEXT): $(irdumm_OBJECTS) $(irdumm_DEPENDENCIES) $(EXTRA_irdumm_DEPENDENCIES) 
 	@rm -f irdumm$(EXEEXT)
-	$(LINK) $(irdumm_OBJECTS) $(irdumm_LDADD) $(LIBS)
+	$(AM_V_CCLD)$(LINK) $(irdumm_OBJECTS) $(irdumm_LDADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -480,25 +507,25 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/mconsole.Plo@am__quote@
 
 .c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
 mostlyclean-libtool:
 	-rm -f *.lo
diff --git a/src/dumm/bridge.c b/src/dumm/bridge.c
index d00e49b3e..c76b3acda 100644
--- a/src/dumm/bridge.c
+++ b/src/dumm/bridge.c
@@ -14,6 +14,7 @@
  */
 
 #include <sys/types.h>
+#include <netinet/in.h>
 #include <libbridge.h>
 
 #include <utils/debug.h>
@@ -178,4 +179,3 @@ bridge_t *bridge_create(char *name)
 	instances++;
 	return &this->public;
 }
-
diff --git a/src/dumm/ext/dumm.c b/src/dumm/ext/dumm.c
index 603fac088..5acda3a9c 100644
--- a/src/dumm/ext/dumm.c
+++ b/src/dumm/ext/dumm.c
@@ -740,6 +740,7 @@ static VALUE template_each(int argc, VALUE *argv, VALUE class)
 static void template_init()
 {
 	rbc_template = rb_define_class_under(rbm_dumm , "Template", rb_cObject);
+	rb_include_module(rb_class_of(rbc_template), rb_mEnumerable);
 
 	rb_define_singleton_method(rbc_template, "load", template_load, 1);
 	rb_define_singleton_method(rbc_template, "unload", template_unload, 0);
diff --git a/src/dumm/ext/lib/dumm.rb b/src/dumm/ext/lib/dumm.rb
index bb60aad8f..959ec87df 100644
--- a/src/dumm/ext/lib/dumm.rb
+++ b/src/dumm/ext/lib/dumm.rb
@@ -34,8 +34,9 @@ module Dumm
     if name
       Template.load name
     else
-      Template.each {|t| puts t }
+      Template.sort.each {|t| puts t }
     end
+    return Dumm
   end
   
   # unload template/overlays, reset all guests and delete bridges
diff --git a/src/include/Makefile.in b/src/include/Makefile.in
index b52639bb8..18af82a9f 100644
--- a/src/include/Makefile.in
+++ b/src/include/Makefile.in
@@ -61,13 +61,19 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
 CONFIG_HEADER = $(top_builddir)/config.h
 CONFIG_CLEAN_FILES =
 CONFIG_CLEAN_VPATH_FILES =
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 SOURCES =
 DIST_SOURCES =
 am__can_run_installinfo = \
@@ -79,6 +85,7 @@ DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
@@ -91,6 +98,8 @@ CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
 CHECK_CFLAGS = @CHECK_CFLAGS@
 CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -106,6 +115,7 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
 GPRBUILD = @GPRBUILD@
 GREP = @GREP@
@@ -114,6 +124,7 @@ INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -160,6 +171,7 @@ SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -188,6 +200,7 @@ charon_natt_port = @charon_natt_port@
 charon_plugins = @charon_plugins@
 charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
diff --git a/src/ipsec/Makefile.am b/src/ipsec/Makefile.am
index 8be28eff8..73427c0fa 100644
--- a/src/ipsec/Makefile.am
+++ b/src/ipsec/Makefile.am
@@ -4,6 +4,7 @@ dist_man8_MANS = _ipsec.8
 EXTRA_DIST = _ipsec.in _ipsec.8.in Android.mk
 
 _ipsec.8 : _ipsec.8.in
+	$(AM_V_GEN) \
 	sed \
 	-e "s:@IPSEC_VERSION@:$(PACKAGE_VERSION):" \
 	-e "s:@IPSEC_SCRIPT@:$(ipsec_script):g" \
@@ -11,6 +12,7 @@ _ipsec.8 : _ipsec.8.in
 	$(srcdir)/$@.in > $@
 
 _ipsec : _ipsec.in
+	$(AM_V_GEN) \
 	sed \
 	-e "s:@IPSEC_SHELL@:/bin/sh:" \
 	-e "s:@IPSEC_VERSION@:$(PACKAGE_VERSION):" \
diff --git a/src/ipsec/Makefile.in b/src/ipsec/Makefile.in
index fe65cc484..58072f20a 100644
--- a/src/ipsec/Makefile.in
+++ b/src/ipsec/Makefile.in
@@ -63,7 +63,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
@@ -99,6 +99,12 @@ am__uninstall_files_from_dir = { \
   }
 am__installdirs = "$(DESTDIR)$(sbindir)" "$(DESTDIR)$(man8dir)"
 SCRIPTS = $(sbin_SCRIPTS)
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 SOURCES =
 DIST_SOURCES =
 am__can_run_installinfo = \
@@ -113,6 +119,7 @@ DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
@@ -125,6 +132,8 @@ CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
 CHECK_CFLAGS = @CHECK_CFLAGS@
 CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -140,6 +149,7 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
 GPRBUILD = @GPRBUILD@
 GREP = @GREP@
@@ -148,6 +158,7 @@ INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -194,6 +205,7 @@ SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -222,6 +234,7 @@ charon_natt_port = @charon_natt_port@
 charon_plugins = @charon_plugins@
 charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
@@ -596,6 +609,7 @@ uninstall-man: uninstall-man8
 
 
 _ipsec.8 : _ipsec.8.in
+	$(AM_V_GEN) \
 	sed \
 	-e "s:@IPSEC_VERSION@:$(PACKAGE_VERSION):" \
 	-e "s:@IPSEC_SCRIPT@:$(ipsec_script):g" \
@@ -603,6 +617,7 @@ _ipsec.8 : _ipsec.8.in
 	$(srcdir)/$@.in > $@
 
 _ipsec : _ipsec.in
+	$(AM_V_GEN) \
 	sed \
 	-e "s:@IPSEC_SHELL@:/bin/sh:" \
 	-e "s:@IPSEC_VERSION@:$(PACKAGE_VERSION):" \
diff --git a/src/ipsec/_ipsec.8 b/src/ipsec/_ipsec.8
index 0dbaf937b..02aeaace3 100644
--- a/src/ipsec/_ipsec.8
+++ b/src/ipsec/_ipsec.8
@@ -1,4 +1,4 @@
-.TH IPSEC 8 "2012-06-19" "5.0.4" "strongSwan"
+.TH IPSEC 8 "2013-07-22" "5.1.0" "strongSwan"
 .SH NAME
 ipsec \- invoke IPsec utilities
 .SH SYNOPSIS
@@ -259,6 +259,10 @@ returns the \fILIBEXECDIR\fP directory as defined by the configure options.
 .TP
 .B "\-\-confdir"
 returns the \fISYSCONFDIR\fP directory as defined by the configure options.
+.PP
+.TP
+.B "\-\-piddir"
+returns the \fIPIDDIR\fP directory as defined by the configure options.
 .SH FILES
 /usr/local/lib/ipsec	usual utilities directory
 .SH ENVIRONMENT
@@ -274,7 +278,7 @@ command sets them if they are not already set.
 IPSEC_DIR               directory containing ipsec programs and utilities
 IPSEC_SBINDIR           directory containing \fBipsec\fP command
 IPSEC_CONFDIR           directory containing configuration files
-IPSEC_PIDDIR            directory containing PID files
+IPSEC_PIDDIR            directory containing PID/socket files
 IPSEC_SCRIPT            name of the ipsec script
 IPSEC_NAME              name of ipsec distribution
 IPSEC_VERSION           version numer of ipsec userland and kernel
diff --git a/src/ipsec/_ipsec.8.in b/src/ipsec/_ipsec.8.in
index a190fa568..4cbc89686 100644
--- a/src/ipsec/_ipsec.8.in
+++ b/src/ipsec/_ipsec.8.in
@@ -1,4 +1,4 @@
-.TH @IPSEC_SCRIPT_UPPER@ 8 "2012-06-19" "@IPSEC_VERSION@" "strongSwan"
+.TH @IPSEC_SCRIPT_UPPER@ 8 "2013-07-22" "@IPSEC_VERSION@" "strongSwan"
 .SH NAME
 @IPSEC_SCRIPT@ \- invoke IPsec utilities
 .SH SYNOPSIS
@@ -259,6 +259,10 @@ returns the \fILIBEXECDIR\fP directory as defined by the configure options.
 .TP
 .B "\-\-confdir"
 returns the \fISYSCONFDIR\fP directory as defined by the configure options.
+.PP
+.TP
+.B "\-\-piddir"
+returns the \fIPIDDIR\fP directory as defined by the configure options.
 .SH FILES
 /usr/local/lib/ipsec	usual utilities directory
 .SH ENVIRONMENT
@@ -274,7 +278,7 @@ command sets them if they are not already set.
 IPSEC_DIR               directory containing ipsec programs and utilities
 IPSEC_SBINDIR           directory containing \fBipsec\fP command
 IPSEC_CONFDIR           directory containing configuration files
-IPSEC_PIDDIR            directory containing PID files
+IPSEC_PIDDIR            directory containing PID/socket files
 IPSEC_SCRIPT            name of the ipsec script
 IPSEC_NAME              name of ipsec distribution
 IPSEC_VERSION           version numer of ipsec userland and kernel
diff --git a/src/ipsec/_ipsec.in b/src/ipsec/_ipsec.in
index 3742b12c7..03ddb744d 100644
--- a/src/ipsec/_ipsec.in
+++ b/src/ipsec/_ipsec.in
@@ -76,7 +76,7 @@ case "$1" in
 	echo "	version"
 	echo "	stroke"
 	echo
-	echo "Some of these functions have their own manual pages, e.g. ipsec_scepclient(8)."
+	echo "Some of these functions have their own manual pages, e.g. scepclient(8)."
 	exit 0
 	;;
 --versioncode)
@@ -91,6 +91,10 @@ case "$1" in
 	echo "$IPSEC_CONFDIR"
 	exit 0
 	;;
+--piddir)
+	echo "$IPSEC_PIDDIR"
+	exit 0
+	;;
 copyright|--copyright)
 	set _copyright
 	# and fall through, invoking "ipsec _copyright"
diff --git a/src/libcharon/Android.mk b/src/libcharon/Android.mk
index 66606f937..75cf74fa4 100644
--- a/src/libcharon/Android.mk
+++ b/src/libcharon/Android.mk
@@ -186,8 +186,11 @@ endif
 
 LOCAL_SRC_FILES += $(call add_plugin, eap-peap)
 
-# adding libtls if any of the three plugins above is enabled
-ifneq ($(or $(call plugin_enabled, eap-tls), $(call plugin_enabled, eap-ttls), $(call plugin_enabled, eap-peap)),)
+LOCAL_SRC_FILES += $(call add_plugin, eap-tnc)
+
+# adding libtls if any of the four plugins above is enabled
+ifneq ($(or $(call plugin_enabled, eap-tls), $(call plugin_enabled, eap-ttls), \
+			$(call plugin_enabled, eap-peap), $(call plugin_enabled, eap-tnc)),)
 LOCAL_C_INCLUDES += $(LOCAL_PATH)/../libtls/
 LOCAL_SRC_FILES += $(addprefix ../libtls/, \
 		tls_protection.c tls_compression.c tls_fragmentation.c tls_alert.c \
@@ -207,6 +210,32 @@ ifneq ($(call plugin_enabled, stroke),)
 LOCAL_C_INCLUDES += $(LOCAL_PATH)/../stroke/
 endif
 
+LOCAL_SRC_FILES += $(call add_plugin, tnc-imc)
+ifneq ($(call plugin_enabled, tnc-imc),)
+LOCAL_SHARED_LIBRARIES += libdl
+endif
+
+LOCAL_SRC_FILES += $(call add_plugin, tnc-tnccs)
+
+LOCAL_SRC_FILES += $(call add_plugin, tnccs-20)
+LOCAL_SRC_FILES += $(call add_plugin_subdirs, tnccs-20, batch messages state_machine)
+ifneq ($(call plugin_enabled, tnccs-20),)
+LOCAL_C_INCLUDES += $(LOCAL_PATH)/plugins/tnccs_20/
+# for tls.h
+LOCAL_C_INCLUDES += $(LOCAL_PATH)/../libtls/
+endif
+
+ifneq ($(or $(call plugin_enabled, eap-tnc), $(call plugin_enabled, tnc-imc), \
+			$(call plugin_enabled, tnc-tnccs), $(call plugin_enabled, tnccs-20)),)
+LOCAL_C_INCLUDES += $(LOCAL_PATH)/../libtnccs/
+LOCAL_SHARED_LIBRARIES += libtnccs
+endif
+
+ifneq ($(or $(call plugin_enabled, tnc-imc), $(call plugin_enabled, tnc-tnccs), \
+			$(call plugin_enabled, tnccs-20)),)
+LOCAL_C_INCLUDES += $(LOCAL_PATH)/../libtncif/
+LOCAL_SHARED_LIBRARIES += libtncif
+endif
 
 # build libcharon --------------------------------------------------------------
 
diff --git a/src/libcharon/Makefile.am b/src/libcharon/Makefile.am
index f0736c5ca..10d0b04cb 100644
--- a/src/libcharon/Makefile.am
+++ b/src/libcharon/Makefile.am
@@ -128,13 +128,11 @@ endif
 
 daemon.lo :		$(top_builddir)/config.status
 
-INCLUDES = \
+AM_CPPFLAGS = \
 	-I${linux_headers} \
 	-I$(top_srcdir)/src/libstrongswan \
 	-I$(top_srcdir)/src/libhydra \
-	-I$(top_srcdir)/src/libcharon
-
-AM_CFLAGS = \
+	-I$(top_srcdir)/src/libcharon \
 	-DIPSEC_DIR=\"${ipsecdir}\" \
 	-DIPSEC_PIDDIR=\"${piddir}\"
 
@@ -457,6 +455,13 @@ if MONOLITHIC
 endif
 endif
 
+if USE_OSX_ATTR
+  SUBDIRS += plugins/osx_attr
+if MONOLITHIC
+  libcharon_la_LIBADD += plugins/osx_attr/libstrongswan-osx-attr.la
+endif
+endif
+
 if USE_ANDROID_DNS
   SUBDIRS += plugins/android_dns
 if MONOLITHIC
@@ -485,6 +490,13 @@ if MONOLITHIC
 endif
 endif
 
+if USE_KERNEL_LIBIPSEC
+  SUBDIRS += plugins/kernel_libipsec
+if MONOLITHIC
+  libcharon_la_LIBADD += plugins/kernel_libipsec/libstrongswan-kernel-libipsec.la
+endif
+endif
+
 if USE_WHITELIST
   SUBDIRS += plugins/whitelist
 if MONOLITHIC
diff --git a/src/libcharon/Makefile.in b/src/libcharon/Makefile.in
index f55db9379..e224605ad 100644
--- a/src/libcharon/Makefile.in
+++ b/src/libcharon/Makefile.in
@@ -187,48 +187,52 @@ host_triplet = @host@
 @MONOLITHIC_TRUE@@USE_MEDCLI_TRUE@am__append_81 = plugins/medcli/libstrongswan-medcli.la
 @USE_DHCP_TRUE@am__append_82 = plugins/dhcp
 @MONOLITHIC_TRUE@@USE_DHCP_TRUE@am__append_83 = plugins/dhcp/libstrongswan-dhcp.la
-@USE_ANDROID_DNS_TRUE@am__append_84 = plugins/android_dns
-@MONOLITHIC_TRUE@@USE_ANDROID_DNS_TRUE@am__append_85 = plugins/android_dns/libstrongswan-android-dns.la
-@USE_ANDROID_LOG_TRUE@am__append_86 = plugins/android_log
-@MONOLITHIC_TRUE@@USE_ANDROID_LOG_TRUE@am__append_87 = plugins/android_log/libstrongswan-android-log.la
-@USE_MAEMO_TRUE@am__append_88 = plugins/maemo
-@MONOLITHIC_TRUE@@USE_MAEMO_TRUE@am__append_89 = plugins/maemo/libstrongswan-maemo.la
-@USE_HA_TRUE@am__append_90 = plugins/ha
-@MONOLITHIC_TRUE@@USE_HA_TRUE@am__append_91 = plugins/ha/libstrongswan-ha.la
-@USE_WHITELIST_TRUE@am__append_92 = plugins/whitelist
-@MONOLITHIC_TRUE@@USE_WHITELIST_TRUE@am__append_93 = plugins/whitelist/libstrongswan-whitelist.la
-@USE_LOOKIP_TRUE@am__append_94 = plugins/lookip
-@MONOLITHIC_TRUE@@USE_LOOKIP_TRUE@am__append_95 = plugins/lookip/libstrongswan-lookip.la
-@USE_ERROR_NOTIFY_TRUE@am__append_96 = plugins/error_notify
-@MONOLITHIC_TRUE@@USE_ERROR_NOTIFY_TRUE@am__append_97 = plugins/error_notify/libstrongswan-error-notify.la
-@USE_CERTEXPIRE_TRUE@am__append_98 = plugins/certexpire
-@MONOLITHIC_TRUE@@USE_CERTEXPIRE_TRUE@am__append_99 = plugins/certexpire/libstrongswan-certexpire.la
-@USE_SYSTIME_FIX_TRUE@am__append_100 = plugins/systime_fix
-@MONOLITHIC_TRUE@@USE_SYSTIME_FIX_TRUE@am__append_101 = plugins/systime_fix/libstrongswan-systime-fix.la
-@USE_LED_TRUE@am__append_102 = plugins/led
-@MONOLITHIC_TRUE@@USE_LED_TRUE@am__append_103 = plugins/led/libstrongswan-led.la
-@USE_DUPLICHECK_TRUE@am__append_104 = plugins/duplicheck
-@MONOLITHIC_TRUE@@USE_DUPLICHECK_TRUE@am__append_105 = plugins/duplicheck/libstrongswan-duplicheck.la
-@USE_COUPLING_TRUE@am__append_106 = plugins/coupling
-@MONOLITHIC_TRUE@@USE_COUPLING_TRUE@am__append_107 = plugins/coupling/libstrongswan-coupling.la
-@USE_RADATTR_TRUE@am__append_108 = plugins/radattr
-@MONOLITHIC_TRUE@@USE_RADATTR_TRUE@am__append_109 = plugins/radattr/libstrongswan-radattr.la
-@USE_UCI_TRUE@am__append_110 = plugins/uci
-@MONOLITHIC_TRUE@@USE_UCI_TRUE@am__append_111 = plugins/uci/libstrongswan-uci.la
-@USE_ADDRBLOCK_TRUE@am__append_112 = plugins/addrblock
-@MONOLITHIC_TRUE@@USE_ADDRBLOCK_TRUE@am__append_113 = plugins/addrblock/libstrongswan-addrblock.la
-@USE_UNITY_TRUE@am__append_114 = plugins/unity
-@MONOLITHIC_TRUE@@USE_UNITY_TRUE@am__append_115 = plugins/unity/libstrongswan-unity.la
-@USE_UNIT_TESTS_TRUE@am__append_116 = plugins/unit_tester
-@MONOLITHIC_TRUE@@USE_UNIT_TESTS_TRUE@am__append_117 = plugins/unit_tester/libstrongswan-unit-tester.la
-@USE_XAUTH_GENERIC_TRUE@am__append_118 = plugins/xauth_generic
-@MONOLITHIC_TRUE@@USE_XAUTH_GENERIC_TRUE@am__append_119 = plugins/xauth_generic/libstrongswan-xauth-generic.la
-@USE_XAUTH_EAP_TRUE@am__append_120 = plugins/xauth_eap
-@MONOLITHIC_TRUE@@USE_XAUTH_EAP_TRUE@am__append_121 = plugins/xauth_eap/libstrongswan-xauth-eap.la
-@USE_XAUTH_PAM_TRUE@am__append_122 = plugins/xauth_pam
-@MONOLITHIC_TRUE@@USE_XAUTH_PAM_TRUE@am__append_123 = plugins/xauth_pam/libstrongswan-xauth-pam.la
-@USE_XAUTH_NOAUTH_TRUE@am__append_124 = plugins/xauth_noauth
-@MONOLITHIC_TRUE@@USE_XAUTH_NOAUTH_TRUE@am__append_125 = plugins/xauth_noauth/libstrongswan-xauth-noauth.la
+@USE_OSX_ATTR_TRUE@am__append_84 = plugins/osx_attr
+@MONOLITHIC_TRUE@@USE_OSX_ATTR_TRUE@am__append_85 = plugins/osx_attr/libstrongswan-osx-attr.la
+@USE_ANDROID_DNS_TRUE@am__append_86 = plugins/android_dns
+@MONOLITHIC_TRUE@@USE_ANDROID_DNS_TRUE@am__append_87 = plugins/android_dns/libstrongswan-android-dns.la
+@USE_ANDROID_LOG_TRUE@am__append_88 = plugins/android_log
+@MONOLITHIC_TRUE@@USE_ANDROID_LOG_TRUE@am__append_89 = plugins/android_log/libstrongswan-android-log.la
+@USE_MAEMO_TRUE@am__append_90 = plugins/maemo
+@MONOLITHIC_TRUE@@USE_MAEMO_TRUE@am__append_91 = plugins/maemo/libstrongswan-maemo.la
+@USE_HA_TRUE@am__append_92 = plugins/ha
+@MONOLITHIC_TRUE@@USE_HA_TRUE@am__append_93 = plugins/ha/libstrongswan-ha.la
+@USE_KERNEL_LIBIPSEC_TRUE@am__append_94 = plugins/kernel_libipsec
+@MONOLITHIC_TRUE@@USE_KERNEL_LIBIPSEC_TRUE@am__append_95 = plugins/kernel_libipsec/libstrongswan-kernel-libipsec.la
+@USE_WHITELIST_TRUE@am__append_96 = plugins/whitelist
+@MONOLITHIC_TRUE@@USE_WHITELIST_TRUE@am__append_97 = plugins/whitelist/libstrongswan-whitelist.la
+@USE_LOOKIP_TRUE@am__append_98 = plugins/lookip
+@MONOLITHIC_TRUE@@USE_LOOKIP_TRUE@am__append_99 = plugins/lookip/libstrongswan-lookip.la
+@USE_ERROR_NOTIFY_TRUE@am__append_100 = plugins/error_notify
+@MONOLITHIC_TRUE@@USE_ERROR_NOTIFY_TRUE@am__append_101 = plugins/error_notify/libstrongswan-error-notify.la
+@USE_CERTEXPIRE_TRUE@am__append_102 = plugins/certexpire
+@MONOLITHIC_TRUE@@USE_CERTEXPIRE_TRUE@am__append_103 = plugins/certexpire/libstrongswan-certexpire.la
+@USE_SYSTIME_FIX_TRUE@am__append_104 = plugins/systime_fix
+@MONOLITHIC_TRUE@@USE_SYSTIME_FIX_TRUE@am__append_105 = plugins/systime_fix/libstrongswan-systime-fix.la
+@USE_LED_TRUE@am__append_106 = plugins/led
+@MONOLITHIC_TRUE@@USE_LED_TRUE@am__append_107 = plugins/led/libstrongswan-led.la
+@USE_DUPLICHECK_TRUE@am__append_108 = plugins/duplicheck
+@MONOLITHIC_TRUE@@USE_DUPLICHECK_TRUE@am__append_109 = plugins/duplicheck/libstrongswan-duplicheck.la
+@USE_COUPLING_TRUE@am__append_110 = plugins/coupling
+@MONOLITHIC_TRUE@@USE_COUPLING_TRUE@am__append_111 = plugins/coupling/libstrongswan-coupling.la
+@USE_RADATTR_TRUE@am__append_112 = plugins/radattr
+@MONOLITHIC_TRUE@@USE_RADATTR_TRUE@am__append_113 = plugins/radattr/libstrongswan-radattr.la
+@USE_UCI_TRUE@am__append_114 = plugins/uci
+@MONOLITHIC_TRUE@@USE_UCI_TRUE@am__append_115 = plugins/uci/libstrongswan-uci.la
+@USE_ADDRBLOCK_TRUE@am__append_116 = plugins/addrblock
+@MONOLITHIC_TRUE@@USE_ADDRBLOCK_TRUE@am__append_117 = plugins/addrblock/libstrongswan-addrblock.la
+@USE_UNITY_TRUE@am__append_118 = plugins/unity
+@MONOLITHIC_TRUE@@USE_UNITY_TRUE@am__append_119 = plugins/unity/libstrongswan-unity.la
+@USE_UNIT_TESTS_TRUE@am__append_120 = plugins/unit_tester
+@MONOLITHIC_TRUE@@USE_UNIT_TESTS_TRUE@am__append_121 = plugins/unit_tester/libstrongswan-unit-tester.la
+@USE_XAUTH_GENERIC_TRUE@am__append_122 = plugins/xauth_generic
+@MONOLITHIC_TRUE@@USE_XAUTH_GENERIC_TRUE@am__append_123 = plugins/xauth_generic/libstrongswan-xauth-generic.la
+@USE_XAUTH_EAP_TRUE@am__append_124 = plugins/xauth_eap
+@MONOLITHIC_TRUE@@USE_XAUTH_EAP_TRUE@am__append_125 = plugins/xauth_eap/libstrongswan-xauth-eap.la
+@USE_XAUTH_PAM_TRUE@am__append_126 = plugins/xauth_pam
+@MONOLITHIC_TRUE@@USE_XAUTH_PAM_TRUE@am__append_127 = plugins/xauth_pam/libstrongswan-xauth-pam.la
+@USE_XAUTH_NOAUTH_TRUE@am__append_128 = plugins/xauth_noauth
+@MONOLITHIC_TRUE@@USE_XAUTH_NOAUTH_TRUE@am__append_129 = plugins/xauth_noauth/libstrongswan-xauth-noauth.la
 subdir = src/libcharon
 DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
@@ -240,7 +244,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
@@ -299,7 +303,8 @@ libcharon_la_DEPENDENCIES = $(am__DEPENDENCIES_1) \
 	$(am__append_105) $(am__append_107) $(am__append_109) \
 	$(am__append_111) $(am__append_113) $(am__append_115) \
 	$(am__append_117) $(am__append_119) $(am__append_121) \
-	$(am__append_123) $(am__append_125)
+	$(am__append_123) $(am__append_125) $(am__append_127) \
+	$(am__append_129)
 am__libcharon_la_SOURCES_DIST = bus/bus.c bus/bus.h \
 	bus/listeners/listener.h bus/listeners/logger.h \
 	bus/listeners/file_logger.c bus/listeners/file_logger.h \
@@ -499,19 +504,35 @@ am_libcharon_la_OBJECTS = bus.lo file_logger.lo sys_logger.lo \
 	trap_manager.lo task.lo $(am__objects_1) $(am__objects_2) \
 	$(am__objects_3)
 libcharon_la_OBJECTS = $(am_libcharon_la_OBJECTS)
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
 DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
 depcomp = $(SHELL) $(top_srcdir)/depcomp
 am__depfiles_maybe = depfiles
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
 SOURCES = $(libcharon_la_SOURCES)
 DIST_SOURCES = $(am__libcharon_la_SOURCES_DIST)
 RECURSIVE_TARGETS = all-recursive check-recursive dvi-recursive \
@@ -546,8 +567,9 @@ DIST_SUBDIRS = . plugins/load_tester plugins/socket_default \
 	plugins/tnc_pdp plugins/tnc_imc plugins/tnc_imv \
 	plugins/tnc_tnccs plugins/tnccs_11 plugins/tnccs_20 \
 	plugins/tnccs_dynamic plugins/medsrv plugins/medcli \
-	plugins/dhcp plugins/android_dns plugins/android_log \
-	plugins/maemo plugins/ha plugins/whitelist plugins/lookip \
+	plugins/dhcp plugins/osx_attr plugins/android_dns \
+	plugins/android_log plugins/maemo plugins/ha \
+	plugins/kernel_libipsec plugins/whitelist plugins/lookip \
 	plugins/error_notify plugins/certexpire plugins/systime_fix \
 	plugins/led plugins/duplicheck plugins/coupling \
 	plugins/radattr plugins/uci plugins/addrblock plugins/unity \
@@ -582,6 +604,7 @@ am__relativize = \
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
@@ -594,6 +617,8 @@ CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
 CHECK_CFLAGS = @CHECK_CFLAGS@
 CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -609,6 +634,7 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
 GPRBUILD = @GPRBUILD@
 GREP = @GREP@
@@ -617,6 +643,7 @@ INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -663,6 +690,7 @@ SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -691,6 +719,7 @@ charon_natt_port = @charon_natt_port@
 charon_plugins = @charon_plugins@
 charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
@@ -861,13 +890,11 @@ libcharon_la_SOURCES = bus/bus.c bus/bus.h bus/listeners/listener.h \
 	sa/shunt_manager.c sa/shunt_manager.h sa/trap_manager.c \
 	sa/trap_manager.h sa/task.c sa/task.h $(am__append_1) \
 	$(am__append_2) $(am__append_3)
-INCLUDES = \
+AM_CPPFLAGS = \
 	-I${linux_headers} \
 	-I$(top_srcdir)/src/libstrongswan \
 	-I$(top_srcdir)/src/libhydra \
-	-I$(top_srcdir)/src/libcharon
-
-AM_CFLAGS = \
+	-I$(top_srcdir)/src/libcharon \
 	-DIPSEC_DIR=\"${ipsecdir}\" \
 	-DIPSEC_PIDDIR=\"${piddir}\"
 
@@ -892,7 +919,8 @@ libcharon_la_LIBADD = -lm $(PTHREADLIB) $(DLLIB) $(SOCKLIB) \
 	$(am__append_103) $(am__append_105) $(am__append_107) \
 	$(am__append_109) $(am__append_111) $(am__append_113) \
 	$(am__append_115) $(am__append_117) $(am__append_119) \
-	$(am__append_121) $(am__append_123) $(am__append_125)
+	$(am__append_121) $(am__append_123) $(am__append_125) \
+	$(am__append_127) $(am__append_129)
 EXTRA_DIST = Android.mk
 @MONOLITHIC_FALSE@SUBDIRS = . $(am__append_4) $(am__append_6) \
 @MONOLITHIC_FALSE@	$(am__append_8) $(am__append_10) \
@@ -923,7 +951,8 @@ EXTRA_DIST = Android.mk
 @MONOLITHIC_FALSE@	$(am__append_112) $(am__append_114) \
 @MONOLITHIC_FALSE@	$(am__append_116) $(am__append_118) \
 @MONOLITHIC_FALSE@	$(am__append_120) $(am__append_122) \
-@MONOLITHIC_FALSE@	$(am__append_124)
+@MONOLITHIC_FALSE@	$(am__append_124) $(am__append_126) \
+@MONOLITHIC_FALSE@	$(am__append_128)
 
 # build optional plugins
 ########################
@@ -956,7 +985,8 @@ EXTRA_DIST = Android.mk
 @MONOLITHIC_TRUE@	$(am__append_112) $(am__append_114) \
 @MONOLITHIC_TRUE@	$(am__append_116) $(am__append_118) \
 @MONOLITHIC_TRUE@	$(am__append_120) $(am__append_122) \
-@MONOLITHIC_TRUE@	$(am__append_124)
+@MONOLITHIC_TRUE@	$(am__append_124) $(am__append_126) \
+@MONOLITHIC_TRUE@	$(am__append_128)
 all: all-recursive
 
 .SUFFIXES:
@@ -1024,7 +1054,7 @@ clean-ipseclibLTLIBRARIES:
 	  rm -f "$${dir}/so_locations"; \
 	done
 libcharon.la: $(libcharon_la_OBJECTS) $(libcharon_la_DEPENDENCIES) $(EXTRA_libcharon_la_DEPENDENCIES) 
-	$(LINK) -rpath $(ipseclibdir) $(libcharon_la_OBJECTS) $(libcharon_la_LIBADD) $(LIBS)
+	$(AM_V_CCLD)$(LINK) -rpath $(ipseclibdir) $(libcharon_la_OBJECTS) $(libcharon_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -1154,858 +1184,858 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/xauth_method.Plo@am__quote@
 
 .c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
 bus.lo: bus/bus.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT bus.lo -MD -MP -MF $(DEPDIR)/bus.Tpo -c -o bus.lo `test -f 'bus/bus.c' || echo '$(srcdir)/'`bus/bus.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/bus.Tpo $(DEPDIR)/bus.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='bus/bus.c' object='bus.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT bus.lo -MD -MP -MF $(DEPDIR)/bus.Tpo -c -o bus.lo `test -f 'bus/bus.c' || echo '$(srcdir)/'`bus/bus.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/bus.Tpo $(DEPDIR)/bus.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='bus/bus.c' object='bus.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o bus.lo `test -f 'bus/bus.c' || echo '$(srcdir)/'`bus/bus.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o bus.lo `test -f 'bus/bus.c' || echo '$(srcdir)/'`bus/bus.c
 
 file_logger.lo: bus/listeners/file_logger.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT file_logger.lo -MD -MP -MF $(DEPDIR)/file_logger.Tpo -c -o file_logger.lo `test -f 'bus/listeners/file_logger.c' || echo '$(srcdir)/'`bus/listeners/file_logger.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/file_logger.Tpo $(DEPDIR)/file_logger.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='bus/listeners/file_logger.c' object='file_logger.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT file_logger.lo -MD -MP -MF $(DEPDIR)/file_logger.Tpo -c -o file_logger.lo `test -f 'bus/listeners/file_logger.c' || echo '$(srcdir)/'`bus/listeners/file_logger.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/file_logger.Tpo $(DEPDIR)/file_logger.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='bus/listeners/file_logger.c' object='file_logger.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o file_logger.lo `test -f 'bus/listeners/file_logger.c' || echo '$(srcdir)/'`bus/listeners/file_logger.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o file_logger.lo `test -f 'bus/listeners/file_logger.c' || echo '$(srcdir)/'`bus/listeners/file_logger.c
 
 sys_logger.lo: bus/listeners/sys_logger.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT sys_logger.lo -MD -MP -MF $(DEPDIR)/sys_logger.Tpo -c -o sys_logger.lo `test -f 'bus/listeners/sys_logger.c' || echo '$(srcdir)/'`bus/listeners/sys_logger.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/sys_logger.Tpo $(DEPDIR)/sys_logger.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='bus/listeners/sys_logger.c' object='sys_logger.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT sys_logger.lo -MD -MP -MF $(DEPDIR)/sys_logger.Tpo -c -o sys_logger.lo `test -f 'bus/listeners/sys_logger.c' || echo '$(srcdir)/'`bus/listeners/sys_logger.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/sys_logger.Tpo $(DEPDIR)/sys_logger.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='bus/listeners/sys_logger.c' object='sys_logger.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sys_logger.lo `test -f 'bus/listeners/sys_logger.c' || echo '$(srcdir)/'`bus/listeners/sys_logger.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sys_logger.lo `test -f 'bus/listeners/sys_logger.c' || echo '$(srcdir)/'`bus/listeners/sys_logger.c
 
 backend_manager.lo: config/backend_manager.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT backend_manager.lo -MD -MP -MF $(DEPDIR)/backend_manager.Tpo -c -o backend_manager.lo `test -f 'config/backend_manager.c' || echo '$(srcdir)/'`config/backend_manager.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/backend_manager.Tpo $(DEPDIR)/backend_manager.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='config/backend_manager.c' object='backend_manager.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT backend_manager.lo -MD -MP -MF $(DEPDIR)/backend_manager.Tpo -c -o backend_manager.lo `test -f 'config/backend_manager.c' || echo '$(srcdir)/'`config/backend_manager.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/backend_manager.Tpo $(DEPDIR)/backend_manager.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='config/backend_manager.c' object='backend_manager.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o backend_manager.lo `test -f 'config/backend_manager.c' || echo '$(srcdir)/'`config/backend_manager.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o backend_manager.lo `test -f 'config/backend_manager.c' || echo '$(srcdir)/'`config/backend_manager.c
 
 child_cfg.lo: config/child_cfg.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT child_cfg.lo -MD -MP -MF $(DEPDIR)/child_cfg.Tpo -c -o child_cfg.lo `test -f 'config/child_cfg.c' || echo '$(srcdir)/'`config/child_cfg.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/child_cfg.Tpo $(DEPDIR)/child_cfg.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='config/child_cfg.c' object='child_cfg.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT child_cfg.lo -MD -MP -MF $(DEPDIR)/child_cfg.Tpo -c -o child_cfg.lo `test -f 'config/child_cfg.c' || echo '$(srcdir)/'`config/child_cfg.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/child_cfg.Tpo $(DEPDIR)/child_cfg.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='config/child_cfg.c' object='child_cfg.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o child_cfg.lo `test -f 'config/child_cfg.c' || echo '$(srcdir)/'`config/child_cfg.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o child_cfg.lo `test -f 'config/child_cfg.c' || echo '$(srcdir)/'`config/child_cfg.c
 
 ike_cfg.lo: config/ike_cfg.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_cfg.lo -MD -MP -MF $(DEPDIR)/ike_cfg.Tpo -c -o ike_cfg.lo `test -f 'config/ike_cfg.c' || echo '$(srcdir)/'`config/ike_cfg.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/ike_cfg.Tpo $(DEPDIR)/ike_cfg.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='config/ike_cfg.c' object='ike_cfg.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_cfg.lo -MD -MP -MF $(DEPDIR)/ike_cfg.Tpo -c -o ike_cfg.lo `test -f 'config/ike_cfg.c' || echo '$(srcdir)/'`config/ike_cfg.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/ike_cfg.Tpo $(DEPDIR)/ike_cfg.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='config/ike_cfg.c' object='ike_cfg.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_cfg.lo `test -f 'config/ike_cfg.c' || echo '$(srcdir)/'`config/ike_cfg.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_cfg.lo `test -f 'config/ike_cfg.c' || echo '$(srcdir)/'`config/ike_cfg.c
 
 peer_cfg.lo: config/peer_cfg.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT peer_cfg.lo -MD -MP -MF $(DEPDIR)/peer_cfg.Tpo -c -o peer_cfg.lo `test -f 'config/peer_cfg.c' || echo '$(srcdir)/'`config/peer_cfg.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/peer_cfg.Tpo $(DEPDIR)/peer_cfg.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='config/peer_cfg.c' object='peer_cfg.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT peer_cfg.lo -MD -MP -MF $(DEPDIR)/peer_cfg.Tpo -c -o peer_cfg.lo `test -f 'config/peer_cfg.c' || echo '$(srcdir)/'`config/peer_cfg.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/peer_cfg.Tpo $(DEPDIR)/peer_cfg.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='config/peer_cfg.c' object='peer_cfg.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o peer_cfg.lo `test -f 'config/peer_cfg.c' || echo '$(srcdir)/'`config/peer_cfg.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o peer_cfg.lo `test -f 'config/peer_cfg.c' || echo '$(srcdir)/'`config/peer_cfg.c
 
 proposal.lo: config/proposal.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT proposal.lo -MD -MP -MF $(DEPDIR)/proposal.Tpo -c -o proposal.lo `test -f 'config/proposal.c' || echo '$(srcdir)/'`config/proposal.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/proposal.Tpo $(DEPDIR)/proposal.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='config/proposal.c' object='proposal.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT proposal.lo -MD -MP -MF $(DEPDIR)/proposal.Tpo -c -o proposal.lo `test -f 'config/proposal.c' || echo '$(srcdir)/'`config/proposal.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/proposal.Tpo $(DEPDIR)/proposal.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='config/proposal.c' object='proposal.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o proposal.lo `test -f 'config/proposal.c' || echo '$(srcdir)/'`config/proposal.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o proposal.lo `test -f 'config/proposal.c' || echo '$(srcdir)/'`config/proposal.c
 
 controller.lo: control/controller.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT controller.lo -MD -MP -MF $(DEPDIR)/controller.Tpo -c -o controller.lo `test -f 'control/controller.c' || echo '$(srcdir)/'`control/controller.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/controller.Tpo $(DEPDIR)/controller.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='control/controller.c' object='controller.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT controller.lo -MD -MP -MF $(DEPDIR)/controller.Tpo -c -o controller.lo `test -f 'control/controller.c' || echo '$(srcdir)/'`control/controller.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/controller.Tpo $(DEPDIR)/controller.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='control/controller.c' object='controller.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o controller.lo `test -f 'control/controller.c' || echo '$(srcdir)/'`control/controller.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o controller.lo `test -f 'control/controller.c' || echo '$(srcdir)/'`control/controller.c
 
 generator.lo: encoding/generator.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT generator.lo -MD -MP -MF $(DEPDIR)/generator.Tpo -c -o generator.lo `test -f 'encoding/generator.c' || echo '$(srcdir)/'`encoding/generator.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/generator.Tpo $(DEPDIR)/generator.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='encoding/generator.c' object='generator.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT generator.lo -MD -MP -MF $(DEPDIR)/generator.Tpo -c -o generator.lo `test -f 'encoding/generator.c' || echo '$(srcdir)/'`encoding/generator.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/generator.Tpo $(DEPDIR)/generator.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='encoding/generator.c' object='generator.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o generator.lo `test -f 'encoding/generator.c' || echo '$(srcdir)/'`encoding/generator.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o generator.lo `test -f 'encoding/generator.c' || echo '$(srcdir)/'`encoding/generator.c
 
 message.lo: encoding/message.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT message.lo -MD -MP -MF $(DEPDIR)/message.Tpo -c -o message.lo `test -f 'encoding/message.c' || echo '$(srcdir)/'`encoding/message.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/message.Tpo $(DEPDIR)/message.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='encoding/message.c' object='message.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT message.lo -MD -MP -MF $(DEPDIR)/message.Tpo -c -o message.lo `test -f 'encoding/message.c' || echo '$(srcdir)/'`encoding/message.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/message.Tpo $(DEPDIR)/message.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='encoding/message.c' object='message.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o message.lo `test -f 'encoding/message.c' || echo '$(srcdir)/'`encoding/message.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o message.lo `test -f 'encoding/message.c' || echo '$(srcdir)/'`encoding/message.c
 
 parser.lo: encoding/parser.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT parser.lo -MD -MP -MF $(DEPDIR)/parser.Tpo -c -o parser.lo `test -f 'encoding/parser.c' || echo '$(srcdir)/'`encoding/parser.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/parser.Tpo $(DEPDIR)/parser.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='encoding/parser.c' object='parser.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT parser.lo -MD -MP -MF $(DEPDIR)/parser.Tpo -c -o parser.lo `test -f 'encoding/parser.c' || echo '$(srcdir)/'`encoding/parser.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/parser.Tpo $(DEPDIR)/parser.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='encoding/parser.c' object='parser.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o parser.lo `test -f 'encoding/parser.c' || echo '$(srcdir)/'`encoding/parser.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o parser.lo `test -f 'encoding/parser.c' || echo '$(srcdir)/'`encoding/parser.c
 
 auth_payload.lo: encoding/payloads/auth_payload.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT auth_payload.lo -MD -MP -MF $(DEPDIR)/auth_payload.Tpo -c -o auth_payload.lo `test -f 'encoding/payloads/auth_payload.c' || echo '$(srcdir)/'`encoding/payloads/auth_payload.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/auth_payload.Tpo $(DEPDIR)/auth_payload.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='encoding/payloads/auth_payload.c' object='auth_payload.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT auth_payload.lo -MD -MP -MF $(DEPDIR)/auth_payload.Tpo -c -o auth_payload.lo `test -f 'encoding/payloads/auth_payload.c' || echo '$(srcdir)/'`encoding/payloads/auth_payload.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/auth_payload.Tpo $(DEPDIR)/auth_payload.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='encoding/payloads/auth_payload.c' object='auth_payload.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o auth_payload.lo `test -f 'encoding/payloads/auth_payload.c' || echo '$(srcdir)/'`encoding/payloads/auth_payload.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o auth_payload.lo `test -f 'encoding/payloads/auth_payload.c' || echo '$(srcdir)/'`encoding/payloads/auth_payload.c
 
 cert_payload.lo: encoding/payloads/cert_payload.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT cert_payload.lo -MD -MP -MF $(DEPDIR)/cert_payload.Tpo -c -o cert_payload.lo `test -f 'encoding/payloads/cert_payload.c' || echo '$(srcdir)/'`encoding/payloads/cert_payload.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/cert_payload.Tpo $(DEPDIR)/cert_payload.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='encoding/payloads/cert_payload.c' object='cert_payload.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT cert_payload.lo -MD -MP -MF $(DEPDIR)/cert_payload.Tpo -c -o cert_payload.lo `test -f 'encoding/payloads/cert_payload.c' || echo '$(srcdir)/'`encoding/payloads/cert_payload.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/cert_payload.Tpo $(DEPDIR)/cert_payload.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='encoding/payloads/cert_payload.c' object='cert_payload.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o cert_payload.lo `test -f 'encoding/payloads/cert_payload.c' || echo '$(srcdir)/'`encoding/payloads/cert_payload.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o cert_payload.lo `test -f 'encoding/payloads/cert_payload.c' || echo '$(srcdir)/'`encoding/payloads/cert_payload.c
 
 certreq_payload.lo: encoding/payloads/certreq_payload.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT certreq_payload.lo -MD -MP -MF $(DEPDIR)/certreq_payload.Tpo -c -o certreq_payload.lo `test -f 'encoding/payloads/certreq_payload.c' || echo '$(srcdir)/'`encoding/payloads/certreq_payload.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/certreq_payload.Tpo $(DEPDIR)/certreq_payload.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='encoding/payloads/certreq_payload.c' object='certreq_payload.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT certreq_payload.lo -MD -MP -MF $(DEPDIR)/certreq_payload.Tpo -c -o certreq_payload.lo `test -f 'encoding/payloads/certreq_payload.c' || echo '$(srcdir)/'`encoding/payloads/certreq_payload.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/certreq_payload.Tpo $(DEPDIR)/certreq_payload.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='encoding/payloads/certreq_payload.c' object='certreq_payload.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o certreq_payload.lo `test -f 'encoding/payloads/certreq_payload.c' || echo '$(srcdir)/'`encoding/payloads/certreq_payload.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o certreq_payload.lo `test -f 'encoding/payloads/certreq_payload.c' || echo '$(srcdir)/'`encoding/payloads/certreq_payload.c
 
 configuration_attribute.lo: encoding/payloads/configuration_attribute.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT configuration_attribute.lo -MD -MP -MF $(DEPDIR)/configuration_attribute.Tpo -c -o configuration_attribute.lo `test -f 'encoding/payloads/configuration_attribute.c' || echo '$(srcdir)/'`encoding/payloads/configuration_attribute.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/configuration_attribute.Tpo $(DEPDIR)/configuration_attribute.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='encoding/payloads/configuration_attribute.c' object='configuration_attribute.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT configuration_attribute.lo -MD -MP -MF $(DEPDIR)/configuration_attribute.Tpo -c -o configuration_attribute.lo `test -f 'encoding/payloads/configuration_attribute.c' || echo '$(srcdir)/'`encoding/payloads/configuration_attribute.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/configuration_attribute.Tpo $(DEPDIR)/configuration_attribute.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='encoding/payloads/configuration_attribute.c' object='configuration_attribute.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o configuration_attribute.lo `test -f 'encoding/payloads/configuration_attribute.c' || echo '$(srcdir)/'`encoding/payloads/configuration_attribute.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o configuration_attribute.lo `test -f 'encoding/payloads/configuration_attribute.c' || echo '$(srcdir)/'`encoding/payloads/configuration_attribute.c
 
 cp_payload.lo: encoding/payloads/cp_payload.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT cp_payload.lo -MD -MP -MF $(DEPDIR)/cp_payload.Tpo -c -o cp_payload.lo `test -f 'encoding/payloads/cp_payload.c' || echo '$(srcdir)/'`encoding/payloads/cp_payload.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/cp_payload.Tpo $(DEPDIR)/cp_payload.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='encoding/payloads/cp_payload.c' object='cp_payload.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT cp_payload.lo -MD -MP -MF $(DEPDIR)/cp_payload.Tpo -c -o cp_payload.lo `test -f 'encoding/payloads/cp_payload.c' || echo '$(srcdir)/'`encoding/payloads/cp_payload.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/cp_payload.Tpo $(DEPDIR)/cp_payload.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='encoding/payloads/cp_payload.c' object='cp_payload.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o cp_payload.lo `test -f 'encoding/payloads/cp_payload.c' || echo '$(srcdir)/'`encoding/payloads/cp_payload.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o cp_payload.lo `test -f 'encoding/payloads/cp_payload.c' || echo '$(srcdir)/'`encoding/payloads/cp_payload.c
 
 delete_payload.lo: encoding/payloads/delete_payload.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT delete_payload.lo -MD -MP -MF $(DEPDIR)/delete_payload.Tpo -c -o delete_payload.lo `test -f 'encoding/payloads/delete_payload.c' || echo '$(srcdir)/'`encoding/payloads/delete_payload.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/delete_payload.Tpo $(DEPDIR)/delete_payload.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='encoding/payloads/delete_payload.c' object='delete_payload.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT delete_payload.lo -MD -MP -MF $(DEPDIR)/delete_payload.Tpo -c -o delete_payload.lo `test -f 'encoding/payloads/delete_payload.c' || echo '$(srcdir)/'`encoding/payloads/delete_payload.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/delete_payload.Tpo $(DEPDIR)/delete_payload.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='encoding/payloads/delete_payload.c' object='delete_payload.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o delete_payload.lo `test -f 'encoding/payloads/delete_payload.c' || echo '$(srcdir)/'`encoding/payloads/delete_payload.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o delete_payload.lo `test -f 'encoding/payloads/delete_payload.c' || echo '$(srcdir)/'`encoding/payloads/delete_payload.c
 
 eap_payload.lo: encoding/payloads/eap_payload.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT eap_payload.lo -MD -MP -MF $(DEPDIR)/eap_payload.Tpo -c -o eap_payload.lo `test -f 'encoding/payloads/eap_payload.c' || echo '$(srcdir)/'`encoding/payloads/eap_payload.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/eap_payload.Tpo $(DEPDIR)/eap_payload.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='encoding/payloads/eap_payload.c' object='eap_payload.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT eap_payload.lo -MD -MP -MF $(DEPDIR)/eap_payload.Tpo -c -o eap_payload.lo `test -f 'encoding/payloads/eap_payload.c' || echo '$(srcdir)/'`encoding/payloads/eap_payload.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/eap_payload.Tpo $(DEPDIR)/eap_payload.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='encoding/payloads/eap_payload.c' object='eap_payload.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o eap_payload.lo `test -f 'encoding/payloads/eap_payload.c' || echo '$(srcdir)/'`encoding/payloads/eap_payload.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o eap_payload.lo `test -f 'encoding/payloads/eap_payload.c' || echo '$(srcdir)/'`encoding/payloads/eap_payload.c
 
 encodings.lo: encoding/payloads/encodings.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT encodings.lo -MD -MP -MF $(DEPDIR)/encodings.Tpo -c -o encodings.lo `test -f 'encoding/payloads/encodings.c' || echo '$(srcdir)/'`encoding/payloads/encodings.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/encodings.Tpo $(DEPDIR)/encodings.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='encoding/payloads/encodings.c' object='encodings.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT encodings.lo -MD -MP -MF $(DEPDIR)/encodings.Tpo -c -o encodings.lo `test -f 'encoding/payloads/encodings.c' || echo '$(srcdir)/'`encoding/payloads/encodings.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/encodings.Tpo $(DEPDIR)/encodings.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='encoding/payloads/encodings.c' object='encodings.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o encodings.lo `test -f 'encoding/payloads/encodings.c' || echo '$(srcdir)/'`encoding/payloads/encodings.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o encodings.lo `test -f 'encoding/payloads/encodings.c' || echo '$(srcdir)/'`encoding/payloads/encodings.c
 
 encryption_payload.lo: encoding/payloads/encryption_payload.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT encryption_payload.lo -MD -MP -MF $(DEPDIR)/encryption_payload.Tpo -c -o encryption_payload.lo `test -f 'encoding/payloads/encryption_payload.c' || echo '$(srcdir)/'`encoding/payloads/encryption_payload.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/encryption_payload.Tpo $(DEPDIR)/encryption_payload.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='encoding/payloads/encryption_payload.c' object='encryption_payload.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT encryption_payload.lo -MD -MP -MF $(DEPDIR)/encryption_payload.Tpo -c -o encryption_payload.lo `test -f 'encoding/payloads/encryption_payload.c' || echo '$(srcdir)/'`encoding/payloads/encryption_payload.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/encryption_payload.Tpo $(DEPDIR)/encryption_payload.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='encoding/payloads/encryption_payload.c' object='encryption_payload.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o encryption_payload.lo `test -f 'encoding/payloads/encryption_payload.c' || echo '$(srcdir)/'`encoding/payloads/encryption_payload.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o encryption_payload.lo `test -f 'encoding/payloads/encryption_payload.c' || echo '$(srcdir)/'`encoding/payloads/encryption_payload.c
 
 id_payload.lo: encoding/payloads/id_payload.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT id_payload.lo -MD -MP -MF $(DEPDIR)/id_payload.Tpo -c -o id_payload.lo `test -f 'encoding/payloads/id_payload.c' || echo '$(srcdir)/'`encoding/payloads/id_payload.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/id_payload.Tpo $(DEPDIR)/id_payload.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='encoding/payloads/id_payload.c' object='id_payload.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT id_payload.lo -MD -MP -MF $(DEPDIR)/id_payload.Tpo -c -o id_payload.lo `test -f 'encoding/payloads/id_payload.c' || echo '$(srcdir)/'`encoding/payloads/id_payload.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/id_payload.Tpo $(DEPDIR)/id_payload.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='encoding/payloads/id_payload.c' object='id_payload.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o id_payload.lo `test -f 'encoding/payloads/id_payload.c' || echo '$(srcdir)/'`encoding/payloads/id_payload.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o id_payload.lo `test -f 'encoding/payloads/id_payload.c' || echo '$(srcdir)/'`encoding/payloads/id_payload.c
 
 ike_header.lo: encoding/payloads/ike_header.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_header.lo -MD -MP -MF $(DEPDIR)/ike_header.Tpo -c -o ike_header.lo `test -f 'encoding/payloads/ike_header.c' || echo '$(srcdir)/'`encoding/payloads/ike_header.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/ike_header.Tpo $(DEPDIR)/ike_header.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='encoding/payloads/ike_header.c' object='ike_header.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_header.lo -MD -MP -MF $(DEPDIR)/ike_header.Tpo -c -o ike_header.lo `test -f 'encoding/payloads/ike_header.c' || echo '$(srcdir)/'`encoding/payloads/ike_header.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/ike_header.Tpo $(DEPDIR)/ike_header.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='encoding/payloads/ike_header.c' object='ike_header.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_header.lo `test -f 'encoding/payloads/ike_header.c' || echo '$(srcdir)/'`encoding/payloads/ike_header.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_header.lo `test -f 'encoding/payloads/ike_header.c' || echo '$(srcdir)/'`encoding/payloads/ike_header.c
 
 ke_payload.lo: encoding/payloads/ke_payload.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ke_payload.lo -MD -MP -MF $(DEPDIR)/ke_payload.Tpo -c -o ke_payload.lo `test -f 'encoding/payloads/ke_payload.c' || echo '$(srcdir)/'`encoding/payloads/ke_payload.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/ke_payload.Tpo $(DEPDIR)/ke_payload.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='encoding/payloads/ke_payload.c' object='ke_payload.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ke_payload.lo -MD -MP -MF $(DEPDIR)/ke_payload.Tpo -c -o ke_payload.lo `test -f 'encoding/payloads/ke_payload.c' || echo '$(srcdir)/'`encoding/payloads/ke_payload.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/ke_payload.Tpo $(DEPDIR)/ke_payload.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='encoding/payloads/ke_payload.c' object='ke_payload.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ke_payload.lo `test -f 'encoding/payloads/ke_payload.c' || echo '$(srcdir)/'`encoding/payloads/ke_payload.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ke_payload.lo `test -f 'encoding/payloads/ke_payload.c' || echo '$(srcdir)/'`encoding/payloads/ke_payload.c
 
 nonce_payload.lo: encoding/payloads/nonce_payload.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT nonce_payload.lo -MD -MP -MF $(DEPDIR)/nonce_payload.Tpo -c -o nonce_payload.lo `test -f 'encoding/payloads/nonce_payload.c' || echo '$(srcdir)/'`encoding/payloads/nonce_payload.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/nonce_payload.Tpo $(DEPDIR)/nonce_payload.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='encoding/payloads/nonce_payload.c' object='nonce_payload.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT nonce_payload.lo -MD -MP -MF $(DEPDIR)/nonce_payload.Tpo -c -o nonce_payload.lo `test -f 'encoding/payloads/nonce_payload.c' || echo '$(srcdir)/'`encoding/payloads/nonce_payload.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/nonce_payload.Tpo $(DEPDIR)/nonce_payload.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='encoding/payloads/nonce_payload.c' object='nonce_payload.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o nonce_payload.lo `test -f 'encoding/payloads/nonce_payload.c' || echo '$(srcdir)/'`encoding/payloads/nonce_payload.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o nonce_payload.lo `test -f 'encoding/payloads/nonce_payload.c' || echo '$(srcdir)/'`encoding/payloads/nonce_payload.c
 
 notify_payload.lo: encoding/payloads/notify_payload.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT notify_payload.lo -MD -MP -MF $(DEPDIR)/notify_payload.Tpo -c -o notify_payload.lo `test -f 'encoding/payloads/notify_payload.c' || echo '$(srcdir)/'`encoding/payloads/notify_payload.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/notify_payload.Tpo $(DEPDIR)/notify_payload.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='encoding/payloads/notify_payload.c' object='notify_payload.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT notify_payload.lo -MD -MP -MF $(DEPDIR)/notify_payload.Tpo -c -o notify_payload.lo `test -f 'encoding/payloads/notify_payload.c' || echo '$(srcdir)/'`encoding/payloads/notify_payload.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/notify_payload.Tpo $(DEPDIR)/notify_payload.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='encoding/payloads/notify_payload.c' object='notify_payload.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o notify_payload.lo `test -f 'encoding/payloads/notify_payload.c' || echo '$(srcdir)/'`encoding/payloads/notify_payload.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o notify_payload.lo `test -f 'encoding/payloads/notify_payload.c' || echo '$(srcdir)/'`encoding/payloads/notify_payload.c
 
 payload.lo: encoding/payloads/payload.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT payload.lo -MD -MP -MF $(DEPDIR)/payload.Tpo -c -o payload.lo `test -f 'encoding/payloads/payload.c' || echo '$(srcdir)/'`encoding/payloads/payload.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/payload.Tpo $(DEPDIR)/payload.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='encoding/payloads/payload.c' object='payload.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT payload.lo -MD -MP -MF $(DEPDIR)/payload.Tpo -c -o payload.lo `test -f 'encoding/payloads/payload.c' || echo '$(srcdir)/'`encoding/payloads/payload.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/payload.Tpo $(DEPDIR)/payload.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='encoding/payloads/payload.c' object='payload.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o payload.lo `test -f 'encoding/payloads/payload.c' || echo '$(srcdir)/'`encoding/payloads/payload.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o payload.lo `test -f 'encoding/payloads/payload.c' || echo '$(srcdir)/'`encoding/payloads/payload.c
 
 proposal_substructure.lo: encoding/payloads/proposal_substructure.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT proposal_substructure.lo -MD -MP -MF $(DEPDIR)/proposal_substructure.Tpo -c -o proposal_substructure.lo `test -f 'encoding/payloads/proposal_substructure.c' || echo '$(srcdir)/'`encoding/payloads/proposal_substructure.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/proposal_substructure.Tpo $(DEPDIR)/proposal_substructure.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='encoding/payloads/proposal_substructure.c' object='proposal_substructure.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT proposal_substructure.lo -MD -MP -MF $(DEPDIR)/proposal_substructure.Tpo -c -o proposal_substructure.lo `test -f 'encoding/payloads/proposal_substructure.c' || echo '$(srcdir)/'`encoding/payloads/proposal_substructure.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/proposal_substructure.Tpo $(DEPDIR)/proposal_substructure.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='encoding/payloads/proposal_substructure.c' object='proposal_substructure.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o proposal_substructure.lo `test -f 'encoding/payloads/proposal_substructure.c' || echo '$(srcdir)/'`encoding/payloads/proposal_substructure.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o proposal_substructure.lo `test -f 'encoding/payloads/proposal_substructure.c' || echo '$(srcdir)/'`encoding/payloads/proposal_substructure.c
 
 sa_payload.lo: encoding/payloads/sa_payload.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT sa_payload.lo -MD -MP -MF $(DEPDIR)/sa_payload.Tpo -c -o sa_payload.lo `test -f 'encoding/payloads/sa_payload.c' || echo '$(srcdir)/'`encoding/payloads/sa_payload.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/sa_payload.Tpo $(DEPDIR)/sa_payload.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='encoding/payloads/sa_payload.c' object='sa_payload.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT sa_payload.lo -MD -MP -MF $(DEPDIR)/sa_payload.Tpo -c -o sa_payload.lo `test -f 'encoding/payloads/sa_payload.c' || echo '$(srcdir)/'`encoding/payloads/sa_payload.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/sa_payload.Tpo $(DEPDIR)/sa_payload.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='encoding/payloads/sa_payload.c' object='sa_payload.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sa_payload.lo `test -f 'encoding/payloads/sa_payload.c' || echo '$(srcdir)/'`encoding/payloads/sa_payload.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sa_payload.lo `test -f 'encoding/payloads/sa_payload.c' || echo '$(srcdir)/'`encoding/payloads/sa_payload.c
 
 traffic_selector_substructure.lo: encoding/payloads/traffic_selector_substructure.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT traffic_selector_substructure.lo -MD -MP -MF $(DEPDIR)/traffic_selector_substructure.Tpo -c -o traffic_selector_substructure.lo `test -f 'encoding/payloads/traffic_selector_substructure.c' || echo '$(srcdir)/'`encoding/payloads/traffic_selector_substructure.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/traffic_selector_substructure.Tpo $(DEPDIR)/traffic_selector_substructure.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='encoding/payloads/traffic_selector_substructure.c' object='traffic_selector_substructure.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT traffic_selector_substructure.lo -MD -MP -MF $(DEPDIR)/traffic_selector_substructure.Tpo -c -o traffic_selector_substructure.lo `test -f 'encoding/payloads/traffic_selector_substructure.c' || echo '$(srcdir)/'`encoding/payloads/traffic_selector_substructure.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/traffic_selector_substructure.Tpo $(DEPDIR)/traffic_selector_substructure.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='encoding/payloads/traffic_selector_substructure.c' object='traffic_selector_substructure.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o traffic_selector_substructure.lo `test -f 'encoding/payloads/traffic_selector_substructure.c' || echo '$(srcdir)/'`encoding/payloads/traffic_selector_substructure.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o traffic_selector_substructure.lo `test -f 'encoding/payloads/traffic_selector_substructure.c' || echo '$(srcdir)/'`encoding/payloads/traffic_selector_substructure.c
 
 transform_attribute.lo: encoding/payloads/transform_attribute.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT transform_attribute.lo -MD -MP -MF $(DEPDIR)/transform_attribute.Tpo -c -o transform_attribute.lo `test -f 'encoding/payloads/transform_attribute.c' || echo '$(srcdir)/'`encoding/payloads/transform_attribute.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/transform_attribute.Tpo $(DEPDIR)/transform_attribute.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='encoding/payloads/transform_attribute.c' object='transform_attribute.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT transform_attribute.lo -MD -MP -MF $(DEPDIR)/transform_attribute.Tpo -c -o transform_attribute.lo `test -f 'encoding/payloads/transform_attribute.c' || echo '$(srcdir)/'`encoding/payloads/transform_attribute.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/transform_attribute.Tpo $(DEPDIR)/transform_attribute.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='encoding/payloads/transform_attribute.c' object='transform_attribute.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o transform_attribute.lo `test -f 'encoding/payloads/transform_attribute.c' || echo '$(srcdir)/'`encoding/payloads/transform_attribute.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o transform_attribute.lo `test -f 'encoding/payloads/transform_attribute.c' || echo '$(srcdir)/'`encoding/payloads/transform_attribute.c
 
 transform_substructure.lo: encoding/payloads/transform_substructure.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT transform_substructure.lo -MD -MP -MF $(DEPDIR)/transform_substructure.Tpo -c -o transform_substructure.lo `test -f 'encoding/payloads/transform_substructure.c' || echo '$(srcdir)/'`encoding/payloads/transform_substructure.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/transform_substructure.Tpo $(DEPDIR)/transform_substructure.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='encoding/payloads/transform_substructure.c' object='transform_substructure.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT transform_substructure.lo -MD -MP -MF $(DEPDIR)/transform_substructure.Tpo -c -o transform_substructure.lo `test -f 'encoding/payloads/transform_substructure.c' || echo '$(srcdir)/'`encoding/payloads/transform_substructure.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/transform_substructure.Tpo $(DEPDIR)/transform_substructure.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='encoding/payloads/transform_substructure.c' object='transform_substructure.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o transform_substructure.lo `test -f 'encoding/payloads/transform_substructure.c' || echo '$(srcdir)/'`encoding/payloads/transform_substructure.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o transform_substructure.lo `test -f 'encoding/payloads/transform_substructure.c' || echo '$(srcdir)/'`encoding/payloads/transform_substructure.c
 
 ts_payload.lo: encoding/payloads/ts_payload.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ts_payload.lo -MD -MP -MF $(DEPDIR)/ts_payload.Tpo -c -o ts_payload.lo `test -f 'encoding/payloads/ts_payload.c' || echo '$(srcdir)/'`encoding/payloads/ts_payload.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/ts_payload.Tpo $(DEPDIR)/ts_payload.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='encoding/payloads/ts_payload.c' object='ts_payload.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ts_payload.lo -MD -MP -MF $(DEPDIR)/ts_payload.Tpo -c -o ts_payload.lo `test -f 'encoding/payloads/ts_payload.c' || echo '$(srcdir)/'`encoding/payloads/ts_payload.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/ts_payload.Tpo $(DEPDIR)/ts_payload.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='encoding/payloads/ts_payload.c' object='ts_payload.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ts_payload.lo `test -f 'encoding/payloads/ts_payload.c' || echo '$(srcdir)/'`encoding/payloads/ts_payload.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ts_payload.lo `test -f 'encoding/payloads/ts_payload.c' || echo '$(srcdir)/'`encoding/payloads/ts_payload.c
 
 unknown_payload.lo: encoding/payloads/unknown_payload.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT unknown_payload.lo -MD -MP -MF $(DEPDIR)/unknown_payload.Tpo -c -o unknown_payload.lo `test -f 'encoding/payloads/unknown_payload.c' || echo '$(srcdir)/'`encoding/payloads/unknown_payload.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/unknown_payload.Tpo $(DEPDIR)/unknown_payload.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='encoding/payloads/unknown_payload.c' object='unknown_payload.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT unknown_payload.lo -MD -MP -MF $(DEPDIR)/unknown_payload.Tpo -c -o unknown_payload.lo `test -f 'encoding/payloads/unknown_payload.c' || echo '$(srcdir)/'`encoding/payloads/unknown_payload.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/unknown_payload.Tpo $(DEPDIR)/unknown_payload.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='encoding/payloads/unknown_payload.c' object='unknown_payload.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o unknown_payload.lo `test -f 'encoding/payloads/unknown_payload.c' || echo '$(srcdir)/'`encoding/payloads/unknown_payload.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o unknown_payload.lo `test -f 'encoding/payloads/unknown_payload.c' || echo '$(srcdir)/'`encoding/payloads/unknown_payload.c
 
 vendor_id_payload.lo: encoding/payloads/vendor_id_payload.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT vendor_id_payload.lo -MD -MP -MF $(DEPDIR)/vendor_id_payload.Tpo -c -o vendor_id_payload.lo `test -f 'encoding/payloads/vendor_id_payload.c' || echo '$(srcdir)/'`encoding/payloads/vendor_id_payload.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/vendor_id_payload.Tpo $(DEPDIR)/vendor_id_payload.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='encoding/payloads/vendor_id_payload.c' object='vendor_id_payload.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT vendor_id_payload.lo -MD -MP -MF $(DEPDIR)/vendor_id_payload.Tpo -c -o vendor_id_payload.lo `test -f 'encoding/payloads/vendor_id_payload.c' || echo '$(srcdir)/'`encoding/payloads/vendor_id_payload.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/vendor_id_payload.Tpo $(DEPDIR)/vendor_id_payload.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='encoding/payloads/vendor_id_payload.c' object='vendor_id_payload.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o vendor_id_payload.lo `test -f 'encoding/payloads/vendor_id_payload.c' || echo '$(srcdir)/'`encoding/payloads/vendor_id_payload.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o vendor_id_payload.lo `test -f 'encoding/payloads/vendor_id_payload.c' || echo '$(srcdir)/'`encoding/payloads/vendor_id_payload.c
 
 hash_payload.lo: encoding/payloads/hash_payload.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT hash_payload.lo -MD -MP -MF $(DEPDIR)/hash_payload.Tpo -c -o hash_payload.lo `test -f 'encoding/payloads/hash_payload.c' || echo '$(srcdir)/'`encoding/payloads/hash_payload.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/hash_payload.Tpo $(DEPDIR)/hash_payload.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='encoding/payloads/hash_payload.c' object='hash_payload.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT hash_payload.lo -MD -MP -MF $(DEPDIR)/hash_payload.Tpo -c -o hash_payload.lo `test -f 'encoding/payloads/hash_payload.c' || echo '$(srcdir)/'`encoding/payloads/hash_payload.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/hash_payload.Tpo $(DEPDIR)/hash_payload.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='encoding/payloads/hash_payload.c' object='hash_payload.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o hash_payload.lo `test -f 'encoding/payloads/hash_payload.c' || echo '$(srcdir)/'`encoding/payloads/hash_payload.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o hash_payload.lo `test -f 'encoding/payloads/hash_payload.c' || echo '$(srcdir)/'`encoding/payloads/hash_payload.c
 
 fragment_payload.lo: encoding/payloads/fragment_payload.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT fragment_payload.lo -MD -MP -MF $(DEPDIR)/fragment_payload.Tpo -c -o fragment_payload.lo `test -f 'encoding/payloads/fragment_payload.c' || echo '$(srcdir)/'`encoding/payloads/fragment_payload.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/fragment_payload.Tpo $(DEPDIR)/fragment_payload.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='encoding/payloads/fragment_payload.c' object='fragment_payload.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT fragment_payload.lo -MD -MP -MF $(DEPDIR)/fragment_payload.Tpo -c -o fragment_payload.lo `test -f 'encoding/payloads/fragment_payload.c' || echo '$(srcdir)/'`encoding/payloads/fragment_payload.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/fragment_payload.Tpo $(DEPDIR)/fragment_payload.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='encoding/payloads/fragment_payload.c' object='fragment_payload.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o fragment_payload.lo `test -f 'encoding/payloads/fragment_payload.c' || echo '$(srcdir)/'`encoding/payloads/fragment_payload.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o fragment_payload.lo `test -f 'encoding/payloads/fragment_payload.c' || echo '$(srcdir)/'`encoding/payloads/fragment_payload.c
 
 kernel_handler.lo: kernel/kernel_handler.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT kernel_handler.lo -MD -MP -MF $(DEPDIR)/kernel_handler.Tpo -c -o kernel_handler.lo `test -f 'kernel/kernel_handler.c' || echo '$(srcdir)/'`kernel/kernel_handler.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/kernel_handler.Tpo $(DEPDIR)/kernel_handler.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='kernel/kernel_handler.c' object='kernel_handler.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT kernel_handler.lo -MD -MP -MF $(DEPDIR)/kernel_handler.Tpo -c -o kernel_handler.lo `test -f 'kernel/kernel_handler.c' || echo '$(srcdir)/'`kernel/kernel_handler.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/kernel_handler.Tpo $(DEPDIR)/kernel_handler.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='kernel/kernel_handler.c' object='kernel_handler.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o kernel_handler.lo `test -f 'kernel/kernel_handler.c' || echo '$(srcdir)/'`kernel/kernel_handler.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o kernel_handler.lo `test -f 'kernel/kernel_handler.c' || echo '$(srcdir)/'`kernel/kernel_handler.c
 
 receiver.lo: network/receiver.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT receiver.lo -MD -MP -MF $(DEPDIR)/receiver.Tpo -c -o receiver.lo `test -f 'network/receiver.c' || echo '$(srcdir)/'`network/receiver.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/receiver.Tpo $(DEPDIR)/receiver.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='network/receiver.c' object='receiver.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT receiver.lo -MD -MP -MF $(DEPDIR)/receiver.Tpo -c -o receiver.lo `test -f 'network/receiver.c' || echo '$(srcdir)/'`network/receiver.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/receiver.Tpo $(DEPDIR)/receiver.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='network/receiver.c' object='receiver.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o receiver.lo `test -f 'network/receiver.c' || echo '$(srcdir)/'`network/receiver.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o receiver.lo `test -f 'network/receiver.c' || echo '$(srcdir)/'`network/receiver.c
 
 sender.lo: network/sender.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT sender.lo -MD -MP -MF $(DEPDIR)/sender.Tpo -c -o sender.lo `test -f 'network/sender.c' || echo '$(srcdir)/'`network/sender.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/sender.Tpo $(DEPDIR)/sender.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='network/sender.c' object='sender.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT sender.lo -MD -MP -MF $(DEPDIR)/sender.Tpo -c -o sender.lo `test -f 'network/sender.c' || echo '$(srcdir)/'`network/sender.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/sender.Tpo $(DEPDIR)/sender.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='network/sender.c' object='sender.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sender.lo `test -f 'network/sender.c' || echo '$(srcdir)/'`network/sender.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sender.lo `test -f 'network/sender.c' || echo '$(srcdir)/'`network/sender.c
 
 socket.lo: network/socket.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT socket.lo -MD -MP -MF $(DEPDIR)/socket.Tpo -c -o socket.lo `test -f 'network/socket.c' || echo '$(srcdir)/'`network/socket.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/socket.Tpo $(DEPDIR)/socket.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='network/socket.c' object='socket.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT socket.lo -MD -MP -MF $(DEPDIR)/socket.Tpo -c -o socket.lo `test -f 'network/socket.c' || echo '$(srcdir)/'`network/socket.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/socket.Tpo $(DEPDIR)/socket.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='network/socket.c' object='socket.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o socket.lo `test -f 'network/socket.c' || echo '$(srcdir)/'`network/socket.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o socket.lo `test -f 'network/socket.c' || echo '$(srcdir)/'`network/socket.c
 
 socket_manager.lo: network/socket_manager.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT socket_manager.lo -MD -MP -MF $(DEPDIR)/socket_manager.Tpo -c -o socket_manager.lo `test -f 'network/socket_manager.c' || echo '$(srcdir)/'`network/socket_manager.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/socket_manager.Tpo $(DEPDIR)/socket_manager.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='network/socket_manager.c' object='socket_manager.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT socket_manager.lo -MD -MP -MF $(DEPDIR)/socket_manager.Tpo -c -o socket_manager.lo `test -f 'network/socket_manager.c' || echo '$(srcdir)/'`network/socket_manager.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/socket_manager.Tpo $(DEPDIR)/socket_manager.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='network/socket_manager.c' object='socket_manager.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o socket_manager.lo `test -f 'network/socket_manager.c' || echo '$(srcdir)/'`network/socket_manager.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o socket_manager.lo `test -f 'network/socket_manager.c' || echo '$(srcdir)/'`network/socket_manager.c
 
 acquire_job.lo: processing/jobs/acquire_job.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT acquire_job.lo -MD -MP -MF $(DEPDIR)/acquire_job.Tpo -c -o acquire_job.lo `test -f 'processing/jobs/acquire_job.c' || echo '$(srcdir)/'`processing/jobs/acquire_job.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/acquire_job.Tpo $(DEPDIR)/acquire_job.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='processing/jobs/acquire_job.c' object='acquire_job.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT acquire_job.lo -MD -MP -MF $(DEPDIR)/acquire_job.Tpo -c -o acquire_job.lo `test -f 'processing/jobs/acquire_job.c' || echo '$(srcdir)/'`processing/jobs/acquire_job.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/acquire_job.Tpo $(DEPDIR)/acquire_job.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='processing/jobs/acquire_job.c' object='acquire_job.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o acquire_job.lo `test -f 'processing/jobs/acquire_job.c' || echo '$(srcdir)/'`processing/jobs/acquire_job.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o acquire_job.lo `test -f 'processing/jobs/acquire_job.c' || echo '$(srcdir)/'`processing/jobs/acquire_job.c
 
 delete_child_sa_job.lo: processing/jobs/delete_child_sa_job.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT delete_child_sa_job.lo -MD -MP -MF $(DEPDIR)/delete_child_sa_job.Tpo -c -o delete_child_sa_job.lo `test -f 'processing/jobs/delete_child_sa_job.c' || echo '$(srcdir)/'`processing/jobs/delete_child_sa_job.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/delete_child_sa_job.Tpo $(DEPDIR)/delete_child_sa_job.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='processing/jobs/delete_child_sa_job.c' object='delete_child_sa_job.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT delete_child_sa_job.lo -MD -MP -MF $(DEPDIR)/delete_child_sa_job.Tpo -c -o delete_child_sa_job.lo `test -f 'processing/jobs/delete_child_sa_job.c' || echo '$(srcdir)/'`processing/jobs/delete_child_sa_job.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/delete_child_sa_job.Tpo $(DEPDIR)/delete_child_sa_job.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='processing/jobs/delete_child_sa_job.c' object='delete_child_sa_job.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o delete_child_sa_job.lo `test -f 'processing/jobs/delete_child_sa_job.c' || echo '$(srcdir)/'`processing/jobs/delete_child_sa_job.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o delete_child_sa_job.lo `test -f 'processing/jobs/delete_child_sa_job.c' || echo '$(srcdir)/'`processing/jobs/delete_child_sa_job.c
 
 delete_ike_sa_job.lo: processing/jobs/delete_ike_sa_job.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT delete_ike_sa_job.lo -MD -MP -MF $(DEPDIR)/delete_ike_sa_job.Tpo -c -o delete_ike_sa_job.lo `test -f 'processing/jobs/delete_ike_sa_job.c' || echo '$(srcdir)/'`processing/jobs/delete_ike_sa_job.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/delete_ike_sa_job.Tpo $(DEPDIR)/delete_ike_sa_job.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='processing/jobs/delete_ike_sa_job.c' object='delete_ike_sa_job.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT delete_ike_sa_job.lo -MD -MP -MF $(DEPDIR)/delete_ike_sa_job.Tpo -c -o delete_ike_sa_job.lo `test -f 'processing/jobs/delete_ike_sa_job.c' || echo '$(srcdir)/'`processing/jobs/delete_ike_sa_job.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/delete_ike_sa_job.Tpo $(DEPDIR)/delete_ike_sa_job.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='processing/jobs/delete_ike_sa_job.c' object='delete_ike_sa_job.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o delete_ike_sa_job.lo `test -f 'processing/jobs/delete_ike_sa_job.c' || echo '$(srcdir)/'`processing/jobs/delete_ike_sa_job.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o delete_ike_sa_job.lo `test -f 'processing/jobs/delete_ike_sa_job.c' || echo '$(srcdir)/'`processing/jobs/delete_ike_sa_job.c
 
 migrate_job.lo: processing/jobs/migrate_job.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT migrate_job.lo -MD -MP -MF $(DEPDIR)/migrate_job.Tpo -c -o migrate_job.lo `test -f 'processing/jobs/migrate_job.c' || echo '$(srcdir)/'`processing/jobs/migrate_job.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/migrate_job.Tpo $(DEPDIR)/migrate_job.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='processing/jobs/migrate_job.c' object='migrate_job.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT migrate_job.lo -MD -MP -MF $(DEPDIR)/migrate_job.Tpo -c -o migrate_job.lo `test -f 'processing/jobs/migrate_job.c' || echo '$(srcdir)/'`processing/jobs/migrate_job.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/migrate_job.Tpo $(DEPDIR)/migrate_job.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='processing/jobs/migrate_job.c' object='migrate_job.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o migrate_job.lo `test -f 'processing/jobs/migrate_job.c' || echo '$(srcdir)/'`processing/jobs/migrate_job.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o migrate_job.lo `test -f 'processing/jobs/migrate_job.c' || echo '$(srcdir)/'`processing/jobs/migrate_job.c
 
 process_message_job.lo: processing/jobs/process_message_job.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT process_message_job.lo -MD -MP -MF $(DEPDIR)/process_message_job.Tpo -c -o process_message_job.lo `test -f 'processing/jobs/process_message_job.c' || echo '$(srcdir)/'`processing/jobs/process_message_job.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/process_message_job.Tpo $(DEPDIR)/process_message_job.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='processing/jobs/process_message_job.c' object='process_message_job.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT process_message_job.lo -MD -MP -MF $(DEPDIR)/process_message_job.Tpo -c -o process_message_job.lo `test -f 'processing/jobs/process_message_job.c' || echo '$(srcdir)/'`processing/jobs/process_message_job.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/process_message_job.Tpo $(DEPDIR)/process_message_job.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='processing/jobs/process_message_job.c' object='process_message_job.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o process_message_job.lo `test -f 'processing/jobs/process_message_job.c' || echo '$(srcdir)/'`processing/jobs/process_message_job.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o process_message_job.lo `test -f 'processing/jobs/process_message_job.c' || echo '$(srcdir)/'`processing/jobs/process_message_job.c
 
 rekey_child_sa_job.lo: processing/jobs/rekey_child_sa_job.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT rekey_child_sa_job.lo -MD -MP -MF $(DEPDIR)/rekey_child_sa_job.Tpo -c -o rekey_child_sa_job.lo `test -f 'processing/jobs/rekey_child_sa_job.c' || echo '$(srcdir)/'`processing/jobs/rekey_child_sa_job.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/rekey_child_sa_job.Tpo $(DEPDIR)/rekey_child_sa_job.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='processing/jobs/rekey_child_sa_job.c' object='rekey_child_sa_job.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT rekey_child_sa_job.lo -MD -MP -MF $(DEPDIR)/rekey_child_sa_job.Tpo -c -o rekey_child_sa_job.lo `test -f 'processing/jobs/rekey_child_sa_job.c' || echo '$(srcdir)/'`processing/jobs/rekey_child_sa_job.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/rekey_child_sa_job.Tpo $(DEPDIR)/rekey_child_sa_job.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='processing/jobs/rekey_child_sa_job.c' object='rekey_child_sa_job.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o rekey_child_sa_job.lo `test -f 'processing/jobs/rekey_child_sa_job.c' || echo '$(srcdir)/'`processing/jobs/rekey_child_sa_job.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o rekey_child_sa_job.lo `test -f 'processing/jobs/rekey_child_sa_job.c' || echo '$(srcdir)/'`processing/jobs/rekey_child_sa_job.c
 
 rekey_ike_sa_job.lo: processing/jobs/rekey_ike_sa_job.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT rekey_ike_sa_job.lo -MD -MP -MF $(DEPDIR)/rekey_ike_sa_job.Tpo -c -o rekey_ike_sa_job.lo `test -f 'processing/jobs/rekey_ike_sa_job.c' || echo '$(srcdir)/'`processing/jobs/rekey_ike_sa_job.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/rekey_ike_sa_job.Tpo $(DEPDIR)/rekey_ike_sa_job.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='processing/jobs/rekey_ike_sa_job.c' object='rekey_ike_sa_job.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT rekey_ike_sa_job.lo -MD -MP -MF $(DEPDIR)/rekey_ike_sa_job.Tpo -c -o rekey_ike_sa_job.lo `test -f 'processing/jobs/rekey_ike_sa_job.c' || echo '$(srcdir)/'`processing/jobs/rekey_ike_sa_job.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/rekey_ike_sa_job.Tpo $(DEPDIR)/rekey_ike_sa_job.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='processing/jobs/rekey_ike_sa_job.c' object='rekey_ike_sa_job.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o rekey_ike_sa_job.lo `test -f 'processing/jobs/rekey_ike_sa_job.c' || echo '$(srcdir)/'`processing/jobs/rekey_ike_sa_job.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o rekey_ike_sa_job.lo `test -f 'processing/jobs/rekey_ike_sa_job.c' || echo '$(srcdir)/'`processing/jobs/rekey_ike_sa_job.c
 
 retransmit_job.lo: processing/jobs/retransmit_job.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT retransmit_job.lo -MD -MP -MF $(DEPDIR)/retransmit_job.Tpo -c -o retransmit_job.lo `test -f 'processing/jobs/retransmit_job.c' || echo '$(srcdir)/'`processing/jobs/retransmit_job.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/retransmit_job.Tpo $(DEPDIR)/retransmit_job.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='processing/jobs/retransmit_job.c' object='retransmit_job.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT retransmit_job.lo -MD -MP -MF $(DEPDIR)/retransmit_job.Tpo -c -o retransmit_job.lo `test -f 'processing/jobs/retransmit_job.c' || echo '$(srcdir)/'`processing/jobs/retransmit_job.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/retransmit_job.Tpo $(DEPDIR)/retransmit_job.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='processing/jobs/retransmit_job.c' object='retransmit_job.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o retransmit_job.lo `test -f 'processing/jobs/retransmit_job.c' || echo '$(srcdir)/'`processing/jobs/retransmit_job.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o retransmit_job.lo `test -f 'processing/jobs/retransmit_job.c' || echo '$(srcdir)/'`processing/jobs/retransmit_job.c
 
 retry_initiate_job.lo: processing/jobs/retry_initiate_job.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT retry_initiate_job.lo -MD -MP -MF $(DEPDIR)/retry_initiate_job.Tpo -c -o retry_initiate_job.lo `test -f 'processing/jobs/retry_initiate_job.c' || echo '$(srcdir)/'`processing/jobs/retry_initiate_job.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/retry_initiate_job.Tpo $(DEPDIR)/retry_initiate_job.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='processing/jobs/retry_initiate_job.c' object='retry_initiate_job.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT retry_initiate_job.lo -MD -MP -MF $(DEPDIR)/retry_initiate_job.Tpo -c -o retry_initiate_job.lo `test -f 'processing/jobs/retry_initiate_job.c' || echo '$(srcdir)/'`processing/jobs/retry_initiate_job.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/retry_initiate_job.Tpo $(DEPDIR)/retry_initiate_job.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='processing/jobs/retry_initiate_job.c' object='retry_initiate_job.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o retry_initiate_job.lo `test -f 'processing/jobs/retry_initiate_job.c' || echo '$(srcdir)/'`processing/jobs/retry_initiate_job.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o retry_initiate_job.lo `test -f 'processing/jobs/retry_initiate_job.c' || echo '$(srcdir)/'`processing/jobs/retry_initiate_job.c
 
 send_dpd_job.lo: processing/jobs/send_dpd_job.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT send_dpd_job.lo -MD -MP -MF $(DEPDIR)/send_dpd_job.Tpo -c -o send_dpd_job.lo `test -f 'processing/jobs/send_dpd_job.c' || echo '$(srcdir)/'`processing/jobs/send_dpd_job.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/send_dpd_job.Tpo $(DEPDIR)/send_dpd_job.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='processing/jobs/send_dpd_job.c' object='send_dpd_job.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT send_dpd_job.lo -MD -MP -MF $(DEPDIR)/send_dpd_job.Tpo -c -o send_dpd_job.lo `test -f 'processing/jobs/send_dpd_job.c' || echo '$(srcdir)/'`processing/jobs/send_dpd_job.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/send_dpd_job.Tpo $(DEPDIR)/send_dpd_job.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='processing/jobs/send_dpd_job.c' object='send_dpd_job.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o send_dpd_job.lo `test -f 'processing/jobs/send_dpd_job.c' || echo '$(srcdir)/'`processing/jobs/send_dpd_job.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o send_dpd_job.lo `test -f 'processing/jobs/send_dpd_job.c' || echo '$(srcdir)/'`processing/jobs/send_dpd_job.c
 
 send_keepalive_job.lo: processing/jobs/send_keepalive_job.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT send_keepalive_job.lo -MD -MP -MF $(DEPDIR)/send_keepalive_job.Tpo -c -o send_keepalive_job.lo `test -f 'processing/jobs/send_keepalive_job.c' || echo '$(srcdir)/'`processing/jobs/send_keepalive_job.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/send_keepalive_job.Tpo $(DEPDIR)/send_keepalive_job.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='processing/jobs/send_keepalive_job.c' object='send_keepalive_job.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT send_keepalive_job.lo -MD -MP -MF $(DEPDIR)/send_keepalive_job.Tpo -c -o send_keepalive_job.lo `test -f 'processing/jobs/send_keepalive_job.c' || echo '$(srcdir)/'`processing/jobs/send_keepalive_job.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/send_keepalive_job.Tpo $(DEPDIR)/send_keepalive_job.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='processing/jobs/send_keepalive_job.c' object='send_keepalive_job.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o send_keepalive_job.lo `test -f 'processing/jobs/send_keepalive_job.c' || echo '$(srcdir)/'`processing/jobs/send_keepalive_job.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o send_keepalive_job.lo `test -f 'processing/jobs/send_keepalive_job.c' || echo '$(srcdir)/'`processing/jobs/send_keepalive_job.c
 
 start_action_job.lo: processing/jobs/start_action_job.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT start_action_job.lo -MD -MP -MF $(DEPDIR)/start_action_job.Tpo -c -o start_action_job.lo `test -f 'processing/jobs/start_action_job.c' || echo '$(srcdir)/'`processing/jobs/start_action_job.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/start_action_job.Tpo $(DEPDIR)/start_action_job.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='processing/jobs/start_action_job.c' object='start_action_job.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT start_action_job.lo -MD -MP -MF $(DEPDIR)/start_action_job.Tpo -c -o start_action_job.lo `test -f 'processing/jobs/start_action_job.c' || echo '$(srcdir)/'`processing/jobs/start_action_job.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/start_action_job.Tpo $(DEPDIR)/start_action_job.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='processing/jobs/start_action_job.c' object='start_action_job.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o start_action_job.lo `test -f 'processing/jobs/start_action_job.c' || echo '$(srcdir)/'`processing/jobs/start_action_job.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o start_action_job.lo `test -f 'processing/jobs/start_action_job.c' || echo '$(srcdir)/'`processing/jobs/start_action_job.c
 
 roam_job.lo: processing/jobs/roam_job.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT roam_job.lo -MD -MP -MF $(DEPDIR)/roam_job.Tpo -c -o roam_job.lo `test -f 'processing/jobs/roam_job.c' || echo '$(srcdir)/'`processing/jobs/roam_job.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/roam_job.Tpo $(DEPDIR)/roam_job.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='processing/jobs/roam_job.c' object='roam_job.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT roam_job.lo -MD -MP -MF $(DEPDIR)/roam_job.Tpo -c -o roam_job.lo `test -f 'processing/jobs/roam_job.c' || echo '$(srcdir)/'`processing/jobs/roam_job.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/roam_job.Tpo $(DEPDIR)/roam_job.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='processing/jobs/roam_job.c' object='roam_job.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o roam_job.lo `test -f 'processing/jobs/roam_job.c' || echo '$(srcdir)/'`processing/jobs/roam_job.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o roam_job.lo `test -f 'processing/jobs/roam_job.c' || echo '$(srcdir)/'`processing/jobs/roam_job.c
 
 update_sa_job.lo: processing/jobs/update_sa_job.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT update_sa_job.lo -MD -MP -MF $(DEPDIR)/update_sa_job.Tpo -c -o update_sa_job.lo `test -f 'processing/jobs/update_sa_job.c' || echo '$(srcdir)/'`processing/jobs/update_sa_job.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/update_sa_job.Tpo $(DEPDIR)/update_sa_job.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='processing/jobs/update_sa_job.c' object='update_sa_job.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT update_sa_job.lo -MD -MP -MF $(DEPDIR)/update_sa_job.Tpo -c -o update_sa_job.lo `test -f 'processing/jobs/update_sa_job.c' || echo '$(srcdir)/'`processing/jobs/update_sa_job.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/update_sa_job.Tpo $(DEPDIR)/update_sa_job.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='processing/jobs/update_sa_job.c' object='update_sa_job.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o update_sa_job.lo `test -f 'processing/jobs/update_sa_job.c' || echo '$(srcdir)/'`processing/jobs/update_sa_job.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o update_sa_job.lo `test -f 'processing/jobs/update_sa_job.c' || echo '$(srcdir)/'`processing/jobs/update_sa_job.c
 
 inactivity_job.lo: processing/jobs/inactivity_job.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT inactivity_job.lo -MD -MP -MF $(DEPDIR)/inactivity_job.Tpo -c -o inactivity_job.lo `test -f 'processing/jobs/inactivity_job.c' || echo '$(srcdir)/'`processing/jobs/inactivity_job.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/inactivity_job.Tpo $(DEPDIR)/inactivity_job.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='processing/jobs/inactivity_job.c' object='inactivity_job.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT inactivity_job.lo -MD -MP -MF $(DEPDIR)/inactivity_job.Tpo -c -o inactivity_job.lo `test -f 'processing/jobs/inactivity_job.c' || echo '$(srcdir)/'`processing/jobs/inactivity_job.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/inactivity_job.Tpo $(DEPDIR)/inactivity_job.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='processing/jobs/inactivity_job.c' object='inactivity_job.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o inactivity_job.lo `test -f 'processing/jobs/inactivity_job.c' || echo '$(srcdir)/'`processing/jobs/inactivity_job.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o inactivity_job.lo `test -f 'processing/jobs/inactivity_job.c' || echo '$(srcdir)/'`processing/jobs/inactivity_job.c
 
 eap_method.lo: sa/eap/eap_method.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT eap_method.lo -MD -MP -MF $(DEPDIR)/eap_method.Tpo -c -o eap_method.lo `test -f 'sa/eap/eap_method.c' || echo '$(srcdir)/'`sa/eap/eap_method.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/eap_method.Tpo $(DEPDIR)/eap_method.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/eap/eap_method.c' object='eap_method.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT eap_method.lo -MD -MP -MF $(DEPDIR)/eap_method.Tpo -c -o eap_method.lo `test -f 'sa/eap/eap_method.c' || echo '$(srcdir)/'`sa/eap/eap_method.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/eap_method.Tpo $(DEPDIR)/eap_method.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='sa/eap/eap_method.c' object='eap_method.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o eap_method.lo `test -f 'sa/eap/eap_method.c' || echo '$(srcdir)/'`sa/eap/eap_method.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o eap_method.lo `test -f 'sa/eap/eap_method.c' || echo '$(srcdir)/'`sa/eap/eap_method.c
 
 eap_manager.lo: sa/eap/eap_manager.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT eap_manager.lo -MD -MP -MF $(DEPDIR)/eap_manager.Tpo -c -o eap_manager.lo `test -f 'sa/eap/eap_manager.c' || echo '$(srcdir)/'`sa/eap/eap_manager.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/eap_manager.Tpo $(DEPDIR)/eap_manager.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/eap/eap_manager.c' object='eap_manager.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT eap_manager.lo -MD -MP -MF $(DEPDIR)/eap_manager.Tpo -c -o eap_manager.lo `test -f 'sa/eap/eap_manager.c' || echo '$(srcdir)/'`sa/eap/eap_manager.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/eap_manager.Tpo $(DEPDIR)/eap_manager.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='sa/eap/eap_manager.c' object='eap_manager.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o eap_manager.lo `test -f 'sa/eap/eap_manager.c' || echo '$(srcdir)/'`sa/eap/eap_manager.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o eap_manager.lo `test -f 'sa/eap/eap_manager.c' || echo '$(srcdir)/'`sa/eap/eap_manager.c
 
 xauth_method.lo: sa/xauth/xauth_method.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT xauth_method.lo -MD -MP -MF $(DEPDIR)/xauth_method.Tpo -c -o xauth_method.lo `test -f 'sa/xauth/xauth_method.c' || echo '$(srcdir)/'`sa/xauth/xauth_method.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/xauth_method.Tpo $(DEPDIR)/xauth_method.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/xauth/xauth_method.c' object='xauth_method.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT xauth_method.lo -MD -MP -MF $(DEPDIR)/xauth_method.Tpo -c -o xauth_method.lo `test -f 'sa/xauth/xauth_method.c' || echo '$(srcdir)/'`sa/xauth/xauth_method.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/xauth_method.Tpo $(DEPDIR)/xauth_method.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='sa/xauth/xauth_method.c' object='xauth_method.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o xauth_method.lo `test -f 'sa/xauth/xauth_method.c' || echo '$(srcdir)/'`sa/xauth/xauth_method.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o xauth_method.lo `test -f 'sa/xauth/xauth_method.c' || echo '$(srcdir)/'`sa/xauth/xauth_method.c
 
 xauth_manager.lo: sa/xauth/xauth_manager.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT xauth_manager.lo -MD -MP -MF $(DEPDIR)/xauth_manager.Tpo -c -o xauth_manager.lo `test -f 'sa/xauth/xauth_manager.c' || echo '$(srcdir)/'`sa/xauth/xauth_manager.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/xauth_manager.Tpo $(DEPDIR)/xauth_manager.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/xauth/xauth_manager.c' object='xauth_manager.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT xauth_manager.lo -MD -MP -MF $(DEPDIR)/xauth_manager.Tpo -c -o xauth_manager.lo `test -f 'sa/xauth/xauth_manager.c' || echo '$(srcdir)/'`sa/xauth/xauth_manager.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/xauth_manager.Tpo $(DEPDIR)/xauth_manager.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='sa/xauth/xauth_manager.c' object='xauth_manager.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o xauth_manager.lo `test -f 'sa/xauth/xauth_manager.c' || echo '$(srcdir)/'`sa/xauth/xauth_manager.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o xauth_manager.lo `test -f 'sa/xauth/xauth_manager.c' || echo '$(srcdir)/'`sa/xauth/xauth_manager.c
 
 authenticator.lo: sa/authenticator.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT authenticator.lo -MD -MP -MF $(DEPDIR)/authenticator.Tpo -c -o authenticator.lo `test -f 'sa/authenticator.c' || echo '$(srcdir)/'`sa/authenticator.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/authenticator.Tpo $(DEPDIR)/authenticator.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/authenticator.c' object='authenticator.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT authenticator.lo -MD -MP -MF $(DEPDIR)/authenticator.Tpo -c -o authenticator.lo `test -f 'sa/authenticator.c' || echo '$(srcdir)/'`sa/authenticator.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/authenticator.Tpo $(DEPDIR)/authenticator.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='sa/authenticator.c' object='authenticator.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o authenticator.lo `test -f 'sa/authenticator.c' || echo '$(srcdir)/'`sa/authenticator.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o authenticator.lo `test -f 'sa/authenticator.c' || echo '$(srcdir)/'`sa/authenticator.c
 
 child_sa.lo: sa/child_sa.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT child_sa.lo -MD -MP -MF $(DEPDIR)/child_sa.Tpo -c -o child_sa.lo `test -f 'sa/child_sa.c' || echo '$(srcdir)/'`sa/child_sa.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/child_sa.Tpo $(DEPDIR)/child_sa.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/child_sa.c' object='child_sa.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT child_sa.lo -MD -MP -MF $(DEPDIR)/child_sa.Tpo -c -o child_sa.lo `test -f 'sa/child_sa.c' || echo '$(srcdir)/'`sa/child_sa.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/child_sa.Tpo $(DEPDIR)/child_sa.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='sa/child_sa.c' object='child_sa.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o child_sa.lo `test -f 'sa/child_sa.c' || echo '$(srcdir)/'`sa/child_sa.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o child_sa.lo `test -f 'sa/child_sa.c' || echo '$(srcdir)/'`sa/child_sa.c
 
 ike_sa.lo: sa/ike_sa.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_sa.lo -MD -MP -MF $(DEPDIR)/ike_sa.Tpo -c -o ike_sa.lo `test -f 'sa/ike_sa.c' || echo '$(srcdir)/'`sa/ike_sa.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/ike_sa.Tpo $(DEPDIR)/ike_sa.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/ike_sa.c' object='ike_sa.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_sa.lo -MD -MP -MF $(DEPDIR)/ike_sa.Tpo -c -o ike_sa.lo `test -f 'sa/ike_sa.c' || echo '$(srcdir)/'`sa/ike_sa.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/ike_sa.Tpo $(DEPDIR)/ike_sa.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='sa/ike_sa.c' object='ike_sa.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_sa.lo `test -f 'sa/ike_sa.c' || echo '$(srcdir)/'`sa/ike_sa.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_sa.lo `test -f 'sa/ike_sa.c' || echo '$(srcdir)/'`sa/ike_sa.c
 
 ike_sa_id.lo: sa/ike_sa_id.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_sa_id.lo -MD -MP -MF $(DEPDIR)/ike_sa_id.Tpo -c -o ike_sa_id.lo `test -f 'sa/ike_sa_id.c' || echo '$(srcdir)/'`sa/ike_sa_id.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/ike_sa_id.Tpo $(DEPDIR)/ike_sa_id.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/ike_sa_id.c' object='ike_sa_id.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_sa_id.lo -MD -MP -MF $(DEPDIR)/ike_sa_id.Tpo -c -o ike_sa_id.lo `test -f 'sa/ike_sa_id.c' || echo '$(srcdir)/'`sa/ike_sa_id.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/ike_sa_id.Tpo $(DEPDIR)/ike_sa_id.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='sa/ike_sa_id.c' object='ike_sa_id.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_sa_id.lo `test -f 'sa/ike_sa_id.c' || echo '$(srcdir)/'`sa/ike_sa_id.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_sa_id.lo `test -f 'sa/ike_sa_id.c' || echo '$(srcdir)/'`sa/ike_sa_id.c
 
 keymat.lo: sa/keymat.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT keymat.lo -MD -MP -MF $(DEPDIR)/keymat.Tpo -c -o keymat.lo `test -f 'sa/keymat.c' || echo '$(srcdir)/'`sa/keymat.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/keymat.Tpo $(DEPDIR)/keymat.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/keymat.c' object='keymat.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT keymat.lo -MD -MP -MF $(DEPDIR)/keymat.Tpo -c -o keymat.lo `test -f 'sa/keymat.c' || echo '$(srcdir)/'`sa/keymat.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/keymat.Tpo $(DEPDIR)/keymat.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='sa/keymat.c' object='keymat.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o keymat.lo `test -f 'sa/keymat.c' || echo '$(srcdir)/'`sa/keymat.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o keymat.lo `test -f 'sa/keymat.c' || echo '$(srcdir)/'`sa/keymat.c
 
 ike_sa_manager.lo: sa/ike_sa_manager.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_sa_manager.lo -MD -MP -MF $(DEPDIR)/ike_sa_manager.Tpo -c -o ike_sa_manager.lo `test -f 'sa/ike_sa_manager.c' || echo '$(srcdir)/'`sa/ike_sa_manager.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/ike_sa_manager.Tpo $(DEPDIR)/ike_sa_manager.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/ike_sa_manager.c' object='ike_sa_manager.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_sa_manager.lo -MD -MP -MF $(DEPDIR)/ike_sa_manager.Tpo -c -o ike_sa_manager.lo `test -f 'sa/ike_sa_manager.c' || echo '$(srcdir)/'`sa/ike_sa_manager.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/ike_sa_manager.Tpo $(DEPDIR)/ike_sa_manager.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='sa/ike_sa_manager.c' object='ike_sa_manager.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_sa_manager.lo `test -f 'sa/ike_sa_manager.c' || echo '$(srcdir)/'`sa/ike_sa_manager.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_sa_manager.lo `test -f 'sa/ike_sa_manager.c' || echo '$(srcdir)/'`sa/ike_sa_manager.c
 
 task_manager.lo: sa/task_manager.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT task_manager.lo -MD -MP -MF $(DEPDIR)/task_manager.Tpo -c -o task_manager.lo `test -f 'sa/task_manager.c' || echo '$(srcdir)/'`sa/task_manager.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/task_manager.Tpo $(DEPDIR)/task_manager.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/task_manager.c' object='task_manager.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT task_manager.lo -MD -MP -MF $(DEPDIR)/task_manager.Tpo -c -o task_manager.lo `test -f 'sa/task_manager.c' || echo '$(srcdir)/'`sa/task_manager.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/task_manager.Tpo $(DEPDIR)/task_manager.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='sa/task_manager.c' object='task_manager.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o task_manager.lo `test -f 'sa/task_manager.c' || echo '$(srcdir)/'`sa/task_manager.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o task_manager.lo `test -f 'sa/task_manager.c' || echo '$(srcdir)/'`sa/task_manager.c
 
 shunt_manager.lo: sa/shunt_manager.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT shunt_manager.lo -MD -MP -MF $(DEPDIR)/shunt_manager.Tpo -c -o shunt_manager.lo `test -f 'sa/shunt_manager.c' || echo '$(srcdir)/'`sa/shunt_manager.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/shunt_manager.Tpo $(DEPDIR)/shunt_manager.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/shunt_manager.c' object='shunt_manager.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT shunt_manager.lo -MD -MP -MF $(DEPDIR)/shunt_manager.Tpo -c -o shunt_manager.lo `test -f 'sa/shunt_manager.c' || echo '$(srcdir)/'`sa/shunt_manager.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/shunt_manager.Tpo $(DEPDIR)/shunt_manager.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='sa/shunt_manager.c' object='shunt_manager.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o shunt_manager.lo `test -f 'sa/shunt_manager.c' || echo '$(srcdir)/'`sa/shunt_manager.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o shunt_manager.lo `test -f 'sa/shunt_manager.c' || echo '$(srcdir)/'`sa/shunt_manager.c
 
 trap_manager.lo: sa/trap_manager.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT trap_manager.lo -MD -MP -MF $(DEPDIR)/trap_manager.Tpo -c -o trap_manager.lo `test -f 'sa/trap_manager.c' || echo '$(srcdir)/'`sa/trap_manager.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/trap_manager.Tpo $(DEPDIR)/trap_manager.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/trap_manager.c' object='trap_manager.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT trap_manager.lo -MD -MP -MF $(DEPDIR)/trap_manager.Tpo -c -o trap_manager.lo `test -f 'sa/trap_manager.c' || echo '$(srcdir)/'`sa/trap_manager.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/trap_manager.Tpo $(DEPDIR)/trap_manager.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='sa/trap_manager.c' object='trap_manager.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o trap_manager.lo `test -f 'sa/trap_manager.c' || echo '$(srcdir)/'`sa/trap_manager.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o trap_manager.lo `test -f 'sa/trap_manager.c' || echo '$(srcdir)/'`sa/trap_manager.c
 
 task.lo: sa/task.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT task.lo -MD -MP -MF $(DEPDIR)/task.Tpo -c -o task.lo `test -f 'sa/task.c' || echo '$(srcdir)/'`sa/task.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/task.Tpo $(DEPDIR)/task.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/task.c' object='task.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT task.lo -MD -MP -MF $(DEPDIR)/task.Tpo -c -o task.lo `test -f 'sa/task.c' || echo '$(srcdir)/'`sa/task.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/task.Tpo $(DEPDIR)/task.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='sa/task.c' object='task.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o task.lo `test -f 'sa/task.c' || echo '$(srcdir)/'`sa/task.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o task.lo `test -f 'sa/task.c' || echo '$(srcdir)/'`sa/task.c
 
 keymat_v2.lo: sa/ikev2/keymat_v2.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT keymat_v2.lo -MD -MP -MF $(DEPDIR)/keymat_v2.Tpo -c -o keymat_v2.lo `test -f 'sa/ikev2/keymat_v2.c' || echo '$(srcdir)/'`sa/ikev2/keymat_v2.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/keymat_v2.Tpo $(DEPDIR)/keymat_v2.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/ikev2/keymat_v2.c' object='keymat_v2.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT keymat_v2.lo -MD -MP -MF $(DEPDIR)/keymat_v2.Tpo -c -o keymat_v2.lo `test -f 'sa/ikev2/keymat_v2.c' || echo '$(srcdir)/'`sa/ikev2/keymat_v2.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/keymat_v2.Tpo $(DEPDIR)/keymat_v2.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='sa/ikev2/keymat_v2.c' object='keymat_v2.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o keymat_v2.lo `test -f 'sa/ikev2/keymat_v2.c' || echo '$(srcdir)/'`sa/ikev2/keymat_v2.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o keymat_v2.lo `test -f 'sa/ikev2/keymat_v2.c' || echo '$(srcdir)/'`sa/ikev2/keymat_v2.c
 
 task_manager_v2.lo: sa/ikev2/task_manager_v2.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT task_manager_v2.lo -MD -MP -MF $(DEPDIR)/task_manager_v2.Tpo -c -o task_manager_v2.lo `test -f 'sa/ikev2/task_manager_v2.c' || echo '$(srcdir)/'`sa/ikev2/task_manager_v2.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/task_manager_v2.Tpo $(DEPDIR)/task_manager_v2.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/ikev2/task_manager_v2.c' object='task_manager_v2.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT task_manager_v2.lo -MD -MP -MF $(DEPDIR)/task_manager_v2.Tpo -c -o task_manager_v2.lo `test -f 'sa/ikev2/task_manager_v2.c' || echo '$(srcdir)/'`sa/ikev2/task_manager_v2.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/task_manager_v2.Tpo $(DEPDIR)/task_manager_v2.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='sa/ikev2/task_manager_v2.c' object='task_manager_v2.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o task_manager_v2.lo `test -f 'sa/ikev2/task_manager_v2.c' || echo '$(srcdir)/'`sa/ikev2/task_manager_v2.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o task_manager_v2.lo `test -f 'sa/ikev2/task_manager_v2.c' || echo '$(srcdir)/'`sa/ikev2/task_manager_v2.c
 
 eap_authenticator.lo: sa/ikev2/authenticators/eap_authenticator.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT eap_authenticator.lo -MD -MP -MF $(DEPDIR)/eap_authenticator.Tpo -c -o eap_authenticator.lo `test -f 'sa/ikev2/authenticators/eap_authenticator.c' || echo '$(srcdir)/'`sa/ikev2/authenticators/eap_authenticator.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/eap_authenticator.Tpo $(DEPDIR)/eap_authenticator.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/ikev2/authenticators/eap_authenticator.c' object='eap_authenticator.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT eap_authenticator.lo -MD -MP -MF $(DEPDIR)/eap_authenticator.Tpo -c -o eap_authenticator.lo `test -f 'sa/ikev2/authenticators/eap_authenticator.c' || echo '$(srcdir)/'`sa/ikev2/authenticators/eap_authenticator.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/eap_authenticator.Tpo $(DEPDIR)/eap_authenticator.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='sa/ikev2/authenticators/eap_authenticator.c' object='eap_authenticator.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o eap_authenticator.lo `test -f 'sa/ikev2/authenticators/eap_authenticator.c' || echo '$(srcdir)/'`sa/ikev2/authenticators/eap_authenticator.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o eap_authenticator.lo `test -f 'sa/ikev2/authenticators/eap_authenticator.c' || echo '$(srcdir)/'`sa/ikev2/authenticators/eap_authenticator.c
 
 psk_authenticator.lo: sa/ikev2/authenticators/psk_authenticator.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT psk_authenticator.lo -MD -MP -MF $(DEPDIR)/psk_authenticator.Tpo -c -o psk_authenticator.lo `test -f 'sa/ikev2/authenticators/psk_authenticator.c' || echo '$(srcdir)/'`sa/ikev2/authenticators/psk_authenticator.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/psk_authenticator.Tpo $(DEPDIR)/psk_authenticator.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/ikev2/authenticators/psk_authenticator.c' object='psk_authenticator.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT psk_authenticator.lo -MD -MP -MF $(DEPDIR)/psk_authenticator.Tpo -c -o psk_authenticator.lo `test -f 'sa/ikev2/authenticators/psk_authenticator.c' || echo '$(srcdir)/'`sa/ikev2/authenticators/psk_authenticator.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/psk_authenticator.Tpo $(DEPDIR)/psk_authenticator.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='sa/ikev2/authenticators/psk_authenticator.c' object='psk_authenticator.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o psk_authenticator.lo `test -f 'sa/ikev2/authenticators/psk_authenticator.c' || echo '$(srcdir)/'`sa/ikev2/authenticators/psk_authenticator.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o psk_authenticator.lo `test -f 'sa/ikev2/authenticators/psk_authenticator.c' || echo '$(srcdir)/'`sa/ikev2/authenticators/psk_authenticator.c
 
 pubkey_authenticator.lo: sa/ikev2/authenticators/pubkey_authenticator.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT pubkey_authenticator.lo -MD -MP -MF $(DEPDIR)/pubkey_authenticator.Tpo -c -o pubkey_authenticator.lo `test -f 'sa/ikev2/authenticators/pubkey_authenticator.c' || echo '$(srcdir)/'`sa/ikev2/authenticators/pubkey_authenticator.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/pubkey_authenticator.Tpo $(DEPDIR)/pubkey_authenticator.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/ikev2/authenticators/pubkey_authenticator.c' object='pubkey_authenticator.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT pubkey_authenticator.lo -MD -MP -MF $(DEPDIR)/pubkey_authenticator.Tpo -c -o pubkey_authenticator.lo `test -f 'sa/ikev2/authenticators/pubkey_authenticator.c' || echo '$(srcdir)/'`sa/ikev2/authenticators/pubkey_authenticator.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/pubkey_authenticator.Tpo $(DEPDIR)/pubkey_authenticator.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='sa/ikev2/authenticators/pubkey_authenticator.c' object='pubkey_authenticator.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o pubkey_authenticator.lo `test -f 'sa/ikev2/authenticators/pubkey_authenticator.c' || echo '$(srcdir)/'`sa/ikev2/authenticators/pubkey_authenticator.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o pubkey_authenticator.lo `test -f 'sa/ikev2/authenticators/pubkey_authenticator.c' || echo '$(srcdir)/'`sa/ikev2/authenticators/pubkey_authenticator.c
 
 child_create.lo: sa/ikev2/tasks/child_create.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT child_create.lo -MD -MP -MF $(DEPDIR)/child_create.Tpo -c -o child_create.lo `test -f 'sa/ikev2/tasks/child_create.c' || echo '$(srcdir)/'`sa/ikev2/tasks/child_create.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/child_create.Tpo $(DEPDIR)/child_create.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/ikev2/tasks/child_create.c' object='child_create.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT child_create.lo -MD -MP -MF $(DEPDIR)/child_create.Tpo -c -o child_create.lo `test -f 'sa/ikev2/tasks/child_create.c' || echo '$(srcdir)/'`sa/ikev2/tasks/child_create.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/child_create.Tpo $(DEPDIR)/child_create.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='sa/ikev2/tasks/child_create.c' object='child_create.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o child_create.lo `test -f 'sa/ikev2/tasks/child_create.c' || echo '$(srcdir)/'`sa/ikev2/tasks/child_create.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o child_create.lo `test -f 'sa/ikev2/tasks/child_create.c' || echo '$(srcdir)/'`sa/ikev2/tasks/child_create.c
 
 child_delete.lo: sa/ikev2/tasks/child_delete.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT child_delete.lo -MD -MP -MF $(DEPDIR)/child_delete.Tpo -c -o child_delete.lo `test -f 'sa/ikev2/tasks/child_delete.c' || echo '$(srcdir)/'`sa/ikev2/tasks/child_delete.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/child_delete.Tpo $(DEPDIR)/child_delete.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/ikev2/tasks/child_delete.c' object='child_delete.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT child_delete.lo -MD -MP -MF $(DEPDIR)/child_delete.Tpo -c -o child_delete.lo `test -f 'sa/ikev2/tasks/child_delete.c' || echo '$(srcdir)/'`sa/ikev2/tasks/child_delete.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/child_delete.Tpo $(DEPDIR)/child_delete.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='sa/ikev2/tasks/child_delete.c' object='child_delete.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o child_delete.lo `test -f 'sa/ikev2/tasks/child_delete.c' || echo '$(srcdir)/'`sa/ikev2/tasks/child_delete.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o child_delete.lo `test -f 'sa/ikev2/tasks/child_delete.c' || echo '$(srcdir)/'`sa/ikev2/tasks/child_delete.c
 
 child_rekey.lo: sa/ikev2/tasks/child_rekey.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT child_rekey.lo -MD -MP -MF $(DEPDIR)/child_rekey.Tpo -c -o child_rekey.lo `test -f 'sa/ikev2/tasks/child_rekey.c' || echo '$(srcdir)/'`sa/ikev2/tasks/child_rekey.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/child_rekey.Tpo $(DEPDIR)/child_rekey.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/ikev2/tasks/child_rekey.c' object='child_rekey.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT child_rekey.lo -MD -MP -MF $(DEPDIR)/child_rekey.Tpo -c -o child_rekey.lo `test -f 'sa/ikev2/tasks/child_rekey.c' || echo '$(srcdir)/'`sa/ikev2/tasks/child_rekey.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/child_rekey.Tpo $(DEPDIR)/child_rekey.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='sa/ikev2/tasks/child_rekey.c' object='child_rekey.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o child_rekey.lo `test -f 'sa/ikev2/tasks/child_rekey.c' || echo '$(srcdir)/'`sa/ikev2/tasks/child_rekey.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o child_rekey.lo `test -f 'sa/ikev2/tasks/child_rekey.c' || echo '$(srcdir)/'`sa/ikev2/tasks/child_rekey.c
 
 ike_auth.lo: sa/ikev2/tasks/ike_auth.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_auth.lo -MD -MP -MF $(DEPDIR)/ike_auth.Tpo -c -o ike_auth.lo `test -f 'sa/ikev2/tasks/ike_auth.c' || echo '$(srcdir)/'`sa/ikev2/tasks/ike_auth.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/ike_auth.Tpo $(DEPDIR)/ike_auth.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/ikev2/tasks/ike_auth.c' object='ike_auth.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_auth.lo -MD -MP -MF $(DEPDIR)/ike_auth.Tpo -c -o ike_auth.lo `test -f 'sa/ikev2/tasks/ike_auth.c' || echo '$(srcdir)/'`sa/ikev2/tasks/ike_auth.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/ike_auth.Tpo $(DEPDIR)/ike_auth.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='sa/ikev2/tasks/ike_auth.c' object='ike_auth.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_auth.lo `test -f 'sa/ikev2/tasks/ike_auth.c' || echo '$(srcdir)/'`sa/ikev2/tasks/ike_auth.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_auth.lo `test -f 'sa/ikev2/tasks/ike_auth.c' || echo '$(srcdir)/'`sa/ikev2/tasks/ike_auth.c
 
 ike_cert_pre.lo: sa/ikev2/tasks/ike_cert_pre.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_cert_pre.lo -MD -MP -MF $(DEPDIR)/ike_cert_pre.Tpo -c -o ike_cert_pre.lo `test -f 'sa/ikev2/tasks/ike_cert_pre.c' || echo '$(srcdir)/'`sa/ikev2/tasks/ike_cert_pre.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/ike_cert_pre.Tpo $(DEPDIR)/ike_cert_pre.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/ikev2/tasks/ike_cert_pre.c' object='ike_cert_pre.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_cert_pre.lo -MD -MP -MF $(DEPDIR)/ike_cert_pre.Tpo -c -o ike_cert_pre.lo `test -f 'sa/ikev2/tasks/ike_cert_pre.c' || echo '$(srcdir)/'`sa/ikev2/tasks/ike_cert_pre.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/ike_cert_pre.Tpo $(DEPDIR)/ike_cert_pre.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='sa/ikev2/tasks/ike_cert_pre.c' object='ike_cert_pre.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_cert_pre.lo `test -f 'sa/ikev2/tasks/ike_cert_pre.c' || echo '$(srcdir)/'`sa/ikev2/tasks/ike_cert_pre.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_cert_pre.lo `test -f 'sa/ikev2/tasks/ike_cert_pre.c' || echo '$(srcdir)/'`sa/ikev2/tasks/ike_cert_pre.c
 
 ike_cert_post.lo: sa/ikev2/tasks/ike_cert_post.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_cert_post.lo -MD -MP -MF $(DEPDIR)/ike_cert_post.Tpo -c -o ike_cert_post.lo `test -f 'sa/ikev2/tasks/ike_cert_post.c' || echo '$(srcdir)/'`sa/ikev2/tasks/ike_cert_post.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/ike_cert_post.Tpo $(DEPDIR)/ike_cert_post.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/ikev2/tasks/ike_cert_post.c' object='ike_cert_post.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_cert_post.lo -MD -MP -MF $(DEPDIR)/ike_cert_post.Tpo -c -o ike_cert_post.lo `test -f 'sa/ikev2/tasks/ike_cert_post.c' || echo '$(srcdir)/'`sa/ikev2/tasks/ike_cert_post.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/ike_cert_post.Tpo $(DEPDIR)/ike_cert_post.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='sa/ikev2/tasks/ike_cert_post.c' object='ike_cert_post.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_cert_post.lo `test -f 'sa/ikev2/tasks/ike_cert_post.c' || echo '$(srcdir)/'`sa/ikev2/tasks/ike_cert_post.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_cert_post.lo `test -f 'sa/ikev2/tasks/ike_cert_post.c' || echo '$(srcdir)/'`sa/ikev2/tasks/ike_cert_post.c
 
 ike_config.lo: sa/ikev2/tasks/ike_config.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_config.lo -MD -MP -MF $(DEPDIR)/ike_config.Tpo -c -o ike_config.lo `test -f 'sa/ikev2/tasks/ike_config.c' || echo '$(srcdir)/'`sa/ikev2/tasks/ike_config.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/ike_config.Tpo $(DEPDIR)/ike_config.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/ikev2/tasks/ike_config.c' object='ike_config.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_config.lo -MD -MP -MF $(DEPDIR)/ike_config.Tpo -c -o ike_config.lo `test -f 'sa/ikev2/tasks/ike_config.c' || echo '$(srcdir)/'`sa/ikev2/tasks/ike_config.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/ike_config.Tpo $(DEPDIR)/ike_config.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='sa/ikev2/tasks/ike_config.c' object='ike_config.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_config.lo `test -f 'sa/ikev2/tasks/ike_config.c' || echo '$(srcdir)/'`sa/ikev2/tasks/ike_config.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_config.lo `test -f 'sa/ikev2/tasks/ike_config.c' || echo '$(srcdir)/'`sa/ikev2/tasks/ike_config.c
 
 ike_delete.lo: sa/ikev2/tasks/ike_delete.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_delete.lo -MD -MP -MF $(DEPDIR)/ike_delete.Tpo -c -o ike_delete.lo `test -f 'sa/ikev2/tasks/ike_delete.c' || echo '$(srcdir)/'`sa/ikev2/tasks/ike_delete.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/ike_delete.Tpo $(DEPDIR)/ike_delete.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/ikev2/tasks/ike_delete.c' object='ike_delete.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_delete.lo -MD -MP -MF $(DEPDIR)/ike_delete.Tpo -c -o ike_delete.lo `test -f 'sa/ikev2/tasks/ike_delete.c' || echo '$(srcdir)/'`sa/ikev2/tasks/ike_delete.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/ike_delete.Tpo $(DEPDIR)/ike_delete.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='sa/ikev2/tasks/ike_delete.c' object='ike_delete.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_delete.lo `test -f 'sa/ikev2/tasks/ike_delete.c' || echo '$(srcdir)/'`sa/ikev2/tasks/ike_delete.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_delete.lo `test -f 'sa/ikev2/tasks/ike_delete.c' || echo '$(srcdir)/'`sa/ikev2/tasks/ike_delete.c
 
 ike_dpd.lo: sa/ikev2/tasks/ike_dpd.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_dpd.lo -MD -MP -MF $(DEPDIR)/ike_dpd.Tpo -c -o ike_dpd.lo `test -f 'sa/ikev2/tasks/ike_dpd.c' || echo '$(srcdir)/'`sa/ikev2/tasks/ike_dpd.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/ike_dpd.Tpo $(DEPDIR)/ike_dpd.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/ikev2/tasks/ike_dpd.c' object='ike_dpd.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_dpd.lo -MD -MP -MF $(DEPDIR)/ike_dpd.Tpo -c -o ike_dpd.lo `test -f 'sa/ikev2/tasks/ike_dpd.c' || echo '$(srcdir)/'`sa/ikev2/tasks/ike_dpd.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/ike_dpd.Tpo $(DEPDIR)/ike_dpd.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='sa/ikev2/tasks/ike_dpd.c' object='ike_dpd.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_dpd.lo `test -f 'sa/ikev2/tasks/ike_dpd.c' || echo '$(srcdir)/'`sa/ikev2/tasks/ike_dpd.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_dpd.lo `test -f 'sa/ikev2/tasks/ike_dpd.c' || echo '$(srcdir)/'`sa/ikev2/tasks/ike_dpd.c
 
 ike_init.lo: sa/ikev2/tasks/ike_init.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_init.lo -MD -MP -MF $(DEPDIR)/ike_init.Tpo -c -o ike_init.lo `test -f 'sa/ikev2/tasks/ike_init.c' || echo '$(srcdir)/'`sa/ikev2/tasks/ike_init.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/ike_init.Tpo $(DEPDIR)/ike_init.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/ikev2/tasks/ike_init.c' object='ike_init.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_init.lo -MD -MP -MF $(DEPDIR)/ike_init.Tpo -c -o ike_init.lo `test -f 'sa/ikev2/tasks/ike_init.c' || echo '$(srcdir)/'`sa/ikev2/tasks/ike_init.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/ike_init.Tpo $(DEPDIR)/ike_init.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='sa/ikev2/tasks/ike_init.c' object='ike_init.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_init.lo `test -f 'sa/ikev2/tasks/ike_init.c' || echo '$(srcdir)/'`sa/ikev2/tasks/ike_init.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_init.lo `test -f 'sa/ikev2/tasks/ike_init.c' || echo '$(srcdir)/'`sa/ikev2/tasks/ike_init.c
 
 ike_natd.lo: sa/ikev2/tasks/ike_natd.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_natd.lo -MD -MP -MF $(DEPDIR)/ike_natd.Tpo -c -o ike_natd.lo `test -f 'sa/ikev2/tasks/ike_natd.c' || echo '$(srcdir)/'`sa/ikev2/tasks/ike_natd.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/ike_natd.Tpo $(DEPDIR)/ike_natd.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/ikev2/tasks/ike_natd.c' object='ike_natd.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_natd.lo -MD -MP -MF $(DEPDIR)/ike_natd.Tpo -c -o ike_natd.lo `test -f 'sa/ikev2/tasks/ike_natd.c' || echo '$(srcdir)/'`sa/ikev2/tasks/ike_natd.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/ike_natd.Tpo $(DEPDIR)/ike_natd.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='sa/ikev2/tasks/ike_natd.c' object='ike_natd.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_natd.lo `test -f 'sa/ikev2/tasks/ike_natd.c' || echo '$(srcdir)/'`sa/ikev2/tasks/ike_natd.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_natd.lo `test -f 'sa/ikev2/tasks/ike_natd.c' || echo '$(srcdir)/'`sa/ikev2/tasks/ike_natd.c
 
 ike_mobike.lo: sa/ikev2/tasks/ike_mobike.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_mobike.lo -MD -MP -MF $(DEPDIR)/ike_mobike.Tpo -c -o ike_mobike.lo `test -f 'sa/ikev2/tasks/ike_mobike.c' || echo '$(srcdir)/'`sa/ikev2/tasks/ike_mobike.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/ike_mobike.Tpo $(DEPDIR)/ike_mobike.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/ikev2/tasks/ike_mobike.c' object='ike_mobike.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_mobike.lo -MD -MP -MF $(DEPDIR)/ike_mobike.Tpo -c -o ike_mobike.lo `test -f 'sa/ikev2/tasks/ike_mobike.c' || echo '$(srcdir)/'`sa/ikev2/tasks/ike_mobike.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/ike_mobike.Tpo $(DEPDIR)/ike_mobike.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='sa/ikev2/tasks/ike_mobike.c' object='ike_mobike.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_mobike.lo `test -f 'sa/ikev2/tasks/ike_mobike.c' || echo '$(srcdir)/'`sa/ikev2/tasks/ike_mobike.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_mobike.lo `test -f 'sa/ikev2/tasks/ike_mobike.c' || echo '$(srcdir)/'`sa/ikev2/tasks/ike_mobike.c
 
 ike_rekey.lo: sa/ikev2/tasks/ike_rekey.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_rekey.lo -MD -MP -MF $(DEPDIR)/ike_rekey.Tpo -c -o ike_rekey.lo `test -f 'sa/ikev2/tasks/ike_rekey.c' || echo '$(srcdir)/'`sa/ikev2/tasks/ike_rekey.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/ike_rekey.Tpo $(DEPDIR)/ike_rekey.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/ikev2/tasks/ike_rekey.c' object='ike_rekey.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_rekey.lo -MD -MP -MF $(DEPDIR)/ike_rekey.Tpo -c -o ike_rekey.lo `test -f 'sa/ikev2/tasks/ike_rekey.c' || echo '$(srcdir)/'`sa/ikev2/tasks/ike_rekey.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/ike_rekey.Tpo $(DEPDIR)/ike_rekey.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='sa/ikev2/tasks/ike_rekey.c' object='ike_rekey.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_rekey.lo `test -f 'sa/ikev2/tasks/ike_rekey.c' || echo '$(srcdir)/'`sa/ikev2/tasks/ike_rekey.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_rekey.lo `test -f 'sa/ikev2/tasks/ike_rekey.c' || echo '$(srcdir)/'`sa/ikev2/tasks/ike_rekey.c
 
 ike_reauth.lo: sa/ikev2/tasks/ike_reauth.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_reauth.lo -MD -MP -MF $(DEPDIR)/ike_reauth.Tpo -c -o ike_reauth.lo `test -f 'sa/ikev2/tasks/ike_reauth.c' || echo '$(srcdir)/'`sa/ikev2/tasks/ike_reauth.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/ike_reauth.Tpo $(DEPDIR)/ike_reauth.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/ikev2/tasks/ike_reauth.c' object='ike_reauth.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_reauth.lo -MD -MP -MF $(DEPDIR)/ike_reauth.Tpo -c -o ike_reauth.lo `test -f 'sa/ikev2/tasks/ike_reauth.c' || echo '$(srcdir)/'`sa/ikev2/tasks/ike_reauth.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/ike_reauth.Tpo $(DEPDIR)/ike_reauth.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='sa/ikev2/tasks/ike_reauth.c' object='ike_reauth.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_reauth.lo `test -f 'sa/ikev2/tasks/ike_reauth.c' || echo '$(srcdir)/'`sa/ikev2/tasks/ike_reauth.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_reauth.lo `test -f 'sa/ikev2/tasks/ike_reauth.c' || echo '$(srcdir)/'`sa/ikev2/tasks/ike_reauth.c
 
 ike_auth_lifetime.lo: sa/ikev2/tasks/ike_auth_lifetime.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_auth_lifetime.lo -MD -MP -MF $(DEPDIR)/ike_auth_lifetime.Tpo -c -o ike_auth_lifetime.lo `test -f 'sa/ikev2/tasks/ike_auth_lifetime.c' || echo '$(srcdir)/'`sa/ikev2/tasks/ike_auth_lifetime.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/ike_auth_lifetime.Tpo $(DEPDIR)/ike_auth_lifetime.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/ikev2/tasks/ike_auth_lifetime.c' object='ike_auth_lifetime.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_auth_lifetime.lo -MD -MP -MF $(DEPDIR)/ike_auth_lifetime.Tpo -c -o ike_auth_lifetime.lo `test -f 'sa/ikev2/tasks/ike_auth_lifetime.c' || echo '$(srcdir)/'`sa/ikev2/tasks/ike_auth_lifetime.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/ike_auth_lifetime.Tpo $(DEPDIR)/ike_auth_lifetime.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='sa/ikev2/tasks/ike_auth_lifetime.c' object='ike_auth_lifetime.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_auth_lifetime.lo `test -f 'sa/ikev2/tasks/ike_auth_lifetime.c' || echo '$(srcdir)/'`sa/ikev2/tasks/ike_auth_lifetime.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_auth_lifetime.lo `test -f 'sa/ikev2/tasks/ike_auth_lifetime.c' || echo '$(srcdir)/'`sa/ikev2/tasks/ike_auth_lifetime.c
 
 ike_vendor.lo: sa/ikev2/tasks/ike_vendor.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_vendor.lo -MD -MP -MF $(DEPDIR)/ike_vendor.Tpo -c -o ike_vendor.lo `test -f 'sa/ikev2/tasks/ike_vendor.c' || echo '$(srcdir)/'`sa/ikev2/tasks/ike_vendor.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/ike_vendor.Tpo $(DEPDIR)/ike_vendor.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/ikev2/tasks/ike_vendor.c' object='ike_vendor.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_vendor.lo -MD -MP -MF $(DEPDIR)/ike_vendor.Tpo -c -o ike_vendor.lo `test -f 'sa/ikev2/tasks/ike_vendor.c' || echo '$(srcdir)/'`sa/ikev2/tasks/ike_vendor.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/ike_vendor.Tpo $(DEPDIR)/ike_vendor.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='sa/ikev2/tasks/ike_vendor.c' object='ike_vendor.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_vendor.lo `test -f 'sa/ikev2/tasks/ike_vendor.c' || echo '$(srcdir)/'`sa/ikev2/tasks/ike_vendor.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_vendor.lo `test -f 'sa/ikev2/tasks/ike_vendor.c' || echo '$(srcdir)/'`sa/ikev2/tasks/ike_vendor.c
 
 keymat_v1.lo: sa/ikev1/keymat_v1.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT keymat_v1.lo -MD -MP -MF $(DEPDIR)/keymat_v1.Tpo -c -o keymat_v1.lo `test -f 'sa/ikev1/keymat_v1.c' || echo '$(srcdir)/'`sa/ikev1/keymat_v1.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/keymat_v1.Tpo $(DEPDIR)/keymat_v1.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/ikev1/keymat_v1.c' object='keymat_v1.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT keymat_v1.lo -MD -MP -MF $(DEPDIR)/keymat_v1.Tpo -c -o keymat_v1.lo `test -f 'sa/ikev1/keymat_v1.c' || echo '$(srcdir)/'`sa/ikev1/keymat_v1.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/keymat_v1.Tpo $(DEPDIR)/keymat_v1.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='sa/ikev1/keymat_v1.c' object='keymat_v1.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o keymat_v1.lo `test -f 'sa/ikev1/keymat_v1.c' || echo '$(srcdir)/'`sa/ikev1/keymat_v1.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o keymat_v1.lo `test -f 'sa/ikev1/keymat_v1.c' || echo '$(srcdir)/'`sa/ikev1/keymat_v1.c
 
 task_manager_v1.lo: sa/ikev1/task_manager_v1.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT task_manager_v1.lo -MD -MP -MF $(DEPDIR)/task_manager_v1.Tpo -c -o task_manager_v1.lo `test -f 'sa/ikev1/task_manager_v1.c' || echo '$(srcdir)/'`sa/ikev1/task_manager_v1.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/task_manager_v1.Tpo $(DEPDIR)/task_manager_v1.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/ikev1/task_manager_v1.c' object='task_manager_v1.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT task_manager_v1.lo -MD -MP -MF $(DEPDIR)/task_manager_v1.Tpo -c -o task_manager_v1.lo `test -f 'sa/ikev1/task_manager_v1.c' || echo '$(srcdir)/'`sa/ikev1/task_manager_v1.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/task_manager_v1.Tpo $(DEPDIR)/task_manager_v1.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='sa/ikev1/task_manager_v1.c' object='task_manager_v1.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o task_manager_v1.lo `test -f 'sa/ikev1/task_manager_v1.c' || echo '$(srcdir)/'`sa/ikev1/task_manager_v1.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o task_manager_v1.lo `test -f 'sa/ikev1/task_manager_v1.c' || echo '$(srcdir)/'`sa/ikev1/task_manager_v1.c
 
 psk_v1_authenticator.lo: sa/ikev1/authenticators/psk_v1_authenticator.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT psk_v1_authenticator.lo -MD -MP -MF $(DEPDIR)/psk_v1_authenticator.Tpo -c -o psk_v1_authenticator.lo `test -f 'sa/ikev1/authenticators/psk_v1_authenticator.c' || echo '$(srcdir)/'`sa/ikev1/authenticators/psk_v1_authenticator.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/psk_v1_authenticator.Tpo $(DEPDIR)/psk_v1_authenticator.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/ikev1/authenticators/psk_v1_authenticator.c' object='psk_v1_authenticator.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT psk_v1_authenticator.lo -MD -MP -MF $(DEPDIR)/psk_v1_authenticator.Tpo -c -o psk_v1_authenticator.lo `test -f 'sa/ikev1/authenticators/psk_v1_authenticator.c' || echo '$(srcdir)/'`sa/ikev1/authenticators/psk_v1_authenticator.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/psk_v1_authenticator.Tpo $(DEPDIR)/psk_v1_authenticator.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='sa/ikev1/authenticators/psk_v1_authenticator.c' object='psk_v1_authenticator.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o psk_v1_authenticator.lo `test -f 'sa/ikev1/authenticators/psk_v1_authenticator.c' || echo '$(srcdir)/'`sa/ikev1/authenticators/psk_v1_authenticator.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o psk_v1_authenticator.lo `test -f 'sa/ikev1/authenticators/psk_v1_authenticator.c' || echo '$(srcdir)/'`sa/ikev1/authenticators/psk_v1_authenticator.c
 
 pubkey_v1_authenticator.lo: sa/ikev1/authenticators/pubkey_v1_authenticator.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT pubkey_v1_authenticator.lo -MD -MP -MF $(DEPDIR)/pubkey_v1_authenticator.Tpo -c -o pubkey_v1_authenticator.lo `test -f 'sa/ikev1/authenticators/pubkey_v1_authenticator.c' || echo '$(srcdir)/'`sa/ikev1/authenticators/pubkey_v1_authenticator.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/pubkey_v1_authenticator.Tpo $(DEPDIR)/pubkey_v1_authenticator.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/ikev1/authenticators/pubkey_v1_authenticator.c' object='pubkey_v1_authenticator.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT pubkey_v1_authenticator.lo -MD -MP -MF $(DEPDIR)/pubkey_v1_authenticator.Tpo -c -o pubkey_v1_authenticator.lo `test -f 'sa/ikev1/authenticators/pubkey_v1_authenticator.c' || echo '$(srcdir)/'`sa/ikev1/authenticators/pubkey_v1_authenticator.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/pubkey_v1_authenticator.Tpo $(DEPDIR)/pubkey_v1_authenticator.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='sa/ikev1/authenticators/pubkey_v1_authenticator.c' object='pubkey_v1_authenticator.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o pubkey_v1_authenticator.lo `test -f 'sa/ikev1/authenticators/pubkey_v1_authenticator.c' || echo '$(srcdir)/'`sa/ikev1/authenticators/pubkey_v1_authenticator.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o pubkey_v1_authenticator.lo `test -f 'sa/ikev1/authenticators/pubkey_v1_authenticator.c' || echo '$(srcdir)/'`sa/ikev1/authenticators/pubkey_v1_authenticator.c
 
 hybrid_authenticator.lo: sa/ikev1/authenticators/hybrid_authenticator.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT hybrid_authenticator.lo -MD -MP -MF $(DEPDIR)/hybrid_authenticator.Tpo -c -o hybrid_authenticator.lo `test -f 'sa/ikev1/authenticators/hybrid_authenticator.c' || echo '$(srcdir)/'`sa/ikev1/authenticators/hybrid_authenticator.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/hybrid_authenticator.Tpo $(DEPDIR)/hybrid_authenticator.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/ikev1/authenticators/hybrid_authenticator.c' object='hybrid_authenticator.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT hybrid_authenticator.lo -MD -MP -MF $(DEPDIR)/hybrid_authenticator.Tpo -c -o hybrid_authenticator.lo `test -f 'sa/ikev1/authenticators/hybrid_authenticator.c' || echo '$(srcdir)/'`sa/ikev1/authenticators/hybrid_authenticator.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/hybrid_authenticator.Tpo $(DEPDIR)/hybrid_authenticator.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='sa/ikev1/authenticators/hybrid_authenticator.c' object='hybrid_authenticator.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o hybrid_authenticator.lo `test -f 'sa/ikev1/authenticators/hybrid_authenticator.c' || echo '$(srcdir)/'`sa/ikev1/authenticators/hybrid_authenticator.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o hybrid_authenticator.lo `test -f 'sa/ikev1/authenticators/hybrid_authenticator.c' || echo '$(srcdir)/'`sa/ikev1/authenticators/hybrid_authenticator.c
 
 phase1.lo: sa/ikev1/phase1.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT phase1.lo -MD -MP -MF $(DEPDIR)/phase1.Tpo -c -o phase1.lo `test -f 'sa/ikev1/phase1.c' || echo '$(srcdir)/'`sa/ikev1/phase1.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/phase1.Tpo $(DEPDIR)/phase1.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/ikev1/phase1.c' object='phase1.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT phase1.lo -MD -MP -MF $(DEPDIR)/phase1.Tpo -c -o phase1.lo `test -f 'sa/ikev1/phase1.c' || echo '$(srcdir)/'`sa/ikev1/phase1.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/phase1.Tpo $(DEPDIR)/phase1.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='sa/ikev1/phase1.c' object='phase1.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o phase1.lo `test -f 'sa/ikev1/phase1.c' || echo '$(srcdir)/'`sa/ikev1/phase1.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o phase1.lo `test -f 'sa/ikev1/phase1.c' || echo '$(srcdir)/'`sa/ikev1/phase1.c
 
 main_mode.lo: sa/ikev1/tasks/main_mode.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT main_mode.lo -MD -MP -MF $(DEPDIR)/main_mode.Tpo -c -o main_mode.lo `test -f 'sa/ikev1/tasks/main_mode.c' || echo '$(srcdir)/'`sa/ikev1/tasks/main_mode.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/main_mode.Tpo $(DEPDIR)/main_mode.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/ikev1/tasks/main_mode.c' object='main_mode.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT main_mode.lo -MD -MP -MF $(DEPDIR)/main_mode.Tpo -c -o main_mode.lo `test -f 'sa/ikev1/tasks/main_mode.c' || echo '$(srcdir)/'`sa/ikev1/tasks/main_mode.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/main_mode.Tpo $(DEPDIR)/main_mode.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='sa/ikev1/tasks/main_mode.c' object='main_mode.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o main_mode.lo `test -f 'sa/ikev1/tasks/main_mode.c' || echo '$(srcdir)/'`sa/ikev1/tasks/main_mode.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o main_mode.lo `test -f 'sa/ikev1/tasks/main_mode.c' || echo '$(srcdir)/'`sa/ikev1/tasks/main_mode.c
 
 aggressive_mode.lo: sa/ikev1/tasks/aggressive_mode.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT aggressive_mode.lo -MD -MP -MF $(DEPDIR)/aggressive_mode.Tpo -c -o aggressive_mode.lo `test -f 'sa/ikev1/tasks/aggressive_mode.c' || echo '$(srcdir)/'`sa/ikev1/tasks/aggressive_mode.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/aggressive_mode.Tpo $(DEPDIR)/aggressive_mode.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/ikev1/tasks/aggressive_mode.c' object='aggressive_mode.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT aggressive_mode.lo -MD -MP -MF $(DEPDIR)/aggressive_mode.Tpo -c -o aggressive_mode.lo `test -f 'sa/ikev1/tasks/aggressive_mode.c' || echo '$(srcdir)/'`sa/ikev1/tasks/aggressive_mode.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/aggressive_mode.Tpo $(DEPDIR)/aggressive_mode.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='sa/ikev1/tasks/aggressive_mode.c' object='aggressive_mode.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o aggressive_mode.lo `test -f 'sa/ikev1/tasks/aggressive_mode.c' || echo '$(srcdir)/'`sa/ikev1/tasks/aggressive_mode.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o aggressive_mode.lo `test -f 'sa/ikev1/tasks/aggressive_mode.c' || echo '$(srcdir)/'`sa/ikev1/tasks/aggressive_mode.c
 
 informational.lo: sa/ikev1/tasks/informational.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT informational.lo -MD -MP -MF $(DEPDIR)/informational.Tpo -c -o informational.lo `test -f 'sa/ikev1/tasks/informational.c' || echo '$(srcdir)/'`sa/ikev1/tasks/informational.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/informational.Tpo $(DEPDIR)/informational.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/ikev1/tasks/informational.c' object='informational.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT informational.lo -MD -MP -MF $(DEPDIR)/informational.Tpo -c -o informational.lo `test -f 'sa/ikev1/tasks/informational.c' || echo '$(srcdir)/'`sa/ikev1/tasks/informational.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/informational.Tpo $(DEPDIR)/informational.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='sa/ikev1/tasks/informational.c' object='informational.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o informational.lo `test -f 'sa/ikev1/tasks/informational.c' || echo '$(srcdir)/'`sa/ikev1/tasks/informational.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o informational.lo `test -f 'sa/ikev1/tasks/informational.c' || echo '$(srcdir)/'`sa/ikev1/tasks/informational.c
 
 isakmp_cert_pre.lo: sa/ikev1/tasks/isakmp_cert_pre.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT isakmp_cert_pre.lo -MD -MP -MF $(DEPDIR)/isakmp_cert_pre.Tpo -c -o isakmp_cert_pre.lo `test -f 'sa/ikev1/tasks/isakmp_cert_pre.c' || echo '$(srcdir)/'`sa/ikev1/tasks/isakmp_cert_pre.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/isakmp_cert_pre.Tpo $(DEPDIR)/isakmp_cert_pre.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/ikev1/tasks/isakmp_cert_pre.c' object='isakmp_cert_pre.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT isakmp_cert_pre.lo -MD -MP -MF $(DEPDIR)/isakmp_cert_pre.Tpo -c -o isakmp_cert_pre.lo `test -f 'sa/ikev1/tasks/isakmp_cert_pre.c' || echo '$(srcdir)/'`sa/ikev1/tasks/isakmp_cert_pre.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/isakmp_cert_pre.Tpo $(DEPDIR)/isakmp_cert_pre.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='sa/ikev1/tasks/isakmp_cert_pre.c' object='isakmp_cert_pre.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o isakmp_cert_pre.lo `test -f 'sa/ikev1/tasks/isakmp_cert_pre.c' || echo '$(srcdir)/'`sa/ikev1/tasks/isakmp_cert_pre.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o isakmp_cert_pre.lo `test -f 'sa/ikev1/tasks/isakmp_cert_pre.c' || echo '$(srcdir)/'`sa/ikev1/tasks/isakmp_cert_pre.c
 
 isakmp_cert_post.lo: sa/ikev1/tasks/isakmp_cert_post.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT isakmp_cert_post.lo -MD -MP -MF $(DEPDIR)/isakmp_cert_post.Tpo -c -o isakmp_cert_post.lo `test -f 'sa/ikev1/tasks/isakmp_cert_post.c' || echo '$(srcdir)/'`sa/ikev1/tasks/isakmp_cert_post.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/isakmp_cert_post.Tpo $(DEPDIR)/isakmp_cert_post.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/ikev1/tasks/isakmp_cert_post.c' object='isakmp_cert_post.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT isakmp_cert_post.lo -MD -MP -MF $(DEPDIR)/isakmp_cert_post.Tpo -c -o isakmp_cert_post.lo `test -f 'sa/ikev1/tasks/isakmp_cert_post.c' || echo '$(srcdir)/'`sa/ikev1/tasks/isakmp_cert_post.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/isakmp_cert_post.Tpo $(DEPDIR)/isakmp_cert_post.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='sa/ikev1/tasks/isakmp_cert_post.c' object='isakmp_cert_post.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o isakmp_cert_post.lo `test -f 'sa/ikev1/tasks/isakmp_cert_post.c' || echo '$(srcdir)/'`sa/ikev1/tasks/isakmp_cert_post.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o isakmp_cert_post.lo `test -f 'sa/ikev1/tasks/isakmp_cert_post.c' || echo '$(srcdir)/'`sa/ikev1/tasks/isakmp_cert_post.c
 
 isakmp_natd.lo: sa/ikev1/tasks/isakmp_natd.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT isakmp_natd.lo -MD -MP -MF $(DEPDIR)/isakmp_natd.Tpo -c -o isakmp_natd.lo `test -f 'sa/ikev1/tasks/isakmp_natd.c' || echo '$(srcdir)/'`sa/ikev1/tasks/isakmp_natd.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/isakmp_natd.Tpo $(DEPDIR)/isakmp_natd.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/ikev1/tasks/isakmp_natd.c' object='isakmp_natd.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT isakmp_natd.lo -MD -MP -MF $(DEPDIR)/isakmp_natd.Tpo -c -o isakmp_natd.lo `test -f 'sa/ikev1/tasks/isakmp_natd.c' || echo '$(srcdir)/'`sa/ikev1/tasks/isakmp_natd.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/isakmp_natd.Tpo $(DEPDIR)/isakmp_natd.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='sa/ikev1/tasks/isakmp_natd.c' object='isakmp_natd.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o isakmp_natd.lo `test -f 'sa/ikev1/tasks/isakmp_natd.c' || echo '$(srcdir)/'`sa/ikev1/tasks/isakmp_natd.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o isakmp_natd.lo `test -f 'sa/ikev1/tasks/isakmp_natd.c' || echo '$(srcdir)/'`sa/ikev1/tasks/isakmp_natd.c
 
 isakmp_vendor.lo: sa/ikev1/tasks/isakmp_vendor.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT isakmp_vendor.lo -MD -MP -MF $(DEPDIR)/isakmp_vendor.Tpo -c -o isakmp_vendor.lo `test -f 'sa/ikev1/tasks/isakmp_vendor.c' || echo '$(srcdir)/'`sa/ikev1/tasks/isakmp_vendor.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/isakmp_vendor.Tpo $(DEPDIR)/isakmp_vendor.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/ikev1/tasks/isakmp_vendor.c' object='isakmp_vendor.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT isakmp_vendor.lo -MD -MP -MF $(DEPDIR)/isakmp_vendor.Tpo -c -o isakmp_vendor.lo `test -f 'sa/ikev1/tasks/isakmp_vendor.c' || echo '$(srcdir)/'`sa/ikev1/tasks/isakmp_vendor.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/isakmp_vendor.Tpo $(DEPDIR)/isakmp_vendor.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='sa/ikev1/tasks/isakmp_vendor.c' object='isakmp_vendor.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o isakmp_vendor.lo `test -f 'sa/ikev1/tasks/isakmp_vendor.c' || echo '$(srcdir)/'`sa/ikev1/tasks/isakmp_vendor.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o isakmp_vendor.lo `test -f 'sa/ikev1/tasks/isakmp_vendor.c' || echo '$(srcdir)/'`sa/ikev1/tasks/isakmp_vendor.c
 
 isakmp_delete.lo: sa/ikev1/tasks/isakmp_delete.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT isakmp_delete.lo -MD -MP -MF $(DEPDIR)/isakmp_delete.Tpo -c -o isakmp_delete.lo `test -f 'sa/ikev1/tasks/isakmp_delete.c' || echo '$(srcdir)/'`sa/ikev1/tasks/isakmp_delete.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/isakmp_delete.Tpo $(DEPDIR)/isakmp_delete.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/ikev1/tasks/isakmp_delete.c' object='isakmp_delete.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT isakmp_delete.lo -MD -MP -MF $(DEPDIR)/isakmp_delete.Tpo -c -o isakmp_delete.lo `test -f 'sa/ikev1/tasks/isakmp_delete.c' || echo '$(srcdir)/'`sa/ikev1/tasks/isakmp_delete.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/isakmp_delete.Tpo $(DEPDIR)/isakmp_delete.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='sa/ikev1/tasks/isakmp_delete.c' object='isakmp_delete.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o isakmp_delete.lo `test -f 'sa/ikev1/tasks/isakmp_delete.c' || echo '$(srcdir)/'`sa/ikev1/tasks/isakmp_delete.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o isakmp_delete.lo `test -f 'sa/ikev1/tasks/isakmp_delete.c' || echo '$(srcdir)/'`sa/ikev1/tasks/isakmp_delete.c
 
 isakmp_dpd.lo: sa/ikev1/tasks/isakmp_dpd.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT isakmp_dpd.lo -MD -MP -MF $(DEPDIR)/isakmp_dpd.Tpo -c -o isakmp_dpd.lo `test -f 'sa/ikev1/tasks/isakmp_dpd.c' || echo '$(srcdir)/'`sa/ikev1/tasks/isakmp_dpd.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/isakmp_dpd.Tpo $(DEPDIR)/isakmp_dpd.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/ikev1/tasks/isakmp_dpd.c' object='isakmp_dpd.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT isakmp_dpd.lo -MD -MP -MF $(DEPDIR)/isakmp_dpd.Tpo -c -o isakmp_dpd.lo `test -f 'sa/ikev1/tasks/isakmp_dpd.c' || echo '$(srcdir)/'`sa/ikev1/tasks/isakmp_dpd.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/isakmp_dpd.Tpo $(DEPDIR)/isakmp_dpd.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='sa/ikev1/tasks/isakmp_dpd.c' object='isakmp_dpd.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o isakmp_dpd.lo `test -f 'sa/ikev1/tasks/isakmp_dpd.c' || echo '$(srcdir)/'`sa/ikev1/tasks/isakmp_dpd.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o isakmp_dpd.lo `test -f 'sa/ikev1/tasks/isakmp_dpd.c' || echo '$(srcdir)/'`sa/ikev1/tasks/isakmp_dpd.c
 
 xauth.lo: sa/ikev1/tasks/xauth.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT xauth.lo -MD -MP -MF $(DEPDIR)/xauth.Tpo -c -o xauth.lo `test -f 'sa/ikev1/tasks/xauth.c' || echo '$(srcdir)/'`sa/ikev1/tasks/xauth.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/xauth.Tpo $(DEPDIR)/xauth.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/ikev1/tasks/xauth.c' object='xauth.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT xauth.lo -MD -MP -MF $(DEPDIR)/xauth.Tpo -c -o xauth.lo `test -f 'sa/ikev1/tasks/xauth.c' || echo '$(srcdir)/'`sa/ikev1/tasks/xauth.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/xauth.Tpo $(DEPDIR)/xauth.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='sa/ikev1/tasks/xauth.c' object='xauth.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o xauth.lo `test -f 'sa/ikev1/tasks/xauth.c' || echo '$(srcdir)/'`sa/ikev1/tasks/xauth.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o xauth.lo `test -f 'sa/ikev1/tasks/xauth.c' || echo '$(srcdir)/'`sa/ikev1/tasks/xauth.c
 
 quick_mode.lo: sa/ikev1/tasks/quick_mode.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT quick_mode.lo -MD -MP -MF $(DEPDIR)/quick_mode.Tpo -c -o quick_mode.lo `test -f 'sa/ikev1/tasks/quick_mode.c' || echo '$(srcdir)/'`sa/ikev1/tasks/quick_mode.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/quick_mode.Tpo $(DEPDIR)/quick_mode.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/ikev1/tasks/quick_mode.c' object='quick_mode.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT quick_mode.lo -MD -MP -MF $(DEPDIR)/quick_mode.Tpo -c -o quick_mode.lo `test -f 'sa/ikev1/tasks/quick_mode.c' || echo '$(srcdir)/'`sa/ikev1/tasks/quick_mode.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/quick_mode.Tpo $(DEPDIR)/quick_mode.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='sa/ikev1/tasks/quick_mode.c' object='quick_mode.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o quick_mode.lo `test -f 'sa/ikev1/tasks/quick_mode.c' || echo '$(srcdir)/'`sa/ikev1/tasks/quick_mode.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o quick_mode.lo `test -f 'sa/ikev1/tasks/quick_mode.c' || echo '$(srcdir)/'`sa/ikev1/tasks/quick_mode.c
 
 quick_delete.lo: sa/ikev1/tasks/quick_delete.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT quick_delete.lo -MD -MP -MF $(DEPDIR)/quick_delete.Tpo -c -o quick_delete.lo `test -f 'sa/ikev1/tasks/quick_delete.c' || echo '$(srcdir)/'`sa/ikev1/tasks/quick_delete.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/quick_delete.Tpo $(DEPDIR)/quick_delete.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/ikev1/tasks/quick_delete.c' object='quick_delete.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT quick_delete.lo -MD -MP -MF $(DEPDIR)/quick_delete.Tpo -c -o quick_delete.lo `test -f 'sa/ikev1/tasks/quick_delete.c' || echo '$(srcdir)/'`sa/ikev1/tasks/quick_delete.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/quick_delete.Tpo $(DEPDIR)/quick_delete.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='sa/ikev1/tasks/quick_delete.c' object='quick_delete.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o quick_delete.lo `test -f 'sa/ikev1/tasks/quick_delete.c' || echo '$(srcdir)/'`sa/ikev1/tasks/quick_delete.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o quick_delete.lo `test -f 'sa/ikev1/tasks/quick_delete.c' || echo '$(srcdir)/'`sa/ikev1/tasks/quick_delete.c
 
 mode_config.lo: sa/ikev1/tasks/mode_config.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT mode_config.lo -MD -MP -MF $(DEPDIR)/mode_config.Tpo -c -o mode_config.lo `test -f 'sa/ikev1/tasks/mode_config.c' || echo '$(srcdir)/'`sa/ikev1/tasks/mode_config.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/mode_config.Tpo $(DEPDIR)/mode_config.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/ikev1/tasks/mode_config.c' object='mode_config.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT mode_config.lo -MD -MP -MF $(DEPDIR)/mode_config.Tpo -c -o mode_config.lo `test -f 'sa/ikev1/tasks/mode_config.c' || echo '$(srcdir)/'`sa/ikev1/tasks/mode_config.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/mode_config.Tpo $(DEPDIR)/mode_config.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='sa/ikev1/tasks/mode_config.c' object='mode_config.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o mode_config.lo `test -f 'sa/ikev1/tasks/mode_config.c' || echo '$(srcdir)/'`sa/ikev1/tasks/mode_config.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o mode_config.lo `test -f 'sa/ikev1/tasks/mode_config.c' || echo '$(srcdir)/'`sa/ikev1/tasks/mode_config.c
 
 dpd_timeout_job.lo: processing/jobs/dpd_timeout_job.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT dpd_timeout_job.lo -MD -MP -MF $(DEPDIR)/dpd_timeout_job.Tpo -c -o dpd_timeout_job.lo `test -f 'processing/jobs/dpd_timeout_job.c' || echo '$(srcdir)/'`processing/jobs/dpd_timeout_job.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/dpd_timeout_job.Tpo $(DEPDIR)/dpd_timeout_job.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='processing/jobs/dpd_timeout_job.c' object='dpd_timeout_job.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT dpd_timeout_job.lo -MD -MP -MF $(DEPDIR)/dpd_timeout_job.Tpo -c -o dpd_timeout_job.lo `test -f 'processing/jobs/dpd_timeout_job.c' || echo '$(srcdir)/'`processing/jobs/dpd_timeout_job.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/dpd_timeout_job.Tpo $(DEPDIR)/dpd_timeout_job.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='processing/jobs/dpd_timeout_job.c' object='dpd_timeout_job.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o dpd_timeout_job.lo `test -f 'processing/jobs/dpd_timeout_job.c' || echo '$(srcdir)/'`processing/jobs/dpd_timeout_job.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o dpd_timeout_job.lo `test -f 'processing/jobs/dpd_timeout_job.c' || echo '$(srcdir)/'`processing/jobs/dpd_timeout_job.c
 
 adopt_children_job.lo: processing/jobs/adopt_children_job.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT adopt_children_job.lo -MD -MP -MF $(DEPDIR)/adopt_children_job.Tpo -c -o adopt_children_job.lo `test -f 'processing/jobs/adopt_children_job.c' || echo '$(srcdir)/'`processing/jobs/adopt_children_job.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/adopt_children_job.Tpo $(DEPDIR)/adopt_children_job.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='processing/jobs/adopt_children_job.c' object='adopt_children_job.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT adopt_children_job.lo -MD -MP -MF $(DEPDIR)/adopt_children_job.Tpo -c -o adopt_children_job.lo `test -f 'processing/jobs/adopt_children_job.c' || echo '$(srcdir)/'`processing/jobs/adopt_children_job.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/adopt_children_job.Tpo $(DEPDIR)/adopt_children_job.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='processing/jobs/adopt_children_job.c' object='adopt_children_job.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o adopt_children_job.lo `test -f 'processing/jobs/adopt_children_job.c' || echo '$(srcdir)/'`processing/jobs/adopt_children_job.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o adopt_children_job.lo `test -f 'processing/jobs/adopt_children_job.c' || echo '$(srcdir)/'`processing/jobs/adopt_children_job.c
 
 endpoint_notify.lo: encoding/payloads/endpoint_notify.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT endpoint_notify.lo -MD -MP -MF $(DEPDIR)/endpoint_notify.Tpo -c -o endpoint_notify.lo `test -f 'encoding/payloads/endpoint_notify.c' || echo '$(srcdir)/'`encoding/payloads/endpoint_notify.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/endpoint_notify.Tpo $(DEPDIR)/endpoint_notify.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='encoding/payloads/endpoint_notify.c' object='endpoint_notify.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT endpoint_notify.lo -MD -MP -MF $(DEPDIR)/endpoint_notify.Tpo -c -o endpoint_notify.lo `test -f 'encoding/payloads/endpoint_notify.c' || echo '$(srcdir)/'`encoding/payloads/endpoint_notify.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/endpoint_notify.Tpo $(DEPDIR)/endpoint_notify.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='encoding/payloads/endpoint_notify.c' object='endpoint_notify.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o endpoint_notify.lo `test -f 'encoding/payloads/endpoint_notify.c' || echo '$(srcdir)/'`encoding/payloads/endpoint_notify.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o endpoint_notify.lo `test -f 'encoding/payloads/endpoint_notify.c' || echo '$(srcdir)/'`encoding/payloads/endpoint_notify.c
 
 initiate_mediation_job.lo: processing/jobs/initiate_mediation_job.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT initiate_mediation_job.lo -MD -MP -MF $(DEPDIR)/initiate_mediation_job.Tpo -c -o initiate_mediation_job.lo `test -f 'processing/jobs/initiate_mediation_job.c' || echo '$(srcdir)/'`processing/jobs/initiate_mediation_job.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/initiate_mediation_job.Tpo $(DEPDIR)/initiate_mediation_job.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='processing/jobs/initiate_mediation_job.c' object='initiate_mediation_job.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT initiate_mediation_job.lo -MD -MP -MF $(DEPDIR)/initiate_mediation_job.Tpo -c -o initiate_mediation_job.lo `test -f 'processing/jobs/initiate_mediation_job.c' || echo '$(srcdir)/'`processing/jobs/initiate_mediation_job.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/initiate_mediation_job.Tpo $(DEPDIR)/initiate_mediation_job.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='processing/jobs/initiate_mediation_job.c' object='initiate_mediation_job.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o initiate_mediation_job.lo `test -f 'processing/jobs/initiate_mediation_job.c' || echo '$(srcdir)/'`processing/jobs/initiate_mediation_job.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o initiate_mediation_job.lo `test -f 'processing/jobs/initiate_mediation_job.c' || echo '$(srcdir)/'`processing/jobs/initiate_mediation_job.c
 
 mediation_job.lo: processing/jobs/mediation_job.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT mediation_job.lo -MD -MP -MF $(DEPDIR)/mediation_job.Tpo -c -o mediation_job.lo `test -f 'processing/jobs/mediation_job.c' || echo '$(srcdir)/'`processing/jobs/mediation_job.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/mediation_job.Tpo $(DEPDIR)/mediation_job.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='processing/jobs/mediation_job.c' object='mediation_job.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT mediation_job.lo -MD -MP -MF $(DEPDIR)/mediation_job.Tpo -c -o mediation_job.lo `test -f 'processing/jobs/mediation_job.c' || echo '$(srcdir)/'`processing/jobs/mediation_job.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/mediation_job.Tpo $(DEPDIR)/mediation_job.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='processing/jobs/mediation_job.c' object='mediation_job.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o mediation_job.lo `test -f 'processing/jobs/mediation_job.c' || echo '$(srcdir)/'`processing/jobs/mediation_job.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o mediation_job.lo `test -f 'processing/jobs/mediation_job.c' || echo '$(srcdir)/'`processing/jobs/mediation_job.c
 
 connect_manager.lo: sa/ikev2/connect_manager.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT connect_manager.lo -MD -MP -MF $(DEPDIR)/connect_manager.Tpo -c -o connect_manager.lo `test -f 'sa/ikev2/connect_manager.c' || echo '$(srcdir)/'`sa/ikev2/connect_manager.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/connect_manager.Tpo $(DEPDIR)/connect_manager.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/ikev2/connect_manager.c' object='connect_manager.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT connect_manager.lo -MD -MP -MF $(DEPDIR)/connect_manager.Tpo -c -o connect_manager.lo `test -f 'sa/ikev2/connect_manager.c' || echo '$(srcdir)/'`sa/ikev2/connect_manager.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/connect_manager.Tpo $(DEPDIR)/connect_manager.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='sa/ikev2/connect_manager.c' object='connect_manager.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o connect_manager.lo `test -f 'sa/ikev2/connect_manager.c' || echo '$(srcdir)/'`sa/ikev2/connect_manager.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o connect_manager.lo `test -f 'sa/ikev2/connect_manager.c' || echo '$(srcdir)/'`sa/ikev2/connect_manager.c
 
 mediation_manager.lo: sa/ikev2/mediation_manager.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT mediation_manager.lo -MD -MP -MF $(DEPDIR)/mediation_manager.Tpo -c -o mediation_manager.lo `test -f 'sa/ikev2/mediation_manager.c' || echo '$(srcdir)/'`sa/ikev2/mediation_manager.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/mediation_manager.Tpo $(DEPDIR)/mediation_manager.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/ikev2/mediation_manager.c' object='mediation_manager.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT mediation_manager.lo -MD -MP -MF $(DEPDIR)/mediation_manager.Tpo -c -o mediation_manager.lo `test -f 'sa/ikev2/mediation_manager.c' || echo '$(srcdir)/'`sa/ikev2/mediation_manager.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/mediation_manager.Tpo $(DEPDIR)/mediation_manager.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='sa/ikev2/mediation_manager.c' object='mediation_manager.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o mediation_manager.lo `test -f 'sa/ikev2/mediation_manager.c' || echo '$(srcdir)/'`sa/ikev2/mediation_manager.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o mediation_manager.lo `test -f 'sa/ikev2/mediation_manager.c' || echo '$(srcdir)/'`sa/ikev2/mediation_manager.c
 
 ike_me.lo: sa/ikev2/tasks/ike_me.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_me.lo -MD -MP -MF $(DEPDIR)/ike_me.Tpo -c -o ike_me.lo `test -f 'sa/ikev2/tasks/ike_me.c' || echo '$(srcdir)/'`sa/ikev2/tasks/ike_me.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/ike_me.Tpo $(DEPDIR)/ike_me.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/ikev2/tasks/ike_me.c' object='ike_me.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_me.lo -MD -MP -MF $(DEPDIR)/ike_me.Tpo -c -o ike_me.lo `test -f 'sa/ikev2/tasks/ike_me.c' || echo '$(srcdir)/'`sa/ikev2/tasks/ike_me.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/ike_me.Tpo $(DEPDIR)/ike_me.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='sa/ikev2/tasks/ike_me.c' object='ike_me.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_me.lo `test -f 'sa/ikev2/tasks/ike_me.c' || echo '$(srcdir)/'`sa/ikev2/tasks/ike_me.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_me.lo `test -f 'sa/ikev2/tasks/ike_me.c' || echo '$(srcdir)/'`sa/ikev2/tasks/ike_me.c
 
 mostlyclean-libtool:
 	-rm -f *.lo
diff --git a/src/libcharon/bus/bus.c b/src/libcharon/bus/bus.c
index 0db5a8a9c..b46184809 100644
--- a/src/libcharon/bus/bus.c
+++ b/src/libcharon/bus/bus.c
@@ -52,6 +52,11 @@ struct private_bus_t {
 	 */
 	level_t max_level[DBG_MAX + 1];
 
+	/**
+	 * Same as max level, but for loggers using the vlog() method.
+	 */
+	level_t max_vlevel[DBG_MAX + 1];
+
 	/**
 	 * Mutex for the list of listeners, recursively.
 	 */
@@ -166,7 +171,14 @@ static inline void register_logger(private_bus_t *this, debug_t group,
 	loggers->insert_before(loggers, enumerator, entry);
 	enumerator->destroy(enumerator);
 
-	this->max_level[group] = max(this->max_level[group], level);
+	if (entry->logger->log)
+	{
+		this->max_level[group] = max(this->max_level[group], level);
+	}
+	if (entry->logger->vlog)
+	{
+		this->max_vlevel[group] = max(this->max_vlevel[group], level);
+	}
 }
 
 /**
@@ -194,6 +206,7 @@ static inline void unregister_logger(private_bus_t *this, logger_t *logger)
 	if (found)
 	{
 		debug_t group;
+
 		for (group = 0; group < DBG_MAX; group++)
 		{
 			if (found->levels[group] > LEVEL_SILENT)
@@ -202,9 +215,11 @@ static inline void unregister_logger(private_bus_t *this, logger_t *logger)
 				loggers->remove(loggers, found, NULL);
 
 				this->max_level[group] = LEVEL_SILENT;
+				this->max_vlevel[group] = LEVEL_SILENT;
 				if (loggers->get_first(loggers, (void**)&entry) == SUCCESS)
 				{
 					this->max_level[group] = entry->levels[group];
+					this->max_vlevel[group] = entry->levels[group];
 				}
 			}
 		}
@@ -268,8 +283,10 @@ typedef struct {
 	debug_t group;
 	/** debug level */
 	level_t level;
-	/** message */
+	/** message/fmt */
 	char *message;
+	/** argument list if message is a format string for vlog() */
+	va_list args;
 } log_data_t;
 
 /**
@@ -277,24 +294,41 @@ typedef struct {
  */
 static void log_cb(log_entry_t *entry, log_data_t *data)
 {
-	if (entry->levels[data->group] < data->level)
+	if (entry->logger->log && entry->levels[data->group] >= data->level)
+	{
+		entry->logger->log(entry->logger, data->group, data->level,
+						   data->thread, data->ike_sa, data->message);
+	}
+}
+
+/**
+ * logger->vlog() invocation as a invoke_function callback
+ */
+static void vlog_cb(log_entry_t *entry, log_data_t *data)
+{
+	if (entry->logger->vlog && entry->levels[data->group] >= data->level)
 	{
-		return;
+		va_list copy;
+
+		va_copy(copy, data->args);
+		entry->logger->vlog(entry->logger, data->group, data->level,
+							data->thread, data->ike_sa, data->message, copy);
+		va_end(copy);
 	}
-	entry->logger->log(entry->logger, data->group, data->level,
-					   data->thread, data->ike_sa, data->message);
 }
 
 METHOD(bus_t, vlog, void,
 	private_bus_t *this, debug_t group, level_t level,
 	char* format, va_list args)
 {
+	linked_list_t *loggers;
+	log_data_t data;
+
 	this->log_lock->read_lock(this->log_lock);
+	loggers = this->loggers[group];
+
 	if (this->max_level[group] >= level)
 	{
-		linked_list_t *loggers = this->loggers[group];
-		log_data_t data;
-		va_list copy;
 		char buf[1024];
 		ssize_t len;
 
@@ -304,9 +338,9 @@ METHOD(bus_t, vlog, void,
 		data.level = level;
 		data.message = buf;
 
-		va_copy(copy, args);
-		len = vsnprintf(data.message, sizeof(buf), format, copy);
-		va_end(copy);
+		va_copy(data.args, args);
+		len = vsnprintf(data.message, sizeof(buf), format, data.args);
+		va_end(data.args);
 		if (len >= sizeof(buf))
 		{
 			len++;
@@ -323,6 +357,19 @@ METHOD(bus_t, vlog, void,
 			free(data.message);
 		}
 	}
+	if (this->max_vlevel[group] >= level)
+	{
+		data.ike_sa = this->thread_sa->get(this->thread_sa);
+		data.thread = thread_current_id();
+		data.group = group;
+		data.level = level;
+		data.message = format;
+
+		va_copy(data.args, args);
+		loggers->invoke_function(loggers, (linked_list_invoke_t)vlog_cb, &data);
+		va_end(data.args);
+	}
+
 	this->log_lock->unlock(this->log_lock);
 }
 
@@ -786,10 +833,37 @@ METHOD(bus_t, assign_vips, void,
 	this->mutex->unlock(this->mutex);
 }
 
+/**
+ * Credential manager hook function to forward bus alerts
+ */
+static void hook_creds(private_bus_t *this, credential_hook_type_t type,
+					   certificate_t *cert)
+{
+	switch (type)
+	{
+		case CRED_HOOK_EXPIRED:
+			return alert(this, ALERT_CERT_EXPIRED, cert);
+		case CRED_HOOK_REVOKED:
+			return alert(this, ALERT_CERT_REVOKED, cert);
+		case CRED_HOOK_VALIDATION_FAILED:
+			return alert(this, ALERT_CERT_VALIDATION_FAILED, cert);
+		case CRED_HOOK_NO_ISSUER:
+			return alert(this, ALERT_CERT_NO_ISSUER, cert);
+		case CRED_HOOK_UNTRUSTED_ROOT:
+			return alert(this, ALERT_CERT_UNTRUSTED_ROOT, cert);
+		case CRED_HOOK_EXCEEDED_PATH_LEN:
+			return alert(this, ALERT_CERT_EXCEEDED_PATH_LEN, cert);
+		case CRED_HOOK_POLICY_VIOLATION:
+			return alert(this, ALERT_CERT_POLICY_VIOLATION, cert);
+	}
+}
+
 METHOD(bus_t, destroy, void,
 	private_bus_t *this)
 {
 	debug_t group;
+
+	lib->credmgr->set_hook(lib->credmgr, NULL, NULL);
 	for (group = 0; group < DBG_MAX; group++)
 	{
 		this->loggers[group]->destroy(this->loggers[group]);
@@ -847,8 +921,10 @@ bus_t *bus_create()
 	{
 		this->loggers[group] = linked_list_create();
 		this->max_level[group] = LEVEL_SILENT;
+		this->max_vlevel[group] = LEVEL_SILENT;
 	}
 
+	lib->credmgr->set_hook(lib->credmgr, (credential_hook_t)hook_creds, this);
+
 	return &this->public;
 }
-
diff --git a/src/libcharon/bus/bus.h b/src/libcharon/bus/bus.h
index 75244d6bf..4a0ac68e3 100644
--- a/src/libcharon/bus/bus.h
+++ b/src/libcharon/bus/bus.h
@@ -86,7 +86,7 @@ enum alert_t {
 	ALERT_RADIUS_NOT_RESPONDING,
 	/** a shutdown signal has been received, argument is the signal (int) */
 	ALERT_SHUTDOWN_SIGNAL,
-	/** creating local authentication data failed, no arguments */
+	/** local peer authentication failed (by us or by peer), no arguments */
 	ALERT_LOCAL_AUTH_FAILED,
 	/** peer authentication failed, no arguments */
 	ALERT_PEER_AUTH_FAILED,
@@ -116,6 +116,10 @@ enum alert_t {
 	/** traffic selectors do not match, arguments are two linked_list_t
 	 *  containing traffic_selector_t for initiator and for responder */
 	ALERT_TS_MISMATCH,
+	/** traffic selectors have been narrowed by the peer, arguments are
+	 *  an int (TRUE for local TS), a linked_list_t* (final TS list), and the
+	 *  child_cfg_t*. */
+	ALERT_TS_NARROWED,
 	/** Installation of IPsec SAs failed, argument is child_sa_t */
 	ALERT_INSTALL_CHILD_SA_FAILED,
 	/** Installation of IPsec Policy failed, argument is child_sa_t */
@@ -132,6 +136,20 @@ enum alert_t {
 	ALERT_AUTHORIZATION_FAILED,
 	/** IKE_SA hit the hard lifetime limit before it could be rekeyed */
 	ALERT_IKE_SA_EXPIRED,
+	/** Certificate rejected; it has expired, certificate_t */
+	ALERT_CERT_EXPIRED,
+	/** Certificate rejected; it has been revoked, certificate_t */
+	ALERT_CERT_REVOKED,
+	/** Validating certificate status failed, certificate_t */
+	ALERT_CERT_VALIDATION_FAILED,
+	/** Certificate rejected; no trusted issuer found, certificate_t */
+	ALERT_CERT_NO_ISSUER,
+	/** Certificate rejected; root not trusted, certificate_t */
+	ALERT_CERT_UNTRUSTED_ROOT,
+	/** Certificate rejected; trustchain length exceeds limit, certificate_t */
+	ALERT_CERT_EXCEEDED_PATH_LEN,
+	/** Certificate rejected; other policy violation, certificate_t */
+	ALERT_CERT_POLICY_VIOLATION,
 };
 
 /**
diff --git a/src/libcharon/bus/listeners/listener.h b/src/libcharon/bus/listeners/listener.h
index ef4daced2..57445df01 100644
--- a/src/libcharon/bus/listeners/listener.h
+++ b/src/libcharon/bus/listeners/listener.h
@@ -31,7 +31,7 @@ typedef struct listener_t listener_t;
 struct listener_t {
 
 	/**
-	 * Hook called if a critical alert is risen.
+	 * Hook called if a critical alert is raised.
 	 *
 	 * @param ike_sa	IKE_SA associated to the alert, if any
 	 * @param alert		kind of alert
diff --git a/src/libcharon/bus/listeners/logger.h b/src/libcharon/bus/listeners/logger.h
index 3b99e7dc1..d5432d3a8 100644
--- a/src/libcharon/bus/listeners/logger.h
+++ b/src/libcharon/bus/listeners/logger.h
@@ -27,12 +27,33 @@ typedef struct logger_t logger_t;
 
 /**
  * Logger interface, listens for log events on the bus.
+ *
+ * Calls to bus_t.log() are handled separately from calls to other functions.
+ * Logger functions may be called concurrently by multiple threads. Also
+ * recursive calls are not prevented, loggers that may cause recursive log
+ * messages are responsible to avoid infinite loops.
+ *
+ * Both the log() and the vlog() methods are optional to implement. With many
+ * loggers, using log() may be faster as printf() format substitution is done
+ * only once for all loggers.
  */
 struct logger_t {
 
 	/**
 	 * Log a debugging message.
 	 *
+	 * @param group		kind of the signal (up, down, rekeyed, ...)
+	 * @param level		verbosity level of the signal
+	 * @param thread	ID of the thread raised this signal
+	 * @param ike_sa	IKE_SA associated to the event
+	 * @param message	log message
+	 */
+	void (*log)(logger_t *this, debug_t group, level_t level, int thread,
+				ike_sa_t *ike_sa, const char *message);
+
+	/**
+	 * Log a debugging message with a format string.
+	 *
 	 * @note Calls to bus_t.log() are handled separately from calls to
 	 * other functions.  This callback may be called concurrently by
 	 * multiple threads.  Also recursive calls are not prevented, loggers that
@@ -42,10 +63,11 @@ struct logger_t {
 	 * @param level		verbosity level of the signal
 	 * @param thread	ID of the thread raised this signal
 	 * @param ike_sa	IKE_SA associated to the event
-	 * @param message	log message
+	 * @param fmt		log message format string
+	 * @param args		variable arguments to format string
 	 */
-	void (*log)(logger_t *this, debug_t group, level_t level, int thread,
-				ike_sa_t *ike_sa, const char *message);
+	void (*vlog)(logger_t *this, debug_t group, level_t level, int thread,
+				 ike_sa_t *ike_sa, const char *fmt, va_list args);
 
 	/**
 	 * Get the desired log level for a debug group.  This is called during
diff --git a/src/libcharon/bus/listeners/sys_logger.c b/src/libcharon/bus/listeners/sys_logger.c
index 82e2c8e4c..4aeb1c048 100644
--- a/src/libcharon/bus/listeners/sys_logger.c
+++ b/src/libcharon/bus/listeners/sys_logger.c
@@ -173,6 +173,7 @@ sys_logger_t *sys_logger_create(int facility)
 	);
 
 	set_level(this, DBG_ANY, LEVEL_SILENT);
+	setlogmask(LOG_UPTO(LOG_INFO));
 
 	return &this->public;
 }
diff --git a/src/libcharon/config/child_cfg.c b/src/libcharon/config/child_cfg.c
index 33d47a41e..6fe7d44b8 100644
--- a/src/libcharon/config/child_cfg.c
+++ b/src/libcharon/config/child_cfg.c
@@ -286,15 +286,17 @@ METHOD(child_cfg_t, get_traffic_selectors, linked_list_t*,
 			DBG2(DBG_CFG, " %R", ts1);
 			result->insert_last(result, ts1);
 		}
+		derived->destroy(derived);
 	}
 	else
 	{
-		e1 = supplied->create_enumerator(supplied);
+		e1 = derived->create_enumerator(derived);
+		e2 = supplied->create_enumerator(supplied);
 		/* enumerate all configured/derived selectors */
-		while (derived->remove_first(derived, (void**)&ts1) == SUCCESS)
+		while (e1->enumerate(e1, &ts1))
 		{
 			/* enumerate all supplied traffic selectors */
-			while (e1->enumerate(e1, &ts2))
+			while (e2->enumerate(e2, &ts2))
 			{
 				selected = ts1->get_subset(ts1, ts2);
 				if (selected)
@@ -309,12 +311,28 @@ METHOD(child_cfg_t, get_traffic_selectors, linked_list_t*,
 						 ts1, ts2);
 				}
 			}
-			supplied->reset_enumerator(supplied, e1);
-			ts1->destroy(ts1);
+			supplied->reset_enumerator(supplied, e2);
+		}
+		e1->destroy(e1);
+		e2->destroy(e2);
+
+		/* check if we/peer did any narrowing, raise alert */
+		e1 = derived->create_enumerator(derived);
+		e2 = result->create_enumerator(result);
+		while (e1->enumerate(e1, &ts1))
+		{
+			if (!e2->enumerate(e2, &ts2) || !ts1->equals(ts1, ts2))
+			{
+				charon->bus->alert(charon->bus, ALERT_TS_NARROWED,
+								   local, result, this);
+				break;
+			}
 		}
 		e1->destroy(e1);
+		e2->destroy(e2);
+
+		derived->destroy_offset(derived, offsetof(traffic_selector_t, destroy));
 	}
-	derived->destroy(derived);
 
 	/* remove any redundant traffic selectors in the list */
 	e1 = result->create_enumerator(result);
@@ -573,4 +591,3 @@ child_cfg_t *child_cfg_create(char *name, lifetime_cfg_t *lifetime,
 
 	return &this->public;
 }
-
diff --git a/src/libcharon/config/child_cfg.h b/src/libcharon/config/child_cfg.h
index 6e8829a47..20d1fa811 100644
--- a/src/libcharon/config/child_cfg.h
+++ b/src/libcharon/config/child_cfg.h
@@ -213,14 +213,14 @@ struct child_cfg_t {
 	u_int32_t (*get_inactivity)(child_cfg_t *this);
 
 	/**
-	 * Specific reqid to use for CHILD_SA
+	 * Specific reqid to use for CHILD_SA.
 	 *
 	 * @return				reqid
 	 */
 	u_int32_t (*get_reqid)(child_cfg_t *this);
 
 	/**
-	 * Optional mark for CHILD_SA
+	 * Optional mark for CHILD_SA.
 	 *
 	 * @param inbound		TRUE for inbound, FALSE for outbound
 	 * @return				mark
@@ -235,7 +235,7 @@ struct child_cfg_t {
 	u_int32_t (*get_tfc)(child_cfg_t *this);
 
 	/**
-	 * Sets two options needed for Mobile IPv6 interoperability
+	 * Sets two options needed for Mobile IPv6 interoperability.
 	 *
 	 * @param proxy_mode	use IPsec transport proxy mode (default FALSE)
 	 * @param install_policy install IPsec kernel policies (default TRUE)
@@ -244,7 +244,7 @@ struct child_cfg_t {
 												 bool install_policy);
 
 	/**
-	 * Check whether IPsec transport SA should be set up in proxy mode
+	 * Check whether IPsec transport SA should be set up in proxy mode.
 	 *
 	 * @return				TRUE, if proxy mode should be used
 	 *						FALSE, otherwise
@@ -252,7 +252,7 @@ struct child_cfg_t {
 	bool (*use_proxy_mode)(child_cfg_t *this);
 
 	/**
-	 * Check whether IPsec policies should be installed in the kernel
+	 * Check whether IPsec policies should be installed in the kernel.
 	 *
 	 * @return				TRUE, if IPsec kernel policies should be installed
 	 *						FALSE, otherwise
diff --git a/src/libcharon/config/peer_cfg.c b/src/libcharon/config/peer_cfg.c
index 8de7d1289..eb983199b 100644
--- a/src/libcharon/config/peer_cfg.c
+++ b/src/libcharon/config/peer_cfg.c
@@ -249,7 +249,7 @@ static int get_ts_match(child_cfg_t *cfg, bool local,
 {
 	linked_list_t *cfg_list;
 	enumerator_t *sup_enum, *cfg_enum;
-	traffic_selector_t *sup_ts, *cfg_ts;
+	traffic_selector_t *sup_ts, *cfg_ts, *subset;
 	int match = 0, round;
 
 	/* fetch configured TS list, narrowing dynamic TS */
@@ -268,10 +268,14 @@ static int get_ts_match(child_cfg_t *cfg, bool local,
 			{	/* equality is honored better than matches */
 				match += round * 5;
 			}
-			else if (cfg_ts->is_contained_in(cfg_ts, sup_ts) ||
-					 sup_ts->is_contained_in(sup_ts, cfg_ts))
+			else
 			{
-				match += round * 1;
+				subset = cfg_ts->get_subset(cfg_ts, sup_ts);
+				if (subset)
+				{
+					subset->destroy(subset);
+					match += round * 1;
+				}
 			}
 		}
 		cfg_enum->destroy(cfg_enum);
diff --git a/src/libcharon/config/peer_cfg.h b/src/libcharon/config/peer_cfg.h
index 80913beba..e62e03ec5 100644
--- a/src/libcharon/config/peer_cfg.h
+++ b/src/libcharon/config/peer_cfg.h
@@ -176,7 +176,7 @@ struct peer_cfg_t {
 	/**
 	 * Add an authentication config to the peer configuration.
 	 *
-	 * @param config		config to add
+	 * @param cfg			config to add
 	 * @param local			TRUE for local rules, FALSE for remote constraints
 	 */
 	void (*add_auth_cfg)(peer_cfg_t *this, auth_cfg_t *cfg, bool local);
@@ -190,7 +190,7 @@ struct peer_cfg_t {
 	enumerator_t* (*create_auth_cfg_enumerator)(peer_cfg_t *this, bool local);
 
 	/**
-	 * Should be sent a certificate for this connection?
+	 * Should a certificate be sent for this connection?
 	 *
 	 * @return			certificate sending policy
 	 */
diff --git a/src/libcharon/config/proposal.c b/src/libcharon/config/proposal.c
index 4803c7be2..0b702e014 100644
--- a/src/libcharon/config/proposal.c
+++ b/src/libcharon/config/proposal.c
@@ -19,7 +19,7 @@
 #include "proposal.h"
 
 #include <daemon.h>
-#include <collections/linked_list.h>
+#include <collections/array.h>
 #include <utils/identification.h>
 
 #include <crypto/transform.h>
@@ -36,7 +36,6 @@ ENUM(protocol_id_names, PROTO_NONE, PROTO_IPCOMP,
 );
 
 typedef struct private_proposal_t private_proposal_t;
-typedef struct algorithm_t algorithm_t;
 
 /**
  * Private data of an proposal_t object
@@ -54,29 +53,9 @@ struct private_proposal_t {
 	protocol_id_t protocol;
 
 	/**
-	 * priority ordered list of encryption algorithms
+	 * Priority ordered list of transforms, as entry_t
 	 */
-	linked_list_t *encryption_algos;
-
-	/**
-	 * priority ordered list of integrity algorithms
-	 */
-	linked_list_t *integrity_algos;
-
-	/**
-	 * priority ordered list of pseudo random functions
-	 */
-	linked_list_t *prf_algos;
-
-	/**
-	 * priority ordered list of dh groups
-	 */
-	linked_list_t *dh_groups;
-
-	/**
-	 * priority ordered list of extended sequence number flags
-	 */
-	linked_list_t *esns;
+	array_t *transforms;
 
 	/**
 	 * senders SPI
@@ -92,68 +71,47 @@ struct private_proposal_t {
 /**
  * Struct used to store different kinds of algorithms.
  */
-struct algorithm_t {
-	/**
-	 * Value from an encryption_algorithm_t/integrity_algorithm_t/...
-	 */
-	u_int16_t algorithm;
-
-	/**
-	 * the associated key size in bits, or zero if not needed
-	 */
+typedef struct {
+	/** Type of the transform */
+	transform_type_t type;
+	/** algorithm identifier */
+	u_int16_t alg;
+	/** key size in bits, or zero if not needed */
 	u_int16_t key_size;
-};
-
-/**
- * Add algorithm/keysize to a algorithm list
- */
-static void add_algo(linked_list_t *list, u_int16_t algo, u_int16_t key_size)
-{
-	algorithm_t *algo_key;
-
-	algo_key = malloc_thing(algorithm_t);
-	algo_key->algorithm = algo;
-	algo_key->key_size = key_size;
-	list->insert_last(list, (void*)algo_key);
-}
+} entry_t;
 
 METHOD(proposal_t, add_algorithm, void,
 	private_proposal_t *this, transform_type_t type,
-	u_int16_t algo, u_int16_t key_size)
+	u_int16_t alg, u_int16_t key_size)
 {
-	switch (type)
-	{
-		case ENCRYPTION_ALGORITHM:
-			add_algo(this->encryption_algos, algo, key_size);
-			break;
-		case INTEGRITY_ALGORITHM:
-			add_algo(this->integrity_algos, algo, key_size);
-			break;
-		case PSEUDO_RANDOM_FUNCTION:
-			add_algo(this->prf_algos, algo, key_size);
-			break;
-		case DIFFIE_HELLMAN_GROUP:
-			add_algo(this->dh_groups, algo, 0);
-			break;
-		case EXTENDED_SEQUENCE_NUMBERS:
-			add_algo(this->esns, algo, 0);
-			break;
-		default:
-			break;
-	}
+	entry_t entry = {
+		.type = type,
+		.alg = alg,
+		.key_size = key_size,
+	};
+
+	array_insert(this->transforms, ARRAY_TAIL, &entry);
 }
 
 /**
  * filter function for peer configs
  */
-static bool alg_filter(void *null, algorithm_t **in, u_int16_t *alg,
+static bool alg_filter(uintptr_t type, entry_t **in, u_int16_t *alg,
 					   void **unused, u_int16_t *key_size)
 {
-	algorithm_t *algo = *in;
-	*alg = algo->algorithm;
+	entry_t *entry = *in;
+
+	if (entry->type != type)
+	{
+		return FALSE;
+	}
+	if (alg)
+	{
+		*alg = entry->alg;
+	}
 	if (key_size)
 	{
-		*key_size = algo->key_size;
+		*key_size = entry->key_size;
 	}
 	return TRUE;
 }
@@ -161,30 +119,9 @@ static bool alg_filter(void *null, algorithm_t **in, u_int16_t *alg,
 METHOD(proposal_t, create_enumerator, enumerator_t*,
 	private_proposal_t *this, transform_type_t type)
 {
-	linked_list_t *list;
-
-	switch (type)
-	{
-		case ENCRYPTION_ALGORITHM:
-			list = this->encryption_algos;
-			break;
-		case INTEGRITY_ALGORITHM:
-			list = this->integrity_algos;
-			break;
-		case PSEUDO_RANDOM_FUNCTION:
-			list = this->prf_algos;
-			break;
-		case DIFFIE_HELLMAN_GROUP:
-			list = this->dh_groups;
-			break;
-		case EXTENDED_SEQUENCE_NUMBERS:
-			list = this->esns;
-			break;
-		default:
-			return NULL;
-	}
-	return enumerator_create_filter(list->create_enumerator(list),
-									(void*)alg_filter, NULL, NULL);
+	return enumerator_create_filter(
+						array_create_enumerator(this->transforms),
+						(void*)alg_filter, (void*)(uintptr_t)type, NULL);
 }
 
 METHOD(proposal_t, get_algorithm, bool,
@@ -200,84 +137,91 @@ METHOD(proposal_t, get_algorithm, bool,
 		found = TRUE;
 	}
 	enumerator->destroy(enumerator);
+
 	return found;
 }
 
 METHOD(proposal_t, has_dh_group, bool,
 	private_proposal_t *this, diffie_hellman_group_t group)
 {
-	bool result = FALSE;
+	bool found = FALSE, any = FALSE;
+	enumerator_t *enumerator;
+	u_int16_t current;
 
-	if (this->dh_groups->get_count(this->dh_groups))
+	enumerator = create_enumerator(this, DIFFIE_HELLMAN_GROUP);
+	while (enumerator->enumerate(enumerator, &current, NULL))
 	{
-		algorithm_t *current;
-		enumerator_t *enumerator;
-
-		enumerator = this->dh_groups->create_enumerator(this->dh_groups);
-		while (enumerator->enumerate(enumerator, (void**)&current))
+		any = TRUE;
+		if (current == group)
 		{
-			if (current->algorithm == group)
-			{
-				result = TRUE;
-				break;
-			}
+			found = TRUE;
+			break;
 		}
-		enumerator->destroy(enumerator);
 	}
-	else if (group == MODP_NONE)
+	enumerator->destroy(enumerator);
+
+	if (!any && group == MODP_NONE)
 	{
-		result = TRUE;
+		found = TRUE;
 	}
-	return result;
+	return found;
 }
 
 METHOD(proposal_t, strip_dh, void,
 	private_proposal_t *this, diffie_hellman_group_t keep)
 {
 	enumerator_t *enumerator;
-	algorithm_t *alg;
+	entry_t *entry;
 
-	enumerator = this->dh_groups->create_enumerator(this->dh_groups);
-	while (enumerator->enumerate(enumerator, (void**)&alg))
+	enumerator = array_create_enumerator(this->transforms);
+	while (enumerator->enumerate(enumerator, &entry))
 	{
-		if (alg->algorithm != keep)
+		if (entry->type == DIFFIE_HELLMAN_GROUP &&
+			entry->alg != keep)
 		{
-			this->dh_groups->remove_at(this->dh_groups, enumerator);
-			free(alg);
+			array_remove_at(this->transforms, enumerator);
 		}
 	}
 	enumerator->destroy(enumerator);
 }
 
 /**
- * Find a matching alg/keysize in two linked lists
+ * Select a matching proposal from this and other, insert into selected.
  */
-static bool select_algo(linked_list_t *first, linked_list_t *second, bool priv,
-						bool *add, u_int16_t *alg, size_t *key_size)
+static bool select_algo(private_proposal_t *this, proposal_t *other,
+						proposal_t *selected, transform_type_t type, bool priv)
 {
 	enumerator_t *e1, *e2;
-	algorithm_t *alg1, *alg2;
+	u_int16_t alg1, alg2, ks1, ks2;
+	bool found = FALSE;
 
-	/* if in both are zero algorithms specified, we HAVE a match */
-	if (first->get_count(first) == 0 && second->get_count(second) == 0)
+	if (type == INTEGRITY_ALGORITHM &&
+		selected->get_algorithm(selected, ENCRYPTION_ALGORITHM, &alg1, NULL) &&
+		encryption_algorithm_is_aead(alg1))
 	{
-		*add = FALSE;
+		/* no integrity algorithm required, we have an AEAD */
 		return TRUE;
 	}
 
-	e1 = first->create_enumerator(first);
-	e2 = second->create_enumerator(second);
+	e1 = create_enumerator(this, type);
+	e2 = other->create_enumerator(other, type);
+	if (!e1->enumerate(e1, NULL, NULL) && !e2->enumerate(e2, NULL, NULL))
+	{
+		found = TRUE;
+	}
+
+	e1->destroy(e1);
+	e1 = create_enumerator(this, type);
 	/* compare algs, order of algs in "first" is preferred */
-	while (e1->enumerate(e1, &alg1))
+	while (!found && e1->enumerate(e1, &alg1, &ks1))
 	{
 		e2->destroy(e2);
-		e2 = second->create_enumerator(second);
-		while (e2->enumerate(e2, &alg2))
+		e2 = other->create_enumerator(other, type);
+		while (e2->enumerate(e2, &alg2, &ks2))
 		{
-			if (alg1->algorithm == alg2->algorithm &&
-				alg1->key_size == alg2->key_size)
+			if (alg1 == alg2 && ks1 == ks2)
 			{
-				if (!priv && alg1->algorithm >= 1024)
+				if (!priv && alg1 >= 1024)
 				{
 					/* accept private use algorithms only if requested */
 					DBG1(DBG_CFG, "an algorithm from private space would match, "
@@ -285,132 +229,52 @@ static bool select_algo(linked_list_t *first, linked_list_t *second, bool priv,
 					continue;
 				}
 				/* ok, we have an algorithm */
-				*alg = alg1->algorithm;
-				*key_size = alg1->key_size;
-				*add = TRUE;
-				e1->destroy(e1);
-				e2->destroy(e2);
-				return TRUE;
+				selected->add_algorithm(selected, type, alg1, ks1);
+				found = TRUE;
+				break;
 			}
 		}
 	}
 	/* no match in all comparisons */
 	e1->destroy(e1);
 	e2->destroy(e2);
-	return FALSE;
+
+	if (!found)
+	{
+		DBG2(DBG_CFG, "  no acceptable %N found", transform_type_names, type);
+	}
+	return found;
 }
 
 METHOD(proposal_t, select_proposal, proposal_t*,
-	private_proposal_t *this, proposal_t *other_pub, bool private)
+	private_proposal_t *this, proposal_t *other, bool private)
 {
-	private_proposal_t *other = (private_proposal_t*)other_pub;
 	proposal_t *selected;
-	u_int16_t algo;
-	size_t key_size;
-	bool add;
 
 	DBG2(DBG_CFG, "selecting proposal:");
 
-	/* check protocol */
-	if (this->protocol != other->protocol)
+	if (this->protocol != other->get_protocol(other))
 	{
 		DBG2(DBG_CFG, "  protocol mismatch, skipping");
 		return NULL;
 	}
 
-	selected = proposal_create(this->protocol, other->number);
+	selected = proposal_create(this->protocol, other->get_number(other));
 
-	/* select encryption algorithm */
-	if (select_algo(this->encryption_algos, other->encryption_algos, private,
-					&add, &algo, &key_size))
-	{
-		if (add)
-		{
-			selected->add_algorithm(selected, ENCRYPTION_ALGORITHM,
-									algo, key_size);
-		}
-	}
-	else
+	if (!select_algo(this, other, selected, ENCRYPTION_ALGORITHM, private) ||
+		!select_algo(this, other, selected, PSEUDO_RANDOM_FUNCTION, private) ||
+		!select_algo(this, other, selected, INTEGRITY_ALGORITHM, private) ||
+		!select_algo(this, other, selected, DIFFIE_HELLMAN_GROUP, private) ||
+		!select_algo(this, other, selected, EXTENDED_SEQUENCE_NUMBERS, private))
 	{
 		selected->destroy(selected);
-		DBG2(DBG_CFG, "  no acceptable %N found",
-			 transform_type_names, ENCRYPTION_ALGORITHM);
-		return NULL;
-	}
-	/* select integrity algorithm */
-	if (!encryption_algorithm_is_aead(algo))
-	{
-		if (select_algo(this->integrity_algos, other->integrity_algos, private,
-						&add, &algo, &key_size))
-		{
-			if (add)
-			{
-				selected->add_algorithm(selected, INTEGRITY_ALGORITHM,
-										algo, key_size);
-			}
-		}
-		else
-		{
-			selected->destroy(selected);
-			DBG2(DBG_CFG, "  no acceptable %N found",
-				 transform_type_names, INTEGRITY_ALGORITHM);
-			return NULL;
-		}
-	}
-	/* select prf algorithm */
-	if (select_algo(this->prf_algos, other->prf_algos, private,
-					&add, &algo, &key_size))
-	{
-		if (add)
-		{
-			selected->add_algorithm(selected, PSEUDO_RANDOM_FUNCTION,
-									algo, key_size);
-		}
-	}
-	else
-	{
-		selected->destroy(selected);
-		DBG2(DBG_CFG, "  no acceptable %N found",
-			 transform_type_names, PSEUDO_RANDOM_FUNCTION);
-		return NULL;
-	}
-	/* select a DH-group */
-	if (select_algo(this->dh_groups, other->dh_groups, private,
-					&add, &algo, &key_size))
-	{
-		if (add)
-		{
-			selected->add_algorithm(selected, DIFFIE_HELLMAN_GROUP, algo, 0);
-		}
-	}
-	else
-	{
-		selected->destroy(selected);
-		DBG2(DBG_CFG, "  no acceptable %N found",
-			 transform_type_names, DIFFIE_HELLMAN_GROUP);
-		return NULL;
-	}
-	/* select if we use ESNs (has no private use space) */
-	if (select_algo(this->esns, other->esns, TRUE, &add, &algo, &key_size))
-	{
-		if (add)
-		{
-			selected->add_algorithm(selected, EXTENDED_SEQUENCE_NUMBERS, algo, 0);
-		}
-	}
-	else
-	{
-		selected->destroy(selected);
-		DBG2(DBG_CFG, "  no acceptable %N found",
-			 transform_type_names, EXTENDED_SEQUENCE_NUMBERS);
 		return NULL;
 	}
+
 	DBG2(DBG_CFG, "  proposal matches");
 
-	/* apply SPI from "other" */
-	selected->set_spi(selected, other->spi);
+	selected->set_spi(selected, other->get_spi(other));
 
-	/* everything matched, return new proposal */
 	return selected;
 }
 
@@ -433,50 +297,39 @@ METHOD(proposal_t, get_spi, u_int64_t,
 }
 
 /**
- * Clone a algorithm list
+ * Check if two proposals have the same algorithms for a given transform type
  */
-static void clone_algo_list(linked_list_t *list, linked_list_t *clone_list)
-{
-	algorithm_t *algo, *clone_algo;
-	enumerator_t *enumerator;
-
-	enumerator = list->create_enumerator(list);
-	while (enumerator->enumerate(enumerator, &algo))
-	{
-		clone_algo = malloc_thing(algorithm_t);
-		memcpy(clone_algo, algo, sizeof(algorithm_t));
-		clone_list->insert_last(clone_list, (void*)clone_algo);
-	}
-	enumerator->destroy(enumerator);
-}
-
-/**
- * check if an algorithm list equals
- */
-static bool algo_list_equals(linked_list_t *l1, linked_list_t *l2)
+static bool algo_list_equals(private_proposal_t *this, proposal_t *other,
+							 transform_type_t type)
 {
 	enumerator_t *e1, *e2;
-	algorithm_t *alg1, *alg2;
+	u_int16_t alg1, alg2, ks1, ks2;
 	bool equals = TRUE;
 
-	if (l1->get_count(l1) != l2->get_count(l2))
-	{
-		return FALSE;
-	}
-
-	e1 = l1->create_enumerator(l1);
-	e2 = l2->create_enumerator(l2);
-	while (e1->enumerate(e1, &alg1) && e2->enumerate(e2, &alg2))
+	e1 = create_enumerator(this, type);
+	e2 = other->create_enumerator(other, type);
+	while (e1->enumerate(e1, &alg1, &ks1))
 	{
-		if (alg1->algorithm != alg2->algorithm ||
-			alg1->key_size != alg2->key_size)
+		if (!e2->enumerate(e2, &alg2, &ks2))
+		{
+			/* this has more algs */
+			equals = FALSE;
+			break;
+		}
+		if (alg1 != alg2 || ks1 != ks2)
 		{
 			equals = FALSE;
 			break;
 		}
 	}
+	if (e2->enumerate(e2, &alg2, ks2))
+	{
+		/* other has more algs */
+		equals = FALSE;
+	}
 	e1->destroy(e1);
 	e2->destroy(e2);
+
 	return equals;
 }
 
@@ -487,33 +340,35 @@ METHOD(proposal_t, get_number, u_int,
 }
 
 METHOD(proposal_t, equals, bool,
-	private_proposal_t *this, proposal_t *other_pub)
+	private_proposal_t *this, proposal_t *other)
 {
-	private_proposal_t *other = (private_proposal_t*)other_pub;
-
-	if (this == other)
+	if (&this->public == other)
 	{
 		return TRUE;
 	}
 	return (
-		algo_list_equals(this->encryption_algos, other->encryption_algos) &&
-		algo_list_equals(this->integrity_algos, other->integrity_algos) &&
-		algo_list_equals(this->prf_algos, other->prf_algos) &&
-		algo_list_equals(this->dh_groups, other->dh_groups) &&
-		algo_list_equals(this->esns, other->esns));
+		algo_list_equals(this, other, ENCRYPTION_ALGORITHM) &&
+		algo_list_equals(this, other, INTEGRITY_ALGORITHM) &&
+		algo_list_equals(this, other, PSEUDO_RANDOM_FUNCTION) &&
+		algo_list_equals(this, other, DIFFIE_HELLMAN_GROUP) &&
+		algo_list_equals(this, other, EXTENDED_SEQUENCE_NUMBERS));
 }
 
 METHOD(proposal_t, clone_, proposal_t*,
 	private_proposal_t *this)
 {
 	private_proposal_t *clone;
+	enumerator_t *enumerator;
+	entry_t *entry;
 
 	clone = (private_proposal_t*)proposal_create(this->protocol, 0);
-	clone_algo_list(this->encryption_algos, clone->encryption_algos);
-	clone_algo_list(this->integrity_algos, clone->integrity_algos);
-	clone_algo_list(this->prf_algos, clone->prf_algos);
-	clone_algo_list(this->dh_groups, clone->dh_groups);
-	clone_algo_list(this->esns, clone->esns);
+
+	enumerator = array_create_enumerator(this->transforms);
+	while (enumerator->enumerate(enumerator, &entry))
+	{
+		array_insert(clone->transforms, ARRAY_TAIL, entry);
+	}
+	enumerator->destroy(enumerator);
 
 	clone->spi = this->spi;
 	clone->number = this->number;
@@ -544,34 +399,40 @@ static const struct {
 static void check_proposal(private_proposal_t *this)
 {
 	enumerator_t *e;
-	algorithm_t *alg;
+	entry_t *entry;
+	u_int16_t alg, ks;
 	bool all_aead = TRUE;
 	int i;
 
-	if (this->protocol == PROTO_IKE &&
-		this->prf_algos->get_count(this->prf_algos) == 0)
-	{	/* No explicit PRF found. We assume the same algorithm as used
-		 * for integrity checking */
-		e = this->integrity_algos->create_enumerator(this->integrity_algos);
-		while (e->enumerate(e, &alg))
+	if (this->protocol == PROTO_IKE)
+	{
+		e = create_enumerator(this, PSEUDO_RANDOM_FUNCTION);
+		if (!e->enumerate(e, &alg, &ks))
 		{
-			for (i = 0; i < countof(integ_prf_map); i++)
+			/* No explicit PRF found. We assume the same algorithm as used
+			 * for integrity checking */
+			e->destroy(e);
+			e = create_enumerator(this, INTEGRITY_ALGORITHM);
+			while (e->enumerate(e, &alg, &ks))
 			{
-				if (alg->algorithm == integ_prf_map[i].integ)
+				for (i = 0; i < countof(integ_prf_map); i++)
 				{
-					add_algorithm(this, PSEUDO_RANDOM_FUNCTION,
-								  integ_prf_map[i].prf, 0);
-					break;
+					if (alg == integ_prf_map[i].integ)
+					{
+						add_algorithm(this, PSEUDO_RANDOM_FUNCTION,
+									  integ_prf_map[i].prf, 0);
+						break;
+					}
 				}
 			}
 		}
 		e->destroy(e);
 	}
 
-	e = this->encryption_algos->create_enumerator(this->encryption_algos);
-	while (e->enumerate(e, &alg))
+	e = create_enumerator(this, ENCRYPTION_ALGORITHM);
+	while (e->enumerate(e, &alg, &ks))
 	{
-		if (!encryption_algorithm_is_aead(alg->algorithm))
+		if (!encryption_algorithm_is_aead(alg))
 		{
 			all_aead = FALSE;
 			break;
@@ -581,24 +442,30 @@ static void check_proposal(private_proposal_t *this)
 
 	if (all_aead)
 	{
-		/* if all encryption algorithms in the proposal are authenticated encryption
-		 * algorithms we MUST NOT propose any integrity algorithms */
-		while (this->integrity_algos->remove_last(this->integrity_algos,
-												  (void**)&alg) == SUCCESS)
+		/* if all encryption algorithms in the proposal are AEADs,
+		 * we MUST NOT propose any integrity algorithms */
+		e = array_create_enumerator(this->transforms);
+		while (e->enumerate(e, &entry))
 		{
-			free(alg);
+			if (entry->type == INTEGRITY_ALGORITHM)
+			{
+				array_remove_at(this->transforms, e);
+			}
 		}
+		e->destroy(e);
 	}
 
 	if (this->protocol == PROTO_AH || this->protocol == PROTO_ESP)
 	{
-		e = this->esns->create_enumerator(this->esns);
-		if (!e->enumerate(e, &alg))
+		e = create_enumerator(this, EXTENDED_SEQUENCE_NUMBERS);
+		if (!e->enumerate(e, NULL, NULL))
 		{	/* ESN not specified, assume not supported */
 			add_algorithm(this, EXTENDED_SEQUENCE_NUMBERS, NO_EXT_SEQ_NUMBERS, 0);
 		}
 		e->destroy(e);
 	}
+
+	array_compress(this->transforms);
 }
 
 /**
@@ -704,11 +571,7 @@ int proposal_printf_hook(printf_hook_data_t *data, printf_hook_spec_t *spec,
 METHOD(proposal_t, destroy, void,
 	private_proposal_t *this)
 {
-	this->encryption_algos->destroy_function(this->encryption_algos, free);
-	this->integrity_algos->destroy_function(this->integrity_algos, free);
-	this->prf_algos->destroy_function(this->prf_algos, free);
-	this->dh_groups->destroy_function(this->dh_groups, free);
-	this->esns->destroy_function(this->esns, free);
+	array_destroy(this->transforms);
 	free(this);
 }
 
@@ -737,11 +600,7 @@ proposal_t *proposal_create(protocol_id_t protocol, u_int number)
 		},
 		.protocol = protocol,
 		.number = number,
-		.encryption_algos = linked_list_create(),
-		.integrity_algos = linked_list_create(),
-		.prf_algos = linked_list_create(),
-		.dh_groups = linked_list_create(),
-		.esns = linked_list_create(),
+		.transforms = array_create(sizeof(entry_t), 0),
 	);
 
 	return &this->public;
@@ -768,6 +627,28 @@ static void proposal_add_supported_ike(private_proposal_t *this)
 			case ENCR_AES_CTR:
 			case ENCR_CAMELLIA_CBC:
 			case ENCR_CAMELLIA_CTR:
+				/* we assume that we support all AES/Camellia sizes */
+				add_algorithm(this, ENCRYPTION_ALGORITHM, encryption, 128);
+				add_algorithm(this, ENCRYPTION_ALGORITHM, encryption, 192);
+				add_algorithm(this, ENCRYPTION_ALGORITHM, encryption, 256);
+				break;
+			case ENCR_3DES:
+				add_algorithm(this, ENCRYPTION_ALGORITHM, encryption, 0);
+				break;
+			case ENCR_DES:
+				/* no, thanks */
+				break;
+			default:
+				break;
+		}
+	}
+	enumerator->destroy(enumerator);
+
+	enumerator = lib->crypto->create_aead_enumerator(lib->crypto);
+	while (enumerator->enumerate(enumerator, &encryption, &plugin_name))
+	{
+		switch (encryption)
+		{
 			case ENCR_AES_CCM_ICV8:
 			case ENCR_AES_CCM_ICV12:
 			case ENCR_AES_CCM_ICV16:
@@ -782,12 +663,6 @@ static void proposal_add_supported_ike(private_proposal_t *this)
 				add_algorithm(this, ENCRYPTION_ALGORITHM, encryption, 192);
 				add_algorithm(this, ENCRYPTION_ALGORITHM, encryption, 256);
 				break;
-			case ENCR_3DES:
-				add_algorithm(this, ENCRYPTION_ALGORITHM, encryption, 0);
-				break;
-			case ENCR_DES:
-				/* no, thanks */
-				break;
 			default:
 				break;
 		}
diff --git a/src/libcharon/control/controller.c b/src/libcharon/control/controller.c
index 0ee99c4b7..c546da544 100644
--- a/src/libcharon/control/controller.c
+++ b/src/libcharon/control/controller.c
@@ -412,6 +412,7 @@ METHOD(controller_t, initiate, status_t,
 		.refcount = 1,
 	);
 	job->listener.logger.listener = &job->listener;
+	thread_cleanup_push((void*)destroy_job, job);
 
 	if (callback == NULL)
 	{
@@ -425,7 +426,7 @@ METHOD(controller_t, initiate, status_t,
 		}
 	}
 	status = job->listener.status;
-	destroy_job(job);
+	thread_cleanup_pop(TRUE);
 	return status;
 }
 
@@ -500,6 +501,7 @@ METHOD(controller_t, terminate_ike, status_t,
 		.refcount = 1,
 	);
 	job->listener.logger.listener = &job->listener;
+	thread_cleanup_push((void*)destroy_job, job);
 
 	if (callback == NULL)
 	{
@@ -513,7 +515,7 @@ METHOD(controller_t, terminate_ike, status_t,
 		}
 	}
 	status = job->listener.status;
-	destroy_job(job);
+	thread_cleanup_pop(TRUE);
 	return status;
 }
 
@@ -615,6 +617,7 @@ METHOD(controller_t, terminate_child, status_t,
 		.refcount = 1,
 	);
 	job->listener.logger.listener = &job->listener;
+	thread_cleanup_push((void*)destroy_job, job);
 
 	if (callback == NULL)
 	{
@@ -628,7 +631,7 @@ METHOD(controller_t, terminate_child, status_t,
 		}
 	}
 	status = job->listener.status;
-	destroy_job(job);
+	thread_cleanup_pop(TRUE);
 	return status;
 }
 
diff --git a/src/libcharon/daemon.c b/src/libcharon/daemon.c
index b27e1776a..5e3ae72b9 100644
--- a/src/libcharon/daemon.c
+++ b/src/libcharon/daemon.c
@@ -33,10 +33,6 @@
 #include <processing/jobs/start_action_job.h>
 #include <threading/mutex.h>
 
-#ifndef CAP_NET_ADMIN
-#define CAP_NET_ADMIN 12
-#endif
-
 #ifndef LOG_AUTHPRIV /* not defined on OpenSolaris */
 #define LOG_AUTHPRIV LOG_AUTH
 #endif
@@ -471,7 +467,6 @@ static void destroy(private_daemon_t *this)
 	DESTROY_IF(this->public.xauth);
 	DESTROY_IF(this->public.backends);
 	DESTROY_IF(this->public.socket);
-	DESTROY_IF(this->public.caps);
 
 	/* rehook library logging, shutdown logging */
 	dbg = dbg_old;
@@ -534,12 +529,10 @@ METHOD(daemon_t, initialize, bool,
 									  countof(features), TRUE);
 
 	/* load plugins, further infrastructure may need it */
-	if (!lib->plugins->load(lib->plugins, NULL, plugins))
+	if (!lib->plugins->load(lib->plugins, plugins))
 	{
 		return FALSE;
 	}
-	DBG1(DBG_DMN, "loaded plugins: %s",
-		 lib->plugins->loaded_plugins(lib->plugins));
 
 	this->public.ike_sa_manager = ike_sa_manager_create();
 	if (this->public.ike_sa_manager == NULL)
@@ -583,7 +576,6 @@ private_daemon_t *daemon_create(const char *name)
 		.ref = 1,
 	);
 	charon = &this->public;
-	this->public.caps = capabilities_create();
 	this->public.controller = controller_create();
 	this->public.eap = eap_manager_create();
 	this->public.xauth = xauth_manager_create();
@@ -593,8 +585,6 @@ private_daemon_t *daemon_create(const char *name)
 	this->public.shunts = shunt_manager_create();
 	this->kernel_handler = kernel_handler_create();
 
-	this->public.caps->keep(this->public.caps, CAP_NET_ADMIN);
-
 	return this;
 }
 
diff --git a/src/libcharon/daemon.h b/src/libcharon/daemon.h
index 2926d945b..24e623c44 100644
--- a/src/libcharon/daemon.h
+++ b/src/libcharon/daemon.h
@@ -163,7 +163,6 @@ typedef struct daemon_t daemon_t;
 #include <config/backend_manager.h>
 #include <sa/eap/eap_manager.h>
 #include <sa/xauth/xauth_manager.h>
-#include <utils/capabilities.h>
 
 #ifdef ME
 #include <sa/ikev2/connect_manager.h>
@@ -272,11 +271,6 @@ struct daemon_t {
 	mediation_manager_t *mediation_manager;
 #endif /* ME */
 
-	/**
-	 * POSIX capability dropping
-	 */
-	capabilities_t *caps;
-
 	/**
 	 * Name of the binary that uses the library (used for settings etc.)
 	 */
diff --git a/src/libcharon/encoding/message.c b/src/libcharon/encoding/message.c
index 749c326a5..9bb8e5145 100644
--- a/src/libcharon/encoding/message.c
+++ b/src/libcharon/encoding/message.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2006-2011 Tobias Brunner
+ * Copyright (C) 2006-2013 Tobias Brunner
  * Copyright (C) 2005-2010 Martin Willi
  * Copyright (C) 2010 revosec AG
  * Copyright (C) 2006 Daniel Roethlisberger
@@ -1409,7 +1409,7 @@ static encryption_payload_t* wrap_payloads(private_message_t *this)
 		}
 		if (encrypt || this->is_encrypted)
 		{	/* encryption is forced for IKEv1 */
-			DBG2(DBG_ENC, "insert payload %N to encryption payload",
+			DBG2(DBG_ENC, "insert payload %N into encrypted payload",
 				 payload_type_names, type);
 			encryption->add_payload(encryption, current);
 		}
@@ -1799,15 +1799,15 @@ static status_t parse_payloads(private_message_t *this)
 			return VERIFY_ERROR;
 		}
 
-		DBG2(DBG_ENC, "%N payload verified. Adding to payload list",
+		DBG2(DBG_ENC, "%N payload verified, adding to payload list",
 			 payload_type_names, type);
 		this->payloads->insert_last(this->payloads, payload);
 
-		/* an encryption payload is the last one, so STOP here. decryption is
+		/* an encrypted payload is the last one, so STOP here. decryption is
 		 * done later */
 		if (type == ENCRYPTED)
 		{
-			DBG2(DBG_ENC, "%N payload found. Stop parsing",
+			DBG2(DBG_ENC, "%N payload found, stop parsing",
 				 payload_type_names, type);
 			break;
 		}
@@ -1816,18 +1816,102 @@ static status_t parse_payloads(private_message_t *this)
 	return SUCCESS;
 }
 
+/**
+ * Decrypt an encrypted payload and extract all contained payloads.
+ */
+static status_t decrypt_and_extract(private_message_t *this, keymat_t *keymat,
+						payload_t *previous, encryption_payload_t *encryption)
+{
+	payload_t *encrypted;
+	payload_type_t type;
+	chunk_t chunk;
+	aead_t *aead;
+	size_t bs;
+	status_t status = SUCCESS;
+
+	if (!keymat)
+	{
+		DBG1(DBG_ENC, "found encrypted payload, but no keymat");
+		return INVALID_ARG;
+	}
+	aead = keymat->get_aead(keymat, TRUE);
+	if (!aead)
+	{
+		DBG1(DBG_ENC, "found encrypted payload, but no transform set");
+		return INVALID_ARG;
+	}
+	bs = aead->get_block_size(aead);
+	encryption->set_transform(encryption, aead);
+	chunk = this->packet->get_data(this->packet);
+	if (chunk.len < encryption->get_length(encryption) ||
+		chunk.len < bs)
+	{
+		DBG1(DBG_ENC, "invalid payload length");
+		return VERIFY_ERROR;
+	}
+	if (keymat->get_version(keymat) == IKEV1)
+	{	/* instead of associated data we provide the IV, we also update
+		 * the IV with the last encrypted block */
+		keymat_v1_t *keymat_v1 = (keymat_v1_t*)keymat;
+		chunk_t iv;
+
+		if (keymat_v1->get_iv(keymat_v1, this->message_id, &iv))
+		{
+			status = encryption->decrypt(encryption, iv);
+			if (status == SUCCESS)
+			{
+				if (!keymat_v1->update_iv(keymat_v1, this->message_id,
+						chunk_create(chunk.ptr + chunk.len - bs, bs)))
+				{
+					status = FAILED;
+				}
+			}
+		}
+		else
+		{
+			status = FAILED;
+		}
+	}
+	else
+	{
+		chunk.len -= encryption->get_length(encryption);
+		status = encryption->decrypt(encryption, chunk);
+	}
+	if (status != SUCCESS)
+	{
+		return status;
+	}
+
+	while ((encrypted = encryption->remove_payload(encryption)))
+	{
+		type = encrypted->get_type(encrypted);
+		if (previous)
+		{
+			previous->set_next_type(previous, type);
+		}
+		else
+		{
+			this->first_payload = type;
+		}
+		DBG2(DBG_ENC, "insert decrypted payload of type %N at end of list",
+			 payload_type_names, type);
+		this->payloads->insert_last(this->payloads, encrypted);
+		previous = encrypted;
+	}
+	return SUCCESS;
+}
+
 /**
  * Decrypt payload from the encryption payload
  */
 static status_t decrypt_payloads(private_message_t *this, keymat_t *keymat)
 {
-	bool was_encrypted = FALSE;
 	payload_t *payload, *previous = NULL;
 	enumerator_t *enumerator;
 	payload_rule_t *rule;
 	payload_type_t type;
-	aead_t *aead;
 	status_t status = SUCCESS;
+	bool was_encrypted = FALSE;
 
 	enumerator = this->payloads->create_enumerator(this->payloads);
 	while (enumerator->enumerate(enumerator, &payload))
@@ -1839,97 +1923,35 @@ static status_t decrypt_payloads(private_message_t *this, keymat_t *keymat)
 		if (type == ENCRYPTED || type == ENCRYPTED_V1)
 		{
 			encryption_payload_t *encryption;
-			payload_t *encrypted;
-			chunk_t chunk;
-			size_t bs;
-
-			encryption = (encryption_payload_t*)payload;
 
-			DBG2(DBG_ENC, "found an encryption payload");
-
-			if (this->payloads->has_more(this->payloads, enumerator))
+			if (was_encrypted)
 			{
-				DBG1(DBG_ENC, "encrypted payload is not last payload");
+				DBG1(DBG_ENC, "encrypted payload can't contain other payloads "
+					 "of type %N", payload_type_names, type);
 				status = VERIFY_ERROR;
 				break;
 			}
-			if (!keymat)
-			{
-				DBG1(DBG_ENC, "found encryption payload, but no keymat");
-				status = INVALID_ARG;
-				break;
-			}
-			aead = keymat->get_aead(keymat, TRUE);
-			if (!aead)
-			{
-				DBG1(DBG_ENC, "found encryption payload, but no transform set");
-				status = INVALID_ARG;
-				break;
-			}
-			bs = aead->get_block_size(aead);
-			encryption->set_transform(encryption, aead);
-			chunk = this->packet->get_data(this->packet);
-			if (chunk.len < encryption->get_length(encryption) ||
-				chunk.len < bs)
+
+			DBG2(DBG_ENC, "found an encrypted payload");
+			encryption = (encryption_payload_t*)payload;
+			this->payloads->remove_at(this->payloads, enumerator);
+
+			if (enumerator->enumerate(enumerator, NULL))
 			{
-				DBG1(DBG_ENC, "invalid payload length");
+				DBG1(DBG_ENC, "encrypted payload is not last payload");
+				encryption->destroy(encryption);
 				status = VERIFY_ERROR;
 				break;
 			}
-			if (keymat->get_version(keymat) == IKEV1)
-			{	/* instead of associated data we provide the IV, we also update
-				 * the IV with the last encrypted block */
-				keymat_v1_t *keymat_v1 = (keymat_v1_t*)keymat;
-				chunk_t iv;
-
-				if (keymat_v1->get_iv(keymat_v1, this->message_id, &iv))
-				{
-					status = encryption->decrypt(encryption, iv);
-					if (status == SUCCESS)
-					{
-						if (!keymat_v1->update_iv(keymat_v1, this->message_id,
-								chunk_create(chunk.ptr + chunk.len - bs, bs)))
-						{
-							status = FAILED;
-						}
-					}
-				}
-				else
-				{
-					status = FAILED;
-				}
-			}
-			else
-			{
-				chunk.len -= encryption->get_length(encryption);
-				status = encryption->decrypt(encryption, chunk);
-			}
+			status = decrypt_and_extract(this, keymat, previous, encryption);
+			encryption->destroy(encryption);
 			if (status != SUCCESS)
 			{
 				break;
 			}
-
 			was_encrypted = TRUE;
-			this->payloads->remove_at(this->payloads, enumerator);
-
-			while ((encrypted = encryption->remove_payload(encryption)))
-			{
-				type = encrypted->get_type(encrypted);
-				if (previous)
-				{
-					previous->set_next_type(previous, type);
-				}
-				else
-				{
-					this->first_payload = type;
-				}
-				DBG2(DBG_ENC, "insert decrypted payload of type "
-					 "%N at end of list", payload_type_names, type);
-				this->payloads->insert_last(this->payloads, encrypted);
-				previous = encrypted;
-			}
-			encryption->destroy(encryption);
 		}
+
 		if (payload_is_known(type) && !was_encrypted &&
 			!is_connectivity_check(this, payload) &&
 			this->exchange_type != AGGRESSIVE)
diff --git a/src/libcharon/encoding/message.h b/src/libcharon/encoding/message.h
index 2c11e4581..7631a7c3a 100644
--- a/src/libcharon/encoding/message.h
+++ b/src/libcharon/encoding/message.h
@@ -49,7 +49,7 @@ struct message_t {
 	 *
 	 * @param major_version	major version to set
 	 */
-	void (*set_major_version) (message_t *this,u_int8_t major_version);
+	void (*set_major_version) (message_t *this, u_int8_t major_version);
 
 	/**
 	 * Gets the IKE major version of the message.
@@ -63,7 +63,7 @@ struct message_t {
 	 *
 	 * @param minor_version	minor version to set
 	 */
-	void (*set_minor_version) (message_t *this,u_int8_t minor_version);
+	void (*set_minor_version) (message_t *this, u_int8_t minor_version);
 
 	/**
 	 * Gets the IKE minor version of the message.
@@ -77,7 +77,7 @@ struct message_t {
 	 *
 	 * @param message_id	message_id to set
 	 */
-	void (*set_message_id) (message_t *this,u_int32_t message_id);
+	void (*set_message_id) (message_t *this, u_int32_t message_id);
 
 	/**
 	 * Gets the Message ID of the message.
@@ -107,7 +107,7 @@ struct message_t {
 	 *
 	 * @param ike_sa_id		ike_sa_id to set
 	 */
-	void (*set_ike_sa_id) (message_t *this, ike_sa_id_t * ike_sa_id);
+	void (*set_ike_sa_id) (message_t *this, ike_sa_id_t *ike_sa_id);
 
 	/**
 	 * Gets the IKE_SA ID of the message.
@@ -123,7 +123,7 @@ struct message_t {
 	 *
 	 * @param exchange_type	exchange_type to set
 	 */
-	void (*set_exchange_type) (message_t *this,exchange_type_t exchange_type);
+	void (*set_exchange_type) (message_t *this, exchange_type_t exchange_type);
 
 	/**
 	 * Gets the exchange type of the message.
diff --git a/src/libcharon/encoding/payloads/proposal_substructure.c b/src/libcharon/encoding/payloads/proposal_substructure.c
index ae0fce991..3cf22aefd 100644
--- a/src/libcharon/encoding/payloads/proposal_substructure.c
+++ b/src/libcharon/encoding/payloads/proposal_substructure.c
@@ -1224,7 +1224,7 @@ static void set_from_proposal_v1_ike(private_proposal_substructure_t *this,
 												number, IKEV1_TRANSID_KEY_IKE);
 
 	enumerator = proposal->create_enumerator(proposal, ENCRYPTION_ALGORITHM);
-	if (enumerator->enumerate(enumerator, &alg, &key_size))
+	while (enumerator->enumerate(enumerator, &alg, &key_size))
 	{
 		alg = get_ikev1_from_alg(ENCRYPTION_ALGORITHM, alg);
 		if (alg)
@@ -1238,13 +1238,14 @@ static void set_from_proposal_v1_ike(private_proposal_substructure_t *this,
 					transform_attribute_create_value(TRANSFORM_ATTRIBUTE_V1,
 										TATTR_PH1_KEY_LENGTH, key_size));
 			}
+			break;
 		}
 	}
 	enumerator->destroy(enumerator);
 
 	/* encode the integrity algorithm as hash and assume use the same PRF */
 	enumerator = proposal->create_enumerator(proposal, INTEGRITY_ALGORITHM);
-	if (enumerator->enumerate(enumerator, &alg, &key_size))
+	while (enumerator->enumerate(enumerator, &alg, &key_size))
 	{
 		alg = get_ikev1_from_alg(INTEGRITY_ALGORITHM, alg);
 		if (alg)
@@ -1252,6 +1253,7 @@ static void set_from_proposal_v1_ike(private_proposal_substructure_t *this,
 			transform->add_transform_attribute(transform,
 				transform_attribute_create_value(TRANSFORM_ATTRIBUTE_V1,
 									TATTR_PH1_HASH_ALGORITHM, alg));
+			break;
 		}
 	}
 	enumerator->destroy(enumerator);
diff --git a/src/libcharon/encoding/payloads/sa_payload.c b/src/libcharon/encoding/payloads/sa_payload.c
index a588d4e97..613412014 100644
--- a/src/libcharon/encoding/payloads/sa_payload.c
+++ b/src/libcharon/encoding/payloads/sa_payload.c
@@ -560,6 +560,11 @@ sa_payload_t *sa_payload_create_from_proposals_v1(linked_list_t *proposals,
 
 	this = (private_sa_payload_t*)sa_payload_create(SECURITY_ASSOCIATION_V1);
 
+	if (!proposals || !proposals->get_count(proposals))
+	{
+		return &this->public;
+	}
+
 	/* IKEv1 encodes multiple proposals in a single substructure
 	 * TODO-IKEv1: Encode ESP+AH proposals in two substructs with same num */
 	substruct = proposal_substructure_create_from_proposals_v1(proposals,
diff --git a/src/libcharon/network/receiver.c b/src/libcharon/network/receiver.c
index 2ca721a85..b8eb8419d 100644
--- a/src/libcharon/network/receiver.c
+++ b/src/libcharon/network/receiver.c
@@ -261,15 +261,13 @@ static bool cookie_verify(private_receiver_t *this, message_t *message,
  */
 static bool check_cookie(private_receiver_t *this, message_t *message)
 {
-	packet_t *packet;
 	chunk_t data;
 
 	/* check for a cookie. We don't use our parser here and do it
 	 * quick and dirty for performance reasons.
 	 * we assume the cookie is the first payload (which is a MUST), and
 	 * the cookie's SPI length is zero. */
-	packet = message->get_packet(message);
-	data = packet->get_data(packet);
+	data = message->get_packet_data(message);
 	if (data.len <
 		 IKE_HEADER_LENGTH + NOTIFY_PAYLOAD_HEADER_LENGTH +
 		 sizeof(u_int32_t) + this->hasher->get_hash_size(this->hasher) ||
@@ -277,7 +275,6 @@ static bool check_cookie(private_receiver_t *this, message_t *message)
 		*(u_int16_t*)(data.ptr + IKE_HEADER_LENGTH + 6) != htons(COOKIE))
 	{
 		/* no cookie found */
-		packet->destroy(packet);
 		return FALSE;
 	}
 	data.ptr += IKE_HEADER_LENGTH + NOTIFY_PAYLOAD_HEADER_LENGTH;
@@ -285,7 +282,6 @@ static bool check_cookie(private_receiver_t *this, message_t *message)
 	if (!cookie_verify(this, message, data))
 	{
 		DBG2(DBG_NET, "found cookie, but content invalid");
-		packet->destroy(packet);
 		return FALSE;
 	}
 	return TRUE;
diff --git a/src/libcharon/network/socket.h b/src/libcharon/network/socket.h
index f6c8a8660..e3cda3bea 100644
--- a/src/libcharon/network/socket.h
+++ b/src/libcharon/network/socket.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2006-2012 Tobias Brunner
+ * Copyright (C) 2006-2013 Tobias Brunner
  * Copyright (C) 2005-2010 Martin Willi
  * Copyright (C) 2006 Daniel Roethlisberger
  * Copyright (C) 2005 Jan Hutter
@@ -25,6 +25,7 @@
 #define SOCKET_H_
 
 typedef struct socket_t socket_t;
+typedef enum socket_family_t socket_family_t;
 
 #include <library.h>
 #include <networking/packet.h>
@@ -36,6 +37,31 @@ typedef struct socket_t socket_t;
  */
 typedef socket_t *(*socket_constructor_t)();
 
+/**
+ * Address families supported by socket implementations.
+ */
+enum socket_family_t {
+	/**
+	 * No address families supported
+	 */
+	SOCKET_FAMILY_NONE = 0,
+
+	/**
+	 * IPv4
+	 */
+	SOCKET_FAMILY_IPV4 = (1 << 0),
+
+	/**
+	 * IPv6
+	 */
+	SOCKET_FAMILY_IPV6 = (1 << 1),
+
+	/**
+	 * Both address families supported
+	 */
+	SOCKET_FAMILY_BOTH = (1 << 2) - 1,
+};
+
 /**
  * Socket interface definition.
  */
@@ -52,7 +78,7 @@ struct socket_t {
 	 *						- SUCCESS when packet successfully received
 	 *						- FAILED when unable to receive
 	 */
-	status_t (*receive) (socket_t *this, packet_t **packet);
+	status_t (*receive)(socket_t *this, packet_t **packet);
 
 	/**
 	 * Send a packet.
@@ -65,7 +91,7 @@ struct socket_t {
 	 *						- SUCCESS when packet successfully sent
 	 *						- FAILED when unable to send
 	 */
-	status_t (*send) (socket_t *this, packet_t *packet);
+	status_t (*send)(socket_t *this, packet_t *packet);
 
 	/**
 	 * Get the port this socket is listening on.
@@ -73,12 +99,19 @@ struct socket_t {
 	 * @param nat_t			TRUE to get the port used to float in case of NAT-T
 	 * @return				the port
 	 */
-	u_int16_t (*get_port) (socket_t *this, bool nat_t);
+	u_int16_t (*get_port)(socket_t *this, bool nat_t);
+
+	/**
+	 * Get the address families this socket is listening on.
+	 *
+	 * @return				supported families
+	 */
+	socket_family_t (*supported_families)(socket_t *this);
 
 	/**
 	 * Destroy a socket implementation.
 	 */
-	void (*destroy) (socket_t *this);
+	void (*destroy)(socket_t *this);
 };
 
 /**
diff --git a/src/libcharon/network/socket_manager.c b/src/libcharon/network/socket_manager.c
index bf1fe5ba2..2a07e503c 100644
--- a/src/libcharon/network/socket_manager.c
+++ b/src/libcharon/network/socket_manager.c
@@ -102,6 +102,19 @@ METHOD(socket_manager_t, get_port, u_int16_t,
 	return port;
 }
 
+METHOD(socket_manager_t, supported_families, socket_family_t,
+	private_socket_manager_t *this)
+{
+	socket_family_t families = SOCKET_FAMILY_NONE;
+	this->lock->read_lock(this->lock);
+	if (this->socket)
+	{
+		families = this->socket->supported_families(this->socket);
+	}
+	this->lock->unlock(this->lock);
+	return families;
+}
+
 static void create_socket(private_socket_manager_t *this)
 {
 	socket_constructor_t create;
@@ -167,6 +180,7 @@ socket_manager_t *socket_manager_create()
 			.send = _sender,
 			.receive = _receiver,
 			.get_port = _get_port,
+			.supported_families = _supported_families,
 			.add_socket = _add_socket,
 			.remove_socket = _remove_socket,
 			.destroy = _destroy,
diff --git a/src/libcharon/network/socket_manager.h b/src/libcharon/network/socket_manager.h
index 1909d1f25..a07d0804c 100644
--- a/src/libcharon/network/socket_manager.h
+++ b/src/libcharon/network/socket_manager.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2010-2012 Tobias Brunner
+ * Copyright (C) 2010-2013 Tobias Brunner
  * Hochschule fuer Technik Rapperswil
  * Copyright (C) 2010 Martin Willi
  * Copyright (C) 2010 revosec AG
@@ -40,7 +40,7 @@ struct socket_manager_t {
 	 *						- SUCCESS when packet successfully received
 	 *						- FAILED when unable to receive
 	 */
-	status_t (*receive) (socket_manager_t *this, packet_t **packet);
+	status_t (*receive)(socket_manager_t *this, packet_t **packet);
 
 	/**
 	 * Send a packet using the registered socket.
@@ -50,7 +50,7 @@ struct socket_manager_t {
 	 *						- SUCCESS when packet successfully sent
 	 *						- FAILED when unable to send
 	 */
-	status_t (*send) (socket_manager_t *this, packet_t *packet);
+	status_t (*send)(socket_manager_t *this, packet_t *packet);
 
 	/**
 	 * Get the port the registered socket is listening on.
@@ -58,7 +58,14 @@ struct socket_manager_t {
 	 * @param nat_t			TRUE to get the port used to float in case of NAT-T
 	 * @return				the port, or 0, if no socket is registered
 	 */
-	u_int16_t (*get_port) (socket_manager_t *this, bool nat_t);
+	u_int16_t (*get_port)(socket_manager_t *this, bool nat_t);
+
+	/**
+	 * Get the address families the registered socket is listening on.
+	 *
+	 * @return				address families
+	 */
+	socket_family_t (*supported_families)(socket_manager_t *this);
 
 	/**
 	 * Register a socket constructor.
diff --git a/src/libcharon/plugins/addrblock/Makefile.am b/src/libcharon/plugins/addrblock/Makefile.am
index 50d0457f8..407f22d71 100644
--- a/src/libcharon/plugins/addrblock/Makefile.am
+++ b/src/libcharon/plugins/addrblock/Makefile.am
@@ -1,8 +1,10 @@
-
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon
 
-AM_CFLAGS = -rdynamic
+AM_CFLAGS = \
+	-rdynamic
 
 if MONOLITHIC
 noinst_LTLIBRARIES = libstrongswan-addrblock.la
diff --git a/src/libcharon/plugins/addrblock/Makefile.in b/src/libcharon/plugins/addrblock/Makefile.in
index 7b2b19bcc..45df4ea24 100644
--- a/src/libcharon/plugins/addrblock/Makefile.in
+++ b/src/libcharon/plugins/addrblock/Makefile.in
@@ -62,7 +62,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
@@ -103,7 +103,10 @@ am_libstrongswan_addrblock_la_OBJECTS = addrblock_plugin.lo \
 	addrblock_narrow.lo addrblock_validator.lo
 libstrongswan_addrblock_la_OBJECTS =  \
 	$(am_libstrongswan_addrblock_la_OBJECTS)
-libstrongswan_addrblock_la_LINK = $(LIBTOOL) --tag=CC \
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+libstrongswan_addrblock_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
 	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
 	$(AM_CFLAGS) $(CFLAGS) $(libstrongswan_addrblock_la_LDFLAGS) \
 	$(LDFLAGS) -o $@
@@ -116,13 +119,26 @@ am__depfiles_maybe = depfiles
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
 SOURCES = $(libstrongswan_addrblock_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_addrblock_la_SOURCES)
 am__can_run_installinfo = \
@@ -136,6 +152,7 @@ DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
@@ -148,6 +165,8 @@ CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
 CHECK_CFLAGS = @CHECK_CFLAGS@
 CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -163,6 +182,7 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
 GPRBUILD = @GPRBUILD@
 GREP = @GREP@
@@ -171,6 +191,7 @@ INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -217,6 +238,7 @@ SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -245,6 +267,7 @@ charon_natt_port = @charon_natt_port@
 charon_plugins = @charon_plugins@
 charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
@@ -322,10 +345,14 @@ top_srcdir = @top_srcdir@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon
 
-AM_CFLAGS = -rdynamic
+AM_CFLAGS = \
+	-rdynamic
+
 @MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-addrblock.la
 @MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-addrblock.la
 libstrongswan_addrblock_la_SOURCES = \
@@ -410,7 +437,7 @@ clean-pluginLTLIBRARIES:
 	  rm -f "$${dir}/so_locations"; \
 	done
 libstrongswan-addrblock.la: $(libstrongswan_addrblock_la_OBJECTS) $(libstrongswan_addrblock_la_DEPENDENCIES) $(EXTRA_libstrongswan_addrblock_la_DEPENDENCIES) 
-	$(libstrongswan_addrblock_la_LINK) $(am_libstrongswan_addrblock_la_rpath) $(libstrongswan_addrblock_la_OBJECTS) $(libstrongswan_addrblock_la_LIBADD) $(LIBS)
+	$(AM_V_CCLD)$(libstrongswan_addrblock_la_LINK) $(am_libstrongswan_addrblock_la_rpath) $(libstrongswan_addrblock_la_OBJECTS) $(libstrongswan_addrblock_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -423,25 +450,25 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/addrblock_validator.Plo@am__quote@
 
 .c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
 mostlyclean-libtool:
 	-rm -f *.lo
diff --git a/src/libcharon/plugins/addrblock/addrblock_plugin.c b/src/libcharon/plugins/addrblock/addrblock_plugin.c
index 72c551f0f..723747d8e 100644
--- a/src/libcharon/plugins/addrblock/addrblock_plugin.c
+++ b/src/libcharon/plugins/addrblock/addrblock_plugin.c
@@ -16,6 +16,7 @@
 #include "addrblock_plugin.h"
 
 #include <daemon.h>
+#include <plugins/plugin_feature.h>
 
 #include "addrblock_validator.h"
 #include "addrblock_narrow.h"
@@ -49,11 +50,41 @@ METHOD(plugin_t, get_name, char*,
 	return "addrblock";
 }
 
+/**
+ * Register listener
+ */
+static bool plugin_cb(private_addrblock_plugin_t *this,
+					  plugin_feature_t *feature, bool reg, void *cb_data)
+{
+	if (reg)
+	{
+		lib->credmgr->add_validator(lib->credmgr, &this->validator->validator);
+		charon->bus->add_listener(charon->bus, &this->narrower->listener);
+	}
+	else
+	{
+		charon->bus->remove_listener(charon->bus, &this->narrower->listener);
+		lib->credmgr->remove_validator(lib->credmgr,
+									   &this->validator->validator);
+	}
+	return TRUE;
+}
+
+METHOD(plugin_t, get_features, int,
+	private_addrblock_plugin_t *this, plugin_feature_t *features[])
+{
+	static plugin_feature_t f[] = {
+		PLUGIN_CALLBACK((plugin_feature_callback_t)plugin_cb, NULL),
+			PLUGIN_PROVIDE(CUSTOM, "addrblock"),
+				PLUGIN_SDEPEND(CERT_DECODE, CERT_X509),
+	};
+	*features = f;
+	return countof(f);
+}
+
 METHOD(plugin_t, destroy, void,
 	private_addrblock_plugin_t *this)
 {
-	charon->bus->remove_listener(charon->bus, &this->narrower->listener);
-	lib->credmgr->remove_validator(lib->credmgr, &this->validator->validator);
 	this->narrower->destroy(this->narrower);
 	this->validator->destroy(this->validator);
 	free(this);
@@ -70,15 +101,13 @@ plugin_t *addrblock_plugin_create()
 		.public = {
 			.plugin = {
 				.get_name = _get_name,
-				.reload = (void*)return_false,
+				.get_features = _get_features,
 				.destroy = _destroy,
 			},
 		},
 		.validator = addrblock_validator_create(),
 		.narrower = addrblock_narrow_create(),
 	);
-	lib->credmgr->add_validator(lib->credmgr, &this->validator->validator);
-	charon->bus->add_listener(charon->bus, &this->narrower->listener);
 
 	return &this->public.plugin;
 }
diff --git a/src/libcharon/plugins/addrblock/addrblock_validator.c b/src/libcharon/plugins/addrblock/addrblock_validator.c
index 65f4ed08c..372c978a2 100644
--- a/src/libcharon/plugins/addrblock/addrblock_validator.c
+++ b/src/libcharon/plugins/addrblock/addrblock_validator.c
@@ -94,7 +94,12 @@ METHOD(cert_validator_t, validate, bool,
 	if (subject->get_type(subject) == CERT_X509 &&
 		issuer->get_type(issuer) == CERT_X509)
 	{
-		return check_addrblock((x509_t*)subject, (x509_t*)issuer);
+		if (!check_addrblock((x509_t*)subject, (x509_t*)issuer))
+		{
+			lib->credmgr->call_hook(lib->credmgr, CRED_HOOK_POLICY_VIOLATION,
+									subject);
+			return FALSE;
+		}
 	}
 	return TRUE;
 }
diff --git a/src/libcharon/plugins/android_dns/Makefile.am b/src/libcharon/plugins/android_dns/Makefile.am
index 0d25f11d7..ebad963bb 100644
--- a/src/libcharon/plugins/android_dns/Makefile.am
+++ b/src/libcharon/plugins/android_dns/Makefile.am
@@ -1,8 +1,10 @@
-
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon
 
-AM_CFLAGS = -rdynamic
+AM_CFLAGS = \
+	-rdynamic
 
 if MONOLITHIC
 noinst_LTLIBRARIES = libstrongswan-android-dns.la
@@ -15,4 +17,4 @@ libstrongswan_android_dns_la_SOURCES = \
 	android_dns_handler.c android_dns_handler.h
 
 libstrongswan_android_dns_la_LDFLAGS = -module -avoid-version
-libstrongswan_android_dns_la_LIBADD  = -lcutils
\ No newline at end of file
+libstrongswan_android_dns_la_LIBADD  = -lcutils
diff --git a/src/libcharon/plugins/android_dns/Makefile.in b/src/libcharon/plugins/android_dns/Makefile.in
index 41f42ffec..dbc69b922 100644
--- a/src/libcharon/plugins/android_dns/Makefile.in
+++ b/src/libcharon/plugins/android_dns/Makefile.in
@@ -62,7 +62,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
@@ -103,7 +103,10 @@ am_libstrongswan_android_dns_la_OBJECTS = android_dns_plugin.lo \
 	android_dns_handler.lo
 libstrongswan_android_dns_la_OBJECTS =  \
 	$(am_libstrongswan_android_dns_la_OBJECTS)
-libstrongswan_android_dns_la_LINK = $(LIBTOOL) --tag=CC \
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+libstrongswan_android_dns_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
 	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
 	$(AM_CFLAGS) $(CFLAGS) $(libstrongswan_android_dns_la_LDFLAGS) \
 	$(LDFLAGS) -o $@
@@ -116,13 +119,26 @@ am__depfiles_maybe = depfiles
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
 SOURCES = $(libstrongswan_android_dns_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_android_dns_la_SOURCES)
 am__can_run_installinfo = \
@@ -136,6 +152,7 @@ DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
@@ -148,6 +165,8 @@ CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
 CHECK_CFLAGS = @CHECK_CFLAGS@
 CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -163,6 +182,7 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
 GPRBUILD = @GPRBUILD@
 GREP = @GREP@
@@ -171,6 +191,7 @@ INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -217,6 +238,7 @@ SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -245,6 +267,7 @@ charon_natt_port = @charon_natt_port@
 charon_plugins = @charon_plugins@
 charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
@@ -322,10 +345,14 @@ top_srcdir = @top_srcdir@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon
 
-AM_CFLAGS = -rdynamic
+AM_CFLAGS = \
+	-rdynamic
+
 @MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-android-dns.la
 @MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-android-dns.la
 libstrongswan_android_dns_la_SOURCES = \
@@ -410,7 +437,7 @@ clean-pluginLTLIBRARIES:
 	  rm -f "$${dir}/so_locations"; \
 	done
 libstrongswan-android-dns.la: $(libstrongswan_android_dns_la_OBJECTS) $(libstrongswan_android_dns_la_DEPENDENCIES) $(EXTRA_libstrongswan_android_dns_la_DEPENDENCIES) 
-	$(libstrongswan_android_dns_la_LINK) $(am_libstrongswan_android_dns_la_rpath) $(libstrongswan_android_dns_la_OBJECTS) $(libstrongswan_android_dns_la_LIBADD) $(LIBS)
+	$(AM_V_CCLD)$(libstrongswan_android_dns_la_LINK) $(am_libstrongswan_android_dns_la_rpath) $(libstrongswan_android_dns_la_OBJECTS) $(libstrongswan_android_dns_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -422,25 +449,25 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/android_dns_plugin.Plo@am__quote@
 
 .c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
 mostlyclean-libtool:
 	-rm -f *.lo
diff --git a/src/libcharon/plugins/android_dns/android_dns_plugin.c b/src/libcharon/plugins/android_dns/android_dns_plugin.c
index 4e2b5f58b..b8eb11b57 100644
--- a/src/libcharon/plugins/android_dns/android_dns_plugin.c
+++ b/src/libcharon/plugins/android_dns/android_dns_plugin.c
@@ -43,11 +43,39 @@ METHOD(plugin_t, get_name, char*,
 	return "android-dns";
 }
 
+/**
+ * Register handler
+ */
+static bool plugin_cb(private_android_dns_plugin_t *this,
+					  plugin_feature_t *feature, bool reg, void *cb_data)
+{
+	if (reg)
+	{
+		hydra->attributes->add_handler(hydra->attributes,
+									   &this->handler->handler);
+	}
+	else
+	{
+		hydra->attributes->remove_handler(hydra->attributes,
+										  &this->handler->handler);
+	}
+	return TRUE;
+}
+
+METHOD(plugin_t, get_features, int,
+	private_android_dns_plugin_t *this, plugin_feature_t *features[])
+{
+	static plugin_feature_t f[] = {
+		PLUGIN_CALLBACK((plugin_feature_callback_t)plugin_cb, NULL),
+			PLUGIN_PROVIDE(CUSTOM, "android-dns"),
+	};
+	*features = f;
+	return countof(f);
+}
+
 METHOD(plugin_t, destroy, void,
 	private_android_dns_plugin_t *this)
 {
-	hydra->attributes->remove_handler(hydra->attributes,
-									  &this->handler->handler);
 	this->handler->destroy(this->handler);
 	free(this);
 }
@@ -63,14 +91,12 @@ plugin_t *android_dns_plugin_create()
 		.public = {
 			.plugin = {
 				.get_name = _get_name,
-				.reload = (void*)return_false,
+				.get_features = _get_features,
 				.destroy = _destroy,
 			},
 		},
 		.handler = android_dns_handler_create(),
 	);
 
-	hydra->attributes->add_handler(hydra->attributes, &this->handler->handler);
-
 	return &this->public.plugin;
 }
diff --git a/src/libcharon/plugins/android_log/Makefile.am b/src/libcharon/plugins/android_log/Makefile.am
index 3c180f1db..4d8b4850b 100644
--- a/src/libcharon/plugins/android_log/Makefile.am
+++ b/src/libcharon/plugins/android_log/Makefile.am
@@ -1,8 +1,10 @@
-
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon
 
-AM_CFLAGS = -rdynamic
+AM_CFLAGS = \
+	-rdynamic
 
 if MONOLITHIC
 noinst_LTLIBRARIES = libstrongswan-android-log.la
diff --git a/src/libcharon/plugins/android_log/Makefile.in b/src/libcharon/plugins/android_log/Makefile.in
index 698935436..3821f9afc 100644
--- a/src/libcharon/plugins/android_log/Makefile.in
+++ b/src/libcharon/plugins/android_log/Makefile.in
@@ -62,7 +62,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
@@ -103,7 +103,10 @@ am_libstrongswan_android_log_la_OBJECTS = android_log_plugin.lo \
 	android_log_logger.lo
 libstrongswan_android_log_la_OBJECTS =  \
 	$(am_libstrongswan_android_log_la_OBJECTS)
-libstrongswan_android_log_la_LINK = $(LIBTOOL) --tag=CC \
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+libstrongswan_android_log_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
 	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
 	$(AM_CFLAGS) $(CFLAGS) $(libstrongswan_android_log_la_LDFLAGS) \
 	$(LDFLAGS) -o $@
@@ -116,13 +119,26 @@ am__depfiles_maybe = depfiles
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
 SOURCES = $(libstrongswan_android_log_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_android_log_la_SOURCES)
 am__can_run_installinfo = \
@@ -136,6 +152,7 @@ DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
@@ -148,6 +165,8 @@ CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
 CHECK_CFLAGS = @CHECK_CFLAGS@
 CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -163,6 +182,7 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
 GPRBUILD = @GPRBUILD@
 GREP = @GREP@
@@ -171,6 +191,7 @@ INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -217,6 +238,7 @@ SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -245,6 +267,7 @@ charon_natt_port = @charon_natt_port@
 charon_plugins = @charon_plugins@
 charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
@@ -322,10 +345,14 @@ top_srcdir = @top_srcdir@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon
 
-AM_CFLAGS = -rdynamic
+AM_CFLAGS = \
+	-rdynamic
+
 @MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-android-log.la
 @MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-android-log.la
 libstrongswan_android_log_la_SOURCES = \
@@ -409,7 +436,7 @@ clean-pluginLTLIBRARIES:
 	  rm -f "$${dir}/so_locations"; \
 	done
 libstrongswan-android-log.la: $(libstrongswan_android_log_la_OBJECTS) $(libstrongswan_android_log_la_DEPENDENCIES) $(EXTRA_libstrongswan_android_log_la_DEPENDENCIES) 
-	$(libstrongswan_android_log_la_LINK) $(am_libstrongswan_android_log_la_rpath) $(libstrongswan_android_log_la_OBJECTS) $(libstrongswan_android_log_la_LIBADD) $(LIBS)
+	$(AM_V_CCLD)$(libstrongswan_android_log_la_LINK) $(am_libstrongswan_android_log_la_rpath) $(libstrongswan_android_log_la_OBJECTS) $(libstrongswan_android_log_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -421,25 +448,25 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/android_log_plugin.Plo@am__quote@
 
 .c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
 mostlyclean-libtool:
 	-rm -f *.lo
diff --git a/src/libcharon/plugins/android_log/android_log_plugin.c b/src/libcharon/plugins/android_log/android_log_plugin.c
index 6757c2210..515917a22 100644
--- a/src/libcharon/plugins/android_log/android_log_plugin.c
+++ b/src/libcharon/plugins/android_log/android_log_plugin.c
@@ -43,6 +43,17 @@ METHOD(plugin_t, get_name, char*,
 	return "android-log";
 }
 
+METHOD(plugin_t, get_features, int,
+	private_android_log_plugin_t *this, plugin_feature_t *features[])
+{
+	static plugin_feature_t f[] = {
+		PLUGIN_NOOP,
+			PLUGIN_PROVIDE(CUSTOM, "android-log"),
+	};
+	*features = f;
+	return countof(f);
+}
+
 METHOD(plugin_t, destroy, void,
 	private_android_log_plugin_t *this)
 {
@@ -62,7 +73,7 @@ plugin_t *android_log_plugin_create()
 		.public = {
 			.plugin = {
 				.get_name = _get_name,
-				.reload = (void*)return_false,
+				.get_features = _get_features,
 				.destroy = _destroy,
 			},
 		},
@@ -73,4 +84,3 @@ plugin_t *android_log_plugin_create()
 
 	return &this->public.plugin;
 }
-
diff --git a/src/libcharon/plugins/certexpire/Makefile.am b/src/libcharon/plugins/certexpire/Makefile.am
index 9aa0daad3..2bfad9497 100644
--- a/src/libcharon/plugins/certexpire/Makefile.am
+++ b/src/libcharon/plugins/certexpire/Makefile.am
@@ -1,10 +1,12 @@
-
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
-	-I$(top_srcdir)/src/libcharon
-
-AM_CFLAGS = -rdynamic \
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon \
 	-DIPSEC_PIDDIR=\"${piddir}\"
 
+AM_CFLAGS = \
+	-rdynamic
+
 if MONOLITHIC
 noinst_LTLIBRARIES = libstrongswan-certexpire.la
 else
diff --git a/src/libcharon/plugins/certexpire/Makefile.in b/src/libcharon/plugins/certexpire/Makefile.in
index 72e2ad601..d74cb09f9 100644
--- a/src/libcharon/plugins/certexpire/Makefile.in
+++ b/src/libcharon/plugins/certexpire/Makefile.in
@@ -62,7 +62,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
@@ -103,7 +103,10 @@ am_libstrongswan_certexpire_la_OBJECTS = certexpire_plugin.lo \
 	certexpire_listener.lo certexpire_export.lo certexpire_cron.lo
 libstrongswan_certexpire_la_OBJECTS =  \
 	$(am_libstrongswan_certexpire_la_OBJECTS)
-libstrongswan_certexpire_la_LINK = $(LIBTOOL) --tag=CC \
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+libstrongswan_certexpire_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
 	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
 	$(AM_CFLAGS) $(CFLAGS) $(libstrongswan_certexpire_la_LDFLAGS) \
 	$(LDFLAGS) -o $@
@@ -116,13 +119,26 @@ am__depfiles_maybe = depfiles
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
 SOURCES = $(libstrongswan_certexpire_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_certexpire_la_SOURCES)
 am__can_run_installinfo = \
@@ -136,6 +152,7 @@ DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
@@ -148,6 +165,8 @@ CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
 CHECK_CFLAGS = @CHECK_CFLAGS@
 CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -163,6 +182,7 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
 GPRBUILD = @GPRBUILD@
 GREP = @GREP@
@@ -171,6 +191,7 @@ INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -217,6 +238,7 @@ SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -245,6 +267,7 @@ charon_natt_port = @charon_natt_port@
 charon_plugins = @charon_plugins@
 charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
@@ -322,12 +345,15 @@ top_srcdir = @top_srcdir@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
-	-I$(top_srcdir)/src/libcharon
-
-AM_CFLAGS = -rdynamic \
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon \
 	-DIPSEC_PIDDIR=\"${piddir}\"
 
+AM_CFLAGS = \
+	-rdynamic
+
 @MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-certexpire.la
 @MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-certexpire.la
 libstrongswan_certexpire_la_SOURCES = certexpire_plugin.h certexpire_plugin.c \
@@ -412,7 +438,7 @@ clean-pluginLTLIBRARIES:
 	  rm -f "$${dir}/so_locations"; \
 	done
 libstrongswan-certexpire.la: $(libstrongswan_certexpire_la_OBJECTS) $(libstrongswan_certexpire_la_DEPENDENCIES) $(EXTRA_libstrongswan_certexpire_la_DEPENDENCIES) 
-	$(libstrongswan_certexpire_la_LINK) $(am_libstrongswan_certexpire_la_rpath) $(libstrongswan_certexpire_la_OBJECTS) $(libstrongswan_certexpire_la_LIBADD) $(LIBS)
+	$(AM_V_CCLD)$(libstrongswan_certexpire_la_LINK) $(am_libstrongswan_certexpire_la_rpath) $(libstrongswan_certexpire_la_OBJECTS) $(libstrongswan_certexpire_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -426,25 +452,25 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/certexpire_plugin.Plo@am__quote@
 
 .c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
 mostlyclean-libtool:
 	-rm -f *.lo
diff --git a/src/libcharon/plugins/certexpire/certexpire_export.c b/src/libcharon/plugins/certexpire/certexpire_export.c
index e339b8004..f1205cfd8 100644
--- a/src/libcharon/plugins/certexpire/certexpire_export.c
+++ b/src/libcharon/plugins/certexpire/certexpire_export.c
@@ -88,6 +88,11 @@ struct private_certexpire_export_t {
 	 * String to use in empty fields, if using fixed_fields
 	 */
 	char *empty_string;
+
+	/**
+	 * Force export of all trustchains we have a private key for
+	 */
+	bool force;
 };
 
 /**
@@ -184,21 +189,6 @@ static void export_csv(private_certexpire_export_t *this, char *path,
 	}
 }
 
-/**
- * Export cached trustchain expiration dates to CSV files
- */
-static void cron_export(private_certexpire_export_t *this)
-{
-	if (this->local_path)
-	{
-		export_csv(this, this->local_path, this->local);
-	}
-	if (this->remote_path)
-	{
-		export_csv(this, this->remote_path, this->remote);
-	}
-}
-
 METHOD(certexpire_export_t, add, void,
 	private_certexpire_export_t *this, linked_list_t *trustchain, bool local)
 {
@@ -320,6 +310,81 @@ METHOD(certexpire_export_t, add, void,
 	enumerator->destroy(enumerator);
 }
 
+/**
+ * Add trustchains we have a private key for to the list
+ */
+static void add_local_certs(private_certexpire_export_t *this)
+{
+	enumerator_t *enumerator;
+	certificate_t *cert;
+
+	enumerator = lib->credmgr->create_cert_enumerator(lib->credmgr,
+											CERT_X509, KEY_ANY, NULL, FALSE);
+	while (enumerator->enumerate(enumerator, &cert))
+	{
+		linked_list_t *trustchain;
+		private_key_t *private;
+		public_key_t *public;
+		identification_t *keyid;
+		chunk_t chunk;
+		x509_t *x509 = (x509_t*)cert;
+
+		trustchain = linked_list_create();
+
+		public = cert->get_public_key(cert);
+		if (public)
+		{
+			if (public->get_fingerprint(public, KEYID_PUBKEY_INFO_SHA1, &chunk))
+			{
+				keyid = identification_create_from_encoding(ID_KEY_ID, chunk);
+				private = lib->credmgr->get_private(lib->credmgr,
+										public->get_type(public), keyid, NULL);
+				keyid->destroy(keyid);
+				if (private)
+				{
+					trustchain->insert_last(trustchain, cert->get_ref(cert));
+
+					while (!(x509->get_flags(x509) & X509_SELF_SIGNED))
+					{
+						cert = lib->credmgr->get_cert(lib->credmgr, CERT_X509,
+										KEY_ANY, cert->get_issuer(cert), FALSE);
+						if (!cert)
+						{
+							break;
+						}
+						x509 = (x509_t*)cert;
+						trustchain->insert_last(trustchain, cert);
+					}
+					private->destroy(private);
+				}
+			}
+			public->destroy(public);
+		}
+		add(this, trustchain, TRUE);
+		trustchain->destroy_offset(trustchain, offsetof(certificate_t, destroy));
+	}
+	enumerator->destroy(enumerator);
+}
+
+/**
+ * Export cached trustchain expiration dates to CSV files
+ */
+static void cron_export(private_certexpire_export_t *this)
+{
+	if (this->local_path)
+	{
+		if (this->force)
+		{
+			add_local_certs(this);
+		}
+		export_csv(this, this->local_path, this->local);
+	}
+	if (this->remote_path)
+	{
+		export_csv(this, this->remote_path, this->remote);
+	}
+}
+
 METHOD(certexpire_export_t, destroy, void,
 	private_certexpire_export_t *this)
 {
@@ -382,6 +447,9 @@ certexpire_export_t *certexpire_export_create()
 		.empty_string = lib->settings->get_str(lib->settings,
 								"%s.plugins.certexpire.csv.empty_string",
 								"", charon->name),
+		.force = lib->settings->get_bool(lib->settings,
+								"%s.plugins.certexpire.csv.force",
+								TRUE, charon->name),
 	);
 
 	cron = lib->settings->get_str(lib->settings,
diff --git a/src/libcharon/plugins/certexpire/certexpire_plugin.c b/src/libcharon/plugins/certexpire/certexpire_plugin.c
index 2b4c0b68b..985fb0d76 100644
--- a/src/libcharon/plugins/certexpire/certexpire_plugin.c
+++ b/src/libcharon/plugins/certexpire/certexpire_plugin.c
@@ -49,10 +49,37 @@ METHOD(plugin_t, get_name, char*,
 	return "certexpire";
 }
 
+/**
+ * Register listener
+ */
+static bool plugin_cb(private_certexpire_plugin_t *this,
+					  plugin_feature_t *feature, bool reg, void *cb_data)
+{
+	if (reg)
+	{
+		charon->bus->add_listener(charon->bus, &this->listener->listener);
+	}
+	else
+	{
+		charon->bus->remove_listener(charon->bus, &this->listener->listener);
+	}
+	return TRUE;
+}
+
+METHOD(plugin_t, get_features, int,
+	private_certexpire_plugin_t *this, plugin_feature_t *features[])
+{
+	static plugin_feature_t f[] = {
+		PLUGIN_CALLBACK((plugin_feature_callback_t)plugin_cb, NULL),
+			PLUGIN_PROVIDE(CUSTOM, "certexpire"),
+	};
+	*features = f;
+	return countof(f);
+}
+
 METHOD(plugin_t, destroy, void,
 	private_certexpire_plugin_t *this)
 {
-	charon->bus->remove_listener(charon->bus, &this->listener->listener);
 	this->listener->destroy(this->listener);
 	this->export->destroy(this->export);
 	free(this);
@@ -69,14 +96,13 @@ plugin_t *certexpire_plugin_create()
 		.public = {
 			.plugin = {
 				.get_name = _get_name,
-				.reload = (void*)return_false,
+				.get_features = _get_features,
 				.destroy = _destroy,
 			},
 		},
 		.export = certexpire_export_create(),
 	);
-	this->listener = certexpire_listener_create(this->export),
-	charon->bus->add_listener(charon->bus, &this->listener->listener);
+	this->listener = certexpire_listener_create(this->export);
 
 	return &this->public.plugin;
 }
diff --git a/src/libcharon/plugins/coupling/Makefile.am b/src/libcharon/plugins/coupling/Makefile.am
index 642ce820c..cbc06a6b7 100644
--- a/src/libcharon/plugins/coupling/Makefile.am
+++ b/src/libcharon/plugins/coupling/Makefile.am
@@ -1,8 +1,10 @@
-
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon
 
-AM_CFLAGS = -rdynamic
+AM_CFLAGS = \
+	-rdynamic
 
 if MONOLITHIC
 noinst_LTLIBRARIES = libstrongswan-coupling.la
diff --git a/src/libcharon/plugins/coupling/Makefile.in b/src/libcharon/plugins/coupling/Makefile.in
index 886624123..12c1f331d 100644
--- a/src/libcharon/plugins/coupling/Makefile.in
+++ b/src/libcharon/plugins/coupling/Makefile.in
@@ -62,7 +62,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
@@ -103,7 +103,10 @@ am_libstrongswan_coupling_la_OBJECTS = coupling_plugin.lo \
 	coupling_validator.lo
 libstrongswan_coupling_la_OBJECTS =  \
 	$(am_libstrongswan_coupling_la_OBJECTS)
-libstrongswan_coupling_la_LINK = $(LIBTOOL) --tag=CC \
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+libstrongswan_coupling_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
 	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
 	$(AM_CFLAGS) $(CFLAGS) $(libstrongswan_coupling_la_LDFLAGS) \
 	$(LDFLAGS) -o $@
@@ -116,13 +119,26 @@ am__depfiles_maybe = depfiles
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
 SOURCES = $(libstrongswan_coupling_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_coupling_la_SOURCES)
 am__can_run_installinfo = \
@@ -136,6 +152,7 @@ DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
@@ -148,6 +165,8 @@ CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
 CHECK_CFLAGS = @CHECK_CFLAGS@
 CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -163,6 +182,7 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
 GPRBUILD = @GPRBUILD@
 GREP = @GREP@
@@ -171,6 +191,7 @@ INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -217,6 +238,7 @@ SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -245,6 +267,7 @@ charon_natt_port = @charon_natt_port@
 charon_plugins = @charon_plugins@
 charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
@@ -322,10 +345,14 @@ top_srcdir = @top_srcdir@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon
 
-AM_CFLAGS = -rdynamic
+AM_CFLAGS = \
+	-rdynamic
+
 @MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-coupling.la
 @MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-coupling.la
 libstrongswan_coupling_la_SOURCES = coupling_plugin.h coupling_plugin.c \
@@ -408,7 +435,7 @@ clean-pluginLTLIBRARIES:
 	  rm -f "$${dir}/so_locations"; \
 	done
 libstrongswan-coupling.la: $(libstrongswan_coupling_la_OBJECTS) $(libstrongswan_coupling_la_DEPENDENCIES) $(EXTRA_libstrongswan_coupling_la_DEPENDENCIES) 
-	$(libstrongswan_coupling_la_LINK) $(am_libstrongswan_coupling_la_rpath) $(libstrongswan_coupling_la_OBJECTS) $(libstrongswan_coupling_la_LIBADD) $(LIBS)
+	$(AM_V_CCLD)$(libstrongswan_coupling_la_LINK) $(am_libstrongswan_coupling_la_rpath) $(libstrongswan_coupling_la_OBJECTS) $(libstrongswan_coupling_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -420,25 +447,25 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/coupling_validator.Plo@am__quote@
 
 .c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
 mostlyclean-libtool:
 	-rm -f *.lo
diff --git a/src/libcharon/plugins/coupling/coupling_plugin.c b/src/libcharon/plugins/coupling/coupling_plugin.c
index 7ccc51db5..cd46ddd11 100644
--- a/src/libcharon/plugins/coupling/coupling_plugin.c
+++ b/src/libcharon/plugins/coupling/coupling_plugin.c
@@ -43,11 +43,48 @@ METHOD(plugin_t, get_name, char*,
 	return "coupling";
 }
 
+/**
+ * Since the validator instantiates a hasher we create it as plugin feature.
+ * The default is SHA1 which we soft depend but depending on the plugin order
+ * there is no guarantee that the configured algorithm is registered.
+ */
+static bool plugin_cb(private_coupling_plugin_t *this,
+					  plugin_feature_t *feature, bool reg, void *cb_data)
+{
+	if (reg)
+	{
+		this->validator = coupling_validator_create();
+
+		if (!this->validator)
+		{
+			return FALSE;
+		}
+		lib->credmgr->add_validator(lib->credmgr, &this->validator->validator);
+	}
+	else
+	{
+		lib->credmgr->remove_validator(lib->credmgr,
+									   &this->validator->validator);
+		this->validator->destroy(this->validator);
+	}
+	return TRUE;
+}
+
+METHOD(plugin_t, get_features, int,
+	private_coupling_plugin_t *this, plugin_feature_t *features[])
+{
+	static plugin_feature_t f[] = {
+		PLUGIN_CALLBACK((plugin_feature_callback_t)plugin_cb, NULL),
+			PLUGIN_PROVIDE(CUSTOM, "coupling"),
+				PLUGIN_SDEPEND(HASHER, HASH_SHA1),
+	};
+	*features = f;
+	return countof(f);
+}
+
 METHOD(plugin_t, destroy, void,
 	private_coupling_plugin_t *this)
 {
-	lib->credmgr->remove_validator(lib->credmgr, &this->validator->validator);
-	this->validator->destroy(this->validator);
 	free(this);
 }
 
@@ -62,20 +99,11 @@ plugin_t *coupling_plugin_create()
 		.public = {
 			.plugin = {
 				.get_name = _get_name,
-				.reload = (void*)return_false,
+				.get_features = _get_features,
 				.destroy = _destroy,
 			},
 		},
-		.validator = coupling_validator_create(),
 	);
 
-	if (!this->validator)
-	{
-		free(this);
-		return NULL;
-	}
-
-	lib->credmgr->add_validator(lib->credmgr, &this->validator->validator);
-
 	return &this->public.plugin;
 }
diff --git a/src/libcharon/plugins/coupling/coupling_validator.c b/src/libcharon/plugins/coupling/coupling_validator.c
index 539be7548..958bd2b6d 100644
--- a/src/libcharon/plugins/coupling/coupling_validator.c
+++ b/src/libcharon/plugins/coupling/coupling_validator.c
@@ -167,6 +167,8 @@ METHOD(cert_validator_t, validate, bool,
 			{
 				DBG1(DBG_CFG, "coupling new certificate '%Y' failed",
 					 subject->get_subject(subject));
+				lib->credmgr->call_hook(lib->credmgr,
+										CRED_HOOK_POLICY_VIOLATION, subject);
 			}
 		}
 		else
@@ -174,6 +176,8 @@ METHOD(cert_validator_t, validate, bool,
 			DBG1(DBG_CFG, "coupling new certificate '%Y' failed, limit of %d "
 				 "couplings reached", subject->get_subject(subject),
 				 this->max_couplings);
+			lib->credmgr->call_hook(lib->credmgr, CRED_HOOK_POLICY_VIOLATION,
+									subject);
 		}
 		this->mutex->unlock(this->mutex);
 	}
diff --git a/src/libcharon/plugins/dhcp/Makefile.am b/src/libcharon/plugins/dhcp/Makefile.am
index 45d7536be..e0e857eed 100644
--- a/src/libcharon/plugins/dhcp/Makefile.am
+++ b/src/libcharon/plugins/dhcp/Makefile.am
@@ -1,8 +1,10 @@
-
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon
 
-AM_CFLAGS = -rdynamic
+AM_CFLAGS = \
+	-rdynamic
 
 if MONOLITHIC
 noinst_LTLIBRARIES = libstrongswan-dhcp.la
diff --git a/src/libcharon/plugins/dhcp/Makefile.in b/src/libcharon/plugins/dhcp/Makefile.in
index 504aa5f93..29aca266f 100644
--- a/src/libcharon/plugins/dhcp/Makefile.in
+++ b/src/libcharon/plugins/dhcp/Makefile.in
@@ -62,7 +62,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
@@ -102,9 +102,13 @@ libstrongswan_dhcp_la_LIBADD =
 am_libstrongswan_dhcp_la_OBJECTS = dhcp_plugin.lo dhcp_provider.lo \
 	dhcp_socket.lo dhcp_transaction.lo
 libstrongswan_dhcp_la_OBJECTS = $(am_libstrongswan_dhcp_la_OBJECTS)
-libstrongswan_dhcp_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
-	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
-	$(libstrongswan_dhcp_la_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+libstrongswan_dhcp_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
+	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
+	$(AM_CFLAGS) $(CFLAGS) $(libstrongswan_dhcp_la_LDFLAGS) \
+	$(LDFLAGS) -o $@
 @MONOLITHIC_FALSE@am_libstrongswan_dhcp_la_rpath = -rpath $(plugindir)
 @MONOLITHIC_TRUE@am_libstrongswan_dhcp_la_rpath =
 DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
@@ -113,13 +117,26 @@ am__depfiles_maybe = depfiles
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
 SOURCES = $(libstrongswan_dhcp_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_dhcp_la_SOURCES)
 am__can_run_installinfo = \
@@ -133,6 +150,7 @@ DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
@@ -145,6 +163,8 @@ CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
 CHECK_CFLAGS = @CHECK_CFLAGS@
 CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -160,6 +180,7 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
 GPRBUILD = @GPRBUILD@
 GREP = @GREP@
@@ -168,6 +189,7 @@ INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -214,6 +236,7 @@ SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -242,6 +265,7 @@ charon_natt_port = @charon_natt_port@
 charon_plugins = @charon_plugins@
 charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
@@ -319,10 +343,14 @@ top_srcdir = @top_srcdir@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon
 
-AM_CFLAGS = -rdynamic
+AM_CFLAGS = \
+	-rdynamic
+
 @MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-dhcp.la
 @MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-dhcp.la
 libstrongswan_dhcp_la_SOURCES = dhcp_plugin.h dhcp_plugin.c \
@@ -407,7 +435,7 @@ clean-pluginLTLIBRARIES:
 	  rm -f "$${dir}/so_locations"; \
 	done
 libstrongswan-dhcp.la: $(libstrongswan_dhcp_la_OBJECTS) $(libstrongswan_dhcp_la_DEPENDENCIES) $(EXTRA_libstrongswan_dhcp_la_DEPENDENCIES) 
-	$(libstrongswan_dhcp_la_LINK) $(am_libstrongswan_dhcp_la_rpath) $(libstrongswan_dhcp_la_OBJECTS) $(libstrongswan_dhcp_la_LIBADD) $(LIBS)
+	$(AM_V_CCLD)$(libstrongswan_dhcp_la_LINK) $(am_libstrongswan_dhcp_la_rpath) $(libstrongswan_dhcp_la_OBJECTS) $(libstrongswan_dhcp_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -421,25 +449,25 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/dhcp_transaction.Plo@am__quote@
 
 .c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
 mostlyclean-libtool:
 	-rm -f *.lo
diff --git a/src/libcharon/plugins/dhcp/dhcp_plugin.c b/src/libcharon/plugins/dhcp/dhcp_plugin.c
index f8782c2a4..c36c60d28 100644
--- a/src/libcharon/plugins/dhcp/dhcp_plugin.c
+++ b/src/libcharon/plugins/dhcp/dhcp_plugin.c
@@ -1,4 +1,7 @@
 /*
+ * Copyright (C) 2013 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
  * Copyright (C) 2010 Martin Willi
  * Copyright (C) 2010 revosec AG
  *
@@ -17,6 +20,7 @@
 
 #include <hydra.h>
 #include <daemon.h>
+#include <plugins/plugin_feature.h>
 
 #include "dhcp_socket.h"
 #include "dhcp_provider.h"
@@ -50,13 +54,49 @@ METHOD(plugin_t, get_name, char*,
 	return "dhcp";
 }
 
+/**
+ * Register listener
+ */
+static bool plugin_cb(private_dhcp_plugin_t *this,
+					  plugin_feature_t *feature, bool reg, void *cb_data)
+{
+	if (reg)
+	{
+		this->socket = dhcp_socket_create();
+
+		if (!this->socket)
+		{
+			return FALSE;
+		}
+		this->provider = dhcp_provider_create(this->socket);
+		hydra->attributes->add_provider(hydra->attributes,
+										&this->provider->provider);
+	}
+	else
+	{
+		hydra->attributes->remove_provider(hydra->attributes,
+										   &this->provider->provider);
+		this->provider->destroy(this->provider);
+		this->socket->destroy(this->socket);
+	}
+	return TRUE;
+}
+
+METHOD(plugin_t, get_features, int,
+	private_dhcp_plugin_t *this, plugin_feature_t *features[])
+{
+	static plugin_feature_t f[] = {
+		PLUGIN_CALLBACK((plugin_feature_callback_t)plugin_cb, NULL),
+			PLUGIN_PROVIDE(CUSTOM, "dhcp"),
+				PLUGIN_DEPENDS(RNG, RNG_WEAK),
+	};
+	*features = f;
+	return countof(f);
+}
+
 METHOD(plugin_t, destroy, void,
 	private_dhcp_plugin_t *this)
 {
-	hydra->attributes->remove_provider(hydra->attributes,
-									   &this->provider->provider);
-	this->provider->destroy(this->provider);
-	this->socket->destroy(this->socket);
 	free(this);
 }
 
@@ -67,27 +107,27 @@ plugin_t *dhcp_plugin_create()
 {
 	private_dhcp_plugin_t *this;
 
+	if (!lib->caps->check(lib->caps, CAP_NET_BIND_SERVICE))
+	{	/* required to bind DHCP socket (port 68) */
+		DBG1(DBG_NET, "dhcp plugin requires CAP_NET_BIND_SERVICE capability");
+		return NULL;
+	}
+	else if (!lib->caps->keep(lib->caps, CAP_NET_RAW))
+	{	/* required to open DHCP receive socket (AF_PACKET). according to
+		 * capabilities(7) it is also required to use the socket */
+		DBG1(DBG_NET, "dhcp plugin requires CAP_NET_RAW capability");
+		return NULL;
+	}
+
 	INIT(this,
 		.public = {
 			.plugin = {
 				.get_name = _get_name,
-				.reload = (void*)return_false,
+				.get_features = _get_features,
 				.destroy = _destroy,
 			},
 		},
-		.socket = dhcp_socket_create(),
 	);
 
-	if (!this->socket)
-	{
-		free(this);
-		return NULL;
-	}
-
-	this->provider = dhcp_provider_create(this->socket);
-	hydra->attributes->add_provider(hydra->attributes,
-									&this->provider->provider);
-
 	return &this->public.plugin;
 }
-
diff --git a/src/libcharon/plugins/dhcp/dhcp_provider.c b/src/libcharon/plugins/dhcp/dhcp_provider.c
index f83efda5d..e092771f4 100644
--- a/src/libcharon/plugins/dhcp/dhcp_provider.c
+++ b/src/libcharon/plugins/dhcp/dhcp_provider.c
@@ -162,6 +162,12 @@ METHOD(attribute_provider_t, create_attribute_enumerator, enumerator_t*,
 	enumerator_t *enumerator;
 	host_t *vip;
 
+	if (pools->find_first(pools, (linked_list_match_t)streq,
+						  NULL, "dhcp") != SUCCESS)
+	{
+		return NULL;
+	}
+
 	this->mutex->lock(this->mutex);
 	enumerator = vips->create_enumerator(vips);
 	while (enumerator->enumerate(enumerator, &vip))
@@ -225,4 +231,3 @@ dhcp_provider_t *dhcp_provider_create(dhcp_socket_t *socket)
 
 	return &this->public;
 }
-
diff --git a/src/libcharon/plugins/dhcp/dhcp_socket.c b/src/libcharon/plugins/dhcp/dhcp_socket.c
index 46d4c64ef..044c8a819 100644
--- a/src/libcharon/plugins/dhcp/dhcp_socket.c
+++ b/src/libcharon/plugins/dhcp/dhcp_socket.c
@@ -227,7 +227,7 @@ static int prepare_dhcp(private_dhcp_socket_t *this,
 	/* with ID specific postfix */
 	if (this->identity_lease)
 	{
-		id = htonl(chunk_hash(chunk));
+		id = htonl(chunk_hash_static(chunk));
 	}
 	else
 	{
@@ -562,7 +562,8 @@ static void handle_ack(private_dhcp_socket_t *this, dhcp_t *dhcp, int optlen)
 /**
  * Receive DHCP responses
  */
-static job_requeue_t receive_dhcp(private_dhcp_socket_t *this)
+static bool receive_dhcp(private_dhcp_socket_t *this, int fd,
+						 watcher_event_t event)
 {
 	struct sockaddr_ll addr;
 	socklen_t addr_len = sizeof(addr);
@@ -571,14 +572,12 @@ static job_requeue_t receive_dhcp(private_dhcp_socket_t *this)
 		struct udphdr udp;
 		dhcp_t dhcp;
 	} packet;
-	int oldstate, optlen, origoptlen, optsize, optpos = 0;
+	int optlen, origoptlen, optsize, optpos = 0;
 	ssize_t len;
 	dhcp_option_t *option;
 
-	oldstate = thread_cancelability(TRUE);
-	len = recvfrom(this->receive, &packet, sizeof(packet), 0,
+	len = recvfrom(fd, &packet, sizeof(packet), MSG_DONTWAIT,
 					(struct sockaddr*)&addr, &addr_len);
-	thread_cancelability(oldstate);
 
 	if (len >= sizeof(struct iphdr) + sizeof(struct udphdr) +
 		offsetof(dhcp_t, options))
@@ -611,7 +610,7 @@ static job_requeue_t receive_dhcp(private_dhcp_socket_t *this)
 			optpos += optsize;
 		}
 	}
-	return JOB_REQUEUE_DIRECT;
+	return TRUE;
 }
 
 METHOD(dhcp_socket_t, destroy, void,
@@ -627,6 +626,7 @@ METHOD(dhcp_socket_t, destroy, void,
 	}
 	if (this->receive > 0)
 	{
+		lib->watcher->remove(lib->watcher, this->receive);
 		close(this->receive);
 	}
 	this->mutex->destroy(this->mutex);
@@ -767,10 +767,8 @@ dhcp_socket_t *dhcp_socket_create()
 		return NULL;
 	}
 
-	lib->processor->queue_job(lib->processor,
-		(job_t*)callback_job_create_with_prio((callback_job_cb_t)receive_dhcp,
-			this, NULL, (callback_job_cancel_t)return_false, JOB_PRIO_CRITICAL));
+	lib->watcher->add(lib->watcher, this->receive, WATCHER_READ,
+					  (watcher_cb_t)receive_dhcp, this);
 
 	return &this->public;
 }
-
diff --git a/src/libcharon/plugins/duplicheck/Makefile.am b/src/libcharon/plugins/duplicheck/Makefile.am
index 63c91dfab..4ea2becf3 100644
--- a/src/libcharon/plugins/duplicheck/Makefile.am
+++ b/src/libcharon/plugins/duplicheck/Makefile.am
@@ -1,10 +1,12 @@
-
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
-	-I$(top_srcdir)/src/libcharon
-
-AM_CFLAGS = -rdynamic \
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon \
 	-DIPSEC_PIDDIR=\"${piddir}\"
 
+AM_CFLAGS = \
+	-rdynamic
+
 if MONOLITHIC
 noinst_LTLIBRARIES = libstrongswan-duplicheck.la
 else
@@ -13,7 +15,8 @@ endif
 
 libstrongswan_duplicheck_la_SOURCES = duplicheck_plugin.h duplicheck_plugin.c \
 	duplicheck_listener.h duplicheck_listener.c \
-	duplicheck_notify.h duplicheck_notify.c
+	duplicheck_notify.h duplicheck_notify.c \
+	duplicheck_msg.h
 
 libstrongswan_duplicheck_la_LDFLAGS = -module -avoid-version
 
diff --git a/src/libcharon/plugins/duplicheck/Makefile.in b/src/libcharon/plugins/duplicheck/Makefile.in
index f4efc5f6e..7e480ffac 100644
--- a/src/libcharon/plugins/duplicheck/Makefile.in
+++ b/src/libcharon/plugins/duplicheck/Makefile.in
@@ -64,7 +64,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
@@ -105,7 +105,10 @@ am_libstrongswan_duplicheck_la_OBJECTS = duplicheck_plugin.lo \
 	duplicheck_listener.lo duplicheck_notify.lo
 libstrongswan_duplicheck_la_OBJECTS =  \
 	$(am_libstrongswan_duplicheck_la_OBJECTS)
-libstrongswan_duplicheck_la_LINK = $(LIBTOOL) --tag=CC \
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+libstrongswan_duplicheck_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
 	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
 	$(AM_CFLAGS) $(CFLAGS) $(libstrongswan_duplicheck_la_LDFLAGS) \
 	$(LDFLAGS) -o $@
@@ -122,13 +125,26 @@ am__depfiles_maybe = depfiles
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
 SOURCES = $(libstrongswan_duplicheck_la_SOURCES) $(duplicheck_SOURCES)
 DIST_SOURCES = $(libstrongswan_duplicheck_la_SOURCES) \
 	$(duplicheck_SOURCES)
@@ -143,6 +159,7 @@ DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
@@ -155,6 +172,8 @@ CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
 CHECK_CFLAGS = @CHECK_CFLAGS@
 CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -170,6 +189,7 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
 GPRBUILD = @GPRBUILD@
 GREP = @GREP@
@@ -178,6 +198,7 @@ INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -224,6 +245,7 @@ SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -252,6 +274,7 @@ charon_natt_port = @charon_natt_port@
 charon_plugins = @charon_plugins@
 charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
@@ -329,17 +352,21 @@ top_srcdir = @top_srcdir@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
-	-I$(top_srcdir)/src/libcharon
-
-AM_CFLAGS = -rdynamic \
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon \
 	-DIPSEC_PIDDIR=\"${piddir}\"
 
+AM_CFLAGS = \
+	-rdynamic
+
 @MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-duplicheck.la
 @MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-duplicheck.la
 libstrongswan_duplicheck_la_SOURCES = duplicheck_plugin.h duplicheck_plugin.c \
 	duplicheck_listener.h duplicheck_listener.c \
-	duplicheck_notify.h duplicheck_notify.c
+	duplicheck_notify.h duplicheck_notify.c \
+	duplicheck_msg.h
 
 libstrongswan_duplicheck_la_LDFLAGS = -module -avoid-version
 duplicheck_SOURCES = duplicheck.c
@@ -419,7 +446,7 @@ clean-pluginLTLIBRARIES:
 	  rm -f "$${dir}/so_locations"; \
 	done
 libstrongswan-duplicheck.la: $(libstrongswan_duplicheck_la_OBJECTS) $(libstrongswan_duplicheck_la_DEPENDENCIES) $(EXTRA_libstrongswan_duplicheck_la_DEPENDENCIES) 
-	$(libstrongswan_duplicheck_la_LINK) $(am_libstrongswan_duplicheck_la_rpath) $(libstrongswan_duplicheck_la_OBJECTS) $(libstrongswan_duplicheck_la_LIBADD) $(LIBS)
+	$(AM_V_CCLD)$(libstrongswan_duplicheck_la_LINK) $(am_libstrongswan_duplicheck_la_rpath) $(libstrongswan_duplicheck_la_OBJECTS) $(libstrongswan_duplicheck_la_LIBADD) $(LIBS)
 install-ipsecPROGRAMS: $(ipsec_PROGRAMS)
 	@$(NORMAL_INSTALL)
 	@list='$(ipsec_PROGRAMS)'; test -n "$(ipsecdir)" || list=; \
@@ -468,7 +495,7 @@ clean-ipsecPROGRAMS:
 	rm -f $$list
 duplicheck$(EXEEXT): $(duplicheck_OBJECTS) $(duplicheck_DEPENDENCIES) $(EXTRA_duplicheck_DEPENDENCIES) 
 	@rm -f duplicheck$(EXEEXT)
-	$(LINK) $(duplicheck_OBJECTS) $(duplicheck_LDADD) $(LIBS)
+	$(AM_V_CCLD)$(LINK) $(duplicheck_OBJECTS) $(duplicheck_LDADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -482,25 +509,25 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/duplicheck_plugin.Plo@am__quote@
 
 .c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
 mostlyclean-libtool:
 	-rm -f *.lo
diff --git a/src/libcharon/plugins/duplicheck/duplicheck.c b/src/libcharon/plugins/duplicheck/duplicheck.c
index 99731a22b..508e8e386 100644
--- a/src/libcharon/plugins/duplicheck/duplicheck.c
+++ b/src/libcharon/plugins/duplicheck/duplicheck.c
@@ -16,44 +16,99 @@
 #include <sys/socket.h>
 #include <sys/un.h>
 #include <unistd.h>
+#include <stdlib.h>
 #include <stddef.h>
 #include <stdio.h>
 #include <errno.h>
+#include <arpa/inet.h>
 
-#define DUPLICHECK_SOCKET IPSEC_PIDDIR "/charon.dck"
+#include "duplicheck_msg.h"
 
-int main(int argc, char *argv[])
+/**
+ * Connect to the daemon, return FD
+ */
+static int make_connection()
 {
-	struct sockaddr_un addr;
-	char buf[128];
+	union {
+		struct sockaddr_un un;
+		struct sockaddr_in in;
+		struct sockaddr sa;
+	} addr;
 	int fd, len;
 
-	addr.sun_family = AF_UNIX;
-	strcpy(addr.sun_path, DUPLICHECK_SOCKET);
+	if (getenv("TCP_PORT"))
+	{
+		addr.in.sin_family = AF_INET;
+		addr.in.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
+		addr.in.sin_port = htons(atoi(getenv("TCP_PORT")));
+		len = sizeof(addr.in);
+	}
+	else
+	{
+		addr.un.sun_family = AF_UNIX;
+		strcpy(addr.un.sun_path, DUPLICHECK_SOCKET);
 
-	fd = socket(AF_UNIX, SOCK_SEQPACKET, 0);
+		len = offsetof(struct sockaddr_un, sun_path) + strlen(addr.un.sun_path);
+	}
+	fd = socket(addr.sa.sa_family, SOCK_STREAM, 0);
 	if (fd < 0)
 	{
 		fprintf(stderr, "opening socket failed: %s\n", strerror(errno));
-		return 1;
+		return -1;
 	}
-	if (connect(fd, (struct sockaddr *)&addr,
-			offsetof(struct sockaddr_un, sun_path) + strlen(addr.sun_path)) < 0)
+	if (connect(fd, &addr.sa, len) < 0)
 	{
-		fprintf(stderr, "connecting to %s failed: %s\n",
-				DUPLICHECK_SOCKET, strerror(errno));
+		fprintf(stderr, "connecting failed: %s\n", strerror(errno));
 		close(fd);
+		return -1;
+	}
+	return fd;
+}
+
+int main(int argc, char *argv[])
+{
+	char buf[128];
+	int fd, len;
+	u_int16_t msglen;
+
+	fd = make_connection();
+	if (fd < 0)
+	{
 		return 1;
 	}
 	while (1)
 	{
-		len = recv(fd, &buf, sizeof(buf) - 1, 0);
+		len = recv(fd, &msglen, sizeof(msglen), 0);
+		if (len != sizeof(msglen))
+		{
+			break;
+		}
+		msglen = ntohs(msglen);
+		while (msglen)
+		{
+			if (sizeof(buf) > msglen)
+			{
+				len = msglen;
+			}
+			else
+			{
+				len = sizeof(buf);
+			}
+			len = recv(fd, &buf, len, 0);
+			if (len < 0)
+			{
+				break;
+			}
+			msglen -= len;
+			printf("%.*s", len, buf);
+		}
+		printf("\n");
 		if (len < 0)
 		{
-			fprintf(stderr, "reading from socket failed: %s\n", strerror(errno));
-			close(fd);
-			return 1;
+			break;
 		}
-		printf("%.*s\n", len, buf);
 	}
+	fprintf(stderr, "reading from socket failed: %s\n", strerror(errno));
+	close(fd);
+	return 1;
 }
diff --git a/src/libcharon/plugins/duplicheck/duplicheck_msg.h b/src/libcharon/plugins/duplicheck/duplicheck_msg.h
new file mode 100644
index 000000000..99e297104
--- /dev/null
+++ b/src/libcharon/plugins/duplicheck/duplicheck_msg.h
@@ -0,0 +1,43 @@
+/*
+ * Copyright (C) 2013 Martin Willi
+ * Copyright (C) 2013 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup duplicheck_msg duplicheck_msg
+ * @{ @ingroup duplicheck
+ */
+
+#ifndef DUPLICHECK_MSG_H_
+#define DUPLICHECK_MSG_H_
+
+#include <sys/types.h>
+
+/**
+ * Default Unix socket to connect to
+ */
+#define DUPLICHECK_SOCKET IPSEC_PIDDIR "/charon.dck"
+
+typedef struct duplicheck_msg_t duplicheck_msg_t;
+
+/**
+ * Message exchanged over duplicheck socket
+ */
+struct duplicheck_msg_t {
+	/** length of the identity following, in network order (excluding len). */
+	u_int16_t len;
+	/** identity string, not null terminated */
+	char identity[];
+} __attribute__((__packed__));
+
+#endif /** DUPLICHECK_MSG_H_ @}*/
diff --git a/src/libcharon/plugins/duplicheck/duplicheck_notify.c b/src/libcharon/plugins/duplicheck/duplicheck_notify.c
index cd5d4970b..e3a4e17b7 100644
--- a/src/libcharon/plugins/duplicheck/duplicheck_notify.c
+++ b/src/libcharon/plugins/duplicheck/duplicheck_notify.c
@@ -14,6 +14,7 @@
  */
 
 #include "duplicheck_notify.h"
+#include "duplicheck_msg.h"
 
 #include <sys/types.h>
 #include <sys/stat.h>
@@ -28,7 +29,6 @@
 #include <collections/linked_list.h>
 #include <processing/jobs/callback_job.h>
 
-#define DUPLICHECK_SOCKET IPSEC_PIDDIR "/charon.dck"
 
 typedef struct private_duplicheck_notify_t private_duplicheck_notify_t;
 
@@ -48,108 +48,53 @@ struct private_duplicheck_notify_t {
 	mutex_t *mutex;
 
 	/**
-	 * List of connected sockets
+	 * List of connected clients, as stream_t
 	 */
 	linked_list_t *connected;
 
 	/**
-	 * Socket dispatching connections
+	 * stream service accepting connections
 	 */
-	int socket;
+	stream_service_t *service;
 };
 
-/**
- * Open duplicheck unix socket
- */
-static bool open_socket(private_duplicheck_notify_t *this)
-{
-	struct sockaddr_un addr;
-	mode_t old;
-
-	addr.sun_family = AF_UNIX;
-	strcpy(addr.sun_path, DUPLICHECK_SOCKET);
-
-	this->socket = socket(AF_UNIX, SOCK_SEQPACKET, 0);
-	if (this->socket == -1)
-	{
-		DBG1(DBG_CFG, "creating duplicheck socket failed");
-		return FALSE;
-	}
-	unlink(addr.sun_path);
-	old = umask(~(S_IRWXU | S_IRWXG));
-	if (bind(this->socket, (struct sockaddr*)&addr, sizeof(addr)) < 0)
-	{
-		DBG1(DBG_CFG, "binding duplicheck socket failed: %s", strerror(errno));
-		close(this->socket);
-		return FALSE;
-	}
-	umask(old);
-	if (chown(addr.sun_path, charon->caps->get_uid(charon->caps),
-			  charon->caps->get_gid(charon->caps)) != 0)
-	{
-		DBG1(DBG_CFG, "changing duplicheck socket permissions failed: %s",
-			 strerror(errno));
-	}
-	if (listen(this->socket, 3) < 0)
-	{
-		DBG1(DBG_CFG, "listening on duplicheck socket failed: %s",
-			 strerror(errno));
-		close(this->socket);
-		unlink(addr.sun_path);
-		return FALSE;
-	}
-	return TRUE;
-}
-
 /**
  * Accept duplicheck notification connections
  */
-static job_requeue_t receive(private_duplicheck_notify_t *this)
+static bool on_accept(private_duplicheck_notify_t *this, stream_t *stream)
 {
-	struct sockaddr_un addr;
-	int len = sizeof(addr);
-	uintptr_t fd;
-	bool oldstate;
-
-	oldstate = thread_cancelability(TRUE);
-	fd = accept(this->socket, (struct sockaddr*)&addr, &len);
-	thread_cancelability(oldstate);
+	this->mutex->lock(this->mutex);
+	this->connected->insert_last(this->connected, stream);
+	this->mutex->unlock(this->mutex);
 
-	if (fd != -1)
-	{
-		this->mutex->lock(this->mutex);
-		this->connected->insert_last(this->connected, (void*)fd);
-		this->mutex->unlock(this->mutex);
-	 }
-	 else
-	 {
-		 DBG1(DBG_CFG, "accepting duplicheck connection failed: %s",
-			  strerror(errno));
-	 }
-	 return JOB_REQUEUE_FAIR;
+	return TRUE;
 }
 
 METHOD(duplicheck_notify_t, send_, void,
 	private_duplicheck_notify_t *this, identification_t *id)
 {
-	char buf[128];
 	enumerator_t *enumerator;
-	uintptr_t fd;
+	stream_t *stream;
+	u_int16_t nlen;
+	char buf[512];
 	int len;
 
 	len = snprintf(buf, sizeof(buf), "%Y", id);
 	if (len > 0 && len < sizeof(buf))
 	{
+		nlen = htons(len);
+
 		this->mutex->lock(this->mutex);
 		enumerator = this->connected->create_enumerator(this->connected);
-		while (enumerator->enumerate(enumerator, &fd))
+		while (enumerator->enumerate(enumerator, &stream))
 		{
-			if (send(fd, &buf, len + 1, 0) != len + 1)
+			if (!stream->write_all(stream, &nlen, sizeof(nlen)) ||
+				!stream->write_all(stream, buf, len))
 			{
 				DBG1(DBG_CFG, "sending duplicheck notify failed: %s",
 					 strerror(errno));
 				this->connected->remove_at(this->connected, enumerator);
-				close(fd);
+				stream->destroy(stream);
 			}
 		}
 		enumerator->destroy(enumerator);
@@ -160,16 +105,8 @@ METHOD(duplicheck_notify_t, send_, void,
 METHOD(duplicheck_notify_t, destroy, void,
 	private_duplicheck_notify_t *this)
 {
-	enumerator_t *enumerator;
-	uintptr_t fd;
-
-	enumerator = this->connected->create_enumerator(this->connected);
-	while (enumerator->enumerate(enumerator, &fd))
-	{
-		close(fd);
-	}
-	enumerator->destroy(enumerator);
-	this->connected->destroy(this->connected);
+	DESTROY_IF(this->service);
+	this->connected->destroy_offset(this->connected, offsetof(stream_t, destroy));
 	this->mutex->destroy(this->mutex);
 	free(this);
 }
@@ -180,6 +117,7 @@ METHOD(duplicheck_notify_t, destroy, void,
 duplicheck_notify_t *duplicheck_notify_create()
 {
 	private_duplicheck_notify_t *this;
+	char *uri;
 
 	INIT(this,
 		.public = {
@@ -190,14 +128,18 @@ duplicheck_notify_t *duplicheck_notify_create()
 		.mutex = mutex_create(MUTEX_TYPE_DEFAULT),
 	);
 
-	if (!open_socket(this))
+	uri = lib->settings->get_str(lib->settings,
+					"%s.plugins.duplicheck.socket", "unix://" DUPLICHECK_SOCKET,
+					charon->name);
+	this->service = lib->streams->create_service(lib->streams, uri, 3);
+	if (!this->service)
 	{
+		DBG1(DBG_CFG, "creating duplicheck socket failed");
 		destroy(this);
 		return NULL;
 	}
-	lib->processor->queue_job(lib->processor,
-		(job_t*)callback_job_create_with_prio((callback_job_cb_t)receive, this,
-				NULL, (callback_job_cancel_t)return_false, JOB_PRIO_CRITICAL));
+	this->service->on_accept(this->service, (stream_service_cb_t)on_accept,
+							 this, JOB_PRIO_CRITICAL, 1);
 
 	return &this->public;
 }
diff --git a/src/libcharon/plugins/duplicheck/duplicheck_plugin.c b/src/libcharon/plugins/duplicheck/duplicheck_plugin.c
index 100ef0c2d..4d018dbef 100644
--- a/src/libcharon/plugins/duplicheck/duplicheck_plugin.c
+++ b/src/libcharon/plugins/duplicheck/duplicheck_plugin.c
@@ -49,10 +49,37 @@ METHOD(plugin_t, get_name, char*,
 	return "duplicheck";
 }
 
+/**
+ * Register listener
+ */
+static bool plugin_cb(private_duplicheck_plugin_t *this,
+					  plugin_feature_t *feature, bool reg, void *cb_data)
+{
+	if (reg)
+	{
+		charon->bus->add_listener(charon->bus, &this->listener->listener);
+	}
+	else
+	{
+		charon->bus->remove_listener(charon->bus, &this->listener->listener);
+	}
+	return TRUE;
+}
+
+METHOD(plugin_t, get_features, int,
+	private_duplicheck_plugin_t *this, plugin_feature_t *features[])
+{
+	static plugin_feature_t f[] = {
+		PLUGIN_CALLBACK((plugin_feature_callback_t)plugin_cb, NULL),
+			PLUGIN_PROVIDE(CUSTOM, "duplicheck"),
+	};
+	*features = f;
+	return countof(f);
+}
+
 METHOD(plugin_t, destroy, void,
 	private_duplicheck_plugin_t *this)
 {
-	charon->bus->remove_listener(charon->bus, &this->listener->listener);
 	this->notify->destroy(this->notify);
 	this->listener->destroy(this->listener);
 	free(this);
@@ -75,7 +102,7 @@ plugin_t *duplicheck_plugin_create()
 		.public = {
 			.plugin = {
 				.get_name = _get_name,
-				.reload = (void*)return_false,
+				.get_features = _get_features,
 				.destroy = _destroy,
 			},
 		},
@@ -88,7 +115,6 @@ plugin_t *duplicheck_plugin_create()
 		return NULL;
 	}
 	this->listener = duplicheck_listener_create(this->notify);
-	charon->bus->add_listener(charon->bus, &this->listener->listener);
 
 	return &this->public.plugin;
 }
diff --git a/src/libcharon/plugins/eap_aka/Makefile.am b/src/libcharon/plugins/eap_aka/Makefile.am
index d37d1691c..ba6e66039 100644
--- a/src/libcharon/plugins/eap_aka/Makefile.am
+++ b/src/libcharon/plugins/eap_aka/Makefile.am
@@ -1,8 +1,11 @@
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon \
+	-I$(top_srcdir)/src/libsimaka
 
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
-	-I$(top_srcdir)/src/libcharon -I$(top_srcdir)/src/libsimaka
-
-AM_CFLAGS = -rdynamic
+AM_CFLAGS = \
+	-rdynamic
 
 if MONOLITHIC
 noinst_LTLIBRARIES = libstrongswan-eap-aka.la
diff --git a/src/libcharon/plugins/eap_aka/Makefile.in b/src/libcharon/plugins/eap_aka/Makefile.in
index 99ec32471..7b2ac73c5 100644
--- a/src/libcharon/plugins/eap_aka/Makefile.in
+++ b/src/libcharon/plugins/eap_aka/Makefile.in
@@ -62,7 +62,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
@@ -104,9 +104,13 @@ am_libstrongswan_eap_aka_la_OBJECTS = eap_aka_plugin.lo \
 	eap_aka_peer.lo eap_aka_server.lo
 libstrongswan_eap_aka_la_OBJECTS =  \
 	$(am_libstrongswan_eap_aka_la_OBJECTS)
-libstrongswan_eap_aka_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
-	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
-	$(libstrongswan_eap_aka_la_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+libstrongswan_eap_aka_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
+	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
+	$(AM_CFLAGS) $(CFLAGS) $(libstrongswan_eap_aka_la_LDFLAGS) \
+	$(LDFLAGS) -o $@
 @MONOLITHIC_FALSE@am_libstrongswan_eap_aka_la_rpath = -rpath \
 @MONOLITHIC_FALSE@	$(plugindir)
 @MONOLITHIC_TRUE@am_libstrongswan_eap_aka_la_rpath =
@@ -116,13 +120,26 @@ am__depfiles_maybe = depfiles
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
 SOURCES = $(libstrongswan_eap_aka_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_eap_aka_la_SOURCES)
 am__can_run_installinfo = \
@@ -136,6 +153,7 @@ DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
@@ -148,6 +166,8 @@ CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
 CHECK_CFLAGS = @CHECK_CFLAGS@
 CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -163,6 +183,7 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
 GPRBUILD = @GPRBUILD@
 GREP = @GREP@
@@ -171,6 +192,7 @@ INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -217,6 +239,7 @@ SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -245,6 +268,7 @@ charon_natt_port = @charon_natt_port@
 charon_plugins = @charon_plugins@
 charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
@@ -322,10 +346,15 @@ top_srcdir = @top_srcdir@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
-	-I$(top_srcdir)/src/libcharon -I$(top_srcdir)/src/libsimaka
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon \
+	-I$(top_srcdir)/src/libsimaka
+
+AM_CFLAGS = \
+	-rdynamic
 
-AM_CFLAGS = -rdynamic
 @MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-eap-aka.la
 @MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-eap-aka.la
 @MONOLITHIC_FALSE@libstrongswan_eap_aka_la_LIBADD = $(top_builddir)/src/libsimaka/libsimaka.la
@@ -411,7 +440,7 @@ clean-pluginLTLIBRARIES:
 	  rm -f "$${dir}/so_locations"; \
 	done
 libstrongswan-eap-aka.la: $(libstrongswan_eap_aka_la_OBJECTS) $(libstrongswan_eap_aka_la_DEPENDENCIES) $(EXTRA_libstrongswan_eap_aka_la_DEPENDENCIES) 
-	$(libstrongswan_eap_aka_la_LINK) $(am_libstrongswan_eap_aka_la_rpath) $(libstrongswan_eap_aka_la_OBJECTS) $(libstrongswan_eap_aka_la_LIBADD) $(LIBS)
+	$(AM_V_CCLD)$(libstrongswan_eap_aka_la_LINK) $(am_libstrongswan_eap_aka_la_rpath) $(libstrongswan_eap_aka_la_OBJECTS) $(libstrongswan_eap_aka_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -424,25 +453,25 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/eap_aka_server.Plo@am__quote@
 
 .c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
 mostlyclean-libtool:
 	-rm -f *.lo
diff --git a/src/libcharon/plugins/eap_aka_3gpp2/Makefile.am b/src/libcharon/plugins/eap_aka_3gpp2/Makefile.am
index b4d6dc1d2..4e2b207d2 100644
--- a/src/libcharon/plugins/eap_aka_3gpp2/Makefile.am
+++ b/src/libcharon/plugins/eap_aka_3gpp2/Makefile.am
@@ -1,8 +1,11 @@
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon \
+	-I$(top_srcdir)/src/libsimaka
 
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
-	-I$(top_srcdir)/src/libcharon -I$(top_srcdir)/src/libsimaka
-
-AM_CFLAGS = -rdynamic
+AM_CFLAGS = \
+	-rdynamic
 
 libstrongswan_eap_aka_3gpp2_la_LDFLAGS = -module -avoid-version
 libstrongswan_eap_aka_3gpp2_la_LIBADD = -lgmp
diff --git a/src/libcharon/plugins/eap_aka_3gpp2/Makefile.in b/src/libcharon/plugins/eap_aka_3gpp2/Makefile.in
index 0ddc9915b..7718ea8a4 100644
--- a/src/libcharon/plugins/eap_aka_3gpp2/Makefile.in
+++ b/src/libcharon/plugins/eap_aka_3gpp2/Makefile.in
@@ -63,7 +63,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
@@ -105,7 +105,10 @@ am_libstrongswan_eap_aka_3gpp2_la_OBJECTS = eap_aka_3gpp2_plugin.lo \
 	eap_aka_3gpp2_functions.lo
 libstrongswan_eap_aka_3gpp2_la_OBJECTS =  \
 	$(am_libstrongswan_eap_aka_3gpp2_la_OBJECTS)
-libstrongswan_eap_aka_3gpp2_la_LINK = $(LIBTOOL) --tag=CC \
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+libstrongswan_eap_aka_3gpp2_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
 	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
 	$(AM_CFLAGS) $(CFLAGS) \
 	$(libstrongswan_eap_aka_3gpp2_la_LDFLAGS) $(LDFLAGS) -o $@
@@ -118,13 +121,26 @@ am__depfiles_maybe = depfiles
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
 SOURCES = $(libstrongswan_eap_aka_3gpp2_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_eap_aka_3gpp2_la_SOURCES)
 am__can_run_installinfo = \
@@ -138,6 +154,7 @@ DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
@@ -150,6 +167,8 @@ CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
 CHECK_CFLAGS = @CHECK_CFLAGS@
 CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -165,6 +184,7 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
 GPRBUILD = @GPRBUILD@
 GREP = @GREP@
@@ -173,6 +193,7 @@ INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -219,6 +240,7 @@ SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -247,6 +269,7 @@ charon_natt_port = @charon_natt_port@
 charon_plugins = @charon_plugins@
 charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
@@ -324,10 +347,15 @@ top_srcdir = @top_srcdir@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
-	-I$(top_srcdir)/src/libcharon -I$(top_srcdir)/src/libsimaka
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon \
+	-I$(top_srcdir)/src/libsimaka
+
+AM_CFLAGS = \
+	-rdynamic
 
-AM_CFLAGS = -rdynamic
 libstrongswan_eap_aka_3gpp2_la_LDFLAGS = -module -avoid-version
 libstrongswan_eap_aka_3gpp2_la_LIBADD = -lgmp $(am__append_1)
 @MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-eap-aka-3gpp2.la
@@ -414,7 +442,7 @@ clean-pluginLTLIBRARIES:
 	  rm -f "$${dir}/so_locations"; \
 	done
 libstrongswan-eap-aka-3gpp2.la: $(libstrongswan_eap_aka_3gpp2_la_OBJECTS) $(libstrongswan_eap_aka_3gpp2_la_DEPENDENCIES) $(EXTRA_libstrongswan_eap_aka_3gpp2_la_DEPENDENCIES) 
-	$(libstrongswan_eap_aka_3gpp2_la_LINK) $(am_libstrongswan_eap_aka_3gpp2_la_rpath) $(libstrongswan_eap_aka_3gpp2_la_OBJECTS) $(libstrongswan_eap_aka_3gpp2_la_LIBADD) $(LIBS)
+	$(AM_V_CCLD)$(libstrongswan_eap_aka_3gpp2_la_LINK) $(am_libstrongswan_eap_aka_3gpp2_la_rpath) $(libstrongswan_eap_aka_3gpp2_la_OBJECTS) $(libstrongswan_eap_aka_3gpp2_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -428,25 +456,25 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/eap_aka_3gpp2_provider.Plo@am__quote@
 
 .c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
 mostlyclean-libtool:
 	-rm -f *.lo
diff --git a/src/libcharon/plugins/eap_dynamic/Makefile.am b/src/libcharon/plugins/eap_dynamic/Makefile.am
index 0d07fbf35..13b4d10b1 100644
--- a/src/libcharon/plugins/eap_dynamic/Makefile.am
+++ b/src/libcharon/plugins/eap_dynamic/Makefile.am
@@ -1,8 +1,10 @@
-
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon
 
-AM_CFLAGS = -rdynamic
+AM_CFLAGS = \
+	-rdynamic
 
 if MONOLITHIC
 noinst_LTLIBRARIES = libstrongswan-eap-dynamic.la
diff --git a/src/libcharon/plugins/eap_dynamic/Makefile.in b/src/libcharon/plugins/eap_dynamic/Makefile.in
index 0579c4989..a1bbb4bbb 100644
--- a/src/libcharon/plugins/eap_dynamic/Makefile.in
+++ b/src/libcharon/plugins/eap_dynamic/Makefile.in
@@ -62,7 +62,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
@@ -103,7 +103,10 @@ am_libstrongswan_eap_dynamic_la_OBJECTS = eap_dynamic_plugin.lo \
 	eap_dynamic.lo
 libstrongswan_eap_dynamic_la_OBJECTS =  \
 	$(am_libstrongswan_eap_dynamic_la_OBJECTS)
-libstrongswan_eap_dynamic_la_LINK = $(LIBTOOL) --tag=CC \
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+libstrongswan_eap_dynamic_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
 	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
 	$(AM_CFLAGS) $(CFLAGS) $(libstrongswan_eap_dynamic_la_LDFLAGS) \
 	$(LDFLAGS) -o $@
@@ -116,13 +119,26 @@ am__depfiles_maybe = depfiles
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
 SOURCES = $(libstrongswan_eap_dynamic_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_eap_dynamic_la_SOURCES)
 am__can_run_installinfo = \
@@ -136,6 +152,7 @@ DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
@@ -148,6 +165,8 @@ CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
 CHECK_CFLAGS = @CHECK_CFLAGS@
 CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -163,6 +182,7 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
 GPRBUILD = @GPRBUILD@
 GREP = @GREP@
@@ -171,6 +191,7 @@ INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -217,6 +238,7 @@ SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -245,6 +267,7 @@ charon_natt_port = @charon_natt_port@
 charon_plugins = @charon_plugins@
 charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
@@ -322,10 +345,14 @@ top_srcdir = @top_srcdir@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon
 
-AM_CFLAGS = -rdynamic
+AM_CFLAGS = \
+	-rdynamic
+
 @MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-eap-dynamic.la
 @MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-eap-dynamic.la
 libstrongswan_eap_dynamic_la_SOURCES = \
@@ -408,7 +435,7 @@ clean-pluginLTLIBRARIES:
 	  rm -f "$${dir}/so_locations"; \
 	done
 libstrongswan-eap-dynamic.la: $(libstrongswan_eap_dynamic_la_OBJECTS) $(libstrongswan_eap_dynamic_la_DEPENDENCIES) $(EXTRA_libstrongswan_eap_dynamic_la_DEPENDENCIES) 
-	$(libstrongswan_eap_dynamic_la_LINK) $(am_libstrongswan_eap_dynamic_la_rpath) $(libstrongswan_eap_dynamic_la_OBJECTS) $(libstrongswan_eap_dynamic_la_LIBADD) $(LIBS)
+	$(AM_V_CCLD)$(libstrongswan_eap_dynamic_la_LINK) $(am_libstrongswan_eap_dynamic_la_rpath) $(libstrongswan_eap_dynamic_la_OBJECTS) $(libstrongswan_eap_dynamic_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -420,25 +447,25 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/eap_dynamic_plugin.Plo@am__quote@
 
 .c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
 mostlyclean-libtool:
 	-rm -f *.lo
diff --git a/src/libcharon/plugins/eap_gtc/Makefile.am b/src/libcharon/plugins/eap_gtc/Makefile.am
index e4234fab2..811366a94 100644
--- a/src/libcharon/plugins/eap_gtc/Makefile.am
+++ b/src/libcharon/plugins/eap_gtc/Makefile.am
@@ -1,8 +1,10 @@
-
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon
 
-AM_CFLAGS = -rdynamic
+AM_CFLAGS = \
+	-rdynamic
 
 if MONOLITHIC
 noinst_LTLIBRARIES = libstrongswan-eap-gtc.la
diff --git a/src/libcharon/plugins/eap_gtc/Makefile.in b/src/libcharon/plugins/eap_gtc/Makefile.in
index 95837fc3a..9b53c539f 100644
--- a/src/libcharon/plugins/eap_gtc/Makefile.in
+++ b/src/libcharon/plugins/eap_gtc/Makefile.in
@@ -62,7 +62,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
@@ -102,9 +102,13 @@ libstrongswan_eap_gtc_la_LIBADD =
 am_libstrongswan_eap_gtc_la_OBJECTS = eap_gtc_plugin.lo eap_gtc.lo
 libstrongswan_eap_gtc_la_OBJECTS =  \
 	$(am_libstrongswan_eap_gtc_la_OBJECTS)
-libstrongswan_eap_gtc_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
-	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
-	$(libstrongswan_eap_gtc_la_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+libstrongswan_eap_gtc_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
+	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
+	$(AM_CFLAGS) $(CFLAGS) $(libstrongswan_eap_gtc_la_LDFLAGS) \
+	$(LDFLAGS) -o $@
 @MONOLITHIC_FALSE@am_libstrongswan_eap_gtc_la_rpath = -rpath \
 @MONOLITHIC_FALSE@	$(plugindir)
 @MONOLITHIC_TRUE@am_libstrongswan_eap_gtc_la_rpath =
@@ -114,13 +118,26 @@ am__depfiles_maybe = depfiles
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
 SOURCES = $(libstrongswan_eap_gtc_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_eap_gtc_la_SOURCES)
 am__can_run_installinfo = \
@@ -134,6 +151,7 @@ DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
@@ -146,6 +164,8 @@ CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
 CHECK_CFLAGS = @CHECK_CFLAGS@
 CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -161,6 +181,7 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
 GPRBUILD = @GPRBUILD@
 GREP = @GREP@
@@ -169,6 +190,7 @@ INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -215,6 +237,7 @@ SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -243,6 +266,7 @@ charon_natt_port = @charon_natt_port@
 charon_plugins = @charon_plugins@
 charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
@@ -320,10 +344,14 @@ top_srcdir = @top_srcdir@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon
 
-AM_CFLAGS = -rdynamic
+AM_CFLAGS = \
+	-rdynamic
+
 @MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-eap-gtc.la
 @MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-eap-gtc.la
 libstrongswan_eap_gtc_la_SOURCES = \
@@ -406,7 +434,7 @@ clean-pluginLTLIBRARIES:
 	  rm -f "$${dir}/so_locations"; \
 	done
 libstrongswan-eap-gtc.la: $(libstrongswan_eap_gtc_la_OBJECTS) $(libstrongswan_eap_gtc_la_DEPENDENCIES) $(EXTRA_libstrongswan_eap_gtc_la_DEPENDENCIES) 
-	$(libstrongswan_eap_gtc_la_LINK) $(am_libstrongswan_eap_gtc_la_rpath) $(libstrongswan_eap_gtc_la_OBJECTS) $(libstrongswan_eap_gtc_la_LIBADD) $(LIBS)
+	$(AM_V_CCLD)$(libstrongswan_eap_gtc_la_LINK) $(am_libstrongswan_eap_gtc_la_rpath) $(libstrongswan_eap_gtc_la_OBJECTS) $(libstrongswan_eap_gtc_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -418,25 +446,25 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/eap_gtc_plugin.Plo@am__quote@
 
 .c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
 mostlyclean-libtool:
 	-rm -f *.lo
diff --git a/src/libcharon/plugins/eap_identity/Makefile.am b/src/libcharon/plugins/eap_identity/Makefile.am
index 2a7c764b0..1c155866d 100644
--- a/src/libcharon/plugins/eap_identity/Makefile.am
+++ b/src/libcharon/plugins/eap_identity/Makefile.am
@@ -1,8 +1,10 @@
-
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon
 
-AM_CFLAGS = -rdynamic
+AM_CFLAGS =  \
+	-rdynamic
 
 if MONOLITHIC
 noinst_LTLIBRARIES = libstrongswan-eap-identity.la
diff --git a/src/libcharon/plugins/eap_identity/Makefile.in b/src/libcharon/plugins/eap_identity/Makefile.in
index 3eb99bb89..426f6d5e5 100644
--- a/src/libcharon/plugins/eap_identity/Makefile.in
+++ b/src/libcharon/plugins/eap_identity/Makefile.in
@@ -62,7 +62,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
@@ -103,7 +103,10 @@ am_libstrongswan_eap_identity_la_OBJECTS = eap_identity_plugin.lo \
 	eap_identity.lo
 libstrongswan_eap_identity_la_OBJECTS =  \
 	$(am_libstrongswan_eap_identity_la_OBJECTS)
-libstrongswan_eap_identity_la_LINK = $(LIBTOOL) --tag=CC \
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+libstrongswan_eap_identity_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
 	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
 	$(AM_CFLAGS) $(CFLAGS) \
 	$(libstrongswan_eap_identity_la_LDFLAGS) $(LDFLAGS) -o $@
@@ -116,13 +119,26 @@ am__depfiles_maybe = depfiles
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
 SOURCES = $(libstrongswan_eap_identity_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_eap_identity_la_SOURCES)
 am__can_run_installinfo = \
@@ -136,6 +152,7 @@ DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
@@ -148,6 +165,8 @@ CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
 CHECK_CFLAGS = @CHECK_CFLAGS@
 CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -163,6 +182,7 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
 GPRBUILD = @GPRBUILD@
 GREP = @GREP@
@@ -171,6 +191,7 @@ INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -217,6 +238,7 @@ SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -245,6 +267,7 @@ charon_natt_port = @charon_natt_port@
 charon_plugins = @charon_plugins@
 charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
@@ -322,10 +345,14 @@ top_srcdir = @top_srcdir@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon
 
-AM_CFLAGS = -rdynamic
+AM_CFLAGS = \
+	-rdynamic
+
 @MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-eap-identity.la
 @MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-eap-identity.la
 libstrongswan_eap_identity_la_SOURCES = \
@@ -408,7 +435,7 @@ clean-pluginLTLIBRARIES:
 	  rm -f "$${dir}/so_locations"; \
 	done
 libstrongswan-eap-identity.la: $(libstrongswan_eap_identity_la_OBJECTS) $(libstrongswan_eap_identity_la_DEPENDENCIES) $(EXTRA_libstrongswan_eap_identity_la_DEPENDENCIES) 
-	$(libstrongswan_eap_identity_la_LINK) $(am_libstrongswan_eap_identity_la_rpath) $(libstrongswan_eap_identity_la_OBJECTS) $(libstrongswan_eap_identity_la_LIBADD) $(LIBS)
+	$(AM_V_CCLD)$(libstrongswan_eap_identity_la_LINK) $(am_libstrongswan_eap_identity_la_rpath) $(libstrongswan_eap_identity_la_OBJECTS) $(libstrongswan_eap_identity_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -420,25 +447,25 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/eap_identity_plugin.Plo@am__quote@
 
 .c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
 mostlyclean-libtool:
 	-rm -f *.lo
diff --git a/src/libcharon/plugins/eap_md5/Makefile.am b/src/libcharon/plugins/eap_md5/Makefile.am
index e9936c925..583598342 100644
--- a/src/libcharon/plugins/eap_md5/Makefile.am
+++ b/src/libcharon/plugins/eap_md5/Makefile.am
@@ -1,8 +1,10 @@
-
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon
 
-AM_CFLAGS = -rdynamic
+AM_CFLAGS = \
+	-rdynamic
 
 if MONOLITHIC
 noinst_LTLIBRARIES = libstrongswan-eap-md5.la
diff --git a/src/libcharon/plugins/eap_md5/Makefile.in b/src/libcharon/plugins/eap_md5/Makefile.in
index 6dd09c55d..7e0e01b3e 100644
--- a/src/libcharon/plugins/eap_md5/Makefile.in
+++ b/src/libcharon/plugins/eap_md5/Makefile.in
@@ -62,7 +62,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
@@ -102,9 +102,13 @@ libstrongswan_eap_md5_la_LIBADD =
 am_libstrongswan_eap_md5_la_OBJECTS = eap_md5_plugin.lo eap_md5.lo
 libstrongswan_eap_md5_la_OBJECTS =  \
 	$(am_libstrongswan_eap_md5_la_OBJECTS)
-libstrongswan_eap_md5_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
-	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
-	$(libstrongswan_eap_md5_la_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+libstrongswan_eap_md5_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
+	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
+	$(AM_CFLAGS) $(CFLAGS) $(libstrongswan_eap_md5_la_LDFLAGS) \
+	$(LDFLAGS) -o $@
 @MONOLITHIC_FALSE@am_libstrongswan_eap_md5_la_rpath = -rpath \
 @MONOLITHIC_FALSE@	$(plugindir)
 @MONOLITHIC_TRUE@am_libstrongswan_eap_md5_la_rpath =
@@ -114,13 +118,26 @@ am__depfiles_maybe = depfiles
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
 SOURCES = $(libstrongswan_eap_md5_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_eap_md5_la_SOURCES)
 am__can_run_installinfo = \
@@ -134,6 +151,7 @@ DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
@@ -146,6 +164,8 @@ CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
 CHECK_CFLAGS = @CHECK_CFLAGS@
 CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -161,6 +181,7 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
 GPRBUILD = @GPRBUILD@
 GREP = @GREP@
@@ -169,6 +190,7 @@ INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -215,6 +237,7 @@ SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -243,6 +266,7 @@ charon_natt_port = @charon_natt_port@
 charon_plugins = @charon_plugins@
 charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
@@ -320,10 +344,14 @@ top_srcdir = @top_srcdir@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon
 
-AM_CFLAGS = -rdynamic
+AM_CFLAGS = \
+	-rdynamic
+
 @MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-eap-md5.la
 @MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-eap-md5.la
 libstrongswan_eap_md5_la_SOURCES = \
@@ -406,7 +434,7 @@ clean-pluginLTLIBRARIES:
 	  rm -f "$${dir}/so_locations"; \
 	done
 libstrongswan-eap-md5.la: $(libstrongswan_eap_md5_la_OBJECTS) $(libstrongswan_eap_md5_la_DEPENDENCIES) $(EXTRA_libstrongswan_eap_md5_la_DEPENDENCIES) 
-	$(libstrongswan_eap_md5_la_LINK) $(am_libstrongswan_eap_md5_la_rpath) $(libstrongswan_eap_md5_la_OBJECTS) $(libstrongswan_eap_md5_la_LIBADD) $(LIBS)
+	$(AM_V_CCLD)$(libstrongswan_eap_md5_la_LINK) $(am_libstrongswan_eap_md5_la_rpath) $(libstrongswan_eap_md5_la_OBJECTS) $(libstrongswan_eap_md5_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -418,25 +446,25 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/eap_md5_plugin.Plo@am__quote@
 
 .c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
 mostlyclean-libtool:
 	-rm -f *.lo
diff --git a/src/libcharon/plugins/eap_mschapv2/Makefile.am b/src/libcharon/plugins/eap_mschapv2/Makefile.am
index b9555b3c1..030682d3e 100644
--- a/src/libcharon/plugins/eap_mschapv2/Makefile.am
+++ b/src/libcharon/plugins/eap_mschapv2/Makefile.am
@@ -1,8 +1,10 @@
-
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon
 
-AM_CFLAGS = -rdynamic
+AM_CFLAGS = \
+	-rdynamic
 
 if MONOLITHIC
 noinst_LTLIBRARIES = libstrongswan-eap-mschapv2.la
diff --git a/src/libcharon/plugins/eap_mschapv2/Makefile.in b/src/libcharon/plugins/eap_mschapv2/Makefile.in
index 97e03fde9..8f42f3a14 100644
--- a/src/libcharon/plugins/eap_mschapv2/Makefile.in
+++ b/src/libcharon/plugins/eap_mschapv2/Makefile.in
@@ -62,7 +62,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
@@ -103,7 +103,10 @@ am_libstrongswan_eap_mschapv2_la_OBJECTS = eap_mschapv2_plugin.lo \
 	eap_mschapv2.lo
 libstrongswan_eap_mschapv2_la_OBJECTS =  \
 	$(am_libstrongswan_eap_mschapv2_la_OBJECTS)
-libstrongswan_eap_mschapv2_la_LINK = $(LIBTOOL) --tag=CC \
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+libstrongswan_eap_mschapv2_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
 	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
 	$(AM_CFLAGS) $(CFLAGS) \
 	$(libstrongswan_eap_mschapv2_la_LDFLAGS) $(LDFLAGS) -o $@
@@ -116,13 +119,26 @@ am__depfiles_maybe = depfiles
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
 SOURCES = $(libstrongswan_eap_mschapv2_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_eap_mschapv2_la_SOURCES)
 am__can_run_installinfo = \
@@ -136,6 +152,7 @@ DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
@@ -148,6 +165,8 @@ CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
 CHECK_CFLAGS = @CHECK_CFLAGS@
 CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -163,6 +182,7 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
 GPRBUILD = @GPRBUILD@
 GREP = @GREP@
@@ -171,6 +191,7 @@ INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -217,6 +238,7 @@ SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -245,6 +267,7 @@ charon_natt_port = @charon_natt_port@
 charon_plugins = @charon_plugins@
 charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
@@ -322,10 +345,14 @@ top_srcdir = @top_srcdir@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon
 
-AM_CFLAGS = -rdynamic
+AM_CFLAGS = \
+	-rdynamic
+
 @MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-eap-mschapv2.la
 @MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-eap-mschapv2.la
 libstrongswan_eap_mschapv2_la_SOURCES = \
@@ -409,7 +436,7 @@ clean-pluginLTLIBRARIES:
 	  rm -f "$${dir}/so_locations"; \
 	done
 libstrongswan-eap-mschapv2.la: $(libstrongswan_eap_mschapv2_la_OBJECTS) $(libstrongswan_eap_mschapv2_la_DEPENDENCIES) $(EXTRA_libstrongswan_eap_mschapv2_la_DEPENDENCIES) 
-	$(libstrongswan_eap_mschapv2_la_LINK) $(am_libstrongswan_eap_mschapv2_la_rpath) $(libstrongswan_eap_mschapv2_la_OBJECTS) $(libstrongswan_eap_mschapv2_la_LIBADD) $(LIBS)
+	$(AM_V_CCLD)$(libstrongswan_eap_mschapv2_la_LINK) $(am_libstrongswan_eap_mschapv2_la_rpath) $(libstrongswan_eap_mschapv2_la_OBJECTS) $(libstrongswan_eap_mschapv2_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -421,25 +448,25 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/eap_mschapv2_plugin.Plo@am__quote@
 
 .c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
 mostlyclean-libtool:
 	-rm -f *.lo
diff --git a/src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c b/src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c
index 96f437583..49e3dd142 100644
--- a/src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c
+++ b/src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c
@@ -782,7 +782,7 @@ static status_t process_peer_success(private_eap_mschapv2_t *this,
 	enumerator = enumerator_create_token(message, " ", " ");
 	while (enumerator->enumerate(enumerator, &token))
 	{
-		if (strneq(token, "S=", 2))
+		if (strpfx(token, "S="))
 		{
 			chunk_t hex;
 			token += 2;
@@ -795,7 +795,7 @@ static status_t process_peer_success(private_eap_mschapv2_t *this,
 			hex = chunk_create(token, AUTH_RESPONSE_LEN - 2);
 			auth_string = chunk_from_hex(hex, NULL);
 		}
-		else if (strneq(token, "M=", 2))
+		else if (strpfx(token, "M="))
 		{
 			token += 2;
 			msg = strdup(token);
@@ -864,16 +864,16 @@ static status_t process_peer_failure(private_eap_mschapv2_t *this,
 	enumerator = enumerator_create_token(message, " ", " ");
 	while (enumerator->enumerate(enumerator, &token))
 	{
-		if (strneq(token, "E=", 2))
+		if (strpfx(token, "E="))
 		{
 			token += 2;
 			error = atoi(token);
 		}
-		else if (strneq(token, "R=", 2))
+		else if (strpfx(token, "R="))
 		{
 			/* ignore retriable */
 		}
-		else if (strneq(token, "C=", 2))
+		else if (strpfx(token, "C="))
 		{
 			chunk_t hex;
 			token += 2;
@@ -886,11 +886,11 @@ static status_t process_peer_failure(private_eap_mschapv2_t *this,
 			hex = chunk_create(token, 2 * CHALLENGE_LEN);
 			challenge = chunk_from_hex(hex, NULL);
 		}
-		else if (strneq(token, "V=", 2))
+		else if (strpfx(token, "V="))
 		{
 			/* ignore version */
 		}
-		else if (strneq(token, "M=", 2))
+		else if (strpfx(token, "M="))
 		{
 			token += 2;
 			msg = strdup(token);
diff --git a/src/libcharon/plugins/eap_peap/Makefile.am b/src/libcharon/plugins/eap_peap/Makefile.am
index 81f2575c7..19410a408 100644
--- a/src/libcharon/plugins/eap_peap/Makefile.am
+++ b/src/libcharon/plugins/eap_peap/Makefile.am
@@ -1,8 +1,11 @@
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon \
+	-I$(top_srcdir)/src/libtls
 
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
-	-I$(top_srcdir)/src/libcharon -I$(top_srcdir)/src/libtls
-
-AM_CFLAGS = -rdynamic
+AM_CFLAGS = \
+	-rdynamic
 
 if MONOLITHIC
 noinst_LTLIBRARIES = libstrongswan-eap-peap.la
diff --git a/src/libcharon/plugins/eap_peap/Makefile.in b/src/libcharon/plugins/eap_peap/Makefile.in
index ae8a289bf..86c96925c 100644
--- a/src/libcharon/plugins/eap_peap/Makefile.in
+++ b/src/libcharon/plugins/eap_peap/Makefile.in
@@ -62,7 +62,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
@@ -104,7 +104,10 @@ am_libstrongswan_eap_peap_la_OBJECTS = eap_peap_plugin.lo eap_peap.lo \
 	eap_peap_peer.lo eap_peap_server.lo eap_peap_avp.lo
 libstrongswan_eap_peap_la_OBJECTS =  \
 	$(am_libstrongswan_eap_peap_la_OBJECTS)
-libstrongswan_eap_peap_la_LINK = $(LIBTOOL) --tag=CC \
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+libstrongswan_eap_peap_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
 	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
 	$(AM_CFLAGS) $(CFLAGS) $(libstrongswan_eap_peap_la_LDFLAGS) \
 	$(LDFLAGS) -o $@
@@ -117,13 +120,26 @@ am__depfiles_maybe = depfiles
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
 SOURCES = $(libstrongswan_eap_peap_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_eap_peap_la_SOURCES)
 am__can_run_installinfo = \
@@ -137,6 +153,7 @@ DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
@@ -149,6 +166,8 @@ CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
 CHECK_CFLAGS = @CHECK_CFLAGS@
 CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -164,6 +183,7 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
 GPRBUILD = @GPRBUILD@
 GREP = @GREP@
@@ -172,6 +192,7 @@ INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -218,6 +239,7 @@ SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -246,6 +268,7 @@ charon_natt_port = @charon_natt_port@
 charon_plugins = @charon_plugins@
 charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
@@ -323,10 +346,15 @@ top_srcdir = @top_srcdir@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
-	-I$(top_srcdir)/src/libcharon -I$(top_srcdir)/src/libtls
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon \
+	-I$(top_srcdir)/src/libtls
+
+AM_CFLAGS = \
+	-rdynamic
 
-AM_CFLAGS = -rdynamic
 @MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-eap-peap.la
 @MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-eap-peap.la
 @MONOLITHIC_FALSE@libstrongswan_eap_peap_la_LIBADD = $(top_builddir)/src/libtls/libtls.la
@@ -414,7 +442,7 @@ clean-pluginLTLIBRARIES:
 	  rm -f "$${dir}/so_locations"; \
 	done
 libstrongswan-eap-peap.la: $(libstrongswan_eap_peap_la_OBJECTS) $(libstrongswan_eap_peap_la_DEPENDENCIES) $(EXTRA_libstrongswan_eap_peap_la_DEPENDENCIES) 
-	$(libstrongswan_eap_peap_la_LINK) $(am_libstrongswan_eap_peap_la_rpath) $(libstrongswan_eap_peap_la_OBJECTS) $(libstrongswan_eap_peap_la_LIBADD) $(LIBS)
+	$(AM_V_CCLD)$(libstrongswan_eap_peap_la_LINK) $(am_libstrongswan_eap_peap_la_rpath) $(libstrongswan_eap_peap_la_OBJECTS) $(libstrongswan_eap_peap_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -429,25 +457,25 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/eap_peap_server.Plo@am__quote@
 
 .c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
 mostlyclean-libtool:
 	-rm -f *.lo
diff --git a/src/libcharon/plugins/eap_peap/eap_peap_plugin.h b/src/libcharon/plugins/eap_peap/eap_peap_plugin.h
index 75bb504e1..0c3c571ef 100644
--- a/src/libcharon/plugins/eap_peap/eap_peap_plugin.h
+++ b/src/libcharon/plugins/eap_peap/eap_peap_plugin.h
@@ -39,9 +39,4 @@ struct eap_peap_plugin_t {
 	plugin_t plugin;
 };
 
-/**
- * Create a eap_peap_plugin instance.
- */
-plugin_t *eap_peap_plugin_create();
-
 #endif /** EAP_PEAP_PLUGIN_H_ @}*/
diff --git a/src/libcharon/plugins/eap_radius/Makefile.am b/src/libcharon/plugins/eap_radius/Makefile.am
index 628adbeb3..6fdb0d099 100644
--- a/src/libcharon/plugins/eap_radius/Makefile.am
+++ b/src/libcharon/plugins/eap_radius/Makefile.am
@@ -1,8 +1,11 @@
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon \
+	-I$(top_srcdir)/src/libradius
 
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
-	-I$(top_srcdir)/src/libcharon -I$(top_srcdir)/src/libradius
-
-AM_CFLAGS = -rdynamic
+AM_CFLAGS = \
+	-rdynamic
 
 if MONOLITHIC
 noinst_LTLIBRARIES = libstrongswan-eap-radius.la
@@ -14,6 +17,7 @@ endif
 libstrongswan_eap_radius_la_SOURCES = \
 	eap_radius_plugin.h eap_radius_plugin.c \
 	eap_radius.h eap_radius.c \
+	eap_radius_xauth.h eap_radius_xauth.c \
 	eap_radius_accounting.h eap_radius_accounting.c \
 	eap_radius_provider.h eap_radius_provider.c \
 	eap_radius_dae.h eap_radius_dae.c \
diff --git a/src/libcharon/plugins/eap_radius/Makefile.in b/src/libcharon/plugins/eap_radius/Makefile.in
index aa2cf3da5..24818d4fb 100644
--- a/src/libcharon/plugins/eap_radius/Makefile.in
+++ b/src/libcharon/plugins/eap_radius/Makefile.in
@@ -62,7 +62,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
@@ -101,11 +101,14 @@ LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
 @MONOLITHIC_FALSE@libstrongswan_eap_radius_la_DEPENDENCIES =  \
 @MONOLITHIC_FALSE@	$(top_builddir)/src/libradius/libradius.la
 am_libstrongswan_eap_radius_la_OBJECTS = eap_radius_plugin.lo \
-	eap_radius.lo eap_radius_accounting.lo eap_radius_provider.lo \
-	eap_radius_dae.lo eap_radius_forward.lo
+	eap_radius.lo eap_radius_xauth.lo eap_radius_accounting.lo \
+	eap_radius_provider.lo eap_radius_dae.lo eap_radius_forward.lo
 libstrongswan_eap_radius_la_OBJECTS =  \
 	$(am_libstrongswan_eap_radius_la_OBJECTS)
-libstrongswan_eap_radius_la_LINK = $(LIBTOOL) --tag=CC \
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+libstrongswan_eap_radius_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
 	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
 	$(AM_CFLAGS) $(CFLAGS) $(libstrongswan_eap_radius_la_LDFLAGS) \
 	$(LDFLAGS) -o $@
@@ -118,13 +121,26 @@ am__depfiles_maybe = depfiles
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
 SOURCES = $(libstrongswan_eap_radius_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_eap_radius_la_SOURCES)
 am__can_run_installinfo = \
@@ -138,6 +154,7 @@ DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
@@ -150,6 +167,8 @@ CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
 CHECK_CFLAGS = @CHECK_CFLAGS@
 CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -165,6 +184,7 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
 GPRBUILD = @GPRBUILD@
 GREP = @GREP@
@@ -173,6 +193,7 @@ INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -219,6 +240,7 @@ SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -247,6 +269,7 @@ charon_natt_port = @charon_natt_port@
 charon_plugins = @charon_plugins@
 charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
@@ -324,16 +347,22 @@ top_srcdir = @top_srcdir@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
-	-I$(top_srcdir)/src/libcharon -I$(top_srcdir)/src/libradius
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon \
+	-I$(top_srcdir)/src/libradius
+
+AM_CFLAGS = \
+	-rdynamic
 
-AM_CFLAGS = -rdynamic
 @MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-eap-radius.la
 @MONOLITHIC_FALSE@libstrongswan_eap_radius_la_LIBADD = $(top_builddir)/src/libradius/libradius.la
 @MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-eap-radius.la
 libstrongswan_eap_radius_la_SOURCES = \
 	eap_radius_plugin.h eap_radius_plugin.c \
 	eap_radius.h eap_radius.c \
+	eap_radius_xauth.h eap_radius_xauth.c \
 	eap_radius_accounting.h eap_radius_accounting.c \
 	eap_radius_provider.h eap_radius_provider.c \
 	eap_radius_dae.h eap_radius_dae.c \
@@ -416,7 +445,7 @@ clean-pluginLTLIBRARIES:
 	  rm -f "$${dir}/so_locations"; \
 	done
 libstrongswan-eap-radius.la: $(libstrongswan_eap_radius_la_OBJECTS) $(libstrongswan_eap_radius_la_DEPENDENCIES) $(EXTRA_libstrongswan_eap_radius_la_DEPENDENCIES) 
-	$(libstrongswan_eap_radius_la_LINK) $(am_libstrongswan_eap_radius_la_rpath) $(libstrongswan_eap_radius_la_OBJECTS) $(libstrongswan_eap_radius_la_LIBADD) $(LIBS)
+	$(AM_V_CCLD)$(libstrongswan_eap_radius_la_LINK) $(am_libstrongswan_eap_radius_la_rpath) $(libstrongswan_eap_radius_la_OBJECTS) $(libstrongswan_eap_radius_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -430,27 +459,28 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/eap_radius_forward.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/eap_radius_plugin.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/eap_radius_provider.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/eap_radius_xauth.Plo@am__quote@
 
 .c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
 mostlyclean-libtool:
 	-rm -f *.lo
diff --git a/src/libcharon/plugins/eap_radius/eap_radius.c b/src/libcharon/plugins/eap_radius/eap_radius.c
index c9e1cdaad..b06b6c392 100644
--- a/src/libcharon/plugins/eap_radius/eap_radius.c
+++ b/src/libcharon/plugins/eap_radius/eap_radius.c
@@ -75,21 +75,6 @@ struct private_eap_radius_t {
 	 * Prefix to prepend to EAP identity
 	 */
 	char *id_prefix;
-
-	/**
-	 * Handle the Class attribute as group membership information?
-	 */
-	bool class_group;
-
-	/**
-	 * Handle the Filter-Id attribute as IPsec CHILD_SA name?
-	 */
-	bool filter_id;
-
-	/**
-	 * Format string we use for Called/Calling-Station-Id for a host
-	 */
-	char *station_id_fmt;
 };
 
 /**
@@ -163,21 +148,16 @@ static bool radius2ike(private_eap_radius_t *this,
 }
 
 /**
- * Add a set of RADIUS attributes to a request message
+ * See header.
  */
-static void add_radius_request_attrs(private_eap_radius_t *this,
-									 radius_message_t *request)
+void eap_radius_build_attributes(radius_message_t *request)
 {
 	ike_sa_t *ike_sa;
 	host_t *host;
-	char buf[40];
+	char buf[40], *station_id_fmt;;
 	u_int32_t value;
 	chunk_t chunk;
 
-	chunk = chunk_from_str(this->id_prefix);
-	chunk = chunk_cata("cc", chunk, this->peer->get_encoding(this->peer));
-	request->add(request, RAT_USER_NAME, chunk);
-
 	/* virtual NAS-Port-Type */
 	value = htonl(5);
 	request->add(request, RAT_NAS_PORT_TYPE, chunk_from_thing(value));
@@ -205,13 +185,37 @@ static void add_radius_request_attrs(private_eap_radius_t *this,
 			default:
 				break;
 		}
-		snprintf(buf, sizeof(buf), this->station_id_fmt, host);
+		if (lib->settings->get_bool(lib->settings,
+									"%s.plugins.eap-radius.station_id_with_port",
+									TRUE, charon->name))
+		{
+			station_id_fmt = "%#H";
+		}
+		else
+		{
+			station_id_fmt = "%H";
+		}
+		snprintf(buf, sizeof(buf), station_id_fmt, host);
 		request->add(request, RAT_CALLED_STATION_ID, chunk_from_str(buf));
 		host = ike_sa->get_other_host(ike_sa);
-		snprintf(buf, sizeof(buf), this->station_id_fmt, host);
+		snprintf(buf, sizeof(buf), station_id_fmt, host);
 		request->add(request, RAT_CALLING_STATION_ID, chunk_from_str(buf));
 	}
+}
+
+/**
+ * Add a set of RADIUS attributes to a request message
+ */
+static void add_radius_request_attrs(private_eap_radius_t *this,
+									 radius_message_t *request)
+{
+	chunk_t chunk;
 
+	chunk = chunk_from_str(this->id_prefix);
+	chunk = chunk_cata("cc", chunk, this->peer->get_encoding(this->peer));
+	request->add(request, RAT_USER_NAME, chunk);
+
+	eap_radius_build_attributes(request);
 	eap_radius_forward_from_ike(request);
 }
 
@@ -268,7 +272,7 @@ METHOD(eap_method_t, initiate, status_t,
 /**
  * Handle the Class attribute as group membership information
  */
-static void process_class(private_eap_radius_t *this, radius_message_t *msg)
+static void process_class(radius_message_t *msg)
 {
 	enumerator_t *enumerator;
 	chunk_t data;
@@ -305,7 +309,7 @@ static void process_class(private_eap_radius_t *this, radius_message_t *msg)
 /**
  * Handle the Filter-Id attribute as IPsec CHILD_SA name
  */
-static void process_filter_id(private_eap_radius_t *this, radius_message_t *msg)
+static void process_filter_id(radius_message_t *msg)
 {
 	enumerator_t *enumerator;
 	int type;
@@ -361,7 +365,7 @@ static void process_filter_id(private_eap_radius_t *this, radius_message_t *msg)
 /**
  * Handle Session-Timeout attribte and Interim updates
  */
-static void process_timeout(private_eap_radius_t *this, radius_message_t *msg)
+static void process_timeout(radius_message_t *msg)
 {
 	enumerator_t *enumerator;
 	ike_sa_t *ike_sa;
@@ -390,8 +394,7 @@ static void process_timeout(private_eap_radius_t *this, radius_message_t *msg)
 /**
  * Handle Framed-IP-Address and other IKE configuration attributes
  */
-static void process_cfg_attributes(private_eap_radius_t *this,
-								   radius_message_t *msg)
+static void process_cfg_attributes(radius_message_t *msg)
 {
 	eap_radius_provider_t *provider;
 	enumerator_t *enumerator;
@@ -412,7 +415,8 @@ static void process_cfg_attributes(private_eap_radius_t *this,
 				host = host_create_from_chunk(AF_INET, data, 0);
 				if (host)
 				{
-					provider->add_framed_ip(provider, this->peer, host);
+					provider->add_framed_ip(provider,
+									ike_sa->get_unique_id(ike_sa), host);
 				}
 			}
 		}
@@ -429,8 +433,9 @@ static void process_cfg_attributes(private_eap_radius_t *this,
 					case 36: /* CVPN3000-IPSec-Banner2 */
 						if (ike_sa->supports_extension(ike_sa, EXT_CISCO_UNITY))
 						{
-							provider->add_attribute(provider, this->peer,
-													UNITY_BANNER, data);
+							provider->add_attribute(provider,
+												ike_sa->get_unique_id(ike_sa),
+												UNITY_BANNER, data);
 						}
 						break;
 					default:
@@ -442,6 +447,25 @@ static void process_cfg_attributes(private_eap_radius_t *this,
 	}
 }
 
+/**
+ * See header.
+ */
+void eap_radius_process_attributes(radius_message_t *message)
+{
+	if (lib->settings->get_bool(lib->settings,
+					"%s.plugins.eap-radius.class_group", FALSE, charon->name))
+	{
+		process_class(message);
+	}
+	if (lib->settings->get_bool(lib->settings,
+					"%s.plugins.eap-radius.filter_id", FALSE, charon->name))
+	{
+		process_filter_id(message);
+	}
+	process_timeout(message);
+	process_cfg_attributes(message);
+}
+
 METHOD(eap_method_t, process, status_t,
 	private_eap_radius_t *this, eap_payload_t *in, eap_payload_t **out)
 {
@@ -479,16 +503,7 @@ METHOD(eap_method_t, process, status_t,
 				status = FAILED;
 				break;
 			case RMC_ACCESS_ACCEPT:
-				if (this->class_group)
-				{
-					process_class(this, response);
-				}
-				if (this->filter_id)
-				{
-					process_filter_id(this, response);
-				}
-				process_timeout(this, response);
-				process_cfg_attributes(this, response);
+				eap_radius_process_attributes(response);
 				DBG1(DBG_IKE, "RADIUS authentication of '%Y' successful",
 					 this->peer);
 				status = SUCCESS;
@@ -589,22 +604,7 @@ eap_radius_t *eap_radius_create(identification_t *server, identification_t *peer
 		.id_prefix = lib->settings->get_str(lib->settings,
 									"%s.plugins.eap-radius.id_prefix", "",
 									charon->name),
-		.class_group = lib->settings->get_bool(lib->settings,
-									"%s.plugins.eap-radius.class_group", FALSE,
-									charon->name),
-		.filter_id = lib->settings->get_bool(lib->settings,
-									"%s.plugins.eap-radius.filter_id", FALSE,
-									charon->name),
 	);
-	if (lib->settings->get_bool(lib->settings,
-			"%s.plugins.eap-radius.station_id_with_port", TRUE, charon->name))
-	{
-		this->station_id_fmt = "%#H";
-	}
-	else
-	{
-		this->station_id_fmt = "%H";
-	}
 	this->client = eap_radius_create_client();
 	if (!this->client)
 	{
diff --git a/src/libcharon/plugins/eap_radius/eap_radius.h b/src/libcharon/plugins/eap_radius/eap_radius.h
index 875543554..ce583ac44 100644
--- a/src/libcharon/plugins/eap_radius/eap_radius.h
+++ b/src/libcharon/plugins/eap_radius/eap_radius.h
@@ -24,6 +24,7 @@
 typedef struct eap_radius_t eap_radius_t;
 
 #include <sa/eap/eap_method.h>
+#include <radius_message.h>
 
 /**
  * Implementation of the eap_method_t interface using a RADIUS server.
@@ -45,4 +46,25 @@ struct eap_radius_t {
  */
 eap_radius_t *eap_radius_create(identification_t *server, identification_t *peer);
 
+/**
+ * Process additional attributes from an Access-Accept.
+ *
+ * Parses and applies additional authorization attributes from an Accept
+ * message, such as group membership information or IKE configuration
+ * attributes.
+ *
+ * @param message	Access-Accept message to process
+ */
+void eap_radius_process_attributes(radius_message_t *message);
+
+/**
+ * Build additional attributes for an Access-Request.
+ *
+ * Adds additional RADIUS attributes to use with Access-Request, such as
+ * different NAS specific attributes.
+ *
+ * @param message	Access-Request message to add attributes to
+ */
+void eap_radius_build_attributes(radius_message_t *message);
+
 #endif /** EAP_RADIUS_H_ @}*/
diff --git a/src/libcharon/plugins/eap_radius/eap_radius_accounting.c b/src/libcharon/plugins/eap_radius/eap_radius_accounting.c
index e9843470a..e004589da 100644
--- a/src/libcharon/plugins/eap_radius/eap_radius_accounting.c
+++ b/src/libcharon/plugins/eap_radius/eap_radius_accounting.c
@@ -56,6 +56,11 @@ struct private_eap_radius_accounting_t {
 	 * Format string we use for Called/Calling-Station-Id for a host
 	 */
 	char *station_id_fmt;
+
+	/**
+	 * Disable accounting unless IKE_SA has at least one virtual IP
+	 */
+	bool acct_req_vip;
 };
 
 /**
@@ -437,6 +442,22 @@ static void schedule_interim(private_eap_radius_accounting_t *this,
 	}
 }
 
+/**
+ * Check if an IKE_SA has assigned a virtual IP (to peer)
+ */
+static bool has_vip(ike_sa_t *ike_sa)
+{
+	enumerator_t *enumerator;
+	host_t *host;
+	bool found;
+
+	enumerator = ike_sa->create_virtual_ip_enumerator(ike_sa, FALSE);
+	found = enumerator->enumerate(enumerator, &host);
+	enumerator->destroy(enumerator);
+
+	return found;
+}
+
 /**
  * Send an accounting start message
  */
@@ -446,6 +467,11 @@ static void send_start(private_eap_radius_accounting_t *this, ike_sa_t *ike_sa)
 	entry_t *entry;
 	u_int32_t value;
 
+	if (this->acct_req_vip && !has_vip(ike_sa))
+	{
+		return;
+	}
+
 	this->mutex->lock(this->mutex);
 
 	entry = get_or_create_entry(this, ike_sa);
@@ -700,6 +726,10 @@ eap_radius_accounting_t *eap_radius_accounting_create()
 		singleton = this;
 		charon->bus->add_listener(charon->bus, &this->public.listener);
 	}
+	this->acct_req_vip = lib->settings->get_bool(lib->settings,
+							"%s.plugins.eap-radius.accounting_requires_vip",
+							FALSE, charon->name);
+
 	return &this->public;
 }
 
diff --git a/src/libcharon/plugins/eap_radius/eap_radius_dae.c b/src/libcharon/plugins/eap_radius/eap_radius_dae.c
index 2ea2b059c..f22ddc56f 100644
--- a/src/libcharon/plugins/eap_radius/eap_radius_dae.c
+++ b/src/libcharon/plugins/eap_radius/eap_radius_dae.c
@@ -379,21 +379,17 @@ static void process_coa(private_eap_radius_dae_t *this,
 /**
  * Receive RADIUS DAE requests
  */
-static job_requeue_t receive(private_eap_radius_dae_t *this)
+static bool receive(private_eap_radius_dae_t *this)
 {
 	struct sockaddr_storage addr;
 	socklen_t addr_len = sizeof(addr);
 	radius_message_t *request;
 	char buf[2048];
 	ssize_t len;
-	bool oldstate;
 	host_t *client;
 
-	oldstate = thread_cancelability(TRUE);
-	len = recvfrom(this->fd, buf, sizeof(buf), 0,
+	len = recvfrom(this->fd, buf, sizeof(buf), MSG_DONTWAIT,
 				   (struct sockaddr*)&addr, &addr_len);
-	thread_cancelability(oldstate);
-
 	if (len > 0)
 	{
 		request = radius_message_parse(chunk_create(buf, len));
@@ -433,11 +429,11 @@ static job_requeue_t receive(private_eap_radius_dae_t *this)
 			DBG1(DBG_NET, "ignoring invalid RADIUS DAE request");
 		}
 	}
-	else
+	else if (errno != EWOULDBLOCK)
 	{
 		DBG1(DBG_NET, "receiving RADIUS DAE request failed: %s", strerror(errno));
 	}
-	return JOB_REQUEUE_DIRECT;
+	return TRUE;
 }
 
 /**
@@ -483,6 +479,7 @@ METHOD(eap_radius_dae_t, destroy, void,
 {
 	if (this->fd != -1)
 	{
+		lib->watcher->remove(lib->watcher, this->fd);
 		close(this->fd);
 	}
 	DESTROY_IF(this->signer);
@@ -533,9 +530,8 @@ eap_radius_dae_t *eap_radius_dae_create(eap_radius_accounting_t *accounting)
 		return NULL;
 	}
 
-	lib->processor->queue_job(lib->processor,
-		(job_t*)callback_job_create_with_prio((callback_job_cb_t)receive,
-			this, NULL, (callback_job_cancel_t)return_false, JOB_PRIO_CRITICAL));
+	lib->watcher->add(lib->watcher, this->fd, WATCHER_READ,
+					  (watcher_cb_t)receive, this);
 
 	return &this->public;
 }
diff --git a/src/libcharon/plugins/eap_radius/eap_radius_forward.c b/src/libcharon/plugins/eap_radius/eap_radius_forward.c
index e9124877c..3e80e8918 100644
--- a/src/libcharon/plugins/eap_radius/eap_radius_forward.c
+++ b/src/libcharon/plugins/eap_radius/eap_radius_forward.c
@@ -248,7 +248,8 @@ static void ike2queue(message_t *message, linked_list_t *queue,
 	enumerator = message->create_payload_enumerator(message);
 	while (enumerator->enumerate(enumerator, &payload))
 	{
-		if (payload->get_type(payload) == NOTIFY)
+		if (payload->get_type(payload) == NOTIFY ||
+			payload->get_type(payload) == NOTIFY_V1)
 		{
 			notify = (notify_payload_t*)payload;
 			if (notify->get_notify_type(notify) == RADIUS_ATTRIBUTE)
diff --git a/src/libcharon/plugins/eap_radius/eap_radius_plugin.c b/src/libcharon/plugins/eap_radius/eap_radius_plugin.c
index e186cb0fe..90a4ef6de 100644
--- a/src/libcharon/plugins/eap_radius/eap_radius_plugin.c
+++ b/src/libcharon/plugins/eap_radius/eap_radius_plugin.c
@@ -1,4 +1,5 @@
 /*
+ * Copyright (C) 2013 Tobias Brunner
  * Copyright (C) 2009 Martin Willi
  * Hochschule fuer Technik Rapperswil
  *
@@ -16,6 +17,7 @@
 #include "eap_radius_plugin.h"
 
 #include "eap_radius.h"
+#include "eap_radius_xauth.h"
 #include "eap_radius_accounting.h"
 #include "eap_radius_dae.h"
 #include "eap_radius_forward.h"
@@ -186,12 +188,60 @@ METHOD(plugin_t, get_name, char*,
 	return "eap-radius";
 }
 
+/**
+ * Register listener
+ */
+static bool plugin_cb(private_eap_radius_plugin_t *this,
+					  plugin_feature_t *feature, bool reg, void *cb_data)
+{
+	if (reg)
+	{
+		this->accounting = eap_radius_accounting_create();
+		this->forward = eap_radius_forward_create();
+		this->provider = eap_radius_provider_create();
+
+		load_configs(this);
+
+		if (lib->settings->get_bool(lib->settings,
+					"%s.plugins.eap-radius.dae.enable", FALSE, charon->name))
+		{
+			this->dae = eap_radius_dae_create(this->accounting);
+		}
+		if (this->forward)
+		{
+			charon->bus->add_listener(charon->bus, &this->forward->listener);
+		}
+		hydra->attributes->add_provider(hydra->attributes,
+										&this->provider->provider);
+	}
+	else
+	{
+		hydra->attributes->remove_provider(hydra->attributes,
+										   &this->provider->provider);
+		if (this->forward)
+		{
+			charon->bus->remove_listener(charon->bus, &this->forward->listener);
+			this->forward->destroy(this->forward);
+		}
+		DESTROY_IF(this->dae);
+		this->provider->destroy(this->provider);
+		this->accounting->destroy(this->accounting);
+	}
+	return TRUE;
+}
+
 METHOD(plugin_t, get_features, int,
-	eap_radius_plugin_t *this, plugin_feature_t *features[])
+	private_eap_radius_plugin_t *this, plugin_feature_t *features[])
 {
 	static plugin_feature_t f[] = {
 		PLUGIN_CALLBACK(eap_method_register, eap_radius_create),
 			PLUGIN_PROVIDE(EAP_SERVER, EAP_RADIUS),
+				PLUGIN_DEPENDS(CUSTOM, "eap-radius"),
+		PLUGIN_CALLBACK(xauth_method_register, eap_radius_xauth_create_server),
+			PLUGIN_PROVIDE(XAUTH_SERVER, "radius"),
+				PLUGIN_DEPENDS(CUSTOM, "eap-radius"),
+		PLUGIN_CALLBACK((plugin_feature_callback_t)plugin_cb, NULL),
+			PLUGIN_PROVIDE(CUSTOM, "eap-radius"),
 				PLUGIN_DEPENDS(HASHER, HASH_MD5),
 				PLUGIN_DEPENDS(SIGNER, AUTH_HMAC_MD5_128),
 				PLUGIN_DEPENDS(RNG, RNG_WEAK),
@@ -215,19 +265,9 @@ METHOD(plugin_t, reload, bool,
 METHOD(plugin_t, destroy, void,
 	private_eap_radius_plugin_t *this)
 {
-	hydra->attributes->remove_provider(hydra->attributes,
-									   &this->provider->provider);
-	this->provider->destroy(this->provider);
-	if (this->forward)
-	{
-		charon->bus->remove_listener(charon->bus, &this->forward->listener);
-		this->forward->destroy(this->forward);
-	}
-	DESTROY_IF(this->dae);
 	this->configs->destroy_offset(this->configs,
 								  offsetof(radius_config_t, destroy));
 	this->lock->destroy(this->lock);
-	this->accounting->destroy(this->accounting);
 	free(this);
 	instance = NULL;
 }
@@ -250,26 +290,9 @@ plugin_t *eap_radius_plugin_create()
 		},
 		.configs = linked_list_create(),
 		.lock = rwlock_create(RWLOCK_TYPE_DEFAULT),
-		.accounting = eap_radius_accounting_create(),
-		.forward = eap_radius_forward_create(),
-		.provider = eap_radius_provider_create(),
 	);
-
-	load_configs(this);
 	instance = this;
 
-	if (lib->settings->get_bool(lib->settings,
-					"%s.plugins.eap-radius.dae.enable", FALSE, charon->name))
-	{
-		this->dae = eap_radius_dae_create(this->accounting);
-	}
-	if (this->forward)
-	{
-		charon->bus->add_listener(charon->bus, &this->forward->listener);
-	}
-	hydra->attributes->add_provider(hydra->attributes,
-									&this->provider->provider);
-
 	return &this->public.plugin;
 }
 
diff --git a/src/libcharon/plugins/eap_radius/eap_radius_provider.c b/src/libcharon/plugins/eap_radius/eap_radius_provider.c
index 6087313b5..7c794616b 100644
--- a/src/libcharon/plugins/eap_radius/eap_radius_provider.c
+++ b/src/libcharon/plugins/eap_radius/eap_radius_provider.c
@@ -92,8 +92,8 @@ static void destroy_attr(attr_t *this)
  * Hashtable entry with leases and attributes
  */
 typedef struct {
-	/** identity we assigned the IP lease */
-	identification_t *id;
+	/** IKE_SA uniqe id we assign the IP lease */
+	uintptr_t id;
 	/** list of IP leases received from AAA, as host_t */
 	linked_list_t *addrs;
 	/** list of configuration attributes, as attr_t */
@@ -105,7 +105,6 @@ typedef struct {
  */
 static void destroy_entry(entry_t *this)
 {
-	this->id->destroy(this->id);
 	this->addrs->destroy_offset(this->addrs, offsetof(host_t, destroy));
 	this->attrs->destroy_function(this->attrs, (void*)destroy_attr);
 	free(this);
@@ -114,19 +113,19 @@ static void destroy_entry(entry_t *this)
 /**
  * Get or create an entry from a locked hashtable
  */
-static entry_t* get_or_create_entry(hashtable_t *hashtable, identification_t *id)
+static entry_t* get_or_create_entry(hashtable_t *hashtable, uintptr_t id)
 {
 	entry_t *entry;
 
-	entry = hashtable->get(hashtable, id);
+	entry = hashtable->get(hashtable, (void*)id);
 	if (!entry)
 	{
 		INIT(entry,
-			.id = id->clone(id),
+			.id = id,
 			.addrs = linked_list_create(),
 			.attrs = linked_list_create(),
 		);
-		hashtable->put(hashtable, entry->id, entry);
+		hashtable->put(hashtable, (void*)id, entry);
 	}
 	return entry;
 }
@@ -139,7 +138,7 @@ static void put_or_destroy_entry(hashtable_t *hashtable, entry_t *entry)
 	if (entry->addrs->get_count(entry->addrs) > 0 ||
 		entry->attrs->get_count(entry->attrs) > 0)
 	{
-		hashtable->put(hashtable, entry->id, entry);
+		hashtable->put(hashtable, (void*)entry->id, entry);
 	}
 	else
 	{
@@ -150,24 +149,24 @@ static void put_or_destroy_entry(hashtable_t *hashtable, entry_t *entry)
 /**
  * Hashtable hash function
  */
-static u_int hash(identification_t *id)
+static u_int hash(uintptr_t id)
 {
-	return chunk_hash_inc(id->get_encoding(id), id->get_type(id));
+	return id;
 }
 
 /**
  * Hashtable equals function
  */
-static bool equals(identification_t *a, identification_t *b)
+static bool equals(uintptr_t a, uintptr_t b)
 {
-	return a->equals(a, b);
+	return a == b;
 }
 
 /**
  * Insert an address entry to a locked claimed/unclaimed hashtable
  */
 static void add_addr(private_eap_radius_provider_t *this,
-					 hashtable_t *hashtable, identification_t *id, host_t *host)
+					 hashtable_t *hashtable, uintptr_t id, host_t *host)
 {
 	entry_t *entry;
 
@@ -179,12 +178,12 @@ static void add_addr(private_eap_radius_provider_t *this,
  * Remove the next address from the locked hashtable stored for given id
  */
 static host_t* remove_addr(private_eap_radius_provider_t *this,
-						   hashtable_t *hashtable, identification_t *id)
+						   hashtable_t *hashtable, uintptr_t id)
 {
 	entry_t *entry;
 	host_t *addr = NULL;
 
-	entry = hashtable->remove(hashtable, id);
+	entry = hashtable->remove(hashtable, (void*)id);
 	if (entry)
 	{
 		entry->addrs->remove_first(entry->addrs, (void**)&addr);
@@ -197,7 +196,7 @@ static host_t* remove_addr(private_eap_radius_provider_t *this,
  * Insert an attribute entry to a locked claimed/unclaimed hashtable
  */
 static void add_attr(private_eap_radius_provider_t *this,
-					 hashtable_t *hashtable, identification_t *id, attr_t *attr)
+					 hashtable_t *hashtable, uintptr_t id, attr_t *attr)
 {
 	entry_t *entry;
 
@@ -209,12 +208,12 @@ static void add_attr(private_eap_radius_provider_t *this,
  * Remove the next attribute from the locked hashtable stored for given id
  */
 static attr_t* remove_attr(private_eap_radius_provider_t *this,
-						   hashtable_t *hashtable, identification_t *id)
+						   hashtable_t *hashtable, uintptr_t id)
 {
 	entry_t *entry;
 	attr_t *attr = NULL;
 
-	entry = hashtable->remove(hashtable, id);
+	entry = hashtable->remove(hashtable, (void*)id);
 	if (entry)
 	{
 		entry->attrs->remove_first(entry->attrs, (void**)&attr);
@@ -228,12 +227,12 @@ static attr_t* remove_attr(private_eap_radius_provider_t *this,
  */
 static void release_unclaimed(private_listener_t *this, ike_sa_t *ike_sa)
 {
-	identification_t *id;
+	uintptr_t id;
 	entry_t *entry;
 
-	id = ike_sa->get_other_eap_id(ike_sa);
+	id = ike_sa->get_unique_id(ike_sa);
 	this->mutex->lock(this->mutex);
-	entry = this->unclaimed->remove(this->unclaimed, id);
+	entry = this->unclaimed->remove(this->unclaimed, (void*)id);
 	this->mutex->unlock(this->mutex);
 	if (entry)
 	{
@@ -273,24 +272,70 @@ METHOD(listener_t, ike_updown, bool,
 	return TRUE;
 }
 
+/**
+ * Migrate an entry in hashtable from old to new id
+ */
+static void migrate_entry(hashtable_t *table, uintptr_t old, uintptr_t new)
+{
+	entry_t *entry;
+
+	entry = table->remove(table, (void*)old);
+	if (entry)
+	{
+		entry->id = new;
+		entry = table->put(table, (void*)new, entry);
+		if (entry)
+		{	/* shouldn't happen */
+			destroy_entry(entry);
+		}
+	}
+}
+
+METHOD(listener_t, ike_rekey, bool,
+	private_listener_t *this, ike_sa_t *old, ike_sa_t *new)
+{
+	uintptr_t old_id, new_id;
+
+	old_id = old->get_unique_id(old);
+	new_id = new->get_unique_id(new);
+
+	this->mutex->lock(this->mutex);
+
+	migrate_entry(this->unclaimed, old_id, new_id);
+	migrate_entry(this->claimed, old_id, new_id);
+
+	this->mutex->unlock(this->mutex);
+
+	return TRUE;
+}
+
 METHOD(attribute_provider_t, acquire_address, host_t*,
 	private_eap_radius_provider_t *this, linked_list_t *pools,
 	identification_t *id, host_t *requested)
 {
 	enumerator_t *enumerator;
 	host_t *addr = NULL;
+	ike_sa_t *ike_sa;
+	uintptr_t sa;
 	char *name;
 
+	ike_sa = charon->bus->get_sa(charon->bus);
+	if (!ike_sa)
+	{
+		return NULL;
+	}
+	sa = ike_sa->get_unique_id(ike_sa);
+
 	enumerator = pools->create_enumerator(pools);
 	while (enumerator->enumerate(enumerator, &name))
 	{
 		if (streq(name, "radius"))
 		{
 			this->listener.mutex->lock(this->listener.mutex);
-			addr = remove_addr(this, this->listener.unclaimed, id);
+			addr = remove_addr(this, this->listener.unclaimed, sa);
 			if (addr)
 			{
-				add_addr(this, this->listener.claimed, id, addr->clone(addr));
+				add_addr(this, this->listener.claimed, sa, addr->clone(addr));
 			}
 			this->listener.mutex->unlock(this->listener.mutex);
 			break;
@@ -307,15 +352,24 @@ METHOD(attribute_provider_t, release_address, bool,
 {
 	enumerator_t *enumerator;
 	host_t *found = NULL;
+	ike_sa_t *ike_sa;
+	uintptr_t sa;
 	char *name;
 
+	ike_sa = charon->bus->get_sa(charon->bus);
+	if (!ike_sa)
+	{
+		return FALSE;
+	}
+	sa = ike_sa->get_unique_id(ike_sa);
+
 	enumerator = pools->create_enumerator(pools);
 	while (enumerator->enumerate(enumerator, &name))
 	{
 		if (streq(name, "radius"))
 		{
 			this->listener.mutex->lock(this->listener.mutex);
-			found = remove_addr(this, this->listener.claimed, id);
+			found = remove_addr(this, this->listener.claimed, sa);
 			this->listener.mutex->unlock(this->listener.mutex);
 			break;
 		}
@@ -378,6 +432,15 @@ METHOD(attribute_provider_t, create_attribute_enumerator, enumerator_t*,
 {
 	attribute_enumerator_t *enumerator;
 	attr_t *attr;
+	ike_sa_t *ike_sa;
+	uintptr_t sa;
+
+	ike_sa = charon->bus->get_sa(charon->bus);
+	if (!ike_sa)
+	{
+		return NULL;
+	}
+	sa = ike_sa->get_unique_id(ike_sa);
 
 	INIT(enumerator,
 		.public = {
@@ -391,7 +454,7 @@ METHOD(attribute_provider_t, create_attribute_enumerator, enumerator_t*,
 	this->listener.mutex->lock(this->listener.mutex);
 	while (TRUE)
 	{
-		attr = remove_attr(this, this->listener.unclaimed, id);
+		attr = remove_attr(this, this->listener.unclaimed, sa);
 		if (!attr)
 		{
 			break;
@@ -404,7 +467,7 @@ METHOD(attribute_provider_t, create_attribute_enumerator, enumerator_t*,
 }
 
 METHOD(eap_radius_provider_t, add_framed_ip, void,
-	private_eap_radius_provider_t *this, identification_t *id, host_t *ip)
+	private_eap_radius_provider_t *this, u_int32_t id, host_t *ip)
 {
 	this->listener.mutex->lock(this->listener.mutex);
 	add_addr(this, this->listener.unclaimed, id, ip);
@@ -412,7 +475,7 @@ METHOD(eap_radius_provider_t, add_framed_ip, void,
 }
 
 METHOD(eap_radius_provider_t, add_attribute, void,
-	private_eap_radius_provider_t *this, identification_t *id,
+	private_eap_radius_provider_t *this, u_int32_t id,
 	configuration_attribute_type_t type, chunk_t data)
 {
 	attr_t *attr;
@@ -460,6 +523,7 @@ eap_radius_provider_t *eap_radius_provider_create()
 			.listener = {
 				.public = {
 					.ike_updown = _ike_updown,
+					.ike_rekey = _ike_rekey,
 					.message = _message_hook,
 				},
 				.claimed = hashtable_create((hashtable_hash_t)hash,
diff --git a/src/libcharon/plugins/eap_radius/eap_radius_provider.h b/src/libcharon/plugins/eap_radius/eap_radius_provider.h
index a0b4a6b62..5a62f4a38 100644
--- a/src/libcharon/plugins/eap_radius/eap_radius_provider.h
+++ b/src/libcharon/plugins/eap_radius/eap_radius_provider.h
@@ -39,20 +39,20 @@ struct eap_radius_provider_t {
 	/**
 	 * Add a received Framed-IP-Address to the provider to serve to client.
 	 *
-	 * @param id			client identity
+	 * @param id			IKE_SA unique identifier
 	 * @param ip			IP address received from RADIUS server, gets owned
 	 */
-	void (*add_framed_ip)(eap_radius_provider_t *this, identification_t *id,
+	void (*add_framed_ip)(eap_radius_provider_t *this, u_int32_t id,
 						  host_t *ip);
 
 	/**
 	 * Add a configuration attribute received from RADIUS to forward.
 	 *
-	 * @param id			client identity
+	 * @param id			IKE_SA unique identifier
 	 * @param type			attribute type
 	 * @param data			attribute data
 	 */
-	void (*add_attribute)(eap_radius_provider_t *this, identification_t *id,
+	void (*add_attribute)(eap_radius_provider_t *this, u_int32_t id,
 						  configuration_attribute_type_t type, chunk_t data);
 
 	/**
diff --git a/src/libcharon/plugins/eap_radius/eap_radius_xauth.c b/src/libcharon/plugins/eap_radius/eap_radius_xauth.c
new file mode 100644
index 000000000..bd960d2bc
--- /dev/null
+++ b/src/libcharon/plugins/eap_radius/eap_radius_xauth.c
@@ -0,0 +1,202 @@
+/*
+ * Copyright (C) 2013 Martin Willi
+ * Copyright (C) 2013 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "eap_radius_xauth.h"
+#include "eap_radius_plugin.h"
+#include "eap_radius.h"
+#include "eap_radius_forward.h"
+
+#include <daemon.h>
+#include <radius_client.h>
+
+
+typedef struct private_eap_radius_xauth_t private_eap_radius_xauth_t;
+
+/**
+ * Private data of an eap_radius_xauth_t object.
+ */
+struct private_eap_radius_xauth_t {
+
+	/**
+	 * Public interface.
+	 */
+	eap_radius_xauth_t public;
+
+	/**
+	 * ID of the server
+	 */
+	identification_t *server;
+
+	/**
+	 * ID of the peer
+	 */
+	identification_t *peer;
+
+	/**
+	 * RADIUS connection
+	 */
+	radius_client_t *client;
+};
+
+METHOD(xauth_method_t, initiate, status_t,
+	private_eap_radius_xauth_t *this, cp_payload_t **out)
+{
+	cp_payload_t *cp;
+
+	cp = cp_payload_create_type(CONFIGURATION_V1, CFG_REQUEST);
+	cp->add_attribute(cp, configuration_attribute_create_chunk(
+				CONFIGURATION_ATTRIBUTE_V1, XAUTH_USER_NAME, chunk_empty));
+	cp->add_attribute(cp, configuration_attribute_create_chunk(
+				CONFIGURATION_ATTRIBUTE_V1, XAUTH_USER_PASSWORD, chunk_empty));
+	*out = cp;
+	return NEED_MORE;
+}
+
+/**
+ * Verify a password using RADIUS User-Name/User-Password attributes
+ */
+static status_t verify_radius(private_eap_radius_xauth_t *this, chunk_t pass)
+{
+	radius_message_t *request, *response;
+	status_t status = FAILED;
+
+	request = radius_message_create(RMC_ACCESS_REQUEST);
+	request->add(request, RAT_USER_NAME, this->peer->get_encoding(this->peer));
+	request->add(request, RAT_USER_PASSWORD, pass);
+
+	eap_radius_build_attributes(request);
+	eap_radius_forward_from_ike(request);
+
+	response = this->client->request(this->client, request);
+	if (response)
+	{
+		eap_radius_forward_to_ike(response);
+		switch (response->get_code(response))
+		{
+			case RMC_ACCESS_ACCEPT:
+				eap_radius_process_attributes(response);
+				status = SUCCESS;
+				break;
+			case RMC_ACCESS_CHALLENGE:
+				DBG1(DBG_IKE, "RADIUS Access-Challenge not supported");
+				/* FALL */
+			case RMC_ACCESS_REJECT:
+			default:
+				DBG1(DBG_IKE, "RADIUS authentication of '%Y' failed",
+					 this->peer);
+				break;
+		}
+		response->destroy(response);
+	}
+	else
+	{
+		eap_radius_handle_timeout(NULL);
+	}
+	request->destroy(request);
+	return status;
+}
+
+METHOD(xauth_method_t, process, status_t,
+	private_eap_radius_xauth_t *this, cp_payload_t *in, cp_payload_t **out)
+{
+	configuration_attribute_t *attr;
+	enumerator_t *enumerator;
+	identification_t *id;
+	chunk_t user = chunk_empty, pass = chunk_empty;
+
+	enumerator = in->create_attribute_enumerator(in);
+	while (enumerator->enumerate(enumerator, &attr))
+	{
+		switch (attr->get_type(attr))
+		{
+			case XAUTH_USER_NAME:
+				user = attr->get_chunk(attr);
+				break;
+			case XAUTH_USER_PASSWORD:
+				pass = attr->get_chunk(attr);
+				/* trim password to any null termination. As User-Password
+				 * uses null padding, we can't have any null in it, and some
+				 * clients actually send null terminated strings (Android). */
+				pass.len = strnlen(pass.ptr, pass.len);
+				break;
+			default:
+				break;
+		}
+	}
+	enumerator->destroy(enumerator);
+
+	if (!user.ptr || !pass.ptr)
+	{
+		DBG1(DBG_IKE, "peer did not respond to our XAuth request");
+		return FAILED;
+	}
+	if (user.len)
+	{
+		id = identification_create_from_data(user);
+		if (!id)
+		{
+			DBG1(DBG_IKE, "failed to parse provided XAuth username");
+			return FAILED;
+		}
+		this->peer->destroy(this->peer);
+		this->peer = id;
+	}
+	return verify_radius(this, pass);
+}
+
+METHOD(xauth_method_t, get_identity, identification_t*,
+	private_eap_radius_xauth_t *this)
+{
+	return this->peer;
+}
+
+METHOD(xauth_method_t, destroy, void,
+	private_eap_radius_xauth_t *this)
+{
+	DESTROY_IF(this->client);
+	this->server->destroy(this->server);
+	this->peer->destroy(this->peer);
+	free(this);
+}
+
+/*
+ * Described in header.
+ */
+eap_radius_xauth_t *eap_radius_xauth_create_server(identification_t *server,
+												   identification_t *peer)
+{
+	private_eap_radius_xauth_t *this;
+
+	INIT(this,
+		.public = {
+			.xauth_method = {
+				.initiate = _initiate,
+				.process = _process,
+				.get_identity = _get_identity,
+				.destroy = _destroy,
+			},
+		},
+		.server = server->clone(server),
+		.peer = peer->clone(peer),
+		.client = eap_radius_create_client(),
+	);
+
+	if (!this->client)
+	{
+		destroy(this);
+		return NULL;
+	}
+	return &this->public;
+}
diff --git a/src/libcharon/plugins/eap_radius/eap_radius_xauth.h b/src/libcharon/plugins/eap_radius/eap_radius_xauth.h
new file mode 100644
index 000000000..8571bbc9f
--- /dev/null
+++ b/src/libcharon/plugins/eap_radius/eap_radius_xauth.h
@@ -0,0 +1,49 @@
+/*
+ * Copyright (C) 2013 Martin Willi
+ * Copyright (C) 2013 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup eap_radius_xauth eap_radius_xauth
+ * @{ @ingroup eap_radius
+ */
+
+#ifndef EAP_RADIUS_XAUTH_H_
+#define EAP_RADIUS_XAUTH_H_
+
+#include <sa/xauth/xauth_method.h>
+
+typedef struct eap_radius_xauth_t eap_radius_xauth_t;
+
+/**
+ * XAuth backend using plain RADIUS authentication (no EAP involved).
+ */
+struct eap_radius_xauth_t {
+
+	/**
+	 * Implements XAuth module interface
+	 */
+	xauth_method_t xauth_method;
+};
+
+/**
+ * Creates the RADIUS XAuth method, acting as server.
+ *
+ * @param server	ID of the XAuth server
+ * @param peer		ID of the XAuth client
+ * @return			xauth_generic_t object
+ */
+eap_radius_xauth_t *eap_radius_xauth_create_server(identification_t *server,
+												   identification_t *peer);
+
+#endif /** EAP_RADIUS_XAUTH_H_ @}*/
diff --git a/src/libcharon/plugins/eap_sim/Makefile.am b/src/libcharon/plugins/eap_sim/Makefile.am
index a0cb72f5f..2e9dad1b8 100644
--- a/src/libcharon/plugins/eap_sim/Makefile.am
+++ b/src/libcharon/plugins/eap_sim/Makefile.am
@@ -1,8 +1,11 @@
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon \
+	-I$(top_srcdir)/src/libsimaka
 
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
-	-I$(top_srcdir)/src/libcharon -I$(top_srcdir)/src/libsimaka
-
-AM_CFLAGS = -rdynamic
+AM_CFLAGS = \
+	-rdynamic
 
 if MONOLITHIC
 noinst_LTLIBRARIES = libstrongswan-eap-sim.la
diff --git a/src/libcharon/plugins/eap_sim/Makefile.in b/src/libcharon/plugins/eap_sim/Makefile.in
index 9c183bc29..da96c1976 100644
--- a/src/libcharon/plugins/eap_sim/Makefile.in
+++ b/src/libcharon/plugins/eap_sim/Makefile.in
@@ -62,7 +62,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
@@ -104,9 +104,13 @@ am_libstrongswan_eap_sim_la_OBJECTS = eap_sim_plugin.lo \
 	eap_sim_peer.lo eap_sim_server.lo
 libstrongswan_eap_sim_la_OBJECTS =  \
 	$(am_libstrongswan_eap_sim_la_OBJECTS)
-libstrongswan_eap_sim_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
-	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
-	$(libstrongswan_eap_sim_la_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+libstrongswan_eap_sim_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
+	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
+	$(AM_CFLAGS) $(CFLAGS) $(libstrongswan_eap_sim_la_LDFLAGS) \
+	$(LDFLAGS) -o $@
 @MONOLITHIC_FALSE@am_libstrongswan_eap_sim_la_rpath = -rpath \
 @MONOLITHIC_FALSE@	$(plugindir)
 @MONOLITHIC_TRUE@am_libstrongswan_eap_sim_la_rpath =
@@ -116,13 +120,26 @@ am__depfiles_maybe = depfiles
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
 SOURCES = $(libstrongswan_eap_sim_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_eap_sim_la_SOURCES)
 am__can_run_installinfo = \
@@ -136,6 +153,7 @@ DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
@@ -148,6 +166,8 @@ CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
 CHECK_CFLAGS = @CHECK_CFLAGS@
 CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -163,6 +183,7 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
 GPRBUILD = @GPRBUILD@
 GREP = @GREP@
@@ -171,6 +192,7 @@ INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -217,6 +239,7 @@ SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -245,6 +268,7 @@ charon_natt_port = @charon_natt_port@
 charon_plugins = @charon_plugins@
 charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
@@ -322,10 +346,15 @@ top_srcdir = @top_srcdir@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
-	-I$(top_srcdir)/src/libcharon -I$(top_srcdir)/src/libsimaka
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon \
+	-I$(top_srcdir)/src/libsimaka
+
+AM_CFLAGS = \
+	-rdynamic
 
-AM_CFLAGS = -rdynamic
 @MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-eap-sim.la
 @MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-eap-sim.la
 @MONOLITHIC_FALSE@libstrongswan_eap_sim_la_LIBADD = $(top_builddir)/src/libsimaka/libsimaka.la
@@ -411,7 +440,7 @@ clean-pluginLTLIBRARIES:
 	  rm -f "$${dir}/so_locations"; \
 	done
 libstrongswan-eap-sim.la: $(libstrongswan_eap_sim_la_OBJECTS) $(libstrongswan_eap_sim_la_DEPENDENCIES) $(EXTRA_libstrongswan_eap_sim_la_DEPENDENCIES) 
-	$(libstrongswan_eap_sim_la_LINK) $(am_libstrongswan_eap_sim_la_rpath) $(libstrongswan_eap_sim_la_OBJECTS) $(libstrongswan_eap_sim_la_LIBADD) $(LIBS)
+	$(AM_V_CCLD)$(libstrongswan_eap_sim_la_LINK) $(am_libstrongswan_eap_sim_la_rpath) $(libstrongswan_eap_sim_la_OBJECTS) $(libstrongswan_eap_sim_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -424,25 +453,25 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/eap_sim_server.Plo@am__quote@
 
 .c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
 mostlyclean-libtool:
 	-rm -f *.lo
diff --git a/src/libcharon/plugins/eap_sim_file/Makefile.am b/src/libcharon/plugins/eap_sim_file/Makefile.am
index d76cdc5ca..0d4da07d5 100644
--- a/src/libcharon/plugins/eap_sim_file/Makefile.am
+++ b/src/libcharon/plugins/eap_sim_file/Makefile.am
@@ -1,8 +1,12 @@
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon \
+	-I$(top_srcdir)/src/libsimaka \
+	-DIPSEC_CONFDIR=\"${sysconfdir}\"
 
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
-	-I$(top_srcdir)/src/libcharon -I$(top_srcdir)/src/libsimaka
-
-AM_CFLAGS = -rdynamic -DIPSEC_CONFDIR=\"${sysconfdir}\"
+AM_CFLAGS = \
+	-rdynamic
 
 if MONOLITHIC
 noinst_LTLIBRARIES = libstrongswan-eap-sim-file.la
diff --git a/src/libcharon/plugins/eap_sim_file/Makefile.in b/src/libcharon/plugins/eap_sim_file/Makefile.in
index f0eaf8766..c98a44d50 100644
--- a/src/libcharon/plugins/eap_sim_file/Makefile.in
+++ b/src/libcharon/plugins/eap_sim_file/Makefile.in
@@ -62,7 +62,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
@@ -105,7 +105,10 @@ am_libstrongswan_eap_sim_file_la_OBJECTS = eap_sim_file_plugin.lo \
 	eap_sim_file_triplets.lo
 libstrongswan_eap_sim_file_la_OBJECTS =  \
 	$(am_libstrongswan_eap_sim_file_la_OBJECTS)
-libstrongswan_eap_sim_file_la_LINK = $(LIBTOOL) --tag=CC \
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+libstrongswan_eap_sim_file_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
 	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
 	$(AM_CFLAGS) $(CFLAGS) \
 	$(libstrongswan_eap_sim_file_la_LDFLAGS) $(LDFLAGS) -o $@
@@ -118,13 +121,26 @@ am__depfiles_maybe = depfiles
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
 SOURCES = $(libstrongswan_eap_sim_file_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_eap_sim_file_la_SOURCES)
 am__can_run_installinfo = \
@@ -138,6 +154,7 @@ DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
@@ -150,6 +167,8 @@ CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
 CHECK_CFLAGS = @CHECK_CFLAGS@
 CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -165,6 +184,7 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
 GPRBUILD = @GPRBUILD@
 GREP = @GREP@
@@ -173,6 +193,7 @@ INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -219,6 +240,7 @@ SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -247,6 +269,7 @@ charon_natt_port = @charon_natt_port@
 charon_plugins = @charon_plugins@
 charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
@@ -324,10 +347,16 @@ top_srcdir = @top_srcdir@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
-	-I$(top_srcdir)/src/libcharon -I$(top_srcdir)/src/libsimaka
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon \
+	-I$(top_srcdir)/src/libsimaka \
+	-DIPSEC_CONFDIR=\"${sysconfdir}\"
+
+AM_CFLAGS = \
+	-rdynamic
 
-AM_CFLAGS = -rdynamic -DIPSEC_CONFDIR=\"${sysconfdir}\"
 @MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-eap-sim-file.la
 @MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-eap-sim-file.la
 @MONOLITHIC_FALSE@libstrongswan_eap_sim_file_la_LIBADD = $(top_builddir)/src/libsimaka/libsimaka.la
@@ -414,7 +443,7 @@ clean-pluginLTLIBRARIES:
 	  rm -f "$${dir}/so_locations"; \
 	done
 libstrongswan-eap-sim-file.la: $(libstrongswan_eap_sim_file_la_OBJECTS) $(libstrongswan_eap_sim_file_la_DEPENDENCIES) $(EXTRA_libstrongswan_eap_sim_file_la_DEPENDENCIES) 
-	$(libstrongswan_eap_sim_file_la_LINK) $(am_libstrongswan_eap_sim_file_la_rpath) $(libstrongswan_eap_sim_file_la_OBJECTS) $(libstrongswan_eap_sim_file_la_LIBADD) $(LIBS)
+	$(AM_V_CCLD)$(libstrongswan_eap_sim_file_la_LINK) $(am_libstrongswan_eap_sim_file_la_rpath) $(libstrongswan_eap_sim_file_la_OBJECTS) $(libstrongswan_eap_sim_file_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -428,25 +457,25 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/eap_sim_file_triplets.Plo@am__quote@
 
 .c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
 mostlyclean-libtool:
 	-rm -f *.lo
diff --git a/src/libcharon/plugins/eap_sim_pcsc/Makefile.am b/src/libcharon/plugins/eap_sim_pcsc/Makefile.am
index fae6fccfc..e5e9d01ca 100644
--- a/src/libcharon/plugins/eap_sim_pcsc/Makefile.am
+++ b/src/libcharon/plugins/eap_sim_pcsc/Makefile.am
@@ -1,8 +1,12 @@
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon \
+	-I$(top_srcdir)/src/libsimaka
 
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
-	-I$(top_srcdir)/src/libcharon -I$(top_srcdir)/src/libsimaka
-
-AM_CFLAGS = -rdynamic ${pcsclite_CFLAGS}
+AM_CFLAGS = \
+	${pcsclite_CFLAGS} \
+	-rdynamic
 
 libstrongswan_eap_sim_pcsc_la_LDFLAGS = -module -avoid-version
 libstrongswan_eap_sim_pcsc_la_LIBADD  = ${pcsclite_LIBS}
diff --git a/src/libcharon/plugins/eap_sim_pcsc/Makefile.in b/src/libcharon/plugins/eap_sim_pcsc/Makefile.in
index 18cce4e2c..9f5d709bc 100644
--- a/src/libcharon/plugins/eap_sim_pcsc/Makefile.in
+++ b/src/libcharon/plugins/eap_sim_pcsc/Makefile.in
@@ -63,7 +63,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
@@ -106,7 +106,10 @@ am_libstrongswan_eap_sim_pcsc_la_OBJECTS = eap_sim_pcsc_plugin.lo \
 	eap_sim_pcsc_card.lo
 libstrongswan_eap_sim_pcsc_la_OBJECTS =  \
 	$(am_libstrongswan_eap_sim_pcsc_la_OBJECTS)
-libstrongswan_eap_sim_pcsc_la_LINK = $(LIBTOOL) --tag=CC \
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+libstrongswan_eap_sim_pcsc_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
 	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
 	$(AM_CFLAGS) $(CFLAGS) \
 	$(libstrongswan_eap_sim_pcsc_la_LDFLAGS) $(LDFLAGS) -o $@
@@ -119,13 +122,26 @@ am__depfiles_maybe = depfiles
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
 SOURCES = $(libstrongswan_eap_sim_pcsc_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_eap_sim_pcsc_la_SOURCES)
 am__can_run_installinfo = \
@@ -139,6 +155,7 @@ DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
@@ -151,6 +168,8 @@ CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
 CHECK_CFLAGS = @CHECK_CFLAGS@
 CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -166,6 +185,7 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
 GPRBUILD = @GPRBUILD@
 GREP = @GREP@
@@ -174,6 +194,7 @@ INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -220,6 +241,7 @@ SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -248,6 +270,7 @@ charon_natt_port = @charon_natt_port@
 charon_plugins = @charon_plugins@
 charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
@@ -325,10 +348,16 @@ top_srcdir = @top_srcdir@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
-	-I$(top_srcdir)/src/libcharon -I$(top_srcdir)/src/libsimaka
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon \
+	-I$(top_srcdir)/src/libsimaka
+
+AM_CFLAGS = \
+	${pcsclite_CFLAGS} \
+	-rdynamic
 
-AM_CFLAGS = -rdynamic ${pcsclite_CFLAGS}
 libstrongswan_eap_sim_pcsc_la_LDFLAGS = -module -avoid-version
 libstrongswan_eap_sim_pcsc_la_LIBADD = ${pcsclite_LIBS} \
 	$(am__append_1)
@@ -414,7 +443,7 @@ clean-pluginLTLIBRARIES:
 	  rm -f "$${dir}/so_locations"; \
 	done
 libstrongswan-eap-sim-pcsc.la: $(libstrongswan_eap_sim_pcsc_la_OBJECTS) $(libstrongswan_eap_sim_pcsc_la_DEPENDENCIES) $(EXTRA_libstrongswan_eap_sim_pcsc_la_DEPENDENCIES) 
-	$(libstrongswan_eap_sim_pcsc_la_LINK) $(am_libstrongswan_eap_sim_pcsc_la_rpath) $(libstrongswan_eap_sim_pcsc_la_OBJECTS) $(libstrongswan_eap_sim_pcsc_la_LIBADD) $(LIBS)
+	$(AM_V_CCLD)$(libstrongswan_eap_sim_pcsc_la_LINK) $(am_libstrongswan_eap_sim_pcsc_la_rpath) $(libstrongswan_eap_sim_pcsc_la_OBJECTS) $(libstrongswan_eap_sim_pcsc_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -426,25 +455,25 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/eap_sim_pcsc_plugin.Plo@am__quote@
 
 .c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
 mostlyclean-libtool:
 	-rm -f *.lo
diff --git a/src/libcharon/plugins/eap_sim_pcsc/eap_sim_pcsc_card.c b/src/libcharon/plugins/eap_sim_pcsc/eap_sim_pcsc_card.c
index c3f0f24b3..dbf660889 100644
--- a/src/libcharon/plugins/eap_sim_pcsc/eap_sim_pcsc_card.c
+++ b/src/libcharon/plugins/eap_sim_pcsc/eap_sim_pcsc_card.c
@@ -133,7 +133,7 @@ METHOD(simaka_card_t, get_triplet, bool,
 		 cur_reader += strlen(cur_reader) + 1)
 	{
 		DWORD dwActiveProtocol = -1;
-		SCARD_IO_REQUEST *pioSendPci;
+		const SCARD_IO_REQUEST *pioSendPci;
 		SCARD_IO_REQUEST pioRecvPci;
 		BYTE pbRecvBuffer[64];
 		DWORD dwRecvLength;
@@ -394,4 +394,3 @@ eap_sim_pcsc_card_t *eap_sim_pcsc_card_create()
 
 	return &this->public;
 }
-
diff --git a/src/libcharon/plugins/eap_simaka_pseudonym/Makefile.am b/src/libcharon/plugins/eap_simaka_pseudonym/Makefile.am
index a8e03f650..0f21c6849 100644
--- a/src/libcharon/plugins/eap_simaka_pseudonym/Makefile.am
+++ b/src/libcharon/plugins/eap_simaka_pseudonym/Makefile.am
@@ -1,8 +1,11 @@
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon \
+	-I$(top_srcdir)/src/libsimaka
 
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
-	-I$(top_srcdir)/src/libcharon -I$(top_srcdir)/src/libsimaka
-
-AM_CFLAGS = -rdynamic
+AM_CFLAGS = \
+	-rdynamic
 
 if MONOLITHIC
 noinst_LTLIBRARIES = libstrongswan-eap-simaka-pseudonym.la
diff --git a/src/libcharon/plugins/eap_simaka_pseudonym/Makefile.in b/src/libcharon/plugins/eap_simaka_pseudonym/Makefile.in
index bc0c77f43..835b865e0 100644
--- a/src/libcharon/plugins/eap_simaka_pseudonym/Makefile.in
+++ b/src/libcharon/plugins/eap_simaka_pseudonym/Makefile.in
@@ -62,7 +62,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
@@ -105,9 +105,12 @@ am_libstrongswan_eap_simaka_pseudonym_la_OBJECTS =  \
 	eap_simaka_pseudonym_provider.lo
 libstrongswan_eap_simaka_pseudonym_la_OBJECTS =  \
 	$(am_libstrongswan_eap_simaka_pseudonym_la_OBJECTS)
-libstrongswan_eap_simaka_pseudonym_la_LINK = $(LIBTOOL) --tag=CC \
-	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
-	$(AM_CFLAGS) $(CFLAGS) \
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+libstrongswan_eap_simaka_pseudonym_la_LINK = $(LIBTOOL) $(AM_V_lt) \
+	--tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link \
+	$(CCLD) $(AM_CFLAGS) $(CFLAGS) \
 	$(libstrongswan_eap_simaka_pseudonym_la_LDFLAGS) $(LDFLAGS) -o \
 	$@
 @MONOLITHIC_FALSE@am_libstrongswan_eap_simaka_pseudonym_la_rpath =  \
@@ -119,13 +122,26 @@ am__depfiles_maybe = depfiles
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
 SOURCES = $(libstrongswan_eap_simaka_pseudonym_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_eap_simaka_pseudonym_la_SOURCES)
 am__can_run_installinfo = \
@@ -139,6 +155,7 @@ DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
@@ -151,6 +168,8 @@ CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
 CHECK_CFLAGS = @CHECK_CFLAGS@
 CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -166,6 +185,7 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
 GPRBUILD = @GPRBUILD@
 GREP = @GREP@
@@ -174,6 +194,7 @@ INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -220,6 +241,7 @@ SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -248,6 +270,7 @@ charon_natt_port = @charon_natt_port@
 charon_plugins = @charon_plugins@
 charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
@@ -325,10 +348,15 @@ top_srcdir = @top_srcdir@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
-	-I$(top_srcdir)/src/libcharon -I$(top_srcdir)/src/libsimaka
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon \
+	-I$(top_srcdir)/src/libsimaka
+
+AM_CFLAGS = \
+	-rdynamic
 
-AM_CFLAGS = -rdynamic
 @MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-eap-simaka-pseudonym.la
 @MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-eap-simaka-pseudonym.la
 @MONOLITHIC_FALSE@libstrongswan_eap_simaka_pseudonym_la_LIBADD = $(top_builddir)/src/libsimaka/libsimaka.la
@@ -414,7 +442,7 @@ clean-pluginLTLIBRARIES:
 	  rm -f "$${dir}/so_locations"; \
 	done
 libstrongswan-eap-simaka-pseudonym.la: $(libstrongswan_eap_simaka_pseudonym_la_OBJECTS) $(libstrongswan_eap_simaka_pseudonym_la_DEPENDENCIES) $(EXTRA_libstrongswan_eap_simaka_pseudonym_la_DEPENDENCIES) 
-	$(libstrongswan_eap_simaka_pseudonym_la_LINK) $(am_libstrongswan_eap_simaka_pseudonym_la_rpath) $(libstrongswan_eap_simaka_pseudonym_la_OBJECTS) $(libstrongswan_eap_simaka_pseudonym_la_LIBADD) $(LIBS)
+	$(AM_V_CCLD)$(libstrongswan_eap_simaka_pseudonym_la_LINK) $(am_libstrongswan_eap_simaka_pseudonym_la_rpath) $(libstrongswan_eap_simaka_pseudonym_la_OBJECTS) $(libstrongswan_eap_simaka_pseudonym_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -427,25 +455,25 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/eap_simaka_pseudonym_provider.Plo@am__quote@
 
 .c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
 mostlyclean-libtool:
 	-rm -f *.lo
diff --git a/src/libcharon/plugins/eap_simaka_reauth/Makefile.am b/src/libcharon/plugins/eap_simaka_reauth/Makefile.am
index 0b35c7521..be000c6d5 100644
--- a/src/libcharon/plugins/eap_simaka_reauth/Makefile.am
+++ b/src/libcharon/plugins/eap_simaka_reauth/Makefile.am
@@ -1,8 +1,11 @@
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon \
+	-I$(top_srcdir)/src/libsimaka
 
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
-	-I$(top_srcdir)/src/libcharon -I$(top_srcdir)/src/libsimaka
-
-AM_CFLAGS = -rdynamic
+AM_CFLAGS = \
+	-rdynamic
 
 if MONOLITHIC
 noinst_LTLIBRARIES = libstrongswan-eap-simaka-reauth.la
diff --git a/src/libcharon/plugins/eap_simaka_reauth/Makefile.in b/src/libcharon/plugins/eap_simaka_reauth/Makefile.in
index b01e4b973..6581531ba 100644
--- a/src/libcharon/plugins/eap_simaka_reauth/Makefile.in
+++ b/src/libcharon/plugins/eap_simaka_reauth/Makefile.in
@@ -62,7 +62,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
@@ -105,9 +105,12 @@ am_libstrongswan_eap_simaka_reauth_la_OBJECTS =  \
 	eap_simaka_reauth_provider.lo
 libstrongswan_eap_simaka_reauth_la_OBJECTS =  \
 	$(am_libstrongswan_eap_simaka_reauth_la_OBJECTS)
-libstrongswan_eap_simaka_reauth_la_LINK = $(LIBTOOL) --tag=CC \
-	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
-	$(AM_CFLAGS) $(CFLAGS) \
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+libstrongswan_eap_simaka_reauth_la_LINK = $(LIBTOOL) $(AM_V_lt) \
+	--tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link \
+	$(CCLD) $(AM_CFLAGS) $(CFLAGS) \
 	$(libstrongswan_eap_simaka_reauth_la_LDFLAGS) $(LDFLAGS) -o $@
 @MONOLITHIC_FALSE@am_libstrongswan_eap_simaka_reauth_la_rpath =  \
 @MONOLITHIC_FALSE@	-rpath $(plugindir)
@@ -118,13 +121,26 @@ am__depfiles_maybe = depfiles
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
 SOURCES = $(libstrongswan_eap_simaka_reauth_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_eap_simaka_reauth_la_SOURCES)
 am__can_run_installinfo = \
@@ -138,6 +154,7 @@ DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
@@ -150,6 +167,8 @@ CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
 CHECK_CFLAGS = @CHECK_CFLAGS@
 CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -165,6 +184,7 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
 GPRBUILD = @GPRBUILD@
 GREP = @GREP@
@@ -173,6 +193,7 @@ INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -219,6 +240,7 @@ SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -247,6 +269,7 @@ charon_natt_port = @charon_natt_port@
 charon_plugins = @charon_plugins@
 charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
@@ -324,10 +347,15 @@ top_srcdir = @top_srcdir@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
-	-I$(top_srcdir)/src/libcharon -I$(top_srcdir)/src/libsimaka
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon \
+	-I$(top_srcdir)/src/libsimaka
+
+AM_CFLAGS = \
+	-rdynamic
 
-AM_CFLAGS = -rdynamic
 @MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-eap-simaka-reauth.la
 @MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-eap-simaka-reauth.la
 @MONOLITHIC_FALSE@libstrongswan_eap_simaka_reauth_la_LIBADD = $(top_builddir)/src/libsimaka/libsimaka.la
@@ -413,7 +441,7 @@ clean-pluginLTLIBRARIES:
 	  rm -f "$${dir}/so_locations"; \
 	done
 libstrongswan-eap-simaka-reauth.la: $(libstrongswan_eap_simaka_reauth_la_OBJECTS) $(libstrongswan_eap_simaka_reauth_la_DEPENDENCIES) $(EXTRA_libstrongswan_eap_simaka_reauth_la_DEPENDENCIES) 
-	$(libstrongswan_eap_simaka_reauth_la_LINK) $(am_libstrongswan_eap_simaka_reauth_la_rpath) $(libstrongswan_eap_simaka_reauth_la_OBJECTS) $(libstrongswan_eap_simaka_reauth_la_LIBADD) $(LIBS)
+	$(AM_V_CCLD)$(libstrongswan_eap_simaka_reauth_la_LINK) $(am_libstrongswan_eap_simaka_reauth_la_rpath) $(libstrongswan_eap_simaka_reauth_la_OBJECTS) $(libstrongswan_eap_simaka_reauth_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -426,25 +454,25 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/eap_simaka_reauth_provider.Plo@am__quote@
 
 .c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
 mostlyclean-libtool:
 	-rm -f *.lo
diff --git a/src/libcharon/plugins/eap_simaka_sql/Makefile.am b/src/libcharon/plugins/eap_simaka_sql/Makefile.am
index c83267e67..9a52bd8ab 100644
--- a/src/libcharon/plugins/eap_simaka_sql/Makefile.am
+++ b/src/libcharon/plugins/eap_simaka_sql/Makefile.am
@@ -1,8 +1,12 @@
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon \
+	-I$(top_srcdir)/src/libsimaka \
+	-DIPSEC_CONFDIR=\"${sysconfdir}\"
 
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
-	-I$(top_srcdir)/src/libcharon -I$(top_srcdir)/src/libsimaka
-
-AM_CFLAGS = -rdynamic -DIPSEC_CONFDIR=\"${sysconfdir}\"
+AM_CFLAGS = \
+	-rdynamic
 
 if MONOLITHIC
 noinst_LTLIBRARIES = libstrongswan-eap-simaka-sql.la
diff --git a/src/libcharon/plugins/eap_simaka_sql/Makefile.in b/src/libcharon/plugins/eap_simaka_sql/Makefile.in
index 1937428ec..33e685f08 100644
--- a/src/libcharon/plugins/eap_simaka_sql/Makefile.in
+++ b/src/libcharon/plugins/eap_simaka_sql/Makefile.in
@@ -62,7 +62,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
@@ -104,7 +104,10 @@ am_libstrongswan_eap_simaka_sql_la_OBJECTS = eap_simaka_sql_plugin.lo \
 	eap_simaka_sql_card.lo eap_simaka_sql_provider.lo
 libstrongswan_eap_simaka_sql_la_OBJECTS =  \
 	$(am_libstrongswan_eap_simaka_sql_la_OBJECTS)
-libstrongswan_eap_simaka_sql_la_LINK = $(LIBTOOL) --tag=CC \
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+libstrongswan_eap_simaka_sql_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
 	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
 	$(AM_CFLAGS) $(CFLAGS) \
 	$(libstrongswan_eap_simaka_sql_la_LDFLAGS) $(LDFLAGS) -o $@
@@ -117,13 +120,26 @@ am__depfiles_maybe = depfiles
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
 SOURCES = $(libstrongswan_eap_simaka_sql_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_eap_simaka_sql_la_SOURCES)
 am__can_run_installinfo = \
@@ -137,6 +153,7 @@ DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
@@ -149,6 +166,8 @@ CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
 CHECK_CFLAGS = @CHECK_CFLAGS@
 CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -164,6 +183,7 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
 GPRBUILD = @GPRBUILD@
 GREP = @GREP@
@@ -172,6 +192,7 @@ INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -218,6 +239,7 @@ SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -246,6 +268,7 @@ charon_natt_port = @charon_natt_port@
 charon_plugins = @charon_plugins@
 charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
@@ -323,10 +346,16 @@ top_srcdir = @top_srcdir@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
-	-I$(top_srcdir)/src/libcharon -I$(top_srcdir)/src/libsimaka
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon \
+	-I$(top_srcdir)/src/libsimaka \
+	-DIPSEC_CONFDIR=\"${sysconfdir}\"
+
+AM_CFLAGS = \
+	-rdynamic
 
-AM_CFLAGS = -rdynamic -DIPSEC_CONFDIR=\"${sysconfdir}\"
 @MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-eap-simaka-sql.la
 @MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-eap-simaka-sql.la
 @MONOLITHIC_FALSE@libstrongswan_eap_simaka_sql_la_LIBADD = $(top_builddir)/src/libsimaka/libsimaka.la
@@ -412,7 +441,7 @@ clean-pluginLTLIBRARIES:
 	  rm -f "$${dir}/so_locations"; \
 	done
 libstrongswan-eap-simaka-sql.la: $(libstrongswan_eap_simaka_sql_la_OBJECTS) $(libstrongswan_eap_simaka_sql_la_DEPENDENCIES) $(EXTRA_libstrongswan_eap_simaka_sql_la_DEPENDENCIES) 
-	$(libstrongswan_eap_simaka_sql_la_LINK) $(am_libstrongswan_eap_simaka_sql_la_rpath) $(libstrongswan_eap_simaka_sql_la_OBJECTS) $(libstrongswan_eap_simaka_sql_la_LIBADD) $(LIBS)
+	$(AM_V_CCLD)$(libstrongswan_eap_simaka_sql_la_LINK) $(am_libstrongswan_eap_simaka_sql_la_rpath) $(libstrongswan_eap_simaka_sql_la_OBJECTS) $(libstrongswan_eap_simaka_sql_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -425,25 +454,25 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/eap_simaka_sql_provider.Plo@am__quote@
 
 .c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
 mostlyclean-libtool:
 	-rm -f *.lo
diff --git a/src/libcharon/plugins/eap_tls/Makefile.am b/src/libcharon/plugins/eap_tls/Makefile.am
index 29ddd822b..c4944fca1 100644
--- a/src/libcharon/plugins/eap_tls/Makefile.am
+++ b/src/libcharon/plugins/eap_tls/Makefile.am
@@ -1,8 +1,11 @@
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon \
+	-I$(top_srcdir)/src/libtls
 
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
-	-I$(top_srcdir)/src/libcharon -I$(top_srcdir)/src/libtls
-
-AM_CFLAGS = -rdynamic
+AM_CFLAGS = \
+	-rdynamic
 
 if MONOLITHIC
 noinst_LTLIBRARIES = libstrongswan-eap-tls.la
diff --git a/src/libcharon/plugins/eap_tls/Makefile.in b/src/libcharon/plugins/eap_tls/Makefile.in
index 5c2a94ae0..3158e67b6 100644
--- a/src/libcharon/plugins/eap_tls/Makefile.in
+++ b/src/libcharon/plugins/eap_tls/Makefile.in
@@ -62,7 +62,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
@@ -103,9 +103,13 @@ LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
 am_libstrongswan_eap_tls_la_OBJECTS = eap_tls_plugin.lo eap_tls.lo
 libstrongswan_eap_tls_la_OBJECTS =  \
 	$(am_libstrongswan_eap_tls_la_OBJECTS)
-libstrongswan_eap_tls_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
-	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
-	$(libstrongswan_eap_tls_la_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+libstrongswan_eap_tls_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
+	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
+	$(AM_CFLAGS) $(CFLAGS) $(libstrongswan_eap_tls_la_LDFLAGS) \
+	$(LDFLAGS) -o $@
 @MONOLITHIC_FALSE@am_libstrongswan_eap_tls_la_rpath = -rpath \
 @MONOLITHIC_FALSE@	$(plugindir)
 @MONOLITHIC_TRUE@am_libstrongswan_eap_tls_la_rpath =
@@ -115,13 +119,26 @@ am__depfiles_maybe = depfiles
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
 SOURCES = $(libstrongswan_eap_tls_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_eap_tls_la_SOURCES)
 am__can_run_installinfo = \
@@ -135,6 +152,7 @@ DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
@@ -147,6 +165,8 @@ CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
 CHECK_CFLAGS = @CHECK_CFLAGS@
 CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -162,6 +182,7 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
 GPRBUILD = @GPRBUILD@
 GREP = @GREP@
@@ -170,6 +191,7 @@ INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -216,6 +238,7 @@ SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -244,6 +267,7 @@ charon_natt_port = @charon_natt_port@
 charon_plugins = @charon_plugins@
 charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
@@ -321,10 +345,15 @@ top_srcdir = @top_srcdir@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
-	-I$(top_srcdir)/src/libcharon -I$(top_srcdir)/src/libtls
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon \
+	-I$(top_srcdir)/src/libtls
+
+AM_CFLAGS = \
+	-rdynamic
 
-AM_CFLAGS = -rdynamic
 @MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-eap-tls.la
 @MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-eap-tls.la
 @MONOLITHIC_FALSE@libstrongswan_eap_tls_la_LIBADD = $(top_builddir)/src/libtls/libtls.la
@@ -408,7 +437,7 @@ clean-pluginLTLIBRARIES:
 	  rm -f "$${dir}/so_locations"; \
 	done
 libstrongswan-eap-tls.la: $(libstrongswan_eap_tls_la_OBJECTS) $(libstrongswan_eap_tls_la_DEPENDENCIES) $(EXTRA_libstrongswan_eap_tls_la_DEPENDENCIES) 
-	$(libstrongswan_eap_tls_la_LINK) $(am_libstrongswan_eap_tls_la_rpath) $(libstrongswan_eap_tls_la_OBJECTS) $(libstrongswan_eap_tls_la_LIBADD) $(LIBS)
+	$(AM_V_CCLD)$(libstrongswan_eap_tls_la_LINK) $(am_libstrongswan_eap_tls_la_rpath) $(libstrongswan_eap_tls_la_OBJECTS) $(libstrongswan_eap_tls_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -420,25 +449,25 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/eap_tls_plugin.Plo@am__quote@
 
 .c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
 mostlyclean-libtool:
 	-rm -f *.lo
diff --git a/src/libcharon/plugins/eap_tls/eap_tls_plugin.h b/src/libcharon/plugins/eap_tls/eap_tls_plugin.h
index 5ea719603..33d0dfbaf 100644
--- a/src/libcharon/plugins/eap_tls/eap_tls_plugin.h
+++ b/src/libcharon/plugins/eap_tls/eap_tls_plugin.h
@@ -39,9 +39,4 @@ struct eap_tls_plugin_t {
 	plugin_t plugin;
 };
 
-/**
- * Create a eap_tls_plugin instance.
- */
-plugin_t *eap_tls_plugin_create();
-
 #endif /** EAP_TLS_PLUGIN_H_ @}*/
diff --git a/src/libcharon/plugins/eap_tnc/Makefile.am b/src/libcharon/plugins/eap_tnc/Makefile.am
index 0e10f7d9c..9586bef14 100644
--- a/src/libcharon/plugins/eap_tnc/Makefile.am
+++ b/src/libcharon/plugins/eap_tnc/Makefile.am
@@ -1,5 +1,4 @@
-
-INCLUDES = \
+AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
 	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon \
@@ -7,7 +6,8 @@ INCLUDES = \
 	-I$(top_srcdir)/src/libtncif \
 	-I$(top_srcdir)/src/libtnccs
 
-AM_CFLAGS = -rdynamic
+AM_CFLAGS = \
+	-rdynamic
 
 if MONOLITHIC
 noinst_LTLIBRARIES = libstrongswan-eap-tnc.la
diff --git a/src/libcharon/plugins/eap_tnc/Makefile.in b/src/libcharon/plugins/eap_tnc/Makefile.in
index a687e8b3d..89571ad86 100644
--- a/src/libcharon/plugins/eap_tnc/Makefile.in
+++ b/src/libcharon/plugins/eap_tnc/Makefile.in
@@ -62,7 +62,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
@@ -104,9 +104,13 @@ LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
 am_libstrongswan_eap_tnc_la_OBJECTS = eap_tnc_plugin.lo eap_tnc.lo
 libstrongswan_eap_tnc_la_OBJECTS =  \
 	$(am_libstrongswan_eap_tnc_la_OBJECTS)
-libstrongswan_eap_tnc_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
-	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
-	$(libstrongswan_eap_tnc_la_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+libstrongswan_eap_tnc_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
+	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
+	$(AM_CFLAGS) $(CFLAGS) $(libstrongswan_eap_tnc_la_LDFLAGS) \
+	$(LDFLAGS) -o $@
 @MONOLITHIC_FALSE@am_libstrongswan_eap_tnc_la_rpath = -rpath \
 @MONOLITHIC_FALSE@	$(plugindir)
 @MONOLITHIC_TRUE@am_libstrongswan_eap_tnc_la_rpath =
@@ -116,13 +120,26 @@ am__depfiles_maybe = depfiles
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
 SOURCES = $(libstrongswan_eap_tnc_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_eap_tnc_la_SOURCES)
 am__can_run_installinfo = \
@@ -136,6 +153,7 @@ DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
@@ -148,6 +166,8 @@ CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
 CHECK_CFLAGS = @CHECK_CFLAGS@
 CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -163,6 +183,7 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
 GPRBUILD = @GPRBUILD@
 GREP = @GREP@
@@ -171,6 +192,7 @@ INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -217,6 +239,7 @@ SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -245,6 +268,7 @@ charon_natt_port = @charon_natt_port@
 charon_plugins = @charon_plugins@
 charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
@@ -322,7 +346,7 @@ top_srcdir = @top_srcdir@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-INCLUDES = \
+AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
 	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon \
@@ -330,7 +354,9 @@ INCLUDES = \
 	-I$(top_srcdir)/src/libtncif \
 	-I$(top_srcdir)/src/libtnccs
 
-AM_CFLAGS = -rdynamic
+AM_CFLAGS = \
+	-rdynamic
+
 @MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-eap-tnc.la
 @MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-eap-tnc.la
 @MONOLITHIC_FALSE@libstrongswan_eap_tnc_la_LIBADD = \
@@ -417,7 +443,7 @@ clean-pluginLTLIBRARIES:
 	  rm -f "$${dir}/so_locations"; \
 	done
 libstrongswan-eap-tnc.la: $(libstrongswan_eap_tnc_la_OBJECTS) $(libstrongswan_eap_tnc_la_DEPENDENCIES) $(EXTRA_libstrongswan_eap_tnc_la_DEPENDENCIES) 
-	$(libstrongswan_eap_tnc_la_LINK) $(am_libstrongswan_eap_tnc_la_rpath) $(libstrongswan_eap_tnc_la_OBJECTS) $(libstrongswan_eap_tnc_la_LIBADD) $(LIBS)
+	$(AM_V_CCLD)$(libstrongswan_eap_tnc_la_LINK) $(am_libstrongswan_eap_tnc_la_rpath) $(libstrongswan_eap_tnc_la_OBJECTS) $(libstrongswan_eap_tnc_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -429,25 +455,25 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/eap_tnc_plugin.Plo@am__quote@
 
 .c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
 mostlyclean-libtool:
 	-rm -f *.lo
diff --git a/src/libcharon/plugins/eap_tnc/eap_tnc.c b/src/libcharon/plugins/eap_tnc/eap_tnc.c
index 7363ade1d..839425d59 100644
--- a/src/libcharon/plugins/eap_tnc/eap_tnc.c
+++ b/src/libcharon/plugins/eap_tnc/eap_tnc.c
@@ -74,7 +74,7 @@ METHOD(eap_method_t, initiate, status_t,
 		case EAP_TLS:
 		case EAP_TTLS:
 		case EAP_PEAP:
-			auth_type = TNC_AUTH_CERT;
+			auth_type = TNC_AUTH_X509_CERT;
 			break;
 		case EAP_MD5:
 		case EAP_MSCHAPV2:
diff --git a/src/libcharon/plugins/eap_ttls/Makefile.am b/src/libcharon/plugins/eap_ttls/Makefile.am
index 8cc82cc2e..81776d800 100644
--- a/src/libcharon/plugins/eap_ttls/Makefile.am
+++ b/src/libcharon/plugins/eap_ttls/Makefile.am
@@ -1,9 +1,12 @@
-
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
-	-I$(top_srcdir)/src/libcharon -I$(top_srcdir)/src/libtls \
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon \
+	-I$(top_srcdir)/src/libtls \
 	-I$(top_srcdir)/src/libradius
 
-AM_CFLAGS = -rdynamic
+AM_CFLAGS = \
+	-rdynamic
 
 if MONOLITHIC
 noinst_LTLIBRARIES = libstrongswan-eap-ttls.la
diff --git a/src/libcharon/plugins/eap_ttls/Makefile.in b/src/libcharon/plugins/eap_ttls/Makefile.in
index 2a4fd35fe..c9eb76e10 100644
--- a/src/libcharon/plugins/eap_ttls/Makefile.in
+++ b/src/libcharon/plugins/eap_ttls/Makefile.in
@@ -62,7 +62,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
@@ -105,7 +105,10 @@ am_libstrongswan_eap_ttls_la_OBJECTS = eap_ttls_plugin.lo \
 	eap_ttls_server.lo
 libstrongswan_eap_ttls_la_OBJECTS =  \
 	$(am_libstrongswan_eap_ttls_la_OBJECTS)
-libstrongswan_eap_ttls_la_LINK = $(LIBTOOL) --tag=CC \
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+libstrongswan_eap_ttls_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
 	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
 	$(AM_CFLAGS) $(CFLAGS) $(libstrongswan_eap_ttls_la_LDFLAGS) \
 	$(LDFLAGS) -o $@
@@ -118,13 +121,26 @@ am__depfiles_maybe = depfiles
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
 SOURCES = $(libstrongswan_eap_ttls_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_eap_ttls_la_SOURCES)
 am__can_run_installinfo = \
@@ -138,6 +154,7 @@ DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
@@ -150,6 +167,8 @@ CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
 CHECK_CFLAGS = @CHECK_CFLAGS@
 CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -165,6 +184,7 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
 GPRBUILD = @GPRBUILD@
 GREP = @GREP@
@@ -173,6 +193,7 @@ INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -219,6 +240,7 @@ SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -247,6 +269,7 @@ charon_natt_port = @charon_natt_port@
 charon_plugins = @charon_plugins@
 charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
@@ -324,11 +347,16 @@ top_srcdir = @top_srcdir@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
-	-I$(top_srcdir)/src/libcharon -I$(top_srcdir)/src/libtls \
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon \
+	-I$(top_srcdir)/src/libtls \
 	-I$(top_srcdir)/src/libradius
 
-AM_CFLAGS = -rdynamic
+AM_CFLAGS = \
+	-rdynamic
+
 @MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-eap-ttls.la
 @MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-eap-ttls.la
 @MONOLITHIC_FALSE@libstrongswan_eap_ttls_la_LIBADD = $(top_builddir)/src/libtls/libtls.la
@@ -416,7 +444,7 @@ clean-pluginLTLIBRARIES:
 	  rm -f "$${dir}/so_locations"; \
 	done
 libstrongswan-eap-ttls.la: $(libstrongswan_eap_ttls_la_OBJECTS) $(libstrongswan_eap_ttls_la_DEPENDENCIES) $(EXTRA_libstrongswan_eap_ttls_la_DEPENDENCIES) 
-	$(libstrongswan_eap_ttls_la_LINK) $(am_libstrongswan_eap_ttls_la_rpath) $(libstrongswan_eap_ttls_la_OBJECTS) $(libstrongswan_eap_ttls_la_LIBADD) $(LIBS)
+	$(AM_V_CCLD)$(libstrongswan_eap_ttls_la_LINK) $(am_libstrongswan_eap_ttls_la_rpath) $(libstrongswan_eap_ttls_la_OBJECTS) $(libstrongswan_eap_ttls_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -431,25 +459,25 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/eap_ttls_server.Plo@am__quote@
 
 .c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
 mostlyclean-libtool:
 	-rm -f *.lo
diff --git a/src/libcharon/plugins/eap_ttls/eap_ttls_plugin.h b/src/libcharon/plugins/eap_ttls/eap_ttls_plugin.h
index 2abc82931..ca84ad7bb 100644
--- a/src/libcharon/plugins/eap_ttls/eap_ttls_plugin.h
+++ b/src/libcharon/plugins/eap_ttls/eap_ttls_plugin.h
@@ -39,9 +39,4 @@ struct eap_ttls_plugin_t {
 	plugin_t plugin;
 };
 
-/**
- * Create a eap_ttls_plugin instance.
- */
-plugin_t *eap_ttls_plugin_create();
-
 #endif /** EAP_TTLS_PLUGIN_H_ @}*/
diff --git a/src/libcharon/plugins/error_notify/Makefile.am b/src/libcharon/plugins/error_notify/Makefile.am
index fccd25201..980fe1fbd 100644
--- a/src/libcharon/plugins/error_notify/Makefile.am
+++ b/src/libcharon/plugins/error_notify/Makefile.am
@@ -1,10 +1,12 @@
-
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
-	-I$(top_srcdir)/src/libcharon
-
-AM_CFLAGS = -rdynamic \
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon \
 	-DIPSEC_PIDDIR=\"${piddir}\"
 
+AM_CFLAGS = \
+	-rdynamic
+
 if MONOLITHIC
 noinst_LTLIBRARIES = libstrongswan-error-notify.la
 else
diff --git a/src/libcharon/plugins/error_notify/Makefile.in b/src/libcharon/plugins/error_notify/Makefile.in
index b06fdf430..db20f0532 100644
--- a/src/libcharon/plugins/error_notify/Makefile.in
+++ b/src/libcharon/plugins/error_notify/Makefile.in
@@ -64,7 +64,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
@@ -105,7 +105,10 @@ am_libstrongswan_error_notify_la_OBJECTS = error_notify_plugin.lo \
 	error_notify_socket.lo error_notify_listener.lo
 libstrongswan_error_notify_la_OBJECTS =  \
 	$(am_libstrongswan_error_notify_la_OBJECTS)
-libstrongswan_error_notify_la_LINK = $(LIBTOOL) --tag=CC \
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+libstrongswan_error_notify_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
 	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
 	$(AM_CFLAGS) $(CFLAGS) \
 	$(libstrongswan_error_notify_la_LDFLAGS) $(LDFLAGS) -o $@
@@ -122,13 +125,26 @@ am__depfiles_maybe = depfiles
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
 SOURCES = $(libstrongswan_error_notify_la_SOURCES) \
 	$(error_notify_SOURCES)
 DIST_SOURCES = $(libstrongswan_error_notify_la_SOURCES) \
@@ -144,6 +160,7 @@ DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
@@ -156,6 +173,8 @@ CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
 CHECK_CFLAGS = @CHECK_CFLAGS@
 CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -171,6 +190,7 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
 GPRBUILD = @GPRBUILD@
 GREP = @GREP@
@@ -179,6 +199,7 @@ INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -225,6 +246,7 @@ SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -253,6 +275,7 @@ charon_natt_port = @charon_natt_port@
 charon_plugins = @charon_plugins@
 charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
@@ -330,12 +353,15 @@ top_srcdir = @top_srcdir@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
-	-I$(top_srcdir)/src/libcharon
-
-AM_CFLAGS = -rdynamic \
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon \
 	-DIPSEC_PIDDIR=\"${piddir}\"
 
+AM_CFLAGS = \
+	-rdynamic
+
 @MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-error-notify.la
 @MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-error-notify.la
 libstrongswan_error_notify_la_SOURCES = \
@@ -422,7 +448,7 @@ clean-pluginLTLIBRARIES:
 	  rm -f "$${dir}/so_locations"; \
 	done
 libstrongswan-error-notify.la: $(libstrongswan_error_notify_la_OBJECTS) $(libstrongswan_error_notify_la_DEPENDENCIES) $(EXTRA_libstrongswan_error_notify_la_DEPENDENCIES) 
-	$(libstrongswan_error_notify_la_LINK) $(am_libstrongswan_error_notify_la_rpath) $(libstrongswan_error_notify_la_OBJECTS) $(libstrongswan_error_notify_la_LIBADD) $(LIBS)
+	$(AM_V_CCLD)$(libstrongswan_error_notify_la_LINK) $(am_libstrongswan_error_notify_la_rpath) $(libstrongswan_error_notify_la_OBJECTS) $(libstrongswan_error_notify_la_LIBADD) $(LIBS)
 install-ipsecPROGRAMS: $(ipsec_PROGRAMS)
 	@$(NORMAL_INSTALL)
 	@list='$(ipsec_PROGRAMS)'; test -n "$(ipsecdir)" || list=; \
@@ -471,7 +497,7 @@ clean-ipsecPROGRAMS:
 	rm -f $$list
 error-notify$(EXEEXT): $(error_notify_OBJECTS) $(error_notify_DEPENDENCIES) $(EXTRA_error_notify_DEPENDENCIES) 
 	@rm -f error-notify$(EXEEXT)
-	$(LINK) $(error_notify_OBJECTS) $(error_notify_LDADD) $(LIBS)
+	$(AM_V_CCLD)$(LINK) $(error_notify_OBJECTS) $(error_notify_LDADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -485,25 +511,25 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/error_notify_socket.Plo@am__quote@
 
 .c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
 mostlyclean-libtool:
 	-rm -f *.lo
diff --git a/src/libcharon/plugins/error_notify/error_notify.c b/src/libcharon/plugins/error_notify/error_notify.c
index fec35a45d..e68f8a4a5 100644
--- a/src/libcharon/plugins/error_notify/error_notify.c
+++ b/src/libcharon/plugins/error_notify/error_notify.c
@@ -16,46 +16,89 @@
 #include "error_notify_msg.h"
 
 #include <stdio.h>
+#include <stdlib.h>
+#include <stddef.h>
 #include <unistd.h>
 #include <sys/stat.h>
 #include <sys/socket.h>
 #include <sys/un.h>
 #include <errno.h>
+#include <arpa/inet.h>
 
 /**
- * Example of a simple notification listener
+ * Connect to the daemon, return FD
  */
-int main(int argc, char *argv[])
+static int make_connection()
 {
-	struct sockaddr_un addr;
-	error_notify_msg_t msg;
-	int s;
+	union {
+		struct sockaddr_un un;
+		struct sockaddr_in in;
+		struct sockaddr sa;
+	} addr;
+	int fd, len;
 
-	addr.sun_family = AF_UNIX;
-	strcpy(addr.sun_path, ERROR_NOTIFY_SOCKET);
+	if (getenv("TCP_PORT"))
+	{
+		addr.in.sin_family = AF_INET;
+		addr.in.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
+		addr.in.sin_port = htons(atoi(getenv("TCP_PORT")));
+		len = sizeof(addr.in);
+	}
+	else
+	{
+		addr.un.sun_family = AF_UNIX;
+		strcpy(addr.un.sun_path, ERROR_NOTIFY_SOCKET);
 
-	s = socket(AF_UNIX, SOCK_SEQPACKET, 0);
-	if (s < 0)
+		len = offsetof(struct sockaddr_un, sun_path) + strlen(addr.un.sun_path);
+	}
+	fd = socket(addr.sa.sa_family, SOCK_STREAM, 0);
+	if (fd < 0)
 	{
 		fprintf(stderr, "opening socket failed: %s\n", strerror(errno));
-		return 1;
+		return -1;
+	}
+	if (connect(fd, &addr.sa, len) < 0)
+	{
+		fprintf(stderr, "connecting failed: %s\n", strerror(errno));
+		close(fd);
+		return -1;
 	}
-	if (connect(s, (struct sockaddr *)&addr, sizeof(addr)) < 0)
+	return fd;
+}
+
+/**
+ * Example of a simple notification listener
+ */
+int main(int argc, char *argv[])
+{
+	error_notify_msg_t msg;
+	int s, len, total;
+	void *pos;
+
+	s = make_connection();
+	if (s < 0)
 	{
-		fprintf(stderr, "connect failed: %s\n", strerror(errno));
-		close(s);
 		return 1;
 	}
 	while (1)
 	{
-		if (read(s, &msg, sizeof(msg)) != sizeof(msg))
+		total = 0;
+		pos = &msg;
+
+		while (total < sizeof(msg))
 		{
-			fprintf(stderr, "read failed: %s\n", strerror(errno));
-			close(s);
-			return 1;
+			len = read(s, pos, sizeof(msg) - total);
+			if (len < 0)
+			{
+				fprintf(stderr, "read failed: %s\n", strerror(errno));
+				close(s);
+				return 1;
+			}
+			total += len;
+			pos += len;
 		}
 		printf("%d %s %s %s %s\n",
-			   msg.type, msg.name, msg.id, msg.ip, msg.str);
+			   ntohl(msg.type), msg.name, msg.id, msg.ip, msg.str);
 	}
 	close(s);
 	return 0;
diff --git a/src/libcharon/plugins/error_notify/error_notify_listener.c b/src/libcharon/plugins/error_notify/error_notify_listener.c
index 9a6383cbe..13860fe50 100644
--- a/src/libcharon/plugins/error_notify/error_notify_listener.c
+++ b/src/libcharon/plugins/error_notify/error_notify_listener.c
@@ -45,6 +45,8 @@ METHOD(listener_t, alert, bool,
 	identification_t *id;
 	linked_list_t *list, *list2;
 	peer_cfg_t *peer_cfg;
+	certificate_t *cert;
+	time_t not_before, not_after;
 
 	if (!this->socket->has_listeners(this->socket))
 	{
@@ -56,80 +58,80 @@ METHOD(listener_t, alert, bool,
 	switch (alert)
 	{
 		case ALERT_RADIUS_NOT_RESPONDING:
-			msg.type = ERROR_NOTIFY_RADIUS_NOT_RESPONDING;
+			msg.type = htonl(ERROR_NOTIFY_RADIUS_NOT_RESPONDING);
 			snprintf(msg.str, sizeof(msg.str),
 					 "a RADIUS request message timed out");
 			break;
 		case ALERT_LOCAL_AUTH_FAILED:
-			msg.type = ERROR_NOTIFY_LOCAL_AUTH_FAILED;
+			msg.type = htonl(ERROR_NOTIFY_LOCAL_AUTH_FAILED);
 			snprintf(msg.str, sizeof(msg.str),
 					 "creating local authentication data failed");
 			break;
 		case ALERT_PEER_AUTH_FAILED:
-			msg.type = ERROR_NOTIFY_PEER_AUTH_FAILED;
+			msg.type = htonl(ERROR_NOTIFY_PEER_AUTH_FAILED);
 			snprintf(msg.str, sizeof(msg.str), "peer authentication failed");
 			break;
 		case ALERT_PARSE_ERROR_HEADER:
-			msg.type = ERROR_NOTIFY_PARSE_ERROR_HEADER;
+			msg.type = htonl(ERROR_NOTIFY_PARSE_ERROR_HEADER);
 			message = va_arg(args, message_t*);
 			snprintf(msg.str, sizeof(msg.str), "parsing IKE header from "
 					 "%#H failed", message->get_source(message));
 			break;
 		case ALERT_PARSE_ERROR_BODY:
-			msg.type = ERROR_NOTIFY_PARSE_ERROR_BODY;
+			msg.type = htonl(ERROR_NOTIFY_PARSE_ERROR_BODY);
 			message = va_arg(args, message_t*);
 			snprintf(msg.str, sizeof(msg.str), "parsing IKE message from "
 					 "%#H failed", message->get_source(message));
 			break;
 		case ALERT_RETRANSMIT_SEND_TIMEOUT:
-			msg.type = ERROR_NOTIFY_RETRANSMIT_SEND_TIMEOUT;
+			msg.type = htonl(ERROR_NOTIFY_RETRANSMIT_SEND_TIMEOUT);
 			snprintf(msg.str, sizeof(msg.str),
 					 "IKE message retransmission timed out");
 			break;
 		case ALERT_HALF_OPEN_TIMEOUT:
-			msg.type = ERROR_NOTIFY_HALF_OPEN_TIMEOUT;
+			msg.type = htonl(ERROR_NOTIFY_HALF_OPEN_TIMEOUT);
 			snprintf(msg.str, sizeof(msg.str), "IKE_SA timed out before it "
 					 "could be established");
 			break;
 		case ALERT_PROPOSAL_MISMATCH_IKE:
-			msg.type = ERROR_NOTIFY_PROPOSAL_MISMATCH_IKE;
+			msg.type = htonl(ERROR_NOTIFY_PROPOSAL_MISMATCH_IKE);
 			list = va_arg(args, linked_list_t*);
 			snprintf(msg.str, sizeof(msg.str), "the received IKE_SA poposals "
 					 "did not match: %#P", list);
 			break;
 		case ALERT_PROPOSAL_MISMATCH_CHILD:
-			msg.type = ERROR_NOTIFY_PROPOSAL_MISMATCH_CHILD;
+			msg.type = htonl(ERROR_NOTIFY_PROPOSAL_MISMATCH_CHILD);
 			list = va_arg(args, linked_list_t*);
 			snprintf(msg.str, sizeof(msg.str), "the received CHILD_SA poposals "
 					 "did not match: %#P", list);
 			break;
 		case ALERT_TS_MISMATCH:
-			msg.type = ERROR_NOTIFY_TS_MISMATCH;
+			msg.type = htonl(ERROR_NOTIFY_TS_MISMATCH);
 			list = va_arg(args, linked_list_t*);
 			list2 = va_arg(args, linked_list_t*);
 			snprintf(msg.str, sizeof(msg.str), "the received traffic selectors "
 					 "did not match: %#R=== %#R", list, list2);
 			break;
 		case ALERT_INSTALL_CHILD_SA_FAILED:
-			msg.type = ERROR_NOTIFY_INSTALL_CHILD_SA_FAILED;
+			msg.type = htonl(ERROR_NOTIFY_INSTALL_CHILD_SA_FAILED);
 			snprintf(msg.str, sizeof(msg.str), "installing IPsec SA failed");
 			break;
 		case ALERT_INSTALL_CHILD_POLICY_FAILED:
-			msg.type = ERROR_NOTIFY_INSTALL_CHILD_POLICY_FAILED;
+			msg.type = htonl(ERROR_NOTIFY_INSTALL_CHILD_POLICY_FAILED);
 			snprintf(msg.str, sizeof(msg.str), "installing IPsec policy failed");
 			break;
 		case ALERT_UNIQUE_REPLACE:
-			msg.type = ERROR_NOTIFY_UNIQUE_REPLACE;
+			msg.type = htonl(ERROR_NOTIFY_UNIQUE_REPLACE);
 			snprintf(msg.str, sizeof(msg.str),
 					 "replaced old IKE_SA due to uniqueness policy");
 			break;
 		case ALERT_UNIQUE_KEEP:
-			msg.type = ERROR_NOTIFY_UNIQUE_KEEP;
+			msg.type = htonl(ERROR_NOTIFY_UNIQUE_KEEP);
 			snprintf(msg.str, sizeof(msg.str), "keep existing in favor of "
 					 "rejected new IKE_SA due to uniqueness policy");
 			break;
 		case ALERT_VIP_FAILURE:
-			msg.type = ERROR_NOTIFY_VIP_FAILURE;
+			msg.type = htonl(ERROR_NOTIFY_VIP_FAILURE);
 			list = va_arg(args, linked_list_t*);
 			if (list->get_first(list, (void**)&host) == SUCCESS)
 			{
@@ -143,10 +145,30 @@ METHOD(listener_t, alert, bool,
 			}
 			break;
 		case ALERT_AUTHORIZATION_FAILED:
-			msg.type = ERROR_NOTIFY_AUTHORIZATION_FAILED;
+			msg.type = htonl(ERROR_NOTIFY_AUTHORIZATION_FAILED);
 			snprintf(msg.str, sizeof(msg.str), "an authorization plugin "
 					 "prevented establishment of an IKE_SA");
 			break;
+		case ALERT_CERT_EXPIRED:
+			msg.type = htonl(ERROR_NOTIFY_CERT_EXPIRED);
+			cert = va_arg(args, certificate_t*);
+			cert->get_validity(cert, NULL, &not_before, &not_after);
+			snprintf(msg.str, sizeof(msg.str), "certificiate expired: '%Y' "
+					 "(valid from %T to %T)", cert->get_subject(cert),
+					 &not_before, TRUE, &not_after, TRUE);
+			break;
+		case ALERT_CERT_REVOKED:
+			msg.type = htonl(ERROR_NOTIFY_CERT_REVOKED);
+			cert = va_arg(args, certificate_t*);
+			snprintf(msg.str, sizeof(msg.str), "certificiate revoked: '%Y'",
+					 cert->get_subject(cert));
+			break;
+		case ALERT_CERT_NO_ISSUER:
+			msg.type = htonl(ERROR_NOTIFY_NO_ISSUER_CERT);
+			cert = va_arg(args, certificate_t*);
+			snprintf(msg.str, sizeof(msg.str), "no trusted issuer certificate "
+					 "found: '%Y'", cert->get_issuer(cert));
+			break;
 		default:
 			return TRUE;
 	}
diff --git a/src/libcharon/plugins/error_notify/error_notify_msg.h b/src/libcharon/plugins/error_notify/error_notify_msg.h
index e3cdd67e9..c66080276 100644
--- a/src/libcharon/plugins/error_notify/error_notify_msg.h
+++ b/src/libcharon/plugins/error_notify/error_notify_msg.h
@@ -45,6 +45,9 @@ enum {
 	ERROR_NOTIFY_UNIQUE_KEEP = 14,
 	ERROR_NOTIFY_VIP_FAILURE = 15,
 	ERROR_NOTIFY_AUTHORIZATION_FAILED = 16,
+	ERROR_NOTIFY_CERT_EXPIRED = 17,
+	ERROR_NOTIFY_CERT_REVOKED = 18,
+	ERROR_NOTIFY_NO_ISSUER_CERT = 19,
 };
 
 /**
@@ -54,13 +57,13 @@ struct error_notify_msg_t {
 	/** message type */
 	int type;
 	/** string with an error description */
-	char str[128];
+	char str[384];
 	/** connection name, if known */
 	char name[64];
 	/** peer identity, if known */
-	char id[128];
+	char id[256];
 	/** peer address and port, if known */
 	char ip[60];
-};
+} __attribute__((packed));
 
 #endif /** ERROR_NOTIFY_MSG_H_ @}*/
diff --git a/src/libcharon/plugins/error_notify/error_notify_plugin.c b/src/libcharon/plugins/error_notify/error_notify_plugin.c
index f4f0647fb..40ace6014 100644
--- a/src/libcharon/plugins/error_notify/error_notify_plugin.c
+++ b/src/libcharon/plugins/error_notify/error_notify_plugin.c
@@ -49,10 +49,37 @@ METHOD(plugin_t, get_name, char*,
 	return "error-notify";
 }
 
+/**
+ * Register listener
+ */
+static bool plugin_cb(private_error_notify_plugin_t *this,
+					  plugin_feature_t *feature, bool reg, void *cb_data)
+{
+	if (reg)
+	{
+		charon->bus->add_listener(charon->bus, &this->listener->listener);
+	}
+	else
+	{
+		charon->bus->remove_listener(charon->bus, &this->listener->listener);
+	}
+	return TRUE;
+}
+
+METHOD(plugin_t, get_features, int,
+	private_error_notify_plugin_t *this, plugin_feature_t *features[])
+{
+	static plugin_feature_t f[] = {
+		PLUGIN_CALLBACK((plugin_feature_callback_t)plugin_cb, NULL),
+			PLUGIN_PROVIDE(CUSTOM, "error-notify"),
+	};
+	*features = f;
+	return countof(f);
+}
+
 METHOD(plugin_t, destroy, void,
 	private_error_notify_plugin_t *this)
 {
-	charon->bus->remove_listener(charon->bus, &this->listener->listener);
 	this->listener->destroy(this->listener);
 	this->socket->destroy(this->socket);
 	free(this);
@@ -69,15 +96,20 @@ plugin_t *error_notify_plugin_create()
 		.public = {
 			.plugin = {
 				.get_name = _get_name,
-				.reload = (void*)return_false,
+				.get_features = _get_features,
 				.destroy = _destroy,
 			},
 		},
 		.socket = error_notify_socket_create(),
 	);
 
+	if (!this->socket)
+	{
+		free(this);
+		return NULL;
+	}
+
 	this->listener = error_notify_listener_create(this->socket);
-	charon->bus->add_listener(charon->bus, &this->listener->listener);
 
 	return &this->public.plugin;
 }
diff --git a/src/libcharon/plugins/error_notify/error_notify_socket.c b/src/libcharon/plugins/error_notify/error_notify_socket.c
index 3ea657ba5..aafd0a4cd 100644
--- a/src/libcharon/plugins/error_notify/error_notify_socket.c
+++ b/src/libcharon/plugins/error_notify/error_notify_socket.c
@@ -43,12 +43,12 @@ struct private_error_notify_socket_t {
 	error_notify_socket_t public;
 
 	/**
-	 * Unix socket file descriptor
+	 * Service accepting connections
 	 */
-	int socket;
+	stream_service_t *service;
 
 	/**
-	 * List of connected clients, as uintptr_t FD
+	 * List of connected clients, as stream_t
 	 */
 	linked_list_t *connected;
 
@@ -58,48 +58,6 @@ struct private_error_notify_socket_t {
 	mutex_t *mutex;
 };
 
-/**
- * Open error notify unix socket
- */
-static bool open_socket(private_error_notify_socket_t *this)
-{
-	struct sockaddr_un addr;
-	mode_t old;
-
-	addr.sun_family = AF_UNIX;
-	strcpy(addr.sun_path, ERROR_NOTIFY_SOCKET);
-
-	this->socket = socket(AF_UNIX, SOCK_SEQPACKET, 0);
-	if (this->socket == -1)
-	{
-		DBG1(DBG_CFG, "creating notify socket failed");
-		return FALSE;
-	}
-	unlink(addr.sun_path);
-	old = umask(~(S_IRWXU | S_IRWXG));
-	if (bind(this->socket, (struct sockaddr*)&addr, sizeof(addr)) < 0)
-	{
-		DBG1(DBG_CFG, "binding notify socket failed: %s", strerror(errno));
-		close(this->socket);
-		return FALSE;
-	}
-	umask(old);
-	if (chown(addr.sun_path, charon->caps->get_uid(charon->caps),
-			  charon->caps->get_gid(charon->caps)) != 0)
-	{
-		DBG1(DBG_CFG, "changing notify socket permissions failed: %s",
-			 strerror(errno));
-	}
-	if (listen(this->socket, 10) < 0)
-	{
-		DBG1(DBG_CFG, "listening on notify socket failed: %s", strerror(errno));
-		close(this->socket);
-		unlink(addr.sun_path);
-		return FALSE;
-	}
-	return TRUE;
-}
-
 METHOD(error_notify_socket_t, has_listeners, bool,
 	private_error_notify_socket_t *this)
 {
@@ -116,23 +74,21 @@ METHOD(error_notify_socket_t, notify, void,
 	private_error_notify_socket_t *this, error_notify_msg_t *msg)
 {
 	enumerator_t *enumerator;
-	uintptr_t fd;
+	stream_t *stream;
 
 	this->mutex->lock(this->mutex);
 	enumerator = this->connected->create_enumerator(this->connected);
-	while (enumerator->enumerate(enumerator, (void*)&fd))
+	while (enumerator->enumerate(enumerator, &stream))
 	{
-		while (send(fd, msg, sizeof(*msg), 0) <= 0)
+		if (!stream->write_all(stream, msg, sizeof(*msg)))
 		{
 			switch (errno)
 			{
-				case EINTR:
-					continue;
 				case ECONNRESET:
 				case EPIPE:
 					/* disconnect, remove this listener */
 					this->connected->remove_at(this->connected, enumerator);
-					close(fd);
+					stream->destroy(stream);
 					break;
 				default:
 					DBG1(DBG_CFG, "sending notify failed: %s", strerror(errno));
@@ -146,45 +102,23 @@ METHOD(error_notify_socket_t, notify, void,
 }
 
 /**
- * Accept client connections, dispatch
+ * Accept client connections
  */
-static job_requeue_t accept_(private_error_notify_socket_t *this)
+static bool on_accept(private_error_notify_socket_t *this, stream_t *stream)
 {
-	struct sockaddr_un addr;
-	int fd, len;
-	bool oldstate;
-
-	len = sizeof(addr);
-	oldstate = thread_cancelability(TRUE);
-	fd = accept(this->socket, (struct sockaddr*)&addr, &len);
-	thread_cancelability(oldstate);
+	this->mutex->lock(this->mutex);
+	this->connected->insert_last(this->connected, stream);
+	this->mutex->unlock(this->mutex);
 
-	if (fd != -1)
-	{
-		this->mutex->lock(this->mutex);
-		this->connected->insert_last(this->connected, (void*)(uintptr_t)fd);
-		this->mutex->unlock(this->mutex);
-	}
-	else
-	{
-		DBG1(DBG_CFG, "accepting notify connection failed: %s",
-			 strerror(errno));
-	}
-	return JOB_REQUEUE_DIRECT;
+	return TRUE;
 }
 
 METHOD(error_notify_socket_t, destroy, void,
 	private_error_notify_socket_t *this)
 {
-	uintptr_t fd;
-
-	while (this->connected->remove_last(this->connected, (void*)&fd) == SUCCESS)
-	{
-		close(fd);
-	}
-	this->connected->destroy(this->connected);
+	DESTROY_IF(this->service);
+	this->connected->destroy_offset(this->connected, offsetof(stream_t, destroy));
 	this->mutex->destroy(this->mutex);
-	close(this->socket);
 	free(this);
 }
 
@@ -194,6 +128,7 @@ METHOD(error_notify_socket_t, destroy, void,
 error_notify_socket_t *error_notify_socket_create()
 {
 	private_error_notify_socket_t *this;
+	char *uri;
 
 	INIT(this,
 		.public = {
@@ -205,15 +140,18 @@ error_notify_socket_t *error_notify_socket_create()
 		.mutex = mutex_create(MUTEX_TYPE_DEFAULT),
 	);
 
-	if (!open_socket(this))
+	uri = lib->settings->get_str(lib->settings,
+				"%s.plugins.error-notify.socket", "unix://" ERROR_NOTIFY_SOCKET,
+				charon->name);
+	this->service = lib->streams->create_service(lib->streams, uri, 10);
+	if (!this->service)
 	{
-		free(this);
+		DBG1(DBG_CFG, "creating duplicheck socket failed");
+		destroy(this);
 		return NULL;
 	}
-
-	lib->processor->queue_job(lib->processor,
-		(job_t*)callback_job_create_with_prio((callback_job_cb_t)accept_, this,
-				NULL, (callback_job_cancel_t)return_false, JOB_PRIO_CRITICAL));
+	this->service->on_accept(this->service, (stream_service_cb_t)on_accept,
+							 this, JOB_PRIO_CRITICAL, 1);
 
 	return &this->public;
 }
diff --git a/src/libcharon/plugins/farp/Makefile.am b/src/libcharon/plugins/farp/Makefile.am
index 42cd31879..95e57d8e6 100644
--- a/src/libcharon/plugins/farp/Makefile.am
+++ b/src/libcharon/plugins/farp/Makefile.am
@@ -1,8 +1,10 @@
-
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon
 
-AM_CFLAGS = -rdynamic
+AM_CFLAGS = \
+	-rdynamic
 
 if MONOLITHIC
 noinst_LTLIBRARIES = libstrongswan-farp.la
diff --git a/src/libcharon/plugins/farp/Makefile.in b/src/libcharon/plugins/farp/Makefile.in
index 5dbc49939..47d82502a 100644
--- a/src/libcharon/plugins/farp/Makefile.in
+++ b/src/libcharon/plugins/farp/Makefile.in
@@ -62,7 +62,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
@@ -102,9 +102,13 @@ libstrongswan_farp_la_LIBADD =
 am_libstrongswan_farp_la_OBJECTS = farp_plugin.lo farp_listener.lo \
 	farp_spoofer.lo
 libstrongswan_farp_la_OBJECTS = $(am_libstrongswan_farp_la_OBJECTS)
-libstrongswan_farp_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
-	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
-	$(libstrongswan_farp_la_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+libstrongswan_farp_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
+	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
+	$(AM_CFLAGS) $(CFLAGS) $(libstrongswan_farp_la_LDFLAGS) \
+	$(LDFLAGS) -o $@
 @MONOLITHIC_FALSE@am_libstrongswan_farp_la_rpath = -rpath $(plugindir)
 @MONOLITHIC_TRUE@am_libstrongswan_farp_la_rpath =
 DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
@@ -113,13 +117,26 @@ am__depfiles_maybe = depfiles
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
 SOURCES = $(libstrongswan_farp_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_farp_la_SOURCES)
 am__can_run_installinfo = \
@@ -133,6 +150,7 @@ DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
@@ -145,6 +163,8 @@ CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
 CHECK_CFLAGS = @CHECK_CFLAGS@
 CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -160,6 +180,7 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
 GPRBUILD = @GPRBUILD@
 GREP = @GREP@
@@ -168,6 +189,7 @@ INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -214,6 +236,7 @@ SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -242,6 +265,7 @@ charon_natt_port = @charon_natt_port@
 charon_plugins = @charon_plugins@
 charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
@@ -319,10 +343,14 @@ top_srcdir = @top_srcdir@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon
 
-AM_CFLAGS = -rdynamic
+AM_CFLAGS = \
+	-rdynamic
+
 @MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-farp.la
 @MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-farp.la
 libstrongswan_farp_la_SOURCES = farp_plugin.h farp_plugin.c \
@@ -405,7 +433,7 @@ clean-pluginLTLIBRARIES:
 	  rm -f "$${dir}/so_locations"; \
 	done
 libstrongswan-farp.la: $(libstrongswan_farp_la_OBJECTS) $(libstrongswan_farp_la_DEPENDENCIES) $(EXTRA_libstrongswan_farp_la_DEPENDENCIES) 
-	$(libstrongswan_farp_la_LINK) $(am_libstrongswan_farp_la_rpath) $(libstrongswan_farp_la_OBJECTS) $(libstrongswan_farp_la_LIBADD) $(LIBS)
+	$(AM_V_CCLD)$(libstrongswan_farp_la_LINK) $(am_libstrongswan_farp_la_rpath) $(libstrongswan_farp_la_OBJECTS) $(libstrongswan_farp_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -418,25 +446,25 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/farp_spoofer.Plo@am__quote@
 
 .c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
 mostlyclean-libtool:
 	-rm -f *.lo
diff --git a/src/libcharon/plugins/farp/farp_listener.c b/src/libcharon/plugins/farp/farp_listener.c
index 81d5d2405..87c84359c 100644
--- a/src/libcharon/plugins/farp/farp_listener.c
+++ b/src/libcharon/plugins/farp/farp_listener.c
@@ -58,19 +58,30 @@ METHOD(listener_t, child_updown, bool,
 	bool up)
 {
 	enumerator_t *enumerator;
+	traffic_selector_t *ts;
 	entry_t *entry;
 
 	if (up)
 	{
 		INIT(entry,
-			.local = child_sa->get_traffic_selectors(child_sa, TRUE),
-			.remote = child_sa->get_traffic_selectors(child_sa, FALSE),
+			.local = linked_list_create(),
+			.remote = linked_list_create(),
 			.reqid = child_sa->get_reqid(child_sa),
 		);
-		entry->local = entry->local->clone_offset(entry->local,
-										offsetof(traffic_selector_t, clone));
-		entry->remote = entry->remote->clone_offset(entry->remote,
-										offsetof(traffic_selector_t, clone));
+
+		enumerator = child_sa->create_ts_enumerator(child_sa, TRUE);
+		while (enumerator->enumerate(enumerator, &ts))
+		{
+			entry->local->insert_last(entry->local, ts->clone(ts));
+		}
+		enumerator->destroy(enumerator);
+
+		enumerator = child_sa->create_ts_enumerator(child_sa, FALSE);
+		while (enumerator->enumerate(enumerator, &ts))
+		{
+			entry->remote->insert_last(entry->remote, ts->clone(ts));
+		}
+		enumerator->destroy(enumerator);
 
 		this->lock->write_lock(this->lock);
 		this->entries->insert_last(this->entries, entry);
@@ -160,4 +171,3 @@ farp_listener_t *farp_listener_create()
 
 	return &this->public;
 }
-
diff --git a/src/libcharon/plugins/farp/farp_plugin.c b/src/libcharon/plugins/farp/farp_plugin.c
index a30c11962..4b74da3b9 100644
--- a/src/libcharon/plugins/farp/farp_plugin.c
+++ b/src/libcharon/plugins/farp/farp_plugin.c
@@ -49,11 +49,38 @@ METHOD(plugin_t, get_name, char*,
 	return "farp";
 }
 
+/**
+ * Register listener
+ */
+static bool plugin_cb(private_farp_plugin_t *this,
+					  plugin_feature_t *feature, bool reg, void *cb_data)
+{
+	if (reg)
+	{
+		charon->bus->add_listener(charon->bus, &this->listener->listener);
+	}
+	else
+	{
+		charon->bus->remove_listener(charon->bus, &this->listener->listener);
+	}
+	return TRUE;
+}
+
+METHOD(plugin_t, get_features, int,
+	private_farp_plugin_t *this, plugin_feature_t *features[])
+{
+	static plugin_feature_t f[] = {
+		PLUGIN_CALLBACK((plugin_feature_callback_t)plugin_cb, NULL),
+			PLUGIN_PROVIDE(CUSTOM, "farp"),
+	};
+	*features = f;
+	return countof(f);
+}
+
 METHOD(plugin_t, destroy, void,
 	private_farp_plugin_t *this)
 {
 	DESTROY_IF(this->spoofer);
-	charon->bus->remove_listener(charon->bus, &this->listener->listener);
 	this->listener->destroy(this->listener);
 	free(this);
 }
@@ -65,19 +92,24 @@ plugin_t *farp_plugin_create()
 {
 	private_farp_plugin_t *this;
 
+	if (!lib->caps->keep(lib->caps, CAP_NET_RAW))
+	{	/* required to open ARP socket (AF_PACKET). according to capabilities(7)
+		 * it is also require to use the socket */
+		DBG1(DBG_NET, "farp plugin requires CAP_NET_RAW capability");
+		return NULL;
+	}
+
 	INIT(this,
 		.public = {
 			.plugin = {
 				.get_name = _get_name,
-				.reload = (void*)return_false,
+				.get_features = _get_features,
 				.destroy = _destroy,
 			},
 		},
 		.listener = farp_listener_create(),
 	);
 
-	charon->bus->add_listener(charon->bus, &this->listener->listener);
-
 	this->spoofer = farp_spoofer_create(this->listener);
 	if (!this->spoofer)
 	{
@@ -86,4 +118,3 @@ plugin_t *farp_plugin_create()
 	}
 	return &this->public.plugin;
 }
-
diff --git a/src/libcharon/plugins/farp/farp_spoofer.c b/src/libcharon/plugins/farp/farp_spoofer.c
index 52b037c19..9f66d7407 100644
--- a/src/libcharon/plugins/farp/farp_spoofer.c
+++ b/src/libcharon/plugins/farp/farp_spoofer.c
@@ -96,20 +96,16 @@ static void send_arp(private_farp_spoofer_t *this,
 /**
  * ARP request receiving
  */
-static job_requeue_t receive_arp(private_farp_spoofer_t *this)
+static bool receive_arp(private_farp_spoofer_t *this)
 {
 	struct sockaddr_ll addr;
 	socklen_t addr_len = sizeof(addr);
 	arp_t arp;
-	int oldstate;
 	ssize_t len;
 	host_t *local, *remote;
 
-	oldstate = thread_cancelability(TRUE);
-	len = recvfrom(this->skt, &arp, sizeof(arp), 0,
+	len = recvfrom(this->skt, &arp, sizeof(arp), MSG_DONTWAIT,
 				   (struct sockaddr*)&addr, &addr_len);
-	thread_cancelability(oldstate);
-
 	if (len == sizeof(arp))
 	{
 		local = host_create_from_chunk(AF_INET,
@@ -124,12 +120,13 @@ static job_requeue_t receive_arp(private_farp_spoofer_t *this)
 		remote->destroy(remote);
 	}
 
-	return JOB_REQUEUE_DIRECT;
+	return TRUE;
 }
 
 METHOD(farp_spoofer_t, destroy, void,
 	private_farp_spoofer_t *this)
 {
+	lib->watcher->remove(lib->watcher, this->skt);
 	close(this->skt);
 	free(this);
 }
@@ -183,10 +180,8 @@ farp_spoofer_t *farp_spoofer_create(farp_listener_t *listener)
 		return NULL;
 	}
 
-	lib->processor->queue_job(lib->processor,
-		(job_t*)callback_job_create_with_prio((callback_job_cb_t)receive_arp,
-			this, NULL, (callback_job_cancel_t)return_false, JOB_PRIO_CRITICAL));
+	lib->watcher->add(lib->watcher, this->skt, WATCHER_READ,
+					  (watcher_cb_t)receive_arp, this);
 
 	return &this->public;
 }
-
diff --git a/src/libcharon/plugins/ha/Makefile.am b/src/libcharon/plugins/ha/Makefile.am
index bc1b49d48..c10f7f903 100644
--- a/src/libcharon/plugins/ha/Makefile.am
+++ b/src/libcharon/plugins/ha/Makefile.am
@@ -1,8 +1,11 @@
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon \
+	-DIPSEC_PIDDIR=\"${piddir}\"
 
-INCLUDES = -I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra -I$(top_srcdir)/src/libcharon
-
-AM_CFLAGS = -rdynamic -DIPSEC_PIDDIR=\"${piddir}\"
+AM_CFLAGS = \
+	-rdynamic
 
 if MONOLITHIC
 noinst_LTLIBRARIES = libstrongswan-ha.la
@@ -24,4 +27,3 @@ libstrongswan_ha_la_SOURCES = \
   ha_child.h ha_child.c \
   ha_attribute.h ha_attribute.c
 libstrongswan_ha_la_LDFLAGS = -module -avoid-version
-
diff --git a/src/libcharon/plugins/ha/Makefile.in b/src/libcharon/plugins/ha/Makefile.in
index ae99e143f..302ad0fab 100644
--- a/src/libcharon/plugins/ha/Makefile.in
+++ b/src/libcharon/plugins/ha/Makefile.in
@@ -62,7 +62,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
@@ -104,9 +104,13 @@ am_libstrongswan_ha_la_OBJECTS = ha_plugin.lo ha_message.lo \
 	ha_cache.lo ha_kernel.lo ha_ctl.lo ha_ike.lo ha_child.lo \
 	ha_attribute.lo
 libstrongswan_ha_la_OBJECTS = $(am_libstrongswan_ha_la_OBJECTS)
-libstrongswan_ha_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
-	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
-	$(libstrongswan_ha_la_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+libstrongswan_ha_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
+	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
+	$(AM_CFLAGS) $(CFLAGS) $(libstrongswan_ha_la_LDFLAGS) \
+	$(LDFLAGS) -o $@
 @MONOLITHIC_FALSE@am_libstrongswan_ha_la_rpath = -rpath $(plugindir)
 @MONOLITHIC_TRUE@am_libstrongswan_ha_la_rpath =
 DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
@@ -115,13 +119,26 @@ am__depfiles_maybe = depfiles
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
 SOURCES = $(libstrongswan_ha_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_ha_la_SOURCES)
 am__can_run_installinfo = \
@@ -135,6 +152,7 @@ DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
@@ -147,6 +165,8 @@ CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
 CHECK_CFLAGS = @CHECK_CFLAGS@
 CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -162,6 +182,7 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
 GPRBUILD = @GPRBUILD@
 GREP = @GREP@
@@ -170,6 +191,7 @@ INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -216,6 +238,7 @@ SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -244,6 +267,7 @@ charon_natt_port = @charon_natt_port@
 charon_plugins = @charon_plugins@
 charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
@@ -321,10 +345,15 @@ top_srcdir = @top_srcdir@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-INCLUDES = -I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra -I$(top_srcdir)/src/libcharon
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon \
+	-DIPSEC_PIDDIR=\"${piddir}\"
+
+AM_CFLAGS = \
+	-rdynamic
 
-AM_CFLAGS = -rdynamic -DIPSEC_PIDDIR=\"${piddir}\"
 @MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-ha.la
 @MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-ha.la
 libstrongswan_ha_la_SOURCES = \
@@ -418,7 +447,7 @@ clean-pluginLTLIBRARIES:
 	  rm -f "$${dir}/so_locations"; \
 	done
 libstrongswan-ha.la: $(libstrongswan_ha_la_OBJECTS) $(libstrongswan_ha_la_DEPENDENCIES) $(EXTRA_libstrongswan_ha_la_DEPENDENCIES) 
-	$(libstrongswan_ha_la_LINK) $(am_libstrongswan_ha_la_rpath) $(libstrongswan_ha_la_OBJECTS) $(libstrongswan_ha_la_LIBADD) $(LIBS)
+	$(AM_V_CCLD)$(libstrongswan_ha_la_LINK) $(am_libstrongswan_ha_la_rpath) $(libstrongswan_ha_la_OBJECTS) $(libstrongswan_ha_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -440,25 +469,25 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ha_tunnel.Plo@am__quote@
 
 .c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
 mostlyclean-libtool:
 	-rm -f *.lo
diff --git a/src/libcharon/plugins/ha/ha_child.c b/src/libcharon/plugins/ha/ha_child.c
index 707add94d..c166d72ac 100644
--- a/src/libcharon/plugins/ha/ha_child.c
+++ b/src/libcharon/plugins/ha/ha_child.c
@@ -103,18 +103,22 @@ METHOD(listener_t, child_keys, bool,
 		chunk_clear(&secret);
 	}
 
-	local_ts = child_sa->get_traffic_selectors(child_sa, TRUE);
-	enumerator = local_ts->create_enumerator(local_ts);
+	local_ts = linked_list_create();
+	remote_ts = linked_list_create();
+
+	enumerator = child_sa->create_ts_enumerator(child_sa, TRUE);
 	while (enumerator->enumerate(enumerator, &ts))
 	{
 		m->add_attribute(m, HA_LOCAL_TS, ts);
+		local_ts->insert_last(local_ts, ts);
 	}
 	enumerator->destroy(enumerator);
-	remote_ts = child_sa->get_traffic_selectors(child_sa, FALSE);
-	enumerator = remote_ts->create_enumerator(remote_ts);
+
+	enumerator = child_sa->create_ts_enumerator(child_sa, FALSE);
 	while (enumerator->enumerate(enumerator, &ts))
 	{
 		m->add_attribute(m, HA_REMOTE_TS, ts);
+		remote_ts->insert_last(remote_ts, ts);
 	}
 	enumerator->destroy(enumerator);
 
@@ -128,6 +132,9 @@ METHOD(listener_t, child_keys, bool,
 		seg_i, this->segments->is_active(this->segments, seg_i) ? "*" : "",
 		seg_o, this->segments->is_active(this->segments, seg_o) ? "*" : "");
 
+	local_ts->destroy(local_ts);
+	remote_ts->destroy(remote_ts);
+
 	this->socket->push(this->socket, m);
 	m->destroy(m);
 
@@ -195,4 +202,3 @@ ha_child_t *ha_child_create(ha_socket_t *socket, ha_tunnel_t *tunnel,
 
 	return &this->public;
 }
-
diff --git a/src/libcharon/plugins/ha/ha_ctl.c b/src/libcharon/plugins/ha/ha_ctl.c
index cb9af3aed..178a0349b 100644
--- a/src/libcharon/plugins/ha/ha_ctl.c
+++ b/src/libcharon/plugins/ha/ha_ctl.c
@@ -129,8 +129,8 @@ ha_ctl_t *ha_ctl_create(ha_segments_t *segments, ha_cache_t *cache)
 		}
 		umask(old);
 	}
-	if (chown(HA_FIFO, charon->caps->get_uid(charon->caps),
-			  charon->caps->get_gid(charon->caps)) != 0)
+	if (chown(HA_FIFO, lib->caps->get_uid(lib->caps),
+			  lib->caps->get_gid(lib->caps)) != 0)
 	{
 		DBG1(DBG_CFG, "changing HA FIFO permissions failed: %s",
 			 strerror(errno));
diff --git a/src/libcharon/plugins/ha/ha_dispatcher.c b/src/libcharon/plugins/ha/ha_dispatcher.c
index 97ed13111..1ce9d3a16 100644
--- a/src/libcharon/plugins/ha/ha_dispatcher.c
+++ b/src/libcharon/plugins/ha/ha_dispatcher.c
@@ -794,9 +794,11 @@ static void process_child_add(private_ha_dispatcher_t *this,
 	if (initiator)
 	{
 		if (child_sa->install(child_sa, encr_r, integ_r, inbound_spi,
-					inbound_cpi, TRUE, TRUE, local_ts, remote_ts) != SUCCESS ||
+							  inbound_cpi, initiator, TRUE, TRUE,
+							  local_ts, remote_ts) != SUCCESS ||
 			child_sa->install(child_sa, encr_i, integ_i, outbound_spi,
-					outbound_cpi, FALSE, TRUE, local_ts, remote_ts) != SUCCESS)
+							  outbound_cpi, initiator, FALSE, TRUE,
+							  local_ts, remote_ts) != SUCCESS)
 		{
 			failed = TRUE;
 		}
@@ -804,9 +806,11 @@ static void process_child_add(private_ha_dispatcher_t *this,
 	else
 	{
 		if (child_sa->install(child_sa, encr_i, integ_i, inbound_spi,
-					inbound_cpi, TRUE, TRUE, local_ts, remote_ts) != SUCCESS ||
+							  inbound_cpi, initiator, TRUE, TRUE,
+							  local_ts, remote_ts) != SUCCESS ||
 			child_sa->install(child_sa, encr_r, integ_r, outbound_spi,
-					outbound_cpi, FALSE, TRUE, local_ts, remote_ts) != SUCCESS)
+							  outbound_cpi, initiator, FALSE, TRUE,
+							  local_ts, remote_ts) != SUCCESS)
 		{
 			failed = TRUE;
 		}
diff --git a/src/libcharon/plugins/ha/ha_kernel.c b/src/libcharon/plugins/ha/ha_kernel.c
index c45339690..eed89e0bf 100644
--- a/src/libcharon/plugins/ha/ha_kernel.c
+++ b/src/libcharon/plugins/ha/ha_kernel.c
@@ -316,8 +316,8 @@ static void disable_all(private_ha_kernel_t *this)
 	{
 		while (enumerator->enumerate(enumerator, NULL, &file, NULL))
 		{
-			if (chown(file, charon->caps->get_uid(charon->caps),
-					  charon->caps->get_gid(charon->caps)) != 0)
+			if (chown(file, lib->caps->get_uid(lib->caps),
+					  lib->caps->get_gid(lib->caps)) != 0)
 			{
 				DBG1(DBG_CFG, "changing ClusterIP permissions failed: %s",
 					 strerror(errno));
diff --git a/src/libcharon/plugins/ha/ha_plugin.c b/src/libcharon/plugins/ha/ha_plugin.c
index 255eeafc0..5d4cc6184 100644
--- a/src/libcharon/plugins/ha/ha_plugin.c
+++ b/src/libcharon/plugins/ha/ha_plugin.c
@@ -97,14 +97,46 @@ METHOD(plugin_t, get_name, char*,
 	return "ha";
 }
 
+/**
+ * Register listener
+ */
+static bool plugin_cb(private_ha_plugin_t *this,
+					  plugin_feature_t *feature, bool reg, void *cb_data)
+{
+	if (reg)
+	{
+		charon->bus->add_listener(charon->bus, &this->segments->listener);
+		charon->bus->add_listener(charon->bus, &this->ike->listener);
+		charon->bus->add_listener(charon->bus, &this->child->listener);
+		hydra->attributes->add_provider(hydra->attributes,
+										&this->attr->provider);
+	}
+	else
+	{
+		hydra->attributes->remove_provider(hydra->attributes,
+										   &this->attr->provider);
+		charon->bus->remove_listener(charon->bus, &this->segments->listener);
+		charon->bus->remove_listener(charon->bus, &this->ike->listener);
+		charon->bus->remove_listener(charon->bus, &this->child->listener);
+	}
+	return TRUE;
+}
+
+METHOD(plugin_t, get_features, int,
+	private_ha_plugin_t *this, plugin_feature_t *features[])
+{
+	static plugin_feature_t f[] = {
+		PLUGIN_CALLBACK((plugin_feature_callback_t)plugin_cb, NULL),
+			PLUGIN_PROVIDE(CUSTOM, "ha"),
+	};
+	*features = f;
+	return countof(f);
+}
+
 METHOD(plugin_t, destroy, void,
 	private_ha_plugin_t *this)
 {
 	DESTROY_IF(this->ctl);
-	hydra->attributes->remove_provider(hydra->attributes, &this->attr->provider);
-	charon->bus->remove_listener(charon->bus, &this->segments->listener);
-	charon->bus->remove_listener(charon->bus, &this->ike->listener);
-	charon->bus->remove_listener(charon->bus, &this->child->listener);
 	this->ike->destroy(this->ike);
 	this->child->destroy(this->child);
 	this->dispatcher->destroy(this->dispatcher);
@@ -147,11 +179,18 @@ plugin_t *ha_plugin_create()
 		return NULL;
 	}
 
+	if (!lib->caps->keep(lib->caps, CAP_CHOWN))
+	{	/* required to chown(2) control socket, ha_kernel also needs it at
+		 * runtime */
+		DBG1(DBG_CFG, "ha plugin requires CAP_CHOWN capability");
+		return NULL;
+	}
+
 	INIT(this,
 		.public = {
 			.plugin = {
 				.get_name = _get_name,
-				.reload = (void*)return_false,
+				.get_features = _get_features,
 				.destroy = _destroy,
 			},
 		},
@@ -182,10 +221,6 @@ plugin_t *ha_plugin_create()
 	this->ike = ha_ike_create(this->socket, this->tunnel, this->cache);
 	this->child = ha_child_create(this->socket, this->tunnel, this->segments,
 								  this->kernel);
-	charon->bus->add_listener(charon->bus, &this->segments->listener);
-	charon->bus->add_listener(charon->bus, &this->ike->listener);
-	charon->bus->add_listener(charon->bus, &this->child->listener);
-	hydra->attributes->add_provider(hydra->attributes, &this->attr->provider);
 
 	return &this->public.plugin;
 }
diff --git a/src/libcharon/plugins/ha/ha_tunnel.c b/src/libcharon/plugins/ha/ha_tunnel.c
index e6a09a76e..4e656e73b 100644
--- a/src/libcharon/plugins/ha/ha_tunnel.c
+++ b/src/libcharon/plugins/ha/ha_tunnel.c
@@ -245,7 +245,7 @@ static void setup_tunnel(private_ha_tunnel_t *this,
 	charon->backends->add_backend(charon->backends, &this->backend.public);
 
 	/* install an acquiring trap */
-	this->trap = charon->traps->install(charon->traps, peer_cfg, child_cfg);
+	this->trap = charon->traps->install(charon->traps, peer_cfg, child_cfg, 0);
 }
 
 METHOD(ha_tunnel_t, destroy, void,
diff --git a/src/libcharon/plugins/ipseckey/Makefile.am b/src/libcharon/plugins/ipseckey/Makefile.am
index 0614017a0..3a69e521f 100644
--- a/src/libcharon/plugins/ipseckey/Makefile.am
+++ b/src/libcharon/plugins/ipseckey/Makefile.am
@@ -1,9 +1,11 @@
-
-INCLUDES = \
+AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
 	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon
 
+AM_CFLAGS = \
+	-rdynamic
+
 if MONOLITHIC
 noinst_LTLIBRARIES = libstrongswan-ipseckey.la
 else
diff --git a/src/libcharon/plugins/ipseckey/Makefile.in b/src/libcharon/plugins/ipseckey/Makefile.in
index f204b7236..cb9e9a82e 100644
--- a/src/libcharon/plugins/ipseckey/Makefile.in
+++ b/src/libcharon/plugins/ipseckey/Makefile.in
@@ -62,7 +62,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
@@ -103,7 +103,10 @@ am_libstrongswan_ipseckey_la_OBJECTS = ipseckey_plugin.lo \
 	ipseckey_cred.lo ipseckey.lo
 libstrongswan_ipseckey_la_OBJECTS =  \
 	$(am_libstrongswan_ipseckey_la_OBJECTS)
-libstrongswan_ipseckey_la_LINK = $(LIBTOOL) --tag=CC \
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+libstrongswan_ipseckey_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
 	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
 	$(AM_CFLAGS) $(CFLAGS) $(libstrongswan_ipseckey_la_LDFLAGS) \
 	$(LDFLAGS) -o $@
@@ -116,13 +119,26 @@ am__depfiles_maybe = depfiles
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
 SOURCES = $(libstrongswan_ipseckey_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_ipseckey_la_SOURCES)
 am__can_run_installinfo = \
@@ -136,6 +152,7 @@ DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
@@ -148,6 +165,8 @@ CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
 CHECK_CFLAGS = @CHECK_CFLAGS@
 CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -163,6 +182,7 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
 GPRBUILD = @GPRBUILD@
 GREP = @GREP@
@@ -171,6 +191,7 @@ INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -217,6 +238,7 @@ SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -245,6 +267,7 @@ charon_natt_port = @charon_natt_port@
 charon_plugins = @charon_plugins@
 charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
@@ -322,11 +345,14 @@ top_srcdir = @top_srcdir@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-INCLUDES = \
+AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
 	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon
 
+AM_CFLAGS = \
+	-rdynamic
+
 @MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-ipseckey.la
 @MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-ipseckey.la
 libstrongswan_ipseckey_la_SOURCES = \
@@ -411,7 +437,7 @@ clean-pluginLTLIBRARIES:
 	  rm -f "$${dir}/so_locations"; \
 	done
 libstrongswan-ipseckey.la: $(libstrongswan_ipseckey_la_OBJECTS) $(libstrongswan_ipseckey_la_DEPENDENCIES) $(EXTRA_libstrongswan_ipseckey_la_DEPENDENCIES) 
-	$(libstrongswan_ipseckey_la_LINK) $(am_libstrongswan_ipseckey_la_rpath) $(libstrongswan_ipseckey_la_OBJECTS) $(libstrongswan_ipseckey_la_LIBADD) $(LIBS)
+	$(AM_V_CCLD)$(libstrongswan_ipseckey_la_LINK) $(am_libstrongswan_ipseckey_la_rpath) $(libstrongswan_ipseckey_la_OBJECTS) $(libstrongswan_ipseckey_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -424,25 +450,25 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ipseckey_plugin.Plo@am__quote@
 
 .c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
 mostlyclean-libtool:
 	-rm -f *.lo
diff --git a/src/libcharon/plugins/ipseckey/ipseckey_cred.h b/src/libcharon/plugins/ipseckey/ipseckey_cred.h
index 440020f5d..f0f52fd6a 100644
--- a/src/libcharon/plugins/ipseckey/ipseckey_cred.h
+++ b/src/libcharon/plugins/ipseckey/ipseckey_cred.h
@@ -49,7 +49,7 @@ struct ipseckey_cred_t {
  * Create an ipseckey_cred instance which uses the given resolver
  * to query the DNS for IPSECKEY resource records.
  *
- * @param res		resolver to use
+ * @param res		resolver to use (gets adopted)
  * @return			credential set
  */
 ipseckey_cred_t *ipseckey_cred_create(resolver_t *res);
diff --git a/src/libcharon/plugins/ipseckey/ipseckey_plugin.c b/src/libcharon/plugins/ipseckey/ipseckey_plugin.c
index 9593cf939..2fd820f94 100644
--- a/src/libcharon/plugins/ipseckey/ipseckey_plugin.c
+++ b/src/libcharon/plugins/ipseckey/ipseckey_plugin.c
@@ -1,4 +1,5 @@
 /*
+ * Copyright (C) 2013 Tobias Brunner
  * Copyright (C) 2012 Reto Guadagnini
  * Hochschule fuer Technik Rapperswil
  *
@@ -31,11 +32,6 @@ struct private_ipseckey_plugin_t {
 	 */
 	ipseckey_plugin_t public;
 
-	/**
-	 * DNS resolver instance
-	 */
-	resolver_t *res;
-
 	/**
 	 * credential set
 	 */
@@ -53,15 +49,74 @@ METHOD(plugin_t, get_name, char*,
 	return "ipseckey";
 }
 
-METHOD(plugin_t, destroy, void,
+METHOD(plugin_t, reload, bool,
 	private_ipseckey_plugin_t *this)
 {
-	if (this->enabled)
+	bool enabled = lib->settings->get_bool(lib->settings,
+							"%s.plugins.ipseckey.enable", FALSE, charon->name);
+
+	if (enabled != this->enabled)
+	{
+		if (enabled)
+		{
+			lib->credmgr->add_set(lib->credmgr, &this->cred->set);
+		}
+		else
+		{
+			lib->credmgr->remove_set(lib->credmgr, &this->cred->set);
+		}
+		this->enabled = enabled;
+	}
+	DBG1(DBG_CFG, "ipseckey plugin is %sabled", this->enabled ? "en" : "dis");
+	return TRUE;
+}
+
+/**
+ * Create resolver and register credential set
+ */
+static bool plugin_cb(private_ipseckey_plugin_t *this,
+					  plugin_feature_t *feature, bool reg, void *cb_data)
+{
+	if (reg)
+	{
+		resolver_t *res;
+
+		res = lib->resolver->create(lib->resolver);
+		if (!res)
+		{
+			DBG1(DBG_CFG, "failed to create a DNS resolver instance");
+			return FALSE;
+		}
+
+		this->cred = ipseckey_cred_create(res);
+		reload(this);
+	}
+	else
 	{
-		lib->credmgr->remove_set(lib->credmgr, &this->cred->set);
+		if (this->enabled)
+		{
+			lib->credmgr->remove_set(lib->credmgr, &this->cred->set);
+		}
+		this->cred->destroy(this->cred);
 	}
-	DESTROY_IF(this->res);
-	DESTROY_IF(this->cred);
+	return TRUE;
+}
+
+METHOD(plugin_t, get_features, int,
+	private_ipseckey_plugin_t *this, plugin_feature_t *features[])
+{
+	static plugin_feature_t f[] = {
+		PLUGIN_CALLBACK((plugin_feature_callback_t)plugin_cb, NULL),
+			PLUGIN_PROVIDE(CUSTOM, "ipseckey"),
+				PLUGIN_DEPENDS(RESOLVER),
+	};
+	*features = f;
+	return countof(f);
+}
+
+METHOD(plugin_t, destroy, void,
+	private_ipseckey_plugin_t *this)
+{
 	free(this);
 }
 
@@ -76,28 +131,12 @@ plugin_t *ipseckey_plugin_create()
 		.public = {
 			.plugin = {
 				.get_name = _get_name,
-				.reload = (void*)return_false,
+				.get_features = _get_features,
+				.reload = _reload,
 				.destroy = _destroy,
 			},
 		},
-		.res = lib->resolver->create(lib->resolver),
-		.enabled = lib->settings->get_bool(lib->settings,
-							"%s.plugins.ipseckey.enable", FALSE, charon->name),
 	);
 
-	if (!this->res)
-	{
-		DBG1(DBG_CFG, "failed to create a DNS resolver instance");
-		destroy(this);
-		return NULL;
-	}
-
-	if (this->enabled)
-	{
-		this->cred = ipseckey_cred_create(this->res);
-		lib->credmgr->add_set(lib->credmgr, &this->cred->set);
-	}
-
 	return &this->public.plugin;
 }
-
diff --git a/src/libcharon/plugins/kernel_libipsec/Makefile.am b/src/libcharon/plugins/kernel_libipsec/Makefile.am
new file mode 100644
index 000000000..a39d06753
--- /dev/null
+++ b/src/libcharon/plugins/kernel_libipsec/Makefile.am
@@ -0,0 +1,23 @@
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon \
+	-I$(top_srcdir)/src/libipsec
+
+AM_CFLAGS = \
+	-rdynamic
+
+if MONOLITHIC
+noinst_LTLIBRARIES = libstrongswan-kernel-libipsec.la
+else
+plugin_LTLIBRARIES = libstrongswan-kernel-libipsec.la
+endif
+
+libstrongswan_kernel_libipsec_la_SOURCES = \
+	kernel_libipsec_plugin.h kernel_libipsec_plugin.c \
+	kernel_libipsec_ipsec.h kernel_libipsec_ipsec.c \
+	kernel_libipsec_router.h kernel_libipsec_router.c
+
+libstrongswan_kernel_libipsec_la_LIBADD = $(top_builddir)/src/libipsec/libipsec.la
+
+libstrongswan_kernel_libipsec_la_LDFLAGS = -module -avoid-version
diff --git a/src/libcharon/plugins/kernel_libipsec/Makefile.in b/src/libcharon/plugins/kernel_libipsec/Makefile.in
new file mode 100644
index 000000000..e5af6e089
--- /dev/null
+++ b/src/libcharon/plugins/kernel_libipsec/Makefile.in
@@ -0,0 +1,693 @@
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
+pkgdatadir = $(datadir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+subdir = src/libcharon/plugins/kernel_libipsec
+DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+	$(top_srcdir)/m4/config/ltoptions.m4 \
+	$(top_srcdir)/m4/config/ltsugar.m4 \
+	$(top_srcdir)/m4/config/ltversion.m4 \
+	$(top_srcdir)/m4/config/lt~obsolete.m4 \
+	$(top_srcdir)/m4/macros/with.m4 \
+	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
+	$(top_srcdir)/configure.ac
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+	$(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_HEADER = $(top_builddir)/config.h
+CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+    *) f=$$p;; \
+  esac;
+am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
+am__install_max = 40
+am__nobase_strip_setup = \
+  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
+am__nobase_strip = \
+  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
+am__nobase_list = $(am__nobase_strip_setup); \
+  for p in $$list; do echo "$$p $$p"; done | \
+  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
+  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
+    if (++n[$$2] == $(am__install_max)) \
+      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
+    END { for (dir in files) print dir, files[dir] }'
+am__base_list = \
+  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
+  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
+am__installdirs = "$(DESTDIR)$(plugindir)"
+LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
+libstrongswan_kernel_libipsec_la_DEPENDENCIES =  \
+	$(top_builddir)/src/libipsec/libipsec.la
+am_libstrongswan_kernel_libipsec_la_OBJECTS =  \
+	kernel_libipsec_plugin.lo kernel_libipsec_ipsec.lo \
+	kernel_libipsec_router.lo
+libstrongswan_kernel_libipsec_la_OBJECTS =  \
+	$(am_libstrongswan_kernel_libipsec_la_OBJECTS)
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+libstrongswan_kernel_libipsec_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
+	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
+	$(AM_CFLAGS) $(CFLAGS) \
+	$(libstrongswan_kernel_libipsec_la_LDFLAGS) $(LDFLAGS) -o $@
+@MONOLITHIC_FALSE@am_libstrongswan_kernel_libipsec_la_rpath = -rpath \
+@MONOLITHIC_FALSE@	$(plugindir)
+@MONOLITHIC_TRUE@am_libstrongswan_kernel_libipsec_la_rpath =
+DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
+depcomp = $(SHELL) $(top_srcdir)/depcomp
+am__depfiles_maybe = depfiles
+am__mv = mv -f
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
+CCLD = $(CC)
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
+SOURCES = $(libstrongswan_kernel_libipsec_la_SOURCES)
+DIST_SOURCES = $(libstrongswan_kernel_libipsec_la_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
+ETAGS = etags
+CTAGS = ctags
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
+AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+BFDLIB = @BFDLIB@
+BTLIB = @BTLIB@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
+DSYMUTIL = @DSYMUTIL@
+DUMPBIN = @DUMPBIN@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+FGREP = @FGREP@
+GENHTML = @GENHTML@
+GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
+GREP = @GREP@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
+LD = @LD@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LIPO = @LIPO@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
+MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
+NM = @NM@
+NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
+PTHREADLIB = @PTHREADLIB@
+RANLIB = @RANLIB@
+RTLIB = @RTLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
+SED = @SED@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
+STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
+VERSION = @VERSION@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+attest_plugins = @attest_plugins@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+c_plugins = @c_plugins@
+charon_natt_port = @charon_natt_port@
+charon_plugins = @charon_plugins@
+charon_udp_port = @charon_udp_port@
+clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
+datadir = @datadir@
+datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
+dev_headers = @dev_headers@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
+gtk_CFLAGS = @gtk_CFLAGS@
+gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+imcvdir = @imcvdir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+ipsec_script = @ipsec_script@
+ipsec_script_upper = @ipsec_script_upper@
+ipsecdir = @ipsecdir@
+ipsecgroup = @ipsecgroup@
+ipseclibdir = @ipseclibdir@
+ipsecuser = @ipsecuser@
+libdir = @libdir@
+libexecdir = @libexecdir@
+linux_headers = @linux_headers@
+localedir = @localedir@
+localstatedir = @localstatedir@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
+mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
+mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
+nm_plugins = @nm_plugins@
+oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+pcsclite_CFLAGS = @pcsclite_CFLAGS@
+pcsclite_LIBS = @pcsclite_LIBS@
+pdfdir = @pdfdir@
+piddir = @piddir@
+pki_plugins = @pki_plugins@
+plugindir = @plugindir@
+pool_plugins = @pool_plugins@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+random_device = @random_device@
+resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
+sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
+sharedstatedir = @sharedstatedir@
+soup_CFLAGS = @soup_CFLAGS@
+soup_LIBS = @soup_LIBS@
+srcdir = @srcdir@
+starter_plugins = @starter_plugins@
+strongswan_conf = @strongswan_conf@
+sysconfdir = @sysconfdir@
+systemdsystemunitdir = @systemdsystemunitdir@
+target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+urandom_device = @urandom_device@
+xml_CFLAGS = @xml_CFLAGS@
+xml_LIBS = @xml_LIBS@
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon \
+	-I$(top_srcdir)/src/libipsec
+
+AM_CFLAGS = \
+	-rdynamic
+
+@MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-kernel-libipsec.la
+@MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-kernel-libipsec.la
+libstrongswan_kernel_libipsec_la_SOURCES = \
+	kernel_libipsec_plugin.h kernel_libipsec_plugin.c \
+	kernel_libipsec_ipsec.h kernel_libipsec_ipsec.c \
+	kernel_libipsec_router.h kernel_libipsec_router.c
+
+libstrongswan_kernel_libipsec_la_LIBADD = $(top_builddir)/src/libipsec/libipsec.la
+libstrongswan_kernel_libipsec_la_LDFLAGS = -module -avoid-version
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .c .lo .o .obj
+$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
+	@for dep in $?; do \
+	  case '$(am__configure_deps)' in \
+	    *$$dep*) \
+	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+	        && { if test -f $@; then exit 0; else break; fi; }; \
+	      exit 1;; \
+	  esac; \
+	done; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libcharon/plugins/kernel_libipsec/Makefile'; \
+	$(am__cd) $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu src/libcharon/plugins/kernel_libipsec/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+	@case '$?' in \
+	  *config.status*) \
+	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+	  *) \
+	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+	esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure:  $(am__configure_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
+
+clean-noinstLTLIBRARIES:
+	-test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES)
+	@list='$(noinst_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
+	@$(NORMAL_INSTALL)
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	list2=; for p in $$list; do \
+	  if test -f $$p; then \
+	    list2="$$list2 $$p"; \
+	  else :; fi; \
+	done; \
+	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
+	}
+
+uninstall-pluginLTLIBRARIES:
+	@$(NORMAL_UNINSTALL)
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	for p in $$list; do \
+	  $(am__strip_dir) \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \
+	done
+
+clean-pluginLTLIBRARIES:
+	-test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES)
+	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+libstrongswan-kernel-libipsec.la: $(libstrongswan_kernel_libipsec_la_OBJECTS) $(libstrongswan_kernel_libipsec_la_DEPENDENCIES) $(EXTRA_libstrongswan_kernel_libipsec_la_DEPENDENCIES) 
+	$(AM_V_CCLD)$(libstrongswan_kernel_libipsec_la_LINK) $(am_libstrongswan_kernel_libipsec_la_rpath) $(libstrongswan_kernel_libipsec_la_OBJECTS) $(libstrongswan_kernel_libipsec_la_LIBADD) $(LIBS)
+
+mostlyclean-compile:
+	-rm -f *.$(OBJEXT)
+
+distclean-compile:
+	-rm -f *.tab.c
+
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/kernel_libipsec_ipsec.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/kernel_libipsec_plugin.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/kernel_libipsec_router.Plo@am__quote@
+
+.c.o:
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
+
+.c.obj:
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
+
+.c.lo:
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	mkid -fID $$unique
+tags: TAGS
+
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	set x; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	shift; \
+	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
+	  test -n "$$unique" || unique=$$empty_fix; \
+	  if test $$# -gt 0; then \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      "$$@" $$unique; \
+	  else \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      $$unique; \
+	  fi; \
+	fi
+ctags: CTAGS
+CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	test -z "$(CTAGS_ARGS)$$unique" \
+	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+	     $$unique
+
+GTAGS:
+	here=`$(am__cd) $(top_builddir) && pwd` \
+	  && $(am__cd) $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) "$$here"
+
+distclean-tags:
+	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+distdir: $(DISTFILES)
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
+	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d "$(distdir)/$$file"; then \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
+	  else \
+	    test -f "$(distdir)/$$file" \
+	    || cp -p $$d/$$file "$(distdir)/$$file" \
+	    || exit 1; \
+	  fi; \
+	done
+check-am: all-am
+check: check-am
+all-am: Makefile $(LTLIBRARIES)
+installdirs:
+	for dir in "$(DESTDIR)$(plugindir)"; do \
+	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
+	done
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
+
+maintainer-clean-generic:
+	@echo "This command is intended for maintainers to use"
+	@echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-generic clean-libtool clean-noinstLTLIBRARIES \
+	clean-pluginLTLIBRARIES mostlyclean-am
+
+distclean: distclean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+	distclean-tags
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+html-am:
+
+info: info-am
+
+info-am:
+
+install-data-am: install-pluginLTLIBRARIES
+
+install-dvi: install-dvi-am
+
+install-dvi-am:
+
+install-exec-am:
+
+install-html: install-html-am
+
+install-html-am:
+
+install-info: install-info-am
+
+install-info-am:
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-pdf-am:
+
+install-ps: install-ps-am
+
+install-ps-am:
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+	mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am: uninstall-pluginLTLIBRARIES
+
+.MAKE: install-am install-strip
+
+.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
+	clean-libtool clean-noinstLTLIBRARIES clean-pluginLTLIBRARIES \
+	ctags distclean distclean-compile distclean-generic \
+	distclean-libtool distclean-tags distdir dvi dvi-am html \
+	html-am info info-am install install-am install-data \
+	install-data-am install-dvi install-dvi-am install-exec \
+	install-exec-am install-html install-html-am install-info \
+	install-info-am install-man install-pdf install-pdf-am \
+	install-pluginLTLIBRARIES install-ps install-ps-am \
+	install-strip installcheck installcheck-am installdirs \
+	maintainer-clean maintainer-clean-generic mostlyclean \
+	mostlyclean-compile mostlyclean-generic mostlyclean-libtool \
+	pdf pdf-am ps ps-am tags uninstall uninstall-am \
+	uninstall-pluginLTLIBRARIES
+
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/src/libcharon/plugins/kernel_libipsec/kernel_libipsec_ipsec.c b/src/libcharon/plugins/kernel_libipsec/kernel_libipsec_ipsec.c
new file mode 100644
index 000000000..40f253d5a
--- /dev/null
+++ b/src/libcharon/plugins/kernel_libipsec/kernel_libipsec_ipsec.c
@@ -0,0 +1,701 @@
+/*
+ * Copyright (C) 2012-2013 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.  *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "kernel_libipsec_ipsec.h"
+#include "kernel_libipsec_router.h"
+
+#include <library.h>
+#include <ipsec.h>
+#include <hydra.h>
+#include <networking/tun_device.h>
+#include <threading/mutex.h>
+#include <utils/debug.h>
+
+typedef struct private_kernel_libipsec_ipsec_t private_kernel_libipsec_ipsec_t;
+
+struct private_kernel_libipsec_ipsec_t {
+
+	/**
+	 * Public libipsec_ipsec interface
+	 */
+	kernel_libipsec_ipsec_t public;
+
+	/**
+	 * Listener for lifetime expire events
+	 */
+	ipsec_event_listener_t ipsec_listener;
+
+	/**
+	 * Mutex to lock access to various lists
+	 */
+	mutex_t *mutex;
+
+	/**
+	 * List of installed policies (policy_entry_t)
+	 */
+	linked_list_t *policies;
+
+	/**
+	 * List of exclude routes (exclude_route_t)
+	 */
+	linked_list_t *excludes;
+};
+
+typedef struct exclude_route_t exclude_route_t;
+
+/**
+ * Exclude route definition
+ */
+struct exclude_route_t {
+	/** Destination address to exclude */
+	host_t *dst;
+	/** Source address for route */
+	host_t *src;
+	/** Nexthop exclude has been installed */
+	host_t *gtw;
+	/** References to this route */
+	int refs;
+};
+
+/**
+ * Clean up an exclude route entry
+ */
+static void exclude_route_destroy(exclude_route_t *this)
+{
+	this->dst->destroy(this->dst);
+	this->src->destroy(this->src);
+	this->gtw->destroy(this->gtw);
+	free(this);
+}
+
+/**
+ * Find an exclude route entry by destination address
+ */
+static bool exclude_route_match(exclude_route_t *current,
+								host_t *dst)
+{
+	return dst->ip_equals(dst, current->dst);
+}
+
+typedef struct route_entry_t route_entry_t;
+
+/**
+ * Installed routing entry
+ */
+struct route_entry_t {
+	/** Name of the interface the route is bound to */
+	char *if_name;
+	/** Source IP of the route */
+	host_t *src_ip;
+	/** Gateway of the route */
+	host_t *gateway;
+	/** Destination net */
+	chunk_t dst_net;
+	/** Destination net prefixlen */
+	u_int8_t prefixlen;
+	/** Reference to exclude route, if any */
+	exclude_route_t *exclude;
+};
+
+/**
+ * Destroy a route_entry_t object
+ */
+static void route_entry_destroy(route_entry_t *this)
+{
+	free(this->if_name);
+	DESTROY_IF(this->src_ip);
+	DESTROY_IF(this->gateway);
+	chunk_free(&this->dst_net);
+	free(this);
+}
+
+/**
+ * Compare two route_entry_t objects
+ */
+static bool route_entry_equals(route_entry_t *a, route_entry_t *b)
+{
+	if ((!a->src_ip && !b->src_ip) || (a->src_ip && b->src_ip &&
+		  a->src_ip->ip_equals(a->src_ip, b->src_ip)))
+	{
+		if ((!a->gateway && !b->gateway) || (a->gateway && b->gateway &&
+			  a->gateway->ip_equals(a->gateway, b->gateway)))
+		{
+			return a->if_name && b->if_name && streq(a->if_name, b->if_name) &&
+				   chunk_equals(a->dst_net, b->dst_net) &&
+				   a->prefixlen == b->prefixlen;
+		}
+	}
+	return FALSE;
+}
+
+typedef struct policy_entry_t policy_entry_t;
+
+/**
+ * Installed policy
+ */
+struct policy_entry_t {
+	/** Direction of this policy: in, out, forward */
+	u_int8_t direction;
+	/** Parameters of installed policy */
+	struct {
+		/** Subnet and port */
+		host_t *net;
+		/** Subnet mask */
+		u_int8_t mask;
+		/** Protocol */
+		u_int8_t proto;
+	} src, dst;
+	/** Associated route installed for this policy */
+	route_entry_t *route;
+	/** References to this policy */
+	int refs;
+};
+
+/**
+ * Create a policy_entry_t object
+ */
+static policy_entry_t *create_policy_entry(traffic_selector_t *src_ts,
+										   traffic_selector_t *dst_ts,
+										   policy_dir_t dir)
+{
+	policy_entry_t *this;
+	INIT(this,
+		.direction = dir,
+	);
+
+	src_ts->to_subnet(src_ts, &this->src.net, &this->src.mask);
+	dst_ts->to_subnet(dst_ts, &this->dst.net, &this->dst.mask);
+
+	/* src or dest proto may be "any" (0), use more restrictive one */
+	this->src.proto = max(src_ts->get_protocol(src_ts),
+						  dst_ts->get_protocol(dst_ts));
+	this->src.proto = this->src.proto ? this->src.proto : 0;
+	this->dst.proto = this->src.proto;
+	return this;
+}
+
+/**
+ * Destroy a policy_entry_t object
+ */
+static void policy_entry_destroy(policy_entry_t *this)
+{
+	if (this->route)
+	{
+		route_entry_destroy(this->route);
+	}
+	DESTROY_IF(this->src.net);
+	DESTROY_IF(this->dst.net);
+	free(this);
+}
+
+/**
+ * Compare two policy_entry_t objects
+ */
+static inline bool policy_entry_equals(policy_entry_t *a,
+									   policy_entry_t *b)
+{
+	return a->direction == b->direction &&
+		   a->src.proto == b->src.proto &&
+		   a->dst.proto == b->dst.proto &&
+		   a->src.mask == b->src.mask &&
+		   a->dst.mask == b->dst.mask &&
+		   a->src.net->equals(a->src.net, b->src.net) &&
+		   a->dst.net->equals(a->dst.net, b->dst.net);
+}
+
+/**
+ * Expiration callback
+ */
+static void expire(u_int32_t reqid, u_int8_t protocol, u_int32_t spi, bool hard)
+{
+	hydra->kernel_interface->expire(hydra->kernel_interface, reqid, protocol,
+									spi, hard);
+}
+
+METHOD(kernel_ipsec_t, get_features, kernel_feature_t,
+	private_kernel_libipsec_ipsec_t *this)
+{
+	return KERNEL_REQUIRE_UDP_ENCAPSULATION;
+}
+
+METHOD(kernel_ipsec_t, get_spi, status_t,
+	private_kernel_libipsec_ipsec_t *this, host_t *src, host_t *dst,
+	u_int8_t protocol, u_int32_t reqid, u_int32_t *spi)
+{
+	return ipsec->sas->get_spi(ipsec->sas, src, dst, protocol, reqid, spi);
+}
+
+METHOD(kernel_ipsec_t, get_cpi, status_t,
+	private_kernel_libipsec_ipsec_t *this, host_t *src, host_t *dst,
+	u_int32_t reqid, u_int16_t *cpi)
+{
+	return NOT_SUPPORTED;
+}
+
+METHOD(kernel_ipsec_t, add_sa, status_t,
+	private_kernel_libipsec_ipsec_t *this, host_t *src, host_t *dst,
+	u_int32_t spi, u_int8_t protocol, u_int32_t reqid, mark_t mark,
+	u_int32_t tfc, lifetime_cfg_t *lifetime, u_int16_t enc_alg, chunk_t enc_key,
+	u_int16_t int_alg, chunk_t int_key, ipsec_mode_t mode, u_int16_t ipcomp,
+	u_int16_t cpi, bool initiator, bool encap, bool esn, bool inbound,
+	traffic_selector_t *src_ts, traffic_selector_t *dst_ts)
+{
+	return ipsec->sas->add_sa(ipsec->sas, src, dst, spi, protocol, reqid, mark,
+							  tfc, lifetime, enc_alg, enc_key, int_alg, int_key,
+							  mode, ipcomp, cpi, initiator, encap, esn, inbound,
+							  src_ts, dst_ts);
+}
+
+METHOD(kernel_ipsec_t, update_sa, status_t,
+	private_kernel_libipsec_ipsec_t *this, u_int32_t spi, u_int8_t protocol,
+	u_int16_t cpi, host_t *src, host_t *dst, host_t *new_src, host_t *new_dst,
+	bool encap, bool new_encap, mark_t mark)
+{
+	return NOT_SUPPORTED;
+}
+
+METHOD(kernel_ipsec_t, query_sa, status_t,
+	private_kernel_libipsec_ipsec_t *this, host_t *src, host_t *dst,
+	u_int32_t spi, u_int8_t protocol, mark_t mark, u_int64_t *bytes,
+	u_int64_t *packets, u_int32_t *time)
+{
+	return NOT_SUPPORTED;
+}
+
+METHOD(kernel_ipsec_t, del_sa, status_t,
+	private_kernel_libipsec_ipsec_t *this, host_t *src, host_t *dst,
+	u_int32_t spi, u_int8_t protocol, u_int16_t cpi, mark_t mark)
+{
+	return ipsec->sas->del_sa(ipsec->sas, src, dst, spi, protocol, cpi, mark);
+}
+
+METHOD(kernel_ipsec_t, flush_sas, status_t,
+	private_kernel_libipsec_ipsec_t *this)
+{
+	return ipsec->sas->flush_sas(ipsec->sas);
+}
+
+/**
+ * Add an explicit exclude route to a routing entry
+ */
+static void add_exclude_route(private_kernel_libipsec_ipsec_t *this,
+							  route_entry_t *route, host_t *src, host_t *dst)
+{
+	exclude_route_t *exclude;
+	host_t *gtw;
+
+	if (this->excludes->find_first(this->excludes,
+								  (linked_list_match_t)exclude_route_match,
+								  (void**)&exclude, dst) == SUCCESS)
+	{
+		route->exclude = exclude;
+		exclude->refs++;
+	}
+
+	if (!route->exclude)
+	{
+		DBG2(DBG_KNL, "installing new exclude route for %H src %H", dst, src);
+		gtw = hydra->kernel_interface->get_nexthop(hydra->kernel_interface,
+												   dst, NULL);
+		if (gtw)
+		{
+			char *if_name = NULL;
+
+			if (hydra->kernel_interface->get_interface(
+									hydra->kernel_interface, src, &if_name) &&
+				hydra->kernel_interface->add_route(hydra->kernel_interface,
+									dst->get_address(dst),
+									dst->get_family(dst) == AF_INET ? 32 : 128,
+									gtw, src, if_name) == SUCCESS)
+			{
+				INIT(exclude,
+					.dst = dst->clone(dst),
+					.src = src->clone(src),
+					.gtw = gtw->clone(gtw),
+					.refs = 1,
+				);
+				route->exclude = exclude;
+				this->excludes->insert_last(this->excludes, exclude);
+			}
+			else
+			{
+				DBG1(DBG_KNL, "installing exclude route for %H failed", dst);
+			}
+			gtw->destroy(gtw);
+			free(if_name);
+		}
+		else
+		{
+			DBG1(DBG_KNL, "gateway lookup for %H failed", dst);
+		}
+	}
+}
+
+/**
+ * Remove an exclude route attached to a routing entry
+ */
+static void remove_exclude_route(private_kernel_libipsec_ipsec_t *this,
+								 route_entry_t *route)
+{
+	char *if_name = NULL;
+	host_t *dst;
+
+	if (!route->exclude || --route->exclude->refs > 0)
+	{
+		return;
+	}
+	this->excludes->remove(this->excludes, route->exclude, NULL);
+
+	dst = route->exclude->dst;
+	DBG2(DBG_KNL, "uninstalling exclude route for %H src %H",
+		 dst, route->exclude->src);
+	if (hydra->kernel_interface->get_interface(
+									hydra->kernel_interface,
+									route->exclude->src, &if_name) &&
+		hydra->kernel_interface->del_route(hydra->kernel_interface,
+									dst->get_address(dst),
+									dst->get_family(dst) == AF_INET ? 32 : 128,
+									route->exclude->gtw, route->exclude->src,
+									if_name) != SUCCESS)
+	{
+		DBG1(DBG_KNL, "uninstalling exclude route for %H failed", dst);
+	}
+	exclude_route_destroy(route->exclude);
+	route->exclude = NULL;
+	free(if_name);
+}
+
+/**
+ * Install a route for the given policy
+ *
+ * this->mutex is released by this function
+ */
+static bool install_route(private_kernel_libipsec_ipsec_t *this,
+	host_t *src, host_t *dst, traffic_selector_t *src_ts,
+	traffic_selector_t *dst_ts, policy_entry_t *policy)
+{
+	route_entry_t *route, *old;
+	host_t *src_ip;
+	bool is_virtual;
+
+	if (policy->direction != POLICY_OUT)
+	{
+		this->mutex->unlock(this->mutex);
+		return TRUE;
+	}
+
+	if (hydra->kernel_interface->get_address_by_ts(hydra->kernel_interface,
+									src_ts, &src_ip, &is_virtual) != SUCCESS)
+	{
+		traffic_selector_t *multicast, *broadcast = NULL;
+		bool ignore = FALSE;
+
+		this->mutex->unlock(this->mutex);
+		switch (src_ts->get_type(src_ts))
+		{
+			case TS_IPV4_ADDR_RANGE:
+				multicast = traffic_selector_create_from_cidr("224.0.0.0/4",
+															  0, 0, 0xffff);
+				broadcast = traffic_selector_create_from_cidr("255.255.255.255/32",
+															  0, 0, 0xffff);
+				break;
+			case TS_IPV6_ADDR_RANGE:
+				multicast = traffic_selector_create_from_cidr("ff00::/8",
+															  0, 0, 0xffff);
+				break;
+			default:
+				return FALSE;
+		}
+		ignore = src_ts->is_contained_in(src_ts, multicast);
+		ignore |= broadcast && src_ts->is_contained_in(src_ts, broadcast);
+		multicast->destroy(multicast);
+		DESTROY_IF(broadcast);
+		if (!ignore)
+		{
+			DBG1(DBG_KNL, "error installing route with policy %R === %R %N",
+				 src_ts, dst_ts, policy_dir_names, policy->direction);
+		}
+		return ignore;
+	}
+
+	INIT(route,
+		.if_name = router->get_tun_name(router, is_virtual ? src_ip : NULL),
+		.src_ip = src_ip,
+		.dst_net = chunk_clone(policy->dst.net->get_address(policy->dst.net)),
+		.prefixlen = policy->dst.mask,
+	);
+#ifndef __linux__
+	/* on Linux we cant't install a gateway */
+	route->gateway = hydra->kernel_interface->get_nexthop(
+											hydra->kernel_interface, dst, src);
+#endif
+
+	if (policy->route)
+	{
+		old = policy->route;
+
+		if (route_entry_equals(old, route))
+		{	/* such a route already exists */
+			route_entry_destroy(route);
+			this->mutex->unlock(this->mutex);
+			return TRUE;
+		}
+		/* uninstall previously installed route */
+		if (hydra->kernel_interface->del_route(hydra->kernel_interface,
+									old->dst_net, old->prefixlen, old->gateway,
+									old->src_ip, old->if_name) != SUCCESS)
+		{
+			DBG1(DBG_KNL, "error uninstalling route installed with policy "
+				 "%R === %R %N", src_ts, dst_ts, policy_dir_names,
+				 policy->direction);
+		}
+		route_entry_destroy(old);
+		policy->route = NULL;
+	}
+
+	if (dst_ts->is_host(dst_ts, dst))
+	{
+		DBG1(DBG_KNL, "can't install route for %R === %R %N, conflicts with "
+			 "IKE traffic", src_ts, dst_ts, policy_dir_names,
+			 policy->direction);
+		route_entry_destroy(route);
+		this->mutex->unlock(this->mutex);
+		return FALSE;
+	}
+	/* if remote traffic selector covers the IKE peer, add an exclude route */
+	if (dst_ts->includes(dst_ts, dst))
+	{
+		/* add exclude route for peer */
+		add_exclude_route(this, route, src, dst);
+	}
+
+	DBG2(DBG_KNL, "installing route: %R src %H dev %s",
+		 dst_ts, route->src_ip, route->if_name);
+
+	switch (hydra->kernel_interface->add_route(hydra->kernel_interface,
+							route->dst_net, route->prefixlen, route->gateway,
+							route->src_ip, route->if_name))
+	{
+		case ALREADY_DONE:
+			/* route exists, do not uninstall */
+			remove_exclude_route(this, route);
+			route_entry_destroy(route);
+			this->mutex->unlock(this->mutex);
+			return TRUE;
+		case SUCCESS:
+			/* cache the installed route */
+			policy->route = route;
+			this->mutex->unlock(this->mutex);
+			return TRUE;
+		default:
+			DBG1(DBG_KNL, "installing route failed: %R src %H dev %s",
+				 dst_ts, route->src_ip, route->if_name);
+			remove_exclude_route(this, route);
+			route_entry_destroy(route);
+			this->mutex->unlock(this->mutex);
+			return FALSE;
+	}
+}
+
+METHOD(kernel_ipsec_t, add_policy, status_t,
+	private_kernel_libipsec_ipsec_t *this, host_t *src, host_t *dst,
+	traffic_selector_t *src_ts, traffic_selector_t *dst_ts,
+	policy_dir_t direction, policy_type_t type, ipsec_sa_cfg_t *sa, mark_t mark,
+	policy_priority_t priority)
+{
+	policy_entry_t *policy, *found = NULL;
+	status_t status;
+
+	if (type != POLICY_IPSEC)
+	{
+		return SUCCESS;
+	}
+
+	status = ipsec->policies->add_policy(ipsec->policies, src, dst, src_ts,
+								dst_ts, direction, type, sa, mark, priority);
+	if (status != SUCCESS)
+	{
+		return status;
+	}
+	/* we track policies in order to install routes */
+	policy = create_policy_entry(src_ts, dst_ts, direction);
+
+	this->mutex->lock(this->mutex);
+	if (this->policies->find_first(this->policies,
+								  (linked_list_match_t)policy_entry_equals,
+								  (void**)&found, policy) == SUCCESS)
+	{
+		policy_entry_destroy(policy);
+		policy = found;
+	}
+	else
+	{	/* use the new one, if we have no such policy */
+		this->policies->insert_last(this->policies, policy);
+	}
+	policy->refs++;
+
+	if (!install_route(this, src, dst, src_ts, dst_ts, policy))
+	{
+		return FAILED;
+	}
+	return SUCCESS;
+}
+
+METHOD(kernel_ipsec_t, query_policy, status_t,
+	private_kernel_libipsec_ipsec_t *this, traffic_selector_t *src_ts,
+	traffic_selector_t *dst_ts, policy_dir_t direction, mark_t mark,
+	u_int32_t *use_time)
+{
+	return NOT_SUPPORTED;
+}
+
+METHOD(kernel_ipsec_t, del_policy, status_t,
+	private_kernel_libipsec_ipsec_t *this, traffic_selector_t *src_ts,
+	traffic_selector_t *dst_ts, policy_dir_t direction, u_int32_t reqid,
+	mark_t mark, policy_priority_t priority)
+{
+	policy_entry_t *policy, *found = NULL;
+	status_t status;
+
+	status = ipsec->policies->del_policy(ipsec->policies, src_ts, dst_ts,
+										 direction, reqid, mark, priority);
+
+	policy = create_policy_entry(src_ts, dst_ts, direction);
+
+	this->mutex->lock(this->mutex);
+	if (this->policies->find_first(this->policies,
+								  (linked_list_match_t)policy_entry_equals,
+								  (void**)&found, policy) != SUCCESS)
+	{
+		policy_entry_destroy(policy);
+		this->mutex->unlock(this->mutex);
+		return status;
+	}
+	policy_entry_destroy(policy);
+	policy = found;
+
+	if (--policy->refs > 0)
+	{	/* policy is still in use */
+		this->mutex->unlock(this->mutex);
+		return status;
+	}
+
+	if (policy->route)
+	{
+		route_entry_t *route = policy->route;
+
+		if (hydra->kernel_interface->del_route(hydra->kernel_interface,
+				route->dst_net, route->prefixlen, route->gateway, route->src_ip,
+				route->if_name) != SUCCESS)
+		{
+			DBG1(DBG_KNL, "error uninstalling route installed with "
+						  "policy %R === %R %N", src_ts, dst_ts,
+						   policy_dir_names, direction);
+		}
+		remove_exclude_route(this, route);
+	}
+	this->policies->remove(this->policies, policy, NULL);
+	policy_entry_destroy(policy);
+	this->mutex->unlock(this->mutex);
+	return status;
+}
+
+METHOD(kernel_ipsec_t, flush_policies, status_t,
+	private_kernel_libipsec_ipsec_t *this)
+{
+	policy_entry_t *pol;
+	status_t status;
+
+	status = ipsec->policies->flush_policies(ipsec->policies);
+
+	this->mutex->lock(this->mutex);
+	while (this->policies->remove_first(this->policies, (void*)&pol) == SUCCESS)
+	{
+		if (pol->route)
+		{
+			route_entry_t *route = pol->route;
+
+			hydra->kernel_interface->del_route(hydra->kernel_interface,
+					route->dst_net, route->prefixlen, route->gateway,
+					route->src_ip, route->if_name);
+			remove_exclude_route(this, route);
+		}
+		policy_entry_destroy(pol);
+	}
+	this->mutex->unlock(this->mutex);
+	return status;
+}
+
+METHOD(kernel_ipsec_t, bypass_socket, bool,
+	private_kernel_libipsec_ipsec_t *this, int fd, int family)
+{
+	/* we use exclude routes for this */
+	return NOT_SUPPORTED;
+}
+
+METHOD(kernel_ipsec_t, enable_udp_decap, bool,
+	private_kernel_libipsec_ipsec_t *this, int fd, int family, u_int16_t port)
+{
+	return NOT_SUPPORTED;
+}
+
+METHOD(kernel_ipsec_t, destroy, void,
+	private_kernel_libipsec_ipsec_t *this)
+{
+	ipsec->events->unregister_listener(ipsec->events, &this->ipsec_listener);
+	this->policies->destroy_function(this->policies, (void*)policy_entry_destroy);
+	this->excludes->destroy(this->excludes);
+	this->mutex->destroy(this->mutex);
+	free(this);
+}
+
+/*
+ * Described in header.
+ */
+kernel_libipsec_ipsec_t *kernel_libipsec_ipsec_create()
+{
+	private_kernel_libipsec_ipsec_t *this;
+
+	INIT(this,
+		.public = {
+			.interface = {
+				.get_features = _get_features,
+				.get_spi = _get_spi,
+				.get_cpi = _get_cpi,
+				.add_sa  = _add_sa,
+				.update_sa = _update_sa,
+				.query_sa = _query_sa,
+				.del_sa = _del_sa,
+				.flush_sas = _flush_sas,
+				.add_policy = _add_policy,
+				.query_policy = _query_policy,
+				.del_policy = _del_policy,
+				.flush_policies = _flush_policies,
+				.bypass_socket = _bypass_socket,
+				.enable_udp_decap = _enable_udp_decap,
+				.destroy = _destroy,
+			},
+		},
+		.ipsec_listener = {
+			.expire = expire,
+		},
+		.mutex = mutex_create(MUTEX_TYPE_DEFAULT),
+		.policies = linked_list_create(),
+		.excludes = linked_list_create(),
+	);
+
+	ipsec->events->register_listener(ipsec->events, &this->ipsec_listener);
+
+	return &this->public;
+};
diff --git a/src/libcharon/plugins/kernel_libipsec/kernel_libipsec_ipsec.h b/src/libcharon/plugins/kernel_libipsec/kernel_libipsec_ipsec.h
new file mode 100644
index 000000000..0a4936706
--- /dev/null
+++ b/src/libcharon/plugins/kernel_libipsec/kernel_libipsec_ipsec.h
@@ -0,0 +1,47 @@
+/*
+ * Copyright (C) 2012-2013 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup kernel_libipsec_ipsec kernel_libipsec_ipsec
+ * @{ @ingroup kernel_libipsec
+ */
+
+#ifndef KERNEL_LIBIPSEC_IPSEC_H_
+#define KERNEL_LIBIPSEC_IPSEC_H_
+
+#include <library.h>
+#include <kernel/kernel_ipsec.h>
+
+typedef struct kernel_libipsec_ipsec_t kernel_libipsec_ipsec_t;
+
+/**
+ * Implementation of the ipsec interface using libipsec
+ */
+struct kernel_libipsec_ipsec_t {
+
+	/**
+	 * Implements kernel_ipsec_t interface
+	 */
+	kernel_ipsec_t interface;
+};
+
+/**
+ * Create a libipsec ipsec interface instance.
+ *
+ * @return			kernel_libipsec_ipsec_t instance
+ */
+kernel_libipsec_ipsec_t *kernel_libipsec_ipsec_create();
+
+#endif /** KERNEL_LIBIPSEC_IPSEC_H_ @}*/
diff --git a/src/libcharon/plugins/kernel_libipsec/kernel_libipsec_plugin.c b/src/libcharon/plugins/kernel_libipsec/kernel_libipsec_plugin.c
new file mode 100644
index 000000000..56f526217
--- /dev/null
+++ b/src/libcharon/plugins/kernel_libipsec/kernel_libipsec_plugin.c
@@ -0,0 +1,149 @@
+/*
+ * Copyright (C) 2012-2013 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "kernel_libipsec_plugin.h"
+#include "kernel_libipsec_ipsec.h"
+#include "kernel_libipsec_router.h"
+
+#include <daemon.h>
+#include <ipsec.h>
+#include <networking/tun_device.h>
+
+#define TUN_DEFAULT_MTU 1400
+
+typedef struct private_kernel_libipsec_plugin_t private_kernel_libipsec_plugin_t;
+
+/**
+ * private data of "kernel" libipsec plugin
+ */
+struct private_kernel_libipsec_plugin_t {
+
+	/**
+	 * implements plugin interface
+	 */
+	kernel_libipsec_plugin_t public;
+
+	/**
+	 * TUN device created by this plugin
+	 */
+	tun_device_t *tun;
+
+	/**
+	 * Packet router
+	 */
+	kernel_libipsec_router_t *router;
+};
+
+METHOD(plugin_t, get_name, char*,
+	private_kernel_libipsec_plugin_t *this)
+{
+	return "kernel-libipsec";
+}
+
+/**
+ * Create the kernel_libipsec_router_t instance
+ */
+static bool create_router(private_kernel_libipsec_plugin_t *this,
+						  plugin_feature_t *feature, bool reg, void *arg)
+{
+	if (reg)
+	{	/* registers as packet handler etc. */
+		this->router = kernel_libipsec_router_create();
+	}
+	else
+	{
+		DESTROY_IF(this->router);
+	}
+	return TRUE;
+}
+
+METHOD(plugin_t, get_features, int,
+	private_kernel_libipsec_plugin_t *this, plugin_feature_t *features[])
+{
+	static plugin_feature_t f[] = {
+		PLUGIN_CALLBACK(kernel_ipsec_register, kernel_libipsec_ipsec_create),
+			PLUGIN_PROVIDE(CUSTOM, "kernel-ipsec"),
+		PLUGIN_CALLBACK((plugin_feature_callback_t)create_router, NULL),
+			PLUGIN_PROVIDE(CUSTOM, "kernel-libipsec-router"),
+				PLUGIN_DEPENDS(CUSTOM, "libcharon-receiver"),
+	};
+	*features = f;
+	return countof(f);
+}
+
+METHOD(plugin_t, destroy, void,
+	private_kernel_libipsec_plugin_t *this)
+{
+	if (this->tun)
+	{
+		lib->set(lib, "kernel-libipsec-tun", NULL);
+		this->tun->destroy(this->tun);
+	}
+	libipsec_deinit();
+	free(this);
+}
+
+/*
+ * see header file
+ */
+plugin_t *kernel_libipsec_plugin_create()
+{
+	private_kernel_libipsec_plugin_t *this;
+
+	if (!lib->caps->check(lib->caps, CAP_NET_ADMIN))
+	{	/* required to create TUN devices */
+		DBG1(DBG_KNL, "kernel-libipsec plugin requires CAP_NET_ADMIN "
+			 "capability");
+		return NULL;
+	}
+
+	INIT(this,
+		.public = {
+			.plugin = {
+				.get_name = _get_name,
+				.get_features = _get_features,
+				.destroy = _destroy,
+			},
+		},
+	);
+
+	if (!libipsec_init())
+	{
+		DBG1(DBG_LIB, "initialization of libipsec failed");
+		destroy(this);
+		return NULL;
+	}
+
+	this->tun = tun_device_create("ipsec%d");
+	if (!this->tun)
+	{
+		DBG1(DBG_KNL, "failed to create TUN device");
+		destroy(this);
+		return NULL;
+	}
+	if (!this->tun->set_mtu(this->tun, TUN_DEFAULT_MTU) ||
+		!this->tun->up(this->tun))
+	{
+		DBG1(DBG_KNL, "failed to configure TUN device");
+		destroy(this);
+		return NULL;
+	}
+	lib->set(lib, "kernel-libipsec-tun", this->tun);
+
+	/* set TUN device as default to install VIPs */
+	lib->settings->set_str(lib->settings, "%s.install_virtual_ip_on",
+						   this->tun->get_name(this->tun), charon->name);
+	return &this->public.plugin;
+}
diff --git a/src/libcharon/plugins/kernel_libipsec/kernel_libipsec_plugin.h b/src/libcharon/plugins/kernel_libipsec/kernel_libipsec_plugin.h
new file mode 100644
index 000000000..a14426b4e
--- /dev/null
+++ b/src/libcharon/plugins/kernel_libipsec/kernel_libipsec_plugin.h
@@ -0,0 +1,44 @@
+/*
+ * Copyright (C) 2012-2013 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup kernel_libipsec kernel_libipsec
+ * @ingroup cplugins
+ *
+ * @defgroup kernel_libipsec_plugin kernel_libipsec_plugin
+ * @{ @ingroup kernel_libipsec
+ */
+
+#ifndef KERNEL_LIBIPSEC_PLUGIN_H_
+#define KERNEL_LIBIPSEC_PLUGIN_H_
+
+#include <library.h>
+#include <plugins/plugin.h>
+
+typedef struct kernel_libipsec_plugin_t kernel_libipsec_plugin_t;
+
+/**
+ * libipsec "kernel" interface plugin
+ */
+struct kernel_libipsec_plugin_t {
+
+	/**
+	 * implements plugin interface
+	 */
+	plugin_t plugin;
+
+};
+
+#endif /** KERNEL_LIBIPSEC_PLUGIN_H_ @}*/
diff --git a/src/libcharon/plugins/kernel_libipsec/kernel_libipsec_router.c b/src/libcharon/plugins/kernel_libipsec/kernel_libipsec_router.c
new file mode 100644
index 000000000..6ce1d4eb0
--- /dev/null
+++ b/src/libcharon/plugins/kernel_libipsec/kernel_libipsec_router.c
@@ -0,0 +1,365 @@
+/*
+ * Copyright (C) 2013 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <unistd.h>
+#include <fcntl.h>
+
+#include "kernel_libipsec_router.h"
+
+#include <daemon.h>
+#include <hydra.h>
+#include <ipsec.h>
+#include <collections/hashtable.h>
+#include <networking/tun_device.h>
+#include <threading/rwlock.h>
+#include <threading/thread.h>
+#include <processing/jobs/callback_job.h>
+
+typedef struct private_kernel_libipsec_router_t private_kernel_libipsec_router_t;
+
+/**
+ * Entry in the TUN device map
+ */
+typedef struct {
+	/** virtual IP (points to internal data of tun) */
+	host_t *addr;
+	/** underlying TUN file descriptor (cached from tun) */
+	int fd;
+	/** TUN device */
+	tun_device_t *tun;
+} tun_entry_t;
+
+/**
+ * Single instance of the router
+ */
+kernel_libipsec_router_t *router;
+
+/**
+ * Private data
+ */
+struct private_kernel_libipsec_router_t {
+
+	/**
+	 * Public interface
+	 */
+	kernel_libipsec_router_t public;
+
+	/**
+	 * Default TUN device if kernel interface does not require separate TUN
+	 * devices per VIP or for tunnels without VIP.
+	 */
+	tun_entry_t tun;
+
+	/**
+	 * Hashtable that maps virtual IPs to TUN devices (tun_entry_t).
+	 */
+	hashtable_t *tuns;
+
+	/**
+	 * Lock for TUN device map
+	 */
+	rwlock_t *lock;
+
+	/**
+	 * Pipe to signal handle_plain() about changes regarding TUN devices
+	 */
+	int notify[2];
+};
+
+/**
+ * Hash function for TUN device map
+ */
+static u_int tun_entry_hash(tun_entry_t *entry)
+{
+	return chunk_hash(entry->addr->get_address(entry->addr));
+}
+
+/**
+ * Comparison function for TUN device map
+ */
+static bool tun_entry_equals(tun_entry_t *a, tun_entry_t *b)
+{
+	return a->addr->ip_equals(a->addr, b->addr);
+}
+
+/**
+ * Outbound callback
+ */
+static void send_esp(void *data, esp_packet_t *packet)
+{
+	charon->sender->send_no_marker(charon->sender, (packet_t*)packet);
+}
+
+/**
+ * Receiver callback
+ */
+static void receiver_esp_cb(void *data, packet_t *packet)
+{
+	ipsec->processor->queue_inbound(ipsec->processor,
+									esp_packet_create_from_packet(packet));
+}
+
+/**
+ * Inbound callback
+ */
+static void deliver_plain(private_kernel_libipsec_router_t *this,
+						  ip_packet_t *packet)
+{
+	tun_device_t *tun;
+	tun_entry_t *entry, lookup = {
+		.addr = packet->get_destination(packet),
+	};
+
+	this->lock->read_lock(this->lock);
+	entry = this->tuns->get(this->tuns, &lookup);
+	tun = entry ? entry->tun : this->tun.tun;
+	tun->write_packet(tun, packet->get_encoding(packet));
+	this->lock->unlock(this->lock);
+	packet->destroy(packet);
+}
+
+/**
+ * Create an FD set covering all TUN devices and the read end of the notify pipe
+ */
+static int collect_fds(private_kernel_libipsec_router_t *this, fd_set *fds)
+{
+	enumerator_t *enumerator;
+	tun_entry_t *entry;
+	int maxfd;
+
+	FD_ZERO(fds);
+	FD_SET(this->notify[0], fds);
+	maxfd = this->notify[0];
+
+	FD_SET(this->tun.fd, fds);
+	maxfd = max(maxfd, this->tun.fd);
+
+	this->lock->read_lock(this->lock);
+	enumerator = this->tuns->create_enumerator(this->tuns);
+	while (enumerator->enumerate(enumerator, NULL, &entry))
+	{
+		FD_SET(entry->fd, fds);
+		maxfd = max(maxfd, entry->fd);
+	}
+	enumerator->destroy(enumerator);
+	this->lock->unlock(this->lock);
+
+	return maxfd + 1;
+}
+
+/**
+ * Read and process outbound plaintext packet for the given TUN device
+ */
+static void process_plain(tun_device_t *tun)
+{
+	chunk_t raw;
+
+	if (tun->read_packet(tun, &raw))
+	{
+		ip_packet_t *packet;
+
+		packet = ip_packet_create(raw);
+		if (packet)
+		{
+			ipsec->processor->queue_outbound(ipsec->processor, packet);
+		}
+		else
+		{
+			DBG1(DBG_KNL, "invalid IP packet read from TUN device");
+		}
+	}
+}
+
+/**
+ * Handle waiting data for any TUN device
+ */
+static void handle_tuns(private_kernel_libipsec_router_t *this, fd_set *fds)
+{
+	enumerator_t *enumerator;
+	tun_entry_t *entry;
+
+	if (FD_ISSET(this->tun.fd, fds))
+	{
+		process_plain(this->tun.tun);
+	}
+
+	this->lock->read_lock(this->lock);
+	enumerator = this->tuns->create_enumerator(this->tuns);
+	while (enumerator->enumerate(enumerator, NULL, &entry))
+	{
+		if (FD_ISSET(entry->fd, fds))
+		{
+			process_plain(entry->tun);
+		}
+	}
+	enumerator->destroy(enumerator);
+	this->lock->unlock(this->lock);
+}
+
+/**
+ * Job handling outbound plaintext packets
+ */
+static job_requeue_t handle_plain(private_kernel_libipsec_router_t *this)
+{
+	bool oldstate;
+	fd_set fds;
+	int maxfd;
+
+	maxfd = collect_fds(this, &fds);
+
+	oldstate = thread_cancelability(TRUE);
+	if (select(maxfd, &fds, NULL, NULL, NULL) <= 0)
+	{
+		thread_cancelability(oldstate);
+		return JOB_REQUEUE_FAIR;
+	}
+	thread_cancelability(oldstate);
+
+	if (FD_ISSET(this->notify[0], &fds))
+	{	/* list of TUN devices changed, read notification data, rebuild FDs */
+		char buf[1];
+		while (read(this->notify[0], &buf, sizeof(buf)) == sizeof(buf));
+		return JOB_REQUEUE_DIRECT;
+	}
+
+	handle_tuns(this, &fds);
+	return JOB_REQUEUE_DIRECT;
+}
+
+METHOD(kernel_listener_t, tun, bool,
+	private_kernel_libipsec_router_t *this, tun_device_t *tun, bool created)
+{
+	tun_entry_t *entry, lookup;
+	char buf[] = {0x01};
+
+	this->lock->write_lock(this->lock);
+	if (created)
+	{
+		INIT(entry,
+			.addr = tun->get_address(tun, NULL),
+			.fd = tun->get_fd(tun),
+			.tun = tun,
+		);
+		this->tuns->put(this->tuns, entry, entry);
+	}
+	else
+	{
+		lookup.addr = tun->get_address(tun, NULL);
+		entry = this->tuns->remove(this->tuns, &lookup);
+		free(entry);
+	}
+	/* notify handler thread to recreate FD set */
+	ignore_result(write(this->notify[1], buf, sizeof(buf)));
+	this->lock->unlock(this->lock);
+	return TRUE;
+}
+
+METHOD(kernel_libipsec_router_t, get_tun_name, char*,
+	private_kernel_libipsec_router_t *this, host_t *vip)
+{
+	tun_entry_t *entry, lookup = {
+		.addr = vip,
+	};
+	tun_device_t *tun;
+	char *name;
+
+	if (!vip)
+	{
+		return strdup(this->tun.tun->get_name(this->tun.tun));
+	}
+	this->lock->read_lock(this->lock);
+	entry = this->tuns->get(this->tuns, &lookup);
+	tun = entry ? entry->tun : this->tun.tun;
+	name = strdup(tun->get_name(tun));
+	this->lock->unlock(this->lock);
+	return name;
+}
+
+METHOD(kernel_libipsec_router_t, destroy, void,
+	private_kernel_libipsec_router_t *this)
+{
+	charon->receiver->del_esp_cb(charon->receiver,
+								(receiver_esp_cb_t)receiver_esp_cb);
+	ipsec->processor->unregister_outbound(ipsec->processor,
+										 (ipsec_outbound_cb_t)send_esp);
+	ipsec->processor->unregister_inbound(ipsec->processor,
+										 (ipsec_inbound_cb_t)deliver_plain);
+	hydra->kernel_interface->remove_listener(hydra->kernel_interface,
+											 &this->public.listener);
+	this->lock->destroy(this->lock);
+	this->tuns->destroy(this->tuns);
+	close(this->notify[0]);
+	close(this->notify[1]);
+	router = NULL;
+	free(this);
+}
+
+/**
+ * Set O_NONBLOCK on the given socket.
+ */
+static bool set_nonblock(int socket)
+{
+	int flags = fcntl(socket, F_GETFL);
+	return flags != -1 && fcntl(socket, F_SETFL, flags | O_NONBLOCK) != -1;
+}
+
+/*
+ * See header file
+ */
+kernel_libipsec_router_t *kernel_libipsec_router_create()
+{
+	private_kernel_libipsec_router_t *this;
+
+	INIT(this,
+		.public = {
+			.listener = {
+				.tun = _tun,
+			},
+			.get_tun_name = _get_tun_name,
+			.destroy = _destroy,
+		},
+		.tun = {
+			.tun = lib->get(lib, "kernel-libipsec-tun"),
+		}
+	);
+
+	if (pipe(this->notify) != 0 ||
+		!set_nonblock(this->notify[0]) || !set_nonblock(this->notify[1]))
+	{
+		DBG1(DBG_KNL, "creating notify pipe for kernel-libipsec router failed");
+		free(this);
+		return NULL;
+	}
+
+	this->tun.fd = this->tun.tun->get_fd(this->tun.tun);
+
+	this->tuns = hashtable_create((hashtable_hash_t)tun_entry_hash,
+								  (hashtable_equals_t)tun_entry_equals, 4);
+	this->lock = rwlock_create(RWLOCK_TYPE_DEFAULT);
+
+	hydra->kernel_interface->add_listener(hydra->kernel_interface,
+										  &this->public.listener);
+	ipsec->processor->register_outbound(ipsec->processor, send_esp, NULL);
+	ipsec->processor->register_inbound(ipsec->processor,
+									(ipsec_inbound_cb_t)deliver_plain, this);
+	charon->receiver->add_esp_cb(charon->receiver,
+									(receiver_esp_cb_t)receiver_esp_cb, NULL);
+	lib->processor->queue_job(lib->processor,
+			(job_t*)callback_job_create((callback_job_cb_t)handle_plain, this,
+									NULL, (callback_job_cancel_t)return_false));
+
+	router = &this->public;
+	return &this->public;
+}
diff --git a/src/libcharon/plugins/kernel_libipsec/kernel_libipsec_router.h b/src/libcharon/plugins/kernel_libipsec/kernel_libipsec_router.h
new file mode 100644
index 000000000..7b2f3c6c5
--- /dev/null
+++ b/src/libcharon/plugins/kernel_libipsec/kernel_libipsec_router.h
@@ -0,0 +1,65 @@
+/*
+ * Copyright (C) 2013 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup kernel_libipsec_router kernel_libipsec_router
+ * @{ @ingroup kernel_libipsec
+ */
+
+#ifndef KERNEL_LIBIPSEC_ROUTER_H_
+#define KERNEL_LIBIPSEC_ROUTER_H_
+
+#include <kernel/kernel_listener.h>
+
+typedef struct kernel_libipsec_router_t kernel_libipsec_router_t;
+
+/**
+ * Class that routes the network packets between TUN device, libipsec and
+ * charon's IKE socket.
+ */
+struct kernel_libipsec_router_t {
+
+	/**
+	 * Implements kernel_listener_t interface
+	 */
+	kernel_listener_t listener;
+
+	/**
+	 * Get the name of the TUN device to be used with the given virtual IP.
+	 *
+	 * @param vip	virtual IP
+	 * @return		allocated name
+	 */
+	char *(*get_tun_name)(kernel_libipsec_router_t *this, host_t *vip);
+
+	/**
+	 * Destroy the given instance
+	 */
+	void (*destroy)(kernel_libipsec_router_t *this);
+};
+
+/**
+ * Single instance of this class, if created
+ */
+extern kernel_libipsec_router_t *router;
+
+/**
+ * Create a kernel_libipsec_router_t instance.
+ *
+ * @return			kernel_libipsec_router_t instance
+ */
+kernel_libipsec_router_t *kernel_libipsec_router_create();
+
+#endif /** KERNEL_LIBIPSEC_ROUTER_H_ @}*/
diff --git a/src/libcharon/plugins/led/Makefile.am b/src/libcharon/plugins/led/Makefile.am
index 6428361fc..fbe779dd6 100644
--- a/src/libcharon/plugins/led/Makefile.am
+++ b/src/libcharon/plugins/led/Makefile.am
@@ -1,8 +1,10 @@
-
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon
 
-AM_CFLAGS = -rdynamic
+AM_CFLAGS = \
+	-rdynamic
 
 if MONOLITHIC
 noinst_LTLIBRARIES = libstrongswan-led.la
diff --git a/src/libcharon/plugins/led/Makefile.in b/src/libcharon/plugins/led/Makefile.in
index 5296fc0f2..e16ac801d 100644
--- a/src/libcharon/plugins/led/Makefile.in
+++ b/src/libcharon/plugins/led/Makefile.in
@@ -62,7 +62,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
@@ -101,9 +101,13 @@ LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
 libstrongswan_led_la_LIBADD =
 am_libstrongswan_led_la_OBJECTS = led_plugin.lo led_listener.lo
 libstrongswan_led_la_OBJECTS = $(am_libstrongswan_led_la_OBJECTS)
-libstrongswan_led_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
-	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
-	$(libstrongswan_led_la_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+libstrongswan_led_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
+	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
+	$(AM_CFLAGS) $(CFLAGS) $(libstrongswan_led_la_LDFLAGS) \
+	$(LDFLAGS) -o $@
 @MONOLITHIC_FALSE@am_libstrongswan_led_la_rpath = -rpath $(plugindir)
 @MONOLITHIC_TRUE@am_libstrongswan_led_la_rpath =
 DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
@@ -112,13 +116,26 @@ am__depfiles_maybe = depfiles
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
 SOURCES = $(libstrongswan_led_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_led_la_SOURCES)
 am__can_run_installinfo = \
@@ -132,6 +149,7 @@ DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
@@ -144,6 +162,8 @@ CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
 CHECK_CFLAGS = @CHECK_CFLAGS@
 CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -159,6 +179,7 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
 GPRBUILD = @GPRBUILD@
 GREP = @GREP@
@@ -167,6 +188,7 @@ INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -213,6 +235,7 @@ SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -241,6 +264,7 @@ charon_natt_port = @charon_natt_port@
 charon_plugins = @charon_plugins@
 charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
@@ -318,10 +342,14 @@ top_srcdir = @top_srcdir@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon
 
-AM_CFLAGS = -rdynamic
+AM_CFLAGS = \
+	-rdynamic
+
 @MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-led.la
 @MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-led.la
 libstrongswan_led_la_SOURCES = led_plugin.h led_plugin.c \
@@ -404,7 +432,7 @@ clean-pluginLTLIBRARIES:
 	  rm -f "$${dir}/so_locations"; \
 	done
 libstrongswan-led.la: $(libstrongswan_led_la_OBJECTS) $(libstrongswan_led_la_DEPENDENCIES) $(EXTRA_libstrongswan_led_la_DEPENDENCIES) 
-	$(libstrongswan_led_la_LINK) $(am_libstrongswan_led_la_rpath) $(libstrongswan_led_la_OBJECTS) $(libstrongswan_led_la_LIBADD) $(LIBS)
+	$(AM_V_CCLD)$(libstrongswan_led_la_LINK) $(am_libstrongswan_led_la_rpath) $(libstrongswan_led_la_OBJECTS) $(libstrongswan_led_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -416,25 +444,25 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/led_plugin.Plo@am__quote@
 
 .c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
 mostlyclean-libtool:
 	-rm -f *.lo
diff --git a/src/libcharon/plugins/led/led_plugin.c b/src/libcharon/plugins/led/led_plugin.c
index b6b69b466..9149fb263 100644
--- a/src/libcharon/plugins/led/led_plugin.c
+++ b/src/libcharon/plugins/led/led_plugin.c
@@ -43,10 +43,37 @@ METHOD(plugin_t, get_name, char*,
 	return "led";
 }
 
+/**
+ * Register listener
+ */
+static bool plugin_cb(private_led_plugin_t *this,
+					  plugin_feature_t *feature, bool reg, void *cb_data)
+{
+	if (reg)
+	{
+		charon->bus->add_listener(charon->bus, &this->listener->listener);
+	}
+	else
+	{
+		charon->bus->remove_listener(charon->bus, &this->listener->listener);
+	}
+	return TRUE;
+}
+
+METHOD(plugin_t, get_features, int,
+	private_led_plugin_t *this, plugin_feature_t *features[])
+{
+	static plugin_feature_t f[] = {
+		PLUGIN_CALLBACK((plugin_feature_callback_t)plugin_cb, NULL),
+			PLUGIN_PROVIDE(CUSTOM, "led"),
+	};
+	*features = f;
+	return countof(f);
+}
+
 METHOD(plugin_t, destroy, void,
 	private_led_plugin_t *this)
 {
-	charon->bus->remove_listener(charon->bus, &this->listener->listener);
 	this->listener->destroy(this->listener);
 	free(this);
 }
@@ -62,14 +89,12 @@ plugin_t *led_plugin_create()
 		.public = {
 			.plugin = {
 				.get_name = _get_name,
-				.reload = (void*)return_false,
+				.get_features = _get_features,
 				.destroy = _destroy,
 			},
 		},
 		.listener = led_listener_create(),
 	);
 
-	charon->bus->add_listener(charon->bus, &this->listener->listener);
-
 	return &this->public.plugin;
 }
diff --git a/src/libcharon/plugins/load_tester/Makefile.am b/src/libcharon/plugins/load_tester/Makefile.am
index 0a5cada43..e7c08783f 100644
--- a/src/libcharon/plugins/load_tester/Makefile.am
+++ b/src/libcharon/plugins/load_tester/Makefile.am
@@ -1,10 +1,12 @@
-
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
-	-I$(top_srcdir)/src/libcharon
-
-AM_CFLAGS = -rdynamic \
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon \
 	-DIPSEC_PIDDIR=\"${piddir}\"
 
+AM_CFLAGS = \
+	-rdynamic
+
 if MONOLITHIC
 noinst_LTLIBRARIES = libstrongswan-load-tester.la
 else
diff --git a/src/libcharon/plugins/load_tester/Makefile.in b/src/libcharon/plugins/load_tester/Makefile.in
index 189116bb5..2e1ebc800 100644
--- a/src/libcharon/plugins/load_tester/Makefile.in
+++ b/src/libcharon/plugins/load_tester/Makefile.in
@@ -64,7 +64,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
@@ -107,7 +107,10 @@ am_libstrongswan_load_tester_la_OBJECTS = load_tester_plugin.lo \
 	load_tester_control.lo load_tester_diffie_hellman.lo
 libstrongswan_load_tester_la_OBJECTS =  \
 	$(am_libstrongswan_load_tester_la_OBJECTS)
-libstrongswan_load_tester_la_LINK = $(LIBTOOL) --tag=CC \
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+libstrongswan_load_tester_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
 	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
 	$(AM_CFLAGS) $(CFLAGS) $(libstrongswan_load_tester_la_LDFLAGS) \
 	$(LDFLAGS) -o $@
@@ -124,13 +127,26 @@ am__depfiles_maybe = depfiles
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
 SOURCES = $(libstrongswan_load_tester_la_SOURCES) \
 	$(load_tester_SOURCES)
 DIST_SOURCES = $(libstrongswan_load_tester_la_SOURCES) \
@@ -146,6 +162,7 @@ DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
@@ -158,6 +175,8 @@ CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
 CHECK_CFLAGS = @CHECK_CFLAGS@
 CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -173,6 +192,7 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
 GPRBUILD = @GPRBUILD@
 GREP = @GREP@
@@ -181,6 +201,7 @@ INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -227,6 +248,7 @@ SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -255,6 +277,7 @@ charon_natt_port = @charon_natt_port@
 charon_plugins = @charon_plugins@
 charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
@@ -332,12 +355,15 @@ top_srcdir = @top_srcdir@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
-	-I$(top_srcdir)/src/libcharon
-
-AM_CFLAGS = -rdynamic \
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon \
 	-DIPSEC_PIDDIR=\"${piddir}\"
 
+AM_CFLAGS = \
+	-rdynamic
+
 @MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-load-tester.la
 @MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-load-tester.la
 libstrongswan_load_tester_la_SOURCES = \
@@ -427,7 +453,7 @@ clean-pluginLTLIBRARIES:
 	  rm -f "$${dir}/so_locations"; \
 	done
 libstrongswan-load-tester.la: $(libstrongswan_load_tester_la_OBJECTS) $(libstrongswan_load_tester_la_DEPENDENCIES) $(EXTRA_libstrongswan_load_tester_la_DEPENDENCIES) 
-	$(libstrongswan_load_tester_la_LINK) $(am_libstrongswan_load_tester_la_rpath) $(libstrongswan_load_tester_la_OBJECTS) $(libstrongswan_load_tester_la_LIBADD) $(LIBS)
+	$(AM_V_CCLD)$(libstrongswan_load_tester_la_LINK) $(am_libstrongswan_load_tester_la_rpath) $(libstrongswan_load_tester_la_OBJECTS) $(libstrongswan_load_tester_la_LIBADD) $(LIBS)
 install-ipsecPROGRAMS: $(ipsec_PROGRAMS)
 	@$(NORMAL_INSTALL)
 	@list='$(ipsec_PROGRAMS)'; test -n "$(ipsecdir)" || list=; \
@@ -476,7 +502,7 @@ clean-ipsecPROGRAMS:
 	rm -f $$list
 load-tester$(EXEEXT): $(load_tester_OBJECTS) $(load_tester_DEPENDENCIES) $(EXTRA_load_tester_DEPENDENCIES) 
 	@rm -f load-tester$(EXEEXT)
-	$(LINK) $(load_tester_OBJECTS) $(load_tester_LDADD) $(LIBS)
+	$(AM_V_CCLD)$(LINK) $(load_tester_OBJECTS) $(load_tester_LDADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -494,25 +520,25 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/load_tester_plugin.Plo@am__quote@
 
 .c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
 mostlyclean-libtool:
 	-rm -f *.lo
diff --git a/src/libcharon/plugins/load_tester/load_tester.c b/src/libcharon/plugins/load_tester/load_tester.c
index f7361e606..b7b971ee8 100644
--- a/src/libcharon/plugins/load_tester/load_tester.c
+++ b/src/libcharon/plugins/load_tester/load_tester.c
@@ -35,7 +35,7 @@ static FILE* make_connection()
 	addr.sun_family = AF_UNIX;
 	strcpy(addr.sun_path, LOAD_TESTER_SOCKET);
 
-	fd = socket(AF_UNIX, SOCK_SEQPACKET, 0);
+	fd = socket(AF_UNIX, SOCK_STREAM, 0);
 	if (fd < 0)
 	{
 		fprintf(stderr, "opening socket failed: %s\n", strerror(errno));
diff --git a/src/libcharon/plugins/load_tester/load_tester_config.c b/src/libcharon/plugins/load_tester/load_tester_config.c
index a64affde8..ebadf44ca 100644
--- a/src/libcharon/plugins/load_tester/load_tester_config.c
+++ b/src/libcharon/plugins/load_tester/load_tester_config.c
@@ -355,7 +355,7 @@ static void generate_auth_cfg(private_load_tester_config_t *this, char *str,
 				}
 			}
 		}
-		else if (strneq(str, "eap", strlen("eap")))
+		else if (strpfx(str, "eap"))
 		{	/* EAP authentication, use a NAI */
 			class = AUTH_CLASS_EAP;
 			if (*(str + strlen("eap")) == '-')
diff --git a/src/libcharon/plugins/load_tester/load_tester_control.c b/src/libcharon/plugins/load_tester/load_tester_control.c
index 0c21c23ca..f9ec9142f 100644
--- a/src/libcharon/plugins/load_tester/load_tester_control.c
+++ b/src/libcharon/plugins/load_tester/load_tester_control.c
@@ -43,9 +43,9 @@ struct private_load_tester_control_t {
 	load_tester_control_t public;
 
 	/**
-	 * Load tester unix socket file descriptor
+	 * Load tester control stream service
 	 */
-	int socket;
+	stream_service_t *service;
 };
 
 /**
@@ -84,48 +84,6 @@ struct init_listener_t {
 	condvar_t *condvar;
 };
 
-/**
- * Open load-tester listening socket
- */
-static bool open_socket(private_load_tester_control_t *this)
-{
-	struct sockaddr_un addr;
-	mode_t old;
-
-	addr.sun_family = AF_UNIX;
-	strcpy(addr.sun_path, LOAD_TESTER_SOCKET);
-
-	this->socket = socket(AF_UNIX, SOCK_SEQPACKET, 0);
-	if (this->socket == -1)
-	{
-		DBG1(DBG_CFG, "creating load-tester socket failed");
-		return FALSE;
-	}
-	unlink(addr.sun_path);
-	old = umask(~(S_IRWXU | S_IRWXG));
-	if (bind(this->socket, (struct sockaddr*)&addr, sizeof(addr)) < 0)
-	{
-		DBG1(DBG_CFG, "binding load-tester socket failed: %s", strerror(errno));
-		close(this->socket);
-		return FALSE;
-	}
-	umask(old);
-	if (chown(addr.sun_path, charon->caps->get_uid(charon->caps),
-			  charon->caps->get_gid(charon->caps)) != 0)
-	{
-		DBG1(DBG_CFG, "changing load-tester socket permissions failed: %s",
-			 strerror(errno));
-	}
-	if (listen(this->socket, 10) < 0)
-	{
-		DBG1(DBG_CFG, "listening on load-tester socket failed: %s", strerror(errno));
-		close(this->socket);
-		unlink(addr.sun_path);
-		return FALSE;
-	}
-	return TRUE;
-}
-
 /**
  * Hashtable hash function
  */
@@ -215,9 +173,9 @@ static bool initiate_cb(init_listener_t *this, debug_t group, level_t level,
 }
 
 /**
- * Initiate load-test, write progress to stream
+ * Accept connections, initiate load-test, write progress to stream
  */
-static job_requeue_t initiate(FILE *stream)
+static bool on_accept(private_load_tester_control_t *this, stream_t *io)
 {
 	init_listener_t *listener;
 	enumerator_t *enumerator;
@@ -225,15 +183,23 @@ static job_requeue_t initiate(FILE *stream)
 	child_cfg_t *child_cfg;
 	u_int i, count, failed = 0, delay = 0;
 	char buf[16] = "";
+	FILE *stream;
 
+	stream = io->get_file(io);
+	if (!stream)
+	{
+		return FALSE;
+	}
 	fflush(stream);
 	if (fgets(buf, sizeof(buf), stream) == NULL)
 	{
-		return JOB_REQUEUE_NONE;
+		fclose(stream);
+		return FALSE;
 	}
 	if (sscanf(buf, "%u %u", &count, &delay) < 1)
 	{
-		return JOB_REQUEUE_NONE;
+		fclose(stream);
+		return FALSE;
 	}
 
 	INIT(listener,
@@ -308,50 +274,15 @@ static job_requeue_t initiate(FILE *stream)
 	free(listener);
 
 	fprintf(stream, "\n");
+	fclose(stream);
 
-	return JOB_REQUEUE_NONE;
-}
-
-/**
- * Accept load-tester control connections, dispatch
- */
-static job_requeue_t receive(private_load_tester_control_t *this)
-{
-	struct sockaddr_un addr;
-	int fd, len = sizeof(addr);
-	bool oldstate;
-	FILE *stream;
-
-	oldstate = thread_cancelability(TRUE);
-	fd = accept(this->socket, (struct sockaddr*)&addr, &len);
-	thread_cancelability(oldstate);
-
-	if (fd != -1)
-	{
-		stream = fdopen(fd, "r+");
-		if (stream)
-		{
-			DBG1(DBG_CFG, "client connected");
-			lib->processor->queue_job(lib->processor,
-				(job_t*)callback_job_create_with_prio(
-					(callback_job_cb_t)initiate, stream, (void*)fclose,
-					(callback_job_cancel_t)return_false, JOB_PRIO_CRITICAL));
-		}
-		else
-		{
-			close(fd);
-		}
-	}
-	return JOB_REQUEUE_FAIR;
+	return FALSE;
 }
 
 METHOD(load_tester_control_t, destroy, void,
 	private_load_tester_control_t *this)
 {
-	if (this->socket != -1)
-	{
-		close(this->socket);
-	}
+	DESTROY_IF(this->service);
 	free(this);
 }
 
@@ -361,6 +292,7 @@ METHOD(load_tester_control_t, destroy, void,
 load_tester_control_t *load_tester_control_create()
 {
 	private_load_tester_control_t *this;
+	char *uri;
 
 	INIT(this,
 		.public = {
@@ -368,16 +300,18 @@ load_tester_control_t *load_tester_control_create()
 		},
 	);
 
-	if (open_socket(this))
+	uri = lib->settings->get_str(lib->settings,
+				"%s.plugins.load-tester.socket", "unix://" LOAD_TESTER_SOCKET,
+				charon->name);
+	this->service = lib->streams->create_service(lib->streams, uri, 10);
+	if (this->service)
 	{
-		lib->processor->queue_job(lib->processor, (job_t*)
-			callback_job_create_with_prio((callback_job_cb_t)receive, this, NULL,
-						(callback_job_cancel_t)return_false, JOB_PRIO_CRITICAL));
+		this->service->on_accept(this->service, (stream_service_cb_t)on_accept,
+								 this, JOB_PRIO_CRITICAL, 0);
 	}
 	else
 	{
-		this->socket = -1;
+		DBG1(DBG_CFG, "creating load-tester control socket failed");
 	}
-
 	return &this->public;
 }
diff --git a/src/libcharon/plugins/load_tester/load_tester_ipsec.c b/src/libcharon/plugins/load_tester/load_tester_ipsec.c
index 4f84845a3..bf08d2c9c 100644
--- a/src/libcharon/plugins/load_tester/load_tester_ipsec.c
+++ b/src/libcharon/plugins/load_tester/load_tester_ipsec.c
@@ -54,7 +54,7 @@ METHOD(kernel_ipsec_t, add_sa, status_t,
 	u_int32_t spi, u_int8_t protocol, u_int32_t reqid, mark_t mark,
 	u_int32_t tfc, lifetime_cfg_t *lifetime, u_int16_t enc_alg, chunk_t enc_key,
 	u_int16_t int_alg, chunk_t int_key, ipsec_mode_t mode, u_int16_t ipcomp,
-	u_int16_t cpi, bool encap, bool esn, bool inbound,
+	u_int16_t cpi, bool initiator, bool encap, bool esn, bool inbound,
 	traffic_selector_t *src_ts, traffic_selector_t *dst_ts)
 {
 	return SUCCESS;
@@ -71,7 +71,7 @@ METHOD(kernel_ipsec_t, update_sa, status_t,
 METHOD(kernel_ipsec_t, query_sa, status_t,
 	private_load_tester_ipsec_t *this, host_t *src, host_t *dst,
 	u_int32_t spi, u_int8_t protocol, mark_t mark,
-	u_int64_t *bytes, u_int64_t *packets)
+	u_int64_t *bytes, u_int64_t *packets, u_int32_t *time)
 {
 	return NOT_SUPPORTED;
 }
diff --git a/src/libcharon/plugins/load_tester/load_tester_plugin.c b/src/libcharon/plugins/load_tester/load_tester_plugin.c
index 6fee2bf3b..03557a269 100644
--- a/src/libcharon/plugins/load_tester/load_tester_plugin.c
+++ b/src/libcharon/plugins/load_tester/load_tester_plugin.c
@@ -298,4 +298,3 @@ plugin_t *load_tester_plugin_create()
 	}
 	return &this->public.plugin;
 }
-
diff --git a/src/libcharon/plugins/lookip/Makefile.am b/src/libcharon/plugins/lookip/Makefile.am
index 450995c9c..6d71c8c13 100644
--- a/src/libcharon/plugins/lookip/Makefile.am
+++ b/src/libcharon/plugins/lookip/Makefile.am
@@ -1,10 +1,12 @@
-
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
-	-I$(top_srcdir)/src/libcharon
-
-AM_CFLAGS = -rdynamic \
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon \
 	-DIPSEC_PIDDIR=\"${piddir}\"
 
+AM_CFLAGS = \
+	-rdynamic
+
 if MONOLITHIC
 noinst_LTLIBRARIES = libstrongswan-lookip.la
 else
diff --git a/src/libcharon/plugins/lookip/Makefile.in b/src/libcharon/plugins/lookip/Makefile.in
index 24eb31feb..630ec4a1c 100644
--- a/src/libcharon/plugins/lookip/Makefile.in
+++ b/src/libcharon/plugins/lookip/Makefile.in
@@ -64,7 +64,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
@@ -105,9 +105,13 @@ am_libstrongswan_lookip_la_OBJECTS = lookip_plugin.lo \
 	lookip_listener.lo lookip_socket.lo
 libstrongswan_lookip_la_OBJECTS =  \
 	$(am_libstrongswan_lookip_la_OBJECTS)
-libstrongswan_lookip_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
-	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
-	$(libstrongswan_lookip_la_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+libstrongswan_lookip_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
+	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
+	$(AM_CFLAGS) $(CFLAGS) $(libstrongswan_lookip_la_LDFLAGS) \
+	$(LDFLAGS) -o $@
 @MONOLITHIC_FALSE@am_libstrongswan_lookip_la_rpath = -rpath \
 @MONOLITHIC_FALSE@	$(plugindir)
 @MONOLITHIC_TRUE@am_libstrongswan_lookip_la_rpath =
@@ -121,13 +125,26 @@ am__depfiles_maybe = depfiles
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
 SOURCES = $(libstrongswan_lookip_la_SOURCES) $(lookip_SOURCES)
 DIST_SOURCES = $(libstrongswan_lookip_la_SOURCES) $(lookip_SOURCES)
 am__can_run_installinfo = \
@@ -141,6 +158,7 @@ DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
@@ -153,6 +171,8 @@ CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
 CHECK_CFLAGS = @CHECK_CFLAGS@
 CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -168,6 +188,7 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
 GPRBUILD = @GPRBUILD@
 GREP = @GREP@
@@ -176,6 +197,7 @@ INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -222,6 +244,7 @@ SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -250,6 +273,7 @@ charon_natt_port = @charon_natt_port@
 charon_plugins = @charon_plugins@
 charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
@@ -327,12 +351,15 @@ top_srcdir = @top_srcdir@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
-	-I$(top_srcdir)/src/libcharon
-
-AM_CFLAGS = -rdynamic \
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon \
 	-DIPSEC_PIDDIR=\"${piddir}\"
 
+AM_CFLAGS = \
+	-rdynamic
+
 @MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-lookip.la
 @MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-lookip.la
 libstrongswan_lookip_la_SOURCES = lookip_plugin.h lookip_plugin.c \
@@ -417,7 +444,7 @@ clean-pluginLTLIBRARIES:
 	  rm -f "$${dir}/so_locations"; \
 	done
 libstrongswan-lookip.la: $(libstrongswan_lookip_la_OBJECTS) $(libstrongswan_lookip_la_DEPENDENCIES) $(EXTRA_libstrongswan_lookip_la_DEPENDENCIES) 
-	$(libstrongswan_lookip_la_LINK) $(am_libstrongswan_lookip_la_rpath) $(libstrongswan_lookip_la_OBJECTS) $(libstrongswan_lookip_la_LIBADD) $(LIBS)
+	$(AM_V_CCLD)$(libstrongswan_lookip_la_LINK) $(am_libstrongswan_lookip_la_rpath) $(libstrongswan_lookip_la_OBJECTS) $(libstrongswan_lookip_la_LIBADD) $(LIBS)
 install-ipsecPROGRAMS: $(ipsec_PROGRAMS)
 	@$(NORMAL_INSTALL)
 	@list='$(ipsec_PROGRAMS)'; test -n "$(ipsecdir)" || list=; \
@@ -466,7 +493,7 @@ clean-ipsecPROGRAMS:
 	rm -f $$list
 lookip$(EXEEXT): $(lookip_OBJECTS) $(lookip_DEPENDENCIES) $(EXTRA_lookip_DEPENDENCIES) 
 	@rm -f lookip$(EXEEXT)
-	$(LINK) $(lookip_OBJECTS) $(lookip_LDADD) $(LIBS)
+	$(AM_V_CCLD)$(LINK) $(lookip_OBJECTS) $(lookip_LDADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -480,25 +507,25 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/lookip_socket.Plo@am__quote@
 
 .c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
 mostlyclean-libtool:
 	-rm -f *.lo
diff --git a/src/libcharon/plugins/lookip/lookip.c b/src/libcharon/plugins/lookip/lookip.c
index 9887a3a92..d473c7022 100644
--- a/src/libcharon/plugins/lookip/lookip.c
+++ b/src/libcharon/plugins/lookip/lookip.c
@@ -20,51 +20,112 @@
 #include <unistd.h>
 #include <stddef.h>
 #include <stdio.h>
+#include <stdlib.h>
 #include <errno.h>
 #include <getopt.h>
+#include <arpa/inet.h>
 
 /**
  * Connect to the daemon, return FD
  */
 static int make_connection()
 {
-	struct sockaddr_un addr;
-	int fd;
+	union {
+		struct sockaddr_un un;
+		struct sockaddr_in in;
+		struct sockaddr sa;
+	} addr;
+	int fd, len;
 
-	addr.sun_family = AF_UNIX;
-	strcpy(addr.sun_path, LOOKIP_SOCKET);
+	if (getenv("TCP_PORT"))
+	{
+		addr.in.sin_family = AF_INET;
+		addr.in.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
+		addr.in.sin_port = htons(atoi(getenv("TCP_PORT")));
+		len = sizeof(addr.in);
+	}
+	else
+	{
+		addr.un.sun_family = AF_UNIX;
+		strcpy(addr.un.sun_path, LOOKIP_SOCKET);
 
-	fd = socket(AF_UNIX, SOCK_SEQPACKET, 0);
+		len = offsetof(struct sockaddr_un, sun_path) + strlen(addr.un.sun_path);
+	}
+	fd = socket(addr.sa.sa_family, SOCK_STREAM, 0);
 	if (fd < 0)
 	{
 		fprintf(stderr, "opening socket failed: %s\n", strerror(errno));
 		return -1;
 	}
-	if (connect(fd, (struct sockaddr *)&addr,
-			offsetof(struct sockaddr_un, sun_path) + strlen(addr.sun_path)) < 0)
+	if (connect(fd, &addr.sa, len) < 0)
 	{
-		fprintf(stderr, "connecting to %s failed: %s\n",
-				LOOKIP_SOCKET, strerror(errno));
+		fprintf(stderr, "connecting failed: %s\n", strerror(errno));
 		close(fd);
 		return -1;
 	}
 	return fd;
 }
 
+static int read_all(int fd, void *buf, size_t len, int flags)
+{
+	ssize_t ret, done = 0;
+
+	while (done < len)
+	{
+		ret = recv(fd, buf, len - done, flags);
+		if (ret == -1 && errno == EINTR)
+		{	/* interrupted, try again */
+			continue;
+		}
+		if (ret == 0)
+		{
+			return 0;
+		}
+		if (ret < 0)
+		{
+			return -1;
+		}
+		done += ret;
+		buf += ret;
+	}
+	return len;
+}
+
+static int write_all(int fd, void *buf, size_t len)
+{
+	ssize_t ret, done = 0;
+
+	while (done < len)
+	{
+		ret = write(fd, buf, len - done);
+		if (ret == -1 && errno == EINTR)
+		{	/* interrupted, try again */
+			continue;
+		}
+		if (ret < 0)
+		{
+			return -1;
+		}
+		done += ret;
+		buf += ret;
+	}
+	return len;
+}
+
 /**
  * Send a request message
  */
 static int send_request(int fd, int type, char *vip)
 {
 	lookip_request_t req = {
-		.type = type,
+		.type = htonl(type),
 	};
 
 	if (vip)
 	{
 		snprintf(req.vip, sizeof(req.vip), "%s", vip);
 	}
-	if (send(fd, &req, sizeof(req), 0) != sizeof(req))
+	if (write_all(fd, &req, sizeof(req)) != sizeof(req))
 	{
 		fprintf(stderr, "writing to socket failed: %s\n", strerror(errno));
 		return 2;
@@ -83,7 +144,7 @@ static int receive(int fd, int block, int loop)
 
 	do
 	{
-		res = recv(fd, &resp, sizeof(resp), block ? 0 : MSG_DONTWAIT);
+		res = read_all(fd, &resp, sizeof(resp), block ? 0 : MSG_DONTWAIT);
 		if (res == 0)
 		{	/* closed by server */
 			return 0;
@@ -97,7 +158,7 @@ static int receive(int fd, int block, int loop)
 			fprintf(stderr, "reading from socket failed: %s\n", strerror(errno));
 			return 1;
 		}
-		switch (resp.type)
+		switch (ntohl(resp.type))
 		{
 			case LOOKIP_ENTRY:
 				label = "lookup:";
@@ -120,7 +181,7 @@ static int receive(int fd, int block, int loop)
 		resp.id[sizeof(resp.id) - 1] = '\0';
 		resp.name[sizeof(resp.name) - 1] = '\0';
 
-		snprintf(name, sizeof(name), "%s[%u]", resp.name, resp.unique_id);
+		snprintf(name, sizeof(name), "%s[%u]", resp.name, ntohl(resp.unique_id));
 		printf("%-12s %16s %16s %20s %s\n",
 			   label, resp.vip, resp.ip, name, resp.id);
 	}
diff --git a/src/libcharon/plugins/lookip/lookip_listener.c b/src/libcharon/plugins/lookip/lookip_listener.c
index caf336a2e..d5eab1f6c 100644
--- a/src/libcharon/plugins/lookip/lookip_listener.c
+++ b/src/libcharon/plugins/lookip/lookip_listener.c
@@ -290,6 +290,26 @@ METHOD(lookip_listener_t, add_listener, void,
 	this->lock->unlock(this->lock);
 }
 
+METHOD(lookip_listener_t, remove_listener, void,
+	private_lookip_listener_t *this, void *user)
+{
+	listener_entry_t *listener;
+	enumerator_t *enumerator;
+
+	this->lock->write_lock(this->lock);
+	enumerator = this->listeners->create_enumerator(this->listeners);
+	while (enumerator->enumerate(enumerator, &listener))
+	{
+		if (listener->user == user)
+		{
+			this->listeners->remove_at(this->listeners, enumerator);
+			free(listener);
+		}
+	}
+	enumerator->destroy(enumerator);
+	this->lock->unlock(this->lock);
+}
+
 METHOD(lookip_listener_t, destroy, void,
 	private_lookip_listener_t *this)
 {
@@ -315,6 +335,7 @@ lookip_listener_t *lookip_listener_create()
 			},
 			.lookup = _lookup,
 			.add_listener = _add_listener,
+			.remove_listener = _remove_listener,
 			.destroy = _destroy,
 		},
 		.lock = rwlock_create(RWLOCK_TYPE_DEFAULT),
diff --git a/src/libcharon/plugins/lookip/lookip_listener.h b/src/libcharon/plugins/lookip/lookip_listener.h
index 56f74ed48..f6612b324 100644
--- a/src/libcharon/plugins/lookip/lookip_listener.h
+++ b/src/libcharon/plugins/lookip/lookip_listener.h
@@ -74,6 +74,13 @@ struct lookip_listener_t {
 	void (*add_listener)(lookip_listener_t *this,
 						 lookip_callback_t cb, void *user);
 
+	/**
+	 * Unregister a listener by the user data.
+	 *
+	 * @param user		user data, as passed during add_listener()
+	 */
+	void (*remove_listener)(lookip_listener_t *this, void *user);
+
 	/**
 	 * Destroy a lookip_listener_t.
 	 */
diff --git a/src/libcharon/plugins/lookip/lookip_msg.h b/src/libcharon/plugins/lookip/lookip_msg.h
index d5789c29f..83b765ece 100644
--- a/src/libcharon/plugins/lookip/lookip_msg.h
+++ b/src/libcharon/plugins/lookip/lookip_msg.h
@@ -69,7 +69,7 @@ struct lookip_request_t {
 	int type;
 	/** null terminated string representation of virtual IP */
 	char vip[40];
-};
+} __attribute__((packed));
 
 /**
  * Response message sent to client.
@@ -86,11 +86,11 @@ struct lookip_response_t {
 	/** null terminated string representation of outer IP */
 	char ip[40];
 	/** null terminated peer identity */
-	char id[128];
+	char id[256];
 	/** null terminated connection name */
 	char name[40];
 	/** unique connection id */
 	unsigned int unique_id;
-};
+} __attribute__((packed));
 
 #endif /** LOOKIP_MSG_H_ @}*/
diff --git a/src/libcharon/plugins/lookip/lookip_plugin.c b/src/libcharon/plugins/lookip/lookip_plugin.c
index 360864849..a6c32d65d 100644
--- a/src/libcharon/plugins/lookip/lookip_plugin.c
+++ b/src/libcharon/plugins/lookip/lookip_plugin.c
@@ -49,11 +49,38 @@ METHOD(plugin_t, get_name, char*,
 	return "lookip";
 }
 
+/**
+ * Register listener
+ */
+static bool plugin_cb(private_lookip_plugin_t *this,
+					  plugin_feature_t *feature, bool reg, void *cb_data)
+{
+	if (reg)
+	{
+		charon->bus->add_listener(charon->bus, &this->listener->listener);
+	}
+	else
+	{
+		charon->bus->remove_listener(charon->bus, &this->listener->listener);
+	}
+	return TRUE;
+}
+
+METHOD(plugin_t, get_features, int,
+	private_lookip_plugin_t *this, plugin_feature_t *features[])
+{
+	static plugin_feature_t f[] = {
+		PLUGIN_CALLBACK((plugin_feature_callback_t)plugin_cb, NULL),
+			PLUGIN_PROVIDE(CUSTOM, "lookip"),
+	};
+	*features = f;
+	return countof(f);
+}
+
 METHOD(plugin_t, destroy, void,
 	private_lookip_plugin_t *this)
 {
-	this->socket->destroy(this->socket);
-	charon->bus->remove_listener(charon->bus, &this->listener->listener);
+	DESTROY_IF(this->socket);
 	this->listener->destroy(this->listener);
 	free(this);
 }
@@ -69,15 +96,19 @@ plugin_t *lookip_plugin_create()
 		.public = {
 			.plugin = {
 				.get_name = _get_name,
-				.reload = (void*)return_false,
+				.get_features = _get_features,
 				.destroy = _destroy,
 			},
 		},
 		.listener = lookip_listener_create(),
 	);
 
-	charon->bus->add_listener(charon->bus, &this->listener->listener);
 	this->socket = lookip_socket_create(this->listener);
+	if (!this->socket)
+	{
+		destroy(this);
+		return NULL;
+	}
 
 	return &this->public.plugin;
 }
diff --git a/src/libcharon/plugins/lookip/lookip_socket.c b/src/libcharon/plugins/lookip/lookip_socket.c
index f2a469e92..d25573bf4 100644
--- a/src/libcharon/plugins/lookip/lookip_socket.c
+++ b/src/libcharon/plugins/lookip/lookip_socket.c
@@ -48,17 +48,12 @@ struct private_lookip_socket_t {
 	lookip_listener_t *listener;
 
 	/**
-	 * lookip unix socket file descriptor
+	 * stream service accepting connections
 	 */
-	int socket;
+	stream_service_t *service;
 
 	/**
-	 * List of registered listeners, as entry_t
-	 */
-	linked_list_t *registered;
-
-	/**
-	 * List of connected clients, as uintptr_t FD
+	 * List of connected clients, as entry_t
 	 */
 	linked_list_t *connected;
 
@@ -69,88 +64,80 @@ struct private_lookip_socket_t {
 };
 
 /**
- * Open lookip unix socket
- */
-static bool open_socket(private_lookip_socket_t *this)
-{
-	struct sockaddr_un addr;
-	mode_t old;
-
-	addr.sun_family = AF_UNIX;
-	strcpy(addr.sun_path, LOOKIP_SOCKET);
-
-	this->socket = socket(AF_UNIX, SOCK_SEQPACKET, 0);
-	if (this->socket == -1)
-	{
-		DBG1(DBG_CFG, "creating lookip socket failed");
-		return FALSE;
-	}
-	unlink(addr.sun_path);
-	old = umask(~(S_IRWXU | S_IRWXG));
-	if (bind(this->socket, (struct sockaddr*)&addr, sizeof(addr)) < 0)
-	{
-		DBG1(DBG_CFG, "binding lookip socket failed: %s", strerror(errno));
-		close(this->socket);
-		return FALSE;
-	}
-	umask(old);
-	if (chown(addr.sun_path, charon->caps->get_uid(charon->caps),
-			  charon->caps->get_gid(charon->caps)) != 0)
-	{
-		DBG1(DBG_CFG, "changing lookip socket permissions failed: %s",
-			 strerror(errno));
-	}
-	if (listen(this->socket, 10) < 0)
-	{
-		DBG1(DBG_CFG, "listening on lookip socket failed: %s", strerror(errno));
-		close(this->socket);
-		unlink(addr.sun_path);
-		return FALSE;
-	}
-	return TRUE;
-}
-
-/**
- * Listener callback entry
+ * List entry for a connected stream
  */
 typedef struct {
-	/* FD to write to */
-	int fd;
-	/* message type to send */
-	int type;
-	/* back pointer to socket, only for subscriptions */
+	/* stream to write to */
+	stream_t *stream;
+	/* registered for up events? */
+	bool up;
+	/* registered for down events? */
+	bool down;
+	/** backref to this for unregistration */
 	private_lookip_socket_t *this;
 } entry_t;
 
 /**
- * Destroy entry
+ * Clean up a connection entry
  */
-static void entry_destroy(entry_t *this)
+static void entry_destroy(entry_t *entry)
 {
-	close(this->fd);
-	free(this);
+	entry->stream->destroy(entry->stream);
+	free(entry);
+}
+
+/**
+ * Disconnect a stream, remove connection entry
+ */
+static void disconnect(private_lookip_socket_t *this, stream_t *stream)
+{
+	enumerator_t *enumerator;
+	entry_t *entry;
+
+	this->mutex->lock(this->mutex);
+	enumerator = this->connected->create_enumerator(this->connected);
+	while (enumerator->enumerate(enumerator, &entry))
+	{
+		if (entry->stream == stream)
+		{
+			this->connected->remove_at(this->connected, enumerator);
+			if (entry->up || entry->down)
+			{
+				this->listener->remove_listener(this->listener, entry);
+			}
+			entry_destroy(entry);
+			break;
+		}
+	}
+	enumerator->destroy(enumerator);
+	this->mutex->unlock(this->mutex);
 }
 
 /**
- * Callback function for listener
+ * Callback function for listener up/down events
  */
-static bool listener_cb(entry_t *entry, bool up, host_t *vip,
-						host_t *other, identification_t *id,
-						char *name, u_int unique_id)
+static bool event_cb(entry_t *entry, bool up, host_t *vip, host_t *other,
+					 identification_t *id, char *name, u_int unique_id)
 {
 	lookip_response_t resp = {
-		.type = entry->type,
-		.unique_id = unique_id,
+		.unique_id = htonl(unique_id),
 	};
 
-	/* filter events */
-	if (up && entry->type == LOOKIP_NOTIFY_DOWN)
+	if (up)
 	{
-		return TRUE;
+		if (!entry->up)
+		{
+			return TRUE;
+		}
+		resp.type = htonl(LOOKIP_NOTIFY_UP);
 	}
-	if (!up && entry->type == LOOKIP_NOTIFY_UP)
+	else
 	{
-		return TRUE;
+		if (!entry->down)
+		{
+			return TRUE;
+		}
+		resp.type = htonl(LOOKIP_NOTIFY_DOWN);
 	}
 
 	snprintf(resp.vip, sizeof(resp.vip), "%H", vip);
@@ -158,37 +145,66 @@ static bool listener_cb(entry_t *entry, bool up, host_t *vip,
 	snprintf(resp.id, sizeof(resp.id), "%Y", id);
 	snprintf(resp.name, sizeof(resp.name), "%s", name);
 
-	switch (send(entry->fd, &resp, sizeof(resp), 0))
+	if (entry->stream->write_all(entry->stream, &resp, sizeof(resp)))
 	{
-		case sizeof(resp):
-			return TRUE;
-		case 0:
+		return TRUE;
+	}
+	switch (errno)
+	{
+		case ECONNRESET:
+		case EPIPE:
 			/* client disconnected, adios */
 			break;
 		default:
-			DBG1(DBG_CFG, "sending lookip response failed: %s", strerror(errno));
+			DBG1(DBG_CFG, "sending lookip event failed: %s", strerror(errno));
 			break;
 	}
-	if (entry->this)
-	{	/* unregister listener */
-		entry->this->mutex->lock(entry->this->mutex);
-		entry->this->registered->remove(entry->this->registered, entry, NULL);
-		entry->this->mutex->unlock(entry->this->mutex);
+	/* don't unregister, as we return FALSE */
+	entry->up = entry->down = FALSE;
+	disconnect(entry->this, entry->stream);
+	return FALSE;
+}
+
+/**
+ * Callback function for queries
+ */
+static bool query_cb(stream_t *stream, bool up, host_t *vip, host_t *other,
+					 identification_t *id, char *name, u_int unique_id)
+{
+	lookip_response_t resp = {
+		.type = htonl(LOOKIP_ENTRY),
+		.unique_id = htonl(unique_id),
+	};
 
-		entry_destroy(entry);
+	snprintf(resp.vip, sizeof(resp.vip), "%H", vip);
+	snprintf(resp.ip, sizeof(resp.ip), "%H", other);
+	snprintf(resp.id, sizeof(resp.id), "%Y", id);
+	snprintf(resp.name, sizeof(resp.name), "%s", name);
+
+	if (stream->write_all(stream, &resp, sizeof(resp)))
+	{
+		return TRUE;
+	}
+	switch (errno)
+	{
+		case ECONNRESET:
+		case EPIPE:
+			/* client disconnected, adios */
+			break;
+		default:
+			DBG1(DBG_CFG, "sending lookip response failed: %s", strerror(errno));
+			break;
 	}
 	return FALSE;
 }
 
 /**
- * Perform a entry lookup
+ * Perform a lookup
  */
-static void query(private_lookip_socket_t *this, int fd, lookip_request_t *req)
+static void query(private_lookip_socket_t *this, stream_t *stream,
+				  lookip_request_t *req)
 {
-	entry_t entry = {
-		.fd = fd,
-		.type = LOOKIP_ENTRY,
-	};
+
 	host_t *vip = NULL;
 	int matches = 0;
 
@@ -199,17 +215,17 @@ static void query(private_lookip_socket_t *this, int fd, lookip_request_t *req)
 		if (vip)
 		{
 			matches = this->listener->lookup(this->listener, vip,
-											 (void*)listener_cb, &entry);
+											 (void*)query_cb, stream);
 			vip->destroy(vip);
 		}
 		if (matches == 0)
 		{
 			lookip_response_t resp = {
-				.type = LOOKIP_NOT_FOUND,
+				.type = htonl(LOOKIP_NOT_FOUND),
 			};
 
 			snprintf(resp.vip, sizeof(resp.vip), "%s", req->vip);
-			if (send(fd, &resp, sizeof(resp), 0) < 0)
+			if (!stream->write_all(stream, &resp, sizeof(resp)))
 			{
 				DBG1(DBG_CFG, "sending lookip not-found failed: %s",
 					 strerror(errno));
@@ -219,214 +235,143 @@ static void query(private_lookip_socket_t *this, int fd, lookip_request_t *req)
 	else
 	{	/* dump */
 		this->listener->lookup(this->listener, NULL,
-							   (void*)listener_cb, &entry);
+							   (void*)query_cb, stream);
 	}
 }
 
 /**
  * Subscribe to virtual IP events
  */
-static void subscribe(private_lookip_socket_t *this, int fd, int type)
-{
-	entry_t *entry;
-
-	INIT(entry,
-		.fd = fd,
-		.type = type,
-		.this = this,
-	);
-
-	this->mutex->lock(this->mutex);
-	this->registered->insert_last(this->registered, entry);
-	this->mutex->unlock(this->mutex);
-
-	this->listener->add_listener(this->listener, (void*)listener_cb, entry);
-}
-
-/**
- * Check if a client is subscribed for notifications
- */
-static bool subscribed(private_lookip_socket_t *this, int fd)
+static void subscribe(private_lookip_socket_t *this, stream_t *stream, bool up)
 {
 	enumerator_t *enumerator;
-	bool subscribed = FALSE;
 	entry_t *entry;
 
 	this->mutex->lock(this->mutex);
-	enumerator = this->registered->create_enumerator(this->registered);
+	enumerator = this->connected->create_enumerator(this->connected);
 	while (enumerator->enumerate(enumerator, &entry))
 	{
-		if (entry->fd == fd)
+		if (entry->stream == stream)
 		{
-			subscribed = TRUE;
-			break;
+			if (!entry->up && !entry->down)
+			{	/* newly registered */
+				this->listener->add_listener(this->listener,
+											 (void*)event_cb, entry);
+			}
+			if (up)
+			{
+				entry->up = TRUE;
+			}
+			else
+			{
+				entry->down = TRUE;
+			}
 		}
 	}
 	enumerator->destroy(enumerator);
 	this->mutex->unlock(this->mutex);
-
-	return subscribed;
 }
 
 /**
- * Create a fd_set from all bound sockets
- */
-static int build_fds(private_lookip_socket_t *this, fd_set *fds)
-{
-	enumerator_t *enumerator;
-	uintptr_t fd;
-	int maxfd;
-
-	FD_ZERO(fds);
-	FD_SET(this->socket, fds);
-	maxfd = this->socket;
-
-	this->mutex->lock(this->mutex);
-	enumerator = this->connected->create_enumerator(this->connected);
-	while (enumerator->enumerate(enumerator, &fd))
-	{
-		FD_SET(fd, fds);
-		maxfd = max(maxfd, fd);
-	}
-	enumerator->destroy(enumerator);
-	this->mutex->unlock(this->mutex);
-
-	return maxfd + 1;
-}
-
-/**
- * Find the socket select()ed
+ * Check if a client is subscribed for notifications
  */
-static int scan_fds(private_lookip_socket_t *this, fd_set *fds)
+static bool subscribed(private_lookip_socket_t *this, stream_t *stream)
 {
 	enumerator_t *enumerator;
-	uintptr_t fd;
-	int selected = -1;
+	bool subscribed = FALSE;
+	entry_t *entry;
 
 	this->mutex->lock(this->mutex);
 	enumerator = this->connected->create_enumerator(this->connected);
-	while (enumerator->enumerate(enumerator, &fd))
+	while (enumerator->enumerate(enumerator, &entry))
 	{
-		if (FD_ISSET(fd, fds))
+		if (entry->stream == stream)
 		{
-			selected = fd;
+			subscribed = entry->up || entry->down;
 			break;
 		}
 	}
 	enumerator->destroy(enumerator);
 	this->mutex->unlock(this->mutex);
 
-	return selected;
+	return subscribed;
 }
 
 /**
- * Dispatch from a socket, return TRUE to end communication
+ * Dispatch from a socket, on-read callback
  */
-static bool dispatch(private_lookip_socket_t *this, int fd)
+static bool on_read(private_lookip_socket_t *this, stream_t *stream)
 {
 	lookip_request_t req;
-	int len;
 
-	len = recv(fd, &req, sizeof(req), 0);
-	if (len != sizeof(req))
+	if (stream->read_all(stream, &req, sizeof(req)))
 	{
-		if (len != 0)
+		switch (ntohl(req.type))
+		{
+			case LOOKIP_LOOKUP:
+				query(this, stream, &req);
+				return TRUE;
+			case LOOKIP_DUMP:
+				query(this, stream, NULL);
+				return TRUE;
+			case LOOKIP_REGISTER_UP:
+				subscribe(this, stream, TRUE);
+				return TRUE;
+			case LOOKIP_REGISTER_DOWN:
+				subscribe(this, stream, FALSE);
+				return TRUE;
+			case LOOKIP_END:
+				break;
+			default:
+				DBG1(DBG_CFG, "received unknown lookip command");
+				break;
+		}
+	}
+	else
+	{
+		if (errno != ECONNRESET)
 		{
 			DBG1(DBG_CFG, "receiving lookip request failed: %s",
 				 strerror(errno));
 		}
-		return TRUE;
+		disconnect(this, stream);
+		return FALSE;
 	}
-	switch (req.type)
+	if (subscribed(this, stream))
 	{
-		case LOOKIP_LOOKUP:
-			query(this, fd, &req);
-			return FALSE;
-		case LOOKIP_DUMP:
-			query(this, fd, NULL);
-			return FALSE;
-		case LOOKIP_REGISTER_UP:
-			subscribe(this, fd, LOOKIP_NOTIFY_UP);
-			return FALSE;
-		case LOOKIP_REGISTER_DOWN:
-			subscribe(this, fd, LOOKIP_NOTIFY_DOWN);
-			return FALSE;
-		case LOOKIP_END:
-			return TRUE;
-		default:
-			DBG1(DBG_CFG, "received unknown lookip command");
-			return TRUE;
+		return TRUE;
 	}
+	disconnect(this, stream);
+	return FALSE;
 }
 
 /**
  * Accept client connections, dispatch
  */
-static job_requeue_t receive(private_lookip_socket_t *this)
+static bool on_accept(private_lookip_socket_t *this, stream_t *stream)
 {
-	struct sockaddr_un addr;
-	int fd, maxfd, len;
-	bool oldstate;
-	fd_set fds;
+	entry_t *entry;
 
-	while (TRUE)
-	{
-		maxfd = build_fds(this, &fds);
-		oldstate = thread_cancelability(TRUE);
-		if (select(maxfd, &fds, NULL, NULL, NULL) <= 0)
-		{
-			thread_cancelability(oldstate);
-			DBG1(DBG_CFG, "selecting lookip sockets failed: %s",
-				 strerror(errno));
-			break;
-		}
-		thread_cancelability(oldstate);
+	INIT(entry,
+		.stream = stream,
+		.this = this,
+	);
 
-		if (FD_ISSET(this->socket, &fds))
-		{	/* new connection, accept() */
-			len = sizeof(addr);
-			fd = accept(this->socket, (struct sockaddr*)&addr, &len);
-			if (fd != -1)
-			{
-				this->mutex->lock(this->mutex);
-				this->connected->insert_last(this->connected,
-											 (void*)(uintptr_t)fd);
-				this->mutex->unlock(this->mutex);
-			}
-			else
-			{
-				DBG1(DBG_CFG, "accepting lookip connection failed: %s",
-					 strerror(errno));
-			}
-			continue;
-		}
+	this->mutex->lock(this->mutex);
+	this->connected->insert_last(this->connected, entry);
+	this->mutex->unlock(this->mutex);
 
-		fd = scan_fds(this, &fds);
-		if (fd == -1)
-		{
-			continue;
-		}
-		if (dispatch(this, fd))
-		{
-			this->mutex->lock(this->mutex);
-			this->connected->remove(this->connected, (void*)(uintptr_t)fd, NULL);
-			this->mutex->unlock(this->mutex);
-			if (!subscribed(this, fd))
-			{
-				close(fd);
-			}
-		}
-	}
-	return JOB_REQUEUE_FAIR;
+	stream->on_read(stream, (void*)on_read, this);
+
+	return TRUE;
 }
 
 METHOD(lookip_socket_t, destroy, void,
 	private_lookip_socket_t *this)
 {
-	this->registered->destroy_function(this->registered, (void*)entry_destroy);
-	this->connected->destroy(this->connected);
+	DESTROY_IF(this->service);
+	this->connected->destroy_function(this->connected, (void*)entry_destroy);
 	this->mutex->destroy(this->mutex);
-	close(this->socket);
 	free(this);
 }
 
@@ -436,26 +381,30 @@ METHOD(lookip_socket_t, destroy, void,
 lookip_socket_t *lookip_socket_create(lookip_listener_t *listener)
 {
 	private_lookip_socket_t *this;
+	char *uri;
 
 	INIT(this,
 		.public = {
 			.destroy = _destroy,
 		},
 		.listener = listener,
-		.registered = linked_list_create(),
 		.connected = linked_list_create(),
 		.mutex = mutex_create(MUTEX_TYPE_DEFAULT),
 	);
 
-	if (!open_socket(this))
+	uri = lib->settings->get_str(lib->settings,
+				"%s.plugins.lookip.socket", "unix://" LOOKIP_SOCKET,
+				charon->name);
+	this->service = lib->streams->create_service(lib->streams, uri, 10);
+	if (!this->service)
 	{
-		free(this);
+		DBG1(DBG_CFG, "creating lookip socket failed");
+		destroy(this);
 		return NULL;
 	}
 
-	lib->processor->queue_job(lib->processor,
-		(job_t*)callback_job_create_with_prio((callback_job_cb_t)receive, this,
-				NULL, (callback_job_cancel_t)return_false, JOB_PRIO_CRITICAL));
+	this->service->on_accept(this->service, (stream_service_cb_t)on_accept,
+							 this, JOB_PRIO_CRITICAL, 1);
 
 	return &this->public;
 }
diff --git a/src/libcharon/plugins/maemo/Makefile.am b/src/libcharon/plugins/maemo/Makefile.am
index 0bf7fad5d..c3c55ba41 100644
--- a/src/libcharon/plugins/maemo/Makefile.am
+++ b/src/libcharon/plugins/maemo/Makefile.am
@@ -1,8 +1,11 @@
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon
 
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
-	-I$(top_srcdir)/src/libcharon ${maemo_CFLAGS}
-
-AM_CFLAGS = -rdynamic
+AM_CFLAGS = \
+	${maemo_CFLAGS} \
+	-rdynamic
 
 if MONOLITHIC
 noinst_LTLIBRARIES = libstrongswan-maemo.la
@@ -20,8 +23,8 @@ libstrongswan_maemo_la_LIBADD  = ${maemo_LIBS}
 dbusservice_DATA = org.strongswan.charon.service
 
 org.strongswan.charon.service: $(srcdir)/org.strongswan.charon.service.in
+	$(AM_V_GEN) \
 	sed -e 's|[@]LIBEXECDIR[@]|$(libexecdir)|' $< >$@
 
 EXTRA_DIST = org.strongswan.charon.service.in
 CLEANFILES = $(dbusservice_DATA)
-
diff --git a/src/libcharon/plugins/maemo/Makefile.in b/src/libcharon/plugins/maemo/Makefile.in
index c907e9e2d..f4d78bfb9 100644
--- a/src/libcharon/plugins/maemo/Makefile.in
+++ b/src/libcharon/plugins/maemo/Makefile.in
@@ -63,7 +63,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
@@ -104,9 +104,13 @@ am__DEPENDENCIES_1 =
 libstrongswan_maemo_la_DEPENDENCIES = $(am__DEPENDENCIES_1)
 am_libstrongswan_maemo_la_OBJECTS = maemo_plugin.lo maemo_service.lo
 libstrongswan_maemo_la_OBJECTS = $(am_libstrongswan_maemo_la_OBJECTS)
-libstrongswan_maemo_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
-	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
-	$(libstrongswan_maemo_la_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+libstrongswan_maemo_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
+	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
+	$(AM_CFLAGS) $(CFLAGS) $(libstrongswan_maemo_la_LDFLAGS) \
+	$(LDFLAGS) -o $@
 @MONOLITHIC_FALSE@am_libstrongswan_maemo_la_rpath = -rpath \
 @MONOLITHIC_FALSE@	$(plugindir)
 @MONOLITHIC_TRUE@am_libstrongswan_maemo_la_rpath =
@@ -116,13 +120,26 @@ am__depfiles_maybe = depfiles
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
 SOURCES = $(libstrongswan_maemo_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_maemo_la_SOURCES)
 am__can_run_installinfo = \
@@ -137,6 +154,7 @@ DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
@@ -149,6 +167,8 @@ CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
 CHECK_CFLAGS = @CHECK_CFLAGS@
 CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -164,6 +184,7 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
 GPRBUILD = @GPRBUILD@
 GREP = @GREP@
@@ -172,6 +193,7 @@ INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -218,6 +240,7 @@ SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -246,6 +269,7 @@ charon_natt_port = @charon_natt_port@
 charon_plugins = @charon_plugins@
 charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
@@ -323,10 +347,15 @@ top_srcdir = @top_srcdir@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
-	-I$(top_srcdir)/src/libcharon ${maemo_CFLAGS}
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon
+
+AM_CFLAGS = \
+	${maemo_CFLAGS} \
+	-rdynamic
 
-AM_CFLAGS = -rdynamic
 @MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-maemo.la
 @MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-maemo.la
 libstrongswan_maemo_la_SOURCES = \
@@ -414,7 +443,7 @@ clean-pluginLTLIBRARIES:
 	  rm -f "$${dir}/so_locations"; \
 	done
 libstrongswan-maemo.la: $(libstrongswan_maemo_la_OBJECTS) $(libstrongswan_maemo_la_DEPENDENCIES) $(EXTRA_libstrongswan_maemo_la_DEPENDENCIES) 
-	$(libstrongswan_maemo_la_LINK) $(am_libstrongswan_maemo_la_rpath) $(libstrongswan_maemo_la_OBJECTS) $(libstrongswan_maemo_la_LIBADD) $(LIBS)
+	$(AM_V_CCLD)$(libstrongswan_maemo_la_LINK) $(am_libstrongswan_maemo_la_rpath) $(libstrongswan_maemo_la_OBJECTS) $(libstrongswan_maemo_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -426,25 +455,25 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/maemo_service.Plo@am__quote@
 
 .c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
 mostlyclean-libtool:
 	-rm -f *.lo
@@ -684,6 +713,7 @@ uninstall-am: uninstall-dbusserviceDATA uninstall-pluginLTLIBRARIES
 
 
 org.strongswan.charon.service: $(srcdir)/org.strongswan.charon.service.in
+	$(AM_V_GEN) \
 	sed -e 's|[@]LIBEXECDIR[@]|$(libexecdir)|' $< >$@
 
 # Tell versions [3.59,3.63) of GNU make to not export all variables.
diff --git a/src/libcharon/plugins/maemo/maemo_plugin.c b/src/libcharon/plugins/maemo/maemo_plugin.c
index 38cb031b5..ddf9cdb5b 100644
--- a/src/libcharon/plugins/maemo/maemo_plugin.c
+++ b/src/libcharon/plugins/maemo/maemo_plugin.c
@@ -42,6 +42,17 @@ METHOD(plugin_t, get_name, char*,
 	return "maemo";
 }
 
+METHOD(plugin_t, get_features, int,
+	private_maemo_plugin_t *this, plugin_feature_t *features[])
+{
+	static plugin_feature_t f[] = {
+		PLUGIN_NOOP,
+			PLUGIN_PROVIDE(CUSTOM, "maemo"),
+	};
+	*features = f;
+	return countof(f);
+}
+
 METHOD(plugin_t, destroy, void,
 	private_maemo_plugin_t *this)
 {
@@ -60,7 +71,7 @@ plugin_t *maemo_plugin_create()
 		.public = {
 			.plugin = {
 				.get_name = _get_name,
-				.reload = (void*)return_false,
+				.get_features = _get_features,
 				.destroy = _destroy,
 			},
 		},
@@ -74,4 +85,3 @@ plugin_t *maemo_plugin_create()
 
 	return &this->public.plugin;
 }
-
diff --git a/src/libcharon/plugins/medcli/Makefile.am b/src/libcharon/plugins/medcli/Makefile.am
index cdff8d854..f645be27e 100644
--- a/src/libcharon/plugins/medcli/Makefile.am
+++ b/src/libcharon/plugins/medcli/Makefile.am
@@ -1,8 +1,10 @@
-
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon
 
-AM_CFLAGS = -rdynamic
+AM_CFLAGS = \
+	-rdynamic
 
 if MONOLITHIC
 noinst_LTLIBRARIES = libstrongswan-medcli.la
diff --git a/src/libcharon/plugins/medcli/Makefile.in b/src/libcharon/plugins/medcli/Makefile.in
index 283b0401f..01368050a 100644
--- a/src/libcharon/plugins/medcli/Makefile.in
+++ b/src/libcharon/plugins/medcli/Makefile.in
@@ -62,7 +62,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
@@ -103,9 +103,13 @@ am_libstrongswan_medcli_la_OBJECTS = medcli_plugin.lo medcli_creds.lo \
 	medcli_config.lo medcli_listener.lo
 libstrongswan_medcli_la_OBJECTS =  \
 	$(am_libstrongswan_medcli_la_OBJECTS)
-libstrongswan_medcli_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
-	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
-	$(libstrongswan_medcli_la_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+libstrongswan_medcli_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
+	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
+	$(AM_CFLAGS) $(CFLAGS) $(libstrongswan_medcli_la_LDFLAGS) \
+	$(LDFLAGS) -o $@
 @MONOLITHIC_FALSE@am_libstrongswan_medcli_la_rpath = -rpath \
 @MONOLITHIC_FALSE@	$(plugindir)
 @MONOLITHIC_TRUE@am_libstrongswan_medcli_la_rpath =
@@ -115,13 +119,26 @@ am__depfiles_maybe = depfiles
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
 SOURCES = $(libstrongswan_medcli_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_medcli_la_SOURCES)
 am__can_run_installinfo = \
@@ -135,6 +152,7 @@ DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
@@ -147,6 +165,8 @@ CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
 CHECK_CFLAGS = @CHECK_CFLAGS@
 CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -162,6 +182,7 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
 GPRBUILD = @GPRBUILD@
 GREP = @GREP@
@@ -170,6 +191,7 @@ INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -216,6 +238,7 @@ SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -244,6 +267,7 @@ charon_natt_port = @charon_natt_port@
 charon_plugins = @charon_plugins@
 charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
@@ -321,10 +345,14 @@ top_srcdir = @top_srcdir@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon
 
-AM_CFLAGS = -rdynamic
+AM_CFLAGS = \
+	-rdynamic
+
 @MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-medcli.la
 @MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-medcli.la
 libstrongswan_medcli_la_SOURCES = \
@@ -410,7 +438,7 @@ clean-pluginLTLIBRARIES:
 	  rm -f "$${dir}/so_locations"; \
 	done
 libstrongswan-medcli.la: $(libstrongswan_medcli_la_OBJECTS) $(libstrongswan_medcli_la_DEPENDENCIES) $(EXTRA_libstrongswan_medcli_la_DEPENDENCIES) 
-	$(libstrongswan_medcli_la_LINK) $(am_libstrongswan_medcli_la_rpath) $(libstrongswan_medcli_la_OBJECTS) $(libstrongswan_medcli_la_LIBADD) $(LIBS)
+	$(AM_V_CCLD)$(libstrongswan_medcli_la_LINK) $(am_libstrongswan_medcli_la_rpath) $(libstrongswan_medcli_la_OBJECTS) $(libstrongswan_medcli_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -424,25 +452,25 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/medcli_plugin.Plo@am__quote@
 
 .c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
 mostlyclean-libtool:
 	-rm -f *.lo
diff --git a/src/libcharon/plugins/medcli/medcli_plugin.c b/src/libcharon/plugins/medcli/medcli_plugin.c
index 469915476..e6a8a8981 100644
--- a/src/libcharon/plugins/medcli/medcli_plugin.c
+++ b/src/libcharon/plugins/medcli/medcli_plugin.c
@@ -1,4 +1,5 @@
 /*
+ * Copyright (C) 2013 Tobias Brunner
  * Copyright (C) 2008 Martin Willi
  * Hochschule fuer Technik Rapperswil
  *
@@ -60,16 +61,67 @@ METHOD(plugin_t, get_name, char*,
 	return "medcli";
 }
 
+/**
+ * Connect to database
+ */
+static bool open_database(private_medcli_plugin_t *this,
+						  plugin_feature_t *feature, bool reg, void *cb_data)
+{
+	if (reg)
+	{
+		char *uri;
+
+		uri = lib->settings->get_str(lib->settings,
+									 "medcli.database", NULL);
+		if (!uri)
+		{
+			DBG1(DBG_CFG, "mediation client database URI not defined, skipped");
+			return FALSE;
+		}
+
+		this->db = lib->db->create(lib->db, uri);
+		if (this->db == NULL)
+		{
+			DBG1(DBG_CFG, "opening mediation client database failed");
+			return FALSE;
+		}
+
+		this->creds = medcli_creds_create(this->db);
+		this->config = medcli_config_create(this->db);
+		this->listener = medcli_listener_create(this->db);
+
+		lib->credmgr->add_set(lib->credmgr, &this->creds->set);
+		charon->backends->add_backend(charon->backends, &this->config->backend);
+		charon->bus->add_listener(charon->bus, &this->listener->listener);
+	}
+	else
+	{
+		charon->bus->remove_listener(charon->bus, &this->listener->listener);
+		charon->backends->remove_backend(charon->backends, &this->config->backend);
+		lib->credmgr->remove_set(lib->credmgr, &this->creds->set);
+		this->listener->destroy(this->listener);
+		this->config->destroy(this->config);
+		this->creds->destroy(this->creds);
+		this->db->destroy(this->db);
+	}
+	return TRUE;
+}
+
+METHOD(plugin_t, get_features, int,
+	private_medcli_plugin_t *this, plugin_feature_t *features[])
+{
+	static plugin_feature_t f[] = {
+		PLUGIN_CALLBACK((plugin_feature_callback_t)open_database, NULL),
+			PLUGIN_PROVIDE(CUSTOM, "medcli"),
+				PLUGIN_DEPENDS(DATABASE, DB_ANY),
+	};
+	*features = f;
+	return countof(f);
+}
+
 METHOD(plugin_t, destroy, void,
 	private_medcli_plugin_t *this)
 {
-	charon->bus->remove_listener(charon->bus, &this->listener->listener);
-	charon->backends->remove_backend(charon->backends, &this->config->backend);
-	lib->credmgr->remove_set(lib->credmgr, &this->creds->set);
-	this->listener->destroy(this->listener);
-	this->config->destroy(this->config);
-	this->creds->destroy(this->creds);
-	this->db->destroy(this->db);
 	free(this);
 }
 
@@ -78,44 +130,17 @@ METHOD(plugin_t, destroy, void,
  */
 plugin_t *medcli_plugin_create()
 {
-	char *uri;
 	private_medcli_plugin_t *this;
 
 	INIT(this,
 		.public = {
 			.plugin = {
 				.get_name = _get_name,
-				.reload = (void*)return_false,
+				.get_features = _get_features,
 				.destroy = _destroy,
 			},
 		},
 	);
 
-	uri = lib->settings->get_str(lib->settings,
-								 "medcli.database", NULL);
-	if (!uri)
-	{
-		DBG1(DBG_CFG, "mediation client database URI not defined, skipped");
-		free(this);
-		return NULL;
-	}
-
-	this->db = lib->db->create(lib->db, uri);
-	if (this->db == NULL)
-	{
-		DBG1(DBG_CFG, "opening mediation client database failed");
-		free(this);
-		return NULL;
-	}
-
-	this->creds = medcli_creds_create(this->db);
-	this->config = medcli_config_create(this->db);
-	this->listener = medcli_listener_create(this->db);
-
-	lib->credmgr->add_set(lib->credmgr, &this->creds->set);
-	charon->backends->add_backend(charon->backends, &this->config->backend);
-	charon->bus->add_listener(charon->bus, &this->listener->listener);
-
 	return &this->public.plugin;
 }
-
diff --git a/src/libcharon/plugins/medsrv/Makefile.am b/src/libcharon/plugins/medsrv/Makefile.am
index 7f5c8e2b3..ec305da21 100644
--- a/src/libcharon/plugins/medsrv/Makefile.am
+++ b/src/libcharon/plugins/medsrv/Makefile.am
@@ -1,8 +1,10 @@
-
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon
 
-AM_CFLAGS = -rdynamic
+AM_CFLAGS = \
+	-rdynamic
 
 if MONOLITHIC
 noinst_LTLIBRARIES = libstrongswan-medsrv.la
diff --git a/src/libcharon/plugins/medsrv/Makefile.in b/src/libcharon/plugins/medsrv/Makefile.in
index 770cd8ce0..3582acbcc 100644
--- a/src/libcharon/plugins/medsrv/Makefile.in
+++ b/src/libcharon/plugins/medsrv/Makefile.in
@@ -62,7 +62,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
@@ -103,9 +103,13 @@ am_libstrongswan_medsrv_la_OBJECTS = medsrv_plugin.lo medsrv_creds.lo \
 	medsrv_config.lo
 libstrongswan_medsrv_la_OBJECTS =  \
 	$(am_libstrongswan_medsrv_la_OBJECTS)
-libstrongswan_medsrv_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
-	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
-	$(libstrongswan_medsrv_la_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+libstrongswan_medsrv_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
+	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
+	$(AM_CFLAGS) $(CFLAGS) $(libstrongswan_medsrv_la_LDFLAGS) \
+	$(LDFLAGS) -o $@
 @MONOLITHIC_FALSE@am_libstrongswan_medsrv_la_rpath = -rpath \
 @MONOLITHIC_FALSE@	$(plugindir)
 @MONOLITHIC_TRUE@am_libstrongswan_medsrv_la_rpath =
@@ -115,13 +119,26 @@ am__depfiles_maybe = depfiles
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
 SOURCES = $(libstrongswan_medsrv_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_medsrv_la_SOURCES)
 am__can_run_installinfo = \
@@ -135,6 +152,7 @@ DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
@@ -147,6 +165,8 @@ CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
 CHECK_CFLAGS = @CHECK_CFLAGS@
 CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -162,6 +182,7 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
 GPRBUILD = @GPRBUILD@
 GREP = @GREP@
@@ -170,6 +191,7 @@ INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -216,6 +238,7 @@ SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -244,6 +267,7 @@ charon_natt_port = @charon_natt_port@
 charon_plugins = @charon_plugins@
 charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
@@ -321,10 +345,14 @@ top_srcdir = @top_srcdir@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon
 
-AM_CFLAGS = -rdynamic
+AM_CFLAGS = \
+	-rdynamic
+
 @MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-medsrv.la
 @MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-medsrv.la
 libstrongswan_medsrv_la_SOURCES = \
@@ -409,7 +437,7 @@ clean-pluginLTLIBRARIES:
 	  rm -f "$${dir}/so_locations"; \
 	done
 libstrongswan-medsrv.la: $(libstrongswan_medsrv_la_OBJECTS) $(libstrongswan_medsrv_la_DEPENDENCIES) $(EXTRA_libstrongswan_medsrv_la_DEPENDENCIES) 
-	$(libstrongswan_medsrv_la_LINK) $(am_libstrongswan_medsrv_la_rpath) $(libstrongswan_medsrv_la_OBJECTS) $(libstrongswan_medsrv_la_LIBADD) $(LIBS)
+	$(AM_V_CCLD)$(libstrongswan_medsrv_la_LINK) $(am_libstrongswan_medsrv_la_rpath) $(libstrongswan_medsrv_la_OBJECTS) $(libstrongswan_medsrv_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -422,25 +450,25 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/medsrv_plugin.Plo@am__quote@
 
 .c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
 mostlyclean-libtool:
 	-rm -f *.lo
diff --git a/src/libcharon/plugins/medsrv/medsrv_plugin.c b/src/libcharon/plugins/medsrv/medsrv_plugin.c
index 5df46d04f..fcc8502f8 100644
--- a/src/libcharon/plugins/medsrv/medsrv_plugin.c
+++ b/src/libcharon/plugins/medsrv/medsrv_plugin.c
@@ -1,4 +1,5 @@
 /*
+ * Copyright (C) 2013 Tobias Brunner
  * Copyright (C) 2008 Martin Willi
  * Hochschule fuer Technik Rapperswil
  *
@@ -54,14 +55,63 @@ METHOD(plugin_t, get_name, char*,
 	return "medsrv";
 }
 
+/**
+ * Connect to database
+ */
+static bool open_database(private_medsrv_plugin_t *this,
+						  plugin_feature_t *feature, bool reg, void *cb_data)
+{
+	if (reg)
+	{
+		char *uri;
+
+		uri = lib->settings->get_str(lib->settings,
+									 "medsrv.database", NULL);
+		if (!uri)
+		{
+			DBG1(DBG_CFG, "mediation database URI not defined, skipped");
+			return FALSE;
+		}
+
+		this->db = lib->db->create(lib->db, uri);
+		if (this->db == NULL)
+		{
+			DBG1(DBG_CFG, "opening mediation server database failed");
+			return FALSE;
+		}
+
+		this->creds = medsrv_creds_create(this->db);
+		this->config = medsrv_config_create(this->db);
+
+		lib->credmgr->add_set(lib->credmgr, &this->creds->set);
+		charon->backends->add_backend(charon->backends, &this->config->backend);
+	}
+	else
+	{
+		charon->backends->remove_backend(charon->backends, &this->config->backend);
+		lib->credmgr->remove_set(lib->credmgr, &this->creds->set);
+		this->config->destroy(this->config);
+		this->creds->destroy(this->creds);
+		this->db->destroy(this->db);
+	}
+	return TRUE;
+}
+
+METHOD(plugin_t, get_features, int,
+	private_medsrv_plugin_t *this, plugin_feature_t *features[])
+{
+	static plugin_feature_t f[] = {
+		PLUGIN_CALLBACK((plugin_feature_callback_t)open_database, NULL),
+			PLUGIN_PROVIDE(CUSTOM, "medsrv"),
+				PLUGIN_DEPENDS(DATABASE, DB_ANY),
+	};
+	*features = f;
+	return countof(f);
+}
+
 METHOD(plugin_t, destroy, void,
 	private_medsrv_plugin_t *this)
 {
-	charon->backends->remove_backend(charon->backends, &this->config->backend);
-	lib->credmgr->remove_set(lib->credmgr, &this->creds->set);
-	this->config->destroy(this->config);
-	this->creds->destroy(this->creds);
-	this->db->destroy(this->db);
 	free(this);
 }
 
@@ -70,42 +120,17 @@ METHOD(plugin_t, destroy, void,
  */
 plugin_t *medsrv_plugin_create()
 {
-	char *uri;
 	private_medsrv_plugin_t *this;
 
 	INIT(this,
 		.public = {
 			.plugin = {
 				.get_name = _get_name,
-				.reload = (void*)return_false,
+				.get_features = _get_features,
 				.destroy = _destroy,
 			},
 		},
 	);
 
-	uri = lib->settings->get_str(lib->settings,
-								 "medsrv.database", NULL);
-	if (!uri)
-	{
-		DBG1(DBG_CFG, "mediation database URI not defined, skipped");
-		free(this);
-		return NULL;
-	}
-
-	this->db = lib->db->create(lib->db, uri);
-	if (this->db == NULL)
-	{
-		DBG1(DBG_CFG, "opening mediation server database failed");
-		free(this);
-		return NULL;
-	}
-
-	this->creds = medsrv_creds_create(this->db);
-	this->config = medsrv_config_create(this->db);
-
-	lib->credmgr->add_set(lib->credmgr, &this->creds->set);
-	charon->backends->add_backend(charon->backends, &this->config->backend);
-
 	return &this->public.plugin;
 }
-
diff --git a/src/libcharon/plugins/osx_attr/Makefile.am b/src/libcharon/plugins/osx_attr/Makefile.am
new file mode 100644
index 000000000..f1ff22e60
--- /dev/null
+++ b/src/libcharon/plugins/osx_attr/Makefile.am
@@ -0,0 +1,20 @@
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon
+
+AM_CFLAGS = \
+	-rdynamic
+
+if MONOLITHIC
+noinst_LTLIBRARIES = libstrongswan-osx-attr.la
+else
+plugin_LTLIBRARIES = libstrongswan-osx-attr.la
+endif
+
+libstrongswan_osx_attr_la_SOURCES = \
+	osx_attr_plugin.c osx_attr_plugin.h \
+	osx_attr_handler.c osx_attr_handler.h
+
+libstrongswan_osx_attr_la_LDFLAGS = -module -avoid-version \
+	-framework SystemConfiguration -framework CoreFoundation
diff --git a/src/libcharon/plugins/osx_attr/Makefile.in b/src/libcharon/plugins/osx_attr/Makefile.in
new file mode 100644
index 000000000..2e21111c7
--- /dev/null
+++ b/src/libcharon/plugins/osx_attr/Makefile.in
@@ -0,0 +1,689 @@
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
+pkgdatadir = $(datadir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+subdir = src/libcharon/plugins/osx_attr
+DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+	$(top_srcdir)/m4/config/ltoptions.m4 \
+	$(top_srcdir)/m4/config/ltsugar.m4 \
+	$(top_srcdir)/m4/config/ltversion.m4 \
+	$(top_srcdir)/m4/config/lt~obsolete.m4 \
+	$(top_srcdir)/m4/macros/with.m4 \
+	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
+	$(top_srcdir)/configure.ac
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+	$(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_HEADER = $(top_builddir)/config.h
+CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+    *) f=$$p;; \
+  esac;
+am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
+am__install_max = 40
+am__nobase_strip_setup = \
+  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
+am__nobase_strip = \
+  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
+am__nobase_list = $(am__nobase_strip_setup); \
+  for p in $$list; do echo "$$p $$p"; done | \
+  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
+  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
+    if (++n[$$2] == $(am__install_max)) \
+      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
+    END { for (dir in files) print dir, files[dir] }'
+am__base_list = \
+  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
+  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
+am__installdirs = "$(DESTDIR)$(plugindir)"
+LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
+libstrongswan_osx_attr_la_LIBADD =
+am_libstrongswan_osx_attr_la_OBJECTS = osx_attr_plugin.lo \
+	osx_attr_handler.lo
+libstrongswan_osx_attr_la_OBJECTS =  \
+	$(am_libstrongswan_osx_attr_la_OBJECTS)
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+libstrongswan_osx_attr_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
+	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
+	$(AM_CFLAGS) $(CFLAGS) $(libstrongswan_osx_attr_la_LDFLAGS) \
+	$(LDFLAGS) -o $@
+@MONOLITHIC_FALSE@am_libstrongswan_osx_attr_la_rpath = -rpath \
+@MONOLITHIC_FALSE@	$(plugindir)
+@MONOLITHIC_TRUE@am_libstrongswan_osx_attr_la_rpath =
+DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
+depcomp = $(SHELL) $(top_srcdir)/depcomp
+am__depfiles_maybe = depfiles
+am__mv = mv -f
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
+CCLD = $(CC)
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
+SOURCES = $(libstrongswan_osx_attr_la_SOURCES)
+DIST_SOURCES = $(libstrongswan_osx_attr_la_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
+ETAGS = etags
+CTAGS = ctags
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
+AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+BFDLIB = @BFDLIB@
+BTLIB = @BTLIB@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
+DSYMUTIL = @DSYMUTIL@
+DUMPBIN = @DUMPBIN@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+FGREP = @FGREP@
+GENHTML = @GENHTML@
+GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
+GREP = @GREP@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
+LD = @LD@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LIPO = @LIPO@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
+MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
+NM = @NM@
+NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
+PTHREADLIB = @PTHREADLIB@
+RANLIB = @RANLIB@
+RTLIB = @RTLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
+SED = @SED@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
+STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
+VERSION = @VERSION@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+attest_plugins = @attest_plugins@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+c_plugins = @c_plugins@
+charon_natt_port = @charon_natt_port@
+charon_plugins = @charon_plugins@
+charon_udp_port = @charon_udp_port@
+clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
+datadir = @datadir@
+datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
+dev_headers = @dev_headers@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
+gtk_CFLAGS = @gtk_CFLAGS@
+gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+imcvdir = @imcvdir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+ipsec_script = @ipsec_script@
+ipsec_script_upper = @ipsec_script_upper@
+ipsecdir = @ipsecdir@
+ipsecgroup = @ipsecgroup@
+ipseclibdir = @ipseclibdir@
+ipsecuser = @ipsecuser@
+libdir = @libdir@
+libexecdir = @libexecdir@
+linux_headers = @linux_headers@
+localedir = @localedir@
+localstatedir = @localstatedir@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
+mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
+mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
+nm_plugins = @nm_plugins@
+oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+pcsclite_CFLAGS = @pcsclite_CFLAGS@
+pcsclite_LIBS = @pcsclite_LIBS@
+pdfdir = @pdfdir@
+piddir = @piddir@
+pki_plugins = @pki_plugins@
+plugindir = @plugindir@
+pool_plugins = @pool_plugins@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+random_device = @random_device@
+resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
+sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
+sharedstatedir = @sharedstatedir@
+soup_CFLAGS = @soup_CFLAGS@
+soup_LIBS = @soup_LIBS@
+srcdir = @srcdir@
+starter_plugins = @starter_plugins@
+strongswan_conf = @strongswan_conf@
+sysconfdir = @sysconfdir@
+systemdsystemunitdir = @systemdsystemunitdir@
+target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+urandom_device = @urandom_device@
+xml_CFLAGS = @xml_CFLAGS@
+xml_LIBS = @xml_LIBS@
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon
+
+AM_CFLAGS = \
+	-rdynamic
+
+@MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-osx-attr.la
+@MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-osx-attr.la
+libstrongswan_osx_attr_la_SOURCES = \
+	osx_attr_plugin.c osx_attr_plugin.h \
+	osx_attr_handler.c osx_attr_handler.h
+
+libstrongswan_osx_attr_la_LDFLAGS = -module -avoid-version \
+	-framework SystemConfiguration -framework CoreFoundation
+
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .c .lo .o .obj
+$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
+	@for dep in $?; do \
+	  case '$(am__configure_deps)' in \
+	    *$$dep*) \
+	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+	        && { if test -f $@; then exit 0; else break; fi; }; \
+	      exit 1;; \
+	  esac; \
+	done; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libcharon/plugins/osx_attr/Makefile'; \
+	$(am__cd) $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu src/libcharon/plugins/osx_attr/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+	@case '$?' in \
+	  *config.status*) \
+	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+	  *) \
+	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+	esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure:  $(am__configure_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
+
+clean-noinstLTLIBRARIES:
+	-test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES)
+	@list='$(noinst_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
+	@$(NORMAL_INSTALL)
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	list2=; for p in $$list; do \
+	  if test -f $$p; then \
+	    list2="$$list2 $$p"; \
+	  else :; fi; \
+	done; \
+	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
+	}
+
+uninstall-pluginLTLIBRARIES:
+	@$(NORMAL_UNINSTALL)
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	for p in $$list; do \
+	  $(am__strip_dir) \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \
+	done
+
+clean-pluginLTLIBRARIES:
+	-test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES)
+	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+libstrongswan-osx-attr.la: $(libstrongswan_osx_attr_la_OBJECTS) $(libstrongswan_osx_attr_la_DEPENDENCIES) $(EXTRA_libstrongswan_osx_attr_la_DEPENDENCIES) 
+	$(AM_V_CCLD)$(libstrongswan_osx_attr_la_LINK) $(am_libstrongswan_osx_attr_la_rpath) $(libstrongswan_osx_attr_la_OBJECTS) $(libstrongswan_osx_attr_la_LIBADD) $(LIBS)
+
+mostlyclean-compile:
+	-rm -f *.$(OBJEXT)
+
+distclean-compile:
+	-rm -f *.tab.c
+
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/osx_attr_handler.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/osx_attr_plugin.Plo@am__quote@
+
+.c.o:
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
+
+.c.obj:
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
+
+.c.lo:
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	mkid -fID $$unique
+tags: TAGS
+
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	set x; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	shift; \
+	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
+	  test -n "$$unique" || unique=$$empty_fix; \
+	  if test $$# -gt 0; then \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      "$$@" $$unique; \
+	  else \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      $$unique; \
+	  fi; \
+	fi
+ctags: CTAGS
+CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	test -z "$(CTAGS_ARGS)$$unique" \
+	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+	     $$unique
+
+GTAGS:
+	here=`$(am__cd) $(top_builddir) && pwd` \
+	  && $(am__cd) $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) "$$here"
+
+distclean-tags:
+	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+distdir: $(DISTFILES)
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
+	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d "$(distdir)/$$file"; then \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
+	  else \
+	    test -f "$(distdir)/$$file" \
+	    || cp -p $$d/$$file "$(distdir)/$$file" \
+	    || exit 1; \
+	  fi; \
+	done
+check-am: all-am
+check: check-am
+all-am: Makefile $(LTLIBRARIES)
+installdirs:
+	for dir in "$(DESTDIR)$(plugindir)"; do \
+	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
+	done
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
+
+maintainer-clean-generic:
+	@echo "This command is intended for maintainers to use"
+	@echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-generic clean-libtool clean-noinstLTLIBRARIES \
+	clean-pluginLTLIBRARIES mostlyclean-am
+
+distclean: distclean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+	distclean-tags
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+html-am:
+
+info: info-am
+
+info-am:
+
+install-data-am: install-pluginLTLIBRARIES
+
+install-dvi: install-dvi-am
+
+install-dvi-am:
+
+install-exec-am:
+
+install-html: install-html-am
+
+install-html-am:
+
+install-info: install-info-am
+
+install-info-am:
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-pdf-am:
+
+install-ps: install-ps-am
+
+install-ps-am:
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+	mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am: uninstall-pluginLTLIBRARIES
+
+.MAKE: install-am install-strip
+
+.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
+	clean-libtool clean-noinstLTLIBRARIES clean-pluginLTLIBRARIES \
+	ctags distclean distclean-compile distclean-generic \
+	distclean-libtool distclean-tags distdir dvi dvi-am html \
+	html-am info info-am install install-am install-data \
+	install-data-am install-dvi install-dvi-am install-exec \
+	install-exec-am install-html install-html-am install-info \
+	install-info-am install-man install-pdf install-pdf-am \
+	install-pluginLTLIBRARIES install-ps install-ps-am \
+	install-strip installcheck installcheck-am installdirs \
+	maintainer-clean maintainer-clean-generic mostlyclean \
+	mostlyclean-compile mostlyclean-generic mostlyclean-libtool \
+	pdf pdf-am ps ps-am tags uninstall uninstall-am \
+	uninstall-pluginLTLIBRARIES
+
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/src/libcharon/plugins/osx_attr/osx_attr_handler.c b/src/libcharon/plugins/osx_attr/osx_attr_handler.c
new file mode 100644
index 000000000..9a3b2701d
--- /dev/null
+++ b/src/libcharon/plugins/osx_attr/osx_attr_handler.c
@@ -0,0 +1,246 @@
+/*
+ * Copyright (C) 2013 Martin Willi
+ * Copyright (C) 2013 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "osx_attr_handler.h"
+
+#include <networking/host.h>
+#include <utils/debug.h>
+
+#include <SystemConfiguration/SCDynamicStore.h>
+
+typedef struct private_osx_attr_handler_t private_osx_attr_handler_t;
+
+/**
+ * Private data of an osx_attr_handler_t object.
+ */
+struct private_osx_attr_handler_t {
+
+	/**
+	 * Public interface
+	 */
+	osx_attr_handler_t public;
+};
+
+/**
+ * Create a path to the DNS configuration of the Primary IPv4 Service
+ */
+static CFStringRef create_dns_path(SCDynamicStoreRef store)
+{
+	CFStringRef service, path = NULL;
+	CFDictionaryRef dict;
+
+	/* get primary service */
+	dict = SCDynamicStoreCopyValue(store, CFSTR("State:/Network/Global/IPv4"));
+	if (dict)
+	{
+		service = CFDictionaryGetValue(dict, CFSTR("PrimaryService"));
+		if (service)
+		{
+			path = CFStringCreateWithFormat(NULL, NULL,
+								CFSTR("State:/Network/Service/%@/DNS"), service);
+		}
+		else
+		{
+			DBG1(DBG_CFG, "SystemConfiguration PrimaryService not known");
+		}
+		CFRelease(dict);
+	}
+	else
+	{
+		DBG1(DBG_CFG, "getting global IPv4 SystemConfiguration failed");
+	}
+	return path;
+}
+
+/**
+ * Create a mutable dictionary from path, a new one if not found
+ */
+static CFMutableDictionaryRef get_dictionary(SCDynamicStoreRef store,
+											 CFStringRef path)
+{
+	CFDictionaryRef dict;
+	CFMutableDictionaryRef mut = NULL;
+
+	dict = SCDynamicStoreCopyValue(store, path);
+	if (dict)
+	{
+		if (CFGetTypeID(dict) == CFDictionaryGetTypeID())
+		{
+			mut = CFDictionaryCreateMutableCopy(NULL, 0, dict);
+		}
+		CFRelease(dict);
+	}
+	if (!mut)
+	{
+		mut = CFDictionaryCreateMutable(NULL, 0,
+										&kCFTypeDictionaryKeyCallBacks,
+										&kCFTypeDictionaryValueCallBacks);
+	}
+	return mut;
+}
+
+/**
+ * Create a mutable array from dictionary path, a new one if not found
+ */
+static CFMutableArrayRef get_array_from_dict(CFDictionaryRef dict,
+											 CFStringRef name)
+{
+	CFArrayRef arr;
+
+	arr = CFDictionaryGetValue(dict, name);
+	if (arr && CFGetTypeID(arr) == CFArrayGetTypeID())
+	{
+		return CFArrayCreateMutableCopy(NULL, 0, arr);
+	}
+	return CFArrayCreateMutable(NULL, 0, &kCFTypeArrayCallBacks);
+}
+
+/**
+ * Add/Remove a DNS server to the configuration
+ */
+static bool manage_dns(int family, chunk_t data, bool add)
+{
+	SCDynamicStoreRef store;
+	CFStringRef path, dns;
+	CFMutableArrayRef arr;
+	CFMutableDictionaryRef dict;
+	CFIndex i;
+	host_t *server;
+	char buf[64];
+	bool success = FALSE;
+
+	server = host_create_from_chunk(family, data, 0);
+	if (!server)
+	{
+		return FALSE;
+	}
+	snprintf(buf, sizeof(buf), "%H", server);
+	server->destroy(server);
+
+	store = SCDynamicStoreCreate(NULL, CFSTR("osx-attr"), NULL, NULL);
+	path = create_dns_path(store);
+	if (path)
+	{
+		dict = get_dictionary(store, path);
+		arr = get_array_from_dict(dict, CFSTR("ServerAddresses"));
+		dns = CFStringCreateWithCString(NULL, buf, kCFStringEncodingUTF8);
+		if (add)
+		{
+			DBG1(DBG_CFG, "installing %s as DNS server", buf);
+			CFArrayInsertValueAtIndex(arr, 0, dns);
+		}
+		else
+		{
+			i = CFArrayGetFirstIndexOfValue(arr,
+									CFRangeMake(0, CFArrayGetCount(arr)), dns);
+			if (i >= 0)
+			{
+				DBG1(DBG_CFG, "removing %s from DNS servers (%d)", buf, i);
+				CFArrayRemoveValueAtIndex(arr, i);
+			}
+		}
+		CFRelease(dns);
+		CFDictionarySetValue(dict, CFSTR("ServerAddresses"), arr);
+		CFRelease(arr);
+
+		success = SCDynamicStoreSetValue(store, path, dict);
+		CFRelease(dict);
+		CFRelease(path);
+	}
+	CFRelease(store);
+
+	if (!success)
+	{
+		DBG1(DBG_CFG, "adding DNS server to SystemConfiguration failed");
+	}
+	return success;
+}
+
+METHOD(attribute_handler_t, handle, bool,
+	private_osx_attr_handler_t *this, identification_t *id,
+	configuration_attribute_type_t type, chunk_t data)
+{
+	switch (type)
+	{
+		case INTERNAL_IP4_DNS:
+			return manage_dns(AF_INET, data, TRUE);
+		default:
+			return FALSE;
+	}
+}
+
+METHOD(attribute_handler_t, release, void,
+	private_osx_attr_handler_t *this, identification_t *server,
+	configuration_attribute_type_t type, chunk_t data)
+{
+	switch (type)
+	{
+		case INTERNAL_IP4_DNS:
+			manage_dns(AF_INET, data, FALSE);
+			break;
+		default:
+			break;
+	}
+}
+
+METHOD(enumerator_t, enumerate_dns, bool,
+	enumerator_t *this, configuration_attribute_type_t *type, chunk_t *data)
+{
+	*type = INTERNAL_IP4_DNS;
+	*data = chunk_empty;
+	/* stop enumeration */
+	this->enumerate = (void*)return_false;
+	return TRUE;
+}
+
+METHOD(attribute_handler_t, create_attribute_enumerator, enumerator_t *,
+	private_osx_attr_handler_t *this, identification_t *id,
+	linked_list_t *vips)
+{
+	enumerator_t *enumerator;
+
+	INIT(enumerator,
+		.enumerate = (void*)_enumerate_dns,
+		.destroy = (void*)free,
+	);
+	return enumerator;
+}
+
+METHOD(osx_attr_handler_t, destroy, void,
+	private_osx_attr_handler_t *this)
+{
+	free(this);
+}
+
+/**
+ * See header
+ */
+osx_attr_handler_t *osx_attr_handler_create()
+{
+	private_osx_attr_handler_t *this;
+
+	INIT(this,
+		.public = {
+			.handler = {
+				.handle = _handle,
+				.release = _release,
+				.create_attribute_enumerator = _create_attribute_enumerator,
+			},
+			.destroy = _destroy,
+		},
+	);
+
+	return &this->public;
+}
diff --git a/src/libcharon/plugins/osx_attr/osx_attr_handler.h b/src/libcharon/plugins/osx_attr/osx_attr_handler.h
new file mode 100644
index 000000000..c1f979bcd
--- /dev/null
+++ b/src/libcharon/plugins/osx_attr/osx_attr_handler.h
@@ -0,0 +1,49 @@
+/*
+ * Copyright (C) 2013 Martin Willi
+ * Copyright (C) 2013 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup osx_attr_handler osx_attr_handler
+ * @{ @ingroup osx_attr
+ */
+
+#ifndef OSX_ATTR_HANDLER_H_
+#define OSX_ATTR_HANDLER_H_
+
+#include <attributes/attribute_handler.h>
+
+typedef struct osx_attr_handler_t osx_attr_handler_t;
+
+/**
+ * OS X specific attribute handler, using SystemConfiguration framework.
+ */
+struct osx_attr_handler_t {
+
+	/**
+	 * Implements attribute_handler_t.
+	 */
+	attribute_handler_t handler;
+
+	/**
+	 * Destroy a osx_attr_handler_t.
+	 */
+	void (*destroy)(osx_attr_handler_t *this);
+};
+
+/**
+ * Create an osx_attr_handler_t instance.
+ */
+osx_attr_handler_t *osx_attr_handler_create();
+
+#endif /** OSX_ATTR_HANDLER_H_ @}*/
diff --git a/src/libcharon/plugins/osx_attr/osx_attr_plugin.c b/src/libcharon/plugins/osx_attr/osx_attr_plugin.c
new file mode 100644
index 000000000..380483c23
--- /dev/null
+++ b/src/libcharon/plugins/osx_attr/osx_attr_plugin.c
@@ -0,0 +1,102 @@
+/*
+ * Copyright (C) 2013 Martin Willi
+ * Copyright (C) 2013 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "osx_attr_plugin.h"
+#include "osx_attr_handler.h"
+
+#include <hydra.h>
+#include <daemon.h>
+
+typedef struct private_osx_attr_plugin_t private_osx_attr_plugin_t;
+
+/**
+ * Private data of an osx_attr_plugin_t object.
+ */
+struct private_osx_attr_plugin_t {
+
+	/**
+	 * Public interface
+	 */
+	osx_attr_plugin_t public;
+
+	/**
+	 * Android specific DNS handler
+	 */
+	osx_attr_handler_t *handler;
+};
+
+METHOD(plugin_t, get_name, char*,
+	private_osx_attr_plugin_t *this)
+{
+	return "osx-attr";
+}
+
+/**
+ * Register handler
+ */
+static bool plugin_cb(private_osx_attr_plugin_t *this,
+					  plugin_feature_t *feature, bool reg, void *cb_data)
+{
+	if (reg)
+	{
+		hydra->attributes->add_handler(hydra->attributes,
+									   &this->handler->handler);
+	}
+	else
+	{
+		hydra->attributes->remove_handler(hydra->attributes,
+										  &this->handler->handler);
+	}
+	return TRUE;
+}
+
+METHOD(plugin_t, get_features, int,
+	private_osx_attr_plugin_t *this, plugin_feature_t *features[])
+{
+	static plugin_feature_t f[] = {
+		PLUGIN_CALLBACK((plugin_feature_callback_t)plugin_cb, NULL),
+			PLUGIN_PROVIDE(CUSTOM, "osx-attr"),
+	};
+	*features = f;
+	return countof(f);
+}
+
+METHOD(plugin_t, destroy, void,
+	private_osx_attr_plugin_t *this)
+{
+	this->handler->destroy(this->handler);
+	free(this);
+}
+
+/**
+ * See header
+ */
+plugin_t *osx_attr_plugin_create()
+{
+	private_osx_attr_plugin_t *this;
+
+	INIT(this,
+		.public = {
+			.plugin = {
+				.get_name = _get_name,
+				.get_features = _get_features,
+				.destroy = _destroy,
+			},
+		},
+		.handler = osx_attr_handler_create(),
+	);
+
+	return &this->public.plugin;
+}
diff --git a/src/libcharon/plugins/osx_attr/osx_attr_plugin.h b/src/libcharon/plugins/osx_attr/osx_attr_plugin.h
new file mode 100644
index 000000000..761379386
--- /dev/null
+++ b/src/libcharon/plugins/osx_attr/osx_attr_plugin.h
@@ -0,0 +1,42 @@
+/*
+ * Copyright (C) 2013 Martin Willi
+ * Copyright (C) 2013 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup osx_attr osx_attr
+ * @ingroup cplugins
+ *
+ * @defgroup osx_attr_plugin osx_attr_plugin
+ * @{ @ingroup osx_attr
+ */
+
+#ifndef OSX_ATTR_PLUGIN_H_
+#define OSX_ATTR_PLUGIN_H_
+
+#include <plugins/plugin.h>
+
+typedef struct osx_attr_plugin_t osx_attr_plugin_t;
+
+/**
+ * Plugin providing an OS X specific configuration attribute handler.
+ */
+struct osx_attr_plugin_t {
+
+	/**
+	 * Implements plugin interface.
+	 */
+	plugin_t plugin;
+};
+
+#endif /** OSX_ATTR_PLUGIN_H_ @}*/
diff --git a/src/libcharon/plugins/radattr/Makefile.am b/src/libcharon/plugins/radattr/Makefile.am
index 0ea8df5d1..a0b0584d6 100644
--- a/src/libcharon/plugins/radattr/Makefile.am
+++ b/src/libcharon/plugins/radattr/Makefile.am
@@ -1,8 +1,11 @@
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon \
+	-I$(top_srcdir)/src/libradius
 
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
-	-I$(top_srcdir)/src/libcharon -I$(top_srcdir)/src/libradius
-
-AM_CFLAGS = -rdynamic
+AM_CFLAGS = \
+	-rdynamic
 
 if MONOLITHIC
 noinst_LTLIBRARIES = libstrongswan-radattr.la
diff --git a/src/libcharon/plugins/radattr/Makefile.in b/src/libcharon/plugins/radattr/Makefile.in
index e3b359174..36052f025 100644
--- a/src/libcharon/plugins/radattr/Makefile.in
+++ b/src/libcharon/plugins/radattr/Makefile.in
@@ -62,7 +62,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
@@ -104,9 +104,13 @@ am_libstrongswan_radattr_la_OBJECTS = radattr_plugin.lo \
 	radattr_listener.lo
 libstrongswan_radattr_la_OBJECTS =  \
 	$(am_libstrongswan_radattr_la_OBJECTS)
-libstrongswan_radattr_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
-	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
-	$(libstrongswan_radattr_la_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+libstrongswan_radattr_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
+	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
+	$(AM_CFLAGS) $(CFLAGS) $(libstrongswan_radattr_la_LDFLAGS) \
+	$(LDFLAGS) -o $@
 @MONOLITHIC_FALSE@am_libstrongswan_radattr_la_rpath = -rpath \
 @MONOLITHIC_FALSE@	$(plugindir)
 @MONOLITHIC_TRUE@am_libstrongswan_radattr_la_rpath =
@@ -116,13 +120,26 @@ am__depfiles_maybe = depfiles
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
 SOURCES = $(libstrongswan_radattr_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_radattr_la_SOURCES)
 am__can_run_installinfo = \
@@ -136,6 +153,7 @@ DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
@@ -148,6 +166,8 @@ CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
 CHECK_CFLAGS = @CHECK_CFLAGS@
 CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -163,6 +183,7 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
 GPRBUILD = @GPRBUILD@
 GREP = @GREP@
@@ -171,6 +192,7 @@ INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -217,6 +239,7 @@ SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -245,6 +268,7 @@ charon_natt_port = @charon_natt_port@
 charon_plugins = @charon_plugins@
 charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
@@ -322,10 +346,15 @@ top_srcdir = @top_srcdir@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
-	-I$(top_srcdir)/src/libcharon -I$(top_srcdir)/src/libradius
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon \
+	-I$(top_srcdir)/src/libradius
+
+AM_CFLAGS = \
+	-rdynamic
 
-AM_CFLAGS = -rdynamic
 @MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-radattr.la
 @MONOLITHIC_FALSE@libstrongswan_radattr_la_LIBADD = $(top_builddir)/src/libradius/libradius.la
 @MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-radattr.la
@@ -409,7 +438,7 @@ clean-pluginLTLIBRARIES:
 	  rm -f "$${dir}/so_locations"; \
 	done
 libstrongswan-radattr.la: $(libstrongswan_radattr_la_OBJECTS) $(libstrongswan_radattr_la_DEPENDENCIES) $(EXTRA_libstrongswan_radattr_la_DEPENDENCIES) 
-	$(libstrongswan_radattr_la_LINK) $(am_libstrongswan_radattr_la_rpath) $(libstrongswan_radattr_la_OBJECTS) $(libstrongswan_radattr_la_LIBADD) $(LIBS)
+	$(AM_V_CCLD)$(libstrongswan_radattr_la_LINK) $(am_libstrongswan_radattr_la_rpath) $(libstrongswan_radattr_la_OBJECTS) $(libstrongswan_radattr_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -421,25 +450,25 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/radattr_plugin.Plo@am__quote@
 
 .c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
 mostlyclean-libtool:
 	-rm -f *.lo
diff --git a/src/libcharon/plugins/radattr/radattr_plugin.c b/src/libcharon/plugins/radattr/radattr_plugin.c
index 85ea326ac..0400449ab 100644
--- a/src/libcharon/plugins/radattr/radattr_plugin.c
+++ b/src/libcharon/plugins/radattr/radattr_plugin.c
@@ -43,10 +43,37 @@ METHOD(plugin_t, get_name, char*,
 	return "radattr";
 }
 
+/**
+ * Register listener
+ */
+static bool plugin_cb(private_radattr_plugin_t *this,
+					  plugin_feature_t *feature, bool reg, void *cb_data)
+{
+	if (reg)
+	{
+		charon->bus->add_listener(charon->bus, &this->listener->listener);
+	}
+	else
+	{
+		charon->bus->remove_listener(charon->bus, &this->listener->listener);
+	}
+	return TRUE;
+}
+
+METHOD(plugin_t, get_features, int,
+	private_radattr_plugin_t *this, plugin_feature_t *features[])
+{
+	static plugin_feature_t f[] = {
+		PLUGIN_CALLBACK((plugin_feature_callback_t)plugin_cb, NULL),
+			PLUGIN_PROVIDE(CUSTOM, "radattr"),
+	};
+	*features = f;
+	return countof(f);
+}
+
 METHOD(plugin_t, destroy, void,
 	private_radattr_plugin_t *this)
 {
-	charon->bus->remove_listener(charon->bus, &this->listener->listener);
 	this->listener->destroy(this->listener);
 	free(this);
 }
@@ -62,14 +89,12 @@ plugin_t *radattr_plugin_create()
 		.public = {
 			.plugin = {
 				.get_name = _get_name,
-				.reload = (void*)return_false,
+				.get_features = _get_features,
 				.destroy = _destroy,
 			},
 		},
 		.listener = radattr_listener_create(),
 	);
 
-	charon->bus->add_listener(charon->bus, &this->listener->listener);
-
 	return &this->public.plugin;
 }
diff --git a/src/libcharon/plugins/smp/Makefile.am b/src/libcharon/plugins/smp/Makefile.am
index f17235835..67b4b2a6d 100644
--- a/src/libcharon/plugins/smp/Makefile.am
+++ b/src/libcharon/plugins/smp/Makefile.am
@@ -1,8 +1,12 @@
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon \
+	-DIPSEC_PIDDIR=\"${piddir}\"
 
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
-	-I$(top_srcdir)/src/libcharon ${xml_CFLAGS}
-
-AM_CFLAGS = -rdynamic -DIPSEC_PIDDIR=\"${piddir}\"
+AM_CFLAGS = \
+	${xml_CFLAGS} \
+	-rdynamic
 
 if MONOLITHIC
 noinst_LTLIBRARIES = libstrongswan-smp.la
diff --git a/src/libcharon/plugins/smp/Makefile.in b/src/libcharon/plugins/smp/Makefile.in
index 0edca4959..84848db54 100644
--- a/src/libcharon/plugins/smp/Makefile.in
+++ b/src/libcharon/plugins/smp/Makefile.in
@@ -62,7 +62,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
@@ -102,9 +102,13 @@ am__DEPENDENCIES_1 =
 libstrongswan_smp_la_DEPENDENCIES = $(am__DEPENDENCIES_1)
 am_libstrongswan_smp_la_OBJECTS = smp.lo
 libstrongswan_smp_la_OBJECTS = $(am_libstrongswan_smp_la_OBJECTS)
-libstrongswan_smp_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
-	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
-	$(libstrongswan_smp_la_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+libstrongswan_smp_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
+	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
+	$(AM_CFLAGS) $(CFLAGS) $(libstrongswan_smp_la_LDFLAGS) \
+	$(LDFLAGS) -o $@
 @MONOLITHIC_FALSE@am_libstrongswan_smp_la_rpath = -rpath $(plugindir)
 @MONOLITHIC_TRUE@am_libstrongswan_smp_la_rpath =
 DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
@@ -113,13 +117,26 @@ am__depfiles_maybe = depfiles
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
 SOURCES = $(libstrongswan_smp_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_smp_la_SOURCES)
 am__can_run_installinfo = \
@@ -133,6 +150,7 @@ DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
@@ -145,6 +163,8 @@ CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
 CHECK_CFLAGS = @CHECK_CFLAGS@
 CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -160,6 +180,7 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
 GPRBUILD = @GPRBUILD@
 GREP = @GREP@
@@ -168,6 +189,7 @@ INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -214,6 +236,7 @@ SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -242,6 +265,7 @@ charon_natt_port = @charon_natt_port@
 charon_plugins = @charon_plugins@
 charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
@@ -319,10 +343,16 @@ top_srcdir = @top_srcdir@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
-	-I$(top_srcdir)/src/libcharon ${xml_CFLAGS}
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon \
+	-DIPSEC_PIDDIR=\"${piddir}\"
+
+AM_CFLAGS = \
+	${xml_CFLAGS} \
+	-rdynamic
 
-AM_CFLAGS = -rdynamic -DIPSEC_PIDDIR=\"${piddir}\"
 @MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-smp.la
 @MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-smp.la
 libstrongswan_smp_la_SOURCES = \
@@ -406,7 +436,7 @@ clean-pluginLTLIBRARIES:
 	  rm -f "$${dir}/so_locations"; \
 	done
 libstrongswan-smp.la: $(libstrongswan_smp_la_OBJECTS) $(libstrongswan_smp_la_DEPENDENCIES) $(EXTRA_libstrongswan_smp_la_DEPENDENCIES) 
-	$(libstrongswan_smp_la_LINK) $(am_libstrongswan_smp_la_rpath) $(libstrongswan_smp_la_OBJECTS) $(libstrongswan_smp_la_LIBADD) $(LIBS)
+	$(AM_V_CCLD)$(libstrongswan_smp_la_LINK) $(am_libstrongswan_smp_la_rpath) $(libstrongswan_smp_la_OBJECTS) $(libstrongswan_smp_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -417,25 +447,25 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/smp.Plo@am__quote@
 
 .c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
 mostlyclean-libtool:
 	-rm -f *.lo
diff --git a/src/libcharon/plugins/smp/smp.c b/src/libcharon/plugins/smp/smp.c
index db5295230..a92e571de 100644
--- a/src/libcharon/plugins/smp/smp.c
+++ b/src/libcharon/plugins/smp/smp.c
@@ -165,8 +165,10 @@ static void write_childend(xmlTextWriterPtr writer, child_sa_t *child, bool loca
 
 	xmlTextWriterWriteFormatElement(writer, "spi", "%x",
 									htonl(child->get_spi(child, local)));
-	list = child->get_traffic_selectors(child, local);
+	list = linked_list_create_from_enumerator(
+									child->create_ts_enumerator(child, local));
 	write_networks(writer, "networks", list);
+	list->destroy(list);
 }
 
 /**
@@ -712,6 +714,17 @@ METHOD(plugin_t, get_name, char*,
 	return "smp";
 }
 
+METHOD(plugin_t, get_features, int,
+	private_smp_t *this, plugin_feature_t *features[])
+{
+	static plugin_feature_t f[] = {
+		PLUGIN_NOOP,
+			PLUGIN_PROVIDE(CUSTOM, "smp"),
+	};
+	*features = f;
+	return countof(f);
+}
+
 METHOD(plugin_t, destroy, void,
 	private_smp_t *this)
 {
@@ -728,11 +741,17 @@ plugin_t *smp_plugin_create()
 	private_smp_t *this;
 	mode_t old;
 
+	if (!lib->caps->check(lib->caps, CAP_CHOWN))
+	{	/* required to chown(2) control socket */
+		DBG1(DBG_CFG, "smp plugin requires CAP_CHOWN capability");
+		return NULL;
+	}
+
 	INIT(this,
 		.public = {
 			.plugin = {
 				.get_name = _get_name,
-				.reload = (void*)return_false,
+				.get_features = _get_features,
 				.destroy = _destroy,
 			},
 		},
@@ -757,8 +776,8 @@ plugin_t *smp_plugin_create()
 		return NULL;
 	}
 	umask(old);
-	if (chown(unix_addr.sun_path, charon->caps->get_uid(charon->caps),
-			  charon->caps->get_gid(charon->caps)) != 0)
+	if (chown(unix_addr.sun_path, lib->caps->get_uid(lib->caps),
+			  lib->caps->get_gid(lib->caps)) != 0)
 	{
 		DBG1(DBG_CFG, "changing XML socket permissions failed: %s", strerror(errno));
 	}
@@ -777,4 +796,3 @@ plugin_t *smp_plugin_create()
 
 	return &this->public.plugin;
 }
-
diff --git a/src/libcharon/plugins/socket_default/Makefile.am b/src/libcharon/plugins/socket_default/Makefile.am
index 635a1c548..d734b313f 100644
--- a/src/libcharon/plugins/socket_default/Makefile.am
+++ b/src/libcharon/plugins/socket_default/Makefile.am
@@ -1,8 +1,11 @@
+AM_CPPFLAGS = \
+	-I${linux_headers} \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon
 
-INCLUDES = -I${linux_headers} -I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra -I$(top_srcdir)/src/libcharon
-
-AM_CFLAGS = -rdynamic
+AM_CFLAGS = \
+	-rdynamic
 
 if MONOLITHIC
 noinst_LTLIBRARIES = libstrongswan-socket-default.la
diff --git a/src/libcharon/plugins/socket_default/Makefile.in b/src/libcharon/plugins/socket_default/Makefile.in
index 2e04d6627..2e0140298 100644
--- a/src/libcharon/plugins/socket_default/Makefile.in
+++ b/src/libcharon/plugins/socket_default/Makefile.in
@@ -62,7 +62,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
@@ -103,7 +103,10 @@ am_libstrongswan_socket_default_la_OBJECTS = socket_default_socket.lo \
 	socket_default_plugin.lo
 libstrongswan_socket_default_la_OBJECTS =  \
 	$(am_libstrongswan_socket_default_la_OBJECTS)
-libstrongswan_socket_default_la_LINK = $(LIBTOOL) --tag=CC \
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+libstrongswan_socket_default_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
 	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
 	$(AM_CFLAGS) $(CFLAGS) \
 	$(libstrongswan_socket_default_la_LDFLAGS) $(LDFLAGS) -o $@
@@ -116,13 +119,26 @@ am__depfiles_maybe = depfiles
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
 SOURCES = $(libstrongswan_socket_default_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_socket_default_la_SOURCES)
 am__can_run_installinfo = \
@@ -136,6 +152,7 @@ DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
@@ -148,6 +165,8 @@ CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
 CHECK_CFLAGS = @CHECK_CFLAGS@
 CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -163,6 +182,7 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
 GPRBUILD = @GPRBUILD@
 GREP = @GREP@
@@ -171,6 +191,7 @@ INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -217,6 +238,7 @@ SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -245,6 +267,7 @@ charon_natt_port = @charon_natt_port@
 charon_plugins = @charon_plugins@
 charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
@@ -322,10 +345,15 @@ top_srcdir = @top_srcdir@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-INCLUDES = -I${linux_headers} -I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra -I$(top_srcdir)/src/libcharon
+AM_CPPFLAGS = \
+	-I${linux_headers} \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon
+
+AM_CFLAGS = \
+	-rdynamic
 
-AM_CFLAGS = -rdynamic
 @MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-socket-default.la
 @MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-socket-default.la
 libstrongswan_socket_default_la_SOURCES = \
@@ -409,7 +437,7 @@ clean-pluginLTLIBRARIES:
 	  rm -f "$${dir}/so_locations"; \
 	done
 libstrongswan-socket-default.la: $(libstrongswan_socket_default_la_OBJECTS) $(libstrongswan_socket_default_la_DEPENDENCIES) $(EXTRA_libstrongswan_socket_default_la_DEPENDENCIES) 
-	$(libstrongswan_socket_default_la_LINK) $(am_libstrongswan_socket_default_la_rpath) $(libstrongswan_socket_default_la_OBJECTS) $(libstrongswan_socket_default_la_LIBADD) $(LIBS)
+	$(AM_V_CCLD)$(libstrongswan_socket_default_la_LINK) $(am_libstrongswan_socket_default_la_rpath) $(libstrongswan_socket_default_la_OBJECTS) $(libstrongswan_socket_default_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -421,25 +449,25 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/socket_default_socket.Plo@am__quote@
 
 .c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
 mostlyclean-libtool:
 	-rm -f *.lo
diff --git a/src/libcharon/plugins/socket_default/socket_default_plugin.c b/src/libcharon/plugins/socket_default/socket_default_plugin.c
index 01d9473bf..e89b74279 100644
--- a/src/libcharon/plugins/socket_default/socket_default_plugin.c
+++ b/src/libcharon/plugins/socket_default/socket_default_plugin.c
@@ -52,6 +52,7 @@ METHOD(plugin_t, get_features, int,
 	static plugin_feature_t f[] = {
 		PLUGIN_CALLBACK(socket_register, socket_default_socket_create),
 			PLUGIN_PROVIDE(CUSTOM, "socket"),
+				PLUGIN_SDEPEND(CUSTOM, "kernel-ipsec"),
 	};
 	*features = f;
 	return countof(f);
diff --git a/src/libcharon/plugins/socket_default/socket_default_socket.c b/src/libcharon/plugins/socket_default/socket_default_socket.c
index c0b744a68..4139afe5a 100644
--- a/src/libcharon/plugins/socket_default/socket_default_socket.c
+++ b/src/libcharon/plugins/socket_default/socket_default_socket.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2006-2012 Tobias Brunner
+ * Copyright (C) 2006-2013 Tobias Brunner
  * Copyright (C) 2006 Daniel Roethlisberger
  * Copyright (C) 2005-2010 Martin Willi
  * Copyright (C) 2005 Jan Hutter
@@ -162,23 +162,26 @@ METHOD(socket_t, receiver, status_t,
 
 	FD_ZERO(&rfds);
 
-	if (this->ipv4)
+	if (this->ipv4 != -1)
 	{
 		FD_SET(this->ipv4, &rfds);
+		max_fd = max(max_fd, this->ipv4);
 	}
-	if (this->ipv4_natt)
+	if (this->ipv4_natt != -1)
 	{
 		FD_SET(this->ipv4_natt, &rfds);
+		max_fd = max(max_fd, this->ipv4_natt);
 	}
-	if (this->ipv6)
+	if (this->ipv6 != -1)
 	{
 		FD_SET(this->ipv6, &rfds);
+		max_fd = max(max_fd, this->ipv6);
 	}
-	if (this->ipv6_natt)
+	if (this->ipv6_natt != -1)
 	{
 		FD_SET(this->ipv6_natt, &rfds);
+		max_fd = max(max_fd, this->ipv6_natt);
 	}
-	max_fd = max(max(this->ipv4, this->ipv4_natt), max(this->ipv6, this->ipv6_natt));
 
 	DBG2(DBG_NET, "waiting for data on sockets");
 	oldstate = thread_cancelability(TRUE);
@@ -189,22 +192,22 @@ METHOD(socket_t, receiver, status_t,
 	}
 	thread_cancelability(oldstate);
 
-	if (FD_ISSET(this->ipv4, &rfds))
+	if (this->ipv4 != -1 && FD_ISSET(this->ipv4, &rfds))
 	{
 		port = this->port;
 		selected = this->ipv4;
 	}
-	if (FD_ISSET(this->ipv4_natt, &rfds))
+	if (this->ipv4_natt != -1 && FD_ISSET(this->ipv4_natt, &rfds))
 	{
 		port = this->natt;
 		selected = this->ipv4_natt;
 	}
-	if (FD_ISSET(this->ipv6, &rfds))
+	if (this->ipv6 != -1 && FD_ISSET(this->ipv6, &rfds))
 	{
 		port = this->port;
 		selected = this->ipv6;
 	}
-	if (FD_ISSET(this->ipv6_natt, &rfds))
+	if (this->ipv6_natt != -1 && FD_ISSET(this->ipv6_natt, &rfds))
 	{
 		port = this->natt;
 		selected = this->ipv6_natt;
@@ -326,7 +329,7 @@ METHOD(socket_t, receiver, status_t,
 METHOD(socket_t, sender, status_t,
 	private_socket_default_socket_t *this, packet_t *packet)
 {
-	int sport, skt, family;
+	int sport, skt = -1, family;
 	ssize_t bytes_sent;
 	chunk_t data;
 	host_t *src, *dst;
@@ -376,9 +379,10 @@ METHOD(socket_t, sender, status_t,
 				return FAILED;
 		}
 	}
-	else
+	if (skt == -1)
 	{
-		DBG1(DBG_NET, "unable to locate a send socket for port %d", sport);
+		DBG1(DBG_NET, "no socket found to send IPv%d packet from port %d",
+			 family == AF_INET ? 4 : 6, sport);
 		return FAILED;
 	}
 
@@ -497,6 +501,22 @@ METHOD(socket_t, get_port, u_int16_t,
 	return nat_t ? this->natt : this->port;
 }
 
+METHOD(socket_t, supported_families, socket_family_t,
+	private_socket_default_socket_t *this)
+{
+	socket_family_t families = SOCKET_FAMILY_NONE;
+
+	if (this->ipv4 != -1 || this->ipv4_natt != -1)
+	{
+		families |= SOCKET_FAMILY_IPV4;
+	}
+	if (this->ipv6 != -1 || this->ipv6_natt != -1)
+	{
+		families |= SOCKET_FAMILY_IPV6;
+	}
+	return families;
+}
+
 /**
  * open a socket to send and receive packets
  */
@@ -537,20 +557,20 @@ static int open_socket(private_socket_default_socket_t *this,
 			pktinfo = IPV6_RECVPKTINFO;
 			break;
 		default:
-			return 0;
+			return -1;
 	}
 
 	skt = socket(family, SOCK_DGRAM, IPPROTO_UDP);
 	if (skt < 0)
 	{
 		DBG1(DBG_NET, "could not open socket: %s", strerror(errno));
-		return 0;
+		return -1;
 	}
 	if (setsockopt(skt, SOL_SOCKET, SO_REUSEADDR, (void*)&on, sizeof(on)) < 0)
 	{
 		DBG1(DBG_NET, "unable to set SO_REUSEADDR on socket: %s", strerror(errno));
 		close(skt);
-		return 0;
+		return -1;
 	}
 
 	/* bind the socket */
@@ -558,7 +578,7 @@ static int open_socket(private_socket_default_socket_t *this,
 	{
 		DBG1(DBG_NET, "unable to bind socket: %s", strerror(errno));
 		close(skt);
-		return 0;
+		return -1;
 	}
 
 	/* retrieve randomly allocated port if needed */
@@ -568,7 +588,7 @@ static int open_socket(private_socket_default_socket_t *this,
 		{
 			DBG1(DBG_NET, "unable to determine port: %s", strerror(errno));
 			close(skt);
-			return 0;
+			return -1;
 		}
 		switch (family)
 		{
@@ -588,7 +608,7 @@ static int open_socket(private_socket_default_socket_t *this,
 		{
 			DBG1(DBG_NET, "unable to set IP_PKTINFO on socket: %s", strerror(errno));
 			close(skt);
-			return 0;
+			return -1;
 		}
 	}
 
@@ -610,22 +630,69 @@ static int open_socket(private_socket_default_socket_t *this,
 	return skt;
 }
 
+/**
+ * Check if we should use the given family
+ */
+static bool use_family(int family)
+{
+	switch (family)
+	{
+		case AF_INET:
+			return lib->settings->get_bool(lib->settings,
+					"%s.plugins.socket-default.use_ipv4", TRUE, charon->name);
+		case AF_INET6:
+			return lib->settings->get_bool(lib->settings,
+					"%s.plugins.socket-default.use_ipv6", TRUE, charon->name);
+		default:
+			return FALSE;
+	}
+}
+
+/**
+ * Open a socket pair (normal and NAT traversal) for a given address family
+ */
+static void open_socketpair(private_socket_default_socket_t *this, int family,
+							int *skt, int *skt_natt, char *label)
+{
+	if (!use_family(family))
+	{
+		*skt = -1;
+		*skt_natt = -1;
+		return;
+	}
+
+	*skt = open_socket(this, family, &this->port);
+	if (*skt == -1)
+	{
+		*skt_natt = -1;
+		DBG1(DBG_NET, "could not open %s socket, %s disabled", label, label);
+	}
+	else
+	{
+		*skt_natt = open_socket(this, family, &this->natt);
+		if (*skt_natt == -1)
+		{
+			DBG1(DBG_NET, "could not open %s NAT-T socket", label);
+		}
+	}
+}
+
 METHOD(socket_t, destroy, void,
 	private_socket_default_socket_t *this)
 {
-	if (this->ipv4)
+	if (this->ipv4 != -1)
 	{
 		close(this->ipv4);
 	}
-	if (this->ipv4_natt)
+	if (this->ipv4_natt != -1)
 	{
 		close(this->ipv4_natt);
 	}
-	if (this->ipv6)
+	if (this->ipv6 != -1)
 	{
 		close(this->ipv6);
 	}
-	if (this->ipv6_natt)
+	if (this->ipv6_natt != -1)
 	{
 		close(this->ipv6_natt);
 	}
@@ -645,6 +712,7 @@ socket_default_socket_t *socket_default_socket_create()
 				.send = _sender,
 				.receive = _receiver,
 				.get_port = _get_port,
+				.supported_families = _supported_families,
 				.destroy = _destroy,
 			},
 		},
@@ -666,37 +734,30 @@ socket_default_socket_t *socket_default_socket_create()
 		this->natt = 0;
 	}
 
-	/* we allocate IPv6 sockets first as that will reserve randomly allocated
-	 * ports also for IPv4 */
-	this->ipv6 = open_socket(this, AF_INET6, &this->port);
-	if (this->ipv6 == 0)
-	{
-		DBG1(DBG_NET, "could not open IPv6 socket, IPv6 disabled");
-	}
-	else
-	{
-		this->ipv6_natt = open_socket(this, AF_INET6, &this->natt);
-		if (this->ipv6_natt == 0)
-		{
-			DBG1(DBG_NET, "could not open IPv6 NAT-T socket");
-		}
-	}
-
-	this->ipv4 = open_socket(this, AF_INET, &this->port);
-	if (this->ipv4 == 0)
-	{
-		DBG1(DBG_NET, "could not open IPv4 socket, IPv4 disabled");
-	}
-	else
+	if ((this->port && this->port < 1024) || (this->natt && this->natt < 1024))
 	{
-		this->ipv4_natt = open_socket(this, AF_INET, &this->natt);
-		if (this->ipv4_natt == 0)
+		if (!lib->caps->check(lib->caps, CAP_NET_BIND_SERVICE))
 		{
-			DBG1(DBG_NET, "could not open IPv4 NAT-T socket");
+			/* required to bind ports < 1024 */
+			DBG1(DBG_NET, "socket-default plugin requires CAP_NET_BIND_SERVICE "
+				 "capability");
+			destroy(this);
+			return NULL;
 		}
 	}
 
-	if (!this->ipv4 && !this->ipv6)
+	/* we allocate IPv6 sockets first as that will reserve randomly allocated
+	 * ports also for IPv4. On OS X, we have to do it the other way round
+	 * for the same effect. */
+#ifdef __APPLE__
+	open_socketpair(this, AF_INET, &this->ipv4, &this->ipv4_natt, "IPv4");
+	open_socketpair(this, AF_INET6, &this->ipv6, &this->ipv6_natt, "IPv6");
+#else /* !__APPLE__ */
+	open_socketpair(this, AF_INET6, &this->ipv6, &this->ipv6_natt, "IPv6");
+	open_socketpair(this, AF_INET, &this->ipv4, &this->ipv4_natt, "IPv4");
+#endif /* __APPLE__ */
+
+	if (this->ipv4 == -1 && this->ipv6 == -1)
 	{
 		DBG1(DBG_NET, "could not create any sockets");
 		destroy(this);
diff --git a/src/libcharon/plugins/socket_dynamic/Makefile.am b/src/libcharon/plugins/socket_dynamic/Makefile.am
index 914945535..04973e5ba 100644
--- a/src/libcharon/plugins/socket_dynamic/Makefile.am
+++ b/src/libcharon/plugins/socket_dynamic/Makefile.am
@@ -1,8 +1,11 @@
+AM_CPPFLAGS = \
+	-I${linux_headers} \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon
 
-INCLUDES = -I${linux_headers} -I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra -I$(top_srcdir)/src/libcharon
-
-AM_CFLAGS = -rdynamic
+AM_CFLAGS = \
+	-rdynamic
 
 if MONOLITHIC
 noinst_LTLIBRARIES = libstrongswan-socket-dynamic.la
diff --git a/src/libcharon/plugins/socket_dynamic/Makefile.in b/src/libcharon/plugins/socket_dynamic/Makefile.in
index a12e4a893..e976e9902 100644
--- a/src/libcharon/plugins/socket_dynamic/Makefile.in
+++ b/src/libcharon/plugins/socket_dynamic/Makefile.in
@@ -62,7 +62,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
@@ -103,7 +103,10 @@ am_libstrongswan_socket_dynamic_la_OBJECTS = socket_dynamic_plugin.lo \
 	socket_dynamic_socket.lo
 libstrongswan_socket_dynamic_la_OBJECTS =  \
 	$(am_libstrongswan_socket_dynamic_la_OBJECTS)
-libstrongswan_socket_dynamic_la_LINK = $(LIBTOOL) --tag=CC \
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+libstrongswan_socket_dynamic_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
 	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
 	$(AM_CFLAGS) $(CFLAGS) \
 	$(libstrongswan_socket_dynamic_la_LDFLAGS) $(LDFLAGS) -o $@
@@ -116,13 +119,26 @@ am__depfiles_maybe = depfiles
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
 SOURCES = $(libstrongswan_socket_dynamic_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_socket_dynamic_la_SOURCES)
 am__can_run_installinfo = \
@@ -136,6 +152,7 @@ DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
@@ -148,6 +165,8 @@ CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
 CHECK_CFLAGS = @CHECK_CFLAGS@
 CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -163,6 +182,7 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
 GPRBUILD = @GPRBUILD@
 GREP = @GREP@
@@ -171,6 +191,7 @@ INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -217,6 +238,7 @@ SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -245,6 +267,7 @@ charon_natt_port = @charon_natt_port@
 charon_plugins = @charon_plugins@
 charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
@@ -322,10 +345,15 @@ top_srcdir = @top_srcdir@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-INCLUDES = -I${linux_headers} -I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra -I$(top_srcdir)/src/libcharon
+AM_CPPFLAGS = \
+	-I${linux_headers} \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon
+
+AM_CFLAGS = \
+	-rdynamic
 
-AM_CFLAGS = -rdynamic
 @MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-socket-dynamic.la
 @MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-socket-dynamic.la
 libstrongswan_socket_dynamic_la_SOURCES = \
@@ -409,7 +437,7 @@ clean-pluginLTLIBRARIES:
 	  rm -f "$${dir}/so_locations"; \
 	done
 libstrongswan-socket-dynamic.la: $(libstrongswan_socket_dynamic_la_OBJECTS) $(libstrongswan_socket_dynamic_la_DEPENDENCIES) $(EXTRA_libstrongswan_socket_dynamic_la_DEPENDENCIES) 
-	$(libstrongswan_socket_dynamic_la_LINK) $(am_libstrongswan_socket_dynamic_la_rpath) $(libstrongswan_socket_dynamic_la_OBJECTS) $(libstrongswan_socket_dynamic_la_LIBADD) $(LIBS)
+	$(AM_V_CCLD)$(libstrongswan_socket_dynamic_la_LINK) $(am_libstrongswan_socket_dynamic_la_rpath) $(libstrongswan_socket_dynamic_la_OBJECTS) $(libstrongswan_socket_dynamic_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -421,25 +449,25 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/socket_dynamic_socket.Plo@am__quote@
 
 .c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
 mostlyclean-libtool:
 	-rm -f *.lo
diff --git a/src/libcharon/plugins/socket_dynamic/socket_dynamic_plugin.c b/src/libcharon/plugins/socket_dynamic/socket_dynamic_plugin.c
index c21d5240e..fdc9a7cf9 100644
--- a/src/libcharon/plugins/socket_dynamic/socket_dynamic_plugin.c
+++ b/src/libcharon/plugins/socket_dynamic/socket_dynamic_plugin.c
@@ -40,6 +40,7 @@ METHOD(plugin_t, get_features, int,
 	static plugin_feature_t f[] = {
 		PLUGIN_CALLBACK(socket_register, socket_dynamic_socket_create),
 			PLUGIN_PROVIDE(CUSTOM, "socket"),
+				PLUGIN_SDEPEND(CUSTOM, "kernel-ipsec"),
 	};
 	*features = f;
 	return countof(f);
diff --git a/src/libcharon/plugins/socket_dynamic/socket_dynamic_socket.c b/src/libcharon/plugins/socket_dynamic/socket_dynamic_socket.c
index a5e919348..abbc8bad2 100644
--- a/src/libcharon/plugins/socket_dynamic/socket_dynamic_socket.c
+++ b/src/libcharon/plugins/socket_dynamic/socket_dynamic_socket.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2006-2012 Tobias Brunner
+ * Copyright (C) 2006-2013 Tobias Brunner
  * Copyright (C) 2006 Daniel Roethlisberger
  * Copyright (C) 2005-2010 Martin Willi
  * Copyright (C) 2005 Jan Hutter
@@ -325,14 +325,61 @@ METHOD(socket_t, receiver, status_t,
 	return FAILED;
 }
 
+/**
+ * Get the port allocated dynamically using bind()
+ */
+static bool get_dynamic_port(int fd, int family, u_int16_t *port)
+{
+	union {
+		struct sockaddr_storage ss;
+		struct sockaddr s;
+		struct sockaddr_in sin;
+		struct sockaddr_in6 sin6;
+	} addr;
+	socklen_t addrlen;
+
+	addrlen = sizeof(addr);
+	if (getsockname(fd, &addr.s, &addrlen) != 0)
+	{
+		DBG1(DBG_NET, "unable to getsockname: %s", strerror(errno));
+		return FALSE;
+	}
+	switch (family)
+	{
+		case AF_INET:
+			if (addrlen != sizeof(addr.sin) || addr.sin.sin_family != family)
+			{
+				break;
+			}
+			*port = ntohs(addr.sin.sin_port);
+			return TRUE;
+		case AF_INET6:
+			if (addrlen != sizeof(addr.sin6) || addr.sin6.sin6_family != family)
+			{
+				break;
+			}
+			*port = ntohs(addr.sin6.sin6_port);
+			return TRUE;
+		default:
+			return FALSE;
+	}
+	DBG1(DBG_NET, "received invalid getsockname() result");
+	return FALSE;
+}
+
 /**
  * open a socket to send and receive packets
  */
 static int open_socket(private_socket_dynamic_socket_t *this,
-					   int family, u_int16_t port)
+					   int family, u_int16_t *port)
 {
+	union {
+		struct sockaddr_storage ss;
+		struct sockaddr s;
+		struct sockaddr_in sin;
+		struct sockaddr_in6 sin6;
+	} addr;
 	int on = TRUE;
-	struct sockaddr_storage addr;
 	socklen_t addrlen;
 	u_int sol, pktinfo = 0;
 	int fd;
@@ -342,27 +389,21 @@ static int open_socket(private_socket_dynamic_socket_t *this,
 	switch (family)
 	{
 		case AF_INET:
-		{
-			struct sockaddr_in *sin = (struct sockaddr_in *)&addr;
-			sin->sin_family = AF_INET;
-			sin->sin_addr.s_addr = INADDR_ANY;
-			sin->sin_port = htons(port);
-			addrlen = sizeof(struct sockaddr_in);
+			addr.sin.sin_family = AF_INET;
+			addr.sin.sin_addr.s_addr = INADDR_ANY;
+			addr.sin.sin_port = htons(*port);
+			addrlen = sizeof(addr.sin);
 			sol = SOL_IP;
 			pktinfo = IP_PKTINFO;
 			break;
-		}
 		case AF_INET6:
-		{
-			struct sockaddr_in6 *sin6 = (struct sockaddr_in6 *)&addr;
-			sin6->sin6_family = AF_INET6;
-			memset(&sin6->sin6_addr, 0, sizeof(sin6->sin6_addr));
-			sin6->sin6_port = htons(port);
-			addrlen = sizeof(struct sockaddr_in6);
+			addr.sin6.sin6_family = AF_INET6;
+			memset(&addr.sin6.sin6_addr, 0, sizeof(addr.sin6.sin6_addr));
+			addr.sin6.sin6_port = htons(*port);
+			addrlen = sizeof(addr.sin6);
 			sol = SOL_IPV6;
 			pktinfo = IPV6_RECVPKTINFO;
 			break;
-		}
 		default:
 			return 0;
 	}
@@ -380,13 +421,17 @@ static int open_socket(private_socket_dynamic_socket_t *this,
 		return 0;
 	}
 
-	/* bind the socket */
-	if (bind(fd, (struct sockaddr *)&addr, addrlen) < 0)
+	if (bind(fd, &addr.s, addrlen) < 0)
 	{
 		DBG1(DBG_NET, "unable to bind socket: %s", strerror(errno));
 		close(fd);
 		return 0;
 	}
+	if (*port == 0 && !get_dynamic_port(fd, family, port))
+	{
+		close(fd);
+		return 0;
+	}
 
 	/* get additional packet info on receive */
 	if (setsockopt(fd, sol, pktinfo, &on, sizeof(on)) < 0)
@@ -404,15 +449,40 @@ static int open_socket(private_socket_dynamic_socket_t *this,
 
 	/* enable UDP decapsulation on each socket */
 	if (!hydra->kernel_interface->enable_udp_decap(hydra->kernel_interface,
-												   fd, family, port))
+												   fd, family, *port))
 	{
 		DBG1(DBG_NET, "enabling UDP decapsulation for %s on port %d failed",
-			 family == AF_INET ? "IPv4" : "IPv6", port);
+			 family == AF_INET ? "IPv4" : "IPv6", *port);
 	}
 
 	return fd;
 }
 
+/**
+ * Get the first usable socket for an address family
+ */
+static dynsock_t *get_any_socket(private_socket_dynamic_socket_t *this,
+								 int family)
+{
+	dynsock_t *key, *value, *found = NULL;
+	enumerator_t *enumerator;
+
+	this->lock->read_lock(this->lock);
+	enumerator = this->sockets->create_enumerator(this->sockets);
+	while (enumerator->enumerate(enumerator, &key, &value))
+	{
+		if (value->family == family)
+		{
+			found = value;
+			break;
+		}
+	}
+	enumerator->destroy(enumerator);
+	this->lock->unlock(this->lock);
+
+	return found;
+}
+
 /**
  * Find/Create a socket to send from host
  */
@@ -433,7 +503,15 @@ static dynsock_t *find_socket(private_socket_dynamic_socket_t *this,
 	{
 		return skt;
 	}
-	fd = open_socket(this, family, port);
+	if (!port)
+	{
+		skt = get_any_socket(this, family);
+		if (skt)
+		{
+			return skt;
+		}
+	}
+	fd = open_socket(this, family, &port);
 	if (!fd)
 	{
 		return NULL;
@@ -457,7 +535,7 @@ METHOD(socket_t, sender, status_t,
 {
 	dynsock_t *skt;
 	host_t *src, *dst;
-	int port, family;
+	int family;
 	ssize_t len;
 	chunk_t data;
 	struct msghdr msg;
@@ -467,9 +545,7 @@ METHOD(socket_t, sender, status_t,
 	src = packet->get_source(packet);
 	dst = packet->get_destination(packet);
 	family = src->get_family(src);
-	port = src->get_port(src);
-	port = port ?: CHARON_UDP_PORT;
-	skt = find_socket(this, family, port);
+	skt = find_socket(this, family, src->get_port(src));
 	if (!skt)
 	{
 		return FAILED;
@@ -544,6 +620,14 @@ METHOD(socket_t, get_port, u_int16_t,
 	return 0;
 }
 
+METHOD(socket_t, supported_families, socket_family_t,
+	private_socket_dynamic_socket_t *this)
+{
+	/* we could return only the families of the opened sockets, but it could
+	 * be that both families are supported even if no socket is yet open */
+	return SOCKET_FAMILY_BOTH;
+}
+
 METHOD(socket_t, destroy, void,
 	private_socket_dynamic_socket_t *this)
 {
@@ -578,6 +662,7 @@ socket_dynamic_socket_t *socket_dynamic_socket_create()
 				.send = _sender,
 				.receive = _receiver,
 				.get_port = _get_port,
+				.supported_families = _supported_families,
 				.destroy = _destroy,
 			},
 		},
@@ -597,4 +682,3 @@ socket_dynamic_socket_t *socket_dynamic_socket_create()
 
 	return &this->public;
 }
-
diff --git a/src/libcharon/plugins/sql/Makefile.am b/src/libcharon/plugins/sql/Makefile.am
index 37b87117c..fd5693123 100644
--- a/src/libcharon/plugins/sql/Makefile.am
+++ b/src/libcharon/plugins/sql/Makefile.am
@@ -1,7 +1,11 @@
-
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon
 
+AM_CFLAGS = \
+	-rdynamic
+
 if MONOLITHIC
 noinst_LTLIBRARIES = libstrongswan-sql.la
 else
diff --git a/src/libcharon/plugins/sql/Makefile.in b/src/libcharon/plugins/sql/Makefile.in
index 96f83b4d1..dd3c2e165 100644
--- a/src/libcharon/plugins/sql/Makefile.in
+++ b/src/libcharon/plugins/sql/Makefile.in
@@ -62,7 +62,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
@@ -102,9 +102,13 @@ libstrongswan_sql_la_LIBADD =
 am_libstrongswan_sql_la_OBJECTS = sql_plugin.lo sql_config.lo \
 	sql_cred.lo sql_logger.lo
 libstrongswan_sql_la_OBJECTS = $(am_libstrongswan_sql_la_OBJECTS)
-libstrongswan_sql_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
-	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
-	$(libstrongswan_sql_la_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+libstrongswan_sql_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
+	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
+	$(AM_CFLAGS) $(CFLAGS) $(libstrongswan_sql_la_LDFLAGS) \
+	$(LDFLAGS) -o $@
 @MONOLITHIC_FALSE@am_libstrongswan_sql_la_rpath = -rpath $(plugindir)
 @MONOLITHIC_TRUE@am_libstrongswan_sql_la_rpath =
 DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
@@ -113,13 +117,26 @@ am__depfiles_maybe = depfiles
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
 SOURCES = $(libstrongswan_sql_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_sql_la_SOURCES)
 am__can_run_installinfo = \
@@ -133,6 +150,7 @@ DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
@@ -145,6 +163,8 @@ CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
 CHECK_CFLAGS = @CHECK_CFLAGS@
 CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -160,6 +180,7 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
 GPRBUILD = @GPRBUILD@
 GREP = @GREP@
@@ -168,6 +189,7 @@ INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -214,6 +236,7 @@ SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -242,6 +265,7 @@ charon_natt_port = @charon_natt_port@
 charon_plugins = @charon_plugins@
 charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
@@ -319,9 +343,14 @@ top_srcdir = @top_srcdir@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon
 
+AM_CFLAGS = \
+	-rdynamic
+
 @MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-sql.la
 @MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-sql.la
 libstrongswan_sql_la_SOURCES = \
@@ -405,7 +434,7 @@ clean-pluginLTLIBRARIES:
 	  rm -f "$${dir}/so_locations"; \
 	done
 libstrongswan-sql.la: $(libstrongswan_sql_la_OBJECTS) $(libstrongswan_sql_la_DEPENDENCIES) $(EXTRA_libstrongswan_sql_la_DEPENDENCIES) 
-	$(libstrongswan_sql_la_LINK) $(am_libstrongswan_sql_la_rpath) $(libstrongswan_sql_la_OBJECTS) $(libstrongswan_sql_la_LIBADD) $(LIBS)
+	$(AM_V_CCLD)$(libstrongswan_sql_la_LINK) $(am_libstrongswan_sql_la_rpath) $(libstrongswan_sql_la_OBJECTS) $(libstrongswan_sql_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -419,25 +448,25 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/sql_plugin.Plo@am__quote@
 
 .c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
 mostlyclean-libtool:
 	-rm -f *.lo
diff --git a/src/libcharon/plugins/sql/sql_plugin.c b/src/libcharon/plugins/sql/sql_plugin.c
index afbb89c83..c1b4461d2 100644
--- a/src/libcharon/plugins/sql/sql_plugin.c
+++ b/src/libcharon/plugins/sql/sql_plugin.c
@@ -1,4 +1,5 @@
 /*
+ * Copyright (C) 2013 Tobias Brunner
  * Copyright (C) 2008 Martin Willi
  * Hochschule fuer Technik Rapperswil
  *
@@ -16,6 +17,8 @@
 #include "sql_plugin.h"
 
 #include <daemon.h>
+#include <plugins/plugin_feature.h>
+
 #include "sql_config.h"
 #include "sql_cred.h"
 #include "sql_logger.h"
@@ -59,16 +62,67 @@ METHOD(plugin_t, get_name, char*,
 	return "sql";
 }
 
+/**
+ * Connect to database
+ */
+static bool open_database(private_sql_plugin_t *this,
+						  plugin_feature_t *feature, bool reg, void *cb_data)
+{
+	if (reg)
+	{
+		char *uri;
+
+		uri = lib->settings->get_str(lib->settings, "%s.plugins.sql.database",
+									 NULL, charon->name);
+		if (!uri)
+		{
+			DBG1(DBG_CFG, "sql plugin: database URI not set");
+			return FALSE;
+		}
+
+		this->db = lib->db->create(lib->db, uri);
+		if (!this->db)
+		{
+			DBG1(DBG_CFG, "sql plugin failed to connect to database");
+			return FALSE;
+		}
+		this->config = sql_config_create(this->db);
+		this->cred = sql_cred_create(this->db);
+		this->logger = sql_logger_create(this->db);
+
+		charon->backends->add_backend(charon->backends, &this->config->backend);
+		lib->credmgr->add_set(lib->credmgr, &this->cred->set);
+		charon->bus->add_logger(charon->bus, &this->logger->logger);
+	}
+	else
+	{
+		charon->backends->remove_backend(charon->backends,
+										 &this->config->backend);
+		lib->credmgr->remove_set(lib->credmgr, &this->cred->set);
+		charon->bus->remove_logger(charon->bus, &this->logger->logger);
+		this->config->destroy(this->config);
+		this->cred->destroy(this->cred);
+		this->logger->destroy(this->logger);
+		this->db->destroy(this->db);
+	}
+	return TRUE;
+}
+
+METHOD(plugin_t, get_features, int,
+	private_sql_plugin_t *this, plugin_feature_t *features[])
+{
+	static plugin_feature_t f[] = {
+		PLUGIN_CALLBACK((plugin_feature_callback_t)open_database, NULL),
+			PLUGIN_PROVIDE(CUSTOM, "sql"),
+				PLUGIN_DEPENDS(DATABASE, DB_ANY),
+	};
+	*features = f;
+	return countof(f);
+}
+
 METHOD(plugin_t, destroy, void,
 	private_sql_plugin_t *this)
 {
-	charon->backends->remove_backend(charon->backends, &this->config->backend);
-	lib->credmgr->remove_set(lib->credmgr, &this->cred->set);
-	charon->bus->remove_logger(charon->bus, &this->logger->logger);
-	this->config->destroy(this->config);
-	this->cred->destroy(this->cred);
-	this->logger->destroy(this->logger);
-	this->db->destroy(this->db);
 	free(this);
 }
 
@@ -77,42 +131,17 @@ METHOD(plugin_t, destroy, void,
  */
 plugin_t *sql_plugin_create()
 {
-	char *uri;
 	private_sql_plugin_t *this;
 
-	uri = lib->settings->get_str(lib->settings, "%s.plugins.sql.database",
-								 NULL, charon->name);
-	if (!uri)
-	{
-		DBG1(DBG_CFG, "sql plugin: database URI not set");
-		return NULL;
-	}
-
 	INIT(this,
 		.public = {
 			.plugin = {
 				.get_name = _get_name,
-				.reload = (void*)return_false,
+				.get_features = _get_features,
 				.destroy = _destroy,
 			},
 		},
-		.db = lib->db->create(lib->db, uri),
 	);
 
-	if (!this->db)
-	{
-		DBG1(DBG_CFG, "sql plugin failed to connect to database");
-		free(this);
-		return NULL;
-	}
-	this->config = sql_config_create(this->db);
-	this->cred = sql_cred_create(this->db);
-	this->logger = sql_logger_create(this->db);
-
-	charon->backends->add_backend(charon->backends, &this->config->backend);
-	lib->credmgr->add_set(lib->credmgr, &this->cred->set);
-	charon->bus->add_logger(charon->bus, &this->logger->logger);
-
 	return &this->public.plugin;
 }
-
diff --git a/src/libcharon/plugins/stroke/Makefile.am b/src/libcharon/plugins/stroke/Makefile.am
index 39b3e79d2..9509b1bd3 100644
--- a/src/libcharon/plugins/stroke/Makefile.am
+++ b/src/libcharon/plugins/stroke/Makefile.am
@@ -1,11 +1,13 @@
-
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
-	-I$(top_srcdir)/src/libcharon -I$(top_srcdir)/src/stroke
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon \
+	-I$(top_srcdir)/src/stroke \
+	-DIPSEC_CONFDIR=\"${sysconfdir}\" \
+	-DIPSEC_PIDDIR=\"${piddir}\"
 
 AM_CFLAGS = \
--rdynamic \
--DIPSEC_CONFDIR=\"${sysconfdir}\" \
--DIPSEC_PIDDIR=\"${piddir}\"
+	-rdynamic
 
 if MONOLITHIC
 noinst_LTLIBRARIES = libstrongswan-stroke.la
diff --git a/src/libcharon/plugins/stroke/Makefile.in b/src/libcharon/plugins/stroke/Makefile.in
index 7d1100c08..151e7ba69 100644
--- a/src/libcharon/plugins/stroke/Makefile.in
+++ b/src/libcharon/plugins/stroke/Makefile.in
@@ -62,7 +62,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
@@ -105,9 +105,13 @@ am_libstrongswan_stroke_la_OBJECTS = stroke_plugin.lo stroke_socket.lo \
 	stroke_list.lo
 libstrongswan_stroke_la_OBJECTS =  \
 	$(am_libstrongswan_stroke_la_OBJECTS)
-libstrongswan_stroke_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
-	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
-	$(libstrongswan_stroke_la_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+libstrongswan_stroke_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
+	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
+	$(AM_CFLAGS) $(CFLAGS) $(libstrongswan_stroke_la_LDFLAGS) \
+	$(LDFLAGS) -o $@
 @MONOLITHIC_FALSE@am_libstrongswan_stroke_la_rpath = -rpath \
 @MONOLITHIC_FALSE@	$(plugindir)
 @MONOLITHIC_TRUE@am_libstrongswan_stroke_la_rpath =
@@ -117,13 +121,26 @@ am__depfiles_maybe = depfiles
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
 SOURCES = $(libstrongswan_stroke_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_stroke_la_SOURCES)
 am__can_run_installinfo = \
@@ -137,6 +154,7 @@ DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
@@ -149,6 +167,8 @@ CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
 CHECK_CFLAGS = @CHECK_CFLAGS@
 CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -164,6 +184,7 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
 GPRBUILD = @GPRBUILD@
 GREP = @GREP@
@@ -172,6 +193,7 @@ INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -218,6 +240,7 @@ SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -246,6 +269,7 @@ charon_natt_port = @charon_natt_port@
 charon_plugins = @charon_plugins@
 charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
@@ -323,13 +347,16 @@ top_srcdir = @top_srcdir@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
-	-I$(top_srcdir)/src/libcharon -I$(top_srcdir)/src/stroke
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon \
+	-I$(top_srcdir)/src/stroke \
+	-DIPSEC_CONFDIR=\"${sysconfdir}\" \
+	-DIPSEC_PIDDIR=\"${piddir}\"
 
 AM_CFLAGS = \
--rdynamic \
--DIPSEC_CONFDIR=\"${sysconfdir}\" \
--DIPSEC_PIDDIR=\"${piddir}\"
+	-rdynamic
 
 @MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-stroke.la
 @MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-stroke.la
@@ -422,7 +449,7 @@ clean-pluginLTLIBRARIES:
 	  rm -f "$${dir}/so_locations"; \
 	done
 libstrongswan-stroke.la: $(libstrongswan_stroke_la_OBJECTS) $(libstrongswan_stroke_la_DEPENDENCIES) $(EXTRA_libstrongswan_stroke_la_DEPENDENCIES) 
-	$(libstrongswan_stroke_la_LINK) $(am_libstrongswan_stroke_la_rpath) $(libstrongswan_stroke_la_OBJECTS) $(libstrongswan_stroke_la_LIBADD) $(LIBS)
+	$(AM_V_CCLD)$(libstrongswan_stroke_la_LINK) $(am_libstrongswan_stroke_la_rpath) $(libstrongswan_stroke_la_OBJECTS) $(libstrongswan_stroke_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -442,25 +469,25 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/stroke_socket.Plo@am__quote@
 
 .c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
 mostlyclean-libtool:
 	-rm -f *.lo
diff --git a/src/libcharon/plugins/stroke/stroke_config.c b/src/libcharon/plugins/stroke/stroke_config.c
index 86f0fe431..079e65f11 100644
--- a/src/libcharon/plugins/stroke/stroke_config.c
+++ b/src/libcharon/plugins/stroke/stroke_config.c
@@ -21,6 +21,8 @@
 #include <threading/mutex.h>
 #include <utils/lexparser.h>
 
+#include <netdb.h>
+
 typedef struct private_stroke_config_t private_stroke_config_t;
 
 /**
@@ -489,8 +491,7 @@ static auth_cfg_t *build_auth_cfg(private_stroke_config_t *this,
 	pubkey = end->rsakey;
 	if (pubkey && !streq(pubkey, "") && !streq(pubkey, "%cert"))
 	{
-		certificate = this->cred->load_pubkey(this->cred, KEY_RSA, pubkey,
-											  identity);
+		certificate = this->cred->load_pubkey(this->cred, pubkey, identity);
 		if (certificate)
 		{
 			cfg->add(cfg, AUTH_RULE_SUBJECT_CERT, certificate);
@@ -558,9 +559,9 @@ static auth_cfg_t *build_auth_cfg(private_stroke_config_t *this,
 	}
 
 	/* authentication metod (class, actually) */
-	if (strneq(auth, "pubkey", strlen("pubkey")) ||
-		strneq(auth, "rsa", strlen("rsa")) ||
-		strneq(auth, "ecdsa", strlen("ecdsa")))
+	if (strpfx(auth, "pubkey") ||
+		strpfx(auth, "rsa") ||
+		strpfx(auth, "ecdsa"))
 	{
 		cfg->add(cfg, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PUBKEY);
 		build_crl_policy(cfg, local, msg->add_conn.crl_policy);
@@ -571,7 +572,7 @@ static auth_cfg_t *build_auth_cfg(private_stroke_config_t *this,
 	{
 		cfg->add(cfg, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PSK);
 	}
-	else if (strneq(auth, "xauth", 5))
+	else if (strpfx(auth, "xauth"))
 	{
 		char *pos;
 
@@ -587,7 +588,7 @@ static auth_cfg_t *build_auth_cfg(private_stroke_config_t *this,
 				identification_create_from_string(msg->add_conn.xauth_identity));
 		}
 	}
-	else if (strneq(auth, "eap", 3))
+	else if (strpfx(auth, "eap"))
 	{
 		eap_vendor_type_t *type;
 
@@ -883,6 +884,96 @@ static peer_cfg_t *build_peer_cfg(private_stroke_config_t *this,
 	return peer_cfg;
 }
 
+/**
+ * Parse a protoport specifier
+ */
+static bool parse_protoport(char *token, u_int16_t *from_port,
+							u_int16_t *to_port, u_int8_t *protocol)
+{
+	char *sep, *port = "", *endptr;
+	struct protoent *proto;
+	struct servent *svc;
+	long int p;
+
+	sep = strrchr(token, ']');
+	if (!sep)
+	{
+		return FALSE;
+	}
+	*sep = '\0';
+
+	sep = strchr(token, '/');
+	if (sep)
+	{	/* protocol/port */
+		*sep = '\0';
+		port = sep + 1;
+	}
+
+	if (streq(token, "%any"))
+	{
+		*protocol = 0;
+	}
+	else
+	{
+		proto = getprotobyname(token);
+		if (proto)
+		{
+			*protocol = proto->p_proto;
+		}
+		else
+		{
+			p = strtol(token, &endptr, 0);
+			if ((*token && *endptr) || p < 0 || p > 0xff)
+			{
+				return FALSE;
+			}
+			*protocol = (u_int8_t)p;
+		}
+	}
+	if (streq(port, "%any"))
+	{
+		*from_port = 0;
+		*to_port = 0xffff;
+	}
+	else if (streq(port, "%opaque"))
+	{
+		*from_port = 0xffff;
+		*to_port = 0;
+	}
+	else if (*port)
+	{
+		svc = getservbyname(port, NULL);
+		if (svc)
+		{
+			*from_port = *to_port = ntohs(svc->s_port);
+		}
+		else
+		{
+			p = strtol(port, &endptr, 0);
+			if (p < 0 || p > 0xffff)
+			{
+				return FALSE;
+			}
+			*from_port = p;
+			if (*endptr == '-')
+			{
+				port = endptr + 1;
+				p = strtol(port, &endptr, 0);
+				if (p < 0 || p > 0xffff)
+				{
+					return FALSE;
+				}
+			}
+			*to_port = p;
+			if (*endptr)
+			{
+				return FALSE;
+			}
+		}
+	}
+	return TRUE;
+}
+
 /**
  * build a traffic selector from a stroke_end
  */
@@ -914,13 +1005,38 @@ static void add_ts(private_stroke_config_t *this,
 		else
 		{
 			enumerator_t *enumerator;
-			char *subnet;
+			char *subnet, *pos;
+			u_int16_t from_port, to_port;
+			u_int8_t proto;
 
 			enumerator = enumerator_create_token(end->subnets, ",", " ");
 			while (enumerator->enumerate(enumerator, &subnet))
 			{
-				ts = traffic_selector_create_from_cidr(subnet, end->protocol,
-												end->from_port, end->to_port);
+				from_port = end->from_port;
+				to_port = end->to_port;
+				proto = end->protocol;
+
+				pos = strchr(subnet, '[');
+				if (pos)
+				{
+					*(pos++) = '\0';
+					if (!parse_protoport(pos, &from_port, &to_port, &proto))
+					{
+						DBG1(DBG_CFG, "invalid proto/port: %s, skipped subnet",
+							 pos);
+						continue;
+					}
+				}
+				if (streq(subnet, "%dynamic"))
+				{
+					ts = traffic_selector_create_dynamic(proto,
+														 from_port, to_port);
+				}
+				else
+				{
+					ts = traffic_selector_create_from_cidr(subnet, proto,
+														   from_port, to_port);
+				}
 				if (ts)
 				{
 					child_cfg->add_traffic_selector(child_cfg, local, ts);
diff --git a/src/libcharon/plugins/stroke/stroke_control.c b/src/libcharon/plugins/stroke/stroke_control.c
index 91130d1ee..fdd1635a6 100644
--- a/src/libcharon/plugins/stroke/stroke_control.c
+++ b/src/libcharon/plugins/stroke/stroke_control.c
@@ -603,7 +603,7 @@ static void charon_route(peer_cfg_t *peer_cfg, child_cfg_t *child_cfg,
 	}
 	else
 	{
-		if (charon->traps->install(charon->traps, peer_cfg, child_cfg))
+		if (charon->traps->install(charon->traps, peer_cfg, child_cfg, 0))
 		{
 			fprintf(out, "'%s' routed\n", name);
 		}
diff --git a/src/libcharon/plugins/stroke/stroke_cred.c b/src/libcharon/plugins/stroke/stroke_cred.c
index eda746f7e..8d0001271 100644
--- a/src/libcharon/plugins/stroke/stroke_cred.c
+++ b/src/libcharon/plugins/stroke/stroke_cred.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2008-2012 Tobias Brunner
+ * Copyright (C) 2008-2013 Tobias Brunner
  * Copyright (C) 2008 Martin Willi
  * Hochschule fuer Technik Rapperswil
  *
@@ -32,6 +32,7 @@
 #include <credentials/certificates/x509.h>
 #include <credentials/certificates/crl.h>
 #include <credentials/certificates/ac.h>
+#include <credentials/containers/pkcs12.h>
 #include <credentials/sets/mem_cred.h>
 #include <credentials/sets/callback_cred.h>
 #include <collections/linked_list.h>
@@ -72,7 +73,7 @@ struct private_stroke_cred_t {
 
 	/**
 	 * ignore missing CA basic constraint (i.e. treat all certificates in
-	 * ipsec.conf ca sections and ipsec.d/cacert as CA certificates)
+	 * ipsec.conf ca sections and ipsec.d/cacerts as CA certificates)
 	 */
 	bool force_ca_cert;
 
@@ -174,7 +175,7 @@ METHOD(stroke_cred_t, load_ca, certificate_t*,
 	certificate_t *cert = NULL;
 	char path[PATH_MAX];
 
-	if (strneq(filename, "%smartcard", strlen("%smartcard")))
+	if (strpfx(filename, "%smartcard"))
 	{
 		smartcard_format_t format;
 		char module[SC_PART_LEN], keyid[SC_PART_LEN];
@@ -225,7 +226,7 @@ METHOD(stroke_cred_t, load_ca, certificate_t*,
 			cert->destroy(cert);
 			return NULL;
 		}
-		DBG1(DBG_CFG, "  loaded ca certificate \"%Y\" from '%s",
+		DBG1(DBG_CFG, "  loaded ca certificate \"%Y\" from '%s'",
 			 cert->get_subject(cert), filename);
 		return this->creds->add_cert_ref(this->creds, TRUE, cert);
 	}
@@ -238,7 +239,7 @@ METHOD(stroke_cred_t, load_peer, certificate_t*,
 	certificate_t *cert = NULL;
 	char path[PATH_MAX];
 
-	if (strneq(filename, "%smartcard", strlen("%smartcard")))
+	if (strpfx(filename, "%smartcard"))
 	{
 		smartcard_format_t format;
 		char module[SC_PART_LEN], keyid[SC_PART_LEN];
@@ -279,29 +280,45 @@ METHOD(stroke_cred_t, load_peer, certificate_t*,
 }
 
 METHOD(stroke_cred_t, load_pubkey, certificate_t*,
-	private_stroke_cred_t *this, key_type_t type, char *filename,
-	identification_t *identity)
+	private_stroke_cred_t *this, char *filename, identification_t *identity)
 {
 	certificate_t *cert;
+	public_key_t *key;
 	char path[PATH_MAX];
+	builder_part_t build_part;
+	key_type_t type = KEY_ANY;
 
 	if (streq(filename, "%dns"))
 	{
-
+		return NULL;
+	}
+	if (strncaseeq(filename, "dns:", 4))
+	{	/* RFC 3110 format */
+		build_part = BUILD_BLOB_DNSKEY;
+		/* not a complete RR, only RSA supported */
+		type = KEY_RSA;
+		filename += 4;
+	}
+	else if (strncaseeq(filename, "ssh:", 4))
+	{	/* SSH key */
+		build_part = BUILD_BLOB_SSHKEY;
+		filename += 4;
+	}
+	else
+	{	/* try PKCS#1 by default */
+		build_part = BUILD_BLOB_ASN1_DER;
 	}
-	else if (strncaseeq(filename, "0x", 2) || strncaseeq(filename, "0s", 2))
+	if (strncaseeq(filename, "0x", 2) || strncaseeq(filename, "0s", 2))
 	{
-		chunk_t printable_key, rfc3110_key;
-		public_key_t *key;
+		chunk_t printable_key, raw_key;
 
 		printable_key = chunk_create(filename + 2, strlen(filename) - 2);
-		rfc3110_key = strncaseeq(filename, "0x", 2) ?
+		raw_key = strncaseeq(filename, "0x", 2) ?
 								 chunk_from_hex(printable_key, NULL) :
 								 chunk_from_base64(printable_key, NULL);
-		key = lib->creds->create(lib->creds, CRED_PUBLIC_KEY, KEY_RSA,
-								 BUILD_BLOB_DNSKEY, rfc3110_key,
-								 BUILD_END);
-		free(rfc3110_key.ptr);
+		key = lib->creds->create(lib->creds, CRED_PUBLIC_KEY, type,
+								 build_part, raw_key, BUILD_END);
+		chunk_free(&raw_key);
 		if (key)
 		{
 			cert = lib->creds->create(lib->creds, CRED_CERTIFICATE,
@@ -309,6 +326,7 @@ METHOD(stroke_cred_t, load_pubkey, certificate_t*,
 									  BUILD_PUBLIC_KEY, key,
 									  BUILD_SUBJECT, identity,
 									  BUILD_END);
+			type = key->get_type(key);
 			key->destroy(key);
 			if (cert)
 			{
@@ -318,8 +336,7 @@ METHOD(stroke_cred_t, load_pubkey, certificate_t*,
 				return cert;
 			}
 		}
-		DBG1(DBG_CFG, "  loading %N public key for \"%Y\" failed",
-			 key_type_names, type, identity);
+		DBG1(DBG_CFG, "  loading public key for \"%Y\" failed", identity);
 	}
 	else
 	{
@@ -340,12 +357,15 @@ METHOD(stroke_cred_t, load_pubkey, certificate_t*,
 		if (cert)
 		{
 			cert = this->creds->add_cert_ref(this->creds, TRUE, cert);
+			key = cert->get_public_key(cert);
+			type = key->get_type(key);
+			key->destroy(key);
 			DBG1(DBG_CFG, "  loaded %N public key for \"%Y\" from '%s'",
 				 key_type_names, type, identity, filename);
 			return cert;
 		}
-		DBG1(DBG_CFG, "  loading %N public key for \"%Y\" from '%s' failed",
-			 key_type_names, type, identity, filename);
+		DBG1(DBG_CFG, "  loading public key for \"%Y\" from '%s' failed",
+			 identity, filename);
 	}
 	return NULL;
 }
@@ -580,8 +600,12 @@ static err_t extract_secret(chunk_t *secret, chunk_t *line)
  * Data for passphrase callback
  */
 typedef struct {
+	/** cached passphrases */
+	mem_cred_t *cache;
 	/** socket we use for prompting */
 	FILE *prompt;
+	/** type of secret to unlock */
+	int type;
 	/** private key file */
 	char *path;
 	/** number of tries */
@@ -589,13 +613,15 @@ typedef struct {
 } passphrase_cb_data_t;
 
 /**
- * Callback function to receive Passphrases
+ * Callback function to receive passphrases
  */
 static shared_key_t* passphrase_cb(passphrase_cb_data_t *data,
-								shared_key_type_t type,
-								identification_t *me, identification_t *other,
-								id_match_t *match_me, id_match_t *match_other)
+								   shared_key_type_t type, identification_t *me,
+								   identification_t *other, id_match_t *match_me,
+								   id_match_t *match_other)
 {
+	static const int max_tries = 3;
+	shared_key_t *shared;
 	chunk_t secret;
 	char buf[256];
 
@@ -604,17 +630,23 @@ static shared_key_t* passphrase_cb(passphrase_cb_data_t *data,
 		return NULL;
 	}
 
+	data->try++;
+	if (data->try > max_tries + 1)
+	{	/* another builder might call this after we gave up, fail silently */
+		return NULL;
+	}
+	if (data->try > max_tries)
+	{
+		fprintf(data->prompt, "Passphrase invalid, giving up.\n");
+		return NULL;
+	}
 	if (data->try > 1)
 	{
-		if (data->try > 5)
-		{
-			fprintf(data->prompt, "PIN invalid, giving up.\n");
-			return NULL;
-		}
-		fprintf(data->prompt, "PIN invalid!\n");
+		fprintf(data->prompt, "Passphrase invalid!\n");
 	}
-	data->try++;
-	fprintf(data->prompt, "Private key '%s' is encrypted.\n", data->path);
+	fprintf(data->prompt, "%s '%s' is encrypted.\n",
+			data->type == CRED_PRIVATE_KEY ? "Private key" : "PKCS#12 file",
+			data->path);
 	fprintf(data->prompt, "Passphrase:\n");
 	if (fgets(buf, sizeof(buf), data->prompt))
 	{
@@ -630,7 +662,10 @@ static shared_key_t* passphrase_cb(passphrase_cb_data_t *data,
 			{
 				*match_other = ID_MATCH_NONE;
 			}
-			return shared_key_create(SHARED_PRIVATE_KEY_PASS, chunk_clone(secret));
+			shared = shared_key_create(SHARED_PRIVATE_KEY_PASS,
+									   chunk_clone(secret));
+			data->cache->add_shared(data->cache, shared->get_ref(shared), NULL);
+			return shared;
 		}
 	}
 	return NULL;
@@ -670,12 +705,12 @@ static shared_key_t* pin_cb(pin_cb_data_t *data, shared_key_type_t type,
 		return NULL;
 	}
 
+	data->try++;
 	if (data->try > 1)
 	{
 		fprintf(data->prompt, "PIN invalid, aborting.\n");
 		return NULL;
 	}
-	data->try++;
 	fprintf(data->prompt, "Login to '%s' required\n", data->card);
 	fprintf(data->prompt, "PIN:\n");
 	if (fgets(buf, sizeof(buf), data->prompt))
@@ -752,7 +787,7 @@ static bool load_pin(mem_cred_t *secrets, chunk_t line, int line_nr,
 	}
 
 	chunk = chunk_from_hex(chunk_create(keyid, strlen(keyid)), NULL);
-	if (secret.len == 7 && strneq(secret.ptr, "%prompt", 7))
+	if (secret.len == 7 && strpfx(secret.ptr, "%prompt"))
 	{
 		free(secret.ptr);
 		if (!prompt)
@@ -764,7 +799,7 @@ static bool load_pin(mem_cred_t *secrets, chunk_t line, int line_nr,
 		pin_data.prompt = prompt;
 		pin_data.card = smartcard;
 		pin_data.keyid = chunk;
-		pin_data.try = 1;
+		pin_data.try = 0;
 		cb = callback_cred_create_shared((void*)pin_cb, &pin_data);
 		lib->credmgr->add_local_set(lib->credmgr, &cb->set, FALSE);
 	}
@@ -802,15 +837,14 @@ static bool load_pin(mem_cred_t *secrets, chunk_t line, int line_nr,
 }
 
 /**
- * Load a private key
+ * Load a private key or PKCS#12 container from a file
  */
-static bool load_private(mem_cred_t *secrets, chunk_t line, int line_nr,
-						 FILE *prompt, key_type_t key_type)
+static bool load_from_file(chunk_t line, int line_nr, FILE *prompt,
+						   char *path, int type, int subtype,
+						   void **result)
 {
-	char path[PATH_MAX];
 	chunk_t filename;
 	chunk_t secret = chunk_empty;
-	private_key_t *key;
 
 	err_t ugh = extract_value(&filename, &line);
 
@@ -827,12 +861,12 @@ static bool load_private(mem_cred_t *secrets, chunk_t line, int line_nr,
 	if (*filename.ptr == '/')
 	{
 		/* absolute path name */
-		snprintf(path, sizeof(path), "%.*s", (int)filename.len, filename.ptr);
+		snprintf(path, PATH_MAX, "%.*s", (int)filename.len, filename.ptr);
 	}
 	else
 	{
 		/* relative path name */
-		snprintf(path, sizeof(path), "%s/%.*s", PRIVATE_KEY_DIR,
+		snprintf(path, PATH_MAX, "%s/%.*s", PRIVATE_KEY_DIR,
 				 (int)filename.len, filename.ptr);
 	}
 
@@ -846,32 +880,37 @@ static bool load_private(mem_cred_t *secrets, chunk_t line, int line_nr,
 			return FALSE;
 		}
 	}
-	if (secret.len == 7 && strneq(secret.ptr, "%prompt", 7))
+	if (secret.len == 7 && strpfx(secret.ptr, "%prompt"))
 	{
-		callback_cred_t *cb = NULL;
+		callback_cred_t *cb;
 		passphrase_cb_data_t pp_data = {
 			.prompt = prompt,
+			.type = type,
 			.path = path,
-			.try = 1,
+			.try = 0,
 		};
 
 		free(secret.ptr);
 		if (!prompt)
 		{
+			*result = NULL;
 			return TRUE;
 		}
+		/* add cache first so if valid passphrases are needed multiple times
+		 * the callback is not called anymore */
+		pp_data.cache = mem_cred_create();
+		lib->credmgr->add_local_set(lib->credmgr, &pp_data.cache->set, FALSE);
 		/* use callback credential set to prompt for the passphrase */
-		pp_data.prompt = prompt;
-		pp_data.path = path;
-		pp_data.try = 1;
 		cb = callback_cred_create_shared((void*)passphrase_cb, &pp_data);
 		lib->credmgr->add_local_set(lib->credmgr, &cb->set, FALSE);
 
-		key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, key_type,
-								 BUILD_FROM_FILE, path, BUILD_END);
+		*result = lib->creds->create(lib->creds, type, subtype,
+									 BUILD_FROM_FILE, path, BUILD_END);
 
 		lib->credmgr->remove_local_set(lib->credmgr, &cb->set);
 		cb->destroy(cb);
+		lib->credmgr->remove_local_set(lib->credmgr, &pp_data.cache->set);
+		pp_data.cache->destroy(pp_data.cache);
 	}
 	else
 	{
@@ -882,14 +921,44 @@ static bool load_private(mem_cred_t *secrets, chunk_t line, int line_nr,
 		shared = shared_key_create(SHARED_PRIVATE_KEY_PASS, secret);
 		mem = mem_cred_create();
 		mem->add_shared(mem, shared, NULL);
+		if (eat_whitespace(&line))
+		{	/* if there is a second passphrase add that too, could be needed for
+			 * PKCS#12 files using different passwords for MAC and encryption */
+			ugh = extract_secret(&secret, &line);
+			if (ugh != NULL)
+			{
+				DBG1(DBG_CFG, "line %d: malformed passphrase: %s", line_nr, ugh);
+				mem->destroy(mem);
+				return FALSE;
+			}
+			shared = shared_key_create(SHARED_PRIVATE_KEY_PASS, secret);
+			mem->add_shared(mem, shared, NULL);
+		}
 		lib->credmgr->add_local_set(lib->credmgr, &mem->set, FALSE);
 
-		key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, key_type,
-								 BUILD_FROM_FILE, path, BUILD_END);
+		*result = lib->creds->create(lib->creds, type, subtype,
+									 BUILD_FROM_FILE, path, BUILD_END);
 
 		lib->credmgr->remove_local_set(lib->credmgr, &mem->set);
 		mem->destroy(mem);
 	}
+	return TRUE;
+}
+
+/**
+ * Load a private key
+ */
+static bool load_private(mem_cred_t *secrets, chunk_t line, int line_nr,
+						 FILE *prompt, key_type_t key_type)
+{
+	char path[PATH_MAX];
+	private_key_t *key;
+
+	if (!load_from_file(line, line_nr, prompt, path, CRED_PRIVATE_KEY,
+						key_type, (void**)&key))
+	{
+		return FALSE;
+	}
 	if (key)
 	{
 		DBG1(DBG_CFG, "  loaded %N private key from '%s'",
@@ -903,6 +972,58 @@ static bool load_private(mem_cred_t *secrets, chunk_t line, int line_nr,
 	return TRUE;
 }
 
+/**
+ * Load a PKCS#12 container
+ */
+static bool load_pkcs12(private_stroke_cred_t *this, mem_cred_t *secrets,
+						chunk_t line, int line_nr, FILE *prompt)
+{
+	enumerator_t *enumerator;
+	char path[PATH_MAX];
+	certificate_t *cert;
+	private_key_t *key;
+	pkcs12_t *pkcs12;
+
+	if (!load_from_file(line, line_nr, prompt, path, CRED_CONTAINER,
+						CONTAINER_PKCS12, (void**)&pkcs12))
+	{
+		return FALSE;
+	}
+	if (!pkcs12)
+	{
+		DBG1(DBG_CFG, "  loading credentials from '%s' failed", path);
+		return TRUE;
+	}
+	enumerator = pkcs12->create_cert_enumerator(pkcs12);
+	while (enumerator->enumerate(enumerator, &cert))
+	{
+		x509_t *x509 = (x509_t*)cert;
+
+		if (x509->get_flags(x509) & X509_CA)
+		{
+			DBG1(DBG_CFG, "  loaded ca certificate \"%Y\" from '%s'",
+				 cert->get_subject(cert), path);
+		}
+		else
+		{
+			DBG1(DBG_CFG, "  loaded certificate \"%Y\" from '%s'",
+				 cert->get_subject(cert), path);
+		}
+		this->creds->add_cert(this->creds, TRUE, cert->get_ref(cert));
+	}
+	enumerator->destroy(enumerator);
+	enumerator = pkcs12->create_key_enumerator(pkcs12);
+	while (enumerator->enumerate(enumerator, &key))
+	{
+		DBG1(DBG_CFG, "  loaded %N private key from '%s'",
+			 key_type_names, key->get_type(key), path);
+		secrets->add_key(secrets, key->get_ref(key));
+	}
+	enumerator->destroy(enumerator);
+	pkcs12->container.destroy(&pkcs12->container);
+	return TRUE;
+}
+
 /**
  * Load a shared key
  */
@@ -1021,8 +1142,7 @@ static void load_secrets(private_stroke_cred_t *this, mem_cred_t *secrets,
 		{
 			continue;
 		}
-		if (line.len > strlen("include ") &&
-			strneq(line.ptr, "include ", strlen("include ")))
+		if (line.len > strlen("include ") && strpfx(line.ptr, "include "))
 		{
 			char **expanded, *dir, pattern[PATH_MAX];
 			u_char *pos;
@@ -1090,7 +1210,7 @@ static void load_secrets(private_stroke_cred_t *this, mem_cred_t *secrets,
 			continue;
 		}
 
-		if (line.len > 2 && strneq(": ", line.ptr, 2))
+		if (line.len > 2 && strpfx(line.ptr, ": "))
 		{
 			/* no ids, skip the ':' */
 			ids = chunk_empty;
@@ -1121,6 +1241,13 @@ static void load_secrets(private_stroke_cred_t *this, mem_cred_t *secrets,
 				break;
 			}
 		}
+		else if (match("P12", &token))
+		{
+			if (!load_pkcs12(this, secrets, line, line_nr, prompt))
+			{
+				break;
+			}
+		}
 		else if (match("PIN", &token))
 		{
 			if (!load_pin(secrets, line, line_nr, prompt))
@@ -1141,7 +1268,7 @@ static void load_secrets(private_stroke_cred_t *this, mem_cred_t *secrets,
 		else
 		{
 			DBG1(DBG_CFG, "line %d: token must be either "
-				 "RSA, ECDSA, PSK, EAP, XAUTH or PIN", line_nr);
+				 "RSA, ECDSA, P12, PIN, PSK, EAP, XAUTH or NTLM", line_nr);
 			break;
 		}
 	}
diff --git a/src/libcharon/plugins/stroke/stroke_cred.h b/src/libcharon/plugins/stroke/stroke_cred.h
index c37d05808..f6fbb96d3 100644
--- a/src/libcharon/plugins/stroke/stroke_cred.h
+++ b/src/libcharon/plugins/stroke/stroke_cred.h
@@ -68,13 +68,12 @@ struct stroke_cred_t {
 	/**
 	 * Load a raw public key and serve it through the credential_set.
 	 *
-	 * @param type			type of the raw public key (RSA or ECDSA)
-	 * @param filename		file to load raw public key from
+	 * @param filename		encoding or file to load raw public key from
 	 * @param identity		identity of the raw public key owner
 	 * @return				reference to loaded raw public key, or NULL
 	 */
-	certificate_t* (*load_pubkey)(stroke_cred_t *this, key_type_t type,
-								  char *filename, identification_t *identity);
+	certificate_t* (*load_pubkey)(stroke_cred_t *this, char *filename,
+								  identification_t *identity);
 
 	/**
 	 * Add a shared secret to serve through the credential_set.
diff --git a/src/libcharon/plugins/stroke/stroke_list.c b/src/libcharon/plugins/stroke/stroke_list.c
index a2e1c80a5..e81f3fc32 100644
--- a/src/libcharon/plugins/stroke/stroke_list.c
+++ b/src/libcharon/plugins/stroke/stroke_list.c
@@ -207,8 +207,10 @@ static void log_child_sa(FILE *out, child_sa_t *child_sa, bool all)
 	time_t use_in, use_out, rekey, now;
 	u_int64_t bytes_in, bytes_out, packets_in, packets_out;
 	proposal_t *proposal;
-	child_cfg_t *config = child_sa->get_config(child_sa);
+	linked_list_t *my_ts, *other_ts;
+	child_cfg_t *config;
 
+	config = child_sa->get_config(child_sa);
 	now = time_monotonic(NULL);
 
 	fprintf(out, "%12s{%d}:  %N, %N%s",
@@ -319,10 +321,15 @@ static void log_child_sa(FILE *out, child_sa_t *child_sa, bool all)
 		fprintf(out, ", expires in %V", &now, &rekey);
 	}
 
+	my_ts = linked_list_create_from_enumerator(
+							child_sa->create_ts_enumerator(child_sa, TRUE));
+	other_ts = linked_list_create_from_enumerator(
+							child_sa->create_ts_enumerator(child_sa, FALSE));
 	fprintf(out, "\n%12s{%d}:   %#R=== %#R\n",
 			child_sa->get_name(child_sa), child_sa->get_reqid(child_sa),
-			child_sa->get_traffic_selectors(child_sa, TRUE),
-			child_sa->get_traffic_selectors(child_sa, FALSE));
+			my_ts, other_ts);
+	my_ts->destroy(my_ts);
+	other_ts->destroy(other_ts);
 }
 
 /**
@@ -1364,6 +1371,7 @@ static void list_plugins(FILE *out)
 				free(str);
 			}
 		}
+		list->destroy(list);
 	}
 	enumerator->destroy(enumerator);
 }
diff --git a/src/libcharon/plugins/stroke/stroke_plugin.c b/src/libcharon/plugins/stroke/stroke_plugin.c
index 4e47a120d..31df1f99b 100644
--- a/src/libcharon/plugins/stroke/stroke_plugin.c
+++ b/src/libcharon/plugins/stroke/stroke_plugin.c
@@ -51,12 +51,13 @@ static bool register_stroke(private_stroke_plugin_t *this,
 	if (reg)
 	{
 		this->socket = stroke_socket_create();
+		return this->socket != NULL;
 	}
 	else
 	{
 		DESTROY_IF(this->socket);
+		return TRUE;
 	}
-	return TRUE;
 }
 
 METHOD(plugin_t, get_features, int,
@@ -104,4 +105,3 @@ plugin_t *stroke_plugin_create()
 
 	return &this->public.plugin;
 }
-
diff --git a/src/libcharon/plugins/stroke/stroke_socket.c b/src/libcharon/plugins/stroke/stroke_socket.c
index aa5c73b8b..88f73f3b0 100644
--- a/src/libcharon/plugins/stroke/stroke_socket.c
+++ b/src/libcharon/plugins/stroke/stroke_socket.c
@@ -26,11 +26,6 @@
 
 #include <hydra.h>
 #include <daemon.h>
-#include <threading/mutex.h>
-#include <threading/thread.h>
-#include <threading/condvar.h>
-#include <collections/linked_list.h>
-#include <processing/jobs/callback_job.h>
 
 #include "stroke_config.h"
 #include "stroke_control.h"
@@ -61,34 +56,9 @@ struct private_stroke_socket_t {
 	stroke_socket_t public;
 
 	/**
-	 * Unix socket to listen for strokes
+	 * Service accepting stroke connections
 	 */
-	int socket;
-
-	/**
-	 * queued stroke commands
-	 */
-	linked_list_t *commands;
-
-	/**
-	 * lock for command list
-	 */
-	mutex_t *mutex;
-
-	/**
-	 * condvar to signal the arrival or completion of commands
-	 */
-	condvar_t *condvar;
-
-	/**
-	 * the number of currently handled commands
-	 */
-	u_int handling;
-
-	/**
-	 * the maximum number of concurrently handled commands
-	 */
-	u_int max_concurrent;
+	stream_service_t *service;
 
 	/**
 	 * configuration backend
@@ -131,22 +101,6 @@ struct private_stroke_socket_t {
 	stroke_counter_t *counter;
 };
 
-/**
- * job context to pass to processing thread
- */
-struct stroke_job_context_t {
-
-	/**
-	 * file descriptor to read from
-	 */
-	int fd;
-
-	/**
-	 * global stroke interface
-	 */
-	private_stroke_socket_t *this;
-};
-
 /**
  * Helper function which corrects the string pointers
  * in a stroke_msg_t. Strings in a stroke_msg sent over "wire"
@@ -431,6 +385,20 @@ static void stroke_purge(private_stroke_socket_t *this,
 	}
 }
 
+/**
+ * Print a certificate in PEM to out
+ */
+static void print_pem_cert(FILE *out, certificate_t *cert)
+{
+	chunk_t encoded;
+
+	if (cert->get_encoding(cert, CERT_PEM, &encoded))
+	{
+		fprintf(out, "%.*s", (int)encoded.len, encoded.ptr);
+		free(encoded.ptr);
+	}
+}
+
 /**
  * Export in-memory credentials
  */
@@ -444,22 +412,67 @@ static void stroke_export(private_stroke_socket_t *this,
 		enumerator_t *enumerator;
 		identification_t *id;
 		certificate_t *cert;
-		chunk_t encoded;
 
 		id = identification_create_from_string(msg->export.selector);
 		enumerator = lib->credmgr->create_cert_enumerator(lib->credmgr,
 												CERT_X509, KEY_ANY, id, FALSE);
 		while (enumerator->enumerate(enumerator, &cert))
 		{
-			if (cert->get_encoding(cert, CERT_PEM, &encoded))
-			{
-				fprintf(out, "%.*s", (int)encoded.len, encoded.ptr);
-				free(encoded.ptr);
-			}
+			print_pem_cert(out, cert);
 		}
 		enumerator->destroy(enumerator);
 		id->destroy(id);
 	}
+
+	if (msg->export.flags & (EXPORT_CONN_CERT | EXPORT_CONN_CHAIN))
+	{
+		enumerator_t *sas, *auths, *certs;
+		ike_sa_t *ike_sa;
+		auth_cfg_t *auth;
+		certificate_t *cert;
+		auth_rule_t rule;
+
+		sas = charon->ike_sa_manager->create_enumerator(
+												charon->ike_sa_manager, TRUE);
+		while (sas->enumerate(sas, &ike_sa))
+		{
+			if (streq(msg->export.selector, ike_sa->get_name(ike_sa)))
+			{
+				auths = ike_sa->create_auth_cfg_enumerator(ike_sa, FALSE);
+				while (auths->enumerate(auths, &auth))
+				{
+					bool got_subject = FALSE;
+
+					certs = auth->create_enumerator(auth);
+					while (certs->enumerate(certs, &rule, &cert))
+					{
+						switch (rule)
+						{
+							case AUTH_RULE_CA_CERT:
+							case AUTH_RULE_IM_CERT:
+								if (msg->export.flags & EXPORT_CONN_CHAIN)
+								{
+									print_pem_cert(out, cert);
+								}
+								break;
+							case AUTH_RULE_SUBJECT_CERT:
+								if (!got_subject)
+								{
+									print_pem_cert(out, cert);
+									got_subject = TRUE;
+								}
+								break;
+							default:
+								break;
+						}
+					}
+					certs->destroy(certs);
+				}
+				auths->destroy(auths);
+			}
+		}
+		sas->destroy(sas);
+	}
 }
 
 /**
@@ -557,68 +570,47 @@ static void stroke_config(private_stroke_socket_t *this,
 }
 
 /**
- * destroy a job context
- */
-static void stroke_job_context_destroy(stroke_job_context_t *this)
-{
-	if (this->fd)
-	{
-		close(this->fd);
-	}
-	free(this);
-}
-
-/**
- * called to signal the completion of a command
- */
-static inline job_requeue_t job_processed(private_stroke_socket_t *this)
-{
-	this->mutex->lock(this->mutex);
-	this->handling--;
-	this->condvar->signal(this->condvar);
-	this->mutex->unlock(this->mutex);
-	return JOB_REQUEUE_NONE;
-}
-
-/**
- * process a stroke request from the socket pointed by "fd"
+ * process a stroke request
  */
-static job_requeue_t process(stroke_job_context_t *ctx)
+static bool on_accept(private_stroke_socket_t *this, stream_t *stream)
 {
 	stroke_msg_t *msg;
-	u_int16_t msg_length;
-	ssize_t bytes_read;
+	u_int16_t len;
 	FILE *out;
-	private_stroke_socket_t *this = ctx->this;
-	int strokefd = ctx->fd;
 
-	/* peek the length */
-	bytes_read = recv(strokefd, &msg_length, sizeof(msg_length), MSG_PEEK);
-	if (bytes_read != sizeof(msg_length))
+	/* read length */
+	if (!stream->read_all(stream, &len, sizeof(len)))
 	{
-		DBG1(DBG_CFG, "reading length of stroke message failed: %s",
-			 strerror(errno));
-		return job_processed(this);
+		if (errno != EWOULDBLOCK)
+		{
+			DBG1(DBG_CFG, "reading length of stroke message failed: %s",
+				 strerror(errno));
+		}
+		return FALSE;
 	}
 
 	/* read message */
-	msg = alloca(msg_length);
-	bytes_read = recv(strokefd, msg, msg_length, 0);
-	if (bytes_read != msg_length)
+	msg = malloc(len);
+	msg->length = len;
+	if (!stream->read_all(stream, (char*)msg + sizeof(len), len - sizeof(len)))
 	{
-		DBG1(DBG_CFG, "reading stroke message failed: %s", strerror(errno));
-		return job_processed(this);
+		if (errno != EWOULDBLOCK)
+		{
+			DBG1(DBG_CFG, "reading stroke message failed: %s", strerror(errno));
+		}
+		free(msg);
+		return FALSE;
 	}
 
-	out = fdopen(strokefd, "w+");
-	if (out == NULL)
+	DBG3(DBG_CFG, "stroke message %b", (void*)msg, len);
+
+	out = stream->get_file(stream);
+	if (!out)
 	{
-		DBG1(DBG_CFG, "opening stroke output channel failed: %s", strerror(errno));
-		return job_processed(this);
+		DBG1(DBG_CFG, "creating stroke output stream failed");
+		free(msg);
+		return FALSE;
 	}
-
-	DBG3(DBG_CFG, "stroke message %b", (void*)msg, msg_length);
-
 	switch (msg->type)
 	{
 		case STR_INITIATE:
@@ -694,123 +686,15 @@ static job_requeue_t process(stroke_job_context_t *ctx)
 			DBG1(DBG_CFG, "received unknown stroke");
 			break;
 	}
+	free(msg);
 	fclose(out);
-	/* fclose() closes underlying FD */
-	ctx->fd = 0;
-	return job_processed(this);
-}
-
-/**
- * Handle queued stroke commands
- */
-static job_requeue_t handle(private_stroke_socket_t *this)
-{
-	stroke_job_context_t *ctx;
-	callback_job_t *job;
-	bool oldstate;
-
-	this->mutex->lock(this->mutex);
-	thread_cleanup_push((thread_cleanup_t)this->mutex->unlock, this->mutex);
-	oldstate = thread_cancelability(TRUE);
-	while (this->commands->get_count(this->commands) == 0 ||
-		   this->handling >= this->max_concurrent)
-	{
-		this->condvar->wait(this->condvar, this->mutex);
-	}
-	thread_cancelability(oldstate);
-	this->commands->remove_first(this->commands, (void**)&ctx);
-	this->handling++;
-	thread_cleanup_pop(TRUE);
-	job = callback_job_create_with_prio((callback_job_cb_t)process, ctx,
-			(void*)stroke_job_context_destroy, NULL, JOB_PRIO_HIGH);
-	lib->processor->queue_job(lib->processor, (job_t*)job);
-	return JOB_REQUEUE_DIRECT;
-}
-
-/**
- * Accept stroke commands and queue them to be handled
- */
-static job_requeue_t receive(private_stroke_socket_t *this)
-{
-	struct sockaddr_un strokeaddr;
-	int strokeaddrlen = sizeof(strokeaddr);
-	int strokefd;
-	bool oldstate;
-	stroke_job_context_t *ctx;
-
-	oldstate = thread_cancelability(TRUE);
-	strokefd = accept(this->socket, (struct sockaddr *)&strokeaddr, &strokeaddrlen);
-	thread_cancelability(oldstate);
-
-	if (strokefd < 0)
-	{
-		DBG1(DBG_CFG, "accepting stroke connection failed: %s", strerror(errno));
-		return JOB_REQUEUE_FAIR;
-	}
-
-	INIT(ctx,
-		.fd = strokefd,
-		.this = this,
-	);
-	this->mutex->lock(this->mutex);
-	this->commands->insert_last(this->commands, ctx);
-	this->condvar->signal(this->condvar);
-	this->mutex->unlock(this->mutex);
-
-	return JOB_REQUEUE_FAIR;
-}
-
-/**
- * initialize and open stroke socket
- */
-static bool open_socket(private_stroke_socket_t *this)
-{
-	struct sockaddr_un socket_addr;
-	mode_t old;
-
-	socket_addr.sun_family = AF_UNIX;
-	strcpy(socket_addr.sun_path, STROKE_SOCKET);
-
-	/* set up unix socket */
-	this->socket = socket(AF_UNIX, SOCK_STREAM, 0);
-	if (this->socket == -1)
-	{
-		DBG1(DBG_CFG, "could not create stroke socket");
-		return FALSE;
-	}
-
-	unlink(socket_addr.sun_path);
-	old = umask(~(S_IRWXU | S_IRWXG));
-	if (bind(this->socket, (struct sockaddr *)&socket_addr, sizeof(socket_addr)) < 0)
-	{
-		DBG1(DBG_CFG, "could not bind stroke socket: %s", strerror(errno));
-		close(this->socket);
-		return FALSE;
-	}
-	umask(old);
-	if (chown(socket_addr.sun_path, charon->caps->get_uid(charon->caps),
-			  charon->caps->get_gid(charon->caps)) != 0)
-	{
-		DBG1(DBG_CFG, "changing stroke socket permissions failed: %s",
-			 strerror(errno));
-	}
-
-	if (listen(this->socket, 10) < 0)
-	{
-		DBG1(DBG_CFG, "could not listen on stroke socket: %s", strerror(errno));
-		close(this->socket);
-		unlink(socket_addr.sun_path);
-		return FALSE;
-	}
-	return TRUE;
+	return FALSE;
 }
 
 METHOD(stroke_socket_t, destroy, void,
 	private_stroke_socket_t *this)
 {
-	this->commands->destroy_function(this->commands, (void*)stroke_job_context_destroy);
-	this->condvar->destroy(this->condvar);
-	this->mutex->destroy(this->mutex);
+	DESTROY_IF(this->service);
 	lib->credmgr->remove_set(lib->credmgr, &this->ca->set);
 	lib->credmgr->remove_set(lib->credmgr, &this->cred->set);
 	charon->backends->remove_backend(charon->backends, &this->config->backend);
@@ -834,6 +718,8 @@ METHOD(stroke_socket_t, destroy, void,
 stroke_socket_t *stroke_socket_create()
 {
 	private_stroke_socket_t *this;
+	int max_concurrent;
+	char *uri;
 
 	INIT(this,
 		.public = {
@@ -841,12 +727,6 @@ stroke_socket_t *stroke_socket_create()
 		},
 	);
 
-	if (!open_socket(this))
-	{
-		free(this);
-		return NULL;
-	}
-
 	this->cred = stroke_cred_create();
 	this->attribute = stroke_attribute_create();
 	this->handler = stroke_handler_create();
@@ -856,13 +736,6 @@ stroke_socket_t *stroke_socket_create()
 	this->list = stroke_list_create(this->attribute);
 	this->counter = stroke_counter_create();
 
-	this->mutex = mutex_create(MUTEX_TYPE_DEFAULT);
-	this->condvar = condvar_create(CONDVAR_TYPE_DEFAULT);
-	this->commands = linked_list_create();
-	this->max_concurrent = lib->settings->get_int(lib->settings,
-					"%s.plugins.stroke.max_concurrent", MAX_CONCURRENT_DEFAULT,
-					charon->name);
-
 	lib->credmgr->add_set(lib->credmgr, &this->ca->set);
 	lib->credmgr->add_set(lib->credmgr, &this->cred->set);
 	charon->backends->add_backend(charon->backends, &this->config->backend);
@@ -870,13 +743,20 @@ stroke_socket_t *stroke_socket_create()
 	hydra->attributes->add_handler(hydra->attributes, &this->handler->handler);
 	charon->bus->add_listener(charon->bus, &this->counter->listener);
 
-	lib->processor->queue_job(lib->processor,
-		(job_t*)callback_job_create_with_prio((callback_job_cb_t)receive, this,
-				NULL, (callback_job_cancel_t)return_false, JOB_PRIO_CRITICAL));
-
-	lib->processor->queue_job(lib->processor,
-		(job_t*)callback_job_create_with_prio((callback_job_cb_t)handle, this,
-				NULL, (callback_job_cancel_t)return_false, JOB_PRIO_CRITICAL));
+	max_concurrent = lib->settings->get_int(lib->settings,
+			"%s.plugins.stroke.max_concurrent", MAX_CONCURRENT_DEFAULT,
+			charon->name);
+	uri = lib->settings->get_str(lib->settings,
+			"%s.plugins.stroke.socket", "unix://" STROKE_SOCKET, charon->name);
+	this->service = lib->streams->create_service(lib->streams, uri, 10);
+	if (!this->service)
+	{
+		DBG1(DBG_CFG, "creating stroke socket failed");
+		destroy(this);
+		return NULL;
+	}
+	this->service->on_accept(this->service, (stream_service_cb_t)on_accept,
+							 this, JOB_PRIO_CRITICAL, max_concurrent);
 
 	return &this->public;
 }
diff --git a/src/libcharon/plugins/systime_fix/Makefile.am b/src/libcharon/plugins/systime_fix/Makefile.am
index a1f843db7..40a346440 100644
--- a/src/libcharon/plugins/systime_fix/Makefile.am
+++ b/src/libcharon/plugins/systime_fix/Makefile.am
@@ -1,5 +1,6 @@
-
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon
 
 if MONOLITHIC
diff --git a/src/libcharon/plugins/systime_fix/Makefile.in b/src/libcharon/plugins/systime_fix/Makefile.in
index ab4d1b9ad..de4ef8b36 100644
--- a/src/libcharon/plugins/systime_fix/Makefile.in
+++ b/src/libcharon/plugins/systime_fix/Makefile.in
@@ -62,7 +62,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
@@ -103,7 +103,10 @@ am_libstrongswan_systime_fix_la_OBJECTS = systime_fix_validator.lo \
 	systime_fix_plugin.lo
 libstrongswan_systime_fix_la_OBJECTS =  \
 	$(am_libstrongswan_systime_fix_la_OBJECTS)
-libstrongswan_systime_fix_la_LINK = $(LIBTOOL) --tag=CC \
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+libstrongswan_systime_fix_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
 	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
 	$(AM_CFLAGS) $(CFLAGS) $(libstrongswan_systime_fix_la_LDFLAGS) \
 	$(LDFLAGS) -o $@
@@ -116,13 +119,26 @@ am__depfiles_maybe = depfiles
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
 SOURCES = $(libstrongswan_systime_fix_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_systime_fix_la_SOURCES)
 am__can_run_installinfo = \
@@ -136,6 +152,7 @@ DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
@@ -148,6 +165,8 @@ CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
 CHECK_CFLAGS = @CHECK_CFLAGS@
 CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -163,6 +182,7 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
 GPRBUILD = @GPRBUILD@
 GREP = @GREP@
@@ -171,6 +191,7 @@ INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -217,6 +238,7 @@ SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -245,6 +267,7 @@ charon_natt_port = @charon_natt_port@
 charon_plugins = @charon_plugins@
 charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
@@ -322,7 +345,9 @@ top_srcdir = @top_srcdir@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon
 
 @MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-systime-fix.la
@@ -408,7 +433,7 @@ clean-pluginLTLIBRARIES:
 	  rm -f "$${dir}/so_locations"; \
 	done
 libstrongswan-systime-fix.la: $(libstrongswan_systime_fix_la_OBJECTS) $(libstrongswan_systime_fix_la_DEPENDENCIES) $(EXTRA_libstrongswan_systime_fix_la_DEPENDENCIES) 
-	$(libstrongswan_systime_fix_la_LINK) $(am_libstrongswan_systime_fix_la_rpath) $(libstrongswan_systime_fix_la_OBJECTS) $(libstrongswan_systime_fix_la_LIBADD) $(LIBS)
+	$(AM_V_CCLD)$(libstrongswan_systime_fix_la_LINK) $(am_libstrongswan_systime_fix_la_rpath) $(libstrongswan_systime_fix_la_OBJECTS) $(libstrongswan_systime_fix_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -420,25 +445,25 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/systime_fix_validator.Plo@am__quote@
 
 .c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
 mostlyclean-libtool:
 	-rm -f *.lo
diff --git a/src/libcharon/plugins/systime_fix/systime_fix_plugin.c b/src/libcharon/plugins/systime_fix/systime_fix_plugin.c
index 7727ba03b..c8596114c 100644
--- a/src/libcharon/plugins/systime_fix/systime_fix_plugin.c
+++ b/src/libcharon/plugins/systime_fix/systime_fix_plugin.c
@@ -1,4 +1,7 @@
 /*
+ * Copyright (C) 2013 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
  * Copyright (C) 2013 Martin Willi
  * Copyright (C) 2013 revosec AG
  *
@@ -68,17 +71,6 @@ METHOD(plugin_t, get_name, char*,
 	return "systime-fix";
 }
 
-METHOD(plugin_t, destroy, void,
-	private_systime_fix_plugin_t *this)
-{
-	if (this->validator)
-	{
-		lib->credmgr->remove_validator(lib->credmgr, &this->validator->validator);
-		this->validator->destroy(this->validator);
-	}
-	free(this);
-}
-
 /**
  * Check if all certificates associated to an IKE_SA have valid lifetimes
  */
@@ -215,11 +207,57 @@ static bool load_validator(private_systime_fix_plugin_t *this)
 
 	DBG1(DBG_CFG, "enabling %s, threshold: %s", get_name(this), asctime(&tm));
 	this->validator = systime_fix_validator_create(this->threshold);
-	lib->credmgr->add_validator(lib->credmgr, &this->validator->validator);
+	return TRUE;
+}
 
+/**
+ * Load validator
+ */
+static bool plugin_cb(private_systime_fix_plugin_t *this,
+					  plugin_feature_t *feature, bool reg, void *cb_data)
+{
+	if (reg)
+	{
+		if (!load_validator(this))
+		{
+			return FALSE;
+		}
+		lib->credmgr->add_validator(lib->credmgr, &this->validator->validator);
+		if (this->interval != 0)
+		{
+			DBG1(DBG_CFG, "starting systime check, interval: %ds",
+				 this->interval);
+			lib->scheduler->schedule_job(lib->scheduler, (job_t*)
+					callback_job_create((callback_job_cb_t)check_systime,
+										this, NULL, NULL), this->interval);
+		}
+	}
+	else
+	{
+		lib->credmgr->remove_validator(lib->credmgr,
+									   &this->validator->validator);
+		this->validator->destroy(this->validator);
+	}
 	return TRUE;
 }
 
+METHOD(plugin_t, get_features, int,
+	private_systime_fix_plugin_t *this, plugin_feature_t *features[])
+{
+	static plugin_feature_t f[] = {
+		PLUGIN_CALLBACK((plugin_feature_callback_t)plugin_cb, NULL),
+			PLUGIN_PROVIDE(CUSTOM, "systime-fix"),
+	};
+	*features = f;
+	return countof(f);
+}
+
+METHOD(plugin_t, destroy, void,
+	private_systime_fix_plugin_t *this)
+{
+	free(this);
+}
+
 /**
  * Plugin constructor
  */
@@ -231,7 +269,7 @@ plugin_t *systime_fix_plugin_create()
 		.public = {
 			.plugin = {
 				.get_name = _get_name,
-				.reload = (void*)return_false,
+				.get_features = _get_features,
 				.destroy = _destroy,
 			},
 		},
@@ -241,16 +279,5 @@ plugin_t *systime_fix_plugin_create()
 				"%s.plugins.%s.reauth", FALSE, charon->name, get_name(this)),
 	);
 
-	if (load_validator(this))
-	{
-		if (this->interval != 0)
-		{
-			DBG1(DBG_CFG, "starting systime check, interval: %ds",
-				 this->interval);
-			lib->scheduler->schedule_job(lib->scheduler, (job_t*)
-					callback_job_create((callback_job_cb_t)check_systime, this,
-										NULL, NULL), this->interval);
-		}
-	}
 	return &this->public.plugin;
 }
diff --git a/src/libcharon/plugins/tnc_ifmap/Makefile.am b/src/libcharon/plugins/tnc_ifmap/Makefile.am
index 36d9316d7..dfbb1b632 100644
--- a/src/libcharon/plugins/tnc_ifmap/Makefile.am
+++ b/src/libcharon/plugins/tnc_ifmap/Makefile.am
@@ -1,12 +1,12 @@
-
-INCLUDES = \
+AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
 	-I$(top_srcdir)/src/libtls \
 	-I$(top_srcdir)/src/libhydra \
-	-I$(top_srcdir)/src/libcharon \
-	${xml_CFLAGS}
+	-I$(top_srcdir)/src/libcharon
 
-AM_CFLAGS = -rdynamic
+AM_CFLAGS = \
+	${xml_CFLAGS} \
+	-rdynamic
 
 if MONOLITHIC
 noinst_LTLIBRARIES = libstrongswan-tnc-ifmap.la
@@ -26,4 +26,3 @@ libstrongswan_tnc_ifmap_la_SOURCES = \
 	tnc_ifmap_renew_session_job.h tnc_ifmap_renew_session_job.c
 
 libstrongswan_tnc_ifmap_la_LDFLAGS = -module -avoid-version
-
diff --git a/src/libcharon/plugins/tnc_ifmap/Makefile.in b/src/libcharon/plugins/tnc_ifmap/Makefile.in
index ed3775e9d..6bb68b32c 100644
--- a/src/libcharon/plugins/tnc_ifmap/Makefile.in
+++ b/src/libcharon/plugins/tnc_ifmap/Makefile.in
@@ -62,7 +62,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
@@ -106,7 +106,10 @@ am_libstrongswan_tnc_ifmap_la_OBJECTS = tnc_ifmap_plugin.lo \
 	tnc_ifmap_http.lo tnc_ifmap_renew_session_job.lo
 libstrongswan_tnc_ifmap_la_OBJECTS =  \
 	$(am_libstrongswan_tnc_ifmap_la_OBJECTS)
-libstrongswan_tnc_ifmap_la_LINK = $(LIBTOOL) --tag=CC \
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+libstrongswan_tnc_ifmap_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
 	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
 	$(AM_CFLAGS) $(CFLAGS) $(libstrongswan_tnc_ifmap_la_LDFLAGS) \
 	$(LDFLAGS) -o $@
@@ -119,13 +122,26 @@ am__depfiles_maybe = depfiles
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
 SOURCES = $(libstrongswan_tnc_ifmap_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_tnc_ifmap_la_SOURCES)
 am__can_run_installinfo = \
@@ -139,6 +155,7 @@ DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
@@ -151,6 +168,8 @@ CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
 CHECK_CFLAGS = @CHECK_CFLAGS@
 CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -166,6 +185,7 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
 GPRBUILD = @GPRBUILD@
 GREP = @GREP@
@@ -174,6 +194,7 @@ INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -220,6 +241,7 @@ SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -248,6 +270,7 @@ charon_natt_port = @charon_natt_port@
 charon_plugins = @charon_plugins@
 charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
@@ -325,14 +348,16 @@ top_srcdir = @top_srcdir@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-INCLUDES = \
+AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
 	-I$(top_srcdir)/src/libtls \
 	-I$(top_srcdir)/src/libhydra \
-	-I$(top_srcdir)/src/libcharon \
-	${xml_CFLAGS}
+	-I$(top_srcdir)/src/libcharon
+
+AM_CFLAGS = \
+	${xml_CFLAGS} \
+	-rdynamic
 
-AM_CFLAGS = -rdynamic
 @MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-tnc-ifmap.la
 @MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-tnc-ifmap.la
 libstrongswan_tnc_ifmap_la_LIBADD = \
@@ -423,7 +448,7 @@ clean-pluginLTLIBRARIES:
 	  rm -f "$${dir}/so_locations"; \
 	done
 libstrongswan-tnc-ifmap.la: $(libstrongswan_tnc_ifmap_la_OBJECTS) $(libstrongswan_tnc_ifmap_la_DEPENDENCIES) $(EXTRA_libstrongswan_tnc_ifmap_la_DEPENDENCIES) 
-	$(libstrongswan_tnc_ifmap_la_LINK) $(am_libstrongswan_tnc_ifmap_la_rpath) $(libstrongswan_tnc_ifmap_la_OBJECTS) $(libstrongswan_tnc_ifmap_la_LIBADD) $(LIBS)
+	$(AM_V_CCLD)$(libstrongswan_tnc_ifmap_la_LINK) $(am_libstrongswan_tnc_ifmap_la_rpath) $(libstrongswan_tnc_ifmap_la_OBJECTS) $(libstrongswan_tnc_ifmap_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -439,25 +464,25 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tnc_ifmap_soap_msg.Plo@am__quote@
 
 .c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
 mostlyclean-libtool:
 	-rm -f *.lo
diff --git a/src/libcharon/plugins/tnc_ifmap/tnc_ifmap_http.c b/src/libcharon/plugins/tnc_ifmap/tnc_ifmap_http.c
index 9105b7b4d..001a3fbee 100644
--- a/src/libcharon/plugins/tnc_ifmap/tnc_ifmap_http.c
+++ b/src/libcharon/plugins/tnc_ifmap/tnc_ifmap_http.c
@@ -75,7 +75,7 @@ METHOD(tnc_ifmap_http_t, build, status_t,
 	if (this->user_pass.len)
 	{
 		snprintf(auth, sizeof(auth), "Authorization: Basic %.*s\r\n",
-				 this->user_pass.len, this->user_pass.ptr);
+				(int)this->user_pass.len, this->user_pass.ptr);
 	}
 	else
 	{
@@ -90,7 +90,8 @@ METHOD(tnc_ifmap_http_t, build, status_t,
 			"Content-Type: application/soap+xml;charset=utf-8\r\n"
 			"Content-Length: %d\r\n"
 			"\r\n"
-			"%.*s", path, (path-host), host, auth, in->len, in->len, in->ptr);
+			"%.*s", path, (int)(path-host), host, auth, (int)in->len,
+			(int)in->len, in->ptr);
 	free(host);
 
 	if (len == -1)
@@ -120,7 +121,7 @@ static bool process_header(chunk_t *in, bool *chunked, u_int *content_len)
 	{
 		DBG1(DBG_TNC, "http response returns error code %d", code);
 		return FALSE;
-	}	
+	}
 
 	*content_len = 0;
 	*chunked = FALSE;
@@ -196,12 +197,12 @@ METHOD(tnc_ifmap_http_t, process, status_t,
 		{
 			out_chunk = *in;
 			out_chunk.len = len;
-			*out = chunk_cat("mc", *out, out_chunk); 
+			*out = chunk_cat("mc", *out, out_chunk);
 			*in = chunk_skip(*in, len);
 			if (!fetchline(in, &line) || line.len > 0)
 			{
 				return FAILED;
-			}		
+			}
 		}
 		else
 		{
diff --git a/src/libcharon/plugins/tnc_imc/Makefile.am b/src/libcharon/plugins/tnc_imc/Makefile.am
index eba280690..6e2b83fa0 100644
--- a/src/libcharon/plugins/tnc_imc/Makefile.am
+++ b/src/libcharon/plugins/tnc_imc/Makefile.am
@@ -1,5 +1,4 @@
-
-INCLUDES = \
+AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
 	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon \
@@ -7,7 +6,8 @@ INCLUDES = \
 	-I$(top_srcdir)/src/libtnccs \
 	-I$(top_srcdir)/src/libtls
 
-AM_CFLAGS = -rdynamic
+AM_CFLAGS = \
+	-rdynamic
 
 if MONOLITHIC
 noinst_LTLIBRARIES = libstrongswan-tnc-imc.la
@@ -23,4 +23,3 @@ libstrongswan_tnc_imc_la_SOURCES = \
 	tnc_imc_manager.h tnc_imc_manager.c tnc_imc_bind_function.c
 
 libstrongswan_tnc_imc_la_LDFLAGS = -module -avoid-version
-
diff --git a/src/libcharon/plugins/tnc_imc/Makefile.in b/src/libcharon/plugins/tnc_imc/Makefile.in
index 7fb2e563c..538af847a 100644
--- a/src/libcharon/plugins/tnc_imc/Makefile.in
+++ b/src/libcharon/plugins/tnc_imc/Makefile.in
@@ -62,7 +62,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
@@ -105,9 +105,13 @@ am_libstrongswan_tnc_imc_la_OBJECTS = tnc_imc_plugin.lo tnc_imc.lo \
 	tnc_imc_manager.lo tnc_imc_bind_function.lo
 libstrongswan_tnc_imc_la_OBJECTS =  \
 	$(am_libstrongswan_tnc_imc_la_OBJECTS)
-libstrongswan_tnc_imc_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
-	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
-	$(libstrongswan_tnc_imc_la_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+libstrongswan_tnc_imc_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
+	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
+	$(AM_CFLAGS) $(CFLAGS) $(libstrongswan_tnc_imc_la_LDFLAGS) \
+	$(LDFLAGS) -o $@
 @MONOLITHIC_FALSE@am_libstrongswan_tnc_imc_la_rpath = -rpath \
 @MONOLITHIC_FALSE@	$(plugindir)
 @MONOLITHIC_TRUE@am_libstrongswan_tnc_imc_la_rpath =
@@ -117,13 +121,26 @@ am__depfiles_maybe = depfiles
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
 SOURCES = $(libstrongswan_tnc_imc_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_tnc_imc_la_SOURCES)
 am__can_run_installinfo = \
@@ -137,6 +154,7 @@ DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
@@ -149,6 +167,8 @@ CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
 CHECK_CFLAGS = @CHECK_CFLAGS@
 CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -164,6 +184,7 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
 GPRBUILD = @GPRBUILD@
 GREP = @GREP@
@@ -172,6 +193,7 @@ INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -218,6 +240,7 @@ SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -246,6 +269,7 @@ charon_natt_port = @charon_natt_port@
 charon_plugins = @charon_plugins@
 charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
@@ -323,7 +347,7 @@ top_srcdir = @top_srcdir@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-INCLUDES = \
+AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
 	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon \
@@ -331,7 +355,9 @@ INCLUDES = \
 	-I$(top_srcdir)/src/libtnccs \
 	-I$(top_srcdir)/src/libtls
 
-AM_CFLAGS = -rdynamic
+AM_CFLAGS = \
+	-rdynamic
+
 @MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-tnc-imc.la
 @MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-tnc-imc.la
 @MONOLITHIC_FALSE@libstrongswan_tnc_imc_la_LIBADD = \
@@ -419,7 +445,7 @@ clean-pluginLTLIBRARIES:
 	  rm -f "$${dir}/so_locations"; \
 	done
 libstrongswan-tnc-imc.la: $(libstrongswan_tnc_imc_la_OBJECTS) $(libstrongswan_tnc_imc_la_DEPENDENCIES) $(EXTRA_libstrongswan_tnc_imc_la_DEPENDENCIES) 
-	$(libstrongswan_tnc_imc_la_LINK) $(am_libstrongswan_tnc_imc_la_rpath) $(libstrongswan_tnc_imc_la_OBJECTS) $(libstrongswan_tnc_imc_la_LIBADD) $(LIBS)
+	$(AM_V_CCLD)$(libstrongswan_tnc_imc_la_LINK) $(am_libstrongswan_tnc_imc_la_rpath) $(libstrongswan_tnc_imc_la_OBJECTS) $(libstrongswan_tnc_imc_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -433,25 +459,25 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tnc_imc_plugin.Plo@am__quote@
 
 .c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
 mostlyclean-libtool:
 	-rm -f *.lo
diff --git a/src/libcharon/plugins/tnc_imv/Makefile.am b/src/libcharon/plugins/tnc_imv/Makefile.am
index 90b3507ce..49efe3be4 100644
--- a/src/libcharon/plugins/tnc_imv/Makefile.am
+++ b/src/libcharon/plugins/tnc_imv/Makefile.am
@@ -1,5 +1,4 @@
-
-INCLUDES = \
+AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
 	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon \
@@ -7,7 +6,8 @@ INCLUDES = \
 	-I$(top_srcdir)/src/libtnccs \
 	-I$(top_srcdir)/src/libtls
 
-AM_CFLAGS = -rdynamic
+AM_CFLAGS = \
+	-rdynamic
 
 if MONOLITHIC
 noinst_LTLIBRARIES = libstrongswan-tnc-imv.la
@@ -24,4 +24,3 @@ libstrongswan_tnc_imv_la_SOURCES = \
 	tnc_imv_recommendations.h tnc_imv_recommendations.c
 
 libstrongswan_tnc_imv_la_LDFLAGS = -module -avoid-version
-
diff --git a/src/libcharon/plugins/tnc_imv/Makefile.in b/src/libcharon/plugins/tnc_imv/Makefile.in
index 8b175a993..118dd6d2d 100644
--- a/src/libcharon/plugins/tnc_imv/Makefile.in
+++ b/src/libcharon/plugins/tnc_imv/Makefile.in
@@ -62,7 +62,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
@@ -106,9 +106,13 @@ am_libstrongswan_tnc_imv_la_OBJECTS = tnc_imv_plugin.lo tnc_imv.lo \
 	tnc_imv_recommendations.lo
 libstrongswan_tnc_imv_la_OBJECTS =  \
 	$(am_libstrongswan_tnc_imv_la_OBJECTS)
-libstrongswan_tnc_imv_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
-	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
-	$(libstrongswan_tnc_imv_la_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+libstrongswan_tnc_imv_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
+	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
+	$(AM_CFLAGS) $(CFLAGS) $(libstrongswan_tnc_imv_la_LDFLAGS) \
+	$(LDFLAGS) -o $@
 @MONOLITHIC_FALSE@am_libstrongswan_tnc_imv_la_rpath = -rpath \
 @MONOLITHIC_FALSE@	$(plugindir)
 @MONOLITHIC_TRUE@am_libstrongswan_tnc_imv_la_rpath =
@@ -118,13 +122,26 @@ am__depfiles_maybe = depfiles
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
 SOURCES = $(libstrongswan_tnc_imv_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_tnc_imv_la_SOURCES)
 am__can_run_installinfo = \
@@ -138,6 +155,7 @@ DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
@@ -150,6 +168,8 @@ CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
 CHECK_CFLAGS = @CHECK_CFLAGS@
 CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -165,6 +185,7 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
 GPRBUILD = @GPRBUILD@
 GREP = @GREP@
@@ -173,6 +194,7 @@ INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -219,6 +241,7 @@ SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -247,6 +270,7 @@ charon_natt_port = @charon_natt_port@
 charon_plugins = @charon_plugins@
 charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
@@ -324,7 +348,7 @@ top_srcdir = @top_srcdir@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-INCLUDES = \
+AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
 	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon \
@@ -332,7 +356,9 @@ INCLUDES = \
 	-I$(top_srcdir)/src/libtnccs \
 	-I$(top_srcdir)/src/libtls
 
-AM_CFLAGS = -rdynamic
+AM_CFLAGS = \
+	-rdynamic
+
 @MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-tnc-imv.la
 @MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-tnc-imv.la
 @MONOLITHIC_FALSE@libstrongswan_tnc_imv_la_LIBADD = \
@@ -421,7 +447,7 @@ clean-pluginLTLIBRARIES:
 	  rm -f "$${dir}/so_locations"; \
 	done
 libstrongswan-tnc-imv.la: $(libstrongswan_tnc_imv_la_OBJECTS) $(libstrongswan_tnc_imv_la_DEPENDENCIES) $(EXTRA_libstrongswan_tnc_imv_la_DEPENDENCIES) 
-	$(libstrongswan_tnc_imv_la_LINK) $(am_libstrongswan_tnc_imv_la_rpath) $(libstrongswan_tnc_imv_la_OBJECTS) $(libstrongswan_tnc_imv_la_LIBADD) $(LIBS)
+	$(AM_V_CCLD)$(libstrongswan_tnc_imv_la_LINK) $(am_libstrongswan_tnc_imv_la_rpath) $(libstrongswan_tnc_imv_la_OBJECTS) $(libstrongswan_tnc_imv_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -436,25 +462,25 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tnc_imv_recommendations.Plo@am__quote@
 
 .c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
 mostlyclean-libtool:
 	-rm -f *.lo
diff --git a/src/libcharon/plugins/tnc_imv/tnc_imv_plugin.c b/src/libcharon/plugins/tnc_imv/tnc_imv_plugin.c
index 612c98add..d06c2fcaf 100644
--- a/src/libcharon/plugins/tnc_imv/tnc_imv_plugin.c
+++ b/src/libcharon/plugins/tnc_imv/tnc_imv_plugin.c
@@ -49,6 +49,7 @@ METHOD(plugin_t, get_features, int,
 				PLUGIN_DEPENDS(CUSTOM, "tnccs-manager"),
 				PLUGIN_SDEPEND(CERT_DECODE, CERT_X509),
 				PLUGIN_SDEPEND(CERT_DECODE, CERT_TRUSTED_PUBKEY),
+				PLUGIN_SDEPEND(DATABASE, DB_ANY),
 	};
 	*features = f;
 	return countof(f);
diff --git a/src/libcharon/plugins/tnc_imv/tnc_imv_recommendations.c b/src/libcharon/plugins/tnc_imv/tnc_imv_recommendations.c
index b39d9cbc9..a9dbb2b9f 100644
--- a/src/libcharon/plugins/tnc_imv/tnc_imv_recommendations.c
+++ b/src/libcharon/plugins/tnc_imv/tnc_imv_recommendations.c
@@ -15,6 +15,7 @@
 
 #include <tncifimv.h>
 #include <tncif_names.h>
+#include <tncif_policy.h>
 
 #include <tnc/tnc.h>
 #include <tnc/imv/imv.h>
@@ -157,53 +158,10 @@ METHOD(recommendations_t, have_recommendation, bool,
 		switch (policy)
 		{
 			case RECOMMENDATION_POLICY_DEFAULT:
-				switch (entry->rec)
-				{
-					case TNC_IMV_ACTION_RECOMMENDATION_NO_ACCESS:
-						final_rec = entry->rec;
-						break;
-					case TNC_IMV_ACTION_RECOMMENDATION_ISOLATE:
-						if (final_rec != TNC_IMV_ACTION_RECOMMENDATION_NO_ACCESS)
-						{
-							final_rec = entry->rec;
-						};
-						break;
-					case TNC_IMV_ACTION_RECOMMENDATION_ALLOW:
-						if (final_rec == TNC_IMV_ACTION_RECOMMENDATION_NO_RECOMMENDATION)
-						{
-							final_rec = entry->rec;
-						};
-						break;
-					case TNC_IMV_ACTION_RECOMMENDATION_NO_RECOMMENDATION:
-						break;
-				}
-				switch (entry->eval)
-				{
-					case TNC_IMV_EVALUATION_RESULT_ERROR:
-						final_eval = entry->eval;
-						break;
-					case TNC_IMV_EVALUATION_RESULT_NONCOMPLIANT_MAJOR:
-						if (final_eval != TNC_IMV_EVALUATION_RESULT_ERROR)
-						{
-							final_eval = entry->eval;
-						}
-						break;
-					case TNC_IMV_EVALUATION_RESULT_NONCOMPLIANT_MINOR:
-						if (final_eval != TNC_IMV_EVALUATION_RESULT_ERROR &&
-							final_eval != TNC_IMV_EVALUATION_RESULT_NONCOMPLIANT_MAJOR)
-						{
-							final_eval = entry->eval;
-						}
-						break;
-					case TNC_IMV_EVALUATION_RESULT_COMPLIANT:
-						if (final_eval == TNC_IMV_EVALUATION_RESULT_DONT_KNOW)
-						{
-							final_eval = entry->eval;
-						}
-						break;
-					case TNC_IMV_EVALUATION_RESULT_DONT_KNOW:
-						break;
-				}
+				final_rec = tncif_policy_update_recommendation(final_rec,
+															   entry->rec);
+				final_eval = tncif_policy_update_evaluation(final_eval,
+															entry->eval);
 				break;
 
 			case RECOMMENDATION_POLICY_ALL:
diff --git a/src/libcharon/plugins/tnc_pdp/Makefile.am b/src/libcharon/plugins/tnc_pdp/Makefile.am
index 2d4c4d55a..ce0ddce06 100644
--- a/src/libcharon/plugins/tnc_pdp/Makefile.am
+++ b/src/libcharon/plugins/tnc_pdp/Makefile.am
@@ -1,11 +1,11 @@
-
-INCLUDES = \
+AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
 	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon \
 	-I$(top_srcdir)/src/libradius
 
-AM_CFLAGS = -rdynamic
+AM_CFLAGS = \
+	-rdynamic
 
 if MONOLITHIC
 noinst_LTLIBRARIES = libstrongswan-tnc-pdp.la
@@ -19,6 +19,6 @@ endif
 
 libstrongswan_tnc_pdp_la_SOURCES = \
 	tnc_pdp_plugin.h tnc_pdp_plugin.c \
-	tnc_pdp.h tnc_pdp.c tnc_pdp_connections.h tnc_pdp_connections.c 
+	tnc_pdp.h tnc_pdp.c tnc_pdp_connections.h tnc_pdp_connections.c
 
 libstrongswan_tnc_pdp_la_LDFLAGS = -module -avoid-version
diff --git a/src/libcharon/plugins/tnc_pdp/Makefile.in b/src/libcharon/plugins/tnc_pdp/Makefile.in
index 87e6ed928..76607081a 100644
--- a/src/libcharon/plugins/tnc_pdp/Makefile.in
+++ b/src/libcharon/plugins/tnc_pdp/Makefile.in
@@ -62,7 +62,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
@@ -106,9 +106,13 @@ am_libstrongswan_tnc_pdp_la_OBJECTS = tnc_pdp_plugin.lo tnc_pdp.lo \
 	tnc_pdp_connections.lo
 libstrongswan_tnc_pdp_la_OBJECTS =  \
 	$(am_libstrongswan_tnc_pdp_la_OBJECTS)
-libstrongswan_tnc_pdp_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
-	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
-	$(libstrongswan_tnc_pdp_la_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+libstrongswan_tnc_pdp_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
+	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
+	$(AM_CFLAGS) $(CFLAGS) $(libstrongswan_tnc_pdp_la_LDFLAGS) \
+	$(LDFLAGS) -o $@
 @MONOLITHIC_FALSE@am_libstrongswan_tnc_pdp_la_rpath = -rpath \
 @MONOLITHIC_FALSE@	$(plugindir)
 @MONOLITHIC_TRUE@am_libstrongswan_tnc_pdp_la_rpath =
@@ -118,13 +122,26 @@ am__depfiles_maybe = depfiles
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
 SOURCES = $(libstrongswan_tnc_pdp_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_tnc_pdp_la_SOURCES)
 am__can_run_installinfo = \
@@ -138,6 +155,7 @@ DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
@@ -150,6 +168,8 @@ CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
 CHECK_CFLAGS = @CHECK_CFLAGS@
 CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -165,6 +185,7 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
 GPRBUILD = @GPRBUILD@
 GREP = @GREP@
@@ -173,6 +194,7 @@ INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -219,6 +241,7 @@ SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -247,6 +270,7 @@ charon_natt_port = @charon_natt_port@
 charon_plugins = @charon_plugins@
 charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
@@ -324,13 +348,15 @@ top_srcdir = @top_srcdir@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-INCLUDES = \
+AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
 	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon \
 	-I$(top_srcdir)/src/libradius
 
-AM_CFLAGS = -rdynamic
+AM_CFLAGS = \
+	-rdynamic
+
 @MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-tnc-pdp.la
 @MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-tnc-pdp.la
 @MONOLITHIC_FALSE@libstrongswan_tnc_pdp_la_LIBADD = \
@@ -340,7 +366,7 @@ AM_CFLAGS = -rdynamic
 
 libstrongswan_tnc_pdp_la_SOURCES = \
 	tnc_pdp_plugin.h tnc_pdp_plugin.c \
-	tnc_pdp.h tnc_pdp.c tnc_pdp_connections.h tnc_pdp_connections.c 
+	tnc_pdp.h tnc_pdp.c tnc_pdp_connections.h tnc_pdp_connections.c
 
 libstrongswan_tnc_pdp_la_LDFLAGS = -module -avoid-version
 all: all-am
@@ -419,7 +445,7 @@ clean-pluginLTLIBRARIES:
 	  rm -f "$${dir}/so_locations"; \
 	done
 libstrongswan-tnc-pdp.la: $(libstrongswan_tnc_pdp_la_OBJECTS) $(libstrongswan_tnc_pdp_la_DEPENDENCIES) $(EXTRA_libstrongswan_tnc_pdp_la_DEPENDENCIES) 
-	$(libstrongswan_tnc_pdp_la_LINK) $(am_libstrongswan_tnc_pdp_la_rpath) $(libstrongswan_tnc_pdp_la_OBJECTS) $(libstrongswan_tnc_pdp_la_LIBADD) $(LIBS)
+	$(AM_V_CCLD)$(libstrongswan_tnc_pdp_la_LINK) $(am_libstrongswan_tnc_pdp_la_rpath) $(libstrongswan_tnc_pdp_la_OBJECTS) $(libstrongswan_tnc_pdp_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -432,25 +458,25 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tnc_pdp_plugin.Plo@am__quote@
 
 .c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
 mostlyclean-libtool:
 	-rm -f *.lo
diff --git a/src/libcharon/plugins/tnc_pdp/tnc_pdp.c b/src/libcharon/plugins/tnc_pdp/tnc_pdp.c
index 422c28bc9..a30d89535 100644
--- a/src/libcharon/plugins/tnc_pdp/tnc_pdp.c
+++ b/src/libcharon/plugins/tnc_pdp/tnc_pdp.c
@@ -450,102 +450,61 @@ end:
 /**
  * Process packets received on the RADIUS socket
  */
-static job_requeue_t receive(private_tnc_pdp_t *this)
+static bool receive(private_tnc_pdp_t *this, int fd, watcher_event_t event)
 {
-	while (TRUE)
+	radius_message_t *request;
+	char buffer[MAX_PACKET];
+	int bytes_read = 0;
+	host_t *source;
+	union {
+		struct sockaddr_in in4;
+		struct sockaddr_in6 in6;
+	} src;
+	struct iovec iov = {
+		.iov_base = buffer,
+		.iov_len = MAX_PACKET,
+	};
+	struct msghdr msg = {
+		.msg_name = &src,
+		.msg_namelen = sizeof(src),
+		.msg_iov = &iov,
+		.msg_iovlen = 1,
+	};
+
+	/* read received packet */
+	bytes_read = recvmsg(fd, &msg, 0);
+	if (bytes_read < 0)
 	{
-		radius_message_t *request;
-		char buffer[MAX_PACKET];
-		int max_fd = 0, selected = 0, bytes_read = 0;
-		fd_set rfds;
-		bool oldstate;
-		host_t *source;
-		struct msghdr msg;
-		struct iovec iov;
-		union {
-			struct sockaddr_in in4;
-			struct sockaddr_in6 in6;
-		} src;
-
-		FD_ZERO(&rfds);
-
-		if (this->ipv4)
-		{
-			FD_SET(this->ipv4, &rfds);
-		}
-		if (this->ipv6)
-		{
-			FD_SET(this->ipv6, &rfds);
-		}
-		max_fd = max(this->ipv4, this->ipv6);
-
-		DBG2(DBG_CFG, "waiting for data on RADIUS sockets");
-		oldstate = thread_cancelability(TRUE);
-		if (select(max_fd + 1, &rfds, NULL, NULL, NULL) <= 0)
-		{
-			thread_cancelability(oldstate);
-			continue;
-		}
-		thread_cancelability(oldstate);
-
-		if (FD_ISSET(this->ipv4, &rfds))
-		{
-			selected = this->ipv4;
-		}
-		else if (FD_ISSET(this->ipv6, &rfds))
-		{
-			selected = this->ipv6;
-		}
-		else
-		{
-			/* oops, shouldn't happen */
-			continue;
-		}
-
-		/* read received packet */
-		msg.msg_name = &src;
-		msg.msg_namelen = sizeof(src);
-		iov.iov_base = buffer;
-		iov.iov_len = MAX_PACKET;
-		msg.msg_iov = &iov;
-		msg.msg_iovlen = 1;
-		msg.msg_flags = 0;
-
-		bytes_read = recvmsg(selected, &msg, 0);
-		if (bytes_read < 0)
-		{
-			DBG1(DBG_CFG, "error reading RADIUS socket: %s", strerror(errno));
-			continue;
-		}
-		if (msg.msg_flags & MSG_TRUNC)
-		{
-			DBG1(DBG_CFG, "receive buffer too small, RADIUS packet discarded");
-			continue;
-		}
-		source = host_create_from_sockaddr((sockaddr_t*)&src);
-		DBG2(DBG_CFG, "received RADIUS packet from %#H", source);
-		DBG3(DBG_CFG, "%b", buffer, bytes_read);
-		request = radius_message_parse(chunk_create(buffer, bytes_read));
-		if (request)
-		{
-			DBG1(DBG_CFG, "received RADIUS %N from client '%H'",
-				 radius_message_code_names, request->get_code(request), source);
-
-			if (request->verify(request, NULL, this->secret, this->hasher,
-											   this->signer))
-			{
-				process_eap(this, request, source);
-			}
-			request->destroy(request);
+		DBG1(DBG_CFG, "error reading RADIUS socket: %s", strerror(errno));
+		return FALSE;
+	}
+	if (msg.msg_flags & MSG_TRUNC)
+	{
+		DBG1(DBG_CFG, "receive buffer too small, RADIUS packet discarded");
+		return FALSE;
+	}
+	source = host_create_from_sockaddr((sockaddr_t*)&src);
+	DBG2(DBG_CFG, "received RADIUS packet from %#H", source);
+	DBG3(DBG_CFG, "%b", buffer, bytes_read);
+	request = radius_message_parse(chunk_create(buffer, bytes_read));
+	if (request)
+	{
+		DBG1(DBG_CFG, "received RADIUS %N from client '%H'",
+		radius_message_code_names, request->get_code(request), source);
 
-		}
-		else
+		if (request->verify(request, NULL, this->secret, this->hasher,
+										   this->signer))
 		{
-			DBG1(DBG_CFG, "received invalid RADIUS message, ignored");
+			process_eap(this, request, source);
 		}
-		source->destroy(source);
+		request->destroy(request);
 	}
-	return JOB_REQUEUE_FAIR;
+	else
+	{
+		DBG1(DBG_CFG, "received invalid RADIUS message, ignored");
+	}
+	source->destroy(source);
+	return TRUE;
 }
 
 METHOD(tnc_pdp_t, destroy, void,
@@ -553,10 +512,12 @@ METHOD(tnc_pdp_t, destroy, void,
 {
 	if (this->ipv4)
 	{
+		lib->watcher->remove(lib->watcher, this->ipv4);
 		close(this->ipv4);
 	}
 	if (this->ipv6)
 	{
+		lib->watcher->remove(lib->watcher, this->ipv6);
 		close(this->ipv6);
 	}
 	DESTROY_IF(this->server);
@@ -599,11 +560,21 @@ tnc_pdp_t *tnc_pdp_create(u_int16_t port)
 		destroy(this);
 		return NULL;
 	}
-	if (!this->ipv4)
+	if (this->ipv4)
+	{
+		lib->watcher->add(lib->watcher, this->ipv4, WATCHER_READ,
+						 (watcher_cb_t)receive, this);
+	}
+	else
 	{
 		DBG1(DBG_NET, "could not open IPv4 RADIUS socket, IPv4 disabled");
 	}
-	if (!this->ipv6)
+	if (this->ipv6)
+	{
+		lib->watcher->add(lib->watcher, this->ipv6, WATCHER_READ,
+						 (watcher_cb_t)receive, this);
+	}
+	else
 	{
 		DBG1(DBG_NET, "could not open IPv6 RADIUS socket, IPv6 disabled");
 	}
@@ -645,9 +616,5 @@ tnc_pdp_t *tnc_pdp_create(u_int16_t port)
 	}
 	DBG1(DBG_IKE, "eap method %N selected", eap_type_names, this->type);
 
-	lib->processor->queue_job(lib->processor,
-		(job_t*)callback_job_create_with_prio((callback_job_cb_t)receive, this,
-				NULL, (callback_job_cancel_t)return_false, JOB_PRIO_CRITICAL));
-
 	return &this->public;
 }
diff --git a/src/libcharon/plugins/tnc_pdp/tnc_pdp_plugin.c b/src/libcharon/plugins/tnc_pdp/tnc_pdp_plugin.c
index 295c7a5d6..e35ba9ead 100644
--- a/src/libcharon/plugins/tnc_pdp/tnc_pdp_plugin.c
+++ b/src/libcharon/plugins/tnc_pdp/tnc_pdp_plugin.c
@@ -48,12 +48,37 @@ METHOD(plugin_t, get_name, char*,
 	return "tnc-pdp";
 }
 
+/**
+ * Register listener
+ */
+static bool plugin_cb(private_tnc_pdp_plugin_t *this,
+					  plugin_feature_t *feature, bool reg, void *cb_data)
+{
+	if (reg)
+	{
+		int port;
+
+		port = lib->settings->get_int(lib->settings,
+						"%s.plugins.tnc-pdp.port", RADIUS_PORT, charon->name);
+		this->pdp = tnc_pdp_create(port);
+	}
+	else
+	{
+		DESTROY_IF(this->pdp);
+	}
+	return TRUE;
+}
+
 METHOD(plugin_t, get_features, int,
 	private_tnc_pdp_plugin_t *this, plugin_feature_t *features[])
 {
 	static plugin_feature_t f[] = {
+		PLUGIN_CALLBACK((plugin_feature_callback_t)plugin_cb, NULL),
 			PLUGIN_PROVIDE(CUSTOM, "tnc-pdp"),
 				PLUGIN_DEPENDS(CUSTOM, "imv-manager"),
+				PLUGIN_DEPENDS(HASHER, HASH_MD5),
+				PLUGIN_DEPENDS(SIGNER, AUTH_HMAC_MD5_128),
+				PLUGIN_DEPENDS(NONCE_GEN),
 	};
 	*features = f;
 	return countof(f);
@@ -62,7 +87,6 @@ METHOD(plugin_t, get_features, int,
 METHOD(plugin_t, destroy, void,
 	private_tnc_pdp_plugin_t *this)
 {
-	DESTROY_IF(this->pdp);
 	free(this);
 }
 
@@ -72,10 +96,6 @@ METHOD(plugin_t, destroy, void,
 plugin_t *tnc_pdp_plugin_create()
 {
 	private_tnc_pdp_plugin_t *this;
-	int port;
-
-	port = lib->settings->get_int(lib->settings,
-						"%s.plugins.tnc_pdp.port", RADIUS_PORT, charon->name);
 
 	INIT(this,
 		.public = {
@@ -85,7 +105,6 @@ plugin_t *tnc_pdp_plugin_create()
 				.destroy = _destroy,
 			},
 		},
-		.pdp = tnc_pdp_create(port),
 	);
 
 	return &this->public.plugin;
diff --git a/src/libcharon/plugins/tnc_tnccs/Makefile.am b/src/libcharon/plugins/tnc_tnccs/Makefile.am
index 9ee9e86ad..f16bf8e1b 100644
--- a/src/libcharon/plugins/tnc_tnccs/Makefile.am
+++ b/src/libcharon/plugins/tnc_tnccs/Makefile.am
@@ -1,11 +1,11 @@
-
-INCLUDES = \
+AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
 	-I$(top_srcdir)/src/libtls \
 	-I$(top_srcdir)/src/libtncif \
 	-I$(top_srcdir)/src/libtnccs
 
-AM_CFLAGS = -rdynamic
+AM_CFLAGS = \
+	-rdynamic
 
 if MONOLITHIC
 noinst_LTLIBRARIES = libstrongswan-tnc-tnccs.la
diff --git a/src/libcharon/plugins/tnc_tnccs/Makefile.in b/src/libcharon/plugins/tnc_tnccs/Makefile.in
index 4179dcaae..eea0044a0 100644
--- a/src/libcharon/plugins/tnc_tnccs/Makefile.in
+++ b/src/libcharon/plugins/tnc_tnccs/Makefile.in
@@ -62,7 +62,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
@@ -105,7 +105,10 @@ am_libstrongswan_tnc_tnccs_la_OBJECTS = tnc_tnccs_plugin.lo \
 	tnc_tnccs_manager.lo
 libstrongswan_tnc_tnccs_la_OBJECTS =  \
 	$(am_libstrongswan_tnc_tnccs_la_OBJECTS)
-libstrongswan_tnc_tnccs_la_LINK = $(LIBTOOL) --tag=CC \
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+libstrongswan_tnc_tnccs_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
 	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
 	$(AM_CFLAGS) $(CFLAGS) $(libstrongswan_tnc_tnccs_la_LDFLAGS) \
 	$(LDFLAGS) -o $@
@@ -118,13 +121,26 @@ am__depfiles_maybe = depfiles
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
 SOURCES = $(libstrongswan_tnc_tnccs_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_tnc_tnccs_la_SOURCES)
 am__can_run_installinfo = \
@@ -138,6 +154,7 @@ DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
@@ -150,6 +167,8 @@ CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
 CHECK_CFLAGS = @CHECK_CFLAGS@
 CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -165,6 +184,7 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
 GPRBUILD = @GPRBUILD@
 GREP = @GREP@
@@ -173,6 +193,7 @@ INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -219,6 +240,7 @@ SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -247,6 +269,7 @@ charon_natt_port = @charon_natt_port@
 charon_plugins = @charon_plugins@
 charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
@@ -324,13 +347,15 @@ top_srcdir = @top_srcdir@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-INCLUDES = \
+AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
 	-I$(top_srcdir)/src/libtls \
 	-I$(top_srcdir)/src/libtncif \
 	-I$(top_srcdir)/src/libtnccs
 
-AM_CFLAGS = -rdynamic
+AM_CFLAGS = \
+	-rdynamic
+
 @MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-tnc-tnccs.la
 @MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-tnc-tnccs.la
 @MONOLITHIC_FALSE@libstrongswan_tnc_tnccs_la_LIBADD = \
@@ -418,7 +443,7 @@ clean-pluginLTLIBRARIES:
 	  rm -f "$${dir}/so_locations"; \
 	done
 libstrongswan-tnc-tnccs.la: $(libstrongswan_tnc_tnccs_la_OBJECTS) $(libstrongswan_tnc_tnccs_la_DEPENDENCIES) $(EXTRA_libstrongswan_tnc_tnccs_la_DEPENDENCIES) 
-	$(libstrongswan_tnc_tnccs_la_LINK) $(am_libstrongswan_tnc_tnccs_la_rpath) $(libstrongswan_tnc_tnccs_la_OBJECTS) $(libstrongswan_tnc_tnccs_la_LIBADD) $(LIBS)
+	$(AM_V_CCLD)$(libstrongswan_tnc_tnccs_la_LINK) $(am_libstrongswan_tnc_tnccs_la_rpath) $(libstrongswan_tnc_tnccs_la_OBJECTS) $(libstrongswan_tnc_tnccs_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -430,25 +455,25 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tnc_tnccs_plugin.Plo@am__quote@
 
 .c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
 mostlyclean-libtool:
 	-rm -f *.lo
diff --git a/src/libcharon/plugins/tnc_tnccs/tnc_tnccs_manager.c b/src/libcharon/plugins/tnc_tnccs/tnc_tnccs_manager.c
index 8db3731b2..60f6bc3c1 100644
--- a/src/libcharon/plugins/tnc_tnccs/tnc_tnccs_manager.c
+++ b/src/libcharon/plugins/tnc_tnccs/tnc_tnccs_manager.c
@@ -744,11 +744,11 @@ METHOD(tnccs_manager_t, get_attribute, TNC_Result,
 						subject_type = TNC_SUBJECT_USER;
 						break;
 					case ID_RFC822_ADDR:
-						id_type = TNC_ID_RFC822_ADDR;
+						id_type = TNC_ID_EMAIL_ADDR;
 						subject_type = TNC_SUBJECT_USER;
 						break;
 					case ID_DER_ASN1_DN:
-						id_type = TNC_ID_ASN1_DN;
+						id_type = TNC_ID_X500_DN;
 						subject_type = TNC_SUBJECT_USER;
 						break;
 					default:
diff --git a/src/libcharon/plugins/tnccs_11/Makefile.am b/src/libcharon/plugins/tnccs_11/Makefile.am
index 1d29460f8..4c0e0f7c8 100644
--- a/src/libcharon/plugins/tnccs_11/Makefile.am
+++ b/src/libcharon/plugins/tnccs_11/Makefile.am
@@ -1,14 +1,14 @@
-
-INCLUDES = \
+AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
 	-I$(top_srcdir)/src/libcharon \
 	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libtls \
 	-I$(top_srcdir)/src/libtncif \
-	-I$(top_srcdir)/src/libtnccs \
-	${xml_CFLAGS}
+	-I$(top_srcdir)/src/libtnccs
 
-AM_CFLAGS = -rdynamic
+AM_CFLAGS = \
+	${xml_CFLAGS} \
+	-rdynamic
 
 libstrongswan_tnccs_11_la_LIBADD = ${xml_LIBS}
 
@@ -33,4 +33,3 @@ libstrongswan_tnccs_11_la_SOURCES = \
 	messages/tnccs_tncs_contact_info_msg.h messages/tnccs_tncs_contact_info_msg.c
 
 libstrongswan_tnccs_11_la_LDFLAGS = -module -avoid-version
-
diff --git a/src/libcharon/plugins/tnccs_11/Makefile.in b/src/libcharon/plugins/tnccs_11/Makefile.in
index 19538feb0..8d572b74a 100644
--- a/src/libcharon/plugins/tnccs_11/Makefile.in
+++ b/src/libcharon/plugins/tnccs_11/Makefile.in
@@ -66,7 +66,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
@@ -111,7 +111,10 @@ am_libstrongswan_tnccs_11_la_OBJECTS = tnccs_11_plugin.lo tnccs_11.lo \
 	tnccs_recommendation_msg.lo tnccs_tncs_contact_info_msg.lo
 libstrongswan_tnccs_11_la_OBJECTS =  \
 	$(am_libstrongswan_tnccs_11_la_OBJECTS)
-libstrongswan_tnccs_11_la_LINK = $(LIBTOOL) --tag=CC \
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+libstrongswan_tnccs_11_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
 	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
 	$(AM_CFLAGS) $(CFLAGS) $(libstrongswan_tnccs_11_la_LDFLAGS) \
 	$(LDFLAGS) -o $@
@@ -124,13 +127,26 @@ am__depfiles_maybe = depfiles
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
 SOURCES = $(libstrongswan_tnccs_11_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_tnccs_11_la_SOURCES)
 am__can_run_installinfo = \
@@ -144,6 +160,7 @@ DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
@@ -156,6 +173,8 @@ CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
 CHECK_CFLAGS = @CHECK_CFLAGS@
 CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -171,6 +190,7 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
 GPRBUILD = @GPRBUILD@
 GREP = @GREP@
@@ -179,6 +199,7 @@ INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -225,6 +246,7 @@ SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -253,6 +275,7 @@ charon_natt_port = @charon_natt_port@
 charon_plugins = @charon_plugins@
 charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
@@ -330,16 +353,18 @@ top_srcdir = @top_srcdir@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-INCLUDES = \
+AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
 	-I$(top_srcdir)/src/libcharon \
 	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libtls \
 	-I$(top_srcdir)/src/libtncif \
-	-I$(top_srcdir)/src/libtnccs \
-	${xml_CFLAGS}
+	-I$(top_srcdir)/src/libtnccs
+
+AM_CFLAGS = \
+	${xml_CFLAGS} \
+	-rdynamic
 
-AM_CFLAGS = -rdynamic
 libstrongswan_tnccs_11_la_LIBADD = ${xml_LIBS} $(am__append_1)
 @MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-tnccs-11.la
 @MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-tnccs-11.la
@@ -431,7 +456,7 @@ clean-pluginLTLIBRARIES:
 	  rm -f "$${dir}/so_locations"; \
 	done
 libstrongswan-tnccs-11.la: $(libstrongswan_tnccs_11_la_OBJECTS) $(libstrongswan_tnccs_11_la_DEPENDENCIES) $(EXTRA_libstrongswan_tnccs_11_la_DEPENDENCIES) 
-	$(libstrongswan_tnccs_11_la_LINK) $(am_libstrongswan_tnccs_11_la_rpath) $(libstrongswan_tnccs_11_la_OBJECTS) $(libstrongswan_tnccs_11_la_LIBADD) $(LIBS)
+	$(AM_V_CCLD)$(libstrongswan_tnccs_11_la_LINK) $(am_libstrongswan_tnccs_11_la_rpath) $(libstrongswan_tnccs_11_la_OBJECTS) $(libstrongswan_tnccs_11_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -451,81 +476,81 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tnccs_tncs_contact_info_msg.Plo@am__quote@
 
 .c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
 tnccs_batch.lo: batch/tnccs_batch.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT tnccs_batch.lo -MD -MP -MF $(DEPDIR)/tnccs_batch.Tpo -c -o tnccs_batch.lo `test -f 'batch/tnccs_batch.c' || echo '$(srcdir)/'`batch/tnccs_batch.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/tnccs_batch.Tpo $(DEPDIR)/tnccs_batch.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='batch/tnccs_batch.c' object='tnccs_batch.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT tnccs_batch.lo -MD -MP -MF $(DEPDIR)/tnccs_batch.Tpo -c -o tnccs_batch.lo `test -f 'batch/tnccs_batch.c' || echo '$(srcdir)/'`batch/tnccs_batch.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/tnccs_batch.Tpo $(DEPDIR)/tnccs_batch.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='batch/tnccs_batch.c' object='tnccs_batch.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o tnccs_batch.lo `test -f 'batch/tnccs_batch.c' || echo '$(srcdir)/'`batch/tnccs_batch.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o tnccs_batch.lo `test -f 'batch/tnccs_batch.c' || echo '$(srcdir)/'`batch/tnccs_batch.c
 
 tnccs_msg.lo: messages/tnccs_msg.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT tnccs_msg.lo -MD -MP -MF $(DEPDIR)/tnccs_msg.Tpo -c -o tnccs_msg.lo `test -f 'messages/tnccs_msg.c' || echo '$(srcdir)/'`messages/tnccs_msg.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/tnccs_msg.Tpo $(DEPDIR)/tnccs_msg.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='messages/tnccs_msg.c' object='tnccs_msg.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT tnccs_msg.lo -MD -MP -MF $(DEPDIR)/tnccs_msg.Tpo -c -o tnccs_msg.lo `test -f 'messages/tnccs_msg.c' || echo '$(srcdir)/'`messages/tnccs_msg.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/tnccs_msg.Tpo $(DEPDIR)/tnccs_msg.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='messages/tnccs_msg.c' object='tnccs_msg.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o tnccs_msg.lo `test -f 'messages/tnccs_msg.c' || echo '$(srcdir)/'`messages/tnccs_msg.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o tnccs_msg.lo `test -f 'messages/tnccs_msg.c' || echo '$(srcdir)/'`messages/tnccs_msg.c
 
 imc_imv_msg.lo: messages/imc_imv_msg.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT imc_imv_msg.lo -MD -MP -MF $(DEPDIR)/imc_imv_msg.Tpo -c -o imc_imv_msg.lo `test -f 'messages/imc_imv_msg.c' || echo '$(srcdir)/'`messages/imc_imv_msg.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/imc_imv_msg.Tpo $(DEPDIR)/imc_imv_msg.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='messages/imc_imv_msg.c' object='imc_imv_msg.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT imc_imv_msg.lo -MD -MP -MF $(DEPDIR)/imc_imv_msg.Tpo -c -o imc_imv_msg.lo `test -f 'messages/imc_imv_msg.c' || echo '$(srcdir)/'`messages/imc_imv_msg.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/imc_imv_msg.Tpo $(DEPDIR)/imc_imv_msg.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='messages/imc_imv_msg.c' object='imc_imv_msg.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o imc_imv_msg.lo `test -f 'messages/imc_imv_msg.c' || echo '$(srcdir)/'`messages/imc_imv_msg.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o imc_imv_msg.lo `test -f 'messages/imc_imv_msg.c' || echo '$(srcdir)/'`messages/imc_imv_msg.c
 
 tnccs_error_msg.lo: messages/tnccs_error_msg.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT tnccs_error_msg.lo -MD -MP -MF $(DEPDIR)/tnccs_error_msg.Tpo -c -o tnccs_error_msg.lo `test -f 'messages/tnccs_error_msg.c' || echo '$(srcdir)/'`messages/tnccs_error_msg.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/tnccs_error_msg.Tpo $(DEPDIR)/tnccs_error_msg.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='messages/tnccs_error_msg.c' object='tnccs_error_msg.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT tnccs_error_msg.lo -MD -MP -MF $(DEPDIR)/tnccs_error_msg.Tpo -c -o tnccs_error_msg.lo `test -f 'messages/tnccs_error_msg.c' || echo '$(srcdir)/'`messages/tnccs_error_msg.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/tnccs_error_msg.Tpo $(DEPDIR)/tnccs_error_msg.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='messages/tnccs_error_msg.c' object='tnccs_error_msg.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o tnccs_error_msg.lo `test -f 'messages/tnccs_error_msg.c' || echo '$(srcdir)/'`messages/tnccs_error_msg.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o tnccs_error_msg.lo `test -f 'messages/tnccs_error_msg.c' || echo '$(srcdir)/'`messages/tnccs_error_msg.c
 
 tnccs_preferred_language_msg.lo: messages/tnccs_preferred_language_msg.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT tnccs_preferred_language_msg.lo -MD -MP -MF $(DEPDIR)/tnccs_preferred_language_msg.Tpo -c -o tnccs_preferred_language_msg.lo `test -f 'messages/tnccs_preferred_language_msg.c' || echo '$(srcdir)/'`messages/tnccs_preferred_language_msg.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/tnccs_preferred_language_msg.Tpo $(DEPDIR)/tnccs_preferred_language_msg.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='messages/tnccs_preferred_language_msg.c' object='tnccs_preferred_language_msg.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT tnccs_preferred_language_msg.lo -MD -MP -MF $(DEPDIR)/tnccs_preferred_language_msg.Tpo -c -o tnccs_preferred_language_msg.lo `test -f 'messages/tnccs_preferred_language_msg.c' || echo '$(srcdir)/'`messages/tnccs_preferred_language_msg.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/tnccs_preferred_language_msg.Tpo $(DEPDIR)/tnccs_preferred_language_msg.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='messages/tnccs_preferred_language_msg.c' object='tnccs_preferred_language_msg.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o tnccs_preferred_language_msg.lo `test -f 'messages/tnccs_preferred_language_msg.c' || echo '$(srcdir)/'`messages/tnccs_preferred_language_msg.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o tnccs_preferred_language_msg.lo `test -f 'messages/tnccs_preferred_language_msg.c' || echo '$(srcdir)/'`messages/tnccs_preferred_language_msg.c
 
 tnccs_reason_strings_msg.lo: messages/tnccs_reason_strings_msg.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT tnccs_reason_strings_msg.lo -MD -MP -MF $(DEPDIR)/tnccs_reason_strings_msg.Tpo -c -o tnccs_reason_strings_msg.lo `test -f 'messages/tnccs_reason_strings_msg.c' || echo '$(srcdir)/'`messages/tnccs_reason_strings_msg.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/tnccs_reason_strings_msg.Tpo $(DEPDIR)/tnccs_reason_strings_msg.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='messages/tnccs_reason_strings_msg.c' object='tnccs_reason_strings_msg.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT tnccs_reason_strings_msg.lo -MD -MP -MF $(DEPDIR)/tnccs_reason_strings_msg.Tpo -c -o tnccs_reason_strings_msg.lo `test -f 'messages/tnccs_reason_strings_msg.c' || echo '$(srcdir)/'`messages/tnccs_reason_strings_msg.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/tnccs_reason_strings_msg.Tpo $(DEPDIR)/tnccs_reason_strings_msg.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='messages/tnccs_reason_strings_msg.c' object='tnccs_reason_strings_msg.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o tnccs_reason_strings_msg.lo `test -f 'messages/tnccs_reason_strings_msg.c' || echo '$(srcdir)/'`messages/tnccs_reason_strings_msg.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o tnccs_reason_strings_msg.lo `test -f 'messages/tnccs_reason_strings_msg.c' || echo '$(srcdir)/'`messages/tnccs_reason_strings_msg.c
 
 tnccs_recommendation_msg.lo: messages/tnccs_recommendation_msg.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT tnccs_recommendation_msg.lo -MD -MP -MF $(DEPDIR)/tnccs_recommendation_msg.Tpo -c -o tnccs_recommendation_msg.lo `test -f 'messages/tnccs_recommendation_msg.c' || echo '$(srcdir)/'`messages/tnccs_recommendation_msg.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/tnccs_recommendation_msg.Tpo $(DEPDIR)/tnccs_recommendation_msg.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='messages/tnccs_recommendation_msg.c' object='tnccs_recommendation_msg.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT tnccs_recommendation_msg.lo -MD -MP -MF $(DEPDIR)/tnccs_recommendation_msg.Tpo -c -o tnccs_recommendation_msg.lo `test -f 'messages/tnccs_recommendation_msg.c' || echo '$(srcdir)/'`messages/tnccs_recommendation_msg.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/tnccs_recommendation_msg.Tpo $(DEPDIR)/tnccs_recommendation_msg.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='messages/tnccs_recommendation_msg.c' object='tnccs_recommendation_msg.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o tnccs_recommendation_msg.lo `test -f 'messages/tnccs_recommendation_msg.c' || echo '$(srcdir)/'`messages/tnccs_recommendation_msg.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o tnccs_recommendation_msg.lo `test -f 'messages/tnccs_recommendation_msg.c' || echo '$(srcdir)/'`messages/tnccs_recommendation_msg.c
 
 tnccs_tncs_contact_info_msg.lo: messages/tnccs_tncs_contact_info_msg.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT tnccs_tncs_contact_info_msg.lo -MD -MP -MF $(DEPDIR)/tnccs_tncs_contact_info_msg.Tpo -c -o tnccs_tncs_contact_info_msg.lo `test -f 'messages/tnccs_tncs_contact_info_msg.c' || echo '$(srcdir)/'`messages/tnccs_tncs_contact_info_msg.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/tnccs_tncs_contact_info_msg.Tpo $(DEPDIR)/tnccs_tncs_contact_info_msg.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='messages/tnccs_tncs_contact_info_msg.c' object='tnccs_tncs_contact_info_msg.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT tnccs_tncs_contact_info_msg.lo -MD -MP -MF $(DEPDIR)/tnccs_tncs_contact_info_msg.Tpo -c -o tnccs_tncs_contact_info_msg.lo `test -f 'messages/tnccs_tncs_contact_info_msg.c' || echo '$(srcdir)/'`messages/tnccs_tncs_contact_info_msg.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/tnccs_tncs_contact_info_msg.Tpo $(DEPDIR)/tnccs_tncs_contact_info_msg.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='messages/tnccs_tncs_contact_info_msg.c' object='tnccs_tncs_contact_info_msg.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o tnccs_tncs_contact_info_msg.lo `test -f 'messages/tnccs_tncs_contact_info_msg.c' || echo '$(srcdir)/'`messages/tnccs_tncs_contact_info_msg.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o tnccs_tncs_contact_info_msg.lo `test -f 'messages/tnccs_tncs_contact_info_msg.c' || echo '$(srcdir)/'`messages/tnccs_tncs_contact_info_msg.c
 
 mostlyclean-libtool:
 	-rm -f *.lo
diff --git a/src/libcharon/plugins/tnccs_20/Makefile.am b/src/libcharon/plugins/tnccs_20/Makefile.am
index da924b412..7a2b6c9c2 100644
--- a/src/libcharon/plugins/tnccs_20/Makefile.am
+++ b/src/libcharon/plugins/tnccs_20/Makefile.am
@@ -1,5 +1,4 @@
-
-INCLUDES = \
+AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
 	-I$(top_srcdir)/src/libcharon \
 	-I$(top_srcdir)/src/libhydra \
@@ -7,7 +6,8 @@ INCLUDES = \
 	-I$(top_srcdir)/src/libtncif \
 	-I$(top_srcdir)/src/libtnccs
 
-AM_CFLAGS = -rdynamic
+AM_CFLAGS = \
+	-rdynamic
 
 if MONOLITHIC
 noinst_LTLIBRARIES = libstrongswan-tnccs-20.la
diff --git a/src/libcharon/plugins/tnccs_20/Makefile.in b/src/libcharon/plugins/tnccs_20/Makefile.in
index 3c9a34a2f..9bf68ea53 100644
--- a/src/libcharon/plugins/tnccs_20/Makefile.in
+++ b/src/libcharon/plugins/tnccs_20/Makefile.in
@@ -62,7 +62,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
@@ -109,7 +109,10 @@ am_libstrongswan_tnccs_20_la_OBJECTS = tnccs_20_plugin.lo tnccs_20.lo \
 	pb_remediation_parameters_msg.lo pb_tnc_state_machine.lo
 libstrongswan_tnccs_20_la_OBJECTS =  \
 	$(am_libstrongswan_tnccs_20_la_OBJECTS)
-libstrongswan_tnccs_20_la_LINK = $(LIBTOOL) --tag=CC \
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+libstrongswan_tnccs_20_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
 	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
 	$(AM_CFLAGS) $(CFLAGS) $(libstrongswan_tnccs_20_la_LDFLAGS) \
 	$(LDFLAGS) -o $@
@@ -122,13 +125,26 @@ am__depfiles_maybe = depfiles
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
 SOURCES = $(libstrongswan_tnccs_20_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_tnccs_20_la_SOURCES)
 am__can_run_installinfo = \
@@ -142,6 +158,7 @@ DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
@@ -154,6 +171,8 @@ CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
 CHECK_CFLAGS = @CHECK_CFLAGS@
 CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -169,6 +188,7 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
 GPRBUILD = @GPRBUILD@
 GREP = @GREP@
@@ -177,6 +197,7 @@ INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -223,6 +244,7 @@ SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -251,6 +273,7 @@ charon_natt_port = @charon_natt_port@
 charon_plugins = @charon_plugins@
 charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
@@ -328,7 +351,7 @@ top_srcdir = @top_srcdir@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-INCLUDES = \
+AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
 	-I$(top_srcdir)/src/libcharon \
 	-I$(top_srcdir)/src/libhydra \
@@ -336,7 +359,9 @@ INCLUDES = \
 	-I$(top_srcdir)/src/libtncif \
 	-I$(top_srcdir)/src/libtnccs
 
-AM_CFLAGS = -rdynamic
+AM_CFLAGS = \
+	-rdynamic
+
 @MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-tnccs-20.la
 @MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-tnccs-20.la
 @MONOLITHIC_FALSE@libstrongswan_tnccs_20_la_LIBADD = \
@@ -434,7 +459,7 @@ clean-pluginLTLIBRARIES:
 	  rm -f "$${dir}/so_locations"; \
 	done
 libstrongswan-tnccs-20.la: $(libstrongswan_tnccs_20_la_OBJECTS) $(libstrongswan_tnccs_20_la_DEPENDENCIES) $(EXTRA_libstrongswan_tnccs_20_la_DEPENDENCIES) 
-	$(libstrongswan_tnccs_20_la_LINK) $(am_libstrongswan_tnccs_20_la_rpath) $(libstrongswan_tnccs_20_la_OBJECTS) $(libstrongswan_tnccs_20_la_LIBADD) $(LIBS)
+	$(AM_V_CCLD)$(libstrongswan_tnccs_20_la_LINK) $(am_libstrongswan_tnccs_20_la_rpath) $(libstrongswan_tnccs_20_la_OBJECTS) $(libstrongswan_tnccs_20_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -457,102 +482,102 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tnccs_20_plugin.Plo@am__quote@
 
 .c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
 pb_tnc_batch.lo: batch/pb_tnc_batch.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT pb_tnc_batch.lo -MD -MP -MF $(DEPDIR)/pb_tnc_batch.Tpo -c -o pb_tnc_batch.lo `test -f 'batch/pb_tnc_batch.c' || echo '$(srcdir)/'`batch/pb_tnc_batch.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/pb_tnc_batch.Tpo $(DEPDIR)/pb_tnc_batch.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='batch/pb_tnc_batch.c' object='pb_tnc_batch.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT pb_tnc_batch.lo -MD -MP -MF $(DEPDIR)/pb_tnc_batch.Tpo -c -o pb_tnc_batch.lo `test -f 'batch/pb_tnc_batch.c' || echo '$(srcdir)/'`batch/pb_tnc_batch.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/pb_tnc_batch.Tpo $(DEPDIR)/pb_tnc_batch.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='batch/pb_tnc_batch.c' object='pb_tnc_batch.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o pb_tnc_batch.lo `test -f 'batch/pb_tnc_batch.c' || echo '$(srcdir)/'`batch/pb_tnc_batch.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o pb_tnc_batch.lo `test -f 'batch/pb_tnc_batch.c' || echo '$(srcdir)/'`batch/pb_tnc_batch.c
 
 pb_tnc_msg.lo: messages/pb_tnc_msg.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT pb_tnc_msg.lo -MD -MP -MF $(DEPDIR)/pb_tnc_msg.Tpo -c -o pb_tnc_msg.lo `test -f 'messages/pb_tnc_msg.c' || echo '$(srcdir)/'`messages/pb_tnc_msg.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/pb_tnc_msg.Tpo $(DEPDIR)/pb_tnc_msg.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='messages/pb_tnc_msg.c' object='pb_tnc_msg.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT pb_tnc_msg.lo -MD -MP -MF $(DEPDIR)/pb_tnc_msg.Tpo -c -o pb_tnc_msg.lo `test -f 'messages/pb_tnc_msg.c' || echo '$(srcdir)/'`messages/pb_tnc_msg.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/pb_tnc_msg.Tpo $(DEPDIR)/pb_tnc_msg.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='messages/pb_tnc_msg.c' object='pb_tnc_msg.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o pb_tnc_msg.lo `test -f 'messages/pb_tnc_msg.c' || echo '$(srcdir)/'`messages/pb_tnc_msg.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o pb_tnc_msg.lo `test -f 'messages/pb_tnc_msg.c' || echo '$(srcdir)/'`messages/pb_tnc_msg.c
 
 pb_experimental_msg.lo: messages/pb_experimental_msg.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT pb_experimental_msg.lo -MD -MP -MF $(DEPDIR)/pb_experimental_msg.Tpo -c -o pb_experimental_msg.lo `test -f 'messages/pb_experimental_msg.c' || echo '$(srcdir)/'`messages/pb_experimental_msg.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/pb_experimental_msg.Tpo $(DEPDIR)/pb_experimental_msg.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='messages/pb_experimental_msg.c' object='pb_experimental_msg.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT pb_experimental_msg.lo -MD -MP -MF $(DEPDIR)/pb_experimental_msg.Tpo -c -o pb_experimental_msg.lo `test -f 'messages/pb_experimental_msg.c' || echo '$(srcdir)/'`messages/pb_experimental_msg.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/pb_experimental_msg.Tpo $(DEPDIR)/pb_experimental_msg.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='messages/pb_experimental_msg.c' object='pb_experimental_msg.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o pb_experimental_msg.lo `test -f 'messages/pb_experimental_msg.c' || echo '$(srcdir)/'`messages/pb_experimental_msg.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o pb_experimental_msg.lo `test -f 'messages/pb_experimental_msg.c' || echo '$(srcdir)/'`messages/pb_experimental_msg.c
 
 pb_pa_msg.lo: messages/pb_pa_msg.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT pb_pa_msg.lo -MD -MP -MF $(DEPDIR)/pb_pa_msg.Tpo -c -o pb_pa_msg.lo `test -f 'messages/pb_pa_msg.c' || echo '$(srcdir)/'`messages/pb_pa_msg.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/pb_pa_msg.Tpo $(DEPDIR)/pb_pa_msg.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='messages/pb_pa_msg.c' object='pb_pa_msg.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT pb_pa_msg.lo -MD -MP -MF $(DEPDIR)/pb_pa_msg.Tpo -c -o pb_pa_msg.lo `test -f 'messages/pb_pa_msg.c' || echo '$(srcdir)/'`messages/pb_pa_msg.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/pb_pa_msg.Tpo $(DEPDIR)/pb_pa_msg.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='messages/pb_pa_msg.c' object='pb_pa_msg.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o pb_pa_msg.lo `test -f 'messages/pb_pa_msg.c' || echo '$(srcdir)/'`messages/pb_pa_msg.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o pb_pa_msg.lo `test -f 'messages/pb_pa_msg.c' || echo '$(srcdir)/'`messages/pb_pa_msg.c
 
 pb_assessment_result_msg.lo: messages/pb_assessment_result_msg.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT pb_assessment_result_msg.lo -MD -MP -MF $(DEPDIR)/pb_assessment_result_msg.Tpo -c -o pb_assessment_result_msg.lo `test -f 'messages/pb_assessment_result_msg.c' || echo '$(srcdir)/'`messages/pb_assessment_result_msg.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/pb_assessment_result_msg.Tpo $(DEPDIR)/pb_assessment_result_msg.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='messages/pb_assessment_result_msg.c' object='pb_assessment_result_msg.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT pb_assessment_result_msg.lo -MD -MP -MF $(DEPDIR)/pb_assessment_result_msg.Tpo -c -o pb_assessment_result_msg.lo `test -f 'messages/pb_assessment_result_msg.c' || echo '$(srcdir)/'`messages/pb_assessment_result_msg.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/pb_assessment_result_msg.Tpo $(DEPDIR)/pb_assessment_result_msg.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='messages/pb_assessment_result_msg.c' object='pb_assessment_result_msg.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o pb_assessment_result_msg.lo `test -f 'messages/pb_assessment_result_msg.c' || echo '$(srcdir)/'`messages/pb_assessment_result_msg.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o pb_assessment_result_msg.lo `test -f 'messages/pb_assessment_result_msg.c' || echo '$(srcdir)/'`messages/pb_assessment_result_msg.c
 
 pb_access_recommendation_msg.lo: messages/pb_access_recommendation_msg.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT pb_access_recommendation_msg.lo -MD -MP -MF $(DEPDIR)/pb_access_recommendation_msg.Tpo -c -o pb_access_recommendation_msg.lo `test -f 'messages/pb_access_recommendation_msg.c' || echo '$(srcdir)/'`messages/pb_access_recommendation_msg.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/pb_access_recommendation_msg.Tpo $(DEPDIR)/pb_access_recommendation_msg.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='messages/pb_access_recommendation_msg.c' object='pb_access_recommendation_msg.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT pb_access_recommendation_msg.lo -MD -MP -MF $(DEPDIR)/pb_access_recommendation_msg.Tpo -c -o pb_access_recommendation_msg.lo `test -f 'messages/pb_access_recommendation_msg.c' || echo '$(srcdir)/'`messages/pb_access_recommendation_msg.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/pb_access_recommendation_msg.Tpo $(DEPDIR)/pb_access_recommendation_msg.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='messages/pb_access_recommendation_msg.c' object='pb_access_recommendation_msg.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o pb_access_recommendation_msg.lo `test -f 'messages/pb_access_recommendation_msg.c' || echo '$(srcdir)/'`messages/pb_access_recommendation_msg.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o pb_access_recommendation_msg.lo `test -f 'messages/pb_access_recommendation_msg.c' || echo '$(srcdir)/'`messages/pb_access_recommendation_msg.c
 
 pb_error_msg.lo: messages/pb_error_msg.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT pb_error_msg.lo -MD -MP -MF $(DEPDIR)/pb_error_msg.Tpo -c -o pb_error_msg.lo `test -f 'messages/pb_error_msg.c' || echo '$(srcdir)/'`messages/pb_error_msg.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/pb_error_msg.Tpo $(DEPDIR)/pb_error_msg.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='messages/pb_error_msg.c' object='pb_error_msg.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT pb_error_msg.lo -MD -MP -MF $(DEPDIR)/pb_error_msg.Tpo -c -o pb_error_msg.lo `test -f 'messages/pb_error_msg.c' || echo '$(srcdir)/'`messages/pb_error_msg.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/pb_error_msg.Tpo $(DEPDIR)/pb_error_msg.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='messages/pb_error_msg.c' object='pb_error_msg.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o pb_error_msg.lo `test -f 'messages/pb_error_msg.c' || echo '$(srcdir)/'`messages/pb_error_msg.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o pb_error_msg.lo `test -f 'messages/pb_error_msg.c' || echo '$(srcdir)/'`messages/pb_error_msg.c
 
 pb_language_preference_msg.lo: messages/pb_language_preference_msg.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT pb_language_preference_msg.lo -MD -MP -MF $(DEPDIR)/pb_language_preference_msg.Tpo -c -o pb_language_preference_msg.lo `test -f 'messages/pb_language_preference_msg.c' || echo '$(srcdir)/'`messages/pb_language_preference_msg.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/pb_language_preference_msg.Tpo $(DEPDIR)/pb_language_preference_msg.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='messages/pb_language_preference_msg.c' object='pb_language_preference_msg.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT pb_language_preference_msg.lo -MD -MP -MF $(DEPDIR)/pb_language_preference_msg.Tpo -c -o pb_language_preference_msg.lo `test -f 'messages/pb_language_preference_msg.c' || echo '$(srcdir)/'`messages/pb_language_preference_msg.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/pb_language_preference_msg.Tpo $(DEPDIR)/pb_language_preference_msg.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='messages/pb_language_preference_msg.c' object='pb_language_preference_msg.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o pb_language_preference_msg.lo `test -f 'messages/pb_language_preference_msg.c' || echo '$(srcdir)/'`messages/pb_language_preference_msg.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o pb_language_preference_msg.lo `test -f 'messages/pb_language_preference_msg.c' || echo '$(srcdir)/'`messages/pb_language_preference_msg.c
 
 pb_reason_string_msg.lo: messages/pb_reason_string_msg.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT pb_reason_string_msg.lo -MD -MP -MF $(DEPDIR)/pb_reason_string_msg.Tpo -c -o pb_reason_string_msg.lo `test -f 'messages/pb_reason_string_msg.c' || echo '$(srcdir)/'`messages/pb_reason_string_msg.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/pb_reason_string_msg.Tpo $(DEPDIR)/pb_reason_string_msg.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='messages/pb_reason_string_msg.c' object='pb_reason_string_msg.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT pb_reason_string_msg.lo -MD -MP -MF $(DEPDIR)/pb_reason_string_msg.Tpo -c -o pb_reason_string_msg.lo `test -f 'messages/pb_reason_string_msg.c' || echo '$(srcdir)/'`messages/pb_reason_string_msg.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/pb_reason_string_msg.Tpo $(DEPDIR)/pb_reason_string_msg.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='messages/pb_reason_string_msg.c' object='pb_reason_string_msg.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o pb_reason_string_msg.lo `test -f 'messages/pb_reason_string_msg.c' || echo '$(srcdir)/'`messages/pb_reason_string_msg.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o pb_reason_string_msg.lo `test -f 'messages/pb_reason_string_msg.c' || echo '$(srcdir)/'`messages/pb_reason_string_msg.c
 
 pb_remediation_parameters_msg.lo: messages/pb_remediation_parameters_msg.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT pb_remediation_parameters_msg.lo -MD -MP -MF $(DEPDIR)/pb_remediation_parameters_msg.Tpo -c -o pb_remediation_parameters_msg.lo `test -f 'messages/pb_remediation_parameters_msg.c' || echo '$(srcdir)/'`messages/pb_remediation_parameters_msg.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/pb_remediation_parameters_msg.Tpo $(DEPDIR)/pb_remediation_parameters_msg.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='messages/pb_remediation_parameters_msg.c' object='pb_remediation_parameters_msg.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT pb_remediation_parameters_msg.lo -MD -MP -MF $(DEPDIR)/pb_remediation_parameters_msg.Tpo -c -o pb_remediation_parameters_msg.lo `test -f 'messages/pb_remediation_parameters_msg.c' || echo '$(srcdir)/'`messages/pb_remediation_parameters_msg.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/pb_remediation_parameters_msg.Tpo $(DEPDIR)/pb_remediation_parameters_msg.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='messages/pb_remediation_parameters_msg.c' object='pb_remediation_parameters_msg.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o pb_remediation_parameters_msg.lo `test -f 'messages/pb_remediation_parameters_msg.c' || echo '$(srcdir)/'`messages/pb_remediation_parameters_msg.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o pb_remediation_parameters_msg.lo `test -f 'messages/pb_remediation_parameters_msg.c' || echo '$(srcdir)/'`messages/pb_remediation_parameters_msg.c
 
 pb_tnc_state_machine.lo: state_machine/pb_tnc_state_machine.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT pb_tnc_state_machine.lo -MD -MP -MF $(DEPDIR)/pb_tnc_state_machine.Tpo -c -o pb_tnc_state_machine.lo `test -f 'state_machine/pb_tnc_state_machine.c' || echo '$(srcdir)/'`state_machine/pb_tnc_state_machine.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/pb_tnc_state_machine.Tpo $(DEPDIR)/pb_tnc_state_machine.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='state_machine/pb_tnc_state_machine.c' object='pb_tnc_state_machine.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT pb_tnc_state_machine.lo -MD -MP -MF $(DEPDIR)/pb_tnc_state_machine.Tpo -c -o pb_tnc_state_machine.lo `test -f 'state_machine/pb_tnc_state_machine.c' || echo '$(srcdir)/'`state_machine/pb_tnc_state_machine.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/pb_tnc_state_machine.Tpo $(DEPDIR)/pb_tnc_state_machine.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='state_machine/pb_tnc_state_machine.c' object='pb_tnc_state_machine.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o pb_tnc_state_machine.lo `test -f 'state_machine/pb_tnc_state_machine.c' || echo '$(srcdir)/'`state_machine/pb_tnc_state_machine.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o pb_tnc_state_machine.lo `test -f 'state_machine/pb_tnc_state_machine.c' || echo '$(srcdir)/'`state_machine/pb_tnc_state_machine.c
 
 mostlyclean-libtool:
 	-rm -f *.lo
diff --git a/src/libcharon/plugins/tnccs_20/tnccs_20.c b/src/libcharon/plugins/tnccs_20/tnccs_20.c
index 29a161e69..4c8f3a925 100644
--- a/src/libcharon/plugins/tnccs_20/tnccs_20.c
+++ b/src/libcharon/plugins/tnccs_20/tnccs_20.c
@@ -583,6 +583,7 @@ static void check_and_build_recommendation(private_tnccs_20_t *this)
 {
 	TNC_IMV_Action_Recommendation rec;
 	TNC_IMV_Evaluation_Result eval;
+	TNC_ConnectionState state;
 	TNC_IMVID id;
 	chunk_t reason, language;
 	enumerator_t *enumerator;
@@ -602,20 +603,27 @@ static void check_and_build_recommendation(private_tnccs_20_t *this)
 
 		/**
 		 * Map IMV Action Recommendation codes to PB Access Recommendation codes
+		 * and communicate Access Recommendation to IMVs
 		 */
 		switch (rec)
 		{
 			case TNC_IMV_ACTION_RECOMMENDATION_ALLOW:
+				state = TNC_CONNECTION_STATE_ACCESS_ALLOWED;
 				pb_rec = PB_REC_ACCESS_ALLOWED;
 				break;
 			case TNC_IMV_ACTION_RECOMMENDATION_ISOLATE:
+				state = TNC_CONNECTION_STATE_ACCESS_ISOLATED;
 				pb_rec = PB_REC_QUARANTINED;
 				break;
 			case TNC_IMV_ACTION_RECOMMENDATION_NO_ACCESS:
 			case TNC_IMV_ACTION_RECOMMENDATION_NO_RECOMMENDATION:
 			default:
+				state = TNC_CONNECTION_STATE_ACCESS_NONE;
 				pb_rec = PB_REC_ACCESS_DENIED;
 		}
+		tnc->imvs->notify_connection_change(tnc->imvs, this->connection_id,
+											state);
+
 		msg = pb_access_recommendation_msg_create(pb_rec);
 		this->messages->insert_last(this->messages, msg);
 
diff --git a/src/libcharon/plugins/tnccs_dynamic/Makefile.am b/src/libcharon/plugins/tnccs_dynamic/Makefile.am
index 57c2baaf0..1a2887816 100644
--- a/src/libcharon/plugins/tnccs_dynamic/Makefile.am
+++ b/src/libcharon/plugins/tnccs_dynamic/Makefile.am
@@ -1,11 +1,11 @@
-
-INCLUDES = \
+AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
 	-I$(top_srcdir)/src/libtls \
 	-I$(top_srcdir)/src/libtncif \
 	-I$(top_srcdir)/src/libtnccs
 
-AM_CFLAGS = -rdynamic
+AM_CFLAGS = \
+	-rdynamic
 
 if MONOLITHIC
 noinst_LTLIBRARIES = libstrongswan-tnccs-dynamic.la
diff --git a/src/libcharon/plugins/tnccs_dynamic/Makefile.in b/src/libcharon/plugins/tnccs_dynamic/Makefile.in
index 820870dd7..bf5e9c1b8 100644
--- a/src/libcharon/plugins/tnccs_dynamic/Makefile.in
+++ b/src/libcharon/plugins/tnccs_dynamic/Makefile.in
@@ -62,7 +62,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
@@ -105,7 +105,10 @@ am_libstrongswan_tnccs_dynamic_la_OBJECTS = tnccs_dynamic_plugin.lo \
 	tnccs_dynamic.lo
 libstrongswan_tnccs_dynamic_la_OBJECTS =  \
 	$(am_libstrongswan_tnccs_dynamic_la_OBJECTS)
-libstrongswan_tnccs_dynamic_la_LINK = $(LIBTOOL) --tag=CC \
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+libstrongswan_tnccs_dynamic_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
 	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
 	$(AM_CFLAGS) $(CFLAGS) \
 	$(libstrongswan_tnccs_dynamic_la_LDFLAGS) $(LDFLAGS) -o $@
@@ -118,13 +121,26 @@ am__depfiles_maybe = depfiles
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
 SOURCES = $(libstrongswan_tnccs_dynamic_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_tnccs_dynamic_la_SOURCES)
 am__can_run_installinfo = \
@@ -138,6 +154,7 @@ DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
@@ -150,6 +167,8 @@ CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
 CHECK_CFLAGS = @CHECK_CFLAGS@
 CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -165,6 +184,7 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
 GPRBUILD = @GPRBUILD@
 GREP = @GREP@
@@ -173,6 +193,7 @@ INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -219,6 +240,7 @@ SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -247,6 +269,7 @@ charon_natt_port = @charon_natt_port@
 charon_plugins = @charon_plugins@
 charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
@@ -324,13 +347,15 @@ top_srcdir = @top_srcdir@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-INCLUDES = \
+AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
 	-I$(top_srcdir)/src/libtls \
 	-I$(top_srcdir)/src/libtncif \
 	-I$(top_srcdir)/src/libtnccs
 
-AM_CFLAGS = -rdynamic
+AM_CFLAGS = \
+	-rdynamic
+
 @MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-tnccs-dynamic.la
 @MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-tnccs-dynamic.la
 @MONOLITHIC_FALSE@libstrongswan_tnccs_dynamic_la_LIBADD = \
@@ -417,7 +442,7 @@ clean-pluginLTLIBRARIES:
 	  rm -f "$${dir}/so_locations"; \
 	done
 libstrongswan-tnccs-dynamic.la: $(libstrongswan_tnccs_dynamic_la_OBJECTS) $(libstrongswan_tnccs_dynamic_la_DEPENDENCIES) $(EXTRA_libstrongswan_tnccs_dynamic_la_DEPENDENCIES) 
-	$(libstrongswan_tnccs_dynamic_la_LINK) $(am_libstrongswan_tnccs_dynamic_la_rpath) $(libstrongswan_tnccs_dynamic_la_OBJECTS) $(libstrongswan_tnccs_dynamic_la_LIBADD) $(LIBS)
+	$(AM_V_CCLD)$(libstrongswan_tnccs_dynamic_la_LINK) $(am_libstrongswan_tnccs_dynamic_la_rpath) $(libstrongswan_tnccs_dynamic_la_OBJECTS) $(libstrongswan_tnccs_dynamic_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -429,25 +454,25 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tnccs_dynamic_plugin.Plo@am__quote@
 
 .c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
 mostlyclean-libtool:
 	-rm -f *.lo
diff --git a/src/libcharon/plugins/uci/Makefile.am b/src/libcharon/plugins/uci/Makefile.am
index 6decdb9da..1fcd9ed25 100644
--- a/src/libcharon/plugins/uci/Makefile.am
+++ b/src/libcharon/plugins/uci/Makefile.am
@@ -1,8 +1,10 @@
-
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon
 
-AM_CFLAGS = -rdynamic
+AM_CFLAGS = \
+	-rdynamic
 
 if MONOLITHIC
 noinst_LTLIBRARIES = libstrongswan-uci.la
diff --git a/src/libcharon/plugins/uci/Makefile.in b/src/libcharon/plugins/uci/Makefile.in
index 6c5be9830..224b3e67f 100644
--- a/src/libcharon/plugins/uci/Makefile.in
+++ b/src/libcharon/plugins/uci/Makefile.in
@@ -62,7 +62,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
@@ -102,9 +102,13 @@ libstrongswan_uci_la_DEPENDENCIES =
 am_libstrongswan_uci_la_OBJECTS = uci_plugin.lo uci_parser.lo \
 	uci_config.lo uci_creds.lo uci_control.lo
 libstrongswan_uci_la_OBJECTS = $(am_libstrongswan_uci_la_OBJECTS)
-libstrongswan_uci_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
-	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
-	$(libstrongswan_uci_la_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+libstrongswan_uci_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
+	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
+	$(AM_CFLAGS) $(CFLAGS) $(libstrongswan_uci_la_LDFLAGS) \
+	$(LDFLAGS) -o $@
 @MONOLITHIC_FALSE@am_libstrongswan_uci_la_rpath = -rpath $(plugindir)
 @MONOLITHIC_TRUE@am_libstrongswan_uci_la_rpath =
 DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
@@ -113,13 +117,26 @@ am__depfiles_maybe = depfiles
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
 SOURCES = $(libstrongswan_uci_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_uci_la_SOURCES)
 am__can_run_installinfo = \
@@ -133,6 +150,7 @@ DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
@@ -145,6 +163,8 @@ CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
 CHECK_CFLAGS = @CHECK_CFLAGS@
 CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -160,6 +180,7 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
 GPRBUILD = @GPRBUILD@
 GREP = @GREP@
@@ -168,6 +189,7 @@ INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -214,6 +236,7 @@ SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -242,6 +265,7 @@ charon_natt_port = @charon_natt_port@
 charon_plugins = @charon_plugins@
 charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
@@ -319,10 +343,14 @@ top_srcdir = @top_srcdir@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon
 
-AM_CFLAGS = -rdynamic
+AM_CFLAGS = \
+	-rdynamic
+
 @MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-uci.la
 @MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-uci.la
 libstrongswan_uci_la_SOURCES = \
@@ -408,7 +436,7 @@ clean-pluginLTLIBRARIES:
 	  rm -f "$${dir}/so_locations"; \
 	done
 libstrongswan-uci.la: $(libstrongswan_uci_la_OBJECTS) $(libstrongswan_uci_la_DEPENDENCIES) $(EXTRA_libstrongswan_uci_la_DEPENDENCIES) 
-	$(libstrongswan_uci_la_LINK) $(am_libstrongswan_uci_la_rpath) $(libstrongswan_uci_la_OBJECTS) $(libstrongswan_uci_la_LIBADD) $(LIBS)
+	$(AM_V_CCLD)$(libstrongswan_uci_la_LINK) $(am_libstrongswan_uci_la_rpath) $(libstrongswan_uci_la_OBJECTS) $(libstrongswan_uci_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -423,25 +451,25 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/uci_plugin.Plo@am__quote@
 
 .c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
 mostlyclean-libtool:
 	-rm -f *.lo
diff --git a/src/libcharon/plugins/uci/uci_control.c b/src/libcharon/plugins/uci/uci_control.c
index 53221b786..cebc389e7 100644
--- a/src/libcharon/plugins/uci/uci_control.c
+++ b/src/libcharon/plugins/uci/uci_control.c
@@ -72,6 +72,7 @@ static void write_fifo(private_uci_control_t *this, char *format, ...)
 static void status(private_uci_control_t *this, char *name)
 {
 	enumerator_t *configs, *sas, *children;
+	linked_list_t *list;
 	ike_sa_t *ike_sa;
 	child_sa_t *child_sa;
 	peer_cfg_t *peer_cfg;
@@ -108,8 +109,10 @@ static void status(private_uci_control_t *this, char *name)
 			children = ike_sa->create_child_sa_enumerator(ike_sa);
 			while (children->enumerate(children, (void**)&child_sa))
 			{
-				fprintf(out, "%#R",
-						child_sa->get_traffic_selectors(child_sa, FALSE));
+				list = linked_list_create_from_enumerator(
+							child_sa->create_ts_enumerator(child_sa, FALSE));
+				fprintf(out, "%#R", list);
+				list->destroy(list);
 			}
 			children->destroy(children);
 			fprintf(out, "\n");
@@ -296,4 +299,3 @@ uci_control_t *uci_control_create()
 	}
 	return &this->public;
 }
-
diff --git a/src/libcharon/plugins/uci/uci_plugin.c b/src/libcharon/plugins/uci/uci_plugin.c
index 497c473a4..cc0836b7a 100644
--- a/src/libcharon/plugins/uci/uci_plugin.c
+++ b/src/libcharon/plugins/uci/uci_plugin.c
@@ -64,11 +64,40 @@ METHOD(plugin_t, get_name, char*,
 	return "uci";
 }
 
+/**
+ * Register backend
+ */
+static bool plugin_cb(private_uci_plugin_t *this,
+					  plugin_feature_t *feature, bool reg, void *cb_data)
+{
+	if (reg)
+	{
+		charon->backends->add_backend(charon->backends, &this->config->backend);
+		lib->credmgr->add_set(lib->credmgr, &this->creds->credential_set);
+	}
+	else
+	{
+		charon->backends->remove_backend(charon->backends,
+										 &this->config->backend);
+		lib->credmgr->remove_set(lib->credmgr, &this->creds->credential_set);
+	}
+	return TRUE;
+}
+
+METHOD(plugin_t, get_features, int,
+	private_uci_plugin_t *this, plugin_feature_t *features[])
+{
+	static plugin_feature_t f[] = {
+		PLUGIN_CALLBACK((plugin_feature_callback_t)plugin_cb, NULL),
+			PLUGIN_PROVIDE(CUSTOM, "uci"),
+	};
+	*features = f;
+	return countof(f);
+}
+
 METHOD(plugin_t, destroy, void,
 	private_uci_plugin_t *this)
 {
-	charon->backends->remove_backend(charon->backends, &this->config->backend);
-	lib->credmgr->remove_set(lib->credmgr, &this->creds->credential_set);
 	this->config->destroy(this->config);
 	this->creds->destroy(this->creds);
 	this->parser->destroy(this->parser);
@@ -87,7 +116,7 @@ plugin_t *uci_plugin_create()
 		.public = {
 			.plugin = {
 				.get_name = _get_name,
-				.reload = (void*)return_false,
+				.get_features = _get_features,
 				.destroy = _destroy,
 			},
 		},
@@ -97,9 +126,5 @@ plugin_t *uci_plugin_create()
 	this->config = uci_config_create(this->parser);
 	this->creds = uci_creds_create(this->parser);
 
-	charon->backends->add_backend(charon->backends, &this->config->backend);
-	lib->credmgr->add_set(lib->credmgr, &this->creds->credential_set);
-
 	return &this->public.plugin;
 }
-
diff --git a/src/libcharon/plugins/unit_tester/Makefile.am b/src/libcharon/plugins/unit_tester/Makefile.am
index c46d2b85d..21cf08c61 100644
--- a/src/libcharon/plugins/unit_tester/Makefile.am
+++ b/src/libcharon/plugins/unit_tester/Makefile.am
@@ -1,8 +1,10 @@
-
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon
 
-AM_CFLAGS = -rdynamic
+AM_CFLAGS = \
+	-rdynamic
 
 if MONOLITHIC
 noinst_LTLIBRARIES = libstrongswan-unit-tester.la
@@ -12,19 +14,13 @@ endif
 
 libstrongswan_unit_tester_la_SOURCES = \
 	unit_tester.c unit_tester.h tests.h \
-	tests/test_enumerator.c \
 	tests/test_auth_info.c \
 	tests/test_curl.c \
 	tests/test_mysql.c \
 	tests/test_sqlite.c \
-	tests/test_mutex.c \
-	tests/test_rsa_gen.c \
 	tests/test_cert.c \
 	tests/test_med_db.c \
-	tests/test_chunk.c \
 	tests/test_pool.c \
-	tests/test_agent.c \
-	tests/test_id.c \
-	tests/test_hashtable.c
+	tests/test_agent.c
 
 libstrongswan_unit_tester_la_LDFLAGS = -module -avoid-version
diff --git a/src/libcharon/plugins/unit_tester/Makefile.in b/src/libcharon/plugins/unit_tester/Makefile.in
index 8b5b98db5..0e22c1db1 100644
--- a/src/libcharon/plugins/unit_tester/Makefile.in
+++ b/src/libcharon/plugins/unit_tester/Makefile.in
@@ -62,7 +62,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
@@ -100,13 +100,14 @@ am__installdirs = "$(DESTDIR)$(plugindir)"
 LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
 libstrongswan_unit_tester_la_LIBADD =
 am_libstrongswan_unit_tester_la_OBJECTS = unit_tester.lo \
-	test_enumerator.lo test_auth_info.lo test_curl.lo \
-	test_mysql.lo test_sqlite.lo test_mutex.lo test_rsa_gen.lo \
-	test_cert.lo test_med_db.lo test_chunk.lo test_pool.lo \
-	test_agent.lo test_id.lo test_hashtable.lo
+	test_auth_info.lo test_curl.lo test_mysql.lo test_sqlite.lo \
+	test_cert.lo test_med_db.lo test_pool.lo test_agent.lo
 libstrongswan_unit_tester_la_OBJECTS =  \
 	$(am_libstrongswan_unit_tester_la_OBJECTS)
-libstrongswan_unit_tester_la_LINK = $(LIBTOOL) --tag=CC \
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+libstrongswan_unit_tester_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
 	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
 	$(AM_CFLAGS) $(CFLAGS) $(libstrongswan_unit_tester_la_LDFLAGS) \
 	$(LDFLAGS) -o $@
@@ -119,13 +120,26 @@ am__depfiles_maybe = depfiles
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
 SOURCES = $(libstrongswan_unit_tester_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_unit_tester_la_SOURCES)
 am__can_run_installinfo = \
@@ -139,6 +153,7 @@ DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
@@ -151,6 +166,8 @@ CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
 CHECK_CFLAGS = @CHECK_CFLAGS@
 CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -166,6 +183,7 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
 GPRBUILD = @GPRBUILD@
 GREP = @GREP@
@@ -174,6 +192,7 @@ INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -220,6 +239,7 @@ SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -248,6 +268,7 @@ charon_natt_port = @charon_natt_port@
 charon_plugins = @charon_plugins@
 charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
@@ -325,28 +346,26 @@ top_srcdir = @top_srcdir@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon
 
-AM_CFLAGS = -rdynamic
+AM_CFLAGS = \
+	-rdynamic
+
 @MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-unit-tester.la
 @MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-unit-tester.la
 libstrongswan_unit_tester_la_SOURCES = \
 	unit_tester.c unit_tester.h tests.h \
-	tests/test_enumerator.c \
 	tests/test_auth_info.c \
 	tests/test_curl.c \
 	tests/test_mysql.c \
 	tests/test_sqlite.c \
-	tests/test_mutex.c \
-	tests/test_rsa_gen.c \
 	tests/test_cert.c \
 	tests/test_med_db.c \
-	tests/test_chunk.c \
 	tests/test_pool.c \
-	tests/test_agent.c \
-	tests/test_id.c \
-	tests/test_hashtable.c
+	tests/test_agent.c
 
 libstrongswan_unit_tester_la_LDFLAGS = -module -avoid-version
 all: all-am
@@ -425,7 +444,7 @@ clean-pluginLTLIBRARIES:
 	  rm -f "$${dir}/so_locations"; \
 	done
 libstrongswan-unit-tester.la: $(libstrongswan_unit_tester_la_OBJECTS) $(libstrongswan_unit_tester_la_DEPENDENCIES) $(EXTRA_libstrongswan_unit_tester_la_DEPENDENCIES) 
-	$(libstrongswan_unit_tester_la_LINK) $(am_libstrongswan_unit_tester_la_rpath) $(libstrongswan_unit_tester_la_OBJECTS) $(libstrongswan_unit_tester_la_LIBADD) $(LIBS)
+	$(AM_V_CCLD)$(libstrongswan_unit_tester_la_LINK) $(am_libstrongswan_unit_tester_la_rpath) $(libstrongswan_unit_tester_la_OBJECTS) $(libstrongswan_unit_tester_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -436,137 +455,89 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_agent.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_auth_info.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_cert.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_chunk.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_curl.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_enumerator.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_hashtable.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_id.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_med_db.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_mutex.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_mysql.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_pool.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_rsa_gen.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_sqlite.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/unit_tester.Plo@am__quote@
 
 .c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
-
-test_enumerator.lo: tests/test_enumerator.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT test_enumerator.lo -MD -MP -MF $(DEPDIR)/test_enumerator.Tpo -c -o test_enumerator.lo `test -f 'tests/test_enumerator.c' || echo '$(srcdir)/'`tests/test_enumerator.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/test_enumerator.Tpo $(DEPDIR)/test_enumerator.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='tests/test_enumerator.c' object='test_enumerator.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o test_enumerator.lo `test -f 'tests/test_enumerator.c' || echo '$(srcdir)/'`tests/test_enumerator.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
 test_auth_info.lo: tests/test_auth_info.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT test_auth_info.lo -MD -MP -MF $(DEPDIR)/test_auth_info.Tpo -c -o test_auth_info.lo `test -f 'tests/test_auth_info.c' || echo '$(srcdir)/'`tests/test_auth_info.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/test_auth_info.Tpo $(DEPDIR)/test_auth_info.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='tests/test_auth_info.c' object='test_auth_info.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT test_auth_info.lo -MD -MP -MF $(DEPDIR)/test_auth_info.Tpo -c -o test_auth_info.lo `test -f 'tests/test_auth_info.c' || echo '$(srcdir)/'`tests/test_auth_info.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/test_auth_info.Tpo $(DEPDIR)/test_auth_info.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='tests/test_auth_info.c' object='test_auth_info.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o test_auth_info.lo `test -f 'tests/test_auth_info.c' || echo '$(srcdir)/'`tests/test_auth_info.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o test_auth_info.lo `test -f 'tests/test_auth_info.c' || echo '$(srcdir)/'`tests/test_auth_info.c
 
 test_curl.lo: tests/test_curl.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT test_curl.lo -MD -MP -MF $(DEPDIR)/test_curl.Tpo -c -o test_curl.lo `test -f 'tests/test_curl.c' || echo '$(srcdir)/'`tests/test_curl.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/test_curl.Tpo $(DEPDIR)/test_curl.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='tests/test_curl.c' object='test_curl.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT test_curl.lo -MD -MP -MF $(DEPDIR)/test_curl.Tpo -c -o test_curl.lo `test -f 'tests/test_curl.c' || echo '$(srcdir)/'`tests/test_curl.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/test_curl.Tpo $(DEPDIR)/test_curl.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='tests/test_curl.c' object='test_curl.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o test_curl.lo `test -f 'tests/test_curl.c' || echo '$(srcdir)/'`tests/test_curl.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o test_curl.lo `test -f 'tests/test_curl.c' || echo '$(srcdir)/'`tests/test_curl.c
 
 test_mysql.lo: tests/test_mysql.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT test_mysql.lo -MD -MP -MF $(DEPDIR)/test_mysql.Tpo -c -o test_mysql.lo `test -f 'tests/test_mysql.c' || echo '$(srcdir)/'`tests/test_mysql.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/test_mysql.Tpo $(DEPDIR)/test_mysql.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='tests/test_mysql.c' object='test_mysql.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT test_mysql.lo -MD -MP -MF $(DEPDIR)/test_mysql.Tpo -c -o test_mysql.lo `test -f 'tests/test_mysql.c' || echo '$(srcdir)/'`tests/test_mysql.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/test_mysql.Tpo $(DEPDIR)/test_mysql.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='tests/test_mysql.c' object='test_mysql.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o test_mysql.lo `test -f 'tests/test_mysql.c' || echo '$(srcdir)/'`tests/test_mysql.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o test_mysql.lo `test -f 'tests/test_mysql.c' || echo '$(srcdir)/'`tests/test_mysql.c
 
 test_sqlite.lo: tests/test_sqlite.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT test_sqlite.lo -MD -MP -MF $(DEPDIR)/test_sqlite.Tpo -c -o test_sqlite.lo `test -f 'tests/test_sqlite.c' || echo '$(srcdir)/'`tests/test_sqlite.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/test_sqlite.Tpo $(DEPDIR)/test_sqlite.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='tests/test_sqlite.c' object='test_sqlite.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o test_sqlite.lo `test -f 'tests/test_sqlite.c' || echo '$(srcdir)/'`tests/test_sqlite.c
-
-test_mutex.lo: tests/test_mutex.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT test_mutex.lo -MD -MP -MF $(DEPDIR)/test_mutex.Tpo -c -o test_mutex.lo `test -f 'tests/test_mutex.c' || echo '$(srcdir)/'`tests/test_mutex.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/test_mutex.Tpo $(DEPDIR)/test_mutex.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='tests/test_mutex.c' object='test_mutex.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o test_mutex.lo `test -f 'tests/test_mutex.c' || echo '$(srcdir)/'`tests/test_mutex.c
-
-test_rsa_gen.lo: tests/test_rsa_gen.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT test_rsa_gen.lo -MD -MP -MF $(DEPDIR)/test_rsa_gen.Tpo -c -o test_rsa_gen.lo `test -f 'tests/test_rsa_gen.c' || echo '$(srcdir)/'`tests/test_rsa_gen.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/test_rsa_gen.Tpo $(DEPDIR)/test_rsa_gen.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='tests/test_rsa_gen.c' object='test_rsa_gen.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT test_sqlite.lo -MD -MP -MF $(DEPDIR)/test_sqlite.Tpo -c -o test_sqlite.lo `test -f 'tests/test_sqlite.c' || echo '$(srcdir)/'`tests/test_sqlite.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/test_sqlite.Tpo $(DEPDIR)/test_sqlite.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='tests/test_sqlite.c' object='test_sqlite.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o test_rsa_gen.lo `test -f 'tests/test_rsa_gen.c' || echo '$(srcdir)/'`tests/test_rsa_gen.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o test_sqlite.lo `test -f 'tests/test_sqlite.c' || echo '$(srcdir)/'`tests/test_sqlite.c
 
 test_cert.lo: tests/test_cert.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT test_cert.lo -MD -MP -MF $(DEPDIR)/test_cert.Tpo -c -o test_cert.lo `test -f 'tests/test_cert.c' || echo '$(srcdir)/'`tests/test_cert.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/test_cert.Tpo $(DEPDIR)/test_cert.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='tests/test_cert.c' object='test_cert.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT test_cert.lo -MD -MP -MF $(DEPDIR)/test_cert.Tpo -c -o test_cert.lo `test -f 'tests/test_cert.c' || echo '$(srcdir)/'`tests/test_cert.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/test_cert.Tpo $(DEPDIR)/test_cert.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='tests/test_cert.c' object='test_cert.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o test_cert.lo `test -f 'tests/test_cert.c' || echo '$(srcdir)/'`tests/test_cert.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o test_cert.lo `test -f 'tests/test_cert.c' || echo '$(srcdir)/'`tests/test_cert.c
 
 test_med_db.lo: tests/test_med_db.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT test_med_db.lo -MD -MP -MF $(DEPDIR)/test_med_db.Tpo -c -o test_med_db.lo `test -f 'tests/test_med_db.c' || echo '$(srcdir)/'`tests/test_med_db.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/test_med_db.Tpo $(DEPDIR)/test_med_db.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='tests/test_med_db.c' object='test_med_db.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o test_med_db.lo `test -f 'tests/test_med_db.c' || echo '$(srcdir)/'`tests/test_med_db.c
-
-test_chunk.lo: tests/test_chunk.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT test_chunk.lo -MD -MP -MF $(DEPDIR)/test_chunk.Tpo -c -o test_chunk.lo `test -f 'tests/test_chunk.c' || echo '$(srcdir)/'`tests/test_chunk.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/test_chunk.Tpo $(DEPDIR)/test_chunk.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='tests/test_chunk.c' object='test_chunk.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT test_med_db.lo -MD -MP -MF $(DEPDIR)/test_med_db.Tpo -c -o test_med_db.lo `test -f 'tests/test_med_db.c' || echo '$(srcdir)/'`tests/test_med_db.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/test_med_db.Tpo $(DEPDIR)/test_med_db.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='tests/test_med_db.c' object='test_med_db.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o test_chunk.lo `test -f 'tests/test_chunk.c' || echo '$(srcdir)/'`tests/test_chunk.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o test_med_db.lo `test -f 'tests/test_med_db.c' || echo '$(srcdir)/'`tests/test_med_db.c
 
 test_pool.lo: tests/test_pool.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT test_pool.lo -MD -MP -MF $(DEPDIR)/test_pool.Tpo -c -o test_pool.lo `test -f 'tests/test_pool.c' || echo '$(srcdir)/'`tests/test_pool.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/test_pool.Tpo $(DEPDIR)/test_pool.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='tests/test_pool.c' object='test_pool.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT test_pool.lo -MD -MP -MF $(DEPDIR)/test_pool.Tpo -c -o test_pool.lo `test -f 'tests/test_pool.c' || echo '$(srcdir)/'`tests/test_pool.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/test_pool.Tpo $(DEPDIR)/test_pool.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='tests/test_pool.c' object='test_pool.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o test_pool.lo `test -f 'tests/test_pool.c' || echo '$(srcdir)/'`tests/test_pool.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o test_pool.lo `test -f 'tests/test_pool.c' || echo '$(srcdir)/'`tests/test_pool.c
 
 test_agent.lo: tests/test_agent.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT test_agent.lo -MD -MP -MF $(DEPDIR)/test_agent.Tpo -c -o test_agent.lo `test -f 'tests/test_agent.c' || echo '$(srcdir)/'`tests/test_agent.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/test_agent.Tpo $(DEPDIR)/test_agent.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='tests/test_agent.c' object='test_agent.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o test_agent.lo `test -f 'tests/test_agent.c' || echo '$(srcdir)/'`tests/test_agent.c
-
-test_id.lo: tests/test_id.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT test_id.lo -MD -MP -MF $(DEPDIR)/test_id.Tpo -c -o test_id.lo `test -f 'tests/test_id.c' || echo '$(srcdir)/'`tests/test_id.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/test_id.Tpo $(DEPDIR)/test_id.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='tests/test_id.c' object='test_id.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o test_id.lo `test -f 'tests/test_id.c' || echo '$(srcdir)/'`tests/test_id.c
-
-test_hashtable.lo: tests/test_hashtable.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT test_hashtable.lo -MD -MP -MF $(DEPDIR)/test_hashtable.Tpo -c -o test_hashtable.lo `test -f 'tests/test_hashtable.c' || echo '$(srcdir)/'`tests/test_hashtable.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/test_hashtable.Tpo $(DEPDIR)/test_hashtable.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='tests/test_hashtable.c' object='test_hashtable.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT test_agent.lo -MD -MP -MF $(DEPDIR)/test_agent.Tpo -c -o test_agent.lo `test -f 'tests/test_agent.c' || echo '$(srcdir)/'`tests/test_agent.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/test_agent.Tpo $(DEPDIR)/test_agent.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='tests/test_agent.c' object='test_agent.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o test_hashtable.lo `test -f 'tests/test_hashtable.c' || echo '$(srcdir)/'`tests/test_hashtable.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o test_agent.lo `test -f 'tests/test_agent.c' || echo '$(srcdir)/'`tests/test_agent.c
 
 mostlyclean-libtool:
 	-rm -f *.lo
diff --git a/src/libcharon/plugins/unit_tester/tests.h b/src/libcharon/plugins/unit_tester/tests.h
index cd38c8a99..169292e9b 100644
--- a/src/libcharon/plugins/unit_tester/tests.h
+++ b/src/libcharon/plugins/unit_tester/tests.h
@@ -18,27 +18,13 @@
  * @{ @ingroup unit_tester
  */
 
-DEFINE_TEST("linked_list_t->remove()", test_list_remove, FALSE)
-DEFINE_TEST("hashtable_t->remove_at()", test_hashtable_remove_at, FALSE)
-DEFINE_TEST("simple enumerator", test_enumerate, FALSE)
-DEFINE_TEST("nested enumerator", test_enumerate_nested, FALSE)
-DEFINE_TEST("filtered enumerator", test_enumerate_filtered, FALSE)
-DEFINE_TEST("token enumerator", test_enumerate_token, FALSE)
 DEFINE_TEST("auth cfg", test_auth_cfg, FALSE)
 DEFINE_TEST("CURL get", test_curl_get, FALSE)
 DEFINE_TEST("MySQL operations", test_mysql, FALSE)
 DEFINE_TEST("SQLite operations", test_sqlite, FALSE)
-DEFINE_TEST("mutex primitive", test_mutex, FALSE)
-DEFINE_TEST("RSA key generation", test_rsa_gen, FALSE)
-DEFINE_TEST("RSA subjectPublicKeyInfo loading", test_rsa_load_any, FALSE)
 DEFINE_TEST("X509 certificate", test_cert_x509, FALSE)
 DEFINE_TEST("Mediation database key fetch", test_med_db, FALSE)
-DEFINE_TEST("Base64 converter", test_chunk_base64, FALSE)
 DEFINE_TEST("IP pool", test_pool, FALSE)
 DEFINE_TEST("SSH agent", test_agent, FALSE)
-DEFINE_TEST("ID parts", test_id_parts, FALSE)
-DEFINE_TEST("ID wildcards", test_id_wildcards, FALSE)
-DEFINE_TEST("ID equals", test_id_equals, FALSE)
-DEFINE_TEST("ID matches", test_id_matches, FALSE)
 
 /** @}*/
diff --git a/src/libcharon/plugins/unit_tester/tests/test_chunk.c b/src/libcharon/plugins/unit_tester/tests/test_chunk.c
deleted file mode 100644
index 2e0905b2c..000000000
--- a/src/libcharon/plugins/unit_tester/tests/test_chunk.c
+++ /dev/null
@@ -1,82 +0,0 @@
-/*
- * Copyright (C) 2008 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include <library.h>
-#include <daemon.h>
-
-/*******************************************************************************
- * Base64 encoding/decoding test
- ******************************************************************************/
-bool test_chunk_base64()
-{
-	/* test vectors from RFC4648:
-	 *
-	 * BASE64("") = ""
-	 * BASE64("f") = "Zg=="
-	 * BASE64("fo") = "Zm8="
-	 * BASE64("foo") = "Zm9v"
-	 * BASE64("foob") = "Zm9vYg=="
-	 * BASE64("fooba") = "Zm9vYmE="
-	 * BASE64("foobar") = "Zm9vYmFy"
-	 */
-
-	typedef struct {
-		char *in;
-		char *out;
-	} testdata_t;
-
-	testdata_t test[] = {
-		{"", ""},
-		{"f", "Zg=="},
-		{"fo", "Zm8="},
-		{"foo", "Zm9v"},
-		{"foob", "Zm9vYg=="},
-		{"fooba", "Zm9vYmE="},
-		{"foobar", "Zm9vYmFy"},
-	};
-	int i;
-
-	for (i = 0; i < countof(test); i++)
-	{
-		chunk_t out;
-
-		out = chunk_to_base64(chunk_create(test[i].in, strlen(test[i].in)), NULL);
-
-		if (!streq(out.ptr, test[i].out))
-		{
-			DBG1(DBG_CFG, "base64 conversion error - should %s, is %s",
-				test[i].out, out.ptr);
-			return FALSE;
-		}
-		free(out.ptr);
-	}
-
-	for (i = 0; i < countof(test); i++)
-	{
-		chunk_t out;
-
-		out = chunk_from_base64(chunk_create(test[i].out, strlen(test[i].out)), NULL);
-
-		if (!strneq(out.ptr, test[i].in, out.len))
-		{
-			DBG1(DBG_CFG, "base64 conversion error - should %s, is %#B",
-				test[i].in, &out);
-			return FALSE;
-		}
-		free(out.ptr);
-	}
-	return TRUE;
-}
-
diff --git a/src/libcharon/plugins/unit_tester/tests/test_enumerator.c b/src/libcharon/plugins/unit_tester/tests/test_enumerator.c
deleted file mode 100644
index 83b78c092..000000000
--- a/src/libcharon/plugins/unit_tester/tests/test_enumerator.c
+++ /dev/null
@@ -1,306 +0,0 @@
-/*
- * Copyright (C) 2007 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include <collections/linked_list.h>
-
-
-/*******************************************************************************
- * linked list remove test
- ******************************************************************************/
-bool test_list_remove()
-{
-	void *a = (void*)1, *b = (void*)2;
-	linked_list_t *list;
-
-	list = linked_list_create();
-	list->insert_last(list, a);
-	if (list->remove(list, a, NULL) != 1)
-	{
-		return FALSE;
-	}
-	list->insert_last(list, a);
-	list->insert_first(list, a);
-	list->insert_last(list, a);
-	list->insert_last(list, b);
-	if (list->remove(list, a, NULL) != 3)
-	{
-		return FALSE;
-	}
-	if (list->remove(list, a, NULL) != 0)
-	{
-		return FALSE;
-	}
-	if (list->get_count(list) != 1)
-	{
-		return FALSE;
-	}
-	if (list->remove(list, b, NULL) != 1)
-	{
-		return FALSE;
-	}
-	if (list->remove(list, b, NULL) != 0)
-	{
-		return FALSE;
-	}
-	list->destroy(list);
-	return TRUE;
-}
-
-/*******************************************************************************
- * Simple insert first/last and enumerate test
- ******************************************************************************/
-bool test_enumerate()
-{
-	int round, x;
-	void *a = (void*)4, *b = (void*)3, *c = (void*)2, *d = (void*)5, *e = (void*)1;
-	linked_list_t *list;
-	enumerator_t *enumerator;
-
-	list = linked_list_create();
-
-	list->insert_last(list, a);
-	list->insert_first(list, b);
-	list->insert_first(list, c);
-	list->insert_last(list, d);
-	list->insert_first(list, e);
-
-	round = 1;
-	enumerator = list->create_enumerator(list);
-	while (enumerator->enumerate(enumerator, &x))
-	{
-		if (round != x)
-		{
-			return FALSE;
-		}
-		round++;
-	}
-	enumerator->destroy(enumerator);
-
-	list->destroy(list);
-	return TRUE;
-}
-
-/*******************************************************************************
- * nested enumerator test
- ******************************************************************************/
-
-static bool bad_data;
-
-static enumerator_t* create_inner(linked_list_t *outer, void *data)
-{
-	if (data != (void*)101)
-	{
-		bad_data = TRUE;
-	}
-	return outer->create_enumerator(outer);
-}
-
-
-static void destroy_data(void *data)
-{
-	if (data != (void*)101)
-	{
-		bad_data = TRUE;
-	}
-}
-
-bool test_enumerate_nested()
-{
-	int round, x;
-	void *a = (void*)1, *b = (void*)2, *c = (void*)3, *d = (void*)4, *e = (void*)5;
-	linked_list_t *list, *l1, *l2, *l3;
-	enumerator_t *enumerator;
-
-	bad_data = FALSE;
-	list = linked_list_create();
-	l1 = linked_list_create();
-	l2 = linked_list_create();
-	l3 = linked_list_create();
-	list->insert_last(list, l1);
-	list->insert_last(list, l2);
-	list->insert_last(list, l3);
-
-	l1->insert_last(l1, a);
-	l1->insert_last(l1, b);
-	l3->insert_last(l3, c);
-	l3->insert_last(l3, d);
-	l3->insert_last(l3, e);
-
-	round = 1;
-	enumerator = enumerator_create_nested(list->create_enumerator(list),
-					(void*)create_inner, (void*)101, destroy_data);
-	while (enumerator->enumerate(enumerator, &x))
-	{
-		if (round != x)
-		{
-			return FALSE;
-		}
-		round++;
-	}
-	enumerator->destroy(enumerator);
-
-	list->destroy(list);
-	l1->destroy(l1);
-	l2->destroy(l2);
-	l3->destroy(l3);
-	return !bad_data;
-}
-
-
-/*******************************************************************************
- * filtered enumerator test
- ******************************************************************************/
-static bool filter(void *data, int *v, int *vo, int *w, int *wo,
-				   int *x, int *xo, int *y, int *yo, int *z, int *zo)
-{
-	int val = *v;
-
-	*vo = val++;
-	*wo = val++;
-	*xo = val++;
-	*yo = val++;
-	*zo = val++;
-	if (data != (void*)101)
-	{
-		return FALSE;
-	}
-	return TRUE;
-}
-
-bool test_enumerate_filtered()
-{
-	int round, v, w, x, y, z;
-	void *a = (void*)1, *b = (void*)2, *c = (void*)3, *d = (void*)4, *e = (void*)5;
-	linked_list_t *list;
-	enumerator_t *enumerator;
-
-	bad_data = FALSE;
-	list = linked_list_create();
-
-	list->insert_last(list, a);
-	list->insert_last(list, b);
-	list->insert_last(list, c);
-	list->insert_last(list, d);
-	list->insert_last(list, e);
-
-	round = 1;
-	enumerator = enumerator_create_filter(list->create_enumerator(list),
-									(void*)filter, (void*)101, destroy_data);
-	while (enumerator->enumerate(enumerator, &v, &w, &x, &y, &z))
-	{
-		if (v != round || w != round + 1 || x != round + 2 ||
-			y != round + 3 || z != round + 4)
-		{
-			return FALSE;
-		}
-		round++;
-	}
-	enumerator->destroy(enumerator);
-
-	list->destroy(list);
-	return !bad_data;
-}
-
-/*******************************************************************************
- * token parser test
- ******************************************************************************/
-
-bool test_enumerate_token()
-{
-	enumerator_t *enumerator;
-	char *token;
-	int i, num;
-	struct {
-		char *string;
-		char *sep;
-		char *trim;
-	} tests1[] = {
-		{"abc, cde, efg", ",", " "},
-		{" abc 1:2 cde;3  4efg5.  ", ":;.,", " 12345"},
-		{"abc.cde,efg", ",.", ""},
-		{"  abc   cde  efg  ", " ", " "},
-		{"a'abc' c 'cde' cefg", " ", " abcd"},
-		{"'abc' abc 'cde'd 'efg'", " ", " abcd"},
-	}, tests2[] = {
-		{"a, b, c", ",", " "},
-		{"a,b,c", ",", " "},
-		{" a 1:2 b;3  4c5.  ", ":;.,", " 12345"},
-		{"a.b,c", ",.", ""},
-		{"  a   b  c  ", " ", " "},
-	};
-
-	for (num = 0; num < countof(tests1); num++)
-	{
-		i = 0;
-		enumerator = enumerator_create_token(tests1[num].string,
-											 tests1[num].sep, tests1[num].trim);
-		while (enumerator->enumerate(enumerator, &token))
-		{
-			switch (i)
-			{
-				case 0:
-					if (!streq(token, "abc")) return FALSE;
-					break;
-				case 1:
-					if (!streq(token, "cde")) return FALSE;
-					break;
-				case 2:
-					if (!streq(token, "efg")) return FALSE;
-					break;
-				default:
-					return FALSE;
-			}
-			i++;
-		}
-		if (i != 3)
-		{
-			return FALSE;
-		}
-		enumerator->destroy(enumerator);
-	}
-
-	for (num = 0; num < countof(tests2); num++)
-	{
-		i = 0;
-		enumerator = enumerator_create_token(tests2[num].string,
-											 tests2[num].sep, tests2[num].trim);
-		while (enumerator->enumerate(enumerator, &token))
-		{
-			switch (i)
-			{
-				case 0:
-					if (!streq(token, "a")) return FALSE;
-					break;
-				case 1:
-					if (!streq(token, "b")) return FALSE;
-					break;
-				case 2:
-					if (!streq(token, "c")) return FALSE;
-					break;
-				default:
-					return FALSE;
-			}
-			i++;
-		}
-		if (i != 3)
-		{
-			return FALSE;
-		}
-		enumerator->destroy(enumerator);
-	}
-
-	return TRUE;
-}
-
diff --git a/src/libcharon/plugins/unit_tester/tests/test_hashtable.c b/src/libcharon/plugins/unit_tester/tests/test_hashtable.c
deleted file mode 100644
index 5513f6707..000000000
--- a/src/libcharon/plugins/unit_tester/tests/test_hashtable.c
+++ /dev/null
@@ -1,111 +0,0 @@
-/*
- * Copyright (C) 2010 Tobias Brunner
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include <library.h>
-#include <collections/hashtable.h>
-
-static u_int hash(char *key)
-{
-	return chunk_hash(chunk_create(key, strlen(key)));
-}
-
-static u_int equals(char *key1, char *key2)
-{
-	return streq(key1, key2);
-}
-
-/**
- * Test the remove_at method
- */
-bool test_hashtable_remove_at()
-{
-	char *k1 = "key1", *k2 = "key2", *k3 = "key3", *key;
-	char *v1 = "val1", *v2 = "val2", *v3 = "val3", *value;
-	enumerator_t *enumerator;
-	hashtable_t *ht = hashtable_create((hashtable_hash_t)hash,
-									   (hashtable_equals_t)equals, 0);
-
-	ht->put(ht, k1, v1);
-	ht->put(ht, k2, v2);
-	ht->put(ht, k3, v3);
-
-	if (ht->get_count(ht) != 3)
-	{
-		return FALSE;
-	}
-
-	enumerator = ht->create_enumerator(ht);
-	while (enumerator->enumerate(enumerator, &key, &value))
-	{
-		if (streq(key, k2))
-		{
-			ht->remove_at(ht, enumerator);
-		}
-	}
-	enumerator->destroy(enumerator);
-
-	if (ht->get_count(ht) != 2)
-	{
-		return FALSE;
-	}
-
-	if (ht->get(ht, k1) == NULL ||
-		ht->get(ht, k3) == NULL)
-	{
-		return FALSE;
-	}
-
-	if (ht->get(ht, k2) != NULL)
-	{
-		return FALSE;
-	}
-
-	ht->put(ht, k2, v2);
-
-	if (ht->get_count(ht) != 3)
-	{
-		return FALSE;
-	}
-
-	if (ht->get(ht, k1) == NULL ||
-		ht->get(ht, k2) == NULL ||
-		ht->get(ht, k3) == NULL)
-	{
-		return FALSE;
-	}
-
-	enumerator = ht->create_enumerator(ht);
-	while (enumerator->enumerate(enumerator, &key, &value))
-	{
-		ht->remove_at(ht, enumerator);
-	}
-	enumerator->destroy(enumerator);
-
-	if (ht->get_count(ht) != 0)
-	{
-		return FALSE;
-	}
-
-	if (ht->get(ht, k1) != NULL ||
-		ht->get(ht, k2) != NULL ||
-		ht->get(ht, k3) != NULL)
-	{
-		return FALSE;
-	}
-
-	ht->destroy(ht);
-
-	return TRUE;
-}
diff --git a/src/libcharon/plugins/unit_tester/tests/test_id.c b/src/libcharon/plugins/unit_tester/tests/test_id.c
deleted file mode 100644
index 868a2ca8b..000000000
--- a/src/libcharon/plugins/unit_tester/tests/test_id.c
+++ /dev/null
@@ -1,249 +0,0 @@
-/*
- * Copyright (C) 2009 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include <daemon.h>
-
-/*******************************************************************************
- * identification part enumeration test
- ******************************************************************************/
-bool test_id_parts()
-{
-	identification_t *id;
-	enumerator_t *enumerator;
-	id_part_t part;
-	chunk_t data;
-	int i = 0;
-
-	id = identification_create_from_string("C=CH, O=strongSwan, CN=tester");
-
-	enumerator = id->create_part_enumerator(id);
-	while (enumerator->enumerate(enumerator, &part, &data))
-	{
-		switch (i++)
-		{
-			case 0:
-				if (part != ID_PART_RDN_C ||
-					!chunk_equals(data, chunk_create("CH", 2)))
-				{
-					return FALSE;
-				}
-				break;
-			case 1:
-				if (part != ID_PART_RDN_O ||
-					!chunk_equals(data, chunk_create("strongSwan", 10)))
-				{
-					return FALSE;
-				}
-				break;
-			case 2:
-				if (part != ID_PART_RDN_CN ||
-					!chunk_equals(data, chunk_create("tester", 6)))
-				{
-					return FALSE;
-				}
-				break;
-			default:
-				return FALSE;
-		}
-	}
-	if (i < 3)
-	{
-		return FALSE;
-	}
-	enumerator->destroy(enumerator);
-	id->destroy(id);
-	return TRUE;
-}
-
-/*******************************************************************************
- * identification contains_wildcards() test
- ******************************************************************************/
-
-static bool test_id_wildcards_has(char *string)
-{
-	identification_t *id;
-	bool contains;
-
-	id = identification_create_from_string(string);
-	contains = id->contains_wildcards(id);
-	id->destroy(id);
-	return contains;
-}
-
-bool test_id_wildcards()
-{
-	if (!test_id_wildcards_has("C=*, O=strongSwan, CN=gw"))
-	{
-		return FALSE;
-	}
-	if (!test_id_wildcards_has("C=CH, O=strongSwan, CN=*"))
-	{
-		return FALSE;
-	}
-	if (test_id_wildcards_has("C=**, O=a*, CN=*a"))
-	{
-		return FALSE;
-	}
-	if (!test_id_wildcards_has("*@strongswan.org"))
-	{
-		return FALSE;
-	}
-	if (!test_id_wildcards_has("*.strongswan.org"))
-	{
-		return FALSE;
-	}
-	return TRUE;
-}
-
-/*******************************************************************************
- * identification equals test
- ******************************************************************************/
-
-static bool test_id_equals_one(identification_t *a, char *b_str)
-{
-	identification_t *b;
-	bool equals;
-
-	b = identification_create_from_string(b_str);
-	equals = a->equals(a, b);
-	b->destroy(b);
-	return equals;
-}
-
-bool test_id_equals()
-{
-	identification_t *a;
-	chunk_t encoding, fuzzed;
-	int i;
-
-	a = identification_create_from_string(
-							   "C=CH, E=martin@strongswan.org, CN=martin");
-
-	if (!test_id_equals_one(a, "C=CH, E=martin@strongswan.org, CN=martin"))
-	{
-		return FALSE;
-	}
-	if (!test_id_equals_one(a, "C=ch, E=martin@STRONGSWAN.ORG, CN=Martin"))
-	{
-		return FALSE;
-	}
-	if (test_id_equals_one(a, "C=CN, E=martin@strongswan.org, CN=martin"))
-	{
-		return FALSE;
-	}
-	if (test_id_equals_one(a, "E=martin@strongswan.org, C=CH, CN=martin"))
-	{
-		return FALSE;
-	}
-	if (test_id_equals_one(a, "E=martin@strongswan.org, C=CH, CN=martin"))
-	{
-		return FALSE;
-	}
-	encoding = chunk_clone(a->get_encoding(a));
-	a->destroy(a);
-
-	/* simple fuzzing, increment each byte of encoding */
-	for (i = 0; i < encoding.len; i++)
-	{
-		if (i == 11 || i == 30 || i == 62)
-		{	/* skip ASN.1 type fields, as equals() handles them graceful */
-			continue;
-		}
-		fuzzed = chunk_clone(encoding);
-		fuzzed.ptr[i]++;
-		a = identification_create_from_encoding(ID_DER_ASN1_DN, fuzzed);
-		if (test_id_equals_one(a, "C=CH, E=martin@strongswan.org, CN=martin"))
-		{
-			return FALSE;
-		}
-		a->destroy(a);
-		free(fuzzed.ptr);
-	}
-
-	/* and decrement each byte of encoding */
-	for (i = 0; i < encoding.len; i++)
-	{
-		if (i == 11 || i == 30 || i == 62)
-		{
-			continue;
-		}
-		fuzzed = chunk_clone(encoding);
-		fuzzed.ptr[i]--;
-		a = identification_create_from_encoding(ID_DER_ASN1_DN, fuzzed);
-		if (test_id_equals_one(a, "C=CH, E=martin@strongswan.org, CN=martin"))
-		{
-			return FALSE;
-		}
-		a->destroy(a);
-		free(fuzzed.ptr);
-	}
-	free(encoding.ptr);
-	return TRUE;
-}
-
-/*******************************************************************************
- * identification matches test
- ******************************************************************************/
-
-static id_match_t test_id_matches_one(identification_t *a, char *b_str)
-{
-	identification_t *b;
-	id_match_t match;
-
-	b = identification_create_from_string(b_str);
-	match = a->matches(a, b);
-	b->destroy(b);
-	return match;
-}
-
-bool test_id_matches()
-{
-	identification_t *a;
-
-	a = identification_create_from_string(
-							   "C=CH, E=martin@strongswan.org, CN=martin");
-
-	if (test_id_matches_one(a, "C=CH, E=martin@strongswan.org, CN=martin")
-															!= ID_MATCH_PERFECT)
-	{
-		return FALSE;
-	}
-	if (test_id_matches_one(a, "C=CH, E=*, CN=martin") != ID_MATCH_ONE_WILDCARD)
-	{
-		return FALSE;
-	}
-	if (test_id_matches_one(a, "C=CH, E=*, CN=*") != ID_MATCH_ONE_WILDCARD - 1)
-	{
-		return FALSE;
-	}
-	if (test_id_matches_one(a, "C=*, E=*, CN=*") != ID_MATCH_ONE_WILDCARD - 2)
-	{
-		return FALSE;
-	}
-	if (test_id_matches_one(a, "C=*, E=*, CN=*, O=BADInc") != ID_MATCH_NONE)
-	{
-		return FALSE;
-	}
-	if (test_id_matches_one(a, "C=*, E=*") != ID_MATCH_NONE)
-	{
-		return FALSE;
-	}
-	if (test_id_matches_one(a, "C=*, E=a@b.c, CN=*") != ID_MATCH_NONE)
-	{
-		return FALSE;
-	}
-	a->destroy(a);
-	return TRUE;
-}
diff --git a/src/libcharon/plugins/unit_tester/tests/test_mutex.c b/src/libcharon/plugins/unit_tester/tests/test_mutex.c
deleted file mode 100644
index 77085cb2f..000000000
--- a/src/libcharon/plugins/unit_tester/tests/test_mutex.c
+++ /dev/null
@@ -1,100 +0,0 @@
-/*
- * Copyright (C) 2008 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include <library.h>
-#include <threading/mutex.h>
-
-#include <unistd.h>
-#include <sched.h>
-#include <pthread.h>
-
-
-static mutex_t *mutex;
-
-static int locked = 0;
-
-static bool failed = FALSE;
-
-static pthread_barrier_t barrier;
-
-static void* run(void* null)
-{
-	int i;
-
-	/* wait for all threads before getting in action */
-	pthread_barrier_wait(&barrier);
-
-	for (i = 0; i < 100; i++)
-	{
-		mutex->lock(mutex);
-		mutex->lock(mutex);
-		mutex->lock(mutex);
-		locked++;
-		sched_yield();
-		if (locked > 1)
-		{
-			failed = TRUE;
-		}
-		locked--;
-		mutex->unlock(mutex);
-		mutex->unlock(mutex);
-		mutex->unlock(mutex);
-	}
-	return NULL;
-}
-
-#define THREADS 20
-
-/*******************************************************************************
- * mutex test
- ******************************************************************************/
-bool test_mutex()
-{
-	int i;
-	pthread_t threads[THREADS];
-
-	mutex = mutex_create(MUTEX_TYPE_RECURSIVE);
-
-	for (i = 0; i < 10; i++)
-	{
-		mutex->lock(mutex);
-		mutex->unlock(mutex);
-	}
-	for (i = 0; i < 10; i++)
-	{
-		mutex->lock(mutex);
-	}
-	for (i = 0; i < 10; i++)
-	{
-		mutex->unlock(mutex);
-	}
-
-	pthread_barrier_init(&barrier, NULL, THREADS);
-
-	for (i = 0; i < THREADS; i++)
-	{
-		pthread_create(&threads[i], NULL, run, NULL);
-	}
-	for (i = 0; i < THREADS; i++)
-	{
-		pthread_join(threads[i], NULL);
-	}
-	pthread_barrier_destroy(&barrier);
-
-	mutex->destroy(mutex);
-
-	return !failed;
-}
-
diff --git a/src/libcharon/plugins/unit_tester/tests/test_rsa_gen.c b/src/libcharon/plugins/unit_tester/tests/test_rsa_gen.c
deleted file mode 100644
index 6ba5769b5..000000000
--- a/src/libcharon/plugins/unit_tester/tests/test_rsa_gen.c
+++ /dev/null
@@ -1,120 +0,0 @@
-/*
- * Copyright (C) 2008 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include <library.h>
-#include <daemon.h>
-
-/*******************************************************************************
- * RSA key generation and signature
- ******************************************************************************/
-bool test_rsa_gen()
-{
-	chunk_t data = chunk_from_chars(0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08);
-	chunk_t sig, crypt, plain;
-	private_key_t *private;
-	public_key_t *public;
-	u_int key_size;
-
-	for (key_size = 512; key_size <= 2048; key_size *= 2)
-	{
-		private = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_RSA,
-									 BUILD_KEY_SIZE, key_size, BUILD_END);
-		if (!private)
-		{
-			DBG1(DBG_CFG, "generating %d bit RSA key failed");
-			return FALSE;
-		}
-		public = private->get_public_key(private);
-		if (!public)
-		{
-			DBG1(DBG_CFG, "generating public from private key failed");
-			return FALSE;
-		}
-		if (!private->sign(private, SIGN_RSA_EMSA_PKCS1_SHA1, data, &sig))
-		{
-			DBG1(DBG_CFG, "creating RSA signature failed");
-			return FALSE;
-		}
-		if (!public->verify(public, SIGN_RSA_EMSA_PKCS1_SHA1, data, sig))
-		{
-			DBG1(DBG_CFG, "verifying RSA signature failed");
-			return FALSE;
-		}
-		sig.ptr[sig.len-1]++;
-		if (public->verify(public, SIGN_RSA_EMSA_PKCS1_SHA1, data, sig))
-		{
-			DBG1(DBG_CFG, "verifying faked RSA signature succeeded!");
-			return FALSE;
-		}
-		free(sig.ptr);
-		if (!public->encrypt(public, ENCRYPT_RSA_PKCS1, data, &crypt))
-		{
-			DBG1(DBG_CFG, "encrypting data with RSA failed");
-			return FALSE;
-		}
-		if (!private->decrypt(private, ENCRYPT_RSA_PKCS1, crypt, &plain))
-		{
-			DBG1(DBG_CFG, "decrypting data with RSA failed");
-			return FALSE;
-		}
-		if (!chunk_equals(data, plain))
-		{
-			DBG1(DBG_CFG, "decrpyted data invalid, expected %B, got %B", &
-				 data, &plain);
-			return FALSE;
-		}
-		chunk_clear(&crypt);
-		chunk_clear(&plain);
-		public->destroy(public);
-		private->destroy(private);
-	}
-	return TRUE;
-}
-
-bool test_rsa_load_any()
-{
-	chunk_t chunk = chunk_from_chars(
-		0x30,0x82,0x01,0x20,0x30,0x0d,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,
-		0x01,0x05,0x00,0x03,0x82,0x01,0x0d,0x00,0x30,0x82,0x01,0x08,0x02,0x82,0x01,0x01,
-		0x00,0xc6,0x68,0x99,0x1d,0xc8,0x06,0xdb,0xcf,0x1c,0x66,0xbb,0x91,0xc3,0xd4,0x10,
-		0xb2,0x08,0xa9,0xc5,0x71,0x39,0x1c,0xbe,0x5b,0x1d,0xce,0xfd,0x1b,0xfa,0xec,0x04,
-		0x89,0x9f,0x79,0xc8,0x46,0x00,0xd2,0x71,0xfb,0x22,0x16,0x52,0x2f,0xda,0xbf,0x0f,
-		0xe7,0x16,0xb1,0xd7,0x6a,0xa5,0xa5,0xfc,0xee,0xff,0x84,0x4c,0x81,0x3f,0xab,0x84,
-		0x0e,0xed,0x4a,0x26,0x59,0xd0,0x9b,0xb5,0xe1,0xec,0x61,0xc4,0xd3,0x15,0x4c,0x29,
-		0x51,0xa0,0xde,0x33,0x07,0x58,0x6c,0x36,0x1b,0x18,0x61,0xd9,0x56,0x18,0x39,0x54,
-		0x8b,0xd2,0xea,0x4e,0x87,0x28,0x58,0xb9,0x88,0x3d,0x30,0xbc,0xfc,0x6d,0xad,0xab,
-		0x43,0x26,0x09,0x48,0x4e,0x6e,0x8a,0x8b,0x88,0xb3,0xf0,0x29,0x25,0x79,0xb6,0xb6,
-		0x71,0x3c,0x93,0x59,0xd2,0x36,0x94,0xd5,0xfc,0xf3,0x62,0x2b,0x69,0xa3,0x7a,0x47,
-		0x4e,0x53,0xa2,0x35,0x1b,0x26,0x89,0xaa,0x09,0xfd,0x56,0xd7,0x75,0x2a,0xd4,0x91,
-		0xc0,0xf2,0x78,0xd7,0x05,0xca,0x12,0x1d,0xd9,0xd4,0x81,0x23,0xb2,0x3c,0x38,0xd9,
-		0xb4,0xdc,0x21,0xe0,0xe5,0x2d,0xd4,0xbe,0x61,0x39,0x8a,0x46,0x90,0x46,0x73,0x31,
-		0xba,0x48,0xbb,0x51,0xbb,0x91,0xd5,0x62,0xad,0xd1,0x53,0x5b,0x85,0xc9,0x1d,0xa7,
-		0xf6,0xa0,0xe1,0x0e,0x6c,0x22,0x5d,0x29,0x9a,0xe7,0x0f,0xe8,0x0a,0x50,0xa7,0x19,
-		0x11,0xc2,0x8b,0xe0,0x8a,0xfd,0x2b,0x94,0x31,0x7a,0x78,0x9c,0x9b,0x75,0x63,0x49,
-		0xa9,0xe5,0x58,0xe6,0x3a,0x99,0xcb,0x2b,0xdd,0x0e,0xdc,0x7d,0x1b,0x98,0x80,0xc3,
-		0x9f,0x02,0x01,0x23);
-	public_key_t *public;
-
-	public = lib->creds->create(lib->creds, CRED_PUBLIC_KEY, KEY_ANY,
-								BUILD_BLOB_ASN1_DER, chunk,
-								BUILD_END);
-	if (!public || public->get_keysize(public) != 2048)
-	{
-		return FALSE;
-	}
-	public->destroy(public);
-	return TRUE;
-}
-
diff --git a/src/libcharon/plugins/unit_tester/unit_tester.c b/src/libcharon/plugins/unit_tester/unit_tester.c
index ad7dba7a5..ea7ffca04 100644
--- a/src/libcharon/plugins/unit_tester/unit_tester.c
+++ b/src/libcharon/plugins/unit_tester/unit_tester.c
@@ -1,4 +1,5 @@
 /*
+ * Copyright (C) 2013 Tobias Brunner
  * Copyright (C) 2007 Martin Willi
  * Hochschule fuer Technik Rapperswil
  *
@@ -98,6 +99,32 @@ METHOD(plugin_t, get_name, char*,
 	return "unit-tester";
 }
 
+/**
+ * We currently don't depend explicitly on any plugin features.  But in case
+ * activated tests depend on such features we at least try to run them in plugin
+ * order.
+ */
+static bool plugin_cb(private_unit_tester_t *this,
+					  plugin_feature_t *feature, bool reg, void *cb_data)
+{
+	if (reg)
+	{
+		run_tests(this);
+	}
+	return TRUE;
+}
+
+METHOD(plugin_t, get_features, int,
+	private_unit_tester_t *this, plugin_feature_t *features[])
+{
+	static plugin_feature_t f[] = {
+		PLUGIN_CALLBACK((plugin_feature_callback_t)plugin_cb, NULL),
+			PLUGIN_PROVIDE(CUSTOM, "unit-tester"),
+	};
+	*features = f;
+	return countof(f);
+}
+
 METHOD(plugin_t, destroy, void,
 	private_unit_tester_t *this)
 {
@@ -115,14 +142,11 @@ plugin_t *unit_tester_plugin_create()
 		.public = {
 			.plugin = {
 				.get_name = _get_name,
-				.reload = (void*)return_false,
+				.get_features = _get_features,
 				.destroy = _destroy,
 			},
 		},
 	);
 
-	run_tests(this);
-
 	return &this->public.plugin;
 }
-
diff --git a/src/libcharon/plugins/unity/Makefile.am b/src/libcharon/plugins/unity/Makefile.am
index b23143fd6..b50dc9a03 100644
--- a/src/libcharon/plugins/unity/Makefile.am
+++ b/src/libcharon/plugins/unity/Makefile.am
@@ -1,8 +1,10 @@
-
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon
 
-AM_CFLAGS = -rdynamic
+AM_CFLAGS = \
+	-rdynamic
 
 if MONOLITHIC
 noinst_LTLIBRARIES = libstrongswan-unity.la
diff --git a/src/libcharon/plugins/unity/Makefile.in b/src/libcharon/plugins/unity/Makefile.in
index 85c5fc97e..09ea080bf 100644
--- a/src/libcharon/plugins/unity/Makefile.in
+++ b/src/libcharon/plugins/unity/Makefile.in
@@ -62,7 +62,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
@@ -102,9 +102,13 @@ libstrongswan_unity_la_LIBADD =
 am_libstrongswan_unity_la_OBJECTS = unity_plugin.lo unity_handler.lo \
 	unity_narrow.lo unity_provider.lo
 libstrongswan_unity_la_OBJECTS = $(am_libstrongswan_unity_la_OBJECTS)
-libstrongswan_unity_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
-	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
-	$(libstrongswan_unity_la_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+libstrongswan_unity_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
+	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
+	$(AM_CFLAGS) $(CFLAGS) $(libstrongswan_unity_la_LDFLAGS) \
+	$(LDFLAGS) -o $@
 @MONOLITHIC_FALSE@am_libstrongswan_unity_la_rpath = -rpath \
 @MONOLITHIC_FALSE@	$(plugindir)
 @MONOLITHIC_TRUE@am_libstrongswan_unity_la_rpath =
@@ -114,13 +118,26 @@ am__depfiles_maybe = depfiles
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
 SOURCES = $(libstrongswan_unity_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_unity_la_SOURCES)
 am__can_run_installinfo = \
@@ -134,6 +151,7 @@ DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
@@ -146,6 +164,8 @@ CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
 CHECK_CFLAGS = @CHECK_CFLAGS@
 CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -161,6 +181,7 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
 GPRBUILD = @GPRBUILD@
 GREP = @GREP@
@@ -169,6 +190,7 @@ INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -215,6 +237,7 @@ SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -243,6 +266,7 @@ charon_natt_port = @charon_natt_port@
 charon_plugins = @charon_plugins@
 charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
@@ -320,10 +344,14 @@ top_srcdir = @top_srcdir@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon
 
-AM_CFLAGS = -rdynamic
+AM_CFLAGS = \
+	-rdynamic
+
 @MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-unity.la
 @MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-unity.la
 libstrongswan_unity_la_SOURCES = \
@@ -409,7 +437,7 @@ clean-pluginLTLIBRARIES:
 	  rm -f "$${dir}/so_locations"; \
 	done
 libstrongswan-unity.la: $(libstrongswan_unity_la_OBJECTS) $(libstrongswan_unity_la_DEPENDENCIES) $(EXTRA_libstrongswan_unity_la_DEPENDENCIES) 
-	$(libstrongswan_unity_la_LINK) $(am_libstrongswan_unity_la_rpath) $(libstrongswan_unity_la_OBJECTS) $(libstrongswan_unity_la_LIBADD) $(LIBS)
+	$(AM_V_CCLD)$(libstrongswan_unity_la_LINK) $(am_libstrongswan_unity_la_rpath) $(libstrongswan_unity_la_OBJECTS) $(libstrongswan_unity_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -423,25 +451,25 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/unity_provider.Plo@am__quote@
 
 .c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
 mostlyclean-libtool:
 	-rm -f *.lo
diff --git a/src/libcharon/plugins/unity/unity_handler.c b/src/libcharon/plugins/unity/unity_handler.c
index 3dec7a3b6..bcef0dc25 100644
--- a/src/libcharon/plugins/unity/unity_handler.c
+++ b/src/libcharon/plugins/unity/unity_handler.c
@@ -1,4 +1,7 @@
 /*
+ * Copyright (C) 2013 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
  * Copyright (C) 2012 Martin Willi
  * Copyright (C) 2012 revosec AG
  *
@@ -70,12 +73,8 @@ static traffic_selector_t *create_ts(chunk_t subnet)
 	chunk_t net, mask;
 	int i;
 
-	if (subnet.len != 8)
-	{
-		return NULL;
-	}
 	net = chunk_create(subnet.ptr, 4);
-	mask = chunk_clonea(chunk_skip(subnet, 4));
+	mask = chunk_clonea(chunk_create(subnet.ptr + 4, 4));
 	for (i = 0; i < net.len; i++)
 	{
 		mask.ptr[i] = (mask.ptr[i] ^ 0xFF) | net.ptr[i];
@@ -85,11 +84,37 @@ static traffic_selector_t *create_ts(chunk_t subnet)
 }
 
 /**
- * Store a subnet to include in tunnels under this IKE_SA
+ * Parse a unity attribute and extract all subnets as traffic selectors
+ */
+static linked_list_t *parse_subnets(chunk_t data)
+{
+	linked_list_t *list = NULL;
+	traffic_selector_t *ts;
+
+	while (data.len >= 8)
+	{	/* the padding is optional */
+		ts = create_ts(data);
+		if (ts)
+		{
+			if (!list)
+			{
+				list = linked_list_create();
+			}
+			list->insert_last(list, ts);
+		}
+		/* skip address, mask and 6 bytes of padding */
+		data = chunk_skip(data, 14);
+	}
+	return list;
+}
+
+/**
+ * Store a list of subnets to include in tunnels under this IKE_SA
  */
-static bool add_include(private_unity_handler_t *this, chunk_t subnet)
+static bool add_include(private_unity_handler_t *this, chunk_t data)
 {
 	traffic_selector_t *ts;
+	linked_list_t *list;
 	ike_sa_t *ike_sa;
 	entry_t *entry;
 
@@ -98,29 +123,34 @@ static bool add_include(private_unity_handler_t *this, chunk_t subnet)
 	{
 		return FALSE;
 	}
-	ts = create_ts(subnet);
-	if (!ts)
+	list = parse_subnets(data);
+	if (!list)
 	{
 		return FALSE;
 	}
-	INIT(entry,
-		.sa = ike_sa->get_unique_id(ike_sa),
-		.ts = ts,
-	);
-
-	this->mutex->lock(this->mutex);
-	this->include->insert_last(this->include, entry);
-	this->mutex->unlock(this->mutex);
+	while (list->remove_first(list, (void**)&ts) == SUCCESS)
+	{
+		INIT(entry,
+			.sa = ike_sa->get_unique_id(ike_sa),
+			.ts = ts,
+		);
+
+		this->mutex->lock(this->mutex);
+		this->include->insert_last(this->include, entry);
+		this->mutex->unlock(this->mutex);
+	}
+	list->destroy(list);
 	return TRUE;
 }
 
 /**
- * Remove a subnet from the inclusion list for this IKE_SA
+ * Remove a list of subnets from the inclusion list for this IKE_SA
  */
-static bool remove_include(private_unity_handler_t *this, chunk_t subnet)
+static bool remove_include(private_unity_handler_t *this, chunk_t data)
 {
 	enumerator_t *enumerator;
 	traffic_selector_t *ts;
+	linked_list_t *list;
 	ike_sa_t *ike_sa;
 	entry_t *entry;
 
@@ -129,27 +159,31 @@ static bool remove_include(private_unity_handler_t *this, chunk_t subnet)
 	{
 		return FALSE;
 	}
-	ts = create_ts(subnet);
-	if (!ts)
+	list = parse_subnets(data);
+	if (!list)
 	{
 		return FALSE;
 	}
 
 	this->mutex->lock(this->mutex);
-	enumerator = this->include->create_enumerator(this->include);
-	while (enumerator->enumerate(enumerator, &entry))
+	while (list->remove_first(list, (void**)&ts) == SUCCESS)
 	{
-		if (entry->sa == ike_sa->get_unique_id(ike_sa) &&
-			ts->equals(ts, entry->ts))
+		enumerator = this->include->create_enumerator(this->include);
+		while (enumerator->enumerate(enumerator, &entry))
 		{
-			this->include->remove_at(this->include, enumerator);
-			entry_destroy(entry);
-			break;
+			if (entry->sa == ike_sa->get_unique_id(ike_sa) &&
+				ts->equals(ts, entry->ts))
+			{
+				this->include->remove_at(this->include, enumerator);
+				entry_destroy(entry);
+				break;
+			}
 		}
+		enumerator->destroy(enumerator);
+		ts->destroy(ts);
 	}
-	enumerator->destroy(enumerator);
 	this->mutex->unlock(this->mutex);
-	ts->destroy(ts);
+	list->destroy(list);
 	return TRUE;
 }
 
@@ -212,9 +246,10 @@ static job_requeue_t add_exclude_async(entry_t *entry)
 /**
  * Add a bypass policy for a given subnet
  */
-static bool add_exclude(private_unity_handler_t *this, chunk_t subnet)
+static bool add_exclude(private_unity_handler_t *this, chunk_t data)
 {
 	traffic_selector_t *ts;
+	linked_list_t *list;
 	ike_sa_t *ike_sa;
 	entry_t *entry;
 
@@ -223,48 +258,60 @@ static bool add_exclude(private_unity_handler_t *this, chunk_t subnet)
 	{
 		return FALSE;
 	}
-	ts = create_ts(subnet);
-	if (!ts)
+	list = parse_subnets(data);
+	if (!list)
 	{
 		return FALSE;
 	}
-	INIT(entry,
-		.sa = ike_sa->get_unique_id(ike_sa),
-		.ts = ts,
-	);
 
-	/* we can't install the shunt policy yet, as we don't know the virtual IP.
-	 * Defer installation using an async callback. */
-	lib->processor->queue_job(lib->processor, (job_t*)
-						callback_job_create((void*)add_exclude_async, entry,
-											(void*)entry_destroy, NULL));
+	while (list->remove_first(list, (void**)&ts) == SUCCESS)
+	{
+		INIT(entry,
+			.sa = ike_sa->get_unique_id(ike_sa),
+			.ts = ts,
+		);
+
+		/* we can't install the shunt policy yet, as we don't know the virtual IP.
+		 * Defer installation using an async callback. */
+		lib->processor->queue_job(lib->processor, (job_t*)
+							callback_job_create((void*)add_exclude_async, entry,
+												(void*)entry_destroy, NULL));
+	}
+	list->destroy(list);
 	return TRUE;
 }
 
 /**
  * Remove a bypass policy for a given subnet
  */
-static bool remove_exclude(private_unity_handler_t *this, chunk_t subnet)
+static bool remove_exclude(private_unity_handler_t *this, chunk_t data)
 {
 	traffic_selector_t *ts;
+	linked_list_t *list;
 	ike_sa_t *ike_sa;
 	char name[128];
+	bool success = TRUE;
 
 	ike_sa = charon->bus->get_sa(charon->bus);
 	if (!ike_sa)
 	{
 		return FALSE;
 	}
-	ts = create_ts(subnet);
-	if (!ts)
+	list = parse_subnets(data);
+	if (!list)
 	{
 		return FALSE;
 	}
-	create_shunt_name(ike_sa, ts, name, sizeof(name));
-	DBG1(DBG_IKE, "uninstalling %N bypass policy for %R",
-		 configuration_attribute_type_names, UNITY_LOCAL_LAN, ts);
-	ts->destroy(ts);
-	return charon->shunts->uninstall(charon->shunts, name);
+	while (list->remove_first(list, (void**)&ts) == SUCCESS)
+	{
+		create_shunt_name(ike_sa, ts, name, sizeof(name));
+		DBG1(DBG_IKE, "uninstalling %N bypass policy for %R",
+			 configuration_attribute_type_names, UNITY_LOCAL_LAN, ts);
+		ts->destroy(ts);
+		success = charon->shunts->uninstall(charon->shunts, name) && success;
+	}
+	list->destroy(list);
+	return success;
 }
 
 METHOD(attribute_handler_t, handle, bool,
diff --git a/src/libcharon/plugins/unity/unity_narrow.c b/src/libcharon/plugins/unity/unity_narrow.c
index 56de0028f..edff51a08 100644
--- a/src/libcharon/plugins/unity/unity_narrow.c
+++ b/src/libcharon/plugins/unity/unity_narrow.c
@@ -35,6 +35,26 @@ struct private_unity_narrow_t {
 	unity_handler_t *handler;
 };
 
+/**
+ * Narrow the given received traffic selector with the child configuration and
+ * put them into the given list of TS
+ */
+static void narrow_ts(child_cfg_t *cfg, traffic_selector_t *ts,
+					  linked_list_t *list)
+{
+	linked_list_t *received, *selected;
+
+	received = linked_list_create();
+	received->insert_last(received, ts);
+	selected = cfg->get_traffic_selectors(cfg, FALSE, received, NULL);
+	while (selected->remove_first(selected, (void**)&ts) == SUCCESS)
+	{
+		list->insert_last(list, ts);
+	}
+	selected->destroy(selected);
+	received->destroy(received);
+}
+
 /**
  * Narrow TS as initiator to Unity Split-Include/Local-LAN
  */
@@ -42,7 +62,6 @@ static void narrow_initiator(private_unity_narrow_t *this, ike_sa_t *ike_sa,
 							 child_cfg_t *cfg, linked_list_t *remote)
 {
 	traffic_selector_t *current, *orig = NULL;
-	linked_list_t *received, *selected;
 	enumerator_t *enumerator;
 
 	enumerator = this->handler->create_include_enumerator(this->handler,
@@ -56,16 +75,7 @@ static void narrow_initiator(private_unity_narrow_t *this, ike_sa_t *ike_sa,
 				break;
 			}
 		}
-		/* narrow received Unity TS with the child configuration */
-		received = linked_list_create();
-		received->insert_last(received, current);
-		selected = cfg->get_traffic_selectors(cfg, FALSE, received, NULL);
-		while (selected->remove_first(selected, (void**)&current) == SUCCESS)
-		{
-			remote->insert_last(remote, current);
-		}
-		selected->destroy(selected);
-		received->destroy(received);
+		narrow_ts(cfg, current, remote);
 	}
 	enumerator->destroy(enumerator);
 	if (orig)
@@ -75,6 +85,15 @@ static void narrow_initiator(private_unity_narrow_t *this, ike_sa_t *ike_sa,
 			 UNITY_SPLIT_INCLUDE, remote);
 		orig->destroy(orig);
 	}
+	else
+	{	/* since we originally changed the traffic selector to 0.0.0.0/0 local
+		 * narrowing is not applied if no Split-Include attrs are received */
+		if (remote->remove_first(remote, (void**)&orig) == SUCCESS)
+		{
+			narrow_ts(cfg, orig, remote);
+			orig->destroy(orig);
+		}
+	}
 }
 
 /**
@@ -93,6 +112,8 @@ static void narrow_initiator_pre(linked_list_t *list)
 											 "255.255.255.255", 65535);
 	if (ts)
 	{
+		DBG2(DBG_CFG, "changing proposed traffic selectors for other:");
+		DBG2(DBG_CFG, " %R", ts);
 		list->insert_last(list, ts);
 	}
 }
diff --git a/src/libcharon/plugins/unity/unity_plugin.c b/src/libcharon/plugins/unity/unity_plugin.c
index 9e21bd9ed..9e4571d34 100644
--- a/src/libcharon/plugins/unity/unity_plugin.c
+++ b/src/libcharon/plugins/unity/unity_plugin.c
@@ -55,14 +55,47 @@ METHOD(plugin_t, get_name, char*,
 	return "unity";
 }
 
+/**
+ * Register listener
+ */
+static bool plugin_cb(private_unity_plugin_t *this,
+					  plugin_feature_t *feature, bool reg, void *cb_data)
+{
+	if (reg)
+	{
+		hydra->attributes->add_handler(hydra->attributes,
+									   &this->handler->handler);
+		hydra->attributes->add_provider(hydra->attributes,
+										&this->provider->provider);
+		charon->bus->add_listener(charon->bus, &this->narrower->listener);
+	}
+	else
+	{
+		charon->bus->remove_listener(charon->bus, &this->narrower->listener);
+		hydra->attributes->remove_handler(hydra->attributes,
+										  &this->handler->handler);
+		hydra->attributes->remove_provider(hydra->attributes,
+										   &this->provider->provider);
+
+	}
+	return TRUE;
+}
+
+METHOD(plugin_t, get_features, int,
+	private_unity_plugin_t *this, plugin_feature_t *features[])
+{
+	static plugin_feature_t f[] = {
+		PLUGIN_CALLBACK((plugin_feature_callback_t)plugin_cb, NULL),
+			PLUGIN_PROVIDE(CUSTOM, "unity"),
+	};
+	*features = f;
+	return countof(f);
+}
+
 METHOD(plugin_t, destroy, void,
 	private_unity_plugin_t *this)
 {
-	charon->bus->remove_listener(charon->bus, &this->narrower->listener);
 	this->narrower->destroy(this->narrower);
-	hydra->attributes->remove_handler(hydra->attributes, &this->handler->handler);
-	hydra->attributes->remove_provider(hydra->attributes,
-									   &this->provider->provider);
 	this->handler->destroy(this->handler);
 	this->provider->destroy(this->provider);
 	free(this);
@@ -79,18 +112,14 @@ plugin_t *unity_plugin_create()
 		.public = {
 			.plugin = {
 				.get_name = _get_name,
-				.reload = (void*)return_false,
+				.get_features = _get_features,
 				.destroy = _destroy,
 			},
 		},
 		.handler = unity_handler_create(),
 		.provider = unity_provider_create(),
 	);
-	hydra->attributes->add_handler(hydra->attributes, &this->handler->handler);
-	hydra->attributes->add_provider(hydra->attributes, &this->provider->provider);
-
-	this->narrower = unity_narrow_create(this->handler),
-	charon->bus->add_listener(charon->bus, &this->narrower->listener);
+	this->narrower = unity_narrow_create(this->handler);
 
 	return &this->public.plugin;
 }
diff --git a/src/libcharon/plugins/unity/unity_provider.c b/src/libcharon/plugins/unity/unity_provider.c
index 655b8724a..ac6f93d69 100644
--- a/src/libcharon/plugins/unity/unity_provider.c
+++ b/src/libcharon/plugins/unity/unity_provider.c
@@ -60,6 +60,7 @@ METHOD(enumerator_t, attribute_enumerate, bool,
 		}
 		if (ts->to_subnet(ts, &net, &mask))
 		{
+			ts->destroy(ts);
 			break;
 		}
 		ts->destroy(ts);
diff --git a/src/libcharon/plugins/updown/Makefile.am b/src/libcharon/plugins/updown/Makefile.am
index 30683d83e..a35909408 100644
--- a/src/libcharon/plugins/updown/Makefile.am
+++ b/src/libcharon/plugins/updown/Makefile.am
@@ -1,8 +1,10 @@
-
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon
 
-AM_CFLAGS = -rdynamic
+AM_CFLAGS = \
+	-rdynamic
 
 if MONOLITHIC
 noinst_LTLIBRARIES = libstrongswan-updown.la
diff --git a/src/libcharon/plugins/updown/Makefile.in b/src/libcharon/plugins/updown/Makefile.in
index f40eab065..b8ceceae4 100644
--- a/src/libcharon/plugins/updown/Makefile.in
+++ b/src/libcharon/plugins/updown/Makefile.in
@@ -62,7 +62,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
@@ -103,9 +103,13 @@ am_libstrongswan_updown_la_OBJECTS = updown_plugin.lo \
 	updown_handler.lo updown_listener.lo
 libstrongswan_updown_la_OBJECTS =  \
 	$(am_libstrongswan_updown_la_OBJECTS)
-libstrongswan_updown_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
-	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
-	$(libstrongswan_updown_la_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+libstrongswan_updown_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
+	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
+	$(AM_CFLAGS) $(CFLAGS) $(libstrongswan_updown_la_LDFLAGS) \
+	$(LDFLAGS) -o $@
 @MONOLITHIC_FALSE@am_libstrongswan_updown_la_rpath = -rpath \
 @MONOLITHIC_FALSE@	$(plugindir)
 @MONOLITHIC_TRUE@am_libstrongswan_updown_la_rpath =
@@ -115,13 +119,26 @@ am__depfiles_maybe = depfiles
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
 SOURCES = $(libstrongswan_updown_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_updown_la_SOURCES)
 am__can_run_installinfo = \
@@ -135,6 +152,7 @@ DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
@@ -147,6 +165,8 @@ CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
 CHECK_CFLAGS = @CHECK_CFLAGS@
 CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -162,6 +182,7 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
 GPRBUILD = @GPRBUILD@
 GREP = @GREP@
@@ -170,6 +191,7 @@ INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -216,6 +238,7 @@ SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -244,6 +267,7 @@ charon_natt_port = @charon_natt_port@
 charon_plugins = @charon_plugins@
 charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
@@ -321,10 +345,14 @@ top_srcdir = @top_srcdir@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon
 
-AM_CFLAGS = -rdynamic
+AM_CFLAGS = \
+	-rdynamic
+
 @MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-updown.la
 @MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-updown.la
 libstrongswan_updown_la_SOURCES = \
@@ -409,7 +437,7 @@ clean-pluginLTLIBRARIES:
 	  rm -f "$${dir}/so_locations"; \
 	done
 libstrongswan-updown.la: $(libstrongswan_updown_la_OBJECTS) $(libstrongswan_updown_la_DEPENDENCIES) $(EXTRA_libstrongswan_updown_la_DEPENDENCIES) 
-	$(libstrongswan_updown_la_LINK) $(am_libstrongswan_updown_la_rpath) $(libstrongswan_updown_la_OBJECTS) $(libstrongswan_updown_la_LIBADD) $(LIBS)
+	$(AM_V_CCLD)$(libstrongswan_updown_la_LINK) $(am_libstrongswan_updown_la_rpath) $(libstrongswan_updown_la_OBJECTS) $(libstrongswan_updown_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -422,25 +450,25 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/updown_plugin.Plo@am__quote@
 
 .c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
 mostlyclean-libtool:
 	-rm -f *.lo
diff --git a/src/libcharon/plugins/updown/updown_listener.c b/src/libcharon/plugins/updown/updown_listener.c
index 617618057..2a6933e12 100644
--- a/src/libcharon/plugins/updown/updown_listener.c
+++ b/src/libcharon/plugins/updown/updown_listener.c
@@ -312,6 +312,7 @@ METHOD(listener_t, child_updown, bool,
 				"PLUTO_CONNECTION='%s' "
 				"PLUTO_INTERFACE='%s' "
 				"PLUTO_REQID='%u' "
+				"PLUTO_UNIQUEID='%u' "
 				"PLUTO_ME='%H' "
 				"PLUTO_MY_ID='%Y' "
 				"PLUTO_MY_CLIENT='%H/%u' "
@@ -336,6 +337,7 @@ METHOD(listener_t, child_updown, bool,
 				 config->get_name(config),
 				 iface ? iface : "unknown",
 				 child_sa->get_reqid(child_sa),
+				 ike_sa->get_unique_id(ike_sa),
 				 me, ike_sa->get_my_id(ike_sa),
 				 my_client, my_client_mask,
 				 my_ts->get_from_port(my_ts),
@@ -426,4 +428,3 @@ updown_listener_t *updown_listener_create(updown_handler_t *handler)
 
 	return &this->public;
 }
-
diff --git a/src/libcharon/plugins/updown/updown_plugin.c b/src/libcharon/plugins/updown/updown_plugin.c
index e1f0d1380..3c1aba5cc 100644
--- a/src/libcharon/plugins/updown/updown_plugin.c
+++ b/src/libcharon/plugins/updown/updown_plugin.c
@@ -49,17 +49,52 @@ METHOD(plugin_t, get_name, char*,
 	return "updown";
 }
 
-METHOD(plugin_t, destroy, void,
-	private_updown_plugin_t *this)
+/**
+ * Register listener
+ */
+static bool plugin_cb(private_updown_plugin_t *this,
+					  plugin_feature_t *feature, bool reg, void *cb_data)
 {
-	charon->bus->remove_listener(charon->bus, &this->listener->listener);
-	this->listener->destroy(this->listener);
-	if (this->handler)
+	if (reg)
 	{
-		hydra->attributes->remove_handler(hydra->attributes,
-										  &this->handler->handler);
-		this->handler->destroy(this->handler);
+		if (lib->settings->get_bool(lib->settings,
+									"charon.plugins.updown.dns_handler", FALSE))
+		{
+			this->handler = updown_handler_create();
+			hydra->attributes->add_handler(hydra->attributes,
+										   &this->handler->handler);
+		}
+		this->listener = updown_listener_create(this->handler);
+		charon->bus->add_listener(charon->bus, &this->listener->listener);
 	}
+	else
+	{
+		charon->bus->remove_listener(charon->bus, &this->listener->listener);
+		this->listener->destroy(this->listener);
+		if (this->handler)
+		{
+			this->handler->destroy(this->handler);
+			hydra->attributes->remove_handler(hydra->attributes,
+											  &this->handler->handler);
+		}
+	}
+	return TRUE;
+}
+
+METHOD(plugin_t, get_features, int,
+	private_updown_plugin_t *this, plugin_feature_t *features[])
+{
+	static plugin_feature_t f[] = {
+		PLUGIN_CALLBACK((plugin_feature_callback_t)plugin_cb, NULL),
+			PLUGIN_PROVIDE(CUSTOM, "updown"),
+	};
+	*features = f;
+	return countof(f);
+}
+
+METHOD(plugin_t, destroy, void,
+	private_updown_plugin_t *this)
+{
 	free(this);
 }
 
@@ -74,22 +109,11 @@ plugin_t *updown_plugin_create()
 		.public = {
 			.plugin = {
 				.get_name = _get_name,
-				.reload = (void*)return_false,
+				.get_features = _get_features,
 				.destroy = _destroy,
 			},
 		},
 	);
 
-	if (lib->settings->get_bool(lib->settings,
-								"charon.plugins.updown.dns_handler", FALSE))
-	{
-		this->handler = updown_handler_create();
-		hydra->attributes->add_handler(hydra->attributes,
-									   &this->handler->handler);
-	}
-	this->listener = updown_listener_create(this->handler);
-	charon->bus->add_listener(charon->bus, &this->listener->listener);
-
 	return &this->public.plugin;
 }
-
diff --git a/src/libcharon/plugins/whitelist/Makefile.am b/src/libcharon/plugins/whitelist/Makefile.am
index 064a759dd..e02b4a041 100644
--- a/src/libcharon/plugins/whitelist/Makefile.am
+++ b/src/libcharon/plugins/whitelist/Makefile.am
@@ -1,10 +1,12 @@
-
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
-	-I$(top_srcdir)/src/libcharon
-
-AM_CFLAGS = -rdynamic \
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon \
 	-DIPSEC_PIDDIR=\"${piddir}\"
 
+AM_CFLAGS = \
+	-rdynamic
+
 if MONOLITHIC
 noinst_LTLIBRARIES = libstrongswan-whitelist.la
 else
diff --git a/src/libcharon/plugins/whitelist/Makefile.in b/src/libcharon/plugins/whitelist/Makefile.in
index 7c6f8cd06..1f1377ccc 100644
--- a/src/libcharon/plugins/whitelist/Makefile.in
+++ b/src/libcharon/plugins/whitelist/Makefile.in
@@ -64,7 +64,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
@@ -105,7 +105,10 @@ am_libstrongswan_whitelist_la_OBJECTS = whitelist_plugin.lo \
 	whitelist_listener.lo whitelist_control.lo
 libstrongswan_whitelist_la_OBJECTS =  \
 	$(am_libstrongswan_whitelist_la_OBJECTS)
-libstrongswan_whitelist_la_LINK = $(LIBTOOL) --tag=CC \
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+libstrongswan_whitelist_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
 	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
 	$(AM_CFLAGS) $(CFLAGS) $(libstrongswan_whitelist_la_LDFLAGS) \
 	$(LDFLAGS) -o $@
@@ -122,13 +125,26 @@ am__depfiles_maybe = depfiles
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
 SOURCES = $(libstrongswan_whitelist_la_SOURCES) $(whitelist_SOURCES)
 DIST_SOURCES = $(libstrongswan_whitelist_la_SOURCES) \
 	$(whitelist_SOURCES)
@@ -143,6 +159,7 @@ DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
@@ -155,6 +172,8 @@ CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
 CHECK_CFLAGS = @CHECK_CFLAGS@
 CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -170,6 +189,7 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
 GPRBUILD = @GPRBUILD@
 GREP = @GREP@
@@ -178,6 +198,7 @@ INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -224,6 +245,7 @@ SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -252,6 +274,7 @@ charon_natt_port = @charon_natt_port@
 charon_plugins = @charon_plugins@
 charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
@@ -329,12 +352,15 @@ top_srcdir = @top_srcdir@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
-	-I$(top_srcdir)/src/libcharon
-
-AM_CFLAGS = -rdynamic \
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon \
 	-DIPSEC_PIDDIR=\"${piddir}\"
 
+AM_CFLAGS = \
+	-rdynamic
+
 @MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-whitelist.la
 @MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-whitelist.la
 libstrongswan_whitelist_la_SOURCES = whitelist_plugin.h whitelist_plugin.c \
@@ -419,7 +445,7 @@ clean-pluginLTLIBRARIES:
 	  rm -f "$${dir}/so_locations"; \
 	done
 libstrongswan-whitelist.la: $(libstrongswan_whitelist_la_OBJECTS) $(libstrongswan_whitelist_la_DEPENDENCIES) $(EXTRA_libstrongswan_whitelist_la_DEPENDENCIES) 
-	$(libstrongswan_whitelist_la_LINK) $(am_libstrongswan_whitelist_la_rpath) $(libstrongswan_whitelist_la_OBJECTS) $(libstrongswan_whitelist_la_LIBADD) $(LIBS)
+	$(AM_V_CCLD)$(libstrongswan_whitelist_la_LINK) $(am_libstrongswan_whitelist_la_rpath) $(libstrongswan_whitelist_la_OBJECTS) $(libstrongswan_whitelist_la_LIBADD) $(LIBS)
 install-ipsecPROGRAMS: $(ipsec_PROGRAMS)
 	@$(NORMAL_INSTALL)
 	@list='$(ipsec_PROGRAMS)'; test -n "$(ipsecdir)" || list=; \
@@ -468,7 +494,7 @@ clean-ipsecPROGRAMS:
 	rm -f $$list
 whitelist$(EXEEXT): $(whitelist_OBJECTS) $(whitelist_DEPENDENCIES) $(EXTRA_whitelist_DEPENDENCIES) 
 	@rm -f whitelist$(EXEEXT)
-	$(LINK) $(whitelist_OBJECTS) $(whitelist_LDADD) $(LIBS)
+	$(AM_V_CCLD)$(LINK) $(whitelist_OBJECTS) $(whitelist_LDADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -482,25 +508,25 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/whitelist_plugin.Plo@am__quote@
 
 .c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
 mostlyclean-libtool:
 	-rm -f *.lo
diff --git a/src/libcharon/plugins/whitelist/whitelist.c b/src/libcharon/plugins/whitelist/whitelist.c
index 0a3a34459..ef1ed9c3a 100644
--- a/src/libcharon/plugins/whitelist/whitelist.c
+++ b/src/libcharon/plugins/whitelist/whitelist.c
@@ -18,45 +18,104 @@
 #include <sys/socket.h>
 #include <sys/un.h>
 #include <unistd.h>
+#include <stdlib.h>
 #include <stddef.h>
 #include <stdio.h>
+#include <string.h>
 #include <errno.h>
+#include <arpa/inet.h>
+#include <netinet/in.h>
 
 /**
  * Connect to the daemon, return FD
  */
 static int make_connection()
 {
-	struct sockaddr_un addr;
-	int fd;
+	union {
+		struct sockaddr_un un;
+		struct sockaddr_in in;
+		struct sockaddr sa;
+	} addr;
+	int fd, len;
 
-	addr.sun_family = AF_UNIX;
-	strcpy(addr.sun_path, WHITELIST_SOCKET);
+	if (getenv("TCP_PORT"))
+	{
+		addr.in.sin_family = AF_INET;
+		addr.in.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
+		addr.in.sin_port = htons(atoi(getenv("TCP_PORT")));
+		len = sizeof(addr.in);
+	}
+	else
+	{
+		addr.un.sun_family = AF_UNIX;
+		strcpy(addr.un.sun_path, WHITELIST_SOCKET);
 
-	fd = socket(AF_UNIX, SOCK_SEQPACKET, 0);
+		len = offsetof(struct sockaddr_un, sun_path) + strlen(addr.un.sun_path);
+	}
+	fd = socket(addr.sa.sa_family, SOCK_STREAM, 0);
 	if (fd < 0)
 	{
 		fprintf(stderr, "opening socket failed: %s\n", strerror(errno));
 		return -1;
 	}
-	if (connect(fd, (struct sockaddr *)&addr,
-			offsetof(struct sockaddr_un, sun_path) + strlen(addr.sun_path)) < 0)
+	if (connect(fd, &addr.sa, len) < 0)
 	{
-		fprintf(stderr, "connecting to %s failed: %s\n",
-				WHITELIST_SOCKET, strerror(errno));
+		fprintf(stderr, "connecting failed: %s\n", strerror(errno));
 		close(fd);
 		return -1;
 	}
 	return fd;
 }
 
+static int read_all(int fd, void *buf, size_t len)
+{
+	ssize_t ret, done = 0;
+
+	while (done < len)
+	{
+		ret = read(fd, buf, len - done);
+		if (ret == -1 && errno == EINTR)
+		{	/* interrupted, try again */
+			continue;
+		}
+		if (ret < 0)
+		{
+			return -1;
+		}
+		done += ret;
+		buf += ret;
+	}
+	return len;
+}
+
+static int write_all(int fd, void *buf, size_t len)
+{
+	ssize_t ret, done = 0;
+
+	while (done < len)
+	{
+		ret = write(fd, buf, len - done);
+		if (ret == -1 && errno == EINTR)
+		{	/* interrupted, try again */
+			continue;
+		}
+		if (ret < 0)
+		{
+			return -1;
+		}
+		done += ret;
+		buf += ret;
+	}
+	return len;
+}
+
 /**
  * Send a single message
  */
 static int send_msg(int type, char *id)
 {
 	whitelist_msg_t msg = {
-		.type = type,
+		.type = htonl(type),
 	};
 	int fd;
 
@@ -66,7 +125,7 @@ static int send_msg(int type, char *id)
 		return 2;
 	}
 	snprintf(msg.id, sizeof(msg.id), "%s", id);
-	if (send(fd, &msg, sizeof(msg), 0) != sizeof(msg))
+	if (write_all(fd, &msg, sizeof(msg)) != sizeof(msg))
 	{
 		fprintf(stderr, "writing to socket failed: %s\n", strerror(errno));
 		close(fd);
@@ -74,9 +133,15 @@ static int send_msg(int type, char *id)
 	}
 	if (type == WHITELIST_LIST)
 	{
-		while (recv(fd, &msg, sizeof(msg), 0) == sizeof(msg))
+		while (1)
 		{
-			if (msg.type != WHITELIST_LIST)
+			if (read_all(fd, &msg, sizeof(msg)) != sizeof(msg))
+			{
+				fprintf(stderr, "reading failed: %s\n", strerror(errno));
+				close(fd);
+				return 2;
+			}
+			if (ntohl(msg.type) != WHITELIST_LIST)
 			{
 				break;
 			}
@@ -94,7 +159,7 @@ static int send_msg(int type, char *id)
 static int send_batch(int type, char *file)
 {
 	whitelist_msg_t msg = {
-		.type = type,
+		.type = htonl(type),
 	};
 	FILE *f = stdin;
 	int fd, len;
@@ -125,7 +190,7 @@ static int send_batch(int type, char *file)
 		{
 			msg.id[len-1] = '\0';
 		}
-		if (send(fd, &msg, sizeof(msg), 0) != sizeof(msg))
+		if (write_all(fd, &msg, sizeof(msg)) != sizeof(msg))
 		{
 			fprintf(stderr, "writing to socket failed: %s\n", strerror(errno));
 			if (f != stdin)
diff --git a/src/libcharon/plugins/whitelist/whitelist_control.c b/src/libcharon/plugins/whitelist/whitelist_control.c
index a75ea9aee..e97885c8f 100644
--- a/src/libcharon/plugins/whitelist/whitelist_control.c
+++ b/src/libcharon/plugins/whitelist/whitelist_control.c
@@ -23,8 +23,7 @@
 #include <errno.h>
 
 #include <daemon.h>
-#include <threading/thread.h>
-#include <processing/jobs/callback_job.h>
+#include <collections/linked_list.h>
 
 #include "whitelist_msg.h"
 
@@ -46,65 +45,68 @@ struct private_whitelist_control_t {
 	whitelist_listener_t *listener;
 
 	/**
-	 * Whitelist unix socket file descriptor
+	 * Whitelist stream service
 	 */
-	int socket;
+	stream_service_t *service;
 };
 
-/**
- * Open whitelist unix socket
+/*
+ * List whitelist entries using a read-copy
  */
-static bool open_socket(private_whitelist_control_t *this)
+static void list(private_whitelist_control_t *this,
+				 stream_t *stream, identification_t *id)
 {
-	struct sockaddr_un addr;
-	mode_t old;
-
-	addr.sun_family = AF_UNIX;
-	strcpy(addr.sun_path, WHITELIST_SOCKET);
-
-	this->socket = socket(AF_UNIX, SOCK_SEQPACKET, 0);
-	if (this->socket == -1)
-	{
-		DBG1(DBG_CFG, "creating whitelist socket failed");
-		return FALSE;
-	}
-	unlink(addr.sun_path);
-	old = umask(~(S_IRWXU | S_IRWXG));
-	if (bind(this->socket, (struct sockaddr*)&addr, sizeof(addr)) < 0)
-	{
-		DBG1(DBG_CFG, "binding whitelist socket failed: %s", strerror(errno));
-		close(this->socket);
-		return FALSE;
-	}
-	umask(old);
-	if (chown(addr.sun_path, charon->caps->get_uid(charon->caps),
-			  charon->caps->get_gid(charon->caps)) != 0)
+	identification_t *current;
+	enumerator_t *enumerator;
+	linked_list_t *list;
+	whitelist_msg_t msg = {
+		.type = htonl(WHITELIST_LIST),
+	};
+
+	list = linked_list_create();
+	enumerator = this->listener->create_enumerator(this->listener);
+	while (enumerator->enumerate(enumerator, &current))
 	{
-		DBG1(DBG_CFG, "changing whitelist socket permissions failed: %s",
-			 strerror(errno));
+		if (current->matches(current, id))
+		{
+			list->insert_last(list, current->clone(current));
+		}
 	}
-	if (listen(this->socket, 10) < 0)
+	enumerator->destroy(enumerator);
+
+	while (list->remove_first(list, (void**)&current) == SUCCESS)
 	{
-		DBG1(DBG_CFG, "listening on whitelist socket failed: %s", strerror(errno));
-		close(this->socket);
-		unlink(addr.sun_path);
-		return FALSE;
+		snprintf(msg.id, sizeof(msg.id), "%Y", current);
+		current->destroy(current);
+		if (!stream->write_all(stream, &msg, sizeof(msg)))
+		{
+			DBG1(DBG_CFG, "listing whitelist failed: %s", strerror(errno));
+			break;
+		}
 	}
-	return TRUE;
+	list->destroy_offset(list, offsetof(identification_t, destroy));
+
+	msg.type = htonl(WHITELIST_END);
+	memset(msg.id, 0, sizeof(msg.id));
+	stream->write_all(stream, &msg, sizeof(msg));
 }
 
 /**
  * Dispatch a received message
  */
-static void dispatch(private_whitelist_control_t *this,
-					 int fd, whitelist_msg_t *msg)
+static bool on_accept(private_whitelist_control_t *this, stream_t *stream)
 {
-	identification_t *id, *current;
-	enumerator_t *enumerator;
+	identification_t *id;
+	whitelist_msg_t msg;
+
+	if (!stream->read_all(stream, &msg, sizeof(msg)))
+	{
+		return FALSE;
+	}
 
-	msg->id[sizeof(msg->id)-1] = 0;
-	id = identification_create_from_string(msg->id);
-	switch (msg->type)
+	msg.id[sizeof(msg.id) - 1] = 0;
+	id = identification_create_from_string(msg.id);
+	switch (ntohl(msg.type))
 	{
 		case WHITELIST_ADD:
 			this->listener->add(this->listener, id);
@@ -113,23 +115,7 @@ static void dispatch(private_whitelist_control_t *this,
 			this->listener->remove(this->listener, id);
 			break;
 		case WHITELIST_LIST:
-			enumerator = this->listener->create_enumerator(this->listener);
-			while (enumerator->enumerate(enumerator, &current))
-			{
-				if (current->matches(current, id))
-				{
-					snprintf(msg->id, sizeof(msg->id), "%Y", current);
-					if (send(fd, msg, sizeof(*msg), 0) != sizeof(*msg))
-					{
-						DBG1(DBG_CFG, "listing whitelist failed");
-						break;
-					}
-				}
-			}
-			enumerator->destroy(enumerator);
-			msg->type = WHITELIST_END;
-			memset(msg->id, 0, sizeof(msg->id));
-			send(fd, msg, sizeof(*msg), 0);
+			list(this, stream, id);
 			break;
 		case WHITELIST_FLUSH:
 			this->listener->flush(this->listener, id);
@@ -145,58 +131,14 @@ static void dispatch(private_whitelist_control_t *this,
 			break;
 	}
 	id->destroy(id);
-}
-
-/**
- * Accept whitelist control connections, dispatch
- */
-static job_requeue_t receive(private_whitelist_control_t *this)
-{
-	struct sockaddr_un addr;
-	int fd, len = sizeof(addr);
-	whitelist_msg_t msg;
-	bool oldstate;
-
-	oldstate = thread_cancelability(TRUE);
-	fd = accept(this->socket, (struct sockaddr*)&addr, &len);
-	thread_cancelability(oldstate);
 
-	if (fd != -1)
-	{
-		while (TRUE)
-		{
-			oldstate = thread_cancelability(TRUE);
-			len = recv(fd, &msg, sizeof(msg), 0);
-			thread_cancelability(oldstate);
-
-			if (len == sizeof(msg))
-			{
-				dispatch(this, fd, &msg);
-			}
-			else
-			{
-				if (len != 0)
-				{
-					DBG1(DBG_CFG, "receiving whitelist msg failed: %s",
-						 strerror(errno));
-				}
-				break;
-			}
-		}
-		close(fd);
-	}
-	else
-	{
-		DBG1(DBG_CFG, "accepting whitelist connection failed: %s",
-			 strerror(errno));
-	}
-	return JOB_REQUEUE_FAIR;
+	return FALSE;
 }
 
 METHOD(whitelist_control_t, destroy, void,
 	private_whitelist_control_t *this)
 {
-	close(this->socket);
+	this->service->destroy(this->service);
 	free(this);
 }
 
@@ -206,6 +148,7 @@ METHOD(whitelist_control_t, destroy, void,
 whitelist_control_t *whitelist_control_create(whitelist_listener_t *listener)
 {
 	private_whitelist_control_t *this;
+	char *uri;
 
 	INIT(this,
 		.public = {
@@ -214,15 +157,19 @@ whitelist_control_t *whitelist_control_create(whitelist_listener_t *listener)
 		.listener = listener,
 	);
 
-	if (!open_socket(this))
+	uri = lib->settings->get_str(lib->settings,
+				"%s.plugins.whitelist.socket", "unix://" WHITELIST_SOCKET,
+				charon->name);
+	this->service = lib->streams->create_service(lib->streams, uri, 10);
+	if (!this->service)
 	{
+		DBG1(DBG_CFG, "creating whitelist socket failed");
 		free(this);
 		return NULL;
 	}
 
-	lib->processor->queue_job(lib->processor,
-		(job_t*)callback_job_create_with_prio((callback_job_cb_t)receive, this,
-				NULL, (callback_job_cancel_t)return_false, JOB_PRIO_CRITICAL));
+	this->service->on_accept(this->service, (stream_service_cb_t)on_accept,
+							 this, JOB_PRIO_CRITICAL, 0);
 
 	return &this->public;
 }
diff --git a/src/libcharon/plugins/whitelist/whitelist_msg.h b/src/libcharon/plugins/whitelist/whitelist_msg.h
index 65b922996..595fb6ffb 100644
--- a/src/libcharon/plugins/whitelist/whitelist_msg.h
+++ b/src/libcharon/plugins/whitelist/whitelist_msg.h
@@ -53,6 +53,6 @@ struct whitelist_msg_t {
 	int type;
 	/** null terminated identity */
 	char id[128];
-};
+} __attribute__((packed));
 
 #endif /** WHITELIST_MSG_H_ @}*/
diff --git a/src/libcharon/plugins/whitelist/whitelist_plugin.c b/src/libcharon/plugins/whitelist/whitelist_plugin.c
index fca9d293f..3ea45723c 100644
--- a/src/libcharon/plugins/whitelist/whitelist_plugin.c
+++ b/src/libcharon/plugins/whitelist/whitelist_plugin.c
@@ -49,10 +49,37 @@ METHOD(plugin_t, get_name, char*,
 	return "whitelist";
 }
 
+/**
+ * Register listener
+ */
+static bool plugin_cb(private_whitelist_plugin_t *this,
+					  plugin_feature_t *feature, bool reg, void *cb_data)
+{
+	if (reg)
+	{
+		charon->bus->add_listener(charon->bus, &this->listener->listener);
+	}
+	else
+	{
+		charon->bus->remove_listener(charon->bus, &this->listener->listener);
+	}
+	return TRUE;
+}
+
+METHOD(plugin_t, get_features, int,
+	private_whitelist_plugin_t *this, plugin_feature_t *features[])
+{
+	static plugin_feature_t f[] = {
+		PLUGIN_CALLBACK((plugin_feature_callback_t)plugin_cb, NULL),
+			PLUGIN_PROVIDE(CUSTOM, "whitelist"),
+	};
+	*features = f;
+	return countof(f);
+}
+
 METHOD(plugin_t, destroy, void,
 	private_whitelist_plugin_t *this)
 {
-	charon->bus->remove_listener(charon->bus, &this->listener->listener);
 	this->listener->destroy(this->listener);
 	DESTROY_IF(this->control);
 	free(this);
@@ -69,15 +96,19 @@ plugin_t *whitelist_plugin_create()
 		.public = {
 			.plugin = {
 				.get_name = _get_name,
-				.reload = (void*)return_false,
+				.get_features = _get_features,
 				.destroy = _destroy,
 			},
 		},
 		.listener = whitelist_listener_create(),
 	);
-	this->control = whitelist_control_create(this->listener);
 
-	charon->bus->add_listener(charon->bus, &this->listener->listener);
+	this->control = whitelist_control_create(this->listener);
+	if (!this->control)
+	{
+		destroy(this);
+		return NULL;
+	}
 
 	return &this->public.plugin;
 }
diff --git a/src/libcharon/plugins/xauth_eap/Makefile.am b/src/libcharon/plugins/xauth_eap/Makefile.am
index f2cb0e26c..21f8d0297 100644
--- a/src/libcharon/plugins/xauth_eap/Makefile.am
+++ b/src/libcharon/plugins/xauth_eap/Makefile.am
@@ -1,8 +1,10 @@
-
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon
 
-AM_CFLAGS = -rdynamic
+AM_CFLAGS = \
+	-rdynamic
 
 if MONOLITHIC
 noinst_LTLIBRARIES = libstrongswan-xauth-eap.la
diff --git a/src/libcharon/plugins/xauth_eap/Makefile.in b/src/libcharon/plugins/xauth_eap/Makefile.in
index aecc871f4..600a99bf9 100644
--- a/src/libcharon/plugins/xauth_eap/Makefile.in
+++ b/src/libcharon/plugins/xauth_eap/Makefile.in
@@ -62,7 +62,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
@@ -103,7 +103,10 @@ am_libstrongswan_xauth_eap_la_OBJECTS = xauth_eap_plugin.lo \
 	xauth_eap.lo
 libstrongswan_xauth_eap_la_OBJECTS =  \
 	$(am_libstrongswan_xauth_eap_la_OBJECTS)
-libstrongswan_xauth_eap_la_LINK = $(LIBTOOL) --tag=CC \
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+libstrongswan_xauth_eap_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
 	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
 	$(AM_CFLAGS) $(CFLAGS) $(libstrongswan_xauth_eap_la_LDFLAGS) \
 	$(LDFLAGS) -o $@
@@ -116,13 +119,26 @@ am__depfiles_maybe = depfiles
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
 SOURCES = $(libstrongswan_xauth_eap_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_xauth_eap_la_SOURCES)
 am__can_run_installinfo = \
@@ -136,6 +152,7 @@ DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
@@ -148,6 +165,8 @@ CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
 CHECK_CFLAGS = @CHECK_CFLAGS@
 CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -163,6 +182,7 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
 GPRBUILD = @GPRBUILD@
 GREP = @GREP@
@@ -171,6 +191,7 @@ INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -217,6 +238,7 @@ SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -245,6 +267,7 @@ charon_natt_port = @charon_natt_port@
 charon_plugins = @charon_plugins@
 charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
@@ -322,10 +345,14 @@ top_srcdir = @top_srcdir@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon
 
-AM_CFLAGS = -rdynamic
+AM_CFLAGS = \
+	-rdynamic
+
 @MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-xauth-eap.la
 @MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-xauth-eap.la
 libstrongswan_xauth_eap_la_SOURCES = \
@@ -409,7 +436,7 @@ clean-pluginLTLIBRARIES:
 	  rm -f "$${dir}/so_locations"; \
 	done
 libstrongswan-xauth-eap.la: $(libstrongswan_xauth_eap_la_OBJECTS) $(libstrongswan_xauth_eap_la_DEPENDENCIES) $(EXTRA_libstrongswan_xauth_eap_la_DEPENDENCIES) 
-	$(libstrongswan_xauth_eap_la_LINK) $(am_libstrongswan_xauth_eap_la_rpath) $(libstrongswan_xauth_eap_la_OBJECTS) $(libstrongswan_xauth_eap_la_LIBADD) $(LIBS)
+	$(AM_V_CCLD)$(libstrongswan_xauth_eap_la_LINK) $(am_libstrongswan_xauth_eap_la_rpath) $(libstrongswan_xauth_eap_la_OBJECTS) $(libstrongswan_xauth_eap_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -421,25 +448,25 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/xauth_eap_plugin.Plo@am__quote@
 
 .c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
 mostlyclean-libtool:
 	-rm -f *.lo
diff --git a/src/libcharon/plugins/xauth_generic/Makefile.am b/src/libcharon/plugins/xauth_generic/Makefile.am
index 0f25e74a2..d48e52ddd 100644
--- a/src/libcharon/plugins/xauth_generic/Makefile.am
+++ b/src/libcharon/plugins/xauth_generic/Makefile.am
@@ -1,8 +1,10 @@
-
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon
 
-AM_CFLAGS = -rdynamic
+AM_CFLAGS = \
+	-rdynamic
 
 if MONOLITHIC
 noinst_LTLIBRARIES = libstrongswan-xauth-generic.la
diff --git a/src/libcharon/plugins/xauth_generic/Makefile.in b/src/libcharon/plugins/xauth_generic/Makefile.in
index a7088a2d0..27d891d14 100644
--- a/src/libcharon/plugins/xauth_generic/Makefile.in
+++ b/src/libcharon/plugins/xauth_generic/Makefile.in
@@ -62,7 +62,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
@@ -103,7 +103,10 @@ am_libstrongswan_xauth_generic_la_OBJECTS = xauth_generic_plugin.lo \
 	xauth_generic.lo
 libstrongswan_xauth_generic_la_OBJECTS =  \
 	$(am_libstrongswan_xauth_generic_la_OBJECTS)
-libstrongswan_xauth_generic_la_LINK = $(LIBTOOL) --tag=CC \
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+libstrongswan_xauth_generic_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
 	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
 	$(AM_CFLAGS) $(CFLAGS) \
 	$(libstrongswan_xauth_generic_la_LDFLAGS) $(LDFLAGS) -o $@
@@ -116,13 +119,26 @@ am__depfiles_maybe = depfiles
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
 SOURCES = $(libstrongswan_xauth_generic_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_xauth_generic_la_SOURCES)
 am__can_run_installinfo = \
@@ -136,6 +152,7 @@ DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
@@ -148,6 +165,8 @@ CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
 CHECK_CFLAGS = @CHECK_CFLAGS@
 CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -163,6 +182,7 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
 GPRBUILD = @GPRBUILD@
 GREP = @GREP@
@@ -171,6 +191,7 @@ INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -217,6 +238,7 @@ SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -245,6 +267,7 @@ charon_natt_port = @charon_natt_port@
 charon_plugins = @charon_plugins@
 charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
@@ -322,10 +345,14 @@ top_srcdir = @top_srcdir@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon
 
-AM_CFLAGS = -rdynamic
+AM_CFLAGS = \
+	-rdynamic
+
 @MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-xauth-generic.la
 @MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-xauth-generic.la
 libstrongswan_xauth_generic_la_SOURCES = \
@@ -409,7 +436,7 @@ clean-pluginLTLIBRARIES:
 	  rm -f "$${dir}/so_locations"; \
 	done
 libstrongswan-xauth-generic.la: $(libstrongswan_xauth_generic_la_OBJECTS) $(libstrongswan_xauth_generic_la_DEPENDENCIES) $(EXTRA_libstrongswan_xauth_generic_la_DEPENDENCIES) 
-	$(libstrongswan_xauth_generic_la_LINK) $(am_libstrongswan_xauth_generic_la_rpath) $(libstrongswan_xauth_generic_la_OBJECTS) $(libstrongswan_xauth_generic_la_LIBADD) $(LIBS)
+	$(AM_V_CCLD)$(libstrongswan_xauth_generic_la_LINK) $(am_libstrongswan_xauth_generic_la_rpath) $(libstrongswan_xauth_generic_la_OBJECTS) $(libstrongswan_xauth_generic_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -421,25 +448,25 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/xauth_generic_plugin.Plo@am__quote@
 
 .c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
 mostlyclean-libtool:
 	-rm -f *.lo
diff --git a/src/libcharon/plugins/xauth_noauth/Makefile.am b/src/libcharon/plugins/xauth_noauth/Makefile.am
index b838af63a..f1581ba67 100644
--- a/src/libcharon/plugins/xauth_noauth/Makefile.am
+++ b/src/libcharon/plugins/xauth_noauth/Makefile.am
@@ -1,8 +1,10 @@
-
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon
 
-AM_CFLAGS = -rdynamic
+AM_CFLAGS = \
+	-rdynamic
 
 if MONOLITHIC
 noinst_LTLIBRARIES = libstrongswan-xauth-noauth.la
diff --git a/src/libcharon/plugins/xauth_noauth/Makefile.in b/src/libcharon/plugins/xauth_noauth/Makefile.in
index 358875197..a806aee79 100644
--- a/src/libcharon/plugins/xauth_noauth/Makefile.in
+++ b/src/libcharon/plugins/xauth_noauth/Makefile.in
@@ -62,7 +62,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
@@ -103,7 +103,10 @@ am_libstrongswan_xauth_noauth_la_OBJECTS = xauth_noauth_plugin.lo \
 	xauth_noauth.lo
 libstrongswan_xauth_noauth_la_OBJECTS =  \
 	$(am_libstrongswan_xauth_noauth_la_OBJECTS)
-libstrongswan_xauth_noauth_la_LINK = $(LIBTOOL) --tag=CC \
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+libstrongswan_xauth_noauth_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
 	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
 	$(AM_CFLAGS) $(CFLAGS) \
 	$(libstrongswan_xauth_noauth_la_LDFLAGS) $(LDFLAGS) -o $@
@@ -116,13 +119,26 @@ am__depfiles_maybe = depfiles
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
 SOURCES = $(libstrongswan_xauth_noauth_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_xauth_noauth_la_SOURCES)
 am__can_run_installinfo = \
@@ -136,6 +152,7 @@ DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
@@ -148,6 +165,8 @@ CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
 CHECK_CFLAGS = @CHECK_CFLAGS@
 CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -163,6 +182,7 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
 GPRBUILD = @GPRBUILD@
 GREP = @GREP@
@@ -171,6 +191,7 @@ INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -217,6 +238,7 @@ SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -245,6 +267,7 @@ charon_natt_port = @charon_natt_port@
 charon_plugins = @charon_plugins@
 charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
@@ -322,10 +345,14 @@ top_srcdir = @top_srcdir@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon
 
-AM_CFLAGS = -rdynamic
+AM_CFLAGS = \
+	-rdynamic
+
 @MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-xauth-noauth.la
 @MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-xauth-noauth.la
 libstrongswan_xauth_noauth_la_SOURCES = \
@@ -409,7 +436,7 @@ clean-pluginLTLIBRARIES:
 	  rm -f "$${dir}/so_locations"; \
 	done
 libstrongswan-xauth-noauth.la: $(libstrongswan_xauth_noauth_la_OBJECTS) $(libstrongswan_xauth_noauth_la_DEPENDENCIES) $(EXTRA_libstrongswan_xauth_noauth_la_DEPENDENCIES) 
-	$(libstrongswan_xauth_noauth_la_LINK) $(am_libstrongswan_xauth_noauth_la_rpath) $(libstrongswan_xauth_noauth_la_OBJECTS) $(libstrongswan_xauth_noauth_la_LIBADD) $(LIBS)
+	$(AM_V_CCLD)$(libstrongswan_xauth_noauth_la_LINK) $(am_libstrongswan_xauth_noauth_la_rpath) $(libstrongswan_xauth_noauth_la_OBJECTS) $(libstrongswan_xauth_noauth_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -421,25 +448,25 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/xauth_noauth_plugin.Plo@am__quote@
 
 .c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
 mostlyclean-libtool:
 	-rm -f *.lo
diff --git a/src/libcharon/plugins/xauth_pam/Makefile.am b/src/libcharon/plugins/xauth_pam/Makefile.am
index 47521a3ff..a7d4f6436 100644
--- a/src/libcharon/plugins/xauth_pam/Makefile.am
+++ b/src/libcharon/plugins/xauth_pam/Makefile.am
@@ -1,8 +1,10 @@
-
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon
 
-AM_CFLAGS = -rdynamic
+AM_CFLAGS = \
+	-rdynamic
 
 if MONOLITHIC
 noinst_LTLIBRARIES = libstrongswan-xauth-pam.la
diff --git a/src/libcharon/plugins/xauth_pam/Makefile.in b/src/libcharon/plugins/xauth_pam/Makefile.in
index 34ebb37b9..68afa861b 100644
--- a/src/libcharon/plugins/xauth_pam/Makefile.in
+++ b/src/libcharon/plugins/xauth_pam/Makefile.in
@@ -62,7 +62,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
@@ -103,7 +103,10 @@ am_libstrongswan_xauth_pam_la_OBJECTS = xauth_pam_plugin.lo \
 	xauth_pam.lo
 libstrongswan_xauth_pam_la_OBJECTS =  \
 	$(am_libstrongswan_xauth_pam_la_OBJECTS)
-libstrongswan_xauth_pam_la_LINK = $(LIBTOOL) --tag=CC \
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+libstrongswan_xauth_pam_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
 	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
 	$(AM_CFLAGS) $(CFLAGS) $(libstrongswan_xauth_pam_la_LDFLAGS) \
 	$(LDFLAGS) -o $@
@@ -116,13 +119,26 @@ am__depfiles_maybe = depfiles
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
 SOURCES = $(libstrongswan_xauth_pam_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_xauth_pam_la_SOURCES)
 am__can_run_installinfo = \
@@ -136,6 +152,7 @@ DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
@@ -148,6 +165,8 @@ CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
 CHECK_CFLAGS = @CHECK_CFLAGS@
 CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -163,6 +182,7 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
 GPRBUILD = @GPRBUILD@
 GREP = @GREP@
@@ -171,6 +191,7 @@ INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -217,6 +238,7 @@ SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -245,6 +267,7 @@ charon_natt_port = @charon_natt_port@
 charon_plugins = @charon_plugins@
 charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
@@ -322,10 +345,14 @@ top_srcdir = @top_srcdir@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon
 
-AM_CFLAGS = -rdynamic
+AM_CFLAGS = \
+	-rdynamic
+
 @MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-xauth-pam.la
 @MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-xauth-pam.la
 libstrongswan_xauth_pam_la_SOURCES = \
@@ -409,7 +436,7 @@ clean-pluginLTLIBRARIES:
 	  rm -f "$${dir}/so_locations"; \
 	done
 libstrongswan-xauth-pam.la: $(libstrongswan_xauth_pam_la_OBJECTS) $(libstrongswan_xauth_pam_la_DEPENDENCIES) $(EXTRA_libstrongswan_xauth_pam_la_DEPENDENCIES) 
-	$(libstrongswan_xauth_pam_la_LINK) $(am_libstrongswan_xauth_pam_la_rpath) $(libstrongswan_xauth_pam_la_OBJECTS) $(libstrongswan_xauth_pam_la_LIBADD) $(LIBS)
+	$(AM_V_CCLD)$(libstrongswan_xauth_pam_la_LINK) $(am_libstrongswan_xauth_pam_la_rpath) $(libstrongswan_xauth_pam_la_OBJECTS) $(libstrongswan_xauth_pam_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -421,25 +448,25 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/xauth_pam_plugin.Plo@am__quote@
 
 .c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
 mostlyclean-libtool:
 	-rm -f *.lo
diff --git a/src/libcharon/plugins/xauth_pam/xauth_pam_plugin.c b/src/libcharon/plugins/xauth_pam/xauth_pam_plugin.c
index b9ba0b5ac..2ef9a6c8f 100644
--- a/src/libcharon/plugins/xauth_pam/xauth_pam_plugin.c
+++ b/src/libcharon/plugins/xauth_pam/xauth_pam_plugin.c
@@ -52,6 +52,13 @@ plugin_t *xauth_pam_plugin_create()
 {
 	xauth_pam_plugin_t *this;
 
+	/* required for PAM authentication */
+	if (!lib->caps->keep(lib->caps, CAP_AUDIT_WRITE))
+	{
+		DBG1(DBG_DMN, "xauth-pam plugin requires CAP_AUDIT_WRITE capability");
+		return NULL;
+	}
+
 	INIT(this,
 		.plugin = {
 			.get_name = _get_name,
@@ -60,8 +67,5 @@ plugin_t *xauth_pam_plugin_create()
 		},
 	);
 
-	/* required for PAM authentication */
-	charon->caps->keep(charon->caps, CAP_AUDIT_WRITE);
-
 	return &this->plugin;
 }
diff --git a/src/libcharon/processing/jobs/start_action_job.c b/src/libcharon/processing/jobs/start_action_job.c
index bc4aaf6d6..981473b5c 100644
--- a/src/libcharon/processing/jobs/start_action_job.c
+++ b/src/libcharon/processing/jobs/start_action_job.c
@@ -73,7 +73,7 @@ METHOD(job_t, execute, job_requeue_t,
 					else
 					{
 						charon->traps->install(charon->traps, peer_cfg,
-															  child_cfg);
+											   child_cfg, 0);
 					}
 					break;
 				case ACTION_NONE:
diff --git a/src/libcharon/sa/child_sa.c b/src/libcharon/sa/child_sa.c
index 463ad2e22..46e4b6f7b 100644
--- a/src/libcharon/sa/child_sa.c
+++ b/src/libcharon/sa/child_sa.c
@@ -25,6 +25,7 @@
 
 #include <hydra.h>
 #include <daemon.h>
+#include <collections/array.h>
 
 ENUM(child_sa_state_names, CHILD_CREATED, CHILD_DESTROYING,
 	"CREATED",
@@ -79,14 +80,14 @@ struct private_child_sa_t {
 	u_int16_t other_cpi;
 
 	/**
-	 * List for local traffic selectors
+	 * Array for local traffic selectors
 	 */
-	linked_list_t *my_ts;
+	array_t *my_ts;
 
 	/**
-	 * List for remote traffic selectors
+	 * Array for remote traffic selectors
 	 */
-	linked_list_t *other_ts;
+	array_t *other_ts;
 
 	/**
 	 * Protocol used to protect this SA, ESP|AH
@@ -331,10 +332,14 @@ METHOD(child_sa_t, set_proposal, void,
 	this->proposal = proposal->clone(proposal);
 }
 
-METHOD(child_sa_t, get_traffic_selectors, linked_list_t*,
-	   private_child_sa_t *this, bool local)
+METHOD(child_sa_t, create_ts_enumerator, enumerator_t*,
+	private_child_sa_t *this, bool local)
 {
-	return local ? this->my_ts : this->other_ts;
+	if (local)
+	{
+		return array_create_enumerator(this->my_ts);
+	}
+	return array_create_enumerator(this->other_ts);
 }
 
 typedef struct policy_enumerator_t policy_enumerator_t;
@@ -349,8 +354,8 @@ struct policy_enumerator_t {
 	enumerator_t *mine;
 	/** enumerator over others TS */
 	enumerator_t *other;
-	/** list of others TS, to recreate enumerator */
-	linked_list_t *list;
+	/** array of others TS, to recreate enumerator */
+	array_t *array;
 	/** currently enumerating TS for "me" side */
 	traffic_selector_t *ts;
 };
@@ -366,7 +371,7 @@ METHOD(enumerator_t, policy_enumerate, bool,
 		if (!this->other->enumerate(this->other, &other_ts))
 		{	/* end of others list, restart with new of mine */
 			this->other->destroy(this->other);
-			this->other = this->list->create_enumerator(this->list);
+			this->other = array_create_enumerator(this->array);
 			this->ts = NULL;
 			continue;
 		}
@@ -405,9 +410,9 @@ METHOD(child_sa_t, create_policy_enumerator, enumerator_t*,
 			.enumerate = (void*)_policy_enumerate,
 			.destroy = _policy_destroy,
 		},
-		.mine = this->my_ts->create_enumerator(this->my_ts),
-		.other = this->other_ts->create_enumerator(this->other_ts),
-		.list = this->other_ts,
+		.mine = array_create_enumerator(this->my_ts),
+		.other = array_create_enumerator(this->other_ts),
+		.array = this->other_ts,
 		.ts = NULL,
 	);
 
@@ -424,6 +429,7 @@ static status_t update_usebytes(private_child_sa_t *this, bool inbound)
 {
 	status_t status = FAILED;
 	u_int64_t bytes, packets;
+	u_int32_t time;
 
 	if (inbound)
 	{
@@ -432,13 +438,17 @@ static status_t update_usebytes(private_child_sa_t *this, bool inbound)
 			status = hydra->kernel_interface->query_sa(hydra->kernel_interface,
 							this->other_addr, this->my_addr, this->my_spi,
 							proto_ike2ip(this->protocol), this->mark_in,
-							&bytes, &packets);
+							&bytes, &packets, &time);
 			if (status == SUCCESS)
 			{
 				if (bytes > this->my_usebytes)
 				{
 					this->my_usebytes = bytes;
 					this->my_usepackets = packets;
+					if (time)
+					{
+						this->my_usetime = time;
+					}
 					return SUCCESS;
 				}
 				return FAILED;
@@ -452,13 +462,17 @@ static status_t update_usebytes(private_child_sa_t *this, bool inbound)
 			status = hydra->kernel_interface->query_sa(hydra->kernel_interface,
 							this->my_addr, this->other_addr, this->other_spi,
 							proto_ike2ip(this->protocol), this->mark_out,
-							&bytes, &packets);
+							&bytes, &packets, &time);
 			if (status == SUCCESS)
 			{
 				if (bytes > this->other_usebytes)
 				{
 					this->other_usebytes = bytes;
 					this->other_usepackets = packets;
+					if (time)
+					{
+						this->other_usetime = time;
+					}
 					return SUCCESS;
 				}
 				return FAILED;
@@ -471,7 +485,7 @@ static status_t update_usebytes(private_child_sa_t *this, bool inbound)
 /**
  * updates the cached usetime
  */
-static void update_usetime(private_child_sa_t *this, bool inbound)
+static bool update_usetime(private_child_sa_t *this, bool inbound)
 {
 	enumerator_t *enumerator;
 	traffic_selector_t *my_ts, *other_ts;
@@ -511,7 +525,7 @@ static void update_usetime(private_child_sa_t *this, bool inbound)
 
 	if (last_use == 0)
 	{
-		return;
+		return FALSE;
 	}
 	if (inbound)
 	{
@@ -521,18 +535,26 @@ static void update_usetime(private_child_sa_t *this, bool inbound)
 	{
 		this->other_usetime = last_use;
 	}
+	return TRUE;
 }
 
 METHOD(child_sa_t, get_usestats, void,
 	private_child_sa_t *this, bool inbound,
 	time_t *time, u_int64_t *bytes, u_int64_t *packets)
 {
-	if (update_usebytes(this, inbound) != FAILED)
+	if ((!bytes && !packets) || update_usebytes(this, inbound) != FAILED)
 	{
 		/* there was traffic since last update or the kernel interface
 		 * does not support querying the number of usebytes.
 		 */
-		update_usetime(this, inbound);
+		if (time)
+		{
+			if (!update_usetime(this, inbound) && !bytes && !packets)
+			{
+				/* if policy query did not yield a usetime, query SAs instead */
+				update_usebytes(this, inbound);
+			}
+		}
 	}
 	if (time)
 	{
@@ -590,9 +612,9 @@ METHOD(child_sa_t, alloc_cpi, u_int16_t,
 }
 
 METHOD(child_sa_t, install, status_t,
-	   private_child_sa_t *this, chunk_t encr, chunk_t integ, u_int32_t spi,
-	   u_int16_t cpi, bool inbound, bool tfcv3, linked_list_t *my_ts,
-	   linked_list_t *other_ts)
+	private_child_sa_t *this, chunk_t encr, chunk_t integ, u_int32_t spi,
+	u_int16_t cpi, bool initiator, bool inbound, bool tfcv3,
+	linked_list_t *my_ts, linked_list_t *other_ts)
 {
 	u_int16_t enc_alg = ENCR_UNDEFINED, int_alg = AUTH_UNDEFINED, size;
 	u_int16_t esn = NO_EXT_SEQ_NUMBERS;
@@ -668,28 +690,26 @@ METHOD(child_sa_t, install, status_t,
 		lifetime->time.rekey = 0;
 	}
 
-	if (this->mode == MODE_BEET || this->mode == MODE_TRANSPORT)
+	/* BEET requires the bound address from the traffic selectors.
+	 * TODO: We add just the first traffic selector for now, as the
+	 * kernel accepts a single TS per SA only */
+	if (inbound)
 	{
-		/* BEET requires the bound address from the traffic selectors.
-		 * TODO: We add just the first traffic selector for now, as the
-		 * kernel accepts a single TS per SA only */
-		if (inbound)
-		{
-			my_ts->get_first(my_ts, (void**)&dst_ts);
-			other_ts->get_first(other_ts, (void**)&src_ts);
-		}
-		else
-		{
-			my_ts->get_first(my_ts, (void**)&src_ts);
-			other_ts->get_first(other_ts, (void**)&dst_ts);
-		}
+		my_ts->get_first(my_ts, (void**)&dst_ts);
+		other_ts->get_first(other_ts, (void**)&src_ts);
+	}
+	else
+	{
+		my_ts->get_first(my_ts, (void**)&src_ts);
+		other_ts->get_first(other_ts, (void**)&dst_ts);
 	}
 
 	status = hydra->kernel_interface->add_sa(hydra->kernel_interface,
 				src, dst, spi, proto_ike2ip(this->protocol), this->reqid,
 				inbound ? this->mark_in : this->mark_out, tfc,
 				lifetime, enc_alg, encr, int_alg, integ, this->mode,
-				this->ipcomp, cpi, this->encap, esn, update, src_ts, dst_ts);
+				this->ipcomp, cpi, initiator, this->encap, esn, update,
+				src_ts, dst_ts);
 
 	free(lifetime);
 
@@ -757,13 +777,13 @@ METHOD(child_sa_t, add_policies, status_t,
 	enumerator = my_ts_list->create_enumerator(my_ts_list);
 	while (enumerator->enumerate(enumerator, &my_ts))
 	{
-		this->my_ts->insert_last(this->my_ts, my_ts->clone(my_ts));
+		array_insert(this->my_ts, ARRAY_TAIL, my_ts->clone(my_ts));
 	}
 	enumerator->destroy(enumerator);
 	enumerator = other_ts_list->create_enumerator(other_ts_list);
 	while (enumerator->enumerate(enumerator, &other_ts))
 	{
-		this->other_ts->insert_last(this->other_ts, other_ts->clone(other_ts));
+		array_insert(this->other_ts, ARRAY_TAIL, other_ts->clone(other_ts));
 	}
 	enumerator->destroy(enumerator);
 
@@ -1054,8 +1074,8 @@ METHOD(child_sa_t, destroy, void,
 		enumerator->destroy(enumerator);
 	}
 
-	this->my_ts->destroy_offset(this->my_ts, offsetof(traffic_selector_t, destroy));
-	this->other_ts->destroy_offset(this->other_ts, offsetof(traffic_selector_t, destroy));
+	array_destroy_offset(this->my_ts, offsetof(traffic_selector_t, destroy));
+	array_destroy_offset(this->other_ts, offsetof(traffic_selector_t, destroy));
 	this->my_addr->destroy(this->my_addr);
 	this->other_addr->destroy(this->other_addr);
 	DESTROY_IF(this->proposal);
@@ -1063,13 +1083,48 @@ METHOD(child_sa_t, destroy, void,
 	free(this);
 }
 
+/**
+ * Get proxy address for one side, if any
+ */
+static host_t* get_proxy_addr(child_cfg_t *config, host_t *ike, bool local)
+{
+	host_t *host = NULL;
+	u_int8_t mask;
+	enumerator_t *enumerator;
+	linked_list_t *ts_list, *list;
+	traffic_selector_t *ts;
+
+	list = linked_list_create_with_items(ike, NULL);
+	ts_list = config->get_traffic_selectors(config, local, NULL, list);
+	list->destroy(list);
+
+	enumerator = ts_list->create_enumerator(ts_list);
+	while (enumerator->enumerate(enumerator, &ts))
+	{
+		if (ts->is_host(ts, NULL) && ts->to_subnet(ts, &host, &mask))
+		{
+			DBG1(DBG_CHD, "%s address: %H is a transport mode proxy for %H",
+				 local ? "my" : "other", ike, host);
+			break;
+		}
+	}
+	enumerator->destroy(enumerator);
+	ts_list->destroy_offset(ts_list, offsetof(traffic_selector_t, destroy));
+
+	if (!host)
+	{
+		host = ike->clone(ike);
+	}
+	return host;
+}
+
 /**
  * Described in header.
  */
 child_sa_t * child_sa_create(host_t *me, host_t* other,
 							 child_cfg_t *config, u_int32_t rekey, bool encap)
 {
-	static u_int32_t reqid = 0;
+	static refcount_t reqid = 0;
 	private_child_sa_t *this;
 
 	INIT(this,
@@ -1102,17 +1157,15 @@ child_sa_t * child_sa_create(host_t *me, host_t* other,
 			.install = _install,
 			.update = _update,
 			.add_policies = _add_policies,
-			.get_traffic_selectors = _get_traffic_selectors,
+			.create_ts_enumerator = _create_ts_enumerator,
 			.create_policy_enumerator = _create_policy_enumerator,
 			.destroy = _destroy,
 		},
-		.my_addr = me->clone(me),
-		.other_addr = other->clone(other),
 		.encap = encap,
 		.ipcomp = IPCOMP_NONE,
 		.state = CHILD_CREATED,
-		.my_ts = linked_list_create(),
-		.other_ts = linked_list_create(),
+		.my_ts = array_create(0, 0),
+		.other_ts = array_create(0, 0),
 		.protocol = PROTO_NONE,
 		.mode = MODE_TUNNEL,
 		.close_action = config->get_close_action(config),
@@ -1128,7 +1181,18 @@ child_sa_t * child_sa_create(host_t *me, host_t* other,
 	if (!this->reqid)
 	{
 		/* reuse old reqid if we are rekeying an existing CHILD_SA */
-		this->reqid = rekey ? rekey : ++reqid;
+		if (rekey)
+		{
+			this->reqid = rekey;
+		}
+		else
+		{
+			this->reqid = charon->traps->find_reqid(charon->traps, config);
+			if (!this->reqid)
+			{
+				this->reqid = ref_get(&reqid);
+			}
+		}
 	}
 
 	if (this->mark_in.value == MARK_REQID)
@@ -1144,62 +1208,15 @@ child_sa_t * child_sa_create(host_t *me, host_t* other,
 	if (config->get_mode(config) == MODE_TRANSPORT &&
 		config->use_proxy_mode(config))
 	{
-		ts_type_t type;
-		int family;
-		chunk_t addr;
-		host_t *host;
-		enumerator_t *enumerator;
-		linked_list_t *my_ts_list, *other_ts_list, *list;
-		traffic_selector_t *my_ts, *other_ts;
-
 		this->mode = MODE_TRANSPORT;
 
-		list = linked_list_create_with_items(me, NULL);
-		my_ts_list = config->get_traffic_selectors(config, TRUE, NULL, list);
-		list->destroy(list);
-		enumerator = my_ts_list->create_enumerator(my_ts_list);
-		if (enumerator->enumerate(enumerator, &my_ts))
-		{
-			if (my_ts->is_host(my_ts, NULL) &&
-			   !my_ts->is_host(my_ts, this->my_addr))
-			{
-				type = my_ts->get_type(my_ts);
-				family = (type == TS_IPV4_ADDR_RANGE) ? AF_INET : AF_INET6;
-				addr = my_ts->get_from_address(my_ts);
-				host = host_create_from_chunk(family, addr, 0);
-				free(addr.ptr);
-				DBG1(DBG_CHD, "my address: %H is a transport mode proxy for %H",
-							   this->my_addr, host);
-				this->my_addr->destroy(this->my_addr);
-				this->my_addr = host;
-			}
-		}
-		enumerator->destroy(enumerator);
-		my_ts_list->destroy_offset(my_ts_list, offsetof(traffic_selector_t, destroy));
-
-		list = linked_list_create_with_items(other, NULL);
-		other_ts_list = config->get_traffic_selectors(config, FALSE, NULL, list);
-		list->destroy(list);
-		enumerator = other_ts_list->create_enumerator(other_ts_list);
-		if (enumerator->enumerate(enumerator, &other_ts))
-		{
-			if (other_ts->is_host(other_ts, NULL) &&
-			   !other_ts->is_host(other_ts, this->other_addr))
-			{
-				type = other_ts->get_type(other_ts);
-				family = (type == TS_IPV4_ADDR_RANGE) ? AF_INET : AF_INET6;
-				addr = other_ts->get_from_address(other_ts);
-				host = host_create_from_chunk(family, addr, 0);
-				free(addr.ptr);
-				DBG1(DBG_CHD, "other address: %H is a transport mode proxy for %H",
-							   this->other_addr, host);
-				this->other_addr->destroy(this->other_addr);
-				this->other_addr = host;
-			}
-		}
-		enumerator->destroy(enumerator);
-		other_ts_list->destroy_offset(other_ts_list, offsetof(traffic_selector_t, destroy));
+		this->my_addr = get_proxy_addr(config, me, TRUE);
+		this->other_addr = get_proxy_addr(config, other, FALSE);
+	}
+	else
+	{
+		this->my_addr = me->clone(me);
+		this->other_addr = other->clone(other);
 	}
-
 	return &this->public;
 }
diff --git a/src/libcharon/sa/child_sa.h b/src/libcharon/sa/child_sa.h
index 44511edf8..ed52d60b1 100644
--- a/src/libcharon/sa/child_sa.h
+++ b/src/libcharon/sa/child_sa.h
@@ -231,7 +231,7 @@ struct child_sa_t {
 	/**
 	 * Override the DPD action specified by the CHILD_SA config.
 	 *
-	 * @param			close action to enforce
+	 * @param			dpd action to enforce
 	 */
 	void (*set_dpd_action)(child_sa_t *this, action_t action);
 
@@ -284,17 +284,20 @@ struct child_sa_t {
 	mark_t (*get_mark)(child_sa_t *this, bool inbound);
 
 	/**
-	 * Get the traffic selectors list added for one side.
+	 * Create an enumerator over traffic selectors of one side.
 	 *
-	 * @param local		TRUE for own traffic selectors, FALSE for remote
-	 * @return			list of traffic selectors
+	 * @param local		TRUE for own traffic selectors, FALSE for remote.
+	 * @return			enumerator over traffic_selector_t*
 	 */
-	linked_list_t* (*get_traffic_selectors) (child_sa_t *this, bool local);
+	enumerator_t* (*create_ts_enumerator)(child_sa_t *this, bool local);
 
 	/**
 	 * Create an enumerator over installed policies.
 	 *
-	 * @return			enumerator over pairs of traffic selectors.
+	 * The enumerated traffic selectors is a full mesh of compatible local
+	 * and remote traffic selectors.
+	 *
+	 * @return			enumerator over a pair of traffic_selector_t*
 	 */
 	enumerator_t* (*create_policy_enumerator)(child_sa_t *this);
 
@@ -321,6 +324,7 @@ struct child_sa_t {
 	 * @param integ		integrity key
 	 * @param spi		SPI to use, allocated for inbound
 	 * @param cpi		CPI to use, allocated for outbound
+	 * @param initiator	TRUE if initiator of exchange resulting in this SA
 	 * @param inbound	TRUE to install an inbound SA, FALSE for outbound
 	 * @param tfcv3		TRUE if peer supports ESPv3 TFC
 	 * @param my_ts		negotiated local traffic selector list
@@ -328,7 +332,8 @@ struct child_sa_t {
 	 * @return			SUCCESS or FAILED
 	 */
 	status_t (*install)(child_sa_t *this, chunk_t encr, chunk_t integ,
-						u_int32_t spi, u_int16_t cpi, bool inbound, bool tfcv3,
+						u_int32_t spi, u_int16_t cpi,
+						bool initiator, bool inbound, bool tfcv3,
 						linked_list_t *my_ts, linked_list_t *other_ts);
 	/**
 	 * Install the policies using some traffic selectors.
@@ -348,7 +353,7 @@ struct child_sa_t {
 	 * @param me		the new local host
 	 * @param other		the new remote host
 	 * @param vips		list of local virtual IPs
-	 * @param			TRUE to use UDP encapsulation for NAT traversal
+	 * @param encap		TRUE to use UDP encapsulation for NAT traversal
 	 * @return			SUCCESS or FAILED
 	 */
 	status_t (*update)(child_sa_t *this, host_t *me, host_t *other,
diff --git a/src/libcharon/sa/ike_sa.c b/src/libcharon/sa/ike_sa.c
index 63c04d9c0..2f4e1123c 100644
--- a/src/libcharon/sa/ike_sa.c
+++ b/src/libcharon/sa/ike_sa.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2006-2012 Tobias Brunner
+ * Copyright (C) 2006-2013 Tobias Brunner
  * Copyright (C) 2006 Daniel Roethlisberger
  * Copyright (C) 2005-2009 Martin Willi
  * Copyright (C) 2005 Jan Hutter
@@ -26,7 +26,7 @@
 #include <library.h>
 #include <hydra.h>
 #include <daemon.h>
-#include <collections/linked_list.h>
+#include <collections/array.h>
 #include <utils/lexparser.h>
 #include <processing/jobs/retransmit_job.h>
 #include <processing/jobs/delete_ike_sa_job.h>
@@ -95,24 +95,24 @@ struct private_ike_sa_t {
 	peer_cfg_t *peer_cfg;
 
 	/**
-	 * currently used authentication ruleset, local (as auth_cfg_t)
+	 * currently used authentication ruleset, local
 	 */
 	auth_cfg_t *my_auth;
 
 	/**
-	 * list of completed local authentication rounds
+	 * currently used authentication constraints, remote
 	 */
-	linked_list_t *my_auths;
+	auth_cfg_t *other_auth;
 
 	/**
-	 * list of completed remote authentication rounds
+	 * Array of completed local authentication rounds (as auth_cfg_t)
 	 */
-	linked_list_t *other_auths;
+	array_t *my_auths;
 
 	/**
-	 * currently used authentication constraints, remote (as auth_cfg_t)
+	 * Array of completed remote authentication rounds (as auth_cfg_t)
 	 */
-	auth_cfg_t *other_auth;
+	array_t *other_auths;
 
 	/**
 	 * Selected IKE proposal
@@ -172,9 +172,9 @@ struct private_ike_sa_t {
 	ike_condition_t conditions;
 
 	/**
-	 * Linked List containing the child sa's of the current IKE_SA.
+	 * Array containing the child sa's of the current IKE_SA.
 	 */
-	linked_list_t *child_sas;
+	array_t *child_sas;
 
 	/**
 	 * keymat of this IKE_SA
@@ -184,22 +184,22 @@ struct private_ike_sa_t {
 	/**
 	 * Virtual IPs on local host
 	 */
-	linked_list_t *my_vips;
+	array_t *my_vips;
 
 	/**
 	 * Virtual IPs on remote host
 	 */
-	linked_list_t *other_vips;
+	array_t *other_vips;
 
 	/**
 	 * List of configuration attributes (attribute_entry_t)
 	 */
-	linked_list_t *attributes;
+	array_t *attributes;
 
 	/**
 	 * list of peer's addresses, additional ones transmitted via MOBIKE
 	 */
-	linked_list_t *peer_addresses;
+	array_t *peer_addresses;
 
 	/**
 	 * previously value of received DESTINATION_IP hash
@@ -282,7 +282,8 @@ static time_t get_use_time(private_ike_sa_t* this, bool inbound)
 	{
 		use_time = this->stats[STAT_OUTBOUND];
 	}
-	enumerator = this->child_sas->create_enumerator(this->child_sas);
+
+	enumerator = array_create_enumerator(this->child_sas);
 	while (enumerator->enumerate(enumerator, &child_sa))
 	{
 		child_sa->get_usestats(child_sa, inbound, &current, NULL, NULL);
@@ -389,11 +390,11 @@ METHOD(ike_sa_t, add_auth_cfg, void,
 {
 	if (local)
 	{
-		this->my_auths->insert_last(this->my_auths, cfg);
+		array_insert(this->my_auths, ARRAY_TAIL, cfg);
 	}
 	else
 	{
-		this->other_auths->insert_last(this->other_auths, cfg);
+		array_insert(this->other_auths, ARRAY_TAIL, cfg);
 	}
 }
 
@@ -402,9 +403,9 @@ METHOD(ike_sa_t, create_auth_cfg_enumerator, enumerator_t*,
 {
 	if (local)
 	{
-		return this->my_auths->create_enumerator(this->my_auths);
+		return array_create_enumerator(this->my_auths);
 	}
-	return this->other_auths->create_enumerator(this->other_auths);
+	return array_create_enumerator(this->other_auths);
 }
 
 /**
@@ -417,13 +418,11 @@ static void flush_auth_cfgs(private_ike_sa_t *this)
 	this->my_auth->purge(this->my_auth, FALSE);
 	this->other_auth->purge(this->other_auth, FALSE);
 
-	while (this->my_auths->remove_last(this->my_auths,
-									   (void**)&cfg) == SUCCESS)
+	while (array_remove(this->my_auths, ARRAY_TAIL, &cfg))
 	{
 		cfg->destroy(cfg);
 	}
-	while (this->other_auths->remove_last(this->other_auths,
-										  (void**)&cfg) == SUCCESS)
+	while (array_remove(this->other_auths, ARRAY_TAIL, &cfg))
 	{
 		cfg->destroy(cfg);
 	}
@@ -750,7 +749,7 @@ METHOD(ike_sa_t, add_virtual_ip, void,
 			if (hydra->kernel_interface->add_ip(hydra->kernel_interface,
 												ip, -1, iface) == SUCCESS)
 			{
-				this->my_vips->insert_last(this->my_vips, ip->clone(ip));
+				array_insert_create(&this->my_vips, ARRAY_TAIL, ip->clone(ip));
 			}
 			else
 			{
@@ -765,7 +764,7 @@ METHOD(ike_sa_t, add_virtual_ip, void,
 	}
 	else
 	{
-		this->other_vips->insert_last(this->other_vips, ip->clone(ip));
+		array_insert_create(&this->other_vips, ARRAY_TAIL, ip->clone(ip));
 	}
 }
 
@@ -773,14 +772,15 @@ METHOD(ike_sa_t, add_virtual_ip, void,
 METHOD(ike_sa_t, clear_virtual_ips, void,
 	private_ike_sa_t *this, bool local)
 {
-	linked_list_t *vips = local ? this->my_vips : this->other_vips;
+	array_t *vips;
 	host_t *vip;
 
-	if (!local && vips->get_count(vips))
+	vips = local ? this->my_vips : this->other_vips;
+	if (!local && array_count(vips))
 	{
 		charon->bus->assign_vips(charon->bus, &this->public, FALSE);
 	}
-	while (vips->remove_first(vips, (void**)&vip) == SUCCESS)
+	while (array_remove(vips, ARRAY_HEAD, &vip))
 	{
 		if (local)
 		{
@@ -796,23 +796,23 @@ METHOD(ike_sa_t, create_virtual_ip_enumerator, enumerator_t*,
 {
 	if (local)
 	{
-		return this->my_vips->create_enumerator(this->my_vips);
+		return array_create_enumerator(this->my_vips);
 	}
-	return this->other_vips->create_enumerator(this->other_vips);
+	return array_create_enumerator(this->other_vips);
 }
 
 METHOD(ike_sa_t, add_peer_address, void,
 	private_ike_sa_t *this, host_t *host)
 {
-	this->peer_addresses->insert_last(this->peer_addresses, host);
+	array_insert_create(&this->peer_addresses, ARRAY_TAIL, host);
 }
 
 METHOD(ike_sa_t, create_peer_address_enumerator, enumerator_t*,
 	private_ike_sa_t *this)
 {
-	if (this->peer_addresses->get_count(this->peer_addresses))
+	if (this->peer_addresses)
 	{
-		return this->peer_addresses->create_enumerator(this->peer_addresses);
+		return array_create_enumerator(this->peer_addresses);
 	}
 	/* in case we don't have MOBIKE */
 	return enumerator_create_single(this->other_host, NULL);
@@ -821,17 +821,8 @@ METHOD(ike_sa_t, create_peer_address_enumerator, enumerator_t*,
 METHOD(ike_sa_t, clear_peer_addresses, void,
 	private_ike_sa_t *this)
 {
-	enumerator_t *enumerator;
-	host_t *host;
-
-	enumerator = this->peer_addresses->create_enumerator(this->peer_addresses);
-	while (enumerator->enumerate(enumerator, (void**)&host))
-	{
-		this->peer_addresses->remove_at(this->peer_addresses,
-										enumerator);
-		host->destroy(host);
-	}
-	enumerator->destroy(enumerator);
+	array_destroy_offset(this->peer_addresses, offsetof(host_t, destroy));
+	this->peer_addresses = NULL;
 }
 
 METHOD(ike_sa_t, has_mapping_changed, bool,
@@ -927,13 +918,16 @@ METHOD(ike_sa_t, update_hosts, void,
 	{
 		enumerator_t *enumerator;
 		child_sa_t *child_sa;
+		linked_list_t *vips;
 
-		enumerator = this->child_sas->create_enumerator(this->child_sas);
-		while (enumerator->enumerate(enumerator, (void**)&child_sa))
+		vips = linked_list_create_from_enumerator(
+									array_create_enumerator(this->my_vips));
+
+		enumerator = array_create_enumerator(this->child_sas);
+		while (enumerator->enumerate(enumerator, &child_sa))
 		{
-			if (child_sa->update(child_sa, this->my_host,
-						this->other_host, this->my_vips,
-						has_condition(this, COND_NAT_ANY)) == NOT_SUPPORTED)
+			if (child_sa->update(child_sa, this->my_host, this->other_host,
+					vips, has_condition(this, COND_NAT_ANY)) == NOT_SUPPORTED)
 			{
 				this->public.rekey_child_sa(&this->public,
 						child_sa->get_protocol(child_sa),
@@ -941,6 +935,8 @@ METHOD(ike_sa_t, update_hosts, void,
 			}
 		}
 		enumerator->destroy(enumerator);
+
+		vips->destroy(vips);
 	}
 }
 
@@ -1081,6 +1077,20 @@ METHOD(ike_sa_t, initiate_mediated, status_t,
 static void resolve_hosts(private_ike_sa_t *this)
 {
 	host_t *host;
+	int family = 0;
+
+	switch (charon->socket->supported_families(charon->socket))
+	{
+		case SOCKET_FAMILY_IPV4:
+			family = AF_INET;
+			break;
+		case SOCKET_FAMILY_IPV6:
+			family = AF_INET6;
+			break;
+		case SOCKET_FAMILY_BOTH:
+		case SOCKET_FAMILY_NONE:
+			break;
+	}
 
 	if (this->remote_host)
 	{
@@ -1094,7 +1104,7 @@ static void resolve_hosts(private_ike_sa_t *this)
 
 		other_addr = this->ike_cfg->get_other_addr(this->ike_cfg, NULL);
 		other_port = this->ike_cfg->get_other_port(this->ike_cfg);
-		host = host_create_from_dns(other_addr, 0, other_port);
+		host = host_create_from_dns(other_addr, family, other_port);
 	}
 	if (host)
 	{
@@ -1110,7 +1120,6 @@ static void resolve_hosts(private_ike_sa_t *this)
 	{
 		char *my_addr;
 		u_int16_t my_port;
-		int family = 0;
 
 		/* use same address family as for other */
 		if (!this->other_host->is_anyaddr(this->other_host))
@@ -1133,7 +1142,7 @@ static void resolve_hosts(private_ike_sa_t *this)
 			}
 			else
 			{	/* fallback to address family specific %any(6), if configured */
-				host = host_create_from_dns(my_addr, 0, my_port);
+				host = host_create_from_dns(my_addr, family, my_port);
 			}
 		}
 	}
@@ -1313,7 +1322,7 @@ METHOD(ike_sa_t, get_other_eap_id, identification_t*,
 	enumerator_t *enumerator;
 	auth_cfg_t *cfg;
 
-	enumerator = this->other_auths->create_enumerator(this->other_auths);
+	enumerator = array_create_enumerator(this->other_auths);
 	while (enumerator->enumerate(enumerator, &cfg))
 	{
 		/* prefer EAP-Identity of last round */
@@ -1350,7 +1359,7 @@ METHOD(ike_sa_t, set_other_id, void,
 METHOD(ike_sa_t, add_child_sa, void,
 	private_ike_sa_t *this, child_sa_t *child_sa)
 {
-	this->child_sas->insert_last(this->child_sas, child_sa);
+	array_insert_create(&this->child_sas, ARRAY_TAIL, child_sa);
 }
 
 METHOD(ike_sa_t, get_child_sa, child_sa_t*,
@@ -1359,7 +1368,7 @@ METHOD(ike_sa_t, get_child_sa, child_sa_t*,
 	enumerator_t *enumerator;
 	child_sa_t *current, *found = NULL;
 
-	enumerator = this->child_sas->create_enumerator(this->child_sas);
+	enumerator = array_create_enumerator(this->child_sas);
 	while (enumerator->enumerate(enumerator, (void**)&current))
 	{
 		if (current->get_spi(current, inbound) == spi &&
@@ -1375,19 +1384,19 @@ METHOD(ike_sa_t, get_child_sa, child_sa_t*,
 METHOD(ike_sa_t, get_child_count, int,
 	private_ike_sa_t *this)
 {
-	return this->child_sas->get_count(this->child_sas);
+	return array_count(this->child_sas);
 }
 
 METHOD(ike_sa_t, create_child_sa_enumerator, enumerator_t*,
 	private_ike_sa_t *this)
 {
-	return this->child_sas->create_enumerator(this->child_sas);
+	return array_create_enumerator(this->child_sas);
 }
 
 METHOD(ike_sa_t, remove_child_sa, void,
 	private_ike_sa_t *this, enumerator_t *enumerator)
 {
-	this->child_sas->remove_at(this->child_sas, enumerator);
+	array_remove_at(this->child_sas, enumerator);
 }
 
 METHOD(ike_sa_t, rekey_child_sa, status_t,
@@ -1420,13 +1429,13 @@ METHOD(ike_sa_t, destroy_child_sa, status_t,
 	child_sa_t *child_sa;
 	status_t status = NOT_FOUND;
 
-	enumerator = this->child_sas->create_enumerator(this->child_sas);
+	enumerator = array_create_enumerator(this->child_sas);
 	while (enumerator->enumerate(enumerator, (void**)&child_sa))
 	{
 		if (child_sa->get_protocol(child_sa) == protocol &&
 			child_sa->get_spi(child_sa, TRUE) == spi)
 		{
-			this->child_sas->remove_at(this->child_sas, enumerator);
+			array_remove_at(this->child_sas, enumerator);
 			child_sa->destroy(child_sa);
 			status = SUCCESS;
 			break;
@@ -1493,7 +1502,7 @@ METHOD(ike_sa_t, reauth, status_t,
 	if (!has_condition(this, COND_ORIGINAL_INITIATOR))
 	{
 		DBG1(DBG_IKE, "initiator did not reauthenticate as requested");
-		if (this->other_vips->get_count(this->other_vips) != 0 ||
+		if (array_count(this->other_vips) != 0 ||
 			has_condition(this, COND_XAUTH_AUTHENTICATED) ||
 			has_condition(this, COND_EAP_AUTHENTICATED)
 #ifdef ME
@@ -1526,6 +1535,30 @@ METHOD(ike_sa_t, reauth, status_t,
 	return this->task_manager->initiate(this->task_manager);
 }
 
+/**
+ * Check if tasks to create CHILD_SAs are queued in the given queue
+ */
+static bool is_child_queued(private_ike_sa_t *this, task_queue_t queue)
+{
+	enumerator_t *enumerator;
+	task_t *task;
+	bool found = FALSE;
+
+	enumerator = this->task_manager->create_task_enumerator(this->task_manager,
+															queue);
+	while (enumerator->enumerate(enumerator, &task))
+	{
+		if (task->get_type(task) == TASK_CHILD_CREATE ||
+			task->get_type(task) == TASK_QUICK_MODE)
+		{
+			found = TRUE;
+			break;
+		}
+	}
+	enumerator->destroy(enumerator);
+	return found;
+}
+
 METHOD(ike_sa_t, reestablish, status_t,
 	private_ike_sa_t *this)
 {
@@ -1540,7 +1573,7 @@ METHOD(ike_sa_t, reestablish, status_t,
 
 	if (has_condition(this, COND_REAUTHENTICATING))
 	{	/* only reauthenticate if we have children */
-		if (this->child_sas->get_count(this->child_sas) == 0
+		if (array_count(this->child_sas) == 0
 #ifdef ME
 			/* allow reauth of mediation connections without CHILD_SAs */
 			&& !this->peer_cfg->is_mediation(this->peer_cfg)
@@ -1557,7 +1590,7 @@ METHOD(ike_sa_t, reestablish, status_t,
 	}
 	else
 	{	/* check if we have children to keep up at all */
-		enumerator = this->child_sas->create_enumerator(this->child_sas);
+		enumerator = array_create_enumerator(this->child_sas);
 		while (enumerator->enumerate(enumerator, (void**)&child_sa))
 		{
 			if (this->state == IKE_DELETING)
@@ -1575,13 +1608,20 @@ METHOD(ike_sa_t, reestablish, status_t,
 					break;
 				case ACTION_ROUTE:
 					charon->traps->install(charon->traps, this->peer_cfg,
-										   child_sa->get_config(child_sa));
+										   child_sa->get_config(child_sa),
+										   child_sa->get_reqid(child_sa));
 					break;
 				default:
 					break;
 			}
 		}
 		enumerator->destroy(enumerator);
+		/* check if we have tasks that recreate children */
+		if (!restart)
+		{
+			restart = is_child_queued(this, TASK_QUEUE_ACTIVE) ||
+					  is_child_queued(this, TASK_QUEUE_QUEUED);
+		}
 #ifdef ME
 		/* mediation connections have no children, keep them up anyway */
 		if (this->peer_cfg->is_mediation(this->peer_cfg))
@@ -1597,7 +1637,7 @@ METHOD(ike_sa_t, reestablish, status_t,
 
 	/* check if we are able to reestablish this IKE_SA */
 	if (!has_condition(this, COND_ORIGINAL_INITIATOR) &&
-		(this->other_vips->get_count(this->other_vips) != 0 ||
+		(array_count(this->other_vips) != 0 ||
 		 has_condition(this, COND_EAP_AUTHENTICATED)
 #ifdef ME
 		 || this->is_mediation_server
@@ -1620,7 +1660,7 @@ METHOD(ike_sa_t, reestablish, status_t,
 	host = this->my_host;
 	new->set_my_host(new, host->clone(host));
 	/* if we already have a virtual IP, we reuse it */
-	enumerator = this->my_vips->create_enumerator(this->my_vips);
+	enumerator = array_create_enumerator(this->my_vips);
 	while (enumerator->enumerate(enumerator, &host))
 	{
 		new->add_virtual_ip(new, TRUE, host);
@@ -1635,7 +1675,8 @@ METHOD(ike_sa_t, reestablish, status_t,
 	else
 #endif /* ME */
 	{
-		enumerator = this->child_sas->create_enumerator(this->child_sas);
+		/* handle existing CHILD_SAs */
+		enumerator = array_create_enumerator(this->child_sas);
 		while (enumerator->enumerate(enumerator, (void**)&child_sa))
 		{
 			if (has_condition(this, COND_REAUTHENTICATING))
@@ -1644,7 +1685,7 @@ METHOD(ike_sa_t, reestablish, status_t,
 				{
 					case CHILD_ROUTED:
 					{	/* move routed child directly */
-						this->child_sas->remove_at(this->child_sas, enumerator);
+						array_remove_at(this->child_sas, enumerator);
 						new->add_child_sa(new, child_sa);
 						action = ACTION_NONE;
 						break;
@@ -1674,7 +1715,8 @@ METHOD(ike_sa_t, reestablish, status_t,
 					DBG1(DBG_IKE, "restarting CHILD_SA %s",
 						 child_cfg->get_name(child_cfg));
 					child_cfg->get_ref(child_cfg);
-					status = new->initiate(new, child_cfg, 0, NULL, NULL);
+					status = new->initiate(new, child_cfg,
+									child_sa->get_reqid(child_sa), NULL, NULL);
 					break;
 				default:
 					continue;
@@ -1685,6 +1727,16 @@ METHOD(ike_sa_t, reestablish, status_t,
 			}
 		}
 		enumerator->destroy(enumerator);
+		/* adopt any active or queued CHILD-creating tasks */
+		if (status != DESTROY_ME)
+		{
+			task_manager_t *other_tasks = ((private_ike_sa_t*)new)->task_manager;
+			other_tasks->adopt_child_tasks(other_tasks, this->task_manager);
+			if (new->get_state(new) == IKE_CREATED)
+			{
+				status = new->initiate(new, NULL, 0, NULL, NULL);
+			}
+		}
 	}
 
 	if (status == DESTROY_ME)
@@ -1774,7 +1826,7 @@ METHOD(ike_sa_t, set_auth_lifetime, status_t,
 	 * We send the notify in IKE_AUTH if not yet ESTABLISHED. */
 	send_update = this->state == IKE_ESTABLISHED && this->version == IKEV2 &&
 				  !has_condition(this, COND_ORIGINAL_INITIATOR) &&
-				  (this->other_vips->get_count(this->other_vips) != 0 ||
+				  (array_count(this->other_vips) != 0 ||
 				  has_condition(this, COND_EAP_AUTHENTICATED));
 
 	if (lifetime < diff)
@@ -1948,13 +2000,12 @@ METHOD(ike_sa_t, add_configuration_attribute, void,
 	private_ike_sa_t *this, attribute_handler_t *handler,
 	configuration_attribute_type_t type, chunk_t data)
 {
-	attribute_entry_t *entry = malloc_thing(attribute_entry_t);
-
-	entry->handler = handler;
-	entry->type = type;
-	entry->data = chunk_clone(data);
-
-	this->attributes->insert_last(this->attributes, entry);
+	attribute_entry_t entry = {
+		.handler = handler,
+		.type = type,
+		.data = chunk_clone(data),
+	};
+	array_insert(this->attributes, ARRAY_TAIL, &entry);
 }
 
 METHOD(ike_sa_t, create_task_enumerator, enumerator_t*,
@@ -1980,8 +2031,8 @@ METHOD(ike_sa_t, inherit, void,
 {
 	private_ike_sa_t *other = (private_ike_sa_t*)other_public;
 	child_sa_t *child_sa;
-	attribute_entry_t *entry;
 	enumerator_t *enumerator;
+	attribute_entry_t entry;
 	auth_cfg_t *cfg;
 	host_t *vip;
 
@@ -1996,35 +2047,33 @@ METHOD(ike_sa_t, inherit, void,
 	this->other_id = other->other_id->clone(other->other_id);
 
 	/* apply assigned virtual IPs... */
-	while (other->my_vips->remove_last(other->my_vips, (void**)&vip) == SUCCESS)
+	while (array_remove(other->my_vips, ARRAY_HEAD, &vip))
 	{
-		this->my_vips->insert_first(this->my_vips, vip);
+		array_insert_create(&this->my_vips, ARRAY_TAIL, vip);
 	}
-	while (other->other_vips->remove_last(other->other_vips,
-										  (void**)&vip) == SUCCESS)
+	while (array_remove(other->other_vips, ARRAY_HEAD, &vip))
 	{
-		this->other_vips->insert_first(this->other_vips, vip);
+		array_insert_create(&this->other_vips, ARRAY_TAIL, vip);
 	}
 
 	/* authentication information */
-	enumerator = other->my_auths->create_enumerator(other->my_auths);
+	enumerator = array_create_enumerator(other->my_auths);
 	while (enumerator->enumerate(enumerator, &cfg))
 	{
-		this->my_auths->insert_last(this->my_auths, cfg->clone(cfg));
+		array_insert(this->my_auths, ARRAY_TAIL, cfg->clone(cfg));
 	}
 	enumerator->destroy(enumerator);
-	enumerator = other->other_auths->create_enumerator(other->other_auths);
+	enumerator = array_create_enumerator(other->other_auths);
 	while (enumerator->enumerate(enumerator, &cfg))
 	{
-		this->other_auths->insert_last(this->other_auths, cfg->clone(cfg));
+		array_insert(this->other_auths, ARRAY_TAIL, cfg->clone(cfg));
 	}
 	enumerator->destroy(enumerator);
 
 	/* ... and configuration attributes */
-	while (other->attributes->remove_last(other->attributes,
-										  (void**)&entry) == SUCCESS)
+	while (array_remove(other->attributes, ARRAY_HEAD, &entry))
 	{
-		this->attributes->insert_first(this->attributes, entry);
+		array_insert(this->attributes, ARRAY_TAIL, &entry);
 	}
 
 	/* inherit all conditions */
@@ -2047,10 +2096,9 @@ METHOD(ike_sa_t, inherit, void,
 #endif /* ME */
 
 	/* adopt all children */
-	while (other->child_sas->remove_last(other->child_sas,
-										 (void**)&child_sa) == SUCCESS)
+	while (array_remove(other->child_sas, ARRAY_HEAD, &child_sa))
 	{
-		this->child_sas->insert_first(this->child_sas, (void*)child_sa);
+		array_insert_create(&this->child_sas, ARRAY_TAIL, child_sa);
 	}
 
 	/* move pending tasks to the new IKE_SA */
@@ -2077,7 +2125,8 @@ METHOD(ike_sa_t, inherit, void,
 METHOD(ike_sa_t, destroy, void,
 	private_ike_sa_t *this)
 {
-	attribute_entry_t *entry;
+	attribute_entry_t entry;
+	child_sa_t *child_sa;
 	host_t *vip;
 
 	charon->bus->set_sa(charon->bus, &this->public);
@@ -2086,35 +2135,28 @@ METHOD(ike_sa_t, destroy, void,
 	DESTROY_IF(this->task_manager);
 
 	/* remove attributes first, as we pass the IKE_SA to the handler */
-	while (this->attributes->remove_last(this->attributes,
-										 (void**)&entry) == SUCCESS)
+	while (array_remove(this->attributes, ARRAY_TAIL, &entry))
 	{
-		hydra->attributes->release(hydra->attributes, entry->handler,
-								   this->other_id, entry->type, entry->data);
-		free(entry->data.ptr);
-		free(entry);
+		hydra->attributes->release(hydra->attributes, entry.handler,
+								   this->other_id, entry.type, entry.data);
+		free(entry.data.ptr);
 	}
-	this->attributes->destroy(this->attributes);
-
-	this->child_sas->destroy_offset(this->child_sas, offsetof(child_sa_t, destroy));
-
-	/* unset SA after here to avoid usage by the listeners */
-	charon->bus->set_sa(charon->bus, NULL);
-
-	DESTROY_IF(this->keymat);
-
-	while (this->my_vips->remove_last(this->my_vips, (void**)&vip) == SUCCESS)
+	/* uninstall CHILD_SAs before virtual IPs, otherwise we might kill
+	 * routes that the CHILD_SA tries to uninstall. */
+	while (array_remove(this->child_sas, ARRAY_TAIL, &child_sa))
+	{
+		child_sa->destroy(child_sa);
+	}
+	while (array_remove(this->my_vips, ARRAY_TAIL, &vip))
 	{
 		hydra->kernel_interface->del_ip(hydra->kernel_interface, vip, -1, TRUE);
 		vip->destroy(vip);
 	}
-	this->my_vips->destroy(this->my_vips);
-	if (this->other_vips->get_count(this->other_vips))
+	if (array_count(this->other_vips))
 	{
 		charon->bus->assign_vips(charon->bus, &this->public, FALSE);
 	}
-	while (this->other_vips->remove_last(this->other_vips,
-										 (void**)&vip) == SUCCESS)
+	while (array_remove(this->other_vips, ARRAY_TAIL, &vip))
 	{
 		if (this->peer_cfg)
 		{
@@ -2129,9 +2171,16 @@ METHOD(ike_sa_t, destroy, void,
 		}
 		vip->destroy(vip);
 	}
-	this->other_vips->destroy(this->other_vips);
-	this->peer_addresses->destroy_offset(this->peer_addresses,
-										 offsetof(host_t, destroy));
+
+	/* unset SA after here to avoid usage by the listeners */
+	charon->bus->set_sa(charon->bus, NULL);
+
+	array_destroy(this->child_sas);
+	DESTROY_IF(this->keymat);
+	array_destroy(this->attributes);
+	array_destroy(this->my_vips);
+	array_destroy(this->other_vips);
+	array_destroy_offset(this->peer_addresses, offsetof(host_t, destroy));
 #ifdef ME
 	if (this->is_mediation_server)
 	{
@@ -2155,10 +2204,8 @@ METHOD(ike_sa_t, destroy, void,
 	DESTROY_IF(this->proposal);
 	this->my_auth->destroy(this->my_auth);
 	this->other_auth->destroy(this->other_auth);
-	this->my_auths->destroy_offset(this->my_auths,
-								   offsetof(auth_cfg_t, destroy));
-	this->other_auths->destroy_offset(this->other_auths,
-									  offsetof(auth_cfg_t, destroy));
+	array_destroy_offset(this->my_auths, offsetof(auth_cfg_t, destroy));
+	array_destroy_offset(this->other_auths, offsetof(auth_cfg_t, destroy));
 
 	this->ike_sa_id->destroy(this->ike_sa_id);
 	free(this);
@@ -2171,7 +2218,7 @@ ike_sa_t * ike_sa_create(ike_sa_id_t *ike_sa_id, bool initiator,
 						 ike_version_t version)
 {
 	private_ike_sa_t *this;
-	static u_int32_t unique_id = 0;
+	static refcount_t unique_id = 0;
 
 	if (version == IKE_ANY)
 	{	/* prefer IKEv2 if protocol not specified */
@@ -2270,7 +2317,6 @@ ike_sa_t * ike_sa_create(ike_sa_id_t *ike_sa_id, bool initiator,
 		},
 		.ike_sa_id = ike_sa_id->clone(ike_sa_id),
 		.version = version,
-		.child_sas = linked_list_create(),
 		.my_host = host_create_any(AF_INET),
 		.other_host = host_create_any(AF_INET),
 		.my_id = identification_create_from_encoding(ID_ANY, chunk_empty),
@@ -2281,13 +2327,10 @@ ike_sa_t * ike_sa_create(ike_sa_id_t *ike_sa_id, bool initiator,
 		.stats[STAT_OUTBOUND] = time_monotonic(NULL),
 		.my_auth = auth_cfg_create(),
 		.other_auth = auth_cfg_create(),
-		.my_auths = linked_list_create(),
-		.other_auths = linked_list_create(),
-		.unique_id = ++unique_id,
-		.peer_addresses = linked_list_create(),
-		.my_vips = linked_list_create(),
-		.other_vips = linked_list_create(),
-		.attributes = linked_list_create(),
+		.my_auths = array_create(0, 0),
+		.other_auths = array_create(0, 0),
+		.attributes = array_create(sizeof(attribute_entry_t), 0),
+		.unique_id = ref_get(&unique_id),
 		.keepalive_interval = lib->settings->get_time(lib->settings,
 							"%s.keep_alive", KEEPALIVE_INTERVAL, charon->name),
 		.retry_initiate_interval = lib->settings->get_time(lib->settings,
diff --git a/src/libcharon/sa/ike_sa.h b/src/libcharon/sa/ike_sa.h
index 625859a3f..00c16c05e 100644
--- a/src/libcharon/sa/ike_sa.h
+++ b/src/libcharon/sa/ike_sa.h
@@ -200,11 +200,11 @@ enum ike_condition_t {
 enum statistic_t {
 	/** Timestamp of SA establishement */
 	STAT_ESTABLISHED = 0,
-	/** Timestamp of scheudled rekeying */
+	/** Timestamp of scheduled rekeying */
 	STAT_REKEY,
-	/** Timestamp of scheudled reauthentication */
+	/** Timestamp of scheduled reauthentication */
 	STAT_REAUTH,
-	/** Timestamp of scheudled delete */
+	/** Timestamp of scheduled delete */
 	STAT_DELETE,
 	/** Timestamp of last inbound IKE packet */
 	STAT_INBOUND,
@@ -812,10 +812,8 @@ struct ike_sa_t {
 	/**
 	 * Sends a keep alive packet.
 	 *
-	 * To refresh NAT tables in a NAT router
-	 * between the peers, periodic empty
-	 * UDP packets are sent if no other traffic
-	 * was sent.
+	 * To refresh NAT tables in a NAT router between the peers, periodic empty
+	 * UDP packets are sent if no other traffic was sent.
 	 */
 	void (*send_keepalive) (ike_sa_t *this);
 
diff --git a/src/libcharon/sa/ike_sa_id.h b/src/libcharon/sa/ike_sa_id.h
index 227683d1c..5eb754e95 100644
--- a/src/libcharon/sa/ike_sa_id.h
+++ b/src/libcharon/sa/ike_sa_id.h
@@ -86,7 +86,7 @@ struct ike_sa_id_t {
 	bool (*equals) (ike_sa_id_t *this, ike_sa_id_t *other);
 
 	/**
-	 * Replace all values of a given ike_sa_id_t object with values.
+	 * Replace all values of a given ike_sa_id_t object with values
 	 * from another ike_sa_id_t object.
 	 *
 	 * After calling this function, both objects are equal.
diff --git a/src/libcharon/sa/ikev1/task_manager_v1.c b/src/libcharon/sa/ikev1/task_manager_v1.c
index 709033cb5..857cb027e 100644
--- a/src/libcharon/sa/ikev1/task_manager_v1.c
+++ b/src/libcharon/sa/ikev1/task_manager_v1.c
@@ -1753,21 +1753,22 @@ METHOD(task_manager_t, queue_child, void,
 /**
  * Check if two CHILD_SAs have the same traffic selector
  */
-static bool have_equal_ts(child_sa_t *a, child_sa_t *b, bool local)
+static bool have_equal_ts(child_sa_t *child1, child_sa_t *child2, bool local)
 {
-	linked_list_t *list;
-	traffic_selector_t *ts_a, *ts_b;
+	enumerator_t *e1, *e2;
+	traffic_selector_t *ts1, *ts2;
+	bool equal = FALSE;
 
-	list = a->get_traffic_selectors(a, local);
-	if (list->get_first(list, (void**)&ts_a) == SUCCESS)
+	e1 = child1->create_ts_enumerator(child1, local);
+	e2 = child2->create_ts_enumerator(child2, local);
+	if (e1->enumerate(e1, &ts1) && e2->enumerate(e2, &ts2))
 	{
-		list = b->get_traffic_selectors(b, local);
-		if (list->get_first(list, (void**)&ts_b) == SUCCESS)
-		{
-			return ts_a->equals(ts_a, ts_b);
-		}
+		equal = ts1->equals(ts1, ts2);
 	}
-	return FALSE;
+	e1->destroy(e1);
+	e1->destroy(e1);
+
+	return equal;
 }
 
 /**
@@ -1806,14 +1807,13 @@ static bool is_redundant(private_task_manager_t *this, child_sa_t *child_sa)
 static traffic_selector_t* get_first_ts(child_sa_t *child_sa, bool local)
 {
 	traffic_selector_t *ts = NULL;
-	linked_list_t *list;
+	enumerator_t *enumerator;
 
-	list = child_sa->get_traffic_selectors(child_sa, local);
-	if (list->get_first(list, (void**)&ts) == SUCCESS)
-	{
-		return ts;
-	}
-	return NULL;
+	enumerator = child_sa->create_ts_enumerator(child_sa, local);
+	enumerator->enumerate(enumerator, &ts);
+	enumerator->destroy(enumerator);
+
+	return ts;
 }
 
 METHOD(task_manager_t, queue_child_rekey, void,
@@ -1900,6 +1900,39 @@ METHOD(task_manager_t, adopt_tasks, void,
 	}
 }
 
+/**
+ * Migrates child-creating tasks from src to dst
+ */
+static void migrate_child_tasks(private_task_manager_t *this,
+								linked_list_t *src, linked_list_t *dst)
+{
+	enumerator_t *enumerator;
+	task_t *task;
+
+	enumerator = src->create_enumerator(src);
+	while (enumerator->enumerate(enumerator, &task))
+	{
+		if (task->get_type(task) == TASK_QUICK_MODE)
+		{
+			src->remove_at(src, enumerator);
+			task->migrate(task, this->ike_sa);
+			dst->insert_last(dst, task);
+		}
+	}
+	enumerator->destroy(enumerator);
+}
+
+METHOD(task_manager_t, adopt_child_tasks, void,
+	private_task_manager_t *this, task_manager_t *other_public)
+{
+	private_task_manager_t *other = (private_task_manager_t*)other_public;
+
+	/* move active child tasks from other to this */
+	migrate_child_tasks(this, other->active_tasks, this->queued_tasks);
+	/* do the same for queued tasks */
+	migrate_child_tasks(this, other->queued_tasks, this->queued_tasks);
+}
+
 METHOD(task_manager_t, busy, bool,
 	private_task_manager_t *this)
 {
@@ -2014,6 +2047,7 @@ task_manager_v1_t *task_manager_v1_create(ike_sa_t *ike_sa)
 				.incr_mid = _incr_mid,
 				.reset = _reset,
 				.adopt_tasks = _adopt_tasks,
+				.adopt_child_tasks = _adopt_child_tasks,
 				.busy = _busy,
 				.create_task_enumerator = _create_task_enumerator,
 				.flush_queue = _flush_queue,
diff --git a/src/libcharon/sa/ikev1/tasks/isakmp_delete.c b/src/libcharon/sa/ikev1/tasks/isakmp_delete.c
index 0640d13b1..a44f3c4a9 100644
--- a/src/libcharon/sa/ikev1/tasks/isakmp_delete.c
+++ b/src/libcharon/sa/ikev1/tasks/isakmp_delete.c
@@ -85,6 +85,11 @@ METHOD(task_t, process_r, status_t,
 		 this->ike_sa->get_other_host(this->ike_sa),
 		 this->ike_sa->get_other_id(this->ike_sa));
 
+	if (this->ike_sa->get_state(this->ike_sa) == IKE_ESTABLISHED)
+	{
+		this->ike_sa->set_state(this->ike_sa, IKE_DELETING);
+		this->ike_sa->reestablish(this->ike_sa);
+	}
 	this->ike_sa->set_state(this->ike_sa, IKE_DELETING);
 	charon->bus->ike_updown(charon->bus, this->ike_sa, FALSE);
 	return DESTROY_ME;
diff --git a/src/libcharon/sa/ikev1/tasks/isakmp_natd.c b/src/libcharon/sa/ikev1/tasks/isakmp_natd.c
index 5a779ff62..fc6ac0771 100644
--- a/src/libcharon/sa/ikev1/tasks/isakmp_natd.c
+++ b/src/libcharon/sa/ikev1/tasks/isakmp_natd.c
@@ -96,6 +96,20 @@ struct private_isakmp_natd_t {
 	bool dst_matched;
 };
 
+/**
+ * Check if UDP encapsulation has to be forced either by config or required
+ * by the kernel interface
+ */
+static bool force_encap(ike_cfg_t *ike_cfg)
+{
+	if (!ike_cfg->force_encap(ike_cfg))
+	{
+		return hydra->kernel_interface->get_features(hydra->kernel_interface) &
+					KERNEL_REQUIRE_UDP_ENCAPSULATION;
+	}
+	return TRUE;
+}
+
 /**
  * Get NAT-D payload type (RFC 3947 or RFC 3947 drafts).
  */
@@ -183,7 +197,7 @@ static hash_payload_t *build_natd_payload(private_isakmp_natd_t *this, bool src,
 	chunk_t hash;
 
 	config = this->ike_sa->get_ike_cfg(this->ike_sa);
-	if (src && config->force_encap(config))
+	if (src && force_encap(config))
 	{
 		hash = generate_natd_hash_faked(this);
 	}
@@ -297,7 +311,7 @@ static void process_payloads(private_isakmp_natd_t *this, message_t *message)
 									!this->src_matched);
 		config = this->ike_sa->get_ike_cfg(this->ike_sa);
 		if (this->dst_matched && this->src_matched &&
-			config->force_encap(config))
+			force_encap(config))
 		{
 			this->ike_sa->set_condition(this->ike_sa, COND_NAT_FAKE, TRUE);
 		}
diff --git a/src/libcharon/sa/ikev1/tasks/isakmp_vendor.c b/src/libcharon/sa/ikev1/tasks/isakmp_vendor.c
index 2ff2b55e9..11155b287 100644
--- a/src/libcharon/sa/ikev1/tasks/isakmp_vendor.c
+++ b/src/libcharon/sa/ikev1/tasks/isakmp_vendor.c
@@ -67,6 +67,11 @@ struct private_isakmp_vendor_t {
 	 * Index of best nat traversal VID found
 	 */
 	int best_natt_ext;
+
+	/**
+	 * Number of times we have been invoked
+	 */
+	int count;
 };
 
 /**
@@ -175,8 +180,10 @@ static bool fragmentation_supported(chunk_t data, int i)
 	return FALSE;
 }
 
-METHOD(task_t, build, status_t,
-	private_isakmp_vendor_t *this, message_t *message)
+/**
+ * Add supported vendor ID payloads
+ */
+static void build(private_isakmp_vendor_t *this, message_t *message)
 {
 	vendor_id_payload_t *vid_payload;
 	bool strongswan, cisco_unity, fragmentation;
@@ -219,11 +226,12 @@ METHOD(task_t, build, status_t,
 			message->add_payload(message, &vid_payload->payload_interface);
 		}
 	}
-	return this->initiator ? NEED_MORE : SUCCESS;
 }
 
-METHOD(task_t, process, status_t,
-	private_isakmp_vendor_t *this, message_t *message)
+/**
+ * Process vendor ID payloads
+ */
+static void process(private_isakmp_vendor_t *this, message_t *message)
 {
 	enumerator_t *enumerator;
 	payload_t *payload;
@@ -289,14 +297,64 @@ METHOD(task_t, process, status_t,
 		this->ike_sa->enable_extension(this->ike_sa,
 								vendor_natt_ids[this->best_natt_ext].extension);
 	}
+}
 
-	return this->initiator ? SUCCESS : NEED_MORE;
+METHOD(task_t, build_i, status_t,
+	private_isakmp_vendor_t *this, message_t *message)
+{
+	if (this->count++ == 0)
+	{
+		build(this, message);
+	}
+	if (message->get_exchange_type(message) == AGGRESSIVE && this->count > 1)
+	{
+		return SUCCESS;
+	}
+	return NEED_MORE;
+}
+
+METHOD(task_t, process_r, status_t,
+	private_isakmp_vendor_t *this, message_t *message)
+{
+	this->count++;
+	process(this, message);
+	if (message->get_exchange_type(message) == AGGRESSIVE && this->count > 1)
+	{
+		return SUCCESS;
+	}
+	return NEED_MORE;
+}
+
+METHOD(task_t, build_r, status_t,
+	private_isakmp_vendor_t *this, message_t *message)
+{
+	if (this->count == 1)
+	{
+		build(this, message);
+	}
+	if (message->get_exchange_type(message) == ID_PROT && this->count > 2)
+	{
+		return SUCCESS;
+	}
+	return NEED_MORE;
+}
+
+METHOD(task_t, process_i, status_t,
+	private_isakmp_vendor_t *this, message_t *message)
+{
+	process(this, message);
+	if (message->get_exchange_type(message) == ID_PROT && this->count > 2)
+	{
+		return SUCCESS;
+	}
+	return NEED_MORE;
 }
 
 METHOD(task_t, migrate, void,
 	private_isakmp_vendor_t *this, ike_sa_t *ike_sa)
 {
 	this->ike_sa = ike_sa;
+	this->count = 0;
 }
 
 METHOD(task_t, get_type, task_type_t,
@@ -321,8 +379,6 @@ isakmp_vendor_t *isakmp_vendor_create(ike_sa_t *ike_sa, bool initiator)
 	INIT(this,
 		.public = {
 			.task = {
-				.build = _build,
-				.process = _process,
 				.migrate = _migrate,
 				.get_type = _get_type,
 				.destroy = _destroy,
@@ -333,5 +389,16 @@ isakmp_vendor_t *isakmp_vendor_create(ike_sa_t *ike_sa, bool initiator)
 		.best_natt_ext = -1,
 	);
 
+	if (initiator)
+	{
+		this->public.task.build = _build_i;
+		this->public.task.process = _process_i;
+	}
+	else
+	{
+		this->public.task.build = _build_r;
+		this->public.task.process = _process_r;
+	}
+
 	return &this->public;
 }
diff --git a/src/libcharon/sa/ikev1/tasks/quick_delete.c b/src/libcharon/sa/ikev1/tasks/quick_delete.c
index e9f06cbe3..1a2cdb777 100644
--- a/src/libcharon/sa/ikev1/tasks/quick_delete.c
+++ b/src/libcharon/sa/ikev1/tasks/quick_delete.c
@@ -12,6 +12,27 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  */
+/*
+ * Copyright (C) 2013 Oliver Smith
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ */
 
 #include "quick_delete.h"
 
@@ -64,11 +85,13 @@ struct private_quick_delete_t {
 /**
  * Delete the specified CHILD_SA, if found
  */
-static bool delete_child(private_quick_delete_t *this,
-						 protocol_id_t protocol, u_int32_t spi)
+static bool delete_child(private_quick_delete_t *this, protocol_id_t protocol,
+						 u_int32_t spi, bool remote_close)
 {
 	u_int64_t bytes_in, bytes_out;
 	child_sa_t *child_sa;
+	linked_list_t *my_ts, *other_ts;
+	child_cfg_t *child_cfg;
 	bool rekeyed;
 
 	child_sa = this->ike_sa->get_child_sa(this->ike_sa, protocol, spi, TRUE);
@@ -85,15 +108,17 @@ static bool delete_child(private_quick_delete_t *this,
 	rekeyed = child_sa->get_state(child_sa) == CHILD_REKEYING;
 	child_sa->set_state(child_sa, CHILD_DELETING);
 
+	my_ts = linked_list_create_from_enumerator(
+							child_sa->create_ts_enumerator(child_sa, TRUE));
+	other_ts = linked_list_create_from_enumerator(
+							child_sa->create_ts_enumerator(child_sa, FALSE));
 	if (this->expired)
 	{
 		DBG0(DBG_IKE, "closing expired CHILD_SA %s{%d} "
 			 "with SPIs %.8x_i %.8x_o and TS %#R=== %#R",
 			 child_sa->get_name(child_sa), child_sa->get_reqid(child_sa),
 			 ntohl(child_sa->get_spi(child_sa, TRUE)),
-			 ntohl(child_sa->get_spi(child_sa, FALSE)),
-			 child_sa->get_traffic_selectors(child_sa, TRUE),
-			 child_sa->get_traffic_selectors(child_sa, FALSE));
+			 ntohl(child_sa->get_spi(child_sa, FALSE)), my_ts, other_ts);
 	}
 	else
 	{
@@ -105,18 +130,39 @@ static bool delete_child(private_quick_delete_t *this,
 			 child_sa->get_name(child_sa), child_sa->get_reqid(child_sa),
 			 ntohl(child_sa->get_spi(child_sa, TRUE)), bytes_in,
 			 ntohl(child_sa->get_spi(child_sa, FALSE)), bytes_out,
-			 child_sa->get_traffic_selectors(child_sa, TRUE),
-			 child_sa->get_traffic_selectors(child_sa, FALSE));
+			 my_ts, other_ts);
 	}
+	my_ts->destroy(my_ts);
+	other_ts->destroy(other_ts);
 
 	if (!rekeyed)
 	{
 		charon->bus->child_updown(charon->bus, child_sa, FALSE);
-	}
 
-	this->ike_sa->destroy_child_sa(this->ike_sa, protocol, spi);
+		if (remote_close)
+		{
+			child_cfg = child_sa->get_config(child_sa);
+			child_cfg->get_ref(child_cfg);
 
-	/* TODO-IKEv1: handle close action? */
+			switch (child_sa->get_close_action(child_sa))
+			{
+				case ACTION_RESTART:
+					child_cfg->get_ref(child_cfg);
+					this->ike_sa->initiate(this->ike_sa, child_cfg,
+									child_sa->get_reqid(child_sa), NULL, NULL);
+					break;
+				case ACTION_ROUTE:
+					charon->traps->install(charon->traps,
+									this->ike_sa->get_peer_cfg(this->ike_sa),
+									child_cfg, child_sa->get_reqid(child_sa));
+					break;
+				default:
+					break;
+			}
+			child_cfg->destroy(child_cfg);
+		}
+	}
+	this->ike_sa->destroy_child_sa(this->ike_sa, protocol, spi);
 
 	return TRUE;
 }
@@ -124,7 +170,7 @@ static bool delete_child(private_quick_delete_t *this,
 METHOD(task_t, build_i, status_t,
 	private_quick_delete_t *this, message_t *message)
 {
-	if (delete_child(this, this->protocol, this->spi) || this->force)
+	if (delete_child(this, this->protocol, this->spi, FALSE) || this->force)
 	{
 		delete_payload_t *delete_payload;
 
@@ -172,7 +218,7 @@ METHOD(task_t, process_r, status_t,
 			{
 				DBG1(DBG_IKE, "received DELETE for %N CHILD_SA with SPI %.8x",
 					 protocol_id_names, protocol, ntohl(spi));
-				if (!delete_child(this, protocol, spi))
+				if (!delete_child(this, protocol, spi, TRUE))
 				{
 					DBG1(DBG_IKE, "CHILD_SA not found, ignored");
 					continue;
diff --git a/src/libcharon/sa/ikev1/tasks/quick_mode.c b/src/libcharon/sa/ikev1/tasks/quick_mode.c
index 7a0fb5788..6271e5b05 100644
--- a/src/libcharon/sa/ikev1/tasks/quick_mode.c
+++ b/src/libcharon/sa/ikev1/tasks/quick_mode.c
@@ -259,7 +259,7 @@ static bool install(private_quick_mode_t *this)
 {
 	status_t status, status_i, status_o;
 	chunk_t encr_i, encr_r, integ_i, integ_r;
-	linked_list_t *tsi, *tsr;
+	linked_list_t *tsi, *tsr, *my_ts, *other_ts;
 	child_sa_t *old = NULL;
 
 	this->child_sa->set_proposal(this->child_sa, this->proposal);
@@ -306,17 +306,21 @@ static bool install(private_quick_mode_t *this)
 	{
 		if (this->initiator)
 		{
-			status_i = this->child_sa->install(this->child_sa, encr_r, integ_r,
-							this->spi_i, this->cpi_i, TRUE, FALSE, tsi, tsr);
-			status_o = this->child_sa->install(this->child_sa, encr_i, integ_i,
-							this->spi_r, this->cpi_r, FALSE, FALSE, tsi, tsr);
+			status_i = this->child_sa->install(this->child_sa,
+									encr_r, integ_r, this->spi_i, this->cpi_i,
+									this->initiator, TRUE, FALSE, tsi, tsr);
+			status_o = this->child_sa->install(this->child_sa,
+									encr_i, integ_i, this->spi_r, this->cpi_r,
+									this->initiator, FALSE, FALSE, tsi, tsr);
 		}
 		else
 		{
-			status_i = this->child_sa->install(this->child_sa, encr_i, integ_i,
-							this->spi_r, this->cpi_r, TRUE, FALSE, tsr, tsi);
-			status_o = this->child_sa->install(this->child_sa, encr_r, integ_r,
-							this->spi_i, this->cpi_i, FALSE, FALSE, tsr, tsi);
+			status_i = this->child_sa->install(this->child_sa,
+									encr_i, integ_i, this->spi_r, this->cpi_r,
+									this->initiator, TRUE, FALSE, tsr, tsi);
+			status_o = this->child_sa->install(this->child_sa,
+									encr_r, integ_r, this->spi_i, this->cpi_i,
+									this->initiator, FALSE, FALSE, tsr, tsi);
 		}
 	}
 	chunk_clear(&integ_i);
@@ -358,14 +362,20 @@ static bool install(private_quick_mode_t *this)
 	this->child_sa->set_state(this->child_sa, CHILD_INSTALLED);
 	this->ike_sa->add_child_sa(this->ike_sa, this->child_sa);
 
+	my_ts = linked_list_create_from_enumerator(
+				this->child_sa->create_ts_enumerator(this->child_sa, TRUE));
+	other_ts = linked_list_create_from_enumerator(
+				this->child_sa->create_ts_enumerator(this->child_sa, FALSE));
+
 	DBG0(DBG_IKE, "CHILD_SA %s{%d} established "
 		 "with SPIs %.8x_i %.8x_o and TS %#R=== %#R",
 		 this->child_sa->get_name(this->child_sa),
 		 this->child_sa->get_reqid(this->child_sa),
 		 ntohl(this->child_sa->get_spi(this->child_sa, TRUE)),
-		 ntohl(this->child_sa->get_spi(this->child_sa, FALSE)),
-		 this->child_sa->get_traffic_selectors(this->child_sa, TRUE),
-		 this->child_sa->get_traffic_selectors(this->child_sa, FALSE));
+		 ntohl(this->child_sa->get_spi(this->child_sa, FALSE)), my_ts, other_ts);
+
+	my_ts->destroy(my_ts);
+	other_ts->destroy(other_ts);
 
 	if (this->rekey)
 	{
@@ -500,33 +510,11 @@ static traffic_selector_t* select_ts(private_quick_mode_t *this, bool local,
 static void add_ts(private_quick_mode_t *this, message_t *message)
 {
 	id_payload_t *id_payload;
-	host_t *hsi, *hsr;
 
-	if (this->initiator)
-	{
-		hsi = this->ike_sa->get_my_host(this->ike_sa);
-		hsr = this->ike_sa->get_other_host(this->ike_sa);
-	}
-	else
-	{
-		hsr = this->ike_sa->get_my_host(this->ike_sa);
-		hsi = this->ike_sa->get_other_host(this->ike_sa);
-	}
-	/* add ID payload only if negotiating non host2host tunnels */
-	if (!this->tsi->is_host(this->tsi, hsi) ||
-		!this->tsr->is_host(this->tsr, hsr) ||
-		this->tsi->get_protocol(this->tsi) ||
-		this->tsr->get_protocol(this->tsr) ||
-		this->tsi->get_from_port(this->tsi) ||
-		this->tsr->get_from_port(this->tsr) ||
-		this->tsi->get_to_port(this->tsi) != 65535 ||
-		this->tsr->get_to_port(this->tsr) != 65535)
-	{
-		id_payload = id_payload_create_from_ts(this->tsi);
-		message->add_payload(message, &id_payload->payload_interface);
-		id_payload = id_payload_create_from_ts(this->tsr);
-		message->add_payload(message, &id_payload->payload_interface);
-	}
+	id_payload = id_payload_create_from_ts(this->tsi);
+	message->add_payload(message, &id_payload->payload_interface);
+	id_payload = id_payload_create_from_ts(this->tsr);
+	message->add_payload(message, &id_payload->payload_interface);
 }
 
 /**
@@ -774,19 +762,11 @@ METHOD(task_t, build_i, status_t,
 
 			if (this->config->use_ipcomp(this->config))
 			{
-				if (this->udp)
-				{
-					DBG1(DBG_IKE, "IPComp is not supported if either peer is "
-						 "natted, IPComp disabled");
-				}
-				else
+				this->cpi_i = this->child_sa->alloc_cpi(this->child_sa);
+				if (!this->cpi_i)
 				{
-					this->cpi_i = this->child_sa->alloc_cpi(this->child_sa);
-					if (!this->cpi_i)
-					{
-						DBG1(DBG_IKE, "unable to allocate a CPI from kernel, "
-							 "IPComp disabled");
-					}
+					DBG1(DBG_IKE, "unable to allocate a CPI from kernel, "
+						 "IPComp disabled");
 				}
 			}
 
@@ -1009,21 +989,13 @@ METHOD(task_t, process_r, status_t,
 
 			if (this->config->use_ipcomp(this->config))
 			{
-				if (this->ike_sa->has_condition(this->ike_sa, COND_NAT_ANY))
-				{
-					DBG1(DBG_IKE, "IPComp is not supported if either peer is "
-						 "natted, IPComp disabled");
-				}
-				else
+				list = sa_payload->get_ipcomp_proposals(sa_payload,
+														&this->cpi_i);
+				if (!list->get_count(list))
 				{
-					list = sa_payload->get_ipcomp_proposals(sa_payload,
-															&this->cpi_i);
-					if (!list->get_count(list))
-					{
-						DBG1(DBG_IKE, "expected IPComp proposal but peer did "
-							 "not send one, IPComp disabled");
-						this->cpi_i = 0;
-					}
+					DBG1(DBG_IKE, "expected IPComp proposal but peer did "
+						 "not send one, IPComp disabled");
+					this->cpi_i = 0;
 				}
 			}
 			if (!list || !list->get_count(list))
diff --git a/src/libcharon/sa/ikev2/task_manager_v2.c b/src/libcharon/sa/ikev2/task_manager_v2.c
index 5298abf79..a6af744fc 100644
--- a/src/libcharon/sa/ikev2/task_manager_v2.c
+++ b/src/libcharon/sa/ikev2/task_manager_v2.c
@@ -18,6 +18,7 @@
 
 #include <math.h>
 
+#include <collections/array.h>
 #include <daemon.h>
 #include <sa/ikev2/tasks/ike_init.h>
 #include <sa/ikev2/tasks/ike_natd.h>
@@ -122,19 +123,19 @@ struct private_task_manager_t {
 	} initiating;
 
 	/**
-	 * List of queued tasks not yet in action
+	 * Array of queued tasks not yet in action
 	 */
-	linked_list_t *queued_tasks;
+	array_t *queued_tasks;
 
 	/**
-	 * List of active tasks, initiated by ourselve
+	 * Array of active tasks, initiated by ourselve
 	 */
-	linked_list_t *active_tasks;
+	array_t *active_tasks;
 
 	/**
-	 * List of tasks initiated by peer
+	 * Array of tasks initiated by peer
 	 */
-	linked_list_t *passive_tasks;
+	array_t *passive_tasks;
 
 	/**
 	 * the task manager has been reset
@@ -160,24 +161,24 @@ struct private_task_manager_t {
 METHOD(task_manager_t, flush_queue, void,
 	private_task_manager_t *this, task_queue_t queue)
 {
-	linked_list_t *list;
+	array_t *array;
 	task_t *task;
 
 	switch (queue)
 	{
 		case TASK_QUEUE_ACTIVE:
-			list = this->active_tasks;
+			array = this->active_tasks;
 			break;
 		case TASK_QUEUE_PASSIVE:
-			list = this->passive_tasks;
+			array = this->passive_tasks;
 			break;
 		case TASK_QUEUE_QUEUED:
-			list = this->queued_tasks;
+			array = this->queued_tasks;
 			break;
 		default:
 			return;
 	}
-	while (list->remove_last(list, (void**)&task) == SUCCESS)
+	while (array_remove(array, ARRAY_TAIL, &task))
 	{
 		task->destroy(task);
 	}
@@ -202,14 +203,14 @@ static bool activate_task(private_task_manager_t *this, task_type_t type)
 	task_t *task;
 	bool found = FALSE;
 
-	enumerator = this->queued_tasks->create_enumerator(this->queued_tasks);
+	enumerator = array_create_enumerator(this->queued_tasks);
 	while (enumerator->enumerate(enumerator, (void**)&task))
 	{
 		if (task->get_type(task) == type)
 		{
 			DBG2(DBG_IKE, "  activating %N task", task_type_names, type);
-			this->queued_tasks->remove_at(this->queued_tasks, enumerator);
-			this->active_tasks->insert_last(this->active_tasks, task);
+			array_remove_at(this->queued_tasks, enumerator);
+			array_insert(this->active_tasks, ARRAY_TAIL, task);
 			found = TRUE;
 			break;
 		}
@@ -231,7 +232,7 @@ METHOD(task_manager_t, retransmit, status_t,
 		ike_mobike_t *mobike = NULL;
 
 		/* check if we are retransmitting a MOBIKE routability check */
-		enumerator = this->active_tasks->create_enumerator(this->active_tasks);
+		enumerator = array_create_enumerator(this->active_tasks);
 		while (enumerator->enumerate(enumerator, (void*)&task))
 		{
 			if (task->get_type(task) == TASK_IKE_MOBIKE)
@@ -319,7 +320,7 @@ METHOD(task_manager_t, initiate, status_t,
 		return SUCCESS;
 	}
 
-	if (this->active_tasks->get_count(this->active_tasks) == 0)
+	if (array_count(this->active_tasks) == 0)
 	{
 		DBG2(DBG_IKE, "activating new tasks");
 		switch (this->ike_sa->get_state(this->ike_sa))
@@ -414,8 +415,8 @@ METHOD(task_manager_t, initiate, status_t,
 	else
 	{
 		DBG2(DBG_IKE, "reinitiating already active tasks");
-		enumerator = this->active_tasks->create_enumerator(this->active_tasks);
-		while (enumerator->enumerate(enumerator, (void**)&task))
+		enumerator = array_create_enumerator(this->active_tasks);
+		while (enumerator->enumerate(enumerator, &task))
 		{
 			DBG2(DBG_IKE, "  %N task", task_type_names, task->get_type(task));
 			switch (task->get_type(task))
@@ -460,14 +461,14 @@ METHOD(task_manager_t, initiate, status_t,
 	this->initiating.type = exchange;
 	this->initiating.retransmitted = 0;
 
-	enumerator = this->active_tasks->create_enumerator(this->active_tasks);
-	while (enumerator->enumerate(enumerator, (void*)&task))
+	enumerator = array_create_enumerator(this->active_tasks);
+	while (enumerator->enumerate(enumerator, &task))
 	{
 		switch (task->build(task, message))
 		{
 			case SUCCESS:
 				/* task completed, remove it */
-				this->active_tasks->remove_at(this->active_tasks, enumerator);
+				array_remove_at(this->active_tasks, enumerator);
 				task->destroy(task);
 				break;
 			case NEED_MORE:
@@ -507,6 +508,9 @@ METHOD(task_manager_t, initiate, status_t,
 	}
 	message->destroy(message);
 
+	array_compress(this->active_tasks);
+	array_compress(this->queued_tasks);
+
 	return retransmit(this, this->initiating.mid);
 }
 
@@ -530,14 +534,14 @@ static status_t process_response(private_task_manager_t *this,
 
 	/* catch if we get resetted while processing */
 	this->reset = FALSE;
-	enumerator = this->active_tasks->create_enumerator(this->active_tasks);
-	while (enumerator->enumerate(enumerator, (void*)&task))
+	enumerator = array_create_enumerator(this->active_tasks);
+	while (enumerator->enumerate(enumerator, &task))
 	{
 		switch (task->process(task, message))
 		{
 			case SUCCESS:
 				/* task completed, remove it */
-				this->active_tasks->remove_at(this->active_tasks, enumerator);
+				array_remove_at(this->active_tasks, enumerator);
 				task->destroy(task);
 				break;
 			case NEED_MORE:
@@ -549,7 +553,7 @@ static status_t process_response(private_task_manager_t *this,
 				/* FALL */
 			case DESTROY_ME:
 				/* critical failure, destroy IKE_SA */
-				this->active_tasks->remove_at(this->active_tasks, enumerator);
+				array_remove_at(this->active_tasks, enumerator);
 				enumerator->destroy(enumerator);
 				task->destroy(task);
 				return DESTROY_ME;
@@ -568,6 +572,8 @@ static status_t process_response(private_task_manager_t *this,
 	this->initiating.packet->destroy(this->initiating.packet);
 	this->initiating.packet = NULL;
 
+	array_compress(this->active_tasks);
+
 	return initiate(this);
 }
 
@@ -588,8 +594,8 @@ static bool handle_collisions(private_task_manager_t *this, task_t *task)
 		type == TASK_IKE_REAUTH)
 	{
 		/* find an exchange collision, and notify these tasks */
-		enumerator = this->active_tasks->create_enumerator(this->active_tasks);
-		while (enumerator->enumerate(enumerator, (void**)&active))
+		enumerator = array_create_enumerator(this->active_tasks);
+		while (enumerator->enumerate(enumerator, &active))
 		{
 			switch (active->get_type(active))
 			{
@@ -646,14 +652,14 @@ static status_t build_response(private_task_manager_t *this, message_t *request)
 	message->set_message_id(message, this->responding.mid);
 	message->set_request(message, FALSE);
 
-	enumerator = this->passive_tasks->create_enumerator(this->passive_tasks);
+	enumerator = array_create_enumerator(this->passive_tasks);
 	while (enumerator->enumerate(enumerator, (void*)&task))
 	{
 		switch (task->build(task, message))
 		{
 			case SUCCESS:
 				/* task completed, remove it */
-				this->passive_tasks->remove_at(this->passive_tasks, enumerator);
+				array_remove_at(this->passive_tasks, enumerator);
 				if (!handle_collisions(this, task))
 				{
 					task->destroy(task);
@@ -663,8 +669,7 @@ static status_t build_response(private_task_manager_t *this, message_t *request)
 				/* processed, but task needs another exchange */
 				if (handle_collisions(this, task))
 				{
-					this->passive_tasks->remove_at(this->passive_tasks,
-												   enumerator);
+					array_remove_at(this->passive_tasks, enumerator);
 				}
 				break;
 			case FAILED:
@@ -721,6 +726,9 @@ static status_t build_response(private_task_manager_t *this, message_t *request)
 		}
 		return DESTROY_ME;
 	}
+
+	array_compress(this->passive_tasks);
+
 	return SUCCESS;
 }
 
@@ -736,37 +744,37 @@ static status_t process_request(private_task_manager_t *this,
 	notify_payload_t *notify;
 	delete_payload_t *delete;
 
-	if (this->passive_tasks->get_count(this->passive_tasks) == 0)
+	if (array_count(this->passive_tasks) == 0)
 	{	/* create tasks depending on request type, if not already some queued */
 		switch (message->get_exchange_type(message))
 		{
 			case IKE_SA_INIT:
 			{
 				task = (task_t*)ike_vendor_create(this->ike_sa, FALSE);
-				this->passive_tasks->insert_last(this->passive_tasks, task);
+				array_insert(this->passive_tasks, ARRAY_TAIL, task);
 				task = (task_t*)ike_init_create(this->ike_sa, FALSE, NULL);
-				this->passive_tasks->insert_last(this->passive_tasks, task);
+				array_insert(this->passive_tasks, ARRAY_TAIL, task);
 				task = (task_t*)ike_natd_create(this->ike_sa, FALSE);
-				this->passive_tasks->insert_last(this->passive_tasks, task);
+				array_insert(this->passive_tasks, ARRAY_TAIL, task);
 				task = (task_t*)ike_cert_pre_create(this->ike_sa, FALSE);
-				this->passive_tasks->insert_last(this->passive_tasks, task);
+				array_insert(this->passive_tasks, ARRAY_TAIL, task);
 #ifdef ME
 				task = (task_t*)ike_me_create(this->ike_sa, FALSE);
-				this->passive_tasks->insert_last(this->passive_tasks, task);
+				array_insert(this->passive_tasks, ARRAY_TAIL, task);
 #endif /* ME */
 				task = (task_t*)ike_auth_create(this->ike_sa, FALSE);
-				this->passive_tasks->insert_last(this->passive_tasks, task);
+				array_insert(this->passive_tasks, ARRAY_TAIL, task);
 				task = (task_t*)ike_cert_post_create(this->ike_sa, FALSE);
-				this->passive_tasks->insert_last(this->passive_tasks, task);
+				array_insert(this->passive_tasks, ARRAY_TAIL, task);
 				task = (task_t*)ike_config_create(this->ike_sa, FALSE);
-				this->passive_tasks->insert_last(this->passive_tasks, task);
+				array_insert(this->passive_tasks, ARRAY_TAIL, task);
 				task = (task_t*)child_create_create(this->ike_sa, NULL, FALSE,
 													NULL, NULL);
-				this->passive_tasks->insert_last(this->passive_tasks, task);
+				array_insert(this->passive_tasks, ARRAY_TAIL, task);
 				task = (task_t*)ike_auth_lifetime_create(this->ike_sa, FALSE);
-				this->passive_tasks->insert_last(this->passive_tasks, task);
+				array_insert(this->passive_tasks, ARRAY_TAIL, task);
 				task = (task_t*)ike_mobike_create(this->ike_sa, FALSE);
-				this->passive_tasks->insert_last(this->passive_tasks, task);
+				array_insert(this->passive_tasks, ARRAY_TAIL, task);
 				break;
 			}
 			case CREATE_CHILD_SA:
@@ -817,7 +825,7 @@ static status_t process_request(private_task_manager_t *this,
 				{
 					task = (task_t*)ike_rekey_create(this->ike_sa, FALSE);
 				}
-				this->passive_tasks->insert_last(this->passive_tasks, task);
+				array_insert(this->passive_tasks, ARRAY_TAIL, task);
 				break;
 			}
 			case INFORMATIONAL:
@@ -849,6 +857,12 @@ static status_t process_request(private_task_manager_t *this,
 									task = (task_t*)ike_auth_lifetime_create(
 															this->ike_sa, FALSE);
 									break;
+								case AUTHENTICATION_FAILED:
+									/* initiator failed to authenticate us.
+									 * We use ike_delete to handle this, which
+									 * invokes all the required hooks. */
+									task = (task_t*)ike_delete_create(
+														this->ike_sa, FALSE);
 								default:
 									break;
 							}
@@ -883,14 +897,14 @@ static status_t process_request(private_task_manager_t *this,
 				{
 					task = (task_t*)ike_dpd_create(FALSE);
 				}
-				this->passive_tasks->insert_last(this->passive_tasks, task);
+				array_insert(this->passive_tasks, ARRAY_TAIL, task);
 				break;
 			}
 #ifdef ME
 			case ME_CONNECT:
 			{
 				task = (task_t*)ike_me_create(this->ike_sa, FALSE);
-				this->passive_tasks->insert_last(this->passive_tasks, task);
+				array_insert(this->passive_tasks, ARRAY_TAIL, task);
 			}
 #endif /* ME */
 			default:
@@ -899,14 +913,14 @@ static status_t process_request(private_task_manager_t *this,
 	}
 
 	/* let the tasks process the message */
-	enumerator = this->passive_tasks->create_enumerator(this->passive_tasks);
+	enumerator = array_create_enumerator(this->passive_tasks);
 	while (enumerator->enumerate(enumerator, (void*)&task))
 	{
 		switch (task->process(task, message))
 		{
 			case SUCCESS:
 				/* task completed, remove it */
-				this->passive_tasks->remove_at(this->passive_tasks, enumerator);
+				array_remove_at(this->passive_tasks, enumerator);
 				task->destroy(task);
 				break;
 			case NEED_MORE:
@@ -918,7 +932,7 @@ static status_t process_request(private_task_manager_t *this,
 				/* FALL */
 			case DESTROY_ME:
 				/* critical failure, destroy IKE_SA */
-				this->passive_tasks->remove_at(this->passive_tasks, enumerator);
+				array_remove_at(this->passive_tasks, enumerator);
 				enumerator->destroy(enumerator);
 				task->destroy(task);
 				return DESTROY_ME;
@@ -1078,6 +1092,7 @@ METHOD(task_manager_t, process_message, status_t,
 	host_t *me, *other;
 	status_t status;
 	u_int32_t mid;
+	bool schedule_delete_job = FALSE;
 
 	charon->bus->message(charon->bus, msg, TRUE, FALSE);
 	status = parse_message(this, msg);
@@ -1092,9 +1107,8 @@ METHOD(task_manager_t, process_message, status_t,
 	/* if this IKE_SA is virgin, we check for a config */
 	if (this->ike_sa->get_ike_cfg(this->ike_sa) == NULL)
 	{
-		ike_sa_id_t *ike_sa_id;
 		ike_cfg_t *ike_cfg;
-		job_t *job;
+
 		ike_cfg = charon->backends->get_ike_cfg(charon->backends,
 												me, other, IKEV2);
 		if (ike_cfg == NULL)
@@ -1109,12 +1123,7 @@ METHOD(task_manager_t, process_message, status_t,
 		this->ike_sa->set_ike_cfg(this->ike_sa, ike_cfg);
 		ike_cfg->destroy(ike_cfg);
 		/* add a timeout if peer does not establish it completely */
-		ike_sa_id = this->ike_sa->get_id(this->ike_sa);
-		job = (job_t*)delete_ike_sa_job_create(ike_sa_id, FALSE);
-		lib->scheduler->schedule_job(lib->scheduler, job,
-				lib->settings->get_int(lib->settings,
-						"%s.half_open_timeout", HALF_OPEN_IKE_SA_TIMEOUT,
-						charon->name));
+		schedule_delete_job = TRUE;
 	}
 	this->ike_sa->set_statistic(this->ike_sa, STAT_INBOUND,
 								time_monotonic(NULL));
@@ -1213,6 +1222,19 @@ METHOD(task_manager_t, process_message, status_t,
 			return SUCCESS;
 		}
 	}
+
+	if (schedule_delete_job)
+	{
+		ike_sa_id_t *ike_sa_id;
+		job_t *job;
+
+		ike_sa_id = this->ike_sa->get_id(this->ike_sa);
+		job = (job_t*)delete_ike_sa_job_create(ike_sa_id, FALSE);
+		lib->scheduler->schedule_job(lib->scheduler, job,
+				lib->settings->get_int(lib->settings,
+						"%s.half_open_timeout", HALF_OPEN_IKE_SA_TIMEOUT,
+						charon->name));
+	}
 	return SUCCESS;
 }
 
@@ -1224,8 +1246,8 @@ METHOD(task_manager_t, queue_task, void,
 		enumerator_t *enumerator;
 		task_t *current;
 
-		enumerator = this->queued_tasks->create_enumerator(this->queued_tasks);
-		while (enumerator->enumerate(enumerator, (void**)&current))
+		enumerator = array_create_enumerator(this->queued_tasks);
+		while (enumerator->enumerate(enumerator, &current))
 		{
 			if (current->get_type(current) == TASK_IKE_MOBIKE)
 			{
@@ -1237,7 +1259,7 @@ METHOD(task_manager_t, queue_task, void,
 		enumerator->destroy(enumerator);
 	}
 	DBG2(DBG_IKE, "queueing %N task", task_type_names, task->get_type(task));
-	this->queued_tasks->insert_last(this->queued_tasks, task);
+	array_insert(this->queued_tasks, ARRAY_TAIL, task);
 }
 
 /**
@@ -1249,7 +1271,7 @@ static bool has_queued(private_task_manager_t *this, task_type_t type)
 	bool found = FALSE;
 	task_t *task;
 
-	enumerator = this->queued_tasks->create_enumerator(this->queued_tasks);
+	enumerator = array_create_enumerator(this->queued_tasks);
 	while (enumerator->enumerate(enumerator, &task))
 	{
 		if (task->get_type(task) == type)
@@ -1404,19 +1426,51 @@ METHOD(task_manager_t, adopt_tasks, void,
 	task_t *task;
 
 	/* move queued tasks from other to this */
-	while (other->queued_tasks->remove_last(other->queued_tasks,
-												(void**)&task) == SUCCESS)
+	while (array_remove(other->queued_tasks, ARRAY_TAIL, &task))
 	{
 		DBG2(DBG_IKE, "migrating %N task", task_type_names, task->get_type(task));
 		task->migrate(task, this->ike_sa);
-		this->queued_tasks->insert_first(this->queued_tasks, task);
+		array_insert(this->queued_tasks, ARRAY_HEAD, task);
+	}
+}
+
+/**
+ * Migrates child-creating tasks from src to dst
+ */
+static void migrate_child_tasks(private_task_manager_t *this,
+								array_t *src, array_t *dst)
+{
+	enumerator_t *enumerator;
+	task_t *task;
+
+	enumerator = array_create_enumerator(src);
+	while (enumerator->enumerate(enumerator, &task))
+	{
+		if (task->get_type(task) == TASK_CHILD_CREATE)
+		{
+			array_remove_at(src, enumerator);
+			task->migrate(task, this->ike_sa);
+			array_insert(dst, ARRAY_TAIL, task);
+		}
 	}
+	enumerator->destroy(enumerator);
+}
+
+METHOD(task_manager_t, adopt_child_tasks, void,
+	private_task_manager_t *this, task_manager_t *other_public)
+{
+	private_task_manager_t *other = (private_task_manager_t*)other_public;
+
+	/* move active child tasks from other to this */
+	migrate_child_tasks(this, other->active_tasks, this->queued_tasks);
+	/* do the same for queued tasks */
+	migrate_child_tasks(this, other->queued_tasks, this->queued_tasks);
 }
 
 METHOD(task_manager_t, busy, bool,
 	private_task_manager_t *this)
 {
-	return (this->active_tasks->get_count(this->active_tasks) > 0);
+	return array_count(this->active_tasks) > 0;
 }
 
 METHOD(task_manager_t, reset, void,
@@ -1441,7 +1495,7 @@ METHOD(task_manager_t, reset, void,
 	this->initiating.type = EXCHANGE_TYPE_UNDEFINED;
 
 	/* reset queued tasks */
-	enumerator = this->queued_tasks->create_enumerator(this->queued_tasks);
+	enumerator = array_create_enumerator(this->queued_tasks);
 	while (enumerator->enumerate(enumerator, &task))
 	{
 		task->migrate(task, this->ike_sa);
@@ -1449,11 +1503,10 @@ METHOD(task_manager_t, reset, void,
 	enumerator->destroy(enumerator);
 
 	/* reset active tasks */
-	while (this->active_tasks->remove_last(this->active_tasks,
-										   (void**)&task) == SUCCESS)
+	while (array_remove(this->active_tasks, ARRAY_TAIL, &task))
 	{
 		task->migrate(task, this->ike_sa);
-		this->queued_tasks->insert_first(this->queued_tasks, task);
+		array_insert(this->queued_tasks, ARRAY_HEAD, task);
 	}
 
 	this->reset = TRUE;
@@ -1465,11 +1518,11 @@ METHOD(task_manager_t, create_task_enumerator, enumerator_t*,
 	switch (queue)
 	{
 		case TASK_QUEUE_ACTIVE:
-			return this->active_tasks->create_enumerator(this->active_tasks);
+			return array_create_enumerator(this->active_tasks);
 		case TASK_QUEUE_PASSIVE:
-			return this->passive_tasks->create_enumerator(this->passive_tasks);
+			return array_create_enumerator(this->passive_tasks);
 		case TASK_QUEUE_QUEUED:
-			return this->queued_tasks->create_enumerator(this->queued_tasks);
+			return array_create_enumerator(this->queued_tasks);
 		default:
 			return enumerator_create_empty();
 	}
@@ -1480,9 +1533,9 @@ METHOD(task_manager_t, destroy, void,
 {
 	flush(this);
 
-	this->active_tasks->destroy(this->active_tasks);
-	this->queued_tasks->destroy(this->queued_tasks);
-	this->passive_tasks->destroy(this->passive_tasks);
+	array_destroy(this->active_tasks);
+	array_destroy(this->queued_tasks);
+	array_destroy(this->passive_tasks);
 
 	DESTROY_IF(this->responding.packet);
 	DESTROY_IF(this->initiating.packet);
@@ -1515,6 +1568,7 @@ task_manager_v2_t *task_manager_v2_create(ike_sa_t *ike_sa)
 				.incr_mid = _incr_mid,
 				.reset = _reset,
 				.adopt_tasks = _adopt_tasks,
+				.adopt_child_tasks = _adopt_child_tasks,
 				.busy = _busy,
 				.create_task_enumerator = _create_task_enumerator,
 				.flush_queue = _flush_queue,
@@ -1523,9 +1577,9 @@ task_manager_v2_t *task_manager_v2_create(ike_sa_t *ike_sa)
 		},
 		.ike_sa = ike_sa,
 		.initiating.type = EXCHANGE_TYPE_UNDEFINED,
-		.queued_tasks = linked_list_create(),
-		.active_tasks = linked_list_create(),
-		.passive_tasks = linked_list_create(),
+		.queued_tasks = array_create(0, 0),
+		.active_tasks = array_create(0, 0),
+		.passive_tasks = array_create(0, 0),
 		.retransmit_tries = lib->settings->get_int(lib->settings,
 					"%s.retransmit_tries", RETRANSMIT_TRIES, charon->name),
 		.retransmit_timeout = lib->settings->get_double(lib->settings,
diff --git a/src/libcharon/sa/ikev2/tasks/child_create.c b/src/libcharon/sa/ikev2/tasks/child_create.c
index 32c0e8c4a..8ae36af84 100644
--- a/src/libcharon/sa/ikev2/tasks/child_create.c
+++ b/src/libcharon/sa/ikev2/tasks/child_create.c
@@ -27,6 +27,7 @@
 #include <encoding/payloads/ts_payload.h>
 #include <encoding/payloads/nonce_payload.h>
 #include <encoding/payloads/notify_payload.h>
+#include <encoding/payloads/delete_payload.h>
 #include <processing/jobs/delete_ike_sa_job.h>
 #include <processing/jobs/inactivity_job.h>
 
@@ -341,6 +342,79 @@ static linked_list_t *get_dynamic_hosts(ike_sa_t *ike_sa, bool local)
 	return list;
 }
 
+/**
+ * Substitude any host address with NATed address in traffic selector
+ */
+static linked_list_t* get_transport_nat_ts(private_child_create_t *this,
+										   bool local, linked_list_t *in)
+{
+	enumerator_t *enumerator;
+	linked_list_t *out;
+	traffic_selector_t *ts;
+	host_t *ike, *first = NULL;
+	u_int8_t mask;
+
+	if (local)
+	{
+		ike = this->ike_sa->get_my_host(this->ike_sa);
+	}
+	else
+	{
+		ike = this->ike_sa->get_other_host(this->ike_sa);
+	}
+
+	out = linked_list_create();
+
+	enumerator = in->create_enumerator(in);
+	while (enumerator->enumerate(enumerator, &ts))
+	{
+		/* require that all selectors match the first "host" selector */
+		if (ts->is_host(ts, first))
+		{
+			if (!first)
+			{
+				ts->to_subnet(ts, &first, &mask);
+			}
+			ts = ts->clone(ts);
+			ts->set_address(ts, ike);
+			out->insert_last(out, ts);
+		}
+	}
+	enumerator->destroy(enumerator);
+	DESTROY_IF(first);
+
+	return out;
+}
+
+/**
+ * Narrow received traffic selectors with configuration
+ */
+static linked_list_t* narrow_ts(private_child_create_t *this, bool local,
+								linked_list_t *in)
+{
+	linked_list_t *hosts, *nat, *ts;
+	ike_condition_t cond;
+
+	cond = local ? COND_NAT_HERE : COND_NAT_THERE;
+	hosts = get_dynamic_hosts(this->ike_sa, local);
+
+	if (this->mode == MODE_TRANSPORT &&
+		this->ike_sa->has_condition(this->ike_sa, cond))
+	{
+		nat = get_transport_nat_ts(this, local, in);
+		ts = this->config->get_traffic_selectors(this->config, local, nat, hosts);
+		nat->destroy_offset(nat, offsetof(traffic_selector_t, destroy));
+	}
+	else
+	{
+		ts = this->config->get_traffic_selectors(this->config, local, in, hosts);
+	}
+
+	hosts->destroy(hosts);
+
+	return ts;
+}
+
 /**
  * Install a CHILD_SA for usage, return value:
  * - FAILED: no acceptable proposal
@@ -354,7 +428,7 @@ static status_t select_and_install(private_child_create_t *this,
 	chunk_t nonce_i, nonce_r;
 	chunk_t encr_i = chunk_empty, encr_r = chunk_empty;
 	chunk_t integ_i = chunk_empty, integ_r = chunk_empty;
-	linked_list_t *my_ts, *other_ts, *list;
+	linked_list_t *my_ts, *other_ts;
 	host_t *me, *other;
 	bool private;
 
@@ -415,24 +489,16 @@ static status_t select_and_install(private_child_create_t *this,
 	{
 		nonce_i = this->my_nonce;
 		nonce_r = this->other_nonce;
-		my_ts = this->tsi;
-		other_ts = this->tsr;
+		my_ts = narrow_ts(this, TRUE, this->tsi);
+		other_ts = narrow_ts(this, FALSE, this->tsr);
 	}
 	else
 	{
 		nonce_r = this->my_nonce;
 		nonce_i = this->other_nonce;
-		my_ts = this->tsr;
-		other_ts = this->tsi;
+		my_ts = narrow_ts(this, TRUE, this->tsr);
+		other_ts = narrow_ts(this, FALSE, this->tsi);
 	}
-	list = get_dynamic_hosts(this->ike_sa, TRUE);
-	my_ts = this->config->get_traffic_selectors(this->config,
-												TRUE, my_ts, list);
-	list->destroy(list);
-	list = get_dynamic_hosts(this->ike_sa, FALSE);
-	other_ts = this->config->get_traffic_selectors(this->config,
-												FALSE, other_ts, list);
-	list->destroy(list);
 
 	if (this->initiator)
 	{
@@ -489,10 +555,9 @@ static status_t select_and_install(private_child_create_t *this,
 					this->mode = MODE_TUNNEL;
 					DBG1(DBG_IKE, "not using transport mode, not host-to-host");
 				}
-				else if (this->ike_sa->has_condition(this->ike_sa, COND_NAT_ANY))
+				if (this->config->get_mode(this->config) != MODE_TRANSPORT)
 				{
 					this->mode = MODE_TUNNEL;
-					DBG1(DBG_IKE, "not using transport mode, connection NATed");
 				}
 				break;
 			case MODE_BEET:
@@ -502,6 +567,10 @@ static status_t select_and_install(private_child_create_t *this,
 					this->mode = MODE_TUNNEL;
 					DBG1(DBG_IKE, "not using BEET mode, not host-to-host");
 				}
+				if (this->config->get_mode(this->config) != MODE_BEET)
+				{
+					this->mode = MODE_TUNNEL;
+				}
 				break;
 			default:
 				break;
@@ -525,20 +594,20 @@ static status_t select_and_install(private_child_create_t *this,
 	{
 		if (this->initiator)
 		{
-			status_i = this->child_sa->install(this->child_sa,
-							encr_r, integ_r, this->my_spi, this->my_cpi,
+			status_i = this->child_sa->install(this->child_sa, encr_r, integ_r,
+							this->my_spi, this->my_cpi, this->initiator,
 							TRUE, this->tfcv3, my_ts, other_ts);
-			status_o = this->child_sa->install(this->child_sa,
-							encr_i, integ_i, this->other_spi, this->other_cpi,
+			status_o = this->child_sa->install(this->child_sa, encr_i, integ_i,
+							this->other_spi, this->other_cpi, this->initiator,
 							FALSE, this->tfcv3, my_ts, other_ts);
 		}
 		else
 		{
-			status_i = this->child_sa->install(this->child_sa,
-							encr_i, integ_i, this->my_spi, this->my_cpi,
+			status_i = this->child_sa->install(this->child_sa, encr_i, integ_i,
+							this->my_spi, this->my_cpi, this->initiator,
 							TRUE, this->tfcv3, my_ts, other_ts);
-			status_o = this->child_sa->install(this->child_sa,
-							encr_r, integ_r, this->other_spi, this->other_cpi,
+			status_o = this->child_sa->install(this->child_sa, encr_r, integ_r,
+							this->other_spi, this->other_cpi, this->initiator,
 							FALSE, this->tfcv3, my_ts, other_ts);
 		}
 	}
@@ -604,6 +673,22 @@ static status_t select_and_install(private_child_create_t *this,
 	{	/* a rekeyed SA uses the same reqid, no need for a new job */
 		schedule_inactivity_timeout(this);
 	}
+
+	my_ts = linked_list_create_from_enumerator(
+				this->child_sa->create_ts_enumerator(this->child_sa, TRUE));
+	other_ts = linked_list_create_from_enumerator(
+				this->child_sa->create_ts_enumerator(this->child_sa, FALSE));
+
+	DBG0(DBG_IKE, "CHILD_SA %s{%d} established "
+		 "with SPIs %.8x_i %.8x_o and TS %#R=== %#R",
+		 this->child_sa->get_name(this->child_sa),
+		 this->child_sa->get_reqid(this->child_sa),
+		 ntohl(this->child_sa->get_spi(this->child_sa, TRUE)),
+		 ntohl(this->child_sa->get_spi(this->child_sa, FALSE)), my_ts, other_ts);
+
+	my_ts->destroy(my_ts);
+	other_ts->destroy(other_ts);
+
 	return SUCCESS;
 }
 
@@ -678,13 +763,6 @@ static void build_payloads(private_child_create_t *this, message_t *message)
 static void add_ipcomp_notify(private_child_create_t *this,
 								  message_t *message, u_int8_t ipcomp)
 {
-	if (this->ike_sa->has_condition(this->ike_sa, COND_NAT_ANY))
-	{
-		DBG1(DBG_IKE, "IPComp is not supported if either peer is natted, "
-			 "IPComp disabled");
-		return;
-	}
-
 	this->my_cpi = this->child_sa->alloc_cpi(this->child_sa);
 	if (this->my_cpi)
 	{
@@ -901,12 +979,6 @@ METHOD(task_t, build_i, status_t,
 	this->proposals = this->config->get_proposals(this->config,
 												  this->dh_group == MODP_NONE);
 	this->mode = this->config->get_mode(this->config);
-	if (this->mode == MODE_TRANSPORT &&
-		this->ike_sa->has_condition(this->ike_sa, COND_NAT_ANY))
-	{
-		this->mode = MODE_TUNNEL;
-		DBG1(DBG_IKE, "not using transport mode, connection NATed");
-	}
 
 	this->child_sa = child_sa_create(this->ike_sa->get_my_host(this->ike_sa),
 			this->ike_sa->get_other_host(this->ike_sa), this->config, this->reqid,
@@ -1002,10 +1074,77 @@ static void handle_child_sa_failure(private_child_create_t *this,
 	}
 }
 
+/**
+ * Substitute transport mode NAT selectors, if applicable
+ */
+static linked_list_t* get_ts_if_nat_transport(private_child_create_t *this,
+											  bool local, linked_list_t *in)
+{
+	linked_list_t *out = NULL;
+	ike_condition_t cond;
+
+	if (this->mode == MODE_TRANSPORT)
+	{
+		cond = local ? COND_NAT_HERE : COND_NAT_THERE;
+		if (this->ike_sa->has_condition(this->ike_sa, cond))
+		{
+			out = get_transport_nat_ts(this, local, in);
+			if (out->get_count(out) == 0)
+			{
+				out->destroy(out);
+				out = NULL;
+			}
+		}
+	}
+	return out;
+}
+
+/**
+ * Select a matching CHILD config as responder
+ */
+static child_cfg_t* select_child_cfg(private_child_create_t *this)
+{
+	peer_cfg_t *peer_cfg;
+	child_cfg_t *child_cfg = NULL;;
+
+	peer_cfg = this->ike_sa->get_peer_cfg(this->ike_sa);
+	if (peer_cfg && this->tsi && this->tsr)
+	{
+		linked_list_t *listr, *listi, *tsr, *tsi;
+
+		tsr = get_ts_if_nat_transport(this, TRUE, this->tsr);
+		tsi = get_ts_if_nat_transport(this, FALSE, this->tsi);
+
+		listr = get_dynamic_hosts(this->ike_sa, TRUE);
+		listi = get_dynamic_hosts(this->ike_sa, FALSE);
+		child_cfg = peer_cfg->select_child_cfg(peer_cfg,
+											tsr ?: this->tsr, tsi ?: this->tsi,
+											listr, listi);
+		if ((tsi || tsr) && child_cfg &&
+			child_cfg->get_mode(child_cfg) != MODE_TRANSPORT)
+		{
+			/* found a CHILD config, but it doesn't use transport mode */
+			child_cfg->destroy(child_cfg);
+			child_cfg = NULL;
+		}
+		if (!child_cfg && (tsi || tsr))
+		{
+			/* no match for the substituted NAT selectors, try it without */
+			child_cfg = peer_cfg->select_child_cfg(peer_cfg,
+											this->tsr, this->tsi, listr, listi);
+		}
+		listr->destroy(listr);
+		listi->destroy(listi);
+		DESTROY_OFFSET_IF(tsi, offsetof(traffic_selector_t, destroy));
+		DESTROY_OFFSET_IF(tsr, offsetof(traffic_selector_t, destroy));
+	}
+
+	return child_cfg;
+}
+
 METHOD(task_t, build_r, status_t,
 	private_child_create_t *this, message_t *message)
 {
-	peer_cfg_t *peer_cfg;
 	payload_t *payload;
 	enumerator_t *enumerator;
 	bool no_dh = TRUE, ike_auth = FALSE;
@@ -1040,19 +1179,10 @@ METHOD(task_t, build_r, status_t,
 		return SUCCESS;
 	}
 
-	peer_cfg = this->ike_sa->get_peer_cfg(this->ike_sa);
-	if (!this->config && peer_cfg && this->tsi && this->tsr)
+	if (this->config == NULL)
 	{
-		linked_list_t *listr, *listi;
-
-		listr = get_dynamic_hosts(this->ike_sa, TRUE);
-		listi = get_dynamic_hosts(this->ike_sa, FALSE);
-		this->config = peer_cfg->select_child_cfg(peer_cfg,
-											this->tsr, this->tsi, listr, listi);
-		listr->destroy(listr);
-		listi->destroy(listi);
+		this->config = select_child_cfg(this);
 	}
-
 	if (this->config == NULL)
 	{
 		DBG1(DBG_IKE, "traffic selectors %#R=== %#R inacceptable",
@@ -1131,15 +1261,6 @@ METHOD(task_t, build_r, status_t,
 
 	build_payloads(this, message);
 
-	DBG0(DBG_IKE, "CHILD_SA %s{%d} established "
-		 "with SPIs %.8x_i %.8x_o and TS %#R=== %#R",
-		 this->child_sa->get_name(this->child_sa),
-		 this->child_sa->get_reqid(this->child_sa),
-		 ntohl(this->child_sa->get_spi(this->child_sa, TRUE)),
-		 ntohl(this->child_sa->get_spi(this->child_sa, FALSE)),
-		 this->child_sa->get_traffic_selectors(this->child_sa, TRUE),
-		 this->child_sa->get_traffic_selectors(this->child_sa, FALSE));
-
 	if (!this->rekey)
 	{	/* invoke the child_up() hook if we are not rekeying */
 		charon->bus->child_updown(charon->bus, this->child_sa, TRUE);
@@ -1147,6 +1268,57 @@ METHOD(task_t, build_r, status_t,
 	return SUCCESS;
 }
 
+/**
+ * Raise alerts for received notify errors
+ */
+static void raise_alerts(private_child_create_t *this, notify_type_t type)
+{
+	linked_list_t *list;
+
+	switch (type)
+	{
+		case NO_PROPOSAL_CHOSEN:
+			list = this->config->get_proposals(this->config, FALSE);
+			charon->bus->alert(charon->bus, ALERT_PROPOSAL_MISMATCH_CHILD, list);
+			list->destroy_offset(list, offsetof(proposal_t, destroy));
+			break;
+		default:
+			break;
+	}
+}
+
+METHOD(task_t, build_i_delete, status_t,
+	private_child_create_t *this, message_t *message)
+{
+	message->set_exchange_type(message, INFORMATIONAL);
+	if (this->child_sa && this->proposal)
+	{
+		protocol_id_t proto;
+		delete_payload_t *del;
+		u_int32_t spi;
+
+		proto = this->proposal->get_protocol(this->proposal);
+		spi = this->child_sa->get_spi(this->child_sa, TRUE);
+		del = delete_payload_create(DELETE, proto);
+		del->add_spi(del, spi);
+		message->add_payload(message, (payload_t*)del);
+
+		DBG1(DBG_IKE, "sending DELETE for %N CHILD_SA with SPI %.8x",
+			 protocol_id_names, proto, ntohl(spi));
+	}
+	return NEED_MORE;
+}
+
+/**
+ * Change task to delete the failed CHILD_SA as initiator
+ */
+static status_t delete_failed_sa(private_child_create_t *this)
+{
+	this->public.task.build = _build_i_delete;
+	this->public.task.process = (void*)return_success;
+	return NEED_MORE;
+}
+
 METHOD(task_t, process_i, status_t,
 	private_child_create_t *this, message_t *message)
 {
@@ -1195,6 +1367,7 @@ METHOD(task_t, process_i, status_t,
 					DBG1(DBG_IKE, "received %N notify, no CHILD_SA built",
 						 notify_type_names, type);
 					enumerator->destroy(enumerator);
+					raise_alerts(this, type);
 					handle_child_sa_failure(this, message);
 					/* an error in CHILD_SA creation is not critical */
 					return SUCCESS;
@@ -1247,7 +1420,7 @@ METHOD(task_t, process_i, status_t,
 		DBG1(DBG_IKE, "received an IPCOMP_SUPPORTED notify without requesting"
 			 " one, no CHILD_SA built");
 		handle_child_sa_failure(this, message);
-		return SUCCESS;
+		return delete_failed_sa(this);
 	}
 	else if (this->ipcomp != IPCOMP_NONE && this->ipcomp_received == IPCOMP_NONE)
 	{
@@ -1260,20 +1433,11 @@ METHOD(task_t, process_i, status_t,
 		DBG1(DBG_IKE, "received an IPCOMP_SUPPORTED notify we didn't propose, "
 			 "no CHILD_SA built");
 		handle_child_sa_failure(this, message);
-		return SUCCESS;
+		return delete_failed_sa(this);
 	}
 
 	if (select_and_install(this, no_dh, ike_auth) == SUCCESS)
 	{
-		DBG0(DBG_IKE, "CHILD_SA %s{%d} established "
-			 "with SPIs %.8x_i %.8x_o and TS %#R=== %#R",
-			 this->child_sa->get_name(this->child_sa),
-			 this->child_sa->get_reqid(this->child_sa),
-			 ntohl(this->child_sa->get_spi(this->child_sa, TRUE)),
-			 ntohl(this->child_sa->get_spi(this->child_sa, FALSE)),
-			 this->child_sa->get_traffic_selectors(this->child_sa, TRUE),
-			 this->child_sa->get_traffic_selectors(this->child_sa, FALSE));
-
 		if (!this->rekey)
 		{	/* invoke the child_up() hook if we are not rekeying */
 			charon->bus->child_updown(charon->bus, this->child_sa, TRUE);
@@ -1282,6 +1446,7 @@ METHOD(task_t, process_i, status_t,
 	else
 	{
 		handle_child_sa_failure(this, message);
+		return delete_failed_sa(this);
 	}
 	return SUCCESS;
 }
diff --git a/src/libcharon/sa/ikev2/tasks/child_delete.c b/src/libcharon/sa/ikev2/tasks/child_delete.c
index 8652942ad..eaaca2039 100644
--- a/src/libcharon/sa/ikev2/tasks/child_delete.c
+++ b/src/libcharon/sa/ikev2/tasks/child_delete.c
@@ -177,8 +177,11 @@ static void process_payloads(private_child_delete_t *this, message_t *message)
 					default:
 						break;
 				}
-
-				this->child_sas->insert_last(this->child_sas, child_sa);
+				if (this->child_sas->find_first(this->child_sas, NULL,
+												(void**)&child_sa) != SUCCESS)
+				{
+					this->child_sas->insert_last(this->child_sas, child_sa);
+				}
 			}
 			spis->destroy(spis);
 		}
@@ -219,12 +222,13 @@ static status_t destroy_and_reestablish(private_child_delete_t *this)
 			{
 				case ACTION_RESTART:
 					child_cfg->get_ref(child_cfg);
-					status = this->ike_sa->initiate(this->ike_sa, child_cfg, 0,
-													NULL, NULL);
+					status = this->ike_sa->initiate(this->ike_sa, child_cfg,
+									child_sa->get_reqid(child_sa), NULL, NULL);
 					break;
 				case ACTION_ROUTE:
 					charon->traps->install(charon->traps,
-							this->ike_sa->get_peer_cfg(this->ike_sa), child_cfg);
+							this->ike_sa->get_peer_cfg(this->ike_sa), child_cfg,
+							child_sa->get_reqid(child_sa));
 					break;
 				default:
 					break;
@@ -245,6 +249,7 @@ static status_t destroy_and_reestablish(private_child_delete_t *this)
  */
 static void log_children(private_child_delete_t *this)
 {
+	linked_list_t *my_ts, *other_ts;
 	enumerator_t *enumerator;
 	child_sa_t *child_sa;
 	u_int64_t bytes_in, bytes_out;
@@ -252,15 +257,17 @@ static void log_children(private_child_delete_t *this)
 	enumerator = this->child_sas->create_enumerator(this->child_sas);
 	while (enumerator->enumerate(enumerator, (void**)&child_sa))
 	{
+		my_ts = linked_list_create_from_enumerator(
+							child_sa->create_ts_enumerator(child_sa, TRUE));
+		other_ts = linked_list_create_from_enumerator(
+							child_sa->create_ts_enumerator(child_sa, FALSE));
 		if (this->expired)
 		{
 			DBG0(DBG_IKE, "closing expired CHILD_SA %s{%d} "
 				 "with SPIs %.8x_i %.8x_o and TS %#R=== %#R",
 				 child_sa->get_name(child_sa), child_sa->get_reqid(child_sa),
 				 ntohl(child_sa->get_spi(child_sa, TRUE)),
-				 ntohl(child_sa->get_spi(child_sa, FALSE)),
-				 child_sa->get_traffic_selectors(child_sa, TRUE),
-				 child_sa->get_traffic_selectors(child_sa, FALSE));
+				 ntohl(child_sa->get_spi(child_sa, FALSE)), my_ts, other_ts);
 		}
 		else
 		{
@@ -272,9 +279,10 @@ static void log_children(private_child_delete_t *this)
 				 child_sa->get_name(child_sa), child_sa->get_reqid(child_sa),
 				 ntohl(child_sa->get_spi(child_sa, TRUE)), bytes_in,
 				 ntohl(child_sa->get_spi(child_sa, FALSE)), bytes_out,
-				 child_sa->get_traffic_selectors(child_sa, TRUE),
-				 child_sa->get_traffic_selectors(child_sa, FALSE));
+				 my_ts, other_ts);
 		}
+		my_ts->destroy(my_ts);
+		other_ts->destroy(other_ts);
 	}
 	enumerator->destroy(enumerator);
 }
@@ -310,10 +318,6 @@ METHOD(task_t, build_i, status_t,
 METHOD(task_t, process_i, status_t,
 	private_child_delete_t *this, message_t *message)
 {
-	/* flush the list before adding new SAs */
-	this->child_sas->destroy(this->child_sas);
-	this->child_sas = linked_list_create();
-
 	process_payloads(this, message);
 	DBG1(DBG_IKE, "CHILD_SA closed");
 	return destroy_and_reestablish(this);
diff --git a/src/libcharon/sa/ikev2/tasks/child_rekey.c b/src/libcharon/sa/ikev2/tasks/child_rekey.c
index 262cb10e0..d2003bb45 100644
--- a/src/libcharon/sa/ikev2/tasks/child_rekey.c
+++ b/src/libcharon/sa/ikev2/tasks/child_rekey.c
@@ -399,12 +399,19 @@ METHOD(child_rekey_t, collide, void,
 	else if (other->get_type(other) == TASK_CHILD_DELETE)
 	{
 		child_delete_t *del = (child_delete_t*)other;
-		if (del->get_child(del) == this->child_create->get_child(this->child_create))
+		if (this->collision &&
+			this->collision->get_type(this->collision) == TASK_CHILD_REKEY)
 		{
-			/* peer deletes redundant child created in collision */
-			this->other_child_destroyed = TRUE;
-			other->destroy(other);
-			return;
+			private_child_rekey_t *rekey;
+
+			rekey = (private_child_rekey_t*)this->collision;
+			if (del->get_child(del) == rekey->child_create->get_child(rekey->child_create))
+			{
+				/* peer deletes redundant child created in collision */
+				this->other_child_destroyed = TRUE;
+				other->destroy(other);
+				return;
+			}
 		}
 		if (del->get_child(del) != this->child_sa)
 		{
diff --git a/src/libcharon/sa/ikev2/tasks/ike_auth.c b/src/libcharon/sa/ikev2/tasks/ike_auth.c
index 942f97cf5..8f83c4884 100644
--- a/src/libcharon/sa/ikev2/tasks/ike_auth.c
+++ b/src/libcharon/sa/ikev2/tasks/ike_auth.c
@@ -852,6 +852,33 @@ local_auth_failed:
 	return FAILED;
 }
 
+/**
+ * Send an INFORMATIONAL message with an AUTH_FAILED before closing IKE_SA
+ */
+static void send_auth_failed_informational(private_ike_auth_t *this,
+										   message_t *reply)
+{
+	message_t *message;
+	packet_t *packet;
+	host_t *host;
+
+	message = message_create(IKEV2_MAJOR_VERSION, IKEV2_MINOR_VERSION);
+	message->set_message_id(message, reply->get_message_id(reply) + 1);
+	host = this->ike_sa->get_my_host(this->ike_sa);
+	message->set_source(message, host->clone(host));
+	host = this->ike_sa->get_other_host(this->ike_sa);
+	message->set_destination(message, host->clone(host));
+	message->set_exchange_type(message, INFORMATIONAL);
+	message->add_notify(message, FALSE, AUTHENTICATION_FAILED, chunk_empty);
+
+	if (this->ike_sa->generate_message(this->ike_sa, message,
+									   &packet) == SUCCESS)
+	{
+		charon->sender->send(charon->sender, packet);
+	}
+	message->destroy(message);
+}
+
 METHOD(task_t, process_i, status_t,
 	private_ike_auth_t *this, message_t *message)
 {
@@ -908,6 +935,7 @@ METHOD(task_t, process_i, status_t,
 						DBG1(DBG_IKE, "received %N notify error",
 							 notify_type_names, type);
 						enumerator->destroy(enumerator);
+						charon->bus->alert(charon->bus, ALERT_LOCAL_AUTH_FAILED);
 						return FAILED;
 					}
 					DBG2(DBG_IKE, "received %N notify",
@@ -1004,6 +1032,7 @@ METHOD(task_t, process_i, status_t,
 				break;
 			default:
 				charon->bus->alert(charon->bus, ALERT_LOCAL_AUTH_FAILED);
+				send_auth_failed_informational(this, message);
 				return FAILED;
 		}
 	}
@@ -1048,6 +1077,7 @@ METHOD(task_t, process_i, status_t,
 
 peer_auth_failed:
 	charon->bus->alert(charon->bus, ALERT_PEER_AUTH_FAILED);
+	send_auth_failed_informational(this, message);
 	return FAILED;
 }
 
diff --git a/src/libcharon/sa/ikev2/tasks/ike_cert_pre.h b/src/libcharon/sa/ikev2/tasks/ike_cert_pre.h
index ac1a85c29..c1f8635ce 100644
--- a/src/libcharon/sa/ikev2/tasks/ike_cert_pre.h
+++ b/src/libcharon/sa/ikev2/tasks/ike_cert_pre.h
@@ -28,7 +28,7 @@ typedef struct ike_cert_pre_t ike_cert_pre_t;
 #include <sa/task.h>
 
 /**
- * Task of type ike_cert_post, certificate processing before authentication.
+ * Task of type ike_cert_pre, certificate processing before authentication.
  */
 struct ike_cert_pre_t {
 
diff --git a/src/libcharon/sa/ikev2/tasks/ike_delete.c b/src/libcharon/sa/ikev2/tasks/ike_delete.c
index f127b0c15..9bc62bf2a 100644
--- a/src/libcharon/sa/ikev2/tasks/ike_delete.c
+++ b/src/libcharon/sa/ikev2/tasks/ike_delete.c
@@ -109,6 +109,14 @@ METHOD(task_t, process_r, status_t,
 		 this->ike_sa->get_other_host(this->ike_sa),
 		 this->ike_sa->get_other_id(this->ike_sa));
 
+	if (message->get_exchange_type(message) == INFORMATIONAL &&
+		message->get_notify(message, AUTHENTICATION_FAILED))
+	{
+		/* a late AUTHENTICATION_FAILED notify from the initiator after
+		 * we have established the IKE_SA: signal auth failure */
+		charon->bus->alert(charon->bus, ALERT_LOCAL_AUTH_FAILED);
+	}
+
 	switch (this->ike_sa->get_state(this->ike_sa))
 	{
 		case IKE_ESTABLISHED:
diff --git a/src/libcharon/sa/ikev2/tasks/ike_init.c b/src/libcharon/sa/ikev2/tasks/ike_init.c
index 7542937b3..278bdc3f2 100644
--- a/src/libcharon/sa/ikev2/tasks/ike_init.c
+++ b/src/libcharon/sa/ikev2/tasks/ike_init.c
@@ -420,6 +420,25 @@ METHOD(task_t, build_r, status_t,
 	return SUCCESS;
 }
 
+/**
+ * Raise alerts for received notify errors
+ */
+static void raise_alerts(private_ike_init_t *this, notify_type_t type)
+{
+	linked_list_t *list;
+
+	switch (type)
+	{
+		case NO_PROPOSAL_CHOSEN:
+			list = this->config->get_proposals(this->config);
+			charon->bus->alert(charon->bus, ALERT_PROPOSAL_MISMATCH_IKE, list);
+			list->destroy_offset(list, offsetof(proposal_t, destroy));
+			break;
+		default:
+			break;
+	}
+}
+
 METHOD(task_t, process_i, status_t,
 	private_ike_init_t *this, message_t *message)
 {
@@ -482,6 +501,7 @@ METHOD(task_t, process_i, status_t,
 						DBG1(DBG_IKE, "received %N notify error",
 							 notify_type_names, type);
 						enumerator->destroy(enumerator);
+						raise_alerts(this, type);
 						return FAILED;
 					}
 					DBG2(DBG_IKE, "received %N notify",
diff --git a/src/libcharon/sa/ikev2/tasks/ike_natd.c b/src/libcharon/sa/ikev2/tasks/ike_natd.c
index 0a93db9ed..4fc968f25 100644
--- a/src/libcharon/sa/ikev2/tasks/ike_natd.c
+++ b/src/libcharon/sa/ikev2/tasks/ike_natd.c
@@ -78,6 +78,19 @@ struct private_ike_natd_t {
 	bool mapping_changed;
 };
 
+/**
+ * Check if UDP encapsulation has to be forced either by config or required
+ * by the kernel interface
+ */
+static bool force_encap(ike_cfg_t *ike_cfg)
+{
+	if (!ike_cfg->force_encap(ike_cfg))
+	{
+		return hydra->kernel_interface->get_features(hydra->kernel_interface) &
+					KERNEL_REQUIRE_UDP_ENCAPSULATION;
+	}
+	return TRUE;
+}
 
 /**
  * Build NAT detection hash for a host
@@ -147,7 +160,7 @@ static notify_payload_t *build_natd_payload(private_ike_natd_t *this,
 
 	ike_sa_id = this->ike_sa->get_id(this->ike_sa);
 	config = this->ike_sa->get_ike_cfg(this->ike_sa);
-	if (config->force_encap(config) && type == NAT_DETECTION_SOURCE_IP)
+	if (force_encap(config) && type == NAT_DETECTION_SOURCE_IP)
 	{
 		hash = generate_natd_hash_faked(this);
 	}
@@ -256,7 +269,7 @@ static void process_payloads(private_ike_natd_t *this, message_t *message)
 									!this->src_matched);
 		config = this->ike_sa->get_ike_cfg(this->ike_sa);
 		if (this->dst_matched && this->src_matched &&
-			config->force_encap(config))
+			force_encap(config))
 		{
 			this->ike_sa->set_condition(this->ike_sa, COND_NAT_FAKE, TRUE);
 		}
@@ -316,7 +329,7 @@ METHOD(task_t, build_i, status_t,
 	 * 3. Include all possbile addresses
 	 */
 	host = message->get_source(message);
-	if (!host->is_anyaddr(host) || ike_cfg->force_encap(ike_cfg))
+	if (!host->is_anyaddr(host) || force_encap(ike_cfg))
 	{	/* 1. or if we force UDP encap, as it doesn't matter if it's %any */
 		notify = build_natd_payload(this, NAT_DETECTION_SOURCE_IP, host);
 		if (notify)
diff --git a/src/libcharon/sa/keymat.h b/src/libcharon/sa/keymat.h
index 02db5ca58..bc40b3d92 100644
--- a/src/libcharon/sa/keymat.h
+++ b/src/libcharon/sa/keymat.h
@@ -79,7 +79,7 @@ struct keymat_t {
 	 */
 	nonce_gen_t* (*create_nonce_gen)(keymat_t *this);
 
-	/*
+	/**
 	 * Get a AEAD transform to en-/decrypt and sign/verify IKE messages.
 	 *
 	 * @param in		TRUE for inbound (decrypt), FALSE for outbound (encrypt)
diff --git a/src/libcharon/sa/task.h b/src/libcharon/sa/task.h
index c37221a77..f2c4299cc 100644
--- a/src/libcharon/sa/task.h
+++ b/src/libcharon/sa/task.h
@@ -67,7 +67,7 @@ enum task_type_t {
 	TASK_CHILD_CREATE,
 	/** delete an established CHILD_SA */
 	TASK_CHILD_DELETE,
-	/** rekey an CHILD_SA */
+	/** rekey a CHILD_SA */
 	TASK_CHILD_REKEY,
 	/** IKEv1 main mode */
 	TASK_MAIN_MODE,
diff --git a/src/libcharon/sa/task_manager.h b/src/libcharon/sa/task_manager.h
index c649cf78e..a1ebb4117 100644
--- a/src/libcharon/sa/task_manager.h
+++ b/src/libcharon/sa/task_manager.h
@@ -202,7 +202,7 @@ struct task_manager_t {
 	status_t (*retransmit) (task_manager_t *this, u_int32_t message_id);
 
 	/**
-	 * Migrate all tasks from other to this.
+	 * Migrate all queued tasks from other to this.
 	 *
 	 * To rekey or reestablish an IKE_SA completely, all queued or active
 	 * tasks should get migrated to the new IKE_SA.
@@ -211,6 +211,13 @@ struct task_manager_t {
 	 */
 	void (*adopt_tasks) (task_manager_t *this, task_manager_t *other);
 
+	/**
+	 * Migrate all active or queued CHILD_SA-creating tasks from other to this.
+	 *
+	 * @param other			manager which gives away its tasks
+	 */
+	void (*adopt_child_tasks) (task_manager_t *this, task_manager_t *other);
+
 	/**
 	 * Increment a message ID counter, in- or outbound.
 	 *
diff --git a/src/libcharon/sa/trap_manager.c b/src/libcharon/sa/trap_manager.c
index 6c0ae19c7..37426fc47 100644
--- a/src/libcharon/sa/trap_manager.c
+++ b/src/libcharon/sa/trap_manager.c
@@ -92,7 +92,8 @@ static void destroy_entry(entry_t *entry)
 }
 
 METHOD(trap_manager_t, install, u_int32_t,
-	private_trap_manager_t *this, peer_cfg_t *peer, child_cfg_t *child)
+	private_trap_manager_t *this, peer_cfg_t *peer, child_cfg_t *child,
+	u_int32_t reqid)
 {
 	entry_t *entry, *found = NULL;
 	ike_cfg_t *ike_cfg;
@@ -101,7 +102,6 @@ METHOD(trap_manager_t, install, u_int32_t,
 	linked_list_t *my_ts, *other_ts, *list;
 	enumerator_t *enumerator;
 	status_t status;
-	u_int32_t reqid = 0;
 
 	/* try to resolve addresses */
 	ike_cfg = peer->get_ike_cfg(peer);
@@ -109,6 +109,7 @@ METHOD(trap_manager_t, install, u_int32_t,
 								 0, ike_cfg->get_other_port(ike_cfg));
 	if (!other || other->is_anyaddr(other))
 	{
+		DESTROY_IF(other);
 		DBG1(DBG_CFG, "installing trap failed, remote address unknown");
 		return 0;
 	}
@@ -141,6 +142,8 @@ METHOD(trap_manager_t, install, u_int32_t,
 		}
 	}
 	enumerator->destroy(enumerator);
+	this->lock->unlock(this->lock);
+
 	if (found)
 	{	/* config might have changed so update everything */
 		DBG1(DBG_CFG, "updating already routed CHILD_SA '%s'",
@@ -179,10 +182,11 @@ METHOD(trap_manager_t, install, u_int32_t,
 			.child_sa = child_sa,
 			.peer_cfg = peer->get_ref(peer),
 		);
+		this->lock->write_lock(this->lock);
 		this->traps->insert_last(this->traps, entry);
+		this->lock->unlock(this->lock);
 		reqid = child_sa->get_reqid(child_sa);
 	}
-	this->lock->unlock(this->lock);
 
 	if (status != SUCCESS)
 	{
@@ -251,6 +255,31 @@ METHOD(trap_manager_t, create_enumerator, enumerator_t*,
 									(void*)this->lock->unlock);
 }
 
+METHOD(trap_manager_t, find_reqid, u_int32_t,
+	private_trap_manager_t *this, child_cfg_t *child)
+{
+	enumerator_t *enumerator;
+	child_cfg_t *current;
+	entry_t *entry;
+	u_int32_t reqid = 0;
+
+	this->lock->read_lock(this->lock);
+	enumerator = this->traps->create_enumerator(this->traps);
+	while (enumerator->enumerate(enumerator, &entry))
+	{
+		current = entry->child_sa->get_config(entry->child_sa);
+		if (streq(current->get_name(current), child->get_name(child)))
+		{
+			reqid = entry->child_sa->get_reqid(entry->child_sa);
+			break;
+		}
+	}
+	enumerator->destroy(enumerator);
+	this->lock->unlock(this->lock);
+
+	return reqid;
+}
+
 METHOD(trap_manager_t, acquire, void,
 	private_trap_manager_t *this, u_int32_t reqid,
 	traffic_selector_t *src, traffic_selector_t *dst)
@@ -319,8 +348,7 @@ METHOD(trap_manager_t, acquire, void,
 		}
 		else
 		{
-			charon->ike_sa_manager->checkin_and_destroy(
-												charon->ike_sa_manager, ike_sa);
+			ike_sa->destroy(ike_sa);
 		}
 	}
 	peer->destroy(peer);
@@ -417,6 +445,7 @@ trap_manager_t *trap_manager_create(void)
 			.install = _install,
 			.uninstall = _uninstall,
 			.create_enumerator = _create_enumerator,
+			.find_reqid = _find_reqid,
 			.acquire = _acquire,
 			.flush = _flush,
 			.destroy = _destroy,
@@ -435,4 +464,3 @@ trap_manager_t *trap_manager_create(void)
 
 	return &this->public;
 }
-
diff --git a/src/libcharon/sa/trap_manager.h b/src/libcharon/sa/trap_manager.h
index e3d355662..0491107fd 100644
--- a/src/libcharon/sa/trap_manager.h
+++ b/src/libcharon/sa/trap_manager.h
@@ -37,10 +37,11 @@ struct trap_manager_t {
 	 *
 	 * @param peer		peer configuration to initiate on trap
 	 * @param child 	child configuration to install as a trap
+	 * @param reqid		optional reqid to use
 	 * @return			reqid of installed CHILD_SA, 0 if failed
 	 */
 	u_int32_t (*install)(trap_manager_t *this, peer_cfg_t *peer,
-						 child_cfg_t *child);
+						 child_cfg_t *child, u_int32_t reqid);
 
 	/**
 	 * Uninstall a trap policy.
@@ -57,6 +58,14 @@ struct trap_manager_t {
 	 */
 	enumerator_t* (*create_enumerator)(trap_manager_t *this);
 
+	/**
+	 * Find the reqid of a child config installed as a trap.
+	 *
+	 * @param child		CHILD_SA config to get the reqid for
+	 * @return			reqid of trap, 0 if not found
+	 */
+	u_int32_t (*find_reqid)(trap_manager_t *this, child_cfg_t *child);
+
 	/**
 	 * Acquire an SA triggered by an installed trap.
 	 *
diff --git a/src/libfast/Makefile.am b/src/libfast/Makefile.am
index df5b650ce..edc2ab1ca 100644
--- a/src/libfast/Makefile.am
+++ b/src/libfast/Makefile.am
@@ -1,15 +1,21 @@
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I/usr/include/ClearSilver
+
+AM_CFLAGS = \
+	-rdynamic
+
 ipseclib_LTLIBRARIES = libfast.la
 
 libfast_la_SOURCES = \
-	dispatcher.c request.c session.c smtp.c
+	fast_dispatcher.c fast_request.c fast_session.c fast_smtp.c
 
 if USE_DEV_HEADERS
 fast_includedir = ${dev_headers}/fast
 nobase_fast_include_HEADERS = \
-	context.h controller.h dispatcher.h filter.h request.h session.h smtp.h
+	fast_context.h fast_controller.h fast_dispatcher.h fast_filter.h \
+	fast_request.h fast_session.h fast_smtp.h
 endif
 
 libfast_la_LIBADD = $(top_builddir)/src/libstrongswan/libstrongswan.la \
   -lfcgi $(clearsilver_LIBS) $(PTHREADLIB)
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I/usr/include/ClearSilver
-AM_CFLAGS = -rdynamic
diff --git a/src/libfast/Makefile.in b/src/libfast/Makefile.in
index cadf76d8f..d5b511e56 100644
--- a/src/libfast/Makefile.in
+++ b/src/libfast/Makefile.in
@@ -64,7 +64,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
@@ -105,21 +105,38 @@ am__DEPENDENCIES_1 =
 libfast_la_DEPENDENCIES =  \
 	$(top_builddir)/src/libstrongswan/libstrongswan.la \
 	$(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1)
-am_libfast_la_OBJECTS = dispatcher.lo request.lo session.lo smtp.lo
+am_libfast_la_OBJECTS = fast_dispatcher.lo fast_request.lo \
+	fast_session.lo fast_smtp.lo
 libfast_la_OBJECTS = $(am_libfast_la_OBJECTS)
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
 DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
 depcomp = $(SHELL) $(top_srcdir)/depcomp
 am__depfiles_maybe = depfiles
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
 SOURCES = $(libfast_la_SOURCES)
 DIST_SOURCES = $(libfast_la_SOURCES)
 am__can_run_installinfo = \
@@ -127,8 +144,9 @@ am__can_run_installinfo = \
     n|no|NO) false;; \
     *) (install-info --version) >/dev/null 2>&1;; \
   esac
-am__nobase_fast_include_HEADERS_DIST = context.h controller.h \
-	dispatcher.h filter.h request.h session.h smtp.h
+am__nobase_fast_include_HEADERS_DIST = fast_context.h \
+	fast_controller.h fast_dispatcher.h fast_filter.h \
+	fast_request.h fast_session.h fast_smtp.h
 HEADERS = $(nobase_fast_include_HEADERS)
 ETAGS = etags
 CTAGS = ctags
@@ -136,6 +154,7 @@ DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
@@ -148,6 +167,8 @@ CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
 CHECK_CFLAGS = @CHECK_CFLAGS@
 CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -163,6 +184,7 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
 GPRBUILD = @GPRBUILD@
 GREP = @GREP@
@@ -171,6 +193,7 @@ INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -217,6 +240,7 @@ SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -245,6 +269,7 @@ charon_natt_port = @charon_natt_port@
 charon_plugins = @charon_plugins@
 charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
@@ -322,19 +347,25 @@ top_srcdir = @top_srcdir@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I/usr/include/ClearSilver
+
+AM_CFLAGS = \
+	-rdynamic
+
 ipseclib_LTLIBRARIES = libfast.la
 libfast_la_SOURCES = \
-	dispatcher.c request.c session.c smtp.c
+	fast_dispatcher.c fast_request.c fast_session.c fast_smtp.c
 
 @USE_DEV_HEADERS_TRUE@fast_includedir = ${dev_headers}/fast
 @USE_DEV_HEADERS_TRUE@nobase_fast_include_HEADERS = \
-@USE_DEV_HEADERS_TRUE@	context.h controller.h dispatcher.h filter.h request.h session.h smtp.h
+@USE_DEV_HEADERS_TRUE@	fast_context.h fast_controller.h fast_dispatcher.h fast_filter.h \
+@USE_DEV_HEADERS_TRUE@	fast_request.h fast_session.h fast_smtp.h
 
 libfast_la_LIBADD = $(top_builddir)/src/libstrongswan/libstrongswan.la \
   -lfcgi $(clearsilver_LIBS) $(PTHREADLIB)
 
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I/usr/include/ClearSilver
-AM_CFLAGS = -rdynamic
 all: all-am
 
 .SUFFIXES:
@@ -402,7 +433,7 @@ clean-ipseclibLTLIBRARIES:
 	  rm -f "$${dir}/so_locations"; \
 	done
 libfast.la: $(libfast_la_OBJECTS) $(libfast_la_DEPENDENCIES) $(EXTRA_libfast_la_DEPENDENCIES) 
-	$(LINK) -rpath $(ipseclibdir) $(libfast_la_OBJECTS) $(libfast_la_LIBADD) $(LIBS)
+	$(AM_V_CCLD)$(LINK) -rpath $(ipseclibdir) $(libfast_la_OBJECTS) $(libfast_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -410,31 +441,31 @@ mostlyclean-compile:
 distclean-compile:
 	-rm -f *.tab.c
 
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/dispatcher.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/request.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/session.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/smtp.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/fast_dispatcher.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/fast_request.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/fast_session.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/fast_smtp.Plo@am__quote@
 
 .c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
 mostlyclean-libtool:
 	-rm -f *.lo
diff --git a/src/libfast/context.h b/src/libfast/context.h
deleted file mode 100644
index 4f8d11d2c..000000000
--- a/src/libfast/context.h
+++ /dev/null
@@ -1,42 +0,0 @@
-/*
- * Copyright (C) 2007 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup context context
- * @{ @ingroup libfast
- */
-
-#ifndef CONTEXT_H_
-#define CONTEXT_H_
-
-typedef struct context_t context_t;
-
-/**
- * Constructor function for a user specific context.
- */
-typedef context_t *(*context_constructor_t)(void *param);
-
-/**
- * User specific session context, to extend.
- */
-struct context_t {
-
-	/**
-	 * Destroy the context_t.
-	 */
-	void (*destroy) (context_t *this);
-};
-
-#endif /** CONTEXT_H_ @}*/
diff --git a/src/libfast/controller.h b/src/libfast/controller.h
deleted file mode 100644
index 7a7efc706..000000000
--- a/src/libfast/controller.h
+++ /dev/null
@@ -1,77 +0,0 @@
-/*
- * Copyright (C) 2007 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup controller controller
- * @{ @ingroup libfast
- */
-
-#ifndef CONTROLLER_H_
-#define CONTROLLER_H_
-
-#include "request.h"
-#include "context.h"
-
-typedef struct controller_t controller_t;
-
-/**
- * Constructor function for a controller.
- *
- * @param context		session specific context, implements context_t
- * @param param			user supplied param, as registered to the dispatcher
- */
-typedef controller_t *(*controller_constructor_t)(context_t* context, void *param);
-
-/**
- * Controller interface, to be implemented by users controllers.
- *
- * Controller instances get created per session, so each session has an
- * associated set of private controller instances.
- * The controller handle function is called for each incoming request.
- */
-struct controller_t {
-
-	/**
-	 * Get the name of the controller.
-	 *
-	 * @return				name of the controller
-	 */
-	char* (*get_name)(controller_t *this);
-
-	/**
-	 * Handle a HTTP request for that controller.
-	 *
-	 * Request URLs are parsed in the form
-	 * controller_name/p1/p2/p3/p4/p5 with a maximum of 5 parameters. Each
-	 * parameter not found in the request URL is set to NULL.
-	 *
-	 * @param request		HTTP request
-	 * @param p1			first parameter
-	 * @param p2			second parameter
-	 * @param p3			third parameter
-	 * @param p4			forth parameter
-	 * @param p5			fifth parameter
-	 * @return
-	 */
-	void (*handle)(controller_t *this, request_t *request,
-				   char *p1, char *p2, char *p3, char *p4, char *p5);
-
-	/**
-	 * Destroy the controller instance.
-	 */
-	void (*destroy) (controller_t *this);
-};
-
-#endif /** CONTROLLER_H_ @}*/
diff --git a/src/libfast/dispatcher.c b/src/libfast/dispatcher.c
deleted file mode 100644
index e5a02c63b..000000000
--- a/src/libfast/dispatcher.c
+++ /dev/null
@@ -1,456 +0,0 @@
-/*
- * Copyright (C) 2007 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include "dispatcher.h"
-
-#include "request.h"
-#include "session.h"
-
-#include <fcgiapp.h>
-#include <signal.h>
-#include <unistd.h>
-
-#include <utils/debug.h>
-#include <threading/thread.h>
-#include <threading/condvar.h>
-#include <threading/mutex.h>
-#include <collections/linked_list.h>
-#include <collections/hashtable.h>
-
-/** Intervall to check for expired sessions, in seconds */
-#define CLEANUP_INTERVAL 30
-
-typedef struct private_dispatcher_t private_dispatcher_t;
-
-/**
- * private data of the task manager
- */
-struct private_dispatcher_t {
-
-	/**
-	 * public functions
-	 */
-	dispatcher_t public;
-
-	/**
-	 * fcgi socket fd
-	 */
-	int fd;
-
-	/**
-	 * thread list
-	 */
-	thread_t **threads;
-
-	/**
-	 * number of threads in "threads"
-	 */
-	int thread_count;
-
-	/**
-	 * session locking mutex
-	 */
-	mutex_t *mutex;
-
-	/**
-	 * Hahstable with active sessions
-	 */
-	hashtable_t *sessions;
-
-	/**
-	 * session timeout
-	 */
-	time_t timeout;
-
-	/**
-	 * timestamp of last session cleanup round
-	 */
-	time_t last_cleanup;
-
-	/**
-	 * running in debug mode?
-	 */
-	bool debug;
-
-	/**
-	 * List of controllers controller_constructor_t
-	 */
-	linked_list_t *controllers;
-
-	/**
-	 * List of filters filter_constructor_t
-	 */
-	linked_list_t *filters;
-
-	/**
-	 * constructor function to create session context (in controller_entry_t)
-	 */
-	context_constructor_t context_constructor;
-
-	/**
-	 * user param to context constructor
-	 */
-	void *param;
-};
-
-typedef struct {
-	/** constructor function */
-	controller_constructor_t constructor;
-	/** parameter to constructor */
-	void *param;
-} controller_entry_t;
-
-typedef struct {
-	/** constructor function */
-	filter_constructor_t constructor;
-	/** parameter to constructor */
-	void *param;
-} filter_entry_t;
-
-typedef struct {
-	/** session instance */
-	session_t *session;
-	/** condvar to wait for session */
-	condvar_t *cond;
-	/** client host address, to prevent session hijacking */
-	char *host;
-	/** TRUE if session is in use */
-	bool in_use;
-	/** last use of the session */
-	time_t used;
-	/** has the session been closed by the handler? */
-	bool closed;
-} session_entry_t;
-
-/**
- * create a session and instanciate controllers
- */
-static session_t* load_session(private_dispatcher_t *this)
-{
-	enumerator_t *enumerator;
-	controller_entry_t *centry;
-	filter_entry_t *fentry;
-	session_t *session;
-	context_t *context = NULL;
-	controller_t *controller;
-	filter_t *filter;
-
-	if (this->context_constructor)
-	{
-		context = this->context_constructor(this->param);
-	}
-	session = session_create(context);
-
-	enumerator = this->controllers->create_enumerator(this->controllers);
-	while (enumerator->enumerate(enumerator, &centry))
-	{
-		controller = centry->constructor(context, centry->param);
-		session->add_controller(session, controller);
-	}
-	enumerator->destroy(enumerator);
-
-	enumerator = this->filters->create_enumerator(this->filters);
-	while (enumerator->enumerate(enumerator, &fentry))
-	{
-		filter = fentry->constructor(context, fentry->param);
-		session->add_filter(session, filter);
-	}
-	enumerator->destroy(enumerator);
-
-	return session;
-}
-
-/**
- * create a new session entry
- */
-static session_entry_t *session_entry_create(private_dispatcher_t *this,
-											 char *host)
-{
-	session_entry_t *entry;
-	session_t *session;
-
-	session = load_session(this);
-	if (!session)
-	{
-		return NULL;
-	}
-	INIT(entry,
-		.cond = condvar_create(CONDVAR_TYPE_DEFAULT),
-		.session = session,
-		.host = strdup(host),
-		.used = time_monotonic(NULL),
-	);
-	return entry;
-}
-
-/**
- * destroy a session
- */
-static void session_entry_destroy(session_entry_t *entry)
-{
-	entry->session->destroy(entry->session);
-	entry->cond->destroy(entry->cond);
-	free(entry->host);
-	free(entry);
-}
-
-METHOD(dispatcher_t, add_controller, void,
-	private_dispatcher_t *this, controller_constructor_t constructor,
-	void *param)
-{
-	controller_entry_t *entry;
-
-	INIT(entry,
-		.constructor = constructor,
-		.param = param,
-	);
-	this->controllers->insert_last(this->controllers, entry);
-}
-
-METHOD(dispatcher_t, add_filter, void,
-	private_dispatcher_t *this, filter_constructor_t constructor, void *param)
-{
-	filter_entry_t *entry;
-
-	INIT(entry,
-		.constructor = constructor,
-		.param = param,
-	);
-	this->filters->insert_last(this->filters, entry);
-}
-
-/**
- * Hashtable hash function
- */
-static u_int session_hash(char *sid)
-{
-	return chunk_hash(chunk_create(sid, strlen(sid)));
-}
-
-/**
- * Hashtable equals function
- */
-static bool session_equals(char *sid1, char *sid2)
-{
-	return streq(sid1, sid2);
-}
-
-/**
- * Cleanup unused sessions
- */
-static void cleanup_sessions(private_dispatcher_t *this, time_t now)
-{
-	if (this->last_cleanup < now - CLEANUP_INTERVAL)
-	{
-		char *sid;
-		session_entry_t *entry;
-		enumerator_t *enumerator;
-		linked_list_t *remove;
-
-		this->last_cleanup = now;
-		remove = linked_list_create();
-		enumerator = this->sessions->create_enumerator(this->sessions);
-		while (enumerator->enumerate(enumerator, &sid, &entry))
-		{
-			/* check all sessions for timeout or close flag */
-			if (!entry->in_use &&
-				(entry->used < now - this->timeout || entry->closed))
-			{
-				remove->insert_last(remove, sid);
-			}
-		}
-		enumerator->destroy(enumerator);
-
-		while (remove->remove_last(remove, (void**)&sid) == SUCCESS)
-		{
-			entry = this->sessions->remove(this->sessions, sid);
-			if (entry)
-			{
-				session_entry_destroy(entry);
-			}
-		}
-		remove->destroy(remove);
-	}
-}
-
-/**
- * Actual dispatching code
- */
-static void dispatch(private_dispatcher_t *this)
-{
-	thread_cancelability(FALSE);
-
-	while (TRUE)
-	{
-		request_t *request;
-		session_entry_t *found = NULL;
-		time_t now;
-		char *sid;
-
-		thread_cancelability(TRUE);
-		request = request_create(this->fd, this->debug);
-		thread_cancelability(FALSE);
-
-		if (request == NULL)
-		{
-			continue;
-		}
-		now = time_monotonic(NULL);
-		sid = request->get_cookie(request, "SID");
-
-		this->mutex->lock(this->mutex);
-		if (sid)
-		{
-			found = this->sessions->get(this->sessions, sid);
-		}
-		if (found && !streq(found->host, request->get_host(request)))
-		{
-			found = NULL;
-		}
-		if (found)
-		{
-			/* wait until session is unused */
-			while (found->in_use)
-			{
-				found->cond->wait(found->cond, this->mutex);
-			}
-		}
-		else
-		{	/* create a new session if not found */
-			found = session_entry_create(this, request->get_host(request));
-			if (!found)
-			{
-				request->destroy(request);
-				this->mutex->unlock(this->mutex);
-				continue;
-			}
-			sid = found->session->get_sid(found->session);
-			this->sessions->put(this->sessions, sid, found);
-		}
-		found->in_use = TRUE;
-		this->mutex->unlock(this->mutex);
-
-		/* start processing */
-		found->session->process(found->session, request);
-		found->used = time_monotonic(NULL);
-
-		/* release session */
-		this->mutex->lock(this->mutex);
-		found->in_use = FALSE;
-		found->closed = request->session_closed(request);
-		found->cond->signal(found->cond);
-		cleanup_sessions(this, now);
-		this->mutex->unlock(this->mutex);
-
-		request->destroy(request);
-	}
-}
-
-METHOD(dispatcher_t, run, void,
-	private_dispatcher_t *this, int threads)
-{
-	this->thread_count = threads;
-	this->threads = malloc(sizeof(thread_t*) * threads);
-	while (threads)
-	{
-		this->threads[threads - 1] = thread_create((thread_main_t)dispatch,
-												   this);
-		if (this->threads[threads - 1])
-		{
-			threads--;
-		}
-	}
-}
-
-METHOD(dispatcher_t, waitsignal, void,
-	private_dispatcher_t *this)
-{
-	sigset_t set;
-	int sig;
-
-	sigemptyset(&set);
-	sigaddset(&set, SIGINT);
-	sigaddset(&set, SIGTERM);
-	sigaddset(&set, SIGHUP);
-	sigprocmask(SIG_BLOCK, &set, NULL);
-	sigwait(&set, &sig);
-}
-
-METHOD(dispatcher_t, destroy, void,
-	private_dispatcher_t *this)
-{
-	char *sid;
-	session_entry_t *entry;
-	enumerator_t *enumerator;
-
-	FCGX_ShutdownPending();
-	while (this->thread_count--)
-	{
-		thread_t *thread = this->threads[this->thread_count];
-		thread->cancel(thread);
-		thread->join(thread);
-	}
-	enumerator = this->sessions->create_enumerator(this->sessions);
-	while (enumerator->enumerate(enumerator, &sid, &entry))
-	{
-		session_entry_destroy(entry);
-	}
-	enumerator->destroy(enumerator);
-	this->sessions->destroy(this->sessions);
-	this->controllers->destroy_function(this->controllers, free);
-	this->filters->destroy_function(this->filters, free);
-	this->mutex->destroy(this->mutex);
-	free(this->threads);
-	free(this);
-}
-
-/*
- * see header file
- */
-dispatcher_t *dispatcher_create(char *socket, bool debug, int timeout,
-								context_constructor_t constructor, void *param)
-{
-	private_dispatcher_t *this;
-
-	INIT(this,
-		.public = {
-			.add_controller = _add_controller,
-			.add_filter = _add_filter,
-			.run = _run,
-			.waitsignal = _waitsignal,
-			.destroy = _destroy,
-		},
-		.sessions = hashtable_create((void*)session_hash,
-									 (void*)session_equals, 4096),
-		.controllers = linked_list_create(),
-		.filters = linked_list_create(),
-		.context_constructor = constructor,
-		.mutex = mutex_create(MUTEX_TYPE_DEFAULT),
-		.param = param,
-		.timeout = timeout,
-		.last_cleanup = time_monotonic(NULL),
-		.debug = debug,
-	);
-
-	FCGX_Init();
-
-	if (socket)
-	{
-		unlink(socket);
-		this->fd = FCGX_OpenSocket(socket, 10);
-	}
-	return &this->public;
-}
-
diff --git a/src/libfast/dispatcher.h b/src/libfast/dispatcher.h
deleted file mode 100644
index 16223fe76..000000000
--- a/src/libfast/dispatcher.h
+++ /dev/null
@@ -1,137 +0,0 @@
-/*
- * Copyright (C) 2007 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup libfast libfast
- * @{
- * FastCGI Application Server w/ templates.
- *
- * Libfast is a framework to write web applications in an MVC fashion. It uses
- * the ClearSilver template engine and communicates through FastCGI with
- * the webserver. It is multithreaded and really fast.
- *
- * The application has a global context and a session context. The global
- * context is accessed from all sessions simultaneously and therefore
- * needs to be threadsave. Often a database wrapper is the global context.
- * The session context is instanciated per session. Sessions are managed
- * automatically through session cookies. The session context is kept alive
- * until the session times out. It must implement the context_t interface and
- * a #context_constructor_t is needed to create instances. To each session,
- * a set of controllers gets instanciated. The controller instances are per
- * session, so you can hold private data for each user.
- * Controllers need to implement the controller_t interface and need a
- * #controller_constructor_t function to create instances.
- *
- * A small example shows how to set up libfast:
- * @code
-	dispatcher_t *dispatcher;
-	your_global_context_implementation_t *global;
-
-	global = initialize_your_global_context();
-
-	dispatcher = dispatcher_create(NULL, FALSE, 180,
-			(context_constructor_t)your_session_context_create, global);
-	dispatcher->add_controller(dispatcher, your_controller1_create, param1);
-	dispatcher->add_controller(dispatcher, your_controller2_create, param2);
-
-	dispatcher->run(dispatcher, 20);
-
-	dispatcher->waitsignal(dispatcher);
-
-	dispatcher->destroy(dispatcher);
-	global->destroy();
-   @endcode
- * @}
- *
- * @defgroup dispatcher dispatcher
- * @{ @ingroup libfast
- */
-
-#ifndef DISPATCHER_H_
-#define DISPATCHER_H_
-
-#include "controller.h"
-#include "filter.h"
-
-typedef struct dispatcher_t dispatcher_t;
-
-/**
- * Dispatcher, accepts connections using multiple threads.
- *
- * The dispatcher creates a session for each client (using SID cookies). In
- * each session, a session context is created using the context constructor.
- * Each controller is instanciated in the session using the controller
- * constructor added with add_controller.
- */
-struct dispatcher_t {
-
-	/**
-	 * Register a controller to the dispatcher.
-	 *
-	 * The first controller added serves as default controller. Client's
-	 * get redirected to it if no other controller matches.
-	 *
-	 * @param constructor	constructor function to the conntroller
-	 * @param param			param to pass to constructor
-	 */
-	void (*add_controller)(dispatcher_t *this,
-						   controller_constructor_t constructor, void *param);
-
-	/**
-	 * Add a filter to the dispatcher.
-	 *
-	 * @param constructor	constructor to create filter in session
-	 * @param param			param to pass to constructor
-	 */
-	void (*add_filter)(dispatcher_t *this,
-					   filter_constructor_t constructor, void *param);
-
-	/**
-	 * Start with dispatching.
-	 *
-	 * Instanciate a constant thread pool and start dispatching requests.
-	 *
-	 * @param threads		number of dispatching threads
-	 */
-	void (*run)(dispatcher_t *this, int threads);
-
-	/**
-	 * Wait for a relevant signal action.
-	 *
-	 */
-	void (*waitsignal)(dispatcher_t *this);
-
-	/**
-	 * Destroy the dispatcher_t.
-	 */
-	void (*destroy) (dispatcher_t *this);
-};
-
-/**
- * Create a dispatcher.
- *
- * The context constructor is invoked to create a session context for
- * each session.
- *
- * @param socket		FastCGI socket path, NULL for dynamic
- * @param debug			no stripping, no compression, timing information
- * @param timeout		session timeout
- * @param constructor	construction function for session context
- * @param param			parameter to supply to context constructor
- */
-dispatcher_t *dispatcher_create(char *socket, bool debug, int timeout,
-								context_constructor_t constructor, void *param);
-
-#endif /** DISPATCHER_H_ @}*/
diff --git a/src/libfast/fast_context.h b/src/libfast/fast_context.h
new file mode 100644
index 000000000..4922703ca
--- /dev/null
+++ b/src/libfast/fast_context.h
@@ -0,0 +1,42 @@
+/*
+ * Copyright (C) 2007 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup fast_context fast_context
+ * @{ @ingroup libfast
+ */
+
+#ifndef FAST_CONTEXT_H_
+#define FAST_CONTEXT_H_
+
+typedef struct fast_context_t fast_context_t;
+
+/**
+ * Constructor function for a user specific context.
+ */
+typedef fast_context_t *(*fast_context_constructor_t)(void *param);
+
+/**
+ * User specific session context, to extend.
+ */
+struct fast_context_t {
+
+	/**
+	 * Destroy the fast_context_t.
+	 */
+	void (*destroy) (fast_context_t *this);
+};
+
+#endif /** FAST_CONTEXT_H_ @}*/
diff --git a/src/libfast/fast_controller.h b/src/libfast/fast_controller.h
new file mode 100644
index 000000000..bbd0214fc
--- /dev/null
+++ b/src/libfast/fast_controller.h
@@ -0,0 +1,78 @@
+/*
+ * Copyright (C) 2007 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup fast_controller fast_controller
+ * @{ @ingroup libfast
+ */
+
+#ifndef FAST_CONTROLLER_H_
+#define FAST_CONTROLLER_H_
+
+#include "fast_request.h"
+#include "fast_context.h"
+
+typedef struct fast_controller_t fast_controller_t;
+
+/**
+ * Constructor function for a controller.
+ *
+ * @param context		session specific context, implements context_t
+ * @param param			user supplied param, as registered to the dispatcher
+ */
+typedef fast_controller_t *(*fast_controller_constructor_t)(
+										fast_context_t* context, void *param);
+
+/**
+ * Controller interface, to be implemented by users controllers.
+ *
+ * Controller instances get created per session, so each session has an
+ * associated set of private controller instances.
+ * The controller handle function is called for each incoming request.
+ */
+struct fast_controller_t {
+
+	/**
+	 * Get the name of the controller.
+	 *
+	 * @return				name of the controller
+	 */
+	char* (*get_name)(fast_controller_t *this);
+
+	/**
+	 * Handle a HTTP request for that controller.
+	 *
+	 * Request URLs are parsed in the form
+	 * controller_name/p1/p2/p3/p4/p5 with a maximum of 5 parameters. Each
+	 * parameter not found in the request URL is set to NULL.
+	 *
+	 * @param request		HTTP request
+	 * @param p1			first parameter
+	 * @param p2			second parameter
+	 * @param p3			third parameter
+	 * @param p4			forth parameter
+	 * @param p5			fifth parameter
+	 * @return
+	 */
+	void (*handle)(fast_controller_t *this, fast_request_t *request,
+				   char *p1, char *p2, char *p3, char *p4, char *p5);
+
+	/**
+	 * Destroy the controller instance.
+	 */
+	void (*destroy) (fast_controller_t *this);
+};
+
+#endif /** FAST_CONTROLLER_H_ @}*/
diff --git a/src/libfast/fast_dispatcher.c b/src/libfast/fast_dispatcher.c
new file mode 100644
index 000000000..4daf91905
--- /dev/null
+++ b/src/libfast/fast_dispatcher.c
@@ -0,0 +1,460 @@
+/*
+ * Copyright (C) 2007 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "fast_dispatcher.h"
+
+#include "fast_request.h"
+#include "fast_session.h"
+
+#include <fcgiapp.h>
+#include <signal.h>
+#include <unistd.h>
+
+#include <utils/debug.h>
+#include <threading/thread.h>
+#include <threading/condvar.h>
+#include <threading/mutex.h>
+#include <collections/linked_list.h>
+#include <collections/hashtable.h>
+
+/** Intervall to check for expired sessions, in seconds */
+#define CLEANUP_INTERVAL 30
+
+typedef struct private_fast_dispatcher_t private_fast_dispatcher_t;
+
+/**
+ * private data of the task manager
+ */
+struct private_fast_dispatcher_t {
+
+	/**
+	 * public functions
+	 */
+	fast_dispatcher_t public;
+
+	/**
+	 * fcgi socket fd
+	 */
+	int fd;
+
+	/**
+	 * thread list
+	 */
+	thread_t **threads;
+
+	/**
+	 * number of threads in "threads"
+	 */
+	int thread_count;
+
+	/**
+	 * session locking mutex
+	 */
+	mutex_t *mutex;
+
+	/**
+	 * Hahstable with active sessions
+	 */
+	hashtable_t *sessions;
+
+	/**
+	 * session timeout
+	 */
+	time_t timeout;
+
+	/**
+	 * timestamp of last session cleanup round
+	 */
+	time_t last_cleanup;
+
+	/**
+	 * running in debug mode?
+	 */
+	bool debug;
+
+	/**
+	 * List of controllers controller_constructor_t
+	 */
+	linked_list_t *controllers;
+
+	/**
+	 * List of filters filter_constructor_t
+	 */
+	linked_list_t *filters;
+
+	/**
+	 * constructor function to create session context (in controller_entry_t)
+	 */
+	fast_context_constructor_t context_constructor;
+
+	/**
+	 * user param to context constructor
+	 */
+	void *param;
+};
+
+typedef struct {
+	/** constructor function */
+	fast_controller_constructor_t constructor;
+	/** parameter to constructor */
+	void *param;
+} controller_entry_t;
+
+typedef struct {
+	/** constructor function */
+	fast_filter_constructor_t constructor;
+	/** parameter to constructor */
+	void *param;
+} filter_entry_t;
+
+typedef struct {
+	/** session instance */
+	fast_session_t *session;
+	/** condvar to wait for session */
+	condvar_t *cond;
+	/** client host address, to prevent session hijacking */
+	char *host;
+	/** TRUE if session is in use */
+	bool in_use;
+	/** last use of the session */
+	time_t used;
+	/** has the session been closed by the handler? */
+	bool closed;
+} session_entry_t;
+
+/**
+ * create a session and instanciate controllers
+ */
+static fast_session_t* load_session(private_fast_dispatcher_t *this)
+{
+	enumerator_t *enumerator;
+	controller_entry_t *centry;
+	filter_entry_t *fentry;
+	fast_session_t *session;
+	fast_context_t *context = NULL;
+	fast_controller_t *controller;
+	fast_filter_t *filter;
+
+	if (this->context_constructor)
+	{
+		context = this->context_constructor(this->param);
+	}
+	session = fast_session_create(context);
+	if (!session)
+	{
+		return NULL;
+	}
+
+	enumerator = this->controllers->create_enumerator(this->controllers);
+	while (enumerator->enumerate(enumerator, &centry))
+	{
+		controller = centry->constructor(context, centry->param);
+		session->add_controller(session, controller);
+	}
+	enumerator->destroy(enumerator);
+
+	enumerator = this->filters->create_enumerator(this->filters);
+	while (enumerator->enumerate(enumerator, &fentry))
+	{
+		filter = fentry->constructor(context, fentry->param);
+		session->add_filter(session, filter);
+	}
+	enumerator->destroy(enumerator);
+
+	return session;
+}
+
+/**
+ * create a new session entry
+ */
+static session_entry_t *session_entry_create(private_fast_dispatcher_t *this,
+											 char *host)
+{
+	session_entry_t *entry;
+	fast_session_t *session;
+
+	session = load_session(this);
+	if (!session)
+	{
+		return NULL;
+	}
+	INIT(entry,
+		.cond = condvar_create(CONDVAR_TYPE_DEFAULT),
+		.session = session,
+		.host = strdup(host),
+		.used = time_monotonic(NULL),
+	);
+	return entry;
+}
+
+/**
+ * destroy a session
+ */
+static void session_entry_destroy(session_entry_t *entry)
+{
+	entry->session->destroy(entry->session);
+	entry->cond->destroy(entry->cond);
+	free(entry->host);
+	free(entry);
+}
+
+METHOD(fast_dispatcher_t, add_controller, void,
+	private_fast_dispatcher_t *this, fast_controller_constructor_t constructor,
+	void *param)
+{
+	controller_entry_t *entry;
+
+	INIT(entry,
+		.constructor = constructor,
+		.param = param,
+	);
+	this->controllers->insert_last(this->controllers, entry);
+}
+
+METHOD(fast_dispatcher_t, add_filter, void,
+	private_fast_dispatcher_t *this, fast_filter_constructor_t constructor,
+	void *param)
+{
+	filter_entry_t *entry;
+
+	INIT(entry,
+		.constructor = constructor,
+		.param = param,
+	);
+	this->filters->insert_last(this->filters, entry);
+}
+
+/**
+ * Hashtable hash function
+ */
+static u_int session_hash(char *sid)
+{
+	return chunk_hash(chunk_create(sid, strlen(sid)));
+}
+
+/**
+ * Hashtable equals function
+ */
+static bool session_equals(char *sid1, char *sid2)
+{
+	return streq(sid1, sid2);
+}
+
+/**
+ * Cleanup unused sessions
+ */
+static void cleanup_sessions(private_fast_dispatcher_t *this, time_t now)
+{
+	if (this->last_cleanup < now - CLEANUP_INTERVAL)
+	{
+		char *sid;
+		session_entry_t *entry;
+		enumerator_t *enumerator;
+		linked_list_t *remove;
+
+		this->last_cleanup = now;
+		remove = linked_list_create();
+		enumerator = this->sessions->create_enumerator(this->sessions);
+		while (enumerator->enumerate(enumerator, &sid, &entry))
+		{
+			/* check all sessions for timeout or close flag */
+			if (!entry->in_use &&
+				(entry->used < now - this->timeout || entry->closed))
+			{
+				remove->insert_last(remove, sid);
+			}
+		}
+		enumerator->destroy(enumerator);
+
+		while (remove->remove_last(remove, (void**)&sid) == SUCCESS)
+		{
+			entry = this->sessions->remove(this->sessions, sid);
+			if (entry)
+			{
+				session_entry_destroy(entry);
+			}
+		}
+		remove->destroy(remove);
+	}
+}
+
+/**
+ * Actual dispatching code
+ */
+static void dispatch(private_fast_dispatcher_t *this)
+{
+	thread_cancelability(FALSE);
+
+	while (TRUE)
+	{
+		fast_request_t *request;
+		session_entry_t *found = NULL;
+		time_t now;
+		char *sid;
+
+		thread_cancelability(TRUE);
+		request = fast_request_create(this->fd, this->debug);
+		thread_cancelability(FALSE);
+
+		if (request == NULL)
+		{
+			break;
+		}
+		now = time_monotonic(NULL);
+		sid = request->get_cookie(request, "SID");
+
+		this->mutex->lock(this->mutex);
+		if (sid)
+		{
+			found = this->sessions->get(this->sessions, sid);
+		}
+		if (found && !streq(found->host, request->get_host(request)))
+		{
+			found = NULL;
+		}
+		if (found)
+		{
+			/* wait until session is unused */
+			while (found->in_use)
+			{
+				found->cond->wait(found->cond, this->mutex);
+			}
+		}
+		else
+		{	/* create a new session if not found */
+			found = session_entry_create(this, request->get_host(request));
+			if (!found)
+			{
+				request->destroy(request);
+				this->mutex->unlock(this->mutex);
+				continue;
+			}
+			sid = found->session->get_sid(found->session);
+			this->sessions->put(this->sessions, sid, found);
+		}
+		found->in_use = TRUE;
+		this->mutex->unlock(this->mutex);
+
+		/* start processing */
+		found->session->process(found->session, request);
+		found->used = time_monotonic(NULL);
+
+		/* release session */
+		this->mutex->lock(this->mutex);
+		found->in_use = FALSE;
+		found->closed = request->session_closed(request);
+		found->cond->signal(found->cond);
+		cleanup_sessions(this, now);
+		this->mutex->unlock(this->mutex);
+
+		request->destroy(request);
+	}
+}
+
+METHOD(fast_dispatcher_t, run, void,
+	private_fast_dispatcher_t *this, int threads)
+{
+	this->thread_count = threads;
+	this->threads = malloc(sizeof(thread_t*) * threads);
+	while (threads)
+	{
+		this->threads[threads - 1] = thread_create((thread_main_t)dispatch,
+												   this);
+		if (this->threads[threads - 1])
+		{
+			threads--;
+		}
+	}
+}
+
+METHOD(fast_dispatcher_t, waitsignal, void,
+	private_fast_dispatcher_t *this)
+{
+	sigset_t set;
+	int sig;
+
+	sigemptyset(&set);
+	sigaddset(&set, SIGINT);
+	sigaddset(&set, SIGTERM);
+	sigaddset(&set, SIGHUP);
+	sigprocmask(SIG_BLOCK, &set, NULL);
+	sigwait(&set, &sig);
+}
+
+METHOD(fast_dispatcher_t, destroy, void,
+	private_fast_dispatcher_t *this)
+{
+	char *sid;
+	session_entry_t *entry;
+	enumerator_t *enumerator;
+
+	FCGX_ShutdownPending();
+	while (this->thread_count--)
+	{
+		thread_t *thread = this->threads[this->thread_count];
+		thread->cancel(thread);
+		thread->join(thread);
+	}
+	enumerator = this->sessions->create_enumerator(this->sessions);
+	while (enumerator->enumerate(enumerator, &sid, &entry))
+	{
+		session_entry_destroy(entry);
+	}
+	enumerator->destroy(enumerator);
+	this->sessions->destroy(this->sessions);
+	this->controllers->destroy_function(this->controllers, free);
+	this->filters->destroy_function(this->filters, free);
+	this->mutex->destroy(this->mutex);
+	free(this->threads);
+	free(this);
+}
+
+/*
+ * see header file
+ */
+fast_dispatcher_t *fast_dispatcher_create(char *socket, bool debug, int timeout,
+							fast_context_constructor_t constructor, void *param)
+{
+	private_fast_dispatcher_t *this;
+
+	INIT(this,
+		.public = {
+			.add_controller = _add_controller,
+			.add_filter = _add_filter,
+			.run = _run,
+			.waitsignal = _waitsignal,
+			.destroy = _destroy,
+		},
+		.sessions = hashtable_create((void*)session_hash,
+									 (void*)session_equals, 4096),
+		.controllers = linked_list_create(),
+		.filters = linked_list_create(),
+		.context_constructor = constructor,
+		.mutex = mutex_create(MUTEX_TYPE_DEFAULT),
+		.param = param,
+		.timeout = timeout,
+		.last_cleanup = time_monotonic(NULL),
+		.debug = debug,
+	);
+
+	FCGX_Init();
+
+	if (socket)
+	{
+		unlink(socket);
+		this->fd = FCGX_OpenSocket(socket, 10);
+	}
+	return &this->public;
+}
diff --git a/src/libfast/fast_dispatcher.h b/src/libfast/fast_dispatcher.h
new file mode 100644
index 000000000..6546385c6
--- /dev/null
+++ b/src/libfast/fast_dispatcher.h
@@ -0,0 +1,137 @@
+/*
+ * Copyright (C) 2007 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup libfast libfast
+ * @{
+ * FastCGI Application Server w/ templates.
+ *
+ * Libfast is a framework to write web applications in an MVC fashion. It uses
+ * the ClearSilver template engine and communicates through FastCGI with
+ * the webserver. It is multithreaded and really fast.
+ *
+ * The application has a global context and a session context. The global
+ * context is accessed from all sessions simultaneously and therefore
+ * needs to be threadsave. Often a database wrapper is the global context.
+ * The session context is instanciated per session. Sessions are managed
+ * automatically through session cookies. The session context is kept alive
+ * until the session times out. It must implement the context_t interface and
+ * a #fast_context_constructor_t is needed to create instances. To each session,
+ * a set of controllers gets instanciated. The controller instances are per
+ * session, so you can hold private data for each user.
+ * Controllers need to implement the controller_t interface and need a
+ * #fast_controller_constructor_t function to create instances.
+ *
+ * A small example shows how to set up libfast:
+ * @code
+	fast_fast_dispatcher_t *dispatcher;
+	your_global_context_implementation_t *global;
+
+	global = initialize_your_global_context();
+
+	dispatcher = fast_dispatcher_create(NULL, FALSE, 180,
+			(context_constructor_t)your_session_context_create, global);
+	dispatcher->add_controller(dispatcher, your_controller1_create, param1);
+	dispatcher->add_controller(dispatcher, your_controller2_create, param2);
+
+	dispatcher->run(dispatcher, 20);
+
+	dispatcher->waitsignal(dispatcher);
+
+	dispatcher->destroy(dispatcher);
+	global->destroy();
+   @endcode
+ * @}
+ *
+ * @defgroup fast_dispatcher fast_dispatcher
+ * @{ @ingroup libfast
+ */
+
+#ifndef FAST_DISPATCHER_H_
+#define FAST_DISPATCHER_H_
+
+#include "fast_controller.h"
+#include "fast_filter.h"
+
+typedef struct fast_dispatcher_t fast_dispatcher_t;
+
+/**
+ * Dispatcher, accepts connections using multiple threads.
+ *
+ * The dispatcher creates a session for each client (using SID cookies). In
+ * each session, a session context is created using the context constructor.
+ * Each controller is instanciated in the session using the controller
+ * constructor added with add_controller.
+ */
+struct fast_dispatcher_t {
+
+	/**
+	 * Register a controller to the dispatcher.
+	 *
+	 * The first controller added serves as default controller. Client's
+	 * get redirected to it if no other controller matches.
+	 *
+	 * @param constructor	constructor function to the conntroller
+	 * @param param			param to pass to constructor
+	 */
+	void (*add_controller)(fast_dispatcher_t *this,
+						   fast_controller_constructor_t constructor,
+						   void *param);
+
+	/**
+	 * Add a filter to the dispatcher.
+	 *
+	 * @param constructor	constructor to create filter in session
+	 * @param param			param to pass to constructor
+	 */
+	void (*add_filter)(fast_dispatcher_t *this,
+					   fast_filter_constructor_t constructor, void *param);
+
+	/**
+	 * Start with dispatching.
+	 *
+	 * Instanciate a constant thread pool and start dispatching requests.
+	 *
+	 * @param threads		number of dispatching threads
+	 */
+	void (*run)(fast_dispatcher_t *this, int threads);
+
+	/**
+	 * Wait for a relevant signal action.
+	 */
+	void (*waitsignal)(fast_dispatcher_t *this);
+
+	/**
+	 * Destroy the fast_dispatcher_t.
+	 */
+	void (*destroy) (fast_dispatcher_t *this);
+};
+
+/**
+ * Create a dispatcher.
+ *
+ * The context constructor is invoked to create a session context for
+ * each session.
+ *
+ * @param socket		FastCGI socket path, NULL for dynamic
+ * @param debug			no stripping, no compression, timing information
+ * @param timeout		session timeout
+ * @param constructor	construction function for session context
+ * @param param			parameter to supply to context constructor
+ */
+fast_dispatcher_t *fast_dispatcher_create(char *socket, bool debug, int timeout,
+							fast_context_constructor_t constructor, void *param);
+
+#endif /** FAST_DISPATCHER_H_ @}*/
diff --git a/src/libfast/fast_filter.h b/src/libfast/fast_filter.h
new file mode 100644
index 000000000..57367bd5a
--- /dev/null
+++ b/src/libfast/fast_filter.h
@@ -0,0 +1,64 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/*
+ * @defgroup fast_filter fast_filter
+ * @{ @ingroup libfast
+ */
+
+#ifndef FAST_FILTER_H_
+#define FAST_FILTER_H_
+
+#include "fast_request.h"
+#include "fast_context.h"
+#include "fast_controller.h"
+
+typedef struct fast_filter_t fast_filter_t;
+
+/**
+ * Constructor function for a filter
+ *
+ * @param context		session specific context
+ * @param param			user supplied param
+ */
+typedef fast_filter_t *(*fast_filter_constructor_t)(fast_context_t* context,
+													void *param);
+
+/**
+ * Filter interface, to be implemented by users filters.
+ */
+struct fast_filter_t {
+
+	/**
+	 * Called before the controller handles the request.
+	 *
+	 * @param request		HTTP request
+	 * @param p1			first parameter
+	 * @param p2			second parameter
+	 * @param p3			third parameter
+	 * @param p4			forth parameter
+	 * @param p5			fifth parameter
+	 * @return				TRUE to continue request handling
+	 */
+	bool (*run)(fast_filter_t *this, fast_request_t *request,
+				char *p0, char *p1, char *p2, char *p3, char *p4, char *p5);
+
+	/**
+	 * Destroy the filter instance.
+	 */
+	void (*destroy) (fast_filter_t *this);
+};
+
+#endif /* FAST_FILTER_H_ @} */
diff --git a/src/libfast/fast_request.c b/src/libfast/fast_request.c
new file mode 100644
index 000000000..0673750b7
--- /dev/null
+++ b/src/libfast/fast_request.c
@@ -0,0 +1,509 @@
+/*
+ * Copyright (C) 2007 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#define _GNU_SOURCE
+
+#include "fast_request.h"
+
+#include <library.h>
+#include <utils/debug.h>
+#include <stdlib.h>
+#include <pthread.h>
+#include <string.h>
+#include <unistd.h>
+#include <sys/mman.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+
+#include <ClearSilver/ClearSilver.h>
+
+#include <threading/thread.h>
+#include <threading/thread_value.h>
+
+typedef struct private_fast_request_t private_fast_request_t;
+
+/**
+ * private data of the task manager
+ */
+struct private_fast_request_t {
+
+	/**
+	 * public functions
+	 */
+	fast_request_t public;
+
+	/**
+	 * FastCGI request object
+	 */
+	FCGX_Request req;
+
+	/**
+	 * length of the req.envp array
+	 */
+	int req_env_len;
+
+	/**
+	 * ClearSilver CGI Kit context
+	 */
+	CGI *cgi;
+
+	/**
+	 * ClearSilver HDF dataset for this request
+	 */
+	HDF *hdf;
+
+	/**
+	 * close the session?
+	 */
+	bool closed;
+
+	/**
+	 * reference count
+	 */
+	refcount_t ref;
+};
+
+/**
+ * ClearSilver cgiwrap is not threadsave, so we use a private
+ * context for each thread.
+ */
+static thread_value_t *thread_this;
+
+/**
+ * control variable for pthread_once
+ */
+pthread_once_t once = PTHREAD_ONCE_INIT;
+
+/**
+ * fcgiwrap read callback
+ */
+static int read_cb(void *null, char *buf, int size)
+{
+	private_fast_request_t *this;
+
+	this = (private_fast_request_t*)thread_this->get(thread_this);
+
+	return FCGX_GetStr(buf, size, this->req.in);
+}
+
+/**
+ * fcgiwrap writef callback
+ */
+static int writef_cb(void *null, const char *format, va_list args)
+{
+	private_fast_request_t *this;
+
+	this = (private_fast_request_t*)thread_this->get(thread_this);
+
+	FCGX_VFPrintF(this->req.out, format, args);
+	return 0;
+}
+/**
+ * fcgiwrap write callback
+ */
+static int write_cb(void *null, const char *buf, int size)
+{
+	private_fast_request_t *this;
+
+	this = (private_fast_request_t*)thread_this->get(thread_this);
+
+	return FCGX_PutStr(buf, size, this->req.out);
+}
+
+/**
+ * fcgiwrap getenv callback
+ */
+static char *getenv_cb(void *null, const char *key)
+{
+	char *value;
+	private_fast_request_t *this;
+
+	this = (private_fast_request_t*)thread_this->get(thread_this);
+
+	value = FCGX_GetParam(key, this->req.envp);
+	return strdupnull(value);
+}
+
+/**
+ * fcgiwrap getenv callback
+ */
+static int putenv_cb(void *null, const char *key, const char *value)
+{
+	/* not supported */
+	return 1;
+}
+
+/**
+ * fcgiwrap iterenv callback
+ */
+static int iterenv_cb(void *null, int num, char **key, char **value)
+{
+	private_fast_request_t *this;
+
+	*key = NULL;
+	*value = NULL;
+	this = (private_fast_request_t*)thread_this->get(thread_this);
+
+	if (num < this->req_env_len)
+	{
+		char *eq;
+
+		eq = strchr(this->req.envp[num], '=');
+		if (eq)
+		{
+			*key = strndup(this->req.envp[num], eq - this->req.envp[num]);
+			*value = strdup(eq + 1);
+		}
+		if (*key == NULL || *value == NULL)
+		{
+			free(*key);
+			free(*value);
+			return 1;
+		}
+	}
+	return 0;
+}
+
+METHOD(fast_request_t, get_cookie, char*,
+	private_fast_request_t *this, char *name)
+{
+	return hdf_get_valuef(this->hdf, "Cookie.%s", name);
+}
+
+METHOD(fast_request_t, get_path, char*,
+	private_fast_request_t *this)
+{
+	char *path = FCGX_GetParam("PATH_INFO", this->req.envp);
+	return path ? path : "";
+}
+
+METHOD(fast_request_t, get_host, char*,
+	private_fast_request_t *this)
+{
+	char *addr = FCGX_GetParam("REMOTE_ADDR", this->req.envp);
+	return addr ? addr : "";
+}
+
+METHOD(fast_request_t, get_user_agent, char*,
+	private_fast_request_t *this)
+{
+	char *agent = FCGX_GetParam("HTTP_USER_AGENT", this->req.envp);
+	return agent ? agent : "";
+}
+
+METHOD(fast_request_t, get_query_data, char*,
+	private_fast_request_t *this, char *name)
+{
+	return hdf_get_valuef(this->hdf, "Query.%s", name);
+}
+
+METHOD(fast_request_t, get_env_var, char*,
+	private_fast_request_t *this, char *name)
+{
+	return FCGX_GetParam(name, this->req.envp);
+}
+
+METHOD(fast_request_t, read_data, int,
+	private_fast_request_t *this, char *buf, int len)
+{
+	return FCGX_GetStr(buf, len, this->req.in);
+}
+
+METHOD(fast_request_t, get_base, char*,
+	private_fast_request_t *this)
+{
+	return FCGX_GetParam("SCRIPT_NAME", this->req.envp);
+}
+
+METHOD(fast_request_t, add_cookie, void,
+	private_fast_request_t *this, char *name, char *value)
+{
+	thread_this->set(thread_this, this);
+	cgi_cookie_set(this->cgi, name, value, NULL, NULL, NULL, 0, 0);
+}
+
+METHOD(fast_request_t, redirect, void,
+	private_fast_request_t *this, char *fmt, ...)
+{
+	va_list args;
+
+	FCGX_FPrintF(this->req.out, "Status: 303 See Other\n");
+	FCGX_FPrintF(this->req.out, "Location: %s%s", get_base(this),
+				 *fmt == '/' ? "" : "/");
+	va_start(args, fmt);
+	FCGX_VFPrintF(this->req.out, fmt, args);
+	va_end(args);
+	FCGX_FPrintF(this->req.out, "\n\n");
+}
+
+METHOD(fast_request_t, get_referer, char*,
+	private_fast_request_t *this)
+{
+	return FCGX_GetParam("HTTP_REFERER", this->req.envp);
+}
+
+METHOD(fast_request_t, to_referer, void,
+	private_fast_request_t *this)
+{
+	char *referer;
+
+	referer = get_referer(this);
+	if (referer)
+	{
+		FCGX_FPrintF(this->req.out, "Status: 303 See Other\n");
+		FCGX_FPrintF(this->req.out, "Location: %s\n\n", referer);
+	}
+	else
+	{
+		redirect(this, "/");
+	}
+}
+
+METHOD(fast_request_t, session_closed, bool,
+	private_fast_request_t *this)
+{
+	return this->closed;
+}
+
+METHOD(fast_request_t, close_session, void,
+	private_fast_request_t *this)
+{
+	this->closed = TRUE;
+}
+
+METHOD(fast_request_t, serve, void,
+	private_fast_request_t *this, char *headers, chunk_t chunk)
+{
+	FCGX_FPrintF(this->req.out, "%s\n\n", headers);
+
+	FCGX_PutStr(chunk.ptr, chunk.len, this->req.out);
+}
+
+METHOD(fast_request_t, sendfile, bool,
+	private_fast_request_t *this, char *path, char *mime)
+{
+	struct stat sb;
+	chunk_t data;
+	void *addr;
+	int fd, written;
+	char buf[24];
+
+	fd = open(path, O_RDONLY);
+	if (fd == -1)
+	{
+		return FALSE;
+	}
+	if (fstat(fd, &sb) == -1)
+	{
+		close(fd);
+		return FALSE;
+	}
+	addr = mmap(NULL, sb.st_size, PROT_READ, MAP_PRIVATE, fd, 0);
+	if (addr == MAP_FAILED)
+	{
+		close(fd);
+		return FALSE;
+	}
+
+	/* FCGX does not like large integers, print to a buffer using libc */
+	snprintf(buf, sizeof(buf), "%lld", (int64_t)sb.st_size);
+	FCGX_FPrintF(this->req.out, "Content-Length: %s\n", buf);
+	if (mime)
+	{
+		FCGX_FPrintF(this->req.out, "Content-Type: %s\n", mime);
+	}
+	FCGX_FPrintF(this->req.out, "\n");
+
+	data = chunk_create(addr, sb.st_size);
+
+	while (data.len)
+	{
+		written = FCGX_PutStr(data.ptr, data.len, this->req.out);
+		if (written == -1)
+		{
+			munmap(addr, sb.st_size);
+			close(fd);
+			return FALSE;
+		}
+		data = chunk_skip(data, written);
+	}
+
+	munmap(addr, sb.st_size);
+	close(fd);
+	return TRUE;
+}
+
+METHOD(fast_request_t, render, void,
+	private_fast_request_t *this, char *template)
+{
+	NEOERR* err;
+
+	thread_this->set(thread_this, this);
+	err = cgi_display(this->cgi, template);
+	if (err)
+	{
+		cgi_neo_error(this->cgi, err);
+		nerr_log_error(err);
+	}
+}
+
+METHOD(fast_request_t, streamf, int,
+	private_fast_request_t *this, char *format, ...)
+{
+	va_list args;
+	int written;
+
+	va_start(args, format);
+	written = FCGX_VFPrintF(this->req.out, format, args);
+	va_end(args);
+	if (written >= 0 &&
+		FCGX_FFlush(this->req.out) == -1)
+	{
+		return -1;
+	}
+	return written;
+}
+
+METHOD(fast_request_t, set, void,
+	private_fast_request_t *this, char *key, char *value)
+{
+	hdf_set_value(this->hdf, key, value);
+}
+
+METHOD(fast_request_t, setf, void,
+	private_fast_request_t *this, char *format, ...)
+{
+	va_list args;
+
+	va_start(args, format);
+	hdf_set_valuevf(this->hdf, format, args);
+	va_end(args);
+}
+
+METHOD(fast_request_t, get_ref, fast_request_t*,
+	private_fast_request_t *this)
+{
+	ref_get(&this->ref);
+	return &this->public;
+}
+
+METHOD(fast_request_t, destroy, void,
+	private_fast_request_t *this)
+{
+	if (ref_put(&this->ref))
+	{
+		thread_this->set(thread_this, this);
+		cgi_destroy(&this->cgi);
+		FCGX_Finish_r(&this->req);
+		free(this);
+	}
+}
+
+/**
+ * This initialization method is guaranteed to run only once
+ * for all threads.
+ */
+static void init(void)
+{
+	cgiwrap_init_emu(NULL, read_cb, writef_cb, write_cb,
+					 getenv_cb, putenv_cb, iterenv_cb);
+	thread_this = thread_value_create(NULL);
+}
+
+/*
+ * see header file
+ */
+fast_request_t *fast_request_create(int fd, bool debug)
+{
+	NEOERR* err;
+	private_fast_request_t *this;
+	bool failed = FALSE;
+
+	INIT(this,
+		.public = {
+			.get_path = _get_path,
+			.get_base = _get_base,
+			.get_host = _get_host,
+			.get_user_agent = _get_user_agent,
+			.add_cookie = _add_cookie,
+			.get_cookie = _get_cookie,
+			.get_query_data = _get_query_data,
+			.get_env_var = _get_env_var,
+			.read_data = _read_data,
+			.session_closed = _session_closed,
+			.close_session = _close_session,
+			.redirect = _redirect,
+			.get_referer = _get_referer,
+			.to_referer = _to_referer,
+			.render = _render,
+			.streamf = _streamf,
+			.serve = _serve,
+			.sendfile = _sendfile,
+			.set = _set,
+			.setf = _setf,
+			.get_ref = _get_ref,
+			.destroy = _destroy,
+		},
+		.ref = 1,
+	);
+
+	thread_cleanup_push(free, this);
+	if (FCGX_InitRequest(&this->req, fd, 0) != 0 ||
+		FCGX_Accept_r(&this->req) != 0)
+	{
+		failed = TRUE;
+	}
+	thread_cleanup_pop(failed);
+	if (failed)
+	{
+		return NULL;
+	}
+
+	pthread_once(&once, init);
+	thread_this->set(thread_this, this);
+
+	while (this->req.envp[this->req_env_len] != NULL)
+	{
+		this->req_env_len++;
+	}
+
+	err = hdf_init(&this->hdf);
+	if (!err)
+	{
+		hdf_set_value(this->hdf, "base", get_base(this));
+		hdf_set_value(this->hdf, "Config.NoCache", "true");
+		if (!debug)
+		{
+			hdf_set_value(this->hdf, "Config.TimeFooter", "0");
+			hdf_set_value(this->hdf, "Config.CompressionEnabled", "1");
+			hdf_set_value(this->hdf, "Config.WhiteSpaceStrip", "2");
+		}
+
+		err = cgi_init(&this->cgi, this->hdf);
+		if (!err)
+		{
+			err = cgi_parse(this->cgi);
+			if (!err)
+			{
+				return &this->public;
+			}
+			cgi_destroy(&this->cgi);
+		}
+	}
+	nerr_log_error(err);
+	FCGX_Finish_r(&this->req);
+	free(this);
+	return NULL;
+}
diff --git a/src/libfast/fast_request.h b/src/libfast/fast_request.h
new file mode 100644
index 000000000..678cf54d5
--- /dev/null
+++ b/src/libfast/fast_request.h
@@ -0,0 +1,217 @@
+/*
+ * Copyright (C) 2007 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup fast_request fast_request
+ * @{ @ingroup libfast
+ */
+
+#ifndef FAST_REQUEST_H_
+#define FAST_REQUEST_H_
+
+#include <fcgiapp.h>
+#include <library.h>
+
+typedef struct fast_request_t fast_request_t;
+
+/**
+ * A HTTP request, encapsulates FCGX_Request.
+ *
+ * The response is also handled through the request object.
+ */
+struct fast_request_t {
+
+	/**
+	 * Add a cookie to the reply (Set-Cookie header).
+	 *
+	 * @param name		name of the cookie to set
+	 * @param value		value of the cookie
+	 */
+	void (*add_cookie)(fast_request_t *this, char *name, char *value);
+
+	/**
+	 * Get a cookie the client sent in the request.
+	 *
+	 * @param name		name of the cookie
+	 * @return			cookie value, NULL if no such cookie found
+	 */
+	char* (*get_cookie)(fast_request_t *this, char *name);
+
+	/**
+	 * Get the request path relative to the application.
+	 *
+	 * @return			path
+	 */
+	char* (*get_path)(fast_request_t *this);
+
+	/**
+	 * Get the base path of the application.
+	 *
+	 * @return			base path
+	 */
+	char* (*get_base)(fast_request_t *this);
+
+	/**
+	 * Get the remote host address of this request.
+	 *
+	 * @return			host address as string
+	 */
+	char* (*get_host)(fast_request_t *this);
+
+	/**
+	 * Get the user agent string.
+	 *
+	 * @return			user agent string
+	 */
+	char* (*get_user_agent)(fast_request_t *this);
+
+	/**
+	 * Get a post/get variable included in the request.
+	 *
+	 * @param name		name of the POST/GET variable
+	 * @return			value, NULL if not found
+	 */
+	char* (*get_query_data)(fast_request_t *this, char *name);
+
+	/**
+	 * Get an arbitrary environment variable.
+	 *
+	 * @param name		name of the environment variable
+	 * @return			value, NULL if not found
+	 */
+	char* (*get_env_var)(fast_request_t *this, char *name);
+
+	/**
+	 * Read raw POST/PUT data from HTTP request.
+	 *
+	 * @param buf		buffer to read data into
+	 * @param len		size of the supplied buffer
+	 * @return			number of bytes read, < 0 on error
+	 */
+	int (*read_data)(fast_request_t *this, char *buf, int len);
+
+	/**
+	 * Close the session and it's context after handling.
+	 */
+	void (*close_session)(fast_request_t *this);
+
+	/**
+	 * Has the session been closed by close_session()?
+	 *
+	 * @return			TRUE if session has been closed
+	 */
+	bool (*session_closed)(fast_request_t *this);
+
+	/**
+	 * Redirect the client to another location.
+	 *
+	 * @param fmt		location format string
+	 * @param ...		variable argument for fmt
+	 */
+	void (*redirect)(fast_request_t *this, char *fmt, ...);
+
+	/**
+	 * Get the HTTP referer.
+	 *
+	 * @return			HTTP referer
+	 */
+	char* (*get_referer)(fast_request_t *this);
+
+	/**
+	 * Redirect back to the referer.
+	 */
+	void (*to_referer)(fast_request_t *this);
+
+	/**
+	 * Set a template value.
+	 *
+	 * @param key		key to set
+	 * @param value		value to set key to
+	 */
+	void (*set)(fast_request_t *this, char *key, char *value);
+
+	/**
+	 * Set a template value using format strings.
+	 *
+	 * Format string is in the form "key=value", where printf like format
+	 * substitution occurs over the whole string.
+	 *
+	 * @param format	printf like format string
+	 * @param ...		variable argument list
+	 */
+	void (*setf)(fast_request_t *this, char *format, ...);
+
+	/**
+	 * Render a template.
+	 *
+	 * The render() function additionally sets a HDF variable "base"
+	 * which points to the root of the web application and allows to point to
+	 * other targets without to worry about path location.
+	 *
+	 * @param template	clearsilver template file location
+	 */
+	void (*render)(fast_request_t *this, char *template);
+
+	/**
+	 * Stream a format string to the client.
+	 *
+	 * Stream is not closed and may be called multiple times to allow
+	 * server-push functionality.
+	 *
+	 * @param format	printf like format string
+	 * @param ...		argmuent list to format string
+	 * @return			number of streamed bytes, < 0 if stream closed
+	 */
+	int (*streamf)(fast_request_t *this, char *format, ...);
+
+	/**
+	 * Serve a request with headers and a body.
+	 *
+	 * @param headers	HTTP headers, \n separated
+	 * @param chunk		body to write to output
+	 */
+	void (*serve)(fast_request_t *this, char *headers, chunk_t chunk);
+
+	/**
+	 * Send a file from the file system.
+	 *
+	 * @param path		path to file to serve
+	 * @param mime		mime type of file to send, or NULL
+	 * @return			TRUE if file served successfully
+	 */
+	bool (*sendfile)(fast_request_t *this, char *path, char *mime);
+
+	/**
+	 * Increase the reference count to the stream.
+	 *
+	 * @return			this with increased refcount
+	 */
+	fast_request_t* (*get_ref)(fast_request_t *this);
+
+	/**
+	 * Destroy the fast_request_t.
+	 */
+	void (*destroy) (fast_request_t *this);
+};
+
+/**
+ * Create a request from the fastcgi struct.
+ *
+ * @param fd			file descripter opened with FCGX_OpenSocket
+ * @param debug			no stripping, no compression, timing information
+ */
+fast_request_t *fast_request_create(int fd, bool debug);
+
+#endif /** REQUEST_H_ @}*/
diff --git a/src/libfast/fast_session.c b/src/libfast/fast_session.c
new file mode 100644
index 000000000..56d4a0443
--- /dev/null
+++ b/src/libfast/fast_session.c
@@ -0,0 +1,228 @@
+/*
+ * Copyright (C) 2007 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#define _GNU_SOURCE
+
+#include "fast_session.h"
+
+#include <string.h>
+#include <fcgiapp.h>
+#include <stdio.h>
+
+#include <collections/linked_list.h>
+
+#define COOKIE_LEN 16
+
+typedef struct private_fast_session_t private_fast_session_t;
+
+/**
+ * private data of the task manager
+ */
+struct private_fast_session_t {
+
+	/**
+	 * public functions
+	 */
+	fast_session_t public;
+
+	/**
+	 * session ID
+	 */
+	char sid[COOKIE_LEN * 2 + 1];
+
+	/**
+	 * have we sent the session cookie?
+	 */
+	bool cookie_sent;
+
+	/**
+	 * list of controller instances controller_t
+	 */
+	linked_list_t *controllers;
+
+	/**
+	 * list of filter instances filter_t
+	 */
+	linked_list_t *filters;
+
+	/**
+	 * user defined session context
+	 */
+	fast_context_t *context;
+};
+
+METHOD(fast_session_t, add_controller, void,
+	private_fast_session_t *this, fast_controller_t *controller)
+{
+	this->controllers->insert_last(this->controllers, controller);
+}
+
+METHOD(fast_session_t, add_filter, void,
+	private_fast_session_t *this, fast_filter_t *filter)
+{
+	this->filters->insert_last(this->filters, filter);
+}
+
+/**
+ * Create a session ID and a cookie
+ */
+static bool create_sid(private_fast_session_t *this)
+{
+	char buf[COOKIE_LEN];
+	rng_t *rng;
+
+	rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
+	if (!rng)
+	{
+		return FALSE;
+	}
+	if (!rng->get_bytes(rng, sizeof(buf), buf))
+	{
+		rng->destroy(rng);
+		return FALSE;
+	}
+	rng->destroy(rng);
+	chunk_to_hex(chunk_create(buf, sizeof(buf)), this->sid, FALSE);
+	return TRUE;
+}
+
+/**
+ * run all registered filters
+ */
+static bool run_filter(private_fast_session_t *this, fast_request_t *request,
+					char *p0, char *p1, char *p2, char *p3, char *p4, char *p5)
+{
+	enumerator_t *enumerator;
+	fast_filter_t *filter;
+
+	enumerator = this->filters->create_enumerator(this->filters);
+	while (enumerator->enumerate(enumerator, &filter))
+	{
+		if (!filter->run(filter, request, p0, p1, p2, p3, p4, p5))
+		{
+			enumerator->destroy(enumerator);
+			return FALSE;
+		}
+	}
+	enumerator->destroy(enumerator);
+	return TRUE;
+}
+
+METHOD(fast_session_t, process, void,
+	private_fast_session_t *this, fast_request_t *request)
+{
+	char *pos, *start, *param[6] = {NULL, NULL, NULL, NULL, NULL, NULL};
+	enumerator_t *enumerator;
+	bool handled = FALSE;
+	fast_controller_t *current;
+	int i = 0;
+
+	if (!this->cookie_sent)
+	{
+		request->add_cookie(request, "SID", this->sid);
+		this->cookie_sent = TRUE;
+	}
+
+	start = request->get_path(request);
+	if (start)
+	{
+		if (*start == '/')
+		{
+			start++;
+		}
+		while ((pos = strchr(start, '/')) != NULL && i < 5)
+		{
+			param[i++] = strndupa(start, pos - start);
+			start = pos + 1;
+		}
+		param[i] = strdupa(start);
+
+		if (run_filter(this, request, param[0], param[1], param[2], param[3],
+						param[4], param[5]))
+		{
+			enumerator = this->controllers->create_enumerator(this->controllers);
+			while (enumerator->enumerate(enumerator, &current))
+			{
+				if (streq(current->get_name(current), param[0]))
+				{
+					current->handle(current, request, param[1], param[2],
+									param[3], param[4], param[5]);
+					handled = TRUE;
+					break;
+				}
+			}
+			enumerator->destroy(enumerator);
+		}
+		else
+		{
+			handled = TRUE;
+		}
+	}
+	if (!handled)
+	{
+		if (this->controllers->get_first(this->controllers,
+										 (void**)&current) == SUCCESS)
+		{
+			request->streamf(request,
+				"Status: 301 Moved permanently\nLocation: %s/%s\n\n",
+				request->get_base(request), current->get_name(current));
+		}
+	}
+}
+
+METHOD(fast_session_t, get_sid, char*,
+	private_fast_session_t *this)
+{
+	return this->sid;
+}
+
+METHOD(fast_session_t, destroy, void,
+	private_fast_session_t *this)
+{
+	this->controllers->destroy_offset(this->controllers,
+									  offsetof(fast_controller_t, destroy));
+	this->filters->destroy_offset(this->filters,
+									  offsetof(fast_filter_t, destroy));
+	DESTROY_IF(this->context);
+	free(this);
+}
+
+/*
+ * see header file
+ */
+fast_session_t *fast_session_create(fast_context_t *context)
+{
+	private_fast_session_t *this;
+
+	INIT(this,
+		.public = {
+			.add_controller = _add_controller,
+			.add_filter = _add_filter,
+			.process = _process,
+			.get_sid = _get_sid,
+			.destroy = _destroy,
+		},
+		.controllers = linked_list_create(),
+		.filters = linked_list_create(),
+		.context = context,
+	);
+	if (!create_sid(this))
+	{
+		destroy(this);
+		return NULL;
+	}
+
+	return &this->public;
+}
diff --git a/src/libfast/fast_session.h b/src/libfast/fast_session.h
new file mode 100644
index 000000000..2ff450b93
--- /dev/null
+++ b/src/libfast/fast_session.h
@@ -0,0 +1,77 @@
+/*
+ * Copyright (C) 2007 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup fast_session fast_session
+ * @{ @ingroup libfast
+ */
+
+#ifndef FAST_SESSION_H_
+#define FAST_SESSION_H_
+
+#include "fast_request.h"
+#include "fast_controller.h"
+#include "fast_filter.h"
+
+typedef struct fast_session_t fast_session_t;
+
+/**
+ * Session handling class, instanciated for each user session.
+ */
+struct fast_session_t {
+
+	/**
+	 * Get the session ID of the session.
+	 *
+	 * @return				session ID
+	 */
+	char* (*get_sid)(fast_session_t *this);
+
+	/**
+	 * Add a controller instance to the session.
+	 *
+	 * @param controller	controller to add
+	 */
+	void (*add_controller)(fast_session_t *this, fast_controller_t *controller);
+
+	/**
+	 * Add a filter instance to the session.
+	 *
+	 * @param filter		filter to add
+	 */
+	void (*add_filter)(fast_session_t *this, fast_filter_t *filter);
+
+	/**
+	 * Process a request in this session.
+	 *
+	 * @param request		request to process
+	 */
+	void (*process)(fast_session_t *this, fast_request_t *request);
+
+	/**
+	 * Destroy the fast_session_t.
+	 */
+	void (*destroy) (fast_session_t *this);
+};
+
+/**
+ * Create a session new session.
+ *
+ * @param context		user defined session context instance
+ * @return				client session, NULL on error
+ */
+fast_session_t *fast_session_create(fast_context_t *context);
+
+#endif /** SESSION_H_ @}*/
diff --git a/src/libfast/fast_smtp.c b/src/libfast/fast_smtp.c
new file mode 100644
index 000000000..89e74d79b
--- /dev/null
+++ b/src/libfast/fast_smtp.c
@@ -0,0 +1,187 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "fast_smtp.h"
+
+#include <unistd.h>
+#include <errno.h>
+
+#include <utils/debug.h>
+
+typedef struct private_fast_smtp_t private_fast_smtp_t;
+
+/**
+ * Private data of an fast_smtp_t object.
+ */
+struct private_fast_smtp_t {
+
+	/**
+	 * Public fast_smtp_t interface.
+	 */
+	fast_smtp_t public;
+
+	/**
+	 * file stream to SMTP server
+	 */
+	FILE *f;
+};
+
+/**
+ * Read the response code from an SMTP server
+ */
+static int read_response(private_fast_smtp_t *this)
+{
+	char buf[256], *end;
+	int res = 0;
+
+	while (TRUE)
+	{
+		if (!fgets(buf, sizeof(buf), this->f))
+		{
+			return 0;
+		}
+		res = strtol(buf, &end, 10);
+		switch (*end)
+		{
+			case '-':
+				continue;
+			case ' ':
+			case '\0':
+			case '\n':
+				break;
+			default:
+				return 0;
+		}
+		break;
+	}
+	return res;
+}
+
+/**
+ * write a SMTP command to the server, read response code
+ */
+static int write_cmd(private_fast_smtp_t *this, char *fmt, ...)
+{
+	char buf[256];
+	va_list args;
+
+	va_start(args, fmt);
+	vsnprintf(buf, sizeof(buf), fmt, args);
+	va_end(args);
+
+	if (fprintf(this->f, "%s\n", buf) < 1)
+	{
+		DBG1(DBG_LIB, "sending SMTP command failed");
+		return 0;
+	}
+	return read_response(this);
+}
+
+METHOD(fast_smtp_t, send_mail, bool,
+	private_fast_smtp_t *this, char *from, char *to, char *subject, char *fmt, ...)
+{
+	va_list args;
+
+	if (write_cmd(this, "MAIL FROM:<%s>", from) != 250)
+	{
+		DBG1(DBG_LIB, "SMTP MAIL FROM failed");
+		return FALSE;
+	}
+	if (write_cmd(this, "RCPT TO:<%s>", to) != 250)
+	{
+		DBG1(DBG_LIB, "SMTP RCPT TO failed");
+		return FALSE;
+	}
+	if (write_cmd(this, "DATA") != 354)
+	{
+		DBG1(DBG_LIB, "SMTP DATA failed");
+		return FALSE;
+	}
+
+	fprintf(this->f, "From: %s\n", from);
+	fprintf(this->f, "To: %s\n", to);
+	fprintf(this->f, "Subject: %s\n", subject);
+	fprintf(this->f, "\n");
+	va_start(args, fmt);
+	vfprintf(this->f, fmt, args);
+	va_end(args);
+	fprintf(this->f, "\n.\n");
+	return read_response(this) == 250;
+}
+
+
+METHOD(fast_smtp_t, destroy, void,
+	private_fast_smtp_t *this)
+{
+	write_cmd(this, "QUIT");
+	fclose(this->f);
+	free(this);
+}
+
+/**
+ * See header
+ */
+fast_smtp_t *fast_smtp_create()
+{
+	private_fast_smtp_t *this;
+	struct sockaddr_in addr = {
+		.sin_family = AF_INET,
+		.sin_port = htons(25),
+		.sin_addr = {
+			.s_addr = htonl(INADDR_LOOPBACK),
+		},
+	};
+	int s;
+
+	INIT(this,
+		.public = {
+			.send_mail = _send_mail,
+			.destroy = _destroy,
+		},
+	);
+
+	s = socket(AF_INET, SOCK_STREAM, 0);
+	if (s < 0)
+	{
+		DBG1(DBG_LIB, "opening SMTP socket failed: %s", strerror(errno));
+		free(this);
+		return NULL;
+	}
+	if (connect(s, (struct sockaddr*)&addr, sizeof(addr)) < 0)
+	{
+		DBG1(DBG_LIB, "connecting to SMTP server failed: %s", strerror(errno));
+		close(s);
+		free(this);
+		return NULL;
+	}
+	this->f = fdopen(s, "a+");
+	if (!this->f)
+	{
+		DBG1(DBG_LIB, "opening stream to SMTP server failed: %s",
+			 strerror(errno));
+		close(s);
+		free(this);
+		return NULL;
+	}
+	if (read_response(this) != 220 ||
+		write_cmd(this, "EHLO localhost") != 250)
+	{
+		DBG1(DBG_LIB, "SMTP EHLO failed");
+		fclose(this->f);
+		free(this);
+		return NULL;
+	}
+	return &this->public;
+}
diff --git a/src/libfast/fast_smtp.h b/src/libfast/fast_smtp.h
new file mode 100644
index 000000000..962ba2cc7
--- /dev/null
+++ b/src/libfast/fast_smtp.h
@@ -0,0 +1,56 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup fast_smtp fast_smtp
+ * @{ @ingroup libfast
+ */
+
+#ifndef FAST_SMTP_H_
+#define FAST_SMTP_H_
+
+typedef struct fast_smtp_t fast_smtp_t;
+
+#include <library.h>
+
+/**
+ * Ultra-minimalistic SMTP client. Works at most with Exim on localhost.
+ */
+struct fast_smtp_t {
+
+	/**
+	 * Send an e-mail message.
+	 *
+	 * @param from		sender address
+	 * @param to		recipient address
+	 * @param subject	mail subject
+	 * @param fmt		mail body format string
+	 * @param ...		arguments for body format string
+	 */
+	bool (*send_mail)(fast_smtp_t *this, char *from, char *to,
+					  char *subject, char *fmt, ...);
+
+	/**
+	 * Destroy a fast_smtp_t.
+	 */
+	void (*destroy)(fast_smtp_t *this);
+};
+
+/**
+ * Create a smtp instance.
+ */
+fast_smtp_t *fast_smtp_create();
+
+#endif /** FAST_SMTP_H_ @}*/
diff --git a/src/libfast/filter.h b/src/libfast/filter.h
deleted file mode 100644
index 305a8bb6e..000000000
--- a/src/libfast/filter.h
+++ /dev/null
@@ -1,63 +0,0 @@
-/*
- * Copyright (C) 2008 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/*
- * @defgroup filter filter
- * @{ @ingroup libfast
- */
-
-#ifndef FILTER_H_
-#define FILTER_H_
-
-#include "request.h"
-#include "context.h"
-#include "controller.h"
-
-typedef struct filter_t filter_t;
-
-/**
- * Constructor function for a filter
- *
- * @param context		session specific context
- * @param param			user supplied param
- */
-typedef filter_t *(*filter_constructor_t)(context_t* context, void *param);
-
-/**
- * Filter interface, to be implemented by users filters.
- */
-struct filter_t {
-
-	/**
-	 * Called before the controller handles the request.
-	 *
-	 * @param request		HTTP request
-	 * @param p1			first parameter
-	 * @param p2			second parameter
-	 * @param p3			third parameter
-	 * @param p4			forth parameter
-	 * @param p5			fifth parameter
-	 * @return				TRUE to continue request handling
-	 */
-	bool (*run)(filter_t *this, request_t *request,
-				char *p0, char *p1, char *p2, char *p3, char *p4, char *p5);
-
-	/**
-	 * Destroy the filter instance.
-	 */
-	void (*destroy) (filter_t *this);
-};
-
-#endif /* FILTER_H_ @} */
diff --git a/src/libfast/request.c b/src/libfast/request.c
deleted file mode 100644
index 5d03227af..000000000
--- a/src/libfast/request.c
+++ /dev/null
@@ -1,499 +0,0 @@
-/*
- * Copyright (C) 2007 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#define _GNU_SOURCE
-
-#include "request.h"
-
-#include <library.h>
-#include <utils/debug.h>
-#include <stdlib.h>
-#include <pthread.h>
-#include <string.h>
-#include <unistd.h>
-#include <sys/mman.h>
-#include <sys/stat.h>
-#include <fcntl.h>
-
-#include <ClearSilver/ClearSilver.h>
-
-#include <threading/thread.h>
-#include <threading/thread_value.h>
-
-typedef struct private_request_t private_request_t;
-
-/**
- * private data of the task manager
- */
-struct private_request_t {
-
-	/**
-	 * public functions
-	 */
-	request_t public;
-
-	/**
-	 * FastCGI request object
-	 */
-	FCGX_Request req;
-
-	/**
-	 * length of the req.envp array
-	 */
-	int req_env_len;
-
-	/**
-	 * ClearSilver CGI Kit context
-	 */
-	CGI *cgi;
-
-	/**
-	 * ClearSilver HDF dataset for this request
-	 */
-	HDF *hdf;
-
-	/**
-	 * close the session?
-	 */
-	bool closed;
-
-	/**
-	 * reference count
-	 */
-	refcount_t ref;
-};
-
-/**
- * ClearSilver cgiwrap is not threadsave, so we use a private
- * context for each thread.
- */
-static thread_value_t *thread_this;
-
-/**
- * control variable for pthread_once
- */
-pthread_once_t once = PTHREAD_ONCE_INIT;
-
-/**
- * fcgiwrap read callback
- */
-static int read_cb(void *null, char *buf, int size)
-{
-	private_request_t *this = (private_request_t*)thread_this->get(thread_this);
-
-	return FCGX_GetStr(buf, size, this->req.in);
-}
-
-/**
- * fcgiwrap writef callback
- */
-static int writef_cb(void *null, const char *format, va_list args)
-{
-	private_request_t *this = (private_request_t*)thread_this->get(thread_this);
-
-	FCGX_VFPrintF(this->req.out, format, args);
-	return 0;
-}
-/**
- * fcgiwrap write callback
- */
-static int write_cb(void *null, const char *buf, int size)
-{
-	private_request_t *this = (private_request_t*)thread_this->get(thread_this);
-
-	return FCGX_PutStr(buf, size, this->req.out);
-}
-
-/**
- * fcgiwrap getenv callback
- */
-static char *getenv_cb(void *null, const char *key)
-{
-	char *value;
-	private_request_t *this = (private_request_t*)thread_this->get(thread_this);
-
-	value = FCGX_GetParam(key, this->req.envp);
-	return strdupnull(value);
-}
-
-/**
- * fcgiwrap getenv callback
- */
-static int putenv_cb(void *null, const char *key, const char *value)
-{
-	/* not supported */
-	return 1;
-}
-
-/**
- * fcgiwrap iterenv callback
- */
-static int iterenv_cb(void *null, int num, char **key, char **value)
-{
-	*key = NULL;
-	*value = NULL;
-	private_request_t *this = (private_request_t*)thread_this->get(thread_this);
-	if (num < this->req_env_len)
-	{
-		char *eq;
-
-		eq = strchr(this->req.envp[num], '=');
-		if (eq)
-		{
-			*key = strndup(this->req.envp[num], eq - this->req.envp[num]);
-			*value = strdup(eq + 1);
-		}
-		if (*key == NULL || *value == NULL)
-		{
-			free(*key);
-			free(*value);
-			return 1;
-		}
-	}
-	return 0;
-}
-
-METHOD(request_t, get_cookie, char*,
-	private_request_t *this, char *name)
-{
-	return hdf_get_valuef(this->hdf, "Cookie.%s", name);
-}
-
-METHOD(request_t, get_path, char*,
-	private_request_t *this)
-{
-	char * path = FCGX_GetParam("PATH_INFO", this->req.envp);
-	return path ? path : "";
-}
-
-METHOD(request_t, get_host, char*,
-	private_request_t *this)
-{
-	char *addr = FCGX_GetParam("REMOTE_ADDR", this->req.envp);
-	return addr ? addr : "";
-}
-
-METHOD(request_t, get_user_agent, char*,
-	private_request_t *this)
-{
-	char *agent = FCGX_GetParam("HTTP_USER_AGENT", this->req.envp);
-	return agent ? agent : "";
-}
-
-METHOD(request_t, get_query_data, char*,
-	private_request_t *this, char *name)
-{
-	return hdf_get_valuef(this->hdf, "Query.%s", name);
-}
-
-METHOD(request_t, get_env_var, char*,
-	private_request_t *this, char *name)
-{
-	return FCGX_GetParam(name, this->req.envp);
-}
-
-METHOD(request_t, read_data, int,
-	private_request_t *this, char *buf, int len)
-{
-	return FCGX_GetStr(buf, len, this->req.in);
-}
-
-METHOD(request_t, get_base, char*,
-	private_request_t *this)
-{
-	return FCGX_GetParam("SCRIPT_NAME", this->req.envp);
-}
-
-METHOD(request_t, add_cookie, void,
-	private_request_t *this, char *name, char *value)
-{
-	thread_this->set(thread_this, this);
-	cgi_cookie_set(this->cgi, name, value, NULL, NULL, NULL, 0, 0);
-}
-
-METHOD(request_t, redirect, void,
-	private_request_t *this, char *fmt, ...)
-{
-	va_list args;
-
-	FCGX_FPrintF(this->req.out, "Status: 303 See Other\n");
-	FCGX_FPrintF(this->req.out, "Location: %s%s", get_base(this),
-				 *fmt == '/' ? "" : "/");
-	va_start(args, fmt);
-	FCGX_VFPrintF(this->req.out, fmt, args);
-	va_end(args);
-	FCGX_FPrintF(this->req.out, "\n\n");
-}
-
-METHOD(request_t, get_referer, char*,
-	private_request_t *this)
-{
-	return FCGX_GetParam("HTTP_REFERER", this->req.envp);
-}
-
-METHOD(request_t, to_referer, void,
-	private_request_t *this)
-{
-	char *referer;
-
-	referer = get_referer(this);
-	if (referer)
-	{
-		FCGX_FPrintF(this->req.out, "Status: 303 See Other\n");
-		FCGX_FPrintF(this->req.out, "Location: %s\n\n", referer);
-	}
-	else
-	{
-		redirect(this, "/");
-	}
-}
-
-METHOD(request_t, session_closed, bool,
-	private_request_t *this)
-{
-	return this->closed;
-}
-
-METHOD(request_t, close_session, void,
-	private_request_t *this)
-{
-	this->closed = TRUE;
-}
-
-METHOD(request_t, serve, void,
-	private_request_t *this, char *headers, chunk_t chunk)
-{
-	FCGX_FPrintF(this->req.out, "%s\n\n", headers);
-
-	FCGX_PutStr(chunk.ptr, chunk.len, this->req.out);
-}
-
-METHOD(request_t, sendfile, bool,
-	private_request_t *this, char *path, char *mime)
-{
-	struct stat sb;
-	chunk_t data;
-	void *addr;
-	int fd, written;
-	char buf[24];
-
-	fd = open(path, O_RDONLY);
-	if (fd == -1)
-	{
-		return FALSE;
-	}
-	if (fstat(fd, &sb) == -1)
-	{
-		close(fd);
-		return FALSE;
-	}
-	addr = mmap(NULL, sb.st_size, PROT_READ, MAP_PRIVATE, fd, 0);
-	if (addr == MAP_FAILED)
-	{
-		close(fd);
-		return FALSE;
-	}
-
-	/* FCGX does not like large integers, print to a buffer using libc */
-	snprintf(buf, sizeof(buf), "%lld", (int64_t)sb.st_size);
-	FCGX_FPrintF(this->req.out, "Content-Length: %s\n", buf);
-	if (mime)
-	{
-		FCGX_FPrintF(this->req.out, "Content-Type: %s\n", mime);
-	}
-	FCGX_FPrintF(this->req.out, "\n");
-
-	data = chunk_create(addr, sb.st_size);
-
-	while (data.len)
-	{
-		written = FCGX_PutStr(data.ptr, data.len, this->req.out);
-		if (written == -1)
-		{
-			munmap(addr, sb.st_size);
-			close(fd);
-			return FALSE;
-		}
-		data = chunk_skip(data, written);
-	}
-
-	munmap(addr, sb.st_size);
-	close(fd);
-	return TRUE;
-}
-
-METHOD(request_t, render, void,
-	private_request_t *this, char *template)
-{
-	NEOERR* err;
-
-	thread_this->set(thread_this, this);
-	err = cgi_display(this->cgi, template);
-	if (err)
-	{
-		cgi_neo_error(this->cgi, err);
-		nerr_log_error(err);
-	}
-}
-
-METHOD(request_t, streamf, int,
-	private_request_t *this, char *format, ...)
-{
-	va_list args;
-	int written;
-
-	va_start(args, format);
-	written = FCGX_VFPrintF(this->req.out, format, args);
-	va_end(args);
-	if (written >= 0 &&
-		FCGX_FFlush(this->req.out) == -1)
-	{
-		return -1;
-	}
-	return written;
-}
-
-METHOD(request_t, set, void,
-	private_request_t *this, char *key, char *value)
-{
-	hdf_set_value(this->hdf, key, value);
-}
-
-METHOD(request_t, setf, void,
-	private_request_t *this, char *format, ...)
-{
-	va_list args;
-
-	va_start(args, format);
-	hdf_set_valuevf(this->hdf, format, args);
-	va_end(args);
-}
-
-METHOD(request_t, get_ref, request_t*,
-	private_request_t *this)
-{
-	ref_get(&this->ref);
-	return &this->public;
-}
-
-METHOD(request_t, destroy, void,
-	private_request_t *this)
-{
-	if (ref_put(&this->ref))
-	{
-		thread_this->set(thread_this, this);
-		cgi_destroy(&this->cgi);
-		FCGX_Finish_r(&this->req);
-		free(this);
-	}
-}
-
-/**
- * This initialization method is guaranteed to run only once
- * for all threads.
- */
-static void init(void)
-{
-	cgiwrap_init_emu(NULL, read_cb, writef_cb, write_cb,
-					 getenv_cb, putenv_cb, iterenv_cb);
-	thread_this = thread_value_create(NULL);
-}
-
-/*
- * see header file
- */
-request_t *request_create(int fd, bool debug)
-{
-	NEOERR* err;
-	private_request_t *this;
-	bool failed = FALSE;
-
-	INIT(this,
-		.public = {
-			.get_path = _get_path,
-			.get_base = _get_base,
-			.get_host = _get_host,
-			.get_user_agent = _get_user_agent,
-			.add_cookie = _add_cookie,
-			.get_cookie = _get_cookie,
-			.get_query_data = _get_query_data,
-			.get_env_var = _get_env_var,
-			.read_data = _read_data,
-			.session_closed = _session_closed,
-			.close_session = _close_session,
-			.redirect = _redirect,
-			.get_referer = _get_referer,
-			.to_referer = _to_referer,
-			.render = _render,
-			.streamf = _streamf,
-			.serve = _serve,
-			.sendfile = _sendfile,
-			.set = _set,
-			.setf = _setf,
-			.get_ref = _get_ref,
-			.destroy = _destroy,
-		},
-		.ref = 1,
-	);
-
-	thread_cleanup_push(free, this);
-	if (FCGX_InitRequest(&this->req, fd, 0) != 0 ||
-		FCGX_Accept_r(&this->req) != 0)
-	{
-		failed = TRUE;
-	}
-	thread_cleanup_pop(failed);
-	if (failed)
-	{
-		return NULL;
-	}
-
-	pthread_once(&once, init);
-	thread_this->set(thread_this, this);
-
-	while (this->req.envp[this->req_env_len] != NULL)
-	{
-		this->req_env_len++;
-	}
-
-	err = hdf_init(&this->hdf);
-	if (!err)
-	{
-		hdf_set_value(this->hdf, "base", get_base(this));
-		hdf_set_value(this->hdf, "Config.NoCache", "true");
-		if (!debug)
-		{
-			hdf_set_value(this->hdf, "Config.TimeFooter", "0");
-			hdf_set_value(this->hdf, "Config.CompressionEnabled", "1");
-			hdf_set_value(this->hdf, "Config.WhiteSpaceStrip", "2");
-		}
-
-		err = cgi_init(&this->cgi, this->hdf);
-		if (!err)
-		{
-			err = cgi_parse(this->cgi);
-			if (!err)
-			{
-				return &this->public;
-			}
-			cgi_destroy(&this->cgi);
-		}
-	}
-	nerr_log_error(err);
-	FCGX_Finish_r(&this->req);
-	free(this);
-	return NULL;
-}
-
diff --git a/src/libfast/request.h b/src/libfast/request.h
deleted file mode 100644
index 63a465bb8..000000000
--- a/src/libfast/request.h
+++ /dev/null
@@ -1,217 +0,0 @@
-/*
- * Copyright (C) 2007 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup request request
- * @{ @ingroup libfast
- */
-
-#ifndef REQUEST_H_
-#define REQUEST_H_
-
-#include <fcgiapp.h>
-#include <library.h>
-
-typedef struct request_t request_t;
-
-/**
- * A HTTP request, encapsulates FCGX_Request.
- *
- * The response is also handled through the request object.
- */
-struct request_t {
-
-	/**
-	 * Add a cookie to the reply (Set-Cookie header).
-	 *
-	 * @param name		name of the cookie to set
-	 * @param value		value of the cookie
-	 */
-	void (*add_cookie)(request_t *this, char *name, char *value);
-
-	/**
-	 * Get a cookie the client sent in the request.
-	 *
-	 * @param name		name of the cookie
-	 * @return			cookie value, NULL if no such cookie found
-	 */
-	char* (*get_cookie)(request_t *this, char *name);
-
-	/**
-	 * Get the request path relative to the application.
-	 *
-	 * @return			path
-	 */
-	char* (*get_path)(request_t *this);
-
-	/**
-	 * Get the base path of the application.
-	 *
-	 * @return			base path
-	 */
-	char* (*get_base)(request_t *this);
-
-	/**
-	 * Get the remote host address of this request.
-	 *
-	 * @return			host address as string
-	 */
-	char* (*get_host)(request_t *this);
-
-	/**
-	 * Get the user agent string.
-	 *
-	 * @return			user agent string
-	 */
-	char* (*get_user_agent)(request_t *this);
-
-	/**
-	 * Get a post/get variable included in the request.
-	 *
-	 * @param name		name of the POST/GET variable
-	 * @return			value, NULL if not found
-	 */
-	char* (*get_query_data)(request_t *this, char *name);
-
-	/**
-	 * Get an arbitrary environment variable.
-	 *
-	 * @param name		name of the environment variable
-	 * @return			value, NULL if not found
-	 */
-	char* (*get_env_var)(request_t *this, char *name);
-
-	/**
-	 * Read raw POST/PUT data from HTTP request.
-	 *
-	 * @param buf		buffer to read data into
-	 * @param len		size of the supplied buffer
-	 * @return			number of bytes read, < 0 on error
-	 */
-	int (*read_data)(request_t *this, char *buf, int len);
-
-	/**
-	 * Close the session and it's context after handling.
-	 */
-	void (*close_session)(request_t *this);
-
-	/**
-	 * Has the session been closed by close_session()?
-	 *
-	 * @return			TRUE if session has been closed
-	 */
-	bool (*session_closed)(request_t *this);
-
-	/**
-	 * Redirect the client to another location.
-	 *
-	 * @param fmt		location format string
-	 * @param ...		variable argument for fmt
-	 */
-	void (*redirect)(request_t *this, char *fmt, ...);
-
-	/**
-	 * Get the HTTP referer.
-	 *
-	 * @return			HTTP referer
-	 */
-	char* (*get_referer)(request_t *this);
-
-	/**
-	 * Redirect back to the referer.
-	 */
-	void (*to_referer)(request_t *this);
-
-	/**
-	 * Set a template value.
-	 *
-	 * @param key		key to set
-	 * @param value		value to set key to
-	 */
-	void (*set)(request_t *this, char *key, char *value);
-
-	/**
-	 * Set a template value using format strings.
-	 *
-	 * Format string is in the form "key=value", where printf like format
-	 * substitution occurs over the whole string.
-	 *
-	 * @param format	printf like format string
-	 * @param ...		variable argument list
-	 */
-	void (*setf)(request_t *this, char *format, ...);
-
-	/**
-	 * Render a template.
-	 *
-	 * The render() function additionally sets a HDF variable "base"
-	 * which points to the root of the web application and allows to point to
-	 * other targets without to worry about path location.
-	 *
-	 * @param template	clearsilver template file location
-	 */
-	void (*render)(request_t *this, char *template);
-
-	/**
-	 * Stream a format string to the client.
-	 *
-	 * Stream is not closed and may be called multiple times to allow
-	 * server-push functionality.
-	 *
-	 * @param format	printf like format string
-	 * @param ...		argmuent list to format string
-	 * @return			number of streamed bytes, < 0 if stream closed
-	 */
-	int (*streamf)(request_t *this, char *format, ...);
-
-	/**
-	 * Serve a request with headers and a body.
-	 *
-	 * @param headers	HTTP headers, \n separated
-	 * @param chunk		body to write to output
-	 */
-	void (*serve)(request_t *this, char *headers, chunk_t chunk);
-
-	/**
-	 * Send a file from the file system.
-	 *
-	 * @param path		path to file to serve
-	 * @param mime		mime type of file to send, or NULL
-	 * @return			TRUE if file served successfully
-	 */
-	bool (*sendfile)(request_t *this, char *path, char *mime);
-
-	/**
-	 * Increase the reference count to the stream.
-	 *
-	 * @return			this with increased refcount
-	 */
-	request_t* (*get_ref)(request_t *this);
-
-	/**
-	 * Destroy the request_t.
-	 */
-	void (*destroy) (request_t *this);
-};
-
-/**
- * Create a request from the fastcgi struct.
- *
- * @param fd			file descripter opened with FCGX_OpenSocket
- * @param debug			no stripping, no compression, timing information
- */
-request_t *request_create(int fd, bool debug);
-
-#endif /** REQUEST_H_ @}*/
diff --git a/src/libfast/session.c b/src/libfast/session.c
deleted file mode 100644
index 87a157b61..000000000
--- a/src/libfast/session.c
+++ /dev/null
@@ -1,227 +0,0 @@
-/*
- * Copyright (C) 2007 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#define _GNU_SOURCE
-
-#include "session.h"
-
-#include <string.h>
-#include <fcgiapp.h>
-#include <stdio.h>
-
-#include <collections/linked_list.h>
-
-#define COOKIE_LEN 16
-
-typedef struct private_session_t private_session_t;
-
-/**
- * private data of the task manager
- */
-struct private_session_t {
-
-	/**
-	 * public functions
-	 */
-	session_t public;
-
-	/**
-	 * session ID
-	 */
-	char sid[COOKIE_LEN * 2 + 1];
-
-	/**
-	 * have we sent the session cookie?
-	 */
-	bool cookie_sent;
-
-	/**
-	 * list of controller instances controller_t
-	 */
-	linked_list_t *controllers;
-
-	/**
-	 * list of filter instances filter_t
-	 */
-	linked_list_t *filters;
-
-	/**
-	 * user defined session context
-	 */
-	context_t *context;
-};
-
-METHOD(session_t, add_controller, void,
-	private_session_t *this, controller_t *controller)
-{
-	this->controllers->insert_last(this->controllers, controller);
-}
-
-METHOD(session_t, add_filter, void,
-	private_session_t *this, filter_t *filter)
-{
-	this->filters->insert_last(this->filters, filter);
-}
-
-/**
- * Create a session ID and a cookie
- */
-static bool create_sid(private_session_t *this)
-{
-	char buf[COOKIE_LEN];
-	rng_t *rng;
-
-	rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
-	if (!rng)
-	{
-		return FALSE;
-	}
-	if (!rng->get_bytes(rng, sizeof(buf), buf))
-	{
-		rng->destroy(rng);
-		return FALSE;
-	}
-	rng->destroy(rng);
-	chunk_to_hex(chunk_create(buf, sizeof(buf)), this->sid, FALSE);
-	return TRUE;
-}
-
-/**
- * run all registered filters
- */
-static bool run_filter(private_session_t *this, request_t *request, char *p0,
-					   char *p1, char *p2, char *p3, char *p4, char *p5)
-{
-	enumerator_t *enumerator;
-	filter_t *filter;
-
-	enumerator = this->filters->create_enumerator(this->filters);
-	while (enumerator->enumerate(enumerator, &filter))
-	{
-		if (!filter->run(filter, request, p0, p1, p2, p3, p4, p5))
-		{
-			enumerator->destroy(enumerator);
-			return FALSE;
-		}
-	}
-	enumerator->destroy(enumerator);
-	return TRUE;
-}
-
-METHOD(session_t, process, void,
-	private_session_t *this, request_t *request)
-{
-	char *pos, *start, *param[6] = {NULL, NULL, NULL, NULL, NULL, NULL};
-	enumerator_t *enumerator;
-	bool handled = FALSE;
-	controller_t *current;
-	int i = 0;
-
-	if (!this->cookie_sent)
-	{
-		request->add_cookie(request, "SID", this->sid);
-		this->cookie_sent = TRUE;
-	}
-
-	start = request->get_path(request);
-	if (start)
-	{
-		if (*start == '/')
-		{
-			start++;
-		}
-		while ((pos = strchr(start, '/')) != NULL && i < 5)
-		{
-			param[i++] = strndupa(start, pos - start);
-			start = pos + 1;
-		}
-		param[i] = strdupa(start);
-
-		if (run_filter(this, request, param[0], param[1], param[2], param[3],
-						param[4], param[5]))
-		{
-			enumerator = this->controllers->create_enumerator(this->controllers);
-			while (enumerator->enumerate(enumerator, &current))
-			{
-				if (streq(current->get_name(current), param[0]))
-				{
-					current->handle(current, request, param[1], param[2],
-									param[3], param[4], param[5]);
-					handled = TRUE;
-					break;
-				}
-			}
-			enumerator->destroy(enumerator);
-		}
-		else
-		{
-			handled = TRUE;
-		}
-	}
-	if (!handled)
-	{
-		if (this->controllers->get_first(this->controllers,
-										 (void**)&current) == SUCCESS)
-		{
-			request->streamf(request,
-				"Status: 301 Moved permanently\nLocation: %s/%s\n\n",
-				request->get_base(request), current->get_name(current));
-		}
-	}
-}
-
-METHOD(session_t, get_sid, char*,
-	private_session_t *this)
-{
-	return this->sid;
-}
-
-METHOD(session_t, destroy, void,
-	private_session_t *this)
-{
-	this->controllers->destroy_offset(this->controllers, offsetof(controller_t, destroy));
-	this->filters->destroy_offset(this->filters, offsetof(filter_t, destroy));
-	DESTROY_IF(this->context);
-	free(this);
-}
-
-/*
- * see header file
- */
-session_t *session_create(context_t *context)
-{
-	private_session_t *this;
-
-	INIT(this,
-		.public = {
-			.add_controller = _add_controller,
-			.add_filter = _add_filter,
-			.process = _process,
-			.get_sid = _get_sid,
-			.destroy = _destroy,
-		},
-		.controllers = linked_list_create(),
-		.filters = linked_list_create(),
-		.context = context,
-	);
-	if (!create_sid(this))
-	{
-		destroy(this);
-		return NULL;
-	}
-
-	return &this->public;
-}
-
diff --git a/src/libfast/session.h b/src/libfast/session.h
deleted file mode 100644
index acbab8964..000000000
--- a/src/libfast/session.h
+++ /dev/null
@@ -1,77 +0,0 @@
-/*
- * Copyright (C) 2007 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup session session
- * @{ @ingroup libfast
- */
-
-#ifndef SESSION_H_
-#define SESSION_H_
-
-#include "request.h"
-#include "controller.h"
-#include "filter.h"
-
-typedef struct session_t session_t;
-
-/**
- * Session handling class, instanciated for each user session.
- */
-struct session_t {
-
-	/**
-	 * Get the session ID of the session.
-	 *
-	 * @return				session ID
-	 */
-	char* (*get_sid)(session_t *this);
-
-	/**
-	 * Add a controller instance to the session.
-	 *
-	 * @param controller	controller to add
-	 */
-	void (*add_controller)(session_t *this, controller_t *controller);
-
-	/**
-	 * Add a filter instance to the session.
-	 *
-	 * @param filter		filter to add
-	 */
-	void (*add_filter)(session_t *this, filter_t *filter);
-
-	/**
-	 * Process a request in this session.
-	 *
-	 * @param request		request to process
-	 */
-	void (*process)(session_t *this, request_t *request);
-
-	/**
-	 * Destroy the session_t.
-	 */
-	void (*destroy) (session_t *this);
-};
-
-/**
- * Create a session new session.
- *
- * @param context		user defined session context instance
- * @return				client session, NULL on error
- */
-session_t *session_create(context_t *context);
-
-#endif /** SESSION_H_ @}*/
diff --git a/src/libfast/smtp.c b/src/libfast/smtp.c
deleted file mode 100644
index a6ca67ddc..000000000
--- a/src/libfast/smtp.c
+++ /dev/null
@@ -1,188 +0,0 @@
-/*
- * Copyright (C) 2010 Martin Willi
- * Copyright (C) 2010 revosec AG
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include "smtp.h"
-
-#include <unistd.h>
-#include <errno.h>
-
-#include <utils/debug.h>
-
-typedef struct private_smtp_t private_smtp_t;
-
-/**
- * Private data of an smtp_t object.
- */
-struct private_smtp_t {
-
-	/**
-	 * Public smtp_t interface.
-	 */
-	smtp_t public;
-
-	/**
-	 * file stream to SMTP server
-	 */
-	FILE *f;
-};
-
-/**
- * Read the response code from an SMTP server
- */
-static int read_response(private_smtp_t *this)
-{
-	char buf[256], *end;
-	int res = 0;
-
-	while (TRUE)
-	{
-		if (!fgets(buf, sizeof(buf), this->f))
-		{
-			return 0;
-		}
-		res = strtol(buf, &end, 10);
-		switch (*end)
-		{
-			case '-':
-				continue;
-			case ' ':
-			case '\0':
-			case '\n':
-				break;
-			default:
-				return 0;
-		}
-		break;
-	}
-	return res;
-}
-
-/**
- * write a SMTP command to the server, read response code
- */
-static int write_cmd(private_smtp_t *this, char *fmt, ...)
-{
-	char buf[256];
-	va_list args;
-
-	va_start(args, fmt);
-	vsnprintf(buf, sizeof(buf), fmt, args);
-	va_end(args);
-
-	if (fprintf(this->f, "%s\n", buf) < 1)
-	{
-		DBG1(DBG_LIB, "sending SMTP command failed");
-		return 0;
-	}
-	return read_response(this);
-}
-
-METHOD(smtp_t, send_mail, bool,
-	private_smtp_t *this, char *from, char *to, char *subject, char *fmt, ...)
-{
-	va_list args;
-
-	if (write_cmd(this, "MAIL FROM:<%s>", from) != 250)
-	{
-		DBG1(DBG_LIB, "SMTP MAIL FROM failed");
-		return FALSE;
-	}
-	if (write_cmd(this, "RCPT TO:<%s>", to) != 250)
-	{
-		DBG1(DBG_LIB, "SMTP RCPT TO failed");
-		return FALSE;
-	}
-	if (write_cmd(this, "DATA") != 354)
-	{
-		DBG1(DBG_LIB, "SMTP DATA failed");
-		return FALSE;
-	}
-
-	fprintf(this->f, "From: %s\n", from);
-	fprintf(this->f, "To: %s\n", to);
-	fprintf(this->f, "Subject: %s\n", subject);
-	fprintf(this->f, "\n");
-	va_start(args, fmt);
-	vfprintf(this->f, fmt, args);
-	va_end(args);
-	fprintf(this->f, "\n.\n");
-	return read_response(this) == 250;
-}
-
-
-METHOD(smtp_t, destroy, void,
-	private_smtp_t *this)
-{
-	write_cmd(this, "QUIT");
-	fclose(this->f);
-	free(this);
-}
-
-/**
- * See header
- */
-smtp_t *smtp_create()
-{
-	private_smtp_t *this;
-	struct sockaddr_in addr = {
-		.sin_family = AF_INET,
-		.sin_port = htons(25),
-		.sin_addr = {
-			.s_addr = htonl(INADDR_LOOPBACK),
-		},
-	};
-	int s;
-
-	INIT(this,
-		.public = {
-			.send_mail = _send_mail,
-			.destroy = _destroy,
-		},
-	);
-
-	s = socket(AF_INET, SOCK_STREAM, 0);
-	if (s < 0)
-	{
-		DBG1(DBG_LIB, "opening SMTP socket failed: %s", strerror(errno));
-		free(this);
-		return NULL;
-	}
-	if (connect(s, (struct sockaddr*)&addr, sizeof(addr)) < 0)
-	{
-		DBG1(DBG_LIB, "connecting to SMTP server failed: %s", strerror(errno));
-		close(s);
-		free(this);
-		return NULL;
-	}
-	this->f = fdopen(s, "a+");
-	if (!this->f)
-	{
-		DBG1(DBG_LIB, "opening stream to SMTP server failed: %s",
-			 strerror(errno));
-		close(s);
-		free(this);
-		return NULL;
-	}
-	if (read_response(this) != 220 ||
-		write_cmd(this, "EHLO localhost") != 250)
-	{
-		DBG1(DBG_LIB, "SMTP EHLO failed");
-		fclose(this->f);
-		free(this);
-		return NULL;
-	}
-	return &this->public;
-}
-
diff --git a/src/libfast/smtp.h b/src/libfast/smtp.h
deleted file mode 100644
index 9589ea2a6..000000000
--- a/src/libfast/smtp.h
+++ /dev/null
@@ -1,56 +0,0 @@
-/*
- * Copyright (C) 2010 Martin Willi
- * Copyright (C) 2010 revosec AG
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup smtp smtp
- * @{ @ingroup libfast
- */
-
-#ifndef SMTP_H_
-#define SMTP_H_
-
-typedef struct smtp_t smtp_t;
-
-#include <library.h>
-
-/**
- * Ultra-minimalistic SMTP client. Works at most with Exim on localhost.
- */
-struct smtp_t {
-
-	/**
-	 * Send an e-mail message.
-	 *
-	 * @param from		sender address
-	 * @param to		recipient address
-	 * @param subject	mail subject
-	 * @param fmt		mail body format string
-	 * @param ...		arguments for body format string
-	 */
-	bool (*send_mail)(smtp_t *this, char *from, char *to,
-					  char *subject, char *fmt, ...);
-
-	/**
-	 * Destroy a smtp_t.
-	 */
-	void (*destroy)(smtp_t *this);
-};
-
-/**
- * Create a smtp instance.
- */
-smtp_t *smtp_create();
-
-#endif /** SMTP_H_ @}*/
diff --git a/src/libhydra/Makefile.am b/src/libhydra/Makefile.am
index 1c7b3ba43..a2a164bd9 100644
--- a/src/libhydra/Makefile.am
+++ b/src/libhydra/Makefile.am
@@ -13,11 +13,11 @@ kernel/kernel_listener.h
 
 libhydra_la_LIBADD =
 
-INCLUDES = -I$(top_srcdir)/src/libstrongswan
-AM_CFLAGS = \
--DIPSEC_DIR=\"${ipsecdir}\" \
--DPLUGINDIR=\"${plugindir}\" \
--DSTRONGSWAN_CONF=\"${strongswan_conf}\"
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-DIPSEC_DIR=\"${ipsecdir}\" \
+	-DPLUGINDIR=\"${plugindir}\" \
+	-DSTRONGSWAN_CONF=\"${strongswan_conf}\"
 
 EXTRA_DIST = Android.mk
 
@@ -78,4 +78,3 @@ if MONOLITHIC
   libhydra_la_LIBADD += plugins/resolve/libstrongswan-resolve.la
 endif
 endif
-
diff --git a/src/libhydra/Makefile.in b/src/libhydra/Makefile.in
index 395b55aca..80da51c16 100644
--- a/src/libhydra/Makefile.in
+++ b/src/libhydra/Makefile.in
@@ -76,7 +76,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
@@ -118,19 +118,35 @@ libhydra_la_DEPENDENCIES = $(am__append_2) $(am__append_4) \
 am_libhydra_la_OBJECTS = hydra.lo attributes.lo attribute_manager.lo \
 	mem_pool.lo kernel_interface.lo kernel_ipsec.lo kernel_net.lo
 libhydra_la_OBJECTS = $(am_libhydra_la_OBJECTS)
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
 DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
 depcomp = $(SHELL) $(top_srcdir)/depcomp
 am__depfiles_maybe = depfiles
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
 SOURCES = $(libhydra_la_SOURCES)
 DIST_SOURCES = $(libhydra_la_SOURCES)
 RECURSIVE_TARGETS = all-recursive check-recursive dvi-recursive \
@@ -184,6 +200,7 @@ am__relativize = \
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
@@ -196,6 +213,8 @@ CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
 CHECK_CFLAGS = @CHECK_CFLAGS@
 CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -211,6 +230,7 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
 GPRBUILD = @GPRBUILD@
 GREP = @GREP@
@@ -219,6 +239,7 @@ INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -265,6 +286,7 @@ SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -293,6 +315,7 @@ charon_natt_port = @charon_natt_port@
 charon_plugins = @charon_plugins@
 charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
@@ -385,11 +408,11 @@ kernel/kernel_listener.h
 libhydra_la_LIBADD = $(am__append_2) $(am__append_4) $(am__append_6) \
 	$(am__append_8) $(am__append_10) $(am__append_12) \
 	$(am__append_14)
-INCLUDES = -I$(top_srcdir)/src/libstrongswan
-AM_CFLAGS = \
--DIPSEC_DIR=\"${ipsecdir}\" \
--DPLUGINDIR=\"${plugindir}\" \
--DSTRONGSWAN_CONF=\"${strongswan_conf}\"
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-DIPSEC_DIR=\"${ipsecdir}\" \
+	-DPLUGINDIR=\"${plugindir}\" \
+	-DSTRONGSWAN_CONF=\"${strongswan_conf}\"
 
 EXTRA_DIST = Android.mk
 @MONOLITHIC_FALSE@SUBDIRS = . $(am__append_1) $(am__append_3) \
@@ -470,7 +493,7 @@ clean-ipseclibLTLIBRARIES:
 	  rm -f "$${dir}/so_locations"; \
 	done
 libhydra.la: $(libhydra_la_OBJECTS) $(libhydra_la_DEPENDENCIES) $(EXTRA_libhydra_la_DEPENDENCIES) 
-	$(LINK) -rpath $(ipseclibdir) $(libhydra_la_OBJECTS) $(libhydra_la_LIBADD) $(LIBS)
+	$(AM_V_CCLD)$(LINK) -rpath $(ipseclibdir) $(libhydra_la_OBJECTS) $(libhydra_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -487,67 +510,67 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/mem_pool.Plo@am__quote@
 
 .c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
 attributes.lo: attributes/attributes.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT attributes.lo -MD -MP -MF $(DEPDIR)/attributes.Tpo -c -o attributes.lo `test -f 'attributes/attributes.c' || echo '$(srcdir)/'`attributes/attributes.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/attributes.Tpo $(DEPDIR)/attributes.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='attributes/attributes.c' object='attributes.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT attributes.lo -MD -MP -MF $(DEPDIR)/attributes.Tpo -c -o attributes.lo `test -f 'attributes/attributes.c' || echo '$(srcdir)/'`attributes/attributes.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/attributes.Tpo $(DEPDIR)/attributes.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='attributes/attributes.c' object='attributes.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o attributes.lo `test -f 'attributes/attributes.c' || echo '$(srcdir)/'`attributes/attributes.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o attributes.lo `test -f 'attributes/attributes.c' || echo '$(srcdir)/'`attributes/attributes.c
 
 attribute_manager.lo: attributes/attribute_manager.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT attribute_manager.lo -MD -MP -MF $(DEPDIR)/attribute_manager.Tpo -c -o attribute_manager.lo `test -f 'attributes/attribute_manager.c' || echo '$(srcdir)/'`attributes/attribute_manager.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/attribute_manager.Tpo $(DEPDIR)/attribute_manager.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='attributes/attribute_manager.c' object='attribute_manager.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT attribute_manager.lo -MD -MP -MF $(DEPDIR)/attribute_manager.Tpo -c -o attribute_manager.lo `test -f 'attributes/attribute_manager.c' || echo '$(srcdir)/'`attributes/attribute_manager.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/attribute_manager.Tpo $(DEPDIR)/attribute_manager.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='attributes/attribute_manager.c' object='attribute_manager.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o attribute_manager.lo `test -f 'attributes/attribute_manager.c' || echo '$(srcdir)/'`attributes/attribute_manager.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o attribute_manager.lo `test -f 'attributes/attribute_manager.c' || echo '$(srcdir)/'`attributes/attribute_manager.c
 
 mem_pool.lo: attributes/mem_pool.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT mem_pool.lo -MD -MP -MF $(DEPDIR)/mem_pool.Tpo -c -o mem_pool.lo `test -f 'attributes/mem_pool.c' || echo '$(srcdir)/'`attributes/mem_pool.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/mem_pool.Tpo $(DEPDIR)/mem_pool.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='attributes/mem_pool.c' object='mem_pool.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT mem_pool.lo -MD -MP -MF $(DEPDIR)/mem_pool.Tpo -c -o mem_pool.lo `test -f 'attributes/mem_pool.c' || echo '$(srcdir)/'`attributes/mem_pool.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/mem_pool.Tpo $(DEPDIR)/mem_pool.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='attributes/mem_pool.c' object='mem_pool.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o mem_pool.lo `test -f 'attributes/mem_pool.c' || echo '$(srcdir)/'`attributes/mem_pool.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o mem_pool.lo `test -f 'attributes/mem_pool.c' || echo '$(srcdir)/'`attributes/mem_pool.c
 
 kernel_interface.lo: kernel/kernel_interface.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT kernel_interface.lo -MD -MP -MF $(DEPDIR)/kernel_interface.Tpo -c -o kernel_interface.lo `test -f 'kernel/kernel_interface.c' || echo '$(srcdir)/'`kernel/kernel_interface.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/kernel_interface.Tpo $(DEPDIR)/kernel_interface.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='kernel/kernel_interface.c' object='kernel_interface.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT kernel_interface.lo -MD -MP -MF $(DEPDIR)/kernel_interface.Tpo -c -o kernel_interface.lo `test -f 'kernel/kernel_interface.c' || echo '$(srcdir)/'`kernel/kernel_interface.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/kernel_interface.Tpo $(DEPDIR)/kernel_interface.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='kernel/kernel_interface.c' object='kernel_interface.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o kernel_interface.lo `test -f 'kernel/kernel_interface.c' || echo '$(srcdir)/'`kernel/kernel_interface.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o kernel_interface.lo `test -f 'kernel/kernel_interface.c' || echo '$(srcdir)/'`kernel/kernel_interface.c
 
 kernel_ipsec.lo: kernel/kernel_ipsec.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT kernel_ipsec.lo -MD -MP -MF $(DEPDIR)/kernel_ipsec.Tpo -c -o kernel_ipsec.lo `test -f 'kernel/kernel_ipsec.c' || echo '$(srcdir)/'`kernel/kernel_ipsec.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/kernel_ipsec.Tpo $(DEPDIR)/kernel_ipsec.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='kernel/kernel_ipsec.c' object='kernel_ipsec.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT kernel_ipsec.lo -MD -MP -MF $(DEPDIR)/kernel_ipsec.Tpo -c -o kernel_ipsec.lo `test -f 'kernel/kernel_ipsec.c' || echo '$(srcdir)/'`kernel/kernel_ipsec.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/kernel_ipsec.Tpo $(DEPDIR)/kernel_ipsec.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='kernel/kernel_ipsec.c' object='kernel_ipsec.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o kernel_ipsec.lo `test -f 'kernel/kernel_ipsec.c' || echo '$(srcdir)/'`kernel/kernel_ipsec.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o kernel_ipsec.lo `test -f 'kernel/kernel_ipsec.c' || echo '$(srcdir)/'`kernel/kernel_ipsec.c
 
 kernel_net.lo: kernel/kernel_net.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT kernel_net.lo -MD -MP -MF $(DEPDIR)/kernel_net.Tpo -c -o kernel_net.lo `test -f 'kernel/kernel_net.c' || echo '$(srcdir)/'`kernel/kernel_net.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/kernel_net.Tpo $(DEPDIR)/kernel_net.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='kernel/kernel_net.c' object='kernel_net.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT kernel_net.lo -MD -MP -MF $(DEPDIR)/kernel_net.Tpo -c -o kernel_net.lo `test -f 'kernel/kernel_net.c' || echo '$(srcdir)/'`kernel/kernel_net.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/kernel_net.Tpo $(DEPDIR)/kernel_net.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='kernel/kernel_net.c' object='kernel_net.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o kernel_net.lo `test -f 'kernel/kernel_net.c' || echo '$(srcdir)/'`kernel/kernel_net.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o kernel_net.lo `test -f 'kernel/kernel_net.c' || echo '$(srcdir)/'`kernel/kernel_net.c
 
 mostlyclean-libtool:
 	-rm -f *.lo
diff --git a/src/libhydra/attributes/mem_pool.c b/src/libhydra/attributes/mem_pool.c
index c82b1d02f..77567ce48 100644
--- a/src/libhydra/attributes/mem_pool.c
+++ b/src/libhydra/attributes/mem_pool.c
@@ -16,9 +16,11 @@
 
 #include "mem_pool.h"
 
+#include <library.h>
+#include <hydra.h>
 #include <utils/debug.h>
 #include <collections/hashtable.h>
-#include <collections/linked_list.h>
+#include <collections/array.h>
 #include <threading/mutex.h>
 
 #define POOL_LIMIT (sizeof(u_int)*8 - 1)
@@ -63,6 +65,11 @@ struct private_mem_pool_t {
 	 * lock to safely access the pool
 	 */
 	mutex_t *mutex;
+
+	/**
+	 * Do we reassign online leases to the same identity, if requested?
+	 */
+	bool reassign_online;
 };
 
 /**
@@ -71,12 +78,27 @@ struct private_mem_pool_t {
 typedef struct {
 	/* identitiy reference */
 	identification_t *id;
-	/* list of online leases, as offset */
-	linked_list_t *online;
-	/* list of offline leases, as offset */
-	linked_list_t *offline;
+	/* array of online leases, as u_int offset */
+	array_t *online;
+	/* array of offline leases, as u_int offset */
+	array_t *offline;
 } entry_t;
 
+/**
+ * Create a new entry
+ */
+static entry_t* entry_create(identification_t *id)
+{
+	entry_t *entry;
+
+	INIT(entry,
+		.id = id->clone(id),
+		.online = array_create(sizeof(u_int), 0),
+		.offline = array_create(sizeof(u_int), 0),
+	);
+	return entry;
+}
+
 /**
  * hashtable hash function for identities
  */
@@ -185,7 +207,7 @@ METHOD(mem_pool_t, get_online, u_int,
 	enumerator = this->leases->create_enumerator(this->leases);
 	while (enumerator->enumerate(enumerator, NULL, &entry))
 	{
-		count += entry->online->get_count(entry->online);
+		count += array_count(entry->online);
 	}
 	enumerator->destroy(enumerator);
 	this->mutex->unlock(this->mutex);
@@ -204,7 +226,7 @@ METHOD(mem_pool_t, get_offline, u_int,
 	enumerator = this->leases->create_enumerator(this->leases);
 	while (enumerator->enumerate(enumerator, NULL, &entry))
 	{
-		count += entry->offline->get_count(entry->offline);
+		count += array_count(entry->offline);
 	}
 	enumerator->destroy(enumerator);
 	this->mutex->unlock(this->mutex);
@@ -219,7 +241,7 @@ static int get_existing(private_mem_pool_t *this, identification_t *id,
 						host_t *requested)
 {
 	enumerator_t *enumerator;
-	uintptr_t current;
+	u_int *current;
 	entry_t *entry;
 	int offset = 0;
 
@@ -230,12 +252,12 @@ static int get_existing(private_mem_pool_t *this, identification_t *id,
 	}
 
 	/* check for a valid offline lease, refresh */
-	enumerator = entry->offline->create_enumerator(entry->offline);
+	enumerator = array_create_enumerator(entry->offline);
 	if (enumerator->enumerate(enumerator, &current))
 	{
-		entry->offline->remove_at(entry->offline, enumerator);
-		entry->online->insert_last(entry->online, (void*)current);
-		offset = current;
+		offset = *current;
+		array_insert(entry->online, ARRAY_TAIL, current);
+		array_remove_at(entry->offline, enumerator);
 	}
 	enumerator->destroy(enumerator);
 	if (offset)
@@ -243,14 +265,19 @@ static int get_existing(private_mem_pool_t *this, identification_t *id,
 		DBG1(DBG_CFG, "reassigning offline lease to '%Y'", id);
 		return offset;
 	}
-
+	if (!this->reassign_online)
+	{
+		return 0;
+	}
 	/* check for a valid online lease to reassign */
-	enumerator = entry->online->create_enumerator(entry->online);
+	enumerator = array_create_enumerator(entry->online);
 	while (enumerator->enumerate(enumerator, &current))
 	{
-		if (current == host2offset(this, requested))
+		if (*current == host2offset(this, requested))
 		{
-			offset = current;
+			offset = *current;
+			/* add an additional "online" entry */
+			array_insert(entry->online, ARRAY_TAIL, current);
 			break;
 		}
 	}
@@ -268,23 +295,19 @@ static int get_existing(private_mem_pool_t *this, identification_t *id,
 static int get_new(private_mem_pool_t *this, identification_t *id)
 {
 	entry_t *entry;
-	uintptr_t offset = 0;
+	u_int offset = 0;
 
 	if (this->unused < this->size)
 	{
 		entry = this->leases->get(this->leases, id);
 		if (!entry)
 		{
-			INIT(entry,
-				.id = id->clone(id),
-				.online = linked_list_create(),
-				.offline = linked_list_create(),
-			);
+			entry = entry_create(id);
 			this->leases->put(this->leases, entry->id, entry);
 		}
 		/* assigning offset, starting by 1 */
 		offset = ++this->unused;
-		entry->online->insert_last(entry->online, (void*)offset);
+		array_insert(entry->online, ARRAY_TAIL, &offset);
 		DBG1(DBG_CFG, "assigning new lease to '%Y'", id);
 	}
 	return offset;
@@ -297,13 +320,12 @@ static int get_reassigned(private_mem_pool_t *this, identification_t *id)
 {
 	enumerator_t *enumerator;
 	entry_t *entry;
-	uintptr_t current, offset = 0;
+	u_int current, offset = 0;
 
 	enumerator = this->leases->create_enumerator(this->leases);
 	while (enumerator->enumerate(enumerator, NULL, &entry))
 	{
-		if (entry->offline->remove_first(entry->offline,
-										 (void**)&current) == SUCCESS)
+		if (array_remove(entry->offline, ARRAY_HEAD, &current))
 		{
 			offset = current;
 			DBG1(DBG_CFG, "reassigning existing offline lease by '%Y'"
@@ -315,12 +337,8 @@ static int get_reassigned(private_mem_pool_t *this, identification_t *id)
 
 	if (offset)
 	{
-		INIT(entry,
-			.id = id->clone(id),
-			.online = linked_list_create(),
-			.offline = linked_list_create(),
-		);
-		entry->online->insert_last(entry->online, (void*)offset);
+		entry = entry_create(id);
+		array_insert(entry->online, ARRAY_TAIL, &offset);
 		this->leases->put(this->leases, entry->id, entry);
 	}
 	return offset;
@@ -377,9 +395,10 @@ METHOD(mem_pool_t, acquire_address, host_t*,
 METHOD(mem_pool_t, release_address, bool,
 	private_mem_pool_t *this, host_t *address, identification_t *id)
 {
-	bool found = FALSE;
+	enumerator_t *enumerator;
+	bool found = FALSE, more = FALSE;
 	entry_t *entry;
-	uintptr_t offset;
+	u_int offset, *current;
 
 	if (this->size != 0)
 	{
@@ -388,11 +407,31 @@ METHOD(mem_pool_t, release_address, bool,
 		if (entry)
 		{
 			offset = host2offset(this, address);
-			if (entry->online->remove(entry->online, (void*)offset, NULL) > 0)
+
+			enumerator = array_create_enumerator(entry->online);
+			while (enumerator->enumerate(enumerator, &current))
+			{
+				if (*current == offset)
+				{
+					if (!found)
+					{	/* remove the first entry only */
+						array_remove_at(entry->online, enumerator);
+						found = TRUE;
+					}
+					else
+					{	/* but check for more entries */
+						more = TRUE;
+						break;
+					}
+				}
+			}
+			enumerator->destroy(enumerator);
+
+			if (found && !more)
 			{
+				/* no tunnels are online anymore for this lease, make offline */
+				array_insert(entry->offline, ARRAY_TAIL, &offset);
 				DBG1(DBG_CFG, "lease %H by '%Y' went offline", address, id);
-				entry->offline->insert_last(entry->offline, (void*)offset);
-				found = TRUE;
 			}
 		}
 		this->mutex->unlock(this->mutex);
@@ -423,7 +462,7 @@ typedef struct {
 METHOD(enumerator_t, lease_enumerate, bool,
 	lease_enumerator_t *this, identification_t **id, host_t **addr, bool *online)
 {
-	uintptr_t offset;
+	u_int *offset;
 
 	DESTROY_IF(this->addr);
 	this->addr = NULL;
@@ -432,17 +471,17 @@ METHOD(enumerator_t, lease_enumerate, bool,
 	{
 		if (this->entry)
 		{
-			if (this->online->enumerate(this->online, (void**)&offset))
+			if (this->online->enumerate(this->online, &offset))
 			{
 				*id = this->entry->id;
-				*addr = this->addr = offset2host(this->pool, offset);
+				*addr = this->addr = offset2host(this->pool, *offset);
 				*online = TRUE;
 				return TRUE;
 			}
-			if (this->offline->enumerate(this->offline, (void**)&offset))
+			if (this->offline->enumerate(this->offline, &offset))
 			{
 				*id = this->entry->id;
-				*addr = this->addr = offset2host(this->pool, offset);
+				*addr = this->addr = offset2host(this->pool, *offset);
 				*online = FALSE;
 				return TRUE;
 			}
@@ -454,10 +493,8 @@ METHOD(enumerator_t, lease_enumerate, bool,
 		{
 			return FALSE;
 		}
-		this->online = this->entry->online->create_enumerator(
-														this->entry->online);
-		this->offline = this->entry->offline->create_enumerator(
-														this->entry->offline);
+		this->online = array_create_enumerator(this->entry->online);
+		this->offline = array_create_enumerator(this->entry->offline);
 	}
 }
 
@@ -499,8 +536,8 @@ METHOD(mem_pool_t, destroy, void,
 	while (enumerator->enumerate(enumerator, NULL, &entry))
 	{
 		entry->id->destroy(entry->id);
-		entry->online->destroy(entry->online);
-		entry->offline->destroy(entry->offline);
+		array_destroy(entry->online);
+		array_destroy(entry->offline);
 		free(entry);
 	}
 	enumerator->destroy(enumerator);
@@ -535,6 +572,8 @@ static private_mem_pool_t *create_generic(char *name)
 		.leases = hashtable_create((hashtable_hash_t)id_hash,
 								   (hashtable_equals_t)id_equals, 16),
 		.mutex = mutex_create(MUTEX_TYPE_DEFAULT),
+		.reassign_online = lib->settings->get_bool(lib->settings,
+							"%s.mem-pool.reassign_online", FALSE, hydra->daemon),
 	);
 
 	return this;
diff --git a/src/libhydra/hydra.c b/src/libhydra/hydra.c
index b199b2ffb..f531bd5f4 100644
--- a/src/libhydra/hydra.c
+++ b/src/libhydra/hydra.c
@@ -97,4 +97,3 @@ bool libhydra_init(const char *daemon)
 	}
 	return !this->integrity_failed;
 }
-
diff --git a/src/libhydra/kernel/kernel_interface.c b/src/libhydra/kernel/kernel_interface.c
index 53b8324b7..90637fa06 100644
--- a/src/libhydra/kernel/kernel_interface.c
+++ b/src/libhydra/kernel/kernel_interface.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2008-2012 Tobias Brunner
+ * Copyright (C) 2008-2013 Tobias Brunner
  * Hochschule fuer Technik Rapperswil
  * Copyright (C) 2010 Martin Willi
  * Copyright (C) 2010 revosec AG
@@ -180,7 +180,7 @@ METHOD(kernel_interface_t, add_sa, status_t,
 	u_int32_t spi, u_int8_t protocol, u_int32_t reqid, mark_t mark,
 	u_int32_t tfc, lifetime_cfg_t *lifetime, u_int16_t enc_alg, chunk_t enc_key,
 	u_int16_t int_alg, chunk_t int_key,	ipsec_mode_t mode, u_int16_t ipcomp,
-	u_int16_t cpi, bool encap, bool esn, bool inbound,
+	u_int16_t cpi, bool initiator, bool encap, bool esn, bool inbound,
 	traffic_selector_t *src_ts, traffic_selector_t *dst_ts)
 {
 	if (!this->ipsec)
@@ -189,7 +189,7 @@ METHOD(kernel_interface_t, add_sa, status_t,
 	}
 	return this->ipsec->add_sa(this->ipsec, src, dst, spi, protocol, reqid,
 			mark, tfc, lifetime, enc_alg, enc_key, int_alg, int_key, mode,
-			ipcomp, cpi, encap, esn, inbound, src_ts, dst_ts);
+			ipcomp, cpi, initiator, encap, esn, inbound, src_ts, dst_ts);
 }
 
 METHOD(kernel_interface_t, update_sa, status_t,
@@ -208,14 +208,14 @@ METHOD(kernel_interface_t, update_sa, status_t,
 METHOD(kernel_interface_t, query_sa, status_t,
 	private_kernel_interface_t *this, host_t *src, host_t *dst,
 	u_int32_t spi, u_int8_t protocol, mark_t mark,
-	u_int64_t *bytes, u_int64_t *packets)
+	u_int64_t *bytes, u_int64_t *packets, u_int32_t *time)
 {
 	if (!this->ipsec)
 	{
 		return NOT_SUPPORTED;
 	}
 	return this->ipsec->query_sa(this->ipsec, src, dst, spi, protocol, mark,
-								 bytes, packets);
+								 bytes, packets, time);
 }
 
 METHOD(kernel_interface_t, del_sa, status_t,
@@ -415,7 +415,8 @@ METHOD(kernel_interface_t, all_interfaces_usable, bool,
 }
 
 METHOD(kernel_interface_t, get_address_by_ts, status_t,
-	private_kernel_interface_t *this, traffic_selector_t *ts, host_t **ip)
+	private_kernel_interface_t *this, traffic_selector_t *ts,
+	host_t **ip, bool *vip)
 {
 	enumerator_t *addrs;
 	host_t *host;
@@ -446,18 +447,41 @@ METHOD(kernel_interface_t, get_address_by_ts, status_t,
 	}
 	host->destroy(host);
 
-	addrs = create_address_enumerator(this, ADDR_TYPE_ALL);
+	addrs = create_address_enumerator(this, ADDR_TYPE_VIRTUAL);
 	while (addrs->enumerate(addrs, (void**)&host))
 	{
 		if (ts->includes(ts, host))
 		{
 			found = TRUE;
 			*ip = host->clone(host);
+			if (vip)
+			{
+				*vip = TRUE;
+			}
 			break;
 		}
 	}
 	addrs->destroy(addrs);
 
+	if (!found)
+	{
+		addrs = create_address_enumerator(this, ADDR_TYPE_REGULAR);
+		while (addrs->enumerate(addrs, (void**)&host))
+		{
+			if (ts->includes(ts, host))
+			{
+				found = TRUE;
+				*ip = host->clone(host);
+				if (vip)
+				{
+					*vip = FALSE;
+				}
+				break;
+			}
+		}
+		addrs->destroy(addrs);
+	}
+
 	if (!found)
 	{
 		DBG2(DBG_KNL, "no local address found in traffic selector %R", ts);
@@ -620,6 +644,25 @@ METHOD(kernel_interface_t, roam, void,
 	this->mutex->unlock(this->mutex);
 }
 
+METHOD(kernel_interface_t, tun, void,
+	private_kernel_interface_t *this, tun_device_t *tun, bool created)
+{
+	kernel_listener_t *listener;
+	enumerator_t *enumerator;
+	this->mutex->lock(this->mutex);
+	enumerator = this->listeners->create_enumerator(this->listeners);
+	while (enumerator->enumerate(enumerator, &listener))
+	{
+		if (listener->tun &&
+			!listener->tun(listener, tun, created))
+		{
+			this->listeners->remove_at(this->listeners, enumerator);
+		}
+	}
+	enumerator->destroy(enumerator);
+	this->mutex->unlock(this->mutex);
+}
+
 METHOD(kernel_interface_t, register_algorithm, void,
 	private_kernel_interface_t *this, u_int16_t alg_id, transform_type_t type,
 	u_int16_t kernel_id, char *kernel_name)
@@ -740,6 +783,7 @@ kernel_interface_t *kernel_interface_create()
 			.mapping = _mapping,
 			.migrate = _migrate,
 			.roam = _roam,
+			.tun = _tun,
 			.destroy = _destroy,
 		},
 		.mutex = mutex_create(MUTEX_TYPE_DEFAULT),
diff --git a/src/libhydra/kernel/kernel_interface.h b/src/libhydra/kernel/kernel_interface.h
index 1d2253b94..1d96f1c35 100644
--- a/src/libhydra/kernel/kernel_interface.h
+++ b/src/libhydra/kernel/kernel_interface.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2006-2012 Tobias Brunner
+ * Copyright (C) 2006-2013 Tobias Brunner
  * Copyright (C) 2006 Daniel Roethlisberger
  * Copyright (C) 2005-2006 Martin Willi
  * Copyright (C) 2005 Jan Hutter
@@ -65,6 +65,10 @@ typedef enum kernel_feature_t kernel_feature_t;
 enum kernel_feature_t {
 	/** IPsec can process ESPv3 (RFC 4303) TFC padded packets */
 	KERNEL_ESP_V3_TFC = (1<<0),
+	/** Networking requires an "exclude" route for IKE/ESP packets */
+	KERNEL_REQUIRE_EXCLUDE_ROUTE = (1<<1),
+	/** IPsec implementation requires UDP encapsulation of ESP packets */
+	KERNEL_REQUIRE_UDP_ENCAPSULATION = (1<<2),
 };
 
 /**
@@ -141,6 +145,7 @@ struct kernel_interface_t {
 	 * @param mode			mode of the SA (tunnel, transport)
 	 * @param ipcomp		IPComp transform to use
 	 * @param cpi			CPI for IPComp
+	 * @param initiator		TRUE if initiator of the exchange creating this SA
 	 * @param encap			enable UDP encapsulation for NAT traversal
 	 * @param esn			TRUE to use Extended Sequence Numbers
 	 * @param inbound		TRUE if this is an inbound SA
@@ -155,7 +160,7 @@ struct kernel_interface_t {
 						u_int16_t enc_alg, chunk_t enc_key,
 						u_int16_t int_alg, chunk_t int_key,
 						ipsec_mode_t mode, u_int16_t ipcomp, u_int16_t cpi,
-						bool encap, bool esn, bool inbound,
+						bool initiator, bool encap, bool esn, bool inbound,
 						traffic_selector_t *src_ts, traffic_selector_t *dst_ts);
 
 	/**
@@ -195,11 +200,12 @@ struct kernel_interface_t {
 	 * @param mark			optional mark for this SA
 	 * @param[out] bytes	the number of bytes processed by SA
 	 * @param[out] packets	number of packets processed by SA
+	 * @param[out] time		last time of SA use
 	 * @return				SUCCESS if operation completed
 	 */
 	status_t (*query_sa) (kernel_interface_t *this, host_t *src, host_t *dst,
 						  u_int32_t spi, u_int8_t protocol, mark_t mark,
-						  u_int64_t *bytes, u_int64_t *packets);
+						  u_int64_t *bytes, u_int64_t *packets, u_int32_t *time);
 
 	/**
 	 * Delete a previously installed SA from the SAD.
@@ -367,7 +373,7 @@ struct kernel_interface_t {
 	 *
 	 * The kernel interface uses refcounting, see add_ip().
 	 *
-	 * @param virtual_ip	virtual ip address to assign
+	 * @param virtual_ip	virtual ip address to remove
 	 * @param prefix		prefix length of the IP to uninstall, -1 for auto
 	 * @param wait			TRUE to wait untily IP is gone
 	 * @return				SUCCESS if operation completed
@@ -381,7 +387,7 @@ struct kernel_interface_t {
 	 * @param dst_net		destination net
 	 * @param prefixlen		destination net prefix length
 	 * @param gateway		gateway for this route
-	 * @param src_ip		sourc ip of the route
+	 * @param src_ip		source ip of the route
 	 * @param if_name		name of the interface the route is bound to
 	 * @return				SUCCESS if operation completed
 	 *						ALREADY_DONE if the route already exists
@@ -396,7 +402,7 @@ struct kernel_interface_t {
 	 * @param dst_net		destination net
 	 * @param prefixlen		destination net prefix length
 	 * @param gateway		gateway for this route
-	 * @param src_ip		sourc ip of the route
+	 * @param src_ip		source ip of the route
 	 * @param if_name		name of the interface the route is bound to
 	 * @return				SUCCESS if operation completed
 	 */
@@ -451,10 +457,11 @@ struct kernel_interface_t {
 	 *
 	 * @param ts			traffic selector
 	 * @param ip			returned IP address (has to be destroyed)
+	 * @param vip			set to TRUE if returned address is a virtual IP
 	 * @return				SUCCESS if address found
 	 */
 	status_t (*get_address_by_ts)(kernel_interface_t *this,
-								  traffic_selector_t *ts, host_t **ip);
+								  traffic_selector_t *ts, host_t **ip, bool *vip);
 
 	/**
 	 * Register an ipsec kernel interface constructor on the manager.
@@ -556,6 +563,14 @@ struct kernel_interface_t {
 	 */
 	void (*roam)(kernel_interface_t *this, bool address);
 
+	/**
+	 * Raise a tun event.
+	 *
+	 * @param tun			TUN device
+	 * @param created		TRUE if created, FALSE if going to be destroyed
+	 */
+	void (*tun)(kernel_interface_t *this, tun_device_t *tun, bool created);
+
 	/**
 	 * Register a new algorithm with the kernel interface.
 	 *
@@ -583,7 +598,7 @@ struct kernel_interface_t {
 							 char **kernel_name);
 
 	/**
-	 * Destroys a kernel_interface_manager_t object.
+	 * Destroys a kernel_interface_t object.
 	 */
 	void (*destroy) (kernel_interface_t *this);
 };
diff --git a/src/libhydra/kernel/kernel_ipsec.h b/src/libhydra/kernel/kernel_ipsec.h
index ba67238e5..413e5920f 100644
--- a/src/libhydra/kernel/kernel_ipsec.h
+++ b/src/libhydra/kernel/kernel_ipsec.h
@@ -101,6 +101,7 @@ struct kernel_ipsec_t {
 	 * @param mode			mode of the SA (tunnel, transport)
 	 * @param ipcomp		IPComp transform to use
 	 * @param cpi			CPI for IPComp
+	 * @param initiator		TRUE if initiator of the exchange creating this SA
 	 * @param encap			enable UDP encapsulation for NAT traversal
 	 * @param esn			TRUE to use Extended Sequence Numbers
 	 * @param inbound		TRUE if this is an inbound SA
@@ -115,7 +116,7 @@ struct kernel_ipsec_t {
 						u_int16_t enc_alg, chunk_t enc_key,
 						u_int16_t int_alg, chunk_t int_key,
 						ipsec_mode_t mode, u_int16_t ipcomp, u_int16_t cpi,
-						bool encap, bool esn, bool inbound,
+						bool initiator, bool encap, bool esn, bool inbound,
 						traffic_selector_t *src_ts, traffic_selector_t *dst_ts);
 
 	/**
@@ -155,11 +156,12 @@ struct kernel_ipsec_t {
 	 * @param mark			optional mark for this SA
 	 * @param[out] bytes	the number of bytes processed by SA
 	 * @param[out] packets	number of packets processed by SA
+	 * @param[out] time		last time of SA use
 	 * @return				SUCCESS if operation completed
 	 */
 	status_t (*query_sa) (kernel_ipsec_t *this, host_t *src, host_t *dst,
 						  u_int32_t spi, u_int8_t protocol, mark_t mark,
-						  u_int64_t *bytes, u_int64_t *packets);
+						  u_int64_t *bytes, u_int64_t *packets, u_int32_t *time);
 
 	/**
 	 * Delete a previusly installed SA from the SAD.
diff --git a/src/libhydra/kernel/kernel_listener.h b/src/libhydra/kernel/kernel_listener.h
index 27ea947eb..4382a43fd 100644
--- a/src/libhydra/kernel/kernel_listener.h
+++ b/src/libhydra/kernel/kernel_listener.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2010 Tobias Brunner
+ * Copyright (C) 2010-2013 Tobias Brunner
  * Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -23,9 +23,10 @@
 
 typedef struct kernel_listener_t kernel_listener_t;
 
-#include <kernel/kernel_ipsec.h>
-#include <selectors/traffic_selector.h>
 #include <networking/host.h>
+#include <networking/tun_device.h>
+#include <selectors/traffic_selector.h>
+#include <kernel/kernel_ipsec.h>
 
 /**
  * Interface for components interested in kernel events.
@@ -91,6 +92,15 @@ struct kernel_listener_t {
 	 * @return				TRUE to remain registered, FALSE to unregister
 	 */
 	bool (*roam)(kernel_listener_t *this, bool address);
+
+	/**
+	 * Hook called after a TUN device was created for a virtual IP address, or
+	 * before such a device gets destroyed.
+	 *
+	 * @param tun			TUN device
+	 * @param created		TRUE if created, FALSE if going to be destroyed
+	 */
+	bool (*tun)(kernel_listener_t *this, tun_device_t *tun, bool created);
 };
 
 #endif /** KERNEL_LISTENER_H_ @}*/
diff --git a/src/libhydra/kernel/kernel_net.h b/src/libhydra/kernel/kernel_net.h
index 0d3417f1d..8c448ddbc 100644
--- a/src/libhydra/kernel/kernel_net.h
+++ b/src/libhydra/kernel/kernel_net.h
@@ -35,17 +35,17 @@ typedef enum kernel_address_type_t kernel_address_type_t;
  */
 enum kernel_address_type_t {
 	/** normal addresses (on regular, up, non-ignored) interfaces */
-	ADDR_TYPE_REGULAR = 0,
+	ADDR_TYPE_REGULAR = (1 << 0),
 	/** addresses on down interfaces */
-	ADDR_TYPE_DOWN =  (1 << 0),
+	ADDR_TYPE_DOWN =  (1 << 1),
 	/** addresses on ignored interfaces */
-	ADDR_TYPE_IGNORED = (1 << 1),
+	ADDR_TYPE_IGNORED = (1 << 2),
 	/** addresses on loopback interfaces */
-	ADDR_TYPE_LOOPBACK = (1 << 2),
+	ADDR_TYPE_LOOPBACK = (1 << 3),
 	/** virtual IP addresses */
-	ADDR_TYPE_VIRTUAL = (1 << 3),
+	ADDR_TYPE_VIRTUAL = (1 << 4),
 	/** to enumerate all available addresses */
-	ADDR_TYPE_ALL = (1 << 4) - 1,
+	ADDR_TYPE_ALL = (1 << 5) - 1,
 };
 
 /**
@@ -134,7 +134,7 @@ struct kernel_net_t {
 	 *
 	 * The kernel interface uses refcounting, see add_ip().
 	 *
-	 * @param virtual_ip	virtual ip address to assign
+	 * @param virtual_ip	virtual ip address to remove
 	 * @param prefix		prefix length of the IP to uninstall, -1 for auto
 	 * @param wait			TRUE to wait until IP is gone
 	 * @return				SUCCESS if operation completed
@@ -148,7 +148,7 @@ struct kernel_net_t {
 	 * @param dst_net		destination net
 	 * @param prefixlen		destination net prefix length
 	 * @param gateway		gateway for this route
-	 * @param src_ip		sourc ip of the route
+	 * @param src_ip		source ip of the route
 	 * @param if_name		name of the interface the route is bound to
 	 * @return				SUCCESS if operation completed
 	 *						ALREADY_DONE if the route already exists
@@ -163,7 +163,7 @@ struct kernel_net_t {
 	 * @param dst_net		destination net
 	 * @param prefixlen		destination net prefix length
 	 * @param gateway		gateway for this route
-	 * @param src_ip		sourc ip of the route
+	 * @param src_ip		source ip of the route
 	 * @param if_name		name of the interface the route is bound to
 	 * @return				SUCCESS if operation completed
 	 */
diff --git a/src/libhydra/plugins/attr/Makefile.am b/src/libhydra/plugins/attr/Makefile.am
index fe0c39ebd..5989beae4 100644
--- a/src/libhydra/plugins/attr/Makefile.am
+++ b/src/libhydra/plugins/attr/Makefile.am
@@ -1,7 +1,9 @@
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra
 
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra
-
-AM_CFLAGS = -rdynamic
+AM_CFLAGS = \
+	-rdynamic
 
 if MONOLITHIC
 noinst_LTLIBRARIES = libstrongswan-attr.la
diff --git a/src/libhydra/plugins/attr/Makefile.in b/src/libhydra/plugins/attr/Makefile.in
index 113a66039..0d935ead3 100644
--- a/src/libhydra/plugins/attr/Makefile.in
+++ b/src/libhydra/plugins/attr/Makefile.in
@@ -62,7 +62,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
@@ -101,9 +101,13 @@ LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
 libstrongswan_attr_la_LIBADD =
 am_libstrongswan_attr_la_OBJECTS = attr_plugin.lo attr_provider.lo
 libstrongswan_attr_la_OBJECTS = $(am_libstrongswan_attr_la_OBJECTS)
-libstrongswan_attr_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
-	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
-	$(libstrongswan_attr_la_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+libstrongswan_attr_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
+	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
+	$(AM_CFLAGS) $(CFLAGS) $(libstrongswan_attr_la_LDFLAGS) \
+	$(LDFLAGS) -o $@
 @MONOLITHIC_FALSE@am_libstrongswan_attr_la_rpath = -rpath $(plugindir)
 @MONOLITHIC_TRUE@am_libstrongswan_attr_la_rpath =
 DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
@@ -112,13 +116,26 @@ am__depfiles_maybe = depfiles
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
 SOURCES = $(libstrongswan_attr_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_attr_la_SOURCES)
 am__can_run_installinfo = \
@@ -132,6 +149,7 @@ DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
@@ -144,6 +162,8 @@ CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
 CHECK_CFLAGS = @CHECK_CFLAGS@
 CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -159,6 +179,7 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
 GPRBUILD = @GPRBUILD@
 GREP = @GREP@
@@ -167,6 +188,7 @@ INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -213,6 +235,7 @@ SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -241,6 +264,7 @@ charon_natt_port = @charon_natt_port@
 charon_plugins = @charon_plugins@
 charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
@@ -318,8 +342,13 @@ top_srcdir = @top_srcdir@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra
-AM_CFLAGS = -rdynamic
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra
+
+AM_CFLAGS = \
+	-rdynamic
+
 @MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-attr.la
 @MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-attr.la
 libstrongswan_attr_la_SOURCES = \
@@ -403,7 +432,7 @@ clean-pluginLTLIBRARIES:
 	  rm -f "$${dir}/so_locations"; \
 	done
 libstrongswan-attr.la: $(libstrongswan_attr_la_OBJECTS) $(libstrongswan_attr_la_DEPENDENCIES) $(EXTRA_libstrongswan_attr_la_DEPENDENCIES) 
-	$(libstrongswan_attr_la_LINK) $(am_libstrongswan_attr_la_rpath) $(libstrongswan_attr_la_OBJECTS) $(libstrongswan_attr_la_LIBADD) $(LIBS)
+	$(AM_V_CCLD)$(libstrongswan_attr_la_LINK) $(am_libstrongswan_attr_la_rpath) $(libstrongswan_attr_la_OBJECTS) $(libstrongswan_attr_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -415,25 +444,25 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/attr_provider.Plo@am__quote@
 
 .c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
 mostlyclean-libtool:
 	-rm -f *.lo
diff --git a/src/libhydra/plugins/attr/attr_plugin.c b/src/libhydra/plugins/attr/attr_plugin.c
index cb14495af..72fcd6dff 100644
--- a/src/libhydra/plugins/attr/attr_plugin.c
+++ b/src/libhydra/plugins/attr/attr_plugin.c
@@ -42,6 +42,36 @@ METHOD(plugin_t, get_name, char*,
 	return "attr";
 }
 
+/**
+ * Register provider
+ */
+static bool plugin_cb(private_attr_plugin_t *this,
+					  plugin_feature_t *feature, bool reg, void *cb_data)
+{
+	if (reg)
+	{
+		hydra->attributes->add_provider(hydra->attributes,
+										&this->provider->provider);
+	}
+	else
+	{
+		hydra->attributes->remove_provider(hydra->attributes,
+										   &this->provider->provider);
+	}
+	return TRUE;
+}
+
+METHOD(plugin_t, get_features, int,
+	private_attr_plugin_t *this, plugin_feature_t *features[])
+{
+	static plugin_feature_t f[] = {
+		PLUGIN_CALLBACK((plugin_feature_callback_t)plugin_cb, NULL),
+			PLUGIN_PROVIDE(CUSTOM, "attr"),
+	};
+	*features = f;
+	return countof(f);
+}
+
 METHOD(plugin_t, reload, bool,
 	private_attr_plugin_t *this)
 {
@@ -52,7 +82,6 @@ METHOD(plugin_t, reload, bool,
 METHOD(plugin_t, destroy, void,
 	private_attr_plugin_t *this)
 {
-	hydra->attributes->remove_provider(hydra->attributes, &this->provider->provider);
 	this->provider->destroy(this->provider);
 	free(this);
 }
@@ -68,14 +97,13 @@ plugin_t *attr_plugin_create()
 		.public = {
 			.plugin = {
 				.get_name = _get_name,
+				.get_features = _get_features,
 				.reload = _reload,
 				.destroy = _destroy,
 			},
 		},
 		.provider = attr_provider_create(),
 	);
-	hydra->attributes->add_provider(hydra->attributes, &this->provider->provider);
 
 	return &this->public.plugin;
 }
-
diff --git a/src/libhydra/plugins/attr/attr_provider.c b/src/libhydra/plugins/attr/attr_provider.c
index 329f317dd..1a2fa7f28 100644
--- a/src/libhydra/plugins/attr/attr_provider.c
+++ b/src/libhydra/plugins/attr/attr_provider.c
@@ -219,7 +219,7 @@ static void load_entries(private_attr_provider_t *this)
 			host = host_create_from_string(token, 0);
 			if (!host)
 			{
-				if (!type)
+				if (mapped)
 				{
 					DBG1(DBG_CFG, "invalid host in key %s: %s", key, token);
 					continue;
@@ -252,9 +252,21 @@ static void load_entries(private_attr_provider_t *this)
 					}
 				}
 				host->destroy(host);
+				if (mapped)
+				{
+					switch (family)
+					{
+						case AF_INET:
+							type = mapped->v4;
+							break;
+						case AF_INET6:
+							type = mapped->v6;
+							break;
+					}
+				}
 			}
 			INIT(entry,
-				.type = type ?: (family == AF_INET ? mapped->v4 : mapped->v6),
+				.type = type,
 				.value = data,
 			);
 			DBG2(DBG_CFG, "loaded attribute %N: %#B",
@@ -308,4 +320,3 @@ attr_provider_t *attr_provider_create(database_t *db)
 
 	return &this->public;
 }
-
diff --git a/src/libhydra/plugins/attr_sql/Makefile.am b/src/libhydra/plugins/attr_sql/Makefile.am
index 7491debcd..4c369a2bd 100644
--- a/src/libhydra/plugins/attr_sql/Makefile.am
+++ b/src/libhydra/plugins/attr_sql/Makefile.am
@@ -1,9 +1,10 @@
-
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra \
+	-DPLUGINS=\""${pool_plugins}\""
 
 AM_CFLAGS = \
-	-rdynamic \
-	-DPLUGINS=\""${pool_plugins}\""
+	-rdynamic
 
 if MONOLITHIC
 noinst_LTLIBRARIES = libstrongswan-attr-sql.la
diff --git a/src/libhydra/plugins/attr_sql/Makefile.in b/src/libhydra/plugins/attr_sql/Makefile.in
index 0d7d55790..935740b28 100644
--- a/src/libhydra/plugins/attr_sql/Makefile.in
+++ b/src/libhydra/plugins/attr_sql/Makefile.in
@@ -64,7 +64,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
@@ -105,7 +105,10 @@ am_libstrongswan_attr_sql_la_OBJECTS = attr_sql_plugin.lo \
 	sql_attribute.lo
 libstrongswan_attr_sql_la_OBJECTS =  \
 	$(am_libstrongswan_attr_sql_la_OBJECTS)
-libstrongswan_attr_sql_la_LINK = $(LIBTOOL) --tag=CC \
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+libstrongswan_attr_sql_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
 	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
 	$(AM_CFLAGS) $(CFLAGS) $(libstrongswan_attr_sql_la_LDFLAGS) \
 	$(LDFLAGS) -o $@
@@ -125,13 +128,26 @@ am__depfiles_maybe = depfiles
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
 SOURCES = $(libstrongswan_attr_sql_la_SOURCES) $(pool_SOURCES)
 DIST_SOURCES = $(libstrongswan_attr_sql_la_SOURCES) $(pool_SOURCES)
 am__can_run_installinfo = \
@@ -145,6 +161,7 @@ DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
@@ -157,6 +174,8 @@ CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
 CHECK_CFLAGS = @CHECK_CFLAGS@
 CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -172,6 +191,7 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
 GPRBUILD = @GPRBUILD@
 GREP = @GREP@
@@ -180,6 +200,7 @@ INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -226,6 +247,7 @@ SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -254,6 +276,7 @@ charon_natt_port = @charon_natt_port@
 charon_plugins = @charon_plugins@
 charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
@@ -331,11 +354,14 @@ top_srcdir = @top_srcdir@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra
-AM_CFLAGS = \
-	-rdynamic \
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra \
 	-DPLUGINS=\""${pool_plugins}\""
 
+AM_CFLAGS = \
+	-rdynamic
+
 @MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-attr-sql.la
 @MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-attr-sql.la
 libstrongswan_attr_sql_la_SOURCES = \
@@ -425,7 +451,7 @@ clean-pluginLTLIBRARIES:
 	  rm -f "$${dir}/so_locations"; \
 	done
 libstrongswan-attr-sql.la: $(libstrongswan_attr_sql_la_OBJECTS) $(libstrongswan_attr_sql_la_DEPENDENCIES) $(EXTRA_libstrongswan_attr_sql_la_DEPENDENCIES) 
-	$(libstrongswan_attr_sql_la_LINK) $(am_libstrongswan_attr_sql_la_rpath) $(libstrongswan_attr_sql_la_OBJECTS) $(libstrongswan_attr_sql_la_LIBADD) $(LIBS)
+	$(AM_V_CCLD)$(libstrongswan_attr_sql_la_LINK) $(am_libstrongswan_attr_sql_la_rpath) $(libstrongswan_attr_sql_la_OBJECTS) $(libstrongswan_attr_sql_la_LIBADD) $(LIBS)
 install-ipsecPROGRAMS: $(ipsec_PROGRAMS)
 	@$(NORMAL_INSTALL)
 	@list='$(ipsec_PROGRAMS)'; test -n "$(ipsecdir)" || list=; \
@@ -474,7 +500,7 @@ clean-ipsecPROGRAMS:
 	rm -f $$list
 pool$(EXEEXT): $(pool_OBJECTS) $(pool_DEPENDENCIES) $(EXTRA_pool_DEPENDENCIES) 
 	@rm -f pool$(EXEEXT)
-	$(LINK) $(pool_OBJECTS) $(pool_LDADD) $(LIBS)
+	$(AM_V_CCLD)$(LINK) $(pool_OBJECTS) $(pool_LDADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -489,25 +515,25 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/sql_attribute.Plo@am__quote@
 
 .c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
 mostlyclean-libtool:
 	-rm -f *.lo
diff --git a/src/libhydra/plugins/attr_sql/attr_sql_plugin.c b/src/libhydra/plugins/attr_sql/attr_sql_plugin.c
index 69e6f7be6..702872c57 100644
--- a/src/libhydra/plugins/attr_sql/attr_sql_plugin.c
+++ b/src/libhydra/plugins/attr_sql/attr_sql_plugin.c
@@ -1,4 +1,5 @@
 /*
+ * Copyright (C) 2013 Tobias Brunner
  * Copyright (C) 2008 Martin Willi
  * Hochschule fuer Technik Rapperswil
  *
@@ -15,6 +16,7 @@
 
 #include <hydra.h>
 #include <utils/debug.h>
+#include <plugins/plugin_feature.h>
 
 #include "attr_sql_plugin.h"
 #include "sql_attribute.h"
@@ -48,12 +50,59 @@ METHOD(plugin_t, get_name, char*,
 	return "attr-sql";
 }
 
+/**
+ * Connect to database
+ */
+static bool open_database(private_attr_sql_plugin_t *this,
+						  plugin_feature_t *feature, bool reg, void *cb_data)
+{
+	if (reg)
+	{
+		char *uri;
+
+		uri = lib->settings->get_str(lib->settings,
+								"libhydra.plugins.attr-sql.database", NULL);
+		if (!uri)
+		{
+			DBG1(DBG_CFG, "attr-sql plugin: database URI not set");
+			return FALSE;
+		}
+
+		this->db = lib->db->create(lib->db, uri);
+		if (!this->db)
+		{
+			DBG1(DBG_CFG, "attr-sql plugin failed to connect to database");
+			return FALSE;
+		}
+		this->attribute = sql_attribute_create(this->db);
+		hydra->attributes->add_provider(hydra->attributes,
+										&this->attribute->provider);
+	}
+	else
+	{
+		hydra->attributes->remove_provider(hydra->attributes,
+										   &this->attribute->provider);
+		this->attribute->destroy(this->attribute);
+		this->db->destroy(this->db);
+	}
+	return TRUE;
+}
+
+METHOD(plugin_t, get_features, int,
+	private_attr_sql_plugin_t *this, plugin_feature_t *features[])
+{
+	static plugin_feature_t f[] = {
+		PLUGIN_CALLBACK((plugin_feature_callback_t)open_database, NULL),
+			PLUGIN_PROVIDE(CUSTOM, "attr-sql"),
+				PLUGIN_DEPENDS(DATABASE, DB_ANY),
+	};
+	*features = f;
+	return countof(f);
+}
+
 METHOD(plugin_t, destroy, void,
 	private_attr_sql_plugin_t *this)
 {
-	hydra->attributes->remove_provider(hydra->attributes, &this->attribute->provider);
-	this->attribute->destroy(this->attribute);
-	this->db->destroy(this->db);
 	free(this);
 }
 
@@ -63,36 +112,16 @@ METHOD(plugin_t, destroy, void,
 plugin_t *attr_sql_plugin_create()
 {
 	private_attr_sql_plugin_t *this;
-	char *uri;
-
-	uri = lib->settings->get_str(lib->settings, "libhydra.plugins.attr-sql.database",
-												 NULL);
-	if (!uri)
-	{
-		DBG1(DBG_CFG, "attr-sql plugin: database URI not set");
-		return NULL;
-	}
 
 	INIT(this,
 		.public = {
 			.plugin = {
 				.get_name = _get_name,
-				.reload = (void*)return_false,
+				.get_features = _get_features,
 				.destroy = _destroy,
 			},
 		},
-		.db = lib->db->create(lib->db, uri),
 	);
 
-	if (!this->db)
-	{
-		DBG1(DBG_CFG, "attr-sql plugin failed to connect to database");
-		free(this);
-		return NULL;
-	}
-	this->attribute = sql_attribute_create(this->db);
-	hydra->attributes->add_provider(hydra->attributes, &this->attribute->provider);
-
 	return &this->public.plugin;
 }
-
diff --git a/src/libhydra/plugins/attr_sql/pool.c b/src/libhydra/plugins/attr_sql/pool.c
index 880af61dc..4e7c48e23 100644
--- a/src/libhydra/plugins/attr_sql/pool.c
+++ b/src/libhydra/plugins/attr_sql/pool.c
@@ -1260,7 +1260,7 @@ int main(int argc, char *argv[])
 		fprintf(stderr, "integrity check of pool failed\n");
 		exit(SS_RC_DAEMON_INTEGRITY);
 	}
-	if (!lib->plugins->load(lib->plugins, NULL,
+	if (!lib->plugins->load(lib->plugins,
 			lib->settings->get_str(lib->settings, "pool.load", PLUGINS)))
 	{
 		exit(SS_RC_INITIALIZATION_FAILED);
diff --git a/src/libhydra/plugins/attr_sql/pool_attributes.c b/src/libhydra/plugins/attr_sql/pool_attributes.c
index 5dcfe85ed..1d1ba8f58 100644
--- a/src/libhydra/plugins/attr_sql/pool_attributes.c
+++ b/src/libhydra/plugins/attr_sql/pool_attributes.c
@@ -75,6 +75,7 @@ static const attr_info_t attr_info[] = {
 	{ "unity_def_domain",     VALUE_STRING, UNITY_DEF_DOMAIN,     0 },
 	{ "unity_splitdns_name",  VALUE_STRING, UNITY_SPLITDNS_NAME,  0 },
 	{ "unity_split_include",  VALUE_SUBNET, UNITY_SPLIT_INCLUDE,  0 },
+	{ "unity_split_exclude",  VALUE_SUBNET, UNITY_LOCAL_LAN,      0 },
 	{ "unity_local_lan",      VALUE_SUBNET, UNITY_LOCAL_LAN,      0 },
 };
 
@@ -153,6 +154,7 @@ static bool parse_attributes(char *name, char *value, value_type_t *value_type,
 				memcpy(pos_addr,     addr_chunk.ptr, 4);
 				memcpy(pos_addr + 4, mask_chunk.ptr, 4);
 				addr->destroy(addr);
+				addr = NULL;
 				mask->destroy(mask);
 				chunk_free(blob);
 				*blob = blob_next;
diff --git a/src/libhydra/plugins/kernel_klips/Makefile.am b/src/libhydra/plugins/kernel_klips/Makefile.am
index df639b255..1b98cab06 100644
--- a/src/libhydra/plugins/kernel_klips/Makefile.am
+++ b/src/libhydra/plugins/kernel_klips/Makefile.am
@@ -1,7 +1,9 @@
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra
 
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra
-
-AM_CFLAGS = -rdynamic
+AM_CFLAGS = \
+	-rdynamic
 
 if MONOLITHIC
 noinst_LTLIBRARIES = libstrongswan-kernel-klips.la
diff --git a/src/libhydra/plugins/kernel_klips/Makefile.in b/src/libhydra/plugins/kernel_klips/Makefile.in
index 5bc67de27..81208b5ca 100644
--- a/src/libhydra/plugins/kernel_klips/Makefile.in
+++ b/src/libhydra/plugins/kernel_klips/Makefile.in
@@ -62,7 +62,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
@@ -103,7 +103,10 @@ am_libstrongswan_kernel_klips_la_OBJECTS = kernel_klips_plugin.lo \
 	kernel_klips_ipsec.lo
 libstrongswan_kernel_klips_la_OBJECTS =  \
 	$(am_libstrongswan_kernel_klips_la_OBJECTS)
-libstrongswan_kernel_klips_la_LINK = $(LIBTOOL) --tag=CC \
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+libstrongswan_kernel_klips_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
 	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
 	$(AM_CFLAGS) $(CFLAGS) \
 	$(libstrongswan_kernel_klips_la_LDFLAGS) $(LDFLAGS) -o $@
@@ -116,13 +119,26 @@ am__depfiles_maybe = depfiles
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
 SOURCES = $(libstrongswan_kernel_klips_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_kernel_klips_la_SOURCES)
 am__can_run_installinfo = \
@@ -136,6 +152,7 @@ DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
@@ -148,6 +165,8 @@ CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
 CHECK_CFLAGS = @CHECK_CFLAGS@
 CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -163,6 +182,7 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
 GPRBUILD = @GPRBUILD@
 GREP = @GREP@
@@ -171,6 +191,7 @@ INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -217,6 +238,7 @@ SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -245,6 +267,7 @@ charon_natt_port = @charon_natt_port@
 charon_plugins = @charon_plugins@
 charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
@@ -322,8 +345,13 @@ top_srcdir = @top_srcdir@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra
-AM_CFLAGS = -rdynamic
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra
+
+AM_CFLAGS = \
+	-rdynamic
+
 @MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-kernel-klips.la
 @MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-kernel-klips.la
 libstrongswan_kernel_klips_la_SOURCES = \
@@ -407,7 +435,7 @@ clean-pluginLTLIBRARIES:
 	  rm -f "$${dir}/so_locations"; \
 	done
 libstrongswan-kernel-klips.la: $(libstrongswan_kernel_klips_la_OBJECTS) $(libstrongswan_kernel_klips_la_DEPENDENCIES) $(EXTRA_libstrongswan_kernel_klips_la_DEPENDENCIES) 
-	$(libstrongswan_kernel_klips_la_LINK) $(am_libstrongswan_kernel_klips_la_rpath) $(libstrongswan_kernel_klips_la_OBJECTS) $(libstrongswan_kernel_klips_la_LIBADD) $(LIBS)
+	$(AM_V_CCLD)$(libstrongswan_kernel_klips_la_LINK) $(am_libstrongswan_kernel_klips_la_rpath) $(libstrongswan_kernel_klips_la_OBJECTS) $(libstrongswan_kernel_klips_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -419,25 +447,25 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/kernel_klips_plugin.Plo@am__quote@
 
 .c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
 mostlyclean-libtool:
 	-rm -f *.lo
diff --git a/src/libhydra/plugins/kernel_klips/kernel_klips_ipsec.c b/src/libhydra/plugins/kernel_klips/kernel_klips_ipsec.c
index a120b3d00..82f80fd4c 100644
--- a/src/libhydra/plugins/kernel_klips/kernel_klips_ipsec.c
+++ b/src/libhydra/plugins/kernel_klips/kernel_klips_ipsec.c
@@ -78,7 +78,7 @@
 /** this is the default number of ipsec devices */
 #define DEFAULT_IPSEC_DEV_COUNT 4
 /** TRUE if the given name matches an ipsec device */
-#define IS_IPSEC_DEV(name) (strneq((name), IPSEC_DEV_PREFIX, sizeof(IPSEC_DEV_PREFIX) - 1))
+#define IS_IPSEC_DEV(name) (strpfx((name), IPSEC_DEV_PREFIX))
 
 /** the following stuff is from ipsec_tunnel.h */
 struct ipsectunnelconf
@@ -1682,8 +1682,8 @@ METHOD(kernel_ipsec_t, add_sa, status_t,
 	u_int8_t protocol, u_int32_t reqid, mark_t mark, u_int32_t tfc,
 	lifetime_cfg_t *lifetime, u_int16_t enc_alg, chunk_t enc_key,
 	u_int16_t int_alg, chunk_t int_key, ipsec_mode_t mode,
-	u_int16_t ipcomp, u_int16_t cpi, bool encap, bool esn, bool inbound,
-	traffic_selector_t *src_ts, traffic_selector_t *dst_ts)
+	u_int16_t ipcomp, u_int16_t cpi, bool initiator, bool encap, bool esn,
+	bool inbound, traffic_selector_t *src_ts, traffic_selector_t *dst_ts)
 {
 	unsigned char request[PFKEY_BUFFER_SIZE];
 	struct sadb_msg *msg, *out;
@@ -1911,7 +1911,7 @@ METHOD(kernel_ipsec_t, update_sa, status_t,
 METHOD(kernel_ipsec_t, query_sa, status_t,
 	private_kernel_klips_ipsec_t *this, host_t *src, host_t *dst,
 	u_int32_t spi, u_int8_t protocol, mark_t mark,
-	u_int64_t *bytes, u_int64_t *packets)
+	u_int64_t *bytes, u_int64_t *packets, u_int32_t *time)
 {
 	return NOT_SUPPORTED;  /* TODO */
 }
@@ -2022,7 +2022,7 @@ METHOD(kernel_ipsec_t, add_policy, status_t,
 	else
 	{
 		/* apply the new one, if we have no such policy */
-		this->policies->insert_last(this->policies, policy);
+		this->policies->insert_first(this->policies, policy);
 	}
 
 	if (priority == POLICY_PRIORITY_ROUTED)
@@ -2088,7 +2088,8 @@ METHOD(kernel_ipsec_t, add_policy, status_t,
 	this->mutex->lock(this->mutex);
 
 	/* we try to find the policy again and install the route if needed */
-	if (this->policies->find_last(this->policies, NULL, (void**)&policy) != SUCCESS)
+	if (this->policies->find_first(this->policies, NULL,
+								  (void**)&policy) != SUCCESS)
 	{
 		this->mutex->unlock(this->mutex);
 		DBG2(DBG_KNL, "the policy %R === %R %N is already gone, ignoring",
@@ -2118,7 +2119,7 @@ METHOD(kernel_ipsec_t, add_policy, status_t,
 			this->install_routes)
 		{
 			hydra->kernel_interface->get_address_by_ts(hydra->kernel_interface,
-													   src_ts, &route->src_ip);
+												src_ts, &route->src_ip, NULL);
 		}
 
 		if (!route->src_ip)
@@ -2332,7 +2333,7 @@ METHOD(kernel_ipsec_t, query_policy, status_t,
 
 	while (fgets(line, sizeof(line), file))
 	{
-		if (strneq(line, said, strlen(said)))
+		if (strpfx(line, said))
 		{
 			/* fine we found the correct line, now find the idle time */
 			u_int32_t idle_time;
diff --git a/src/libhydra/plugins/kernel_netlink/Makefile.am b/src/libhydra/plugins/kernel_netlink/Makefile.am
index 1ad379421..ad573523e 100644
--- a/src/libhydra/plugins/kernel_netlink/Makefile.am
+++ b/src/libhydra/plugins/kernel_netlink/Makefile.am
@@ -1,10 +1,12 @@
+AM_CPPFLAGS = \
+	-I${linux_headers} \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra \
+	-DROUTING_TABLE=${routing_table} \
+	-DROUTING_TABLE_PRIO=${routing_table_prio}
 
-INCLUDES = -I${linux_headers} -I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra
-
-AM_CFLAGS = -rdynamic \
--DROUTING_TABLE=${routing_table} \
--DROUTING_TABLE_PRIO=${routing_table_prio}
+AM_CFLAGS = \
+	-rdynamic
 
 if MONOLITHIC
 noinst_LTLIBRARIES = libstrongswan-kernel-netlink.la
diff --git a/src/libhydra/plugins/kernel_netlink/Makefile.in b/src/libhydra/plugins/kernel_netlink/Makefile.in
index 9702010bb..9cb988c8d 100644
--- a/src/libhydra/plugins/kernel_netlink/Makefile.in
+++ b/src/libhydra/plugins/kernel_netlink/Makefile.in
@@ -62,7 +62,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
@@ -104,7 +104,10 @@ am_libstrongswan_kernel_netlink_la_OBJECTS = kernel_netlink_plugin.lo \
 	kernel_netlink_shared.lo
 libstrongswan_kernel_netlink_la_OBJECTS =  \
 	$(am_libstrongswan_kernel_netlink_la_OBJECTS)
-libstrongswan_kernel_netlink_la_LINK = $(LIBTOOL) --tag=CC \
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+libstrongswan_kernel_netlink_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
 	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
 	$(AM_CFLAGS) $(CFLAGS) \
 	$(libstrongswan_kernel_netlink_la_LDFLAGS) $(LDFLAGS) -o $@
@@ -117,13 +120,26 @@ am__depfiles_maybe = depfiles
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
 SOURCES = $(libstrongswan_kernel_netlink_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_kernel_netlink_la_SOURCES)
 am__can_run_installinfo = \
@@ -137,6 +153,7 @@ DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
@@ -149,6 +166,8 @@ CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
 CHECK_CFLAGS = @CHECK_CFLAGS@
 CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -164,6 +183,7 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
 GPRBUILD = @GPRBUILD@
 GREP = @GREP@
@@ -172,6 +192,7 @@ INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -218,6 +239,7 @@ SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -246,6 +268,7 @@ charon_natt_port = @charon_natt_port@
 charon_plugins = @charon_plugins@
 charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
@@ -323,12 +346,15 @@ top_srcdir = @top_srcdir@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-INCLUDES = -I${linux_headers} -I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra
+AM_CPPFLAGS = \
+	-I${linux_headers} \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra \
+	-DROUTING_TABLE=${routing_table} \
+	-DROUTING_TABLE_PRIO=${routing_table_prio}
 
-AM_CFLAGS = -rdynamic \
--DROUTING_TABLE=${routing_table} \
--DROUTING_TABLE_PRIO=${routing_table_prio}
+AM_CFLAGS = \
+	-rdynamic
 
 @MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-kernel-netlink.la
 @MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-kernel-netlink.la
@@ -415,7 +441,7 @@ clean-pluginLTLIBRARIES:
 	  rm -f "$${dir}/so_locations"; \
 	done
 libstrongswan-kernel-netlink.la: $(libstrongswan_kernel_netlink_la_OBJECTS) $(libstrongswan_kernel_netlink_la_DEPENDENCIES) $(EXTRA_libstrongswan_kernel_netlink_la_DEPENDENCIES) 
-	$(libstrongswan_kernel_netlink_la_LINK) $(am_libstrongswan_kernel_netlink_la_rpath) $(libstrongswan_kernel_netlink_la_OBJECTS) $(libstrongswan_kernel_netlink_la_LIBADD) $(LIBS)
+	$(AM_V_CCLD)$(libstrongswan_kernel_netlink_la_LINK) $(am_libstrongswan_kernel_netlink_la_rpath) $(libstrongswan_kernel_netlink_la_OBJECTS) $(libstrongswan_kernel_netlink_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -429,25 +455,25 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/kernel_netlink_shared.Plo@am__quote@
 
 .c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
 mostlyclean-libtool:
 	-rm -f *.lo
diff --git a/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c b/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c
index 9b4ade533..b34fa149c 100644
--- a/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c
+++ b/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c
@@ -37,11 +37,9 @@
 
 #include <hydra.h>
 #include <utils/debug.h>
-#include <threading/thread.h>
 #include <threading/mutex.h>
 #include <collections/hashtable.h>
 #include <collections/linked_list.h>
-#include <processing/jobs/callback_job.h>
 
 /** Required for Linux 2.6.26 kernel and later */
 #ifndef XFRM_STATE_AF_UNSPEC
@@ -558,6 +556,9 @@ struct policy_entry_t {
 
 	/** List of SAs this policy is used by, ordered by priority */
 	linked_list_t *used_by;
+
+	/** reqid for this policy */
+	u_int32_t reqid;
 };
 
 /**
@@ -969,40 +970,37 @@ static void process_mapping(private_kernel_netlink_ipsec_t *this,
 /**
  * Receives events from kernel
  */
-static job_requeue_t receive_events(private_kernel_netlink_ipsec_t *this)
+static bool receive_events(private_kernel_netlink_ipsec_t *this, int fd,
+						   watcher_event_t event)
 {
 	char response[1024];
 	struct nlmsghdr *hdr = (struct nlmsghdr*)response;
 	struct sockaddr_nl addr;
 	socklen_t addr_len = sizeof(addr);
 	int len;
-	bool oldstate;
-
-	oldstate = thread_cancelability(TRUE);
-	len = recvfrom(this->socket_xfrm_events, response, sizeof(response), 0,
-				   (struct sockaddr*)&addr, &addr_len);
-	thread_cancelability(oldstate);
 
+	len = recvfrom(this->socket_xfrm_events, response, sizeof(response),
+				   MSG_DONTWAIT, (struct sockaddr*)&addr, &addr_len);
 	if (len < 0)
 	{
 		switch (errno)
 		{
 			case EINTR:
 				/* interrupted, try again */
-				return JOB_REQUEUE_DIRECT;
+				return TRUE;
 			case EAGAIN:
 				/* no data ready, select again */
-				return JOB_REQUEUE_DIRECT;
+				return TRUE;
 			default:
 				DBG1(DBG_KNL, "unable to receive from xfrm event socket");
 				sleep(1);
-				return JOB_REQUEUE_FAIR;
+				return TRUE;
 		}
 	}
 
 	if (addr.nl_pid != 0)
 	{	/* not from kernel. not interested, try another one */
-		return JOB_REQUEUE_DIRECT;
+		return TRUE;
 	}
 
 	while (NLMSG_OK(hdr, len))
@@ -1028,7 +1026,7 @@ static job_requeue_t receive_events(private_kernel_netlink_ipsec_t *this)
 		}
 		hdr = NLMSG_NEXT(hdr, len);
 	}
-	return JOB_REQUEUE_DIRECT;
+	return TRUE;
 }
 
 METHOD(kernel_ipsec_t, get_features, kernel_feature_t,
@@ -1170,7 +1168,7 @@ METHOD(kernel_ipsec_t, add_sa, status_t,
 	u_int32_t spi, u_int8_t protocol, u_int32_t reqid, mark_t mark,
 	u_int32_t tfc, lifetime_cfg_t *lifetime, u_int16_t enc_alg, chunk_t enc_key,
 	u_int16_t int_alg, chunk_t int_key, ipsec_mode_t mode, u_int16_t ipcomp,
-	u_int16_t cpi, bool encap, bool esn, bool inbound,
+	u_int16_t cpi, bool initiator, bool encap, bool esn, bool inbound,
 	traffic_selector_t* src_ts, traffic_selector_t* dst_ts)
 {
 	netlink_buf_t request;
@@ -1187,7 +1185,8 @@ METHOD(kernel_ipsec_t, add_sa, status_t,
 		lifetime_cfg_t lft = {{0,0,0},{0,0,0},{0,0,0}};
 		add_sa(this, src, dst, htonl(ntohs(cpi)), IPPROTO_COMP, reqid, mark,
 			   tfc, &lft, ENCR_UNDEFINED, chunk_empty, AUTH_UNDEFINED,
-			   chunk_empty, mode, ipcomp, 0, FALSE, FALSE, inbound, NULL, NULL);
+			   chunk_empty, mode, ipcomp, 0, initiator, FALSE, FALSE, inbound,
+			   NULL, NULL);
 		ipcomp = IPCOMP_NONE;
 		/* use transport mode ESP SA, IPComp uses tunnel mode */
 		mode = MODE_TRANSPORT;
@@ -1220,6 +1219,12 @@ METHOD(kernel_ipsec_t, add_sa, status_t,
 			if(src_ts && dst_ts)
 			{
 				sa->sel = ts2selector(src_ts, dst_ts);
+				/* don't install proto/port on SA. This would break
+				 * potential secondary SAs for the same address using a
+				 * different prot/port. */
+				sa->sel.proto = 0;
+				sa->sel.dport = sa->sel.dport_mask = 0;
+				sa->sel.sport = sa->sel.sport_mask = 0;
 			}
 			break;
 		default:
@@ -1595,7 +1600,7 @@ static void get_replay_state(private_kernel_netlink_ipsec_t *this,
 METHOD(kernel_ipsec_t, query_sa, status_t,
 	private_kernel_netlink_ipsec_t *this, host_t *src, host_t *dst,
 	u_int32_t spi, u_int8_t protocol, mark_t mark,
-	u_int64_t *bytes, u_int64_t *packets)
+	u_int64_t *bytes, u_int64_t *packets, u_int32_t *time)
 {
 	netlink_buf_t request;
 	struct nlmsghdr *out = NULL, *hdr;
@@ -1680,6 +1685,12 @@ METHOD(kernel_ipsec_t, query_sa, status_t,
 		{
 			*packets = sa->curlft.packets;
 		}
+		if (time)
+		{	/* curlft contains an "use" time, but that contains a timestamp
+			 * of the first use, not the last. Last use time must be queried
+			 * on the policy on Linux */
+			*time = 0;
+		}
 		status = SUCCESS;
 	}
 	memwipe(out, len);
@@ -2041,7 +2052,7 @@ static status_t add_policy_internal(private_kernel_netlink_ipsec_t *this,
 			{
 				continue;
 			}
-			tmpl->reqid = ipsec->cfg.reqid;
+			tmpl->reqid = policy->reqid;
 			tmpl->id.proto = protos[i].proto;
 			tmpl->aalgos = tmpl->ealgos = tmpl->calgos = ~0;
 			tmpl->mode = mode2kernel(proto_mode);
@@ -2049,7 +2060,7 @@ static status_t add_policy_internal(private_kernel_netlink_ipsec_t *this,
 							 policy->direction != POLICY_OUT;
 			tmpl->family = ipsec->src->get_family(ipsec->src);
 
-			if (proto_mode == MODE_TUNNEL)
+			if (proto_mode == MODE_TUNNEL || proto_mode == MODE_BEET)
 			{	/* only for tunnel mode */
 				host2xfrm(ipsec->src, &tmpl->saddr);
 				host2xfrm(ipsec->dst, &tmpl->id.daddr);
@@ -2102,7 +2113,7 @@ static status_t add_policy_internal(private_kernel_netlink_ipsec_t *this,
 		);
 
 		if (hydra->kernel_interface->get_address_by_ts(hydra->kernel_interface,
-				fwd->dst_ts, &route->src_ip) == SUCCESS)
+				fwd->dst_ts, &route->src_ip, NULL) == SUCCESS)
 		{
 			/* get the nexthop to src (src as we are in POLICY_FWD) */
 			route->gateway = hydra->kernel_interface->get_nexthop(
@@ -2197,6 +2208,7 @@ METHOD(kernel_ipsec_t, add_policy, status_t,
 		.sel = ts2selector(src_ts, dst_ts),
 		.mark = mark.value & mark.mask,
 		.direction = direction,
+		.reqid = sa->reqid,
 	);
 
 	/* find the policy, which matches EXACTLY */
@@ -2204,6 +2216,16 @@ METHOD(kernel_ipsec_t, add_policy, status_t,
 	current = this->policies->get(this->policies, policy);
 	if (current)
 	{
+		if (current->reqid != sa->reqid)
+		{
+			DBG1(DBG_CFG, "unable to install policy %R === %R %N (mark "
+				 "%u/0x%08x) for reqid %u, the same policy for reqid %u exists",
+				 src_ts, dst_ts, policy_dir_names, direction,
+				 mark.value, mark.mask, sa->reqid, current->reqid);
+			policy_entry_destroy(this, policy);
+			this->mutex->unlock(this->mutex);
+			return INVALID_STATE;
+		}
 		/* use existing policy */
 		DBG2(DBG_KNL, "policy %R === %R %N  (mark %u/0x%08x) "
 					  "already exists, increasing refcount",
@@ -2375,7 +2397,7 @@ METHOD(kernel_ipsec_t, del_policy, status_t,
 	/* find the policy */
 	this->mutex->lock(this->mutex);
 	current = this->policies->get(this->policies, &policy);
-	if (!current)
+	if (!current || current->reqid != reqid)
 	{
 		if (mark.value)
 		{
@@ -2398,8 +2420,7 @@ METHOD(kernel_ipsec_t, del_policy, status_t,
 		enumerator = current->used_by->create_enumerator(current->used_by);
 		while (enumerator->enumerate(enumerator, (void**)&mapping))
 		{
-			if (reqid == mapping->sa->cfg.reqid &&
-				priority == mapping->priority)
+			if (priority == mapping->priority)
 			{
 				current->used_by->remove_at(current->used_by, enumerator);
 				policy_sa_destroy(mapping, &direction, this);
@@ -2579,6 +2600,7 @@ METHOD(kernel_ipsec_t, destroy, void,
 
 	if (this->socket_xfrm_events > 0)
 	{
+		lib->watcher->remove(lib->watcher, this->socket_xfrm_events);
 		close(this->socket_xfrm_events);
 	}
 	DESTROY_IF(this->socket_xfrm);
@@ -2638,13 +2660,7 @@ kernel_netlink_ipsec_t *kernel_netlink_ipsec_create()
 	this->replay_bmp = (this->replay_window + sizeof(u_int32_t) * 8 - 1) /
 													(sizeof(u_int32_t) * 8);
 
-	if (streq(hydra->daemon, "pluto"))
-	{	/* no routes for pluto, they are installed via updown script */
-		this->install_routes = FALSE;
-		/* no policy history for pluto */
-		this->policy_history = FALSE;
-	}
-	else if (streq(hydra->daemon, "starter"))
+	if (streq(hydra->daemon, "starter"))
 	{	/* starter has no threads, so we do not register for kernel events */
 		register_for_events = FALSE;
 	}
@@ -2687,10 +2703,8 @@ kernel_netlink_ipsec_t *kernel_netlink_ipsec_create()
 			destroy(this);
 			return NULL;
 		}
-		lib->processor->queue_job(lib->processor,
-			(job_t*)callback_job_create_with_prio(
-					(callback_job_cb_t)receive_events, this, NULL,
-					(callback_job_cancel_t)return_false, JOB_PRIO_CRITICAL));
+		lib->watcher->add(lib->watcher, this->socket_xfrm_events, WATCHER_READ,
+						  (watcher_cb_t)receive_events, this);
 	}
 
 	return &this->public;
diff --git a/src/libhydra/plugins/kernel_netlink/kernel_netlink_net.c b/src/libhydra/plugins/kernel_netlink/kernel_netlink_net.c
index 3e0725a35..e129ab131 100644
--- a/src/libhydra/plugins/kernel_netlink/kernel_netlink_net.c
+++ b/src/libhydra/plugins/kernel_netlink/kernel_netlink_net.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2008-2012 Tobias Brunner
+ * Copyright (C) 2008-2013 Tobias Brunner
  * Copyright (C) 2005-2008 Martin Willi
  * Hochschule fuer Technik Rapperswil
  *
@@ -50,7 +50,6 @@
 
 #include <hydra.h>
 #include <utils/debug.h>
-#include <threading/thread.h>
 #include <threading/mutex.h>
 #include <threading/rwlock.h>
 #include <threading/rwlock_condvar.h>
@@ -68,6 +67,14 @@
 /** maximum recursion when searching for addresses in get_route() */
 #define MAX_ROUTE_RECURSION 2
 
+#ifndef ROUTING_TABLE
+#define ROUTING_TABLE 0
+#endif
+
+#ifndef ROUTING_TABLE_PRIO
+#define ROUTING_TABLE_PRIO 0
+#endif
+
 typedef struct addr_entry_t addr_entry_t;
 
 /**
@@ -257,7 +264,7 @@ static route_entry_t *route_entry_clone(route_entry_t *this)
 	INIT(route,
 		.if_name = strdup(this->if_name),
 		.src_ip = this->src_ip->clone(this->src_ip),
-		.gateway = this->gateway->clone(this->gateway),
+		.gateway = this->gateway ? this->gateway->clone(this->gateway) : NULL,
 		.dst_net = chunk_clone(this->dst_net),
 		.prefixlen = this->prefixlen,
 	);
@@ -290,10 +297,14 @@ static u_int route_entry_hash(route_entry_t *this)
  */
 static bool route_entry_equals(route_entry_t *a, route_entry_t *b)
 {
-	return a->if_name && b->if_name && streq(a->if_name, b->if_name) &&
-		   a->src_ip->ip_equals(a->src_ip, b->src_ip) &&
-		   a->gateway->ip_equals(a->gateway, b->gateway) &&
-		   chunk_equals(a->dst_net, b->dst_net) && a->prefixlen == b->prefixlen;
+	if (a->if_name && b->if_name && streq(a->if_name, b->if_name) &&
+		a->src_ip->ip_equals(a->src_ip, b->src_ip) &&
+		chunk_equals(a->dst_net, b->dst_net) && a->prefixlen == b->prefixlen)
+	{
+		return (!a->gateway && !b->gateway) || (a->gateway && b->gateway &&
+					a->gateway->ip_equals(a->gateway, b->gateway));
+	}
+	return FALSE;
 }
 
 typedef struct net_change_t net_change_t;
@@ -427,6 +438,11 @@ struct private_kernel_netlink_net_t {
 	 */
 	bool process_route;
 
+	/**
+	 * whether to trigger roam events
+	 */
+	bool roam_events;
+
 	/**
 	 * whether to actually install virtual IPs
 	 */
@@ -695,6 +711,11 @@ static void fire_roam_event(private_kernel_netlink_net_t *this, bool address)
 	timeval_t now;
 	job_t *job;
 
+	if (!this->roam_events)
+	{
+		return;
+	}
+
 	time_monotonic(&now);
 	this->roam_lock->lock(this->roam_lock);
 	if (!timercmp(&now, &this->next_roam, >))
@@ -1057,40 +1078,37 @@ static void process_route(private_kernel_netlink_net_t *this, struct nlmsghdr *h
 /**
  * Receives events from kernel
  */
-static job_requeue_t receive_events(private_kernel_netlink_net_t *this)
+static bool receive_events(private_kernel_netlink_net_t *this, int fd,
+						   watcher_event_t event)
 {
 	char response[1024];
 	struct nlmsghdr *hdr = (struct nlmsghdr*)response;
 	struct sockaddr_nl addr;
 	socklen_t addr_len = sizeof(addr);
 	int len;
-	bool oldstate;
-
-	oldstate = thread_cancelability(TRUE);
-	len = recvfrom(this->socket_events, response, sizeof(response), 0,
-				   (struct sockaddr*)&addr, &addr_len);
-	thread_cancelability(oldstate);
 
+	len = recvfrom(this->socket_events, response, sizeof(response),
+				   MSG_DONTWAIT, (struct sockaddr*)&addr, &addr_len);
 	if (len < 0)
 	{
 		switch (errno)
 		{
 			case EINTR:
 				/* interrupted, try again */
-				return JOB_REQUEUE_DIRECT;
+				return TRUE;
 			case EAGAIN:
 				/* no data ready, select again */
-				return JOB_REQUEUE_DIRECT;
+				return TRUE;
 			default:
 				DBG1(DBG_KNL, "unable to receive from rt event socket");
 				sleep(1);
-				return JOB_REQUEUE_FAIR;
+				return TRUE;
 		}
 	}
 
 	if (addr.nl_pid != 0)
 	{	/* not from kernel. not interested, try another one */
-		return JOB_REQUEUE_DIRECT;
+		return TRUE;
 	}
 
 	while (NLMSG_OK(hdr, len))
@@ -1118,7 +1136,7 @@ static job_requeue_t receive_events(private_kernel_netlink_net_t *this)
 		}
 		hdr = NLMSG_NEXT(hdr, len);
 	}
-	return JOB_REQUEUE_DIRECT;
+	return TRUE;
 }
 
 /** enumerator over addresses */
@@ -1147,6 +1165,10 @@ static bool filter_addresses(address_enumerator_t *data,
 	{	/* skip virtual interfaces added by us */
 		return FALSE;
 	}
+	if (!(data->which & ADDR_TYPE_REGULAR) && !(*in)->refcount)
+	{	/* address is regular, but not requested */
+		return FALSE;
+	}
 	if ((*in)->scope >= RT_SCOPE_LINK)
 	{	/* skip addresses with a unusable scope */
 		return FALSE;
@@ -1191,9 +1213,12 @@ static bool filter_interfaces(address_enumerator_t *data, iface_entry_t** in,
 METHOD(kernel_net_t, create_address_enumerator, enumerator_t*,
 	private_kernel_netlink_net_t *this, kernel_address_type_t which)
 {
-	address_enumerator_t *data = malloc_thing(address_enumerator_t);
-	data->this = this;
-	data->which = which;
+	address_enumerator_t *data;
+
+	INIT(data,
+		.this = this,
+		.which = which,
+	);
 
 	this->lock->read_lock(this->lock);
 	return enumerator_create_nested(
@@ -1237,7 +1262,7 @@ METHOD(kernel_net_t, get_interface_name, bool,
 		if (name)
 		{
 			*name = strdup(entry->iface->ifname);
-			DBG2(DBG_KNL, "virtual %H is on interface %s", ip, *name);
+			DBG2(DBG_KNL, "virtual IP %H is on interface %s", ip, *name);
 		}
 		this->lock->unlock(this->lock);
 		return TRUE;
@@ -2146,6 +2171,7 @@ METHOD(kernel_net_t, destroy, void,
 	}
 	if (this->socket_events > 0)
 	{
+		lib->watcher->remove(lib->watcher, this->socket_events);
 		close(this->socket_events);
 	}
 	enumerator = this->routes->create_enumerator(this->routes);
@@ -2227,6 +2253,8 @@ kernel_netlink_net_t *kernel_netlink_net_create()
 				"%s.install_virtual_ip", TRUE, hydra->daemon),
 		.install_virtual_ip_on = lib->settings->get_str(lib->settings,
 				"%s.install_virtual_ip_on", NULL, hydra->daemon),
+		.roam_events = lib->settings->get_bool(lib->settings,
+				"%s.plugins.kernel-netlink.roam_events", TRUE, hydra->daemon),
 	);
 	timerclear(&this->last_route_reinstall);
 	timerclear(&this->next_roam);
@@ -2283,10 +2311,8 @@ kernel_netlink_net_t *kernel_netlink_net_create()
 			return NULL;
 		}
 
-		lib->processor->queue_job(lib->processor,
-			(job_t*)callback_job_create_with_prio(
-					(callback_job_cb_t)receive_events, this, NULL,
-					(callback_job_cancel_t)return_false, JOB_PRIO_CRITICAL));
+		lib->watcher->add(lib->watcher, this->socket_events, WATCHER_READ,
+						  (watcher_cb_t)receive_events, this);
 	}
 
 	if (init_address_list(this) != SUCCESS)
diff --git a/src/libhydra/plugins/kernel_netlink/kernel_netlink_plugin.c b/src/libhydra/plugins/kernel_netlink/kernel_netlink_plugin.c
index 0eb00dadf..8d5a0d5e8 100644
--- a/src/libhydra/plugins/kernel_netlink/kernel_netlink_plugin.c
+++ b/src/libhydra/plugins/kernel_netlink/kernel_netlink_plugin.c
@@ -65,6 +65,14 @@ plugin_t *kernel_netlink_plugin_create()
 {
 	private_kernel_netlink_plugin_t *this;
 
+	if (!lib->caps->keep(lib->caps, CAP_NET_ADMIN))
+	{	/* required to bind/use XFRM sockets / create/modify routing tables, but
+		 * not if only the read-only parts of kernel-netlink-net are used, so
+		 * we don't fail here */
+		DBG1(DBG_KNL, "kernel-netlink plugin might require CAP_NET_ADMIN "
+			 "capability");
+	}
+
 	INIT(this,
 		.public = {
 			.plugin = {
diff --git a/src/libhydra/plugins/kernel_pfkey/Makefile.am b/src/libhydra/plugins/kernel_pfkey/Makefile.am
index 1d1488a6b..bb5d0d7f7 100644
--- a/src/libhydra/plugins/kernel_pfkey/Makefile.am
+++ b/src/libhydra/plugins/kernel_pfkey/Makefile.am
@@ -1,8 +1,10 @@
-
-INCLUDES = -I${linux_headers} -I$(top_srcdir)/src/libstrongswan \
+AM_CPPFLAGS = \
+	-I${linux_headers} \
+	-I$(top_srcdir)/src/libstrongswan \
 	-I$(top_srcdir)/src/libhydra
 
-AM_CFLAGS = -rdynamic
+AM_CFLAGS = \
+	-rdynamic
 
 if MONOLITHIC
 noinst_LTLIBRARIES = libstrongswan-kernel-pfkey.la
diff --git a/src/libhydra/plugins/kernel_pfkey/Makefile.in b/src/libhydra/plugins/kernel_pfkey/Makefile.in
index b00f74473..fd95afd09 100644
--- a/src/libhydra/plugins/kernel_pfkey/Makefile.in
+++ b/src/libhydra/plugins/kernel_pfkey/Makefile.in
@@ -62,7 +62,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
@@ -103,7 +103,10 @@ am_libstrongswan_kernel_pfkey_la_OBJECTS = kernel_pfkey_plugin.lo \
 	kernel_pfkey_ipsec.lo
 libstrongswan_kernel_pfkey_la_OBJECTS =  \
 	$(am_libstrongswan_kernel_pfkey_la_OBJECTS)
-libstrongswan_kernel_pfkey_la_LINK = $(LIBTOOL) --tag=CC \
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+libstrongswan_kernel_pfkey_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
 	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
 	$(AM_CFLAGS) $(CFLAGS) \
 	$(libstrongswan_kernel_pfkey_la_LDFLAGS) $(LDFLAGS) -o $@
@@ -116,13 +119,26 @@ am__depfiles_maybe = depfiles
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
 SOURCES = $(libstrongswan_kernel_pfkey_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_kernel_pfkey_la_SOURCES)
 am__can_run_installinfo = \
@@ -136,6 +152,7 @@ DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
@@ -148,6 +165,8 @@ CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
 CHECK_CFLAGS = @CHECK_CFLAGS@
 CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -163,6 +182,7 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
 GPRBUILD = @GPRBUILD@
 GREP = @GREP@
@@ -171,6 +191,7 @@ INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -217,6 +238,7 @@ SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -245,6 +267,7 @@ charon_natt_port = @charon_natt_port@
 charon_plugins = @charon_plugins@
 charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
@@ -322,10 +345,14 @@ top_srcdir = @top_srcdir@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-INCLUDES = -I${linux_headers} -I$(top_srcdir)/src/libstrongswan \
+AM_CPPFLAGS = \
+	-I${linux_headers} \
+	-I$(top_srcdir)/src/libstrongswan \
 	-I$(top_srcdir)/src/libhydra
 
-AM_CFLAGS = -rdynamic
+AM_CFLAGS = \
+	-rdynamic
+
 @MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-kernel-pfkey.la
 @MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-kernel-pfkey.la
 libstrongswan_kernel_pfkey_la_SOURCES = \
@@ -409,7 +436,7 @@ clean-pluginLTLIBRARIES:
 	  rm -f "$${dir}/so_locations"; \
 	done
 libstrongswan-kernel-pfkey.la: $(libstrongswan_kernel_pfkey_la_OBJECTS) $(libstrongswan_kernel_pfkey_la_DEPENDENCIES) $(EXTRA_libstrongswan_kernel_pfkey_la_DEPENDENCIES) 
-	$(libstrongswan_kernel_pfkey_la_LINK) $(am_libstrongswan_kernel_pfkey_la_rpath) $(libstrongswan_kernel_pfkey_la_OBJECTS) $(libstrongswan_kernel_pfkey_la_LIBADD) $(LIBS)
+	$(AM_V_CCLD)$(libstrongswan_kernel_pfkey_la_LINK) $(am_libstrongswan_kernel_pfkey_la_rpath) $(libstrongswan_kernel_pfkey_la_OBJECTS) $(libstrongswan_kernel_pfkey_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -421,25 +448,25 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/kernel_pfkey_plugin.Plo@am__quote@
 
 .c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
 mostlyclean-libtool:
 	-rm -f *.lo
diff --git a/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c b/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
index 2521af87d..668c581e1 100644
--- a/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
+++ b/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
@@ -62,9 +62,7 @@
 #include <networking/host.h>
 #include <collections/linked_list.h>
 #include <collections/hashtable.h>
-#include <threading/thread.h>
 #include <threading/mutex.h>
-#include <processing/jobs/callback_job.h>
 
 /** non linux specific */
 #ifndef IPPROTO_COMP
@@ -179,6 +177,11 @@ struct private_kernel_pfkey_ipsec_t
 	 */
 	linked_list_t *policies;
 
+	/**
+	 * List of exclude routes (exclude_route_t)
+	 */
+	linked_list_t *excludes;
+
 	/**
 	 * Hash table of IPsec SAs using policies (ipsec_sa_t)
 	 */
@@ -210,6 +213,33 @@ struct private_kernel_pfkey_ipsec_t
 	int seq;
 };
 
+typedef struct exclude_route_t exclude_route_t;
+
+/**
+ * Exclude route definition
+ */
+struct exclude_route_t {
+	/** destination address of exclude */
+	host_t *dst;
+	/** source address for route */
+	host_t *src;
+	/** nexthop exclude has been installed */
+	host_t *gtw;
+	/** references to this route */
+	int refs;
+};
+
+/**
+ * clean up a route exclude entry
+ */
+static void exclude_route_destroy(exclude_route_t *this)
+{
+	this->dst->destroy(this->dst);
+	this->src->destroy(this->src);
+	this->gtw->destroy(this->gtw);
+	free(this);
+}
+
 typedef struct route_entry_t route_entry_t;
 
 /**
@@ -230,6 +260,9 @@ struct route_entry_t {
 
 	/** destination net prefixlen */
 	u_int8_t prefixlen;
+
+	/** reference to exclude route, if any */
+	exclude_route_t *exclude;
 };
 
 /**
@@ -251,6 +284,7 @@ static bool route_entry_equals(route_entry_t *a, route_entry_t *b)
 {
 	return a->if_name && b->if_name && streq(a->if_name, b->if_name) &&
 		   a->src_ip->ip_equals(a->src_ip, b->src_ip) &&
+		   a->gateway && b->gateway &&
 		   a->gateway->ip_equals(a->gateway, b->gateway) &&
 		   chunk_equals(a->dst_net, b->dst_net) && a->prefixlen == b->prefixlen;
 }
@@ -339,7 +373,7 @@ static void ipsec_sa_destroy(private_kernel_pfkey_ipsec_t *this,
 }
 
 typedef struct policy_sa_t policy_sa_t;
-typedef struct policy_sa_fwd_t policy_sa_fwd_t;
+typedef struct policy_sa_in_t policy_sa_in_t;
 
 /**
  * Mapping between a policy and an IPsec SA.
@@ -356,10 +390,10 @@ struct policy_sa_t {
 };
 
 /**
- * For forward policies we also cache the traffic selectors in order to install
+ * For input policies we also cache the traffic selectors in order to install
  * the route.
  */
-struct policy_sa_fwd_t {
+struct policy_sa_in_t {
 	/** Generic interface */
 	policy_sa_t generic;
 
@@ -371,7 +405,7 @@ struct policy_sa_fwd_t {
 };
 
 /**
- * Create a policy_sa(_fwd)_t object
+ * Create a policy_sa(_in)_t object
  */
 static policy_sa_t *policy_sa_create(private_kernel_pfkey_ipsec_t *this,
 	policy_dir_t dir, policy_type_t type, host_t *src, host_t *dst,
@@ -379,14 +413,14 @@ static policy_sa_t *policy_sa_create(private_kernel_pfkey_ipsec_t *this,
 {
 	policy_sa_t *policy;
 
-	if (dir == POLICY_FWD)
+	if (dir == POLICY_IN)
 	{
-		policy_sa_fwd_t *fwd;
-		INIT(fwd,
+		policy_sa_in_t *in;
+		INIT(in,
 			.src_ts = src_ts->clone(src_ts),
 			.dst_ts = dst_ts->clone(dst_ts),
 		);
-		policy = &fwd->generic;
+		policy = &in->generic;
 	}
 	else
 	{
@@ -398,16 +432,16 @@ static policy_sa_t *policy_sa_create(private_kernel_pfkey_ipsec_t *this,
 }
 
 /**
- * Destroy a policy_sa(_fwd)_t object
+ * Destroy a policy_sa(_in)_t object
  */
 static void policy_sa_destroy(policy_sa_t *policy, policy_dir_t *dir,
 							  private_kernel_pfkey_ipsec_t *this)
 {
-	if (*dir == POLICY_FWD)
+	if (*dir == POLICY_IN)
 	{
-		policy_sa_fwd_t *fwd = (policy_sa_fwd_t*)policy;
-		fwd->src_ts->destroy(fwd->src_ts);
-		fwd->dst_ts->destroy(fwd->dst_ts);
+		policy_sa_in_t *in = (policy_sa_in_t*)policy;
+		in->src_ts->destroy(in->src_ts);
+		in->dst_ts->destroy(in->dst_ts);
 	}
 	ipsec_sa_destroy(this, policy->sa);
 	free(policy);
@@ -945,6 +979,10 @@ static traffic_selector_t* sadb_address2ts(struct sadb_address *address)
 {
 	traffic_selector_t *ts;
 	host_t *host;
+	u_int8_t proto;
+
+	proto = address->sadb_address_proto;
+	proto = proto == IPSEC_PROTO_ANY ? 0 : proto;
 
 	/* The Linux 2.6 kernel does not set the protocol and port information
 	 * in the src and dst sadb_address extensions of the SADB_ACQUIRE message.
@@ -952,8 +990,7 @@ static traffic_selector_t* sadb_address2ts(struct sadb_address *address)
 	host = host_create_from_sockaddr((sockaddr_t*)&address[1]);
 	ts = traffic_selector_create_from_subnet(host,
 											 address->sadb_address_prefixlen,
-											 address->sadb_address_proto,
-											 host->get_port(host),
+											 proto, host->get_port(host),
 											 host->get_port(host) ?: 65535);
 	return ts;
 }
@@ -1090,7 +1127,7 @@ static status_t pfkey_send_socket(private_kernel_pfkey_ipsec_t *this, int socket
 		}
 		if (msg->sadb_msg_seq != this->seq)
 		{
-			DBG1(DBG_KNL, "received PF_KEY message with unexpected sequence "
+			DBG2(DBG_KNL, "received PF_KEY message with unexpected sequence "
 						  "number, was %d expected %d", msg->sadb_msg_seq,
 						  this->seq);
 			if (msg->sadb_msg_seq == 0)
@@ -1346,31 +1383,28 @@ static void process_mapping(private_kernel_pfkey_ipsec_t *this,
 /**
  * Receives events from kernel
  */
-static job_requeue_t receive_events(private_kernel_pfkey_ipsec_t *this)
+static bool receive_events(private_kernel_pfkey_ipsec_t *this, int fd,
+						   watcher_event_t event)
 {
 	unsigned char buf[PFKEY_BUFFER_SIZE];
 	struct sadb_msg *msg = (struct sadb_msg*)buf;
-	bool oldstate;
 	int len;
 
-	oldstate = thread_cancelability(TRUE);
-	len = recvfrom(this->socket_events, buf, sizeof(buf), 0, NULL, 0);
-	thread_cancelability(oldstate);
-
+	len = recvfrom(this->socket_events, buf, sizeof(buf), MSG_DONTWAIT, NULL, 0);
 	if (len < 0)
 	{
 		switch (errno)
 		{
 			case EINTR:
 				/* interrupted, try again */
-				return JOB_REQUEUE_DIRECT;
+				return TRUE;
 			case EAGAIN:
 				/* no data ready, select again */
-				return JOB_REQUEUE_DIRECT;
+				return TRUE;
 			default:
 				DBG1(DBG_KNL, "unable to receive from PF_KEY event socket");
 				sleep(1);
-				return JOB_REQUEUE_FAIR;
+				return TRUE;
 		}
 	}
 
@@ -1378,17 +1412,17 @@ static job_requeue_t receive_events(private_kernel_pfkey_ipsec_t *this)
 		msg->sadb_msg_len < PFKEY_LEN(sizeof(struct sadb_msg)))
 	{
 		DBG2(DBG_KNL, "received corrupted PF_KEY message");
-		return JOB_REQUEUE_DIRECT;
+		return TRUE;
 	}
 	if (msg->sadb_msg_pid != 0)
 	{	/* not from kernel. not interested, try another one */
-		return JOB_REQUEUE_DIRECT;
+		return TRUE;
 	}
 	if (msg->sadb_msg_len > len / PFKEY_ALIGNMENT)
 	{
 		DBG1(DBG_KNL, "buffer was too small to receive the complete "
 					  "PF_KEY message");
-		return JOB_REQUEUE_DIRECT;
+		return TRUE;
 	}
 
 	switch (msg->sadb_msg_type)
@@ -1413,7 +1447,7 @@ static job_requeue_t receive_events(private_kernel_pfkey_ipsec_t *this)
 			break;
 	}
 
-	return JOB_REQUEUE_DIRECT;
+	return TRUE;
 }
 
 METHOD(kernel_ipsec_t, get_spi, status_t,
@@ -1487,8 +1521,8 @@ METHOD(kernel_ipsec_t, add_sa, status_t,
 	u_int8_t protocol, u_int32_t reqid, mark_t mark, u_int32_t tfc,
 	lifetime_cfg_t *lifetime, u_int16_t enc_alg, chunk_t enc_key,
 	u_int16_t int_alg, chunk_t int_key, ipsec_mode_t mode,
-	u_int16_t ipcomp, u_int16_t cpi, bool encap, bool esn, bool inbound,
-	traffic_selector_t *src_ts, traffic_selector_t *dst_ts)
+	u_int16_t ipcomp, u_int16_t cpi, bool initiator, bool encap, bool esn,
+	bool inbound, traffic_selector_t *src_ts, traffic_selector_t *dst_ts)
 {
 	unsigned char request[PFKEY_BUFFER_SIZE];
 	struct sadb_msg *msg, *out;
@@ -1768,7 +1802,7 @@ METHOD(kernel_ipsec_t, update_sa, status_t,
 METHOD(kernel_ipsec_t, query_sa, status_t,
 	private_kernel_pfkey_ipsec_t *this, host_t *src, host_t *dst,
 	u_int32_t spi, u_int8_t protocol, mark_t mark,
-	u_int64_t *bytes, u_int64_t *packets)
+	u_int64_t *bytes, u_int64_t *packets, u_int32_t *time)
 {
 	unsigned char request[PFKEY_BUFFER_SIZE];
 	struct sadb_msg *msg, *out;
@@ -1826,6 +1860,18 @@ METHOD(kernel_ipsec_t, query_sa, status_t,
 		/* not supported by PF_KEY */
 		*packets = 0;
 	}
+	if (time)
+	{
+#ifdef __APPLE__
+		/* OS X uses the "last" time of use in usetime */
+		*time = response.lft_current->sadb_lifetime_usetime;
+#else /* !__APPLE__ */
+		/* on Linux, sadb_lifetime_usetime is set to the "first" time of use,
+		 * which is actually correct according to PF_KEY. We have to query
+		 * policies for the last usetime. */
+		*time = 0;
+#endif /* !__APPLE__ */
+	}
 
 	free(out);
 	return SUCCESS;
@@ -1914,6 +1960,228 @@ METHOD(kernel_ipsec_t, flush_sas, status_t,
 	return SUCCESS;
 }
 
+/**
+ * Add an explicit exclude route to a routing entry
+ */
+static void add_exclude_route(private_kernel_pfkey_ipsec_t *this,
+							  route_entry_t *route, host_t *src, host_t *dst)
+{
+	enumerator_t *enumerator;
+	exclude_route_t *exclude;
+	host_t *gtw;
+
+	enumerator = this->excludes->create_enumerator(this->excludes);
+	while (enumerator->enumerate(enumerator, &exclude))
+	{
+		if (dst->ip_equals(dst, exclude->dst))
+		{
+			route->exclude = exclude;
+			exclude->refs++;
+		}
+	}
+	enumerator->destroy(enumerator);
+
+	if (!route->exclude)
+	{
+		DBG2(DBG_KNL, "installing new exclude route for %H src %H", dst, src);
+		gtw = hydra->kernel_interface->get_nexthop(hydra->kernel_interface,
+												   dst, NULL);
+		if (gtw)
+		{
+			char *if_name = NULL;
+
+			if (hydra->kernel_interface->get_interface(
+									hydra->kernel_interface, src, &if_name) &&
+				hydra->kernel_interface->add_route(hydra->kernel_interface,
+									dst->get_address(dst),
+									dst->get_family(dst) == AF_INET ? 32 : 128,
+									gtw, src, if_name) == SUCCESS)
+			{
+				INIT(exclude,
+					.dst = dst->clone(dst),
+					.src = src->clone(src),
+					.gtw = gtw->clone(gtw),
+					.refs = 1,
+				);
+				route->exclude = exclude;
+				this->excludes->insert_last(this->excludes, exclude);
+			}
+			else
+			{
+				DBG1(DBG_KNL, "installing exclude route for %H failed", dst);
+			}
+			gtw->destroy(gtw);
+			free(if_name);
+		}
+		else
+		{
+			DBG1(DBG_KNL, "gateway lookup for for %H failed", dst);
+		}
+	}
+}
+
+/**
+ * Remove an exclude route attached to a routing entry
+ */
+static void remove_exclude_route(private_kernel_pfkey_ipsec_t *this,
+								 route_entry_t *route)
+{
+	if (route->exclude)
+	{
+		enumerator_t *enumerator;
+		exclude_route_t *exclude;
+		bool removed = FALSE;
+		host_t *dst;
+
+		enumerator = this->excludes->create_enumerator(this->excludes);
+		while (enumerator->enumerate(enumerator, &exclude))
+		{
+			if (route->exclude == exclude)
+			{
+				if (--exclude->refs == 0)
+				{
+					this->excludes->remove_at(this->excludes, enumerator);
+					removed = TRUE;
+					break;
+				}
+			}
+		}
+		enumerator->destroy(enumerator);
+
+		if (removed)
+		{
+			char *if_name = NULL;
+
+			dst = route->exclude->dst;
+			DBG2(DBG_KNL, "uninstalling exclude route for %H src %H",
+				 dst, route->exclude->src);
+			if (hydra->kernel_interface->get_interface(
+									hydra->kernel_interface,
+									route->exclude->src, &if_name) &&
+				hydra->kernel_interface->del_route(hydra->kernel_interface,
+									dst->get_address(dst),
+									dst->get_family(dst) == AF_INET ? 32 : 128,
+									route->exclude->gtw, route->exclude->src,
+									if_name) != SUCCESS)
+			{
+				DBG1(DBG_KNL, "uninstalling exclude route for %H failed", dst);
+			}
+			exclude_route_destroy(route->exclude);
+			free(if_name);
+		}
+		route->exclude = NULL;
+	}
+}
+
+/**
+ * Try to install a route to the given inbound policy
+ */
+static bool install_route(private_kernel_pfkey_ipsec_t *this,
+						  policy_entry_t *policy, policy_sa_in_t *in)
+{
+	route_entry_t *route, *old;
+	host_t *host, *src, *dst;
+	bool is_virtual;
+
+	if (hydra->kernel_interface->get_address_by_ts(hydra->kernel_interface,
+									in->dst_ts, &host, &is_virtual) != SUCCESS)
+	{
+		return FALSE;
+	}
+
+	/* switch src/dst, as we handle an IN policy */
+	src = in->generic.sa->dst;
+	dst = in->generic.sa->src;
+
+	INIT(route,
+		.prefixlen = policy->src.mask,
+		.src_ip = host,
+		.gateway = hydra->kernel_interface->get_nexthop(
+											hydra->kernel_interface, dst, src),
+		.dst_net = chunk_clone(policy->src.net->get_address(policy->src.net)),
+	);
+
+	/* if the IP is virtual, we install the route over the interface it has
+	 * been installed on. Otherwise we use the interface we use for IKE, as
+	 * this is required for example on Linux. */
+	if (is_virtual)
+	{
+		src = route->src_ip;
+	}
+
+	/* get interface for route, using source address */
+	if (!hydra->kernel_interface->get_interface(hydra->kernel_interface,
+												src, &route->if_name))
+	{
+		route_entry_destroy(route);
+		return FALSE;
+	}
+
+	if (policy->route)
+	{
+		old = policy->route;
+
+		if (route_entry_equals(old, route))
+		{	/* such a route already exists */
+			route_entry_destroy(route);
+			return TRUE;
+		}
+		/* uninstall previously installed route */
+		if (hydra->kernel_interface->del_route(hydra->kernel_interface,
+									old->dst_net, old->prefixlen, old->gateway,
+									old->src_ip, old->if_name) != SUCCESS)
+		{
+			DBG1(DBG_KNL, "error uninstalling route installed with policy "
+				 "%R === %R %N", in->src_ts, in->dst_ts,
+				policy_dir_names, policy->direction);
+		}
+		route_entry_destroy(old);
+		policy->route = NULL;
+	}
+
+	/* if remote traffic selector covers the IKE peer, add an exclude route */
+	if (hydra->kernel_interface->get_features(
+					hydra->kernel_interface) & KERNEL_REQUIRE_EXCLUDE_ROUTE)
+	{
+		if (in->src_ts->is_host(in->src_ts, dst))
+		{
+			DBG1(DBG_KNL, "can't install route for %R === %R %N, conflicts "
+				 "with IKE traffic", in->src_ts, in->dst_ts, policy_dir_names,
+				 policy->direction);
+			route_entry_destroy(route);
+			return FALSE;
+		}
+		if (in->src_ts->includes(in->src_ts, dst))
+		{
+			add_exclude_route(this, route, in->generic.sa->dst, dst);
+		}
+	}
+
+	DBG2(DBG_KNL, "installing route: %R via %H src %H dev %s",
+		 in->src_ts, route->gateway, route->src_ip, route->if_name);
+
+	switch (hydra->kernel_interface->add_route(hydra->kernel_interface,
+							route->dst_net, route->prefixlen, route->gateway,
+							route->src_ip, route->if_name))
+	{
+		case ALREADY_DONE:
+			/* route exists, do not uninstall */
+			remove_exclude_route(this, route);
+			route_entry_destroy(route);
+			return TRUE;
+		case SUCCESS:
+			/* cache the installed route */
+			policy->route = route;
+			return TRUE;
+		default:
+			DBG1(DBG_KNL, "installing route failed: %R via %H src %H dev %s",
+				 in->src_ts, route->gateway, route->src_ip, route->if_name);
+			remove_exclude_route(this, route);
+			route_entry_destroy(route);
+			return FALSE;
+	}
+}
+
 /**
  * Add or update a policy in the kernel.
  *
@@ -2010,8 +2278,8 @@ static status_t add_policy_internal(private_kernel_pfkey_ipsec_t *this,
 
 	/* we try to find the policy again and update the kernel index */
 	this->mutex->lock(this->mutex);
-	if (this->policies->find_last(this->policies, NULL,
-								 (void**)&policy) != SUCCESS)
+	if (this->policies->find_first(this->policies, NULL,
+								  (void**)&policy) != SUCCESS)
 	{
 		DBG2(DBG_KNL, "unable to update index, the policy is already gone, "
 					  "ignoring");
@@ -2027,83 +2295,10 @@ static status_t add_policy_internal(private_kernel_pfkey_ipsec_t *this,
 	 * - we are in tunnel mode
 	 * - routing is not disabled via strongswan.conf
 	 */
-	if (policy->direction == POLICY_FWD &&
+	if (policy->direction == POLICY_IN &&
 		ipsec->cfg.mode != MODE_TRANSPORT && this->install_routes)
 	{
-		policy_sa_fwd_t *fwd = (policy_sa_fwd_t*)mapping;
-		route_entry_t *route;
-
-		INIT(route,
-			.prefixlen = policy->src.mask,
-		);
-
-		if (hydra->kernel_interface->get_address_by_ts(hydra->kernel_interface,
-				fwd->dst_ts, &route->src_ip) == SUCCESS)
-		{
-			/* get the nexthop to src (src as we are in POLICY_FWD).*/
-			route->gateway = hydra->kernel_interface->get_nexthop(
-											hydra->kernel_interface, ipsec->src,
-											ipsec->dst);
-			route->dst_net = chunk_clone(policy->src.net->get_address(
-											policy->src.net));
-
-			/* install route via outgoing interface */
-			if (!hydra->kernel_interface->get_interface(hydra->kernel_interface,
-												ipsec->dst, &route->if_name))
-			{
-				this->mutex->unlock(this->mutex);
-				route_entry_destroy(route);
-				return SUCCESS;
-			}
-
-			if (policy->route)
-			{
-				route_entry_t *old = policy->route;
-				if (route_entry_equals(old, route))
-				{
-					this->mutex->unlock(this->mutex);
-					route_entry_destroy(route);
-					return SUCCESS;
-				}
-				/* uninstall previously installed route */
-				if (hydra->kernel_interface->del_route(hydra->kernel_interface,
-						old->dst_net, old->prefixlen, old->gateway,
-						old->src_ip, old->if_name) != SUCCESS)
-				{
-					DBG1(DBG_KNL, "error uninstalling route installed with "
-								  "policy %R === %R %N", fwd->src_ts,
-								   fwd->dst_ts, policy_dir_names,
-								   policy->direction);
-				}
-				route_entry_destroy(old);
-				policy->route = NULL;
-			}
-
-			DBG2(DBG_KNL, "installing route: %R via %H src %H dev %s",
-				 fwd->src_ts, route->gateway, route->src_ip, route->if_name);
-			switch (hydra->kernel_interface->add_route(
-								hydra->kernel_interface, route->dst_net,
-								route->prefixlen, route->gateway,
-								route->src_ip, route->if_name))
-			{
-				default:
-					DBG1(DBG_KNL, "unable to install source route for %H",
-								   route->src_ip);
-					/* FALL */
-				case ALREADY_DONE:
-					/* route exists, do not uninstall */
-					route_entry_destroy(route);
-					break;
-				case SUCCESS:
-					/* cache the installed route */
-					policy->route = route;
-					break;
-			}
-		}
-		else
-		{
-			free(route);
-		}
+		install_route(this, policy, (policy_sa_in_t*)mapping);
 	}
 	this->mutex->unlock(this->mutex);
 	return SUCCESS;
@@ -2141,7 +2336,7 @@ METHOD(kernel_ipsec_t, add_policy, status_t,
 	}
 	else
 	{	/* use the new one, if we have no such policy */
-		this->policies->insert_last(this->policies, policy);
+		this->policies->insert_first(this->policies, policy);
 		policy->used_by = linked_list_create();
 	}
 
@@ -2269,7 +2464,7 @@ METHOD(kernel_ipsec_t, query_policy, status_t,
 	}
 	else if (response.lft_current == NULL)
 	{
-		DBG1(DBG_KNL, "unable to query policy %R === %R %N: kernel reports no "
+		DBG2(DBG_KNL, "unable to query policy %R === %R %N: kernel reports no "
 					  "use time", src_ts, dst_ts, policy_dir_names, direction);
 		free(out);
 		return FAILED;
@@ -2298,9 +2493,9 @@ METHOD(kernel_ipsec_t, del_policy, status_t,
 	struct sadb_msg *msg, *out;
 	struct sadb_x_policy *pol;
 	policy_entry_t *policy, *found = NULL;
-	policy_sa_t *mapping;
+	policy_sa_t *mapping, *to_remove = NULL;
 	enumerator_t *enumerator;
-	bool is_installed = TRUE;
+	bool first = TRUE, is_installed = TRUE;
 	u_int32_t priority;
 	size_t len;
 
@@ -2330,19 +2525,31 @@ METHOD(kernel_ipsec_t, del_policy, status_t,
 	policy_entry_destroy(policy, this);
 	policy = found;
 
-	/* remove mapping to SA by reqid and priority */
+	/* remove mapping to SA by reqid and priority, if multiple match, which
+	 * could happen when rekeying due to an address change, remove the oldest */
 	priority = get_priority(policy, prio);
 	enumerator = policy->used_by->create_enumerator(policy->used_by);
 	while (enumerator->enumerate(enumerator, (void**)&mapping))
 	{
 		if (reqid == mapping->sa->cfg.reqid && priority == mapping->priority)
 		{
-			policy->used_by->remove_at(policy->used_by, enumerator);
+			to_remove = mapping;
+			is_installed = first;
+		}
+		else if (priority < mapping->priority)
+		{
 			break;
 		}
-		is_installed = FALSE;
+		first = FALSE;
 	}
 	enumerator->destroy(enumerator);
+	if (!to_remove)
+	{	/* sanity check */
+		this->mutex->unlock(this->mutex);
+		return SUCCESS;
+	}
+	policy->used_by->remove(policy->used_by, to_remove, NULL);
+	mapping = to_remove;
 
 	if (policy->used_by->get_count(policy->used_by) > 0)
 	{	/* policy is used by more SAs, keep in kernel */
@@ -2398,6 +2605,7 @@ METHOD(kernel_ipsec_t, del_policy, status_t,
 						  "policy %R === %R %N", src_ts, dst_ts,
 						   policy_dir_names, direction);
 		}
+		remove_exclude_route(this, route);
 	}
 
 	this->policies->remove(this->policies, found, NULL);
@@ -2548,8 +2756,10 @@ METHOD(kernel_ipsec_t, enable_udp_decap, bool,
 		return FALSE;
 	}
 #else /* __APPLE__ */
-	if (sysctlbyname("net.inet.ipsec.esp_port", NULL, NULL, &port,
-					 sizeof(port)) != 0)
+	int intport = port;
+
+	if (sysctlbyname("net.inet.ipsec.esp_port", NULL, NULL, &intport,
+					 sizeof(intport)) != 0)
 	{
 		DBG1(DBG_KNL, "could not set net.inet.ipsec.esp_port to %d: %s",
 			 port, strerror(errno));
@@ -2569,12 +2779,14 @@ METHOD(kernel_ipsec_t, destroy, void,
 	}
 	if (this->socket_events > 0)
 	{
+		lib->watcher->remove(lib->watcher, this->socket_events);
 		close(this->socket_events);
 	}
 	this->policies->invoke_function(this->policies,
 								   (linked_list_invoke_t)policy_entry_destroy,
 									this);
 	this->policies->destroy(this->policies);
+	this->excludes->destroy(this->excludes);
 	this->sas->destroy(this->sas);
 	this->mutex->destroy(this->mutex);
 	this->mutex_pfkey->destroy(this->mutex_pfkey);
@@ -2609,6 +2821,7 @@ kernel_pfkey_ipsec_t *kernel_pfkey_ipsec_create()
 			},
 		},
 		.policies = linked_list_create(),
+		.excludes = linked_list_create(),
 		.sas = hashtable_create((hashtable_hash_t)ipsec_sa_hash,
 								(hashtable_equals_t)ipsec_sa_equals, 32),
 		.mutex = mutex_create(MUTEX_TYPE_DEFAULT),
@@ -2618,11 +2831,7 @@ kernel_pfkey_ipsec_t *kernel_pfkey_ipsec_create()
 												  hydra->daemon),
 	);
 
-	if (streq(hydra->daemon, "pluto"))
-	{	/* no routes for pluto, they are installed via updown script */
-		this->install_routes = FALSE;
-	}
-	else if (streq(hydra->daemon, "starter"))
+	if (streq(hydra->daemon, "starter"))
 	{	/* starter has no threads, so we do not register for kernel events */
 		register_for_events = FALSE;
 	}
@@ -2656,10 +2865,8 @@ kernel_pfkey_ipsec_t *kernel_pfkey_ipsec_create()
 			return NULL;
 		}
 
-		lib->processor->queue_job(lib->processor,
-			(job_t*)callback_job_create_with_prio(
-					(callback_job_cb_t)receive_events, this, NULL,
-					(callback_job_cancel_t)return_false, JOB_PRIO_CRITICAL));
+		lib->watcher->add(lib->watcher, this->socket_events, WATCHER_READ,
+						  (watcher_cb_t)receive_events, this);
 	}
 
 	return &this->public;
diff --git a/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_plugin.c b/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_plugin.c
index 894175402..61d576547 100644
--- a/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_plugin.c
+++ b/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_plugin.c
@@ -62,6 +62,12 @@ plugin_t *kernel_pfkey_plugin_create()
 {
 	private_kernel_pfkey_plugin_t *this;
 
+	if (!lib->caps->check(lib->caps, CAP_NET_ADMIN))
+	{	/* required to open PF_KEY sockets */
+		DBG1(DBG_KNL, "kernel-pfkey plugin requires CAP_NET_ADMIN capability");
+		return NULL;
+	}
+
 	INIT(this,
 		.public = {
 			.plugin = {
diff --git a/src/libhydra/plugins/kernel_pfroute/Makefile.am b/src/libhydra/plugins/kernel_pfroute/Makefile.am
index df3109eb8..9d1621366 100644
--- a/src/libhydra/plugins/kernel_pfroute/Makefile.am
+++ b/src/libhydra/plugins/kernel_pfroute/Makefile.am
@@ -1,8 +1,10 @@
-
-INCLUDES = -I${linux_headers} -I$(top_srcdir)/src/libstrongswan \
+AM_CPPFLAGS = \
+	-I${linux_headers} \
+	-I$(top_srcdir)/src/libstrongswan \
 	-I$(top_srcdir)/src/libhydra
 
-AM_CFLAGS = -rdynamic
+AM_CFLAGS = \
+	-rdynamic
 
 if MONOLITHIC
 noinst_LTLIBRARIES = libstrongswan-kernel-pfroute.la
diff --git a/src/libhydra/plugins/kernel_pfroute/Makefile.in b/src/libhydra/plugins/kernel_pfroute/Makefile.in
index a4895df2a..b0324ac18 100644
--- a/src/libhydra/plugins/kernel_pfroute/Makefile.in
+++ b/src/libhydra/plugins/kernel_pfroute/Makefile.in
@@ -62,7 +62,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
@@ -103,7 +103,10 @@ am_libstrongswan_kernel_pfroute_la_OBJECTS = kernel_pfroute_plugin.lo \
 	kernel_pfroute_net.lo
 libstrongswan_kernel_pfroute_la_OBJECTS =  \
 	$(am_libstrongswan_kernel_pfroute_la_OBJECTS)
-libstrongswan_kernel_pfroute_la_LINK = $(LIBTOOL) --tag=CC \
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+libstrongswan_kernel_pfroute_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
 	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
 	$(AM_CFLAGS) $(CFLAGS) \
 	$(libstrongswan_kernel_pfroute_la_LDFLAGS) $(LDFLAGS) -o $@
@@ -116,13 +119,26 @@ am__depfiles_maybe = depfiles
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
 SOURCES = $(libstrongswan_kernel_pfroute_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_kernel_pfroute_la_SOURCES)
 am__can_run_installinfo = \
@@ -136,6 +152,7 @@ DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
@@ -148,6 +165,8 @@ CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
 CHECK_CFLAGS = @CHECK_CFLAGS@
 CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -163,6 +182,7 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
 GPRBUILD = @GPRBUILD@
 GREP = @GREP@
@@ -171,6 +191,7 @@ INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -217,6 +238,7 @@ SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -245,6 +267,7 @@ charon_natt_port = @charon_natt_port@
 charon_plugins = @charon_plugins@
 charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
@@ -322,10 +345,14 @@ top_srcdir = @top_srcdir@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-INCLUDES = -I${linux_headers} -I$(top_srcdir)/src/libstrongswan \
+AM_CPPFLAGS = \
+	-I${linux_headers} \
+	-I$(top_srcdir)/src/libstrongswan \
 	-I$(top_srcdir)/src/libhydra
 
-AM_CFLAGS = -rdynamic
+AM_CFLAGS = \
+	-rdynamic
+
 @MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-kernel-pfroute.la
 @MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-kernel-pfroute.la
 libstrongswan_kernel_pfroute_la_SOURCES = \
@@ -409,7 +436,7 @@ clean-pluginLTLIBRARIES:
 	  rm -f "$${dir}/so_locations"; \
 	done
 libstrongswan-kernel-pfroute.la: $(libstrongswan_kernel_pfroute_la_OBJECTS) $(libstrongswan_kernel_pfroute_la_DEPENDENCIES) $(EXTRA_libstrongswan_kernel_pfroute_la_DEPENDENCIES) 
-	$(libstrongswan_kernel_pfroute_la_LINK) $(am_libstrongswan_kernel_pfroute_la_rpath) $(libstrongswan_kernel_pfroute_la_OBJECTS) $(libstrongswan_kernel_pfroute_la_LIBADD) $(LIBS)
+	$(AM_V_CCLD)$(libstrongswan_kernel_pfroute_la_LINK) $(am_libstrongswan_kernel_pfroute_la_rpath) $(libstrongswan_kernel_pfroute_la_OBJECTS) $(libstrongswan_kernel_pfroute_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -421,25 +448,25 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/kernel_pfroute_plugin.Plo@am__quote@
 
 .c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
 mostlyclean-libtool:
 	-rm -f *.lo
diff --git a/src/libhydra/plugins/kernel_pfroute/kernel_pfroute_net.c b/src/libhydra/plugins/kernel_pfroute/kernel_pfroute_net.c
index 7ac3e8a3c..976170c57 100644
--- a/src/libhydra/plugins/kernel_pfroute/kernel_pfroute_net.c
+++ b/src/libhydra/plugins/kernel_pfroute/kernel_pfroute_net.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2009-2012 Tobias Brunner
+ * Copyright (C) 2009-2013 Tobias Brunner
  * Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -16,6 +16,7 @@
 #include <sys/types.h>
 #include <sys/socket.h>
 #include <net/if.h>
+#include <net/if_dl.h>
 #include <ifaddrs.h>
 #include <net/route.h>
 #include <unistd.h>
@@ -26,8 +27,10 @@
 #include <hydra.h>
 #include <utils/debug.h>
 #include <networking/host.h>
+#include <networking/tun_device.h>
 #include <threading/thread.h>
 #include <threading/mutex.h>
+#include <threading/condvar.h>
 #include <threading/rwlock.h>
 #include <collections/hashtable.h>
 #include <collections/linked_list.h>
@@ -37,11 +40,21 @@
 #error Cannot compile this plugin on systems where 'struct sockaddr' has no sa_len member.
 #endif
 
+/** properly align sockaddrs */
+#ifdef __APPLE__
+/* Apple always uses 4 bytes */
+#define SA_ALIGN 4
+#else
+/* while on other platforms like FreeBSD it depends on the architecture */
+#define SA_ALIGN sizeof(long)
+#endif
+#define SA_LEN(len) ((len) > 0 ? (((len)+SA_ALIGN-1) & ~(SA_ALIGN-1)) : SA_ALIGN)
+
 /** delay before firing roam events (ms) */
 #define ROAM_DELAY 100
 
-/** buffer size for PF_ROUTE messages */
-#define PFROUTE_BUFFER_SIZE 4096
+/** delay before reinstalling routes (ms) */
+#define ROUTE_DELAY 100
 
 typedef struct addr_entry_t addr_entry_t;
 
@@ -55,9 +68,6 @@ struct addr_entry_t {
 
 	/** virtual IP managed by us */
 	bool virtual;
-
-	/** Number of times this IP is used, if virtual */
-	u_int refcount;
 };
 
 /**
@@ -126,6 +136,9 @@ struct addr_map_entry_t {
 	/** The IP address */
 	host_t *ip;
 
+	/** The address entry for this IP address */
+	addr_entry_t *addr;
+
 	/** The interface this address is installed on */
 	iface_entry_t *iface;
 };
@@ -156,8 +169,17 @@ static bool addr_map_entry_equals(addr_map_entry_t *a, addr_map_entry_t *b)
 static bool addr_map_entry_match_up_and_usable(addr_map_entry_t *a,
 											   addr_map_entry_t *b)
 {
-	return iface_entry_up_and_usable(b->iface) &&
-		   a->ip->ip_equals(a->ip, b->ip);
+	return !b->addr->virtual && iface_entry_up_and_usable(b->iface) &&
+			a->ip->ip_equals(a->ip, b->ip);
+}
+
+/**
+ * Used with get_match this finds an address entry if it is installed as virtual
+ * IP address
+ */
+static bool addr_map_entry_match_virtual(addr_map_entry_t *a, addr_map_entry_t *b)
+{
+	return b->addr->virtual && a->ip->ip_equals(a->ip, b->ip);
 }
 
 /**
@@ -166,7 +188,112 @@ static bool addr_map_entry_match_up_and_usable(addr_map_entry_t *a,
  */
 static bool addr_map_entry_match_up(addr_map_entry_t *a, addr_map_entry_t *b)
 {
-	return iface_entry_up(b->iface) && a->ip->ip_equals(a->ip, b->ip);
+	return !b->addr->virtual && iface_entry_up(b->iface) &&
+			a->ip->ip_equals(a->ip, b->ip);
+}
+
+typedef struct route_entry_t route_entry_t;
+
+/**
+ * Installed routing entry
+ */
+struct route_entry_t {
+	/** Name of the interface the route is bound to */
+	char *if_name;
+
+	/** Gateway for this route */
+	host_t *gateway;
+
+	/** Destination net */
+	chunk_t dst_net;
+
+	/** Destination net prefixlen */
+	u_int8_t prefixlen;
+};
+
+/**
+ * Clone a route_entry_t object.
+ */
+static route_entry_t *route_entry_clone(route_entry_t *this)
+{
+	route_entry_t *route;
+
+	INIT(route,
+		.if_name = strdup(this->if_name),
+		.gateway = this->gateway ? this->gateway->clone(this->gateway) : NULL,
+		.dst_net = chunk_clone(this->dst_net),
+		.prefixlen = this->prefixlen,
+	);
+	return route;
+}
+
+/**
+ * Destroy a route_entry_t object
+ */
+static void route_entry_destroy(route_entry_t *this)
+{
+	free(this->if_name);
+	DESTROY_IF(this->gateway);
+	chunk_free(&this->dst_net);
+	free(this);
+}
+
+/**
+ * Hash a route_entry_t object
+ */
+static u_int route_entry_hash(route_entry_t *this)
+{
+	return chunk_hash_inc(chunk_from_thing(this->prefixlen),
+						  chunk_hash(this->dst_net));
+}
+
+/**
+ * Compare two route_entry_t objects
+ */
+static bool route_entry_equals(route_entry_t *a, route_entry_t *b)
+{
+	if (a->if_name && b->if_name && streq(a->if_name, b->if_name) &&
+		chunk_equals(a->dst_net, b->dst_net) && a->prefixlen == b->prefixlen)
+	{
+		return (!a->gateway && !b->gateway) || (a->gateway && b->gateway &&
+					a->gateway->ip_equals(a->gateway, b->gateway));
+	}
+	return FALSE;
+}
+
+typedef struct net_change_t net_change_t;
+
+/**
+ * Queued network changes
+ */
+struct net_change_t {
+	/** Name of the interface that got activated (or an IP appeared on) */
+	char *if_name;
+};
+
+/**
+ * Destroy a net_change_t object
+ */
+static void net_change_destroy(net_change_t *this)
+{
+	free(this->if_name);
+	free(this);
+}
+
+/**
+ * Hash a net_change_t object
+ */
+static u_int net_change_hash(net_change_t *this)
+{
+	return chunk_hash(chunk_create(this->if_name, strlen(this->if_name)));
+}
+
+/**
+ * Compare two net_change_t objects
+ */
+static bool net_change_equals(net_change_t *a, net_change_t *b)
+{
+	return streq(a->if_name, b->if_name);
 }
 
 typedef struct private_kernel_pfroute_net_t private_kernel_pfroute_net_t;
@@ -197,31 +324,176 @@ struct private_kernel_pfroute_net_t
 	hashtable_t *addrs;
 
 	/**
-	 * mutex to lock access to the PF_ROUTE socket
+	 * List of tun devices we installed for virtual IPs
 	 */
-	mutex_t *mutex_pfroute;
+	linked_list_t *tuns;
 
 	/**
-	 * PF_ROUTE socket to communicate with the kernel
+	 * mutex to communicate exclusively with PF_KEY
 	 */
-	int socket;
+	mutex_t *mutex;
+
+	/**
+	 * condvar to signal if PF_KEY query got a response
+	 */
+	condvar_t *condvar;
+
+	/**
+	 * installed routes
+	 */
+	hashtable_t *routes;
+
+	/**
+	 * mutex for routes
+	 */
+	mutex_t *routes_lock;
+
+	/**
+	 * interface changes which may trigger route reinstallation
+	 */
+	hashtable_t *net_changes;
+
+	/**
+	 * mutex for route reinstallation triggers
+	 */
+	mutex_t *net_changes_lock;
+
+	/**
+	 * time of last route reinstallation
+	 */
+	timeval_t last_route_reinstall;
+
+	/**
+	 * pid to send PF_ROUTE messages with
+	 */
+	pid_t pid;
 
 	/**
-	 * PF_ROUTE socket to receive events
+	 * PF_ROUTE socket to communicate with the kernel
 	 */
-	int socket_events;
+	int socket;
 
 	/**
 	 * sequence number for messages sent to the kernel
 	 */
 	int seq;
 
+	/**
+	 * Sequence number a query is waiting for
+	 */
+	int waiting_seq;
+
+	/**
+	 * Allocated reply message from kernel
+	 */
+	struct rt_msghdr *reply;
+
 	/**
 	 * time of last roam event
 	 */
 	timeval_t last_roam;
+
+	/**
+	 * Time in ms to wait for IP addresses to appear/disappear
+	 */
+	int vip_wait;
 };
 
+
+/**
+ * Forward declaration
+ */
+static status_t manage_route(private_kernel_pfroute_net_t *this, int op,
+							 chunk_t dst_net, u_int8_t prefixlen,
+							 host_t *gateway, char *if_name);
+
+/**
+ * Clear the queued network changes.
+ */
+static void net_changes_clear(private_kernel_pfroute_net_t *this)
+{
+	enumerator_t *enumerator;
+	net_change_t *change;
+
+	enumerator = this->net_changes->create_enumerator(this->net_changes);
+	while (enumerator->enumerate(enumerator, NULL, (void**)&change))
+	{
+		this->net_changes->remove_at(this->net_changes, enumerator);
+		net_change_destroy(change);
+	}
+	enumerator->destroy(enumerator);
+}
+
+/**
+ * Act upon queued network changes.
+ */
+static job_requeue_t reinstall_routes(private_kernel_pfroute_net_t *this)
+{
+	enumerator_t *enumerator;
+	route_entry_t *route;
+
+	this->net_changes_lock->lock(this->net_changes_lock);
+	this->routes_lock->lock(this->routes_lock);
+
+	enumerator = this->routes->create_enumerator(this->routes);
+	while (enumerator->enumerate(enumerator, NULL, (void**)&route))
+	{
+		net_change_t *change, lookup = {
+			.if_name = route->if_name,
+		};
+		/* check if a change for the outgoing interface is queued */
+		change = this->net_changes->get(this->net_changes, &lookup);
+		if (change)
+		{
+			manage_route(this, RTM_ADD, route->dst_net, route->prefixlen,
+						 route->gateway, route->if_name);
+		}
+	}
+	enumerator->destroy(enumerator);
+	this->routes_lock->unlock(this->routes_lock);
+
+	net_changes_clear(this);
+	this->net_changes_lock->unlock(this->net_changes_lock);
+	return JOB_REQUEUE_NONE;
+}
+
+/**
+ * Queue route reinstallation caused by network changes for a given interface.
+ *
+ * The route reinstallation is delayed for a while and only done once for
+ * several calls during this delay, in order to avoid doing it too often.
+ * The interface name is freed.
+ */
+static void queue_route_reinstall(private_kernel_pfroute_net_t *this,
+								  char *if_name)
+{
+	net_change_t *update, *found;
+	timeval_t now;
+	job_t *job;
+
+	INIT(update,
+		.if_name = if_name
+	);
+
+	this->net_changes_lock->lock(this->net_changes_lock);
+	found = this->net_changes->put(this->net_changes, update, update);
+	if (found)
+	{
+		net_change_destroy(found);
+	}
+	time_monotonic(&now);
+	if (timercmp(&now, &this->last_route_reinstall, >))
+	{
+		timeval_add_ms(&now, ROUTE_DELAY);
+		this->last_route_reinstall = now;
+
+		job = (job_t*)callback_job_create((callback_job_cb_t)reinstall_routes,
+										  this, NULL, NULL);
+		lib->scheduler->schedule_job_ms(lib->scheduler, job, ROUTE_DELAY);
+	}
+	this->net_changes_lock->unlock(this->net_changes_lock);
+}
+
 /**
  * Add an address map entry
  */
@@ -230,13 +502,9 @@ static void addr_map_entry_add(private_kernel_pfroute_net_t *this,
 {
 	addr_map_entry_t *entry;
 
-	if (addr->virtual)
-	{	/* don't map virtual IPs */
-		return;
-	}
-
 	INIT(entry,
 		.ip = addr->ip,
+		.addr = addr,
 		.iface = iface,
 	);
 	entry = this->addrs->put(this->addrs, entry, entry);
@@ -252,14 +520,10 @@ static void addr_map_entry_remove(addr_entry_t *addr, iface_entry_t *iface,
 {
 	addr_map_entry_t *entry, lookup = {
 		.ip = addr->ip,
+		.addr = addr,
 		.iface = iface,
 	};
 
-	if (addr->virtual)
-	{	/* these are never mapped, but this check avoid problems if a virtual IP
-		 * equals a regular one */
-		return;
-	}
 	entry = this->addrs->remove(this->addrs, &lookup);
 	free(entry);
 }
@@ -295,36 +559,115 @@ static void fire_roam_event(private_kernel_pfroute_net_t *this, bool address)
 	}
 }
 
+/**
+ * Data for enumerator over rtmsg sockaddrs
+ */
+typedef struct {
+	/** implements enumerator */
+	enumerator_t public;
+	/** copy of attribute bitfield */
+	int types;
+	/** bytes remaining in buffer */
+	int remaining;
+	/** next sockaddr to enumerate */
+	struct sockaddr *addr;
+} rt_enumerator_t;
+
+METHOD(enumerator_t, rt_enumerate, bool,
+	rt_enumerator_t *this, int *xtype, struct sockaddr **addr)
+{
+	int i, type;
+
+	if (this->remaining < sizeof(this->addr->sa_len) ||
+		this->remaining < this->addr->sa_len)
+	{
+		return FALSE;
+	}
+	for (i = 0; i < RTAX_MAX; i++)
+	{
+		type = (1 << i);
+		if (this->types & type)
+		{
+			this->types &= ~type;
+			*addr = this->addr;
+			*xtype = i;
+			this->remaining -= SA_LEN(this->addr->sa_len);
+			this->addr = (struct sockaddr*)((char*)this->addr +
+											SA_LEN(this->addr->sa_len));
+			return TRUE;
+		}
+	}
+	return FALSE;
+}
+
+/**
+ * Create an enumerator over sockaddrs in rt/if messages
+ */
+static enumerator_t *create_rt_enumerator(int types, int remaining,
+										  struct sockaddr *addr)
+{
+	rt_enumerator_t *this;
+
+	INIT(this,
+		.public = {
+			.enumerate = (void*)_rt_enumerate,
+			.destroy = (void*)free,
+		},
+		.types = types,
+		.remaining = remaining,
+		.addr = addr,
+	);
+	return &this->public;
+}
+
+/**
+ * Create a safe enumerator over sockaddrs in rt_msghdr
+ */
+static enumerator_t *create_rtmsg_enumerator(struct rt_msghdr *hdr)
+{
+	return create_rt_enumerator(hdr->rtm_addrs, hdr->rtm_msglen - sizeof(*hdr),
+								(struct sockaddr *)(hdr + 1));
+}
+
+/**
+ * Create a safe enumerator over sockaddrs in ifa_msghdr
+ */
+static enumerator_t *create_ifamsg_enumerator(struct ifa_msghdr *hdr)
+{
+	return create_rt_enumerator(hdr->ifam_addrs, hdr->ifam_msglen - sizeof(*hdr),
+								(struct sockaddr *)(hdr + 1));
+}
+
 /**
  * Process an RTM_*ADDR message from the kernel
  */
 static void process_addr(private_kernel_pfroute_net_t *this,
-						 struct rt_msghdr *msg)
+						 struct ifa_msghdr *ifa)
 {
-	struct ifa_msghdr *ifa = (struct ifa_msghdr*)msg;
-	sockaddr_t *sockaddr = (sockaddr_t*)(ifa + 1);
+	struct sockaddr *sockaddr;
 	host_t *host = NULL;
 	enumerator_t *ifaces, *addrs;
 	iface_entry_t *iface;
 	addr_entry_t *addr;
 	bool found = FALSE, changed = FALSE, roam = FALSE;
-	int i;
+	enumerator_t *enumerator;
+	char *ifname = NULL;
+	int type;
 
-	for (i = 1; i < (1 << RTAX_MAX); i <<= 1)
+	enumerator = create_ifamsg_enumerator(ifa);
+	while (enumerator->enumerate(enumerator, &type, &sockaddr))
 	{
-		if (ifa->ifam_addrs & i)
+		if (type == RTAX_IFA)
 		{
-			if (RTA_IFA & i)
-			{
-				host = host_create_from_sockaddr(sockaddr);
-				break;
-			}
-			sockaddr = (sockaddr_t*)((char*)sockaddr + sockaddr->sa_len);
+			host = host_create_from_sockaddr(sockaddr);
+			break;
 		}
 	}
+	enumerator->destroy(enumerator);
 
-	if (!host)
+	if (!host || host->is_anyaddr(host))
 	{
+		DESTROY_IF(host);
 		return;
 	}
 
@@ -352,21 +695,17 @@ static void process_addr(private_kernel_pfroute_net_t *this,
 						addr_map_entry_remove(addr, iface, this);
 						addr_entry_destroy(addr);
 					}
-					else if (ifa->ifam_type == RTM_NEWADDR && addr->virtual)
-					{
-						addr->refcount = 1;
-					}
 				}
 			}
 			addrs->destroy(addrs);
 
 			if (!found && ifa->ifam_type == RTM_NEWADDR)
 			{
+				INIT(addr,
+					.ip = host->clone(host),
+				);
 				changed = TRUE;
-				addr = malloc_thing(addr_entry_t);
-				addr->ip = host->clone(host);
-				addr->virtual = FALSE;
-				addr->refcount = 1;
+				ifname = strdup(iface->ifname);
 				iface->addrs->insert_last(iface->addrs, addr);
 				addr_map_entry_add(this, addr, iface);
 				if (iface->usable)
@@ -386,22 +725,70 @@ static void process_addr(private_kernel_pfroute_net_t *this,
 	this->lock->unlock(this->lock);
 	host->destroy(host);
 
+	if (roam && ifname)
+	{
+		queue_route_reinstall(this, ifname);
+	}
+	else
+	{
+		free(ifname);
+	}
+
 	if (roam)
 	{
 		fire_roam_event(this, TRUE);
 	}
 }
 
+/**
+ * Re-initialize address list of an interface if it changes state
+ */
+static void repopulate_iface(private_kernel_pfroute_net_t *this,
+							 iface_entry_t *iface)
+{
+	struct ifaddrs *ifap, *ifa;
+	addr_entry_t *addr;
+
+	while (iface->addrs->remove_last(iface->addrs, (void**)&addr) == SUCCESS)
+	{
+		addr_map_entry_remove(addr, iface, this);
+		addr_entry_destroy(addr);
+	}
+
+	if (getifaddrs(&ifap) == 0)
+	{
+		for (ifa = ifap; ifa != NULL; ifa = ifa->ifa_next)
+		{
+			if (ifa->ifa_addr && streq(ifa->ifa_name, iface->ifname))
+			{
+				switch (ifa->ifa_addr->sa_family)
+				{
+					case AF_INET:
+					case AF_INET6:
+						INIT(addr,
+							.ip = host_create_from_sockaddr(ifa->ifa_addr),
+						);
+						iface->addrs->insert_last(iface->addrs, addr);
+						addr_map_entry_add(this, addr, iface);
+						break;
+					default:
+						break;
+				}
+			}
+		}
+		freeifaddrs(ifap);
+	}
+}
+
 /**
  * Process an RTM_IFINFO message from the kernel
  */
 static void process_link(private_kernel_pfroute_net_t *this,
-						 struct rt_msghdr *hdr)
+						 struct if_msghdr *msg)
 {
-	struct if_msghdr *msg = (struct if_msghdr*)hdr;
 	enumerator_t *enumerator;
 	iface_entry_t *iface;
-	bool roam = FALSE;
+	bool roam = FALSE, found = FALSE, update_routes = FALSE;
 
 	this->lock->write_lock(this->lock);
 	enumerator = this->ifaces->create_enumerator(this->ifaces);
@@ -413,7 +800,7 @@ static void process_link(private_kernel_pfroute_net_t *this,
 			{
 				if (!(iface->flags & IFF_UP) && (msg->ifm_flags & IFF_UP))
 				{
-					roam = TRUE;
+					roam = update_routes = TRUE;
 					DBG1(DBG_KNL, "interface %s activated", iface->ifname);
 				}
 				else if ((iface->flags & IFF_UP) && !(msg->ifm_flags & IFF_UP))
@@ -423,12 +810,44 @@ static void process_link(private_kernel_pfroute_net_t *this,
 				}
 			}
 			iface->flags = msg->ifm_flags;
+			repopulate_iface(this, iface);
+			found = TRUE;
 			break;
 		}
 	}
 	enumerator->destroy(enumerator);
+
+	if (!found)
+	{
+		INIT(iface,
+			.ifindex = msg->ifm_index,
+			.flags = msg->ifm_flags,
+			.addrs = linked_list_create(),
+		);
+		if (if_indextoname(iface->ifindex, iface->ifname))
+		{
+			DBG1(DBG_KNL, "interface %s appeared", iface->ifname);
+			iface->usable = hydra->kernel_interface->is_interface_usable(
+										hydra->kernel_interface, iface->ifname);
+			repopulate_iface(this, iface);
+			this->ifaces->insert_last(this->ifaces, iface);
+			if (iface->usable)
+			{
+				roam = update_routes = TRUE;
+			}
+		}
+		else
+		{
+			free(iface);
+		}
+	}
 	this->lock->unlock(this->lock);
 
+	if (update_routes)
+	{
+		queue_route_reinstall(this, strdup(iface->ifname));
+	}
+
 	if (roam)
 	{
 		fire_roam_event(this, TRUE);
@@ -445,61 +864,98 @@ static void process_route(private_kernel_pfroute_net_t *this,
 }
 
 /**
- * Receives events from kernel
+ * Receives PF_ROUTE messages from kernel
  */
-static job_requeue_t receive_events(private_kernel_pfroute_net_t *this)
+static bool receive_events(private_kernel_pfroute_net_t *this, int fd,
+						   watcher_event_t event)
 {
-	unsigned char buf[PFROUTE_BUFFER_SIZE];
-	struct rt_msghdr *msg = (struct rt_msghdr*)buf;
-	int len;
-	bool oldstate;
-
-	oldstate = thread_cancelability(TRUE);
-	len = recvfrom(this->socket_events, buf, sizeof(buf), 0, NULL, 0);
-	thread_cancelability(oldstate);
-
+	struct {
+		union {
+			struct rt_msghdr rtm;
+			struct if_msghdr ifm;
+			struct ifa_msghdr ifam;
+		};
+		char buf[sizeof(struct sockaddr_storage) * RTAX_MAX];
+	} msg;
+	int len, hdrlen;
+
+	len = recv(this->socket, &msg, sizeof(msg), MSG_DONTWAIT);
 	if (len < 0)
 	{
 		switch (errno)
 		{
 			case EINTR:
-				/* interrupted, try again */
-				return JOB_REQUEUE_DIRECT;
 			case EAGAIN:
-				/* no data ready, select again */
-				return JOB_REQUEUE_DIRECT;
+				return TRUE;
 			default:
 				DBG1(DBG_KNL, "unable to receive from PF_ROUTE event socket");
 				sleep(1);
-				return JOB_REQUEUE_FAIR;
+				return TRUE;
 		}
 	}
 
-	if (len < sizeof(msg->rtm_msglen) || len < msg->rtm_msglen ||
-		msg->rtm_version != RTM_VERSION)
+	if (len < offsetof(struct rt_msghdr, rtm_flags) || len < msg.rtm.rtm_msglen)
 	{
-		DBG2(DBG_KNL, "received corrupted PF_ROUTE message");
-		return JOB_REQUEUE_DIRECT;
+		DBG1(DBG_KNL, "received invalid PF_ROUTE message");
+		return TRUE;
 	}
-
-	switch (msg->rtm_type)
+	if (msg.rtm.rtm_version != RTM_VERSION)
+	{
+		DBG1(DBG_KNL, "received PF_ROUTE message with unsupported version: %d",
+			 msg.rtm.rtm_version);
+		return TRUE;
+	}
+	switch (msg.rtm.rtm_type)
 	{
 		case RTM_NEWADDR:
 		case RTM_DELADDR:
-			process_addr(this, msg);
+			hdrlen = sizeof(msg.ifam);
 			break;
 		case RTM_IFINFO:
-		/*case RTM_IFANNOUNCE <- what about this*/
-			process_link(this, msg);
+			hdrlen = sizeof(msg.ifm);
 			break;
 		case RTM_ADD:
 		case RTM_DELETE:
-			process_route(this, msg);
+		case RTM_GET:
+			hdrlen = sizeof(msg.rtm);
+			break;
 		default:
+			return TRUE;
+	}
+	if (msg.rtm.rtm_msglen < hdrlen)
+	{
+		DBG1(DBG_KNL, "ignoring short PF_ROUTE message");
+		return TRUE;
+	}
+	switch (msg.rtm.rtm_type)
+	{
+		case RTM_NEWADDR:
+		case RTM_DELADDR:
+			process_addr(this, &msg.ifam);
 			break;
+		case RTM_IFINFO:
+			process_link(this, &msg.ifm);
+			break;
+		case RTM_ADD:
+		case RTM_DELETE:
+			process_route(this, &msg.rtm);
+			break;
+		default:
+			break;
+	}
+
+	this->mutex->lock(this->mutex);
+	if (msg.rtm.rtm_pid == this->pid && msg.rtm.rtm_seq == this->waiting_seq)
+	{
+		/* seems like the message someone is waiting for, deliver */
+		this->reply = realloc(this->reply, msg.rtm.rtm_msglen);
+		memcpy(this->reply, &msg, msg.rtm.rtm_msglen);
 	}
+	/* signal on any event, add_ip()/del_ip() might wait for it */
+	this->condvar->broadcast(this->condvar);
+	this->mutex->unlock(this->mutex);
 
-	return JOB_REQUEUE_DIRECT;
+	return TRUE;
 }
 
 
@@ -530,6 +986,10 @@ static bool filter_addresses(address_enumerator_t *data,
 	{   /* skip virtual interfaces added by us */
 		return FALSE;
 	}
+	if (!(data->which & ADDR_TYPE_REGULAR) && !(*in)->virtual)
+	{	/* address is regular, but not requested */
+		return FALSE;
+	}
 	ip = (*in)->ip;
 	if (ip->get_family(ip) == AF_INET6)
 	{
@@ -578,9 +1038,12 @@ static bool filter_interfaces(address_enumerator_t *data, iface_entry_t** in,
 METHOD(kernel_net_t, create_address_enumerator, enumerator_t*,
 	private_kernel_pfroute_net_t *this, kernel_address_type_t which)
 {
-	address_enumerator_t *data = malloc_thing(address_enumerator_t);
-	data->this = this;
-	data->which = which;
+	address_enumerator_t *data;
+
+	INIT(data,
+		.this = this,
+		.which = which,
+	);
 
 	this->lock->read_lock(this->lock);
 	return enumerator_create_nested(
@@ -591,6 +1054,12 @@ METHOD(kernel_net_t, create_address_enumerator, enumerator_t*,
 				(void*)address_enumerator_destroy);
 }
 
+METHOD(kernel_net_t, get_features, kernel_feature_t,
+	private_kernel_pfroute_net_t *this)
+{
+	return KERNEL_REQUIRE_EXCLUDE_ROUTE;
+}
+
 METHOD(kernel_net_t, get_interface_name, bool,
 	private_kernel_pfroute_net_t *this, host_t* ip, char **name)
 {
@@ -616,6 +1085,19 @@ METHOD(kernel_net_t, get_interface_name, bool,
 		this->lock->unlock(this->lock);
 		return TRUE;
 	}
+	/* check if it is a virtual IP */
+	entry = this->addrs->get_match(this->addrs, &lookup,
+								  (void*)addr_map_entry_match_virtual);
+	if (entry)
+	{
+		if (name)
+		{
+			*name = strdup(entry->iface->ifname);
+			DBG2(DBG_KNL, "virtual IP %H is on interface %s", ip, *name);
+		}
+		this->lock->unlock(this->lock);
+		return TRUE;
+	}
 	/* maybe it is installed on an ignored interface */
 	entry = this->addrs->get_match(this->addrs, &lookup,
 								  (void*)addr_map_entry_match_up);
@@ -627,44 +1109,484 @@ METHOD(kernel_net_t, get_interface_name, bool,
 	return FALSE;
 }
 
-METHOD(kernel_net_t, get_source_addr, host_t*,
-	private_kernel_pfroute_net_t *this, host_t *dest, host_t *src)
+METHOD(kernel_net_t, add_ip, status_t,
+	private_kernel_pfroute_net_t *this, host_t *vip, int prefix,
+	char *ifname)
+{
+	enumerator_t *ifaces, *addrs;
+	iface_entry_t *iface;
+	addr_entry_t *addr;
+	tun_device_t *tun;
+	bool timeout = FALSE;
+
+	tun = tun_device_create(NULL);
+	if (!tun)
+	{
+		return FAILED;
+	}
+	if (prefix == -1)
+	{
+		prefix = vip->get_address(vip).len * 8;
+	}
+	if (!tun->up(tun) || !tun->set_address(tun, vip, prefix))
+	{
+		tun->destroy(tun);
+		return FAILED;
+	}
+
+	/* wait until address appears */
+	this->mutex->lock(this->mutex);
+	while (!timeout && !get_interface_name(this, vip, NULL))
+	{
+		timeout = this->condvar->timed_wait(this->condvar, this->mutex,
+											this->vip_wait);
+	}
+	this->mutex->unlock(this->mutex);
+	if (timeout)
+	{
+		DBG1(DBG_KNL, "virtual IP %H did not appear on %s",
+			 vip, tun->get_name(tun));
+		tun->destroy(tun);
+		return FAILED;
+	}
+
+	this->lock->write_lock(this->lock);
+	this->tuns->insert_last(this->tuns, tun);
+
+	ifaces = this->ifaces->create_enumerator(this->ifaces);
+	while (ifaces->enumerate(ifaces, &iface))
+	{
+		if (streq(iface->ifname, tun->get_name(tun)))
+		{
+			addrs = iface->addrs->create_enumerator(iface->addrs);
+			while (addrs->enumerate(addrs, &addr))
+			{
+				if (addr->ip->ip_equals(addr->ip, vip))
+				{
+					addr->virtual = TRUE;
+				}
+			}
+			addrs->destroy(addrs);
+			/* during IKEv1 reauthentication, children get moved from
+			 * old the new SA before the virtual IP is available. This
+			 * kills the route for our virtual IP, reinstall. */
+			queue_route_reinstall(this, strdup(iface->ifname));
+			break;
+		}
+	}
+	ifaces->destroy(ifaces);
+	/* lets do this while holding the lock, thus preventing another thread
+	 * from deleting the TUN device concurrently, hopefully listeners are quick
+	 * and cause no deadlocks */
+	hydra->kernel_interface->tun(hydra->kernel_interface, tun, TRUE);
+	this->lock->unlock(this->lock);
+
+	return SUCCESS;
+}
+
+METHOD(kernel_net_t, del_ip, status_t,
+	private_kernel_pfroute_net_t *this, host_t *vip, int prefix,
+	bool wait)
 {
-	return NULL;
+	enumerator_t *enumerator;
+	tun_device_t *tun;
+	host_t *addr;
+	bool timeout = FALSE, found = FALSE;
+
+	this->lock->write_lock(this->lock);
+	enumerator = this->tuns->create_enumerator(this->tuns);
+	while (enumerator->enumerate(enumerator, &tun))
+	{
+		addr = tun->get_address(tun, NULL);
+		if (addr && addr->ip_equals(addr, vip))
+		{
+			this->tuns->remove_at(this->tuns, enumerator);
+			hydra->kernel_interface->tun(hydra->kernel_interface, tun,
+										 FALSE);
+			tun->destroy(tun);
+			found = TRUE;
+			break;
+		}
+	}
+	enumerator->destroy(enumerator);
+	this->lock->unlock(this->lock);
+
+	if (!found)
+	{
+		return NOT_FOUND;
+	}
+	/* wait until address disappears */
+	if (wait)
+	{
+		this->mutex->lock(this->mutex);
+		while (!timeout && get_interface_name(this, vip, NULL))
+		{
+			timeout = this->condvar->timed_wait(this->condvar, this->mutex,
+												this->vip_wait);
+		}
+		this->mutex->unlock(this->mutex);
+		if (timeout)
+		{
+			DBG1(DBG_KNL, "virtual IP %H did not disappear from tun", vip);
+			return FAILED;
+		}
+	}
+	return SUCCESS;
 }
 
-METHOD(kernel_net_t, get_nexthop, host_t*,
-	private_kernel_pfroute_net_t *this, host_t *dest, host_t *src)
+/**
+ * Append a sockaddr_in/in6 of given type to routing message
+ */
+static void add_rt_addr(struct rt_msghdr *hdr, int type, host_t *addr)
 {
-	return NULL;
+	if (addr)
+	{
+		int len;
+
+		len = *addr->get_sockaddr_len(addr);
+		memcpy((char*)hdr + hdr->rtm_msglen, addr->get_sockaddr(addr), len);
+		hdr->rtm_msglen += SA_LEN(len);
+		hdr->rtm_addrs |= type;
+	}
 }
 
-METHOD(kernel_net_t, add_ip, status_t,
-	private_kernel_pfroute_net_t *this, host_t *virtual_ip, int prefix,
-	char *iface)
+/**
+ * Append a subnet mask sockaddr using the given prefix to routing message
+ */
+static void add_rt_mask(struct rt_msghdr *hdr, int type, int family, int prefix)
 {
-	return FAILED;
+	host_t *mask;
+
+	mask = host_create_netmask(family, prefix);
+	if (mask)
+	{
+		add_rt_addr(hdr, type, mask);
+		mask->destroy(mask);
+	}
 }
 
-METHOD(kernel_net_t, del_ip, status_t,
-	private_kernel_pfroute_net_t *this, host_t *virtual_ip, int prefix,
-	bool wait)
+/**
+ * Append an interface name sockaddr_dl to routing message
+ */
+static void add_rt_ifname(struct rt_msghdr *hdr, int type, char *name)
 {
-	return FAILED;
+	struct sockaddr_dl sdl = {
+		.sdl_len = sizeof(struct sockaddr_dl),
+		.sdl_family = AF_LINK,
+		.sdl_nlen = strlen(name),
+	};
+
+	if (strlen(name) <= sizeof(sdl.sdl_data))
+	{
+		memcpy(sdl.sdl_data, name, sdl.sdl_nlen);
+		memcpy((char*)hdr + hdr->rtm_msglen, &sdl, sdl.sdl_len);
+		hdr->rtm_msglen += SA_LEN(sdl.sdl_len);
+		hdr->rtm_addrs |= type;
+	}
+}
+
+/**
+ * Add or remove a route
+ */
+static status_t manage_route(private_kernel_pfroute_net_t *this, int op,
+							 chunk_t dst_net, u_int8_t prefixlen,
+							 host_t *gateway, char *if_name)
+{
+	struct {
+		struct rt_msghdr hdr;
+		char buf[sizeof(struct sockaddr_storage) * RTAX_MAX];
+	} msg = {
+		.hdr = {
+			.rtm_version = RTM_VERSION,
+			.rtm_type = op,
+			.rtm_flags = RTF_UP | RTF_STATIC,
+			.rtm_pid = this->pid,
+			.rtm_seq = ref_get(&this->seq),
+		},
+	};
+	host_t *dst;
+	int type;
+
+	if (prefixlen == 0 && dst_net.len)
+	{
+		status_t status;
+		chunk_t half;
+
+		half = chunk_clonea(dst_net);
+		half.ptr[0] |= 0x80;
+		prefixlen = 1;
+		status = manage_route(this, op, half, prefixlen, gateway, if_name);
+		if (status != SUCCESS)
+		{
+			return status;
+		}
+	}
+
+	dst = host_create_from_chunk(AF_UNSPEC, dst_net, 0);
+	if (!dst)
+	{
+		return FAILED;
+	}
+
+	if ((dst->get_family(dst) == AF_INET && prefixlen == 32) ||
+		(dst->get_family(dst) == AF_INET6 && prefixlen == 128))
+	{
+		msg.hdr.rtm_flags |= RTF_HOST | RTF_GATEWAY;
+	}
+
+	msg.hdr.rtm_msglen = sizeof(struct rt_msghdr);
+	for (type = 0; type < RTAX_MAX; type++)
+	{
+		switch (type)
+		{
+			case RTAX_DST:
+				add_rt_addr(&msg.hdr, RTA_DST, dst);
+				break;
+			case RTAX_NETMASK:
+				if (!(msg.hdr.rtm_flags & RTF_HOST))
+				{
+					add_rt_mask(&msg.hdr, RTA_NETMASK,
+								dst->get_family(dst), prefixlen);
+				}
+				break;
+			case RTAX_IFP:
+				if (if_name)
+				{
+					add_rt_ifname(&msg.hdr, RTA_IFP, if_name);
+				}
+				break;
+			case RTAX_GATEWAY:
+				if (gateway)
+				{
+					add_rt_addr(&msg.hdr, RTA_GATEWAY, gateway);
+				}
+				break;
+			default:
+				break;
+		}
+	}
+	dst->destroy(dst);
+
+	if (send(this->socket, &msg, msg.hdr.rtm_msglen, 0) != msg.hdr.rtm_msglen)
+	{
+		if (errno == EEXIST)
+		{
+			return ALREADY_DONE;
+		}
+		DBG1(DBG_KNL, "%s PF_ROUTE route failed: %s",
+			 op == RTM_ADD ? "adding" : "deleting", strerror(errno));
+		return FAILED;
+	}
+	return SUCCESS;
 }
 
 METHOD(kernel_net_t, add_route, status_t,
 	private_kernel_pfroute_net_t *this, chunk_t dst_net, u_int8_t prefixlen,
 	host_t *gateway, host_t *src_ip, char *if_name)
 {
-	return FAILED;
+	status_t status;
+	route_entry_t *found, route = {
+		.dst_net = dst_net,
+		.prefixlen = prefixlen,
+		.gateway = gateway,
+		.if_name = if_name,
+	};
+
+	this->routes_lock->lock(this->routes_lock);
+	found = this->routes->get(this->routes, &route);
+	if (found)
+	{
+		this->routes_lock->unlock(this->routes_lock);
+		return ALREADY_DONE;
+	}
+	found = route_entry_clone(&route);
+	this->routes->put(this->routes, found, found);
+	status = manage_route(this, RTM_ADD, dst_net, prefixlen, gateway, if_name);
+	this->routes_lock->unlock(this->routes_lock);
+	return status;
 }
 
 METHOD(kernel_net_t, del_route, status_t,
 	private_kernel_pfroute_net_t *this, chunk_t dst_net, u_int8_t prefixlen,
 	host_t *gateway, host_t *src_ip, char *if_name)
 {
-	return FAILED;
+	status_t status;
+	route_entry_t *found, route = {
+		.dst_net = dst_net,
+		.prefixlen = prefixlen,
+		.gateway = gateway,
+		.if_name = if_name,
+	};
+
+	this->routes_lock->lock(this->routes_lock);
+	found = this->routes->get(this->routes, &route);
+	if (!found)
+	{
+		this->routes_lock->unlock(this->routes_lock);
+		return NOT_FOUND;
+	}
+	this->routes->remove(this->routes, found);
+	route_entry_destroy(found);
+	status = manage_route(this, RTM_DELETE, dst_net, prefixlen, gateway,
+						  if_name);
+	this->routes_lock->unlock(this->routes_lock);
+	return status;
+}
+
+/**
+ * Do a route lookup for dest and return either the nexthop or the source
+ * address.
+ */
+static host_t *get_route(private_kernel_pfroute_net_t *this, bool nexthop,
+						 host_t *dest, host_t *src)
+{
+	struct {
+		struct rt_msghdr hdr;
+		char buf[sizeof(struct sockaddr_storage) * RTAX_MAX];
+	} msg = {
+		.hdr = {
+			.rtm_version = RTM_VERSION,
+			.rtm_type = RTM_GET,
+			.rtm_pid = this->pid,
+			.rtm_seq = ref_get(&this->seq),
+		},
+	};
+	host_t *host = NULL;
+	enumerator_t *enumerator;
+	struct sockaddr *addr;
+	bool failed = FALSE;
+	int type;
+
+retry:
+	msg.hdr.rtm_msglen = sizeof(struct rt_msghdr);
+	for (type = 0; type < RTAX_MAX; type++)
+	{
+		switch (type)
+		{
+			case RTAX_DST:
+				add_rt_addr(&msg.hdr, RTA_DST, dest);
+				break;
+			case RTAX_IFA:
+				add_rt_addr(&msg.hdr, RTA_IFA, src);
+				break;
+			case RTAX_IFP:
+				if (!nexthop)
+				{	/* add an empty IFP to ensure we get a source address */
+					add_rt_ifname(&msg.hdr, RTA_IFP, "");
+				}
+				break;
+			default:
+				break;
+		}
+	}
+	this->mutex->lock(this->mutex);
+
+	while (this->waiting_seq)
+	{
+		this->condvar->wait(this->condvar, this->mutex);
+	}
+	this->waiting_seq = msg.hdr.rtm_seq;
+	if (send(this->socket, &msg, msg.hdr.rtm_msglen, 0) == msg.hdr.rtm_msglen)
+	{
+		while (TRUE)
+		{
+			if (this->condvar->timed_wait(this->condvar, this->mutex, 1000))
+			{	/* timed out? */
+				break;
+			}
+			if (this->reply->rtm_msglen < sizeof(*this->reply) ||
+				msg.hdr.rtm_seq != this->reply->rtm_seq)
+			{
+				continue;
+			}
+			enumerator = create_rtmsg_enumerator(this->reply);
+			while (enumerator->enumerate(enumerator, &type, &addr))
+			{
+				if (nexthop)
+				{
+					if (type == RTAX_DST && this->reply->rtm_flags & RTF_HOST)
+					{	/* probably a cloned/cached direct route, only use that
+						 * as fallback if no gateway is found */
+						host = host ?: host_create_from_sockaddr(addr);
+					}
+					if (type == RTAX_GATEWAY)
+					{	/* could actually be a MAC address */
+						host_t *gtw = host_create_from_sockaddr(addr);
+						if (gtw)
+						{
+							DESTROY_IF(host);
+							host = gtw;
+						}
+					}
+				}
+				else
+				{
+					if (type == RTAX_IFA)
+					{
+						host = host_create_from_sockaddr(addr);
+					}
+				}
+			}
+			enumerator->destroy(enumerator);
+			break;
+		}
+	}
+	else
+	{
+		failed = TRUE;
+	}
+	/* signal completion of query to a waiting thread */
+	this->waiting_seq = 0;
+	this->condvar->signal(this->condvar);
+	this->mutex->unlock(this->mutex);
+
+	if (failed)
+	{
+		if (src)
+		{	/* the given source address might be gone, try again without */
+			src = NULL;
+			msg.hdr.rtm_seq = ref_get(&this->seq);
+			msg.hdr.rtm_addrs = 0;
+			memset(msg.buf, sizeof(msg.buf), 0);
+			goto retry;
+		}
+		DBG1(DBG_KNL, "PF_ROUTE lookup failed: %s", strerror(errno));
+	}
+	if (!host)
+	{
+		return NULL;
+	}
+	if (!nexthop)
+	{	/* make sure the source address is not virtual and usable */
+		addr_entry_t *entry, lookup = {
+			.ip = host,
+		};
+
+		this->lock->read_lock(this->lock);
+		entry = this->addrs->get_match(this->addrs, &lookup,
+									(void*)addr_map_entry_match_up_and_usable);
+		this->lock->unlock(this->lock);
+		if (!entry)
+		{
+			host->destroy(host);
+			return NULL;
+		}
+	}
+	DBG2(DBG_KNL, "using %H as %s to reach %H", host,
+		 nexthop ? "nexthop" : "address", dest);
+	return host;
+}
+
+METHOD(kernel_net_t, get_source_addr, host_t*,
+	private_kernel_pfroute_net_t *this, host_t *dest, host_t *src)
+{
+	return get_route(this, FALSE, dest, src);
+}
+
+METHOD(kernel_net_t, get_nexthop, host_t*,
+	private_kernel_pfroute_net_t *this, host_t *dest, host_t *src)
+{
+	return get_route(this, TRUE, dest, src);
 }
 
 /**
@@ -711,22 +1633,22 @@ static status_t init_address_list(private_kernel_pfroute_net_t *this)
 
 				if (!iface)
 				{
-					iface = malloc_thing(iface_entry_t);
+					INIT(iface,
+						.ifindex = if_nametoindex(ifa->ifa_name),
+						.flags = ifa->ifa_flags,
+						.addrs = linked_list_create(),
+						.usable = hydra->kernel_interface->is_interface_usable(
+										hydra->kernel_interface, ifa->ifa_name),
+					);
 					memcpy(iface->ifname, ifa->ifa_name, IFNAMSIZ);
-					iface->ifindex = if_nametoindex(ifa->ifa_name);
-					iface->flags = ifa->ifa_flags;
-					iface->addrs = linked_list_create();
-					iface->usable = hydra->kernel_interface->is_interface_usable(
-										hydra->kernel_interface, ifa->ifa_name);
 					this->ifaces->insert_last(this->ifaces, iface);
 				}
 
 				if (ifa->ifa_addr->sa_family != AF_LINK)
 				{
-					addr = malloc_thing(addr_entry_t);
-					addr->ip = host_create_from_sockaddr(ifa->ifa_addr);
-					addr->virtual = FALSE;
-					addr->refcount = 1;
+					INIT(addr,
+						.ip = host_create_from_sockaddr(ifa->ifa_addr),
+					);
 					iface->addrs->insert_last(iface->addrs, addr);
 					addr_map_entry_add(this, addr, iface);
 				}
@@ -758,16 +1680,30 @@ METHOD(kernel_net_t, destroy, void,
 	private_kernel_pfroute_net_t *this)
 {
 	enumerator_t *enumerator;
+	route_entry_t *route;
 	addr_entry_t *addr;
 
-	if (this->socket > 0)
+	enumerator = this->routes->create_enumerator(this->routes);
+	while (enumerator->enumerate(enumerator, NULL, (void**)&route))
 	{
-		close(this->socket);
+		manage_route(this, RTM_DELETE, route->dst_net, route->prefixlen,
+					 route->gateway, route->if_name);
+		route_entry_destroy(route);
 	}
-	if (this->socket_events)
+	enumerator->destroy(enumerator);
+	this->routes->destroy(this->routes);
+	this->routes_lock->destroy(this->routes_lock);
+
+	if (this->socket != -1)
 	{
-		close(this->socket_events);
+		lib->watcher->remove(lib->watcher, this->socket);
+		close(this->socket);
 	}
+
+	net_changes_clear(this);
+	this->net_changes->destroy(this->net_changes);
+	this->net_changes_lock->destroy(this->net_changes_lock);
+
 	enumerator = this->addrs->create_enumerator(this->addrs);
 	while (enumerator->enumerate(enumerator, NULL, (void**)&addr))
 	{
@@ -776,8 +1712,11 @@ METHOD(kernel_net_t, destroy, void,
 	enumerator->destroy(enumerator);
 	this->addrs->destroy(this->addrs);
 	this->ifaces->destroy_function(this->ifaces, (void*)iface_entry_destroy);
+	this->tuns->destroy(this->tuns);
 	this->lock->destroy(this->lock);
-	this->mutex_pfroute->destroy(this->mutex_pfroute);
+	this->mutex->destroy(this->mutex);
+	this->condvar->destroy(this->condvar);
+	free(this->reply);
 	free(this);
 }
 
@@ -787,11 +1726,11 @@ METHOD(kernel_net_t, destroy, void,
 kernel_pfroute_net_t *kernel_pfroute_net_create()
 {
 	private_kernel_pfroute_net_t *this;
-	bool register_for_events = TRUE;
 
 	INIT(this,
 		.public = {
 			.interface = {
+				.get_features = _get_features,
 				.get_interface = _get_interface_name,
 				.create_address_enumerator = _create_address_enumerator,
 				.get_source_addr = _get_source_addr,
@@ -803,45 +1742,51 @@ kernel_pfroute_net_t *kernel_pfroute_net_create()
 				.destroy = _destroy,
 			},
 		},
+		.pid = getpid(),
 		.ifaces = linked_list_create(),
 		.addrs = hashtable_create(
 								(hashtable_hash_t)addr_map_entry_hash,
 								(hashtable_equals_t)addr_map_entry_equals, 16),
+		.routes = hashtable_create((hashtable_hash_t)route_entry_hash,
+								   (hashtable_equals_t)route_entry_equals, 16),
+		.net_changes = hashtable_create(
+								   (hashtable_hash_t)net_change_hash,
+								   (hashtable_equals_t)net_change_equals, 16),
+		.tuns = linked_list_create(),
 		.lock = rwlock_create(RWLOCK_TYPE_DEFAULT),
-		.mutex_pfroute = mutex_create(MUTEX_TYPE_DEFAULT),
+		.mutex = mutex_create(MUTEX_TYPE_DEFAULT),
+		.condvar = condvar_create(CONDVAR_TYPE_DEFAULT),
+		.routes_lock = mutex_create(MUTEX_TYPE_DEFAULT),
+		.net_changes_lock = mutex_create(MUTEX_TYPE_DEFAULT),
+		.vip_wait = lib->settings->get_int(lib->settings,
+					"%s.plugins.kernel-pfroute.vip_wait", 1000, hydra->daemon),
 	);
-
-	if (streq(hydra->daemon, "starter"))
-	{   /* starter has no threads, so we do not register for kernel events */
-		register_for_events = FALSE;
-	}
+	timerclear(&this->last_route_reinstall);
+	timerclear(&this->last_roam);
 
 	/* create a PF_ROUTE socket to communicate with the kernel */
 	this->socket = socket(PF_ROUTE, SOCK_RAW, AF_UNSPEC);
-	if (this->socket < 0)
+	if (this->socket == -1)
 	{
 		DBG1(DBG_KNL, "unable to create PF_ROUTE socket");
 		destroy(this);
 		return NULL;
 	}
 
-	if (register_for_events)
+	if (streq(hydra->daemon, "starter"))
 	{
-		/* create a PF_ROUTE socket to receive events */
-		this->socket_events = socket(PF_ROUTE, SOCK_RAW, AF_UNSPEC);
-		if (this->socket_events < 0)
+		/* starter has no threads, so we do not register for kernel events */
+		if (shutdown(this->socket, SHUT_RD) != 0)
 		{
-			DBG1(DBG_KNL, "unable to create PF_ROUTE event socket");
-			destroy(this);
-			return NULL;
+			DBG1(DBG_KNL, "closing read end of PF_ROUTE socket failed: %s",
+				 strerror(errno));
 		}
-
-		lib->processor->queue_job(lib->processor,
-			(job_t*)callback_job_create_with_prio(
-					(callback_job_cb_t)receive_events, this, NULL,
-					(callback_job_cancel_t)return_false, JOB_PRIO_CRITICAL));
 	}
-
+	else
+	{
+		lib->watcher->add(lib->watcher, this->socket, WATCHER_READ,
+						  (watcher_cb_t)receive_events, this);
+	}
 	if (init_address_list(this) != SUCCESS)
 	{
 		DBG1(DBG_KNL, "unable to get interface list");
diff --git a/src/libhydra/plugins/resolve/Makefile.am b/src/libhydra/plugins/resolve/Makefile.am
index a05c84061..4cbf65fc0 100644
--- a/src/libhydra/plugins/resolve/Makefile.am
+++ b/src/libhydra/plugins/resolve/Makefile.am
@@ -1,9 +1,11 @@
-
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra
-
-AM_CFLAGS = -rdynamic \
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra \
 	-DRESOLV_CONF=\"${resolv_conf}\"
 
+AM_CFLAGS = \
+	-rdynamic
+
 if MONOLITHIC
 noinst_LTLIBRARIES = libstrongswan-resolve.la
 else
diff --git a/src/libhydra/plugins/resolve/Makefile.in b/src/libhydra/plugins/resolve/Makefile.in
index 1e5ff16b7..1dc4df294 100644
--- a/src/libhydra/plugins/resolve/Makefile.in
+++ b/src/libhydra/plugins/resolve/Makefile.in
@@ -62,7 +62,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
@@ -103,9 +103,13 @@ am_libstrongswan_resolve_la_OBJECTS = resolve_plugin.lo \
 	resolve_handler.lo
 libstrongswan_resolve_la_OBJECTS =  \
 	$(am_libstrongswan_resolve_la_OBJECTS)
-libstrongswan_resolve_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
-	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
-	$(libstrongswan_resolve_la_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+libstrongswan_resolve_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
+	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
+	$(AM_CFLAGS) $(CFLAGS) $(libstrongswan_resolve_la_LDFLAGS) \
+	$(LDFLAGS) -o $@
 @MONOLITHIC_FALSE@am_libstrongswan_resolve_la_rpath = -rpath \
 @MONOLITHIC_FALSE@	$(plugindir)
 @MONOLITHIC_TRUE@am_libstrongswan_resolve_la_rpath =
@@ -115,13 +119,26 @@ am__depfiles_maybe = depfiles
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
 SOURCES = $(libstrongswan_resolve_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_resolve_la_SOURCES)
 am__can_run_installinfo = \
@@ -135,6 +152,7 @@ DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
@@ -147,6 +165,8 @@ CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
 CHECK_CFLAGS = @CHECK_CFLAGS@
 CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -162,6 +182,7 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
 GPRBUILD = @GPRBUILD@
 GREP = @GREP@
@@ -170,6 +191,7 @@ INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -216,6 +238,7 @@ SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -244,6 +267,7 @@ charon_natt_port = @charon_natt_port@
 charon_plugins = @charon_plugins@
 charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
@@ -321,10 +345,14 @@ top_srcdir = @top_srcdir@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra
-AM_CFLAGS = -rdynamic \
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra \
 	-DRESOLV_CONF=\"${resolv_conf}\"
 
+AM_CFLAGS = \
+	-rdynamic
+
 @MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-resolve.la
 @MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-resolve.la
 libstrongswan_resolve_la_SOURCES = \
@@ -408,7 +436,7 @@ clean-pluginLTLIBRARIES:
 	  rm -f "$${dir}/so_locations"; \
 	done
 libstrongswan-resolve.la: $(libstrongswan_resolve_la_OBJECTS) $(libstrongswan_resolve_la_DEPENDENCIES) $(EXTRA_libstrongswan_resolve_la_DEPENDENCIES) 
-	$(libstrongswan_resolve_la_LINK) $(am_libstrongswan_resolve_la_rpath) $(libstrongswan_resolve_la_OBJECTS) $(libstrongswan_resolve_la_LIBADD) $(LIBS)
+	$(AM_V_CCLD)$(libstrongswan_resolve_la_LINK) $(am_libstrongswan_resolve_la_rpath) $(libstrongswan_resolve_la_OBJECTS) $(libstrongswan_resolve_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -420,25 +448,25 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/resolve_plugin.Plo@am__quote@
 
 .c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
 mostlyclean-libtool:
 	-rm -f *.lo
diff --git a/src/libhydra/plugins/resolve/resolve_handler.c b/src/libhydra/plugins/resolve/resolve_handler.c
index 6b8d6be7f..6c57fa0bf 100644
--- a/src/libhydra/plugins/resolve/resolve_handler.c
+++ b/src/libhydra/plugins/resolve/resolve_handler.c
@@ -126,7 +126,7 @@ static void remove_nameserver(private_resolve_handler_t *this,
 			/* copy all, but matching line */
 			while (fgets(line, sizeof(line), in))
 			{
-				if (strneq(line, matcher, strlen(matcher)))
+				if (strpfx(line, matcher))
 				{
 					DBG1(DBG_IKE, "removing DNS server %H from %s",
 						 addr, this->file);
diff --git a/src/libhydra/plugins/resolve/resolve_plugin.c b/src/libhydra/plugins/resolve/resolve_plugin.c
index f95827ed9..2fef09a49 100644
--- a/src/libhydra/plugins/resolve/resolve_plugin.c
+++ b/src/libhydra/plugins/resolve/resolve_plugin.c
@@ -42,10 +42,39 @@ METHOD(plugin_t, get_name, char*,
 	return "resolve";
 }
 
+/**
+ * Register handler
+ */
+static bool plugin_cb(private_resolve_plugin_t *this,
+					  plugin_feature_t *feature, bool reg, void *cb_data)
+{
+	if (reg)
+	{
+		hydra->attributes->add_handler(hydra->attributes,
+									   &this->handler->handler);
+	}
+	else
+	{
+		hydra->attributes->remove_handler(hydra->attributes,
+										  &this->handler->handler);
+	}
+	return TRUE;
+}
+
+METHOD(plugin_t, get_features, int,
+	private_resolve_plugin_t *this, plugin_feature_t *features[])
+{
+	static plugin_feature_t f[] = {
+		PLUGIN_CALLBACK((plugin_feature_callback_t)plugin_cb, NULL),
+			PLUGIN_PROVIDE(CUSTOM, "resolve"),
+	};
+	*features = f;
+	return countof(f);
+}
+
 METHOD(plugin_t, destroy, void,
 	private_resolve_plugin_t *this)
 {
-	hydra->attributes->remove_handler(hydra->attributes, &this->handler->handler);
 	this->handler->destroy(this->handler);
 	free(this);
 }
@@ -61,13 +90,12 @@ plugin_t *resolve_plugin_create()
 		.public = {
 			.plugin = {
 				.get_name = _get_name,
-				.reload = (void*)return_false,
+				.get_features = _get_features,
 				.destroy = _destroy,
 			},
 		},
 		.handler = resolve_handler_create(),
 	);
-	hydra->attributes->add_handler(hydra->attributes, &this->handler->handler);
 
 	return &this->public.plugin;
 }
diff --git a/src/libimcv/Makefile.am b/src/libimcv/Makefile.am
index 51a7be046..e1e6541aa 100644
--- a/src/libimcv/Makefile.am
+++ b/src/libimcv/Makefile.am
@@ -1,5 +1,6 @@
-
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libtncif
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libtncif
 
 ipseclib_LTLIBRARIES = libimcv.la
 
@@ -10,10 +11,15 @@ libimcv_la_SOURCES = \
 	imc/imc_agent.h imc/imc_agent.c imc/imc_state.h \
 	imc/imc_msg.h imc/imc_msg.c \
 	imv/imv_agent.h imv/imv_agent.c imv/imv_state.h \
+	imv/imv_agent_if.h imv/imv_if.h \
+	imv/imv_database.h imv/imv_database.c \
 	imv/imv_msg.h imv/imv_msg.c \
 	imv/imv_lang_string.h imv/imv_lang_string.c \
 	imv/imv_reason_string.h imv/imv_reason_string.c \
 	imv/imv_remediation_string.h imv/imv_remediation_string.c \
+	imv/imv_session.h imv/imv_session.c \
+	imv/imv_workitem.h imv/imv_workitem.c \
+	imv/tables.sql imv/data.sql \
 	ietf/ietf_attr.h ietf/ietf_attr.c \
 	ietf/ietf_attr_assess_result.h ietf/ietf_attr_assess_result.c \
 	ietf/ietf_attr_attr_request.h ietf/ietf_attr_attr_request.c \
@@ -33,11 +39,23 @@ libimcv_la_SOURCES = \
 	ita/ita_attr_get_settings.h ita/ita_attr_get_settings.c \
 	ita/ita_attr_settings.h ita/ita_attr_settings.c \
 	ita/ita_attr_angel.h ita/ita_attr_angel.c \
+	ita/ita_attr_device_id.h ita/ita_attr_device_id.c \
 	os_info/os_info.h os_info/os_info.c \
 	pa_tnc/pa_tnc_attr.h \
 	pa_tnc/pa_tnc_msg.h pa_tnc/pa_tnc_msg.c \
 	pa_tnc/pa_tnc_attr_manager.h pa_tnc/pa_tnc_attr_manager.c
 
+ipsec_SCRIPTS = imv/_imv_policy
+EXTRA_DIST = imv/_imv_policy
+
+ipsec_PROGRAMS = imv_policy_manager
+imv_policy_manager_SOURCES = \
+	imv/imv_policy_manager.c \
+	imv/imv_policy_manager_usage.h imv/imv_policy_manager_usage.c
+imv_policy_manager_LDADD = \
+	$(top_builddir)/src/libstrongswan/libstrongswan.la
+#imv/imv_policy_manager.o :	$(top_builddir)/config.status
+
 SUBDIRS = .
 
 if USE_IMC_TEST
diff --git a/src/libimcv/Makefile.in b/src/libimcv/Makefile.in
index f560a5230..296f422fe 100644
--- a/src/libimcv/Makefile.in
+++ b/src/libimcv/Makefile.in
@@ -15,6 +15,8 @@
 
 @SET_MAKE@
 
+
+
 VPATH = @srcdir@
 am__make_dryrun = \
   { \
@@ -51,6 +53,7 @@ PRE_UNINSTALL = :
 POST_UNINSTALL = :
 build_triplet = @build@
 host_triplet = @host@
+ipsec_PROGRAMS = imv_policy_manager$(EXEEXT)
 @USE_IMC_TEST_TRUE@am__append_1 = plugins/imc_test
 @USE_IMV_TEST_TRUE@am__append_2 = plugins/imv_test
 @USE_IMC_SCANNER_TRUE@am__append_3 = plugins/imc_scanner
@@ -68,7 +71,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
@@ -102,38 +105,63 @@ am__uninstall_files_from_dir = { \
     || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
          $(am__cd) "$$dir" && rm -f $$files; }; \
   }
-am__installdirs = "$(DESTDIR)$(ipseclibdir)"
+am__installdirs = "$(DESTDIR)$(ipseclibdir)" "$(DESTDIR)$(ipsecdir)" \
+	"$(DESTDIR)$(ipsecdir)"
 LTLIBRARIES = $(ipseclib_LTLIBRARIES)
 libimcv_la_DEPENDENCIES = $(top_builddir)/src/libtncif/libtncif.la
 am_libimcv_la_OBJECTS = imcv.lo imc_agent.lo imc_msg.lo imv_agent.lo \
-	imv_msg.lo imv_lang_string.lo imv_reason_string.lo \
-	imv_remediation_string.lo ietf_attr.lo \
-	ietf_attr_assess_result.lo ietf_attr_attr_request.lo \
-	ietf_attr_fwd_enabled.lo ietf_attr_default_pwd_enabled.lo \
+	imv_database.lo imv_msg.lo imv_lang_string.lo \
+	imv_reason_string.lo imv_remediation_string.lo imv_session.lo \
+	imv_workitem.lo ietf_attr.lo ietf_attr_assess_result.lo \
+	ietf_attr_attr_request.lo ietf_attr_fwd_enabled.lo \
+	ietf_attr_default_pwd_enabled.lo \
 	ietf_attr_installed_packages.lo ietf_attr_numeric_version.lo \
 	ietf_attr_op_status.lo ietf_attr_pa_tnc_error.lo \
 	ietf_attr_port_filter.lo ietf_attr_product_info.lo \
 	ietf_attr_remediation_instr.lo ietf_attr_string_version.lo \
 	ita_attr.lo ita_attr_command.lo ita_attr_dummy.lo \
 	ita_attr_get_settings.lo ita_attr_settings.lo \
-	ita_attr_angel.lo os_info.lo pa_tnc_msg.lo \
-	pa_tnc_attr_manager.lo
+	ita_attr_angel.lo ita_attr_device_id.lo os_info.lo \
+	pa_tnc_msg.lo pa_tnc_attr_manager.lo
 libimcv_la_OBJECTS = $(am_libimcv_la_OBJECTS)
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+PROGRAMS = $(ipsec_PROGRAMS)
+am_imv_policy_manager_OBJECTS = imv_policy_manager.$(OBJEXT) \
+	imv_policy_manager_usage.$(OBJEXT)
+imv_policy_manager_OBJECTS = $(am_imv_policy_manager_OBJECTS)
+imv_policy_manager_DEPENDENCIES =  \
+	$(top_builddir)/src/libstrongswan/libstrongswan.la
+SCRIPTS = $(ipsec_SCRIPTS)
 DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
 depcomp = $(SHELL) $(top_srcdir)/depcomp
 am__depfiles_maybe = depfiles
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
-SOURCES = $(libimcv_la_SOURCES)
-DIST_SOURCES = $(libimcv_la_SOURCES)
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
+SOURCES = $(libimcv_la_SOURCES) $(imv_policy_manager_SOURCES)
+DIST_SOURCES = $(libimcv_la_SOURCES) $(imv_policy_manager_SOURCES)
 RECURSIVE_TARGETS = all-recursive check-recursive dvi-recursive \
 	html-recursive info-recursive install-data-recursive \
 	install-dvi-recursive install-exec-recursive \
@@ -184,6 +212,7 @@ am__relativize = \
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
@@ -196,6 +225,8 @@ CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
 CHECK_CFLAGS = @CHECK_CFLAGS@
 CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -211,6 +242,7 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
 GPRBUILD = @GPRBUILD@
 GREP = @GREP@
@@ -219,6 +251,7 @@ INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -265,6 +298,7 @@ SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -293,6 +327,7 @@ charon_natt_port = @charon_natt_port@
 charon_plugins = @charon_plugins@
 charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
@@ -370,7 +405,10 @@ top_srcdir = @top_srcdir@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libtncif
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libtncif
+
 ipseclib_LTLIBRARIES = libimcv.la
 libimcv_la_LIBADD = $(top_builddir)/src/libtncif/libtncif.la
 libimcv_la_SOURCES = \
@@ -378,10 +416,15 @@ libimcv_la_SOURCES = \
 	imc/imc_agent.h imc/imc_agent.c imc/imc_state.h \
 	imc/imc_msg.h imc/imc_msg.c \
 	imv/imv_agent.h imv/imv_agent.c imv/imv_state.h \
+	imv/imv_agent_if.h imv/imv_if.h \
+	imv/imv_database.h imv/imv_database.c \
 	imv/imv_msg.h imv/imv_msg.c \
 	imv/imv_lang_string.h imv/imv_lang_string.c \
 	imv/imv_reason_string.h imv/imv_reason_string.c \
 	imv/imv_remediation_string.h imv/imv_remediation_string.c \
+	imv/imv_session.h imv/imv_session.c \
+	imv/imv_workitem.h imv/imv_workitem.c \
+	imv/tables.sql imv/data.sql \
 	ietf/ietf_attr.h ietf/ietf_attr.c \
 	ietf/ietf_attr_assess_result.h ietf/ietf_attr_assess_result.c \
 	ietf/ietf_attr_attr_request.h ietf/ietf_attr_attr_request.c \
@@ -401,11 +444,22 @@ libimcv_la_SOURCES = \
 	ita/ita_attr_get_settings.h ita/ita_attr_get_settings.c \
 	ita/ita_attr_settings.h ita/ita_attr_settings.c \
 	ita/ita_attr_angel.h ita/ita_attr_angel.c \
+	ita/ita_attr_device_id.h ita/ita_attr_device_id.c \
 	os_info/os_info.h os_info/os_info.c \
 	pa_tnc/pa_tnc_attr.h \
 	pa_tnc/pa_tnc_msg.h pa_tnc/pa_tnc_msg.c \
 	pa_tnc/pa_tnc_attr_manager.h pa_tnc/pa_tnc_attr_manager.c
 
+ipsec_SCRIPTS = imv/_imv_policy
+EXTRA_DIST = imv/_imv_policy
+imv_policy_manager_SOURCES = \
+	imv/imv_policy_manager.c \
+	imv/imv_policy_manager_usage.h imv/imv_policy_manager_usage.c
+
+imv_policy_manager_LDADD = \
+	$(top_builddir)/src/libstrongswan/libstrongswan.la
+
+#imv/imv_policy_manager.o :	$(top_builddir)/config.status
 SUBDIRS = . $(am__append_1) $(am__append_2) $(am__append_3) \
 	$(am__append_4) $(am__append_5) $(am__append_6)
 all: all-recursive
@@ -475,7 +529,91 @@ clean-ipseclibLTLIBRARIES:
 	  rm -f "$${dir}/so_locations"; \
 	done
 libimcv.la: $(libimcv_la_OBJECTS) $(libimcv_la_DEPENDENCIES) $(EXTRA_libimcv_la_DEPENDENCIES) 
-	$(LINK) -rpath $(ipseclibdir) $(libimcv_la_OBJECTS) $(libimcv_la_LIBADD) $(LIBS)
+	$(AM_V_CCLD)$(LINK) -rpath $(ipseclibdir) $(libimcv_la_OBJECTS) $(libimcv_la_LIBADD) $(LIBS)
+install-ipsecPROGRAMS: $(ipsec_PROGRAMS)
+	@$(NORMAL_INSTALL)
+	@list='$(ipsec_PROGRAMS)'; test -n "$(ipsecdir)" || list=; \
+	if test -n "$$list"; then \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(ipsecdir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(ipsecdir)" || exit 1; \
+	fi; \
+	for p in $$list; do echo "$$p $$p"; done | \
+	sed 's/$(EXEEXT)$$//' | \
+	while read p p1; do if test -f $$p || test -f $$p1; \
+	  then echo "$$p"; echo "$$p"; else :; fi; \
+	done | \
+	sed -e 'p;s,.*/,,;n;h' -e 's|.*|.|' \
+	    -e 'p;x;s,.*/,,;s/$(EXEEXT)$$//;$(transform);s/$$/$(EXEEXT)/' | \
+	sed 'N;N;N;s,\n, ,g' | \
+	$(AWK) 'BEGIN { files["."] = ""; dirs["."] = 1 } \
+	  { d=$$3; if (dirs[d] != 1) { print "d", d; dirs[d] = 1 } \
+	    if ($$2 == $$4) files[d] = files[d] " " $$1; \
+	    else { print "f", $$3 "/" $$4, $$1; } } \
+	  END { for (d in files) print "f", d, files[d] }' | \
+	while read type dir files; do \
+	    if test "$$dir" = .; then dir=; else dir=/$$dir; fi; \
+	    test -z "$$files" || { \
+	    echo " $(INSTALL_PROGRAM_ENV) $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL_PROGRAM) $$files '$(DESTDIR)$(ipsecdir)$$dir'"; \
+	    $(INSTALL_PROGRAM_ENV) $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL_PROGRAM) $$files "$(DESTDIR)$(ipsecdir)$$dir" || exit $$?; \
+	    } \
+	; done
+
+uninstall-ipsecPROGRAMS:
+	@$(NORMAL_UNINSTALL)
+	@list='$(ipsec_PROGRAMS)'; test -n "$(ipsecdir)" || list=; \
+	files=`for p in $$list; do echo "$$p"; done | \
+	  sed -e 'h;s,^.*/,,;s/$(EXEEXT)$$//;$(transform)' \
+	      -e 's/$$/$(EXEEXT)/' `; \
+	test -n "$$list" || exit 0; \
+	echo " ( cd '$(DESTDIR)$(ipsecdir)' && rm -f" $$files ")"; \
+	cd "$(DESTDIR)$(ipsecdir)" && rm -f $$files
+
+clean-ipsecPROGRAMS:
+	@list='$(ipsec_PROGRAMS)'; test -n "$$list" || exit 0; \
+	echo " rm -f" $$list; \
+	rm -f $$list || exit $$?; \
+	test -n "$(EXEEXT)" || exit 0; \
+	list=`for p in $$list; do echo "$$p"; done | sed 's/$(EXEEXT)$$//'`; \
+	echo " rm -f" $$list; \
+	rm -f $$list
+imv_policy_manager$(EXEEXT): $(imv_policy_manager_OBJECTS) $(imv_policy_manager_DEPENDENCIES) $(EXTRA_imv_policy_manager_DEPENDENCIES) 
+	@rm -f imv_policy_manager$(EXEEXT)
+	$(AM_V_CCLD)$(LINK) $(imv_policy_manager_OBJECTS) $(imv_policy_manager_LDADD) $(LIBS)
+install-ipsecSCRIPTS: $(ipsec_SCRIPTS)
+	@$(NORMAL_INSTALL)
+	@list='$(ipsec_SCRIPTS)'; test -n "$(ipsecdir)" || list=; \
+	if test -n "$$list"; then \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(ipsecdir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(ipsecdir)" || exit 1; \
+	fi; \
+	for p in $$list; do \
+	  if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \
+	  if test -f "$$d$$p"; then echo "$$d$$p"; echo "$$p"; else :; fi; \
+	done | \
+	sed -e 'p;s,.*/,,;n' \
+	    -e 'h;s|.*|.|' \
+	    -e 'p;x;s,.*/,,;$(transform)' | sed 'N;N;N;s,\n, ,g' | \
+	$(AWK) 'BEGIN { files["."] = ""; dirs["."] = 1; } \
+	  { d=$$3; if (dirs[d] != 1) { print "d", d; dirs[d] = 1 } \
+	    if ($$2 == $$4) { files[d] = files[d] " " $$1; \
+	      if (++n[d] == $(am__install_max)) { \
+		print "f", d, files[d]; n[d] = 0; files[d] = "" } } \
+	    else { print "f", d "/" $$4, $$1 } } \
+	  END { for (d in files) print "f", d, files[d] }' | \
+	while read type dir files; do \
+	     if test "$$dir" = .; then dir=; else dir=/$$dir; fi; \
+	     test -z "$$files" || { \
+	       echo " $(INSTALL_SCRIPT) $$files '$(DESTDIR)$(ipsecdir)$$dir'"; \
+	       $(INSTALL_SCRIPT) $$files "$(DESTDIR)$(ipsecdir)$$dir" || exit $$?; \
+	     } \
+	; done
+
+uninstall-ipsecSCRIPTS:
+	@$(NORMAL_UNINSTALL)
+	@list='$(ipsec_SCRIPTS)'; test -n "$(ipsecdir)" || exit 0; \
+	files=`for p in $$list; do echo "$$p"; done | \
+	       sed -e 's,.*/,,;$(transform)'`; \
+	dir='$(DESTDIR)$(ipsecdir)'; $(am__uninstall_files_from_dir)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -500,13 +638,19 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/imc_msg.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/imcv.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/imv_agent.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/imv_database.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/imv_lang_string.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/imv_msg.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/imv_policy_manager.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/imv_policy_manager_usage.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/imv_reason_string.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/imv_remediation_string.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/imv_session.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/imv_workitem.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ita_attr.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ita_attr_angel.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ita_attr_command.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ita_attr_device_id.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ita_attr_dummy.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ita_attr_get_settings.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ita_attr_settings.Plo@am__quote@
@@ -515,228 +659,284 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pa_tnc_msg.Plo@am__quote@
 
 .c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
 imc_agent.lo: imc/imc_agent.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT imc_agent.lo -MD -MP -MF $(DEPDIR)/imc_agent.Tpo -c -o imc_agent.lo `test -f 'imc/imc_agent.c' || echo '$(srcdir)/'`imc/imc_agent.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/imc_agent.Tpo $(DEPDIR)/imc_agent.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='imc/imc_agent.c' object='imc_agent.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT imc_agent.lo -MD -MP -MF $(DEPDIR)/imc_agent.Tpo -c -o imc_agent.lo `test -f 'imc/imc_agent.c' || echo '$(srcdir)/'`imc/imc_agent.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/imc_agent.Tpo $(DEPDIR)/imc_agent.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='imc/imc_agent.c' object='imc_agent.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o imc_agent.lo `test -f 'imc/imc_agent.c' || echo '$(srcdir)/'`imc/imc_agent.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o imc_agent.lo `test -f 'imc/imc_agent.c' || echo '$(srcdir)/'`imc/imc_agent.c
 
 imc_msg.lo: imc/imc_msg.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT imc_msg.lo -MD -MP -MF $(DEPDIR)/imc_msg.Tpo -c -o imc_msg.lo `test -f 'imc/imc_msg.c' || echo '$(srcdir)/'`imc/imc_msg.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/imc_msg.Tpo $(DEPDIR)/imc_msg.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='imc/imc_msg.c' object='imc_msg.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT imc_msg.lo -MD -MP -MF $(DEPDIR)/imc_msg.Tpo -c -o imc_msg.lo `test -f 'imc/imc_msg.c' || echo '$(srcdir)/'`imc/imc_msg.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/imc_msg.Tpo $(DEPDIR)/imc_msg.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='imc/imc_msg.c' object='imc_msg.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o imc_msg.lo `test -f 'imc/imc_msg.c' || echo '$(srcdir)/'`imc/imc_msg.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o imc_msg.lo `test -f 'imc/imc_msg.c' || echo '$(srcdir)/'`imc/imc_msg.c
 
 imv_agent.lo: imv/imv_agent.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT imv_agent.lo -MD -MP -MF $(DEPDIR)/imv_agent.Tpo -c -o imv_agent.lo `test -f 'imv/imv_agent.c' || echo '$(srcdir)/'`imv/imv_agent.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/imv_agent.Tpo $(DEPDIR)/imv_agent.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='imv/imv_agent.c' object='imv_agent.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT imv_agent.lo -MD -MP -MF $(DEPDIR)/imv_agent.Tpo -c -o imv_agent.lo `test -f 'imv/imv_agent.c' || echo '$(srcdir)/'`imv/imv_agent.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/imv_agent.Tpo $(DEPDIR)/imv_agent.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='imv/imv_agent.c' object='imv_agent.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o imv_agent.lo `test -f 'imv/imv_agent.c' || echo '$(srcdir)/'`imv/imv_agent.c
+
+imv_database.lo: imv/imv_database.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT imv_database.lo -MD -MP -MF $(DEPDIR)/imv_database.Tpo -c -o imv_database.lo `test -f 'imv/imv_database.c' || echo '$(srcdir)/'`imv/imv_database.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/imv_database.Tpo $(DEPDIR)/imv_database.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='imv/imv_database.c' object='imv_database.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o imv_agent.lo `test -f 'imv/imv_agent.c' || echo '$(srcdir)/'`imv/imv_agent.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o imv_database.lo `test -f 'imv/imv_database.c' || echo '$(srcdir)/'`imv/imv_database.c
 
 imv_msg.lo: imv/imv_msg.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT imv_msg.lo -MD -MP -MF $(DEPDIR)/imv_msg.Tpo -c -o imv_msg.lo `test -f 'imv/imv_msg.c' || echo '$(srcdir)/'`imv/imv_msg.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/imv_msg.Tpo $(DEPDIR)/imv_msg.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='imv/imv_msg.c' object='imv_msg.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT imv_msg.lo -MD -MP -MF $(DEPDIR)/imv_msg.Tpo -c -o imv_msg.lo `test -f 'imv/imv_msg.c' || echo '$(srcdir)/'`imv/imv_msg.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/imv_msg.Tpo $(DEPDIR)/imv_msg.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='imv/imv_msg.c' object='imv_msg.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o imv_msg.lo `test -f 'imv/imv_msg.c' || echo '$(srcdir)/'`imv/imv_msg.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o imv_msg.lo `test -f 'imv/imv_msg.c' || echo '$(srcdir)/'`imv/imv_msg.c
 
 imv_lang_string.lo: imv/imv_lang_string.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT imv_lang_string.lo -MD -MP -MF $(DEPDIR)/imv_lang_string.Tpo -c -o imv_lang_string.lo `test -f 'imv/imv_lang_string.c' || echo '$(srcdir)/'`imv/imv_lang_string.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/imv_lang_string.Tpo $(DEPDIR)/imv_lang_string.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='imv/imv_lang_string.c' object='imv_lang_string.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT imv_lang_string.lo -MD -MP -MF $(DEPDIR)/imv_lang_string.Tpo -c -o imv_lang_string.lo `test -f 'imv/imv_lang_string.c' || echo '$(srcdir)/'`imv/imv_lang_string.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/imv_lang_string.Tpo $(DEPDIR)/imv_lang_string.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='imv/imv_lang_string.c' object='imv_lang_string.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o imv_lang_string.lo `test -f 'imv/imv_lang_string.c' || echo '$(srcdir)/'`imv/imv_lang_string.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o imv_lang_string.lo `test -f 'imv/imv_lang_string.c' || echo '$(srcdir)/'`imv/imv_lang_string.c
 
 imv_reason_string.lo: imv/imv_reason_string.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT imv_reason_string.lo -MD -MP -MF $(DEPDIR)/imv_reason_string.Tpo -c -o imv_reason_string.lo `test -f 'imv/imv_reason_string.c' || echo '$(srcdir)/'`imv/imv_reason_string.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/imv_reason_string.Tpo $(DEPDIR)/imv_reason_string.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='imv/imv_reason_string.c' object='imv_reason_string.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT imv_reason_string.lo -MD -MP -MF $(DEPDIR)/imv_reason_string.Tpo -c -o imv_reason_string.lo `test -f 'imv/imv_reason_string.c' || echo '$(srcdir)/'`imv/imv_reason_string.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/imv_reason_string.Tpo $(DEPDIR)/imv_reason_string.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='imv/imv_reason_string.c' object='imv_reason_string.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o imv_reason_string.lo `test -f 'imv/imv_reason_string.c' || echo '$(srcdir)/'`imv/imv_reason_string.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o imv_reason_string.lo `test -f 'imv/imv_reason_string.c' || echo '$(srcdir)/'`imv/imv_reason_string.c
 
 imv_remediation_string.lo: imv/imv_remediation_string.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT imv_remediation_string.lo -MD -MP -MF $(DEPDIR)/imv_remediation_string.Tpo -c -o imv_remediation_string.lo `test -f 'imv/imv_remediation_string.c' || echo '$(srcdir)/'`imv/imv_remediation_string.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/imv_remediation_string.Tpo $(DEPDIR)/imv_remediation_string.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='imv/imv_remediation_string.c' object='imv_remediation_string.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT imv_remediation_string.lo -MD -MP -MF $(DEPDIR)/imv_remediation_string.Tpo -c -o imv_remediation_string.lo `test -f 'imv/imv_remediation_string.c' || echo '$(srcdir)/'`imv/imv_remediation_string.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/imv_remediation_string.Tpo $(DEPDIR)/imv_remediation_string.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='imv/imv_remediation_string.c' object='imv_remediation_string.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o imv_remediation_string.lo `test -f 'imv/imv_remediation_string.c' || echo '$(srcdir)/'`imv/imv_remediation_string.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o imv_remediation_string.lo `test -f 'imv/imv_remediation_string.c' || echo '$(srcdir)/'`imv/imv_remediation_string.c
+
+imv_session.lo: imv/imv_session.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT imv_session.lo -MD -MP -MF $(DEPDIR)/imv_session.Tpo -c -o imv_session.lo `test -f 'imv/imv_session.c' || echo '$(srcdir)/'`imv/imv_session.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/imv_session.Tpo $(DEPDIR)/imv_session.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='imv/imv_session.c' object='imv_session.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o imv_session.lo `test -f 'imv/imv_session.c' || echo '$(srcdir)/'`imv/imv_session.c
+
+imv_workitem.lo: imv/imv_workitem.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT imv_workitem.lo -MD -MP -MF $(DEPDIR)/imv_workitem.Tpo -c -o imv_workitem.lo `test -f 'imv/imv_workitem.c' || echo '$(srcdir)/'`imv/imv_workitem.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/imv_workitem.Tpo $(DEPDIR)/imv_workitem.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='imv/imv_workitem.c' object='imv_workitem.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o imv_workitem.lo `test -f 'imv/imv_workitem.c' || echo '$(srcdir)/'`imv/imv_workitem.c
 
 ietf_attr.lo: ietf/ietf_attr.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ietf_attr.lo -MD -MP -MF $(DEPDIR)/ietf_attr.Tpo -c -o ietf_attr.lo `test -f 'ietf/ietf_attr.c' || echo '$(srcdir)/'`ietf/ietf_attr.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/ietf_attr.Tpo $(DEPDIR)/ietf_attr.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='ietf/ietf_attr.c' object='ietf_attr.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ietf_attr.lo -MD -MP -MF $(DEPDIR)/ietf_attr.Tpo -c -o ietf_attr.lo `test -f 'ietf/ietf_attr.c' || echo '$(srcdir)/'`ietf/ietf_attr.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/ietf_attr.Tpo $(DEPDIR)/ietf_attr.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='ietf/ietf_attr.c' object='ietf_attr.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ietf_attr.lo `test -f 'ietf/ietf_attr.c' || echo '$(srcdir)/'`ietf/ietf_attr.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ietf_attr.lo `test -f 'ietf/ietf_attr.c' || echo '$(srcdir)/'`ietf/ietf_attr.c
 
 ietf_attr_assess_result.lo: ietf/ietf_attr_assess_result.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ietf_attr_assess_result.lo -MD -MP -MF $(DEPDIR)/ietf_attr_assess_result.Tpo -c -o ietf_attr_assess_result.lo `test -f 'ietf/ietf_attr_assess_result.c' || echo '$(srcdir)/'`ietf/ietf_attr_assess_result.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/ietf_attr_assess_result.Tpo $(DEPDIR)/ietf_attr_assess_result.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='ietf/ietf_attr_assess_result.c' object='ietf_attr_assess_result.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ietf_attr_assess_result.lo -MD -MP -MF $(DEPDIR)/ietf_attr_assess_result.Tpo -c -o ietf_attr_assess_result.lo `test -f 'ietf/ietf_attr_assess_result.c' || echo '$(srcdir)/'`ietf/ietf_attr_assess_result.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/ietf_attr_assess_result.Tpo $(DEPDIR)/ietf_attr_assess_result.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='ietf/ietf_attr_assess_result.c' object='ietf_attr_assess_result.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ietf_attr_assess_result.lo `test -f 'ietf/ietf_attr_assess_result.c' || echo '$(srcdir)/'`ietf/ietf_attr_assess_result.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ietf_attr_assess_result.lo `test -f 'ietf/ietf_attr_assess_result.c' || echo '$(srcdir)/'`ietf/ietf_attr_assess_result.c
 
 ietf_attr_attr_request.lo: ietf/ietf_attr_attr_request.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ietf_attr_attr_request.lo -MD -MP -MF $(DEPDIR)/ietf_attr_attr_request.Tpo -c -o ietf_attr_attr_request.lo `test -f 'ietf/ietf_attr_attr_request.c' || echo '$(srcdir)/'`ietf/ietf_attr_attr_request.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/ietf_attr_attr_request.Tpo $(DEPDIR)/ietf_attr_attr_request.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='ietf/ietf_attr_attr_request.c' object='ietf_attr_attr_request.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ietf_attr_attr_request.lo -MD -MP -MF $(DEPDIR)/ietf_attr_attr_request.Tpo -c -o ietf_attr_attr_request.lo `test -f 'ietf/ietf_attr_attr_request.c' || echo '$(srcdir)/'`ietf/ietf_attr_attr_request.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/ietf_attr_attr_request.Tpo $(DEPDIR)/ietf_attr_attr_request.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='ietf/ietf_attr_attr_request.c' object='ietf_attr_attr_request.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ietf_attr_attr_request.lo `test -f 'ietf/ietf_attr_attr_request.c' || echo '$(srcdir)/'`ietf/ietf_attr_attr_request.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ietf_attr_attr_request.lo `test -f 'ietf/ietf_attr_attr_request.c' || echo '$(srcdir)/'`ietf/ietf_attr_attr_request.c
 
 ietf_attr_fwd_enabled.lo: ietf/ietf_attr_fwd_enabled.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ietf_attr_fwd_enabled.lo -MD -MP -MF $(DEPDIR)/ietf_attr_fwd_enabled.Tpo -c -o ietf_attr_fwd_enabled.lo `test -f 'ietf/ietf_attr_fwd_enabled.c' || echo '$(srcdir)/'`ietf/ietf_attr_fwd_enabled.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/ietf_attr_fwd_enabled.Tpo $(DEPDIR)/ietf_attr_fwd_enabled.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='ietf/ietf_attr_fwd_enabled.c' object='ietf_attr_fwd_enabled.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ietf_attr_fwd_enabled.lo -MD -MP -MF $(DEPDIR)/ietf_attr_fwd_enabled.Tpo -c -o ietf_attr_fwd_enabled.lo `test -f 'ietf/ietf_attr_fwd_enabled.c' || echo '$(srcdir)/'`ietf/ietf_attr_fwd_enabled.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/ietf_attr_fwd_enabled.Tpo $(DEPDIR)/ietf_attr_fwd_enabled.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='ietf/ietf_attr_fwd_enabled.c' object='ietf_attr_fwd_enabled.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ietf_attr_fwd_enabled.lo `test -f 'ietf/ietf_attr_fwd_enabled.c' || echo '$(srcdir)/'`ietf/ietf_attr_fwd_enabled.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ietf_attr_fwd_enabled.lo `test -f 'ietf/ietf_attr_fwd_enabled.c' || echo '$(srcdir)/'`ietf/ietf_attr_fwd_enabled.c
 
 ietf_attr_default_pwd_enabled.lo: ietf/ietf_attr_default_pwd_enabled.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ietf_attr_default_pwd_enabled.lo -MD -MP -MF $(DEPDIR)/ietf_attr_default_pwd_enabled.Tpo -c -o ietf_attr_default_pwd_enabled.lo `test -f 'ietf/ietf_attr_default_pwd_enabled.c' || echo '$(srcdir)/'`ietf/ietf_attr_default_pwd_enabled.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/ietf_attr_default_pwd_enabled.Tpo $(DEPDIR)/ietf_attr_default_pwd_enabled.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='ietf/ietf_attr_default_pwd_enabled.c' object='ietf_attr_default_pwd_enabled.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ietf_attr_default_pwd_enabled.lo -MD -MP -MF $(DEPDIR)/ietf_attr_default_pwd_enabled.Tpo -c -o ietf_attr_default_pwd_enabled.lo `test -f 'ietf/ietf_attr_default_pwd_enabled.c' || echo '$(srcdir)/'`ietf/ietf_attr_default_pwd_enabled.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/ietf_attr_default_pwd_enabled.Tpo $(DEPDIR)/ietf_attr_default_pwd_enabled.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='ietf/ietf_attr_default_pwd_enabled.c' object='ietf_attr_default_pwd_enabled.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ietf_attr_default_pwd_enabled.lo `test -f 'ietf/ietf_attr_default_pwd_enabled.c' || echo '$(srcdir)/'`ietf/ietf_attr_default_pwd_enabled.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ietf_attr_default_pwd_enabled.lo `test -f 'ietf/ietf_attr_default_pwd_enabled.c' || echo '$(srcdir)/'`ietf/ietf_attr_default_pwd_enabled.c
 
 ietf_attr_installed_packages.lo: ietf/ietf_attr_installed_packages.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ietf_attr_installed_packages.lo -MD -MP -MF $(DEPDIR)/ietf_attr_installed_packages.Tpo -c -o ietf_attr_installed_packages.lo `test -f 'ietf/ietf_attr_installed_packages.c' || echo '$(srcdir)/'`ietf/ietf_attr_installed_packages.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/ietf_attr_installed_packages.Tpo $(DEPDIR)/ietf_attr_installed_packages.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='ietf/ietf_attr_installed_packages.c' object='ietf_attr_installed_packages.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ietf_attr_installed_packages.lo -MD -MP -MF $(DEPDIR)/ietf_attr_installed_packages.Tpo -c -o ietf_attr_installed_packages.lo `test -f 'ietf/ietf_attr_installed_packages.c' || echo '$(srcdir)/'`ietf/ietf_attr_installed_packages.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/ietf_attr_installed_packages.Tpo $(DEPDIR)/ietf_attr_installed_packages.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='ietf/ietf_attr_installed_packages.c' object='ietf_attr_installed_packages.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ietf_attr_installed_packages.lo `test -f 'ietf/ietf_attr_installed_packages.c' || echo '$(srcdir)/'`ietf/ietf_attr_installed_packages.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ietf_attr_installed_packages.lo `test -f 'ietf/ietf_attr_installed_packages.c' || echo '$(srcdir)/'`ietf/ietf_attr_installed_packages.c
 
 ietf_attr_numeric_version.lo: ietf/ietf_attr_numeric_version.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ietf_attr_numeric_version.lo -MD -MP -MF $(DEPDIR)/ietf_attr_numeric_version.Tpo -c -o ietf_attr_numeric_version.lo `test -f 'ietf/ietf_attr_numeric_version.c' || echo '$(srcdir)/'`ietf/ietf_attr_numeric_version.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/ietf_attr_numeric_version.Tpo $(DEPDIR)/ietf_attr_numeric_version.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='ietf/ietf_attr_numeric_version.c' object='ietf_attr_numeric_version.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ietf_attr_numeric_version.lo -MD -MP -MF $(DEPDIR)/ietf_attr_numeric_version.Tpo -c -o ietf_attr_numeric_version.lo `test -f 'ietf/ietf_attr_numeric_version.c' || echo '$(srcdir)/'`ietf/ietf_attr_numeric_version.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/ietf_attr_numeric_version.Tpo $(DEPDIR)/ietf_attr_numeric_version.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='ietf/ietf_attr_numeric_version.c' object='ietf_attr_numeric_version.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ietf_attr_numeric_version.lo `test -f 'ietf/ietf_attr_numeric_version.c' || echo '$(srcdir)/'`ietf/ietf_attr_numeric_version.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ietf_attr_numeric_version.lo `test -f 'ietf/ietf_attr_numeric_version.c' || echo '$(srcdir)/'`ietf/ietf_attr_numeric_version.c
 
 ietf_attr_op_status.lo: ietf/ietf_attr_op_status.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ietf_attr_op_status.lo -MD -MP -MF $(DEPDIR)/ietf_attr_op_status.Tpo -c -o ietf_attr_op_status.lo `test -f 'ietf/ietf_attr_op_status.c' || echo '$(srcdir)/'`ietf/ietf_attr_op_status.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/ietf_attr_op_status.Tpo $(DEPDIR)/ietf_attr_op_status.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='ietf/ietf_attr_op_status.c' object='ietf_attr_op_status.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ietf_attr_op_status.lo -MD -MP -MF $(DEPDIR)/ietf_attr_op_status.Tpo -c -o ietf_attr_op_status.lo `test -f 'ietf/ietf_attr_op_status.c' || echo '$(srcdir)/'`ietf/ietf_attr_op_status.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/ietf_attr_op_status.Tpo $(DEPDIR)/ietf_attr_op_status.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='ietf/ietf_attr_op_status.c' object='ietf_attr_op_status.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ietf_attr_op_status.lo `test -f 'ietf/ietf_attr_op_status.c' || echo '$(srcdir)/'`ietf/ietf_attr_op_status.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ietf_attr_op_status.lo `test -f 'ietf/ietf_attr_op_status.c' || echo '$(srcdir)/'`ietf/ietf_attr_op_status.c
 
 ietf_attr_pa_tnc_error.lo: ietf/ietf_attr_pa_tnc_error.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ietf_attr_pa_tnc_error.lo -MD -MP -MF $(DEPDIR)/ietf_attr_pa_tnc_error.Tpo -c -o ietf_attr_pa_tnc_error.lo `test -f 'ietf/ietf_attr_pa_tnc_error.c' || echo '$(srcdir)/'`ietf/ietf_attr_pa_tnc_error.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/ietf_attr_pa_tnc_error.Tpo $(DEPDIR)/ietf_attr_pa_tnc_error.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='ietf/ietf_attr_pa_tnc_error.c' object='ietf_attr_pa_tnc_error.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ietf_attr_pa_tnc_error.lo -MD -MP -MF $(DEPDIR)/ietf_attr_pa_tnc_error.Tpo -c -o ietf_attr_pa_tnc_error.lo `test -f 'ietf/ietf_attr_pa_tnc_error.c' || echo '$(srcdir)/'`ietf/ietf_attr_pa_tnc_error.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/ietf_attr_pa_tnc_error.Tpo $(DEPDIR)/ietf_attr_pa_tnc_error.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='ietf/ietf_attr_pa_tnc_error.c' object='ietf_attr_pa_tnc_error.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ietf_attr_pa_tnc_error.lo `test -f 'ietf/ietf_attr_pa_tnc_error.c' || echo '$(srcdir)/'`ietf/ietf_attr_pa_tnc_error.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ietf_attr_pa_tnc_error.lo `test -f 'ietf/ietf_attr_pa_tnc_error.c' || echo '$(srcdir)/'`ietf/ietf_attr_pa_tnc_error.c
 
 ietf_attr_port_filter.lo: ietf/ietf_attr_port_filter.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ietf_attr_port_filter.lo -MD -MP -MF $(DEPDIR)/ietf_attr_port_filter.Tpo -c -o ietf_attr_port_filter.lo `test -f 'ietf/ietf_attr_port_filter.c' || echo '$(srcdir)/'`ietf/ietf_attr_port_filter.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/ietf_attr_port_filter.Tpo $(DEPDIR)/ietf_attr_port_filter.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='ietf/ietf_attr_port_filter.c' object='ietf_attr_port_filter.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ietf_attr_port_filter.lo -MD -MP -MF $(DEPDIR)/ietf_attr_port_filter.Tpo -c -o ietf_attr_port_filter.lo `test -f 'ietf/ietf_attr_port_filter.c' || echo '$(srcdir)/'`ietf/ietf_attr_port_filter.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/ietf_attr_port_filter.Tpo $(DEPDIR)/ietf_attr_port_filter.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='ietf/ietf_attr_port_filter.c' object='ietf_attr_port_filter.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ietf_attr_port_filter.lo `test -f 'ietf/ietf_attr_port_filter.c' || echo '$(srcdir)/'`ietf/ietf_attr_port_filter.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ietf_attr_port_filter.lo `test -f 'ietf/ietf_attr_port_filter.c' || echo '$(srcdir)/'`ietf/ietf_attr_port_filter.c
 
 ietf_attr_product_info.lo: ietf/ietf_attr_product_info.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ietf_attr_product_info.lo -MD -MP -MF $(DEPDIR)/ietf_attr_product_info.Tpo -c -o ietf_attr_product_info.lo `test -f 'ietf/ietf_attr_product_info.c' || echo '$(srcdir)/'`ietf/ietf_attr_product_info.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/ietf_attr_product_info.Tpo $(DEPDIR)/ietf_attr_product_info.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='ietf/ietf_attr_product_info.c' object='ietf_attr_product_info.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ietf_attr_product_info.lo -MD -MP -MF $(DEPDIR)/ietf_attr_product_info.Tpo -c -o ietf_attr_product_info.lo `test -f 'ietf/ietf_attr_product_info.c' || echo '$(srcdir)/'`ietf/ietf_attr_product_info.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/ietf_attr_product_info.Tpo $(DEPDIR)/ietf_attr_product_info.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='ietf/ietf_attr_product_info.c' object='ietf_attr_product_info.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ietf_attr_product_info.lo `test -f 'ietf/ietf_attr_product_info.c' || echo '$(srcdir)/'`ietf/ietf_attr_product_info.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ietf_attr_product_info.lo `test -f 'ietf/ietf_attr_product_info.c' || echo '$(srcdir)/'`ietf/ietf_attr_product_info.c
 
 ietf_attr_remediation_instr.lo: ietf/ietf_attr_remediation_instr.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ietf_attr_remediation_instr.lo -MD -MP -MF $(DEPDIR)/ietf_attr_remediation_instr.Tpo -c -o ietf_attr_remediation_instr.lo `test -f 'ietf/ietf_attr_remediation_instr.c' || echo '$(srcdir)/'`ietf/ietf_attr_remediation_instr.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/ietf_attr_remediation_instr.Tpo $(DEPDIR)/ietf_attr_remediation_instr.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='ietf/ietf_attr_remediation_instr.c' object='ietf_attr_remediation_instr.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ietf_attr_remediation_instr.lo -MD -MP -MF $(DEPDIR)/ietf_attr_remediation_instr.Tpo -c -o ietf_attr_remediation_instr.lo `test -f 'ietf/ietf_attr_remediation_instr.c' || echo '$(srcdir)/'`ietf/ietf_attr_remediation_instr.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/ietf_attr_remediation_instr.Tpo $(DEPDIR)/ietf_attr_remediation_instr.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='ietf/ietf_attr_remediation_instr.c' object='ietf_attr_remediation_instr.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ietf_attr_remediation_instr.lo `test -f 'ietf/ietf_attr_remediation_instr.c' || echo '$(srcdir)/'`ietf/ietf_attr_remediation_instr.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ietf_attr_remediation_instr.lo `test -f 'ietf/ietf_attr_remediation_instr.c' || echo '$(srcdir)/'`ietf/ietf_attr_remediation_instr.c
 
 ietf_attr_string_version.lo: ietf/ietf_attr_string_version.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ietf_attr_string_version.lo -MD -MP -MF $(DEPDIR)/ietf_attr_string_version.Tpo -c -o ietf_attr_string_version.lo `test -f 'ietf/ietf_attr_string_version.c' || echo '$(srcdir)/'`ietf/ietf_attr_string_version.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/ietf_attr_string_version.Tpo $(DEPDIR)/ietf_attr_string_version.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='ietf/ietf_attr_string_version.c' object='ietf_attr_string_version.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ietf_attr_string_version.lo -MD -MP -MF $(DEPDIR)/ietf_attr_string_version.Tpo -c -o ietf_attr_string_version.lo `test -f 'ietf/ietf_attr_string_version.c' || echo '$(srcdir)/'`ietf/ietf_attr_string_version.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/ietf_attr_string_version.Tpo $(DEPDIR)/ietf_attr_string_version.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='ietf/ietf_attr_string_version.c' object='ietf_attr_string_version.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ietf_attr_string_version.lo `test -f 'ietf/ietf_attr_string_version.c' || echo '$(srcdir)/'`ietf/ietf_attr_string_version.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ietf_attr_string_version.lo `test -f 'ietf/ietf_attr_string_version.c' || echo '$(srcdir)/'`ietf/ietf_attr_string_version.c
 
 ita_attr.lo: ita/ita_attr.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ita_attr.lo -MD -MP -MF $(DEPDIR)/ita_attr.Tpo -c -o ita_attr.lo `test -f 'ita/ita_attr.c' || echo '$(srcdir)/'`ita/ita_attr.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/ita_attr.Tpo $(DEPDIR)/ita_attr.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='ita/ita_attr.c' object='ita_attr.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ita_attr.lo -MD -MP -MF $(DEPDIR)/ita_attr.Tpo -c -o ita_attr.lo `test -f 'ita/ita_attr.c' || echo '$(srcdir)/'`ita/ita_attr.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/ita_attr.Tpo $(DEPDIR)/ita_attr.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='ita/ita_attr.c' object='ita_attr.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ita_attr.lo `test -f 'ita/ita_attr.c' || echo '$(srcdir)/'`ita/ita_attr.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ita_attr.lo `test -f 'ita/ita_attr.c' || echo '$(srcdir)/'`ita/ita_attr.c
 
 ita_attr_command.lo: ita/ita_attr_command.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ita_attr_command.lo -MD -MP -MF $(DEPDIR)/ita_attr_command.Tpo -c -o ita_attr_command.lo `test -f 'ita/ita_attr_command.c' || echo '$(srcdir)/'`ita/ita_attr_command.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/ita_attr_command.Tpo $(DEPDIR)/ita_attr_command.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='ita/ita_attr_command.c' object='ita_attr_command.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ita_attr_command.lo -MD -MP -MF $(DEPDIR)/ita_attr_command.Tpo -c -o ita_attr_command.lo `test -f 'ita/ita_attr_command.c' || echo '$(srcdir)/'`ita/ita_attr_command.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/ita_attr_command.Tpo $(DEPDIR)/ita_attr_command.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='ita/ita_attr_command.c' object='ita_attr_command.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ita_attr_command.lo `test -f 'ita/ita_attr_command.c' || echo '$(srcdir)/'`ita/ita_attr_command.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ita_attr_command.lo `test -f 'ita/ita_attr_command.c' || echo '$(srcdir)/'`ita/ita_attr_command.c
 
 ita_attr_dummy.lo: ita/ita_attr_dummy.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ita_attr_dummy.lo -MD -MP -MF $(DEPDIR)/ita_attr_dummy.Tpo -c -o ita_attr_dummy.lo `test -f 'ita/ita_attr_dummy.c' || echo '$(srcdir)/'`ita/ita_attr_dummy.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/ita_attr_dummy.Tpo $(DEPDIR)/ita_attr_dummy.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='ita/ita_attr_dummy.c' object='ita_attr_dummy.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ita_attr_dummy.lo -MD -MP -MF $(DEPDIR)/ita_attr_dummy.Tpo -c -o ita_attr_dummy.lo `test -f 'ita/ita_attr_dummy.c' || echo '$(srcdir)/'`ita/ita_attr_dummy.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/ita_attr_dummy.Tpo $(DEPDIR)/ita_attr_dummy.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='ita/ita_attr_dummy.c' object='ita_attr_dummy.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ita_attr_dummy.lo `test -f 'ita/ita_attr_dummy.c' || echo '$(srcdir)/'`ita/ita_attr_dummy.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ita_attr_dummy.lo `test -f 'ita/ita_attr_dummy.c' || echo '$(srcdir)/'`ita/ita_attr_dummy.c
 
 ita_attr_get_settings.lo: ita/ita_attr_get_settings.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ita_attr_get_settings.lo -MD -MP -MF $(DEPDIR)/ita_attr_get_settings.Tpo -c -o ita_attr_get_settings.lo `test -f 'ita/ita_attr_get_settings.c' || echo '$(srcdir)/'`ita/ita_attr_get_settings.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/ita_attr_get_settings.Tpo $(DEPDIR)/ita_attr_get_settings.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='ita/ita_attr_get_settings.c' object='ita_attr_get_settings.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ita_attr_get_settings.lo -MD -MP -MF $(DEPDIR)/ita_attr_get_settings.Tpo -c -o ita_attr_get_settings.lo `test -f 'ita/ita_attr_get_settings.c' || echo '$(srcdir)/'`ita/ita_attr_get_settings.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/ita_attr_get_settings.Tpo $(DEPDIR)/ita_attr_get_settings.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='ita/ita_attr_get_settings.c' object='ita_attr_get_settings.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ita_attr_get_settings.lo `test -f 'ita/ita_attr_get_settings.c' || echo '$(srcdir)/'`ita/ita_attr_get_settings.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ita_attr_get_settings.lo `test -f 'ita/ita_attr_get_settings.c' || echo '$(srcdir)/'`ita/ita_attr_get_settings.c
 
 ita_attr_settings.lo: ita/ita_attr_settings.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ita_attr_settings.lo -MD -MP -MF $(DEPDIR)/ita_attr_settings.Tpo -c -o ita_attr_settings.lo `test -f 'ita/ita_attr_settings.c' || echo '$(srcdir)/'`ita/ita_attr_settings.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/ita_attr_settings.Tpo $(DEPDIR)/ita_attr_settings.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='ita/ita_attr_settings.c' object='ita_attr_settings.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ita_attr_settings.lo -MD -MP -MF $(DEPDIR)/ita_attr_settings.Tpo -c -o ita_attr_settings.lo `test -f 'ita/ita_attr_settings.c' || echo '$(srcdir)/'`ita/ita_attr_settings.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/ita_attr_settings.Tpo $(DEPDIR)/ita_attr_settings.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='ita/ita_attr_settings.c' object='ita_attr_settings.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ita_attr_settings.lo `test -f 'ita/ita_attr_settings.c' || echo '$(srcdir)/'`ita/ita_attr_settings.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ita_attr_settings.lo `test -f 'ita/ita_attr_settings.c' || echo '$(srcdir)/'`ita/ita_attr_settings.c
 
 ita_attr_angel.lo: ita/ita_attr_angel.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ita_attr_angel.lo -MD -MP -MF $(DEPDIR)/ita_attr_angel.Tpo -c -o ita_attr_angel.lo `test -f 'ita/ita_attr_angel.c' || echo '$(srcdir)/'`ita/ita_attr_angel.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/ita_attr_angel.Tpo $(DEPDIR)/ita_attr_angel.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='ita/ita_attr_angel.c' object='ita_attr_angel.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ita_attr_angel.lo -MD -MP -MF $(DEPDIR)/ita_attr_angel.Tpo -c -o ita_attr_angel.lo `test -f 'ita/ita_attr_angel.c' || echo '$(srcdir)/'`ita/ita_attr_angel.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/ita_attr_angel.Tpo $(DEPDIR)/ita_attr_angel.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='ita/ita_attr_angel.c' object='ita_attr_angel.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ita_attr_angel.lo `test -f 'ita/ita_attr_angel.c' || echo '$(srcdir)/'`ita/ita_attr_angel.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ita_attr_angel.lo `test -f 'ita/ita_attr_angel.c' || echo '$(srcdir)/'`ita/ita_attr_angel.c
+
+ita_attr_device_id.lo: ita/ita_attr_device_id.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ita_attr_device_id.lo -MD -MP -MF $(DEPDIR)/ita_attr_device_id.Tpo -c -o ita_attr_device_id.lo `test -f 'ita/ita_attr_device_id.c' || echo '$(srcdir)/'`ita/ita_attr_device_id.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/ita_attr_device_id.Tpo $(DEPDIR)/ita_attr_device_id.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='ita/ita_attr_device_id.c' object='ita_attr_device_id.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ita_attr_device_id.lo `test -f 'ita/ita_attr_device_id.c' || echo '$(srcdir)/'`ita/ita_attr_device_id.c
 
 os_info.lo: os_info/os_info.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT os_info.lo -MD -MP -MF $(DEPDIR)/os_info.Tpo -c -o os_info.lo `test -f 'os_info/os_info.c' || echo '$(srcdir)/'`os_info/os_info.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/os_info.Tpo $(DEPDIR)/os_info.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='os_info/os_info.c' object='os_info.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT os_info.lo -MD -MP -MF $(DEPDIR)/os_info.Tpo -c -o os_info.lo `test -f 'os_info/os_info.c' || echo '$(srcdir)/'`os_info/os_info.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/os_info.Tpo $(DEPDIR)/os_info.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='os_info/os_info.c' object='os_info.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o os_info.lo `test -f 'os_info/os_info.c' || echo '$(srcdir)/'`os_info/os_info.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o os_info.lo `test -f 'os_info/os_info.c' || echo '$(srcdir)/'`os_info/os_info.c
 
 pa_tnc_msg.lo: pa_tnc/pa_tnc_msg.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT pa_tnc_msg.lo -MD -MP -MF $(DEPDIR)/pa_tnc_msg.Tpo -c -o pa_tnc_msg.lo `test -f 'pa_tnc/pa_tnc_msg.c' || echo '$(srcdir)/'`pa_tnc/pa_tnc_msg.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/pa_tnc_msg.Tpo $(DEPDIR)/pa_tnc_msg.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='pa_tnc/pa_tnc_msg.c' object='pa_tnc_msg.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT pa_tnc_msg.lo -MD -MP -MF $(DEPDIR)/pa_tnc_msg.Tpo -c -o pa_tnc_msg.lo `test -f 'pa_tnc/pa_tnc_msg.c' || echo '$(srcdir)/'`pa_tnc/pa_tnc_msg.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/pa_tnc_msg.Tpo $(DEPDIR)/pa_tnc_msg.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='pa_tnc/pa_tnc_msg.c' object='pa_tnc_msg.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o pa_tnc_msg.lo `test -f 'pa_tnc/pa_tnc_msg.c' || echo '$(srcdir)/'`pa_tnc/pa_tnc_msg.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o pa_tnc_msg.lo `test -f 'pa_tnc/pa_tnc_msg.c' || echo '$(srcdir)/'`pa_tnc/pa_tnc_msg.c
 
 pa_tnc_attr_manager.lo: pa_tnc/pa_tnc_attr_manager.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT pa_tnc_attr_manager.lo -MD -MP -MF $(DEPDIR)/pa_tnc_attr_manager.Tpo -c -o pa_tnc_attr_manager.lo `test -f 'pa_tnc/pa_tnc_attr_manager.c' || echo '$(srcdir)/'`pa_tnc/pa_tnc_attr_manager.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/pa_tnc_attr_manager.Tpo $(DEPDIR)/pa_tnc_attr_manager.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='pa_tnc/pa_tnc_attr_manager.c' object='pa_tnc_attr_manager.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT pa_tnc_attr_manager.lo -MD -MP -MF $(DEPDIR)/pa_tnc_attr_manager.Tpo -c -o pa_tnc_attr_manager.lo `test -f 'pa_tnc/pa_tnc_attr_manager.c' || echo '$(srcdir)/'`pa_tnc/pa_tnc_attr_manager.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/pa_tnc_attr_manager.Tpo $(DEPDIR)/pa_tnc_attr_manager.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='pa_tnc/pa_tnc_attr_manager.c' object='pa_tnc_attr_manager.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o pa_tnc_attr_manager.lo `test -f 'pa_tnc/pa_tnc_attr_manager.c' || echo '$(srcdir)/'`pa_tnc/pa_tnc_attr_manager.c
+
+imv_policy_manager.o: imv/imv_policy_manager.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT imv_policy_manager.o -MD -MP -MF $(DEPDIR)/imv_policy_manager.Tpo -c -o imv_policy_manager.o `test -f 'imv/imv_policy_manager.c' || echo '$(srcdir)/'`imv/imv_policy_manager.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/imv_policy_manager.Tpo $(DEPDIR)/imv_policy_manager.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='imv/imv_policy_manager.c' object='imv_policy_manager.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o imv_policy_manager.o `test -f 'imv/imv_policy_manager.c' || echo '$(srcdir)/'`imv/imv_policy_manager.c
+
+imv_policy_manager.obj: imv/imv_policy_manager.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT imv_policy_manager.obj -MD -MP -MF $(DEPDIR)/imv_policy_manager.Tpo -c -o imv_policy_manager.obj `if test -f 'imv/imv_policy_manager.c'; then $(CYGPATH_W) 'imv/imv_policy_manager.c'; else $(CYGPATH_W) '$(srcdir)/imv/imv_policy_manager.c'; fi`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/imv_policy_manager.Tpo $(DEPDIR)/imv_policy_manager.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='imv/imv_policy_manager.c' object='imv_policy_manager.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o imv_policy_manager.obj `if test -f 'imv/imv_policy_manager.c'; then $(CYGPATH_W) 'imv/imv_policy_manager.c'; else $(CYGPATH_W) '$(srcdir)/imv/imv_policy_manager.c'; fi`
+
+imv_policy_manager_usage.o: imv/imv_policy_manager_usage.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT imv_policy_manager_usage.o -MD -MP -MF $(DEPDIR)/imv_policy_manager_usage.Tpo -c -o imv_policy_manager_usage.o `test -f 'imv/imv_policy_manager_usage.c' || echo '$(srcdir)/'`imv/imv_policy_manager_usage.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/imv_policy_manager_usage.Tpo $(DEPDIR)/imv_policy_manager_usage.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='imv/imv_policy_manager_usage.c' object='imv_policy_manager_usage.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o imv_policy_manager_usage.o `test -f 'imv/imv_policy_manager_usage.c' || echo '$(srcdir)/'`imv/imv_policy_manager_usage.c
+
+imv_policy_manager_usage.obj: imv/imv_policy_manager_usage.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT imv_policy_manager_usage.obj -MD -MP -MF $(DEPDIR)/imv_policy_manager_usage.Tpo -c -o imv_policy_manager_usage.obj `if test -f 'imv/imv_policy_manager_usage.c'; then $(CYGPATH_W) 'imv/imv_policy_manager_usage.c'; else $(CYGPATH_W) '$(srcdir)/imv/imv_policy_manager_usage.c'; fi`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/imv_policy_manager_usage.Tpo $(DEPDIR)/imv_policy_manager_usage.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='imv/imv_policy_manager_usage.c' object='imv_policy_manager_usage.obj' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o pa_tnc_attr_manager.lo `test -f 'pa_tnc/pa_tnc_attr_manager.c' || echo '$(srcdir)/'`pa_tnc/pa_tnc_attr_manager.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o imv_policy_manager_usage.obj `if test -f 'imv/imv_policy_manager_usage.c'; then $(CYGPATH_W) 'imv/imv_policy_manager_usage.c'; else $(CYGPATH_W) '$(srcdir)/imv/imv_policy_manager_usage.c'; fi`
 
 mostlyclean-libtool:
 	-rm -f *.lo
@@ -936,10 +1136,10 @@ distdir: $(DISTFILES)
 	done
 check-am: all-am
 check: check-recursive
-all-am: Makefile $(LTLIBRARIES)
+all-am: Makefile $(LTLIBRARIES) $(PROGRAMS) $(SCRIPTS)
 installdirs: installdirs-recursive
 installdirs-am:
-	for dir in "$(DESTDIR)$(ipseclibdir)"; do \
+	for dir in "$(DESTDIR)$(ipseclibdir)" "$(DESTDIR)$(ipsecdir)" "$(DESTDIR)$(ipsecdir)"; do \
 	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
 	done
 install: install-recursive
@@ -974,8 +1174,8 @@ maintainer-clean-generic:
 	@echo "it deletes files that may require special tools to rebuild."
 clean: clean-recursive
 
-clean-am: clean-generic clean-ipseclibLTLIBRARIES clean-libtool \
-	mostlyclean-am
+clean-am: clean-generic clean-ipsecPROGRAMS clean-ipseclibLTLIBRARIES \
+	clean-libtool mostlyclean-am
 
 distclean: distclean-recursive
 	-rm -rf ./$(DEPDIR)
@@ -995,7 +1195,8 @@ info: info-recursive
 
 info-am:
 
-install-data-am: install-ipseclibLTLIBRARIES
+install-data-am: install-ipsecPROGRAMS install-ipsecSCRIPTS \
+	install-ipseclibLTLIBRARIES
 
 install-dvi: install-dvi-recursive
 
@@ -1041,26 +1242,29 @@ ps: ps-recursive
 
 ps-am:
 
-uninstall-am: uninstall-ipseclibLTLIBRARIES
+uninstall-am: uninstall-ipsecPROGRAMS uninstall-ipsecSCRIPTS \
+	uninstall-ipseclibLTLIBRARIES
 
 .MAKE: $(RECURSIVE_CLEAN_TARGETS) $(RECURSIVE_TARGETS) ctags-recursive \
 	install-am install-strip tags-recursive
 
 .PHONY: $(RECURSIVE_CLEAN_TARGETS) $(RECURSIVE_TARGETS) CTAGS GTAGS \
 	all all-am check check-am clean clean-generic \
-	clean-ipseclibLTLIBRARIES clean-libtool ctags ctags-recursive \
-	distclean distclean-compile distclean-generic \
-	distclean-libtool distclean-tags distdir dvi dvi-am html \
-	html-am info info-am install install-am install-data \
-	install-data-am install-dvi install-dvi-am install-exec \
-	install-exec-am install-html install-html-am install-info \
-	install-info-am install-ipseclibLTLIBRARIES install-man \
+	clean-ipsecPROGRAMS clean-ipseclibLTLIBRARIES clean-libtool \
+	ctags ctags-recursive distclean distclean-compile \
+	distclean-generic distclean-libtool distclean-tags distdir dvi \
+	dvi-am html html-am info info-am install install-am \
+	install-data install-data-am install-dvi install-dvi-am \
+	install-exec install-exec-am install-html install-html-am \
+	install-info install-info-am install-ipsecPROGRAMS \
+	install-ipsecSCRIPTS install-ipseclibLTLIBRARIES install-man \
 	install-pdf install-pdf-am install-ps install-ps-am \
 	install-strip installcheck installcheck-am installdirs \
 	installdirs-am maintainer-clean maintainer-clean-generic \
 	mostlyclean mostlyclean-compile mostlyclean-generic \
 	mostlyclean-libtool pdf pdf-am ps ps-am tags tags-recursive \
-	uninstall uninstall-am uninstall-ipseclibLTLIBRARIES
+	uninstall uninstall-am uninstall-ipsecPROGRAMS \
+	uninstall-ipsecSCRIPTS uninstall-ipseclibLTLIBRARIES
 
 
 # Tell versions [3.59,3.63) of GNU make to not export all variables.
diff --git a/src/libimcv/ietf/ietf_attr_attr_request.c b/src/libimcv/ietf/ietf_attr_attr_request.c
index 5dc487030..3b4fd26cd 100644
--- a/src/libimcv/ietf/ietf_attr_attr_request.c
+++ b/src/libimcv/ietf/ietf_attr_attr_request.c
@@ -234,7 +234,11 @@ pa_tnc_attr_t *ietf_attr_attr_request_create(pen_t vendor_id, u_int32_t type)
 		.list = linked_list_create(),
 		.ref = 1,
 	);
-	add(this, vendor_id, type);
+
+	if (vendor_id != PEN_RESERVED)
+	{
+		add(this, vendor_id, type);
+	}
 
 	return &this->public.pa_tnc_attribute;
 }
diff --git a/src/libimcv/imc/imc_agent.c b/src/libimcv/imc/imc_agent.c
index f309abe74..7dc3abddd 100644
--- a/src/libimcv/imc/imc_agent.c
+++ b/src/libimcv/imc/imc_agent.c
@@ -533,7 +533,7 @@ imc_agent_t *imc_agent_create(const char *name,
 	private_imc_agent_t *this;
 
 	/* initialize  or increase the reference count */
-	if (!libimcv_init())
+	if (!libimcv_init(FALSE))
 	{
 		return NULL;
 	}
diff --git a/src/libimcv/imcv.c b/src/libimcv/imcv.c
index 6cee0ad8f..b5862daee 100644
--- a/src/libimcv/imcv.c
+++ b/src/libimcv/imcv.c
@@ -22,13 +22,20 @@
 
 #include <syslog.h>
 
-#define IMCV_DEBUG_LEVEL	1
+#define IMCV_DEBUG_LEVEL			1
+#define IMCV_DEFAULT_POLICY_SCRIPT	"ipsec _imv_policy"
+
 
 /**
  * PA-TNC attribute manager
  */
 pa_tnc_attr_manager_t *imcv_pa_tnc_attributes;
 
+/**
+ * Global IMV database
+ */
+imv_database_t *imcv_db;
+
 /**
  * Reference count for libimcv
  */
@@ -88,7 +95,7 @@ static void imcv_dbg(debug_t group, level_t level, char *fmt, ...)
 /**
  * Described in header.
  */
-bool libimcv_init(void)
+bool libimcv_init(bool is_imv)
 {
 	/* initialize libstrongswan library only once */
 	if (lib)
@@ -117,8 +124,9 @@ bool libimcv_init(void)
 		dbg = imcv_dbg;
 		openlog("imcv", 0, LOG_DAEMON);
 
-		if (!lib->plugins->load(lib->plugins, NULL,
-							"sha1 sha2 random nonce gmp pubkey x509"))
+		if (!lib->plugins->load(lib->plugins,
+				lib->settings->get_str(lib->settings, "libimcv.load",
+					"random nonce gmp pubkey x509")))
 		{
 			library_deinit();
 			return FALSE;
@@ -128,12 +136,27 @@ bool libimcv_init(void)
 
 	if (libimcv_ref == 0)
 	{
+		char *uri, *script;
+
 		/* initialize the PA-TNC attribute manager */
 	 	imcv_pa_tnc_attributes = pa_tnc_attr_manager_create();
 		imcv_pa_tnc_attributes->add_vendor(imcv_pa_tnc_attributes, PEN_IETF,
 							ietf_attr_create_from_data, ietf_attr_names);
 		imcv_pa_tnc_attributes->add_vendor(imcv_pa_tnc_attributes, PEN_ITA,
 							ita_attr_create_from_data, ita_attr_names);
+
+		/* attach global IMV database */
+		if (is_imv)
+		{
+			uri = lib->settings->get_str(lib->settings,
+						"libimcv.database", NULL);
+			script = lib->settings->get_str(lib->settings,
+						"libimcv.policy_script", IMCV_DEFAULT_POLICY_SCRIPT);
+			if (uri)
+			{
+				imcv_db = imv_database_create(uri, script);
+			}
+		}
 		DBG1(DBG_LIB, "libimcv initialized");
 	}
 	ref_get(&libimcv_ref);
@@ -151,6 +174,8 @@ void libimcv_deinit(void)
 		imcv_pa_tnc_attributes->remove_vendor(imcv_pa_tnc_attributes, PEN_IETF);
 		imcv_pa_tnc_attributes->remove_vendor(imcv_pa_tnc_attributes, PEN_ITA);
 		DESTROY_IF(imcv_pa_tnc_attributes);
+		imcv_pa_tnc_attributes = NULL;
+		DESTROY_IF(imcv_db);
 		DBG1(DBG_LIB, "libimcv terminated");
 	}
 	if (ref_put(&libstrongswan_ref))
diff --git a/src/libimcv/imcv.h b/src/libimcv/imcv.h
index 3a37e3d8c..10c66e65a 100644
--- a/src/libimcv/imcv.h
+++ b/src/libimcv/imcv.h
@@ -35,15 +35,17 @@
 #define IMCV_H_
 
 #include "pa_tnc/pa_tnc_attr_manager.h"
+#include "imv/imv_database.h"
 
 #include <library.h>
 
 /**
  * Initialize libimcv.
  *
+ * @param is_imv		TRUE if called by IMV, FALSE if by IMC
  * @return				FALSE if initialization failed
  */
-bool libimcv_init(void);
+bool libimcv_init(bool is_imv);
 
 /**
  * Deinitialize libimcv.
@@ -55,4 +57,9 @@ void libimcv_deinit(void);
  */
 extern pa_tnc_attr_manager_t* imcv_pa_tnc_attributes;
 
+/**
+ * Global IMV database object
+ */
+extern imv_database_t* imcv_db;
+
 #endif /** IMCV_H_ @}*/
diff --git a/src/libimcv/imv/_imv_policy b/src/libimcv/imv/_imv_policy
new file mode 100755
index 000000000..68a963c27
--- /dev/null
+++ b/src/libimcv/imv/_imv_policy
@@ -0,0 +1,39 @@
+#! /bin/sh
+# default TNC policy command script
+#
+# Copyright 2013 Andreas Steffen
+# HSR Hochschule fuer Technik Rapperswil
+#
+# This program is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 2 of the License, or (at your
+# option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+# or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+# for more details.
+#
+# CAUTION:  Installing a new version of strongSwan will install a new
+# copy of this script, wiping out any custom changes you make.  If
+# you need changes, make a copy of this under another name, and customize
+# that, and use the "libimcv.policy_script = " option in strongswan.conf
+# to make strongSwan use yours instead of this default one.
+
+# Environment variables that this script gets 
+#
+#    TNC_SESSION_ID 
+#         unique session ID used as a reference by the policy 
+#         manager. 
+#
+case "$1" in
+start)
+	echo "start session $TNC_SESSION_ID"
+	;;
+stop)
+	echo "stop session $TNC_SESSION_ID"
+	;;
+*)	echo "$0: unknown command '$1'"
+	exit 1
+	;;
+esac
diff --git a/src/libimcv/imv/data.sql b/src/libimcv/imv/data.sql
new file mode 100644
index 000000000..35fd65753
--- /dev/null
+++ b/src/libimcv/imv/data.sql
@@ -0,0 +1,846 @@
+/* Products */
+
+INSERT INTO products (			/*  1 */
+  name
+) VALUES (
+ 'Debian 6.0 i686'
+);
+
+INSERT INTO products (			/*  2 */
+  name
+) VALUES (
+ 'Debian 6.0 x86_64'
+);
+
+INSERT INTO products (			/*  3 */
+  name
+) VALUES (
+ 'Debian 7.0 i686'
+);
+
+INSERT INTO products (			/*  4 */
+  name
+) VALUES (
+ 'Debian 7.0 x86_64'
+);
+
+INSERT INTO products (			/*  5 */
+  name
+) VALUES (
+ 'Debian 8.0 i686'
+);
+
+INSERT INTO products (			/*  6 */
+  name
+) VALUES (
+ 'Debian 8.0 x86_64'
+);
+
+INSERT INTO products (			/*  7 */
+  name
+) VALUES (
+ 'Ubuntu 10.04 i686'
+);
+
+INSERT INTO products (			/*  8 */
+  name
+) VALUES (
+ 'Ubuntu 10.04 x86_64'
+);
+
+INSERT INTO products (			/*  9 */
+  name
+) VALUES (
+ 'Ubuntu 10.10 i686'
+);
+
+INSERT INTO products (			/* 10 */
+  name
+) VALUES (
+ 'Ubuntu 10.10 x86_64'
+);
+
+INSERT INTO products (			/* 11 */
+  name
+) VALUES (
+ 'Ubuntu 11.04 i686'
+);
+
+INSERT INTO products (			/* 12 */
+  name
+) VALUES (
+ 'Ubuntu 11.04 x86_64'
+);
+
+INSERT INTO products (			/* 13 */
+  name
+) VALUES (
+ 'Ubuntu 11.10 i686'
+);
+
+INSERT INTO products (			/* 14 */
+  name
+) VALUES (
+ 'Ubuntu 11.10 x86_64'
+);
+
+INSERT INTO products (			/* 15 */
+  name
+) VALUES (
+ 'Ubuntu 12.04 i686'
+);
+
+INSERT INTO products (			/* 16 */
+  name
+) VALUES (
+ 'Ubuntu 12.04 x86_64'
+);
+
+INSERT INTO products (			/* 17 */
+  name
+) VALUES (
+ 'Ubuntu 12.10 i686'
+);
+
+INSERT INTO products (			/* 18 */
+  name
+) VALUES (
+ 'Ubuntu 12.10 x86_64'
+);
+
+INSERT INTO products (			/* 19 */
+  name
+) VALUES (
+ 'Ubuntu 13.04 i686'
+);
+
+INSERT INTO products (			/* 20 */
+  name
+) VALUES (
+ 'Ubuntu 13.04 x86_64'
+);
+
+INSERT INTO products (			/* 21 */
+  name
+) VALUES (
+ 'Android 4.1.1'
+);
+
+INSERT INTO products (			/* 22 */
+  name
+) VALUES (
+ 'Android 4.2.1'
+);
+
+/* Directories */
+
+INSERT INTO directories (		/*  1 */
+  path
+) VALUES (
+ '/bin'
+);
+
+INSERT INTO directories (		/*  2 */
+  path
+) VALUES (
+ '/etc'
+);
+
+INSERT INTO directories (		/*  3 */
+  path
+) VALUES (
+ '/lib'
+);
+
+INSERT INTO directories (		/*  4 */
+  path
+) VALUES (
+ '/lib/i386-linux-gnu'
+);
+
+INSERT INTO directories (		/*  5 */
+  path
+) VALUES (
+ '/lib/x86_64-linux-gnu'
+);
+
+INSERT INTO directories (		/*  6 */
+  path
+) VALUES (
+ '/lib/xtables'
+);
+
+INSERT INTO directories (		/*  7 */
+  path
+) VALUES (
+ '/sbin'
+);
+
+INSERT INTO directories (		/*  8 */
+  path
+) VALUES (
+ '/usr/bin'
+);
+
+INSERT INTO directories (		/*  9 */
+  path
+) VALUES (
+ '/usr/lib'
+);
+
+INSERT INTO directories (		/* 10 */
+  path
+) VALUES (
+ '/usr/lib/i386-linux-gnu'
+);
+
+INSERT INTO directories (		/* 11 */
+  path
+) VALUES (
+ '/usr/lib/x86_64-linux-gnu'
+);
+
+INSERT INTO directories (		/* 12 */
+  path
+) VALUES (
+ '/usr/sbin'
+);
+
+INSERT INTO directories (		/* 13 */
+  path
+) VALUES (
+ '/system/bin'
+);
+
+INSERT INTO directories (		/* 14 */
+  path
+) VALUES (
+ '/system/lib'
+);
+
+/* Files */
+
+INSERT INTO files (				/*  1 */
+  name, dir
+) VALUES (
+ 'libcrypto.so.1.0.0', 5
+);
+
+INSERT INTO files (				/*  2 */
+  name, dir
+) VALUES (
+ 'libcrypto.so.1.0.0', 11
+);
+
+INSERT INTO files (				/*  3 */
+  name, dir
+) VALUES (
+ 'libssl.so.1.0.0', 5
+);
+
+INSERT INTO files (				/*  4 */
+  name, dir
+) VALUES (
+ 'libssl.so.1.0.0', 11
+);
+
+INSERT INTO files (				/*  5 */
+  name, dir
+) VALUES (
+  'openssl', 8
+);
+
+INSERT INTO files (				/*  6 */
+  name, dir
+) VALUES (
+  'tnc_config', 2
+);
+
+/* Algorithms */
+
+INSERT INTO algorithms (
+  id, name
+) VALUES (
+  65536, 'SHA1-IMA' 
+);
+
+INSERT INTO algorithms (
+  id, name
+) VALUES (
+  32768, 'SHA1' 
+);
+
+INSERT INTO algorithms (
+  id, name
+) VALUES (
+  16384, 'SHA256' 
+);
+
+INSERT INTO algorithms (
+  id, name
+) VALUES (
+  8192, 'SHA384' 
+);
+
+/* File Hashes */
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  4, 2, 32768, X'6c6f8e12f6cbfba612e780374c4cdcd40f20968a' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  4, 2, 16384, X'dbcecd19d59310183cf5c31ddee29e8d7bec64d3f9583aad074330a1b3024b07' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  4, 2, 8192, X'197c5385e5853003188833d4f991136c1b0875fa416a60b1159f64e57e457b3184762c884a802a2bda194c058e3bd953' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  4, 4, 32768, X'3ad204f99eb7262efab79cfca02628870ea76361' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  4, 4, 16384, X'3a2170aad92fdd58b55e0e199822bc873cf587b2d1eb1ed7ed8dcea97ae86376' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  4, 4, 8192, X'f778076baa876b5e4b502494a3db081fb09dd870dee6991d54104a74b7e009c58fe261db5ffd13c11e08ef0cefcfa59f' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  4, 5, 32768, X'ecd9c7076cc0572724c7a67db7f19c2831e0445f' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  4, 5, 16384, X'28f3ea5afd34444c8232ea75003131e294a0c9b847de300e4b205d38c1a41305' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  4, 5, 8192, X'51921a8b9322f2d3f06d55002ff40a79da67e70cb563b2a50977642d603dfac2ccbb68b3d32a8bb350769b75d6254208' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  18, 1, 32768, X'd9309b9e45928239d7a7b18711e690792632cce4' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  18, 1, 16384, X'dbfa1856d278d8707c4989b30dd065b4bcd309908f0f2e6e66ff2aa83ff93f59' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  18, 1, 8192, X'fb8d027f03bb5ebb47741ed247eb9e174127b714d20229885feb37e0979aeb14a1b74020cded891d680441093625729c' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  18, 3, 32768, X'3715f2f94016a91fab5bbc503f0f1d43c5a9fc2b' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  18, 3, 16384, X'c03a5296b5decb87b01517f9927a8b2349dfb29ff9f5ba084f994c155ca5d4be' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  18, 3, 8192, X'b8bc345f56115235cc6091f61e312ce43ea54a5b99e7295002ae7b415fd35e06ec4c731ab70ad00d784bb53a318a2fa0' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  18, 5, 32768, X'e59602f4edf24c1b36199588886d06665d4adcd7' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  18, 5, 16384, X'090e1b77bda7fe665e498c6b5e09dbb7ddc5cfe57f213de48f4fb6736484f500' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  18, 5, 8192, X'7cbdb4612a13443dba910ecdef5161f2213e52c9b4a2eef14bcee5d287e9df931cd022e9e9715518ad9c9b6e3384a668' 
+);
+
+/* Packages */
+
+INSERT INTO packages (			/*  1 */
+  name
+) VALUES (
+ 'libssl-dev'
+);
+
+INSERT INTO packages (			/*  2 */
+  name
+) VALUES (
+ 'libssl1.0.0'
+);
+
+INSERT INTO packages (			/*  3 */
+  name
+) VALUES (
+ 'libssl1.0.0-dbg'
+);
+
+INSERT INTO packages (			/*  4 */
+  name
+) VALUES (
+ 'openssl'
+);
+
+/* Versions */
+
+INSERT INTO versions (
+  package, product, release, time
+) VALUES (
+  1, 4, '1.0.1e-2', 1366531494
+);
+
+INSERT INTO versions (
+  package, product, release, time
+) VALUES (
+  2, 4, '1.0.1e-2', 1366531494
+);
+
+INSERT INTO versions (
+  package, product, release, time
+) VALUES (
+  3, 4, '1.0.1e-2', 1366531494
+);
+
+INSERT INTO versions (
+  package, product, release, time
+) VALUES (
+  4, 4, '1.0.1e-2', 1366531494
+);
+
+/* Components */
+
+INSERT INTO components (
+  vendor_id, name, qualifier
+) VALUES (
+  36906, 1, 33  /* ITA TGRUB */
+);
+
+INSERT INTO components (
+  vendor_id, name, qualifier
+) VALUES (
+  36906, 2, 33  /* ITA TBOOT */
+);
+
+INSERT INTO components (
+  vendor_id, name, qualifier
+) VALUES (
+  36906, 3, 33  /* ITA IMA - Trusted Platform */
+);
+
+INSERT INTO components (
+  vendor_id, name, qualifier
+) VALUES (
+  36906, 3, 34  /* ITA IMA - Operating System */
+);
+
+/* Groups */
+
+INSERT INTO groups (			/*  1 */
+  name
+) VALUES (
+  'Default'
+);
+
+INSERT INTO groups (			/*  2 */
+  name, parent
+) VALUES (
+  'Linux', 1
+);
+
+INSERT INTO groups (			/*  3 */
+  name, parent
+) VALUES (
+  'Android', 1
+);
+
+INSERT INTO groups (			/*  4 */
+  name, parent
+) VALUES (
+  'Debian i686', 2
+);
+
+INSERT INTO groups (			/*  5 */
+  name, parent
+) VALUES (
+  'Debian x86_64', 2
+);
+
+INSERT INTO groups (			/*  6 */
+  name, parent
+) VALUES (
+  'Ubuntu i686', 2
+);
+
+INSERT INTO groups (			/*  7 */
+  name, parent
+) VALUES (
+  'Ubuntu x86_64', 2
+);
+
+INSERT INTO groups (			/*  8 */
+  name
+) VALUES (
+  'Reference'
+);
+
+INSERT INTO groups (			/*  9 */
+  name, parent
+) VALUES (
+  'Ref. Android', 8
+);
+
+INSERT INTO groups (			/* 10 */
+  name, parent
+) VALUES (
+  'Ref. Linux', 8
+);
+
+/* Default Product Groups */
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  4, 1
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  4, 3
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  4, 5
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  5, 2
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  5, 4
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  5, 6
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  6, 7
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  6, 9
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  6, 11
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  6, 13
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  6, 15
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  6, 17
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  6, 19
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  7, 8
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  7, 10
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  7, 12
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  7, 14
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  7, 16
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  7, 18
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  7, 20
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  3, 21
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  3, 22
+);
+
+/* Policies */
+
+INSERT INTO policies (			/*  1 */
+  type, name, rec_fail, rec_noresult
+) VALUES (
+  1, 'Installed Packages', 2, 2
+);
+
+INSERT INTO policies (			/*  2 */
+  type, name, rec_fail, rec_noresult
+) VALUES (
+  2, 'Unknown Source', 2, 2
+);
+
+INSERT INTO policies (			/*  3 */
+  type, name, rec_fail, rec_noresult
+) VALUES (
+  3, 'IP Forwarding Enabled',  1, 1
+);
+
+INSERT INTO policies (			/*  4 */
+  type, name, rec_fail, rec_noresult
+) VALUES (
+  4, 'Default Factory Password Enabled', 1, 1
+);
+
+INSERT INTO policies (			/*  5 */
+  type, name, file, rec_fail, rec_noresult
+) VALUES (
+  6, 'Measure /lib/x86_64-linux-gnu/libcrypto.so.1.0.0', 1, 2, 2
+);
+
+INSERT INTO policies (			/*  6 */
+  type, name, file, rec_fail, rec_noresult
+) VALUES (
+  6, 'Measure /lib/x86_64-linux-gnu/libssl.so.1.0.0', 3, 2, 2
+);
+
+INSERT INTO policies (			/*  7 */
+  type, name, file, rec_fail, rec_noresult
+) VALUES (
+  6, 'Measure /usr/bin/openssl', 5, 2, 2
+);
+
+INSERT INTO policies (			/*  8 */
+  type, name, rec_fail, rec_noresult
+) VALUES (
+  11, 'No Open TCP Ports', 1, 1
+);
+
+INSERT INTO policies (			/*  9 */
+  type, name, argument, rec_fail, rec_noresult
+) VALUES (
+  13, 'Open UDP Ports', '500 4500 10000-65000', 1, 1
+);
+
+INSERT INTO policies (			/* 10 */
+  type, name, file, rec_fail, rec_noresult
+) VALUES (
+  7, 'Metadata of /etc/tnc_config', 6, 0, 0
+);
+
+INSERT INTO policies (			/* 11 */
+  type, name, dir, rec_fail, rec_noresult
+) VALUES (
+  8, 'Get /bin', 1, 0, 0
+);
+
+INSERT INTO policies (			/*  12 */
+  type, name, file, rec_fail, rec_noresult
+) VALUES (
+  6, 'Measure /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0', 2, 2, 2
+);
+
+INSERT INTO policies (			/* 13 */
+  type, name, file, rec_fail, rec_noresult
+) VALUES (
+  6, 'Measure /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0', 4, 2, 2
+);
+
+INSERT INTO policies (			/* 14 */
+  type, name, dir, rec_fail, rec_noresult
+) VALUES (
+  8, 'Get /system/bin', 13, 0, 0
+);
+
+INSERT INTO policies (			/* 15 */
+  type, name, dir, rec_fail, rec_noresult
+) VALUES (
+  8, 'Get /system/lib', 14, 0, 0
+);
+
+/* Enforcements */
+
+INSERT INTO enforcements (
+  policy, group_id, max_age
+) VALUES (
+  1, 1, 86400
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age
+) VALUES (
+  2, 3, 0
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age
+) VALUES (
+  3, 2, 0
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age
+) VALUES (
+  5, 7, 86400
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age
+) VALUES (
+  6, 7, 86400
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age
+) VALUES (
+  7, 2, 86400
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age
+) VALUES (
+  8, 1, 60
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age
+) VALUES (
+  9, 1, 60
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age
+) VALUES (
+  10, 2, 60
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age
+) VALUES (
+  11, 10, 86400
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age
+) VALUES (
+  12, 5, 86400
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age
+) VALUES (
+  13, 5, 86400
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age
+) VALUES (
+  14, 9, 0
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age
+) VALUES (
+  15, 9, 0
+);
+
diff --git a/src/libimcv/imv/imv_agent.c b/src/libimcv/imv/imv_agent.c
index 879a0103a..435c25a3c 100644
--- a/src/libimcv/imv/imv_agent.c
+++ b/src/libimcv/imv/imv_agent.c
@@ -15,6 +15,8 @@
 
 #include "imcv.h"
 #include "imv_agent.h"
+#include "imv_session.h"
+
 #include "ietf/ietf_attr_assess_result.h"
 
 #include <tncif_names.h>
@@ -283,6 +285,7 @@ static bool delete_connection(private_imv_agent_t *this, TNC_ConnectionID id)
 {
 	enumerator_t *enumerator;
 	imv_state_t *state;
+	imv_session_t *session;
 	bool found = FALSE;
 
 	this->connection_lock->write_lock(this->connection_lock);
@@ -292,6 +295,11 @@ static bool delete_connection(private_imv_agent_t *this, TNC_ConnectionID id)
 		if (id == state->get_connection_id(state))
 		{
 			found = TRUE;
+			session = state->get_session(state);
+			if (session)
+			{
+				imcv_db->remove_session(imcv_db, session);
+			}
 			state->destroy(state);
 			this->connections->remove_at(this->connections, enumerator);
 			break;
@@ -402,11 +410,14 @@ METHOD(imv_agent_t, create_state, TNC_Result,
 {
 	TNC_ConnectionID conn_id;
 	char *tnccs_p = NULL, *tnccs_v = NULL, *t_p = NULL, *t_v = NULL;
-	bool has_long = FALSE, has_excl = FALSE, has_soh = FALSE;
+	bool has_long = FALSE, has_excl = FALSE, has_soh = FALSE, first = TRUE;
 	linked_list_t *ar_identities;
 	enumerator_t *enumerator;
 	tncif_identity_t *tnc_id;
+	imv_session_t *session;
 	u_int32_t max_msg_len;
+	u_int32_t ar_id_type = TNC_ID_UNKNOWN;
+	chunk_t ar_id_value = chunk_empty;
 
 	conn_id = state->get_connection_id(state);
 	if (find_connection(this, conn_id))
@@ -462,10 +473,31 @@ METHOD(imv_agent_t, create_state, TNC_Result,
 			 TNC_Subject_names, tcg_subject_type,
 			 id_value.len, id_value.ptr,
 			 TNC_Authentication_names, tcg_auth_type);
-		state->set_ar_id(state, tcg_id_type, id_value);
+
+		if (first)
+		{
+			ar_id_type = tcg_id_type;
+			ar_id_value = id_value;
+			state->set_ar_id(state, ar_id_type, ar_id_value);
+			first = FALSE;
+		}
 	}
 	enumerator->destroy(enumerator);
 
+	if (imcv_db)
+	{
+		session = imcv_db->add_session(imcv_db, conn_id, ar_id_type, ar_id_value);
+		if (session)
+		{
+			DBG2(DBG_IMV, "  assigned session ID %d",
+				 session->get_session_id(session));
+			state->set_session(state, session);
+		}
+		else
+		{
+			DBG1(DBG_IMV, "  no session ID assigned");
+		}
+	}
 	ar_identities->destroy_offset(ar_identities,
 						   offsetof(tncif_identity_t, destroy));
 	free(tnccs_p);
@@ -774,7 +806,7 @@ imv_agent_t *imv_agent_create(const char *name,
 	private_imv_agent_t *this;
 
 	/* initialize  or increase the reference count */
-	if (!libimcv_init())
+	if (!libimcv_init(TRUE))
 	{
 		return NULL;
 	}
diff --git a/src/libimcv/imv/imv_agent.h b/src/libimcv/imv/imv_agent.h
index 6f3d2b4b7..d58af260b 100644
--- a/src/libimcv/imv/imv_agent.h
+++ b/src/libimcv/imv/imv_agent.h
@@ -23,6 +23,7 @@
 #define IMV_AGENT_H_
 
 #include "imv_state.h"
+#include "imv_database.h"
 #include "pa_tnc/pa_tnc_msg.h"
 
 #include <tncifimv.h>
diff --git a/src/libimcv/imv/imv_agent_if.h b/src/libimcv/imv/imv_agent_if.h
new file mode 100644
index 000000000..db188793a
--- /dev/null
+++ b/src/libimcv/imv/imv_agent_if.h
@@ -0,0 +1,115 @@
+/*
+ * Copyright (C) 2013 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup imv_agent_if_t imv_agent_if
+ * @{ @ingroup imv_os
+ */
+
+#ifndef IMV_AGENT_IF_H_
+#define IMV_AGENT_IF_H_
+
+#include <tncifimv.h>
+
+#include <library.h>
+
+typedef struct imv_agent_if_t imv_agent_if_t;
+
+/**
+ * IF-IMV interface for IMV agents
+ */
+struct imv_agent_if_t {
+
+	/**
+	 * Implements the TNC_IMV_ProvideBindFunction function of the IMV
+	 *
+	 * @param bind_function		Function offered by the TNCS
+	 * @return					TNC result code
+	 */
+	TNC_Result (*bind_functions)(imv_agent_if_t *this,
+								 TNC_TNCS_BindFunctionPointer bind_function);
+
+	/**
+	 * Implements the TNC_IMV_NotifyConnectionChange() function of the IMV
+	 *
+	 * @param id				Network connection ID assigned by TNCS
+	 * @param new_state			New connection state to be set
+	 * @return					TNC result code
+	 */
+	TNC_Result (*notify_connection_change)(imv_agent_if_t *this,
+										   TNC_ConnectionID id,
+										   TNC_ConnectionState new_state);
+
+	/**
+	 * Implements the TNC_IMV_ReceiveMessage() function of the IMV
+	 *
+	 * @param id				Network connection ID assigned by TNCS
+	 * @param msg_type			PA-TNC message type
+	 * @param msg				Received message
+	 * @return					TNC result code
+	 */
+	TNC_Result (*receive_message)(imv_agent_if_t *this, TNC_ConnectionID id,
+								  TNC_MessageType msg_type, chunk_t msg);
+
+	/**
+	 * Implements the TNC_IMV_ReceiveMessageLong() function of the IMV
+	 *
+	 * @param id				Network connection ID assigned by TNCS
+	 * @param src_imc_id		ID of source IMC
+	 * @param dst_imv_id		ID of destination IMV
+	 * @param msg_vid			Vendor ID of message type
+	 * @param msg_subtype		PA-TNC message subtype
+	 * @param msg				Received message
+	 * @return					TNC result code
+	 */
+	TNC_Result (*receive_message_long)(imv_agent_if_t *this,
+									   TNC_ConnectionID id,
+									   TNC_UInt32 src_imc_id,
+									   TNC_UInt32 dst_imv_id,
+									   TNC_VendorID msg_vid,
+									   TNC_MessageSubtype msg_subtype,
+									   chunk_t msg);
+
+	/**
+	 * Implements the TNC_IMV_BatchEnding() function of the IMV
+	 *
+	 * @param id				Network connection ID assigned by TNCS
+	 * @return					TNC result code
+	 */
+	TNC_Result (*batch_ending)(imv_agent_if_t *this, TNC_ConnectionID id);
+
+	/**
+	 * Implements the TNC_IMV_SolicitRecommendation() function of the IMV
+	 *
+	 * @param id				Network connection ID assigned by TNCS
+	 * @return					TNC result code
+	 */
+	TNC_Result (*solicit_recommendation)(imv_agent_if_t *this,
+										 TNC_ConnectionID id);
+
+	/**
+	 * Destroys an imv_agent_if_t object
+	 */
+	void (*destroy)(imv_agent_if_t *this);
+
+};
+
+/**
+ * Constructor template
+ */
+typedef imv_agent_if_t* (*imv_agent_create_t)(const char* name, TNC_IMVID id,
+											  TNC_Version *actual_version);
+
+#endif /** IMV_AGENT_IF_H_ @}*/
diff --git a/src/libimcv/imv/imv_database.c b/src/libimcv/imv/imv_database.c
new file mode 100644
index 000000000..dc7edd7aa
--- /dev/null
+++ b/src/libimcv/imv/imv_database.c
@@ -0,0 +1,381 @@
+/*
+ * Copyright (C) 2013 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#define _GNU_SOURCE
+
+#include <stdio.h>
+#include <stdarg.h>
+#include <string.h>
+#include <time.h>
+
+#include "imv_database.h"
+
+#include <utils/debug.h>
+#include <threading/mutex.h>
+
+typedef struct private_imv_database_t private_imv_database_t;
+
+/**
+ * Private data of a imv_database_t object.
+ */
+struct private_imv_database_t {
+
+	/**
+	 * Public imv_database_t interface.
+	 */
+	imv_database_t public;
+
+	/**
+	 * database instance
+	 */
+	database_t *db;
+
+	/**
+	 * policy script
+	 */
+	char *script;
+
+	/**
+	 * Session list
+	 */
+	linked_list_t *sessions;
+
+	/**
+	 * mutex used to lock session list
+	 */
+	mutex_t *mutex;
+
+};
+
+METHOD(imv_database_t, add_session, imv_session_t*,
+	private_imv_database_t *this, TNC_ConnectionID conn_id,
+	u_int32_t ar_id_type, chunk_t ar_id_value)
+{
+	enumerator_t *enumerator, *e;
+	imv_session_t *current, *session = NULL;
+	int ar_id = 0, session_id;
+	u_int created;
+
+	this->mutex->lock(this->mutex);
+
+	/* check if a session has already been assigned */
+	enumerator = this->sessions->create_enumerator(this->sessions);
+	while (enumerator->enumerate(enumerator, &current))
+	{
+		if (conn_id == current->get_connection_id(current))
+		{
+			session = current;
+			break;
+		}
+	}
+	enumerator->destroy(enumerator);
+
+	/* session already exists */
+	if (session)
+	{
+		this->mutex->unlock(this->mutex);
+		return session->get_ref(session);
+	}
+
+	if (ar_id_value.len)
+	{
+		/* get primary key of AR identity if it exists */
+		e = this->db->query(this->db,
+				"SELECT id FROM identities WHERE type = ? AND value = ?",
+				DB_INT, ar_id_type, DB_BLOB, ar_id_value, DB_INT);
+		if (e)
+		{
+			e->enumerate(e, &ar_id);
+			e->destroy(e);
+		}
+
+		/* if AR identity has not been found - register it */
+		if (!ar_id)
+		{
+			this->db->execute(this->db, &ar_id,
+				"INSERT INTO identities (type, value) VALUES (?, ?)",
+				 DB_INT, ar_id_type, DB_BLOB, ar_id_value);
+		}
+	}
+	/* create a new session entry */
+	created = time(NULL);
+	this->db->execute(this->db, &session_id,
+				"INSERT INTO sessions (time, connection, identity) "
+				"VALUES (?, ?, ?)",
+				DB_UINT, created, DB_INT, conn_id, DB_INT, ar_id);
+	session = imv_session_create(session_id, conn_id);
+	this->sessions->insert_last(this->sessions, session);
+
+	this->mutex->unlock(this->mutex);
+
+	return session;
+}
+
+METHOD(imv_database_t, remove_session, void,
+	private_imv_database_t *this, imv_session_t *session)
+{
+	enumerator_t *enumerator;
+	imv_session_t *current;
+
+	this->mutex->lock(this->mutex);
+	enumerator = this->sessions->create_enumerator(this->sessions);
+	while (enumerator->enumerate(enumerator, &current))
+	{
+		if (current == session)
+		{
+			this->sessions->remove_at(this->sessions, enumerator);
+			break;
+		}
+	}
+	enumerator->destroy(enumerator);
+	this->mutex->unlock(this->mutex);
+}
+
+METHOD(imv_database_t, add_product, int,
+	private_imv_database_t *this, imv_session_t *session, char *product)
+{
+	enumerator_t *e;
+	int pid = 0;
+
+	/* get primary key of product info string if it exists */
+	e = this->db->query(this->db,
+			"SELECT id FROM products WHERE name = ?", DB_TEXT, product, DB_INT);
+	if (e)
+	{
+		e->enumerate(e, &pid);
+		e->destroy(e);
+	}
+
+	/* if product info string has not been found - register it */
+	if (!pid)
+	{
+		this->db->execute(this->db, &pid,
+			"INSERT INTO products (name) VALUES (?)", DB_TEXT, product);
+	}
+	
+	/* add product reference to session */
+	if (pid)
+	{
+		this->db->execute(this->db, NULL,
+			"UPDATE sessions SET product = ? WHERE id = ?",
+			 DB_INT, pid, DB_INT, session->get_session_id(session));
+	}
+
+	return pid;
+}
+
+METHOD(imv_database_t, add_device, int,
+	private_imv_database_t *this, imv_session_t *session, chunk_t device)
+{
+	enumerator_t *e;
+	char *device_str;
+	int pid = 0, did = 0;
+
+	/* get primary key of product from session */
+	e = this->db->query(this->db,
+			"SELECT product FROM sessions WHERE id = ?",
+			 DB_INT, session->get_session_id(session), DB_INT);
+	if (e)
+	{
+		e->enumerate(e, &pid);
+		e->destroy(e);
+	}
+
+	/* some IMV policy manager expect a text string */
+	device_str = strndup(device.ptr, device.len);
+
+	/* get primary key of device identification if it exists */
+	e = this->db->query(this->db,
+			"SELECT id FROM devices WHERE value = ? AND product = ?",
+			 DB_TEXT, device_str, DB_INT, pid, DB_INT);
+	if (e)
+	{
+		e->enumerate(e, &did);
+		e->destroy(e);
+	}
+
+	/* if device identification has not been found - register it */
+	if (!did)
+	{
+		this->db->execute(this->db, &did,
+			"INSERT INTO devices (value, product) VALUES (?, ?)",
+			 DB_TEXT, device_str, DB_INT, pid);
+	}
+	free(device_str);
+	
+	/* add device reference to session */
+	if (did)
+	{
+		this->db->execute(this->db, NULL,
+			"UPDATE sessions SET device = ? WHERE id = ?",
+			 DB_INT, did, DB_INT, session->get_session_id(session));
+	}
+
+	return did;
+}
+
+METHOD(imv_database_t, add_recommendation, void,
+	private_imv_database_t *this, imv_session_t *session,
+	TNC_IMV_Action_Recommendation rec)
+{
+	/* add final recommendation to session */
+	this->db->execute(this->db, NULL,
+			"UPDATE sessions SET rec = ? WHERE id = ?",
+			 DB_INT, rec, DB_INT, session->get_session_id(session));
+}
+
+METHOD(imv_database_t, policy_script, bool,
+	private_imv_database_t *this, imv_session_t *session, bool start)
+{
+	imv_workitem_t *workitem;
+	imv_workitem_type_t type;
+	int id, session_id, arg_int, rec_fail, rec_noresult;
+	enumerator_t *e;
+	char command[512], resp[128], *last, *arg_str;
+	FILE *shell;
+
+	session_id = session->get_session_id(session);
+
+	snprintf(command, sizeof(command), "2>&1 TNC_SESSION_ID='%d' %s %s",
+			 session_id, this->script, start ? "start" : "stop");
+	DBG3(DBG_IMV, "running policy script: %s", command);
+
+	shell = popen(command, "r");
+	if (shell == NULL)
+	{
+		DBG1(DBG_IMV, "could not execute policy script '%s'",
+			 this->script);
+		return FALSE;
+	}
+	while (TRUE)
+	{
+		if (fgets(resp, sizeof(resp), shell) == NULL)
+		{
+			if (ferror(shell))
+			{
+				DBG1(DBG_IMV, "error reading output from policy script");
+			}
+			break;
+		}
+		else
+		{
+			last = resp + strlen(resp) - 1;
+			if (last >= resp && *last == '\n')
+			{
+				/* replace trailing '\n' */
+				*last = '\0';
+			}
+			DBG1(DBG_IMV, "policy: %s", resp);
+		}
+	}
+	pclose(shell);
+
+	if (start && !session->get_policy_started(session))
+	{
+		/* get workitem list generated by policy manager */
+		e = this->db->query(this->db,
+				"SELECT id, type, arg_str, arg_int, rec_fail, rec_noresult "
+				"FROM workitems WHERE session = ?",	DB_INT, session_id,
+				 DB_INT, DB_INT, DB_TEXT, DB_INT,DB_INT, DB_INT);
+		if (!e)
+		{
+			DBG1(DBG_IMV, "no workitem enumerator returned");
+			return FALSE;
+		}
+		while (e->enumerate(e, &id, &type, &arg_str, &arg_int, &rec_fail,
+							   &rec_noresult))
+		{
+			workitem = imv_workitem_create(id, type, arg_str, arg_int, rec_fail,
+										   rec_noresult);
+			session->insert_workitem(session, workitem);
+		}
+		e->destroy(e);
+
+		session->set_policy_started(session, TRUE);
+	}
+	else if (!start && session->get_policy_started(session))
+	{
+		session->set_policy_started(session, FALSE);
+	}
+
+	return TRUE;
+}
+
+METHOD(imv_database_t, finalize_workitem, bool,
+	private_imv_database_t *this, imv_workitem_t *workitem)
+{
+	char *result;
+	int rec;
+
+	rec = workitem->get_result(workitem, &result);
+
+	return this->db->execute(this->db, NULL,
+				"UPDATE workitems SET result = ?, rec_final = ? WHERE id = ?",
+				DB_TEXT, result, DB_INT, rec,
+				DB_INT, workitem->get_id(workitem)) == 1;
+}
+
+METHOD(imv_database_t, get_database, database_t*,
+	private_imv_database_t *this)
+{
+	return this->db;
+}
+
+METHOD(imv_database_t, destroy, void,
+	private_imv_database_t *this)
+{
+	DESTROY_IF(this->db);
+	this->sessions->destroy_offset(this->sessions,
+							offsetof(imv_session_t, destroy));
+	this->mutex->destroy(this->mutex);
+	free(this);
+}
+
+/**
+ * See header
+ */
+imv_database_t *imv_database_create(char *uri, char *script)
+{
+	private_imv_database_t *this;
+
+	INIT(this,
+		.public = {
+			.add_session = _add_session,
+			.remove_session = _remove_session,
+			.add_product = _add_product,
+			.add_device = _add_device,
+			.add_recommendation = _add_recommendation,
+			.policy_script = _policy_script,
+			.finalize_workitem = _finalize_workitem,
+			.get_database = _get_database,
+			.destroy = _destroy,
+		},
+		.db = lib->db->create(lib->db, uri),
+		.script = script,
+		.sessions = linked_list_create(),
+		.mutex = mutex_create(MUTEX_TYPE_DEFAULT),
+	);
+
+	if (!this->db)
+	{
+		DBG1(DBG_IMV,
+			 "failed to connect to IMV database '%s'", uri);
+		destroy(this);
+		return NULL;
+	}
+
+	return &this->public;
+}
+
diff --git a/src/libimcv/imv/imv_database.h b/src/libimcv/imv/imv_database.h
new file mode 100644
index 000000000..48a3ded9e
--- /dev/null
+++ b/src/libimcv/imv/imv_database.h
@@ -0,0 +1,125 @@
+/*
+ * Copyright (C) 2013 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ *
+ * @defgroup imv_database_t imv_database
+ * @{ @ingroup libimcv_imv
+ */
+
+#ifndef IMV_DATABASE_H_
+#define IMV_DATABASE_H_
+
+#include "imv_session.h"
+#include "imv_workitem.h"
+
+#include <tncifimv.h>
+
+#include <library.h>
+
+typedef struct imv_database_t imv_database_t;
+
+/**
+ * IMV database interface 
+ */
+struct imv_database_t {
+
+	/**
+	 * Create or get a session associated with a TNCCS connection
+	 *
+	 * @param conn_id		TNCCS Connection ID
+	 * @param ar_id_type	Access Requestor identity type
+	 * @param ar_id_value	Access Requestor identity value
+	 * @return				Session associated with TNCCS Connection
+	 */
+	 imv_session_t* (*add_session)(imv_database_t *this,
+								   TNC_ConnectionID conn_id,
+								   u_int32_t ar_id_type, chunk_t ar_id_value);
+
+	/**
+	 * Remove and delete a session
+	 *
+	 * @param session		Session
+	 */
+	 void (*remove_session)(imv_database_t *this, imv_session_t *session);
+
+	/**
+	 * Add product information string to a session database entry
+	 *
+	 * @param session		Session
+	 * @param product		Product information string
+	 * @return				Product ID
+	 */
+	 int (*add_product)(imv_database_t *this, imv_session_t *session,
+						char *product);
+
+	/**
+	 * Add device identification to a session database entry
+	 *
+	 * @param session		Session
+	 * @param device		Device identification
+	 * @return				Device ID
+	 */
+	 int (*add_device)(imv_database_t *this, imv_session_t *session,
+					   chunk_t device);
+
+	/**
+	 * Add final recommendation to a session database entry
+	 *
+	 * @param session		Session
+	 * @param rec			Final recommendation
+	 */
+	 void (*add_recommendation)(imv_database_t *this, imv_session_t *session,
+								TNC_IMV_Action_Recommendation rec);
+
+	/**
+	 * Announce session start/stop to policy script
+	 *
+	 * @param session		Session
+	 * @param start			TRUE if session start, FALSE if session stop
+	 * @return				TRUE if command successful, FALSE otherwise
+	 */
+	 bool (*policy_script)(imv_database_t *this, imv_session_t *session,
+						   bool start);
+
+	/**
+	 * Finalize a workitem
+	 *
+	 * @param workitem		Workitem to be finalized
+	 */
+	bool (*finalize_workitem)(imv_database_t *this, imv_workitem_t *workitem);
+
+	/**
+	 * Get database handle
+	 *
+	 * @return				Database handle
+	 */
+	 database_t* (*get_database)(imv_database_t *this);
+
+	/**
+	 * Destroys an imv_database_t object
+	 */
+	void (*destroy)(imv_database_t *this);
+};
+
+/**
+ * Create an imv_database_t instance
+ *
+ * @param uri				Database uri
+ * @param script			Policy Manager script
+ */
+imv_database_t* imv_database_create(char *uri, char *script);
+
+#endif /** IMV_DATABASE_H_ @}*/
diff --git a/src/libimcv/imv/imv_if.h b/src/libimcv/imv/imv_if.h
new file mode 100644
index 000000000..fa9765b11
--- /dev/null
+++ b/src/libimcv/imv/imv_if.h
@@ -0,0 +1,167 @@
+/*
+ * Copyright (C) 2012-2013 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * Define the following two static constants externally:
+ * static const char imv_name[] = "xx";
+ * static const imv_agent_create_t imv_agent_create = imv_xx_agent_create;
+ */
+
+#include <utils/debug.h>
+
+static imv_agent_if_t *imv_agent;
+
+/*
+ * see section 3.8.1 of TCG TNC IF-IMV Specification 1.3
+ */
+TNC_Result TNC_IMV_Initialize(TNC_IMVID imv_id,
+							  TNC_Version min_version,
+							  TNC_Version max_version,
+							  TNC_Version *actual_version)
+{
+	if (imv_agent)
+	{
+		DBG1(DBG_IMV, "IMV \"%s\" has already been initialized", imv_name);
+		return TNC_RESULT_ALREADY_INITIALIZED;
+	}
+
+	imv_agent = imv_agent_create(imv_name, imv_id, actual_version);
+
+	if (!imv_agent)
+	{
+		return TNC_RESULT_FATAL;
+	}
+	if (min_version > TNC_IFIMV_VERSION_1 || max_version < TNC_IFIMV_VERSION_1)
+	{
+		DBG1(DBG_IMV, "no common IF-IMV version");
+		return TNC_RESULT_NO_COMMON_VERSION;
+	}
+	return TNC_RESULT_SUCCESS;
+}
+
+/**
+ * see section 3.8.2 of TCG TNC IF-IMV Specification 1.3
+ */
+TNC_Result TNC_IMV_NotifyConnectionChange(TNC_IMVID imv_id,
+										  TNC_ConnectionID connection_id,
+										  TNC_ConnectionState new_state)
+{
+	if (!imv_agent)
+	{
+		DBG1(DBG_IMV, "IMV \"%s\" has not been initialized", imv_name);
+		return TNC_RESULT_NOT_INITIALIZED;
+	}
+	return imv_agent->notify_connection_change(imv_agent, connection_id,
+											   new_state);
+}
+
+/**
+ * see section 3.8.4 of TCG TNC IF-IMV Specification 1.3
+ */
+TNC_Result TNC_IMV_ReceiveMessage(TNC_IMVID imv_id,
+								  TNC_ConnectionID connection_id,
+								  TNC_BufferReference msg,
+								  TNC_UInt32 msg_len,
+								  TNC_MessageType msg_type)
+{
+	if (!imv_agent)
+	{
+		DBG1(DBG_IMV, "IMV \"%s\" has not been initialized", imv_name);
+		return TNC_RESULT_NOT_INITIALIZED;
+	}
+	return imv_agent->receive_message(imv_agent, connection_id, msg_type,
+									  chunk_create(msg, msg_len));
+}
+
+/**
+ * see section 3.8.6 of TCG TNC IF-IMV Specification 1.3
+ */
+TNC_Result TNC_IMV_ReceiveMessageLong(TNC_IMVID imv_id,
+									  TNC_ConnectionID connection_id,
+									  TNC_UInt32 msg_flags,
+									  TNC_BufferReference msg,
+									  TNC_UInt32 msg_len,
+									  TNC_VendorID msg_vid,
+									  TNC_MessageSubtype msg_subtype,
+									  TNC_UInt32 src_imc_id,
+									  TNC_UInt32 dst_imv_id)
+{
+	if (!imv_agent)
+	{
+		DBG1(DBG_IMV, "IMV \"%s\" has not been initialized", imv_name);
+		return TNC_RESULT_NOT_INITIALIZED;
+	}
+	return imv_agent->receive_message_long(imv_agent, connection_id,
+							src_imc_id, dst_imv_id,
+							msg_vid, msg_subtype, chunk_create(msg, msg_len));
+}
+
+/**
+ * see section 3.8.7 of TCG TNC IF-IMV Specification 1.3
+ */
+TNC_Result TNC_IMV_SolicitRecommendation(TNC_IMVID imv_id,
+										 TNC_ConnectionID connection_id)
+{
+
+	if (!imv_agent)
+	{
+		DBG1(DBG_IMV, "IMV \"%s\" has not been initialized", imv_name);
+		return TNC_RESULT_NOT_INITIALIZED;
+	}
+	return imv_agent->solicit_recommendation(imv_agent, connection_id);
+}
+
+/**
+ * see section 3.8.8 of TCG TNC IF-IMV Specification 1.3
+ */
+TNC_Result TNC_IMV_BatchEnding(TNC_IMVID imv_id, TNC_ConnectionID connection_id)
+{
+	if (!imv_agent)
+	{
+		DBG1(DBG_IMV, "IMV \"%s\" has not been initialized", imv_name);
+		return TNC_RESULT_NOT_INITIALIZED;
+	}
+	return imv_agent->batch_ending(imv_agent, connection_id);
+}
+
+/**
+ * see section 3.8.9 of TCG TNC IF-IMV Specification 1.3
+ */
+TNC_Result TNC_IMV_Terminate(TNC_IMVID imv_id)
+{
+	if (!imv_agent)
+	{
+		DBG1(DBG_IMV, "IMV \"%s\" has not been initialized", imv_name);
+		return TNC_RESULT_NOT_INITIALIZED;
+	}
+	imv_agent->destroy(imv_agent);
+	imv_agent = NULL;
+
+	return TNC_RESULT_SUCCESS;
+}
+
+/**
+ * see section 4.2.8.1 of TCG TNC IF-IMV Specification 1.3
+ */
+TNC_Result TNC_IMV_ProvideBindFunction(TNC_IMVID imv_id,
+									   TNC_TNCS_BindFunctionPointer bind_function)
+{
+	if (!imv_agent)
+	{
+		DBG1(DBG_IMV, "IMV \"%s\" has not been initialized", imv_name);
+		return TNC_RESULT_NOT_INITIALIZED;
+	}
+	return imv_agent->bind_functions(imv_agent, bind_function);
+}
diff --git a/src/libimcv/imv/imv_msg.c b/src/libimcv/imv/imv_msg.c
index 496d0ee1c..642b47935 100644
--- a/src/libimcv/imv/imv_msg.c
+++ b/src/libimcv/imv/imv_msg.c
@@ -318,6 +318,12 @@ METHOD(imv_msg_t, receive, TNC_Result,
 	return TNC_RESULT_SUCCESS;
 }
 
+METHOD(imv_msg_t, get_attribute_count, int,
+	private_imv_msg_t *this)
+{
+	return this->attr_list->get_count(this->attr_list);
+}
+
 METHOD(imv_msg_t, create_attribute_enumerator, enumerator_t*,
 	private_imv_msg_t *this)
 {
@@ -363,6 +369,7 @@ imv_msg_t *imv_msg_create(imv_agent_t *agent, imv_state_t *state,
 			.send_assessment = _send_assessment,
 			.receive = _receive,
 			.add_attribute = _add_attribute,
+			.get_attribute_count = _get_attribute_count,
 			.create_attribute_enumerator = _create_attribute_enumerator,
 			.get_encoding = _get_encoding,
 			.destroy = _destroy,
diff --git a/src/libimcv/imv/imv_msg.h b/src/libimcv/imv/imv_msg.h
index 9e56d9fe7..dfec169cc 100644
--- a/src/libimcv/imv/imv_msg.h
+++ b/src/libimcv/imv/imv_msg.h
@@ -91,6 +91,13 @@ struct imv_msg_t {
 	 */
 	void (*add_attribute)(imv_msg_t *this, pa_tnc_attr_t *attr);
 
+	/**
+	 * Get the number of PA-TNC attributes in the send queue
+	 *
+	 * @return					number of PA-TNC attribute in send queue
+	 */
+	int (*get_attribute_count)(imv_msg_t *this);
+
 	/**
 	 * Enumerator over PA-TNC attributes contained in the PA-TNC message
 	 *
diff --git a/src/libimcv/imv/imv_policy_manager.c b/src/libimcv/imv/imv_policy_manager.c
new file mode 100644
index 000000000..61e0cd05b
--- /dev/null
+++ b/src/libimcv/imv/imv_policy_manager.c
@@ -0,0 +1,359 @@
+/*
+ * Copyright (C) 2013 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "imv_policy_manager_usage.h"
+#include "imv_workitem.h"
+
+#include <library.h>
+#include <utils/debug.h>
+
+#include <stdlib.h>
+#include <stdio.h>
+#include <time.h>
+
+/* The default policy group #1 is assumed to always exist */
+#define DEFAULT_GROUP_ID	1
+
+/**
+ * global debug output variables
+ */
+static int debug_level = 1;
+static bool stderr_quiet = FALSE;
+
+/**
+ * attest dbg function
+ */
+static void stderr_dbg(debug_t group, level_t level, char *fmt, ...)
+{
+	va_list args;
+
+	if (level <= debug_level)
+	{
+		if (!stderr_quiet)
+		{
+			va_start(args, fmt);
+			vfprintf(stderr, fmt, args);
+			fprintf(stderr, "\n");
+			va_end(args);
+		}
+	}
+}
+
+/**
+ * Collect all enforcements by iterating up through parent groups
+ */
+static bool iterate_enforcements(database_t *db, int device_id, int session_id,
+								 int group_id)
+{
+	int id, type, file, dir, arg_int, parent, policy, max_age;
+	int p_rec_fail, p_rec_noresult, e_rec_fail, e_rec_noresult, latest_rec;
+	bool latest_success;
+	char *argument;
+	time_t now;
+	enumerator_t *e, *e1, *e2;
+
+	now = time(NULL);
+
+	while (group_id)
+	{
+		e1 = db->query(db,
+				"SELECT e.id, p.type, p.argument, p.file, p.dir, p.rec_fail, "
+				"p.rec_noresult, e.policy, e.max_age, e.rec_fail, e.rec_noresult "
+				"FROM enforcements AS e JOIN policies as p ON e.policy = p.id "
+				"WHERE e.group_id = ?", DB_INT, group_id,
+				 DB_INT, DB_INT, DB_TEXT, DB_INT, DB_INT, DB_INT, DB_INT,
+				 DB_INT, DB_INT, DB_INT, DB_INT);
+		if (!e1)
+		{
+			return FALSE;
+		}
+		while (e1->enumerate(e1, &id, &type, &argument, &file, &dir,
+								 &p_rec_fail, &p_rec_noresult, &policy, &max_age,
+								 &e_rec_fail, &e_rec_noresult))
+		{
+			/* check if the latest measurement of the device was successful */
+			latest_success = FALSE;
+
+			if (device_id)
+			{
+				e2 = db->query(db,
+						"SELECT r.rec FROM results AS r "
+						"JOIN sessions AS s ON s.id = r.session "
+						"WHERE r.policy = ? AND s.device = ? AND s.time > ? "
+						"ORDER BY s.time DESC",
+						DB_INT, policy, DB_INT, device_id,
+						DB_UINT, now - max_age,	DB_INT);
+				if (!e2)
+				{
+					e1->destroy(e1);
+					return FALSE;
+				}
+				if (e2->enumerate(e2, &latest_rec) &&
+					latest_rec == TNC_IMV_ACTION_RECOMMENDATION_ALLOW)
+				{
+					latest_success = TRUE;
+				}
+				e2->destroy(e2);
+			}
+
+			if (latest_success)
+			{
+				/*skipping enforcement */
+				printf("skipping enforcment %d\n", id);
+				continue;
+			}
+
+			/* determine arg_int */
+			switch ((imv_workitem_type_t)type)
+			{
+				case IMV_WORKITEM_FILE_REF_MEAS:
+				case IMV_WORKITEM_FILE_MEAS:
+				case IMV_WORKITEM_FILE_META:
+					arg_int = file;
+					break;
+				case IMV_WORKITEM_DIR_REF_MEAS:
+				case IMV_WORKITEM_DIR_MEAS:
+				case IMV_WORKITEM_DIR_META:
+					arg_int = dir;
+					break;
+				default:
+					arg_int = 0;
+			}
+
+			/* insert a workitem */
+			if (db->execute(db, NULL,
+				"INSERT INTO workitems (session, enforcement, type, arg_str, "
+				"arg_int, rec_fail, rec_noresult) VALUES (?, ?, ?, ?, ?, ?, ?)",
+				DB_INT, session_id, DB_INT, id, DB_INT, type, DB_TEXT, argument,
+				DB_INT, arg_int, DB_INT, e_rec_fail ? e_rec_fail : p_rec_fail,
+				DB_INT, e_rec_noresult ? e_rec_noresult : p_rec_noresult) != 1)
+			{
+				e1->destroy(e1);
+				fprintf(stderr, "could not insert workitem\n");
+				return FALSE;
+			}
+		}
+		e1->destroy(e1);
+
+		e = db->query(db,
+				"SELECT parent FROM groups WHERE id = ?",
+				 DB_INT, group_id, DB_INT);
+		if (!e)
+		{
+			return FALSE;
+		}
+		if (e->enumerate(e, &parent))
+		{
+			group_id = parent;
+		}
+		else
+		{
+			fprintf(stderr, "group information not found\n");
+			group_id = 0;
+		}
+		e->destroy(e);
+	}
+	return TRUE;
+}
+
+static bool policy_start(database_t *db, int session_id)
+{
+	enumerator_t *e;
+	int device_id, product_id, gid, group_id = DEFAULT_GROUP_ID;
+	u_int created;
+
+	/* get session data */
+	e = db->query(db,
+			"SELECT s.device, s.product, d.created FROM sessions AS s "
+			"LEFT JOIN devices AS d ON s.device = d.id WHERE s.id = ?",
+			 DB_INT, session_id, DB_INT, DB_INT, DB_UINT);
+	if (!e || !e->enumerate(e, &device_id, &product_id, &created))
+	{
+		DESTROY_IF(e);
+		fprintf(stderr, "session %d not found\n", session_id);
+		return FALSE;
+	}
+	e->destroy(e);
+
+	/* if a device ID with a creation date exists, get all group memberships */
+	if (device_id & created)
+	{
+		e = db->query(db,
+				"SELECT group_id FROM groups_members WHERE device_id = ?",
+				 DB_INT, device_id, DB_INT);
+		if (!e)
+		{
+			return FALSE;
+		}
+		while (e->enumerate(e, &group_id))
+		{
+			if (!iterate_enforcements(db, device_id, session_id, group_id))
+			{
+				e->destroy(e);
+				return FALSE;
+			}
+		}
+		e->destroy(e);
+
+		return TRUE;
+	}
+
+	/* determine if a default product group exists */
+	e = db->query(db,
+			"SELECT group_id FROM groups_product_defaults "
+			"WHERE product_id = ?", DB_INT, product_id, DB_INT);
+	if (!e)
+	{
+		return FALSE;
+	}
+	if (e->enumerate(e, &gid))
+	{
+		group_id = gid;
+	}
+	e->destroy(e);
+
+	if (device_id && !created)
+	{
+		/* assign a newly created device to a default group */
+		if (db->execute(db, NULL,
+			"INSERT INTO groups_members (device_id, group_id) "
+			"VALUES (?, ?)", DB_INT, device_id, DB_INT, group_id) != 1)
+		{
+			fprintf(stderr, "could not assign device to a default group\n");
+			return FALSE;
+		}
+
+		/* set the creation date if it hasn't been set yet */
+		if (db->execute(db, NULL,
+				"UPDATE devices SET created = ? WHERE id = ?",
+				DB_UINT, time(NULL), DB_INT, device_id) != 1)
+		{
+			fprintf(stderr, "creation date of device could not be set\n");
+			return FALSE;
+		}
+	}
+
+	return iterate_enforcements(db, device_id, session_id, group_id);
+}
+
+static bool policy_stop(database_t *db, int session_id)
+{
+	enumerator_t *e;
+	int rec, policy;
+	char *result;
+
+	e = db->query(db,
+			"SELECT w.rec_final, w.result, e.policy FROM workitems AS w "
+			"JOIN enforcements AS e ON w.enforcement = e.id "
+			"WHERE w.session = ? AND w.result IS NOT NULL",
+			 DB_INT, session_id, DB_INT, DB_TEXT, DB_INT);
+	if (e)
+	{
+		while (e->enumerate(e, &rec, &result, &policy))
+		{
+			db->execute(db, NULL,
+				"INSERT INTO results (session, policy, rec, result) "
+				"VALUES (?, ?, ?, ?)", DB_INT, session_id, DB_INT, policy,
+				 DB_INT, rec, DB_TEXT, result);
+		}
+		e->destroy(e);
+	}
+	return db->execute(db, NULL,
+				"DELETE FROM workitems WHERE session = ?",
+				DB_UINT, session_id) >= 0;
+}
+
+int main(int argc, char *argv[])
+{
+	database_t *db;
+	char *uri, *tnc_session_id;
+	int session_id;
+	bool start, success;
+
+	/* enable attest debugging hook */
+	dbg = stderr_dbg;
+
+	atexit(library_deinit);
+
+	/* initialize library */
+	if (!library_init(NULL))
+	{
+		exit(SS_RC_LIBSTRONGSWAN_INTEGRITY);
+	}
+	if (!lib->plugins->load(lib->plugins,
+			lib->settings->get_str(lib->settings, "imv_policy_manager.load",
+				 "sqlite")))
+	{
+		exit(SS_RC_INITIALIZATION_FAILED);
+	}
+
+	if (argc < 2)
+	{
+		usage();
+		exit(SS_RC_INITIALIZATION_FAILED);
+	}
+	if (streq(argv[1], "start"))
+	{
+		start = TRUE;
+	}
+	else if (streq(argv[1], "stop"))
+	{
+		start = FALSE;
+	}
+	else
+	{
+		usage();
+		exit(SS_RC_INITIALIZATION_FAILED);
+	}
+
+	/* get session ID */
+	tnc_session_id = getenv("TNC_SESSION_ID");
+	if (!tnc_session_id)
+	{
+		fprintf(stderr, "environment variable TNC_SESSION_ID is not defined\n");
+		exit(SS_RC_INITIALIZATION_FAILED);
+	}
+	session_id = atoi(tnc_session_id);
+
+	/* attach IMV database */
+	uri = lib->settings->get_str(lib->settings, "libimcv.database", NULL);
+	if (!uri)
+	{
+		fprintf(stderr, "database uri not defined.\n");
+		exit(SS_RC_INITIALIZATION_FAILED);
+	}
+
+	db = lib->db->create(lib->db, uri);
+	if (!db)
+	{
+		fprintf(stderr, "opening database failed.\n");
+		exit(SS_RC_INITIALIZATION_FAILED);
+	}
+
+	if (start)
+	{
+		success = policy_start(db, session_id);
+	}
+	else
+	{
+		success = policy_stop(db, session_id);
+	}
+	db->destroy(db);
+
+	fprintf(stderr, "imv_policy_manager %s %s\n", start ? "start" : "stop",
+			success ? "successful" : "failed");
+
+	exit(EXIT_SUCCESS);
+}
diff --git a/src/libimcv/imv/imv_policy_manager_usage.c b/src/libimcv/imv/imv_policy_manager_usage.c
new file mode 100644
index 000000000..3167a5441
--- /dev/null
+++ b/src/libimcv/imv/imv_policy_manager_usage.c
@@ -0,0 +1,29 @@
+/*
+ * Copyright (C) 2013 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <stdio.h>
+
+#include "imv_policy_manager_usage.h"
+
+/**
+ * print imv_policy_manager usage info
+ */
+void usage(void)
+{
+	printf("\
+Usage:\n\
+  imv_policy_manager start|stop\n");
+}
+
diff --git a/src/libimcv/imv/imv_policy_manager_usage.h b/src/libimcv/imv/imv_policy_manager_usage.h
new file mode 100644
index 000000000..9c90d40c6
--- /dev/null
+++ b/src/libimcv/imv/imv_policy_manager_usage.h
@@ -0,0 +1,24 @@
+/*
+ * Copyright (C) 2013 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#ifndef IMV_POLICY_MANAGER_USAGE_H_
+#define IMV_POLICY_MANAGER_USAGE_H_
+
+/**
+ * print imv_policy_manager usage info
+ */
+void usage(void);
+
+#endif /* IMV_POLICY_MANAGER_USAGE_H_ */
diff --git a/src/libimcv/imv/imv_session.c b/src/libimcv/imv/imv_session.c
new file mode 100644
index 000000000..754f1f74c
--- /dev/null
+++ b/src/libimcv/imv/imv_session.c
@@ -0,0 +1,171 @@
+/*
+ * Copyright (C) 2013 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "imv_session.h"
+
+#include <utils/debug.h>
+
+typedef struct private_imv_session_t private_imv_session_t;
+
+/**
+ * Private data of a imv_session_t object.
+ */
+struct private_imv_session_t {
+
+	/**
+	 * Public imv_session_t interface.
+	 */
+	imv_session_t public;
+
+	/**
+	 * Unique Session ID
+	 */
+	int session_id;
+
+	/**
+	 * TNCCS connection ID
+	 */
+	TNC_ConnectionID conn_id;
+
+	/**
+	 * Have the workitems been generated?
+	 */
+	bool policy_started;
+
+	/**
+	 * List of worklist items
+	 */
+	linked_list_t *workitems;
+
+	/**
+	 * Reference count
+	 */
+	refcount_t ref;
+
+};
+
+METHOD(imv_session_t, get_session_id, int,
+	private_imv_session_t *this)
+{
+	return this->session_id;
+}
+
+METHOD(imv_session_t, get_connection_id, TNC_ConnectionID,
+	private_imv_session_t *this)
+{
+	return this->conn_id;
+}
+
+METHOD(imv_session_t, set_policy_started, void,
+	private_imv_session_t *this, bool start)
+{
+	this->policy_started = start;
+}
+
+METHOD(imv_session_t, get_policy_started, bool,
+	private_imv_session_t *this)
+{
+	return this->policy_started;
+}
+
+METHOD(imv_session_t, insert_workitem, void,
+	private_imv_session_t *this, imv_workitem_t *workitem)
+{
+	this->workitems->insert_last(this->workitems, workitem);
+}
+
+METHOD(imv_session_t, remove_workitem, void,
+	private_imv_session_t *this, enumerator_t *enumerator)
+{
+	this->workitems->remove_at(this->workitems, enumerator);
+}
+
+METHOD(imv_session_t, create_workitem_enumerator, enumerator_t*,
+	private_imv_session_t *this)
+{
+	if (!this->policy_started)
+	{
+		return NULL;
+	}
+	return this->workitems->create_enumerator(this->workitems);
+}
+
+METHOD(imv_session_t, get_workitem_count, int,
+	private_imv_session_t *this, TNC_IMVID imv_id)
+{
+	enumerator_t *enumerator;
+	imv_workitem_t *workitem;
+	int count = 0;
+
+	enumerator = this->workitems->create_enumerator(this->workitems);
+	while (enumerator->enumerate(enumerator, &workitem))
+	{
+		if (workitem->get_imv_id(workitem) == imv_id)
+		{
+			count++;
+		}
+	}
+	enumerator->destroy(enumerator);
+
+	return count;
+}
+
+METHOD(imv_session_t, get_ref, imv_session_t*,
+	private_imv_session_t *this)
+{
+	ref_get(&this->ref);
+
+	return &this->public;
+}
+
+METHOD(imv_session_t, destroy, void,
+	private_imv_session_t *this)
+{
+	if (ref_put(&this->ref))
+	{
+		this->workitems->destroy_offset(this->workitems,
+								 offsetof(imv_workitem_t, destroy));
+		free(this);
+	}
+}
+
+/**
+ * See header
+ */
+imv_session_t *imv_session_create(int session_id, TNC_ConnectionID conn_id)
+{
+	private_imv_session_t *this;
+
+	INIT(this,
+		.public = {
+			.get_session_id = _get_session_id,
+			.get_connection_id = _get_connection_id,
+			.set_policy_started = _set_policy_started,
+			.get_policy_started = _get_policy_started,
+			.insert_workitem = _insert_workitem,
+			.remove_workitem = _remove_workitem,
+			.create_workitem_enumerator = _create_workitem_enumerator,
+			.get_workitem_count = _get_workitem_count,
+			.get_ref = _get_ref,
+			.destroy = _destroy,
+		},
+		.session_id = session_id,
+		.conn_id = conn_id,
+		.workitems = linked_list_create(),
+		.ref = 1,
+	);
+
+	return &this->public;
+}
diff --git a/src/libimcv/imv/imv_session.h b/src/libimcv/imv/imv_session.h
new file mode 100644
index 000000000..6b94523b8
--- /dev/null
+++ b/src/libimcv/imv/imv_session.h
@@ -0,0 +1,113 @@
+/*
+ * Copyright (C) 2013 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ *
+ * @defgroup imv_session_t imv_session
+ * @{ @ingroup libimcv_imv
+ */
+
+#ifndef  IMV_SESSION_H_
+#define  IMV_SESSION_H_
+
+#include "imv_workitem.h"
+
+#include <tncifimv.h>
+
+#include <library.h>
+
+typedef struct imv_session_t imv_session_t;
+
+/**
+ * IMV session interface
+ */
+struct imv_session_t {
+
+	/**
+	 * Get unique session ID
+	 *
+	 * @return				Session ID
+	 */
+	int (*get_session_id)(imv_session_t *this);
+
+	/**
+	 * Get TNCCS Connection ID
+	 *
+	 * @return				TNCCS Connection ID
+	 */
+	TNC_ConnectionID (*get_connection_id)(imv_session_t *this);
+
+	/**
+	 * Set policy_started status
+	 *
+	 * @param start			TRUE if policy started, FALSE if policy stopped
+	 */
+	void (*set_policy_started)(imv_session_t *this, bool start);
+
+	/**
+	 * Get policy_started status
+	 *
+	 * @return				TRUE if policy started, FALSE if policy stopped
+	 */
+	bool (*get_policy_started)(imv_session_t *this);
+
+	/**
+	 * Insert workitem into list
+	 *
+	 * @param workitem		Workitem to be inserted
+	 */
+	void (*insert_workitem)(imv_session_t *this, imv_workitem_t *workitem);
+
+	/**
+	 * Remove workitem from list
+	 *
+	 * @param enumerator	Enumerator pointing to workitem to be removed
+	 */
+	void (*remove_workitem)(imv_session_t *this, enumerator_t *enumerator);
+
+	/**
+	 * Create workitem enumerator
+	 *
+	 */
+	 enumerator_t* (*create_workitem_enumerator)(imv_session_t *this);
+
+	/**
+	 * Get number of workitem allocated to a given IMV
+	 *
+	 * @param imv_id		IMV ID
+	 * @return				Number of workitems assigned to given IMV
+	 */
+	 int (*get_workitem_count)(imv_session_t *this, TNC_IMVID imv_id);
+
+	/**
+	 * Get reference to session
+	 */
+	imv_session_t* (*get_ref)(imv_session_t*);
+
+	/**
+	 * Destroys an imv_session_t object
+	 */
+	void (*destroy)(imv_session_t *this);
+};
+
+/**
+ * Create an imv_session_t instance
+ *
+ * @param session_id		Unique Session ID
+ * @param id				Associated Connection ID
+ */
+imv_session_t* imv_session_create(int session_id, TNC_ConnectionID id);
+
+#endif /**  IMV_SESSION_H_ @}*/
diff --git a/src/libimcv/imv/imv_state.h b/src/libimcv/imv/imv_state.h
index d1a87d2d7..791846bb1 100644
--- a/src/libimcv/imv/imv_state.h
+++ b/src/libimcv/imv/imv_state.h
@@ -22,6 +22,8 @@
 #ifndef IMV_STATE_H_
 #define IMV_STATE_H_
 
+#include "imv_session.h"
+
 #include <tncifimv.h>
 
 #include <library.h>
@@ -34,9 +36,9 @@ typedef struct imv_state_t imv_state_t;
 struct imv_state_t {
 
 	/**
-	 * Get the TNCS connection ID attached to the state
+	 * Get the TNCCS connection ID attached to the state
 	 *
-	 * @return				TNCS connection ID of the state
+	 * @return				TNCCS connection ID of the state
 	 */
 	 TNC_ConnectionID (*get_connection_id)(imv_state_t *this);
 
@@ -77,6 +79,20 @@ struct imv_state_t {
 	 */
 	u_int32_t (*get_max_msg_len)(imv_state_t *this);
 
+	/**
+	 * Set flags for completed actions
+	 *
+	 * @param flags			Flags to be set
+	 */
+	void (*set_action_flags)(imv_state_t *this, u_int32_t flags);
+
+	/**
+	 * Get flags set for completed actions
+	 *
+	 * @return				Flags set for completed actions
+	 */
+	u_int32_t (*get_action_flags)(imv_state_t *this);
+
 	/**
 	 * Set Access Requestor ID
 	 *
@@ -94,6 +110,20 @@ struct imv_state_t {
 	 */
 	chunk_t (*get_ar_id)(imv_state_t *this, u_int32_t *id_type);
 
+	/**
+	 * Set session associated with TNCCS Connection
+	 *
+	 * @param session		Session associated with TNCCS Connection
+	 */
+	void (*set_session)(imv_state_t *this, imv_session_t *session);
+
+	/**
+	 * Get session associated with TNCCS Connection
+	 *
+	 * @return				Session associated with TNCCS Connection
+	 */
+	imv_session_t* (*get_session)(imv_state_t *this);
+
 	/**
 	 * Change the connection state
 	 *
@@ -123,6 +153,17 @@ struct imv_state_t {
 							   TNC_IMV_Action_Recommendation rec,
 							   TNC_IMV_Evaluation_Result eval);
 
+	/**
+	 * Update IMV action recommendation and evaluation result
+	 *
+	 * @param rec			IMV action recommendation
+	 * @param eval			IMV evaluation result
+	 *
+	 */
+	void (*update_recommendation)(imv_state_t *this,
+								  TNC_IMV_Action_Recommendation rec,
+								  TNC_IMV_Evaluation_Result eval);
+
 	/**
 	 * Get reason string based on the preferred language
 	 *
diff --git a/src/libimcv/imv/imv_workitem.c b/src/libimcv/imv/imv_workitem.c
new file mode 100644
index 000000000..a61a826bc
--- /dev/null
+++ b/src/libimcv/imv/imv_workitem.c
@@ -0,0 +1,213 @@
+/*
+ * Copyright (C) 2013 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "imv_workitem.h"
+
+#include <utils/debug.h>
+#include <tncif_names.h>
+
+typedef struct private_imv_workitem_t private_imv_workitem_t;
+
+ENUM(imv_workitem_type_names, IMV_WORKITEM_PACKAGES, IMV_WORKITEM_UDP_PORT_BLOCK,
+	"PCKGS",
+	"UNSRC",
+	"FWDEN",
+	"PWDEN",
+	"FREFM",
+	"FMEAS",
+	"FMETA",
+	"DREFM",
+	"DMEAS",
+	"DMETA",
+	"TCPOP",
+	"TCPBL",
+	"UDPOP",
+	"UDPBL"
+);
+
+/**
+ * Private data of a imv_workitem_t object.
+ *
+ */
+struct private_imv_workitem_t {
+
+	/**
+	 * Public imv_workitem_t interface.
+	 */
+	imv_workitem_t public;
+
+	/**
+	 * Primary workitem key
+	 */
+	int id;
+
+	/**
+	 * IMV ID
+	 */
+	TNC_IMVID imv_id;
+
+	/**
+	 * Workitem type
+	 */
+	imv_workitem_type_t type;
+
+	/**
+	 * Argument string
+	 */
+	char *arg_str;
+
+	/**
+	 * Argument integer
+	 */
+	int arg_int;
+
+	/**
+	 * Result string
+	 */
+	char *result;
+
+	/**
+	 * IMV action recommendation
+	 */
+	TNC_IMV_Action_Recommendation rec_fail;
+
+	/**
+	 * IMV action recommendation
+	 */
+	TNC_IMV_Action_Recommendation rec_noresult;
+
+	/**
+	 * IMV action recommendation
+	 */
+	TNC_IMV_Action_Recommendation rec_final;
+
+};
+
+METHOD(imv_workitem_t, get_id, int,
+	private_imv_workitem_t *this)
+{
+	return this->id;
+}
+
+METHOD(imv_workitem_t, set_imv_id, void,
+	private_imv_workitem_t *this, TNC_IMVID imv_id)
+{
+	this->imv_id = imv_id;
+}
+
+METHOD(imv_workitem_t, get_imv_id, TNC_IMVID,
+	private_imv_workitem_t *this)
+{
+	return this->imv_id;
+}
+
+METHOD(imv_workitem_t, get_type, imv_workitem_type_t,
+	private_imv_workitem_t *this)
+{
+	return this->type;
+}
+
+METHOD(imv_workitem_t, get_arg_str, char*,
+	private_imv_workitem_t *this)
+{
+	return this->arg_str;
+}
+
+METHOD(imv_workitem_t, get_arg_int, int,
+	private_imv_workitem_t *this)
+{
+	return this->arg_int;
+}
+
+METHOD(imv_workitem_t, set_result, TNC_IMV_Action_Recommendation,
+	private_imv_workitem_t *this, char *result, TNC_IMV_Evaluation_Result eval)
+{
+	this->result = strdup(result);
+	switch (eval)
+	{
+		case TNC_IMV_EVALUATION_RESULT_COMPLIANT:
+			this->rec_final = TNC_IMV_ACTION_RECOMMENDATION_ALLOW;
+			break;
+		case TNC_IMV_EVALUATION_RESULT_NONCOMPLIANT_MINOR:
+		case TNC_IMV_EVALUATION_RESULT_NONCOMPLIANT_MAJOR:
+			this->rec_final = this->rec_fail;
+			break;
+		case TNC_IMV_EVALUATION_RESULT_ERROR:
+		case TNC_IMV_EVALUATION_RESULT_DONT_KNOW:
+		default:
+			this->rec_final = this->rec_noresult;
+			break;
+	}
+	DBG2(DBG_IMV, "IMV %d handled %N workitem %d: %N%s%s", this->imv_id,
+		 imv_workitem_type_names, this->type, this->id,
+		 TNC_IMV_Action_Recommendation_names, this->rec_final,
+		 strlen(result) ? " - " : "", result);
+
+	return this->rec_final;	
+}
+
+METHOD(imv_workitem_t, get_result, TNC_IMV_Action_Recommendation,
+	private_imv_workitem_t *this, char **result)
+{
+	if (result)
+	{
+		*result = this->result;
+	}
+	return this->rec_final;
+}
+
+METHOD(imv_workitem_t, destroy, void,
+	private_imv_workitem_t *this)
+{
+	free(this->arg_str);
+	free(this->result);
+	free(this);
+}
+
+/**
+ * See header
+ */
+imv_workitem_t *imv_workitem_create(int id, imv_workitem_type_t type,
+									char *arg_str, int arg_int,
+									TNC_IMV_Action_Recommendation rec_fail,
+									TNC_IMV_Action_Recommendation rec_noresult)
+{
+	private_imv_workitem_t *this;
+
+	INIT(this,
+		.public = {
+			.get_id = _get_id,
+			.set_imv_id = _set_imv_id,
+			.get_imv_id = _get_imv_id,
+			.get_type = _get_type,
+			.get_arg_str = _get_arg_str,
+			.get_arg_int = _get_arg_int,
+			.set_result = _set_result,
+			.get_result = _get_result,
+			.destroy = _destroy,
+		},
+		.id = id,
+		.imv_id = TNC_IMVID_ANY,
+		.type = type,
+		.arg_str = arg_str ? strdup(arg_str) : NULL,
+		.arg_int = arg_int,
+		.rec_fail = rec_fail,
+		.rec_noresult = rec_noresult,
+		.rec_final = TNC_IMV_ACTION_RECOMMENDATION_NO_RECOMMENDATION,
+	);
+
+	return &this->public;
+}
+
diff --git a/src/libimcv/imv/imv_workitem.h b/src/libimcv/imv/imv_workitem.h
new file mode 100644
index 000000000..f6ca3ea68
--- /dev/null
+++ b/src/libimcv/imv/imv_workitem.h
@@ -0,0 +1,138 @@
+/*
+ * Copyright (C) 2013 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ *
+ * @defgroup imv_workitem_t imv_workitem
+ * @{ @ingroup libimcv_imv
+ */
+
+#ifndef IMV_WORKITEM_H_
+#define IMV_WORKITEM_H_
+
+#include <tncifimv.h>
+
+#include <library.h>
+
+typedef struct imv_workitem_t imv_workitem_t;
+typedef enum imv_workitem_type_t imv_workitem_type_t;
+
+enum imv_workitem_type_t {
+	IMV_WORKITEM_PACKAGES =        1,
+	IMV_WORKITEM_UNKNOWN_SOURCE =  2,
+	IMV_WORKITEM_FORWARDING =      3,
+	IMV_WORKITEM_DEFAULT_PWD =     4,
+	IMV_WORKITEM_FILE_REF_MEAS =   5,
+	IMV_WORKITEM_FILE_MEAS =       6,
+	IMV_WORKITEM_FILE_META =       7,
+	IMV_WORKITEM_DIR_REF_MEAS =    8,
+	IMV_WORKITEM_DIR_MEAS =        9,
+	IMV_WORKITEM_DIR_META =       10,
+	IMV_WORKITEM_TCP_PORT_OPEN =  11,
+	IMV_WORKITEM_TCP_PORT_BLOCK = 12,
+	IMV_WORKITEM_UDP_PORT_OPEN =  13,
+	IMV_WORKITEM_UDP_PORT_BLOCK = 14
+};
+
+extern enum_name_t *imv_workitem_type_names;
+
+/**
+ * IMV database interface 
+ */
+struct imv_workitem_t {
+
+	/**
+	 * Get primary workitem key 
+	 *
+	 * @return				Primary workitem key
+	 */
+	 int (*get_id)(imv_workitem_t *this);
+
+	/**
+	 * Get workitem type
+	 *
+	 * @return				Workitem type
+	 */
+	 imv_workitem_type_t (*get_type)(imv_workitem_t *this);
+
+	/**
+	 * Set IMV ID
+	 *
+	 * @param id			IMV ID
+	 */
+	 void (*set_imv_id)(imv_workitem_t *this, TNC_IMVID imv_id);
+
+	/**
+	 * Get IMV ID
+	 *
+	 * @return				IMV ID
+	 */
+	 TNC_IMVID (*get_imv_id)(imv_workitem_t *this);
+
+	/**
+	 * Get string argument
+	 *
+	 * @return				Argument string
+	 */
+	 char* (*get_arg_str)(imv_workitem_t *this);
+
+	/**
+	 * Get integer argument
+	 *
+	 * @return				Argument integer
+	 */
+	 int (*get_arg_int)(imv_workitem_t *this);
+
+	/**
+	 * Set result string
+	 *
+	 * @param result		Result string
+	 * @param eval			Evaluation Result
+	 * @return				Action Recommendation
+	 */
+	 TNC_IMV_Action_Recommendation (*set_result)(imv_workitem_t *this, 
+						char *result, TNC_IMV_Evaluation_Result eval);
+
+	/**
+	 * Set result string
+	 *
+	 * @param result		Result string
+	 * @return				Action Recommendatino
+	 */
+	 TNC_IMV_Action_Recommendation (*get_result)(imv_workitem_t *this, 
+												 char **result);
+
+	/**
+	 * Destroys an imv_workitem_t object
+	 */
+	void (*destroy)(imv_workitem_t *this);
+};
+
+/**
+ * Create an imv_workitem_t instance
+ *
+ * @param id				Primary workitem key
+ * @param type				Workitem type
+ * @param arg_str			String argument
+ * @param arg_int			Integer argument
+ * @param rec_fail			Recommendation with minor/major non-compliance case
+ * @param rec_noresult		Recommendation in don't know/error case
+ */
+imv_workitem_t *imv_workitem_create(int id, imv_workitem_type_t type,
+									char *arg_str, int arg_int,
+									TNC_IMV_Action_Recommendation rec_fail,
+									TNC_IMV_Action_Recommendation rec_noresult);
+
+#endif /** IMV_WORKITEM_H_ @}*/
diff --git a/src/libimcv/imv/tables.sql b/src/libimcv/imv/tables.sql
new file mode 100644
index 000000000..4cc959e09
--- /dev/null
+++ b/src/libimcv/imv/tables.sql
@@ -0,0 +1,234 @@
+/* IMV PTS SQLite database */
+
+DROP TABLE IF EXISTS directories;
+CREATE TABLE directories (
+  id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
+  path TEXT NOT NULL
+);
+DROP INDEX IF EXISTS directories_path;
+CREATE INDEX directories_path ON directories (
+  path
+);
+
+DROP TABLE IF EXISTS files;
+CREATE TABLE files (
+  id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
+  dir INTEGER DEFAULT 0 REFERENCES directories(id),
+  name TEXT NOT NULL
+);
+DROP INDEX IF EXISTS files_name;
+CREATE INDEX files_name ON files (
+  name
+);
+
+DROP TABLE IF EXISTS products;
+CREATE TABLE products (
+  id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
+  name TEXT NOT NULL
+);
+DROP INDEX IF EXISTS products_name;
+CREATE INDEX products_name ON products (
+  name
+);
+
+DROP TABLE IF EXISTS algorithms;
+CREATE TABLE algorithms (
+  id INTEGER PRIMARY KEY,
+  name VARCHAR(20) not NULL
+);
+
+DROP TABLE IF EXISTS file_hashes;
+CREATE TABLE file_hashes (
+  id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
+  file INTEGER NOT NULL REFERENCES files(id),
+  product INTEGER NOT NULL REFERENCES products(id),
+  device INTEGER DEFAULT 0,
+  key INTEGER DEFAULT 0 REFERENCES keys(id),
+  algo INTEGER NOT NULL REFERENCES algorithms(id),
+  hash BLOB NOT NULL
+);
+
+DROP TABLE IF EXISTS keys;
+CREATE TABLE keys (
+  id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
+  keyid BLOB NOT NULL,
+  owner TEXT NOT NULL
+);
+DROP INDEX IF EXISTS keys_keyid;
+CREATE INDEX keys_keyid ON keys (
+  keyid
+);
+DROP INDEX IF EXISTS keys_owner;
+CREATE INDEX keys_owner ON keys (
+  owner
+);
+
+DROP TABLE IF EXISTS groups;
+CREATE TABLE groups (
+  id INTEGER NOT NULL PRIMARY KEY,
+  name VARCHAR(50) NOT NULL UNIQUE,
+  parent INTEGER
+);
+
+DROP TABLE IF EXISTS groups_members;
+CREATE TABLE groups_members (
+  id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
+  group_id INTEGER NOT NULL REFERENCES groups(id),
+  device_id INTEGER NOT NULL REFERENCES devices(id),
+  UNIQUE (group_id, device_id)
+);
+
+DROP TABLE IF EXISTS groups_product_defaults;
+CREATE TABLE groups_product_defaults (
+  id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
+  group_id INTEGER NOT NULL REFERENCES groups(id),
+  product_id INTEGER NOT NULL REFERENCES products(id),
+  UNIQUE (group_id, product_id)
+);
+
+DROP TABLE IF EXISTS policies;
+CREATE TABLE policies (
+  id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
+  type INTEGER NOT NULL,
+  name VARCHAR(100) NOT NULL UNIQUE,
+  argument TEXT DEFAULT '' NOT NULL,
+  rec_fail INTEGER NOT NULL,
+  rec_noresult INTEGER NOT NULL,
+  file INTEGER DEFAULT 0 REFERENCES files(id),
+  dir INTEGER DEFAULT 0 REFERENCES directories(id)
+);
+
+DROP TABLE IF EXISTS enforcements;
+CREATE TABLE enforcements (
+  id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
+  policy INTEGER NOT NULL REFERENCES policies(id),
+  group_id INTEGER NOT NULL REFERENCES groups(id),
+  rec_fail INTEGER,
+  rec_noresult INTEGER,
+  max_age INTEGER NOT NULL,
+  UNIQUE (policy, group_id)
+);
+
+DROP TABLE IF EXISTS sessions;
+CREATE TABLE sessions (
+  id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
+  time INTEGER NOT NULL,
+  connection INTEGER NOT NULL,
+  identity INTEGER DEFAULT 0 REFERENCES identities(id),
+  device INTEGER DEFAULT 0 REFERENCES devices(id),
+  product INTEGER DEFAULT 0 REFERENCES products(id),
+  rec INTEGER DEFAULT 3
+);
+
+DROP TABLE IF EXISTS workitems;
+CREATE TABLE workitems (
+  id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
+  session INTEGER NOT NULL REFERENCES sessions(id),
+  enforcement INTEGER NOT NULL REFERENCES enforcements(id),
+  type INTEGER NOT NULL,
+  arg_str TEXT,
+  arg_int INTEGER DEFAULT 0,
+  rec_fail INTEGER NOT NULL,
+  rec_noresult INTEGER NOT NULL,
+  rec_final INTEGER,
+  result TEXT
+);
+DROP INDEX IF EXISTS workitems_session;
+CREATE INDEX workitems_sessions ON workitems (
+  session
+);
+
+DROP TABLE IF EXISTS results;
+CREATE TABLE results (
+  id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
+  session INTEGER NOT NULL REFERENCES measurements(id),
+  policy INTEGER NOT NULL REFERENCES policies(id),
+  rec INTEGER NOT NULL,
+  result TEXT NOT NULL
+);
+DROP INDEX IF EXISTS results_session;
+CREATE INDEX results_session ON results (
+  session
+);
+
+DROP TABLE IF EXISTS components;
+CREATE TABLE components (
+  id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
+  vendor_id INTEGER NOT NULL,
+  name INTEGER NOT NULL,
+  qualifier INTEGER DEFAULT 0
+);
+
+
+DROP TABLE IF EXISTS key_component;
+CREATE TABLE key_component (
+  key INTEGER NOT NULL,
+  component INTEGER NOT NULL,
+  depth INTEGER DEFAULT 0,
+  seq_no INTEGER DEFAULT 0,
+  PRIMARY KEY (key, component)
+);
+
+
+DROP TABLE IF EXISTS component_hashes;
+CREATE TABLE component_hashes (
+  component INTEGER NOT NULL,
+  key INTEGER NOT NULL,
+  seq_no INTEGER NOT NULL,
+  pcr INTEGER NOT NULL,
+  algo INTEGER NOT NULL,
+  hash BLOB NOT NULL,
+  PRIMARY KEY(component, key, seq_no, algo)
+);
+
+DROP TABLE IF EXISTS packages;
+CREATE TABLE packages (
+  id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
+  name TEXT NOT NULL,
+  blacklist INTEGER DEFAULT 0
+);
+DROP INDEX IF EXISTS packages_name;
+CREATE INDEX packages_name ON packages (
+  name
+);
+
+DROP TABLE IF EXISTS versions;
+CREATE TABLE versions (
+  id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
+  package INTEGER NOT NULL REFERENCES packages(id),
+  product INTEGER NOT NULL REFERENCES products(id),
+  release TEXT NOT NULL,
+  security INTEGER DEFAULT 0,
+  blacklist INTEGER DEFAULT 0,
+  time INTEGER DEFAULT 0
+);
+DROP INDEX IF EXISTS versions_release;
+CREATE INDEX versions_release ON versions (
+  release
+);
+DROP INDEX IF EXISTS versions_package_product;
+CREATE INDEX versions_package_product ON versions (
+  package, product
+);
+
+DROP TABLE IF EXISTS devices;
+CREATE TABLE devices (
+  id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
+  description TEXT DEFAULT '',
+  value TEXT NOT NULL,
+  product INTEGER REFERENCES products(id),
+  created INTEGER
+);
+DROP INDEX IF EXISTS devices_id;
+CREATE INDEX devices_value ON devices (
+  value
+);
+
+DROP TABLE IF EXISTS identities;
+CREATE TABLE identities (
+  id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
+  type INTEGER NOT NULL,
+  value BLOB NOT NULL,
+  UNIQUE (type, value)
+);
+
diff --git a/src/libimcv/ita/ita_attr.c b/src/libimcv/ita/ita_attr.c
index 590bc9b5a..f3956717d 100644
--- a/src/libimcv/ita/ita_attr.c
+++ b/src/libimcv/ita/ita_attr.c
@@ -19,15 +19,17 @@
 #include "ita/ita_attr_get_settings.h"
 #include "ita/ita_attr_settings.h"
 #include "ita/ita_attr_angel.h"
+#include "ita/ita_attr_device_id.h"
 
-ENUM(ita_attr_names, ITA_ATTR_COMMAND, ITA_ATTR_ECHO,
+ENUM(ita_attr_names, ITA_ATTR_COMMAND, ITA_ATTR_DEVICE_ID,
 	"Command",
 	"Dummy",
 	"Get Settings",
 	"Settings",
 	"Start Angel",
 	"Stop Angel",
-	"Echo"
+	"Echo",
+	"Device ID"
 );
 
 /**
@@ -49,6 +51,8 @@ pa_tnc_attr_t* ita_attr_create_from_data(u_int32_t type, chunk_t value)
 			return ita_attr_angel_create_from_data(TRUE, value);
 		case ITA_ATTR_STOP_ANGEL:
 			return ita_attr_angel_create_from_data(FALSE, value);
+		case ITA_ATTR_DEVICE_ID:
+			return ita_attr_device_id_create_from_data(value);
 		default:
 			return NULL;
 	}
diff --git a/src/libimcv/ita/ita_attr.h b/src/libimcv/ita/ita_attr.h
index 446fa032a..ac5d8abaa 100644
--- a/src/libimcv/ita/ita_attr.h
+++ b/src/libimcv/ita/ita_attr.h
@@ -37,7 +37,8 @@ enum ita_attr_t {
 	ITA_ATTR_SETTINGS = 4,
 	ITA_ATTR_START_ANGEL = 5,
 	ITA_ATTR_STOP_ANGEL = 6,
-	ITA_ATTR_ECHO = 7
+	ITA_ATTR_ECHO = 7,
+	ITA_ATTR_DEVICE_ID = 8
 };
 
 /**
diff --git a/src/libimcv/ita/ita_attr_device_id.c b/src/libimcv/ita/ita_attr_device_id.c
new file mode 100644
index 000000000..36907eb34
--- /dev/null
+++ b/src/libimcv/ita/ita_attr_device_id.c
@@ -0,0 +1,144 @@
+/*
+ * Copyright (C) 2013 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "ita_attr.h"
+#include "ita_attr_device_id.h"
+
+#include <pen/pen.h>
+
+#include <utils/debug.h>
+
+typedef struct private_ita_attr_device_id_t private_ita_attr_device_id_t;
+
+/**
+ * Private data of an ita_attr_device_id_t object.
+ */
+struct private_ita_attr_device_id_t {
+
+	/**
+	 * Public members of ita_attr_device_id_t
+	 */
+	ita_attr_device_id_t public;
+
+	/**
+	 * Vendor-specific attribute type
+	 */
+	pen_type_t type;
+
+	/**
+	 * Attribute value
+	 */
+	chunk_t value;
+
+	/**
+	 * Noskip flag
+	 */
+	bool noskip_flag;
+
+	/**
+	 * Reference count
+	 */
+	refcount_t ref;
+};
+
+METHOD(pa_tnc_attr_t, get_type, pen_type_t,
+	private_ita_attr_device_id_t *this)
+{
+	return this->type;
+}
+
+METHOD(pa_tnc_attr_t, get_value, chunk_t,
+	private_ita_attr_device_id_t *this)
+{
+	return this->value;
+}
+
+METHOD(pa_tnc_attr_t, get_noskip_flag, bool,
+	private_ita_attr_device_id_t *this)
+{
+	return this->noskip_flag;
+}
+
+METHOD(pa_tnc_attr_t, set_noskip_flag,void,
+	private_ita_attr_device_id_t *this, bool noskip)
+{
+	this->noskip_flag = noskip;
+}
+
+METHOD(pa_tnc_attr_t, build, void,
+	private_ita_attr_device_id_t *this)
+{
+	return;
+}
+
+METHOD(pa_tnc_attr_t, process, status_t,
+	private_ita_attr_device_id_t *this, u_int32_t *offset)
+{
+	return SUCCESS;
+}
+
+METHOD(pa_tnc_attr_t, get_ref, pa_tnc_attr_t*,
+	private_ita_attr_device_id_t *this)
+{
+	ref_get(&this->ref);
+	return &this->public.pa_tnc_attribute;
+}
+
+METHOD(pa_tnc_attr_t, destroy, void,
+	private_ita_attr_device_id_t *this)
+{
+	if (ref_put(&this->ref))
+	{
+		free(this->value.ptr);
+		free(this);
+	}
+}
+
+/**
+ * Described in header.
+ */
+pa_tnc_attr_t *ita_attr_device_id_create_from_data(chunk_t value)
+{
+	private_ita_attr_device_id_t *this;
+
+	INIT(this,
+		.public = {
+			.pa_tnc_attribute = {
+				.get_type = _get_type,
+				.get_value = _get_value,
+				.get_noskip_flag = _get_noskip_flag,
+				.set_noskip_flag = _set_noskip_flag,
+				.build = _build,
+				.process = _process,
+				.get_ref = _get_ref,
+				.destroy = _destroy,
+			},
+		},
+		.type = { PEN_ITA, ITA_ATTR_DEVICE_ID },
+		.value = chunk_clone(value),
+		.ref = 1,
+	);
+
+	return &this->public.pa_tnc_attribute;
+}
+
+/**
+ * Described in header.
+ */
+pa_tnc_attr_t *ita_attr_device_id_create(chunk_t value)
+{
+	return ita_attr_device_id_create_from_data(value);
+}
+
diff --git a/src/libimcv/ita/ita_attr_device_id.h b/src/libimcv/ita/ita_attr_device_id.h
new file mode 100644
index 000000000..ffacdba1e
--- /dev/null
+++ b/src/libimcv/ita/ita_attr_device_id.h
@@ -0,0 +1,55 @@
+/*
+ * Copyright (C) 2013 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup ita_attr_device_id ita_attr_device_id
+ * @{ @ingroup ita_attr
+ */
+
+#ifndef ITA_ATTR_DEVICE_ID_H_
+#define ITA_ATTR_DEVICE_ID_H_
+
+typedef struct ita_attr_device_id_t ita_attr_device_id_t;
+
+#include "pa_tnc/pa_tnc_attr.h"
+
+/**
+ * Class implementing the ITA Device ID PA-TNC attribute.
+ *
+ */
+struct ita_attr_device_id_t {
+
+	/**
+	 * Public PA-TNC attribute interface
+	 */
+	pa_tnc_attr_t pa_tnc_attribute;
+
+};
+
+/**
+ * Creates an ita_attr_device_id_t object
+ *
+ * @param value				ITA Device ID attribute value
+ */
+pa_tnc_attr_t* ita_attr_device_id_create(chunk_t value);
+
+/**
+ * Creates an ita_attr_device_id_t object from received data
+ *
+ * @param value				binary value blob
+ */
+pa_tnc_attr_t* ita_attr_device_id_create_from_data(chunk_t value);
+
+#endif /** ITA_ATTR_DEVICE_ID_H_ @}*/
diff --git a/src/libimcv/ita/ita_attr_get_settings.c b/src/libimcv/ita/ita_attr_get_settings.c
index 0695af314..196613153 100644
--- a/src/libimcv/ita/ita_attr_get_settings.c
+++ b/src/libimcv/ita/ita_attr_get_settings.c
@@ -203,7 +203,7 @@ METHOD(ita_attr_get_settings_t, create_enumerator, enumerator_t*,
 /**
  * Described in header.
  */
-pa_tnc_attr_t *ita_attr_get_settings_create(void)
+pa_tnc_attr_t *ita_attr_get_settings_create(char *name)
 {
 	private_ita_attr_get_settings_t *this;
 
@@ -227,6 +227,10 @@ pa_tnc_attr_t *ita_attr_get_settings_create(void)
 		.ref = 1,
 	);
 
+	if (name)
+	{
+		add(this, name);
+	}
 	return &this->public.pa_tnc_attribute;
 }
 
diff --git a/src/libimcv/ita/ita_attr_get_settings.h b/src/libimcv/ita/ita_attr_get_settings.h
index 55306ecc8..975fd0d9d 100644
--- a/src/libimcv/ita/ita_attr_get_settings.h
+++ b/src/libimcv/ita/ita_attr_get_settings.h
@@ -52,9 +52,11 @@ struct ita_attr_get_settings_t {
 };
 
 /**
- * Creates an ita_attr_get_settings_t object with an empty settings list
+ * Creates an ita_attr_get_settings_t object with an optional first entry
+ *
+ * @param name				name of the requested setting or NULL
  */
-pa_tnc_attr_t* ita_attr_get_settings_create(void);
+pa_tnc_attr_t* ita_attr_get_settings_create(char *name);
 
 /**
  * Creates an ita_attr_get_settings_t object from received data
diff --git a/src/libimcv/os_info/os_info.c b/src/libimcv/os_info/os_info.c
index 2c49cb01d..17000cd27 100644
--- a/src/libimcv/os_info/os_info.c
+++ b/src/libimcv/os_info/os_info.c
@@ -182,8 +182,8 @@ METHOD(os_info_t, get_setting, chunk_t,
 	size_t i = 0;
 	chunk_t value;
 
-	if (!strneq(name, "/etc/", 5) && !strneq(name, "/proc/", 6) &&
-		!strneq(name, "/sys/", 5) && !strneq(name, "/var/", 5))
+	if (!strpfx(name, "/etc/") && !strpfx(name, "/proc/") &&
+		!strpfx(name, "/sys/") && !strpfx(name, "/var/"))
 	{
 		/**
 		 * In order to guarantee privacy, only settings from the
diff --git a/src/libimcv/plugins/imc_os/Makefile.am b/src/libimcv/plugins/imc_os/Makefile.am
index 0bfe776a5..83c46558b 100644
--- a/src/libimcv/plugins/imc_os/Makefile.am
+++ b/src/libimcv/plugins/imc_os/Makefile.am
@@ -1,8 +1,10 @@
-
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libtncif \
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libtncif \
 	-I$(top_srcdir)/src/libimcv
 
-AM_CFLAGS = -rdynamic
+AM_CFLAGS = \
+	-rdynamic
 
 imcv_LTLIBRARIES = imc-os.la
 
@@ -12,4 +14,3 @@ imc_os_la_LIBADD = $(top_builddir)/src/libimcv/libimcv.la \
 imc_os_la_SOURCES = imc_os.c imc_os_state.h imc_os_state.c
 
 imc_os_la_LDFLAGS = -module -avoid-version
-
diff --git a/src/libimcv/plugins/imc_os/Makefile.in b/src/libimcv/plugins/imc_os/Makefile.in
index 351e659ad..729fa8478 100644
--- a/src/libimcv/plugins/imc_os/Makefile.in
+++ b/src/libimcv/plugins/imc_os/Makefile.in
@@ -62,7 +62,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
@@ -102,7 +102,10 @@ imc_os_la_DEPENDENCIES = $(top_builddir)/src/libimcv/libimcv.la \
 	$(top_builddir)/src/libstrongswan/libstrongswan.la
 am_imc_os_la_OBJECTS = imc_os.lo imc_os_state.lo
 imc_os_la_OBJECTS = $(am_imc_os_la_OBJECTS)
-imc_os_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+imc_os_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
 	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
 	$(imc_os_la_LDFLAGS) $(LDFLAGS) -o $@
 DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
@@ -111,13 +114,26 @@ am__depfiles_maybe = depfiles
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
 SOURCES = $(imc_os_la_SOURCES)
 DIST_SOURCES = $(imc_os_la_SOURCES)
 am__can_run_installinfo = \
@@ -131,6 +147,7 @@ DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
@@ -143,6 +160,8 @@ CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
 CHECK_CFLAGS = @CHECK_CFLAGS@
 CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -158,6 +177,7 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
 GPRBUILD = @GPRBUILD@
 GREP = @GREP@
@@ -166,6 +186,7 @@ INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -212,6 +233,7 @@ SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -240,6 +262,7 @@ charon_natt_port = @charon_natt_port@
 charon_plugins = @charon_plugins@
 charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
@@ -317,10 +340,14 @@ top_srcdir = @top_srcdir@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libtncif \
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libtncif \
 	-I$(top_srcdir)/src/libimcv
 
-AM_CFLAGS = -rdynamic
+AM_CFLAGS = \
+	-rdynamic
+
 imcv_LTLIBRARIES = imc-os.la
 imc_os_la_LIBADD = $(top_builddir)/src/libimcv/libimcv.la \
 	$(top_builddir)/src/libstrongswan/libstrongswan.la
@@ -394,7 +421,7 @@ clean-imcvLTLIBRARIES:
 	  rm -f "$${dir}/so_locations"; \
 	done
 imc-os.la: $(imc_os_la_OBJECTS) $(imc_os_la_DEPENDENCIES) $(EXTRA_imc_os_la_DEPENDENCIES) 
-	$(imc_os_la_LINK) -rpath $(imcvdir) $(imc_os_la_OBJECTS) $(imc_os_la_LIBADD) $(LIBS)
+	$(AM_V_CCLD)$(imc_os_la_LINK) -rpath $(imcvdir) $(imc_os_la_OBJECTS) $(imc_os_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -406,25 +433,25 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/imc_os_state.Plo@am__quote@
 
 .c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
 mostlyclean-libtool:
 	-rm -f *.lo
diff --git a/src/libimcv/plugins/imc_os/imc_os.c b/src/libimcv/plugins/imc_os/imc_os.c
index f6e205ce7..2558be9f8 100644
--- a/src/libimcv/plugins/imc_os/imc_os.c
+++ b/src/libimcv/plugins/imc_os/imc_os.c
@@ -30,6 +30,7 @@
 #include <ita/ita_attr_get_settings.h>
 #include <ita/ita_attr_settings.h>
 #include <ita/ita_attr_angel.h>
+#include <ita/ita_attr_device_id.h>
 #include <os_info/os_info.h>
 
 #include <tncif_pa_subtypes.h>
@@ -213,7 +214,7 @@ static void add_fwd_enabled(imc_msg_t *msg)
 	os_fwd_status_t fwd_status;
 
 	fwd_status = os->get_fwd_status(os);
-	DBG1(DBG_IMC, "IPv4 forwarding status: %N",
+	DBG1(DBG_IMC, "IPv4 forwarding is %N",
 				   os_fwd_status_names, fwd_status);
 	attr = ietf_attr_fwd_enabled_create(fwd_status);
 	msg->add_attribute(msg, attr);
@@ -226,11 +227,42 @@ static void add_default_pwd_enabled(imc_msg_t *msg)
 {
 	pa_tnc_attr_t *attr;
 
-	DBG1(DBG_IMC, "factory default password: disabled");
+	DBG1(DBG_IMC, "factory default password is disabled");
 	attr = ietf_attr_default_pwd_enabled_create(FALSE);
 	msg->add_attribute(msg, attr);
 }
 
+/**
+ * Add ITA Device ID attribute to the send queue
+ */
+static void add_device_id(imc_msg_t *msg)
+{
+	pa_tnc_attr_t *attr;
+	chunk_t value;
+	char *name;
+
+	name = os->get_type(os) == OS_TYPE_ANDROID ?
+				  "android_id" : "/var/lib/dbus/machine-id";
+	value = os->get_setting(os, name);
+
+	if (value.len == 0)
+	{
+		DBG1(DBG_IMC, "no device ID available");
+		return;
+	}
+
+	/* trim trailing newline character */
+	if (value.ptr[value.len - 1] == '\n')
+	{
+		value.len--;
+	}
+
+	DBG1(DBG_IMC, "device ID is %.*s", value.len, value.ptr);
+	attr = ita_attr_device_id_create(value);
+	msg->add_attribute(msg, attr);
+	free(value.ptr);
+}
+
 /**
  * Add an IETF Installed Packages attribute to the send queue
  */
@@ -365,6 +397,7 @@ TNC_Result TNC_IMC_BeginHandshake(TNC_IMCID imc_id,
 		add_op_status(out_msg);
 		add_fwd_enabled(out_msg);
 		add_default_pwd_enabled(out_msg);
+		add_device_id(out_msg);
 
 		/* send PA-TNC message with the excl flag not set */
 		result = out_msg->send(out_msg, FALSE);
@@ -410,35 +443,45 @@ static TNC_Result receive_message(imc_state_t *state, imc_msg_t *in_msg)
 				e = attr_cast->create_enumerator(attr_cast);
 				while (e->enumerate(e, &entry))
 				{
-					if (entry->vendor_id != PEN_IETF)
+					if (entry->vendor_id == PEN_IETF)
 					{
-						continue;
+						switch (entry->type)
+						{
+							case IETF_ATTR_PRODUCT_INFORMATION:
+								add_product_info(out_msg);
+								break;
+							case IETF_ATTR_STRING_VERSION:
+								add_string_version(out_msg);
+								break;
+							case IETF_ATTR_NUMERIC_VERSION:
+								add_numeric_version(out_msg);
+								break;
+							case IETF_ATTR_OPERATIONAL_STATUS:
+								add_op_status(out_msg);
+								break;
+							case IETF_ATTR_FORWARDING_ENABLED:
+								add_fwd_enabled(out_msg);
+								break;
+							case IETF_ATTR_FACTORY_DEFAULT_PWD_ENABLED:
+								add_default_pwd_enabled(out_msg);
+								break;
+							case IETF_ATTR_INSTALLED_PACKAGES:
+								add_installed_packages(state, out_msg);
+								break;
+							default:
+								break;
+						}
 					}
-					switch (entry->type)
+					else if (entry->vendor_id == PEN_ITA)
 					{
-						case IETF_ATTR_PRODUCT_INFORMATION:
-							add_product_info(out_msg);
-							break;
-						case IETF_ATTR_STRING_VERSION:
-							add_string_version(out_msg);
-							break;
-						case IETF_ATTR_NUMERIC_VERSION:
-							add_numeric_version(out_msg);
-							break;
-						case IETF_ATTR_OPERATIONAL_STATUS:
-							add_op_status(out_msg);
-							break;
-						case IETF_ATTR_FORWARDING_ENABLED:
-							add_fwd_enabled(out_msg);
-							break;
-						case IETF_ATTR_FACTORY_DEFAULT_PWD_ENABLED:
-							add_default_pwd_enabled(out_msg);
-							break;
-						case IETF_ATTR_INSTALLED_PACKAGES:
-							add_installed_packages(state, out_msg);
-							break;
-						default:
-							break;
+						switch (entry->type)
+						{
+							case ITA_ATTR_DEVICE_ID:
+								add_device_id(out_msg);
+								break;
+							default:
+								break;
+						}
 					}
 				}
 				e->destroy(e);
diff --git a/src/libimcv/plugins/imc_scanner/Makefile.am b/src/libimcv/plugins/imc_scanner/Makefile.am
index f27d73b67..b294541c4 100644
--- a/src/libimcv/plugins/imc_scanner/Makefile.am
+++ b/src/libimcv/plugins/imc_scanner/Makefile.am
@@ -1,8 +1,10 @@
-
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libtncif \
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libtncif \
 	-I$(top_srcdir)/src/libimcv
 
-AM_CFLAGS = -rdynamic
+AM_CFLAGS = \
+	-rdynamic
 
 imcv_LTLIBRARIES = imc-scanner.la
 
@@ -12,4 +14,3 @@ imc_scanner_la_LIBADD = $(top_builddir)/src/libimcv/libimcv.la \
 imc_scanner_la_SOURCES = imc_scanner.c imc_scanner_state.h imc_scanner_state.c
 
 imc_scanner_la_LDFLAGS = -module -avoid-version
-
diff --git a/src/libimcv/plugins/imc_scanner/Makefile.in b/src/libimcv/plugins/imc_scanner/Makefile.in
index 7ac9e0812..39d3ae685 100644
--- a/src/libimcv/plugins/imc_scanner/Makefile.in
+++ b/src/libimcv/plugins/imc_scanner/Makefile.in
@@ -62,7 +62,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
@@ -102,22 +102,39 @@ imc_scanner_la_DEPENDENCIES = $(top_builddir)/src/libimcv/libimcv.la \
 	$(top_builddir)/src/libstrongswan/libstrongswan.la
 am_imc_scanner_la_OBJECTS = imc_scanner.lo imc_scanner_state.lo
 imc_scanner_la_OBJECTS = $(am_imc_scanner_la_OBJECTS)
-imc_scanner_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
-	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
-	$(imc_scanner_la_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+imc_scanner_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
+	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
+	$(AM_CFLAGS) $(CFLAGS) $(imc_scanner_la_LDFLAGS) $(LDFLAGS) -o \
+	$@
 DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
 depcomp = $(SHELL) $(top_srcdir)/depcomp
 am__depfiles_maybe = depfiles
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
 SOURCES = $(imc_scanner_la_SOURCES)
 DIST_SOURCES = $(imc_scanner_la_SOURCES)
 am__can_run_installinfo = \
@@ -131,6 +148,7 @@ DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
@@ -143,6 +161,8 @@ CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
 CHECK_CFLAGS = @CHECK_CFLAGS@
 CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -158,6 +178,7 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
 GPRBUILD = @GPRBUILD@
 GREP = @GREP@
@@ -166,6 +187,7 @@ INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -212,6 +234,7 @@ SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -240,6 +263,7 @@ charon_natt_port = @charon_natt_port@
 charon_plugins = @charon_plugins@
 charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
@@ -317,10 +341,14 @@ top_srcdir = @top_srcdir@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libtncif \
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libtncif \
 	-I$(top_srcdir)/src/libimcv
 
-AM_CFLAGS = -rdynamic
+AM_CFLAGS = \
+	-rdynamic
+
 imcv_LTLIBRARIES = imc-scanner.la
 imc_scanner_la_LIBADD = $(top_builddir)/src/libimcv/libimcv.la \
 	$(top_builddir)/src/libstrongswan/libstrongswan.la
@@ -394,7 +422,7 @@ clean-imcvLTLIBRARIES:
 	  rm -f "$${dir}/so_locations"; \
 	done
 imc-scanner.la: $(imc_scanner_la_OBJECTS) $(imc_scanner_la_DEPENDENCIES) $(EXTRA_imc_scanner_la_DEPENDENCIES) 
-	$(imc_scanner_la_LINK) -rpath $(imcvdir) $(imc_scanner_la_OBJECTS) $(imc_scanner_la_LIBADD) $(LIBS)
+	$(AM_V_CCLD)$(imc_scanner_la_LINK) -rpath $(imcvdir) $(imc_scanner_la_OBJECTS) $(imc_scanner_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -406,25 +434,25 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/imc_scanner_state.Plo@am__quote@
 
 .c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
 mostlyclean-libtool:
 	-rm -f *.lo
diff --git a/src/libimcv/plugins/imc_test/Makefile.am b/src/libimcv/plugins/imc_test/Makefile.am
index b55e7bcd4..b1a719ab4 100644
--- a/src/libimcv/plugins/imc_test/Makefile.am
+++ b/src/libimcv/plugins/imc_test/Makefile.am
@@ -1,8 +1,10 @@
-
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libtncif \
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libtncif \
 	-I$(top_srcdir)/src/libimcv
 
-AM_CFLAGS = -rdynamic
+AM_CFLAGS = \
+	-rdynamic
 
 imcv_LTLIBRARIES = imc-test.la
 
@@ -12,4 +14,3 @@ imc_test_la_LIBADD = $(top_builddir)/src/libimcv/libimcv.la \
 imc_test_la_SOURCES = imc_test.c imc_test_state.h imc_test_state.c
 
 imc_test_la_LDFLAGS = -module -avoid-version
-
diff --git a/src/libimcv/plugins/imc_test/Makefile.in b/src/libimcv/plugins/imc_test/Makefile.in
index 1a3e64e38..5cc1f0d7b 100644
--- a/src/libimcv/plugins/imc_test/Makefile.in
+++ b/src/libimcv/plugins/imc_test/Makefile.in
@@ -62,7 +62,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
@@ -102,7 +102,10 @@ imc_test_la_DEPENDENCIES = $(top_builddir)/src/libimcv/libimcv.la \
 	$(top_builddir)/src/libstrongswan/libstrongswan.la
 am_imc_test_la_OBJECTS = imc_test.lo imc_test_state.lo
 imc_test_la_OBJECTS = $(am_imc_test_la_OBJECTS)
-imc_test_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+imc_test_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
 	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
 	$(imc_test_la_LDFLAGS) $(LDFLAGS) -o $@
 DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
@@ -111,13 +114,26 @@ am__depfiles_maybe = depfiles
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
 SOURCES = $(imc_test_la_SOURCES)
 DIST_SOURCES = $(imc_test_la_SOURCES)
 am__can_run_installinfo = \
@@ -131,6 +147,7 @@ DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
@@ -143,6 +160,8 @@ CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
 CHECK_CFLAGS = @CHECK_CFLAGS@
 CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -158,6 +177,7 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
 GPRBUILD = @GPRBUILD@
 GREP = @GREP@
@@ -166,6 +186,7 @@ INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -212,6 +233,7 @@ SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -240,6 +262,7 @@ charon_natt_port = @charon_natt_port@
 charon_plugins = @charon_plugins@
 charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
@@ -317,10 +340,14 @@ top_srcdir = @top_srcdir@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libtncif \
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libtncif \
 	-I$(top_srcdir)/src/libimcv
 
-AM_CFLAGS = -rdynamic
+AM_CFLAGS = \
+	-rdynamic
+
 imcv_LTLIBRARIES = imc-test.la
 imc_test_la_LIBADD = $(top_builddir)/src/libimcv/libimcv.la \
 	$(top_builddir)/src/libstrongswan/libstrongswan.la
@@ -394,7 +421,7 @@ clean-imcvLTLIBRARIES:
 	  rm -f "$${dir}/so_locations"; \
 	done
 imc-test.la: $(imc_test_la_OBJECTS) $(imc_test_la_DEPENDENCIES) $(EXTRA_imc_test_la_DEPENDENCIES) 
-	$(imc_test_la_LINK) -rpath $(imcvdir) $(imc_test_la_OBJECTS) $(imc_test_la_LIBADD) $(LIBS)
+	$(AM_V_CCLD)$(imc_test_la_LINK) -rpath $(imcvdir) $(imc_test_la_OBJECTS) $(imc_test_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -406,25 +433,25 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/imc_test_state.Plo@am__quote@
 
 .c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
 mostlyclean-libtool:
 	-rm -f *.lo
diff --git a/src/libimcv/plugins/imv_os/Makefile.am b/src/libimcv/plugins/imv_os/Makefile.am
index 58edc6963..4713b0913 100644
--- a/src/libimcv/plugins/imv_os/Makefile.am
+++ b/src/libimcv/plugins/imv_os/Makefile.am
@@ -1,8 +1,10 @@
-
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libtncif \
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libtncif \
 	-I$(top_srcdir)/src/libimcv
 
-AM_CFLAGS = -rdynamic
+AM_CFLAGS = \
+	-rdynamic
 
 imcv_LTLIBRARIES = imv-os.la
 
@@ -11,14 +13,14 @@ imv_os_la_LIBADD = $(top_builddir)/src/libimcv/libimcv.la \
 
 imv_os_la_SOURCES = \
 	imv_os.c imv_os_state.h imv_os_state.c \
+	imv_os_agent.h imv_os_agent.c \
 	imv_os_database.c imv_os_database.h
 
 imv_os_la_LDFLAGS = -module -avoid-version
 
 ipsec_PROGRAMS = pacman
-pacman_SOURCES = pacman.c 
+pacman_SOURCES = pacman.c
 pacman_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la
 pacman.o :	$(top_builddir)/config.status
 
 EXTRA_DIST = pacman.sh
-
diff --git a/src/libimcv/plugins/imv_os/Makefile.in b/src/libimcv/plugins/imv_os/Makefile.in
index e375f7cbb..1718be000 100644
--- a/src/libimcv/plugins/imv_os/Makefile.in
+++ b/src/libimcv/plugins/imv_os/Makefile.in
@@ -64,7 +64,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
@@ -102,9 +102,13 @@ am__installdirs = "$(DESTDIR)$(imcvdir)" "$(DESTDIR)$(ipsecdir)"
 LTLIBRARIES = $(imcv_LTLIBRARIES)
 imv_os_la_DEPENDENCIES = $(top_builddir)/src/libimcv/libimcv.la \
 	$(top_builddir)/src/libstrongswan/libstrongswan.la
-am_imv_os_la_OBJECTS = imv_os.lo imv_os_state.lo imv_os_database.lo
+am_imv_os_la_OBJECTS = imv_os.lo imv_os_state.lo imv_os_agent.lo \
+	imv_os_database.lo
 imv_os_la_OBJECTS = $(am_imv_os_la_OBJECTS)
-imv_os_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+imv_os_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
 	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
 	$(imv_os_la_LDFLAGS) $(LDFLAGS) -o $@
 PROGRAMS = $(ipsec_PROGRAMS)
@@ -118,13 +122,26 @@ am__depfiles_maybe = depfiles
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
 SOURCES = $(imv_os_la_SOURCES) $(pacman_SOURCES)
 DIST_SOURCES = $(imv_os_la_SOURCES) $(pacman_SOURCES)
 am__can_run_installinfo = \
@@ -138,6 +155,7 @@ DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
@@ -150,6 +168,8 @@ CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
 CHECK_CFLAGS = @CHECK_CFLAGS@
 CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -165,6 +185,7 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
 GPRBUILD = @GPRBUILD@
 GREP = @GREP@
@@ -173,6 +194,7 @@ INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -219,6 +241,7 @@ SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -247,6 +270,7 @@ charon_natt_port = @charon_natt_port@
 charon_plugins = @charon_plugins@
 charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
@@ -324,20 +348,25 @@ top_srcdir = @top_srcdir@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libtncif \
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libtncif \
 	-I$(top_srcdir)/src/libimcv
 
-AM_CFLAGS = -rdynamic
+AM_CFLAGS = \
+	-rdynamic
+
 imcv_LTLIBRARIES = imv-os.la
 imv_os_la_LIBADD = $(top_builddir)/src/libimcv/libimcv.la \
 	$(top_builddir)/src/libstrongswan/libstrongswan.la
 
 imv_os_la_SOURCES = \
 	imv_os.c imv_os_state.h imv_os_state.c \
+	imv_os_agent.h imv_os_agent.c \
 	imv_os_database.c imv_os_database.h
 
 imv_os_la_LDFLAGS = -module -avoid-version
-pacman_SOURCES = pacman.c 
+pacman_SOURCES = pacman.c
 pacman_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la
 EXTRA_DIST = pacman.sh
 all: all-am
@@ -407,7 +436,7 @@ clean-imcvLTLIBRARIES:
 	  rm -f "$${dir}/so_locations"; \
 	done
 imv-os.la: $(imv_os_la_OBJECTS) $(imv_os_la_DEPENDENCIES) $(EXTRA_imv_os_la_DEPENDENCIES) 
-	$(imv_os_la_LINK) -rpath $(imcvdir) $(imv_os_la_OBJECTS) $(imv_os_la_LIBADD) $(LIBS)
+	$(AM_V_CCLD)$(imv_os_la_LINK) -rpath $(imcvdir) $(imv_os_la_OBJECTS) $(imv_os_la_LIBADD) $(LIBS)
 install-ipsecPROGRAMS: $(ipsec_PROGRAMS)
 	@$(NORMAL_INSTALL)
 	@list='$(ipsec_PROGRAMS)'; test -n "$(ipsecdir)" || list=; \
@@ -456,7 +485,7 @@ clean-ipsecPROGRAMS:
 	rm -f $$list
 pacman$(EXEEXT): $(pacman_OBJECTS) $(pacman_DEPENDENCIES) $(EXTRA_pacman_DEPENDENCIES) 
 	@rm -f pacman$(EXEEXT)
-	$(LINK) $(pacman_OBJECTS) $(pacman_LDADD) $(LIBS)
+	$(AM_V_CCLD)$(LINK) $(pacman_OBJECTS) $(pacman_LDADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -465,30 +494,31 @@ distclean-compile:
 	-rm -f *.tab.c
 
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/imv_os.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/imv_os_agent.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/imv_os_database.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/imv_os_state.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pacman.Po@am__quote@
 
 .c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
 mostlyclean-libtool:
 	-rm -f *.lo
diff --git a/src/libimcv/plugins/imv_os/imv_os.c b/src/libimcv/plugins/imv_os/imv_os.c
index f1cb74e50..ba0fa8153 100644
--- a/src/libimcv/plugins/imv_os/imv_os.c
+++ b/src/libimcv/plugins/imv_os/imv_os.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2012-2013 Andreas Steffen
+ * Copyright (C) 2013 Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -13,599 +13,12 @@
  * for more details.
  */
 
-#include "imv_os_state.h"
-#include "imv_os_database.h"
-
-#include <imv/imv_agent.h>
-#include <imv/imv_msg.h>
-#include <ietf/ietf_attr.h>
-#include <ietf/ietf_attr_attr_request.h>
-#include <ietf/ietf_attr_default_pwd_enabled.h>
-#include <ietf/ietf_attr_fwd_enabled.h>
-#include <ietf/ietf_attr_installed_packages.h>
-#include <ietf/ietf_attr_numeric_version.h>
-#include <ietf/ietf_attr_op_status.h>
-#include <ietf/ietf_attr_pa_tnc_error.h>
-#include <ietf/ietf_attr_product_info.h>
-#include <ietf/ietf_attr_remediation_instr.h>
-#include <ietf/ietf_attr_string_version.h>
-#include <ita/ita_attr.h>
-#include <ita/ita_attr_get_settings.h>
-#include <ita/ita_attr_settings.h>
-#include <ita/ita_attr_angel.h>
-
-#include <tncif_names.h>
-#include <tncif_pa_subtypes.h>
-
-#include <pen/pen.h>
-#include <collections/linked_list.h>
-#include <utils/debug.h>
-#include <utils/lexparser.h>
-
-/* IMV definitions */
+#include "imv_os_agent.h"
 
 static const char imv_name[] = "OS";
+static const imv_agent_create_t imv_agent_create = imv_os_agent_create;
 
-static pen_type_t msg_types[] = {
-	{ PEN_IETF, PA_SUBTYPE_IETF_OPERATING_SYSTEM }
-};
-
-static imv_agent_t *imv_os;
-
-/**
- * IMV OS database
- */
-static imv_os_database_t *os_db;
-
-/*
- * see section 3.8.1 of TCG TNC IF-IMV Specification 1.3
- */
-TNC_Result TNC_IMV_Initialize(TNC_IMVID imv_id,
-							  TNC_Version min_version,
-							  TNC_Version max_version,
-							  TNC_Version *actual_version)
-{
-	char *uri;
-
-	if (imv_os)
-	{
-		DBG1(DBG_IMV, "IMV \"%s\" has already been initialized", imv_name);
-		return TNC_RESULT_ALREADY_INITIALIZED;
-	}
-	imv_os = imv_agent_create(imv_name, msg_types, countof(msg_types),
-							  imv_id, actual_version);
-	if (!imv_os)
-	{
-		return TNC_RESULT_FATAL;
-	}
-	if (min_version > TNC_IFIMV_VERSION_1 || max_version < TNC_IFIMV_VERSION_1)
-	{
-		DBG1(DBG_IMV, "no common IF-IMV version");
-		return TNC_RESULT_NO_COMMON_VERSION;
-	}
-
-	/* attach OS database */
-	uri = lib->settings->get_str(lib->settings,
-				"libimcv.plugins.imv-os.database", NULL);
-	if (uri)
-	{
-		os_db = imv_os_database_create(uri);
-	}
-
-	return TNC_RESULT_SUCCESS;
-}
-
-/**
- * see section 3.8.2 of TCG TNC IF-IMV Specification 1.3
- */
-TNC_Result TNC_IMV_NotifyConnectionChange(TNC_IMVID imv_id,
-										  TNC_ConnectionID connection_id,
-										  TNC_ConnectionState new_state)
-{
-	imv_state_t *state;
-
-	if (!imv_os)
-	{
-		DBG1(DBG_IMV, "IMV \"%s\" has not been initialized", imv_name);
-		return TNC_RESULT_NOT_INITIALIZED;
-	}
-	switch (new_state)
-	{
-		case TNC_CONNECTION_STATE_CREATE:
-			state = imv_os_state_create(connection_id);
-			return imv_os->create_state(imv_os, state);
-		case TNC_CONNECTION_STATE_DELETE:
-			return imv_os->delete_state(imv_os, connection_id);
-		default:
-			return imv_os->change_state(imv_os, connection_id,
-											 new_state, NULL);
-	}
-}
-
-static TNC_Result receive_message(imv_state_t *state, imv_msg_t *in_msg)
-{
-	imv_msg_t *out_msg;
-	imv_os_state_t *os_state;
-	enumerator_t *enumerator;
-	pa_tnc_attr_t *attr;
-	pen_type_t type;
-	TNC_Result result;
-	chunk_t os_name = chunk_empty;
-	chunk_t os_version = chunk_empty;
-	bool fatal_error = FALSE, assessment = FALSE;
-	char non_market_apps_str[] = "install_non_market_apps";
-	char android_id_str[] = "android_id";
-	char machine_id_str[] = "/var/lib/dbus/machine-id";
-
-	os_state = (imv_os_state_t*)state;
-
-	/* parse received PA-TNC message and handle local and remote errors */
-	result = in_msg->receive(in_msg, &fatal_error);
-	if (result != TNC_RESULT_SUCCESS)
-	{
-		return result;
-	}
-
-	out_msg = imv_msg_create_as_reply(in_msg);
-
-	/* analyze PA-TNC attributes */
-	enumerator = in_msg->create_attribute_enumerator(in_msg);
-	while (enumerator->enumerate(enumerator, &attr))
-	{
-		type = attr->get_type(attr);
-
-		if (type.vendor_id == PEN_IETF)
-		{
-			switch (type.type)
-			{
-				case IETF_ATTR_PRODUCT_INFORMATION:
-				{
-					ietf_attr_product_info_t *attr_cast;
-					pen_t vendor_id;
-
-					attr_cast = (ietf_attr_product_info_t*)attr;
-					os_name = attr_cast->get_info(attr_cast, &vendor_id, NULL);
-					if (vendor_id != PEN_IETF)
-					{
-						DBG1(DBG_IMV, "operating system name is '%.*s' "
-									  "from vendor %N", os_name.len, os_name.ptr,
-									   pen_names, vendor_id);
-					}
-					else
-					{
-						DBG1(DBG_IMV, "operating system name is '%.*s'",
-									   os_name.len, os_name.ptr);
-					}
-					break;
-				}
-				case IETF_ATTR_STRING_VERSION:
-				{
-					ietf_attr_string_version_t *attr_cast;
-
-					attr_cast = (ietf_attr_string_version_t*)attr;
-					os_version = attr_cast->get_version(attr_cast, NULL, NULL);
-					if (os_version.len)
-					{
-						DBG1(DBG_IMV, "operating system version is '%.*s'",
-									   os_version.len, os_version.ptr);
-					}
-					break;
-				}
-				case IETF_ATTR_NUMERIC_VERSION:
-				{
-					ietf_attr_numeric_version_t *attr_cast;
-					u_int32_t major, minor;
-
-					attr_cast = (ietf_attr_numeric_version_t*)attr;
-					attr_cast->get_version(attr_cast, &major, &minor);
-					DBG1(DBG_IMV, "operating system numeric version is %d.%d",
-								   major, minor);
-					break;
-				}
-				case IETF_ATTR_OPERATIONAL_STATUS:
-				{
-					ietf_attr_op_status_t *attr_cast;
-					op_status_t op_status;
-					op_result_t op_result;
-					time_t last_boot;
-
-					attr_cast = (ietf_attr_op_status_t*)attr;
-					op_status = attr_cast->get_status(attr_cast);
-					op_result = attr_cast->get_result(attr_cast);
-					last_boot = attr_cast->get_last_use(attr_cast);
-					DBG1(DBG_IMV, "operational status: %N, result: %N",
-						 op_status_names, op_status, op_result_names, op_result);
-					DBG1(DBG_IMV, "last boot: %T", &last_boot, TRUE);
-					break;
-				}
-				case IETF_ATTR_FORWARDING_ENABLED:
-				{
-					ietf_attr_fwd_enabled_t *attr_cast;
-					os_fwd_status_t fwd_status;
-
-					attr_cast = (ietf_attr_fwd_enabled_t*)attr;
-					fwd_status = attr_cast->get_status(attr_cast);
-					DBG1(DBG_IMV, "IPv4 forwarding status: %N",
-								   os_fwd_status_names, fwd_status);
-					if (fwd_status == OS_FWD_ENABLED)
-					{
-						os_state->set_os_settings(os_state,
-											OS_SETTINGS_FWD_ENABLED);
-					}
-					break;
-				}
-				case IETF_ATTR_FACTORY_DEFAULT_PWD_ENABLED:
-				{
-					ietf_attr_default_pwd_enabled_t *attr_cast;
-					bool default_pwd_status;
-
-					attr_cast = (ietf_attr_default_pwd_enabled_t*)attr;
-					default_pwd_status = attr_cast->get_status(attr_cast);
-					DBG1(DBG_IMV, "factory default password: %sabled",
-								   default_pwd_status ? "en":"dis");
-					if (default_pwd_status)
-					{
-						os_state->set_os_settings(os_state,
-											OS_SETTINGS_DEFAULT_PWD_ENABLED);
-					}
-					break;
-				}
-				case IETF_ATTR_INSTALLED_PACKAGES:
-				{
-					ietf_attr_installed_packages_t *attr_cast;
-					enumerator_t *e;
-					status_t status;
-
-					/* Received at least one Installed Packages attribute */
-					os_state->set_package_request(os_state, FALSE);
-
-					if (!os_db)
-					{
-						break;
-					}
-					attr_cast = (ietf_attr_installed_packages_t*)attr;
-
-					e = attr_cast->create_enumerator(attr_cast);
-					status = os_db->check_packages(os_db, os_state, e);
-					e->destroy(e);
-
-					if (status == FAILED)
-					{
-						state->set_recommendation(state,
-								TNC_IMV_ACTION_RECOMMENDATION_NO_RECOMMENDATION,
-								TNC_IMV_EVALUATION_RESULT_ERROR);
-						assessment = TRUE;
-					}
-					break;
-				}
-				default:
-					break;
-			}
-		}
-		else if (type.vendor_id == PEN_ITA)
-		{
-			switch (type.type)
-			{
-				case ITA_ATTR_SETTINGS:
-				{
-					ita_attr_settings_t *attr_cast;
-					enumerator_t *e;
-					char *name;
-					chunk_t value;
-
-					attr_cast = (ita_attr_settings_t*)attr;
-					e = attr_cast->create_enumerator(attr_cast);
-					while (e->enumerate(e, &name, &value))
-					{
-						if (streq(name, non_market_apps_str) &&
-							chunk_equals(value, chunk_from_chars('1')))
-						{
-							os_state->set_os_settings(os_state,
-												OS_SETTINGS_NON_MARKET_APPS);
-						}
-						else if ((streq(name, android_id_str) ||
-								  streq(name, machine_id_str)) && os_db)
-						{
-							os_state->set_device_id(os_state,
-										os_db->get_device_id(os_db, value));
-						}
-						DBG1(DBG_IMV, "setting '%s'\n  %.*s",
-							 name, value.len, value.ptr);
-					}
-					e->destroy(e);
-					break;
-				}
-				case ITA_ATTR_START_ANGEL:
-					os_state->set_angel_count(os_state, TRUE);
-					break;
-				case ITA_ATTR_STOP_ANGEL:
-					os_state->set_angel_count(os_state, FALSE);
-					break;
-				default:
-					break;
-			}
-		}
-	}
-	enumerator->destroy(enumerator);
-
-	if (os_name.len && os_version.len)
-	{
-		os_type_t os_type;
-		ita_attr_get_settings_t *attr_cast;
-
-		/* set the OS type, name and version */
-		os_type = os_type_from_name(os_name);
-		os_state->set_info(os_state,os_type, os_name, os_version);
+/* include generic TGC TNC IF-IMV API code below */
 
-		/* requesting installed packages */
-		os_state->set_package_request(os_state, TRUE);
-		attr = ietf_attr_attr_request_create(PEN_IETF,
-											 IETF_ATTR_INSTALLED_PACKAGES);
-		out_msg->add_attribute(out_msg, attr);
+#include <imv/imv_if.h>
 
-		/* requesting Android or Linux settings */
-		attr = ita_attr_get_settings_create();
-		attr_cast = (ita_attr_get_settings_t*)attr;
-
-		if (os_type == OS_TYPE_ANDROID)
-		{
-			attr_cast->add(attr_cast, android_id_str);
-			attr_cast->add(attr_cast, non_market_apps_str);
-		}
-		else
-		{
-			attr_cast->add(attr_cast, machine_id_str);
-			attr_cast->add(attr_cast, "/proc/sys/kernel/tainted");
-		}
-		out_msg->add_attribute(out_msg, attr);
-	}
-
-	if (fatal_error ||
-	   (os_state->get_attribute_request(os_state) &&
-		os_state->get_info(os_state, NULL, NULL, NULL) == NULL))
-	{
-		state->set_recommendation(state,
-								TNC_IMV_ACTION_RECOMMENDATION_NO_RECOMMENDATION,
-								TNC_IMV_EVALUATION_RESULT_ERROR);
-		assessment = TRUE;
-	}
-
-	/* If all Installed Packages attributes were received, go to assessment */
-	if (!assessment &&
-		!os_state->get_package_request(os_state) &&
-		!os_state->get_angel_count(os_state) &&
-		 os_state->get_info(os_state, NULL, NULL, NULL))
-	{
-		int device_id, count, count_update, count_blacklist, count_ok;
-		u_int os_settings;
-		u_int32_t id_type;
-		chunk_t id_value;
-
-		os_settings = os_state->get_os_settings(os_state);
-		os_state->get_count(os_state, &count, &count_update, &count_blacklist,
-									  &count_ok);
-		DBG1(DBG_IMV, "processed %d packages: %d not updated, %d blacklisted, "
-			 "%d ok, %d not found", count, count_update, count_blacklist,
-			 count_ok, count - count_update - count_blacklist - count_ok);
-
-		/* Store device information in database */
-		device_id = os_state->get_device_id(os_state);
-		id_value = state->get_ar_id(state, &id_type);
-		if (os_db && device_id)
-		{
-			os_db->set_device_info(os_db, device_id, id_type, id_value,
-						os_state->get_info(os_state, NULL, NULL, NULL),
-						count, count_update, count_blacklist, os_settings);
-		}
-
-		if (count_update || count_blacklist || os_settings)
-		{
-			state->set_recommendation(state,
-								TNC_IMV_ACTION_RECOMMENDATION_ISOLATE,
-								TNC_IMV_EVALUATION_RESULT_NONCOMPLIANT_MINOR);
-		}
-		else
-		{
-			state->set_recommendation(state,
-								TNC_IMV_ACTION_RECOMMENDATION_ALLOW,
-								TNC_IMV_EVALUATION_RESULT_COMPLIANT);
-		}
-		assessment = TRUE;
-	}
-
-	if (assessment)
-	{
-		result = out_msg->send_assessment(out_msg);
-		out_msg->destroy(out_msg);
-		if (result != TNC_RESULT_SUCCESS)
-		{
-			return result;
-		}  
-		return imv_os->provide_recommendation(imv_os, state);
-	}
-
-	/* send PA-TNC message with excl flag set */ 
-	result = out_msg->send(out_msg, TRUE);
-	out_msg->destroy(out_msg);
-
-	return result;
- }
-
-/**
- * see section 3.8.4 of TCG TNC IF-IMV Specification 1.3
- */
-TNC_Result TNC_IMV_ReceiveMessage(TNC_IMVID imv_id,
-								  TNC_ConnectionID connection_id,
-								  TNC_BufferReference msg,
-								  TNC_UInt32 msg_len,
-								  TNC_MessageType msg_type)
-{
-	imv_state_t *state;
-	imv_msg_t *in_msg;
-	TNC_Result result;
-
-	if (!imv_os)
-	{
-		DBG1(DBG_IMV, "IMV \"%s\" has not been initialized", imv_name);
-		return TNC_RESULT_NOT_INITIALIZED;
-	}
-	if (!imv_os->get_state(imv_os, connection_id, &state))
-	{
-		return TNC_RESULT_FATAL;
-	}
-	in_msg = imv_msg_create_from_data(imv_os, state, connection_id, msg_type,
-									  chunk_create(msg, msg_len));
-	result = receive_message(state, in_msg);
-	in_msg->destroy(in_msg);
-
-	return result;
-}
-
-/**
- * see section 3.8.6 of TCG TNC IF-IMV Specification 1.3
- */
-TNC_Result TNC_IMV_ReceiveMessageLong(TNC_IMVID imv_id,
-									  TNC_ConnectionID connection_id,
-									  TNC_UInt32 msg_flags,
-									  TNC_BufferReference msg,
-									  TNC_UInt32 msg_len,
-									  TNC_VendorID msg_vid,
-									  TNC_MessageSubtype msg_subtype,
-									  TNC_UInt32 src_imc_id,
-									  TNC_UInt32 dst_imv_id)
-{
-	imv_state_t *state;
-	imv_msg_t *in_msg;
-	TNC_Result result;
-
-	if (!imv_os)
-	{
-		DBG1(DBG_IMV, "IMV \"%s\" has not been initialized", imv_name);
-		return TNC_RESULT_NOT_INITIALIZED;
-	}
-	if (!imv_os->get_state(imv_os, connection_id, &state))
-	{
-		return TNC_RESULT_FATAL;
-	}
-	in_msg = imv_msg_create_from_long_data(imv_os, state, connection_id,
-								src_imc_id, dst_imv_id, msg_vid, msg_subtype,
-								chunk_create(msg, msg_len));
-	result =receive_message(state, in_msg);
-	in_msg->destroy(in_msg);
-
-	return result;
-}
-
-/**
- * see section 3.8.7 of TCG TNC IF-IMV Specification 1.3
- */
-TNC_Result TNC_IMV_SolicitRecommendation(TNC_IMVID imv_id,
-										 TNC_ConnectionID connection_id)
-{
-	imv_state_t *state;
-
-	if (!imv_os)
-	{
-		DBG1(DBG_IMV, "IMV \"%s\" has not been initialized", imv_name);
-		return TNC_RESULT_NOT_INITIALIZED;
-	}
-	if (!imv_os->get_state(imv_os, connection_id, &state))
-	{
-		return TNC_RESULT_FATAL;
-	}
-	return imv_os->provide_recommendation(imv_os, state);
-}
-
-/**
- * see section 3.8.8 of TCG TNC IF-IMV Specification 1.3
- */
-TNC_Result TNC_IMV_BatchEnding(TNC_IMVID imv_id,
-							   TNC_ConnectionID connection_id)
-{
-	imv_state_t *state;
-	imv_os_state_t *os_state;
-	TNC_IMV_Action_Recommendation rec;
-	TNC_IMV_Evaluation_Result eval;
-	TNC_Result result = TNC_RESULT_SUCCESS;
-
-	if (!imv_os)
-	{
-		DBG1(DBG_IMV, "IMV \"%s\" has not been initialized", imv_name);
-		return TNC_RESULT_NOT_INITIALIZED;
-	}
-	if (!imv_os->get_state(imv_os, connection_id, &state))
-	{
-		return TNC_RESULT_FATAL;
-	}
-	os_state = (imv_os_state_t*)state;
-
-	state->get_recommendation(state, &rec, &eval);
-
-	/*
-	 * Don't send an attribute request if an evaluation is available 
-	 * or if an attribute request has already been sent
-	 */
-	if (eval != TNC_IMV_EVALUATION_RESULT_DONT_KNOW ||
-		os_state->get_attribute_request(os_state))
-	{
-		return TNC_RESULT_SUCCESS;
-	}
-
-	if (os_state->get_info(os_state, NULL, NULL, NULL) == NULL)
-	{
-		imv_msg_t *out_msg;
-		pa_tnc_attr_t *attr;
-		ietf_attr_attr_request_t *attr_cast;
-
-		out_msg = imv_msg_create(imv_os, state, connection_id, imv_id,
-								 TNC_IMCID_ANY, msg_types[0]);
-		attr = ietf_attr_attr_request_create(PEN_IETF,
-											 IETF_ATTR_PRODUCT_INFORMATION);
-		attr_cast = (ietf_attr_attr_request_t*)attr;
-		attr_cast->add(attr_cast, PEN_IETF, IETF_ATTR_STRING_VERSION);
-		attr_cast->add(attr_cast, PEN_IETF, IETF_ATTR_NUMERIC_VERSION);
-		attr_cast->add(attr_cast, PEN_IETF, IETF_ATTR_OPERATIONAL_STATUS);
-		attr_cast->add(attr_cast, PEN_IETF, IETF_ATTR_FORWARDING_ENABLED);
-		attr_cast->add(attr_cast, PEN_IETF, IETF_ATTR_FACTORY_DEFAULT_PWD_ENABLED);
-		out_msg->add_attribute(out_msg, attr);
-		os_state->set_attribute_request(os_state, TRUE);
-
-		/* send PA-TNC message with excl flag not set */
-		result = out_msg->send(out_msg, FALSE);
-		out_msg->destroy(out_msg);
-	}
-
-	return result;
-}
-
-/**
- * see section 3.8.9 of TCG TNC IF-IMV Specification 1.3
- */
-TNC_Result TNC_IMV_Terminate(TNC_IMVID imv_id)
-{
-	if (!imv_os)
-	{
-		DBG1(DBG_IMV, "IMV \"%s\" has not been initialized", imv_name);
-		return TNC_RESULT_NOT_INITIALIZED;
-	}
-	DESTROY_IF(os_db);
-
-	imv_os->destroy(imv_os);
-	imv_os = NULL;
-
-	return TNC_RESULT_SUCCESS;
-}
-
-/**
- * see section 4.2.8.1 of TCG TNC IF-IMV Specification 1.3
- */
-TNC_Result TNC_IMV_ProvideBindFunction(TNC_IMVID imv_id,
-									   TNC_TNCS_BindFunctionPointer bind_function)
-{
-	if (!imv_os)
-	{
-		DBG1(DBG_IMV, "IMV \"%s\" has not been initialized", imv_name);
-		return TNC_RESULT_NOT_INITIALIZED;
-	}
-	return imv_os->bind_functions(imv_os, bind_function);
-}
diff --git a/src/libimcv/plugins/imv_os/imv_os_agent.c b/src/libimcv/plugins/imv_os/imv_os_agent.c
new file mode 100644
index 000000000..ba3f3afc6
--- /dev/null
+++ b/src/libimcv/plugins/imv_os/imv_os_agent.c
@@ -0,0 +1,805 @@
+/*
+ * Copyright (C) 2013 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#define _GNU_SOURCE
+#include <stdio.h>
+
+#include "imv_os_agent.h"
+#include "imv_os_state.h"
+#include "imv_os_database.h"
+
+#include <imcv.h>
+#include <imv/imv_agent.h>
+#include <imv/imv_msg.h>
+#include <ietf/ietf_attr.h>
+#include <ietf/ietf_attr_attr_request.h>
+#include <ietf/ietf_attr_default_pwd_enabled.h>
+#include <ietf/ietf_attr_fwd_enabled.h>
+#include <ietf/ietf_attr_installed_packages.h>
+#include <ietf/ietf_attr_numeric_version.h>
+#include <ietf/ietf_attr_op_status.h>
+#include <ietf/ietf_attr_pa_tnc_error.h>
+#include <ietf/ietf_attr_product_info.h>
+#include <ietf/ietf_attr_remediation_instr.h>
+#include <ietf/ietf_attr_string_version.h>
+#include <ita/ita_attr.h>
+#include <ita/ita_attr_get_settings.h>
+#include <ita/ita_attr_settings.h>
+#include <ita/ita_attr_angel.h>
+#include <ita/ita_attr_device_id.h>
+
+#include <tncif_names.h>
+#include <tncif_pa_subtypes.h>
+
+#include <pen/pen.h>
+#include <utils/debug.h>
+
+typedef struct private_imv_os_agent_t private_imv_os_agent_t;
+typedef enum imv_os_attr_t imv_os_attr_t;
+
+/* Subscribed PA-TNC message subtypes */
+static pen_type_t msg_types[] = {
+	{ PEN_IETF, PA_SUBTYPE_IETF_OPERATING_SYSTEM }
+};
+
+static char unknown_source_str[] = "install_non_market_apps";
+
+/**
+ * Flag set when corresponding attribute has been received
+ */
+enum imv_os_attr_t {
+	IMV_OS_ATTR_PRODUCT_INFORMATION =         (1<<0),
+	IMV_OS_ATTR_STRING_VERSION =              (1<<1),
+	IMV_OS_ATTR_NUMERIC_VERSION =             (1<<2),
+	IMV_OS_ATTR_OPERATIONAL_STATUS =          (1<<3),
+	IMV_OS_ATTR_FORWARDING_ENABLED =          (1<<4),
+	IMV_OS_ATTR_FACTORY_DEFAULT_PWD_ENABLED = (1<<5),
+	IMV_OS_ATTR_DEVICE_ID =                   (1<<6),
+	IMV_OS_ATTR_MUST =                        (1<<7)-1,
+	IMV_OS_ATTR_INSTALLED_PACKAGES =          (1<<7),
+	IMV_OS_ATTR_SETTINGS =                    (1<<8)
+};
+
+/**
+ * Private data of an imv_os_agent_t object.
+ */
+struct private_imv_os_agent_t {
+
+	/**
+	 * Public members of imv_os_agent_t
+	 */
+	imv_agent_if_t public;
+
+	/**
+	 * IMV agent responsible for generic functions
+	 */
+	imv_agent_t *agent;
+
+	/**
+	 * IMV OS database
+	 */
+	imv_os_database_t *db;
+
+};
+
+METHOD(imv_agent_if_t, bind_functions, TNC_Result,
+	private_imv_os_agent_t *this, TNC_TNCS_BindFunctionPointer bind_function)
+{
+	return this->agent->bind_functions(this->agent, bind_function);
+}
+
+METHOD(imv_agent_if_t, notify_connection_change, TNC_Result,
+	private_imv_os_agent_t *this, TNC_ConnectionID id,
+	TNC_ConnectionState new_state)
+{
+	TNC_IMV_Action_Recommendation rec;
+	imv_state_t *state;
+	imv_session_t *session;
+
+	switch (new_state)
+	{
+		case TNC_CONNECTION_STATE_CREATE:
+			state = imv_os_state_create(id);
+			return this->agent->create_state(this->agent, state);
+		case TNC_CONNECTION_STATE_DELETE:
+			return this->agent->delete_state(this->agent, id);
+		case TNC_CONNECTION_STATE_ACCESS_ALLOWED:
+		case TNC_CONNECTION_STATE_ACCESS_ISOLATED:
+		case TNC_CONNECTION_STATE_ACCESS_NONE:
+			if (imcv_db && this->agent->get_state(this->agent, id, &state))
+			{
+				switch (new_state)
+				{
+					case TNC_CONNECTION_STATE_ACCESS_ALLOWED:
+						rec = TNC_IMV_ACTION_RECOMMENDATION_ALLOW;
+						break;
+					case TNC_CONNECTION_STATE_ACCESS_ISOLATED:
+						rec = TNC_IMV_ACTION_RECOMMENDATION_ISOLATE;
+						break;
+					case TNC_CONNECTION_STATE_ACCESS_NONE:
+					default:
+						rec = TNC_IMV_ACTION_RECOMMENDATION_NO_ACCESS;
+				}
+				session = state->get_session(state);
+				imcv_db->add_recommendation(imcv_db, session, rec);
+				imcv_db->policy_script(imcv_db, session, FALSE);
+			}
+			/* fall through to default state */
+		default:
+			return this->agent->change_state(this->agent, id, new_state, NULL);
+	}
+}
+
+/**
+ * Process a received message
+ */
+static TNC_Result receive_msg(private_imv_os_agent_t *this, imv_state_t *state,
+							  imv_msg_t *in_msg)
+{
+	imv_msg_t *out_msg;
+	imv_os_state_t *os_state;
+	enumerator_t *enumerator;
+	pa_tnc_attr_t *attr;
+	pen_type_t type;
+	TNC_Result result;
+	chunk_t os_name = chunk_empty;
+	chunk_t os_version = chunk_empty;
+	bool fatal_error = FALSE, assessment = FALSE;
+
+	os_state = (imv_os_state_t*)state;
+
+	/* parse received PA-TNC message and handle local and remote errors */
+	result = in_msg->receive(in_msg, &fatal_error);
+	if (result != TNC_RESULT_SUCCESS)
+	{
+		return result;
+	}
+
+	out_msg = imv_msg_create_as_reply(in_msg);
+
+	/* analyze PA-TNC attributes */
+	enumerator = in_msg->create_attribute_enumerator(in_msg);
+	while (enumerator->enumerate(enumerator, &attr))
+	{
+		type = attr->get_type(attr);
+
+		if (type.vendor_id == PEN_IETF)
+		{
+			switch (type.type)
+			{
+				case IETF_ATTR_PRODUCT_INFORMATION:
+				{
+					ietf_attr_product_info_t *attr_cast;
+					pen_t vendor_id;
+
+					state->set_action_flags(state,
+											IMV_OS_ATTR_PRODUCT_INFORMATION);
+					attr_cast = (ietf_attr_product_info_t*)attr;
+					os_name = attr_cast->get_info(attr_cast, &vendor_id, NULL);
+					if (vendor_id != PEN_IETF)
+					{
+						DBG1(DBG_IMV, "operating system name is '%.*s' "
+									  "from vendor %N", os_name.len, os_name.ptr,
+									   pen_names, vendor_id);
+					}
+					else
+					{
+						DBG1(DBG_IMV, "operating system name is '%.*s'",
+									   os_name.len, os_name.ptr);
+					}
+					break;
+				}
+				case IETF_ATTR_STRING_VERSION:
+				{
+					ietf_attr_string_version_t *attr_cast;
+
+					state->set_action_flags(state,
+											IMV_OS_ATTR_STRING_VERSION);
+					attr_cast = (ietf_attr_string_version_t*)attr;
+					os_version = attr_cast->get_version(attr_cast, NULL, NULL);
+					if (os_version.len)
+					{
+						DBG1(DBG_IMV, "operating system version is '%.*s'",
+									   os_version.len, os_version.ptr);
+					}
+					break;
+				}
+				case IETF_ATTR_NUMERIC_VERSION:
+				{
+					ietf_attr_numeric_version_t *attr_cast;
+					u_int32_t major, minor;
+
+					state->set_action_flags(state,
+											IMV_OS_ATTR_NUMERIC_VERSION);
+					attr_cast = (ietf_attr_numeric_version_t*)attr;
+					attr_cast->get_version(attr_cast, &major, &minor);
+					DBG1(DBG_IMV, "operating system numeric version is %d.%d",
+								   major, minor);
+					break;
+				}
+				case IETF_ATTR_OPERATIONAL_STATUS:
+				{
+					ietf_attr_op_status_t *attr_cast;
+					op_status_t op_status;
+					op_result_t op_result;
+					time_t last_boot;
+
+					state->set_action_flags(state,
+											IMV_OS_ATTR_OPERATIONAL_STATUS);
+					attr_cast = (ietf_attr_op_status_t*)attr;
+					op_status = attr_cast->get_status(attr_cast);
+					op_result = attr_cast->get_result(attr_cast);
+					last_boot = attr_cast->get_last_use(attr_cast);
+					DBG1(DBG_IMV, "operational status: %N, result: %N",
+						 op_status_names, op_status, op_result_names, op_result);
+					DBG1(DBG_IMV, "last boot: %T", &last_boot, TRUE);
+					break;
+				}
+				case IETF_ATTR_FORWARDING_ENABLED:
+				{
+					ietf_attr_fwd_enabled_t *attr_cast;
+					os_fwd_status_t fwd_status;
+
+					state->set_action_flags(state,
+											IMV_OS_ATTR_FORWARDING_ENABLED);
+					attr_cast = (ietf_attr_fwd_enabled_t*)attr;
+					fwd_status = attr_cast->get_status(attr_cast);
+					DBG1(DBG_IMV, "IPv4 forwarding is %N",
+								   os_fwd_status_names, fwd_status);
+					if (fwd_status == OS_FWD_ENABLED)
+					{
+						os_state->set_os_settings(os_state,
+											OS_SETTINGS_FWD_ENABLED);
+					}
+					break;
+				}
+				case IETF_ATTR_FACTORY_DEFAULT_PWD_ENABLED:
+				{
+					ietf_attr_default_pwd_enabled_t *attr_cast;
+					bool default_pwd_status;
+
+					state->set_action_flags(state,
+									IMV_OS_ATTR_FACTORY_DEFAULT_PWD_ENABLED);
+					attr_cast = (ietf_attr_default_pwd_enabled_t*)attr;
+					default_pwd_status = attr_cast->get_status(attr_cast);
+					DBG1(DBG_IMV, "factory default password is %sabled",
+								   default_pwd_status ? "en":"dis");
+					if (default_pwd_status)
+					{
+						os_state->set_os_settings(os_state,
+											OS_SETTINGS_DEFAULT_PWD_ENABLED);
+					}
+					break;
+				}
+				case IETF_ATTR_INSTALLED_PACKAGES:
+				{
+					ietf_attr_installed_packages_t *attr_cast;
+					enumerator_t *e;
+					status_t status;
+
+					state->set_action_flags(state,
+											IMV_OS_ATTR_INSTALLED_PACKAGES);
+					if (!this->db)
+					{
+						break;
+					}
+					attr_cast = (ietf_attr_installed_packages_t*)attr;
+
+					e = attr_cast->create_enumerator(attr_cast);
+					status = this->db->check_packages(this->db, os_state, e);
+					e->destroy(e);
+
+					if (status == FAILED)
+					{
+						state->set_recommendation(state,
+								TNC_IMV_ACTION_RECOMMENDATION_NO_RECOMMENDATION,
+								TNC_IMV_EVALUATION_RESULT_ERROR);
+						assessment = TRUE;
+					}
+					break;
+				}
+				default:
+					break;
+			}
+		}
+		else if (type.vendor_id == PEN_ITA)
+		{
+			switch (type.type)
+			{
+				case ITA_ATTR_SETTINGS:
+				{
+					ita_attr_settings_t *attr_cast;
+					enumerator_t *e;
+					char *name;
+					chunk_t value;
+
+					state->set_action_flags(state, IMV_OS_ATTR_SETTINGS);
+
+					attr_cast = (ita_attr_settings_t*)attr;
+					e = attr_cast->create_enumerator(attr_cast);
+					while (e->enumerate(e, &name, &value))
+					{
+						if (streq(name, unknown_source_str) &&
+							chunk_equals(value, chunk_from_chars('1')))
+						{
+							os_state->set_os_settings(os_state,
+												OS_SETTINGS_UNKNOWN_SOURCE);
+						}
+						DBG1(DBG_IMV, "setting '%s'\n  %.*s",
+							 name, value.len, value.ptr);
+					}
+					e->destroy(e);
+					break;
+				}
+				case ITA_ATTR_DEVICE_ID:
+				{
+					chunk_t value;
+
+					state->set_action_flags(state, IMV_OS_ATTR_DEVICE_ID);
+
+					value = attr->get_value(attr);
+					os_state->set_device_id(os_state, value);
+					DBG1(DBG_IMV, "device ID is %.*s", value.len, value.ptr);
+					break;
+				}
+				case ITA_ATTR_START_ANGEL:
+					os_state->set_angel_count(os_state, TRUE);
+					break;
+				case ITA_ATTR_STOP_ANGEL:
+					os_state->set_angel_count(os_state, FALSE);
+					break;
+				default:
+					break;
+			}
+		}
+	}
+	enumerator->destroy(enumerator);
+
+	/**
+	 * The IETF Product Information and String Version attributes
+	 * are supposed to arrive in the same PA-TNC message
+	 */
+	if (os_name.len && os_version.len)
+	{
+		os_type_t os_type;
+
+		/* set the OS type, name and version */
+		os_type = os_type_from_name(os_name);
+		os_state->set_info(os_state,os_type, os_name, os_version);
+
+		if (imcv_db)
+		{
+			imcv_db->add_product(imcv_db, state->get_session(state),
+					os_state->get_info(os_state, NULL, NULL, NULL));
+		}
+	}
+
+	if (fatal_error)
+	{
+		state->set_recommendation(state,
+								TNC_IMV_ACTION_RECOMMENDATION_NO_RECOMMENDATION,
+								TNC_IMV_EVALUATION_RESULT_ERROR);
+		assessment = TRUE;
+	}
+
+	if (assessment)
+	{
+		os_state->set_handshake_state(os_state, IMV_OS_STATE_END);
+		result = out_msg->send_assessment(out_msg);
+		out_msg->destroy(out_msg);
+		if (result != TNC_RESULT_SUCCESS)
+		{
+			return result;
+		}
+		return this->agent->provide_recommendation(this->agent, state);
+	}
+
+	/* send PA-TNC message with excl flag set */
+	result = out_msg->send(out_msg, TRUE);
+	out_msg->destroy(out_msg);
+
+	return result;
+ }
+
+METHOD(imv_agent_if_t, receive_message, TNC_Result,
+	private_imv_os_agent_t *this, TNC_ConnectionID id,
+	TNC_MessageType msg_type, chunk_t msg)
+{
+	imv_state_t *state;
+	imv_msg_t *in_msg;
+	TNC_Result result;
+
+	if (!this->agent->get_state(this->agent, id, &state))
+	{
+		return TNC_RESULT_FATAL;
+	}
+	in_msg = imv_msg_create_from_data(this->agent, state, id, msg_type, msg);
+	result = receive_msg(this, state, in_msg);
+	in_msg->destroy(in_msg);
+
+	return result;
+}
+
+METHOD(imv_agent_if_t, receive_message_long, TNC_Result,
+	private_imv_os_agent_t *this, TNC_ConnectionID id,
+	TNC_UInt32 src_imc_id, TNC_UInt32 dst_imv_id,
+	TNC_VendorID msg_vid, TNC_MessageSubtype msg_subtype, chunk_t msg)
+{
+	imv_state_t *state;
+	imv_msg_t *in_msg;
+	TNC_Result result;
+
+	if (!this->agent->get_state(this->agent, id, &state))
+	{
+		return TNC_RESULT_FATAL;
+	}
+	in_msg = imv_msg_create_from_long_data(this->agent, state, id,
+					src_imc_id, dst_imv_id, msg_vid, msg_subtype, msg);
+	result = receive_msg(this, state, in_msg);
+	in_msg->destroy(in_msg);
+
+	return result;
+
+}
+
+/**
+ * Build an IETF Attribute Request attribute for missing attributes
+ */
+static pa_tnc_attr_t* build_attr_request(u_int32_t received)
+{
+	pa_tnc_attr_t *attr;
+	ietf_attr_attr_request_t *attr_cast;
+
+	attr = ietf_attr_attr_request_create(PEN_RESERVED, 0);
+	attr_cast = (ietf_attr_attr_request_t*)attr;
+
+	if (!(received & IMV_OS_ATTR_PRODUCT_INFORMATION) ||
+		!(received & IMV_OS_ATTR_STRING_VERSION))
+	{
+		attr_cast->add(attr_cast, PEN_IETF, IETF_ATTR_PRODUCT_INFORMATION);
+		attr_cast->add(attr_cast, PEN_IETF, IETF_ATTR_STRING_VERSION);
+	}
+	if (!(received & IMV_OS_ATTR_NUMERIC_VERSION))
+	{
+		attr_cast->add(attr_cast, PEN_IETF, IETF_ATTR_NUMERIC_VERSION);
+	}
+	if (!(received & IMV_OS_ATTR_OPERATIONAL_STATUS))
+	{
+		attr_cast->add(attr_cast, PEN_IETF, IETF_ATTR_OPERATIONAL_STATUS);
+	}
+	if (!(received & IMV_OS_ATTR_FORWARDING_ENABLED))
+	{
+		attr_cast->add(attr_cast, PEN_IETF, IETF_ATTR_FORWARDING_ENABLED);
+	}
+	if (!(received & IMV_OS_ATTR_FACTORY_DEFAULT_PWD_ENABLED))
+	{
+		attr_cast->add(attr_cast, PEN_IETF,
+								  IETF_ATTR_FACTORY_DEFAULT_PWD_ENABLED);
+	}
+	if (!(received & IMV_OS_ATTR_DEVICE_ID))
+	{
+		attr_cast->add(attr_cast, PEN_ITA,  ITA_ATTR_DEVICE_ID);
+	}
+
+	return attr;
+}
+
+METHOD(imv_agent_if_t, batch_ending, TNC_Result,
+	private_imv_os_agent_t *this, TNC_ConnectionID id)
+{
+	imv_msg_t *out_msg;
+	imv_state_t *state;
+	imv_session_t *session;
+	imv_workitem_t *workitem;
+	imv_os_state_t *os_state;
+	imv_os_handshake_state_t handshake_state;
+	pa_tnc_attr_t *attr;
+	TNC_IMVID imv_id;
+	TNC_Result result = TNC_RESULT_SUCCESS;
+	bool no_workitems = TRUE;
+	enumerator_t *enumerator;
+	u_int32_t received;
+
+	if (!this->agent->get_state(this->agent, id, &state))
+	{
+		return TNC_RESULT_FATAL;
+	}
+	os_state = (imv_os_state_t*)state;
+	handshake_state = os_state->get_handshake_state(os_state);
+	received = state->get_action_flags(state);
+	session = state->get_session(state);
+	imv_id = this->agent->get_id(this->agent);
+
+	if (handshake_state == IMV_OS_STATE_END)
+	{
+		return TNC_RESULT_SUCCESS;
+	}
+
+	/* create an empty out message - we might need it */
+	out_msg = imv_msg_create(this->agent, state, id, imv_id, TNC_IMCID_ANY,
+							 msg_types[0]);
+
+	if (handshake_state == IMV_OS_STATE_INIT)
+	{
+		if ((received & IMV_OS_ATTR_MUST) != IMV_OS_ATTR_MUST)
+		{
+			/* create attribute request for missing mandatory attributes */
+			out_msg->add_attribute(out_msg, build_attr_request(received));
+		}
+	}
+
+	if (handshake_state < IMV_OS_STATE_POLICY_START)
+	{
+		if (((received & IMV_OS_ATTR_PRODUCT_INFORMATION) &&
+			 (received & IMV_OS_ATTR_STRING_VERSION)) &&
+			((received & IMV_OS_ATTR_DEVICE_ID) ||
+			 (handshake_state == IMV_OS_STATE_ATTR_REQ)))
+		{
+			if (imcv_db)
+			{
+				imcv_db->add_device(imcv_db, session,
+								os_state->get_device_id(os_state));
+
+				/* trigger the policy manager */
+				imcv_db->policy_script(imcv_db, session, TRUE);
+			}
+			else
+			{
+				DBG2(DBG_IMV, "no workitems available - no evaluation possible");
+				state->set_recommendation(state,
+								TNC_IMV_ACTION_RECOMMENDATION_ALLOW,
+								TNC_IMV_EVALUATION_RESULT_DONT_KNOW);
+			}
+			handshake_state = IMV_OS_STATE_POLICY_START;
+		}
+		else if (handshake_state == IMV_OS_STATE_ATTR_REQ)
+		{
+			/**
+			 * both the IETF Product Information and IETF String Version
+			 * attribute should have been present
+			 */
+			state->set_recommendation(state,
+								TNC_IMV_ACTION_RECOMMENDATION_NO_RECOMMENDATION,
+								TNC_IMV_EVALUATION_RESULT_ERROR);
+
+			/* send assessment */
+			result = out_msg->send_assessment(out_msg);
+			out_msg->destroy(out_msg);
+
+			if (result != TNC_RESULT_SUCCESS)
+			{
+				return result;
+			}  
+			return this->agent->provide_recommendation(this->agent, state);
+		}
+		else
+		{
+			handshake_state = IMV_OS_STATE_ATTR_REQ;
+		}
+		os_state->set_handshake_state(os_state, handshake_state);
+	}
+
+	if (handshake_state == IMV_OS_STATE_POLICY_START && session)
+	{
+		enumerator = session->create_workitem_enumerator(session);
+		if (enumerator)
+		{
+			while (enumerator->enumerate(enumerator, &workitem))
+			{
+				if (workitem->get_imv_id(workitem) != TNC_IMVID_ANY)
+				{
+					continue;
+				}
+
+				switch (workitem->get_type(workitem))
+				{
+					case IMV_WORKITEM_PACKAGES:
+						attr = ietf_attr_attr_request_create(PEN_IETF,
+										IETF_ATTR_INSTALLED_PACKAGES);
+						out_msg->add_attribute(out_msg, attr);
+						break;
+					case IMV_WORKITEM_UNKNOWN_SOURCE:
+						attr = ita_attr_get_settings_create(unknown_source_str);
+						out_msg->add_attribute(out_msg, attr);
+						break;
+					case IMV_WORKITEM_FORWARDING:
+					case IMV_WORKITEM_DEFAULT_PWD:
+						break;
+					default:
+						continue;
+				}
+				workitem->set_imv_id(workitem, imv_id);
+				no_workitems = FALSE;
+			}
+			enumerator->destroy(enumerator);
+
+			if (no_workitems)
+			{
+				DBG2(DBG_IMV, "IMV %d has no workitems - "
+							  "no evaluation requested", imv_id);
+				state->set_recommendation(state,
+								TNC_IMV_ACTION_RECOMMENDATION_ALLOW,
+								TNC_IMV_EVALUATION_RESULT_DONT_KNOW);
+			}
+			handshake_state = IMV_OS_STATE_WORKITEMS;
+			os_state->set_handshake_state(os_state, handshake_state);
+		}
+	}
+
+	if (handshake_state == IMV_OS_STATE_WORKITEMS && session)
+	{
+		TNC_IMV_Evaluation_Result eval;
+		TNC_IMV_Action_Recommendation rec;
+		char result_str[BUF_LEN];
+		bool fail;
+
+		enumerator = session->create_workitem_enumerator(session);
+		while (enumerator->enumerate(enumerator, &workitem))
+		{
+			if (workitem->get_imv_id(workitem) != imv_id)
+			{
+				continue;
+			}
+			eval = TNC_IMV_EVALUATION_RESULT_DONT_KNOW;
+
+			switch (workitem->get_type(workitem))
+			{
+				case IMV_WORKITEM_PACKAGES:
+				{
+					int count, count_update, count_blacklist, count_ok;
+
+					if (!(received & IMV_OS_ATTR_INSTALLED_PACKAGES) ||
+						os_state->get_angel_count(os_state))
+					{
+						continue;
+					}
+					os_state->get_count(os_state, &count, &count_update,
+										&count_blacklist, &count_ok);
+					fail = count_update || count_blacklist;
+					eval = fail ? TNC_IMV_EVALUATION_RESULT_NONCOMPLIANT_MINOR :
+								  TNC_IMV_EVALUATION_RESULT_COMPLIANT;
+					snprintf(result_str, BUF_LEN, "processed %d packages: "
+							"%d not updated, %d blacklisted, %d ok, "
+							"%d not found",
+							count, count_update, count_blacklist, count_ok,
+							count - count_update - count_blacklist - count_ok);
+					break;
+				}
+				case IMV_WORKITEM_UNKNOWN_SOURCE:
+					if (!(received & IMV_OS_ATTR_SETTINGS))
+					{
+						continue;
+					}
+					fail = os_state->get_os_settings(os_state) &
+								OS_SETTINGS_UNKNOWN_SOURCE;
+					eval = fail ? TNC_IMV_EVALUATION_RESULT_NONCOMPLIANT_MINOR :
+								  TNC_IMV_EVALUATION_RESULT_COMPLIANT;
+					snprintf(result_str, BUF_LEN, "unknown sources%s enabled",
+							 fail ? "" : " not");
+					break;					
+				case IMV_WORKITEM_FORWARDING:
+					if (!(received & IMV_OS_ATTR_FORWARDING_ENABLED))
+					{
+						continue;
+					}
+					fail = os_state->get_os_settings(os_state) &
+								OS_SETTINGS_FWD_ENABLED;
+					eval = fail ? TNC_IMV_EVALUATION_RESULT_NONCOMPLIANT_MAJOR :
+								  TNC_IMV_EVALUATION_RESULT_COMPLIANT;
+					snprintf(result_str, BUF_LEN, "forwarding%s enabled",
+							 fail ? "" : " not");
+					break;
+				case IMV_WORKITEM_DEFAULT_PWD:
+					if (!(received & IMV_OS_ATTR_FACTORY_DEFAULT_PWD_ENABLED))
+					{
+						continue;
+					}
+					fail = os_state->get_os_settings(os_state) &
+								OS_SETTINGS_DEFAULT_PWD_ENABLED;
+					eval = fail ? TNC_IMV_EVALUATION_RESULT_NONCOMPLIANT_MAJOR :
+								  TNC_IMV_EVALUATION_RESULT_COMPLIANT;
+					snprintf(result_str, BUF_LEN, "factory default password%s enabled",
+							 fail ? "" : " not");
+					break;
+				default:
+					continue;
+			}
+			if (eval != TNC_IMV_EVALUATION_RESULT_DONT_KNOW)
+			{
+				session->remove_workitem(session, enumerator);
+				rec = workitem->set_result(workitem, result_str, eval);
+				state->update_recommendation(state, rec, eval);
+				imcv_db->finalize_workitem(imcv_db, workitem);
+				workitem->destroy(workitem);
+			}
+		}
+		enumerator->destroy(enumerator);
+
+		/* finalized all workitems ? */
+		if (session->get_workitem_count(session, imv_id) == 0)
+		{
+			os_state->set_handshake_state(os_state, IMV_OS_STATE_END);
+
+			result = out_msg->send_assessment(out_msg);
+			out_msg->destroy(out_msg);
+			if (result != TNC_RESULT_SUCCESS)
+			{
+				return result;
+			}
+			return this->agent->provide_recommendation(this->agent, state);
+		}		
+	}
+
+	/* send non-empty PA-TNC message with excl flag not set */
+	if (out_msg->get_attribute_count(out_msg))
+	{
+		result = out_msg->send(out_msg, FALSE);
+	}
+	out_msg->destroy(out_msg);
+
+	return result;
+}
+
+METHOD(imv_agent_if_t, solicit_recommendation, TNC_Result,
+	private_imv_os_agent_t *this, TNC_ConnectionID id)
+{
+	imv_state_t *state;
+
+	if (!this->agent->get_state(this->agent, id, &state))
+	{
+		return TNC_RESULT_FATAL;
+	}
+	return this->agent->provide_recommendation(this->agent, state);
+}
+
+METHOD(imv_agent_if_t, destroy, void,
+	private_imv_os_agent_t *this)
+{
+	DESTROY_IF(this->agent);
+	DESTROY_IF(this->db);
+	free(this);
+}
+
+/**
+ * Described in header.
+ */
+imv_agent_if_t *imv_os_agent_create(const char *name, TNC_IMVID id,
+									TNC_Version *actual_version)
+{
+	private_imv_os_agent_t *this;
+
+	INIT(this,
+		.public = {
+			.bind_functions = _bind_functions,
+			.notify_connection_change = _notify_connection_change,
+			.receive_message = _receive_message,
+			.receive_message_long = _receive_message_long,
+			.batch_ending = _batch_ending,
+			.solicit_recommendation = _solicit_recommendation,
+			.destroy = _destroy,
+		},
+		.agent = imv_agent_create(name, msg_types, countof(msg_types), id,
+								 actual_version),
+		.db = imv_os_database_create(imcv_db),
+	);
+
+	if (!this->agent)
+	{
+		destroy(this);
+		return NULL;
+	}
+	return &this->public;
+}
+
diff --git a/src/libimcv/plugins/imv_os/imv_os_agent.h b/src/libimcv/plugins/imv_os/imv_os_agent.h
new file mode 100644
index 000000000..cec1b1f20
--- /dev/null
+++ b/src/libimcv/plugins/imv_os/imv_os_agent.h
@@ -0,0 +1,36 @@
+/*
+ * Copyright (C) 2013 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup imv_os_agent_t imv_os_agent
+ * @{ @ingroup imv_os
+ */
+
+#ifndef IMV_OS_AGENT_H_
+#define IMV_OS_AGENT_H_
+
+#include <imv/imv_agent_if.h>
+
+/**
+ * Creates an OS IMV agent
+ *
+ * @param name					Name of the IMV
+ * @param id					ID of the IMV
+ * @param actual_version		TNC IF-IMV version
+ */
+imv_agent_if_t* imv_os_agent_create(const char* name, TNC_IMVID id,
+									TNC_Version *actual_version);
+
+#endif /** IMV_OS_AGENT_H_ @}*/
diff --git a/src/libimcv/plugins/imv_os/imv_os_database.c b/src/libimcv/plugins/imv_os/imv_os_database.c
index a7f9f2eed..d2a08b0fa 100644
--- a/src/libimcv/plugins/imv_os/imv_os_database.c
+++ b/src/libimcv/plugins/imv_os/imv_os_database.c
@@ -44,32 +44,20 @@ METHOD(imv_os_database_t, check_packages, status_t,
 	enumerator_t *package_enumerator)
 {
 	char *product, *package, *release, *cur_release;
-	u_char *pos;
-	chunk_t os_name, os_version, name, version;
+	chunk_t name, version;
 	os_type_t os_type;
-	size_t os_version_len;
-	os_package_state_t package_state;
-	int pid, gid;
+	int pid, gid, security, blacklist;
 	int count = 0, count_ok = 0, count_no_match = 0, count_blacklist = 0;
 	enumerator_t *e;
 	status_t status = SUCCESS;
 	bool found, match;
 
-	state->get_info(state, &os_type, &os_name, &os_version);
+	product = state->get_info(state, &os_type, NULL, NULL);
 
 	if (os_type == OS_TYPE_ANDROID)
 	{
 		/*no package dependency on Android version */
-		product = strdup(enum_to_name(os_type_names, os_type));
-	}
-	else
-	{
-		/* remove appended platform info */
-		pos = memchr(os_version.ptr, ' ', os_version.len);
-		os_version_len = pos ? (pos - os_version.ptr) : os_version.len;
-		product = malloc(os_name.len + 1 + os_version_len + 1);
-		sprintf(product, "%.*s %.*s", (int)os_name.len, os_name.ptr,
-									  (int)os_version_len, os_version.ptr);
+		product = enum_to_name(os_type_names, os_type);
 	}
 	DBG1(DBG_IMV, "processing installed '%s' packages", product);
 
@@ -79,13 +67,11 @@ METHOD(imv_os_database_t, check_packages, status_t,
 				DB_TEXT, product, DB_INT);
 	if (!e)
 	{
-		free(product);
 		return FAILED;
 	}
 	if (!e->enumerate(e, &pid))
 	{
 		e->destroy(e);
-		free(product);
 		return NOT_FOUND;
 	}
 	e->destroy(e);
@@ -102,7 +88,6 @@ METHOD(imv_os_database_t, check_packages, status_t,
 					DB_TEXT, package, DB_INT);
 		if (!e)
 		{
-			free(product);
 			free(package);
 			return FAILED;
 		}
@@ -125,12 +110,11 @@ METHOD(imv_os_database_t, check_packages, status_t,
 
 		/* Enumerate over all acceptable versions */
 		e = this->db->query(this->db,
-				"SELECT release, security FROM versions "
+				"SELECT release, security, blacklist FROM versions "
 				"WHERE product = ? AND package = ?",
-				DB_INT, pid, DB_INT, gid, DB_TEXT, DB_INT);
+				DB_INT, pid, DB_INT, gid, DB_TEXT, DB_INT, DB_INT);
 		if (!e)
 		{
-			free(product);
 			free(package);
 			free(release);
 			return FAILED;
@@ -138,7 +122,7 @@ METHOD(imv_os_database_t, check_packages, status_t,
 		found = FALSE;
 		match = FALSE;
 
-		while (e->enumerate(e, &cur_release, &package_state))
+		while (e->enumerate(e, &cur_release, &security, &blacklist))
 		{
 			found = TRUE;
 			if (streq(release, cur_release) || streq("*", cur_release))
@@ -153,17 +137,18 @@ METHOD(imv_os_database_t, check_packages, status_t,
 		{
 			if (match)
 			{
-				if (package_state == OS_PACKAGE_STATE_BLACKLIST)
+				if (blacklist)
 				{
 					DBG2(DBG_IMV, "package '%s' (%s) is blacklisted",
 								   package, release);
 					count_blacklist++;
-					state->add_bad_package(state, package, package_state);
+					state->add_bad_package(state, package,
+										   OS_PACKAGE_STATE_BLACKLIST);
 				}
 				else
 				{
-					DBG2(DBG_IMV, "package '%s' (%s)%N is ok", package, release,
-								   os_package_state_names, package_state);
+					DBG2(DBG_IMV, "package '%s' (%s)%s is ok", package, release,
+								   security ? " [s]" : "");
 					count_ok++;
 				}
 			}
@@ -171,7 +156,8 @@ METHOD(imv_os_database_t, check_packages, status_t,
 			{
 				DBG1(DBG_IMV, "package '%s' (%s) no match", package, release);
 				count_no_match++;
-				state->add_bad_package(state, package, package_state);
+				state->add_bad_package(state, package,
+									   OS_PACKAGE_STATE_SECURITY);
 			}
 		}
 		else
@@ -181,154 +167,49 @@ METHOD(imv_os_database_t, check_packages, status_t,
 		free(package);
 		free(release);
 	}
-	free(product);
 	state->set_count(state, count, count_no_match, count_blacklist, count_ok);
 
 	return status;
 }
 
-METHOD(imv_os_database_t, get_device_id, int,
-	private_imv_os_database_t *this, chunk_t value)
-{
-	enumerator_t *e;
-	int id;
-
-	/* get primary key of device ID */
-	e = this->db->query(this->db, "SELECT id FROM devices WHERE value = ?",
-						DB_BLOB, value, DB_INT);
-	if (!e)
-	{
-		return 0;
-	}
-	if (e->enumerate(e, &id))
-	{
-		/* device ID already exists in database - return primary key */
-		e->destroy(e);
-		return id;
-	}
-	e->destroy(e);
-
-	/* register new device ID in database and return primary key */
-	return (this->db->execute(this->db, &id,
-			"INSERT INTO devices (value) VALUES (?)", DB_BLOB, value) == 1) ?
-			id : 0;
-}
-
 METHOD(imv_os_database_t, set_device_info, void,
-	private_imv_os_database_t *this,  int device_id, u_int32_t ar_id_type,
-	chunk_t ar_id_value, char *os_info, int count, int count_update,
-	int count_blacklist, u_int flags)
+	private_imv_os_database_t *this,  int session_id, int count,
+	int count_update, int count_blacklist, u_int flags)
 {
-	enumerator_t *e;
-	time_t last_time;
-	int pid = 0, last_pid = 0, iid = 0, last_iid;
-	int last_count_update = 0, last_count_blacklist = 0;
-	u_int last_flags;
-	bool found = FALSE;
-
-	/* get primary key of OS info string if it exists */
-	e = this->db->query(this->db,
-			"SELECT id FROM products WHERE name = ?", DB_TEXT, os_info,
-			 DB_INT);
-	if (e)
-	{
-		e->enumerate(e, &pid);
-		e->destroy(e);
-	}
-
-	/* if OS info string has not been found - register it */
-	if (!pid)
-	{
-		this->db->execute(this->db, &pid,
-			"INSERT INTO products (name) VALUES (?)", DB_TEXT, os_info);
-	}
-
-	/* get primary key of AR identity if it exists */
-	e = this->db->query(this->db,
-			"SELECT id FROM identities WHERE type = ? AND data = ?",
-			 DB_INT,  ar_id_type, DB_BLOB, ar_id_value, DB_INT);
-	if (e)
-	{
-		e->enumerate(e, &iid);
-		e->destroy(e);
-	}
-
-	/* if AR identity has not been found - register it */
-	if (!iid)
-	{
-		this->db->execute(this->db, &iid,
-			"INSERT INTO identities (type, data) VALUES (?, ?)",
-			 DB_INT, ar_id_type, DB_BLOB, ar_id_value);
-	}
-
-	/* get latest device info record if it exists */
-	e = this->db->query(this->db,
-			"SELECT time, ar_id, product, count_update, count_blacklist, flags "
-			"FROM device_infos WHERE device = ? ORDER BY time DESC",
-			 DB_INT, device_id, DB_INT, DB_INT, DB_INT, DB_INT, DB_INT, DB_UINT);
-	if (e)
-	{
-		found = e->enumerate(e, &last_time, &last_iid, &last_pid,
-								&last_count_update, &last_count_blacklist,
-								&last_flags);
-		e->destroy(e);
-	}
-	if (found && !last_count_update && !last_count_blacklist && !last_flags &&
-		iid == last_iid && pid == last_pid)
-	{
-		/* update device info */
-		this->db->execute(this->db, NULL,
-			"UPDATE device_infos SET time = ?, count = ?, count_update = ?, "
-			"count_blacklist = ?, flags = ? WHERE device = ? AND time = ?",
-			 DB_UINT, time(NULL), DB_INT, count, DB_INT, count_update,
-			 DB_INT, count_blacklist, DB_UINT, flags,
-			 DB_INT, device_id, DB_UINT, last_time);
-	}
-	else
-	{
-		/* insert device info */
-		this->db->execute(this->db, NULL,
-			"INSERT INTO device_infos (device, time, ar_id, product, count, "
-			"count_update, count_blacklist, flags) "
-			"VALUES (?, ?, ?, ?, ?, ?, ?, ?)",
-			 DB_INT, device_id, DB_UINT, time(NULL), DB_INT, iid, DB_INT, pid,
-			 DB_INT, count, DB_INT, count_update, DB_INT, count_blacklist,
-			 DB_UINT, flags);
-	}
+	this->db->execute(this->db, NULL,
+			"INSERT INTO device_infos (session, count, count_update, "
+			"count_blacklist, flags) VALUES (?, ?, ?, ?, ?)",
+			 DB_INT, session_id, DB_INT, count, DB_INT, count_update,
+			 DB_INT, count_blacklist, DB_UINT, flags);
 }
 
 METHOD(imv_os_database_t, destroy, void,
 	private_imv_os_database_t *this)
 {
-	this->db->destroy(this->db);
 	free(this);
 }
 
 /**
  * See header
  */
-imv_os_database_t *imv_os_database_create(char *uri)
+imv_os_database_t *imv_os_database_create(imv_database_t *imv_db)
 {
 	private_imv_os_database_t *this;
 
+	if (!imv_db)
+	{
+		return NULL;
+	}
+
 	INIT(this,
 		.public = {
 			.check_packages = _check_packages,
-			.get_device_id = _get_device_id,
 			.set_device_info = _set_device_info,
 			.destroy = _destroy,
 		},
-		.db = lib->db->create(lib->db, uri),
+		.db = imv_db->get_database(imv_db),
 	);
 
-	if (!this->db)
-	{
-		DBG1(DBG_IMV,
-			 "failed to connect to OS database '%s'", uri);
-		free(this);
-		return NULL;
-	}
-
 	return &this->public;
 }
 
diff --git a/src/libimcv/plugins/imv_os/imv_os_database.h b/src/libimcv/plugins/imv_os/imv_os_database.h
index 01d7e84a2..7b9ef3c33 100644
--- a/src/libimcv/plugins/imv_os/imv_os_database.h
+++ b/src/libimcv/plugins/imv_os/imv_os_database.h
@@ -22,6 +22,7 @@
 #define IMV_OS_DATABASE_H_
 
 #include "imv_os_state.h"
+#include "imv/imv_database.h"
 
 #include <library.h>
 
@@ -42,32 +43,20 @@ struct imv_os_database_t {
 							   enumerator_t *package_enumerator);
 
 	/**
-	* Get the primary database key of the device ID
-	*
-	* @param value					Device ID value
-	*/
-	int (*get_device_id)(imv_os_database_t *this, chunk_t value);
-
-	/**
-	* Set health infos for a given  device
-	*
-	* @param device_id				Device ID primary key
-	* @param ar_id_type				Access Requestor ID Type
-	* @param ar_id_value			Access Requestor ID Value
-	* @param os_info				OS info string
-	* @param count					Number of installed packages
-	* @param count_update			Number of packages to be updated
-	* @param count_blacklist		Number of blacklisted packages
-	* @param flags					Various flags, e.g. illegal OS settings
-	*/
-	void (*set_device_info)(imv_os_database_t *this, int device_id,
-							u_int32_t ar_id_type, chunk_t ar_id_value,
-							char *os_info, int count, int count_update,
-							int count_blacklist, u_int flags);
+	 * Set health infos for a given  device
+	 *
+	 * @param sesson_id				Session ID
+	 * @param count					Number of installed packages
+	 * @param count_update			Number of packages to be updated
+	 * @param count_blacklist		Number of blacklisted packages
+	 * @param flags					Various flags, e.g. illegal OS settings
+	 */
+	void (*set_device_info)(imv_os_database_t *this, int session_id, int count,
+							int count_update, int count_blacklist, u_int flags);
 
 	/**
-	* Destroys an imv_os_database_t object.
-	*/
+	 * Destroys an imv_os_database_t object.
+	 */
 	void (*destroy)(imv_os_database_t *this);
 
 };
@@ -75,8 +64,8 @@ struct imv_os_database_t {
 /**
  * Create an imv_os_database_t instance
  *
- * @param uri			database uri
+ * @param imv_db			Already attached IMV database
  */
-imv_os_database_t* imv_os_database_create(char *uri);
+imv_os_database_t* imv_os_database_create(imv_database_t *imv_db);
 
 #endif /** IMV_OS_DATABASE_H_ @}*/
diff --git a/src/libimcv/plugins/imv_os/imv_os_state.c b/src/libimcv/plugins/imv_os/imv_os_state.c
index 073d7133a..f6d904c3c 100644
--- a/src/libimcv/plugins/imv_os/imv_os_state.c
+++ b/src/libimcv/plugins/imv_os/imv_os_state.c
@@ -14,10 +14,13 @@
  */
 
 #include "imv_os_state.h"
+
 #include "imv/imv_lang_string.h"
 #include "imv/imv_reason_string.h"
 #include "imv/imv_remediation_string.h"
 
+#include <tncif_policy.h>
+
 #include <utils/debug.h>
 #include <collections/linked_list.h>
 
@@ -61,6 +64,11 @@ struct private_imv_os_state_t {
 	 */
 	u_int32_t max_msg_len;
 
+	/**
+	 * Flags set for completed actions
+	 */
+	u_int32_t action_flags;
+
 	/**
 	 * Access Requestor ID Type
 	 */
@@ -71,6 +79,11 @@ struct private_imv_os_state_t {
 	 */
 	chunk_t ar_id_value;
 
+	/**
+	 * IMV database session associated with TNCCS connection
+	 */
+	imv_session_t *session;
+
 	/**
 	 * IMV action recommendation
 	 */
@@ -81,6 +94,11 @@ struct private_imv_os_state_t {
 	 */
 	TNC_IMV_Evaluation_Result eval;
 
+	/**
+	 * IMV OS handshake state
+	 */
+	imv_os_handshake_state_t handshake_state;
+
 	/**
 	 * OS Product Information (concatenation of OS Name and Version)
 	 */
@@ -122,9 +140,9 @@ struct private_imv_os_state_t {
 	imv_remediation_string_t *remediation_string;
 
 	/**
-	 * Primary database key of device ID
+	 * Dgevice ID
 	 */
-	int device_id;
+	chunk_t device_id;
 
 	/**
 	 * Number of processed packages
@@ -146,16 +164,6 @@ struct private_imv_os_state_t {
 	 */
 	int count_ok;
 
-	/**
-	 * Attribute request sent - mandatory response expected
-	 */
-	bool attribute_request;
-
-	/**
-	 * OS Installed Package request sent - mandatory response expected
-	 */
-	bool package_request;
-
 	/**
 	 * OS Settings
 	 */
@@ -276,16 +284,16 @@ static imv_lang_string_t instr_default_pwd_enabled_descr[] = {
 };
 
 /**
- * Instruction strings for  "Install Non-Market Apps"
+ * Instruction strings for  "Unknown Source"
  */
-static imv_lang_string_t instr_non_market_apps_title[] = {
+static imv_lang_string_t instr_unknown_source_title[] = {
 	{ "en", "Unknown Software Origin" },
 	{ "de", "Unbekannte Softwareherkunft" },
 	{ "pl", "Nieznane pochodzenie softwaru" },
 	{ NULL, NULL }
 };
 
-static imv_lang_string_t instr_non_market_apps_descr[] = {
+static imv_lang_string_t instr_unknown_source_descr[] = {
 	{ "en", "Do not allow the installation of apps from unknown sources" },
 	{ "de", "Erlauben Sie nicht die Installation von Apps aus unbekannten Quellen" },
 	{ "pl", "Proszę nie dopuszczać do instalacji Apps z nieznanych źródeł" },
@@ -329,6 +337,18 @@ METHOD(imv_state_t, get_max_msg_len, u_int32_t,
 	return this->max_msg_len;
 }
 
+METHOD(imv_state_t, set_action_flags, void,
+	private_imv_os_state_t *this, u_int32_t flags)
+{
+	this->action_flags |= flags;
+}
+
+METHOD(imv_state_t, get_action_flags, u_int32_t,
+	private_imv_os_state_t *this)
+{
+	return this->action_flags;
+}
+
 METHOD(imv_state_t, set_ar_id, void,
 	private_imv_os_state_t *this, u_int32_t id_type, chunk_t id_value)
 {
@@ -346,15 +366,21 @@ METHOD(imv_state_t, get_ar_id, chunk_t,
 	return this->ar_id_value;
 }
 
-METHOD(imv_state_t, change_state, void,
-	private_imv_os_state_t *this, TNC_ConnectionState new_state)
+METHOD(imv_state_t, set_session, void,
+	private_imv_os_state_t *this, imv_session_t *session)
 {
-	this->state = new_state;
+	this->session = session;
+}
+
+METHOD(imv_state_t, get_session, imv_session_t*,
+	private_imv_os_state_t *this)
+{
+	return this->session;
 }
 
 METHOD(imv_state_t, get_recommendation, void,
 	private_imv_os_state_t *this, TNC_IMV_Action_Recommendation *rec,
-									TNC_IMV_Evaluation_Result *eval)
+								  TNC_IMV_Evaluation_Result *eval)
 {
 	*rec = this->rec;
 	*eval = this->eval;
@@ -362,12 +388,26 @@ METHOD(imv_state_t, get_recommendation, void,
 
 METHOD(imv_state_t, set_recommendation, void,
 	private_imv_os_state_t *this, TNC_IMV_Action_Recommendation rec,
-									TNC_IMV_Evaluation_Result eval)
+								  TNC_IMV_Evaluation_Result eval)
 {
 	this->rec = rec;
 	this->eval = eval;
 }
 
+METHOD(imv_state_t, update_recommendation, void,
+	private_imv_os_state_t *this, TNC_IMV_Action_Recommendation rec,
+								  TNC_IMV_Evaluation_Result eval)
+{
+	this->rec  = tncif_policy_update_recommendation(this->rec, rec);
+	this->eval = tncif_policy_update_evaluation(this->eval, eval);
+}
+
+METHOD(imv_state_t, change_state, void,
+	private_imv_os_state_t *this, TNC_ConnectionState new_state)
+{
+	this->state = new_state;
+}
+
 METHOD(imv_state_t, get_reason_string, bool,
 	private_imv_os_state_t *this, enumerator_t *language_enumerator,
 	chunk_t *reason_string, char **reason_language)
@@ -445,11 +485,11 @@ METHOD(imv_state_t, get_remediation_instructions, bool,
 							instr_default_pwd_enabled_title,
 							instr_default_pwd_enabled_descr, NULL, NULL);
 	}
-	if (this->os_settings & OS_SETTINGS_NON_MARKET_APPS)
+	if (this->os_settings & OS_SETTINGS_UNKNOWN_SOURCE)
 	{
 		this->remediation_string->add_instruction(this->remediation_string,
-							instr_non_market_apps_title,
-							instr_non_market_apps_descr, NULL, NULL);
+							instr_unknown_source_title,
+							instr_unknown_source_descr, NULL, NULL);
 	}
 
 	*string = this->remediation_string->get_encoding(this->remediation_string);
@@ -462,6 +502,7 @@ METHOD(imv_state_t, get_remediation_instructions, bool,
 METHOD(imv_state_t, destroy, void,
 	private_imv_os_state_t *this)
 {
+	DESTROY_IF(this->session);
 	DESTROY_IF(this->reason_string);
 	DESTROY_IF(this->remediation_string);
 	this->update_packages->destroy_function(this->update_packages, free);
@@ -470,9 +511,22 @@ METHOD(imv_state_t, destroy, void,
 	free(this->name.ptr);
 	free(this->version.ptr);
 	free(this->ar_id_value.ptr);
+	free(this->device_id.ptr);
 	free(this);
 }
 
+METHOD(imv_os_state_t, set_handshake_state, void,
+	private_imv_os_state_t *this, imv_os_handshake_state_t new_state)
+{
+	this->handshake_state = new_state;
+}
+
+METHOD(imv_os_state_t, get_handshake_state, imv_os_handshake_state_t,
+	private_imv_os_state_t *this)
+{
+	return this->handshake_state;
+}
+
 METHOD(imv_os_state_t, set_info, void,
 	private_imv_os_state_t *this, os_type_t type, chunk_t name, chunk_t version)
 {
@@ -539,37 +593,13 @@ METHOD(imv_os_state_t, get_count, void,
 	}
 }
 
-METHOD(imv_os_state_t, set_attribute_request, void,
-	private_imv_os_state_t *this, bool set)
-{
-	this->attribute_request = set;
-}
-
-METHOD(imv_os_state_t, get_attribute_request, bool,
-	private_imv_os_state_t *this)
-{
-	return this->attribute_request;
-}
-
-METHOD(imv_os_state_t, set_package_request, void,
-	private_imv_os_state_t *this, bool set)
-{
-	this->package_request = set;
-}
-
-METHOD(imv_os_state_t, get_package_request, bool,
-	private_imv_os_state_t *this)
-{
-	return this->package_request;
-}
-
 METHOD(imv_os_state_t, set_device_id, void,
-	private_imv_os_state_t *this, int id)
+	private_imv_os_state_t *this, chunk_t id)
 {
-	this->device_id = id;
+	this->device_id = chunk_clone(id);
 }
 
-METHOD(imv_os_state_t, get_device_id, int,
+METHOD(imv_os_state_t, get_device_id, chunk_t,
 	private_imv_os_state_t *this)
 {
 	return this->device_id;
@@ -631,23 +661,26 @@ imv_state_t *imv_os_state_create(TNC_ConnectionID connection_id)
 				.set_flags = _set_flags,
 				.set_max_msg_len = _set_max_msg_len,
 				.get_max_msg_len = _get_max_msg_len,
+				.set_action_flags = _set_action_flags,
+				.get_action_flags = _get_action_flags,
 				.set_ar_id = _set_ar_id,
 				.get_ar_id = _get_ar_id,
+				.set_session = _set_session,
+				.get_session = _get_session,
 				.change_state = _change_state,
 				.get_recommendation = _get_recommendation,
 				.set_recommendation = _set_recommendation,
+				.update_recommendation = _update_recommendation,
 				.get_reason_string = _get_reason_string,
 				.get_remediation_instructions = _get_remediation_instructions,
 				.destroy = _destroy,
 			},
+			.set_handshake_state = _set_handshake_state,
+			.get_handshake_state = _get_handshake_state,
 			.set_info = _set_info,
 			.get_info = _get_info,
 			.set_count = _set_count,
 			.get_count = _get_count,
-			.set_attribute_request = _set_attribute_request,
-			.get_attribute_request = _get_attribute_request,
-			.set_package_request = _set_package_request,
-			.get_package_request = _get_package_request,
 			.set_device_id = _set_device_id,
 			.get_device_id = _get_device_id,
 			.set_os_settings = _set_os_settings,
diff --git a/src/libimcv/plugins/imv_os/imv_os_state.h b/src/libimcv/plugins/imv_os/imv_os_state.h
index 1c2adeaf9..97f695319 100644
--- a/src/libimcv/plugins/imv_os/imv_os_state.h
+++ b/src/libimcv/plugins/imv_os/imv_os_state.h
@@ -29,12 +29,27 @@
 #include <library.h>
 
 typedef struct imv_os_state_t imv_os_state_t;
+typedef enum imv_os_handshake_state_t imv_os_handshake_state_t;
 typedef enum os_settings_t os_settings_t;
 
+/**
+ * IMV OS Handshake States (state machine)
+ */
+enum imv_os_handshake_state_t {
+	IMV_OS_STATE_INIT,
+	IMV_OS_STATE_ATTR_REQ,
+	IMV_OS_STATE_POLICY_START,
+	IMV_OS_STATE_WORKITEMS,
+	IMV_OS_STATE_END
+};
+
+/**
+ * Flags for detected OS Settings
+ */
 enum os_settings_t {
-	OS_SETTINGS_FWD_ENABLED =         1,
-	OS_SETTINGS_DEFAULT_PWD_ENABLED = 2,
-	OS_SETTINGS_NON_MARKET_APPS =     4
+	OS_SETTINGS_FWD_ENABLED =         (1<<0),
+	OS_SETTINGS_DEFAULT_PWD_ENABLED = (1<<1),
+	OS_SETTINGS_UNKNOWN_SOURCE =      (1<<2)
 };
 
 /**
@@ -47,6 +62,21 @@ struct imv_os_state_t {
 	 */
 	imv_state_t interface;
 
+	/**
+	 * Set state of the handshake
+	 *
+	 * @param new_state			the handshake state of IMV
+	 */
+	void (*set_handshake_state)(imv_os_state_t *this,
+								imv_os_handshake_state_t new_state);
+
+	/**
+	 * Get state of the handshake
+	 *
+	 * @return					the handshake state of IMV
+	 */
+	imv_os_handshake_state_t (*get_handshake_state)(imv_os_state_t *this);
+
 	/**
 	 * Set OS Product Information
 	 *
@@ -90,47 +120,19 @@ struct imv_os_state_t {
 	void (*get_count)(imv_os_state_t *this, int *count, int *count_update,
 					  int *count_blacklist, int *count_ok);
 
-	/**
-	 * Set/reset attribute request status
-	 *
-	 * @param set			TRUE to set, FALSE to clear
-	 */
-	void (*set_attribute_request)(imv_os_state_t *this, bool set);
-
-	/**
-	 * Get attribute request status
-	 *
-	 * @return				TRUE if set, FALSE if unset
-	 */
-	bool (*get_attribute_request)(imv_os_state_t *this);
-
-	/**
-	 * Set/reset OS Installed Packages request status
-	 *
-	 * @param set			TRUE to set, FALSE to clear
-	 */
-	void (*set_package_request)(imv_os_state_t *this, bool set);
-
-	/**
-	 * Get OS Installed Packages request status
-	 *
-	 * @return				TRUE if set, FALSE if unset
-	 */
-	bool (*get_package_request)(imv_os_state_t *this);
-
 	/**
 	 * Set device ID
 	 *
-	 * @param device_id		Device ID primary database key
+	 * @param device_id		Device ID
 	 */
-	void (*set_device_id)(imv_os_state_t *this, int id);
+	void (*set_device_id)(imv_os_state_t *this, chunk_t id);
 
 	/**
 	 * Get device ID
 	 *
-	 * @return				Device ID primary database key
+	 * @return				Device ID
 	 */
-	int (*get_device_id)(imv_os_state_t *this);
+	chunk_t (*get_device_id)(imv_os_state_t *this);
 
 	/**
 	 * Set OS settings
diff --git a/src/libimcv/plugins/imv_os/pacman.c b/src/libimcv/plugins/imv_os/pacman.c
index 25e63760b..57cc62a08 100644
--- a/src/libimcv/plugins/imv_os/pacman.c
+++ b/src/libimcv/plugins/imv_os/pacman.c
@@ -21,12 +21,33 @@
 #include <errno.h>
 #include <syslog.h>
 #include <time.h>
+#include <sys/stat.h>
 
 #include "imv_os_state.h"
 
 #include <library.h>
 #include <utils/debug.h>
 
+typedef enum pacman_state_t pacman_state_t;
+
+enum pacman_state_t {
+	PACMAN_STATE_BEGIN_PACKAGE,
+	PACMAN_STATE_VERSION,
+	PACMAN_STATE_END_PACKAGE
+};
+
+typedef struct stats_t stats_t;
+
+struct stats_t {
+	time_t release;
+	int product;
+	int packages;
+	int new_packages;
+	int new_versions;
+	int updated_versions;
+	int deleted_versions;
+};
+
 /**
  * global debug output variables
  */
@@ -88,54 +109,186 @@ static void usage(void)
 }
 
 /**
- * Extract the time the package file was generated
+ * Update the package database
  */
-static time_t extract_time(char *line)
+static bool update_database(database_t *db, char *package, char *version,
+							bool security, stats_t *stats)
 {
-	struct tm t;
-	char wday[4], mon[4];
-	char* months[] = { "Jan", "Feb", "Mar", "Apr", "May", "Jun",
-					   "Jul", "Aug", "Sep", "Oct", "Nov", "Dec" };
-	int i;
-
-	if (sscanf(line, "Generated: %3s %3s %2d %2d:%2d:%2d %4d UTC", wday, mon,
-			   &t.tm_mday, &t.tm_hour, &t.tm_min, &t.tm_sec, &t.tm_year) != 7)
+	char *cur_version, *version_update = NULL, *version_delete = NULL;
+	int cur_security, security_update = 0, security_delete = 0;
+	int pac_id = 0, vid = 0, vid_update = 0, vid_delete = 0;
+	u_int cur_time;
+	bool add_version = TRUE;
+	enumerator_t *e;
+
+	/* increment package count */
+	stats->packages++;
+
+	/* check if package is already in database */
+	e = db->query(db, "SELECT id FROM packages WHERE name = ?",
+					  DB_TEXT, package, DB_INT);
+	if (!e)
 	{
-		return UNDEFINED_TIME;
+		return FALSE;
 	}
-	t.tm_isdst = 0;
-	t.tm_year -= 1900;
-	t.tm_mon = 12;
+	if (!e->enumerate(e, &pac_id))
+	{
+		pac_id = 0;
+	}
+	e->destroy(e);
 
-	for (i = 0; i < countof(months); i++)
+	if (!pac_id && security)
 	{
-		if (streq(mon, months[i]))
+		if (db->execute(db, &pac_id, "INSERT INTO packages (name) VALUES (?)",
+						DB_TEXT, package) != 1)
 		{
-			t.tm_mon = i;
+			fprintf(stderr, "could not store package '%s' to database\n",
+							 package);
+			return FALSE;
+		}
+		stats->new_packages++;
+	}
+
+	/* check for package versions already in database */
+	e = db->query(db,
+			"SELECT id, release, security, time FROM versions "
+			"WHERE package = ? AND product = ?", DB_INT, pac_id,
+			 DB_INT, stats->product, DB_INT, DB_TEXT, DB_INT, DB_UINT);
+	if (!e)
+	{
+		return FALSE;
+	}
+
+	while (e->enumerate(e, &vid, &cur_version, &cur_security, &cur_time))
+	{
+		if (streq(version, cur_version))
+		{
+			/* already in data base */
+			add_version = FALSE;
 			break;
 		}
+		else if (stats->release >= cur_time)
+		{
+			if (security)
+			{
+				if (cur_security)
+				{
+					vid_update = vid;
+					version_update = strdup(cur_version);
+					security_update = cur_security;
+				}
+				else
+				{
+					vid_delete = vid;
+					version_delete = strdup(cur_version);
+					security_delete = cur_security;
+				}
+			}
+			else
+			{
+				if (!cur_security)
+				{
+					vid_update = vid;
+					version_update = strdup(cur_version);
+					security_update = cur_security;
+				}
+			}
+		}
+		else
+		{
+			if (security == cur_security)
+			{
+				add_version = FALSE;
+			}
+		}
+	}
+	e->destroy(e);
+
+	if ((!vid && !security) || (vid && !add_version))
+	{
+		free(version_update);
+		free(version_delete);
+		return TRUE;
+	}
+
+	if ((!vid && security) || (vid && !vid_update))
+	{
+		printf("%s (%s) %s\n", package, version, security ? "[s]" : "");
+
+		if (db->execute(db, &vid,
+			"INSERT INTO versions "
+			"(package, product, release, security, time) "
+			"VALUES (?, ?, ?, ?, ?)", DB_INT, pac_id, DB_INT, stats->product,
+			DB_TEXT, version, DB_INT, security, DB_INT, stats->release) != 1)
+		{
+			fprintf(stderr, "could not store version '%s' to database\n",
+							 version);
+			free(version_update);
+			free(version_delete);
+			return FALSE;
+		}
+		stats->new_versions++;
+	}
+	else
+	{
+		printf("%s (%s) %s updated by\n",
+			   package, version_update, security_update ? "[s]" : "");
+		printf("%s (%s) %s\n", package, version, security ? "[s]" : "");
+
+		if (db->execute(db, NULL,
+			"UPDATE versions SET release = ?, time = ? WHERE id = ?",
+			DB_TEXT, version, DB_INT, stats->release, DB_INT, vid_update) <= 0)
+		{
+			fprintf(stderr, "could not update version '%s' to database\n",
+							 version);
+			free(version_update);
+			free(version_delete);
+			return FALSE;
+		}
+		stats->updated_versions++;
 	}
-	if (t.tm_mon == 12)
+
+	if (vid_delete)
 	{
-		return UNDEFINED_TIME;
+		printf("%s (%s) %s deleted\n",
+			   package, version_delete, security_delete ? "[s]" : "");
+			if (db->execute(db, NULL,
+			"DELETE FROM  versions WHERE id = ?",
+			DB_INT, vid_delete) <= 0)
+		{
+			fprintf(stderr, "could not delete version '%s' from database\n",
+							 version_delete);
+			free(version_update);
+			free(version_delete);
+			return FALSE;
+		}
+		stats->deleted_versions++;
 	}
+	free(version_update);
+	free(version_delete);
 
-	return mktime(&t) - timezone;
+	return TRUE;
 }
 
 /**
  * Process a package file and store updates in the database
  */
-static void process_packages(char *filename, char *product, bool update)
+static void process_packages(char *filename, char *product, bool security)
 {
-	char *uri, line[12288], *pos;
-	int count = 0, errored = 0, vulnerable = 0, new_packages = 0;
-	int new_versions = 0, updated_versions = 0, deleted_versions = 0;
-	time_t gen_time;
-	u_int32_t pid = 0;
+	char *uri, line[BUF_LEN], *pos, *package = NULL, *version = NULL;
+	pacman_state_t pacman_state;
 	enumerator_t *e;
 	database_t *db;
+	int pid;
 	FILE *file;
+	stats_t stats;
+	bool success;
+
+	/* initialize statistics */
+	memset(&stats, 0x00, sizeof(stats_t));
+
+	/* Set release date to current time */
+	stats.release = time(NULL);
 
 	/* opening package file */
 	printf("loading\"%s\"\n", filename);
@@ -167,13 +320,13 @@ static void process_packages(char *filename, char *product, bool update)
 				  DB_TEXT, product, DB_INT);
 	if (e)
 	{
-		if (!e->enumerate(e, &pid))
+		if (e->enumerate(e, &pid))
 		{
-			pid = 0;
+			stats.product = pid;
 		}
 		e->destroy(e);
 	}
-	if (!pid)
+	if (!stats.product)
 	{
 		if (db->execute(db, &pid, "INSERT INTO products (name) VALUES (?)",
 						DB_TEXT, product) != 1)
@@ -184,248 +337,78 @@ static void process_packages(char *filename, char *product, bool update)
 			db->destroy(db);
 			exit(EXIT_FAILURE);
 		}
+		stats.product = pid;
 	}
 
+	pacman_state = PACMAN_STATE_BEGIN_PACKAGE;
+
 	while (fgets(line, sizeof(line), file))
 	{
-		char *package, *version;
-		char *cur_version, *version_update = NULL, *version_delete = NULL;
-		bool security, add_version = TRUE;
-		int cur_security, security_update = 0, security_delete = 0;
-		u_int32_t gid = 0, vid = 0, vid_update = 0, vid_delete = 0;
-		time_t cur_time;
-
-		count++;
-		if (count == 1)
-		{
-			printf("%s", line);
-		}
-		if (count == 3)
-		{
-			gen_time = extract_time(line);
-
-			if (gen_time == UNDEFINED_TIME)
-			{
-				fprintf(stderr, "could not extract generation time\n");
-				fclose(file);
-				db->destroy(db);
-				exit(EXIT_FAILURE);
-			}
-			printf("Generated: %T\n", &gen_time, TRUE);
-		}
-		if (count < 7)
-		{
-			continue;
-		}
+		/* set read pointer to beginning of line */
+		pos = line;
 
-		/* look for the package name */
-		pos = strchr(line, ' ');
-		if (!pos)
+		switch (pacman_state)
 		{
-			fprintf(stderr, "could not extract package name from '%.*s'\n",
-					(int)(strlen(line)-1), line);
-			errored++;
-			continue;
-		}
-		*pos++ = '\0';
-		package = line;
-
-		/* look for version string in parentheses */
-		if (*pos == '(')
-		{
-			version = ++pos;
-			pos = strchr(pos, ')');
-			if (pos)
-			{
-				*pos++ = '\0';
-			}
-			else
-			{
-				fprintf(stderr, "could not extract package version from "
-						"'%.*s'\n", (int)(strlen(line)-1), line);
-				errored++;
-				continue;
-			}
-		}
-		else
-		{
-			/* no version information, skip entry */
-			continue;
-		}
-		security = (strstr(pos, "[security]") != NULL);
-		if (security)
-		{
-			vulnerable++;
-		}
-
-		/* handle non-security packages in update mode only */
-		if (!update && !security)
-		{
-			continue;
-		}
-
-		/* check if package is already in database */
-		e = db->query(db, "SELECT id FROM packages WHERE name = ?",
-						  DB_TEXT, package, DB_INT);
-		if (e)
-		{
-			if (!e->enumerate(e, &gid))
-			{
-				gid = 0;
-			}
-			e->destroy(e);
-		}
-		if (!gid && security)
-		{
-			if (db->execute(db, &gid, "INSERT INTO packages (name) VALUES (?)",
-								DB_TEXT, package) != 1)
-			{
-				fprintf(stderr, "could not store package '%s' to database\n",
-								 package);
-				fclose(file);
-				db->destroy(db);
-				exit(EXIT_FAILURE);
-			}
-			new_packages++;
-		}
-
-		/* check for package versions already in database */
-		e = db->query(db,
-				"SELECT id, release, security, time FROM versions "
-				"WHERE package = ? AND product = ?",
-				DB_INT, gid, DB_INT, pid, DB_INT, DB_TEXT, DB_INT, DB_INT);
-		if (!e)
-		{
-			break;
-		}
-		while (e->enumerate(e, &vid, &cur_version, &cur_security, &cur_time))
-		{
-			if (streq(version, cur_version))
-			{
-				/* already in data base */
-				add_version = FALSE;
+			case PACMAN_STATE_BEGIN_PACKAGE:
+				pos = strstr(pos, "Package: ");
+				if (!pos)
+				{
+					continue;
+				}
+				pos += 9;
+				package = pos;
+				pos = strchr(pos, '\n');
+				if (pos)
+				{
+					package = strndup(package, pos - package);
+					pacman_state = PACMAN_STATE_VERSION;
+				}
 				break;
-			}
-			else if (gen_time > cur_time)
-			{
-				if (security)
+			case PACMAN_STATE_VERSION:
+				pos = strstr(pos, "Version: ");
+				if (!pos)
 				{
-					if (cur_security)
-					{
-						vid_update = vid;
-						version_update = strdup(cur_version);
-						security_update = cur_security;
-					}
-					else
-					{
-						vid_delete = vid;
-						version_delete = strdup(cur_version);
-						security_delete = cur_security;
-					}
+					continue;
 				}
-				else
+				pos += 9;
+				version = pos;
+				pos = strchr(pos, '\n');
+				if (pos)
 				{
-					if (!cur_security)
-					{
-						vid_update = vid;
-						version_update = strdup(cur_version);
-						security_update = cur_security;
-					}
+					version = strndup(version, pos - version);
+					pacman_state = PACMAN_STATE_END_PACKAGE;
 				}
-			}
-			else
-			{
-				if (security == cur_security)
+				break;
+			case PACMAN_STATE_END_PACKAGE:
+				if (*pos != '\n')
 				{
-					add_version = FALSE;
+					continue;
 				}
-			}
-		}
-		e->destroy(e);
-
-		if ((!vid && !security) || (vid && !add_version))
-		{
-			free(version_update);
-			free(version_delete);
-			continue;
-		}
-
-		if ((!vid && security) || (vid && !vid_update))
-		{
-			printf("%s (%s) %s\n", package, version, security ? "[s]" : "");
-
-			if (db->execute(db, &vid,
-				"INSERT INTO versions "
-				"(package, product, release, security, time) "
-				"VALUES (?, ?, ?, ?, ?)", DB_INT, gid, DB_INT, pid,
-				DB_TEXT, version, DB_INT, security, DB_INT, gen_time) != 1)
-			{
-				fprintf(stderr, "could not store version '%s' to database\n",
-								 version);
-				free(version_update);
-				free(version_delete);
-				fclose(file);
-				db->destroy(db);
-				exit(EXIT_FAILURE);
-			}
-			new_versions++;
-		}
-		else
-		{
-			printf("%s (%s) %s updated by\n",
-				   package, version_update, security_update ? "[s]" : "");
-			printf("%s (%s) %s\n", package, version, security ? "[s]" : "");
-
-			if (db->execute(db, NULL,
-				"UPDATE versions SET release = ?, time = ? WHERE id = ?",
-				DB_TEXT, version, DB_INT, gen_time, DB_INT, vid_update) <= 0)
-			{
-				fprintf(stderr, "could not update version '%s' to database\n",
-								 version);
-				free(version_update);
-				free(version_delete);
-				fclose(file);
-				db->destroy(db);
-				exit(EXIT_FAILURE);
-			}
-			updated_versions++;
-		}
-
-		if (vid_delete)
-		{
-			printf("%s (%s) %s deleted\n",
-				   package, version_delete, security_delete ? "[s]" : "");
-
-			if (db->execute(db, NULL,
-				"DELETE FROM  versions WHERE id = ?",
-				DB_INT, vid_delete) <= 0)
-			{
-				fprintf(stderr, "could not delete version '%s' from database\n",
-								 version_delete);
-				free(version_update);
-				free(version_delete);
-				fclose(file);
-				db->destroy(db);
-				exit(EXIT_FAILURE);
-			}
-			deleted_versions++;
+				success = update_database(db, package, version, security, &stats);
+				free(package);
+				free(version);
+				if (!success)
+				{
+					fclose(file);
+					db->destroy(db);
+					exit(EXIT_FAILURE);
+				}
+				pacman_state = PACMAN_STATE_BEGIN_PACKAGE;
 		}
-		free(version_update);
-		free(version_delete);
 	}
 	fclose(file);
 	db->destroy(db);
 
-	printf("processed %d packages, %d security, %d new packages, "
-		   "%d new versions, %d updated versions, %d deleted versions, "
-		   "%d errored\n", count - 6, vulnerable, new_packages, new_versions,
-		   updated_versions, deleted_versions, errored);
+	printf("processed %d packages, %d new packages, %d new versions, "
+		   "%d updated versions, %d deleted versions\n",
+			stats.packages, stats.new_packages, stats.new_versions,
+			stats.updated_versions, stats.deleted_versions);
 }
 
 static void do_args(int argc, char *argv[])
 {
 	char *filename = NULL, *product = NULL;
-	bool update = FALSE;
+	bool security = FALSE;
 
 	/* reinit getopt state */
 	optind = 0;
@@ -438,7 +421,7 @@ static void do_args(int argc, char *argv[])
 			{ "help", no_argument, NULL, 'h' },
 			{ "file", required_argument, NULL, 'f' },
 			{ "product", required_argument, NULL, 'p' },
-			{ "update", no_argument, NULL, 'u' },
+			{ "security", no_argument, NULL, 's' },
 			{ 0,0,0,0 }
 		};
 
@@ -456,8 +439,8 @@ static void do_args(int argc, char *argv[])
 			case 'p':
 				product = optarg;
 				continue;
-			case 'u':
-				update = TRUE;
+			case 's':
+				security = TRUE;
 				continue;
 		}
 		break;
@@ -465,7 +448,7 @@ static void do_args(int argc, char *argv[])
 
 	if (filename && product)
 	{
-		process_packages(filename, product, update);
+		process_packages(filename, product, security);
 	}
 	else
 	{
@@ -487,7 +470,7 @@ int main(int argc, char *argv[])
 	{
 		exit(SS_RC_LIBSTRONGSWAN_INTEGRITY);
 	}
-	if (!lib->plugins->load(lib->plugins, NULL,
+	if (!lib->plugins->load(lib->plugins,
 			lib->settings->get_str(lib->settings, "attest.load", "sqlite")))
 	{
 		exit(SS_RC_INITIALIZATION_FAILED);
diff --git a/src/libimcv/plugins/imv_os/pacman.sh b/src/libimcv/plugins/imv_os/pacman.sh
index e9134ea5d..e99de0cb5 100755
--- a/src/libimcv/plugins/imv_os/pacman.sh
+++ b/src/libimcv/plugins/imv_os/pacman.sh
@@ -1,40 +1,160 @@
 #!/bin/sh
 
-DATE=`date +%Y%m%d`
-DEBIAN=http://packages.debian.org
-UBUNTU=http://packages.ubuntu.com
-UBUNTU_VERSIONS="quantal precise oneiric lucid"
-PACKAGES=allpackages?format=txt.gz
+DIR="/etc/pts"
+DATE=`date +%Y%m%d-%H%M`
+UBUNTU="http://security.ubuntu.com/ubuntu/dists"
+UBUNTU_VERSIONS="raring quantal precise lucid"
+UBUNTU_DIRS="main multiverse restricted universe"
+UBUNTU_ARCH="binary-amd64 binary-i386"
+DEBIAN="http://security.debian.org/dists"
+DEBIAN_VERSIONS="jessie wheezy squeeze"
+DEBIAN_DIRS="main contrib non-free"
+DEBIAN_ARCH="binary-amd64 binary-i386"
 PACMAN=/usr/libexec/ipsec/pacman
-DIR=/etc/pts
+PACMAN_LOG="$DIR/$DATE-pacman.log"
 
-cd $DIR
+cd $DIR/dists
 
 for v in $UBUNTU_VERSIONS
 do
-  wget $UBUNTU/$v/$PACKAGES -O $DATE-$v.txt.gz
-  wget $UBUNTU/$v-updates/$PACKAGES -O $DATE-$v-updates.txt.gz
+  for a in $UBUNTU_ARCH
+  do
+    mkdir -p $v-security/$a $v-updates/$a
+    for d in $UBUNTU_DIRS
+    do
+  	  wget $UBUNTU/$v-security/$d/$a/Packages.bz2 -O $v-security/$a/Packages-$d.bz2
+      bunzip2 -f $v-security/$a/Packages-$d.bz2
+  	  wget $UBUNTU/$v-updates/$d/$a/Packages.bz2  -O $v-updates/$a/Packages-$d.bz2
+      bunzip2 -f $v-updates/$a/Packages-$d.bz2
+	done
+  done
 done
 
-wget $DEBIAN/stable/$PACKAGES -O $DATE-squeeze.txt.gz
-gunzip *.gz
+for v in $DEBIAN_VERSIONS
+do
+  for a in $DEBIAN_ARCH
+  do
+    mkdir -p $v-updates/$a
+    for d in $DEBIAN_DIRS
+    do
+  	  wget $DEBIAN/$v/updates/$d/$a/Packages.bz2  -O $v-updates/$a/Packages-$d.bz2
+      bunzip2 -f $v-updates/$a/Packages-$d.bz2
+	done
+  done
+done
+
+for f in raring-security/binary-amd64/*
+do
+  $PACMAN --product "Ubuntu 13.04 x86_64" --file $f --security >> $PACMAN_LOG
+done
+echo
+for f in raring-updates/binary-amd64/*
+do
+  $PACMAN --product "Ubuntu 13.04 x86_64" --file $f >> $PACMAN_LOG
+done
+echo
+for f in raring-security/binary-i386/*
+do
+  $PACMAN --product "Ubuntu 13.04 i686" --file $f --security >> $PACMAN_LOG
+done
+echo
+for f in raring-updates/binary-i386/*
+do
+  $PACMAN --product "Ubuntu 13.04 i686" --file $f >> $PACMAN_LOG
+done
+echo
 
-$PACMAN --product "Ubuntu 12.10" --file $DATE-quantal.txt
+for f in quantal-security/binary-amd64/*
+do
+  $PACMAN --product "Ubuntu 12.10 x86_64" --file $f --security >> $PACMAN_LOG
+done
 echo
-$PACMAN --product "Ubuntu 12.10" --file $DATE-quantal-updates.txt --update
+for f in quantal-updates/binary-amd64/*
+do
+  $PACMAN --product "Ubuntu 12.10 x86_64" --file $f >> $PACMAN_LOG
+done
 echo
-$PACMAN --product "Ubuntu 12.04" --file $DATE-precise.txt
+for f in quantal-security/binary-i386/*
+do
+  $PACMAN --product "Ubuntu 12.10 i686" --file $f --security >> $PACMAN_LOG
+done
 echo
-$PACMAN --product "Ubuntu 12.04" --file $DATE-precise-updates.txt --update
+for f in quantal-updates/binary-i386/*
+do
+  $PACMAN --product "Ubuntu 12.10 i686" --file $f >> $PACMAN_LOG
+done
 echo
-$PACMAN --product "Ubuntu 11.10" --file $DATE-oneiric.txt
+
+for f in precise-security/binary-amd64/*
+do
+  $PACMAN --product "Ubuntu 12.04 x86_64" --file $f --security >> $PACMAN_LOG
+done
 echo
-$PACMAN --product "Ubuntu 11.10" --file $DATE-oneiric-updates.txt --update
+for f in precise-updates/binary-amd64/*
+do
+  $PACMAN --product "Ubuntu 12.04 x86_64" --file $f >> $PACMAN_LOG
+done
 echo
-$PACMAN --product "Ubuntu 10.04" --file $DATE-lucid.txt
+for f in precise-security/binary-i386/*
+do
+  $PACMAN --product "Ubuntu 12.04 i686" --file $f --security >> $PACMAN_LOG
+done
 echo
-$PACMAN --product "Ubuntu 10.04" --file $DATE-lucid-updates.txt --update
+for f in precise-updates/binary-i386/*
+do
+  $PACMAN --product "Ubuntu 12.04 i686" --file $f >> $PACMAN_LOG
+done
 echo
-$PACMAN --product "Debian squeeze" --file $DATE-squeeze.txt
 
-cp config.db config.db-$DATE
+for f in lucid-security/binary-amd64/*
+do
+  $PACMAN --product "Ubuntu 10.04 x86_64" --file $f --security >> $PACMAN_LOG
+done
+echo
+for f in lucid-updates/binary-amd64/*
+do
+  $PACMAN --product "Ubuntu 10.04 x86_64" --file $f >> $PACMAN_LOG
+done
+echo
+for f in lucid-security/binary-i386/*
+do
+  $PACMAN --product "Ubuntu 10.04 i686" --file $f --security >> $PACMAN_LOG
+done
+echo
+for f in lucid-updates/binary-i386/*
+do
+  $PACMAN --product "Ubuntu 10.04 i686" --file $f >> $PACMAN_LOG
+done
+echo
+
+for f in jessie-updates/binary-amd64/*
+do
+  $PACMAN --product "Debian 8.0 x86_64" --file $f --security >> $PACMAN_LOG
+done
+echo
+for f in jessie-updates/binary-i386/*
+do
+  $PACMAN --product "Debian 8.0 i686" --file $f --security >> $PACMAN_LOG
+done
+
+for f in wheezy-updates/binary-amd64/*
+do
+  $PACMAN --product "Debian 7.0 x86_64" --file $f --security >> $PACMAN_LOG
+done
+echo
+for f in wheezy-updates/binary-i386/*
+do
+  $PACMAN --product "Debian 7.0 i686" --file $f --security >> $PACMAN_LOG
+done
+
+for f in squeeze-updates/binary-amd64/*
+do
+  $PACMAN --product "Debian 6.0 x86_64" --file $f --security >> $PACMAN_LOG
+done
+echo
+for f in squeeze-updates/binary-i386/*
+do
+  $PACMAN --product "Debian 6.0 i686" --file $f --security >> $PACMAN_LOG
+done
+
+cp $DIR/config.db $DIR/config.db-$DATE
diff --git a/src/libimcv/plugins/imv_scanner/Makefile.am b/src/libimcv/plugins/imv_scanner/Makefile.am
index df2158e72..625e62316 100644
--- a/src/libimcv/plugins/imv_scanner/Makefile.am
+++ b/src/libimcv/plugins/imv_scanner/Makefile.am
@@ -1,15 +1,18 @@
-
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libtncif \
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libtncif \
 	-I$(top_srcdir)/src/libimcv
 
-AM_CFLAGS = -rdynamic
+AM_CFLAGS = \
+	-rdynamic
 
 imcv_LTLIBRARIES = imv-scanner.la
 
 imv_scanner_la_LIBADD = $(top_builddir)/src/libimcv/libimcv.la \
 	$(top_builddir)/src/libstrongswan/libstrongswan.la
 
-imv_scanner_la_SOURCES = imv_scanner.c imv_scanner_state.h imv_scanner_state.c
+imv_scanner_la_SOURCES = \
+	imv_scanner.c imv_scanner_state.h imv_scanner_state.c \
+	imv_scanner_agent.h imv_scanner_agent.c
 
 imv_scanner_la_LDFLAGS = -module -avoid-version
-
diff --git a/src/libimcv/plugins/imv_scanner/Makefile.in b/src/libimcv/plugins/imv_scanner/Makefile.in
index cfd4463a2..e336b86bb 100644
--- a/src/libimcv/plugins/imv_scanner/Makefile.in
+++ b/src/libimcv/plugins/imv_scanner/Makefile.in
@@ -62,7 +62,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
@@ -100,24 +100,42 @@ am__installdirs = "$(DESTDIR)$(imcvdir)"
 LTLIBRARIES = $(imcv_LTLIBRARIES)
 imv_scanner_la_DEPENDENCIES = $(top_builddir)/src/libimcv/libimcv.la \
 	$(top_builddir)/src/libstrongswan/libstrongswan.la
-am_imv_scanner_la_OBJECTS = imv_scanner.lo imv_scanner_state.lo
+am_imv_scanner_la_OBJECTS = imv_scanner.lo imv_scanner_state.lo \
+	imv_scanner_agent.lo
 imv_scanner_la_OBJECTS = $(am_imv_scanner_la_OBJECTS)
-imv_scanner_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
-	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
-	$(imv_scanner_la_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+imv_scanner_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
+	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
+	$(AM_CFLAGS) $(CFLAGS) $(imv_scanner_la_LDFLAGS) $(LDFLAGS) -o \
+	$@
 DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
 depcomp = $(SHELL) $(top_srcdir)/depcomp
 am__depfiles_maybe = depfiles
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
 SOURCES = $(imv_scanner_la_SOURCES)
 DIST_SOURCES = $(imv_scanner_la_SOURCES)
 am__can_run_installinfo = \
@@ -131,6 +149,7 @@ DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
@@ -143,6 +162,8 @@ CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
 CHECK_CFLAGS = @CHECK_CFLAGS@
 CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -158,6 +179,7 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
 GPRBUILD = @GPRBUILD@
 GREP = @GREP@
@@ -166,6 +188,7 @@ INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -212,6 +235,7 @@ SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -240,6 +264,7 @@ charon_natt_port = @charon_natt_port@
 charon_plugins = @charon_plugins@
 charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
@@ -317,15 +342,22 @@ top_srcdir = @top_srcdir@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libtncif \
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libtncif \
 	-I$(top_srcdir)/src/libimcv
 
-AM_CFLAGS = -rdynamic
+AM_CFLAGS = \
+	-rdynamic
+
 imcv_LTLIBRARIES = imv-scanner.la
 imv_scanner_la_LIBADD = $(top_builddir)/src/libimcv/libimcv.la \
 	$(top_builddir)/src/libstrongswan/libstrongswan.la
 
-imv_scanner_la_SOURCES = imv_scanner.c imv_scanner_state.h imv_scanner_state.c
+imv_scanner_la_SOURCES = \
+	imv_scanner.c imv_scanner_state.h imv_scanner_state.c \
+	imv_scanner_agent.h imv_scanner_agent.c
+
 imv_scanner_la_LDFLAGS = -module -avoid-version
 all: all-am
 
@@ -394,7 +426,7 @@ clean-imcvLTLIBRARIES:
 	  rm -f "$${dir}/so_locations"; \
 	done
 imv-scanner.la: $(imv_scanner_la_OBJECTS) $(imv_scanner_la_DEPENDENCIES) $(EXTRA_imv_scanner_la_DEPENDENCIES) 
-	$(imv_scanner_la_LINK) -rpath $(imcvdir) $(imv_scanner_la_OBJECTS) $(imv_scanner_la_LIBADD) $(LIBS)
+	$(AM_V_CCLD)$(imv_scanner_la_LINK) -rpath $(imcvdir) $(imv_scanner_la_OBJECTS) $(imv_scanner_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -403,28 +435,29 @@ distclean-compile:
 	-rm -f *.tab.c
 
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/imv_scanner.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/imv_scanner_agent.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/imv_scanner_state.Plo@am__quote@
 
 .c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
 mostlyclean-libtool:
 	-rm -f *.lo
diff --git a/src/libimcv/plugins/imv_scanner/imv_scanner.c b/src/libimcv/plugins/imv_scanner/imv_scanner.c
index 16ce0863f..6f5e82355 100644
--- a/src/libimcv/plugins/imv_scanner/imv_scanner.c
+++ b/src/libimcv/plugins/imv_scanner/imv_scanner.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2011-2012 Andreas Steffen
+ * Copyright (C) 2013 Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -13,432 +13,12 @@
  * for more details.
  */
 
-#include "imv_scanner_state.h"
-
-#include <imv/imv_agent.h>
-#include <imv/imv_msg.h>
-#include <ietf/ietf_attr.h>
-#include <ietf/ietf_attr_attr_request.h>
-#include <ietf/ietf_attr_pa_tnc_error.h>
-#include <ietf/ietf_attr_port_filter.h>
-
-#include <tncif_names.h>
-#include <tncif_pa_subtypes.h>
-
-#include <pen/pen.h>
-#include <collections/linked_list.h>
-#include <utils/lexparser.h>
-#include <utils/debug.h>
-
-/* IMV definitions */
+#include "imv_scanner_agent.h"
 
 static const char imv_name[] = "Scanner";
+static const imv_agent_create_t imv_agent_create = imv_scanner_agent_create;
 
-static pen_type_t msg_types[] = {
-	{ PEN_IETF, PA_SUBTYPE_IETF_VPN }
-};
-
-static imv_agent_t *imv_scanner;
-
-typedef struct port_range_t port_range_t;
-
-struct port_range_t {
-	u_int16_t start, stop;
-};
-
-
-/**
- * Default port policy
- *
- * TRUE:  all server ports on the TNC client must be closed
- * FALSE: any server port on the TNC client is allowed to be open
- */
-static bool closed_port_policy = TRUE;
-
-/**
- * List of TCP and UDP port ranges
- *
- * TRUE:  server ports on the TNC client that are allowed to be open
- * FALSE: server ports on the TNC client that must be closed
- */
-static linked_list_t *tcp_ports, *udp_ports;
-
-/**
- * Get a TCP or UDP port list from strongswan.conf
- */
-static linked_list_t* get_port_list(char *label)
-{
-	char key[40], *value;
-	linked_list_t *list;
-	chunk_t port_list, port_item, port_start;
-	port_range_t *port_range;
-
-	list = linked_list_create();
-
-	snprintf(key, sizeof(key), "libimcv.plugins.imv-scanner.%s_ports", label);
-	value = lib->settings->get_str(lib->settings, key, NULL);
-	if (!value)
-	{
-		DBG1(DBG_IMV, "%s not defined", key);
-		return list;
-	}
-	port_list = chunk_create(value, strlen(value));
-	DBG2(DBG_IMV, "list of %s ports that %s:", label,
-		 closed_port_policy ? "are allowed to be open" : "must be closed");
-
-	while (eat_whitespace(&port_list))
-	{
-		if (!extract_token(&port_item, ' ', &port_list))
-		{
-			/* reached last port item */
-			port_item = port_list;
-			port_list = chunk_empty;
-		}
-		port_range = malloc_thing(port_range_t);
-		port_range->start = atoi(port_item.ptr);
-
-		if (extract_token(&port_start, '-', &port_item) && port_item.len)
-		{
-			port_range->stop = atoi(port_item.ptr);
-		}
-		else
-		{
-			port_range->stop = port_range->start;
-		}
-		DBG2(DBG_IMV, "%5u - %5u", port_range->start, port_range->stop);
-		list->insert_last(list, port_range);
-	}
-
-	return list;
-}
-
-
-/*
- * see section 3.8.1 of TCG TNC IF-IMV Specification 1.3
- */
-TNC_Result TNC_IMV_Initialize(TNC_IMVID imv_id,
-							  TNC_Version min_version,
-							  TNC_Version max_version,
-							  TNC_Version *actual_version)
-{
-	if (imv_scanner)
-	{
-		DBG1(DBG_IMV, "IMV \"%s\" has already been initialized", imv_name);
-		return TNC_RESULT_ALREADY_INITIALIZED;
-	}
-	imv_scanner = imv_agent_create(imv_name, msg_types, countof(msg_types),
-								   imv_id, actual_version);
-	if (!imv_scanner)
-	{
-		return TNC_RESULT_FATAL;
-	}
-	if (min_version > TNC_IFIMV_VERSION_1 || max_version < TNC_IFIMV_VERSION_1)
-	{
-		DBG1(DBG_IMV, "no common IF-IMV version");
-		return TNC_RESULT_NO_COMMON_VERSION;
-	}
-
-	/* set the default port policy to closed (TRUE) or open (FALSE) */
-	closed_port_policy = lib->settings->get_bool(lib->settings,
-						"libimcv.plugins.imv-scanner.closed_port_policy", TRUE);
-	DBG2(DBG_IMV, "default port policy is %s ports",
-						closed_port_policy ? "closed" : "open");
-
-	/* get the list of open|closed ports */
-	tcp_ports = get_port_list("tcp");
-	udp_ports = get_port_list("udp");
-
-	return TNC_RESULT_SUCCESS;
-}
-
-/**
- * see section 3.8.2 of TCG TNC IF-IMV Specification 1.3
- */
-TNC_Result TNC_IMV_NotifyConnectionChange(TNC_IMVID imv_id,
-										  TNC_ConnectionID connection_id,
-										  TNC_ConnectionState new_state)
-{
-	imv_state_t *state;
-
-	if (!imv_scanner)
-	{
-		DBG1(DBG_IMV, "IMV \"%s\" has not been initialized", imv_name);
-		return TNC_RESULT_NOT_INITIALIZED;
-	}
-	switch (new_state)
-	{
-		case TNC_CONNECTION_STATE_CREATE:
-			state = imv_scanner_state_create(connection_id);
-			return imv_scanner->create_state(imv_scanner, state);
-		case TNC_CONNECTION_STATE_DELETE:
-			return imv_scanner->delete_state(imv_scanner, connection_id);
-		default:
-			return imv_scanner->change_state(imv_scanner, connection_id,
-											 new_state, NULL);
-	}
-}
-
-static TNC_Result receive_message(imv_state_t *state, imv_msg_t *in_msg)
-{
-	imv_msg_t *out_msg;
-	enumerator_t *enumerator;
-	pa_tnc_attr_t *attr;
-	pen_type_t type;
-	TNC_Result result;
-	bool fatal_error = FALSE;
+/* include generic TGC TNC IF-IMV API code below */
 
-	/* parse received PA-TNC message and handle local and remote errors */
-	result = in_msg->receive(in_msg, &fatal_error);
-	if (result != TNC_RESULT_SUCCESS)
-	{
-		return result;
-	}
+#include <imv/imv_if.h>
 
-	/* analyze PA-TNC attributes */
-	enumerator = in_msg->create_attribute_enumerator(in_msg);
-	while (enumerator->enumerate(enumerator, &attr))
-	{
-		type = attr->get_type(attr);
-
-		if (type.vendor_id == PEN_IETF && type.type == IETF_ATTR_PORT_FILTER)
-		{
-			imv_scanner_state_t *imv_scanner_state;
-			ietf_attr_port_filter_t *attr_port_filter;
-			enumerator_t *enumerator;
-			u_int8_t protocol;
-			u_int16_t port;
-			bool blocked, compliant = TRUE;
-
-
-			imv_scanner_state = (imv_scanner_state_t*)state;
-			attr_port_filter = (ietf_attr_port_filter_t*)attr;
-			enumerator = attr_port_filter->create_port_enumerator(attr_port_filter);
-			while (enumerator->enumerate(enumerator, &blocked, &protocol, &port))
-			{
-				enumerator_t *e;
-				port_range_t *port_range;
-				bool passed, found = FALSE;
-				char buf[20];
-
-				if (blocked)
-				{
-					/* ignore closed ports */
-					continue;
-				}
-
-				e = (protocol == IPPROTO_TCP) ?
-							tcp_ports->create_enumerator(tcp_ports) :
-							udp_ports->create_enumerator(udp_ports);
-				while (e->enumerate(e, &port_range))
-				{
-					if (port >= port_range->start && port <= port_range->stop)
-					{
-						found = TRUE;
-						break;
-					}
-				}
-				e->destroy(e);
-
-				passed = (closed_port_policy == found);
-				DBG2(DBG_IMV, "%s port %5u %s: %s",
-					(protocol == IPPROTO_TCP) ? "tcp" : "udp", port,
-					 blocked ? "closed" : "open", passed ? "ok" : "fatal");
-				if (!passed)
-				{
-					compliant = FALSE;
-					snprintf(buf, sizeof(buf), "%s/%u",
-							(protocol == IPPROTO_TCP) ? "tcp" : "udp", port);
-					imv_scanner_state->add_violating_port(imv_scanner_state,
-														  strdup(buf));
-				}
-			}
-			enumerator->destroy(enumerator);
-
-			if (compliant)
-			{
-				state->set_recommendation(state,
-								TNC_IMV_ACTION_RECOMMENDATION_ALLOW,
-								TNC_IMV_EVALUATION_RESULT_COMPLIANT);
-			}
-			else
-			{
-				state->set_recommendation(state,
-								TNC_IMV_ACTION_RECOMMENDATION_NO_ACCESS,
-								TNC_IMV_EVALUATION_RESULT_NONCOMPLIANT_MAJOR);
-			}
-		}
-	}
-	enumerator->destroy(enumerator);
-
-	if (fatal_error)
-	{
-		state->set_recommendation(state,
-								TNC_IMV_ACTION_RECOMMENDATION_NO_RECOMMENDATION,
-								TNC_IMV_EVALUATION_RESULT_ERROR);
-	}
-
-	out_msg = imv_msg_create_as_reply(in_msg);
-	result = out_msg->send_assessment(out_msg);
-	out_msg->destroy(out_msg);
-	if (result != TNC_RESULT_SUCCESS)
-	{
-		return result;
-	}  
-	return imv_scanner->provide_recommendation(imv_scanner, state);
- }
-
-/**
- * see section 3.8.4 of TCG TNC IF-IMV Specification 1.3
- */
-TNC_Result TNC_IMV_ReceiveMessage(TNC_IMVID imv_id,
-								  TNC_ConnectionID connection_id,
-								  TNC_BufferReference msg,
-								  TNC_UInt32 msg_len,
-								  TNC_MessageType msg_type)
-{
-	imv_state_t *state;
-	imv_msg_t *in_msg;
-	TNC_Result result;
-
-	if (!imv_scanner)
-	{
-		DBG1(DBG_IMV, "IMV \"%s\" has not been initialized", imv_name);
-		return TNC_RESULT_NOT_INITIALIZED;
-	}
-	if (!imv_scanner->get_state(imv_scanner, connection_id, &state))
-	{
-		return TNC_RESULT_FATAL;
-	}
-
-	in_msg = imv_msg_create_from_data(imv_scanner, state, connection_id, msg_type,
-									  chunk_create(msg, msg_len));
-	result = receive_message(state, in_msg);
-	in_msg->destroy(in_msg);
-
-	return result;
-}
-
-/**
- * see section 3.8.6 of TCG TNC IF-IMV Specification 1.3
- */
-TNC_Result TNC_IMV_ReceiveMessageLong(TNC_IMVID imv_id,
-									  TNC_ConnectionID connection_id,
-									  TNC_UInt32 msg_flags,
-									  TNC_BufferReference msg,
-									  TNC_UInt32 msg_len,
-									  TNC_VendorID msg_vid,
-									  TNC_MessageSubtype msg_subtype,
-									  TNC_UInt32 src_imc_id,
-									  TNC_UInt32 dst_imv_id)
-{
-	imv_state_t *state;
-	imv_msg_t *in_msg;
-	TNC_Result result;
-
-	if (!imv_scanner)
-	{
-		DBG1(DBG_IMV, "IMV \"%s\" has not been initialized", imv_name);
-		return TNC_RESULT_NOT_INITIALIZED;
-	}
-	if (!imv_scanner->get_state(imv_scanner, connection_id, &state))
-	{
-		return TNC_RESULT_FATAL;
-	}
-	in_msg = imv_msg_create_from_long_data(imv_scanner, state, connection_id,
-								src_imc_id, dst_imv_id, msg_vid, msg_subtype,
-								chunk_create(msg, msg_len));
-	result =receive_message(state, in_msg);
-	in_msg->destroy(in_msg);
-
-	return result;
-}
-
-/**
- * see section 3.8.7 of TCG TNC IF-IMV Specification 1.3
- */
-TNC_Result TNC_IMV_SolicitRecommendation(TNC_IMVID imv_id,
-										 TNC_ConnectionID connection_id)
-{
-	imv_state_t *state;
-
-	if (!imv_scanner)
-	{
-		DBG1(DBG_IMV, "IMV \"%s\" has not been initialized", imv_name);
-		return TNC_RESULT_NOT_INITIALIZED;
-	}
-	if (!imv_scanner->get_state(imv_scanner, connection_id, &state))
-	{
-		return TNC_RESULT_FATAL;
-	}
-	return imv_scanner->provide_recommendation(imv_scanner, state);
-}
-
-/**
- * see section 3.8.8 of TCG TNC IF-IMV Specification 1.3
- */
-TNC_Result TNC_IMV_BatchEnding(TNC_IMVID imv_id,
-							   TNC_ConnectionID connection_id)
-{
-	imv_state_t *state;
-	imv_msg_t *out_msg;
-	pa_tnc_attr_t *attr;
-	TNC_IMV_Action_Recommendation rec;
-	TNC_IMV_Evaluation_Result eval;
-	TNC_Result result = TNC_RESULT_SUCCESS;
-
-	if (!imv_scanner)
-	{
-		DBG1(DBG_IMV, "IMV \"%s\" has not been initialized", imv_name);
-		return TNC_RESULT_NOT_INITIALIZED;
-	}
-	if (!imv_scanner->get_state(imv_scanner, connection_id, &state))
-	{
-		return TNC_RESULT_FATAL;
-	}
-	state->get_recommendation(state, &rec, &eval);
-	if (rec == TNC_IMV_ACTION_RECOMMENDATION_NO_RECOMMENDATION)
-	{
-		out_msg = imv_msg_create(imv_scanner, state, connection_id, imv_id,
-								 TNC_IMCID_ANY, msg_types[0]);
-		attr = ietf_attr_attr_request_create(PEN_IETF, IETF_ATTR_PORT_FILTER);
-		out_msg->add_attribute(out_msg, attr);
-
-		/* send PA-TNC message with excl flag not set */
-		result = out_msg->send(out_msg, FALSE);
-		out_msg->destroy(out_msg);
-
-	}
-	return result;
-}
-
-/**
- * see section 3.8.9 of TCG TNC IF-IMV Specification 1.3
- */
-TNC_Result TNC_IMV_Terminate(TNC_IMVID imv_id)
-{
-	if (!imv_scanner)
-	{
-		DBG1(DBG_IMV, "IMV \"%s\" has not been initialized", imv_name);
-		return TNC_RESULT_NOT_INITIALIZED;
-	}
-	tcp_ports->destroy_function(tcp_ports, free);
-	udp_ports->destroy_function(udp_ports, free);
-	imv_scanner->destroy(imv_scanner);
-	imv_scanner = NULL;
-
-	return TNC_RESULT_SUCCESS;
-}
-
-/**
- * see section 4.2.8.1 of TCG TNC IF-IMV Specification 1.3
- */
-TNC_Result TNC_IMV_ProvideBindFunction(TNC_IMVID imv_id,
-									   TNC_TNCS_BindFunctionPointer bind_function)
-{
-	if (!imv_scanner)
-	{
-		DBG1(DBG_IMV, "IMV \"%s\" has not been initialized", imv_name);
-		return TNC_RESULT_NOT_INITIALIZED;
-	}
-	return imv_scanner->bind_functions(imv_scanner, bind_function);
-}
diff --git a/src/libimcv/plugins/imv_scanner/imv_scanner_agent.c b/src/libimcv/plugins/imv_scanner/imv_scanner_agent.c
new file mode 100644
index 000000000..d1e093137
--- /dev/null
+++ b/src/libimcv/plugins/imv_scanner/imv_scanner_agent.c
@@ -0,0 +1,526 @@
+/*
+ * Copyright (C) 2013 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "imv_scanner_agent.h"
+#include "imv_scanner_state.h"
+
+#include <imcv.h>
+#include <imv/imv_agent.h>
+#include <imv/imv_msg.h>
+#include <ietf/ietf_attr.h>
+#include <ietf/ietf_attr_attr_request.h>
+#include <ietf/ietf_attr_pa_tnc_error.h>
+#include <ietf/ietf_attr_port_filter.h>
+
+#include <tncif_names.h>
+#include <tncif_pa_subtypes.h>
+
+#include <pen/pen.h>
+#include <utils/debug.h>
+#include <utils/lexparser.h>
+
+typedef struct private_imv_scanner_agent_t private_imv_scanner_agent_t;
+
+/* Subscribed PA-TNC message subtypes */
+static pen_type_t msg_types[] = {
+	{ PEN_IETF, PA_SUBTYPE_IETF_VPN }
+};
+
+/**
+ * Private data of an imv_scanner_agent_t object.
+ */
+struct private_imv_scanner_agent_t {
+
+	/**
+	 * Public members of imv_scanner_agent_t
+	 */
+	imv_agent_if_t public;
+
+	/**
+	 * IMV agent responsible for generic functions
+	 */
+	imv_agent_t *agent;
+
+};
+
+METHOD(imv_agent_if_t, bind_functions, TNC_Result,
+	private_imv_scanner_agent_t *this, TNC_TNCS_BindFunctionPointer bind_function)
+{
+	return this->agent->bind_functions(this->agent, bind_function);
+}
+
+METHOD(imv_agent_if_t, notify_connection_change, TNC_Result,
+	private_imv_scanner_agent_t *this, TNC_ConnectionID id,
+	TNC_ConnectionState new_state)
+{
+	imv_state_t *state;
+
+	switch (new_state)
+	{
+		case TNC_CONNECTION_STATE_CREATE:
+			state = imv_scanner_state_create(id);
+			return this->agent->create_state(this->agent, state);
+		case TNC_CONNECTION_STATE_DELETE:
+			return this->agent->delete_state(this->agent, id);
+		default:
+			return this->agent->change_state(this->agent, id, new_state, NULL);
+	}
+}
+
+/**
+ * Process a received message
+ */
+static TNC_Result receive_msg(private_imv_scanner_agent_t *this,
+							  imv_state_t *state, imv_msg_t *in_msg)
+{
+	imv_msg_t *out_msg;
+	imv_scanner_state_t *scanner_state;
+	enumerator_t *enumerator;
+	pa_tnc_attr_t *attr;
+	pen_type_t type;
+	TNC_Result result;
+	ietf_attr_port_filter_t *port_filter_attr;
+	bool fatal_error = FALSE;
+
+	/* parse received PA-TNC message and handle local and remote errors */
+	result = in_msg->receive(in_msg, &fatal_error);
+	if (result != TNC_RESULT_SUCCESS)
+	{
+		return result;
+	}
+
+	/* analyze PA-TNC attributes */
+	enumerator = in_msg->create_attribute_enumerator(in_msg);
+	while (enumerator->enumerate(enumerator, &attr))
+	{
+		type = attr->get_type(attr);
+
+		if (type.vendor_id == PEN_IETF && type.type == IETF_ATTR_PORT_FILTER)
+		{
+			scanner_state = (imv_scanner_state_t*)state;
+			port_filter_attr = (ietf_attr_port_filter_t*)attr->get_ref(attr);
+			scanner_state->set_port_filter_attr(scanner_state, port_filter_attr);
+		}
+	}
+	enumerator->destroy(enumerator);
+
+	if (fatal_error)
+	{
+		state->set_recommendation(state,
+								TNC_IMV_ACTION_RECOMMENDATION_NO_RECOMMENDATION,
+								TNC_IMV_EVALUATION_RESULT_ERROR);
+		out_msg = imv_msg_create_as_reply(in_msg);
+		result = out_msg->send_assessment(out_msg);
+		out_msg->destroy(out_msg);
+		if (result != TNC_RESULT_SUCCESS)
+		{
+			return result;
+		}
+		return this->agent->provide_recommendation(this->agent, state);
+	}
+
+	return TNC_RESULT_SUCCESS;
+}
+
+METHOD(imv_agent_if_t, receive_message, TNC_Result,
+	private_imv_scanner_agent_t *this, TNC_ConnectionID id,
+	TNC_MessageType msg_type, chunk_t msg)
+{
+	imv_state_t *state;
+	imv_msg_t *in_msg;
+	TNC_Result result;
+
+	if (!this->agent->get_state(this->agent, id, &state))
+	{
+		return TNC_RESULT_FATAL;
+	}
+	in_msg = imv_msg_create_from_data(this->agent, state, id, msg_type, msg);
+	result = receive_msg(this, state, in_msg);
+	in_msg->destroy(in_msg);
+
+	return result;
+}
+
+METHOD(imv_agent_if_t, receive_message_long, TNC_Result,
+	private_imv_scanner_agent_t *this, TNC_ConnectionID id,
+	TNC_UInt32 src_imc_id, TNC_UInt32 dst_imv_id,
+	TNC_VendorID msg_vid, TNC_MessageSubtype msg_subtype, chunk_t msg)
+{
+	imv_state_t *state;
+	imv_msg_t *in_msg;
+	TNC_Result result;
+
+	if (!this->agent->get_state(this->agent, id, &state))
+	{
+		return TNC_RESULT_FATAL;
+	}
+	in_msg = imv_msg_create_from_long_data(this->agent, state, id,
+					src_imc_id, dst_imv_id, msg_vid, msg_subtype, msg);
+	result = receive_msg(this, state, in_msg);
+	in_msg->destroy(in_msg);
+
+	return result;
+
+}
+
+typedef struct port_range_t port_range_t;
+
+struct port_range_t {
+	u_int16_t start, stop;
+};
+
+/**
+ * Parse a TCP or UDP port list from an argument string
+ */
+static linked_list_t* get_port_list(u_int8_t protocol_family,
+									bool closed_port_policy, char *arg_str)
+{
+	chunk_t port_list, port_item, port_start;
+	port_range_t *port_range;
+	linked_list_t *list;
+
+	list = linked_list_create();
+
+	port_list = chunk_from_str(arg_str);
+	DBG2(DBG_IMV, "list of %s ports that %s:",
+		 (protocol_family == IPPROTO_TCP) ? "tcp" : "udp",
+		 closed_port_policy ? "are allowed to be open" : "must be closed");
+
+	while (eat_whitespace(&port_list))
+	{
+		if (!extract_token(&port_item, ' ', &port_list))
+		{
+			/* reached last port item */
+			port_item = port_list;
+			port_list = chunk_empty;
+		}
+		port_range = malloc_thing(port_range_t);
+		port_range->start = atoi(port_item.ptr);
+
+		if (extract_token(&port_start, '-', &port_item) && port_item.len)
+		{
+			port_range->stop = atoi(port_item.ptr);
+		}
+		else
+		{
+			port_range->stop = port_range->start;
+		}
+		DBG2(DBG_IMV, "%5u - %5u", port_range->start, port_range->stop);
+		list->insert_last(list, port_range);
+	}
+
+	return list;
+}
+
+METHOD(imv_agent_if_t, batch_ending, TNC_Result,
+	private_imv_scanner_agent_t *this, TNC_ConnectionID id)
+{
+	imv_msg_t *out_msg;
+	imv_state_t *state;
+	imv_session_t *session;
+	imv_workitem_t *workitem;
+	imv_scanner_state_t *scanner_state;
+	imv_scanner_handshake_state_t handshake_state;
+	pa_tnc_attr_t *attr;
+	ietf_attr_port_filter_t *port_filter_attr;
+	TNC_IMVID imv_id;
+	TNC_Result result = TNC_RESULT_SUCCESS;
+	bool no_workitems = TRUE;
+	enumerator_t *enumerator;
+
+	if (!this->agent->get_state(this->agent, id, &state))
+	{
+		return TNC_RESULT_FATAL;
+	}
+	scanner_state = (imv_scanner_state_t*)state;
+	handshake_state = scanner_state->get_handshake_state(scanner_state);
+	port_filter_attr = scanner_state->get_port_filter_attr(scanner_state);
+	session = state->get_session(state);
+	imv_id = this->agent->get_id(this->agent);
+
+	if (handshake_state == IMV_SCANNER_STATE_END)
+	{
+		return TNC_RESULT_SUCCESS;
+	}
+
+	/* create an empty out message - we might need it */
+	out_msg = imv_msg_create(this->agent, state, id, imv_id, TNC_IMCID_ANY,
+							 msg_types[0]);
+
+	if (!session)
+	{
+		DBG2(DBG_IMV, "no workitems available - no evaluation possible");
+		state->set_recommendation(state,
+							TNC_IMV_ACTION_RECOMMENDATION_ALLOW,
+							TNC_IMV_EVALUATION_RESULT_DONT_KNOW);
+		result = out_msg->send_assessment(out_msg);
+		out_msg->destroy(out_msg);
+		scanner_state->set_handshake_state(scanner_state, IMV_SCANNER_STATE_END);
+
+		if (result != TNC_RESULT_SUCCESS)
+		{
+			return result;
+		}
+		return this->agent->provide_recommendation(this->agent, state);
+	}
+
+	if (handshake_state == IMV_SCANNER_STATE_INIT)
+	{
+		enumerator = session->create_workitem_enumerator(session);
+		if (enumerator)
+		{
+			while (enumerator->enumerate(enumerator, &workitem))
+			{
+				if (workitem->get_imv_id(workitem) != TNC_IMVID_ANY)
+				{
+					continue;
+				}
+
+				switch (workitem->get_type(workitem))
+				{
+					case IMV_WORKITEM_TCP_PORT_OPEN:
+					case IMV_WORKITEM_TCP_PORT_BLOCK:
+					case IMV_WORKITEM_UDP_PORT_OPEN:
+					case IMV_WORKITEM_UDP_PORT_BLOCK:
+						if (!port_filter_attr &&
+							handshake_state != IMV_SCANNER_STATE_ATTR_REQ)
+						{
+							attr = ietf_attr_attr_request_create(PEN_IETF,
+											IETF_ATTR_PORT_FILTER);
+							out_msg->add_attribute(out_msg, attr);
+							handshake_state = IMV_SCANNER_STATE_ATTR_REQ;
+						}
+						break;
+					default:
+						continue;
+				}
+				workitem->set_imv_id(workitem, imv_id);
+				no_workitems = FALSE;
+			}
+			enumerator->destroy(enumerator);
+
+			if (no_workitems)
+			{
+				DBG2(DBG_IMV, "IMV %d has no workitems - "
+							  "no evaluation requested", imv_id);
+				state->set_recommendation(state,
+								TNC_IMV_ACTION_RECOMMENDATION_ALLOW,
+								TNC_IMV_EVALUATION_RESULT_DONT_KNOW);
+			}
+			handshake_state = IMV_SCANNER_STATE_WORKITEMS;
+			scanner_state->set_handshake_state(scanner_state, handshake_state);
+		}
+	}
+
+	if (handshake_state == IMV_SCANNER_STATE_WORKITEMS && port_filter_attr)
+	{
+		TNC_IMV_Evaluation_Result eval;
+		TNC_IMV_Action_Recommendation rec;
+		u_int8_t protocol_family, protocol;
+		u_int16_t port;
+		bool closed_port_policy, blocked, first;
+		char result_str[BUF_LEN], *pos, *protocol_str;
+		size_t len;
+		int written;
+		linked_list_t *port_list;
+		enumerator_t *e1, *e2;
+
+		enumerator = session->create_workitem_enumerator(session);
+		while (enumerator->enumerate(enumerator, &workitem))
+		{
+			if (workitem->get_imv_id(workitem) != imv_id)
+			{
+				continue;
+			}
+			eval = TNC_IMV_EVALUATION_RESULT_COMPLIANT;
+
+			switch (workitem->get_type(workitem))
+			{
+				case IMV_WORKITEM_TCP_PORT_OPEN:
+					protocol_family = IPPROTO_TCP;
+					closed_port_policy = TRUE;
+					break;
+				case IMV_WORKITEM_TCP_PORT_BLOCK:
+					protocol_family = IPPROTO_TCP;
+					closed_port_policy = FALSE;
+					break;
+				case IMV_WORKITEM_UDP_PORT_OPEN:
+					protocol_family = IPPROTO_UDP;
+					closed_port_policy = TRUE;
+					break;
+				case IMV_WORKITEM_UDP_PORT_BLOCK:
+					protocol_family = IPPROTO_UDP;
+					closed_port_policy = FALSE;
+					break;
+				default:
+					continue;
+			}
+			port_list = get_port_list(protocol_family, closed_port_policy,
+									  workitem->get_arg_str(workitem));
+			protocol_str = (protocol_family == IPPROTO_TCP) ? "tcp" : "udp";
+			result_str[0] = '\0';
+			pos = result_str;
+			len = BUF_LEN;
+			first = TRUE;
+
+			e1 = port_filter_attr->create_port_enumerator(port_filter_attr);
+			while (e1->enumerate(e1, &blocked, &protocol, &port))
+			{
+				port_range_t *port_range;
+				bool passed, found = FALSE;
+				char buf[20];
+
+				if (blocked || protocol != protocol_family)
+				{
+					/* ignore closed ports or non-matching protocols */
+					continue;
+				}
+
+				e2 = port_list->create_enumerator(port_list);
+				while (e2->enumerate(e2, &port_range))
+				{
+					if (port >= port_range->start && port <= port_range->stop)
+					{
+						found = TRUE;
+						break;
+					}
+				}
+				e2->destroy(e2);
+
+				passed = (closed_port_policy == found);
+				DBG2(DBG_IMV, "%s port %5u open: %s", protocol_str, port,
+							   passed ? "ok" : "fatal");
+				if (!passed)
+				{
+					eval = TNC_IMV_EVALUATION_RESULT_NONCOMPLIANT_MINOR;
+					snprintf(buf, sizeof(buf), "%s/%u", protocol_str, port);
+					scanner_state->add_violating_port(scanner_state, strdup(buf));
+					if (first)
+					{
+						written = snprintf(pos, len, "violating %s ports:",
+													  protocol_str);
+						if (written > 0 && written < len)
+						{
+							pos += written;
+							len -= written;
+						}
+						first = FALSE;
+					}
+					written = snprintf(pos, len, " %u", port);
+					if (written < 0 || written >= len)
+					{
+						pos += len - 1;
+						*pos = '\0';
+					}
+					else
+					{
+						pos += written;
+						len -= written;
+					}
+				}
+			}
+			e1->destroy(e1);
+
+			if (first)
+			{
+				snprintf(pos, len, "no violating %s ports", protocol_str);
+			}
+			port_list->destroy(port_list);
+
+			session->remove_workitem(session, enumerator);
+			rec = workitem->set_result(workitem, result_str, eval);
+			state->update_recommendation(state, rec, eval);
+			imcv_db->finalize_workitem(imcv_db, workitem);
+			workitem->destroy(workitem);
+		}
+		enumerator->destroy(enumerator);
+	}
+
+	/* finalized all workitems ? */
+	if (handshake_state == IMV_SCANNER_STATE_WORKITEMS &&
+		session->get_workitem_count(session, imv_id) == 0)
+	{
+		result = out_msg->send_assessment(out_msg);
+		out_msg->destroy(out_msg);
+		scanner_state->set_handshake_state(scanner_state, IMV_SCANNER_STATE_END);
+
+		if (result != TNC_RESULT_SUCCESS)
+		{
+			return result;
+		}
+		return this->agent->provide_recommendation(this->agent, state);
+	}
+
+	/* send non-empty PA-TNC message with excl flag not set */
+	if (out_msg->get_attribute_count(out_msg))
+	{
+		result = out_msg->send(out_msg, FALSE);
+	}
+	out_msg->destroy(out_msg);
+
+	return result;
+}
+
+METHOD(imv_agent_if_t, solicit_recommendation, TNC_Result,
+	private_imv_scanner_agent_t *this, TNC_ConnectionID id)
+{
+	imv_state_t *state;
+
+	if (!this->agent->get_state(this->agent, id, &state))
+	{
+		return TNC_RESULT_FATAL;
+	}
+	return this->agent->provide_recommendation(this->agent, state);
+}
+
+METHOD(imv_agent_if_t, destroy, void,
+	private_imv_scanner_agent_t *this)
+{
+	this->agent->destroy(this->agent);
+	free(this);
+}
+
+/**
+ * Described in header.
+ */
+imv_agent_if_t *imv_scanner_agent_create(const char *name, TNC_IMVID id,
+										 TNC_Version *actual_version)
+{
+	private_imv_scanner_agent_t *this;
+	imv_agent_t *agent;
+
+	agent = imv_agent_create(name, msg_types, countof(msg_types), id,
+							 actual_version);
+	if (!agent)
+	{
+		return NULL;
+	}
+
+	INIT(this,
+		.public = {
+			.bind_functions = _bind_functions,
+			.notify_connection_change = _notify_connection_change,
+			.receive_message = _receive_message,
+			.receive_message_long = _receive_message_long,
+			.batch_ending = _batch_ending,
+			.solicit_recommendation = _solicit_recommendation,
+			.destroy = _destroy,
+		},
+		.agent = agent,
+	);
+
+	return &this->public;
+}
+
diff --git a/src/libimcv/plugins/imv_scanner/imv_scanner_agent.h b/src/libimcv/plugins/imv_scanner/imv_scanner_agent.h
new file mode 100644
index 000000000..155453363
--- /dev/null
+++ b/src/libimcv/plugins/imv_scanner/imv_scanner_agent.h
@@ -0,0 +1,36 @@
+/*
+ * Copyright (C) 2013 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup imv_scanner_agent_t imv_scanner_agent
+ * @{ @ingroup imv_scanner
+ */
+
+#ifndef IMV_SCANNER_AGENT_H_
+#define IMV_SCANNER_AGENT_H_
+
+#include <imv/imv_agent_if.h>
+
+/**
+ * Creates a Scanner IMV agent
+ *
+ * @param name					Name of the IMV
+ * @param id					ID of the IMV
+ * @param actual_version		TNC IF-IMV version
+ */
+imv_agent_if_t* imv_scanner_agent_create(const char* name, TNC_IMVID id,
+										 TNC_Version *actual_version);
+
+#endif /** IMV_SCANNER_AGENT_H_ @}*/
diff --git a/src/libimcv/plugins/imv_scanner/imv_scanner_state.c b/src/libimcv/plugins/imv_scanner/imv_scanner_state.c
index 2123af7a8..4c570c46a 100644
--- a/src/libimcv/plugins/imv_scanner/imv_scanner_state.c
+++ b/src/libimcv/plugins/imv_scanner/imv_scanner_state.c
@@ -18,6 +18,8 @@
 #include "imv/imv_reason_string.h"
 #include "imv/imv_remediation_string.h"
 
+#include <tncif_policy.h>
+
 #include <utils/lexparser.h>
 #include <utils/debug.h>
 
@@ -58,6 +60,11 @@ struct private_imv_scanner_state_t {
 	 */
 	u_int32_t max_msg_len;
 
+	/**
+	 * Flags set for completed actions
+	 */
+	u_int32_t action_flags;
+
 	/**
 	 * Access Requestor ID Type
 	 */
@@ -68,6 +75,11 @@ struct private_imv_scanner_state_t {
 	 */
 	chunk_t ar_id_value;
 
+	/**
+	 * IMV database session associatied with TNCCS connection
+	 */
+	imv_session_t *session;
+
 	/**
 	 * IMV action recommendation
 	 */
@@ -78,6 +90,16 @@ struct private_imv_scanner_state_t {
 	 */
 	TNC_IMV_Evaluation_Result eval;
 
+	/**
+	 * IMV Scanner handshake state
+	 */
+	imv_scanner_handshake_state_t handshake_state;
+
+	/**
+	 * Copy of the received IEEE Port Filter attribute
+	 */
+	 ietf_attr_port_filter_t *port_filter_attr;
+
 	/**
 	 * List with ports that should be closed
 	 */
@@ -175,6 +197,18 @@ METHOD(imv_state_t, get_max_msg_len, u_int32_t,
 	return this->max_msg_len;
 }
 
+METHOD(imv_state_t, set_action_flags, void,
+	private_imv_scanner_state_t *this, u_int32_t flags)
+{
+	this->action_flags |= flags;
+}
+
+METHOD(imv_state_t, get_action_flags, u_int32_t,
+	private_imv_scanner_state_t *this)
+{
+	return this->action_flags;
+}
+
 METHOD(imv_state_t, set_ar_id, void,
 	private_imv_scanner_state_t *this, u_int32_t id_type, chunk_t id_value)
 {
@@ -192,6 +226,18 @@ METHOD(imv_state_t, get_ar_id, chunk_t,
 	return this->ar_id_value;
 }
 
+METHOD(imv_state_t, set_session, void,
+	private_imv_scanner_state_t *this, imv_session_t *session)
+{
+	this->session = session;
+}
+
+METHOD(imv_state_t, get_session, imv_session_t*,
+	private_imv_scanner_state_t *this)
+{
+	return this->session;
+}
+
 METHOD(imv_state_t, change_state, void,
 	private_imv_scanner_state_t *this, TNC_ConnectionState new_state)
 {
@@ -200,7 +246,7 @@ METHOD(imv_state_t, change_state, void,
 
 METHOD(imv_state_t, get_recommendation, void,
 	private_imv_scanner_state_t *this, TNC_IMV_Action_Recommendation *rec,
-									TNC_IMV_Evaluation_Result *eval)
+									   TNC_IMV_Evaluation_Result *eval)
 {
 	*rec = this->rec;
 	*eval = this->eval;
@@ -208,17 +254,25 @@ METHOD(imv_state_t, get_recommendation, void,
 
 METHOD(imv_state_t, set_recommendation, void,
 	private_imv_scanner_state_t *this, TNC_IMV_Action_Recommendation rec,
-									TNC_IMV_Evaluation_Result eval)
+									   TNC_IMV_Evaluation_Result eval)
 {
 	this->rec = rec;
 	this->eval = eval;
 }
 
+METHOD(imv_state_t, update_recommendation, void,
+	private_imv_scanner_state_t *this, TNC_IMV_Action_Recommendation rec,
+									   TNC_IMV_Evaluation_Result eval)
+{
+	this->rec  = tncif_policy_update_recommendation(this->rec, rec);
+	this->eval = tncif_policy_update_evaluation(this->eval, eval);
+}
+
 METHOD(imv_state_t, get_reason_string, bool,
 	private_imv_scanner_state_t *this, enumerator_t *language_enumerator,
 	chunk_t *reason_string, char **reason_language)
 {
-	if (!this->violating_ports)
+	if (this->violating_ports->get_count(this->violating_ports) == 0)
 	{
 		return FALSE;
 	}
@@ -228,7 +282,10 @@ METHOD(imv_state_t, get_reason_string, bool,
 	/* Instantiate a TNC Reason String object */
 	DESTROY_IF(this->reason_string);
 	this->reason_string = imv_reason_string_create(*reason_language);
-	this->reason_string->add_reason(this->reason_string, reasons);
+	if (this->rec != TNC_IMV_ACTION_RECOMMENDATION_NO_RECOMMENDATION)
+	{
+		this->reason_string->add_reason(this->reason_string, reasons);
+	}
 	*reason_string = this->reason_string->get_encoding(this->reason_string);
 
 	return TRUE;
@@ -238,7 +295,7 @@ METHOD(imv_state_t, get_remediation_instructions, bool,
 	private_imv_scanner_state_t *this, enumerator_t *language_enumerator,
 	chunk_t *string, char **lang_code, char **uri)
 {
-	if (!this->violating_ports)
+	if (this->violating_ports->get_count(this->violating_ports) == 0)
 	{
 		return FALSE;
 	}
@@ -265,13 +322,40 @@ METHOD(imv_state_t, get_remediation_instructions, bool,
 METHOD(imv_state_t, destroy, void,
 	private_imv_scanner_state_t *this)
 {
+	DESTROY_IF(this->session);
 	DESTROY_IF(this->reason_string);
 	DESTROY_IF(this->remediation_string);
+	DESTROY_IF(&this->port_filter_attr->pa_tnc_attribute);
 	this->violating_ports->destroy_function(this->violating_ports, free);
 	free(this->ar_id_value.ptr);
 	free(this);
 }
 
+METHOD(imv_scanner_state_t, set_handshake_state, void,
+	private_imv_scanner_state_t *this, imv_scanner_handshake_state_t new_state)
+{
+	this->handshake_state = new_state;
+}
+
+METHOD(imv_scanner_state_t, get_handshake_state, imv_scanner_handshake_state_t,
+	private_imv_scanner_state_t *this)
+{
+	return this->handshake_state;
+}
+
+METHOD(imv_scanner_state_t, set_port_filter_attr, void,
+	private_imv_scanner_state_t *this, ietf_attr_port_filter_t *attr)
+{
+	DESTROY_IF(&this->port_filter_attr->pa_tnc_attribute);
+	this->port_filter_attr = attr;
+}
+
+METHOD(imv_scanner_state_t, get_port_filter_attr, ietf_attr_port_filter_t*,
+	private_imv_scanner_state_t *this)
+{
+	return this->port_filter_attr;
+}
+
 METHOD(imv_scanner_state_t, add_violating_port, void,
 	private_imv_scanner_state_t *this, char *port)
 {
@@ -294,15 +378,24 @@ imv_state_t *imv_scanner_state_create(TNC_ConnectionID connection_id)
 				.set_flags = _set_flags,
 				.set_max_msg_len = _set_max_msg_len,
 				.get_max_msg_len = _get_max_msg_len,
+				.set_action_flags = _set_action_flags,
+				.get_action_flags = _get_action_flags,
 				.set_ar_id = _set_ar_id,
 				.get_ar_id = _get_ar_id,
+				.set_session = _set_session,
+				.get_session= _get_session,
 				.change_state = _change_state,
 				.get_recommendation = _get_recommendation,
 				.set_recommendation = _set_recommendation,
+				.update_recommendation = _update_recommendation,
 				.get_reason_string = _get_reason_string,
 				.get_remediation_instructions = _get_remediation_instructions,
 				.destroy = _destroy,
 			},
+			.set_handshake_state = _set_handshake_state,
+			.get_handshake_state = _get_handshake_state,
+			.set_port_filter_attr = _set_port_filter_attr,
+			.get_port_filter_attr = _get_port_filter_attr,
 			.add_violating_port = _add_violating_port,
 		},
 		.state = TNC_CONNECTION_STATE_CREATE,
diff --git a/src/libimcv/plugins/imv_scanner/imv_scanner_state.h b/src/libimcv/plugins/imv_scanner/imv_scanner_state.h
index a15eb0778..7f147f864 100644
--- a/src/libimcv/plugins/imv_scanner/imv_scanner_state.h
+++ b/src/libimcv/plugins/imv_scanner/imv_scanner_state.h
@@ -1,5 +1,6 @@
 /*
- * Copyright (C) 2011 Andreas Steffen, HSR Hochschule fuer Technik Rapperswil
+ * Copyright (C) 2011-2013 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the
@@ -24,9 +25,22 @@
 #define IMV_SCANNER_STATE_H_
 
 #include <imv/imv_state.h>
+#include <ietf/ietf_attr_port_filter.h>
+
 #include <library.h>
 
 typedef struct imv_scanner_state_t imv_scanner_state_t;
+typedef enum imv_scanner_handshake_state_t imv_scanner_handshake_state_t;
+
+/**
+ * IMV Scanner Handshake States (state machine)
+ */
+enum imv_scanner_handshake_state_t {
+	IMV_SCANNER_STATE_INIT,
+	IMV_SCANNER_STATE_ATTR_REQ,
+	IMV_SCANNER_STATE_WORKITEMS,
+	IMV_SCANNER_STATE_END
+};
 
 /**
  * Internal state of an imv_scanner_t connection instance
@@ -38,6 +52,36 @@ struct imv_scanner_state_t {
 	 */
 	imv_state_t interface;
 
+	/**
+	 * Set state of the handshake
+	 *
+	 * @param new_state			the handshake state of IMV
+	 */
+	void (*set_handshake_state)(imv_scanner_state_t *this,
+								imv_scanner_handshake_state_t new_state);
+
+	/**
+	 * Get state of the handshake
+	 *
+	 * @return					the handshake state of IMV
+	 */
+	imv_scanner_handshake_state_t (*get_handshake_state)(imv_scanner_state_t *this);
+
+	/**
+	 * Store an IETF Port Filter attribute for later evaluation
+	 *
+	 * @param attr				IETF Port Filter attribute
+	 */
+	void (*set_port_filter_attr)(imv_scanner_state_t *this,
+								 ietf_attr_port_filter_t *attr);
+
+	/**
+	 * Get the stored IETF Port Filter attribute
+	 *
+	 * @return					IETF Port Filter attribute
+	 */
+	ietf_attr_port_filter_t* (*get_port_filter_attr)(imv_scanner_state_t *this);
+
 	/**
 	 * add a violating TCP or UDP port
 	 */
diff --git a/src/libimcv/plugins/imv_test/Makefile.am b/src/libimcv/plugins/imv_test/Makefile.am
index 4ca5b852b..34922867e 100644
--- a/src/libimcv/plugins/imv_test/Makefile.am
+++ b/src/libimcv/plugins/imv_test/Makefile.am
@@ -1,15 +1,18 @@
-
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libtncif \
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libtncif \
 	-I$(top_srcdir)/src/libimcv
 
-AM_CFLAGS = -rdynamic
+AM_CFLAGS = \
+	-rdynamic
 
 imcv_LTLIBRARIES = imv-test.la
 
 imv_test_la_LIBADD = $(top_builddir)/src/libimcv/libimcv.la \
 	$(top_builddir)/src/libstrongswan/libstrongswan.la
 
-imv_test_la_SOURCES = imv_test.c imv_test_state.h imv_test_state.c
+imv_test_la_SOURCES = \
+	imv_test.c imv_test_state.h imv_test_state.c \
+	imv_test_agent.h imv_test_agent.c
 
 imv_test_la_LDFLAGS = -module -avoid-version
-
diff --git a/src/libimcv/plugins/imv_test/Makefile.in b/src/libimcv/plugins/imv_test/Makefile.in
index 4cf92ddf5..e77573395 100644
--- a/src/libimcv/plugins/imv_test/Makefile.in
+++ b/src/libimcv/plugins/imv_test/Makefile.in
@@ -62,7 +62,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
@@ -100,9 +100,13 @@ am__installdirs = "$(DESTDIR)$(imcvdir)"
 LTLIBRARIES = $(imcv_LTLIBRARIES)
 imv_test_la_DEPENDENCIES = $(top_builddir)/src/libimcv/libimcv.la \
 	$(top_builddir)/src/libstrongswan/libstrongswan.la
-am_imv_test_la_OBJECTS = imv_test.lo imv_test_state.lo
+am_imv_test_la_OBJECTS = imv_test.lo imv_test_state.lo \
+	imv_test_agent.lo
 imv_test_la_OBJECTS = $(am_imv_test_la_OBJECTS)
-imv_test_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+imv_test_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
 	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
 	$(imv_test_la_LDFLAGS) $(LDFLAGS) -o $@
 DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
@@ -111,13 +115,26 @@ am__depfiles_maybe = depfiles
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
 SOURCES = $(imv_test_la_SOURCES)
 DIST_SOURCES = $(imv_test_la_SOURCES)
 am__can_run_installinfo = \
@@ -131,6 +148,7 @@ DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
@@ -143,6 +161,8 @@ CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
 CHECK_CFLAGS = @CHECK_CFLAGS@
 CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -158,6 +178,7 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
 GPRBUILD = @GPRBUILD@
 GREP = @GREP@
@@ -166,6 +187,7 @@ INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -212,6 +234,7 @@ SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -240,6 +263,7 @@ charon_natt_port = @charon_natt_port@
 charon_plugins = @charon_plugins@
 charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
@@ -317,15 +341,22 @@ top_srcdir = @top_srcdir@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libtncif \
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libtncif \
 	-I$(top_srcdir)/src/libimcv
 
-AM_CFLAGS = -rdynamic
+AM_CFLAGS = \
+	-rdynamic
+
 imcv_LTLIBRARIES = imv-test.la
 imv_test_la_LIBADD = $(top_builddir)/src/libimcv/libimcv.la \
 	$(top_builddir)/src/libstrongswan/libstrongswan.la
 
-imv_test_la_SOURCES = imv_test.c imv_test_state.h imv_test_state.c
+imv_test_la_SOURCES = \
+	imv_test.c imv_test_state.h imv_test_state.c \
+	imv_test_agent.h imv_test_agent.c
+
 imv_test_la_LDFLAGS = -module -avoid-version
 all: all-am
 
@@ -394,7 +425,7 @@ clean-imcvLTLIBRARIES:
 	  rm -f "$${dir}/so_locations"; \
 	done
 imv-test.la: $(imv_test_la_OBJECTS) $(imv_test_la_DEPENDENCIES) $(EXTRA_imv_test_la_DEPENDENCIES) 
-	$(imv_test_la_LINK) -rpath $(imcvdir) $(imv_test_la_OBJECTS) $(imv_test_la_LIBADD) $(LIBS)
+	$(AM_V_CCLD)$(imv_test_la_LINK) -rpath $(imcvdir) $(imv_test_la_OBJECTS) $(imv_test_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -403,28 +434,29 @@ distclean-compile:
 	-rm -f *.tab.c
 
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/imv_test.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/imv_test_agent.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/imv_test_state.Plo@am__quote@
 
 .c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
 mostlyclean-libtool:
 	-rm -f *.lo
diff --git a/src/libimcv/plugins/imv_test/imv_test.c b/src/libimcv/plugins/imv_test/imv_test.c
index df45ce69a..964faef65 100644
--- a/src/libimcv/plugins/imv_test/imv_test.c
+++ b/src/libimcv/plugins/imv_test/imv_test.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2011-2012 Andreas Steffen
+ * Copyright (C) 2013 Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -13,350 +13,12 @@
  * for more details.
  */
 
-#include "imv_test_state.h"
-
-#include <imv/imv_agent.h>
-#include <imv/imv_msg.h>
-#include <ietf/ietf_attr.h>
-#include <ietf/ietf_attr_pa_tnc_error.h>
-#include <ita/ita_attr.h>
-#include <ita/ita_attr_command.h>
-#include <ita/ita_attr_dummy.h>
-
-#include <tncif_names.h>
-#include <tncif_pa_subtypes.h>
-
-#include <pen/pen.h>
-#include <utils/debug.h>
-
-/* IMV definitions */
+#include "imv_test_agent.h"
 
 static const char imv_name[] = "Test";
+static const imv_agent_create_t imv_agent_create = imv_test_agent_create;
 
-static pen_type_t msg_types[] = {
-	{ PEN_ITA, PA_SUBTYPE_ITA_TEST }
-};
-
-static imv_agent_t *imv_test;
-
-/**
- * see section 3.8.1 of TCG TNC IF-IMV Specification 1.3
- */
-TNC_Result TNC_IMV_Initialize(TNC_IMVID imv_id,
-							  TNC_Version min_version,
-							  TNC_Version max_version,
-							  TNC_Version *actual_version)
-{
-	if (imv_test)
-	{
-		DBG1(DBG_IMV, "IMV \"%s\" has already been initialized", imv_name);
-		return TNC_RESULT_ALREADY_INITIALIZED;
-	}
-	imv_test = imv_agent_create(imv_name, msg_types, countof(msg_types),
-								imv_id, actual_version);
-	if (!imv_test)
-	{
-		return TNC_RESULT_FATAL;
-	}
-	if (min_version > TNC_IFIMV_VERSION_1 || max_version < TNC_IFIMV_VERSION_1)
-	{
-		DBG1(DBG_IMV, "no common IF-IMV version");
-		return TNC_RESULT_NO_COMMON_VERSION;
-	}
-	return TNC_RESULT_SUCCESS;
-}
-
-/**
- * see section 3.8.2 of TCG TNC IF-IMV Specification 1.3
- */
-TNC_Result TNC_IMV_NotifyConnectionChange(TNC_IMVID imv_id,
-										  TNC_ConnectionID connection_id,
-										  TNC_ConnectionState new_state)
-{
-	imv_state_t *state;
-
-	if (!imv_test)
-	{
-		DBG1(DBG_IMV, "IMV \"%s\" has not been initialized", imv_name);
-		return TNC_RESULT_NOT_INITIALIZED;
-	}
-	switch (new_state)
-	{
-		case TNC_CONNECTION_STATE_CREATE:
-			state = imv_test_state_create(connection_id);
-			return imv_test->create_state(imv_test, state);
-		case TNC_CONNECTION_STATE_DELETE:
-			return imv_test->delete_state(imv_test, connection_id);
-		default:
-			return imv_test->change_state(imv_test, connection_id,
-										  new_state, NULL);
-	}
-}
-
-static TNC_Result receive_message(imv_state_t *state, imv_msg_t *in_msg)
-{
-	imv_msg_t *out_msg;
-	imv_test_state_t *test_state;
-	enumerator_t *enumerator;
-	pa_tnc_attr_t *attr;
-	pen_type_t attr_type;
-	TNC_Result result;
-	int rounds;
-	bool fatal_error = FALSE, received_command = FALSE, retry = FALSE;
-
-	/* parse received PA-TNC message and handle local and remote errors */
-	result = in_msg->receive(in_msg, &fatal_error);
-	if (result != TNC_RESULT_SUCCESS)
-	{
-		return result;
-	}
-
-	/* add any new IMC and set its number of rounds */
-	rounds = lib->settings->get_int(lib->settings,
-								"libimcv.plugins.imv-test.rounds", 0);
-	test_state = (imv_test_state_t*)state;
-	test_state->add_imc(test_state, in_msg->get_src_id(in_msg), rounds);
-
-	/* analyze PA-TNC attributes */
-	enumerator = in_msg->create_attribute_enumerator(in_msg);
-	while (enumerator->enumerate(enumerator, &attr))
-	{
-		attr_type = attr->get_type(attr);
-
-		if (attr_type.vendor_id != PEN_ITA)
-		{
-			continue;
-		}
-		if (attr_type.type == ITA_ATTR_COMMAND)
-		{
-			ita_attr_command_t *ita_attr;
-			char *command;
-
-			received_command = TRUE;
-			ita_attr = (ita_attr_command_t*)attr;
-			command = ita_attr->get_command(ita_attr);
-
-			if (streq(command, "allow"))
-			{
-				state->set_recommendation(state,
-								TNC_IMV_ACTION_RECOMMENDATION_ALLOW,
-								TNC_IMV_EVALUATION_RESULT_COMPLIANT);
-			}
-			else if (streq(command, "isolate"))
-			{
-				state->set_recommendation(state,
-								TNC_IMV_ACTION_RECOMMENDATION_ISOLATE,
-								TNC_IMV_EVALUATION_RESULT_NONCOMPLIANT_MINOR);
-			}
-			else if (streq(command, "block") || streq(command, "none"))
-			{
-				state->set_recommendation(state,
-								TNC_IMV_ACTION_RECOMMENDATION_NO_ACCESS,
-								TNC_IMV_EVALUATION_RESULT_NONCOMPLIANT_MAJOR);
-			}
-			else if (streq(command, "retry"))
-			{
-				retry = TRUE;
-			}
-			else
-			{
-				DBG1(DBG_IMV, "unsupported ITA Command '%s'", command);
-				state->set_recommendation(state,
-								TNC_IMV_ACTION_RECOMMENDATION_NO_RECOMMENDATION,
-								TNC_IMV_EVALUATION_RESULT_ERROR);
-			}
-		}
-		else if (attr_type.type == ITA_ATTR_DUMMY)
-		{
-			ita_attr_dummy_t *ita_attr;
-
-			ita_attr = (ita_attr_dummy_t*)attr;
-			DBG1(DBG_IMV, "received dummy attribute value (%d bytes)",
-						   ita_attr->get_size(ita_attr));
-		}
-	}
-	enumerator->destroy(enumerator);
-
-	if (fatal_error)
-	{
-		state->set_recommendation(state,
-							TNC_IMV_ACTION_RECOMMENDATION_NO_RECOMMENDATION,
-							TNC_IMV_EVALUATION_RESULT_ERROR);
-		out_msg = imv_msg_create_as_reply(in_msg);
-		result = out_msg->send_assessment(out_msg);
-		out_msg->destroy(out_msg);
-		if (result != TNC_RESULT_SUCCESS)
-		{
-			return result;
-		}  
-		return imv_test->provide_recommendation(imv_test, state);
-	}
-
-	/* request a handshake retry ? */
-	if (retry)
-	{
-		test_state->set_rounds(test_state, rounds);
-		return imv_test->request_handshake_retry(imv_test->get_id(imv_test),
-											state->get_connection_id(state),
-											TNC_RETRY_REASON_IMV_SERIOUS_EVENT);
-	}
+/* include generic TGC TNC IF-IMV API code below */
 
-	/* repeat the measurement ? */
-	if (test_state->another_round(test_state, in_msg->get_src_id(in_msg)))
-	{
-		out_msg = imv_msg_create_as_reply(in_msg);
-		attr = ita_attr_command_create("repeat");
-		out_msg->add_attribute(out_msg, attr);
+#include <imv/imv_if.h>
 
-		/* send PA-TNC message with excl flag set */
-		result = out_msg->send(out_msg, TRUE);	
-		out_msg->destroy(out_msg);
-
-		return result;
-	}
-
-	if (received_command)
-	{
-		out_msg = imv_msg_create_as_reply(in_msg);
-		result = out_msg->send_assessment(out_msg);
-		out_msg->destroy(out_msg);
-		if (result != TNC_RESULT_SUCCESS)
-		{
-			return result;
-		}  
-		return imv_test->provide_recommendation(imv_test, state);
-	}
-	else
-	{	
-		return TNC_RESULT_SUCCESS;
-	}
-}
-
-/**
- * see section 3.8.4 of TCG TNC IF-IMV Specification 1.3
- */
-TNC_Result TNC_IMV_ReceiveMessage(TNC_IMVID imv_id,
-								  TNC_ConnectionID connection_id,
-								  TNC_BufferReference msg,
-								  TNC_UInt32 msg_len,
-								  TNC_MessageType msg_type)
-{
-	imv_state_t *state;
-	imv_msg_t *in_msg;
-	TNC_Result result;
-
-	if (!imv_test)
-	{
-		DBG1(DBG_IMV, "IMV \"%s\" has not been initialized", imv_name);
-		return TNC_RESULT_NOT_INITIALIZED;
-	}
-	if (!imv_test->get_state(imv_test, connection_id, &state))
-	{
-		return TNC_RESULT_FATAL;
-	}
-	in_msg = imv_msg_create_from_data(imv_test, state, connection_id, msg_type,
-									  chunk_create(msg, msg_len));
-	result = receive_message(state, in_msg);
-	in_msg->destroy(in_msg);
-
-	return result;
-}
-
-/**
- * see section 3.8.6 of TCG TNC IF-IMV Specification 1.3
- */
-TNC_Result TNC_IMV_ReceiveMessageLong(TNC_IMVID imv_id,
-									  TNC_ConnectionID connection_id,
-									  TNC_UInt32 msg_flags,
-									  TNC_BufferReference msg,
-									  TNC_UInt32 msg_len,
-									  TNC_VendorID msg_vid,
-									  TNC_MessageSubtype msg_subtype,
-									  TNC_UInt32 src_imc_id,
-									  TNC_UInt32 dst_imv_id)
-{
-	imv_state_t *state;
-	imv_msg_t *in_msg;
-	TNC_Result result;
-
-	if (!imv_test)
-	{
-		DBG1(DBG_IMV, "IMV \"%s\" has not been initialized", imv_name);
-		return TNC_RESULT_NOT_INITIALIZED;
-	}
-	if (!imv_test->get_state(imv_test, connection_id, &state))
-	{
-		return TNC_RESULT_FATAL;
-	}
-	in_msg = imv_msg_create_from_long_data(imv_test, state, connection_id,
-								src_imc_id, dst_imv_id, msg_vid, msg_subtype,
-								chunk_create(msg, msg_len));
-	result =receive_message(state, in_msg);
-	in_msg->destroy(in_msg);
-
-	return result;
-}
-
-/**
- * see section 3.8.7 of TCG TNC IF-IMV Specification 1.3
- */
-TNC_Result TNC_IMV_SolicitRecommendation(TNC_IMVID imv_id,
-										 TNC_ConnectionID connection_id)
-{
-	imv_state_t *state;
-
-	if (!imv_test)
-	{
-		DBG1(DBG_IMV, "IMV \"%s\" has not been initialized", imv_name);
-		return TNC_RESULT_NOT_INITIALIZED;
-	}
-	if (!imv_test->get_state(imv_test, connection_id, &state))
-	{
-		return TNC_RESULT_FATAL;
-	}
-	return imv_test->provide_recommendation(imv_test, state);
-}
-
-/**
- * see section 3.8.8 of TCG TNC IF-IMV Specification 1.3
- */
-TNC_Result TNC_IMV_BatchEnding(TNC_IMVID imv_id,
-							   TNC_ConnectionID connection_id)
-{
-	if (!imv_test)
-	{
-		DBG1(DBG_IMV, "IMV \"%s\" has not been initialized", imv_name);
-		return TNC_RESULT_NOT_INITIALIZED;
-	}
-	return TNC_RESULT_SUCCESS;
-}
-
-/**
- * see section 3.8.9 of TCG TNC IF-IMV Specification 1.3
- */
-TNC_Result TNC_IMV_Terminate(TNC_IMVID imv_id)
-{
-	if (!imv_test)
-	{
-		DBG1(DBG_IMV, "IMV \"%s\" has not been initialized", imv_name);
-		return TNC_RESULT_NOT_INITIALIZED;
-	}
-	imv_test->destroy(imv_test);
-	imv_test = NULL;
-
-	return TNC_RESULT_SUCCESS;
-}
-
-/**
- * see section 4.2.8.1 of TCG TNC IF-IMV Specification 1.3
- */
-TNC_Result TNC_IMV_ProvideBindFunction(TNC_IMVID imv_id,
-									   TNC_TNCS_BindFunctionPointer bind_function)
-{
-	if (!imv_test)
-	{
-		DBG1(DBG_IMV, "IMV \"%s\" has not been initialized", imv_name);
-		return TNC_RESULT_NOT_INITIALIZED;
-	}
-	return imv_test->bind_functions(imv_test, bind_function);
-}
diff --git a/src/libimcv/plugins/imv_test/imv_test_agent.c b/src/libimcv/plugins/imv_test/imv_test_agent.c
new file mode 100644
index 000000000..87d69373f
--- /dev/null
+++ b/src/libimcv/plugins/imv_test/imv_test_agent.c
@@ -0,0 +1,321 @@
+/*
+ * Copyright (C) 2013 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "imv_test_agent.h"
+#include "imv_test_state.h"
+
+#include <imv/imv_agent.h>
+#include <imv/imv_msg.h>
+#include <ietf/ietf_attr.h>
+#include <ietf/ietf_attr_pa_tnc_error.h>
+#include <ita/ita_attr.h>
+#include <ita/ita_attr_get_settings.h>
+#include <ita/ita_attr_command.h>
+#include <ita/ita_attr_dummy.h>
+
+#include <tncif_names.h>
+#include <tncif_pa_subtypes.h>
+
+#include <pen/pen.h>
+#include <utils/debug.h>
+
+typedef struct private_imv_test_agent_t private_imv_test_agent_t;
+
+/* Subscribed PA-TNC message subtypes */
+static pen_type_t msg_types[] = {
+	{ PEN_ITA, PA_SUBTYPE_ITA_TEST }
+};
+
+/**
+ * Private data of an imv_test_agent_t object.
+ */
+struct private_imv_test_agent_t {
+
+	/**
+	 * Public members of imv_test_agent_t
+	 */
+	imv_agent_if_t public;
+
+	/**
+	 * IMV agent responsible for generic functions
+	 */
+	imv_agent_t *agent;
+
+};
+
+METHOD(imv_agent_if_t, bind_functions, TNC_Result,
+	private_imv_test_agent_t *this, TNC_TNCS_BindFunctionPointer bind_function)
+{
+	return this->agent->bind_functions(this->agent, bind_function);
+}
+
+METHOD(imv_agent_if_t, notify_connection_change, TNC_Result,
+	private_imv_test_agent_t *this, TNC_ConnectionID id,
+	TNC_ConnectionState new_state)
+{
+	imv_state_t *state;
+
+	switch (new_state)
+	{
+		case TNC_CONNECTION_STATE_CREATE:
+			state = imv_test_state_create(id);
+			return this->agent->create_state(this->agent, state);
+		case TNC_CONNECTION_STATE_DELETE:
+			return this->agent->delete_state(this->agent, id);
+		default:
+			return this->agent->change_state(this->agent, id, new_state, NULL);
+	}
+}
+
+/**
+ * Process a received message
+ */
+static TNC_Result receive_msg(private_imv_test_agent_t *this, imv_state_t *state,
+							  imv_msg_t *in_msg)
+{
+	imv_msg_t *out_msg;
+	imv_test_state_t *test_state;
+	enumerator_t *enumerator;
+	pa_tnc_attr_t *attr;
+	pen_type_t attr_type;
+	TNC_Result result;
+	int rounds;
+	bool fatal_error = FALSE, received_command = FALSE, retry = FALSE;
+
+	/* parse received PA-TNC message and handle local and remote errors */
+	result = in_msg->receive(in_msg, &fatal_error);
+	if (result != TNC_RESULT_SUCCESS)
+	{
+		return result;
+	}
+
+	/* add any new IMC and set its number of rounds */
+	rounds = lib->settings->get_int(lib->settings,
+								"libimcv.plugins.imv-test.rounds", 0);
+	test_state = (imv_test_state_t*)state;
+	test_state->add_imc(test_state, in_msg->get_src_id(in_msg), rounds);
+
+	/* analyze PA-TNC attributes */
+	enumerator = in_msg->create_attribute_enumerator(in_msg);
+	while (enumerator->enumerate(enumerator, &attr))
+	{
+		attr_type = attr->get_type(attr);
+
+		if (attr_type.vendor_id != PEN_ITA)
+		{
+			continue;
+		}
+		if (attr_type.type == ITA_ATTR_COMMAND)
+		{
+			ita_attr_command_t *ita_attr;
+			char *command;
+
+			received_command = TRUE;
+			ita_attr = (ita_attr_command_t*)attr;
+			command = ita_attr->get_command(ita_attr);
+
+			if (streq(command, "allow"))
+			{
+				state->set_recommendation(state,
+								TNC_IMV_ACTION_RECOMMENDATION_ALLOW,
+								TNC_IMV_EVALUATION_RESULT_COMPLIANT);
+			}
+			else if (streq(command, "isolate"))
+			{
+				state->set_recommendation(state,
+								TNC_IMV_ACTION_RECOMMENDATION_ISOLATE,
+								TNC_IMV_EVALUATION_RESULT_NONCOMPLIANT_MINOR);
+			}
+			else if (streq(command, "block") || streq(command, "none"))
+			{
+				state->set_recommendation(state,
+								TNC_IMV_ACTION_RECOMMENDATION_NO_ACCESS,
+								TNC_IMV_EVALUATION_RESULT_NONCOMPLIANT_MAJOR);
+			}
+			else if (streq(command, "retry"))
+			{
+				retry = TRUE;
+			}
+			else
+			{
+				DBG1(DBG_IMV, "unsupported ITA Command '%s'", command);
+				state->set_recommendation(state,
+								TNC_IMV_ACTION_RECOMMENDATION_NO_RECOMMENDATION,
+								TNC_IMV_EVALUATION_RESULT_ERROR);
+			}
+		}
+		else if (attr_type.type == ITA_ATTR_DUMMY)
+		{
+			ita_attr_dummy_t *ita_attr;
+
+			ita_attr = (ita_attr_dummy_t*)attr;
+			DBG1(DBG_IMV, "received dummy attribute value (%d bytes)",
+						   ita_attr->get_size(ita_attr));
+		}
+	}
+	enumerator->destroy(enumerator);
+
+	if (fatal_error)
+	{
+		state->set_recommendation(state,
+							TNC_IMV_ACTION_RECOMMENDATION_NO_RECOMMENDATION,
+							TNC_IMV_EVALUATION_RESULT_ERROR);
+		out_msg = imv_msg_create_as_reply(in_msg);
+		result = out_msg->send_assessment(out_msg);
+		out_msg->destroy(out_msg);
+		if (result != TNC_RESULT_SUCCESS)
+		{
+			return result;
+		}  
+		return this->agent->provide_recommendation(this->agent, state);
+	}
+
+	/* request a handshake retry ? */
+	if (retry)
+	{
+		test_state->set_rounds(test_state, rounds);
+		return this->agent->request_handshake_retry(
+									this->agent->get_id(this->agent),
+									state->get_connection_id(state),
+									TNC_RETRY_REASON_IMV_SERIOUS_EVENT);
+	}
+
+	/* repeat the measurement ? */
+	if (test_state->another_round(test_state, in_msg->get_src_id(in_msg)))
+	{
+		out_msg = imv_msg_create_as_reply(in_msg);
+		attr = ita_attr_command_create("repeat");
+		out_msg->add_attribute(out_msg, attr);
+
+		/* send PA-TNC message with excl flag set */
+		result = out_msg->send(out_msg, TRUE);	
+		out_msg->destroy(out_msg);
+
+		return result;
+	}
+
+	if (received_command)
+	{
+		out_msg = imv_msg_create_as_reply(in_msg);
+		result = out_msg->send_assessment(out_msg);
+		out_msg->destroy(out_msg);
+		if (result != TNC_RESULT_SUCCESS)
+		{
+			return result;
+		}  
+		return this->agent->provide_recommendation(this->agent, state);
+	}
+	else
+	{	
+		return TNC_RESULT_SUCCESS;
+	}
+ }
+
+METHOD(imv_agent_if_t, receive_message, TNC_Result,
+	private_imv_test_agent_t *this, TNC_ConnectionID id,
+	TNC_MessageType msg_type, chunk_t msg)
+{
+	imv_state_t *state;
+	imv_msg_t *in_msg;
+	TNC_Result result;
+
+	if (!this->agent->get_state(this->agent, id, &state))
+	{
+		return TNC_RESULT_FATAL;
+	}
+	in_msg = imv_msg_create_from_data(this->agent, state, id, msg_type, msg);
+	result = receive_msg(this, state, in_msg);
+	in_msg->destroy(in_msg);
+
+	return result;
+}
+
+METHOD(imv_agent_if_t, receive_message_long, TNC_Result,
+	private_imv_test_agent_t *this, TNC_ConnectionID id,
+	TNC_UInt32 src_imc_id, TNC_UInt32 dst_imv_id,
+	TNC_VendorID msg_vid, TNC_MessageSubtype msg_subtype, chunk_t msg)
+{
+	imv_state_t *state;
+	imv_msg_t *in_msg;
+	TNC_Result result;
+
+	if (!this->agent->get_state(this->agent, id, &state))
+	{
+		return TNC_RESULT_FATAL;
+	}
+	in_msg = imv_msg_create_from_long_data(this->agent, state, id,
+					src_imc_id, dst_imv_id, msg_vid, msg_subtype, msg);
+	result = receive_msg(this, state, in_msg);
+	in_msg->destroy(in_msg);
+
+	return result;
+
+}
+
+METHOD(imv_agent_if_t, batch_ending, TNC_Result,
+	private_imv_test_agent_t *this, TNC_ConnectionID id)
+{
+	return TNC_RESULT_SUCCESS;
+}
+
+METHOD(imv_agent_if_t, solicit_recommendation, TNC_Result,
+	private_imv_test_agent_t *this, TNC_ConnectionID id)
+{
+	imv_state_t *state;
+
+	if (!this->agent->get_state(this->agent, id, &state))
+	{
+		return TNC_RESULT_FATAL;
+	}
+	return this->agent->provide_recommendation(this->agent, state);
+}
+
+METHOD(imv_agent_if_t, destroy, void,
+	private_imv_test_agent_t *this)
+{
+	DESTROY_IF(this->agent);
+	free(this);
+}
+
+/**
+ * Described in header.
+ */
+imv_agent_if_t *imv_test_agent_create(const char *name, TNC_IMVID id,
+									  TNC_Version *actual_version)
+{
+	private_imv_test_agent_t *this;
+
+	INIT(this,
+		.public = {
+			.bind_functions = _bind_functions,
+			.notify_connection_change = _notify_connection_change,
+			.receive_message = _receive_message,
+			.receive_message_long = _receive_message_long,
+			.batch_ending = _batch_ending,
+			.solicit_recommendation = _solicit_recommendation,
+			.destroy = _destroy,
+		},
+		.agent = imv_agent_create(name, msg_types, countof(msg_types), id,
+								  actual_version),
+	);
+
+	if (!this->agent)
+	{
+		destroy(this);
+		return NULL;
+	}
+	return &this->public;
+}
+
diff --git a/src/libimcv/plugins/imv_test/imv_test_agent.h b/src/libimcv/plugins/imv_test/imv_test_agent.h
new file mode 100644
index 000000000..15508d375
--- /dev/null
+++ b/src/libimcv/plugins/imv_test/imv_test_agent.h
@@ -0,0 +1,36 @@
+/*
+ * Copyright (C) 2013 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup imv_test_agent_t imv_test_agent
+ * @{ @ingroup imv_test
+ */
+
+#ifndef IMV_TEST_AGENT_H_
+#define IMV_TEST_AGENT_H_
+
+#include <imv/imv_agent_if.h>
+
+/**
+ * Creates a Test IMV agent
+ *
+ * @param name					Name of the IMV
+ * @param id					ID of the IMV
+ * @param actual_version		TNC IF-IMV version
+ */
+imv_agent_if_t* imv_test_agent_create(const char* name, TNC_IMVID id,
+									  TNC_Version *actual_version);
+
+#endif /** IMV_TEST_AGENT_H_ @}*/
diff --git a/src/libimcv/plugins/imv_test/imv_test_state.c b/src/libimcv/plugins/imv_test/imv_test_state.c
index 41da44d67..0da09df67 100644
--- a/src/libimcv/plugins/imv_test/imv_test_state.c
+++ b/src/libimcv/plugins/imv_test/imv_test_state.c
@@ -17,6 +17,8 @@
 #include "imv/imv_lang_string.h"
 #include "imv/imv_reason_string.h"
 
+#include <tncif_policy.h>
+
 #include <utils/lexparser.h>
 #include <collections/linked_list.h>
 #include <utils/debug.h>
@@ -68,6 +70,11 @@ struct private_imv_test_state_t {
 	 */
 	chunk_t ar_id_value;
 
+	/**
+	 * IMV database session associated with TNCCS connection
+	 */
+	imv_session_t *session;
+
 	/**
 	 * IMV action recommendation
 	 */
@@ -170,6 +177,18 @@ METHOD(imv_state_t, get_ar_id, chunk_t,
 	return this->ar_id_value;
 }
 
+METHOD(imv_state_t, set_session, void,
+	private_imv_test_state_t *this, imv_session_t *session)
+{
+	this->session = session;
+}
+
+METHOD(imv_state_t, get_session, imv_session_t*,
+	private_imv_test_state_t *this)
+{
+	return this->session;
+}
+
 METHOD(imv_state_t, change_state, void,
 	private_imv_test_state_t *this, TNC_ConnectionState new_state)
 {
@@ -192,6 +211,14 @@ METHOD(imv_state_t, set_recommendation, void,
 	this->eval = eval;
 }
 
+METHOD(imv_state_t, update_recommendation, void,
+	private_imv_test_state_t *this, TNC_IMV_Action_Recommendation rec,
+									TNC_IMV_Evaluation_Result eval)
+{
+	this->rec  = tncif_policy_update_recommendation(this->rec, rec);
+	this->eval = tncif_policy_update_evaluation(this->eval, eval);
+}
+
 METHOD(imv_state_t, get_reason_string, bool,
 	private_imv_test_state_t *this, enumerator_t *language_enumerator,
 	chunk_t *reason_string, char **reason_language)
@@ -218,6 +245,7 @@ METHOD(imv_state_t, get_remediation_instructions, bool,
 METHOD(imv_state_t, destroy, void,
 	private_imv_test_state_t *this)
 {
+	DESTROY_IF(this->session);
 	DESTROY_IF(this->reason_string);
 	this->imcs->destroy_function(this->imcs, free);
 	free(this->ar_id_value.ptr);
@@ -307,9 +335,12 @@ imv_state_t *imv_test_state_create(TNC_ConnectionID connection_id)
 				.get_max_msg_len = _get_max_msg_len,
 				.set_ar_id = _set_ar_id,
 				.get_ar_id = _get_ar_id,
+				.set_session = _set_session,
+				.get_session = _get_session,
 				.change_state = _change_state,
 				.get_recommendation = _get_recommendation,
 				.set_recommendation = _set_recommendation,
+				.update_recommendation = _update_recommendation,
 				.get_reason_string = _get_reason_string,
 				.get_remediation_instructions = _get_remediation_instructions,
 				.destroy = _destroy,
diff --git a/src/libipsec/Makefile.am b/src/libipsec/Makefile.am
index 35b8d7916..74379f1d5 100644
--- a/src/libipsec/Makefile.am
+++ b/src/libipsec/Makefile.am
@@ -15,7 +15,7 @@ ipsec_sa_mgr.c ipsec_sa_mgr.h
 
 libipsec_la_LIBADD =
 
-INCLUDES = \
+AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan
 
 EXTRA_DIST = Android.mk
@@ -28,4 +28,3 @@ SUBDIRS =
 else
 SUBDIRS = .
 endif
-
diff --git a/src/libipsec/Makefile.in b/src/libipsec/Makefile.in
index 24940df7c..3dbf34ed2 100644
--- a/src/libipsec/Makefile.in
+++ b/src/libipsec/Makefile.in
@@ -62,7 +62,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
@@ -104,19 +104,35 @@ am_libipsec_la_OBJECTS = ipsec.lo esp_context.lo esp_packet.lo \
 	ipsec_policy_mgr.lo ipsec_processor.lo ipsec_sa.lo \
 	ipsec_sa_mgr.lo
 libipsec_la_OBJECTS = $(am_libipsec_la_OBJECTS)
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
 DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
 depcomp = $(SHELL) $(top_srcdir)/depcomp
 am__depfiles_maybe = depfiles
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
 SOURCES = $(libipsec_la_SOURCES)
 DIST_SOURCES = $(libipsec_la_SOURCES)
 RECURSIVE_TARGETS = all-recursive check-recursive dvi-recursive \
@@ -168,6 +184,7 @@ am__relativize = \
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
@@ -180,6 +197,8 @@ CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
 CHECK_CFLAGS = @CHECK_CFLAGS@
 CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -195,6 +214,7 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
 GPRBUILD = @GPRBUILD@
 GREP = @GREP@
@@ -203,6 +223,7 @@ INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -249,6 +270,7 @@ SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -277,6 +299,7 @@ charon_natt_port = @charon_natt_port@
 charon_plugins = @charon_plugins@
 charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
@@ -369,7 +392,7 @@ ipsec_sa.c ipsec_sa.h \
 ipsec_sa_mgr.c ipsec_sa_mgr.h
 
 libipsec_la_LIBADD = 
-INCLUDES = \
+AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan
 
 EXTRA_DIST = Android.mk
@@ -445,7 +468,7 @@ clean-ipseclibLTLIBRARIES:
 	  rm -f "$${dir}/so_locations"; \
 	done
 libipsec.la: $(libipsec_la_OBJECTS) $(libipsec_la_DEPENDENCIES) $(EXTRA_libipsec_la_DEPENDENCIES) 
-	$(LINK) -rpath $(ipseclibdir) $(libipsec_la_OBJECTS) $(libipsec_la_LIBADD) $(LIBS)
+	$(AM_V_CCLD)$(LINK) -rpath $(ipseclibdir) $(libipsec_la_OBJECTS) $(libipsec_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -465,25 +488,25 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ipsec_sa_mgr.Plo@am__quote@
 
 .c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
 mostlyclean-libtool:
 	-rm -f *.lo
diff --git a/src/libipsec/esp_context.c b/src/libipsec/esp_context.c
index 44b1117d9..bbcb62add 100644
--- a/src/libipsec/esp_context.c
+++ b/src/libipsec/esp_context.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2012 Tobias Brunner
+ * Copyright (C) 2012-2013 Tobias Brunner
  * Copyright (C) 2012 Giuliano Grassi
  * Copyright (C) 2012 Ralf Sager
  * Hochschule fuer Technik Rapperswil
@@ -22,8 +22,6 @@
 
 #include <library.h>
 #include <utils/debug.h>
-#include <crypto/crypters/crypter.h>
-#include <crypto/signers/signer.h>
 
 /**
  * Should be a multiple of 8
@@ -43,14 +41,9 @@ struct private_esp_context_t {
 	esp_context_t public;
 
 	/**
-	 * Crypter used to encrypt/decrypt ESP packets
+	 * AEAD wrapper or method to encrypt/decrypt/authenticate ESP packets
 	 */
-	crypter_t *crypter;
-
-	/**
-	 * Signer to authenticate ESP packets
-	 */
-	signer_t *signer;
+	aead_t *aead;
 
 	/**
 	 * The highest sequence number that was successfully verified
@@ -197,97 +190,150 @@ METHOD(esp_context_t, next_seqno, bool,
 	return TRUE;
 }
 
-METHOD(esp_context_t, get_signer, signer_t *,
-		private_esp_context_t *this)
-{
-	return this->signer;
-}
-
-METHOD(esp_context_t, get_crypter, crypter_t *,
-		private_esp_context_t *this)
+METHOD(esp_context_t, get_aead, aead_t*,
+	private_esp_context_t *this)
 {
-	return this->crypter;
+	return this->aead;
 }
 
 METHOD(esp_context_t, destroy, void,
-		private_esp_context_t *this)
+	private_esp_context_t *this)
 {
 	chunk_free(&this->window);
-	DESTROY_IF(this->crypter);
-	DESTROY_IF(this->signer);
+	DESTROY_IF(this->aead);
 	free(this);
 }
 
 /**
- * Described in header.
+ * Create an AEAD algorithm
  */
-esp_context_t *esp_context_create(int enc_alg, chunk_t enc_key,
-								  int int_alg, chunk_t int_key, bool inbound)
+static bool create_aead(private_esp_context_t *this, int alg,
+						chunk_t key)
 {
-	private_esp_context_t *this;
+	switch (alg)
+	{
+		case ENCR_AES_GCM_ICV8:
+		case ENCR_AES_GCM_ICV12:
+		case ENCR_AES_GCM_ICV16:
+			/* the key includes a 4 byte salt */
+			this->aead = lib->crypto->create_aead(lib->crypto, alg, key.len-4);
+			break;
+		default:
+			break;
+	}
+	if (!this->aead)
+	{
+		DBG1(DBG_ESP, "failed to create ESP context: unsupported AEAD "
+			 "algorithm");
+		return FALSE;
+	}
+	if (!this->aead->set_key(this->aead, key))
+	{
+		DBG1(DBG_ESP, "failed to create ESP context: setting AEAD key failed");
+		return FALSE;
+	}
+	return TRUE;
+}
 
-	INIT(this,
-		.public = {
-			.get_crypter = _get_crypter,
-			.get_signer = _get_signer,
-			.get_seqno = _get_seqno,
-			.next_seqno = _next_seqno,
-			.verify_seqno = _verify_seqno,
-			.set_authenticated_seqno = _set_authenticated_seqno,
-			.destroy = _destroy,
-		},
-		.inbound = inbound,
-		.window_size = ESP_DEFAULT_WINDOW_SIZE,
-	);
+/**
+ * Create AEAD wrapper around traditional encryption/integrity algorithms
+ */
+static bool create_traditional(private_esp_context_t *this, int enc_alg,
+							   chunk_t enc_key, int int_alg, chunk_t int_key)
+{
+	crypter_t *crypter = NULL;
+	signer_t *signer = NULL;
 
-	switch(enc_alg)
+	switch (enc_alg)
 	{
 		case ENCR_AES_CBC:
-			this->crypter = lib->crypto->create_crypter(lib->crypto, enc_alg,
-														enc_key.len);
+			crypter = lib->crypto->create_crypter(lib->crypto, enc_alg,
+												  enc_key.len);
 			break;
 		default:
 			break;
 	}
-	if (!this->crypter)
+	if (!crypter)
 	{
 		DBG1(DBG_ESP, "failed to create ESP context: unsupported encryption "
 			 "algorithm");
-		destroy(this);
-		return NULL;
+		goto failed;
 	}
-	if (!this->crypter->set_key(this->crypter, enc_key))
+	if (!crypter->set_key(crypter, enc_key))
 	{
 		DBG1(DBG_ESP, "failed to create ESP context: setting encryption key "
 			 "failed");
-		destroy(this);
-		return NULL;
+		goto failed;
 	}
 
-	switch(int_alg)
+	switch (int_alg)
 	{
 		case AUTH_HMAC_SHA1_96:
 		case AUTH_HMAC_SHA2_256_128:
 		case AUTH_HMAC_SHA2_384_192:
 		case AUTH_HMAC_SHA2_512_256:
-			this->signer = lib->crypto->create_signer(lib->crypto, int_alg);
+			signer = lib->crypto->create_signer(lib->crypto, int_alg);
 			break;
 		default:
 			break;
 	}
-	if (!this->signer)
+	if (!signer)
 	{
 		DBG1(DBG_ESP, "failed to create ESP context: unsupported integrity "
 			 "algorithm");
-		destroy(this);
-		return NULL;
+		goto failed;
 	}
-	if (!this->signer->set_key(this->signer, int_key))
+	if (!signer->set_key(signer, int_key))
 	{
 		DBG1(DBG_ESP, "failed to create ESP context: setting signature key "
 			 "failed");
-		destroy(this);
-		return NULL;
+		goto failed;
+	}
+	this->aead = aead_create(crypter, signer);
+	return TRUE;
+
+failed:
+	DESTROY_IF(crypter);
+	DESTROY_IF(signer);
+	return FALSE;
+}
+
+/**
+ * Described in header.
+ */
+esp_context_t *esp_context_create(int enc_alg, chunk_t enc_key,
+								  int int_alg, chunk_t int_key, bool inbound)
+{
+	private_esp_context_t *this;
+
+	INIT(this,
+		.public = {
+			.get_aead = _get_aead,
+			.get_seqno = _get_seqno,
+			.next_seqno = _next_seqno,
+			.verify_seqno = _verify_seqno,
+			.set_authenticated_seqno = _set_authenticated_seqno,
+			.destroy = _destroy,
+		},
+		.inbound = inbound,
+		.window_size = ESP_DEFAULT_WINDOW_SIZE,
+	);
+
+	if (encryption_algorithm_is_aead(enc_alg))
+	{
+		if (!create_aead(this, enc_alg, enc_key))
+		{
+			destroy(this);
+			return NULL;
+		}
+	}
+	else
+	{
+		if (!create_traditional(this, enc_alg, enc_key, int_alg, int_key))
+		{
+			destroy(this);
+			return NULL;
+		}
 	}
 
 	if (inbound)
@@ -297,5 +343,3 @@ esp_context_t *esp_context_create(int enc_alg, chunk_t enc_key,
 	}
 	return &this->public;
 }
-
-
diff --git a/src/libipsec/esp_context.h b/src/libipsec/esp_context.h
index db247dced..b33daf589 100644
--- a/src/libipsec/esp_context.h
+++ b/src/libipsec/esp_context.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2012 Tobias Brunner
+ * Copyright (C) 2012-2013 Tobias Brunner
  * Copyright (C) 2012 Giuliano Grassi
  * Copyright (C) 2012 Ralf Sager
  * Hochschule fuer Technik Rapperswil
@@ -24,8 +24,7 @@
 #define ESP_CONTEXT_H_
 
 #include <library.h>
-#include <crypto/crypters/crypter.h>
-#include <crypto/signers/signer.h>
+#include <crypto/aead.h>
 
 typedef struct esp_context_t esp_context_t;
 
@@ -35,18 +34,11 @@ typedef struct esp_context_t esp_context_t;
 struct esp_context_t {
 
 	/**
-	 * Get the crypter.
+	 * Get AEAD wrapper or method to encrypt/decrypt/authenticate ESP packets.
 	 *
-	 * @return				crypter
+	 * @return				AEAD wrapper of method
 	 */
-	crypter_t *(*get_crypter)(esp_context_t *this);
-
-	/**
-	 * Get the signer.
-	 *
-	 * @return				signer
-	 */
-	signer_t *(*get_signer)(esp_context_t *this);
+	aead_t *(*get_aead)(esp_context_t *this);
 
 	/**
 	 * Get the current outbound ESP sequence number or the highest authenticated
diff --git a/src/libipsec/esp_packet.c b/src/libipsec/esp_packet.c
index 43a3c2a97..61389daa4 100644
--- a/src/libipsec/esp_packet.c
+++ b/src/libipsec/esp_packet.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2012 Tobias Brunner
+ * Copyright (C) 2012-2013 Tobias Brunner
  * Copyright (C) 2012 Giuliano Grassi
  * Copyright (C) 2012 Ralf Sager
  * Hochschule fuer Technik Rapperswil
@@ -212,28 +212,27 @@ METHOD(esp_packet_t, decrypt, status_t,
 {
 	bio_reader_t *reader;
 	u_int32_t spi, seq;
-	chunk_t data, iv, icv, ciphertext, plaintext;
-	crypter_t *crypter;
-	signer_t *signer;
+	chunk_t data, iv, icv, aad, ciphertext, plaintext;
+	aead_t *aead;
 
 	DESTROY_IF(this->payload);
 	this->payload = NULL;
 
 	data = this->packet->get_data(this->packet);
-	crypter = esp_context->get_crypter(esp_context);
-	signer = esp_context->get_signer(esp_context);
+	aead = esp_context->get_aead(esp_context);
 
 	reader = bio_reader_create(data);
 	if (!reader->read_uint32(reader, &spi) ||
 		!reader->read_uint32(reader, &seq) ||
-		!reader->read_data(reader, crypter->get_iv_size(crypter), &iv) ||
-		!reader->read_data_end(reader, signer->get_block_size(signer), &icv) ||
-		reader->remaining(reader) % crypter->get_block_size(crypter))
+		!reader->read_data(reader, aead->get_iv_size(aead), &iv) ||
+		!reader->read_data_end(reader, aead->get_icv_size(aead), &icv) ||
+		reader->remaining(reader) % aead->get_block_size(aead))
 	{
 		DBG1(DBG_ESP, "ESP decryption failed: invalid length");
 		return PARSE_ERROR;
 	}
 	ciphertext = reader->peek(reader);
+	ciphertext.len += icv.len;
 	reader->destroy(reader);
 
 	if (!esp_context->verify_seqno(esp_context, seq))
@@ -246,20 +245,15 @@ METHOD(esp_packet_t, decrypt, status_t,
 	DBG3(DBG_ESP, "ESP decryption:\n  SPI %.8x [seq %u]\n  IV %B\n  "
 		 "encrypted %B\n  ICV %B", spi, seq, &iv, &ciphertext, &icv);
 
-	if (!signer->get_signature(signer, chunk_create(data.ptr, 8), NULL) ||
-		!signer->get_signature(signer, iv, NULL) ||
-		!signer->verify_signature(signer, ciphertext, icv))
-	{
-		DBG1(DBG_ESP, "ICV verification failed!");
-		return FAILED;
-	}
-	esp_context->set_authenticated_seqno(esp_context, seq);
+	/* aad = spi + seq */
+	aad = chunk_create(data.ptr, 8);
 
-	if (!crypter->decrypt(crypter, ciphertext, iv, &plaintext))
+	if (!aead->decrypt(aead, ciphertext, aad, iv, &plaintext))
 	{
-		DBG1(DBG_ESP, "ESP decryption failed");
+		DBG1(DBG_ESP, "ESP decryption or ICV verification failed");
 		return FAILED;
 	}
+	esp_context->set_authenticated_seqno(esp_context, seq);
 
 	if (!remove_padding(this, plaintext))
 	{
@@ -284,12 +278,11 @@ static void generate_padding(chunk_t padding)
 METHOD(esp_packet_t, encrypt, status_t,
 	private_esp_packet_t *this, esp_context_t *esp_context, u_int32_t spi)
 {
-	chunk_t iv, icv, padding, payload, ciphertext, auth_data;
+	chunk_t iv, icv, aad, padding, payload, ciphertext;
 	bio_writer_t *writer;
 	u_int32_t next_seqno;
 	size_t blocksize, plainlen;
-	crypter_t *crypter;
-	signer_t *signer;
+	aead_t *aead;
 	rng_t *rng;
 
 	this->packet->set_data(this->packet, chunk_empty);
@@ -306,12 +299,11 @@ METHOD(esp_packet_t, encrypt, status_t,
 		DBG1(DBG_ESP, "ESP encryption failed: could not find RNG");
 		return NOT_FOUND;
 	}
-	crypter = esp_context->get_crypter(esp_context);
-	signer = esp_context->get_signer(esp_context);
+	aead = esp_context->get_aead(esp_context);
 
-	blocksize = crypter->get_block_size(crypter);
-	iv.len = crypter->get_iv_size(crypter);
-	icv.len = signer->get_block_size(signer);
+	blocksize = aead->get_block_size(aead);
+	iv.len = aead->get_iv_size(aead);
+	icv.len = aead->get_icv_size(aead);
 
 	/* plaintext = payload, padding, pad_length, next_header */
 	payload = this->payload ? this->payload->get_encoding(this->payload)
@@ -349,24 +341,19 @@ METHOD(esp_packet_t, encrypt, status_t,
 	writer->write_uint8(writer, padding.len);
 	writer->write_uint8(writer, this->next_header);
 
+	/* aad = spi + seq */
+	aad = writer->get_buf(writer);
+	aad.len = 8;
+	icv = writer->skip(writer, icv.len);
+
 	DBG3(DBG_ESP, "ESP before encryption:\n  payload = %B\n  padding = %B\n  "
 		 "padding length = %hhu, next header = %hhu", &payload, &padding,
 		 (u_int8_t)padding.len, this->next_header);
 
-	/* encrypt the content inline */
-	if (!crypter->encrypt(crypter, ciphertext, iv, NULL))
-	{
-		DBG1(DBG_ESP, "ESP encryption failed");
-		writer->destroy(writer);
-		return FAILED;
-	}
-
-	/* calculate signature */
-	auth_data = writer->get_buf(writer);
-	icv = writer->skip(writer, icv.len);
-	if (!signer->get_signature(signer, auth_data, icv.ptr))
+	/* encrypt/authenticate the content inline */
+	if (!aead->encrypt(aead, ciphertext, aad, iv, NULL))
 	{
-		DBG1(DBG_ESP, "ESP encryption failed: signature generation failed");
+		DBG1(DBG_ESP, "ESP encryption or ICV generation failed");
 		writer->destroy(writer);
 		return FAILED;
 	}
diff --git a/src/libipsec/ipsec_event_relay.c b/src/libipsec/ipsec_event_relay.c
index d7d7e8276..c6b2a550d 100644
--- a/src/libipsec/ipsec_event_relay.c
+++ b/src/libipsec/ipsec_event_relay.c
@@ -118,6 +118,7 @@ static job_requeue_t handle_events(private_ipsec_event_relay_t *this)
 	}
 	enumerator->destroy(enumerator);
 	this->lock->unlock(this->lock);
+	free(event);
 	return JOB_REQUEUE_DIRECT;
 }
 
diff --git a/src/libipsec/ipsec_sa_mgr.c b/src/libipsec/ipsec_sa_mgr.c
index 28748971d..928a53d50 100644
--- a/src/libipsec/ipsec_sa_mgr.c
+++ b/src/libipsec/ipsec_sa_mgr.c
@@ -332,6 +332,11 @@ static void schedule_expiration(private_ipsec_sa_mgr_t *this,
 	callback_job_t *job;
 	u_int32_t timeout;
 
+	if (!lifetime->time.life)
+	{	/* no expiration at all */
+		return;
+	}
+
 	INIT(expired,
 		.manager = this,
 		.entry = entry,
@@ -438,7 +443,7 @@ METHOD(ipsec_sa_mgr_t, add_sa, status_t,
 	u_int8_t protocol, u_int32_t reqid,	mark_t mark, u_int32_t tfc,
 	lifetime_cfg_t *lifetime, u_int16_t enc_alg, chunk_t enc_key,
 	u_int16_t int_alg, chunk_t int_key, ipsec_mode_t mode, u_int16_t ipcomp,
-	u_int16_t cpi, bool encap, bool esn, bool inbound,
+	u_int16_t cpi, bool initiator, bool encap, bool esn, bool inbound,
 	traffic_selector_t *src_ts, traffic_selector_t *dst_ts)
 {
 	ipsec_sa_entry_t *entry;
diff --git a/src/libipsec/ipsec_sa_mgr.h b/src/libipsec/ipsec_sa_mgr.h
index 3ff092038..e9ce5ee8f 100644
--- a/src/libipsec/ipsec_sa_mgr.h
+++ b/src/libipsec/ipsec_sa_mgr.h
@@ -70,6 +70,7 @@ struct ipsec_sa_mgr_t {
 	 * @param mode			mode for this SA (only tunnel mode is supported)
 	 * @param ipcomp		IPcomp transform (not supported, use IPCOMP_NONE)
 	 * @param cpi			CPI for IPcomp (ignored)
+	 * @param initiator		TRUE if initiator of the exchange creating this SA
 	 * @param encap			enable UDP encapsulation (must be TRUE)
 	 * @param esn			Extended Sequence Numbers (currently not supported)
 	 * @param inbound		TRUE if this is an inbound SA, FALSE otherwise
@@ -82,8 +83,9 @@ struct ipsec_sa_mgr_t {
 					   mark_t mark, u_int32_t tfc,	lifetime_cfg_t *lifetime,
 					   u_int16_t enc_alg, chunk_t enc_key, u_int16_t int_alg,
 					   chunk_t int_key, ipsec_mode_t mode, u_int16_t ipcomp,
-					   u_int16_t cpi, bool encap, bool esn, bool inbound,
-					   traffic_selector_t *src_ts, traffic_selector_t *dst_ts);
+					   u_int16_t cpi, bool initiator, bool encap, bool esn,
+					   bool inbound, traffic_selector_t *src_ts,
+					   traffic_selector_t *dst_ts);
 
 	/**
 	 * Update the hosts on an installed SA.
diff --git a/src/libpts/Makefile.am b/src/libpts/Makefile.am
index edf3f7416..162af5d0d 100644
--- a/src/libpts/Makefile.am
+++ b/src/libpts/Makefile.am
@@ -1,5 +1,7 @@
-
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libimcv
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libtncif \
+	-I$(top_srcdir)/src/libimcv
 
 ipseclib_LTLIBRARIES = libpts.la
 
diff --git a/src/libpts/Makefile.in b/src/libpts/Makefile.in
index f0b89c68f..aa219f7f4 100644
--- a/src/libpts/Makefile.in
+++ b/src/libpts/Makefile.in
@@ -65,7 +65,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
@@ -123,19 +123,35 @@ am_libpts_la_OBJECTS = libpts.lo pts.lo pts_error.lo pts_pcr.lo \
 	tcg_pts_attr_req_file_meas.lo tcg_pts_attr_file_meas.lo \
 	tcg_pts_attr_req_file_meta.lo tcg_pts_attr_unix_file_meta.lo
 libpts_la_OBJECTS = $(am_libpts_la_OBJECTS)
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
 DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
 depcomp = $(SHELL) $(top_srcdir)/depcomp
 am__depfiles_maybe = depfiles
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
 SOURCES = $(libpts_la_SOURCES)
 DIST_SOURCES = $(libpts_la_SOURCES)
 RECURSIVE_TARGETS = all-recursive check-recursive dvi-recursive \
@@ -187,6 +203,7 @@ am__relativize = \
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
@@ -199,6 +216,8 @@ CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
 CHECK_CFLAGS = @CHECK_CFLAGS@
 CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -214,6 +233,7 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
 GPRBUILD = @GPRBUILD@
 GREP = @GREP@
@@ -222,6 +242,7 @@ INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -268,6 +289,7 @@ SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -296,6 +318,7 @@ charon_natt_port = @charon_natt_port@
 charon_plugins = @charon_plugins@
 charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
@@ -373,7 +396,11 @@ top_srcdir = @top_srcdir@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libimcv
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libtncif \
+	-I$(top_srcdir)/src/libimcv
+
 ipseclib_LTLIBRARIES = libpts.la
 libpts_la_LIBADD = $(top_builddir)/src/libimcv/libimcv.la \
 	$(am__append_1)
@@ -488,7 +515,7 @@ clean-ipseclibLTLIBRARIES:
 	  rm -f "$${dir}/so_locations"; \
 	done
 libpts.la: $(libpts_la_OBJECTS) $(libpts_la_DEPENDENCIES) $(EXTRA_libpts_la_DEPENDENCIES) 
-	$(LINK) -rpath $(ipseclibdir) $(libpts_la_OBJECTS) $(libpts_la_LIBADD) $(LIBS)
+	$(AM_V_CCLD)$(LINK) -rpath $(ipseclibdir) $(libpts_la_OBJECTS) $(libpts_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -535,277 +562,277 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tcg_pts_attr_unix_file_meta.Plo@am__quote@
 
 .c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
 pts.lo: pts/pts.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT pts.lo -MD -MP -MF $(DEPDIR)/pts.Tpo -c -o pts.lo `test -f 'pts/pts.c' || echo '$(srcdir)/'`pts/pts.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/pts.Tpo $(DEPDIR)/pts.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='pts/pts.c' object='pts.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT pts.lo -MD -MP -MF $(DEPDIR)/pts.Tpo -c -o pts.lo `test -f 'pts/pts.c' || echo '$(srcdir)/'`pts/pts.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/pts.Tpo $(DEPDIR)/pts.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='pts/pts.c' object='pts.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o pts.lo `test -f 'pts/pts.c' || echo '$(srcdir)/'`pts/pts.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o pts.lo `test -f 'pts/pts.c' || echo '$(srcdir)/'`pts/pts.c
 
 pts_error.lo: pts/pts_error.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT pts_error.lo -MD -MP -MF $(DEPDIR)/pts_error.Tpo -c -o pts_error.lo `test -f 'pts/pts_error.c' || echo '$(srcdir)/'`pts/pts_error.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/pts_error.Tpo $(DEPDIR)/pts_error.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='pts/pts_error.c' object='pts_error.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT pts_error.lo -MD -MP -MF $(DEPDIR)/pts_error.Tpo -c -o pts_error.lo `test -f 'pts/pts_error.c' || echo '$(srcdir)/'`pts/pts_error.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/pts_error.Tpo $(DEPDIR)/pts_error.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='pts/pts_error.c' object='pts_error.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o pts_error.lo `test -f 'pts/pts_error.c' || echo '$(srcdir)/'`pts/pts_error.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o pts_error.lo `test -f 'pts/pts_error.c' || echo '$(srcdir)/'`pts/pts_error.c
 
 pts_pcr.lo: pts/pts_pcr.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT pts_pcr.lo -MD -MP -MF $(DEPDIR)/pts_pcr.Tpo -c -o pts_pcr.lo `test -f 'pts/pts_pcr.c' || echo '$(srcdir)/'`pts/pts_pcr.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/pts_pcr.Tpo $(DEPDIR)/pts_pcr.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='pts/pts_pcr.c' object='pts_pcr.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT pts_pcr.lo -MD -MP -MF $(DEPDIR)/pts_pcr.Tpo -c -o pts_pcr.lo `test -f 'pts/pts_pcr.c' || echo '$(srcdir)/'`pts/pts_pcr.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/pts_pcr.Tpo $(DEPDIR)/pts_pcr.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='pts/pts_pcr.c' object='pts_pcr.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o pts_pcr.lo `test -f 'pts/pts_pcr.c' || echo '$(srcdir)/'`pts/pts_pcr.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o pts_pcr.lo `test -f 'pts/pts_pcr.c' || echo '$(srcdir)/'`pts/pts_pcr.c
 
 pts_creds.lo: pts/pts_creds.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT pts_creds.lo -MD -MP -MF $(DEPDIR)/pts_creds.Tpo -c -o pts_creds.lo `test -f 'pts/pts_creds.c' || echo '$(srcdir)/'`pts/pts_creds.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/pts_creds.Tpo $(DEPDIR)/pts_creds.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='pts/pts_creds.c' object='pts_creds.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT pts_creds.lo -MD -MP -MF $(DEPDIR)/pts_creds.Tpo -c -o pts_creds.lo `test -f 'pts/pts_creds.c' || echo '$(srcdir)/'`pts/pts_creds.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/pts_creds.Tpo $(DEPDIR)/pts_creds.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='pts/pts_creds.c' object='pts_creds.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o pts_creds.lo `test -f 'pts/pts_creds.c' || echo '$(srcdir)/'`pts/pts_creds.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o pts_creds.lo `test -f 'pts/pts_creds.c' || echo '$(srcdir)/'`pts/pts_creds.c
 
 pts_database.lo: pts/pts_database.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT pts_database.lo -MD -MP -MF $(DEPDIR)/pts_database.Tpo -c -o pts_database.lo `test -f 'pts/pts_database.c' || echo '$(srcdir)/'`pts/pts_database.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/pts_database.Tpo $(DEPDIR)/pts_database.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='pts/pts_database.c' object='pts_database.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT pts_database.lo -MD -MP -MF $(DEPDIR)/pts_database.Tpo -c -o pts_database.lo `test -f 'pts/pts_database.c' || echo '$(srcdir)/'`pts/pts_database.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/pts_database.Tpo $(DEPDIR)/pts_database.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='pts/pts_database.c' object='pts_database.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o pts_database.lo `test -f 'pts/pts_database.c' || echo '$(srcdir)/'`pts/pts_database.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o pts_database.lo `test -f 'pts/pts_database.c' || echo '$(srcdir)/'`pts/pts_database.c
 
 pts_dh_group.lo: pts/pts_dh_group.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT pts_dh_group.lo -MD -MP -MF $(DEPDIR)/pts_dh_group.Tpo -c -o pts_dh_group.lo `test -f 'pts/pts_dh_group.c' || echo '$(srcdir)/'`pts/pts_dh_group.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/pts_dh_group.Tpo $(DEPDIR)/pts_dh_group.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='pts/pts_dh_group.c' object='pts_dh_group.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT pts_dh_group.lo -MD -MP -MF $(DEPDIR)/pts_dh_group.Tpo -c -o pts_dh_group.lo `test -f 'pts/pts_dh_group.c' || echo '$(srcdir)/'`pts/pts_dh_group.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/pts_dh_group.Tpo $(DEPDIR)/pts_dh_group.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='pts/pts_dh_group.c' object='pts_dh_group.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o pts_dh_group.lo `test -f 'pts/pts_dh_group.c' || echo '$(srcdir)/'`pts/pts_dh_group.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o pts_dh_group.lo `test -f 'pts/pts_dh_group.c' || echo '$(srcdir)/'`pts/pts_dh_group.c
 
 pts_file_meas.lo: pts/pts_file_meas.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT pts_file_meas.lo -MD -MP -MF $(DEPDIR)/pts_file_meas.Tpo -c -o pts_file_meas.lo `test -f 'pts/pts_file_meas.c' || echo '$(srcdir)/'`pts/pts_file_meas.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/pts_file_meas.Tpo $(DEPDIR)/pts_file_meas.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='pts/pts_file_meas.c' object='pts_file_meas.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT pts_file_meas.lo -MD -MP -MF $(DEPDIR)/pts_file_meas.Tpo -c -o pts_file_meas.lo `test -f 'pts/pts_file_meas.c' || echo '$(srcdir)/'`pts/pts_file_meas.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/pts_file_meas.Tpo $(DEPDIR)/pts_file_meas.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='pts/pts_file_meas.c' object='pts_file_meas.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o pts_file_meas.lo `test -f 'pts/pts_file_meas.c' || echo '$(srcdir)/'`pts/pts_file_meas.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o pts_file_meas.lo `test -f 'pts/pts_file_meas.c' || echo '$(srcdir)/'`pts/pts_file_meas.c
 
 pts_file_meta.lo: pts/pts_file_meta.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT pts_file_meta.lo -MD -MP -MF $(DEPDIR)/pts_file_meta.Tpo -c -o pts_file_meta.lo `test -f 'pts/pts_file_meta.c' || echo '$(srcdir)/'`pts/pts_file_meta.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/pts_file_meta.Tpo $(DEPDIR)/pts_file_meta.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='pts/pts_file_meta.c' object='pts_file_meta.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT pts_file_meta.lo -MD -MP -MF $(DEPDIR)/pts_file_meta.Tpo -c -o pts_file_meta.lo `test -f 'pts/pts_file_meta.c' || echo '$(srcdir)/'`pts/pts_file_meta.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/pts_file_meta.Tpo $(DEPDIR)/pts_file_meta.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='pts/pts_file_meta.c' object='pts_file_meta.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o pts_file_meta.lo `test -f 'pts/pts_file_meta.c' || echo '$(srcdir)/'`pts/pts_file_meta.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o pts_file_meta.lo `test -f 'pts/pts_file_meta.c' || echo '$(srcdir)/'`pts/pts_file_meta.c
 
 pts_file_type.lo: pts/pts_file_type.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT pts_file_type.lo -MD -MP -MF $(DEPDIR)/pts_file_type.Tpo -c -o pts_file_type.lo `test -f 'pts/pts_file_type.c' || echo '$(srcdir)/'`pts/pts_file_type.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/pts_file_type.Tpo $(DEPDIR)/pts_file_type.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='pts/pts_file_type.c' object='pts_file_type.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT pts_file_type.lo -MD -MP -MF $(DEPDIR)/pts_file_type.Tpo -c -o pts_file_type.lo `test -f 'pts/pts_file_type.c' || echo '$(srcdir)/'`pts/pts_file_type.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/pts_file_type.Tpo $(DEPDIR)/pts_file_type.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='pts/pts_file_type.c' object='pts_file_type.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o pts_file_type.lo `test -f 'pts/pts_file_type.c' || echo '$(srcdir)/'`pts/pts_file_type.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o pts_file_type.lo `test -f 'pts/pts_file_type.c' || echo '$(srcdir)/'`pts/pts_file_type.c
 
 pts_meas_algo.lo: pts/pts_meas_algo.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT pts_meas_algo.lo -MD -MP -MF $(DEPDIR)/pts_meas_algo.Tpo -c -o pts_meas_algo.lo `test -f 'pts/pts_meas_algo.c' || echo '$(srcdir)/'`pts/pts_meas_algo.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/pts_meas_algo.Tpo $(DEPDIR)/pts_meas_algo.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='pts/pts_meas_algo.c' object='pts_meas_algo.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT pts_meas_algo.lo -MD -MP -MF $(DEPDIR)/pts_meas_algo.Tpo -c -o pts_meas_algo.lo `test -f 'pts/pts_meas_algo.c' || echo '$(srcdir)/'`pts/pts_meas_algo.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/pts_meas_algo.Tpo $(DEPDIR)/pts_meas_algo.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='pts/pts_meas_algo.c' object='pts_meas_algo.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o pts_meas_algo.lo `test -f 'pts/pts_meas_algo.c' || echo '$(srcdir)/'`pts/pts_meas_algo.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o pts_meas_algo.lo `test -f 'pts/pts_meas_algo.c' || echo '$(srcdir)/'`pts/pts_meas_algo.c
 
 pts_component_manager.lo: pts/components/pts_component_manager.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT pts_component_manager.lo -MD -MP -MF $(DEPDIR)/pts_component_manager.Tpo -c -o pts_component_manager.lo `test -f 'pts/components/pts_component_manager.c' || echo '$(srcdir)/'`pts/components/pts_component_manager.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/pts_component_manager.Tpo $(DEPDIR)/pts_component_manager.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='pts/components/pts_component_manager.c' object='pts_component_manager.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT pts_component_manager.lo -MD -MP -MF $(DEPDIR)/pts_component_manager.Tpo -c -o pts_component_manager.lo `test -f 'pts/components/pts_component_manager.c' || echo '$(srcdir)/'`pts/components/pts_component_manager.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/pts_component_manager.Tpo $(DEPDIR)/pts_component_manager.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='pts/components/pts_component_manager.c' object='pts_component_manager.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o pts_component_manager.lo `test -f 'pts/components/pts_component_manager.c' || echo '$(srcdir)/'`pts/components/pts_component_manager.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o pts_component_manager.lo `test -f 'pts/components/pts_component_manager.c' || echo '$(srcdir)/'`pts/components/pts_component_manager.c
 
 pts_comp_evidence.lo: pts/components/pts_comp_evidence.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT pts_comp_evidence.lo -MD -MP -MF $(DEPDIR)/pts_comp_evidence.Tpo -c -o pts_comp_evidence.lo `test -f 'pts/components/pts_comp_evidence.c' || echo '$(srcdir)/'`pts/components/pts_comp_evidence.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/pts_comp_evidence.Tpo $(DEPDIR)/pts_comp_evidence.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='pts/components/pts_comp_evidence.c' object='pts_comp_evidence.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT pts_comp_evidence.lo -MD -MP -MF $(DEPDIR)/pts_comp_evidence.Tpo -c -o pts_comp_evidence.lo `test -f 'pts/components/pts_comp_evidence.c' || echo '$(srcdir)/'`pts/components/pts_comp_evidence.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/pts_comp_evidence.Tpo $(DEPDIR)/pts_comp_evidence.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='pts/components/pts_comp_evidence.c' object='pts_comp_evidence.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o pts_comp_evidence.lo `test -f 'pts/components/pts_comp_evidence.c' || echo '$(srcdir)/'`pts/components/pts_comp_evidence.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o pts_comp_evidence.lo `test -f 'pts/components/pts_comp_evidence.c' || echo '$(srcdir)/'`pts/components/pts_comp_evidence.c
 
 pts_comp_func_name.lo: pts/components/pts_comp_func_name.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT pts_comp_func_name.lo -MD -MP -MF $(DEPDIR)/pts_comp_func_name.Tpo -c -o pts_comp_func_name.lo `test -f 'pts/components/pts_comp_func_name.c' || echo '$(srcdir)/'`pts/components/pts_comp_func_name.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/pts_comp_func_name.Tpo $(DEPDIR)/pts_comp_func_name.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='pts/components/pts_comp_func_name.c' object='pts_comp_func_name.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT pts_comp_func_name.lo -MD -MP -MF $(DEPDIR)/pts_comp_func_name.Tpo -c -o pts_comp_func_name.lo `test -f 'pts/components/pts_comp_func_name.c' || echo '$(srcdir)/'`pts/components/pts_comp_func_name.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/pts_comp_func_name.Tpo $(DEPDIR)/pts_comp_func_name.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='pts/components/pts_comp_func_name.c' object='pts_comp_func_name.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o pts_comp_func_name.lo `test -f 'pts/components/pts_comp_func_name.c' || echo '$(srcdir)/'`pts/components/pts_comp_func_name.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o pts_comp_func_name.lo `test -f 'pts/components/pts_comp_func_name.c' || echo '$(srcdir)/'`pts/components/pts_comp_func_name.c
 
 ita_comp_func_name.lo: pts/components/ita/ita_comp_func_name.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ita_comp_func_name.lo -MD -MP -MF $(DEPDIR)/ita_comp_func_name.Tpo -c -o ita_comp_func_name.lo `test -f 'pts/components/ita/ita_comp_func_name.c' || echo '$(srcdir)/'`pts/components/ita/ita_comp_func_name.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/ita_comp_func_name.Tpo $(DEPDIR)/ita_comp_func_name.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='pts/components/ita/ita_comp_func_name.c' object='ita_comp_func_name.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ita_comp_func_name.lo -MD -MP -MF $(DEPDIR)/ita_comp_func_name.Tpo -c -o ita_comp_func_name.lo `test -f 'pts/components/ita/ita_comp_func_name.c' || echo '$(srcdir)/'`pts/components/ita/ita_comp_func_name.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/ita_comp_func_name.Tpo $(DEPDIR)/ita_comp_func_name.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='pts/components/ita/ita_comp_func_name.c' object='ita_comp_func_name.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ita_comp_func_name.lo `test -f 'pts/components/ita/ita_comp_func_name.c' || echo '$(srcdir)/'`pts/components/ita/ita_comp_func_name.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ita_comp_func_name.lo `test -f 'pts/components/ita/ita_comp_func_name.c' || echo '$(srcdir)/'`pts/components/ita/ita_comp_func_name.c
 
 ita_comp_ima.lo: pts/components/ita/ita_comp_ima.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ita_comp_ima.lo -MD -MP -MF $(DEPDIR)/ita_comp_ima.Tpo -c -o ita_comp_ima.lo `test -f 'pts/components/ita/ita_comp_ima.c' || echo '$(srcdir)/'`pts/components/ita/ita_comp_ima.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/ita_comp_ima.Tpo $(DEPDIR)/ita_comp_ima.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='pts/components/ita/ita_comp_ima.c' object='ita_comp_ima.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ita_comp_ima.lo -MD -MP -MF $(DEPDIR)/ita_comp_ima.Tpo -c -o ita_comp_ima.lo `test -f 'pts/components/ita/ita_comp_ima.c' || echo '$(srcdir)/'`pts/components/ita/ita_comp_ima.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/ita_comp_ima.Tpo $(DEPDIR)/ita_comp_ima.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='pts/components/ita/ita_comp_ima.c' object='ita_comp_ima.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ita_comp_ima.lo `test -f 'pts/components/ita/ita_comp_ima.c' || echo '$(srcdir)/'`pts/components/ita/ita_comp_ima.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ita_comp_ima.lo `test -f 'pts/components/ita/ita_comp_ima.c' || echo '$(srcdir)/'`pts/components/ita/ita_comp_ima.c
 
 ita_comp_tboot.lo: pts/components/ita/ita_comp_tboot.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ita_comp_tboot.lo -MD -MP -MF $(DEPDIR)/ita_comp_tboot.Tpo -c -o ita_comp_tboot.lo `test -f 'pts/components/ita/ita_comp_tboot.c' || echo '$(srcdir)/'`pts/components/ita/ita_comp_tboot.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/ita_comp_tboot.Tpo $(DEPDIR)/ita_comp_tboot.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='pts/components/ita/ita_comp_tboot.c' object='ita_comp_tboot.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ita_comp_tboot.lo -MD -MP -MF $(DEPDIR)/ita_comp_tboot.Tpo -c -o ita_comp_tboot.lo `test -f 'pts/components/ita/ita_comp_tboot.c' || echo '$(srcdir)/'`pts/components/ita/ita_comp_tboot.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/ita_comp_tboot.Tpo $(DEPDIR)/ita_comp_tboot.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='pts/components/ita/ita_comp_tboot.c' object='ita_comp_tboot.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ita_comp_tboot.lo `test -f 'pts/components/ita/ita_comp_tboot.c' || echo '$(srcdir)/'`pts/components/ita/ita_comp_tboot.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ita_comp_tboot.lo `test -f 'pts/components/ita/ita_comp_tboot.c' || echo '$(srcdir)/'`pts/components/ita/ita_comp_tboot.c
 
 ita_comp_tgrub.lo: pts/components/ita/ita_comp_tgrub.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ita_comp_tgrub.lo -MD -MP -MF $(DEPDIR)/ita_comp_tgrub.Tpo -c -o ita_comp_tgrub.lo `test -f 'pts/components/ita/ita_comp_tgrub.c' || echo '$(srcdir)/'`pts/components/ita/ita_comp_tgrub.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/ita_comp_tgrub.Tpo $(DEPDIR)/ita_comp_tgrub.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='pts/components/ita/ita_comp_tgrub.c' object='ita_comp_tgrub.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ita_comp_tgrub.lo -MD -MP -MF $(DEPDIR)/ita_comp_tgrub.Tpo -c -o ita_comp_tgrub.lo `test -f 'pts/components/ita/ita_comp_tgrub.c' || echo '$(srcdir)/'`pts/components/ita/ita_comp_tgrub.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/ita_comp_tgrub.Tpo $(DEPDIR)/ita_comp_tgrub.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='pts/components/ita/ita_comp_tgrub.c' object='ita_comp_tgrub.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ita_comp_tgrub.lo `test -f 'pts/components/ita/ita_comp_tgrub.c' || echo '$(srcdir)/'`pts/components/ita/ita_comp_tgrub.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ita_comp_tgrub.lo `test -f 'pts/components/ita/ita_comp_tgrub.c' || echo '$(srcdir)/'`pts/components/ita/ita_comp_tgrub.c
 
 tcg_comp_func_name.lo: pts/components/tcg/tcg_comp_func_name.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT tcg_comp_func_name.lo -MD -MP -MF $(DEPDIR)/tcg_comp_func_name.Tpo -c -o tcg_comp_func_name.lo `test -f 'pts/components/tcg/tcg_comp_func_name.c' || echo '$(srcdir)/'`pts/components/tcg/tcg_comp_func_name.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/tcg_comp_func_name.Tpo $(DEPDIR)/tcg_comp_func_name.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='pts/components/tcg/tcg_comp_func_name.c' object='tcg_comp_func_name.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT tcg_comp_func_name.lo -MD -MP -MF $(DEPDIR)/tcg_comp_func_name.Tpo -c -o tcg_comp_func_name.lo `test -f 'pts/components/tcg/tcg_comp_func_name.c' || echo '$(srcdir)/'`pts/components/tcg/tcg_comp_func_name.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/tcg_comp_func_name.Tpo $(DEPDIR)/tcg_comp_func_name.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='pts/components/tcg/tcg_comp_func_name.c' object='tcg_comp_func_name.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o tcg_comp_func_name.lo `test -f 'pts/components/tcg/tcg_comp_func_name.c' || echo '$(srcdir)/'`pts/components/tcg/tcg_comp_func_name.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o tcg_comp_func_name.lo `test -f 'pts/components/tcg/tcg_comp_func_name.c' || echo '$(srcdir)/'`pts/components/tcg/tcg_comp_func_name.c
 
 tcg_attr.lo: tcg/tcg_attr.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT tcg_attr.lo -MD -MP -MF $(DEPDIR)/tcg_attr.Tpo -c -o tcg_attr.lo `test -f 'tcg/tcg_attr.c' || echo '$(srcdir)/'`tcg/tcg_attr.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/tcg_attr.Tpo $(DEPDIR)/tcg_attr.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='tcg/tcg_attr.c' object='tcg_attr.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT tcg_attr.lo -MD -MP -MF $(DEPDIR)/tcg_attr.Tpo -c -o tcg_attr.lo `test -f 'tcg/tcg_attr.c' || echo '$(srcdir)/'`tcg/tcg_attr.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/tcg_attr.Tpo $(DEPDIR)/tcg_attr.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='tcg/tcg_attr.c' object='tcg_attr.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o tcg_attr.lo `test -f 'tcg/tcg_attr.c' || echo '$(srcdir)/'`tcg/tcg_attr.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o tcg_attr.lo `test -f 'tcg/tcg_attr.c' || echo '$(srcdir)/'`tcg/tcg_attr.c
 
 tcg_pts_attr_proto_caps.lo: tcg/tcg_pts_attr_proto_caps.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT tcg_pts_attr_proto_caps.lo -MD -MP -MF $(DEPDIR)/tcg_pts_attr_proto_caps.Tpo -c -o tcg_pts_attr_proto_caps.lo `test -f 'tcg/tcg_pts_attr_proto_caps.c' || echo '$(srcdir)/'`tcg/tcg_pts_attr_proto_caps.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/tcg_pts_attr_proto_caps.Tpo $(DEPDIR)/tcg_pts_attr_proto_caps.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='tcg/tcg_pts_attr_proto_caps.c' object='tcg_pts_attr_proto_caps.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT tcg_pts_attr_proto_caps.lo -MD -MP -MF $(DEPDIR)/tcg_pts_attr_proto_caps.Tpo -c -o tcg_pts_attr_proto_caps.lo `test -f 'tcg/tcg_pts_attr_proto_caps.c' || echo '$(srcdir)/'`tcg/tcg_pts_attr_proto_caps.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/tcg_pts_attr_proto_caps.Tpo $(DEPDIR)/tcg_pts_attr_proto_caps.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='tcg/tcg_pts_attr_proto_caps.c' object='tcg_pts_attr_proto_caps.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o tcg_pts_attr_proto_caps.lo `test -f 'tcg/tcg_pts_attr_proto_caps.c' || echo '$(srcdir)/'`tcg/tcg_pts_attr_proto_caps.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o tcg_pts_attr_proto_caps.lo `test -f 'tcg/tcg_pts_attr_proto_caps.c' || echo '$(srcdir)/'`tcg/tcg_pts_attr_proto_caps.c
 
 tcg_pts_attr_dh_nonce_params_req.lo: tcg/tcg_pts_attr_dh_nonce_params_req.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT tcg_pts_attr_dh_nonce_params_req.lo -MD -MP -MF $(DEPDIR)/tcg_pts_attr_dh_nonce_params_req.Tpo -c -o tcg_pts_attr_dh_nonce_params_req.lo `test -f 'tcg/tcg_pts_attr_dh_nonce_params_req.c' || echo '$(srcdir)/'`tcg/tcg_pts_attr_dh_nonce_params_req.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/tcg_pts_attr_dh_nonce_params_req.Tpo $(DEPDIR)/tcg_pts_attr_dh_nonce_params_req.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='tcg/tcg_pts_attr_dh_nonce_params_req.c' object='tcg_pts_attr_dh_nonce_params_req.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT tcg_pts_attr_dh_nonce_params_req.lo -MD -MP -MF $(DEPDIR)/tcg_pts_attr_dh_nonce_params_req.Tpo -c -o tcg_pts_attr_dh_nonce_params_req.lo `test -f 'tcg/tcg_pts_attr_dh_nonce_params_req.c' || echo '$(srcdir)/'`tcg/tcg_pts_attr_dh_nonce_params_req.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/tcg_pts_attr_dh_nonce_params_req.Tpo $(DEPDIR)/tcg_pts_attr_dh_nonce_params_req.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='tcg/tcg_pts_attr_dh_nonce_params_req.c' object='tcg_pts_attr_dh_nonce_params_req.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o tcg_pts_attr_dh_nonce_params_req.lo `test -f 'tcg/tcg_pts_attr_dh_nonce_params_req.c' || echo '$(srcdir)/'`tcg/tcg_pts_attr_dh_nonce_params_req.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o tcg_pts_attr_dh_nonce_params_req.lo `test -f 'tcg/tcg_pts_attr_dh_nonce_params_req.c' || echo '$(srcdir)/'`tcg/tcg_pts_attr_dh_nonce_params_req.c
 
 tcg_pts_attr_dh_nonce_params_resp.lo: tcg/tcg_pts_attr_dh_nonce_params_resp.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT tcg_pts_attr_dh_nonce_params_resp.lo -MD -MP -MF $(DEPDIR)/tcg_pts_attr_dh_nonce_params_resp.Tpo -c -o tcg_pts_attr_dh_nonce_params_resp.lo `test -f 'tcg/tcg_pts_attr_dh_nonce_params_resp.c' || echo '$(srcdir)/'`tcg/tcg_pts_attr_dh_nonce_params_resp.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/tcg_pts_attr_dh_nonce_params_resp.Tpo $(DEPDIR)/tcg_pts_attr_dh_nonce_params_resp.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='tcg/tcg_pts_attr_dh_nonce_params_resp.c' object='tcg_pts_attr_dh_nonce_params_resp.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT tcg_pts_attr_dh_nonce_params_resp.lo -MD -MP -MF $(DEPDIR)/tcg_pts_attr_dh_nonce_params_resp.Tpo -c -o tcg_pts_attr_dh_nonce_params_resp.lo `test -f 'tcg/tcg_pts_attr_dh_nonce_params_resp.c' || echo '$(srcdir)/'`tcg/tcg_pts_attr_dh_nonce_params_resp.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/tcg_pts_attr_dh_nonce_params_resp.Tpo $(DEPDIR)/tcg_pts_attr_dh_nonce_params_resp.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='tcg/tcg_pts_attr_dh_nonce_params_resp.c' object='tcg_pts_attr_dh_nonce_params_resp.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o tcg_pts_attr_dh_nonce_params_resp.lo `test -f 'tcg/tcg_pts_attr_dh_nonce_params_resp.c' || echo '$(srcdir)/'`tcg/tcg_pts_attr_dh_nonce_params_resp.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o tcg_pts_attr_dh_nonce_params_resp.lo `test -f 'tcg/tcg_pts_attr_dh_nonce_params_resp.c' || echo '$(srcdir)/'`tcg/tcg_pts_attr_dh_nonce_params_resp.c
 
 tcg_pts_attr_dh_nonce_finish.lo: tcg/tcg_pts_attr_dh_nonce_finish.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT tcg_pts_attr_dh_nonce_finish.lo -MD -MP -MF $(DEPDIR)/tcg_pts_attr_dh_nonce_finish.Tpo -c -o tcg_pts_attr_dh_nonce_finish.lo `test -f 'tcg/tcg_pts_attr_dh_nonce_finish.c' || echo '$(srcdir)/'`tcg/tcg_pts_attr_dh_nonce_finish.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/tcg_pts_attr_dh_nonce_finish.Tpo $(DEPDIR)/tcg_pts_attr_dh_nonce_finish.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='tcg/tcg_pts_attr_dh_nonce_finish.c' object='tcg_pts_attr_dh_nonce_finish.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT tcg_pts_attr_dh_nonce_finish.lo -MD -MP -MF $(DEPDIR)/tcg_pts_attr_dh_nonce_finish.Tpo -c -o tcg_pts_attr_dh_nonce_finish.lo `test -f 'tcg/tcg_pts_attr_dh_nonce_finish.c' || echo '$(srcdir)/'`tcg/tcg_pts_attr_dh_nonce_finish.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/tcg_pts_attr_dh_nonce_finish.Tpo $(DEPDIR)/tcg_pts_attr_dh_nonce_finish.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='tcg/tcg_pts_attr_dh_nonce_finish.c' object='tcg_pts_attr_dh_nonce_finish.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o tcg_pts_attr_dh_nonce_finish.lo `test -f 'tcg/tcg_pts_attr_dh_nonce_finish.c' || echo '$(srcdir)/'`tcg/tcg_pts_attr_dh_nonce_finish.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o tcg_pts_attr_dh_nonce_finish.lo `test -f 'tcg/tcg_pts_attr_dh_nonce_finish.c' || echo '$(srcdir)/'`tcg/tcg_pts_attr_dh_nonce_finish.c
 
 tcg_pts_attr_meas_algo.lo: tcg/tcg_pts_attr_meas_algo.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT tcg_pts_attr_meas_algo.lo -MD -MP -MF $(DEPDIR)/tcg_pts_attr_meas_algo.Tpo -c -o tcg_pts_attr_meas_algo.lo `test -f 'tcg/tcg_pts_attr_meas_algo.c' || echo '$(srcdir)/'`tcg/tcg_pts_attr_meas_algo.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/tcg_pts_attr_meas_algo.Tpo $(DEPDIR)/tcg_pts_attr_meas_algo.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='tcg/tcg_pts_attr_meas_algo.c' object='tcg_pts_attr_meas_algo.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT tcg_pts_attr_meas_algo.lo -MD -MP -MF $(DEPDIR)/tcg_pts_attr_meas_algo.Tpo -c -o tcg_pts_attr_meas_algo.lo `test -f 'tcg/tcg_pts_attr_meas_algo.c' || echo '$(srcdir)/'`tcg/tcg_pts_attr_meas_algo.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/tcg_pts_attr_meas_algo.Tpo $(DEPDIR)/tcg_pts_attr_meas_algo.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='tcg/tcg_pts_attr_meas_algo.c' object='tcg_pts_attr_meas_algo.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o tcg_pts_attr_meas_algo.lo `test -f 'tcg/tcg_pts_attr_meas_algo.c' || echo '$(srcdir)/'`tcg/tcg_pts_attr_meas_algo.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o tcg_pts_attr_meas_algo.lo `test -f 'tcg/tcg_pts_attr_meas_algo.c' || echo '$(srcdir)/'`tcg/tcg_pts_attr_meas_algo.c
 
 tcg_pts_attr_get_tpm_version_info.lo: tcg/tcg_pts_attr_get_tpm_version_info.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT tcg_pts_attr_get_tpm_version_info.lo -MD -MP -MF $(DEPDIR)/tcg_pts_attr_get_tpm_version_info.Tpo -c -o tcg_pts_attr_get_tpm_version_info.lo `test -f 'tcg/tcg_pts_attr_get_tpm_version_info.c' || echo '$(srcdir)/'`tcg/tcg_pts_attr_get_tpm_version_info.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/tcg_pts_attr_get_tpm_version_info.Tpo $(DEPDIR)/tcg_pts_attr_get_tpm_version_info.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='tcg/tcg_pts_attr_get_tpm_version_info.c' object='tcg_pts_attr_get_tpm_version_info.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT tcg_pts_attr_get_tpm_version_info.lo -MD -MP -MF $(DEPDIR)/tcg_pts_attr_get_tpm_version_info.Tpo -c -o tcg_pts_attr_get_tpm_version_info.lo `test -f 'tcg/tcg_pts_attr_get_tpm_version_info.c' || echo '$(srcdir)/'`tcg/tcg_pts_attr_get_tpm_version_info.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/tcg_pts_attr_get_tpm_version_info.Tpo $(DEPDIR)/tcg_pts_attr_get_tpm_version_info.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='tcg/tcg_pts_attr_get_tpm_version_info.c' object='tcg_pts_attr_get_tpm_version_info.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o tcg_pts_attr_get_tpm_version_info.lo `test -f 'tcg/tcg_pts_attr_get_tpm_version_info.c' || echo '$(srcdir)/'`tcg/tcg_pts_attr_get_tpm_version_info.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o tcg_pts_attr_get_tpm_version_info.lo `test -f 'tcg/tcg_pts_attr_get_tpm_version_info.c' || echo '$(srcdir)/'`tcg/tcg_pts_attr_get_tpm_version_info.c
 
 tcg_pts_attr_tpm_version_info.lo: tcg/tcg_pts_attr_tpm_version_info.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT tcg_pts_attr_tpm_version_info.lo -MD -MP -MF $(DEPDIR)/tcg_pts_attr_tpm_version_info.Tpo -c -o tcg_pts_attr_tpm_version_info.lo `test -f 'tcg/tcg_pts_attr_tpm_version_info.c' || echo '$(srcdir)/'`tcg/tcg_pts_attr_tpm_version_info.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/tcg_pts_attr_tpm_version_info.Tpo $(DEPDIR)/tcg_pts_attr_tpm_version_info.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='tcg/tcg_pts_attr_tpm_version_info.c' object='tcg_pts_attr_tpm_version_info.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT tcg_pts_attr_tpm_version_info.lo -MD -MP -MF $(DEPDIR)/tcg_pts_attr_tpm_version_info.Tpo -c -o tcg_pts_attr_tpm_version_info.lo `test -f 'tcg/tcg_pts_attr_tpm_version_info.c' || echo '$(srcdir)/'`tcg/tcg_pts_attr_tpm_version_info.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/tcg_pts_attr_tpm_version_info.Tpo $(DEPDIR)/tcg_pts_attr_tpm_version_info.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='tcg/tcg_pts_attr_tpm_version_info.c' object='tcg_pts_attr_tpm_version_info.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o tcg_pts_attr_tpm_version_info.lo `test -f 'tcg/tcg_pts_attr_tpm_version_info.c' || echo '$(srcdir)/'`tcg/tcg_pts_attr_tpm_version_info.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o tcg_pts_attr_tpm_version_info.lo `test -f 'tcg/tcg_pts_attr_tpm_version_info.c' || echo '$(srcdir)/'`tcg/tcg_pts_attr_tpm_version_info.c
 
 tcg_pts_attr_get_aik.lo: tcg/tcg_pts_attr_get_aik.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT tcg_pts_attr_get_aik.lo -MD -MP -MF $(DEPDIR)/tcg_pts_attr_get_aik.Tpo -c -o tcg_pts_attr_get_aik.lo `test -f 'tcg/tcg_pts_attr_get_aik.c' || echo '$(srcdir)/'`tcg/tcg_pts_attr_get_aik.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/tcg_pts_attr_get_aik.Tpo $(DEPDIR)/tcg_pts_attr_get_aik.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='tcg/tcg_pts_attr_get_aik.c' object='tcg_pts_attr_get_aik.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT tcg_pts_attr_get_aik.lo -MD -MP -MF $(DEPDIR)/tcg_pts_attr_get_aik.Tpo -c -o tcg_pts_attr_get_aik.lo `test -f 'tcg/tcg_pts_attr_get_aik.c' || echo '$(srcdir)/'`tcg/tcg_pts_attr_get_aik.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/tcg_pts_attr_get_aik.Tpo $(DEPDIR)/tcg_pts_attr_get_aik.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='tcg/tcg_pts_attr_get_aik.c' object='tcg_pts_attr_get_aik.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o tcg_pts_attr_get_aik.lo `test -f 'tcg/tcg_pts_attr_get_aik.c' || echo '$(srcdir)/'`tcg/tcg_pts_attr_get_aik.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o tcg_pts_attr_get_aik.lo `test -f 'tcg/tcg_pts_attr_get_aik.c' || echo '$(srcdir)/'`tcg/tcg_pts_attr_get_aik.c
 
 tcg_pts_attr_aik.lo: tcg/tcg_pts_attr_aik.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT tcg_pts_attr_aik.lo -MD -MP -MF $(DEPDIR)/tcg_pts_attr_aik.Tpo -c -o tcg_pts_attr_aik.lo `test -f 'tcg/tcg_pts_attr_aik.c' || echo '$(srcdir)/'`tcg/tcg_pts_attr_aik.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/tcg_pts_attr_aik.Tpo $(DEPDIR)/tcg_pts_attr_aik.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='tcg/tcg_pts_attr_aik.c' object='tcg_pts_attr_aik.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT tcg_pts_attr_aik.lo -MD -MP -MF $(DEPDIR)/tcg_pts_attr_aik.Tpo -c -o tcg_pts_attr_aik.lo `test -f 'tcg/tcg_pts_attr_aik.c' || echo '$(srcdir)/'`tcg/tcg_pts_attr_aik.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/tcg_pts_attr_aik.Tpo $(DEPDIR)/tcg_pts_attr_aik.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='tcg/tcg_pts_attr_aik.c' object='tcg_pts_attr_aik.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o tcg_pts_attr_aik.lo `test -f 'tcg/tcg_pts_attr_aik.c' || echo '$(srcdir)/'`tcg/tcg_pts_attr_aik.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o tcg_pts_attr_aik.lo `test -f 'tcg/tcg_pts_attr_aik.c' || echo '$(srcdir)/'`tcg/tcg_pts_attr_aik.c
 
 tcg_pts_attr_req_func_comp_evid.lo: tcg/tcg_pts_attr_req_func_comp_evid.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT tcg_pts_attr_req_func_comp_evid.lo -MD -MP -MF $(DEPDIR)/tcg_pts_attr_req_func_comp_evid.Tpo -c -o tcg_pts_attr_req_func_comp_evid.lo `test -f 'tcg/tcg_pts_attr_req_func_comp_evid.c' || echo '$(srcdir)/'`tcg/tcg_pts_attr_req_func_comp_evid.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/tcg_pts_attr_req_func_comp_evid.Tpo $(DEPDIR)/tcg_pts_attr_req_func_comp_evid.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='tcg/tcg_pts_attr_req_func_comp_evid.c' object='tcg_pts_attr_req_func_comp_evid.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT tcg_pts_attr_req_func_comp_evid.lo -MD -MP -MF $(DEPDIR)/tcg_pts_attr_req_func_comp_evid.Tpo -c -o tcg_pts_attr_req_func_comp_evid.lo `test -f 'tcg/tcg_pts_attr_req_func_comp_evid.c' || echo '$(srcdir)/'`tcg/tcg_pts_attr_req_func_comp_evid.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/tcg_pts_attr_req_func_comp_evid.Tpo $(DEPDIR)/tcg_pts_attr_req_func_comp_evid.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='tcg/tcg_pts_attr_req_func_comp_evid.c' object='tcg_pts_attr_req_func_comp_evid.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o tcg_pts_attr_req_func_comp_evid.lo `test -f 'tcg/tcg_pts_attr_req_func_comp_evid.c' || echo '$(srcdir)/'`tcg/tcg_pts_attr_req_func_comp_evid.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o tcg_pts_attr_req_func_comp_evid.lo `test -f 'tcg/tcg_pts_attr_req_func_comp_evid.c' || echo '$(srcdir)/'`tcg/tcg_pts_attr_req_func_comp_evid.c
 
 tcg_pts_attr_gen_attest_evid.lo: tcg/tcg_pts_attr_gen_attest_evid.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT tcg_pts_attr_gen_attest_evid.lo -MD -MP -MF $(DEPDIR)/tcg_pts_attr_gen_attest_evid.Tpo -c -o tcg_pts_attr_gen_attest_evid.lo `test -f 'tcg/tcg_pts_attr_gen_attest_evid.c' || echo '$(srcdir)/'`tcg/tcg_pts_attr_gen_attest_evid.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/tcg_pts_attr_gen_attest_evid.Tpo $(DEPDIR)/tcg_pts_attr_gen_attest_evid.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='tcg/tcg_pts_attr_gen_attest_evid.c' object='tcg_pts_attr_gen_attest_evid.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT tcg_pts_attr_gen_attest_evid.lo -MD -MP -MF $(DEPDIR)/tcg_pts_attr_gen_attest_evid.Tpo -c -o tcg_pts_attr_gen_attest_evid.lo `test -f 'tcg/tcg_pts_attr_gen_attest_evid.c' || echo '$(srcdir)/'`tcg/tcg_pts_attr_gen_attest_evid.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/tcg_pts_attr_gen_attest_evid.Tpo $(DEPDIR)/tcg_pts_attr_gen_attest_evid.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='tcg/tcg_pts_attr_gen_attest_evid.c' object='tcg_pts_attr_gen_attest_evid.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o tcg_pts_attr_gen_attest_evid.lo `test -f 'tcg/tcg_pts_attr_gen_attest_evid.c' || echo '$(srcdir)/'`tcg/tcg_pts_attr_gen_attest_evid.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o tcg_pts_attr_gen_attest_evid.lo `test -f 'tcg/tcg_pts_attr_gen_attest_evid.c' || echo '$(srcdir)/'`tcg/tcg_pts_attr_gen_attest_evid.c
 
 tcg_pts_attr_simple_comp_evid.lo: tcg/tcg_pts_attr_simple_comp_evid.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT tcg_pts_attr_simple_comp_evid.lo -MD -MP -MF $(DEPDIR)/tcg_pts_attr_simple_comp_evid.Tpo -c -o tcg_pts_attr_simple_comp_evid.lo `test -f 'tcg/tcg_pts_attr_simple_comp_evid.c' || echo '$(srcdir)/'`tcg/tcg_pts_attr_simple_comp_evid.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/tcg_pts_attr_simple_comp_evid.Tpo $(DEPDIR)/tcg_pts_attr_simple_comp_evid.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='tcg/tcg_pts_attr_simple_comp_evid.c' object='tcg_pts_attr_simple_comp_evid.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT tcg_pts_attr_simple_comp_evid.lo -MD -MP -MF $(DEPDIR)/tcg_pts_attr_simple_comp_evid.Tpo -c -o tcg_pts_attr_simple_comp_evid.lo `test -f 'tcg/tcg_pts_attr_simple_comp_evid.c' || echo '$(srcdir)/'`tcg/tcg_pts_attr_simple_comp_evid.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/tcg_pts_attr_simple_comp_evid.Tpo $(DEPDIR)/tcg_pts_attr_simple_comp_evid.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='tcg/tcg_pts_attr_simple_comp_evid.c' object='tcg_pts_attr_simple_comp_evid.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o tcg_pts_attr_simple_comp_evid.lo `test -f 'tcg/tcg_pts_attr_simple_comp_evid.c' || echo '$(srcdir)/'`tcg/tcg_pts_attr_simple_comp_evid.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o tcg_pts_attr_simple_comp_evid.lo `test -f 'tcg/tcg_pts_attr_simple_comp_evid.c' || echo '$(srcdir)/'`tcg/tcg_pts_attr_simple_comp_evid.c
 
 tcg_pts_attr_simple_evid_final.lo: tcg/tcg_pts_attr_simple_evid_final.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT tcg_pts_attr_simple_evid_final.lo -MD -MP -MF $(DEPDIR)/tcg_pts_attr_simple_evid_final.Tpo -c -o tcg_pts_attr_simple_evid_final.lo `test -f 'tcg/tcg_pts_attr_simple_evid_final.c' || echo '$(srcdir)/'`tcg/tcg_pts_attr_simple_evid_final.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/tcg_pts_attr_simple_evid_final.Tpo $(DEPDIR)/tcg_pts_attr_simple_evid_final.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='tcg/tcg_pts_attr_simple_evid_final.c' object='tcg_pts_attr_simple_evid_final.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT tcg_pts_attr_simple_evid_final.lo -MD -MP -MF $(DEPDIR)/tcg_pts_attr_simple_evid_final.Tpo -c -o tcg_pts_attr_simple_evid_final.lo `test -f 'tcg/tcg_pts_attr_simple_evid_final.c' || echo '$(srcdir)/'`tcg/tcg_pts_attr_simple_evid_final.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/tcg_pts_attr_simple_evid_final.Tpo $(DEPDIR)/tcg_pts_attr_simple_evid_final.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='tcg/tcg_pts_attr_simple_evid_final.c' object='tcg_pts_attr_simple_evid_final.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o tcg_pts_attr_simple_evid_final.lo `test -f 'tcg/tcg_pts_attr_simple_evid_final.c' || echo '$(srcdir)/'`tcg/tcg_pts_attr_simple_evid_final.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o tcg_pts_attr_simple_evid_final.lo `test -f 'tcg/tcg_pts_attr_simple_evid_final.c' || echo '$(srcdir)/'`tcg/tcg_pts_attr_simple_evid_final.c
 
 tcg_pts_attr_req_file_meas.lo: tcg/tcg_pts_attr_req_file_meas.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT tcg_pts_attr_req_file_meas.lo -MD -MP -MF $(DEPDIR)/tcg_pts_attr_req_file_meas.Tpo -c -o tcg_pts_attr_req_file_meas.lo `test -f 'tcg/tcg_pts_attr_req_file_meas.c' || echo '$(srcdir)/'`tcg/tcg_pts_attr_req_file_meas.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/tcg_pts_attr_req_file_meas.Tpo $(DEPDIR)/tcg_pts_attr_req_file_meas.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='tcg/tcg_pts_attr_req_file_meas.c' object='tcg_pts_attr_req_file_meas.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT tcg_pts_attr_req_file_meas.lo -MD -MP -MF $(DEPDIR)/tcg_pts_attr_req_file_meas.Tpo -c -o tcg_pts_attr_req_file_meas.lo `test -f 'tcg/tcg_pts_attr_req_file_meas.c' || echo '$(srcdir)/'`tcg/tcg_pts_attr_req_file_meas.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/tcg_pts_attr_req_file_meas.Tpo $(DEPDIR)/tcg_pts_attr_req_file_meas.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='tcg/tcg_pts_attr_req_file_meas.c' object='tcg_pts_attr_req_file_meas.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o tcg_pts_attr_req_file_meas.lo `test -f 'tcg/tcg_pts_attr_req_file_meas.c' || echo '$(srcdir)/'`tcg/tcg_pts_attr_req_file_meas.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o tcg_pts_attr_req_file_meas.lo `test -f 'tcg/tcg_pts_attr_req_file_meas.c' || echo '$(srcdir)/'`tcg/tcg_pts_attr_req_file_meas.c
 
 tcg_pts_attr_file_meas.lo: tcg/tcg_pts_attr_file_meas.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT tcg_pts_attr_file_meas.lo -MD -MP -MF $(DEPDIR)/tcg_pts_attr_file_meas.Tpo -c -o tcg_pts_attr_file_meas.lo `test -f 'tcg/tcg_pts_attr_file_meas.c' || echo '$(srcdir)/'`tcg/tcg_pts_attr_file_meas.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/tcg_pts_attr_file_meas.Tpo $(DEPDIR)/tcg_pts_attr_file_meas.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='tcg/tcg_pts_attr_file_meas.c' object='tcg_pts_attr_file_meas.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT tcg_pts_attr_file_meas.lo -MD -MP -MF $(DEPDIR)/tcg_pts_attr_file_meas.Tpo -c -o tcg_pts_attr_file_meas.lo `test -f 'tcg/tcg_pts_attr_file_meas.c' || echo '$(srcdir)/'`tcg/tcg_pts_attr_file_meas.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/tcg_pts_attr_file_meas.Tpo $(DEPDIR)/tcg_pts_attr_file_meas.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='tcg/tcg_pts_attr_file_meas.c' object='tcg_pts_attr_file_meas.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o tcg_pts_attr_file_meas.lo `test -f 'tcg/tcg_pts_attr_file_meas.c' || echo '$(srcdir)/'`tcg/tcg_pts_attr_file_meas.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o tcg_pts_attr_file_meas.lo `test -f 'tcg/tcg_pts_attr_file_meas.c' || echo '$(srcdir)/'`tcg/tcg_pts_attr_file_meas.c
 
 tcg_pts_attr_req_file_meta.lo: tcg/tcg_pts_attr_req_file_meta.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT tcg_pts_attr_req_file_meta.lo -MD -MP -MF $(DEPDIR)/tcg_pts_attr_req_file_meta.Tpo -c -o tcg_pts_attr_req_file_meta.lo `test -f 'tcg/tcg_pts_attr_req_file_meta.c' || echo '$(srcdir)/'`tcg/tcg_pts_attr_req_file_meta.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/tcg_pts_attr_req_file_meta.Tpo $(DEPDIR)/tcg_pts_attr_req_file_meta.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='tcg/tcg_pts_attr_req_file_meta.c' object='tcg_pts_attr_req_file_meta.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT tcg_pts_attr_req_file_meta.lo -MD -MP -MF $(DEPDIR)/tcg_pts_attr_req_file_meta.Tpo -c -o tcg_pts_attr_req_file_meta.lo `test -f 'tcg/tcg_pts_attr_req_file_meta.c' || echo '$(srcdir)/'`tcg/tcg_pts_attr_req_file_meta.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/tcg_pts_attr_req_file_meta.Tpo $(DEPDIR)/tcg_pts_attr_req_file_meta.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='tcg/tcg_pts_attr_req_file_meta.c' object='tcg_pts_attr_req_file_meta.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o tcg_pts_attr_req_file_meta.lo `test -f 'tcg/tcg_pts_attr_req_file_meta.c' || echo '$(srcdir)/'`tcg/tcg_pts_attr_req_file_meta.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o tcg_pts_attr_req_file_meta.lo `test -f 'tcg/tcg_pts_attr_req_file_meta.c' || echo '$(srcdir)/'`tcg/tcg_pts_attr_req_file_meta.c
 
 tcg_pts_attr_unix_file_meta.lo: tcg/tcg_pts_attr_unix_file_meta.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT tcg_pts_attr_unix_file_meta.lo -MD -MP -MF $(DEPDIR)/tcg_pts_attr_unix_file_meta.Tpo -c -o tcg_pts_attr_unix_file_meta.lo `test -f 'tcg/tcg_pts_attr_unix_file_meta.c' || echo '$(srcdir)/'`tcg/tcg_pts_attr_unix_file_meta.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/tcg_pts_attr_unix_file_meta.Tpo $(DEPDIR)/tcg_pts_attr_unix_file_meta.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='tcg/tcg_pts_attr_unix_file_meta.c' object='tcg_pts_attr_unix_file_meta.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT tcg_pts_attr_unix_file_meta.lo -MD -MP -MF $(DEPDIR)/tcg_pts_attr_unix_file_meta.Tpo -c -o tcg_pts_attr_unix_file_meta.lo `test -f 'tcg/tcg_pts_attr_unix_file_meta.c' || echo '$(srcdir)/'`tcg/tcg_pts_attr_unix_file_meta.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/tcg_pts_attr_unix_file_meta.Tpo $(DEPDIR)/tcg_pts_attr_unix_file_meta.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='tcg/tcg_pts_attr_unix_file_meta.c' object='tcg_pts_attr_unix_file_meta.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o tcg_pts_attr_unix_file_meta.lo `test -f 'tcg/tcg_pts_attr_unix_file_meta.c' || echo '$(srcdir)/'`tcg/tcg_pts_attr_unix_file_meta.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o tcg_pts_attr_unix_file_meta.lo `test -f 'tcg/tcg_pts_attr_unix_file_meta.c' || echo '$(srcdir)/'`tcg/tcg_pts_attr_unix_file_meta.c
 
 mostlyclean-libtool:
 	-rm -f *.lo
diff --git a/src/libpts/plugins/imc_attestation/Makefile.am b/src/libpts/plugins/imc_attestation/Makefile.am
index 9d78b935a..18c756884 100644
--- a/src/libpts/plugins/imc_attestation/Makefile.am
+++ b/src/libpts/plugins/imc_attestation/Makefile.am
@@ -1,8 +1,11 @@
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libtncif \
+	-I$(top_srcdir)/src/libimcv \
+	-I$(top_srcdir)/src/libpts
 
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libtncif \
-	-I$(top_srcdir)/src/libimcv -I$(top_srcdir)/src/libpts
-
-AM_CFLAGS = -rdynamic
+AM_CFLAGS = \
+	-rdynamic
 
 imcv_LTLIBRARIES = imc-attestation.la
 
@@ -15,4 +18,3 @@ imc_attestation_la_SOURCES = imc_attestation.c \
 	imc_attestation_process.h imc_attestation_process.c
 
 imc_attestation_la_LDFLAGS = -module -avoid-version
-
diff --git a/src/libpts/plugins/imc_attestation/Makefile.in b/src/libpts/plugins/imc_attestation/Makefile.in
index c30945b79..b129f9274 100644
--- a/src/libpts/plugins/imc_attestation/Makefile.in
+++ b/src/libpts/plugins/imc_attestation/Makefile.in
@@ -62,7 +62,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
@@ -105,22 +105,39 @@ imc_attestation_la_DEPENDENCIES =  \
 am_imc_attestation_la_OBJECTS = imc_attestation.lo \
 	imc_attestation_state.lo imc_attestation_process.lo
 imc_attestation_la_OBJECTS = $(am_imc_attestation_la_OBJECTS)
-imc_attestation_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
-	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
-	$(imc_attestation_la_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+imc_attestation_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
+	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
+	$(AM_CFLAGS) $(CFLAGS) $(imc_attestation_la_LDFLAGS) \
+	$(LDFLAGS) -o $@
 DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
 depcomp = $(SHELL) $(top_srcdir)/depcomp
 am__depfiles_maybe = depfiles
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
 SOURCES = $(imc_attestation_la_SOURCES)
 DIST_SOURCES = $(imc_attestation_la_SOURCES)
 am__can_run_installinfo = \
@@ -134,6 +151,7 @@ DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
@@ -146,6 +164,8 @@ CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
 CHECK_CFLAGS = @CHECK_CFLAGS@
 CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -161,6 +181,7 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
 GPRBUILD = @GPRBUILD@
 GREP = @GREP@
@@ -169,6 +190,7 @@ INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -215,6 +237,7 @@ SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -243,6 +266,7 @@ charon_natt_port = @charon_natt_port@
 charon_plugins = @charon_plugins@
 charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
@@ -320,10 +344,15 @@ top_srcdir = @top_srcdir@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libtncif \
-	-I$(top_srcdir)/src/libimcv -I$(top_srcdir)/src/libpts
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libtncif \
+	-I$(top_srcdir)/src/libimcv \
+	-I$(top_srcdir)/src/libpts
+
+AM_CFLAGS = \
+	-rdynamic
 
-AM_CFLAGS = -rdynamic
 imcv_LTLIBRARIES = imc-attestation.la
 imc_attestation_la_LIBADD = $(top_builddir)/src/libimcv/libimcv.la \
 	$(top_builddir)/src/libstrongswan/libstrongswan.la \
@@ -401,7 +430,7 @@ clean-imcvLTLIBRARIES:
 	  rm -f "$${dir}/so_locations"; \
 	done
 imc-attestation.la: $(imc_attestation_la_OBJECTS) $(imc_attestation_la_DEPENDENCIES) $(EXTRA_imc_attestation_la_DEPENDENCIES) 
-	$(imc_attestation_la_LINK) -rpath $(imcvdir) $(imc_attestation_la_OBJECTS) $(imc_attestation_la_LIBADD) $(LIBS)
+	$(AM_V_CCLD)$(imc_attestation_la_LINK) -rpath $(imcvdir) $(imc_attestation_la_OBJECTS) $(imc_attestation_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -414,25 +443,25 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/imc_attestation_state.Plo@am__quote@
 
 .c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
 mostlyclean-libtool:
 	-rm -f *.lo
diff --git a/src/libpts/plugins/imv_attestation/Makefile.am b/src/libpts/plugins/imv_attestation/Makefile.am
index 5e7465195..ae5225ae3 100644
--- a/src/libpts/plugins/imv_attestation/Makefile.am
+++ b/src/libpts/plugins/imv_attestation/Makefile.am
@@ -1,11 +1,12 @@
-
-INCLUDES = \
+AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
 	-I$(top_srcdir)/src/libtncif \
 	-I$(top_srcdir)/src/libimcv \
-	-I$(top_srcdir)/src/libpts
+	-I$(top_srcdir)/src/libpts \
+	-DPLUGINS=\""${attest_plugins}\""
 
-AM_CFLAGS = -rdynamic -DPLUGINS=\""${attest_plugins}\""
+AM_CFLAGS = \
+	-rdynamic
 
 imcv_LTLIBRARIES = imv-attestation.la
 
@@ -16,6 +17,7 @@ imv_attestation_la_LIBADD = \
 
 imv_attestation_la_SOURCES = imv_attestation.c \
 	imv_attestation_state.h imv_attestation_state.c \
+	imv_attestation_agent.h imv_attestation_agent.c \
 	imv_attestation_process.h imv_attestation_process.c \
 	imv_attestation_build.h imv_attestation_build.c
 
@@ -24,8 +26,7 @@ imv_attestation_la_LDFLAGS = -module -avoid-version
 ipsec_PROGRAMS = attest
 attest_SOURCES = attest.c \
 	attest_usage.h attest_usage.c \
-	attest_db.h attest_db.c \
-	tables.sql data.sql
+	attest_db.h attest_db.c
 attest_LDADD = \
 	$(top_builddir)/src/libimcv/libimcv.la \
 	$(top_builddir)/src/libpts/libpts.la \
diff --git a/src/libpts/plugins/imv_attestation/Makefile.in b/src/libpts/plugins/imv_attestation/Makefile.in
index 153865d30..36b440e82 100644
--- a/src/libpts/plugins/imv_attestation/Makefile.in
+++ b/src/libpts/plugins/imv_attestation/Makefile.in
@@ -64,7 +64,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
@@ -105,12 +105,16 @@ imv_attestation_la_DEPENDENCIES =  \
 	$(top_builddir)/src/libstrongswan/libstrongswan.la \
 	$(top_builddir)/src/libpts/libpts.la
 am_imv_attestation_la_OBJECTS = imv_attestation.lo \
-	imv_attestation_state.lo imv_attestation_process.lo \
-	imv_attestation_build.lo
+	imv_attestation_state.lo imv_attestation_agent.lo \
+	imv_attestation_process.lo imv_attestation_build.lo
 imv_attestation_la_OBJECTS = $(am_imv_attestation_la_OBJECTS)
-imv_attestation_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
-	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
-	$(imv_attestation_la_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+imv_attestation_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
+	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
+	$(AM_CFLAGS) $(CFLAGS) $(imv_attestation_la_LDFLAGS) \
+	$(LDFLAGS) -o $@
 PROGRAMS = $(ipsec_PROGRAMS)
 am_attest_OBJECTS = attest.$(OBJEXT) attest_usage.$(OBJEXT) \
 	attest_db.$(OBJEXT)
@@ -124,13 +128,26 @@ am__depfiles_maybe = depfiles
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
 SOURCES = $(imv_attestation_la_SOURCES) $(attest_SOURCES)
 DIST_SOURCES = $(imv_attestation_la_SOURCES) $(attest_SOURCES)
 am__can_run_installinfo = \
@@ -144,6 +161,7 @@ DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
@@ -156,6 +174,8 @@ CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
 CHECK_CFLAGS = @CHECK_CFLAGS@
 CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -171,6 +191,7 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
 GPRBUILD = @GPRBUILD@
 GREP = @GREP@
@@ -179,6 +200,7 @@ INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -225,6 +247,7 @@ SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -253,6 +276,7 @@ charon_natt_port = @charon_natt_port@
 charon_plugins = @charon_plugins@
 charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
@@ -330,13 +354,16 @@ top_srcdir = @top_srcdir@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-INCLUDES = \
+AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
 	-I$(top_srcdir)/src/libtncif \
 	-I$(top_srcdir)/src/libimcv \
-	-I$(top_srcdir)/src/libpts
+	-I$(top_srcdir)/src/libpts \
+	-DPLUGINS=\""${attest_plugins}\""
+
+AM_CFLAGS = \
+	-rdynamic
 
-AM_CFLAGS = -rdynamic -DPLUGINS=\""${attest_plugins}\""
 imcv_LTLIBRARIES = imv-attestation.la
 imv_attestation_la_LIBADD = \
 	$(top_builddir)/src/libimcv/libimcv.la \
@@ -345,14 +372,14 @@ imv_attestation_la_LIBADD = \
 
 imv_attestation_la_SOURCES = imv_attestation.c \
 	imv_attestation_state.h imv_attestation_state.c \
+	imv_attestation_agent.h imv_attestation_agent.c \
 	imv_attestation_process.h imv_attestation_process.c \
 	imv_attestation_build.h imv_attestation_build.c
 
 imv_attestation_la_LDFLAGS = -module -avoid-version
 attest_SOURCES = attest.c \
 	attest_usage.h attest_usage.c \
-	attest_db.h attest_db.c \
-	tables.sql data.sql
+	attest_db.h attest_db.c
 
 attest_LDADD = \
 	$(top_builddir)/src/libimcv/libimcv.la \
@@ -427,7 +454,7 @@ clean-imcvLTLIBRARIES:
 	  rm -f "$${dir}/so_locations"; \
 	done
 imv-attestation.la: $(imv_attestation_la_OBJECTS) $(imv_attestation_la_DEPENDENCIES) $(EXTRA_imv_attestation_la_DEPENDENCIES) 
-	$(imv_attestation_la_LINK) -rpath $(imcvdir) $(imv_attestation_la_OBJECTS) $(imv_attestation_la_LIBADD) $(LIBS)
+	$(AM_V_CCLD)$(imv_attestation_la_LINK) -rpath $(imcvdir) $(imv_attestation_la_OBJECTS) $(imv_attestation_la_LIBADD) $(LIBS)
 install-ipsecPROGRAMS: $(ipsec_PROGRAMS)
 	@$(NORMAL_INSTALL)
 	@list='$(ipsec_PROGRAMS)'; test -n "$(ipsecdir)" || list=; \
@@ -476,7 +503,7 @@ clean-ipsecPROGRAMS:
 	rm -f $$list
 attest$(EXEEXT): $(attest_OBJECTS) $(attest_DEPENDENCIES) $(EXTRA_attest_DEPENDENCIES) 
 	@rm -f attest$(EXEEXT)
-	$(LINK) $(attest_OBJECTS) $(attest_LDADD) $(LIBS)
+	$(AM_V_CCLD)$(LINK) $(attest_OBJECTS) $(attest_LDADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -488,30 +515,31 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/attest_db.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/attest_usage.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/imv_attestation.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/imv_attestation_agent.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/imv_attestation_build.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/imv_attestation_process.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/imv_attestation_state.Plo@am__quote@
 
 .c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
 mostlyclean-libtool:
 	-rm -f *.lo
diff --git a/src/libpts/plugins/imv_attestation/attest.c b/src/libpts/plugins/imv_attestation/attest.c
index 1cdacaeeb..4d25df3f4 100644
--- a/src/libpts/plugins/imv_attestation/attest.c
+++ b/src/libpts/plugins/imv_attestation/attest.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2011-2012 Andreas Steffen
+ * Copyright (C) 2011-2013 Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -20,6 +20,7 @@
 #include <string.h>
 #include <errno.h>
 #include <syslog.h>
+#include <libgen.h>
 
 #include <library.h>
 #include <utils/debug.h>
@@ -81,6 +82,7 @@ static void attest_dbg(debug_t group, level_t level, char *fmt, ...)
  */
 attest_db_t *attest;
 
+
 /**
  * atexit handler to close db on shutdown
  */
@@ -100,11 +102,13 @@ static void do_args(int argc, char *argv[])
 		OP_KEYS,
 		OP_COMPONENTS,
 		OP_DEVICES,
+		OP_DIRECTORIES,
 		OP_FILES,
 		OP_HASHES,
 		OP_MEASUREMENTS,
 		OP_PACKAGES,
 		OP_PRODUCTS,
+		OP_SESSIONS,
 		OP_ADD,
 		OP_DEL,
 	} op = OP_UNDEF;
@@ -120,15 +124,19 @@ static void do_args(int argc, char *argv[])
 			{ "help", no_argument, NULL, 'h' },
 			{ "components", no_argument, NULL, 'c' },
 			{ "devices", no_argument, NULL, 'e' },
+			{ "directories", no_argument, NULL, 'd' },
+			{ "dirs", no_argument, NULL, 'd' },
 			{ "files", no_argument, NULL, 'f' },
 			{ "keys", no_argument, NULL, 'k' },
 			{ "packages", no_argument, NULL, 'g' },
 			{ "products", no_argument, NULL, 'p' },
 			{ "hashes", no_argument, NULL, 'H' },
 			{ "measurements", no_argument, NULL, 'm' },
+			{ "sessions", no_argument, NULL, 's' },
 			{ "add", no_argument, NULL, 'a' },
-			{ "delete", no_argument, NULL, 'd' },
-			{ "del", no_argument, NULL, 'd' },
+			{ "delete", no_argument, NULL, 'r' },
+			{ "del", no_argument, NULL, 'r' },
+			{ "remove", no_argument, NULL, 'r' },
 			{ "aik", required_argument, NULL, 'A' },
 			{ "blacklist", no_argument, NULL, 'B' },
 			{ "component", required_argument, NULL, 'C' },
@@ -171,6 +179,9 @@ static void do_args(int argc, char *argv[])
 			case 'c':
 				op = OP_COMPONENTS;
 				continue;
+			case 'd':
+				op = OP_DIRECTORIES;
+				continue;
 			case 'e':
 				op = OP_DEVICES;
 				continue;
@@ -192,10 +203,13 @@ static void do_args(int argc, char *argv[])
 			case 'm':
 				op = OP_MEASUREMENTS;
 				continue;
+			case 's':
+				op = OP_SESSIONS;
+				continue;
 			case 'a':
 				op = OP_ADD;
 				continue;
-			case 'd':
+			case 'r':
 				op = OP_DEL;
 				continue;
 			case 'A':
@@ -236,7 +250,7 @@ static void do_args(int argc, char *argv[])
 				continue;
 			}
 			case 'B':
-				attest->set_security(attest, OS_PACKAGE_STATE_BLACKLIST);
+				attest->set_package_state(attest, OS_PACKAGE_STATE_BLACKLIST);
 				continue;
 			case 'C':
 				if (!attest->set_component(attest, optarg, op == OP_ADD))
@@ -251,11 +265,26 @@ static void do_args(int argc, char *argv[])
 				}
 				continue;
 			case 'F':
-				if (!attest->set_file(attest, optarg, op == OP_ADD))
+			{
+				char *path = strdup(optarg);
+				char *dir = dirname(path);
+				char *file = basename(optarg);
+
+				if (*dir != '.')
+				{
+					if (!attest->set_directory(attest, dir, op == OP_ADD))
+					{
+						free(path);
+						exit(EXIT_FAILURE);
+					}
+				}
+				free(path);
+				if (!attest->set_file(attest, file, op == OP_ADD))
 				{
 					exit(EXIT_FAILURE);
 				}
 				continue;
+			}
 			case 'G':
 				if (!attest->set_package(attest, optarg, op == OP_ADD))
 				{
@@ -301,7 +330,7 @@ static void do_args(int argc, char *argv[])
 				}
 				continue;
 			case 'Y':
-				attest->set_security(attest, OS_PACKAGE_STATE_SECURITY);
+				attest->set_package_state(attest, OS_PACKAGE_STATE_SECURITY);
 				continue;
 			case '1':
 				attest->set_algo(attest, PTS_MEAS_ALGO_SHA1);
@@ -372,6 +401,9 @@ static void do_args(int argc, char *argv[])
 		case OP_DEVICES:
 			attest->list_devices(attest);
 			break;
+		case OP_DIRECTORIES:
+			attest->list_directories(attest);
+			break;
 		case OP_FILES:
 			attest->list_files(attest);
 			break;
@@ -381,6 +413,9 @@ static void do_args(int argc, char *argv[])
 		case OP_MEASUREMENTS:
 			attest->list_measurements(attest);
 			break;
+		case OP_SESSIONS:
+			attest->list_sessions(attest);
+			break;
 		case OP_ADD:
 			attest->add(attest);
 			break;
@@ -408,7 +443,7 @@ int main(int argc, char *argv[])
 	{
 		exit(SS_RC_LIBSTRONGSWAN_INTEGRITY);
 	}
-	if (!lib->plugins->load(lib->plugins, NULL,
+	if (!lib->plugins->load(lib->plugins,
 			lib->settings->get_str(lib->settings, "attest.load", PLUGINS)))
 	{
 		exit(SS_RC_INITIALIZATION_FAILED);
@@ -426,7 +461,7 @@ int main(int argc, char *argv[])
 		exit(SS_RC_INITIALIZATION_FAILED);
 	}
 	atexit(cleanup);
-	libimcv_init();
+	libimcv_init(FALSE);
 	libpts_init();
 
 	do_args(argc, argv);
diff --git a/src/libpts/plugins/imv_attestation/attest_db.c b/src/libpts/plugins/imv_attestation/attest_db.c
index b2116c0ff..d7654ab43 100644
--- a/src/libpts/plugins/imv_attestation/attest_db.c
+++ b/src/libpts/plugins/imv_attestation/attest_db.c
@@ -13,6 +13,14 @@
  * for more details.
  */
 
+#define _GNU_SOURCE
+
+#include <stdio.h>
+#include <libgen.h>
+#include <time.h>
+
+#include <tncif_names.h>
+
 #include "attest_db.h"
 
 #include "libpts.h"
@@ -20,10 +28,8 @@
 #include "pts/pts_file_meas.h"
 #include "pts/components/pts_comp_func_name.h"
 
-#include <libgen.h>
-#include <time.h>
-
 #define IMA_MAX_NAME_LEN	255
+#define DEVICE_MAX_LEN		 20
 
 typedef struct private_attest_db_t private_attest_db_t;
 
@@ -62,11 +68,6 @@ struct private_attest_db_t {
 	 */
 	int did;
 
-	/**
-	 * TRUE if directory has been set
-	 */
-	bool dir_set;
-
 	/**
 	 * Measurement file to be queried
 	 */
@@ -77,11 +78,6 @@ struct private_attest_db_t {
 	 */
 	int fid;
 
-	/**
-	 * TRUE if file has been set
-	 */
-	bool file_set;
-
 	/**
 	 *  AIK to be queried
 	 */
@@ -148,9 +144,9 @@ struct private_attest_db_t {
 	bool utc;
 
 	/**
-	 * Package security state
+	 * Package security or blacklist state
 	 */
-	os_package_state_t security;
+	os_package_state_t package_state;
 
 	/**
 	 * Sequence number for ordering entries
@@ -304,35 +300,35 @@ METHOD(attest_db_t, set_directory, bool,
 	private_attest_db_t *this, char *dir, bool create)
 {
 	enumerator_t *e;
+	int did;
 	size_t len;
 
-	if (this->dir_set)
+	if (this->did)
 	{
 		printf("directory has already been set\n");
 		return FALSE;
 	}
-	free(this->dir);
 
-	/* remove trailing '/' character */
+	/* remove trailing '/' character if not root directory */
 	len = strlen(dir);
-	if (len && dir[len-1] == '/')
+	if (len > 1 && dir[len-1] == '/')
 	{
 		dir[len-1] = '\0';
 	}
 	this->dir = strdup(dir);
 
 	e = this->db->query(this->db,
-						"SELECT id FROM files WHERE type = 1 AND path = ?",
+						"SELECT id FROM directories WHERE path = ?",
 						DB_TEXT, dir, DB_INT);
 	if (e)
 	{
-		if (e->enumerate(e, &this->did))
+		if (e->enumerate(e, &did))
 		{
-			this->dir_set = TRUE;
+			this->did = did;
 		}
 		e->destroy(e);
 	}
-	if (this->dir_set)
+	if (this->did)
 	{
 		return TRUE;
 	}
@@ -344,14 +340,15 @@ METHOD(attest_db_t, set_directory, bool,
 	}
 
 	/* Add a new database entry */
-	this->dir_set = this->db->execute(this->db, &this->did,
-								"INSERT INTO files (type, path) VALUES (1, ?)",
-								DB_TEXT, dir) == 1;
-
+	if (1 == this->db->execute(this->db, &did,
+				"INSERT INTO directories (path) VALUES (?)", DB_TEXT, dir))
+	{
+		this->did = did;
+	}
 	printf("directory '%s' %sinserted into database\n", dir,
-		   this->dir_set ? "" : "could not be ");
+			this->did ? "" : "could not be ");
 
-	return this->dir_set;
+	return this->did > 0;
 }
 
 METHOD(attest_db_t, set_did, bool,
@@ -360,22 +357,20 @@ METHOD(attest_db_t, set_did, bool,
 	enumerator_t *e;
 	char *dir;
 
-	if (this->dir_set)
+	if (this->did)
 	{
 		printf("directory has already been set\n");
 		return FALSE;
 	}
-	this->did = did;
 
-	e = this->db->query(this->db, "SELECT path FROM files WHERE id = ?",
+	e = this->db->query(this->db, "SELECT path FROM directories WHERE id = ?",
 						DB_UINT, did, DB_TEXT);
 	if (e)
 	{
 		if (e->enumerate(e, &dir))
 		{
-			free(this->dir);
 			this->dir = strdup(dir);
-			this->dir_set = TRUE;
+			this->did = did;
 		}
 		else
 		{
@@ -383,76 +378,88 @@ METHOD(attest_db_t, set_did, bool,
 		}
 		e->destroy(e);
 	}
-	return this->dir_set;
+	return this->did > 0;
 }
 
 METHOD(attest_db_t, set_file, bool,
 	private_attest_db_t *this, char *file, bool create)
 {
+	int fid;
+	char *sep;
 	enumerator_t *e;
-	char *filename;
 
-	if (this->file_set)
+	if (this->file)
 	{
 		printf("file has already been set\n");
 		return FALSE;
 	}
 	this->file = strdup(file);
-	filename = this->relative ? basename(file) : file;
 
-	e = this->db->query(this->db, "SELECT id FROM files WHERE path = ?",
-						DB_TEXT, filename, DB_INT);
+	if (!this->did)
+	{
+		return TRUE;
+	}
+	sep = streq(this->dir, "/") ? "" : "/";
+	e = this->db->query(this->db, "SELECT id FROM files "
+						"WHERE dir = ? AND name = ?",
+						DB_INT, this->did, DB_TEXT, file, DB_INT);
 	if (e)
 	{
-		if (e->enumerate(e, &this->fid))
+		if (e->enumerate(e, &fid))
 		{
-			this->file_set = TRUE;
+			this->fid = fid;
 		}
 		e->destroy(e);
 	}
-	if (this->file_set)
+	if (this->fid)
 	{
 		return TRUE;
 	}
 
 	if (!create)
 	{
-		printf("file '%s' not found in database\n", file);
+		printf("file '%s%s%s' not found in database\n", this->dir, sep, file);
 		return FALSE;
 	}
 
 	/* Add a new database entry */
-	this->file_set = this->db->execute(this->db, &this->fid,
-								"INSERT INTO files (type, path) VALUES (0, ?)",
-								DB_TEXT, filename) == 1;
-
-	printf("file '%s' %sinserted into database\n", filename,
-		   this->file_set ? "" : "could not be ");
+	if (1 == this->db->execute(this->db, &fid,
+							   "INSERT INTO files (dir, name) VALUES (?, ?)",
+							   DB_INT, this->did, DB_TEXT, file))
+	{
+		this->fid = fid;
+	}
+	printf("file '%s%s%s' %sinserted into database\n", this->dir, sep, file,
+		   this->fid ? "" : "could not be ");
 
-	return this->file_set;
+	return this->fid > 0;
 }
 
 METHOD(attest_db_t, set_fid, bool,
 	private_attest_db_t *this, int fid)
 {
 	enumerator_t *e;
+	int did;
 	char *file;
 
-	if (this->file_set)
+	if (this->fid)
 	{
 		printf("file has already been set\n");
 		return FALSE;
 	}
-	this->fid = fid;
 
-	e = this->db->query(this->db, "SELECT path FROM files WHERE id = ?",
-						DB_UINT, fid, DB_TEXT);
+	e = this->db->query(this->db, "SELECT dir, name FROM files WHERE id = ?",
+						DB_UINT, fid, DB_INT, DB_TEXT);
 	if (e)
 	{
-		if (e->enumerate(e, &file))
+		if (e->enumerate(e, &did, &file))
 		{
+			if (did)
+			{
+				set_did(this, did);
+			}
 			this->file = strdup(file);
-			this->file_set = TRUE;
+			this->fid = fid;
 		}
 		else
 		{
@@ -460,7 +467,7 @@ METHOD(attest_db_t, set_fid, bool,
 		}
 		e->destroy(e);
 	}
-	return this->file_set;
+	return this->fid > 0;
 }
 
 METHOD(attest_db_t, set_key, bool,
@@ -726,10 +733,10 @@ METHOD(attest_db_t, set_relative, void,
 	this->relative = TRUE;
 }
 
-METHOD(attest_db_t, set_security, void,
-	private_attest_db_t *this, os_package_state_t security)
+METHOD(attest_db_t, set_package_state, void,
+	private_attest_db_t *this, os_package_state_t package_state)
 {
-	this->security = security;
+	this->package_state = package_state;
 }
 
 METHOD(attest_db_t, set_sequence, void,
@@ -805,44 +812,42 @@ METHOD(attest_db_t, list_devices, void,
 	private_attest_db_t *this)
 {
 	enumerator_t *e, *e_ar;
-	chunk_t value, ar_id_value = chunk_empty;
-	char *product;
+	chunk_t ar_id_value = chunk_empty;
+	char *product, *device;
 	time_t timestamp;
 	int id, last_id = 0, ar_id = 0, last_ar_id = 0, device_count = 0;
-	int count, count_update, count_blacklist;
+	int session_id, rec;
 	u_int32_t ar_id_type;
-	u_int tstamp, flags = 0;
+	u_int tstamp;
 
 	e = this->db->query(this->db,
-			"SELECT d.id, d.value, i.time, i.count, i.count_update, "
-			"i.count_blacklist, i.flags, i.ar_id, p.name FROM devices AS d "
-			"JOIN device_infos AS i ON d.id = i.device "
-			"JOIN products AS p ON p.id = i.product "
-			"ORDER BY d.value, i.time DESC",
-			 DB_INT, DB_BLOB, DB_UINT, DB_INT, DB_INT, DB_INT, DB_UINT,
-			 DB_INT, DB_TEXT);
+			"SELECT d.id, d.value, s.id, s.time, s.identity, s.rec, p.name "
+			"FROM devices AS d "
+			"JOIN sessions AS s ON d.id = s.device "
+			"JOIN products AS p ON p.id = s.product "
+			"ORDER BY d.value, s.time DESC", DB_INT, DB_TEXT, DB_INT, DB_UINT,
+			 DB_INT, DB_INT, DB_TEXT);
 
 	if (e)
 	{
-		while (e->enumerate(e, &id, &value, &tstamp, &count, &count_update,
-							   &count_blacklist, &flags, &ar_id, &product))
+		while (e->enumerate(e, &id, &device, &session_id, &tstamp, &ar_id, &rec,
+							   &product))
 		{
 			if (id != last_id)
 			{
-				printf("%4d: %.*s\n", id, (int)value.len, value.ptr);
+				printf("%4d: %s - %s\n", id, device, product);
 				device_count++;
 				last_id = id;
 			}
 			timestamp = tstamp;
-			printf("      %T, %4d, %3d, %3d, %1u, '%s'", &timestamp, this->utc,
-				   count, count_update, count_blacklist, flags, product);
+			printf("%4d:   %T", session_id, &timestamp, this->utc);
 			if (ar_id)
 			{
 				if (ar_id != last_ar_id)
 				{
 					chunk_free(&ar_id_value);
 					e_ar = this->db->query(this->db,
-								"SELECT type, data FROM identities "
+								"SELECT type, value FROM identities "
 								"WHERE id = ?", DB_INT, ar_id, DB_INT, DB_BLOB);
 					if (e_ar)
 					{
@@ -857,7 +862,7 @@ METHOD(attest_db_t, list_devices, void,
 				}
 				last_ar_id = ar_id;
 			}
-			printf("\n");
+			printf(" - %N\n", TNC_IMV_Action_Recommendation_names, rec);
 		}
 		e->destroy(e);
 		free(ar_id_value.ptr);
@@ -920,53 +925,92 @@ METHOD(attest_db_t, list_files, void,
 	private_attest_db_t *this)
 {
 	enumerator_t *e;
-	char *file, *file_type[] = { " ", "d", "r" };
-	int fid, type, meas, meta, count = 0;
+	char *dir, *file;
+	int did, last_did = 0, fid, count = 0;
 
-	if (this->pid)
+	if (this->did)
 	{
 		e = this->db->query(this->db,
-				"SELECT f.id, f.type, f.path, pf.measurement, pf.metadata "
-				"FROM files AS f "
-				"JOIN product_file AS pf ON f.id = pf.file "
-				"WHERE pf.product = ? ORDER BY f.path",
-				DB_UINT, this->pid, DB_INT, DB_INT, DB_TEXT, DB_INT, DB_INT);
+				"SELECT id, name FROM files WHERE dir = ? ORDER BY name",
+				DB_INT, this->did, DB_INT, DB_TEXT);
 		if (e)
 		{
-			while (e->enumerate(e, &fid, &type, &file, &meas, &meta))
+			while (e->enumerate(e, &fid, &file))
 			{
-				type = (type < 0 || type > 2) ? 0 : type;
-				printf("%4d: |%s%s| %s %s\n", fid, meas ? "M":" ", meta ? "T":" ",
-											  file_type[type], file);
+				printf("%4d: %s\n", fid, file);
 				count++;
 			}
 			e->destroy(e);
 		}
+		printf("%d file%s found in directory '%s'\n", count,
+			  (count == 1) ? "" : "s", this->dir);
 	}
 	else
 	{
 		e = this->db->query(this->db,
-				"SELECT id, type, path FROM files "
-				"ORDER BY path",
-				DB_INT, DB_INT, DB_TEXT);
+				"SELECT d.id, d.path, f.id, f.name FROM files AS f "
+				"JOIN directories AS d ON f.dir = d.id "
+				"ORDER BY d.path, f.name",
+				DB_INT, DB_TEXT, DB_INT, DB_TEXT);
 		if (e)
 		{
-			while (e->enumerate(e, &fid, &type, &file))
+			while (e->enumerate(e, &did, &dir, &fid, &file))
 			{
-				type = (type < 0 || type > 2) ? 0 : type;
-				printf("%4d: %s %s\n", fid, file_type[type], file);
+				if (did != last_did)
+				{
+					printf("%4d: %s\n", did, dir);
+					last_did = did;
+				}
+				printf("%4d:   %s\n", fid, file);
 				count++;
 			}
 			e->destroy(e);
 		}
+		printf("%d file%s found\n", count, (count == 1) ? "" : "s");
 	}
+}
 
-	printf("%d file%s found", count, (count == 1) ? "" : "s");
-	if (this->product_set)
+METHOD(attest_db_t, list_directories, void,
+	private_attest_db_t *this)
+{
+	enumerator_t *e;
+	char *dir;
+	int did, count = 0;
+
+	if (this->file)
 	{
-		printf(" for product '%s'", this->product);
+		e = this->db->query(this->db,
+				"SELECT d.id, d.path FROM directories AS d "
+				"JOIN files AS f ON f.dir = d.id WHERE f.name = ? "
+				"ORDER BY path", DB_TEXT, this->file, DB_INT, DB_TEXT);
+		if (e)
+		{
+			while (e->enumerate(e, &did, &dir))
+			{
+				printf("%4d: %s\n", did, dir);
+				count++;
+			}
+			e->destroy(e);
+		}
+		printf("%d director%s found containing file '%s'\n", count,
+			  (count == 1) ? "y" : "ies", this->file);
+	}
+	else
+	{
+		e = this->db->query(this->db,
+				"SELECT id, path FROM directories ORDER BY path",
+				DB_INT, DB_TEXT);
+		if (e)
+		{
+			while (e->enumerate(e, &did, &dir))
+			{
+				printf("%4d: %s\n", did, dir);
+				count++;
+			}
+			e->destroy(e);
+		}
+		printf("%d director%s found\n", count, (count == 1) ? "y" : "ies");
 	}
-	printf("\n");
 }
 
 METHOD(attest_db_t, list_packages, void,
@@ -974,20 +1018,23 @@ METHOD(attest_db_t, list_packages, void,
 {
 	enumerator_t *e;
 	char *package, *version;
-	os_package_state_t security;
-	int gid, gid_old = 0, spaces, count = 0, t;
+	os_package_state_t package_state;
+	int blacklist, security, gid, gid_old = 0, spaces, count = 0, t;
 	time_t timestamp;
 
 	if (this->pid)
 	{
 		e = this->db->query(this->db,
-				"SELECT p.id, p.name, v.release, v.security, v.time "
+				"SELECT p.id, p.name, "
+				"v.release, v.security, v.blacklist, v.time "
 				"FROM packages AS p JOIN versions AS v ON v.package = p.id "
 				"WHERE v.product = ? ORDER BY p.name, v.release",
-				DB_INT, this->pid, DB_INT, DB_TEXT, DB_TEXT, DB_INT, DB_INT);
+				DB_INT, this->pid,
+				DB_INT, DB_TEXT, DB_TEXT, DB_INT, DB_INT, DB_INT);
 		if (e)
 		{
-			while (e->enumerate(e, &gid, &package, &version, &security, &t))
+			while (e->enumerate(e, &gid, &package,
+								   &version, &security, &blacklist, &t))
 			{
 				if (gid != gid_old)
 				{
@@ -1003,8 +1050,17 @@ METHOD(attest_db_t, list_packages, void,
 					}
 				}
 				timestamp = t;
+				if (blacklist)
+				{
+					package_state = OS_PACKAGE_STATE_BLACKLIST;
+				}
+				else
+				{
+					package_state = security ? OS_PACKAGE_STATE_SECURITY :
+											   OS_PACKAGE_STATE_UPDATE;
+				}
 				printf(" %T (%s)%N\n", &timestamp, this->utc, version,
-					 os_package_state_names, security);
+					 os_package_state_names, package_state);
 				count++;
 			}
 			e->destroy(e);
@@ -1077,74 +1133,70 @@ METHOD(attest_db_t, list_products, void,
 	}
 
 	printf("%d product%s found", count, (count == 1) ? "" : "s");
-	if (this->file_set)
+	if (this->fid)
 	{
 		printf(" for file '%s'", this->file);
 	}
 	printf("\n");
 }
 
-/**
- * get the directory if there is one from the files tables
- */
-static void get_directory(private_attest_db_t *this, int did, char **directory)
+METHOD(attest_db_t, list_hashes, void,
+	private_attest_db_t *this)
 {
 	enumerator_t *e;
-	char *dir;
-
-	free(*directory);
-	*directory = strdup("");
+	chunk_t hash;
+	char *file, *dir, *product;
+	int id, fid, fid_old = 0, did, did_old = 0, pid, pid_old = 0, count = 0;
 
-	if (did)
+	if (this->pid && this->fid && this->did)
 	{
+		printf("%4d: %s\n", this->did, this->dir);
+		printf("%4d:   %s\n", this->fid, this->file);
 		e = this->db->query(this->db,
-				"SELECT path from files WHERE id = ?",
-				DB_UINT, did, DB_TEXT);
+				"SELECT id, hash FROM file_hashes "
+				"WHERE algo = ? AND file = ? AND product = ?",
+				DB_INT, this->algo, DB_INT, this->fid, DB_INT, this->pid,
+				DB_INT, DB_BLOB);
 		if (e)
 		{
-			if (e->enumerate(e, &dir))
+			while (e->enumerate(e, &id, &hash))
 			{
-				free(*directory);
-				*directory = strdup(dir);
+				printf("%4d:     %#B\n", id, &hash);
+				count++;
 			}
 			e->destroy(e);
+
+			printf("%d %N value%s found for product '%s'\n", count,
+				   pts_meas_algorithm_names, this->algo,
+				   (count == 1) ? "" : "s", this->product);
 		}
 	}
-}
-
-static bool slash(char *directory, char *file)
-{
-	return *file != '/' && directory[max(0, strlen(directory)-1)] != '/';
-}
-
-METHOD(attest_db_t, list_hashes, void,
-	private_attest_db_t *this)
-{
-	enumerator_t *e;
-	chunk_t hash;
-	char *file, *dir, *product;
-	int fid, fid_old = 0, did, did_old = 0, count = 0;
-
-	dir = strdup("");
-
-	if (this->pid && this->fid & this->did)
+	else if (this->pid && this->file)
 	{
 		e = this->db->query(this->db,
-				"SELECT hash FROM file_hashes "
-				"WHERE algo = ? AND file = ? AND directory = ? AND product = ?",
-				DB_INT, this->algo, DB_INT, this->fid, DB_INT, this->did,
-				DB_INT, this->pid, DB_BLOB);
+				"SELECT h.id, h.hash, f.id, d.id, d.path "
+				"FROM file_hashes AS h "
+				"JOIN files AS f ON h.file = f.id "
+				"JOIN directories AS d ON f.dir = d.id "
+				"WHERE h.algo = ? AND h.product = ? AND f.name = ? "
+				"ORDER BY d.path, f.name, h.hash",
+				DB_INT, this->algo, DB_INT, this->pid, DB_TEXT, this->file,
+				DB_INT, DB_BLOB, DB_INT, DB_INT, DB_TEXT);
 		if (e)
 		{
-			while (e->enumerate(e, &hash))
+			while (e->enumerate(e, &id, &hash, &fid, &did, &dir))
 			{
-				if (this->fid != fid_old)
+				if (did != did_old)
 				{
-					printf("%4d: %s%s%s\n", this->fid, this->dir,
-						   slash(this->dir, this->file) ? "/" : "", this->file);
-					fid_old = this->fid;
+					printf("%4d: %s\n", did, dir);
+					did_old = did;
 				}
-				printf("      %#B\n", &hash);
+				if (fid != fid_old)
+				{
+					printf("%4d:   %s\n", fid, this->file);
+					fid_old = fid;
+				}
+				printf("%4d:     %#B\n", id, &hash);
 				count++;
 			}
 			e->destroy(e);
@@ -1154,22 +1206,27 @@ METHOD(attest_db_t, list_hashes, void,
 				   (count == 1) ? "" : "s", this->product);
 		}
 	}
-	else if (this->pid && this->fid)
+	else if (this->pid && this->did)
 	{
+		printf("%4d: %s\n", this->did, this->dir);
 		e = this->db->query(this->db,
-				"SELECT f.path, fh.hash FROM file_hashes AS fh "
-				"JOIN files AS f ON f.id = fh.file "
-				"WHERE algo = ? AND file = ? AND product = ?",
-				DB_INT, this->algo, DB_INT, this->fid, DB_INT, this->pid,
-				DB_TEXT, DB_BLOB);
+				"SELECT h.id, h.hash, f.id, f.name "
+				"FROM file_hashes AS h "
+				"JOIN files AS f ON h.file = f.id "
+				"WHERE h.algo = ? AND h.product = ? AND f.dir = ? "
+				"ORDER BY f.name, h.hash",
+				DB_INT, this->algo, DB_INT, this->pid, DB_INT, this->did,
+				DB_INT, DB_BLOB, DB_INT, DB_TEXT);
 		if (e)
 		{
-			free(dir);
-			while (e->enumerate(e, &dir, &hash))
+			while (e->enumerate(e, &id, &hash, &fid, &file))
 			{
-				printf("%4d: %s%s%s\n", this->fid, dir,
-						   slash(dir, this->file) ? "/" : "", this->file);
-				printf("      %#B\n", &hash);
+				if (fid != fid_old)
+				{
+					printf("%4d:   %s\n", fid, file);
+					fid_old = fid;
+				}
+				printf("%4d:     %#B\n", id, &hash);
 				count++;
 			}
 			e->destroy(e);
@@ -1177,35 +1234,34 @@ METHOD(attest_db_t, list_hashes, void,
 			printf("%d %N value%s found for product '%s'\n", count,
 				   pts_meas_algorithm_names, this->algo,
 				   (count == 1) ? "" : "s", this->product);
-			dir = NULL;
 		}
 	}
 	else if (this->pid)
 	{
 		e = this->db->query(this->db,
-				"SELECT f.id, f. f.path, fh.hash, fh.directory "
-				"FROM file_hashes AS fh "
-				"JOIN files AS f ON f.id = fh.file "
-				"WHERE fh.algo = ? AND fh.product = ? "
-				"ORDER BY fh.directory, f.path",
-				DB_INT, this->algo, DB_UINT, this->pid,
-				DB_INT, DB_TEXT, DB_BLOB, DB_INT);
+				"SELECT h.id, h.hash, f.id, f.name, d.id, d.path "
+				"FROM file_hashes AS h "
+				"JOIN files AS f ON h.file = f.id "
+				"JOIN directories AS d ON f.dir = d.id "
+				"WHERE h.algo = ? AND h.product = ? "
+				"ORDER BY d.path, f.name, h.hash",
+				DB_INT, this->algo, DB_INT, this->pid,
+				DB_INT, DB_BLOB, DB_INT, DB_TEXT, DB_INT, DB_TEXT);
 		if (e)
 		{
-			while (e->enumerate(e, &fid,  &file, &hash, &did))
+			while (e->enumerate(e, &id, &hash, &fid, &file, &did, &dir))
 			{
-				if (fid != fid_old || did != did_old)
+				if (did != did_old)
 				{
-					if (did != did_old)
-					{
-						get_directory(this, did, &dir);
-					}
-					printf("%4d: %s%s%s\n", fid,
-						   dir, slash(dir, file) ? "/" : "", file);
-					fid_old = fid;
+					printf("%4d: %s\n", did, dir);
 					did_old = did;
 				}
-				printf("      %#B\n", &hash);
+				if (fid != fid_old)
+				{
+					printf("%4d:   %s\n", fid, file);
+					fid_old = fid;
+				}
+				printf("%4d:     %#B\n", id, &hash);
 				count++;
 			}
 			e->destroy(e);
@@ -1215,58 +1271,147 @@ METHOD(attest_db_t, list_hashes, void,
 				   (count == 1) ? "" : "s", this->product);
 		}
 	}
-	else if (this->fid)
+	else if (this->fid && this->did)
 	{
 		e = this->db->query(this->db,
-				"SELECT p.name, fh.hash, fh.directory "
-				"FROM file_hashes AS fh "
-				"JOIN products AS p ON p.id = fh.product "
-				"WHERE fh.algo = ? AND fh.file = ? AND fh.directory = ?"
-				"ORDER BY p.name",
-				DB_INT, this->algo, DB_UINT, this->fid, DB_UINT, this->did,
-				DB_TEXT, DB_BLOB, DB_INT);
+				"SELECT h.id, h.hash, p.id, p.name FROM file_hashes AS h "
+				"JOIN products AS p ON h.product = p.id "
+				"WHERE h.algo = ? AND h.file = ? "
+				"ORDER BY p.name, h.hash",
+				DB_INT, this->algo, DB_INT, this->fid,
+				DB_INT, DB_BLOB, DB_INT, DB_TEXT);
 		if (e)
 		{
-			while (e->enumerate(e, &product, &hash, &did))
+			while (e->enumerate(e, &id, &hash, &pid, &product))
 			{
-				printf("%#B '%s'\n", &hash, product);
+				if (pid != pid_old)
+				{
+					printf("%4d: %s\n", pid, product);
+					pid_old = pid;
+				}
+				printf("%4d:   %#B\n", id, &hash);
 				count++;
 			}
 			e->destroy(e);
 
-			printf("%d %N value%s found for file '%s%s%s'\n",
-				   count, pts_meas_algorithm_names, this->algo,
+			printf("%d %N value%s found for file '%s%s%s'\n", count,
+				   pts_meas_algorithm_names, this->algo,
 				   (count == 1) ? "" : "s", this->dir,
-				   slash(this->dir, this->file) ? "/" : "", this->file);
+				   streq(this->dir, "/") ? "" : "/", this->file);
+		}
+	}
+	else if (this->file)
+	{
+		e = this->db->query(this->db,
+				"SELECT h.id, h.hash, f.id, d.id, d.path, p.id, p.name "
+				"FROM file_hashes AS h "
+				"JOIN files AS f ON h.file = f.id "
+				"JOIN directories AS d ON f.dir = d.id "
+				"JOIN products AS p ON h.product = p.id "
+				"WHERE h.algo = ? AND f.name = ? "
+				"ORDER BY d.path, f.name, p.name, h.hash",
+				DB_INT, this->algo, DB_TEXT, this->file,
+				DB_INT, DB_BLOB, DB_INT, DB_INT, DB_TEXT, DB_INT, DB_TEXT);
+		if (e)
+		{
+			while (e->enumerate(e, &id, &hash, &fid, &did, &dir, &pid, &product))
+			{
+				if (did != did_old)
+				{
+					printf("%4d: %s\n", did, dir);
+					did_old = did;
+				}
+				if (fid != fid_old)
+				{
+					printf("%4d:   %s\n", fid, this->file);
+					fid_old = fid;
+					pid_old = 0;
+				}
+				if (pid != pid_old)
+				{
+					printf("%4d:     %s\n", pid, product);
+					pid_old = pid;
+				}
+				printf("%4d:     %#B\n", id, &hash);
+				count++;
+			}
+			e->destroy(e);
+
+			printf("%d %N value%s found\n", count, pts_meas_algorithm_names,
+				   this->algo, (count == 1) ? "" : "s");
+		}
+
+	}
+	else if (this->did)
+	{
+		e = this->db->query(this->db,
+				"SELECT h.id, h.hash, f.id, f.name, p.id, p.name "
+				"FROM file_hashes AS h "
+				"JOIN files AS f ON h.file = f.id "
+				"JOIN products AS p ON h.product = p.id "
+				"WHERE h.algo = ? AND f.dir = ? "
+				"ORDER BY f.name, p.name, h.hash",
+				DB_INT, this->algo, DB_INT, this->did,
+				DB_INT, DB_BLOB, DB_INT, DB_TEXT, DB_INT, DB_TEXT);
+		if (e)
+		{
+			while (e->enumerate(e, &id, &hash, &fid, &file, &pid, &product))
+			{
+				if (fid != fid_old)
+				{
+					printf("%4d: %s\n", fid, file);
+					fid_old = fid;
+					pid_old = 0;
+				}
+				if (pid != pid_old)
+				{
+					printf("%4d:   %s\n", pid, product);
+					pid_old = pid;
+				}
+				printf("%4d:     %#B\n", id, &hash);
+				count++;
+			}
+			e->destroy(e);
+
+			printf("%d %N value%s found for directory '%s'\n", count,
+				   pts_meas_algorithm_names, this->algo,
+				   (count == 1) ? "" : "s", this->dir);
 		}
 	}
 	else
 	{
 		e = this->db->query(this->db,
-				"SELECT f.id, f.path, p.name, fh.hash, fh.directory "
-				"FROM file_hashes AS fh "
-				"JOIN files AS f ON f.id = fh.file "
-				"JOIN products AS p ON p.id = fh.product "
-				"WHERE fh.algo = ? "
-				"ORDER BY fh.directory, f.path, p.name",
-				DB_INT, this->algo,
-				DB_INT, DB_TEXT, DB_TEXT, DB_BLOB, DB_INT);
+				"SELECT h.id, h.hash, f.id, f.name, d.id, d.path, p.id, p.name "
+				"FROM file_hashes AS h "
+				"JOIN files AS f ON h.file = f.id "
+				"JOIN directories AS d ON f.dir = d.id "
+				"JOIN products AS p on h.product = p.id "
+				"WHERE h.algo = ? "
+				"ORDER BY d.path, f.name, p.name, h.hash",
+				DB_INT, this->algo, DB_INT, DB_BLOB, DB_INT, DB_TEXT,
+				DB_INT, DB_TEXT, DB_INT, DB_TEXT);
 		if (e)
 		{
-			while (e->enumerate(e, &fid, &file, &product, &hash, &did))
+			while (e->enumerate(e, &id, &hash, &fid, &file, &did, &dir, &pid,
+								&product))
 			{
-				if (fid != fid_old || did != did_old)
+				if (did != did_old)
 				{
-					if (did != did_old)
-					{
-						get_directory(this, did, &dir);
-						did_old = did;
-					}
-					printf("%4d: %s%s%s\n", fid,
-						   dir, slash(dir, file) ? "/" : "", file);
+					printf("%4d: %s\n", did, dir);
+					did_old = did;
+				}
+				if (fid != fid_old)
+				{
+					printf("%4d:   %s\n", fid, file);
 					fid_old = fid;
+					pid_old = 0;
 				}
-				printf("      %#B '%s'\n", &hash, product);
+				if (pid != pid_old)
+				{
+					printf("%4d:     %s\n", pid, product);
+					pid_old = pid;
+				}
+				printf("%4d:       %#B\n", id, &hash);
 				count++;
 			}
 			e->destroy(e);
@@ -1275,7 +1420,6 @@ METHOD(attest_db_t, list_hashes, void,
 				   this->algo, (count == 1) ? "" : "s");
 		}
 	}
-	free(dir);
 }
 
 METHOD(attest_db_t, list_measurements, void,
@@ -1382,9 +1526,50 @@ METHOD(attest_db_t, list_measurements, void,
 	}
 }
 
-bool insert_file_hash(private_attest_db_t *this, pts_meas_algorithms_t algo,
-					  chunk_t measurement, int fid, int did, bool ima,
-					  int *hashes_added, int *hashes_updated)
+METHOD(attest_db_t, list_sessions, void,
+	private_attest_db_t *this)
+{
+	enumerator_t *e;
+	chunk_t identity;
+	char *product, *device;
+	int session_id, conn_id, rec, device_len;
+	time_t created;
+	u_int t;
+
+	e = this->db->query(this->db,
+			"SELECT s.id, s.time, s.connection, s.rec, p.name, d.value, i.value "
+			"FROM sessions AS s "
+			"LEFT JOIN products AS p ON s.product = p.id "
+			"LEFT JOIN devices AS d ON s.device = d.id "
+			"LEFT JOIN identities AS i ON s.identity = i.id "
+			"ORDER BY s.time DESC",
+			 DB_INT, DB_UINT, DB_INT, DB_INT, DB_TEXT, DB_TEXT, DB_BLOB);
+	if (e)
+	{
+		while (e->enumerate(e, &session_id, &t, &conn_id, &rec, &product,
+							   &device, &identity))
+		{
+			created = t;
+			product = product ? product : "-";
+			device = strlen(device) ? device : "-";
+			device_len = min(strlen(device), DEVICE_MAX_LEN);
+			identity = identity.len ? identity : chunk_from_str("-");
+			printf("%4d: %T %2d %-20s %.*s%*s%.*s - %N\n", session_id, &created,
+				   FALSE, conn_id, product, device_len, device,
+				   DEVICE_MAX_LEN - device_len + 1, " ", (int)identity.len,
+				   identity.ptr, TNC_IMV_Action_Recommendation_names, rec);
+		}
+		e->destroy(e);
+	}
+}
+
+/**
+ * Insert a file hash into the database
+ */
+static bool insert_file_hash(private_attest_db_t *this,
+							 pts_meas_algorithms_t algo,
+							 chunk_t measurement, int fid, bool ima,
+							 int *hashes_added, int *hashes_updated)
 {
 	enumerator_t *e;
 	chunk_t hash;
@@ -1394,8 +1579,8 @@ bool insert_file_hash(private_attest_db_t *this, pts_meas_algorithms_t algo,
 
 	e = this->db->query(this->db,
 		"SELECT hash FROM file_hashes WHERE algo = ? "
-		"AND file = ? AND directory = ? AND product = ? and key = 0",
-		DB_INT, algo, DB_UINT, fid, DB_UINT, did, DB_UINT, this->pid, DB_BLOB);
+		"AND file = ? AND product = ? AND device = 0",
+		DB_INT, algo, DB_UINT, fid, DB_UINT, this->pid, DB_BLOB);
 	if (!e)
 	{
 		printf("file_hashes query failed\n");
@@ -1411,8 +1596,8 @@ bool insert_file_hash(private_attest_db_t *this, pts_meas_algorithms_t algo,
 		{
 			if (this->db->execute(this->db, NULL,
 				"UPDATE file_hashes SET hash = ? WHERE algo = ? "
-				"AND file = ? AND directory = ? AND product = ? and key = 0",
-				DB_BLOB, measurement, DB_INT, algo, DB_UINT, fid, DB_UINT, did,
+				"AND file = ? AND product = ? and device = 0",
+				DB_BLOB, measurement, DB_INT, algo, DB_UINT, fid,
 				DB_UINT, this->pid) == 1)
 			{
 				label = "updated";
@@ -1424,9 +1609,9 @@ bool insert_file_hash(private_attest_db_t *this, pts_meas_algorithms_t algo,
 	{
 		if (this->db->execute(this->db, NULL,
 			"INSERT INTO file_hashes "
-			"(file, directory, product, key, algo, hash) "
-			"VALUES (?, ?, ?, 0, ?, ?)",
-			DB_UINT, fid, DB_UINT, did, DB_UINT, this->pid,
+			"(file, product, device, algo, hash) "
+			"VALUES (?, ?, 0, ?, ?)",
+			DB_UINT, fid, DB_UINT, this->pid,
 			DB_INT, algo, DB_BLOB, measurement) == 1)
 		{
 			label = "created";
@@ -1439,77 +1624,75 @@ bool insert_file_hash(private_attest_db_t *this, pts_meas_algorithms_t algo,
 	return TRUE;
 }
 
-METHOD(attest_db_t, add, bool,
-	private_attest_db_t *this)
+/**
+ * Add hash measurement for a single file or all files in a directory
+ */
+static bool add_hash(private_attest_db_t *this)
 {
-	bool success = FALSE;
-
-	/* add key/component pair */
-	if (this->kid && this->cid)
-	{
-		success = this->db->execute(this->db, NULL,
-					"INSERT INTO key_component (key, component, seq_no) "
-					"VALUES (?, ?, ?)",
-					DB_UINT, this->kid, DB_UINT, this->cid,
-					DB_UINT, this->seq_no) == 1;
-
-		printf("key/component pair (%d/%d) %sinserted into database at "
-			   "position %d\n", this->kid, this->cid,
-			    success ? "" : "could not be ", this->seq_no);
-
-		return success;
-	}
-
-	/* add directory or file measurement for a given product */
-	if ((this->did || this->fid) && this->pid)
-	{
-		char *pathname, *filename, *label;
-		char ima_buffer[IMA_MAX_NAME_LEN + 1];
-		chunk_t measurement, ima_template;
-		pts_file_meas_t *measurements;
-		hasher_t *hasher = NULL;
-		bool ima = FALSE;
-		int fid, did;
-		int files_added = 0, hashes_added = 0, hashes_updated = 0;
-		int ima_hashes_added = 0, ima_hashes_updated = 0;
-		enumerator_t *enumerator, *e;
-
-		if (this->algo == PTS_MEAS_ALGO_SHA1_IMA)
+	char *pathname, *filename, *sep, *label, *pos;
+	char ima_buffer[IMA_MAX_NAME_LEN + 1];
+	chunk_t measurement, ima_template;
+	pts_file_meas_t *measurements;
+	hasher_t *hasher = NULL;
+	bool ima = FALSE;
+	int fid, files_added = 0, hashes_added = 0, hashes_updated = 0;
+	int len, ima_hashes_added = 0, ima_hashes_updated = 0;
+	enumerator_t *enumerator, *e;
+
+	if (this->algo == PTS_MEAS_ALGO_SHA1_IMA)
+	{
+		ima = TRUE;
+		this->algo = PTS_MEAS_ALGO_SHA1;
+		hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
+		if (!hasher)
 		{
-			ima = TRUE;
-			this->algo = PTS_MEAS_ALGO_SHA1;
-			hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
-			if (!hasher)
-			{
-				printf("could not create hasher\n");
-				return FALSE;
-			}
+			printf("could not create hasher\n");
+			return FALSE;
 		}
+	}
+	sep = streq(this->dir, "/") ? "" : "/";
 
-		pathname = this->did ? this->dir : this->file;
-		measurements = pts_file_meas_create_from_path(0, pathname, this->did,
-												this->relative, this->algo);
-		if (!measurements)
+	if (this->fid)
+	{
+		/* build pathname from directory path and relative filename */
+		if (asprintf(&pathname, "%s%s%s", this->dir, sep, this->file) == -1)
 		{
-			printf("file measurement failed\n");
-			DESTROY_IF(hasher);
 			return FALSE;
 		}
-		if (this->fid && this->relative)
+		measurements = pts_file_meas_create_from_path(0, pathname, FALSE,
+													  TRUE, this->algo);
+		free(pathname);
+	}
+	else
+	{
+		measurements = pts_file_meas_create_from_path(0, this->dir, TRUE,
+													  TRUE, this->algo);
+	}
+	if (!measurements)
+	{
+		printf("file measurement failed\n");
+		DESTROY_IF(hasher);
+		return FALSE;
+	}
+
+	enumerator = measurements->create_enumerator(measurements);
+	while (enumerator->enumerate(enumerator, &filename, &measurement))
+	{
+		if (this->fid)
 		{
-			set_directory(this, dirname(pathname), TRUE);
+			/* a single file already exists */
+			filename = this->file;
+			fid = this->fid;
+			label = "exists";
 		}
-		did = this->relative ? this->did : 0;
-
-		enumerator = measurements->create_enumerator(measurements);
-		while (enumerator->enumerate(enumerator, &filename, &measurement))
+		else
 		{
 			/* retrieve or create filename */
 			label = "could not be created";
 
 			e = this->db->query(this->db,
-				"SELECT id FROM files WHERE path = ?",
-				DB_TEXT, filename, DB_INT);
+				"SELECT id FROM files WHERE name = ? AND dir = ?",
+				DB_TEXT, filename, DB_INT, this->did, DB_INT);
 			if (!e)
 			{
 				printf("files query failed\n");
@@ -1522,82 +1705,123 @@ METHOD(attest_db_t, add, bool,
 			else
 			{
 				if (this->db->execute(this->db, &fid,
-					"INSERT INTO files (type, path) VALUES (0, ?)",
-					DB_TEXT, filename) == 1)
+					"INSERT INTO files (name, dir) VALUES (?, ?)",
+					DB_TEXT, filename, DB_INT, this->did) == 1)
 				{
 					label = "created";
 					files_added++;
 				}
 			}
 			e->destroy(e);
+		}
+		printf("%4d: %s - %s\n", fid, filename, label);
 
-			printf("%4d: %s - %s\n", fid, filename, label);
-
-			/* compute file measurement hash */
-			if (!insert_file_hash(this, this->algo, measurement,
-								  fid, did, FALSE,
-								  &hashes_added, &hashes_updated))
-			{
-				break;
-			}
-
-			if (!ima)
-			{
-				continue;
-			}
-
-			/* compute IMA template hash */
-			strncpy(ima_buffer, filename, IMA_MAX_NAME_LEN);
-			ima_buffer[IMA_MAX_NAME_LEN] = '\0';
-			ima_template = chunk_create(ima_buffer, sizeof(ima_buffer));
-			if (!hasher->get_hash(hasher, measurement, NULL) ||
-				!hasher->get_hash(hasher, ima_template, measurement.ptr))
-			{
-				printf("could not compute IMA template hash\n");
-				break;
-			}
-			if (!insert_file_hash(this, PTS_MEAS_ALGO_SHA1_IMA, measurement,
-								  fid, did, TRUE,
-								  &ima_hashes_added, &ima_hashes_updated))
-			{
-				break;
-			}
+		/* compute file measurement hash */
+		if (!insert_file_hash(this, this->algo, measurement, fid, FALSE,
+							  &hashes_added, &hashes_updated))
+		{
+			break;
+		}
+		if (!ima)
+		{
+			continue;
 		}
-		enumerator->destroy(enumerator);
 
-		printf("%d measurements, added %d new files, %d file hashes",
-			    measurements->get_file_count(measurements), files_added,
-				hashes_added);
-		if (ima)
+		/* compute IMA template hash */
+		pos = ima_buffer;
+		len = IMA_MAX_NAME_LEN;
+		if (!this->relative)
+		{
+			strncpy(pos, this->dir, len);
+			len = max(0, len - strlen(this->dir));
+			pos = ima_buffer + IMA_MAX_NAME_LEN - len;
+			strncpy(pos, sep, len);
+			len = max(0, len - strlen(sep));
+			pos = ima_buffer + IMA_MAX_NAME_LEN - len;
+		}
+		strncpy(pos, filename, len);
+		ima_buffer[IMA_MAX_NAME_LEN] = '\0';
+		ima_template = chunk_create(ima_buffer, sizeof(ima_buffer));
+		if (!hasher->get_hash(hasher, measurement, NULL) ||
+			!hasher->get_hash(hasher, ima_template, measurement.ptr))
 		{
-			printf(", %d ima hashes", ima_hashes_added);
-			hasher->destroy(hasher);
+			printf("could not compute IMA template hash\n");
+			break;
 		}
-		printf(", updated %d file hashes", hashes_updated);
-		if (ima)
+		if (!insert_file_hash(this, PTS_MEAS_ALGO_SHA1_IMA, measurement, fid,
+							  TRUE, &ima_hashes_added, &ima_hashes_updated))
 		{
-			printf(", %d ima hashes", ima_hashes_updated);
+			break;
 		}
-		printf("\n");
-		measurements->destroy(measurements);
-		success = TRUE;
+	}
+	enumerator->destroy(enumerator);
+
+	printf("%d measurements, added %d new files, %d file hashes",
+		    measurements->get_file_count(measurements), files_added,
+			hashes_added);
+	if (ima)
+	{
+		printf(", %d ima hashes", ima_hashes_added);
+		hasher->destroy(hasher);
+	}
+	printf(", updated %d file hashes", hashes_updated);
+	if (ima)
+	{
+		printf(", %d ima hashes", ima_hashes_updated);
+	}
+	printf("\n");
+	measurements->destroy(measurements);
+
+	return TRUE;
+}
+
+METHOD(attest_db_t, add, bool,
+	private_attest_db_t *this)
+{
+	bool success = FALSE;
+
+	/* add key/component pair */
+	if (this->kid && this->cid)
+	{
+		success = this->db->execute(this->db, NULL,
+					"INSERT INTO key_component (key, component, seq_no) "
+					"VALUES (?, ?, ?)",
+					DB_UINT, this->kid, DB_UINT, this->cid,
+					DB_UINT, this->seq_no) == 1;
+
+		printf("key/component pair (%d/%d) %sinserted into database at "
+			   "position %d\n", this->kid, this->cid,
+			    success ? "" : "could not be ", this->seq_no);
+
+		return success;
+	}
+
+	/* add directory or file hash measurement for a given product */
+	if (this->did && this->pid)
+	{
+		return add_hash(this);
 	}
 
 	/* insert package version */
 	if (this->version_set && this->gid && this->pid)
 	{
 		time_t t = time(NULL);
+		int security, blacklist;
+
+		security =  this->package_state == OS_PACKAGE_STATE_SECURITY;
+		blacklist = this->package_state == OS_PACKAGE_STATE_BLACKLIST;
 
 		success = this->db->execute(this->db, NULL,
 					"INSERT INTO versions "
-					"(package, product, release, security, time) "
-					"VALUES (?, ?, ?, ?, ?)",
-					DB_UINT, this->gid, DB_UINT, this->pid, DB_TEXT,
-					this->version, DB_UINT, this->security, DB_INT, t) == 1;
+					"(package, product, release, security, blacklist, time) "
+					"VALUES (?, ?, ?, ?, ?, ?)",
+					DB_UINT, this->gid, DB_INT, this->pid, DB_TEXT,
+					this->version, DB_INT, security, DB_INT, blacklist,
+					DB_INT, t) == 1;
 
 		printf("'%s' package %s (%s)%N %sinserted into database\n",
 				this->product, this->package, this->version,
-				os_package_state_names, this->security,
+				os_package_state_names, this->package_state,
 				success ? "" : "could not be ");
 	}
 	return success;
@@ -1607,19 +1831,21 @@ METHOD(attest_db_t, delete, bool,
 	private_attest_db_t *this)
 {
 	bool success;
+	int id, count = 0;
+	char *name;
+	enumerator_t *e;
 
 	/* delete a file measurement hash for a given product */
 	if (this->algo && this->pid && this->fid)
 	{
 		success = this->db->execute(this->db, NULL,
 								"DELETE FROM file_hashes "
-								"WHERE algo = ? AND product = ? "
-								"AND file = ? AND directory = ?",
+								"WHERE algo = ? AND product = ? AND file = ?",
 								DB_UINT, this->algo, DB_UINT, this->pid,
-								DB_UINT, this->fid, DB_UINT, this->did) > 0;
+								DB_UINT, this->fid) > 0;
 
-		printf("%4d: %s%s%s\n", this->fid, this->dir, this->did ? "/":"",
-								this->file);
+		printf("%4d: %s%s%s\n", this->fid, this->dir,
+				streq(this->dir, "/") ? "" : "/", this->file);
 		printf("%N value for product '%s' %sdeleted from database\n",
 				pts_meas_algorithm_names, this->algo, this->product,
 				success ? "" : "could not be ");
@@ -1667,24 +1893,44 @@ METHOD(attest_db_t, delete, bool,
 		return success;
 	}
 
-	if (this->did)
+	if (this->fid)
 	{
 		success = this->db->execute(this->db, NULL,
-								"DELETE FROM files WHERE type = 1 AND id = ?",
-								DB_UINT, this->did) > 0;
+								"DELETE FROM files WHERE id = ?",
+								DB_UINT, this->fid) > 0;
 
-		printf("directory '%s' %sdeleted from database\n", this->dir,
+		printf("file '%s%s%s' %sdeleted from database\n", this->dir,
+			   streq(this->dir, "/") ? "" : "/", this->file,
 			   success ? "" : "could not be ");
 		return success;
 	}
 
-	if (this->fid)
+	if (this->did)
 	{
-		success = this->db->execute(this->db, NULL,
-								"DELETE FROM files WHERE id = ?",
-								DB_UINT, this->fid) > 0;
+		e = this->db->query(this->db,
+				"SELECT id, name FROM files WHERE dir = ? ORDER BY name",
+				DB_INT, this->did, DB_INT, DB_TEXT);
+		if (e)
+		{
+			while (e->enumerate(e, &id, &name))
+			{
+				printf("%4d: %s\n", id, name);
+				count++;
+			}
+			e->destroy(e);
 
-		printf("file '%s' %sdeleted from database\n", this->file,
+			if (count)
+			{
+				printf("%d dependent file%s found, "
+					   "directory '%s' could not deleted\n",
+					   count, (count == 1) ? "" : "s", this->dir);
+				return FALSE;
+			}
+		}
+		success = this->db->execute(this->db, NULL,
+								"DELETE FROM directories WHERE id = ?",
+								DB_UINT, this->did) > 0;
+		printf("directory '%s' %sdeleted from database\n", this->dir,
 			   success ? "" : "could not be ");
 		return success;
 	}
@@ -1753,23 +1999,24 @@ attest_db_t *attest_db_create(char *uri)
 			.set_version = _set_version,
 			.set_algo = _set_algo,
 			.set_relative = _set_relative,
-			.set_security = _set_security,
+			.set_package_state = _set_package_state,
 			.set_sequence = _set_sequence,
 			.set_owner = _set_owner,
 			.set_utc = _set_utc,
 			.list_packages = _list_packages,
 			.list_products = _list_products,
 			.list_files = _list_files,
+			.list_directories = _list_directories,
 			.list_components = _list_components,
 			.list_devices = _list_devices,
 			.list_keys = _list_keys,
 			.list_hashes = _list_hashes,
 			.list_measurements = _list_measurements,
+			.list_sessions = _list_sessions,
 			.add = _add,
 			.delete = _delete,
 			.destroy = _destroy,
 		},
-		.dir = strdup(""),
 		.db = lib->db->create(lib->db, uri),
 	);
 
diff --git a/src/libpts/plugins/imv_attestation/attest_db.h b/src/libpts/plugins/imv_attestation/attest_db.h
index a20023fcd..d0a48d844 100644
--- a/src/libpts/plugins/imv_attestation/attest_db.h
+++ b/src/libpts/plugins/imv_attestation/attest_db.h
@@ -160,9 +160,9 @@ struct attest_db_t {
 	void (*set_relative)(attest_db_t *this);
 
 	/**
-	 * Set the package security state
+	 * Set the package security or blacklist state
 	 */
-	void (*set_security)(attest_db_t *this, os_package_state_t security);
+	void (*set_package_state)(attest_db_t *this, os_package_state_t package_state);
 
 	/**
 	 * Set the sequence number
@@ -192,6 +192,11 @@ struct attest_db_t {
 	 */
 	void (*list_products)(attest_db_t *this);
 
+	/**
+	 * List all directories stored in the database
+	 */
+	void (*list_directories)(attest_db_t *this);
+
 	/**
 	 * List selected files stored in the database
 	 */
@@ -222,6 +227,11 @@ struct attest_db_t {
 	 */
 	void (*list_measurements)(attest_db_t *this);
 
+	/**
+	 * List sessions stored in the database
+	 */
+	void (*list_sessions)(attest_db_t *this);
+
 	/**
 	 * Add an entry to the database
 	 */
diff --git a/src/libpts/plugins/imv_attestation/data.sql b/src/libpts/plugins/imv_attestation/data.sql
deleted file mode 100644
index 60c312e30..000000000
--- a/src/libpts/plugins/imv_attestation/data.sql
+++ /dev/null
@@ -1,1666 +0,0 @@
-/* Products */
-
-INSERT INTO products (
-  name
-) VALUES (
- 'Ubuntu 11.04 i686'
-);
-
-INSERT INTO products (
-  name
-) VALUES (
- 'Ubuntu 11.04 x86_64'
-);
-
-INSERT INTO products (
-  name
-) VALUES (
- 'CentOS release 5.6 (Final) x86_64'
-);
-
-INSERT INTO products (
-  name
-) VALUES (
- 'Ubuntu 10.10 x86_64'
-);
-
-INSERT INTO products (
-  name
-) VALUES (
- 'Ubuntu 10.10 i686'
-);
-
-INSERT INTO products (
-  name
-) VALUES (
- 'Gentoo Base System release 1.12.11.1 i686'
-);
-
-INSERT INTO products (
-  name
-) VALUES (
- 'Ubuntu 11.10 i686'
-);
-
-INSERT INTO products (
-  name
-) VALUES (
- 'Ubuntu 12.04 LTS i686'
-);
-
-INSERT INTO products (
-  name
-) VALUES (
- 'Ubuntu 12.04 i686'
-);
-
-/* Files */
-
-INSERT INTO files (			/* 1 */
-  type, path
-) VALUES (
-  0, '/lib/i386-linux-gnu/libdl.so.2'
-);
-
-INSERT INTO files (
-  type, path
-) VALUES (
-  0, '/lib/x86_64-linux-gnu/libdl.so.2'
-);
-
-INSERT INTO files (
-  type, path
-) VALUES (
-  0, '/lib/libdl.so.2'
-);
-
-INSERT INTO files (
-  type, path
-) VALUES (
-  0, '/sbin/iptables'
-);
-
-INSERT INTO files (			/* 5 */
-  type, path
-) VALUES (
-  0, '/lib/libxtables.so.5'
-);
-
-INSERT INTO files (
-  type, path
-) VALUES (
-  0, '/lib/libxtables.so.2'
-);
-
-INSERT INTO files (
-  type, path
-) VALUES (
-  1, '/lib/xtables'
-);
-
-INSERT INTO files (
-  type, path
-) VALUES (
-  0, 'libxt_udp.so'
-);
-
-INSERT INTO files (
-  type, path
-) VALUES (
-  0, 'libxt_tcp.so'
-);
-
-INSERT INTO files (			/* 10 */
-  type, path
-) VALUES (
-  0, 'libxt_esp.so'
-);
-
-INSERT INTO files (
-  type, path
-) VALUES (
-  0, 'libxt_policy.so'
-);
-
-INSERT INTO files (
-  type, path
-) VALUES (
-  0, 'libxt_conntrack.so'
-);
-
-INSERT INTO files (
-  type, path
-) VALUES (
-  0, 'libipt_SNAT.so'
-);
-
-INSERT INTO files (
-  type, path
-) VALUES (
-  0, 'libipt_DNAT.so'
-);
-
-INSERT INTO files (			/* 15 */
-  type, path
-) VALUES (
-  0, 'libipt_MASQUERADE.so'
-);
-
-INSERT INTO files (
-  type, path
-) VALUES (
-  0, 'libipt_LOG.so'
-);
-
-INSERT INTO files (
-  type, path
-) VALUES (
-  0, '/sbin/ip6tables'
-);
-
-INSERT INTO files (
-  type, path
-) VALUES (
-  0, 'libip6t_LOG.so'
-);
-
-INSERT INTO files (
-  type, path
-) VALUES (
-  0, 'libxt_mark.so'
-);
-
-INSERT INTO files (			/* 20 */
-  type, path
-) VALUES (
-  0, 'libxt_MARK.so'
-);
-
-INSERT INTO files (
-  type, path
-) VALUES (
-  1, '/lib/iptables'
-);
-
-INSERT INTO files (
-  type, path
-) VALUES (
-  0, '/etc/tnc_config'
-);
-
-INSERT INTO files (
-  type, path
-) VALUES (
-  0, '/lib/libxtables.so.7'
-);
-
-INSERT INTO files (
-  type, path
-) VALUES (
-  0, '/sbin/xtables-multi'
-);
-
-
-/* Product-File */
-
-INSERT INTO product_file (
-  product, file, measurement
-) VALUES (
-  1, 1, 1
-);
-
-INSERT INTO product_file (
-  product, file, measurement
-) VALUES (
-  1, 4, 1
-);
-
-INSERT INTO product_file (
-  product, file, measurement
-) VALUES (
-  1, 5, 1
-);
-
-INSERT INTO product_file (
-  product, file, measurement
-) VALUES (
-  1, 7, 1
-);
-
-INSERT INTO product_file (
-  product, file, measurement
-) VALUES (
-  1, 17, 1
-);
-
-INSERT INTO product_file (
-  product, file, metadata
-) VALUES (
-  1, 22, 1
-);
-
-INSERT INTO product_file (
-  product, file, measurement
-) VALUES (
-  2, 2, 1
-);
-
-INSERT INTO product_file (
-  product, file, measurement
-) VALUES (
-  2, 4, 1
-);
-
-INSERT INTO product_file (
-  product, file, measurement
-) VALUES (
-  2, 5, 1
-);
-
-INSERT INTO product_file (
-  product, file, measurement
-) VALUES (
-  2, 7, 1
-);
-
-INSERT INTO product_file (
-  product, file, metadata
-) VALUES (
-  2, 22, 1
-);
-
-INSERT INTO product_file (
-  product, file, measurement
-) VALUES (
-  3, 3, 1
-);
-
-INSERT INTO product_file (
-  product, file, measurement
-) VALUES (
-  3, 4, 1
-);
-
-INSERT INTO product_file (
-  product, file, metadata
-) VALUES (
-  3, 22, 1
-);
-
-INSERT INTO product_file (
-  product, file, measurement
-) VALUES (
-  4, 3, 1
-);
-
-INSERT INTO product_file (
-  product, file, measurement
-) VALUES (
-  4, 4, 1
-);
-
-INSERT INTO product_file (
-  product, file, measurement
-) VALUES (
-  4, 6, 1
-);
-
-INSERT INTO product_file (
-  product, file, measurement
-) VALUES (
-  4, 7, 1
-);
-
-INSERT INTO product_file (
-  product, file, metadata
-) VALUES (
-  4, 22, 1
-);
-
-INSERT INTO product_file (
-  product, file, measurement
-) VALUES (
-  5, 3, 1
-);
-
-INSERT INTO product_file (
-  product, file, measurement
-) VALUES (
-  5, 4, 1
-);
-
-INSERT INTO product_file (
-  product, file, measurement
-) VALUES (
-  5, 6, 1
-);
-
-INSERT INTO product_file (
-  product, file, measurement
-) VALUES (
-  5, 7, 1
-);
-
-INSERT INTO product_file (
-  product, file, metadata
-) VALUES (
-  5, 22, 1
-);
-
-INSERT INTO product_file (
-  product, file, measurement
-) VALUES (
-  6, 3, 1
-);
-
-INSERT INTO product_file (
-  product, file, measurement
-) VALUES (
-  6, 4, 1
-);
-
-INSERT INTO product_file (
-  product, file, measurement
-) VALUES (
-  6, 17, 1
-);
-
-INSERT INTO product_file (
-  product, file, measurement
-) VALUES (
-  6, 21, 1
-);
-
-INSERT INTO product_file (
-  product, file, metadata
-) VALUES (
-  6, 22, 1
-);
-
-INSERT INTO product_file (
-  product, file, measurement
-) VALUES (
-  7, 1, 1
-);
-
-INSERT INTO product_file (
-  product, file, measurement
-) VALUES (
-  7, 4, 1
-);
-
-INSERT INTO product_file (
-  product, file, measurement
-) VALUES (
-  7, 5, 1
-);
-
-INSERT INTO product_file (
-  product, file, measurement
-) VALUES (
-  7, 7, 1
-);
-
-INSERT INTO product_file (
-  product, file, measurement
-) VALUES (
-  7, 17, 1
-);
-
-INSERT INTO product_file (
-  product, file, metadata
-) VALUES (
-  7, 22, 1
-);
-
-INSERT INTO product_file (
-  product, file, measurement
-) VALUES (
-  8, 1, 1
-);
-
-INSERT INTO product_file (
-  product, file, measurement
-) VALUES (
-  8, 7, 1
-);
-
-INSERT INTO product_file (
-  product, file, metadata
-) VALUES (
-  8, 22, 1
-);
-
-INSERT INTO product_file (
-  product, file, measurement
-) VALUES (
-  8, 23, 1
-);
-
-INSERT INTO product_file (
-  product, file, measurement
-) VALUES (
-  8, 24, 1
-);
-
-INSERT INTO product_file (
-  product, file, measurement
-) VALUES (
-  9, 1, 1
-);
-
-INSERT INTO product_file (
-  product, file, metadata
-) VALUES (
-  9, 22, 1
-);
-
-/* File Hashes */
-
-INSERT INTO file_hashes (
-  file, product, algo, hash
-) VALUES (
-  1, 1, 32768, X'409bb1a97e26ea1144cdd6801b8159f17f376b8f'
-);
-
-INSERT INTO file_hashes (
-  file, product, algo, hash
-) VALUES (
-  1, 1, 16384, X'675172775cfd2b73ed1e249e4a730921f06c2f86fffdce4c71674cc654f37ed7'
-);
-
-INSERT INTO file_hashes (
-  file, product, algo, hash
-) VALUES (
-  1, 1, 8192, X'abc8ce3fc99b6dcec6745ffc2f59e35372b9b126491480d04b0f93076beded06cccb27b61f1170868fada8cddefa7be4'
-);
-
-INSERT INTO file_hashes (
-  file, product, algo, hash
-) VALUES (
-  1, 7, 32768, X'40763935cdea25119002c42f984b994d8d2a6d75'
-);
-
-INSERT INTO file_hashes (
-  file, product, algo, hash
-) VALUES (
-  1, 7, 16384, X'27c4f867d3f994a361e0b25d7846b3698d29f82b38662f233a97cafc60c44189'
-);
-
-INSERT INTO file_hashes (
-  file, product, algo, hash
-) VALUES (
-  1, 7, 8192, X'301dad8829308f5a68c603a87bf961b91365f0346ac2f322de3ddcbb4645f56c0e6d2dc503ec2abff8fe8e895ce9304d'
-);
-
-INSERT INTO file_hashes (
-  file, product, algo, hash
-) VALUES (
-  1, 8, 32768, X'9c3ed3179990c0ffb3a65b75a09b61faa4aca907'
-);
-
-INSERT INTO file_hashes (
-  file, product, algo, hash
-) VALUES (
-  1, 8, 16384, X'af474dd532c9f2d85c12368334eda3609a7c6287e08940f078547ab0f2871c94'
-);
-
-INSERT INTO file_hashes (
-  file, product, algo, hash
-) VALUES (
-  1, 8, 8192, X'a23fa7034dabdce2d10f2893d52b21d14fe24c6ae4c8570fb6c7190228046e4c064c4d29d736cd84ca42a3d9abf9bfde'
-);
-
-INSERT INTO file_hashes (
-  file, product, algo, hash
-) VALUES (
-  1, 9, 32768, X'9c3ed3179990c0ffb3a65b75a09b61faa4aca907'
-);
-
-INSERT INTO file_hashes (
-  file, product, algo, hash
-) VALUES (
-  1, 9, 16384, X'af474dd532c9f2d85c12368334eda3609a7c6287e08940f078547ab0f2871c94'
-);
-
-INSERT INTO file_hashes (
-  file, product, algo, hash
-) VALUES (
-  1, 9, 8192, X'a23fa7034dabdce2d10f2893d52b21d14fe24c6ae4c8570fb6c7190228046e4c064c4d29d736cd84ca42a3d9abf9bfde'
-);
-
-INSERT INTO file_hashes (
-  file, product, algo, hash
-) VALUES (
-  2, 2, 32768, X'2a4047437e6fb346e2d854fc415e16b80e75bf6b'
-);
-
-INSERT INTO file_hashes (
-  file, product, algo, hash
-) VALUES (
-  2, 2, 16384, X'86aa0bf93dade999277d963338402ed437271f3436f594a49ffca85b6c487523'
-);
-
-INSERT INTO file_hashes (
-  file, product, algo, hash
-) VALUES (
-  2, 2, 8192, X'6090441219c0b478d294ae88e006d85ac0d94464573bcca7d180618a612bd170e3ee47c1545861b0f06fe0db85544c59'
-);
-
-INSERT INTO file_hashes (
-  file, product, algo, hash
-) VALUES (
-  3, 3, 32768, X'07d8c0218a5b3469b409dc95cf8f77a341a595fb'
-);
-
-INSERT INTO file_hashes (
-  file, product, algo, hash
-) VALUES (
-  3, 3, 16384, X'b083699fbc4c9f9e0d463361118904a3832670ad2fe3d6b42f811061188d509f'
-);
-
-INSERT INTO file_hashes (
-  file, product, algo, hash
-) VALUES (
-  3, 3, 8192, X'b14908de476467a11a7a98835d1cf8317c7b80a684692426ddd7b0014e00b70b3d1b4fc1dd02ad440447612ee9dadb52'
-);
-
-INSERT INTO file_hashes (
-  file, product, algo, hash
-) VALUES (
-  3, 4, 32768, X'4350f082511c742cc05050d18a23d1da9fb09340'
-);
-
-INSERT INTO file_hashes (
-  file, product, algo, hash
-) VALUES (
-  3, 4, 16384, X'f9e12408828b5842c45503342dc2af78bc74d701a19c5fd5483df0e203315e0a'
-);
-
-INSERT INTO file_hashes (
-  file, product, algo, hash
-) VALUES (
-  3, 4, 8192, X'1a5ea36e4ab0cda550c0da2af6a62d9310981d2f170c9e75bff1770be2efb9ddccc451743ff4c3d76876364f19fdf8c1'
-);
-
-INSERT INTO file_hashes (
-  file, product, algo, hash
-) VALUES (
-  3, 6, 32768, X'91f4bb52404ca26b3a797152076ca5d233b93c1d'
-);
-
-INSERT INTO file_hashes (
-  file, product, algo, hash
-) VALUES (
-  3, 6, 16384, X'59bced619eabbde5dd3ef74b92ba660349e105d36be9756c8d1598abd4bc066c'
-);
-
-INSERT INTO file_hashes (
-  file, product, algo, hash
-) VALUES (
-  3, 6, 8192, X'fc6b1350067d23fca711b8a674e0367ad255bae0ddb2efe10dca1b18b18985bd09a7459937fda729d349874bb2701df3'
-);
-
-INSERT INTO file_hashes (
-  file, product, algo, hash
-) VALUES (
-  4, 1, 32768, X'ff6deca0eeb7a257205c5f0ab5f5d821ea184098'
-);
-
-INSERT INTO file_hashes (
-  file, product, algo, hash
-) VALUES (
-  4, 1, 16384, X'5c84fdf7c529d3c65a001587eda641fe489f83961a621fe514e7852a842690d6'
-);
-
-INSERT INTO file_hashes (
-  file, product, algo, hash
-) VALUES (
-  4, 1, 8192, X'8bd699f85f5b3efb27204b4699c518f871ef245d03b4bf8d1cc00456025017546030c2f493525754cffcd24cdbc03b21'
-);
-
-INSERT INTO file_hashes (
-  file, product, algo, hash
-) VALUES (
-  4, 2, 32768, X'1118805b490051637e93e592f4c71e0ee78a2422'
-);
-
-INSERT INTO file_hashes (
-  file, product, algo, hash
-) VALUES (
-  4, 2, 16384, X'5ea7229ebef5dc8f9fb2118676b773dd62cf89dc21657e3b8fbbcbc70ee24bd3'
-);
-
-INSERT INTO file_hashes (
-  file, product, algo, hash
-) VALUES (
-  4, 2, 8192, X'3b8da9e704e644eb7b196981624a2f6826c401d689e00ba47e42ff46351d27c6b9e91b1e8351ee01f66e5244b4c2a9b0'
-);
-
-INSERT INTO file_hashes (
-  file, product, algo, hash
-) VALUES (
-  4, 3, 32768, X'b5cd500ec15d6bfcae15e0af1dc121df7114b97d'
-);
-
-INSERT INTO file_hashes (
-  file, product, algo, hash
-) VALUES (
-  4, 3, 16384, X'b94f1cba12abb0ec79d207142526388ec0d127c4f2aad4a46a623a1f69bac84f'
-);
-
-INSERT INTO file_hashes (
-  file, product, algo, hash
-) VALUES (
-  4, 3, 8192, X'6663d66ff0e93b1b8a1edcdbe45d64834e29dc9c2b1d23126fd370a85b2c56da5cadcbc65b6e8afbb1e18bea8e413bd1'
-);
-
-INSERT INTO file_hashes (
-  file, product, algo, hash
-) VALUES (
-  4, 4, 32768, X'86c4463293859874243d8374f7f3ef60f44f9309'
-);
-
-INSERT INTO file_hashes (
-  file, product, algo, hash
-) VALUES (
-  4, 4, 16384, X'348b711f16ee9810738857c8ffbc54f8e16a393df8635cb29b02fc62daeefc14'
-);
-
-INSERT INTO file_hashes (
-  file, product, algo, hash
-) VALUES (
-  4, 4, 8192, X'0cb6b7d91148b1bb1b9333bc71de01509cb6d12c646a6756e6942647046286fbbca92b25dc1999e8f81be1264061ee4d'
-);
-
-INSERT INTO file_hashes (
-  file, product, algo, hash
-) VALUES (
-  4, 6, 32768, X'e3cf3ef2ee5df0117972808bfa93b7795f5da873'
-);
-
-INSERT INTO file_hashes (
-  file, product, algo, hash
-) VALUES (
-  4, 6, 16384, X'fde81f544e49c44aabe0e312a00a7f8af01a0e3123dc5c54c65e3e78ba475b22'
-);
-
-INSERT INTO file_hashes (
-  file, product, algo, hash
-) VALUES (
-  4, 6, 8192, X'e0cc89d1f229f9f35109bef3b163badc0941ca0a957d09e397a8d06e2b32e737f1f1135ebf0c0546d3d4c5354aaca40f'
-);
-
-INSERT INTO file_hashes (
-  file, product, algo, hash
-) VALUES (
-  4, 7, 32768, X'ff6deca0eeb7a257205c5f0ab5f5d821ea184098'
-);
-
-INSERT INTO file_hashes (
-  file, product, algo, hash
-) VALUES (
-  4, 7, 16384, X'5c84fdf7c529d3c65a001587eda641fe489f83961a621fe514e7852a842690d6'
-);
-
-INSERT INTO file_hashes (
-  file, product, algo, hash
-) VALUES (
-  4, 7, 8192, X'8bd699f85f5b3efb27204b4699c518f871ef245d03b4bf8d1cc00456025017546030c2f493525754cffcd24cdbc03b21'
-);
-
-INSERT INTO file_hashes (
-  file, product, algo, hash
-) VALUES (
-  5, 1, 32768, X'7a3ca72158e60b0c91e48a420848f1b693aea26c'
-);
-
-INSERT INTO file_hashes (
-  file, product, algo, hash
-) VALUES (
-  5, 1, 16384, X'f9693c7d36c087d51f5012897fa0e8bb94081854d080c84f831f4d693d22f645'
-);
-
-INSERT INTO file_hashes (
-  file, product, algo, hash
-) VALUES (
-  5, 1, 8192, X'4ec135e54c8840ab575fcdf00c66f996f763863ad30800b0f0a0b02e7899697d6ab9ccfe185ccbc16c19f38d0a27becb'
-);
-
-INSERT INTO file_hashes (
-  file, product, algo, hash
-) VALUES (
-  5, 2, 32768, X'5d36a26856021d68a42f8bd7ca22365579d43891'
-);
-
-INSERT INTO file_hashes (
-  file, product, algo, hash
-) VALUES (
-  5, 2, 16384, X'411be0558ad0cef33b437dafeed40104917e2079646524145abf9d05ddc6c1c5'
-);
-
-INSERT INTO file_hashes (
-  file, product, algo, hash
-) VALUES (
-  5, 2, 8192, X'237f4691f9b780bec7aff217d64a9780ceed2973a41e86c92e0d6dab81cc5d13a9b99ba408302264f5665de1f42ef6e1'
-);
-
-INSERT INTO file_hashes (
-  file, product, algo, hash
-) VALUES (
-  5, 7, 32768, X'7a3ca72158e60b0c91e48a420848f1b693aea26c'
-);
-
-INSERT INTO file_hashes (
-  file, product, algo, hash
-) VALUES (
-  5, 7, 16384, X'f9693c7d36c087d51f5012897fa0e8bb94081854d080c84f831f4d693d22f645'
-);
-
-INSERT INTO file_hashes (
-  file, product, algo, hash
-) VALUES (
-  5, 7, 8192, X'4ec135e54c8840ab575fcdf00c66f996f763863ad30800b0f0a0b02e7899697d6ab9ccfe185ccbc16c19f38d0a27becb'
-);
-
-
-INSERT INTO file_hashes (
-  file, product, algo, hash
-) VALUES (
-  6, 4, 32768, X'92e66ae282947f66544682039a33fd1dbd402244'
-);
-
-INSERT INTO file_hashes (
-  file, product, algo, hash
-) VALUES (
-  6, 4, 16384, X'dc6bad544f72c4538fb92f777646fd734b49ce95f41b2c96b74a21addbc86ed8'
-);
-
-INSERT INTO file_hashes (
-  file, product, algo, hash
-) VALUES (
-  6, 4, 8192, X'08fd91f9017763212d1491f178e4d7e41d34a21b0117ee3321d832f5b8e02d4c7152a6cdc53bb4ca7e8aad5b1f279d1f'
-);
-
-INSERT INTO file_hashes (
-  file, directory, product, algo, hash
-) VALUES (
-  8, 7, 1, 32768, X'11ce3b45feb3e66a75490d42ba95071ac6f40a7f'
-);
-
-INSERT INTO file_hashes (
-  file, directory, product, algo, hash
-) VALUES (
-  8, 7, 1, 16384, X'468ef70f19372bc4a2b1805ffa3621515061fc19fa361374788bd362d638ac02'
-);
-
-INSERT INTO file_hashes (
-  file, directory, product, algo, hash
-) VALUES (
-  8, 7, 1, 8192, X'63076ae505ce52c37878c9b6891ac516320046403aec25bf347c7011c2d28d5db7e2946d1fae3006ab4ef43716ff4558'
-);
-
-INSERT INTO file_hashes (
-  file, directory, product, algo, hash
-) VALUES (
-  8, 7, 4, 32768, X'200eab67377bf3d5a25372838c38841658a718e4'
-);
-
-INSERT INTO file_hashes (
-  file, directory, product, algo, hash
-) VALUES (
-  8, 7, 4, 16384, X'31045af9a12efdc58155a177e9391dd28b93fa38af58ce00f49259cc26e97687'
-);
-
-INSERT INTO file_hashes (
-  file, directory, product, algo, hash
-) VALUES (
-  8, 7, 4, 8192, X'e8c64b508171d947069382da58dc7e39a97ce878a07f494a6fb370efb09116d32f1d4cdddeef85f22e14d1c5d5a37625'
-);
-
-INSERT INTO file_hashes (
-  file, directory, product, algo, hash
-) VALUES (
-  8, 7, 7, 32768, X'11ce3b45feb3e66a75490d42ba95071ac6f40a7f'
-);
-
-INSERT INTO file_hashes (
-  file, directory, product, algo, hash
-) VALUES (
-  8, 7, 7, 16384, X'468ef70f19372bc4a2b1805ffa3621515061fc19fa361374788bd362d638ac02'
-);
-
-INSERT INTO file_hashes (
-  file, directory, product, algo, hash
-) VALUES (
-  8, 7, 7, 8192, X'63076ae505ce52c37878c9b6891ac516320046403aec25bf347c7011c2d28d5db7e2946d1fae3006ab4ef43716ff4558'
-);
-
-INSERT INTO file_hashes (
-  file, directory, product, algo, hash
-) VALUES (
-  8, 7, 8, 32768, X'a93f870078b69ba530e6335eaee698908b12078f'
-);
-
-INSERT INTO file_hashes (
-  file, directory, product, algo, hash
-) VALUES (
-  8, 7, 8, 16384, X'0c31c1f41a57f4b15fafeb541de475e6da88380c911bb606b35413fda8428006'
-);
-
-INSERT INTO file_hashes (
-  file, directory, product, algo, hash
-) VALUES (
-  8, 7, 8, 8192, X'bb8fc7073691910d315621de176be64316923782df8d836b384414fd9a3d293be5bea51811ee6ef68a497f12384bba42'
-);
-
-INSERT INTO file_hashes (
-  file, directory, product, algo, hash
-) VALUES (
-  8, 21, 6, 32768, X'010873de0d682a26e1c6795dd4992248cc47cdd1'
-);
-
-INSERT INTO file_hashes (
-  file, directory, product, algo, hash
-) VALUES (
-  8, 21, 6, 16384, X'bfb45524d81a3645bf216a6cf52cd5624aadf6717012bf722afce2db3e31f712'
-);
-
-INSERT INTO file_hashes (
-  file, directory, product, algo, hash
-) VALUES (
-  8, 21, 6, 8192, X'f69b3f60b904f2deb39ea1fb9b0132638f0aea27357e365297f6b2ec895d42b260143b5e912d00df1a4a1d75a1b508fa'
-);
-
-INSERT INTO file_hashes (
-  file, directory, product, algo, hash
-) VALUES (
-  9, 7, 1, 32768, X'1d740abd38f9f4bc81ca434a0e25b6e21704248b'
-);
-
-INSERT INTO file_hashes (
-  file, directory, product, algo, hash
-) VALUES (
-  9, 7, 1, 16384, X'e26bb7175956dc8747a81431e810f830413b6c63756bf5156ab51367fe4f48a0'
-);
-
-INSERT INTO file_hashes (
-  file, directory, product, algo, hash
-) VALUES (
-  9, 7, 1, 8192, X'5d3637413b9e318d0e0be6a9da86121062b99d1bdb084dfda4222baa71b250de644b4024281760b4eae926e03fac4fdb'
-);
-
-INSERT INTO file_hashes (
-  file, directory, product, algo, hash
-) VALUES (
-  9, 7, 4, 32768, X'd2bf3556a0b38cfba2962d058fa8ea777397e82d'
-);
-
-INSERT INTO file_hashes (
-  file, directory, product, algo, hash
-) VALUES (
-  9, 7, 4, 16384, X'4ec845e828af69dcbde3ecb981096ac1e25c9e3e607e9a24b27da7e44527edf9'
-);
-
-INSERT INTO file_hashes (
-  file, directory, product, algo, hash
-) VALUES (
-  9, 7, 4, 8192, X'3204a34ca409730298f60361865dace24900827ee9f3bc87884d50827911b4b17beb4c09bad77e43f28938f10bc5138a'
-);
-
-INSERT INTO file_hashes (
-  file, directory, product, algo, hash
-) VALUES (
-  9, 7, 7, 32768, X'1d740abd38f9f4bc81ca434a0e25b6e21704248b'
-);
-
-INSERT INTO file_hashes (
-  file, directory, product, algo, hash
-) VALUES (
-  9, 7, 7, 16384, X'e26bb7175956dc8747a81431e810f830413b6c63756bf5156ab51367fe4f48a0'
-);
-
-INSERT INTO file_hashes (
-  file, directory, product, algo, hash
-) VALUES (
-  9, 7, 7, 8192, X'5d3637413b9e318d0e0be6a9da86121062b99d1bdb084dfda4222baa71b250de644b4024281760b4eae926e03fac4fdb'
-);
-
-INSERT INTO file_hashes (
-  file, directory, product, algo, hash
-) VALUES (
-  9, 7, 8, 32768, X'225836cb243c3502d90c92c3eb54310403303270'
-);
-
-INSERT INTO file_hashes (
-  file, directory, product, algo, hash
-) VALUES (
-  9, 7, 8, 16384, X'7862ed16eeb35d2f10e6d416a6fcbe8000ba1bbc2daddd15f43b375686308d7d'
-);
-
-INSERT INTO file_hashes (
-  file, directory, product, algo, hash
-) VALUES (
-  9, 7, 8, 8192, X'd4b6b939d0fdcd84bbc66fbf9bd044a61de823b4acb52e0ead7ae7f955d9b2d6399da1f673eadbb4792b819923e5e845'
-);
-
-INSERT INTO file_hashes (
-  file, directory, product, algo, hash
-) VALUES (
-  9, 21, 6, 32768, X'e1df4f3949b09c25e15b9c9b7088a60d683903a8'
-);
-
-INSERT INTO file_hashes (
-  file, directory, product, algo, hash
-) VALUES (
-  9, 21, 6, 16384, X'46f0ec6b0a2c3a24157019ed60f03de2ec9160d07f12b7e0b3d3f02b609a151d'
-);
-
-INSERT INTO file_hashes (
-  file, directory, product, algo, hash
-) VALUES (
-  9, 21, 6, 8192, X'4f73eae305e01e9ad57b5b1271a16bb8518fb82135aeb27311aa390d0d3a564b596adb723137f15bbf1db38b8dcbbdae'
-);
-
-INSERT INTO file_hashes (
-  file, directory, product, algo, hash
-) VALUES (
-  10, 7, 1, 32768, X'339a58a1b313830c3cc74cb3fb52a5b8152f44e6'
-);
-
-INSERT INTO file_hashes (
-  file, directory, product, algo, hash
-) VALUES (
-  10, 7, 1, 16384, X'789f2c6a9382bb342964a12947ddf84735d3e3ed3aefbae407098738cdf7c686'
-);
-
-INSERT INTO file_hashes (
-  file, directory, product, algo, hash
-) VALUES (
-  10, 7, 1, 8192, X'858310a6e4b6311c491c4370990bfd6b9f03a49bb5ddf45b0d788f7043f130016e11be6bd95db66e49e2906a87adf8cb'
-);
-
-INSERT INTO file_hashes (
-  file, directory, product, algo, hash
-) VALUES (
-  10, 7, 7, 32768, X'339a58a1b313830c3cc74cb3fb52a5b8152f44e6'
-);
-
-INSERT INTO file_hashes (
-  file, directory, product, algo, hash
-) VALUES (
-  10, 7, 7, 16384, X'789f2c6a9382bb342964a12947ddf84735d3e3ed3aefbae407098738cdf7c686'
-);
-
-INSERT INTO file_hashes (
-  file, directory, product, algo, hash
-) VALUES (
-  10, 7, 7, 8192, X'858310a6e4b6311c491c4370990bfd6b9f03a49bb5ddf45b0d788f7043f130016e11be6bd95db66e49e2906a87adf8cb'
-);
-
-INSERT INTO file_hashes (
-  file, directory, product, algo, hash
-) VALUES (
-  10, 7, 8, 32768, X'008374e704c81351c333a214f4ee2d89e996f344'
-);
-
-INSERT INTO file_hashes (
-  file, directory, product, algo, hash
-) VALUES (
-  10, 7, 8, 16384, X'0e28034f99a3e0cdffa64bf126858afb48ee25b5cbfc70bbcd997bab7ef1e056'
-);
-
-INSERT INTO file_hashes (
-  file, directory, product, algo, hash
-) VALUES (
-  10, 7, 8, 8192, X'b6e01ba0706e48ce37abef3fbc59a45fd50c7abd3bb7950b1d892bc4a0db3f9784f573d74ef51376267183d26513d1d0'
-);
-
-INSERT INTO file_hashes (
-  file, directory, product, algo, hash
-) VALUES (
-  10, 21, 6, 32768, X'87df2d01b85d8354819b431bae0a0a65bfc5d2db'
-);
-
-INSERT INTO file_hashes (
-  file, directory, product, algo, hash
-) VALUES (
-  10, 21, 6, 16384, X'a25fef11c899d826ea61996f0bc05330bc88428eafb792be0182ad97b6283aae'
-);
-
-INSERT INTO file_hashes (
-  file, directory, product, algo, hash
-) VALUES (
-  10, 21, 6, 8192, X'357e5756dbfa22c21d3666521e644eefdf532b7d371cca62fc099579f3c98b97cb51d005dcbaf805f8a7def26dfde142'
-);
-
-INSERT INTO file_hashes (
-  file, directory, product, algo, hash
-) VALUES (
-  11, 7, 1, 32768, X'2d32ef93126abf8c660d57c67e5076c6394cabe8'
-);
-
-INSERT INTO file_hashes (
-  file, directory, product, algo, hash
-) VALUES (
-  11, 7, 1, 16384, X'ced29aca7fc2dd0b01d5d544dfb2e1640a6a79c657f589e7dd6636cfd63eda3b'
-);
-
-INSERT INTO file_hashes (
-  file, directory, product, algo, hash
-) VALUES (
-  11, 7, 1, 8192, X'a2d33fa2d0ee7bffa5e628f88ccb83cd61bb4c5fe6d2edb8b853b83d8c43f498fa6e8da70510f0a1a3ddb36060bbd4d8'
-);
-
-INSERT INTO file_hashes (
-  file, directory, product, algo, hash
-) VALUES (
-  11, 7, 7, 32768, X'2d32ef93126abf8c660d57c67e5076c6394cabe8'
-);
-
-INSERT INTO file_hashes (
-  file, directory, product, algo, hash
-) VALUES (
-  11, 7, 7, 16384, X'ced29aca7fc2dd0b01d5d544dfb2e1640a6a79c657f589e7dd6636cfd63eda3b'
-);
-
-INSERT INTO file_hashes (
-  file, directory, product, algo, hash
-) VALUES (
-  11, 7, 7, 8192, X'a2d33fa2d0ee7bffa5e628f88ccb83cd61bb4c5fe6d2edb8b853b83d8c43f498fa6e8da70510f0a1a3ddb36060bbd4d8'
-);
-
-INSERT INTO file_hashes (
-  file, directory, product, algo, hash
-) VALUES (
-  11, 7, 8, 32768, X'105fc70c5ecde30ebe841ac0a229b77b6d5f3d8a'
-);
-
-INSERT INTO file_hashes (
-  file, directory, product, algo, hash
-) VALUES (
-  11, 7, 8, 16384, X'e4cdc17b835eabe06d719bccada0e59d3ee5eb3759ca75eb9c037166e8dafd30'
-);
-
-INSERT INTO file_hashes (
-  file, directory, product, algo, hash
-) VALUES (
-  11, 7, 8, 8192, X'a9f6a18ff6f85208583e0b3fdd2fdafc4575baf5d973c7a831ce74d8bb5a24b8ae8e4504ddefa4a2c2b91f31cd68edea'
-);
-
-INSERT INTO file_hashes (
-  file, directory, product, algo, hash
-) VALUES (
-  12, 7, 1, 32768, X'6c0b2df4fc4c9122b5762ae140d53fdd1cf9e89b'
-);
-
-INSERT INTO file_hashes (
-  file, directory, product, algo, hash
-) VALUES (
-  12, 7, 1, 16384, X'53c3f2bd5aaf8ef4c40f9af92a67621f5e67840b5ff2db67d1bccbcb56f7eef1'
-);
-
-INSERT INTO file_hashes (
-  file, directory, product, algo, hash
-) VALUES (
-  12, 7, 1, 8192, X'1a4a6d91bda3ce59e6c444ccc1e758c9c6f0e223fd8c5aac369260cdfa83081c0e8f3753f100490910ec161902f10ba7'
-);
-
-INSERT INTO file_hashes (
-  file, directory, product, algo, hash
-) VALUES (
-  12, 7, 7, 32768, X'6c0b2df4fc4c9122b5762ae140d53fdd1cf9e89b'
-);
-
-INSERT INTO file_hashes (
-  file, directory, product, algo, hash
-) VALUES (
-  12, 7, 7, 16384, X'53c3f2bd5aaf8ef4c40f9af92a67621f5e67840b5ff2db67d1bccbcb56f7eef1'
-);
-
-INSERT INTO file_hashes (
-  file, directory, product, algo, hash
-) VALUES (
-  12, 7, 7, 8192, X'1a4a6d91bda3ce59e6c444ccc1e758c9c6f0e223fd8c5aac369260cdfa83081c0e8f3753f100490910ec161902f10ba7'
-);
-
-INSERT INTO file_hashes (
-  file, directory, product, algo, hash
-) VALUES (
-  12, 7, 8, 32768, X'a9d8ea0203810d269b3ef3d974fed2ac4d486bae'
-);
-
-INSERT INTO file_hashes (
-  file, directory, product, algo, hash
-) VALUES (
-  12, 7, 8, 16384, X'c071aedaa6f66f8ab45ce037d72bbc42fb1894ac69ab689ad21ce6ff0c1c5d6a'
-);
-
-INSERT INTO file_hashes (
-  file, directory, product, algo, hash
-) VALUES (
-  12, 7, 8, 8192, X'1612eb51a3be3fcba24808326e29967b6f798c5140aefc8279601c5f5600030148fd01e8fbe737fba9c3972832e67601'
-);
-
-INSERT INTO file_hashes (
-  file, directory, product, algo, hash
-) VALUES (
-  13, 7, 1, 32768, X'e2f7b92abda769f82796f57a29801870585dcea3'
-);
-
-INSERT INTO file_hashes (
-  file, directory, product, algo, hash
-) VALUES (
-  13, 7, 1, 16384, X'6d3fe67a040dbb469ef498b26cece45806cb7ca04787bba53b7ba1c18e2abd0a'
-);
-
-INSERT INTO file_hashes (
-  file, directory, product, algo, hash
-) VALUES (
-  13, 7, 1, 8192, X'014852b73cd3eabfa955b7bd56b269d5a0590a2770cf3d656b3d68dbad30884327fc81ff96c6f661c9c4189c3aefa346'
-);
-
-INSERT INTO file_hashes (
-  file, directory, product, algo, hash
-) VALUES (
-  13, 7, 7, 32768, X'e2f7b92abda769f82796f57a29801870585dcea3'
-);
-
-INSERT INTO file_hashes (
-  file, directory, product, algo, hash
-) VALUES (
-  13, 7, 7, 16384, X'6d3fe67a040dbb469ef498b26cece45806cb7ca04787bba53b7ba1c18e2abd0a'
-);
-
-INSERT INTO file_hashes (
-  file, directory, product, algo, hash
-) VALUES (
-  13, 7, 7, 8192, X'014852b73cd3eabfa955b7bd56b269d5a0590a2770cf3d656b3d68dbad30884327fc81ff96c6f661c9c4189c3aefa346'
-);
-
-INSERT INTO file_hashes (
-  file, directory, product, algo, hash
-) VALUES (
-  13, 7, 8, 32768, X'da655441bf10f7dc32978474c77903f2f9120cc4'
-);
-
-INSERT INTO file_hashes (
-  file, directory, product, algo, hash
-) VALUES (
-  13, 7, 8, 16384, X'ec6a4bb332af51cf60cc30ce95197a8c89d42e6135d6e0d4e1d9e4bcc88e838c'
-);
-
-INSERT INTO file_hashes (
-  file, directory, product, algo, hash
-) VALUES (
-  13, 7, 8, 8192, X'135a84e988f219d5bcd7cb4e7ada6f9239c0164a0021262be0c4f9c00d8bece341aa88e0e35011b195c737e438225f4b'
-);
-
-INSERT INTO file_hashes (
-  file, directory, product, algo, hash
-) VALUES (
-  14, 7, 1, 32768, X'160d2b04d11eb225fb148615b699081869e15b6c'
-);
-
-INSERT INTO file_hashes (
-  file, directory, product, algo, hash
-) VALUES (
-  14, 7, 1, 16384, X'1f5a2ceae1418f9c1fbf51eb7d84f74d488908cde5931a5461746d1e24682a25'
-);
-
-INSERT INTO file_hashes (
-  file, directory, product, algo, hash
-) VALUES (
-  14, 7, 1, 8192, X'f701cb25b0e9a9f32d3bba9b274ca0e8838363d13b7283b842d6c9673442890e538127c3b64ca4b177de1d243b44cf0d'
-);
-
-INSERT INTO file_hashes (
-  file, directory, product, algo, hash
-) VALUES (
-  14, 7, 7, 32768, X'160d2b04d11eb225fb148615b699081869e15b6c'
-);
-
-INSERT INTO file_hashes (
-  file, directory, product, algo, hash
-) VALUES (
-  14, 7, 7, 16384, X'1f5a2ceae1418f9c1fbf51eb7d84f74d488908cde5931a5461746d1e24682a25'
-);
-
-INSERT INTO file_hashes (
-  file, directory, product, algo, hash
-) VALUES (
-  14, 7, 7, 8192, X'f701cb25b0e9a9f32d3bba9b274ca0e8838363d13b7283b842d6c9673442890e538127c3b64ca4b177de1d243b44cf0d'
-);
-
-INSERT INTO file_hashes (
-  file, directory, product, algo, hash
-) VALUES (
-  14, 7, 8, 32768, X'7b401b741cc32bcc86c3eac43059c9dd26e99a40'
-);
-
-INSERT INTO file_hashes (
-  file, directory, product, algo, hash
-) VALUES (
-  14, 7, 8, 16384, X'9a7cf37befecc40b494f9176bb887dd478e72c750fed8d540e5d7bbf4b5f2765'
-);
-
-INSERT INTO file_hashes (
-  file, directory, product, algo, hash
-) VALUES (
-  14, 7, 8, 8192, X'161c2f502f10a72ef159b6308219c38cb13387e21645e4357e6934d7afc62727cd76fd518dc6f676e2db47125eb9a2f6'
-);
-
-INSERT INTO file_hashes (
-  file, directory, product, algo, hash
-) VALUES (
-  15, 7, 1, 32768, X'5a0d07ab036603a76759e5f61f7d04f2d3c056cc'
-);
-
-INSERT INTO file_hashes (
-  file, directory, product, algo, hash
-) VALUES (
-  15, 7, 1, 16384, X'85491714e860062c441ff50d93ad79350449596b89b2e409b513c2d883321c9d'
-);
-
-INSERT INTO file_hashes (
-  file, directory, product, algo, hash
-) VALUES (
-  15, 7, 1, 8192, X'8038830a994c779bc200e844d8768280feca9dd5d58de6cd359b87cc68846799edfd16e36e83002da4bb309cfd3b353d'
-);
-
-INSERT INTO file_hashes (
-  file, directory, product, algo, hash
-) VALUES (
-  15, 7, 7, 32768, X'5a0d07ab036603a76759e5f61f7d04f2d3c056cc'
-);
-
-INSERT INTO file_hashes (
-  file, directory, product, algo, hash
-) VALUES (
-  15, 7, 7, 16384, X'85491714e860062c441ff50d93ad79350449596b89b2e409b513c2d883321c9d'
-);
-
-INSERT INTO file_hashes (
-  file, directory, product, algo, hash
-) VALUES (
-  15, 7, 7, 8192, X'8038830a994c779bc200e844d8768280feca9dd5d58de6cd359b87cc68846799edfd16e36e83002da4bb309cfd3b353d'
-);
-
-INSERT INTO file_hashes (
-  file, directory, product, algo, hash
-) VALUES (
-  15, 7, 8, 32768, X'129f6ecfb596fd751e33209b2ad2a28f2d243fdc'
-);
-
-INSERT INTO file_hashes (
-  file, directory, product, algo, hash
-) VALUES (
-  15, 7, 8, 16384, X'2fd1e8874b2faf18973881af54bd3e1fd21aaa8ee181313919569715885e69bc'
-);
-
-INSERT INTO file_hashes (
-  file, directory, product, algo, hash
-) VALUES (
-  15, 7, 8, 8192, X'3862f52ec823474ccfffeb6ead7c6a18b132057018704cb2fa05b08aaee3a1abfaf0eb4c826348f427dfbbb5b3e56647'
-);
-
-INSERT INTO file_hashes (
-  file, directory, product, algo, hash
-) VALUES (
-  16, 7, 1, 32768, X'd6c8dfbaae7ab28b5cef2626a2af3f99a6ea4365'
-);
-
-INSERT INTO file_hashes (
-  file, directory, product, algo, hash
-) VALUES (
-  16, 7, 1, 16384, X'd0d6f784e937227cce99e3be860be078d0397a6fb5a5bc9d95a19ef855609dbc'
-);
-
-INSERT INTO file_hashes (
-  file, directory, product, algo, hash
-) VALUES (
-  16, 7, 1, 8192, X'4be6e7978a6e4fb8a792815f2bbe28c2e66276401fb98ca90e49a5c2f2c94a1c7aac635d501d35d1db0fd53a0cb9d0fa'
-);
-
-INSERT INTO file_hashes (
-  file, directory, product, algo, hash
-) VALUES (
-  16, 7, 7, 32768, X'd6c8dfbaae7ab28b5cef2626a2af3f99a6ea4365'
-);
-
-INSERT INTO file_hashes (
-  file, directory, product, algo, hash
-) VALUES (
-  16, 7, 7, 16384, X'd0d6f784e937227cce99e3be860be078d0397a6fb5a5bc9d95a19ef855609dbc'
-);
-
-INSERT INTO file_hashes (
-  file, directory, product, algo, hash
-) VALUES (
-  16, 7, 7, 8192, X'4be6e7978a6e4fb8a792815f2bbe28c2e66276401fb98ca90e49a5c2f2c94a1c7aac635d501d35d1db0fd53a0cb9d0fa'
-);
-
-INSERT INTO file_hashes (
-  file, directory, product, algo, hash
-) VALUES (
-  16, 7, 8, 32768, X'2b686cd8359dea842cfdcacf39d22f5e0e6d06f2'
-);
-
-INSERT INTO file_hashes (
-  file, directory, product, algo, hash
-) VALUES (
-  16, 7, 8, 16384, X'e14fb3f87b9539108e023660f2d7b4fc728b0622a85de89bdc1fe20162f200a3'
-);
-
-INSERT INTO file_hashes (
-  file, directory, product, algo, hash
-) VALUES (
-  16, 7, 8, 8192, X'6f55292ad4061b0575dca0a3e6abe5f86d5288e0b860e6f76715bd5c9df8b5f751bc547d3147e9da12593b56a3f83252'
-);
-
-INSERT INTO file_hashes (
-  file, product, algo, hash
-) VALUES (
-  17, 1, 32768, X'8a7c41167bc0fcc1dec8329a868ba265c23857f5'
-);
-
-INSERT INTO file_hashes (
-  file, product, algo, hash
-) VALUES (
-  17, 1, 16384, X'f8eb857d7bb850f44c15363ba699442c2810663ac5a83a5f49e06e0fd8144b0e'
-);
-
-INSERT INTO file_hashes (
-  file, product, algo, hash
-) VALUES (
-  17, 1, 8192, X'f40cb6e557ab18d70080e7995e3f96cc272842e822bf52bc1c59075313c2cd832f96cf03a8524905f3d3f7a61441c651'
-);
-
-INSERT INTO file_hashes (
-  file, product, algo, hash
-) VALUES (
-  17, 6, 32768, X'8178f18dcb836e7f7432c4ad568bfd66b7ef4a96'
-);
-
-INSERT INTO file_hashes (
-  file, product, algo, hash
-) VALUES (
-  17, 6, 16384, X'2d6aaed577bfac626ff4958ee1076bc343f8db46538aa6c381521bac94c5ca9e'
-);
-
-INSERT INTO file_hashes (
-  file, product, algo, hash
-) VALUES (
-  17, 6, 8192, X'747bbaee322f9bf1849308f8907e2a43868eae8559a7be718113abb4ce535f6d509d005e51788cf3e83e148487fe7bf3'
-);
-
-INSERT INTO file_hashes (
-  file, product, algo, hash
-) VALUES (
-  17, 7, 32768, X'8a7c41167bc0fcc1dec8329a868ba265c23857f5'
-);
-
-INSERT INTO file_hashes (
-  file, product, algo, hash
-) VALUES (
-  17, 7, 16384, X'f8eb857d7bb850f44c15363ba699442c2810663ac5a83a5f49e06e0fd8144b0e'
-);
-
-INSERT INTO file_hashes (
-  file, product, algo, hash
-) VALUES (
-  17, 7, 8192, X'f40cb6e557ab18d70080e7995e3f96cc272842e822bf52bc1c59075313c2cd832f96cf03a8524905f3d3f7a61441c651'
-);
-
-INSERT INTO file_hashes (
-  file, directory, product, algo, hash
-) VALUES (
-  18, 7, 1, 32768, X'23296f48276e160b6d99b1b42a9114df720bb1ab'
-);
-
-INSERT INTO file_hashes (
-  file, directory, product, algo, hash
-) VALUES (
-  18, 7, 1, 16384, X'78cd0a598080e31453f477e8d8a12ec794e859f4076ed92e53d2053d6d16762c'
-);
-
-INSERT INTO file_hashes (
-  file, directory, product, algo, hash
-) VALUES (
-  18, 7, 1, 8192, X'4da3955f1fd968ecf95cff825d42715b544e577f28f411a020a270834235125bc0c8872bac8dd3466349ac8ab0aa2d74'
-);
-
-INSERT INTO file_hashes (
-  file, directory, product, algo, hash
-) VALUES (
-  18, 7, 7, 32768, X'23296f48276e160b6d99b1b42a9114df720bb1ab'
-);
-
-INSERT INTO file_hashes (
-  file, directory, product, algo, hash
-) VALUES (
-  18, 7, 7, 16384, X'78cd0a598080e31453f477e8d8a12ec794e859f4076ed92e53d2053d6d16762c'
-);
-
-INSERT INTO file_hashes (
-  file, directory, product, algo, hash
-) VALUES (
-  18, 7, 7, 8192, X'4da3955f1fd968ecf95cff825d42715b544e577f28f411a020a270834235125bc0c8872bac8dd3466349ac8ab0aa2d74'
-);
-
-INSERT INTO file_hashes (
-  file, directory, product, algo, hash
-) VALUES (
-  18, 7, 8, 32768, X'9ff04217b3b40cb328440e40b6dc1c283f9f71ec'
-);
-
-INSERT INTO file_hashes (
-  file, directory, product, algo, hash
-) VALUES (
-  18, 7, 8, 16384, X'76de3b5b8df6d685e522aeea01d79ac457808437c02d40eb2e6ff06098057d41'
-);
-
-INSERT INTO file_hashes (
-  file, directory, product, algo, hash
-) VALUES (
-  18, 7, 8, 8192, X'ca1c0f6e3516f82a40cbaaea84dd42a8c97cea6b729dc07343f18a5d1b898a94e861b0dfb574c3efad64c363bb07ebf5'
-);
-
-INSERT INTO file_hashes (
-  file, directory, product, algo, hash
-) VALUES (
-  19, 7, 1, 32768, X'd537d437f058136eb3d7be517dbe7647b623c619'
-);
-
-INSERT INTO file_hashes (
-  file, directory, product, algo, hash
-) VALUES (
-  19, 7, 1, 16384, X'6a837037ad3fc4d06270d99cee2714dcf96b91aeb54d3483009219337961f834'
-);
-
-INSERT INTO file_hashes (
-  file, directory, product, algo, hash
-) VALUES (
-  19, 7, 1, 8192, X'7b5b16840da590a995fab23533f41982c5b136bff8e9b9a90b3c919a12cee20d312091455057a8bba9d9fbe314e6203d'
-);
-
-INSERT INTO file_hashes (
-  file, directory, product, algo, hash
-) VALUES (
-  19, 7, 7, 32768, X'd537d437f058136eb3d7be517dbe7647b623c619'
-);
-
-INSERT INTO file_hashes (
-  file, directory, product, algo, hash
-) VALUES (
-  19, 7, 7, 16384, X'6a837037ad3fc4d06270d99cee2714dcf96b91aeb54d3483009219337961f834'
-);
-
-INSERT INTO file_hashes (
-  file, directory, product, algo, hash
-) VALUES (
-  19, 7, 7, 8192, X'7b5b16840da590a995fab23533f41982c5b136bff8e9b9a90b3c919a12cee20d312091455057a8bba9d9fbe314e6203d'
-);
-
-INSERT INTO file_hashes (
-  file, directory, product, algo, hash
-) VALUES (
-  19, 7, 8, 32768, X'b3d6df204cc27f59704c19ab501172892a9c7c5d'
-);
-
-INSERT INTO file_hashes (
-  file, directory, product, algo, hash
-) VALUES (
-  19, 7, 8, 16384, X'9168ba26a67a3daf0ad3ea956d88358235ebb968b95f91bd110eab34ba75e4f8'
-);
-
-INSERT INTO file_hashes (
-  file, directory, product, algo, hash
-) VALUES (
-  19, 7, 8, 8192, X'e3a69702f9d07ea6e1f7cb85157f3d76d7e7dc577fd48ca7f6cf8f917ca7e5015e0f7dd463e1229aebf18aabcfd39cc3'
-);
-
-INSERT INTO file_hashes (
-  file, directory, product, algo, hash
-) VALUES (
-  20, 7, 1, 32768, X'f9e3531abb67a020cf667d46ca823675dd0a0dd4'
-);
-
-INSERT INTO file_hashes (
-  file, directory, product, algo, hash
-) VALUES (
-  20, 7, 1, 16384, X'569bafa2dabbcfa0ba9c7c411eacfeb8930f9d856a1a43cf8aa3662a67c13e35'
-);
-
-INSERT INTO file_hashes (
-  file, directory, product, algo, hash
-) VALUES (
-  20, 7, 1, 8192, X'84200bd318bb022915150842ddf4002e061ef593604ad0d07021dc662cc40bfa749cce084ddf25d0e5137f6380f613d8'
-);
-
-INSERT INTO file_hashes (
-  file, directory, product, algo, hash
-) VALUES (
-  20, 7, 7, 32768, X'f9e3531abb67a020cf667d46ca823675dd0a0dd4'
-);
-
-INSERT INTO file_hashes (
-  file, directory, product, algo, hash
-) VALUES (
-  20, 7, 7, 16384, X'569bafa2dabbcfa0ba9c7c411eacfeb8930f9d856a1a43cf8aa3662a67c13e35'
-);
-
-INSERT INTO file_hashes (
-  file, directory, product, algo, hash
-) VALUES (
-  20, 7, 7, 8192, X'84200bd318bb022915150842ddf4002e061ef593604ad0d07021dc662cc40bfa749cce084ddf25d0e5137f6380f613d8'
-);
-
-INSERT INTO file_hashes (
-  file, directory, product, algo, hash
-) VALUES (
-  20, 7, 8, 32768, X'8696176c12bf8291b6b9989ec5c94c3fdf26b14f'
-);
-
-INSERT INTO file_hashes (
-  file, directory, product, algo, hash
-) VALUES (
-  20, 7, 8, 16384, X'e7b5896d1dbe17f501f20424e8ed7d2de14d79e984e0c0a032ea70ca2f44e83a'
-);
-
-INSERT INTO file_hashes (
-  file, directory, product, algo, hash
-) VALUES (
-  20, 7, 8, 8192, X'0d87fb31cf84b57b5b872af0b5e65610df929e48877f5ea199c073da6087c7a0e4b4c186545f654bb5db94284fde6274'
-);
-
-INSERT INTO file_hashes (
-  file, product, algo, hash
-) VALUES (
-  23, 8, 32768, X'a67433717c2b9e2a9293f15a88456efbf7998a84'
-);
-
-INSERT INTO file_hashes (
-  file, product, algo, hash
-) VALUES (
-  23, 8, 16384, X'1453d3ceaea4043cecd34f1eb24e0fbbe9fe04978077d06a0f728de849e71365'
-);
-
-INSERT INTO file_hashes (
-  file, product, algo, hash
-) VALUES (
-  23, 8, 8192, X'abd1134f68a2daf92183aeae372f970cb076164468d4df08b8cb53743cae0867c17231e8f087e3367b6ec6905eb03c16'
-);
-
-INSERT INTO file_hashes (
-  file, product, algo, hash
-) VALUES (
-  24, 8, 32768, X'bc3f9d1edeb00192c5c040a53823b58642ed8f41'
-);
-
-INSERT INTO file_hashes (
-  file, product, algo, hash
-) VALUES (
-  24, 8, 16384, X'78f76b5c274705d09cd73cfad04791b8009c56d00849a00613909a659dc9ac63'
-);
-
-INSERT INTO file_hashes (
-  file, product, algo, hash
-) VALUES (
-  24, 8, 8192, X'52cea5a859d0a1e06ffa8c1fc4f7b8dffde2de99915d660b2d3756315efdd873bee67ba3732f2c1ec692c38a8780cd72'
-);
-
-/* AIKs */
-
-INSERT INTO keys (
-  keyid, owner
-) VALUES (
-  X'b772a6730776b9f028e5adfccd40b55c320a13b6', 'Andreas, merthyr (Fujitsu Siemens Lifebook S6420)'
-);
-
-/* Components */
-
-INSERT INTO components (
-  vendor_id, name, qualifier
-) VALUES (
-  36906, 1, 33  /* ITA TGRUB */
-);
-
-INSERT INTO components (
-  vendor_id, name, qualifier
-) VALUES (
-  36906, 2, 33  /* ITA TBOOT */
-);
-
-INSERT INTO components (
-  vendor_id, name, qualifier
-) VALUES (
-  36906, 3, 33  /* ITA IMA - Trusted Platform */
-);
-
-INSERT INTO components (
-  vendor_id, name, qualifier
-) VALUES (
-  36906, 3, 34  /* ITA IMA - Operating System */
-);
-
-/* AIK Component */
-
-INSERT INTO key_component (
-  key, component, depth, seq_no
-) VALUES (
-  1, 3, 0, 1
-);
-
-INSERT INTO key_component (
-  key, component, depth, seq_no
-) VALUES (
-  1, 2, 0, 2
-);
-
-INSERT INTO key_component (
-  key, component, depth, seq_no
-) VALUES (
-  1, 4, 0, 3
-);
-
diff --git a/src/libpts/plugins/imv_attestation/imv_attestation.c b/src/libpts/plugins/imv_attestation/imv_attestation.c
index 3c5488eba..542a561aa 100644
--- a/src/libpts/plugins/imv_attestation/imv_attestation.c
+++ b/src/libpts/plugins/imv_attestation/imv_attestation.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2011-2012 Sansar Choinyambuu, Andreas Steffen
+ * Copyright (C) 2013 Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -13,486 +13,12 @@
  * for more details.
  */
 
-#include "imv_attestation_state.h"
-#include "imv_attestation_process.h"
-#include "imv_attestation_build.h"
-
-#include <imv/imv_agent.h>
-#include <imv/imv_msg.h>
-#include <ietf/ietf_attr.h>
-#include <ietf/ietf_attr_pa_tnc_error.h>
-#include <ietf/ietf_attr_product_info.h>
-#include <ietf/ietf_attr_string_version.h>
-
-#include <libpts.h>
-
-#include <pts/pts.h>
-#include <pts/pts_database.h>
-#include <pts/pts_creds.h>
-
-#include <tcg/tcg_attr.h>
-
-#include <tncif_pa_subtypes.h>
-
-#include <pen/pen.h>
-#include <utils/debug.h>
-#include <credentials/credential_manager.h>
-#include <collections/linked_list.h>
-
-/* IMV definitions */
+#include "imv_attestation_agent.h"
 
 static const char imv_name[] = "Attestation";
+static const imv_agent_create_t imv_agent_create = imv_attestation_agent_create;
 
-static pen_type_t msg_types[] = {
-	{ PEN_TCG,  PA_SUBTYPE_TCG_PTS },
-	{ PEN_IETF, PA_SUBTYPE_IETF_OPERATING_SYSTEM }
-};
-
-static imv_agent_t *imv_attestation;
-
-/**
- * Supported PTS measurement algorithms
- */
-static pts_meas_algorithms_t supported_algorithms = PTS_MEAS_ALGO_NONE;
-
-/**
- * Supported PTS Diffie Hellman Groups
- */
-static pts_dh_group_t supported_dh_groups = PTS_DH_GROUP_NONE;
-
-/**
- * PTS file measurement database
- */
-static pts_database_t *pts_db;
-
-/**
- * PTS credentials
- */
-static pts_creds_t *pts_creds;
-
-/**
- * PTS credential manager
- */
-static credential_manager_t *pts_credmgr;
-
-/**
- * see section 3.8.1 of TCG TNC IF-IMV Specification 1.3
- */
-TNC_Result TNC_IMV_Initialize(TNC_IMVID imv_id,
-							  TNC_Version min_version,
-							  TNC_Version max_version,
-							  TNC_Version *actual_version)
-{
-	char *hash_alg, *dh_group, *uri, *cadir;
-
-	if (imv_attestation)
-	{
-		DBG1(DBG_IMV, "IMV \"%s\" has already been initialized", imv_name);
-		return TNC_RESULT_ALREADY_INITIALIZED;
-	}
-	if (!pts_meas_algo_probe(&supported_algorithms) ||
-		!pts_dh_group_probe(&supported_dh_groups))
-	{
-		return TNC_RESULT_FATAL;
-	}
-	imv_attestation = imv_agent_create(imv_name, msg_types, countof(msg_types),
-									   imv_id, actual_version);
-	if (!imv_attestation)
-	{
-		return TNC_RESULT_FATAL;
-	}
-
-	libpts_init();
-
-	if (min_version > TNC_IFIMV_VERSION_1 || max_version < TNC_IFIMV_VERSION_1)
-	{
-		DBG1(DBG_IMV, "no common IF-IMV version");
-		return TNC_RESULT_NO_COMMON_VERSION;
-	}
-
-	hash_alg = lib->settings->get_str(lib->settings,
-				"libimcv.plugins.imv-attestation.hash_algorithm", "sha256");
-	dh_group = lib->settings->get_str(lib->settings,
-				"libimcv.plugins.imv-attestation.dh_group", "ecp256");
-
-	if (!pts_meas_algo_update(hash_alg, &supported_algorithms) ||
-		!pts_dh_group_update(dh_group, &supported_dh_groups))
-	{
-		return TNC_RESULT_FATAL;
-	}
-
-	/* create a PTS credential manager */
-	pts_credmgr = credential_manager_create();
-
-	/* create PTS credential set */
-	cadir = lib->settings->get_str(lib->settings,
-				"libimcv.plugins.imv-attestation.cadir", NULL);
-	pts_creds = pts_creds_create(cadir);
-	if (pts_creds)
-	{
-		pts_credmgr->add_set(pts_credmgr, pts_creds->get_set(pts_creds));
-	}
-
-	/* attach file measurement database */
-	uri = lib->settings->get_str(lib->settings,
-				"libimcv.plugins.imv-attestation.database", NULL);
-	pts_db = pts_database_create(uri);
-
-	return TNC_RESULT_SUCCESS;
-}
-
-/**
- * see section 3.8.2 of TCG TNC IF-IMV Specification 1.3
- */
-TNC_Result TNC_IMV_NotifyConnectionChange(TNC_IMVID imv_id,
-										  TNC_ConnectionID connection_id,
-										  TNC_ConnectionState new_state)
-{
-	imv_state_t *state;
-
-	if (!imv_attestation)
-	{
-		DBG1(DBG_IMV, "IMV \"%s\" has not been initialized", imv_name);
-		return TNC_RESULT_NOT_INITIALIZED;
-	}
-	switch (new_state)
-	{
-		case TNC_CONNECTION_STATE_CREATE:
-			state = imv_attestation_state_create(connection_id);
-			return imv_attestation->create_state(imv_attestation, state);
-		case TNC_CONNECTION_STATE_DELETE:
-			return imv_attestation->delete_state(imv_attestation, connection_id);
-		case TNC_CONNECTION_STATE_HANDSHAKE:
-		default:
-			return imv_attestation->change_state(imv_attestation, connection_id,
-												 new_state, NULL);
-	}
-}
-
-static TNC_Result send_message(imv_state_t *state, imv_msg_t *out_msg)
-{
-	imv_attestation_state_t *attestation_state;
-	TNC_Result result;
-
-	attestation_state = (imv_attestation_state_t*)state;
-
-	if (imv_attestation_build(out_msg, attestation_state, supported_algorithms,
-							  supported_dh_groups, pts_db))
-	{
-		result = out_msg->send(out_msg, TRUE);
-	}
-	else
-	{
-		result = TNC_RESULT_FATAL;
-	}
-
-	return result;
-}
-
-static TNC_Result receive_message(imv_state_t *state, imv_msg_t *in_msg)
-{
-	imv_attestation_state_t *attestation_state;
-	imv_msg_t *out_msg;
-	enumerator_t *enumerator;
-	pa_tnc_attr_t *attr;
-	pen_type_t type;
-	TNC_Result result;
-	pts_t *pts;
-	chunk_t os_name = chunk_empty;
-	chunk_t os_version = chunk_empty;
-	bool fatal_error = FALSE;
+/* include generic TGC TNC IF-IMV API code below */
 
-	/* parse received PA-TNC message and handle local and remote errors */
-	result = in_msg->receive(in_msg, &fatal_error);
-	if (result != TNC_RESULT_SUCCESS)
-	{
-		return result;
-	}
+#include <imv/imv_if.h>
 
-	attestation_state = (imv_attestation_state_t*)state;
-	pts = attestation_state->get_pts(attestation_state);
-
-	out_msg = imv_msg_create_as_reply(in_msg);
-	out_msg->set_msg_type(out_msg, msg_types[0]);
-
-	/* analyze PA-TNC attributes */
-	enumerator = in_msg->create_attribute_enumerator(in_msg);
-	while (enumerator->enumerate(enumerator, &attr))
-	{
-		type = attr->get_type(attr);
-
-		if (type.vendor_id == PEN_IETF)
-		{
-			switch (type.type)
-			{
-				case IETF_ATTR_PA_TNC_ERROR:
-				{
-					ietf_attr_pa_tnc_error_t *error_attr;
-					pen_type_t error_code;
-					chunk_t msg_info;
-
-					error_attr = (ietf_attr_pa_tnc_error_t*)attr;
-					error_code = error_attr->get_error_code(error_attr);
-
-					if (error_code.vendor_id == PEN_TCG)
-					{
-						msg_info = error_attr->get_msg_info(error_attr);
-
-						DBG1(DBG_IMV, "received TCG-PTS error '%N'",
-							 pts_error_code_names, error_code.type);
-						DBG1(DBG_IMV, "error information: %B", &msg_info);
-
-						result = TNC_RESULT_FATAL;
-					}
-					break;
-				}
-				case IETF_ATTR_PRODUCT_INFORMATION:
-				{
-					ietf_attr_product_info_t *attr_cast;
-
-					attr_cast = (ietf_attr_product_info_t*)attr;
-					os_name = attr_cast->get_info(attr_cast, NULL, NULL);
-					break;
-				}
-				case IETF_ATTR_STRING_VERSION:
-				{
-					ietf_attr_string_version_t *attr_cast;
-
-					attr_cast = (ietf_attr_string_version_t*)attr;
-					os_version = attr_cast->get_version(attr_cast, NULL, NULL);
-					break;
-				}
-				default:
-					break;
-			}
-		}
-		else if (type.vendor_id == PEN_TCG)
-		{
-			if (!imv_attestation_process(attr, out_msg, attestation_state, 
-				supported_algorithms,supported_dh_groups, pts_db, pts_credmgr))
-			{
-				result = TNC_RESULT_FATAL;
-				break;
-			}
-		}
-	}
-	enumerator->destroy(enumerator);
-
-	if (os_name.len && os_version.len)
-	{
-		pts->set_platform_info(pts, os_name, os_version);
-	}
-
-	if (fatal_error || result != TNC_RESULT_SUCCESS)
-	{
-		state->set_recommendation(state,
-								TNC_IMV_ACTION_RECOMMENDATION_NO_RECOMMENDATION,
-								TNC_IMV_EVALUATION_RESULT_ERROR);
-		result = out_msg->send_assessment(out_msg);
-		out_msg->destroy(out_msg);
-		if (result != TNC_RESULT_SUCCESS)
-		{
-			return result;
-		}
-		return imv_attestation->provide_recommendation(imv_attestation, state);
-	}
-
-	/* send PA-TNC message with excl flag set */
-	result = out_msg->send(out_msg, TRUE);
-
-	if (result != TNC_RESULT_SUCCESS)
-	{
-		out_msg->destroy(out_msg);
-		return result;
-	}
-
-	/* check the IMV state for the next PA-TNC attributes to send */
-	result = send_message(state, out_msg);
-
-	if (result != TNC_RESULT_SUCCESS)
-	{
-		state->set_recommendation(state,
-								TNC_IMV_ACTION_RECOMMENDATION_NO_RECOMMENDATION,
-								TNC_IMV_EVALUATION_RESULT_ERROR);
-		result = out_msg->send_assessment(out_msg);
-		out_msg->destroy(out_msg);
-		if (result != TNC_RESULT_SUCCESS)
-		{
-			return result;
-		}
-		return imv_attestation->provide_recommendation(imv_attestation, state);
-	}
-
-	if (attestation_state->get_handshake_state(attestation_state) ==
-		IMV_ATTESTATION_STATE_END)
-	{
-		if (attestation_state->get_file_meas_request_count(attestation_state))
-		{
-			DBG1(DBG_IMV, "failure due to %d pending file measurements",
-				attestation_state->get_file_meas_request_count(attestation_state));
-			attestation_state->set_measurement_error(attestation_state,
-								IMV_ATTESTATION_ERROR_FILE_MEAS_PEND);
-		}
-		if (attestation_state->get_measurement_error(attestation_state))
-		{
-			state->set_recommendation(state,
-								TNC_IMV_ACTION_RECOMMENDATION_ISOLATE,
-								TNC_IMV_EVALUATION_RESULT_NONCOMPLIANT_MAJOR);
-		}
-		else
-		{
-			state->set_recommendation(state,
-								TNC_IMV_ACTION_RECOMMENDATION_ALLOW,
-								TNC_IMV_EVALUATION_RESULT_COMPLIANT);
-		}
-		result = out_msg->send_assessment(out_msg);
-		out_msg->destroy(out_msg);
-		if (result != TNC_RESULT_SUCCESS)
-		{
-			return result;
-		}
-		return imv_attestation->provide_recommendation(imv_attestation, state);
-	}
-	out_msg->destroy(out_msg);
-
-	return result;
-}
-
-/**
- * see section 3.8.4 of TCG TNC IF-IMV Specification 1.3
- */
-TNC_Result TNC_IMV_ReceiveMessage(TNC_IMVID imv_id,
-								  TNC_ConnectionID connection_id,
-								  TNC_BufferReference msg,
-								  TNC_UInt32 msg_len,
-								  TNC_MessageType msg_type)
-{
-	imv_state_t *state;
-	imv_msg_t *in_msg;
-	TNC_Result result;
-
-	if (!imv_attestation)
-	{
-		DBG1(DBG_IMV, "IMV \"%s\" has not been initialized", imv_name);
-		return TNC_RESULT_NOT_INITIALIZED;
-	}
-	if (!imv_attestation->get_state(imv_attestation, connection_id, &state))
-	{
-		return TNC_RESULT_FATAL;
-	}
-	in_msg = imv_msg_create_from_data(imv_attestation, state, connection_id, 
-									  msg_type, chunk_create(msg, msg_len));
-	result = receive_message(state, in_msg);
-	in_msg->destroy(in_msg);
-
-	return result;
-}
-
-/**
- * see section 3.8.6 of TCG TNC IF-IMV Specification 1.3
- */
-TNC_Result TNC_IMV_ReceiveMessageLong(TNC_IMVID imv_id,
-									  TNC_ConnectionID connection_id,
-									  TNC_UInt32 msg_flags,
-									  TNC_BufferReference msg,
-									  TNC_UInt32 msg_len,
-									  TNC_VendorID msg_vid,
-									  TNC_MessageSubtype msg_subtype,
-									  TNC_UInt32 src_imc_id,
-									  TNC_UInt32 dst_imv_id)
-{
-	imv_state_t *state;
-	imv_msg_t *in_msg;
-	TNC_Result result;
-
-	if (!imv_attestation)
-	{
-		DBG1(DBG_IMV, "IMV \"%s\" has not been initialized", imv_name);
-		return TNC_RESULT_NOT_INITIALIZED;
-	}
-	if (!imv_attestation->get_state(imv_attestation, connection_id, &state))
-	{
-		return TNC_RESULT_FATAL;
-	}
-	in_msg = imv_msg_create_from_long_data(imv_attestation, state, connection_id,
-								src_imc_id, dst_imv_id, msg_vid, msg_subtype,
-								chunk_create(msg, msg_len));
-	result =receive_message(state, in_msg);
-	in_msg->destroy(in_msg);
-
-	return result;
-}
-
-/**
- * see section 3.8.7 of TCG TNC IF-IMV Specification 1.3
- */
-TNC_Result TNC_IMV_SolicitRecommendation(TNC_IMVID imv_id,
-										 TNC_ConnectionID connection_id)
-{
-	imv_state_t *state;
-
-	if (!imv_attestation)
-	{
-		DBG1(DBG_IMV, "IMV \"%s\" has not been initialized", imv_name);
-		return TNC_RESULT_NOT_INITIALIZED;
-	}
-	if (!imv_attestation->get_state(imv_attestation, connection_id, &state))
-	{
-		return TNC_RESULT_FATAL;
-	}
-	return imv_attestation->provide_recommendation(imv_attestation, state);
-}
-
-/**
- * see section 3.8.8 of TCG TNC IF-IMV Specification 1.3
- */
-TNC_Result TNC_IMV_BatchEnding(TNC_IMVID imv_id,
-							   TNC_ConnectionID connection_id)
-{
-	if (!imv_attestation)
-	{
-		DBG1(DBG_IMV, "IMV \"%s\" has not been initialized", imv_name);
-		return TNC_RESULT_NOT_INITIALIZED;
-	}
-	return TNC_RESULT_SUCCESS;
-}
-
-/**
- * see section 3.8.9 of TCG TNC IF-IMV Specification 1.3
- */
-TNC_Result TNC_IMV_Terminate(TNC_IMVID imv_id)
-{
-	if (!imv_attestation)
-	{
-		DBG1(DBG_IMV, "IMV \"%s\" has not been initialized", imv_name);
-		return TNC_RESULT_NOT_INITIALIZED;
-	}
-	if (pts_creds)
-	{
-		pts_credmgr->remove_set(pts_credmgr, pts_creds->get_set(pts_creds));
-		pts_creds->destroy(pts_creds);
-	}
-	DESTROY_IF(pts_db);
-	DESTROY_IF(pts_credmgr);
-
-	libpts_deinit();
-
-	imv_attestation->destroy(imv_attestation);
-	imv_attestation = NULL;
-
-	return TNC_RESULT_SUCCESS;
-}
-
-/**
- * see section 4.2.8.1 of TCG TNC IF-IMV Specification 1.3
- */
-TNC_Result TNC_IMV_ProvideBindFunction(TNC_IMVID imv_id,
-								TNC_TNCS_BindFunctionPointer bind_function)
-{
-	if (!imv_attestation)
-	{
-		DBG1(DBG_IMV, "IMV \"%s\" has not been initialized", imv_name);
-		return TNC_RESULT_NOT_INITIALIZED;
-	}
-	return imv_attestation->bind_functions(imv_attestation, bind_function);
-}
diff --git a/src/libpts/plugins/imv_attestation/imv_attestation_agent.c b/src/libpts/plugins/imv_attestation/imv_attestation_agent.c
new file mode 100644
index 000000000..fb934127e
--- /dev/null
+++ b/src/libpts/plugins/imv_attestation/imv_attestation_agent.c
@@ -0,0 +1,616 @@
+/*
+ * Copyright (C) 2011-2012 Sansar Choinyambuu
+ * Copyright (C) 2011-2013 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "imv_attestation_agent.h"
+#include "imv_attestation_state.h"
+#include "imv_attestation_process.h"
+#include "imv_attestation_build.h"
+
+#include <imcv.h>
+#include <imv/imv_agent.h>
+#include <imv/imv_msg.h>
+#include <ietf/ietf_attr.h>
+#include <ietf/ietf_attr_attr_request.h>
+#include <ietf/ietf_attr_pa_tnc_error.h>
+#include <ietf/ietf_attr_product_info.h>
+#include <ietf/ietf_attr_string_version.h>
+
+#include <libpts.h>
+
+#include <pts/pts.h>
+#include <pts/pts_database.h>
+#include <pts/pts_creds.h>
+
+#include <tcg/tcg_attr.h>
+#include <tcg/tcg_pts_attr_req_file_meas.h>
+#include <tcg/tcg_pts_attr_req_file_meta.h>
+
+#include <tncif_pa_subtypes.h>
+
+#include <pen/pen.h>
+#include <utils/debug.h>
+#include <credentials/credential_manager.h>
+#include <collections/linked_list.h>
+
+typedef struct private_imv_attestation_agent_t private_imv_attestation_agent_t;
+
+/* Subscribed PA-TNC message subtypes */
+static pen_type_t msg_types[] = {
+	{ PEN_TCG,  PA_SUBTYPE_TCG_PTS },
+	{ PEN_IETF, PA_SUBTYPE_IETF_OPERATING_SYSTEM }
+};
+
+/**
+ * Private data of an imv_attestation_agent_t object.
+ */
+struct private_imv_attestation_agent_t {
+
+	/**
+	 * Public members of imv_attestation_agent_t
+	 */
+	imv_agent_if_t public;
+
+	/**
+	 * IMV agent responsible for generic functions
+	 */
+	imv_agent_t *agent;
+
+	/**
+	 * Supported PTS measurement algorithms
+	 */
+	pts_meas_algorithms_t supported_algorithms;
+
+	/**
+	 * Supported PTS Diffie Hellman Groups
+	 */
+	pts_dh_group_t supported_dh_groups;
+
+	/**
+	 * PTS file measurement database
+	 */
+	pts_database_t *pts_db;
+
+	/**
+	 * PTS credentials
+	 */
+	pts_creds_t *pts_creds;
+
+	/**
+	 * PTS credential manager
+	 */
+	credential_manager_t *pts_credmgr;
+
+};
+
+METHOD(imv_agent_if_t, bind_functions, TNC_Result,
+	private_imv_attestation_agent_t *this, TNC_TNCS_BindFunctionPointer bind_function)
+{
+	return this->agent->bind_functions(this->agent, bind_function);
+}
+
+METHOD(imv_agent_if_t, notify_connection_change, TNC_Result,
+	private_imv_attestation_agent_t *this, TNC_ConnectionID id,
+	TNC_ConnectionState new_state)
+{
+	imv_state_t *state;
+
+	switch (new_state)
+	{
+		case TNC_CONNECTION_STATE_CREATE:
+			state = imv_attestation_state_create(id);
+			return this->agent->create_state(this->agent, state);
+		case TNC_CONNECTION_STATE_DELETE:
+			return this->agent->delete_state(this->agent, id);
+		default:
+			return this->agent->change_state(this->agent, id, new_state, NULL);
+	}
+}
+
+/**
+ * Process a received message
+ */
+static TNC_Result receive_msg(private_imv_attestation_agent_t *this,
+							  imv_state_t *state, imv_msg_t *in_msg)
+{
+	imv_attestation_state_t *attestation_state;
+	imv_msg_t *out_msg;
+	enumerator_t *enumerator;
+	pa_tnc_attr_t *attr;
+	pen_type_t type;
+	TNC_Result result;
+	pts_t *pts;
+	chunk_t os_name = chunk_empty;
+	chunk_t os_version = chunk_empty;
+	bool fatal_error = FALSE;
+
+	/* parse received PA-TNC message and handle local and remote errors */
+	result = in_msg->receive(in_msg, &fatal_error);
+	if (result != TNC_RESULT_SUCCESS)
+	{
+		return result;
+	}
+
+	attestation_state = (imv_attestation_state_t*)state;
+	pts = attestation_state->get_pts(attestation_state);
+
+	out_msg = imv_msg_create_as_reply(in_msg);
+	out_msg->set_msg_type(out_msg, msg_types[0]);
+
+	/* analyze PA-TNC attributes */
+	enumerator = in_msg->create_attribute_enumerator(in_msg);
+	while (enumerator->enumerate(enumerator, &attr))
+	{
+		type = attr->get_type(attr);
+
+		if (type.vendor_id == PEN_IETF)
+		{
+			switch (type.type)
+			{
+				case IETF_ATTR_PA_TNC_ERROR:
+				{
+					ietf_attr_pa_tnc_error_t *error_attr;
+					pen_type_t error_code;
+					chunk_t msg_info;
+
+					error_attr = (ietf_attr_pa_tnc_error_t*)attr;
+					error_code = error_attr->get_error_code(error_attr);
+
+					if (error_code.vendor_id == PEN_TCG)
+					{
+						msg_info = error_attr->get_msg_info(error_attr);
+
+						DBG1(DBG_IMV, "received TCG-PTS error '%N'",
+							 pts_error_code_names, error_code.type);
+						DBG1(DBG_IMV, "error information: %B", &msg_info);
+						fatal_error = TRUE;
+					}
+					break;
+				}
+				case IETF_ATTR_PRODUCT_INFORMATION:
+				{
+					ietf_attr_product_info_t *attr_cast;
+
+					attr_cast = (ietf_attr_product_info_t*)attr;
+					os_name = attr_cast->get_info(attr_cast, NULL, NULL);
+					break;
+				}
+				case IETF_ATTR_STRING_VERSION:
+				{
+					ietf_attr_string_version_t *attr_cast;
+
+					attr_cast = (ietf_attr_string_version_t*)attr;
+					os_version = attr_cast->get_version(attr_cast, NULL, NULL);
+					break;
+				}
+				default:
+					break;
+			}
+		}
+		else if (type.vendor_id == PEN_TCG)
+		{
+			if (!imv_attestation_process(attr, out_msg, state,
+				this->supported_algorithms, this->supported_dh_groups,
+				this->pts_db, this->pts_credmgr))
+			{
+				result = TNC_RESULT_FATAL;
+				break;
+			}
+		}
+	}
+	enumerator->destroy(enumerator);
+
+	/**
+	 * The IETF Product Information and String Version attributes
+	 * are supposed to arrive in the same PA-TNC message
+	 */
+	if (os_name.len && os_version.len)
+	{
+		pts->set_platform_info(pts, os_name, os_version);
+	}
+
+	if (fatal_error || result != TNC_RESULT_SUCCESS)
+	{
+		state->set_recommendation(state,
+								TNC_IMV_ACTION_RECOMMENDATION_NO_RECOMMENDATION,
+								TNC_IMV_EVALUATION_RESULT_ERROR);
+		result = out_msg->send_assessment(out_msg);
+		out_msg->destroy(out_msg);
+		if (result != TNC_RESULT_SUCCESS)
+		{
+			return result;
+		}
+		return this->agent->provide_recommendation(this->agent, state);
+	}
+
+	/* send PA-TNC message with excl flag set */
+	result = out_msg->send(out_msg, TRUE);
+	out_msg->destroy(out_msg);
+
+	return result;
+}
+
+METHOD(imv_agent_if_t, receive_message, TNC_Result,
+	private_imv_attestation_agent_t *this, TNC_ConnectionID id,
+	TNC_MessageType msg_type, chunk_t msg)
+{
+	imv_state_t *state;
+	imv_msg_t *in_msg;
+	TNC_Result result;
+
+	if (!this->agent->get_state(this->agent, id, &state))
+	{
+		return TNC_RESULT_FATAL;
+	}
+	in_msg = imv_msg_create_from_data(this->agent, state, id, msg_type, msg);
+	result = receive_msg(this, state, in_msg);
+	in_msg->destroy(in_msg);
+
+	return result;
+}
+
+METHOD(imv_agent_if_t, receive_message_long, TNC_Result,
+	private_imv_attestation_agent_t *this, TNC_ConnectionID id,
+	TNC_UInt32 src_imc_id, TNC_UInt32 dst_imv_id,
+	TNC_VendorID msg_vid, TNC_MessageSubtype msg_subtype, chunk_t msg)
+{
+	imv_state_t *state;
+	imv_msg_t *in_msg;
+	TNC_Result result;
+
+	if (!this->agent->get_state(this->agent, id, &state))
+	{
+		return TNC_RESULT_FATAL;
+	}
+	in_msg = imv_msg_create_from_long_data(this->agent, state, id,
+					src_imc_id, dst_imv_id, msg_vid, msg_subtype, msg);
+	result = receive_msg(this, state, in_msg);
+	in_msg->destroy(in_msg);
+
+	return result;
+}
+
+METHOD(imv_agent_if_t, batch_ending, TNC_Result,
+	private_imv_attestation_agent_t *this, TNC_ConnectionID id)
+{
+	imv_msg_t *out_msg;
+	imv_state_t *state;
+	imv_session_t *session;
+	imv_attestation_state_t *attestation_state;
+	TNC_IMVID imv_id;
+	TNC_Result result = TNC_RESULT_SUCCESS;
+	pts_t *pts;
+	char *platform_info;
+
+	if (!this->agent->get_state(this->agent, id, &state))
+	{
+		return TNC_RESULT_FATAL;
+	}
+	attestation_state = (imv_attestation_state_t*)state;
+	pts = attestation_state->get_pts(attestation_state);
+	platform_info = pts->get_platform_info(pts);
+	session = state->get_session(state);
+	imv_id = this->agent->get_id(this->agent);
+
+	/* exit if a recommendation has already been provided */
+	if (state->get_action_flags(state) & IMV_ATTESTATION_FLAG_REC)
+	{
+		return TNC_RESULT_SUCCESS;
+	}
+
+	/* send an IETF attribute request if no platform info was received */
+	if (!platform_info &&
+		!(state->get_action_flags(state) & IMV_ATTESTATION_FLAG_ATTR_REQ))
+	{
+		pa_tnc_attr_t *attr;
+		ietf_attr_attr_request_t *attr_cast;
+		imv_msg_t *os_msg;
+
+		attr = ietf_attr_attr_request_create(PEN_IETF,
+											 IETF_ATTR_PRODUCT_INFORMATION);
+		attr_cast = (ietf_attr_attr_request_t*)attr;
+		attr_cast->add(attr_cast, PEN_IETF, IETF_ATTR_STRING_VERSION);
+
+		os_msg = imv_msg_create(this->agent, state, id, imv_id, TNC_IMCID_ANY,
+								 msg_types[1]);
+		os_msg->add_attribute(os_msg, attr);
+		result = os_msg->send(os_msg, FALSE);
+		os_msg->destroy(os_msg);
+
+		if (result != TNC_RESULT_SUCCESS)
+		{
+			return result;
+		}
+		state->set_action_flags(state, IMV_ATTESTATION_FLAG_ATTR_REQ);
+	}
+
+	/* create an empty out message - we might need it */
+	out_msg = imv_msg_create(this->agent, state, id, imv_id, TNC_IMCID_ANY,
+							 msg_types[0]);
+
+	if (platform_info && session &&
+	   (state->get_action_flags(state) & IMV_ATTESTATION_FLAG_ALGO) &&
+	  !(state->get_action_flags(state) & IMV_ATTESTATION_FLAG_FILE_MEAS))
+	{
+		imv_workitem_t *workitem;
+		bool is_dir, no_workitems = TRUE;
+		u_int32_t delimiter = SOLIDUS_UTF;
+		u_int16_t request_id;
+		pa_tnc_attr_t *attr;
+		char *pathname;
+		enumerator_t *enumerator;
+
+		enumerator = session->create_workitem_enumerator(session);
+		if (enumerator)
+		{
+			while (enumerator->enumerate(enumerator, &workitem))
+			{
+				if (workitem->get_imv_id(workitem) != TNC_IMVID_ANY)
+				{
+					continue;
+				}
+
+				switch (workitem->get_type(workitem))
+				{
+					case IMV_WORKITEM_FILE_REF_MEAS:
+					case IMV_WORKITEM_FILE_MEAS:
+					case IMV_WORKITEM_FILE_META:
+						is_dir = FALSE;
+						break;
+					case IMV_WORKITEM_DIR_REF_MEAS:
+					case IMV_WORKITEM_DIR_MEAS:
+					case IMV_WORKITEM_DIR_META:
+						is_dir = TRUE;
+						break;
+					default:
+						continue;
+				}
+
+				pathname = this->pts_db->get_pathname(this->pts_db, is_dir,
+											workitem->get_arg_int(workitem));
+				if (!pathname)
+				{
+					continue;
+				}
+				workitem->set_imv_id(workitem, imv_id);
+				no_workitems = FALSE;
+
+				if (workitem->get_type(workitem) == IMV_WORKITEM_FILE_META)
+				{
+					TNC_IMV_Action_Recommendation rec;
+					TNC_IMV_Evaluation_Result eval;
+					char result_str[BUF_LEN];
+
+					DBG2(DBG_IMV, "IMV %d requests metadata for %s '%s'",
+						 imv_id, is_dir ? "directory" : "file", pathname);
+
+					/* currently just fire and forget metadata requests */
+					attr = tcg_pts_attr_req_file_meta_create(is_dir,
+												delimiter, pathname);
+					snprintf(result_str, BUF_LEN, "%s metadata requested",
+							 is_dir ? "directory" : "file");
+					eval = TNC_IMV_EVALUATION_RESULT_COMPLIANT;
+					session->remove_workitem(session, enumerator);
+					rec = workitem->set_result(workitem, result_str, eval);
+					state->update_recommendation(state, rec, eval);
+					imcv_db->finalize_workitem(imcv_db, workitem);
+					workitem->destroy(workitem);
+				}
+				else
+				{
+					/* use lower 16 bits of the workitem ID as request ID */
+					request_id = workitem->get_id(workitem) & 0xffff;
+
+					DBG2(DBG_IMV, "IMV %d requests measurement %d for %s '%s'",
+						 imv_id, request_id, is_dir ? "directory" : "file",
+						 pathname);
+					attr = tcg_pts_attr_req_file_meas_create(is_dir, request_id,
+												delimiter, pathname);
+				}
+				free(pathname);
+				attr->set_noskip_flag(attr, TRUE);
+				out_msg->add_attribute(out_msg, attr);
+			}
+			enumerator->destroy(enumerator);
+
+			/* sent all file and directory measurement and metadata requests */
+			state->set_action_flags(state, IMV_ATTESTATION_FLAG_FILE_MEAS);
+
+			if (no_workitems)
+			{
+				DBG2(DBG_IMV, "IMV %d has no workitems - "
+							  "no evaluation requested", imv_id);
+				state->set_recommendation(state,
+								TNC_IMV_ACTION_RECOMMENDATION_ALLOW,
+								TNC_IMV_EVALUATION_RESULT_DONT_KNOW);
+			}
+		}
+	}
+
+	/* check the IMV state for the next PA-TNC attributes to send */
+	if (!imv_attestation_build(out_msg, attestation_state,
+							  this->supported_algorithms,
+							  this->supported_dh_groups, this->pts_db))
+	{
+		state->set_recommendation(state,
+								TNC_IMV_ACTION_RECOMMENDATION_NO_RECOMMENDATION,
+								TNC_IMV_EVALUATION_RESULT_ERROR);
+		result = out_msg->send_assessment(out_msg);
+		out_msg->destroy(out_msg);
+		state->set_action_flags(state, IMV_ATTESTATION_FLAG_REC);
+
+		if (result != TNC_RESULT_SUCCESS)
+		{
+			return result;
+		}
+		return this->agent->provide_recommendation(this->agent, state);
+	}
+
+	/* finalized all workitems? */
+	if (session && session->get_policy_started(session) &&
+		session->get_workitem_count(session, imv_id) == 0 &&
+		attestation_state->get_handshake_state(attestation_state) ==
+			IMV_ATTESTATION_STATE_END)
+	{
+		result = out_msg->send_assessment(out_msg);
+		out_msg->destroy(out_msg);
+		state->set_action_flags(state, IMV_ATTESTATION_FLAG_REC);
+
+		if (result != TNC_RESULT_SUCCESS)
+		{
+			return result;
+		}
+		return this->agent->provide_recommendation(this->agent, state);
+	}
+
+	/* send non-empty PA-TNC message with excl flag not set */
+	if (out_msg->get_attribute_count(out_msg))
+	{
+		result = out_msg->send(out_msg, FALSE);
+	}
+	out_msg->destroy(out_msg);
+
+	return result;
+}
+
+METHOD(imv_agent_if_t, solicit_recommendation, TNC_Result,
+	private_imv_attestation_agent_t *this, TNC_ConnectionID id)
+{
+	TNC_IMVID imv_id;
+	imv_state_t *state;
+	imv_attestation_state_t *attestation_state;
+	imv_session_t *session;
+
+	if (!this->agent->get_state(this->agent, id, &state))
+	{
+		return TNC_RESULT_FATAL;
+	}
+	attestation_state = (imv_attestation_state_t*)state;
+	session = state->get_session(state);
+	imv_id = this->agent->get_id(this->agent);
+
+	if (session)
+	{
+		imv_workitem_t *workitem;
+		enumerator_t *enumerator;
+		int pending_file_meas = 0;
+
+		enumerator = session->create_workitem_enumerator(session);
+		if (enumerator)
+		{
+			while (enumerator->enumerate(enumerator, &workitem))
+			{
+				if (workitem->get_imv_id(workitem) != imv_id)
+				{
+					continue;
+				}
+				switch (workitem->get_type(workitem))
+				{
+					case IMV_WORKITEM_FILE_REF_MEAS:
+					case IMV_WORKITEM_FILE_MEAS:
+					case IMV_WORKITEM_DIR_REF_MEAS:
+					case IMV_WORKITEM_DIR_MEAS:
+						pending_file_meas++;
+						break;
+					default:
+						break;
+				}
+			}
+			enumerator->destroy(enumerator);
+
+			if (pending_file_meas)
+			{
+				DBG1(DBG_IMV, "failure due to %d pending file measurements",
+							   pending_file_meas);
+				attestation_state->set_measurement_error(attestation_state,
+							   IMV_ATTESTATION_ERROR_FILE_MEAS_PEND);
+			}
+		}
+	}
+	return this->agent->provide_recommendation(this->agent, state);
+}
+
+METHOD(imv_agent_if_t, destroy, void,
+	private_imv_attestation_agent_t *this)
+{
+	if (this->pts_creds)
+	{
+		this->pts_credmgr->remove_set(this->pts_credmgr,
+						 			  this->pts_creds->get_set(this->pts_creds));
+		this->pts_creds->destroy(this->pts_creds);
+	}
+	DESTROY_IF(this->pts_db);
+	DESTROY_IF(this->pts_credmgr);
+	DESTROY_IF(this->agent);
+	free(this);
+	libpts_deinit();
+}
+
+/**
+ * Described in header.
+ */
+imv_agent_if_t *imv_attestation_agent_create(const char *name, TNC_IMVID id,
+										 TNC_Version *actual_version)
+{
+	private_imv_attestation_agent_t *this;
+	char *hash_alg, *dh_group, *cadir;
+
+	hash_alg = lib->settings->get_str(lib->settings,
+					"libimcv.plugins.imv-attestation.hash_algorithm", "sha256");
+	dh_group = lib->settings->get_str(lib->settings,
+					"libimcv.plugins.imv-attestation.dh_group", "ecp256");
+	cadir = lib->settings->get_str(lib->settings,
+					"libimcv.plugins.imv-attestation.cadir", NULL);
+
+	INIT(this,
+		.public = {
+			.bind_functions = _bind_functions,
+			.notify_connection_change = _notify_connection_change,
+			.receive_message = _receive_message,
+			.receive_message_long = _receive_message_long,
+			.batch_ending = _batch_ending,
+			.solicit_recommendation = _solicit_recommendation,
+			.destroy = _destroy,
+		},
+		.agent = imv_agent_create(name, msg_types, countof(msg_types), id,
+								  actual_version),
+		.supported_algorithms = PTS_MEAS_ALGO_NONE,
+		.supported_dh_groups = PTS_DH_GROUP_NONE,
+		.pts_credmgr = credential_manager_create(),
+		.pts_creds = pts_creds_create(cadir),
+		.pts_db = pts_database_create(imcv_db),
+	);
+
+	libpts_init();
+
+	if (!this->agent ||
+		!pts_meas_algo_probe(&this->supported_algorithms) ||
+		!pts_dh_group_probe(&this->supported_dh_groups) ||
+		!pts_meas_algo_update(hash_alg, &this->supported_algorithms) ||
+		!pts_dh_group_update(dh_group, &this->supported_dh_groups))
+	{
+		destroy(this);
+		return NULL;
+	}
+
+	if (this->pts_creds)
+	{
+		this->pts_credmgr->add_set(this->pts_credmgr,
+								   this->pts_creds->get_set(this->pts_creds));
+	}
+
+	return &this->public;
+}
+
diff --git a/src/libpts/plugins/imv_attestation/imv_attestation_agent.h b/src/libpts/plugins/imv_attestation/imv_attestation_agent.h
new file mode 100644
index 000000000..cc421a29a
--- /dev/null
+++ b/src/libpts/plugins/imv_attestation/imv_attestation_agent.h
@@ -0,0 +1,36 @@
+/*
+ * Copyright (C) 2013 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup imv_attestation_agent_t imv_attestation_agent
+ * @{ @ingroup imv_attestation
+ */
+
+#ifndef IMV_ATTESTATION_AGENT_H_
+#define IMV_ATTESTATION_AGENT_H_
+
+#include <imv/imv_agent_if.h>
+
+/**
+ * Creates a Attestation IMV agent
+ *
+ * @param name					Name of the IMV
+ * @param id					ID of the IMV
+ * @param actual_version		TNC IF-IMV version
+ */
+imv_agent_if_t* imv_attestation_agent_create(const char* name, TNC_IMVID id,
+											 TNC_Version *actual_version);
+
+#endif /** IMV_ATTESTATION_AGENT_H_ @}*/
diff --git a/src/libpts/plugins/imv_attestation/imv_attestation_build.c b/src/libpts/plugins/imv_attestation/imv_attestation_build.c
index b4feec7cd..3e09f7204 100644
--- a/src/libpts/plugins/imv_attestation/imv_attestation_build.c
+++ b/src/libpts/plugins/imv_attestation/imv_attestation_build.c
@@ -24,8 +24,6 @@
 #include <tcg/tcg_pts_attr_get_aik.h>
 #include <tcg/tcg_pts_attr_req_func_comp_evid.h>
 #include <tcg/tcg_pts_attr_gen_attest_evid.h>
-#include <tcg/tcg_pts_attr_req_file_meas.h>
-#include <tcg/tcg_pts_attr_req_file_meta.h>
 
 #include <utils/debug.h>
 
@@ -49,8 +47,7 @@ bool imv_attestation_build(imv_msg_t *out_msg,
 	if (handshake_state == IMV_ATTESTATION_STATE_NONCE_REQ &&
 		!(pts->get_proto_caps(pts) & PTS_PROTO_CAPS_D))
 	{
-		DBG2(DBG_IMV, "PTS-IMC does not support DH Nonce negotiation - "
-					  "advancing to TPM Initialization");
+		DBG2(DBG_IMV, "PTS-IMC does not support DH Nonce negotiation");
 		handshake_state = IMV_ATTESTATION_STATE_TPM_INIT;
 	}
 
@@ -61,9 +58,8 @@ bool imv_attestation_build(imv_msg_t *out_msg,
 	if (handshake_state == IMV_ATTESTATION_STATE_TPM_INIT &&
 		!(pts->get_proto_caps(pts) & PTS_PROTO_CAPS_T))
 	{
-		DBG2(DBG_IMV, "PTS-IMC made no TPM available - "
-					  "advancing to File Measurements");
-		handshake_state = IMV_ATTESTATION_STATE_MEAS;
+		DBG2(DBG_IMV, "PTS-IMC made no TPM available");
+		handshake_state = IMV_ATTESTATION_STATE_END;
 	}
 
 	switch (handshake_state)
@@ -129,83 +125,9 @@ bool imv_attestation_build(imv_msg_t *out_msg,
 			attr->set_noskip_flag(attr, TRUE);
 			out_msg->add_attribute(out_msg, attr);
 
-			attestation_state->set_handshake_state(attestation_state,
-										IMV_ATTESTATION_STATE_MEAS);
-			break;
-		}
-		case IMV_ATTESTATION_STATE_MEAS:
-		{
-			enumerator_t *enumerator;
-			u_int32_t delimiter = SOLIDUS_UTF;
-			char *platform_info, *pathname;
-			u_int16_t request_id;
-			int id, type;
-			bool is_dir, have_request = FALSE;
-
 			attestation_state->set_handshake_state(attestation_state,
 										IMV_ATTESTATION_STATE_COMP_EVID);
-
-			/* Get Platform and OS of the PTS-IMC */
-			platform_info = pts->get_platform_info(pts);
-
-			if (!pts_db || !platform_info)
-			{
-				DBG1(DBG_IMV, "%s%s%s not available",
-					(pts_db) ? "" : "pts database",
-					(!pts_db && !platform_info) ? "and" : "",
-					(platform_info) ? "" : "platform info");
-				break;
-			}
-			DBG1(DBG_IMV, "platform is '%s'", platform_info);
-
-			/* Send Request File Metadata attribute */
-			enumerator = pts_db->create_file_meta_enumerator(pts_db,
-															 platform_info);
-			if (!enumerator)
-			{
-				break;
-			}
-			while (enumerator->enumerate(enumerator, &type, &pathname))
-			{
-				is_dir = (type != 0);
-				DBG2(DBG_IMV, "metadata request for %s '%s'",
-					 is_dir ? "directory" : "file", pathname);
-				attr = tcg_pts_attr_req_file_meta_create(is_dir, delimiter,
-														 pathname);
-				attr->set_noskip_flag(attr, TRUE);
-				out_msg->add_attribute(out_msg, attr);
-				have_request = TRUE;
-			}
-			enumerator->destroy(enumerator);
-
-			/* Send Request File Measurement attribute */
-			enumerator = pts_db->create_file_meas_enumerator(pts_db,
-															 platform_info);
-			if (!enumerator)
-			{
-				break;
-			}
-			while (enumerator->enumerate(enumerator, &id, &type, &pathname))
-			{
-				is_dir = (type != 0);
-				request_id = attestation_state->add_file_meas_request(
-							attestation_state, id, is_dir);
-				DBG2(DBG_IMV, "measurement request %d for %s '%s'",
-					 request_id, is_dir ? "directory" : "file", pathname);
-				attr = tcg_pts_attr_req_file_meas_create(is_dir, request_id,
-													 delimiter, pathname);
-				attr->set_noskip_flag(attr, TRUE);
-				out_msg->add_attribute(out_msg, attr);
-				have_request = TRUE;
-			}
-			enumerator->destroy(enumerator);
-
-			/* do we have any file metadata or measurement requests? */
-			if (have_request)
-			{
-				break;
-			}
-			/* fall through to next state */
+			break;
 		}
 		case IMV_ATTESTATION_STATE_COMP_EVID:
 		{
@@ -304,6 +226,8 @@ bool imv_attestation_build(imv_msg_t *out_msg,
 			}
 			break;
 		case IMV_ATTESTATION_STATE_END:
+			attestation_state->set_handshake_state(attestation_state,
+										IMV_ATTESTATION_STATE_END);
 			break;
 	}
 	return TRUE;
diff --git a/src/libpts/plugins/imv_attestation/imv_attestation_process.c b/src/libpts/plugins/imv_attestation/imv_attestation_process.c
index 4541075ef..d422ebcda 100644
--- a/src/libpts/plugins/imv_attestation/imv_attestation_process.c
+++ b/src/libpts/plugins/imv_attestation/imv_attestation_process.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2011-2012 Sansar Choinyambuu, Andreas Steffen
+ * Copyright (C) 2011-2013 Sansar Choinyambuu, Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -15,6 +15,7 @@
 
 #include "imv_attestation_process.h"
 
+#include <imcv.h>
 #include <ietf/ietf_attr_pa_tnc_error.h>
 
 #include <pts/pts.h>
@@ -35,15 +36,17 @@
 #include <inttypes.h>
 
 bool imv_attestation_process(pa_tnc_attr_t *attr, imv_msg_t *out_msg,
-							 imv_attestation_state_t *attestation_state,
+							 imv_state_t *state,
 							 pts_meas_algorithms_t supported_algorithms,
 							 pts_dh_group_t supported_dh_groups,
 							 pts_database_t *pts_db,
 							 credential_manager_t *pts_credmgr)
 {
+	imv_attestation_state_t *attestation_state;
 	pen_type_t attr_type;
 	pts_t *pts;
 
+	attestation_state = (imv_attestation_state_t*)state;
 	pts = attestation_state->get_pts(attestation_state);
 	attr_type = attr->get_type(attr);
 
@@ -73,6 +76,7 @@ bool imv_attestation_process(pa_tnc_attr_t *attr, imv_msg_t *out_msg,
 				return FALSE;
 			}
 			pts->set_meas_algorithm(pts, selected_algorithm);
+			state->set_action_flags(state, IMV_ATTESTATION_FLAG_ALGO);
 			break;
 		}
 		case TCG_PTS_DH_NONCE_PARAMS_RESP:
@@ -190,28 +194,26 @@ bool imv_attestation_process(pa_tnc_attr_t *attr, imv_msg_t *out_msg,
 		}
 		case TCG_PTS_FILE_MEAS:
 		{
+			TNC_IMV_Evaluation_Result eval;
+			TNC_IMV_Action_Recommendation rec;
 			tcg_pts_attr_file_meas_t *attr_cast;
 			u_int16_t request_id;
-			int file_count, file_id;
+			int arg_int, file_count;
 			pts_meas_algorithms_t algo;
 			pts_file_meas_t *measurements;
-			char *platform_info;
-			enumerator_t *e_hash;
-			bool is_dir;
-
+			imv_session_t *session;
+			imv_workitem_t *workitem, *found = NULL;
+			imv_workitem_type_t type;
+			char result_str[BUF_LEN], *platform_info;
+			bool is_dir, correct;
+			enumerator_t *enumerator;
+
+			eval = TNC_IMV_EVALUATION_RESULT_COMPLIANT;
+			session = state->get_session(state);
+			algo = pts->get_meas_algorithm(pts);
 			platform_info = pts->get_platform_info(pts);
-			if (!pts_db || !platform_info)
-			{
-				DBG1(DBG_IMV, "%s%s%s not available",
-					(pts_db) ? "" : "pts database",
-					(!pts_db && !platform_info) ? "and" : "",
-					(platform_info) ? "" : "platform info");
-				break;
-			}
-
 			attr_cast = (tcg_pts_attr_file_meas_t*)attr;
 			measurements = attr_cast->get_measurements(attr_cast);
-			algo = pts->get_meas_algorithm(pts);
 			request_id = measurements->get_request_id(measurements);
 			file_count = measurements->get_file_count(measurements);
 
@@ -220,23 +222,101 @@ bool imv_attestation_process(pa_tnc_attr_t *attr, imv_msg_t *out_msg,
 
 			if (request_id)
 			{
-				if (!attestation_state->check_off_file_meas_request(
-					attestation_state, request_id, &file_id, &is_dir))
+				enumerator = session->create_workitem_enumerator(session);
+				while (enumerator->enumerate(enumerator, &workitem))
+				{
+					/* request ID consist of lower 16 bits of workitem ID */
+					if ((workitem->get_id(workitem) & 0xffff) == request_id)
+					{
+						found = workitem;
+						break;
+					}
+				}
+
+				if (!found)
 				{
 					DBG1(DBG_IMV, "  no entry found for file measurement "
 								  "request %d", request_id);
+					enumerator->destroy(enumerator);
 					break;
 				}
+				type =    found->get_type(found);
+				arg_int = found->get_arg_int(found);
+ 
+				switch (type)
+				{
+					default:
+					case IMV_WORKITEM_FILE_REF_MEAS:
+					case IMV_WORKITEM_FILE_MEAS:
+						is_dir = FALSE;
+						break;
+					case IMV_WORKITEM_DIR_REF_MEAS:
+					case IMV_WORKITEM_DIR_MEAS:
+						is_dir = TRUE;
+				}
 
-				/* check hashes from database against measurements */
-				e_hash = pts_db->create_file_hash_enumerator(pts_db,
-								platform_info, algo, file_id, is_dir);
-				if (!measurements->verify(measurements, e_hash, is_dir))
+				switch (type)
 				{
-					attestation_state->set_measurement_error(attestation_state,
+					case IMV_WORKITEM_FILE_MEAS:
+					case IMV_WORKITEM_DIR_MEAS:
+					{
+						enumerator_t *e;
+
+						/* check hashes from database against measurements */
+						e = pts_db->create_file_hash_enumerator(pts_db,
+										platform_info, algo, is_dir, arg_int);
+						if (!e)
+						{
+							eval = TNC_IMV_EVALUATION_RESULT_ERROR;
+							break;
+						}
+						correct = measurements->verify(measurements, e, is_dir);
+						if (!correct)
+						{
+							attestation_state->set_measurement_error(
+										attestation_state,
 										IMV_ATTESTATION_ERROR_FILE_MEAS_FAIL);
+							eval = TNC_IMV_EVALUATION_RESULT_NONCOMPLIANT_MINOR;
+						}
+						e->destroy(e);
+
+						snprintf(result_str, BUF_LEN, "%s measurement%s correct",
+								 is_dir ? "directory" : "file",
+								 correct ? "" : " not");
+						break;
+					}
+					case IMV_WORKITEM_FILE_REF_MEAS:
+					case IMV_WORKITEM_DIR_REF_MEAS:
+					{
+						enumerator_t *e;
+						char *filename;
+						chunk_t measurement;
+
+						e = measurements->create_enumerator(measurements);
+						while (e->enumerate(e, &filename, &measurement))
+						{
+							if (pts_db->add_file_measurement(pts_db, 
+									platform_info, algo, measurement, filename,
+									is_dir, arg_int) != SUCCESS)
+							{
+								eval = TNC_IMV_EVALUATION_RESULT_ERROR;
+							}
+						}
+						e->destroy(e);
+						snprintf(result_str, BUF_LEN, "%s reference measurement "
+								"successful", is_dir ? "directory" : "file");
+						break;
+					}
+					default:
+						break;
 				}
-				e_hash->destroy(e_hash);
+
+				session->remove_workitem(session, enumerator);
+				enumerator->destroy(enumerator);
+				rec = found->set_result(found, result_str, eval);
+				state->update_recommendation(state, rec, eval);
+				imcv_db->finalize_workitem(imcv_db, found);
+				found->destroy(found);
 			}
 			else
 			{
diff --git a/src/libpts/plugins/imv_attestation/imv_attestation_process.h b/src/libpts/plugins/imv_attestation/imv_attestation_process.h
index 74e4644b4..af8666b66 100644
--- a/src/libpts/plugins/imv_attestation/imv_attestation_process.h
+++ b/src/libpts/plugins/imv_attestation/imv_attestation_process.h
@@ -40,7 +40,7 @@
  *
  * @param attr					PA-TNC attribute to be processed
  * @param out_msg				PA-TNC message containing error messages
- * @param attestation_state		attestation state of a given connection
+ * @param state					state of a given connection
  * @param supported_algorithms	supported PTS measurement algorithms
  * @param supported_dh_groups	supported DH groups
  * @param pts_db				PTS configuration database
@@ -48,7 +48,7 @@
  * @return						TRUE if successful
  */
 bool imv_attestation_process(pa_tnc_attr_t *attr, imv_msg_t *out_msg,
-							 imv_attestation_state_t *attestation_state,
+							 imv_state_t *state,
 							 pts_meas_algorithms_t supported_algorithms,
 							 pts_dh_group_t supported_dh_groups,
 							 pts_database_t *pts_db,
diff --git a/src/libpts/plugins/imv_attestation/imv_attestation_state.c b/src/libpts/plugins/imv_attestation/imv_attestation_state.c
index fc4246614..27b2655f8 100644
--- a/src/libpts/plugins/imv_attestation/imv_attestation_state.c
+++ b/src/libpts/plugins/imv_attestation/imv_attestation_state.c
@@ -21,6 +21,8 @@
 #include <imv/imv_lang_string.h>
 #include "imv/imv_reason_string.h"
 
+#include <tncif_policy.h>
+
 #include <collections/linked_list.h>
 #include <utils/debug.h>
 
@@ -63,6 +65,11 @@ struct private_imv_attestation_state_t {
 	 */
 	u_int32_t max_msg_len;
 
+	/**
+	 * Flags set for completed actions
+	 */
+	u_int32_t action_flags;
+
 	/**
 	 * Access Requestor ID Type
 	 */
@@ -73,6 +80,11 @@ struct private_imv_attestation_state_t {
 	 */
 	chunk_t ar_id_value;
 
+	/**
+	 * IMV database session associated with TNCCS connection
+	 */
+	imv_session_t *session;
+
 	/**
 	 * IMV Attestation handshake state
 	 */
@@ -88,16 +100,6 @@ struct private_imv_attestation_state_t {
 	 */
 	TNC_IMV_Evaluation_Result eval;
 
-	/**
-	 * File Measurement Request counter
-	 */
-	u_int16_t file_meas_request_counter;
-
-	/**
-	 * List of PTS File/Directory Measurement requests
-	 */
-	linked_list_t *file_meas_requests;
-
 	/**
 	 * List of Functional Components
 	 */
@@ -120,15 +122,6 @@ struct private_imv_attestation_state_t {
 
 };
 
-/**
- * PTS File/Directory Measurement request entry
- */
-struct file_meas_request_t {
-	u_int16_t id;
-	int file_id;
-	bool is_dir;
-};
-
 /**
  * PTS Functional Component entry
  */
@@ -226,6 +219,18 @@ METHOD(imv_state_t, get_max_msg_len, u_int32_t,
 	return this->max_msg_len;
 }
 
+METHOD(imv_state_t, set_action_flags, void,
+	private_imv_attestation_state_t *this, u_int32_t flags)
+{
+	this->action_flags |= flags;
+}
+
+METHOD(imv_state_t, get_action_flags, u_int32_t,
+	private_imv_attestation_state_t *this)
+{
+	return this->action_flags;
+}
+
 METHOD(imv_state_t, set_ar_id, void,
 	private_imv_attestation_state_t *this, u_int32_t id_type, chunk_t id_value)
 {
@@ -243,6 +248,18 @@ METHOD(imv_state_t, get_ar_id, chunk_t,
 	return this->ar_id_value;
 }
 
+METHOD(imv_state_t, set_session, void,
+	private_imv_attestation_state_t *this, imv_session_t *session)
+{
+	this->session = session;
+}
+
+METHOD(imv_state_t, get_session, imv_session_t*,
+	private_imv_attestation_state_t *this)
+{
+	return this->session;
+}
+
 METHOD(imv_state_t, change_state, void,
 	private_imv_attestation_state_t *this, TNC_ConnectionState new_state)
 {
@@ -251,7 +268,7 @@ METHOD(imv_state_t, change_state, void,
 
 METHOD(imv_state_t, get_recommendation, void,
 	private_imv_attestation_state_t *this, TNC_IMV_Action_Recommendation *rec,
-									TNC_IMV_Evaluation_Result *eval)
+										   TNC_IMV_Evaluation_Result *eval)
 {
 	*rec = this->rec;
 	*eval = this->eval;
@@ -259,12 +276,20 @@ METHOD(imv_state_t, get_recommendation, void,
 
 METHOD(imv_state_t, set_recommendation, void,
 	private_imv_attestation_state_t *this, TNC_IMV_Action_Recommendation rec,
-									TNC_IMV_Evaluation_Result eval)
+										   TNC_IMV_Evaluation_Result eval)
 {
 	this->rec = rec;
 	this->eval = eval;
 }
 
+METHOD(imv_state_t, update_recommendation, void,
+	private_imv_attestation_state_t *this, TNC_IMV_Action_Recommendation rec,
+										   TNC_IMV_Evaluation_Result eval)
+{
+	this->rec  = tncif_policy_update_recommendation(this->rec, rec);
+	this->eval = tncif_policy_update_evaluation(this->eval, eval);
+}
+
 METHOD(imv_state_t, get_reason_string, bool,
 	private_imv_attestation_state_t *this, enumerator_t *language_enumerator,
 	chunk_t *reason_string, char **reason_language)
@@ -316,8 +341,8 @@ METHOD(imv_state_t, get_remediation_instructions, bool,
 METHOD(imv_state_t, destroy, void,
 	private_imv_attestation_state_t *this)
 {
+	DESTROY_IF(this->session);
 	DESTROY_IF(this->reason_string);
-	this->file_meas_requests->destroy_function(this->file_meas_requests, free);
 	this->components->destroy_function(this->components, (void *)free_func_comp);
 	this->pts->destroy(this->pts);
 	free(this->ar_id_value.ptr);
@@ -343,51 +368,6 @@ METHOD(imv_attestation_state_t, get_pts, pts_t*,
 	return this->pts;
 }
 
-METHOD(imv_attestation_state_t, add_file_meas_request, u_int16_t,
-	private_imv_attestation_state_t *this, int file_id, bool is_dir)
-{
-	file_meas_request_t *request;
-
-	request = malloc_thing(file_meas_request_t);
-	request->id = ++this->file_meas_request_counter;
-	request->file_id = file_id;
-	request->is_dir = is_dir;
-	this->file_meas_requests->insert_last(this->file_meas_requests, request);
-
-	return this->file_meas_request_counter;
-}
-
-METHOD(imv_attestation_state_t, check_off_file_meas_request, bool,
-	private_imv_attestation_state_t *this, u_int16_t id, int *file_id,
-	bool* is_dir)
-{
-	enumerator_t *enumerator;
-	file_meas_request_t *request;
-	bool found = FALSE;
-
-	enumerator = this->file_meas_requests->create_enumerator(this->file_meas_requests);
-	while (enumerator->enumerate(enumerator, &request))
-	{
-		if (request->id == id)
-		{
-			found = TRUE;
-			*file_id = request->file_id;
-			*is_dir = request->is_dir;
-			this->file_meas_requests->remove_at(this->file_meas_requests, enumerator);
-			free(request);
-			break;
-		}
-	}
-	enumerator->destroy(enumerator);
-	return found;
-}
-
-METHOD(imv_attestation_state_t, get_file_meas_request_count, int,
-	private_imv_attestation_state_t *this)
-{
-	return this->file_meas_requests->get_count(this->file_meas_requests);
-}
-
 METHOD(imv_attestation_state_t, create_component, pts_component_t*,
 	private_imv_attestation_state_t *this, pts_comp_func_name_t *name,
 	u_int32_t depth, pts_database_t *pts_db)
@@ -508,11 +488,16 @@ imv_state_t *imv_attestation_state_create(TNC_ConnectionID connection_id)
 				.set_flags = _set_flags,
 				.set_max_msg_len = _set_max_msg_len,
 				.get_max_msg_len = _get_max_msg_len,
+				.set_action_flags = _set_action_flags,
+				.get_action_flags = _get_action_flags,
 				.set_ar_id = _set_ar_id,
 				.get_ar_id = _get_ar_id,
+				.set_session = _set_session,
+				.get_session = _get_session,
 				.change_state = _change_state,
 				.get_recommendation = _get_recommendation,
 				.set_recommendation = _set_recommendation,
+				.update_recommendation = _update_recommendation,
 				.get_reason_string = _get_reason_string,
 				.get_remediation_instructions = _get_remediation_instructions,
 				.destroy = _destroy,
@@ -520,9 +505,6 @@ imv_state_t *imv_attestation_state_create(TNC_ConnectionID connection_id)
 			.get_handshake_state = _get_handshake_state,
 			.set_handshake_state = _set_handshake_state,
 			.get_pts = _get_pts,
-			.add_file_meas_request = _add_file_meas_request,
-			.check_off_file_meas_request = _check_off_file_meas_request,
-			.get_file_meas_request_count = _get_file_meas_request_count,
 			.create_component = _create_component,
 			.get_component = _get_component,
 			.finalize_components = _finalize_components,
@@ -535,7 +517,6 @@ imv_state_t *imv_attestation_state_create(TNC_ConnectionID connection_id)
 		.handshake_state = IMV_ATTESTATION_STATE_INIT,
 		.rec = TNC_IMV_ACTION_RECOMMENDATION_NO_RECOMMENDATION,
 		.eval = TNC_IMV_EVALUATION_RESULT_DONT_KNOW,
-		.file_meas_requests = linked_list_create(),
 		.components = linked_list_create(),
 		.pts = pts_create(FALSE),
 	);
diff --git a/src/libpts/plugins/imv_attestation/imv_attestation_state.h b/src/libpts/plugins/imv_attestation/imv_attestation_state.h
index ab77d3042..f3edd5fa1 100644
--- a/src/libpts/plugins/imv_attestation/imv_attestation_state.h
+++ b/src/libpts/plugins/imv_attestation/imv_attestation_state.h
@@ -31,9 +31,20 @@
 #include <library.h>
 
 typedef struct imv_attestation_state_t imv_attestation_state_t;
+typedef enum imv_attestation_flag_t imv_attestation_flag_t;
 typedef enum imv_attestation_handshake_state_t imv_attestation_handshake_state_t;
 typedef enum imv_meas_error_t imv_meas_error_t;
 
+/**
+ * IMV Attestation Flags set for completed actions
+ */
+enum imv_attestation_flag_t {
+	IMV_ATTESTATION_FLAG_ATTR_REQ =  (1<<0),
+	IMV_ATTESTATION_FLAG_ALGO =      (1<<1),
+	IMV_ATTESTATION_FLAG_FILE_MEAS = (1<<2),
+	IMV_ATTESTATION_FLAG_REC =       (1<<3)
+};
+
 /**
  * IMV Attestation Handshake States (state machine)
  */
@@ -41,7 +52,6 @@ enum imv_attestation_handshake_state_t {
 	IMV_ATTESTATION_STATE_INIT,
 	IMV_ATTESTATION_STATE_NONCE_REQ,
 	IMV_ATTESTATION_STATE_TPM_INIT,
-	IMV_ATTESTATION_STATE_MEAS,
 	IMV_ATTESTATION_STATE_COMP_EVID,
 	IMV_ATTESTATION_STATE_EVID_FINAL,
 	IMV_ATTESTATION_STATE_END,
@@ -91,34 +101,6 @@ struct imv_attestation_state_t {
 	 */
 	pts_t* (*get_pts)(imv_attestation_state_t *this);
 
-	/**
-	 * Add an entry to the list of pending file/directory measurement requests
-	 *
-	 * @param file_id			primary key into file table
-	 * @param is_dir			TRUE if directory
-	 * @return					unique request ID
-	 */
-	u_int16_t (*add_file_meas_request)(imv_attestation_state_t *this,
-									   int file_id, bool is_dir);
-
-	/**
-	 * Returns the number of pending file/directory measurement requests
-	 *
-	 * @return					number of pending requests
-	 */
-	int (*get_file_meas_request_count)(imv_attestation_state_t *this);
-
-	/**
-	 * Check for presence of request_id and if found remove it from the list
-	 *
-	 * @param id				unique request ID
-	 * @param file_id			primary key into file table
-	 * @param is_dir			return TRUE if request was for a directory
-	 * @return					TRUE if request ID found, FALSE otherwise
-	 */
-	bool (*check_off_file_meas_request)(imv_attestation_state_t *this,
-										u_int16_t id, int *file_id, bool *is_dir);
-
 	/**
 	 * Create and add an entry to the list of Functional Components
 	 *
diff --git a/src/libpts/plugins/imv_attestation/tables.sql b/src/libpts/plugins/imv_attestation/tables.sql
deleted file mode 100644
index 0c038d365..000000000
--- a/src/libpts/plugins/imv_attestation/tables.sql
+++ /dev/null
@@ -1,146 +0,0 @@
-/* PTS SQLite database */
-
-DROP TABLE IF EXISTS files;
-CREATE TABLE files (
-  id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
-  type INTEGER NOT NULL,
-  path TEXT NOT NULL
-);
-DROP INDEX IF EXISTS files_path;
-CREATE INDEX files_path ON files (
-  path
-);
-
-DROP TABLE IF EXISTS products;
-CREATE TABLE products (
-  id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
-  name TEXT NOT NULL
-);
-DROP INDEX IF EXISTS products_name;
-CREATE INDEX products_name ON products (
-  name
-);
-
-DROP TABLE IF EXISTS product_file;
-CREATE TABLE product_file (
-  product INTEGER NOT NULL,
-  file INTEGER NOT NULL,
-  measurement INTEGER DEFAULT 0,
-  metadata INTEGER DEFAULT 0,
-  PRIMARY KEY (product, file)
-);
-
-DROP TABLE IF EXISTS file_hashes;
-CREATE TABLE file_hashes (
-  file INTEGER NOT NULL,
-  directory INTEGER DEFAULT 0,
-  product INTEGER NOT NULL,
-  key INTEGER DEFAULT 0,
-  algo INTEGER NOT NULL,
-  hash BLOB NOT NULL,
-  PRIMARY KEY(file, directory, product, algo)
-);
-
-DROP TABLE IF EXISTS keys;
-CREATE TABLE keys (
-  id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
-  keyid BLOB NOT NULL,
-  owner TEXT NOT NULL
-);
-DROP INDEX IF EXISTS keys_keyid;
-CREATE INDEX keys_keyid ON keys (
-  keyid
-);
-DROP INDEX IF EXISTS keys_owner;
-CREATE INDEX keys_owner ON keys (
-  owner
-);
-
-DROP TABLE IF EXISTS components;
-CREATE TABLE components (
-  id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
-  vendor_id INTEGER NOT NULL,
-  name INTEGER NOT NULL,
-  qualifier INTEGER DEFAULT 0
-);
-
-
-DROP TABLE IF EXISTS key_component;
-CREATE TABLE key_component (
-  key INTEGER NOT NULL,
-  component INTEGER NOT NULL,
-  depth INTEGER DEFAULT 0,
-  seq_no INTEGER DEFAULT 0,
-  PRIMARY KEY (key, component)
-);
-
-
-DROP TABLE IF EXISTS component_hashes;
-CREATE TABLE component_hashes (
-  component INTEGER NOT NULL,
-  key INTEGER NOT NULL,
-  seq_no INTEGER NOT NULL,
-  pcr INTEGER NOT NULL,
-  algo INTEGER NOT NULL,
-  hash BLOB NOT NULL,
-  PRIMARY KEY(component, key, seq_no, algo)
-);
-
-DROP TABLE IF EXISTS packages;
-CREATE TABLE packages (
-  id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
-  name TEXT NOT NULL
-);
-DROP INDEX IF EXISTS packages_name;
-CREATE INDEX packages_name ON packages (
-  name
-);
-
-DROP TABLE IF EXISTS versions;
-CREATE TABLE versions (
-  id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
-  package INTEGER NOT NULL,
-  product INTEGER NOT NULL,
-  release TEXT NOT NULL,
-  security INTEGER DEFAULT 0,
-  time INTEGER DEFAULT 0
-);
-DROP INDEX IF EXISTS versions_release;
-CREATE INDEX versions_release ON versions (
-  release
-);
-DROP INDEX IF EXISTS versions_package_product;
-CREATE INDEX versions_package_product ON versions (
-  package, product
-);
-
-DROP TABLE IF EXISTS devices;
-CREATE TABLE devices (
-  id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
-  value BLOB NOT NULL
-);
-DROP INDEX IF EXISTS devices_id;
-CREATE INDEX devices_value ON devices (
-  value
-);
-
-DROP TABLE IF EXISTS device_infos;
-CREATE TABLE device_infos (
-  id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
-  device INTEGER NOT NULL,
-  time INTEGER NOT NULL,
-  ar_id INTEGER DEFAULT 0,
-  product INTEGER DEFAULT 0,
-  count INTEGER DEFAULT 0,
-  count_update INTEGER DEFAULT 0,
-  count_blacklist INTEGER DEFAULT 0,
-  flags INTEGER DEFAULT 0
-);
-
-DROP TABLE IF EXISTS identities;
-CREATE TABLE identities (
-  id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
-  type INTEGER NOT NULL,
-  data BLOB NOT NULL,
-  UNIQUE (type, data)
-);
diff --git a/src/libpts/pts/pts_database.c b/src/libpts/pts/pts_database.c
index e0778aaef..e5a06cc8d 100644
--- a/src/libpts/pts/pts_database.c
+++ b/src/libpts/pts/pts_database.c
@@ -13,6 +13,9 @@
  * for more details.
  */
 
+#define _GNU_SOURCE
+#include <stdio.h>
+
 #include "pts_database.h"
 
 #include <utils/debug.h>
@@ -39,60 +42,69 @@ struct private_pts_database_t {
 
 };
 
-METHOD(pts_database_t, create_file_meas_enumerator, enumerator_t*,
-	private_pts_database_t *this, char *product)
+METHOD(pts_database_t, get_pathname, char*,
+	private_pts_database_t *this, bool is_dir, int id)
 {
 	enumerator_t *e;
+	char *path, *name, *pathname;
 
-	/* look for all entries belonging to a product in the files table */
-	e = this->db->query(this->db,
-				"SELECT f.id, f.type, f.path FROM files AS f "
-				"JOIN product_file AS pf ON f.id = pf.file "
-				"JOIN products AS p ON p.id = pf.product "
-				"WHERE p.name = ? AND pf.measurement = 1",
-				DB_TEXT, product, DB_INT, DB_INT, DB_TEXT);
-	return e;
-}
-
-METHOD(pts_database_t, create_file_meta_enumerator, enumerator_t*,
-	private_pts_database_t *this, char *product)
-{
-	enumerator_t *e;
+	if (is_dir)
+	{
+		e = this->db->query(this->db,
+				"SELECT path FROM directories WHERE id = ?",
+				 DB_INT, id, DB_TEXT);
+		if (!e || !e->enumerate(e, &path))
+		{
+			pathname = NULL;
+		}
+		else
+		{
+			pathname = strdup(path);
+		}
+	}
+	else
+	{
+		e = this->db->query(this->db,
+				"SELECT d.path, f.name FROM files AS f "
+				"JOIN directories AS d ON d.id = f.dir WHERE f.id = ?",
+				 DB_INT, id, DB_TEXT, DB_TEXT);
+		if (!e || !e->enumerate(e, &path, &name) ||
+			asprintf(&pathname, "%s%s%s",
+					 path, streq(path, "/") ? "" : "/", name) == -1)
+		{
+			pathname = NULL;
+		}
+	}
+	DESTROY_IF(e);
 
-	/* look for all entries belonging to a product in the files table */
-	e = this->db->query(this->db,
-				"SELECT f.type, f.path FROM files AS f "
-				"JOIN product_file AS pf ON f.id = pf.file "
-				"JOIN products AS p ON p.id = pf.product "
-				"WHERE p.name = ? AND pf.metadata = 1",
-				DB_TEXT, product, DB_INT, DB_TEXT);
-	return e;
+	return pathname;
 }
 
 METHOD(pts_database_t, create_file_hash_enumerator, enumerator_t*,
 	private_pts_database_t *this, char *product, pts_meas_algorithms_t algo,
-	int id, bool is_dir)
+	bool is_dir, int id)
 {
 	enumerator_t *e;
 
 	if (is_dir)
 	{
 		e = this->db->query(this->db,
-				"SELECT f.path, fh.hash FROM file_hashes AS fh "
-				"JOIN files AS f ON fh.file = f.id "
-				"JOIN products AS p ON fh.product = p.id "
-				"WHERE p.name = ? AND fh.directory = ? AND fh.algo = ? "
-				"ORDER BY f.path",
-				DB_TEXT, product, DB_INT, id, DB_INT, algo, DB_TEXT, DB_BLOB);
+				"SELECT f.name, fh.hash FROM file_hashes AS fh "
+				"JOIN files AS f ON f.id = fh.file "
+				"JOIN products AS p ON p.id = fh.product "
+				"JOIN directories as d ON d.id = f.dir "
+				"WHERE p.name = ? AND fh.algo = ? AND d.id = ? "
+				"ORDER BY f.name",
+				DB_TEXT, product, DB_INT, algo, DB_INT, id, DB_TEXT, DB_BLOB);
 	}
 	else
 	{
 		e = this->db->query(this->db,
-				"SELECT f.path, fh.hash FROM file_hashes AS fh "
-				"JOIN files AS f ON fh.file = f.id "
-				"JOIN products AS p ON fh.product = p.id "
-				"WHERE p.name = ? AND fh.file = ? AND fh.algo = ?",
-				DB_TEXT, product, DB_INT, id, DB_INT, algo, DB_TEXT, DB_BLOB);
+				"SELECT f.name, fh.hash FROM file_hashes AS fh "
+				"JOIN files AS f ON f.id = fh.file "
+				"JOIN products AS p ON p.id = fh.product "
+				"WHERE p.name = ? AND fh.algo = ? AND fh.file = ?",
+				DB_TEXT, product, DB_INT, algo, DB_INT, id, DB_TEXT, DB_BLOB);
 	}
 	return e;
 }
@@ -121,6 +133,114 @@ METHOD(pts_database_t, check_aik_keyid, status_t,
 	return SUCCESS;
 }
 
+METHOD(pts_database_t, add_file_measurement, status_t,
+	private_pts_database_t *this, char *product, pts_meas_algorithms_t algo,
+	chunk_t measurement, char *filename, bool is_dir, int id)
+{
+	enumerator_t *e;
+	char *name;
+	chunk_t hash_value;
+	int hash_id, fid, pid = 0;
+	status_t status = SUCCESS;
+
+	/* get primary key of product string */
+	e = this->db->query(this->db,
+			"SELECT id FROM products WHERE name = ?", DB_TEXT, product, DB_INT);
+	if (e)
+	{
+		e->enumerate(e, &pid);
+		e->destroy(e);
+	}
+	if (pid == 0)
+	{
+		return FAILED;
+	}
+
+	if (is_dir)
+	{
+		/* does filename entry already exist? */
+		e = this->db->query(this->db,
+				"SELECT id FROM files WHERE name = ? AND dir = ?",
+				 DB_TEXT, filename, DB_INT, id, DB_INT);
+		if (!e)
+		{
+			return FAILED;
+		}
+		if (!e->enumerate(e, &fid))
+		{
+			/* create filename entry */
+			if (this->db->execute(this->db, &fid,
+					"INSERT INTO files (name, dir) VALUES (?, ?)",
+					 DB_TEXT, filename, DB_INT, id) != 1)
+			{
+				DBG1(DBG_PTS, "could not insert filename into database");
+				status = FAILED;
+			}
+		}
+		e->destroy(e);
+	}
+	else
+	{
+		fid = id;
+
+		/* verify filename */
+		e = this->db->query(this->db,
+				 "SELECT name FROM files WHERE id = ?", DB_INT, fid, DB_TEXT);
+		if (!e)
+		{
+			return FAILED;
+		}
+		if (!e->enumerate(e, &name) || !streq(name, filename))
+		{
+			DBG1(DBG_PTS, "filename of reference measurement does not match");
+			status = FAILED;
+		}
+		e->destroy(e);
+	}
+
+	if (status != SUCCESS)
+	{
+		return status;
+	}
+
+	/* does hash measurement value already exist? */
+	e = this->db->query(this->db,
+			"SELECT fh.id, fh.hash FROM file_hashes AS fh "
+			"WHERE fh.product = ? AND fh.algo = ? AND fh.file = ?",
+			 DB_INT, pid, DB_INT, algo, DB_INT, fid, DB_INT, DB_BLOB);
+	if (!e)
+	{
+		return FAILED;
+	}
+	if (e->enumerate(e, &hash_id, &hash_value))
+	{
+		if (!chunk_equals(measurement, hash_value))
+		{
+			/* update hash measurement value */
+			if (this->db->execute(this->db, &hash_id,
+					"UPDATE file_hashes SET hash = ? WHERE id = ?",
+					 DB_BLOB, measurement, DB_INT, hash_id) != 1)
+			{
+				status = FAILED;
+			}
+		}
+	}
+	else
+	{
+		/* insert hash measurement value */
+		if (this->db->execute(this->db, &hash_id,
+				"INSERT INTO file_hashes (file, product, algo, hash) "
+				"VALUES (?, ?, ?, ?)", DB_INT, fid, DB_INT, pid,
+				 DB_INT, algo, DB_BLOB, measurement) != 1)
+		{
+			status = FAILED;
+		}
+	}
+	e->destroy(e);
+
+	return status;
+}
+
 METHOD(pts_database_t, check_file_measurement, status_t,
 	private_pts_database_t *this, char *product, pts_meas_algorithms_t algo,
 	chunk_t measurement, char *filename)
@@ -308,24 +428,28 @@ METHOD(pts_database_t, get_comp_measurement_count, status_t,
 METHOD(pts_database_t, destroy, void,
 	private_pts_database_t *this)
 {
-	this->db->destroy(this->db);
 	free(this);
 }
 
 /**
  * See header
  */
-pts_database_t *pts_database_create(char *uri)
+pts_database_t *pts_database_create(imv_database_t *imv_db)
 {
 	private_pts_database_t *this;
 
+	if (!imv_db)
+	{
+		return NULL;
+	}
+
 	INIT(this,
 		.public = {
-			.create_file_meas_enumerator = _create_file_meas_enumerator,
-			.create_file_meta_enumerator = _create_file_meta_enumerator,
+			.get_pathname = _get_pathname,
 			.create_comp_evid_enumerator = _create_comp_evid_enumerator,
 			.create_file_hash_enumerator = _create_file_hash_enumerator,
 			.check_aik_keyid = _check_aik_keyid,
+			.add_file_measurement = _add_file_measurement,
 			.check_file_measurement = _check_file_measurement,
 			.check_comp_measurement = _check_comp_measurement,
 			.insert_comp_measurement = _insert_comp_measurement,
@@ -333,17 +457,9 @@ pts_database_t *pts_database_create(char *uri)
 			.get_comp_measurement_count = _get_comp_measurement_count,
 			.destroy = _destroy,
 		},
-		.db = lib->db->create(lib->db, uri),
+		.db = imv_db->get_database(imv_db),
 	);
 
-	if (!this->db)
-	{
-		DBG1(DBG_PTS,
-			 "failed to connect to PTS file measurement database '%s'", uri);
-		free(this);
-		return NULL;
-	}
-
 	return &this->public;
 }
 
diff --git a/src/libpts/pts/pts_database.h b/src/libpts/pts/pts_database.h
index 649ef0e31..eb8aca346 100644
--- a/src/libpts/pts/pts_database.h
+++ b/src/libpts/pts/pts_database.h
@@ -25,6 +25,8 @@ typedef struct pts_database_t pts_database_t;
 
 #include "pts_meas_algo.h"
 #include "components/pts_comp_func_name.h"
+
+#include <imv/imv_database.h>
 #include <library.h>
 
 /**
@@ -34,35 +36,26 @@ typedef struct pts_database_t pts_database_t;
 struct pts_database_t {
 
 	/**
-	* Get files/directories to be measured by PTS
+	* Get absolute pathname for file or directory measurement
 	*
-	* @param product		Software product (os, vpn client, etc.)
-	* @return				Enumerator over all matching files/directories
+	* @param is_dir			TRUE if dir, FALSE if file
+	* @param id				Primary key into directories or files table
+	* @return				Absolute pathname as a text string
 	*/
-	enumerator_t* (*create_file_meas_enumerator)(pts_database_t *this,
-												 char *product);
-
-	/**
-	* Get files/directories to request metadata of
-	*
-	* @param product		Software product (os, vpn client, etc.)
-	* @return				Enumerator over all matching files/directories
-	*/
-	enumerator_t* (*create_file_meta_enumerator)(pts_database_t *this,
-												 char *product);
+	char* (*get_pathname)(pts_database_t *this, bool is_dir, int id);
 
 	/**
 	* Get stored measurement hash for single file or directory entries
 	*
 	* @param product		Software product (os, vpn client, etc.)
 	* @param algo			Hash algorithm used for measurement
-	* @param id				Primary key of measured file/directory
 	* @param is_dir			TRUE if directory was measured
+	* @param id				Primary key of measured file/directory
 	* @return				Enumerator over all matching measurement hashes
 	*/
 	enumerator_t* (*create_file_hash_enumerator)(pts_database_t *this,
 								char *product, pts_meas_algorithms_t algo,
-								int id, bool is_dir);
+								bool is_dir, int id);
 
 	/**
 	* Check if an AIK given by its keyid is registered in the database
@@ -81,6 +74,22 @@ struct pts_database_t {
 	*/
 	enumerator_t* (*create_comp_evid_enumerator)(pts_database_t *this, int kid);
 
+	/**
+	* Add PTS file measurement reference value
+	*
+	* @param product		Software product (os, vpn client, etc.)
+	* @param algo			File measurement hash algorithm used
+	* @param measurement	File measurement hash
+	* @param filename		Optional name of the file to be checked
+	* @param is_dir			TRUE if part of directory measurement
+	* @param id				Primary key into direcories/files table
+	* @return				Status
+	*/
+	status_t (*add_file_measurement)(pts_database_t *this, char *product,
+									 pts_meas_algorithms_t algo,
+									 chunk_t measurement, char *filename,
+									 bool is_dir, int id);
+
 	/**
 	* Check PTS file measurement against reference stored in database
 	*
@@ -159,8 +168,8 @@ struct pts_database_t {
 /**
  * Creates an pts_database_t object
  *
- * @param uri				database uri
+ * @param imv_db			Already attached IMV database
  */
-pts_database_t* pts_database_create(char *uri);
+pts_database_t* pts_database_create(imv_database_t *imv_db);
 
 #endif /** PTS_DATABASE_H_ @}*/
diff --git a/src/libpts/pts/pts_file_meas.c b/src/libpts/pts/pts_file_meas.c
index e69c32443..f684087d7 100644
--- a/src/libpts/pts/pts_file_meas.c
+++ b/src/libpts/pts/pts_file_meas.c
@@ -302,20 +302,7 @@ pts_file_meas_t *pts_file_meas_create_from_path(u_int16_t request_id,
 		return NULL;
 	}
 	measurement = chunk_create(hash, hasher->get_hash_size(hasher));
-
-	INIT(this,
-		.public = {
-			.get_request_id = _get_request_id,
-			.get_file_count = _get_file_count,
-			.add = _add,
-			.create_enumerator = _create_enumerator,
-			.check = _check,
-			.verify = _verify,
-			.destroy = _destroy,
-		},
-		.request_id = request_id,
-		.list = linked_list_create(),
-	);
+	this = (private_pts_file_meas_t*)pts_file_meas_create(request_id);
 
 	if (is_dir)
 	{
@@ -338,8 +325,7 @@ pts_file_meas_t *pts_file_meas_create_from_path(u_int16_t request_id,
 			{
 				if (!hash_file(hasher, abs_name, hash))
 				{
-					success = FALSE;
-					break;
+					continue;
 				}
 				filename = use_rel_name ? rel_name : abs_name;
 				DBG2(DBG_PTS, "  %#B for '%s'", &measurement, filename);
diff --git a/src/libpttls/Makefile.am b/src/libpttls/Makefile.am
index 48123181b..225d0e48f 100644
--- a/src/libpttls/Makefile.am
+++ b/src/libpttls/Makefile.am
@@ -1,6 +1,8 @@
-
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libtls \
-	-I$(top_srcdir)/src/libtncif -I$(top_srcdir)/src/libtnccs
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libtls \
+	-I$(top_srcdir)/src/libtncif \
+	-I$(top_srcdir)/src/libtnccs
 
 ipseclib_LTLIBRARIES = libpttls.la
 libpttls_la_LIBADD = $(top_builddir)/src/libtls/libtls.la
diff --git a/src/libpttls/Makefile.in b/src/libpttls/Makefile.in
index 89e2b5a3f..21acb7889 100644
--- a/src/libpttls/Makefile.in
+++ b/src/libpttls/Makefile.in
@@ -62,7 +62,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
@@ -102,19 +102,35 @@ libpttls_la_DEPENDENCIES = $(top_builddir)/src/libtls/libtls.la
 am_libpttls_la_OBJECTS = pt_tls.lo pt_tls_client.lo pt_tls_server.lo \
 	pt_tls_dispatcher.lo sasl_plain.lo sasl_mechanism.lo
 libpttls_la_OBJECTS = $(am_libpttls_la_OBJECTS)
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
 DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
 depcomp = $(SHELL) $(top_srcdir)/depcomp
 am__depfiles_maybe = depfiles
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
 SOURCES = $(libpttls_la_SOURCES)
 DIST_SOURCES = $(libpttls_la_SOURCES)
 am__can_run_installinfo = \
@@ -128,6 +144,7 @@ DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
@@ -140,6 +157,8 @@ CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
 CHECK_CFLAGS = @CHECK_CFLAGS@
 CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -155,6 +174,7 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
 GPRBUILD = @GPRBUILD@
 GREP = @GREP@
@@ -163,6 +183,7 @@ INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -209,6 +230,7 @@ SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -237,6 +259,7 @@ charon_natt_port = @charon_natt_port@
 charon_plugins = @charon_plugins@
 charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
@@ -314,8 +337,11 @@ top_srcdir = @top_srcdir@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libtls \
-	-I$(top_srcdir)/src/libtncif -I$(top_srcdir)/src/libtnccs
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libtls \
+	-I$(top_srcdir)/src/libtncif \
+	-I$(top_srcdir)/src/libtnccs
 
 ipseclib_LTLIBRARIES = libpttls.la
 libpttls_la_LIBADD = $(top_builddir)/src/libtls/libtls.la
@@ -393,7 +419,7 @@ clean-ipseclibLTLIBRARIES:
 	  rm -f "$${dir}/so_locations"; \
 	done
 libpttls.la: $(libpttls_la_OBJECTS) $(libpttls_la_DEPENDENCIES) $(EXTRA_libpttls_la_DEPENDENCIES) 
-	$(LINK) -rpath $(ipseclibdir) $(libpttls_la_OBJECTS) $(libpttls_la_LIBADD) $(LIBS)
+	$(AM_V_CCLD)$(LINK) -rpath $(ipseclibdir) $(libpttls_la_OBJECTS) $(libpttls_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -409,39 +435,39 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/sasl_plain.Plo@am__quote@
 
 .c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
 sasl_plain.lo: sasl/sasl_plain/sasl_plain.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT sasl_plain.lo -MD -MP -MF $(DEPDIR)/sasl_plain.Tpo -c -o sasl_plain.lo `test -f 'sasl/sasl_plain/sasl_plain.c' || echo '$(srcdir)/'`sasl/sasl_plain/sasl_plain.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/sasl_plain.Tpo $(DEPDIR)/sasl_plain.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sasl/sasl_plain/sasl_plain.c' object='sasl_plain.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT sasl_plain.lo -MD -MP -MF $(DEPDIR)/sasl_plain.Tpo -c -o sasl_plain.lo `test -f 'sasl/sasl_plain/sasl_plain.c' || echo '$(srcdir)/'`sasl/sasl_plain/sasl_plain.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/sasl_plain.Tpo $(DEPDIR)/sasl_plain.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='sasl/sasl_plain/sasl_plain.c' object='sasl_plain.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sasl_plain.lo `test -f 'sasl/sasl_plain/sasl_plain.c' || echo '$(srcdir)/'`sasl/sasl_plain/sasl_plain.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sasl_plain.lo `test -f 'sasl/sasl_plain/sasl_plain.c' || echo '$(srcdir)/'`sasl/sasl_plain/sasl_plain.c
 
 sasl_mechanism.lo: sasl/sasl_mechanism.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT sasl_mechanism.lo -MD -MP -MF $(DEPDIR)/sasl_mechanism.Tpo -c -o sasl_mechanism.lo `test -f 'sasl/sasl_mechanism.c' || echo '$(srcdir)/'`sasl/sasl_mechanism.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/sasl_mechanism.Tpo $(DEPDIR)/sasl_mechanism.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sasl/sasl_mechanism.c' object='sasl_mechanism.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT sasl_mechanism.lo -MD -MP -MF $(DEPDIR)/sasl_mechanism.Tpo -c -o sasl_mechanism.lo `test -f 'sasl/sasl_mechanism.c' || echo '$(srcdir)/'`sasl/sasl_mechanism.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/sasl_mechanism.Tpo $(DEPDIR)/sasl_mechanism.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='sasl/sasl_mechanism.c' object='sasl_mechanism.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sasl_mechanism.lo `test -f 'sasl/sasl_mechanism.c' || echo '$(srcdir)/'`sasl/sasl_mechanism.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sasl_mechanism.lo `test -f 'sasl/sasl_mechanism.c' || echo '$(srcdir)/'`sasl/sasl_mechanism.c
 
 mostlyclean-libtool:
 	-rm -f *.lo
diff --git a/src/libpttls/pt_tls.h b/src/libpttls/pt_tls.h
index cb8bde05c..92a040f3f 100644
--- a/src/libpttls/pt_tls.h
+++ b/src/libpttls/pt_tls.h
@@ -14,7 +14,7 @@
  */
 
 /**
- * @defgroup pt_tls pt_tls
+ * @defgroup pt_tls libpttls
  *
  * @addtogroup pt_tls
  * @{
diff --git a/src/libradius/Makefile.am b/src/libradius/Makefile.am
index 5672f7b84..91ded23e3 100644
--- a/src/libradius/Makefile.am
+++ b/src/libradius/Makefile.am
@@ -1,5 +1,5 @@
-
-INCLUDES = -I$(top_srcdir)/src/libstrongswan
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan
 
 ipseclib_LTLIBRARIES = libradius.la
 libradius_la_SOURCES = \
@@ -8,4 +8,3 @@ libradius_la_SOURCES = \
 	radius_client.h radius_client.c \
 	radius_config.h radius_config.c \
 	radius_mppe.h
-
diff --git a/src/libradius/Makefile.in b/src/libradius/Makefile.in
index 4dabbbdbc..9a530d73d 100644
--- a/src/libradius/Makefile.in
+++ b/src/libradius/Makefile.in
@@ -62,7 +62,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
@@ -102,19 +102,35 @@ libradius_la_LIBADD =
 am_libradius_la_OBJECTS = radius_message.lo radius_socket.lo \
 	radius_client.lo radius_config.lo
 libradius_la_OBJECTS = $(am_libradius_la_OBJECTS)
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
 DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
 depcomp = $(SHELL) $(top_srcdir)/depcomp
 am__depfiles_maybe = depfiles
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
 SOURCES = $(libradius_la_SOURCES)
 DIST_SOURCES = $(libradius_la_SOURCES)
 am__can_run_installinfo = \
@@ -128,6 +144,7 @@ DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
@@ -140,6 +157,8 @@ CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
 CHECK_CFLAGS = @CHECK_CFLAGS@
 CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -155,6 +174,7 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
 GPRBUILD = @GPRBUILD@
 GREP = @GREP@
@@ -163,6 +183,7 @@ INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -209,6 +230,7 @@ SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -237,6 +259,7 @@ charon_natt_port = @charon_natt_port@
 charon_plugins = @charon_plugins@
 charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
@@ -314,7 +337,9 @@ top_srcdir = @top_srcdir@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-INCLUDES = -I$(top_srcdir)/src/libstrongswan
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan
+
 ipseclib_LTLIBRARIES = libradius.la
 libradius_la_SOURCES = \
 	radius_message.h radius_message.c \
@@ -390,7 +415,7 @@ clean-ipseclibLTLIBRARIES:
 	  rm -f "$${dir}/so_locations"; \
 	done
 libradius.la: $(libradius_la_OBJECTS) $(libradius_la_DEPENDENCIES) $(EXTRA_libradius_la_DEPENDENCIES) 
-	$(LINK) -rpath $(ipseclibdir) $(libradius_la_OBJECTS) $(libradius_la_LIBADD) $(LIBS)
+	$(AM_V_CCLD)$(LINK) -rpath $(ipseclibdir) $(libradius_la_OBJECTS) $(libradius_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -404,25 +429,25 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/radius_socket.Plo@am__quote@
 
 .c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
 mostlyclean-libtool:
 	-rm -f *.lo
diff --git a/src/libradius/radius_message.c b/src/libradius/radius_message.c
index e7717ff7a..3905a06c7 100644
--- a/src/libradius/radius_message.c
+++ b/src/libradius/radius_message.c
@@ -65,6 +65,11 @@ struct private_radius_message_t {
 	 * message data, allocated
 	 */
 	rmsg_t *msg;
+
+	/**
+	 * User-Password to encrypt and encode, if any
+	 */
+	chunk_t password;
 };
 
 /**
@@ -356,6 +361,15 @@ METHOD(radius_message_t, add, void,
 {
 	rattr_t *attribute;
 
+	if (type == RAT_USER_PASSWORD && !this->password.len)
+	{
+		/* store a null-padded password */
+		this->password = chunk_alloc(round_up(data.len, HASH_SIZE_MD5));
+		memset(this->password.ptr + data.len, 0, this->password.len - data.len);
+		memcpy(this->password.ptr, data.ptr, data.len);
+		return;
+	}
+
 	data.len = min(data.len, MAX_RADIUS_ATTRIBUTE_SIZE);
 	this->msg = realloc(this->msg,
 						ntohs(this->msg->length) + sizeof(rattr_t) + data.len);
@@ -366,6 +380,67 @@ METHOD(radius_message_t, add, void,
 	this->msg->length = htons(ntohs(this->msg->length) + attribute->length);
 }
 
+METHOD(radius_message_t, crypt, bool,
+	private_radius_message_t *this, chunk_t salt, chunk_t in, chunk_t out,
+	chunk_t secret, hasher_t *hasher)
+{
+	char b[HASH_SIZE_MD5];
+
+	/**
+	 * From RFC2548 (encryption):
+	 * b(1) = MD5(S + R + A)    c(1) = p(1) xor b(1)   C = c(1)
+	 * b(2) = MD5(S + c(1))     c(2) = p(2) xor b(2)   C = C + c(2)
+	 *      . . .
+	 * b(i) = MD5(S + c(i-1))   c(i) = p(i) xor b(i)   C = C + c(i)
+	 *
+	 * P/C = Plain/Crypted => in/out
+	 * S = secret
+	 * R = authenticator
+	 * A = salt
+	 */
+	if (in.len != out.len)
+	{
+		return FALSE;
+	}
+	if (in.len % HASH_SIZE_MD5 || in.len < HASH_SIZE_MD5)
+	{
+		return FALSE;
+	}
+	if (out.ptr != in.ptr)
+	{
+		memcpy(out.ptr, in.ptr, in.len);
+	}
+	/* Preparse seed for first round:
+	 * b(1) = MD5(S + R + A) */
+	if (!hasher->get_hash(hasher, secret, NULL) ||
+		!hasher->get_hash(hasher,
+						  chunk_from_thing(this->msg->authenticator), NULL) ||
+		!hasher->get_hash(hasher, salt, b))
+	{
+		return FALSE;
+	}
+	while (in.len)
+	{
+		/* p(i) = b(i) xor c(1) */
+		memxor(out.ptr, b, HASH_SIZE_MD5);
+
+		out = chunk_skip(out, HASH_SIZE_MD5);
+		if (out.len)
+		{
+			/* Prepare seed for next round::
+			 * b(i) = MD5(S + c(i-1)) */
+			if (!hasher->get_hash(hasher, secret, NULL) ||
+				!hasher->get_hash(hasher,
+								  chunk_create(in.ptr, HASH_SIZE_MD5), b))
+			{
+				return FALSE;
+			}
+		}
+		in = chunk_skip(in, HASH_SIZE_MD5);
+	}
+	return TRUE;
+}
+
 METHOD(radius_message_t, sign, bool,
 	private_radius_message_t *this, u_int8_t *req_auth, chunk_t secret,
 	hasher_t *hasher, signer_t *signer, rng_t *rng, bool msg_auth)
@@ -391,6 +466,18 @@ METHOD(radius_message_t, sign, bool,
 		}
 	}
 
+	if (this->password.len)
+	{
+		/* encrypt password inline */
+		if (!crypt(this, chunk_empty, this->password, this->password,
+				   secret, hasher))
+		{
+			return FALSE;
+		}
+		add(this, RAT_USER_PASSWORD, this->password);
+		chunk_clear(&this->password);
+	}
+
 	if (msg_auth)
 	{
 		char buf[HASH_SIZE_MD5];
@@ -540,6 +627,7 @@ METHOD(radius_message_t, get_encoding, chunk_t,
 METHOD(radius_message_t, destroy, void,
 	private_radius_message_t *this)
 {
+	chunk_clear(&this->password);
 	free(this->msg);
 	free(this);
 }
@@ -563,6 +651,7 @@ static private_radius_message_t *radius_message_create_empty()
 			.get_encoding = _get_encoding,
 			.sign = _sign,
 			.verify = _verify,
+			.crypt = _crypt,
 			.destroy = _destroy,
 		},
 	);
diff --git a/src/libradius/radius_message.h b/src/libradius/radius_message.h
index c49323490..4ce03a44e 100644
--- a/src/libradius/radius_message.h
+++ b/src/libradius/radius_message.h
@@ -284,6 +284,22 @@ struct radius_message_t {
 	bool (*verify)(radius_message_t *this, u_int8_t *req_auth, chunk_t secret,
 				   hasher_t *hasher, signer_t *signer);
 
+	/**
+	 * Perform RADIUS attribute en-/decryption.
+	 *
+	 * Performs en-/decryption by XOring the hash-extended secret into data,
+	 * as specified in RFC 2865 5.2 and used by RFC 2548.
+	 *
+	 * @param salt			salt to append to message authenticator, if any
+	 * @param in			data to en-/decrypt, multiple of HASH_SIZE_MD5
+	 * @param out			en-/decrypted data, length equal to in
+	 * @param secret		RADIUS secret
+	 * @param hasher		MD5 hasher
+	 * @return				TRUE if en-/decryption successful
+	 */
+	bool (*crypt)(radius_message_t *this, chunk_t salt, chunk_t in, chunk_t out,
+				  chunk_t secret, hasher_t *hasher);
+
 	/**
 	 * Destroy the message.
 	 */
diff --git a/src/libradius/radius_socket.c b/src/libradius/radius_socket.c
index 7dab968d8..f432151c0 100644
--- a/src/libradius/radius_socket.c
+++ b/src/libradius/radius_socket.c
@@ -233,54 +233,17 @@ METHOD(radius_socket_t, request, radius_message_t*,
 static chunk_t decrypt_mppe_key(private_radius_socket_t *this, u_int16_t salt,
 								chunk_t C, radius_message_t *request)
 {
-	chunk_t A, R, P, seed;
-	u_char *c, *p;
+	chunk_t decrypted;
 
-	/**
-	 * From RFC2548 (encryption):
-	 * b(1) = MD5(S + R + A)    c(1) = p(1) xor b(1)   C = c(1)
-	 * b(2) = MD5(S + c(1))     c(2) = p(2) xor b(2)   C = C + c(2)
-	 *      . . .
-	 * b(i) = MD5(S + c(i-1))   c(i) = p(i) xor b(i)   C = C + c(i)
-	 */
-
-	if (C.len % HASH_SIZE_MD5 || C.len < HASH_SIZE_MD5)
-	{
-		return chunk_empty;
-	}
-
-	A = chunk_create((u_char*)&salt, sizeof(salt));
-	R = chunk_create(request->get_authenticator(request), HASH_SIZE_MD5);
-	P = chunk_alloca(C.len);
-	p = P.ptr;
-	c = C.ptr;
-
-	seed = chunk_cata("cc", R, A);
-
-	while (c < C.ptr + C.len)
-	{
-		/* b(i) = MD5(S + c(i-1)) */
-		if (!this->hasher->get_hash(this->hasher, this->secret, NULL) ||
-			!this->hasher->get_hash(this->hasher, seed, p))
-		{
-			return chunk_empty;
-		}
-
-		/* p(i) = b(i) xor c(1) */
-		memxor(p, c, HASH_SIZE_MD5);
-
-		/* prepare next round */
-		seed = chunk_create(c, HASH_SIZE_MD5);
-		c += HASH_SIZE_MD5;
-		p += HASH_SIZE_MD5;
-	}
-
-	/* remove truncation, first byte is key length */
-	if (*P.ptr >= P.len)
+	decrypted = chunk_alloca(C.len);
+	if (!request->crypt(request, chunk_from_thing(salt), C, decrypted,
+						this->secret, this->hasher) ||
+		decrypted.ptr[0] >= decrypted.len)
 	{	/* decryption failed? */
 		return chunk_empty;
 	}
-	return chunk_clone(chunk_create(P.ptr + 1, *P.ptr));
+	/* remove truncation, first byte is key length */
+	return chunk_clone(chunk_create(decrypted.ptr + 1, decrypted.ptr[0]));
 }
 
 METHOD(radius_socket_t, decrypt_msk, chunk_t,
diff --git a/src/libsimaka/Makefile.am b/src/libsimaka/Makefile.am
index 80d4fb814..8aaac7de0 100644
--- a/src/libsimaka/Makefile.am
+++ b/src/libsimaka/Makefile.am
@@ -1,5 +1,7 @@
-
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra -I$(top_srcdir)/src/libcharon
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon
 
 ipseclib_LTLIBRARIES = libsimaka.la
 libsimaka_la_SOURCES = simaka_message.h simaka_message.c \
diff --git a/src/libsimaka/Makefile.in b/src/libsimaka/Makefile.in
index a2ccc28e3..bdbc00eba 100644
--- a/src/libsimaka/Makefile.in
+++ b/src/libsimaka/Makefile.in
@@ -62,7 +62,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
@@ -102,19 +102,35 @@ libsimaka_la_LIBADD =
 am_libsimaka_la_OBJECTS = simaka_message.lo simaka_crypto.lo \
 	simaka_manager.lo
 libsimaka_la_OBJECTS = $(am_libsimaka_la_OBJECTS)
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
 DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
 depcomp = $(SHELL) $(top_srcdir)/depcomp
 am__depfiles_maybe = depfiles
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
 SOURCES = $(libsimaka_la_SOURCES)
 DIST_SOURCES = $(libsimaka_la_SOURCES)
 am__can_run_installinfo = \
@@ -128,6 +144,7 @@ DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
@@ -140,6 +157,8 @@ CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
 CHECK_CFLAGS = @CHECK_CFLAGS@
 CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -155,6 +174,7 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
 GPRBUILD = @GPRBUILD@
 GREP = @GREP@
@@ -163,6 +183,7 @@ INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -209,6 +230,7 @@ SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -237,6 +259,7 @@ charon_natt_port = @charon_natt_port@
 charon_plugins = @charon_plugins@
 charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
@@ -314,7 +337,11 @@ top_srcdir = @top_srcdir@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra -I$(top_srcdir)/src/libcharon
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon
+
 ipseclib_LTLIBRARIES = libsimaka.la
 libsimaka_la_SOURCES = simaka_message.h simaka_message.c \
   simaka_crypto.h simaka_crypto.c simaka_manager.h simaka_manager.c \
@@ -387,7 +414,7 @@ clean-ipseclibLTLIBRARIES:
 	  rm -f "$${dir}/so_locations"; \
 	done
 libsimaka.la: $(libsimaka_la_OBJECTS) $(libsimaka_la_DEPENDENCIES) $(EXTRA_libsimaka_la_DEPENDENCIES) 
-	$(LINK) -rpath $(ipseclibdir) $(libsimaka_la_OBJECTS) $(libsimaka_la_LIBADD) $(LIBS)
+	$(AM_V_CCLD)$(LINK) -rpath $(ipseclibdir) $(libsimaka_la_OBJECTS) $(libsimaka_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -400,25 +427,25 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/simaka_message.Plo@am__quote@
 
 .c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
 mostlyclean-libtool:
 	-rm -f *.lo
diff --git a/src/libstrongswan/Android.mk b/src/libstrongswan/Android.mk
index a46b0d9a1..3811ed083 100644
--- a/src/libstrongswan/Android.mk
+++ b/src/libstrongswan/Android.mk
@@ -6,9 +6,10 @@ LOCAL_SRC_FILES := \
 library.c \
 asn1/asn1.c asn1/asn1_parser.c asn1/oid.c bio/bio_reader.c bio/bio_writer.c \
 collections/blocking_queue.c collections/enumerator.c collections/hashtable.c \
+collections/array.c \
 collections/linked_list.c crypto/crypters/crypter.c crypto/hashers/hasher.c \
 crypto/proposal/proposal_keywords.c crypto/proposal/proposal_keywords_static.c \
-crypto/prfs/prf.c crypto/prfs/mac_prf.c \
+crypto/prfs/prf.c crypto/prfs/mac_prf.c crypto/pkcs5.c \
 crypto/rngs/rng.c crypto/prf_plus.c crypto/signers/signer.c \
 crypto/signers/mac_signer.c crypto/crypto_factory.c crypto/crypto_tester.c \
 crypto/diffie_hellman.c crypto/aead.c crypto/transform.c \
@@ -17,7 +18,7 @@ credentials/cred_encoding.c credentials/keys/private_key.c \
 credentials/keys/public_key.c credentials/keys/shared_key.c \
 credentials/certificates/certificate.c credentials/certificates/crl.c \
 credentials/certificates/ocsp_response.c \
-credentials/containers/container.c \
+credentials/containers/container.c credentials/containers/pkcs12.c \
 credentials/ietf_attributes/ietf_attributes.c credentials/credential_manager.c \
 credentials/sets/auth_cfg_wrapper.c credentials/sets/ocsp_response_wrapper.c \
 credentials/sets/cert_cache.c credentials/sets/mem_cred.c \
@@ -25,10 +26,11 @@ credentials/sets/callback_cred.c credentials/auth_cfg.c database/database.c \
 database/database_factory.c fetcher/fetcher.c fetcher/fetcher_manager.c eap/eap.c \
 ipsec/ipsec_types.c \
 networking/host.c networking/host_resolver.c networking/packet.c \
-networking/tun_device.c \
+networking/tun_device.c networking/streams/stream.c \
+networking/streams/stream_service.c networking/streams/stream_manager.c \
 pen/pen.c plugins/plugin_loader.c plugins/plugin_feature.c processing/jobs/job.c \
 processing/jobs/callback_job.c processing/processor.c processing/scheduler.c \
-resolver/resolver_manager.c resolver/rr_set.c \
+processing/watcher.c resolver/resolver_manager.c resolver/rr_set.c \
 selectors/traffic_selector.c threading/thread.c threading/thread_value.c \
 threading/mutex.c threading/semaphore.c threading/rwlock.c threading/spinlock.c \
 utils/utils.c utils/chunk.c utils/debug.c utils/enum.c utils/identification.c \
@@ -110,4 +112,3 @@ LOCAL_PRELINK_MODULE := false
 LOCAL_SHARED_LIBRARIES += libdl libvstr
 
 include $(BUILD_SHARED_LIBRARY)
-
diff --git a/src/libstrongswan/Makefile.am b/src/libstrongswan/Makefile.am
index 8d6c4583a..dfe6e7e00 100644
--- a/src/libstrongswan/Makefile.am
+++ b/src/libstrongswan/Makefile.am
@@ -4,9 +4,10 @@ libstrongswan_la_SOURCES = \
 library.c \
 asn1/asn1.c asn1/asn1_parser.c asn1/oid.c bio/bio_reader.c bio/bio_writer.c \
 collections/blocking_queue.c collections/enumerator.c collections/hashtable.c \
+collections/array.c \
 collections/linked_list.c crypto/crypters/crypter.c crypto/hashers/hasher.c \
 crypto/proposal/proposal_keywords.c crypto/proposal/proposal_keywords_static.c \
-crypto/prfs/prf.c crypto/prfs/mac_prf.c \
+crypto/prfs/prf.c crypto/prfs/mac_prf.c crypto/pkcs5.c \
 crypto/rngs/rng.c crypto/prf_plus.c crypto/signers/signer.c \
 crypto/signers/mac_signer.c crypto/crypto_factory.c crypto/crypto_tester.c \
 crypto/diffie_hellman.c crypto/aead.c crypto/transform.c \
@@ -15,7 +16,7 @@ credentials/cred_encoding.c credentials/keys/private_key.c \
 credentials/keys/public_key.c credentials/keys/shared_key.c \
 credentials/certificates/certificate.c credentials/certificates/crl.c \
 credentials/certificates/ocsp_response.c \
-credentials/containers/container.c \
+credentials/containers/container.c credentials/containers/pkcs12.c \
 credentials/ietf_attributes/ietf_attributes.c credentials/credential_manager.c \
 credentials/sets/auth_cfg_wrapper.c credentials/sets/ocsp_response_wrapper.c \
 credentials/sets/cert_cache.c credentials/sets/mem_cred.c \
@@ -23,10 +24,11 @@ credentials/sets/callback_cred.c credentials/auth_cfg.c database/database.c \
 database/database_factory.c fetcher/fetcher.c fetcher/fetcher_manager.c eap/eap.c \
 ipsec/ipsec_types.c \
 networking/host.c networking/host_resolver.c networking/packet.c \
-networking/tun_device.c \
+networking/tun_device.c networking/streams/stream.c \
+networking/streams/stream_service.c networking/streams/stream_manager.c \
 pen/pen.c plugins/plugin_loader.c plugins/plugin_feature.c processing/jobs/job.c \
 processing/jobs/callback_job.c processing/processor.c processing/scheduler.c \
-resolver/resolver_manager.c resolver/rr_set.c \
+processing/watcher.c resolver/resolver_manager.c resolver/rr_set.c \
 selectors/traffic_selector.c threading/thread.c threading/thread_value.c \
 threading/mutex.c threading/semaphore.c threading/rwlock.c threading/spinlock.c \
 utils/utils.c utils/chunk.c utils/debug.c utils/enum.c utils/identification.c \
@@ -39,13 +41,13 @@ nobase_strongswan_include_HEADERS = \
 library.h \
 asn1/asn1.h asn1/asn1_parser.h asn1/oid.h bio/bio_reader.h bio/bio_writer.h \
 collections/blocking_queue.h collections/enumerator.h collections/hashtable.h \
-collections/linked_list.h \
+collections/linked_list.h collections/array.h \
 crypto/crypters/crypter.h crypto/hashers/hasher.h crypto/mac.h \
 crypto/proposal/proposal_keywords.h crypto/proposal/proposal_keywords_static.h \
 crypto/prfs/prf.h crypto/prfs/mac_prf.h crypto/rngs/rng.h crypto/nonce_gen.h \
 crypto/prf_plus.h crypto/signers/signer.h crypto/signers/mac_signer.h \
 crypto/crypto_factory.h crypto/crypto_tester.h crypto/diffie_hellman.h \
-crypto/aead.h crypto/transform.h \
+crypto/aead.h crypto/transform.h crypto/pkcs5.h \
 credentials/credential_factory.h credentials/builder.h \
 credentials/cred_encoding.h credentials/keys/private_key.h \
 credentials/keys/public_key.h credentials/keys/shared_key.h \
@@ -55,6 +57,7 @@ credentials/certificates/pkcs10.h credentials/certificates/ocsp_request.h \
 credentials/certificates/ocsp_response.h \
 credentials/certificates/pgp_certificate.h \
 credentials/containers/container.h credentials/containers/pkcs7.h \
+credentials/containers/pkcs12.h \
 credentials/ietf_attributes/ietf_attributes.h \
 credentials/credential_manager.h credentials/sets/auth_cfg_wrapper.h \
 credentials/sets/ocsp_response_wrapper.h credentials/sets/cert_cache.h \
@@ -63,12 +66,13 @@ credentials/auth_cfg.h credentials/credential_set.h credentials/cert_validator.h
 database/database.h database/database_factory.h fetcher/fetcher.h \
 fetcher/fetcher_manager.h eap/eap.h pen/pen.h ipsec/ipsec_types.h \
 networking/host.h networking/host_resolver.h networking/packet.h \
-networking/tun_device.h \
+networking/tun_device.h networking/streams/stream.h \
+networking/streams/stream_service.h networking/streams/stream_manager.h \
 resolver/resolver.h resolver/resolver_response.h resolver/rr_set.h \
 resolver/rr.h resolver/resolver_manager.h \
 plugins/plugin_loader.h plugins/plugin.h plugins/plugin_feature.h \
 processing/jobs/job.h processing/jobs/callback_job.h processing/processor.h \
-processing/scheduler.h selectors/traffic_selector.h \
+processing/scheduler.h processing/watcher.h selectors/traffic_selector.h \
 threading/thread.h threading/thread_value.h \
 threading/mutex.h threading/condvar.h threading/spinlock.h threading/semaphore.h \
 threading/rwlock.h threading/rwlock_condvar.h threading/lock_profiler.h \
@@ -79,26 +83,29 @@ endif
 
 library.lo :	$(top_builddir)/config.status
 
-libstrongswan_la_LIBADD = $(PTHREADLIB) $(DLLIB) $(BTLIB) $(SOCKLIB) $(RTLIB) $(BFDLIB)
+libstrongswan_la_LIBADD = $(PTHREADLIB) $(DLLIB) $(BTLIB) $(SOCKLIB) $(RTLIB) $(BFDLIB) $(UNWINDLIB)
+
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-DIPSEC_DIR=\"${ipsecdir}\" \
+	-DIPSEC_LIB_DIR=\"${ipseclibdir}\" \
+	-DPLUGINDIR=\"${plugindir}\" \
+	-DSTRONGSWAN_CONF=\"${strongswan_conf}\"
 
-INCLUDES = -I$(top_srcdir)/src/libstrongswan
 AM_CFLAGS = \
--DIPSEC_DIR=\"${ipsecdir}\" \
--DIPSEC_LIB_DIR=\"${ipseclibdir}\" \
--DPLUGINDIR=\"${plugindir}\" \
--DSTRONGSWAN_CONF=\"${strongswan_conf}\"
+	@COVERAGE_CFLAGS@
 
 if USE_LEAK_DETECTIVE
-  AM_CFLAGS += -DLEAK_DETECTIVE
+  AM_CPPFLAGS += -DLEAK_DETECTIVE
   libstrongswan_la_SOURCES += utils/leak_detective.c
 endif
 
 if USE_LOCK_PROFILER
-  AM_CFLAGS += -DLOCK_PROFILER
+  AM_CPPFLAGS += -DLOCK_PROFILER
 endif
 
 if USE_INTEGRITY_TEST
-  AM_CFLAGS += -DINTEGRITY_TEST
+  AM_CPPFLAGS += -DINTEGRITY_TEST
   libstrongswan_la_SOURCES += utils/integrity_checker.c
 endif
 
@@ -124,13 +131,16 @@ $(srcdir)/asn1/oid.c $(srcdir)/asn1/oid.h \
 $(srcdir)/crypto/proposal/proposal_keywords_static.c
 
 $(srcdir)/asn1/oid.c :	$(srcdir)/asn1/oid.pl $(srcdir)/asn1/oid.txt
+		$(AM_V_GEN) \
 		(cd $(srcdir)/asn1/ && $(PERL) oid.pl)
 
 $(srcdir)/asn1/oid.h :	$(srcdir)/asn1/oid.pl $(srcdir)/asn1/oid.txt
+		$(AM_V_GEN) \
 		(cd $(srcdir)/asn1/ && $(PERL) oid.pl)
 
 $(srcdir)/crypto/proposal/proposal_keywords_static.c:	$(srcdir)/crypto/proposal/proposal_keywords_static.txt \
 														$(srcdir)/crypto/proposal/proposal_keywords_static.h
+		$(AM_V_GEN) \
 		$(GPERF) -N proposal_get_token_static -m 10 -C -G -c -t -D < \
 												$(srcdir)/crypto/proposal/proposal_keywords_static.txt > $@
 
@@ -172,6 +182,13 @@ if MONOLITHIC
 endif
 endif
 
+if USE_RC2
+  SUBDIRS += plugins/rc2
+if MONOLITHIC
+  libstrongswan_la_LIBADD += plugins/rc2/libstrongswan-rc2.la
+endif
+endif
+
 if USE_MD4
   SUBDIRS += plugins/md4
 if MONOLITHIC
@@ -298,6 +315,13 @@ if MONOLITHIC
 endif
 endif
 
+if USE_PKCS12
+  SUBDIRS += plugins/pkcs12
+if MONOLITHIC
+  libstrongswan_la_LIBADD += plugins/pkcs12/libstrongswan-pkcs12.la
+endif
+endif
+
 if USE_PGP
   SUBDIRS += plugins/pgp
 if MONOLITHIC
@@ -312,6 +336,13 @@ if MONOLITHIC
 endif
 endif
 
+if USE_SSHKEY
+  SUBDIRS += plugins/sshkey
+if MONOLITHIC
+  libstrongswan_la_LIBADD += plugins/sshkey/libstrongswan-sshkey.la
+endif
+endif
+
 if USE_PEM
   SUBDIRS += plugins/pem
 if MONOLITHIC
@@ -396,6 +427,13 @@ if MONOLITHIC
 endif
 endif
 
+if USE_KEYCHAIN
+  SUBDIRS += plugins/keychain
+if MONOLITHIC
+  libstrongswan_la_LIBADD += plugins/keychain/libstrongswan-keychain.la
+endif
+endif
+
 if USE_PKCS11
   SUBDIRS += plugins/pkcs11
 if MONOLITHIC
@@ -430,3 +468,10 @@ if MONOLITHIC
   libstrongswan_la_LIBADD += plugins/test_vectors/libstrongswan-test-vectors.la
 endif
 endif
+
+if UNITTESTS
+if MONOLITHIC
+  SUBDIRS += .
+endif
+  SUBDIRS += tests
+endif
diff --git a/src/libstrongswan/Makefile.in b/src/libstrongswan/Makefile.in
index 5435de406..f931e3c47 100644
--- a/src/libstrongswan/Makefile.in
+++ b/src/libstrongswan/Makefile.in
@@ -67,80 +67,90 @@ host_triplet = @host@
 @MONOLITHIC_TRUE@@USE_DES_TRUE@am__append_13 = plugins/des/libstrongswan-des.la
 @USE_BLOWFISH_TRUE@am__append_14 = plugins/blowfish
 @MONOLITHIC_TRUE@@USE_BLOWFISH_TRUE@am__append_15 = plugins/blowfish/libstrongswan-blowfish.la
-@USE_MD4_TRUE@am__append_16 = plugins/md4
-@MONOLITHIC_TRUE@@USE_MD4_TRUE@am__append_17 = plugins/md4/libstrongswan-md4.la
-@USE_MD5_TRUE@am__append_18 = plugins/md5
-@MONOLITHIC_TRUE@@USE_MD5_TRUE@am__append_19 = plugins/md5/libstrongswan-md5.la
-@USE_SHA1_TRUE@am__append_20 = plugins/sha1
-@MONOLITHIC_TRUE@@USE_SHA1_TRUE@am__append_21 = plugins/sha1/libstrongswan-sha1.la
-@USE_SHA2_TRUE@am__append_22 = plugins/sha2
-@MONOLITHIC_TRUE@@USE_SHA2_TRUE@am__append_23 = plugins/sha2/libstrongswan-sha2.la
-@USE_GMP_TRUE@am__append_24 = plugins/gmp
-@MONOLITHIC_TRUE@@USE_GMP_TRUE@am__append_25 = plugins/gmp/libstrongswan-gmp.la
-@USE_RDRAND_TRUE@am__append_26 = plugins/rdrand
-@MONOLITHIC_TRUE@@USE_RDRAND_TRUE@am__append_27 = plugins/rdrand/libstrongswan-rdrand.la
-@USE_RANDOM_TRUE@am__append_28 = plugins/random
-@MONOLITHIC_TRUE@@USE_RANDOM_TRUE@am__append_29 = plugins/random/libstrongswan-random.la
-@USE_NONCE_TRUE@am__append_30 = plugins/nonce
-@MONOLITHIC_TRUE@@USE_NONCE_TRUE@am__append_31 = plugins/nonce/libstrongswan-nonce.la
-@USE_HMAC_TRUE@am__append_32 = plugins/hmac
-@MONOLITHIC_TRUE@@USE_HMAC_TRUE@am__append_33 = plugins/hmac/libstrongswan-hmac.la
-@USE_CMAC_TRUE@am__append_34 = plugins/cmac
-@MONOLITHIC_TRUE@@USE_CMAC_TRUE@am__append_35 = plugins/cmac/libstrongswan-cmac.la
-@USE_XCBC_TRUE@am__append_36 = plugins/xcbc
-@MONOLITHIC_TRUE@@USE_XCBC_TRUE@am__append_37 = plugins/xcbc/libstrongswan-xcbc.la
-@USE_X509_TRUE@am__append_38 = plugins/x509
-@MONOLITHIC_TRUE@@USE_X509_TRUE@am__append_39 = plugins/x509/libstrongswan-x509.la
-@USE_REVOCATION_TRUE@am__append_40 = plugins/revocation
-@MONOLITHIC_TRUE@@USE_REVOCATION_TRUE@am__append_41 = plugins/revocation/libstrongswan-revocation.la
-@USE_CONSTRAINTS_TRUE@am__append_42 = plugins/constraints
-@MONOLITHIC_TRUE@@USE_CONSTRAINTS_TRUE@am__append_43 = plugins/constraints/libstrongswan-constraints.la
-@USE_PUBKEY_TRUE@am__append_44 = plugins/pubkey
-@MONOLITHIC_TRUE@@USE_PUBKEY_TRUE@am__append_45 = plugins/pubkey/libstrongswan-pubkey.la
-@USE_PKCS1_TRUE@am__append_46 = plugins/pkcs1
-@MONOLITHIC_TRUE@@USE_PKCS1_TRUE@am__append_47 = plugins/pkcs1/libstrongswan-pkcs1.la
-@USE_PKCS7_TRUE@am__append_48 = plugins/pkcs7
-@MONOLITHIC_TRUE@@USE_PKCS7_TRUE@am__append_49 = plugins/pkcs7/libstrongswan-pkcs7.la
-@USE_PKCS8_TRUE@am__append_50 = plugins/pkcs8
-@MONOLITHIC_TRUE@@USE_PKCS8_TRUE@am__append_51 = plugins/pkcs8/libstrongswan-pkcs8.la
-@USE_PGP_TRUE@am__append_52 = plugins/pgp
-@MONOLITHIC_TRUE@@USE_PGP_TRUE@am__append_53 = plugins/pgp/libstrongswan-pgp.la
-@USE_DNSKEY_TRUE@am__append_54 = plugins/dnskey
-@MONOLITHIC_TRUE@@USE_DNSKEY_TRUE@am__append_55 = plugins/dnskey/libstrongswan-dnskey.la
-@USE_PEM_TRUE@am__append_56 = plugins/pem
-@MONOLITHIC_TRUE@@USE_PEM_TRUE@am__append_57 = plugins/pem/libstrongswan-pem.la
-@USE_CURL_TRUE@am__append_58 = plugins/curl
-@MONOLITHIC_TRUE@@USE_CURL_TRUE@am__append_59 = plugins/curl/libstrongswan-curl.la
-@USE_UNBOUND_TRUE@am__append_60 = plugins/unbound
-@MONOLITHIC_TRUE@@USE_UNBOUND_TRUE@am__append_61 = plugins/unbound/libstrongswan-unbound.la
-@USE_SOUP_TRUE@am__append_62 = plugins/soup
-@MONOLITHIC_TRUE@@USE_SOUP_TRUE@am__append_63 = plugins/soup/libstrongswan-soup.la
-@USE_LDAP_TRUE@am__append_64 = plugins/ldap
-@MONOLITHIC_TRUE@@USE_LDAP_TRUE@am__append_65 = plugins/ldap/libstrongswan-ldap.la
-@USE_MYSQL_TRUE@am__append_66 = plugins/mysql
-@MONOLITHIC_TRUE@@USE_MYSQL_TRUE@am__append_67 = plugins/mysql/libstrongswan-mysql.la
-@USE_SQLITE_TRUE@am__append_68 = plugins/sqlite
-@MONOLITHIC_TRUE@@USE_SQLITE_TRUE@am__append_69 = plugins/sqlite/libstrongswan-sqlite.la
-@USE_PADLOCK_TRUE@am__append_70 = plugins/padlock
-@MONOLITHIC_TRUE@@USE_PADLOCK_TRUE@am__append_71 = plugins/padlock/libstrongswan-padlock.la
-@USE_OPENSSL_TRUE@am__append_72 = plugins/openssl
-@MONOLITHIC_TRUE@@USE_OPENSSL_TRUE@am__append_73 = plugins/openssl/libstrongswan-openssl.la
-@USE_GCRYPT_TRUE@am__append_74 = plugins/gcrypt
-@MONOLITHIC_TRUE@@USE_GCRYPT_TRUE@am__append_75 = plugins/gcrypt/libstrongswan-gcrypt.la
-@USE_FIPS_PRF_TRUE@am__append_76 = plugins/fips_prf
-@MONOLITHIC_TRUE@@USE_FIPS_PRF_TRUE@am__append_77 = plugins/fips_prf/libstrongswan-fips-prf.la
-@USE_AGENT_TRUE@am__append_78 = plugins/agent
-@MONOLITHIC_TRUE@@USE_AGENT_TRUE@am__append_79 = plugins/agent/libstrongswan-agent.la
-@USE_PKCS11_TRUE@am__append_80 = plugins/pkcs11
-@MONOLITHIC_TRUE@@USE_PKCS11_TRUE@am__append_81 = plugins/pkcs11/libstrongswan-pkcs11.la
-@USE_CTR_TRUE@am__append_82 = plugins/ctr
-@MONOLITHIC_TRUE@@USE_CTR_TRUE@am__append_83 = plugins/ctr/libstrongswan-ctr.la
-@USE_CCM_TRUE@am__append_84 = plugins/ccm
-@MONOLITHIC_TRUE@@USE_CCM_TRUE@am__append_85 = plugins/ccm/libstrongswan-ccm.la
-@USE_GCM_TRUE@am__append_86 = plugins/gcm
-@MONOLITHIC_TRUE@@USE_GCM_TRUE@am__append_87 = plugins/gcm/libstrongswan-gcm.la
-@USE_TEST_VECTORS_TRUE@am__append_88 = plugins/test_vectors
-@MONOLITHIC_TRUE@@USE_TEST_VECTORS_TRUE@am__append_89 = plugins/test_vectors/libstrongswan-test-vectors.la
+@USE_RC2_TRUE@am__append_16 = plugins/rc2
+@MONOLITHIC_TRUE@@USE_RC2_TRUE@am__append_17 = plugins/rc2/libstrongswan-rc2.la
+@USE_MD4_TRUE@am__append_18 = plugins/md4
+@MONOLITHIC_TRUE@@USE_MD4_TRUE@am__append_19 = plugins/md4/libstrongswan-md4.la
+@USE_MD5_TRUE@am__append_20 = plugins/md5
+@MONOLITHIC_TRUE@@USE_MD5_TRUE@am__append_21 = plugins/md5/libstrongswan-md5.la
+@USE_SHA1_TRUE@am__append_22 = plugins/sha1
+@MONOLITHIC_TRUE@@USE_SHA1_TRUE@am__append_23 = plugins/sha1/libstrongswan-sha1.la
+@USE_SHA2_TRUE@am__append_24 = plugins/sha2
+@MONOLITHIC_TRUE@@USE_SHA2_TRUE@am__append_25 = plugins/sha2/libstrongswan-sha2.la
+@USE_GMP_TRUE@am__append_26 = plugins/gmp
+@MONOLITHIC_TRUE@@USE_GMP_TRUE@am__append_27 = plugins/gmp/libstrongswan-gmp.la
+@USE_RDRAND_TRUE@am__append_28 = plugins/rdrand
+@MONOLITHIC_TRUE@@USE_RDRAND_TRUE@am__append_29 = plugins/rdrand/libstrongswan-rdrand.la
+@USE_RANDOM_TRUE@am__append_30 = plugins/random
+@MONOLITHIC_TRUE@@USE_RANDOM_TRUE@am__append_31 = plugins/random/libstrongswan-random.la
+@USE_NONCE_TRUE@am__append_32 = plugins/nonce
+@MONOLITHIC_TRUE@@USE_NONCE_TRUE@am__append_33 = plugins/nonce/libstrongswan-nonce.la
+@USE_HMAC_TRUE@am__append_34 = plugins/hmac
+@MONOLITHIC_TRUE@@USE_HMAC_TRUE@am__append_35 = plugins/hmac/libstrongswan-hmac.la
+@USE_CMAC_TRUE@am__append_36 = plugins/cmac
+@MONOLITHIC_TRUE@@USE_CMAC_TRUE@am__append_37 = plugins/cmac/libstrongswan-cmac.la
+@USE_XCBC_TRUE@am__append_38 = plugins/xcbc
+@MONOLITHIC_TRUE@@USE_XCBC_TRUE@am__append_39 = plugins/xcbc/libstrongswan-xcbc.la
+@USE_X509_TRUE@am__append_40 = plugins/x509
+@MONOLITHIC_TRUE@@USE_X509_TRUE@am__append_41 = plugins/x509/libstrongswan-x509.la
+@USE_REVOCATION_TRUE@am__append_42 = plugins/revocation
+@MONOLITHIC_TRUE@@USE_REVOCATION_TRUE@am__append_43 = plugins/revocation/libstrongswan-revocation.la
+@USE_CONSTRAINTS_TRUE@am__append_44 = plugins/constraints
+@MONOLITHIC_TRUE@@USE_CONSTRAINTS_TRUE@am__append_45 = plugins/constraints/libstrongswan-constraints.la
+@USE_PUBKEY_TRUE@am__append_46 = plugins/pubkey
+@MONOLITHIC_TRUE@@USE_PUBKEY_TRUE@am__append_47 = plugins/pubkey/libstrongswan-pubkey.la
+@USE_PKCS1_TRUE@am__append_48 = plugins/pkcs1
+@MONOLITHIC_TRUE@@USE_PKCS1_TRUE@am__append_49 = plugins/pkcs1/libstrongswan-pkcs1.la
+@USE_PKCS7_TRUE@am__append_50 = plugins/pkcs7
+@MONOLITHIC_TRUE@@USE_PKCS7_TRUE@am__append_51 = plugins/pkcs7/libstrongswan-pkcs7.la
+@USE_PKCS8_TRUE@am__append_52 = plugins/pkcs8
+@MONOLITHIC_TRUE@@USE_PKCS8_TRUE@am__append_53 = plugins/pkcs8/libstrongswan-pkcs8.la
+@USE_PKCS12_TRUE@am__append_54 = plugins/pkcs12
+@MONOLITHIC_TRUE@@USE_PKCS12_TRUE@am__append_55 = plugins/pkcs12/libstrongswan-pkcs12.la
+@USE_PGP_TRUE@am__append_56 = plugins/pgp
+@MONOLITHIC_TRUE@@USE_PGP_TRUE@am__append_57 = plugins/pgp/libstrongswan-pgp.la
+@USE_DNSKEY_TRUE@am__append_58 = plugins/dnskey
+@MONOLITHIC_TRUE@@USE_DNSKEY_TRUE@am__append_59 = plugins/dnskey/libstrongswan-dnskey.la
+@USE_SSHKEY_TRUE@am__append_60 = plugins/sshkey
+@MONOLITHIC_TRUE@@USE_SSHKEY_TRUE@am__append_61 = plugins/sshkey/libstrongswan-sshkey.la
+@USE_PEM_TRUE@am__append_62 = plugins/pem
+@MONOLITHIC_TRUE@@USE_PEM_TRUE@am__append_63 = plugins/pem/libstrongswan-pem.la
+@USE_CURL_TRUE@am__append_64 = plugins/curl
+@MONOLITHIC_TRUE@@USE_CURL_TRUE@am__append_65 = plugins/curl/libstrongswan-curl.la
+@USE_UNBOUND_TRUE@am__append_66 = plugins/unbound
+@MONOLITHIC_TRUE@@USE_UNBOUND_TRUE@am__append_67 = plugins/unbound/libstrongswan-unbound.la
+@USE_SOUP_TRUE@am__append_68 = plugins/soup
+@MONOLITHIC_TRUE@@USE_SOUP_TRUE@am__append_69 = plugins/soup/libstrongswan-soup.la
+@USE_LDAP_TRUE@am__append_70 = plugins/ldap
+@MONOLITHIC_TRUE@@USE_LDAP_TRUE@am__append_71 = plugins/ldap/libstrongswan-ldap.la
+@USE_MYSQL_TRUE@am__append_72 = plugins/mysql
+@MONOLITHIC_TRUE@@USE_MYSQL_TRUE@am__append_73 = plugins/mysql/libstrongswan-mysql.la
+@USE_SQLITE_TRUE@am__append_74 = plugins/sqlite
+@MONOLITHIC_TRUE@@USE_SQLITE_TRUE@am__append_75 = plugins/sqlite/libstrongswan-sqlite.la
+@USE_PADLOCK_TRUE@am__append_76 = plugins/padlock
+@MONOLITHIC_TRUE@@USE_PADLOCK_TRUE@am__append_77 = plugins/padlock/libstrongswan-padlock.la
+@USE_OPENSSL_TRUE@am__append_78 = plugins/openssl
+@MONOLITHIC_TRUE@@USE_OPENSSL_TRUE@am__append_79 = plugins/openssl/libstrongswan-openssl.la
+@USE_GCRYPT_TRUE@am__append_80 = plugins/gcrypt
+@MONOLITHIC_TRUE@@USE_GCRYPT_TRUE@am__append_81 = plugins/gcrypt/libstrongswan-gcrypt.la
+@USE_FIPS_PRF_TRUE@am__append_82 = plugins/fips_prf
+@MONOLITHIC_TRUE@@USE_FIPS_PRF_TRUE@am__append_83 = plugins/fips_prf/libstrongswan-fips-prf.la
+@USE_AGENT_TRUE@am__append_84 = plugins/agent
+@MONOLITHIC_TRUE@@USE_AGENT_TRUE@am__append_85 = plugins/agent/libstrongswan-agent.la
+@USE_KEYCHAIN_TRUE@am__append_86 = plugins/keychain
+@MONOLITHIC_TRUE@@USE_KEYCHAIN_TRUE@am__append_87 = plugins/keychain/libstrongswan-keychain.la
+@USE_PKCS11_TRUE@am__append_88 = plugins/pkcs11
+@MONOLITHIC_TRUE@@USE_PKCS11_TRUE@am__append_89 = plugins/pkcs11/libstrongswan-pkcs11.la
+@USE_CTR_TRUE@am__append_90 = plugins/ctr
+@MONOLITHIC_TRUE@@USE_CTR_TRUE@am__append_91 = plugins/ctr/libstrongswan-ctr.la
+@USE_CCM_TRUE@am__append_92 = plugins/ccm
+@MONOLITHIC_TRUE@@USE_CCM_TRUE@am__append_93 = plugins/ccm/libstrongswan-ccm.la
+@USE_GCM_TRUE@am__append_94 = plugins/gcm
+@MONOLITHIC_TRUE@@USE_GCM_TRUE@am__append_95 = plugins/gcm/libstrongswan-gcm.la
+@USE_TEST_VECTORS_TRUE@am__append_96 = plugins/test_vectors
+@MONOLITHIC_TRUE@@USE_TEST_VECTORS_TRUE@am__append_97 = plugins/test_vectors/libstrongswan-test-vectors.la
+@MONOLITHIC_TRUE@@UNITTESTS_TRUE@am__append_98 = .
+@UNITTESTS_TRUE@am__append_99 = tests
 subdir = src/libstrongswan
 DIST_COMMON = $(am__nobase_strongswan_include_HEADERS_DIST) \
 	$(srcdir)/Makefile.am $(srcdir)/Makefile.in
@@ -153,7 +163,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
@@ -195,38 +205,43 @@ libstrongswan_la_DEPENDENCIES = $(am__DEPENDENCIES_1) \
 	$(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \
 	$(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \
 	$(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \
-	$(am__DEPENDENCIES_1) $(am__append_9) $(am__append_11) \
-	$(am__append_13) $(am__append_15) $(am__append_17) \
-	$(am__append_19) $(am__append_21) $(am__append_23) \
-	$(am__append_25) $(am__append_27) $(am__append_29) \
-	$(am__append_31) $(am__append_33) $(am__append_35) \
-	$(am__append_37) $(am__append_39) $(am__append_41) \
-	$(am__append_43) $(am__append_45) $(am__append_47) \
-	$(am__append_49) $(am__append_51) $(am__append_53) \
-	$(am__append_55) $(am__append_57) $(am__append_59) \
-	$(am__append_61) $(am__append_63) $(am__append_65) \
-	$(am__append_67) $(am__append_69) $(am__append_71) \
-	$(am__append_73) $(am__append_75) $(am__append_77) \
-	$(am__append_79) $(am__append_81) $(am__append_83) \
-	$(am__append_85) $(am__append_87) $(am__append_89)
+	$(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) $(am__append_9) \
+	$(am__append_11) $(am__append_13) $(am__append_15) \
+	$(am__append_17) $(am__append_19) $(am__append_21) \
+	$(am__append_23) $(am__append_25) $(am__append_27) \
+	$(am__append_29) $(am__append_31) $(am__append_33) \
+	$(am__append_35) $(am__append_37) $(am__append_39) \
+	$(am__append_41) $(am__append_43) $(am__append_45) \
+	$(am__append_47) $(am__append_49) $(am__append_51) \
+	$(am__append_53) $(am__append_55) $(am__append_57) \
+	$(am__append_59) $(am__append_61) $(am__append_63) \
+	$(am__append_65) $(am__append_67) $(am__append_69) \
+	$(am__append_71) $(am__append_73) $(am__append_75) \
+	$(am__append_77) $(am__append_79) $(am__append_81) \
+	$(am__append_83) $(am__append_85) $(am__append_87) \
+	$(am__append_89) $(am__append_91) $(am__append_93) \
+	$(am__append_95) $(am__append_97)
 am__libstrongswan_la_SOURCES_DIST = library.c asn1/asn1.c \
 	asn1/asn1_parser.c asn1/oid.c bio/bio_reader.c \
 	bio/bio_writer.c collections/blocking_queue.c \
 	collections/enumerator.c collections/hashtable.c \
-	collections/linked_list.c crypto/crypters/crypter.c \
-	crypto/hashers/hasher.c crypto/proposal/proposal_keywords.c \
+	collections/array.c collections/linked_list.c \
+	crypto/crypters/crypter.c crypto/hashers/hasher.c \
+	crypto/proposal/proposal_keywords.c \
 	crypto/proposal/proposal_keywords_static.c crypto/prfs/prf.c \
-	crypto/prfs/mac_prf.c crypto/rngs/rng.c crypto/prf_plus.c \
-	crypto/signers/signer.c crypto/signers/mac_signer.c \
-	crypto/crypto_factory.c crypto/crypto_tester.c \
-	crypto/diffie_hellman.c crypto/aead.c crypto/transform.c \
-	credentials/credential_factory.c credentials/builder.c \
-	credentials/cred_encoding.c credentials/keys/private_key.c \
-	credentials/keys/public_key.c credentials/keys/shared_key.c \
+	crypto/prfs/mac_prf.c crypto/pkcs5.c crypto/rngs/rng.c \
+	crypto/prf_plus.c crypto/signers/signer.c \
+	crypto/signers/mac_signer.c crypto/crypto_factory.c \
+	crypto/crypto_tester.c crypto/diffie_hellman.c crypto/aead.c \
+	crypto/transform.c credentials/credential_factory.c \
+	credentials/builder.c credentials/cred_encoding.c \
+	credentials/keys/private_key.c credentials/keys/public_key.c \
+	credentials/keys/shared_key.c \
 	credentials/certificates/certificate.c \
 	credentials/certificates/crl.c \
 	credentials/certificates/ocsp_response.c \
 	credentials/containers/container.c \
+	credentials/containers/pkcs12.c \
 	credentials/ietf_attributes/ietf_attributes.c \
 	credentials/credential_manager.c \
 	credentials/sets/auth_cfg_wrapper.c \
@@ -237,10 +252,13 @@ am__libstrongswan_la_SOURCES_DIST = library.c asn1/asn1.c \
 	fetcher/fetcher.c fetcher/fetcher_manager.c eap/eap.c \
 	ipsec/ipsec_types.c networking/host.c \
 	networking/host_resolver.c networking/packet.c \
-	networking/tun_device.c pen/pen.c plugins/plugin_loader.c \
-	plugins/plugin_feature.c processing/jobs/job.c \
-	processing/jobs/callback_job.c processing/processor.c \
-	processing/scheduler.c resolver/resolver_manager.c \
+	networking/tun_device.c networking/streams/stream.c \
+	networking/streams/stream_service.c \
+	networking/streams/stream_manager.c pen/pen.c \
+	plugins/plugin_loader.c plugins/plugin_feature.c \
+	processing/jobs/job.c processing/jobs/callback_job.c \
+	processing/processor.c processing/scheduler.c \
+	processing/watcher.c resolver/resolver_manager.c \
 	resolver/rr_set.c selectors/traffic_selector.c \
 	threading/thread.c threading/thread_value.c threading/mutex.c \
 	threading/semaphore.c threading/rwlock.c threading/spinlock.c \
@@ -253,39 +271,56 @@ am__libstrongswan_la_SOURCES_DIST = library.c asn1/asn1.c \
 @USE_INTEGRITY_TEST_TRUE@am__objects_2 = integrity_checker.lo
 am_libstrongswan_la_OBJECTS = library.lo asn1.lo asn1_parser.lo oid.lo \
 	bio_reader.lo bio_writer.lo blocking_queue.lo enumerator.lo \
-	hashtable.lo linked_list.lo crypter.lo hasher.lo \
+	hashtable.lo array.lo linked_list.lo crypter.lo hasher.lo \
 	proposal_keywords.lo proposal_keywords_static.lo prf.lo \
-	mac_prf.lo rng.lo prf_plus.lo signer.lo mac_signer.lo \
+	mac_prf.lo pkcs5.lo rng.lo prf_plus.lo signer.lo mac_signer.lo \
 	crypto_factory.lo crypto_tester.lo diffie_hellman.lo aead.lo \
 	transform.lo credential_factory.lo builder.lo cred_encoding.lo \
 	private_key.lo public_key.lo shared_key.lo certificate.lo \
-	crl.lo ocsp_response.lo container.lo ietf_attributes.lo \
-	credential_manager.lo auth_cfg_wrapper.lo \
+	crl.lo ocsp_response.lo container.lo pkcs12.lo \
+	ietf_attributes.lo credential_manager.lo auth_cfg_wrapper.lo \
 	ocsp_response_wrapper.lo cert_cache.lo mem_cred.lo \
 	callback_cred.lo auth_cfg.lo database.lo database_factory.lo \
 	fetcher.lo fetcher_manager.lo eap.lo ipsec_types.lo host.lo \
-	host_resolver.lo packet.lo tun_device.lo pen.lo \
-	plugin_loader.lo plugin_feature.lo job.lo callback_job.lo \
-	processor.lo scheduler.lo resolver_manager.lo rr_set.lo \
+	host_resolver.lo packet.lo tun_device.lo stream.lo \
+	stream_service.lo stream_manager.lo pen.lo plugin_loader.lo \
+	plugin_feature.lo job.lo callback_job.lo processor.lo \
+	scheduler.lo watcher.lo resolver_manager.lo rr_set.lo \
 	traffic_selector.lo thread.lo thread_value.lo mutex.lo \
 	semaphore.lo rwlock.lo spinlock.lo utils.lo chunk.lo debug.lo \
 	enum.lo identification.lo lexparser.lo optionsfrom.lo \
 	capabilities.lo backtrace.lo printf_hook.lo settings.lo \
 	$(am__objects_1) $(am__objects_2)
 libstrongswan_la_OBJECTS = $(am_libstrongswan_la_OBJECTS)
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
 DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
 depcomp = $(SHELL) $(top_srcdir)/depcomp
 am__depfiles_maybe = depfiles
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
 SOURCES = $(libstrongswan_la_SOURCES)
 DIST_SOURCES = $(am__libstrongswan_la_SOURCES_DIST)
 RECURSIVE_TARGETS = all-recursive check-recursive dvi-recursive \
@@ -304,18 +339,18 @@ am__nobase_strongswan_include_HEADERS_DIST = library.h asn1/asn1.h \
 	asn1/asn1_parser.h asn1/oid.h bio/bio_reader.h \
 	bio/bio_writer.h collections/blocking_queue.h \
 	collections/enumerator.h collections/hashtable.h \
-	collections/linked_list.h crypto/crypters/crypter.h \
-	crypto/hashers/hasher.h crypto/mac.h \
+	collections/linked_list.h collections/array.h \
+	crypto/crypters/crypter.h crypto/hashers/hasher.h crypto/mac.h \
 	crypto/proposal/proposal_keywords.h \
 	crypto/proposal/proposal_keywords_static.h crypto/prfs/prf.h \
 	crypto/prfs/mac_prf.h crypto/rngs/rng.h crypto/nonce_gen.h \
 	crypto/prf_plus.h crypto/signers/signer.h \
 	crypto/signers/mac_signer.h crypto/crypto_factory.h \
 	crypto/crypto_tester.h crypto/diffie_hellman.h crypto/aead.h \
-	crypto/transform.h credentials/credential_factory.h \
-	credentials/builder.h credentials/cred_encoding.h \
-	credentials/keys/private_key.h credentials/keys/public_key.h \
-	credentials/keys/shared_key.h \
+	crypto/transform.h crypto/pkcs5.h \
+	credentials/credential_factory.h credentials/builder.h \
+	credentials/cred_encoding.h credentials/keys/private_key.h \
+	credentials/keys/public_key.h credentials/keys/shared_key.h \
 	credentials/certificates/certificate.h \
 	credentials/certificates/x509.h credentials/certificates/ac.h \
 	credentials/certificates/crl.h \
@@ -324,7 +359,7 @@ am__nobase_strongswan_include_HEADERS_DIST = library.h asn1/asn1.h \
 	credentials/certificates/ocsp_response.h \
 	credentials/certificates/pgp_certificate.h \
 	credentials/containers/container.h \
-	credentials/containers/pkcs7.h \
+	credentials/containers/pkcs7.h credentials/containers/pkcs12.h \
 	credentials/ietf_attributes/ietf_attributes.h \
 	credentials/credential_manager.h \
 	credentials/sets/auth_cfg_wrapper.h \
@@ -336,20 +371,23 @@ am__nobase_strongswan_include_HEADERS_DIST = library.h asn1/asn1.h \
 	fetcher/fetcher.h fetcher/fetcher_manager.h eap/eap.h \
 	pen/pen.h ipsec/ipsec_types.h networking/host.h \
 	networking/host_resolver.h networking/packet.h \
-	networking/tun_device.h resolver/resolver.h \
+	networking/tun_device.h networking/streams/stream.h \
+	networking/streams/stream_service.h \
+	networking/streams/stream_manager.h resolver/resolver.h \
 	resolver/resolver_response.h resolver/rr_set.h resolver/rr.h \
 	resolver/resolver_manager.h plugins/plugin_loader.h \
 	plugins/plugin.h plugins/plugin_feature.h \
 	processing/jobs/job.h processing/jobs/callback_job.h \
 	processing/processor.h processing/scheduler.h \
-	selectors/traffic_selector.h threading/thread.h \
-	threading/thread_value.h threading/mutex.h threading/condvar.h \
-	threading/spinlock.h threading/semaphore.h threading/rwlock.h \
-	threading/rwlock_condvar.h threading/lock_profiler.h \
-	utils/utils.h utils/chunk.h utils/debug.h utils/enum.h \
-	utils/identification.h utils/lexparser.h utils/optionsfrom.h \
-	utils/capabilities.h utils/backtrace.h utils/leak_detective.h \
-	utils/printf_hook.h utils/settings.h utils/integrity_checker.h
+	processing/watcher.h selectors/traffic_selector.h \
+	threading/thread.h threading/thread_value.h threading/mutex.h \
+	threading/condvar.h threading/spinlock.h threading/semaphore.h \
+	threading/rwlock.h threading/rwlock_condvar.h \
+	threading/lock_profiler.h utils/utils.h utils/chunk.h \
+	utils/debug.h utils/enum.h utils/identification.h \
+	utils/lexparser.h utils/optionsfrom.h utils/capabilities.h \
+	utils/backtrace.h utils/leak_detective.h utils/printf_hook.h \
+	utils/settings.h utils/integrity_checker.h
 HEADERS = $(nobase_strongswan_include_HEADERS)
 RECURSIVE_CLEAN_TARGETS = mostlyclean-recursive clean-recursive	\
   distclean-recursive maintainer-clean-recursive
@@ -359,16 +397,17 @@ AM_RECURSIVE_TARGETS = $(RECURSIVE_TARGETS:-recursive=) \
 ETAGS = etags
 CTAGS = ctags
 DIST_SUBDIRS = . plugins/af_alg plugins/aes plugins/des \
-	plugins/blowfish plugins/md4 plugins/md5 plugins/sha1 \
-	plugins/sha2 plugins/gmp plugins/rdrand plugins/random \
-	plugins/nonce plugins/hmac plugins/cmac plugins/xcbc \
-	plugins/x509 plugins/revocation plugins/constraints \
-	plugins/pubkey plugins/pkcs1 plugins/pkcs7 plugins/pkcs8 \
-	plugins/pgp plugins/dnskey plugins/pem plugins/curl \
-	plugins/unbound plugins/soup plugins/ldap plugins/mysql \
-	plugins/sqlite plugins/padlock plugins/openssl plugins/gcrypt \
-	plugins/fips_prf plugins/agent plugins/pkcs11 plugins/ctr \
-	plugins/ccm plugins/gcm plugins/test_vectors
+	plugins/blowfish plugins/rc2 plugins/md4 plugins/md5 \
+	plugins/sha1 plugins/sha2 plugins/gmp plugins/rdrand \
+	plugins/random plugins/nonce plugins/hmac plugins/cmac \
+	plugins/xcbc plugins/x509 plugins/revocation \
+	plugins/constraints plugins/pubkey plugins/pkcs1 plugins/pkcs7 \
+	plugins/pkcs8 plugins/pkcs12 plugins/pgp plugins/dnskey \
+	plugins/sshkey plugins/pem plugins/curl plugins/unbound \
+	plugins/soup plugins/ldap plugins/mysql plugins/sqlite \
+	plugins/padlock plugins/openssl plugins/gcrypt \
+	plugins/fips_prf plugins/agent plugins/keychain plugins/pkcs11 \
+	plugins/ctr plugins/ccm plugins/gcm plugins/test_vectors tests
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 am__relativize = \
   dir0=`pwd`; \
@@ -398,6 +437,7 @@ am__relativize = \
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
@@ -410,6 +450,8 @@ CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
 CHECK_CFLAGS = @CHECK_CFLAGS@
 CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -425,6 +467,7 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
 GPRBUILD = @GPRBUILD@
 GREP = @GREP@
@@ -433,6 +476,7 @@ INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -479,6 +523,7 @@ SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -507,6 +552,7 @@ charon_natt_port = @charon_natt_port@
 charon_plugins = @charon_plugins@
 charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
@@ -588,21 +634,23 @@ ipseclib_LTLIBRARIES = libstrongswan.la
 libstrongswan_la_SOURCES = library.c asn1/asn1.c asn1/asn1_parser.c \
 	asn1/oid.c bio/bio_reader.c bio/bio_writer.c \
 	collections/blocking_queue.c collections/enumerator.c \
-	collections/hashtable.c collections/linked_list.c \
-	crypto/crypters/crypter.c crypto/hashers/hasher.c \
-	crypto/proposal/proposal_keywords.c \
+	collections/hashtable.c collections/array.c \
+	collections/linked_list.c crypto/crypters/crypter.c \
+	crypto/hashers/hasher.c crypto/proposal/proposal_keywords.c \
 	crypto/proposal/proposal_keywords_static.c crypto/prfs/prf.c \
-	crypto/prfs/mac_prf.c crypto/rngs/rng.c crypto/prf_plus.c \
-	crypto/signers/signer.c crypto/signers/mac_signer.c \
-	crypto/crypto_factory.c crypto/crypto_tester.c \
-	crypto/diffie_hellman.c crypto/aead.c crypto/transform.c \
-	credentials/credential_factory.c credentials/builder.c \
-	credentials/cred_encoding.c credentials/keys/private_key.c \
-	credentials/keys/public_key.c credentials/keys/shared_key.c \
+	crypto/prfs/mac_prf.c crypto/pkcs5.c crypto/rngs/rng.c \
+	crypto/prf_plus.c crypto/signers/signer.c \
+	crypto/signers/mac_signer.c crypto/crypto_factory.c \
+	crypto/crypto_tester.c crypto/diffie_hellman.c crypto/aead.c \
+	crypto/transform.c credentials/credential_factory.c \
+	credentials/builder.c credentials/cred_encoding.c \
+	credentials/keys/private_key.c credentials/keys/public_key.c \
+	credentials/keys/shared_key.c \
 	credentials/certificates/certificate.c \
 	credentials/certificates/crl.c \
 	credentials/certificates/ocsp_response.c \
 	credentials/containers/container.c \
+	credentials/containers/pkcs12.c \
 	credentials/ietf_attributes/ietf_attributes.c \
 	credentials/credential_manager.c \
 	credentials/sets/auth_cfg_wrapper.c \
@@ -613,10 +661,13 @@ libstrongswan_la_SOURCES = library.c asn1/asn1.c asn1/asn1_parser.c \
 	fetcher/fetcher.c fetcher/fetcher_manager.c eap/eap.c \
 	ipsec/ipsec_types.c networking/host.c \
 	networking/host_resolver.c networking/packet.c \
-	networking/tun_device.c pen/pen.c plugins/plugin_loader.c \
-	plugins/plugin_feature.c processing/jobs/job.c \
-	processing/jobs/callback_job.c processing/processor.c \
-	processing/scheduler.c resolver/resolver_manager.c \
+	networking/tun_device.c networking/streams/stream.c \
+	networking/streams/stream_service.c \
+	networking/streams/stream_manager.c pen/pen.c \
+	plugins/plugin_loader.c plugins/plugin_feature.c \
+	processing/jobs/job.c processing/jobs/callback_job.c \
+	processing/processor.c processing/scheduler.c \
+	processing/watcher.c resolver/resolver_manager.c \
 	resolver/rr_set.c selectors/traffic_selector.c \
 	threading/thread.c threading/thread_value.c threading/mutex.c \
 	threading/semaphore.c threading/rwlock.c threading/spinlock.c \
@@ -629,13 +680,13 @@ libstrongswan_la_SOURCES = library.c asn1/asn1.c asn1/asn1_parser.c \
 @USE_DEV_HEADERS_TRUE@library.h \
 @USE_DEV_HEADERS_TRUE@asn1/asn1.h asn1/asn1_parser.h asn1/oid.h bio/bio_reader.h bio/bio_writer.h \
 @USE_DEV_HEADERS_TRUE@collections/blocking_queue.h collections/enumerator.h collections/hashtable.h \
-@USE_DEV_HEADERS_TRUE@collections/linked_list.h \
+@USE_DEV_HEADERS_TRUE@collections/linked_list.h collections/array.h \
 @USE_DEV_HEADERS_TRUE@crypto/crypters/crypter.h crypto/hashers/hasher.h crypto/mac.h \
 @USE_DEV_HEADERS_TRUE@crypto/proposal/proposal_keywords.h crypto/proposal/proposal_keywords_static.h \
 @USE_DEV_HEADERS_TRUE@crypto/prfs/prf.h crypto/prfs/mac_prf.h crypto/rngs/rng.h crypto/nonce_gen.h \
 @USE_DEV_HEADERS_TRUE@crypto/prf_plus.h crypto/signers/signer.h crypto/signers/mac_signer.h \
 @USE_DEV_HEADERS_TRUE@crypto/crypto_factory.h crypto/crypto_tester.h crypto/diffie_hellman.h \
-@USE_DEV_HEADERS_TRUE@crypto/aead.h crypto/transform.h \
+@USE_DEV_HEADERS_TRUE@crypto/aead.h crypto/transform.h crypto/pkcs5.h \
 @USE_DEV_HEADERS_TRUE@credentials/credential_factory.h credentials/builder.h \
 @USE_DEV_HEADERS_TRUE@credentials/cred_encoding.h credentials/keys/private_key.h \
 @USE_DEV_HEADERS_TRUE@credentials/keys/public_key.h credentials/keys/shared_key.h \
@@ -645,6 +696,7 @@ libstrongswan_la_SOURCES = library.c asn1/asn1.c asn1/asn1_parser.c \
 @USE_DEV_HEADERS_TRUE@credentials/certificates/ocsp_response.h \
 @USE_DEV_HEADERS_TRUE@credentials/certificates/pgp_certificate.h \
 @USE_DEV_HEADERS_TRUE@credentials/containers/container.h credentials/containers/pkcs7.h \
+@USE_DEV_HEADERS_TRUE@credentials/containers/pkcs12.h \
 @USE_DEV_HEADERS_TRUE@credentials/ietf_attributes/ietf_attributes.h \
 @USE_DEV_HEADERS_TRUE@credentials/credential_manager.h credentials/sets/auth_cfg_wrapper.h \
 @USE_DEV_HEADERS_TRUE@credentials/sets/ocsp_response_wrapper.h credentials/sets/cert_cache.h \
@@ -653,12 +705,13 @@ libstrongswan_la_SOURCES = library.c asn1/asn1.c asn1/asn1_parser.c \
 @USE_DEV_HEADERS_TRUE@database/database.h database/database_factory.h fetcher/fetcher.h \
 @USE_DEV_HEADERS_TRUE@fetcher/fetcher_manager.h eap/eap.h pen/pen.h ipsec/ipsec_types.h \
 @USE_DEV_HEADERS_TRUE@networking/host.h networking/host_resolver.h networking/packet.h \
-@USE_DEV_HEADERS_TRUE@networking/tun_device.h \
+@USE_DEV_HEADERS_TRUE@networking/tun_device.h networking/streams/stream.h \
+@USE_DEV_HEADERS_TRUE@networking/streams/stream_service.h networking/streams/stream_manager.h \
 @USE_DEV_HEADERS_TRUE@resolver/resolver.h resolver/resolver_response.h resolver/rr_set.h \
 @USE_DEV_HEADERS_TRUE@resolver/rr.h resolver/resolver_manager.h \
 @USE_DEV_HEADERS_TRUE@plugins/plugin_loader.h plugins/plugin.h plugins/plugin_feature.h \
 @USE_DEV_HEADERS_TRUE@processing/jobs/job.h processing/jobs/callback_job.h processing/processor.h \
-@USE_DEV_HEADERS_TRUE@processing/scheduler.h selectors/traffic_selector.h \
+@USE_DEV_HEADERS_TRUE@processing/scheduler.h processing/watcher.h selectors/traffic_selector.h \
 @USE_DEV_HEADERS_TRUE@threading/thread.h threading/thread_value.h \
 @USE_DEV_HEADERS_TRUE@threading/mutex.h threading/condvar.h threading/spinlock.h threading/semaphore.h \
 @USE_DEV_HEADERS_TRUE@threading/rwlock.h threading/rwlock_condvar.h threading/lock_profiler.h \
@@ -667,27 +720,31 @@ libstrongswan_la_SOURCES = library.c asn1/asn1.c asn1/asn1_parser.c \
 @USE_DEV_HEADERS_TRUE@utils/leak_detective.h utils/printf_hook.h utils/settings.h utils/integrity_checker.h
 
 libstrongswan_la_LIBADD = $(PTHREADLIB) $(DLLIB) $(BTLIB) $(SOCKLIB) \
-	$(RTLIB) $(BFDLIB) $(am__append_6) $(am__append_7) \
-	$(am__append_9) $(am__append_11) $(am__append_13) \
-	$(am__append_15) $(am__append_17) $(am__append_19) \
-	$(am__append_21) $(am__append_23) $(am__append_25) \
-	$(am__append_27) $(am__append_29) $(am__append_31) \
-	$(am__append_33) $(am__append_35) $(am__append_37) \
-	$(am__append_39) $(am__append_41) $(am__append_43) \
-	$(am__append_45) $(am__append_47) $(am__append_49) \
-	$(am__append_51) $(am__append_53) $(am__append_55) \
-	$(am__append_57) $(am__append_59) $(am__append_61) \
-	$(am__append_63) $(am__append_65) $(am__append_67) \
-	$(am__append_69) $(am__append_71) $(am__append_73) \
-	$(am__append_75) $(am__append_77) $(am__append_79) \
-	$(am__append_81) $(am__append_83) $(am__append_85) \
-	$(am__append_87) $(am__append_89)
-INCLUDES = -I$(top_srcdir)/src/libstrongswan
-AM_CFLAGS = -DIPSEC_DIR=\"${ipsecdir}\" \
-	-DIPSEC_LIB_DIR=\"${ipseclibdir}\" \
+	$(RTLIB) $(BFDLIB) $(UNWINDLIB) $(am__append_6) \
+	$(am__append_7) $(am__append_9) $(am__append_11) \
+	$(am__append_13) $(am__append_15) $(am__append_17) \
+	$(am__append_19) $(am__append_21) $(am__append_23) \
+	$(am__append_25) $(am__append_27) $(am__append_29) \
+	$(am__append_31) $(am__append_33) $(am__append_35) \
+	$(am__append_37) $(am__append_39) $(am__append_41) \
+	$(am__append_43) $(am__append_45) $(am__append_47) \
+	$(am__append_49) $(am__append_51) $(am__append_53) \
+	$(am__append_55) $(am__append_57) $(am__append_59) \
+	$(am__append_61) $(am__append_63) $(am__append_65) \
+	$(am__append_67) $(am__append_69) $(am__append_71) \
+	$(am__append_73) $(am__append_75) $(am__append_77) \
+	$(am__append_79) $(am__append_81) $(am__append_83) \
+	$(am__append_85) $(am__append_87) $(am__append_89) \
+	$(am__append_91) $(am__append_93) $(am__append_95) \
+	$(am__append_97)
+AM_CPPFLAGS = -I$(top_srcdir)/src/libstrongswan \
+	-DIPSEC_DIR=\"${ipsecdir}\" -DIPSEC_LIB_DIR=\"${ipseclibdir}\" \
 	-DPLUGINDIR=\"${plugindir}\" \
 	-DSTRONGSWAN_CONF=\"${strongswan_conf}\" $(am__append_1) \
 	$(am__append_3) $(am__append_4)
+AM_CFLAGS = \
+	@COVERAGE_CFLAGS@
+
 EXTRA_DIST = \
 asn1/oid.txt asn1/oid.pl \
 crypto/proposal/proposal_keywords_static.txt \
@@ -721,7 +778,10 @@ $(srcdir)/crypto/proposal/proposal_keywords_static.c
 @MONOLITHIC_FALSE@	$(am__append_76) $(am__append_78) \
 @MONOLITHIC_FALSE@	$(am__append_80) $(am__append_82) \
 @MONOLITHIC_FALSE@	$(am__append_84) $(am__append_86) \
-@MONOLITHIC_FALSE@	$(am__append_88)
+@MONOLITHIC_FALSE@	$(am__append_88) $(am__append_90) \
+@MONOLITHIC_FALSE@	$(am__append_92) $(am__append_94) \
+@MONOLITHIC_FALSE@	$(am__append_96) $(am__append_98) \
+@MONOLITHIC_FALSE@	$(am__append_99)
 
 # build plugins with their own Makefile
 #######################################
@@ -745,7 +805,10 @@ $(srcdir)/crypto/proposal/proposal_keywords_static.c
 @MONOLITHIC_TRUE@	$(am__append_76) $(am__append_78) \
 @MONOLITHIC_TRUE@	$(am__append_80) $(am__append_82) \
 @MONOLITHIC_TRUE@	$(am__append_84) $(am__append_86) \
-@MONOLITHIC_TRUE@	$(am__append_88)
+@MONOLITHIC_TRUE@	$(am__append_88) $(am__append_90) \
+@MONOLITHIC_TRUE@	$(am__append_92) $(am__append_94) \
+@MONOLITHIC_TRUE@	$(am__append_96) $(am__append_98) \
+@MONOLITHIC_TRUE@	$(am__append_99)
 all: $(BUILT_SOURCES)
 	$(MAKE) $(AM_MAKEFLAGS) all-recursive
 
@@ -814,7 +877,7 @@ clean-ipseclibLTLIBRARIES:
 	  rm -f "$${dir}/so_locations"; \
 	done
 libstrongswan.la: $(libstrongswan_la_OBJECTS) $(libstrongswan_la_DEPENDENCIES) $(EXTRA_libstrongswan_la_DEPENDENCIES) 
-	$(LINK) -rpath $(ipseclibdir) $(libstrongswan_la_OBJECTS) $(libstrongswan_la_LIBADD) $(LIBS)
+	$(AM_V_CCLD)$(LINK) -rpath $(ipseclibdir) $(libstrongswan_la_OBJECTS) $(libstrongswan_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -823,6 +886,7 @@ distclean-compile:
 	-rm -f *.tab.c
 
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/aead.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/array.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/asn1.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/asn1_parser.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/auth_cfg.Plo@am__quote@
@@ -878,6 +942,8 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/optionsfrom.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/packet.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pen.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pkcs12.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pkcs5.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/plugin_feature.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/plugin_loader.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/prf.Plo@am__quote@
@@ -898,600 +964,653 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/shared_key.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/signer.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/spinlock.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/stream.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/stream_manager.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/stream_service.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/thread.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/thread_value.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/traffic_selector.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/transform.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tun_device.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/utils.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/watcher.Plo@am__quote@
 
 .c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
 asn1.lo: asn1/asn1.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT asn1.lo -MD -MP -MF $(DEPDIR)/asn1.Tpo -c -o asn1.lo `test -f 'asn1/asn1.c' || echo '$(srcdir)/'`asn1/asn1.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/asn1.Tpo $(DEPDIR)/asn1.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='asn1/asn1.c' object='asn1.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT asn1.lo -MD -MP -MF $(DEPDIR)/asn1.Tpo -c -o asn1.lo `test -f 'asn1/asn1.c' || echo '$(srcdir)/'`asn1/asn1.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/asn1.Tpo $(DEPDIR)/asn1.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='asn1/asn1.c' object='asn1.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o asn1.lo `test -f 'asn1/asn1.c' || echo '$(srcdir)/'`asn1/asn1.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o asn1.lo `test -f 'asn1/asn1.c' || echo '$(srcdir)/'`asn1/asn1.c
 
 asn1_parser.lo: asn1/asn1_parser.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT asn1_parser.lo -MD -MP -MF $(DEPDIR)/asn1_parser.Tpo -c -o asn1_parser.lo `test -f 'asn1/asn1_parser.c' || echo '$(srcdir)/'`asn1/asn1_parser.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/asn1_parser.Tpo $(DEPDIR)/asn1_parser.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='asn1/asn1_parser.c' object='asn1_parser.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT asn1_parser.lo -MD -MP -MF $(DEPDIR)/asn1_parser.Tpo -c -o asn1_parser.lo `test -f 'asn1/asn1_parser.c' || echo '$(srcdir)/'`asn1/asn1_parser.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/asn1_parser.Tpo $(DEPDIR)/asn1_parser.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='asn1/asn1_parser.c' object='asn1_parser.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o asn1_parser.lo `test -f 'asn1/asn1_parser.c' || echo '$(srcdir)/'`asn1/asn1_parser.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o asn1_parser.lo `test -f 'asn1/asn1_parser.c' || echo '$(srcdir)/'`asn1/asn1_parser.c
 
 oid.lo: asn1/oid.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT oid.lo -MD -MP -MF $(DEPDIR)/oid.Tpo -c -o oid.lo `test -f 'asn1/oid.c' || echo '$(srcdir)/'`asn1/oid.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/oid.Tpo $(DEPDIR)/oid.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='asn1/oid.c' object='oid.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT oid.lo -MD -MP -MF $(DEPDIR)/oid.Tpo -c -o oid.lo `test -f 'asn1/oid.c' || echo '$(srcdir)/'`asn1/oid.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/oid.Tpo $(DEPDIR)/oid.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='asn1/oid.c' object='oid.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o oid.lo `test -f 'asn1/oid.c' || echo '$(srcdir)/'`asn1/oid.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o oid.lo `test -f 'asn1/oid.c' || echo '$(srcdir)/'`asn1/oid.c
 
 bio_reader.lo: bio/bio_reader.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT bio_reader.lo -MD -MP -MF $(DEPDIR)/bio_reader.Tpo -c -o bio_reader.lo `test -f 'bio/bio_reader.c' || echo '$(srcdir)/'`bio/bio_reader.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/bio_reader.Tpo $(DEPDIR)/bio_reader.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='bio/bio_reader.c' object='bio_reader.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT bio_reader.lo -MD -MP -MF $(DEPDIR)/bio_reader.Tpo -c -o bio_reader.lo `test -f 'bio/bio_reader.c' || echo '$(srcdir)/'`bio/bio_reader.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/bio_reader.Tpo $(DEPDIR)/bio_reader.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='bio/bio_reader.c' object='bio_reader.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o bio_reader.lo `test -f 'bio/bio_reader.c' || echo '$(srcdir)/'`bio/bio_reader.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o bio_reader.lo `test -f 'bio/bio_reader.c' || echo '$(srcdir)/'`bio/bio_reader.c
 
 bio_writer.lo: bio/bio_writer.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT bio_writer.lo -MD -MP -MF $(DEPDIR)/bio_writer.Tpo -c -o bio_writer.lo `test -f 'bio/bio_writer.c' || echo '$(srcdir)/'`bio/bio_writer.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/bio_writer.Tpo $(DEPDIR)/bio_writer.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='bio/bio_writer.c' object='bio_writer.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT bio_writer.lo -MD -MP -MF $(DEPDIR)/bio_writer.Tpo -c -o bio_writer.lo `test -f 'bio/bio_writer.c' || echo '$(srcdir)/'`bio/bio_writer.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/bio_writer.Tpo $(DEPDIR)/bio_writer.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='bio/bio_writer.c' object='bio_writer.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o bio_writer.lo `test -f 'bio/bio_writer.c' || echo '$(srcdir)/'`bio/bio_writer.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o bio_writer.lo `test -f 'bio/bio_writer.c' || echo '$(srcdir)/'`bio/bio_writer.c
 
 blocking_queue.lo: collections/blocking_queue.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT blocking_queue.lo -MD -MP -MF $(DEPDIR)/blocking_queue.Tpo -c -o blocking_queue.lo `test -f 'collections/blocking_queue.c' || echo '$(srcdir)/'`collections/blocking_queue.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/blocking_queue.Tpo $(DEPDIR)/blocking_queue.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='collections/blocking_queue.c' object='blocking_queue.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT blocking_queue.lo -MD -MP -MF $(DEPDIR)/blocking_queue.Tpo -c -o blocking_queue.lo `test -f 'collections/blocking_queue.c' || echo '$(srcdir)/'`collections/blocking_queue.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/blocking_queue.Tpo $(DEPDIR)/blocking_queue.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='collections/blocking_queue.c' object='blocking_queue.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o blocking_queue.lo `test -f 'collections/blocking_queue.c' || echo '$(srcdir)/'`collections/blocking_queue.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o blocking_queue.lo `test -f 'collections/blocking_queue.c' || echo '$(srcdir)/'`collections/blocking_queue.c
 
 enumerator.lo: collections/enumerator.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT enumerator.lo -MD -MP -MF $(DEPDIR)/enumerator.Tpo -c -o enumerator.lo `test -f 'collections/enumerator.c' || echo '$(srcdir)/'`collections/enumerator.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/enumerator.Tpo $(DEPDIR)/enumerator.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='collections/enumerator.c' object='enumerator.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT enumerator.lo -MD -MP -MF $(DEPDIR)/enumerator.Tpo -c -o enumerator.lo `test -f 'collections/enumerator.c' || echo '$(srcdir)/'`collections/enumerator.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/enumerator.Tpo $(DEPDIR)/enumerator.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='collections/enumerator.c' object='enumerator.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o enumerator.lo `test -f 'collections/enumerator.c' || echo '$(srcdir)/'`collections/enumerator.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o enumerator.lo `test -f 'collections/enumerator.c' || echo '$(srcdir)/'`collections/enumerator.c
 
 hashtable.lo: collections/hashtable.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT hashtable.lo -MD -MP -MF $(DEPDIR)/hashtable.Tpo -c -o hashtable.lo `test -f 'collections/hashtable.c' || echo '$(srcdir)/'`collections/hashtable.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/hashtable.Tpo $(DEPDIR)/hashtable.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='collections/hashtable.c' object='hashtable.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT hashtable.lo -MD -MP -MF $(DEPDIR)/hashtable.Tpo -c -o hashtable.lo `test -f 'collections/hashtable.c' || echo '$(srcdir)/'`collections/hashtable.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/hashtable.Tpo $(DEPDIR)/hashtable.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='collections/hashtable.c' object='hashtable.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o hashtable.lo `test -f 'collections/hashtable.c' || echo '$(srcdir)/'`collections/hashtable.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o hashtable.lo `test -f 'collections/hashtable.c' || echo '$(srcdir)/'`collections/hashtable.c
+
+array.lo: collections/array.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT array.lo -MD -MP -MF $(DEPDIR)/array.Tpo -c -o array.lo `test -f 'collections/array.c' || echo '$(srcdir)/'`collections/array.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/array.Tpo $(DEPDIR)/array.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='collections/array.c' object='array.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o array.lo `test -f 'collections/array.c' || echo '$(srcdir)/'`collections/array.c
 
 linked_list.lo: collections/linked_list.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT linked_list.lo -MD -MP -MF $(DEPDIR)/linked_list.Tpo -c -o linked_list.lo `test -f 'collections/linked_list.c' || echo '$(srcdir)/'`collections/linked_list.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/linked_list.Tpo $(DEPDIR)/linked_list.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='collections/linked_list.c' object='linked_list.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT linked_list.lo -MD -MP -MF $(DEPDIR)/linked_list.Tpo -c -o linked_list.lo `test -f 'collections/linked_list.c' || echo '$(srcdir)/'`collections/linked_list.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/linked_list.Tpo $(DEPDIR)/linked_list.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='collections/linked_list.c' object='linked_list.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o linked_list.lo `test -f 'collections/linked_list.c' || echo '$(srcdir)/'`collections/linked_list.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o linked_list.lo `test -f 'collections/linked_list.c' || echo '$(srcdir)/'`collections/linked_list.c
 
 crypter.lo: crypto/crypters/crypter.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT crypter.lo -MD -MP -MF $(DEPDIR)/crypter.Tpo -c -o crypter.lo `test -f 'crypto/crypters/crypter.c' || echo '$(srcdir)/'`crypto/crypters/crypter.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/crypter.Tpo $(DEPDIR)/crypter.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='crypto/crypters/crypter.c' object='crypter.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT crypter.lo -MD -MP -MF $(DEPDIR)/crypter.Tpo -c -o crypter.lo `test -f 'crypto/crypters/crypter.c' || echo '$(srcdir)/'`crypto/crypters/crypter.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/crypter.Tpo $(DEPDIR)/crypter.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='crypto/crypters/crypter.c' object='crypter.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o crypter.lo `test -f 'crypto/crypters/crypter.c' || echo '$(srcdir)/'`crypto/crypters/crypter.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o crypter.lo `test -f 'crypto/crypters/crypter.c' || echo '$(srcdir)/'`crypto/crypters/crypter.c
 
 hasher.lo: crypto/hashers/hasher.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT hasher.lo -MD -MP -MF $(DEPDIR)/hasher.Tpo -c -o hasher.lo `test -f 'crypto/hashers/hasher.c' || echo '$(srcdir)/'`crypto/hashers/hasher.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/hasher.Tpo $(DEPDIR)/hasher.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='crypto/hashers/hasher.c' object='hasher.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT hasher.lo -MD -MP -MF $(DEPDIR)/hasher.Tpo -c -o hasher.lo `test -f 'crypto/hashers/hasher.c' || echo '$(srcdir)/'`crypto/hashers/hasher.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/hasher.Tpo $(DEPDIR)/hasher.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='crypto/hashers/hasher.c' object='hasher.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o hasher.lo `test -f 'crypto/hashers/hasher.c' || echo '$(srcdir)/'`crypto/hashers/hasher.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o hasher.lo `test -f 'crypto/hashers/hasher.c' || echo '$(srcdir)/'`crypto/hashers/hasher.c
 
 proposal_keywords.lo: crypto/proposal/proposal_keywords.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT proposal_keywords.lo -MD -MP -MF $(DEPDIR)/proposal_keywords.Tpo -c -o proposal_keywords.lo `test -f 'crypto/proposal/proposal_keywords.c' || echo '$(srcdir)/'`crypto/proposal/proposal_keywords.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/proposal_keywords.Tpo $(DEPDIR)/proposal_keywords.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='crypto/proposal/proposal_keywords.c' object='proposal_keywords.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT proposal_keywords.lo -MD -MP -MF $(DEPDIR)/proposal_keywords.Tpo -c -o proposal_keywords.lo `test -f 'crypto/proposal/proposal_keywords.c' || echo '$(srcdir)/'`crypto/proposal/proposal_keywords.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/proposal_keywords.Tpo $(DEPDIR)/proposal_keywords.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='crypto/proposal/proposal_keywords.c' object='proposal_keywords.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o proposal_keywords.lo `test -f 'crypto/proposal/proposal_keywords.c' || echo '$(srcdir)/'`crypto/proposal/proposal_keywords.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o proposal_keywords.lo `test -f 'crypto/proposal/proposal_keywords.c' || echo '$(srcdir)/'`crypto/proposal/proposal_keywords.c
 
 proposal_keywords_static.lo: crypto/proposal/proposal_keywords_static.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT proposal_keywords_static.lo -MD -MP -MF $(DEPDIR)/proposal_keywords_static.Tpo -c -o proposal_keywords_static.lo `test -f 'crypto/proposal/proposal_keywords_static.c' || echo '$(srcdir)/'`crypto/proposal/proposal_keywords_static.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/proposal_keywords_static.Tpo $(DEPDIR)/proposal_keywords_static.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='crypto/proposal/proposal_keywords_static.c' object='proposal_keywords_static.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT proposal_keywords_static.lo -MD -MP -MF $(DEPDIR)/proposal_keywords_static.Tpo -c -o proposal_keywords_static.lo `test -f 'crypto/proposal/proposal_keywords_static.c' || echo '$(srcdir)/'`crypto/proposal/proposal_keywords_static.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/proposal_keywords_static.Tpo $(DEPDIR)/proposal_keywords_static.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='crypto/proposal/proposal_keywords_static.c' object='proposal_keywords_static.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o proposal_keywords_static.lo `test -f 'crypto/proposal/proposal_keywords_static.c' || echo '$(srcdir)/'`crypto/proposal/proposal_keywords_static.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o proposal_keywords_static.lo `test -f 'crypto/proposal/proposal_keywords_static.c' || echo '$(srcdir)/'`crypto/proposal/proposal_keywords_static.c
 
 prf.lo: crypto/prfs/prf.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT prf.lo -MD -MP -MF $(DEPDIR)/prf.Tpo -c -o prf.lo `test -f 'crypto/prfs/prf.c' || echo '$(srcdir)/'`crypto/prfs/prf.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/prf.Tpo $(DEPDIR)/prf.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='crypto/prfs/prf.c' object='prf.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT prf.lo -MD -MP -MF $(DEPDIR)/prf.Tpo -c -o prf.lo `test -f 'crypto/prfs/prf.c' || echo '$(srcdir)/'`crypto/prfs/prf.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/prf.Tpo $(DEPDIR)/prf.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='crypto/prfs/prf.c' object='prf.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o prf.lo `test -f 'crypto/prfs/prf.c' || echo '$(srcdir)/'`crypto/prfs/prf.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o prf.lo `test -f 'crypto/prfs/prf.c' || echo '$(srcdir)/'`crypto/prfs/prf.c
 
 mac_prf.lo: crypto/prfs/mac_prf.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT mac_prf.lo -MD -MP -MF $(DEPDIR)/mac_prf.Tpo -c -o mac_prf.lo `test -f 'crypto/prfs/mac_prf.c' || echo '$(srcdir)/'`crypto/prfs/mac_prf.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/mac_prf.Tpo $(DEPDIR)/mac_prf.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='crypto/prfs/mac_prf.c' object='mac_prf.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT mac_prf.lo -MD -MP -MF $(DEPDIR)/mac_prf.Tpo -c -o mac_prf.lo `test -f 'crypto/prfs/mac_prf.c' || echo '$(srcdir)/'`crypto/prfs/mac_prf.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/mac_prf.Tpo $(DEPDIR)/mac_prf.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='crypto/prfs/mac_prf.c' object='mac_prf.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o mac_prf.lo `test -f 'crypto/prfs/mac_prf.c' || echo '$(srcdir)/'`crypto/prfs/mac_prf.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o mac_prf.lo `test -f 'crypto/prfs/mac_prf.c' || echo '$(srcdir)/'`crypto/prfs/mac_prf.c
+
+pkcs5.lo: crypto/pkcs5.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT pkcs5.lo -MD -MP -MF $(DEPDIR)/pkcs5.Tpo -c -o pkcs5.lo `test -f 'crypto/pkcs5.c' || echo '$(srcdir)/'`crypto/pkcs5.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/pkcs5.Tpo $(DEPDIR)/pkcs5.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='crypto/pkcs5.c' object='pkcs5.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o pkcs5.lo `test -f 'crypto/pkcs5.c' || echo '$(srcdir)/'`crypto/pkcs5.c
 
 rng.lo: crypto/rngs/rng.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT rng.lo -MD -MP -MF $(DEPDIR)/rng.Tpo -c -o rng.lo `test -f 'crypto/rngs/rng.c' || echo '$(srcdir)/'`crypto/rngs/rng.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/rng.Tpo $(DEPDIR)/rng.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='crypto/rngs/rng.c' object='rng.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT rng.lo -MD -MP -MF $(DEPDIR)/rng.Tpo -c -o rng.lo `test -f 'crypto/rngs/rng.c' || echo '$(srcdir)/'`crypto/rngs/rng.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/rng.Tpo $(DEPDIR)/rng.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='crypto/rngs/rng.c' object='rng.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o rng.lo `test -f 'crypto/rngs/rng.c' || echo '$(srcdir)/'`crypto/rngs/rng.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o rng.lo `test -f 'crypto/rngs/rng.c' || echo '$(srcdir)/'`crypto/rngs/rng.c
 
 prf_plus.lo: crypto/prf_plus.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT prf_plus.lo -MD -MP -MF $(DEPDIR)/prf_plus.Tpo -c -o prf_plus.lo `test -f 'crypto/prf_plus.c' || echo '$(srcdir)/'`crypto/prf_plus.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/prf_plus.Tpo $(DEPDIR)/prf_plus.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='crypto/prf_plus.c' object='prf_plus.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT prf_plus.lo -MD -MP -MF $(DEPDIR)/prf_plus.Tpo -c -o prf_plus.lo `test -f 'crypto/prf_plus.c' || echo '$(srcdir)/'`crypto/prf_plus.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/prf_plus.Tpo $(DEPDIR)/prf_plus.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='crypto/prf_plus.c' object='prf_plus.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o prf_plus.lo `test -f 'crypto/prf_plus.c' || echo '$(srcdir)/'`crypto/prf_plus.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o prf_plus.lo `test -f 'crypto/prf_plus.c' || echo '$(srcdir)/'`crypto/prf_plus.c
 
 signer.lo: crypto/signers/signer.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT signer.lo -MD -MP -MF $(DEPDIR)/signer.Tpo -c -o signer.lo `test -f 'crypto/signers/signer.c' || echo '$(srcdir)/'`crypto/signers/signer.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/signer.Tpo $(DEPDIR)/signer.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='crypto/signers/signer.c' object='signer.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT signer.lo -MD -MP -MF $(DEPDIR)/signer.Tpo -c -o signer.lo `test -f 'crypto/signers/signer.c' || echo '$(srcdir)/'`crypto/signers/signer.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/signer.Tpo $(DEPDIR)/signer.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='crypto/signers/signer.c' object='signer.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o signer.lo `test -f 'crypto/signers/signer.c' || echo '$(srcdir)/'`crypto/signers/signer.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o signer.lo `test -f 'crypto/signers/signer.c' || echo '$(srcdir)/'`crypto/signers/signer.c
 
 mac_signer.lo: crypto/signers/mac_signer.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT mac_signer.lo -MD -MP -MF $(DEPDIR)/mac_signer.Tpo -c -o mac_signer.lo `test -f 'crypto/signers/mac_signer.c' || echo '$(srcdir)/'`crypto/signers/mac_signer.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/mac_signer.Tpo $(DEPDIR)/mac_signer.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='crypto/signers/mac_signer.c' object='mac_signer.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT mac_signer.lo -MD -MP -MF $(DEPDIR)/mac_signer.Tpo -c -o mac_signer.lo `test -f 'crypto/signers/mac_signer.c' || echo '$(srcdir)/'`crypto/signers/mac_signer.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/mac_signer.Tpo $(DEPDIR)/mac_signer.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='crypto/signers/mac_signer.c' object='mac_signer.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o mac_signer.lo `test -f 'crypto/signers/mac_signer.c' || echo '$(srcdir)/'`crypto/signers/mac_signer.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o mac_signer.lo `test -f 'crypto/signers/mac_signer.c' || echo '$(srcdir)/'`crypto/signers/mac_signer.c
 
 crypto_factory.lo: crypto/crypto_factory.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT crypto_factory.lo -MD -MP -MF $(DEPDIR)/crypto_factory.Tpo -c -o crypto_factory.lo `test -f 'crypto/crypto_factory.c' || echo '$(srcdir)/'`crypto/crypto_factory.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/crypto_factory.Tpo $(DEPDIR)/crypto_factory.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='crypto/crypto_factory.c' object='crypto_factory.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT crypto_factory.lo -MD -MP -MF $(DEPDIR)/crypto_factory.Tpo -c -o crypto_factory.lo `test -f 'crypto/crypto_factory.c' || echo '$(srcdir)/'`crypto/crypto_factory.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/crypto_factory.Tpo $(DEPDIR)/crypto_factory.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='crypto/crypto_factory.c' object='crypto_factory.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o crypto_factory.lo `test -f 'crypto/crypto_factory.c' || echo '$(srcdir)/'`crypto/crypto_factory.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o crypto_factory.lo `test -f 'crypto/crypto_factory.c' || echo '$(srcdir)/'`crypto/crypto_factory.c
 
 crypto_tester.lo: crypto/crypto_tester.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT crypto_tester.lo -MD -MP -MF $(DEPDIR)/crypto_tester.Tpo -c -o crypto_tester.lo `test -f 'crypto/crypto_tester.c' || echo '$(srcdir)/'`crypto/crypto_tester.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/crypto_tester.Tpo $(DEPDIR)/crypto_tester.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='crypto/crypto_tester.c' object='crypto_tester.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT crypto_tester.lo -MD -MP -MF $(DEPDIR)/crypto_tester.Tpo -c -o crypto_tester.lo `test -f 'crypto/crypto_tester.c' || echo '$(srcdir)/'`crypto/crypto_tester.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/crypto_tester.Tpo $(DEPDIR)/crypto_tester.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='crypto/crypto_tester.c' object='crypto_tester.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o crypto_tester.lo `test -f 'crypto/crypto_tester.c' || echo '$(srcdir)/'`crypto/crypto_tester.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o crypto_tester.lo `test -f 'crypto/crypto_tester.c' || echo '$(srcdir)/'`crypto/crypto_tester.c
 
 diffie_hellman.lo: crypto/diffie_hellman.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT diffie_hellman.lo -MD -MP -MF $(DEPDIR)/diffie_hellman.Tpo -c -o diffie_hellman.lo `test -f 'crypto/diffie_hellman.c' || echo '$(srcdir)/'`crypto/diffie_hellman.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/diffie_hellman.Tpo $(DEPDIR)/diffie_hellman.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='crypto/diffie_hellman.c' object='diffie_hellman.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT diffie_hellman.lo -MD -MP -MF $(DEPDIR)/diffie_hellman.Tpo -c -o diffie_hellman.lo `test -f 'crypto/diffie_hellman.c' || echo '$(srcdir)/'`crypto/diffie_hellman.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/diffie_hellman.Tpo $(DEPDIR)/diffie_hellman.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='crypto/diffie_hellman.c' object='diffie_hellman.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o diffie_hellman.lo `test -f 'crypto/diffie_hellman.c' || echo '$(srcdir)/'`crypto/diffie_hellman.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o diffie_hellman.lo `test -f 'crypto/diffie_hellman.c' || echo '$(srcdir)/'`crypto/diffie_hellman.c
 
 aead.lo: crypto/aead.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT aead.lo -MD -MP -MF $(DEPDIR)/aead.Tpo -c -o aead.lo `test -f 'crypto/aead.c' || echo '$(srcdir)/'`crypto/aead.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/aead.Tpo $(DEPDIR)/aead.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='crypto/aead.c' object='aead.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT aead.lo -MD -MP -MF $(DEPDIR)/aead.Tpo -c -o aead.lo `test -f 'crypto/aead.c' || echo '$(srcdir)/'`crypto/aead.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/aead.Tpo $(DEPDIR)/aead.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='crypto/aead.c' object='aead.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o aead.lo `test -f 'crypto/aead.c' || echo '$(srcdir)/'`crypto/aead.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o aead.lo `test -f 'crypto/aead.c' || echo '$(srcdir)/'`crypto/aead.c
 
 transform.lo: crypto/transform.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT transform.lo -MD -MP -MF $(DEPDIR)/transform.Tpo -c -o transform.lo `test -f 'crypto/transform.c' || echo '$(srcdir)/'`crypto/transform.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/transform.Tpo $(DEPDIR)/transform.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='crypto/transform.c' object='transform.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT transform.lo -MD -MP -MF $(DEPDIR)/transform.Tpo -c -o transform.lo `test -f 'crypto/transform.c' || echo '$(srcdir)/'`crypto/transform.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/transform.Tpo $(DEPDIR)/transform.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='crypto/transform.c' object='transform.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o transform.lo `test -f 'crypto/transform.c' || echo '$(srcdir)/'`crypto/transform.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o transform.lo `test -f 'crypto/transform.c' || echo '$(srcdir)/'`crypto/transform.c
 
 credential_factory.lo: credentials/credential_factory.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT credential_factory.lo -MD -MP -MF $(DEPDIR)/credential_factory.Tpo -c -o credential_factory.lo `test -f 'credentials/credential_factory.c' || echo '$(srcdir)/'`credentials/credential_factory.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/credential_factory.Tpo $(DEPDIR)/credential_factory.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='credentials/credential_factory.c' object='credential_factory.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT credential_factory.lo -MD -MP -MF $(DEPDIR)/credential_factory.Tpo -c -o credential_factory.lo `test -f 'credentials/credential_factory.c' || echo '$(srcdir)/'`credentials/credential_factory.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/credential_factory.Tpo $(DEPDIR)/credential_factory.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='credentials/credential_factory.c' object='credential_factory.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o credential_factory.lo `test -f 'credentials/credential_factory.c' || echo '$(srcdir)/'`credentials/credential_factory.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o credential_factory.lo `test -f 'credentials/credential_factory.c' || echo '$(srcdir)/'`credentials/credential_factory.c
 
 builder.lo: credentials/builder.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT builder.lo -MD -MP -MF $(DEPDIR)/builder.Tpo -c -o builder.lo `test -f 'credentials/builder.c' || echo '$(srcdir)/'`credentials/builder.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/builder.Tpo $(DEPDIR)/builder.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='credentials/builder.c' object='builder.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT builder.lo -MD -MP -MF $(DEPDIR)/builder.Tpo -c -o builder.lo `test -f 'credentials/builder.c' || echo '$(srcdir)/'`credentials/builder.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/builder.Tpo $(DEPDIR)/builder.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='credentials/builder.c' object='builder.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o builder.lo `test -f 'credentials/builder.c' || echo '$(srcdir)/'`credentials/builder.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o builder.lo `test -f 'credentials/builder.c' || echo '$(srcdir)/'`credentials/builder.c
 
 cred_encoding.lo: credentials/cred_encoding.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT cred_encoding.lo -MD -MP -MF $(DEPDIR)/cred_encoding.Tpo -c -o cred_encoding.lo `test -f 'credentials/cred_encoding.c' || echo '$(srcdir)/'`credentials/cred_encoding.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/cred_encoding.Tpo $(DEPDIR)/cred_encoding.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='credentials/cred_encoding.c' object='cred_encoding.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT cred_encoding.lo -MD -MP -MF $(DEPDIR)/cred_encoding.Tpo -c -o cred_encoding.lo `test -f 'credentials/cred_encoding.c' || echo '$(srcdir)/'`credentials/cred_encoding.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/cred_encoding.Tpo $(DEPDIR)/cred_encoding.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='credentials/cred_encoding.c' object='cred_encoding.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o cred_encoding.lo `test -f 'credentials/cred_encoding.c' || echo '$(srcdir)/'`credentials/cred_encoding.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o cred_encoding.lo `test -f 'credentials/cred_encoding.c' || echo '$(srcdir)/'`credentials/cred_encoding.c
 
 private_key.lo: credentials/keys/private_key.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT private_key.lo -MD -MP -MF $(DEPDIR)/private_key.Tpo -c -o private_key.lo `test -f 'credentials/keys/private_key.c' || echo '$(srcdir)/'`credentials/keys/private_key.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/private_key.Tpo $(DEPDIR)/private_key.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='credentials/keys/private_key.c' object='private_key.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT private_key.lo -MD -MP -MF $(DEPDIR)/private_key.Tpo -c -o private_key.lo `test -f 'credentials/keys/private_key.c' || echo '$(srcdir)/'`credentials/keys/private_key.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/private_key.Tpo $(DEPDIR)/private_key.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='credentials/keys/private_key.c' object='private_key.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o private_key.lo `test -f 'credentials/keys/private_key.c' || echo '$(srcdir)/'`credentials/keys/private_key.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o private_key.lo `test -f 'credentials/keys/private_key.c' || echo '$(srcdir)/'`credentials/keys/private_key.c
 
 public_key.lo: credentials/keys/public_key.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT public_key.lo -MD -MP -MF $(DEPDIR)/public_key.Tpo -c -o public_key.lo `test -f 'credentials/keys/public_key.c' || echo '$(srcdir)/'`credentials/keys/public_key.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/public_key.Tpo $(DEPDIR)/public_key.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='credentials/keys/public_key.c' object='public_key.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT public_key.lo -MD -MP -MF $(DEPDIR)/public_key.Tpo -c -o public_key.lo `test -f 'credentials/keys/public_key.c' || echo '$(srcdir)/'`credentials/keys/public_key.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/public_key.Tpo $(DEPDIR)/public_key.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='credentials/keys/public_key.c' object='public_key.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o public_key.lo `test -f 'credentials/keys/public_key.c' || echo '$(srcdir)/'`credentials/keys/public_key.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o public_key.lo `test -f 'credentials/keys/public_key.c' || echo '$(srcdir)/'`credentials/keys/public_key.c
 
 shared_key.lo: credentials/keys/shared_key.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT shared_key.lo -MD -MP -MF $(DEPDIR)/shared_key.Tpo -c -o shared_key.lo `test -f 'credentials/keys/shared_key.c' || echo '$(srcdir)/'`credentials/keys/shared_key.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/shared_key.Tpo $(DEPDIR)/shared_key.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='credentials/keys/shared_key.c' object='shared_key.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT shared_key.lo -MD -MP -MF $(DEPDIR)/shared_key.Tpo -c -o shared_key.lo `test -f 'credentials/keys/shared_key.c' || echo '$(srcdir)/'`credentials/keys/shared_key.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/shared_key.Tpo $(DEPDIR)/shared_key.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='credentials/keys/shared_key.c' object='shared_key.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o shared_key.lo `test -f 'credentials/keys/shared_key.c' || echo '$(srcdir)/'`credentials/keys/shared_key.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o shared_key.lo `test -f 'credentials/keys/shared_key.c' || echo '$(srcdir)/'`credentials/keys/shared_key.c
 
 certificate.lo: credentials/certificates/certificate.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT certificate.lo -MD -MP -MF $(DEPDIR)/certificate.Tpo -c -o certificate.lo `test -f 'credentials/certificates/certificate.c' || echo '$(srcdir)/'`credentials/certificates/certificate.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/certificate.Tpo $(DEPDIR)/certificate.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='credentials/certificates/certificate.c' object='certificate.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT certificate.lo -MD -MP -MF $(DEPDIR)/certificate.Tpo -c -o certificate.lo `test -f 'credentials/certificates/certificate.c' || echo '$(srcdir)/'`credentials/certificates/certificate.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/certificate.Tpo $(DEPDIR)/certificate.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='credentials/certificates/certificate.c' object='certificate.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o certificate.lo `test -f 'credentials/certificates/certificate.c' || echo '$(srcdir)/'`credentials/certificates/certificate.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o certificate.lo `test -f 'credentials/certificates/certificate.c' || echo '$(srcdir)/'`credentials/certificates/certificate.c
 
 crl.lo: credentials/certificates/crl.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT crl.lo -MD -MP -MF $(DEPDIR)/crl.Tpo -c -o crl.lo `test -f 'credentials/certificates/crl.c' || echo '$(srcdir)/'`credentials/certificates/crl.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/crl.Tpo $(DEPDIR)/crl.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='credentials/certificates/crl.c' object='crl.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT crl.lo -MD -MP -MF $(DEPDIR)/crl.Tpo -c -o crl.lo `test -f 'credentials/certificates/crl.c' || echo '$(srcdir)/'`credentials/certificates/crl.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/crl.Tpo $(DEPDIR)/crl.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='credentials/certificates/crl.c' object='crl.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o crl.lo `test -f 'credentials/certificates/crl.c' || echo '$(srcdir)/'`credentials/certificates/crl.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o crl.lo `test -f 'credentials/certificates/crl.c' || echo '$(srcdir)/'`credentials/certificates/crl.c
 
 ocsp_response.lo: credentials/certificates/ocsp_response.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ocsp_response.lo -MD -MP -MF $(DEPDIR)/ocsp_response.Tpo -c -o ocsp_response.lo `test -f 'credentials/certificates/ocsp_response.c' || echo '$(srcdir)/'`credentials/certificates/ocsp_response.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/ocsp_response.Tpo $(DEPDIR)/ocsp_response.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='credentials/certificates/ocsp_response.c' object='ocsp_response.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ocsp_response.lo -MD -MP -MF $(DEPDIR)/ocsp_response.Tpo -c -o ocsp_response.lo `test -f 'credentials/certificates/ocsp_response.c' || echo '$(srcdir)/'`credentials/certificates/ocsp_response.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/ocsp_response.Tpo $(DEPDIR)/ocsp_response.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='credentials/certificates/ocsp_response.c' object='ocsp_response.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ocsp_response.lo `test -f 'credentials/certificates/ocsp_response.c' || echo '$(srcdir)/'`credentials/certificates/ocsp_response.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ocsp_response.lo `test -f 'credentials/certificates/ocsp_response.c' || echo '$(srcdir)/'`credentials/certificates/ocsp_response.c
 
 container.lo: credentials/containers/container.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT container.lo -MD -MP -MF $(DEPDIR)/container.Tpo -c -o container.lo `test -f 'credentials/containers/container.c' || echo '$(srcdir)/'`credentials/containers/container.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/container.Tpo $(DEPDIR)/container.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='credentials/containers/container.c' object='container.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT container.lo -MD -MP -MF $(DEPDIR)/container.Tpo -c -o container.lo `test -f 'credentials/containers/container.c' || echo '$(srcdir)/'`credentials/containers/container.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/container.Tpo $(DEPDIR)/container.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='credentials/containers/container.c' object='container.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o container.lo `test -f 'credentials/containers/container.c' || echo '$(srcdir)/'`credentials/containers/container.c
+
+pkcs12.lo: credentials/containers/pkcs12.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT pkcs12.lo -MD -MP -MF $(DEPDIR)/pkcs12.Tpo -c -o pkcs12.lo `test -f 'credentials/containers/pkcs12.c' || echo '$(srcdir)/'`credentials/containers/pkcs12.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/pkcs12.Tpo $(DEPDIR)/pkcs12.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='credentials/containers/pkcs12.c' object='pkcs12.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o container.lo `test -f 'credentials/containers/container.c' || echo '$(srcdir)/'`credentials/containers/container.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o pkcs12.lo `test -f 'credentials/containers/pkcs12.c' || echo '$(srcdir)/'`credentials/containers/pkcs12.c
 
 ietf_attributes.lo: credentials/ietf_attributes/ietf_attributes.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ietf_attributes.lo -MD -MP -MF $(DEPDIR)/ietf_attributes.Tpo -c -o ietf_attributes.lo `test -f 'credentials/ietf_attributes/ietf_attributes.c' || echo '$(srcdir)/'`credentials/ietf_attributes/ietf_attributes.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/ietf_attributes.Tpo $(DEPDIR)/ietf_attributes.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='credentials/ietf_attributes/ietf_attributes.c' object='ietf_attributes.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ietf_attributes.lo -MD -MP -MF $(DEPDIR)/ietf_attributes.Tpo -c -o ietf_attributes.lo `test -f 'credentials/ietf_attributes/ietf_attributes.c' || echo '$(srcdir)/'`credentials/ietf_attributes/ietf_attributes.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/ietf_attributes.Tpo $(DEPDIR)/ietf_attributes.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='credentials/ietf_attributes/ietf_attributes.c' object='ietf_attributes.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ietf_attributes.lo `test -f 'credentials/ietf_attributes/ietf_attributes.c' || echo '$(srcdir)/'`credentials/ietf_attributes/ietf_attributes.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ietf_attributes.lo `test -f 'credentials/ietf_attributes/ietf_attributes.c' || echo '$(srcdir)/'`credentials/ietf_attributes/ietf_attributes.c
 
 credential_manager.lo: credentials/credential_manager.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT credential_manager.lo -MD -MP -MF $(DEPDIR)/credential_manager.Tpo -c -o credential_manager.lo `test -f 'credentials/credential_manager.c' || echo '$(srcdir)/'`credentials/credential_manager.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/credential_manager.Tpo $(DEPDIR)/credential_manager.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='credentials/credential_manager.c' object='credential_manager.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT credential_manager.lo -MD -MP -MF $(DEPDIR)/credential_manager.Tpo -c -o credential_manager.lo `test -f 'credentials/credential_manager.c' || echo '$(srcdir)/'`credentials/credential_manager.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/credential_manager.Tpo $(DEPDIR)/credential_manager.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='credentials/credential_manager.c' object='credential_manager.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o credential_manager.lo `test -f 'credentials/credential_manager.c' || echo '$(srcdir)/'`credentials/credential_manager.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o credential_manager.lo `test -f 'credentials/credential_manager.c' || echo '$(srcdir)/'`credentials/credential_manager.c
 
 auth_cfg_wrapper.lo: credentials/sets/auth_cfg_wrapper.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT auth_cfg_wrapper.lo -MD -MP -MF $(DEPDIR)/auth_cfg_wrapper.Tpo -c -o auth_cfg_wrapper.lo `test -f 'credentials/sets/auth_cfg_wrapper.c' || echo '$(srcdir)/'`credentials/sets/auth_cfg_wrapper.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/auth_cfg_wrapper.Tpo $(DEPDIR)/auth_cfg_wrapper.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='credentials/sets/auth_cfg_wrapper.c' object='auth_cfg_wrapper.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT auth_cfg_wrapper.lo -MD -MP -MF $(DEPDIR)/auth_cfg_wrapper.Tpo -c -o auth_cfg_wrapper.lo `test -f 'credentials/sets/auth_cfg_wrapper.c' || echo '$(srcdir)/'`credentials/sets/auth_cfg_wrapper.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/auth_cfg_wrapper.Tpo $(DEPDIR)/auth_cfg_wrapper.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='credentials/sets/auth_cfg_wrapper.c' object='auth_cfg_wrapper.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o auth_cfg_wrapper.lo `test -f 'credentials/sets/auth_cfg_wrapper.c' || echo '$(srcdir)/'`credentials/sets/auth_cfg_wrapper.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o auth_cfg_wrapper.lo `test -f 'credentials/sets/auth_cfg_wrapper.c' || echo '$(srcdir)/'`credentials/sets/auth_cfg_wrapper.c
 
 ocsp_response_wrapper.lo: credentials/sets/ocsp_response_wrapper.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ocsp_response_wrapper.lo -MD -MP -MF $(DEPDIR)/ocsp_response_wrapper.Tpo -c -o ocsp_response_wrapper.lo `test -f 'credentials/sets/ocsp_response_wrapper.c' || echo '$(srcdir)/'`credentials/sets/ocsp_response_wrapper.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/ocsp_response_wrapper.Tpo $(DEPDIR)/ocsp_response_wrapper.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='credentials/sets/ocsp_response_wrapper.c' object='ocsp_response_wrapper.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ocsp_response_wrapper.lo -MD -MP -MF $(DEPDIR)/ocsp_response_wrapper.Tpo -c -o ocsp_response_wrapper.lo `test -f 'credentials/sets/ocsp_response_wrapper.c' || echo '$(srcdir)/'`credentials/sets/ocsp_response_wrapper.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/ocsp_response_wrapper.Tpo $(DEPDIR)/ocsp_response_wrapper.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='credentials/sets/ocsp_response_wrapper.c' object='ocsp_response_wrapper.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ocsp_response_wrapper.lo `test -f 'credentials/sets/ocsp_response_wrapper.c' || echo '$(srcdir)/'`credentials/sets/ocsp_response_wrapper.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ocsp_response_wrapper.lo `test -f 'credentials/sets/ocsp_response_wrapper.c' || echo '$(srcdir)/'`credentials/sets/ocsp_response_wrapper.c
 
 cert_cache.lo: credentials/sets/cert_cache.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT cert_cache.lo -MD -MP -MF $(DEPDIR)/cert_cache.Tpo -c -o cert_cache.lo `test -f 'credentials/sets/cert_cache.c' || echo '$(srcdir)/'`credentials/sets/cert_cache.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/cert_cache.Tpo $(DEPDIR)/cert_cache.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='credentials/sets/cert_cache.c' object='cert_cache.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT cert_cache.lo -MD -MP -MF $(DEPDIR)/cert_cache.Tpo -c -o cert_cache.lo `test -f 'credentials/sets/cert_cache.c' || echo '$(srcdir)/'`credentials/sets/cert_cache.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/cert_cache.Tpo $(DEPDIR)/cert_cache.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='credentials/sets/cert_cache.c' object='cert_cache.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o cert_cache.lo `test -f 'credentials/sets/cert_cache.c' || echo '$(srcdir)/'`credentials/sets/cert_cache.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o cert_cache.lo `test -f 'credentials/sets/cert_cache.c' || echo '$(srcdir)/'`credentials/sets/cert_cache.c
 
 mem_cred.lo: credentials/sets/mem_cred.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT mem_cred.lo -MD -MP -MF $(DEPDIR)/mem_cred.Tpo -c -o mem_cred.lo `test -f 'credentials/sets/mem_cred.c' || echo '$(srcdir)/'`credentials/sets/mem_cred.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/mem_cred.Tpo $(DEPDIR)/mem_cred.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='credentials/sets/mem_cred.c' object='mem_cred.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT mem_cred.lo -MD -MP -MF $(DEPDIR)/mem_cred.Tpo -c -o mem_cred.lo `test -f 'credentials/sets/mem_cred.c' || echo '$(srcdir)/'`credentials/sets/mem_cred.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/mem_cred.Tpo $(DEPDIR)/mem_cred.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='credentials/sets/mem_cred.c' object='mem_cred.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o mem_cred.lo `test -f 'credentials/sets/mem_cred.c' || echo '$(srcdir)/'`credentials/sets/mem_cred.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o mem_cred.lo `test -f 'credentials/sets/mem_cred.c' || echo '$(srcdir)/'`credentials/sets/mem_cred.c
 
 callback_cred.lo: credentials/sets/callback_cred.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT callback_cred.lo -MD -MP -MF $(DEPDIR)/callback_cred.Tpo -c -o callback_cred.lo `test -f 'credentials/sets/callback_cred.c' || echo '$(srcdir)/'`credentials/sets/callback_cred.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/callback_cred.Tpo $(DEPDIR)/callback_cred.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='credentials/sets/callback_cred.c' object='callback_cred.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT callback_cred.lo -MD -MP -MF $(DEPDIR)/callback_cred.Tpo -c -o callback_cred.lo `test -f 'credentials/sets/callback_cred.c' || echo '$(srcdir)/'`credentials/sets/callback_cred.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/callback_cred.Tpo $(DEPDIR)/callback_cred.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='credentials/sets/callback_cred.c' object='callback_cred.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o callback_cred.lo `test -f 'credentials/sets/callback_cred.c' || echo '$(srcdir)/'`credentials/sets/callback_cred.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o callback_cred.lo `test -f 'credentials/sets/callback_cred.c' || echo '$(srcdir)/'`credentials/sets/callback_cred.c
 
 auth_cfg.lo: credentials/auth_cfg.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT auth_cfg.lo -MD -MP -MF $(DEPDIR)/auth_cfg.Tpo -c -o auth_cfg.lo `test -f 'credentials/auth_cfg.c' || echo '$(srcdir)/'`credentials/auth_cfg.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/auth_cfg.Tpo $(DEPDIR)/auth_cfg.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='credentials/auth_cfg.c' object='auth_cfg.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT auth_cfg.lo -MD -MP -MF $(DEPDIR)/auth_cfg.Tpo -c -o auth_cfg.lo `test -f 'credentials/auth_cfg.c' || echo '$(srcdir)/'`credentials/auth_cfg.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/auth_cfg.Tpo $(DEPDIR)/auth_cfg.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='credentials/auth_cfg.c' object='auth_cfg.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o auth_cfg.lo `test -f 'credentials/auth_cfg.c' || echo '$(srcdir)/'`credentials/auth_cfg.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o auth_cfg.lo `test -f 'credentials/auth_cfg.c' || echo '$(srcdir)/'`credentials/auth_cfg.c
 
 database.lo: database/database.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT database.lo -MD -MP -MF $(DEPDIR)/database.Tpo -c -o database.lo `test -f 'database/database.c' || echo '$(srcdir)/'`database/database.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/database.Tpo $(DEPDIR)/database.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='database/database.c' object='database.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT database.lo -MD -MP -MF $(DEPDIR)/database.Tpo -c -o database.lo `test -f 'database/database.c' || echo '$(srcdir)/'`database/database.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/database.Tpo $(DEPDIR)/database.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='database/database.c' object='database.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o database.lo `test -f 'database/database.c' || echo '$(srcdir)/'`database/database.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o database.lo `test -f 'database/database.c' || echo '$(srcdir)/'`database/database.c
 
 database_factory.lo: database/database_factory.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT database_factory.lo -MD -MP -MF $(DEPDIR)/database_factory.Tpo -c -o database_factory.lo `test -f 'database/database_factory.c' || echo '$(srcdir)/'`database/database_factory.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/database_factory.Tpo $(DEPDIR)/database_factory.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='database/database_factory.c' object='database_factory.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT database_factory.lo -MD -MP -MF $(DEPDIR)/database_factory.Tpo -c -o database_factory.lo `test -f 'database/database_factory.c' || echo '$(srcdir)/'`database/database_factory.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/database_factory.Tpo $(DEPDIR)/database_factory.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='database/database_factory.c' object='database_factory.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o database_factory.lo `test -f 'database/database_factory.c' || echo '$(srcdir)/'`database/database_factory.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o database_factory.lo `test -f 'database/database_factory.c' || echo '$(srcdir)/'`database/database_factory.c
 
 fetcher.lo: fetcher/fetcher.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT fetcher.lo -MD -MP -MF $(DEPDIR)/fetcher.Tpo -c -o fetcher.lo `test -f 'fetcher/fetcher.c' || echo '$(srcdir)/'`fetcher/fetcher.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/fetcher.Tpo $(DEPDIR)/fetcher.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='fetcher/fetcher.c' object='fetcher.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT fetcher.lo -MD -MP -MF $(DEPDIR)/fetcher.Tpo -c -o fetcher.lo `test -f 'fetcher/fetcher.c' || echo '$(srcdir)/'`fetcher/fetcher.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/fetcher.Tpo $(DEPDIR)/fetcher.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='fetcher/fetcher.c' object='fetcher.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o fetcher.lo `test -f 'fetcher/fetcher.c' || echo '$(srcdir)/'`fetcher/fetcher.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o fetcher.lo `test -f 'fetcher/fetcher.c' || echo '$(srcdir)/'`fetcher/fetcher.c
 
 fetcher_manager.lo: fetcher/fetcher_manager.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT fetcher_manager.lo -MD -MP -MF $(DEPDIR)/fetcher_manager.Tpo -c -o fetcher_manager.lo `test -f 'fetcher/fetcher_manager.c' || echo '$(srcdir)/'`fetcher/fetcher_manager.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/fetcher_manager.Tpo $(DEPDIR)/fetcher_manager.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='fetcher/fetcher_manager.c' object='fetcher_manager.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT fetcher_manager.lo -MD -MP -MF $(DEPDIR)/fetcher_manager.Tpo -c -o fetcher_manager.lo `test -f 'fetcher/fetcher_manager.c' || echo '$(srcdir)/'`fetcher/fetcher_manager.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/fetcher_manager.Tpo $(DEPDIR)/fetcher_manager.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='fetcher/fetcher_manager.c' object='fetcher_manager.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o fetcher_manager.lo `test -f 'fetcher/fetcher_manager.c' || echo '$(srcdir)/'`fetcher/fetcher_manager.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o fetcher_manager.lo `test -f 'fetcher/fetcher_manager.c' || echo '$(srcdir)/'`fetcher/fetcher_manager.c
 
 eap.lo: eap/eap.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT eap.lo -MD -MP -MF $(DEPDIR)/eap.Tpo -c -o eap.lo `test -f 'eap/eap.c' || echo '$(srcdir)/'`eap/eap.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/eap.Tpo $(DEPDIR)/eap.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='eap/eap.c' object='eap.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT eap.lo -MD -MP -MF $(DEPDIR)/eap.Tpo -c -o eap.lo `test -f 'eap/eap.c' || echo '$(srcdir)/'`eap/eap.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/eap.Tpo $(DEPDIR)/eap.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='eap/eap.c' object='eap.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o eap.lo `test -f 'eap/eap.c' || echo '$(srcdir)/'`eap/eap.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o eap.lo `test -f 'eap/eap.c' || echo '$(srcdir)/'`eap/eap.c
 
 ipsec_types.lo: ipsec/ipsec_types.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ipsec_types.lo -MD -MP -MF $(DEPDIR)/ipsec_types.Tpo -c -o ipsec_types.lo `test -f 'ipsec/ipsec_types.c' || echo '$(srcdir)/'`ipsec/ipsec_types.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/ipsec_types.Tpo $(DEPDIR)/ipsec_types.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='ipsec/ipsec_types.c' object='ipsec_types.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ipsec_types.lo -MD -MP -MF $(DEPDIR)/ipsec_types.Tpo -c -o ipsec_types.lo `test -f 'ipsec/ipsec_types.c' || echo '$(srcdir)/'`ipsec/ipsec_types.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/ipsec_types.Tpo $(DEPDIR)/ipsec_types.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='ipsec/ipsec_types.c' object='ipsec_types.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ipsec_types.lo `test -f 'ipsec/ipsec_types.c' || echo '$(srcdir)/'`ipsec/ipsec_types.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ipsec_types.lo `test -f 'ipsec/ipsec_types.c' || echo '$(srcdir)/'`ipsec/ipsec_types.c
 
 host.lo: networking/host.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT host.lo -MD -MP -MF $(DEPDIR)/host.Tpo -c -o host.lo `test -f 'networking/host.c' || echo '$(srcdir)/'`networking/host.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/host.Tpo $(DEPDIR)/host.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='networking/host.c' object='host.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT host.lo -MD -MP -MF $(DEPDIR)/host.Tpo -c -o host.lo `test -f 'networking/host.c' || echo '$(srcdir)/'`networking/host.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/host.Tpo $(DEPDIR)/host.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='networking/host.c' object='host.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o host.lo `test -f 'networking/host.c' || echo '$(srcdir)/'`networking/host.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o host.lo `test -f 'networking/host.c' || echo '$(srcdir)/'`networking/host.c
 
 host_resolver.lo: networking/host_resolver.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT host_resolver.lo -MD -MP -MF $(DEPDIR)/host_resolver.Tpo -c -o host_resolver.lo `test -f 'networking/host_resolver.c' || echo '$(srcdir)/'`networking/host_resolver.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/host_resolver.Tpo $(DEPDIR)/host_resolver.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='networking/host_resolver.c' object='host_resolver.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT host_resolver.lo -MD -MP -MF $(DEPDIR)/host_resolver.Tpo -c -o host_resolver.lo `test -f 'networking/host_resolver.c' || echo '$(srcdir)/'`networking/host_resolver.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/host_resolver.Tpo $(DEPDIR)/host_resolver.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='networking/host_resolver.c' object='host_resolver.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o host_resolver.lo `test -f 'networking/host_resolver.c' || echo '$(srcdir)/'`networking/host_resolver.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o host_resolver.lo `test -f 'networking/host_resolver.c' || echo '$(srcdir)/'`networking/host_resolver.c
 
 packet.lo: networking/packet.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT packet.lo -MD -MP -MF $(DEPDIR)/packet.Tpo -c -o packet.lo `test -f 'networking/packet.c' || echo '$(srcdir)/'`networking/packet.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/packet.Tpo $(DEPDIR)/packet.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='networking/packet.c' object='packet.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT packet.lo -MD -MP -MF $(DEPDIR)/packet.Tpo -c -o packet.lo `test -f 'networking/packet.c' || echo '$(srcdir)/'`networking/packet.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/packet.Tpo $(DEPDIR)/packet.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='networking/packet.c' object='packet.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o packet.lo `test -f 'networking/packet.c' || echo '$(srcdir)/'`networking/packet.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o packet.lo `test -f 'networking/packet.c' || echo '$(srcdir)/'`networking/packet.c
 
 tun_device.lo: networking/tun_device.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT tun_device.lo -MD -MP -MF $(DEPDIR)/tun_device.Tpo -c -o tun_device.lo `test -f 'networking/tun_device.c' || echo '$(srcdir)/'`networking/tun_device.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/tun_device.Tpo $(DEPDIR)/tun_device.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='networking/tun_device.c' object='tun_device.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT tun_device.lo -MD -MP -MF $(DEPDIR)/tun_device.Tpo -c -o tun_device.lo `test -f 'networking/tun_device.c' || echo '$(srcdir)/'`networking/tun_device.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/tun_device.Tpo $(DEPDIR)/tun_device.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='networking/tun_device.c' object='tun_device.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o tun_device.lo `test -f 'networking/tun_device.c' || echo '$(srcdir)/'`networking/tun_device.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o tun_device.lo `test -f 'networking/tun_device.c' || echo '$(srcdir)/'`networking/tun_device.c
+
+stream.lo: networking/streams/stream.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT stream.lo -MD -MP -MF $(DEPDIR)/stream.Tpo -c -o stream.lo `test -f 'networking/streams/stream.c' || echo '$(srcdir)/'`networking/streams/stream.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/stream.Tpo $(DEPDIR)/stream.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='networking/streams/stream.c' object='stream.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o stream.lo `test -f 'networking/streams/stream.c' || echo '$(srcdir)/'`networking/streams/stream.c
+
+stream_service.lo: networking/streams/stream_service.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT stream_service.lo -MD -MP -MF $(DEPDIR)/stream_service.Tpo -c -o stream_service.lo `test -f 'networking/streams/stream_service.c' || echo '$(srcdir)/'`networking/streams/stream_service.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/stream_service.Tpo $(DEPDIR)/stream_service.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='networking/streams/stream_service.c' object='stream_service.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o stream_service.lo `test -f 'networking/streams/stream_service.c' || echo '$(srcdir)/'`networking/streams/stream_service.c
+
+stream_manager.lo: networking/streams/stream_manager.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT stream_manager.lo -MD -MP -MF $(DEPDIR)/stream_manager.Tpo -c -o stream_manager.lo `test -f 'networking/streams/stream_manager.c' || echo '$(srcdir)/'`networking/streams/stream_manager.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/stream_manager.Tpo $(DEPDIR)/stream_manager.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='networking/streams/stream_manager.c' object='stream_manager.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o stream_manager.lo `test -f 'networking/streams/stream_manager.c' || echo '$(srcdir)/'`networking/streams/stream_manager.c
 
 pen.lo: pen/pen.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT pen.lo -MD -MP -MF $(DEPDIR)/pen.Tpo -c -o pen.lo `test -f 'pen/pen.c' || echo '$(srcdir)/'`pen/pen.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/pen.Tpo $(DEPDIR)/pen.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='pen/pen.c' object='pen.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT pen.lo -MD -MP -MF $(DEPDIR)/pen.Tpo -c -o pen.lo `test -f 'pen/pen.c' || echo '$(srcdir)/'`pen/pen.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/pen.Tpo $(DEPDIR)/pen.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='pen/pen.c' object='pen.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o pen.lo `test -f 'pen/pen.c' || echo '$(srcdir)/'`pen/pen.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o pen.lo `test -f 'pen/pen.c' || echo '$(srcdir)/'`pen/pen.c
 
 plugin_loader.lo: plugins/plugin_loader.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT plugin_loader.lo -MD -MP -MF $(DEPDIR)/plugin_loader.Tpo -c -o plugin_loader.lo `test -f 'plugins/plugin_loader.c' || echo '$(srcdir)/'`plugins/plugin_loader.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/plugin_loader.Tpo $(DEPDIR)/plugin_loader.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='plugins/plugin_loader.c' object='plugin_loader.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT plugin_loader.lo -MD -MP -MF $(DEPDIR)/plugin_loader.Tpo -c -o plugin_loader.lo `test -f 'plugins/plugin_loader.c' || echo '$(srcdir)/'`plugins/plugin_loader.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/plugin_loader.Tpo $(DEPDIR)/plugin_loader.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='plugins/plugin_loader.c' object='plugin_loader.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o plugin_loader.lo `test -f 'plugins/plugin_loader.c' || echo '$(srcdir)/'`plugins/plugin_loader.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o plugin_loader.lo `test -f 'plugins/plugin_loader.c' || echo '$(srcdir)/'`plugins/plugin_loader.c
 
 plugin_feature.lo: plugins/plugin_feature.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT plugin_feature.lo -MD -MP -MF $(DEPDIR)/plugin_feature.Tpo -c -o plugin_feature.lo `test -f 'plugins/plugin_feature.c' || echo '$(srcdir)/'`plugins/plugin_feature.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/plugin_feature.Tpo $(DEPDIR)/plugin_feature.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='plugins/plugin_feature.c' object='plugin_feature.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT plugin_feature.lo -MD -MP -MF $(DEPDIR)/plugin_feature.Tpo -c -o plugin_feature.lo `test -f 'plugins/plugin_feature.c' || echo '$(srcdir)/'`plugins/plugin_feature.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/plugin_feature.Tpo $(DEPDIR)/plugin_feature.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='plugins/plugin_feature.c' object='plugin_feature.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o plugin_feature.lo `test -f 'plugins/plugin_feature.c' || echo '$(srcdir)/'`plugins/plugin_feature.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o plugin_feature.lo `test -f 'plugins/plugin_feature.c' || echo '$(srcdir)/'`plugins/plugin_feature.c
 
 job.lo: processing/jobs/job.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT job.lo -MD -MP -MF $(DEPDIR)/job.Tpo -c -o job.lo `test -f 'processing/jobs/job.c' || echo '$(srcdir)/'`processing/jobs/job.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/job.Tpo $(DEPDIR)/job.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='processing/jobs/job.c' object='job.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT job.lo -MD -MP -MF $(DEPDIR)/job.Tpo -c -o job.lo `test -f 'processing/jobs/job.c' || echo '$(srcdir)/'`processing/jobs/job.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/job.Tpo $(DEPDIR)/job.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='processing/jobs/job.c' object='job.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o job.lo `test -f 'processing/jobs/job.c' || echo '$(srcdir)/'`processing/jobs/job.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o job.lo `test -f 'processing/jobs/job.c' || echo '$(srcdir)/'`processing/jobs/job.c
 
 callback_job.lo: processing/jobs/callback_job.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT callback_job.lo -MD -MP -MF $(DEPDIR)/callback_job.Tpo -c -o callback_job.lo `test -f 'processing/jobs/callback_job.c' || echo '$(srcdir)/'`processing/jobs/callback_job.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/callback_job.Tpo $(DEPDIR)/callback_job.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='processing/jobs/callback_job.c' object='callback_job.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT callback_job.lo -MD -MP -MF $(DEPDIR)/callback_job.Tpo -c -o callback_job.lo `test -f 'processing/jobs/callback_job.c' || echo '$(srcdir)/'`processing/jobs/callback_job.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/callback_job.Tpo $(DEPDIR)/callback_job.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='processing/jobs/callback_job.c' object='callback_job.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o callback_job.lo `test -f 'processing/jobs/callback_job.c' || echo '$(srcdir)/'`processing/jobs/callback_job.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o callback_job.lo `test -f 'processing/jobs/callback_job.c' || echo '$(srcdir)/'`processing/jobs/callback_job.c
 
 processor.lo: processing/processor.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT processor.lo -MD -MP -MF $(DEPDIR)/processor.Tpo -c -o processor.lo `test -f 'processing/processor.c' || echo '$(srcdir)/'`processing/processor.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/processor.Tpo $(DEPDIR)/processor.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='processing/processor.c' object='processor.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT processor.lo -MD -MP -MF $(DEPDIR)/processor.Tpo -c -o processor.lo `test -f 'processing/processor.c' || echo '$(srcdir)/'`processing/processor.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/processor.Tpo $(DEPDIR)/processor.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='processing/processor.c' object='processor.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o processor.lo `test -f 'processing/processor.c' || echo '$(srcdir)/'`processing/processor.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o processor.lo `test -f 'processing/processor.c' || echo '$(srcdir)/'`processing/processor.c
 
 scheduler.lo: processing/scheduler.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT scheduler.lo -MD -MP -MF $(DEPDIR)/scheduler.Tpo -c -o scheduler.lo `test -f 'processing/scheduler.c' || echo '$(srcdir)/'`processing/scheduler.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/scheduler.Tpo $(DEPDIR)/scheduler.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='processing/scheduler.c' object='scheduler.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT scheduler.lo -MD -MP -MF $(DEPDIR)/scheduler.Tpo -c -o scheduler.lo `test -f 'processing/scheduler.c' || echo '$(srcdir)/'`processing/scheduler.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/scheduler.Tpo $(DEPDIR)/scheduler.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='processing/scheduler.c' object='scheduler.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o scheduler.lo `test -f 'processing/scheduler.c' || echo '$(srcdir)/'`processing/scheduler.c
+
+watcher.lo: processing/watcher.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT watcher.lo -MD -MP -MF $(DEPDIR)/watcher.Tpo -c -o watcher.lo `test -f 'processing/watcher.c' || echo '$(srcdir)/'`processing/watcher.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/watcher.Tpo $(DEPDIR)/watcher.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='processing/watcher.c' object='watcher.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o scheduler.lo `test -f 'processing/scheduler.c' || echo '$(srcdir)/'`processing/scheduler.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o watcher.lo `test -f 'processing/watcher.c' || echo '$(srcdir)/'`processing/watcher.c
 
 resolver_manager.lo: resolver/resolver_manager.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT resolver_manager.lo -MD -MP -MF $(DEPDIR)/resolver_manager.Tpo -c -o resolver_manager.lo `test -f 'resolver/resolver_manager.c' || echo '$(srcdir)/'`resolver/resolver_manager.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/resolver_manager.Tpo $(DEPDIR)/resolver_manager.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='resolver/resolver_manager.c' object='resolver_manager.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT resolver_manager.lo -MD -MP -MF $(DEPDIR)/resolver_manager.Tpo -c -o resolver_manager.lo `test -f 'resolver/resolver_manager.c' || echo '$(srcdir)/'`resolver/resolver_manager.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/resolver_manager.Tpo $(DEPDIR)/resolver_manager.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='resolver/resolver_manager.c' object='resolver_manager.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o resolver_manager.lo `test -f 'resolver/resolver_manager.c' || echo '$(srcdir)/'`resolver/resolver_manager.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o resolver_manager.lo `test -f 'resolver/resolver_manager.c' || echo '$(srcdir)/'`resolver/resolver_manager.c
 
 rr_set.lo: resolver/rr_set.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT rr_set.lo -MD -MP -MF $(DEPDIR)/rr_set.Tpo -c -o rr_set.lo `test -f 'resolver/rr_set.c' || echo '$(srcdir)/'`resolver/rr_set.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/rr_set.Tpo $(DEPDIR)/rr_set.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='resolver/rr_set.c' object='rr_set.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT rr_set.lo -MD -MP -MF $(DEPDIR)/rr_set.Tpo -c -o rr_set.lo `test -f 'resolver/rr_set.c' || echo '$(srcdir)/'`resolver/rr_set.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/rr_set.Tpo $(DEPDIR)/rr_set.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='resolver/rr_set.c' object='rr_set.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o rr_set.lo `test -f 'resolver/rr_set.c' || echo '$(srcdir)/'`resolver/rr_set.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o rr_set.lo `test -f 'resolver/rr_set.c' || echo '$(srcdir)/'`resolver/rr_set.c
 
 traffic_selector.lo: selectors/traffic_selector.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT traffic_selector.lo -MD -MP -MF $(DEPDIR)/traffic_selector.Tpo -c -o traffic_selector.lo `test -f 'selectors/traffic_selector.c' || echo '$(srcdir)/'`selectors/traffic_selector.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/traffic_selector.Tpo $(DEPDIR)/traffic_selector.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='selectors/traffic_selector.c' object='traffic_selector.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT traffic_selector.lo -MD -MP -MF $(DEPDIR)/traffic_selector.Tpo -c -o traffic_selector.lo `test -f 'selectors/traffic_selector.c' || echo '$(srcdir)/'`selectors/traffic_selector.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/traffic_selector.Tpo $(DEPDIR)/traffic_selector.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='selectors/traffic_selector.c' object='traffic_selector.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o traffic_selector.lo `test -f 'selectors/traffic_selector.c' || echo '$(srcdir)/'`selectors/traffic_selector.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o traffic_selector.lo `test -f 'selectors/traffic_selector.c' || echo '$(srcdir)/'`selectors/traffic_selector.c
 
 thread.lo: threading/thread.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT thread.lo -MD -MP -MF $(DEPDIR)/thread.Tpo -c -o thread.lo `test -f 'threading/thread.c' || echo '$(srcdir)/'`threading/thread.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/thread.Tpo $(DEPDIR)/thread.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='threading/thread.c' object='thread.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT thread.lo -MD -MP -MF $(DEPDIR)/thread.Tpo -c -o thread.lo `test -f 'threading/thread.c' || echo '$(srcdir)/'`threading/thread.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/thread.Tpo $(DEPDIR)/thread.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='threading/thread.c' object='thread.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o thread.lo `test -f 'threading/thread.c' || echo '$(srcdir)/'`threading/thread.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o thread.lo `test -f 'threading/thread.c' || echo '$(srcdir)/'`threading/thread.c
 
 thread_value.lo: threading/thread_value.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT thread_value.lo -MD -MP -MF $(DEPDIR)/thread_value.Tpo -c -o thread_value.lo `test -f 'threading/thread_value.c' || echo '$(srcdir)/'`threading/thread_value.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/thread_value.Tpo $(DEPDIR)/thread_value.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='threading/thread_value.c' object='thread_value.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT thread_value.lo -MD -MP -MF $(DEPDIR)/thread_value.Tpo -c -o thread_value.lo `test -f 'threading/thread_value.c' || echo '$(srcdir)/'`threading/thread_value.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/thread_value.Tpo $(DEPDIR)/thread_value.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='threading/thread_value.c' object='thread_value.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o thread_value.lo `test -f 'threading/thread_value.c' || echo '$(srcdir)/'`threading/thread_value.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o thread_value.lo `test -f 'threading/thread_value.c' || echo '$(srcdir)/'`threading/thread_value.c
 
 mutex.lo: threading/mutex.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT mutex.lo -MD -MP -MF $(DEPDIR)/mutex.Tpo -c -o mutex.lo `test -f 'threading/mutex.c' || echo '$(srcdir)/'`threading/mutex.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/mutex.Tpo $(DEPDIR)/mutex.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='threading/mutex.c' object='mutex.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT mutex.lo -MD -MP -MF $(DEPDIR)/mutex.Tpo -c -o mutex.lo `test -f 'threading/mutex.c' || echo '$(srcdir)/'`threading/mutex.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/mutex.Tpo $(DEPDIR)/mutex.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='threading/mutex.c' object='mutex.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o mutex.lo `test -f 'threading/mutex.c' || echo '$(srcdir)/'`threading/mutex.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o mutex.lo `test -f 'threading/mutex.c' || echo '$(srcdir)/'`threading/mutex.c
 
 semaphore.lo: threading/semaphore.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT semaphore.lo -MD -MP -MF $(DEPDIR)/semaphore.Tpo -c -o semaphore.lo `test -f 'threading/semaphore.c' || echo '$(srcdir)/'`threading/semaphore.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/semaphore.Tpo $(DEPDIR)/semaphore.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='threading/semaphore.c' object='semaphore.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT semaphore.lo -MD -MP -MF $(DEPDIR)/semaphore.Tpo -c -o semaphore.lo `test -f 'threading/semaphore.c' || echo '$(srcdir)/'`threading/semaphore.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/semaphore.Tpo $(DEPDIR)/semaphore.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='threading/semaphore.c' object='semaphore.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o semaphore.lo `test -f 'threading/semaphore.c' || echo '$(srcdir)/'`threading/semaphore.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o semaphore.lo `test -f 'threading/semaphore.c' || echo '$(srcdir)/'`threading/semaphore.c
 
 rwlock.lo: threading/rwlock.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT rwlock.lo -MD -MP -MF $(DEPDIR)/rwlock.Tpo -c -o rwlock.lo `test -f 'threading/rwlock.c' || echo '$(srcdir)/'`threading/rwlock.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/rwlock.Tpo $(DEPDIR)/rwlock.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='threading/rwlock.c' object='rwlock.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT rwlock.lo -MD -MP -MF $(DEPDIR)/rwlock.Tpo -c -o rwlock.lo `test -f 'threading/rwlock.c' || echo '$(srcdir)/'`threading/rwlock.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/rwlock.Tpo $(DEPDIR)/rwlock.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='threading/rwlock.c' object='rwlock.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o rwlock.lo `test -f 'threading/rwlock.c' || echo '$(srcdir)/'`threading/rwlock.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o rwlock.lo `test -f 'threading/rwlock.c' || echo '$(srcdir)/'`threading/rwlock.c
 
 spinlock.lo: threading/spinlock.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT spinlock.lo -MD -MP -MF $(DEPDIR)/spinlock.Tpo -c -o spinlock.lo `test -f 'threading/spinlock.c' || echo '$(srcdir)/'`threading/spinlock.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/spinlock.Tpo $(DEPDIR)/spinlock.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='threading/spinlock.c' object='spinlock.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT spinlock.lo -MD -MP -MF $(DEPDIR)/spinlock.Tpo -c -o spinlock.lo `test -f 'threading/spinlock.c' || echo '$(srcdir)/'`threading/spinlock.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/spinlock.Tpo $(DEPDIR)/spinlock.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='threading/spinlock.c' object='spinlock.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o spinlock.lo `test -f 'threading/spinlock.c' || echo '$(srcdir)/'`threading/spinlock.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o spinlock.lo `test -f 'threading/spinlock.c' || echo '$(srcdir)/'`threading/spinlock.c
 
 utils.lo: utils/utils.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT utils.lo -MD -MP -MF $(DEPDIR)/utils.Tpo -c -o utils.lo `test -f 'utils/utils.c' || echo '$(srcdir)/'`utils/utils.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/utils.Tpo $(DEPDIR)/utils.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='utils/utils.c' object='utils.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT utils.lo -MD -MP -MF $(DEPDIR)/utils.Tpo -c -o utils.lo `test -f 'utils/utils.c' || echo '$(srcdir)/'`utils/utils.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/utils.Tpo $(DEPDIR)/utils.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='utils/utils.c' object='utils.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o utils.lo `test -f 'utils/utils.c' || echo '$(srcdir)/'`utils/utils.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o utils.lo `test -f 'utils/utils.c' || echo '$(srcdir)/'`utils/utils.c
 
 chunk.lo: utils/chunk.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT chunk.lo -MD -MP -MF $(DEPDIR)/chunk.Tpo -c -o chunk.lo `test -f 'utils/chunk.c' || echo '$(srcdir)/'`utils/chunk.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/chunk.Tpo $(DEPDIR)/chunk.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='utils/chunk.c' object='chunk.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT chunk.lo -MD -MP -MF $(DEPDIR)/chunk.Tpo -c -o chunk.lo `test -f 'utils/chunk.c' || echo '$(srcdir)/'`utils/chunk.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/chunk.Tpo $(DEPDIR)/chunk.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='utils/chunk.c' object='chunk.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o chunk.lo `test -f 'utils/chunk.c' || echo '$(srcdir)/'`utils/chunk.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o chunk.lo `test -f 'utils/chunk.c' || echo '$(srcdir)/'`utils/chunk.c
 
 debug.lo: utils/debug.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT debug.lo -MD -MP -MF $(DEPDIR)/debug.Tpo -c -o debug.lo `test -f 'utils/debug.c' || echo '$(srcdir)/'`utils/debug.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/debug.Tpo $(DEPDIR)/debug.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='utils/debug.c' object='debug.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT debug.lo -MD -MP -MF $(DEPDIR)/debug.Tpo -c -o debug.lo `test -f 'utils/debug.c' || echo '$(srcdir)/'`utils/debug.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/debug.Tpo $(DEPDIR)/debug.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='utils/debug.c' object='debug.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o debug.lo `test -f 'utils/debug.c' || echo '$(srcdir)/'`utils/debug.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o debug.lo `test -f 'utils/debug.c' || echo '$(srcdir)/'`utils/debug.c
 
 enum.lo: utils/enum.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT enum.lo -MD -MP -MF $(DEPDIR)/enum.Tpo -c -o enum.lo `test -f 'utils/enum.c' || echo '$(srcdir)/'`utils/enum.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/enum.Tpo $(DEPDIR)/enum.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='utils/enum.c' object='enum.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT enum.lo -MD -MP -MF $(DEPDIR)/enum.Tpo -c -o enum.lo `test -f 'utils/enum.c' || echo '$(srcdir)/'`utils/enum.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/enum.Tpo $(DEPDIR)/enum.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='utils/enum.c' object='enum.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o enum.lo `test -f 'utils/enum.c' || echo '$(srcdir)/'`utils/enum.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o enum.lo `test -f 'utils/enum.c' || echo '$(srcdir)/'`utils/enum.c
 
 identification.lo: utils/identification.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT identification.lo -MD -MP -MF $(DEPDIR)/identification.Tpo -c -o identification.lo `test -f 'utils/identification.c' || echo '$(srcdir)/'`utils/identification.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/identification.Tpo $(DEPDIR)/identification.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='utils/identification.c' object='identification.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT identification.lo -MD -MP -MF $(DEPDIR)/identification.Tpo -c -o identification.lo `test -f 'utils/identification.c' || echo '$(srcdir)/'`utils/identification.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/identification.Tpo $(DEPDIR)/identification.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='utils/identification.c' object='identification.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o identification.lo `test -f 'utils/identification.c' || echo '$(srcdir)/'`utils/identification.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o identification.lo `test -f 'utils/identification.c' || echo '$(srcdir)/'`utils/identification.c
 
 lexparser.lo: utils/lexparser.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT lexparser.lo -MD -MP -MF $(DEPDIR)/lexparser.Tpo -c -o lexparser.lo `test -f 'utils/lexparser.c' || echo '$(srcdir)/'`utils/lexparser.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/lexparser.Tpo $(DEPDIR)/lexparser.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='utils/lexparser.c' object='lexparser.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT lexparser.lo -MD -MP -MF $(DEPDIR)/lexparser.Tpo -c -o lexparser.lo `test -f 'utils/lexparser.c' || echo '$(srcdir)/'`utils/lexparser.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/lexparser.Tpo $(DEPDIR)/lexparser.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='utils/lexparser.c' object='lexparser.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o lexparser.lo `test -f 'utils/lexparser.c' || echo '$(srcdir)/'`utils/lexparser.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o lexparser.lo `test -f 'utils/lexparser.c' || echo '$(srcdir)/'`utils/lexparser.c
 
 optionsfrom.lo: utils/optionsfrom.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT optionsfrom.lo -MD -MP -MF $(DEPDIR)/optionsfrom.Tpo -c -o optionsfrom.lo `test -f 'utils/optionsfrom.c' || echo '$(srcdir)/'`utils/optionsfrom.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/optionsfrom.Tpo $(DEPDIR)/optionsfrom.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='utils/optionsfrom.c' object='optionsfrom.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT optionsfrom.lo -MD -MP -MF $(DEPDIR)/optionsfrom.Tpo -c -o optionsfrom.lo `test -f 'utils/optionsfrom.c' || echo '$(srcdir)/'`utils/optionsfrom.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/optionsfrom.Tpo $(DEPDIR)/optionsfrom.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='utils/optionsfrom.c' object='optionsfrom.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o optionsfrom.lo `test -f 'utils/optionsfrom.c' || echo '$(srcdir)/'`utils/optionsfrom.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o optionsfrom.lo `test -f 'utils/optionsfrom.c' || echo '$(srcdir)/'`utils/optionsfrom.c
 
 capabilities.lo: utils/capabilities.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT capabilities.lo -MD -MP -MF $(DEPDIR)/capabilities.Tpo -c -o capabilities.lo `test -f 'utils/capabilities.c' || echo '$(srcdir)/'`utils/capabilities.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/capabilities.Tpo $(DEPDIR)/capabilities.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='utils/capabilities.c' object='capabilities.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT capabilities.lo -MD -MP -MF $(DEPDIR)/capabilities.Tpo -c -o capabilities.lo `test -f 'utils/capabilities.c' || echo '$(srcdir)/'`utils/capabilities.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/capabilities.Tpo $(DEPDIR)/capabilities.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='utils/capabilities.c' object='capabilities.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o capabilities.lo `test -f 'utils/capabilities.c' || echo '$(srcdir)/'`utils/capabilities.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o capabilities.lo `test -f 'utils/capabilities.c' || echo '$(srcdir)/'`utils/capabilities.c
 
 backtrace.lo: utils/backtrace.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT backtrace.lo -MD -MP -MF $(DEPDIR)/backtrace.Tpo -c -o backtrace.lo `test -f 'utils/backtrace.c' || echo '$(srcdir)/'`utils/backtrace.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/backtrace.Tpo $(DEPDIR)/backtrace.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='utils/backtrace.c' object='backtrace.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT backtrace.lo -MD -MP -MF $(DEPDIR)/backtrace.Tpo -c -o backtrace.lo `test -f 'utils/backtrace.c' || echo '$(srcdir)/'`utils/backtrace.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/backtrace.Tpo $(DEPDIR)/backtrace.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='utils/backtrace.c' object='backtrace.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o backtrace.lo `test -f 'utils/backtrace.c' || echo '$(srcdir)/'`utils/backtrace.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o backtrace.lo `test -f 'utils/backtrace.c' || echo '$(srcdir)/'`utils/backtrace.c
 
 printf_hook.lo: utils/printf_hook.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT printf_hook.lo -MD -MP -MF $(DEPDIR)/printf_hook.Tpo -c -o printf_hook.lo `test -f 'utils/printf_hook.c' || echo '$(srcdir)/'`utils/printf_hook.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/printf_hook.Tpo $(DEPDIR)/printf_hook.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='utils/printf_hook.c' object='printf_hook.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT printf_hook.lo -MD -MP -MF $(DEPDIR)/printf_hook.Tpo -c -o printf_hook.lo `test -f 'utils/printf_hook.c' || echo '$(srcdir)/'`utils/printf_hook.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/printf_hook.Tpo $(DEPDIR)/printf_hook.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='utils/printf_hook.c' object='printf_hook.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o printf_hook.lo `test -f 'utils/printf_hook.c' || echo '$(srcdir)/'`utils/printf_hook.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o printf_hook.lo `test -f 'utils/printf_hook.c' || echo '$(srcdir)/'`utils/printf_hook.c
 
 settings.lo: utils/settings.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT settings.lo -MD -MP -MF $(DEPDIR)/settings.Tpo -c -o settings.lo `test -f 'utils/settings.c' || echo '$(srcdir)/'`utils/settings.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/settings.Tpo $(DEPDIR)/settings.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='utils/settings.c' object='settings.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT settings.lo -MD -MP -MF $(DEPDIR)/settings.Tpo -c -o settings.lo `test -f 'utils/settings.c' || echo '$(srcdir)/'`utils/settings.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/settings.Tpo $(DEPDIR)/settings.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='utils/settings.c' object='settings.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o settings.lo `test -f 'utils/settings.c' || echo '$(srcdir)/'`utils/settings.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o settings.lo `test -f 'utils/settings.c' || echo '$(srcdir)/'`utils/settings.c
 
 leak_detective.lo: utils/leak_detective.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT leak_detective.lo -MD -MP -MF $(DEPDIR)/leak_detective.Tpo -c -o leak_detective.lo `test -f 'utils/leak_detective.c' || echo '$(srcdir)/'`utils/leak_detective.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/leak_detective.Tpo $(DEPDIR)/leak_detective.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='utils/leak_detective.c' object='leak_detective.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT leak_detective.lo -MD -MP -MF $(DEPDIR)/leak_detective.Tpo -c -o leak_detective.lo `test -f 'utils/leak_detective.c' || echo '$(srcdir)/'`utils/leak_detective.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/leak_detective.Tpo $(DEPDIR)/leak_detective.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='utils/leak_detective.c' object='leak_detective.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o leak_detective.lo `test -f 'utils/leak_detective.c' || echo '$(srcdir)/'`utils/leak_detective.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o leak_detective.lo `test -f 'utils/leak_detective.c' || echo '$(srcdir)/'`utils/leak_detective.c
 
 integrity_checker.lo: utils/integrity_checker.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT integrity_checker.lo -MD -MP -MF $(DEPDIR)/integrity_checker.Tpo -c -o integrity_checker.lo `test -f 'utils/integrity_checker.c' || echo '$(srcdir)/'`utils/integrity_checker.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/integrity_checker.Tpo $(DEPDIR)/integrity_checker.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='utils/integrity_checker.c' object='integrity_checker.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT integrity_checker.lo -MD -MP -MF $(DEPDIR)/integrity_checker.Tpo -c -o integrity_checker.lo `test -f 'utils/integrity_checker.c' || echo '$(srcdir)/'`utils/integrity_checker.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/integrity_checker.Tpo $(DEPDIR)/integrity_checker.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='utils/integrity_checker.c' object='integrity_checker.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o integrity_checker.lo `test -f 'utils/integrity_checker.c' || echo '$(srcdir)/'`utils/integrity_checker.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o integrity_checker.lo `test -f 'utils/integrity_checker.c' || echo '$(srcdir)/'`utils/integrity_checker.c
 
 mostlyclean-libtool:
 	-rm -f *.lo
@@ -1854,13 +1973,16 @@ uninstall-am: uninstall-ipseclibLTLIBRARIES \
 library.lo :	$(top_builddir)/config.status
 
 $(srcdir)/asn1/oid.c :	$(srcdir)/asn1/oid.pl $(srcdir)/asn1/oid.txt
+		$(AM_V_GEN) \
 		(cd $(srcdir)/asn1/ && $(PERL) oid.pl)
 
 $(srcdir)/asn1/oid.h :	$(srcdir)/asn1/oid.pl $(srcdir)/asn1/oid.txt
+		$(AM_V_GEN) \
 		(cd $(srcdir)/asn1/ && $(PERL) oid.pl)
 
 $(srcdir)/crypto/proposal/proposal_keywords_static.c:	$(srcdir)/crypto/proposal/proposal_keywords_static.txt \
 														$(srcdir)/crypto/proposal/proposal_keywords_static.h
+		$(AM_V_GEN) \
 		$(GPERF) -N proposal_get_token_static -m 10 -C -G -c -t -D < \
 												$(srcdir)/crypto/proposal/proposal_keywords_static.txt > $@
 
diff --git a/src/libstrongswan/asn1/asn1.c b/src/libstrongswan/asn1/asn1.c
index f438cb20e..d860ad9a2 100644
--- a/src/libstrongswan/asn1/asn1.c
+++ b/src/libstrongswan/asn1/asn1.c
@@ -549,6 +549,22 @@ bool asn1_parse_simple_object(chunk_t *object, asn1_t type, u_int level, const c
 	return TRUE;
 }
 
+/*
+ * Described in header
+ */
+u_int64_t asn1_parse_integer_uint64(chunk_t blob)
+{
+	u_int64_t val = 0;
+	int i;
+
+	for (i = 0; i < blob.len; i++)
+	{	/* if it is longer than 8 bytes, we just use the 8 LSBs */
+		val <<= 8;
+		val |= (u_int64_t)blob.ptr[i];
+	}
+	return val;
+}
+
 /**
  * ASN.1 definition of an algorithmIdentifier
  */
@@ -626,6 +642,11 @@ bool is_asn1(chunk_t blob)
 
 	len = asn1_length(&blob);
 
+	if (len == ASN1_INVALID_LENGTH)
+	{
+		return FALSE;
+	}
+
 	/* exact match */
 	if (len == blob.len)
 	{
diff --git a/src/libstrongswan/asn1/asn1.h b/src/libstrongswan/asn1/asn1.h
index 15ffff62e..a1d625380 100644
--- a/src/libstrongswan/asn1/asn1.h
+++ b/src/libstrongswan/asn1/asn1.h
@@ -170,6 +170,15 @@ int asn1_parse_algorithmIdentifier(chunk_t blob, int level0, chunk_t *params);
 bool asn1_parse_simple_object(chunk_t *object, asn1_t type, u_int level0,
 							  const char* name);
 
+/**
+ * Converts an ASN.1 INTEGER object to an u_int64_t. If the INTEGER is longer
+ * than 8 bytes only the 8 LSBs are returned.
+ *
+ * @param blob		body of an ASN.1 coded integer object
+ * @return			converted integer
+ */
+u_int64_t asn1_parse_integer_uint64(chunk_t blob);
+
 /**
  * Print the value of an ASN.1 simple object
  *
diff --git a/src/libstrongswan/asn1/oid.c b/src/libstrongswan/asn1/oid.c
index 686233fa3..a0e882b2c 100644
--- a/src/libstrongswan/asn1/oid.c
+++ b/src/libstrongswan/asn1/oid.c
@@ -10,389 +10,408 @@
 #include "oid.h"
 
 const oid_t oid_names[] = {
- {0x02,                         7, 1,  0, "ITU-T Administration"      }, /*   0 */
- {  0x82,                       0, 1,  1, ""                          }, /*   1 */
- {    0x06,                     0, 1,  2, "Germany ITU-T member"      }, /*   2 */
- {      0x01,                   0, 1,  3, "Deutsche Telekom AG"       }, /*   3 */
- {        0x0A,                 0, 1,  4, ""                          }, /*   4 */
- {          0x07,               0, 1,  5, ""                          }, /*   5 */
- {            0x14,             0, 0,  6, "ND"                        }, /*   6 */
- {0x09,                        18, 1,  0, "data"                      }, /*   7 */
- {  0x92,                       0, 1,  1, ""                          }, /*   8 */
- {    0x26,                     0, 1,  2, ""                          }, /*   9 */
- {      0x89,                   0, 1,  3, ""                          }, /*  10 */
- {        0x93,                 0, 1,  4, ""                          }, /*  11 */
- {          0xF2,               0, 1,  5, ""                          }, /*  12 */
- {            0x2C,             0, 1,  6, ""                          }, /*  13 */
- {              0x64,           0, 1,  7, "pilot"                     }, /*  14 */
- {                0x01,         0, 1,  8, "pilotAttributeType"        }, /*  15 */
- {                  0x01,      17, 0,  9, "UID"                       }, /*  16 */
- {                  0x19,       0, 0,  9, "DC"                        }, /*  17 */
- {0x55,                        65, 1,  0, "X.500"                     }, /*  18 */
- {  0x04,                      37, 1,  1, "X.509"                     }, /*  19 */
- {    0x03,                    21, 0,  2, "CN"                        }, /*  20 */
- {    0x04,                    22, 0,  2, "S"                         }, /*  21 */
- {    0x05,                    23, 0,  2, "SN"                        }, /*  22 */
- {    0x06,                    24, 0,  2, "C"                         }, /*  23 */
- {    0x07,                    25, 0,  2, "L"                         }, /*  24 */
- {    0x08,                    26, 0,  2, "ST"                        }, /*  25 */
- {    0x0A,                    27, 0,  2, "O"                         }, /*  26 */
- {    0x0B,                    28, 0,  2, "OU"                        }, /*  27 */
- {    0x0C,                    29, 0,  2, "T"                         }, /*  28 */
- {    0x0D,                    30, 0,  2, "D"                         }, /*  29 */
- {    0x24,                    31, 0,  2, "userCertificate"           }, /*  30 */
- {    0x29,                    32, 0,  2, "N"                         }, /*  31 */
- {    0x2A,                    33, 0,  2, "G"                         }, /*  32 */
- {    0x2B,                    34, 0,  2, "I"                         }, /*  33 */
- {    0x2D,                    35, 0,  2, "ID"                        }, /*  34 */
- {    0x2E,                    36, 0,  2, "dnQualifier"               }, /*  35 */
- {    0x48,                     0, 0,  2, "role"                      }, /*  36 */
- {  0x1D,                       0, 1,  1, "id-ce"                     }, /*  37 */
- {    0x09,                    39, 0,  2, "subjectDirectoryAttrs"     }, /*  38 */
- {    0x0E,                    40, 0,  2, "subjectKeyIdentifier"      }, /*  39 */
- {    0x0F,                    41, 0,  2, "keyUsage"                  }, /*  40 */
- {    0x10,                    42, 0,  2, "privateKeyUsagePeriod"     }, /*  41 */
- {    0x11,                    43, 0,  2, "subjectAltName"            }, /*  42 */
- {    0x12,                    44, 0,  2, "issuerAltName"             }, /*  43 */
- {    0x13,                    45, 0,  2, "basicConstraints"          }, /*  44 */
- {    0x14,                    46, 0,  2, "crlNumber"                 }, /*  45 */
- {    0x15,                    47, 0,  2, "reasonCode"                }, /*  46 */
- {    0x17,                    48, 0,  2, "holdInstructionCode"       }, /*  47 */
- {    0x18,                    49, 0,  2, "invalidityDate"            }, /*  48 */
- {    0x1B,                    50, 0,  2, "deltaCrlIndicator"         }, /*  49 */
- {    0x1C,                    51, 0,  2, "issuingDistributionPoint"  }, /*  50 */
- {    0x1D,                    52, 0,  2, "certificateIssuer"         }, /*  51 */
- {    0x1E,                    53, 0,  2, "nameConstraints"           }, /*  52 */
- {    0x1F,                    54, 0,  2, "crlDistributionPoints"     }, /*  53 */
- {    0x20,                    56, 1,  2, "certificatePolicies"       }, /*  54 */
- {      0x00,                   0, 0,  3, "anyPolicy"                 }, /*  55 */
- {    0x21,                    57, 0,  2, "policyMappings"            }, /*  56 */
- {    0x23,                    58, 0,  2, "authorityKeyIdentifier"    }, /*  57 */
- {    0x24,                    59, 0,  2, "policyConstraints"         }, /*  58 */
- {    0x25,                    61, 1,  2, "extendedKeyUsage"          }, /*  59 */
- {      0x00,                   0, 0,  3, "anyExtendedKeyUsage"       }, /*  60 */
- {    0x2E,                    62, 0,  2, "freshestCRL"               }, /*  61 */
- {    0x36,                    63, 0,  2, "inhibitAnyPolicy"          }, /*  62 */
- {    0x37,                    64, 0,  2, "targetInformation"         }, /*  63 */
- {    0x38,                     0, 0,  2, "noRevAvail"                }, /*  64 */
- {0x2A,                       169, 1,  0, ""                          }, /*  65 */
- {  0x83,                      78, 1,  1, ""                          }, /*  66 */
- {    0x08,                     0, 1,  2, "jp"                        }, /*  67 */
- {      0x8C,                   0, 1,  3, ""                          }, /*  68 */
- {        0x9A,                 0, 1,  4, ""                          }, /*  69 */
- {          0x4B,               0, 1,  5, ""                          }, /*  70 */
- {            0x3D,             0, 1,  6, ""                          }, /*  71 */
- {              0x01,           0, 1,  7, "security"                  }, /*  72 */
- {                0x01,         0, 1,  8, "algorithm"                 }, /*  73 */
- {                  0x01,       0, 1,  9, "symm-encryption-alg"       }, /*  74 */
- {                    0x02,    76, 0, 10, "camellia128-cbc"           }, /*  75 */
- {                    0x03,    77, 0, 10, "camellia192-cbc"           }, /*  76 */
- {                    0x04,     0, 0, 10, "camellia256-cbc"           }, /*  77 */
- {  0x86,                       0, 1,  1, ""                          }, /*  78 */
- {    0x48,                     0, 1,  2, "us"                        }, /*  79 */
- {      0x86,                 128, 1,  3, ""                          }, /*  80 */
- {        0xF6,                86, 1,  4, ""                          }, /*  81 */
- {          0x7D,               0, 1,  5, "NortelNetworks"            }, /*  82 */
- {            0x07,             0, 1,  6, "Entrust"                   }, /*  83 */
- {              0x41,           0, 1,  7, "nsn-ce"                    }, /*  84 */
- {                0x00,         0, 0,  8, "entrustVersInfo"           }, /*  85 */
- {        0xF7,                 0, 1,  4, ""                          }, /*  86 */
- {          0x0D,               0, 1,  5, "RSADSI"                    }, /*  87 */
- {            0x01,           123, 1,  6, "PKCS"                      }, /*  88 */
- {              0x01,         100, 1,  7, "PKCS-1"                    }, /*  89 */
- {                0x01,        91, 0,  8, "rsaEncryption"             }, /*  90 */
- {                0x02,        92, 0,  8, "md2WithRSAEncryption"      }, /*  91 */
- {                0x04,        93, 0,  8, "md5WithRSAEncryption"      }, /*  92 */
- {                0x05,        94, 0,  8, "sha-1WithRSAEncryption"    }, /*  93 */
- {                0x07,        95, 0,  8, "id-RSAES-OAEP"             }, /*  94 */
- {                0x09,        96, 0,  8, "id-pSpecified"             }, /*  95 */
- {                0x0B,        97, 0,  8, "sha256WithRSAEncryption"   }, /*  96 */
- {                0x0C,        98, 0,  8, "sha384WithRSAEncryption"   }, /*  97 */
- {                0x0D,        99, 0,  8, "sha512WithRSAEncryption"   }, /*  98 */
- {                0x0E,         0, 0,  8, "sha224WithRSAEncryption"   }, /*  99 */
- {              0x05,         105, 1,  7, "PKCS-5"                    }, /* 100 */
- {                0x03,       102, 0,  8, "pbeWithMD5AndDES-CBC"      }, /* 101 */
- {                0x0A,       103, 0,  8, "pbeWithSHA1AndDES-CBC"     }, /* 102 */
- {                0x0C,       104, 0,  8, "id-PBKDF2"                 }, /* 103 */
- {                0x0D,         0, 0,  8, "id-PBES2"                  }, /* 104 */
- {              0x07,         112, 1,  7, "PKCS-7"                    }, /* 105 */
- {                0x01,       107, 0,  8, "data"                      }, /* 106 */
- {                0x02,       108, 0,  8, "signedData"                }, /* 107 */
- {                0x03,       109, 0,  8, "envelopedData"             }, /* 108 */
- {                0x04,       110, 0,  8, "signedAndEnvelopedData"    }, /* 109 */
- {                0x05,       111, 0,  8, "digestedData"              }, /* 110 */
- {                0x06,         0, 0,  8, "encryptedData"             }, /* 111 */
- {              0x09,           0, 1,  7, "PKCS-9"                    }, /* 112 */
- {                0x01,       114, 0,  8, "E"                         }, /* 113 */
- {                0x02,       115, 0,  8, "unstructuredName"          }, /* 114 */
- {                0x03,       116, 0,  8, "contentType"               }, /* 115 */
- {                0x04,       117, 0,  8, "messageDigest"             }, /* 116 */
- {                0x05,       118, 0,  8, "signingTime"               }, /* 117 */
- {                0x06,       119, 0,  8, "counterSignature"          }, /* 118 */
- {                0x07,       120, 0,  8, "challengePassword"         }, /* 119 */
- {                0x08,       121, 0,  8, "unstructuredAddress"       }, /* 120 */
- {                0x0E,       122, 0,  8, "extensionRequest"          }, /* 121 */
- {                0x0F,         0, 0,  8, "S/MIME Capabilities"       }, /* 122 */
- {            0x02,           126, 1,  6, "digestAlgorithm"           }, /* 123 */
- {              0x02,         125, 0,  7, "md2"                       }, /* 124 */
- {              0x05,           0, 0,  7, "md5"                       }, /* 125 */
- {            0x03,             0, 1,  6, "encryptionAlgorithm"       }, /* 126 */
- {              0x07,           0, 0,  7, "3des-ede-cbc"              }, /* 127 */
- {      0xCE,                   0, 1,  3, ""                          }, /* 128 */
- {        0x3D,                 0, 1,  4, "ansi-X9-62"                }, /* 129 */
- {          0x02,             132, 1,  5, "id-publicKeyType"          }, /* 130 */
- {            0x01,             0, 0,  6, "id-ecPublicKey"            }, /* 131 */
- {          0x03,             162, 1,  5, "ellipticCurve"             }, /* 132 */
- {            0x00,           154, 1,  6, "c-TwoCurve"                }, /* 133 */
- {              0x01,         135, 0,  7, "c2pnb163v1"                }, /* 134 */
- {              0x02,         136, 0,  7, "c2pnb163v2"                }, /* 135 */
- {              0x03,         137, 0,  7, "c2pnb163v3"                }, /* 136 */
- {              0x04,         138, 0,  7, "c2pnb176w1"                }, /* 137 */
- {              0x05,         139, 0,  7, "c2tnb191v1"                }, /* 138 */
- {              0x06,         140, 0,  7, "c2tnb191v2"                }, /* 139 */
- {              0x07,         141, 0,  7, "c2tnb191v3"                }, /* 140 */
- {              0x08,         142, 0,  7, "c2onb191v4"                }, /* 141 */
- {              0x09,         143, 0,  7, "c2onb191v5"                }, /* 142 */
- {              0x0A,         144, 0,  7, "c2pnb208w1"                }, /* 143 */
- {              0x0B,         145, 0,  7, "c2tnb239v1"                }, /* 144 */
- {              0x0C,         146, 0,  7, "c2tnb239v2"                }, /* 145 */
- {              0x0D,         147, 0,  7, "c2tnb239v3"                }, /* 146 */
- {              0x0E,         148, 0,  7, "c2onb239v4"                }, /* 147 */
- {              0x0F,         149, 0,  7, "c2onb239v5"                }, /* 148 */
- {              0x10,         150, 0,  7, "c2pnb272w1"                }, /* 149 */
- {              0x11,         151, 0,  7, "c2pnb304w1"                }, /* 150 */
- {              0x12,         152, 0,  7, "c2tnb359v1"                }, /* 151 */
- {              0x13,         153, 0,  7, "c2pnb368w1"                }, /* 152 */
- {              0x14,           0, 0,  7, "c2tnb431r1"                }, /* 153 */
- {            0x01,             0, 1,  6, "primeCurve"                }, /* 154 */
- {              0x01,         156, 0,  7, "prime192v1"                }, /* 155 */
- {              0x02,         157, 0,  7, "prime192v2"                }, /* 156 */
- {              0x03,         158, 0,  7, "prime192v3"                }, /* 157 */
- {              0x04,         159, 0,  7, "prime239v1"                }, /* 158 */
- {              0x05,         160, 0,  7, "prime239v2"                }, /* 159 */
- {              0x06,         161, 0,  7, "prime239v3"                }, /* 160 */
- {              0x07,           0, 0,  7, "prime256v1"                }, /* 161 */
- {          0x04,               0, 1,  5, "id-ecSigType"              }, /* 162 */
- {            0x01,           164, 0,  6, "ecdsa-with-SHA1"           }, /* 163 */
- {            0x03,             0, 1,  6, "ecdsa-with-Specified"      }, /* 164 */
- {              0x01,         166, 0,  7, "ecdsa-with-SHA224"         }, /* 165 */
- {              0x02,         167, 0,  7, "ecdsa-with-SHA256"         }, /* 166 */
- {              0x03,         168, 0,  7, "ecdsa-with-SHA384"         }, /* 167 */
- {              0x04,           0, 0,  7, "ecdsa-with-SHA512"         }, /* 168 */
- {0x2B,                       329, 1,  0, ""                          }, /* 169 */
- {  0x06,                     243, 1,  1, "dod"                       }, /* 170 */
- {    0x01,                     0, 1,  2, "internet"                  }, /* 171 */
- {      0x04,                 194, 1,  3, "private"                   }, /* 172 */
- {        0x01,                 0, 1,  4, "enterprise"                }, /* 173 */
- {          0x82,             187, 1,  5, ""                          }, /* 174 */
- {            0x37,           184, 1,  6, "Microsoft"                 }, /* 175 */
- {              0x0A,         180, 1,  7, ""                          }, /* 176 */
- {                0x03,         0, 1,  8, ""                          }, /* 177 */
- {                  0x03,     179, 0,  9, "msSGC"                     }, /* 178 */
- {                  0x04,       0, 0,  9, "msEncryptingFileSystem"    }, /* 179 */
- {              0x14,           0, 1,  7, "msEnrollmentInfrastructure"}, /* 180 */
- {                0x02,         0, 1,  8, "msCertificateTypeExtension"}, /* 181 */
- {                  0x02,     183, 0,  9, "msSmartcardLogon"          }, /* 182 */
- {                  0x03,       0, 0,  9, "msUPN"                     }, /* 183 */
- {            0xA0,             0, 1,  6, ""                          }, /* 184 */
- {              0x2A,           0, 1,  7, "ITA"                       }, /* 185 */
- {                0x01,         0, 0,  8, "strongSwan"                }, /* 186 */
- {          0x89,               0, 1,  5, ""                          }, /* 187 */
- {            0x31,             0, 1,  6, ""                          }, /* 188 */
- {              0x01,           0, 1,  7, ""                          }, /* 189 */
- {                0x01,         0, 1,  8, ""                          }, /* 190 */
- {                  0x02,       0, 1,  9, ""                          }, /* 191 */
- {                    0x02,     0, 1, 10, ""                          }, /* 192 */
- {                      0x4B,   0, 0, 11, "TCGID"                     }, /* 193 */
- {      0x05,                   0, 1,  3, "security"                  }, /* 194 */
- {        0x05,                 0, 1,  4, "mechanisms"                }, /* 195 */
- {          0x07,             240, 1,  5, "id-pkix"                   }, /* 196 */
- {            0x01,           201, 1,  6, "id-pe"                     }, /* 197 */
- {              0x01,         199, 0,  7, "authorityInfoAccess"       }, /* 198 */
- {              0x03,         200, 0,  7, "qcStatements"              }, /* 199 */
- {              0x07,           0, 0,  7, "ipAddrBlocks"              }, /* 200 */
- {            0x02,           204, 1,  6, "id-qt"                     }, /* 201 */
- {              0x01,         203, 0,  7, "cps"                       }, /* 202 */
- {              0x02,           0, 0,  7, "unotice"                   }, /* 203 */
- {            0x03,           214, 1,  6, "id-kp"                     }, /* 204 */
- {              0x01,         206, 0,  7, "serverAuth"                }, /* 205 */
- {              0x02,         207, 0,  7, "clientAuth"                }, /* 206 */
- {              0x03,         208, 0,  7, "codeSigning"               }, /* 207 */
- {              0x04,         209, 0,  7, "emailProtection"           }, /* 208 */
- {              0x05,         210, 0,  7, "ipsecEndSystem"            }, /* 209 */
- {              0x06,         211, 0,  7, "ipsecTunnel"               }, /* 210 */
- {              0x07,         212, 0,  7, "ipsecUser"                 }, /* 211 */
- {              0x08,         213, 0,  7, "timeStamping"              }, /* 212 */
- {              0x09,           0, 0,  7, "ocspSigning"               }, /* 213 */
- {            0x08,           222, 1,  6, "id-otherNames"             }, /* 214 */
- {              0x01,         216, 0,  7, "personalData"              }, /* 215 */
- {              0x02,         217, 0,  7, "userGroup"                 }, /* 216 */
- {              0x03,         218, 0,  7, "id-on-permanentIdentifier" }, /* 217 */
- {              0x04,         219, 0,  7, "id-on-hardwareModuleName"  }, /* 218 */
- {              0x05,         220, 0,  7, "xmppAddr"                  }, /* 219 */
- {              0x06,         221, 0,  7, "id-on-SIM"                 }, /* 220 */
- {              0x07,           0, 0,  7, "id-on-dnsSRV"              }, /* 221 */
- {            0x0A,           227, 1,  6, "id-aca"                    }, /* 222 */
- {              0x01,         224, 0,  7, "authenticationInfo"        }, /* 223 */
- {              0x02,         225, 0,  7, "accessIdentity"            }, /* 224 */
- {              0x03,         226, 0,  7, "chargingIdentity"          }, /* 225 */
- {              0x04,           0, 0,  7, "group"                     }, /* 226 */
- {            0x0B,           228, 0,  6, "subjectInfoAccess"         }, /* 227 */
- {            0x30,             0, 1,  6, "id-ad"                     }, /* 228 */
- {              0x01,         237, 1,  7, "ocsp"                      }, /* 229 */
- {                0x01,       231, 0,  8, "basic"                     }, /* 230 */
- {                0x02,       232, 0,  8, "nonce"                     }, /* 231 */
- {                0x03,       233, 0,  8, "crl"                       }, /* 232 */
- {                0x04,       234, 0,  8, "response"                  }, /* 233 */
- {                0x05,       235, 0,  8, "noCheck"                   }, /* 234 */
- {                0x06,       236, 0,  8, "archiveCutoff"             }, /* 235 */
- {                0x07,         0, 0,  8, "serviceLocator"            }, /* 236 */
- {              0x02,         238, 0,  7, "caIssuers"                 }, /* 237 */
- {              0x03,         239, 0,  7, "timeStamping"              }, /* 238 */
- {              0x05,           0, 0,  7, "caRepository"              }, /* 239 */
- {          0x08,               0, 1,  5, "ipsec"                     }, /* 240 */
- {            0x02,             0, 1,  6, "certificate"               }, /* 241 */
- {              0x02,           0, 0,  7, "iKEIntermediate"           }, /* 242 */
- {  0x0E,                     249, 1,  1, "oiw"                       }, /* 243 */
- {    0x03,                     0, 1,  2, "secsig"                    }, /* 244 */
- {      0x02,                   0, 1,  3, "algorithms"                }, /* 245 */
- {        0x07,               247, 0,  4, "des-cbc"                   }, /* 246 */
- {        0x1A,               248, 0,  4, "sha-1"                     }, /* 247 */
- {        0x1D,                 0, 0,  4, "sha-1WithRSASignature"     }, /* 248 */
- {  0x24,                     295, 1,  1, "TeleTrusT"                 }, /* 249 */
- {    0x03,                     0, 1,  2, "algorithm"                 }, /* 250 */
- {      0x03,                   0, 1,  3, "signatureAlgorithm"        }, /* 251 */
- {        0x01,               256, 1,  4, "rsaSignature"              }, /* 252 */
- {          0x02,             254, 0,  5, "rsaSigWithripemd160"       }, /* 253 */
- {          0x03,             255, 0,  5, "rsaSigWithripemd128"       }, /* 254 */
- {          0x04,               0, 0,  5, "rsaSigWithripemd256"       }, /* 255 */
- {        0x02,                 0, 1,  4, "ecSign"                    }, /* 256 */
- {          0x01,             258, 0,  5, "ecSignWithsha1"            }, /* 257 */
- {          0x02,             259, 0,  5, "ecSignWithripemd160"       }, /* 258 */
- {          0x03,             260, 0,  5, "ecSignWithmd2"             }, /* 259 */
- {          0x04,             261, 0,  5, "ecSignWithmd5"             }, /* 260 */
- {          0x05,             278, 1,  5, "ttt-ecg"                   }, /* 261 */
- {            0x01,           266, 1,  6, "fieldType"                 }, /* 262 */
- {              0x01,           0, 1,  7, "characteristictwoField"    }, /* 263 */
- {                0x01,         0, 1,  8, "basisType"                 }, /* 264 */
- {                  0x01,       0, 0,  9, "ipBasis"                   }, /* 265 */
- {            0x02,           268, 1,  6, "keyType"                   }, /* 266 */
- {              0x01,           0, 0,  7, "ecgPublicKey"              }, /* 267 */
- {            0x03,           269, 0,  6, "curve"                     }, /* 268 */
- {            0x04,           276, 1,  6, "signatures"                }, /* 269 */
- {              0x01,         271, 0,  7, "ecgdsa-with-RIPEMD160"     }, /* 270 */
- {              0x02,         272, 0,  7, "ecgdsa-with-SHA1"          }, /* 271 */
- {              0x03,         273, 0,  7, "ecgdsa-with-SHA224"        }, /* 272 */
- {              0x04,         274, 0,  7, "ecgdsa-with-SHA256"        }, /* 273 */
- {              0x05,         275, 0,  7, "ecgdsa-with-SHA384"        }, /* 274 */
- {              0x06,           0, 0,  7, "ecgdsa-with-SHA512"        }, /* 275 */
- {            0x05,             0, 1,  6, "module"                    }, /* 276 */
- {              0x01,           0, 0,  7, "1"                         }, /* 277 */
- {          0x08,               0, 1,  5, "ecStdCurvesAndGeneration"  }, /* 278 */
- {            0x01,             0, 1,  6, "ellipticCurve"             }, /* 279 */
- {              0x01,           0, 1,  7, "versionOne"                }, /* 280 */
- {                0x01,       282, 0,  8, "brainpoolP160r1"           }, /* 281 */
- {                0x02,       283, 0,  8, "brainpoolP160t1"           }, /* 282 */
- {                0x03,       284, 0,  8, "brainpoolP192r1"           }, /* 283 */
- {                0x04,       285, 0,  8, "brainpoolP192t1"           }, /* 284 */
- {                0x05,       286, 0,  8, "brainpoolP224r1"           }, /* 285 */
- {                0x06,       287, 0,  8, "brainpoolP224t1"           }, /* 286 */
- {                0x07,       288, 0,  8, "brainpoolP256r1"           }, /* 287 */
- {                0x08,       289, 0,  8, "brainpoolP256t1"           }, /* 288 */
- {                0x09,       290, 0,  8, "brainpoolP320r1"           }, /* 289 */
- {                0x0A,       291, 0,  8, "brainpoolP320t1"           }, /* 290 */
- {                0x0B,       292, 0,  8, "brainpoolP384r1"           }, /* 291 */
- {                0x0C,       293, 0,  8, "brainpoolP384t1"           }, /* 292 */
- {                0x0D,       294, 0,  8, "brainpoolP512r1"           }, /* 293 */
- {                0x0E,         0, 0,  8, "brainpoolP512t1"           }, /* 294 */
- {  0x81,                       0, 1,  1, ""                          }, /* 295 */
- {    0x04,                     0, 1,  2, "Certicom"                  }, /* 296 */
- {      0x00,                   0, 1,  3, "curve"                     }, /* 297 */
- {        0x01,               299, 0,  4, "sect163k1"                 }, /* 298 */
- {        0x02,               300, 0,  4, "sect163r1"                 }, /* 299 */
- {        0x03,               301, 0,  4, "sect239k1"                 }, /* 300 */
- {        0x04,               302, 0,  4, "sect113r1"                 }, /* 301 */
- {        0x05,               303, 0,  4, "sect113r2"                 }, /* 302 */
- {        0x06,               304, 0,  4, "secp112r1"                 }, /* 303 */
- {        0x07,               305, 0,  4, "secp112r2"                 }, /* 304 */
- {        0x08,               306, 0,  4, "secp160r1"                 }, /* 305 */
- {        0x09,               307, 0,  4, "secp160k1"                 }, /* 306 */
- {        0x0A,               308, 0,  4, "secp256k1"                 }, /* 307 */
- {        0x0F,               309, 0,  4, "sect163r2"                 }, /* 308 */
- {        0x10,               310, 0,  4, "sect283k1"                 }, /* 309 */
- {        0x11,               311, 0,  4, "sect283r1"                 }, /* 310 */
- {        0x16,               312, 0,  4, "sect131r1"                 }, /* 311 */
- {        0x17,               313, 0,  4, "sect131r2"                 }, /* 312 */
- {        0x18,               314, 0,  4, "sect193r1"                 }, /* 313 */
- {        0x19,               315, 0,  4, "sect193r2"                 }, /* 314 */
- {        0x1A,               316, 0,  4, "sect233k1"                 }, /* 315 */
- {        0x1B,               317, 0,  4, "sect233r1"                 }, /* 316 */
- {        0x1C,               318, 0,  4, "secp128r1"                 }, /* 317 */
- {        0x1D,               319, 0,  4, "secp128r2"                 }, /* 318 */
- {        0x1E,               320, 0,  4, "secp160r2"                 }, /* 319 */
- {        0x1F,               321, 0,  4, "secp192k1"                 }, /* 320 */
- {        0x20,               322, 0,  4, "secp224k1"                 }, /* 321 */
- {        0x21,               323, 0,  4, "secp224r1"                 }, /* 322 */
- {        0x22,               324, 0,  4, "secp384r1"                 }, /* 323 */
- {        0x23,               325, 0,  4, "secp521r1"                 }, /* 324 */
- {        0x24,               326, 0,  4, "sect409k1"                 }, /* 325 */
- {        0x25,               327, 0,  4, "sect409r1"                 }, /* 326 */
- {        0x26,               328, 0,  4, "sect571k1"                 }, /* 327 */
- {        0x27,                 0, 0,  4, "sect571r1"                 }, /* 328 */
- {0x60,                       377, 1,  0, ""                          }, /* 329 */
- {  0x86,                       0, 1,  1, ""                          }, /* 330 */
- {    0x48,                     0, 1,  2, ""                          }, /* 331 */
- {      0x01,                   0, 1,  3, "organization"              }, /* 332 */
- {        0x65,               353, 1,  4, "gov"                       }, /* 333 */
- {          0x03,               0, 1,  5, "csor"                      }, /* 334 */
- {            0x04,             0, 1,  6, "nistalgorithm"             }, /* 335 */
- {              0x01,         346, 1,  7, "aes"                       }, /* 336 */
- {                0x02,       338, 0,  8, "id-aes128-CBC"             }, /* 337 */
- {                0x06,       339, 0,  8, "id-aes128-GCM"             }, /* 338 */
- {                0x07,       340, 0,  8, "id-aes128-CCM"             }, /* 339 */
- {                0x16,       341, 0,  8, "id-aes192-CBC"             }, /* 340 */
- {                0x1A,       342, 0,  8, "id-aes192-GCM"             }, /* 341 */
- {                0x1B,       343, 0,  8, "id-aes192-CCM"             }, /* 342 */
- {                0x2A,       344, 0,  8, "id-aes256-CBC"             }, /* 343 */
- {                0x2E,       345, 0,  8, "id-aes256-GCM"             }, /* 344 */
- {                0x2F,         0, 0,  8, "id-aes256-CCM"             }, /* 345 */
- {              0x02,           0, 1,  7, "hashalgs"                  }, /* 346 */
- {                0x01,       348, 0,  8, "id-SHA-256"                }, /* 347 */
- {                0x02,       349, 0,  8, "id-SHA-384"                }, /* 348 */
- {                0x03,       350, 0,  8, "id-SHA-512"                }, /* 349 */
- {                0x04,       351, 0,  8, "id-SHA-224"                }, /* 350 */
- {                0x05,       352, 0,  8, "id-SHA-512-224"            }, /* 351 */
- {                0x06,         0, 0,  8, "id-SHA-512-256"            }, /* 352 */
- {        0x86,                 0, 1,  4, ""                          }, /* 353 */
- {          0xf8,               0, 1,  5, ""                          }, /* 354 */
- {            0x42,           367, 1,  6, "netscape"                  }, /* 355 */
- {              0x01,         362, 1,  7, ""                          }, /* 356 */
- {                0x01,       358, 0,  8, "nsCertType"                }, /* 357 */
- {                0x03,       359, 0,  8, "nsRevocationUrl"           }, /* 358 */
- {                0x04,       360, 0,  8, "nsCaRevocationUrl"         }, /* 359 */
- {                0x08,       361, 0,  8, "nsCaPolicyUrl"             }, /* 360 */
- {                0x0d,         0, 0,  8, "nsComment"                 }, /* 361 */
- {              0x03,         365, 1,  7, "directory"                 }, /* 362 */
- {                0x01,         0, 1,  8, ""                          }, /* 363 */
- {                  0x03,       0, 0,  9, "employeeNumber"            }, /* 364 */
- {              0x04,           0, 1,  7, "policy"                    }, /* 365 */
- {                0x01,         0, 0,  8, "nsSGC"                     }, /* 366 */
- {            0x45,             0, 1,  6, "verisign"                  }, /* 367 */
- {              0x01,           0, 1,  7, "pki"                       }, /* 368 */
- {                0x09,         0, 1,  8, "attributes"                }, /* 369 */
- {                  0x02,     371, 0,  9, "messageType"               }, /* 370 */
- {                  0x03,     372, 0,  9, "pkiStatus"                 }, /* 371 */
- {                  0x04,     373, 0,  9, "failInfo"                  }, /* 372 */
- {                  0x05,     374, 0,  9, "senderNonce"               }, /* 373 */
- {                  0x06,     375, 0,  9, "recipientNonce"            }, /* 374 */
- {                  0x07,     376, 0,  9, "transID"                   }, /* 375 */
- {                  0x08,       0, 0,  9, "extensionReq"              }, /* 376 */
- {0x67,                         0, 1,  0, ""                          }, /* 377 */
- {  0x81,                       0, 1,  1, ""                          }, /* 378 */
- {    0x05,                     0, 1,  2, ""                          }, /* 379 */
- {      0x02,                   0, 1,  3, "tcg-attribute"             }, /* 380 */
- {        0x01,               382, 0,  4, "tcg-at-tpmManufacturer"    }, /* 381 */
- {        0x02,               383, 0,  4, "tcg-at-tpmModel"           }, /* 382 */
- {        0x03,               384, 0,  4, "tcg-at-tpmVersion"         }, /* 383 */
- {        0x0F,                 0, 0,  4, "tcg-at-tpmIdLabel"         }  /* 384 */
+ {0x02,                         7, 1,  0, "ITU-T Administration"           }, /*   0 */
+ {  0x82,                       0, 1,  1, ""                               }, /*   1 */
+ {    0x06,                     0, 1,  2, "Germany ITU-T member"           }, /*   2 */
+ {      0x01,                   0, 1,  3, "Deutsche Telekom AG"            }, /*   3 */
+ {        0x0A,                 0, 1,  4, ""                               }, /*   4 */
+ {          0x07,               0, 1,  5, ""                               }, /*   5 */
+ {            0x14,             0, 0,  6, "ND"                             }, /*   6 */
+ {0x09,                        18, 1,  0, "data"                           }, /*   7 */
+ {  0x92,                       0, 1,  1, ""                               }, /*   8 */
+ {    0x26,                     0, 1,  2, ""                               }, /*   9 */
+ {      0x89,                   0, 1,  3, ""                               }, /*  10 */
+ {        0x93,                 0, 1,  4, ""                               }, /*  11 */
+ {          0xF2,               0, 1,  5, ""                               }, /*  12 */
+ {            0x2C,             0, 1,  6, ""                               }, /*  13 */
+ {              0x64,           0, 1,  7, "pilot"                          }, /*  14 */
+ {                0x01,         0, 1,  8, "pilotAttributeType"             }, /*  15 */
+ {                  0x01,      17, 0,  9, "UID"                            }, /*  16 */
+ {                  0x19,       0, 0,  9, "DC"                             }, /*  17 */
+ {0x55,                        65, 1,  0, "X.500"                          }, /*  18 */
+ {  0x04,                      37, 1,  1, "X.509"                          }, /*  19 */
+ {    0x03,                    21, 0,  2, "CN"                             }, /*  20 */
+ {    0x04,                    22, 0,  2, "S"                              }, /*  21 */
+ {    0x05,                    23, 0,  2, "SN"                             }, /*  22 */
+ {    0x06,                    24, 0,  2, "C"                              }, /*  23 */
+ {    0x07,                    25, 0,  2, "L"                              }, /*  24 */
+ {    0x08,                    26, 0,  2, "ST"                             }, /*  25 */
+ {    0x0A,                    27, 0,  2, "O"                              }, /*  26 */
+ {    0x0B,                    28, 0,  2, "OU"                             }, /*  27 */
+ {    0x0C,                    29, 0,  2, "T"                              }, /*  28 */
+ {    0x0D,                    30, 0,  2, "D"                              }, /*  29 */
+ {    0x24,                    31, 0,  2, "userCertificate"                }, /*  30 */
+ {    0x29,                    32, 0,  2, "N"                              }, /*  31 */
+ {    0x2A,                    33, 0,  2, "G"                              }, /*  32 */
+ {    0x2B,                    34, 0,  2, "I"                              }, /*  33 */
+ {    0x2D,                    35, 0,  2, "ID"                             }, /*  34 */
+ {    0x2E,                    36, 0,  2, "dnQualifier"                    }, /*  35 */
+ {    0x48,                     0, 0,  2, "role"                           }, /*  36 */
+ {  0x1D,                       0, 1,  1, "id-ce"                          }, /*  37 */
+ {    0x09,                    39, 0,  2, "subjectDirectoryAttrs"          }, /*  38 */
+ {    0x0E,                    40, 0,  2, "subjectKeyIdentifier"           }, /*  39 */
+ {    0x0F,                    41, 0,  2, "keyUsage"                       }, /*  40 */
+ {    0x10,                    42, 0,  2, "privateKeyUsagePeriod"          }, /*  41 */
+ {    0x11,                    43, 0,  2, "subjectAltName"                 }, /*  42 */
+ {    0x12,                    44, 0,  2, "issuerAltName"                  }, /*  43 */
+ {    0x13,                    45, 0,  2, "basicConstraints"               }, /*  44 */
+ {    0x14,                    46, 0,  2, "crlNumber"                      }, /*  45 */
+ {    0x15,                    47, 0,  2, "reasonCode"                     }, /*  46 */
+ {    0x17,                    48, 0,  2, "holdInstructionCode"            }, /*  47 */
+ {    0x18,                    49, 0,  2, "invalidityDate"                 }, /*  48 */
+ {    0x1B,                    50, 0,  2, "deltaCrlIndicator"              }, /*  49 */
+ {    0x1C,                    51, 0,  2, "issuingDistributionPoint"       }, /*  50 */
+ {    0x1D,                    52, 0,  2, "certificateIssuer"              }, /*  51 */
+ {    0x1E,                    53, 0,  2, "nameConstraints"                }, /*  52 */
+ {    0x1F,                    54, 0,  2, "crlDistributionPoints"          }, /*  53 */
+ {    0x20,                    56, 1,  2, "certificatePolicies"            }, /*  54 */
+ {      0x00,                   0, 0,  3, "anyPolicy"                      }, /*  55 */
+ {    0x21,                    57, 0,  2, "policyMappings"                 }, /*  56 */
+ {    0x23,                    58, 0,  2, "authorityKeyIdentifier"         }, /*  57 */
+ {    0x24,                    59, 0,  2, "policyConstraints"              }, /*  58 */
+ {    0x25,                    61, 1,  2, "extendedKeyUsage"               }, /*  59 */
+ {      0x00,                   0, 0,  3, "anyExtendedKeyUsage"            }, /*  60 */
+ {    0x2E,                    62, 0,  2, "freshestCRL"                    }, /*  61 */
+ {    0x36,                    63, 0,  2, "inhibitAnyPolicy"               }, /*  62 */
+ {    0x37,                    64, 0,  2, "targetInformation"              }, /*  63 */
+ {    0x38,                     0, 0,  2, "noRevAvail"                     }, /*  64 */
+ {0x2A,                       188, 1,  0, ""                               }, /*  65 */
+ {  0x83,                      78, 1,  1, ""                               }, /*  66 */
+ {    0x08,                     0, 1,  2, "jp"                             }, /*  67 */
+ {      0x8C,                   0, 1,  3, ""                               }, /*  68 */
+ {        0x9A,                 0, 1,  4, ""                               }, /*  69 */
+ {          0x4B,               0, 1,  5, ""                               }, /*  70 */
+ {            0x3D,             0, 1,  6, ""                               }, /*  71 */
+ {              0x01,           0, 1,  7, "security"                       }, /*  72 */
+ {                0x01,         0, 1,  8, "algorithm"                      }, /*  73 */
+ {                  0x01,       0, 1,  9, "symm-encryption-alg"            }, /*  74 */
+ {                    0x02,    76, 0, 10, "camellia128-cbc"                }, /*  75 */
+ {                    0x03,    77, 0, 10, "camellia192-cbc"                }, /*  76 */
+ {                    0x04,     0, 0, 10, "camellia256-cbc"                }, /*  77 */
+ {  0x86,                       0, 1,  1, ""                               }, /*  78 */
+ {    0x48,                     0, 1,  2, "us"                             }, /*  79 */
+ {      0x86,                 147, 1,  3, ""                               }, /*  80 */
+ {        0xF6,                86, 1,  4, ""                               }, /*  81 */
+ {          0x7D,               0, 1,  5, "NortelNetworks"                 }, /*  82 */
+ {            0x07,             0, 1,  6, "Entrust"                        }, /*  83 */
+ {              0x41,           0, 1,  7, "nsn-ce"                         }, /*  84 */
+ {                0x00,         0, 0,  8, "entrustVersInfo"                }, /*  85 */
+ {        0xF7,                 0, 1,  4, ""                               }, /*  86 */
+ {          0x0D,               0, 1,  5, "RSADSI"                         }, /*  87 */
+ {            0x01,           142, 1,  6, "PKCS"                           }, /*  88 */
+ {              0x01,         100, 1,  7, "PKCS-1"                         }, /*  89 */
+ {                0x01,        91, 0,  8, "rsaEncryption"                  }, /*  90 */
+ {                0x02,        92, 0,  8, "md2WithRSAEncryption"           }, /*  91 */
+ {                0x04,        93, 0,  8, "md5WithRSAEncryption"           }, /*  92 */
+ {                0x05,        94, 0,  8, "sha-1WithRSAEncryption"         }, /*  93 */
+ {                0x07,        95, 0,  8, "id-RSAES-OAEP"                  }, /*  94 */
+ {                0x09,        96, 0,  8, "id-pSpecified"                  }, /*  95 */
+ {                0x0B,        97, 0,  8, "sha256WithRSAEncryption"        }, /*  96 */
+ {                0x0C,        98, 0,  8, "sha384WithRSAEncryption"        }, /*  97 */
+ {                0x0D,        99, 0,  8, "sha512WithRSAEncryption"        }, /*  98 */
+ {                0x0E,         0, 0,  8, "sha224WithRSAEncryption"        }, /*  99 */
+ {              0x05,         105, 1,  7, "PKCS-5"                         }, /* 100 */
+ {                0x03,       102, 0,  8, "pbeWithMD5AndDES-CBC"           }, /* 101 */
+ {                0x0A,       103, 0,  8, "pbeWithSHA1AndDES-CBC"          }, /* 102 */
+ {                0x0C,       104, 0,  8, "id-PBKDF2"                      }, /* 103 */
+ {                0x0D,         0, 0,  8, "id-PBES2"                       }, /* 104 */
+ {              0x07,         112, 1,  7, "PKCS-7"                         }, /* 105 */
+ {                0x01,       107, 0,  8, "data"                           }, /* 106 */
+ {                0x02,       108, 0,  8, "signedData"                     }, /* 107 */
+ {                0x03,       109, 0,  8, "envelopedData"                  }, /* 108 */
+ {                0x04,       110, 0,  8, "signedAndEnvelopedData"         }, /* 109 */
+ {                0x05,       111, 0,  8, "digestedData"                   }, /* 110 */
+ {                0x06,         0, 0,  8, "encryptedData"                  }, /* 111 */
+ {              0x09,         126, 1,  7, "PKCS-9"                         }, /* 112 */
+ {                0x01,       114, 0,  8, "E"                              }, /* 113 */
+ {                0x02,       115, 0,  8, "unstructuredName"               }, /* 114 */
+ {                0x03,       116, 0,  8, "contentType"                    }, /* 115 */
+ {                0x04,       117, 0,  8, "messageDigest"                  }, /* 116 */
+ {                0x05,       118, 0,  8, "signingTime"                    }, /* 117 */
+ {                0x06,       119, 0,  8, "counterSignature"               }, /* 118 */
+ {                0x07,       120, 0,  8, "challengePassword"              }, /* 119 */
+ {                0x08,       121, 0,  8, "unstructuredAddress"            }, /* 120 */
+ {                0x0E,       122, 0,  8, "extensionRequest"               }, /* 121 */
+ {                0x0F,       123, 0,  8, "S/MIME Capabilities"            }, /* 122 */
+ {                0x16,         0, 1,  8, "certTypes"                      }, /* 123 */
+ {                  0x01,     125, 0,  9, "X.509"                          }, /* 124 */
+ {                  0x02,       0, 0,  9, "SDSI"                           }, /* 125 */
+ {              0x0c,           0, 1,  7, "PKCS-12"                        }, /* 126 */
+ {                0x01,       134, 1,  8, "pbeIds"                         }, /* 127 */
+ {                  0x01,     129, 0,  9, "pbeWithSHAAnd128BitRC4"         }, /* 128 */
+ {                  0x02,     130, 0,  9, "pbeWithSHAAnd40BitRC4"          }, /* 129 */
+ {                  0x03,     131, 0,  9, "pbeWithSHAAnd3-KeyTripleDES-CBC"}, /* 130 */
+ {                  0x04,     132, 0,  9, "pbeWithSHAAnd2-KeyTripleDES-CBC"}, /* 131 */
+ {                  0x05,     133, 0,  9, "pbeWithSHAAnd128BitRC2-CBC"     }, /* 132 */
+ {                  0x06,       0, 0,  9, "pbeWithSHAAnd40BitRC2-CBC"      }, /* 133 */
+ {                0x0a,         0, 1,  8, "PKCS-12v1"                      }, /* 134 */
+ {                  0x01,       0, 1,  9, "bagIds"                         }, /* 135 */
+ {                    0x01,   137, 0, 10, "keyBag"                         }, /* 136 */
+ {                    0x02,   138, 0, 10, "pkcs8ShroudedKeyBag"            }, /* 137 */
+ {                    0x03,   139, 0, 10, "certBag"                        }, /* 138 */
+ {                    0x04,   140, 0, 10, "crlBag"                         }, /* 139 */
+ {                    0x05,   141, 0, 10, "secretBag"                      }, /* 140 */
+ {                    0x06,     0, 0, 10, "safeContentsBag"                }, /* 141 */
+ {            0x02,           145, 1,  6, "digestAlgorithm"                }, /* 142 */
+ {              0x02,         144, 0,  7, "md2"                            }, /* 143 */
+ {              0x05,           0, 0,  7, "md5"                            }, /* 144 */
+ {            0x03,             0, 1,  6, "encryptionAlgorithm"            }, /* 145 */
+ {              0x07,           0, 0,  7, "3des-ede-cbc"                   }, /* 146 */
+ {      0xCE,                   0, 1,  3, ""                               }, /* 147 */
+ {        0x3D,                 0, 1,  4, "ansi-X9-62"                     }, /* 148 */
+ {          0x02,             151, 1,  5, "id-publicKeyType"               }, /* 149 */
+ {            0x01,             0, 0,  6, "id-ecPublicKey"                 }, /* 150 */
+ {          0x03,             181, 1,  5, "ellipticCurve"                  }, /* 151 */
+ {            0x00,           173, 1,  6, "c-TwoCurve"                     }, /* 152 */
+ {              0x01,         154, 0,  7, "c2pnb163v1"                     }, /* 153 */
+ {              0x02,         155, 0,  7, "c2pnb163v2"                     }, /* 154 */
+ {              0x03,         156, 0,  7, "c2pnb163v3"                     }, /* 155 */
+ {              0x04,         157, 0,  7, "c2pnb176w1"                     }, /* 156 */
+ {              0x05,         158, 0,  7, "c2tnb191v1"                     }, /* 157 */
+ {              0x06,         159, 0,  7, "c2tnb191v2"                     }, /* 158 */
+ {              0x07,         160, 0,  7, "c2tnb191v3"                     }, /* 159 */
+ {              0x08,         161, 0,  7, "c2onb191v4"                     }, /* 160 */
+ {              0x09,         162, 0,  7, "c2onb191v5"                     }, /* 161 */
+ {              0x0A,         163, 0,  7, "c2pnb208w1"                     }, /* 162 */
+ {              0x0B,         164, 0,  7, "c2tnb239v1"                     }, /* 163 */
+ {              0x0C,         165, 0,  7, "c2tnb239v2"                     }, /* 164 */
+ {              0x0D,         166, 0,  7, "c2tnb239v3"                     }, /* 165 */
+ {              0x0E,         167, 0,  7, "c2onb239v4"                     }, /* 166 */
+ {              0x0F,         168, 0,  7, "c2onb239v5"                     }, /* 167 */
+ {              0x10,         169, 0,  7, "c2pnb272w1"                     }, /* 168 */
+ {              0x11,         170, 0,  7, "c2pnb304w1"                     }, /* 169 */
+ {              0x12,         171, 0,  7, "c2tnb359v1"                     }, /* 170 */
+ {              0x13,         172, 0,  7, "c2pnb368w1"                     }, /* 171 */
+ {              0x14,           0, 0,  7, "c2tnb431r1"                     }, /* 172 */
+ {            0x01,             0, 1,  6, "primeCurve"                     }, /* 173 */
+ {              0x01,         175, 0,  7, "prime192v1"                     }, /* 174 */
+ {              0x02,         176, 0,  7, "prime192v2"                     }, /* 175 */
+ {              0x03,         177, 0,  7, "prime192v3"                     }, /* 176 */
+ {              0x04,         178, 0,  7, "prime239v1"                     }, /* 177 */
+ {              0x05,         179, 0,  7, "prime239v2"                     }, /* 178 */
+ {              0x06,         180, 0,  7, "prime239v3"                     }, /* 179 */
+ {              0x07,           0, 0,  7, "prime256v1"                     }, /* 180 */
+ {          0x04,               0, 1,  5, "id-ecSigType"                   }, /* 181 */
+ {            0x01,           183, 0,  6, "ecdsa-with-SHA1"                }, /* 182 */
+ {            0x03,             0, 1,  6, "ecdsa-with-Specified"           }, /* 183 */
+ {              0x01,         185, 0,  7, "ecdsa-with-SHA224"              }, /* 184 */
+ {              0x02,         186, 0,  7, "ecdsa-with-SHA256"              }, /* 185 */
+ {              0x03,         187, 0,  7, "ecdsa-with-SHA384"              }, /* 186 */
+ {              0x04,           0, 0,  7, "ecdsa-with-SHA512"              }, /* 187 */
+ {0x2B,                       348, 1,  0, ""                               }, /* 188 */
+ {  0x06,                     262, 1,  1, "dod"                            }, /* 189 */
+ {    0x01,                     0, 1,  2, "internet"                       }, /* 190 */
+ {      0x04,                 213, 1,  3, "private"                        }, /* 191 */
+ {        0x01,                 0, 1,  4, "enterprise"                     }, /* 192 */
+ {          0x82,             206, 1,  5, ""                               }, /* 193 */
+ {            0x37,           203, 1,  6, "Microsoft"                      }, /* 194 */
+ {              0x0A,         199, 1,  7, ""                               }, /* 195 */
+ {                0x03,         0, 1,  8, ""                               }, /* 196 */
+ {                  0x03,     198, 0,  9, "msSGC"                          }, /* 197 */
+ {                  0x04,       0, 0,  9, "msEncryptingFileSystem"         }, /* 198 */
+ {              0x14,           0, 1,  7, "msEnrollmentInfrastructure"     }, /* 199 */
+ {                0x02,         0, 1,  8, "msCertificateTypeExtension"     }, /* 200 */
+ {                  0x02,     202, 0,  9, "msSmartcardLogon"               }, /* 201 */
+ {                  0x03,       0, 0,  9, "msUPN"                          }, /* 202 */
+ {            0xA0,             0, 1,  6, ""                               }, /* 203 */
+ {              0x2A,           0, 1,  7, "ITA"                            }, /* 204 */
+ {                0x01,         0, 0,  8, "strongSwan"                     }, /* 205 */
+ {          0x89,               0, 1,  5, ""                               }, /* 206 */
+ {            0x31,             0, 1,  6, ""                               }, /* 207 */
+ {              0x01,           0, 1,  7, ""                               }, /* 208 */
+ {                0x01,         0, 1,  8, ""                               }, /* 209 */
+ {                  0x02,       0, 1,  9, ""                               }, /* 210 */
+ {                    0x02,     0, 1, 10, ""                               }, /* 211 */
+ {                      0x4B,   0, 0, 11, "TCGID"                          }, /* 212 */
+ {      0x05,                   0, 1,  3, "security"                       }, /* 213 */
+ {        0x05,                 0, 1,  4, "mechanisms"                     }, /* 214 */
+ {          0x07,             259, 1,  5, "id-pkix"                        }, /* 215 */
+ {            0x01,           220, 1,  6, "id-pe"                          }, /* 216 */
+ {              0x01,         218, 0,  7, "authorityInfoAccess"            }, /* 217 */
+ {              0x03,         219, 0,  7, "qcStatements"                   }, /* 218 */
+ {              0x07,           0, 0,  7, "ipAddrBlocks"                   }, /* 219 */
+ {            0x02,           223, 1,  6, "id-qt"                          }, /* 220 */
+ {              0x01,         222, 0,  7, "cps"                            }, /* 221 */
+ {              0x02,           0, 0,  7, "unotice"                        }, /* 222 */
+ {            0x03,           233, 1,  6, "id-kp"                          }, /* 223 */
+ {              0x01,         225, 0,  7, "serverAuth"                     }, /* 224 */
+ {              0x02,         226, 0,  7, "clientAuth"                     }, /* 225 */
+ {              0x03,         227, 0,  7, "codeSigning"                    }, /* 226 */
+ {              0x04,         228, 0,  7, "emailProtection"                }, /* 227 */
+ {              0x05,         229, 0,  7, "ipsecEndSystem"                 }, /* 228 */
+ {              0x06,         230, 0,  7, "ipsecTunnel"                    }, /* 229 */
+ {              0x07,         231, 0,  7, "ipsecUser"                      }, /* 230 */
+ {              0x08,         232, 0,  7, "timeStamping"                   }, /* 231 */
+ {              0x09,           0, 0,  7, "ocspSigning"                    }, /* 232 */
+ {            0x08,           241, 1,  6, "id-otherNames"                  }, /* 233 */
+ {              0x01,         235, 0,  7, "personalData"                   }, /* 234 */
+ {              0x02,         236, 0,  7, "userGroup"                      }, /* 235 */
+ {              0x03,         237, 0,  7, "id-on-permanentIdentifier"      }, /* 236 */
+ {              0x04,         238, 0,  7, "id-on-hardwareModuleName"       }, /* 237 */
+ {              0x05,         239, 0,  7, "xmppAddr"                       }, /* 238 */
+ {              0x06,         240, 0,  7, "id-on-SIM"                      }, /* 239 */
+ {              0x07,           0, 0,  7, "id-on-dnsSRV"                   }, /* 240 */
+ {            0x0A,           246, 1,  6, "id-aca"                         }, /* 241 */
+ {              0x01,         243, 0,  7, "authenticationInfo"             }, /* 242 */
+ {              0x02,         244, 0,  7, "accessIdentity"                 }, /* 243 */
+ {              0x03,         245, 0,  7, "chargingIdentity"               }, /* 244 */
+ {              0x04,           0, 0,  7, "group"                          }, /* 245 */
+ {            0x0B,           247, 0,  6, "subjectInfoAccess"              }, /* 246 */
+ {            0x30,             0, 1,  6, "id-ad"                          }, /* 247 */
+ {              0x01,         256, 1,  7, "ocsp"                           }, /* 248 */
+ {                0x01,       250, 0,  8, "basic"                          }, /* 249 */
+ {                0x02,       251, 0,  8, "nonce"                          }, /* 250 */
+ {                0x03,       252, 0,  8, "crl"                            }, /* 251 */
+ {                0x04,       253, 0,  8, "response"                       }, /* 252 */
+ {                0x05,       254, 0,  8, "noCheck"                        }, /* 253 */
+ {                0x06,       255, 0,  8, "archiveCutoff"                  }, /* 254 */
+ {                0x07,         0, 0,  8, "serviceLocator"                 }, /* 255 */
+ {              0x02,         257, 0,  7, "caIssuers"                      }, /* 256 */
+ {              0x03,         258, 0,  7, "timeStamping"                   }, /* 257 */
+ {              0x05,           0, 0,  7, "caRepository"                   }, /* 258 */
+ {          0x08,               0, 1,  5, "ipsec"                          }, /* 259 */
+ {            0x02,             0, 1,  6, "certificate"                    }, /* 260 */
+ {              0x02,           0, 0,  7, "iKEIntermediate"                }, /* 261 */
+ {  0x0E,                     268, 1,  1, "oiw"                            }, /* 262 */
+ {    0x03,                     0, 1,  2, "secsig"                         }, /* 263 */
+ {      0x02,                   0, 1,  3, "algorithms"                     }, /* 264 */
+ {        0x07,               266, 0,  4, "des-cbc"                        }, /* 265 */
+ {        0x1A,               267, 0,  4, "sha-1"                          }, /* 266 */
+ {        0x1D,                 0, 0,  4, "sha-1WithRSASignature"          }, /* 267 */
+ {  0x24,                     314, 1,  1, "TeleTrusT"                      }, /* 268 */
+ {    0x03,                     0, 1,  2, "algorithm"                      }, /* 269 */
+ {      0x03,                   0, 1,  3, "signatureAlgorithm"             }, /* 270 */
+ {        0x01,               275, 1,  4, "rsaSignature"                   }, /* 271 */
+ {          0x02,             273, 0,  5, "rsaSigWithripemd160"            }, /* 272 */
+ {          0x03,             274, 0,  5, "rsaSigWithripemd128"            }, /* 273 */
+ {          0x04,               0, 0,  5, "rsaSigWithripemd256"            }, /* 274 */
+ {        0x02,                 0, 1,  4, "ecSign"                         }, /* 275 */
+ {          0x01,             277, 0,  5, "ecSignWithsha1"                 }, /* 276 */
+ {          0x02,             278, 0,  5, "ecSignWithripemd160"            }, /* 277 */
+ {          0x03,             279, 0,  5, "ecSignWithmd2"                  }, /* 278 */
+ {          0x04,             280, 0,  5, "ecSignWithmd5"                  }, /* 279 */
+ {          0x05,             297, 1,  5, "ttt-ecg"                        }, /* 280 */
+ {            0x01,           285, 1,  6, "fieldType"                      }, /* 281 */
+ {              0x01,           0, 1,  7, "characteristictwoField"         }, /* 282 */
+ {                0x01,         0, 1,  8, "basisType"                      }, /* 283 */
+ {                  0x01,       0, 0,  9, "ipBasis"                        }, /* 284 */
+ {            0x02,           287, 1,  6, "keyType"                        }, /* 285 */
+ {              0x01,           0, 0,  7, "ecgPublicKey"                   }, /* 286 */
+ {            0x03,           288, 0,  6, "curve"                          }, /* 287 */
+ {            0x04,           295, 1,  6, "signatures"                     }, /* 288 */
+ {              0x01,         290, 0,  7, "ecgdsa-with-RIPEMD160"          }, /* 289 */
+ {              0x02,         291, 0,  7, "ecgdsa-with-SHA1"               }, /* 290 */
+ {              0x03,         292, 0,  7, "ecgdsa-with-SHA224"             }, /* 291 */
+ {              0x04,         293, 0,  7, "ecgdsa-with-SHA256"             }, /* 292 */
+ {              0x05,         294, 0,  7, "ecgdsa-with-SHA384"             }, /* 293 */
+ {              0x06,           0, 0,  7, "ecgdsa-with-SHA512"             }, /* 294 */
+ {            0x05,             0, 1,  6, "module"                         }, /* 295 */
+ {              0x01,           0, 0,  7, "1"                              }, /* 296 */
+ {          0x08,               0, 1,  5, "ecStdCurvesAndGeneration"       }, /* 297 */
+ {            0x01,             0, 1,  6, "ellipticCurve"                  }, /* 298 */
+ {              0x01,           0, 1,  7, "versionOne"                     }, /* 299 */
+ {                0x01,       301, 0,  8, "brainpoolP160r1"                }, /* 300 */
+ {                0x02,       302, 0,  8, "brainpoolP160t1"                }, /* 301 */
+ {                0x03,       303, 0,  8, "brainpoolP192r1"                }, /* 302 */
+ {                0x04,       304, 0,  8, "brainpoolP192t1"                }, /* 303 */
+ {                0x05,       305, 0,  8, "brainpoolP224r1"                }, /* 304 */
+ {                0x06,       306, 0,  8, "brainpoolP224t1"                }, /* 305 */
+ {                0x07,       307, 0,  8, "brainpoolP256r1"                }, /* 306 */
+ {                0x08,       308, 0,  8, "brainpoolP256t1"                }, /* 307 */
+ {                0x09,       309, 0,  8, "brainpoolP320r1"                }, /* 308 */
+ {                0x0A,       310, 0,  8, "brainpoolP320t1"                }, /* 309 */
+ {                0x0B,       311, 0,  8, "brainpoolP384r1"                }, /* 310 */
+ {                0x0C,       312, 0,  8, "brainpoolP384t1"                }, /* 311 */
+ {                0x0D,       313, 0,  8, "brainpoolP512r1"                }, /* 312 */
+ {                0x0E,         0, 0,  8, "brainpoolP512t1"                }, /* 313 */
+ {  0x81,                       0, 1,  1, ""                               }, /* 314 */
+ {    0x04,                     0, 1,  2, "Certicom"                       }, /* 315 */
+ {      0x00,                   0, 1,  3, "curve"                          }, /* 316 */
+ {        0x01,               318, 0,  4, "sect163k1"                      }, /* 317 */
+ {        0x02,               319, 0,  4, "sect163r1"                      }, /* 318 */
+ {        0x03,               320, 0,  4, "sect239k1"                      }, /* 319 */
+ {        0x04,               321, 0,  4, "sect113r1"                      }, /* 320 */
+ {        0x05,               322, 0,  4, "sect113r2"                      }, /* 321 */
+ {        0x06,               323, 0,  4, "secp112r1"                      }, /* 322 */
+ {        0x07,               324, 0,  4, "secp112r2"                      }, /* 323 */
+ {        0x08,               325, 0,  4, "secp160r1"                      }, /* 324 */
+ {        0x09,               326, 0,  4, "secp160k1"                      }, /* 325 */
+ {        0x0A,               327, 0,  4, "secp256k1"                      }, /* 326 */
+ {        0x0F,               328, 0,  4, "sect163r2"                      }, /* 327 */
+ {        0x10,               329, 0,  4, "sect283k1"                      }, /* 328 */
+ {        0x11,               330, 0,  4, "sect283r1"                      }, /* 329 */
+ {        0x16,               331, 0,  4, "sect131r1"                      }, /* 330 */
+ {        0x17,               332, 0,  4, "sect131r2"                      }, /* 331 */
+ {        0x18,               333, 0,  4, "sect193r1"                      }, /* 332 */
+ {        0x19,               334, 0,  4, "sect193r2"                      }, /* 333 */
+ {        0x1A,               335, 0,  4, "sect233k1"                      }, /* 334 */
+ {        0x1B,               336, 0,  4, "sect233r1"                      }, /* 335 */
+ {        0x1C,               337, 0,  4, "secp128r1"                      }, /* 336 */
+ {        0x1D,               338, 0,  4, "secp128r2"                      }, /* 337 */
+ {        0x1E,               339, 0,  4, "secp160r2"                      }, /* 338 */
+ {        0x1F,               340, 0,  4, "secp192k1"                      }, /* 339 */
+ {        0x20,               341, 0,  4, "secp224k1"                      }, /* 340 */
+ {        0x21,               342, 0,  4, "secp224r1"                      }, /* 341 */
+ {        0x22,               343, 0,  4, "secp384r1"                      }, /* 342 */
+ {        0x23,               344, 0,  4, "secp521r1"                      }, /* 343 */
+ {        0x24,               345, 0,  4, "sect409k1"                      }, /* 344 */
+ {        0x25,               346, 0,  4, "sect409r1"                      }, /* 345 */
+ {        0x26,               347, 0,  4, "sect571k1"                      }, /* 346 */
+ {        0x27,                 0, 0,  4, "sect571r1"                      }, /* 347 */
+ {0x60,                       396, 1,  0, ""                               }, /* 348 */
+ {  0x86,                       0, 1,  1, ""                               }, /* 349 */
+ {    0x48,                     0, 1,  2, ""                               }, /* 350 */
+ {      0x01,                   0, 1,  3, "organization"                   }, /* 351 */
+ {        0x65,               372, 1,  4, "gov"                            }, /* 352 */
+ {          0x03,               0, 1,  5, "csor"                           }, /* 353 */
+ {            0x04,             0, 1,  6, "nistalgorithm"                  }, /* 354 */
+ {              0x01,         365, 1,  7, "aes"                            }, /* 355 */
+ {                0x02,       357, 0,  8, "id-aes128-CBC"                  }, /* 356 */
+ {                0x06,       358, 0,  8, "id-aes128-GCM"                  }, /* 357 */
+ {                0x07,       359, 0,  8, "id-aes128-CCM"                  }, /* 358 */
+ {                0x16,       360, 0,  8, "id-aes192-CBC"                  }, /* 359 */
+ {                0x1A,       361, 0,  8, "id-aes192-GCM"                  }, /* 360 */
+ {                0x1B,       362, 0,  8, "id-aes192-CCM"                  }, /* 361 */
+ {                0x2A,       363, 0,  8, "id-aes256-CBC"                  }, /* 362 */
+ {                0x2E,       364, 0,  8, "id-aes256-GCM"                  }, /* 363 */
+ {                0x2F,         0, 0,  8, "id-aes256-CCM"                  }, /* 364 */
+ {              0x02,           0, 1,  7, "hashalgs"                       }, /* 365 */
+ {                0x01,       367, 0,  8, "id-SHA-256"                     }, /* 366 */
+ {                0x02,       368, 0,  8, "id-SHA-384"                     }, /* 367 */
+ {                0x03,       369, 0,  8, "id-SHA-512"                     }, /* 368 */
+ {                0x04,       370, 0,  8, "id-SHA-224"                     }, /* 369 */
+ {                0x05,       371, 0,  8, "id-SHA-512-224"                 }, /* 370 */
+ {                0x06,         0, 0,  8, "id-SHA-512-256"                 }, /* 371 */
+ {        0x86,                 0, 1,  4, ""                               }, /* 372 */
+ {          0xf8,               0, 1,  5, ""                               }, /* 373 */
+ {            0x42,           386, 1,  6, "netscape"                       }, /* 374 */
+ {              0x01,         381, 1,  7, ""                               }, /* 375 */
+ {                0x01,       377, 0,  8, "nsCertType"                     }, /* 376 */
+ {                0x03,       378, 0,  8, "nsRevocationUrl"                }, /* 377 */
+ {                0x04,       379, 0,  8, "nsCaRevocationUrl"              }, /* 378 */
+ {                0x08,       380, 0,  8, "nsCaPolicyUrl"                  }, /* 379 */
+ {                0x0d,         0, 0,  8, "nsComment"                      }, /* 380 */
+ {              0x03,         384, 1,  7, "directory"                      }, /* 381 */
+ {                0x01,         0, 1,  8, ""                               }, /* 382 */
+ {                  0x03,       0, 0,  9, "employeeNumber"                 }, /* 383 */
+ {              0x04,           0, 1,  7, "policy"                         }, /* 384 */
+ {                0x01,         0, 0,  8, "nsSGC"                          }, /* 385 */
+ {            0x45,             0, 1,  6, "verisign"                       }, /* 386 */
+ {              0x01,           0, 1,  7, "pki"                            }, /* 387 */
+ {                0x09,         0, 1,  8, "attributes"                     }, /* 388 */
+ {                  0x02,     390, 0,  9, "messageType"                    }, /* 389 */
+ {                  0x03,     391, 0,  9, "pkiStatus"                      }, /* 390 */
+ {                  0x04,     392, 0,  9, "failInfo"                       }, /* 391 */
+ {                  0x05,     393, 0,  9, "senderNonce"                    }, /* 392 */
+ {                  0x06,     394, 0,  9, "recipientNonce"                 }, /* 393 */
+ {                  0x07,     395, 0,  9, "transID"                        }, /* 394 */
+ {                  0x08,       0, 0,  9, "extensionReq"                   }, /* 395 */
+ {0x67,                         0, 1,  0, ""                               }, /* 396 */
+ {  0x81,                       0, 1,  1, ""                               }, /* 397 */
+ {    0x05,                     0, 1,  2, ""                               }, /* 398 */
+ {      0x02,                   0, 1,  3, "tcg-attribute"                  }, /* 399 */
+ {        0x01,               401, 0,  4, "tcg-at-tpmManufacturer"         }, /* 400 */
+ {        0x02,               402, 0,  4, "tcg-at-tpmModel"                }, /* 401 */
+ {        0x03,               403, 0,  4, "tcg-at-tpmVersion"              }, /* 402 */
+ {        0x0F,                 0, 0,  4, "tcg-at-tpmIdLabel"              }  /* 403 */
 };
diff --git a/src/libstrongswan/asn1/oid.h b/src/libstrongswan/asn1/oid.h
index 085e09ceb..236c86737 100644
--- a/src/libstrongswan/asn1/oid.h
+++ b/src/libstrongswan/asn1/oid.h
@@ -48,6 +48,7 @@ extern const oid_t oid_names[];
 #define OID_CRL_NUMBER						45
 #define OID_CRL_REASON_CODE					46
 #define OID_DELTA_CRL_INDICATOR				49
+#define OID_ISSUING_DIST_POINT				50
 #define OID_NAME_CONSTRAINTS				52
 #define OID_CRL_DISTRIBUTION_POINTS			53
 #define OID_CERTIFICATE_POLICIES			54
@@ -90,137 +91,148 @@ extern const oid_t oid_names[];
 #define OID_CHALLENGE_PASSWORD				119
 #define OID_UNSTRUCTURED_ADDRESS			120
 #define OID_EXTENSION_REQUEST				121
-#define OID_MD2								124
-#define OID_MD5								125
-#define OID_3DES_EDE_CBC					127
-#define OID_EC_PUBLICKEY					131
-#define OID_C2PNB163V1						134
-#define OID_C2PNB163V2						135
-#define OID_C2PNB163V3						136
-#define OID_C2PNB176W1						137
-#define OID_C2PNB191V1						138
-#define OID_C2PNB191V2						139
-#define OID_C2PNB191V3						140
-#define OID_C2PNB191V4						141
-#define OID_C2PNB191V5						142
-#define OID_C2PNB208W1						143
-#define OID_C2PNB239V1						144
-#define OID_C2PNB239V2						145
-#define OID_C2PNB239V3						146
-#define OID_C2PNB239V4						147
-#define OID_C2PNB239V5						148
-#define OID_C2PNB272W1						149
-#define OID_C2PNB304W1						150
-#define OID_C2PNB359V1						151
-#define OID_C2PNB368W1						152
-#define OID_C2PNB431R1						153
-#define OID_PRIME192V1						155
-#define OID_PRIME192V2						156
-#define OID_PRIME192V3						157
-#define OID_PRIME239V1						158
-#define OID_PRIME239V2						159
-#define OID_PRIME239V3						160
-#define OID_PRIME256V1						161
-#define OID_ECDSA_WITH_SHA1					163
-#define OID_ECDSA_WITH_SHA224				165
-#define OID_ECDSA_WITH_SHA256				166
-#define OID_ECDSA_WITH_SHA384				167
-#define OID_ECDSA_WITH_SHA512				168
-#define OID_USER_PRINCIPAL_NAME				183
-#define OID_STRONGSWAN						186
-#define OID_TCGID							193
-#define OID_AUTHORITY_INFO_ACCESS			198
-#define OID_IP_ADDR_BLOCKS					200
-#define OID_POLICY_QUALIFIER_CPS			202
-#define OID_POLICY_QUALIFIER_UNOTICE		203
-#define OID_SERVER_AUTH						205
-#define OID_CLIENT_AUTH						206
-#define OID_OCSP_SIGNING					213
-#define OID_XMPP_ADDR						219
-#define OID_AUTHENTICATION_INFO				223
-#define OID_ACCESS_IDENTITY					224
-#define OID_CHARGING_IDENTITY				225
-#define OID_GROUP							226
-#define OID_OCSP							229
-#define OID_BASIC							230
-#define OID_NONCE							231
-#define OID_CRL								232
-#define OID_RESPONSE						233
-#define OID_NO_CHECK						234
-#define OID_ARCHIVE_CUTOFF					235
-#define OID_SERVICE_LOCATOR					236
-#define OID_CA_ISSUERS						237
-#define OID_IKE_INTERMEDIATE				242
-#define OID_DES_CBC							246
-#define OID_SHA1							247
-#define OID_SHA1_WITH_RSA_OIW				248
-#define OID_ECGDSA_PUBKEY					267
-#define OID_ECGDSA_SIG_WITH_RIPEMD160		270
-#define OID_ECGDSA_SIG_WITH_SHA1			271
-#define OID_ECGDSA_SIG_WITH_SHA224			272
-#define OID_ECGDSA_SIG_WITH_SHA256			273
-#define OID_ECGDSA_SIG_WITH_SHA384			274
-#define OID_ECGDSA_SIG_WITH_SHA512			275
-#define OID_SECT163K1						298
-#define OID_SECT163R1						299
-#define OID_SECT239K1						300
-#define OID_SECT113R1						301
-#define OID_SECT113R2						302
-#define OID_SECT112R1						303
-#define OID_SECT112R2						304
-#define OID_SECT160R1						305
-#define OID_SECT160K1						306
-#define OID_SECT256K1						307
-#define OID_SECT163R2						308
-#define OID_SECT283K1						309
-#define OID_SECT283R1						310
-#define OID_SECT131R1						311
-#define OID_SECT131R2						312
-#define OID_SECT193R1						313
-#define OID_SECT193R2						314
-#define OID_SECT233K1						315
-#define OID_SECT233R1						316
-#define OID_SECT128R1						317
-#define OID_SECT128R2						318
-#define OID_SECT160R2						319
-#define OID_SECT192K1						320
-#define OID_SECT224K1						321
-#define OID_SECT224R1						322
-#define OID_SECT384R1						323
-#define OID_SECT521R1						324
-#define OID_SECT409K1						325
-#define OID_SECT409R1						326
-#define OID_SECT571K1						327
-#define OID_SECT571R1						328
-#define OID_AES128_CBC						337
-#define OID_AES128_GCM						338
-#define OID_AES128_CCM						339
-#define OID_AES192_CBC						340
-#define OID_AES192_GCM						341
-#define OID_AES192_CCM						342
-#define OID_AES256_CBC						343
-#define OID_AES256_GCM						344
-#define OID_AES256_CCM						345
-#define OID_SHA256							347
-#define OID_SHA384							348
-#define OID_SHA512							349
-#define OID_SHA224							350
-#define OID_NS_REVOCATION_URL				358
-#define OID_NS_CA_REVOCATION_URL			359
-#define OID_NS_CA_POLICY_URL				360
-#define OID_NS_COMMENT						361
-#define OID_EMPLOYEE_NUMBER					364
-#define OID_PKI_MESSAGE_TYPE				370
-#define OID_PKI_STATUS						371
-#define OID_PKI_FAIL_INFO					372
-#define OID_PKI_SENDER_NONCE				373
-#define OID_PKI_RECIPIENT_NONCE				374
-#define OID_PKI_TRANS_ID					375
-#define OID_TPM_MANUFACTURER				381
-#define OID_TPM_MODEL						382
-#define OID_TPM_VERSION						383
-#define OID_TPM_ID_LABEL					384
+#define OID_X509_CERTIFICATE				124
+#define OID_PBE_SHA1_RC4_128				128
+#define OID_PBE_SHA1_RC4_40					129
+#define OID_PBE_SHA1_3DES_CBC				130
+#define OID_PBE_SHA1_3DES_2KEY_CBC			131
+#define OID_PBE_SHA1_RC2_CBC_128			132
+#define OID_PBE_SHA1_RC2_CBC_40				133
+#define OID_P12_KEY_BAG						136
+#define OID_P12_PKCS8_KEY_BAG				137
+#define OID_P12_CERT_BAG					138
+#define OID_P12_CRL_BAG						139
+#define OID_MD2								143
+#define OID_MD5								144
+#define OID_3DES_EDE_CBC					146
+#define OID_EC_PUBLICKEY					150
+#define OID_C2PNB163V1						153
+#define OID_C2PNB163V2						154
+#define OID_C2PNB163V3						155
+#define OID_C2PNB176W1						156
+#define OID_C2PNB191V1						157
+#define OID_C2PNB191V2						158
+#define OID_C2PNB191V3						159
+#define OID_C2PNB191V4						160
+#define OID_C2PNB191V5						161
+#define OID_C2PNB208W1						162
+#define OID_C2PNB239V1						163
+#define OID_C2PNB239V2						164
+#define OID_C2PNB239V3						165
+#define OID_C2PNB239V4						166
+#define OID_C2PNB239V5						167
+#define OID_C2PNB272W1						168
+#define OID_C2PNB304W1						169
+#define OID_C2PNB359V1						170
+#define OID_C2PNB368W1						171
+#define OID_C2PNB431R1						172
+#define OID_PRIME192V1						174
+#define OID_PRIME192V2						175
+#define OID_PRIME192V3						176
+#define OID_PRIME239V1						177
+#define OID_PRIME239V2						178
+#define OID_PRIME239V3						179
+#define OID_PRIME256V1						180
+#define OID_ECDSA_WITH_SHA1					182
+#define OID_ECDSA_WITH_SHA224				184
+#define OID_ECDSA_WITH_SHA256				185
+#define OID_ECDSA_WITH_SHA384				186
+#define OID_ECDSA_WITH_SHA512				187
+#define OID_USER_PRINCIPAL_NAME				202
+#define OID_STRONGSWAN						205
+#define OID_TCGID							212
+#define OID_AUTHORITY_INFO_ACCESS			217
+#define OID_IP_ADDR_BLOCKS					219
+#define OID_POLICY_QUALIFIER_CPS			221
+#define OID_POLICY_QUALIFIER_UNOTICE		222
+#define OID_SERVER_AUTH						224
+#define OID_CLIENT_AUTH						225
+#define OID_OCSP_SIGNING					232
+#define OID_XMPP_ADDR						238
+#define OID_AUTHENTICATION_INFO				242
+#define OID_ACCESS_IDENTITY					243
+#define OID_CHARGING_IDENTITY				244
+#define OID_GROUP							245
+#define OID_OCSP							248
+#define OID_BASIC							249
+#define OID_NONCE							250
+#define OID_CRL								251
+#define OID_RESPONSE						252
+#define OID_NO_CHECK						253
+#define OID_ARCHIVE_CUTOFF					254
+#define OID_SERVICE_LOCATOR					255
+#define OID_CA_ISSUERS						256
+#define OID_IKE_INTERMEDIATE				261
+#define OID_DES_CBC							265
+#define OID_SHA1							266
+#define OID_SHA1_WITH_RSA_OIW				267
+#define OID_ECGDSA_PUBKEY					286
+#define OID_ECGDSA_SIG_WITH_RIPEMD160		289
+#define OID_ECGDSA_SIG_WITH_SHA1			290
+#define OID_ECGDSA_SIG_WITH_SHA224			291
+#define OID_ECGDSA_SIG_WITH_SHA256			292
+#define OID_ECGDSA_SIG_WITH_SHA384			293
+#define OID_ECGDSA_SIG_WITH_SHA512			294
+#define OID_SECT163K1						317
+#define OID_SECT163R1						318
+#define OID_SECT239K1						319
+#define OID_SECT113R1						320
+#define OID_SECT113R2						321
+#define OID_SECT112R1						322
+#define OID_SECT112R2						323
+#define OID_SECT160R1						324
+#define OID_SECT160K1						325
+#define OID_SECT256K1						326
+#define OID_SECT163R2						327
+#define OID_SECT283K1						328
+#define OID_SECT283R1						329
+#define OID_SECT131R1						330
+#define OID_SECT131R2						331
+#define OID_SECT193R1						332
+#define OID_SECT193R2						333
+#define OID_SECT233K1						334
+#define OID_SECT233R1						335
+#define OID_SECT128R1						336
+#define OID_SECT128R2						337
+#define OID_SECT160R2						338
+#define OID_SECT192K1						339
+#define OID_SECT224K1						340
+#define OID_SECT224R1						341
+#define OID_SECT384R1						342
+#define OID_SECT521R1						343
+#define OID_SECT409K1						344
+#define OID_SECT409R1						345
+#define OID_SECT571K1						346
+#define OID_SECT571R1						347
+#define OID_AES128_CBC						356
+#define OID_AES128_GCM						357
+#define OID_AES128_CCM						358
+#define OID_AES192_CBC						359
+#define OID_AES192_GCM						360
+#define OID_AES192_CCM						361
+#define OID_AES256_CBC						362
+#define OID_AES256_GCM						363
+#define OID_AES256_CCM						364
+#define OID_SHA256							366
+#define OID_SHA384							367
+#define OID_SHA512							368
+#define OID_SHA224							369
+#define OID_NS_REVOCATION_URL				377
+#define OID_NS_CA_REVOCATION_URL			378
+#define OID_NS_CA_POLICY_URL				379
+#define OID_NS_COMMENT						380
+#define OID_EMPLOYEE_NUMBER					383
+#define OID_PKI_MESSAGE_TYPE				389
+#define OID_PKI_STATUS						390
+#define OID_PKI_FAIL_INFO					391
+#define OID_PKI_SENDER_NONCE				392
+#define OID_PKI_RECIPIENT_NONCE				393
+#define OID_PKI_TRANS_ID					394
+#define OID_TPM_MANUFACTURER				400
+#define OID_TPM_MODEL						401
+#define OID_TPM_VERSION						402
+#define OID_TPM_ID_LABEL					403
 
-#define OID_MAX								385
+#define OID_MAX								404
 
 #endif /* OID_H_ */
diff --git a/src/libstrongswan/asn1/oid.pl b/src/libstrongswan/asn1/oid.pl
index ed26febc9..82100e8aa 100644
--- a/src/libstrongswan/asn1/oid.pl
+++ b/src/libstrongswan/asn1/oid.pl
@@ -19,8 +19,6 @@ $copyright="Copyright (C) 2003-2008 Andreas Steffen, Hochschule fuer Technik Rap
 $automatic="This file has been automatically generated by the script oid.pl";
 $warning="Do not edit manually!";
 
-print "oid.pl generating oid.h and oid.c\n";
-
 # Generate oid.h
 
 open(OID_H,  ">oid.h")
diff --git a/src/libstrongswan/asn1/oid.txt b/src/libstrongswan/asn1/oid.txt
index 49ef1cdf2..740dc5073 100644
--- a/src/libstrongswan/asn1/oid.txt
+++ b/src/libstrongswan/asn1/oid.txt
@@ -48,7 +48,7 @@
     0x17                     "holdInstructionCode"
     0x18                     "invalidityDate"
     0x1B                     "deltaCrlIndicator"		OID_DELTA_CRL_INDICATOR
-    0x1C                     "issuingDistributionPoint"
+    0x1C                     "issuingDistributionPoint"	OID_ISSUING_DIST_POINT
     0x1D                     "certificateIssuer"
     0x1E                     "nameConstraints"			OID_NAME_CONSTRAINTS
     0x1F                     "crlDistributionPoints"	OID_CRL_DISTRIBUTION_POINTS
@@ -121,6 +121,25 @@
                 0x08         "unstructuredAddress"		OID_UNSTRUCTURED_ADDRESS
                 0x0E         "extensionRequest"			OID_EXTENSION_REQUEST
                 0x0F         "S/MIME Capabilities"
+                0x16         "certTypes"
+                  0x01       "X.509"					OID_X509_CERTIFICATE
+                  0x02       "SDSI"
+              0x0c           "PKCS-12"
+                0x01         "pbeIds"
+                  0x01       "pbeWithSHAAnd128BitRC4"	OID_PBE_SHA1_RC4_128
+                  0x02       "pbeWithSHAAnd40BitRC4"	OID_PBE_SHA1_RC4_40
+                  0x03       "pbeWithSHAAnd3-KeyTripleDES-CBC"	OID_PBE_SHA1_3DES_CBC
+                  0x04       "pbeWithSHAAnd2-KeyTripleDES-CBC"	OID_PBE_SHA1_3DES_2KEY_CBC
+                  0x05       "pbeWithSHAAnd128BitRC2-CBC"		OID_PBE_SHA1_RC2_CBC_128
+                  0x06       "pbeWithSHAAnd40BitRC2-CBC"		OID_PBE_SHA1_RC2_CBC_40
+                0x0a         "PKCS-12v1"
+                  0x01       "bagIds"
+                    0x01     "keyBag"					OID_P12_KEY_BAG
+                    0x02     "pkcs8ShroudedKeyBag"		OID_P12_PKCS8_KEY_BAG
+                    0x03     "certBag"					OID_P12_CERT_BAG
+                    0x04     "crlBag"					OID_P12_CRL_BAG
+                    0x05     "secretBag"
+                    0x06     "safeContentsBag"
             0x02             "digestAlgorithm"
               0x02           "md2"						OID_MD2
               0x05           "md5"						OID_MD5
@@ -240,7 +259,7 @@
               0x05           "caRepository"
           0x08               "ipsec"
             0x02             "certificate"
-              0x02           "iKEIntermediate"				OID_IKE_INTERMEDIATE
+              0x02           "iKEIntermediate"			OID_IKE_INTERMEDIATE
   0x0E                       "oiw"
     0x03                     "secsig"
       0x02                   "algorithms"
diff --git a/src/libstrongswan/bio/bio_writer.c b/src/libstrongswan/bio/bio_writer.c
index 8576843ee..152d9ce22 100644
--- a/src/libstrongswan/bio/bio_writer.c
+++ b/src/libstrongswan/bio/bio_writer.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2012 Tobias Brunner
+ * Copyright (C) 2012-2013 Tobias Brunner
  * Hochschule fuer Technik Rapperswil
  *
  * Copyright (C) 2010 Martin Willi
@@ -47,21 +47,27 @@ struct private_bio_writer_t {
 };
 
 /**
- * Increase buffer size
+ * Increase buffer size, if required
  */
-static void increase(private_bio_writer_t *this)
+static inline void increase(private_bio_writer_t *this, size_t required)
 {
-	this->buf.len += this->increase;
-	this->buf.ptr = realloc(this->buf.ptr, this->buf.len);
+	bool inc = FALSE;
+
+	while (this->used + required > this->buf.len)
+	{
+		this->buf.len += this->increase;
+		inc = TRUE;
+	}
+	if (inc)
+	{
+		this->buf.ptr = realloc(this->buf.ptr, this->buf.len);
+	}
 }
 
 METHOD(bio_writer_t, write_uint8, void,
 	private_bio_writer_t *this, u_int8_t value)
 {
-	if (this->used + 1 > this->buf.len)
-	{
-		increase(this);
-	}
+	increase(this, 1);
 	this->buf.ptr[this->used] = value;
 	this->used += 1;
 }
@@ -69,10 +75,7 @@ METHOD(bio_writer_t, write_uint8, void,
 METHOD(bio_writer_t, write_uint16, void,
 	private_bio_writer_t *this, u_int16_t value)
 {
-	if (this->used + 2 > this->buf.len)
-	{
-		increase(this);
-	}
+	increase(this, 2);
 	htoun16(this->buf.ptr + this->used, value);
 	this->used += 2;
 }
@@ -80,10 +83,7 @@ METHOD(bio_writer_t, write_uint16, void,
 METHOD(bio_writer_t, write_uint24, void,
 	private_bio_writer_t *this, u_int32_t value)
 {
-	if (this->used + 3 > this->buf.len)
-	{
-		increase(this);
-	}
+	increase(this, 3);
 	value = htonl(value);
 	memcpy(this->buf.ptr + this->used, ((char*)&value) + 1, 3);
 	this->used += 3;
@@ -92,10 +92,7 @@ METHOD(bio_writer_t, write_uint24, void,
 METHOD(bio_writer_t, write_uint32, void,
 	private_bio_writer_t *this, u_int32_t value)
 {
-	if (this->used + 4 > this->buf.len)
-	{
-		increase(this);
-	}
+	increase(this, 4);
 	htoun32(this->buf.ptr + this->used, value);
 	this->used += 4;
 }
@@ -103,10 +100,7 @@ METHOD(bio_writer_t, write_uint32, void,
 METHOD(bio_writer_t, write_uint64, void,
 	private_bio_writer_t *this, u_int64_t value)
 {
-	if (this->used + 8 > this->buf.len)
-	{
-		increase(this);
-	}
+	increase(this, 8);
 	htoun64(this->buf.ptr + this->used, value);
 	this->used += 8;
 }
@@ -114,10 +108,7 @@ METHOD(bio_writer_t, write_uint64, void,
 METHOD(bio_writer_t, write_data, void,
 	private_bio_writer_t *this, chunk_t value)
 {
-	while (this->used + value.len > this->buf.len)
-	{
-		increase(this);
-	}
+	increase(this, value.len);
 	memcpy(this->buf.ptr + this->used, value.ptr, value.len);
 	this->used += value.len;
 }
@@ -125,6 +116,7 @@ METHOD(bio_writer_t, write_data, void,
 METHOD(bio_writer_t, write_data8, void,
 	private_bio_writer_t *this, chunk_t value)
 {
+	increase(this, 1 + value.len);
 	write_uint8(this, value.len);
 	write_data(this, value);
 }
@@ -132,6 +124,7 @@ METHOD(bio_writer_t, write_data8, void,
 METHOD(bio_writer_t, write_data16, void,
 	private_bio_writer_t *this, chunk_t value)
 {
+	increase(this, 2 + value.len);
 	write_uint16(this, value.len);
 	write_data(this, value);
 }
@@ -139,6 +132,7 @@ METHOD(bio_writer_t, write_data16, void,
 METHOD(bio_writer_t, write_data24, void,
 	private_bio_writer_t *this, chunk_t value)
 {
+	increase(this, 3 + value.len);
 	write_uint24(this, value.len);
 	write_data(this, value);
 }
@@ -146,6 +140,7 @@ METHOD(bio_writer_t, write_data24, void,
 METHOD(bio_writer_t, write_data32, void,
 	private_bio_writer_t *this, chunk_t value)
 {
+	increase(this, 4 + value.len);
 	write_uint32(this, value.len);
 	write_data(this, value);
 }
@@ -153,10 +148,7 @@ METHOD(bio_writer_t, write_data32, void,
 METHOD(bio_writer_t, wrap8, void,
 	private_bio_writer_t *this)
 {
-	if (this->used + 1 > this->buf.len)
-	{
-		increase(this);
-	}
+	increase(this, 1);
 	memmove(this->buf.ptr + 1, this->buf.ptr, this->used);
 	this->buf.ptr[0] = this->used;
 	this->used += 1;
@@ -165,10 +157,7 @@ METHOD(bio_writer_t, wrap8, void,
 METHOD(bio_writer_t, wrap16, void,
 	private_bio_writer_t *this)
 {
-	if (this->used + 2 > this->buf.len)
-	{
-		increase(this);
-	}
+	increase(this, 2);
 	memmove(this->buf.ptr + 2, this->buf.ptr, this->used);
 	htoun16(this->buf.ptr, this->used);
 	this->used += 2;
@@ -179,10 +168,7 @@ METHOD(bio_writer_t, wrap24, void,
 {
 	u_int32_t len;
 
-	if (this->used + 3 > this->buf.len)
-	{
-		increase(this);
-	}
+	increase(this, 3);
 	memmove(this->buf.ptr + 3, this->buf.ptr, this->used);
 
 	len = htonl(this->used);
@@ -193,10 +179,7 @@ METHOD(bio_writer_t, wrap24, void,
 METHOD(bio_writer_t, wrap32, void,
 	private_bio_writer_t *this)
 {
-	if (this->used + 4 > this->buf.len)
-	{
-		increase(this);
-	}
+	increase(this, 4);
 	memmove(this->buf.ptr + 4, this->buf.ptr, this->used);
 	htoun32(this->buf.ptr, this->used);
 	this->used += 4;
@@ -207,10 +190,7 @@ METHOD(bio_writer_t, skip, chunk_t,
 {
 	chunk_t skipped;
 
-	while (this->used + len > this->buf.len)
-	{
-		increase(this);
-	}
+	increase(this, len);
 	skipped = chunk_create(this->buf.ptr + this->used, len);
 	this->used += len;
 	return skipped;
diff --git a/src/libstrongswan/collections/array.c b/src/libstrongswan/collections/array.c
new file mode 100644
index 000000000..387e2a57d
--- /dev/null
+++ b/src/libstrongswan/collections/array.c
@@ -0,0 +1,416 @@
+/*
+ * Copyright (C) 2013 Martin Willi
+ * Copyright (C) 2013 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "array.h"
+
+/**
+ * Data is an allocated block, with potentially unused head and tail:
+ *
+ *   "esize" each (or sizeof(void*) if esize = 0)
+ *  /-\ /-\ /-\ /-\ /-\ /-\
+ *
+ * +---------------+-------------------------------+---------------+
+ * | h | e | a | d | e | l | e | m | e | n | t | s | t | a | i | l |
+ * +---------------+-------------------------------+---------------+
+ *
+ * \--------------/ \-----------------------------/ \-------------/
+ *      unused                    used                   unused
+ *      "head"                   "count"                 "tail"
+ *
+ */
+struct array_t {
+	/** number of elements currently in array (not counting head/tail) */
+	u_int32_t count;
+	/** size of each element, 0 for a pointer based array */
+	u_int16_t esize;
+	/** allocated but unused elements at array front */
+	u_int8_t head;
+	/** allocated but unused elements at array end */
+	u_int8_t tail;
+	/** array elements */
+	void *data;
+};
+
+/** maximum number of unused head/tail elements before cleanup */
+#define ARRAY_MAX_UNUSED 32
+
+/**
+ * Get the actual size of a number of elements
+ */
+static size_t get_size(array_t *array, u_int32_t num)
+{
+	if (array->esize)
+	{
+		return array->esize * num;
+	}
+	return sizeof(void*) * num;
+}
+
+/**
+ * Increase allocated but unused tail room to at least "room"
+ */
+static void make_tail_room(array_t *array, u_int8_t room)
+{
+	if (array->tail < room)
+	{
+		array->data = realloc(array->data,
+						get_size(array, array->count + array->head + room));
+		array->tail = room;
+	}
+}
+
+/**
+ * Increase allocated but unused head room to at least "room"
+ */
+static void make_head_room(array_t *array, u_int8_t room)
+{
+	if (array->head < room)
+	{
+		u_int8_t increase = room - array->head;
+
+		array->data = realloc(array->data,
+						get_size(array, array->count + array->tail + room));
+		memmove(array->data + get_size(array, increase), array->data,
+				get_size(array, array->count + array->tail + array->head));
+		array->head = room;
+	}
+}
+
+/**
+ * Make space for an item at index using tail room
+ */
+static void insert_tail(array_t *array, int idx)
+{
+	make_tail_room(array, 1);
+	/* move up all elements after idx by one */
+	memmove(array->data + get_size(array, array->head + idx + 1),
+			array->data + get_size(array, array->head + idx),
+			get_size(array, array->count - idx));
+
+	array->tail--;
+	array->count++;
+}
+
+/**
+ * Make space for an item at index using head room
+ */
+static void insert_head(array_t *array, int idx)
+{
+	make_head_room(array, 1);
+	/* move down all elements before idx by one */
+	memmove(array->data + get_size(array, array->head - 1),
+			array->data + get_size(array, array->head),
+			get_size(array, idx));
+
+	array->head--;
+	array->count++;
+}
+
+/**
+ * Remove an item, increase tail
+ */
+static void remove_tail(array_t *array, int idx)
+{
+	/* move all items after idx one down */
+	memmove(array->data + get_size(array, idx + array->head),
+			array->data + get_size(array, idx + array->head + 1),
+			get_size(array, array->count - idx));
+	array->count--;
+	array->tail++;
+}
+
+/**
+ * Remove an item, increase head
+ */
+static void remove_head(array_t *array, int idx)
+{
+	/* move all items before idx one up */
+	memmove(array->data + get_size(array, array->head + 1),
+			array->data + get_size(array, array->head), get_size(array, idx));
+	array->count--;
+	array->head++;
+}
+
+array_t *array_create(u_int esize, u_int8_t reserve)
+{
+	array_t *array;
+
+	INIT(array,
+		.esize = esize,
+		.tail = reserve,
+	);
+	if (array->tail)
+	{
+		array->data = malloc(array->tail * array->esize);
+	}
+	return array;
+}
+
+int array_count(array_t *array)
+{
+	if (array)
+	{
+		return array->count;
+	}
+	return 0;
+}
+
+void array_compress(array_t *array)
+{
+	if (array)
+	{
+		u_int32_t tail;
+
+		tail = array->tail;
+		if (array->head)
+		{
+			memmove(array->data, array->data + get_size(array, array->head),
+					get_size(array, array->count + array->tail));
+			tail += array->head;
+			array->head = 0;
+		}
+		if (tail)
+		{
+			array->data = realloc(array->data, get_size(array, array->count));
+			array->tail = 0;
+		}
+	}
+}
+
+typedef struct {
+	/** public enumerator interface */
+	enumerator_t public;
+	/** enumerated array */
+	array_t *array;
+	/** current index +1, initialized at 0 */
+	int idx;
+} array_enumerator_t;
+
+METHOD(enumerator_t, enumerate, bool,
+	array_enumerator_t *this, void **out)
+{
+	void *pos;
+
+	if (this->idx >= this->array->count)
+	{
+		return FALSE;
+	}
+
+	pos = this->array->data +
+		  get_size(this->array, this->idx + this->array->head);
+	if (this->array->esize)
+	{
+		/* for element based arrays we return a pointer to the element */
+		*out = pos;
+	}
+	else
+	{
+		/* for pointer based arrays we return the pointer directly */
+		*out = *(void**)pos;
+	}
+	this->idx++;
+	return TRUE;
+}
+
+enumerator_t* array_create_enumerator(array_t *array)
+{
+	array_enumerator_t *enumerator;
+
+	if (!array)
+	{
+		return enumerator_create_empty();
+	}
+
+	INIT(enumerator,
+		.public = {
+			.enumerate = (void*)_enumerate,
+			.destroy = (void*)free,
+		},
+		.array = array,
+	);
+	return &enumerator->public;
+}
+
+void array_remove_at(array_t *array, enumerator_t *public)
+{
+	array_enumerator_t *enumerator = (array_enumerator_t*)public;
+
+	if (enumerator->idx)
+	{
+		array_remove(array, --enumerator->idx, NULL);
+	}
+}
+
+void array_insert_create(array_t **array, int idx, void *ptr)
+{
+	if (*array == NULL)
+	{
+		*array = array_create(0, 0);
+	}
+	array_insert(*array, idx, ptr);
+}
+
+void array_insert_enumerator(array_t *array, int idx, enumerator_t *enumerator)
+{
+	void *ptr;
+
+	while (enumerator->enumerate(enumerator, &ptr))
+	{
+		array_insert(array, idx, ptr);
+	}
+	enumerator->destroy(enumerator);
+}
+
+void array_insert(array_t *array, int idx, void *data)
+{
+	if (idx < 0 || idx <= array_count(array))
+	{
+		void *pos;
+
+		if (idx < 0)
+		{
+			idx = array_count(array);
+		}
+
+		if (array->head && !array->tail)
+		{
+			insert_head(array, idx);
+		}
+		else if (array->tail && !array->head)
+		{
+			insert_tail(array, idx);
+		}
+		else if (idx > array_count(array) / 2)
+		{
+			insert_tail(array, idx);
+		}
+		else
+		{
+			insert_head(array, idx);
+		}
+
+		pos = array->data + get_size(array, array->head + idx);
+		if (array->esize)
+		{
+			memcpy(pos, data, get_size(array, 1));
+		}
+		else
+		{
+			/* pointer based array, copy pointer value */
+			*(void**)pos = data;
+		}
+	}
+}
+
+bool array_remove(array_t *array, int idx, void *data)
+{
+	if (!array)
+	{
+		return FALSE;
+	}
+	if (idx >= 0 && idx >= array_count(array))
+	{
+		return FALSE;
+	}
+	if (idx < 0)
+	{
+		if (array_count(array) == 0)
+		{
+			return FALSE;
+		}
+		idx = array_count(array) - 1;
+	}
+	if (data)
+	{
+		memcpy(data, array->data + get_size(array, array->head + idx),
+			   get_size(array, 1));
+	}
+	if (idx > array_count(array) / 2)
+	{
+		remove_tail(array, idx);
+	}
+	else
+	{
+		remove_head(array, idx);
+	}
+	if (array->head + array->tail > ARRAY_MAX_UNUSED)
+	{
+		array_compress(array);
+	}
+	return TRUE;
+}
+
+void array_invoke(array_t *array, array_callback_t cb, void *user)
+{
+	if (array)
+	{
+		void *obj;
+		int i;
+
+		for (i = array->head; i < array->count + array->head; i++)
+		{
+			obj = array->data + get_size(array, i);
+			if (!array->esize)
+			{
+				/* dereference if we store store pointers */
+				obj = *(void**)obj;
+			}
+			cb(obj, i - array->head, user);
+		}
+	}
+}
+
+void array_invoke_offset(array_t *array, size_t offset)
+{
+	if (array)
+	{
+		void (*method)(void *data);
+		void *obj;
+		int i;
+
+		for (i = array->head; i < array->count + array->head; i++)
+		{
+			obj = array->data + get_size(array, i);
+			if (!array->esize)
+			{
+				/* dereference if we store store pointers */
+				obj = *(void**)obj;
+			}
+			method = *(void**)(obj + offset);
+			method(obj);
+		}
+	}
+}
+
+void array_destroy(array_t *array)
+{
+	if (array)
+	{
+		free(array->data);
+		free(array);
+	}
+}
+
+void array_destroy_function(array_t *array, array_callback_t cb, void *user)
+{
+	array_invoke(array, cb, user);
+	array_destroy(array);
+}
+
+void array_destroy_offset(array_t *array, size_t offset)
+{
+	array_invoke_offset(array, offset);
+	array_destroy(array);
+}
diff --git a/src/libstrongswan/collections/array.h b/src/libstrongswan/collections/array.h
new file mode 100644
index 000000000..0dc7b2250
--- /dev/null
+++ b/src/libstrongswan/collections/array.h
@@ -0,0 +1,195 @@
+/*
+ * Copyright (C) 2013 Martin Willi
+ * Copyright (C) 2013 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup array array
+ * @{ @ingroup collections
+ */
+
+#ifndef ARRAY_H_
+#define ARRAY_H_
+
+#include <collections/enumerator.h>
+
+/**
+ * Variable sized array with fixed size elements.
+ *
+ * An array is a primitive object with associated functions to avoid the
+ * overhead of an object with methods. It is efficient in memory usage, but
+ * less efficient than a linked list in manipulating elements.
+ */
+typedef struct array_t array_t;
+
+typedef enum array_idx_t array_idx_t;
+
+/**
+ * Special array index values for insert/remove.
+ */
+enum array_idx_t {
+	ARRAY_HEAD = 0,
+	ARRAY_TAIL = -1,
+};
+
+/**
+ * Callback function invoked for each array element.
+ *
+ * Data is a pointer to the array element. If this is a pointer based array,
+ * (esize is zero), data is the pointer itself.
+ *
+ * @param data			pointer to array data, or the pointer itself
+ * @param idx			array index
+ * @param user			user data passed with callback
+ */
+typedef void (*array_callback_t)(void *data, int idx, void *user);
+
+/**
+ * Create a array instance.
+ *
+ * Elements get tight packed to each other. If any alignment is required, pass
+ * appropriate padding to each element. The reserved space does not affect
+ * array_count(), but just preallocates buffer space.
+ *
+ * @param esize			element size for this array, use 0 for a pointer array
+ * @param reserve		number of items to allocate space for
+ * @return				array instance
+ */
+array_t *array_create(u_int esize, u_int8_t reserve);
+
+/**
+ * Get the number of elements currently in the array.
+ *
+ * @return				number of elements
+ */
+int array_count(array_t *array);
+
+/**
+ * Compress an array, remove unused head/tail space.
+ *
+ * @param array			array to compress, or NULL
+ */
+void array_compress(array_t *array);
+
+/**
+ * Create an enumerator over an array.
+ *
+ * The enumerater enumerates directly over the array element (pass a pointer to
+ * element types), unless the array is pointer based. If zero is passed as
+ * element size during construction, the enumerator enumerates over the
+ * deferenced pointer values.
+ *
+ * @param array			array to create enumerator for, or NULL
+ * @return				enumerator, over elements or pointers
+ */
+enumerator_t* array_create_enumerator(array_t *array);
+
+/**
+ * Remove an element at enumerator position.
+ *
+ * @param array			array to remove element in
+ * @param enumerator	enumerator position, from array_create_enumerator()
+ */
+void array_remove_at(array_t *array, enumerator_t *enumerator);
+
+/**
+ * Insert an element to an array.
+ *
+ * If the array is pointer based (esize = 0), the pointer itself is appended.
+ * Otherwise the element gets copied from the pointer.
+ * The idx must be either within array_count() or one above to append the item.
+ * Passing -1 has the same effect as passing array_count(), i.e. appends the
+ * item. It is always valid to pass idx 0 to prepend the item.
+ *
+ * @param array			array to append element to
+ * @param idx			index to insert item at
+ * @param data			pointer to array element to copy
+ */
+void array_insert(array_t *array, int idx, void *data);
+
+/**
+ * Create an pointer based array if it does not exist, insert pointer.
+ *
+ * This is a convenience function for insert a pointer and implicitly
+ * create a pointer based array if array is NULL. Array is set the the newly
+ * created array, if any.
+ *
+ * @param array			pointer to array reference, potentially NULL
+ * @param idx			index to insert item at
+ * @param ptr			pointer to append
+ */
+void array_insert_create(array_t **array, int idx, void *ptr);
+
+/**
+ * Insert all items from an enumerator to an array.
+ *
+ * @param array			array to add items to
+ * @param idx			index to insert each item with
+ * @param enumerator	enumerator over void*, gets destroyed
+ */
+void array_insert_enumerator(array_t *array, int idx, enumerator_t *enumerator);
+
+/**
+ * Remove an element from the array.
+ *
+ * If data is given, the element is copied to that position.
+ *
+ * @param array			array to remove element from, or NULL
+ * @param idx			index of the item to remove
+ * @param data			data to copy element to, or NULL
+ * @return				TRUE if idx existed and item removed
+ */
+bool array_remove(array_t *array, int idx, void *data);
+
+/**
+ * Invoke a callback for all array members.
+ *
+ * @param array			array to traverse, or NULL
+ * @param cb			callback function to invoke each element with
+ * @param user			user data to pass to callback
+ */
+void array_invoke(array_t *array, array_callback_t cb, void *user);
+
+/**
+ * Invoke a method of each element defined with offset.
+ *
+ * @param array			array to traverse, or NULL
+ * @param offset		offset of element method, use offsetof()
+ */
+void array_invoke_offset(array_t *array, size_t offset);
+
+/**
+ * Destroy an array.
+ *
+ * @param array			array to destroy, or NULL
+ */
+void array_destroy(array_t *array);
+
+/**
+ * Destroy an array, call a function to clean up all elements.
+ *
+ * @param array			array to destroy, or NULL
+ * @param cb			callback function to free element data
+ * @param user			user data to pass to callback
+ */
+void array_destroy_function(array_t *array, array_callback_t cb, void *user);
+
+/**
+ * Destroy an array, call element method defined with offset.
+ *
+ * @param array			array to destroy, or NULL
+ * @param offset		offset of element method, use offsetof()
+ */
+void array_destroy_offset(array_t *array, size_t offset);
+
+#endif /** ARRAY_H_ @}*/
diff --git a/src/libstrongswan/collections/enumerator.c b/src/libstrongswan/collections/enumerator.c
index f80cdabd2..8049ac016 100644
--- a/src/libstrongswan/collections/enumerator.c
+++ b/src/libstrongswan/collections/enumerator.c
@@ -264,7 +264,7 @@ static bool enumerate_token_enum(token_enum_t *this, char **token)
 		}
 	}
 
-	/* trim trailing characters/separators */
+	/* trim trailing characters */
 	pos--;
 	while (pos >= *token)
 	{
@@ -278,17 +278,7 @@ static bool enumerate_token_enum(token_enum_t *this, char **token)
 			}
 			trim++;
 		}
-		sep = this->sep;
-		while (*sep)
-		{
-			if (*sep == *pos)
-			{
-				*(pos--) = '\0';
-				break;
-			}
-			sep++;
-		}
-		if (!*trim && !*sep)
+		if (!*trim)
 		{
 			break;
 		}
diff --git a/src/libstrongswan/collections/hashtable.c b/src/libstrongswan/collections/hashtable.c
index d181d8ec8..1003aa0fa 100644
--- a/src/libstrongswan/collections/hashtable.c
+++ b/src/libstrongswan/collections/hashtable.c
@@ -16,6 +16,8 @@
 
 #include "hashtable.h"
 
+#include <utils/chunk.h>
+
 /** The maximum capacity of the hash table (MUST be a power of 2) */
 #define MAX_CAPACITY (1 << 30)
 
@@ -146,9 +148,40 @@ struct private_enumerator_t {
 	 * previous pair (used by remove_at)
 	 */
 	pair_t *prev;
-
 };
 
+/*
+ * See header.
+ */
+u_int hashtable_hash_ptr(void *key)
+{
+	return chunk_hash(chunk_from_thing(key));
+}
+
+/*
+ * See header.
+ */
+u_int hashtable_hash_str(void *key)
+{
+	return chunk_hash(chunk_from_str((char*)key));
+}
+
+/*
+ * See header.
+ */
+bool hashtable_equals_ptr(void *key, void *other_key)
+{
+	return key == other_key;
+}
+
+/*
+ * See header.
+ */
+bool hashtable_equals_str(void *key, void *other_key)
+{
+	return streq(key, other_key);
+}
+
 /**
  * This function returns the next-highest power of two for the given number.
  * The algorithm works by setting all bits on the right-hand side of the most
@@ -441,4 +474,3 @@ hashtable_t *hashtable_create(hashtable_hash_t hash, hashtable_equals_t equals,
 
 	return &this->public;
 }
-
diff --git a/src/libstrongswan/collections/hashtable.h b/src/libstrongswan/collections/hashtable.h
index e38850ded..520a86c90 100644
--- a/src/libstrongswan/collections/hashtable.h
+++ b/src/libstrongswan/collections/hashtable.h
@@ -33,6 +33,22 @@ typedef struct hashtable_t hashtable_t;
  */
 typedef u_int (*hashtable_hash_t)(void *key);
 
+/**
+ * Hashtable hash function calculation the hash solely based on the key pointer.
+ *
+ * @param key			key to hash
+ * @return				hash of key
+ */
+u_int hashtable_hash_ptr(void *key);
+
+/**
+ * Hashtable hash function calculation the hash for char* keys.
+ *
+ * @param key			key to hash, a char*
+ * @return				hash of key
+ */
+u_int hashtable_hash_str(void *key);
+
 /**
  * Prototype for a function that compares the two keys for equality.
  *
@@ -42,6 +58,24 @@ typedef u_int (*hashtable_hash_t)(void *key);
  */
 typedef bool (*hashtable_equals_t)(void *key, void *other_key);
 
+/**
+ * Hashtable equals function comparing pointers.
+ *
+ * @param key			key to compare
+ * @param other_key		other key to compare
+ * @return				TRUE if key == other_key
+ */
+bool hashtable_equals_ptr(void *key, void *other_key);
+
+/**
+ * Hashtable equals function comparing char* keys.
+ *
+ * @param key			key to compare
+ * @param other_key		other key to compare
+ * @return				TRUE if streq(key, other_key)
+ */
+bool hashtable_equals_str(void *key, void *other_key);
+
 /**
  * Class implementing a hash table.
  *
@@ -121,7 +155,6 @@ struct hashtable_t {
 	 * Destroys a hash table object.
 	 */
 	void (*destroy) (hashtable_t *this);
-
 };
 
 /**
diff --git a/src/libstrongswan/collections/linked_list.c b/src/libstrongswan/collections/linked_list.c
index 1ff80999b..a176e5a54 100644
--- a/src/libstrongswan/collections/linked_list.c
+++ b/src/libstrongswan/collections/linked_list.c
@@ -138,7 +138,10 @@ METHOD(enumerator_t, enumerate, bool,
 		this->finished = TRUE;
 		return FALSE;
 	}
-	*item = this->current->value;
+	if (item)
+	{
+		*item = this->current->value;
+	}
 	return TRUE;
 }
 
@@ -165,16 +168,6 @@ METHOD(linked_list_t, reset_enumerator, void,
 	enumerator->finished = FALSE;
 }
 
-METHOD(linked_list_t, has_more, bool,
-	private_linked_list_t *this, private_enumerator_t *enumerator)
-{
-	if (enumerator->current)
-	{
-		return enumerator->current->next != NULL;
-	}
-	return !enumerator->finished && this->first != NULL;
-}
-
 METHOD(linked_list_t, get_count, int,
 	private_linked_list_t *this)
 {
@@ -316,20 +309,6 @@ METHOD(linked_list_t, insert_before, void,
 	this->count++;
 }
 
-METHOD(linked_list_t, replace, void*,
-	private_linked_list_t *this, private_enumerator_t *enumerator,
-	void *item)
-{
-	void *old = NULL;
-
-	if (enumerator->current)
-	{
-		old = enumerator->current->value;
-		enumerator->current->value = item;
-	}
-	return old;
-}
-
 METHOD(linked_list_t, get_last, status_t,
 	private_linked_list_t *this, void **item)
 {
@@ -409,28 +388,6 @@ METHOD(linked_list_t, find_first, status_t,
 	return NOT_FOUND;
 }
 
-METHOD(linked_list_t, find_last, status_t,
-	private_linked_list_t *this, linked_list_match_t match,
-	void **item, void *d1, void *d2, void *d3, void *d4, void *d5)
-{
-	element_t *current = this->last;
-
-	while (current)
-	{
-		if ((match && match(current->value, d1, d2, d3, d4, d5)) ||
-			(!match && item && current->value == *item))
-		{
-			if (item != NULL)
-			{
-				*item = current->value;
-			}
-			return SUCCESS;
-		}
-		current = current->previous;
-	}
-	return NOT_FOUND;
-}
-
 METHOD(linked_list_t, invoke_offset, void,
 	private_linked_list_t *this, size_t offset,
 	void *d1, void *d2, void *d3, void *d4, void *d5)
@@ -476,21 +433,6 @@ METHOD(linked_list_t, clone_offset, linked_list_t*,
 	return clone;
 }
 
-METHOD(linked_list_t, clone_function, linked_list_t*,
-	private_linked_list_t *this, void* (*fn)(void*))
-{
-	element_t *current = this->first;
-	linked_list_t *clone;
-
-	clone = linked_list_create();
-	while (current)
-	{
-		clone->insert_last(clone, fn(current->value));
-		current = current->next;
-	}
-	return clone;
-}
-
 METHOD(linked_list_t, destroy, void,
 	private_linked_list_t *this)
 {
@@ -548,15 +490,12 @@ linked_list_t *linked_list_create()
 			.get_count = _get_count,
 			.create_enumerator = _create_enumerator,
 			.reset_enumerator = (void*)_reset_enumerator,
-			.has_more = (void*)_has_more,
 			.get_first = _get_first,
 			.get_last = _get_last,
 			.find_first = (void*)_find_first,
-			.find_last = (void*)_find_last,
 			.insert_first = _insert_first,
 			.insert_last = _insert_last,
 			.insert_before = (void*)_insert_before,
-			.replace = (void*)_replace,
 			.remove_first = _remove_first,
 			.remove_last = _remove_last,
 			.remove = _remove_,
@@ -564,7 +503,6 @@ linked_list_t *linked_list_create()
 			.invoke_offset = (void*)_invoke_offset,
 			.invoke_function = (void*)_invoke_function,
 			.clone_offset = _clone_offset,
-			.clone_function = _clone_function,
 			.destroy = _destroy,
 			.destroy_offset = _destroy_offset,
 			.destroy_function = _destroy_function,
diff --git a/src/libstrongswan/collections/linked_list.h b/src/libstrongswan/collections/linked_list.h
index da539a231..abc33c12a 100644
--- a/src/libstrongswan/collections/linked_list.h
+++ b/src/libstrongswan/collections/linked_list.h
@@ -77,14 +77,6 @@ struct linked_list_t {
 	 */
 	void (*reset_enumerator)(linked_list_t *this, enumerator_t *enumerator);
 
-	/**
-	 * Checks if there are more elements following after the enumerator's
-	 * current position.
-	 *
-	 * @param enumerator	enumerator to check
-	 */
-	bool (*has_more)(linked_list_t *this, enumerator_t *enumerator);
-
 	/**
 	 * Inserts a new item at the beginning of the list.
 	 *
@@ -116,16 +108,6 @@ struct linked_list_t {
 	void (*insert_before)(linked_list_t *this, enumerator_t *enumerator,
 						  void *item);
 
-	/**
-	 * Replaces the item the enumerator currently points to with the given item.
-	 *
-	 * @param enumerator	enumerator with position
-	 * @param item			item value to replace current item with
-	 * @return				current item or NULL if the enumerator is at an
-	 *						invalid position
-	 */
-	void *(*replace)(linked_list_t *this, enumerator_t *enumerator, void *item);
-
 	/**
 	 * Remove an item from the list where the enumerator points to.
 	 *
@@ -180,7 +162,8 @@ struct linked_list_t {
 	 */
 	status_t (*get_last) (linked_list_t *this, void **item);
 
-	/** Find the first matching element in the list.
+	/**
+	 * Find the first matching element in the list.
 	 *
 	 * The first object passed to the match function is the current list item,
 	 * followed by the user supplied data.
@@ -200,26 +183,6 @@ struct linked_list_t {
 	status_t (*find_first) (linked_list_t *this, linked_list_match_t match,
 							void **item, ...);
 
-	/** Find the last matching element in the list.
-	 *
-	 * The first object passed to the match function is the current list item,
-	 * followed by the user supplied data.
-	 * If the supplied function returns TRUE this function returns SUCCESS, and
-	 * the current object is returned in the third parameter, otherwise,
-	 * the next item is checked.
-	 *
-	 * If match is NULL, *item and the current object are compared.
-	 *
-	 * @warning Only use pointers as user supplied data.
-	 *
-	 * @param match			comparison function to call on each object, or NULL
-	 * @param item			the list item, if found
-	 * @param ...			user data to supply to match function (limited to 5 arguments)
-	 * @return				SUCCESS if found, NOT_FOUND otherwise
-	 */
-	status_t (*find_last) (linked_list_t *this, linked_list_match_t match,
-						   void **item, ...);
-
 	/**
 	 * Invoke a method on all of the contained objects.
 	 *
@@ -254,14 +217,6 @@ struct linked_list_t {
 	 */
 	linked_list_t *(*clone_offset) (linked_list_t *this, size_t offset);
 
-	/**
-	 * Clones a list and its objects using a given function.
-	 *
-	 * @param function	function that clones an object
-	 * @return			cloned list
-	 */
-	linked_list_t *(*clone_function) (linked_list_t *this, void*(*)(void*));
-
 	/**
 	 * Destroys a linked_list object.
 	 */
diff --git a/src/libstrongswan/credentials/auth_cfg.c b/src/libstrongswan/credentials/auth_cfg.c
index d2d0a7d72..2203519e2 100644
--- a/src/libstrongswan/credentials/auth_cfg.c
+++ b/src/libstrongswan/credentials/auth_cfg.c
@@ -18,7 +18,7 @@
 
 #include <library.h>
 #include <utils/debug.h>
-#include <collections/linked_list.h>
+#include <collections/array.h>
 #include <utils/identification.h>
 #include <eap/eap.h>
 #include <credentials/certificates/certificate.h>
@@ -109,9 +109,9 @@ struct private_auth_cfg_t {
 	auth_cfg_t public;
 
 	/**
-	 * list of entry_t
+	 * Array of entry_t
 	 */
-	linked_list_t *entries;
+	array_t *entries;
 };
 
 typedef struct entry_t entry_t;
@@ -184,18 +184,16 @@ METHOD(auth_cfg_t, create_enumerator, enumerator_t*,
 			.enumerate = (void*)enumerate,
 			.destroy = (void*)entry_enumerator_destroy,
 		},
-		.inner = this->entries->create_enumerator(this->entries),
+		.inner = array_create_enumerator(this->entries),
 	);
 	return &enumerator->public;
 }
 
 /**
- * Create an entry from the given arguments.
+ * Initialize an entry.
  */
-static entry_t *entry_create(auth_rule_t type, va_list args)
+static void init_entry(entry_t *this, auth_rule_t type, va_list args)
 {
-	entry_t *this = malloc_thing(entry_t);
-
 	this->type = type;
 	switch (type)
 	{
@@ -233,7 +231,6 @@ static entry_t *entry_create(auth_rule_t type, va_list args)
 			this->value = NULL;
 			break;
 	}
-	return this;
 }
 
 /**
@@ -481,21 +478,21 @@ METHOD(auth_cfg_t, get, void*,
  */
 static void add(private_auth_cfg_t *this, auth_rule_t type, ...)
 {
-	entry_t *entry;
+	entry_t entry;
 	va_list args;
 
 	va_start(args, type);
-	entry = entry_create(type, args);
+	init_entry(&entry, type, args);
 	va_end(args);
 
 	if (is_multi_value_rule(type))
 	{	/* insert rules that may occur multiple times at the end */
-		this->entries->insert_last(this->entries, entry);
+		array_insert(this->entries, ARRAY_TAIL, &entry);
 	}
 	else
 	{	/* insert rules we expect only once at the front (get() will return
 		 * the latest value) */
-		this->entries->insert_first(this->entries, entry);
+		array_insert(this->entries, ARRAY_HEAD, &entry);
 	}
 }
 
@@ -917,13 +914,13 @@ static void merge(private_auth_cfg_t *this, private_auth_cfg_t *other, bool copy
 	}
 	else
 	{
-		entry_t *entry;
+		entry_t entry;
 
-		while (other->entries->remove_first(other->entries,
-											(void**)&entry) == SUCCESS)
+		while (array_remove(other->entries, ARRAY_HEAD, &entry))
 		{
-			this->entries->insert_last(this->entries, entry);
+			array_insert(this->entries, ARRAY_TAIL, &entry);
 		}
+		array_compress(other->entries);
 	}
 }
 
@@ -938,12 +935,12 @@ static bool auth_cfg_equals(private_auth_cfg_t *this, private_auth_cfg_t *other)
 
 	/* the rule count does not have to be equal for the two, as we only compare
 	 * the first value found for some rules */
-	e1 = this->entries->create_enumerator(this->entries);
+	e1 = array_create_enumerator(this->entries);
 	while (e1->enumerate(e1, &i1))
 	{
 		found = FALSE;
 
-		e2 = other->entries->create_enumerator(other->entries);
+		e2 = array_create_enumerator(other->entries);
 		while (e2->enumerate(e2, &i2))
 		{
 			if (entry_equals(i1, i2))
@@ -984,27 +981,21 @@ static bool equals(private_auth_cfg_t *this, private_auth_cfg_t *other)
 METHOD(auth_cfg_t, purge, void,
 	private_auth_cfg_t *this, bool keep_ca)
 {
+	enumerator_t *enumerator;
 	entry_t *entry;
-	linked_list_t *cas;
 
-	cas = linked_list_create();
-	while (this->entries->remove_last(this->entries, (void**)&entry) == SUCCESS)
+	enumerator = array_create_enumerator(this->entries);
+	while (enumerator->enumerate(enumerator, &entry))
 	{
-		if (keep_ca && entry->type == AUTH_RULE_CA_CERT)
-		{
-			cas->insert_first(cas, entry);
-		}
-		else
+		if (!keep_ca || entry->type != AUTH_RULE_CA_CERT)
 		{
+			array_remove_at(this->entries, enumerator);
 			destroy_entry_value(entry);
-			free(entry);
 		}
 	}
-	while (cas->remove_last(cas, (void**)&entry) == SUCCESS)
-	{
-		this->entries->insert_first(this->entries, entry);
-	}
-	cas->destroy(cas);
+	enumerator->destroy(enumerator);
+
+	array_compress(this->entries);
 }
 
 METHOD(auth_cfg_t, clone_, auth_cfg_t*,
@@ -1074,7 +1065,7 @@ METHOD(auth_cfg_t, destroy, void,
 	private_auth_cfg_t *this)
 {
 	purge(this, FALSE);
-	this->entries->destroy(this->entries);
+	array_destroy(this->entries);
 	free(this);
 }
 
@@ -1098,7 +1089,7 @@ auth_cfg_t *auth_cfg_create()
 			.clone = _clone_,
 			.destroy = _destroy,
 		},
-		.entries = linked_list_create(),
+		.entries = array_create(sizeof(entry_t), 0),
 	);
 
 	return &this->public;
diff --git a/src/libstrongswan/credentials/builder.c b/src/libstrongswan/credentials/builder.c
index f5858382f..6710dfb54 100644
--- a/src/libstrongswan/credentials/builder.c
+++ b/src/libstrongswan/credentials/builder.c
@@ -24,6 +24,7 @@ ENUM(builder_part_names, BUILD_FROM_FILE, BUILD_END,
 	"BUILD_BLOB_PEM",
 	"BUILD_BLOB_PGP",
 	"BUILD_BLOB_DNSKEY",
+	"BUILD_BLOB_SSHKEY",
 	"BUILD_BLOB_ALGID_PARAMS",
 	"BUILD_KEY_SIZE",
 	"BUILD_SIGNING_KEY",
diff --git a/src/libstrongswan/credentials/builder.h b/src/libstrongswan/credentials/builder.h
index 740041aac..5ab462fa8 100644
--- a/src/libstrongswan/credentials/builder.h
+++ b/src/libstrongswan/credentials/builder.h
@@ -59,6 +59,8 @@ enum builder_part_t {
 	BUILD_BLOB_PGP,
 	/** DNS public key blob (RFC 4034, RSA specifc RFC 3110), chunk_t */
 	BUILD_BLOB_DNSKEY,
+	/** SSH public key blob (RFC 4253), chunk_t */
+	BUILD_BLOB_SSHKEY,
 	/** parameters from algorithmIdentifier (ASN.1 blob), chunk_t */
 	BUILD_BLOB_ALGID_PARAMS,
 	/** key size in bits, as used for key generation, u_int */
diff --git a/src/libstrongswan/credentials/cert_validator.h b/src/libstrongswan/credentials/cert_validator.h
index 325fa0af3..6b28f35c1 100644
--- a/src/libstrongswan/credentials/cert_validator.h
+++ b/src/libstrongswan/credentials/cert_validator.h
@@ -53,6 +53,9 @@ struct cert_validator_t {
 	/**
 	 * Validate a subject certificate in relation to its issuer.
 	 *
+	 * If FALSE is returned, the validator should call_hook() on the
+	 * credential manager with an appropriate type and the certificate.
+	 *
 	 * @param subject		subject certificate to check
 	 * @param issuer		issuer of subject
 	 * @param online		whether to do online revocation checking
diff --git a/src/libstrongswan/credentials/certificates/certificate.c b/src/libstrongswan/credentials/certificates/certificate.c
index bc4209ca7..b281c1669 100644
--- a/src/libstrongswan/credentials/certificates/certificate.c
+++ b/src/libstrongswan/credentials/certificates/certificate.c
@@ -18,7 +18,7 @@
 #include <utils/debug.h>
 #include <credentials/certificates/x509.h>
 
-ENUM(certificate_type_names, CERT_ANY, CERT_PLUTO_CRL,
+ENUM(certificate_type_names, CERT_ANY, CERT_GPG,
 	"ANY",
 	"X509",
 	"X509_CRL",
@@ -28,9 +28,6 @@ ENUM(certificate_type_names, CERT_ANY, CERT_PLUTO_CRL,
 	"TRUSTED_PUBKEY",
 	"PKCS10_REQUEST",
 	"PGP",
-	"PLUTO_CERT",
-	"PLUTO_AC",
-	"PLUTO_CRL",
 );
 
 ENUM(cert_validation_names, VALIDATION_GOOD, VALIDATION_REVOKED,
diff --git a/src/libstrongswan/credentials/certificates/certificate.h b/src/libstrongswan/credentials/certificates/certificate.h
index b7a88ffbd..d59126bd5 100644
--- a/src/libstrongswan/credentials/certificates/certificate.h
+++ b/src/libstrongswan/credentials/certificates/certificate.h
@@ -52,10 +52,6 @@ enum certificate_type_t {
 	CERT_PKCS10_REQUEST,
 	/** PGP certificate */
 	CERT_GPG,
-	/** Pluto cert_t (not a certificate_t), either x509 or PGP */
-	CERT_PLUTO_CERT,
-	/** Pluto x509crl_t (not a certificate_t), certificate revocation list */
-	CERT_PLUTO_CRL,
 };
 
 /**
diff --git a/src/libstrongswan/credentials/containers/container.c b/src/libstrongswan/credentials/containers/container.c
index d1e67b21b..7456d43db 100644
--- a/src/libstrongswan/credentials/containers/container.c
+++ b/src/libstrongswan/credentials/containers/container.c
@@ -15,9 +15,11 @@
 
 #include "container.h"
 
-ENUM(container_type_names, CONTAINER_PKCS7, CONTAINER_PKCS7_ENVELOPED_DATA,
+ENUM(container_type_names, CONTAINER_PKCS7, CONTAINER_PKCS12,
 	"PKCS7",
 	"PKCS7_DATA",
 	"PKCS7_SIGNED_DATA",
 	"PKCS7_ENVELOPED_DATA",
+	"PKCS7_ENCRYPTED_DATA",
+	"PKCS12",
 );
diff --git a/src/libstrongswan/credentials/containers/container.h b/src/libstrongswan/credentials/containers/container.h
index fc5c09041..ee329881d 100644
--- a/src/libstrongswan/credentials/containers/container.h
+++ b/src/libstrongswan/credentials/containers/container.h
@@ -1,4 +1,7 @@
 /*
+ * Copyright (C) 2013 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
  * Copyright (C) 2012 Martin Willi
  * Copyright (C) 2012 revosec AG
  *
@@ -31,14 +34,18 @@ typedef enum container_type_t container_type_t;
  * Type of the container.
  */
 enum container_type_t {
-	/** Any kind of PKCS7/CMS container */
+	/** Any kind of PKCS#7/CMS container */
 	CONTAINER_PKCS7,
-	/** PKCS7/CMS plain "data" */
+	/** PKCS#7/CMS plain "data" */
 	CONTAINER_PKCS7_DATA,
-	/** PKCS7/CMS "signed-data" */
+	/** PKCS#7/CMS "signed-data" */
 	CONTAINER_PKCS7_SIGNED_DATA,
-	/** PKCS7/CMS "enveloped-data" */
+	/** PKCS#7/CMS "enveloped-data" */
 	CONTAINER_PKCS7_ENVELOPED_DATA,
+	/** PKCS#7/CMS "encrypted-data" */
+	CONTAINER_PKCS7_ENCRYPTED_DATA,
+	/** A PKCS#12 container */
+	CONTAINER_PKCS12,
 };
 
 /**
diff --git a/src/libstrongswan/credentials/containers/pkcs12.c b/src/libstrongswan/credentials/containers/pkcs12.c
new file mode 100644
index 000000000..7b812d27d
--- /dev/null
+++ b/src/libstrongswan/credentials/containers/pkcs12.c
@@ -0,0 +1,173 @@
+/*
+ * Copyright (C) 2013 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "pkcs12.h"
+
+#include <utils/debug.h>
+
+/**
+ * v * ceiling(len/v)
+ */
+#define PKCS12_LEN(len, v) (((len) + v-1) & ~(v-1))
+
+/**
+ * Copy src to dst as many times as possible
+ */
+static inline void copy_chunk(chunk_t dst, chunk_t src)
+{
+	size_t i;
+
+	for (i = 0; i < dst.len; i++)
+	{
+		dst.ptr[i] = src.ptr[i % src.len];
+	}
+}
+
+/**
+ * Treat two chunks as integers in network order and add them together.
+ * The result is stored in the first chunk, if the second chunk is longer or the
+ * result overflows this is ignored.
+ */
+static void add_chunks(chunk_t a, chunk_t b)
+{
+	u_int16_t sum;
+	u_int8_t rem = 0;
+	ssize_t i, j;
+
+	for (i = a.len - 1, j = b.len -1; i >= 0 && j >= 0; i--, j--)
+	{
+		sum = a.ptr[i] + b.ptr[j] + rem;
+		a.ptr[i] = (u_char)sum;
+		rem = sum >> 8;
+	}
+	for (; i >= 0 && rem; i--)
+	{
+		sum = a.ptr[i] + rem;
+		a.ptr[i] = (u_char)sum;
+		rem = sum >> 8;
+	}
+}
+
+/**
+ * Do the actual key derivation with the given hasher, password and id.
+ */
+static bool derive_key(hash_algorithm_t hash, chunk_t unicode, chunk_t salt,
+					   u_int64_t iterations, char id, chunk_t result)
+{
+	chunk_t out = result, D, S, P = chunk_empty, I, Ai, B, Ij;
+	hasher_t *hasher;
+	size_t Slen, v, u;
+	u_int64_t i;
+	bool success = FALSE;
+
+	hasher = lib->crypto->create_hasher(lib->crypto, hash);
+	if (!hasher)
+	{
+		DBG1(DBG_ASN, "  %N hash algorithm not available",
+			 hash_algorithm_names, hash);
+		return  FALSE;
+	}
+	switch (hash)
+	{
+		case HASH_MD2:
+		case HASH_MD5:
+		case HASH_SHA1:
+		case HASH_SHA224:
+		case HASH_SHA256:
+			v = 64;
+			break;
+		case HASH_SHA384:
+		case HASH_SHA512:
+			v = 128;
+			break;
+		default:
+			goto end;
+	}
+	u = hasher->get_hash_size(hasher);
+
+	D = chunk_alloca(v);
+	memset(D.ptr, id, D.len);
+
+	Slen = PKCS12_LEN(salt.len, v);
+	I = chunk_alloca(Slen + PKCS12_LEN(unicode.len, v));
+	S = chunk_create(I.ptr, Slen);
+	P = chunk_create(I.ptr + Slen, I.len - Slen);
+	copy_chunk(S, salt);
+	copy_chunk(P, unicode);
+
+	Ai = chunk_alloca(u);
+	B = chunk_alloca(v);
+
+	while (TRUE)
+	{
+		if (!hasher->get_hash(hasher, D, NULL) ||
+			!hasher->get_hash(hasher, I, Ai.ptr))
+		{
+			goto end;
+		}
+		for (i = 1; i < iterations; i++)
+		{
+			if (!hasher->get_hash(hasher, Ai, Ai.ptr))
+			{
+				goto end;
+			}
+		}
+		memcpy(out.ptr, Ai.ptr, min(out.len, Ai.len));
+		out = chunk_skip(out, Ai.len);
+		if (!out.len)
+		{
+			break;
+		}
+		copy_chunk(B, Ai);
+		/* B = B+1 */
+		add_chunks(B, chunk_from_chars(0x01));
+		Ij = chunk_create(I.ptr, v);
+		for (i = 0; i < I.len; i += v, Ij.ptr += v)
+		{	/* Ij = Ij + B + 1 */
+			add_chunks(Ij, B);
+		}
+	}
+	success = TRUE;
+end:
+	hasher->destroy(hasher);
+	return success;
+}
+
+/*
+ * Described in header
+ */
+bool pkcs12_derive_key(hash_algorithm_t hash, chunk_t password, chunk_t salt,
+					   u_int64_t iterations, pkcs12_key_type_t type, chunk_t key)
+{
+	chunk_t unicode = chunk_empty;
+	bool success;
+	int i;
+
+	if (password.len)
+	{	/* convert the password to UTF-16BE (without BOM) with 0 terminator */
+		unicode = chunk_alloca(password.len * 2 + 2);
+		for (i = 0; i < password.len; i++)
+		{
+			unicode.ptr[i * 2] = 0;
+			unicode.ptr[i * 2 + 1] = password.ptr[i];
+		}
+		unicode.ptr[i * 2] = 0;
+		unicode.ptr[i * 2 + 1] = 0;
+	}
+
+	success = derive_key(hash, unicode, salt, iterations, type, key);
+	memwipe(unicode.ptr, unicode.len);
+	return success;
+}
diff --git a/src/libstrongswan/credentials/containers/pkcs12.h b/src/libstrongswan/credentials/containers/pkcs12.h
new file mode 100644
index 000000000..f22ef045a
--- /dev/null
+++ b/src/libstrongswan/credentials/containers/pkcs12.h
@@ -0,0 +1,78 @@
+/*
+ * Copyright (C) 2013 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup pkcs12 pkcs12
+ * @{ @ingroup containers
+ */
+
+#ifndef PKCS12_H_
+#define PKCS12_H_
+
+#include <credentials/containers/container.h>
+#include <crypto/hashers/hasher.h>
+
+typedef enum pkcs12_key_type_t pkcs12_key_type_t;
+typedef struct pkcs12_t pkcs12_t;
+
+/**
+ * The types of password based keys used by PKCS#12.
+ */
+enum pkcs12_key_type_t {
+	PKCS12_KEY_ENCRYPTION = 1,
+	PKCS12_KEY_IV = 2,
+	PKCS12_KEY_MAC = 3,
+};
+
+/**
+ * PKCS#12/PFX container type.
+ */
+struct pkcs12_t {
+
+	/**
+	 * Implements container_t.
+	 */
+	container_t container;
+
+	/**
+	 * Create an enumerator over extracted certificates.
+	 *
+	 * @return			enumerator over certificate_t
+	 */
+	enumerator_t* (*create_cert_enumerator)(pkcs12_t *this);
+
+	/**
+	 * Create an enumerator over extracted private keys.
+	 *
+	 * @return			enumerator over private_key_t
+	 */
+	enumerator_t* (*create_key_enumerator)(pkcs12_t *this);
+};
+
+/**
+ * Derive the keys used in PKCS#12 for password integrity/privacy mode.
+ *
+ * @param hash			hash algorithm to use for key derivation
+ * @param password		password (ASCII)
+ * @param salt			salt value
+ * @param iterations	number of iterations
+ * @param type			type of key to derive
+ * @param key			the returned key, must be allocated of desired length
+ * @return				TRUE on success
+ */
+bool pkcs12_derive_key(hash_algorithm_t hash, chunk_t password, chunk_t salt,
+					u_int64_t iterations, pkcs12_key_type_t type, chunk_t key);
+
+#endif /** PKCS12_H_ @}*/
diff --git a/src/libstrongswan/credentials/credential_manager.c b/src/libstrongswan/credentials/credential_manager.c
index f4cd9b9e6..de19c8d96 100644
--- a/src/libstrongswan/credentials/credential_manager.c
+++ b/src/libstrongswan/credentials/credential_manager.c
@@ -81,6 +81,16 @@ struct private_credential_manager_t {
 	 * mutex for cache queue
 	 */
 	mutex_t *queue_mutex;
+
+	/**
+	 * Registered hook to call on validation errors
+	 */
+	credential_hook_t hook;
+
+	/**
+	 * Registered data to pass to hook
+	 */
+	void *hook_data;
 };
 
 /** data to pass to create_private_enumerator */
@@ -126,6 +136,22 @@ typedef struct {
 	enumerator_t *exclusive;
 } sets_enumerator_t;
 
+METHOD(credential_manager_t, set_hook, void,
+	private_credential_manager_t *this, credential_hook_t hook, void *data)
+{
+	this->hook = hook;
+	this->hook_data = data;
+}
+
+METHOD(credential_manager_t, call_hook, void,
+	private_credential_manager_t *this, credential_hook_type_t type,
+	certificate_t *cert)
+{
+	if (this->hook)
+	{
+		this->hook(this->hook_data, type, cert);
+	}
+}
 
 METHOD(enumerator_t, sets_enumerate, bool,
 	sets_enumerator_t *this, credential_set_t **set)
@@ -378,8 +404,8 @@ METHOD(credential_manager_t, get_shared, shared_key_t*,
 	identification_t *me, identification_t *other)
 {
 	shared_key_t *current, *found = NULL;
-	id_match_t *best_me = ID_MATCH_NONE, *best_other = ID_MATCH_NONE;
-	id_match_t *match_me, *match_other;
+	id_match_t best_me = ID_MATCH_NONE, best_other = ID_MATCH_NONE;
+	id_match_t match_me, match_other;
 	enumerator_t *enumerator;
 
 	enumerator = create_shared_enumerator(this, type, me, other);
@@ -393,6 +419,10 @@ METHOD(credential_manager_t, get_shared, shared_key_t*,
 			best_me = match_me;
 			best_other = match_other;
 		}
+		if (best_me == ID_MATCH_PERFECT && best_other == ID_MATCH_PERFECT)
+		{
+			break;
+		}
 	}
 	enumerator->destroy(enumerator);
 	return found;
@@ -549,15 +579,17 @@ static bool check_lifetime(private_credential_manager_t *this,
 			{
 				DBG1(DBG_CFG, "%s certificate invalid (valid from %T to %T)",
 					 label, &not_before, FALSE, &not_after, FALSE);
-				return FALSE;
+				break;
 			}
 			return TRUE;
 		case SUCCESS:
 			return TRUE;
 		case FAILED:
 		default:
-			return FALSE;
+			break;
 	}
+	call_hook(this, CRED_HOOK_EXPIRED, cert);
+	return FALSE;
 }
 
 /**
@@ -718,9 +750,10 @@ static bool verify_trust_chain(private_credential_manager_t *this,
 			{
 				if (current->equals(current, issuer))
 				{
-					DBG1(DBG_CFG, "  self-signed certificate \"%Y\" is not trusted",
-						 current->get_subject(current));
+					DBG1(DBG_CFG, "  self-signed certificate \"%Y\" is not "
+						 "trusted", current->get_subject(current));
 					issuer->destroy(issuer);
+					call_hook(this, CRED_HOOK_UNTRUSTED_ROOT, current);
 					break;
 				}
 				auth->add(auth, AUTH_RULE_IM_CERT, issuer->get_ref(issuer));
@@ -732,6 +765,7 @@ static bool verify_trust_chain(private_credential_manager_t *this,
 			{
 				DBG1(DBG_CFG, "no issuer certificate found for \"%Y\"",
 					 current->get_subject(current));
+				call_hook(this, CRED_HOOK_NO_ISSUER, current);
 				break;
 			}
 		}
@@ -750,8 +784,8 @@ static bool verify_trust_chain(private_credential_manager_t *this,
 		current = issuer;
 		if (trusted)
 		{
-			DBG1(DBG_CFG, "  reached self-signed root ca with a path length of %d",
-						  pathlen);
+			DBG1(DBG_CFG, "  reached self-signed root ca with a "
+				 "path length of %d", pathlen);
 			break;
 		}
 	}
@@ -759,6 +793,7 @@ static bool verify_trust_chain(private_credential_manager_t *this,
 	if (pathlen > MAX_TRUST_PATH_LEN)
 	{
 		DBG1(DBG_CFG, "maximum path length of %d exceeded", MAX_TRUST_PATH_LEN);
+		call_hook(this, CRED_HOOK_EXCEEDED_PATH_LEN, subject);
 	}
 	if (trusted)
 	{
@@ -1301,6 +1336,8 @@ credential_manager_t *credential_manager_create()
 			.remove_local_set = _remove_local_set,
 			.add_validator = _add_validator,
 			.remove_validator = _remove_validator,
+			.set_hook = _set_hook,
+			.call_hook = _call_hook,
 			.destroy = _destroy,
 		},
 		.sets = linked_list_create(),
diff --git a/src/libstrongswan/credentials/credential_manager.h b/src/libstrongswan/credentials/credential_manager.h
index 73c585734..445ea3f9c 100644
--- a/src/libstrongswan/credentials/credential_manager.h
+++ b/src/libstrongswan/credentials/credential_manager.h
@@ -22,6 +22,7 @@
 #define CREDENTIAL_MANAGER_H_
 
 typedef struct credential_manager_t credential_manager_t;
+typedef enum credential_hook_type_t credential_hook_type_t;
 
 #include <utils/identification.h>
 #include <collections/enumerator.h>
@@ -32,6 +33,37 @@ typedef struct credential_manager_t credential_manager_t;
 #include <credentials/certificates/certificate.h>
 #include <credentials/cert_validator.h>
 
+/**
+ * Type of a credential hook error/event.
+ */
+enum credential_hook_type_t {
+	/** The certificate has expired (or is not yet valid) */
+	CRED_HOOK_EXPIRED,
+	/** The certificate has been revoked */
+	CRED_HOOK_REVOKED,
+	/** Checking certificate revocation failed. This does not necessarily mean
+	 *  the certificate is rejected, just that revocation checking failed. */
+	CRED_HOOK_VALIDATION_FAILED,
+	/** No trusted issuer certificate has been found for this certificate */
+	CRED_HOOK_NO_ISSUER,
+	/** Encountered a self-signed (root) certificate, but it is not trusted */
+	CRED_HOOK_UNTRUSTED_ROOT,
+	/** Maximum trust chain length exceeded for certificate */
+	CRED_HOOK_EXCEEDED_PATH_LEN,
+	/** The certificate violates some other kind of policy and gets rejected */
+	CRED_HOOK_POLICY_VIOLATION,
+};
+
+/**
+ * Hook function to invoke on certificate validation errors.
+ *
+ * @param data			user data supplied during hook registration
+ * @param type			type of validation error/event
+ * @param cert			associated certificate
+ */
+typedef void (*credential_hook_t)(void *data, credential_hook_type_t type,
+								  certificate_t *cert);
+
 /**
  * Manages credentials using credential_sets.
  *
@@ -262,6 +294,28 @@ struct credential_manager_t {
 	 */
 	void (*remove_validator)(credential_manager_t *this, cert_validator_t *vdtr);
 
+	/**
+	 * Set a hook to call on certain credential validation errors.
+	 *
+	 * @param hook		hook to register, NULL to unregister
+	 * @param data		data to pass to hook
+	 */
+	void (*set_hook)(credential_manager_t *this, credential_hook_t hook,
+					 void *data);
+
+	/**
+	 * Call the registered credential hook, if any.
+	 *
+	 * While hooks are usually called by the credential manager itself, some
+	 * validator plugins might raise hooks as well if they consider certificates
+	 * invalid.
+	 *
+	 * @param type		type of the event
+	 * @param cert		associated certificate
+	 */
+	void (*call_hook)(credential_manager_t *this, credential_hook_type_t type,
+					  certificate_t *cert);
+
 	/**
 	 * Destroy a credential_manager instance.
 	 */
diff --git a/src/libstrongswan/credentials/keys/public_key.h b/src/libstrongswan/credentials/keys/public_key.h
index fdbe17f2c..2afcf8325 100644
--- a/src/libstrongswan/credentials/keys/public_key.h
+++ b/src/libstrongswan/credentials/keys/public_key.h
@@ -192,7 +192,7 @@ struct public_key_t {
 	/**
 	 * Get the key in an encoded form as a chunk.
 	 *
-	 * @param type		type of the encoding, one of PRIVKEY_*
+	 * @param type		type of the encoding, one of PUBKEY_*
 	 * @param encoding	encoding of the key, allocated
 	 * @return			TRUE if encoding supported
 	 */
diff --git a/src/libstrongswan/crypto/aead.h b/src/libstrongswan/crypto/aead.h
index ec526a3d9..f3959f8f3 100644
--- a/src/libstrongswan/crypto/aead.h
+++ b/src/libstrongswan/crypto/aead.h
@@ -58,7 +58,7 @@ struct aead_t {
 	 * is returned in the encrypted chunk, the last get_icv_size() bytes
 	 * contain the verified ICV.
 	 *
-	 * @param encrypted		data to encrypt and verify
+	 * @param encrypted		data to decrypt and verify
 	 * @param assoc			associated data to verify
 	 * @param iv			initialization vector
 	 * @param plain			allocated result, if successful
@@ -105,7 +105,7 @@ struct aead_t {
 					chunk_t key) __attribute__((warn_unused_result));
 
 	/**
-	 * Destroy a aead_t.
+	 * Destroy an aead_t.
 	 */
 	void (*destroy)(aead_t *this);
 };
diff --git a/src/libstrongswan/crypto/crypters/crypter.c b/src/libstrongswan/crypto/crypters/crypter.c
index 0730c707c..8123adde5 100644
--- a/src/libstrongswan/crypto/crypters/crypter.c
+++ b/src/libstrongswan/crypto/crypters/crypter.c
@@ -46,12 +46,13 @@ ENUM_NEXT(encryption_algorithm_names, ENCR_CAMELLIA_CBC, ENCR_CAMELLIA_CCM_ICV16
 	"CAMELLIA_CCM_8",
 	"CAMELLIA_CCM_12",
 	"CAMELLIA_CCM_16");
-ENUM_NEXT(encryption_algorithm_names, ENCR_UNDEFINED, ENCR_TWOFISH_CBC, ENCR_CAMELLIA_CCM_ICV16,
+ENUM_NEXT(encryption_algorithm_names, ENCR_UNDEFINED, ENCR_RC2_CBC, ENCR_CAMELLIA_CCM_ICV16,
 	"UNDEFINED",
 	"DES_ECB",
 	"SERPENT_CBC",
-	"TWOFISH_CBC");
-ENUM_END(encryption_algorithm_names, ENCR_TWOFISH_CBC);
+	"TWOFISH_CBC",
+	"RC2_CBC");
+ENUM_END(encryption_algorithm_names, ENCR_RC2_CBC);
 
 /*
  * Described in header.
diff --git a/src/libstrongswan/crypto/crypters/crypter.h b/src/libstrongswan/crypto/crypters/crypter.h
index fe854f53d..849aea500 100644
--- a/src/libstrongswan/crypto/crypters/crypter.h
+++ b/src/libstrongswan/crypto/crypters/crypter.h
@@ -60,7 +60,9 @@ enum encryption_algorithm_t {
 	ENCR_UNDEFINED =        1024,
 	ENCR_DES_ECB =          1025,
 	ENCR_SERPENT_CBC =      1026,
-	ENCR_TWOFISH_CBC =      1027
+	ENCR_TWOFISH_CBC =      1027,
+	/* see macros below to handle RC2 (effective) key length */
+	ENCR_RC2_CBC =          1028,
 };
 
 #define DES_BLOCK_SIZE			 8
@@ -70,6 +72,15 @@ enum encryption_algorithm_t {
 #define SERPENT_BLOCK_SIZE		16
 #define TWOFISH_BLOCK_SIZE		16
 
+/**
+ * For RC2, if the effective key size in bits is not key_size * 8, it should
+ * be encoded with the macro below. It can be decoded with the other two macros.
+ * After decoding the value should be validated.
+ */
+#define RC2_KEY_SIZE(kl, eff) ((kl) | ((eff) << 8))
+#define RC2_EFFECTIVE_KEY_LEN(ks) ((ks) >> 8)
+#define RC2_KEY_LEN(ks) ((ks) & 0xff)
+
 /**
  * enum name for encryption_algorithm_t.
  */
diff --git a/src/libstrongswan/crypto/crypto_factory.c b/src/libstrongswan/crypto/crypto_factory.c
index 5a363e9f0..b89198003 100644
--- a/src/libstrongswan/crypto/crypto_factory.c
+++ b/src/libstrongswan/crypto/crypto_factory.c
@@ -128,6 +128,11 @@ struct private_crypto_factory_t {
 	 */
 	bool bench;
 
+	/**
+	 * Number of failed test vectors during "add".
+	 */
+	u_int test_failures;
+
 	/**
 	 * rwlock to lock access to modules
 	 */
@@ -435,8 +440,8 @@ static void add_entry(private_crypto_factory_t *this, linked_list_t *list,
 	this->lock->unlock(this->lock);
 }
 
-METHOD(crypto_factory_t, add_crypter, void,
-	private_crypto_factory_t *this,	encryption_algorithm_t algo,
+METHOD(crypto_factory_t, add_crypter, bool,
+	private_crypto_factory_t *this, encryption_algorithm_t algo,
 	const char *plugin_name, crypter_constructor_t create)
 {
 	u_int speed = 0;
@@ -446,7 +451,10 @@ METHOD(crypto_factory_t, add_crypter, void,
 								   this->bench ? &speed : NULL,	plugin_name))
 	{
 		add_entry(this, this->crypters, algo, plugin_name, speed, create);
+		return TRUE;
 	}
+	this->test_failures++;
+	return FALSE;
 }
 
 METHOD(crypto_factory_t, remove_crypter, void,
@@ -469,8 +477,8 @@ METHOD(crypto_factory_t, remove_crypter, void,
 	this->lock->unlock(this->lock);
 }
 
-METHOD(crypto_factory_t, add_aead, void,
-	private_crypto_factory_t *this,	encryption_algorithm_t algo,
+METHOD(crypto_factory_t, add_aead, bool,
+	private_crypto_factory_t *this, encryption_algorithm_t algo,
 	const char *plugin_name, aead_constructor_t create)
 {
 	u_int speed = 0;
@@ -480,7 +488,10 @@ METHOD(crypto_factory_t, add_aead, void,
 								this->bench ? &speed : NULL, plugin_name))
 	{
 		add_entry(this, this->aeads, algo, plugin_name, speed, create);
+		return TRUE;
 	}
+	this->test_failures++;
+	return FALSE;
 }
 
 METHOD(crypto_factory_t, remove_aead, void,
@@ -503,8 +514,8 @@ METHOD(crypto_factory_t, remove_aead, void,
 	this->lock->unlock(this->lock);
 }
 
-METHOD(crypto_factory_t, add_signer, void,
-	private_crypto_factory_t *this,	integrity_algorithm_t algo,
+METHOD(crypto_factory_t, add_signer, bool,
+	private_crypto_factory_t *this, integrity_algorithm_t algo,
 	const char *plugin_name, signer_constructor_t create)
 {
 	u_int speed = 0;
@@ -514,7 +525,10 @@ METHOD(crypto_factory_t, add_signer, void,
 								  this->bench ? &speed : NULL, plugin_name))
 	{
 		add_entry(this, this->signers, algo, plugin_name, speed, create);
+		return TRUE;
 	}
+	this->test_failures++;
+	return FALSE;
 }
 
 METHOD(crypto_factory_t, remove_signer, void,
@@ -537,8 +551,8 @@ METHOD(crypto_factory_t, remove_signer, void,
 	this->lock->unlock(this->lock);
 }
 
-METHOD(crypto_factory_t, add_hasher, void,
-	private_crypto_factory_t *this,	hash_algorithm_t algo,
+METHOD(crypto_factory_t, add_hasher, bool,
+	private_crypto_factory_t *this, hash_algorithm_t algo,
 	const char *plugin_name, hasher_constructor_t create)
 {
 	u_int speed = 0;
@@ -548,7 +562,10 @@ METHOD(crypto_factory_t, add_hasher, void,
 								  this->bench ? &speed : NULL, plugin_name))
 	{
 		add_entry(this, this->hashers, algo, plugin_name, speed, create);
+		return TRUE;
 	}
+	this->test_failures++;
+	return FALSE;
 }
 
 METHOD(crypto_factory_t, remove_hasher, void,
@@ -571,8 +588,8 @@ METHOD(crypto_factory_t, remove_hasher, void,
 	this->lock->unlock(this->lock);
 }
 
-METHOD(crypto_factory_t, add_prf, void,
-	private_crypto_factory_t *this,	pseudo_random_function_t algo,
+METHOD(crypto_factory_t, add_prf, bool,
+	private_crypto_factory_t *this, pseudo_random_function_t algo,
 	const char *plugin_name, prf_constructor_t create)
 {
 	u_int speed = 0;
@@ -582,7 +599,10 @@ METHOD(crypto_factory_t, add_prf, void,
 							   this->bench ? &speed : NULL, plugin_name))
 	{
 		add_entry(this, this->prfs, algo, plugin_name, speed, create);
+		return TRUE;
 	}
+	this->test_failures++;
+	return FALSE;
 }
 
 METHOD(crypto_factory_t, remove_prf, void,
@@ -605,7 +625,7 @@ METHOD(crypto_factory_t, remove_prf, void,
 	this->lock->unlock(this->lock);
 }
 
-METHOD(crypto_factory_t, add_rng, void,
+METHOD(crypto_factory_t, add_rng, bool,
 	private_crypto_factory_t *this, rng_quality_t quality,
 	const char *plugin_name, rng_constructor_t create)
 {
@@ -616,7 +636,10 @@ METHOD(crypto_factory_t, add_rng, void,
 							   this->bench ? &speed : NULL, plugin_name))
 	{
 		add_entry(this, this->rngs, quality, plugin_name, speed, create);
+		return TRUE;
 	}
+	this->test_failures++;
+	return FALSE;
 }
 
 METHOD(crypto_factory_t, remove_rng, void,
@@ -639,11 +662,12 @@ METHOD(crypto_factory_t, remove_rng, void,
 	this->lock->unlock(this->lock);
 }
 
-METHOD(crypto_factory_t, add_nonce_gen, void,
+METHOD(crypto_factory_t, add_nonce_gen, bool,
 	private_crypto_factory_t *this, const char *plugin_name,
 	nonce_gen_constructor_t create)
 {
 	add_entry(this, this->nonce_gens, 0, plugin_name, 0, create);
+	return TRUE;
 }
 
 METHOD(crypto_factory_t, remove_nonce_gen, void,
@@ -666,11 +690,12 @@ METHOD(crypto_factory_t, remove_nonce_gen, void,
 	this->lock->unlock(this->lock);
 }
 
-METHOD(crypto_factory_t, add_dh, void,
-	private_crypto_factory_t *this,	diffie_hellman_group_t group,
-	 const char *plugin_name, dh_constructor_t create)
+METHOD(crypto_factory_t, add_dh, bool,
+	private_crypto_factory_t *this, diffie_hellman_group_t group,
+	const char *plugin_name, dh_constructor_t create)
 {
 	add_entry(this, this->dhs, group, plugin_name, 0, create);
+	return TRUE;
 }
 
 METHOD(crypto_factory_t, remove_dh, void,
@@ -875,6 +900,12 @@ METHOD(crypto_factory_t, add_test_vector, void,
 	}
 }
 
+METHOD(crypto_factory_t, get_test_vector_failures, u_int,
+	private_crypto_factory_t *this)
+{
+	return this->test_failures;
+}
+
 METHOD(crypto_factory_t, destroy, void,
 	private_crypto_factory_t *this)
 {
@@ -933,6 +964,7 @@ crypto_factory_t *crypto_factory_create()
 			.create_rng_enumerator = _create_rng_enumerator,
 			.create_nonce_gen_enumerator = _create_nonce_gen_enumerator,
 			.add_test_vector = _add_test_vector,
+			.get_test_vector_failures = _get_test_vector_failures,
 			.destroy = _destroy,
 		},
 		.crypters = linked_list_create(),
@@ -955,4 +987,3 @@ crypto_factory_t *crypto_factory_create()
 
 	return &this->public;
 }
-
diff --git a/src/libstrongswan/crypto/crypto_factory.h b/src/libstrongswan/crypto/crypto_factory.h
index 5d23c8977..256ecec63 100644
--- a/src/libstrongswan/crypto/crypto_factory.h
+++ b/src/libstrongswan/crypto/crypto_factory.h
@@ -162,9 +162,9 @@ struct crypto_factory_t {
 	 * @param algo			algorithm to constructor
 	 * @param plugin_name	plugin that registered this algorithm
 	 * @param create		constructor function for that algorithm
-	 * @return
+	 * @return				TRUE if registered, FALSE if test vector failed
 	 */
-	void (*add_crypter)(crypto_factory_t *this, encryption_algorithm_t algo,
+	bool (*add_crypter)(crypto_factory_t *this, encryption_algorithm_t algo,
 						const char *plugin_name, crypter_constructor_t create);
 
 	/**
@@ -187,9 +187,9 @@ struct crypto_factory_t {
 	 * @param algo			algorithm to constructor
 	 * @param plugin_name	plugin that registered this algorithm
 	 * @param create		constructor function for that algorithm
-	 * @return
+	 * @return				TRUE if registered, FALSE if test vector failed
 	 */
-	void (*add_aead)(crypto_factory_t *this, encryption_algorithm_t algo,
+	bool (*add_aead)(crypto_factory_t *this, encryption_algorithm_t algo,
 					 const char *plugin_name, aead_constructor_t create);
 
 	/**
@@ -198,9 +198,9 @@ struct crypto_factory_t {
 	 * @param algo			algorithm to constructor
 	 * @param plugin_name	plugin that registered this algorithm
 	 * @param create		constructor function for that algorithm
-	 * @return
+	 * @return				TRUE if registered, FALSE if test vector failed
 	 */
-	void (*add_signer)(crypto_factory_t *this, integrity_algorithm_t algo,
+	bool (*add_signer)(crypto_factory_t *this, integrity_algorithm_t algo,
 					    const char *plugin_name, signer_constructor_t create);
 
 	/**
@@ -219,9 +219,9 @@ struct crypto_factory_t {
 	 * @param algo			algorithm to constructor
 	 * @param plugin_name	plugin that registered this algorithm
 	 * @param create		constructor function for that algorithm
-	 * @return
+	 * @return				TRUE if registered, FALSE if test vector failed
 	 */
-	void (*add_hasher)(crypto_factory_t *this, hash_algorithm_t algo,
+	bool (*add_hasher)(crypto_factory_t *this, hash_algorithm_t algo,
 					   const char *plugin_name, hasher_constructor_t create);
 
 	/**
@@ -237,9 +237,9 @@ struct crypto_factory_t {
 	 * @param algo			algorithm to constructor
 	 * @param plugin_name	plugin that registered this algorithm
 	 * @param create		constructor function for that algorithm
-	 * @return
+	 * @return				TRUE if registered, FALSE if test vector failed
 	 */
-	void (*add_prf)(crypto_factory_t *this, pseudo_random_function_t algo,
+	bool (*add_prf)(crypto_factory_t *this, pseudo_random_function_t algo,
 					const char *plugin_name, prf_constructor_t create);
 
 	/**
@@ -255,8 +255,9 @@ struct crypto_factory_t {
 	 * @param quality		quality of randomness this RNG serves
 	 * @param plugin_name	plugin that registered this algorithm
 	 * @param create		constructor function for such a quality
+	 * @return				TRUE if registered, FALSE if test vector failed
 	 */
-	void (*add_rng)(crypto_factory_t *this, rng_quality_t quality,
+	bool (*add_rng)(crypto_factory_t *this, rng_quality_t quality,
 					const char *plugin_name, rng_constructor_t create);
 
 	/**
@@ -271,8 +272,9 @@ struct crypto_factory_t {
 	 *
 	 * @param plugin_name	plugin that registered this algorithm
 	 * @param create		constructor function for that nonce generator
+	 * @return				TRUE if registered, FALSE if test vector failed
 	 */
-	void (*add_nonce_gen)(crypto_factory_t *this, const char *plugin_name,
+	bool (*add_nonce_gen)(crypto_factory_t *this, const char *plugin_name,
 						  nonce_gen_constructor_t create);
 
 	/**
@@ -289,9 +291,9 @@ struct crypto_factory_t {
 	 * @param group			dh group to constructor
 	 * @param plugin_name	plugin that registered this algorithm
 	 * @param create		constructor function for that algorithm
-	 * @return
+	 * @return				TRUE if registered, FALSE if test vector failed
 	 */
-	void (*add_dh)(crypto_factory_t *this, diffie_hellman_group_t group,
+	bool (*add_dh)(crypto_factory_t *this, diffie_hellman_group_t group,
 				   const char *plugin_name, dh_constructor_t create);
 
 	/**
@@ -366,6 +368,16 @@ struct crypto_factory_t {
 	void (*add_test_vector)(crypto_factory_t *this, transform_type_t type,
 							void *vector);
 
+	/**
+	 * Get the number of test vector failures encountered during add.
+	 *
+	 * This counter gets incremented only if transforms get tested during
+	 * registration.
+	 *
+	 * @return				number of failed test vectors
+	 */
+	u_int (*get_test_vector_failures)(crypto_factory_t *this);
+
 	/**
 	 * Destroy a crypto_factory instance.
 	 */
diff --git a/src/libstrongswan/crypto/crypto_tester.c b/src/libstrongswan/crypto/crypto_tester.c
index 12db0961b..5a0dccced 100644
--- a/src/libstrongswan/crypto/crypto_tester.c
+++ b/src/libstrongswan/crypto/crypto_tester.c
@@ -265,7 +265,10 @@ METHOD(crypto_tester_t, test_crypter, bool,
 failure:
 		crypter->destroy(crypter);
 		chunk_free(&cipher);
-		chunk_free(&plain);
+		if (plain.ptr != vector->plain)
+		{
+			chunk_free(&plain);
+		}
 		if (failed)
 		{
 			DBG1(DBG_LIB, "disabled %N[%s]: %s test vector failed",
diff --git a/src/libstrongswan/crypto/hashers/hasher.c b/src/libstrongswan/crypto/hashers/hasher.c
index dc73d5223..679bb324e 100644
--- a/src/libstrongswan/crypto/hashers/hasher.c
+++ b/src/libstrongswan/crypto/hashers/hasher.c
@@ -141,6 +141,9 @@ hash_algorithm_t hasher_algorithm_from_integrity(integrity_algorithm_t alg,
 			case AUTH_HMAC_SHA2_384_384:
 				*length = 48;
 				break;
+			case AUTH_HMAC_SHA2_512_512:
+				*length = 64;
+				break;
 			default:
 				break;
 		}
@@ -163,6 +166,7 @@ hash_algorithm_t hasher_algorithm_from_integrity(integrity_algorithm_t alg,
 		case AUTH_HMAC_SHA2_384_384:
 			return HASH_SHA384;
 		case AUTH_HMAC_SHA2_512_256:
+		case AUTH_HMAC_SHA2_512_512:
 			return HASH_SHA512;
 		case AUTH_AES_CMAC_96:
 		case AUTH_AES_128_GMAC:
@@ -177,6 +181,74 @@ hash_algorithm_t hasher_algorithm_from_integrity(integrity_algorithm_t alg,
 	return HASH_UNKNOWN;
 }
 
+/*
+ * Described in header.
+ */
+integrity_algorithm_t hasher_algorithm_to_integrity(hash_algorithm_t alg,
+													size_t length)
+{
+	switch (alg)
+	{
+		case HASH_MD5:
+			switch (length)
+			{
+				case 12:
+					return AUTH_HMAC_MD5_96;
+				case 16:
+					return AUTH_HMAC_MD5_128;
+			}
+			break;
+		case HASH_SHA1:
+		case HASH_PREFERRED:
+			switch (length)
+			{
+				case 12:
+					return AUTH_HMAC_SHA1_96;
+				case 16:
+					return AUTH_HMAC_SHA1_128;
+				case 20:
+					return AUTH_HMAC_SHA1_160;
+			}
+			break;
+		case HASH_SHA256:
+			switch (length)
+			{
+				case 12:
+					return AUTH_HMAC_SHA2_256_96;
+				case 16:
+					return AUTH_HMAC_SHA2_256_128;
+				case 32:
+					return AUTH_HMAC_SHA2_256_256;
+			}
+			break;
+		case HASH_SHA384:
+			switch (length)
+			{
+				case 24:
+					return AUTH_HMAC_SHA2_384_192;
+				case 48:
+					return AUTH_HMAC_SHA2_384_384;
+
+			}
+			break;
+		case HASH_SHA512:
+			switch (length)
+			{
+				case 32:
+					return AUTH_HMAC_SHA2_512_256;
+				case 64:
+					return AUTH_HMAC_SHA2_512_512;
+			}
+			break;
+		case HASH_MD2:
+		case HASH_MD4:
+		case HASH_SHA224:
+		case HASH_UNKNOWN:
+			break;
+	}
+	return AUTH_UNDEFINED;
+}
+
 /*
  * Described in header.
  */
diff --git a/src/libstrongswan/crypto/hashers/hasher.h b/src/libstrongswan/crypto/hashers/hasher.h
index 759f6a23c..4e46fca10 100644
--- a/src/libstrongswan/crypto/hashers/hasher.h
+++ b/src/libstrongswan/crypto/hashers/hasher.h
@@ -153,6 +153,17 @@ hash_algorithm_t hasher_algorithm_from_prf(pseudo_random_function_t alg);
 hash_algorithm_t hasher_algorithm_from_integrity(integrity_algorithm_t alg,
 												 size_t *length);
 
+/**
+ * Conversion of hash algorithm to integrity algorithm (if based on a hash).
+ *
+ * @param alg			hash algorithm
+ * @param length		length of the signature
+ * @return				integrity algorithm, AUTH_UNDEFINED if none is known
+ * 						based on the given hash function
+ */
+integrity_algorithm_t hasher_algorithm_to_integrity(hash_algorithm_t alg,
+													size_t length);
+
 /**
  * Conversion of hash algorithm into ASN.1 OID.
  *
diff --git a/src/libstrongswan/crypto/pkcs5.c b/src/libstrongswan/crypto/pkcs5.c
new file mode 100644
index 000000000..3b4df0e8a
--- /dev/null
+++ b/src/libstrongswan/crypto/pkcs5.c
@@ -0,0 +1,653 @@
+/*
+ * Copyright (C) 2012-2013 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "pkcs5.h"
+
+#include <utils/debug.h>
+#include <asn1/oid.h>
+#include <asn1/asn1.h>
+#include <asn1/asn1_parser.h>
+#include <credentials/containers/pkcs12.h>
+
+typedef struct private_pkcs5_t private_pkcs5_t;
+
+/**
+ * Private data of a pkcs5_t object
+ */
+struct private_pkcs5_t {
+
+	/**
+	 * Implements pkcs5_t.
+	 */
+	pkcs5_t public;
+
+	/**
+	 * Salt used during encryption
+	 */
+	chunk_t salt;
+
+	/**
+	 * Iterations for key derivation
+	 */
+	u_int64_t iterations;
+
+	/**
+	 * Encryption algorithm
+	 */
+	encryption_algorithm_t encr;
+
+	/**
+	 * Encryption key length
+	 */
+	size_t keylen;
+
+	/**
+	 * Crypter
+	 */
+	crypter_t *crypter;
+
+
+	/**
+	 * The encryption scheme
+	 */
+	enum {
+		PKCS5_SCHEME_PBES1,
+		PKCS5_SCHEME_PBES2,
+		PKCS5_SCHEME_PKCS12,
+	} scheme;
+
+	/**
+	 * Data used for individual schemes
+	 */
+	union {
+		struct {
+			/**
+			 * Hash algorithm
+			 */
+			hash_algorithm_t hash;
+
+			/**
+			 * Hasher
+			 */
+			hasher_t *hasher;
+
+		} pbes1;
+		struct {
+			/**
+			 * PRF algorithm
+			 */
+			pseudo_random_function_t prf_alg;
+
+			/**
+			 * PRF
+			 */
+			prf_t * prf;
+
+			/**
+			 * IV
+			 */
+			chunk_t iv;
+
+		} pbes2;
+	} data;
+};
+
+/**
+ * Verify padding of decrypted blob.
+ * Length of blob is adjusted accordingly.
+ */
+static bool verify_padding(chunk_t *blob)
+{
+	u_int8_t padding, count;
+
+	padding = count = blob->ptr[blob->len - 1];
+
+	if (padding > 8)
+	{
+		return FALSE;
+	}
+	for (; blob->len && count; --blob->len, --count)
+	{
+		if (blob->ptr[blob->len - 1] != padding)
+		{
+			return FALSE;
+		}
+	}
+	return TRUE;
+}
+
+/**
+ * Prototype for key derivation functions.
+ */
+typedef bool (*kdf_t)(private_pkcs5_t *this, chunk_t password, chunk_t key);
+
+/**
+ * Try to decrypt the given data with the given password using the given
+ * key derivation function. keymat is where the kdf function writes the key
+ * to, key and iv point to the actual keys and initialization vectors resp.
+ */
+static bool decrypt_generic(private_pkcs5_t *this, chunk_t password,
+							chunk_t data, chunk_t *decrypted, kdf_t kdf,
+							chunk_t keymat, chunk_t key, chunk_t iv)
+{
+	if (!kdf(this, password, keymat))
+	{
+		return FALSE;
+	}
+	if (!this->crypter->set_key(this->crypter, key) ||
+		!this->crypter->decrypt(this->crypter, data, iv, decrypted))
+	{
+		memwipe(keymat.ptr, keymat.len);
+		return FALSE;
+	}
+	memwipe(keymat.ptr, keymat.len);
+	if (verify_padding(decrypted))
+	{
+		return TRUE;
+	}
+	chunk_free(decrypted);
+	return FALSE;
+}
+
+/**
+ * KDF as used by PKCS#12
+ */
+static bool pkcs12_kdf(private_pkcs5_t *this, chunk_t password, chunk_t keymat)
+{
+	chunk_t key, iv;
+
+	key = chunk_create(keymat.ptr, this->keylen);
+	iv = chunk_create(keymat.ptr + this->keylen, keymat.len - this->keylen);
+
+	return pkcs12_derive_key(this->data.pbes1.hash, password, this->salt,
+							 this->iterations, PKCS12_KEY_ENCRYPTION, key) &&
+		   pkcs12_derive_key(this->data.pbes1.hash, password, this->salt,
+							 this->iterations, PKCS12_KEY_IV, iv);
+}
+
+/**
+ * Function F of PBKDF2
+ */
+static bool pbkdf2_f(chunk_t block, prf_t *prf, chunk_t seed,
+					 u_int64_t iterations)
+{
+	chunk_t u;
+	u_int64_t i;
+
+	u = chunk_alloca(prf->get_block_size(prf));
+	if (!prf->get_bytes(prf, seed, u.ptr))
+	{
+		return FALSE;
+	}
+	memcpy(block.ptr, u.ptr, block.len);
+
+	for (i = 1; i < iterations; i++)
+	{
+		if (!prf->get_bytes(prf, u, u.ptr))
+		{
+			return FALSE;
+		}
+		memxor(block.ptr, u.ptr, block.len);
+	}
+	return TRUE;
+}
+
+/**
+ * PBKDF2 key derivation function for PBES2, key must be allocated
+ */
+static bool pbkdf2(private_pkcs5_t *this, chunk_t password, chunk_t key)
+{
+	prf_t *prf;
+	chunk_t keymat, block, seed;
+	size_t blocks;
+	u_int32_t i = 0;
+
+	prf = this->data.pbes2.prf;
+
+	if (!prf->set_key(prf, password))
+	{
+		return FALSE;
+	}
+
+	block.len = prf->get_block_size(prf);
+	blocks = (key.len - 1) / block.len + 1;
+	keymat = chunk_alloca(blocks * block.len);
+
+	seed = chunk_cata("cc", this->salt, chunk_from_thing(i));
+
+	for (; i < blocks; i++)
+	{
+		htoun32(seed.ptr + this->salt.len, i + 1);
+		block.ptr = keymat.ptr + (i * block.len);
+		if (!pbkdf2_f(block, prf, seed, this->iterations))
+		{
+			return FALSE;
+		}
+	}
+	memcpy(key.ptr, keymat.ptr, key.len);
+	return TRUE;
+}
+
+/**
+ * PBKDF1 key derivation function for PBES1, key must be allocated
+ */
+static bool pbkdf1(private_pkcs5_t *this, chunk_t password, chunk_t key)
+{
+	hasher_t *hasher;
+	chunk_t hash;
+	u_int64_t i;
+
+	hasher = this->data.pbes1.hasher;
+
+	hash = chunk_alloca(hasher->get_hash_size(hasher));
+	if (!hasher->get_hash(hasher, password, NULL) ||
+		!hasher->get_hash(hasher, this->salt, hash.ptr))
+	{
+		return FALSE;
+	}
+
+	for (i = 1; i < this->iterations; i++)
+	{
+		if (!hasher->get_hash(hasher, hash, hash.ptr))
+		{
+			return FALSE;
+		}
+	}
+	memcpy(key.ptr, hash.ptr, key.len);
+	return TRUE;
+}
+
+static bool ensure_crypto_primitives(private_pkcs5_t *this, chunk_t data)
+{
+	if (!this->crypter)
+	{
+		this->crypter = lib->crypto->create_crypter(lib->crypto, this->encr,
+													this->keylen);
+		if (!this->crypter)
+		{
+			DBG1(DBG_ASN, "  %N encryption algorithm not available",
+				 encryption_algorithm_names, this->encr);
+			return FALSE;
+		}
+	}
+	if (data.len % this->crypter->get_block_size(this->crypter))
+	{
+		DBG1(DBG_ASN, "  data size is not a multiple of block size");
+		return FALSE;
+	}
+	switch (this->scheme)
+	{
+		case PKCS5_SCHEME_PBES1:
+		{
+			if (!this->data.pbes1.hasher)
+			{
+				hasher_t *hasher;
+
+				hasher = lib->crypto->create_hasher(lib->crypto,
+													this->data.pbes1.hash);
+				if (!hasher)
+				{
+					DBG1(DBG_ASN, "  %N hash algorithm not available",
+						 hash_algorithm_names, this->data.pbes1.hash);
+					return  FALSE;
+				}
+				if (hasher->get_hash_size(hasher) < this->keylen)
+				{
+					hasher->destroy(hasher);
+					return FALSE;
+				}
+				this->data.pbes1.hasher = hasher;
+			}
+			break;
+		}
+		case PKCS5_SCHEME_PBES2:
+		{
+			if (!this->data.pbes2.prf)
+			{
+				prf_t *prf;
+
+				prf = lib->crypto->create_prf(lib->crypto,
+											  this->data.pbes2.prf_alg);
+				if (!prf)
+				{
+					DBG1(DBG_ASN, "  %N prf algorithm not available",
+						 pseudo_random_function_names,
+						 this->data.pbes2.prf_alg);
+					return FALSE;
+				}
+				this->data.pbes2.prf = prf;
+			}
+			break;
+		}
+		case PKCS5_SCHEME_PKCS12:
+			break;
+	}
+	return TRUE;
+}
+
+METHOD(pkcs5_t, decrypt, bool,
+	private_pkcs5_t *this, chunk_t password, chunk_t data, chunk_t *decrypted)
+{
+	chunk_t keymat, key, iv;
+	kdf_t kdf;
+
+	if (!ensure_crypto_primitives(this, data) || !decrypted)
+	{
+		return FALSE;
+	}
+	kdf = pbkdf1;
+	switch (this->scheme)
+	{
+		case PKCS5_SCHEME_PKCS12:
+			kdf = pkcs12_kdf;
+			/* fall-through */
+		case PKCS5_SCHEME_PBES1:
+			keymat = chunk_alloca(this->keylen +
+								  this->crypter->get_iv_size(this->crypter));
+			key = chunk_create(keymat.ptr, this->keylen);
+			iv = chunk_create(keymat.ptr + this->keylen,
+							  keymat.len - this->keylen);
+			break;
+		case PKCS5_SCHEME_PBES2:
+			kdf = pbkdf2;
+			keymat = chunk_alloca(this->keylen);
+			key = keymat;
+			iv = this->data.pbes2.iv;
+			break;
+		default:
+			return FALSE;
+	}
+	return decrypt_generic(this, password, data, decrypted, kdf,
+						   keymat, key, iv);
+}
+
+/**
+ * ASN.1 definition of a PBEParameter structure
+ */
+static const asn1Object_t pbeParameterObjects[] = {
+	{ 0, "PBEParameter",		ASN1_SEQUENCE,		ASN1_NONE	}, /* 0 */
+	{ 1,   "salt",				ASN1_OCTET_STRING,	ASN1_BODY	}, /* 1 */
+	{ 1,   "iterationCount",	ASN1_INTEGER,		ASN1_BODY	}, /* 2 */
+	{ 0, "exit",				ASN1_EOC,			ASN1_EXIT	}
+};
+#define PBEPARAM_SALT					1
+#define PBEPARAM_ITERATION_COUNT		2
+
+/**
+ * Parse a PBEParameter structure
+ */
+static bool parse_pbes1_params(private_pkcs5_t *this, chunk_t blob, int level0)
+{
+	asn1_parser_t *parser;
+	chunk_t object;
+	int objectID;
+	bool success;
+
+	parser = asn1_parser_create(pbeParameterObjects, blob);
+	parser->set_top_level(parser, level0);
+
+	while (parser->iterate(parser, &objectID, &object))
+	{
+		switch (objectID)
+		{
+			case PBEPARAM_SALT:
+			{
+				this->salt = chunk_clone(object);
+				break;
+			}
+			case PBEPARAM_ITERATION_COUNT:
+			{
+				this->iterations = asn1_parse_integer_uint64(object);
+				break;
+			}
+		}
+	}
+	success = parser->success(parser);
+	parser->destroy(parser);
+	return success;
+}
+
+/**
+ * ASN.1 definition of a PBKDF2-params structure
+ * The salt is actually a CHOICE and could be an AlgorithmIdentifier from
+ * PBKDF2-SaltSources (but as per RFC 2898 that's for future versions).
+ */
+static const asn1Object_t pbkdf2ParamsObjects[] = {
+	{ 0, "PBKDF2-params",	ASN1_SEQUENCE,		ASN1_NONE			}, /* 0 */
+	{ 1,   "salt",			ASN1_OCTET_STRING,	ASN1_BODY			}, /* 1 */
+	{ 1,   "iterationCount",ASN1_INTEGER,		ASN1_BODY			}, /* 2 */
+	{ 1,   "keyLength",		ASN1_INTEGER,		ASN1_OPT|ASN1_BODY	}, /* 3 */
+	{ 1,   "end opt",		ASN1_EOC,			ASN1_END			}, /* 4 */
+	{ 1,   "prf",			ASN1_EOC,			ASN1_DEF|ASN1_RAW	}, /* 5 */
+	{ 0, "exit",			ASN1_EOC,			ASN1_EXIT			}
+};
+#define PBKDF2_SALT					1
+#define PBKDF2_ITERATION_COUNT		2
+#define PBKDF2_KEYLENGTH			3
+#define PBKDF2_PRF					5
+
+/**
+ * Parse a PBKDF2-params structure
+ */
+static bool parse_pbkdf2_params(private_pkcs5_t *this, chunk_t blob, int level0)
+{
+	asn1_parser_t *parser;
+	chunk_t object;
+	int objectID;
+	bool success;
+
+	parser = asn1_parser_create(pbkdf2ParamsObjects, blob);
+	parser->set_top_level(parser, level0);
+
+ 	/* keylen is optional */
+	this->keylen = 0;
+
+	while (parser->iterate(parser, &objectID, &object))
+	{
+		switch (objectID)
+		{
+			case PBKDF2_SALT:
+			{
+				this->salt = chunk_clone(object);
+				break;
+			}
+			case PBKDF2_ITERATION_COUNT:
+			{
+				this->iterations = asn1_parse_integer_uint64(object);
+				break;
+			}
+			case PBKDF2_KEYLENGTH:
+			{
+				this->keylen = (size_t)asn1_parse_integer_uint64(object);
+				break;
+			}
+			case PBKDF2_PRF:
+			{	/* defaults to id-hmacWithSHA1, no other is currently defined */
+				this->data.pbes2.prf_alg = PRF_HMAC_SHA1;
+				break;
+			}
+		}
+	}
+	success = parser->success(parser);
+	parser->destroy(parser);
+	return success;
+}
+
+/**
+ * ASN.1 definition of a PBES2-params structure
+ */
+static const asn1Object_t pbes2ParamsObjects[] = {
+	{ 0, "PBES2-params",		ASN1_SEQUENCE,		ASN1_NONE	}, /* 0 */
+	{ 1,   "keyDerivationFunc",	ASN1_EOC,			ASN1_RAW	}, /* 1 */
+	{ 1,   "encryptionScheme",	ASN1_EOC,			ASN1_RAW	}, /* 2 */
+	{ 0, "exit",				ASN1_EOC,			ASN1_EXIT	}
+};
+#define PBES2PARAMS_KEY_DERIVATION_FUNC		1
+#define PBES2PARAMS_ENCRYPTION_SCHEME		2
+
+/**
+ * Parse a PBES2-params structure
+ */
+static bool parse_pbes2_params(private_pkcs5_t *this, chunk_t blob, int level0)
+{
+	asn1_parser_t *parser;
+	chunk_t object, params;
+	int objectID;
+	bool success = FALSE;
+
+	parser = asn1_parser_create(pbes2ParamsObjects, blob);
+	parser->set_top_level(parser, level0);
+
+	while (parser->iterate(parser, &objectID, &object))
+	{
+		switch (objectID)
+		{
+			case PBES2PARAMS_KEY_DERIVATION_FUNC:
+			{
+				int oid = asn1_parse_algorithmIdentifier(object,
+									parser->get_level(parser) + 1, &params);
+				if (oid != OID_PBKDF2)
+				{	/* unsupported key derivation function */
+					goto end;
+				}
+				if (!parse_pbkdf2_params(this, params,
+										 parser->get_level(parser) + 1))
+				{
+					goto end;
+				}
+				break;
+			}
+			case PBES2PARAMS_ENCRYPTION_SCHEME:
+			{
+				int oid = asn1_parse_algorithmIdentifier(object,
+									parser->get_level(parser) + 1, &params);
+				if (oid != OID_3DES_EDE_CBC)
+				{	/* unsupported encryption scheme */
+					goto end;
+				}
+				if (this->keylen <= 0)
+				{	/* default key length for DES-EDE3-CBC-Pad */
+					this->keylen = 24;
+				}
+				if (!asn1_parse_simple_object(&params, ASN1_OCTET_STRING,
+									parser->get_level(parser) + 1, "IV"))
+				{
+					goto end;
+				}
+				this->encr = ENCR_3DES;
+				this->data.pbes2.iv = chunk_clone(params);
+				break;
+			}
+		}
+	}
+	success = parser->success(parser);
+end:
+	parser->destroy(parser);
+	return success;
+}
+
+METHOD(pkcs5_t, destroy, void,
+	private_pkcs5_t *this)
+{
+	DESTROY_IF(this->crypter);
+	chunk_free(&this->salt);
+	switch (this->scheme)
+	{
+		case PKCS5_SCHEME_PBES1:
+			DESTROY_IF(this->data.pbes1.hasher);
+			break;
+		case PKCS5_SCHEME_PBES2:
+			DESTROY_IF(this->data.pbes2.prf);
+			chunk_free(&this->data.pbes2.iv);
+			break;
+		case PKCS5_SCHEME_PKCS12:
+			break;
+	}
+	free(this);
+}
+
+/*
+ * Described in header
+ */
+pkcs5_t *pkcs5_from_algorithmIdentifier(chunk_t blob, int level0)
+{
+	private_pkcs5_t *this;
+	chunk_t params;
+	int oid;
+
+	INIT(this,
+		.public = {
+			.decrypt = _decrypt,
+			.destroy = _destroy,
+		},
+		.scheme = PKCS5_SCHEME_PBES1,
+		.keylen = 8,
+	);
+
+	oid = asn1_parse_algorithmIdentifier(blob, level0, &params);
+
+	switch (oid)
+	{
+		case OID_PBE_MD5_DES_CBC:
+			this->encr = ENCR_DES;
+			this->data.pbes1.hash = HASH_MD5;
+			break;
+		case OID_PBE_SHA1_DES_CBC:
+			this->encr = ENCR_DES;
+			this->data.pbes1.hash = HASH_SHA1;
+			break;
+		case OID_PBE_SHA1_3DES_CBC:
+			this->scheme = PKCS5_SCHEME_PKCS12;
+			this->keylen = 24;
+			this->encr = ENCR_3DES;
+			this->data.pbes1.hash = HASH_SHA1;
+			break;
+		case OID_PBE_SHA1_RC2_CBC_40:
+		case OID_PBE_SHA1_RC2_CBC_128:
+			this->scheme = PKCS5_SCHEME_PKCS12;
+			this->keylen = (oid == OID_PBE_SHA1_RC2_CBC_40) ? 5 : 16;
+			this->encr = ENCR_RC2_CBC;
+			this->data.pbes1.hash = HASH_SHA1;
+			break;
+		case OID_PBES2:
+			this->scheme = PKCS5_SCHEME_PBES2;
+			break;
+		default:
+			/* encryption scheme not supported */
+			goto failure;
+	}
+
+	switch (this->scheme)
+	{
+		case PKCS5_SCHEME_PBES1:
+		case PKCS5_SCHEME_PKCS12:
+			if (!parse_pbes1_params(this, params, level0))
+			{
+				goto failure;
+			}
+			break;
+		case PKCS5_SCHEME_PBES2:
+			if (!parse_pbes2_params(this, params, level0))
+			{
+				goto failure;
+			}
+			break;
+	}
+	return &this->public;
+
+failure:
+	destroy(this);
+	return NULL;
+}
diff --git a/src/libstrongswan/crypto/pkcs5.h b/src/libstrongswan/crypto/pkcs5.h
new file mode 100644
index 000000000..b16d3736e
--- /dev/null
+++ b/src/libstrongswan/crypto/pkcs5.h
@@ -0,0 +1,61 @@
+/*
+ * Copyright (C) 2013 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup pkcs5 pkcs5
+ * @{ @ingroup crypto
+ */
+
+#ifndef PKCS5_H_
+#define PKCS5_H_
+
+typedef struct pkcs5_t pkcs5_t;
+
+#include <utils/chunk.h>
+
+/**
+ * PKCS#5 helper class
+ */
+struct pkcs5_t {
+
+	/**
+	 * Decrypt the given data using the given password and the scheme derived
+	 * from the initial AlgorithmIdentifier object.
+	 *
+	 * @param password	password used for decryption
+	 * @param data		data to decrypt
+	 * @param decrypted	decrypted data gets allocated
+	 * @return			TRUE on success, FALSE otherwise
+	 */
+	bool (*decrypt)(pkcs5_t *this, chunk_t password, chunk_t data,
+					chunk_t *decrypted) __attribute__((warn_unused_result));
+
+	/**
+	 * Destroy the object and any associated cryptographic primitive.
+	 */
+	void (*destroy)(pkcs5_t *this);
+};
+
+/**
+ * Create a PKCS#5 helper object from an ASN.1 encoded AlgorithmIdentifier
+ * object.
+ *
+ * @param blob			ASN.1 encoded AlgorithmIdentifier
+ * @param level0		ASN.1 parser level
+ * @return				pkcs5_t object, NULL on failure
+ */
+pkcs5_t *pkcs5_from_algorithmIdentifier(chunk_t blob, int level0);
+
+#endif /** PKCS5_H_ @}*/
diff --git a/src/libstrongswan/crypto/signers/signer.c b/src/libstrongswan/crypto/signers/signer.c
index d8659170b..522b4e29d 100644
--- a/src/libstrongswan/crypto/signers/signer.c
+++ b/src/libstrongswan/crypto/signers/signer.c
@@ -22,6 +22,7 @@ ENUM_BEGIN(integrity_algorithm_names, AUTH_UNDEFINED, AUTH_CAMELLIA_XCBC_96,
 	"HMAC_SHA2_256_96",
 	"HMAC_SHA2_256_256",
 	"HMAC_SHA2_384_384",
+	"HMAC_SHA2_512_512",
 	"CAMELLIA_XCBC_96");
 ENUM_NEXT(integrity_algorithm_names, AUTH_HMAC_MD5_96, AUTH_HMAC_SHA2_512_256, AUTH_CAMELLIA_XCBC_96,
 	"HMAC_MD5_96",
diff --git a/src/libstrongswan/crypto/signers/signer.h b/src/libstrongswan/crypto/signers/signer.h
index 9b6bd479a..e0cf7eb5a 100644
--- a/src/libstrongswan/crypto/signers/signer.h
+++ b/src/libstrongswan/crypto/signers/signer.h
@@ -70,8 +70,10 @@ enum integrity_algorithm_t {
 	AUTH_HMAC_SHA2_256_256 = 1027,
 	/** SHA384 full length truncation variant, as used in TLS */
 	AUTH_HMAC_SHA2_384_384 = 1028,
+	/** SHA512 full length truncation variant */
+	AUTH_HMAC_SHA2_512_512 = 1029,
 	/** draft-kanno-ipsecme-camellia-xcbc, not yet assigned by IANA */
-	AUTH_CAMELLIA_XCBC_96 = 1029,
+	AUTH_CAMELLIA_XCBC_96 = 1030,
 };
 
 /**
diff --git a/src/libstrongswan/fetcher/fetcher.h b/src/libstrongswan/fetcher/fetcher.h
index 58451aef2..890258c3c 100644
--- a/src/libstrongswan/fetcher/fetcher.h
+++ b/src/libstrongswan/fetcher/fetcher.h
@@ -89,6 +89,12 @@ enum fetcher_option_t {
 	 */
 	FETCH_CALLBACK,
 
+	/**
+	 * Source IP address to bind for a fetch.
+	 * Additional argument is a host_t*, which may be NULL.
+	 */
+	FETCH_SOURCEIP,
+
 	/**
 	 * end of fetching options
 	 */
diff --git a/src/libstrongswan/fetcher/fetcher_manager.c b/src/libstrongswan/fetcher/fetcher_manager.c
index a638eef2f..21cd1aff4 100644
--- a/src/libstrongswan/fetcher/fetcher_manager.c
+++ b/src/libstrongswan/fetcher/fetcher_manager.c
@@ -73,6 +73,7 @@ METHOD(fetcher_manager_t, fetch, status_t,
 		fetcher_option_t opt;
 		fetcher_t *fetcher;
 		bool good = TRUE;
+		host_t *host;
 		va_list args;
 
 		/* check URL support of fetcher */
@@ -111,6 +112,14 @@ METHOD(fetcher_manager_t, fetch, status_t,
 				case FETCH_CALLBACK:
 					good = fetcher->set_option(fetcher, opt,
 											va_arg(args, fetcher_callback_t));
+					continue;
+				case FETCH_SOURCEIP:
+					host = va_arg(args, host_t*);
+					if (host && !host->is_anyaddr(host))
+					{
+						good = fetcher->set_option(fetcher, opt, host);
+					}
+					continue;
 				case FETCH_END:
 					break;
 			}
@@ -204,4 +213,3 @@ fetcher_manager_t *fetcher_manager_create()
 
 	return &this->public;
 }
-
diff --git a/src/libstrongswan/library.c b/src/libstrongswan/library.c
index 4dec61203..f2fa3e0aa 100644
--- a/src/libstrongswan/library.c
+++ b/src/libstrongswan/library.c
@@ -80,6 +80,8 @@ void library_deinit()
 	/* make sure the cache is clear before unloading plugins */
 	lib->credmgr->flush_cache(lib->credmgr, CERT_ANY);
 
+	this->public.streams->destroy(this->public.streams);
+	this->public.watcher->destroy(this->public.watcher);
 	this->public.scheduler->destroy(this->public.scheduler);
 	this->public.processor->destroy(this->public.processor);
 	this->public.plugins->destroy(this->public.plugins);
@@ -89,6 +91,7 @@ void library_deinit()
 	this->public.creds->destroy(this->public.creds);
 	this->public.encoding->destroy(this->public.encoding);
 	this->public.crypto->destroy(this->public.crypto);
+	this->public.caps->destroy(this->public.caps);
 	this->public.proposal->destroy(this->public.proposal);
 	this->public.fetcher->destroy(this->public.fetcher);
 	this->public.resolver->destroy(this->public.resolver);
@@ -150,19 +153,23 @@ static bool equals(char *a, char *b)
 	return streq(a, b);
 }
 
+/**
+ * Number of words we write and memwipe() in memwipe check
+ */
+#define MEMWIPE_WIPE_WORDS 16
+
 /**
  * Write magic to memory, and try to clear it with memwipe()
  */
 __attribute__((noinline))
-static void do_magic(int magic, int **stack)
+static void do_magic(int *magic, int **out)
 {
-	int buf[32], i;
+	int buf[MEMWIPE_WIPE_WORDS], i;
 
-	/* tell caller where callee stack is (but don't point to buf) */
-	*stack = &i;
+	*out = buf;
 	for (i = 0; i < countof(buf); i++)
 	{
-		buf[i] = magic;
+		buf[i] = *magic;
 	}
 	/* passing buf to dbg should make sure the compiler can't optimize out buf.
 	 * we use directly dbg(3), as DBG3() might be stripped with DEBUG_LEVEL. */
@@ -175,20 +182,16 @@ static void do_magic(int magic, int **stack)
  */
 static bool check_memwipe()
 {
-	int magic = 0xCAFEBABE, *ptr, *deeper, i, stackdir = 1;
+	int magic = 0xCAFEBABE, *buf, i;
 
-	do_magic(magic, &deeper);
+	do_magic(&magic, &buf);
 
-	ptr = &magic;
-	if (deeper < ptr)
-	{	/* stack grows down */
-		stackdir = -1;
-	}
-	for (i = 0; i < 128; i++)
+	for (i = 0; i < MEMWIPE_WIPE_WORDS; i++)
 	{
-		ptr = ptr + stackdir;
-		if (*ptr == magic)
+		if (buf[i] == magic)
 		{
+			DBG1(DBG_LIB, "memwipe() check failed: stackdir: %b",
+				 buf, MEMWIPE_WIPE_WORDS * sizeof(int));
 			return FALSE;
 		}
 	}
@@ -255,6 +258,7 @@ bool library_init(char *settings)
 	this->public.settings = settings_create(settings);
 	this->public.hosts = host_resolver_create();
 	this->public.proposal = proposal_keywords_create();
+	this->public.caps = capabilities_create();
 	this->public.crypto = crypto_factory_create();
 	this->public.creds = credential_factory_create();
 	this->public.credmgr = credential_manager_create();
@@ -264,11 +268,12 @@ bool library_init(char *settings)
 	this->public.db = database_factory_create();
 	this->public.processor = processor_create();
 	this->public.scheduler = scheduler_create();
+	this->public.watcher = watcher_create();
+	this->public.streams = stream_manager_create();
 	this->public.plugins = plugin_loader_create();
 
 	if (!check_memwipe())
 	{
-		DBG1(DBG_LIB, "memwipe() check failed");
 		return FALSE;
 	}
 
diff --git a/src/libstrongswan/library.h b/src/libstrongswan/library.h
index 3b6d02002..560da27f9 100644
--- a/src/libstrongswan/library.h
+++ b/src/libstrongswan/library.h
@@ -58,6 +58,9 @@
  * @defgroup networking networking
  * @ingroup libstrongswan
  *
+ * @defgroup streams streams
+ * @ingroup networking
+ *
  * @defgroup plugins plugins
  * @ingroup libstrongswan
  *
@@ -90,8 +93,10 @@
 #include "utils/printf_hook.h"
 #include "utils/utils.h"
 #include "networking/host_resolver.h"
+#include "networking/streams/stream_manager.h"
 #include "processing/processor.h"
 #include "processing/scheduler.h"
+#include "processing/watcher.h"
 #include "crypto/crypto_factory.h"
 #include "crypto/proposal/proposal_keywords.h"
 #include "fetcher/fetcher_manager.h"
@@ -101,6 +106,7 @@
 #include "credentials/credential_manager.h"
 #include "credentials/cred_encoding.h"
 #include "utils/chunk.h"
+#include "utils/capabilities.h"
 #include "utils/integrity_checker.h"
 #include "utils/leak_detective.h"
 #include "utils/settings.h"
@@ -140,6 +146,11 @@ struct library_t {
 	 */
 	proposal_keywords_t *proposal;
 
+	/**
+	 * POSIX capability dropping
+	 */
+	capabilities_t *caps;
+
 	/**
 	 * crypto algorithm registry and factory
 	 */
@@ -190,6 +201,16 @@ struct library_t {
 	 */
 	scheduler_t *scheduler;
 
+	/**
+	 * File descriptor monitoring
+	 */
+	watcher_t *watcher;
+
+	/**
+	 * Streams and Services
+	 */
+	stream_manager_t *streams;
+
 	/**
 	 * resolve hosts by DNS name
 	 */
diff --git a/src/libstrongswan/networking/host.c b/src/libstrongswan/networking/host.c
index bffa96064..8d04a4ec9 100644
--- a/src/libstrongswan/networking/host.c
+++ b/src/libstrongswan/networking/host.c
@@ -54,6 +54,15 @@ struct private_host_t {
 	socklen_t socklen;
 };
 
+/**
+ * Update the sockaddr internal sa_len option, if available
+ */
+static inline void update_sa_len(private_host_t *this)
+{
+#ifdef HAVE_STRUCT_SOCKADDR_SA_LEN
+	this->address.sa_len = this->socklen;
+#endif /* HAVE_STRUCT_SOCKADDR_SA_LEN */
+}
 
 METHOD(host_t, get_sockaddr, sockaddr_t*,
 	private_host_t *this)
@@ -102,7 +111,7 @@ int host_printf_hook(printf_hook_data_t *data, printf_hook_spec_t *spec,
 	{
 		snprintf(buffer, sizeof(buffer), "(null)");
 	}
-	else if (is_anyaddr(this) && !spec->plus)
+	else if (is_anyaddr(this) && !spec->plus && !spec->hash)
 	{
 		snprintf(buffer, sizeof(buffer), "%%any%s",
 				 this->address.sa_family == AF_INET6 ? "6" : "");
@@ -264,26 +273,6 @@ static bool ip_equals(private_host_t *this, private_host_t *other)
 	return FALSE;
 }
 
-/**
- * Implements host_t.get_differences
- */
-static host_diff_t get_differences(host_t *this, host_t *other)
-{
-	host_diff_t ret = HOST_DIFF_NONE;
-
-	if (!this->ip_equals(this, other))
-	{
-		ret |= HOST_DIFF_ADDR;
-	}
-
-	if (this->get_port(this) != other->get_port(other))
-	{
-		ret |= HOST_DIFF_PORT;
-	}
-
-	return ret;
-}
-
 /**
  * Implements host_t.equals
  */
@@ -332,7 +321,6 @@ static private_host_t *host_create_empty(void)
 			.get_address = _get_address,
 			.get_port = _get_port,
 			.set_port = _set_port,
-			.get_differences = get_differences,
 			.ip_equals = (bool (*)(host_t *,host_t *))ip_equals,
 			.equals = (bool (*)(host_t *,host_t *)) equals,
 			.is_anyaddr = _is_anyaddr,
@@ -393,6 +381,7 @@ host_t *host_create_from_string_and_family(char *string, int family,
 			}
 			/* FALL */
 		case AF_INET6:
+			memset(&addr.v6, 0, sizeof(addr.v6));
 			if (inet_pton(AF_INET6, string, &addr.v6.sin6_addr) != 1)
 			{
 				return NULL;
@@ -406,6 +395,7 @@ host_t *host_create_from_string_and_family(char *string, int family,
 				return NULL;
 			}
 		af_inet:
+			memset(&addr.v4, 0, sizeof(addr.v4));
 			if (inet_pton(AF_INET, string, &addr.v4.sin_addr) != 1)
 			{
 				return NULL;
@@ -440,6 +430,7 @@ host_t *host_create_from_sockaddr(sockaddr_t *sockaddr)
 			memcpy(&this->address4, (struct sockaddr_in*)sockaddr,
 				   sizeof(struct sockaddr_in));
 			this->socklen = sizeof(struct sockaddr_in);
+			update_sa_len(this);
 			return &this->public;
 		}
 		case AF_INET6:
@@ -447,6 +438,7 @@ host_t *host_create_from_sockaddr(sockaddr_t *sockaddr)
 			memcpy(&this->address6, (struct sockaddr_in6*)sockaddr,
 				   sizeof(struct sockaddr_in6));
 			this->socklen = sizeof(struct sockaddr_in6);
+			update_sa_len(this);
 			return &this->public;
 		}
 		default:
@@ -529,6 +521,7 @@ host_t *host_create_from_chunk(int family, chunk_t address, u_int16_t port)
 			this->socklen = sizeof(struct sockaddr_in6);
 			break;
 	}
+	update_sa_len(this);
 	return &this->public;
 }
 
@@ -567,6 +560,57 @@ host_t *host_create_from_subnet(char *string, int *bits)
 	return net;
 }
 
+/*
+ * See header.
+ */
+host_t *host_create_netmask(int family, int netbits)
+{
+	private_host_t *this;
+	int bits, bytes, len = 0;
+	char *target;
+
+	switch (family)
+	{
+		case AF_INET:
+			if (netbits < 0 || netbits > 32)
+			{
+				return NULL;
+			}
+			this = host_create_empty();
+			this->socklen = sizeof(struct sockaddr_in);
+			target = (char*)&this->address4.sin_addr;
+			len = 4;
+			break;
+		case AF_INET6:
+			if (netbits < 0 || netbits > 128)
+			{
+				return NULL;
+			}
+			this = host_create_empty();
+			this->socklen = sizeof(struct sockaddr_in6);
+			target = (char*)&this->address6.sin6_addr;
+			len = 16;
+			break;
+		default:
+			return NULL;
+	}
+
+	memset(&this->address_max, 0, sizeof(struct sockaddr_storage));
+	this->address.sa_family = family;
+	update_sa_len(this);
+
+	bytes = netbits / 8;
+	bits = 8 - (netbits & 0x07);
+
+	memset(target, 0xff, bytes);
+	if (bytes < len)
+	{
+		memset(target + bytes, 0x00, len - bytes);
+		target[bytes] = (u_int8_t)(0xff << bits);
+	}
+	return &this->public;
+}
+
 /*
  * Described in header.
  */
@@ -582,11 +626,13 @@ host_t *host_create_any(int family)
 		case AF_INET:
 		{
 			this->socklen = sizeof(struct sockaddr_in);
+			update_sa_len(this);
 			return &(this->public);
 		}
 		case AF_INET6:
 		{
 			this->socklen = sizeof(struct sockaddr_in6);
+			update_sa_len(this);
 			return &this->public;
 		}
 		default:
diff --git a/src/libstrongswan/networking/host.h b/src/libstrongswan/networking/host.h
index 25f334779..4fc6cf35c 100644
--- a/src/libstrongswan/networking/host.h
+++ b/src/libstrongswan/networking/host.h
@@ -36,16 +36,6 @@ typedef struct host_t host_t;
 
 #include <utils/chunk.h>
 
-/**
- * Differences between two hosts. They differ in
- * address, port, or both.
- */
-enum host_diff_t {
-	HOST_DIFF_NONE = 0,
-	HOST_DIFF_ADDR = 1,
-	HOST_DIFF_PORT = 2,
-};
-
 /**
  * Representates a Host
  *
@@ -102,7 +92,7 @@ struct host_t {
 	 *
 	 * Returned chunk points to internal data.
 	 *
-	 * @return		address string,
+	 * @return		address blob
 	 */
 	chunk_t (*get_address) (host_t *this);
 
@@ -116,7 +106,7 @@ struct host_t {
 	/**
 	 * Set the port of this host
 	 *
-	 * @param port	port numer
+	 * @param port	port number
 	 */
 	void (*set_port) (host_t *this, u_int16_t port);
 
@@ -136,14 +126,6 @@ struct host_t {
 	 */
 	bool (*equals) (host_t *this, host_t *other);
 
-	/**
-	 * Compare two hosts and return the differences.
-	 *
-	 * @param other	the other to compare
-	 * @return		differences in a combination of host_diff_t's
-	 */
-	host_diff_t (*get_differences) (host_t *this, host_t *other);
-
 	/**
 	 * Destroy this host object.
 	 */
@@ -209,6 +191,15 @@ host_t *host_create_from_sockaddr(sockaddr_t *sockaddr);
  */
 host_t *host_create_from_subnet(char *string, int *bits);
 
+/**
+ * Create a netmask host having the first netbits bits set.
+ *
+ * @param family		family of the netmask host
+ * @param netbits		number of leading bits set in the host
+ * @return				netmask host
+ */
+host_t *host_create_netmask(int family, int netbits);
+
 /**
  * Create a host without an address, a "any" host.
  *
diff --git a/src/libstrongswan/networking/host_resolver.c b/src/libstrongswan/networking/host_resolver.c
index 5e244f114..99a17d17c 100644
--- a/src/libstrongswan/networking/host_resolver.c
+++ b/src/libstrongswan/networking/host_resolver.c
@@ -233,10 +233,24 @@ METHOD(host_resolver_t, resolve, host_t*,
 		.family = family,
 	};
 	host_t *result;
+	struct in_addr addr;
 
-	if (family == AF_INET && strchr(name, ':'))
-	{	/* do not try to convert v6 addresses for v4 family */
-		return NULL;
+	switch (family)
+	{
+		case AF_INET:
+			/* do not try to convert v6 addresses for v4 family */
+			if (strchr(name, ':'))
+			{
+				return NULL;
+			}
+			break;
+		case AF_INET6:
+			/* do not try to convert v4 addresses for v6 family */
+			if (inet_pton(AF_INET, name, &addr) == 1)
+			{
+				return NULL;
+			}
+			break;
 	}
 	this->mutex->lock(this->mutex);
 	if (this->disabled)
diff --git a/src/libstrongswan/networking/streams/stream.c b/src/libstrongswan/networking/streams/stream.c
new file mode 100644
index 000000000..8ecb89fc9
--- /dev/null
+++ b/src/libstrongswan/networking/streams/stream.c
@@ -0,0 +1,426 @@
+/*
+ * Copyright (C) 2013 Martin Willi
+ * Copyright (C) 2013 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <library.h>
+#include <errno.h>
+#include <unistd.h>
+#include <limits.h>
+
+typedef struct private_stream_t private_stream_t;
+
+/**
+ * Private data of an stream_t object.
+ */
+struct private_stream_t {
+
+	/**
+	 * Public stream_t interface.
+	 */
+	stream_t public;
+
+	/**
+	 * Underlying socket
+	 */
+	int fd;
+
+	/**
+	 * Callback if data is ready to read
+	 */
+	stream_cb_t read_cb;
+
+	/**
+	 * Data for read-ready callback
+	 */
+	void *read_data;
+
+	/**
+	 * Callback if write is non-blocking
+	 */
+	stream_cb_t write_cb;
+
+	/**
+	 * Data for write-ready callback
+	 */
+	void *write_data;
+};
+
+METHOD(stream_t, read_, ssize_t,
+	private_stream_t *this, void *buf, size_t len, bool block)
+{
+	while (TRUE)
+	{
+		ssize_t ret;
+
+		if (block)
+		{
+			ret = read(this->fd, buf, len);
+		}
+		else
+		{
+			ret = recv(this->fd, buf, len, MSG_DONTWAIT);
+			if (ret == -1 && errno == EAGAIN)
+			{
+				/* unify EGAIN and EWOULDBLOCK */
+				errno = EWOULDBLOCK;
+			}
+		}
+		if (ret == -1 && errno == EINTR)
+		{	/* interrupted, try again */
+			continue;
+		}
+		return ret;
+	}
+}
+
+METHOD(stream_t, read_all, bool,
+	private_stream_t *this, void *buf, size_t len)
+{
+	ssize_t ret;
+
+	while (len)
+	{
+		ret = read_(this, buf, len, TRUE);
+		if (ret < 0)
+		{
+			return FALSE;
+		}
+		if (ret == 0)
+		{
+			errno = ECONNRESET;
+			return FALSE;
+		}
+		len -= ret;
+		buf += ret;
+	}
+	return TRUE;
+}
+
+METHOD(stream_t, write_, ssize_t,
+	private_stream_t *this, void *buf, size_t len, bool block)
+{
+	ssize_t ret;
+
+	while (TRUE)
+	{
+		if (block)
+		{
+			ret = write(this->fd, buf, len);
+		}
+		else
+		{
+			ret = send(this->fd, buf, len, MSG_DONTWAIT);
+			if (ret == -1 && errno == EAGAIN)
+			{
+				/* unify EGAIN and EWOULDBLOCK */
+				errno = EWOULDBLOCK;
+			}
+		}
+		if (ret == -1 && errno == EINTR)
+		{	/* interrupted, try again */
+			continue;
+		}
+		return ret;
+	}
+}
+
+METHOD(stream_t, write_all, bool,
+	private_stream_t *this, void *buf, size_t len)
+{
+	ssize_t ret;
+
+	while (len)
+	{
+		ret = write_(this, buf, len, TRUE);
+		if (ret < 0)
+		{
+			return FALSE;
+		}
+		if (ret == 0)
+		{
+			errno = ECONNRESET;
+			return FALSE;
+		}
+		len -= ret;
+		buf += ret;
+	}
+	return TRUE;
+}
+
+/**
+ * Remove a registered watcher
+ */
+static void remove_watcher(private_stream_t *this)
+{
+	if (this->read_cb || this->write_cb)
+	{
+		lib->watcher->remove(lib->watcher, this->fd);
+	}
+}
+
+/**
+ * Watcher callback
+ */
+static bool watch(private_stream_t *this, int fd, watcher_event_t event)
+{
+	bool keep = FALSE;
+	stream_cb_t cb;
+
+	switch (event)
+	{
+		case WATCHER_READ:
+			cb = this->read_cb;
+			this->read_cb = NULL;
+			keep = cb(this->read_data, &this->public);
+			if (keep)
+			{
+				this->read_cb = cb;
+			}
+			break;
+		case WATCHER_WRITE:
+			cb = this->write_cb;
+			this->write_cb = NULL;
+			keep = cb(this->write_data, &this->public);
+			if (keep)
+			{
+				this->write_cb = cb;
+			}
+			break;
+		case WATCHER_EXCEPT:
+			break;
+	}
+	return keep;
+}
+
+/**
+ * Register watcher for stream callbacks
+ */
+static void add_watcher(private_stream_t *this)
+{
+	watcher_event_t events = 0;
+
+	if (this->read_cb)
+	{
+		events |= WATCHER_READ;
+	}
+	if (this->write_cb)
+	{
+		events |= WATCHER_WRITE;
+	}
+	if (events)
+	{
+		lib->watcher->add(lib->watcher, this->fd, events,
+						  (watcher_cb_t)watch, this);
+	}
+}
+
+METHOD(stream_t, on_read, void,
+	private_stream_t *this, stream_cb_t cb, void *data)
+{
+	remove_watcher(this);
+
+	this->read_cb = cb;
+	this->read_data = data;
+
+	add_watcher(this);
+}
+
+METHOD(stream_t, on_write, void,
+	private_stream_t *this, stream_cb_t cb, void *data)
+{
+	remove_watcher(this);
+
+	this->write_cb = cb;
+	this->write_data = data;
+
+	add_watcher(this);
+}
+
+METHOD(stream_t, get_file, FILE*,
+	private_stream_t *this)
+{
+	FILE *file;
+	int fd;
+
+	/* fclose() closes the FD passed to fdopen(), so dup() it */
+	fd = dup(this->fd);
+	if (fd == -1)
+	{
+		return NULL;
+	}
+	file = fdopen(fd, "w+");
+	if (!file)
+	{
+		close(fd);
+	}
+	return file;
+}
+
+METHOD(stream_t, destroy, void,
+	private_stream_t *this)
+{
+	remove_watcher(this);
+	close(this->fd);
+	free(this);
+}
+
+/**
+ * See header
+ */
+stream_t *stream_create_from_fd(int fd)
+{
+	private_stream_t *this;
+
+	INIT(this,
+		.public = {
+			.read = _read_,
+			.read_all = _read_all,
+			.on_read = _on_read,
+			.write = _write_,
+			.write_all = _write_all,
+			.on_write = _on_write,
+			.get_file = _get_file,
+			.destroy = _destroy,
+		},
+		.fd = fd,
+	);
+
+	return &this->public;
+}
+
+/**
+ * See header
+ */
+int stream_parse_uri_unix(char *uri, struct sockaddr_un *addr)
+{
+	if (!strpfx(uri, "unix://"))
+	{
+		return -1;
+	}
+	uri += strlen("unix://");
+
+	memset(addr, 0, sizeof(*addr));
+	addr->sun_family = AF_UNIX;
+	strncpy(addr->sun_path, uri, sizeof(addr->sun_path));
+	addr->sun_path[sizeof(addr->sun_path)-1] = '\0';
+
+	return offsetof(struct sockaddr_un, sun_path) + strlen(addr->sun_path);
+}
+
+/**
+ * See header
+ */
+stream_t *stream_create_unix(char *uri)
+{
+	struct sockaddr_un addr;
+	int len, fd;
+
+	len = stream_parse_uri_unix(uri, &addr);
+	if (len == -1)
+	{
+		DBG1(DBG_NET, "invalid stream URI: '%s'", uri);
+		return NULL;
+	}
+	fd = socket(AF_UNIX, SOCK_STREAM, 0);
+	if (fd < 0)
+	{
+		DBG1(DBG_NET, "opening socket '%s' failed: %s", uri, strerror(errno));
+		return NULL;
+	}
+	if (connect(fd, (struct sockaddr*)&addr, len) < 0)
+	{
+		DBG1(DBG_NET, "connecting to '%s' failed: %s", uri, strerror(errno));
+		close(fd);
+		return NULL;
+	}
+	return stream_create_from_fd(fd);
+}
+
+/**
+ * See header.
+ */
+int stream_parse_uri_tcp(char *uri, struct sockaddr *addr)
+{
+	char *pos, buf[128];
+	host_t *host;
+	u_long port;
+	int len;
+
+	if (!strpfx(uri, "tcp://"))
+	{
+		return -1;
+	}
+	uri += strlen("tcp://");
+	pos = strrchr(uri, ':');
+	if (!pos)
+	{
+		return -1;
+	}
+	if (*uri == '[' && pos > uri && *(pos - 1) == ']')
+	{
+		/* IPv6 URI */
+		snprintf(buf, sizeof(buf), "%.*s", (int)(pos - uri - 2), uri + 1);
+	}
+	else
+	{
+		snprintf(buf, sizeof(buf), "%.*s", (int)(pos - uri), uri);
+	}
+	port = strtoul(pos + 1, &pos, 10);
+	if (port == ULONG_MAX || *pos || port > 65535)
+	{
+		return -1;
+	}
+	host = host_create_from_dns(buf, AF_UNSPEC, port);
+	if (!host)
+	{
+		return -1;
+	}
+	len = *host->get_sockaddr_len(host);
+	memcpy(addr, host->get_sockaddr(host), len);
+	host->destroy(host);
+	return len;
+}
+
+/**
+ * See header
+ */
+stream_t *stream_create_tcp(char *uri)
+{
+	union {
+		struct sockaddr_in in;
+		struct sockaddr_in6 in6;
+		struct sockaddr sa;
+	} addr;
+	int fd, len;
+
+	len = stream_parse_uri_tcp(uri, &addr.sa);
+	if (len == -1)
+	{
+		DBG1(DBG_NET, "invalid stream URI: '%s'", uri);
+		return NULL;
+	}
+	fd = socket(addr.sa.sa_family, SOCK_STREAM, 0);
+	if (fd < 0)
+	{
+		DBG1(DBG_NET, "opening socket '%s' failed: %s", uri, strerror(errno));
+		return NULL;
+	}
+	if (connect(fd, &addr.sa, len))
+	{
+		DBG1(DBG_NET, "connecting to '%s' failed: %s", uri, strerror(errno));
+		close(fd);
+		return NULL;
+	}
+	return stream_create_from_fd(fd);
+}
diff --git a/src/libstrongswan/networking/streams/stream.h b/src/libstrongswan/networking/streams/stream.h
new file mode 100644
index 000000000..810514da9
--- /dev/null
+++ b/src/libstrongswan/networking/streams/stream.h
@@ -0,0 +1,199 @@
+/*
+ * Copyright (C) 2013 Martin Willi
+ * Copyright (C) 2013 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup stream stream
+ * @{ @ingroup streams
+ */
+
+#ifndef STREAM_H_
+#define STREAM_H_
+
+typedef struct stream_t stream_t;
+
+#include <library.h>
+
+#include <sys/un.h>
+#include <sys/socket.h>
+
+/**
+ * Constructor function prototype for stream_t.
+ *
+ * @param uri			URI to create a stream for
+ * @return				stream instance, NULL on error
+ */
+typedef stream_t*(*stream_constructor_t)(char *uri);
+
+/**
+ * Callback function prototype, called when stream is ready.
+ *
+ * It is allowed to destroy the stream during the callback, but only if it has
+ * no other active on_read()/on_write() callback and returns FALSE. It is not
+ * allowed to to call on_read()/on_write/() during the callback.
+ *
+ * As select() may return even if a read()/write() would actually block, it is
+ * recommended to use the non-blocking calls and handle return values
+ * appropriately.
+ *
+ * @param data			data passed during callback registration
+ * @param stream		associated stream
+ * @return				FALSE unregisters the invoked callback, TRUE keeps it
+ */
+typedef bool (*stream_cb_t)(void *data, stream_t *stream);
+
+/**
+ * Abstraction of a Berkley socket using stream semantics.
+ */
+struct stream_t {
+
+	/**
+	 * Read data from the stream.
+	 *
+	 * If "block" is FALSE and no data is available, the function returns -1
+	 * and sets errno to EWOULDBLOCK.
+	 *
+	 * @param buf		data buffer to read into
+	 * @param len		number of bytes to read
+	 * @param block		TRUE to use a blocking read
+	 * @return			number of bytes read, -1 on error
+	 */
+	ssize_t (*read)(stream_t *this, void *buf, size_t len, bool block);
+
+	/**
+	 * Read data from the stream, avoiding short reads.
+	 *
+	 * This call is always blocking, and reads until len has been read
+	 * completely. If the connection is closed before enough bytes could be
+	 * returned, errno is set to ECONNRESET.
+	 *
+	 * @param buf		data buffer to read into
+	 * @param len		number of bytes to read
+	 * @return			TRUE if len bytes read, FALSE on error
+	 */
+	bool (*read_all)(stream_t *this, void *buf, size_t len);
+
+	/**
+	 * Register a callback to invoke when stream has data to read.
+	 *
+	 * @param cb		callback function, NULL to unregister
+	 * @param data		data to pass to callback
+	 */
+	void (*on_read)(stream_t *this, stream_cb_t cb, void *data);
+
+	/**
+	 * Write data to the stream.
+	 *
+	 * If "block" is FALSE and the write would block, the function returns -1
+	 * and sets errno to EWOULDBLOCK.
+	 *
+	 * @param buf		data buffer to write
+	 * @param len		number of bytes to write
+	 * @param block		TRUE to use a blocking write
+	 * @return			number of bytes written, -1 on error
+	 */
+	ssize_t (*write)(stream_t *this, void *buf, size_t len, bool block);
+
+	/**
+	 * Write data to the stream, avoiding short writes.
+	 *
+	 * This call is always blocking, and writes until len bytes has been
+	 * written.
+	 *
+	 * @param buf		data buffer to write
+	 * @param len		number of bytes to write
+	 * @return			TRUE if len bytes written, FALSE on error
+	 */
+	bool (*write_all)(stream_t *this, void *buf, size_t len);
+
+	/**
+	 * Register a callback to invoke when a write would not block.
+	 *
+	 * @param cb		callback function, NULL to unregister
+	 * @param data		data to pass to callback
+	 */
+	void (*on_write)(stream_t *this, stream_cb_t cb, void *data);
+
+	/**
+	 * Get a FILE reference for this stream.
+	 *
+	 * @return			FILE*, must be fclose()d, NULL on error
+	 */
+	FILE* (*get_file)(stream_t *this);
+
+	/**
+	 * Destroy a stream_t.
+	 */
+	void (*destroy)(stream_t *this);
+};
+
+/**
+ * Create a stream for UNIX sockets.
+ *
+ * UNIX URIs start with unix://, followed by the socket path. For absolute
+ * paths, an URI looks something like:
+ *
+ *   unix:///path/to/socket
+ *
+ * @param uri		UNIX socket specific URI, must start with "unix://"
+ * @return			stream instance, NULL on failure
+ */
+stream_t *stream_create_unix(char *uri);
+
+/**
+ * Helper function to parse a unix:// URI to a sockaddr
+ *
+ * @param uri		URI
+ * @param addr		sockaddr
+ * @return			length of sockaddr, -1 on error
+ */
+int stream_parse_uri_unix(char *uri, struct sockaddr_un *addr);
+
+/**
+ * Create a stream for TCP sockets.
+ *
+ * TCP URIs start with tcp://, followed by a hostname (FQDN or IP), followed
+ * by a colon separated port. A full TCP uri looks something like:
+ *
+ *   tcp://srv.example.com:5555
+ *   tcp://0.0.0.0:1234
+ *   tcp://[fec2::1]:7654
+ *
+ * There is no default port, so a colon after tcp:// is mandatory.
+ *
+ * @param uri		TCP socket specific URI, must start with "tcp://"
+ * @return			stream instance, NULL on failure
+ */
+stream_t *stream_create_tcp(char *uri);
+
+/**
+ * Helper function to parse a tcp:// URI to a sockaddr
+ *
+ * @param uri		URI
+ * @param addr		sockaddr, large enough for URI
+ * @return			length of sockaddr, -1 on error
+ */
+int stream_parse_uri_tcp(char *uri, struct sockaddr *addr);
+
+/**
+ * Create a stream from a file descriptor.
+ *
+ * The file descriptor MUST be a socket for non-blocking operation.
+ *
+ * @param fd		file descriptor to wrap into a stream_t
+ * @return			stream instance
+ */
+stream_t *stream_create_from_fd(int fd);
+
+#endif /** STREAM_H_ @}*/
diff --git a/src/libstrongswan/networking/streams/stream_manager.c b/src/libstrongswan/networking/streams/stream_manager.c
new file mode 100644
index 000000000..2cbd6127e
--- /dev/null
+++ b/src/libstrongswan/networking/streams/stream_manager.c
@@ -0,0 +1,235 @@
+/*
+ * Copyright (C) 2013 Martin Willi
+ * Copyright (C) 2013 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "stream_manager.h"
+
+#include <threading/rwlock.h>
+
+typedef struct private_stream_manager_t private_stream_manager_t;
+
+/**
+ * Private data of an stream_manager_t object.
+ */
+struct private_stream_manager_t {
+
+	/**
+	 * Public stream_manager_t interface.
+	 */
+	stream_manager_t public;
+
+	/**
+	 * List of registered stream constructors, as stream_entry_t
+	 */
+	linked_list_t *streams;
+
+	/**
+	 * List of registered service constructors, as service_entry_t
+	 */
+	linked_list_t *services;
+
+	/**
+	 * Lock for all lists
+	 */
+	rwlock_t *lock;
+};
+
+/**
+ * Registered stream backend
+ */
+typedef struct {
+	/** URI prefix */
+	char *prefix;
+	/** constructor function */
+	stream_constructor_t create;
+} stream_entry_t;
+
+/**
+ * Registered service backend
+ */
+typedef struct {
+	/** URI prefix */
+	char *prefix;
+	/** constructor function */
+	stream_service_constructor_t create;
+} service_entry_t;
+
+METHOD(stream_manager_t, connect_, stream_t*,
+	private_stream_manager_t *this, char *uri)
+{
+	enumerator_t *enumerator;
+	stream_entry_t *entry;
+	stream_t *stream = NULL;
+
+	this->lock->read_lock(this->lock);
+	enumerator = this->streams->create_enumerator(this->streams);
+	while (enumerator->enumerate(enumerator, &entry))
+	{
+		if (strpfx(uri, entry->prefix))
+		{
+			stream = entry->create(uri);
+			if (stream)
+			{
+				break;
+			}
+		}
+	}
+	enumerator->destroy(enumerator);
+	this->lock->unlock(this->lock);
+
+	return stream;
+}
+
+METHOD(stream_manager_t, create_service, stream_service_t*,
+	private_stream_manager_t *this, char *uri, int backlog)
+{
+	enumerator_t *enumerator;
+	service_entry_t *entry;
+	stream_service_t *service = NULL;
+
+	this->lock->read_lock(this->lock);
+	enumerator = this->services->create_enumerator(this->services);
+	while (enumerator->enumerate(enumerator, &entry))
+	{
+		if (strpfx(uri, entry->prefix))
+		{
+			service = entry->create(uri, backlog);
+			if (service)
+			{
+				break;
+			}
+		}
+	}
+	enumerator->destroy(enumerator);
+	this->lock->unlock(this->lock);
+
+	return service;
+}
+
+METHOD(stream_manager_t, add_stream, void,
+	private_stream_manager_t *this, char *prefix, stream_constructor_t create)
+{
+	stream_entry_t *entry;
+
+	INIT(entry,
+		.prefix = strdup(prefix),
+		.create = create,
+	);
+
+	this->lock->write_lock(this->lock);
+	this->streams->insert_last(this->streams, entry);
+	this->lock->unlock(this->lock);
+}
+
+METHOD(stream_manager_t, remove_stream, void,
+	private_stream_manager_t *this, stream_constructor_t create)
+{
+	enumerator_t *enumerator;
+	stream_entry_t *entry;
+
+	this->lock->write_lock(this->lock);
+	enumerator = this->streams->create_enumerator(this->streams);
+	while (enumerator->enumerate(enumerator, &entry))
+	{
+		if (entry->create == create)
+		{
+			this->streams->remove_at(this->streams, enumerator);
+			free(entry->prefix);
+			free(entry);
+		}
+	}
+	enumerator->destroy(enumerator);
+	this->lock->unlock(this->lock);
+}
+
+METHOD(stream_manager_t, add_service, void,
+	private_stream_manager_t *this, char *prefix,
+	stream_service_constructor_t create)
+{
+	service_entry_t *entry;
+
+	INIT(entry,
+		.prefix = strdup(prefix),
+		.create = create,
+	);
+
+	this->lock->write_lock(this->lock);
+	this->services->insert_last(this->services, entry);
+	this->lock->unlock(this->lock);
+}
+
+METHOD(stream_manager_t, remove_service, void,
+	private_stream_manager_t *this, stream_service_constructor_t create)
+{
+	enumerator_t *enumerator;
+	service_entry_t *entry;
+
+	this->lock->write_lock(this->lock);
+	enumerator = this->services->create_enumerator(this->services);
+	while (enumerator->enumerate(enumerator, &entry))
+	{
+		if (entry->create == create)
+		{
+			this->services->remove_at(this->services, enumerator);
+			free(entry->prefix);
+			free(entry);
+		}
+	}
+	enumerator->destroy(enumerator);
+	this->lock->unlock(this->lock);
+}
+
+METHOD(stream_manager_t, destroy, void,
+	private_stream_manager_t *this)
+{
+	remove_stream(this, stream_create_unix);
+	remove_stream(this, stream_create_tcp);
+	remove_service(this, stream_service_create_unix);
+	remove_service(this, stream_service_create_tcp);
+
+	this->streams->destroy(this->streams);
+	this->services->destroy(this->services);
+	this->lock->destroy(this->lock);
+	free(this);
+}
+
+/**
+ * See header
+ */
+stream_manager_t *stream_manager_create()
+{
+	private_stream_manager_t *this;
+
+	INIT(this,
+		.public = {
+			.connect = _connect_,
+			.create_service = _create_service,
+			.add_stream = _add_stream,
+			.remove_stream = _remove_stream,
+			.add_service = _add_service,
+			.remove_service = _remove_service,
+			.destroy = _destroy,
+		},
+		.streams = linked_list_create(),
+		.services = linked_list_create(),
+		.lock = rwlock_create(RWLOCK_TYPE_DEFAULT),
+	);
+
+	add_stream(this, "unix://", stream_create_unix);
+	add_stream(this, "tcp://", stream_create_tcp);
+	add_service(this, "unix://", stream_service_create_unix);
+	add_service(this, "tcp://", stream_service_create_tcp);
+
+	return &this->public;
+}
diff --git a/src/libstrongswan/networking/streams/stream_manager.h b/src/libstrongswan/networking/streams/stream_manager.h
new file mode 100644
index 000000000..352d93e2b
--- /dev/null
+++ b/src/libstrongswan/networking/streams/stream_manager.h
@@ -0,0 +1,96 @@
+/*
+ * Copyright (C) 2013 Martin Willi
+ * Copyright (C) 2013 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup stream_manager stream_manager
+ * @{ @ingroup streams
+ */
+
+#ifndef STREAM_MANAGER_H_
+#define STREAM_MANAGER_H_
+
+typedef struct stream_manager_t stream_manager_t;
+
+#include <library.h>
+#include <networking/streams/stream_service.h>
+
+/**
+ * Manages client-server connections and services using stream_t backends.
+ */
+struct stream_manager_t {
+
+	/**
+	 * Create a client-server connection to a service.
+	 *
+	 * @param uri		URI of service to connect to
+	 * @return			stream instance, NULL on error
+	 */
+	stream_t* (*connect)(stream_manager_t *this, char *uri);
+
+	/**
+	 * Create a new service under an URI to accept() client connections.
+	 *
+	 * @param uri		URI of service to provide
+	 * @param backlog	size of the backlog queue, as passed to listen()
+	 * @return			service, NULL on error
+	 */
+	stream_service_t* (*create_service)(stream_manager_t *this, char *uri,
+										int backlog);
+
+	/**
+	 * Register a stream backend to the manager.
+	 *
+	 * @param prefix	prefix of URIs to use the backend for
+	 * @param create	constructor function for the stream
+	 */
+	void (*add_stream)(stream_manager_t *this, char *prefix,
+					   stream_constructor_t create);
+
+	/**
+	 * Unregister stream backends from the manager.
+	 *
+	 * @param create	constructor function passed to add_stream()
+	 */
+	void (*remove_stream)(stream_manager_t *this, stream_constructor_t create);
+
+	/**
+	 * Register a stream service backend to the manager.
+	 *
+	 * @param prefix	prefix of URIs to use the backend for
+	 * @param create	constructor function for the stream service
+	 */
+	void (*add_service)(stream_manager_t *this, char *prefix,
+						stream_service_constructor_t create);
+
+	/**
+	 * Unregister stream service backends from the manager.
+	 *
+	 * @param create	constructor function passed to add_service()
+	 */
+	void (*remove_service)(stream_manager_t *this,
+						   stream_service_constructor_t create);
+
+	/**
+	 * Destroy a stream_manager_t.
+	 */
+	void (*destroy)(stream_manager_t *this);
+};
+
+/**
+ * Create a stream_manager instance.
+ */
+stream_manager_t *stream_manager_create();
+
+#endif /** STREAM_MANAGER_H_ @}*/
diff --git a/src/libstrongswan/networking/streams/stream_service.c b/src/libstrongswan/networking/streams/stream_service.c
new file mode 100644
index 000000000..ece17b41f
--- /dev/null
+++ b/src/libstrongswan/networking/streams/stream_service.c
@@ -0,0 +1,332 @@
+/*
+ * Copyright (C) 2013 Martin Willi
+ * Copyright (C) 2013 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <library.h>
+#include <threading/thread.h>
+#include <threading/mutex.h>
+#include <threading/condvar.h>
+#include <processing/jobs/callback_job.h>
+
+#include <errno.h>
+#include <unistd.h>
+#include <sys/socket.h>
+#include <sys/un.h>
+#include <sys/stat.h>
+
+typedef struct private_stream_service_t private_stream_service_t;
+
+/**
+ * Private data of an stream_service_t object.
+ */
+struct private_stream_service_t {
+
+	/**
+	 * Public stream_service_t interface.
+	 */
+	stream_service_t public;
+
+	/**
+	 * Underlying socket
+	 */
+	int fd;
+
+	/**
+	 * Accept callback
+	 */
+	stream_service_cb_t cb;
+
+	/**
+	 * Accept callback data
+	 */
+	void *data;
+
+	/**
+	 * Job priority to invoke callback with
+	 */
+	job_priority_t prio;
+
+	/**
+	 * Maximum number of parallel callback invocations
+	 */
+	u_int cncrncy;
+
+	/**
+	 * Currently active jobs
+	 */
+	u_int active;
+
+	/**
+	 * mutex to lock active counter
+	 */
+	mutex_t *mutex;
+
+	/**
+	 * Condvar to wait for callback termination
+	 */
+	condvar_t *condvar;
+};
+
+/**
+ * Data to pass to async accept job
+ */
+typedef struct {
+	/** callback function */
+	stream_service_cb_t cb;
+	/** callback data */
+	void *data;
+	/** accepted connection */
+	int fd;
+	/** reference to stream service */
+	private_stream_service_t *this;
+} async_data_t;
+
+/**
+ * Clean up accept data
+ */
+static void destroy_async_data(async_data_t *data)
+{
+	private_stream_service_t *this = data->this;
+
+	this->mutex->lock(this->mutex);
+	if (this->active-- == this->cncrncy)
+	{
+		/* leaving concurrency limit, restart accept()ing. */
+		this->public.on_accept(&this->public, this->cb, this->data,
+							   this->prio, this->cncrncy);
+	}
+	this->condvar->signal(this->condvar);
+	this->mutex->unlock(this->mutex);
+
+	if (data->fd != -1)
+	{
+		close(data->fd);
+	}
+	free(data);
+}
+
+/**
+ * Async processing of accepted connection
+ */
+static job_requeue_t accept_async(async_data_t *data)
+{
+	stream_t *stream;
+
+	stream = stream_create_from_fd(data->fd);
+	if (stream)
+	{
+		/* FD is now owned by stream, don't close it during cleanup */
+		data->fd = -1;
+		thread_cleanup_push((void*)stream->destroy, stream);
+		thread_cleanup_pop(!data->cb(data->data, stream));
+	}
+	return JOB_REQUEUE_NONE;
+}
+
+/**
+ * Watcher callback function
+ */
+static bool watch(private_stream_service_t *this, int fd, watcher_event_t event)
+{
+	async_data_t *data;
+	bool keep = TRUE;
+
+	INIT(data,
+		.cb = this->cb,
+		.data = this->data,
+		.fd = accept(fd, NULL, NULL),
+		.this = this,
+	);
+
+	if (data->fd != -1)
+	{
+		this->mutex->lock(this->mutex);
+		if (++this->active == this->cncrncy)
+		{
+			/* concurrency limit reached, stop accept()ing new connections */
+			keep = FALSE;
+		}
+		this->mutex->unlock(this->mutex);
+
+		lib->processor->queue_job(lib->processor,
+			(job_t*)callback_job_create_with_prio((void*)accept_async, data,
+				(void*)destroy_async_data, (callback_job_cancel_t)return_false,
+				this->prio));
+	}
+	else
+	{
+		free(data);
+	}
+	return keep;
+}
+
+METHOD(stream_service_t, on_accept, void,
+	private_stream_service_t *this, stream_service_cb_t cb, void *data,
+	job_priority_t prio, u_int cncrncy)
+{
+	this->mutex->lock(this->mutex);
+
+	/* wait for all callbacks to return */
+	while (this->active)
+	{
+		this->condvar->wait(this->condvar, this->mutex);
+	}
+
+	if (this->cb)
+	{
+		lib->watcher->remove(lib->watcher, this->fd);
+	}
+
+	this->cb = cb;
+	this->data = data;
+	if (prio <= JOB_PRIO_MAX)
+	{
+		this->prio = prio;
+	}
+	this->cncrncy = cncrncy;
+
+	if (this->cb)
+	{
+		lib->watcher->add(lib->watcher, this->fd,
+						  WATCHER_READ, (watcher_cb_t)watch, this);
+	}
+
+	this->mutex->unlock(this->mutex);
+}
+
+METHOD(stream_service_t, destroy, void,
+	private_stream_service_t *this)
+{
+	on_accept(this, NULL, NULL, this->prio, this->cncrncy);
+	close(this->fd);
+	this->mutex->destroy(this->mutex);
+	this->condvar->destroy(this->condvar);
+	free(this);
+}
+
+/**
+ * See header
+ */
+stream_service_t *stream_service_create_from_fd(int fd)
+{
+	private_stream_service_t *this;
+
+	INIT(this,
+		.public = {
+			.on_accept = _on_accept,
+			.destroy = _destroy,
+		},
+		.fd = fd,
+		.prio = JOB_PRIO_MEDIUM,
+		.mutex = mutex_create(MUTEX_TYPE_RECURSIVE),
+		.condvar = condvar_create(CONDVAR_TYPE_DEFAULT),
+	);
+
+	return &this->public;
+}
+
+/**
+ * See header
+ */
+stream_service_t *stream_service_create_unix(char *uri, int backlog)
+{
+	struct sockaddr_un addr;
+	mode_t old;
+	int fd, len;
+
+	len = stream_parse_uri_unix(uri, &addr);
+	if (len == -1)
+	{
+		DBG1(DBG_NET, "invalid stream URI: '%s'", uri);
+		return NULL;
+	}
+	if (!lib->caps->check(lib->caps, CAP_CHOWN))
+	{	/* required to chown(2) service socket */
+		DBG1(DBG_NET, "socket '%s' requires CAP_CHOWN capability", uri);
+		return NULL;
+	}
+	fd = socket(AF_UNIX, SOCK_STREAM, 0);
+	if (fd == -1)
+	{
+		DBG1(DBG_NET, "opening socket '%s' failed: %s", uri, strerror(errno));
+		return NULL;
+	}
+	unlink(addr.sun_path);
+
+	old = umask(~(S_IRWXU | S_IRWXG));
+	if (bind(fd, (struct sockaddr*)&addr, len) < 0)
+	{
+		DBG1(DBG_NET, "binding socket '%s' failed: %s", uri, strerror(errno));
+		close(fd);
+		return NULL;
+	}
+	umask(old);
+	if (chown(addr.sun_path, lib->caps->get_uid(lib->caps),
+			  lib->caps->get_gid(lib->caps)) != 0)
+	{
+		DBG1(DBG_NET, "changing socket permissions for '%s' failed: %s",
+			 uri, strerror(errno));
+	}
+	if (listen(fd, backlog) < 0)
+	{
+		DBG1(DBG_NET, "listen on socket '%s' failed: %s", uri, strerror(errno));
+		unlink(addr.sun_path);
+		close(fd);
+		return NULL;
+	}
+	return stream_service_create_from_fd(fd);
+}
+
+/**
+ * See header
+ */
+stream_service_t *stream_service_create_tcp(char *uri, int backlog)
+{
+	union {
+		struct sockaddr_in in;
+		struct sockaddr_in6 in6;
+		struct sockaddr sa;
+	} addr;
+	int fd, len, on = 1;
+
+	len = stream_parse_uri_tcp(uri, &addr.sa);
+	if (len == -1)
+	{
+		DBG1(DBG_NET, "invalid stream URI: '%s'", uri);
+		return NULL;
+	}
+	fd = socket(addr.sa.sa_family, SOCK_STREAM, 0);
+	if (fd < 0)
+	{
+		DBG1(DBG_NET, "opening socket '%s' failed: %s", uri, strerror(errno));
+		return NULL;
+	}
+	if (setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &on, sizeof(on)) != 0)
+	{
+		DBG1(DBG_NET, "SO_REUSADDR on '%s' failed: %s", uri, strerror(errno));
+	}
+	if (bind(fd, &addr.sa, len) < 0)
+	{
+		DBG1(DBG_NET, "binding socket '%s' failed: %s", uri, strerror(errno));
+		close(fd);
+		return NULL;
+	}
+	if (listen(fd, backlog) < 0)
+	{
+		DBG1(DBG_NET, "listen on socket '%s' failed: %s", uri, strerror(errno));
+		close(fd);
+		return NULL;
+	}
+	return stream_service_create_from_fd(fd);
+}
diff --git a/src/libstrongswan/networking/streams/stream_service.h b/src/libstrongswan/networking/streams/stream_service.h
new file mode 100644
index 000000000..c8faba323
--- /dev/null
+++ b/src/libstrongswan/networking/streams/stream_service.h
@@ -0,0 +1,104 @@
+/*
+ * Copyright (C) 2013 Martin Willi
+ * Copyright (C) 2013 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup stream_service stream_service
+ * @{ @ingroup streams
+ */
+
+#ifndef STREAM_SERVICE_H_
+#define STREAM_SERVICE_H_
+
+typedef struct stream_service_t stream_service_t;
+
+#include <library.h>
+#include <processing/jobs/job.h>
+#include <networking/streams/stream.h>
+
+/**
+ * Constructor function prototype for stream_service_t.
+ *
+ * @param uri			URI to create a stream for
+ * @param backlog		size of the backlog queue, as passed to listen()
+ * @return				stream instance, NULL on error
+ */
+typedef stream_service_t*(*stream_service_constructor_t)(char *uri, int backlog);
+
+/**
+ * Service callback routine for accepting client connections.
+ *
+ * The passed stream gets closed/destroyed by the callback caller, unless
+ * TRUE is returned.
+ *
+ * @param data			user data, as passed during registration
+ * @param stream		accept()ed client connection
+ * @return				TRUE to keep stream alive, FALSE to destroy it
+ */
+typedef bool (*stream_service_cb_t)(void *data, stream_t *stream);
+
+/**
+ * A service accepting client connection streams.
+ */
+struct stream_service_t {
+
+	/**
+	 * Start accepting client connections on this stream service.
+	 *
+	 * To stop accepting connections, pass a NULL callback function.
+	 *
+	 * @param cb		callback function to call for accepted client streams
+	 * @param data		data to pass to callback function
+	 * @param prio		job priority to run callback with
+	 * @param cncrncy	maximum number of parallel callback invocations
+	 */
+	void (*on_accept)(stream_service_t *this,
+					  stream_service_cb_t cb, void *data,
+					  job_priority_t prio, u_int cncrncy);
+
+	/**
+	 * Destroy a stream_service_t.
+	 */
+	void (*destroy)(stream_service_t *this);
+};
+
+/**
+ * Create a service from a file descriptor.
+ *
+ * The file descriptor MUST be a socket.
+ *
+ * @param fd		file descriptor to wrap into a stream_service_t
+ * @return			stream_service instance
+ */
+stream_service_t *stream_service_create_from_fd(int fd);
+
+/**
+ * Create a service instance for UNIX sockets.
+ *
+ * @param uri		UNIX socket specific URI, must start with "unix://"
+ * @param backlog	size of the backlog queue, as passed to listen()
+ * @return			stream_service instance, NULL on failure
+ */
+stream_service_t *stream_service_create_unix(char *uri, int backlog);
+
+/**
+ * Create a service instance for TCP sockets.
+ *
+ * @param uri		TCP socket specific URI, must start with "tcp://"
+ * @param backlog	size of the backlog queue, as passed to listen()
+ * @return			stream_service instance, NULL on failure
+ */
+stream_service_t *stream_service_create_tcp(char *uri, int backlog);
+
+#endif /** STREAM_SERVICE_H_ @}*/
diff --git a/src/libstrongswan/networking/tun_device.c b/src/libstrongswan/networking/tun_device.c
index 1da87df05..af7e57140 100644
--- a/src/libstrongswan/networking/tun_device.c
+++ b/src/libstrongswan/networking/tun_device.c
@@ -73,63 +73,28 @@ struct private_tun_device_t {
 	 * The current MTU
 	 */
 	int mtu;
-};
-
-/**
- * Set the sockaddr_t from the given netmask
- */
-static void set_netmask(struct ifreq *ifr, int family, u_int8_t netmask)
-{
-	int len, bytes, bits;
-	char *target;
 
-	switch (family)
-	{
-		case AF_INET:
-		{
-			struct sockaddr_in *addr = (struct sockaddr_in*)&ifr->ifr_addr;
-			target = (char*)&addr->sin_addr;
-			len = 4;
-			break;
-		}
-		case AF_INET6:
-		{
-			struct sockaddr_in6 *addr = (struct sockaddr_in6*)&ifr->ifr_addr;
-			target = (char*)&addr->sin6_addr;
-			len = 16;
-			break;
-		}
-		default:
-			return;
-	}
-
-	ifr->ifr_addr.sa_family = family;
-
-	bytes = (netmask + 7) / 8;
-	bits = (bytes * 8) - netmask;
+	/**
+	 * Associated address
+	 */
+	host_t *address;
 
-	memset(target, 0xff, bytes);
-	memset(target + bytes, 0x00, len - bytes);
-	target[bytes - 1] = bits ? (u_int8_t)(0xff << bits) : 0xff;
-}
+	/**
+	 * Netmask for address
+	 */
+	u_int8_t netmask;
+};
 
 METHOD(tun_device_t, set_address, bool,
 	private_tun_device_t *this, host_t *addr, u_int8_t netmask)
 {
 	struct ifreq ifr;
-	int family;
-
-	family = addr->get_family(addr);
-	if ((netmask > 32 && family == AF_INET) || netmask > 128)
-	{
-		DBG1(DBG_LIB, "failed to set address on %s: invalid netmask",
-			 this->if_name);
-		return FALSE;
-	}
+	host_t *mask;
 
 	memset(&ifr, 0, sizeof(ifr));
 	strncpy(ifr.ifr_name, this->if_name, IFNAMSIZ);
-	memcpy(&ifr.ifr_addr, addr->get_sockaddr(addr), sizeof(sockaddr_t));
+	memcpy(&ifr.ifr_addr, addr->get_sockaddr(addr),
+		   *addr->get_sockaddr_len(addr));
 
 	if (ioctl(this->sock, SIOCSIFADDR, &ifr) < 0)
 	{
@@ -146,7 +111,15 @@ METHOD(tun_device_t, set_address, bool,
 	}
 #endif /* __APPLE__ */
 
-	set_netmask(&ifr, family, netmask);
+	mask = host_create_netmask(addr->get_family(addr), netmask);
+	if (!mask)
+	{
+		DBG1(DBG_LIB, "invalid netmask: %d", netmask);
+		return FALSE;
+	}
+	memcpy(&ifr.ifr_addr, mask->get_sockaddr(mask),
+		   *mask->get_sockaddr_len(mask));
+	mask->destroy(mask);
 
 	if (ioctl(this->sock, SIOCSIFNETMASK, &ifr) < 0)
 	{
@@ -154,9 +127,21 @@ METHOD(tun_device_t, set_address, bool,
 			 this->if_name, strerror(errno));
 		return FALSE;
 	}
+	this->address = addr->clone(addr);
+	this->netmask = netmask;
 	return TRUE;
 }
 
+METHOD(tun_device_t, get_address, host_t*,
+	private_tun_device_t *this, u_int8_t *netmask)
+{
+	if (netmask && this->address)
+	{
+		*netmask = this->netmask;
+	}
+	return this->address;
+}
+
 METHOD(tun_device_t, up, bool,
 	private_tun_device_t *this)
 {
@@ -229,11 +214,23 @@ METHOD(tun_device_t, get_name, char*,
 	return this->if_name;
 }
 
+METHOD(tun_device_t, get_fd, int,
+	private_tun_device_t *this)
+{
+	return this->tunfd;
+}
+
 METHOD(tun_device_t, write_packet, bool,
 	private_tun_device_t *this, chunk_t packet)
 {
 	ssize_t s;
 
+#ifdef __APPLE__
+	/* UTUN's expect the packets to be prepended by a 32-bit protocol number
+	 * instead of parsing the packet again, we assume IPv4 for now */
+	u_int32_t proto = htonl(AF_INET);
+	packet = chunk_cata("cc", chunk_from_thing(proto), packet);
+#endif
 	s = write(this->tunfd, packet.ptr, packet.len);
 	if (s < 0)
 	{
@@ -280,6 +277,11 @@ METHOD(tun_device_t, read_packet, bool,
 		return FALSE;
 	}
 	packet->len = len;
+#ifdef __APPLE__
+	/* UTUN's prepend packets with a 32-bit protocol number */
+	packet->len -= sizeof(u_int32_t);
+	memmove(packet->ptr, packet->ptr + sizeof(u_int32_t), packet->len);
+#endif
 	return TRUE;
 }
 
@@ -308,6 +310,7 @@ METHOD(tun_device_t, destroy, void,
 	{
 		close(this->sock);
 	}
+	DESTROY_IF(this->address);
 	free(this);
 }
 
@@ -398,14 +401,18 @@ static bool init_tun(private_tun_device_t *this, const char *name_tmpl)
 	/* this works on FreeBSD and might also work on Linux with older TUN
 	 * driver versions (no IFF_TUN) */
 	char devname[IFNAMSIZ];
-	int i;
+	/* the same process is allowed to open a device again, but that's not what
+	 * we want (unless we previously closed a device, which we don't know at
+	 * this point).  therefore, this counter is static so we don't accidentally
+	 * open a device twice */
+	static int i = -1;
 
 	if (name_tmpl)
 	{
 		DBG1(DBG_LIB, "arbitrary naming of TUN devices is not supported");
 	}
 
-	for (i = 0; i < 256; i++)
+	for (; ++i < 256; )
 	{
 		snprintf(devname, IFNAMSIZ, "/dev/tun%d", i);
 		this->tunfd = open(devname, O_RDWR);
@@ -435,7 +442,9 @@ tun_device_t *tun_device_create(const char *name_tmpl)
 			.get_mtu = _get_mtu,
 			.set_mtu = _set_mtu,
 			.get_name = _get_name,
+			.get_fd = _get_fd,
 			.set_address = _set_address,
+			.get_address = _get_address,
 			.up = _up,
 			.destroy = _destroy,
 		},
diff --git a/src/libstrongswan/networking/tun_device.h b/src/libstrongswan/networking/tun_device.h
index b22a5d170..1d330f133 100644
--- a/src/libstrongswan/networking/tun_device.h
+++ b/src/libstrongswan/networking/tun_device.h
@@ -65,6 +65,14 @@ struct tun_device_t {
 	 */
 	bool (*set_address)(tun_device_t *this, host_t *addr, u_int8_t netmask);
 
+	/**
+	 * Get the IP address previously assigned to using set_address().
+	 *
+	 * @param netmask		pointer receiving the configured netmask, or NULL
+	 * @return				address previously set, NULL if none
+	 */
+	host_t* (*get_address)(tun_device_t *this, u_int8_t *netmask);
+
 	/**
 	 * Bring the TUN device up
 	 *
@@ -94,6 +102,13 @@ struct tun_device_t {
 	 */
 	char *(*get_name)(tun_device_t *this);
 
+	/**
+	 * Get the underlying tun file descriptor.
+	 *
+	 * @return				file descriptor of this tun device
+	 */
+	int (*get_fd)(tun_device_t *this);
+
 	/**
 	 * Destroy a tun_device_t
 	 */
diff --git a/src/libstrongswan/plugins/aes/Makefile.am b/src/libstrongswan/plugins/aes/Makefile.am
index e72daeb44..8c5505bfc 100644
--- a/src/libstrongswan/plugins/aes/Makefile.am
+++ b/src/libstrongswan/plugins/aes/Makefile.am
@@ -1,7 +1,8 @@
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan
 
-INCLUDES = -I$(top_srcdir)/src/libstrongswan
-
-AM_CFLAGS = -rdynamic
+AM_CFLAGS = \
+	-rdynamic
 
 if MONOLITHIC
 noinst_LTLIBRARIES = libstrongswan-aes.la
diff --git a/src/libstrongswan/plugins/aes/Makefile.in b/src/libstrongswan/plugins/aes/Makefile.in
index 71e25a6a1..c2de8b327 100644
--- a/src/libstrongswan/plugins/aes/Makefile.in
+++ b/src/libstrongswan/plugins/aes/Makefile.in
@@ -62,7 +62,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
@@ -101,9 +101,13 @@ LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
 libstrongswan_aes_la_LIBADD =
 am_libstrongswan_aes_la_OBJECTS = aes_plugin.lo aes_crypter.lo
 libstrongswan_aes_la_OBJECTS = $(am_libstrongswan_aes_la_OBJECTS)
-libstrongswan_aes_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
-	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
-	$(libstrongswan_aes_la_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+libstrongswan_aes_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
+	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
+	$(AM_CFLAGS) $(CFLAGS) $(libstrongswan_aes_la_LDFLAGS) \
+	$(LDFLAGS) -o $@
 @MONOLITHIC_FALSE@am_libstrongswan_aes_la_rpath = -rpath $(plugindir)
 @MONOLITHIC_TRUE@am_libstrongswan_aes_la_rpath =
 DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
@@ -112,13 +116,26 @@ am__depfiles_maybe = depfiles
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
 SOURCES = $(libstrongswan_aes_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_aes_la_SOURCES)
 am__can_run_installinfo = \
@@ -132,6 +149,7 @@ DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
@@ -144,6 +162,8 @@ CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
 CHECK_CFLAGS = @CHECK_CFLAGS@
 CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -159,6 +179,7 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
 GPRBUILD = @GPRBUILD@
 GREP = @GREP@
@@ -167,6 +188,7 @@ INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -213,6 +235,7 @@ SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -241,6 +264,7 @@ charon_natt_port = @charon_natt_port@
 charon_plugins = @charon_plugins@
 charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
@@ -318,8 +342,12 @@ top_srcdir = @top_srcdir@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-INCLUDES = -I$(top_srcdir)/src/libstrongswan
-AM_CFLAGS = -rdynamic
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan
+
+AM_CFLAGS = \
+	-rdynamic
+
 @MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-aes.la
 @MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-aes.la
 libstrongswan_aes_la_SOURCES = \
@@ -402,7 +430,7 @@ clean-pluginLTLIBRARIES:
 	  rm -f "$${dir}/so_locations"; \
 	done
 libstrongswan-aes.la: $(libstrongswan_aes_la_OBJECTS) $(libstrongswan_aes_la_DEPENDENCIES) $(EXTRA_libstrongswan_aes_la_DEPENDENCIES) 
-	$(libstrongswan_aes_la_LINK) $(am_libstrongswan_aes_la_rpath) $(libstrongswan_aes_la_OBJECTS) $(libstrongswan_aes_la_LIBADD) $(LIBS)
+	$(AM_V_CCLD)$(libstrongswan_aes_la_LINK) $(am_libstrongswan_aes_la_rpath) $(libstrongswan_aes_la_OBJECTS) $(libstrongswan_aes_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -414,25 +442,25 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/aes_plugin.Plo@am__quote@
 
 .c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
 mostlyclean-libtool:
 	-rm -f *.lo
diff --git a/src/libstrongswan/plugins/af_alg/Makefile.am b/src/libstrongswan/plugins/af_alg/Makefile.am
index a33fd30b6..58113ca3d 100644
--- a/src/libstrongswan/plugins/af_alg/Makefile.am
+++ b/src/libstrongswan/plugins/af_alg/Makefile.am
@@ -1,7 +1,9 @@
+AM_CPPFLAGS = \
+	-I${linux_headers} \
+	-I$(top_srcdir)/src/libstrongswan
 
-INCLUDES = -I${linux_headers} -I$(top_srcdir)/src/libstrongswan
-
-AM_CFLAGS = -rdynamic
+AM_CFLAGS = \
+	-rdynamic
 
 if MONOLITHIC
 noinst_LTLIBRARIES = libstrongswan-af-alg.la
diff --git a/src/libstrongswan/plugins/af_alg/Makefile.in b/src/libstrongswan/plugins/af_alg/Makefile.in
index eff6aec83..5920cc5f6 100644
--- a/src/libstrongswan/plugins/af_alg/Makefile.in
+++ b/src/libstrongswan/plugins/af_alg/Makefile.in
@@ -62,7 +62,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
@@ -104,9 +104,13 @@ am_libstrongswan_af_alg_la_OBJECTS = af_alg_plugin.lo af_alg_ops.lo \
 	af_alg_crypter.lo
 libstrongswan_af_alg_la_OBJECTS =  \
 	$(am_libstrongswan_af_alg_la_OBJECTS)
-libstrongswan_af_alg_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
-	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
-	$(libstrongswan_af_alg_la_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+libstrongswan_af_alg_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
+	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
+	$(AM_CFLAGS) $(CFLAGS) $(libstrongswan_af_alg_la_LDFLAGS) \
+	$(LDFLAGS) -o $@
 @MONOLITHIC_FALSE@am_libstrongswan_af_alg_la_rpath = -rpath \
 @MONOLITHIC_FALSE@	$(plugindir)
 @MONOLITHIC_TRUE@am_libstrongswan_af_alg_la_rpath =
@@ -116,13 +120,26 @@ am__depfiles_maybe = depfiles
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
 SOURCES = $(libstrongswan_af_alg_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_af_alg_la_SOURCES)
 am__can_run_installinfo = \
@@ -136,6 +153,7 @@ DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
@@ -148,6 +166,8 @@ CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
 CHECK_CFLAGS = @CHECK_CFLAGS@
 CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -163,6 +183,7 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
 GPRBUILD = @GPRBUILD@
 GREP = @GREP@
@@ -171,6 +192,7 @@ INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -217,6 +239,7 @@ SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -245,6 +268,7 @@ charon_natt_port = @charon_natt_port@
 charon_plugins = @charon_plugins@
 charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
@@ -322,8 +346,13 @@ top_srcdir = @top_srcdir@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-INCLUDES = -I${linux_headers} -I$(top_srcdir)/src/libstrongswan
-AM_CFLAGS = -rdynamic
+AM_CPPFLAGS = \
+	-I${linux_headers} \
+	-I$(top_srcdir)/src/libstrongswan
+
+AM_CFLAGS = \
+	-rdynamic
+
 @MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-af-alg.la
 @MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-af-alg.la
 libstrongswan_af_alg_la_SOURCES = \
@@ -411,7 +440,7 @@ clean-pluginLTLIBRARIES:
 	  rm -f "$${dir}/so_locations"; \
 	done
 libstrongswan-af-alg.la: $(libstrongswan_af_alg_la_OBJECTS) $(libstrongswan_af_alg_la_DEPENDENCIES) $(EXTRA_libstrongswan_af_alg_la_DEPENDENCIES) 
-	$(libstrongswan_af_alg_la_LINK) $(am_libstrongswan_af_alg_la_rpath) $(libstrongswan_af_alg_la_OBJECTS) $(libstrongswan_af_alg_la_LIBADD) $(LIBS)
+	$(AM_V_CCLD)$(libstrongswan_af_alg_la_LINK) $(am_libstrongswan_af_alg_la_rpath) $(libstrongswan_af_alg_la_OBJECTS) $(libstrongswan_af_alg_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -427,25 +456,25 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/af_alg_signer.Plo@am__quote@
 
 .c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
 mostlyclean-libtool:
 	-rm -f *.lo
diff --git a/src/libstrongswan/plugins/af_alg/af_alg_signer.c b/src/libstrongswan/plugins/af_alg/af_alg_signer.c
index d995b1351..6ee380633 100644
--- a/src/libstrongswan/plugins/af_alg/af_alg_signer.c
+++ b/src/libstrongswan/plugins/af_alg/af_alg_signer.c
@@ -64,6 +64,7 @@ static struct {
 	{AUTH_HMAC_SHA2_384_192,	"hmac(sha384)",		24,		48,	},
 	{AUTH_HMAC_SHA2_384_384,	"hmac(sha384)",		48,		48,	},
 	{AUTH_HMAC_SHA2_512_256,	"hmac(sha512)",		32,		64,	},
+	{AUTH_HMAC_SHA2_512_512,	"hmac(sha512)",		64,		64,	},
 	{AUTH_AES_XCBC_96,			"xcbc(aes)",		12,		16,	},
 	{AUTH_CAMELLIA_XCBC_96,		"xcbc(camellia)",	12,		16,	},
 };
diff --git a/src/libstrongswan/plugins/af_alg/af_alg_signer.h b/src/libstrongswan/plugins/af_alg/af_alg_signer.h
index deced7110..5f52e0ce6 100644
--- a/src/libstrongswan/plugins/af_alg/af_alg_signer.h
+++ b/src/libstrongswan/plugins/af_alg/af_alg_signer.h
@@ -27,7 +27,7 @@ typedef struct af_alg_signer_t af_alg_signer_t;
 #include <crypto/signers/signer.h>
 
 /** Number of signers */
-#define AF_ALG_SIGNER 13
+#define AF_ALG_SIGNER 14
 
 /**
  * Implementation of signers using AF_ALG.
diff --git a/src/libstrongswan/plugins/agent/Makefile.am b/src/libstrongswan/plugins/agent/Makefile.am
index ffa6e8b7f..e60d19363 100644
--- a/src/libstrongswan/plugins/agent/Makefile.am
+++ b/src/libstrongswan/plugins/agent/Makefile.am
@@ -1,7 +1,8 @@
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan
 
-INCLUDES = -I$(top_srcdir)/src/libstrongswan
-
-AM_CFLAGS = -rdynamic
+AM_CFLAGS = \
+	-rdynamic
 
 if MONOLITHIC
 noinst_LTLIBRARIES = libstrongswan-agent.la
diff --git a/src/libstrongswan/plugins/agent/Makefile.in b/src/libstrongswan/plugins/agent/Makefile.in
index b17a69a76..b1e343c8d 100644
--- a/src/libstrongswan/plugins/agent/Makefile.in
+++ b/src/libstrongswan/plugins/agent/Makefile.in
@@ -62,7 +62,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
@@ -102,9 +102,13 @@ libstrongswan_agent_la_LIBADD =
 am_libstrongswan_agent_la_OBJECTS = agent_plugin.lo \
 	agent_private_key.lo
 libstrongswan_agent_la_OBJECTS = $(am_libstrongswan_agent_la_OBJECTS)
-libstrongswan_agent_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
-	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
-	$(libstrongswan_agent_la_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+libstrongswan_agent_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
+	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
+	$(AM_CFLAGS) $(CFLAGS) $(libstrongswan_agent_la_LDFLAGS) \
+	$(LDFLAGS) -o $@
 @MONOLITHIC_FALSE@am_libstrongswan_agent_la_rpath = -rpath \
 @MONOLITHIC_FALSE@	$(plugindir)
 @MONOLITHIC_TRUE@am_libstrongswan_agent_la_rpath =
@@ -114,13 +118,26 @@ am__depfiles_maybe = depfiles
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
 SOURCES = $(libstrongswan_agent_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_agent_la_SOURCES)
 am__can_run_installinfo = \
@@ -134,6 +151,7 @@ DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
@@ -146,6 +164,8 @@ CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
 CHECK_CFLAGS = @CHECK_CFLAGS@
 CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -161,6 +181,7 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
 GPRBUILD = @GPRBUILD@
 GREP = @GREP@
@@ -169,6 +190,7 @@ INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -215,6 +237,7 @@ SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -243,6 +266,7 @@ charon_natt_port = @charon_natt_port@
 charon_plugins = @charon_plugins@
 charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
@@ -320,8 +344,12 @@ top_srcdir = @top_srcdir@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-INCLUDES = -I$(top_srcdir)/src/libstrongswan
-AM_CFLAGS = -rdynamic
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan
+
+AM_CFLAGS = \
+	-rdynamic
+
 @MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-agent.la
 @MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-agent.la
 libstrongswan_agent_la_SOURCES = \
@@ -405,7 +433,7 @@ clean-pluginLTLIBRARIES:
 	  rm -f "$${dir}/so_locations"; \
 	done
 libstrongswan-agent.la: $(libstrongswan_agent_la_OBJECTS) $(libstrongswan_agent_la_DEPENDENCIES) $(EXTRA_libstrongswan_agent_la_DEPENDENCIES) 
-	$(libstrongswan_agent_la_LINK) $(am_libstrongswan_agent_la_rpath) $(libstrongswan_agent_la_OBJECTS) $(libstrongswan_agent_la_LIBADD) $(LIBS)
+	$(AM_V_CCLD)$(libstrongswan_agent_la_LINK) $(am_libstrongswan_agent_la_rpath) $(libstrongswan_agent_la_OBJECTS) $(libstrongswan_agent_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -417,25 +445,25 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/agent_private_key.Plo@am__quote@
 
 .c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
 mostlyclean-libtool:
 	-rm -f *.lo
diff --git a/src/libstrongswan/plugins/agent/agent_plugin.c b/src/libstrongswan/plugins/agent/agent_plugin.c
index 980a140b9..322ded48c 100644
--- a/src/libstrongswan/plugins/agent/agent_plugin.c
+++ b/src/libstrongswan/plugins/agent/agent_plugin.c
@@ -42,7 +42,9 @@ METHOD(plugin_t, get_features, int,
 {
 	static plugin_feature_t f[] = {
 		PLUGIN_REGISTER(PRIVKEY, agent_private_key_open, FALSE),
+			PLUGIN_PROVIDE(PRIVKEY, KEY_ANY),
 			PLUGIN_PROVIDE(PRIVKEY, KEY_RSA),
+			PLUGIN_PROVIDE(PRIVKEY, KEY_ECDSA),
 	};
 	*features = f;
 	return countof(f);
diff --git a/src/libstrongswan/plugins/agent/agent_private_key.c b/src/libstrongswan/plugins/agent/agent_private_key.c
index 42c78c172..8a3fb150a 100644
--- a/src/libstrongswan/plugins/agent/agent_private_key.c
+++ b/src/libstrongswan/plugins/agent/agent_private_key.c
@@ -49,10 +49,15 @@ struct private_agent_private_key_t {
 	int socket;
 
 	/**
-	 * key identity blob in ssh format
+	 * public key encoded in SSH format
 	 */
 	chunk_t key;
 
+	/**
+	 * public key
+	 */
+	public_key_t *pubkey;
+
 	/**
 	 * keysize in bytes
 	 */
@@ -163,7 +168,7 @@ static bool read_key(private_agent_private_key_t *this, public_key_t *pubkey)
 {
 	int len;
 	char buf[2048];
-	chunk_t blob, key, type, n;
+	chunk_t blob, key;
 
 	len = htonl(1);
 	buf[0] = SSH_AGENT_ID_REQUEST;
@@ -193,34 +198,40 @@ static bool read_key(private_agent_private_key_t *this, public_key_t *pubkey)
 		{
 			break;
 		}
-		this->key = key;
-		type = read_string(&key);
-		if (!type.len || !strneq("ssh-rsa", type.ptr, type.len))
-		{
-			break;
-		}
-		read_string(&key);
-		n = read_string(&key);
-		if (n.len <= 512/8)
+		this->pubkey = lib->creds->create(lib->creds, CRED_PUBLIC_KEY, KEY_ANY,
+										  BUILD_BLOB_SSHKEY, key, BUILD_END);
+		if (!this->pubkey)
 		{
-			break;;
+			continue;
 		}
 		if (pubkey && !private_key_belongs_to(&this->public.key, pubkey))
 		{
+			this->pubkey->destroy(this->pubkey);
+			this->pubkey = NULL;
 			continue;
 		}
-		this->key_size = n.len;
-		if (n.ptr[0] == 0)
-		{
-			this->key_size--;
-		}
-		this->key = chunk_clone(this->key);
+		this->key = chunk_clone(key);
 		return TRUE;
 	}
-	this->key = chunk_empty;
 	return FALSE;
 }
 
+static bool scheme_supported(private_agent_private_key_t *this,
+							signature_scheme_t scheme)
+{
+	switch (this->pubkey->get_type(this->pubkey))
+	{
+		case KEY_RSA:
+			return scheme == SIGN_RSA_EMSA_PKCS1_SHA1;
+		case KEY_ECDSA:
+			return scheme == SIGN_ECDSA_256 ||
+				   scheme == SIGN_ECDSA_384 ||
+				   scheme == SIGN_ECDSA_521;
+		default:
+			return FALSE;
+	}
+}
+
 METHOD(private_key_t, sign, bool,
 	private_agent_private_key_t *this, signature_scheme_t scheme,
 	chunk_t data, chunk_t *signature)
@@ -229,7 +240,7 @@ METHOD(private_key_t, sign, bool,
 	char buf[2048];
 	chunk_t blob;
 
-	if (scheme != SIGN_RSA_EMSA_PKCS1_SHA1)
+	if (!scheme_supported(this, scheme))
 	{
 		DBG1(DBG_LIB, "signature scheme %N not supported by ssh-agent",
 			 signature_scheme_names, scheme);
@@ -279,23 +290,40 @@ METHOD(private_key_t, sign, bool,
 	}
 	/* parse length */
 	blob = read_string(&blob);
-	/* skip sig type */
-	read_string(&blob);
-	/* parse length */
-	blob = read_string(&blob);
-	if (!blob.len)
-	{
-		DBG1(DBG_LIB, "received invalid ssh-agent signature response");
-		return FALSE;
+	/* check sig type */
+	if (chunk_equals(read_string(&blob), chunk_from_str("ssh-rsa")))
+	{	/* for RSA the signature has no special encoding */
+		blob = read_string(&blob);
+		if (blob.len)
+		{
+			*signature = chunk_clone(blob);
+			return TRUE;
+		}
+	}
+	else
+	{	/* anything else is treated as ECSDA for now */
+		blob = read_string(&blob);
+		if (blob.len)
+		{
+			chunk_t r, s;
+
+			r = read_string(&blob);
+			s = read_string(&blob);
+			if (r.len && s.len)
+			{
+				*signature = chunk_cat("cc", r, s);
+				return TRUE;
+			}
+		}
 	}
-	*signature =  chunk_clone(blob);
-	return TRUE;
+	DBG1(DBG_LIB, "received invalid ssh-agent signature response");
+	return FALSE;
 }
 
 METHOD(private_key_t, get_type, key_type_t,
 	private_agent_private_key_t *this)
 {
-	return KEY_RSA;
+	return this->pubkey->get_type(this->pubkey);
 }
 
 METHOD(private_key_t, decrypt, bool,
@@ -309,21 +337,13 @@ METHOD(private_key_t, decrypt, bool,
 METHOD(private_key_t, get_keysize, int,
 	private_agent_private_key_t *this)
 {
-	return this->key_size * 8;
+	return this->pubkey->get_keysize(this->pubkey);
 }
 
 METHOD(private_key_t, get_public_key, public_key_t*,
 	private_agent_private_key_t *this)
 {
-	chunk_t key, n, e;
-
-	key = this->key;
-	read_string(&key);
-	e = read_string(&key);
-	n = read_string(&key);
-
-	return lib->creds->create(lib->creds, CRED_PUBLIC_KEY, KEY_RSA,
-						BUILD_RSA_MODULUS, n, BUILD_RSA_PUB_EXP, e, BUILD_END);
+	return this->pubkey->get_ref(this->pubkey);
 }
 
 METHOD(private_key_t, get_encoding, bool,
@@ -336,19 +356,7 @@ METHOD(private_key_t, get_encoding, bool,
 METHOD(private_key_t, get_fingerprint, bool,
 	private_agent_private_key_t *this, cred_encoding_type_t type, chunk_t *fp)
 {
-	chunk_t n, e, key;
-
-	if (lib->encoding->get_cache(lib->encoding, type, this, fp))
-	{
-		return TRUE;
-	}
-	key = this->key;
-	read_string(&key);
-	e = read_string(&key);
-	n = read_string(&key);
-
-	return lib->encoding->encode(lib->encoding, type, this, fp,
-			CRED_PART_RSA_MODULUS, n, CRED_PART_RSA_PUB_EXP, e, CRED_PART_END);
+	return this->pubkey->get_fingerprint(this->pubkey, type, fp);
 }
 
 METHOD(private_key_t, get_ref, private_key_t*,
@@ -364,8 +372,8 @@ METHOD(private_key_t, destroy, void,
 	if (ref_put(&this->ref))
 	{
 		close(this->socket);
-		free(this->key.ptr);
-		lib->encoding->clear_cache(lib->encoding, this);
+		chunk_free(&this->key);
+		DESTROY_IF(this->pubkey);
 		free(this);
 	}
 }
diff --git a/src/libstrongswan/plugins/blowfish/Makefile.am b/src/libstrongswan/plugins/blowfish/Makefile.am
index 95c414204..3e5cf8f08 100644
--- a/src/libstrongswan/plugins/blowfish/Makefile.am
+++ b/src/libstrongswan/plugins/blowfish/Makefile.am
@@ -1,7 +1,8 @@
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan
 
-INCLUDES = -I$(top_srcdir)/src/libstrongswan
-
-AM_CFLAGS = -rdynamic
+AM_CFLAGS = \
+	-rdynamic
 
 if MONOLITHIC
 noinst_LTLIBRARIES = libstrongswan-blowfish.la
diff --git a/src/libstrongswan/plugins/blowfish/Makefile.in b/src/libstrongswan/plugins/blowfish/Makefile.in
index 9c0390c96..7d469d3f7 100644
--- a/src/libstrongswan/plugins/blowfish/Makefile.in
+++ b/src/libstrongswan/plugins/blowfish/Makefile.in
@@ -62,7 +62,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
@@ -103,7 +103,10 @@ am_libstrongswan_blowfish_la_OBJECTS = blowfish_plugin.lo \
 	blowfish_crypter.lo bf_skey.lo bf_enc.lo
 libstrongswan_blowfish_la_OBJECTS =  \
 	$(am_libstrongswan_blowfish_la_OBJECTS)
-libstrongswan_blowfish_la_LINK = $(LIBTOOL) --tag=CC \
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+libstrongswan_blowfish_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
 	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
 	$(AM_CFLAGS) $(CFLAGS) $(libstrongswan_blowfish_la_LDFLAGS) \
 	$(LDFLAGS) -o $@
@@ -116,13 +119,26 @@ am__depfiles_maybe = depfiles
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
 SOURCES = $(libstrongswan_blowfish_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_blowfish_la_SOURCES)
 am__can_run_installinfo = \
@@ -136,6 +152,7 @@ DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
@@ -148,6 +165,8 @@ CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
 CHECK_CFLAGS = @CHECK_CFLAGS@
 CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -163,6 +182,7 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
 GPRBUILD = @GPRBUILD@
 GREP = @GREP@
@@ -171,6 +191,7 @@ INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -217,6 +238,7 @@ SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -245,6 +267,7 @@ charon_natt_port = @charon_natt_port@
 charon_plugins = @charon_plugins@
 charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
@@ -322,8 +345,12 @@ top_srcdir = @top_srcdir@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-INCLUDES = -I$(top_srcdir)/src/libstrongswan
-AM_CFLAGS = -rdynamic
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan
+
+AM_CFLAGS = \
+	-rdynamic
+
 @MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-blowfish.la
 @MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-blowfish.la
 libstrongswan_blowfish_la_SOURCES = \
@@ -407,7 +434,7 @@ clean-pluginLTLIBRARIES:
 	  rm -f "$${dir}/so_locations"; \
 	done
 libstrongswan-blowfish.la: $(libstrongswan_blowfish_la_OBJECTS) $(libstrongswan_blowfish_la_DEPENDENCIES) $(EXTRA_libstrongswan_blowfish_la_DEPENDENCIES) 
-	$(libstrongswan_blowfish_la_LINK) $(am_libstrongswan_blowfish_la_rpath) $(libstrongswan_blowfish_la_OBJECTS) $(libstrongswan_blowfish_la_LIBADD) $(LIBS)
+	$(AM_V_CCLD)$(libstrongswan_blowfish_la_LINK) $(am_libstrongswan_blowfish_la_rpath) $(libstrongswan_blowfish_la_OBJECTS) $(libstrongswan_blowfish_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -421,25 +448,25 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/blowfish_plugin.Plo@am__quote@
 
 .c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
 mostlyclean-libtool:
 	-rm -f *.lo
diff --git a/src/libstrongswan/plugins/blowfish/blowfish_plugin.c b/src/libstrongswan/plugins/blowfish/blowfish_plugin.c
index 9dc8dfe7f..7494c52c3 100644
--- a/src/libstrongswan/plugins/blowfish/blowfish_plugin.c
+++ b/src/libstrongswan/plugins/blowfish/blowfish_plugin.c
@@ -1,6 +1,6 @@
 /*
- * Copyright (C) 2008 Martin Willi
  * Copyright (C) 2009 Andreas Steffen
+ * Copyright (C) 2008 Martin Willi
  * Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -38,11 +38,20 @@ METHOD(plugin_t, get_name, char*,
 	return "blowfish";
 }
 
+METHOD(plugin_t, get_features, int,
+	private_blowfish_plugin_t *this, plugin_feature_t *features[])
+{
+	static plugin_feature_t f[] = {
+		PLUGIN_REGISTER(CRYPTER, blowfish_crypter_create),
+			PLUGIN_PROVIDE(CRYPTER, ENCR_BLOWFISH, 0),
+	};
+	*features = f;
+	return countof(f);
+}
+
 METHOD(plugin_t, destroy, void,
 	private_blowfish_plugin_t *this)
 {
-	lib->crypto->remove_crypter(lib->crypto,
-								(crypter_constructor_t)blowfish_crypter_create);
 	free(this);
 }
 
@@ -57,15 +66,11 @@ plugin_t *blowfish_plugin_create()
 		.public = {
 			.plugin = {
 				.get_name = _get_name,
-				.reload = (void*)return_false,
+				.get_features = _get_features,
 				.destroy = _destroy,
 			},
 		},
 	);
 
-	lib->crypto->add_crypter(lib->crypto, ENCR_BLOWFISH, get_name(this),
-							 (crypter_constructor_t)blowfish_crypter_create);
-
 	return &this->public.plugin;
 }
-
diff --git a/src/libstrongswan/plugins/ccm/Makefile.am b/src/libstrongswan/plugins/ccm/Makefile.am
index bca1f0735..d512f5a94 100644
--- a/src/libstrongswan/plugins/ccm/Makefile.am
+++ b/src/libstrongswan/plugins/ccm/Makefile.am
@@ -1,7 +1,8 @@
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan
 
-INCLUDES = -I$(top_srcdir)/src/libstrongswan
-
-AM_CFLAGS = -rdynamic
+AM_CFLAGS = \
+	-rdynamic
 
 if MONOLITHIC
 noinst_LTLIBRARIES = libstrongswan-ccm.la
diff --git a/src/libstrongswan/plugins/ccm/Makefile.in b/src/libstrongswan/plugins/ccm/Makefile.in
index ee7f386dd..7b175fd1b 100644
--- a/src/libstrongswan/plugins/ccm/Makefile.in
+++ b/src/libstrongswan/plugins/ccm/Makefile.in
@@ -62,7 +62,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
@@ -101,9 +101,13 @@ LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
 libstrongswan_ccm_la_LIBADD =
 am_libstrongswan_ccm_la_OBJECTS = ccm_plugin.lo ccm_aead.lo
 libstrongswan_ccm_la_OBJECTS = $(am_libstrongswan_ccm_la_OBJECTS)
-libstrongswan_ccm_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
-	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
-	$(libstrongswan_ccm_la_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+libstrongswan_ccm_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
+	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
+	$(AM_CFLAGS) $(CFLAGS) $(libstrongswan_ccm_la_LDFLAGS) \
+	$(LDFLAGS) -o $@
 @MONOLITHIC_FALSE@am_libstrongswan_ccm_la_rpath = -rpath $(plugindir)
 @MONOLITHIC_TRUE@am_libstrongswan_ccm_la_rpath =
 DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
@@ -112,13 +116,26 @@ am__depfiles_maybe = depfiles
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
 SOURCES = $(libstrongswan_ccm_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_ccm_la_SOURCES)
 am__can_run_installinfo = \
@@ -132,6 +149,7 @@ DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
@@ -144,6 +162,8 @@ CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
 CHECK_CFLAGS = @CHECK_CFLAGS@
 CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -159,6 +179,7 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
 GPRBUILD = @GPRBUILD@
 GREP = @GREP@
@@ -167,6 +188,7 @@ INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -213,6 +235,7 @@ SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -241,6 +264,7 @@ charon_natt_port = @charon_natt_port@
 charon_plugins = @charon_plugins@
 charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
@@ -318,8 +342,12 @@ top_srcdir = @top_srcdir@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-INCLUDES = -I$(top_srcdir)/src/libstrongswan
-AM_CFLAGS = -rdynamic
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan
+
+AM_CFLAGS = \
+	-rdynamic
+
 @MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-ccm.la
 @MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-ccm.la
 libstrongswan_ccm_la_SOURCES = \
@@ -403,7 +431,7 @@ clean-pluginLTLIBRARIES:
 	  rm -f "$${dir}/so_locations"; \
 	done
 libstrongswan-ccm.la: $(libstrongswan_ccm_la_OBJECTS) $(libstrongswan_ccm_la_DEPENDENCIES) $(EXTRA_libstrongswan_ccm_la_DEPENDENCIES) 
-	$(libstrongswan_ccm_la_LINK) $(am_libstrongswan_ccm_la_rpath) $(libstrongswan_ccm_la_OBJECTS) $(libstrongswan_ccm_la_LIBADD) $(LIBS)
+	$(AM_V_CCLD)$(libstrongswan_ccm_la_LINK) $(am_libstrongswan_ccm_la_rpath) $(libstrongswan_ccm_la_OBJECTS) $(libstrongswan_ccm_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -415,25 +443,25 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ccm_plugin.Plo@am__quote@
 
 .c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
 mostlyclean-libtool:
 	-rm -f *.lo
diff --git a/src/libstrongswan/plugins/cmac/Makefile.am b/src/libstrongswan/plugins/cmac/Makefile.am
index 5cac3959c..08e910be1 100644
--- a/src/libstrongswan/plugins/cmac/Makefile.am
+++ b/src/libstrongswan/plugins/cmac/Makefile.am
@@ -1,7 +1,8 @@
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan
 
-INCLUDES = -I$(top_srcdir)/src/libstrongswan
-
-AM_CFLAGS = -rdynamic
+AM_CFLAGS = \
+	-rdynamic
 
 if MONOLITHIC
 noinst_LTLIBRARIES = libstrongswan-cmac.la
diff --git a/src/libstrongswan/plugins/cmac/Makefile.in b/src/libstrongswan/plugins/cmac/Makefile.in
index 12131c65c..07104bced 100644
--- a/src/libstrongswan/plugins/cmac/Makefile.in
+++ b/src/libstrongswan/plugins/cmac/Makefile.in
@@ -62,7 +62,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
@@ -101,9 +101,13 @@ LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
 libstrongswan_cmac_la_LIBADD =
 am_libstrongswan_cmac_la_OBJECTS = cmac_plugin.lo cmac.lo
 libstrongswan_cmac_la_OBJECTS = $(am_libstrongswan_cmac_la_OBJECTS)
-libstrongswan_cmac_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
-	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
-	$(libstrongswan_cmac_la_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+libstrongswan_cmac_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
+	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
+	$(AM_CFLAGS) $(CFLAGS) $(libstrongswan_cmac_la_LDFLAGS) \
+	$(LDFLAGS) -o $@
 @MONOLITHIC_FALSE@am_libstrongswan_cmac_la_rpath = -rpath $(plugindir)
 @MONOLITHIC_TRUE@am_libstrongswan_cmac_la_rpath =
 DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
@@ -112,13 +116,26 @@ am__depfiles_maybe = depfiles
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
 SOURCES = $(libstrongswan_cmac_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_cmac_la_SOURCES)
 am__can_run_installinfo = \
@@ -132,6 +149,7 @@ DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
@@ -144,6 +162,8 @@ CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
 CHECK_CFLAGS = @CHECK_CFLAGS@
 CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -159,6 +179,7 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
 GPRBUILD = @GPRBUILD@
 GREP = @GREP@
@@ -167,6 +188,7 @@ INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -213,6 +235,7 @@ SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -241,6 +264,7 @@ charon_natt_port = @charon_natt_port@
 charon_plugins = @charon_plugins@
 charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
@@ -318,8 +342,12 @@ top_srcdir = @top_srcdir@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-INCLUDES = -I$(top_srcdir)/src/libstrongswan
-AM_CFLAGS = -rdynamic
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan
+
+AM_CFLAGS = \
+	-rdynamic
+
 @MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-cmac.la
 @MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-cmac.la
 libstrongswan_cmac_la_SOURCES = \
@@ -402,7 +430,7 @@ clean-pluginLTLIBRARIES:
 	  rm -f "$${dir}/so_locations"; \
 	done
 libstrongswan-cmac.la: $(libstrongswan_cmac_la_OBJECTS) $(libstrongswan_cmac_la_DEPENDENCIES) $(EXTRA_libstrongswan_cmac_la_DEPENDENCIES) 
-	$(libstrongswan_cmac_la_LINK) $(am_libstrongswan_cmac_la_rpath) $(libstrongswan_cmac_la_OBJECTS) $(libstrongswan_cmac_la_LIBADD) $(LIBS)
+	$(AM_V_CCLD)$(libstrongswan_cmac_la_LINK) $(am_libstrongswan_cmac_la_rpath) $(libstrongswan_cmac_la_OBJECTS) $(libstrongswan_cmac_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -414,25 +442,25 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/cmac_plugin.Plo@am__quote@
 
 .c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
 mostlyclean-libtool:
 	-rm -f *.lo
diff --git a/src/libstrongswan/plugins/constraints/Makefile.am b/src/libstrongswan/plugins/constraints/Makefile.am
index d80d39a2d..8afde7013 100644
--- a/src/libstrongswan/plugins/constraints/Makefile.am
+++ b/src/libstrongswan/plugins/constraints/Makefile.am
@@ -1,7 +1,8 @@
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan
 
-INCLUDES = -I$(top_srcdir)/src/libstrongswan
-
-AM_CFLAGS = -rdynamic
+AM_CFLAGS = \
+	-rdynamic
 
 if MONOLITHIC
 noinst_LTLIBRARIES = libstrongswan-constraints.la
diff --git a/src/libstrongswan/plugins/constraints/Makefile.in b/src/libstrongswan/plugins/constraints/Makefile.in
index 72517e9a1..5152d31b4 100644
--- a/src/libstrongswan/plugins/constraints/Makefile.in
+++ b/src/libstrongswan/plugins/constraints/Makefile.in
@@ -62,7 +62,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
@@ -103,7 +103,10 @@ am_libstrongswan_constraints_la_OBJECTS = constraints_plugin.lo \
 	constraints_validator.lo
 libstrongswan_constraints_la_OBJECTS =  \
 	$(am_libstrongswan_constraints_la_OBJECTS)
-libstrongswan_constraints_la_LINK = $(LIBTOOL) --tag=CC \
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+libstrongswan_constraints_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
 	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
 	$(AM_CFLAGS) $(CFLAGS) $(libstrongswan_constraints_la_LDFLAGS) \
 	$(LDFLAGS) -o $@
@@ -116,13 +119,26 @@ am__depfiles_maybe = depfiles
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
 SOURCES = $(libstrongswan_constraints_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_constraints_la_SOURCES)
 am__can_run_installinfo = \
@@ -136,6 +152,7 @@ DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
@@ -148,6 +165,8 @@ CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
 CHECK_CFLAGS = @CHECK_CFLAGS@
 CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -163,6 +182,7 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
 GPRBUILD = @GPRBUILD@
 GREP = @GREP@
@@ -171,6 +191,7 @@ INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -217,6 +238,7 @@ SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -245,6 +267,7 @@ charon_natt_port = @charon_natt_port@
 charon_plugins = @charon_plugins@
 charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
@@ -322,8 +345,12 @@ top_srcdir = @top_srcdir@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-INCLUDES = -I$(top_srcdir)/src/libstrongswan
-AM_CFLAGS = -rdynamic
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan
+
+AM_CFLAGS = \
+	-rdynamic
+
 @MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-constraints.la
 @MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-constraints.la
 libstrongswan_constraints_la_SOURCES = \
@@ -407,7 +434,7 @@ clean-pluginLTLIBRARIES:
 	  rm -f "$${dir}/so_locations"; \
 	done
 libstrongswan-constraints.la: $(libstrongswan_constraints_la_OBJECTS) $(libstrongswan_constraints_la_DEPENDENCIES) $(EXTRA_libstrongswan_constraints_la_DEPENDENCIES) 
-	$(libstrongswan_constraints_la_LINK) $(am_libstrongswan_constraints_la_rpath) $(libstrongswan_constraints_la_OBJECTS) $(libstrongswan_constraints_la_LIBADD) $(LIBS)
+	$(AM_V_CCLD)$(libstrongswan_constraints_la_LINK) $(am_libstrongswan_constraints_la_rpath) $(libstrongswan_constraints_la_OBJECTS) $(libstrongswan_constraints_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -419,25 +446,25 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/constraints_validator.Plo@am__quote@
 
 .c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
 mostlyclean-libtool:
 	-rm -f *.lo
diff --git a/src/libstrongswan/plugins/constraints/constraints_plugin.c b/src/libstrongswan/plugins/constraints/constraints_plugin.c
index 502c83559..b9b456b23 100644
--- a/src/libstrongswan/plugins/constraints/constraints_plugin.c
+++ b/src/libstrongswan/plugins/constraints/constraints_plugin.c
@@ -42,10 +42,39 @@ METHOD(plugin_t, get_name, char*,
 	return "constraints";
 }
 
+/**
+ * Register validator
+ */
+static bool plugin_cb(private_constraints_plugin_t *this,
+					  plugin_feature_t *feature, bool reg, void *cb_data)
+{
+	if (reg)
+	{
+		lib->credmgr->add_validator(lib->credmgr, &this->validator->validator);
+	}
+	else
+	{
+		lib->credmgr->remove_validator(lib->credmgr,
+									   &this->validator->validator);
+	}
+	return TRUE;
+}
+
+METHOD(plugin_t, get_features, int,
+	private_constraints_plugin_t *this, plugin_feature_t *features[])
+{
+	static plugin_feature_t f[] = {
+		PLUGIN_CALLBACK((plugin_feature_callback_t)plugin_cb, NULL),
+			PLUGIN_PROVIDE(CUSTOM, "constraints"),
+				PLUGIN_SDEPEND(CERT_DECODE, CERT_X509),
+	};
+	*features = f;
+	return countof(f);
+}
+
 METHOD(plugin_t, destroy, void,
 	private_constraints_plugin_t *this)
 {
-	lib->credmgr->remove_validator(lib->credmgr, &this->validator->validator);
 	this->validator->destroy(this->validator);
 	free(this);
 }
@@ -61,13 +90,12 @@ plugin_t *constraints_plugin_create()
 		.public = {
 			.plugin = {
 				.get_name = _get_name,
-				.reload = (void*)return_false,
+				.get_features = _get_features,
 				.destroy = _destroy,
 			},
 		},
 		.validator = constraints_validator_create(),
 	);
-	lib->credmgr->add_validator(lib->credmgr, &this->validator->validator);
 
 	return &this->public.plugin;
 }
diff --git a/src/libstrongswan/plugins/constraints/constraints_validator.c b/src/libstrongswan/plugins/constraints/constraints_validator.c
index 83a74299a..62ccc7108 100644
--- a/src/libstrongswan/plugins/constraints/constraints_validator.c
+++ b/src/libstrongswan/plugins/constraints/constraints_validator.c
@@ -533,20 +533,28 @@ METHOD(cert_validator_t, validate, bool,
 	{
 		if (!check_pathlen((x509_t*)issuer, pathlen))
 		{
+			lib->credmgr->call_hook(lib->credmgr, CRED_HOOK_EXCEEDED_PATH_LEN,
+									subject);
 			return FALSE;
 		}
 		if (!check_name_constraints(subject, (x509_t*)issuer))
 		{
+			lib->credmgr->call_hook(lib->credmgr, CRED_HOOK_POLICY_VIOLATION,
+									subject);
 			return FALSE;
 		}
 		if (!check_policy((x509_t*)subject, (x509_t*)issuer, !pathlen, auth))
 		{
+			lib->credmgr->call_hook(lib->credmgr, CRED_HOOK_POLICY_VIOLATION,
+									subject);
 			return FALSE;
 		}
 		if (anchor)
 		{
 			if (!check_policy_constraints((x509_t*)issuer, pathlen, auth))
 			{
+				lib->credmgr->call_hook(lib->credmgr,
+										CRED_HOOK_POLICY_VIOLATION, issuer);
 				return FALSE;
 			}
 		}
diff --git a/src/libstrongswan/plugins/ctr/Makefile.am b/src/libstrongswan/plugins/ctr/Makefile.am
index 893171aab..52278b6d2 100644
--- a/src/libstrongswan/plugins/ctr/Makefile.am
+++ b/src/libstrongswan/plugins/ctr/Makefile.am
@@ -1,7 +1,8 @@
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan
 
-INCLUDES = -I$(top_srcdir)/src/libstrongswan
-
-AM_CFLAGS = -rdynamic
+AM_CFLAGS = \
+	-rdynamic
 
 if MONOLITHIC
 noinst_LTLIBRARIES = libstrongswan-ctr.la
diff --git a/src/libstrongswan/plugins/ctr/Makefile.in b/src/libstrongswan/plugins/ctr/Makefile.in
index 18abf3a38..a251929d9 100644
--- a/src/libstrongswan/plugins/ctr/Makefile.in
+++ b/src/libstrongswan/plugins/ctr/Makefile.in
@@ -62,7 +62,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
@@ -101,9 +101,13 @@ LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
 libstrongswan_ctr_la_LIBADD =
 am_libstrongswan_ctr_la_OBJECTS = ctr_plugin.lo ctr_ipsec_crypter.lo
 libstrongswan_ctr_la_OBJECTS = $(am_libstrongswan_ctr_la_OBJECTS)
-libstrongswan_ctr_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
-	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
-	$(libstrongswan_ctr_la_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+libstrongswan_ctr_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
+	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
+	$(AM_CFLAGS) $(CFLAGS) $(libstrongswan_ctr_la_LDFLAGS) \
+	$(LDFLAGS) -o $@
 @MONOLITHIC_FALSE@am_libstrongswan_ctr_la_rpath = -rpath $(plugindir)
 @MONOLITHIC_TRUE@am_libstrongswan_ctr_la_rpath =
 DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
@@ -112,13 +116,26 @@ am__depfiles_maybe = depfiles
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
 SOURCES = $(libstrongswan_ctr_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_ctr_la_SOURCES)
 am__can_run_installinfo = \
@@ -132,6 +149,7 @@ DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
@@ -144,6 +162,8 @@ CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
 CHECK_CFLAGS = @CHECK_CFLAGS@
 CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -159,6 +179,7 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
 GPRBUILD = @GPRBUILD@
 GREP = @GREP@
@@ -167,6 +188,7 @@ INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -213,6 +235,7 @@ SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -241,6 +264,7 @@ charon_natt_port = @charon_natt_port@
 charon_plugins = @charon_plugins@
 charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
@@ -318,8 +342,12 @@ top_srcdir = @top_srcdir@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-INCLUDES = -I$(top_srcdir)/src/libstrongswan
-AM_CFLAGS = -rdynamic
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan
+
+AM_CFLAGS = \
+	-rdynamic
+
 @MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-ctr.la
 @MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-ctr.la
 libstrongswan_ctr_la_SOURCES = \
@@ -403,7 +431,7 @@ clean-pluginLTLIBRARIES:
 	  rm -f "$${dir}/so_locations"; \
 	done
 libstrongswan-ctr.la: $(libstrongswan_ctr_la_OBJECTS) $(libstrongswan_ctr_la_DEPENDENCIES) $(EXTRA_libstrongswan_ctr_la_DEPENDENCIES) 
-	$(libstrongswan_ctr_la_LINK) $(am_libstrongswan_ctr_la_rpath) $(libstrongswan_ctr_la_OBJECTS) $(libstrongswan_ctr_la_LIBADD) $(LIBS)
+	$(AM_V_CCLD)$(libstrongswan_ctr_la_LINK) $(am_libstrongswan_ctr_la_rpath) $(libstrongswan_ctr_la_OBJECTS) $(libstrongswan_ctr_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -415,25 +443,25 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ctr_plugin.Plo@am__quote@
 
 .c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
 mostlyclean-libtool:
 	-rm -f *.lo
diff --git a/src/libstrongswan/plugins/curl/Makefile.am b/src/libstrongswan/plugins/curl/Makefile.am
index 43718f678..17bcc8d98 100644
--- a/src/libstrongswan/plugins/curl/Makefile.am
+++ b/src/libstrongswan/plugins/curl/Makefile.am
@@ -1,7 +1,8 @@
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan
 
-INCLUDES = -I$(top_srcdir)/src/libstrongswan
-
-AM_CFLAGS = -rdynamic
+AM_CFLAGS = \
+	-rdynamic
 
 if MONOLITHIC
 noinst_LTLIBRARIES = libstrongswan-curl.la
diff --git a/src/libstrongswan/plugins/curl/Makefile.in b/src/libstrongswan/plugins/curl/Makefile.in
index 73f180c29..d897746a0 100644
--- a/src/libstrongswan/plugins/curl/Makefile.in
+++ b/src/libstrongswan/plugins/curl/Makefile.in
@@ -62,7 +62,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
@@ -101,9 +101,13 @@ LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
 libstrongswan_curl_la_DEPENDENCIES =
 am_libstrongswan_curl_la_OBJECTS = curl_plugin.lo curl_fetcher.lo
 libstrongswan_curl_la_OBJECTS = $(am_libstrongswan_curl_la_OBJECTS)
-libstrongswan_curl_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
-	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
-	$(libstrongswan_curl_la_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+libstrongswan_curl_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
+	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
+	$(AM_CFLAGS) $(CFLAGS) $(libstrongswan_curl_la_LDFLAGS) \
+	$(LDFLAGS) -o $@
 @MONOLITHIC_FALSE@am_libstrongswan_curl_la_rpath = -rpath $(plugindir)
 @MONOLITHIC_TRUE@am_libstrongswan_curl_la_rpath =
 DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
@@ -112,13 +116,26 @@ am__depfiles_maybe = depfiles
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
 SOURCES = $(libstrongswan_curl_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_curl_la_SOURCES)
 am__can_run_installinfo = \
@@ -132,6 +149,7 @@ DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
@@ -144,6 +162,8 @@ CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
 CHECK_CFLAGS = @CHECK_CFLAGS@
 CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -159,6 +179,7 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
 GPRBUILD = @GPRBUILD@
 GREP = @GREP@
@@ -167,6 +188,7 @@ INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -213,6 +235,7 @@ SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -241,6 +264,7 @@ charon_natt_port = @charon_natt_port@
 charon_plugins = @charon_plugins@
 charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
@@ -318,8 +342,12 @@ top_srcdir = @top_srcdir@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-INCLUDES = -I$(top_srcdir)/src/libstrongswan
-AM_CFLAGS = -rdynamic
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan
+
+AM_CFLAGS = \
+	-rdynamic
+
 @MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-curl.la
 @MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-curl.la
 libstrongswan_curl_la_SOURCES = \
@@ -403,7 +431,7 @@ clean-pluginLTLIBRARIES:
 	  rm -f "$${dir}/so_locations"; \
 	done
 libstrongswan-curl.la: $(libstrongswan_curl_la_OBJECTS) $(libstrongswan_curl_la_DEPENDENCIES) $(EXTRA_libstrongswan_curl_la_DEPENDENCIES) 
-	$(libstrongswan_curl_la_LINK) $(am_libstrongswan_curl_la_rpath) $(libstrongswan_curl_la_OBJECTS) $(libstrongswan_curl_la_LIBADD) $(LIBS)
+	$(AM_V_CCLD)$(libstrongswan_curl_la_LINK) $(am_libstrongswan_curl_la_rpath) $(libstrongswan_curl_la_OBJECTS) $(libstrongswan_curl_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -415,25 +443,25 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/curl_plugin.Plo@am__quote@
 
 .c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
 mostlyclean-libtool:
 	-rm -f *.lo
diff --git a/src/libstrongswan/plugins/curl/curl_fetcher.c b/src/libstrongswan/plugins/curl/curl_fetcher.c
index b49961a90..a8cca98da 100644
--- a/src/libstrongswan/plugins/curl/curl_fetcher.c
+++ b/src/libstrongswan/plugins/curl/curl_fetcher.c
@@ -177,6 +177,15 @@ METHOD(fetcher_t, set_option, bool,
 			this->cb = va_arg(args, fetcher_callback_t);
 			break;
 		}
+		case FETCH_SOURCEIP:
+		{
+			char buf[64];
+
+			snprintf(buf, sizeof(buf), "%H", va_arg(args, host_t*));
+			supported = curl_easy_setopt(this->curl, CURLOPT_INTERFACE,
+										 buf) == CURLE_OK;
+			break;
+		}
 		default:
 			supported = FALSE;
 			break;
diff --git a/src/libstrongswan/plugins/des/Makefile.am b/src/libstrongswan/plugins/des/Makefile.am
index c7d9ce915..9ca965995 100644
--- a/src/libstrongswan/plugins/des/Makefile.am
+++ b/src/libstrongswan/plugins/des/Makefile.am
@@ -1,7 +1,8 @@
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan
 
-INCLUDES = -I$(top_srcdir)/src/libstrongswan
-
-AM_CFLAGS = -rdynamic
+AM_CFLAGS = \
+	-rdynamic
 
 if MONOLITHIC
 noinst_LTLIBRARIES = libstrongswan-des.la
diff --git a/src/libstrongswan/plugins/des/Makefile.in b/src/libstrongswan/plugins/des/Makefile.in
index 22241cccd..ce540df73 100644
--- a/src/libstrongswan/plugins/des/Makefile.in
+++ b/src/libstrongswan/plugins/des/Makefile.in
@@ -62,7 +62,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
@@ -101,9 +101,13 @@ LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
 libstrongswan_des_la_LIBADD =
 am_libstrongswan_des_la_OBJECTS = des_plugin.lo des_crypter.lo
 libstrongswan_des_la_OBJECTS = $(am_libstrongswan_des_la_OBJECTS)
-libstrongswan_des_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
-	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
-	$(libstrongswan_des_la_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+libstrongswan_des_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
+	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
+	$(AM_CFLAGS) $(CFLAGS) $(libstrongswan_des_la_LDFLAGS) \
+	$(LDFLAGS) -o $@
 @MONOLITHIC_FALSE@am_libstrongswan_des_la_rpath = -rpath $(plugindir)
 @MONOLITHIC_TRUE@am_libstrongswan_des_la_rpath =
 DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
@@ -112,13 +116,26 @@ am__depfiles_maybe = depfiles
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
 SOURCES = $(libstrongswan_des_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_des_la_SOURCES)
 am__can_run_installinfo = \
@@ -132,6 +149,7 @@ DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
@@ -144,6 +162,8 @@ CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
 CHECK_CFLAGS = @CHECK_CFLAGS@
 CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -159,6 +179,7 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
 GPRBUILD = @GPRBUILD@
 GREP = @GREP@
@@ -167,6 +188,7 @@ INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -213,6 +235,7 @@ SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -241,6 +264,7 @@ charon_natt_port = @charon_natt_port@
 charon_plugins = @charon_plugins@
 charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
@@ -318,8 +342,12 @@ top_srcdir = @top_srcdir@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-INCLUDES = -I$(top_srcdir)/src/libstrongswan
-AM_CFLAGS = -rdynamic
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan
+
+AM_CFLAGS = \
+	-rdynamic
+
 @MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-des.la
 @MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-des.la
 libstrongswan_des_la_SOURCES = \
@@ -402,7 +430,7 @@ clean-pluginLTLIBRARIES:
 	  rm -f "$${dir}/so_locations"; \
 	done
 libstrongswan-des.la: $(libstrongswan_des_la_OBJECTS) $(libstrongswan_des_la_DEPENDENCIES) $(EXTRA_libstrongswan_des_la_DEPENDENCIES) 
-	$(libstrongswan_des_la_LINK) $(am_libstrongswan_des_la_rpath) $(libstrongswan_des_la_OBJECTS) $(libstrongswan_des_la_LIBADD) $(LIBS)
+	$(AM_V_CCLD)$(libstrongswan_des_la_LINK) $(am_libstrongswan_des_la_rpath) $(libstrongswan_des_la_OBJECTS) $(libstrongswan_des_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -414,25 +442,25 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/des_plugin.Plo@am__quote@
 
 .c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
 mostlyclean-libtool:
 	-rm -f *.lo
diff --git a/src/libstrongswan/plugins/dnskey/Makefile.am b/src/libstrongswan/plugins/dnskey/Makefile.am
index 0f2e554c1..7e74fd897 100644
--- a/src/libstrongswan/plugins/dnskey/Makefile.am
+++ b/src/libstrongswan/plugins/dnskey/Makefile.am
@@ -1,7 +1,8 @@
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan
 
-INCLUDES = -I$(top_srcdir)/src/libstrongswan
-
-AM_CFLAGS = -rdynamic
+AM_CFLAGS = \
+	-rdynamic
 
 if MONOLITHIC
 noinst_LTLIBRARIES = libstrongswan-dnskey.la
diff --git a/src/libstrongswan/plugins/dnskey/Makefile.in b/src/libstrongswan/plugins/dnskey/Makefile.in
index 402143106..087448737 100644
--- a/src/libstrongswan/plugins/dnskey/Makefile.in
+++ b/src/libstrongswan/plugins/dnskey/Makefile.in
@@ -62,7 +62,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
@@ -103,9 +103,13 @@ am_libstrongswan_dnskey_la_OBJECTS = dnskey_plugin.lo \
 	dnskey_builder.lo dnskey_encoder.lo
 libstrongswan_dnskey_la_OBJECTS =  \
 	$(am_libstrongswan_dnskey_la_OBJECTS)
-libstrongswan_dnskey_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
-	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
-	$(libstrongswan_dnskey_la_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+libstrongswan_dnskey_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
+	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
+	$(AM_CFLAGS) $(CFLAGS) $(libstrongswan_dnskey_la_LDFLAGS) \
+	$(LDFLAGS) -o $@
 @MONOLITHIC_FALSE@am_libstrongswan_dnskey_la_rpath = -rpath \
 @MONOLITHIC_FALSE@	$(plugindir)
 @MONOLITHIC_TRUE@am_libstrongswan_dnskey_la_rpath =
@@ -115,13 +119,26 @@ am__depfiles_maybe = depfiles
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
 SOURCES = $(libstrongswan_dnskey_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_dnskey_la_SOURCES)
 am__can_run_installinfo = \
@@ -135,6 +152,7 @@ DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
@@ -147,6 +165,8 @@ CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
 CHECK_CFLAGS = @CHECK_CFLAGS@
 CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -162,6 +182,7 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
 GPRBUILD = @GPRBUILD@
 GREP = @GREP@
@@ -170,6 +191,7 @@ INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -216,6 +238,7 @@ SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -244,6 +267,7 @@ charon_natt_port = @charon_natt_port@
 charon_plugins = @charon_plugins@
 charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
@@ -321,8 +345,12 @@ top_srcdir = @top_srcdir@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-INCLUDES = -I$(top_srcdir)/src/libstrongswan
-AM_CFLAGS = -rdynamic
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan
+
+AM_CFLAGS = \
+	-rdynamic
+
 @MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-dnskey.la
 @MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-dnskey.la
 libstrongswan_dnskey_la_SOURCES = \
@@ -407,7 +435,7 @@ clean-pluginLTLIBRARIES:
 	  rm -f "$${dir}/so_locations"; \
 	done
 libstrongswan-dnskey.la: $(libstrongswan_dnskey_la_OBJECTS) $(libstrongswan_dnskey_la_DEPENDENCIES) $(EXTRA_libstrongswan_dnskey_la_DEPENDENCIES) 
-	$(libstrongswan_dnskey_la_LINK) $(am_libstrongswan_dnskey_la_rpath) $(libstrongswan_dnskey_la_OBJECTS) $(libstrongswan_dnskey_la_LIBADD) $(LIBS)
+	$(AM_V_CCLD)$(libstrongswan_dnskey_la_LINK) $(am_libstrongswan_dnskey_la_rpath) $(libstrongswan_dnskey_la_OBJECTS) $(libstrongswan_dnskey_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -420,25 +448,25 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/dnskey_plugin.Plo@am__quote@
 
 .c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
 mostlyclean-libtool:
 	-rm -f *.lo
diff --git a/src/libstrongswan/plugins/fips_prf/Makefile.am b/src/libstrongswan/plugins/fips_prf/Makefile.am
index c9cf2c977..a7ae612c0 100644
--- a/src/libstrongswan/plugins/fips_prf/Makefile.am
+++ b/src/libstrongswan/plugins/fips_prf/Makefile.am
@@ -1,7 +1,8 @@
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan
 
-INCLUDES = -I$(top_srcdir)/src/libstrongswan
-
-AM_CFLAGS = -rdynamic
+AM_CFLAGS = \
+	-rdynamic
 
 if MONOLITHIC
 noinst_LTLIBRARIES = libstrongswan-fips-prf.la
diff --git a/src/libstrongswan/plugins/fips_prf/Makefile.in b/src/libstrongswan/plugins/fips_prf/Makefile.in
index 878713157..f6109839c 100644
--- a/src/libstrongswan/plugins/fips_prf/Makefile.in
+++ b/src/libstrongswan/plugins/fips_prf/Makefile.in
@@ -62,7 +62,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
@@ -102,7 +102,10 @@ libstrongswan_fips_prf_la_LIBADD =
 am_libstrongswan_fips_prf_la_OBJECTS = fips_prf_plugin.lo fips_prf.lo
 libstrongswan_fips_prf_la_OBJECTS =  \
 	$(am_libstrongswan_fips_prf_la_OBJECTS)
-libstrongswan_fips_prf_la_LINK = $(LIBTOOL) --tag=CC \
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+libstrongswan_fips_prf_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
 	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
 	$(AM_CFLAGS) $(CFLAGS) $(libstrongswan_fips_prf_la_LDFLAGS) \
 	$(LDFLAGS) -o $@
@@ -115,13 +118,26 @@ am__depfiles_maybe = depfiles
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
 SOURCES = $(libstrongswan_fips_prf_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_fips_prf_la_SOURCES)
 am__can_run_installinfo = \
@@ -135,6 +151,7 @@ DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
@@ -147,6 +164,8 @@ CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
 CHECK_CFLAGS = @CHECK_CFLAGS@
 CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -162,6 +181,7 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
 GPRBUILD = @GPRBUILD@
 GREP = @GREP@
@@ -170,6 +190,7 @@ INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -216,6 +237,7 @@ SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -244,6 +266,7 @@ charon_natt_port = @charon_natt_port@
 charon_plugins = @charon_plugins@
 charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
@@ -321,8 +344,12 @@ top_srcdir = @top_srcdir@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-INCLUDES = -I$(top_srcdir)/src/libstrongswan
-AM_CFLAGS = -rdynamic
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan
+
+AM_CFLAGS = \
+	-rdynamic
+
 @MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-fips-prf.la
 @MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-fips-prf.la
 libstrongswan_fips_prf_la_SOURCES = \
@@ -405,7 +432,7 @@ clean-pluginLTLIBRARIES:
 	  rm -f "$${dir}/so_locations"; \
 	done
 libstrongswan-fips-prf.la: $(libstrongswan_fips_prf_la_OBJECTS) $(libstrongswan_fips_prf_la_DEPENDENCIES) $(EXTRA_libstrongswan_fips_prf_la_DEPENDENCIES) 
-	$(libstrongswan_fips_prf_la_LINK) $(am_libstrongswan_fips_prf_la_rpath) $(libstrongswan_fips_prf_la_OBJECTS) $(libstrongswan_fips_prf_la_LIBADD) $(LIBS)
+	$(AM_V_CCLD)$(libstrongswan_fips_prf_la_LINK) $(am_libstrongswan_fips_prf_la_rpath) $(libstrongswan_fips_prf_la_OBJECTS) $(libstrongswan_fips_prf_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -417,25 +444,25 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/fips_prf_plugin.Plo@am__quote@
 
 .c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
 mostlyclean-libtool:
 	-rm -f *.lo
diff --git a/src/libstrongswan/plugins/gcm/Makefile.am b/src/libstrongswan/plugins/gcm/Makefile.am
index ec733fbcc..228b4708d 100644
--- a/src/libstrongswan/plugins/gcm/Makefile.am
+++ b/src/libstrongswan/plugins/gcm/Makefile.am
@@ -1,7 +1,8 @@
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan
 
-INCLUDES = -I$(top_srcdir)/src/libstrongswan
-
-AM_CFLAGS = -rdynamic
+AM_CFLAGS = \
+	-rdynamic
 
 if MONOLITHIC
 noinst_LTLIBRARIES = libstrongswan-gcm.la
diff --git a/src/libstrongswan/plugins/gcm/Makefile.in b/src/libstrongswan/plugins/gcm/Makefile.in
index 660813f25..7ef95b92e 100644
--- a/src/libstrongswan/plugins/gcm/Makefile.in
+++ b/src/libstrongswan/plugins/gcm/Makefile.in
@@ -62,7 +62,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
@@ -101,9 +101,13 @@ LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
 libstrongswan_gcm_la_LIBADD =
 am_libstrongswan_gcm_la_OBJECTS = gcm_plugin.lo gcm_aead.lo
 libstrongswan_gcm_la_OBJECTS = $(am_libstrongswan_gcm_la_OBJECTS)
-libstrongswan_gcm_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
-	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
-	$(libstrongswan_gcm_la_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+libstrongswan_gcm_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
+	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
+	$(AM_CFLAGS) $(CFLAGS) $(libstrongswan_gcm_la_LDFLAGS) \
+	$(LDFLAGS) -o $@
 @MONOLITHIC_FALSE@am_libstrongswan_gcm_la_rpath = -rpath $(plugindir)
 @MONOLITHIC_TRUE@am_libstrongswan_gcm_la_rpath =
 DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
@@ -112,13 +116,26 @@ am__depfiles_maybe = depfiles
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
 SOURCES = $(libstrongswan_gcm_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_gcm_la_SOURCES)
 am__can_run_installinfo = \
@@ -132,6 +149,7 @@ DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
@@ -144,6 +162,8 @@ CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
 CHECK_CFLAGS = @CHECK_CFLAGS@
 CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -159,6 +179,7 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
 GPRBUILD = @GPRBUILD@
 GREP = @GREP@
@@ -167,6 +188,7 @@ INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -213,6 +235,7 @@ SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -241,6 +264,7 @@ charon_natt_port = @charon_natt_port@
 charon_plugins = @charon_plugins@
 charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
@@ -318,8 +342,12 @@ top_srcdir = @top_srcdir@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-INCLUDES = -I$(top_srcdir)/src/libstrongswan
-AM_CFLAGS = -rdynamic
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan
+
+AM_CFLAGS = \
+	-rdynamic
+
 @MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-gcm.la
 @MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-gcm.la
 libstrongswan_gcm_la_SOURCES = \
@@ -403,7 +431,7 @@ clean-pluginLTLIBRARIES:
 	  rm -f "$${dir}/so_locations"; \
 	done
 libstrongswan-gcm.la: $(libstrongswan_gcm_la_OBJECTS) $(libstrongswan_gcm_la_DEPENDENCIES) $(EXTRA_libstrongswan_gcm_la_DEPENDENCIES) 
-	$(libstrongswan_gcm_la_LINK) $(am_libstrongswan_gcm_la_rpath) $(libstrongswan_gcm_la_OBJECTS) $(libstrongswan_gcm_la_LIBADD) $(LIBS)
+	$(AM_V_CCLD)$(libstrongswan_gcm_la_LINK) $(am_libstrongswan_gcm_la_rpath) $(libstrongswan_gcm_la_OBJECTS) $(libstrongswan_gcm_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -415,25 +443,25 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/gcm_plugin.Plo@am__quote@
 
 .c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
 mostlyclean-libtool:
 	-rm -f *.lo
diff --git a/src/libstrongswan/plugins/gcrypt/Makefile.am b/src/libstrongswan/plugins/gcrypt/Makefile.am
index 57f3f5016..1a9d225ec 100644
--- a/src/libstrongswan/plugins/gcrypt/Makefile.am
+++ b/src/libstrongswan/plugins/gcrypt/Makefile.am
@@ -1,7 +1,8 @@
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan
 
-INCLUDES = -I$(top_srcdir)/src/libstrongswan
-
-AM_CFLAGS = -rdynamic
+AM_CFLAGS = \
+	-rdynamic
 
 if MONOLITHIC
 noinst_LTLIBRARIES = libstrongswan-gcrypt.la
diff --git a/src/libstrongswan/plugins/gcrypt/Makefile.in b/src/libstrongswan/plugins/gcrypt/Makefile.in
index 3716a09fe..2354ec3d3 100644
--- a/src/libstrongswan/plugins/gcrypt/Makefile.in
+++ b/src/libstrongswan/plugins/gcrypt/Makefile.in
@@ -62,7 +62,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
@@ -104,9 +104,13 @@ am_libstrongswan_gcrypt_la_OBJECTS = gcrypt_plugin.lo \
 	gcrypt_dh.lo gcrypt_rng.lo gcrypt_crypter.lo gcrypt_hasher.lo
 libstrongswan_gcrypt_la_OBJECTS =  \
 	$(am_libstrongswan_gcrypt_la_OBJECTS)
-libstrongswan_gcrypt_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
-	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
-	$(libstrongswan_gcrypt_la_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+libstrongswan_gcrypt_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
+	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
+	$(AM_CFLAGS) $(CFLAGS) $(libstrongswan_gcrypt_la_LDFLAGS) \
+	$(LDFLAGS) -o $@
 @MONOLITHIC_FALSE@am_libstrongswan_gcrypt_la_rpath = -rpath \
 @MONOLITHIC_FALSE@	$(plugindir)
 @MONOLITHIC_TRUE@am_libstrongswan_gcrypt_la_rpath =
@@ -116,13 +120,26 @@ am__depfiles_maybe = depfiles
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
 SOURCES = $(libstrongswan_gcrypt_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_gcrypt_la_SOURCES)
 am__can_run_installinfo = \
@@ -136,6 +153,7 @@ DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
@@ -148,6 +166,8 @@ CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
 CHECK_CFLAGS = @CHECK_CFLAGS@
 CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -163,6 +183,7 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
 GPRBUILD = @GPRBUILD@
 GREP = @GREP@
@@ -171,6 +192,7 @@ INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -217,6 +239,7 @@ SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -245,6 +268,7 @@ charon_natt_port = @charon_natt_port@
 charon_plugins = @charon_plugins@
 charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
@@ -322,8 +346,12 @@ top_srcdir = @top_srcdir@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-INCLUDES = -I$(top_srcdir)/src/libstrongswan
-AM_CFLAGS = -rdynamic
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan
+
+AM_CFLAGS = \
+	-rdynamic
+
 @MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-gcrypt.la
 @MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-gcrypt.la
 libstrongswan_gcrypt_la_SOURCES = \
@@ -413,7 +441,7 @@ clean-pluginLTLIBRARIES:
 	  rm -f "$${dir}/so_locations"; \
 	done
 libstrongswan-gcrypt.la: $(libstrongswan_gcrypt_la_OBJECTS) $(libstrongswan_gcrypt_la_DEPENDENCIES) $(EXTRA_libstrongswan_gcrypt_la_DEPENDENCIES) 
-	$(libstrongswan_gcrypt_la_LINK) $(am_libstrongswan_gcrypt_la_rpath) $(libstrongswan_gcrypt_la_OBJECTS) $(libstrongswan_gcrypt_la_LIBADD) $(LIBS)
+	$(AM_V_CCLD)$(libstrongswan_gcrypt_la_LINK) $(am_libstrongswan_gcrypt_la_rpath) $(libstrongswan_gcrypt_la_OBJECTS) $(libstrongswan_gcrypt_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -430,25 +458,25 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/gcrypt_rsa_public_key.Plo@am__quote@
 
 .c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
 mostlyclean-libtool:
 	-rm -f *.lo
diff --git a/src/libstrongswan/plugins/gmp/Makefile.am b/src/libstrongswan/plugins/gmp/Makefile.am
index cc8ad34db..57e1fd7a8 100644
--- a/src/libstrongswan/plugins/gmp/Makefile.am
+++ b/src/libstrongswan/plugins/gmp/Makefile.am
@@ -1,7 +1,8 @@
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan
 
-INCLUDES = -I$(top_srcdir)/src/libstrongswan
-
-AM_CFLAGS = -rdynamic
+AM_CFLAGS = \
+	-rdynamic
 
 if MONOLITHIC
 noinst_LTLIBRARIES = libstrongswan-gmp.la
diff --git a/src/libstrongswan/plugins/gmp/Makefile.in b/src/libstrongswan/plugins/gmp/Makefile.in
index 74c19a734..757adf370 100644
--- a/src/libstrongswan/plugins/gmp/Makefile.in
+++ b/src/libstrongswan/plugins/gmp/Makefile.in
@@ -62,7 +62,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
@@ -102,9 +102,13 @@ libstrongswan_gmp_la_DEPENDENCIES =
 am_libstrongswan_gmp_la_OBJECTS = gmp_plugin.lo gmp_diffie_hellman.lo \
 	gmp_rsa_private_key.lo gmp_rsa_public_key.lo
 libstrongswan_gmp_la_OBJECTS = $(am_libstrongswan_gmp_la_OBJECTS)
-libstrongswan_gmp_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
-	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
-	$(libstrongswan_gmp_la_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+libstrongswan_gmp_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
+	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
+	$(AM_CFLAGS) $(CFLAGS) $(libstrongswan_gmp_la_LDFLAGS) \
+	$(LDFLAGS) -o $@
 @MONOLITHIC_FALSE@am_libstrongswan_gmp_la_rpath = -rpath $(plugindir)
 @MONOLITHIC_TRUE@am_libstrongswan_gmp_la_rpath =
 DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
@@ -113,13 +117,26 @@ am__depfiles_maybe = depfiles
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
 SOURCES = $(libstrongswan_gmp_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_gmp_la_SOURCES)
 am__can_run_installinfo = \
@@ -133,6 +150,7 @@ DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
@@ -145,6 +163,8 @@ CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
 CHECK_CFLAGS = @CHECK_CFLAGS@
 CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -160,6 +180,7 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
 GPRBUILD = @GPRBUILD@
 GREP = @GREP@
@@ -168,6 +189,7 @@ INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -214,6 +236,7 @@ SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -242,6 +265,7 @@ charon_natt_port = @charon_natt_port@
 charon_plugins = @charon_plugins@
 charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
@@ -319,8 +343,12 @@ top_srcdir = @top_srcdir@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-INCLUDES = -I$(top_srcdir)/src/libstrongswan
-AM_CFLAGS = -rdynamic
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan
+
+AM_CFLAGS = \
+	-rdynamic
+
 @MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-gmp.la
 @MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-gmp.la
 libstrongswan_gmp_la_SOURCES = \
@@ -407,7 +435,7 @@ clean-pluginLTLIBRARIES:
 	  rm -f "$${dir}/so_locations"; \
 	done
 libstrongswan-gmp.la: $(libstrongswan_gmp_la_OBJECTS) $(libstrongswan_gmp_la_DEPENDENCIES) $(EXTRA_libstrongswan_gmp_la_DEPENDENCIES) 
-	$(libstrongswan_gmp_la_LINK) $(am_libstrongswan_gmp_la_rpath) $(libstrongswan_gmp_la_OBJECTS) $(libstrongswan_gmp_la_LIBADD) $(LIBS)
+	$(AM_V_CCLD)$(libstrongswan_gmp_la_LINK) $(am_libstrongswan_gmp_la_rpath) $(libstrongswan_gmp_la_OBJECTS) $(libstrongswan_gmp_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -421,25 +449,25 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/gmp_rsa_public_key.Plo@am__quote@
 
 .c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
 mostlyclean-libtool:
 	-rm -f *.lo
diff --git a/src/libstrongswan/plugins/hmac/Makefile.am b/src/libstrongswan/plugins/hmac/Makefile.am
index 4faf321ef..5d88d26c8 100644
--- a/src/libstrongswan/plugins/hmac/Makefile.am
+++ b/src/libstrongswan/plugins/hmac/Makefile.am
@@ -1,7 +1,8 @@
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan
 
-INCLUDES = -I$(top_srcdir)/src/libstrongswan
-
-AM_CFLAGS = -rdynamic
+AM_CFLAGS = \
+	-rdynamic
 
 if MONOLITHIC
 noinst_LTLIBRARIES = libstrongswan-hmac.la
diff --git a/src/libstrongswan/plugins/hmac/Makefile.in b/src/libstrongswan/plugins/hmac/Makefile.in
index cc4e8b108..923632975 100644
--- a/src/libstrongswan/plugins/hmac/Makefile.in
+++ b/src/libstrongswan/plugins/hmac/Makefile.in
@@ -62,7 +62,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
@@ -101,9 +101,13 @@ LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
 libstrongswan_hmac_la_LIBADD =
 am_libstrongswan_hmac_la_OBJECTS = hmac_plugin.lo hmac.lo
 libstrongswan_hmac_la_OBJECTS = $(am_libstrongswan_hmac_la_OBJECTS)
-libstrongswan_hmac_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
-	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
-	$(libstrongswan_hmac_la_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+libstrongswan_hmac_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
+	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
+	$(AM_CFLAGS) $(CFLAGS) $(libstrongswan_hmac_la_LDFLAGS) \
+	$(LDFLAGS) -o $@
 @MONOLITHIC_FALSE@am_libstrongswan_hmac_la_rpath = -rpath $(plugindir)
 @MONOLITHIC_TRUE@am_libstrongswan_hmac_la_rpath =
 DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
@@ -112,13 +116,26 @@ am__depfiles_maybe = depfiles
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
 SOURCES = $(libstrongswan_hmac_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_hmac_la_SOURCES)
 am__can_run_installinfo = \
@@ -132,6 +149,7 @@ DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
@@ -144,6 +162,8 @@ CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
 CHECK_CFLAGS = @CHECK_CFLAGS@
 CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -159,6 +179,7 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
 GPRBUILD = @GPRBUILD@
 GREP = @GREP@
@@ -167,6 +188,7 @@ INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -213,6 +235,7 @@ SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -241,6 +264,7 @@ charon_natt_port = @charon_natt_port@
 charon_plugins = @charon_plugins@
 charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
@@ -318,8 +342,12 @@ top_srcdir = @top_srcdir@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-INCLUDES = -I$(top_srcdir)/src/libstrongswan
-AM_CFLAGS = -rdynamic
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan
+
+AM_CFLAGS = \
+	-rdynamic
+
 @MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-hmac.la
 @MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-hmac.la
 libstrongswan_hmac_la_SOURCES = \
@@ -402,7 +430,7 @@ clean-pluginLTLIBRARIES:
 	  rm -f "$${dir}/so_locations"; \
 	done
 libstrongswan-hmac.la: $(libstrongswan_hmac_la_OBJECTS) $(libstrongswan_hmac_la_DEPENDENCIES) $(EXTRA_libstrongswan_hmac_la_DEPENDENCIES) 
-	$(libstrongswan_hmac_la_LINK) $(am_libstrongswan_hmac_la_rpath) $(libstrongswan_hmac_la_OBJECTS) $(libstrongswan_hmac_la_LIBADD) $(LIBS)
+	$(AM_V_CCLD)$(libstrongswan_hmac_la_LINK) $(am_libstrongswan_hmac_la_rpath) $(libstrongswan_hmac_la_OBJECTS) $(libstrongswan_hmac_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -414,25 +442,25 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/hmac_plugin.Plo@am__quote@
 
 .c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
 mostlyclean-libtool:
 	-rm -f *.lo
diff --git a/src/libstrongswan/plugins/hmac/hmac_plugin.c b/src/libstrongswan/plugins/hmac/hmac_plugin.c
index f9c0c484b..43d5a0364 100644
--- a/src/libstrongswan/plugins/hmac/hmac_plugin.c
+++ b/src/libstrongswan/plugins/hmac/hmac_plugin.c
@@ -73,6 +73,8 @@ METHOD(plugin_t, get_features, int,
 				PLUGIN_DEPENDS(HASHER,  HASH_SHA384),
 			PLUGIN_PROVIDE(SIGNER, AUTH_HMAC_SHA2_512_256),
 				PLUGIN_DEPENDS(HASHER,  HASH_SHA512),
+			PLUGIN_PROVIDE(SIGNER, AUTH_HMAC_SHA2_512_512),
+				PLUGIN_DEPENDS(HASHER,  HASH_SHA512),
 	};
 	*features = f;
 	return countof(f);
diff --git a/src/libstrongswan/plugins/keychain/Makefile.am b/src/libstrongswan/plugins/keychain/Makefile.am
new file mode 100644
index 000000000..bd04db33d
--- /dev/null
+++ b/src/libstrongswan/plugins/keychain/Makefile.am
@@ -0,0 +1,17 @@
+
+AM_CPPFLAGS = -I$(top_srcdir)/src/libstrongswan
+
+AM_CFLAGS = -rdynamic
+
+if MONOLITHIC
+noinst_LTLIBRARIES = libstrongswan-keychain.la
+else
+plugin_LTLIBRARIES = libstrongswan-keychain.la
+endif
+
+libstrongswan_keychain_la_SOURCES = \
+	keychain_plugin.h keychain_plugin.c \
+	keychain_creds.h keychain_creds.c
+
+libstrongswan_keychain_la_LDFLAGS = -module -avoid-version \
+	-framework Security -framework CoreFoundation
diff --git a/src/libstrongswan/plugins/keychain/Makefile.in b/src/libstrongswan/plugins/keychain/Makefile.in
new file mode 100644
index 000000000..bbb1e8888
--- /dev/null
+++ b/src/libstrongswan/plugins/keychain/Makefile.in
@@ -0,0 +1,683 @@
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
+pkgdatadir = $(datadir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+subdir = src/libstrongswan/plugins/keychain
+DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+	$(top_srcdir)/m4/config/ltoptions.m4 \
+	$(top_srcdir)/m4/config/ltsugar.m4 \
+	$(top_srcdir)/m4/config/ltversion.m4 \
+	$(top_srcdir)/m4/config/lt~obsolete.m4 \
+	$(top_srcdir)/m4/macros/with.m4 \
+	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
+	$(top_srcdir)/configure.ac
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+	$(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_HEADER = $(top_builddir)/config.h
+CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+    *) f=$$p;; \
+  esac;
+am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
+am__install_max = 40
+am__nobase_strip_setup = \
+  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
+am__nobase_strip = \
+  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
+am__nobase_list = $(am__nobase_strip_setup); \
+  for p in $$list; do echo "$$p $$p"; done | \
+  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
+  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
+    if (++n[$$2] == $(am__install_max)) \
+      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
+    END { for (dir in files) print dir, files[dir] }'
+am__base_list = \
+  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
+  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
+am__installdirs = "$(DESTDIR)$(plugindir)"
+LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
+libstrongswan_keychain_la_LIBADD =
+am_libstrongswan_keychain_la_OBJECTS = keychain_plugin.lo \
+	keychain_creds.lo
+libstrongswan_keychain_la_OBJECTS =  \
+	$(am_libstrongswan_keychain_la_OBJECTS)
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+libstrongswan_keychain_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
+	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
+	$(AM_CFLAGS) $(CFLAGS) $(libstrongswan_keychain_la_LDFLAGS) \
+	$(LDFLAGS) -o $@
+@MONOLITHIC_FALSE@am_libstrongswan_keychain_la_rpath = -rpath \
+@MONOLITHIC_FALSE@	$(plugindir)
+@MONOLITHIC_TRUE@am_libstrongswan_keychain_la_rpath =
+DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
+depcomp = $(SHELL) $(top_srcdir)/depcomp
+am__depfiles_maybe = depfiles
+am__mv = mv -f
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
+CCLD = $(CC)
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
+SOURCES = $(libstrongswan_keychain_la_SOURCES)
+DIST_SOURCES = $(libstrongswan_keychain_la_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
+ETAGS = etags
+CTAGS = ctags
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
+AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+BFDLIB = @BFDLIB@
+BTLIB = @BTLIB@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
+DSYMUTIL = @DSYMUTIL@
+DUMPBIN = @DUMPBIN@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+FGREP = @FGREP@
+GENHTML = @GENHTML@
+GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
+GREP = @GREP@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
+LD = @LD@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LIPO = @LIPO@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
+MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
+NM = @NM@
+NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
+PTHREADLIB = @PTHREADLIB@
+RANLIB = @RANLIB@
+RTLIB = @RTLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
+SED = @SED@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
+STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
+VERSION = @VERSION@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+attest_plugins = @attest_plugins@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+c_plugins = @c_plugins@
+charon_natt_port = @charon_natt_port@
+charon_plugins = @charon_plugins@
+charon_udp_port = @charon_udp_port@
+clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
+datadir = @datadir@
+datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
+dev_headers = @dev_headers@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
+gtk_CFLAGS = @gtk_CFLAGS@
+gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+imcvdir = @imcvdir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+ipsec_script = @ipsec_script@
+ipsec_script_upper = @ipsec_script_upper@
+ipsecdir = @ipsecdir@
+ipsecgroup = @ipsecgroup@
+ipseclibdir = @ipseclibdir@
+ipsecuser = @ipsecuser@
+libdir = @libdir@
+libexecdir = @libexecdir@
+linux_headers = @linux_headers@
+localedir = @localedir@
+localstatedir = @localstatedir@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
+mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
+mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
+nm_plugins = @nm_plugins@
+oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+pcsclite_CFLAGS = @pcsclite_CFLAGS@
+pcsclite_LIBS = @pcsclite_LIBS@
+pdfdir = @pdfdir@
+piddir = @piddir@
+pki_plugins = @pki_plugins@
+plugindir = @plugindir@
+pool_plugins = @pool_plugins@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+random_device = @random_device@
+resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
+sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
+sharedstatedir = @sharedstatedir@
+soup_CFLAGS = @soup_CFLAGS@
+soup_LIBS = @soup_LIBS@
+srcdir = @srcdir@
+starter_plugins = @starter_plugins@
+strongswan_conf = @strongswan_conf@
+sysconfdir = @sysconfdir@
+systemdsystemunitdir = @systemdsystemunitdir@
+target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+urandom_device = @urandom_device@
+xml_CFLAGS = @xml_CFLAGS@
+xml_LIBS = @xml_LIBS@
+AM_CPPFLAGS = -I$(top_srcdir)/src/libstrongswan
+AM_CFLAGS = -rdynamic
+@MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-keychain.la
+@MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-keychain.la
+libstrongswan_keychain_la_SOURCES = \
+	keychain_plugin.h keychain_plugin.c \
+	keychain_creds.h keychain_creds.c
+
+libstrongswan_keychain_la_LDFLAGS = -module -avoid-version \
+	-framework Security -framework CoreFoundation
+
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .c .lo .o .obj
+$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
+	@for dep in $?; do \
+	  case '$(am__configure_deps)' in \
+	    *$$dep*) \
+	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+	        && { if test -f $@; then exit 0; else break; fi; }; \
+	      exit 1;; \
+	  esac; \
+	done; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libstrongswan/plugins/keychain/Makefile'; \
+	$(am__cd) $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu src/libstrongswan/plugins/keychain/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+	@case '$?' in \
+	  *config.status*) \
+	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+	  *) \
+	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+	esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure:  $(am__configure_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
+
+clean-noinstLTLIBRARIES:
+	-test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES)
+	@list='$(noinst_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
+	@$(NORMAL_INSTALL)
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	list2=; for p in $$list; do \
+	  if test -f $$p; then \
+	    list2="$$list2 $$p"; \
+	  else :; fi; \
+	done; \
+	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
+	}
+
+uninstall-pluginLTLIBRARIES:
+	@$(NORMAL_UNINSTALL)
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	for p in $$list; do \
+	  $(am__strip_dir) \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \
+	done
+
+clean-pluginLTLIBRARIES:
+	-test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES)
+	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+libstrongswan-keychain.la: $(libstrongswan_keychain_la_OBJECTS) $(libstrongswan_keychain_la_DEPENDENCIES) $(EXTRA_libstrongswan_keychain_la_DEPENDENCIES) 
+	$(AM_V_CCLD)$(libstrongswan_keychain_la_LINK) $(am_libstrongswan_keychain_la_rpath) $(libstrongswan_keychain_la_OBJECTS) $(libstrongswan_keychain_la_LIBADD) $(LIBS)
+
+mostlyclean-compile:
+	-rm -f *.$(OBJEXT)
+
+distclean-compile:
+	-rm -f *.tab.c
+
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/keychain_creds.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/keychain_plugin.Plo@am__quote@
+
+.c.o:
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
+
+.c.obj:
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
+
+.c.lo:
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	mkid -fID $$unique
+tags: TAGS
+
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	set x; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	shift; \
+	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
+	  test -n "$$unique" || unique=$$empty_fix; \
+	  if test $$# -gt 0; then \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      "$$@" $$unique; \
+	  else \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      $$unique; \
+	  fi; \
+	fi
+ctags: CTAGS
+CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	test -z "$(CTAGS_ARGS)$$unique" \
+	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+	     $$unique
+
+GTAGS:
+	here=`$(am__cd) $(top_builddir) && pwd` \
+	  && $(am__cd) $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) "$$here"
+
+distclean-tags:
+	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+distdir: $(DISTFILES)
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
+	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d "$(distdir)/$$file"; then \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
+	  else \
+	    test -f "$(distdir)/$$file" \
+	    || cp -p $$d/$$file "$(distdir)/$$file" \
+	    || exit 1; \
+	  fi; \
+	done
+check-am: all-am
+check: check-am
+all-am: Makefile $(LTLIBRARIES)
+installdirs:
+	for dir in "$(DESTDIR)$(plugindir)"; do \
+	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
+	done
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
+
+maintainer-clean-generic:
+	@echo "This command is intended for maintainers to use"
+	@echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-generic clean-libtool clean-noinstLTLIBRARIES \
+	clean-pluginLTLIBRARIES mostlyclean-am
+
+distclean: distclean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+	distclean-tags
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+html-am:
+
+info: info-am
+
+info-am:
+
+install-data-am: install-pluginLTLIBRARIES
+
+install-dvi: install-dvi-am
+
+install-dvi-am:
+
+install-exec-am:
+
+install-html: install-html-am
+
+install-html-am:
+
+install-info: install-info-am
+
+install-info-am:
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-pdf-am:
+
+install-ps: install-ps-am
+
+install-ps-am:
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+	mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am: uninstall-pluginLTLIBRARIES
+
+.MAKE: install-am install-strip
+
+.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
+	clean-libtool clean-noinstLTLIBRARIES clean-pluginLTLIBRARIES \
+	ctags distclean distclean-compile distclean-generic \
+	distclean-libtool distclean-tags distdir dvi dvi-am html \
+	html-am info info-am install install-am install-data \
+	install-data-am install-dvi install-dvi-am install-exec \
+	install-exec-am install-html install-html-am install-info \
+	install-info-am install-man install-pdf install-pdf-am \
+	install-pluginLTLIBRARIES install-ps install-ps-am \
+	install-strip installcheck installcheck-am installdirs \
+	maintainer-clean maintainer-clean-generic mostlyclean \
+	mostlyclean-compile mostlyclean-generic mostlyclean-libtool \
+	pdf pdf-am ps ps-am tags uninstall uninstall-am \
+	uninstall-pluginLTLIBRARIES
+
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/src/libstrongswan/plugins/keychain/keychain_creds.c b/src/libstrongswan/plugins/keychain/keychain_creds.c
new file mode 100644
index 000000000..d60f28691
--- /dev/null
+++ b/src/libstrongswan/plugins/keychain/keychain_creds.c
@@ -0,0 +1,206 @@
+/*
+ * Copyright (C) 2013 Martin Willi
+ * Copyright (C) 2013 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "keychain_creds.h"
+
+#include <utils/debug.h>
+#include <credentials/sets/mem_cred.h>
+#include <processing/jobs/callback_job.h>
+
+#include <Security/Security.h>
+
+/**
+ * System Roots keychain
+ */
+#define SYSTEM_ROOTS "/System/Library/Keychains/SystemRootCertificates.keychain"
+
+/**
+ * System keychain
+ */
+#define SYSTEM "/Library/Keychains/System.keychain"
+
+typedef struct private_keychain_creds_t private_keychain_creds_t;
+
+/**
+ * Private data of an keychain_creds_t object.
+ */
+struct private_keychain_creds_t {
+
+	/**
+	 * Public keychain_creds_t interface.
+	 */
+	keychain_creds_t public;
+
+	/**
+	 * Active in-memory credential set
+	 */
+	mem_cred_t *set;
+
+	/**
+	 * System roots credential set
+	 */
+	mem_cred_t *roots;
+
+	/**
+	 * Run loop of event monitoring thread
+	 */
+	CFRunLoopRef loop;
+};
+
+/**
+ * Load a credential sets with certificates from a keychain path
+ */
+static mem_cred_t* load_certs(private_keychain_creds_t *this, char *path)
+{
+	SecKeychainRef keychain;
+	SecKeychainSearchRef search;
+	SecKeychainItemRef item;
+	mem_cred_t *set;
+	OSStatus status;
+	int loaded = 0;
+
+	set = mem_cred_create();
+
+	DBG2(DBG_CFG, "loading certificates from %s:", path);
+	status = SecKeychainOpen(path, &keychain);
+	if (status == errSecSuccess)
+	{
+		status = SecKeychainSearchCreateFromAttributes(keychain,
+									kSecCertificateItemClass, NULL, &search);
+		if (status == errSecSuccess)
+		{
+			while (SecKeychainSearchCopyNext(search, &item) == errSecSuccess)
+			{
+				certificate_t *cert;
+				UInt32 len;
+				void *data;
+
+				if (SecKeychainItemCopyAttributesAndData(item, NULL, NULL, NULL,
+												&len, &data) == errSecSuccess)
+				{
+					cert = lib->creds->create(lib->creds,
+								CRED_CERTIFICATE, CERT_X509,
+								BUILD_BLOB_ASN1_DER, chunk_create(data, len),
+								BUILD_END);
+					if (cert)
+					{
+						DBG2(DBG_CFG, "  loaded '%Y'", cert->get_subject(cert));
+						set->add_cert(set, TRUE, cert);
+						loaded++;
+					}
+					SecKeychainItemFreeAttributesAndData(NULL, data);
+				}
+				CFRelease(item);
+			}
+			CFRelease(search);
+		}
+		CFRelease(keychain);
+	}
+	DBG1(DBG_CFG, "loaded %d certificates from %s", loaded, path);
+	return set;
+}
+
+/**
+ * Callback function reloading keychain on changes
+ */
+static OSStatus keychain_cb(SecKeychainEvent keychainEvent,
+							SecKeychainCallbackInfo *info,
+							private_keychain_creds_t *this)
+{
+	mem_cred_t *new;
+
+	DBG1(DBG_CFG, "received keychain event, reloading credentials");
+
+	/* register new before removing old */
+	new = load_certs(this, SYSTEM);
+	lib->credmgr->add_set(lib->credmgr, &new->set);
+	lib->credmgr->remove_set(lib->credmgr, &this->set->set);
+
+	lib->credmgr->flush_cache(lib->credmgr, CERT_X509);
+
+	this->set->destroy(this->set);
+	this->set = new;
+
+	return errSecSuccess;
+}
+
+/**
+ * Wait for changes in the keychain and handle them
+ */
+static job_requeue_t monitor_changes(private_keychain_creds_t *this)
+{
+	if (SecKeychainAddCallback((SecKeychainCallback)keychain_cb,
+						kSecAddEventMask | kSecDeleteEventMask |
+						kSecUpdateEventMask | kSecTrustSettingsChangedEventMask,
+						this) == errSecSuccess)
+	{
+		this->loop = CFRunLoopGetCurrent();
+
+		/* does not return until cancelled */
+		CFRunLoopRun();
+
+		this->loop = NULL;
+		SecKeychainRemoveCallback((SecKeychainCallback)keychain_cb);
+	}
+	return JOB_REQUEUE_NONE;
+}
+
+/**
+ * Cancel the monitoring thread in its RunLoop
+ */
+static bool cancel_monitor(private_keychain_creds_t *this)
+{
+	if (this->loop)
+	{
+		CFRunLoopStop(this->loop);
+	}
+	return TRUE;
+}
+
+METHOD(keychain_creds_t, destroy, void,
+	private_keychain_creds_t *this)
+{
+	lib->credmgr->remove_set(lib->credmgr, &this->set->set);
+	lib->credmgr->remove_set(lib->credmgr, &this->roots->set);
+	this->set->destroy(this->set);
+	this->roots->destroy(this->roots);
+	free(this);
+}
+
+/**
+ * See header
+ */
+keychain_creds_t *keychain_creds_create()
+{
+	private_keychain_creds_t *this;
+
+	INIT(this,
+		.public = {
+			.destroy = _destroy,
+		},
+	);
+
+	this->roots = load_certs(this, SYSTEM_ROOTS);
+	this->set = load_certs(this, SYSTEM);
+
+	lib->credmgr->add_set(lib->credmgr, &this->roots->set);
+	lib->credmgr->add_set(lib->credmgr, &this->set->set);
+
+	lib->processor->queue_job(lib->processor,
+			(job_t*)callback_job_create_with_prio((void*)monitor_changes,
+					this, NULL, (void*)cancel_monitor, JOB_PRIO_CRITICAL));
+
+	return &this->public;
+}
diff --git a/src/libstrongswan/plugins/keychain/keychain_creds.h b/src/libstrongswan/plugins/keychain/keychain_creds.h
new file mode 100644
index 000000000..64a2ededd
--- /dev/null
+++ b/src/libstrongswan/plugins/keychain/keychain_creds.h
@@ -0,0 +1,44 @@
+/*
+ * Copyright (C) 2013 Martin Willi
+ * Copyright (C) 2013 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup keychain_creds keychain_creds
+ * @{ @ingroup keychain
+ */
+
+#ifndef KEYCHAIN_CREDS_H_
+#define KEYCHAIN_CREDS_H_
+
+typedef struct keychain_creds_t keychain_creds_t;
+
+#include <credentials/credential_manager.h>
+
+/**
+ * Credential set using OS X Keychain Services.
+ */
+struct keychain_creds_t {
+
+	/**
+	 * Destroy a keychain_creds_t.
+	 */
+	void (*destroy)(keychain_creds_t *this);
+};
+
+/**
+ * Create a keychain_creds instance.
+ */
+keychain_creds_t *keychain_creds_create();
+
+#endif /** KEYCHAIN_CREDS_H_ @}*/
diff --git a/src/libstrongswan/plugins/keychain/keychain_plugin.c b/src/libstrongswan/plugins/keychain/keychain_plugin.c
new file mode 100644
index 000000000..6112afaa8
--- /dev/null
+++ b/src/libstrongswan/plugins/keychain/keychain_plugin.c
@@ -0,0 +1,98 @@
+/*
+ * Copyright (C) 2013 Martin Willi
+ * Copyright (C) 2013 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "keychain_plugin.h"
+#include "keychain_creds.h"
+
+#include <library.h>
+
+typedef struct private_keychain_plugin_t private_keychain_plugin_t;
+
+/**
+ * private data of keychain_plugin
+ */
+struct private_keychain_plugin_t {
+
+	/**
+	 * public functions
+	 */
+	keychain_plugin_t public;
+
+	/**
+	 * System level Keychain Services credential set
+	 */
+	keychain_creds_t *creds;
+};
+
+METHOD(plugin_t, get_name, char*,
+	private_keychain_plugin_t *this)
+{
+	return "keychain";
+}
+
+/**
+ * Load/unload certificates from Keychain.
+ */
+static bool load_creds(private_keychain_plugin_t *this,
+					   plugin_feature_t *feature, bool reg, void *data)
+{
+	if (reg)
+	{
+		this->creds = keychain_creds_create();
+	}
+	else
+	{
+		this->creds->destroy(this->creds);
+	}
+	return TRUE;
+}
+
+METHOD(plugin_t, get_features, int,
+	private_keychain_plugin_t *this, plugin_feature_t *features[])
+{
+	static plugin_feature_t f[] = {
+		PLUGIN_CALLBACK((plugin_feature_callback_t)load_creds, NULL),
+			PLUGIN_PROVIDE(CUSTOM, "keychain"),
+				PLUGIN_DEPENDS(CERT_DECODE, CERT_X509),
+	};
+	*features = f;
+	return countof(f);
+}
+
+METHOD(plugin_t, destroy, void,
+	private_keychain_plugin_t *this)
+{
+	free(this);
+}
+
+/*
+ * see header file
+ */
+plugin_t *keychain_plugin_create()
+{
+	private_keychain_plugin_t *this;
+
+	INIT(this,
+		.public = {
+			.plugin = {
+				.get_name = _get_name,
+				.get_features = _get_features,
+				.destroy = _destroy,
+			},
+		},
+	);
+
+	return &this->public.plugin;
+}
diff --git a/src/libstrongswan/plugins/keychain/keychain_plugin.h b/src/libstrongswan/plugins/keychain/keychain_plugin.h
new file mode 100644
index 000000000..482f173c3
--- /dev/null
+++ b/src/libstrongswan/plugins/keychain/keychain_plugin.h
@@ -0,0 +1,42 @@
+/*
+ * Copyright (C) 2013 Martin Willi
+ * Copyright (C) 2013 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup keychain keychain
+ * @ingroup plugins
+ *
+ * @defgroup keychain_plugin keychain_plugin
+ * @{ @ingroup keychain
+ */
+
+#ifndef KEYCHAIN_PLUGIN_H_
+#define KEYCHAIN_PLUGIN_H_
+
+#include <plugins/plugin.h>
+
+typedef struct keychain_plugin_t keychain_plugin_t;
+
+/**
+ * Plugin providing OS X Keychain Services support.
+ */
+struct keychain_plugin_t {
+
+	/**
+	 * Implements plugin interface,
+	 */
+	plugin_t plugin;
+};
+
+#endif /** KEYCHAIN_PLUGIN_H_ @}*/
diff --git a/src/libstrongswan/plugins/ldap/Makefile.am b/src/libstrongswan/plugins/ldap/Makefile.am
index 2b2f7d31d..3bcef1aa8 100644
--- a/src/libstrongswan/plugins/ldap/Makefile.am
+++ b/src/libstrongswan/plugins/ldap/Makefile.am
@@ -1,7 +1,8 @@
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan
 
-INCLUDES = -I$(top_srcdir)/src/libstrongswan
-
-AM_CFLAGS = -rdynamic
+AM_CFLAGS = \
+	-rdynamic
 
 if MONOLITHIC
 noinst_LTLIBRARIES = libstrongswan-ldap.la
diff --git a/src/libstrongswan/plugins/ldap/Makefile.in b/src/libstrongswan/plugins/ldap/Makefile.in
index 0b8e68e4e..1baca7ff2 100644
--- a/src/libstrongswan/plugins/ldap/Makefile.in
+++ b/src/libstrongswan/plugins/ldap/Makefile.in
@@ -62,7 +62,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
@@ -101,9 +101,13 @@ LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
 libstrongswan_ldap_la_DEPENDENCIES =
 am_libstrongswan_ldap_la_OBJECTS = ldap_plugin.lo ldap_fetcher.lo
 libstrongswan_ldap_la_OBJECTS = $(am_libstrongswan_ldap_la_OBJECTS)
-libstrongswan_ldap_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
-	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
-	$(libstrongswan_ldap_la_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+libstrongswan_ldap_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
+	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
+	$(AM_CFLAGS) $(CFLAGS) $(libstrongswan_ldap_la_LDFLAGS) \
+	$(LDFLAGS) -o $@
 @MONOLITHIC_FALSE@am_libstrongswan_ldap_la_rpath = -rpath $(plugindir)
 @MONOLITHIC_TRUE@am_libstrongswan_ldap_la_rpath =
 DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
@@ -112,13 +116,26 @@ am__depfiles_maybe = depfiles
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
 SOURCES = $(libstrongswan_ldap_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_ldap_la_SOURCES)
 am__can_run_installinfo = \
@@ -132,6 +149,7 @@ DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
@@ -144,6 +162,8 @@ CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
 CHECK_CFLAGS = @CHECK_CFLAGS@
 CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -159,6 +179,7 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
 GPRBUILD = @GPRBUILD@
 GREP = @GREP@
@@ -167,6 +188,7 @@ INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -213,6 +235,7 @@ SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -241,6 +264,7 @@ charon_natt_port = @charon_natt_port@
 charon_plugins = @charon_plugins@
 charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
@@ -318,8 +342,12 @@ top_srcdir = @top_srcdir@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-INCLUDES = -I$(top_srcdir)/src/libstrongswan
-AM_CFLAGS = -rdynamic
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan
+
+AM_CFLAGS = \
+	-rdynamic
+
 @MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-ldap.la
 @MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-ldap.la
 libstrongswan_ldap_la_SOURCES = \
@@ -403,7 +431,7 @@ clean-pluginLTLIBRARIES:
 	  rm -f "$${dir}/so_locations"; \
 	done
 libstrongswan-ldap.la: $(libstrongswan_ldap_la_OBJECTS) $(libstrongswan_ldap_la_DEPENDENCIES) $(EXTRA_libstrongswan_ldap_la_DEPENDENCIES) 
-	$(libstrongswan_ldap_la_LINK) $(am_libstrongswan_ldap_la_rpath) $(libstrongswan_ldap_la_OBJECTS) $(libstrongswan_ldap_la_LIBADD) $(LIBS)
+	$(AM_V_CCLD)$(libstrongswan_ldap_la_LINK) $(am_libstrongswan_ldap_la_rpath) $(libstrongswan_ldap_la_OBJECTS) $(libstrongswan_ldap_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -415,25 +443,25 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ldap_plugin.Plo@am__quote@
 
 .c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
 mostlyclean-libtool:
 	-rm -f *.lo
diff --git a/src/libstrongswan/plugins/ldap/ldap_fetcher.c b/src/libstrongswan/plugins/ldap/ldap_fetcher.c
index 40b6d1f63..fe4c55545 100644
--- a/src/libstrongswan/plugins/ldap/ldap_fetcher.c
+++ b/src/libstrongswan/plugins/ldap/ldap_fetcher.c
@@ -112,7 +112,7 @@ METHOD(fetcher_t, fetch, status_t,
 	status_t status = FAILED;
 	chunk_t *result = userdata;
 
-	if (!strneq(url, "ldap", 4))
+	if (!strpfx(url, "ldap"))
 	{
 		return NOT_SUPPORTED;
 	}
diff --git a/src/libstrongswan/plugins/md4/Makefile.am b/src/libstrongswan/plugins/md4/Makefile.am
index 904af70c0..a2fe8ecab 100644
--- a/src/libstrongswan/plugins/md4/Makefile.am
+++ b/src/libstrongswan/plugins/md4/Makefile.am
@@ -1,7 +1,8 @@
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan
 
-INCLUDES = -I$(top_srcdir)/src/libstrongswan
-
-AM_CFLAGS = -rdynamic
+AM_CFLAGS = \
+	-rdynamic
 
 if MONOLITHIC
 noinst_LTLIBRARIES = libstrongswan-md4.la
diff --git a/src/libstrongswan/plugins/md4/Makefile.in b/src/libstrongswan/plugins/md4/Makefile.in
index 3243b2643..85cf32649 100644
--- a/src/libstrongswan/plugins/md4/Makefile.in
+++ b/src/libstrongswan/plugins/md4/Makefile.in
@@ -62,7 +62,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
@@ -101,9 +101,13 @@ LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
 libstrongswan_md4_la_LIBADD =
 am_libstrongswan_md4_la_OBJECTS = md4_plugin.lo md4_hasher.lo
 libstrongswan_md4_la_OBJECTS = $(am_libstrongswan_md4_la_OBJECTS)
-libstrongswan_md4_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
-	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
-	$(libstrongswan_md4_la_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+libstrongswan_md4_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
+	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
+	$(AM_CFLAGS) $(CFLAGS) $(libstrongswan_md4_la_LDFLAGS) \
+	$(LDFLAGS) -o $@
 @MONOLITHIC_FALSE@am_libstrongswan_md4_la_rpath = -rpath $(plugindir)
 @MONOLITHIC_TRUE@am_libstrongswan_md4_la_rpath =
 DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
@@ -112,13 +116,26 @@ am__depfiles_maybe = depfiles
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
 SOURCES = $(libstrongswan_md4_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_md4_la_SOURCES)
 am__can_run_installinfo = \
@@ -132,6 +149,7 @@ DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
@@ -144,6 +162,8 @@ CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
 CHECK_CFLAGS = @CHECK_CFLAGS@
 CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -159,6 +179,7 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
 GPRBUILD = @GPRBUILD@
 GREP = @GREP@
@@ -167,6 +188,7 @@ INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -213,6 +235,7 @@ SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -241,6 +264,7 @@ charon_natt_port = @charon_natt_port@
 charon_plugins = @charon_plugins@
 charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
@@ -318,8 +342,12 @@ top_srcdir = @top_srcdir@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-INCLUDES = -I$(top_srcdir)/src/libstrongswan
-AM_CFLAGS = -rdynamic
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan
+
+AM_CFLAGS = \
+	-rdynamic
+
 @MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-md4.la
 @MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-md4.la
 libstrongswan_md4_la_SOURCES = \
@@ -402,7 +430,7 @@ clean-pluginLTLIBRARIES:
 	  rm -f "$${dir}/so_locations"; \
 	done
 libstrongswan-md4.la: $(libstrongswan_md4_la_OBJECTS) $(libstrongswan_md4_la_DEPENDENCIES) $(EXTRA_libstrongswan_md4_la_DEPENDENCIES) 
-	$(libstrongswan_md4_la_LINK) $(am_libstrongswan_md4_la_rpath) $(libstrongswan_md4_la_OBJECTS) $(libstrongswan_md4_la_LIBADD) $(LIBS)
+	$(AM_V_CCLD)$(libstrongswan_md4_la_LINK) $(am_libstrongswan_md4_la_rpath) $(libstrongswan_md4_la_OBJECTS) $(libstrongswan_md4_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -414,25 +442,25 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/md4_plugin.Plo@am__quote@
 
 .c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
 mostlyclean-libtool:
 	-rm -f *.lo
diff --git a/src/libstrongswan/plugins/md5/Makefile.am b/src/libstrongswan/plugins/md5/Makefile.am
index b2eb2abd2..fc6406afa 100644
--- a/src/libstrongswan/plugins/md5/Makefile.am
+++ b/src/libstrongswan/plugins/md5/Makefile.am
@@ -1,7 +1,8 @@
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan
 
-INCLUDES = -I$(top_srcdir)/src/libstrongswan
-
-AM_CFLAGS = -rdynamic
+AM_CFLAGS = \
+	-rdynamic
 
 if MONOLITHIC
 noinst_LTLIBRARIES = libstrongswan-md5.la
diff --git a/src/libstrongswan/plugins/md5/Makefile.in b/src/libstrongswan/plugins/md5/Makefile.in
index 68a4244ba..83fed79df 100644
--- a/src/libstrongswan/plugins/md5/Makefile.in
+++ b/src/libstrongswan/plugins/md5/Makefile.in
@@ -62,7 +62,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
@@ -101,9 +101,13 @@ LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
 libstrongswan_md5_la_LIBADD =
 am_libstrongswan_md5_la_OBJECTS = md5_plugin.lo md5_hasher.lo
 libstrongswan_md5_la_OBJECTS = $(am_libstrongswan_md5_la_OBJECTS)
-libstrongswan_md5_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
-	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
-	$(libstrongswan_md5_la_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+libstrongswan_md5_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
+	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
+	$(AM_CFLAGS) $(CFLAGS) $(libstrongswan_md5_la_LDFLAGS) \
+	$(LDFLAGS) -o $@
 @MONOLITHIC_FALSE@am_libstrongswan_md5_la_rpath = -rpath $(plugindir)
 @MONOLITHIC_TRUE@am_libstrongswan_md5_la_rpath =
 DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
@@ -112,13 +116,26 @@ am__depfiles_maybe = depfiles
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
 SOURCES = $(libstrongswan_md5_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_md5_la_SOURCES)
 am__can_run_installinfo = \
@@ -132,6 +149,7 @@ DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
@@ -144,6 +162,8 @@ CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
 CHECK_CFLAGS = @CHECK_CFLAGS@
 CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -159,6 +179,7 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
 GPRBUILD = @GPRBUILD@
 GREP = @GREP@
@@ -167,6 +188,7 @@ INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -213,6 +235,7 @@ SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -241,6 +264,7 @@ charon_natt_port = @charon_natt_port@
 charon_plugins = @charon_plugins@
 charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
@@ -318,8 +342,12 @@ top_srcdir = @top_srcdir@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-INCLUDES = -I$(top_srcdir)/src/libstrongswan
-AM_CFLAGS = -rdynamic
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan
+
+AM_CFLAGS = \
+	-rdynamic
+
 @MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-md5.la
 @MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-md5.la
 libstrongswan_md5_la_SOURCES = \
@@ -402,7 +430,7 @@ clean-pluginLTLIBRARIES:
 	  rm -f "$${dir}/so_locations"; \
 	done
 libstrongswan-md5.la: $(libstrongswan_md5_la_OBJECTS) $(libstrongswan_md5_la_DEPENDENCIES) $(EXTRA_libstrongswan_md5_la_DEPENDENCIES) 
-	$(libstrongswan_md5_la_LINK) $(am_libstrongswan_md5_la_rpath) $(libstrongswan_md5_la_OBJECTS) $(libstrongswan_md5_la_LIBADD) $(LIBS)
+	$(AM_V_CCLD)$(libstrongswan_md5_la_LINK) $(am_libstrongswan_md5_la_rpath) $(libstrongswan_md5_la_OBJECTS) $(libstrongswan_md5_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -414,25 +442,25 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/md5_plugin.Plo@am__quote@
 
 .c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
 mostlyclean-libtool:
 	-rm -f *.lo
diff --git a/src/libstrongswan/plugins/mysql/Makefile.am b/src/libstrongswan/plugins/mysql/Makefile.am
index 801a7a7be..588b7991b 100644
--- a/src/libstrongswan/plugins/mysql/Makefile.am
+++ b/src/libstrongswan/plugins/mysql/Makefile.am
@@ -1,7 +1,9 @@
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan
 
-INCLUDES = -I$(top_srcdir)/src/libstrongswan
-
-AM_CFLAGS = -rdynamic $(MYSQLCFLAG)
+AM_CFLAGS = \
+	$(MYSQLCFLAG) \
+	-rdynamic
 
 if MONOLITHIC
 noinst_LTLIBRARIES = libstrongswan-mysql.la
@@ -15,4 +17,3 @@ libstrongswan_mysql_la_SOURCES = \
 
 libstrongswan_mysql_la_LDFLAGS = -module -avoid-version
 libstrongswan_mysql_la_LIBADD  = $(MYSQLLIB)
-
diff --git a/src/libstrongswan/plugins/mysql/Makefile.in b/src/libstrongswan/plugins/mysql/Makefile.in
index 5e73813d5..2364df617 100644
--- a/src/libstrongswan/plugins/mysql/Makefile.in
+++ b/src/libstrongswan/plugins/mysql/Makefile.in
@@ -62,7 +62,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
@@ -102,9 +102,13 @@ am__DEPENDENCIES_1 =
 libstrongswan_mysql_la_DEPENDENCIES = $(am__DEPENDENCIES_1)
 am_libstrongswan_mysql_la_OBJECTS = mysql_plugin.lo mysql_database.lo
 libstrongswan_mysql_la_OBJECTS = $(am_libstrongswan_mysql_la_OBJECTS)
-libstrongswan_mysql_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
-	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
-	$(libstrongswan_mysql_la_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+libstrongswan_mysql_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
+	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
+	$(AM_CFLAGS) $(CFLAGS) $(libstrongswan_mysql_la_LDFLAGS) \
+	$(LDFLAGS) -o $@
 @MONOLITHIC_FALSE@am_libstrongswan_mysql_la_rpath = -rpath \
 @MONOLITHIC_FALSE@	$(plugindir)
 @MONOLITHIC_TRUE@am_libstrongswan_mysql_la_rpath =
@@ -114,13 +118,26 @@ am__depfiles_maybe = depfiles
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
 SOURCES = $(libstrongswan_mysql_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_mysql_la_SOURCES)
 am__can_run_installinfo = \
@@ -134,6 +151,7 @@ DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
@@ -146,6 +164,8 @@ CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
 CHECK_CFLAGS = @CHECK_CFLAGS@
 CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -161,6 +181,7 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
 GPRBUILD = @GPRBUILD@
 GREP = @GREP@
@@ -169,6 +190,7 @@ INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -215,6 +237,7 @@ SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -243,6 +266,7 @@ charon_natt_port = @charon_natt_port@
 charon_plugins = @charon_plugins@
 charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
@@ -320,8 +344,13 @@ top_srcdir = @top_srcdir@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-INCLUDES = -I$(top_srcdir)/src/libstrongswan
-AM_CFLAGS = -rdynamic $(MYSQLCFLAG)
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan
+
+AM_CFLAGS = \
+	$(MYSQLCFLAG) \
+	-rdynamic
+
 @MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-mysql.la
 @MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-mysql.la
 libstrongswan_mysql_la_SOURCES = \
@@ -406,7 +435,7 @@ clean-pluginLTLIBRARIES:
 	  rm -f "$${dir}/so_locations"; \
 	done
 libstrongswan-mysql.la: $(libstrongswan_mysql_la_OBJECTS) $(libstrongswan_mysql_la_DEPENDENCIES) $(EXTRA_libstrongswan_mysql_la_DEPENDENCIES) 
-	$(libstrongswan_mysql_la_LINK) $(am_libstrongswan_mysql_la_rpath) $(libstrongswan_mysql_la_OBJECTS) $(libstrongswan_mysql_la_LIBADD) $(LIBS)
+	$(AM_V_CCLD)$(libstrongswan_mysql_la_LINK) $(am_libstrongswan_mysql_la_rpath) $(libstrongswan_mysql_la_OBJECTS) $(libstrongswan_mysql_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -418,25 +447,25 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/mysql_plugin.Plo@am__quote@
 
 .c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
 mostlyclean-libtool:
 	-rm -f *.lo
diff --git a/src/libstrongswan/plugins/mysql/mysql_database.c b/src/libstrongswan/plugins/mysql/mysql_database.c
index 789f12f20..8bd64692c 100644
--- a/src/libstrongswan/plugins/mysql/mysql_database.c
+++ b/src/libstrongswan/plugins/mysql/mysql_database.c
@@ -666,7 +666,7 @@ mysql_database_t *mysql_database_create(char *uri)
 	conn_t *conn;
 	private_mysql_database_t *this;
 
-	if (!strneq(uri, "mysql://", 8))
+	if (!strpfx(uri, "mysql://"))
 	{
 		return NULL;
 	}
diff --git a/src/libstrongswan/plugins/nonce/Makefile.am b/src/libstrongswan/plugins/nonce/Makefile.am
index 0a2ccfc08..7dde99e5f 100644
--- a/src/libstrongswan/plugins/nonce/Makefile.am
+++ b/src/libstrongswan/plugins/nonce/Makefile.am
@@ -1,7 +1,8 @@
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan
 
-INCLUDES = -I$(top_srcdir)/src/libstrongswan
-
-AM_CFLAGS = -rdynamic
+AM_CFLAGS = \
+	-rdynamic
 
 if MONOLITHIC
 noinst_LTLIBRARIES = libstrongswan-nonce.la
diff --git a/src/libstrongswan/plugins/nonce/Makefile.in b/src/libstrongswan/plugins/nonce/Makefile.in
index bd04ab901..c20c96765 100644
--- a/src/libstrongswan/plugins/nonce/Makefile.in
+++ b/src/libstrongswan/plugins/nonce/Makefile.in
@@ -62,7 +62,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
@@ -101,9 +101,13 @@ LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
 libstrongswan_nonce_la_LIBADD =
 am_libstrongswan_nonce_la_OBJECTS = nonce_plugin.lo nonce_nonceg.lo
 libstrongswan_nonce_la_OBJECTS = $(am_libstrongswan_nonce_la_OBJECTS)
-libstrongswan_nonce_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
-	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
-	$(libstrongswan_nonce_la_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+libstrongswan_nonce_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
+	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
+	$(AM_CFLAGS) $(CFLAGS) $(libstrongswan_nonce_la_LDFLAGS) \
+	$(LDFLAGS) -o $@
 @MONOLITHIC_FALSE@am_libstrongswan_nonce_la_rpath = -rpath \
 @MONOLITHIC_FALSE@	$(plugindir)
 @MONOLITHIC_TRUE@am_libstrongswan_nonce_la_rpath =
@@ -113,13 +117,26 @@ am__depfiles_maybe = depfiles
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
 SOURCES = $(libstrongswan_nonce_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_nonce_la_SOURCES)
 am__can_run_installinfo = \
@@ -133,6 +150,7 @@ DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
@@ -145,6 +163,8 @@ CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
 CHECK_CFLAGS = @CHECK_CFLAGS@
 CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -160,6 +180,7 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
 GPRBUILD = @GPRBUILD@
 GREP = @GREP@
@@ -168,6 +189,7 @@ INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -214,6 +236,7 @@ SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -242,6 +265,7 @@ charon_natt_port = @charon_natt_port@
 charon_plugins = @charon_plugins@
 charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
@@ -319,8 +343,12 @@ top_srcdir = @top_srcdir@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-INCLUDES = -I$(top_srcdir)/src/libstrongswan
-AM_CFLAGS = -rdynamic
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan
+
+AM_CFLAGS = \
+	-rdynamic
+
 @MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-nonce.la
 @MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-nonce.la
 libstrongswan_nonce_la_SOURCES = \
@@ -404,7 +432,7 @@ clean-pluginLTLIBRARIES:
 	  rm -f "$${dir}/so_locations"; \
 	done
 libstrongswan-nonce.la: $(libstrongswan_nonce_la_OBJECTS) $(libstrongswan_nonce_la_DEPENDENCIES) $(EXTRA_libstrongswan_nonce_la_DEPENDENCIES) 
-	$(libstrongswan_nonce_la_LINK) $(am_libstrongswan_nonce_la_rpath) $(libstrongswan_nonce_la_OBJECTS) $(libstrongswan_nonce_la_LIBADD) $(LIBS)
+	$(AM_V_CCLD)$(libstrongswan_nonce_la_LINK) $(am_libstrongswan_nonce_la_rpath) $(libstrongswan_nonce_la_OBJECTS) $(libstrongswan_nonce_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -416,25 +444,25 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/nonce_plugin.Plo@am__quote@
 
 .c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
 mostlyclean-libtool:
 	-rm -f *.lo
diff --git a/src/libstrongswan/plugins/openssl/Makefile.am b/src/libstrongswan/plugins/openssl/Makefile.am
index 0ca27983f..cbfd69b71 100644
--- a/src/libstrongswan/plugins/openssl/Makefile.am
+++ b/src/libstrongswan/plugins/openssl/Makefile.am
@@ -1,7 +1,9 @@
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-DFIPS_MODE=${fips_mode}
 
-INCLUDES = -I$(top_srcdir)/src/libstrongswan
-
-AM_CFLAGS = -rdynamic -DFIPS_MODE=${fips_mode}
+AM_CFLAGS = \
+	-rdynamic
 
 if MONOLITHIC
 noinst_LTLIBRARIES = libstrongswan-openssl.la
@@ -24,10 +26,10 @@ libstrongswan_openssl_la_SOURCES = \
 	openssl_x509.c openssl_x509.h \
 	openssl_crl.c openssl_crl.h \
 	openssl_pkcs7.c openssl_pkcs7.h \
+	openssl_pkcs12.c openssl_pkcs12.h \
 	openssl_rng.c openssl_rng.h \
 	openssl_hmac.c openssl_hmac.h \
 	openssl_gcm.c openssl_gcm.h
 
 libstrongswan_openssl_la_LDFLAGS = -module -avoid-version
 libstrongswan_openssl_la_LIBADD  = -lcrypto
-
diff --git a/src/libstrongswan/plugins/openssl/Makefile.in b/src/libstrongswan/plugins/openssl/Makefile.in
index ba45e4bbc..ad5aa6057 100644
--- a/src/libstrongswan/plugins/openssl/Makefile.in
+++ b/src/libstrongswan/plugins/openssl/Makefile.in
@@ -62,7 +62,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
@@ -105,12 +105,17 @@ am_libstrongswan_openssl_la_OBJECTS = openssl_plugin.lo \
 	openssl_rsa_private_key.lo openssl_rsa_public_key.lo \
 	openssl_ec_diffie_hellman.lo openssl_ec_private_key.lo \
 	openssl_ec_public_key.lo openssl_x509.lo openssl_crl.lo \
-	openssl_pkcs7.lo openssl_rng.lo openssl_hmac.lo openssl_gcm.lo
+	openssl_pkcs7.lo openssl_pkcs12.lo openssl_rng.lo \
+	openssl_hmac.lo openssl_gcm.lo
 libstrongswan_openssl_la_OBJECTS =  \
 	$(am_libstrongswan_openssl_la_OBJECTS)
-libstrongswan_openssl_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
-	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
-	$(libstrongswan_openssl_la_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+libstrongswan_openssl_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
+	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
+	$(AM_CFLAGS) $(CFLAGS) $(libstrongswan_openssl_la_LDFLAGS) \
+	$(LDFLAGS) -o $@
 @MONOLITHIC_FALSE@am_libstrongswan_openssl_la_rpath = -rpath \
 @MONOLITHIC_FALSE@	$(plugindir)
 @MONOLITHIC_TRUE@am_libstrongswan_openssl_la_rpath =
@@ -120,13 +125,26 @@ am__depfiles_maybe = depfiles
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
 SOURCES = $(libstrongswan_openssl_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_openssl_la_SOURCES)
 am__can_run_installinfo = \
@@ -140,6 +158,7 @@ DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
@@ -152,6 +171,8 @@ CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
 CHECK_CFLAGS = @CHECK_CFLAGS@
 CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -167,6 +188,7 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
 GPRBUILD = @GPRBUILD@
 GREP = @GREP@
@@ -175,6 +197,7 @@ INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -221,6 +244,7 @@ SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -249,6 +273,7 @@ charon_natt_port = @charon_natt_port@
 charon_plugins = @charon_plugins@
 charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
@@ -326,8 +351,13 @@ top_srcdir = @top_srcdir@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-INCLUDES = -I$(top_srcdir)/src/libstrongswan
-AM_CFLAGS = -rdynamic -DFIPS_MODE=${fips_mode}
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-DFIPS_MODE=${fips_mode}
+
+AM_CFLAGS = \
+	-rdynamic
+
 @MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-openssl.la
 @MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-openssl.la
 libstrongswan_openssl_la_SOURCES = \
@@ -345,6 +375,7 @@ libstrongswan_openssl_la_SOURCES = \
 	openssl_x509.c openssl_x509.h \
 	openssl_crl.c openssl_crl.h \
 	openssl_pkcs7.c openssl_pkcs7.h \
+	openssl_pkcs12.c openssl_pkcs12.h \
 	openssl_rng.c openssl_rng.h \
 	openssl_hmac.c openssl_hmac.h \
 	openssl_gcm.c openssl_gcm.h
@@ -427,7 +458,7 @@ clean-pluginLTLIBRARIES:
 	  rm -f "$${dir}/so_locations"; \
 	done
 libstrongswan-openssl.la: $(libstrongswan_openssl_la_OBJECTS) $(libstrongswan_openssl_la_DEPENDENCIES) $(EXTRA_libstrongswan_openssl_la_DEPENDENCIES) 
-	$(libstrongswan_openssl_la_LINK) $(am_libstrongswan_openssl_la_rpath) $(libstrongswan_openssl_la_OBJECTS) $(libstrongswan_openssl_la_LIBADD) $(LIBS)
+	$(AM_V_CCLD)$(libstrongswan_openssl_la_LINK) $(am_libstrongswan_openssl_la_rpath) $(libstrongswan_openssl_la_OBJECTS) $(libstrongswan_openssl_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -444,6 +475,7 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/openssl_gcm.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/openssl_hasher.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/openssl_hmac.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/openssl_pkcs12.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/openssl_pkcs7.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/openssl_plugin.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/openssl_rng.Plo@am__quote@
@@ -454,25 +486,25 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/openssl_x509.Plo@am__quote@
 
 .c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
 mostlyclean-libtool:
 	-rm -f *.lo
diff --git a/src/libstrongswan/plugins/openssl/openssl_crl.c b/src/libstrongswan/plugins/openssl/openssl_crl.c
index d4f36f58b..18aa5ceca 100644
--- a/src/libstrongswan/plugins/openssl/openssl_crl.c
+++ b/src/libstrongswan/plugins/openssl/openssl_crl.c
@@ -464,6 +464,10 @@ static bool parse_extensions(private_openssl_crl_t *this)
 				case NID_crl_number:
 					ok = parse_crlNumber_ext(this, ext);
 					break;
+				case NID_issuing_distribution_point:
+					/* TODO support of IssuingDistributionPoints */
+					ok = TRUE;
+					break;
 				default:
 					ok = X509_EXTENSION_get_critical(ext) == 0 ||
 						 !lib->settings->get_bool(lib->settings,
diff --git a/src/libstrongswan/plugins/openssl/openssl_pkcs12.c b/src/libstrongswan/plugins/openssl/openssl_pkcs12.c
new file mode 100644
index 000000000..d16b2cc05
--- /dev/null
+++ b/src/libstrongswan/plugins/openssl/openssl_pkcs12.c
@@ -0,0 +1,266 @@
+/*
+ * Copyright (C) 2013 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#define _GNU_SOURCE /* for asprintf() */
+#include <stdio.h>
+#include <openssl/pkcs12.h>
+
+#include "openssl_pkcs12.h"
+#include "openssl_util.h"
+
+#include <library.h>
+#include <credentials/sets/mem_cred.h>
+
+typedef struct private_pkcs12_t private_pkcs12_t;
+
+/**
+ * Private data of a pkcs12_t object.
+ */
+struct private_pkcs12_t {
+
+	/**
+	 * Public pkcs12_t interface.
+	 */
+	pkcs12_t public;
+
+	/**
+	 * OpenSSL PKCS#12 structure
+	 */
+	PKCS12 *p12;
+
+	/**
+	 * Credentials contained in container
+	 */
+	mem_cred_t *creds;
+};
+
+/**
+ * Decode certificate and add it to our credential set
+ */
+static bool add_cert(private_pkcs12_t *this, X509 *x509)
+{
+	certificate_t *cert = NULL;
+	chunk_t encoding;
+
+	if (!x509)
+	{	/* no certificate is ok */
+		return TRUE;
+	}
+	encoding = openssl_i2chunk(X509, x509);
+	if (encoding.ptr)
+	{
+		cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
+								  BUILD_BLOB_ASN1_DER, encoding,
+								  BUILD_END);
+		if (cert)
+		{
+			this->creds->add_cert(this->creds, FALSE, cert);
+		}
+	}
+	chunk_free(&encoding);
+	X509_free(x509);
+	return cert != NULL;
+}
+
+/**
+ * Add CA certificates to our credential set
+ */
+static bool add_cas(private_pkcs12_t *this, STACK_OF(X509) *cas)
+{
+	bool success = TRUE;
+	int i;
+
+	if (!cas)
+	{	/* no CAs is ok */
+		return TRUE;
+	}
+	for (i = 0; i < sk_X509_num(cas); i++)
+	{
+		if (!add_cert(this, sk_X509_value(cas, i)))
+		{	/* continue to free all X509 objects */
+			success = FALSE;
+		}
+	}
+	sk_X509_free(cas);
+	return success;
+}
+
+/**
+ * Decode private key and add it to our credential set
+ */
+static bool add_key(private_pkcs12_t *this, EVP_PKEY *private)
+{
+	private_key_t *key = NULL;
+	chunk_t encoding;
+	key_type_t type;
+
+	if (!private)
+	{	/* no private key is ok */
+		return TRUE;
+	}
+	switch (EVP_PKEY_type(private->type))
+	{
+		case EVP_PKEY_RSA:
+			type = KEY_RSA;
+			break;
+		case EVP_PKEY_EC:
+			type = KEY_ECDSA;
+			break;
+		default:
+			EVP_PKEY_free(private);
+			return FALSE;
+	}
+	encoding = openssl_i2chunk(PrivateKey, private);
+	if (encoding.ptr)
+	{
+		key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, type,
+								 BUILD_BLOB_ASN1_DER, encoding,
+								 BUILD_END);
+		if (key)
+		{
+			this->creds->add_key(this->creds, key);
+		}
+	}
+	chunk_clear(&encoding);
+	EVP_PKEY_free(private);
+	return key != NULL;
+}
+
+/**
+ * Decrypt PKCS#12 file and unpack credentials
+ */
+static bool decrypt_and_unpack(private_pkcs12_t *this)
+{
+	enumerator_t *enumerator;
+	shared_key_t *shared;
+	STACK_OF(X509) *cas = NULL;
+	EVP_PKEY *private;
+	X509 *cert;
+	chunk_t key;
+	char *password;
+	bool success = FALSE;
+
+	enumerator = lib->credmgr->create_shared_enumerator(lib->credmgr,
+										SHARED_PRIVATE_KEY_PASS, NULL, NULL);
+	while (enumerator->enumerate(enumerator, &shared, NULL, NULL))
+	{
+		key = shared->get_key(shared);
+		if (!key.ptr || asprintf(&password, "%.*s", (int)key.len, key.ptr) < 0)
+		{
+			password = NULL;
+		}
+		if (PKCS12_parse(this->p12, password, &private, &cert, &cas))
+		{
+			success = add_key(this, private);
+			success &= add_cert(this, cert);
+			success &= add_cas(this, cas);
+			free(password);
+			break;
+		}
+		free(password);
+	}
+	enumerator->destroy(enumerator);
+	return success;
+}
+
+METHOD(container_t, get_type, container_type_t,
+	private_pkcs12_t *this)
+{
+	return CONTAINER_PKCS12;
+}
+
+METHOD(pkcs12_t, create_cert_enumerator, enumerator_t*,
+	private_pkcs12_t *this)
+{
+	return this->creds->set.create_cert_enumerator(&this->creds->set, CERT_ANY,
+												   KEY_ANY, NULL, FALSE);
+}
+
+METHOD(pkcs12_t, create_key_enumerator, enumerator_t*,
+	private_pkcs12_t *this)
+{
+	return this->creds->set.create_private_enumerator(&this->creds->set,
+													  KEY_ANY, NULL);
+}
+
+METHOD(container_t, destroy, void,
+	private_pkcs12_t *this)
+{
+	if (this->p12)
+	{
+		PKCS12_free(this->p12);
+	}
+	this->creds->destroy(this->creds);
+	free(this);
+}
+
+/**
+ * Parse a PKCS#12 container
+ */
+static pkcs12_t *parse(chunk_t blob)
+{
+	private_pkcs12_t *this;
+	BIO *bio;
+
+	INIT(this,
+		.public = {
+			.container = {
+				.get_type = _get_type,
+				.create_signature_enumerator = (void*)enumerator_create_empty,
+				.get_data = (void*)return_false,
+				.get_encoding = (void*)return_false,
+				.destroy = _destroy,
+			},
+			.create_cert_enumerator = _create_cert_enumerator,
+			.create_key_enumerator = _create_key_enumerator,
+		},
+		.creds = mem_cred_create(),
+	);
+
+	bio = BIO_new_mem_buf(blob.ptr, blob.len);
+	this->p12 = d2i_PKCS12_bio(bio, NULL);
+	BIO_free(bio);
+
+	if (!this->p12 || !decrypt_and_unpack(this))
+	{
+		destroy(this);
+		return NULL;
+	}
+	return &this->public;
+}
+
+/*
+ * Defined in header
+ */
+pkcs12_t *openssl_pkcs12_load(container_type_t type, va_list args)
+{
+	chunk_t blob = chunk_empty;
+
+	while (TRUE)
+	{
+		switch (va_arg(args, builder_part_t))
+		{
+			case BUILD_BLOB_ASN1_DER:
+				blob = va_arg(args, chunk_t);
+				continue;
+			case BUILD_END:
+				break;
+			default:
+				return NULL;
+		}
+		break;
+	}
+	return blob.len ? parse(blob) : NULL;
+}
diff --git a/src/libstrongswan/plugins/openssl/openssl_pkcs12.h b/src/libstrongswan/plugins/openssl/openssl_pkcs12.h
new file mode 100644
index 000000000..5c3e5933d
--- /dev/null
+++ b/src/libstrongswan/plugins/openssl/openssl_pkcs12.h
@@ -0,0 +1,37 @@
+/*
+ * Copyright (C) 2013 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup openssl_pkcs12 openssl_pkcs12
+ * @{ @ingroup openssl_p
+ */
+
+#ifndef OPENSSL_PKCS12_H_
+#define OPENSSL_PKCS12_H_
+
+#include <credentials/containers/pkcs12.h>
+
+/**
+ * Load a PKCS#12 container.
+ *
+ * The argument list must contain a single BUILD_BLOB_ASN1_DER argument.
+ *
+ * @param type		type of the container, CONTAINER_PKCS12
+ * @param args		builder_part_t argument list
+ * @return			container, NULL on failure
+ */
+pkcs12_t *openssl_pkcs12_load(container_type_t type, va_list args);
+
+#endif /** OPENSSL_PKCS12_H_ @}*/
diff --git a/src/libstrongswan/plugins/openssl/openssl_plugin.c b/src/libstrongswan/plugins/openssl/openssl_plugin.c
index ce6610ad6..fb34a6858 100644
--- a/src/libstrongswan/plugins/openssl/openssl_plugin.c
+++ b/src/libstrongswan/plugins/openssl/openssl_plugin.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2008 Tobias Brunner
+ * Copyright (C) 2008-2013 Tobias Brunner
  * Copyright (C) 2008 Martin Willi
  * Hochschule fuer Technik Rapperswil
  *
@@ -14,6 +14,7 @@
  * for more details.
  */
 
+#include <openssl/err.h>
 #include <openssl/evp.h>
 #include <openssl/conf.h>
 #include <openssl/rand.h>
@@ -28,6 +29,7 @@
 #include <utils/debug.h>
 #include <threading/thread.h>
 #include <threading/mutex.h>
+#include <threading/thread_value.h>
 #include "openssl_util.h"
 #include "openssl_crypter.h"
 #include "openssl_hasher.h"
@@ -41,10 +43,15 @@
 #include "openssl_x509.h"
 #include "openssl_crl.h"
 #include "openssl_pkcs7.h"
+#include "openssl_pkcs12.h"
 #include "openssl_rng.h"
 #include "openssl_hmac.h"
 #include "openssl_gcm.h"
 
+#ifndef FIPS_MODE
+#define FIPS_MODE 0
+#endif
+
 typedef struct private_openssl_plugin_t private_openssl_plugin_t;
 
 /**
@@ -126,15 +133,52 @@ static void destroy_function(struct CRYPTO_dynlock_value *lock,
 	free(lock);
 }
 
+/**
+ * Thread-local value used to cleanup thread-specific error buffers
+ */
+static thread_value_t *cleanup;
+
+/**
+ * Called when a thread is destroyed. Avoid recursion by setting the thread id
+ * explicitly.
+ */
+static void cleanup_thread(void *arg)
+{
+#if OPENSSL_VERSION_NUMBER >= 0x1000000fL
+	CRYPTO_THREADID tid;
+
+	CRYPTO_THREADID_set_numeric(&tid, (u_long)(uintptr_t)arg);
+	ERR_remove_thread_state(&tid);
+#else
+	ERR_remove_state((u_long)(uintptr_t)arg);
+#endif
+}
+
 /**
  * Thread-ID callback function
  */
-static unsigned long id_function(void)
+static u_long id_function(void)
 {
+	u_long id;
+
 	/* ensure the thread ID is never zero, otherwise OpenSSL might try to
 	 * acquire locks recursively */
-	return 1 + (unsigned long)thread_current_id();
+	id = 1 + (u_long)thread_current_id();
+
+	/* cleanup a thread's state later if OpenSSL interacted with it */
+	cleanup->set(cleanup, (void*)(uintptr_t)id);
+	return id;
+}
+
+#if OPENSSL_VERSION_NUMBER >= 0x1000000fL
+/**
+ * Callback for thread ID
+ */
+static void threadid_function(CRYPTO_THREADID *threadid)
+{
+	CRYPTO_THREADID_set_numeric(threadid, id_function());
 }
+#endif /* OPENSSL_VERSION_NUMBER */
 
 /**
  * initialize OpenSSL for multi-threaded use
@@ -143,7 +187,14 @@ static void threading_init()
 {
 	int i, num_locks;
 
+	cleanup = thread_value_create(cleanup_thread);
+
+#if OPENSSL_VERSION_NUMBER >= 0x1000000fL
+	CRYPTO_THREADID_set_callback(threadid_function);
+#else
 	CRYPTO_set_id_callback(id_function);
+#endif
+
 	CRYPTO_set_locking_callback(locking_function);
 
 	CRYPTO_set_dynlock_create_callback(create_function);
@@ -158,6 +209,24 @@ static void threading_init()
 	}
 }
 
+/**
+ * cleanup OpenSSL threading locks
+ */
+static void threading_cleanup()
+{
+	int i, num_locks;
+
+	num_locks = CRYPTO_num_locks();
+	for (i = 0; i < num_locks; i++)
+	{
+		mutex[i]->destroy(mutex[i]);
+	}
+	free(mutex);
+	mutex = NULL;
+
+	cleanup->destroy(cleanup);
+}
+
 /**
  * Seed the OpenSSL RNG, if required
  */
@@ -187,22 +256,6 @@ static bool seed_rng()
 	return TRUE;
 }
 
-/**
- * cleanup OpenSSL threading locks
- */
-static void threading_cleanup()
-{
-	int i, num_locks;
-
-	num_locks = CRYPTO_num_locks();
-	for (i = 0; i < num_locks; i++)
-	{
-		mutex[i]->destroy(mutex[i]);
-	}
-	free(mutex);
-	mutex = NULL;
-}
-
 METHOD(plugin_t, get_name, char*,
 	private_openssl_plugin_t *this)
 {
@@ -303,6 +356,7 @@ METHOD(plugin_t, get_features, int,
 			PLUGIN_PROVIDE(SIGNER, AUTH_HMAC_SHA2_384_192),
 			PLUGIN_PROVIDE(SIGNER, AUTH_HMAC_SHA2_384_384),
 			PLUGIN_PROVIDE(SIGNER, AUTH_HMAC_SHA2_512_256),
+			PLUGIN_PROVIDE(SIGNER, AUTH_HMAC_SHA2_512_512),
 #endif
 #endif /* OPENSSL_NO_HMAC */
 #if OPENSSL_VERSION_NUMBER >= 0x1000100fL
@@ -388,6 +442,8 @@ METHOD(plugin_t, get_features, int,
 			PLUGIN_PROVIDE(CONTAINER_DECODE, CONTAINER_PKCS7),
 #endif /* OPENSSL_NO_CMS */
 #endif /* OPENSSL_VERSION_NUMBER */
+		PLUGIN_REGISTER(CONTAINER_DECODE, openssl_pkcs12_load, TRUE),
+			PLUGIN_PROVIDE(CONTAINER_DECODE, CONTAINER_PKCS12),
 #ifndef OPENSSL_NO_ECDH
 		/* EC DH groups */
 		PLUGIN_REGISTER(DH, openssl_ec_diffie_hellman_create),
@@ -440,13 +496,15 @@ METHOD(plugin_t, get_features, int,
 METHOD(plugin_t, destroy, void,
 	private_openssl_plugin_t *this)
 {
+	CONF_modules_free();
+	OBJ_cleanup();
+	EVP_cleanup();
 #ifndef OPENSSL_NO_ENGINE
 	ENGINE_cleanup();
 #endif /* OPENSSL_NO_ENGINE */
-	EVP_cleanup();
-	CONF_modules_free();
-
+	CRYPTO_cleanup_all_ex_data();
 	threading_cleanup();
+	ERR_free_strings();
 
 	free(this);
 }
@@ -470,9 +528,9 @@ plugin_t *openssl_plugin_create()
 	DBG1(DBG_LIB, "openssl FIPS mode(%d) - %sabled ",fips_mode,
 				   fips_mode ? "en" : "dis");
 #else
-	DBG1(DBG_LIB, "openssl FIPS mode(%d) unavailable", fips_mode);
 	if (fips_mode)
 	{
+		DBG1(DBG_LIB, "openssl FIPS mode(%d) unavailable", fips_mode);
 		return NULL;
 	}
 #endif
diff --git a/src/libstrongswan/plugins/openssl/openssl_rng.c b/src/libstrongswan/plugins/openssl/openssl_rng.c
index 10db6293a..815cf4f0c 100644
--- a/src/libstrongswan/plugins/openssl/openssl_rng.c
+++ b/src/libstrongswan/plugins/openssl/openssl_rng.c
@@ -47,17 +47,14 @@ struct private_openssl_rng_t {
 METHOD(rng_t, get_bytes, bool,
 	private_openssl_rng_t *this, size_t bytes, u_int8_t *buffer)
 {
-	u_int32_t ret;
-
-	if (this->quality == RNG_STRONG)
-	{
-		ret = RAND_bytes((char*)buffer, bytes);
-	}
-	else
+	if (this->quality == RNG_WEAK)
 	{
-		ret = RAND_pseudo_bytes((char*)buffer, bytes);
+		/* RAND_pseudo_bytes() returns 1 if returned bytes are strong,
+		 * 0 if of not. Both is acceptable for RNG_WEAK. */
+		return RAND_pseudo_bytes((char*)buffer, bytes) != -1;
 	}
-	return ret == 1;
+	/* A 0 return value is a failure for RAND_bytes() */
+	return RAND_bytes((char*)buffer, bytes) == 1;
 }
 
 METHOD(rng_t, allocate_bytes, bool,
diff --git a/src/libstrongswan/plugins/openssl/openssl_x509.c b/src/libstrongswan/plugins/openssl/openssl_x509.c
index 676b97f7a..24b12d50c 100644
--- a/src/libstrongswan/plugins/openssl/openssl_x509.c
+++ b/src/libstrongswan/plugins/openssl/openssl_x509.c
@@ -17,6 +17,9 @@
  */
 
 /*
+ * Copyright (C) 2013 Michael Rossberg
+ * Copyright (C) 2013 Technische Universität Ilmenau
+ *
  * Copyright (C) 2010 secunet Security Networks AG
  * Copyright (C) 2010 Thomas Egerer
  *
@@ -50,7 +53,12 @@
 #include <utils/debug.h>
 #include <asn1/oid.h>
 #include <collections/linked_list.h>
+#include <selectors/traffic_selector.h>
 
+/* IP Addr block extension support was introduced with 0.9.8e */
+#if OPENSSL_VERSION_NUMBER < 0x0090805fL
+#define OPENSSL_NO_RFC3779
+#endif
 
 typedef struct private_openssl_x509_t private_openssl_x509_t;
 
@@ -149,6 +157,12 @@ struct private_openssl_x509_t {
 	 */
 	linked_list_t *ocsp_uris;
 
+	/**
+	 * List of ipAddrBlocks as traffic_selector_t
+	 */
+	linked_list_t *ipAddrBlocks;
+
+
 	/**
 	 * References to this cert
 	 */
@@ -283,6 +297,12 @@ METHOD(x509_t, create_ocsp_uri_enumerator, enumerator_t*,
 	return this->ocsp_uris->create_enumerator(this->ocsp_uris);
 }
 
+METHOD(x509_t, create_ipAddrBlock_enumerator, enumerator_t*,
+	private_openssl_x509_t *this)
+{
+	return this->ipAddrBlocks->create_enumerator(this->ipAddrBlocks);
+}
+
 METHOD(certificate_t, get_type, certificate_type_t,
 	private_openssl_x509_t *this)
 {
@@ -506,6 +526,8 @@ METHOD(certificate_t, destroy, void,
 										offsetof(identification_t, destroy));
 		this->crl_uris->destroy_function(this->crl_uris, (void*)crl_uri_destroy);
 		this->ocsp_uris->destroy_function(this->ocsp_uris, free);
+		this->ipAddrBlocks->destroy_offset(this->ipAddrBlocks,
+										offsetof(traffic_selector_t, destroy));
 		free(this);
 	}
 }
@@ -542,7 +564,7 @@ static private_openssl_x509_t *create_empty()
 				.create_subjectAltName_enumerator = _create_subjectAltName_enumerator,
 				.create_crl_uri_enumerator = _create_crl_uri_enumerator,
 				.create_ocsp_uri_enumerator = _create_ocsp_uri_enumerator,
-				.create_ipAddrBlock_enumerator = (void*)enumerator_create_empty,
+				.create_ipAddrBlock_enumerator = _create_ipAddrBlock_enumerator,
 				.create_name_constraint_enumerator = (void*)enumerator_create_empty,
 				.create_cert_policy_enumerator = (void*)enumerator_create_empty,
 				.create_policy_mapping_enumerator = (void*)enumerator_create_empty,
@@ -552,6 +574,7 @@ static private_openssl_x509_t *create_empty()
 		.issuerAltNames = linked_list_create(),
 		.crl_uris = linked_list_create(),
 		.ocsp_uris = linked_list_create(),
+		.ipAddrBlocks = linked_list_create(),
 		.pathlen = X509_NO_CONSTRAINT,
 		.ref = 1,
 	);
@@ -655,6 +678,41 @@ static bool parse_keyUsage_ext(private_openssl_x509_t *this,
 	return FALSE;
 }
 
+/**
+ * Parse ExtendedKeyUsage
+ */
+static bool parse_extKeyUsage_ext(private_openssl_x509_t *this,
+								  X509_EXTENSION *ext)
+{
+	EXTENDED_KEY_USAGE *usage;
+	int i;
+
+	usage = X509V3_EXT_d2i(ext);
+	if (usage)
+	{
+		for (i = 0; i < sk_ASN1_OBJECT_num(usage); i++)
+		{
+			switch (OBJ_obj2nid(sk_ASN1_OBJECT_value(usage, i)))
+			{
+				case NID_server_auth:
+					this->flags |= X509_SERVER_AUTH;
+					break;
+				case NID_client_auth:
+					this->flags |= X509_CLIENT_AUTH;
+					break;
+				case NID_OCSP_sign:
+					this->flags |= X509_OCSP_SIGNER;
+					break;
+				default:
+					break;
+			}
+		}
+		sk_ASN1_OBJECT_pop_free(usage, ASN1_OBJECT_free);
+		return TRUE;
+	}
+	return FALSE;
+}
+
 /**
  * Parse CRL distribution points
  */
@@ -772,6 +830,92 @@ static bool parse_authorityInfoAccess_ext(private_openssl_x509_t *this,
 	return TRUE;
 }
 
+#ifndef OPENSSL_NO_RFC3779
+
+/**
+ * Parse a single block of ipAddrBlock extension
+ */
+static void parse_ipAddrBlock_ext_fam(private_openssl_x509_t *this,
+									  IPAddressFamily *fam)
+{
+	const IPAddressOrRanges *list;
+	IPAddressOrRange *aor;
+	traffic_selector_t *ts;
+	ts_type_t type;
+	chunk_t from, to;
+	int i, afi;
+
+	if (fam->ipAddressChoice->type != IPAddressChoice_addressesOrRanges)
+	{
+		return;
+	}
+
+	afi = v3_addr_get_afi(fam);
+	switch (afi)
+	{
+		case IANA_AFI_IPV4:
+			from = chunk_alloca(4);
+			to = chunk_alloca(4);
+			type = TS_IPV4_ADDR_RANGE;
+			break;
+		case IANA_AFI_IPV6:
+			from = chunk_alloca(16);
+			to = chunk_alloca(16);
+			type = TS_IPV6_ADDR_RANGE;
+			break;
+		default:
+			return;
+	}
+
+	list = fam->ipAddressChoice->u.addressesOrRanges;
+	for (i = 0; i < sk_IPAddressOrRange_num(list); i++)
+	{
+		aor = sk_IPAddressOrRange_value(list, i);
+		if (v3_addr_get_range(aor, afi, from.ptr, to.ptr, from.len) > 0)
+		{
+			ts = traffic_selector_create_from_bytes(0, type, from, 0, to, 65535);
+			if (ts)
+			{
+				this->ipAddrBlocks->insert_last(this->ipAddrBlocks, ts);
+			}
+		}
+	}
+}
+
+/**
+ * Parse ipAddrBlock extension
+ */
+static bool parse_ipAddrBlock_ext(private_openssl_x509_t *this,
+								  X509_EXTENSION *ext)
+{
+	STACK_OF(IPAddressFamily) *blocks;
+	IPAddressFamily *fam;
+
+	blocks = (STACK_OF(IPAddressFamily)*)X509V3_EXT_d2i(ext);
+	if (!blocks)
+	{
+		return FALSE;
+	}
+
+	if (!v3_addr_is_canonical(blocks))
+	{
+		sk_IPAddressFamily_free(blocks);
+		return FALSE;
+	}
+
+	while (sk_IPAddressFamily_num(blocks) > 0)
+	{
+		fam = sk_IPAddressFamily_pop(blocks);
+		parse_ipAddrBlock_ext_fam(this, fam);
+		IPAddressFamily_free(fam);
+	}
+	sk_IPAddressFamily_free(blocks);
+
+	this->flags |= X509_IP_ADDR_BLOCKS;
+	return TRUE;
+}
+#endif /* !OPENSSL_NO_RFC3779 */
+
 /**
  * Parse authorityKeyIdentifier extension
  */
@@ -854,16 +998,29 @@ static bool parse_extensions(private_openssl_x509_t *this)
 				case NID_key_usage:
 					ok = parse_keyUsage_ext(this, ext);
 					break;
+				case NID_ext_key_usage:
+					ok = parse_extKeyUsage_ext(this, ext);
+					break;
 				case NID_crl_distribution_points:
 					ok = parse_crlDistributionPoints_ext(this, ext);
 					break;
+#ifndef OPENSSL_NO_RFC3779
+				case NID_sbgp_ipAddrBlock:
+					ok = parse_ipAddrBlock_ext(this, ext);
+					break;
+#endif /* !OPENSSL_NO_RFC3779 */
 				default:
 					ok = X509_EXTENSION_get_critical(ext) == 0 ||
 						 !lib->settings->get_bool(lib->settings,
 								"libstrongswan.x509.enforce_critical", TRUE);
 					if (!ok)
 					{
-						DBG1(DBG_LIB, "found unsupported critical X.509 extension");
+						char buf[80] = "";
+
+						OBJ_obj2txt(buf, sizeof(buf),
+									X509_EXTENSION_get_object(ext), 0);
+						DBG1(DBG_LIB, "found unsupported critical X.509 "
+							 "extension: %s", buf);
 					}
 					break;
 			}
@@ -876,38 +1033,6 @@ static bool parse_extensions(private_openssl_x509_t *this)
 	return TRUE;
 }
 
-/**
- * Parse ExtendedKeyUsage
- */
-static void parse_extKeyUsage(private_openssl_x509_t *this)
-{
-	EXTENDED_KEY_USAGE *usage;
-	int i;
-
-	usage = X509_get_ext_d2i(this->x509, NID_ext_key_usage, NULL, NULL);
-	if (usage)
-	{
-		for (i = 0; i < sk_ASN1_OBJECT_num(usage); i++)
-		{
-			switch (OBJ_obj2nid(sk_ASN1_OBJECT_value(usage, i)))
-			{
-				case NID_server_auth:
-					this->flags |= X509_SERVER_AUTH;
-					break;
-				case NID_client_auth:
-					this->flags |= X509_CLIENT_AUTH;
-					break;
-				case NID_OCSP_sign:
-					this->flags |= X509_OCSP_SIGNER;
-					break;
-				default:
-					break;
-			}
-		}
-		sk_ASN1_OBJECT_pop_free(usage, ASN1_OBJECT_free);
-	}
-}
-
 /**
  * Parse a DER encoded x509 certificate
  */
@@ -974,7 +1099,6 @@ static bool parse_certificate(private_openssl_x509_t *this)
 	{
 		return FALSE;
 	}
-	parse_extKeyUsage(this);
 
 	hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
 	if (!hasher || !hasher->allocate_hash(hasher, this->encoding, &this->hash))
diff --git a/src/libstrongswan/plugins/padlock/Makefile.am b/src/libstrongswan/plugins/padlock/Makefile.am
index 6706d26cb..0acd8384c 100644
--- a/src/libstrongswan/plugins/padlock/Makefile.am
+++ b/src/libstrongswan/plugins/padlock/Makefile.am
@@ -1,7 +1,8 @@
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan
 
-INCLUDES = -I$(top_srcdir)/src/libstrongswan
-
-AM_CFLAGS = -rdynamic
+AM_CFLAGS = \
+	-rdynamic
 
 if MONOLITHIC
 noinst_LTLIBRARIES = libstrongswan-padlock.la
diff --git a/src/libstrongswan/plugins/padlock/Makefile.in b/src/libstrongswan/plugins/padlock/Makefile.in
index a82e8d578..028fab232 100644
--- a/src/libstrongswan/plugins/padlock/Makefile.in
+++ b/src/libstrongswan/plugins/padlock/Makefile.in
@@ -62,7 +62,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
@@ -103,9 +103,13 @@ am_libstrongswan_padlock_la_OBJECTS = padlock_plugin.lo \
 	padlock_aes_crypter.lo padlock_sha1_hasher.lo padlock_rng.lo
 libstrongswan_padlock_la_OBJECTS =  \
 	$(am_libstrongswan_padlock_la_OBJECTS)
-libstrongswan_padlock_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
-	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
-	$(libstrongswan_padlock_la_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+libstrongswan_padlock_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
+	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
+	$(AM_CFLAGS) $(CFLAGS) $(libstrongswan_padlock_la_LDFLAGS) \
+	$(LDFLAGS) -o $@
 @MONOLITHIC_FALSE@am_libstrongswan_padlock_la_rpath = -rpath \
 @MONOLITHIC_FALSE@	$(plugindir)
 @MONOLITHIC_TRUE@am_libstrongswan_padlock_la_rpath =
@@ -115,13 +119,26 @@ am__depfiles_maybe = depfiles
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
 SOURCES = $(libstrongswan_padlock_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_padlock_la_SOURCES)
 am__can_run_installinfo = \
@@ -135,6 +152,7 @@ DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
@@ -147,6 +165,8 @@ CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
 CHECK_CFLAGS = @CHECK_CFLAGS@
 CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -162,6 +182,7 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
 GPRBUILD = @GPRBUILD@
 GREP = @GREP@
@@ -170,6 +191,7 @@ INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -216,6 +238,7 @@ SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -244,6 +267,7 @@ charon_natt_port = @charon_natt_port@
 charon_plugins = @charon_plugins@
 charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
@@ -321,8 +345,12 @@ top_srcdir = @top_srcdir@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-INCLUDES = -I$(top_srcdir)/src/libstrongswan
-AM_CFLAGS = -rdynamic
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan
+
+AM_CFLAGS = \
+	-rdynamic
+
 @MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-padlock.la
 @MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-padlock.la
 libstrongswan_padlock_la_SOURCES = \
@@ -408,7 +436,7 @@ clean-pluginLTLIBRARIES:
 	  rm -f "$${dir}/so_locations"; \
 	done
 libstrongswan-padlock.la: $(libstrongswan_padlock_la_OBJECTS) $(libstrongswan_padlock_la_DEPENDENCIES) $(EXTRA_libstrongswan_padlock_la_DEPENDENCIES) 
-	$(libstrongswan_padlock_la_LINK) $(am_libstrongswan_padlock_la_rpath) $(libstrongswan_padlock_la_OBJECTS) $(libstrongswan_padlock_la_LIBADD) $(LIBS)
+	$(AM_V_CCLD)$(libstrongswan_padlock_la_LINK) $(am_libstrongswan_padlock_la_rpath) $(libstrongswan_padlock_la_OBJECTS) $(libstrongswan_padlock_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -422,25 +450,25 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/padlock_sha1_hasher.Plo@am__quote@
 
 .c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
 mostlyclean-libtool:
 	-rm -f *.lo
diff --git a/src/libstrongswan/plugins/padlock/padlock_plugin.c b/src/libstrongswan/plugins/padlock/padlock_plugin.c
index b887c2c84..2005ef648 100644
--- a/src/libstrongswan/plugins/padlock/padlock_plugin.c
+++ b/src/libstrongswan/plugins/padlock/padlock_plugin.c
@@ -1,4 +1,5 @@
 /*
+ * Copyright (C) 2013 Tobias Brunner
  * Copyright (C) 2008 Martin Willi
  * Hochschule fuer Technik Rapperswil
  *
@@ -21,6 +22,7 @@
 #include <stdio.h>
 
 #include <library.h>
+#include <plugins/plugin_feature.h>
 #include <utils/debug.h>
 
 typedef struct private_padlock_plugin_t private_padlock_plugin_t;
@@ -107,28 +109,49 @@ METHOD(plugin_t, get_name, char*,
 	return "padlock";
 }
 
+METHOD(plugin_t, get_features, int,
+	private_padlock_plugin_t *this, plugin_feature_t *features[])
+{
+	static plugin_feature_t f_rng[] = {
+		PLUGIN_REGISTER(RNG, padlock_rng_create),
+			PLUGIN_PROVIDE(RNG, RNG_WEAK),
+			PLUGIN_PROVIDE(RNG, RNG_STRONG),
+			PLUGIN_PROVIDE(RNG, RNG_TRUE),
+	};
+	static plugin_feature_t f_aes[] = {
+		PLUGIN_REGISTER(CRYPTER, padlock_aes_crypter_create),
+			PLUGIN_PROVIDE(CRYPTER, ENCR_AES_CBC, 16),
+	};
+	static plugin_feature_t f_sha1[] = {
+		PLUGIN_REGISTER(HASHER, padlock_sha1_hasher_create),
+			PLUGIN_PROVIDE(HASHER, HASH_SHA1),
+	};
+	static plugin_feature_t f[countof(f_rng) + countof(f_aes) +
+							  countof(f_sha1)] = {};
+	static int count = 0;
+
+	if (!count)
+	{	/* initialize only once */
+		if (this->features & PADLOCK_RNG_ENABLED)
+		{
+			plugin_features_add(f, f_rng, countof(f_rng), &count);
+		}
+		if (this->features & PADLOCK_ACE2_ENABLED)
+		{
+			plugin_features_add(f, f_aes, countof(f_aes), &count);
+		}
+		if (this->features & PADLOCK_PHE_ENABLED)
+		{
+			plugin_features_add(f, f_sha1, countof(f_sha1), &count);
+		}
+	}
+	*features = f;
+	return count;
+}
+
 METHOD(plugin_t, destroy, void,
 	private_padlock_plugin_t *this)
 {
-	if (this->features & PADLOCK_RNG_ENABLED)
-	{
-		lib->crypto->remove_rng(lib->crypto,
-							(rng_constructor_t)padlock_rng_create);
-		lib->crypto->remove_rng(lib->crypto,
-							(rng_constructor_t)padlock_rng_create);
-		lib->crypto->remove_rng(lib->crypto,
-							(rng_constructor_t)padlock_rng_create);
-	}
-	if (this->features & PADLOCK_ACE2_ENABLED)
-	{
-		lib->crypto->remove_crypter(lib->crypto,
-							(crypter_constructor_t)padlock_aes_crypter_create);
-	}
-	if (this->features & PADLOCK_PHE_ENABLED)
-	{
-		lib->crypto->remove_hasher(lib->crypto,
-							(hasher_constructor_t)padlock_sha1_hasher_create);
-	}
 	free(this);
 }
 
@@ -143,7 +166,7 @@ plugin_t *padlock_plugin_create()
 		.public = {
 			.plugin = {
 				.get_name = _get_name,
-				.reload = (void*)return_false,
+				.get_features = _get_features,
 				.destroy = _destroy,
 			},
 		},
@@ -167,24 +190,5 @@ plugin_t *padlock_plugin_create()
 		 this->features & PADLOCK_PHE_ENABLED ? " PHE" : "",
 		 this->features & PADLOCK_PMM_ENABLED ? " PMM" : "");
 
-	if (this->features & PADLOCK_RNG_ENABLED)
-	{
-		lib->crypto->add_rng(lib->crypto, RNG_TRUE, get_name(this),
-						(rng_constructor_t)padlock_rng_create);
-		lib->crypto->add_rng(lib->crypto, RNG_STRONG, get_name(this),
-						(rng_constructor_t)padlock_rng_create);
-		lib->crypto->add_rng(lib->crypto, RNG_WEAK, get_name(this),
-						(rng_constructor_t)padlock_rng_create);
-	}
-	if (this->features & PADLOCK_ACE2_ENABLED)
-	{
-		lib->crypto->add_crypter(lib->crypto, ENCR_AES_CBC, get_name(this),
-						(crypter_constructor_t)padlock_aes_crypter_create);
-	}
-	if (this->features & PADLOCK_PHE_ENABLED)
-	{
-		lib->crypto->add_hasher(lib->crypto, HASH_SHA1, get_name(this),
-						(hasher_constructor_t)padlock_sha1_hasher_create);
-	}
 	return &this->public.plugin;
 }
diff --git a/src/libstrongswan/plugins/pem/Makefile.am b/src/libstrongswan/plugins/pem/Makefile.am
index b815b1e0b..9aa853e13 100644
--- a/src/libstrongswan/plugins/pem/Makefile.am
+++ b/src/libstrongswan/plugins/pem/Makefile.am
@@ -1,7 +1,8 @@
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan
 
-INCLUDES = -I$(top_srcdir)/src/libstrongswan
-
-AM_CFLAGS = -rdynamic
+AM_CFLAGS = \
+	-rdynamic
 
 if MONOLITHIC
 noinst_LTLIBRARIES = libstrongswan-pem.la
diff --git a/src/libstrongswan/plugins/pem/Makefile.in b/src/libstrongswan/plugins/pem/Makefile.in
index fa7e3891e..ed7cd3d9a 100644
--- a/src/libstrongswan/plugins/pem/Makefile.in
+++ b/src/libstrongswan/plugins/pem/Makefile.in
@@ -62,7 +62,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
@@ -102,9 +102,13 @@ libstrongswan_pem_la_LIBADD =
 am_libstrongswan_pem_la_OBJECTS = pem_plugin.lo pem_builder.lo \
 	pem_encoder.lo
 libstrongswan_pem_la_OBJECTS = $(am_libstrongswan_pem_la_OBJECTS)
-libstrongswan_pem_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
-	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
-	$(libstrongswan_pem_la_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+libstrongswan_pem_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
+	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
+	$(AM_CFLAGS) $(CFLAGS) $(libstrongswan_pem_la_LDFLAGS) \
+	$(LDFLAGS) -o $@
 @MONOLITHIC_FALSE@am_libstrongswan_pem_la_rpath = -rpath $(plugindir)
 @MONOLITHIC_TRUE@am_libstrongswan_pem_la_rpath =
 DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
@@ -113,13 +117,26 @@ am__depfiles_maybe = depfiles
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
 SOURCES = $(libstrongswan_pem_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_pem_la_SOURCES)
 am__can_run_installinfo = \
@@ -133,6 +150,7 @@ DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
@@ -145,6 +163,8 @@ CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
 CHECK_CFLAGS = @CHECK_CFLAGS@
 CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -160,6 +180,7 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
 GPRBUILD = @GPRBUILD@
 GREP = @GREP@
@@ -168,6 +189,7 @@ INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -214,6 +236,7 @@ SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -242,6 +265,7 @@ charon_natt_port = @charon_natt_port@
 charon_plugins = @charon_plugins@
 charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
@@ -319,8 +343,12 @@ top_srcdir = @top_srcdir@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-INCLUDES = -I$(top_srcdir)/src/libstrongswan
-AM_CFLAGS = -rdynamic
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan
+
+AM_CFLAGS = \
+	-rdynamic
+
 @MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-pem.la
 @MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-pem.la
 libstrongswan_pem_la_SOURCES = \
@@ -405,7 +433,7 @@ clean-pluginLTLIBRARIES:
 	  rm -f "$${dir}/so_locations"; \
 	done
 libstrongswan-pem.la: $(libstrongswan_pem_la_OBJECTS) $(libstrongswan_pem_la_DEPENDENCIES) $(EXTRA_libstrongswan_pem_la_DEPENDENCIES) 
-	$(libstrongswan_pem_la_LINK) $(am_libstrongswan_pem_la_rpath) $(libstrongswan_pem_la_OBJECTS) $(libstrongswan_pem_la_LIBADD) $(LIBS)
+	$(AM_V_CCLD)$(libstrongswan_pem_la_LINK) $(am_libstrongswan_pem_la_rpath) $(libstrongswan_pem_la_OBJECTS) $(libstrongswan_pem_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -418,25 +446,25 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pem_plugin.Plo@am__quote@
 
 .c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
 mostlyclean-libtool:
 	-rm -f *.lo
diff --git a/src/libstrongswan/plugins/pem/pem_builder.c b/src/libstrongswan/plugins/pem/pem_builder.c
index 08e81b3c5..e9d55f3b8 100644
--- a/src/libstrongswan/plugins/pem/pem_builder.c
+++ b/src/libstrongswan/plugins/pem/pem_builder.c
@@ -1,4 +1,5 @@
 /*
+ * Copyright (C) 2013 Tobias Brunner
  * Copyright (C) 2009 Martin Willi
  * Copyright (C) 2001-2008 Andreas Steffen
  * Hochschule fuer Technik Rapperswil
@@ -564,3 +565,10 @@ certificate_t *pem_certificate_load(certificate_type_t type, va_list args)
 	return pem_load(CRED_CERTIFICATE, type, args);
 }
 
+/**
+ * Container PEM loader.
+ */
+container_t *pem_container_load(container_type_t type, va_list args)
+{
+	return pem_load(CRED_CONTAINER, type, args);
+}
diff --git a/src/libstrongswan/plugins/pem/pem_builder.h b/src/libstrongswan/plugins/pem/pem_builder.h
index 87f5a2c69..b1bfc6d4d 100644
--- a/src/libstrongswan/plugins/pem/pem_builder.h
+++ b/src/libstrongswan/plugins/pem/pem_builder.h
@@ -1,4 +1,5 @@
 /*
+ * Copyright (C) 2013 Tobias Brunner
  * Copyright (C) 2009 Martin Willi
  * Hochschule fuer Technik Rapperswil
  *
@@ -25,6 +26,7 @@
 #include <credentials/credential_factory.h>
 #include <credentials/keys/private_key.h>
 #include <credentials/certificates/certificate.h>
+#include <credentials/containers/container.h>
 
 /**
  * Load PEM encoded private keys.
@@ -53,5 +55,14 @@ public_key_t *pem_public_key_load(key_type_t type, va_list args);
  */
 certificate_t *pem_certificate_load(certificate_type_t type, va_list args);
 
+/**
+ * Build PEM encoded containers.
+ *
+ * @param type		type of the container
+ * @param args		builder_part_t argument list
+ * @return 			container, NULL if failed
+ */
+container_t *pem_container_load(container_type_t type, va_list args);
+
 #endif /** PEM_BUILDER_H_ @}*/
 
diff --git a/src/libstrongswan/plugins/pem/pem_plugin.c b/src/libstrongswan/plugins/pem/pem_plugin.c
index d74ab9ee3..e7edd7b89 100644
--- a/src/libstrongswan/plugins/pem/pem_plugin.c
+++ b/src/libstrongswan/plugins/pem/pem_plugin.c
@@ -105,11 +105,10 @@ METHOD(plugin_t, get_features, int,
 			PLUGIN_PROVIDE(CERT_DECODE, CERT_GPG),
 				PLUGIN_DEPENDS(CERT_DECODE, CERT_GPG),
 
-		/* pluto specific certificate formats */
-		PLUGIN_REGISTER(CERT_DECODE, pem_certificate_load, FALSE),
-			PLUGIN_PROVIDE(CERT_DECODE, CERT_PLUTO_CERT),
-		PLUGIN_REGISTER(CERT_DECODE, pem_certificate_load, FALSE),
-			PLUGIN_PROVIDE(CERT_DECODE, CERT_PLUTO_CRL),
+		/* container PEM decoding */
+		PLUGIN_REGISTER(CONTAINER_DECODE, pem_container_load, FALSE),
+			PLUGIN_PROVIDE(CONTAINER_DECODE, CONTAINER_PKCS12),
+				PLUGIN_DEPENDS(CONTAINER_DECODE, CONTAINER_PKCS12),
 	};
 	*features = f;
 	return countof(f);
diff --git a/src/libstrongswan/plugins/pgp/Makefile.am b/src/libstrongswan/plugins/pgp/Makefile.am
index 4b414616d..d3eef3ce1 100644
--- a/src/libstrongswan/plugins/pgp/Makefile.am
+++ b/src/libstrongswan/plugins/pgp/Makefile.am
@@ -1,7 +1,8 @@
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan
 
-INCLUDES = -I$(top_srcdir)/src/libstrongswan
-
-AM_CFLAGS = -rdynamic
+AM_CFLAGS = \
+	-rdynamic
 
 if MONOLITHIC
 noinst_LTLIBRARIES = libstrongswan-pgp.la
diff --git a/src/libstrongswan/plugins/pgp/Makefile.in b/src/libstrongswan/plugins/pgp/Makefile.in
index 897adfcc7..a21b44f4c 100644
--- a/src/libstrongswan/plugins/pgp/Makefile.in
+++ b/src/libstrongswan/plugins/pgp/Makefile.in
@@ -62,7 +62,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
@@ -102,9 +102,13 @@ libstrongswan_pgp_la_LIBADD =
 am_libstrongswan_pgp_la_OBJECTS = pgp_plugin.lo pgp_utils.lo \
 	pgp_cert.lo pgp_encoder.lo pgp_builder.lo
 libstrongswan_pgp_la_OBJECTS = $(am_libstrongswan_pgp_la_OBJECTS)
-libstrongswan_pgp_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
-	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
-	$(libstrongswan_pgp_la_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+libstrongswan_pgp_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
+	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
+	$(AM_CFLAGS) $(CFLAGS) $(libstrongswan_pgp_la_LDFLAGS) \
+	$(LDFLAGS) -o $@
 @MONOLITHIC_FALSE@am_libstrongswan_pgp_la_rpath = -rpath $(plugindir)
 @MONOLITHIC_TRUE@am_libstrongswan_pgp_la_rpath =
 DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
@@ -113,13 +117,26 @@ am__depfiles_maybe = depfiles
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
 SOURCES = $(libstrongswan_pgp_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_pgp_la_SOURCES)
 am__can_run_installinfo = \
@@ -133,6 +150,7 @@ DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
@@ -145,6 +163,8 @@ CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
 CHECK_CFLAGS = @CHECK_CFLAGS@
 CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -160,6 +180,7 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
 GPRBUILD = @GPRBUILD@
 GREP = @GREP@
@@ -168,6 +189,7 @@ INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -214,6 +236,7 @@ SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -242,6 +265,7 @@ charon_natt_port = @charon_natt_port@
 charon_plugins = @charon_plugins@
 charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
@@ -319,8 +343,12 @@ top_srcdir = @top_srcdir@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-INCLUDES = -I$(top_srcdir)/src/libstrongswan
-AM_CFLAGS = -rdynamic
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan
+
+AM_CFLAGS = \
+	-rdynamic
+
 @MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-pgp.la
 @MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-pgp.la
 libstrongswan_pgp_la_SOURCES = \
@@ -407,7 +435,7 @@ clean-pluginLTLIBRARIES:
 	  rm -f "$${dir}/so_locations"; \
 	done
 libstrongswan-pgp.la: $(libstrongswan_pgp_la_OBJECTS) $(libstrongswan_pgp_la_DEPENDENCIES) $(EXTRA_libstrongswan_pgp_la_DEPENDENCIES) 
-	$(libstrongswan_pgp_la_LINK) $(am_libstrongswan_pgp_la_rpath) $(libstrongswan_pgp_la_OBJECTS) $(libstrongswan_pgp_la_LIBADD) $(LIBS)
+	$(AM_V_CCLD)$(libstrongswan_pgp_la_LINK) $(am_libstrongswan_pgp_la_rpath) $(libstrongswan_pgp_la_OBJECTS) $(libstrongswan_pgp_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -422,25 +450,25 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pgp_utils.Plo@am__quote@
 
 .c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
 mostlyclean-libtool:
 	-rm -f *.lo
diff --git a/src/libstrongswan/plugins/pkcs1/Makefile.am b/src/libstrongswan/plugins/pkcs1/Makefile.am
index bd3203dae..5dbc4e9c2 100644
--- a/src/libstrongswan/plugins/pkcs1/Makefile.am
+++ b/src/libstrongswan/plugins/pkcs1/Makefile.am
@@ -1,7 +1,8 @@
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan
 
-INCLUDES = -I$(top_srcdir)/src/libstrongswan
-
-AM_CFLAGS = -rdynamic
+AM_CFLAGS = \
+	-rdynamic
 
 if MONOLITHIC
 noinst_LTLIBRARIES = libstrongswan-pkcs1.la
diff --git a/src/libstrongswan/plugins/pkcs1/Makefile.in b/src/libstrongswan/plugins/pkcs1/Makefile.in
index 18af15599..0778f6a9c 100644
--- a/src/libstrongswan/plugins/pkcs1/Makefile.in
+++ b/src/libstrongswan/plugins/pkcs1/Makefile.in
@@ -62,7 +62,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
@@ -102,9 +102,13 @@ libstrongswan_pkcs1_la_LIBADD =
 am_libstrongswan_pkcs1_la_OBJECTS = pkcs1_plugin.lo pkcs1_encoder.lo \
 	pkcs1_builder.lo
 libstrongswan_pkcs1_la_OBJECTS = $(am_libstrongswan_pkcs1_la_OBJECTS)
-libstrongswan_pkcs1_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
-	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
-	$(libstrongswan_pkcs1_la_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+libstrongswan_pkcs1_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
+	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
+	$(AM_CFLAGS) $(CFLAGS) $(libstrongswan_pkcs1_la_LDFLAGS) \
+	$(LDFLAGS) -o $@
 @MONOLITHIC_FALSE@am_libstrongswan_pkcs1_la_rpath = -rpath \
 @MONOLITHIC_FALSE@	$(plugindir)
 @MONOLITHIC_TRUE@am_libstrongswan_pkcs1_la_rpath =
@@ -114,13 +118,26 @@ am__depfiles_maybe = depfiles
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
 SOURCES = $(libstrongswan_pkcs1_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_pkcs1_la_SOURCES)
 am__can_run_installinfo = \
@@ -134,6 +151,7 @@ DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
@@ -146,6 +164,8 @@ CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
 CHECK_CFLAGS = @CHECK_CFLAGS@
 CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -161,6 +181,7 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
 GPRBUILD = @GPRBUILD@
 GREP = @GREP@
@@ -169,6 +190,7 @@ INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -215,6 +237,7 @@ SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -243,6 +266,7 @@ charon_natt_port = @charon_natt_port@
 charon_plugins = @charon_plugins@
 charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
@@ -320,8 +344,12 @@ top_srcdir = @top_srcdir@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-INCLUDES = -I$(top_srcdir)/src/libstrongswan
-AM_CFLAGS = -rdynamic
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan
+
+AM_CFLAGS = \
+	-rdynamic
+
 @MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-pkcs1.la
 @MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-pkcs1.la
 libstrongswan_pkcs1_la_SOURCES = \
@@ -406,7 +434,7 @@ clean-pluginLTLIBRARIES:
 	  rm -f "$${dir}/so_locations"; \
 	done
 libstrongswan-pkcs1.la: $(libstrongswan_pkcs1_la_OBJECTS) $(libstrongswan_pkcs1_la_DEPENDENCIES) $(EXTRA_libstrongswan_pkcs1_la_DEPENDENCIES) 
-	$(libstrongswan_pkcs1_la_LINK) $(am_libstrongswan_pkcs1_la_rpath) $(libstrongswan_pkcs1_la_OBJECTS) $(libstrongswan_pkcs1_la_LIBADD) $(LIBS)
+	$(AM_V_CCLD)$(libstrongswan_pkcs1_la_LINK) $(am_libstrongswan_pkcs1_la_rpath) $(libstrongswan_pkcs1_la_OBJECTS) $(libstrongswan_pkcs1_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -419,25 +447,25 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pkcs1_plugin.Plo@am__quote@
 
 .c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
 mostlyclean-libtool:
 	-rm -f *.lo
diff --git a/src/libstrongswan/plugins/pkcs11/Makefile.am b/src/libstrongswan/plugins/pkcs11/Makefile.am
index d032b879a..1d175ecb4 100644
--- a/src/libstrongswan/plugins/pkcs11/Makefile.am
+++ b/src/libstrongswan/plugins/pkcs11/Makefile.am
@@ -1,7 +1,8 @@
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan
 
-INCLUDES = -I$(top_srcdir)/src/libstrongswan
-
-AM_CFLAGS = -rdynamic
+AM_CFLAGS = \
+	-rdynamic
 
 if MONOLITHIC
 noinst_LTLIBRARIES = libstrongswan-pkcs11.la
diff --git a/src/libstrongswan/plugins/pkcs11/Makefile.in b/src/libstrongswan/plugins/pkcs11/Makefile.in
index 90a0ae97c..90b4156f4 100644
--- a/src/libstrongswan/plugins/pkcs11/Makefile.in
+++ b/src/libstrongswan/plugins/pkcs11/Makefile.in
@@ -62,7 +62,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
@@ -105,9 +105,13 @@ am_libstrongswan_pkcs11_la_OBJECTS = pkcs11_plugin.lo \
 	pkcs11_dh.lo pkcs11_manager.lo
 libstrongswan_pkcs11_la_OBJECTS =  \
 	$(am_libstrongswan_pkcs11_la_OBJECTS)
-libstrongswan_pkcs11_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
-	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
-	$(libstrongswan_pkcs11_la_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+libstrongswan_pkcs11_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
+	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
+	$(AM_CFLAGS) $(CFLAGS) $(libstrongswan_pkcs11_la_LDFLAGS) \
+	$(LDFLAGS) -o $@
 @MONOLITHIC_FALSE@am_libstrongswan_pkcs11_la_rpath = -rpath \
 @MONOLITHIC_FALSE@	$(plugindir)
 @MONOLITHIC_TRUE@am_libstrongswan_pkcs11_la_rpath =
@@ -117,13 +121,26 @@ am__depfiles_maybe = depfiles
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
 SOURCES = $(libstrongswan_pkcs11_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_pkcs11_la_SOURCES)
 am__can_run_installinfo = \
@@ -137,6 +154,7 @@ DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
@@ -149,6 +167,8 @@ CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
 CHECK_CFLAGS = @CHECK_CFLAGS@
 CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -164,6 +184,7 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
 GPRBUILD = @GPRBUILD@
 GREP = @GREP@
@@ -172,6 +193,7 @@ INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -218,6 +240,7 @@ SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -246,6 +269,7 @@ charon_natt_port = @charon_natt_port@
 charon_plugins = @charon_plugins@
 charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
@@ -323,8 +347,12 @@ top_srcdir = @top_srcdir@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-INCLUDES = -I$(top_srcdir)/src/libstrongswan
-AM_CFLAGS = -rdynamic
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan
+
+AM_CFLAGS = \
+	-rdynamic
+
 @MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-pkcs11.la
 @MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-pkcs11.la
 libstrongswan_pkcs11_la_SOURCES = \
@@ -415,7 +443,7 @@ clean-pluginLTLIBRARIES:
 	  rm -f "$${dir}/so_locations"; \
 	done
 libstrongswan-pkcs11.la: $(libstrongswan_pkcs11_la_OBJECTS) $(libstrongswan_pkcs11_la_DEPENDENCIES) $(EXTRA_libstrongswan_pkcs11_la_DEPENDENCIES) 
-	$(libstrongswan_pkcs11_la_LINK) $(am_libstrongswan_pkcs11_la_rpath) $(libstrongswan_pkcs11_la_OBJECTS) $(libstrongswan_pkcs11_la_LIBADD) $(LIBS)
+	$(AM_V_CCLD)$(libstrongswan_pkcs11_la_LINK) $(am_libstrongswan_pkcs11_la_rpath) $(libstrongswan_pkcs11_la_OBJECTS) $(libstrongswan_pkcs11_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -434,25 +462,25 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pkcs11_rng.Plo@am__quote@
 
 .c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
 mostlyclean-libtool:
 	-rm -f *.lo
diff --git a/src/libstrongswan/plugins/pkcs11/pkcs11_plugin.c b/src/libstrongswan/plugins/pkcs11/pkcs11_plugin.c
index 9afaf123a..3faa59cae 100644
--- a/src/libstrongswan/plugins/pkcs11/pkcs11_plugin.c
+++ b/src/libstrongswan/plugins/pkcs11/pkcs11_plugin.c
@@ -185,19 +185,6 @@ METHOD(plugin_t, reload, bool,
 	return FALSE;
 }
 
-/**
- * Add a set of features
- */
-static inline void add_features(plugin_feature_t *f, plugin_feature_t *n,
-								int count, int *pos)
-{
-	int i;
-	for (i = 0; i < count; i++)
-	{
-		f[(*pos)++] = n[i];
-	}
-}
-
 METHOD(plugin_t, get_features, int,
 	private_pkcs11_plugin_t *this, plugin_feature_t *features[])
 {
@@ -261,32 +248,32 @@ METHOD(plugin_t, get_features, int,
 	{	/* initialize only once */
 		bool use_ecc = lib->settings->get_bool(lib->settings,
 							"libstrongswan.plugins.pkcs11.use_ecc", FALSE);
-		add_features(f, f_manager, countof(f_manager), &count);
+		plugin_features_add(f, f_manager, countof(f_manager), &count);
 		/* private key handling for EC keys is not disabled by use_ecc */
-		add_features(f, f_privkey, countof(f_privkey), &count);
+		plugin_features_add(f, f_privkey, countof(f_privkey), &count);
 		if (lib->settings->get_bool(lib->settings,
 							"libstrongswan.plugins.pkcs11.use_pubkey", FALSE))
 		{
-			add_features(f, f_pubkey, countof(f_pubkey) - (use_ecc ? 0 : 1),
-						 &count);
+			plugin_features_add(f, f_pubkey, countof(f_pubkey) - (use_ecc ? 0 : 1),
+								&count);
 		}
 		if (lib->settings->get_bool(lib->settings,
 							"libstrongswan.plugins.pkcs11.use_hasher", FALSE))
 		{
-			add_features(f, f_hash, countof(f_hash), &count);
+			plugin_features_add(f, f_hash, countof(f_hash), &count);
 		}
 		if (lib->settings->get_bool(lib->settings,
 							"libstrongswan.plugins.pkcs11.use_rng", FALSE))
 		{
-			add_features(f, f_rng, countof(f_rng), &count);
+			plugin_features_add(f, f_rng, countof(f_rng), &count);
 		}
 		if (lib->settings->get_bool(lib->settings,
 							"libstrongswan.plugins.pkcs11.use_dh", FALSE))
 		{
-			add_features(f, f_dh, countof(f_dh), &count);
+			plugin_features_add(f, f_dh, countof(f_dh), &count);
 			if (use_ecc)
 			{
-				add_features(f, f_ecdh, countof(f_ecdh), &count);
+				plugin_features_add(f, f_ecdh, countof(f_ecdh), &count);
 			}
 		}
 	}
diff --git a/src/libstrongswan/plugins/pkcs12/Makefile.am b/src/libstrongswan/plugins/pkcs12/Makefile.am
new file mode 100644
index 000000000..af472ba82
--- /dev/null
+++ b/src/libstrongswan/plugins/pkcs12/Makefile.am
@@ -0,0 +1,17 @@
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan
+
+AM_CFLAGS = \
+	-rdynamic
+
+if MONOLITHIC
+noinst_LTLIBRARIES = libstrongswan-pkcs12.la
+else
+plugin_LTLIBRARIES = libstrongswan-pkcs12.la
+endif
+
+libstrongswan_pkcs12_la_SOURCES = \
+	pkcs12_plugin.h pkcs12_plugin.c \
+	pkcs12_decode.h pkcs12_decode.c
+
+libstrongswan_pkcs12_la_LDFLAGS = -module -avoid-version
diff --git a/src/libstrongswan/plugins/pkcs12/Makefile.in b/src/libstrongswan/plugins/pkcs12/Makefile.in
new file mode 100644
index 000000000..6d1aeb334
--- /dev/null
+++ b/src/libstrongswan/plugins/pkcs12/Makefile.in
@@ -0,0 +1,684 @@
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
+pkgdatadir = $(datadir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+subdir = src/libstrongswan/plugins/pkcs12
+DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+	$(top_srcdir)/m4/config/ltoptions.m4 \
+	$(top_srcdir)/m4/config/ltsugar.m4 \
+	$(top_srcdir)/m4/config/ltversion.m4 \
+	$(top_srcdir)/m4/config/lt~obsolete.m4 \
+	$(top_srcdir)/m4/macros/with.m4 \
+	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
+	$(top_srcdir)/configure.ac
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+	$(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_HEADER = $(top_builddir)/config.h
+CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+    *) f=$$p;; \
+  esac;
+am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
+am__install_max = 40
+am__nobase_strip_setup = \
+  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
+am__nobase_strip = \
+  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
+am__nobase_list = $(am__nobase_strip_setup); \
+  for p in $$list; do echo "$$p $$p"; done | \
+  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
+  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
+    if (++n[$$2] == $(am__install_max)) \
+      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
+    END { for (dir in files) print dir, files[dir] }'
+am__base_list = \
+  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
+  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
+am__installdirs = "$(DESTDIR)$(plugindir)"
+LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
+libstrongswan_pkcs12_la_LIBADD =
+am_libstrongswan_pkcs12_la_OBJECTS = pkcs12_plugin.lo pkcs12_decode.lo
+libstrongswan_pkcs12_la_OBJECTS =  \
+	$(am_libstrongswan_pkcs12_la_OBJECTS)
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+libstrongswan_pkcs12_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
+	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
+	$(AM_CFLAGS) $(CFLAGS) $(libstrongswan_pkcs12_la_LDFLAGS) \
+	$(LDFLAGS) -o $@
+@MONOLITHIC_FALSE@am_libstrongswan_pkcs12_la_rpath = -rpath \
+@MONOLITHIC_FALSE@	$(plugindir)
+@MONOLITHIC_TRUE@am_libstrongswan_pkcs12_la_rpath =
+DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
+depcomp = $(SHELL) $(top_srcdir)/depcomp
+am__depfiles_maybe = depfiles
+am__mv = mv -f
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
+CCLD = $(CC)
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
+SOURCES = $(libstrongswan_pkcs12_la_SOURCES)
+DIST_SOURCES = $(libstrongswan_pkcs12_la_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
+ETAGS = etags
+CTAGS = ctags
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
+AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+BFDLIB = @BFDLIB@
+BTLIB = @BTLIB@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
+DSYMUTIL = @DSYMUTIL@
+DUMPBIN = @DUMPBIN@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+FGREP = @FGREP@
+GENHTML = @GENHTML@
+GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
+GREP = @GREP@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
+LD = @LD@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LIPO = @LIPO@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
+MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
+NM = @NM@
+NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
+PTHREADLIB = @PTHREADLIB@
+RANLIB = @RANLIB@
+RTLIB = @RTLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
+SED = @SED@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
+STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
+VERSION = @VERSION@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+attest_plugins = @attest_plugins@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+c_plugins = @c_plugins@
+charon_natt_port = @charon_natt_port@
+charon_plugins = @charon_plugins@
+charon_udp_port = @charon_udp_port@
+clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
+datadir = @datadir@
+datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
+dev_headers = @dev_headers@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
+gtk_CFLAGS = @gtk_CFLAGS@
+gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+imcvdir = @imcvdir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+ipsec_script = @ipsec_script@
+ipsec_script_upper = @ipsec_script_upper@
+ipsecdir = @ipsecdir@
+ipsecgroup = @ipsecgroup@
+ipseclibdir = @ipseclibdir@
+ipsecuser = @ipsecuser@
+libdir = @libdir@
+libexecdir = @libexecdir@
+linux_headers = @linux_headers@
+localedir = @localedir@
+localstatedir = @localstatedir@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
+mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
+mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
+nm_plugins = @nm_plugins@
+oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+pcsclite_CFLAGS = @pcsclite_CFLAGS@
+pcsclite_LIBS = @pcsclite_LIBS@
+pdfdir = @pdfdir@
+piddir = @piddir@
+pki_plugins = @pki_plugins@
+plugindir = @plugindir@
+pool_plugins = @pool_plugins@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+random_device = @random_device@
+resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
+sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
+sharedstatedir = @sharedstatedir@
+soup_CFLAGS = @soup_CFLAGS@
+soup_LIBS = @soup_LIBS@
+srcdir = @srcdir@
+starter_plugins = @starter_plugins@
+strongswan_conf = @strongswan_conf@
+sysconfdir = @sysconfdir@
+systemdsystemunitdir = @systemdsystemunitdir@
+target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+urandom_device = @urandom_device@
+xml_CFLAGS = @xml_CFLAGS@
+xml_LIBS = @xml_LIBS@
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan
+
+AM_CFLAGS = \
+	-rdynamic
+
+@MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-pkcs12.la
+@MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-pkcs12.la
+libstrongswan_pkcs12_la_SOURCES = \
+	pkcs12_plugin.h pkcs12_plugin.c \
+	pkcs12_decode.h pkcs12_decode.c
+
+libstrongswan_pkcs12_la_LDFLAGS = -module -avoid-version
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .c .lo .o .obj
+$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
+	@for dep in $?; do \
+	  case '$(am__configure_deps)' in \
+	    *$$dep*) \
+	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+	        && { if test -f $@; then exit 0; else break; fi; }; \
+	      exit 1;; \
+	  esac; \
+	done; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libstrongswan/plugins/pkcs12/Makefile'; \
+	$(am__cd) $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu src/libstrongswan/plugins/pkcs12/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+	@case '$?' in \
+	  *config.status*) \
+	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+	  *) \
+	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+	esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure:  $(am__configure_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
+
+clean-noinstLTLIBRARIES:
+	-test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES)
+	@list='$(noinst_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
+	@$(NORMAL_INSTALL)
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	list2=; for p in $$list; do \
+	  if test -f $$p; then \
+	    list2="$$list2 $$p"; \
+	  else :; fi; \
+	done; \
+	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
+	}
+
+uninstall-pluginLTLIBRARIES:
+	@$(NORMAL_UNINSTALL)
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	for p in $$list; do \
+	  $(am__strip_dir) \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \
+	done
+
+clean-pluginLTLIBRARIES:
+	-test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES)
+	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+libstrongswan-pkcs12.la: $(libstrongswan_pkcs12_la_OBJECTS) $(libstrongswan_pkcs12_la_DEPENDENCIES) $(EXTRA_libstrongswan_pkcs12_la_DEPENDENCIES) 
+	$(AM_V_CCLD)$(libstrongswan_pkcs12_la_LINK) $(am_libstrongswan_pkcs12_la_rpath) $(libstrongswan_pkcs12_la_OBJECTS) $(libstrongswan_pkcs12_la_LIBADD) $(LIBS)
+
+mostlyclean-compile:
+	-rm -f *.$(OBJEXT)
+
+distclean-compile:
+	-rm -f *.tab.c
+
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pkcs12_decode.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pkcs12_plugin.Plo@am__quote@
+
+.c.o:
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
+
+.c.obj:
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
+
+.c.lo:
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	mkid -fID $$unique
+tags: TAGS
+
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	set x; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	shift; \
+	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
+	  test -n "$$unique" || unique=$$empty_fix; \
+	  if test $$# -gt 0; then \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      "$$@" $$unique; \
+	  else \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      $$unique; \
+	  fi; \
+	fi
+ctags: CTAGS
+CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	test -z "$(CTAGS_ARGS)$$unique" \
+	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+	     $$unique
+
+GTAGS:
+	here=`$(am__cd) $(top_builddir) && pwd` \
+	  && $(am__cd) $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) "$$here"
+
+distclean-tags:
+	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+distdir: $(DISTFILES)
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
+	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d "$(distdir)/$$file"; then \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
+	  else \
+	    test -f "$(distdir)/$$file" \
+	    || cp -p $$d/$$file "$(distdir)/$$file" \
+	    || exit 1; \
+	  fi; \
+	done
+check-am: all-am
+check: check-am
+all-am: Makefile $(LTLIBRARIES)
+installdirs:
+	for dir in "$(DESTDIR)$(plugindir)"; do \
+	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
+	done
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
+
+maintainer-clean-generic:
+	@echo "This command is intended for maintainers to use"
+	@echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-generic clean-libtool clean-noinstLTLIBRARIES \
+	clean-pluginLTLIBRARIES mostlyclean-am
+
+distclean: distclean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+	distclean-tags
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+html-am:
+
+info: info-am
+
+info-am:
+
+install-data-am: install-pluginLTLIBRARIES
+
+install-dvi: install-dvi-am
+
+install-dvi-am:
+
+install-exec-am:
+
+install-html: install-html-am
+
+install-html-am:
+
+install-info: install-info-am
+
+install-info-am:
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-pdf-am:
+
+install-ps: install-ps-am
+
+install-ps-am:
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+	mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am: uninstall-pluginLTLIBRARIES
+
+.MAKE: install-am install-strip
+
+.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
+	clean-libtool clean-noinstLTLIBRARIES clean-pluginLTLIBRARIES \
+	ctags distclean distclean-compile distclean-generic \
+	distclean-libtool distclean-tags distdir dvi dvi-am html \
+	html-am info info-am install install-am install-data \
+	install-data-am install-dvi install-dvi-am install-exec \
+	install-exec-am install-html install-html-am install-info \
+	install-info-am install-man install-pdf install-pdf-am \
+	install-pluginLTLIBRARIES install-ps install-ps-am \
+	install-strip installcheck installcheck-am installdirs \
+	maintainer-clean maintainer-clean-generic mostlyclean \
+	mostlyclean-compile mostlyclean-generic mostlyclean-libtool \
+	pdf pdf-am ps ps-am tags uninstall uninstall-am \
+	uninstall-pluginLTLIBRARIES
+
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/src/libstrongswan/plugins/pkcs12/pkcs12_decode.c b/src/libstrongswan/plugins/pkcs12/pkcs12_decode.c
new file mode 100644
index 000000000..379f24796
--- /dev/null
+++ b/src/libstrongswan/plugins/pkcs12/pkcs12_decode.c
@@ -0,0 +1,581 @@
+/*
+ * Copyright (C) 2013 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "pkcs12_decode.h"
+
+#include <utils/debug.h>
+#include <asn1/oid.h>
+#include <asn1/asn1.h>
+#include <asn1/asn1_parser.h>
+#include <credentials/sets/mem_cred.h>
+
+typedef struct private_pkcs12_t private_pkcs12_t;
+
+/**
+ * Private data of a pkcs12_t object
+ */
+struct private_pkcs12_t {
+
+	/**
+	 * Public interface
+	 */
+	pkcs12_t public;
+
+	/**
+	 * Contained credentials
+	 */
+	mem_cred_t *creds;
+};
+
+METHOD(container_t, get_type, container_type_t,
+	private_pkcs12_t *this)
+{
+	return CONTAINER_PKCS12;
+}
+
+METHOD(container_t, get_data, bool,
+	private_pkcs12_t *this, chunk_t *data)
+{
+	/* we could return the content of the outer-most PKCS#7 container (authSafe)
+	 * don't really see the point though */
+	return FALSE;
+}
+
+METHOD(container_t, get_encoding, bool,
+	private_pkcs12_t *this, chunk_t *encoding)
+{
+	/* similar to get_data() we don't have any use for it at the moment */
+	return FALSE;
+}
+
+METHOD(pkcs12_t, create_cert_enumerator, enumerator_t*,
+	private_pkcs12_t *this)
+{
+	return this->creds->set.create_cert_enumerator(&this->creds->set, CERT_ANY,
+												   KEY_ANY, NULL, FALSE);
+}
+
+METHOD(pkcs12_t, create_key_enumerator, enumerator_t*,
+	private_pkcs12_t *this)
+{
+	return this->creds->set.create_private_enumerator(&this->creds->set,
+													  KEY_ANY, NULL);
+}
+
+METHOD(container_t, destroy, void,
+	private_pkcs12_t *this)
+{
+	this->creds->destroy(this->creds);
+	free(this);
+}
+
+static private_pkcs12_t *pkcs12_create()
+{
+	private_pkcs12_t *this;
+
+	INIT(this,
+		.public = {
+			.container = {
+				.get_type = _get_type,
+				.create_signature_enumerator = (void*)enumerator_create_empty,
+				.get_data = _get_data,
+				.get_encoding = _get_encoding,
+				.destroy = _destroy,
+			},
+			.create_cert_enumerator = _create_cert_enumerator,
+			.create_key_enumerator = _create_key_enumerator,
+		},
+		.creds = mem_cred_create(),
+	);
+	return this;
+}
+
+/**
+ * ASN.1 definition of an CertBag structure
+ */
+static const asn1Object_t certBagObjects[] = {
+	{ 0, "CertBag",			ASN1_SEQUENCE,		ASN1_BODY			}, /* 0 */
+	{ 1,   "certId",		ASN1_OID,			ASN1_BODY			}, /* 1 */
+	{ 1,   "certValue",		ASN1_CONTEXT_C_0,	ASN1_BODY  			}, /* 2 */
+	{ 0, "exit",			ASN1_EOC,			ASN1_EXIT			}
+};
+#define CERT_BAG_ID 	1
+#define CERT_BAG_VALUE 	2
+
+/**
+ * Parse a CertBag structure and extract certificate
+ */
+static bool add_certificate(private_pkcs12_t *this, int level0, chunk_t blob)
+{
+	asn1_parser_t *parser;
+	chunk_t object;
+	int objectID;
+	int oid = OID_UNKNOWN;
+	bool success = FALSE;
+
+	parser = asn1_parser_create(certBagObjects, blob);
+	parser->set_top_level(parser, level0);
+
+	while (parser->iterate(parser, &objectID, &object))
+	{
+		switch (objectID)
+		{
+			case CERT_BAG_ID:
+				oid = asn1_known_oid(object);
+				break;
+			case CERT_BAG_VALUE:
+			{
+				if (oid == OID_X509_CERTIFICATE &&
+					asn1_parse_simple_object(&object, ASN1_OCTET_STRING,
+								parser->get_level(parser)+1, "x509Certificate"))
+				{
+					certificate_t *cert;
+
+					DBG2(DBG_ASN, "-- > parsing certificate from PKCS#12");
+					cert = lib->creds->create(lib->creds,
+											  CRED_CERTIFICATE, CERT_X509,
+											  BUILD_BLOB_ASN1_DER, object,
+											  BUILD_END);
+					if (cert)
+					{
+						this->creds->add_cert(this->creds, FALSE, cert);
+						DBG2(DBG_ASN, "-- < --");
+					}
+					else
+					{
+						DBG2(DBG_ASN, "-- < failed parsing certificate from "
+							 "PKCS#12");
+					}
+				}
+				break;
+			}
+		}
+	}
+	success = parser->success(parser);
+	parser->destroy(parser);
+	return success;
+}
+
+/**
+ * ASN.1 definition of an AuthenticatedSafe structure
+ */
+static const asn1Object_t safeContentsObjects[] = {
+	{ 0, "SafeContents",	ASN1_SEQUENCE,		ASN1_LOOP			}, /* 0 */
+	{ 1,   "SafeBag",		ASN1_SEQUENCE,		ASN1_BODY			}, /* 1 */
+	{ 2,     "bagId",		ASN1_OID,			ASN1_BODY			}, /* 2 */
+	{ 2,     "bagValue",	ASN1_CONTEXT_C_0,	ASN1_BODY  			}, /* 3 */
+	{ 2,     "bagAttr",		ASN1_SET,			ASN1_OPT|ASN1_RAW 	}, /* 4 */
+	{ 2,     "end opt",		ASN1_EOC,			ASN1_END 			}, /* 5 */
+	{ 0, "end loop",		ASN1_EOC,			ASN1_END			}, /* 6 */
+	{ 0, "exit",			ASN1_EOC,			ASN1_EXIT			}
+};
+#define SAFE_BAG_ID 	2
+#define SAFE_BAG_VALUE 	3
+
+/**
+ * Parse a SafeContents structure and extract credentials
+ */
+static bool parse_safe_contents(private_pkcs12_t *this, int level0,
+								chunk_t blob)
+{
+	asn1_parser_t *parser;
+	chunk_t object;
+	int objectID;
+	int oid = OID_UNKNOWN;
+	bool success = FALSE;
+
+	parser = asn1_parser_create(safeContentsObjects, blob);
+	parser->set_top_level(parser, level0);
+
+	while (parser->iterate(parser, &objectID, &object))
+	{
+		switch (objectID)
+		{
+			case SAFE_BAG_ID:
+				oid = asn1_known_oid(object);
+				break;
+			case SAFE_BAG_VALUE:
+			{
+				switch (oid)
+				{
+					case OID_P12_CERT_BAG:
+					{
+						add_certificate(this, parser->get_level(parser)+1,
+										object);
+						break;
+					}
+					case OID_P12_KEY_BAG:
+					case OID_P12_PKCS8_KEY_BAG:
+					{
+						private_key_t *key;
+
+						DBG2(DBG_ASN, "-- > parsing private key from PKCS#12");
+						key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY,
+										KEY_ANY, BUILD_BLOB_ASN1_DER, object,
+										BUILD_END);
+						if (key)
+						{
+							this->creds->add_key(this->creds, key);
+							DBG2(DBG_ASN, "-- < --");
+						}
+						else
+						{
+							DBG2(DBG_ASN, "-- < failed parsing private key "
+								 "from PKCS#12");
+						}
+					}
+					default:
+						break;
+				}
+				break;
+			}
+		}
+	}
+	success = parser->success(parser);
+	parser->destroy(parser);
+	return success;
+}
+
+/**
+ * ASN.1 definition of an AuthenticatedSafe structure
+ */
+static const asn1Object_t authenticatedSafeObjects[] = {
+	{ 0, "AuthenticatedSafe",	ASN1_SEQUENCE,	ASN1_LOOP	}, /* 0 */
+	{ 1,   "ContentInfo",		ASN1_SEQUENCE,	ASN1_OBJ	}, /* 1 */
+	{ 0, "end loop",			ASN1_EOC,		ASN1_END	}, /* 2 */
+	{ 0, "exit",				ASN1_EOC,		ASN1_EXIT	}
+};
+#define AUTHENTICATED_SAFE_DATA 	1
+
+/**
+ * Parse an AuthenticatedSafe structure
+ */
+static bool parse_authenticated_safe(private_pkcs12_t *this, chunk_t blob)
+{
+	asn1_parser_t *parser;
+	chunk_t object;
+	int objectID;
+	bool success = FALSE;
+
+	parser = asn1_parser_create(authenticatedSafeObjects, blob);
+
+	while (parser->iterate(parser, &objectID, &object))
+	{
+		switch (objectID)
+		{
+			case AUTHENTICATED_SAFE_DATA:
+			{
+				container_t *container;
+				chunk_t data;
+
+				container = lib->creds->create(lib->creds, CRED_CONTAINER,
+										CONTAINER_PKCS7, BUILD_BLOB_ASN1_DER,
+										object, BUILD_END);
+				if (!container)
+				{
+					goto end;
+				}
+				switch (container->get_type(container))
+				{
+					case CONTAINER_PKCS7_DATA:
+					case CONTAINER_PKCS7_ENCRYPTED_DATA:
+					case CONTAINER_PKCS7_ENVELOPED_DATA:
+						if (container->get_data(container, &data))
+						{
+							break;
+						}
+						/* fall-through */
+					default:
+						container->destroy(container);
+						goto end;
+				}
+				container->destroy(container);
+
+				if (!parse_safe_contents(this, parser->get_level(parser)+1,
+										 data))
+				{
+					chunk_free(&data);
+					goto end;
+				}
+				chunk_free(&data);
+				break;
+			}
+		}
+	}
+	success = parser->success(parser);
+end:
+	parser->destroy(parser);
+	return success;
+}
+
+/**
+ * Verify the given MAC with available passwords.
+ */
+static bool verify_mac(hash_algorithm_t hash, chunk_t salt,
+					   u_int64_t iterations, chunk_t data, chunk_t mac)
+{
+	integrity_algorithm_t integ;
+	enumerator_t *enumerator;
+	shared_key_t *shared;
+	signer_t *signer;
+	chunk_t key, calculated;
+	bool success = FALSE;
+
+	integ = hasher_algorithm_to_integrity(hash, mac.len);
+	signer = lib->crypto->create_signer(lib->crypto, integ);
+	if (!signer)
+	{
+		return FALSE;
+	}
+	key = chunk_alloca(signer->get_key_size(signer));
+	calculated = chunk_alloca(signer->get_block_size(signer));
+
+	enumerator = lib->credmgr->create_shared_enumerator(lib->credmgr,
+										SHARED_PRIVATE_KEY_PASS, NULL, NULL);
+	while (enumerator->enumerate(enumerator, &shared, NULL, NULL))
+	{
+		if (!pkcs12_derive_key(hash, shared->get_key(shared), salt, iterations,
+							   PKCS12_KEY_MAC, key))
+		{
+			break;
+		}
+		if (!signer->set_key(signer, key) ||
+			!signer->get_signature(signer, data, calculated.ptr))
+		{
+			break;
+		}
+		if (chunk_equals(mac, calculated))
+		{
+			success = TRUE;
+			break;
+		}
+	}
+	enumerator->destroy(enumerator);
+	signer->destroy(signer);
+	return success;
+}
+
+/**
+ * ASN.1 definition of digestInfo
+ */
+static const asn1Object_t digestInfoObjects[] = {
+	{ 0, "digestInfo",			ASN1_SEQUENCE,		ASN1_OBJ	}, /*  0 */
+	{ 1,   "digestAlgorithm",	ASN1_EOC,			ASN1_RAW	}, /*  1 */
+	{ 1,   "digest",			ASN1_OCTET_STRING,	ASN1_BODY	}, /*  2 */
+	{ 0, "exit",				ASN1_EOC,			ASN1_EXIT	}
+};
+#define DIGEST_INFO_ALGORITHM		1
+#define DIGEST_INFO_DIGEST			2
+
+/**
+ * Parse a digestInfo structure
+ */
+static bool parse_digest_info(chunk_t blob, int level0, hash_algorithm_t *hash,
+							  chunk_t *digest)
+{
+	asn1_parser_t *parser;
+	chunk_t object;
+	int objectID;
+	bool success;
+
+	parser = asn1_parser_create(digestInfoObjects, blob);
+	parser->set_top_level(parser, level0);
+
+	while (parser->iterate(parser, &objectID, &object))
+	{
+		switch (objectID)
+
+		{
+			case DIGEST_INFO_ALGORITHM:
+			{
+				int oid = asn1_parse_algorithmIdentifier(object,
+									 parser->get_level(parser)+1, NULL);
+
+				*hash = hasher_algorithm_from_oid(oid);
+				break;
+			}
+			case DIGEST_INFO_DIGEST:
+			{
+				*digest = object;
+				break;
+			}
+			default:
+				break;
+		}
+	}
+	success = parser->success(parser);
+	parser->destroy(parser);
+	return success;
+}
+
+/**
+ * ASN.1 definition of a PFX structure
+ */
+static const asn1Object_t PFXObjects[] = {
+	{ 0, "PFX",				ASN1_SEQUENCE,		ASN1_NONE			}, /* 0 */
+	{ 1,   "version",		ASN1_INTEGER,		ASN1_BODY			}, /* 1 */
+	{ 1,   "authSafe",		ASN1_SEQUENCE,		ASN1_OBJ			}, /* 2 */
+	{ 1,   "macData",		ASN1_SEQUENCE,		ASN1_OPT|ASN1_BODY	}, /* 3 */
+	{ 2,     "mac",			ASN1_SEQUENCE,		ASN1_RAW			}, /* 4 */
+	{ 2,     "macSalt",		ASN1_OCTET_STRING,	ASN1_BODY			}, /* 5 */
+	{ 2,     "iterations",	ASN1_INTEGER,		ASN1_DEF|ASN1_BODY	}, /* 6 */
+	{ 1,   "end opt",		ASN1_EOC,			ASN1_END			}, /* 7 */
+	{ 0, "exit",			ASN1_EOC,			ASN1_EXIT			}
+};
+#define PFX_AUTH_SAFE	2
+#define PFX_MAC			4
+#define PFX_SALT		5
+#define PFX_ITERATIONS	6
+
+/**
+ * Parse an ASN.1 encoded PFX structure
+ */
+static bool parse_PFX(private_pkcs12_t *this, chunk_t blob)
+{
+	asn1_parser_t *parser;
+	int objectID;
+	chunk_t object, auth_safe, digest = chunk_empty, salt = chunk_empty,
+			data = chunk_empty;
+	hash_algorithm_t hash = HASH_UNKNOWN;
+	container_t *container = NULL;
+	u_int64_t iterations = 0;
+	bool success = FALSE;
+
+	parser = asn1_parser_create(PFXObjects, blob);
+
+	while (parser->iterate(parser, &objectID, &object))
+	{
+		switch (objectID)
+		{
+			case PFX_AUTH_SAFE:
+			{
+				auth_safe = object;
+				break;
+			}
+			case PFX_MAC:
+			{
+				if (!parse_digest_info(object, parser->get_level(parser)+1,
+									   &hash, &digest))
+				{
+					goto end_parse;
+				}
+				break;
+			}
+			case PFX_SALT:
+			{
+				salt = object;
+				break;
+			}
+			case PFX_ITERATIONS:
+			{
+				iterations = object.len ? asn1_parse_integer_uint64(object) : 1;
+				break;
+			}
+		}
+	}
+	success = parser->success(parser);
+
+end_parse:
+	parser->destroy(parser);
+	if (!success)
+	{
+		return FALSE;
+	}
+
+	success = FALSE;
+	DBG2(DBG_ASN, "-- > --");
+	container = lib->creds->create(lib->creds, CRED_CONTAINER, CONTAINER_PKCS7,
+								   BUILD_BLOB_ASN1_DER, auth_safe, BUILD_END);
+	if (container && container->get_data(container, &data))
+	{
+		if (hash != HASH_UNKNOWN)
+		{
+			if (container->get_type(container) != CONTAINER_PKCS7_DATA)
+			{
+				goto end;
+			}
+			if (!verify_mac(hash, salt, iterations, data, digest))
+			{
+				DBG1(DBG_ASN, "  MAC verification of PKCS#12 container failed");
+				goto end;
+			}
+		}
+		else
+		{
+			enumerator_t *enumerator;
+			auth_cfg_t *auth;
+
+			if (container->get_type(container) != CONTAINER_PKCS7_SIGNED_DATA)
+			{
+				goto end;
+			}
+			enumerator = container->create_signature_enumerator(container);
+			if (!enumerator->enumerate(enumerator, &auth))
+			{
+				DBG1(DBG_ASN, "  signature verification of PKCS#12 container "
+					 "failed");
+				enumerator->destroy(enumerator);
+				goto end;
+			}
+			enumerator->destroy(enumerator);
+		}
+		success = parse_authenticated_safe(this, data);
+	}
+end:
+	DBG2(DBG_ASN, "-- < --");
+	DESTROY_IF(container);
+	chunk_free(&data);
+	return success;
+}
+
+/**
+ * See header.
+ */
+pkcs12_t *pkcs12_decode(container_type_t type, va_list args)
+{
+	private_pkcs12_t *this;
+	chunk_t blob = chunk_empty;
+
+	while (TRUE)
+	{
+		switch (va_arg(args, builder_part_t))
+		{
+			case BUILD_BLOB_ASN1_DER:
+				blob = va_arg(args, chunk_t);
+				continue;
+			case BUILD_END:
+				break;
+			default:
+				return NULL;
+		}
+		break;
+	}
+	if (blob.len)
+	{
+		if (blob.len >= 2 &&
+			blob.ptr[0] == ASN1_SEQUENCE && blob.ptr[1] == 0x80)
+		{	/* looks like infinite length BER encoding, but we can't handle it.
+			 */
+			return NULL;
+		}
+		this = pkcs12_create();
+		if (parse_PFX(this, blob))
+		{
+			return &this->public;
+		}
+		destroy(this);
+	}
+	return NULL;
+}
diff --git a/src/libstrongswan/plugins/pkcs12/pkcs12_decode.h b/src/libstrongswan/plugins/pkcs12/pkcs12_decode.h
new file mode 100644
index 000000000..e2998968f
--- /dev/null
+++ b/src/libstrongswan/plugins/pkcs12/pkcs12_decode.h
@@ -0,0 +1,38 @@
+/*
+ * Copyright (C) 2013 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup pkcs12_decode pkcs12_decode
+ * @{ @ingroup pkcs12
+ */
+
+#ifndef PKCS12_DECODE_H_
+#define PKCS12_DECODE_H_
+
+#include <credentials/builder.h>
+#include <credentials/containers/pkcs12.h>
+
+/**
+ * Load a PKCS#12 container.
+ *
+ * The argument list must contain a single BUILD_BLOB_ASN1_DER argument.
+ *
+ * @param type		type of the container, CONTAINER_PKCS12
+ * @param args		builder_part_t argument list
+ * @return			container, NULL on failure
+ */
+pkcs12_t *pkcs12_decode(container_type_t type, va_list args);
+
+#endif /** PKCS12_DECODE_H_ @}*/
diff --git a/src/libstrongswan/plugins/pkcs12/pkcs12_plugin.c b/src/libstrongswan/plugins/pkcs12/pkcs12_plugin.c
new file mode 100644
index 000000000..902d2971b
--- /dev/null
+++ b/src/libstrongswan/plugins/pkcs12/pkcs12_plugin.c
@@ -0,0 +1,83 @@
+/*
+ * Copyright (C) 2012 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "pkcs12_plugin.h"
+
+#include <library.h>
+
+#include "pkcs12_decode.h"
+
+typedef struct private_pkcs12_plugin_t private_pkcs12_plugin_t;
+
+/**
+ * private data of pkcs12_plugin
+ */
+struct private_pkcs12_plugin_t {
+
+	/**
+	 * public functions
+	 */
+	pkcs12_plugin_t public;
+};
+
+METHOD(plugin_t, get_name, char*,
+	private_pkcs12_plugin_t *this)
+{
+	return "pkcs12";
+}
+
+METHOD(plugin_t, get_features, int,
+	private_pkcs12_plugin_t *this, plugin_feature_t *features[])
+{
+	static plugin_feature_t f[] = {
+		PLUGIN_REGISTER(CONTAINER_DECODE, pkcs12_decode, FALSE),
+			PLUGIN_PROVIDE(CONTAINER_DECODE, CONTAINER_PKCS12),
+				PLUGIN_DEPENDS(CONTAINER_DECODE, CONTAINER_PKCS7),
+				PLUGIN_SDEPEND(CERT_DECODE, CERT_X509),
+				PLUGIN_SDEPEND(PRIVKEY, KEY_ANY),
+				PLUGIN_SDEPEND(HASHER, HASH_SHA1),
+				PLUGIN_SDEPEND(CRYPTER, ENCR_3DES, 24),
+				PLUGIN_SDEPEND(CRYPTER, ENCR_RC2_CBC, 0),
+	};
+	*features = f;
+	return countof(f);
+}
+
+METHOD(plugin_t, destroy, void,
+	private_pkcs12_plugin_t *this)
+{
+	free(this);
+}
+
+/*
+ * see header file
+ */
+plugin_t *pkcs12_plugin_create()
+{
+	private_pkcs12_plugin_t *this;
+
+	INIT(this,
+		.public = {
+			.plugin = {
+				.get_name = _get_name,
+				.get_features = _get_features,
+				.destroy = _destroy,
+			},
+		},
+	);
+
+	return &this->public.plugin;
+}
+
diff --git a/src/libstrongswan/plugins/pkcs12/pkcs12_plugin.h b/src/libstrongswan/plugins/pkcs12/pkcs12_plugin.h
new file mode 100644
index 000000000..3bd7f2df3
--- /dev/null
+++ b/src/libstrongswan/plugins/pkcs12/pkcs12_plugin.h
@@ -0,0 +1,42 @@
+/*
+ * Copyright (C) 2013 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup pkcs12 pkcs12
+ * @ingroup plugins
+ *
+ * @defgroup pkcs12_plugin pkcs12_plugin
+ * @{ @ingroup pkcs12
+ */
+
+#ifndef PKCS12_PLUGIN_H_
+#define PKCS12_PLUGIN_H_
+
+#include <plugins/plugin.h>
+
+typedef struct pkcs12_plugin_t pkcs12_plugin_t;
+
+/**
+ * Plugin providing PKCS#12 decoding functions
+ */
+struct pkcs12_plugin_t {
+
+	/**
+	 * Implements plugin interface.
+	 */
+	plugin_t plugin;
+};
+
+#endif /** PKCS12_PLUGIN_H_ @}*/
diff --git a/src/libstrongswan/plugins/pkcs7/Makefile.am b/src/libstrongswan/plugins/pkcs7/Makefile.am
index 6310daece..080947f46 100644
--- a/src/libstrongswan/plugins/pkcs7/Makefile.am
+++ b/src/libstrongswan/plugins/pkcs7/Makefile.am
@@ -1,7 +1,8 @@
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan
 
-INCLUDES = -I$(top_srcdir)/src/libstrongswan
-
-AM_CFLAGS = -rdynamic
+AM_CFLAGS = \
+	-rdynamic
 
 if MONOLITHIC
 noinst_LTLIBRARIES = libstrongswan-pkcs7.la
@@ -12,6 +13,7 @@ endif
 libstrongswan_pkcs7_la_SOURCES = \
 	pkcs7_generic.h pkcs7_generic.c \
 	pkcs7_signed_data.h pkcs7_signed_data.c \
+	pkcs7_encrypted_data.h pkcs7_encrypted_data.c \
 	pkcs7_enveloped_data.h pkcs7_enveloped_data.c \
 	pkcs7_data.h pkcs7_data.c \
 	pkcs7_attributes.h pkcs7_attributes.c \
diff --git a/src/libstrongswan/plugins/pkcs7/Makefile.in b/src/libstrongswan/plugins/pkcs7/Makefile.in
index a4ef63364..f40c03925 100644
--- a/src/libstrongswan/plugins/pkcs7/Makefile.in
+++ b/src/libstrongswan/plugins/pkcs7/Makefile.in
@@ -62,7 +62,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
@@ -100,12 +100,17 @@ am__installdirs = "$(DESTDIR)$(plugindir)"
 LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
 libstrongswan_pkcs7_la_LIBADD =
 am_libstrongswan_pkcs7_la_OBJECTS = pkcs7_generic.lo \
-	pkcs7_signed_data.lo pkcs7_enveloped_data.lo pkcs7_data.lo \
-	pkcs7_attributes.lo pkcs7_plugin.lo
+	pkcs7_signed_data.lo pkcs7_encrypted_data.lo \
+	pkcs7_enveloped_data.lo pkcs7_data.lo pkcs7_attributes.lo \
+	pkcs7_plugin.lo
 libstrongswan_pkcs7_la_OBJECTS = $(am_libstrongswan_pkcs7_la_OBJECTS)
-libstrongswan_pkcs7_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
-	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
-	$(libstrongswan_pkcs7_la_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+libstrongswan_pkcs7_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
+	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
+	$(AM_CFLAGS) $(CFLAGS) $(libstrongswan_pkcs7_la_LDFLAGS) \
+	$(LDFLAGS) -o $@
 @MONOLITHIC_FALSE@am_libstrongswan_pkcs7_la_rpath = -rpath \
 @MONOLITHIC_FALSE@	$(plugindir)
 @MONOLITHIC_TRUE@am_libstrongswan_pkcs7_la_rpath =
@@ -115,13 +120,26 @@ am__depfiles_maybe = depfiles
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
 SOURCES = $(libstrongswan_pkcs7_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_pkcs7_la_SOURCES)
 am__can_run_installinfo = \
@@ -135,6 +153,7 @@ DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
@@ -147,6 +166,8 @@ CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
 CHECK_CFLAGS = @CHECK_CFLAGS@
 CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -162,6 +183,7 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
 GPRBUILD = @GPRBUILD@
 GREP = @GREP@
@@ -170,6 +192,7 @@ INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -216,6 +239,7 @@ SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -244,6 +268,7 @@ charon_natt_port = @charon_natt_port@
 charon_plugins = @charon_plugins@
 charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
@@ -321,13 +346,18 @@ top_srcdir = @top_srcdir@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-INCLUDES = -I$(top_srcdir)/src/libstrongswan
-AM_CFLAGS = -rdynamic
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan
+
+AM_CFLAGS = \
+	-rdynamic
+
 @MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-pkcs7.la
 @MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-pkcs7.la
 libstrongswan_pkcs7_la_SOURCES = \
 	pkcs7_generic.h pkcs7_generic.c \
 	pkcs7_signed_data.h pkcs7_signed_data.c \
+	pkcs7_encrypted_data.h pkcs7_encrypted_data.c \
 	pkcs7_enveloped_data.h pkcs7_enveloped_data.c \
 	pkcs7_data.h pkcs7_data.c \
 	pkcs7_attributes.h pkcs7_attributes.c \
@@ -410,7 +440,7 @@ clean-pluginLTLIBRARIES:
 	  rm -f "$${dir}/so_locations"; \
 	done
 libstrongswan-pkcs7.la: $(libstrongswan_pkcs7_la_OBJECTS) $(libstrongswan_pkcs7_la_DEPENDENCIES) $(EXTRA_libstrongswan_pkcs7_la_DEPENDENCIES) 
-	$(libstrongswan_pkcs7_la_LINK) $(am_libstrongswan_pkcs7_la_rpath) $(libstrongswan_pkcs7_la_OBJECTS) $(libstrongswan_pkcs7_la_LIBADD) $(LIBS)
+	$(AM_V_CCLD)$(libstrongswan_pkcs7_la_LINK) $(am_libstrongswan_pkcs7_la_rpath) $(libstrongswan_pkcs7_la_OBJECTS) $(libstrongswan_pkcs7_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -420,31 +450,32 @@ distclean-compile:
 
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pkcs7_attributes.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pkcs7_data.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pkcs7_encrypted_data.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pkcs7_enveloped_data.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pkcs7_generic.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pkcs7_plugin.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pkcs7_signed_data.Plo@am__quote@
 
 .c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
 mostlyclean-libtool:
 	-rm -f *.lo
diff --git a/src/libstrongswan/plugins/pkcs7/pkcs7_encrypted_data.c b/src/libstrongswan/plugins/pkcs7/pkcs7_encrypted_data.c
new file mode 100644
index 000000000..2c414c391
--- /dev/null
+++ b/src/libstrongswan/plugins/pkcs7/pkcs7_encrypted_data.c
@@ -0,0 +1,216 @@
+/*
+ * Copyright (C) 2013 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "pkcs7_encrypted_data.h"
+
+#include <asn1/asn1.h>
+#include <asn1/asn1_parser.h>
+#include <asn1/oid.h>
+#include <crypto/pkcs5.h>
+#include <utils/debug.h>
+
+typedef struct private_pkcs7_encrypted_data_t private_pkcs7_encrypted_data_t;
+
+/**
+ * Private data of a PKCS#7 signed-data container.
+ */
+struct private_pkcs7_encrypted_data_t {
+
+	/**
+	 * Implements pkcs7_t.
+	 */
+	pkcs7_t public;
+
+	/**
+	 * Decrypted content
+	 */
+	chunk_t content;
+
+	/**
+	 * Encrypted and encoded PKCS#7 encrypted-data
+	 */
+	chunk_t encoding;
+};
+
+/**
+ * Decrypt encrypted-data with available passwords
+ */
+static bool decrypt(pkcs5_t *pkcs5, chunk_t data, chunk_t *decrypted)
+{
+	enumerator_t *enumerator;
+	shared_key_t *shared;
+	bool success = FALSE;
+
+	enumerator = lib->credmgr->create_shared_enumerator(lib->credmgr,
+										SHARED_PRIVATE_KEY_PASS, NULL, NULL);
+	while (enumerator->enumerate(enumerator, &shared, NULL, NULL))
+	{
+		if (pkcs5->decrypt(pkcs5, shared->get_key(shared), data, decrypted))
+		{
+			success = TRUE;
+			break;
+		}
+	}
+	enumerator->destroy(enumerator);
+	return success;
+}
+
+/**
+ * ASN.1 definition of the PKCS#7 encrypted-data type
+ */
+static const asn1Object_t encryptedDataObjects[] = {
+	{ 0, "encryptedData",					ASN1_SEQUENCE,		ASN1_NONE }, /* 0 */
+	{ 1,   "version",						ASN1_INTEGER,		ASN1_BODY }, /* 1 */
+	{ 1,   "encryptedContentInfo",			ASN1_SEQUENCE,		ASN1_OBJ  }, /* 2 */
+	{ 2,     "contentType",					ASN1_OID,			ASN1_BODY }, /* 3 */
+	{ 2,     "contentEncryptionAlgorithm",	ASN1_EOC,			ASN1_RAW  }, /* 4 */
+	{ 2,     "encryptedContent",			ASN1_CONTEXT_S_0,	ASN1_BODY }, /* 5 */
+	{ 0, "exit",							ASN1_EOC,			ASN1_EXIT }
+};
+#define PKCS7_VERSION					1
+#define PKCS7_CONTENT_TYPE				3
+#define PKCS7_CONTENT_ENC_ALGORITHM		4
+#define PKCS7_ENCRYPTED_CONTENT			5
+
+/**
+ * Parse and decrypt encrypted-data
+ */
+static bool parse(private_pkcs7_encrypted_data_t *this, chunk_t content)
+{
+	asn1_parser_t *parser;
+	chunk_t object;
+	int objectID, version;
+	bool success = FALSE;
+	chunk_t encrypted = chunk_empty;
+	pkcs5_t *pkcs5 = NULL;
+
+	parser = asn1_parser_create(encryptedDataObjects, content);
+
+	while (parser->iterate(parser, &objectID, &object))
+	{
+		int level = parser->get_level(parser);
+
+		switch (objectID)
+		{
+			case PKCS7_VERSION:
+				version = object.len ? (int)*object.ptr : 0;
+				DBG2(DBG_LIB, "  v%d", version);
+				if (version != 0)
+				{
+					DBG1(DBG_LIB, "encryptedData version is not 0");
+					goto end;
+				}
+				break;
+			case PKCS7_CONTENT_TYPE:
+				if (asn1_known_oid(object) != OID_PKCS7_DATA)
+				{
+					DBG1(DBG_LIB, "encrypted content not of type pkcs7 data");
+					goto end;
+				}
+				break;
+			case PKCS7_CONTENT_ENC_ALGORITHM:
+				pkcs5 = pkcs5_from_algorithmIdentifier(object, level + 1);
+				if (!pkcs5)
+				{
+					DBG1(DBG_LIB, "failed to detect PKCS#5 scheme");
+					goto end;
+				}
+				break;
+			case PKCS7_ENCRYPTED_CONTENT:
+				encrypted = object;
+				break;
+		}
+	}
+	success = parser->success(parser);
+
+end:
+	parser->destroy(parser);
+	success = success && decrypt(pkcs5, encrypted, &this->content);
+	DESTROY_IF(pkcs5);
+	return success;
+}
+
+METHOD(container_t, get_type, container_type_t,
+	private_pkcs7_encrypted_data_t *this)
+{
+	return CONTAINER_PKCS7_ENCRYPTED_DATA;
+}
+
+METHOD(container_t, get_data, bool,
+	private_pkcs7_encrypted_data_t *this, chunk_t *data)
+{
+	if (this->content.len)
+	{
+		*data = chunk_clone(this->content);
+		return TRUE;
+	}
+	return FALSE;
+}
+
+METHOD(container_t, get_encoding, bool,
+	private_pkcs7_encrypted_data_t *this, chunk_t *data)
+{
+	*data = chunk_clone(this->encoding);
+	return TRUE;
+}
+
+METHOD(container_t, destroy, void,
+	private_pkcs7_encrypted_data_t *this)
+{
+	free(this->content.ptr);
+	free(this->encoding.ptr);
+	free(this);
+}
+
+/**
+ * Generic constructor
+ */
+static private_pkcs7_encrypted_data_t* create_empty()
+{
+	private_pkcs7_encrypted_data_t *this;
+
+	INIT(this,
+		.public = {
+			.container = {
+				.get_type = _get_type,
+				.create_signature_enumerator = (void*)enumerator_create_empty,
+				.get_data = _get_data,
+				.get_encoding = _get_encoding,
+				.destroy = _destroy,
+			},
+			.create_cert_enumerator = (void*)enumerator_create_empty,
+			.get_attribute = (void*)return_false,
+		},
+	);
+
+	return this;
+}
+
+/**
+ * See header.
+ */
+pkcs7_t *pkcs7_encrypted_data_load(chunk_t encoding, chunk_t content)
+{
+	private_pkcs7_encrypted_data_t *this = create_empty();
+
+	this->encoding = chunk_clone(encoding);
+	if (!parse(this, content))
+	{
+		destroy(this);
+		return NULL;
+	}
+
+	return &this->public;
+}
diff --git a/src/libstrongswan/plugins/pkcs7/pkcs7_encrypted_data.h b/src/libstrongswan/plugins/pkcs7/pkcs7_encrypted_data.h
new file mode 100644
index 000000000..b685557fc
--- /dev/null
+++ b/src/libstrongswan/plugins/pkcs7/pkcs7_encrypted_data.h
@@ -0,0 +1,36 @@
+/*
+ * Copyright (C) 2013 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup pkcs7_encrypted_data pkcs7_encrypted_data
+ * @{ @ingroup pkcs7p
+ */
+
+#ifndef PKCS7_ENCRYPTED_DATA_H_
+#define PKCS7_ENCRYPTED_DATA_H_
+
+#include <credentials/builder.h>
+#include <credentials/containers/pkcs7.h>
+
+/**
+ * Parse a PKCS#7 encrypted-data container.
+ *
+ * @param encoding	full contentInfo encoding
+ * @param content	DER encoded content from contentInfo
+ * @return			CONTAINER_PKCS7_ENCRYPTED_DATA container, NULL on failure
+ */
+pkcs7_t *pkcs7_encrypted_data_load(chunk_t encoding, chunk_t content);
+
+#endif /** PKCS7_ENCRYPTED_DATA_H_ @}*/
diff --git a/src/libstrongswan/plugins/pkcs7/pkcs7_generic.c b/src/libstrongswan/plugins/pkcs7/pkcs7_generic.c
index 35d8d11a7..24d7cd848 100644
--- a/src/libstrongswan/plugins/pkcs7/pkcs7_generic.c
+++ b/src/libstrongswan/plugins/pkcs7/pkcs7_generic.c
@@ -20,6 +20,7 @@
 #include "pkcs7_generic.h"
 #include "pkcs7_data.h"
 #include "pkcs7_signed_data.h"
+#include "pkcs7_encrypted_data.h"
 #include "pkcs7_enveloped_data.h"
 
 #include <utils/debug.h>
@@ -85,6 +86,8 @@ end:
 				return pkcs7_signed_data_load(blob, content);
 			case OID_PKCS7_ENVELOPED_DATA:
 				return pkcs7_enveloped_data_load(blob, content);
+			case OID_PKCS7_ENCRYPTED_DATA:
+				return pkcs7_encrypted_data_load(blob, content);
 			default:
 				DBG1(DBG_ASN, "pkcs7 content type %d not supported", type);
 				return NULL;
diff --git a/src/libstrongswan/plugins/pkcs8/Makefile.am b/src/libstrongswan/plugins/pkcs8/Makefile.am
index bcaf2c6a5..98e3263df 100644
--- a/src/libstrongswan/plugins/pkcs8/Makefile.am
+++ b/src/libstrongswan/plugins/pkcs8/Makefile.am
@@ -1,7 +1,8 @@
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan
 
-INCLUDES = -I$(top_srcdir)/src/libstrongswan
-
-AM_CFLAGS = -rdynamic
+AM_CFLAGS = \
+	-rdynamic
 
 if MONOLITHIC
 noinst_LTLIBRARIES = libstrongswan-pkcs8.la
diff --git a/src/libstrongswan/plugins/pkcs8/Makefile.in b/src/libstrongswan/plugins/pkcs8/Makefile.in
index 879020383..9ed381e38 100644
--- a/src/libstrongswan/plugins/pkcs8/Makefile.in
+++ b/src/libstrongswan/plugins/pkcs8/Makefile.in
@@ -62,7 +62,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
@@ -101,9 +101,13 @@ LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
 libstrongswan_pkcs8_la_LIBADD =
 am_libstrongswan_pkcs8_la_OBJECTS = pkcs8_plugin.lo pkcs8_builder.lo
 libstrongswan_pkcs8_la_OBJECTS = $(am_libstrongswan_pkcs8_la_OBJECTS)
-libstrongswan_pkcs8_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
-	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
-	$(libstrongswan_pkcs8_la_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+libstrongswan_pkcs8_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
+	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
+	$(AM_CFLAGS) $(CFLAGS) $(libstrongswan_pkcs8_la_LDFLAGS) \
+	$(LDFLAGS) -o $@
 @MONOLITHIC_FALSE@am_libstrongswan_pkcs8_la_rpath = -rpath \
 @MONOLITHIC_FALSE@	$(plugindir)
 @MONOLITHIC_TRUE@am_libstrongswan_pkcs8_la_rpath =
@@ -113,13 +117,26 @@ am__depfiles_maybe = depfiles
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
 SOURCES = $(libstrongswan_pkcs8_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_pkcs8_la_SOURCES)
 am__can_run_installinfo = \
@@ -133,6 +150,7 @@ DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
@@ -145,6 +163,8 @@ CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
 CHECK_CFLAGS = @CHECK_CFLAGS@
 CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -160,6 +180,7 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
 GPRBUILD = @GPRBUILD@
 GREP = @GREP@
@@ -168,6 +189,7 @@ INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -214,6 +236,7 @@ SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -242,6 +265,7 @@ charon_natt_port = @charon_natt_port@
 charon_plugins = @charon_plugins@
 charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
@@ -319,8 +343,12 @@ top_srcdir = @top_srcdir@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-INCLUDES = -I$(top_srcdir)/src/libstrongswan
-AM_CFLAGS = -rdynamic
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan
+
+AM_CFLAGS = \
+	-rdynamic
+
 @MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-pkcs8.la
 @MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-pkcs8.la
 libstrongswan_pkcs8_la_SOURCES = \
@@ -404,7 +432,7 @@ clean-pluginLTLIBRARIES:
 	  rm -f "$${dir}/so_locations"; \
 	done
 libstrongswan-pkcs8.la: $(libstrongswan_pkcs8_la_OBJECTS) $(libstrongswan_pkcs8_la_DEPENDENCIES) $(EXTRA_libstrongswan_pkcs8_la_DEPENDENCIES) 
-	$(libstrongswan_pkcs8_la_LINK) $(am_libstrongswan_pkcs8_la_rpath) $(libstrongswan_pkcs8_la_OBJECTS) $(libstrongswan_pkcs8_la_LIBADD) $(LIBS)
+	$(AM_V_CCLD)$(libstrongswan_pkcs8_la_LINK) $(am_libstrongswan_pkcs8_la_rpath) $(libstrongswan_pkcs8_la_OBJECTS) $(libstrongswan_pkcs8_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -416,25 +444,25 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pkcs8_plugin.Plo@am__quote@
 
 .c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
 mostlyclean-libtool:
 	-rm -f *.lo
diff --git a/src/libstrongswan/plugins/pkcs8/pkcs8_builder.c b/src/libstrongswan/plugins/pkcs8/pkcs8_builder.c
index 26a3620d7..e93a8361c 100644
--- a/src/libstrongswan/plugins/pkcs8/pkcs8_builder.c
+++ b/src/libstrongswan/plugins/pkcs8/pkcs8_builder.c
@@ -19,6 +19,7 @@
 #include <asn1/oid.h>
 #include <asn1/asn1.h>
 #include <asn1/asn1_parser.h>
+#include <crypto/pkcs5.h>
 #include <credentials/keys/private_key.h>
 
 /**
@@ -100,450 +101,39 @@ end:
 	return key;
 }
 
-/**
- * Verify padding of decrypted blob.
- * Length of blob is adjusted accordingly.
- */
-static bool verify_padding(chunk_t *blob)
-{
-	u_int8_t padding, count;
-
-	padding = count = blob->ptr[blob->len - 1];
-	if (padding > 8)
-	{
-		return FALSE;
-	}
-	for (; blob->len && count; --blob->len, --count)
-	{
-		if (blob->ptr[blob->len - 1] != padding)
-		{
-			return FALSE;
-		}
-	}
-	return TRUE;
-}
-
-/**
- * Prototype for key derivation functions.
- */
-typedef bool (*kdf_t)(void *generator, chunk_t password, chunk_t salt,
-					  u_int64_t iterations, chunk_t key);
-
 /**
  * Try to decrypt the given blob with multiple passwords using the given
- * key derivation function. keymat is where the kdf function writes the key
- * to, key and iv point to the actual keys and initialization vectors resp.
+ * pkcs5 object.
  */
-static private_key_t *decrypt_private_key(chunk_t blob,
-					encryption_algorithm_t encr, size_t key_len, kdf_t kdf,
-					void *generator, chunk_t salt, u_int64_t iterations,
-					chunk_t keymat, chunk_t key, chunk_t iv)
+static private_key_t *decrypt_private_key(pkcs5_t *pkcs5, chunk_t blob)
 {
 	enumerator_t *enumerator;
 	shared_key_t *shared;
-	crypter_t *crypter;
 	private_key_t *private_key = NULL;
 
-	crypter = lib->crypto->create_crypter(lib->crypto, encr, key_len);
-	if (!crypter)
-	{
-		DBG1(DBG_ASN, "  %N encryption algorithm not available",
-			 encryption_algorithm_names, encr);
-		return NULL;
-	}
-	if (blob.len % crypter->get_block_size(crypter))
-	{
-		DBG1(DBG_ASN, "  data size is not a multiple of block size");
-		crypter->destroy(crypter);
-		return NULL;
-	}
-
 	enumerator = lib->credmgr->create_shared_enumerator(lib->credmgr,
 										SHARED_PRIVATE_KEY_PASS, NULL, NULL);
 	while (enumerator->enumerate(enumerator, &shared, NULL, NULL))
 	{
 		chunk_t decrypted;
 
-		if (!kdf(generator, shared->get_key(shared), salt, iterations, keymat))
-		{
-			continue;
-		}
-		if (!crypter->set_key(crypter, key) ||
-			!crypter->decrypt(crypter, blob, iv, &decrypted))
+		if (!pkcs5->decrypt(pkcs5, shared->get_key(shared), blob, &decrypted))
 		{
 			continue;
 		}
-		if (verify_padding(&decrypted))
+		private_key = parse_private_key(decrypted);
+		if (private_key)
 		{
-			private_key = parse_private_key(decrypted);
-			if (private_key)
-			{
-				chunk_clear(&decrypted);
-				break;
-			}
+			chunk_clear(&decrypted);
+			break;
 		}
 		chunk_free(&decrypted);
 	}
 	enumerator->destroy(enumerator);
-	crypter->destroy(crypter);
-
-	return private_key;
-}
-
-/**
- * Function F of PBKDF2
- */
-static bool pbkdf2_f(chunk_t block, prf_t *prf, chunk_t seed,
-					 u_int64_t iterations)
-{
-	chunk_t u;
-	u_int64_t i;
-
-	u = chunk_alloca(prf->get_block_size(prf));
-	if (!prf->get_bytes(prf, seed, u.ptr))
-	{
-		return FALSE;
-	}
-	memcpy(block.ptr, u.ptr, block.len);
-
-	for (i = 1; i < iterations; i++)
-	{
-		if (!prf->get_bytes(prf, u, u.ptr))
-		{
-			return FALSE;
-		}
-		memxor(block.ptr, u.ptr, block.len);
-	}
-	return TRUE;
-}
-
-/**
- * PBKDF2 key derivation function
- */
-static bool pbkdf2(prf_t *prf, chunk_t password, chunk_t salt,
-				   u_int64_t iterations, chunk_t key)
-{
-	chunk_t keymat, block, seed;
-	size_t blocks;
-	u_int32_t i = 0, *ni;
-
-	if (!prf->set_key(prf, password))
-	{
-		return FALSE;
-	}
-
-	block.len = prf->get_block_size(prf);
-	blocks = (key.len - 1) / block.len + 1;
-	keymat = chunk_alloca(blocks * block.len);
-
-	seed = chunk_cata("cc", salt, chunk_from_thing(i));
-	ni = (u_int32_t*)(seed.ptr + salt.len);
-
-	for (; i < blocks; i++)
-	{
-		*ni = htonl(i + 1);
-		block.ptr = keymat.ptr + (i * block.len);
-		if (!pbkdf2_f(block, prf, seed, iterations))
-		{
-			return FALSE;
-		}
-	}
 
-	memcpy(key.ptr, keymat.ptr, key.len);
-
-	return TRUE;
-}
-
-/**
- * Decrypt an encrypted PKCS#8 encoded private key according to PBES2
- */
-static private_key_t *decrypt_private_key_pbes2(chunk_t blob,
-							encryption_algorithm_t encr, size_t key_len,
-							chunk_t iv, pseudo_random_function_t prf_func,
-							chunk_t salt, u_int64_t iterations)
-{
-	private_key_t *private_key;
-	prf_t *prf;
-	chunk_t key;
-
-	prf = lib->crypto->create_prf(lib->crypto, prf_func);
-	if (!prf)
-	{
-		DBG1(DBG_ASN, "  %N prf algorithm not available",
-			 pseudo_random_function_names, prf_func);
-		return NULL;
-	}
-
-	key = chunk_alloca(key_len);
-
-	private_key = decrypt_private_key(blob, encr, key_len, (kdf_t)pbkdf2, prf,
-									  salt, iterations, key, key, iv);
-
-	prf->destroy(prf);
-	return private_key;
-}
-
-/**
- * PBKDF1 key derivation function
- */
-static bool pbkdf1(hasher_t *hasher, chunk_t password, chunk_t salt,
-				   u_int64_t iterations, chunk_t key)
-{
-	chunk_t hash;
-	u_int64_t i;
-
-	hash = chunk_alloca(hasher->get_hash_size(hasher));
-	if (!hasher->get_hash(hasher, password, NULL) ||
-		!hasher->get_hash(hasher, salt, hash.ptr))
-	{
-		return FALSE;
-	}
-
-	for (i = 1; i < iterations; i++)
-	{
-		if (!hasher->get_hash(hasher, hash, hash.ptr))
-		{
-			return FALSE;
-		}
-	}
-
-	memcpy(key.ptr, hash.ptr, key.len);
-
-	return TRUE;
-}
-
-/**
- * Decrypt an encrypted PKCS#8 encoded private key according to PBES1
- */
-static private_key_t *decrypt_private_key_pbes1(chunk_t blob,
-							encryption_algorithm_t encr, size_t key_len,
-							hash_algorithm_t hash, chunk_t salt,
-							u_int64_t iterations)
-{
-	private_key_t *private_key = NULL;
-	hasher_t *hasher = NULL;
-	chunk_t keymat, key, iv;
-
-	hasher = lib->crypto->create_hasher(lib->crypto, hash);
-	if (!hasher)
-	{
-		DBG1(DBG_ASN, "  %N hash algorithm not available",
-			 hash_algorithm_names, hash);
-		goto end;
-	}
-	if (hasher->get_hash_size(hasher) < key_len)
-	{
-		goto end;
-	}
-
-	keymat = chunk_alloca(key_len * 2);
-	key.len = key_len;
-	key.ptr = keymat.ptr;
-	iv.len = key_len;
-	iv.ptr = keymat.ptr + key_len;
-
-	private_key = decrypt_private_key(blob, encr, key_len, (kdf_t)pbkdf1,
-									  hasher, salt, iterations, keymat,
-									  key, iv);
-
-end:
-	DESTROY_IF(hasher);
 	return private_key;
 }
 
-/**
- * Parse an ASN1_INTEGER to a u_int64_t.
- */
-static u_int64_t parse_asn1_integer_uint64(chunk_t blob)
-{
-	u_int64_t val = 0;
-	int i;
-
-	for (i = 0; i < blob.len; i++)
-	{	/* if it is longer than 8 bytes, we just use the 8 LSBs */
-		val <<= 8;
-		val |= (u_int64_t)blob.ptr[i];
-	}
-	return val;
-}
-
-/**
- * ASN.1 definition of a PBKDF2-params structure
- * The salt is actually a CHOICE and could be an AlgorithmIdentifier from
- * PBKDF2-SaltSources (but as per RFC 2898 that's for future versions).
- */
-static const asn1Object_t pbkdf2ParamsObjects[] = {
-	{ 0, "PBKDF2-params",	ASN1_SEQUENCE,		ASN1_NONE			}, /* 0 */
-	{ 1,   "salt",			ASN1_OCTET_STRING,	ASN1_BODY			}, /* 1 */
-	{ 1,   "iterationCount",ASN1_INTEGER,		ASN1_BODY			}, /* 2 */
-	{ 1,   "keyLength",		ASN1_INTEGER,		ASN1_OPT|ASN1_BODY	}, /* 3 */
-	{ 1,   "end opt",		ASN1_EOC,			ASN1_END			}, /* 4 */
-	{ 1,   "prf",			ASN1_EOC,			ASN1_DEF|ASN1_RAW	}, /* 5 */
-	{ 0, "exit",			ASN1_EOC,			ASN1_EXIT			}
-};
-#define PBKDF2_SALT					1
-#define PBKDF2_ITERATION_COUNT		2
-#define PBKDF2_KEY_LENGTH			3
-#define PBKDF2_PRF					5
-
-/**
- * Parse a PBKDF2-params structure
- */
-static void parse_pbkdf2_params(chunk_t blob, chunk_t *salt,
-								u_int64_t *iterations, size_t *key_len,
-								pseudo_random_function_t *prf)
-{
-	asn1_parser_t *parser;
-	chunk_t object;
-	int objectID;
-
-	parser = asn1_parser_create(pbkdf2ParamsObjects, blob);
-
-	*key_len = 0; /* key_len is optional */
-
-	while (parser->iterate(parser, &objectID, &object))
-	{
-		switch (objectID)
-		{
-			case PBKDF2_SALT:
-			{
-				*salt = object;
-				break;
-			}
-			case PBKDF2_ITERATION_COUNT:
-			{
-				*iterations = parse_asn1_integer_uint64(object);
-				break;
-			}
-			case PBKDF2_KEY_LENGTH:
-			{
-				*key_len = (size_t)parse_asn1_integer_uint64(object);
-				break;
-			}
-			case PBKDF2_PRF:
-			{	/* defaults to id-hmacWithSHA1 */
-				*prf = PRF_HMAC_SHA1;
-				break;
-			}
-		}
-	}
-
-	parser->destroy(parser);
-}
-
-/**
- * ASN.1 definition of a PBES2-params structure
- */
-static const asn1Object_t pbes2ParamsObjects[] = {
-	{ 0, "PBES2-params",		ASN1_SEQUENCE,		ASN1_NONE	}, /* 0 */
-	{ 1,   "keyDerivationFunc",	ASN1_EOC,			ASN1_RAW	}, /* 1 */
-	{ 1,   "encryptionScheme",	ASN1_EOC,			ASN1_RAW	}, /* 2 */
-	{ 0, "exit",				ASN1_EOC,			ASN1_EXIT	}
-};
-#define PBES2PARAMS_KEY_DERIVATION_FUNC		1
-#define PBES2PARAMS_ENCRYPTION_SCHEME		2
-
-/**
- * Parse a PBES2-params structure
- */
-static void parse_pbes2_params(chunk_t blob, chunk_t *salt,
-							   u_int64_t *iterations, size_t *key_len,
-							   pseudo_random_function_t *prf,
-							   encryption_algorithm_t *encr, chunk_t *iv)
-{
-	asn1_parser_t *parser;
-	chunk_t object, params;
-	int objectID;
-
-	parser = asn1_parser_create(pbes2ParamsObjects, blob);
-
-	while (parser->iterate(parser, &objectID, &object))
-	{
-		switch (objectID)
-		{
-			case PBES2PARAMS_KEY_DERIVATION_FUNC:
-			{
-				int oid = asn1_parse_algorithmIdentifier(object,
-									parser->get_level(parser) + 1, &params);
-				if (oid != OID_PBKDF2)
-				{	/* unsupported key derivation function */
-					goto end;
-				}
-				parse_pbkdf2_params(params, salt, iterations, key_len, prf);
-				break;
-			}
-			case PBES2PARAMS_ENCRYPTION_SCHEME:
-			{
-				int oid = asn1_parse_algorithmIdentifier(object,
-									parser->get_level(parser) + 1, &params);
-				if (oid != OID_3DES_EDE_CBC)
-				{	/* unsupported encryption scheme */
-					goto end;
-				}
-				if (*key_len <= 0)
-				{	/* default key len for DES-EDE3-CBC-Pad */
-					*key_len = 24;
-				}
-				if (!asn1_parse_simple_object(&params, ASN1_OCTET_STRING,
-									parser->get_level(parser) + 1, "IV"))
-				{
-					goto end;
-				}
-				*encr = ENCR_3DES;
-				*iv = params;
-				break;
-			}
-		}
-	}
-
-end:
-	parser->destroy(parser);
-}
-
-/**
- * ASN.1 definition of a PBEParameter structure
- */
-static const asn1Object_t pbeParameterObjects[] = {
-	{ 0, "PBEParameter",		ASN1_SEQUENCE,		ASN1_NONE	}, /* 0 */
-	{ 1,   "salt",				ASN1_OCTET_STRING,	ASN1_BODY	}, /* 1 */
-	{ 1,   "iterationCount",	ASN1_INTEGER,		ASN1_BODY	}, /* 2 */
-	{ 0, "exit",				ASN1_EOC,			ASN1_EXIT	}
-};
-#define PBEPARAM_SALT					1
-#define PBEPARAM_ITERATION_COUNT		2
-
-/**
- * Parse a PBEParameter structure
- */
-static void parse_pbe_parameters(chunk_t blob, chunk_t *salt,
-								 u_int64_t *iterations)
-{
-	asn1_parser_t *parser;
-	chunk_t object;
-	int objectID;
-
-	parser = asn1_parser_create(pbeParameterObjects, blob);
-
-	while (parser->iterate(parser, &objectID, &object))
-	{
-		switch (objectID)
-		{
-			case PBEPARAM_SALT:
-			{
-				*salt = object;
-				break;
-			}
-			case PBEPARAM_ITERATION_COUNT:
-			{
-				*iterations = parse_asn1_integer_uint64(object);
-				break;
-			}
-		}
-	}
-
-	parser->destroy(parser);
-}
-
 /**
  * ASN.1 definition of an encryptedPrivateKeyInfo structure
  */
@@ -563,14 +153,10 @@ static const asn1Object_t encryptedPKIObjects[] = {
 static private_key_t *parse_encrypted_private_key(chunk_t blob)
 {
 	asn1_parser_t *parser;
-	chunk_t object, params, salt = chunk_empty, iv = chunk_empty;
-	u_int64_t iterations = 0;
+	chunk_t object;
 	int objectID;
-	encryption_algorithm_t encr = ENCR_UNDEFINED;
-	hash_algorithm_t hash = HASH_UNKNOWN;
-	pseudo_random_function_t prf = PRF_UNDEFINED;
 	private_key_t *key = NULL;
-	size_t key_len = 8;
+	pkcs5_t *pkcs5 = NULL;
 
 	parser = asn1_parser_create(encryptedPKIObjects, blob);
 
@@ -580,49 +166,24 @@ static private_key_t *parse_encrypted_private_key(chunk_t blob)
 		{
 			case EPKINFO_ENCRYPTION_ALGORITHM:
 			{
-				int oid = asn1_parse_algorithmIdentifier(object,
-									parser->get_level(parser) + 1, &params);
-
-				switch (oid)
+				pkcs5 = pkcs5_from_algorithmIdentifier(object,
+												parser->get_level(parser) + 1);
+				if (!pkcs5)
 				{
-					case OID_PBE_MD5_DES_CBC:
-						encr = ENCR_DES;
-						hash = HASH_MD5;
-						parse_pbe_parameters(params, &salt, &iterations);
-						break;
-					case OID_PBE_SHA1_DES_CBC:
-						encr = ENCR_DES;
-						hash = HASH_SHA1;
-						parse_pbe_parameters(params, &salt, &iterations);
-						break;
-					case OID_PBES2:
-						parse_pbes2_params(params, &salt, &iterations,
-										   &key_len, &prf, &encr, &iv);
-						break;
-					default:
-						/* encryption scheme not supported */
-						goto end;
+					goto end;
 				}
 				break;
 			}
 			case EPKINFO_ENCRYPTED_DATA:
 			{
-				if (prf != PRF_UNDEFINED)
-				{
-					key = decrypt_private_key_pbes2(object, encr, key_len, iv,
-													prf, salt, iterations);
-				}
-				else
-				{
-					key = decrypt_private_key_pbes1(object, encr, key_len, hash,
-													salt, iterations);
-				}
+				key = decrypt_private_key(pkcs5, object);
 				break;
 			}
 		}
 	}
 
 end:
+	DESTROY_IF(pkcs5);
 	parser->destroy(parser);
 	return key;
 }
diff --git a/src/libstrongswan/plugins/pkcs8/pkcs8_plugin.c b/src/libstrongswan/plugins/pkcs8/pkcs8_plugin.c
index f78c83054..129fbb045 100644
--- a/src/libstrongswan/plugins/pkcs8/pkcs8_plugin.c
+++ b/src/libstrongswan/plugins/pkcs8/pkcs8_plugin.c
@@ -43,6 +43,7 @@ METHOD(plugin_t, get_features, int,
 {
 	static plugin_feature_t f[] = {
 		PLUGIN_REGISTER(PRIVKEY, pkcs8_private_key_load, FALSE),
+			PLUGIN_PROVIDE(PRIVKEY, KEY_ANY),
 			PLUGIN_PROVIDE(PRIVKEY, KEY_RSA),
 			PLUGIN_PROVIDE(PRIVKEY, KEY_ECDSA),
 	};
diff --git a/src/libstrongswan/plugins/plugin_feature.c b/src/libstrongswan/plugins/plugin_feature.c
index 6c954f76d..8a1958be5 100644
--- a/src/libstrongswan/plugins/plugin_feature.c
+++ b/src/libstrongswan/plugins/plugin_feature.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2012 Tobias Brunner
+ * Copyright (C) 2012-2013 Tobias Brunner
  * Hochschule fuer Technik Rapperswil
  *
  * Copyright (C) 2011 Martin Willi
@@ -50,6 +50,7 @@ ENUM(plugin_feature_names, FEATURE_NONE, FEATURE_CUSTOM,
 	"XAUTH_CLIENT",
 	"DATABASE",
 	"FETCHER",
+	"RESOLVER",
 	"CUSTOM",
 );
 
@@ -67,6 +68,7 @@ u_int32_t plugin_feature_hash(plugin_feature_t *feature)
 		case FEATURE_NONCE_GEN:
 		case FEATURE_DATABASE:
 		case FEATURE_FETCHER:
+		case FEATURE_RESOLVER:
 			/* put these special cases in their (type-specific) buckets */
 			data = chunk_empty;
 			break;
@@ -133,6 +135,7 @@ bool plugin_feature_matches(plugin_feature_t *a, plugin_feature_t *b)
 			case FEATURE_RNG:
 				return a->arg.rng_quality <= b->arg.rng_quality;
 			case FEATURE_NONCE_GEN:
+			case FEATURE_RESOLVER:
 				return TRUE;
 			case FEATURE_PRIVKEY:
 			case FEATURE_PRIVKEY_GEN:
@@ -169,6 +172,56 @@ bool plugin_feature_matches(plugin_feature_t *a, plugin_feature_t *b)
 	return FALSE;
 }
 
+/**
+ * See header.
+ */
+bool plugin_feature_equals(plugin_feature_t *a, plugin_feature_t *b)
+{
+	if (a->type == b->type)
+	{
+		switch (a->type)
+		{
+			case FEATURE_NONE:
+			case FEATURE_CRYPTER:
+			case FEATURE_AEAD:
+			case FEATURE_SIGNER:
+			case FEATURE_HASHER:
+			case FEATURE_PRF:
+			case FEATURE_DH:
+			case FEATURE_NONCE_GEN:
+			case FEATURE_RESOLVER:
+			case FEATURE_PRIVKEY:
+			case FEATURE_PRIVKEY_GEN:
+			case FEATURE_PUBKEY:
+			case FEATURE_PRIVKEY_SIGN:
+			case FEATURE_PUBKEY_VERIFY:
+			case FEATURE_PRIVKEY_DECRYPT:
+			case FEATURE_PUBKEY_ENCRYPT:
+			case FEATURE_CERT_DECODE:
+			case FEATURE_CERT_ENCODE:
+			case FEATURE_CONTAINER_DECODE:
+			case FEATURE_CONTAINER_ENCODE:
+			case FEATURE_EAP_SERVER:
+			case FEATURE_EAP_PEER:
+			case FEATURE_CUSTOM:
+			case FEATURE_XAUTH_SERVER:
+			case FEATURE_XAUTH_PEER:
+				return plugin_feature_matches(a, b);
+			case FEATURE_RNG:
+				return a->arg.rng_quality == b->arg.rng_quality;
+			case FEATURE_DATABASE:
+				return a->arg.database == b->arg.database;
+			case FEATURE_FETCHER:
+				if (a->arg.fetcher && b->arg.fetcher)
+				{
+					return streq(a->arg.fetcher, b->arg.fetcher);
+				}
+				return !a->arg.fetcher && !b->arg.fetcher;
+		}
+	}
+	return FALSE;
+}
+
 /**
  * See header.
  */
@@ -236,6 +289,7 @@ char* plugin_feature_get_string(plugin_feature_t *feature)
 			}
 			break;
 		case FEATURE_NONCE_GEN:
+		case FEATURE_RESOLVER:
 			if (asprintf(&str, "%N", plugin_feature_names, feature->type) > 0)
 			{
 				return str;
@@ -413,6 +467,9 @@ bool plugin_feature_load(plugin_t *plugin, plugin_feature_t *feature,
 			lib->fetcher->add_fetcher(lib->fetcher, reg->arg.reg.f,
 									  feature->arg.fetcher);
 			break;
+		case FEATURE_RESOLVER:
+			lib->resolver->add_resolver(lib->resolver, reg->arg.reg.f);
+			break;
 		default:
 			break;
 	}
@@ -485,6 +542,9 @@ bool plugin_feature_unload(plugin_t *plugin, plugin_feature_t *feature,
 		case FEATURE_FETCHER:
 			lib->fetcher->remove_fetcher(lib->fetcher, reg->arg.reg.f);
 			break;
+		case FEATURE_RESOLVER:
+			lib->resolver->remove_resolver(lib->resolver, reg->arg.reg.f);
+			break;
 		default:
 			break;
 	}
diff --git a/src/libstrongswan/plugins/plugin_feature.h b/src/libstrongswan/plugins/plugin_feature.h
index 7667fff3e..ea23f766c 100644
--- a/src/libstrongswan/plugins/plugin_feature.h
+++ b/src/libstrongswan/plugins/plugin_feature.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2012 Tobias Brunner
+ * Copyright (C) 2012-2013 Tobias Brunner
  * Hochschule fuer Technik Rapperswil
  *
  * Copyright (C) 2011 Martin Willi
@@ -150,6 +150,8 @@ struct plugin_feature_t {
 		FEATURE_DATABASE,
 		/** fetcher_t */
 		FEATURE_FETCHER,
+		/** resolver_t */
+		FEATURE_RESOLVER,
 		/** custom feature, described with a string */
 		FEATURE_CUSTOM,
 	} type;
@@ -294,6 +296,7 @@ struct plugin_feature_t {
 #define _PLUGIN_FEATURE_EAP_PEER(kind, type)				__PLUGIN_FEATURE(kind, EAP_PEER, .eap = type)
 #define _PLUGIN_FEATURE_DATABASE(kind, type)				__PLUGIN_FEATURE(kind, DATABASE, .database = type)
 #define _PLUGIN_FEATURE_FETCHER(kind, type)					__PLUGIN_FEATURE(kind, FETCHER, .fetcher = type)
+#define _PLUGIN_FEATURE_RESOLVER(kind, ...)					__PLUGIN_FEATURE(kind, RESOLVER, .custom = NULL)
 #define _PLUGIN_FEATURE_CUSTOM(kind, name)					__PLUGIN_FEATURE(kind, CUSTOM, .custom = name)
 #define _PLUGIN_FEATURE_XAUTH_SERVER(kind, name)			__PLUGIN_FEATURE(kind, XAUTH_SERVER, .xauth = name)
 #define _PLUGIN_FEATURE_XAUTH_PEER(kind, name)				__PLUGIN_FEATURE(kind, XAUTH_PEER, .xauth = name)
@@ -317,6 +320,7 @@ struct plugin_feature_t {
 #define _PLUGIN_FEATURE_REGISTER_CONTAINER_ENCODE(type, f, final)__PLUGIN_FEATURE_REGISTER_BUILDER(type, f, final)
 #define _PLUGIN_FEATURE_REGISTER_DATABASE(type, f)			__PLUGIN_FEATURE_REGISTER(type, f)
 #define _PLUGIN_FEATURE_REGISTER_FETCHER(type, f)			__PLUGIN_FEATURE_REGISTER(type, f)
+#define _PLUGIN_FEATURE_REGISTER_RESOLVER(type, f)			__PLUGIN_FEATURE_REGISTER(type, f)
 
 #define _PLUGIN_FEATURE_CALLBACK(_cb, _data) (plugin_feature_t){ FEATURE_CALLBACK, FEATURE_NONE, .arg.cb = { .f = _cb, .data = _data } }
 
@@ -325,6 +329,27 @@ struct plugin_feature_t {
  */
 extern enum_name_t *plugin_feature_names;
 
+/**
+ * Add a set of plugin features to the given array, which must have enough space
+ * to store the added features.
+ *
+ * @param features		the array of plugin features to extend
+ * @param to_add		the features to add
+ * @param count			number of features to add
+ * @param pos			current position in the features array, gets advanced
+ */
+static inline void plugin_features_add(plugin_feature_t *features,
+									   plugin_feature_t *to_add,
+									   int count, int *pos)
+{
+	int i;
+
+	for (i = 0; i < count; i++)
+	{
+		features[(*pos)++] = to_add[i];
+	}
+}
+
 /**
  * Calculates a hash value for the given feature.
  *
@@ -340,12 +365,25 @@ u_int32_t plugin_feature_hash(plugin_feature_t *feature);
 /**
  * Check if feature a matches to feature b.
  *
+ * This is no check for equality.  For instance, for FEATURE_RNG a matches b if
+ * a's strength is at least the strength of b.  Or for FEATURE_SQL if a is
+ * DB_ANY it will match b if it is of the same type.
+ *
  * @param a			feature to check
  * @param b			feature to match against
  * @return			TRUE if a matches b
  */
 bool plugin_feature_matches(plugin_feature_t *a, plugin_feature_t *b);
 
+/**
+ * Check if feature a equals feature b.
+ *
+ * @param a			feature
+ * @param b			feature to compare
+ * @return			TRUE if a equals b
+ */
+bool plugin_feature_equals(plugin_feature_t *a, plugin_feature_t *b);
+
 /**
  * Get a string describing feature.
  *
diff --git a/src/libstrongswan/plugins/plugin_loader.c b/src/libstrongswan/plugins/plugin_loader.c
index cea219e92..5ed0a9b0f 100644
--- a/src/libstrongswan/plugins/plugin_loader.c
+++ b/src/libstrongswan/plugins/plugin_loader.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2010-2012 Tobias Brunner
+ * Copyright (C) 2010-2013 Tobias Brunner
  * Copyright (C) 2007 Martin Willi
  * Hochschule fuer Technik Rapperswil
  *
@@ -17,6 +17,9 @@
 #define _GNU_SOURCE
 #include "plugin_loader.h"
 
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <unistd.h>
 #include <string.h>
 #include <dlfcn.h>
 #include <limits.h>
@@ -30,6 +33,8 @@
 #include <utils/integrity_checker.h>
 
 typedef struct private_plugin_loader_t private_plugin_loader_t;
+typedef struct registered_feature_t registered_feature_t;
+typedef struct provided_feature_t provided_feature_t;
 typedef struct plugin_entry_t plugin_entry_t;
 
 /**
@@ -48,14 +53,110 @@ struct private_plugin_loader_t {
 	linked_list_t *plugins;
 
 	/**
-	 * Hashtable for loaded features, as plugin_feature_t
+	 * Hashtable for registered features, as registered_feature_t
 	 */
-	hashtable_t *loaded_features;
+	hashtable_t *features;
+
+	/**
+	 * Loaded features (stored in reverse order), as provided_feature_t
+	 */
+	linked_list_t *loaded;
+
+	/**
+	 * List of paths to search for plugins
+	 */
+	linked_list_t *paths;
 
 	/**
 	 * List of names of loaded plugins
 	 */
 	char *loaded_plugins;
+
+	/**
+	 * Statistics collected while loading features
+	 */
+	struct {
+		/** Number of features that failed to load */
+		int failed;
+		/** Number of features that failed because of unmet dependencies */
+		int depends;
+		/** Number of features in critical plugins that failed to load */
+		int critical;
+	} stats;
+};
+
+/**
+ * Registered plugin feature
+ */
+struct registered_feature_t {
+
+	/**
+	 * The registered feature
+	 */
+	plugin_feature_t *feature;
+
+	/**
+	 * List of plugins providing this feature, as provided_feature_t
+	 */
+	linked_list_t *plugins;
+};
+
+/**
+ * Hash a registered feature
+ */
+static bool registered_feature_hash(registered_feature_t *this)
+{
+	return plugin_feature_hash(this->feature);
+}
+
+/**
+ * Compare two registered features
+ */
+static bool registered_feature_equals(registered_feature_t *a,
+									  registered_feature_t *b)
+{
+	return plugin_feature_equals(a->feature, b->feature);
+}
+
+/**
+ * Feature as provided by a plugin
+ */
+struct provided_feature_t {
+
+	/**
+	 * Plugin providing the feature
+	 */
+	plugin_entry_t *entry;
+
+	/**
+	 * FEATURE_REGISTER or FEATURE_CALLBACK entry
+	 */
+	plugin_feature_t *reg;
+
+	/**
+	 * The provided feature (followed by dependencies)
+	 */
+	plugin_feature_t *feature;
+
+	/**
+	 * Maximum number of dependencies (following feature)
+	 */
+	int dependencies;
+
+	/**
+	 * TRUE if currently loading this feature (to prevent loops)
+	 */
+	bool loading;
+
+	/**
+	 * TRUE if feature loaded
+	 */
+	bool loaded;
+
+	/**
+	 * TRUE if feature failed to load
+	 */
+	bool failed;
 };
 
 /**
@@ -79,14 +180,9 @@ struct plugin_entry_t {
 	void *handle;
 
 	/**
-	 * List of loaded features
+	 * List of features, as provided_feature_t
 	 */
-	linked_list_t *loaded;
-
-	/**
-	 * List features failed to load
-	 */
-	linked_list_t *failed;
+	linked_list_t *features;
 };
 
 /**
@@ -99,8 +195,7 @@ static void plugin_entry_destroy(plugin_entry_t *entry)
 	{
 		dlclose(entry->handle);
 	}
-	entry->loaded->destroy(entry->loaded);
-	entry->failed->destroy(entry->failed);
+	entry->features->destroy(entry->features);
 	free(entry);
 }
 
@@ -176,14 +271,6 @@ static plugin_t *static_features_create(const char *name,
 	return &this->public;
 }
 
-/**
- * Compare function for hashtable of loaded features.
- */
-static bool plugin_feature_equals(plugin_feature_t *a, plugin_feature_t *b)
-{
-	return a == b;
-}
-
 /**
  * create a plugin
  * returns: NOT_FOUND, if the constructor was not found
@@ -228,8 +315,7 @@ static status_t create_plugin(private_plugin_loader_t *this, void *handle,
 	INIT(*entry,
 		.plugin = plugin,
 		.critical = critical,
-		.loaded = linked_list_create(),
-		.failed = linked_list_create(),
+		.features = linked_list_create(),
 	);
 	DBG2(DBG_LIB, "plugin '%s': loaded successfully", name);
 	return SUCCESS;
@@ -238,8 +324,8 @@ static status_t create_plugin(private_plugin_loader_t *this, void *handle,
 /**
  * load a single plugin
  */
-static bool load_plugin(private_plugin_loader_t *this, char *name, char *file,
-						bool critical)
+static plugin_entry_t *load_plugin(private_plugin_loader_t *this, char *name,
+								   char *file, bool critical)
 {
 	plugin_entry_t *entry;
 	void *handle;
@@ -248,7 +334,7 @@ static bool load_plugin(private_plugin_loader_t *this, char *name, char *file,
 	{
 		case SUCCESS:
 			this->plugins->insert_last(this->plugins, entry);
-			return TRUE;
+			return entry;
 		case NOT_FOUND:
 			if (file)
 			{	/* try to load the plugin from a file */
@@ -256,7 +342,7 @@ static bool load_plugin(private_plugin_loader_t *this, char *name, char *file,
 			}
 			/* fall-through */
 		default:
-			return FALSE;
+			return NULL;
 	}
 	if (lib->integrity)
 	{
@@ -264,23 +350,33 @@ static bool load_plugin(private_plugin_loader_t *this, char *name, char *file,
 		{
 			DBG1(DBG_LIB, "plugin '%s': failed file integrity test of '%s'",
 				 name, file);
-			return FALSE;
+			return NULL;
 		}
 	}
 	handle = dlopen(file, RTLD_LAZY);
 	if (handle == NULL)
 	{
 		DBG1(DBG_LIB, "plugin '%s' failed to load: %s", name, dlerror());
-		return FALSE;
+		return NULL;
 	}
 	if (create_plugin(this, handle, name, TRUE, critical, &entry) != SUCCESS)
 	{
 		dlclose(handle);
-		return FALSE;
+		return NULL;
 	}
 	entry->handle = handle;
 	this->plugins->insert_last(this->plugins, entry);
-	return TRUE;
+	return entry;
+}
+
+/**
+ * Convert enumerated provided_feature_t to plugin_feature_t
+ */
+static bool feature_filter(void *null, provided_feature_t **provided,
+						   plugin_feature_t **feature)
+{
+	*feature = (*provided)->feature;
+	return (*provided)->loaded;
 }
 
 /**
@@ -289,10 +385,16 @@ static bool load_plugin(private_plugin_loader_t *this, char *name, char *file,
 static bool plugin_filter(void *null, plugin_entry_t **entry, plugin_t **plugin,
 						  void *in, linked_list_t **list)
 {
-	*plugin = (*entry)->plugin;
+	plugin_entry_t *this = *entry;
+
+	*plugin = this->plugin;
 	if (list)
 	{
-		*list = (*entry)->loaded;
+		enumerator_t *features;
+		features = enumerator_create_filter(
+							this->features->create_enumerator(this->features),
+							(void*)feature_filter, NULL, NULL);
+		*list = linked_list_create_from_enumerator(features);
 	}
 	return TRUE;
 }
@@ -305,6 +407,35 @@ METHOD(plugin_loader_t, create_plugin_enumerator, enumerator_t*,
 							(void*)plugin_filter, NULL, NULL);
 }
 
+METHOD(plugin_loader_t, has_feature, bool,
+	private_plugin_loader_t *this, plugin_feature_t feature)
+{
+	enumerator_t *plugins, *features;
+	plugin_t *plugin;
+	linked_list_t *list;
+	plugin_feature_t *current;
+	bool found = FALSE;
+
+	plugins = create_plugin_enumerator(this);
+	while (plugins->enumerate(plugins, &plugin, &list))
+	{
+		features = list->create_enumerator(list);
+		while (features->enumerate(features, &current))
+		{
+			if (plugin_feature_matches(&feature, current))
+			{
+				found = TRUE;
+				break;
+			}
+		}
+		features->destroy(features);
+		list->destroy(list);
+	}
+	plugins->destroy(plugins);
+
+	return found;
+}
+
 /**
  * Create a list of the names of all loaded plugins
  */
@@ -336,7 +467,6 @@ static char* loaded_plugins_list(private_plugin_loader_t *this)
 	return buf;
 }
 
-
 /**
  * Check if a plugin is already loaded
  */
@@ -360,59 +490,176 @@ static bool plugin_loaded(private_plugin_loader_t *this, char *name)
 }
 
 /**
- * Check if a feature of a plugin is already loaded
+ * Forward declaration
+ */
+static void load_provided(private_plugin_loader_t *this,
+						  provided_feature_t *provided,
+						  int level);
+
+/**
+ * Used to find a loaded feature
+ */
+static bool is_feature_loaded(provided_feature_t *item)
+{
+	return item->loaded;
+}
+
+/**
+ * Used to find a loadable feature
  */
-static bool feature_loaded(private_plugin_loader_t *this, plugin_entry_t *entry,
-						   plugin_feature_t *feature)
+static bool is_feature_loadable(provided_feature_t *item)
 {
-	return entry->loaded->find_first(entry->loaded, NULL,
-									 (void**)&feature) == SUCCESS;
+	return !item->loading && !item->loaded && !item->failed;
 }
 
 /**
- * Check if loading a feature of a plugin failed
+ * Find a loaded and matching feature
  */
-static bool feature_failed(private_plugin_loader_t *this, plugin_entry_t *entry,
-						   plugin_feature_t *feature)
+static bool loaded_feature_matches(registered_feature_t *a,
+								   registered_feature_t *b)
 {
-	return entry->failed->find_first(entry->failed, NULL,
-									 (void**)&feature) == SUCCESS;
+	if (plugin_feature_matches(a->feature, b->feature))
+	{
+		return b->plugins->find_first(b->plugins, (void*)is_feature_loaded,
+									  NULL) == SUCCESS;
+	}
+	return FALSE;
 }
 
 /**
- * Check if dependencies are satisfied
+ * Find a loadable module that equals the requested feature
  */
-static bool dependencies_satisfied(private_plugin_loader_t *this,
-								plugin_entry_t *entry, bool soft, bool report,
-								plugin_feature_t *features, int count)
+static bool loadable_feature_equals(registered_feature_t *a,
+									registered_feature_t *b)
 {
+	if (plugin_feature_equals(a->feature, b->feature))
+	{
+		return b->plugins->find_first(b->plugins, (void*)is_feature_loadable,
+									  NULL) == SUCCESS;
+	}
+	return FALSE;
+}
+
+/**
+ * Find a loadable module that matches the requested feature
+ */
+static bool loadable_feature_matches(registered_feature_t *a,
+									 registered_feature_t *b)
+{
+	if (plugin_feature_matches(a->feature, b->feature))
+	{
+		return b->plugins->find_first(b->plugins, (void*)is_feature_loadable,
+									  NULL) == SUCCESS;
+	}
+	return FALSE;
+}
+
+/**
+ * Returns a compatible plugin feature for the given depencency
+ */
+static bool find_compatible_feature(private_plugin_loader_t *this,
+									plugin_feature_t *dependency)
+{
+	registered_feature_t *feature, lookup = {
+		.feature = dependency,
+	};
+
+	feature = this->features->get_match(this->features, &lookup,
+									   (void*)loaded_feature_matches);
+	return feature != NULL;
+}
+
+/**
+ * Load a registered plugin feature
+ */
+static void load_registered(private_plugin_loader_t *this,
+							registered_feature_t *registered,
+							int level)
+{
+	enumerator_t *enumerator;
+	provided_feature_t *provided;
+
+	enumerator = registered->plugins->create_enumerator(registered->plugins);
+	while (enumerator->enumerate(enumerator, &provided))
+	{
+		load_provided(this, provided, level);
+	}
+	enumerator->destroy(enumerator);
+}
+
+/**
+ * Try to load dependencies of the given feature
+ */
+static bool load_dependencies(private_plugin_loader_t *this,
+							  provided_feature_t *provided,
+							  int level)
+{
+	registered_feature_t *registered, lookup;
+	int indent = level * 2;
 	int i;
 
 	/* first entry is provided feature, followed by dependencies */
-	for (i = 1; i < count; i++)
+	for (i = 1; i < provided->dependencies; i++)
 	{
-		plugin_feature_t *found;
-
-		if (features[i].kind != FEATURE_DEPENDS &&
-			features[i].kind != FEATURE_SDEPEND)
+		if (provided->feature[i].kind != FEATURE_DEPENDS &&
+			provided->feature[i].kind != FEATURE_SDEPEND)
 		{	/* end of dependencies */
 			break;
 		}
-		found = this->loaded_features->get_match(this->loaded_features,
-					&features[i], (hashtable_equals_t)plugin_feature_matches);
-		if (!found && (features[i].kind != FEATURE_SDEPEND || soft))
-		{
-			if (report)
+
+		/* we load the feature even if a compatible one is already loaded,
+		 * otherwise e.g. a specific database implementation loaded before
+		 * another might cause a plugin feature loaded in-between to fail */
+		lookup.feature = &provided->feature[i];
+		do
+		{	/* prefer an exactly matching feature, could be omitted but
+			 * results in a more predictable behavior */
+			registered = this->features->get_match(this->features,
+										 &lookup,
+										 (void*)loadable_feature_equals);
+			if (!registered)
+			{	/* try fuzzy matching */
+				registered = this->features->get_match(this->features,
+										 &lookup,
+										 (void*)loadable_feature_matches);
+			}
+			if (registered)
 			{
-				char *provide, *depend, *name;
+				load_registered(this, registered, level);
+			}
+			/* we could stop after finding one but for dependencies like
+			 * DB_ANY it might be needed to load all matching features */
+		}
+		while (registered);
 
-				name = entry->plugin->get_name(entry->plugin);
-				provide = plugin_feature_get_string(&features[0]);
-				depend = plugin_feature_get_string(&features[i]);
-				DBG2(DBG_LIB, "feature %s in '%s' plugin has unsatisfied "
+		if (!find_compatible_feature(this, &provided->feature[i]))
+		{
+			char *name, *provide, *depend;
+			bool soft = provided->feature[i].kind == FEATURE_SDEPEND;
+
+			name = provided->entry->plugin->get_name(provided->entry->plugin);
+			provide = plugin_feature_get_string(&provided->feature[0]);
+			depend = plugin_feature_get_string(&provided->feature[i]);
+			if (soft)
+			{
+				DBG3(DBG_LIB, "%*sfeature %s in plugin '%s' has unmet soft "
+					 "dependency: %s", indent, "", provide, name, depend);
+			}
+			else if (provided->entry->critical)
+			{
+				DBG1(DBG_LIB, "feature %s in critical plugin '%s' has unmet "
 					 "dependency: %s", provide, name, depend);
-				free(provide);
-				free(depend);
+			}
+			else
+			{
+				DBG2(DBG_LIB, "feature %s in plugin '%s' has unmet dependency: "
+					 "%s", provide, name, depend);
+			}
+			free(provide);
+			free(depend);
+			if (soft)
+			{	/* it's ok if we can't resolve soft dependencies */
+				continue;
 			}
 			return FALSE;
 		}
@@ -421,128 +668,149 @@ static bool dependencies_satisfied(private_plugin_loader_t *this,
 }
 
 /**
- * Check if a given feature is still required as dependency
+ * Load registered plugin features
  */
-static bool dependency_required(private_plugin_loader_t *this,
-								plugin_feature_t *dep)
+static void load_feature(private_plugin_loader_t *this,
+						 provided_feature_t *provided,
+						 int level)
 {
-	enumerator_t *enumerator;
-	plugin_feature_t *features;
-	plugin_entry_t *entry;
-	int count, i;
-
-	enumerator = this->plugins->create_enumerator(this->plugins);
-	while (enumerator->enumerate(enumerator, &entry))
+	if (load_dependencies(this, provided, level))
 	{
-		if (!entry->plugin->get_features)
-		{	/* features not supported */
-			continue;
+		char *name, *provide;
+
+		if (plugin_feature_load(provided->entry->plugin, provided->feature,
+								provided->reg))
+		{
+			provided->loaded = TRUE;
+			/* insert first so we can unload the features in reverse order */
+			this->loaded->insert_first(this->loaded, provided);
+			return;
 		}
-		count = entry->plugin->get_features(entry->plugin, &features);
-		for (i = 0; i < count; i++)
+
+		name = provided->entry->plugin->get_name(provided->entry->plugin);
+		provide = plugin_feature_get_string(&provided->feature[0]);
+		if (provided->entry->critical)
 		{
-			if (&features[i] != dep &&
-				feature_loaded(this, entry, &features[i]))
-			{
-				while (++i < count && (features[i].kind == FEATURE_DEPENDS ||
-									   features[i].kind == FEATURE_SDEPEND))
-				{
-					if (plugin_feature_matches(&features[i], dep))
-					{
-						enumerator->destroy(enumerator);
-						return TRUE;
-					}
-				}
-			}
+			DBG1(DBG_LIB, "feature %s in critical plugin '%s' failed to load",
+				 provide, name);
+		}
+		else
+		{
+			DBG2(DBG_LIB, "feature %s in plugin '%s' failed to load",
+				 provide, name);
 		}
+		free(provide);
 	}
-	enumerator->destroy(enumerator);
-	return FALSE;
+	else
+	{	/* TODO: we could check the current level and set a different flag when
+		 * being loaded as dependency. If there are loops there is a chance the
+		 * feature can be loaded later when loading the feature directly. */
+		this->stats.depends++;
+	}
+	provided->failed = TRUE;
+	this->stats.critical += provided->entry->critical ? 1 : 0;
+	this->stats.failed++;
 }
 
 /**
- * Load plugin features in correct order
+ * Load a provided feature
  */
-static int load_features(private_plugin_loader_t *this, bool soft, bool report)
+static void load_provided(private_plugin_loader_t *this,
+						  provided_feature_t *provided,
+						  int level)
 {
-	enumerator_t *enumerator;
-	plugin_feature_t *feature, *reg;
-	plugin_entry_t *entry;
-	int count, i, loaded = 0;
+	char *name, *provide;
+	int indent = level * 2;
+
+	if (provided->loaded || provided->failed)
+	{
+		return;
+	}
+	name = provided->entry->plugin->get_name(provided->entry->plugin);
+	provide = plugin_feature_get_string(provided->feature);
+	if (provided->loading)
+	{	/* prevent loop */
+		DBG3(DBG_LIB, "%*sloop detected while loading %s in plugin '%s'",
+			 indent, "", provide, name);
+		free(provide);
+		return;
+	}
+	DBG3(DBG_LIB, "%*sloading feature %s in plugin '%s'",
+		 indent, "", provide, name);
+	free(provide);
 
+	provided->loading = TRUE;
+	load_feature(this, provided, level + 1);
+	provided->loading = FALSE;
+}
+
+/**
+ * Load registered plugin features
+ */
+static void load_features(private_plugin_loader_t *this)
+{
+	enumerator_t *enumerator, *inner;
+	plugin_entry_t *plugin;
+	provided_feature_t *provided;
+
+	/* we do this in plugin order to allow implicit dependencies to be resolved
+	 * by reordering plugins */
 	enumerator = this->plugins->create_enumerator(this->plugins);
-	while (enumerator->enumerate(enumerator, &entry))
+	while (enumerator->enumerate(enumerator, &plugin))
 	{
-		if (!entry->plugin->get_features)
-		{	/* feature interface not supported */
-			continue;
-		}
-		reg = NULL;
-		count = entry->plugin->get_features(entry->plugin, &feature);
-		for (i = 0; i < count; i++)
+		inner = plugin->features->create_enumerator(plugin->features);
+		while (inner->enumerate(inner, &provided))
 		{
-			switch (feature->kind)
-			{
-				case FEATURE_PROVIDE:
-					if (!feature_loaded(this, entry, feature) &&
-						!feature_failed(this, entry, feature) &&
-						dependencies_satisfied(this, entry, soft, report,
-											   feature, count - i))
-					{
-						if (plugin_feature_load(entry->plugin, feature, reg))
-						{
-							this->loaded_features->put(this->loaded_features,
-													   feature, feature);
-							entry->loaded->insert_last(entry->loaded, feature);
-							loaded++;
-						}
-						else
-						{
-							entry->failed->insert_last(entry->failed, feature);
-						}
-					}
-					break;
-				case FEATURE_REGISTER:
-				case FEATURE_CALLBACK:
-					reg = feature;
-					break;
-				default:
-					break;
-			}
-			feature++;
-		}
-		if (loaded && !report)
-		{	/* got new feature, restart from beginning of list */
-			break;
+			load_provided(this, provided, 0);
 		}
+		inner->destroy(inner);
 	}
 	enumerator->destroy(enumerator);
-	return loaded;
 }
 
 /**
- * Try to unload plugin features on which is not depended anymore
+ * Register plugin features provided by the given plugin
  */
-static int unload_features(private_plugin_loader_t *this, plugin_entry_t *entry)
+static void register_features(private_plugin_loader_t *this,
+							  plugin_entry_t *entry)
 {
-	plugin_feature_t *feature, *reg = NULL;
-	int count, i, unloaded = 0;
+	plugin_feature_t *feature, *reg;
+	registered_feature_t *registered, lookup;
+	provided_feature_t *provided;
+	int count, i;
 
+	if (!entry->plugin->get_features)
+	{	/* feature interface not supported */
+		DBG1(DBG_LIB, "plugin '%s' does not provide features, deprecated",
+			 entry->plugin->get_name(entry->plugin));
+		return;
+	}
+	reg = NULL;
 	count = entry->plugin->get_features(entry->plugin, &feature);
 	for (i = 0; i < count; i++)
 	{
 		switch (feature->kind)
 		{
 			case FEATURE_PROVIDE:
-				if (feature_loaded(this, entry, feature) &&
-					!dependency_required(this, feature) &&
-					plugin_feature_unload(entry->plugin, feature, reg))
+				lookup.feature = feature;
+				registered = this->features->get(this->features, &lookup);
+				if (!registered)
 				{
-					this->loaded_features->remove(this->loaded_features,
-												  feature);
-					entry->loaded->remove(entry->loaded, feature, NULL);
-					unloaded++;
+					INIT(registered,
+						.feature = feature,
+						.plugins = linked_list_create(),
+					);
+					this->features->put(this->features, registered, registered);
 				}
+				INIT(provided,
+					.entry = entry,
+					.feature = feature,
+					.reg = reg,
+					.dependencies = count - i,
+				);
+				registered->plugins->insert_last(registered->plugins,
+												 provided);
+				entry->features->insert_last(entry->features, provided);
 				break;
 			case FEATURE_REGISTER:
 			case FEATURE_CALLBACK:
@@ -553,60 +821,58 @@ static int unload_features(private_plugin_loader_t *this, plugin_entry_t *entry)
 		}
 		feature++;
 	}
-	return unloaded;
 }
 
 /**
- * Check that we have all features loaded for critical plugins
+ * Unregister a plugin feature
  */
-static bool missing_critical_features(private_plugin_loader_t *this)
+static void unregister_feature(private_plugin_loader_t *this,
+							   provided_feature_t *provided)
 {
-	enumerator_t *enumerator;
-	plugin_entry_t *entry;
-	bool critical_failed = FALSE;
+	registered_feature_t *registered, lookup;
 
-	enumerator = this->plugins->create_enumerator(this->plugins);
-	while (enumerator->enumerate(enumerator, &entry))
+	lookup.feature = provided->feature;
+	registered = this->features->get(this->features, &lookup);
+	if (registered)
 	{
-		if (!entry->plugin->get_features)
-		{	/* feature interface not supported */
-			continue;
-		}
-		if (entry->critical)
+		registered->plugins->remove(registered->plugins, provided, NULL);
+		if (registered->plugins->get_count(registered->plugins) == 0)
 		{
-			plugin_feature_t *feature;
-			char *name, *provide;
-			int count, i, failed = 0;
+			this->features->remove(this->features, &lookup);
+			registered->plugins->destroy(registered->plugins);
+			free(registered);
+		}
+		else if (registered->feature == provided->feature)
+		{	/* update feature in case the providing plugin gets unloaded */
+			provided_feature_t *first;
 
-			name = entry->plugin->get_name(entry->plugin);
-			count = entry->plugin->get_features(entry->plugin, &feature);
-			for (i = 0; i < count; i++, feature++)
-			{
-				if (feature->kind == FEATURE_PROVIDE &&
-					!feature_loaded(this, entry, feature))
-				{
-					provide = plugin_feature_get_string(feature);
-					DBG2(DBG_LIB, "  failed to load %s in critical plugin '%s'",
-						 provide, name);
-					free(provide);
-					failed++;
-				}
-			}
-			if (failed)
-			{
-				DBG1(DBG_LIB, "failed to load %d feature%s in critical plugin "
-					 "'%s'", failed, failed > 1 ? "s" : "", name);
-				critical_failed = TRUE;
-			}
+			registered->plugins->get_first(registered->plugins, (void**)&first);
+			registered->feature = first->feature;
 		}
 	}
-	enumerator->destroy(enumerator);
+	free(provided);
+}
 
-	return critical_failed;
+/**
+ * Unregister plugin features
+ */
+static void unregister_features(private_plugin_loader_t *this,
+								plugin_entry_t *entry)
+{
+	provided_feature_t *provided;
+	enumerator_t *enumerator;
+
+	enumerator = entry->features->create_enumerator(entry->features);
+	while (enumerator->enumerate(enumerator, &provided))
+	{
+		entry->features->remove_at(entry->features, enumerator);
+		unregister_feature(this, provided);
+	}
+	enumerator->destroy(enumerator);
 }
 
 /**
- * Remove plugins that we were not able to load any features from.
+ * Remove plugins we were not able to load any plugin features from.
  */
 static void purge_plugins(private_plugin_loader_t *this)
 {
@@ -620,9 +886,13 @@ static void purge_plugins(private_plugin_loader_t *this)
 		{	/* feature interface not supported */
 			continue;
 		}
-		if (!entry->loaded->get_count(entry->loaded))
+		if (entry->features->find_first(entry->features,
+									(void*)is_feature_loaded, NULL) != SUCCESS)
 		{
+			DBG2(DBG_LIB, "unloading plugin '%s' without loaded features",
+				 entry->plugin->get_name(entry->plugin));
 			this->plugins->remove_at(this->plugins, enumerator);
+			unregister_features(this, entry);
 			plugin_entry_destroy(entry);
 		}
 	}
@@ -641,29 +911,46 @@ METHOD(plugin_loader_t, add_static_features, void,
 	INIT(entry,
 		.plugin = plugin,
 		.critical = critical,
-		.loaded = linked_list_create(),
-		.failed = linked_list_create(),
+		.features = linked_list_create(),
 	);
 	this->plugins->insert_last(this->plugins, entry);
+	register_features(this, entry);
+}
+
+/**
+ * Tries to find the plugin with the given name in the given path.
+ */
+static bool find_plugin(char *path, char *name, char *buf, char **file)
+{
+	struct stat stb;
+
+	if (path && snprintf(buf, PATH_MAX, "%s/libstrongswan-%s.so",
+						 path, name) < PATH_MAX)
+	{
+		if (stat(buf, &stb) == 0)
+		{
+			*file = buf;
+			return TRUE;
+		}
+	}
+	return FALSE;
 }
 
 METHOD(plugin_loader_t, load_plugins, bool,
-	private_plugin_loader_t *this, char *path, char *list)
+	private_plugin_loader_t *this, char *list)
 {
 	enumerator_t *enumerator;
-	char *token;
+	char *default_path = NULL, *token;
 	bool critical_failed = FALSE;
 
 #ifdef PLUGINDIR
-	if (path == NULL)
-	{
-		path = PLUGINDIR;
-	}
+	default_path = PLUGINDIR;
 #endif /* PLUGINDIR */
 
 	enumerator = enumerator_create_token(list, " ", " ");
 	while (!critical_failed && enumerator->enumerate(enumerator, &token))
 	{
+		plugin_entry_t *entry;
 		bool critical = FALSE;
 		char buf[PATH_MAX], *file = NULL;
 		int len;
@@ -680,40 +967,37 @@ METHOD(plugin_loader_t, load_plugins, bool,
 			free(token);
 			continue;
 		}
-		if (path)
+		if (this->paths)
 		{
-			if (snprintf(buf, sizeof(buf), "%s/libstrongswan-%s.so",
-						 path, token) >= sizeof(buf))
-			{
-				return FALSE;
-			}
-			file = buf;
+			this->paths->find_first(this->paths, (void*)find_plugin, NULL,
+									token, buf, &file);
 		}
-		if (!load_plugin(this, token, file, critical) && critical)
+		if (!file)
+		{
+			find_plugin(default_path, token, buf, &file);
+		}
+		entry = load_plugin(this, token, file, critical);
+		if (entry)
+		{
+			register_features(this, entry);
+		}
+		else if (critical)
 		{
 			critical_failed = TRUE;
 			DBG1(DBG_LIB, "loading critical plugin '%s' failed", token);
 		}
 		free(token);
-		/* TODO: we currently load features after each plugin is loaded. This
-		 * will not be necessary once we have features support in all plugins.
-		 */
-		while (load_features(this, TRUE, FALSE))
-		{
-			/* try load new features until we don't get new ones */
-		}
 	}
 	enumerator->destroy(enumerator);
 	if (!critical_failed)
 	{
-		while (load_features(this, FALSE, FALSE))
+		load_features(this);
+		if (this->stats.critical > 0)
 		{
-			/* enforce loading features, ignoring soft dependencies */
+			critical_failed = TRUE;
+			DBG1(DBG_LIB, "failed to load %d critical plugin feature%s",
+				 this->stats.critical, this->stats.critical == 1 ? "" : "s");
 		}
-		/* report missing dependencies */
-		load_features(this, FALSE, TRUE);
-		/* check for unloaded features provided by critical plugins */
-		critical_failed = missing_critical_features(this);
 		/* unload plugins that we were not able to load any features for */
 		purge_plugins(this);
 	}
@@ -725,47 +1009,56 @@ METHOD(plugin_loader_t, load_plugins, bool,
 	return !critical_failed;
 }
 
-METHOD(plugin_loader_t, unload, void,
-	private_plugin_loader_t *this)
+/**
+ * Unload plugin features, they are registered in reverse order
+ */
+static void unload_features(private_plugin_loader_t *this)
 {
 	enumerator_t *enumerator;
+	provided_feature_t *provided;
 	plugin_entry_t *entry;
-	linked_list_t *list;
 
-	/* unload plugins in reverse order, for those not supporting features */
-	list = linked_list_create();
-	while (this->plugins->remove_last(this->plugins, (void**)&entry) == SUCCESS)
+	enumerator = this->loaded->create_enumerator(this->loaded);
+	while (enumerator->enumerate(enumerator, &provided))
 	{
-		list->insert_last(list, entry);
+		entry = provided->entry;
+		plugin_feature_unload(entry->plugin, provided->feature, provided->reg);
+		this->loaded->remove_at(this->loaded, enumerator);
+		entry->features->remove(entry->features, provided, NULL);
+		unregister_feature(this, provided);
 	}
-	while (list->remove_last(list, (void**)&entry) == SUCCESS)
-	{
-		this->plugins->insert_first(this->plugins, entry);
-	}
-	list->destroy(list);
-	while (this->plugins->get_count(this->plugins))
+	enumerator->destroy(enumerator);
+}
+
+METHOD(plugin_loader_t, unload, void,
+	private_plugin_loader_t *this)
+{
+	plugin_entry_t *entry;
+
+	/* unload features followed by plugins, in reverse order */
+	unload_features(this);
+	while (this->plugins->remove_last(this->plugins, (void**)&entry) == SUCCESS)
 	{
-		enumerator = this->plugins->create_enumerator(this->plugins);
-		while (enumerator->enumerate(enumerator, &entry))
-		{
-			if (entry->plugin->get_features)
-			{	/* supports features */
-				while (unload_features(this, entry));
-			}
-			if (entry->loaded->get_count(entry->loaded) == 0)
-			{
-				if (lib->leak_detective)
-				{	/* keep handle to report leaks properly */
-					entry->handle = NULL;
-				}
-				this->plugins->remove_at(this->plugins, enumerator);
-				plugin_entry_destroy(entry);
-			}
+		if (lib->leak_detective)
+		{	/* keep handle to report leaks properly */
+			entry->handle = NULL;
 		}
-		enumerator->destroy(enumerator);
+		unregister_features(this, entry);
+		plugin_entry_destroy(entry);
 	}
 	free(this->loaded_plugins);
 	this->loaded_plugins = NULL;
+	memset(&this->stats, 0, sizeof(this->stats));
+}
+
+METHOD(plugin_loader_t, add_path, void,
+	private_plugin_loader_t *this, char *path)
+{
+	if (!this->paths)
+	{
+		this->paths = linked_list_create();
+	}
+	this->paths->insert_last(this->paths, strdupnull(path));
 }
 
 /**
@@ -820,12 +1113,30 @@ METHOD(plugin_loader_t, loaded_plugins, char*,
 	return this->loaded_plugins ?: "";
 }
 
+METHOD(plugin_loader_t, status, void,
+	private_plugin_loader_t *this, level_t level)
+{
+	if (this->loaded_plugins)
+	{
+		dbg(DBG_LIB, level, "loaded plugins: %s", this->loaded_plugins);
+
+		if (this->stats.failed)
+		{
+			dbg(DBG_LIB, level, "unable to load %d plugin feature%s (%d due to "
+				"unmet dependencies)", this->stats.failed,
+				this->stats.failed == 1 ? "" : "s", this->stats.depends);
+		}
+	}
+}
+
 METHOD(plugin_loader_t, destroy, void,
 	private_plugin_loader_t *this)
 {
 	unload(this);
-	this->loaded_features->destroy(this->loaded_features);
+	this->features->destroy(this->features);
+	this->loaded->destroy(this->loaded);
 	this->plugins->destroy(this->plugins);
+	DESTROY_FUNCTION_IF(this->paths, free);
 	free(this->loaded_plugins);
 	free(this);
 }
@@ -841,18 +1152,21 @@ plugin_loader_t *plugin_loader_create()
 		.public = {
 			.add_static_features = _add_static_features,
 			.load = _load_plugins,
+			.add_path = _add_path,
 			.reload = _reload,
 			.unload = _unload,
 			.create_plugin_enumerator = _create_plugin_enumerator,
+			.has_feature = _has_feature,
 			.loaded_plugins = _loaded_plugins,
+			.status = _status,
 			.destroy = _destroy,
 		},
 		.plugins = linked_list_create(),
-		.loaded_features = hashtable_create(
-								(hashtable_hash_t)plugin_feature_hash,
-								(hashtable_equals_t)plugin_feature_equals, 64),
+		.loaded = linked_list_create(),
+		.features = hashtable_create(
+							(hashtable_hash_t)registered_feature_hash,
+							(hashtable_equals_t)registered_feature_equals, 64),
 	);
 
 	return &this->public;
 }
-
diff --git a/src/libstrongswan/plugins/plugin_loader.h b/src/libstrongswan/plugins/plugin_loader.h
index 6a8f8f6a1..285b33910 100644
--- a/src/libstrongswan/plugins/plugin_loader.h
+++ b/src/libstrongswan/plugins/plugin_loader.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2012 Tobias Brunner
+ * Copyright (C) 2012-2013 Tobias Brunner
  * Copyright (C) 2007 Martin Willi
  * Hochschule fuer Technik Rapperswil
  *
@@ -25,6 +25,7 @@
 typedef struct plugin_loader_t plugin_loader_t;
 
 #include <collections/enumerator.h>
+#include <utils/debug.h>
 
 /* to avoid circular references we can't include plugin_feature.h */
 struct plugin_feature_t;
@@ -56,17 +57,33 @@ struct plugin_loader_t {
 								 bool critical);
 
 	/**
-	 * Load a list of plugins from a directory.
+	 * Load a list of plugins.
 	 *
-	 * Each plugin in list may have a ending exclamation mark (!) to mark it
+	 * Each plugin in list may have an ending exclamation mark (!) to mark it
 	 * as a critical plugin. If loading a critical plugin fails, plugin loading
 	 * is aborted and FALSE is returned.
 	 *
-	 * @param path			path containing loadable plugins, NULL for default
+	 * Additional paths can be added with add_path(), these will be searched
+	 * for the plugins first, in the order they were added, then the default
+	 * path follows.
+	 *
+	 * @note Even though this method could be called multiple times this is
+	 * currently not really supported in regards to plugin features and their
+	 * dependencies (in particular soft dependencies).
+	 *
 	 * @param list			space separated list of plugins to load
 	 * @return				TRUE if all critical plugins loaded successfully
 	 */
-	bool (*load)(plugin_loader_t *this, char *path, char *list);
+	bool (*load)(plugin_loader_t *this, char *list);
+
+	/**
+	 * Add an additional search path for plugins.
+	 *
+	 * These will be searched in the order they were added.
+	 *
+	 * @param path			path containing loadable plugins
+	 */
+	void (*add_path)(plugin_loader_t *this, char *path);
 
 	/**
 	 * Reload the configuration of one or multiple plugins.
@@ -84,14 +101,22 @@ struct plugin_loader_t {
 	/**
 	 * Create an enumerator over all loaded plugins.
 	 *
-	 * In addition to the plugin, the enumerator returns a list of pointers to
-	 * plugin features currently loaded (if the argument is not NULL).
-	 * This list is to be read only.
+	 * In addition to the plugin, the enumerator optionally provides a list of
+	 * pointers to plugin features currently loaded.
+	 * This list has to be destroyed.
 	 *
 	 * @return				enumerator over plugin_t*, linked_list_t*
 	 */
 	enumerator_t* (*create_plugin_enumerator)(plugin_loader_t *this);
 
+	/**
+	 * Check if the given feature is available and loaded.
+	 *
+	 * @param feature		feature to check
+	 * @return				TRUE if feature available
+	 */
+	bool (*has_feature)(plugin_loader_t *this, struct plugin_feature_t feature);
+
 	/**
 	 * Get a simple list the names of all loaded plugins.
 	 *
@@ -101,6 +126,13 @@ struct plugin_loader_t {
 	 */
 	char* (*loaded_plugins)(plugin_loader_t *this);
 
+	/**
+	 * Log status about loaded plugins and features.
+	 *
+	 * @param level			log level to use
+	 */
+	void (*status)(plugin_loader_t *this, level_t level);
+
 	/**
 	 * Unload loaded plugins, destroy plugin_loader instance.
 	 */
diff --git a/src/libstrongswan/plugins/pubkey/Makefile.am b/src/libstrongswan/plugins/pubkey/Makefile.am
index c2974a585..4f2354455 100644
--- a/src/libstrongswan/plugins/pubkey/Makefile.am
+++ b/src/libstrongswan/plugins/pubkey/Makefile.am
@@ -1,7 +1,8 @@
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan
 
-INCLUDES = -I$(top_srcdir)/src/libstrongswan
-
-AM_CFLAGS = -rdynamic
+AM_CFLAGS = \
+	-rdynamic
 
 if MONOLITHIC
 noinst_LTLIBRARIES = libstrongswan-pubkey.la
diff --git a/src/libstrongswan/plugins/pubkey/Makefile.in b/src/libstrongswan/plugins/pubkey/Makefile.in
index cecba00ba..6686d6f5b 100644
--- a/src/libstrongswan/plugins/pubkey/Makefile.in
+++ b/src/libstrongswan/plugins/pubkey/Makefile.in
@@ -62,7 +62,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
@@ -102,9 +102,13 @@ libstrongswan_pubkey_la_LIBADD =
 am_libstrongswan_pubkey_la_OBJECTS = pubkey_plugin.lo pubkey_cert.lo
 libstrongswan_pubkey_la_OBJECTS =  \
 	$(am_libstrongswan_pubkey_la_OBJECTS)
-libstrongswan_pubkey_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
-	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
-	$(libstrongswan_pubkey_la_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+libstrongswan_pubkey_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
+	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
+	$(AM_CFLAGS) $(CFLAGS) $(libstrongswan_pubkey_la_LDFLAGS) \
+	$(LDFLAGS) -o $@
 @MONOLITHIC_FALSE@am_libstrongswan_pubkey_la_rpath = -rpath \
 @MONOLITHIC_FALSE@	$(plugindir)
 @MONOLITHIC_TRUE@am_libstrongswan_pubkey_la_rpath =
@@ -114,13 +118,26 @@ am__depfiles_maybe = depfiles
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
 SOURCES = $(libstrongswan_pubkey_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_pubkey_la_SOURCES)
 am__can_run_installinfo = \
@@ -134,6 +151,7 @@ DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
@@ -146,6 +164,8 @@ CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
 CHECK_CFLAGS = @CHECK_CFLAGS@
 CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -161,6 +181,7 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
 GPRBUILD = @GPRBUILD@
 GREP = @GREP@
@@ -169,6 +190,7 @@ INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -215,6 +237,7 @@ SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -243,6 +266,7 @@ charon_natt_port = @charon_natt_port@
 charon_plugins = @charon_plugins@
 charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
@@ -320,8 +344,12 @@ top_srcdir = @top_srcdir@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-INCLUDES = -I$(top_srcdir)/src/libstrongswan
-AM_CFLAGS = -rdynamic
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan
+
+AM_CFLAGS = \
+	-rdynamic
+
 @MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-pubkey.la
 @MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-pubkey.la
 libstrongswan_pubkey_la_SOURCES = \
@@ -405,7 +433,7 @@ clean-pluginLTLIBRARIES:
 	  rm -f "$${dir}/so_locations"; \
 	done
 libstrongswan-pubkey.la: $(libstrongswan_pubkey_la_OBJECTS) $(libstrongswan_pubkey_la_DEPENDENCIES) $(EXTRA_libstrongswan_pubkey_la_DEPENDENCIES) 
-	$(libstrongswan_pubkey_la_LINK) $(am_libstrongswan_pubkey_la_rpath) $(libstrongswan_pubkey_la_OBJECTS) $(libstrongswan_pubkey_la_LIBADD) $(LIBS)
+	$(AM_V_CCLD)$(libstrongswan_pubkey_la_LINK) $(am_libstrongswan_pubkey_la_rpath) $(libstrongswan_pubkey_la_OBJECTS) $(libstrongswan_pubkey_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -417,25 +445,25 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pubkey_plugin.Plo@am__quote@
 
 .c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
 mostlyclean-libtool:
 	-rm -f *.lo
diff --git a/src/libstrongswan/plugins/pubkey/pubkey_cert.c b/src/libstrongswan/plugins/pubkey/pubkey_cert.c
index 95f53f919..b7ba5ad43 100644
--- a/src/libstrongswan/plugins/pubkey/pubkey_cert.c
+++ b/src/libstrongswan/plugins/pubkey/pubkey_cert.c
@@ -110,15 +110,25 @@ METHOD(certificate_t, has_issuer, id_match_t,
 METHOD(certificate_t, equals, bool,
 	private_pubkey_cert_t *this, certificate_t *other)
 {
+	identification_t *other_subject;
 	public_key_t *other_key;
 
+	if (this == (private_pubkey_cert_t*)other)
+	{
+		return TRUE;
+	}
+	if (other->get_type(other) != CERT_TRUSTED_PUBKEY)
+	{
+		return FALSE;
+	}
 	other_key = other->get_public_key(other);
 	if (other_key)
 	{
 		if (public_key_equals(this->key, other_key))
 		{
 			other_key->destroy(other_key);
-			return TRUE;
+			other_subject = other->get_subject(other);
+			return other_subject->equals(other_subject, this->subject);
 		}
 		other_key->destroy(other_key);
 	}
diff --git a/src/libstrongswan/plugins/random/Makefile.am b/src/libstrongswan/plugins/random/Makefile.am
index 5df992718..7c03c66ef 100644
--- a/src/libstrongswan/plugins/random/Makefile.am
+++ b/src/libstrongswan/plugins/random/Makefile.am
@@ -1,9 +1,10 @@
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-DDEV_RANDOM=\"${random_device}\" \
+	-DDEV_URANDOM=\"${urandom_device}\"
 
-INCLUDES = -I$(top_srcdir)/src/libstrongswan
-
-AM_CFLAGS = -rdynamic \
--DDEV_RANDOM=\"${random_device}\" \
--DDEV_URANDOM=\"${urandom_device}\"
+AM_CFLAGS = \
+	-rdynamic
 
 if MONOLITHIC
 noinst_LTLIBRARIES = libstrongswan-random.la
diff --git a/src/libstrongswan/plugins/random/Makefile.in b/src/libstrongswan/plugins/random/Makefile.in
index 4909f4c8a..b6e641757 100644
--- a/src/libstrongswan/plugins/random/Makefile.in
+++ b/src/libstrongswan/plugins/random/Makefile.in
@@ -62,7 +62,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
@@ -102,9 +102,13 @@ libstrongswan_random_la_LIBADD =
 am_libstrongswan_random_la_OBJECTS = random_plugin.lo random_rng.lo
 libstrongswan_random_la_OBJECTS =  \
 	$(am_libstrongswan_random_la_OBJECTS)
-libstrongswan_random_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
-	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
-	$(libstrongswan_random_la_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+libstrongswan_random_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
+	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
+	$(AM_CFLAGS) $(CFLAGS) $(libstrongswan_random_la_LDFLAGS) \
+	$(LDFLAGS) -o $@
 @MONOLITHIC_FALSE@am_libstrongswan_random_la_rpath = -rpath \
 @MONOLITHIC_FALSE@	$(plugindir)
 @MONOLITHIC_TRUE@am_libstrongswan_random_la_rpath =
@@ -114,13 +118,26 @@ am__depfiles_maybe = depfiles
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
 SOURCES = $(libstrongswan_random_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_random_la_SOURCES)
 am__can_run_installinfo = \
@@ -134,6 +151,7 @@ DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
@@ -146,6 +164,8 @@ CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
 CHECK_CFLAGS = @CHECK_CFLAGS@
 CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -161,6 +181,7 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
 GPRBUILD = @GPRBUILD@
 GREP = @GREP@
@@ -169,6 +190,7 @@ INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -215,6 +237,7 @@ SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -243,6 +266,7 @@ charon_natt_port = @charon_natt_port@
 charon_plugins = @charon_plugins@
 charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
@@ -320,10 +344,13 @@ top_srcdir = @top_srcdir@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-INCLUDES = -I$(top_srcdir)/src/libstrongswan
-AM_CFLAGS = -rdynamic \
--DDEV_RANDOM=\"${random_device}\" \
--DDEV_URANDOM=\"${urandom_device}\"
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-DDEV_RANDOM=\"${random_device}\" \
+	-DDEV_URANDOM=\"${urandom_device}\"
+
+AM_CFLAGS = \
+	-rdynamic
 
 @MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-random.la
 @MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-random.la
@@ -408,7 +435,7 @@ clean-pluginLTLIBRARIES:
 	  rm -f "$${dir}/so_locations"; \
 	done
 libstrongswan-random.la: $(libstrongswan_random_la_OBJECTS) $(libstrongswan_random_la_DEPENDENCIES) $(EXTRA_libstrongswan_random_la_DEPENDENCIES) 
-	$(libstrongswan_random_la_LINK) $(am_libstrongswan_random_la_rpath) $(libstrongswan_random_la_OBJECTS) $(libstrongswan_random_la_LIBADD) $(LIBS)
+	$(AM_V_CCLD)$(libstrongswan_random_la_LINK) $(am_libstrongswan_random_la_rpath) $(libstrongswan_random_la_OBJECTS) $(libstrongswan_random_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -420,25 +447,25 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/random_rng.Plo@am__quote@
 
 .c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
 mostlyclean-libtool:
 	-rm -f *.lo
diff --git a/src/libstrongswan/plugins/rc2/Makefile.am b/src/libstrongswan/plugins/rc2/Makefile.am
new file mode 100644
index 000000000..3f892728d
--- /dev/null
+++ b/src/libstrongswan/plugins/rc2/Makefile.am
@@ -0,0 +1,16 @@
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan
+
+AM_CFLAGS = \
+	-rdynamic
+
+if MONOLITHIC
+noinst_LTLIBRARIES = libstrongswan-rc2.la
+else
+plugin_LTLIBRARIES = libstrongswan-rc2.la
+endif
+
+libstrongswan_rc2_la_SOURCES = \
+	rc2_plugin.h rc2_plugin.c rc2_crypter.c rc2_crypter.h
+
+libstrongswan_rc2_la_LDFLAGS = -module -avoid-version
diff --git a/src/libstrongswan/plugins/rc2/Makefile.in b/src/libstrongswan/plugins/rc2/Makefile.in
new file mode 100644
index 000000000..9b9baf5d6
--- /dev/null
+++ b/src/libstrongswan/plugins/rc2/Makefile.in
@@ -0,0 +1,681 @@
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
+pkgdatadir = $(datadir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+subdir = src/libstrongswan/plugins/rc2
+DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+	$(top_srcdir)/m4/config/ltoptions.m4 \
+	$(top_srcdir)/m4/config/ltsugar.m4 \
+	$(top_srcdir)/m4/config/ltversion.m4 \
+	$(top_srcdir)/m4/config/lt~obsolete.m4 \
+	$(top_srcdir)/m4/macros/with.m4 \
+	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
+	$(top_srcdir)/configure.ac
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+	$(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_HEADER = $(top_builddir)/config.h
+CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+    *) f=$$p;; \
+  esac;
+am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
+am__install_max = 40
+am__nobase_strip_setup = \
+  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
+am__nobase_strip = \
+  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
+am__nobase_list = $(am__nobase_strip_setup); \
+  for p in $$list; do echo "$$p $$p"; done | \
+  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
+  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
+    if (++n[$$2] == $(am__install_max)) \
+      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
+    END { for (dir in files) print dir, files[dir] }'
+am__base_list = \
+  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
+  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
+am__installdirs = "$(DESTDIR)$(plugindir)"
+LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
+libstrongswan_rc2_la_LIBADD =
+am_libstrongswan_rc2_la_OBJECTS = rc2_plugin.lo rc2_crypter.lo
+libstrongswan_rc2_la_OBJECTS = $(am_libstrongswan_rc2_la_OBJECTS)
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+libstrongswan_rc2_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
+	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
+	$(AM_CFLAGS) $(CFLAGS) $(libstrongswan_rc2_la_LDFLAGS) \
+	$(LDFLAGS) -o $@
+@MONOLITHIC_FALSE@am_libstrongswan_rc2_la_rpath = -rpath $(plugindir)
+@MONOLITHIC_TRUE@am_libstrongswan_rc2_la_rpath =
+DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
+depcomp = $(SHELL) $(top_srcdir)/depcomp
+am__depfiles_maybe = depfiles
+am__mv = mv -f
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
+CCLD = $(CC)
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
+SOURCES = $(libstrongswan_rc2_la_SOURCES)
+DIST_SOURCES = $(libstrongswan_rc2_la_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
+ETAGS = etags
+CTAGS = ctags
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
+AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+BFDLIB = @BFDLIB@
+BTLIB = @BTLIB@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
+DSYMUTIL = @DSYMUTIL@
+DUMPBIN = @DUMPBIN@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+FGREP = @FGREP@
+GENHTML = @GENHTML@
+GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
+GREP = @GREP@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
+LD = @LD@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LIPO = @LIPO@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
+MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
+NM = @NM@
+NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
+PTHREADLIB = @PTHREADLIB@
+RANLIB = @RANLIB@
+RTLIB = @RTLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
+SED = @SED@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
+STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
+VERSION = @VERSION@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+attest_plugins = @attest_plugins@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+c_plugins = @c_plugins@
+charon_natt_port = @charon_natt_port@
+charon_plugins = @charon_plugins@
+charon_udp_port = @charon_udp_port@
+clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
+datadir = @datadir@
+datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
+dev_headers = @dev_headers@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
+gtk_CFLAGS = @gtk_CFLAGS@
+gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+imcvdir = @imcvdir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+ipsec_script = @ipsec_script@
+ipsec_script_upper = @ipsec_script_upper@
+ipsecdir = @ipsecdir@
+ipsecgroup = @ipsecgroup@
+ipseclibdir = @ipseclibdir@
+ipsecuser = @ipsecuser@
+libdir = @libdir@
+libexecdir = @libexecdir@
+linux_headers = @linux_headers@
+localedir = @localedir@
+localstatedir = @localstatedir@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
+mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
+mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
+nm_plugins = @nm_plugins@
+oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+pcsclite_CFLAGS = @pcsclite_CFLAGS@
+pcsclite_LIBS = @pcsclite_LIBS@
+pdfdir = @pdfdir@
+piddir = @piddir@
+pki_plugins = @pki_plugins@
+plugindir = @plugindir@
+pool_plugins = @pool_plugins@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+random_device = @random_device@
+resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
+sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
+sharedstatedir = @sharedstatedir@
+soup_CFLAGS = @soup_CFLAGS@
+soup_LIBS = @soup_LIBS@
+srcdir = @srcdir@
+starter_plugins = @starter_plugins@
+strongswan_conf = @strongswan_conf@
+sysconfdir = @sysconfdir@
+systemdsystemunitdir = @systemdsystemunitdir@
+target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+urandom_device = @urandom_device@
+xml_CFLAGS = @xml_CFLAGS@
+xml_LIBS = @xml_LIBS@
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan
+
+AM_CFLAGS = \
+	-rdynamic
+
+@MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-rc2.la
+@MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-rc2.la
+libstrongswan_rc2_la_SOURCES = \
+	rc2_plugin.h rc2_plugin.c rc2_crypter.c rc2_crypter.h
+
+libstrongswan_rc2_la_LDFLAGS = -module -avoid-version
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .c .lo .o .obj
+$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
+	@for dep in $?; do \
+	  case '$(am__configure_deps)' in \
+	    *$$dep*) \
+	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+	        && { if test -f $@; then exit 0; else break; fi; }; \
+	      exit 1;; \
+	  esac; \
+	done; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libstrongswan/plugins/rc2/Makefile'; \
+	$(am__cd) $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu src/libstrongswan/plugins/rc2/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+	@case '$?' in \
+	  *config.status*) \
+	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+	  *) \
+	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+	esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure:  $(am__configure_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
+
+clean-noinstLTLIBRARIES:
+	-test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES)
+	@list='$(noinst_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
+	@$(NORMAL_INSTALL)
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	list2=; for p in $$list; do \
+	  if test -f $$p; then \
+	    list2="$$list2 $$p"; \
+	  else :; fi; \
+	done; \
+	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
+	}
+
+uninstall-pluginLTLIBRARIES:
+	@$(NORMAL_UNINSTALL)
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	for p in $$list; do \
+	  $(am__strip_dir) \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \
+	done
+
+clean-pluginLTLIBRARIES:
+	-test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES)
+	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+libstrongswan-rc2.la: $(libstrongswan_rc2_la_OBJECTS) $(libstrongswan_rc2_la_DEPENDENCIES) $(EXTRA_libstrongswan_rc2_la_DEPENDENCIES) 
+	$(AM_V_CCLD)$(libstrongswan_rc2_la_LINK) $(am_libstrongswan_rc2_la_rpath) $(libstrongswan_rc2_la_OBJECTS) $(libstrongswan_rc2_la_LIBADD) $(LIBS)
+
+mostlyclean-compile:
+	-rm -f *.$(OBJEXT)
+
+distclean-compile:
+	-rm -f *.tab.c
+
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/rc2_crypter.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/rc2_plugin.Plo@am__quote@
+
+.c.o:
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
+
+.c.obj:
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
+
+.c.lo:
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	mkid -fID $$unique
+tags: TAGS
+
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	set x; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	shift; \
+	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
+	  test -n "$$unique" || unique=$$empty_fix; \
+	  if test $$# -gt 0; then \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      "$$@" $$unique; \
+	  else \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      $$unique; \
+	  fi; \
+	fi
+ctags: CTAGS
+CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	test -z "$(CTAGS_ARGS)$$unique" \
+	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+	     $$unique
+
+GTAGS:
+	here=`$(am__cd) $(top_builddir) && pwd` \
+	  && $(am__cd) $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) "$$here"
+
+distclean-tags:
+	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+distdir: $(DISTFILES)
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
+	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d "$(distdir)/$$file"; then \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
+	  else \
+	    test -f "$(distdir)/$$file" \
+	    || cp -p $$d/$$file "$(distdir)/$$file" \
+	    || exit 1; \
+	  fi; \
+	done
+check-am: all-am
+check: check-am
+all-am: Makefile $(LTLIBRARIES)
+installdirs:
+	for dir in "$(DESTDIR)$(plugindir)"; do \
+	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
+	done
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
+
+maintainer-clean-generic:
+	@echo "This command is intended for maintainers to use"
+	@echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-generic clean-libtool clean-noinstLTLIBRARIES \
+	clean-pluginLTLIBRARIES mostlyclean-am
+
+distclean: distclean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+	distclean-tags
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+html-am:
+
+info: info-am
+
+info-am:
+
+install-data-am: install-pluginLTLIBRARIES
+
+install-dvi: install-dvi-am
+
+install-dvi-am:
+
+install-exec-am:
+
+install-html: install-html-am
+
+install-html-am:
+
+install-info: install-info-am
+
+install-info-am:
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-pdf-am:
+
+install-ps: install-ps-am
+
+install-ps-am:
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+	mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am: uninstall-pluginLTLIBRARIES
+
+.MAKE: install-am install-strip
+
+.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
+	clean-libtool clean-noinstLTLIBRARIES clean-pluginLTLIBRARIES \
+	ctags distclean distclean-compile distclean-generic \
+	distclean-libtool distclean-tags distdir dvi dvi-am html \
+	html-am info info-am install install-am install-data \
+	install-data-am install-dvi install-dvi-am install-exec \
+	install-exec-am install-html install-html-am install-info \
+	install-info-am install-man install-pdf install-pdf-am \
+	install-pluginLTLIBRARIES install-ps install-ps-am \
+	install-strip installcheck installcheck-am installdirs \
+	maintainer-clean maintainer-clean-generic mostlyclean \
+	mostlyclean-compile mostlyclean-generic mostlyclean-libtool \
+	pdf pdf-am ps ps-am tags uninstall uninstall-am \
+	uninstall-pluginLTLIBRARIES
+
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/src/libstrongswan/plugins/rc2/rc2_crypter.c b/src/libstrongswan/plugins/rc2/rc2_crypter.c
new file mode 100644
index 000000000..256acf817
--- /dev/null
+++ b/src/libstrongswan/plugins/rc2/rc2_crypter.c
@@ -0,0 +1,349 @@
+/*
+ * Copyright (C) 2013 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "rc2_crypter.h"
+
+typedef struct private_rc2_crypter_t private_rc2_crypter_t;
+
+#define RC2_BLOCK_SIZE 8
+
+#define ROL16(x, k)	({ u_int16_t _x = (x); (_x << (k)) | (_x >> (16 - (k))); })
+#define ROR16(x, k)	({ u_int16_t _x = (x); (_x >> (k)) | (_x << (16 - (k))); })
+
+#define GET16(x)	({ u_char *_x = (x); (u_int16_t)_x[0] | ((u_int16_t)_x[1] << 8); })
+#define PUT16(x, v)	({ u_char *_x = (x); u_int16_t _v = (v); _x[0] = _v, _x[1] = _v >> 8; })
+
+/**
+ * Private data of rc2_crypter_t
+ */
+struct private_rc2_crypter_t {
+
+	/**
+	 * Public interface
+	 */
+	rc2_crypter_t public;
+
+	/**
+	* The expanded key in 16-bit words
+	*/
+	u_int16_t  K[64];
+
+	/**
+	* Key size in bytes
+	*/
+	size_t T;
+
+	/**
+	* Effective key size in bits
+	*/
+	size_t T1;
+};
+
+/**
+ * PITABLE
+ */
+static const u_char PITABLE[256] =
+{
+	0xd9, 0x78, 0xf9, 0xc4, 0x19, 0xdd, 0xb5, 0xed,
+	0x28, 0xe9, 0xfd, 0x79, 0x4a, 0xa0, 0xd8, 0x9d,
+	0xc6, 0x7e, 0x37, 0x83, 0x2b, 0x76, 0x53, 0x8e,
+	0x62, 0x4c, 0x64, 0x88, 0x44, 0x8b, 0xfb, 0xa2,
+	0x17, 0x9a, 0x59, 0xf5, 0x87, 0xb3, 0x4f, 0x13,
+	0x61, 0x45, 0x6d, 0x8d, 0x09, 0x81, 0x7d, 0x32,
+	0xbd, 0x8f, 0x40, 0xeb, 0x86, 0xb7, 0x7b, 0x0b,
+	0xf0, 0x95, 0x21, 0x22, 0x5c, 0x6b, 0x4e, 0x82,
+	0x54, 0xd6, 0x65, 0x93, 0xce, 0x60, 0xb2, 0x1c,
+	0x73, 0x56, 0xc0, 0x14, 0xa7, 0x8c, 0xf1, 0xdc,
+	0x12, 0x75, 0xca, 0x1f, 0x3b, 0xbe, 0xe4, 0xd1,
+	0x42, 0x3d, 0xd4, 0x30, 0xa3, 0x3c, 0xb6, 0x26,
+	0x6f, 0xbf, 0x0e, 0xda, 0x46, 0x69, 0x07, 0x57,
+	0x27, 0xf2, 0x1d, 0x9b, 0xbc, 0x94, 0x43, 0x03,
+	0xf8, 0x11, 0xc7, 0xf6, 0x90, 0xef, 0x3e, 0xe7,
+	0x06, 0xc3, 0xd5, 0x2f, 0xc8, 0x66, 0x1e, 0xd7,
+	0x08, 0xe8, 0xea, 0xde, 0x80, 0x52, 0xee, 0xf7,
+	0x84, 0xaa, 0x72, 0xac, 0x35, 0x4d, 0x6a, 0x2a,
+	0x96, 0x1a, 0xd2, 0x71, 0x5a, 0x15, 0x49, 0x74,
+	0x4b, 0x9f, 0xd0, 0x5e, 0x04, 0x18, 0xa4, 0xec,
+	0xc2, 0xe0, 0x41, 0x6e, 0x0f, 0x51, 0xcb, 0xcc,
+	0x24, 0x91, 0xaf, 0x50, 0xa1, 0xf4, 0x70, 0x39,
+	0x99, 0x7c, 0x3a, 0x85, 0x23, 0xb8, 0xb4, 0x7a,
+	0xfc, 0x02, 0x36, 0x5b, 0x25, 0x55, 0x97, 0x31,
+	0x2d, 0x5d, 0xfa, 0x98, 0xe3, 0x8a, 0x92, 0xae,
+	0x05, 0xdf, 0x29, 0x10, 0x67, 0x6c, 0xba, 0xc9,
+	0xd3, 0x00, 0xe6, 0xcf, 0xe1, 0x9e, 0xa8, 0x2c,
+	0x63, 0x16, 0x01, 0x3f, 0x58, 0xe2, 0x89, 0xa9,
+	0x0d, 0x38, 0x34, 0x1b, 0xab, 0x33, 0xff, 0xb0,
+	0xbb, 0x48, 0x0c, 0x5f, 0xb9, 0xb1, 0xcd, 0x2e,
+	0xc5, 0xf3, 0xdb, 0x47, 0xe5, 0xa5, 0x9c, 0x77,
+	0x0a, 0xa6, 0x20, 0x68, 0xfe, 0x7f, 0xc1, 0xad,
+};
+
+/**
+ * Encrypt a single block of data
+ */
+static void encrypt_block(private_rc2_crypter_t *this, u_char R[])
+{
+	register u_int16_t R0, R1, R2, R3, *Kj;
+	int rounds = 3, mix = 5;
+
+	R0 = GET16(R);
+	R1 = GET16(R + 2);
+	R2 = GET16(R + 4);
+	R3 = GET16(R + 6);
+	Kj = &this->K[0];
+
+	/* 5 mix, mash, 6 mix, mash, 5 mix */
+	while (TRUE)
+	{
+		/* mix */
+		R0 = ROL16(R0 + *(Kj++) + (R3 & R2) + (~R3 & R1), 1);
+		R1 = ROL16(R1 + *(Kj++) + (R0 & R3) + (~R0 & R2), 2);
+		R2 = ROL16(R2 + *(Kj++) + (R1 & R0) + (~R1 & R3), 3);
+		R3 = ROL16(R3 + *(Kj++) + (R2 & R1) + (~R2 & R0), 5);
+
+		if (--mix == 0)
+		{
+			if (--rounds == 0)
+			{
+				break;
+			}
+			mix = (rounds == 2) ? 6 : 5;
+			/* mash */
+			R0 += this->K[R3 & 63];
+			R1 += this->K[R0 & 63];
+			R2 += this->K[R1 & 63];
+			R3 += this->K[R2 & 63];
+		}
+	}
+
+	PUT16(R, R0);
+	PUT16(R + 2, R1);
+	PUT16(R + 4, R2);
+	PUT16(R + 6, R3);
+}
+
+/**
+ * Decrypt a single block of data.
+ */
+static void decrypt_block(private_rc2_crypter_t *this, u_char R[])
+{
+	register u_int16_t R0, R1, R2, R3, *Kj;
+	int rounds = 3, mix = 5;
+
+	R0 = GET16(R);
+	R1 = GET16(R + 2);
+	R2 = GET16(R + 4);
+	R3 = GET16(R + 6);
+	Kj = &this->K[63];
+
+	/* 5 r-mix, r-mash, 6 r-mix, r-mash, 5 r-mix */
+	while (TRUE)
+	{
+		/* r-mix */
+		R3 = ROR16(R3, 5);
+		R3 = R3 - *(Kj--) - (R2 & R1) - (~R2 & R0);
+		R2 = ROR16(R2, 3);
+		R2 = R2 - *(Kj--) - (R1 & R0) - (~R1 & R3);
+		R1 = ROR16(R1, 2);
+		R1 = R1 - *(Kj--) - (R0 & R3) - (~R0 & R2);
+		R0 = ROR16(R0, 1);
+		R0 = R0 - *(Kj--) - (R3 & R2) - (~R3 & R1);
+
+		if (--mix == 0)
+		{
+			if (--rounds == 0)
+			{
+				break;
+			}
+			mix = (rounds == 2) ? 6 : 5;
+			/* r-mash */
+			R3 -= this->K[R2 & 63];
+			R2 -= this->K[R1 & 63];
+			R1 -= this->K[R0 & 63];
+			R0 -= this->K[R3 & 63];
+		}
+	}
+
+	PUT16(R, R0);
+	PUT16(R + 2, R1);
+	PUT16(R + 4, R2);
+	PUT16(R + 6, R3);
+}
+
+METHOD(crypter_t, decrypt, bool,
+	private_rc2_crypter_t *this, chunk_t data, chunk_t iv, chunk_t *decrypted)
+{
+	u_int8_t *in, *out, *prev;
+
+	if (data.len % RC2_BLOCK_SIZE || iv.len != RC2_BLOCK_SIZE)
+	{
+		return FALSE;
+	}
+
+	in = data.ptr + data.len - RC2_BLOCK_SIZE;
+	out = data.ptr;
+	if (decrypted)
+	{
+		*decrypted = chunk_alloc(data.len);
+		out = decrypted->ptr;
+	}
+	out += data.len - RC2_BLOCK_SIZE;
+
+	prev = in;
+	for (; in >= data.ptr; in -= RC2_BLOCK_SIZE, out -= RC2_BLOCK_SIZE)
+	{
+		if (decrypted)
+		{
+			memcpy(out, in, RC2_BLOCK_SIZE);
+		}
+		decrypt_block(this, out);
+		prev -= RC2_BLOCK_SIZE;
+		if (prev < data.ptr)
+		{
+			prev = iv.ptr;
+		}
+		memxor(out, prev, RC2_BLOCK_SIZE);
+	}
+	return TRUE;
+}
+
+METHOD(crypter_t, encrypt, bool,
+	private_rc2_crypter_t *this, chunk_t data, chunk_t iv, chunk_t *encrypted)
+{
+	u_int8_t *in, *out, *end, *prev;
+
+	if (data.len % RC2_BLOCK_SIZE || iv.len != RC2_BLOCK_SIZE)
+	{
+		return FALSE;
+	}
+
+	in = data.ptr;
+	end = data.ptr + data.len;
+	out = data.ptr;
+	if (encrypted)
+	{
+		*encrypted = chunk_alloc(data.len);
+		out = encrypted->ptr;
+	}
+
+	prev = iv.ptr;
+	for (; in < end; in += RC2_BLOCK_SIZE, out += RC2_BLOCK_SIZE)
+	{
+		if (encrypted)
+		{
+			memcpy(out, in, RC2_BLOCK_SIZE);
+		}
+		memxor(out, prev, RC2_BLOCK_SIZE);
+		encrypt_block(this, out);
+		prev = out;
+	}
+	return TRUE;
+}
+
+METHOD(crypter_t, get_block_size, size_t,
+	private_rc2_crypter_t *this)
+{
+	return RC2_BLOCK_SIZE;
+}
+
+METHOD(crypter_t, get_iv_size, size_t,
+	private_rc2_crypter_t *this)
+{
+	return RC2_BLOCK_SIZE;
+}
+
+METHOD(crypter_t, get_key_size, size_t,
+	private_rc2_crypter_t *this)
+{
+	return this->T;
+}
+
+METHOD(crypter_t, set_key, bool,
+	private_rc2_crypter_t *this, chunk_t key)
+{
+	u_int8_t L[128], T8, TM, idx;
+	int i;
+
+	if (key.len != this->T)
+	{
+		return FALSE;
+	}
+	for (i = 0; i < key.len; i++)
+	{
+		L[i] = key.ptr[i];
+	}
+	for (; i < 128; i++)
+	{
+		idx = L[i-1] + L[i-key.len];
+		L[i] = PITABLE[idx];
+	}
+	T8 = (this->T1 + 7) / 8;
+	TM = ~(0xff << (8 - (8*T8 - this->T1)));
+	L[128-T8] = PITABLE[L[128-T8] & TM];
+	for (i = 127-T8; i >= 0; i--)
+	{
+		idx = L[i+1] ^ L[i+T8];
+		L[i] = PITABLE[idx];
+	}
+	for (i = 0; i < 64; i++)
+	{
+		this->K[i] = GET16(&L[i << 1]);
+	}
+	memwipe(L, sizeof(L));
+	return TRUE;
+}
+
+METHOD(crypter_t, destroy, void,
+	private_rc2_crypter_t *this)
+{
+	memwipe(this->K, sizeof(this->K));
+	free(this);
+}
+
+/*
+ * Described in header
+ */
+rc2_crypter_t *rc2_crypter_create(encryption_algorithm_t algo, size_t key_size)
+{
+	private_rc2_crypter_t *this;
+	size_t effective;
+
+	if (algo != ENCR_RC2_CBC)
+	{
+		return NULL;
+	}
+	key_size = max(1, key_size);
+	effective = RC2_EFFECTIVE_KEY_LEN(key_size);
+	key_size = min(128, RC2_KEY_LEN(key_size));
+	effective = max(1, min(1024, effective ?: key_size * 8));
+
+	INIT(this,
+		.public = {
+			.crypter = {
+				.encrypt = _encrypt,
+				.decrypt = _decrypt,
+				.get_block_size = _get_block_size,
+				.get_iv_size = _get_iv_size,
+				.get_key_size = _get_key_size,
+				.set_key = _set_key,
+				.destroy = _destroy,
+			},
+		},
+		.T = key_size,
+		.T1 = effective,
+	);
+
+	return &this->public;
+}
diff --git a/src/libstrongswan/plugins/rc2/rc2_crypter.h b/src/libstrongswan/plugins/rc2/rc2_crypter.h
new file mode 100644
index 000000000..d478762a6
--- /dev/null
+++ b/src/libstrongswan/plugins/rc2/rc2_crypter.h
@@ -0,0 +1,50 @@
+/*
+ * Copyright (C) 2013 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup rc2_crypter rc2_crypter
+ * @{ @ingroup rc2_p
+ */
+
+#ifndef RC2_CRYPTER_H_
+#define RC2_CRYPTER_H_
+
+typedef struct rc2_crypter_t rc2_crypter_t;
+
+#include <crypto/crypters/crypter.h>
+
+/**
+ * Class implementing the RC2 block cipher as defined in RFC 2268.
+ */
+struct rc2_crypter_t {
+
+	/**
+	 * Implements crypter_t interface.
+	 */
+	crypter_t crypter;
+};
+
+/**
+ * Constructor to create rc2_crypter_t objects.
+ *
+ * @param algo			algorithm to implement (ENCR_RC2_CBC)
+ * @param key_size		use the RC2_KEY_SIZE macro if the effective key size
+ * 						in bits is different than the actual length of the key
+ * @return				rc2_crypter_t object, NULL if not supported
+ */
+rc2_crypter_t *rc2_crypter_create(encryption_algorithm_t algo,
+								  size_t key_size);
+
+#endif /** RC2_CRYPTER_H_ @}*/
diff --git a/src/libstrongswan/plugins/rc2/rc2_plugin.c b/src/libstrongswan/plugins/rc2/rc2_plugin.c
new file mode 100644
index 000000000..6c6fa76d6
--- /dev/null
+++ b/src/libstrongswan/plugins/rc2/rc2_plugin.c
@@ -0,0 +1,76 @@
+/*
+ * Copyright (C) 2013 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "rc2_plugin.h"
+
+#include <library.h>
+#include "rc2_crypter.h"
+
+typedef struct private_rc2_plugin_t private_rc2_plugin_t;
+
+/**
+ * Private data of rc2_plugin
+ */
+struct private_rc2_plugin_t {
+
+	/**
+	 * Public interface
+	 */
+	rc2_plugin_t public;
+};
+
+METHOD(plugin_t, get_name, char*,
+	private_rc2_plugin_t *this)
+{
+	return "rc2";
+}
+
+METHOD(plugin_t, get_features, int,
+	private_rc2_plugin_t *this, plugin_feature_t *features[])
+{
+	static plugin_feature_t f[] = {
+		PLUGIN_REGISTER(CRYPTER, rc2_crypter_create),
+			PLUGIN_PROVIDE(CRYPTER, ENCR_RC2_CBC, 0),
+	};
+	*features = f;
+	return countof(f);
+}
+
+METHOD(plugin_t, destroy, void,
+	private_rc2_plugin_t *this)
+{
+	free(this);
+}
+
+/*
+ * Described in header
+ */
+plugin_t *rc2_plugin_create()
+{
+	private_rc2_plugin_t *this;
+
+	INIT(this,
+		.public = {
+			.plugin = {
+				.get_name = _get_name,
+				.get_features = _get_features,
+				.destroy = _destroy,
+			},
+		},
+	);
+
+	return &this->public.plugin;
+}
+
diff --git a/src/libstrongswan/plugins/rc2/rc2_plugin.h b/src/libstrongswan/plugins/rc2/rc2_plugin.h
new file mode 100644
index 000000000..cbbac51af
--- /dev/null
+++ b/src/libstrongswan/plugins/rc2/rc2_plugin.h
@@ -0,0 +1,42 @@
+/*
+ * Copyright (C) 2013 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup rc2_p rc2
+ * @ingroup plugins
+ *
+ * @defgroup rc2_plugin rc2_plugin
+ * @{ @ingroup rc2_p
+ */
+
+#ifndef RC2_PLUGIN_H_
+#define RC2_PLUGIN_H_
+
+#include <plugins/plugin.h>
+
+typedef struct rc2_plugin_t rc2_plugin_t;
+
+/**
+ * Plugin implementing RC2 (RFC 2268).
+ */
+struct rc2_plugin_t {
+
+	/**
+	 * Implements plugin interface
+	 */
+	plugin_t plugin;
+};
+
+#endif /** RC2_PLUGIN_H_ @}*/
diff --git a/src/libstrongswan/plugins/rdrand/Makefile.am b/src/libstrongswan/plugins/rdrand/Makefile.am
index 4be7b7215..d9cb00161 100644
--- a/src/libstrongswan/plugins/rdrand/Makefile.am
+++ b/src/libstrongswan/plugins/rdrand/Makefile.am
@@ -1,7 +1,8 @@
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan
 
-INCLUDES = -I$(top_srcdir)/src/libstrongswan
-
-AM_CFLAGS = -rdynamic
+AM_CFLAGS = \
+	-rdynamic
 
 if MONOLITHIC
 noinst_LTLIBRARIES = libstrongswan-rdrand.la
diff --git a/src/libstrongswan/plugins/rdrand/Makefile.in b/src/libstrongswan/plugins/rdrand/Makefile.in
index b611821a8..6a344954e 100644
--- a/src/libstrongswan/plugins/rdrand/Makefile.in
+++ b/src/libstrongswan/plugins/rdrand/Makefile.in
@@ -62,7 +62,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
@@ -102,9 +102,13 @@ libstrongswan_rdrand_la_LIBADD =
 am_libstrongswan_rdrand_la_OBJECTS = rdrand_plugin.lo rdrand_rng.lo
 libstrongswan_rdrand_la_OBJECTS =  \
 	$(am_libstrongswan_rdrand_la_OBJECTS)
-libstrongswan_rdrand_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
-	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
-	$(libstrongswan_rdrand_la_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+libstrongswan_rdrand_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
+	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
+	$(AM_CFLAGS) $(CFLAGS) $(libstrongswan_rdrand_la_LDFLAGS) \
+	$(LDFLAGS) -o $@
 @MONOLITHIC_FALSE@am_libstrongswan_rdrand_la_rpath = -rpath \
 @MONOLITHIC_FALSE@	$(plugindir)
 @MONOLITHIC_TRUE@am_libstrongswan_rdrand_la_rpath =
@@ -114,13 +118,26 @@ am__depfiles_maybe = depfiles
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
 SOURCES = $(libstrongswan_rdrand_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_rdrand_la_SOURCES)
 am__can_run_installinfo = \
@@ -134,6 +151,7 @@ DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
@@ -146,6 +164,8 @@ CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
 CHECK_CFLAGS = @CHECK_CFLAGS@
 CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -161,6 +181,7 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
 GPRBUILD = @GPRBUILD@
 GREP = @GREP@
@@ -169,6 +190,7 @@ INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -215,6 +237,7 @@ SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -243,6 +266,7 @@ charon_natt_port = @charon_natt_port@
 charon_plugins = @charon_plugins@
 charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
@@ -320,8 +344,12 @@ top_srcdir = @top_srcdir@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-INCLUDES = -I$(top_srcdir)/src/libstrongswan
-AM_CFLAGS = -rdynamic
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan
+
+AM_CFLAGS = \
+	-rdynamic
+
 @MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-rdrand.la
 @MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-rdrand.la
 libstrongswan_rdrand_la_SOURCES = \
@@ -405,7 +433,7 @@ clean-pluginLTLIBRARIES:
 	  rm -f "$${dir}/so_locations"; \
 	done
 libstrongswan-rdrand.la: $(libstrongswan_rdrand_la_OBJECTS) $(libstrongswan_rdrand_la_DEPENDENCIES) $(EXTRA_libstrongswan_rdrand_la_DEPENDENCIES) 
-	$(libstrongswan_rdrand_la_LINK) $(am_libstrongswan_rdrand_la_rpath) $(libstrongswan_rdrand_la_OBJECTS) $(libstrongswan_rdrand_la_LIBADD) $(LIBS)
+	$(AM_V_CCLD)$(libstrongswan_rdrand_la_LINK) $(am_libstrongswan_rdrand_la_rpath) $(libstrongswan_rdrand_la_OBJECTS) $(libstrongswan_rdrand_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -417,25 +445,25 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/rdrand_rng.Plo@am__quote@
 
 .c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
 mostlyclean-libtool:
 	-rm -f *.lo
diff --git a/src/libstrongswan/plugins/revocation/Makefile.am b/src/libstrongswan/plugins/revocation/Makefile.am
index fb6d01926..5bb5ac204 100644
--- a/src/libstrongswan/plugins/revocation/Makefile.am
+++ b/src/libstrongswan/plugins/revocation/Makefile.am
@@ -1,7 +1,8 @@
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan
 
-INCLUDES = -I$(top_srcdir)/src/libstrongswan
-
-AM_CFLAGS = -rdynamic
+AM_CFLAGS = \
+	-rdynamic
 
 if MONOLITHIC
 noinst_LTLIBRARIES = libstrongswan-revocation.la
diff --git a/src/libstrongswan/plugins/revocation/Makefile.in b/src/libstrongswan/plugins/revocation/Makefile.in
index bc92c6ed1..b13016902 100644
--- a/src/libstrongswan/plugins/revocation/Makefile.in
+++ b/src/libstrongswan/plugins/revocation/Makefile.in
@@ -62,7 +62,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
@@ -103,7 +103,10 @@ am_libstrongswan_revocation_la_OBJECTS = revocation_plugin.lo \
 	revocation_validator.lo
 libstrongswan_revocation_la_OBJECTS =  \
 	$(am_libstrongswan_revocation_la_OBJECTS)
-libstrongswan_revocation_la_LINK = $(LIBTOOL) --tag=CC \
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+libstrongswan_revocation_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
 	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
 	$(AM_CFLAGS) $(CFLAGS) $(libstrongswan_revocation_la_LDFLAGS) \
 	$(LDFLAGS) -o $@
@@ -116,13 +119,26 @@ am__depfiles_maybe = depfiles
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
 SOURCES = $(libstrongswan_revocation_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_revocation_la_SOURCES)
 am__can_run_installinfo = \
@@ -136,6 +152,7 @@ DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
@@ -148,6 +165,8 @@ CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
 CHECK_CFLAGS = @CHECK_CFLAGS@
 CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -163,6 +182,7 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
 GPRBUILD = @GPRBUILD@
 GREP = @GREP@
@@ -171,6 +191,7 @@ INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -217,6 +238,7 @@ SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -245,6 +267,7 @@ charon_natt_port = @charon_natt_port@
 charon_plugins = @charon_plugins@
 charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
@@ -322,8 +345,12 @@ top_srcdir = @top_srcdir@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-INCLUDES = -I$(top_srcdir)/src/libstrongswan
-AM_CFLAGS = -rdynamic
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan
+
+AM_CFLAGS = \
+	-rdynamic
+
 @MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-revocation.la
 @MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-revocation.la
 libstrongswan_revocation_la_SOURCES = \
@@ -407,7 +434,7 @@ clean-pluginLTLIBRARIES:
 	  rm -f "$${dir}/so_locations"; \
 	done
 libstrongswan-revocation.la: $(libstrongswan_revocation_la_OBJECTS) $(libstrongswan_revocation_la_DEPENDENCIES) $(EXTRA_libstrongswan_revocation_la_DEPENDENCIES) 
-	$(libstrongswan_revocation_la_LINK) $(am_libstrongswan_revocation_la_rpath) $(libstrongswan_revocation_la_OBJECTS) $(libstrongswan_revocation_la_LIBADD) $(LIBS)
+	$(AM_V_CCLD)$(libstrongswan_revocation_la_LINK) $(am_libstrongswan_revocation_la_rpath) $(libstrongswan_revocation_la_OBJECTS) $(libstrongswan_revocation_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -419,25 +446,25 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/revocation_validator.Plo@am__quote@
 
 .c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
 mostlyclean-libtool:
 	-rm -f *.lo
diff --git a/src/libstrongswan/plugins/revocation/revocation_plugin.c b/src/libstrongswan/plugins/revocation/revocation_plugin.c
index fa04fb2a2..fe7eaa765 100644
--- a/src/libstrongswan/plugins/revocation/revocation_plugin.c
+++ b/src/libstrongswan/plugins/revocation/revocation_plugin.c
@@ -42,10 +42,43 @@ METHOD(plugin_t, get_name, char*,
 	return "revocation";
 }
 
+/**
+ * Register validator
+ */
+static bool plugin_cb(private_revocation_plugin_t *this,
+					  plugin_feature_t *feature, bool reg, void *cb_data)
+{
+	if (reg)
+	{
+		lib->credmgr->add_validator(lib->credmgr, &this->validator->validator);
+	}
+	else
+	{
+		lib->credmgr->remove_validator(lib->credmgr,
+									   &this->validator->validator);
+	}
+	return TRUE;
+}
+
+METHOD(plugin_t, get_features, int,
+	private_revocation_plugin_t *this, plugin_feature_t *features[])
+{
+	static plugin_feature_t f[] = {
+		PLUGIN_CALLBACK((plugin_feature_callback_t)plugin_cb, NULL),
+			PLUGIN_PROVIDE(CUSTOM, "revocation"),
+				PLUGIN_SDEPEND(CERT_ENCODE, CERT_X509_OCSP_REQUEST),
+				PLUGIN_SDEPEND(CERT_DECODE, CERT_X509_OCSP_RESPONSE),
+				PLUGIN_SDEPEND(CERT_DECODE, CERT_X509_CRL),
+				PLUGIN_SDEPEND(CERT_DECODE, CERT_X509),
+				PLUGIN_SDEPEND(FETCHER, NULL),
+	};
+	*features = f;
+	return countof(f);
+}
+
 METHOD(plugin_t, destroy, void,
 	private_revocation_plugin_t *this)
 {
-	lib->credmgr->remove_validator(lib->credmgr, &this->validator->validator);
 	this->validator->destroy(this->validator);
 	free(this);
 }
@@ -61,13 +94,12 @@ plugin_t *revocation_plugin_create()
 		.public = {
 			.plugin = {
 				.get_name = _get_name,
-				.reload = (void*)return_false,
+				.get_features = _get_features,
 				.destroy = _destroy,
 			},
 		},
 		.validator = revocation_validator_create(),
 	);
-	lib->credmgr->add_validator(lib->credmgr, &this->validator->validator);
 
 	return &this->public.plugin;
 }
diff --git a/src/libstrongswan/plugins/revocation/revocation_validator.c b/src/libstrongswan/plugins/revocation/revocation_validator.c
index 44c234559..c8ec3f723 100644
--- a/src/libstrongswan/plugins/revocation/revocation_validator.c
+++ b/src/libstrongswan/plugins/revocation/revocation_validator.c
@@ -691,6 +691,8 @@ METHOD(cert_validator_t, validate, bool,
 			case VALIDATION_REVOKED:
 			case VALIDATION_ON_HOLD:
 				/* has already been logged */
+				lib->credmgr->call_hook(lib->credmgr, CRED_HOOK_REVOKED,
+										subject);
 				return FALSE;
 			case VALIDATION_SKIPPED:
 				DBG2(DBG_CFG, "ocsp check skipped, no ocsp found");
@@ -711,6 +713,8 @@ METHOD(cert_validator_t, validate, bool,
 			case VALIDATION_REVOKED:
 			case VALIDATION_ON_HOLD:
 				/* has already been logged */
+				lib->credmgr->call_hook(lib->credmgr, CRED_HOOK_REVOKED,
+										subject);
 				return FALSE;
 			case VALIDATION_FAILED:
 			case VALIDATION_SKIPPED:
@@ -720,6 +724,8 @@ METHOD(cert_validator_t, validate, bool,
 				DBG1(DBG_CFG, "certificate status is unknown, crl is stale");
 				break;
 		}
+		lib->credmgr->call_hook(lib->credmgr, CRED_HOOK_VALIDATION_FAILED,
+								subject);
 	}
 	return TRUE;
 }
diff --git a/src/libstrongswan/plugins/sha1/Makefile.am b/src/libstrongswan/plugins/sha1/Makefile.am
index 4e539fd83..f5e7d946e 100644
--- a/src/libstrongswan/plugins/sha1/Makefile.am
+++ b/src/libstrongswan/plugins/sha1/Makefile.am
@@ -1,7 +1,8 @@
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan
 
-INCLUDES = -I$(top_srcdir)/src/libstrongswan
-
-AM_CFLAGS = -rdynamic
+AM_CFLAGS = \
+	-rdynamic
 
 if MONOLITHIC
 noinst_LTLIBRARIES = libstrongswan-sha1.la
diff --git a/src/libstrongswan/plugins/sha1/Makefile.in b/src/libstrongswan/plugins/sha1/Makefile.in
index 4cb0a0907..9ac3e5be2 100644
--- a/src/libstrongswan/plugins/sha1/Makefile.in
+++ b/src/libstrongswan/plugins/sha1/Makefile.in
@@ -62,7 +62,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
@@ -102,9 +102,13 @@ libstrongswan_sha1_la_LIBADD =
 am_libstrongswan_sha1_la_OBJECTS = sha1_plugin.lo sha1_hasher.lo \
 	sha1_prf.lo
 libstrongswan_sha1_la_OBJECTS = $(am_libstrongswan_sha1_la_OBJECTS)
-libstrongswan_sha1_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
-	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
-	$(libstrongswan_sha1_la_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+libstrongswan_sha1_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
+	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
+	$(AM_CFLAGS) $(CFLAGS) $(libstrongswan_sha1_la_LDFLAGS) \
+	$(LDFLAGS) -o $@
 @MONOLITHIC_FALSE@am_libstrongswan_sha1_la_rpath = -rpath $(plugindir)
 @MONOLITHIC_TRUE@am_libstrongswan_sha1_la_rpath =
 DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
@@ -113,13 +117,26 @@ am__depfiles_maybe = depfiles
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
 SOURCES = $(libstrongswan_sha1_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_sha1_la_SOURCES)
 am__can_run_installinfo = \
@@ -133,6 +150,7 @@ DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
@@ -145,6 +163,8 @@ CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
 CHECK_CFLAGS = @CHECK_CFLAGS@
 CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -160,6 +180,7 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
 GPRBUILD = @GPRBUILD@
 GREP = @GREP@
@@ -168,6 +189,7 @@ INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -214,6 +236,7 @@ SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -242,6 +265,7 @@ charon_natt_port = @charon_natt_port@
 charon_plugins = @charon_plugins@
 charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
@@ -319,8 +343,12 @@ top_srcdir = @top_srcdir@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-INCLUDES = -I$(top_srcdir)/src/libstrongswan
-AM_CFLAGS = -rdynamic
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan
+
+AM_CFLAGS = \
+	-rdynamic
+
 @MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-sha1.la
 @MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-sha1.la
 libstrongswan_sha1_la_SOURCES = \
@@ -404,7 +432,7 @@ clean-pluginLTLIBRARIES:
 	  rm -f "$${dir}/so_locations"; \
 	done
 libstrongswan-sha1.la: $(libstrongswan_sha1_la_OBJECTS) $(libstrongswan_sha1_la_DEPENDENCIES) $(EXTRA_libstrongswan_sha1_la_DEPENDENCIES) 
-	$(libstrongswan_sha1_la_LINK) $(am_libstrongswan_sha1_la_rpath) $(libstrongswan_sha1_la_OBJECTS) $(libstrongswan_sha1_la_LIBADD) $(LIBS)
+	$(AM_V_CCLD)$(libstrongswan_sha1_la_LINK) $(am_libstrongswan_sha1_la_rpath) $(libstrongswan_sha1_la_OBJECTS) $(libstrongswan_sha1_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -417,25 +445,25 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/sha1_prf.Plo@am__quote@
 
 .c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
 mostlyclean-libtool:
 	-rm -f *.lo
diff --git a/src/libstrongswan/plugins/sha2/Makefile.am b/src/libstrongswan/plugins/sha2/Makefile.am
index a255d0609..cdd8696cd 100644
--- a/src/libstrongswan/plugins/sha2/Makefile.am
+++ b/src/libstrongswan/plugins/sha2/Makefile.am
@@ -1,7 +1,8 @@
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan
 
-INCLUDES = -I$(top_srcdir)/src/libstrongswan
-
-AM_CFLAGS = -rdynamic
+AM_CFLAGS = \
+	-rdynamic
 
 if MONOLITHIC
 noinst_LTLIBRARIES = libstrongswan-sha2.la
diff --git a/src/libstrongswan/plugins/sha2/Makefile.in b/src/libstrongswan/plugins/sha2/Makefile.in
index 09fed2bdb..aa7699163 100644
--- a/src/libstrongswan/plugins/sha2/Makefile.in
+++ b/src/libstrongswan/plugins/sha2/Makefile.in
@@ -62,7 +62,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
@@ -101,9 +101,13 @@ LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
 libstrongswan_sha2_la_LIBADD =
 am_libstrongswan_sha2_la_OBJECTS = sha2_plugin.lo sha2_hasher.lo
 libstrongswan_sha2_la_OBJECTS = $(am_libstrongswan_sha2_la_OBJECTS)
-libstrongswan_sha2_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
-	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
-	$(libstrongswan_sha2_la_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+libstrongswan_sha2_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
+	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
+	$(AM_CFLAGS) $(CFLAGS) $(libstrongswan_sha2_la_LDFLAGS) \
+	$(LDFLAGS) -o $@
 @MONOLITHIC_FALSE@am_libstrongswan_sha2_la_rpath = -rpath $(plugindir)
 @MONOLITHIC_TRUE@am_libstrongswan_sha2_la_rpath =
 DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
@@ -112,13 +116,26 @@ am__depfiles_maybe = depfiles
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
 SOURCES = $(libstrongswan_sha2_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_sha2_la_SOURCES)
 am__can_run_installinfo = \
@@ -132,6 +149,7 @@ DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
@@ -144,6 +162,8 @@ CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
 CHECK_CFLAGS = @CHECK_CFLAGS@
 CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -159,6 +179,7 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
 GPRBUILD = @GPRBUILD@
 GREP = @GREP@
@@ -167,6 +188,7 @@ INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -213,6 +235,7 @@ SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -241,6 +264,7 @@ charon_natt_port = @charon_natt_port@
 charon_plugins = @charon_plugins@
 charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
@@ -318,8 +342,12 @@ top_srcdir = @top_srcdir@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-INCLUDES = -I$(top_srcdir)/src/libstrongswan
-AM_CFLAGS = -rdynamic
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan
+
+AM_CFLAGS = \
+	-rdynamic
+
 @MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-sha2.la
 @MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-sha2.la
 libstrongswan_sha2_la_SOURCES = \
@@ -402,7 +430,7 @@ clean-pluginLTLIBRARIES:
 	  rm -f "$${dir}/so_locations"; \
 	done
 libstrongswan-sha2.la: $(libstrongswan_sha2_la_OBJECTS) $(libstrongswan_sha2_la_DEPENDENCIES) $(EXTRA_libstrongswan_sha2_la_DEPENDENCIES) 
-	$(libstrongswan_sha2_la_LINK) $(am_libstrongswan_sha2_la_rpath) $(libstrongswan_sha2_la_OBJECTS) $(libstrongswan_sha2_la_LIBADD) $(LIBS)
+	$(AM_V_CCLD)$(libstrongswan_sha2_la_LINK) $(am_libstrongswan_sha2_la_rpath) $(libstrongswan_sha2_la_OBJECTS) $(libstrongswan_sha2_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -414,25 +442,25 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/sha2_plugin.Plo@am__quote@
 
 .c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
 mostlyclean-libtool:
 	-rm -f *.lo
diff --git a/src/libstrongswan/plugins/soup/Makefile.am b/src/libstrongswan/plugins/soup/Makefile.am
index 9006f1b7c..8df666f4c 100644
--- a/src/libstrongswan/plugins/soup/Makefile.am
+++ b/src/libstrongswan/plugins/soup/Makefile.am
@@ -1,7 +1,9 @@
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan
 
-INCLUDES = -I$(top_srcdir)/src/libstrongswan ${soup_CFLAGS}
-
-AM_CFLAGS = -rdynamic
+AM_CFLAGS = \
+	 ${soup_CFLAGS} \
+	-rdynamic
 
 if MONOLITHIC
 noinst_LTLIBRARIES = libstrongswan-soup.la
diff --git a/src/libstrongswan/plugins/soup/Makefile.in b/src/libstrongswan/plugins/soup/Makefile.in
index 8220dcaff..c28610eba 100644
--- a/src/libstrongswan/plugins/soup/Makefile.in
+++ b/src/libstrongswan/plugins/soup/Makefile.in
@@ -62,7 +62,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
@@ -102,9 +102,13 @@ am__DEPENDENCIES_1 =
 libstrongswan_soup_la_DEPENDENCIES = $(am__DEPENDENCIES_1)
 am_libstrongswan_soup_la_OBJECTS = soup_plugin.lo soup_fetcher.lo
 libstrongswan_soup_la_OBJECTS = $(am_libstrongswan_soup_la_OBJECTS)
-libstrongswan_soup_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
-	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
-	$(libstrongswan_soup_la_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+libstrongswan_soup_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
+	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
+	$(AM_CFLAGS) $(CFLAGS) $(libstrongswan_soup_la_LDFLAGS) \
+	$(LDFLAGS) -o $@
 @MONOLITHIC_FALSE@am_libstrongswan_soup_la_rpath = -rpath $(plugindir)
 @MONOLITHIC_TRUE@am_libstrongswan_soup_la_rpath =
 DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
@@ -113,13 +117,26 @@ am__depfiles_maybe = depfiles
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
 SOURCES = $(libstrongswan_soup_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_soup_la_SOURCES)
 am__can_run_installinfo = \
@@ -133,6 +150,7 @@ DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
@@ -145,6 +163,8 @@ CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
 CHECK_CFLAGS = @CHECK_CFLAGS@
 CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -160,6 +180,7 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
 GPRBUILD = @GPRBUILD@
 GREP = @GREP@
@@ -168,6 +189,7 @@ INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -214,6 +236,7 @@ SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -242,6 +265,7 @@ charon_natt_port = @charon_natt_port@
 charon_plugins = @charon_plugins@
 charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
@@ -319,8 +343,13 @@ top_srcdir = @top_srcdir@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-INCLUDES = -I$(top_srcdir)/src/libstrongswan ${soup_CFLAGS}
-AM_CFLAGS = -rdynamic
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan
+
+AM_CFLAGS = \
+	 ${soup_CFLAGS} \
+	-rdynamic
+
 @MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-soup.la
 @MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-soup.la
 libstrongswan_soup_la_SOURCES = \
@@ -404,7 +433,7 @@ clean-pluginLTLIBRARIES:
 	  rm -f "$${dir}/so_locations"; \
 	done
 libstrongswan-soup.la: $(libstrongswan_soup_la_OBJECTS) $(libstrongswan_soup_la_DEPENDENCIES) $(EXTRA_libstrongswan_soup_la_DEPENDENCIES) 
-	$(libstrongswan_soup_la_LINK) $(am_libstrongswan_soup_la_rpath) $(libstrongswan_soup_la_OBJECTS) $(libstrongswan_soup_la_LIBADD) $(LIBS)
+	$(AM_V_CCLD)$(libstrongswan_soup_la_LINK) $(am_libstrongswan_soup_la_rpath) $(libstrongswan_soup_la_OBJECTS) $(libstrongswan_soup_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -416,25 +445,25 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/soup_plugin.Plo@am__quote@
 
 .c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
 mostlyclean-libtool:
 	-rm -f *.lo
diff --git a/src/libstrongswan/plugins/soup/soup_plugin.c b/src/libstrongswan/plugins/soup/soup_plugin.c
index 1260a5a60..f57ed81c3 100644
--- a/src/libstrongswan/plugins/soup/soup_plugin.c
+++ b/src/libstrongswan/plugins/soup/soup_plugin.c
@@ -65,7 +65,9 @@ plugin_t *soup_plugin_create()
 {
 	private_soup_plugin_t *this;
 
+#if !GLIB_CHECK_VERSION(2,36,0)
 	g_type_init();
+#endif
 
 #if !GLIB_CHECK_VERSION(2,23,0)
 	if (!g_thread_get_initialized())
diff --git a/src/libstrongswan/plugins/sqlite/Makefile.am b/src/libstrongswan/plugins/sqlite/Makefile.am
index 2e1d9733f..717d6350d 100644
--- a/src/libstrongswan/plugins/sqlite/Makefile.am
+++ b/src/libstrongswan/plugins/sqlite/Makefile.am
@@ -1,7 +1,8 @@
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan
 
-INCLUDES = -I$(top_srcdir)/src/libstrongswan
-
-AM_CFLAGS = -rdynamic
+AM_CFLAGS = \
+	-rdynamic
 
 if MONOLITHIC
 noinst_LTLIBRARIES = libstrongswan-sqlite.la
@@ -15,4 +16,3 @@ libstrongswan_sqlite_la_SOURCES = \
 
 libstrongswan_sqlite_la_LDFLAGS = -module -avoid-version
 libstrongswan_sqlite_la_LIBADD  = -lsqlite3
-
diff --git a/src/libstrongswan/plugins/sqlite/Makefile.in b/src/libstrongswan/plugins/sqlite/Makefile.in
index 580cae7f1..15f70535f 100644
--- a/src/libstrongswan/plugins/sqlite/Makefile.in
+++ b/src/libstrongswan/plugins/sqlite/Makefile.in
@@ -62,7 +62,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
@@ -103,9 +103,13 @@ am_libstrongswan_sqlite_la_OBJECTS = sqlite_plugin.lo \
 	sqlite_database.lo
 libstrongswan_sqlite_la_OBJECTS =  \
 	$(am_libstrongswan_sqlite_la_OBJECTS)
-libstrongswan_sqlite_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
-	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
-	$(libstrongswan_sqlite_la_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+libstrongswan_sqlite_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
+	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
+	$(AM_CFLAGS) $(CFLAGS) $(libstrongswan_sqlite_la_LDFLAGS) \
+	$(LDFLAGS) -o $@
 @MONOLITHIC_FALSE@am_libstrongswan_sqlite_la_rpath = -rpath \
 @MONOLITHIC_FALSE@	$(plugindir)
 @MONOLITHIC_TRUE@am_libstrongswan_sqlite_la_rpath =
@@ -115,13 +119,26 @@ am__depfiles_maybe = depfiles
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
 SOURCES = $(libstrongswan_sqlite_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_sqlite_la_SOURCES)
 am__can_run_installinfo = \
@@ -135,6 +152,7 @@ DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
@@ -147,6 +165,8 @@ CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
 CHECK_CFLAGS = @CHECK_CFLAGS@
 CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -162,6 +182,7 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
 GPRBUILD = @GPRBUILD@
 GREP = @GREP@
@@ -170,6 +191,7 @@ INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -216,6 +238,7 @@ SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -244,6 +267,7 @@ charon_natt_port = @charon_natt_port@
 charon_plugins = @charon_plugins@
 charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
@@ -321,8 +345,12 @@ top_srcdir = @top_srcdir@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-INCLUDES = -I$(top_srcdir)/src/libstrongswan
-AM_CFLAGS = -rdynamic
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan
+
+AM_CFLAGS = \
+	-rdynamic
+
 @MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-sqlite.la
 @MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-sqlite.la
 libstrongswan_sqlite_la_SOURCES = \
@@ -407,7 +435,7 @@ clean-pluginLTLIBRARIES:
 	  rm -f "$${dir}/so_locations"; \
 	done
 libstrongswan-sqlite.la: $(libstrongswan_sqlite_la_OBJECTS) $(libstrongswan_sqlite_la_DEPENDENCIES) $(EXTRA_libstrongswan_sqlite_la_DEPENDENCIES) 
-	$(libstrongswan_sqlite_la_LINK) $(am_libstrongswan_sqlite_la_rpath) $(libstrongswan_sqlite_la_OBJECTS) $(libstrongswan_sqlite_la_LIBADD) $(LIBS)
+	$(AM_V_CCLD)$(libstrongswan_sqlite_la_LINK) $(am_libstrongswan_sqlite_la_rpath) $(libstrongswan_sqlite_la_OBJECTS) $(libstrongswan_sqlite_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -419,25 +447,25 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/sqlite_plugin.Plo@am__quote@
 
 .c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
 mostlyclean-libtool:
 	-rm -f *.lo
diff --git a/src/libstrongswan/plugins/sqlite/sqlite_database.c b/src/libstrongswan/plugins/sqlite/sqlite_database.c
index 1fb306579..41d45dee7 100644
--- a/src/libstrongswan/plugins/sqlite/sqlite_database.c
+++ b/src/libstrongswan/plugins/sqlite/sqlite_database.c
@@ -319,7 +319,7 @@ sqlite_database_t *sqlite_database_create(char *uri)
 	/**
 	 * parse sqlite:///path/to/file.db uri
 	 */
-	if (!strneq(uri, "sqlite://", 9))
+	if (!strpfx(uri, "sqlite://"))
 	{
 		return NULL;
 	}
diff --git a/src/libstrongswan/plugins/sshkey/Makefile.am b/src/libstrongswan/plugins/sshkey/Makefile.am
new file mode 100644
index 000000000..d2ec631a8
--- /dev/null
+++ b/src/libstrongswan/plugins/sshkey/Makefile.am
@@ -0,0 +1,17 @@
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan
+
+AM_CFLAGS = \
+	-rdynamic
+
+if MONOLITHIC
+noinst_LTLIBRARIES = libstrongswan-sshkey.la
+else
+plugin_LTLIBRARIES = libstrongswan-sshkey.la
+endif
+
+libstrongswan_sshkey_la_SOURCES = \
+	sshkey_plugin.h sshkey_plugin.c \
+	sshkey_builder.h sshkey_builder.c
+
+libstrongswan_sshkey_la_LDFLAGS = -module -avoid-version
diff --git a/src/libstrongswan/plugins/sshkey/Makefile.in b/src/libstrongswan/plugins/sshkey/Makefile.in
new file mode 100644
index 000000000..b7eeecc17
--- /dev/null
+++ b/src/libstrongswan/plugins/sshkey/Makefile.in
@@ -0,0 +1,685 @@
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
+pkgdatadir = $(datadir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+subdir = src/libstrongswan/plugins/sshkey
+DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+	$(top_srcdir)/m4/config/ltoptions.m4 \
+	$(top_srcdir)/m4/config/ltsugar.m4 \
+	$(top_srcdir)/m4/config/ltversion.m4 \
+	$(top_srcdir)/m4/config/lt~obsolete.m4 \
+	$(top_srcdir)/m4/macros/with.m4 \
+	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
+	$(top_srcdir)/configure.ac
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+	$(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_HEADER = $(top_builddir)/config.h
+CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+    *) f=$$p;; \
+  esac;
+am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
+am__install_max = 40
+am__nobase_strip_setup = \
+  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
+am__nobase_strip = \
+  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
+am__nobase_list = $(am__nobase_strip_setup); \
+  for p in $$list; do echo "$$p $$p"; done | \
+  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
+  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
+    if (++n[$$2] == $(am__install_max)) \
+      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
+    END { for (dir in files) print dir, files[dir] }'
+am__base_list = \
+  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
+  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
+am__installdirs = "$(DESTDIR)$(plugindir)"
+LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
+libstrongswan_sshkey_la_LIBADD =
+am_libstrongswan_sshkey_la_OBJECTS = sshkey_plugin.lo \
+	sshkey_builder.lo
+libstrongswan_sshkey_la_OBJECTS =  \
+	$(am_libstrongswan_sshkey_la_OBJECTS)
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+libstrongswan_sshkey_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
+	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
+	$(AM_CFLAGS) $(CFLAGS) $(libstrongswan_sshkey_la_LDFLAGS) \
+	$(LDFLAGS) -o $@
+@MONOLITHIC_FALSE@am_libstrongswan_sshkey_la_rpath = -rpath \
+@MONOLITHIC_FALSE@	$(plugindir)
+@MONOLITHIC_TRUE@am_libstrongswan_sshkey_la_rpath =
+DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
+depcomp = $(SHELL) $(top_srcdir)/depcomp
+am__depfiles_maybe = depfiles
+am__mv = mv -f
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
+CCLD = $(CC)
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
+SOURCES = $(libstrongswan_sshkey_la_SOURCES)
+DIST_SOURCES = $(libstrongswan_sshkey_la_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
+ETAGS = etags
+CTAGS = ctags
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
+AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+BFDLIB = @BFDLIB@
+BTLIB = @BTLIB@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
+DSYMUTIL = @DSYMUTIL@
+DUMPBIN = @DUMPBIN@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+FGREP = @FGREP@
+GENHTML = @GENHTML@
+GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
+GREP = @GREP@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
+LD = @LD@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LIPO = @LIPO@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
+MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
+NM = @NM@
+NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
+PTHREADLIB = @PTHREADLIB@
+RANLIB = @RANLIB@
+RTLIB = @RTLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
+SED = @SED@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
+STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
+VERSION = @VERSION@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+attest_plugins = @attest_plugins@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+c_plugins = @c_plugins@
+charon_natt_port = @charon_natt_port@
+charon_plugins = @charon_plugins@
+charon_udp_port = @charon_udp_port@
+clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
+datadir = @datadir@
+datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
+dev_headers = @dev_headers@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
+gtk_CFLAGS = @gtk_CFLAGS@
+gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+imcvdir = @imcvdir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+ipsec_script = @ipsec_script@
+ipsec_script_upper = @ipsec_script_upper@
+ipsecdir = @ipsecdir@
+ipsecgroup = @ipsecgroup@
+ipseclibdir = @ipseclibdir@
+ipsecuser = @ipsecuser@
+libdir = @libdir@
+libexecdir = @libexecdir@
+linux_headers = @linux_headers@
+localedir = @localedir@
+localstatedir = @localstatedir@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
+mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
+mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
+nm_plugins = @nm_plugins@
+oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+pcsclite_CFLAGS = @pcsclite_CFLAGS@
+pcsclite_LIBS = @pcsclite_LIBS@
+pdfdir = @pdfdir@
+piddir = @piddir@
+pki_plugins = @pki_plugins@
+plugindir = @plugindir@
+pool_plugins = @pool_plugins@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+random_device = @random_device@
+resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
+sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
+sharedstatedir = @sharedstatedir@
+soup_CFLAGS = @soup_CFLAGS@
+soup_LIBS = @soup_LIBS@
+srcdir = @srcdir@
+starter_plugins = @starter_plugins@
+strongswan_conf = @strongswan_conf@
+sysconfdir = @sysconfdir@
+systemdsystemunitdir = @systemdsystemunitdir@
+target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+urandom_device = @urandom_device@
+xml_CFLAGS = @xml_CFLAGS@
+xml_LIBS = @xml_LIBS@
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan
+
+AM_CFLAGS = \
+	-rdynamic
+
+@MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-sshkey.la
+@MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-sshkey.la
+libstrongswan_sshkey_la_SOURCES = \
+	sshkey_plugin.h sshkey_plugin.c \
+	sshkey_builder.h sshkey_builder.c
+
+libstrongswan_sshkey_la_LDFLAGS = -module -avoid-version
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .c .lo .o .obj
+$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
+	@for dep in $?; do \
+	  case '$(am__configure_deps)' in \
+	    *$$dep*) \
+	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+	        && { if test -f $@; then exit 0; else break; fi; }; \
+	      exit 1;; \
+	  esac; \
+	done; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libstrongswan/plugins/sshkey/Makefile'; \
+	$(am__cd) $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu src/libstrongswan/plugins/sshkey/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+	@case '$?' in \
+	  *config.status*) \
+	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+	  *) \
+	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+	esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure:  $(am__configure_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
+
+clean-noinstLTLIBRARIES:
+	-test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES)
+	@list='$(noinst_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
+	@$(NORMAL_INSTALL)
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	list2=; for p in $$list; do \
+	  if test -f $$p; then \
+	    list2="$$list2 $$p"; \
+	  else :; fi; \
+	done; \
+	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
+	}
+
+uninstall-pluginLTLIBRARIES:
+	@$(NORMAL_UNINSTALL)
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	for p in $$list; do \
+	  $(am__strip_dir) \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \
+	done
+
+clean-pluginLTLIBRARIES:
+	-test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES)
+	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+libstrongswan-sshkey.la: $(libstrongswan_sshkey_la_OBJECTS) $(libstrongswan_sshkey_la_DEPENDENCIES) $(EXTRA_libstrongswan_sshkey_la_DEPENDENCIES) 
+	$(AM_V_CCLD)$(libstrongswan_sshkey_la_LINK) $(am_libstrongswan_sshkey_la_rpath) $(libstrongswan_sshkey_la_OBJECTS) $(libstrongswan_sshkey_la_LIBADD) $(LIBS)
+
+mostlyclean-compile:
+	-rm -f *.$(OBJEXT)
+
+distclean-compile:
+	-rm -f *.tab.c
+
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/sshkey_builder.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/sshkey_plugin.Plo@am__quote@
+
+.c.o:
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
+
+.c.obj:
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
+
+.c.lo:
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	mkid -fID $$unique
+tags: TAGS
+
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	set x; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	shift; \
+	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
+	  test -n "$$unique" || unique=$$empty_fix; \
+	  if test $$# -gt 0; then \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      "$$@" $$unique; \
+	  else \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      $$unique; \
+	  fi; \
+	fi
+ctags: CTAGS
+CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	test -z "$(CTAGS_ARGS)$$unique" \
+	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+	     $$unique
+
+GTAGS:
+	here=`$(am__cd) $(top_builddir) && pwd` \
+	  && $(am__cd) $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) "$$here"
+
+distclean-tags:
+	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+distdir: $(DISTFILES)
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
+	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d "$(distdir)/$$file"; then \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
+	  else \
+	    test -f "$(distdir)/$$file" \
+	    || cp -p $$d/$$file "$(distdir)/$$file" \
+	    || exit 1; \
+	  fi; \
+	done
+check-am: all-am
+check: check-am
+all-am: Makefile $(LTLIBRARIES)
+installdirs:
+	for dir in "$(DESTDIR)$(plugindir)"; do \
+	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
+	done
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
+
+maintainer-clean-generic:
+	@echo "This command is intended for maintainers to use"
+	@echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-generic clean-libtool clean-noinstLTLIBRARIES \
+	clean-pluginLTLIBRARIES mostlyclean-am
+
+distclean: distclean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+	distclean-tags
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+html-am:
+
+info: info-am
+
+info-am:
+
+install-data-am: install-pluginLTLIBRARIES
+
+install-dvi: install-dvi-am
+
+install-dvi-am:
+
+install-exec-am:
+
+install-html: install-html-am
+
+install-html-am:
+
+install-info: install-info-am
+
+install-info-am:
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-pdf-am:
+
+install-ps: install-ps-am
+
+install-ps-am:
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+	mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am: uninstall-pluginLTLIBRARIES
+
+.MAKE: install-am install-strip
+
+.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
+	clean-libtool clean-noinstLTLIBRARIES clean-pluginLTLIBRARIES \
+	ctags distclean distclean-compile distclean-generic \
+	distclean-libtool distclean-tags distdir dvi dvi-am html \
+	html-am info info-am install install-am install-data \
+	install-data-am install-dvi install-dvi-am install-exec \
+	install-exec-am install-html install-html-am install-info \
+	install-info-am install-man install-pdf install-pdf-am \
+	install-pluginLTLIBRARIES install-ps install-ps-am \
+	install-strip installcheck installcheck-am installdirs \
+	maintainer-clean maintainer-clean-generic mostlyclean \
+	mostlyclean-compile mostlyclean-generic mostlyclean-libtool \
+	pdf pdf-am ps ps-am tags uninstall uninstall-am \
+	uninstall-pluginLTLIBRARIES
+
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/src/libstrongswan/plugins/sshkey/sshkey_builder.c b/src/libstrongswan/plugins/sshkey/sshkey_builder.c
new file mode 100644
index 000000000..d6a7c645a
--- /dev/null
+++ b/src/libstrongswan/plugins/sshkey/sshkey_builder.c
@@ -0,0 +1,153 @@
+/*
+ * Copyright (C) 2013 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "sshkey_builder.h"
+
+#include <asn1/oid.h>
+#include <asn1/asn1.h>
+#include <bio/bio_reader.h>
+#include <utils/debug.h>
+
+#define ECDSA_PREFIX "ecdsa-sha2-"
+
+/**
+ * Parse an EC domain parameter identifier as defined in RFC 5656
+ */
+static chunk_t parse_ec_identifier(chunk_t identifier)
+{
+	chunk_t oid = chunk_empty;
+
+	if (chunk_equals(identifier, chunk_from_str("nistp256")))
+	{
+		oid = asn1_build_known_oid(OID_PRIME256V1);
+	}
+	else if (chunk_equals(identifier, chunk_from_str("nistp384")))
+	{
+		oid = asn1_build_known_oid(OID_SECT384R1);
+	}
+	else if (chunk_equals(identifier, chunk_from_str("nistp521")))
+	{
+		oid = asn1_build_known_oid(OID_SECT521R1);
+	}
+	else
+	{
+		char ascii[64];
+
+		if (snprintf(ascii, sizeof(ascii), "%.*s", (int)identifier.len,
+					 identifier.ptr) < sizeof(ascii))
+		{
+			oid = asn1_wrap(ASN1_OID, "m", asn1_oid_from_string(ascii));
+		}
+	}
+	return oid;
+}
+
+/**
+ * Load a generic public key from an SSH key blob
+ */
+static sshkey_public_key_t *parse_public_key(chunk_t blob)
+{
+	bio_reader_t *reader;
+	chunk_t format;
+
+	reader = bio_reader_create(blob);
+	if (!reader->read_data32(reader, &format))
+	{
+		DBG1(DBG_LIB, "invalid key format in SSH key");
+		reader->destroy(reader);
+		return NULL;
+	}
+	if (chunk_equals(format, chunk_from_str("ssh-rsa")))
+	{
+		chunk_t n, e;
+
+		if (!reader->read_data32(reader, &e) ||
+			!reader->read_data32(reader, &n))
+		{
+			DBG1(DBG_LIB, "invalid RSA key in SSH key");
+			reader->destroy(reader);
+			return NULL;
+		}
+		reader->destroy(reader);
+		return lib->creds->create(lib->creds, CRED_PUBLIC_KEY, KEY_RSA,
+						BUILD_RSA_MODULUS, n, BUILD_RSA_PUB_EXP, e, BUILD_END);
+	}
+	else if (format.len > strlen(ECDSA_PREFIX) &&
+			 strpfx(format.ptr, ECDSA_PREFIX))
+	{
+		chunk_t ec_blob, identifier, q, oid, encoded;
+		sshkey_public_key_t *key;
+
+		ec_blob = reader->peek(reader);
+		reader->destroy(reader);
+		reader = bio_reader_create(ec_blob);
+		if (!reader->read_data32(reader, &identifier) ||
+			!reader->read_data32(reader, &q))
+		{
+			DBG1(DBG_LIB, "invalid ECDSA key in SSH key");
+			reader->destroy(reader);
+			return NULL;
+		}
+		oid = parse_ec_identifier(identifier);
+		if (!oid.ptr)
+		{
+			DBG1(DBG_LIB, "invalid ECDSA key identifier in SSH key");
+			reader->destroy(reader);
+			return NULL;
+		}
+		reader->destroy(reader);
+		/* build key from subjectPublicKeyInfo */
+		encoded = asn1_wrap(ASN1_SEQUENCE, "mm",
+						asn1_wrap(ASN1_SEQUENCE, "mm",
+							asn1_build_known_oid(OID_EC_PUBLICKEY), oid),
+						asn1_bitstring("c", q));
+		key = lib->creds->create(lib->creds, CRED_PUBLIC_KEY,
+							KEY_ECDSA, BUILD_BLOB_ASN1_DER, encoded, BUILD_END);
+		chunk_free(&encoded);
+		return key;
+	}
+	DBG1(DBG_LIB, "unsupported SSH key format %.*s", (int)format.len,
+		 format.ptr);
+	reader->destroy(reader);
+	return NULL;
+}
+
+/**
+ * See header.
+ */
+sshkey_public_key_t *sshkey_public_key_load(key_type_t type, va_list args)
+{
+	chunk_t blob = chunk_empty;
+
+	while (TRUE)
+	{
+		switch (va_arg(args, builder_part_t))
+		{
+			case BUILD_BLOB_SSHKEY:
+				blob = va_arg(args, chunk_t);
+				continue;
+			case BUILD_END:
+				break;
+			default:
+				return NULL;
+		}
+		break;
+	}
+	if (blob.ptr && type == KEY_ANY)
+	{
+		return parse_public_key(blob);
+	}
+	return NULL;
+}
diff --git a/src/libstrongswan/plugins/sshkey/sshkey_builder.h b/src/libstrongswan/plugins/sshkey/sshkey_builder.h
new file mode 100644
index 000000000..e4c7a90d0
--- /dev/null
+++ b/src/libstrongswan/plugins/sshkey/sshkey_builder.h
@@ -0,0 +1,51 @@
+/*
+ * Copyright (C) 2013 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup sshky_public_key sshky_public_key
+ * @{ @ingroup sshkey_p
+ */
+
+#ifndef SSHKEY_BUILDER_H_
+#define SSHKEY_BUILDER_H_
+
+#include <credentials/builder.h>
+#include <credentials/keys/public_key.h>
+
+typedef struct sshkey_public_key_t sshkey_public_key_t;
+
+/**
+ * Public key implementation supporting RFC 4253 decoding.
+ */
+struct sshkey_public_key_t {
+
+	/**
+	 * Implements public_key_t interface.
+	 */
+	public_key_t interface;
+};
+
+/**
+ * Load a public key in RFC 4253 format.
+ *
+ * Takes a BUILD_BLOB_SSHKEY to parse the public key.
+ *
+ * @param type		type of the key, must be KEY_ANY
+ * @param args		builder_part_t argument list
+ * @return 			built key, NULL on failure
+ */
+sshkey_public_key_t *sshkey_public_key_load(key_type_t type, va_list args);
+
+#endif /** SSHKEY_BUILDER_H_ @}*/
diff --git a/src/libstrongswan/plugins/sshkey/sshkey_plugin.c b/src/libstrongswan/plugins/sshkey/sshkey_plugin.c
new file mode 100644
index 000000000..fe6252671
--- /dev/null
+++ b/src/libstrongswan/plugins/sshkey/sshkey_plugin.c
@@ -0,0 +1,75 @@
+/*
+ * Copyright (C) 2013 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "sshkey_plugin.h"
+
+#include <library.h>
+#include "sshkey_builder.h"
+
+typedef struct private_sshkey_plugin_t private_sshkey_plugin_t;
+
+/**
+ * private data of sshkey_plugin
+ */
+struct private_sshkey_plugin_t {
+
+	/**
+	 * public functions
+	 */
+	sshkey_plugin_t public;
+};
+
+METHOD(plugin_t, get_name, char*,
+	private_sshkey_plugin_t *this)
+{
+	return "sshkey";
+}
+
+METHOD(plugin_t, get_features, int,
+	private_sshkey_plugin_t *this, plugin_feature_t *features[])
+{
+	static plugin_feature_t f[] = {
+		PLUGIN_REGISTER(PUBKEY, sshkey_public_key_load, FALSE),
+			PLUGIN_PROVIDE(PUBKEY, KEY_ANY),
+	};
+	*features = f;
+	return countof(f);
+}
+
+METHOD(plugin_t, destroy, void,
+	private_sshkey_plugin_t *this)
+{
+	free(this);
+}
+
+/*
+ * see header file
+ */
+plugin_t *sshkey_plugin_create()
+{
+	private_sshkey_plugin_t *this;
+
+	INIT(this,
+		.public = {
+			.plugin = {
+				.get_name = _get_name,
+				.get_features = _get_features,
+				.destroy = _destroy,
+			},
+		},
+	);
+
+	return &this->public.plugin;
+}
diff --git a/src/libstrongswan/plugins/sshkey/sshkey_plugin.h b/src/libstrongswan/plugins/sshkey/sshkey_plugin.h
new file mode 100644
index 000000000..2b9095a98
--- /dev/null
+++ b/src/libstrongswan/plugins/sshkey/sshkey_plugin.h
@@ -0,0 +1,42 @@
+/*
+ * Copyright (C) 2013 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup sshkey_p sshkey
+ * @ingroup plugins
+ *
+ * @defgroup sshkey_plugin sshkey_plugin
+ * @{ @ingroup sshkey_p
+ */
+
+#ifndef SSHKEY_PLUGIN_H_
+#define SSHKEY_PLUGIN_H_
+
+#include <plugins/plugin.h>
+
+typedef struct sshkey_plugin_t sshkey_plugin_t;
+
+/**
+ * Plugin providing RFC 4253 public key decoding functions.
+ */
+struct sshkey_plugin_t {
+
+	/**
+	 * implements plugin interface
+	 */
+	plugin_t plugin;
+};
+
+#endif /** SSHKEY_PLUGIN_H_ @}*/
diff --git a/src/libstrongswan/plugins/test_vectors/Makefile.am b/src/libstrongswan/plugins/test_vectors/Makefile.am
index 5280300a8..6dcad400d 100644
--- a/src/libstrongswan/plugins/test_vectors/Makefile.am
+++ b/src/libstrongswan/plugins/test_vectors/Makefile.am
@@ -1,7 +1,8 @@
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan
 
-INCLUDES = -I$(top_srcdir)/src/libstrongswan
-
-AM_CFLAGS = -rdynamic
+AM_CFLAGS = \
+	-rdynamic
 
 if MONOLITHIC
 noinst_LTLIBRARIES = libstrongswan-test-vectors.la
@@ -26,6 +27,7 @@ libstrongswan_test_vectors_la_SOURCES = \
 	test_vectors/des.c \
 	test_vectors/idea.c \
 	test_vectors/null.c \
+	test_vectors/rc2.c \
 	test_vectors/rc5.c \
 	test_vectors/serpent_cbc.c \
 	test_vectors/twofish_cbc.c \
diff --git a/src/libstrongswan/plugins/test_vectors/Makefile.in b/src/libstrongswan/plugins/test_vectors/Makefile.in
index f468cc3fd..e00a7d75e 100644
--- a/src/libstrongswan/plugins/test_vectors/Makefile.in
+++ b/src/libstrongswan/plugins/test_vectors/Makefile.in
@@ -62,7 +62,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
@@ -103,12 +103,15 @@ am_libstrongswan_test_vectors_la_OBJECTS = test_vectors_plugin.lo \
 	3des_cbc.lo aes_cbc.lo aes_ctr.lo aes_xcbc.lo aes_cmac.lo \
 	aes_ccm.lo aes_gcm.lo blowfish.lo camellia_cbc.lo \
 	camellia_ctr.lo camellia_xcbc.lo cast.lo des.lo idea.lo \
-	null.lo rc5.lo serpent_cbc.lo twofish_cbc.lo md2.lo md4.lo \
-	md5.lo md5_hmac.lo sha1.lo sha1_hmac.lo sha2.lo sha2_hmac.lo \
-	fips_prf.lo rng.lo
+	null.lo rc2.lo rc5.lo serpent_cbc.lo twofish_cbc.lo md2.lo \
+	md4.lo md5.lo md5_hmac.lo sha1.lo sha1_hmac.lo sha2.lo \
+	sha2_hmac.lo fips_prf.lo rng.lo
 libstrongswan_test_vectors_la_OBJECTS =  \
 	$(am_libstrongswan_test_vectors_la_OBJECTS)
-libstrongswan_test_vectors_la_LINK = $(LIBTOOL) --tag=CC \
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+libstrongswan_test_vectors_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
 	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
 	$(AM_CFLAGS) $(CFLAGS) \
 	$(libstrongswan_test_vectors_la_LDFLAGS) $(LDFLAGS) -o $@
@@ -121,13 +124,26 @@ am__depfiles_maybe = depfiles
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
 SOURCES = $(libstrongswan_test_vectors_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_test_vectors_la_SOURCES)
 am__can_run_installinfo = \
@@ -141,6 +157,7 @@ DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
@@ -153,6 +170,8 @@ CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
 CHECK_CFLAGS = @CHECK_CFLAGS@
 CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -168,6 +187,7 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
 GPRBUILD = @GPRBUILD@
 GREP = @GREP@
@@ -176,6 +196,7 @@ INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -222,6 +243,7 @@ SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -250,6 +272,7 @@ charon_natt_port = @charon_natt_port@
 charon_plugins = @charon_plugins@
 charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
@@ -327,8 +350,12 @@ top_srcdir = @top_srcdir@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-INCLUDES = -I$(top_srcdir)/src/libstrongswan
-AM_CFLAGS = -rdynamic
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan
+
+AM_CFLAGS = \
+	-rdynamic
+
 @MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-test-vectors.la
 @MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-test-vectors.la
 libstrongswan_test_vectors_la_SOURCES = \
@@ -348,6 +375,7 @@ libstrongswan_test_vectors_la_SOURCES = \
 	test_vectors/des.c \
 	test_vectors/idea.c \
 	test_vectors/null.c \
+	test_vectors/rc2.c \
 	test_vectors/rc5.c \
 	test_vectors/serpent_cbc.c \
 	test_vectors/twofish_cbc.c \
@@ -439,7 +467,7 @@ clean-pluginLTLIBRARIES:
 	  rm -f "$${dir}/so_locations"; \
 	done
 libstrongswan-test-vectors.la: $(libstrongswan_test_vectors_la_OBJECTS) $(libstrongswan_test_vectors_la_DEPENDENCIES) $(EXTRA_libstrongswan_test_vectors_la_DEPENDENCIES) 
-	$(libstrongswan_test_vectors_la_LINK) $(am_libstrongswan_test_vectors_la_rpath) $(libstrongswan_test_vectors_la_OBJECTS) $(libstrongswan_test_vectors_la_LIBADD) $(LIBS)
+	$(AM_V_CCLD)$(libstrongswan_test_vectors_la_LINK) $(am_libstrongswan_test_vectors_la_rpath) $(libstrongswan_test_vectors_la_OBJECTS) $(libstrongswan_test_vectors_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -467,6 +495,7 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/md5.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/md5_hmac.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/null.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/rc2.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/rc5.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/rng.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/serpent_cbc.Plo@am__quote@
@@ -478,221 +507,228 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/twofish_cbc.Plo@am__quote@
 
 .c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
 3des_cbc.lo: test_vectors/3des_cbc.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT 3des_cbc.lo -MD -MP -MF $(DEPDIR)/3des_cbc.Tpo -c -o 3des_cbc.lo `test -f 'test_vectors/3des_cbc.c' || echo '$(srcdir)/'`test_vectors/3des_cbc.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/3des_cbc.Tpo $(DEPDIR)/3des_cbc.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='test_vectors/3des_cbc.c' object='3des_cbc.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT 3des_cbc.lo -MD -MP -MF $(DEPDIR)/3des_cbc.Tpo -c -o 3des_cbc.lo `test -f 'test_vectors/3des_cbc.c' || echo '$(srcdir)/'`test_vectors/3des_cbc.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/3des_cbc.Tpo $(DEPDIR)/3des_cbc.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='test_vectors/3des_cbc.c' object='3des_cbc.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o 3des_cbc.lo `test -f 'test_vectors/3des_cbc.c' || echo '$(srcdir)/'`test_vectors/3des_cbc.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o 3des_cbc.lo `test -f 'test_vectors/3des_cbc.c' || echo '$(srcdir)/'`test_vectors/3des_cbc.c
 
 aes_cbc.lo: test_vectors/aes_cbc.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT aes_cbc.lo -MD -MP -MF $(DEPDIR)/aes_cbc.Tpo -c -o aes_cbc.lo `test -f 'test_vectors/aes_cbc.c' || echo '$(srcdir)/'`test_vectors/aes_cbc.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/aes_cbc.Tpo $(DEPDIR)/aes_cbc.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='test_vectors/aes_cbc.c' object='aes_cbc.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT aes_cbc.lo -MD -MP -MF $(DEPDIR)/aes_cbc.Tpo -c -o aes_cbc.lo `test -f 'test_vectors/aes_cbc.c' || echo '$(srcdir)/'`test_vectors/aes_cbc.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/aes_cbc.Tpo $(DEPDIR)/aes_cbc.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='test_vectors/aes_cbc.c' object='aes_cbc.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o aes_cbc.lo `test -f 'test_vectors/aes_cbc.c' || echo '$(srcdir)/'`test_vectors/aes_cbc.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o aes_cbc.lo `test -f 'test_vectors/aes_cbc.c' || echo '$(srcdir)/'`test_vectors/aes_cbc.c
 
 aes_ctr.lo: test_vectors/aes_ctr.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT aes_ctr.lo -MD -MP -MF $(DEPDIR)/aes_ctr.Tpo -c -o aes_ctr.lo `test -f 'test_vectors/aes_ctr.c' || echo '$(srcdir)/'`test_vectors/aes_ctr.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/aes_ctr.Tpo $(DEPDIR)/aes_ctr.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='test_vectors/aes_ctr.c' object='aes_ctr.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT aes_ctr.lo -MD -MP -MF $(DEPDIR)/aes_ctr.Tpo -c -o aes_ctr.lo `test -f 'test_vectors/aes_ctr.c' || echo '$(srcdir)/'`test_vectors/aes_ctr.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/aes_ctr.Tpo $(DEPDIR)/aes_ctr.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='test_vectors/aes_ctr.c' object='aes_ctr.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o aes_ctr.lo `test -f 'test_vectors/aes_ctr.c' || echo '$(srcdir)/'`test_vectors/aes_ctr.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o aes_ctr.lo `test -f 'test_vectors/aes_ctr.c' || echo '$(srcdir)/'`test_vectors/aes_ctr.c
 
 aes_xcbc.lo: test_vectors/aes_xcbc.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT aes_xcbc.lo -MD -MP -MF $(DEPDIR)/aes_xcbc.Tpo -c -o aes_xcbc.lo `test -f 'test_vectors/aes_xcbc.c' || echo '$(srcdir)/'`test_vectors/aes_xcbc.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/aes_xcbc.Tpo $(DEPDIR)/aes_xcbc.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='test_vectors/aes_xcbc.c' object='aes_xcbc.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT aes_xcbc.lo -MD -MP -MF $(DEPDIR)/aes_xcbc.Tpo -c -o aes_xcbc.lo `test -f 'test_vectors/aes_xcbc.c' || echo '$(srcdir)/'`test_vectors/aes_xcbc.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/aes_xcbc.Tpo $(DEPDIR)/aes_xcbc.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='test_vectors/aes_xcbc.c' object='aes_xcbc.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o aes_xcbc.lo `test -f 'test_vectors/aes_xcbc.c' || echo '$(srcdir)/'`test_vectors/aes_xcbc.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o aes_xcbc.lo `test -f 'test_vectors/aes_xcbc.c' || echo '$(srcdir)/'`test_vectors/aes_xcbc.c
 
 aes_cmac.lo: test_vectors/aes_cmac.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT aes_cmac.lo -MD -MP -MF $(DEPDIR)/aes_cmac.Tpo -c -o aes_cmac.lo `test -f 'test_vectors/aes_cmac.c' || echo '$(srcdir)/'`test_vectors/aes_cmac.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/aes_cmac.Tpo $(DEPDIR)/aes_cmac.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='test_vectors/aes_cmac.c' object='aes_cmac.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT aes_cmac.lo -MD -MP -MF $(DEPDIR)/aes_cmac.Tpo -c -o aes_cmac.lo `test -f 'test_vectors/aes_cmac.c' || echo '$(srcdir)/'`test_vectors/aes_cmac.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/aes_cmac.Tpo $(DEPDIR)/aes_cmac.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='test_vectors/aes_cmac.c' object='aes_cmac.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o aes_cmac.lo `test -f 'test_vectors/aes_cmac.c' || echo '$(srcdir)/'`test_vectors/aes_cmac.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o aes_cmac.lo `test -f 'test_vectors/aes_cmac.c' || echo '$(srcdir)/'`test_vectors/aes_cmac.c
 
 aes_ccm.lo: test_vectors/aes_ccm.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT aes_ccm.lo -MD -MP -MF $(DEPDIR)/aes_ccm.Tpo -c -o aes_ccm.lo `test -f 'test_vectors/aes_ccm.c' || echo '$(srcdir)/'`test_vectors/aes_ccm.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/aes_ccm.Tpo $(DEPDIR)/aes_ccm.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='test_vectors/aes_ccm.c' object='aes_ccm.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT aes_ccm.lo -MD -MP -MF $(DEPDIR)/aes_ccm.Tpo -c -o aes_ccm.lo `test -f 'test_vectors/aes_ccm.c' || echo '$(srcdir)/'`test_vectors/aes_ccm.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/aes_ccm.Tpo $(DEPDIR)/aes_ccm.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='test_vectors/aes_ccm.c' object='aes_ccm.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o aes_ccm.lo `test -f 'test_vectors/aes_ccm.c' || echo '$(srcdir)/'`test_vectors/aes_ccm.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o aes_ccm.lo `test -f 'test_vectors/aes_ccm.c' || echo '$(srcdir)/'`test_vectors/aes_ccm.c
 
 aes_gcm.lo: test_vectors/aes_gcm.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT aes_gcm.lo -MD -MP -MF $(DEPDIR)/aes_gcm.Tpo -c -o aes_gcm.lo `test -f 'test_vectors/aes_gcm.c' || echo '$(srcdir)/'`test_vectors/aes_gcm.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/aes_gcm.Tpo $(DEPDIR)/aes_gcm.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='test_vectors/aes_gcm.c' object='aes_gcm.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT aes_gcm.lo -MD -MP -MF $(DEPDIR)/aes_gcm.Tpo -c -o aes_gcm.lo `test -f 'test_vectors/aes_gcm.c' || echo '$(srcdir)/'`test_vectors/aes_gcm.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/aes_gcm.Tpo $(DEPDIR)/aes_gcm.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='test_vectors/aes_gcm.c' object='aes_gcm.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o aes_gcm.lo `test -f 'test_vectors/aes_gcm.c' || echo '$(srcdir)/'`test_vectors/aes_gcm.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o aes_gcm.lo `test -f 'test_vectors/aes_gcm.c' || echo '$(srcdir)/'`test_vectors/aes_gcm.c
 
 blowfish.lo: test_vectors/blowfish.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT blowfish.lo -MD -MP -MF $(DEPDIR)/blowfish.Tpo -c -o blowfish.lo `test -f 'test_vectors/blowfish.c' || echo '$(srcdir)/'`test_vectors/blowfish.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/blowfish.Tpo $(DEPDIR)/blowfish.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='test_vectors/blowfish.c' object='blowfish.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT blowfish.lo -MD -MP -MF $(DEPDIR)/blowfish.Tpo -c -o blowfish.lo `test -f 'test_vectors/blowfish.c' || echo '$(srcdir)/'`test_vectors/blowfish.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/blowfish.Tpo $(DEPDIR)/blowfish.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='test_vectors/blowfish.c' object='blowfish.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o blowfish.lo `test -f 'test_vectors/blowfish.c' || echo '$(srcdir)/'`test_vectors/blowfish.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o blowfish.lo `test -f 'test_vectors/blowfish.c' || echo '$(srcdir)/'`test_vectors/blowfish.c
 
 camellia_cbc.lo: test_vectors/camellia_cbc.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT camellia_cbc.lo -MD -MP -MF $(DEPDIR)/camellia_cbc.Tpo -c -o camellia_cbc.lo `test -f 'test_vectors/camellia_cbc.c' || echo '$(srcdir)/'`test_vectors/camellia_cbc.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/camellia_cbc.Tpo $(DEPDIR)/camellia_cbc.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='test_vectors/camellia_cbc.c' object='camellia_cbc.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT camellia_cbc.lo -MD -MP -MF $(DEPDIR)/camellia_cbc.Tpo -c -o camellia_cbc.lo `test -f 'test_vectors/camellia_cbc.c' || echo '$(srcdir)/'`test_vectors/camellia_cbc.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/camellia_cbc.Tpo $(DEPDIR)/camellia_cbc.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='test_vectors/camellia_cbc.c' object='camellia_cbc.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o camellia_cbc.lo `test -f 'test_vectors/camellia_cbc.c' || echo '$(srcdir)/'`test_vectors/camellia_cbc.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o camellia_cbc.lo `test -f 'test_vectors/camellia_cbc.c' || echo '$(srcdir)/'`test_vectors/camellia_cbc.c
 
 camellia_ctr.lo: test_vectors/camellia_ctr.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT camellia_ctr.lo -MD -MP -MF $(DEPDIR)/camellia_ctr.Tpo -c -o camellia_ctr.lo `test -f 'test_vectors/camellia_ctr.c' || echo '$(srcdir)/'`test_vectors/camellia_ctr.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/camellia_ctr.Tpo $(DEPDIR)/camellia_ctr.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='test_vectors/camellia_ctr.c' object='camellia_ctr.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT camellia_ctr.lo -MD -MP -MF $(DEPDIR)/camellia_ctr.Tpo -c -o camellia_ctr.lo `test -f 'test_vectors/camellia_ctr.c' || echo '$(srcdir)/'`test_vectors/camellia_ctr.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/camellia_ctr.Tpo $(DEPDIR)/camellia_ctr.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='test_vectors/camellia_ctr.c' object='camellia_ctr.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o camellia_ctr.lo `test -f 'test_vectors/camellia_ctr.c' || echo '$(srcdir)/'`test_vectors/camellia_ctr.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o camellia_ctr.lo `test -f 'test_vectors/camellia_ctr.c' || echo '$(srcdir)/'`test_vectors/camellia_ctr.c
 
 camellia_xcbc.lo: test_vectors/camellia_xcbc.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT camellia_xcbc.lo -MD -MP -MF $(DEPDIR)/camellia_xcbc.Tpo -c -o camellia_xcbc.lo `test -f 'test_vectors/camellia_xcbc.c' || echo '$(srcdir)/'`test_vectors/camellia_xcbc.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/camellia_xcbc.Tpo $(DEPDIR)/camellia_xcbc.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='test_vectors/camellia_xcbc.c' object='camellia_xcbc.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT camellia_xcbc.lo -MD -MP -MF $(DEPDIR)/camellia_xcbc.Tpo -c -o camellia_xcbc.lo `test -f 'test_vectors/camellia_xcbc.c' || echo '$(srcdir)/'`test_vectors/camellia_xcbc.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/camellia_xcbc.Tpo $(DEPDIR)/camellia_xcbc.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='test_vectors/camellia_xcbc.c' object='camellia_xcbc.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o camellia_xcbc.lo `test -f 'test_vectors/camellia_xcbc.c' || echo '$(srcdir)/'`test_vectors/camellia_xcbc.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o camellia_xcbc.lo `test -f 'test_vectors/camellia_xcbc.c' || echo '$(srcdir)/'`test_vectors/camellia_xcbc.c
 
 cast.lo: test_vectors/cast.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT cast.lo -MD -MP -MF $(DEPDIR)/cast.Tpo -c -o cast.lo `test -f 'test_vectors/cast.c' || echo '$(srcdir)/'`test_vectors/cast.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/cast.Tpo $(DEPDIR)/cast.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='test_vectors/cast.c' object='cast.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT cast.lo -MD -MP -MF $(DEPDIR)/cast.Tpo -c -o cast.lo `test -f 'test_vectors/cast.c' || echo '$(srcdir)/'`test_vectors/cast.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/cast.Tpo $(DEPDIR)/cast.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='test_vectors/cast.c' object='cast.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o cast.lo `test -f 'test_vectors/cast.c' || echo '$(srcdir)/'`test_vectors/cast.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o cast.lo `test -f 'test_vectors/cast.c' || echo '$(srcdir)/'`test_vectors/cast.c
 
 des.lo: test_vectors/des.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT des.lo -MD -MP -MF $(DEPDIR)/des.Tpo -c -o des.lo `test -f 'test_vectors/des.c' || echo '$(srcdir)/'`test_vectors/des.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/des.Tpo $(DEPDIR)/des.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='test_vectors/des.c' object='des.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT des.lo -MD -MP -MF $(DEPDIR)/des.Tpo -c -o des.lo `test -f 'test_vectors/des.c' || echo '$(srcdir)/'`test_vectors/des.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/des.Tpo $(DEPDIR)/des.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='test_vectors/des.c' object='des.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o des.lo `test -f 'test_vectors/des.c' || echo '$(srcdir)/'`test_vectors/des.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o des.lo `test -f 'test_vectors/des.c' || echo '$(srcdir)/'`test_vectors/des.c
 
 idea.lo: test_vectors/idea.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT idea.lo -MD -MP -MF $(DEPDIR)/idea.Tpo -c -o idea.lo `test -f 'test_vectors/idea.c' || echo '$(srcdir)/'`test_vectors/idea.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/idea.Tpo $(DEPDIR)/idea.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='test_vectors/idea.c' object='idea.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT idea.lo -MD -MP -MF $(DEPDIR)/idea.Tpo -c -o idea.lo `test -f 'test_vectors/idea.c' || echo '$(srcdir)/'`test_vectors/idea.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/idea.Tpo $(DEPDIR)/idea.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='test_vectors/idea.c' object='idea.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o idea.lo `test -f 'test_vectors/idea.c' || echo '$(srcdir)/'`test_vectors/idea.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o idea.lo `test -f 'test_vectors/idea.c' || echo '$(srcdir)/'`test_vectors/idea.c
 
 null.lo: test_vectors/null.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT null.lo -MD -MP -MF $(DEPDIR)/null.Tpo -c -o null.lo `test -f 'test_vectors/null.c' || echo '$(srcdir)/'`test_vectors/null.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/null.Tpo $(DEPDIR)/null.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='test_vectors/null.c' object='null.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT null.lo -MD -MP -MF $(DEPDIR)/null.Tpo -c -o null.lo `test -f 'test_vectors/null.c' || echo '$(srcdir)/'`test_vectors/null.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/null.Tpo $(DEPDIR)/null.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='test_vectors/null.c' object='null.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o null.lo `test -f 'test_vectors/null.c' || echo '$(srcdir)/'`test_vectors/null.c
+
+rc2.lo: test_vectors/rc2.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT rc2.lo -MD -MP -MF $(DEPDIR)/rc2.Tpo -c -o rc2.lo `test -f 'test_vectors/rc2.c' || echo '$(srcdir)/'`test_vectors/rc2.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/rc2.Tpo $(DEPDIR)/rc2.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='test_vectors/rc2.c' object='rc2.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o null.lo `test -f 'test_vectors/null.c' || echo '$(srcdir)/'`test_vectors/null.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o rc2.lo `test -f 'test_vectors/rc2.c' || echo '$(srcdir)/'`test_vectors/rc2.c
 
 rc5.lo: test_vectors/rc5.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT rc5.lo -MD -MP -MF $(DEPDIR)/rc5.Tpo -c -o rc5.lo `test -f 'test_vectors/rc5.c' || echo '$(srcdir)/'`test_vectors/rc5.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/rc5.Tpo $(DEPDIR)/rc5.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='test_vectors/rc5.c' object='rc5.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT rc5.lo -MD -MP -MF $(DEPDIR)/rc5.Tpo -c -o rc5.lo `test -f 'test_vectors/rc5.c' || echo '$(srcdir)/'`test_vectors/rc5.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/rc5.Tpo $(DEPDIR)/rc5.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='test_vectors/rc5.c' object='rc5.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o rc5.lo `test -f 'test_vectors/rc5.c' || echo '$(srcdir)/'`test_vectors/rc5.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o rc5.lo `test -f 'test_vectors/rc5.c' || echo '$(srcdir)/'`test_vectors/rc5.c
 
 serpent_cbc.lo: test_vectors/serpent_cbc.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT serpent_cbc.lo -MD -MP -MF $(DEPDIR)/serpent_cbc.Tpo -c -o serpent_cbc.lo `test -f 'test_vectors/serpent_cbc.c' || echo '$(srcdir)/'`test_vectors/serpent_cbc.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/serpent_cbc.Tpo $(DEPDIR)/serpent_cbc.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='test_vectors/serpent_cbc.c' object='serpent_cbc.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT serpent_cbc.lo -MD -MP -MF $(DEPDIR)/serpent_cbc.Tpo -c -o serpent_cbc.lo `test -f 'test_vectors/serpent_cbc.c' || echo '$(srcdir)/'`test_vectors/serpent_cbc.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/serpent_cbc.Tpo $(DEPDIR)/serpent_cbc.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='test_vectors/serpent_cbc.c' object='serpent_cbc.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o serpent_cbc.lo `test -f 'test_vectors/serpent_cbc.c' || echo '$(srcdir)/'`test_vectors/serpent_cbc.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o serpent_cbc.lo `test -f 'test_vectors/serpent_cbc.c' || echo '$(srcdir)/'`test_vectors/serpent_cbc.c
 
 twofish_cbc.lo: test_vectors/twofish_cbc.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT twofish_cbc.lo -MD -MP -MF $(DEPDIR)/twofish_cbc.Tpo -c -o twofish_cbc.lo `test -f 'test_vectors/twofish_cbc.c' || echo '$(srcdir)/'`test_vectors/twofish_cbc.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/twofish_cbc.Tpo $(DEPDIR)/twofish_cbc.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='test_vectors/twofish_cbc.c' object='twofish_cbc.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT twofish_cbc.lo -MD -MP -MF $(DEPDIR)/twofish_cbc.Tpo -c -o twofish_cbc.lo `test -f 'test_vectors/twofish_cbc.c' || echo '$(srcdir)/'`test_vectors/twofish_cbc.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/twofish_cbc.Tpo $(DEPDIR)/twofish_cbc.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='test_vectors/twofish_cbc.c' object='twofish_cbc.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o twofish_cbc.lo `test -f 'test_vectors/twofish_cbc.c' || echo '$(srcdir)/'`test_vectors/twofish_cbc.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o twofish_cbc.lo `test -f 'test_vectors/twofish_cbc.c' || echo '$(srcdir)/'`test_vectors/twofish_cbc.c
 
 md2.lo: test_vectors/md2.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT md2.lo -MD -MP -MF $(DEPDIR)/md2.Tpo -c -o md2.lo `test -f 'test_vectors/md2.c' || echo '$(srcdir)/'`test_vectors/md2.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/md2.Tpo $(DEPDIR)/md2.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='test_vectors/md2.c' object='md2.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT md2.lo -MD -MP -MF $(DEPDIR)/md2.Tpo -c -o md2.lo `test -f 'test_vectors/md2.c' || echo '$(srcdir)/'`test_vectors/md2.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/md2.Tpo $(DEPDIR)/md2.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='test_vectors/md2.c' object='md2.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o md2.lo `test -f 'test_vectors/md2.c' || echo '$(srcdir)/'`test_vectors/md2.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o md2.lo `test -f 'test_vectors/md2.c' || echo '$(srcdir)/'`test_vectors/md2.c
 
 md4.lo: test_vectors/md4.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT md4.lo -MD -MP -MF $(DEPDIR)/md4.Tpo -c -o md4.lo `test -f 'test_vectors/md4.c' || echo '$(srcdir)/'`test_vectors/md4.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/md4.Tpo $(DEPDIR)/md4.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='test_vectors/md4.c' object='md4.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT md4.lo -MD -MP -MF $(DEPDIR)/md4.Tpo -c -o md4.lo `test -f 'test_vectors/md4.c' || echo '$(srcdir)/'`test_vectors/md4.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/md4.Tpo $(DEPDIR)/md4.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='test_vectors/md4.c' object='md4.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o md4.lo `test -f 'test_vectors/md4.c' || echo '$(srcdir)/'`test_vectors/md4.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o md4.lo `test -f 'test_vectors/md4.c' || echo '$(srcdir)/'`test_vectors/md4.c
 
 md5.lo: test_vectors/md5.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT md5.lo -MD -MP -MF $(DEPDIR)/md5.Tpo -c -o md5.lo `test -f 'test_vectors/md5.c' || echo '$(srcdir)/'`test_vectors/md5.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/md5.Tpo $(DEPDIR)/md5.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='test_vectors/md5.c' object='md5.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT md5.lo -MD -MP -MF $(DEPDIR)/md5.Tpo -c -o md5.lo `test -f 'test_vectors/md5.c' || echo '$(srcdir)/'`test_vectors/md5.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/md5.Tpo $(DEPDIR)/md5.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='test_vectors/md5.c' object='md5.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o md5.lo `test -f 'test_vectors/md5.c' || echo '$(srcdir)/'`test_vectors/md5.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o md5.lo `test -f 'test_vectors/md5.c' || echo '$(srcdir)/'`test_vectors/md5.c
 
 md5_hmac.lo: test_vectors/md5_hmac.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT md5_hmac.lo -MD -MP -MF $(DEPDIR)/md5_hmac.Tpo -c -o md5_hmac.lo `test -f 'test_vectors/md5_hmac.c' || echo '$(srcdir)/'`test_vectors/md5_hmac.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/md5_hmac.Tpo $(DEPDIR)/md5_hmac.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='test_vectors/md5_hmac.c' object='md5_hmac.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT md5_hmac.lo -MD -MP -MF $(DEPDIR)/md5_hmac.Tpo -c -o md5_hmac.lo `test -f 'test_vectors/md5_hmac.c' || echo '$(srcdir)/'`test_vectors/md5_hmac.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/md5_hmac.Tpo $(DEPDIR)/md5_hmac.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='test_vectors/md5_hmac.c' object='md5_hmac.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o md5_hmac.lo `test -f 'test_vectors/md5_hmac.c' || echo '$(srcdir)/'`test_vectors/md5_hmac.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o md5_hmac.lo `test -f 'test_vectors/md5_hmac.c' || echo '$(srcdir)/'`test_vectors/md5_hmac.c
 
 sha1.lo: test_vectors/sha1.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT sha1.lo -MD -MP -MF $(DEPDIR)/sha1.Tpo -c -o sha1.lo `test -f 'test_vectors/sha1.c' || echo '$(srcdir)/'`test_vectors/sha1.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/sha1.Tpo $(DEPDIR)/sha1.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='test_vectors/sha1.c' object='sha1.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT sha1.lo -MD -MP -MF $(DEPDIR)/sha1.Tpo -c -o sha1.lo `test -f 'test_vectors/sha1.c' || echo '$(srcdir)/'`test_vectors/sha1.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/sha1.Tpo $(DEPDIR)/sha1.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='test_vectors/sha1.c' object='sha1.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sha1.lo `test -f 'test_vectors/sha1.c' || echo '$(srcdir)/'`test_vectors/sha1.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sha1.lo `test -f 'test_vectors/sha1.c' || echo '$(srcdir)/'`test_vectors/sha1.c
 
 sha1_hmac.lo: test_vectors/sha1_hmac.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT sha1_hmac.lo -MD -MP -MF $(DEPDIR)/sha1_hmac.Tpo -c -o sha1_hmac.lo `test -f 'test_vectors/sha1_hmac.c' || echo '$(srcdir)/'`test_vectors/sha1_hmac.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/sha1_hmac.Tpo $(DEPDIR)/sha1_hmac.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='test_vectors/sha1_hmac.c' object='sha1_hmac.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT sha1_hmac.lo -MD -MP -MF $(DEPDIR)/sha1_hmac.Tpo -c -o sha1_hmac.lo `test -f 'test_vectors/sha1_hmac.c' || echo '$(srcdir)/'`test_vectors/sha1_hmac.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/sha1_hmac.Tpo $(DEPDIR)/sha1_hmac.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='test_vectors/sha1_hmac.c' object='sha1_hmac.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sha1_hmac.lo `test -f 'test_vectors/sha1_hmac.c' || echo '$(srcdir)/'`test_vectors/sha1_hmac.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sha1_hmac.lo `test -f 'test_vectors/sha1_hmac.c' || echo '$(srcdir)/'`test_vectors/sha1_hmac.c
 
 sha2.lo: test_vectors/sha2.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT sha2.lo -MD -MP -MF $(DEPDIR)/sha2.Tpo -c -o sha2.lo `test -f 'test_vectors/sha2.c' || echo '$(srcdir)/'`test_vectors/sha2.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/sha2.Tpo $(DEPDIR)/sha2.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='test_vectors/sha2.c' object='sha2.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT sha2.lo -MD -MP -MF $(DEPDIR)/sha2.Tpo -c -o sha2.lo `test -f 'test_vectors/sha2.c' || echo '$(srcdir)/'`test_vectors/sha2.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/sha2.Tpo $(DEPDIR)/sha2.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='test_vectors/sha2.c' object='sha2.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sha2.lo `test -f 'test_vectors/sha2.c' || echo '$(srcdir)/'`test_vectors/sha2.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sha2.lo `test -f 'test_vectors/sha2.c' || echo '$(srcdir)/'`test_vectors/sha2.c
 
 sha2_hmac.lo: test_vectors/sha2_hmac.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT sha2_hmac.lo -MD -MP -MF $(DEPDIR)/sha2_hmac.Tpo -c -o sha2_hmac.lo `test -f 'test_vectors/sha2_hmac.c' || echo '$(srcdir)/'`test_vectors/sha2_hmac.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/sha2_hmac.Tpo $(DEPDIR)/sha2_hmac.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='test_vectors/sha2_hmac.c' object='sha2_hmac.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT sha2_hmac.lo -MD -MP -MF $(DEPDIR)/sha2_hmac.Tpo -c -o sha2_hmac.lo `test -f 'test_vectors/sha2_hmac.c' || echo '$(srcdir)/'`test_vectors/sha2_hmac.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/sha2_hmac.Tpo $(DEPDIR)/sha2_hmac.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='test_vectors/sha2_hmac.c' object='sha2_hmac.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sha2_hmac.lo `test -f 'test_vectors/sha2_hmac.c' || echo '$(srcdir)/'`test_vectors/sha2_hmac.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sha2_hmac.lo `test -f 'test_vectors/sha2_hmac.c' || echo '$(srcdir)/'`test_vectors/sha2_hmac.c
 
 fips_prf.lo: test_vectors/fips_prf.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT fips_prf.lo -MD -MP -MF $(DEPDIR)/fips_prf.Tpo -c -o fips_prf.lo `test -f 'test_vectors/fips_prf.c' || echo '$(srcdir)/'`test_vectors/fips_prf.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/fips_prf.Tpo $(DEPDIR)/fips_prf.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='test_vectors/fips_prf.c' object='fips_prf.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT fips_prf.lo -MD -MP -MF $(DEPDIR)/fips_prf.Tpo -c -o fips_prf.lo `test -f 'test_vectors/fips_prf.c' || echo '$(srcdir)/'`test_vectors/fips_prf.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/fips_prf.Tpo $(DEPDIR)/fips_prf.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='test_vectors/fips_prf.c' object='fips_prf.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o fips_prf.lo `test -f 'test_vectors/fips_prf.c' || echo '$(srcdir)/'`test_vectors/fips_prf.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o fips_prf.lo `test -f 'test_vectors/fips_prf.c' || echo '$(srcdir)/'`test_vectors/fips_prf.c
 
 rng.lo: test_vectors/rng.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT rng.lo -MD -MP -MF $(DEPDIR)/rng.Tpo -c -o rng.lo `test -f 'test_vectors/rng.c' || echo '$(srcdir)/'`test_vectors/rng.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/rng.Tpo $(DEPDIR)/rng.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='test_vectors/rng.c' object='rng.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT rng.lo -MD -MP -MF $(DEPDIR)/rng.Tpo -c -o rng.lo `test -f 'test_vectors/rng.c' || echo '$(srcdir)/'`test_vectors/rng.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/rng.Tpo $(DEPDIR)/rng.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='test_vectors/rng.c' object='rng.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o rng.lo `test -f 'test_vectors/rng.c' || echo '$(srcdir)/'`test_vectors/rng.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o rng.lo `test -f 'test_vectors/rng.c' || echo '$(srcdir)/'`test_vectors/rng.c
 
 mostlyclean-libtool:
 	-rm -f *.lo
diff --git a/src/libstrongswan/plugins/test_vectors/test_vectors.h b/src/libstrongswan/plugins/test_vectors/test_vectors.h
index a00469779..788baae57 100644
--- a/src/libstrongswan/plugins/test_vectors/test_vectors.h
+++ b/src/libstrongswan/plugins/test_vectors/test_vectors.h
@@ -55,6 +55,14 @@ TEST_VECTOR_CRYPTER(des3_cbc2)
 TEST_VECTOR_CRYPTER(idea1)
 TEST_VECTOR_CRYPTER(idea2)
 TEST_VECTOR_CRYPTER(null1)
+TEST_VECTOR_CRYPTER(rc2_1)
+TEST_VECTOR_CRYPTER(rc2_2)
+TEST_VECTOR_CRYPTER(rc2_3)
+TEST_VECTOR_CRYPTER(rc2_4)
+TEST_VECTOR_CRYPTER(rc2_5)
+TEST_VECTOR_CRYPTER(rc2_6)
+TEST_VECTOR_CRYPTER(rc2_7)
+TEST_VECTOR_CRYPTER(rc2_8)
 TEST_VECTOR_CRYPTER(rc5_1)
 TEST_VECTOR_CRYPTER(rc5_2)
 TEST_VECTOR_CRYPTER(serpent_cbc1)
diff --git a/src/libstrongswan/plugins/test_vectors/test_vectors/rc2.c b/src/libstrongswan/plugins/test_vectors/test_vectors/rc2.c
new file mode 100644
index 000000000..b03d12038
--- /dev/null
+++ b/src/libstrongswan/plugins/test_vectors/test_vectors/rc2.c
@@ -0,0 +1,109 @@
+/*
+ * Copyright (C) 2013 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the Licenseor (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be usefulbut
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <crypto/crypto_tester.h>
+
+/**
+ * Test vectors from RFC 2268
+ */
+
+/**
+ * RC2 key length 8 bytes, effective key length 63 bits
+ */
+crypter_test_vector_t rc2_1 = {
+	.alg = ENCR_RC2_CBC, .key_size = RC2_KEY_SIZE(8, 63), .len = 8,
+	.key	= "\x00\x00\x00\x00\x00\x00\x00\x00",
+	.iv		= "\x00\x00\x00\x00\x00\x00\x00\x00",
+	.plain	= "\x00\x00\x00\x00\x00\x00\x00\x00",
+	.cipher	= "\xeb\xb7\x73\xf9\x93\x27\x8e\xff",
+};
+
+/**
+ * RC2 key length 8 bytes, effective key length 64 bits
+ */
+crypter_test_vector_t rc2_2 = {
+	.alg = ENCR_RC2_CBC, .key_size = RC2_KEY_SIZE(8, 64), .len = 8,
+	.key	= "\xff\xff\xff\xff\xff\xff\xff\xff",
+	.iv		= "\x00\x00\x00\x00\x00\x00\x00\x00",
+	.plain	= "\xff\xff\xff\xff\xff\xff\xff\xff",
+	.cipher	= "\x27\x8b\x27\xe4\x2e\x2f\x0d\x49",
+};
+
+/**
+ * RC2 key length 8 bytes, effective key length 64 bits
+ */
+crypter_test_vector_t rc2_3 = {
+	.alg = ENCR_RC2_CBC, .key_size = RC2_KEY_SIZE(8, 64), .len = 8,
+	.key	= "\x30\x00\x00\x00\x00\x00\x00\x00",
+	.iv		= "\x00\x00\x00\x00\x00\x00\x00\x00",
+	.plain	= "\x10\x00\x00\x00\x00\x00\x00\x01",
+	.cipher	= "\x30\x64\x9e\xdf\x9b\xe7\xd2\xc2",
+};
+
+/**
+ * RC2 key length 1 byte, effective key length 64 bits
+ */
+crypter_test_vector_t rc2_4 = {
+	.alg = ENCR_RC2_CBC, .key_size = RC2_KEY_SIZE(1, 64), .len = 8,
+	.key	= "\x88",
+	.iv		= "\x00\x00\x00\x00\x00\x00\x00\x00",
+	.plain	= "\x00\x00\x00\x00\x00\x00\x00\x00",
+	.cipher	= "\x61\xa8\xa2\x44\xad\xac\xcc\xf0",
+};
+
+/**
+ * RC2 key length 7 bytes, effective key length 64 bits
+ */
+crypter_test_vector_t rc2_5 = {
+	.alg = ENCR_RC2_CBC, .key_size = RC2_KEY_SIZE(7, 64), .len = 8,
+	.key	= "\x88\xbc\xa9\x0e\x90\x87\x5a",
+	.iv		= "\x00\x00\x00\x00\x00\x00\x00\x00",
+	.plain	= "\x00\x00\x00\x00\x00\x00\x00\x00",
+	.cipher	= "\x6c\xcf\x43\x08\x97\x4c\x26\x7f",
+};
+
+/**
+ * RC2 key length 16 bytes, effective key length 64 bits
+ */
+crypter_test_vector_t rc2_6 = {
+	.alg = ENCR_RC2_CBC, .key_size = RC2_KEY_SIZE(16, 64), .len = 8,
+	.key	= "\x88\xbc\xa9\x0e\x90\x87\x5a\x7f\x0f\x79\xc3\x84\x62\x7b\xaf\xb2",
+	.iv		= "\x00\x00\x00\x00\x00\x00\x00\x00",
+	.plain	= "\x00\x00\x00\x00\x00\x00\x00\x00",
+	.cipher	= "\x1a\x80\x7d\x27\x2b\xbe\x5d\xb1",
+};
+
+/**
+ * RC2 key length 16 bytes, effective key length 128 bits
+ */
+crypter_test_vector_t rc2_7 = {
+	.alg = ENCR_RC2_CBC, .key_size = RC2_KEY_SIZE(16, 128), .len = 8,
+	.key	= "\x88\xbc\xa9\x0e\x90\x87\x5a\x7f\x0f\x79\xc3\x84\x62\x7b\xaf\xb2",
+	.iv		= "\x00\x00\x00\x00\x00\x00\x00\x00",
+	.plain	= "\x00\x00\x00\x00\x00\x00\x00\x00",
+	.cipher	= "\x22\x69\x55\x2a\xb0\xf8\x5c\xa6",
+};
+
+/**
+ * RC2 key length 33 bytes, effective key length 129 bits
+ */
+crypter_test_vector_t rc2_8 = {
+	.alg = ENCR_RC2_CBC, .key_size = RC2_KEY_SIZE(33, 129), .len = 8,
+	.key	= "\x88\xbc\xa9\x0e\x90\x87\x5a\x7f\x0f\x79\xc3\x84\x62\x7b\xaf\xb2"
+			  "\x16\xf8\x0a\x6f\x85\x92\x05\x84\xc4\x2f\xce\xb0\xbe\x25\x5d\xaf\x1e",
+	.iv		= "\x00\x00\x00\x00\x00\x00\x00\x00",
+	.plain	= "\x00\x00\x00\x00\x00\x00\x00\x00",
+	.cipher	= "\x5b\x78\xd3\xa4\x3d\xff\xf1\xf1",
+};
diff --git a/src/libstrongswan/plugins/test_vectors/test_vectors_plugin.c b/src/libstrongswan/plugins/test_vectors/test_vectors_plugin.c
index 4a8743289..cd0a12a5c 100644
--- a/src/libstrongswan/plugins/test_vectors/test_vectors_plugin.c
+++ b/src/libstrongswan/plugins/test_vectors/test_vectors_plugin.c
@@ -110,6 +110,17 @@ METHOD(plugin_t, get_name, char*,
 	return "test-vectors";
 }
 
+METHOD(plugin_t, get_features, int,
+	private_test_vectors_plugin_t *this, plugin_feature_t *features[])
+{
+	static plugin_feature_t f[] = {
+		PLUGIN_NOOP,
+			PLUGIN_PROVIDE(CUSTOM, "test-vectors"),
+	};
+	*features = f;
+	return countof(f);
+}
+
 METHOD(plugin_t, destroy, void,
 	private_test_vectors_plugin_t *this)
 {
@@ -128,7 +139,7 @@ plugin_t *test_vectors_plugin_create()
 		.public = {
 			.plugin = {
 				.get_name = _get_name,
-				.reload = (void*)return_false,
+				.get_features = _get_features,
 				.destroy = _destroy,
 			},
 		},
diff --git a/src/libstrongswan/plugins/unbound/Makefile.am b/src/libstrongswan/plugins/unbound/Makefile.am
index efb313407..64a5cc7e1 100644
--- a/src/libstrongswan/plugins/unbound/Makefile.am
+++ b/src/libstrongswan/plugins/unbound/Makefile.am
@@ -1,8 +1,9 @@
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-DIPSEC_CONFDIR=\"${sysconfdir}\"
 
-INCLUDES = -I$(top_srcdir)/src/libstrongswan
-
-AM_CFLAGS = -rdynamic -DIPSEC_CONFDIR=\"${sysconfdir}\"
-
+AM_CFLAGS = \
+	-rdynamic
 
 if MONOLITHIC
 noinst_LTLIBRARIES = libstrongswan-unbound.la
diff --git a/src/libstrongswan/plugins/unbound/Makefile.in b/src/libstrongswan/plugins/unbound/Makefile.in
index 4dfb2f31c..868d2998c 100644
--- a/src/libstrongswan/plugins/unbound/Makefile.in
+++ b/src/libstrongswan/plugins/unbound/Makefile.in
@@ -62,7 +62,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
@@ -103,9 +103,13 @@ am_libstrongswan_unbound_la_OBJECTS = unbound_plugin.lo \
 	unbound_resolver.lo unbound_rr.lo unbound_response.lo
 libstrongswan_unbound_la_OBJECTS =  \
 	$(am_libstrongswan_unbound_la_OBJECTS)
-libstrongswan_unbound_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
-	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
-	$(libstrongswan_unbound_la_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+libstrongswan_unbound_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
+	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
+	$(AM_CFLAGS) $(CFLAGS) $(libstrongswan_unbound_la_LDFLAGS) \
+	$(LDFLAGS) -o $@
 @MONOLITHIC_FALSE@am_libstrongswan_unbound_la_rpath = -rpath \
 @MONOLITHIC_FALSE@	$(plugindir)
 @MONOLITHIC_TRUE@am_libstrongswan_unbound_la_rpath =
@@ -115,13 +119,26 @@ am__depfiles_maybe = depfiles
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
 SOURCES = $(libstrongswan_unbound_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_unbound_la_SOURCES)
 am__can_run_installinfo = \
@@ -135,6 +152,7 @@ DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
@@ -147,6 +165,8 @@ CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
 CHECK_CFLAGS = @CHECK_CFLAGS@
 CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -162,6 +182,7 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
 GPRBUILD = @GPRBUILD@
 GREP = @GREP@
@@ -170,6 +191,7 @@ INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -216,6 +238,7 @@ SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -244,6 +267,7 @@ charon_natt_port = @charon_natt_port@
 charon_plugins = @charon_plugins@
 charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
@@ -321,8 +345,13 @@ top_srcdir = @top_srcdir@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-INCLUDES = -I$(top_srcdir)/src/libstrongswan
-AM_CFLAGS = -rdynamic -DIPSEC_CONFDIR=\"${sysconfdir}\"
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-DIPSEC_CONFDIR=\"${sysconfdir}\"
+
+AM_CFLAGS = \
+	-rdynamic
+
 @MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-unbound.la
 @MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-unbound.la
 libstrongswan_unbound_la_SOURCES = \
@@ -409,7 +438,7 @@ clean-pluginLTLIBRARIES:
 	  rm -f "$${dir}/so_locations"; \
 	done
 libstrongswan-unbound.la: $(libstrongswan_unbound_la_OBJECTS) $(libstrongswan_unbound_la_DEPENDENCIES) $(EXTRA_libstrongswan_unbound_la_DEPENDENCIES) 
-	$(libstrongswan_unbound_la_LINK) $(am_libstrongswan_unbound_la_rpath) $(libstrongswan_unbound_la_OBJECTS) $(libstrongswan_unbound_la_LIBADD) $(LIBS)
+	$(AM_V_CCLD)$(libstrongswan_unbound_la_LINK) $(am_libstrongswan_unbound_la_rpath) $(libstrongswan_unbound_la_OBJECTS) $(libstrongswan_unbound_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -423,25 +452,25 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/unbound_rr.Plo@am__quote@
 
 .c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
 mostlyclean-libtool:
 	-rm -f *.lo
diff --git a/src/libstrongswan/plugins/unbound/unbound_plugin.c b/src/libstrongswan/plugins/unbound/unbound_plugin.c
index 90b95330a..f727cdaae 100644
--- a/src/libstrongswan/plugins/unbound/unbound_plugin.c
+++ b/src/libstrongswan/plugins/unbound/unbound_plugin.c
@@ -37,10 +37,20 @@ METHOD(plugin_t, get_name, char*,
 	return "unbound";
 }
 
+METHOD(plugin_t, get_features, int,
+	private_unbound_plugin_t *this, plugin_feature_t *features[])
+{
+	static plugin_feature_t f[] = {
+		PLUGIN_REGISTER(RESOLVER, unbound_resolver_create),
+			PLUGIN_PROVIDE(RESOLVER),
+	};
+	*features = f;
+	return countof(f);
+}
+
 METHOD(plugin_t, destroy, void,
 	private_unbound_plugin_t *this)
 {
-	lib->resolver->remove_resolver(lib->resolver, unbound_resolver_create);
 	free(this);
 }
 
@@ -55,12 +65,11 @@ plugin_t *unbound_plugin_create()
 		.public = {
 			.plugin = {
 				.get_name = _get_name,
+				.get_features = _get_features,
 				.destroy = _destroy,
 			},
 		},
 	);
 
-	lib->resolver->add_resolver(lib->resolver, unbound_resolver_create);
-
 	return &this->public.plugin;
 }
diff --git a/src/libstrongswan/plugins/x509/Makefile.am b/src/libstrongswan/plugins/x509/Makefile.am
index 4b50d78dc..b464d1483 100644
--- a/src/libstrongswan/plugins/x509/Makefile.am
+++ b/src/libstrongswan/plugins/x509/Makefile.am
@@ -1,7 +1,8 @@
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan
 
-INCLUDES = -I$(top_srcdir)/src/libstrongswan
-
-AM_CFLAGS = -rdynamic
+AM_CFLAGS = \
+	-rdynamic
 
 if MONOLITHIC
 noinst_LTLIBRARIES = libstrongswan-x509.la
diff --git a/src/libstrongswan/plugins/x509/Makefile.in b/src/libstrongswan/plugins/x509/Makefile.in
index 0e5520149..99566c450 100644
--- a/src/libstrongswan/plugins/x509/Makefile.in
+++ b/src/libstrongswan/plugins/x509/Makefile.in
@@ -62,7 +62,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
@@ -103,9 +103,13 @@ am_libstrongswan_x509_la_OBJECTS = x509_plugin.lo x509_cert.lo \
 	x509_crl.lo x509_ac.lo x509_pkcs10.lo x509_ocsp_request.lo \
 	x509_ocsp_response.lo
 libstrongswan_x509_la_OBJECTS = $(am_libstrongswan_x509_la_OBJECTS)
-libstrongswan_x509_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
-	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
-	$(libstrongswan_x509_la_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+libstrongswan_x509_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
+	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
+	$(AM_CFLAGS) $(CFLAGS) $(libstrongswan_x509_la_LDFLAGS) \
+	$(LDFLAGS) -o $@
 @MONOLITHIC_FALSE@am_libstrongswan_x509_la_rpath = -rpath $(plugindir)
 @MONOLITHIC_TRUE@am_libstrongswan_x509_la_rpath =
 DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
@@ -114,13 +118,26 @@ am__depfiles_maybe = depfiles
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
 SOURCES = $(libstrongswan_x509_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_x509_la_SOURCES)
 am__can_run_installinfo = \
@@ -134,6 +151,7 @@ DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
@@ -146,6 +164,8 @@ CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
 CHECK_CFLAGS = @CHECK_CFLAGS@
 CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -161,6 +181,7 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
 GPRBUILD = @GPRBUILD@
 GREP = @GREP@
@@ -169,6 +190,7 @@ INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -215,6 +237,7 @@ SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -243,6 +266,7 @@ charon_natt_port = @charon_natt_port@
 charon_plugins = @charon_plugins@
 charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
@@ -320,8 +344,12 @@ top_srcdir = @top_srcdir@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-INCLUDES = -I$(top_srcdir)/src/libstrongswan
-AM_CFLAGS = -rdynamic
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan
+
+AM_CFLAGS = \
+	-rdynamic
+
 @MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-x509.la
 @MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-x509.la
 libstrongswan_x509_la_SOURCES = \
@@ -410,7 +438,7 @@ clean-pluginLTLIBRARIES:
 	  rm -f "$${dir}/so_locations"; \
 	done
 libstrongswan-x509.la: $(libstrongswan_x509_la_OBJECTS) $(libstrongswan_x509_la_DEPENDENCIES) $(EXTRA_libstrongswan_x509_la_DEPENDENCIES) 
-	$(libstrongswan_x509_la_LINK) $(am_libstrongswan_x509_la_rpath) $(libstrongswan_x509_la_OBJECTS) $(libstrongswan_x509_la_LIBADD) $(LIBS)
+	$(AM_V_CCLD)$(libstrongswan_x509_la_LINK) $(am_libstrongswan_x509_la_rpath) $(libstrongswan_x509_la_OBJECTS) $(libstrongswan_x509_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -427,25 +455,25 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/x509_plugin.Plo@am__quote@
 
 .c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
 mostlyclean-libtool:
 	-rm -f *.lo
diff --git a/src/libstrongswan/plugins/x509/x509_crl.c b/src/libstrongswan/plugins/x509/x509_crl.c
index 5350d4a51..efb70c94c 100644
--- a/src/libstrongswan/plugins/x509/x509_crl.c
+++ b/src/libstrongswan/plugins/x509/x509_crl.c
@@ -320,6 +320,9 @@ static bool parse(private_x509_crl_t *this)
 						}
 						this->baseCrlNumber = object;
 						break;
+					case OID_ISSUING_DIST_POINT:
+						/* TODO support of IssuingDistributionPoints */
+						break;
 					default:
 						if (critical && lib->settings->get_bool(lib->settings,
 							"libstrongswan.x509.enforce_critical", TRUE))
diff --git a/src/libstrongswan/plugins/xcbc/Makefile.am b/src/libstrongswan/plugins/xcbc/Makefile.am
index 28e99f650..6e2227206 100644
--- a/src/libstrongswan/plugins/xcbc/Makefile.am
+++ b/src/libstrongswan/plugins/xcbc/Makefile.am
@@ -1,7 +1,8 @@
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan
 
-INCLUDES = -I$(top_srcdir)/src/libstrongswan
-
-AM_CFLAGS = -rdynamic
+AM_CFLAGS = \
+	-rdynamic
 
 if MONOLITHIC
 noinst_LTLIBRARIES = libstrongswan-xcbc.la
diff --git a/src/libstrongswan/plugins/xcbc/Makefile.in b/src/libstrongswan/plugins/xcbc/Makefile.in
index a679ce313..e9491e584 100644
--- a/src/libstrongswan/plugins/xcbc/Makefile.in
+++ b/src/libstrongswan/plugins/xcbc/Makefile.in
@@ -62,7 +62,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
@@ -101,9 +101,13 @@ LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
 libstrongswan_xcbc_la_LIBADD =
 am_libstrongswan_xcbc_la_OBJECTS = xcbc_plugin.lo xcbc.lo
 libstrongswan_xcbc_la_OBJECTS = $(am_libstrongswan_xcbc_la_OBJECTS)
-libstrongswan_xcbc_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
-	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
-	$(libstrongswan_xcbc_la_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+libstrongswan_xcbc_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
+	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
+	$(AM_CFLAGS) $(CFLAGS) $(libstrongswan_xcbc_la_LDFLAGS) \
+	$(LDFLAGS) -o $@
 @MONOLITHIC_FALSE@am_libstrongswan_xcbc_la_rpath = -rpath $(plugindir)
 @MONOLITHIC_TRUE@am_libstrongswan_xcbc_la_rpath =
 DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
@@ -112,13 +116,26 @@ am__depfiles_maybe = depfiles
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
 SOURCES = $(libstrongswan_xcbc_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_xcbc_la_SOURCES)
 am__can_run_installinfo = \
@@ -132,6 +149,7 @@ DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
@@ -144,6 +162,8 @@ CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
 CHECK_CFLAGS = @CHECK_CFLAGS@
 CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -159,6 +179,7 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
 GPRBUILD = @GPRBUILD@
 GREP = @GREP@
@@ -167,6 +188,7 @@ INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -213,6 +235,7 @@ SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -241,6 +264,7 @@ charon_natt_port = @charon_natt_port@
 charon_plugins = @charon_plugins@
 charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
@@ -318,8 +342,12 @@ top_srcdir = @top_srcdir@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-INCLUDES = -I$(top_srcdir)/src/libstrongswan
-AM_CFLAGS = -rdynamic
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan
+
+AM_CFLAGS = \
+	-rdynamic
+
 @MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-xcbc.la
 @MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-xcbc.la
 libstrongswan_xcbc_la_SOURCES = \
@@ -402,7 +430,7 @@ clean-pluginLTLIBRARIES:
 	  rm -f "$${dir}/so_locations"; \
 	done
 libstrongswan-xcbc.la: $(libstrongswan_xcbc_la_OBJECTS) $(libstrongswan_xcbc_la_DEPENDENCIES) $(EXTRA_libstrongswan_xcbc_la_DEPENDENCIES) 
-	$(libstrongswan_xcbc_la_LINK) $(am_libstrongswan_xcbc_la_rpath) $(libstrongswan_xcbc_la_OBJECTS) $(libstrongswan_xcbc_la_LIBADD) $(LIBS)
+	$(AM_V_CCLD)$(libstrongswan_xcbc_la_LINK) $(am_libstrongswan_xcbc_la_rpath) $(libstrongswan_xcbc_la_OBJECTS) $(libstrongswan_xcbc_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -414,25 +442,25 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/xcbc_plugin.Plo@am__quote@
 
 .c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
 mostlyclean-libtool:
 	-rm -f *.lo
diff --git a/src/libstrongswan/processing/processor.c b/src/libstrongswan/processing/processor.c
index 934636fc0..adbd95685 100644
--- a/src/libstrongswan/processing/processor.c
+++ b/src/libstrongswan/processing/processor.c
@@ -1,7 +1,7 @@
 /*
  * Copyright (C) 2005-2011 Martin Willi
  * Copyright (C) 2011 revosec AG
- * Copyright (C) 2008-2012 Tobias Brunner
+ * Copyright (C) 2008-2013 Tobias Brunner
  * Copyright (C) 2005 Jan Hutter
  * Hochschule fuer Technik Rapperswil
  *
@@ -123,6 +123,7 @@ static void process_jobs(worker_thread_t *worker);
 static void restart(worker_thread_t *worker)
 {
 	private_processor_t *this = worker->processor;
+	job_t *job;
 
 	DBG2(DBG_JOB, "terminated worker thread %.2u", thread_current_id());
 
@@ -130,8 +131,15 @@ static void restart(worker_thread_t *worker)
 	/* cleanup worker thread  */
 	this->working_threads[worker->priority]--;
 	worker->job->status = JOB_STATUS_CANCELED;
-	worker->job->destroy(worker->job);
+	job = worker->job;
+	/* unset the job before releasing the mutex, otherwise cancel() might
+	 * interfere */
 	worker->job = NULL;
+	/* release mutex to avoid deadlocks if the same lock is required
+	 * during queue_job() and in the destructor called here */
+	this->mutex->unlock(this->mutex);
+	job->destroy(job);
+	this->mutex->lock(this->mutex);
 
 	/* respawn thread if required */
 	if (this->desired_threads >= this->total_threads)
@@ -172,112 +180,150 @@ static u_int get_idle_threads_nolock(private_processor_t *this)
 }
 
 /**
- * Process queued jobs, called by the worker threads
+ * Get a job from any job queue, starting with the highest priority.
+ *
+ * this->mutex is expected to be locked.
  */
-static void process_jobs(worker_thread_t *worker)
+static bool get_job(private_processor_t *this, worker_thread_t *worker)
 {
-	private_processor_t *this = worker->processor;
+	int i, reserved = 0, idle;
 
-	/* worker threads are not cancelable by default */
-	thread_cancelability(FALSE);
-
-	DBG2(DBG_JOB, "started worker thread %.2u", thread_current_id());
+	idle = get_idle_threads_nolock(this);
 
-	this->mutex->lock(this->mutex);
-	while (this->desired_threads >= this->total_threads)
+	for (i = 0; i < JOB_PRIO_MAX; i++)
 	{
-		int i, reserved = 0, idle;
+		if (reserved && reserved >= idle)
+		{
+			DBG2(DBG_JOB, "delaying %N priority jobs: %d threads idle, "
+				 "but %d reserved for higher priorities",
+				 job_priority_names, i, idle, reserved);
+			/* wait until a job of higher priority gets queued */
+			return FALSE;
+		}
+		if (this->working_threads[i] < this->prio_threads[i])
+		{
+			reserved += this->prio_threads[i] - this->working_threads[i];
+		}
+		if (this->jobs[i]->remove_first(this->jobs[i],
+										(void**)&worker->job) == SUCCESS)
+		{
+			worker->priority = i;
+			return TRUE;
+		}
+	}
+	return FALSE;
+}
 
-		idle = get_idle_threads_nolock(this);
+/**
+ * Process a single job (provided in worker->job, worker->priority is also
+ * expected to be set)
+ *
+ * this->mutex is expected to be locked.
+ */
+static void process_job(private_processor_t *this, worker_thread_t *worker)
+{
+	job_t *to_destroy = NULL;
+	job_requeue_t requeue;
 
-		for (i = 0; i < JOB_PRIO_MAX; i++)
+	this->working_threads[worker->priority]++;
+	worker->job->status = JOB_STATUS_EXECUTING;
+	this->mutex->unlock(this->mutex);
+	/* canceled threads are restarted to get a constant pool */
+	thread_cleanup_push((thread_cleanup_t)restart, worker);
+	while (TRUE)
+	{
+		requeue = worker->job->execute(worker->job);
+		if (requeue.type != JOB_REQUEUE_TYPE_DIRECT)
 		{
-			if (reserved && reserved >= idle)
-			{
-				DBG2(DBG_JOB, "delaying %N priority jobs: %d threads idle, "
-					 "but %d reserved for higher priorities",
-					 job_priority_names, i, idle, reserved);
+			break;
+		}
+		else if (!worker->job->cancel)
+		{	/* only allow cancelable jobs to requeue directly */
+			requeue.type = JOB_REQUEUE_TYPE_FAIR;
+			break;
+		}
+	}
+	thread_cleanup_pop(FALSE);
+	this->mutex->lock(this->mutex);
+	this->working_threads[worker->priority]--;
+	if (worker->job->status == JOB_STATUS_CANCELED)
+	{	/* job was canceled via a custom cancel() method or did not
+		 * use JOB_REQUEUE_TYPE_DIRECT */
+		to_destroy = worker->job;
+	}
+	else
+	{
+		switch (requeue.type)
+		{
+			case JOB_REQUEUE_TYPE_NONE:
+				worker->job->status = JOB_STATUS_DONE;
+				to_destroy = worker->job;
 				break;
-			}
-			if (this->working_threads[i] < this->prio_threads[i])
-			{
-				reserved += this->prio_threads[i] - this->working_threads[i];
-			}
-			if (this->jobs[i]->remove_first(this->jobs[i],
-											(void**)&worker->job) == SUCCESS)
-			{
-				job_requeue_t requeue;
-
-				this->working_threads[i]++;
-				worker->job->status = JOB_STATUS_EXECUTING;
-				worker->priority = i;
-				this->mutex->unlock(this->mutex);
-				/* canceled threads are restarted to get a constant pool */
-				thread_cleanup_push((thread_cleanup_t)restart, worker);
-				while (TRUE)
-				{
-					requeue = worker->job->execute(worker->job);
-					if (requeue.type != JOB_REQUEUE_TYPE_DIRECT)
-					{
-						break;
-					}
-					else if (!worker->job->cancel)
-					{	/* only allow cancelable jobs to requeue directly */
-						requeue.type = JOB_REQUEUE_TYPE_FAIR;
-						break;
-					}
-				}
-				thread_cleanup_pop(FALSE);
-				this->mutex->lock(this->mutex);
-				this->working_threads[i]--;
-				if (worker->job->status == JOB_STATUS_CANCELED)
-				{	/* job was canceled via a custom cancel() method or did not
-					 * use JOB_REQUEUE_TYPE_DIRECT */
-					worker->job->destroy(worker->job);
-					break;
-				}
-				switch (requeue.type)
+			case JOB_REQUEUE_TYPE_FAIR:
+				worker->job->status = JOB_STATUS_QUEUED;
+				this->jobs[worker->priority]->insert_last(
+									this->jobs[worker->priority], worker->job);
+				this->job_added->signal(this->job_added);
+				break;
+			case JOB_REQUEUE_TYPE_SCHEDULE:
+				/* scheduler_t does not hold its lock when queuing jobs
+				 * so this should be safe without unlocking our mutex */
+				switch (requeue.schedule)
 				{
-					case JOB_REQUEUE_TYPE_NONE:
-						worker->job->status = JOB_STATUS_DONE;
-						worker->job->destroy(worker->job);
+					case JOB_SCHEDULE:
+						lib->scheduler->schedule_job(lib->scheduler,
+												worker->job, requeue.time.rel);
 						break;
-					case JOB_REQUEUE_TYPE_FAIR:
-						worker->job->status = JOB_STATUS_QUEUED;
-						this->jobs[i]->insert_last(this->jobs[i],
-												   worker->job);
-						this->job_added->signal(this->job_added);
+					case JOB_SCHEDULE_MS:
+						lib->scheduler->schedule_job_ms(lib->scheduler,
+												worker->job, requeue.time.rel);
 						break;
-					case JOB_REQUEUE_TYPE_SCHEDULE:
-						/* scheduler_t does not hold its lock when queeuing jobs
-						 * so this should be safe without unlocking our mutex */
-						switch (requeue.schedule)
-						{
-							case JOB_SCHEDULE:
-								lib->scheduler->schedule_job(lib->scheduler,
-											worker->job, requeue.time.rel);
-								break;
-							case JOB_SCHEDULE_MS:
-								lib->scheduler->schedule_job_ms(lib->scheduler,
-											worker->job, requeue.time.rel);
-								break;
-							case JOB_SCHEDULE_TV:
-								lib->scheduler->schedule_job_tv(lib->scheduler,
-											worker->job, requeue.time.abs);
-								break;
-						}
-						break;
-					default:
+					case JOB_SCHEDULE_TV:
+						lib->scheduler->schedule_job_tv(lib->scheduler,
+												worker->job, requeue.time.abs);
 						break;
 				}
 				break;
-			}
+			default:
+				break;
+		}
+	}
+	/* unset the current job to avoid interference with cancel() when
+	 * destroying the job below */
+	worker->job = NULL;
+
+	if (to_destroy)
+	{	/* release mutex to avoid deadlocks if the same lock is required
+		 * during queue_job() and in the destructor called here */
+		this->mutex->unlock(this->mutex);
+		to_destroy->destroy(to_destroy);
+		this->mutex->lock(this->mutex);
+	}
+}
+
+/**
+ * Process queued jobs, called by the worker threads
+ */
+static void process_jobs(worker_thread_t *worker)
+{
+	private_processor_t *this = worker->processor;
+
+	/* worker threads are not cancelable by default */
+	thread_cancelability(FALSE);
+
+	DBG2(DBG_JOB, "started worker thread %.2u", thread_current_id());
+
+	this->mutex->lock(this->mutex);
+	while (this->desired_threads >= this->total_threads)
+	{
+		if (get_job(this, worker))
+		{
+			process_job(this, worker);
 		}
-		if (!worker->job)
+		else
 		{
 			this->job_added->wait(this->job_added, this->mutex);
 		}
-		worker->job = NULL;
 	}
 	this->total_threads--;
 	this->thread_terminated->signal(this->thread_terminated);
@@ -355,6 +401,31 @@ METHOD(processor_t, queue_job, void,
 	this->mutex->unlock(this->mutex);
 }
 
+METHOD(processor_t, execute_job, void,
+	private_processor_t *this, job_t *job)
+{
+	job_priority_t prio;
+	bool queued = FALSE;
+
+	this->mutex->lock(this->mutex);
+	if (this->desired_threads && get_idle_threads_nolock(this))
+	{
+		prio = sane_prio(job->get_priority(job));
+		job->status = JOB_STATUS_QUEUED;
+		/* insert job in front to execute it immediately */
+		this->jobs[prio]->insert_first(this->jobs[prio], job);
+		queued = TRUE;
+	}
+	this->job_added->signal(this->job_added);
+	this->mutex->unlock(this->mutex);
+
+	if (!queued)
+	{
+		job->execute(job);
+		job->destroy(job);
+	}
+}
+
 METHOD(processor_t, set_threads, void,
 	private_processor_t *this, u_int count)
 {
@@ -460,6 +531,7 @@ processor_t *processor_create()
 			.get_working_threads = _get_working_threads,
 			.get_job_load = _get_job_load,
 			.queue_job = _queue_job,
+			.execute_job = _execute_job,
 			.set_threads = _set_threads,
 			.cancel = _cancel,
 			.destroy = _destroy,
@@ -479,4 +551,3 @@ processor_t *processor_create()
 
 	return &this->public;
 }
-
diff --git a/src/libstrongswan/processing/processor.h b/src/libstrongswan/processing/processor.h
index 94860f5d3..f96530e54 100644
--- a/src/libstrongswan/processing/processor.h
+++ b/src/libstrongswan/processing/processor.h
@@ -74,6 +74,16 @@ struct processor_t {
 	 */
 	void (*queue_job) (processor_t *this, job_t *job);
 
+	/**
+	 * Directly execute a job with an idle worker thread.
+	 *
+	 * If no idle thread is available, the job gets executed by the calling
+	 * thread.
+	 *
+	 * @param job			job, gets destroyed
+	 */
+	void (*execute_job)(processor_t *this, job_t *job);
+
 	/**
 	 * Set the number of threads to use in the processor.
 	 *
diff --git a/src/libstrongswan/processing/watcher.c b/src/libstrongswan/processing/watcher.c
new file mode 100644
index 000000000..3009be608
--- /dev/null
+++ b/src/libstrongswan/processing/watcher.c
@@ -0,0 +1,462 @@
+/*
+ * Copyright (C) 2013 Martin Willi
+ * Copyright (C) 2013 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "watcher.h"
+
+#include <library.h>
+#include <threading/thread.h>
+#include <threading/mutex.h>
+#include <threading/condvar.h>
+#include <collections/linked_list.h>
+#include <processing/jobs/callback_job.h>
+
+#include <unistd.h>
+#include <errno.h>
+#include <sys/select.h>
+#include <fcntl.h>
+
+typedef struct private_watcher_t private_watcher_t;
+
+/**
+ * Private data of an watcher_t object.
+ */
+struct private_watcher_t {
+
+	/**
+	 * Public watcher_t interface.
+	 */
+	watcher_t public;
+
+	/**
+	 * List of registered FDs, as entry_t
+	 */
+	linked_list_t *fds;
+
+	/**
+	 * Lock to access FD list
+	 */
+	mutex_t *mutex;
+
+	/**
+	 * Condvar to signal completion of callback
+	 */
+	condvar_t *condvar;
+
+	/**
+	 * Notification pipe to signal watcher thread
+	 */
+	int notify[2];
+
+	/**
+	 * List of callback jobs to process by watcher thread, as job_t
+	 */
+	linked_list_t *jobs;
+};
+
+/**
+ * Entry for a registered file descriptor
+ */
+typedef struct {
+	/** file descriptor */
+	int fd;
+	/** events to watch */
+	watcher_event_t events;
+	/** registered callback function */
+	watcher_cb_t cb;
+	/** user data to pass to callback */
+	void *data;
+	/** callback(s) currently active? */
+	int in_callback;
+} entry_t;
+
+/**
+ * Data we pass on for an async notification
+ */
+typedef struct {
+	/** file descriptor */
+	int fd;
+	/** event type */
+	watcher_event_t event;
+	/** registered callback function */
+	watcher_cb_t cb;
+	/** user data to pass to callback */
+	void *data;
+	/** keep registered? */
+	bool keep;
+	/** reference to watcher */
+	private_watcher_t *this;
+} notify_data_t;
+
+/**
+ * Notify watcher thread about changes
+ */
+static void update(private_watcher_t *this)
+{
+	char buf[1] = { 'u' };
+
+	if (this->notify[1] != -1)
+	{
+		ignore_result(write(this->notify[1], buf, sizeof(buf)));
+	}
+}
+
+/**
+ * Cleanup function if callback gets cancelled
+ */
+static void unregister(notify_data_t *data)
+{
+	/* if a thread processing a callback gets cancelled, we mark the entry
+	 * as cancelled, like the callback would return FALSE. This is required
+	 * to not queue this watcher again if all threads have been gone. */
+	data->keep = FALSE;
+}
+
+ /**
+ * Execute callback of registered FD, asynchronous
+ */
+static job_requeue_t notify_async(notify_data_t *data)
+{
+	thread_cleanup_push((void*)unregister, data);
+	data->keep = data->cb(data->data, data->fd, data->event);
+	thread_cleanup_pop(FALSE);
+	return JOB_REQUEUE_NONE;
+}
+
+/**
+ * Clean up notification data, reactivate FD
+ */
+static void notify_end(notify_data_t *data)
+{
+	private_watcher_t *this = data->this;
+	enumerator_t *enumerator;
+	entry_t *entry;
+
+	/* reactivate the disabled entry */
+	this->mutex->lock(this->mutex);
+	enumerator = this->fds->create_enumerator(this->fds);
+	while (enumerator->enumerate(enumerator, &entry))
+	{
+		if (entry->fd == data->fd)
+		{
+			if (!data->keep)
+			{
+				entry->events &= ~data->event;
+				if (!entry->events)
+				{
+					this->fds->remove_at(this->fds, enumerator);
+					free(entry);
+					break;
+				}
+			}
+			entry->in_callback--;
+			break;
+		}
+	}
+	enumerator->destroy(enumerator);
+
+	update(this);
+	this->condvar->broadcast(this->condvar);
+	this->mutex->unlock(this->mutex);
+
+	free(data);
+}
+
+/**
+ * Execute the callback for a registered FD
+ */
+static void notify(private_watcher_t *this, entry_t *entry,
+				   watcher_event_t event)
+{
+	notify_data_t *data;
+
+	/* get a copy of entry for async job, but with specific event */
+	INIT(data,
+		.fd = entry->fd,
+		.event = event,
+		.cb = entry->cb,
+		.data = entry->data,
+		.keep = TRUE,
+		.this = this,
+	);
+
+	/* deactivate entry, so we can select() other FDs even if the async
+	 * processing did not handle the event yet */
+	entry->in_callback++;
+
+	this->jobs->insert_last(this->jobs,
+					callback_job_create_with_prio((void*)notify_async, data,
+						(void*)notify_end, (callback_job_cancel_t)return_false,
+						JOB_PRIO_CRITICAL));
+}
+
+/**
+ * Thread cancellation function for watcher thread
+ */
+static void activate_all(private_watcher_t *this)
+{
+	enumerator_t *enumerator;
+	entry_t *entry;
+
+	/* When the watcher thread gets cancelled, we have to reactivate any entry
+	 * and signal threads in remove() to go on. */
+
+	this->mutex->lock(this->mutex);
+	enumerator = this->fds->create_enumerator(this->fds);
+	while (enumerator->enumerate(enumerator, &entry))
+	{
+		entry->in_callback = 0;
+	}
+	enumerator->destroy(enumerator);
+	this->condvar->broadcast(this->condvar);
+	this->mutex->unlock(this->mutex);
+}
+
+/**
+ * Dispatching function
+ */
+static job_requeue_t watch(private_watcher_t *this)
+{
+	enumerator_t *enumerator;
+	entry_t *entry;
+	fd_set rd, wr, ex;
+	int maxfd = 0, res;
+
+	FD_ZERO(&rd);
+	FD_ZERO(&wr);
+	FD_ZERO(&ex);
+
+	this->mutex->lock(this->mutex);
+	if (this->fds->get_count(this->fds) == 0)
+	{
+		this->mutex->unlock(this->mutex);
+		return JOB_REQUEUE_NONE;
+	}
+
+	if (this->notify[0] != -1)
+	{
+		FD_SET(this->notify[0], &rd);
+		maxfd = this->notify[0];
+	}
+
+	enumerator = this->fds->create_enumerator(this->fds);
+	while (enumerator->enumerate(enumerator, &entry))
+	{
+		if (!entry->in_callback)
+		{
+			if (entry->events & WATCHER_READ)
+			{
+				DBG3(DBG_JOB, "  watching %d for reading", entry->fd);
+				FD_SET(entry->fd, &rd);
+			}
+			if (entry->events & WATCHER_WRITE)
+			{
+				DBG3(DBG_JOB, "  watching %d for writing", entry->fd);
+				FD_SET(entry->fd, &wr);
+			}
+			if (entry->events & WATCHER_EXCEPT)
+			{
+				DBG3(DBG_JOB, "  watching %d for exceptions", entry->fd);
+				FD_SET(entry->fd, &ex);
+			}
+			maxfd = max(maxfd, entry->fd);
+		}
+	}
+	enumerator->destroy(enumerator);
+	this->mutex->unlock(this->mutex);
+
+	while (TRUE)
+	{
+		char buf[1];
+		bool old;
+		job_t *job;
+
+		DBG2(DBG_JOB, "watcher going to select()");
+		thread_cleanup_push((void*)activate_all, this);
+		old = thread_cancelability(TRUE);
+		res = select(maxfd + 1, &rd, &wr, &ex, NULL);
+		thread_cancelability(old);
+		thread_cleanup_pop(FALSE);
+		if (res > 0)
+		{
+			if (this->notify[0] != -1 && FD_ISSET(this->notify[0], &rd))
+			{
+				DBG2(DBG_JOB, "watcher got notification, rebuilding");
+				while (read(this->notify[0], buf, sizeof(buf)) > 0);
+				return JOB_REQUEUE_DIRECT;
+			}
+
+			this->mutex->lock(this->mutex);
+			enumerator = this->fds->create_enumerator(this->fds);
+			while (enumerator->enumerate(enumerator, &entry))
+			{
+				if (FD_ISSET(entry->fd, &rd) && (entry->events & WATCHER_READ))
+				{
+					DBG2(DBG_JOB, "watched FD %d ready to read", entry->fd);
+					notify(this, entry, WATCHER_READ);
+				}
+				if (FD_ISSET(entry->fd, &wr) && (entry->events & WATCHER_WRITE))
+				{
+					DBG2(DBG_JOB, "watched FD %d ready to write", entry->fd);
+					notify(this, entry, WATCHER_WRITE);
+				}
+				if (FD_ISSET(entry->fd, &ex) && (entry->events & WATCHER_EXCEPT))
+				{
+					DBG2(DBG_JOB, "watched FD %d has exception", entry->fd);
+					notify(this, entry, WATCHER_EXCEPT);
+				}
+			}
+			enumerator->destroy(enumerator);
+			this->mutex->unlock(this->mutex);
+
+			if (this->jobs->get_count(this->jobs))
+			{
+				while (this->jobs->remove_first(this->jobs,
+												(void**)&job) == SUCCESS)
+				{
+					lib->processor->execute_job(lib->processor, job);
+				}
+				/* we temporarily disable a notified FD, rebuild FDSET */
+				return JOB_REQUEUE_DIRECT;
+			}
+		}
+		else
+		{
+			DBG1(DBG_JOB, "watcher select() error: %s", strerror(errno));
+		}
+	}
+}
+
+METHOD(watcher_t, add, void,
+	private_watcher_t *this, int fd, watcher_event_t events,
+	watcher_cb_t cb, void *data)
+{
+	entry_t *entry;
+
+	INIT(entry,
+		.fd = fd,
+		.events = events,
+		.cb = cb,
+		.data = data,
+	);
+
+	this->mutex->lock(this->mutex);
+	this->fds->insert_last(this->fds, entry);
+	if (this->fds->get_count(this->fds) == 1)
+	{
+		lib->processor->queue_job(lib->processor,
+			(job_t*)callback_job_create_with_prio((void*)watch, this,
+				NULL, (callback_job_cancel_t)return_false, JOB_PRIO_CRITICAL));
+	}
+	else
+	{
+		update(this);
+	}
+	this->mutex->unlock(this->mutex);
+}
+
+METHOD(watcher_t, remove_, void,
+	private_watcher_t *this, int fd)
+{
+	enumerator_t *enumerator;
+	entry_t *entry;
+
+	this->mutex->lock(this->mutex);
+	while (TRUE)
+	{
+		bool is_in_callback = FALSE;
+
+		enumerator = this->fds->create_enumerator(this->fds);
+		while (enumerator->enumerate(enumerator, &entry))
+		{
+			if (entry->fd == fd)
+			{
+				if (entry->in_callback)
+				{
+					is_in_callback = TRUE;
+					break;
+				}
+				this->fds->remove_at(this->fds, enumerator);
+				free(entry);
+			}
+		}
+		enumerator->destroy(enumerator);
+		if (!is_in_callback)
+		{
+			break;
+		}
+		this->condvar->wait(this->condvar, this->mutex);
+	}
+
+	update(this);
+	this->mutex->unlock(this->mutex);
+}
+
+METHOD(watcher_t, destroy, void,
+	private_watcher_t *this)
+{
+	this->mutex->destroy(this->mutex);
+	this->condvar->destroy(this->condvar);
+	this->fds->destroy(this->fds);
+	if (this->notify[0] != -1)
+	{
+		close(this->notify[0]);
+	}
+	if (this->notify[1] != -1)
+	{
+		close(this->notify[1]);
+	}
+	this->jobs->destroy(this->jobs);
+	free(this);
+}
+
+/**
+ * See header
+ */
+watcher_t *watcher_create()
+{
+	private_watcher_t *this;
+	int flags;
+
+	INIT(this,
+		.public = {
+			.add = _add,
+			.remove = _remove_,
+			.destroy = _destroy,
+		},
+		.fds = linked_list_create(),
+		.mutex = mutex_create(MUTEX_TYPE_DEFAULT),
+		.condvar = condvar_create(CONDVAR_TYPE_DEFAULT),
+		.jobs = linked_list_create(),
+		.notify = {-1, -1},
+	);
+
+	if (pipe(this->notify) == 0)
+	{
+		/* use non-blocking I/O on read-end of notify pipe */
+		flags = fcntl(this->notify[0], F_GETFL);
+		if (flags == -1 ||
+			fcntl(this->notify[0], F_SETFL, flags | O_NONBLOCK) == -1)
+		{
+			DBG1(DBG_LIB, "setting watcher notify pipe read-end non-blocking "
+				 "failed: %s", strerror(errno));
+		}
+	}
+	else
+	{
+		DBG1(DBG_LIB, "creating watcher notify pipe failed: %s",
+			 strerror(errno));
+	}
+	return &this->public;
+}
diff --git a/src/libstrongswan/processing/watcher.h b/src/libstrongswan/processing/watcher.h
new file mode 100644
index 000000000..6e158cec2
--- /dev/null
+++ b/src/libstrongswan/processing/watcher.h
@@ -0,0 +1,101 @@
+/*
+ * Copyright (C) 2013 Martin Willi
+ * Copyright (C) 2013 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup watcher watcher
+ * @{ @ingroup processor
+ */
+
+#ifndef WATCHER_H_
+#define WATCHER_H_
+
+typedef struct watcher_t watcher_t;
+typedef enum watcher_event_t watcher_event_t;
+
+#include <library.h>
+
+/**
+ * Callback function to register for file descriptor events.
+ *
+ * The callback is executed asynchronously using a thread from the pool.
+ * Monitoring of fd is temporarily suspended to avoid additional events while
+ * it is processed asynchronously. To allow concurrent events, one can quickly
+ * process it (using a read/write) and return from the callback. This will
+ * re-enable the event, while the data read can be processed in another
+ * asynchronous job.
+ *
+ * On Linux, even if select() marks an FD as "ready", a subsequent read/write
+ * can block. It is therefore highly recommended to use non-blocking I/O
+ * and handle EAGAIN/EWOULDBLOCK gracefully.
+ *
+ * @param data		user data passed during registration
+ * @param fd		file descriptor the event occurred on
+ * @param event		type of event
+ * @return			TRUE to keep watching event, FALSE to unregister fd for event
+ */
+typedef bool (*watcher_cb_t)(void *data, int fd, watcher_event_t event);
+
+/**
+ * What events to watch for a file descriptor.
+ */
+enum watcher_event_t {
+	WATCHER_READ = (1<<0),
+	WATCHER_WRITE = (1<<1),
+	WATCHER_EXCEPT = (1<<2),
+};
+
+/**
+ * Watch multiple file descriptors using select().
+ */
+struct watcher_t {
+
+	/**
+	 * Start watching a new file descriptor.
+	 *
+	 * Multiple callbacks can be registered for the same file descriptor, and
+	 * all of them get notified. Such callbacks are executed concurrently.
+	 *
+	 * @param fd		file descriptor to start watching
+	 * @param events	ORed set of events to watch
+	 * @param cb		callback function to invoke on events
+	 * @param data		data to pass to cb()
+	 */
+	void (*add)(watcher_t *this, int fd, watcher_event_t events,
+				watcher_cb_t cb, void *data);
+
+	/**
+	 * Stop watching a previously registered file descriptor.
+	 *
+	 * This call blocks until any active callback for this FD returns. All
+	 * callbacks registered for that FD get unregistered.
+	 *
+	 * @param fd		file descriptor to stop watching
+	 */
+	void (*remove)(watcher_t *this, int fd);
+
+	/**
+	 * Destroy a watcher_t.
+	 */
+	void (*destroy)(watcher_t *this);
+};
+
+/**
+ * Create a watcher instance.
+ *
+ * @return		watcher
+ */
+watcher_t *watcher_create();
+
+#endif /** WATCHER_H_ @}*/
diff --git a/src/libstrongswan/selectors/traffic_selector.c b/src/libstrongswan/selectors/traffic_selector.c
index ff8285f8c..75a8717dd 100644
--- a/src/libstrongswan/selectors/traffic_selector.c
+++ b/src/libstrongswan/selectors/traffic_selector.c
@@ -814,38 +814,32 @@ traffic_selector_t *traffic_selector_create_from_string(
 										char *from_addr, u_int16_t from_port,
 										char *to_addr, u_int16_t to_port)
 {
-	private_traffic_selector_t *this = traffic_selector_create(protocol, type,
-															from_port, to_port);
+	private_traffic_selector_t *this;
+	int family;
 
 	switch (type)
 	{
 		case TS_IPV4_ADDR_RANGE:
-			if (inet_pton(AF_INET, from_addr, (struct in_addr*)this->from4) < 0)
-			{
-				free(this);
-				return NULL;
-			}
-			if (inet_pton(AF_INET, to_addr, (struct in_addr*)this->to4) < 0)
-			{
-				free(this);
-				return NULL;
-			}
+			family = AF_INET;
 			break;
 		case TS_IPV6_ADDR_RANGE:
-			if (inet_pton(AF_INET6, from_addr, (struct in6_addr*)this->from6) < 0)
-			{
-				free(this);
-				return NULL;
-			}
-			if (inet_pton(AF_INET6, to_addr, (struct in6_addr*)this->to6) < 0)
-			{
-				free(this);
-				return NULL;
-			}
+			family = AF_INET6;
 			break;
+		default:
+			return NULL;
 	}
+
+	this = traffic_selector_create(protocol, type, from_port, to_port);
+
+	if (inet_pton(family, from_addr, this->from) != 1 ||
+		inet_pton(family, to_addr, this->to) != 1)
+	{
+		free(this);
+		return NULL;
+	}
+
 	calc_netbits(this);
-	return (&this->public);
+	return &this->public;
 }
 
 /*
diff --git a/src/libstrongswan/tests/Makefile.am b/src/libstrongswan/tests/Makefile.am
new file mode 100644
index 000000000..585f9c16e
--- /dev/null
+++ b/src/libstrongswan/tests/Makefile.am
@@ -0,0 +1,23 @@
+TESTS = test_runner
+
+check_PROGRAMS = $(TESTS)
+
+test_runner_SOURCES = \
+  test_runner.c test_runner.h test_suite.h \
+  test_linked_list.c test_enumerator.c test_linked_list_enumerator.c \
+  test_bio_reader.c test_bio_writer.c test_chunk.c test_enum.c test_hashtable.c \
+  test_identification.c test_threading.c test_utils.c test_vectors.c \
+  test_array.c test_ecdsa.c test_rsa.c test_host.c
+
+test_runner_CFLAGS = \
+  -I$(top_srcdir)/src/libstrongswan \
+  -DPLUGINDIR=\""$(top_builddir)/src/libstrongswan/plugins\"" \
+  -DPLUGINS=\""${s_plugins}\"" \
+  @COVERAGE_CFLAGS@ \
+  @CHECK_CFLAGS@
+
+test_runner_LDFLAGS = @COVERAGE_LDFLAGS@
+test_runner_LDADD = \
+  $(top_builddir)/src/libstrongswan/libstrongswan.la \
+  $(PTHREADLIB) \
+  @CHECK_LIBS@
diff --git a/src/libstrongswan/tests/Makefile.in b/src/libstrongswan/tests/Makefile.in
new file mode 100644
index 000000000..dffa24b5b
--- /dev/null
+++ b/src/libstrongswan/tests/Makefile.in
@@ -0,0 +1,992 @@
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
+pkgdatadir = $(datadir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+TESTS = test_runner$(EXEEXT)
+check_PROGRAMS = $(am__EXEEXT_1)
+subdir = src/libstrongswan/tests
+DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+	$(top_srcdir)/m4/config/ltoptions.m4 \
+	$(top_srcdir)/m4/config/ltsugar.m4 \
+	$(top_srcdir)/m4/config/ltversion.m4 \
+	$(top_srcdir)/m4/config/lt~obsolete.m4 \
+	$(top_srcdir)/m4/macros/with.m4 \
+	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
+	$(top_srcdir)/configure.ac
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+	$(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_HEADER = $(top_builddir)/config.h
+CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
+am__EXEEXT_1 = test_runner$(EXEEXT)
+am_test_runner_OBJECTS = test_runner-test_runner.$(OBJEXT) \
+	test_runner-test_linked_list.$(OBJEXT) \
+	test_runner-test_enumerator.$(OBJEXT) \
+	test_runner-test_linked_list_enumerator.$(OBJEXT) \
+	test_runner-test_bio_reader.$(OBJEXT) \
+	test_runner-test_bio_writer.$(OBJEXT) \
+	test_runner-test_chunk.$(OBJEXT) \
+	test_runner-test_enum.$(OBJEXT) \
+	test_runner-test_hashtable.$(OBJEXT) \
+	test_runner-test_identification.$(OBJEXT) \
+	test_runner-test_threading.$(OBJEXT) \
+	test_runner-test_utils.$(OBJEXT) \
+	test_runner-test_vectors.$(OBJEXT) \
+	test_runner-test_array.$(OBJEXT) \
+	test_runner-test_ecdsa.$(OBJEXT) \
+	test_runner-test_rsa.$(OBJEXT) test_runner-test_host.$(OBJEXT)
+test_runner_OBJECTS = $(am_test_runner_OBJECTS)
+am__DEPENDENCIES_1 =
+test_runner_DEPENDENCIES =  \
+	$(top_builddir)/src/libstrongswan/libstrongswan.la \
+	$(am__DEPENDENCIES_1)
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+test_runner_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(test_runner_CFLAGS) \
+	$(CFLAGS) $(test_runner_LDFLAGS) $(LDFLAGS) -o $@
+DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
+depcomp = $(SHELL) $(top_srcdir)/depcomp
+am__depfiles_maybe = depfiles
+am__mv = mv -f
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
+CCLD = $(CC)
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
+SOURCES = $(test_runner_SOURCES)
+DIST_SOURCES = $(test_runner_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
+ETAGS = etags
+CTAGS = ctags
+am__tty_colors = \
+red=; grn=; lgn=; blu=; std=
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
+AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+BFDLIB = @BFDLIB@
+BTLIB = @BTLIB@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
+DSYMUTIL = @DSYMUTIL@
+DUMPBIN = @DUMPBIN@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+FGREP = @FGREP@
+GENHTML = @GENHTML@
+GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
+GREP = @GREP@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
+LD = @LD@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LIPO = @LIPO@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
+MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
+NM = @NM@
+NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
+PTHREADLIB = @PTHREADLIB@
+RANLIB = @RANLIB@
+RTLIB = @RTLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
+SED = @SED@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
+STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
+VERSION = @VERSION@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+attest_plugins = @attest_plugins@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+c_plugins = @c_plugins@
+charon_natt_port = @charon_natt_port@
+charon_plugins = @charon_plugins@
+charon_udp_port = @charon_udp_port@
+clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
+datadir = @datadir@
+datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
+dev_headers = @dev_headers@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
+gtk_CFLAGS = @gtk_CFLAGS@
+gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+imcvdir = @imcvdir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+ipsec_script = @ipsec_script@
+ipsec_script_upper = @ipsec_script_upper@
+ipsecdir = @ipsecdir@
+ipsecgroup = @ipsecgroup@
+ipseclibdir = @ipseclibdir@
+ipsecuser = @ipsecuser@
+libdir = @libdir@
+libexecdir = @libexecdir@
+linux_headers = @linux_headers@
+localedir = @localedir@
+localstatedir = @localstatedir@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
+mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
+mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
+nm_plugins = @nm_plugins@
+oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+pcsclite_CFLAGS = @pcsclite_CFLAGS@
+pcsclite_LIBS = @pcsclite_LIBS@
+pdfdir = @pdfdir@
+piddir = @piddir@
+pki_plugins = @pki_plugins@
+plugindir = @plugindir@
+pool_plugins = @pool_plugins@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+random_device = @random_device@
+resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
+sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
+sharedstatedir = @sharedstatedir@
+soup_CFLAGS = @soup_CFLAGS@
+soup_LIBS = @soup_LIBS@
+srcdir = @srcdir@
+starter_plugins = @starter_plugins@
+strongswan_conf = @strongswan_conf@
+sysconfdir = @sysconfdir@
+systemdsystemunitdir = @systemdsystemunitdir@
+target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+urandom_device = @urandom_device@
+xml_CFLAGS = @xml_CFLAGS@
+xml_LIBS = @xml_LIBS@
+test_runner_SOURCES = \
+  test_runner.c test_runner.h test_suite.h \
+  test_linked_list.c test_enumerator.c test_linked_list_enumerator.c \
+  test_bio_reader.c test_bio_writer.c test_chunk.c test_enum.c test_hashtable.c \
+  test_identification.c test_threading.c test_utils.c test_vectors.c \
+  test_array.c test_ecdsa.c test_rsa.c test_host.c
+
+test_runner_CFLAGS = \
+  -I$(top_srcdir)/src/libstrongswan \
+  -DPLUGINDIR=\""$(top_builddir)/src/libstrongswan/plugins\"" \
+  -DPLUGINS=\""${s_plugins}\"" \
+  @COVERAGE_CFLAGS@ \
+  @CHECK_CFLAGS@
+
+test_runner_LDFLAGS = @COVERAGE_LDFLAGS@
+test_runner_LDADD = \
+  $(top_builddir)/src/libstrongswan/libstrongswan.la \
+  $(PTHREADLIB) \
+  @CHECK_LIBS@
+
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .c .lo .o .obj
+$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
+	@for dep in $?; do \
+	  case '$(am__configure_deps)' in \
+	    *$$dep*) \
+	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+	        && { if test -f $@; then exit 0; else break; fi; }; \
+	      exit 1;; \
+	  esac; \
+	done; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libstrongswan/tests/Makefile'; \
+	$(am__cd) $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu src/libstrongswan/tests/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+	@case '$?' in \
+	  *config.status*) \
+	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+	  *) \
+	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+	esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure:  $(am__configure_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
+
+clean-checkPROGRAMS:
+	@list='$(check_PROGRAMS)'; test -n "$$list" || exit 0; \
+	echo " rm -f" $$list; \
+	rm -f $$list || exit $$?; \
+	test -n "$(EXEEXT)" || exit 0; \
+	list=`for p in $$list; do echo "$$p"; done | sed 's/$(EXEEXT)$$//'`; \
+	echo " rm -f" $$list; \
+	rm -f $$list
+test_runner$(EXEEXT): $(test_runner_OBJECTS) $(test_runner_DEPENDENCIES) $(EXTRA_test_runner_DEPENDENCIES) 
+	@rm -f test_runner$(EXEEXT)
+	$(AM_V_CCLD)$(test_runner_LINK) $(test_runner_OBJECTS) $(test_runner_LDADD) $(LIBS)
+
+mostlyclean-compile:
+	-rm -f *.$(OBJEXT)
+
+distclean-compile:
+	-rm -f *.tab.c
+
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_runner-test_array.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_runner-test_bio_reader.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_runner-test_bio_writer.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_runner-test_chunk.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_runner-test_ecdsa.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_runner-test_enum.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_runner-test_enumerator.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_runner-test_hashtable.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_runner-test_host.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_runner-test_identification.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_runner-test_linked_list.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_runner-test_linked_list_enumerator.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_runner-test_rsa.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_runner-test_runner.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_runner-test_threading.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_runner-test_utils.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_runner-test_vectors.Po@am__quote@
+
+.c.o:
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
+
+.c.obj:
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
+
+.c.lo:
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
+
+test_runner-test_runner.o: test_runner.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -MT test_runner-test_runner.o -MD -MP -MF $(DEPDIR)/test_runner-test_runner.Tpo -c -o test_runner-test_runner.o `test -f 'test_runner.c' || echo '$(srcdir)/'`test_runner.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/test_runner-test_runner.Tpo $(DEPDIR)/test_runner-test_runner.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='test_runner.c' object='test_runner-test_runner.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -c -o test_runner-test_runner.o `test -f 'test_runner.c' || echo '$(srcdir)/'`test_runner.c
+
+test_runner-test_runner.obj: test_runner.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -MT test_runner-test_runner.obj -MD -MP -MF $(DEPDIR)/test_runner-test_runner.Tpo -c -o test_runner-test_runner.obj `if test -f 'test_runner.c'; then $(CYGPATH_W) 'test_runner.c'; else $(CYGPATH_W) '$(srcdir)/test_runner.c'; fi`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/test_runner-test_runner.Tpo $(DEPDIR)/test_runner-test_runner.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='test_runner.c' object='test_runner-test_runner.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -c -o test_runner-test_runner.obj `if test -f 'test_runner.c'; then $(CYGPATH_W) 'test_runner.c'; else $(CYGPATH_W) '$(srcdir)/test_runner.c'; fi`
+
+test_runner-test_linked_list.o: test_linked_list.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -MT test_runner-test_linked_list.o -MD -MP -MF $(DEPDIR)/test_runner-test_linked_list.Tpo -c -o test_runner-test_linked_list.o `test -f 'test_linked_list.c' || echo '$(srcdir)/'`test_linked_list.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/test_runner-test_linked_list.Tpo $(DEPDIR)/test_runner-test_linked_list.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='test_linked_list.c' object='test_runner-test_linked_list.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -c -o test_runner-test_linked_list.o `test -f 'test_linked_list.c' || echo '$(srcdir)/'`test_linked_list.c
+
+test_runner-test_linked_list.obj: test_linked_list.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -MT test_runner-test_linked_list.obj -MD -MP -MF $(DEPDIR)/test_runner-test_linked_list.Tpo -c -o test_runner-test_linked_list.obj `if test -f 'test_linked_list.c'; then $(CYGPATH_W) 'test_linked_list.c'; else $(CYGPATH_W) '$(srcdir)/test_linked_list.c'; fi`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/test_runner-test_linked_list.Tpo $(DEPDIR)/test_runner-test_linked_list.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='test_linked_list.c' object='test_runner-test_linked_list.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -c -o test_runner-test_linked_list.obj `if test -f 'test_linked_list.c'; then $(CYGPATH_W) 'test_linked_list.c'; else $(CYGPATH_W) '$(srcdir)/test_linked_list.c'; fi`
+
+test_runner-test_enumerator.o: test_enumerator.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -MT test_runner-test_enumerator.o -MD -MP -MF $(DEPDIR)/test_runner-test_enumerator.Tpo -c -o test_runner-test_enumerator.o `test -f 'test_enumerator.c' || echo '$(srcdir)/'`test_enumerator.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/test_runner-test_enumerator.Tpo $(DEPDIR)/test_runner-test_enumerator.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='test_enumerator.c' object='test_runner-test_enumerator.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -c -o test_runner-test_enumerator.o `test -f 'test_enumerator.c' || echo '$(srcdir)/'`test_enumerator.c
+
+test_runner-test_enumerator.obj: test_enumerator.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -MT test_runner-test_enumerator.obj -MD -MP -MF $(DEPDIR)/test_runner-test_enumerator.Tpo -c -o test_runner-test_enumerator.obj `if test -f 'test_enumerator.c'; then $(CYGPATH_W) 'test_enumerator.c'; else $(CYGPATH_W) '$(srcdir)/test_enumerator.c'; fi`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/test_runner-test_enumerator.Tpo $(DEPDIR)/test_runner-test_enumerator.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='test_enumerator.c' object='test_runner-test_enumerator.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -c -o test_runner-test_enumerator.obj `if test -f 'test_enumerator.c'; then $(CYGPATH_W) 'test_enumerator.c'; else $(CYGPATH_W) '$(srcdir)/test_enumerator.c'; fi`
+
+test_runner-test_linked_list_enumerator.o: test_linked_list_enumerator.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -MT test_runner-test_linked_list_enumerator.o -MD -MP -MF $(DEPDIR)/test_runner-test_linked_list_enumerator.Tpo -c -o test_runner-test_linked_list_enumerator.o `test -f 'test_linked_list_enumerator.c' || echo '$(srcdir)/'`test_linked_list_enumerator.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/test_runner-test_linked_list_enumerator.Tpo $(DEPDIR)/test_runner-test_linked_list_enumerator.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='test_linked_list_enumerator.c' object='test_runner-test_linked_list_enumerator.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -c -o test_runner-test_linked_list_enumerator.o `test -f 'test_linked_list_enumerator.c' || echo '$(srcdir)/'`test_linked_list_enumerator.c
+
+test_runner-test_linked_list_enumerator.obj: test_linked_list_enumerator.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -MT test_runner-test_linked_list_enumerator.obj -MD -MP -MF $(DEPDIR)/test_runner-test_linked_list_enumerator.Tpo -c -o test_runner-test_linked_list_enumerator.obj `if test -f 'test_linked_list_enumerator.c'; then $(CYGPATH_W) 'test_linked_list_enumerator.c'; else $(CYGPATH_W) '$(srcdir)/test_linked_list_enumerator.c'; fi`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/test_runner-test_linked_list_enumerator.Tpo $(DEPDIR)/test_runner-test_linked_list_enumerator.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='test_linked_list_enumerator.c' object='test_runner-test_linked_list_enumerator.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -c -o test_runner-test_linked_list_enumerator.obj `if test -f 'test_linked_list_enumerator.c'; then $(CYGPATH_W) 'test_linked_list_enumerator.c'; else $(CYGPATH_W) '$(srcdir)/test_linked_list_enumerator.c'; fi`
+
+test_runner-test_bio_reader.o: test_bio_reader.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -MT test_runner-test_bio_reader.o -MD -MP -MF $(DEPDIR)/test_runner-test_bio_reader.Tpo -c -o test_runner-test_bio_reader.o `test -f 'test_bio_reader.c' || echo '$(srcdir)/'`test_bio_reader.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/test_runner-test_bio_reader.Tpo $(DEPDIR)/test_runner-test_bio_reader.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='test_bio_reader.c' object='test_runner-test_bio_reader.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -c -o test_runner-test_bio_reader.o `test -f 'test_bio_reader.c' || echo '$(srcdir)/'`test_bio_reader.c
+
+test_runner-test_bio_reader.obj: test_bio_reader.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -MT test_runner-test_bio_reader.obj -MD -MP -MF $(DEPDIR)/test_runner-test_bio_reader.Tpo -c -o test_runner-test_bio_reader.obj `if test -f 'test_bio_reader.c'; then $(CYGPATH_W) 'test_bio_reader.c'; else $(CYGPATH_W) '$(srcdir)/test_bio_reader.c'; fi`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/test_runner-test_bio_reader.Tpo $(DEPDIR)/test_runner-test_bio_reader.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='test_bio_reader.c' object='test_runner-test_bio_reader.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -c -o test_runner-test_bio_reader.obj `if test -f 'test_bio_reader.c'; then $(CYGPATH_W) 'test_bio_reader.c'; else $(CYGPATH_W) '$(srcdir)/test_bio_reader.c'; fi`
+
+test_runner-test_bio_writer.o: test_bio_writer.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -MT test_runner-test_bio_writer.o -MD -MP -MF $(DEPDIR)/test_runner-test_bio_writer.Tpo -c -o test_runner-test_bio_writer.o `test -f 'test_bio_writer.c' || echo '$(srcdir)/'`test_bio_writer.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/test_runner-test_bio_writer.Tpo $(DEPDIR)/test_runner-test_bio_writer.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='test_bio_writer.c' object='test_runner-test_bio_writer.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -c -o test_runner-test_bio_writer.o `test -f 'test_bio_writer.c' || echo '$(srcdir)/'`test_bio_writer.c
+
+test_runner-test_bio_writer.obj: test_bio_writer.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -MT test_runner-test_bio_writer.obj -MD -MP -MF $(DEPDIR)/test_runner-test_bio_writer.Tpo -c -o test_runner-test_bio_writer.obj `if test -f 'test_bio_writer.c'; then $(CYGPATH_W) 'test_bio_writer.c'; else $(CYGPATH_W) '$(srcdir)/test_bio_writer.c'; fi`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/test_runner-test_bio_writer.Tpo $(DEPDIR)/test_runner-test_bio_writer.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='test_bio_writer.c' object='test_runner-test_bio_writer.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -c -o test_runner-test_bio_writer.obj `if test -f 'test_bio_writer.c'; then $(CYGPATH_W) 'test_bio_writer.c'; else $(CYGPATH_W) '$(srcdir)/test_bio_writer.c'; fi`
+
+test_runner-test_chunk.o: test_chunk.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -MT test_runner-test_chunk.o -MD -MP -MF $(DEPDIR)/test_runner-test_chunk.Tpo -c -o test_runner-test_chunk.o `test -f 'test_chunk.c' || echo '$(srcdir)/'`test_chunk.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/test_runner-test_chunk.Tpo $(DEPDIR)/test_runner-test_chunk.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='test_chunk.c' object='test_runner-test_chunk.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -c -o test_runner-test_chunk.o `test -f 'test_chunk.c' || echo '$(srcdir)/'`test_chunk.c
+
+test_runner-test_chunk.obj: test_chunk.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -MT test_runner-test_chunk.obj -MD -MP -MF $(DEPDIR)/test_runner-test_chunk.Tpo -c -o test_runner-test_chunk.obj `if test -f 'test_chunk.c'; then $(CYGPATH_W) 'test_chunk.c'; else $(CYGPATH_W) '$(srcdir)/test_chunk.c'; fi`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/test_runner-test_chunk.Tpo $(DEPDIR)/test_runner-test_chunk.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='test_chunk.c' object='test_runner-test_chunk.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -c -o test_runner-test_chunk.obj `if test -f 'test_chunk.c'; then $(CYGPATH_W) 'test_chunk.c'; else $(CYGPATH_W) '$(srcdir)/test_chunk.c'; fi`
+
+test_runner-test_enum.o: test_enum.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -MT test_runner-test_enum.o -MD -MP -MF $(DEPDIR)/test_runner-test_enum.Tpo -c -o test_runner-test_enum.o `test -f 'test_enum.c' || echo '$(srcdir)/'`test_enum.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/test_runner-test_enum.Tpo $(DEPDIR)/test_runner-test_enum.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='test_enum.c' object='test_runner-test_enum.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -c -o test_runner-test_enum.o `test -f 'test_enum.c' || echo '$(srcdir)/'`test_enum.c
+
+test_runner-test_enum.obj: test_enum.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -MT test_runner-test_enum.obj -MD -MP -MF $(DEPDIR)/test_runner-test_enum.Tpo -c -o test_runner-test_enum.obj `if test -f 'test_enum.c'; then $(CYGPATH_W) 'test_enum.c'; else $(CYGPATH_W) '$(srcdir)/test_enum.c'; fi`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/test_runner-test_enum.Tpo $(DEPDIR)/test_runner-test_enum.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='test_enum.c' object='test_runner-test_enum.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -c -o test_runner-test_enum.obj `if test -f 'test_enum.c'; then $(CYGPATH_W) 'test_enum.c'; else $(CYGPATH_W) '$(srcdir)/test_enum.c'; fi`
+
+test_runner-test_hashtable.o: test_hashtable.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -MT test_runner-test_hashtable.o -MD -MP -MF $(DEPDIR)/test_runner-test_hashtable.Tpo -c -o test_runner-test_hashtable.o `test -f 'test_hashtable.c' || echo '$(srcdir)/'`test_hashtable.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/test_runner-test_hashtable.Tpo $(DEPDIR)/test_runner-test_hashtable.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='test_hashtable.c' object='test_runner-test_hashtable.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -c -o test_runner-test_hashtable.o `test -f 'test_hashtable.c' || echo '$(srcdir)/'`test_hashtable.c
+
+test_runner-test_hashtable.obj: test_hashtable.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -MT test_runner-test_hashtable.obj -MD -MP -MF $(DEPDIR)/test_runner-test_hashtable.Tpo -c -o test_runner-test_hashtable.obj `if test -f 'test_hashtable.c'; then $(CYGPATH_W) 'test_hashtable.c'; else $(CYGPATH_W) '$(srcdir)/test_hashtable.c'; fi`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/test_runner-test_hashtable.Tpo $(DEPDIR)/test_runner-test_hashtable.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='test_hashtable.c' object='test_runner-test_hashtable.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -c -o test_runner-test_hashtable.obj `if test -f 'test_hashtable.c'; then $(CYGPATH_W) 'test_hashtable.c'; else $(CYGPATH_W) '$(srcdir)/test_hashtable.c'; fi`
+
+test_runner-test_identification.o: test_identification.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -MT test_runner-test_identification.o -MD -MP -MF $(DEPDIR)/test_runner-test_identification.Tpo -c -o test_runner-test_identification.o `test -f 'test_identification.c' || echo '$(srcdir)/'`test_identification.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/test_runner-test_identification.Tpo $(DEPDIR)/test_runner-test_identification.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='test_identification.c' object='test_runner-test_identification.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -c -o test_runner-test_identification.o `test -f 'test_identification.c' || echo '$(srcdir)/'`test_identification.c
+
+test_runner-test_identification.obj: test_identification.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -MT test_runner-test_identification.obj -MD -MP -MF $(DEPDIR)/test_runner-test_identification.Tpo -c -o test_runner-test_identification.obj `if test -f 'test_identification.c'; then $(CYGPATH_W) 'test_identification.c'; else $(CYGPATH_W) '$(srcdir)/test_identification.c'; fi`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/test_runner-test_identification.Tpo $(DEPDIR)/test_runner-test_identification.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='test_identification.c' object='test_runner-test_identification.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -c -o test_runner-test_identification.obj `if test -f 'test_identification.c'; then $(CYGPATH_W) 'test_identification.c'; else $(CYGPATH_W) '$(srcdir)/test_identification.c'; fi`
+
+test_runner-test_threading.o: test_threading.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -MT test_runner-test_threading.o -MD -MP -MF $(DEPDIR)/test_runner-test_threading.Tpo -c -o test_runner-test_threading.o `test -f 'test_threading.c' || echo '$(srcdir)/'`test_threading.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/test_runner-test_threading.Tpo $(DEPDIR)/test_runner-test_threading.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='test_threading.c' object='test_runner-test_threading.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -c -o test_runner-test_threading.o `test -f 'test_threading.c' || echo '$(srcdir)/'`test_threading.c
+
+test_runner-test_threading.obj: test_threading.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -MT test_runner-test_threading.obj -MD -MP -MF $(DEPDIR)/test_runner-test_threading.Tpo -c -o test_runner-test_threading.obj `if test -f 'test_threading.c'; then $(CYGPATH_W) 'test_threading.c'; else $(CYGPATH_W) '$(srcdir)/test_threading.c'; fi`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/test_runner-test_threading.Tpo $(DEPDIR)/test_runner-test_threading.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='test_threading.c' object='test_runner-test_threading.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -c -o test_runner-test_threading.obj `if test -f 'test_threading.c'; then $(CYGPATH_W) 'test_threading.c'; else $(CYGPATH_W) '$(srcdir)/test_threading.c'; fi`
+
+test_runner-test_utils.o: test_utils.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -MT test_runner-test_utils.o -MD -MP -MF $(DEPDIR)/test_runner-test_utils.Tpo -c -o test_runner-test_utils.o `test -f 'test_utils.c' || echo '$(srcdir)/'`test_utils.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/test_runner-test_utils.Tpo $(DEPDIR)/test_runner-test_utils.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='test_utils.c' object='test_runner-test_utils.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -c -o test_runner-test_utils.o `test -f 'test_utils.c' || echo '$(srcdir)/'`test_utils.c
+
+test_runner-test_utils.obj: test_utils.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -MT test_runner-test_utils.obj -MD -MP -MF $(DEPDIR)/test_runner-test_utils.Tpo -c -o test_runner-test_utils.obj `if test -f 'test_utils.c'; then $(CYGPATH_W) 'test_utils.c'; else $(CYGPATH_W) '$(srcdir)/test_utils.c'; fi`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/test_runner-test_utils.Tpo $(DEPDIR)/test_runner-test_utils.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='test_utils.c' object='test_runner-test_utils.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -c -o test_runner-test_utils.obj `if test -f 'test_utils.c'; then $(CYGPATH_W) 'test_utils.c'; else $(CYGPATH_W) '$(srcdir)/test_utils.c'; fi`
+
+test_runner-test_vectors.o: test_vectors.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -MT test_runner-test_vectors.o -MD -MP -MF $(DEPDIR)/test_runner-test_vectors.Tpo -c -o test_runner-test_vectors.o `test -f 'test_vectors.c' || echo '$(srcdir)/'`test_vectors.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/test_runner-test_vectors.Tpo $(DEPDIR)/test_runner-test_vectors.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='test_vectors.c' object='test_runner-test_vectors.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -c -o test_runner-test_vectors.o `test -f 'test_vectors.c' || echo '$(srcdir)/'`test_vectors.c
+
+test_runner-test_vectors.obj: test_vectors.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -MT test_runner-test_vectors.obj -MD -MP -MF $(DEPDIR)/test_runner-test_vectors.Tpo -c -o test_runner-test_vectors.obj `if test -f 'test_vectors.c'; then $(CYGPATH_W) 'test_vectors.c'; else $(CYGPATH_W) '$(srcdir)/test_vectors.c'; fi`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/test_runner-test_vectors.Tpo $(DEPDIR)/test_runner-test_vectors.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='test_vectors.c' object='test_runner-test_vectors.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -c -o test_runner-test_vectors.obj `if test -f 'test_vectors.c'; then $(CYGPATH_W) 'test_vectors.c'; else $(CYGPATH_W) '$(srcdir)/test_vectors.c'; fi`
+
+test_runner-test_array.o: test_array.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -MT test_runner-test_array.o -MD -MP -MF $(DEPDIR)/test_runner-test_array.Tpo -c -o test_runner-test_array.o `test -f 'test_array.c' || echo '$(srcdir)/'`test_array.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/test_runner-test_array.Tpo $(DEPDIR)/test_runner-test_array.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='test_array.c' object='test_runner-test_array.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -c -o test_runner-test_array.o `test -f 'test_array.c' || echo '$(srcdir)/'`test_array.c
+
+test_runner-test_array.obj: test_array.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -MT test_runner-test_array.obj -MD -MP -MF $(DEPDIR)/test_runner-test_array.Tpo -c -o test_runner-test_array.obj `if test -f 'test_array.c'; then $(CYGPATH_W) 'test_array.c'; else $(CYGPATH_W) '$(srcdir)/test_array.c'; fi`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/test_runner-test_array.Tpo $(DEPDIR)/test_runner-test_array.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='test_array.c' object='test_runner-test_array.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -c -o test_runner-test_array.obj `if test -f 'test_array.c'; then $(CYGPATH_W) 'test_array.c'; else $(CYGPATH_W) '$(srcdir)/test_array.c'; fi`
+
+test_runner-test_ecdsa.o: test_ecdsa.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -MT test_runner-test_ecdsa.o -MD -MP -MF $(DEPDIR)/test_runner-test_ecdsa.Tpo -c -o test_runner-test_ecdsa.o `test -f 'test_ecdsa.c' || echo '$(srcdir)/'`test_ecdsa.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/test_runner-test_ecdsa.Tpo $(DEPDIR)/test_runner-test_ecdsa.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='test_ecdsa.c' object='test_runner-test_ecdsa.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -c -o test_runner-test_ecdsa.o `test -f 'test_ecdsa.c' || echo '$(srcdir)/'`test_ecdsa.c
+
+test_runner-test_ecdsa.obj: test_ecdsa.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -MT test_runner-test_ecdsa.obj -MD -MP -MF $(DEPDIR)/test_runner-test_ecdsa.Tpo -c -o test_runner-test_ecdsa.obj `if test -f 'test_ecdsa.c'; then $(CYGPATH_W) 'test_ecdsa.c'; else $(CYGPATH_W) '$(srcdir)/test_ecdsa.c'; fi`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/test_runner-test_ecdsa.Tpo $(DEPDIR)/test_runner-test_ecdsa.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='test_ecdsa.c' object='test_runner-test_ecdsa.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -c -o test_runner-test_ecdsa.obj `if test -f 'test_ecdsa.c'; then $(CYGPATH_W) 'test_ecdsa.c'; else $(CYGPATH_W) '$(srcdir)/test_ecdsa.c'; fi`
+
+test_runner-test_rsa.o: test_rsa.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -MT test_runner-test_rsa.o -MD -MP -MF $(DEPDIR)/test_runner-test_rsa.Tpo -c -o test_runner-test_rsa.o `test -f 'test_rsa.c' || echo '$(srcdir)/'`test_rsa.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/test_runner-test_rsa.Tpo $(DEPDIR)/test_runner-test_rsa.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='test_rsa.c' object='test_runner-test_rsa.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -c -o test_runner-test_rsa.o `test -f 'test_rsa.c' || echo '$(srcdir)/'`test_rsa.c
+
+test_runner-test_rsa.obj: test_rsa.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -MT test_runner-test_rsa.obj -MD -MP -MF $(DEPDIR)/test_runner-test_rsa.Tpo -c -o test_runner-test_rsa.obj `if test -f 'test_rsa.c'; then $(CYGPATH_W) 'test_rsa.c'; else $(CYGPATH_W) '$(srcdir)/test_rsa.c'; fi`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/test_runner-test_rsa.Tpo $(DEPDIR)/test_runner-test_rsa.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='test_rsa.c' object='test_runner-test_rsa.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -c -o test_runner-test_rsa.obj `if test -f 'test_rsa.c'; then $(CYGPATH_W) 'test_rsa.c'; else $(CYGPATH_W) '$(srcdir)/test_rsa.c'; fi`
+
+test_runner-test_host.o: test_host.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -MT test_runner-test_host.o -MD -MP -MF $(DEPDIR)/test_runner-test_host.Tpo -c -o test_runner-test_host.o `test -f 'test_host.c' || echo '$(srcdir)/'`test_host.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/test_runner-test_host.Tpo $(DEPDIR)/test_runner-test_host.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='test_host.c' object='test_runner-test_host.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -c -o test_runner-test_host.o `test -f 'test_host.c' || echo '$(srcdir)/'`test_host.c
+
+test_runner-test_host.obj: test_host.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -MT test_runner-test_host.obj -MD -MP -MF $(DEPDIR)/test_runner-test_host.Tpo -c -o test_runner-test_host.obj `if test -f 'test_host.c'; then $(CYGPATH_W) 'test_host.c'; else $(CYGPATH_W) '$(srcdir)/test_host.c'; fi`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/test_runner-test_host.Tpo $(DEPDIR)/test_runner-test_host.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='test_host.c' object='test_runner-test_host.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -c -o test_runner-test_host.obj `if test -f 'test_host.c'; then $(CYGPATH_W) 'test_host.c'; else $(CYGPATH_W) '$(srcdir)/test_host.c'; fi`
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	mkid -fID $$unique
+tags: TAGS
+
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	set x; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	shift; \
+	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
+	  test -n "$$unique" || unique=$$empty_fix; \
+	  if test $$# -gt 0; then \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      "$$@" $$unique; \
+	  else \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      $$unique; \
+	  fi; \
+	fi
+ctags: CTAGS
+CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	test -z "$(CTAGS_ARGS)$$unique" \
+	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+	     $$unique
+
+GTAGS:
+	here=`$(am__cd) $(top_builddir) && pwd` \
+	  && $(am__cd) $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) "$$here"
+
+distclean-tags:
+	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+check-TESTS: $(TESTS)
+	@failed=0; all=0; xfail=0; xpass=0; skip=0; \
+	srcdir=$(srcdir); export srcdir; \
+	list=' $(TESTS) '; \
+	$(am__tty_colors); \
+	if test -n "$$list"; then \
+	  for tst in $$list; do \
+	    if test -f ./$$tst; then dir=./; \
+	    elif test -f $$tst; then dir=; \
+	    else dir="$(srcdir)/"; fi; \
+	    if $(TESTS_ENVIRONMENT) $${dir}$$tst; then \
+	      all=`expr $$all + 1`; \
+	      case " $(XFAIL_TESTS) " in \
+	      *[\ \	]$$tst[\ \	]*) \
+		xpass=`expr $$xpass + 1`; \
+		failed=`expr $$failed + 1`; \
+		col=$$red; res=XPASS; \
+	      ;; \
+	      *) \
+		col=$$grn; res=PASS; \
+	      ;; \
+	      esac; \
+	    elif test $$? -ne 77; then \
+	      all=`expr $$all + 1`; \
+	      case " $(XFAIL_TESTS) " in \
+	      *[\ \	]$$tst[\ \	]*) \
+		xfail=`expr $$xfail + 1`; \
+		col=$$lgn; res=XFAIL; \
+	      ;; \
+	      *) \
+		failed=`expr $$failed + 1`; \
+		col=$$red; res=FAIL; \
+	      ;; \
+	      esac; \
+	    else \
+	      skip=`expr $$skip + 1`; \
+	      col=$$blu; res=SKIP; \
+	    fi; \
+	    echo "$${col}$$res$${std}: $$tst"; \
+	  done; \
+	  if test "$$all" -eq 1; then \
+	    tests="test"; \
+	    All=""; \
+	  else \
+	    tests="tests"; \
+	    All="All "; \
+	  fi; \
+	  if test "$$failed" -eq 0; then \
+	    if test "$$xfail" -eq 0; then \
+	      banner="$$All$$all $$tests passed"; \
+	    else \
+	      if test "$$xfail" -eq 1; then failures=failure; else failures=failures; fi; \
+	      banner="$$All$$all $$tests behaved as expected ($$xfail expected $$failures)"; \
+	    fi; \
+	  else \
+	    if test "$$xpass" -eq 0; then \
+	      banner="$$failed of $$all $$tests failed"; \
+	    else \
+	      if test "$$xpass" -eq 1; then passes=pass; else passes=passes; fi; \
+	      banner="$$failed of $$all $$tests did not behave as expected ($$xpass unexpected $$passes)"; \
+	    fi; \
+	  fi; \
+	  dashes="$$banner"; \
+	  skipped=""; \
+	  if test "$$skip" -ne 0; then \
+	    if test "$$skip" -eq 1; then \
+	      skipped="($$skip test was not run)"; \
+	    else \
+	      skipped="($$skip tests were not run)"; \
+	    fi; \
+	    test `echo "$$skipped" | wc -c` -le `echo "$$banner" | wc -c` || \
+	      dashes="$$skipped"; \
+	  fi; \
+	  report=""; \
+	  if test "$$failed" -ne 0 && test -n "$(PACKAGE_BUGREPORT)"; then \
+	    report="Please report to $(PACKAGE_BUGREPORT)"; \
+	    test `echo "$$report" | wc -c` -le `echo "$$banner" | wc -c` || \
+	      dashes="$$report"; \
+	  fi; \
+	  dashes=`echo "$$dashes" | sed s/./=/g`; \
+	  if test "$$failed" -eq 0; then \
+	    col="$$grn"; \
+	  else \
+	    col="$$red"; \
+	  fi; \
+	  echo "$${col}$$dashes$${std}"; \
+	  echo "$${col}$$banner$${std}"; \
+	  test -z "$$skipped" || echo "$${col}$$skipped$${std}"; \
+	  test -z "$$report" || echo "$${col}$$report$${std}"; \
+	  echo "$${col}$$dashes$${std}"; \
+	  test "$$failed" -eq 0; \
+	else :; fi
+
+distdir: $(DISTFILES)
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
+	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d "$(distdir)/$$file"; then \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
+	  else \
+	    test -f "$(distdir)/$$file" \
+	    || cp -p $$d/$$file "$(distdir)/$$file" \
+	    || exit 1; \
+	  fi; \
+	done
+check-am: all-am
+	$(MAKE) $(AM_MAKEFLAGS) $(check_PROGRAMS)
+	$(MAKE) $(AM_MAKEFLAGS) check-TESTS
+check: check-am
+all-am: Makefile
+installdirs:
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
+
+maintainer-clean-generic:
+	@echo "This command is intended for maintainers to use"
+	@echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-checkPROGRAMS clean-generic clean-libtool \
+	mostlyclean-am
+
+distclean: distclean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+	distclean-tags
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+html-am:
+
+info: info-am
+
+info-am:
+
+install-data-am:
+
+install-dvi: install-dvi-am
+
+install-dvi-am:
+
+install-exec-am:
+
+install-html: install-html-am
+
+install-html-am:
+
+install-info: install-info-am
+
+install-info-am:
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-pdf-am:
+
+install-ps: install-ps-am
+
+install-ps-am:
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+	mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am:
+
+.MAKE: check-am install-am install-strip
+
+.PHONY: CTAGS GTAGS all all-am check check-TESTS check-am clean \
+	clean-checkPROGRAMS clean-generic clean-libtool ctags \
+	distclean distclean-compile distclean-generic \
+	distclean-libtool distclean-tags distdir dvi dvi-am html \
+	html-am info info-am install install-am install-data \
+	install-data-am install-dvi install-dvi-am install-exec \
+	install-exec-am install-html install-html-am install-info \
+	install-info-am install-man install-pdf install-pdf-am \
+	install-ps install-ps-am install-strip installcheck \
+	installcheck-am installdirs maintainer-clean \
+	maintainer-clean-generic mostlyclean mostlyclean-compile \
+	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
+	tags uninstall uninstall-am
+
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/src/libstrongswan/tests/test_array.c b/src/libstrongswan/tests/test_array.c
new file mode 100644
index 000000000..2220d5a2b
--- /dev/null
+++ b/src/libstrongswan/tests/test_array.c
@@ -0,0 +1,360 @@
+/*
+ * Copyright (C) 2013 Martin Willi
+ * Copyright (C) 2013 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "test_suite.h"
+
+#include <collections/array.h>
+
+START_TEST(test_append_ptr)
+{
+	array_t *array;
+	uintptr_t x;
+	int i;
+
+	array = array_create(0, 0);
+
+	for (i = 0; i < 4; i++)
+	{
+		ck_assert_int_eq(array_count(array), 0);
+
+		array_insert(array, ARRAY_HEAD, (void*)(uintptr_t)3);
+		array_insert(array, ARRAY_TAIL, (void*)(uintptr_t)4);
+		ck_assert_int_eq(array_count(array), 2);
+
+		/* 3, 4 */
+
+		array_insert(array, ARRAY_HEAD, (void*)(uintptr_t)1);
+		array_insert(array, 1, (void*)(uintptr_t)2);
+		ck_assert_int_eq(array_count(array), 4);
+
+		/* 1, 2, 3, 4 */
+
+		array_insert(array, ARRAY_TAIL, (void*)(uintptr_t)5);
+		array_insert(array, ARRAY_HEAD, (void*)(uintptr_t)0);
+		ck_assert_int_eq(array_count(array), 6);
+
+		/* 0, 1, 2, 3, 4, 5 */
+
+		ck_assert(array_remove(array, ARRAY_TAIL, &x));
+		ck_assert_int_eq(x, 5);
+		ck_assert(array_remove(array, 4, &x));
+		ck_assert_int_eq(x, 4);
+
+		if (i < 3)
+		{
+			array_compress(array);
+		}
+
+		/* 0, 1, 2, 3 */
+
+		ck_assert(array_remove(array, 1, &x));
+		ck_assert_int_eq(x, 1);
+		ck_assert(array_remove(array, ARRAY_HEAD, &x));
+		ck_assert_int_eq(x, 0);
+
+		if (i < 2)
+		{
+			array_compress(array);
+		}
+
+		/* 2, 3 */
+
+		ck_assert(array_remove(array, ARRAY_TAIL, &x));
+		ck_assert_int_eq(x, 3);
+		ck_assert(array_remove(array, ARRAY_TAIL, &x));
+		ck_assert_int_eq(x, 2);
+
+		if (i < 1)
+		{
+			array_compress(array);
+		}
+
+		ck_assert_int_eq(array_count(array), 0);
+
+		ck_assert(array_remove(array, ARRAY_HEAD, NULL) == FALSE);
+		ck_assert(array_remove(array, ARRAY_TAIL, NULL) == FALSE);
+	}
+
+	array_destroy(array);
+}
+END_TEST
+
+START_TEST(test_append_obj)
+{
+	array_t *array;
+	int i, x, y[6] = {0, 1, 2, 3, 4, 5};
+
+	array = array_create(sizeof(y[0]), 0);
+
+	for (i = 0; i < 4; i++)
+	{
+		ck_assert_int_eq(array_count(array), 0);
+
+		array_insert(array, ARRAY_HEAD, &y[3]);
+		array_insert(array, ARRAY_TAIL, &y[4]);
+		ck_assert_int_eq(array_count(array), 2);;
+
+		/* 3, 4 */
+
+		array_insert(array, ARRAY_HEAD, &y[1]);
+		array_insert(array, 1, &y[2]);
+		ck_assert_int_eq(array_count(array), 4);
+
+		/* 1, 2, 3, 4 */
+
+		array_insert(array, ARRAY_TAIL, &y[5]);
+		array_insert(array, ARRAY_HEAD, &y[0]);
+		ck_assert_int_eq(array_count(array), 6);
+
+		/* 0, 1, 2, 3, 4, 5 */
+
+		ck_assert(array_remove(array, ARRAY_TAIL, &x));
+		ck_assert_int_eq(x, 5);
+		ck_assert(array_remove(array, 4, &x));
+		ck_assert_int_eq(x, 4);
+
+		if (i < 3)
+		{
+			array_compress(array);
+		}
+
+		/* 0, 1, 2, 3 */
+
+		ck_assert(array_remove(array, ARRAY_HEAD, &x));
+		ck_assert_int_eq(x, 0);
+		ck_assert(array_remove(array, ARRAY_HEAD, &x));
+		ck_assert_int_eq(x, 1);
+
+		if (i < 2)
+		{
+			array_compress(array);
+		}
+
+		/* 2, 3 */
+
+		ck_assert(array_remove(array, ARRAY_TAIL, &x));
+		ck_assert_int_eq(x, 3);
+		ck_assert(array_remove(array, ARRAY_HEAD, &x));
+		ck_assert_int_eq(x, 2);
+
+		if (i < 1)
+		{
+			array_compress(array);
+		}
+
+		ck_assert_int_eq(array_count(array), 0);
+
+		ck_assert(array_remove(array, ARRAY_HEAD, NULL) == FALSE);
+		ck_assert(array_remove(array, ARRAY_TAIL, NULL) == FALSE);
+	}
+
+	array_destroy(array);
+}
+END_TEST
+
+START_TEST(test_enumerate)
+{
+	array_t *array;
+	int i, *x, y[6] = {0, 1, 2, 3, 4, 5};
+	enumerator_t *enumerator;
+
+	array = array_create(sizeof(y[0]), 0);
+
+	array_insert(array, ARRAY_TAIL, &y[0]);
+	array_insert(array, ARRAY_TAIL, &y[1]);
+	array_insert(array, ARRAY_TAIL, &y[2]);
+	array_insert(array, ARRAY_TAIL, &y[3]);
+	array_insert(array, ARRAY_TAIL, &y[4]);
+	array_insert(array, ARRAY_TAIL, &y[5]);
+
+	ck_assert_int_eq(array_count(array), 6);
+
+	/* 0, 1, 2, 3, 4, 5 */
+
+	i = 0;
+	enumerator = array_create_enumerator(array);
+	while (enumerator->enumerate(enumerator, &x))
+	{
+		ck_assert_int_eq(*x, y[i]);
+		i++;
+	}
+	enumerator->destroy(enumerator);
+	ck_assert_int_eq(i, 6);
+
+	i = 0;
+	enumerator = array_create_enumerator(array);
+	while (enumerator->enumerate(enumerator, &x))
+	{
+		ck_assert_int_eq(*x, y[i]);
+		if (i == 0 || i == 3 || i == 5)
+		{
+			array_remove_at(array, enumerator);
+		}
+		i++;
+	}
+	enumerator->destroy(enumerator);
+	ck_assert_int_eq(i, 6);
+	ck_assert_int_eq(array_count(array), 3);
+
+	/* 1, 2, 4 */
+
+	i = 0;
+	enumerator = array_create_enumerator(array);
+	while (enumerator->enumerate(enumerator, &x))
+	{
+		switch (i++)
+		{
+			case 0:
+				ck_assert_int_eq(*x, y[1]);
+				break;
+			case 1:
+				ck_assert_int_eq(*x, y[2]);
+				break;
+			case 2:
+				ck_assert_int_eq(*x, y[4]);
+				break;
+			default:
+				ck_assert(0);
+		}
+	}
+	enumerator->destroy(enumerator);
+
+	array_compress(array);
+
+	i = 0;
+	enumerator = array_create_enumerator(array);
+	while (enumerator->enumerate(enumerator, &x))
+	{
+		switch (i++)
+		{
+			case 0:
+				ck_assert_int_eq(*x, y[1]);
+				break;
+			case 1:
+				ck_assert_int_eq(*x, y[2]);
+				break;
+			case 2:
+				ck_assert_int_eq(*x, y[4]);
+				break;
+			default:
+				ck_assert(0);
+		}
+	}
+	enumerator->destroy(enumerator);
+
+	array_destroy(array);
+}
+END_TEST
+
+static void invoke(void *data, int idx, void *user)
+{
+	int *y = user, *x = data;
+
+	ck_assert(idx < 3);
+
+	ck_assert_int_eq(y[idx], *x);
+	y[idx] = 0;
+}
+
+START_TEST(test_invoke)
+{
+	array_t *array;
+	int y[] = {1, 2, 3};
+
+	array = array_create(sizeof(y[0]), 0);
+
+	array_insert(array, ARRAY_TAIL, &y[0]);
+	array_insert(array, ARRAY_TAIL, &y[1]);
+	array_insert(array, ARRAY_TAIL, &y[2]);
+
+	array_invoke(array, invoke, y);
+
+	ck_assert_int_eq(y[0], 0);
+	ck_assert_int_eq(y[0], 0);
+	ck_assert_int_eq(y[0], 0);
+
+	array_destroy(array);
+}
+END_TEST
+
+typedef struct obj_t obj_t;
+
+struct obj_t {
+	void (*fun)(obj_t *obj);
+	int x;
+	int *counter;
+};
+
+static void fun(obj_t *obj)
+{
+	ck_assert(obj->x == (*obj->counter)++);
+}
+
+START_TEST(test_invoke_offset)
+{
+	array_t *array;
+	obj_t objs[5];
+	int i, counter = 0;
+
+	array = array_create(0, 0);
+
+	for (i = 0; i < countof(objs); i++)
+	{
+		objs[i].x = i;
+		objs[i].counter = &counter;
+		objs[i].fun = fun;
+
+		array_insert(array, ARRAY_TAIL, &objs[i]);
+	}
+
+	ck_assert_int_eq(countof(objs), array_count(array));
+
+	array_invoke_offset(array, offsetof(obj_t, fun));
+
+	ck_assert_int_eq(counter, countof(objs));
+
+	array_destroy(array);
+}
+END_TEST
+
+Suite *array_suite_create()
+{
+	Suite *s;
+	TCase *tc;
+
+	s = suite_create("array");
+
+	tc = tcase_create("add/remove ptr");
+	tcase_add_test(tc, test_append_ptr);
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("add/remove obj");
+	tcase_add_test(tc, test_append_obj);
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("enumerate");
+	tcase_add_test(tc, test_enumerate);
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("invoke");
+	tcase_add_test(tc, test_invoke);
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("invoke offset");
+	tcase_add_test(tc, test_invoke_offset);
+	suite_add_tcase(s, tc);
+
+	return s;
+}
diff --git a/src/libstrongswan/tests/test_bio_reader.c b/src/libstrongswan/tests/test_bio_reader.c
new file mode 100644
index 000000000..45b20db00
--- /dev/null
+++ b/src/libstrongswan/tests/test_bio_reader.c
@@ -0,0 +1,450 @@
+/*
+ * Copyright (C) 2013 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "test_suite.h"
+
+#include <bio/bio_reader.h>
+
+/*******************************************************************************
+ * different integer reads
+ */
+
+#define assert_integer_read(data, bits, val) ({ \
+	bio_reader_t *reader = bio_reader_create(data); \
+	typeof(val) i; \
+	for (i = 0; reader->remaining(reader) >= (bits / 8); i++) \
+	{ \
+		ck_assert(reader->read_uint##bits(reader, &val)); \
+		ck_assert_int_eq(i, val); \
+	} \
+	ck_assert_int_eq(i, data.len / (bits / 8)); \
+	ck_assert_int_eq(reader->remaining(reader), data.len % (bits / 8)); \
+	ck_assert(!reader->read_uint##bits(reader, &val)); \
+	reader->destroy(reader); \
+})
+
+#define assert_integer_read_uneven(data, bits, val) ({ \
+	int i; \
+	for (i = 0; i <= bits / 8; i++, data.len++) \
+	{ \
+		assert_integer_read(data, bits, val); \
+	} \
+})
+
+#define assert_basic_read(bits, val) ({ \
+	chunk_t data; \
+	data = chunk_empty; \
+	assert_integer_read(data, bits, val); \
+	data = chunk_alloca(bits / 8); \
+	memset(data.ptr, 0, data.len); \
+	data.len = 0; \
+	assert_integer_read_uneven(data, bits, val); \
+})
+
+#define assert_extended_read(data, bits, val) ({ \
+	chunk_t extended = chunk_alloca(data.len + bits / 8); \
+	memset(extended.ptr, 0, extended.len); \
+	extended.ptr[extended.len - 1] = data.len / (bits / 8); \
+	memcpy(extended.ptr, data.ptr, data.len); \
+	extended.len = data.len; \
+	assert_integer_read_uneven(extended, bits, val); \
+})
+
+START_TEST(test_read_uint8)
+{
+	chunk_t data = chunk_from_chars(0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07);
+	u_int8_t val;
+
+	assert_integer_read(data, 8, val);
+	assert_basic_read(8, val);
+	assert_extended_read(data, 8, val);
+}
+END_TEST
+
+START_TEST(test_read_uint16)
+{
+	chunk_t data = chunk_from_chars(0x00, 0x00, 0x00, 0x01, 0x00, 0x02, 0x00, 0x03);
+	u_int16_t val;
+
+	assert_integer_read(data, 16, val);
+	assert_basic_read(16, val);
+	assert_extended_read(data, 16, val);
+}
+END_TEST
+
+START_TEST(test_read_uint24)
+{
+	chunk_t data = chunk_from_chars(0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x02, 0x00, 0x00, 0x03);
+	u_int32_t val;
+
+	assert_integer_read(data, 24, val);
+	assert_basic_read(24, val);
+	assert_extended_read(data, 24, val);
+}
+END_TEST
+
+START_TEST(test_read_uint32)
+{
+	chunk_t data = chunk_from_chars(0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
+									0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x03);
+	u_int32_t val;
+
+	assert_integer_read(data, 32, val);
+	assert_basic_read(32, val);
+	assert_extended_read(data, 32, val);
+}
+END_TEST
+
+START_TEST(test_read_uint64)
+{
+	chunk_t data = chunk_from_chars(0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+									0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
+									0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02,
+									0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03);
+	u_int64_t val;
+
+	assert_integer_read(data, 64, val);
+	assert_basic_read(64, val);
+	assert_extended_read(data, 64, val);
+}
+END_TEST
+
+/*******************************************************************************
+ * different integer reads from the end of a buffer
+ */
+
+#define assert_integer_read_end(data, bits, val) ({ \
+	bio_reader_t *reader = bio_reader_create(data); \
+	typeof(val) i; \
+	for (i = 0; reader->remaining(reader) >= (bits / 8); i++) \
+	{ \
+		ck_assert(reader->read_uint##bits##_end(reader, &val)); \
+		ck_assert_int_eq(i, val); \
+	} \
+	ck_assert_int_eq(i, data.len / (bits / 8)); \
+	ck_assert_int_eq(reader->remaining(reader), data.len % (bits / 8)); \
+	ck_assert(!reader->read_uint##bits##_end(reader, &val)); \
+	reader->destroy(reader); \
+})
+
+#define assert_integer_read_end_uneven(data, bits, val) ({ \
+	int i; \
+	data.ptr += bits / 8; \
+	for (i = 0; i <= bits / 8; i++, data.ptr--, data.len++) \
+	{ \
+		assert_integer_read_end(data, bits, val); \
+	} \
+})
+
+#define assert_basic_read_end(bits, val) ({ \
+	chunk_t data; \
+	data = chunk_empty; \
+	assert_integer_read_end(data, bits, val); \
+	data = chunk_alloca(bits / 8); \
+	memset(data.ptr, 0, data.len); \
+	data.len = 0; \
+	assert_integer_read_end_uneven(data, bits, val); \
+})
+
+#define assert_extended_read_end(data, bits, val) ({ \
+	chunk_t extended = chunk_alloca(data.len + bits / 8); \
+	memset(extended.ptr, 0, extended.len); \
+	extended.ptr[bits / 8 - 1] = data.len / (bits / 8); \
+	memcpy(extended.ptr + bits / 8, data.ptr, data.len); \
+	extended.len = data.len; \
+	assert_integer_read_end_uneven(extended, bits, val); \
+})
+
+START_TEST(test_read_uint8_end)
+{
+	chunk_t data = chunk_from_chars(0x07, 0x06, 0x05, 0x04, 0x03, 0x02, 0x01, 0x00);
+	u_int8_t val;
+
+	assert_integer_read_end(data, 8, val);
+	assert_basic_read_end(8, val);
+	assert_extended_read_end(data, 8, val);
+}
+END_TEST
+
+START_TEST(test_read_uint16_end)
+{
+	chunk_t data = chunk_from_chars(0x00, 0x03, 0x00, 0x02, 0x00, 0x01, 0x00, 0x00);
+	u_int16_t val;
+
+	assert_integer_read_end(data, 16, val);
+	assert_basic_read_end(16, val);
+	assert_extended_read_end(data, 16, val);
+}
+END_TEST
+
+START_TEST(test_read_uint24_end)
+{
+	chunk_t data = chunk_from_chars(0x00, 0x00, 0x03, 0x00, 0x00, 0x02, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00);
+	u_int32_t val;
+
+	assert_integer_read_end(data, 24, val);
+	assert_basic_read_end(24, val);
+	assert_extended_read_end(data, 24, val);
+}
+END_TEST
+
+START_TEST(test_read_uint32_end)
+{
+	chunk_t data = chunk_from_chars(0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x02,
+									0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00);
+	u_int32_t val;
+
+	assert_integer_read_end(data, 32, val);
+	assert_basic_read_end(32, val);
+	assert_extended_read_end(data, 32, val);
+}
+END_TEST
+
+START_TEST(test_read_uint64_end)
+{
+	chunk_t data = chunk_from_chars(0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03,
+									0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02,
+									0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
+									0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00);
+	u_int64_t val;
+
+	assert_integer_read_end(data, 64, val);
+	assert_basic_read_end(64, val);
+	assert_extended_read_end(data, 64, val);
+}
+END_TEST
+
+/*******************************************************************************
+ * read data
+ */
+
+static inline void assert_reader_after_read(bio_reader_t *reader, chunk_t data)
+{
+	chunk_t peek;
+
+	ck_assert_int_eq(reader->remaining(reader), data.len);
+	peek = reader->peek(reader);
+	ck_assert_int_eq(reader->remaining(reader), data.len);
+	ck_assert(peek.ptr == data.ptr);
+	data.ptr != NULL ? ck_assert(chunk_equals(peek, data))
+					 : ck_assert(peek.ptr == NULL);
+}
+
+START_TEST(test_read_data)
+{
+	chunk_t read, data = chunk_from_chars(0x00, 0x00, 0x00, 0x00);
+	bio_reader_t *reader;
+
+	reader = bio_reader_create(chunk_empty);
+	ck_assert_int_eq(reader->remaining(reader), 0);
+	ck_assert(reader->read_data(reader, 0, &read));
+	ck_assert(!reader->read_data(reader, 1, &read));
+	reader->destroy(reader);
+
+	reader = bio_reader_create(data);
+	ck_assert(reader->read_data(reader, 0, &read));
+	ck_assert_int_eq(read.len, 0);
+	ck_assert(read.ptr == data.ptr);
+	assert_reader_after_read(reader, data);
+
+	ck_assert(reader->read_data(reader, 1, &read));
+	ck_assert_int_eq(read.len, 1);
+	ck_assert(read.ptr == data.ptr);
+	assert_reader_after_read(reader, chunk_skip(data, 1));
+
+	ck_assert(reader->read_data(reader, 2, &read));
+	ck_assert_int_eq(read.len, 2);
+	ck_assert(read.ptr == data.ptr + 1);
+	assert_reader_after_read(reader, chunk_skip(data, 3));
+
+	ck_assert(!reader->read_data(reader, 2, &read));
+	ck_assert(reader->read_data(reader, 1, &read));
+	ck_assert_int_eq(read.len, 1);
+	ck_assert(read.ptr == data.ptr + 3);
+	assert_reader_after_read(reader, chunk_skip(data, 4));
+
+	ck_assert_int_eq(reader->remaining(reader), 0);
+	ck_assert(reader->read_data(reader, 0, &read));
+	ck_assert(!reader->read_data(reader, 1, &read));
+	reader->destroy(reader);
+}
+END_TEST
+
+START_TEST(test_read_data_end)
+{
+	chunk_t read, data = chunk_from_chars(0x00, 0x00, 0x00, 0x00);
+	bio_reader_t *reader;
+
+	reader = bio_reader_create(chunk_empty);
+	ck_assert_int_eq(reader->remaining(reader), 0);
+	ck_assert(reader->read_data_end(reader, 0, &read));
+	ck_assert(!reader->read_data_end(reader, 1, &read));
+	reader->destroy(reader);
+
+	reader = bio_reader_create(data);
+	ck_assert(reader->read_data_end(reader, 0, &read));
+	ck_assert_int_eq(read.len, 0);
+	ck_assert(read.ptr == data.ptr + data.len);
+	assert_reader_after_read(reader, data);
+
+	ck_assert(reader->read_data_end(reader, 1, &read));
+	ck_assert_int_eq(read.len, 1);
+	data.len--;
+	ck_assert(read.ptr == data.ptr + data.len);
+	assert_reader_after_read(reader, data);
+
+	ck_assert(reader->read_data_end(reader, 2, &read));
+	ck_assert_int_eq(read.len, 2);
+	data.len -= 2;
+	ck_assert(read.ptr == data.ptr + data.len);
+	assert_reader_after_read(reader, data);
+
+	ck_assert(!reader->read_data(reader, 2, &read));
+	ck_assert(reader->read_data(reader, 1, &read));
+	ck_assert_int_eq(read.len, 1);
+	ck_assert(read.ptr == data.ptr);
+	assert_reader_after_read(reader, chunk_empty);
+
+	ck_assert_int_eq(reader->remaining(reader), 0);
+	ck_assert(reader->read_data(reader, 0, &read));
+	ck_assert(!reader->read_data(reader, 1, &read));
+	reader->destroy(reader);
+}
+END_TEST
+
+/*******************************************************************************
+ * read length followed by data
+ */
+
+#define assert_read_data_len(bits) ({ \
+ 	bio_reader_t *reader; \
+	chunk_t read, data; \
+	int i, len = bits / 8; \
+	data = chunk_empty; \
+	reader = bio_reader_create(data); \
+	ck_assert(!reader->read_data##bits(reader, &read)); \
+	reader->destroy(reader); \
+	data = chunk_alloca(len + 8); \
+	memset(data.ptr, 0, data.len); \
+	for (i = 0; i <= 8; i++) \
+	{ \
+		data.ptr[len - 1] = i; \
+		data.len = len + i; \
+		reader = bio_reader_create(data); \
+		ck_assert(reader->read_data##bits(reader, &read)); \
+		ck_assert_int_eq(reader->remaining(reader), 0); \
+		ck_assert_int_eq(read.len, i); \
+		ck_assert((!read.ptr && !read.len) || (read.ptr == data.ptr + len)); \
+		reader->destroy(reader); \
+	} \
+	data.ptr[len - 1] = i; \
+	reader = bio_reader_create(data); \
+	ck_assert(!reader->read_data##bits(reader, &read)); \
+	reader->destroy(reader); \
+})
+
+START_TEST(test_read_data8)
+{
+	assert_read_data_len(8);
+}
+END_TEST
+
+START_TEST(test_read_data16)
+{
+	assert_read_data_len(16);
+}
+END_TEST
+
+START_TEST(test_read_data24)
+{
+	assert_read_data_len(24);
+}
+END_TEST
+
+START_TEST(test_read_data32)
+{
+	assert_read_data_len(32);
+}
+END_TEST
+
+/*******************************************************************************
+ * test constructors
+ */
+
+START_TEST(test_create)
+{
+	chunk_t data = chunk_from_str("foobar");
+	bio_reader_t *reader;
+
+	data = chunk_clone(data);
+	reader = bio_reader_create(data);
+	reader->destroy(reader);
+	chunk_free(&data);
+}
+END_TEST
+
+START_TEST(test_create_own)
+{
+	chunk_t data = chunk_from_str("foobar");
+	bio_reader_t *reader;
+
+	data = chunk_clone(data);
+	reader = bio_reader_create_own(data);
+	reader->destroy(reader);
+}
+END_TEST
+
+Suite *bio_reader_suite_create()
+{
+	Suite *s;
+	TCase *tc;
+
+	s = suite_create("bio_reader");
+
+	tc = tcase_create("integer reads");
+	tcase_add_test(tc, test_read_uint8);
+	tcase_add_test(tc, test_read_uint16);
+	tcase_add_test(tc, test_read_uint24);
+	tcase_add_test(tc, test_read_uint32);
+	tcase_add_test(tc, test_read_uint64);
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("integer reads from end");
+	tcase_add_test(tc, test_read_uint8_end);
+	tcase_add_test(tc, test_read_uint16_end);
+	tcase_add_test(tc, test_read_uint24_end);
+	tcase_add_test(tc, test_read_uint32_end);
+	tcase_add_test(tc, test_read_uint64_end);
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("data reads and peek");
+	tcase_add_test(tc, test_read_data);
+	tcase_add_test(tc, test_read_data_end);
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("data length reads");
+	tcase_add_test(tc, test_read_data8);
+	tcase_add_test(tc, test_read_data16);
+	tcase_add_test(tc, test_read_data24);
+	tcase_add_test(tc, test_read_data32);
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("constructors");
+	tcase_add_test(tc, test_create);
+	tcase_add_test(tc, test_create_own);
+	suite_add_tcase(s, tc);
+
+	return s;
+}
diff --git a/src/libstrongswan/tests/test_bio_writer.c b/src/libstrongswan/tests/test_bio_writer.c
new file mode 100644
index 000000000..767f17996
--- /dev/null
+++ b/src/libstrongswan/tests/test_bio_writer.c
@@ -0,0 +1,386 @@
+/*
+ * Copyright (C) 2013 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "test_suite.h"
+
+#include <bio/bio_writer.h>
+
+/*******************************************************************************
+ * different integer writes
+ */
+
+static inline void verify_int_buffer(chunk_t data, int bits, int val)
+{
+	size_t i;
+	int len = bits / 8;
+
+	ck_assert_int_eq(data.len, (val + 1) * len);
+	for (i = 0; i < data.len; i++)
+	{
+		(i + 1) % len ? ck_assert_int_eq(data.ptr[i], 0)
+					  : ck_assert_int_eq(data.ptr[i], i / len);
+	}
+}
+
+#define assert_integer_write(init, bits) ({ \
+	int i; \
+	bio_writer_t *writer = bio_writer_create(init); \
+	for (i = 0; i < 16; i++) \
+	{ \
+		writer->write_uint##bits(writer, i); \
+		verify_int_buffer(writer->get_buf(writer), bits, i); \
+	} \
+	writer->destroy(writer); \
+})
+
+START_TEST(test_write_uint8)
+{
+	/* use default buffer (and increase) size */
+	assert_integer_write(0, 8);
+	/* force a resize by the given size */
+	assert_integer_write(1, 8);
+}
+END_TEST
+
+START_TEST(test_write_uint16)
+{
+	assert_integer_write(0, 16);
+	assert_integer_write(1, 16);
+}
+END_TEST
+
+START_TEST(test_write_uint24)
+{
+	assert_integer_write(0, 24);
+	assert_integer_write(1, 24);
+}
+END_TEST
+
+START_TEST(test_write_uint32)
+{
+	assert_integer_write(0, 32);
+	assert_integer_write(1, 32);
+}
+END_TEST
+
+START_TEST(test_write_uint64)
+{
+	assert_integer_write(0, 64);
+	assert_integer_write(1, 64);
+}
+END_TEST
+
+/*******************************************************************************
+ * write data / skip
+ */
+
+static inline void assert_writer_after_write(bio_writer_t *writer, int count)
+{
+	chunk_t buf;
+	size_t i;
+
+	buf = writer->get_buf(writer);
+	ck_assert_int_eq(buf.len, count * 3);
+	for (i = 0; i < buf.len; i++)
+	{
+		ck_assert(buf.ptr[i] == i % 3);
+	}
+}
+
+START_TEST(test_write_data)
+{
+	chunk_t buf, data = chunk_from_chars(0x00, 0x01, 0x02);
+	bio_writer_t *writer;
+
+	/* no allocation, but default buffer size */
+	writer = bio_writer_create(0);
+	buf = writer->get_buf(writer);
+	ck_assert_int_eq(buf.len, 0);
+	ck_assert(buf.ptr == NULL);
+
+	writer->write_data(writer, chunk_empty);
+	buf = writer->get_buf(writer);
+	ck_assert_int_eq(buf.len, 0);
+	ck_assert(buf.ptr == NULL);
+	writer->destroy(writer);
+
+	/* custom buffer size, initial buffer allocated */
+	writer = bio_writer_create(1);
+	buf = writer->get_buf(writer);
+	ck_assert_int_eq(buf.len, 0);
+	ck_assert(buf.ptr != NULL);
+
+	writer->write_data(writer, chunk_empty);
+	buf = writer->get_buf(writer);
+	ck_assert_int_eq(buf.len, 0);
+	ck_assert(buf.ptr != NULL);
+	writer->destroy(writer);
+
+	writer = bio_writer_create(0);
+
+	writer->write_data(writer, data);
+	assert_writer_after_write(writer, 1);
+
+	writer->write_data(writer, data);
+	assert_writer_after_write(writer, 2);
+
+	writer->write_data(writer, data);
+	assert_writer_after_write(writer, 3);
+
+	writer->destroy(writer);
+}
+END_TEST
+
+START_TEST(test_skip)
+{
+	chunk_t skipped, buf, data = chunk_from_chars(0x00, 0x01, 0x02);
+	bio_writer_t *writer;
+
+	writer = bio_writer_create(4);
+	skipped = writer->skip(writer, 3);
+	ck_assert_int_eq(skipped.len, 3);
+	buf = writer->get_buf(writer);
+	ck_assert(skipped.ptr == buf.ptr);
+	memset(skipped.ptr, 0, skipped.len);
+
+	writer->write_data(writer, data);
+	buf = writer->get_buf(writer);
+	ck_assert(chunk_equals(buf, chunk_from_chars(0x00, 0x00, 0x00, 0x00, 0x01, 0x02)));
+	writer->destroy(writer);
+
+	writer = bio_writer_create(1);
+	skipped = writer->skip(writer, 3);
+	memcpy(skipped.ptr, data.ptr, data.len);
+
+	writer->write_data(writer, data);
+	assert_writer_after_write(writer, 2);
+	writer->destroy(writer);
+}
+END_TEST
+
+/*******************************************************************************
+ * write length followed by data
+ */
+
+#define assert_write_data_len(init, bits) ({ \
+ 	bio_writer_t *writer; \
+	chunk_t buf, data; \
+	int i, len = bits / 8; \
+	writer = bio_writer_create(init); \
+	writer->write_data##bits(writer, chunk_empty); \
+	buf = writer->get_buf(writer); \
+	ck_assert_int_eq(buf.len, len); \
+	ck_assert_int_eq(buf.ptr[len - 1], 0); \
+	writer->destroy(writer); \
+	data = chunk_alloca(32); \
+	memset(data.ptr, 0, data.len); \
+	for (i = 0; i < 32; i++) \
+	{ \
+		data.ptr[i] = i; \
+		data.len = i; \
+		writer = bio_writer_create(init); \
+		writer->write_data##bits(writer, data); \
+		buf = writer->get_buf(writer); \
+		ck_assert_int_eq(buf.len, len + i); \
+		ck_assert_int_eq(buf.ptr[len - 1], i); \
+		ck_assert(chunk_equals(chunk_create(buf.ptr + len, buf.len - len), data)); \
+		writer->destroy(writer); \
+	} \
+})
+
+START_TEST(test_write_data8)
+{
+	assert_write_data_len(0, 8);
+	assert_write_data_len(1, 8);
+}
+END_TEST
+
+START_TEST(test_write_data16)
+{
+	assert_write_data_len(0, 16);
+	assert_write_data_len(1, 16);
+}
+END_TEST
+
+START_TEST(test_write_data24)
+{
+	assert_write_data_len(0, 24);
+	assert_write_data_len(1, 24);
+}
+END_TEST
+
+START_TEST(test_write_data32)
+{
+	assert_write_data_len(0, 32);
+	assert_write_data_len(1, 32);
+}
+END_TEST
+
+
+/*******************************************************************************
+ * add length header before current data
+ */
+
+#define assert_wrap_data(init, bits) ({ \
+ 	bio_writer_t *writer; \
+	chunk_t buf, data; \
+	int i, len = bits / 8; \
+	writer = bio_writer_create(init); \
+	writer->wrap##bits(writer); \
+	buf = writer->get_buf(writer); \
+	ck_assert_int_eq(buf.len, len); \
+	ck_assert_int_eq(buf.ptr[len - 1], 0); \
+	writer->destroy(writer); \
+	data = chunk_alloca(32); \
+	memset(data.ptr, 0, data.len); \
+	for (i = 0; i < 32; i++) \
+	{ \
+		data.ptr[i] = i; \
+		data.len = i; \
+		writer = bio_writer_create(init); \
+		writer->write_data(writer, data); \
+		writer->wrap##bits(writer); \
+		buf = writer->get_buf(writer); \
+		ck_assert_int_eq(buf.len, len + i); \
+		ck_assert_int_eq(buf.ptr[len - 1], i); \
+		ck_assert(chunk_equals(chunk_create(buf.ptr + len, buf.len - len), data)); \
+		writer->wrap##bits(writer); \
+		buf = writer->get_buf(writer); \
+		ck_assert_int_eq(buf.len, 2 * len + i); \
+		ck_assert_int_eq(buf.ptr[len - 1], len + i); \
+		ck_assert(chunk_equals(chunk_create(buf.ptr + 2 * len, buf.len - 2 * len), data)); \
+		writer->destroy(writer); \
+	} \
+})
+
+START_TEST(test_wrap8)
+{
+	assert_wrap_data(0, 8);
+	assert_wrap_data(1, 8);
+}
+END_TEST
+
+START_TEST(test_wrap16)
+{
+	assert_wrap_data(0, 16);
+	assert_wrap_data(1, 16);
+}
+END_TEST
+
+START_TEST(test_wrap24)
+{
+	assert_wrap_data(0, 24);
+	assert_wrap_data(1, 24);
+}
+END_TEST
+
+START_TEST(test_wrap32)
+{
+	assert_wrap_data(0, 32);
+	assert_wrap_data(1, 32);
+}
+END_TEST
+
+/*******************************************************************************
+ * test data extraction
+ */
+
+START_TEST(test_get_buf)
+{
+	bio_writer_t *writer;
+	chunk_t data1, data2;
+
+	writer = bio_writer_create(0);
+	writer->write_uint8(writer, 1);
+	data1 = writer->get_buf(writer);
+	ck_assert_int_eq(data1.len, 1);
+	ck_assert(data1.ptr[0] == 1);
+
+	data2 = writer->get_buf(writer);
+	ck_assert(chunk_equals(data1, data2));
+	ck_assert(data1.ptr == data2.ptr);
+	writer->destroy(writer);
+}
+END_TEST
+
+START_TEST(test_extract_buf)
+{
+	bio_writer_t *writer;
+	chunk_t data1, data2;
+
+	writer = bio_writer_create(0);
+	writer->write_uint8(writer, 1);
+	data1 = writer->extract_buf(writer);
+	ck_assert_int_eq(data1.len, 1);
+	ck_assert(data1.ptr[0] == 1);
+
+	data2 = writer->get_buf(writer);
+	ck_assert_int_eq(data2.len, 0);
+	ck_assert(data2.ptr == NULL);
+	data2 = writer->extract_buf(writer);
+	ck_assert_int_eq(data2.len, 0);
+	ck_assert(data2.ptr == NULL);
+
+	writer->write_uint8(writer, 1);
+	data2 = writer->get_buf(writer);
+	ck_assert(chunk_equals(data1, data2));
+	ck_assert(data1.ptr != data2.ptr);
+
+	writer->destroy(writer);
+	chunk_free(&data1);
+}
+END_TEST
+
+Suite *bio_writer_suite_create()
+{
+	Suite *s;
+	TCase *tc;
+
+	s = suite_create("bio_writer");
+
+	tc = tcase_create("integer writes");
+	tcase_add_test(tc, test_write_uint8);
+	tcase_add_test(tc, test_write_uint16);
+	tcase_add_test(tc, test_write_uint24);
+	tcase_add_test(tc, test_write_uint32);
+	tcase_add_test(tc, test_write_uint64);
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("data writes/skip");
+	tcase_add_test(tc, test_write_data);
+	tcase_add_test(tc, test_skip);
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("data length writes");
+	tcase_add_test(tc, test_write_data8);
+	tcase_add_test(tc, test_write_data16);
+	tcase_add_test(tc, test_write_data24);
+	tcase_add_test(tc, test_write_data32);
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("wrap writes");
+	tcase_add_test(tc, test_wrap8);
+	tcase_add_test(tc, test_wrap16);
+	tcase_add_test(tc, test_wrap24);
+	tcase_add_test(tc, test_wrap32);
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("get/extract");
+	tcase_add_test(tc, test_get_buf);
+	tcase_add_test(tc, test_extract_buf);
+	suite_add_tcase(s, tc);
+
+	return s;
+}
diff --git a/src/libstrongswan/tests/test_chunk.c b/src/libstrongswan/tests/test_chunk.c
new file mode 100644
index 000000000..7f07d057b
--- /dev/null
+++ b/src/libstrongswan/tests/test_chunk.c
@@ -0,0 +1,863 @@
+/*
+ * Copyright (C) 2013 Tobias Brunner
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+
+#include "test_suite.h"
+
+#include <utils/chunk.h>
+
+/*******************************************************************************
+ * utilities
+ */
+
+static void assert_chunk_empty(chunk_t chunk)
+{
+	ck_assert(chunk.len == 0 && chunk.ptr == NULL);
+}
+
+/*******************************************************************************
+ * equals
+ */
+
+START_TEST(test_chunk_equals)
+{
+	chunk_t chunk = chunk_from_str("chunk");
+	chunk_t chunk_a, chunk_b;
+
+	chunk_a = chunk_empty;
+	chunk_b = chunk_empty;
+	ck_assert(!chunk_equals(chunk_a, chunk_b));
+
+	chunk_a = chunk;
+	ck_assert(!chunk_equals(chunk_a, chunk_b));
+	chunk_b = chunk;
+	ck_assert(chunk_equals(chunk_a, chunk_b));
+
+	chunk_b = chunk_from_str("asdf");
+	ck_assert(!chunk_equals(chunk_a, chunk_b));
+
+	chunk_b = chunk_from_str("chunk");
+	ck_assert(chunk_equals(chunk_a, chunk_b));
+}
+END_TEST
+
+/*******************************************************************************
+ * chunk_compare test
+ */
+
+static struct {
+	int result;
+	chunk_t a;
+	chunk_t b;
+} compare_data[] = {
+	{ 0, { NULL, 0 }, { NULL, 0 }},
+	{ 0, chunk_from_chars(0x00), chunk_from_chars(0x00)},
+	{-1, chunk_from_chars(0x00), chunk_from_chars(0x01)},
+	{ 1, chunk_from_chars(0x01), chunk_from_chars(0x00)},
+	{ 0, chunk_from_chars(0x00, 0x00), chunk_from_chars(0x00, 0x00)},
+	{-1, chunk_from_chars(0x00, 0x00), chunk_from_chars(0x00, 0x01)},
+	{ 1, chunk_from_chars(0x00, 0x01), chunk_from_chars(0x00, 0x00)},
+	{-1, chunk_from_chars(0x00, 0x00), chunk_from_chars(0x01, 0x00)},
+	{ 1, chunk_from_chars(0x01, 0x00), chunk_from_chars(0x00, 0x00)},
+	{-1, chunk_from_chars(0xff), chunk_from_chars(0x00, 0x00)},
+	{ 1, chunk_from_chars(0x00, 0x00), chunk_from_chars(0xff)},
+};
+
+START_TEST(test_compare)
+{
+	int result, expected;
+
+	result = chunk_compare(compare_data[_i].a, compare_data[_i].b);
+	expected = compare_data[_i].result;
+	ck_assert((result == 0 && expected == 0) ||
+			  (result < 0 && expected < 0) ||
+			  (result > 0 && expected > 0));
+}
+END_TEST
+
+/*******************************************************************************
+ * clear
+ */
+
+START_TEST(test_chunk_clear)
+{
+	chunk_t chunk;
+	u_char *ptr;
+	int i;
+	bool cleared = TRUE;
+
+	chunk = chunk_empty;
+	chunk_clear(&chunk);
+	chunk_free(&chunk);
+
+	chunk = chunk_alloc(64);
+	ptr = chunk.ptr;
+	for (i = 0; i < 64; i++)
+	{
+		chunk.ptr[i] = i;
+	}
+	chunk_clear(&chunk);
+	/* check memory area of freed chunk. We can't use ck_assert() for this
+	 * test directly, as it might allocate data at the freed area. */
+	for (i = 0; i < 64; i++)
+	{
+		if (ptr[i] != 0 && ptr[i] == i)
+		{
+			cleared = FALSE;
+			break;
+		}
+	}
+	assert_chunk_empty(chunk);
+	ck_assert(cleared);
+}
+END_TEST
+
+/*******************************************************************************
+ * chunk_length
+ */
+
+START_TEST(test_chunk_length)
+{
+	chunk_t a, b, c;
+	size_t len;
+
+	a = chunk_empty;
+	b = chunk_empty;
+	c = chunk_empty;
+	len = chunk_length("ccc", a, b, c);
+	ck_assert_int_eq(len, 0);
+
+	a = chunk_from_str("foo");
+	b = chunk_from_str("bar");
+	len = chunk_length("ccc", a, b, c);
+	ck_assert_int_eq(len, 6);
+
+	len = chunk_length("zcc", a, b, c);
+	ck_assert_int_eq(len, 0);
+
+	len = chunk_length("czc", a, b, c);
+	ck_assert_int_eq(len, 3);
+
+	a = chunk_from_str("foo");
+	b = chunk_from_str("bar");
+	c = chunk_from_str("baz");
+	len = chunk_length("ccc", a, b, c);
+	ck_assert_int_eq(len, 9);
+}
+END_TEST
+
+/*******************************************************************************
+ * chunk_create_cat
+ */
+
+START_TEST(test_chunk_create_cat)
+{
+	chunk_t foo, bar;
+	chunk_t a, b, c;
+	u_char *ptra, *ptrb;
+
+	foo = chunk_from_str("foo");
+	bar = chunk_from_str("bar");
+
+	/* to simplify things we use the chunk_cata macro */
+
+	a = chunk_empty;
+	b = chunk_empty;
+	c = chunk_cata("cc", a, b);
+	ck_assert_int_eq(c.len, 0);
+	ck_assert(c.ptr != NULL);
+
+	a = foo;
+	b = bar;
+	c = chunk_cata("cc", a, b);
+	ck_assert_int_eq(c.len, 6);
+	ck_assert(chunk_equals(c, chunk_from_str("foobar")));
+
+	a = chunk_clone(foo);
+	b = chunk_clone(bar);
+	c = chunk_cata("mm", a, b);
+	ck_assert_int_eq(c.len, 6);
+	ck_assert(chunk_equals(c, chunk_from_str("foobar")));
+
+	a = chunk_clone(foo);
+	b = chunk_clone(bar);
+	ptra = a.ptr;
+	ptrb = b.ptr;
+	c = chunk_cata("ss", a, b);
+	ck_assert_int_eq(c.len, 6);
+	ck_assert(chunk_equals(c, chunk_from_str("foobar")));
+	/* check memory area of cleared chunk */
+	ck_assert(!chunk_equals(foo, chunk_create(ptra, 3)));
+	ck_assert(!chunk_equals(bar, chunk_create(ptrb, 3)));
+}
+END_TEST
+
+/*******************************************************************************
+ * chunk_split
+ */
+
+static bool mem_in_chunk(u_char *ptr, chunk_t chunk)
+{
+	return ptr >= chunk.ptr && ptr < (chunk.ptr + chunk.len);
+}
+
+START_TEST(test_chunk_split)
+{
+	chunk_t foo, bar, foobar;
+	chunk_t a, b, c;
+	u_char *ptra, *ptrb;
+
+	foo = chunk_from_str("foo");
+	bar = chunk_from_str("bar");
+	foobar = chunk_from_str("foobar");
+
+	chunk_split(foobar, "aa", 3, &a, 3, &b);
+	ck_assert(chunk_equals(a, foo));
+	ck_assert(chunk_equals(b, bar));
+	ck_assert(!mem_in_chunk(a.ptr, foobar));
+	ck_assert(!mem_in_chunk(b.ptr, foobar));
+	chunk_free(&a);
+	chunk_free(&b);
+
+	chunk_split(foobar, "mm", 3, &a, 3, &b);
+	ck_assert(chunk_equals(a, foo));
+	ck_assert(chunk_equals(b, bar));
+	ck_assert(mem_in_chunk(a.ptr, foobar));
+	ck_assert(mem_in_chunk(b.ptr, foobar));
+
+	chunk_split(foobar, "am", 3, &a, 3, &b);
+	ck_assert(chunk_equals(a, foo));
+	ck_assert(chunk_equals(b, bar));
+	ck_assert(!mem_in_chunk(a.ptr, foobar));
+	ck_assert(mem_in_chunk(b.ptr, foobar));
+	chunk_free(&a);
+
+	a = chunk_alloca(3);
+	ptra = a.ptr;
+	b = chunk_alloca(3);
+	ptrb = b.ptr;
+	chunk_split(foobar, "cc", 3, &a, 3, &b);
+	ck_assert(chunk_equals(a, foo));
+	ck_assert(chunk_equals(b, bar));
+	ck_assert(a.ptr == ptra);
+	ck_assert(b.ptr == ptrb);
+
+	chunk_split(foobar, "mm", 1, NULL, 2, &a, 2, NULL, 1, &b);
+	ck_assert(chunk_equals(a, chunk_from_str("oo")));
+	ck_assert(chunk_equals(b, chunk_from_str("r")));
+
+	chunk_split(foobar, "mm", 6, &a, 6, &b);
+	ck_assert(chunk_equals(a, foobar));
+	assert_chunk_empty(b);
+
+	chunk_split(foobar, "mac", 12, &a, 12, &b, 12, &c);
+	ck_assert(chunk_equals(a, foobar));
+	assert_chunk_empty(b);
+	assert_chunk_empty(c);
+}
+END_TEST
+
+/*******************************************************************************
+ * chunk_skip[_zero]
+ */
+
+START_TEST(test_chunk_skip)
+{
+	chunk_t foobar, a;
+
+	foobar = chunk_from_str("foobar");
+	a = foobar;
+	a = chunk_skip(a, 0);
+	ck_assert(chunk_equals(a, foobar));
+	a = chunk_skip(a, 1);
+	ck_assert(chunk_equals(a, chunk_from_str("oobar")));
+	a = chunk_skip(a, 2);
+	ck_assert(chunk_equals(a, chunk_from_str("bar")));
+	a = chunk_skip(a, 3);
+	assert_chunk_empty(a);
+
+	a = foobar;
+	a = chunk_skip(a, 6);
+	assert_chunk_empty(a);
+
+	a = foobar;
+	a = chunk_skip(a, 10);
+	assert_chunk_empty(a);
+}
+END_TEST
+
+START_TEST(test_chunk_skip_zero)
+{
+	chunk_t foobar, a;
+
+	a = chunk_empty;
+	a = chunk_skip_zero(a);
+	assert_chunk_empty(a);
+
+	foobar = chunk_from_str("foobar");
+	a = foobar;
+	a = chunk_skip_zero(a);
+	ck_assert(chunk_equals(a, foobar));
+
+	a = chunk_from_chars(0x00, 0xaa, 0xbb, 0xcc);
+	a = chunk_skip_zero(a);
+	ck_assert(chunk_equals(a, chunk_from_chars(0xaa, 0xbb, 0xcc)));
+	a = chunk_skip_zero(a);
+	ck_assert(chunk_equals(a, chunk_from_chars(0xaa, 0xbb, 0xcc)));
+}
+END_TEST
+
+/*******************************************************************************
+ * BASE16 encoding test
+ */
+
+START_TEST(test_base16)
+{
+	/* test vectors from RFC 4648:
+	 *
+	 * BASE16("") = ""
+	 * BASE16("f") = "66"
+	 * BASE16("fo") = "666F"
+	 * BASE16("foo") = "666F6F"
+	 * BASE16("foob") = "666F6F62"
+	 * BASE16("fooba") = "666F6F6261"
+	 * BASE16("foobar") = "666F6F626172"
+	 */
+	typedef struct {
+		bool upper;
+		char *in;
+		char *out;
+	} testdata_t;
+
+	testdata_t test[] = {
+		{TRUE,  "", ""},
+		{TRUE,  "f", "66"},
+		{TRUE,  "fo", "666F"},
+		{TRUE,  "foo", "666F6F"},
+		{TRUE,  "foob", "666F6F62"},
+		{TRUE,  "fooba", "666F6F6261"},
+		{TRUE,  "foobar", "666F6F626172"},
+		{FALSE, "", ""},
+		{FALSE, "f", "66"},
+		{FALSE, "fo", "666f"},
+		{FALSE, "foo", "666f6f"},
+		{FALSE, "foob", "666f6f62"},
+		{FALSE, "fooba", "666f6f6261"},
+		{FALSE, "foobar", "666f6f626172"},
+	};
+	testdata_t test_colon[] = {
+		{TRUE,  "", ""},
+		{TRUE,  "f", "66"},
+		{TRUE,  "fo", "66:6F"},
+		{TRUE,  "foo", "66:6F:6F"},
+		{FALSE, "foob", "66:6f:6f:62"},
+		{FALSE, "fooba", "66:6f:6f:62:61"},
+		{FALSE, "foobar", "66:6f:6f:62:61:72"},
+		{FALSE, "foobar", "66:6f6f:6261:72"},
+	};
+	int i;
+
+	for (i = 0; i < countof(test); i++)
+	{
+		chunk_t out;
+
+		out = chunk_to_hex(chunk_create(test[i].in, strlen(test[i].in)), NULL,
+						   test[i].upper);
+		ck_assert_str_eq(out.ptr, test[i].out);
+		free(out.ptr);
+	}
+
+	for (i = 0; i < countof(test); i++)
+	{
+		chunk_t out;
+
+		out = chunk_from_hex(chunk_create(test[i].out, strlen(test[i].out)), NULL);
+		fail_unless(strneq(out.ptr, test[i].in, out.len),
+					"base16 conversion error - should '%s', is %#B",
+					test[i].in, &out);
+		free(out.ptr);
+	}
+
+	for (i = 0; i < countof(test_colon); i++)
+	{
+		chunk_t out;
+
+		out = chunk_from_hex(chunk_create(test_colon[i].out, strlen(test_colon[i].out)), NULL);
+		fail_unless(strneq(out.ptr, test_colon[i].in, out.len),
+					"base16 conversion error - should '%s', is %#B",
+					test_colon[i].in, &out);
+		free(out.ptr);
+	}
+}
+END_TEST
+
+/*******************************************************************************
+ * BASE64 encoding test
+ */
+
+START_TEST(test_base64)
+{
+	/* test vectors from RFC 4648:
+	 *
+	 * BASE64("") = ""
+	 * BASE64("f") = "Zg=="
+	 * BASE64("fo") = "Zm8="
+	 * BASE64("foo") = "Zm9v"
+	 * BASE64("foob") = "Zm9vYg=="
+	 * BASE64("fooba") = "Zm9vYmE="
+	 * BASE64("foobar") = "Zm9vYmFy"
+	 */
+	typedef struct {
+		char *in;
+		char *out;
+	} testdata_t;
+
+	testdata_t test[] = {
+		{"", ""},
+		{"f", "Zg=="},
+		{"fo", "Zm8="},
+		{"foo", "Zm9v"},
+		{"foob", "Zm9vYg=="},
+		{"fooba", "Zm9vYmE="},
+		{"foobar", "Zm9vYmFy"},
+	};
+	int i;
+
+	for (i = 0; i < countof(test); i++)
+	{
+		chunk_t out;
+
+		out = chunk_to_base64(chunk_create(test[i].in, strlen(test[i].in)), NULL);
+		ck_assert_str_eq(out.ptr, test[i].out);
+		free(out.ptr);
+	}
+
+	for (i = 0; i < countof(test); i++)
+	{
+		chunk_t out;
+
+		out = chunk_from_base64(chunk_create(test[i].out, strlen(test[i].out)), NULL);
+		fail_unless(strneq(out.ptr, test[i].in, out.len),
+					"base64 conversion error - should '%s', is %#B",
+					test[i].in, &out);
+		free(out.ptr);
+	}
+}
+END_TEST
+
+/*******************************************************************************
+ * BASE32 encoding test
+ */
+
+START_TEST(test_base32)
+{
+	/* test vectors from RFC 4648:
+	 *
+	 * BASE32("") = ""
+	 * BASE32("f") = "MY======"
+	 * BASE32("fo") = "MZXQ===="
+	 * BASE32("foo") = "MZXW6==="
+	 * BASE32("foob") = "MZXW6YQ="
+	 * BASE32("fooba") = "MZXW6YTB"
+	 * BASE32("foobar") = "MZXW6YTBOI======"
+	 */
+	typedef struct {
+		char *in;
+		char *out;
+	} testdata_t;
+
+	testdata_t test[] = {
+		{"", ""},
+		{"f", "MY======"},
+		{"fo", "MZXQ===="},
+		{"foo", "MZXW6==="},
+		{"foob", "MZXW6YQ="},
+		{"fooba", "MZXW6YTB"},
+		{"foobar", "MZXW6YTBOI======"},
+	};
+	int i;
+
+	for (i = 0; i < countof(test); i++)
+	{
+		chunk_t out;
+
+		out = chunk_to_base32(chunk_create(test[i].in, strlen(test[i].in)), NULL);
+		ck_assert_str_eq(out.ptr, test[i].out);
+		free(out.ptr);
+	}
+}
+END_TEST
+
+/*******************************************************************************
+ * chunk_increment test
+ */
+
+static struct {
+	bool overflow;
+	chunk_t in;
+	chunk_t out;
+} increment_data[] = {
+	{TRUE,  { NULL, 0 }, { NULL, 0 }},
+	{FALSE, chunk_from_chars(0x00), chunk_from_chars(0x01)},
+	{FALSE, chunk_from_chars(0xfe), chunk_from_chars(0xff)},
+	{TRUE,  chunk_from_chars(0xff), chunk_from_chars(0x00)},
+	{FALSE, chunk_from_chars(0x00, 0x00), chunk_from_chars(0x00, 0x01)},
+	{FALSE, chunk_from_chars(0x00, 0xff), chunk_from_chars(0x01, 0x00)},
+	{FALSE, chunk_from_chars(0xfe, 0xff), chunk_from_chars(0xff, 0x00)},
+	{TRUE,  chunk_from_chars(0xff, 0xff), chunk_from_chars(0x00, 0x00)},
+};
+
+START_TEST(test_increment)
+{
+	chunk_t chunk;
+	bool overflow;
+
+	chunk = chunk_clonea(increment_data[_i].in);
+	overflow = chunk_increment(chunk);
+	ck_assert(overflow == increment_data[_i].overflow);
+	ck_assert(!increment_data[_i].out.ptr ||
+			  chunk_equals(chunk, increment_data[_i].out));
+}
+END_TEST
+
+/*******************************************************************************
+ * chunk_printable tests
+ */
+
+static struct {
+	bool printable;
+	chunk_t in;
+	char *out;
+} printable_data[] = {
+	{TRUE,  chunk_from_chars(0x31), "1"},
+	{FALSE, chunk_from_chars(0x00), "?"},
+	{FALSE, chunk_from_chars(0x31, 0x00), "1?"},
+	{FALSE, chunk_from_chars(0x00, 0x31), "?1"},
+	{TRUE,  chunk_from_chars(0x3f, 0x31), "?1"},
+	{FALSE, chunk_from_chars(0x00, 0x31, 0x00), "?1?"},
+	{FALSE, chunk_from_chars(0x00, 0x31, 0x00, 0x32), "?1?2"},
+};
+
+START_TEST(test_printable)
+{
+	bool printable;
+
+	printable = chunk_printable(printable_data[_i].in, NULL, ' ');
+	ck_assert(printable == printable_data[_i].printable);
+}
+END_TEST
+
+START_TEST(test_printable_sanitize)
+{
+	chunk_t sane, expected;
+	bool printable;
+
+	printable = chunk_printable(printable_data[_i].in, &sane, '?');
+	ck_assert(printable == printable_data[_i].printable);
+	expected = chunk_from_str(printable_data[_i].out);
+	ck_assert(chunk_equals(sane, expected));
+	chunk_free(&sane);
+}
+END_TEST
+
+START_TEST(test_printable_empty)
+{
+	chunk_t sane;
+	bool printable;
+
+	printable = chunk_printable(chunk_empty, NULL, ' ');
+	ck_assert(printable);
+
+	sane.ptr = (void*)1;
+	sane.len = 1;
+	printable = chunk_printable(chunk_empty, &sane, ' ');
+	ck_assert(printable);
+	assert_chunk_empty(sane);
+}
+END_TEST
+
+/*******************************************************************************
+ * test for chunk_mac(), i.e. SipHash-2-4
+ */
+
+/**
+ * SipHash-2-4 output with
+ * k = 00 01 02 ...
+ * and
+ * in = (empty string)
+ * in = 00 (1 byte)
+ * in = 00 01 (2 bytes)
+ * in = 00 01 02 (3 bytes)
+ * ...
+ * in = 00 01 02 ... 3e (63 bytes)
+ */
+static const u_char sip_vectors[64][8] =
+{
+	{ 0x31, 0x0e, 0x0e, 0xdd, 0x47, 0xdb, 0x6f, 0x72, },
+	{ 0xfd, 0x67, 0xdc, 0x93, 0xc5, 0x39, 0xf8, 0x74, },
+	{ 0x5a, 0x4f, 0xa9, 0xd9, 0x09, 0x80, 0x6c, 0x0d, },
+	{ 0x2d, 0x7e, 0xfb, 0xd7, 0x96, 0x66, 0x67, 0x85, },
+	{ 0xb7, 0x87, 0x71, 0x27, 0xe0, 0x94, 0x27, 0xcf, },
+	{ 0x8d, 0xa6, 0x99, 0xcd, 0x64, 0x55, 0x76, 0x18, },
+	{ 0xce, 0xe3, 0xfe, 0x58, 0x6e, 0x46, 0xc9, 0xcb, },
+	{ 0x37, 0xd1, 0x01, 0x8b, 0xf5, 0x00, 0x02, 0xab, },
+	{ 0x62, 0x24, 0x93, 0x9a, 0x79, 0xf5, 0xf5, 0x93, },
+	{ 0xb0, 0xe4, 0xa9, 0x0b, 0xdf, 0x82, 0x00, 0x9e, },
+	{ 0xf3, 0xb9, 0xdd, 0x94, 0xc5, 0xbb, 0x5d, 0x7a, },
+	{ 0xa7, 0xad, 0x6b, 0x22, 0x46, 0x2f, 0xb3, 0xf4, },
+	{ 0xfb, 0xe5, 0x0e, 0x86, 0xbc, 0x8f, 0x1e, 0x75, },
+	{ 0x90, 0x3d, 0x84, 0xc0, 0x27, 0x56, 0xea, 0x14, },
+	{ 0xee, 0xf2, 0x7a, 0x8e, 0x90, 0xca, 0x23, 0xf7, },
+	{ 0xe5, 0x45, 0xbe, 0x49, 0x61, 0xca, 0x29, 0xa1, },
+	{ 0xdb, 0x9b, 0xc2, 0x57, 0x7f, 0xcc, 0x2a, 0x3f, },
+	{ 0x94, 0x47, 0xbe, 0x2c, 0xf5, 0xe9, 0x9a, 0x69, },
+	{ 0x9c, 0xd3, 0x8d, 0x96, 0xf0, 0xb3, 0xc1, 0x4b, },
+	{ 0xbd, 0x61, 0x79, 0xa7, 0x1d, 0xc9, 0x6d, 0xbb, },
+	{ 0x98, 0xee, 0xa2, 0x1a, 0xf2, 0x5c, 0xd6, 0xbe, },
+	{ 0xc7, 0x67, 0x3b, 0x2e, 0xb0, 0xcb, 0xf2, 0xd0, },
+	{ 0x88, 0x3e, 0xa3, 0xe3, 0x95, 0x67, 0x53, 0x93, },
+	{ 0xc8, 0xce, 0x5c, 0xcd, 0x8c, 0x03, 0x0c, 0xa8, },
+	{ 0x94, 0xaf, 0x49, 0xf6, 0xc6, 0x50, 0xad, 0xb8, },
+	{ 0xea, 0xb8, 0x85, 0x8a, 0xde, 0x92, 0xe1, 0xbc, },
+	{ 0xf3, 0x15, 0xbb, 0x5b, 0xb8, 0x35, 0xd8, 0x17, },
+	{ 0xad, 0xcf, 0x6b, 0x07, 0x63, 0x61, 0x2e, 0x2f, },
+	{ 0xa5, 0xc9, 0x1d, 0xa7, 0xac, 0xaa, 0x4d, 0xde, },
+	{ 0x71, 0x65, 0x95, 0x87, 0x66, 0x50, 0xa2, 0xa6, },
+	{ 0x28, 0xef, 0x49, 0x5c, 0x53, 0xa3, 0x87, 0xad, },
+	{ 0x42, 0xc3, 0x41, 0xd8, 0xfa, 0x92, 0xd8, 0x32, },
+	{ 0xce, 0x7c, 0xf2, 0x72, 0x2f, 0x51, 0x27, 0x71, },
+	{ 0xe3, 0x78, 0x59, 0xf9, 0x46, 0x23, 0xf3, 0xa7, },
+	{ 0x38, 0x12, 0x05, 0xbb, 0x1a, 0xb0, 0xe0, 0x12, },
+	{ 0xae, 0x97, 0xa1, 0x0f, 0xd4, 0x34, 0xe0, 0x15, },
+	{ 0xb4, 0xa3, 0x15, 0x08, 0xbe, 0xff, 0x4d, 0x31, },
+	{ 0x81, 0x39, 0x62, 0x29, 0xf0, 0x90, 0x79, 0x02, },
+	{ 0x4d, 0x0c, 0xf4, 0x9e, 0xe5, 0xd4, 0xdc, 0xca, },
+	{ 0x5c, 0x73, 0x33, 0x6a, 0x76, 0xd8, 0xbf, 0x9a, },
+	{ 0xd0, 0xa7, 0x04, 0x53, 0x6b, 0xa9, 0x3e, 0x0e, },
+	{ 0x92, 0x59, 0x58, 0xfc, 0xd6, 0x42, 0x0c, 0xad, },
+	{ 0xa9, 0x15, 0xc2, 0x9b, 0xc8, 0x06, 0x73, 0x18, },
+	{ 0x95, 0x2b, 0x79, 0xf3, 0xbc, 0x0a, 0xa6, 0xd4, },
+	{ 0xf2, 0x1d, 0xf2, 0xe4, 0x1d, 0x45, 0x35, 0xf9, },
+	{ 0x87, 0x57, 0x75, 0x19, 0x04, 0x8f, 0x53, 0xa9, },
+	{ 0x10, 0xa5, 0x6c, 0xf5, 0xdf, 0xcd, 0x9a, 0xdb, },
+	{ 0xeb, 0x75, 0x09, 0x5c, 0xcd, 0x98, 0x6c, 0xd0, },
+	{ 0x51, 0xa9, 0xcb, 0x9e, 0xcb, 0xa3, 0x12, 0xe6, },
+	{ 0x96, 0xaf, 0xad, 0xfc, 0x2c, 0xe6, 0x66, 0xc7, },
+	{ 0x72, 0xfe, 0x52, 0x97, 0x5a, 0x43, 0x64, 0xee, },
+	{ 0x5a, 0x16, 0x45, 0xb2, 0x76, 0xd5, 0x92, 0xa1, },
+	{ 0xb2, 0x74, 0xcb, 0x8e, 0xbf, 0x87, 0x87, 0x0a, },
+	{ 0x6f, 0x9b, 0xb4, 0x20, 0x3d, 0xe7, 0xb3, 0x81, },
+	{ 0xea, 0xec, 0xb2, 0xa3, 0x0b, 0x22, 0xa8, 0x7f, },
+	{ 0x99, 0x24, 0xa4, 0x3c, 0xc1, 0x31, 0x57, 0x24, },
+	{ 0xbd, 0x83, 0x8d, 0x3a, 0xaf, 0xbf, 0x8d, 0xb7, },
+	{ 0x0b, 0x1a, 0x2a, 0x32, 0x65, 0xd5, 0x1a, 0xea, },
+	{ 0x13, 0x50, 0x79, 0xa3, 0x23, 0x1c, 0xe6, 0x60, },
+	{ 0x93, 0x2b, 0x28, 0x46, 0xe4, 0xd7, 0x06, 0x66, },
+	{ 0xe1, 0x91, 0x5f, 0x5c, 0xb1, 0xec, 0xa4, 0x6c, },
+	{ 0xf3, 0x25, 0x96, 0x5c, 0xa1, 0x6d, 0x62, 0x9f, },
+	{ 0x57, 0x5f, 0xf2, 0x8e, 0x60, 0x38, 0x1b, 0xe5, },
+	{ 0x72, 0x45, 0x06, 0xeb, 0x4c, 0x32, 0x8a, 0x95, }
+};
+
+START_TEST(test_chunk_mac)
+{
+	chunk_t in;
+	u_char key[16];
+	u_int64_t out;
+	int i, count;
+
+	count = countof(sip_vectors);
+	in = chunk_alloca(count);
+
+	for (i = 0; i < 16; ++i)
+	{
+		key[i] = i;
+	}
+
+	for (i = 0; i < count; ++i)
+	{
+		in.ptr[i] = i;
+		in.len = i;
+		out = chunk_mac(in, key);
+		fail_unless(memeq(&out, sip_vectors[i], 8),
+					"test vector failed for %d bytes", i);
+	}
+}
+END_TEST
+
+/*******************************************************************************
+ * test for chunk_hash[_inc]()
+ */
+
+START_TEST(test_chunk_hash)
+{
+	chunk_t chunk;
+	u_int32_t hash_a, hash_b, hash_c;
+
+	chunk = chunk_from_str("asdf");
+
+	/* output is randomized, so there are no test-vectors we could use */
+	hash_a = chunk_hash(chunk);
+	hash_b = chunk_hash(chunk);
+	ck_assert(hash_a == hash_b);
+	hash_b = chunk_hash_inc(chunk, hash_a);
+	ck_assert(hash_a != hash_b);
+	hash_c = chunk_hash_inc(chunk, hash_a);
+	ck_assert(hash_b == hash_c);
+}
+END_TEST
+
+/*******************************************************************************
+ * test for chunk_hash_static[_inc]()
+ */
+
+START_TEST(test_chunk_hash_static)
+{
+	chunk_t in;
+	u_int32_t out, hash_a, hash_b, hash_inc = 0x7b891a95;
+	int i, count;
+
+	count = countof(sip_vectors);
+	in = chunk_alloca(count);
+
+	for (i = 0; i < count; ++i)
+	{
+		in.ptr[i] = i;
+		in.len = i;
+		/* compared to chunk_mac() we only get half the value back */
+		out = chunk_hash_static(in);
+		fail_unless(memeq(&out, sip_vectors[i], 4),
+					"test vector failed for %d bytes", i);
+	}
+	hash_a = chunk_hash_static_inc(in, out);
+	ck_assert_int_eq(hash_a, hash_inc);
+	hash_b = chunk_hash_static_inc(in, out);
+	ck_assert_int_eq(hash_a, hash_b);
+}
+END_TEST
+
+/*******************************************************************************
+ * printf_hook tests
+ */
+
+static struct {
+	chunk_t in;
+	char *out;
+} printf_hook_data[] = {
+	{chunk_from_chars(), ""},
+	{chunk_from_chars(0x00), "00"},
+	{chunk_from_chars(0x00, 0x01), "00:01"},
+	{chunk_from_chars(0x00, 0x01, 0x02), "00:01:02"},
+};
+
+START_TEST(test_printf_hook_hash)
+{
+	char buf[16];
+	int len;
+
+	len = snprintf(buf, sizeof(buf), "%#B", &printf_hook_data[_i].in);
+	ck_assert(len >= 0 && len < sizeof(buf));
+	ck_assert_str_eq(buf, printf_hook_data[_i].out);
+}
+END_TEST
+
+START_TEST(test_printf_hook)
+{
+	char buf[128], mem[128];
+	int len;
+
+	/* %B should be the same as %b, which is what we check, comparing the
+	 * acutal result could be tricky as %b prints the chunk's memory address */
+	len = snprintf(buf, sizeof(buf), "%B", &printf_hook_data[_i].in);
+	ck_assert(len >= 0 && len < sizeof(buf));
+	len = snprintf(mem, sizeof(mem), "%b", printf_hook_data[_i].in.ptr,
+				  (u_int)printf_hook_data[_i].in.len);
+	ck_assert(len >= 0 && len < sizeof(mem));
+	ck_assert_str_eq(buf, mem);
+}
+END_TEST
+
+Suite *chunk_suite_create()
+{
+	Suite *s;
+	TCase *tc;
+
+	s = suite_create("chunk");
+
+	tc = tcase_create("equals");
+	tcase_add_test(tc, test_chunk_equals);
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("chunk_compare");
+	tcase_add_loop_test(tc, test_compare, 0, countof(compare_data));
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("clear");
+	tcase_add_test(tc, test_chunk_clear);
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("chunk_length");
+	tcase_add_test(tc, test_chunk_length);
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("chunk_create_cat");
+	tcase_add_test(tc, test_chunk_create_cat);
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("chunk_split");
+	tcase_add_test(tc, test_chunk_split);
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("chunk_skip");
+	tcase_add_test(tc, test_chunk_skip);
+	tcase_add_test(tc, test_chunk_skip_zero);
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("chunk_increment");
+	tcase_add_loop_test(tc, test_increment, 0, countof(increment_data));
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("chunk_printable");
+	tcase_add_loop_test(tc, test_printable, 0, countof(printable_data));
+	tcase_add_loop_test(tc, test_printable_sanitize, 0, countof(printable_data));
+	tcase_add_test(tc, test_printable_empty);
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("baseXX");
+	tcase_add_test(tc, test_base64);
+	tcase_add_test(tc, test_base32);
+	tcase_add_test(tc, test_base16);
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("chunk_mac");
+	tcase_add_test(tc, test_chunk_mac);
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("chunk_hash");
+	tcase_add_test(tc, test_chunk_hash);
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("chunk_hash_static");
+	tcase_add_test(tc, test_chunk_hash_static);
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("printf_hook");
+	tcase_add_loop_test(tc, test_printf_hook_hash, 0, countof(printf_hook_data));
+	tcase_add_loop_test(tc, test_printf_hook, 0, countof(printf_hook_data));
+	suite_add_tcase(s, tc);
+
+	return s;
+}
diff --git a/src/libstrongswan/tests/test_ecdsa.c b/src/libstrongswan/tests/test_ecdsa.c
new file mode 100644
index 000000000..2955bae2f
--- /dev/null
+++ b/src/libstrongswan/tests/test_ecdsa.c
@@ -0,0 +1,237 @@
+/*
+ * Copyright (C) 2013 Martin Willi
+ * Copyright (C) 2013 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "test_suite.h"
+
+#include <plugins/plugin_feature.h>
+
+/**
+ * Signature schemes to test
+ */
+static struct {
+	/* key size for scheme, 0 for any */
+	int key_size;
+	signature_scheme_t scheme;
+} schemes[] = {
+	{ 0, SIGN_ECDSA_WITH_SHA1_DER },
+	{ 0, SIGN_ECDSA_WITH_SHA256_DER },
+	{ 0, SIGN_ECDSA_WITH_SHA384_DER },
+	{ 0, SIGN_ECDSA_WITH_SHA512_DER },
+	{ 0, SIGN_ECDSA_WITH_NULL },
+	{ 256, SIGN_ECDSA_256 },
+	{ 384, SIGN_ECDSA_384 },
+	{ 521, SIGN_ECDSA_521 },
+};
+
+/**
+ * Perform a signature verification "good" test having a keypair
+ */
+static void test_good_sig(private_key_t *privkey, public_key_t *pubkey)
+{
+	chunk_t sig, data = chunk_from_chars(0x01,0x02,0x03,0xFD,0xFE,0xFF);
+	int i;
+
+	for (i = 0; i < countof(schemes); i++)
+	{
+		if (!lib->plugins->has_feature(lib->plugins,
+						PLUGIN_PROVIDE(PUBKEY_VERIFY, schemes[i].scheme)) ||
+			!lib->plugins->has_feature(lib->plugins,
+						PLUGIN_PROVIDE(PRIVKEY_SIGN, schemes[i].scheme)))
+		{
+			continue;
+		}
+		if (schemes[i].key_size != 0 &&
+			schemes[i].scheme != privkey->get_keysize(privkey))
+		{
+			continue;
+		}
+		fail_unless(privkey->sign(privkey, schemes[i].scheme, data, &sig),
+					"sign %N", signature_scheme_names, schemes[i].scheme);
+		fail_unless(pubkey->verify(pubkey, schemes[i].scheme, data, sig),
+					"verify %N", signature_scheme_names, schemes[i].scheme);
+		free(sig.ptr);
+	}
+}
+
+/**
+ * Some special signatures that should never validate successfully
+ */
+static chunk_t invalid_sigs[] = {
+	chunk_from_chars(),
+	chunk_from_chars(0x00),
+	chunk_from_chars(0x00,0x00),
+	chunk_from_chars(0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00),
+	chunk_from_chars(0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+					 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00),
+	chunk_from_chars(0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+					 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+					 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00),
+	chunk_from_chars(0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+					 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+					 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+					 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00),
+	chunk_from_chars(0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+					 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+					 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+					 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+					 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+					 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00),
+	chunk_from_chars(0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+					 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+					 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+					 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+					 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+					 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+					 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+					 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00),
+};
+
+/**
+ * Check public key that it properly fails against some crafted sigs
+ */
+static void test_bad_sigs(public_key_t *pubkey)
+{
+	chunk_t data = chunk_from_chars(0x01,0x02,0x03,0xFD,0xFE,0xFF);
+	int s, i;
+
+	for (s = 0; s < countof(schemes); s++)
+	{
+		if (schemes[s].key_size != 0 &&
+			schemes[s].scheme != pubkey->get_keysize(pubkey))
+		{
+			continue;
+		}
+		if (!lib->plugins->has_feature(lib->plugins,
+						PLUGIN_PROVIDE(PUBKEY_VERIFY, schemes[s].scheme)))
+		{
+			continue;
+		}
+		for (i = 0; i < countof(invalid_sigs); i++)
+		{
+			fail_if(
+				pubkey->verify(pubkey, schemes[s].scheme, data, invalid_sigs[i]),
+				"bad %N sig accepted %B",
+				signature_scheme_names, schemes[s].scheme,
+				&invalid_sigs[i]);
+		}
+	}
+}
+
+/**
+ * ECDSA key sizes to test
+ */
+static int key_sizes[] = {
+	256, 384, 521,
+};
+
+START_TEST(test_gen)
+{
+	private_key_t *privkey;
+	public_key_t *pubkey;
+
+	privkey = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_ECDSA,
+								 BUILD_KEY_SIZE, key_sizes[_i], BUILD_END);
+	ck_assert(privkey != NULL);
+	pubkey = privkey->get_public_key(privkey);
+	ck_assert(pubkey != NULL);
+
+	test_good_sig(privkey, pubkey);
+
+	test_bad_sigs(pubkey);
+
+	pubkey->destroy(pubkey);
+	privkey->destroy(privkey);
+}
+END_TEST
+
+/**
+ * Private keys to load
+ */
+static chunk_t keys[] = {
+	chunk_from_chars( /* ECDSA-256 */
+		0x30,0x77,0x02,0x01,0x01,0x04,0x20,0x42,0xc6,0x8c,0xff,0x2b,0x8b,0x87,0xa1,0xfb,
+		0x50,0xf6,0xfe,0xd6,0x88,0xb3,0x0a,0x48,0xb2,0xc5,0x8f,0x50,0xe0,0xcf,0x40,0xfa,
+		0x57,0xd1,0xc6,0x6c,0x20,0x64,0xc5,0xa0,0x0a,0x06,0x08,0x2a,0x86,0x48,0xce,0x3d,
+		0x03,0x01,0x07,0xa1,0x44,0x03,0x42,0x00,0x04,0x9c,0xb2,0x52,0xcb,0xc0,0x5c,0xcf,
+		0x97,0xdd,0xd6,0xe7,0x49,0x32,0x47,0x0c,0x8e,0xdb,0x6d,0xbf,0xc8,0x1a,0x0a,0x01,
+		0xe8,0x5e,0x3f,0x8e,0x64,0x33,0xb4,0x15,0xbb,0x1b,0xa5,0xed,0xf9,0x4b,0xa7,0xe8,
+		0x5e,0x6f,0x49,0x24,0xf7,0x32,0xf4,0x9b,0x4c,0x47,0xdc,0xf1,0x28,0x44,0x1c,0x37,
+		0xdb,0xee,0xfb,0xd8,0xbd,0x4e,0x5c,0xeb,0x07),
+	chunk_from_chars( /* ECDSA-384 */
+		0x30,0x81,0xa4,0x02,0x01,0x01,0x04,0x30,0x4b,0xbf,0x6c,0xf5,0x24,0x78,0x53,0x4b,
+		0x1a,0x91,0x23,0xae,0x30,0xc8,0xb3,0xc9,0xc2,0x9b,0x23,0x07,0x10,0x6f,0x1b,0x47,
+		0x7c,0xa0,0xd4,0x79,0x3c,0xc4,0x83,0x10,0xd1,0x44,0x07,0xc2,0x1b,0x66,0xff,0xae,
+		0x76,0x57,0x72,0x90,0x53,0xc2,0xf5,0x29,0xa0,0x07,0x06,0x05,0x2b,0x81,0x04,0x00,
+		0x22,0xa1,0x64,0x03,0x62,0x00,0x04,0x1e,0xcf,0x1c,0x85,0x9d,0x06,0xa0,0x54,0xa2,
+		0x24,0x2f,0xd8,0x63,0x56,0x7b,0x70,0x0b,0x7f,0x81,0x96,0xce,0xb9,0x2e,0x35,0x03,
+		0x9c,0xf9,0x0a,0x5d,0x3b,0x10,0xf7,0x13,0x7a,0x0d,0xca,0x56,0xda,0x1d,0x44,0x84,
+		0x07,0x6f,0x58,0xdc,0x34,0x7b,0x1d,0x4c,0xdd,0x28,0x10,0xc0,0xe2,0xae,0xf4,0xd6,
+		0xda,0xea,0xaf,0xfc,0x7a,0xaf,0x59,0x5f,0xbc,0x91,0x65,0xd3,0x21,0x19,0x61,0xbb,
+		0xfe,0x3c,0xdb,0x47,0xcb,0x7a,0xe7,0x5d,0xbd,0x28,0xde,0x25,0x64,0x9e,0x3a,0xa9,
+		0x18,0xed,0x24,0xe1,0x1f,0x73,0xcc),
+	chunk_from_chars( /* ECDSA-521 */
+		0x30,0x81,0xdc,0x02,0x01,0x01,0x04,0x42,0x01,0xcf,0x38,0xaa,0xa7,0x7a,0x79,0x48,
+		0xa9,0x60,0x55,0x24,0xa8,0x7e,0xe1,0xbc,0x45,0x35,0x16,0xff,0x18,0xce,0x44,0xa2,
+		0x0b,0x72,0x6b,0xca,0x0a,0x40,0xb4,0x97,0x13,0x17,0x90,0x50,0x15,0xb9,0xba,0xfc,
+		0x08,0x0e,0xdb,0xf8,0xfc,0x06,0x35,0x37,0xbf,0xfb,0x25,0x74,0xfe,0x0f,0xe1,0x3c,
+		0x3a,0xf0,0x0d,0xe0,0x52,0x15,0xa8,0x07,0x6f,0x3e,0xa0,0x07,0x06,0x05,0x2b,0x81,
+		0x04,0x00,0x23,0xa1,0x81,0x89,0x03,0x81,0x86,0x00,0x04,0x00,0x56,0x81,0x28,0xd6,
+		0xac,0xe9,0xc8,0x82,0x2c,0xac,0x61,0x6d,0xdd,0x88,0x79,0x00,0xe3,0x7a,0x4d,0x25,
+		0xc4,0xea,0x05,0x80,0x75,0x48,0xbc,0x75,0x73,0xc4,0xe9,0x76,0x68,0xba,0x51,0xc3,
+		0x29,0xce,0x7d,0x1b,0xb0,0x8b,0xac,0xc1,0xcc,0x23,0xa7,0x2d,0xa7,0x2c,0x95,0xf6,
+		0x01,0x40,0x26,0x01,0x1c,0x1c,0x9c,0xe7,0xa7,0xb4,0x0f,0x8e,0xba,0x01,0x07,0xb3,
+		0xf7,0xbe,0x45,0x20,0xa9,0x9e,0x70,0xf0,0xcf,0x9b,0xa0,0x91,0xe3,0x88,0x8f,0x04,
+		0x69,0x3d,0x0f,0x2b,0xf3,0xb4,0x03,0x19,0x89,0xcf,0xfa,0x77,0x04,0x15,0xaf,0xdd,
+		0xf7,0x32,0x76,0x25,0x25,0x05,0x8d,0xfd,0x18,0x8a,0xda,0xd6,0xbc,0x71,0xb8,0x9f,
+		0x39,0xb0,0xaf,0xcc,0x54,0xb0,0x9c,0x4d,0x54,0xfb,0x46,0x53,0x5f,0xf8,0x45),
+};
+
+START_TEST(test_load)
+{
+	private_key_t *privkey;
+	public_key_t *pubkey;
+
+	privkey = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_ECDSA,
+								 BUILD_BLOB_ASN1_DER, keys[_i], BUILD_END);
+	ck_assert(privkey != NULL);
+	pubkey = privkey->get_public_key(privkey);
+	ck_assert(pubkey != NULL);
+
+	test_good_sig(privkey, pubkey);
+
+	test_bad_sigs(pubkey);
+
+	pubkey->destroy(pubkey);
+	privkey->destroy(privkey);
+}
+END_TEST
+
+Suite *ecdsa_suite_create()
+{
+	Suite *s;
+	TCase *tc;
+
+	s = suite_create("ecdsa");
+
+	tc = tcase_create("generate");
+	tcase_add_loop_test(tc, test_gen, 0, countof(key_sizes));
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("load");
+	tcase_add_loop_test(tc, test_load, 0, countof(keys));
+	suite_add_tcase(s, tc);
+
+	return s;
+}
diff --git a/src/libstrongswan/tests/test_enum.c b/src/libstrongswan/tests/test_enum.c
new file mode 100644
index 000000000..990d9cfad
--- /dev/null
+++ b/src/libstrongswan/tests/test_enum.c
@@ -0,0 +1,248 @@
+/*
+ * Copyright (C) 2013 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "test_suite.h"
+
+#include <utils/enum.h>
+#include <utils/utils.h>
+
+/*******************************************************************************
+ * continuous enum
+ */
+enum {
+	CONT1,
+	CONT2,
+	CONT3,
+	CONT4,
+	CONT5,
+} test_enum_cont;
+
+/* can't be static */
+enum_name_t *test_enum_cont_names;
+
+ENUM_BEGIN(test_enum_cont_names, CONT1, CONT5,
+	"CONT1", "CONT2", "CONT3", "CONT4", "CONT5");
+ENUM_END(test_enum_cont_names, CONT5);
+
+/*******************************************************************************
+ * split enum
+ */
+enum {
+	SPLIT1 = 1,
+	SPLIT2,
+	SPLIT3 = 5,
+	SPLIT4,
+	SPLIT5 = 255,
+} test_enum_split;
+
+/* can't be static */
+enum_name_t *test_enum_split_names;
+
+ENUM_BEGIN(test_enum_split_names, SPLIT1, SPLIT2,
+	"SPLIT1", "SPLIT2");
+ENUM_NEXT(test_enum_split_names, SPLIT3, SPLIT4, SPLIT2,
+	"SPLIT3", "SPLIT4");
+ENUM_NEXT(test_enum_split_names, SPLIT5, SPLIT5, SPLIT4,
+	"SPLIT5");
+ENUM_END(test_enum_split_names, SPLIT5);
+
+/*******************************************************************************
+ * enum_to_name
+ */
+
+static struct {
+	int val;
+	char *str;
+} name_tests_cont[] = {
+	{-1, NULL},
+	{CONT1, "CONT1"},
+	{CONT2, "CONT2"},
+	{CONT3, "CONT3"},
+	{CONT4, "CONT4"},
+	{CONT5, "CONT5"},
+	{5, NULL},
+}, name_tests_split[] = {
+	{-1, NULL},
+	{0, NULL},
+	{SPLIT1, "SPLIT1"},
+	{SPLIT2, "SPLIT2"},
+	{3, NULL},
+	{4, NULL},
+	{SPLIT3, "SPLIT3"},
+	{SPLIT4, "SPLIT4"},
+	{7, NULL},
+	{254, NULL},
+	{SPLIT5, "SPLIT5"},
+	{256, NULL},
+};
+
+START_TEST(test_enum_to_name_cont)
+{
+	char *str = enum_to_name(test_enum_cont_names, name_tests_cont[_i].val);
+	if (str)
+	{
+		ck_assert_str_eq(str, name_tests_cont[_i].str);
+	}
+	else
+	{
+		ck_assert(str == name_tests_cont[_i].str);
+	}
+}
+END_TEST
+
+START_TEST(test_enum_to_name_split)
+{
+	char *str = enum_to_name(test_enum_split_names, name_tests_split[_i].val);
+	if (str)
+	{
+		ck_assert_str_eq(str, name_tests_split[_i].str);
+	}
+	else
+	{
+		ck_assert(str == name_tests_split[_i].str);
+	}
+}
+END_TEST
+
+/*******************************************************************************
+ * enum_from_name
+ */
+
+static struct {
+	int val;
+	char *str;
+} enum_tests_cont[] = {
+	{CONT1, "CONT1"},
+	{CONT2, "CONT2"},
+	{CONT2, "CoNt2"},
+	{CONT3, "CONT3"},
+	{CONT4, "CONT4"},
+	{CONT5, "CONT5"},
+	{-1, "asdf"},
+	{-1, ""},
+	{-1, NULL},
+}, enum_tests_split[] = {
+	{SPLIT1, "SPLIT1"},
+	{SPLIT1, "split1"},
+	{SPLIT2, "SPLIT2"},
+	{SPLIT2, "SpLiT2"},
+	{SPLIT3, "SPLIT3"},
+	{SPLIT4, "SPLIT4"},
+	{SPLIT5, "SPLIT5"},
+	{-1, "asdf"},
+	{-1, ""},
+	{-1, NULL},
+};
+
+START_TEST(test_enum_from_name_cont)
+{
+	int val = enum_from_name(test_enum_cont_names, enum_tests_cont[_i].str);
+	ck_assert_int_eq(val, enum_tests_cont[_i].val);
+}
+END_TEST
+
+START_TEST(test_enum_from_name_split)
+{
+	int val = enum_from_name(test_enum_split_names, enum_tests_split[_i].str);
+	ck_assert_int_eq(val, enum_tests_split[_i].val);
+}
+END_TEST
+
+/*******************************************************************************
+ * enum_printf_hook
+ */
+
+static struct {
+	int val;
+	char *str;
+} printf_tests_cont[] = {
+	{-1, "(-1)"},
+	{CONT1, "CONT1"},
+	{CONT2, "CONT2"},
+	{CONT3, "CONT3"},
+	{CONT4, "CONT4"},
+	{CONT5, "CONT5"},
+	{5, "(5)"},
+}, printf_tests_split[] = {
+	{-1, "(-1)"},
+	{0, "(0)"},
+	{SPLIT1, "SPLIT1"},
+	{SPLIT2, "SPLIT2"},
+	{3, "(3)"},
+	{4, "(4)"},
+	{SPLIT3, "SPLIT3"},
+	{SPLIT4, "SPLIT4"},
+	{7, "(7)"},
+	{254, "(254)"},
+	{SPLIT5, "SPLIT5"},
+	{256, "(256)"},
+};
+
+START_TEST(test_enum_printf_hook_cont)
+{
+	char buf[128];
+
+	snprintf(buf, sizeof(buf), "%N", test_enum_cont_names, printf_tests_cont[_i].val);
+	ck_assert_str_eq(printf_tests_cont[_i].str, buf);
+}
+END_TEST
+
+START_TEST(test_enum_printf_hook_split)
+{
+	char buf[128];
+
+	snprintf(buf, sizeof(buf), "%N", test_enum_split_names, printf_tests_split[_i].val);
+	ck_assert_str_eq(printf_tests_split[_i].str, buf);
+}
+END_TEST
+
+START_TEST(test_enum_printf_hook_width)
+{
+	char buf[128];
+
+	snprintf(buf, sizeof(buf), "%10N", test_enum_cont_names, CONT1);
+	ck_assert_str_eq("     CONT1", buf);
+	snprintf(buf, sizeof(buf), "%-*N", 10, test_enum_cont_names, CONT2);
+	ck_assert_str_eq("CONT2     ", buf);
+	snprintf(buf, sizeof(buf), "%3N", test_enum_cont_names, CONT3);
+	ck_assert_str_eq("CONT3", buf);
+}
+END_TEST
+
+Suite *enum_suite_create()
+{
+	Suite *s;
+	TCase *tc;
+
+	s = suite_create("enum");
+
+	tc = tcase_create("enum_to_name");
+	tcase_add_loop_test(tc, test_enum_to_name_cont, 0, countof(name_tests_cont));
+	tcase_add_loop_test(tc, test_enum_to_name_split, 0, countof(name_tests_split));
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("enum_from_name");
+	tcase_add_loop_test(tc, test_enum_from_name_cont, 0, countof(enum_tests_cont));
+	tcase_add_loop_test(tc, test_enum_from_name_split, 0, countof(enum_tests_split));
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("enum_printf_hook");
+	tcase_add_loop_test(tc, test_enum_printf_hook_cont, 0, countof(printf_tests_cont));
+	tcase_add_loop_test(tc, test_enum_printf_hook_split, 0, countof(printf_tests_split));
+	tcase_add_test(tc, test_enum_printf_hook_width);
+	suite_add_tcase(s, tc);
+
+	return s;
+}
diff --git a/src/libstrongswan/tests/test_enumerator.c b/src/libstrongswan/tests/test_enumerator.c
new file mode 100644
index 000000000..b5dde4650
--- /dev/null
+++ b/src/libstrongswan/tests/test_enumerator.c
@@ -0,0 +1,409 @@
+/*
+ * Copyright (C) 2013 Tobias Brunner
+ * Copyright (C) 2007 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "test_suite.h"
+
+#include <collections/enumerator.h>
+#include <collections/linked_list.h>
+
+/*******************************************************************************
+ * token test
+ */
+
+static const char *token_results1[] = { "abc", "cde", "efg" };
+static const char *token_results2[] = { "a", "b", "c" };
+
+static struct {
+	char *string;
+	char *sep;
+	char *trim;
+	const char **results;
+} token_tests[] = {
+	{"abc, cde, efg", ",", " ", token_results1},
+	{" abc 1:2 cde;3  4efg5.  ", ":;.,", " 12345", token_results1},
+	{"abc.cde,efg", ",.", "", token_results1},
+	{"  abc   cde  efg  ", " ", " ", token_results1},
+	{"a'abc' c 'cde' cefg", " ", " abcd", token_results1},
+	{"'abc' abc 'cde'd 'efg'", " ", " abcd", token_results1},
+
+	{"a, b, c", ",", " ", token_results2},
+	{"a,b,c", ",", " ", token_results2},
+	{" a 1:2 b;3  4c5.  ", ":;.,", " 12345", token_results2},
+	{"a.b,c", ",.", "", token_results2},
+	{"  a   b  c  ", " ", " ", token_results2},
+};
+
+START_TEST(test_token)
+{
+	enumerator_t *enumerator;
+	const char **results;
+	char *token;
+	int tok = 0;
+
+	enumerator = enumerator_create_token(token_tests[_i].string,
+									token_tests[_i].sep, token_tests[_i].trim);
+	results = token_tests[_i].results;
+	while (enumerator->enumerate(enumerator, &token))
+	{
+		switch (tok)
+		{
+			case 0:
+			case 1:
+			case 2:
+				ck_assert_str_eq(token, results[tok]);
+				break;
+			default:
+				fail("unexpected token '%s'", token);
+		}
+		tok++;
+	}
+	fail_if(tok != 3, "not enough tokens (%d) extracted from '%s'",
+			tok, token_tests[_i].string);
+	enumerator->destroy(enumerator);
+}
+END_TEST
+
+/*******************************************************************************
+ * utilities for filtered, nested and cleaner tests
+ */
+
+static int destroy_data_called;
+
+START_SETUP(setup_destroy_data)
+{
+	destroy_data_called = 0;
+}
+END_SETUP
+
+START_TEARDOWN(teardown_destroy_data)
+{
+	ck_assert_int_eq(destroy_data_called, 1);
+}
+END_TEARDOWN
+
+static void destroy_data(void *data)
+{
+	fail_if(data != (void*)101, "data does not match '101' in destructor");
+	destroy_data_called++;
+}
+
+/*******************************************************************************
+ * filtered test
+ */
+
+static bool filter(void *data, int *v, int *vo, int *w, int *wo,
+				   int *x, int *xo, int *y, int *yo, int *z, int *zo)
+{
+	int val = *v;
+
+	*vo = val++;
+	*wo = val++;
+	*xo = val++;
+	*yo = val++;
+	*zo = val++;
+	fail_if(data != (void*)101, "data does not match '101' in filter function");
+	return TRUE;
+}
+
+static bool filter_odd(void *data, int *item, int *out)
+{
+	fail_if(data != (void*)101, "data does not match '101' in filter function");
+	*out = *item;
+	return *item % 2 == 0;
+}
+
+START_TEST(test_filtered)
+{
+	int round, v, w, x, y, z;
+	linked_list_t *list;
+	enumerator_t *enumerator;
+
+	list = linked_list_create_with_items((void*)1, (void*)2, (void*)3, (void*)4,
+										 (void*)5, NULL);
+
+	round = 1;
+	enumerator = enumerator_create_filter(list->create_enumerator(list),
+									(void*)filter, (void*)101, destroy_data);
+	while (enumerator->enumerate(enumerator, &v, &w, &x, &y, &z))
+	{
+		ck_assert_int_eq(v, round);
+		ck_assert_int_eq(w, round + 1);
+		ck_assert_int_eq(x, round + 2);
+		ck_assert_int_eq(y, round + 3);
+		ck_assert_int_eq(z, round + 4);
+		round++;
+	}
+	enumerator->destroy(enumerator);
+	ck_assert_int_eq(round, 6);
+
+	list->destroy(list);
+}
+END_TEST
+
+START_TEST(test_filtered_filter)
+{
+	int count, x;
+	linked_list_t *list;
+	enumerator_t *enumerator;
+
+	list = linked_list_create_with_items((void*)1, (void*)2, (void*)3, (void*)4,
+										 (void*)5, NULL);
+
+	count = 0;
+	/* should also work without destructor, so set this manually */
+	destroy_data_called = 1;
+	enumerator = enumerator_create_filter(list->create_enumerator(list),
+										 (void*)filter_odd, (void*)101, NULL);
+	while (enumerator->enumerate(enumerator, &x))
+	{
+		ck_assert(x % 2 == 0);
+		count++;
+	}
+	enumerator->destroy(enumerator);
+	ck_assert_int_eq(count, 2);
+
+	list->destroy(list);
+}
+END_TEST
+
+/*******************************************************************************
+ * nested test
+ */
+
+static enumerator_t* create_inner(linked_list_t *outer, void *data)
+{
+	fail_if(data != (void*)101, "data does not match '101' in nested constr.");
+	return outer->create_enumerator(outer);
+}
+
+static enumerator_t* create_inner_null(void *outer, void *data)
+{
+	ck_assert(outer == (void*)1);
+	fail_if(data != (void*)101, "data does not match '101' in nested constr.");
+	return NULL;
+}
+
+START_TEST(test_nested)
+{
+	linked_list_t *list, *l1, *l2, *l3;
+	enumerator_t *enumerator;
+	intptr_t x;
+	int round;
+
+	l1 = linked_list_create_with_items((void*)1, (void*)2, NULL);
+	l2 = linked_list_create();
+	l3 = linked_list_create_with_items((void*)3, (void*)4, (void*)5, NULL);
+	list = linked_list_create_with_items(l1, l2, l3, NULL);
+
+	round = 1;
+	enumerator = enumerator_create_nested(list->create_enumerator(list),
+								(void*)create_inner, (void*)101, destroy_data);
+	while (enumerator->enumerate(enumerator, &x))
+	{
+		ck_assert_int_eq(round, x);
+		round++;
+	}
+	enumerator->destroy(enumerator);
+	ck_assert_int_eq(round, 6);
+
+	list->destroy(list);
+	l1->destroy(l1);
+	l2->destroy(l2);
+	l3->destroy(l3);
+}
+END_TEST
+
+START_TEST(test_nested_reset)
+{
+	linked_list_t *list, *l1, *l2, *l3;
+	enumerator_t *outer, *enumerator;
+	intptr_t x;
+	int count = 0;
+
+	l1 = linked_list_create_with_items((void*)1, (void*)2, NULL);
+	l2 = linked_list_create();
+	l3 = linked_list_create_with_items((void*)3, (void*)4, (void*)5, NULL);
+	list = linked_list_create_with_items(l1, l2, l3, NULL);
+
+	outer = list->create_enumerator(list);
+	enumerator = enumerator_create_nested(outer, (void*)create_inner,
+										 (void*)101, destroy_data);
+	while (enumerator->enumerate(enumerator, &x))
+	{
+		count++;
+	}
+	ck_assert_int_eq(count, 5);
+
+	list->reset_enumerator(list, outer);
+	ck_assert(enumerator->enumerate(enumerator, &x));
+	ck_assert_int_eq(x, 1);
+	enumerator->destroy(enumerator);
+
+	list->destroy(list);
+	l1->destroy(l1);
+	l2->destroy(l2);
+	l3->destroy(l3);
+}
+END_TEST
+
+START_TEST(test_nested_empty)
+{
+	linked_list_t *list;
+	enumerator_t *enumerator;
+	intptr_t x;
+	int count;
+
+	list = linked_list_create();
+	count = 0;
+	enumerator = enumerator_create_nested(list->create_enumerator(list),
+								(void*)create_inner, (void*)101, destroy_data);
+	while (enumerator->enumerate(enumerator, &x))
+	{
+		count++;
+	}
+	enumerator->destroy(enumerator);
+	ck_assert_int_eq(count, 0);
+
+	list->destroy(list);
+}
+END_TEST
+
+START_TEST(test_nested_null)
+{
+	linked_list_t *list;
+	enumerator_t *enumerator;
+	intptr_t x;
+	int count;
+
+	list = linked_list_create_with_items((void*)1, NULL);
+
+	count = 0;
+	/* should also work without destructor, so set this manually */
+	destroy_data_called = 1;
+	enumerator = enumerator_create_nested(list->create_enumerator(list),
+									(void*)create_inner_null, (void*)101, NULL);
+	while (enumerator->enumerate(enumerator, &x))
+	{
+		count++;
+	}
+	enumerator->destroy(enumerator);
+	ck_assert_int_eq(count, 0);
+
+	list->destroy(list);
+}
+END_TEST
+
+/*******************************************************************************
+ * cleaner test
+ */
+
+START_TEST(test_cleaner)
+{
+	enumerator_t *enumerator;
+	linked_list_t *list;
+	intptr_t x;
+	int round;
+
+	list = linked_list_create_with_items((void*)1, (void*)2, NULL);
+
+	round = 1;
+	enumerator = enumerator_create_cleaner(list->create_enumerator(list),
+										   destroy_data, (void*)101);
+	while (enumerator->enumerate(enumerator, &x))
+	{
+		ck_assert_int_eq(round, x);
+		round++;
+	}
+	ck_assert_int_eq(round, 3);
+	enumerator->destroy(enumerator);
+	list->destroy(list);
+}
+END_TEST
+
+/*******************************************************************************
+ * single test
+ */
+
+static void single_cleanup(void *data)
+{
+	ck_assert_int_eq((intptr_t)data, 1);
+}
+
+static void do_test_single(enumerator_t *enumerator)
+{
+	intptr_t x;
+
+	ck_assert(enumerator->enumerate(enumerator, &x));
+	ck_assert_int_eq(x, 1);
+	ck_assert(!enumerator->enumerate(enumerator, &x));
+	enumerator->destroy(enumerator);
+}
+
+START_TEST(test_single)
+{
+	enumerator_t *enumerator;
+
+	enumerator = enumerator_create_single((void*)1, NULL);
+	do_test_single(enumerator);
+}
+END_TEST
+
+START_TEST(test_single_cleanup)
+{
+	enumerator_t *enumerator;
+
+	enumerator = enumerator_create_single((void*)1, single_cleanup);
+	do_test_single(enumerator);
+}
+END_TEST
+
+Suite *enumerator_suite_create()
+{
+	Suite *s;
+	TCase *tc;
+
+	s = suite_create("enumerator");
+
+	tc = tcase_create("tokens");
+	tcase_add_loop_test(tc, test_token, 0, countof(token_tests));
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("filtered");
+	tcase_add_checked_fixture(tc, setup_destroy_data, teardown_destroy_data);
+	tcase_add_test(tc, test_filtered);
+	tcase_add_test(tc, test_filtered_filter);
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("nested");
+	tcase_add_checked_fixture(tc, setup_destroy_data, teardown_destroy_data);
+	tcase_add_test(tc, test_nested);
+	tcase_add_test(tc, test_nested_reset);
+	tcase_add_test(tc, test_nested_empty);
+	tcase_add_test(tc, test_nested_null);
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("cleaner");
+	tcase_add_checked_fixture(tc, setup_destroy_data, teardown_destroy_data);
+	tcase_add_test(tc, test_cleaner);
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("single");
+	tcase_add_test(tc, test_single);
+	tcase_add_test(tc, test_single_cleanup);
+	suite_add_tcase(s, tc);
+
+	return s;
+}
diff --git a/src/libstrongswan/tests/test_hashtable.c b/src/libstrongswan/tests/test_hashtable.c
new file mode 100644
index 000000000..8cc7bfe42
--- /dev/null
+++ b/src/libstrongswan/tests/test_hashtable.c
@@ -0,0 +1,346 @@
+/*
+ * Copyright (C) 2010-2013 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "test_suite.h"
+
+#include <collections/hashtable.h>
+#include <utils/chunk.h>
+
+/*******************************************************************************
+ * string hash table functions
+ */
+
+static u_int hash(char *key)
+{
+	return chunk_hash(chunk_from_str(key));
+}
+
+static bool equals(char *key1, char *key2)
+{
+	return streq(key1, key2);
+}
+
+/*******************************************************************************
+ * test fixture
+ */
+
+static hashtable_t *ht;
+
+START_SETUP(setup_ht)
+{
+	ht = hashtable_create((hashtable_hash_t)hash,
+						  (hashtable_equals_t)equals, 0);
+	ck_assert_int_eq(ht->get_count(ht), 0);
+}
+END_SETUP
+
+START_TEARDOWN(teardown_ht)
+{
+	ht->destroy(ht);
+}
+END_TEARDOWN
+
+/*******************************************************************************
+ * put/get
+ */
+
+START_TEST(test_put_get)
+{
+	char *k1 = "key1", *k2 = "key2", *k3 = "key3";
+	char *v1 = "val1", *v2 = "val2", *v3 = "val3", *value;
+
+	value = ht->put(ht, k1, v1);
+	ck_assert_int_eq(ht->get_count(ht), 1);
+	ck_assert(streq(ht->get(ht, k1), v1));
+	ck_assert(ht->get(ht, k2) == NULL);
+	ck_assert(ht->get(ht, k3) == NULL);
+	ck_assert(value == NULL);
+
+	ht->put(ht, k2, v2);
+	ht->put(ht, k3, v3);
+	ck_assert_int_eq(ht->get_count(ht), 3);
+	ck_assert(streq(ht->get(ht, k1), v1));
+	ck_assert(streq(ht->get(ht, k2), v2));
+	ck_assert(streq(ht->get(ht, k3), v3));
+
+	value = ht->put(ht, k2, v1);
+	ck_assert_int_eq(ht->get_count(ht), 3);
+	ck_assert(streq(value, v2));
+	ck_assert(streq(ht->get(ht, k2), v1));
+}
+END_TEST
+
+/*******************************************************************************
+ * get_match
+ */
+
+static u_int hash_match(char *key)
+{
+	return chunk_hash(chunk_create(key, 4));
+}
+
+static bool equal_match(char *key1, char *key2)
+{
+	if (!strneq(key1, key2, 4))
+	{
+		return FALSE;
+	}
+	/* look for an item with a key < than what we look for */
+	return strcmp(key1, key2) >= 0;
+}
+
+START_TEST(test_get_match)
+{
+	char *k1 = "key1_a", *k2 = "key2", *k3 = "key1_b", *k4 = "key1_c";
+	char *v1 = "val1", *v2 = "val2", *v3 = "val3", *value;
+
+	ht = hashtable_create((hashtable_hash_t)hash_match,
+						  (hashtable_equals_t)equals, 0);
+
+	ht->put(ht, k1, v1);
+	ht->put(ht, k2, v2);
+	value = ht->put(ht, k3, v3);
+	ck_assert_int_eq(ht->get_count(ht), 3);
+	ck_assert(streq(ht->get(ht, k1), v1));
+	ck_assert(streq(ht->get(ht, k2), v2));
+	ck_assert(streq(ht->get(ht, k3), v3));
+	ck_assert(value == NULL);
+
+	value = ht->get_match(ht, k1, (hashtable_equals_t)equal_match);
+	ck_assert(value != NULL);
+	ck_assert(streq(value, v1));
+	value = ht->get_match(ht, k2, (hashtable_equals_t)equal_match);
+	ck_assert(value != NULL);
+	ck_assert(streq(value, v2));
+	value = ht->get_match(ht, k3, (hashtable_equals_t)equal_match);
+	ck_assert(value != NULL);
+	ck_assert(streq(value, v1));
+	value = ht->get_match(ht, k4, (hashtable_equals_t)equal_match);
+	ck_assert(value != NULL);
+	ck_assert(streq(value, v1));
+
+	ht->destroy(ht);
+}
+END_TEST
+
+/*******************************************************************************
+ * remove
+ */
+
+static void do_remove(char *k1, char *k2, char *k3)
+{
+	char *v1 = "val1", *v2 = "val2", *v3 = "val3", *value;
+
+	ht->put(ht, k1, v1);
+	ht->put(ht, k2, v2);
+	ht->put(ht, k3, v3);
+
+	value = ht->remove(ht, k2);
+	ck_assert_int_eq(ht->get_count(ht), 2);
+	ck_assert(streq(ht->get(ht, k1), v1));
+	ck_assert(streq(ht->get(ht, k3), v3));
+	ck_assert(streq(value, v2));
+	ck_assert(ht->get(ht, k2) == NULL);
+
+	value = ht->remove(ht, k2);
+	ck_assert_int_eq(ht->get_count(ht), 2);
+	ck_assert(value == NULL);
+
+	value = ht->remove(ht, k1);
+	value = ht->remove(ht, k3);
+	ck_assert_int_eq(ht->get_count(ht), 0);
+	ck_assert(ht->get(ht, k1) == NULL);
+	ck_assert(ht->get(ht, k2) == NULL);
+	ck_assert(ht->get(ht, k3) == NULL);
+}
+
+START_TEST(test_remove)
+{
+	char *k1 = "key1", *k2 = "key2", *k3 = "key3";
+
+	do_remove(k1, k2, k3);
+}
+END_TEST
+
+START_TEST(test_remove_one_bucket)
+{
+	char *k1 = "key1_a", *k2 = "key1_b", *k3 = "key1_c";
+
+	ht->destroy(ht);
+	/* set a capacity to avoid rehashing, which would change the items' order */
+	ht = hashtable_create((hashtable_hash_t)hash_match,
+						  (hashtable_equals_t)equals, 8);
+
+	do_remove(k1, k2, k3);
+}
+END_TEST
+
+/*******************************************************************************
+ * enumerator
+ */
+
+START_TEST(test_enumerator)
+{
+	char *k1 = "key1", *k2 = "key2", *k3 = "key3", *key;
+	char *v1 = "val1", *v2 = "val2", *v3 = "val3", *value;
+	enumerator_t *enumerator;
+	int count;
+
+	ht->put(ht, k1, v1);
+	ht->put(ht, k2, v2);
+	ht->put(ht, k3, v3);
+
+	count = 0;
+	enumerator = ht->create_enumerator(ht);
+	while (enumerator->enumerate(enumerator, &key, &value))
+	{
+		ck_assert(streq(key, k1) || streq(key, k2) || streq(key, k3));
+		ck_assert(streq(value, v1) || streq(value, v2) || streq(value, v3));
+		ck_assert(!streq(key, k1) || streq(value, v1));
+		ck_assert(!streq(key, k2) || streq(value, v2));
+		ck_assert(!streq(key, k3) || streq(value, v3));
+		count++;
+	}
+	enumerator->destroy(enumerator);
+	ck_assert_int_eq(count, 3);
+
+	count = 0;
+	enumerator = ht->create_enumerator(ht);
+	while (enumerator->enumerate(enumerator, NULL, NULL))
+	{
+		count++;
+	}
+	enumerator->destroy(enumerator);
+	ck_assert_int_eq(count, 3);
+
+	value = ht->remove(ht, k1);
+	value = ht->remove(ht, k2);
+	value = ht->remove(ht, k3);
+
+	count = 0;
+	enumerator = ht->create_enumerator(ht);
+	while (enumerator->enumerate(enumerator, &key, &value))
+	{
+		count++;
+	}
+	enumerator->destroy(enumerator);
+	ck_assert_int_eq(count, 0);
+}
+END_TEST
+
+/*******************************************************************************
+ * remove_at
+ */
+
+static void do_remove_at(char *k1, char *k2, char *k3)
+{
+	char *v1 = "val1", *v2 = "val2", *v3 = "val3", *value, *key;
+	enumerator_t *enumerator;
+
+	ht->put(ht, k1, v1);
+	ht->put(ht, k2, v2);
+	ht->put(ht, k3, v3);
+
+	enumerator = ht->create_enumerator(ht);
+	ht->remove_at(ht, enumerator);
+	while (enumerator->enumerate(enumerator, &key, &value))
+	{
+		if (streq(key, k2))
+		{
+			ht->remove_at(ht, enumerator);
+		}
+	}
+	enumerator->destroy(enumerator);
+
+	ck_assert_int_eq(ht->get_count(ht), 2);
+	ck_assert(ht->get(ht, k1) != NULL);
+	ck_assert(ht->get(ht, k3) != NULL);
+	ck_assert(ht->get(ht, k2) == NULL);
+
+	ht->put(ht, k2, v2);
+
+	ck_assert_int_eq(ht->get_count(ht), 3);
+	ck_assert(ht->get(ht, k1) != NULL);
+	ck_assert(ht->get(ht, k2) != NULL);
+	ck_assert(ht->get(ht, k3) != NULL);
+
+	enumerator = ht->create_enumerator(ht);
+	while (enumerator->enumerate(enumerator, &key, &value))
+	{
+		ht->remove_at(ht, enumerator);
+	}
+	enumerator->destroy(enumerator);
+
+	ck_assert_int_eq(ht->get_count(ht), 0);
+	ck_assert(ht->get(ht, k1) == NULL);
+	ck_assert(ht->get(ht, k2) == NULL);
+	ck_assert(ht->get(ht, k3) == NULL);
+}
+
+START_TEST(test_remove_at)
+{
+	char *k1 = "key1", *k2 = "key2", *k3 = "key3";
+
+	do_remove_at(k1, k2, k3);
+}
+END_TEST
+
+START_TEST(test_remove_at_one_bucket)
+{
+	char *k1 = "key1_a", *k2 = "key1_b", *k3 = "key1_c";
+
+	ht->destroy(ht);
+	/* set a capacity to avoid rehashing, which would change the items' order */
+	ht = hashtable_create((hashtable_hash_t)hash_match,
+						  (hashtable_equals_t)equals, 8);
+	do_remove_at(k1, k2, k3);
+}
+END_TEST
+
+Suite *hashtable_suite_create()
+{
+	Suite *s;
+	TCase *tc;
+
+	s = suite_create("hashtable");
+
+	tc = tcase_create("put/get");
+	tcase_add_checked_fixture(tc, setup_ht, teardown_ht);
+	tcase_add_test(tc, test_put_get);
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("get_match");
+	tcase_add_test(tc, test_get_match);
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("remove");
+	tcase_add_checked_fixture(tc, setup_ht, teardown_ht);
+	tcase_add_test(tc, test_remove);
+	tcase_add_test(tc, test_remove_one_bucket);
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("enumerator");
+	tcase_add_checked_fixture(tc, setup_ht, teardown_ht);
+	tcase_add_test(tc, test_enumerator);
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("remove_at");
+	tcase_add_checked_fixture(tc, setup_ht, teardown_ht);
+	tcase_add_test(tc, test_remove_at);
+	tcase_add_test(tc, test_remove_at_one_bucket);
+	suite_add_tcase(s, tc);
+
+	return s;
+}
diff --git a/src/libstrongswan/tests/test_host.c b/src/libstrongswan/tests/test_host.c
new file mode 100644
index 000000000..1a68ffc50
--- /dev/null
+++ b/src/libstrongswan/tests/test_host.c
@@ -0,0 +1,645 @@
+/*
+ * Copyright (C) 2013 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "test_suite.h"
+
+#include <networking/host.h>
+
+/**
+ * Verify a netmask (a number of set bits starting at byte 0)
+ * Can also be used to check for %any (mask == 0)
+ */
+static void verify_netmask(chunk_t addr, int mask)
+{
+	int byte, bit;
+
+	for (byte = 0; byte < addr.len; byte++)
+	{
+		for (bit = 7; bit >= 0; bit--)
+		{
+			int val = (addr.ptr[byte] >> bit) & 0x01;
+			if (mask-- > 0)
+			{
+				ck_assert_int_eq(val, 1);
+			}
+			else
+			{
+				ck_assert_int_eq(val, 0);
+			}
+		}
+	}
+}
+
+/*******************************************************************************
+ * host_create_any
+ */
+
+static void verify_any(host_t *host, int family, u_int16_t port)
+{
+	verify_netmask(host->get_address(host), 0);
+	ck_assert(host->is_anyaddr(host));
+	ck_assert_int_eq(host->get_port(host), port);
+	ck_assert_int_eq(host->get_family(host), family);
+}
+
+static void test_create_any(int family)
+{
+	host_t *host;
+
+	host = host_create_any(family);
+	verify_any(host, family, 0);
+	host->destroy(host);
+}
+
+START_TEST(test_create_any_v4)
+{
+	test_create_any(AF_INET);
+}
+END_TEST
+
+START_TEST(test_create_any_v6)
+{
+	test_create_any(AF_INET6);
+}
+END_TEST
+
+START_TEST(test_create_any_other)
+{
+	host_t *host;
+
+	host = host_create_any(AF_UNSPEC);
+	ck_assert(host == NULL);
+}
+END_TEST
+
+/*******************************************************************************
+ * host_create_from_string
+ */
+
+static void verify_address(host_t *host, chunk_t addr, int family, u_int16_t port)
+{
+	ck_assert(chunk_equals(host->get_address(host), addr));
+	ck_assert(!host->is_anyaddr(host));
+	ck_assert_int_eq(host->get_port(host), port);
+	ck_assert_int_eq(host->get_family(host), family);
+}
+
+static const chunk_t addr_v4 = chunk_from_chars(0xc0, 0xa8, 0x00, 0x01);
+static const chunk_t addr_v6 = chunk_from_chars(0xfe, 0xc1, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+												0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01);
+
+START_TEST(test_create_from_string_v4)
+{
+	host_t *host;
+
+	host = host_create_from_string("%any", 500);
+	verify_any(host, AF_INET, 500);
+	host->destroy(host);
+
+	host = host_create_from_string("%any4", 500);
+	verify_any(host, AF_INET, 500);
+	host->destroy(host);
+
+	host = host_create_from_string("0.0.0.0", 500);
+	verify_any(host, AF_INET, 500);
+	host->destroy(host);
+
+	host = host_create_from_string("192.168.0.1", 500);
+	verify_address(host, addr_v4, AF_INET, 500);
+	host->destroy(host);
+
+	host = host_create_from_string("192.168.0.1::500", 500);
+	ck_assert(host == NULL);
+	host = host_create_from_string("123.456.789.012", 500);
+	ck_assert(host == NULL);
+	host = host_create_from_string("1.1.1.1.1.1.1.1", 500);
+	ck_assert(host == NULL);
+	host = host_create_from_string("foo.b.a.r", 500);
+	ck_assert(host == NULL);
+}
+END_TEST
+
+START_TEST(test_create_from_string_any_v6)
+{
+	host_t *host;
+
+	host = host_create_from_string("%any6", 500);
+	verify_any(host, AF_INET6, 500);
+	host->destroy(host);
+
+	host = host_create_from_string("::", 500);
+	verify_any(host, AF_INET6, 500);
+	host->destroy(host);
+
+	host = host_create_from_string("fec1::1", 500);
+	verify_address(host, addr_v6, AF_INET6, 500);
+	host->destroy(host);
+
+	host = host_create_from_string("fec1::1.500", 500);
+	ck_assert(host == NULL);
+	host = host_create_from_string("f::e::c::1::1", 500);
+	ck_assert(host == NULL);
+	host = host_create_from_string("foo::bar", 500);
+	ck_assert(host == NULL);
+}
+END_TEST
+
+/*******************************************************************************
+ * host_create_from_string_and_family
+ */
+
+static void test_create_from_string_and_family_any(char *string, int family,
+												   int expected)
+{
+	host_t *host;
+
+	host = host_create_from_string_and_family(string, family, 500);
+	if (expected == AF_UNSPEC)
+	{
+		ck_assert(host == NULL);
+	}
+	else
+	{
+		verify_any(host, expected, 500);
+		host->destroy(host);
+	}
+}
+
+static void test_create_from_string_and_family_addr(char *string, chunk_t addr,
+													int family, int expected)
+{
+	host_t *host;
+
+	host = host_create_from_string_and_family(string, family, 500);
+	if (expected == AF_UNSPEC)
+	{
+		ck_assert(host == NULL);
+	}
+	else
+	{
+		verify_address(host, addr, expected, 500);
+		host->destroy(host);
+	}
+}
+
+START_TEST(test_create_from_string_and_family_v4)
+{
+	test_create_from_string_and_family_any("%any", AF_INET, AF_INET);
+	test_create_from_string_and_family_any("%any4", AF_INET, AF_INET);
+	test_create_from_string_and_family_any("0.0.0.0", AF_INET, AF_INET);
+
+	test_create_from_string_and_family_any("%any4", AF_INET6, AF_UNSPEC);
+	test_create_from_string_and_family_any("0.0.0.0", AF_INET6, AF_UNSPEC);
+
+	test_create_from_string_and_family_addr("192.168.0.1", addr_v4, AF_INET, AF_INET);
+	test_create_from_string_and_family_addr("192.168.0.1", addr_v4, AF_INET6, AF_UNSPEC);
+}
+END_TEST
+
+START_TEST(test_create_from_string_and_family_v6)
+{
+	test_create_from_string_and_family_any("%any", AF_INET6, AF_INET6);
+	test_create_from_string_and_family_any("%any6", AF_INET6, AF_INET6);
+	test_create_from_string_and_family_any("::", AF_INET6, AF_INET6);
+
+	test_create_from_string_and_family_any("%any6", AF_INET, AF_UNSPEC);
+	test_create_from_string_and_family_any("::", AF_INET, AF_UNSPEC);
+
+	test_create_from_string_and_family_addr("fec1::1", addr_v6, AF_INET6, AF_INET6);
+	test_create_from_string_and_family_addr("fec1::1", addr_v6, AF_INET, AF_UNSPEC);
+}
+END_TEST
+
+START_TEST(test_create_from_string_and_family_other)
+{
+	test_create_from_string_and_family_any("%any", AF_UNSPEC, AF_INET);
+	test_create_from_string_and_family_any("%any4", AF_UNSPEC, AF_INET);
+	test_create_from_string_and_family_any("0.0.0.0", AF_UNSPEC, AF_INET);
+
+	test_create_from_string_and_family_any("%any6", AF_UNSPEC, AF_INET6);
+	test_create_from_string_and_family_any("::", AF_UNSPEC, AF_INET6);
+
+	test_create_from_string_and_family_addr("192.168.0.1", addr_v4, AF_UNSPEC, AF_INET);
+	test_create_from_string_and_family_addr("fec1::1", addr_v6, AF_UNSPEC, AF_INET6);
+}
+END_TEST
+
+/*******************************************************************************
+ * host_create_from_sockaddr
+ */
+
+START_TEST(test_create_from_sockaddr_v4)
+{
+	struct sockaddr_in addr = {
+		.sin_family = AF_INET,
+		.sin_port = htons(500),
+	}, *val;
+	socklen_t *socklen;
+	host_t *host;
+
+	host = host_create_from_sockaddr((sockaddr_t*)&addr);
+	verify_any(host, AF_INET, 500);
+	val = (struct sockaddr_in*)host->get_sockaddr(host);
+	ck_assert(memeq(&addr, val, sizeof(addr)));
+	socklen = host->get_sockaddr_len(host);
+	ck_assert(*socklen == sizeof(addr));
+	host->destroy(host);
+}
+END_TEST
+
+START_TEST(test_create_from_sockaddr_v6)
+{
+	struct sockaddr_in6 addr = {
+		.sin6_family = AF_INET6,
+		.sin6_port = htons(500),
+	}, *val;
+	socklen_t *socklen;
+	host_t *host;
+
+	host = host_create_from_sockaddr((sockaddr_t*)&addr);
+	verify_any(host, AF_INET6, 500);
+	val = (struct sockaddr_in6*)host->get_sockaddr(host);
+	ck_assert(memeq(&addr, val, sizeof(addr)));
+	socklen = host->get_sockaddr_len(host);
+	ck_assert(*socklen == sizeof(addr));
+	host->destroy(host);
+}
+END_TEST
+
+START_TEST(test_create_from_sockaddr_other)
+{
+	struct sockaddr_un addr = {
+		.sun_family = AF_UNIX,
+	};
+	host_t *host;
+
+	host = host_create_from_sockaddr((sockaddr_t*)&addr);
+	ck_assert(host == NULL);
+}
+END_TEST
+
+/*******************************************************************************
+ * host_create_from_chunk
+ */
+
+START_TEST(test_create_from_chunk_v4)
+{
+	host_t *host;
+
+	host = host_create_from_chunk(AF_INET, addr_v4, 500);
+	verify_address(host, addr_v4, AF_INET, 500);
+	host->destroy(host);
+
+	host = host_create_from_chunk(AF_UNSPEC, addr_v4, 500);
+	verify_address(host, addr_v4, AF_INET, 500);
+	host->destroy(host);
+
+	host = host_create_from_chunk(AF_INET, chunk_empty, 500);
+	ck_assert(host == NULL);
+	host = host_create_from_chunk(AF_UNSPEC, chunk_empty, 500);
+	ck_assert(host == NULL);
+}
+END_TEST
+
+START_TEST(test_create_from_chunk_v6)
+{
+	host_t *host;
+
+	host = host_create_from_chunk(AF_INET6, addr_v6, 500);
+	verify_address(host, addr_v6, AF_INET6, 500);
+	host->destroy(host);
+
+	host = host_create_from_chunk(AF_UNSPEC, addr_v6, 500);
+	verify_address(host, addr_v6, AF_INET6, 500);
+	host->destroy(host);
+
+	host = host_create_from_chunk(AF_INET6, chunk_empty, 500);
+	ck_assert(host == NULL);
+}
+END_TEST
+
+START_TEST(test_create_from_chunk_other)
+{
+	host_t *host;
+
+	host = host_create_from_chunk(AF_UNIX, addr_v6, 500);
+	ck_assert(host == NULL);
+}
+END_TEST
+
+/*******************************************************************************
+ * host_create_from_subnet
+ */
+
+START_TEST(test_create_from_subnet_v4)
+{
+	host_t *host;
+	int bits = -1;
+
+	host = host_create_from_subnet("0.0.0.0/0", &bits);
+	verify_any(host, AF_INET, 0);
+	ck_assert_int_eq(bits, 0);
+	host->destroy(host);
+
+	host = host_create_from_subnet("192.168.0.1", &bits);
+	verify_address(host, addr_v4, AF_INET, 0);
+	ck_assert_int_eq(bits, 32);
+	host->destroy(host);
+
+	host = host_create_from_subnet("192.168.0.1/24", &bits);
+	verify_address(host, addr_v4, AF_INET, 0);
+	ck_assert_int_eq(bits, 24);
+	host->destroy(host);
+
+	host = host_create_from_subnet("foo.b.a.r", &bits);
+	ck_assert(host == NULL);
+}
+END_TEST
+
+START_TEST(test_create_from_subnet_v6)
+{
+	host_t *host;
+	int bits = -1;
+
+	host = host_create_from_subnet("::/0", &bits);
+	verify_any(host, AF_INET6, 0);
+	ck_assert_int_eq(bits, 0);
+	host->destroy(host);
+
+	host = host_create_from_subnet("fec1::1", &bits);
+	verify_address(host, addr_v6, AF_INET6, 0);
+	ck_assert_int_eq(bits, 128);
+	host->destroy(host);
+
+	host = host_create_from_subnet("fec1::1/64", &bits);
+	verify_address(host, addr_v6, AF_INET6, 0);
+	ck_assert_int_eq(bits, 64);
+	host->destroy(host);
+
+	host = host_create_from_subnet("foo::bar", &bits);
+	ck_assert(host == NULL);
+}
+END_TEST
+
+/*******************************************************************************
+ * host_create_netmask
+ */
+
+static void test_create_netmask(int family)
+{
+	host_t *netmask;
+	int i, len = (family == AF_INET) ? 32 : 128;
+
+	netmask = host_create_netmask(family, -1);
+	ck_assert(netmask == NULL);
+	for (i = 0; i <= len; i++)
+	{
+		netmask = host_create_netmask(family, i);
+		verify_netmask(netmask->get_address(netmask), i);
+		netmask->destroy(netmask);
+	}
+	netmask = host_create_netmask(family, len + 1);
+	ck_assert(netmask == NULL);
+}
+
+START_TEST(test_create_netmask_v4)
+{
+	test_create_netmask(AF_INET);
+}
+END_TEST
+
+START_TEST(test_create_netmask_v6)
+{
+	test_create_netmask(AF_INET6);
+}
+END_TEST
+
+START_TEST(test_create_netmask_other)
+{
+	host_t *netmask;
+
+	netmask = host_create_netmask(AF_UNSPEC, 0);
+	ck_assert(netmask == NULL);
+}
+END_TEST
+
+/*******************************************************************************
+ * equals, ip_equals
+ */
+
+START_TEST(test_equals)
+{
+	host_t *a, *b;
+
+	a = host_create_from_string("192.168.0.1", 500);
+	b = host_create_from_string("192.168.0.1", 0);
+	ck_assert(!a->equals(a, b));
+	ck_assert(!b->equals(b, a));
+	ck_assert(a->ip_equals(a, b));
+	ck_assert(b->ip_equals(b, a));
+	b->set_port(b, 500);
+	ck_assert(a->equals(a, b));
+	ck_assert(b->equals(b, a));
+	ck_assert(a->ip_equals(a, b));
+	ck_assert(b->ip_equals(b, a));
+	b->destroy(b);
+	b = host_create_from_string("192.168.0.2", 500);
+	ck_assert(!a->ip_equals(a, b));
+	ck_assert(!a->equals(a, b));
+	b->destroy(b);
+
+	b = host_create_from_string("fec1::1", 500);
+	ck_assert(!a->ip_equals(a, b));
+	ck_assert(!a->equals(a, b));
+	a->destroy(a);
+	a = host_create_from_string("fec1::1", 500);
+	ck_assert(a->equals(a, b));
+	ck_assert(a->ip_equals(a, b));
+	a->destroy(a);
+	b->destroy(b);
+}
+END_TEST
+
+START_TEST(test_equals_any)
+{
+	host_t *a, *b;
+
+	a = host_create_from_string("%any", 500);
+	b = host_create_from_string("%any", 0);
+	ck_assert(!a->equals(a, b));
+	ck_assert(a->ip_equals(a, b));
+	b->set_port(b, 500);
+	ck_assert(a->equals(a, b));
+	ck_assert(a->ip_equals(a, b));
+	b->destroy(b);
+	b = host_create_from_string("%any6", 0);
+	ck_assert(a->ip_equals(a, b));
+	ck_assert(!a->equals(a, b));
+	b->set_port(b, 500);
+	ck_assert(a->ip_equals(a, b));
+	ck_assert(a->equals(a, b));
+	a->destroy(a);
+	b->destroy(b);
+}
+END_TEST
+
+/*******************************************************************************
+ * clone
+ */
+
+START_TEST(test_clone)
+{
+	host_t *a, *b;
+
+	a = host_create_from_string("192.168.0.1", 500);
+	b = a->clone(a);
+	ck_assert(a != b);
+	ck_assert(a->equals(a, b));
+	a->destroy(a);
+	b->destroy(b);
+}
+END_TEST
+
+/*******************************************************************************
+ * printf hook
+ */
+
+static struct {
+	char *addr;
+	u_int16_t port;
+	/* results for %H, %+H, %#H (falls back to [0]) */
+	char *result[3];
+} printf_data[] = {
+	{NULL,          0, { "(null)" }},
+	{NULL,        500, { "(null)" }},
+	{"%any",        0, { "%any", "0.0.0.0", "0.0.0.0[0]" }},
+	{"%any",      500, { "%any", "0.0.0.0", "0.0.0.0[500]" }},
+	{"%any6",       0, { "%any6", "::", "::[0]" }},
+	{"%any6",     500, { "%any6", "::", "::[500]" }},
+	{"192.168.0.1",   0, { "192.168.0.1", "192.168.0.1", "192.168.0.1[0]" }},
+	{"192.168.0.1", 500, { "192.168.0.1", "192.168.0.1", "192.168.0.1[500]" }},
+	{"fec1::1",     0, { "fec1::1", "fec1::1", "fec1::1[0]" }},
+	{"fec1::1",   500, { "fec1::1", "fec1::1", "fec1::1[500]" }},
+};
+
+static void verify_printf(host_t *host, const char *format, char *expected)
+{
+	char buf[64];
+
+	snprintf(buf, sizeof(buf), format, host);
+	ck_assert_str_eq(expected, buf);
+}
+
+START_TEST(test_printf_hook)
+{
+	static const char *formats[] = { "%H", "%+H", "%#H" };
+	host_t *host = NULL;
+	char *expected;
+	int i;
+
+	if (printf_data[_i].addr)
+	{
+		host = host_create_from_string(printf_data[_i].addr,
+									   printf_data[_i].port);
+	}
+	for (i = 0; i < countof(formats); i++)
+	{
+		expected = printf_data[_i].result[i];
+		expected = expected ?: printf_data[_i].result[0];
+		verify_printf(host, formats[i], expected);
+	}
+	DESTROY_IF(host);
+}
+END_TEST
+
+START_TEST(test_printf_hook_align)
+{
+	host_t *host;
+
+	verify_printf(NULL, "%14H", "        (null)");
+	verify_printf(NULL, "%-14H", "(null)        ");
+
+	host = host_create_from_string("192.168.0.1", 0);
+	verify_printf(host, "%14H", "   192.168.0.1");
+	verify_printf(host, "%-14H", "192.168.0.1   ");
+	verify_printf(host, "%4H", "192.168.0.1");
+	verify_printf(host, "%-4H", "192.168.0.1");
+	host->destroy(host);
+}
+END_TEST
+
+Suite *host_suite_create()
+{
+	Suite *s;
+	TCase *tc;
+
+	s = suite_create("host");
+
+	tc = tcase_create("host_create_any");
+	tcase_add_test(tc, test_create_any_v4);
+	tcase_add_test(tc, test_create_any_v6);
+	tcase_add_test(tc, test_create_any_other);
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("host_create_from_string");
+	tcase_add_test(tc, test_create_from_string_v4);
+	tcase_add_test(tc, test_create_from_string_any_v6);
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("host_create_from_string_and_family");
+	tcase_add_test(tc, test_create_from_string_and_family_v4);
+	tcase_add_test(tc, test_create_from_string_and_family_v6);
+	tcase_add_test(tc, test_create_from_string_and_family_other);
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("host_create_from_sockaddr");
+	tcase_add_test(tc, test_create_from_sockaddr_v4);
+	tcase_add_test(tc, test_create_from_sockaddr_v6);
+	tcase_add_test(tc, test_create_from_sockaddr_other);
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("host_create_from_chunk");
+	tcase_add_test(tc, test_create_from_chunk_v4);
+	tcase_add_test(tc, test_create_from_chunk_v6);
+	tcase_add_test(tc, test_create_from_chunk_other);
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("host_create_from_subnet");
+	tcase_add_test(tc, test_create_from_subnet_v4);
+	tcase_add_test(tc, test_create_from_subnet_v6);
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("host_create_netmask");
+	tcase_add_test(tc, test_create_netmask_v4);
+	tcase_add_test(tc, test_create_netmask_v6);
+	tcase_add_test(tc, test_create_netmask_other);
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("equals, ip_equals");
+	tcase_add_test(tc, test_equals);
+	tcase_add_test(tc, test_equals_any);
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("clone");
+	tcase_add_test(tc, test_clone);
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("printf hook");
+	tcase_add_loop_test(tc, test_printf_hook, 0, countof(printf_data));
+	tcase_add_test(tc, test_printf_hook_align);
+	suite_add_tcase(s, tc);
+
+	return s;
+}
diff --git a/src/libstrongswan/tests/test_identification.c b/src/libstrongswan/tests/test_identification.c
new file mode 100644
index 000000000..b0b3ce826
--- /dev/null
+++ b/src/libstrongswan/tests/test_identification.c
@@ -0,0 +1,715 @@
+/*
+ * Copyright (C) 2013 Tobias Brunner
+ * Copyright (C) 2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "test_suite.h"
+
+#include <utils/identification.h>
+
+/*******************************************************************************
+ * create (_from_encoding, _from_data, _from_string, _from_sockaddr)
+ */
+
+START_TEST(test_from_encoding)
+{
+	identification_t *a;
+	chunk_t expected, encoding;
+
+	/* only ID_ANY is handled differently, for all other types the following
+	 * applies.  should we perhaps test that this is in fact the case? */
+	expected = chunk_from_str("moon@strongswan.org");
+	a = identification_create_from_encoding(ID_RFC822_ADDR, expected);
+	ck_assert(ID_RFC822_ADDR == a->get_type(a));
+	encoding = a->get_encoding(a);
+	ck_assert(expected.ptr != encoding.ptr);
+	ck_assert(chunk_equals(expected, encoding));
+	a->destroy(a);
+
+	a = identification_create_from_encoding(ID_ANY, expected);
+	ck_assert(ID_ANY == a->get_type(a));
+	encoding = a->get_encoding(a);
+	ck_assert(encoding.ptr == NULL);
+	ck_assert(encoding.len == 0);
+	a->destroy(a);
+}
+END_TEST
+
+START_TEST(test_from_data)
+{
+	identification_t *a;
+	chunk_t expected, encoding;
+
+	/* this uses the DN parser (C=CH) */
+	expected = chunk_from_chars(0x30, 0x0d, 0x31, 0x0b, 0x30, 0x09, 0x06,
+								0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x43, 0x48);
+	a = identification_create_from_data(expected);
+	ck_assert(ID_DER_ASN1_DN == a->get_type(a));
+	encoding = a->get_encoding(a);
+	ck_assert(expected.ptr != encoding.ptr);
+	ck_assert(chunk_equals(expected, encoding));
+	a->destroy(a);
+
+	/* everything else is handled by the string parser */
+	expected = chunk_from_str("moon@strongswan.org");
+	a = identification_create_from_data(expected);
+	ck_assert(ID_RFC822_ADDR == a->get_type(a));
+	encoding = a->get_encoding(a);
+	ck_assert(expected.ptr != encoding.ptr);
+	ck_assert(chunk_equals(expected, encoding));
+	a->destroy(a);
+}
+END_TEST
+
+START_TEST(test_from_sockaddr)
+{
+	identification_t *a;
+	chunk_t expected, encoding;
+	struct sockaddr_in in = {
+		.sin_family = AF_INET,
+	};
+	struct sockaddr_in6 in6 = {
+		.sin6_family = AF_INET6,
+	};
+
+	expected = chunk_from_chars(0xc0, 0xa8, 0x01, 0x01);
+	memcpy(&in.sin_addr, expected.ptr, sizeof(in.sin_addr));
+	a = identification_create_from_sockaddr((sockaddr_t*)&in);
+	ck_assert(ID_IPV4_ADDR == a->get_type(a));
+	encoding = a->get_encoding(a);
+	ck_assert(chunk_equals(expected, encoding));
+	a->destroy(a);
+
+	expected = chunk_from_chars(0xfe, 0xc0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+								0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01);
+	memcpy(&in6.sin6_addr, expected.ptr, sizeof(in6.sin6_addr));
+	a = identification_create_from_sockaddr((sockaddr_t*)&in6);
+	ck_assert(ID_IPV6_ADDR == a->get_type(a));
+	encoding = a->get_encoding(a);
+	ck_assert(chunk_equals(expected, encoding));
+	a->destroy(a);
+
+	in6.sin6_family = AF_UNSPEC;
+	a = identification_create_from_sockaddr((sockaddr_t*)&in6);
+	ck_assert(ID_ANY == a->get_type(a));
+	a->destroy(a);
+}
+END_TEST
+
+static struct {
+	char *id;
+	id_type_t type;
+	struct {
+		enum {
+			ENC_CHUNK,
+			ENC_STRING,
+			ENC_SIMPLE,
+		} type;
+		union {
+			chunk_t c;
+			char *s;
+		} data;
+	} result;
+} string_data[] = {
+	{NULL,      ID_ANY,  { .type = ENC_CHUNK }},
+	{"",        ID_ANY,  { .type = ENC_CHUNK }},
+	{"%any",    ID_ANY,  { .type = ENC_CHUNK }},
+	{"%any6",   ID_ANY,  { .type = ENC_CHUNK }},
+	{"0.0.0.0", ID_ANY,  { .type = ENC_CHUNK }},
+	{"0::0",    ID_ANY,  { .type = ENC_CHUNK }},
+	{"::",      ID_ANY,  { .type = ENC_CHUNK }},
+	{"*",       ID_ANY,  { .type = ENC_CHUNK }},
+	{"any",     ID_FQDN, { .type = ENC_SIMPLE }},
+	{"any6",    ID_FQDN, { .type = ENC_SIMPLE }},
+	{"0",       ID_FQDN, { .type = ENC_SIMPLE }},
+	{"**",      ID_FQDN, { .type = ENC_SIMPLE }},
+	{"192.168.1.1", ID_IPV4_ADDR, { .type = ENC_CHUNK,
+									.data.c = chunk_from_chars(0xc0, 0xa8, 0x01, 0x01) }},
+	{"192.168.",ID_FQDN, { .type = ENC_SIMPLE }},
+	{".",       ID_FQDN, { .type = ENC_SIMPLE }},
+	{"fec0::1", ID_IPV6_ADDR, { .type = ENC_CHUNK,
+								.data.c = chunk_from_chars(0xfe, 0xc0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+														   0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01) }},
+	{"fec0::",  ID_IPV6_ADDR, { .type = ENC_CHUNK,
+								.data.c = chunk_from_chars(0xfe, 0xc0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+														   0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00) }},
+	{"fec0:",   ID_KEY_ID,    { .type = ENC_SIMPLE }},
+	{":",       ID_KEY_ID,    { .type = ENC_SIMPLE }},
+	{"alice@strongswan.org", ID_RFC822_ADDR, { .type = ENC_SIMPLE }},
+	{"alice@strongswan", ID_RFC822_ADDR, { .type = ENC_SIMPLE }},
+	{"alice@",  ID_RFC822_ADDR, { .type = ENC_SIMPLE }},
+	{"alice",   ID_FQDN, { .type = ENC_SIMPLE }},
+	{"@",       ID_FQDN, { .type = ENC_CHUNK }},
+	{" @",      ID_RFC822_ADDR, { .type = ENC_SIMPLE }},
+	{"@strongswan.org",  ID_FQDN, { .type = ENC_STRING,
+									.data.s = "strongswan.org" }},
+	{"@#deadbeef", ID_KEY_ID, { .type = ENC_CHUNK,
+								.data.c = chunk_from_chars(0xde, 0xad, 0xbe, 0xef) }},
+	{"@#deadbee",  ID_KEY_ID, { .type = ENC_CHUNK,
+								.data.c = chunk_from_chars(0x0d, 0xea, 0xdb, 0xee) }},
+	{"foo=bar",    ID_KEY_ID, { .type = ENC_SIMPLE }},
+	{"foo=",	   ID_KEY_ID, { .type = ENC_SIMPLE }},
+	{"=bar",	   ID_KEY_ID, { .type = ENC_SIMPLE }},
+	{"C=",		   ID_DER_ASN1_DN, { .type = ENC_CHUNK,
+									 .data.c = chunk_from_chars(0x30, 0x0b, 0x31, 0x09, 0x30, 0x07, 0x06,
+																0x03, 0x55, 0x04, 0x06, 0x13, 0x00)}},
+	{"C=CH",	   ID_DER_ASN1_DN, { .type = ENC_CHUNK,
+									 .data.c = chunk_from_chars(0x30, 0x0d, 0x31, 0x0b, 0x30, 0x09, 0x06,
+																0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x43, 0x48)}},
+	{"C=CH,",	   ID_DER_ASN1_DN, { .type = ENC_CHUNK,
+									 .data.c = chunk_from_chars(0x30, 0x0d, 0x31, 0x0b, 0x30, 0x09, 0x06,
+																0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x43, 0x48)}},
+	{"C=CH, ",	   ID_DER_ASN1_DN, { .type = ENC_CHUNK,
+									 .data.c = chunk_from_chars(0x30, 0x0d, 0x31, 0x0b, 0x30, 0x09, 0x06,
+																0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x43, 0x48)}},
+	{"C=CH, O",	   ID_KEY_ID, { .type = ENC_SIMPLE }},
+};
+
+START_TEST(test_from_string)
+{
+	identification_t *a;
+	chunk_t encoding, expected;
+	char *id;
+
+	id = string_data[_i].id;
+	a = identification_create_from_string(id);
+	fail_unless(a->get_type(a) == string_data[_i].type,
+				"type of id '%s' is %N, %N expected", id,
+				id_type_names, a->get_type(a),
+				id_type_names, string_data[_i].type);
+
+	encoding = a->get_encoding(a);
+	switch (string_data[_i].result.type)
+	{
+		case ENC_SIMPLE:
+			expected = chunk_from_str(string_data[_i].id);
+			break;
+		case ENC_STRING:
+			expected = chunk_from_str(string_data[_i].result.data.s);
+			break;
+		case ENC_CHUNK:
+			expected = string_data[_i].result.data.c;
+			break;
+		default:
+			fail("unexpected result type");
+	}
+
+	ck_assert(!id || (char*)encoding.ptr != id);
+	if (expected.ptr)
+	{
+		fail_unless(chunk_equals(encoding, expected),
+					"parsing '%s' failed\nencoding %B\nexpected %B\n",
+					id, &encoding, &expected);
+	}
+	else
+	{
+		ck_assert(encoding.ptr == NULL);
+		ck_assert(encoding.len == 0);
+	}
+	a->destroy(a);
+}
+END_TEST
+
+/*******************************************************************************
+ * printf_hook
+ */
+
+static void string_equals(char *a_str, char *b_str)
+{
+	identification_t *b;
+	char buf[128];
+
+	b = b_str ? identification_create_from_string(b_str) : NULL;
+	snprintf(buf, sizeof(buf), "%Y", b);
+	DESTROY_IF(b);
+	ck_assert_str_eq(a_str, buf);
+}
+
+static void string_equals_id(char *a_str, identification_t *b)
+{
+	char buf[128];
+
+	snprintf(buf, sizeof(buf), "%Y", b);
+	DESTROY_IF(b);
+	ck_assert_str_eq(a_str, buf);
+}
+
+START_TEST(test_printf_hook)
+{
+	string_equals("(null)", NULL);
+	string_equals("%any", "");
+	string_equals("%any", "%any");
+	string_equals("%any", "*");
+
+	string_equals("192.168.1.1", "192.168.1.1");
+	string_equals_id("(invalid ID_IPV4_ADDR)",
+				identification_create_from_encoding(ID_IPV4_ADDR, chunk_empty));
+	string_equals("fec0::1", "fec0::1");
+	string_equals("fec0::1", "fec0:0:0::1");
+	string_equals_id("(invalid ID_IPV6_ADDR)",
+				identification_create_from_encoding(ID_IPV6_ADDR, chunk_empty));
+
+	string_equals_id("(unknown ID type: 255)",
+				identification_create_from_encoding(255, chunk_empty));
+
+	string_equals("moon@strongswan.org", "moon@strongswan.org");
+	string_equals("MOON@STRONGSWAN.ORG", "MOON@STRONGSWAN.ORG");
+	/* non-printable characters */
+	string_equals_id("????@strongswan.org", identification_create_from_encoding(ID_RFC822_ADDR,
+			chunk_from_chars(0xfa, 0xfb, 0xfc, 0xfd, 0x40, 0x73, 0x74, 0x72,
+							 0x6f, 0x6e, 0x67, 0x73, 0x77, 0x61, 0x6e, 0x2e,
+							 0x6f, 0x72, 0x67)));
+
+	/* not a DN => ID_KEY_ID => no normalization */
+	string_equals("C=CH, AsdF=asdf", "C=CH, AsdF=asdf");
+	string_equals_id("moon@strongswan.org", identification_create_from_encoding(ID_KEY_ID,
+			chunk_from_str("moon@strongswan.org")));
+	/* non-printable characters */
+	string_equals_id("de:ad:be:ef", identification_create_from_encoding(ID_KEY_ID,
+			chunk_from_chars(0xde, 0xad, 0xbe, 0xef)));
+	/* printable characters */
+	string_equals_id("ABCDEFGHIJKLMNOPQRS",
+		identification_create_from_encoding(ID_KEY_ID,
+			chunk_from_chars(0x41, 0x42, 0x43, 0x44, 0x45, 0x46, 0x47, 0x48,
+							 0x49, 0x4a, 0x4b, 0x4c, 0x4d, 0x4e, 0x4f, 0x50,
+							 0x51, 0x52, 0x53)));
+	/* ABCDEFGHIJKLMNOPQRST is printable but has the length of a SHA1 hash */
+	string_equals_id("41:42:43:44:45:46:47:48:49:4a:4b:4c:4d:4e:4f:50:51:52:53:54",
+		identification_create_from_encoding(ID_KEY_ID,
+			chunk_from_chars(0x41, 0x42, 0x43, 0x44, 0x45, 0x46, 0x47, 0x48,
+							 0x49, 0x4a, 0x4b, 0x4c, 0x4d, 0x4e, 0x4f, 0x50,
+							 0x51, 0x52, 0x53, 0x54)));
+
+	string_equals_id("", identification_create_from_encoding(ID_DER_ASN1_DN, chunk_empty));
+	string_equals("C=", "C=");
+	string_equals("C=", "C=,");
+	string_equals("C=", "C=, ");
+	string_equals("C=", "C= , ");
+	string_equals("C=, O=strongSwan", "C=, O=strongSwan");
+	string_equals("C=CH, O=", "C=CH, O=");
+	string_equals("C=CH, O=strongSwan, CN=strongswan.org",
+				  "C=CH, O=strongSwan, CN=strongswan.org");
+	string_equals("CN=strongswan.org, O=strongSwan, C=CH",
+				  "cn=strongswan.org, o=strongSwan, c=CH");
+	string_equals("C=CH, O=strongSwan, CN=strongswan.org",
+				  "C=CH,O=strongSwan,CN=strongswan.org");
+	string_equals("C=CH, O=strongSwan, CN=strongswan.org",
+				  "/C=CH/O=strongSwan/CN=strongswan.org");
+	string_equals("CN=strongswan.org, O=strongSwan, C=CH",
+				  "CN=strongswan.org,O=strongSwan,C=CH");
+
+	string_equals("C=CH, E=moon@strongswan.org, CN=moon",
+				  "C=CH, email=moon@strongswan.org, CN=moon");
+	string_equals("C=CH, E=moon@strongswan.org, CN=moon",
+				  "C=CH, emailAddress=moon@strongswan.org, CN=moon");
+
+	/* C=CH, pseudonym=ANO (pseudonym is currently not recognized) */
+	string_equals_id("C=CH, 55:04:41=ANO", identification_create_from_encoding(ID_DER_ASN1_DN,
+		chunk_from_chars(0x30, 0x19, 0x31, 0x17, 0x30, 0x09, 0x06, 0x03, 0x55,
+						 0x04, 0x06, 0x13, 0x02, 0x43, 0x48, 0x30, 0x0a, 0x06,
+						 0x03, 0x55, 0x04, 0x41, 0x13, 0x03, 0x41, 0x4e, 0x4f)));
+	/* C=CH, O=strongSwan (but instead of a 2nd OID -0x06- we got NULL -0x05) */
+	string_equals_id("C=CH, (invalid ID_DER_ASN1_DN)", identification_create_from_encoding(ID_DER_ASN1_DN,
+		chunk_from_chars(0x30, 0x20, 0x31, 0x1e, 0x30, 0x09, 0x06, 0x03, 0x55,
+						 0x04, 0x06, 0x13, 0x02, 0x43, 0x48, 0x30, 0x11, 0x05,
+						 0x03, 0x55, 0x04, 0x0a, 0x13, 0x0a, 0x73, 0x74, 0x72,
+						 0x6f, 0x6e, 0x67, 0x53, 0x77, 0x61, 0x6e)));
+	/* moon@strongswan.org as GN */
+	string_equals_id("(ASN.1 general name)", identification_create_from_encoding(ID_DER_ASN1_GN,
+		chunk_from_chars(0x81, 0x14, 0x6d, 0x6f, 0x6f, 0x6e, 0x40, 0x73, 0x74,
+						 0x72, 0x6f, 0x6e, 0x67, 0x73, 0x77, 0x61, 0x6e, 0x2e,
+						 0x6f, 0x72, 0x67)));
+}
+END_TEST
+
+START_TEST(test_printf_hook_width)
+{
+	identification_t *a;
+	char buf[128];
+
+	a = identification_create_from_string("moon@strongswan.org");
+	snprintf(buf, sizeof(buf), "%25Y", a);
+	ck_assert_str_eq("      moon@strongswan.org", buf);
+	snprintf(buf, sizeof(buf), "%-*Y", 25, a);
+	ck_assert_str_eq("moon@strongswan.org      ", buf);
+	snprintf(buf, sizeof(buf), "%5Y", a);
+	ck_assert_str_eq("moon@strongswan.org", buf);
+	DESTROY_IF(a);
+}
+END_TEST
+
+/*******************************************************************************
+ * equals
+ */
+
+static bool id_equals(identification_t *a, char *b_str)
+{
+	identification_t *b;
+	bool equals;
+
+	b = identification_create_from_string(b_str);
+	equals = a->equals(a, b);
+	equals = equals && b->equals(b, a);
+	b->destroy(b);
+	return equals;
+}
+
+START_TEST(test_equals)
+{
+	identification_t *a;
+	chunk_t encoding, fuzzed;
+	int i;
+
+	/* this test also tests identification_create_from_string with DNs */
+	a = identification_create_from_string(
+							 "C=CH, E=moon@strongswan.org, CN=moon");
+
+	ck_assert(id_equals(a, "C=CH, E=moon@strongswan.org, CN=moon"));
+	ck_assert(id_equals(a, "C==CH, E==moon@strongswan.org,,, CN==moon"));
+	ck_assert(id_equals(a, "  C=CH, E=moon@strongswan.org, CN=moon  "));
+	ck_assert(id_equals(a, "C=ch, E=moon@STRONGSWAN.ORG, CN=Moon"));
+	ck_assert(id_equals(a, "/C=CH/E=moon@strongswan.org/CN=moon"));
+	ck_assert(id_equals(a, "C=CH/E=moon@strongswan.org/CN=moon"));
+	ck_assert(id_equals(a, "C=CH/E=moon@strongswan.org,CN=moon"));
+	ck_assert(id_equals(a, "C=CH / E=moon@strongswan.org , CN=moon"));
+
+	ck_assert(!id_equals(a, "C=CH E=moon@strongswan.org CN=moon"));
+	ck_assert(!id_equals(a, "C=CN, E=moon@strongswan.org, CN=moon"));
+	ck_assert(!id_equals(a, "E=moon@strongswan.org, C=CH, CN=moon"));
+	ck_assert(!id_equals(a, "E=moon@strongswan.org, C=CH, CN=moon"));
+
+	encoding = chunk_clone(a->get_encoding(a));
+	a->destroy(a);
+
+	/* simple fuzzing, increment each byte of encoding */
+	for (i = 0; i < encoding.len; i++)
+	{
+		if (i == 11 || i == 30 || i == 60)
+		{	/* skip ASN.1 type fields, as equals() handles them graceful */
+			continue;
+		}
+		fuzzed = chunk_clone(encoding);
+		fuzzed.ptr[i]++;
+		a = identification_create_from_encoding(ID_DER_ASN1_DN, fuzzed);
+		if (id_equals(a, "C=CH, E=moon@strongswan.org, CN=moon"))
+		{
+			printf("%d %B\n%B\n", i, &fuzzed, &encoding);
+		}
+		ck_assert(!id_equals(a, "C=CH, E=moon@strongswan.org, CN=moon"));
+		a->destroy(a);
+		free(fuzzed.ptr);
+	}
+
+	/* and decrement each byte of encoding */
+	for (i = 0; i < encoding.len; i++)
+	{
+		if (i == 11 || i == 30 || i == 60)
+		{
+			continue;
+		}
+		fuzzed = chunk_clone(encoding);
+		fuzzed.ptr[i]--;
+		a = identification_create_from_encoding(ID_DER_ASN1_DN, fuzzed);
+		ck_assert(!id_equals(a, "C=CH, E=moon@strongswan.org, CN=moon"));
+		a->destroy(a);
+		free(fuzzed.ptr);
+	}
+	free(encoding.ptr);
+}
+END_TEST
+
+START_TEST(test_equals_any)
+{
+	identification_t *a, *b;
+
+	a = identification_create_from_string("%any");
+	b = identification_create_from_encoding(ID_ANY, chunk_empty);
+	ck_assert(a->equals(a, b));
+	ck_assert(b->equals(b, a));
+	b->destroy(b);
+
+	b = identification_create_from_string("C=CH, O=strongSwan, CN=strongswan.org");
+	ck_assert(!a->equals(a, b));
+	ck_assert(!b->equals(b, a));
+	a->destroy(a);
+	b->destroy(b);
+}
+END_TEST
+
+START_TEST(test_equals_binary)
+{
+	identification_t *a, *b;
+	chunk_t encoding;
+
+	encoding = chunk_from_str("foobar=");
+	/* strings containing = are parsed as KEY_ID if they aren't valid ASN.1 DNs */
+	a = identification_create_from_string("foobar=");
+	ck_assert(a->get_type(a) == ID_KEY_ID);
+	b = identification_create_from_encoding(ID_KEY_ID, encoding);
+	ck_assert(a->equals(a, b));
+	a->destroy(a);
+	b->destroy(b);
+}
+END_TEST
+
+START_TEST(test_equals_fqdn)
+{
+	identification_t *a;
+
+	a = identification_create_from_string("ipsec.strongswan.org");
+	ck_assert(id_equals(a, "IPSEC.strongswan.org"));
+	ck_assert(id_equals(a, "ipsec.strongSwan.org"));
+	ck_assert(id_equals(a, "ipsec.strongSwan.ORG"));
+	ck_assert(!id_equals(a, "strongswan.org"));
+	a->destroy(a);
+}
+END_TEST
+
+/*******************************************************************************
+ * matches
+ */
+
+static bool id_matches(identification_t *a, char *b_str, id_match_t expected)
+{
+	identification_t *b;
+	id_match_t match;
+
+	b = identification_create_from_string(b_str);
+	match = a->matches(a, b);
+	b->destroy(b);
+	return match == expected;
+}
+
+START_TEST(test_matches)
+{
+	identification_t *a;
+
+	a = identification_create_from_string("C=CH, E=moon@strongswan.org, CN=moon");
+
+	ck_assert(id_matches(a, "C=CH, E=moon@strongswan.org, CN=moon", ID_MATCH_PERFECT));
+	ck_assert(id_matches(a, "C=CH, E=*, CN=moon", ID_MATCH_ONE_WILDCARD));
+	ck_assert(id_matches(a, "C=CH, E=*, CN=*", ID_MATCH_ONE_WILDCARD - 1));
+	ck_assert(id_matches(a, "C=*, E=*, CN=*", ID_MATCH_ONE_WILDCARD - 2));
+	ck_assert(id_matches(a, "C=*, E=*, CN=*, O=BADInc", ID_MATCH_NONE));
+	ck_assert(id_matches(a, "C=*, E=*", ID_MATCH_NONE));
+	ck_assert(id_matches(a, "C=*, E=a@b.c, CN=*", ID_MATCH_NONE));
+	ck_assert(id_matches(a, "%any", ID_MATCH_ANY));
+
+	a->destroy(a);
+}
+END_TEST
+
+START_TEST(test_matches_any)
+{
+	identification_t *a;
+
+	a = identification_create_from_string("%any");
+
+	ck_assert(id_matches(a, "%any", ID_MATCH_ANY));
+	ck_assert(id_matches(a, "", ID_MATCH_ANY));
+	ck_assert(id_matches(a, "*", ID_MATCH_ANY));
+	ck_assert(id_matches(a, "moon@strongswan.org", ID_MATCH_NONE));
+	ck_assert(id_matches(a, "vpn.strongswan.org", ID_MATCH_NONE));
+	a->destroy(a);
+}
+END_TEST
+
+START_TEST(test_matches_binary)
+{
+	identification_t *a;
+
+	/* strings containing = are parsed as KEY_ID if they aren't valid ASN.1 DNs */
+	a = identification_create_from_string("foo=bar");
+	ck_assert(a->get_type(a) == ID_KEY_ID);
+	ck_assert(id_matches(a, "%any", ID_MATCH_ANY));
+	ck_assert(id_matches(a, "foo=bar", ID_MATCH_PERFECT));
+	ck_assert(id_matches(a, "bar=foo", ID_MATCH_NONE));
+	ck_assert(id_matches(a, "*=bar", ID_MATCH_NONE));
+	ck_assert(id_matches(a, "foo=*", ID_MATCH_NONE));
+	ck_assert(id_matches(a, "foo@bar", ID_MATCH_NONE));
+	a->destroy(a);
+}
+END_TEST
+
+START_TEST(test_matches_string)
+{
+	identification_t *a;
+
+	a = identification_create_from_string("moon@strongswan.org");
+
+	ck_assert(id_matches(a, "moon@strongswan.org", ID_MATCH_PERFECT));
+	ck_assert(id_matches(a, "*@strongswan.org", ID_MATCH_ONE_WILDCARD));
+	ck_assert(id_matches(a, "*@*.org", ID_MATCH_NONE));
+	ck_assert(id_matches(a, "*@*", ID_MATCH_NONE));
+	/* the following two are parsed as ID_FQDN, so no match */
+	ck_assert(id_matches(a, "*strongswan.org", ID_MATCH_NONE));
+	ck_assert(id_matches(a, "*.org", ID_MATCH_NONE));
+	ck_assert(id_matches(a, "moon@*", ID_MATCH_NONE));
+	ck_assert(id_matches(a, "**", ID_MATCH_NONE));
+	ck_assert(id_matches(a, "*", ID_MATCH_ANY));
+	ck_assert(id_matches(a, "%any", ID_MATCH_ANY));
+	a->destroy(a);
+
+	a = identification_create_from_string("vpn.strongswan.org");
+
+	ck_assert(id_matches(a, "vpn.strongswan.org", ID_MATCH_PERFECT));
+	ck_assert(id_matches(a, "*.strongswan.org", ID_MATCH_ONE_WILDCARD));
+	ck_assert(id_matches(a, "*strongswan.org", ID_MATCH_ONE_WILDCARD));
+	ck_assert(id_matches(a, "*.org", ID_MATCH_ONE_WILDCARD));
+	ck_assert(id_matches(a, "*.strongswan.*", ID_MATCH_NONE));
+	ck_assert(id_matches(a, "*vpn.strongswan.org", ID_MATCH_NONE));
+	ck_assert(id_matches(a, "vpn.strongswan.*", ID_MATCH_NONE));
+	ck_assert(id_matches(a, "**", ID_MATCH_NONE));
+	ck_assert(id_matches(a, "*", ID_MATCH_ANY));
+	ck_assert(id_matches(a, "%any", ID_MATCH_ANY));
+	a->destroy(a);
+}
+END_TEST
+
+/*******************************************************************************
+ * identification part enumeration
+ */
+
+START_TEST(test_parts)
+{
+	identification_t *id;
+	enumerator_t *enumerator;
+	id_part_t part;
+	chunk_t data;
+	int i = 0;
+
+	id = identification_create_from_string("C=CH, O=strongSwan, CN=tester");
+
+	enumerator = id->create_part_enumerator(id);
+	while (enumerator->enumerate(enumerator, &part, &data))
+	{
+		switch (i++)
+		{
+			case 0:
+				ck_assert(part == ID_PART_RDN_C &&
+						  chunk_equals(data, chunk_create("CH", 2)));
+				break;
+			case 1:
+				ck_assert(part == ID_PART_RDN_O &&
+						  chunk_equals(data, chunk_from_str("strongSwan")));
+				break;
+			case 2:
+				ck_assert(part == ID_PART_RDN_CN &&
+						  chunk_equals(data, chunk_from_str("tester")));
+				break;
+			default:
+				fail("unexpected identification part %d", part);
+		}
+	}
+	ck_assert_int_eq(i, 3);
+	enumerator->destroy(enumerator);
+	id->destroy(id);
+}
+END_TEST
+
+/*******************************************************************************
+ * wildcards
+ */
+
+static bool id_contains_wildcards(char *string)
+{
+	identification_t *id;
+	bool contains;
+
+	id = identification_create_from_string(string);
+	contains = id->contains_wildcards(id);
+	id->destroy(id);
+	return contains;
+}
+
+START_TEST(test_contains_wildcards)
+{
+	ck_assert(id_contains_wildcards("%any"));
+	ck_assert(id_contains_wildcards("C=*, O=strongSwan, CN=gw"));
+	ck_assert(id_contains_wildcards("C=CH, O=strongSwan, CN=*"));
+	ck_assert(id_contains_wildcards("*@strongswan.org"));
+	ck_assert(id_contains_wildcards("*.strongswan.org"));
+	ck_assert(!id_contains_wildcards("C=**, O=a*, CN=*a"));
+}
+END_TEST
+
+/*******************************************************************************
+ * clone
+ */
+
+START_TEST(test_clone)
+{
+	identification_t *a, *b;
+	chunk_t a_enc, b_enc;
+
+	a = identification_create_from_string("moon@strongswan.org");
+	a_enc = a->get_encoding(a);
+	b = a->clone(a);
+	ck_assert(b != NULL);
+	ck_assert(a != b);
+	b_enc = b->get_encoding(b);
+	ck_assert(a_enc.ptr != b_enc.ptr);
+	ck_assert(chunk_equals(a_enc, b_enc));
+	a->destroy(a);
+	b->destroy(b);
+}
+END_TEST
+
+Suite *identification_suite_create()
+{
+	Suite *s;
+	TCase *tc;
+
+	s = suite_create("identification");
+
+	tc = tcase_create("create");
+	tcase_add_test(tc, test_from_encoding);
+	tcase_add_test(tc, test_from_data);
+	tcase_add_test(tc, test_from_sockaddr);
+	tcase_add_loop_test(tc, test_from_string, 0, countof(string_data));
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("printf_hook");
+	tcase_add_test(tc, test_printf_hook);
+	tcase_add_test(tc, test_printf_hook_width);
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("equals");
+	tcase_add_test(tc, test_equals);
+	tcase_add_test(tc, test_equals_any);
+	tcase_add_test(tc, test_equals_binary);
+	tcase_add_test(tc, test_equals_fqdn);
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("matches");
+	tcase_add_test(tc, test_matches);
+	tcase_add_test(tc, test_matches_any);
+	tcase_add_test(tc, test_matches_binary);
+	tcase_add_test(tc, test_matches_string);
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("part enumeration");
+	tcase_add_test(tc, test_parts);
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("wildcards");
+	tcase_add_test(tc, test_contains_wildcards);
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("clone");
+	tcase_add_test(tc, test_clone);
+	suite_add_tcase(s, tc);
+
+	return s;
+}
diff --git a/src/libstrongswan/tests/test_linked_list.c b/src/libstrongswan/tests/test_linked_list.c
new file mode 100644
index 000000000..9e85c58d8
--- /dev/null
+++ b/src/libstrongswan/tests/test_linked_list.c
@@ -0,0 +1,386 @@
+/*
+ * Copyright (C) 2013 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "test_suite.h"
+
+#include <collections/linked_list.h>
+
+/*******************************************************************************
+ * test fixture
+ */
+
+static linked_list_t *list;
+
+START_SETUP(setup_list)
+{
+	void *x = NULL;
+
+	list = linked_list_create();
+	ck_assert_int_eq(list->get_count(list), 0);
+	ck_assert(list->get_first(list, &x) == NOT_FOUND);
+	ck_assert(list->get_last(list, &x) == NOT_FOUND);
+}
+END_SETUP
+
+START_TEARDOWN(teardown_list)
+{
+	list->destroy(list);
+}
+END_TEARDOWN
+
+/*******************************************************************************
+ * insert first/last
+ */
+
+START_TEST(test_insert_first)
+{
+	void *a = (void*)1, *b = (void*)2, *x = NULL;
+
+	list->insert_first(list, a);
+	ck_assert_int_eq(list->get_count(list), 1);
+	ck_assert(list->get_first(list, &x) == SUCCESS);
+	ck_assert(x == a);
+	ck_assert(list->get_last(list, &x) == SUCCESS);
+	ck_assert(x == a);
+
+	list->insert_first(list, b);
+	ck_assert_int_eq(list->get_count(list), 2);
+	ck_assert(list->get_first(list, &x) == SUCCESS);
+	ck_assert(x == b);
+	ck_assert(list->get_last(list, &x) == SUCCESS);
+	ck_assert(x == a);
+}
+END_TEST
+
+START_TEST(test_insert_last)
+{
+	void *a = (void*)1, *b = (void*)2, *x = NULL;
+
+	list->insert_last(list, a);
+	ck_assert_int_eq(list->get_count(list), 1);
+	ck_assert(list->get_first(list, &x) == SUCCESS);
+	ck_assert(x == a);
+	ck_assert(list->get_last(list, &x) == SUCCESS);
+	ck_assert(x == a);
+
+	list->insert_last(list, b);
+	ck_assert_int_eq(list->get_count(list), 2);
+	ck_assert(list->get_first(list, &x) == SUCCESS);
+	ck_assert(x == a);
+	ck_assert(list->get_last(list, &x) == SUCCESS);
+	ck_assert(x == b);
+}
+END_TEST
+
+/*******************************************************************************
+ * remove first/last
+ */
+
+START_TEST(test_remove_first)
+{
+	void *a = (void*)1, *b = (void*)2, *x = NULL;
+
+	list->insert_first(list, a);
+	list->insert_first(list, b);
+	ck_assert(list->remove_first(list, &x) == SUCCESS);
+	ck_assert_int_eq(list->get_count(list), 1);
+	ck_assert(x == b);
+	ck_assert(list->remove_first(list, &x) == SUCCESS);
+	ck_assert_int_eq(list->get_count(list), 0);
+	ck_assert(x == a);
+	ck_assert(list->remove_first(list, &x) == NOT_FOUND);
+	ck_assert(list->remove_last(list, &x) == NOT_FOUND);
+}
+END_TEST
+
+START_TEST(test_remove_last)
+{
+	void *a = (void*)1, *b = (void*)2, *x = NULL;
+
+	list->insert_first(list, a);
+	list->insert_first(list, b);
+	ck_assert(list->remove_last(list, &x) == SUCCESS);
+	ck_assert_int_eq(list->get_count(list), 1);
+	ck_assert(x == a);
+	ck_assert(list->remove_last(list, &x) == SUCCESS);
+	ck_assert_int_eq(list->get_count(list), 0);
+	ck_assert(x == b);
+	ck_assert(list->remove_first(list, &x) == NOT_FOUND);
+	ck_assert(list->remove_last(list, &x) == NOT_FOUND);
+}
+END_TEST
+
+/*******************************************************************************
+ * helper function for remove and find tests
+ */
+
+static bool match_a(void *item, void *a)
+{
+	ck_assert(a == (void*)1);
+	return item == a;
+}
+
+static bool match_b(void *item, void *b)
+{
+	ck_assert(b == (void*)2);
+	return item == b;
+}
+
+/*******************************************************************************
+ * remove
+ */
+
+START_TEST(test_remove)
+{
+	void *a = (void*)1, *b = (void*)2;
+
+	list->insert_first(list, a);
+	ck_assert(list->remove(list, a, NULL) == 1);
+	ck_assert_int_eq(list->get_count(list), 0);
+
+	list->insert_last(list, a);
+	list->insert_last(list, a);
+	list->insert_last(list, a);
+	list->insert_last(list, b);
+	ck_assert(list->remove(list, a, NULL) == 3);
+	ck_assert(list->remove(list, a, NULL) == 0);
+	ck_assert_int_eq(list->get_count(list), 1);
+	ck_assert(list->remove(list, b, NULL) == 1);
+	ck_assert(list->remove(list, b, NULL) == 0);
+}
+END_TEST
+
+START_TEST(test_remove_callback)
+{
+	void *a = (void*)1, *b = (void*)2;
+
+	list->insert_last(list, a);
+	list->insert_last(list, b);
+	list->insert_last(list, a);
+	list->insert_last(list, b);
+	ck_assert(list->remove(list, a, match_a) == 2);
+	ck_assert(list->remove(list, a, match_a) == 0);
+	ck_assert_int_eq(list->get_count(list), 2);
+	ck_assert(list->remove(list, b, match_b) == 2);
+	ck_assert(list->remove(list, b, match_b) == 0);
+	ck_assert_int_eq(list->get_count(list), 0);
+}
+END_TEST
+
+/*******************************************************************************
+ * find
+ */
+
+static bool match_a_b(void *item, void *a, void *b)
+{
+	ck_assert(a == (void*)1);
+	ck_assert(b == (void*)2);
+	return item == a || item == b;
+}
+
+START_TEST(test_find)
+{
+	void *a = (void*)1, *b = (void*)2;
+
+	ck_assert(list->find_first(list, NULL, &a) == NOT_FOUND);
+	list->insert_last(list, a);
+	ck_assert(list->find_first(list, NULL, &a) == SUCCESS);
+	ck_assert(list->find_first(list, NULL, &b) == NOT_FOUND);
+	list->insert_last(list, b);
+	ck_assert(list->find_first(list, NULL, &a) == SUCCESS);
+	ck_assert(list->find_first(list, NULL, &b) == SUCCESS);
+
+	ck_assert(list->find_first(list, NULL, NULL) == NOT_FOUND);
+}
+END_TEST
+
+START_TEST(test_find_callback)
+{
+	void *a = (void*)1, *b = (void*)2, *x = NULL;
+
+	ck_assert(list->find_first(list, (linked_list_match_t)match_a_b, &x, a, b) == NOT_FOUND);
+	list->insert_last(list, a);
+	ck_assert(list->find_first(list, (linked_list_match_t)match_a, NULL, a) == SUCCESS);
+	x = NULL;
+	ck_assert(list->find_first(list, (linked_list_match_t)match_a, &x, a) == SUCCESS);
+	ck_assert(a == x);
+	ck_assert(list->find_first(list, (linked_list_match_t)match_b, &x, b) == NOT_FOUND);
+	ck_assert(a == x);
+	x = NULL;
+	ck_assert(list->find_first(list, (linked_list_match_t)match_a_b, &x, a, b) == SUCCESS);
+	ck_assert(a == x);
+
+	list->insert_last(list, b);
+	ck_assert(list->find_first(list, (linked_list_match_t)match_a, &x, a) == SUCCESS);
+	ck_assert(a == x);
+	ck_assert(list->find_first(list, (linked_list_match_t)match_b, &x, b) == SUCCESS);
+	ck_assert(b == x);
+	x = NULL;
+	ck_assert(list->find_first(list, (linked_list_match_t)match_a_b, &x, a, b) == SUCCESS);
+	ck_assert(a == x);
+}
+END_TEST
+
+/*******************************************************************************
+ * invoke
+ */
+
+typedef struct invoke_t invoke_t;
+
+struct invoke_t {
+	int val;
+	void (*invoke)(invoke_t *item, void *a, void *b, void *c, void *d, int *sum);
+};
+
+static void invoke(intptr_t item, void *a, void *b, void *c, void *d, int *sum)
+{
+	ck_assert(a == (void*)1);
+	ck_assert(b == (void*)2);
+	ck_assert(c == (void*)3);
+	ck_assert(d == (void*)4);
+	*sum += item;
+}
+
+static void invoke_offset(invoke_t *item, void *a, void *b, void *c, void *d, int *sum)
+{
+	invoke(item->val, a, b, c, d, sum);
+}
+
+START_TEST(test_invoke_function)
+{
+	int sum = 0;
+
+	list->insert_last(list, (void*)1);
+	list->insert_last(list, (void*)2);
+	list->insert_last(list, (void*)3);
+	list->insert_last(list, (void*)4);
+	list->insert_last(list, (void*)5);
+	list->invoke_function(list, (linked_list_invoke_t)invoke, 1, 2, 3, 4, &sum);
+	ck_assert_int_eq(sum, 15);
+}
+END_TEST
+
+START_TEST(test_invoke_offset)
+{
+	invoke_t items[] = {
+		{ .val = 1, .invoke = invoke_offset, },
+		{ .val = 2, .invoke = invoke_offset, },
+		{ .val = 3, .invoke = invoke_offset, },
+		{ .val = 4, .invoke = invoke_offset, },
+		{ .val = 5, .invoke = invoke_offset, },
+	};
+	int i, sum = 0;
+
+	for (i = 0; i < countof(items); i++)
+	{
+		list->insert_last(list, &items[i]);
+	}
+	list->invoke_offset(list, offsetof(invoke_t, invoke), 1, 2, 3, 4, &sum);
+	ck_assert_int_eq(sum, 15);
+}
+END_TEST
+
+/*******************************************************************************
+ * clone
+ */
+
+typedef struct clone_t clone_t;
+
+struct clone_t {
+	void *val;
+	void *(*clone)(clone_t *item);
+};
+
+static void *clone(clone_t *item)
+{
+	return item->val;
+}
+
+static void test_clone(linked_list_t *list)
+{
+	intptr_t x;
+	int round = 1;
+
+	ck_assert_int_eq(list->get_count(list), 5);
+	while (list->remove_first(list, (void*)&x) == SUCCESS)
+	{
+		ck_assert_int_eq(round, x);
+		round++;
+	}
+	ck_assert_int_eq(round, 6);
+}
+
+START_TEST(test_clone_offset)
+{
+	linked_list_t *other;
+	clone_t items[] = {
+		{ .val = (void*)1, .clone = clone, },
+		{ .val = (void*)2, .clone = clone, },
+		{ .val = (void*)3, .clone = clone, },
+		{ .val = (void*)4, .clone = clone, },
+		{ .val = (void*)5, .clone = clone, },
+	};
+	int i;
+
+	for (i = 0; i < countof(items); i++)
+	{
+		list->insert_last(list, &items[i]);
+	}
+	other = list->clone_offset(list, offsetof(clone_t, clone));
+	test_clone(other);
+	other->destroy(other);
+}
+END_TEST
+
+Suite *linked_list_suite_create()
+{
+	Suite *s;
+	TCase *tc;
+
+	s = suite_create("linked list");
+
+	tc = tcase_create("insert/get");
+	tcase_add_checked_fixture(tc, setup_list, teardown_list);
+	tcase_add_test(tc, test_insert_first);
+	tcase_add_test(tc, test_insert_last);
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("remove");
+	tcase_add_checked_fixture(tc, setup_list, teardown_list);
+	tcase_add_test(tc, test_remove_first);
+	tcase_add_test(tc, test_remove_last);
+	tcase_add_test(tc, test_remove);
+	tcase_add_test(tc, test_remove_callback);
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("find");
+	tcase_add_checked_fixture(tc, setup_list, teardown_list);
+	tcase_add_test(tc, test_find);
+	tcase_add_test(tc, test_find_callback);
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("invoke");
+	tcase_add_checked_fixture(tc, setup_list, teardown_list);
+	tcase_add_test(tc, test_invoke_function);
+	tcase_add_test(tc, test_invoke_offset);
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("clone");
+	tcase_add_checked_fixture(tc, setup_list, teardown_list);
+	tcase_add_test(tc, test_clone_offset);
+	suite_add_tcase(s, tc);
+
+	return s;
+}
diff --git a/src/libstrongswan/tests/test_linked_list_enumerator.c b/src/libstrongswan/tests/test_linked_list_enumerator.c
new file mode 100644
index 000000000..48d6f40e6
--- /dev/null
+++ b/src/libstrongswan/tests/test_linked_list_enumerator.c
@@ -0,0 +1,361 @@
+/*
+ * Copyright (C) 2013 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "test_suite.h"
+
+#include <collections/linked_list.h>
+
+/*******************************************************************************
+ * test fixture
+ */
+
+static linked_list_t *list;
+
+START_SETUP(setup_list)
+{
+	list = linked_list_create_with_items((void*)1, (void*)2, (void*)3, (void*)4,
+									 (void*)5, NULL);
+	ck_assert_int_eq(list->get_count(list), 5);
+}
+END_SETUP
+
+START_TEARDOWN(teardown_list)
+{
+	list->destroy(list);
+}
+END_TEARDOWN
+
+/*******************************************************************************
+ * enumeration
+ */
+
+START_TEST(test_enumerate)
+{
+	enumerator_t *enumerator;
+	intptr_t x;
+	int round;
+
+	round = 1;
+	enumerator = list->create_enumerator(list);
+	while (enumerator->enumerate(enumerator, &x))
+	{
+		ck_assert_int_eq(round, x);
+		round++;
+	}
+	ck_assert_int_eq(round, 6);
+	enumerator->destroy(enumerator);
+}
+END_TEST
+
+START_TEST(test_enumerate_null)
+{
+	enumerator_t *enumerator;
+	int round;
+
+	round = 1;
+	enumerator = list->create_enumerator(list);
+	while (enumerator->enumerate(enumerator, NULL))
+	{
+		round++;
+	}
+	ck_assert_int_eq(round, 6);
+	enumerator->destroy(enumerator);
+}
+END_TEST
+
+START_TEST(test_reset_enumerator)
+{
+	enumerator_t *enumerator;
+	intptr_t x;
+	int round;
+
+	enumerator = list->create_enumerator(list);
+	while (enumerator->enumerate(enumerator, &x))
+	{
+	}
+	list->reset_enumerator(list, enumerator);
+	round = 1;
+	while (enumerator->enumerate(enumerator, &x))
+	{
+		ck_assert_int_eq(round, x);
+		round++;
+	}
+	ck_assert_int_eq(round, 6);
+	enumerator->destroy(enumerator);
+}
+END_TEST
+
+/*******************************************************************************
+ * insert before
+ */
+
+START_TEST(test_insert_before)
+{
+	enumerator_t *enumerator;
+	intptr_t x;
+	int round;
+
+	round = 1;
+	enumerator = list->create_enumerator(list);
+	while (enumerator->enumerate(enumerator, &x))
+	{
+		ck_assert_int_eq(round, x);
+		round++;
+		if (x == _i)
+		{
+			list->insert_before(list, enumerator, (void*)6);
+		}
+	}
+	ck_assert_int_eq(list->get_count(list), 6);
+	list->reset_enumerator(list, enumerator);
+	round = 1;
+	while (enumerator->enumerate(enumerator, &x))
+	{
+		if (round == _i && x != _i)
+		{
+			ck_assert_int_eq(6, x);
+		}
+		else
+		{
+			ck_assert_int_eq(round, x);
+			round++;
+		}
+	}
+	enumerator->destroy(enumerator);
+}
+END_TEST
+
+START_TEST(test_insert_before_ends)
+{
+	enumerator_t *enumerator;
+	intptr_t x;
+	int round;
+
+	enumerator = list->create_enumerator(list);
+	list->insert_before(list, enumerator, (void*)0);
+	ck_assert_int_eq(list->get_count(list), 6);
+	ck_assert(list->get_first(list, (void*)&x) == SUCCESS);
+	ck_assert_int_eq(x, 0);
+	round = 0;
+	while (enumerator->enumerate(enumerator, &x))
+	{
+		ck_assert_int_eq(round, x);
+		round++;
+	}
+	list->insert_before(list, enumerator, (void*)6);
+	ck_assert_int_eq(list->get_count(list), 7);
+	ck_assert(list->get_last(list, (void*)&x) == SUCCESS);
+	ck_assert_int_eq(x, 6);
+	ck_assert(!enumerator->enumerate(enumerator, &x));
+	enumerator->destroy(enumerator);
+}
+END_TEST
+
+START_TEST(test_insert_before_empty)
+{
+	enumerator_t *enumerator;
+	intptr_t x;
+
+	list->destroy(list);
+	list = linked_list_create();
+	enumerator = list->create_enumerator(list);
+	list->insert_before(list, enumerator, (void*)1);
+	ck_assert_int_eq(list->get_count(list), 1);
+	ck_assert(list->get_first(list, (void*)&x) == SUCCESS);
+	ck_assert_int_eq(x, 1);
+	ck_assert(list->get_last(list, (void*)&x) == SUCCESS);
+	ck_assert_int_eq(x, 1);
+	ck_assert(enumerator->enumerate(enumerator, &x));
+	ck_assert_int_eq(x, 1);
+	ck_assert(!enumerator->enumerate(enumerator, NULL));
+	enumerator->destroy(enumerator);
+}
+END_TEST
+
+/*******************************************************************************
+ * remove_at
+ */
+
+START_TEST(test_remove_at)
+{
+	enumerator_t *enumerator;
+	intptr_t x;
+	int round;
+
+	round = 1;
+	enumerator = list->create_enumerator(list);
+	while (enumerator->enumerate(enumerator, &x))
+	{
+		ck_assert_int_eq(round, x);
+		if (round == 2)
+		{
+			list->remove_at(list, enumerator);
+		}
+		round++;
+	}
+	ck_assert_int_eq(list->get_count(list), 4);
+	list->reset_enumerator(list, enumerator);
+	round = 1;
+	while (enumerator->enumerate(enumerator, &x))
+	{
+		if (round == 2)
+		{	/* skip removed item */
+			round++;
+		}
+		ck_assert_int_eq(round, x);
+		round++;
+	}
+	enumerator->destroy(enumerator);
+}
+END_TEST
+
+START_TEST(test_remove_at_ends)
+{
+	enumerator_t *enumerator;
+	intptr_t x;
+
+	enumerator = list->create_enumerator(list);
+	list->remove_at(list, enumerator);
+	ck_assert_int_eq(list->get_count(list), 5);
+	ck_assert(list->get_first(list, (void*)&x) == SUCCESS);
+	ck_assert_int_eq(x, 1);
+	while (enumerator->enumerate(enumerator, &x))
+	{
+	}
+	list->remove_at(list, enumerator);
+	ck_assert_int_eq(list->get_count(list), 5);
+	ck_assert(list->get_last(list, (void*)&x) == SUCCESS);
+	ck_assert_int_eq(x, 5);
+	enumerator->destroy(enumerator);
+}
+END_TEST
+
+START_TEST(test_insert_before_remove_at)
+{
+	enumerator_t *enumerator;
+	intptr_t x;
+	int round;
+
+	round = 1;
+	enumerator = list->create_enumerator(list);
+	while (enumerator->enumerate(enumerator, &x))
+	{
+		ck_assert_int_eq(round, x);
+		if (round == 2)
+		{	/* this replaces the current item, as insert_before does not change
+			 * the enumerator position */
+			list->insert_before(list, enumerator, (void*)42);
+			list->remove_at(list, enumerator);
+		}
+		else if (round == 4)
+		{	/* this does not replace the item, as remove_at moves the enumerator
+			 * position to the previous item */
+			list->remove_at(list, enumerator);
+			list->insert_before(list, enumerator, (void*)21);
+		}
+		round++;
+	}
+	ck_assert_int_eq(list->get_count(list), 5);
+	list->reset_enumerator(list, enumerator);
+	round = 1;
+	while (enumerator->enumerate(enumerator, &x))
+	{
+		if (round == 2)
+		{	/* check replaced item */
+			ck_assert_int_eq(42, x);
+		}
+		else if (round == 3)
+		{	/* check misplaced item */
+			ck_assert_int_eq(21, x);
+		}
+		else if (round == 4)
+		{	/* check misplaced item */
+			ck_assert_int_eq(3, x);
+		}
+		else
+		{
+			ck_assert_int_eq(round, x);
+		}
+		round++;
+	}
+	enumerator->destroy(enumerator);
+}
+END_TEST
+
+/*******************************************************************************
+ * create list from enumerator
+ */
+
+START_TEST(test_create_from_enumerator)
+{
+	enumerator_t *enumerator, *enumerator_other;
+	linked_list_t *other;
+	intptr_t x, y;
+	int count = 0;
+
+	enumerator = list->create_enumerator(list);
+	other = linked_list_create_from_enumerator(enumerator);
+	ck_assert_int_eq(other->get_count(list), 5);
+
+	enumerator = list->create_enumerator(list);
+	enumerator_other = other->create_enumerator(other);
+	while (enumerator->enumerate(enumerator, &x) &&
+		   enumerator_other->enumerate(enumerator_other, &y))
+	{
+		ck_assert_int_eq(x, y);
+		count++;
+	}
+	ck_assert_int_eq(count, 5);
+	enumerator_other->destroy(enumerator_other);
+	enumerator->destroy(enumerator);
+	other->destroy(other);
+}
+END_TEST
+
+Suite *linked_list_enumerator_suite_create()
+{
+	Suite *s;
+	TCase *tc;
+
+	s = suite_create("linked list and enumerators");
+
+	tc = tcase_create("enumerate");
+	tcase_add_checked_fixture(tc, setup_list, teardown_list);
+	tcase_add_test(tc, test_enumerate);
+	tcase_add_test(tc, test_enumerate_null);
+	tcase_add_test(tc, test_reset_enumerator);
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("insert_before()");
+	tcase_add_checked_fixture(tc, setup_list, teardown_list);
+	tcase_add_loop_test(tc, test_insert_before, 1, 5);
+	tcase_add_test(tc, test_insert_before_ends);
+	tcase_add_test(tc, test_insert_before_empty);
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("modify");
+	tcase_add_checked_fixture(tc, setup_list, teardown_list);
+	tcase_add_test(tc, test_remove_at);
+	tcase_add_test(tc, test_remove_at_ends);
+	tcase_add_test(tc, test_insert_before_remove_at);
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("create_from_enumerator");
+	tcase_add_checked_fixture(tc, setup_list, teardown_list);
+	tcase_add_test(tc, test_create_from_enumerator);
+	suite_add_tcase(s, tc);
+
+	return s;
+}
diff --git a/src/libstrongswan/tests/test_rsa.c b/src/libstrongswan/tests/test_rsa.c
new file mode 100644
index 000000000..4c75c34bc
--- /dev/null
+++ b/src/libstrongswan/tests/test_rsa.c
@@ -0,0 +1,393 @@
+/*
+ * Copyright (C) 2013 Martin Willi
+ * Copyright (C) 2013 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "test_suite.h"
+
+#include <plugins/plugin_feature.h>
+
+/**
+ * Signature schemes to test
+ */
+static signature_scheme_t schemes[] = {
+	SIGN_RSA_EMSA_PKCS1_NULL,
+	SIGN_RSA_EMSA_PKCS1_MD5,
+	SIGN_RSA_EMSA_PKCS1_SHA1,
+	SIGN_RSA_EMSA_PKCS1_SHA224,
+	SIGN_RSA_EMSA_PKCS1_SHA256,
+	SIGN_RSA_EMSA_PKCS1_SHA384,
+	SIGN_RSA_EMSA_PKCS1_SHA512,
+};
+
+/**
+ * Perform a signature verification "good" test having a keypair
+ */
+static void test_good_sig(private_key_t *privkey, public_key_t *pubkey)
+{
+	chunk_t sig, data = chunk_from_chars(0x01,0x02,0x03,0xFD,0xFE,0xFF);
+	int i;
+
+	for (i = 0; i < countof(schemes); i++)
+	{
+		if (!lib->plugins->has_feature(lib->plugins,
+						PLUGIN_PROVIDE(PUBKEY_VERIFY, schemes[i])) ||
+			!lib->plugins->has_feature(lib->plugins,
+						PLUGIN_PROVIDE(PRIVKEY_SIGN, schemes[i])))
+		{
+			continue;
+		}
+		fail_unless(privkey->sign(privkey, schemes[i], data, &sig),
+					"sign %N", signature_scheme_names, schemes[i]);
+		fail_unless(pubkey->verify(pubkey, schemes[i], data, sig),
+					"verify %N", signature_scheme_names, schemes[i]);
+		free(sig.ptr);
+	}
+}
+
+/**
+ * Some special signatures that should never validate successfully
+ */
+static chunk_t invalid_sigs[] = {
+	chunk_from_chars(),
+	chunk_from_chars(0x00),
+	chunk_from_chars(0x00,0x00),
+	chunk_from_chars(0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00),
+	chunk_from_chars(0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+					 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00),
+	chunk_from_chars(0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+					 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+					 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00),
+	chunk_from_chars(0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+					 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+					 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+					 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00),
+	chunk_from_chars(0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+					 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+					 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+					 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+					 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+					 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00),
+	chunk_from_chars(0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+					 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+					 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+					 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+					 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+					 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+					 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+					 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00),
+};
+
+/**
+ * Check public key that it properly fails against some crafted sigs
+ */
+static void test_bad_sigs(public_key_t *pubkey)
+{
+	chunk_t data = chunk_from_chars(0x01,0x02,0x03,0xFD,0xFE,0xFF);
+	int s, i;
+
+	for (s = 0; s < countof(schemes); s++)
+	{
+			if (!lib->plugins->has_feature(lib->plugins,
+							PLUGIN_PROVIDE(PUBKEY_VERIFY, schemes[s])))
+			{
+				continue;
+			}
+		for (i = 0; i < countof(invalid_sigs); i++)
+		{
+			fail_if(
+				pubkey->verify(pubkey, schemes[s], data, invalid_sigs[i]),
+				"bad %N sig accepted %B", signature_scheme_names, schemes[s],
+				&invalid_sigs[i]);
+		}
+	}
+}
+
+/**
+ * RSA key sizes to test
+ */
+static int key_sizes[] = {
+	786, 1024, 1536, 2048, 3072, 4096,
+};
+
+START_TEST(test_gen)
+{
+	private_key_t *privkey;
+	public_key_t *pubkey;
+
+	privkey = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_RSA,
+								 BUILD_KEY_SIZE, key_sizes[_i], BUILD_END);
+	ck_assert(privkey != NULL);
+	pubkey = privkey->get_public_key(privkey);
+	ck_assert(pubkey != NULL);
+
+	test_good_sig(privkey, pubkey);
+
+	test_bad_sigs(pubkey);
+
+	pubkey->destroy(pubkey);
+	privkey->destroy(privkey);
+}
+END_TEST
+
+/**
+ * Private keys to load
+ */
+static chunk_t keys[] = {
+	chunk_from_chars( /* RSA-768 */
+		0x30,0x82,0x01,0xcb,0x02,0x01,0x00,0x02,0x61,0x00,0xd1,0x5d,0x98,0x97,0x95,0x98,
+		0x19,0x87,0x20,0x3f,0x10,0xb0,0x05,0x36,0x1e,0x1b,0xcd,0xc8,0x93,0x66,0xd7,0x43,
+		0xed,0x84,0xb0,0x3e,0x96,0xd3,0xe7,0x27,0x0e,0xc0,0xba,0xdf,0x7e,0x32,0x05,0xd3,
+		0x08,0xd6,0x44,0xd5,0x01,0x2b,0x3e,0x5d,0xc0,0x37,0xae,0x4f,0xe0,0xea,0x8d,0x2c,
+		0x42,0x4c,0xa9,0xa2,0x42,0xbe,0xdd,0xdb,0xf7,0xd3,0x28,0x07,0x10,0x88,0x53,0x15,
+		0xb2,0x4f,0xb5,0x9d,0x47,0x9b,0xd6,0xc8,0xfe,0x5b,0xa2,0xd7,0xe1,0x13,0xca,0x0b,
+		0xce,0x7a,0xed,0xa2,0x3e,0xd5,0x9b,0xb8,0x8b,0x4f,0x02,0x03,0x01,0x00,0x01,0x02,
+		0x60,0x2d,0x83,0x82,0x53,0x99,0xb2,0xaa,0x02,0x05,0x11,0x90,0xa8,0x23,0x49,0xe3,
+		0x7b,0xb9,0xdd,0x9b,0xa5,0xa4,0xb0,0x60,0xa7,0x12,0xc5,0x58,0x76,0x92,0x6e,0x9c,
+		0x37,0x6b,0xa8,0x80,0x3f,0x91,0xa2,0x91,0xee,0x3a,0xa2,0x6f,0x91,0x9e,0x0a,0x35,
+		0x69,0xc0,0xa7,0xdc,0xd8,0x46,0xe4,0x29,0x1c,0x3d,0x34,0x30,0xa2,0xb9,0x0d,0x34,
+		0x94,0xa1,0x12,0xa7,0x85,0xd3,0x2c,0x47,0x1b,0xf0,0x78,0xd5,0x22,0xfc,0xa5,0xe0,
+		0x75,0xac,0x71,0x21,0xe8,0xe8,0x19,0x9f,0xbb,0x98,0x5c,0xa6,0x9d,0x42,0xd7,0x9c,
+		0x89,0x02,0x31,0x00,0xee,0xaa,0x9e,0x82,0xe1,0xb2,0xdd,0x05,0xbc,0x2e,0x53,0xe9,
+		0x64,0x4b,0x48,0x06,0x3a,0xfd,0x9e,0x91,0xce,0x1b,0x7f,0x66,0xbc,0xd2,0xc4,0xab,
+		0xbf,0xc5,0x5d,0x1a,0xbd,0xd6,0xb5,0x9c,0x5c,0x18,0x01,0xe6,0x79,0x19,0xf2,0xc3,
+		0x1d,0x66,0x88,0x2d,0x02,0x31,0x00,0xe0,0x92,0x34,0x1e,0x09,0xf2,0x1b,0xf9,0xbf,
+		0x11,0x65,0x3f,0xc8,0x85,0x5a,0xe6,0xc0,0xcf,0x93,0x44,0xb0,0x50,0xe4,0x8b,0x6f,
+		0x30,0xde,0x42,0x0c,0x8a,0x77,0x0d,0x98,0x7f,0x52,0x59,0x9e,0x87,0xb8,0x6e,0xdc,
+		0xed,0x15,0x80,0xbd,0xbb,0xf2,0xeb,0x02,0x31,0x00,0xb0,0x6b,0x36,0x98,0x90,0xb5,
+		0x62,0x63,0xa6,0xe2,0xa7,0xec,0x51,0xd2,0xc3,0xfe,0xb7,0x04,0x5a,0x7e,0x74,0xd8,
+		0x26,0xa8,0x8e,0xd3,0x4d,0xc5,0x97,0x10,0x10,0xee,0x7f,0x7d,0x82,0xe9,0x7d,0xb9,
+		0xd1,0x4d,0xc8,0x1e,0xc2,0x30,0x30,0x3f,0x66,0x51,0x02,0x31,0x00,0xaa,0x75,0x2f,
+		0x4c,0x11,0xbe,0x8d,0x0f,0x8f,0xc1,0x13,0x7a,0x4b,0xa9,0x35,0x6b,0x6b,0xb4,0xe3,
+		0x92,0xc2,0xc6,0x54,0x03,0xa6,0x5d,0x90,0x86,0xcf,0xe0,0x16,0x27,0xe2,0xb5,0xd9,
+		0xfb,0x1e,0x82,0xe4,0x32,0x7a,0x4d,0x17,0x02,0x46,0x82,0x30,0x0b,0x02,0x30,0x09,
+		0xf3,0xce,0x9b,0x02,0xc5,0x53,0xe9,0xa2,0x89,0xe2,0x3b,0x8c,0x8b,0xe9,0xc2,0xba,
+		0x94,0x76,0x60,0x27,0x2b,0xe9,0x92,0xc1,0x5e,0x3c,0xc3,0x77,0x9b,0xc7,0xce,0xc6,
+		0x67,0xd5,0x20,0x2c,0x54,0xa1,0x5d,0x2a,0x17,0x16,0x66,0xdf,0x5a,0xe9,0x87,
+	),
+	chunk_from_chars( /* RSA-1024 */
+		0x30,0x82,0x02,0x5c,0x02,0x01,0x00,0x02,0x81,0x81,0x00,0xc0,0xbd,0x48,0x83,0xbc,
+		0xea,0x0b,0x32,0x06,0x4b,0xf5,0x10,0x54,0x1b,0xba,0x88,0xc4,0x10,0x7e,0x47,0xec,
+		0x0e,0xf9,0xb4,0xcf,0x9a,0x02,0xc6,0xb3,0xaf,0x35,0xc8,0xaf,0x78,0x1a,0xbc,0x37,
+		0x1a,0x25,0x7a,0x37,0x24,0x73,0x53,0x9a,0xf0,0x44,0x64,0x5b,0x6b,0x64,0x4c,0xfa,
+		0x83,0x3a,0x0f,0x77,0x5d,0x7b,0x21,0xa2,0x25,0x00,0x11,0xae,0x72,0x36,0x35,0xd9,
+		0x0d,0xef,0x5a,0xdd,0x98,0x35,0x49,0xaf,0x44,0xa0,0x33,0x29,0xc0,0xca,0xf5,0x6f,
+		0xfe,0xc1,0x06,0x4c,0x80,0x9a,0x54,0xbe,0x46,0x1a,0x96,0xb1,0xf3,0x29,0xb8,0x9d,
+		0x07,0x84,0x03,0x68,0x6b,0x9f,0xbf,0xe5,0xd8,0x14,0x2a,0xe0,0xef,0xbd,0x1a,0x61,
+		0x0d,0x3a,0xc8,0x67,0xcd,0x99,0x90,0xe3,0xe6,0x52,0x83,0x02,0x03,0x01,0x00,0x01,
+		0x02,0x81,0x80,0x13,0xd2,0xa3,0xe5,0xa0,0xb0,0x0a,0xe2,0x0f,0x3c,0x65,0x57,0xa8,
+		0xe9,0x87,0xd5,0x79,0xcc,0xc9,0xca,0xc8,0x8a,0xd5,0xc0,0x74,0x90,0x3e,0x1e,0xda,
+		0x40,0xcd,0x42,0xf7,0x01,0x09,0x9c,0x37,0xfd,0x41,0x6e,0x2b,0x6e,0x5d,0x4a,0x1e,
+		0x52,0x53,0x1b,0xbb,0x3c,0x9f,0xfe,0x91,0x79,0x48,0xfc,0x69,0x90,0xbc,0xbc,0x3d,
+		0xcf,0xee,0x62,0x0a,0xbd,0x57,0x6b,0xa9,0x51,0x3e,0xc2,0x7f,0x26,0xb1,0xaa,0x38,
+		0xeb,0x40,0x91,0x3a,0x3c,0x80,0x1e,0x4e,0xe2,0xff,0xa2,0x8e,0x56,0xbb,0xb3,0xeb,
+		0x24,0x81,0x4c,0x19,0x2c,0x8f,0x51,0x4c,0x04,0x81,0xaf,0x5e,0xc2,0xa6,0xf9,0xd3,
+		0x48,0xee,0xe9,0x6d,0x9b,0xe1,0xe5,0x17,0x4f,0x07,0x18,0xea,0x96,0xd3,0x2c,0xce,
+		0x44,0x71,0x51,0x02,0x41,0x00,0xe9,0xe9,0x46,0x7e,0xe1,0xc2,0x86,0x94,0x65,0x77,
+		0x9c,0xc7,0x76,0x5d,0xa0,0xd3,0xcc,0x1f,0xa3,0xc7,0xfe,0xbb,0x4e,0x27,0xd6,0x43,
+		0x6b,0xbd,0x0d,0x05,0x7a,0x10,0xe8,0x48,0x97,0x30,0xaa,0x53,0x61,0x57,0x1f,0x8a,
+		0xf7,0x39,0x5e,0xa6,0xfe,0xe9,0x2c,0x19,0x5e,0x53,0xea,0xc2,0xb2,0xc2,0x11,0x3c,
+		0x18,0xab,0xcf,0xc4,0x91,0x1b,0x02,0x41,0x00,0xd2,0xf0,0xb1,0x49,0xa1,0x6f,0xf1,
+		0x83,0xa3,0xd2,0xa1,0x0e,0xb3,0xb3,0x33,0x01,0xed,0xd0,0x28,0xc1,0x2f,0x88,0x80,
+		0x9f,0x43,0x7c,0x7e,0x5d,0x4c,0x15,0x05,0x86,0xff,0x75,0x9b,0xf1,0x64,0xde,0x06,
+		0xbf,0xdd,0x98,0x50,0xd9,0x4a,0x3a,0xd6,0x25,0x1c,0xdd,0xc8,0x56,0x12,0x11,0xb9,
+		0x02,0x42,0xc7,0x1d,0x86,0xeb,0xd9,0xc2,0xb9,0x02,0x41,0x00,0x80,0x25,0x8c,0xb9,
+		0x76,0x75,0x5b,0xc5,0x70,0xd1,0x56,0xd2,0xef,0xc5,0xdb,0x96,0x2c,0xfe,0x28,0x7c,
+		0x28,0xd1,0xf4,0xbf,0x5e,0x63,0x11,0x63,0x40,0xfe,0xff,0x20,0xc4,0x21,0x00,0xb3,
+		0x68,0x9c,0xc5,0x77,0x35,0x90,0xac,0x60,0x81,0xba,0x7b,0x6c,0xc2,0xfc,0x22,0xf1,
+		0x56,0x6b,0xd4,0x02,0xfd,0xee,0x2e,0x95,0xf1,0xfd,0x7e,0x81,0x02,0x40,0x47,0xaf,
+		0x84,0x90,0x81,0x4c,0x89,0xc7,0x32,0xe5,0x61,0xd6,0x9d,0x3b,0x49,0x1a,0x5e,0xb7,
+		0x5f,0x22,0x48,0x05,0x1b,0xb1,0x04,0x3e,0x4a,0xb3,0x6a,0x27,0xba,0xb9,0x26,0x17,
+		0xd1,0xe7,0x37,0x60,0x3c,0xea,0xf7,0x63,0xcc,0x16,0x0c,0x23,0xf2,0xa2,0xaa,0x2c,
+		0xb4,0xe8,0x8b,0x3b,0x7a,0xa4,0x4a,0x0d,0x60,0xfb,0x79,0x2b,0x88,0x01,0x02,0x40,
+		0x42,0xee,0x12,0x91,0xf9,0x80,0x1e,0x60,0x0b,0xaa,0xbe,0xfd,0x09,0x84,0x93,0x0d,
+		0x09,0xd3,0x1e,0x37,0x52,0xb0,0xe8,0x51,0x4f,0xd3,0x9e,0xda,0x32,0x38,0x22,0x35,
+		0xdb,0x25,0x8b,0x9f,0x1a,0xb5,0xf1,0x75,0xfa,0x4d,0x09,0x42,0x01,0x64,0xe6,0xc4,
+		0x6e,0xba,0x2d,0x88,0x92,0xbe,0xa9,0x1f,0x85,0x38,0x10,0xa3,0x0e,0x1a,0x92,0x54,
+	),
+	chunk_from_chars( /* RSA-1536 */
+		0x30,0x82,0x03,0x7d,0x02,0x01,0x00,0x02,0x81,0xc1,0x00,0xba,0xe3,0x37,0x93,0x7e,
+		0x42,0x13,0x3c,0xba,0x41,0xc1,0x7b,0xf0,0xcc,0x7a,0x44,0xc6,0x54,0xc8,0x77,0x01,
+		0x70,0x2f,0x6e,0x4a,0xcf,0x2d,0x07,0xab,0x01,0xc0,0x43,0xab,0x8d,0x33,0xb3,0xd4,
+		0xeb,0xe3,0x90,0xf6,0x01,0x03,0x75,0x03,0x1d,0xe8,0x06,0x40,0x15,0xfa,0x96,0x0b,
+		0xd5,0x26,0x64,0xea,0x55,0x82,0x16,0x7b,0xd5,0x1e,0xaa,0x08,0xc7,0x30,0x1a,0x59,
+		0xf8,0xd9,0xe3,0x9e,0x89,0xd9,0x92,0x2c,0x32,0x79,0x0e,0xb3,0x25,0xbc,0x1d,0x7c,
+		0x59,0xde,0x05,0x47,0x8f,0x61,0x77,0xf5,0x4f,0xed,0x82,0x2c,0xf8,0x2a,0x3e,0x02,
+		0xf3,0xc0,0x15,0x51,0xde,0x05,0xc4,0xfc,0x80,0x91,0xae,0x06,0x1b,0xd7,0x39,0x8e,
+		0x9a,0x6d,0xb3,0x2f,0xb0,0xd0,0xc8,0x96,0xa6,0x88,0xb3,0x17,0xca,0x58,0xbe,0x38,
+		0x2c,0x64,0x35,0x5a,0x29,0xb7,0xf8,0x74,0x3d,0xbb,0xec,0x90,0x01,0x04,0x64,0x3d,
+		0x38,0x0f,0x87,0xce,0xd7,0xfc,0xd2,0x96,0x93,0x31,0x85,0x0d,0x2d,0xa5,0x91,0xe2,
+		0xfc,0x7b,0xea,0xb0,0x89,0x24,0xaa,0x00,0x29,0x8c,0x26,0x7c,0x94,0x54,0x74,0xe4,
+		0x11,0xa8,0x04,0x6f,0x40,0xeb,0xaf,0xed,0xac,0x75,0x33,0x02,0x03,0x01,0x00,0x01,
+		0x02,0x81,0xc0,0x0a,0x96,0xec,0x63,0xc1,0xa0,0x39,0xd9,0xd3,0x8d,0xfd,0x4a,0x2a,
+		0x13,0x54,0x0c,0x48,0x96,0xae,0x43,0x3c,0x04,0x20,0xd3,0xe5,0x8e,0x46,0xb5,0x6c,
+		0x05,0xad,0xe0,0xc7,0xbc,0x39,0x05,0x44,0x17,0xd7,0xad,0xb3,0x9a,0xcc,0x18,0xd9,
+		0xc3,0xdc,0x8d,0x5a,0x1d,0x44,0xb5,0x32,0xd7,0x71,0x94,0xff,0x48,0x38,0x16,0x51,
+		0x0e,0xfa,0xed,0x54,0x91,0x00,0xd3,0x45,0x6c,0xd9,0xdf,0xd1,0x70,0x6b,0x31,0x22,
+		0xaa,0xfb,0x7c,0x0f,0x3f,0xa0,0xa0,0xa5,0x16,0xac,0x83,0x6d,0x12,0x1d,0x4a,0x40,
+		0x4e,0xb6,0x9c,0xf4,0x67,0xaa,0xa9,0xb0,0xc8,0xb4,0x0a,0xd5,0x3b,0x5c,0x19,0xed,
+		0x86,0x83,0x5a,0x75,0xbc,0xeb,0x17,0xc8,0x16,0xa0,0x60,0x2e,0xb6,0x25,0xc5,0x4d,
+		0x59,0xba,0x62,0xcb,0x3d,0x91,0x7c,0x79,0x6a,0x4b,0x4a,0x54,0xbd,0xb7,0xa3,0x89,
+		0x7f,0xbf,0x0e,0x77,0xe1,0x54,0x29,0x0d,0x45,0x6d,0xa8,0x15,0xa5,0x17,0x8c,0xcf,
+		0x27,0x9e,0x47,0x4e,0x2a,0x91,0x7e,0x4e,0x14,0x59,0x8c,0x62,0x91,0xa3,0x40,0xa5,
+		0x9e,0x67,0xbb,0x02,0x97,0xb4,0xe7,0x06,0x04,0xbc,0x16,0x24,0x3d,0x49,0xb1,0xf0,
+		0xae,0xfc,0x1d,0x02,0x61,0x00,0xde,0x86,0x5d,0x49,0x88,0xeb,0x5c,0xd3,0xe5,0x11,
+		0x48,0x0b,0x1e,0x52,0x95,0xa9,0x65,0x99,0x89,0xcf,0x51,0xb0,0x08,0xdd,0xb5,0x5b,
+		0x64,0x1a,0x34,0xd2,0xee,0x4b,0x2d,0x8b,0xc1,0xd5,0xd6,0x1d,0x6c,0x0c,0x7e,0xa5,
+		0x66,0x12,0xec,0xaf,0x5d,0xe9,0x33,0xd4,0xba,0x18,0x71,0x84,0x97,0xbe,0xc0,0x75,
+		0x63,0x19,0xae,0xc6,0xc7,0x65,0xf3,0xf6,0xda,0x3f,0x91,0xfa,0x5e,0x87,0xf3,0xbc,
+		0xd2,0x64,0x8d,0xcf,0xfb,0xdd,0x7f,0x9b,0x6c,0x81,0xba,0x9b,0x4e,0x94,0x5e,0x83,
+		0xd1,0xcb,0xb9,0xf4,0x39,0x7f,0x02,0x61,0x00,0xd7,0x00,0x6d,0x8e,0x1b,0xa1,0x44,
+		0xd9,0xff,0xe6,0x42,0x72,0x18,0x55,0x26,0x3e,0x87,0x40,0x71,0xb2,0x67,0x37,0x16,
+		0xe9,0xbd,0x51,0x7f,0x0e,0x79,0x0e,0x75,0xa9,0x1f,0x0f,0x6b,0xa5,0x7c,0x5f,0xc8,
+		0xdc,0x17,0xde,0x53,0x88,0x97,0x90,0x88,0xf2,0x4d,0x66,0x5e,0x0e,0x11,0x16,0x92,
+		0x1e,0x61,0x56,0xe6,0xf0,0x74,0x81,0x58,0x95,0x05,0x29,0x71,0x9b,0xa0,0x69,0xed,
+		0x14,0x23,0xf6,0x36,0x9b,0x8f,0x06,0x3a,0x76,0xab,0xeb,0xce,0xe8,0xdc,0x79,0xc1,
+		0x29,0xb9,0xfc,0x49,0x7a,0x26,0x59,0xd6,0x4d,0x02,0x61,0x00,0xaf,0x3c,0xac,0xd6,
+		0x2d,0xe6,0xfb,0x91,0x3a,0xc1,0x23,0x34,0xee,0x4a,0x26,0xe5,0xe1,0xc6,0xc9,0xc9,
+		0xe4,0x10,0x76,0xca,0xf1,0xf8,0xe8,0x99,0xe2,0xa3,0x81,0x58,0xde,0xa3,0x42,0xa0,
+		0x3d,0x1f,0xaa,0x69,0x24,0x8a,0xe8,0x19,0x5b,0x1e,0xb7,0x1b,0xe0,0xdf,0x53,0x35,
+		0xd0,0x9f,0x94,0x48,0x79,0x93,0x77,0xd9,0x4f,0xd3,0xe6,0x4f,0x19,0x92,0x7a,0x48,
+		0xb9,0x92,0xab,0x42,0xf0,0xe4,0xef,0xe2,0x93,0xf3,0x07,0xeb,0x64,0x84,0x67,0x2c,
+		0xba,0x61,0x77,0xbe,0x4b,0xb8,0x0f,0x4d,0x1a,0x41,0x83,0xcd,0x02,0x60,0x56,0xec,
+		0x55,0x5e,0x9e,0xcd,0x14,0x89,0x0e,0x6c,0x89,0x70,0x97,0x65,0xd5,0x90,0x72,0x1e,
+		0x1b,0xd9,0x84,0xe1,0x40,0xe2,0x3f,0x28,0x33,0xb6,0x26,0x3b,0x32,0x56,0xad,0xb8,
+		0x0e,0x4d,0x59,0x7b,0x60,0x39,0x9b,0x6c,0xc7,0x58,0xf1,0xed,0xfd,0x6f,0xf8,0xda,
+		0xea,0x2b,0xc5,0xbc,0xda,0x56,0x6e,0x04,0x34,0x5a,0x02,0xc0,0x48,0x8f,0xf7,0x06,
+		0x4a,0x68,0x20,0xf2,0xb2,0x66,0xf2,0x23,0x18,0xf0,0xcb,0x62,0x39,0x40,0xc1,0x41,
+		0x14,0xe6,0x10,0x3d,0x29,0x5b,0x35,0x56,0x4a,0x5e,0x98,0x22,0xba,0x01,0x02,0x61,
+		0x00,0xcc,0x80,0xb7,0xb9,0xb9,0x4a,0xaf,0x47,0x00,0x3e,0x21,0x0f,0xb8,0x4e,0x7c,
+		0xb1,0xe4,0x25,0xd6,0x19,0x26,0x54,0xc6,0x8c,0x30,0x88,0x54,0x70,0xcf,0x1f,0x62,
+		0x75,0xcb,0x18,0x58,0x6c,0x14,0xb0,0x9b,0x13,0x90,0xa2,0x1a,0x5a,0x79,0xa3,0x82,
+		0xf0,0x9b,0xba,0xf0,0x90,0xaf,0xa1,0xe8,0xa8,0x70,0xef,0x60,0x6a,0x68,0xed,0x5a,
+		0x21,0x77,0x69,0x7a,0xf2,0xee,0x3e,0xe5,0x90,0xd2,0x33,0x71,0x3b,0x82,0x88,0x75,
+		0xdd,0x8e,0x6e,0xbc,0x17,0x83,0xef,0x37,0x82,0x4e,0x83,0x30,0xcb,0x8a,0xbc,0x6c,
+		0x41,
+	),
+	chunk_from_chars( /* RSA-2048 */
+		0x30,0x82,0x04,0xa2,0x02,0x01,0x00,0x02,0x82,0x01,0x01,0x00,0xba,0xbf,0x27,0x0b,
+		0x22,0x59,0xd8,0x6f,0xff,0x26,0x5d,0x41,0x3d,0xb0,0x94,0x58,0x5d,0xc0,0x46,0xb6,
+		0x77,0xa9,0x78,0x10,0x6d,0xe9,0xbf,0xca,0x6f,0x04,0xe1,0xda,0x85,0x12,0x1e,0xe0,
+		0xa6,0xc7,0xa2,0x71,0x04,0x8b,0x6e,0x84,0xf9,0x86,0x2b,0xeb,0x72,0x01,0x72,0xc8,
+		0x0a,0x83,0xa6,0xf7,0xc0,0xd6,0x76,0x1d,0x28,0x38,0xb5,0x7e,0x6c,0x8c,0x6a,0x13,
+		0xf4,0xf1,0x7f,0xf2,0x79,0xae,0x73,0xba,0x1a,0x3f,0x30,0x65,0xb6,0x23,0xa7,0x94,
+		0x34,0x29,0x87,0xce,0x06,0x99,0xee,0x85,0x10,0xce,0x08,0xe2,0x8d,0xd5,0x47,0xf3,
+		0xc8,0xf0,0x18,0x41,0xc0,0x59,0x66,0x06,0xda,0xb6,0x18,0xd2,0xa3,0xa0,0xbd,0x3a,
+		0x90,0x7f,0x37,0x39,0xdf,0x98,0x55,0xa2,0x19,0x5e,0x37,0xbc,0x86,0xf3,0x02,0xf8,
+		0x68,0x49,0x53,0xf2,0x4b,0x3d,0x7a,0xe3,0x1d,0xa4,0x15,0x10,0xa6,0xce,0x8c,0xb8,
+		0xfd,0x95,0x54,0xa2,0x50,0xa2,0xd9,0x35,0x12,0x56,0xae,0xbc,0x51,0x33,0x6d,0xb8,
+		0x63,0x7c,0x26,0xab,0x19,0x01,0xa5,0xda,0xfa,0x4b,0xb6,0x57,0xd3,0x4b,0xdd,0xc0,
+		0x62,0xc5,0x05,0xb7,0xc3,0x2e,0x1f,0x17,0xc8,0x09,0x87,0x12,0x37,0x21,0xd7,0x7a,
+		0x53,0xb0,0x47,0x60,0xa2,0xb5,0x23,0x3b,0x99,0xdf,0xea,0x8b,0x94,0xea,0x9d,0x53,
+		0x5d,0x02,0x52,0xf7,0x29,0xfb,0x63,0xb0,0xff,0x27,0x5e,0xde,0x54,0x7d,0x95,0xd6,
+		0x4e,0x58,0x12,0x06,0x60,0x22,0x33,0xf2,0x19,0x67,0x65,0xdd,0xf3,0x42,0xb5,0x00,
+		0x51,0x35,0xe5,0x62,0x4d,0x90,0x44,0xfb,0x7f,0x5b,0xb5,0xe5,0x02,0x03,0x01,0x00,
+		0x01,0x02,0x82,0x01,0x00,0x1c,0xf5,0x66,0xf5,0xce,0x4c,0x1d,0xe8,0xd2,0x29,0x6e,
+		0x15,0x1f,0x9e,0x9a,0x06,0x70,0xf5,0x4f,0xd1,0xdc,0x51,0x02,0x8e,0x13,0xa9,0x47,
+		0x85,0x39,0xfd,0x89,0x13,0x74,0x86,0xb8,0x94,0x90,0x30,0x4d,0x73,0x96,0xa7,0x93,
+		0x8a,0x19,0xd2,0x91,0x4d,0x77,0xb6,0x9b,0x48,0xc3,0x7e,0xa2,0x5d,0xf1,0x80,0xa0,
+		0x3c,0xc9,0xbf,0xaf,0x7f,0x4d,0x10,0x62,0x23,0xb9,0x9c,0x58,0x81,0xae,0x96,0x5b,
+		0x9a,0x4c,0x97,0x27,0x67,0x62,0x5c,0xf9,0x8f,0xdd,0x1d,0xe2,0x92,0x13,0x8a,0x7b,
+		0xc7,0x15,0x31,0xca,0x05,0x6d,0xc6,0x98,0xdb,0x88,0x39,0x99,0x1d,0x5b,0x19,0x51,
+		0xdd,0xb6,0xbd,0x3d,0xb0,0xae,0x50,0x8e,0xff,0x7d,0xa8,0x48,0x95,0x58,0x23,0xbc,
+		0x85,0xc0,0x46,0xd0,0xc0,0x0e,0xda,0xdd,0xa4,0x8e,0x8d,0x31,0x8b,0x89,0x0f,0x8b,
+		0x76,0x9a,0xb5,0x99,0x56,0x5e,0xd3,0x0c,0x88,0x0b,0x03,0xf1,0xc9,0xe3,0x05,0x05,
+		0x08,0x75,0xce,0x35,0x52,0xa0,0xc0,0xf2,0xf4,0xb9,0x87,0x22,0x21,0x3f,0x61,0xd6,
+		0x99,0xae,0x0e,0x76,0x5d,0x9c,0x16,0xa3,0xe9,0xde,0x2d,0x2a,0x46,0xf7,0x89,0xbf,
+		0x0d,0xb1,0x60,0xad,0xbc,0x24,0xe2,0xe5,0xb1,0xc1,0x1c,0x00,0x40,0x1c,0xbd,0xfa,
+		0x6e,0xc7,0x0d,0xc1,0xda,0x4d,0x54,0x45,0x96,0xac,0xf7,0xfe,0x1b,0xf2,0x47,0x1e,
+		0xf7,0x8b,0xcf,0x27,0xcc,0xe7,0x08,0xd6,0x43,0x60,0xea,0xda,0x19,0xd7,0x98,0x17,
+		0x7c,0xab,0x0c,0x90,0x60,0x75,0x9f,0x8b,0xaa,0x13,0x63,0x98,0x9e,0xc6,0x41,0x9f,
+		0xd4,0x85,0xa3,0xb2,0xb9,0x02,0x81,0x81,0x00,0xe1,0x20,0xf6,0xac,0xa9,0x01,0xbd,
+		0x31,0xe6,0xb2,0x4e,0xcf,0x66,0xc3,0x11,0x0e,0x5b,0xfe,0x58,0x6b,0xc6,0x2d,0x7a,
+		0x05,0x30,0x9a,0x6f,0xcc,0xcc,0xdf,0xd2,0x2c,0xe1,0x47,0x39,0x9e,0xf3,0x0c,0x81,
+		0xd9,0x76,0x00,0xe2,0xb1,0x08,0x91,0xfb,0x12,0x04,0xf6,0x1f,0xea,0xff,0x82,0xe5,
+		0x64,0x64,0x6f,0x14,0xbe,0x33,0x5f,0x41,0x5f,0x73,0x1f,0xa2,0x32,0xec,0x75,0xb3,
+		0x98,0x4b,0x88,0x4d,0x1e,0xec,0x78,0xda,0x4c,0x2d,0xf8,0xbb,0xcf,0x0e,0x8f,0x2f,
+		0x23,0xae,0xcd,0xe0,0x4c,0x13,0x1c,0x1c,0x16,0x8e,0xb9,0x9f,0x02,0x12,0x12,0xa5,
+		0xf4,0x21,0xfe,0x57,0x08,0x7a,0xe8,0xbe,0x15,0xe9,0xdd,0x2a,0xd1,0x7b,0x39,0xd6,
+		0x4f,0x70,0x74,0x7d,0xfd,0x39,0x97,0x80,0x8d,0x02,0x81,0x81,0x00,0xd4,0x5a,0xce,
+		0x05,0x93,0x51,0x15,0x44,0xdd,0x4d,0x79,0x92,0x04,0xe6,0x64,0x7e,0x6c,0xb5,0x61,
+		0x6b,0xc3,0xb3,0xae,0x4f,0x0a,0x75,0xbf,0x6c,0xec,0x47,0xf2,0xbc,0xea,0x76,0xc4,
+		0xc2,0xe7,0xd2,0x50,0xc4,0xe0,0xaf,0x56,0x05,0x72,0x3c,0x34,0x8c,0x5b,0xae,0xb8,
+		0x0e,0xfb,0x83,0x27,0xcf,0x61,0x05,0x44,0x97,0x3f,0x66,0x6d,0x26,0x7d,0xed,0xcd,
+		0x5a,0x87,0x04,0xbc,0xb3,0x70,0x75,0x15,0x51,0xe9,0x18,0x85,0xf7,0x2a,0x45,0xd5,
+		0xc7,0x93,0x32,0x07,0x2e,0x26,0x34,0x2d,0x18,0x63,0x45,0x06,0x6f,0xa9,0x75,0x5d,
+		0x20,0x6b,0x0b,0x13,0x45,0x81,0x7e,0x5c,0xc5,0x48,0x16,0x4b,0x82,0x7c,0xad,0xbe,
+		0xfd,0xa5,0x0a,0xd6,0xc2,0x21,0xfc,0xa5,0x84,0xaf,0xf3,0x10,0xb9,0x02,0x81,0x80,
+		0x29,0x20,0x20,0x6f,0xc2,0x1f,0xf3,0x33,0xde,0x74,0xcc,0x38,0xcf,0x08,0xeb,0x60,
+		0xb8,0x25,0x6a,0x79,0xa5,0xa6,0x41,0x18,0x19,0x9c,0xdc,0xb7,0x88,0xe5,0x8a,0x3b,
+		0x70,0x9b,0xd6,0x46,0xd7,0x17,0x7d,0xd0,0xff,0xe1,0x81,0x87,0xdd,0x8c,0xed,0x54,
+		0x89,0x5b,0x7c,0xd1,0x2d,0x03,0xf8,0x6b,0xb2,0x7d,0x28,0x48,0xe6,0x91,0x8c,0x1b,
+		0xa7,0xa8,0x2b,0xb5,0x29,0xc5,0x06,0x9d,0xd7,0x8e,0x7a,0xa8,0x1f,0x82,0xa4,0x3e,
+		0x2e,0x57,0xb5,0xd7,0x49,0x4d,0x96,0xca,0xe9,0xef,0xe9,0xfd,0x7b,0xb0,0x32,0xe1,
+		0x5c,0x09,0x44,0xa6,0xd8,0x2e,0x57,0xea,0x95,0x1b,0x25,0x43,0x03,0x50,0xe9,0x08,
+		0x8f,0xc4,0x3b,0x42,0x31,0x44,0x8b,0x85,0xcf,0x81,0x38,0x52,0xbd,0xe6,0x93,0x31,
+		0x02,0x81,0x80,0x18,0x3d,0x79,0x51,0x07,0x9c,0xf4,0xd9,0x94,0x8d,0x78,0x78,0x23,
+		0x99,0x0d,0x15,0xa5,0x61,0x1b,0x0a,0xcb,0x1f,0x22,0xa1,0xa1,0x27,0x09,0xbf,0xec,
+		0x44,0xd6,0x3f,0x9c,0x60,0x0c,0x5b,0xd7,0x4c,0x99,0xad,0xaf,0x9c,0x34,0x2c,0x90,
+		0xfa,0xb0,0x60,0xe9,0x42,0x4b,0x7e,0x62,0x55,0x79,0x60,0xe1,0xc9,0x51,0x28,0x16,
+		0xb3,0xa1,0x78,0x08,0x5d,0xf1,0xd8,0x08,0x9b,0x90,0xd2,0xc6,0xde,0x86,0x9d,0x80,
+		0x07,0x2d,0x9b,0xa6,0x36,0xac,0x8d,0x88,0x8e,0xe8,0x64,0xeb,0x35,0x7f,0x84,0x4e,
+		0x28,0x9d,0xf0,0x77,0x1e,0x8f,0x8f,0xd8,0xc8,0x3d,0xdd,0xec,0x47,0x39,0x5d,0xc7,
+		0xb9,0xcb,0xca,0xcc,0x62,0xa4,0xef,0x9d,0x3c,0x5c,0x81,0x72,0x91,0xbd,0x6f,0x25,
+		0x0a,0x90,0xf9,0x02,0x81,0x80,0x51,0x42,0x23,0x64,0x3d,0xbc,0xcb,0xcb,0x77,0xd4,
+		0x5c,0x6b,0xf4,0x16,0x3a,0x6b,0x05,0x5f,0xd4,0xf8,0x59,0xe6,0x98,0x0c,0x43,0x7e,
+		0x6b,0x17,0x0d,0x01,0x23,0x6e,0x4c,0xff,0x35,0xe4,0xc5,0xba,0xe8,0x9e,0x12,0x94,
+		0x34,0x78,0xe4,0x3d,0x35,0xa1,0xd4,0xa9,0xa3,0x7e,0xe4,0x57,0xef,0xa4,0x9a,0x6a,
+		0x32,0xb3,0x9f,0xf8,0x3a,0xcf,0xea,0xf4,0xc7,0x59,0x92,0xd4,0x2a,0x5b,0x26,0x83,
+		0x78,0x30,0x5f,0xdf,0x46,0xa6,0xb0,0x28,0x37,0x2b,0x55,0x08,0x4c,0xb6,0x6b,0xb8,
+		0xa9,0x11,0x7d,0x0b,0xab,0x97,0x4d,0x8c,0xc3,0xbf,0x3b,0xcd,0x3e,0xad,0x80,0xce,
+		0xe8,0xc6,0x01,0x35,0xd2,0x3e,0x31,0xdc,0x96,0xd7,0xc3,0xab,0x65,0xd1,0xc4,0xa3,
+		0x47,0x14,0xa9,0xba,0xd0,0x30,
+	),
+};
+
+START_TEST(test_load)
+{
+	private_key_t *privkey;
+	public_key_t *pubkey;
+
+	privkey = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_RSA,
+								 BUILD_BLOB_ASN1_DER, keys[_i], BUILD_END);
+	ck_assert(privkey != NULL);
+	pubkey = privkey->get_public_key(privkey);
+	ck_assert(pubkey != NULL);
+
+	test_good_sig(privkey, pubkey);
+
+	test_bad_sigs(pubkey);
+
+	pubkey->destroy(pubkey);
+	privkey->destroy(privkey);
+}
+END_TEST
+
+Suite *rsa_suite_create()
+{
+	Suite *s;
+	TCase *tc;
+
+	s = suite_create("rsa");
+
+	tc = tcase_create("generate");
+	tcase_add_loop_test(tc, test_gen, 0, countof(key_sizes));
+	tcase_set_timeout(tc, 8);
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("load");
+	tcase_add_loop_test(tc, test_load, 0, countof(keys));
+	suite_add_tcase(s, tc);
+
+	return s;
+}
diff --git a/src/libstrongswan/tests/test_runner.c b/src/libstrongswan/tests/test_runner.c
new file mode 100644
index 000000000..e7a04fd9a
--- /dev/null
+++ b/src/libstrongswan/tests/test_runner.c
@@ -0,0 +1,105 @@
+/*
+ * Copyright (C) 2013 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <unistd.h>
+
+#include "test_runner.h"
+
+#include <library.h>
+#include <plugins/plugin_feature.h>
+
+#include <dirent.h>
+
+/**
+ * Load plugins from builddir
+ */
+static bool load_plugins()
+{
+	enumerator_t *enumerator;
+	char *name, path[PATH_MAX], dir[64];
+
+	enumerator = enumerator_create_token(PLUGINS, " ", "");
+	while (enumerator->enumerate(enumerator, &name))
+	{
+		snprintf(dir, sizeof(dir), "%s", name);
+		translate(dir, "-", "_");
+		snprintf(path, sizeof(path), "%s/%s/.libs", PLUGINDIR, dir);
+		lib->plugins->add_path(lib->plugins, path);
+	}
+	enumerator->destroy(enumerator);
+
+	return lib->plugins->load(lib->plugins, PLUGINS);
+}
+
+int main()
+{
+	SRunner *sr;
+	int nf;
+
+	/* test cases are forked and there is no cleanup, so disable leak detective.
+	 * if test_suite.h is included leak detective is enabled in test cases */
+	setenv("LEAK_DETECTIVE_DISABLE", "1", 1);
+	/* redirect all output to stderr (to redirect make's stdout to /dev/null) */
+	dup2(2, 1);
+
+	library_init(NULL);
+
+	/* use non-blocking RNG to generate keys fast */
+	lib->settings->set_default_str(lib->settings,
+			"libstrongswan.plugins.random.random",
+			lib->settings->get_str(lib->settings,
+				"libstrongswan.plugins.random.urandom", "/dev/urandom"));
+
+	if (!load_plugins())
+	{
+		library_deinit();
+		return EXIT_FAILURE;
+	}
+	lib->plugins->status(lib->plugins, LEVEL_CTRL);
+
+	sr = srunner_create(NULL);
+	srunner_add_suite(sr, bio_reader_suite_create());
+	srunner_add_suite(sr, bio_writer_suite_create());
+	srunner_add_suite(sr, chunk_suite_create());
+	srunner_add_suite(sr, enum_suite_create());
+	srunner_add_suite(sr, enumerator_suite_create());
+	srunner_add_suite(sr, linked_list_suite_create());
+	srunner_add_suite(sr, linked_list_enumerator_suite_create());
+	srunner_add_suite(sr, hashtable_suite_create());
+	srunner_add_suite(sr, array_suite_create());
+	srunner_add_suite(sr, identification_suite_create());
+	srunner_add_suite(sr, threading_suite_create());
+	srunner_add_suite(sr, utils_suite_create());
+	srunner_add_suite(sr, host_suite_create());
+	srunner_add_suite(sr, vectors_suite_create());
+	if (lib->plugins->has_feature(lib->plugins,
+								  PLUGIN_DEPENDS(PRIVKEY_GEN, KEY_RSA)))
+	{
+		srunner_add_suite(sr, rsa_suite_create());
+	}
+	if (lib->plugins->has_feature(lib->plugins,
+								  PLUGIN_DEPENDS(PRIVKEY_GEN, KEY_ECDSA)))
+	{
+		srunner_add_suite(sr, ecdsa_suite_create());
+	}
+
+	srunner_run_all(sr, CK_NORMAL);
+	nf = srunner_ntests_failed(sr);
+
+	srunner_free(sr);
+	library_deinit();
+
+	return (nf == 0) ? EXIT_SUCCESS : EXIT_FAILURE;
+}
diff --git a/src/libstrongswan/tests/test_runner.h b/src/libstrongswan/tests/test_runner.h
new file mode 100644
index 000000000..e9381756c
--- /dev/null
+++ b/src/libstrongswan/tests/test_runner.h
@@ -0,0 +1,38 @@
+/*
+ * Copyright (C) 2013 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#ifndef TEST_RUNNER_H_
+#define TEST_RUNNER_H_
+
+#include <check.h>
+
+Suite *bio_reader_suite_create();
+Suite *bio_writer_suite_create();
+Suite *chunk_suite_create();
+Suite *enum_suite_create();
+Suite *enumerator_suite_create();
+Suite *linked_list_suite_create();
+Suite *linked_list_enumerator_suite_create();
+Suite *hashtable_suite_create();
+Suite *array_suite_create();
+Suite *identification_suite_create();
+Suite *threading_suite_create();
+Suite *utils_suite_create();
+Suite *vectors_suite_create();
+Suite *ecdsa_suite_create();
+Suite *rsa_suite_create();
+Suite *host_suite_create();
+
+#endif /** TEST_RUNNER_H_ */
diff --git a/src/libstrongswan/tests/test_suite.h b/src/libstrongswan/tests/test_suite.h
new file mode 100644
index 000000000..edf16f128
--- /dev/null
+++ b/src/libstrongswan/tests/test_suite.h
@@ -0,0 +1,101 @@
+/*
+ * Copyright (C) 2013 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#ifndef TEST_UTILS_H_
+#define TEST_UTILS_H_
+
+#include <check.h>
+#include <library.h>
+#include <utils/debug.h>
+
+/**
+ * Used to mark test cases that use test fixtures.
+ */
+#define UNIT_TEST_FIXTURE_USED "UNIT_TEST_FIXTURE_USED"
+
+/**
+ * Check for memory leaks and fail if any are encountered.
+ */
+#define CHECK_FOR_LEAKS() do \
+{ \
+	if (lib->leak_detective->leaks(lib->leak_detective)) { \
+		lib->leak_detective->report(lib->leak_detective, TRUE); \
+	} \
+	ck_assert_int_eq(lib->leak_detective->leaks(lib->leak_detective), 0); \
+} \
+while(0)
+
+/**
+ * Extended versions of the START|END_TEST macros that use leak detective.
+ *
+ * Since each test case runs in its own fork of the test runner the stuff
+ * allocated before the test starts is not freed, so leak detective is disabled
+ * by default to prevent false positives.  By enabling it right when the test
+ * starts we at least capture leaks created by the tested objects/functions and
+ * the test case itself.  This allows writing test cases for cleanup functions.
+ *
+ * To define test fixture with possibly allocated/destroyed memory that is
+ * allocated/freed in a test case use the START|END_SETUP|TEARDOWN macros.
+ */
+#undef START_TEST
+#define START_TEST(name) \
+static void name (int _i CK_ATTRIBUTE_UNUSED) \
+{ \
+	tcase_fn_start(""#name, __FILE__, __LINE__); \
+	dbg_default_set_level(LEVEL_SILENT); \
+	lib->leak_detective->set_state(lib->leak_detective, TRUE);
+
+#undef END_TEST
+#define END_TEST \
+	if (!lib->get(lib, UNIT_TEST_FIXTURE_USED)) \
+	{ \
+		CHECK_FOR_LEAKS(); \
+	} \
+}
+
+/**
+ * Define a function to setup a test fixture that can be used with the above
+ * macros.
+ */
+#define START_SETUP(name) \
+static void name() \
+{ \
+	lib->set(lib, UNIT_TEST_FIXTURE_USED, (void*)TRUE); \
+	lib->leak_detective->set_state(lib->leak_detective, TRUE);
+
+/**
+ * End a setup function
+ */
+#define END_SETUP }
+
+/**
+ * Define a function to teardown a test fixture that can be used with the above
+ * macros.
+ */
+#define START_TEARDOWN(name) \
+static void name() \
+{
+
+/**
+ * End a teardown function
+ */
+#define END_TEARDOWN \
+	if (lib->get(lib, UNIT_TEST_FIXTURE_USED)) \
+	{ \
+		CHECK_FOR_LEAKS(); \
+	} \
+}
+
+#endif /** TEST_UTILS_H_ */
diff --git a/src/libstrongswan/tests/test_threading.c b/src/libstrongswan/tests/test_threading.c
new file mode 100644
index 000000000..0c768b3e2
--- /dev/null
+++ b/src/libstrongswan/tests/test_threading.c
@@ -0,0 +1,110 @@
+/*
+ * Copyright (C) 2013 Tobias Brunner
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <sched.h>
+#include <pthread.h>
+
+#include "test_suite.h"
+
+#include <threading/mutex.h>
+
+/*******************************************************************************
+ * recursive mutex test
+ */
+
+#define THREADS 20
+
+static mutex_t *mutex;
+
+static pthread_barrier_t mutex_barrier;
+
+static int mutex_locked = 0;
+
+static void *mutex_run(void *data)
+{
+	int i;
+
+	/* wait for all threads before getting in action */
+	pthread_barrier_wait(&mutex_barrier);
+
+	for (i = 0; i < 100; i++)
+	{
+		mutex->lock(mutex);
+		mutex->lock(mutex);
+		mutex->lock(mutex);
+		mutex_locked++;
+		sched_yield();
+		if (mutex_locked > 1)
+		{
+			fail("two threads locked the mutex concurrently");
+		}
+		mutex_locked--;
+		mutex->unlock(mutex);
+		mutex->unlock(mutex);
+		mutex->unlock(mutex);
+	}
+	return NULL;
+}
+
+START_TEST(test_mutex)
+{
+	pthread_t threads[THREADS];
+	int i;
+
+	mutex = mutex_create(MUTEX_TYPE_RECURSIVE);
+
+	for (i = 0; i < 10; i++)
+	{
+		mutex->lock(mutex);
+		mutex->unlock(mutex);
+	}
+	for (i = 0; i < 10; i++)
+	{
+		mutex->lock(mutex);
+	}
+	for (i = 0; i < 10; i++)
+	{
+		mutex->unlock(mutex);
+	}
+
+	pthread_barrier_init(&mutex_barrier, NULL, THREADS);
+	for (i = 0; i < THREADS; i++)
+	{
+		pthread_create(&threads[i], NULL, mutex_run, NULL);
+	}
+	for (i = 0; i < THREADS; i++)
+	{
+		pthread_join(threads[i], NULL);
+	}
+	pthread_barrier_destroy(&mutex_barrier);
+
+	mutex->destroy(mutex);
+}
+END_TEST
+
+Suite *threading_suite_create()
+{
+	Suite *s;
+	TCase *tc;
+
+	s = suite_create("threading");
+
+	tc = tcase_create("recursive mutex");
+	tcase_add_test(tc, test_mutex);
+	suite_add_tcase(s, tc);
+
+	return s;
+}
diff --git a/src/libstrongswan/tests/test_utils.c b/src/libstrongswan/tests/test_utils.c
new file mode 100644
index 000000000..d9f1726ff
--- /dev/null
+++ b/src/libstrongswan/tests/test_utils.c
@@ -0,0 +1,464 @@
+/*
+ * Copyright (C) 2013 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "test_suite.h"
+
+#include <library.h>
+#include <utils/utils.h>
+
+#include <time.h>
+
+/*******************************************************************************
+ * object storage on lib
+ */
+
+START_TEST(test_objects)
+{
+	char *k1 = "key1", *k2 = "key2";
+	char *v1 = "val1", *val;
+
+	ck_assert(lib->get(lib, k1) == NULL);
+
+	ck_assert(lib->set(lib, k1, v1));
+	ck_assert(!lib->set(lib, k1, v1));
+
+	val = lib->get(lib, k1);
+	ck_assert(val != NULL);
+	ck_assert(streq(val, v1));
+
+	ck_assert(lib->set(lib, k1, NULL));
+	ck_assert(!lib->set(lib, k2, NULL));
+
+	ck_assert(lib->get(lib, k1) == NULL);
+}
+END_TEST
+
+/*******************************************************************************
+ * test return_... functions
+ */
+
+START_TEST(test_return_functions)
+{
+	ck_assert(return_null() == NULL);
+	ck_assert(return_null("asdf", 5, NULL, 1, "qwer") == NULL);
+
+	ck_assert(return_true() == TRUE);
+	ck_assert(return_true("asdf", 5, NULL, 1, "qwer") == TRUE);
+
+	ck_assert(return_false() == FALSE);
+	ck_assert(return_false("asdf", 5, NULL, 1, "qwer") == FALSE);
+
+	ck_assert(return_failed() == FAILED);
+	ck_assert(return_failed("asdf", 5, NULL, 1, "qwer") == FAILED);
+
+	ck_assert(return_success() == SUCCESS);
+	ck_assert(return_success("asdf", 5, NULL, 1, "qwer") == SUCCESS);
+
+	/* just make sure this works */
+	nop();
+	nop("asdf", 5, NULL, 1, "qwer");
+}
+END_TEST
+
+/*******************************************************************************
+ * timeval_add_ms
+ */
+
+START_TEST(test_timeval_add_ms)
+{
+	timeval_t tv;
+
+	tv.tv_sec = 0;
+	tv.tv_usec = 0;
+	timeval_add_ms(&tv, 0);
+	ck_assert_int_eq(tv.tv_sec, 0);
+	ck_assert_int_eq(tv.tv_usec, 0);
+
+	timeval_add_ms(&tv, 1);
+	ck_assert_int_eq(tv.tv_sec, 0);
+	ck_assert_int_eq(tv.tv_usec, 1000);
+
+	timeval_add_ms(&tv, 0);
+	ck_assert_int_eq(tv.tv_sec, 0);
+	ck_assert_int_eq(tv.tv_usec, 1000);
+
+	timeval_add_ms(&tv, 999);
+	ck_assert_int_eq(tv.tv_sec, 1);
+	ck_assert_int_eq(tv.tv_usec, 0);
+
+	timeval_add_ms(&tv, 0);
+	ck_assert_int_eq(tv.tv_sec, 1);
+	ck_assert_int_eq(tv.tv_usec, 0);
+
+	timeval_add_ms(&tv, 1000);
+	ck_assert_int_eq(tv.tv_sec, 2);
+	ck_assert_int_eq(tv.tv_usec, 0);
+
+	timeval_add_ms(&tv, 1500);
+	ck_assert_int_eq(tv.tv_sec, 3);
+	ck_assert_int_eq(tv.tv_usec, 500000);
+}
+END_TEST
+
+/*******************************************************************************
+ * htoun/untoh
+ */
+
+START_TEST(test_htoun)
+{
+	chunk_t net64, expected;
+	u_int16_t host16 = 513;
+	u_int32_t net16 = 0, host32 = 67305985;
+	u_int64_t net32 = 0, host64 = 578437695752307201ULL;
+
+	net64 = chunk_alloca(16);
+	memset(net64.ptr, 0, net64.len);
+
+	expected = chunk_from_chars(0x00, 0x02, 0x01, 0x00);
+	htoun16((char*)&net16 + 1, host16);
+	ck_assert(chunk_equals(expected, chunk_from_thing(net16)));
+
+	expected = chunk_from_chars(0x00, 0x00, 0x04, 0x03, 0x02, 0x01, 0x00, 0x00);
+	htoun32((u_int16_t*)&net32 + 1, host32);
+	ck_assert(chunk_equals(expected, chunk_from_thing(net32)));
+
+	expected = chunk_from_chars(0x00, 0x00, 0x00, 0x00,
+								0x08, 0x07, 0x06, 0x05,
+								0x04, 0x03, 0x02, 0x01,
+								0x00, 0x00, 0x00, 0x00);
+	htoun64((u_int32_t*)net64.ptr + 1, host64);
+	ck_assert(chunk_equals(expected, net64));
+}
+END_TEST
+
+START_TEST(test_untoh)
+{
+	chunk_t net;
+	u_int16_t host16;
+	u_int32_t host32;
+	u_int64_t host64;
+
+	net = chunk_from_chars(0x00, 0x02, 0x01, 0x00);
+	host16 = untoh16(net.ptr + 1);
+	ck_assert(host16 == 513);
+
+	net = chunk_from_chars(0x00, 0x00, 0x04, 0x03, 0x02, 0x01, 0x00, 0x00);
+	host32 = untoh32(net.ptr + 2);
+	ck_assert(host32 == 67305985);
+
+	net = chunk_from_chars(0x00, 0x00, 0x00, 0x00, 0x08, 0x07, 0x06, 0x05,
+						   0x04, 0x03, 0x02, 0x01, 0x00, 0x00, 0x00, 0x00);
+	host64 = untoh64(net.ptr + 4);
+	ck_assert(host64 == 578437695752307201ULL);
+}
+END_TEST
+
+/*******************************************************************************
+ * round_up/down
+ */
+
+START_TEST(test_round)
+{
+	ck_assert_int_eq(round_up(0, 4), 0);
+	ck_assert_int_eq(round_up(1, 4), 4);
+	ck_assert_int_eq(round_up(2, 4), 4);
+	ck_assert_int_eq(round_up(3, 4), 4);
+	ck_assert_int_eq(round_up(4, 4), 4);
+	ck_assert_int_eq(round_up(5, 4), 8);
+
+	ck_assert_int_eq(round_down(0, 4), 0);
+	ck_assert_int_eq(round_down(1, 4), 0);
+	ck_assert_int_eq(round_down(2, 4), 0);
+	ck_assert_int_eq(round_down(3, 4), 0);
+	ck_assert_int_eq(round_down(4, 4), 4);
+	ck_assert_int_eq(round_down(5, 4), 4);
+}
+END_TEST
+
+/*******************************************************************************
+ * memxor
+ */
+
+static void do_memxor(chunk_t a, chunk_t b, chunk_t exp)
+{
+	chunk_t dst;
+
+	dst = chunk_clonea(a);
+	dst.len = b.len;
+	memxor(dst.ptr, b.ptr, b.len);
+	ck_assert(chunk_equals(dst, exp));
+}
+
+START_TEST(test_memxor)
+{
+	chunk_t a, b, dst;
+	int i;
+
+	a = chunk_alloca(64);
+	memset(a.ptr, 0, a.len);
+	b = chunk_alloca(64);
+	for (i = 0; i < 64; i++)
+	{
+		b.ptr[i] = i;
+		b.len = i;
+		do_memxor(a, b, b);
+	}
+	b.len = 64;
+	do_memxor(a, b, b);
+
+	dst = chunk_clonea(a);
+	memxor(dst.ptr, b.ptr, b.len);
+	ck_assert(chunk_equals(dst, b));
+
+	memxor(dst.ptr, b.ptr, 0);
+	memxor(dst.ptr, b.ptr, 1);
+	memxor(dst.ptr + 1, b.ptr + 1, 1);
+	memxor(dst.ptr + 2, b.ptr + 2, b.len - 2);
+	ck_assert(chunk_equals(dst, a));
+}
+END_TEST
+
+START_TEST(test_memxor_aligned)
+{
+	u_int64_t a = 0, b = 0;
+	chunk_t ca, cb;
+	int i;
+
+	ca = chunk_from_thing(a);
+	cb = chunk_from_thing(b);
+
+	for (i = 0; i < 8; i++)
+	{
+		cb.ptr[i] = i + 1;
+	}
+
+	/* 64-bit aligned */
+	memxor(ca.ptr, cb.ptr, 8);
+	ck_assert(a == b);
+	/* 32-bit aligned source */
+	a = 0;
+	memxor(ca.ptr, cb.ptr + 4, 4);
+	ck_assert(chunk_equals(ca, chunk_from_chars(0x05, 0x06, 0x07, 0x08,
+												0x00, 0x00, 0x00, 0x00)));
+	/* 16-bit aligned source */
+	a = 0;
+	memxor(ca.ptr, cb.ptr + 2, 6);
+	ck_assert(chunk_equals(ca, chunk_from_chars(0x03, 0x04, 0x05, 0x06,
+												0x07, 0x08, 0x00, 0x00)));
+	/* 8-bit aligned source */
+	a = 0;
+	memxor(ca.ptr, cb.ptr + 1, 7);
+	ck_assert(chunk_equals(ca, chunk_from_chars(0x02, 0x03, 0x04, 0x05,
+												0x06, 0x07, 0x08, 0x00)));
+}
+END_TEST
+
+/*******************************************************************************
+ * memstr
+ */
+
+static struct {
+	char *haystack;
+	char *needle;
+	size_t n;
+	int offset;
+} memstr_data[] = {
+	{NULL, NULL, 0, -1},
+	{NULL, NULL, 3, -1},
+	{NULL, "abc", 0, -1},
+	{NULL, "abc", 3, -1},
+	{"", "", 0, -1},
+	{"abc", NULL, 3, -1},
+	{"abc", "", 3, -1},
+	{"abc", "abc", 3, 0},
+	{" abc", "abc", 4, 1},
+	{" abc", "abc", 3, -1},
+	{"abcabc", "abc", 6, 0},
+	{" abc ", "abc", 5, 1},
+};
+
+START_TEST(test_memstr)
+{
+	char *ret;
+
+	ret = memstr(memstr_data[_i].haystack, memstr_data[_i].needle, memstr_data[_i].n);
+	if (memstr_data[_i].offset >= 0)
+	{
+		ck_assert(ret == memstr_data[_i].haystack + memstr_data[_i].offset);
+	}
+	else
+	{
+		ck_assert(ret == NULL);
+	}
+}
+END_TEST
+
+/*******************************************************************************
+ * translate
+ */
+
+static struct {
+	char *in;
+	char *from;
+	char *to;
+	char *out;
+} translate_data[] = {
+	{NULL, "", "", NULL},
+	{"abc", "", "", "abc"},
+	{"abc", "", "x", "abc"},
+	{"abc", "x", "", "abc"},
+	{"abc", "abc", "xyz", "xyz"},
+	{"aabbcc", "abc", "xyz", "xxyyzz"},
+	{"abbaccb", "abc", "xyz", "xyyxzzy"},
+	{"abxyzc", "abc", "xyz", "xyxyzz"},
+	{"abcdef", "abc", "xyz", "xyzdef"},
+	{"aaa", "abc", "xyz", "xxx"},
+	{"abc", "aaa", "xyz", "xbc"},
+	{"abc", "abc", "xxx", "xxx"},
+};
+
+START_TEST(test_translate)
+{
+	char *str, *ret;
+
+	str = strdupnull(translate_data[_i].in);
+	ret = translate(str, translate_data[_i].from, translate_data[_i].to);
+	ck_assert(ret == str);
+	if (ret != translate_data[_i].out)
+	{
+		ck_assert_str_eq(str, translate_data[_i].out);
+	}
+	free(str);
+}
+END_TEST
+
+/*******************************************************************************
+ * time_printf_hook
+ */
+
+static struct {
+	time_t in;
+	bool utc;
+	char *out;
+} time_data[] = {
+	{UNDEFINED_TIME, FALSE, "--- -- --:--:-- ----"},
+	{UNDEFINED_TIME, TRUE , "--- -- --:--:-- UTC ----"},
+	{1, FALSE, "Jan 01 01:00:01 1970"},
+	{1, TRUE , "Jan 01 00:00:01 UTC 1970"},
+	{1341150196, FALSE, "Jul 01 15:43:16 2012"},
+	{1341150196, TRUE , "Jul 01 13:43:16 UTC 2012"},
+};
+
+START_TEST(test_time_printf_hook)
+{
+	char buf[32];
+	int len;
+
+	len = snprintf(buf, sizeof(buf), "%T", &time_data[_i].in, time_data[_i].utc);
+	ck_assert(len >= 0 && len < sizeof(buf));
+	ck_assert_str_eq(buf, time_data[_i].out);
+}
+END_TEST
+
+/*******************************************************************************
+ * time_delta_printf_hook
+ */
+
+static struct {
+	time_t a;
+	time_t b;
+	char *out;
+} time_delta_data[] = {
+	{0, 0, "0 seconds"},
+	{0, 1, "1 second"},
+	{0, -1, "1 second"},
+	{1, 0, "1 second"},
+	{0, 2, "2 seconds"},
+	{2, 0, "2 seconds"},
+	{0, 60, "60 seconds"},
+	{0, 120, "120 seconds"},
+	{0, 121, "2 minutes"},
+	{0, 3600, "60 minutes"},
+	{0, 7200, "120 minutes"},
+	{0, 7201, "2 hours"},
+	{0, 86400, "24 hours"},
+	{0, 172800, "48 hours"},
+	{0, 172801, "2 days"},
+	{172801, 86400, "24 hours"},
+};
+
+START_TEST(test_time_delta_printf_hook)
+{
+	char buf[16];
+	int len;
+
+	len = snprintf(buf, sizeof(buf), "%V", &time_delta_data[_i].a, &time_delta_data[_i].b);
+	ck_assert(len >= 0 && len < sizeof(buf));
+	ck_assert_str_eq(buf, time_delta_data[_i].out);
+}
+END_TEST
+
+Suite *utils_suite_create()
+{
+	Suite *s;
+	TCase *tc;
+
+	/* force a timezone to match non-UTC conversions */
+	setenv("TZ", "Europe/Zurich", 1);
+	tzset();
+
+	s = suite_create("utils");
+
+	tc = tcase_create("objects");
+	tcase_add_test(tc, test_objects);
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("return functions");
+	tcase_add_test(tc, test_return_functions);
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("timeval_add_ms");
+	tcase_add_test(tc, test_timeval_add_ms);
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("htoun,untoh");
+	tcase_add_test(tc, test_htoun);
+	tcase_add_test(tc, test_untoh);
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("round");
+	tcase_add_test(tc, test_round);
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("memxor");
+	tcase_add_test(tc, test_memxor);
+	tcase_add_test(tc, test_memxor_aligned);
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("memstr");
+	tcase_add_loop_test(tc, test_memstr, 0, countof(memstr_data));
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("translate");
+	tcase_add_loop_test(tc, test_translate, 0, countof(translate_data));
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("printf_hooks");
+	tcase_add_loop_test(tc, test_time_printf_hook, 0, countof(time_data));
+	tcase_add_loop_test(tc, test_time_delta_printf_hook, 0, countof(time_delta_data));
+	suite_add_tcase(s, tc);
+
+	return s;
+}
diff --git a/src/libstrongswan/tests/test_vectors.c b/src/libstrongswan/tests/test_vectors.c
new file mode 100644
index 000000000..f2817d314
--- /dev/null
+++ b/src/libstrongswan/tests/test_vectors.c
@@ -0,0 +1,41 @@
+/*
+ * Copyright (C) 2013 Martin Willi
+ * Copyright (C) 2013 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "test_suite.h"
+
+/*******************************************************************************
+ * Check if test vectors have been successful during transform registration
+ */
+
+START_TEST(test_vectors)
+{
+	fail_if(lib->crypto->get_test_vector_failures(lib->crypto));
+}
+END_TEST
+
+
+Suite *vectors_suite_create()
+{
+	Suite *s;
+	TCase *tc;
+
+	s = suite_create("vectors");
+
+	tc = tcase_create("failures");
+	tcase_add_test(tc, test_vectors);
+	suite_add_tcase(s, tc);
+
+	return s;
+}
diff --git a/src/libstrongswan/threading/semaphore.h b/src/libstrongswan/threading/semaphore.h
index cdb0a6f19..34d814971 100644
--- a/src/libstrongswan/threading/semaphore.h
+++ b/src/libstrongswan/threading/semaphore.h
@@ -21,6 +21,11 @@
 #ifndef THREADING_SEMAPHORE_H_
 #define THREADING_SEMAPHORE_H_
 
+#ifdef __APPLE__
+/* Mach uses a semaphore_create() call, use a different name for ours */
+#define semaphore_create(x) strongswan_semaphore_create(x)
+#endif /* __APPLE__ */
+
 typedef struct semaphore_t semaphore_t;
 
 /**
diff --git a/src/libstrongswan/threading/thread.c b/src/libstrongswan/threading/thread.c
index d6d98d1ef..eb167d6a4 100644
--- a/src/libstrongswan/threading/thread.c
+++ b/src/libstrongswan/threading/thread.c
@@ -341,7 +341,20 @@ thread_t *thread_create(thread_main_t main, void *arg)
  */
 thread_t *thread_current()
 {
-	return current_thread->get(current_thread);
+	private_thread_t *this;
+
+	this = (private_thread_t*)current_thread->get(current_thread);
+	if (!this)
+	{
+		this = thread_create_internal();
+
+		id_mutex->lock(id_mutex);
+		this->id = next_id++;
+		id_mutex->unlock(id_mutex);
+
+		current_thread->set(current_thread, (void*)this);
+	}
+	return &this->public;
 }
 
 /**
diff --git a/src/libstrongswan/utils/backtrace.c b/src/libstrongswan/utils/backtrace.c
index 77137f9f1..93031908a 100644
--- a/src/libstrongswan/utils/backtrace.c
+++ b/src/libstrongswan/utils/backtrace.c
@@ -52,6 +52,11 @@ struct private_backtrace_t {
 	void *frames[];
 };
 
+/**
+ * Forward declaration of method getter
+ */
+static backtrace_t get_methods();
+
 /**
  * Write a format string with arguments to a FILE line, if it is NULL to DBG
  */
@@ -299,7 +304,7 @@ static bfd_entry_t *get_bfd_entry(char *filename)
 /**
  * Print the source file with line number to file, libbfd variant
  */
-static void print_sourceline(FILE *file, char *filename, void *ptr)
+static void print_sourceline(FILE *file, char *filename, void *ptr, void *base)
 {
 	bfd_entry_t *entry;
 	bfd_find_data_t data = {
@@ -334,13 +339,20 @@ void backtrace_deinit() {}
 /**
  * Print the source file with line number to file, slow addr2line variant
  */
-static void print_sourceline(FILE *file, char *filename, void *ptr)
+static void print_sourceline(FILE *file, char *filename, void *ptr, void* base)
 {
 	char buf[1024];
 	FILE *output;
 	int c, i = 0;
 
+#ifdef __APPLE__
+	snprintf(buf, sizeof(buf), "atos -o %s -l %p %p 2>&1 | tail -n1",
+			 filename, base, ptr);
+#else /* !__APPLE__ */
 	snprintf(buf, sizeof(buf), "addr2line -e %s %p", filename, ptr);
+#endif /* __APPLE__ */
+
+
 	output = popen(buf, "r");
 	if (output)
 	{
@@ -373,11 +385,9 @@ void backtrace_deinit() {}
 METHOD(backtrace_t, log_, void,
 	private_backtrace_t *this, FILE *file, bool detailed)
 {
-#ifdef HAVE_BACKTRACE
+#if defined(HAVE_BACKTRACE) || defined(HAVE_LIBUNWIND_H)
 	size_t i;
-	char **strings;
-
-	strings = backtrace_symbols(this->frames, this->frame_count);
+	char **strings = NULL;
 
 	println(file, " dumping %d stack frame addresses:", this->frame_count);
 	for (i = 0; i < this->frame_count; i++)
@@ -410,19 +420,33 @@ METHOD(backtrace_t, log_, void,
 			}
 			if (detailed && info.dli_fname[0])
 			{
-				print_sourceline(file, (char*)info.dli_fname, ptr);
+				print_sourceline(file, (char*)info.dli_fname,
+								 ptr, info.dli_fbase);
 			}
 		}
 		else
 #endif /* HAVE_DLADDR */
 		{
-			println(file, "    %s", strings[i]);
+#ifdef HAVE_BACKTRACE
+			if (!strings)
+			{
+				strings = backtrace_symbols(this->frames, this->frame_count);
+			}
+			if (strings)
+			{
+				println(file, "    %s", strings[i]);
+			}
+			else
+#endif /* HAVE_BACKTRACE */
+			{
+				println(file, "    %p", this->frames[i]);
+			}
 		}
 	}
-	free (strings);
-#else /* !HAVE_BACKTRACE */
-	println(file, "C library does not support backtrace().");
-#endif /* HAVE_BACKTRACE */
+	free(strings);
+#else /* !HAVE_BACKTRACE && !HAVE_LIBUNWIND_H */
+	println(file, "no support for backtrace()/libunwind");
+#endif /* HAVE_BACKTRACE/HAVE_LIBUNWIND_H */
 }
 
 METHOD(backtrace_t, contains_function, bool,
@@ -512,12 +536,69 @@ METHOD(backtrace_t, create_frame_enumerator, enumerator_t*,
 	return &enumerator->public;
 }
 
+METHOD(backtrace_t, clone, backtrace_t*,
+	private_backtrace_t *this)
+{
+	private_backtrace_t *clone;
+
+	clone = malloc(sizeof(private_backtrace_t) +
+				   this->frame_count * sizeof(void*));
+	memcpy(clone->frames, this->frames, this->frame_count * sizeof(void*));
+	clone->frame_count = this->frame_count;
+
+	clone->public = get_methods();
+
+	return &clone->public;
+}
+
 METHOD(backtrace_t, destroy, void,
 	private_backtrace_t *this)
 {
 	free(this);
 }
 
+#ifdef HAVE_LIBUNWIND_H
+#define UNW_LOCAL_ONLY
+#include <libunwind.h>
+
+/**
+ * libunwind variant for glibc backtrace()
+ */
+static inline int backtrace_unwind(void **frames, int count)
+{
+	unw_context_t context;
+	unw_cursor_t cursor;
+	unw_word_t ip;
+	int depth = 0;
+
+	unw_getcontext(&context);
+	unw_init_local(&cursor, &context);
+	do
+	{
+		unw_get_reg(&cursor, UNW_REG_IP, &ip);
+		frames[depth++] = (void*)ip;
+	}
+	while (depth < count && unw_step(&cursor) > 0);
+
+	return depth;
+}
+#endif /* HAVE_UNWIND */
+
+/**
+ * Get implementation methods of backtrace_t
+ */
+static backtrace_t get_methods()
+{
+	return (backtrace_t) {
+		.log = _log_,
+		.contains_function = _contains_function,
+		.equals = _equals,
+		.clone = _clone,
+		.create_frame_enumerator = _create_frame_enumerator,
+		.destroy = _destroy,
+	};
+}
+
 /**
  * See header
  */
@@ -527,7 +608,9 @@ backtrace_t *backtrace_create(int skip)
 	void *frames[50];
 	int frame_count = 0;
 
-#ifdef HAVE_BACKTRACE
+#ifdef HAVE_LIBUNWIND_H
+	frame_count = backtrace_unwind(frames, countof(frames));
+#elif defined(HAVE_BACKTRACE)
 	frame_count = backtrace(frames, countof(frames));
 #endif /* HAVE_BACKTRACE */
 	frame_count = max(frame_count - skip, 0);
@@ -535,13 +618,7 @@ backtrace_t *backtrace_create(int skip)
 	memcpy(this->frames, frames + skip, frame_count * sizeof(void*));
 	this->frame_count = frame_count;
 
-	this->public = (backtrace_t) {
-		.log = _log_,
-		.contains_function = _contains_function,
-		.equals = _equals,
-		.create_frame_enumerator = _create_frame_enumerator,
-		.destroy = _destroy,
-	};
+	this->public = get_methods();
 
 	return &this->public;
 }
diff --git a/src/libstrongswan/utils/backtrace.h b/src/libstrongswan/utils/backtrace.h
index 62104238d..416f58898 100644
--- a/src/libstrongswan/utils/backtrace.h
+++ b/src/libstrongswan/utils/backtrace.h
@@ -59,6 +59,14 @@ struct backtrace_t {
 	 * @return		TRUE if backtraces are equal
 	 */
 	bool (*equals)(backtrace_t *this, backtrace_t *other);
+
+	/**
+	 * Create a copy of this backtrace.
+	 *
+	 * @return		cloned copy
+	 */
+	backtrace_t* (*clone)(backtrace_t *this);
+
 	/**
 	 * Create an enumerator over the stack frame addresses.
 	 *
diff --git a/src/libstrongswan/utils/capabilities.c b/src/libstrongswan/utils/capabilities.c
index 44a14496c..c5e90b6c3 100644
--- a/src/libstrongswan/utils/capabilities.c
+++ b/src/libstrongswan/utils/capabilities.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2012 Tobias Brunner
+ * Copyright (C) 2012-2013 Tobias Brunner
  * Hochschule fuer Technik Rapperswil
  * Copyright (C) 2012 Martin Willi
  * Copyright (C) 2012 revosec AG
@@ -76,8 +76,116 @@ struct private_capabilities_t {
 #endif
 };
 
-METHOD(capabilities_t, keep, void,
-	private_capabilities_t *this, u_int cap)
+/**
+ * Returns TRUE if the current process/user is member of the given group
+ */
+static bool has_group(gid_t group)
+{
+	gid_t *groups;
+	long ngroups, i;
+	bool found = FALSE;
+
+	if (group == getegid())
+	{	/* it's unspecified if this is part of the list below or not */
+		return TRUE;
+	}
+	ngroups = sysconf(_SC_NGROUPS_MAX);
+	if (ngroups == -1)
+	{
+		DBG1(DBG_LIB, "getting groups for current process failed: %s",
+			 strerror(errno));
+		return FALSE;
+	}
+	groups = calloc(ngroups + 1, sizeof(gid_t));
+	ngroups = getgroups(ngroups, groups);
+	if (ngroups == -1)
+	{
+		DBG1(DBG_LIB, "getting groups for current process failed: %s",
+			 strerror(errno));
+		free(groups);
+		return FALSE;
+	}
+	for (i = 0; i < ngroups; i++)
+	{
+		if (group == groups[i])
+		{
+			found = TRUE;
+			break;
+		}
+	}
+	free(groups);
+	return found;
+}
+
+/**
+ * Verify that the current process has the given capability
+ */
+static bool has_capability(private_capabilities_t *this, u_int cap,
+						   bool *ignore)
+{
+	if (cap == CAP_CHOWN)
+	{	/* if new files/UNIX sockets are created they should be owned by the
+		 * configured user and group.  This requires a call to chown(2).  But
+		 * CAP_CHOWN is not always required. */
+		if (!this->uid || geteuid() == this->uid)
+		{	/* if the owner does not change CAP_CHOWN is not needed */
+			if (!this->gid || has_group(this->gid))
+			{	/* the same applies if the owner is a member of the group */
+				if (ignore)
+				{	/* we don't have to keep this, if requested */
+					*ignore = TRUE;
+				}
+				return TRUE;
+			}
+		}
+	}
+#ifndef CAPABILITIES
+	/* if we can't check the actual capabilities assume only root has it */
+	return geteuid() == 0;
+#endif /* !CAPABILITIES */
+#ifdef CAPABILITIES_LIBCAP
+	cap_flag_value_t val;
+	cap_t caps;
+	bool ok;
+
+	caps = cap_get_proc();
+	if (!caps)
+	{
+		return FALSE;
+	}
+	ok = cap_get_flag(caps, cap, CAP_PERMITTED, &val) == 0 && val == CAP_SET;
+	cap_free(caps);
+	return ok;
+#endif /* CAPABILITIES_LIBCAP */
+#ifdef CAPABILITIES_NATIVE
+	struct __user_cap_header_struct header = {
+#if defined(_LINUX_CAPABILITY_VERSION_3)
+		.version = _LINUX_CAPABILITY_VERSION_3,
+#elif defined(_LINUX_CAPABILITY_VERSION_2)
+		.version = _LINUX_CAPABILITY_VERSION_2,
+#elif defined(_LINUX_CAPABILITY_VERSION_1)
+		.version = _LINUX_CAPABILITY_VERSION_1,
+#else
+		.version = _LINUX_CAPABILITY_VERSION,
+#endif
+	};
+	struct __user_cap_data_struct caps[2];
+	int i = 0;
+
+	if (cap >= 32)
+	{
+		i++;
+		cap -= 32;
+	}
+	return capget(&header, caps) == 0 && caps[i].permitted & (1 << cap);
+#endif /* CAPABILITIES_NATIVE */
+}
+
+/**
+ * Keep the given capability if it is held by the current process.  Returns
+ * FALSE, if this is not the case.
+ */
+static bool keep_capability(private_capabilities_t *this, u_int cap)
 {
 #ifdef CAPABILITIES_LIBCAP
 	cap_set_flag(this->caps, CAP_EFFECTIVE, 1, &cap, CAP_SET);
@@ -96,18 +204,41 @@ METHOD(capabilities_t, keep, void,
 	this->caps[i].permitted |= 1 << cap;
 	this->caps[i].inheritable |= 1 << cap;
 #endif /* CAPABILITIES_NATIVE */
+	return TRUE;
+}
+
+METHOD(capabilities_t, keep, bool,
+	private_capabilities_t *this, u_int cap)
+{
+	bool ignore = FALSE;
+
+	if (!has_capability(this, cap, &ignore))
+	{
+		return FALSE;
+	}
+	else if (ignore)
+	{	/* don't keep capabilities that are not required */
+		return TRUE;
+	}
+	return keep_capability(this, cap);
+}
+
+METHOD(capabilities_t, check, bool,
+	private_capabilities_t *this, u_int cap)
+{
+	return has_capability(this, cap, NULL);
 }
 
 METHOD(capabilities_t, get_uid, uid_t,
 	private_capabilities_t *this)
 {
-	return this->uid;
+	return this->uid ?: geteuid();
 }
 
 METHOD(capabilities_t, get_gid, gid_t,
 	private_capabilities_t *this)
 {
-	return this->gid;
+	return this->gid ?: getegid();
 }
 
 METHOD(capabilities_t, set_uid, void,
@@ -225,7 +356,7 @@ METHOD(capabilities_t, drop, bool,
 	prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0);
 #endif
 
-	if (!init_supplementary_groups(this))
+	if (this->uid && !init_supplementary_groups(this))
 	{
 		DBG1(DBG_LIB, "initializing supplementary groups for %u failed",
 			 this->uid);
@@ -271,7 +402,7 @@ METHOD(capabilities_t, drop, bool,
 #endif /* CAPABILITIES_NATIVE */
 #ifdef CAPABILITIES
 	DBG1(DBG_LIB, "dropped capabilities, running as uid %u, gid %u",
-		 this->uid, this->gid);
+		 geteuid(), getegid());
 #endif /* CAPABILITIES */
 	return TRUE;
 }
@@ -298,6 +429,7 @@ capabilities_t *capabilities_create()
 	INIT(this,
 		.public = {
 			.keep = _keep,
+			.check = _check,
 			.get_uid = _get_uid,
 			.get_gid = _get_gid,
 			.set_uid = _set_uid,
@@ -309,15 +441,9 @@ capabilities_t *capabilities_create()
 		},
 	);
 
-#ifdef CAPABILITIES
 #ifdef CAPABILITIES_LIBCAP
 	this->caps = cap_init();
 #endif /* CAPABILITIES_LIBCAP */
-	if (lib->leak_detective)
-	{
-		keep(this, CAP_SYS_NICE);
-	}
-#endif /* CAPABILITIES */
 
 #ifdef EMULATE_R_FUNCS
 	this->mutex = mutex_create(MUTEX_TYPE_DEFAULT);
diff --git a/src/libstrongswan/utils/capabilities.h b/src/libstrongswan/utils/capabilities.h
index cd23cbf10..fe11a4dfc 100644
--- a/src/libstrongswan/utils/capabilities.h
+++ b/src/libstrongswan/utils/capabilities.h
@@ -1,4 +1,6 @@
 /*
+ * Copyright (C) 2013 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
  * Copyright (C) 2012 Martin Willi
  * Copyright (C) 2012 revosec AG
  *
@@ -21,6 +23,8 @@
 #ifndef CAPABILITIES_H_
 #define CAPABILITIES_H_
 
+typedef struct capabilities_t capabilities_t;
+
 #include <library.h>
 #ifdef HAVE_SYS_CAPABILITY_H
 # include <sys/capability.h>
@@ -28,7 +32,18 @@
 # include <linux/capability.h>
 #endif
 
-typedef struct capabilities_t capabilities_t;
+#ifndef CAP_CHOWN
+# define CAP_CHOWN 0
+#endif
+#ifndef CAP_NET_BIND_SERVICE
+# define CAP_NET_BIND_SERVICE 10
+#endif
+#ifndef CAP_NET_ADMIN
+# define CAP_NET_ADMIN 12
+#endif
+#ifndef CAP_NET_RAW
+# define CAP_NET_RAW 13
+#endif
 
 /**
  * POSIX capability dropping abstraction layer.
@@ -36,11 +51,26 @@ typedef struct capabilities_t capabilities_t;
 struct capabilities_t {
 
 	/**
-	 * Register a capability to keep while calling drop().
+	 * Register a capability to keep while calling drop(). Verifies that the
+	 * capability is currently held.
+	 *
+	 * @note CAP_CHOWN is handled specially as it might not be required.
 	 *
 	 * @param cap		capability to keep
+	 * @return			FALSE if the capability is currently not held
+	 */
+	bool (*keep)(capabilities_t *this,
+				 u_int cap) __attribute__((warn_unused_result));
+
+	/**
+	 * Check if the given capability is currently held.
+	 *
+	 * @note CAP_CHOWN is handled specially as it might not be required.
+	 *
+	 * @param cap		capability to check
+	 * @return			TRUE if the capability is currently held
 	 */
-	void (*keep)(capabilities_t *this, u_int cap);
+	bool (*check)(capabilities_t *this, u_int cap);
 
 	/**
 	 * Get the user ID set through set_uid/resolve_uid.
diff --git a/src/libstrongswan/utils/chunk.c b/src/libstrongswan/utils/chunk.c
index d7f1c31d9..04f3eea7d 100644
--- a/src/libstrongswan/utils/chunk.c
+++ b/src/libstrongswan/utils/chunk.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2008-2009 Tobias Brunner
+ * Copyright (C) 2008-2013 Tobias Brunner
  * Copyright (C) 2005-2006 Martin Willi
  * Copyright (C) 2005 Jan Hutter
  * Hochschule fuer Technik Rapperswil
@@ -16,24 +16,17 @@
  */
 
 #include <stdio.h>
+#include <sys/types.h>
 #include <sys/stat.h>
+#include <fcntl.h>
 #include <unistd.h>
 #include <errno.h>
+#include <pthread.h>
 #include <ctype.h>
 
 #include "chunk.h"
 #include "debug.h"
 
-/* required for chunk_hash */
-#undef get16bits
-#if (defined(__GNUC__) && defined(__i386__))
-#define get16bits(d) (*((const u_int16_t*)(d)))
-#endif
-#if !defined (get16bits)
-#define get16bits(d) ((((u_int32_t)(((const u_int8_t*)(d))[1])) << 8)\
-                      + (u_int32_t)(((const u_int8_t*)(d))[0]) )
-#endif
-
 /**
  * Empty chunk.
  */
@@ -579,72 +572,193 @@ bool chunk_printable(chunk_t chunk, chunk_t *sane, char replace)
 }
 
 /**
- * Described in header.
- *
- * The implementation is based on Paul Hsieh's SuperFastHash:
- *	 http://www.azillionmonkeys.com/qed/hash.html
+ * Helper functions for chunk_mac()
  */
-u_int32_t chunk_hash_inc(chunk_t chunk, u_int32_t hash)
+static inline u_int64_t sipget(u_char *in)
 {
-	u_char *data = chunk.ptr;
-	size_t len = chunk.len;
-	u_int32_t tmp;
-	int rem;
+	u_int64_t v = 0;
+	int i;
 
-	if (!len || data == NULL)
+	for (i = 0; i < 64; i += 8, ++in)
 	{
-		return 0;
+		v |= ((u_int64_t)*in) << i;
 	}
+	return v;
+}
 
-	rem = len & 3;
-	len >>= 2;
+static inline u_int64_t siprotate(u_int64_t v, int shift)
+{
+        return (v << shift) | (v >> (64 - shift));
+}
 
-	/* Main loop */
-	for (; len > 0; --len)
-	{
-		hash += get16bits(data);
-		tmp   = (get16bits(data + 2) << 11) ^ hash;
-		hash  = (hash << 16) ^ tmp;
-		data += 2 * sizeof(u_int16_t);
-		hash += hash >> 11;
-	}
+static inline void sipround(u_int64_t *v0, u_int64_t *v1, u_int64_t *v2,
+							u_int64_t *v3)
+{
+	*v0 += *v1;
+	*v1 = siprotate(*v1, 13);
+	*v1 ^= *v0;
+	*v0 = siprotate(*v0, 32);
+
+	*v2 += *v3;
+	*v3 = siprotate(*v3, 16);
+	*v3 ^= *v2;
+
+	*v2 += *v1;
+	*v1 = siprotate(*v1, 17);
+	*v1 ^= *v2;
+	*v2 = siprotate(*v2, 32);
+
+	*v0 += *v3;
+	*v3 = siprotate(*v3, 21);
+	*v3 ^= *v0;
+}
+
+static inline void sipcompress(u_int64_t *v0, u_int64_t *v1, u_int64_t *v2,
+							   u_int64_t *v3, u_int64_t m)
+{
+	*v3 ^= m;
+	sipround(v0, v1, v2, v3);
+	sipround(v0, v1, v2, v3);
+	*v0 ^= m;
+}
 
-	/* Handle end cases */
+static inline u_int64_t siplast(size_t len, u_char *pos)
+{
+	u_int64_t b;
+	int rem = len & 7;
+
+	b = ((u_int64_t)len) << 56;
 	switch (rem)
 	{
+		case 7:
+			b |= ((u_int64_t)pos[6]) << 48;
+		case 6:
+			b |= ((u_int64_t)pos[5]) << 40;
+		case 5:
+			b |= ((u_int64_t)pos[4]) << 32;
+		case 4:
+			b |= ((u_int64_t)pos[3]) << 24;
 		case 3:
-		{
-			hash += get16bits(data);
-			hash ^= hash << 16;
-			hash ^= data[sizeof(u_int16_t)] << 18;
-			hash += hash >> 11;
-			break;
-		}
+			b |= ((u_int64_t)pos[2]) << 16;
 		case 2:
-		{
-			hash += get16bits(data);
-			hash ^= hash << 11;
-			hash += hash >> 17;
+			b |= ((u_int64_t)pos[1]) <<  8;
+		case 1:
+			b |= ((u_int64_t)pos[0]);
+			break;
+		case 0:
 			break;
+	}
+	return b;
+}
+
+/**
+ * Caculate SipHash-2-4 with an optional first block given as argument.
+ */
+static u_int64_t chunk_mac_inc(chunk_t chunk, u_char *key, u_int64_t m)
+{
+	u_int64_t v0, v1, v2, v3, k0, k1;
+	size_t len = chunk.len;
+	u_char *pos = chunk.ptr, *end;
+
+	end = chunk.ptr + len - (len % 8);
+
+	k0 = sipget(key);
+	k1 = sipget(key + 8);
+
+	v0 = k0 ^ 0x736f6d6570736575ULL;
+	v1 = k1 ^ 0x646f72616e646f6dULL;
+	v2 = k0 ^ 0x6c7967656e657261ULL;
+	v3 = k1 ^ 0x7465646279746573ULL;
+
+	if (m)
+	{
+		sipcompress(&v0, &v1, &v2, &v3, m);
+	}
+
+	/* compression with c = 2 */
+	for (; pos != end; pos += 8)
+	{
+		m = sipget(pos);
+		sipcompress(&v0, &v1, &v2, &v3, m);
+	}
+	sipcompress(&v0, &v1, &v2, &v3, siplast(len, pos));
+
+	/* finalization with d = 4 */
+	v2 ^= 0xff;
+	sipround(&v0, &v1, &v2, &v3);
+	sipround(&v0, &v1, &v2, &v3);
+	sipround(&v0, &v1, &v2, &v3);
+	sipround(&v0, &v1, &v2, &v3);
+	return v0 ^ v1 ^ v2  ^ v3;
+}
+
+/**
+ * Described in header.
+ */
+u_int64_t chunk_mac(chunk_t chunk, u_char *key)
+{
+	return chunk_mac_inc(chunk, key, 0);
+}
+
+/**
+ * Secret key allocated randomly during first use.
+ */
+static u_char key[16];
+
+/**
+ * Static key used in case predictable hash values are required.
+ */
+static u_char static_key[] = {0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
+							  0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f};
+
+/**
+ * Only allocate the key once
+ */
+static pthread_once_t key_allocated = PTHREAD_ONCE_INIT;
+
+/**
+ * Allocate a key on first use, we do this manually to avoid dependencies on
+ * plugins.
+ */
+static void allocate_key()
+{
+	ssize_t len;
+	size_t done = 0;
+	int fd;
+
+	fd = open("/dev/urandom", O_RDONLY);
+	if (fd >= 0)
+	{
+		while (done < sizeof(key))
+		{
+			len = read(fd, key + done, sizeof(key) - done);
+			if (len < 0)
+			{
+				break;
+			}
+			done += len;
 		}
-		case 1:
+		close(fd);
+	}
+	/* on error we use random() to generate the key (better than nothing) */
+	if (done < sizeof(key))
+	{
+		srandom(time(NULL) + getpid());
+		for (; done < sizeof(key); done++)
 		{
-			hash += *data;
-			hash ^= hash << 10;
-			hash += hash >> 1;
-			break;
+			key[done] = (u_char)random();
 		}
 	}
+}
 
-	/* Force "avalanching" of final 127 bits */
-	hash ^= hash << 3;
-	hash += hash >> 5;
-	hash ^= hash << 4;
-	hash += hash >> 17;
-	hash ^= hash << 25;
-	hash += hash >> 6;
-
-	return hash;
+/**
+ * Described in header.
+ */
+u_int32_t chunk_hash_inc(chunk_t chunk, u_int32_t hash)
+{
+	pthread_once(&key_allocated, allocate_key);
+	/* we could use a mac of the previous hash, but this is faster */
+	return chunk_mac_inc(chunk, key, ((u_int64_t)hash) << 32 | hash);
 }
 
 /**
@@ -652,7 +766,24 @@ u_int32_t chunk_hash_inc(chunk_t chunk, u_int32_t hash)
  */
 u_int32_t chunk_hash(chunk_t chunk)
 {
-	return chunk_hash_inc(chunk, chunk.len);
+	pthread_once(&key_allocated, allocate_key);
+	return chunk_mac(chunk, key);
+}
+
+/**
+ * Described in header.
+ */
+u_int32_t chunk_hash_static_inc(chunk_t chunk, u_int32_t hash)
+{	/* we could use a mac of the previous hash, but this is faster */
+	return chunk_mac_inc(chunk, static_key, ((u_int64_t)hash) << 32 | hash);
+}
+
+/**
+ * Described in header.
+ */
+u_int32_t chunk_hash_static(chunk_t chunk)
+{
+	return chunk_mac(chunk, static_key);
 }
 
 /**
diff --git a/src/libstrongswan/utils/chunk.h b/src/libstrongswan/utils/chunk.h
index bc14b7394..34ba77357 100644
--- a/src/libstrongswan/utils/chunk.h
+++ b/src/libstrongswan/utils/chunk.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2008-2009 Tobias Brunner
+ * Copyright (C) 2008-2013 Tobias Brunner
  * Copyright (C) 2005-2008 Martin Willi
  * Copyright (C) 2005 Jan Hutter
  * Hochschule fuer Technik Rapperswil
@@ -191,9 +191,9 @@ static inline void chunk_clear(chunk_t *chunk)
 #define chunk_from_thing(thing) chunk_create((char*)&(thing), sizeof(thing))
 
 /**
- * Initialize a chunk from a static string, not containing 0-terminator
+ * Initialize a chunk from a string, not containing 0-terminator
  */
-#define chunk_from_str(str) chunk_create(str, strlen(str))
+#define chunk_from_str(str) ({char *x = (str); chunk_create(x, strlen(x));})
 
 /**
  * Allocate a chunk on the heap
@@ -301,15 +301,67 @@ bool chunk_printable(chunk_t chunk, chunk_t *sane, char replace);
 
 /**
  * Computes a 32 bit hash of the given chunk.
- * Note: This hash is only intended for hash tables not for cryptographic purposes.
+ *
+ * @note The output of this function is randomized, that is, it will only
+ * produce the same output for the same input when calling it from the same
+ * process.  For a more predictable hash function use chunk_hash_static()
+ * instead.
+ *
+ * @note This hash is only intended for hash tables not for cryptographic
+ * purposes.
+ *
+ * @param chunk			data to hash
+ * @return				hash value
  */
 u_int32_t chunk_hash(chunk_t chunk);
 
 /**
  * Incremental version of chunk_hash. Use this to hash two or more chunks.
+ *
+ * @param chunk			data to hash
+ * @param hash			previous hash value
+ * @return				hash value
  */
 u_int32_t chunk_hash_inc(chunk_t chunk, u_int32_t hash);
 
+/**
+ * Computes a 32 bit hash of the given chunk.
+ *
+ * Compared to chunk_hash() this will always calculate the same output for the
+ * same input.  Therefore, it should not be used for hash tables (to prevent
+ * hash flooding).
+ *
+ * @note This hash is not intended for cryptographic purposes.
+ *
+ * @param chunk			data to hash
+ * @return				hash value
+ */
+u_int32_t chunk_hash_static(chunk_t chunk);
+
+/**
+ * Incremental version of chunk_hash_static(). Use this to hash two or more
+ * chunks in a predictable way.
+ *
+ * @param chunk			data to hash
+ * @param hash			previous hash value
+ * @return				hash value
+ */
+u_int32_t chunk_hash_static_inc(chunk_t chunk, u_int32_t hash);
+
+/**
+ * Computes a quick MAC from the given chunk and key using SipHash.
+ *
+ * The key must have a length of 128-bit (16 bytes).
+ *
+ * @note While SipHash has strong features using it for cryptographic purposes
+ * is not recommended (in particular because of the rather short output size).
+ *
+ * @param chunk			data to process
+ * @param key			key to use
+ * @return				MAC for given input and key
+ */
+u_int64_t chunk_mac(chunk_t chunk, u_char *key);
+
 /**
  * printf hook function for chunk_t.
  *
diff --git a/src/libstrongswan/utils/enum.c b/src/libstrongswan/utils/enum.c
index 9b3c4d566..3db9a34e0 100644
--- a/src/libstrongswan/utils/enum.c
+++ b/src/libstrongswan/utils/enum.c
@@ -47,7 +47,7 @@ int enum_from_name(enum_name_t *e, char *name)
 
 		for (i = 0; i < count; i++)
 		{
-			if (strcaseeq(name, e->names[i]))
+			if (name && strcaseeq(name, e->names[i]))
 			{
 				return e->first + i;
 			}
diff --git a/src/libstrongswan/utils/identification.c b/src/libstrongswan/utils/identification.c
index 4176320dc..5df3e5fe2 100644
--- a/src/libstrongswan/utils/identification.c
+++ b/src/libstrongswan/utils/identification.c
@@ -276,6 +276,23 @@ METHOD(identification_t, create_part_enumerator, enumerator_t*,
 	}
 }
 
+/**
+ * Print a separator between two RDNs
+ */
+static inline bool print_separator(char **buf, size_t *len)
+{
+	int written;
+
+	written = snprintf(*buf, *len, ", ");
+	if (written < 0 || written >= *len)
+	{
+		return FALSE;
+	}
+	*buf += written;
+	*len -= written;
+	return TRUE;
+}
+
 /**
  * Print a DN with all its RDN in a buffer to present it to the user
  */
@@ -292,8 +309,14 @@ static void dntoa(chunk_t dn, char *buf, size_t len)
 	{
 		empty = FALSE;
 
-		oid = asn1_known_oid(oid_data);
+		/* previous RDN was empty but it wasn't the last one */
+		if (finished && !print_separator(&buf, &len))
+		{
+			break;
+		}
+		finished = FALSE;
 
+		oid = asn1_known_oid(oid_data);
 		if (oid == OID_UNKNOWN)
 		{
 			written = snprintf(buf, len, "%#B=", &oid_data);
@@ -319,21 +342,19 @@ static void dntoa(chunk_t dn, char *buf, size_t len)
 		buf += written;
 		len -= written;
 
-		if (data.ptr + data.len != dn.ptr + dn.len)
-		{
-			written = snprintf(buf, len, ", ");
-			if (written < 0 || written >= len)
-			{
-				break;
-			}
-			buf += written;
-			len -= written;
+		if (!data.ptr)
+		{	/* we can't calculate if we're finished, assume we are */
+			finished = TRUE;
 		}
-		else
+		else if (data.ptr + data.len == dn.ptr + dn.len)
 		{
 			finished = TRUE;
 			break;
 		}
+		else if (!print_separator(&buf, &len))
+		{
+			break;
+		}
 	}
 	if (empty)
 	{
@@ -377,7 +398,7 @@ static status_t atodn(char *src, chunk_t *dn)
 		switch (state)
 		{
 			case SEARCH_OID:
-				if (*src != ' ' && *src != '/' && *src !=  ',')
+				if (*src != ' ' && *src != '/' && *src !=  ',' && *src != '\0')
 				{
 					oid.ptr = src;
 					oid.len = 1;
@@ -418,7 +439,7 @@ static status_t atodn(char *src, chunk_t *dn)
 				{
 					break;
 				}
-				else if (*src != ',' && *src != '/')
+				else if (*src != ',' && *src != '/' && *src != '\0')
 				{
 					name.ptr = src;
 					name.len = 1;
@@ -481,6 +502,11 @@ static status_t atodn(char *src, chunk_t *dn)
 		}
 	} while (*src++ != '\0');
 
+	if (state == READ_OID)
+	{	/* unterminated OID */
+		status = INVALID_ARG;
+	}
+
 	/* build the distinguished name sequence */
 	{
 		int i;
@@ -493,7 +519,6 @@ static status_t atodn(char *src, chunk_t *dn)
 			free(rdns[i].ptr);
 		}
 	}
-
 	if (status != SUCCESS)
 	{
 		free(dn->ptr);
@@ -799,7 +824,7 @@ int identification_printf_hook(printf_hook_data_t *data,
 			dntoa(this->encoded, buf, sizeof(buf));
 			break;
 		case ID_DER_ASN1_GN:
-			snprintf(buf, sizeof(buf), "(ASN.1 general Name");
+			snprintf(buf, sizeof(buf), "(ASN.1 general name)");
 			break;
 		case ID_KEY_ID:
 			if (chunk_printable(this->encoded, NULL, '?') &&
@@ -915,14 +940,15 @@ identification_t *identification_create_from_string(char *string)
 		else
 		{
 			this = identification_create(ID_KEY_ID);
-			this->encoded = chunk_clone(chunk_create(string, strlen(string)));
+			this->encoded = chunk_from_str(strdup(string));
 		}
 		return &this->public;
 	}
 	else if (strchr(string, '@') == NULL)
 	{
-		if (streq(string, "%any")
-		||  streq(string, "%any6")
+		if (streq(string, "")
+		||	streq(string, "%any")
+		||	streq(string, "%any6")
 		||	streq(string, "0.0.0.0")
 		||	streq(string, "*")
 		||	streq(string, "::")
@@ -947,11 +973,7 @@ identification_t *identification_create_from_string(char *string)
 				else
 				{	/* not IPv4, mostly FQDN */
 					this = identification_create(ID_FQDN);
-					this->encoded.len = strlen(string);
-					if (this->encoded.len)
-					{
-						this->encoded.ptr = strdup(string);
-					}
+					this->encoded = chunk_from_str(strdup(string));
 				}
 				return &this->public;
 			}
@@ -968,11 +990,7 @@ identification_t *identification_create_from_string(char *string)
 				else
 				{	/* not IPv4/6 fallback to KEY_ID */
 					this = identification_create(ID_KEY_ID);
-					this->encoded.len = strlen(string);
-					if (this->encoded.len)
-					{
-						this->encoded.ptr = strdup(string);
-					}
+					this->encoded = chunk_from_str(strdup(string));
 				}
 				return &this->public;
 			}
@@ -982,34 +1000,30 @@ identification_t *identification_create_from_string(char *string)
 	{
 		if (*string == '@')
 		{
-			if (*(string + 1) == '#')
+			string++;
+			if (*string == '#')
 			{
 				this = identification_create(ID_KEY_ID);
-				string += 2;
-				this->encoded = chunk_from_hex(
-									chunk_create(string, strlen(string)), NULL);
+				this->encoded = chunk_from_hex(chunk_from_str(string + 1), NULL);
+				return &this->public;
+			}
+			else if (*string == '@')
+			{
+				this = identification_create(ID_USER_FQDN);
+				this->encoded = chunk_clone(chunk_from_str(string + 1));
 				return &this->public;
 			}
 			else
 			{
 				this = identification_create(ID_FQDN);
-				string += 1;
-				this->encoded.len = strlen(string);
-				if (this->encoded.len)
-				{
-					this->encoded.ptr = strdup(string);
-				}
+				this->encoded = chunk_clone(chunk_from_str(string));
 				return &this->public;
 			}
 		}
 		else
 		{
 			this = identification_create(ID_RFC822_ADDR);
-			this->encoded.len = strlen(string);
-			if (this->encoded.len)
-			{
-				this->encoded.ptr = strdup(string);
-			}
+			this->encoded = chunk_from_str(strdup(string));
 			return &this->public;
 		}
 	}
@@ -1079,4 +1093,3 @@ identification_t *identification_create_from_sockaddr(sockaddr_t *sockaddr)
 		}
 	}
 }
-
diff --git a/src/libstrongswan/utils/identification.h b/src/libstrongswan/utils/identification.h
index 00d740765..e62446879 100644
--- a/src/libstrongswan/utils/identification.h
+++ b/src/libstrongswan/utils/identification.h
@@ -241,7 +241,6 @@ struct identification_t {
 	 * no match at all, 1 means a bad match, and 2 a slightly better match.
 	 *
 	 * @param other		the ID containing one or more wildcards
-	 * @param wildcards	returns the number of wildcards, may be NULL
 	 * @return 			match value as described above
 	 */
 	id_match_t (*matches) (identification_t *this, identification_t *other);
diff --git a/src/libstrongswan/utils/integrity_checker.c b/src/libstrongswan/utils/integrity_checker.c
index e962aba70..d59a76232 100644
--- a/src/libstrongswan/utils/integrity_checker.c
+++ b/src/libstrongswan/utils/integrity_checker.c
@@ -91,7 +91,7 @@ METHOD(integrity_checker_t, build_file, u_int32_t,
 
 	*len = sb.st_size;
 	contents = chunk_create(addr, sb.st_size);
-	checksum = chunk_hash(contents);
+	checksum = chunk_hash_static(contents);
 
 	munmap(addr, sb.st_size);
 	close(fd);
@@ -153,7 +153,7 @@ METHOD(integrity_checker_t, build_segment, u_int32_t,
 
 	segment = chunk_create(dli.dli_fbase, dli.dli_saddr - dli.dli_fbase);
 	*len = segment.len;
-	return chunk_hash(segment);
+	return chunk_hash_static(segment);
 }
 
 /**
diff --git a/src/libstrongswan/utils/leak_detective.c b/src/libstrongswan/utils/leak_detective.c
index 6bf4d63cd..ffbc62085 100644
--- a/src/libstrongswan/utils/leak_detective.c
+++ b/src/libstrongswan/utils/leak_detective.c
@@ -1,5 +1,6 @@
 /*
- * Copyright (C) 2006-2008 Martin Willi
+ * Copyright (C) 2013 Tobias Brunner
+ * Copyright (C) 2006-2013 Martin Willi
  * Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -14,20 +15,29 @@
  */
 
 #define _GNU_SOURCE
-#include <sched.h>
 #include <stddef.h>
 #include <string.h>
 #include <stdio.h>
-#include <malloc.h>
 #include <signal.h>
 #include <sys/socket.h>
 #include <netinet/in.h>
 #include <arpa/inet.h>
 #include <unistd.h>
 #include <syslog.h>
-#include <pthread.h>
 #include <netdb.h>
 #include <locale.h>
+#include <dlfcn.h>
+#include <time.h>
+#include <errno.h>
+
+#ifdef __APPLE__
+#include <sys/mman.h>
+#include <malloc/malloc.h>
+/* overload some of our types clashing with mach */
+#define host_t strongswan_host_t
+#define processor_t strongswan_processor_t
+#define thread_t strongswan_thread_t
+#endif /* __APPLE__ */
 
 #include "leak_detective.h"
 
@@ -35,6 +45,8 @@
 #include <utils/debug.h>
 #include <utils/backtrace.h>
 #include <collections/hashtable.h>
+#include <threading/thread_value.h>
+#include <threading/spinlock.h>
 
 typedef struct private_leak_detective_t private_leak_detective_t;
 
@@ -69,21 +81,6 @@ struct private_leak_detective_t {
  */
 #define MEMORY_ALLOC_PATTERN 0xEE
 
-
-static void install_hooks(void);
-static void uninstall_hooks(void);
-static void *malloc_hook(size_t, const void *);
-static void *realloc_hook(void *, size_t, const void *);
-static void free_hook(void*, const void *);
-
-void *(*old_malloc_hook)(size_t, const void *);
-void *(*old_realloc_hook)(void *, size_t, const void *);
-void (*old_free_hook)(void*, const void *);
-
-static u_int count_malloc = 0;
-static u_int count_free = 0;
-static u_int count_realloc = 0;
-
 typedef struct memory_header_t memory_header_t;
 typedef struct memory_tail_t memory_tail_t;
 
@@ -107,6 +104,11 @@ struct memory_header_t {
 	 */
 	backtrace_t *backtrace;
 
+	/**
+	 * Padding to make sizeof(memory_header_t) == 32
+	 */
+	u_int32_t padding[sizeof(void*) == sizeof(u_int32_t) ? 3 : 0];
+
 	/**
 	 * Number of bytes following after the header
 	 */
@@ -136,49 +138,336 @@ struct memory_tail_t {
  * the others on it...
  */
 static memory_header_t first_header = {
-	magic: MEMORY_HEADER_MAGIC,
-	bytes: 0,
-	backtrace: NULL,
-	previous: NULL,
-	next: NULL
+	.magic = MEMORY_HEADER_MAGIC,
 };
 
 /**
- * are the hooks currently installed?
+ * Spinlock to access header linked list
+ */
+static spinlock_t *lock;
+
+/**
+ * Is leak detection currently enabled?
+ */
+static bool enabled = FALSE;
+
+/**
+ * Is leak detection disabled for the current thread?
  */
-static bool installed = FALSE;
+static thread_value_t *thread_disabled;
 
 /**
  * Installs the malloc hooks, enables leak detection
  */
-static void install_hooks()
+static void enable_leak_detective()
+{
+	enabled = TRUE;
+}
+
+/**
+ * Uninstalls the malloc hooks, disables leak detection
+ */
+static void disable_leak_detective()
+{
+	enabled = FALSE;
+}
+
+/**
+ * Enable/Disable leak detective for the current thread
+ *
+ * @return Previous value
+ */
+static bool enable_thread(bool enable)
+{
+	bool before;
+
+	before = thread_disabled->get(thread_disabled) == NULL;
+	thread_disabled->set(thread_disabled, enable ? NULL : (void*)TRUE);
+	return before;
+}
+
+/**
+ * Add a header to the beginning of the list
+ */
+static void add_hdr(memory_header_t *hdr)
 {
-	if (!installed)
+	lock->lock(lock);
+	hdr->next = first_header.next;
+	if (hdr->next)
 	{
-		old_malloc_hook = __malloc_hook;
-		old_realloc_hook = __realloc_hook;
-		old_free_hook = __free_hook;
-		__malloc_hook = malloc_hook;
-		__realloc_hook = realloc_hook;
-		__free_hook = free_hook;
-		installed = TRUE;
+		hdr->next->previous = hdr;
 	}
+	hdr->previous = &first_header;
+	first_header.next = hdr;
+	lock->unlock(lock);
 }
 
 /**
- * Uninstalls the malloc hooks, disables leak detection
+ * Remove a header from the list
+ */
+static void remove_hdr(memory_header_t *hdr)
+{
+	lock->lock(lock);
+	if (hdr->next)
+	{
+		hdr->next->previous = hdr->previous;
+	}
+	hdr->previous->next = hdr->next;
+	lock->unlock(lock);
+}
+
+/**
+ * Check if a header is in the list
+ */
+static bool has_hdr(memory_header_t *hdr)
+{
+	memory_header_t *current;
+	bool found = FALSE;
+
+	lock->lock(lock);
+	for (current = &first_header; current != NULL; current = current->next)
+	{
+		if (current == hdr)
+		{
+			found = TRUE;
+			break;
+		}
+	}
+	lock->unlock(lock);
+
+	return found;
+}
+
+#ifdef __APPLE__
+
+/**
+ * Copy of original default zone, with functions we call in hooks
+ */
+static malloc_zone_t original;
+
+/**
+ * Call original malloc()
+ */
+static void* real_malloc(size_t size)
+{
+	return original.malloc(malloc_default_zone(), size);
+}
+
+/**
+ * Call original free()
+ */
+static void real_free(void *ptr)
+{
+	original.free(malloc_default_zone(), ptr);
+}
+
+/**
+ * Call original realloc()
+ */
+static void* real_realloc(void *ptr, size_t size)
+{
+	return original.realloc(malloc_default_zone(), ptr, size);
+}
+
+/**
+ * Hook definition: static function with _hook suffix, takes additional zone
+ */
+#define HOOK(ret, name, ...) \
+	static ret name ## _hook(malloc_zone_t *_z, __VA_ARGS__)
+
+/**
+ * forward declaration of hooks
+ */
+HOOK(void*, malloc, size_t bytes);
+HOOK(void*, calloc, size_t nmemb, size_t size);
+HOOK(void*, valloc, size_t size);
+HOOK(void, free, void *ptr);
+HOOK(void*, realloc, void *old, size_t bytes);
+
+/**
+ * malloc zone size(), must consider the memory header prepended
+ */
+HOOK(size_t, size, const void *ptr)
+{
+	bool before;
+	size_t size;
+
+	if (enabled)
+	{
+		before = enable_thread(FALSE);
+		if (before)
+		{
+			ptr -= sizeof(memory_header_t);
+		}
+	}
+	size = original.size(malloc_default_zone(), ptr);
+	if (enabled)
+	{
+		enable_thread(before);
+	}
+	return size;
+}
+
+/**
+ * Version of malloc zones we currently support
+ */
+#define MALLOC_ZONE_VERSION 8 /* Snow Leopard */
+
+/**
+ * Hook-in our malloc functions into the default zone
+ */
+static bool register_hooks()
+{
+	malloc_zone_t *zone;
+	void *page;
+
+	zone = malloc_default_zone();
+	if (zone->version != MALLOC_ZONE_VERSION)
+	{
+		DBG1(DBG_CFG, "malloc zone version %d unsupported (requiring %d)",
+			 zone->version, MALLOC_ZONE_VERSION);
+		return FALSE;
+	}
+
+	original = *zone;
+
+	page = (void*)((uintptr_t)zone / getpagesize() * getpagesize());
+	if (mprotect(page, getpagesize(), PROT_WRITE | PROT_READ) != 0)
+	{
+		DBG1(DBG_CFG, "malloc zone unprotection failed: %s", strerror(errno));
+		return FALSE;
+	}
+
+	zone->size = size_hook;
+	zone->malloc = malloc_hook;
+	zone->calloc = calloc_hook;
+	zone->valloc = valloc_hook;
+	zone->free = free_hook;
+	zone->realloc = realloc_hook;
+
+	/* those other functions can be NULLed out to not use them */
+	zone->batch_malloc = NULL;
+	zone->batch_free = NULL;
+	zone->memalign = NULL;
+	zone->free_definite_size = NULL;
+
+	return TRUE;
+}
+
+#else /* !__APPLE__ */
+
+/**
+ * dlsym() might do a malloc(), but we can't do one before we get the malloc()
+ * function pointer. Use this minimalistic malloc implementation instead.
+ */
+static void* malloc_for_dlsym(size_t size)
+{
+	static char buf[1024] = {};
+	static size_t used = 0;
+	char *ptr;
+
+	/* roundup to a multiple of 32 */
+	size = (size - 1) / 32 * 32 + 32;
+
+	if (used + size > sizeof(buf))
+	{
+		return NULL;
+	}
+	ptr = buf + used;
+	used += size;
+	return ptr;
+}
+
+/**
+ * Lookup a malloc function, while disabling wrappers
  */
-static void uninstall_hooks()
+static void* get_malloc_fn(char *name)
 {
-	if (installed)
+	bool before = FALSE;
+	void *fn;
+
+	if (enabled)
+	{
+		before = enable_thread(FALSE);
+	}
+	fn = dlsym(RTLD_NEXT, name);
+	if (enabled)
+	{
+		enable_thread(before);
+	}
+	return fn;
+}
+
+/**
+ * Call original malloc()
+ */
+static void* real_malloc(size_t size)
+{
+	static void* (*fn)(size_t size);
+	static int recursive = 0;
+
+	if (!fn)
 	{
-		__malloc_hook = old_malloc_hook;
-		__free_hook = old_free_hook;
-		__realloc_hook = old_realloc_hook;
-		installed = FALSE;
+		/* checking recursiveness should actually be thread-specific. But as
+		 * it is very likely that the first allocation is done before we go
+		 * multi-threaded, we keep it simple. */
+		if (recursive)
+		{
+			return malloc_for_dlsym(size);
+		}
+		recursive++;
+		fn = get_malloc_fn("malloc");
+		recursive--;
 	}
+	return fn(size);
 }
 
+/**
+ * Call original free()
+ */
+static void real_free(void *ptr)
+{
+	static void (*fn)(void *ptr);
+
+	if (!fn)
+	{
+		fn = get_malloc_fn("free");
+	}
+	return fn(ptr);
+}
+
+/**
+ * Call original realloc()
+ */
+static void* real_realloc(void *ptr, size_t size)
+{
+	static void* (*fn)(void *ptr, size_t size);
+
+	if (!fn)
+	{
+		fn = get_malloc_fn("realloc");
+	}
+	return fn(ptr, size);
+}
+
+/**
+ * Hook definition: plain function overloading existing malloc calls
+ */
+#define HOOK(ret, name, ...) ret name(__VA_ARGS__)
+
+/**
+ * Hook initialization when not using hooks, resolve functions.
+ */
+static bool register_hooks()
+{
+	void *buf = real_malloc(8);
+	real_realloc(buf, 16);
+	real_free(buf);
+	return TRUE;
+}
+
+#endif /* !__APPLE__ */
+
 /**
  * Leak report white list
  *
@@ -194,12 +483,6 @@ char *whitelist[] = {
 	"pthread_setspecific",
 	"__pthread_setspecific",
 	/* glibc functions */
-	"mktime",
-	"ctime",
-	"__gmtime_r",
-	"localtime_r",
-	"tzset",
-	"time_printf_hook",
 	"inet_ntoa",
 	"strerror",
 	"getprotobyname",
@@ -247,18 +530,16 @@ char *whitelist[] = {
 	"Curl_client_write",
 	/* ClearSilver */
 	"nerr_init",
-	/* OpenSSL */
-	"RSA_new_method",
-	"DH_new_method",
-	"ENGINE_load_builtin_engines",
-	"OPENSSL_config",
-	"ecdsa_check",
-	"ERR_put_error",
 	/* libgcrypt */
 	"gcry_control",
 	"gcry_check_version",
 	"gcry_randomize",
 	"gcry_create_nonce",
+	/* OpenSSL: These are needed for unit-tests only, the openssl plugin
+	 * does properly clean up any memory during destroy(). */
+	"ECDSA_do_sign_ex",
+	"ECDSA_verify",
+	"RSA_new_method",
 	/* NSPR */
 	"PR_CallOnce",
 	/* libapr */
@@ -277,6 +558,14 @@ char *whitelist[] = {
 	"gnutls_global_init",
 };
 
+/**
+ * Some functions are hard to whitelist, as they don't use a symbol directly.
+ * Use some static initialization to suppress them on leak reports
+ */
+static void init_static_allocations()
+{
+	tzset();
+}
 
 /**
  * Hashtable hash function
@@ -309,7 +598,8 @@ static bool equals(backtrace_t *a, backtrace_t *b)
  * Summarize and print backtraces
  */
 static int print_traces(private_leak_detective_t *this,
-						FILE *out, int thresh, bool detailed, int *whitelisted)
+						FILE *out, int thresh, int thresh_count,
+						bool detailed, int *whitelisted, size_t *sum)
 {
 	int leaks = 0;
 	memory_header_t *hdr;
@@ -323,11 +613,13 @@ static int print_traces(private_leak_detective_t *this,
 		/** number of allocations */
 		u_int count;
 	} *entry;
+	bool before;
 
-	uninstall_hooks();
+	before = enable_thread(FALSE);
 
 	entries = hashtable_create((hashtable_hash_t)hash,
 							   (hashtable_equals_t)equals, 1024);
+	lock->lock(lock);
 	for (hdr = first_header.next; hdr != NULL; hdr = hdr->next)
 	{
 		if (whitelisted &&
@@ -346,29 +638,37 @@ static int print_traces(private_leak_detective_t *this,
 		else
 		{
 			INIT(entry,
-				.backtrace = hdr->backtrace,
+				.backtrace = hdr->backtrace->clone(hdr->backtrace),
 				.bytes = hdr->bytes,
 				.count = 1,
 			);
-			entries->put(entries, hdr->backtrace, entry);
+			entries->put(entries, entry->backtrace, entry);
+		}
+		if (sum)
+		{
+			*sum += hdr->bytes;
 		}
 		leaks++;
 	}
+	lock->unlock(lock);
 	enumerator = entries->create_enumerator(entries);
 	while (enumerator->enumerate(enumerator, NULL, &entry))
 	{
-		if (!thresh || entry->bytes >= thresh)
+		if (out &&
+			(!thresh || entry->bytes >= thresh) &&
+			(!thresh_count || entry->count >= thresh_count))
 		{
 			fprintf(out, "%d bytes total, %d allocations, %d bytes average:\n",
 					entry->bytes, entry->count, entry->bytes / entry->count);
 			entry->backtrace->log(entry->backtrace, out, detailed);
 		}
+		entry->backtrace->destroy(entry->backtrace);
 		free(entry);
 	}
 	enumerator->destroy(enumerator);
 	entries->destroy(entries);
 
-	install_hooks();
+	enable_thread(before);
 	return leaks;
 }
 
@@ -377,9 +677,10 @@ METHOD(leak_detective_t, report, void,
 {
 	if (lib->leak_detective)
 	{
-		int leaks = 0, whitelisted = 0;
+		int leaks, whitelisted = 0;
+		size_t sum = 0;
 
-		leaks = print_traces(this, stderr, 0, detailed, &whitelisted);
+		leaks = print_traces(this, stderr, 0, 0, detailed, &whitelisted, &sum);
 		switch (leaks)
 		{
 			case 0:
@@ -389,7 +690,7 @@ METHOD(leak_detective_t, report, void,
 				fprintf(stderr, "One leak detected");
 				break;
 			default:
-				fprintf(stderr, "%d leaks detected", leaks);
+				fprintf(stderr, "%d leaks detected, %zu bytes", leaks, sum);
 				break;
 		}
 		fprintf(stderr, ", %d suppressed by whitelist\n", whitelisted);
@@ -400,114 +701,115 @@ METHOD(leak_detective_t, report, void,
 	}
 }
 
-METHOD(leak_detective_t, set_state, bool,
-	private_leak_detective_t *this, bool enable)
+METHOD(leak_detective_t, leaks, int,
+	private_leak_detective_t *this)
 {
-	static struct sched_param oldparams;
-	static int oldpolicy;
-	struct sched_param params;
-	pthread_t thread_id;
-
-	if (enable == installed)
-	{
-		return installed;
-	}
-	thread_id = pthread_self();
-	if (enable)
-	{
-		install_hooks();
-		pthread_setschedparam(thread_id, oldpolicy, &oldparams);
-	}
-	else
+	if (lib->leak_detective)
 	{
-		pthread_getschedparam(thread_id, &oldpolicy, &oldparams);
-		params.__sched_priority = sched_get_priority_max(SCHED_FIFO);
-		pthread_setschedparam(thread_id, SCHED_FIFO, &params);
-		uninstall_hooks();
+		int leaks, whitelisted = 0;
+
+		leaks = print_traces(this, NULL, 0, 0, FALSE, &whitelisted, NULL);
+		return leaks;
 	}
-	installed = enable;
-	return !installed;
+	return 0;
+}
+
+METHOD(leak_detective_t, set_state, bool,
+	private_leak_detective_t *this, bool enable)
+{
+	return enable_thread(enable);
 }
 
 METHOD(leak_detective_t, usage, void,
 	private_leak_detective_t *this, FILE *out)
 {
-	int oldpolicy, thresh;
 	bool detailed;
-	pthread_t thread_id = pthread_self();
-	struct sched_param oldparams, params;
+	int thresh, thresh_count;
+	size_t sum = 0;
 
 	thresh = lib->settings->get_int(lib->settings,
 					"libstrongswan.leak_detective.usage_threshold", 10240);
+	thresh_count = lib->settings->get_int(lib->settings,
+					"libstrongswan.leak_detective.usage_threshold_count", 0);
 	detailed = lib->settings->get_bool(lib->settings,
 					"libstrongswan.leak_detective.detailed", TRUE);
 
-	pthread_getschedparam(thread_id, &oldpolicy, &oldparams);
-	params.__sched_priority = sched_get_priority_max(SCHED_FIFO);
-	pthread_setschedparam(thread_id, SCHED_FIFO, &params);
-
-	print_traces(this, out, thresh, detailed, NULL);
+	print_traces(this, out, thresh, thresh_count, detailed, NULL, &sum);
 
-	pthread_setschedparam(thread_id, oldpolicy, &oldparams);
+	fprintf(out, "Total memory usage: %zu\n", sum);
 }
 
 /**
- * Hook function for malloc()
+ * Wrapped malloc() function
  */
-void *malloc_hook(size_t bytes, const void *caller)
+HOOK(void*, malloc, size_t bytes)
 {
 	memory_header_t *hdr;
 	memory_tail_t *tail;
-	pthread_t thread_id = pthread_self();
-	int oldpolicy;
-	struct sched_param oldparams, params;
+	bool before;
 
-	pthread_getschedparam(thread_id, &oldpolicy, &oldparams);
-
-	params.__sched_priority = sched_get_priority_max(SCHED_FIFO);
-	pthread_setschedparam(thread_id, SCHED_FIFO, &params);
+	if (!enabled || thread_disabled->get(thread_disabled))
+	{
+		return real_malloc(bytes);
+	}
 
-	count_malloc++;
-	uninstall_hooks();
-	hdr = malloc(sizeof(memory_header_t) + bytes + sizeof(memory_tail_t));
+	hdr = real_malloc(sizeof(memory_header_t) + bytes + sizeof(memory_tail_t));
 	tail = ((void*)hdr) + bytes + sizeof(memory_header_t);
 	/* set to something which causes crashes */
 	memset(hdr, MEMORY_ALLOC_PATTERN,
 		   sizeof(memory_header_t) + bytes + sizeof(memory_tail_t));
 
+	before = enable_thread(FALSE);
+	hdr->backtrace = backtrace_create(2);
+	enable_thread(before);
+
 	hdr->magic = MEMORY_HEADER_MAGIC;
 	hdr->bytes = bytes;
-	hdr->backtrace = backtrace_create(2);
 	tail->magic = MEMORY_TAIL_MAGIC;
-	install_hooks();
-
-	/* insert at the beginning of the list */
-	hdr->next = first_header.next;
-	if (hdr->next)
-	{
-		hdr->next->previous = hdr;
-	}
-	hdr->previous = &first_header;
-	first_header.next = hdr;
 
-	pthread_setschedparam(thread_id, oldpolicy, &oldparams);
+	add_hdr(hdr);
 
 	return hdr + 1;
 }
 
 /**
- * Hook function for free()
+ * Wrapped calloc() function
  */
-void free_hook(void *ptr, const void *caller)
+HOOK(void*, calloc, size_t nmemb, size_t size)
 {
-	memory_header_t *hdr, *current;
+	void *ptr;
+
+	size *= nmemb;
+	ptr = malloc(size);
+	memset(ptr, 0, size);
+
+	return ptr;
+}
+
+/**
+ * Wrapped valloc(), TODO: currently not supported
+ */
+HOOK(void*, valloc, size_t size)
+{
+	DBG1(DBG_LIB, "valloc() used, but leak-detective hook missing");
+	return NULL;
+}
+
+/**
+ * Wrapped free() function
+ */
+HOOK(void, free, void *ptr)
+{
+	memory_header_t *hdr;
 	memory_tail_t *tail;
 	backtrace_t *backtrace;
-	pthread_t thread_id = pthread_self();
-	int oldpolicy;
-	struct sched_param oldparams, params;
-	bool found = FALSE;
+	bool before;
 
+	if (!enabled || thread_disabled->get(thread_disabled))
+	{
+		real_free(ptr);
+		return;
+	}
 	/* allow freeing of NULL */
 	if (ptr == NULL)
 	{
@@ -516,25 +818,11 @@ void free_hook(void *ptr, const void *caller)
 	hdr = ptr - sizeof(memory_header_t);
 	tail = ptr + hdr->bytes;
 
-	pthread_getschedparam(thread_id, &oldpolicy, &oldparams);
-
-	params.__sched_priority = sched_get_priority_max(SCHED_FIFO);
-	pthread_setschedparam(thread_id, SCHED_FIFO, &params);
-
-	count_free++;
-	uninstall_hooks();
+	before = enable_thread(FALSE);
 	if (hdr->magic != MEMORY_HEADER_MAGIC ||
 		tail->magic != MEMORY_TAIL_MAGIC)
 	{
-		for (current = &first_header; current != NULL; current = current->next)
-		{
-			if (current == hdr)
-			{
-				found = TRUE;
-				break;
-			}
-		}
-		if (found)
+		if (has_hdr(hdr))
 		{
 			/* memory was allocated by our hooks but is corrupted */
 			fprintf(stderr, "freeing corrupted memory (%p): "
@@ -544,7 +832,7 @@ void free_hook(void *ptr, const void *caller)
 		else
 		{
 			/* memory was not allocated by our hooks */
-			fprintf(stderr, "freeing invalid memory (%p)", ptr);
+			fprintf(stderr, "freeing invalid memory (%p)\n", ptr);
 		}
 		backtrace = backtrace_create(2);
 		backtrace->log(backtrace, stderr, TRUE);
@@ -552,53 +840,50 @@ void free_hook(void *ptr, const void *caller)
 	}
 	else
 	{
-		/* remove item from list */
-		if (hdr->next)
-		{
-			hdr->next->previous = hdr->previous;
-		}
-		hdr->previous->next = hdr->next;
+		remove_hdr(hdr);
+
 		hdr->backtrace->destroy(hdr->backtrace);
 
 		/* clear MAGIC, set mem to something remarkable */
 		memset(hdr, MEMORY_FREE_PATTERN,
 			   sizeof(memory_header_t) + hdr->bytes + sizeof(memory_tail_t));
 
-		free(hdr);
+		real_free(hdr);
 	}
-
-	install_hooks();
-	pthread_setschedparam(thread_id, oldpolicy, &oldparams);
+	enable_thread(before);
 }
 
 /**
- * Hook function for realloc()
+ * Wrapped realloc() function
  */
-void *realloc_hook(void *old, size_t bytes, const void *caller)
+HOOK(void*, realloc, void *old, size_t bytes)
 {
 	memory_header_t *hdr;
 	memory_tail_t *tail;
 	backtrace_t *backtrace;
-	pthread_t thread_id = pthread_self();
-	int oldpolicy;
-	struct sched_param oldparams, params;
+	bool before;
 
+	if (!enabled || thread_disabled->get(thread_disabled))
+	{
+		return real_realloc(old, bytes);
+	}
 	/* allow reallocation of NULL */
 	if (old == NULL)
 	{
-		return malloc_hook(bytes, caller);
+		return malloc(bytes);
+	}
+	/* handle zero size as a free() */
+	if (bytes == 0)
+	{
+		free(old);
+		return NULL;
 	}
 
 	hdr = old - sizeof(memory_header_t);
 	tail = old + hdr->bytes;
 
-	pthread_getschedparam(thread_id, &oldpolicy, &oldparams);
+	remove_hdr(hdr);
 
-	params.__sched_priority = sched_get_priority_max(SCHED_FIFO);
-	pthread_setschedparam(thread_id, SCHED_FIFO, &params);
-
-	count_realloc++;
-	uninstall_hooks();
 	if (hdr->magic != MEMORY_HEADER_MAGIC ||
 		tail->magic != MEMORY_TAIL_MAGIC)
 	{
@@ -613,33 +898,30 @@ void *realloc_hook(void *old, size_t bytes, const void *caller)
 		/* clear tail magic, allocate, set tail magic */
 		memset(&tail->magic, MEMORY_ALLOC_PATTERN, sizeof(tail->magic));
 	}
-	hdr = realloc(hdr, sizeof(memory_header_t) + bytes + sizeof(memory_tail_t));
+	hdr = real_realloc(hdr,
+					   sizeof(memory_header_t) + bytes + sizeof(memory_tail_t));
 	tail = ((void*)hdr) + bytes + sizeof(memory_header_t);
 	tail->magic = MEMORY_TAIL_MAGIC;
 
 	/* update statistics */
 	hdr->bytes = bytes;
+
+	before = enable_thread(FALSE);
 	hdr->backtrace->destroy(hdr->backtrace);
 	hdr->backtrace = backtrace_create(2);
+	enable_thread(before);
+
+	add_hdr(hdr);
 
-	/* update header of linked list neighbours */
-	if (hdr->next)
-	{
-		hdr->next->previous = hdr;
-	}
-	hdr->previous->next = hdr;
-	install_hooks();
-	pthread_setschedparam(thread_id, oldpolicy, &oldparams);
 	return hdr + 1;
 }
 
 METHOD(leak_detective_t, destroy, void,
 	private_leak_detective_t *this)
 {
-	if (installed)
-	{
-		uninstall_hooks();
-	}
+	disable_leak_detective();
+	lock->destroy(lock);
+	thread_disabled->destroy(thread_disabled);
 	free(this);
 }
 
@@ -653,26 +935,24 @@ leak_detective_t *leak_detective_create()
 	INIT(this,
 		.public = {
 			.report = _report,
+			.leaks = _leaks,
 			.usage = _usage,
 			.set_state = _set_state,
 			.destroy = _destroy,
 		},
 	);
 
-	if (getenv("LEAK_DETECTIVE_DISABLE") == NULL)
-	{
-		cpu_set_t mask;
+	lock = spinlock_create();
+	thread_disabled = thread_value_create(NULL);
 
-		CPU_ZERO(&mask);
-		CPU_SET(0, &mask);
+	init_static_allocations();
 
-		if (sched_setaffinity(0, sizeof(cpu_set_t), &mask) != 0)
+	if (getenv("LEAK_DETECTIVE_DISABLE") == NULL)
+	{
+		if (register_hooks())
 		{
-			fprintf(stderr, "setting CPU affinity failed: %m");
+			enable_leak_detective();
 		}
-
-		install_hooks();
 	}
 	return &this->public;
 }
-
diff --git a/src/libstrongswan/utils/leak_detective.h b/src/libstrongswan/utils/leak_detective.h
index 55d7e44d9..7a29e81d7 100644
--- a/src/libstrongswan/utils/leak_detective.h
+++ b/src/libstrongswan/utils/leak_detective.h
@@ -42,6 +42,13 @@ struct leak_detective_t {
 	 */
 	void (*report)(leak_detective_t *this, bool detailed);
 
+	/**
+	 * Number of detected leaks.
+	 *
+	 * @return				number of leaks
+	 */
+	int (*leaks)(leak_detective_t *this);
+
 	/**
 	 * Report current memory usage to out.
 	 *
@@ -50,7 +57,7 @@ struct leak_detective_t {
 	void (*usage)(leak_detective_t *this, FILE *out);
 
 	/**
-	 * Enable/disable leak detective hooks.
+	 * Enable/disable leak detective hooks for the current thread.
 	 *
 	 * @param				TRUE to enable, FALSE to disable
 	 * @return				state active before calling set_state
@@ -69,4 +76,3 @@ struct leak_detective_t {
 leak_detective_t *leak_detective_create();
 
 #endif /** LEAK_DETECTIVE_H_ @}*/
-
diff --git a/src/libstrongswan/utils/printf_hook.c b/src/libstrongswan/utils/printf_hook.c
index 6e51aa4c3..f030f45c8 100644
--- a/src/libstrongswan/utils/printf_hook.c
+++ b/src/libstrongswan/utils/printf_hook.c
@@ -474,7 +474,6 @@ METHOD(printf_hook_t, destroy, void,
 	/* freeing the Vstr_conf of the main thread */
 	vstr_conf->destroy(vstr_conf);
 	vstr_conf = NULL;
-	vstr_free_conf(conf);
 	vstr_exit();
 #endif
 	free(this);
diff --git a/src/libstrongswan/utils/settings.c b/src/libstrongswan/utils/settings.c
index 712ea6ee2..809ca10ab 100644
--- a/src/libstrongswan/utils/settings.c
+++ b/src/libstrongswan/utils/settings.c
@@ -644,6 +644,26 @@ METHOD(settings_t, set_time, void,
 	va_end(args);
 }
 
+METHOD(settings_t, set_default_str, bool,
+	   private_settings_t *this, char *key, char *value, ...)
+{
+	char *old;
+	va_list args;
+
+	va_start(args, value);
+	old = find_value(this, this->top, key, args);
+	va_end(args);
+
+	if (!old)
+	{
+		va_start(args, value);
+		set_value(this, this->top, key, args, value);
+		va_end(args);
+		return TRUE;
+	}
+	return FALSE;
+}
+
 /**
  * Enumerate section names, not sections
  */
@@ -1209,6 +1229,7 @@ settings_t *settings_create(char *file)
 			.set_double = _set_double,
 			.set_time = _set_time,
 			.set_bool = _set_bool,
+			.set_default_str = _set_default_str,
 			.create_section_enumerator = _create_section_enumerator,
 			.create_key_value_enumerator = _create_key_value_enumerator,
 			.load_files = _load_files,
diff --git a/src/libstrongswan/utils/settings.h b/src/libstrongswan/utils/settings.h
index a861325f5..df0c534e9 100644
--- a/src/libstrongswan/utils/settings.h
+++ b/src/libstrongswan/utils/settings.h
@@ -238,6 +238,16 @@ struct settings_t {
 	 */
 	void (*set_time)(settings_t *this, char *key, u_int32_t value, ...);
 
+	/**
+	 * Set a default for string value.
+	 *
+	 * @param key		key including sections, printf style format
+	 * @param def		value to set if unconfigured
+	 * @param ...		argument list for key
+	 * @return			TRUE if a new default value for key has been set
+	 */
+	bool (*set_default_str)(settings_t *this, char *key, char *value, ...);
+
 	/**
 	 * Create an enumerator over subsection names of a section.
 	 *
diff --git a/src/libstrongswan/utils/utils.c b/src/libstrongswan/utils/utils.c
index 2f38d8a93..30084cd81 100644
--- a/src/libstrongswan/utils/utils.c
+++ b/src/libstrongswan/utils/utils.c
@@ -45,19 +45,6 @@ ENUM(status_names, SUCCESS, NEED_MORE,
 	"NEED_MORE",
 );
 
-/**
- * Described in header.
- */
-void *clalloc(void * pointer, size_t size)
-{
-	void *data;
-	data = malloc(size);
-
-	memcpy(data, pointer, size);
-
-	return (data);
-}
-
 /**
  * Described in header.
  */
@@ -115,7 +102,12 @@ void memwipe_noinline(void *ptr, size_t n)
 void *memstr(const void *haystack, const char *needle, size_t n)
 {
 	unsigned const char *pos = haystack;
-	size_t l = strlen(needle);
+	size_t l;
+
+	if (!haystack || !needle || (l = strlen(needle)) == 0)
+	{
+		return NULL;
+	}
 	for (; n >= l; ++pos, --n)
 	{
 		if (memeq(pos, needle, l))
@@ -474,11 +466,15 @@ static pthread_mutex_t ref_mutex = PTHREAD_MUTEX_INITIALIZER;
 /**
  * Increase refcount
  */
-void ref_get(refcount_t *ref)
+refcount_t ref_get(refcount_t *ref)
 {
+	refcount_t current;
+
 	pthread_mutex_lock(&ref_mutex);
-	(*ref)++;
+	current = ++(*ref);
 	pthread_mutex_unlock(&ref_mutex);
+
+	return current;
 }
 
 /**
diff --git a/src/libstrongswan/utils/utils.h b/src/libstrongswan/utils/utils.h
index c66c665e0..d055f712d 100644
--- a/src/libstrongswan/utils/utils.h
+++ b/src/libstrongswan/utils/utils.h
@@ -81,9 +81,20 @@ static inline bool streq(const char *x, const char *y)
 }
 
 /**
- * Macro compares two strings for equality, length limited
+ * Helper function that compares two strings for equality, length limited
  */
-#define strneq(x,y,len) (strncmp(x, y, len) == 0)
+static inline bool strneq(const char *x, const char *y, size_t len)
+{
+	return strncmp(x, y, len) == 0;
+}
+
+/**
+ * Helper function that checks if a string starts with a given prefix
+ */
+static inline bool strpfx(const char *x, const char *prefix)
+{
+	return strneq(x, prefix, strlen(prefix));
+}
 
 /**
  * Helper function that compares two strings for equality ignoring case
@@ -94,9 +105,12 @@ static inline bool strcaseeq(const char *x, const char *y)
 }
 
 /**
- * Macro compares two strings for equality ignoring case, length limited
+ * Helper function that compares two strings for equality ignoring case, length limited
  */
-#define strncaseeq(x,y,len) (strncasecmp(x, y, len) == 0)
+static inline bool strncaseeq(const char *x, const char *y, size_t len)
+{
+	return strncasecmp(x, y, len) == 0;
+}
 
 /**
  * NULL-safe strdup variant
@@ -107,9 +121,12 @@ static inline char *strdupnull(const char *s)
 }
 
 /**
- * Macro compares two binary blobs for equality
+ * Helper function that compares two binary blobs for equality
  */
-#define memeq(x,y,len) (memcmp(x, y, len) == 0)
+static inline bool memeq(const void *x, const void *y, size_t len)
+{
+	return memcmp(x, y, len) == 0;
+}
 
 /**
  * Macro gives back larger of two values.
@@ -375,11 +392,6 @@ typedef struct timespec timespec_t;
  */
 typedef struct sockaddr sockaddr_t;
 
-/**
- * Clone a data to a newly allocated buffer
- */
-void *clalloc(void *pointer, size_t size);
-
 /**
  * Same as memcpy, but XORs src into dst instead of copy
  */
@@ -423,6 +435,10 @@ static inline void memwipe_inline(void *ptr, size_t n)
  */
 static inline void memwipe(void *ptr, size_t n)
 {
+	if (!ptr)
+	{
+		return;
+	}
 	if (__builtin_constant_p(n))
 	{
 		memwipe_inline(ptr, n);
@@ -503,7 +519,7 @@ time_t time_monotonic(timeval_t *tv);
 static inline void timeval_add_ms(timeval_t *tv, u_int ms)
 {
 	tv->tv_usec += ms * 1000;
-	while (tv->tv_usec > 1000000 /* 1s */)
+	while (tv->tv_usec >= 1000000 /* 1s */)
 	{
 		tv->tv_usec -= 1000000;
 		tv->tv_sec++;
@@ -655,14 +671,36 @@ static inline u_int64_t untoh64(void *network)
 }
 
 /**
- * Special type to count references
+ * Round up size to be multiple of alignement
  */
-typedef volatile u_int refcount_t;
+static inline size_t round_up(size_t size, int alignement)
+{
+	int remainder;
+
+	remainder = size % alignement;
+	if (remainder)
+	{
+		size += alignement - remainder;
+	}
+	return size;
+}
 
+/**
+ * Round down size to be a multiple of alignement
+ */
+static inline size_t round_down(size_t size, int alignement)
+{
+	return size - (size % alignement);
+}
+
+/**
+ * Special type to count references
+ */
+typedef u_int refcount_t;
 
 #ifdef HAVE_GCC_ATOMIC_OPERATIONS
 
-#define ref_get(ref) {__sync_fetch_and_add(ref, 1); }
+#define ref_get(ref) __sync_add_and_fetch(ref, 1)
 #define ref_put(ref) (!__sync_sub_and_fetch(ref, 1))
 
 #define cas_bool(ptr, oldval, newval) \
@@ -678,8 +716,9 @@ typedef volatile u_int refcount_t;
  * Increments the reference counter atomic.
  *
  * @param ref	pointer to ref counter
+ * @return		new value of ref
  */
-void ref_get(refcount_t *ref);
+refcount_t ref_get(refcount_t *ref);
 
 /**
  * Put back a unused reference.
diff --git a/src/libtls/Makefile.am b/src/libtls/Makefile.am
index 772950606..9e3712abe 100644
--- a/src/libtls/Makefile.am
+++ b/src/libtls/Makefile.am
@@ -1,5 +1,5 @@
-
-INCLUDES = -I$(top_srcdir)/src/libstrongswan
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan
 
 ipseclib_LTLIBRARIES = libtls.la
 libtls_la_SOURCES = \
diff --git a/src/libtls/Makefile.in b/src/libtls/Makefile.in
index fa910ecca..df721f79e 100644
--- a/src/libtls/Makefile.in
+++ b/src/libtls/Makefile.in
@@ -64,7 +64,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
@@ -107,19 +107,35 @@ am_libtls_la_OBJECTS = tls_protection.lo tls_compression.lo \
 	tls_socket.lo tls_eap.lo tls_cache.lo tls_peer.lo \
 	tls_server.lo tls.lo
 libtls_la_OBJECTS = $(am_libtls_la_OBJECTS)
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
 DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
 depcomp = $(SHELL) $(top_srcdir)/depcomp
 am__depfiles_maybe = depfiles
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
 SOURCES = $(libtls_la_SOURCES)
 DIST_SOURCES = $(libtls_la_SOURCES)
 am__can_run_installinfo = \
@@ -138,6 +154,7 @@ DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
@@ -150,6 +167,8 @@ CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
 CHECK_CFLAGS = @CHECK_CFLAGS@
 CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -165,6 +184,7 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
 GPRBUILD = @GPRBUILD@
 GREP = @GREP@
@@ -173,6 +193,7 @@ INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -219,6 +240,7 @@ SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -247,6 +269,7 @@ charon_natt_port = @charon_natt_port@
 charon_plugins = @charon_plugins@
 charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
@@ -324,7 +347,9 @@ top_srcdir = @top_srcdir@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-INCLUDES = -I$(top_srcdir)/src/libstrongswan
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan
+
 ipseclib_LTLIBRARIES = libtls.la
 libtls_la_SOURCES = \
 	tls_protection.c tls_compression.c tls_fragmentation.c tls_alert.c \
@@ -404,7 +429,7 @@ clean-ipseclibLTLIBRARIES:
 	  rm -f "$${dir}/so_locations"; \
 	done
 libtls.la: $(libtls_la_OBJECTS) $(libtls_la_DEPENDENCIES) $(EXTRA_libtls_la_DEPENDENCIES) 
-	$(LINK) -rpath $(ipseclibdir) $(libtls_la_OBJECTS) $(libtls_la_LIBADD) $(LIBS)
+	$(AM_V_CCLD)$(LINK) -rpath $(ipseclibdir) $(libtls_la_OBJECTS) $(libtls_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -426,25 +451,25 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tls_socket.Plo@am__quote@
 
 .c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
 mostlyclean-libtool:
 	-rm -f *.lo
diff --git a/src/libtnccs/Makefile.am b/src/libtnccs/Makefile.am
index c6492d8d3..720505757 100644
--- a/src/libtnccs/Makefile.am
+++ b/src/libtnccs/Makefile.am
@@ -1,5 +1,4 @@
-
-INCLUDES = \
+AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
 	-I$(top_srcdir)/src/libtncif \
 	-I$(top_srcdir)/src/libtls
diff --git a/src/libtnccs/Makefile.in b/src/libtnccs/Makefile.in
index 58ddf401c..014470480 100644
--- a/src/libtnccs/Makefile.in
+++ b/src/libtnccs/Makefile.in
@@ -62,7 +62,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
@@ -102,19 +102,35 @@ libtnccs_la_DEPENDENCIES = $(top_builddir)/src/libtncif/libtncif.la
 am_libtnccs_la_OBJECTS = tnc.lo imv_recommendations.lo tnccs.lo \
 	tnccs_manager.lo
 libtnccs_la_OBJECTS = $(am_libtnccs_la_OBJECTS)
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
 DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
 depcomp = $(SHELL) $(top_srcdir)/depcomp
 am__depfiles_maybe = depfiles
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
 SOURCES = $(libtnccs_la_SOURCES)
 DIST_SOURCES = $(libtnccs_la_SOURCES)
 am__can_run_installinfo = \
@@ -128,6 +144,7 @@ DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
@@ -140,6 +157,8 @@ CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
 CHECK_CFLAGS = @CHECK_CFLAGS@
 CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -155,6 +174,7 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
 GPRBUILD = @GPRBUILD@
 GREP = @GREP@
@@ -163,6 +183,7 @@ INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -209,6 +230,7 @@ SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -237,6 +259,7 @@ charon_natt_port = @charon_natt_port@
 charon_plugins = @charon_plugins@
 charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
@@ -314,7 +337,7 @@ top_srcdir = @top_srcdir@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-INCLUDES = \
+AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
 	-I$(top_srcdir)/src/libtncif \
 	-I$(top_srcdir)/src/libtls
@@ -397,7 +420,7 @@ clean-ipseclibLTLIBRARIES:
 	  rm -f "$${dir}/so_locations"; \
 	done
 libtnccs.la: $(libtnccs_la_OBJECTS) $(libtnccs_la_DEPENDENCIES) $(EXTRA_libtnccs_la_DEPENDENCIES) 
-	$(LINK) -rpath $(ipseclibdir) $(libtnccs_la_OBJECTS) $(libtnccs_la_LIBADD) $(LIBS)
+	$(AM_V_CCLD)$(LINK) -rpath $(ipseclibdir) $(libtnccs_la_OBJECTS) $(libtnccs_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -411,53 +434,53 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tnccs_manager.Plo@am__quote@
 
 .c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
 tnc.lo: tnc/tnc.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT tnc.lo -MD -MP -MF $(DEPDIR)/tnc.Tpo -c -o tnc.lo `test -f 'tnc/tnc.c' || echo '$(srcdir)/'`tnc/tnc.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/tnc.Tpo $(DEPDIR)/tnc.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='tnc/tnc.c' object='tnc.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT tnc.lo -MD -MP -MF $(DEPDIR)/tnc.Tpo -c -o tnc.lo `test -f 'tnc/tnc.c' || echo '$(srcdir)/'`tnc/tnc.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/tnc.Tpo $(DEPDIR)/tnc.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='tnc/tnc.c' object='tnc.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o tnc.lo `test -f 'tnc/tnc.c' || echo '$(srcdir)/'`tnc/tnc.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o tnc.lo `test -f 'tnc/tnc.c' || echo '$(srcdir)/'`tnc/tnc.c
 
 imv_recommendations.lo: tnc/imv/imv_recommendations.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT imv_recommendations.lo -MD -MP -MF $(DEPDIR)/imv_recommendations.Tpo -c -o imv_recommendations.lo `test -f 'tnc/imv/imv_recommendations.c' || echo '$(srcdir)/'`tnc/imv/imv_recommendations.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/imv_recommendations.Tpo $(DEPDIR)/imv_recommendations.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='tnc/imv/imv_recommendations.c' object='imv_recommendations.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT imv_recommendations.lo -MD -MP -MF $(DEPDIR)/imv_recommendations.Tpo -c -o imv_recommendations.lo `test -f 'tnc/imv/imv_recommendations.c' || echo '$(srcdir)/'`tnc/imv/imv_recommendations.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/imv_recommendations.Tpo $(DEPDIR)/imv_recommendations.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='tnc/imv/imv_recommendations.c' object='imv_recommendations.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o imv_recommendations.lo `test -f 'tnc/imv/imv_recommendations.c' || echo '$(srcdir)/'`tnc/imv/imv_recommendations.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o imv_recommendations.lo `test -f 'tnc/imv/imv_recommendations.c' || echo '$(srcdir)/'`tnc/imv/imv_recommendations.c
 
 tnccs.lo: tnc/tnccs/tnccs.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT tnccs.lo -MD -MP -MF $(DEPDIR)/tnccs.Tpo -c -o tnccs.lo `test -f 'tnc/tnccs/tnccs.c' || echo '$(srcdir)/'`tnc/tnccs/tnccs.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/tnccs.Tpo $(DEPDIR)/tnccs.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='tnc/tnccs/tnccs.c' object='tnccs.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT tnccs.lo -MD -MP -MF $(DEPDIR)/tnccs.Tpo -c -o tnccs.lo `test -f 'tnc/tnccs/tnccs.c' || echo '$(srcdir)/'`tnc/tnccs/tnccs.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/tnccs.Tpo $(DEPDIR)/tnccs.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='tnc/tnccs/tnccs.c' object='tnccs.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o tnccs.lo `test -f 'tnc/tnccs/tnccs.c' || echo '$(srcdir)/'`tnc/tnccs/tnccs.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o tnccs.lo `test -f 'tnc/tnccs/tnccs.c' || echo '$(srcdir)/'`tnc/tnccs/tnccs.c
 
 tnccs_manager.lo: tnc/tnccs/tnccs_manager.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT tnccs_manager.lo -MD -MP -MF $(DEPDIR)/tnccs_manager.Tpo -c -o tnccs_manager.lo `test -f 'tnc/tnccs/tnccs_manager.c' || echo '$(srcdir)/'`tnc/tnccs/tnccs_manager.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/tnccs_manager.Tpo $(DEPDIR)/tnccs_manager.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='tnc/tnccs/tnccs_manager.c' object='tnccs_manager.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT tnccs_manager.lo -MD -MP -MF $(DEPDIR)/tnccs_manager.Tpo -c -o tnccs_manager.lo `test -f 'tnc/tnccs/tnccs_manager.c' || echo '$(srcdir)/'`tnc/tnccs/tnccs_manager.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/tnccs_manager.Tpo $(DEPDIR)/tnccs_manager.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='tnc/tnccs/tnccs_manager.c' object='tnccs_manager.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o tnccs_manager.lo `test -f 'tnc/tnccs/tnccs_manager.c' || echo '$(srcdir)/'`tnc/tnccs/tnccs_manager.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o tnccs_manager.lo `test -f 'tnc/tnccs/tnccs_manager.c' || echo '$(srcdir)/'`tnc/tnccs/tnccs_manager.c
 
 mostlyclean-libtool:
 	-rm -f *.lo
diff --git a/src/libtnccs/tnc/tnc.c b/src/libtnccs/tnc/tnc.c
index 769b9fa54..3a5b84596 100644
--- a/src/libtnccs/tnc/tnc.c
+++ b/src/libtnccs/tnc/tnc.c
@@ -100,6 +100,11 @@ static bool load_imcvs_from_config(char *filename, bool is_imc)
 	void *addr;
 	char *label;
 
+	if (!filename || !*filename)
+	{
+		return TRUE;
+	}
+
 	label = is_imc ? "IMC" : "IMV";
 
 	DBG1(DBG_TNC, "loading %ss from '%s'", label, filename);
diff --git a/src/libtncif/Android.mk b/src/libtncif/Android.mk
index 9a9bfa9ad..13ce6e11a 100644
--- a/src/libtncif/Android.mk
+++ b/src/libtncif/Android.mk
@@ -5,7 +5,8 @@ include $(CLEAR_VARS)
 libtncif_la_SOURCES := \
 tncif.h tncifimc.h tncifimv.h tncif_names.h tncif_names.c \
 tncif_identity.h tncif_identity.c \
-tncif_pa_subtypes.h tncif_pa_subtypes.c
+tncif_pa_subtypes.h tncif_pa_subtypes.c \
+tncif_policy.h tncif_policy.c
 
 LOCAL_SRC_FILES := $(filter %.c,$(libtncif_la_SOURCES))
 
diff --git a/src/libtncif/Makefile.am b/src/libtncif/Makefile.am
index 6da1201f3..3c7cb9ff2 100644
--- a/src/libtncif/Makefile.am
+++ b/src/libtncif/Makefile.am
@@ -1,10 +1,12 @@
-INCLUDES = -I$(top_srcdir)/src/libstrongswan
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan
 
 noinst_LTLIBRARIES = libtncif.la
 
 libtncif_la_SOURCES = \
 tncif.h tncifimc.h tncifimv.h tncif_names.h tncif_names.c \
 tncif_identity.h tncif_identity.c \
-tncif_pa_subtypes.h tncif_pa_subtypes.c
+tncif_pa_subtypes.h tncif_pa_subtypes.c \
+tncif_policy.h tncif_policy.c
 
 EXTRA_DIST = Android.mk
diff --git a/src/libtncif/Makefile.in b/src/libtncif/Makefile.in
index 320faf616..8c51dfd5c 100644
--- a/src/libtncif/Makefile.in
+++ b/src/libtncif/Makefile.in
@@ -62,7 +62,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
@@ -72,21 +72,37 @@ CONFIG_CLEAN_VPATH_FILES =
 LTLIBRARIES = $(noinst_LTLIBRARIES)
 libtncif_la_LIBADD =
 am_libtncif_la_OBJECTS = tncif_names.lo tncif_identity.lo \
-	tncif_pa_subtypes.lo
+	tncif_pa_subtypes.lo tncif_policy.lo
 libtncif_la_OBJECTS = $(am_libtncif_la_OBJECTS)
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
 DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
 depcomp = $(SHELL) $(top_srcdir)/depcomp
 am__depfiles_maybe = depfiles
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
 SOURCES = $(libtncif_la_SOURCES)
 DIST_SOURCES = $(libtncif_la_SOURCES)
 am__can_run_installinfo = \
@@ -100,6 +116,7 @@ DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
@@ -112,6 +129,8 @@ CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
 CHECK_CFLAGS = @CHECK_CFLAGS@
 CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -127,6 +146,7 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
 GPRBUILD = @GPRBUILD@
 GREP = @GREP@
@@ -135,6 +155,7 @@ INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -181,6 +202,7 @@ SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -209,6 +231,7 @@ charon_natt_port = @charon_natt_port@
 charon_plugins = @charon_plugins@
 charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
@@ -286,12 +309,15 @@ top_srcdir = @top_srcdir@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-INCLUDES = -I$(top_srcdir)/src/libstrongswan
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan
+
 noinst_LTLIBRARIES = libtncif.la
 libtncif_la_SOURCES = \
 tncif.h tncifimc.h tncifimv.h tncif_names.h tncif_names.c \
 tncif_identity.h tncif_identity.c \
-tncif_pa_subtypes.h tncif_pa_subtypes.c
+tncif_pa_subtypes.h tncif_pa_subtypes.c \
+tncif_policy.h tncif_policy.c
 
 EXTRA_DIST = Android.mk
 all: all-am
@@ -338,7 +364,7 @@ clean-noinstLTLIBRARIES:
 	  rm -f "$${dir}/so_locations"; \
 	done
 libtncif.la: $(libtncif_la_OBJECTS) $(libtncif_la_DEPENDENCIES) $(EXTRA_libtncif_la_DEPENDENCIES) 
-	$(LINK)  $(libtncif_la_OBJECTS) $(libtncif_la_LIBADD) $(LIBS)
+	$(AM_V_CCLD)$(LINK)  $(libtncif_la_OBJECTS) $(libtncif_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -349,27 +375,28 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tncif_identity.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tncif_names.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tncif_pa_subtypes.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tncif_policy.Plo@am__quote@
 
 .c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
 mostlyclean-libtool:
 	-rm -f *.lo
diff --git a/src/libtncif/tncif_policy.c b/src/libtncif/tncif_policy.c
new file mode 100644
index 000000000..1fa88e344
--- /dev/null
+++ b/src/libtncif/tncif_policy.c
@@ -0,0 +1,106 @@
+/*
+ * Copyright (C) 2013 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "tncif_policy.h"
+
+/**
+ * See header
+ */
+TNC_IMV_Evaluation_Result tncif_policy_update_evaluation(
+									TNC_IMV_Evaluation_Result eval,
+									TNC_IMV_Evaluation_Result eval_add)
+{
+	switch (eval)
+	{
+		case TNC_IMV_EVALUATION_RESULT_COMPLIANT:
+			switch (eval_add)
+			{
+				case TNC_IMV_EVALUATION_RESULT_NONCOMPLIANT_MINOR:
+				case TNC_IMV_EVALUATION_RESULT_NONCOMPLIANT_MAJOR:
+				case TNC_IMV_EVALUATION_RESULT_ERROR:
+					eval = eval_add;
+					break;
+				default:
+					break;
+			}
+			break;
+		case TNC_IMV_EVALUATION_RESULT_NONCOMPLIANT_MINOR:
+			switch (eval_add)
+			{
+				case TNC_IMV_EVALUATION_RESULT_NONCOMPLIANT_MAJOR:
+				case TNC_IMV_EVALUATION_RESULT_ERROR:
+					eval = eval_add;
+					break;
+				default:
+					break;
+			}
+			break;
+		case TNC_IMV_EVALUATION_RESULT_NONCOMPLIANT_MAJOR:
+			switch (eval_add)
+			{
+				case TNC_IMV_EVALUATION_RESULT_ERROR:
+					eval = eval_add;
+					break;
+				default:
+					break;
+			}
+			break;
+		case TNC_IMV_EVALUATION_RESULT_DONT_KNOW:
+			eval = eval_add;
+			break;
+		default:
+			break;
+	}
+	return eval;
+}
+
+/**
+ * See header
+ */
+TNC_IMV_Action_Recommendation tncif_policy_update_recommendation(
+									TNC_IMV_Action_Recommendation rec,
+									TNC_IMV_Action_Recommendation rec_add)
+{
+	switch (rec)
+	{
+		case TNC_IMV_ACTION_RECOMMENDATION_ALLOW:
+			switch (rec_add)
+			{
+				case TNC_IMV_ACTION_RECOMMENDATION_NO_ACCESS:
+				case TNC_IMV_ACTION_RECOMMENDATION_ISOLATE:
+					rec = rec_add;
+					break;
+				default:
+					break;
+			}
+			break;
+		case TNC_IMV_ACTION_RECOMMENDATION_ISOLATE:
+			switch (rec_add)
+			{
+				case TNC_IMV_ACTION_RECOMMENDATION_NO_ACCESS:
+					rec = rec_add;
+					break;
+				default:
+					break;
+			}
+			break;
+		case TNC_IMV_ACTION_RECOMMENDATION_NO_RECOMMENDATION:
+			rec = rec_add;
+			break;
+		default:
+			break;
+	}
+	return rec;
+}
diff --git a/src/libtncif/tncif_policy.h b/src/libtncif/tncif_policy.h
new file mode 100644
index 000000000..d9f553b72
--- /dev/null
+++ b/src/libtncif/tncif_policy.h
@@ -0,0 +1,53 @@
+/*
+ * Copyright (C) 2013 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup libtncif libtncif
+ *
+ * @addtogroup libtncif
+ * TNC interface definitions
+ *
+ * @defgroup tnc_policy tnc_policy
+ * @{ @ingroup libtncif
+ */
+
+#ifndef TNCIF_POLICY_H_
+#define TNCIF_POLICY_H_
+
+#include "tncifimv.h"
+
+/**
+ * Create an empty TNC Identity object
+ *
+ * @param eval			Existing evaluation to be updated
+ * @param eval_add		Partial evaluation to be added
+ * @return				Updated evaluation
+ */
+TNC_IMV_Evaluation_Result tncif_policy_update_evaluation(
+									TNC_IMV_Evaluation_Result eval,
+									TNC_IMV_Evaluation_Result eval_add);
+
+/**
+ * Create an empty TNC Identity object
+ *
+ * @param rec			Existing recommendationto be updated
+ * @param rec_add		Partial recommendation to be added
+ * @return				Updated recommendation
+ */
+TNC_IMV_Action_Recommendation tncif_policy_update_recommendation(
+									TNC_IMV_Action_Recommendation rec,
+									TNC_IMV_Action_Recommendation rec_add);
+
+#endif /** TNCIF_POLICY_H_ @}*/
diff --git a/src/libtncif/tncifimv.h b/src/libtncif/tncifimv.h
index 945012dc0..ecd4fd45b 100644
--- a/src/libtncif/tncifimv.h
+++ b/src/libtncif/tncifimv.h
@@ -217,9 +217,9 @@ typedef TNC_Result (*TNC_IMV_ProvideBindFunctionPointer)(
 #define TNC_ID_IPV4_ADDR 1
 #define TNC_ID_IPV6_ADDR 2
 #define TNC_ID_FQDN 3
-#define TNC_ID_RFC822_ADDR 4
+#define TNC_ID_EMAIL_ADDR 4
 #define TNC_ID_USERNAME 5
-#define TNC_ID_ASN1_DN 6
+#define TNC_ID_X500_DN 6
 
 /* TNC Subject Types */
 
@@ -230,7 +230,7 @@ typedef TNC_Result (*TNC_IMV_ProvideBindFunctionPointer)(
 /* TNC Authentication Types */
 
 #define TNC_AUTH_UNKNOWN 0
-#define TNC_AUTH_CERT 1
+#define TNC_AUTH_X509_CERT 1
 #define TNC_AUTH_PASSWORD 2
 #define TNC_AUTH_SIM 3
 
diff --git a/src/manager/Makefile.am b/src/manager/Makefile.am
index 045c77896..41001dd8b 100644
--- a/src/manager/Makefile.am
+++ b/src/manager/Makefile.am
@@ -13,11 +13,16 @@ controller/gateway_controller.c controller/gateway_controller.h
 manager_fcgi_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la $(top_builddir)/src/libfast/libfast.la ${xml_LIBS}
 main.o :	$(top_builddir)/config.status
 
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libfast ${xml_CFLAGS}
-AM_CFLAGS = -rdynamic \
-  -DIPSECDIR=\"${ipsecdir}\" \
-  -DIPSEC_PIDDIR=\"${piddir}\" \
-  -DPLUGINS=\""${manager_plugins}\""
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libfast \
+	-DIPSECDIR=\"${ipsecdir}\" \
+	-DIPSEC_PIDDIR=\"${piddir}\" \
+	-DPLUGINS=\""${manager_plugins}\""
+
+AM_CFLAGS = \
+	${xml_CFLAGS} \
+	-rdynamic
 
 # Don't forget to add templates to EXTRA_DIST !!! How to automate?
 manager_templatesdir = ${managerdir}/templates
diff --git a/src/manager/Makefile.in b/src/manager/Makefile.in
index 029df6120..041d914c6 100644
--- a/src/manager/Makefile.in
+++ b/src/manager/Makefile.in
@@ -64,7 +64,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
@@ -90,19 +90,35 @@ am__DEPENDENCIES_1 =
 manager_fcgi_DEPENDENCIES =  \
 	$(top_builddir)/src/libstrongswan/libstrongswan.la \
 	$(top_builddir)/src/libfast/libfast.la $(am__DEPENDENCIES_1)
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
 DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
 depcomp = $(SHELL) $(top_srcdir)/depcomp
 am__depfiles_maybe = depfiles
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
 SOURCES = $(manager_fcgi_SOURCES)
 DIST_SOURCES = $(manager_fcgi_SOURCES)
 am__can_run_installinfo = \
@@ -149,6 +165,7 @@ DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
@@ -161,6 +178,8 @@ CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
 CHECK_CFLAGS = @CHECK_CFLAGS@
 CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -176,6 +195,7 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
 GPRBUILD = @GPRBUILD@
 GREP = @GREP@
@@ -184,6 +204,7 @@ INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -230,6 +251,7 @@ SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -258,6 +280,7 @@ charon_natt_port = @charon_natt_port@
 charon_plugins = @charon_plugins@
 charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
@@ -345,11 +368,16 @@ controller/config_controller.c controller/config_controller.h \
 controller/gateway_controller.c controller/gateway_controller.h
 
 manager_fcgi_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la $(top_builddir)/src/libfast/libfast.la ${xml_LIBS}
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libfast ${xml_CFLAGS}
-AM_CFLAGS = -rdynamic \
-  -DIPSECDIR=\"${ipsecdir}\" \
-  -DIPSEC_PIDDIR=\"${piddir}\" \
-  -DPLUGINS=\""${manager_plugins}\""
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libfast \
+	-DIPSECDIR=\"${ipsecdir}\" \
+	-DIPSEC_PIDDIR=\"${piddir}\" \
+	-DPLUGINS=\""${manager_plugins}\""
+
+AM_CFLAGS = \
+	${xml_CFLAGS} \
+	-rdynamic
 
 
 # Don't forget to add templates to EXTRA_DIST !!! How to automate?
@@ -467,7 +495,7 @@ clean-managerPROGRAMS:
 	rm -f $$list
 manager.fcgi$(EXEEXT): $(manager_fcgi_OBJECTS) $(manager_fcgi_DEPENDENCIES) $(EXTRA_manager_fcgi_DEPENDENCIES) 
 	@rm -f manager.fcgi$(EXEEXT)
-	$(LINK) $(manager_fcgi_OBJECTS) $(manager_fcgi_LDADD) $(LIBS)
+	$(AM_V_CCLD)$(LINK) $(manager_fcgi_OBJECTS) $(manager_fcgi_LDADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -487,95 +515,95 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/xml.Po@am__quote@
 
 .c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
 auth_controller.o: controller/auth_controller.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT auth_controller.o -MD -MP -MF $(DEPDIR)/auth_controller.Tpo -c -o auth_controller.o `test -f 'controller/auth_controller.c' || echo '$(srcdir)/'`controller/auth_controller.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/auth_controller.Tpo $(DEPDIR)/auth_controller.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='controller/auth_controller.c' object='auth_controller.o' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT auth_controller.o -MD -MP -MF $(DEPDIR)/auth_controller.Tpo -c -o auth_controller.o `test -f 'controller/auth_controller.c' || echo '$(srcdir)/'`controller/auth_controller.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/auth_controller.Tpo $(DEPDIR)/auth_controller.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='controller/auth_controller.c' object='auth_controller.o' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o auth_controller.o `test -f 'controller/auth_controller.c' || echo '$(srcdir)/'`controller/auth_controller.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o auth_controller.o `test -f 'controller/auth_controller.c' || echo '$(srcdir)/'`controller/auth_controller.c
 
 auth_controller.obj: controller/auth_controller.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT auth_controller.obj -MD -MP -MF $(DEPDIR)/auth_controller.Tpo -c -o auth_controller.obj `if test -f 'controller/auth_controller.c'; then $(CYGPATH_W) 'controller/auth_controller.c'; else $(CYGPATH_W) '$(srcdir)/controller/auth_controller.c'; fi`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/auth_controller.Tpo $(DEPDIR)/auth_controller.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='controller/auth_controller.c' object='auth_controller.obj' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT auth_controller.obj -MD -MP -MF $(DEPDIR)/auth_controller.Tpo -c -o auth_controller.obj `if test -f 'controller/auth_controller.c'; then $(CYGPATH_W) 'controller/auth_controller.c'; else $(CYGPATH_W) '$(srcdir)/controller/auth_controller.c'; fi`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/auth_controller.Tpo $(DEPDIR)/auth_controller.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='controller/auth_controller.c' object='auth_controller.obj' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o auth_controller.obj `if test -f 'controller/auth_controller.c'; then $(CYGPATH_W) 'controller/auth_controller.c'; else $(CYGPATH_W) '$(srcdir)/controller/auth_controller.c'; fi`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o auth_controller.obj `if test -f 'controller/auth_controller.c'; then $(CYGPATH_W) 'controller/auth_controller.c'; else $(CYGPATH_W) '$(srcdir)/controller/auth_controller.c'; fi`
 
 ikesa_controller.o: controller/ikesa_controller.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ikesa_controller.o -MD -MP -MF $(DEPDIR)/ikesa_controller.Tpo -c -o ikesa_controller.o `test -f 'controller/ikesa_controller.c' || echo '$(srcdir)/'`controller/ikesa_controller.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/ikesa_controller.Tpo $(DEPDIR)/ikesa_controller.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='controller/ikesa_controller.c' object='ikesa_controller.o' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ikesa_controller.o -MD -MP -MF $(DEPDIR)/ikesa_controller.Tpo -c -o ikesa_controller.o `test -f 'controller/ikesa_controller.c' || echo '$(srcdir)/'`controller/ikesa_controller.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/ikesa_controller.Tpo $(DEPDIR)/ikesa_controller.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='controller/ikesa_controller.c' object='ikesa_controller.o' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ikesa_controller.o `test -f 'controller/ikesa_controller.c' || echo '$(srcdir)/'`controller/ikesa_controller.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ikesa_controller.o `test -f 'controller/ikesa_controller.c' || echo '$(srcdir)/'`controller/ikesa_controller.c
 
 ikesa_controller.obj: controller/ikesa_controller.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ikesa_controller.obj -MD -MP -MF $(DEPDIR)/ikesa_controller.Tpo -c -o ikesa_controller.obj `if test -f 'controller/ikesa_controller.c'; then $(CYGPATH_W) 'controller/ikesa_controller.c'; else $(CYGPATH_W) '$(srcdir)/controller/ikesa_controller.c'; fi`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/ikesa_controller.Tpo $(DEPDIR)/ikesa_controller.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='controller/ikesa_controller.c' object='ikesa_controller.obj' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ikesa_controller.obj -MD -MP -MF $(DEPDIR)/ikesa_controller.Tpo -c -o ikesa_controller.obj `if test -f 'controller/ikesa_controller.c'; then $(CYGPATH_W) 'controller/ikesa_controller.c'; else $(CYGPATH_W) '$(srcdir)/controller/ikesa_controller.c'; fi`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/ikesa_controller.Tpo $(DEPDIR)/ikesa_controller.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='controller/ikesa_controller.c' object='ikesa_controller.obj' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ikesa_controller.obj `if test -f 'controller/ikesa_controller.c'; then $(CYGPATH_W) 'controller/ikesa_controller.c'; else $(CYGPATH_W) '$(srcdir)/controller/ikesa_controller.c'; fi`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ikesa_controller.obj `if test -f 'controller/ikesa_controller.c'; then $(CYGPATH_W) 'controller/ikesa_controller.c'; else $(CYGPATH_W) '$(srcdir)/controller/ikesa_controller.c'; fi`
 
 control_controller.o: controller/control_controller.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT control_controller.o -MD -MP -MF $(DEPDIR)/control_controller.Tpo -c -o control_controller.o `test -f 'controller/control_controller.c' || echo '$(srcdir)/'`controller/control_controller.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/control_controller.Tpo $(DEPDIR)/control_controller.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='controller/control_controller.c' object='control_controller.o' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT control_controller.o -MD -MP -MF $(DEPDIR)/control_controller.Tpo -c -o control_controller.o `test -f 'controller/control_controller.c' || echo '$(srcdir)/'`controller/control_controller.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/control_controller.Tpo $(DEPDIR)/control_controller.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='controller/control_controller.c' object='control_controller.o' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o control_controller.o `test -f 'controller/control_controller.c' || echo '$(srcdir)/'`controller/control_controller.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o control_controller.o `test -f 'controller/control_controller.c' || echo '$(srcdir)/'`controller/control_controller.c
 
 control_controller.obj: controller/control_controller.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT control_controller.obj -MD -MP -MF $(DEPDIR)/control_controller.Tpo -c -o control_controller.obj `if test -f 'controller/control_controller.c'; then $(CYGPATH_W) 'controller/control_controller.c'; else $(CYGPATH_W) '$(srcdir)/controller/control_controller.c'; fi`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/control_controller.Tpo $(DEPDIR)/control_controller.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='controller/control_controller.c' object='control_controller.obj' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT control_controller.obj -MD -MP -MF $(DEPDIR)/control_controller.Tpo -c -o control_controller.obj `if test -f 'controller/control_controller.c'; then $(CYGPATH_W) 'controller/control_controller.c'; else $(CYGPATH_W) '$(srcdir)/controller/control_controller.c'; fi`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/control_controller.Tpo $(DEPDIR)/control_controller.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='controller/control_controller.c' object='control_controller.obj' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o control_controller.obj `if test -f 'controller/control_controller.c'; then $(CYGPATH_W) 'controller/control_controller.c'; else $(CYGPATH_W) '$(srcdir)/controller/control_controller.c'; fi`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o control_controller.obj `if test -f 'controller/control_controller.c'; then $(CYGPATH_W) 'controller/control_controller.c'; else $(CYGPATH_W) '$(srcdir)/controller/control_controller.c'; fi`
 
 config_controller.o: controller/config_controller.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT config_controller.o -MD -MP -MF $(DEPDIR)/config_controller.Tpo -c -o config_controller.o `test -f 'controller/config_controller.c' || echo '$(srcdir)/'`controller/config_controller.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/config_controller.Tpo $(DEPDIR)/config_controller.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='controller/config_controller.c' object='config_controller.o' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT config_controller.o -MD -MP -MF $(DEPDIR)/config_controller.Tpo -c -o config_controller.o `test -f 'controller/config_controller.c' || echo '$(srcdir)/'`controller/config_controller.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/config_controller.Tpo $(DEPDIR)/config_controller.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='controller/config_controller.c' object='config_controller.o' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o config_controller.o `test -f 'controller/config_controller.c' || echo '$(srcdir)/'`controller/config_controller.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o config_controller.o `test -f 'controller/config_controller.c' || echo '$(srcdir)/'`controller/config_controller.c
 
 config_controller.obj: controller/config_controller.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT config_controller.obj -MD -MP -MF $(DEPDIR)/config_controller.Tpo -c -o config_controller.obj `if test -f 'controller/config_controller.c'; then $(CYGPATH_W) 'controller/config_controller.c'; else $(CYGPATH_W) '$(srcdir)/controller/config_controller.c'; fi`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/config_controller.Tpo $(DEPDIR)/config_controller.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='controller/config_controller.c' object='config_controller.obj' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT config_controller.obj -MD -MP -MF $(DEPDIR)/config_controller.Tpo -c -o config_controller.obj `if test -f 'controller/config_controller.c'; then $(CYGPATH_W) 'controller/config_controller.c'; else $(CYGPATH_W) '$(srcdir)/controller/config_controller.c'; fi`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/config_controller.Tpo $(DEPDIR)/config_controller.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='controller/config_controller.c' object='config_controller.obj' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o config_controller.obj `if test -f 'controller/config_controller.c'; then $(CYGPATH_W) 'controller/config_controller.c'; else $(CYGPATH_W) '$(srcdir)/controller/config_controller.c'; fi`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o config_controller.obj `if test -f 'controller/config_controller.c'; then $(CYGPATH_W) 'controller/config_controller.c'; else $(CYGPATH_W) '$(srcdir)/controller/config_controller.c'; fi`
 
 gateway_controller.o: controller/gateway_controller.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT gateway_controller.o -MD -MP -MF $(DEPDIR)/gateway_controller.Tpo -c -o gateway_controller.o `test -f 'controller/gateway_controller.c' || echo '$(srcdir)/'`controller/gateway_controller.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/gateway_controller.Tpo $(DEPDIR)/gateway_controller.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='controller/gateway_controller.c' object='gateway_controller.o' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT gateway_controller.o -MD -MP -MF $(DEPDIR)/gateway_controller.Tpo -c -o gateway_controller.o `test -f 'controller/gateway_controller.c' || echo '$(srcdir)/'`controller/gateway_controller.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/gateway_controller.Tpo $(DEPDIR)/gateway_controller.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='controller/gateway_controller.c' object='gateway_controller.o' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o gateway_controller.o `test -f 'controller/gateway_controller.c' || echo '$(srcdir)/'`controller/gateway_controller.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o gateway_controller.o `test -f 'controller/gateway_controller.c' || echo '$(srcdir)/'`controller/gateway_controller.c
 
 gateway_controller.obj: controller/gateway_controller.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT gateway_controller.obj -MD -MP -MF $(DEPDIR)/gateway_controller.Tpo -c -o gateway_controller.obj `if test -f 'controller/gateway_controller.c'; then $(CYGPATH_W) 'controller/gateway_controller.c'; else $(CYGPATH_W) '$(srcdir)/controller/gateway_controller.c'; fi`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/gateway_controller.Tpo $(DEPDIR)/gateway_controller.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='controller/gateway_controller.c' object='gateway_controller.obj' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT gateway_controller.obj -MD -MP -MF $(DEPDIR)/gateway_controller.Tpo -c -o gateway_controller.obj `if test -f 'controller/gateway_controller.c'; then $(CYGPATH_W) 'controller/gateway_controller.c'; else $(CYGPATH_W) '$(srcdir)/controller/gateway_controller.c'; fi`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/gateway_controller.Tpo $(DEPDIR)/gateway_controller.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='controller/gateway_controller.c' object='gateway_controller.obj' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o gateway_controller.obj `if test -f 'controller/gateway_controller.c'; then $(CYGPATH_W) 'controller/gateway_controller.c'; else $(CYGPATH_W) '$(srcdir)/controller/gateway_controller.c'; fi`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o gateway_controller.obj `if test -f 'controller/gateway_controller.c'; then $(CYGPATH_W) 'controller/gateway_controller.c'; else $(CYGPATH_W) '$(srcdir)/controller/gateway_controller.c'; fi`
 
 mostlyclean-libtool:
 	-rm -f *.lo
diff --git a/src/manager/controller/auth_controller.c b/src/manager/controller/auth_controller.c
index c9a9b5461..5f2de5154 100644
--- a/src/manager/controller/auth_controller.c
+++ b/src/manager/controller/auth_controller.c
@@ -37,14 +37,14 @@ struct private_auth_controller_t {
 	manager_t *manager;
 };
 
-static void login(private_auth_controller_t *this, request_t *request)
+static void login(private_auth_controller_t *this, fast_request_t *request)
 {
 	request->set(request, "action", "check");
 	request->set(request, "title", "Login");
 	request->render(request, "templates/auth/login.cs");
 }
 
-static void check(private_auth_controller_t *this, request_t *request)
+static void check(private_auth_controller_t *this, fast_request_t *request)
 {
 	char *username, *password;
 
@@ -61,20 +61,20 @@ static void check(private_auth_controller_t *this, request_t *request)
 	}
 }
 
-static void logout(private_auth_controller_t *this, request_t *request)
+static void logout(private_auth_controller_t *this, fast_request_t *request)
 {
 	this->manager->logout(this->manager);
 	request->redirect(request, "auth/login");
 }
 
-METHOD(controller_t, get_name, char*,
+METHOD(fast_controller_t, get_name, char*,
 	private_auth_controller_t *this)
 {
 	return "auth";
 }
 
-METHOD(controller_t, handle, void,
-	private_auth_controller_t *this, request_t *request, char *action,
+METHOD(fast_controller_t, handle, void,
+	private_auth_controller_t *this, fast_request_t *request, char *action,
 	char *p2, char *p3, char *p4, char *p5)
 {
 	if (action)
@@ -95,7 +95,7 @@ METHOD(controller_t, handle, void,
 	request->redirect(request, "auth/login");
 }
 
-METHOD(controller_t, destroy, void,
+METHOD(fast_controller_t, destroy, void,
 	private_auth_controller_t *this)
 {
 	free(this);
@@ -104,7 +104,7 @@ METHOD(controller_t, destroy, void,
 /*
  * see header file
  */
-controller_t *auth_controller_create(context_t *context, void *param)
+fast_controller_t *auth_controller_create(fast_context_t *context, void *param)
 {
 	private_auth_controller_t *this;
 
@@ -121,4 +121,3 @@ controller_t *auth_controller_create(context_t *context, void *param)
 
 	return &this->public.controller;
 }
-
diff --git a/src/manager/controller/auth_controller.h b/src/manager/controller/auth_controller.h
index 8489d9dd3..07292273d 100644
--- a/src/manager/controller/auth_controller.h
+++ b/src/manager/controller/auth_controller.h
@@ -21,8 +21,7 @@
 #ifndef AUTH_CONTROLLER_H_
 #define AUTH_CONTROLLER_H_
 
-
-#include <controller.h>
+#include <fast_controller.h>
 
 typedef struct auth_controller_t auth_controller_t;
 
@@ -34,12 +33,12 @@ struct auth_controller_t {
 	/**
 	 * Implements controller_t interface.
 	 */
-	controller_t controller;
+	fast_controller_t controller;
 };
 
 /**
  * Create a auth_controller controller instance.
  */
-controller_t *auth_controller_create(context_t *context, void *param);
+fast_controller_t *auth_controller_create(fast_context_t *context, void *param);
 
 #endif /** AUTH_CONTROLLER_H_ @}*/
diff --git a/src/manager/controller/config_controller.c b/src/manager/controller/config_controller.c
index 154ab615e..bc93c542d 100644
--- a/src/manager/controller/config_controller.c
+++ b/src/manager/controller/config_controller.c
@@ -44,7 +44,7 @@ struct private_config_controller_t {
  * read XML of a peerconfig element and fill template
  */
 static void process_peerconfig(private_config_controller_t *this,
-							   enumerator_t *e, request_t *r)
+							   enumerator_t *e, fast_request_t *r)
 {
 	xml_t *xml;
 	enumerator_t *e1, *e2, *e3;
@@ -115,7 +115,7 @@ static void process_peerconfig(private_config_controller_t *this,
 	}
 }
 
-static void list(private_config_controller_t *this, request_t *r)
+static void list(private_config_controller_t *this, fast_request_t *r)
 {
 	gateway_t *gateway;
 	xml_t *xml;
@@ -149,14 +149,14 @@ static void list(private_config_controller_t *this, request_t *r)
 	}
 }
 
-METHOD(controller_t, get_name, char*,
+METHOD(fast_controller_t, get_name, char*,
 	private_config_controller_t *this)
 {
 	return "config";
 }
 
-METHOD(controller_t, handle, void,
-	private_config_controller_t *this, request_t *request, char *action,
+METHOD(fast_controller_t, handle, void,
+	private_config_controller_t *this, fast_request_t *request, char *action,
 	char *p2, char *p3, char *p4, char *p5)
 {
 	if (!this->manager->logged_in(this->manager))
@@ -177,7 +177,7 @@ METHOD(controller_t, handle, void,
 	return request->redirect(request, "config/list");
 }
 
-METHOD(controller_t, destroy, void,
+METHOD(fast_controller_t, destroy, void,
 	private_config_controller_t *this)
 {
 	free(this);
@@ -186,7 +186,8 @@ METHOD(controller_t, destroy, void,
 /*
  * see header file
  */
-controller_t *config_controller_create(context_t *context, void *param)
+fast_controller_t *config_controller_create(fast_context_t *context,
+											void *param)
 {
 	private_config_controller_t *this;
 
@@ -203,4 +204,3 @@ controller_t *config_controller_create(context_t *context, void *param)
 
 	return &this->public.controller;
 }
-
diff --git a/src/manager/controller/config_controller.h b/src/manager/controller/config_controller.h
index a84678c9a..504ec8c3b 100644
--- a/src/manager/controller/config_controller.h
+++ b/src/manager/controller/config_controller.h
@@ -21,8 +21,7 @@
 #ifndef CONFIG_CONTROLLER_H_
 #define CONFIG_CONTROLLER_H_
 
-
-#include <controller.h>
+#include <fast_controller.h>
 
 typedef struct config_controller_t config_controller_t;
 
@@ -34,12 +33,13 @@ struct config_controller_t {
 	/**
 	 * Implements controller_t interface.
 	 */
-	controller_t controller;
+	fast_controller_t controller;
 };
 
 /**
  * Create a config_controller controller instance.
  */
-controller_t *config_controller_create(context_t *context, void *param);
+fast_controller_t *config_controller_create(fast_context_t *context,
+											void *param);
 
 #endif /** CONFIG_CONTROLLER_H_ @}*/
diff --git a/src/manager/controller/control_controller.c b/src/manager/controller/control_controller.c
index 68238d02f..f275986d2 100644
--- a/src/manager/controller/control_controller.c
+++ b/src/manager/controller/control_controller.c
@@ -43,7 +43,7 @@ struct private_control_controller_t {
 /**
  * handle the result of a control operation
  */
-static void handle_result(private_control_controller_t *this, request_t *r,
+static void handle_result(private_control_controller_t *this, fast_request_t *r,
 						  enumerator_t *e)
 {
 	enumerator_t *e1;
@@ -93,7 +93,7 @@ static void handle_result(private_control_controller_t *this, request_t *r,
 /**
  * initiate an IKE or CHILD SA
  */
-static void initiate(private_control_controller_t *this, request_t *r,
+static void initiate(private_control_controller_t *this, fast_request_t *r,
 					 bool ike, char *config)
 {
 	gateway_t *gateway;
@@ -108,7 +108,7 @@ static void initiate(private_control_controller_t *this, request_t *r,
 /**
  * terminate an IKE or CHILD SA
  */
-static void terminate(private_control_controller_t *this, request_t *r,
+static void terminate(private_control_controller_t *this, fast_request_t *r,
 					  bool ike, u_int32_t id)
 {
 	gateway_t *gateway;
@@ -120,14 +120,14 @@ static void terminate(private_control_controller_t *this, request_t *r,
 	handle_result(this, r, e);
 }
 
-METHOD(controller_t, get_name, char*,
+METHOD(fast_controller_t, get_name, char*,
 	private_control_controller_t *this)
 {
 	return "control";
 }
 
-METHOD(controller_t, handle, void,
-	private_control_controller_t *this, request_t *request, char *action,
+METHOD(fast_controller_t, handle, void,
+	private_control_controller_t *this, fast_request_t *request, char *action,
 	char *str, char *p3, char *p4, char *p5)
 {
 	if (!this->manager->logged_in(this->manager))
@@ -174,7 +174,7 @@ METHOD(controller_t, handle, void,
 	return request->redirect(request, "ikesa/list");
 }
 
-METHOD(controller_t, destroy, void,
+METHOD(fast_controller_t, destroy, void,
 	private_control_controller_t *this)
 {
 	free(this);
@@ -183,7 +183,8 @@ METHOD(controller_t, destroy, void,
 /*
  * see header file
  */
-controller_t *control_controller_create(context_t *context, void *param)
+fast_controller_t *control_controller_create(fast_context_t *context,
+											 void *param)
 {
 	private_control_controller_t *this;
 
@@ -200,4 +201,3 @@ controller_t *control_controller_create(context_t *context, void *param)
 
 	return &this->public.controller;
 }
-
diff --git a/src/manager/controller/control_controller.h b/src/manager/controller/control_controller.h
index 22e3a7022..0342f8ca2 100644
--- a/src/manager/controller/control_controller.h
+++ b/src/manager/controller/control_controller.h
@@ -21,8 +21,7 @@
 #ifndef CONTROL_CONTROLLER_H_
 #define CONTROL_CONTROLLER_H_
 
-
-#include <controller.h>
+#include <fast_controller.h>
 
 typedef struct control_controller_t control_controller_t;
 
@@ -34,12 +33,13 @@ struct control_controller_t {
 	/**
 	 * Implements controller_t interface.
 	 */
-	controller_t controller;
+	fast_controller_t controller;
 };
 
 /**
  * Create a control_controller controller instance.
  */
-controller_t *control_controller_create(context_t *context, void *param);
+fast_controller_t *control_controller_create(fast_context_t *context,
+											 void *param);
 
 #endif /** CONTROL_CONTROLLER_H_ @}*/
diff --git a/src/manager/controller/gateway_controller.c b/src/manager/controller/gateway_controller.c
index 39d344502..6c0257980 100644
--- a/src/manager/controller/gateway_controller.c
+++ b/src/manager/controller/gateway_controller.c
@@ -39,7 +39,7 @@ struct private_gateway_controller_t {
 
 };
 
-static void list(private_gateway_controller_t *this, request_t *request)
+static void list(private_gateway_controller_t *this, fast_request_t *request)
 {
 	enumerator_t *enumerator;
 	char *name, *address;
@@ -66,7 +66,7 @@ static void list(private_gateway_controller_t *this, request_t *request)
 	request->render(request, "templates/gateway/list.cs");
 }
 
-static void _select(private_gateway_controller_t *this, request_t *request)
+static void _select(private_gateway_controller_t *this, fast_request_t *request)
 {
 	char *id;
 
@@ -82,14 +82,14 @@ static void _select(private_gateway_controller_t *this, request_t *request)
 	request->redirect(request, "gateway/list");
 }
 
-METHOD(controller_t, get_name, char*,
+METHOD(fast_controller_t, get_name, char*,
 	private_gateway_controller_t *this)
 {
 	return "gateway";
 }
 
-METHOD(controller_t, handle, void,
-	private_gateway_controller_t *this, request_t *request, char *action,
+METHOD(fast_controller_t, handle, void,
+	private_gateway_controller_t *this, fast_request_t *request, char *action,
 	char *p2, char *p3, char *p4, char *p5)
 {
 	if (!this->manager->logged_in(this->manager))
@@ -110,7 +110,7 @@ METHOD(controller_t, handle, void,
 	request->redirect(request, "gateway/list");
 }
 
-METHOD(controller_t, destroy, void,
+METHOD(fast_controller_t, destroy, void,
 	private_gateway_controller_t *this)
 {
 	free(this);
@@ -119,7 +119,8 @@ METHOD(controller_t, destroy, void,
 /*
  * see header file
  */
-controller_t *gateway_controller_create(context_t *context, void *param)
+fast_controller_t *gateway_controller_create(fast_context_t *context,
+											 void *param)
 {
 	private_gateway_controller_t *this;
 
@@ -136,4 +137,3 @@ controller_t *gateway_controller_create(context_t *context, void *param)
 
 	return &this->public.controller;
 }
-
diff --git a/src/manager/controller/gateway_controller.h b/src/manager/controller/gateway_controller.h
index a0999295e..170bc1bdb 100644
--- a/src/manager/controller/gateway_controller.h
+++ b/src/manager/controller/gateway_controller.h
@@ -21,8 +21,7 @@
 #ifndef GATEWAY_CONTROLLER_H_
 #define GATEWAY_CONTROLLER_H_
 
-
-#include <controller.h>
+#include <fast_controller.h>
 
 typedef struct gateway_controller_t gateway_controller_t;
 
@@ -34,12 +33,13 @@ struct gateway_controller_t {
 	/**
 	 * Implements controller_t interface.
 	 */
-	controller_t controller;
+	fast_controller_t controller;
 };
 
 /**
  * Create a gateway_controller controller instance.
  */
-controller_t *gateway_controller_create(context_t *context, void *param);
+fast_controller_t *gateway_controller_create(fast_context_t *context,
+											 void *param);
 
 #endif /** GATEWAY_CONTROLLER_H_ @}*/
diff --git a/src/manager/controller/ikesa_controller.c b/src/manager/controller/ikesa_controller.c
index 716d51a7a..df0e5f475 100644
--- a/src/manager/controller/ikesa_controller.c
+++ b/src/manager/controller/ikesa_controller.c
@@ -44,7 +44,7 @@ struct private_ikesa_controller_t {
  * read XML of a childsa element and fill template
  */
 static void process_childsa(private_ikesa_controller_t *this, char *id,
-							enumerator_t *e, request_t *r)
+							enumerator_t *e, fast_request_t *r)
 {
 	xml_t *xml;
 	enumerator_t *e1, *e2;
@@ -96,7 +96,7 @@ static void process_childsa(private_ikesa_controller_t *this, char *id,
  * read XML of a ikesa element and fill template
  */
 static void process_ikesa(private_ikesa_controller_t *this,
-						  enumerator_t *e, request_t *r)
+						  enumerator_t *e, fast_request_t *r)
 {
 	xml_t *xml;
 	enumerator_t *e1, *e2;
@@ -139,7 +139,7 @@ static void process_ikesa(private_ikesa_controller_t *this,
 	}
 }
 
-static void list(private_ikesa_controller_t *this, request_t *r)
+static void list(private_ikesa_controller_t *this, fast_request_t *r)
 {
 	gateway_t *gateway;
 	xml_t *xml;
@@ -173,14 +173,14 @@ static void list(private_ikesa_controller_t *this, request_t *r)
 	}
 }
 
-METHOD(controller_t, get_name, char*,
+METHOD(fast_controller_t, get_name, char*,
 	private_ikesa_controller_t *this)
 {
 	return "ikesa";
 }
 
-METHOD(controller_t, handle, void,
-	private_ikesa_controller_t *this, request_t *request, char *action,
+METHOD(fast_controller_t, handle, void,
+	private_ikesa_controller_t *this, fast_request_t *request, char *action,
 	char *p2, char *p3, char *p4, char *p5)
 {
 	if (!this->manager->logged_in(this->manager))
@@ -201,7 +201,7 @@ METHOD(controller_t, handle, void,
 	return request->redirect(request, "ikesa/list");
 }
 
-METHOD(controller_t, destroy, void,
+METHOD(fast_controller_t, destroy, void,
 	private_ikesa_controller_t *this)
 {
 	free(this);
@@ -210,7 +210,7 @@ METHOD(controller_t, destroy, void,
 /*
  * see header file
  */
-controller_t *ikesa_controller_create(context_t *context, void *param)
+fast_controller_t *ikesa_controller_create(fast_context_t *context, void *param)
 {
 	private_ikesa_controller_t *this;
 
@@ -227,4 +227,3 @@ controller_t *ikesa_controller_create(context_t *context, void *param)
 
 	return &this->public.controller;
 }
-
diff --git a/src/manager/controller/ikesa_controller.h b/src/manager/controller/ikesa_controller.h
index 72f8242f1..592047539 100644
--- a/src/manager/controller/ikesa_controller.h
+++ b/src/manager/controller/ikesa_controller.h
@@ -21,8 +21,7 @@
 #ifndef IKESA_CONTROLLER_H_
 #define IKESA_CONTROLLER_H_
 
-
-#include <controller.h>
+#include <fast_controller.h>
 
 typedef struct ikesa_controller_t ikesa_controller_t;
 
@@ -34,12 +33,12 @@ struct ikesa_controller_t {
 	/**
 	 * Implements controller_t interface.
 	 */
-	controller_t controller;
+	fast_controller_t controller;
 };
 
 /**
  * Create a ikesa_controller controller instance.
  */
-controller_t *ikesa_controller_create(context_t *context, void *param);
+fast_controller_t *ikesa_controller_create(fast_context_t *context, void *param);
 
 #endif /** IKESA_CONTROLLER_H_ @}*/
diff --git a/src/manager/main.c b/src/manager/main.c
index 15ed38154..5c845b157 100644
--- a/src/manager/main.c
+++ b/src/manager/main.c
@@ -13,7 +13,7 @@
  * for more details.
  */
 
-#include <dispatcher.h>
+#include <fast_dispatcher.h>
 #include <utils/debug.h>
 #include <stdio.h>
 
@@ -27,7 +27,7 @@
 
 int main (int arc, char *argv[])
 {
-	dispatcher_t *dispatcher;
+	fast_dispatcher_t *dispatcher;
 	storage_t *storage;
 	char *socket;
 	char *database;
@@ -35,7 +35,7 @@ int main (int arc, char *argv[])
 	int threads, timeout;
 
 	library_init(NULL);
-	if (!lib->plugins->load(lib->plugins, NULL,
+	if (!lib->plugins->load(lib->plugins,
 			lib->settings->get_str(lib->settings, "manager.load", PLUGINS)))
 	{
 		return 1;
@@ -50,7 +50,7 @@ int main (int arc, char *argv[])
 	{
 		DBG1(DBG_LIB, "database URI undefined, set manager.database "
 			 "in strongswan.conf");
-		return 1;
+		//return 1;
 	}
 
 	storage = storage_create(database);
@@ -59,8 +59,8 @@ int main (int arc, char *argv[])
 		return 1;
 	}
 
-	dispatcher = dispatcher_create(socket, debug, timeout,
-						(context_constructor_t)manager_create, storage);
+	dispatcher = fast_dispatcher_create(socket, debug, timeout,
+						(fast_context_constructor_t)manager_create, storage);
 	dispatcher->add_controller(dispatcher, ikesa_controller_create, NULL);
 	dispatcher->add_controller(dispatcher, gateway_controller_create, NULL);
 	dispatcher->add_controller(dispatcher, auth_controller_create, NULL);
@@ -78,4 +78,3 @@ int main (int arc, char *argv[])
 
 	return 0;
 }
-
diff --git a/src/manager/manager.c b/src/manager/manager.c
index 207800bd2..22a4191d9 100644
--- a/src/manager/manager.c
+++ b/src/manager/manager.c
@@ -118,7 +118,7 @@ METHOD(manager_t, logout, void,
 	this->user = 0;
 }
 
-METHOD(context_t, destroy, void,
+METHOD(fast_context_t, destroy, void,
 	private_manager_t *this)
 {
 	if (this->gateway) this->gateway->destroy(this->gateway);
@@ -148,4 +148,3 @@ manager_t *manager_create(storage_t *storage)
 
 	return &this->public;
 }
-
diff --git a/src/manager/manager.h b/src/manager/manager.h
index a72801f1b..e0ed7fcaf 100644
--- a/src/manager/manager.h
+++ b/src/manager/manager.h
@@ -29,7 +29,7 @@
 #include "storage.h"
 #include "gateway.h"
 
-#include <context.h>
+#include <fast_context.h>
 
 typedef struct manager_t manager_t;
 
@@ -41,7 +41,7 @@ struct manager_t {
 	/**
 	 * implements context_t interface
 	 */
-	context_t context;
+	fast_context_t context;
 
 	/**
 	 * Create an enumerator over all configured gateways.
diff --git a/src/medsrv/Makefile.am b/src/medsrv/Makefile.am
index 43da9c4e5..40bafd856 100644
--- a/src/medsrv/Makefile.am
+++ b/src/medsrv/Makefile.am
@@ -10,11 +10,15 @@ controller/peer_controller.c controller/peer_controller.h
 medsrv_fcgi_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la $(top_builddir)/src/libfast/libfast.la
 main.o :	$(top_builddir)/config.status
 
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libfast
-AM_CFLAGS = -rdynamic \
-  -DIPSECDIR=\"${ipsecdir}\" \
-  -DIPSEC_PIDDIR=\"${piddir}\" \
-  -DPLUGINS=\""${medsrv_plugins}\""
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libfast \
+	-DIPSECDIR=\"${ipsecdir}\" \
+	-DIPSEC_PIDDIR=\"${piddir}\" \
+	-DPLUGINS=\""${medsrv_plugins}\""
+
+AM_CFLAGS = \
+	-rdynamic
 
 # Don't forget to add templates to EXTRA_DIST !!! How to automate?
 medsrv_templatesdir = ${medsrvdir}/templates
diff --git a/src/medsrv/Makefile.in b/src/medsrv/Makefile.in
index 27065e2f0..e9709d375 100644
--- a/src/medsrv/Makefile.in
+++ b/src/medsrv/Makefile.in
@@ -64,7 +64,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
@@ -84,19 +84,35 @@ medsrv_fcgi_OBJECTS = $(am_medsrv_fcgi_OBJECTS)
 medsrv_fcgi_DEPENDENCIES =  \
 	$(top_builddir)/src/libstrongswan/libstrongswan.la \
 	$(top_builddir)/src/libfast/libfast.la
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
 DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
 depcomp = $(SHELL) $(top_srcdir)/depcomp
 am__depfiles_maybe = depfiles
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
 SOURCES = $(medsrv_fcgi_SOURCES)
 DIST_SOURCES = $(medsrv_fcgi_SOURCES)
 am__can_run_installinfo = \
@@ -139,6 +155,7 @@ DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
@@ -151,6 +168,8 @@ CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
 CHECK_CFLAGS = @CHECK_CFLAGS@
 CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -166,6 +185,7 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
 GPRBUILD = @GPRBUILD@
 GREP = @GREP@
@@ -174,6 +194,7 @@ INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -220,6 +241,7 @@ SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -248,6 +270,7 @@ charon_natt_port = @charon_natt_port@
 charon_plugins = @charon_plugins@
 charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
@@ -332,11 +355,15 @@ controller/user_controller.c controller/user_controller.h \
 controller/peer_controller.c controller/peer_controller.h
 
 medsrv_fcgi_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la $(top_builddir)/src/libfast/libfast.la
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libfast
-AM_CFLAGS = -rdynamic \
-  -DIPSECDIR=\"${ipsecdir}\" \
-  -DIPSEC_PIDDIR=\"${piddir}\" \
-  -DPLUGINS=\""${medsrv_plugins}\""
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libfast \
+	-DIPSECDIR=\"${ipsecdir}\" \
+	-DIPSEC_PIDDIR=\"${piddir}\" \
+	-DPLUGINS=\""${medsrv_plugins}\""
+
+AM_CFLAGS = \
+	-rdynamic
 
 
 # Don't forget to add templates to EXTRA_DIST !!! How to automate?
@@ -444,7 +471,7 @@ clean-medsrvPROGRAMS:
 	rm -f $$list
 medsrv.fcgi$(EXEEXT): $(medsrv_fcgi_OBJECTS) $(medsrv_fcgi_DEPENDENCIES) $(EXTRA_medsrv_fcgi_DEPENDENCIES) 
 	@rm -f medsrv.fcgi$(EXEEXT)
-	$(LINK) $(medsrv_fcgi_OBJECTS) $(medsrv_fcgi_LDADD) $(LIBS)
+	$(AM_V_CCLD)$(LINK) $(medsrv_fcgi_OBJECTS) $(medsrv_fcgi_LDADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -459,67 +486,67 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/user_controller.Po@am__quote@
 
 .c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
 auth_filter.o: filter/auth_filter.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT auth_filter.o -MD -MP -MF $(DEPDIR)/auth_filter.Tpo -c -o auth_filter.o `test -f 'filter/auth_filter.c' || echo '$(srcdir)/'`filter/auth_filter.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/auth_filter.Tpo $(DEPDIR)/auth_filter.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='filter/auth_filter.c' object='auth_filter.o' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT auth_filter.o -MD -MP -MF $(DEPDIR)/auth_filter.Tpo -c -o auth_filter.o `test -f 'filter/auth_filter.c' || echo '$(srcdir)/'`filter/auth_filter.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/auth_filter.Tpo $(DEPDIR)/auth_filter.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='filter/auth_filter.c' object='auth_filter.o' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o auth_filter.o `test -f 'filter/auth_filter.c' || echo '$(srcdir)/'`filter/auth_filter.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o auth_filter.o `test -f 'filter/auth_filter.c' || echo '$(srcdir)/'`filter/auth_filter.c
 
 auth_filter.obj: filter/auth_filter.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT auth_filter.obj -MD -MP -MF $(DEPDIR)/auth_filter.Tpo -c -o auth_filter.obj `if test -f 'filter/auth_filter.c'; then $(CYGPATH_W) 'filter/auth_filter.c'; else $(CYGPATH_W) '$(srcdir)/filter/auth_filter.c'; fi`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/auth_filter.Tpo $(DEPDIR)/auth_filter.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='filter/auth_filter.c' object='auth_filter.obj' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT auth_filter.obj -MD -MP -MF $(DEPDIR)/auth_filter.Tpo -c -o auth_filter.obj `if test -f 'filter/auth_filter.c'; then $(CYGPATH_W) 'filter/auth_filter.c'; else $(CYGPATH_W) '$(srcdir)/filter/auth_filter.c'; fi`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/auth_filter.Tpo $(DEPDIR)/auth_filter.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='filter/auth_filter.c' object='auth_filter.obj' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o auth_filter.obj `if test -f 'filter/auth_filter.c'; then $(CYGPATH_W) 'filter/auth_filter.c'; else $(CYGPATH_W) '$(srcdir)/filter/auth_filter.c'; fi`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o auth_filter.obj `if test -f 'filter/auth_filter.c'; then $(CYGPATH_W) 'filter/auth_filter.c'; else $(CYGPATH_W) '$(srcdir)/filter/auth_filter.c'; fi`
 
 user_controller.o: controller/user_controller.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT user_controller.o -MD -MP -MF $(DEPDIR)/user_controller.Tpo -c -o user_controller.o `test -f 'controller/user_controller.c' || echo '$(srcdir)/'`controller/user_controller.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/user_controller.Tpo $(DEPDIR)/user_controller.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='controller/user_controller.c' object='user_controller.o' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT user_controller.o -MD -MP -MF $(DEPDIR)/user_controller.Tpo -c -o user_controller.o `test -f 'controller/user_controller.c' || echo '$(srcdir)/'`controller/user_controller.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/user_controller.Tpo $(DEPDIR)/user_controller.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='controller/user_controller.c' object='user_controller.o' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o user_controller.o `test -f 'controller/user_controller.c' || echo '$(srcdir)/'`controller/user_controller.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o user_controller.o `test -f 'controller/user_controller.c' || echo '$(srcdir)/'`controller/user_controller.c
 
 user_controller.obj: controller/user_controller.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT user_controller.obj -MD -MP -MF $(DEPDIR)/user_controller.Tpo -c -o user_controller.obj `if test -f 'controller/user_controller.c'; then $(CYGPATH_W) 'controller/user_controller.c'; else $(CYGPATH_W) '$(srcdir)/controller/user_controller.c'; fi`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/user_controller.Tpo $(DEPDIR)/user_controller.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='controller/user_controller.c' object='user_controller.obj' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT user_controller.obj -MD -MP -MF $(DEPDIR)/user_controller.Tpo -c -o user_controller.obj `if test -f 'controller/user_controller.c'; then $(CYGPATH_W) 'controller/user_controller.c'; else $(CYGPATH_W) '$(srcdir)/controller/user_controller.c'; fi`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/user_controller.Tpo $(DEPDIR)/user_controller.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='controller/user_controller.c' object='user_controller.obj' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o user_controller.obj `if test -f 'controller/user_controller.c'; then $(CYGPATH_W) 'controller/user_controller.c'; else $(CYGPATH_W) '$(srcdir)/controller/user_controller.c'; fi`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o user_controller.obj `if test -f 'controller/user_controller.c'; then $(CYGPATH_W) 'controller/user_controller.c'; else $(CYGPATH_W) '$(srcdir)/controller/user_controller.c'; fi`
 
 peer_controller.o: controller/peer_controller.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT peer_controller.o -MD -MP -MF $(DEPDIR)/peer_controller.Tpo -c -o peer_controller.o `test -f 'controller/peer_controller.c' || echo '$(srcdir)/'`controller/peer_controller.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/peer_controller.Tpo $(DEPDIR)/peer_controller.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='controller/peer_controller.c' object='peer_controller.o' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT peer_controller.o -MD -MP -MF $(DEPDIR)/peer_controller.Tpo -c -o peer_controller.o `test -f 'controller/peer_controller.c' || echo '$(srcdir)/'`controller/peer_controller.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/peer_controller.Tpo $(DEPDIR)/peer_controller.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='controller/peer_controller.c' object='peer_controller.o' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o peer_controller.o `test -f 'controller/peer_controller.c' || echo '$(srcdir)/'`controller/peer_controller.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o peer_controller.o `test -f 'controller/peer_controller.c' || echo '$(srcdir)/'`controller/peer_controller.c
 
 peer_controller.obj: controller/peer_controller.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT peer_controller.obj -MD -MP -MF $(DEPDIR)/peer_controller.Tpo -c -o peer_controller.obj `if test -f 'controller/peer_controller.c'; then $(CYGPATH_W) 'controller/peer_controller.c'; else $(CYGPATH_W) '$(srcdir)/controller/peer_controller.c'; fi`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/peer_controller.Tpo $(DEPDIR)/peer_controller.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='controller/peer_controller.c' object='peer_controller.obj' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT peer_controller.obj -MD -MP -MF $(DEPDIR)/peer_controller.Tpo -c -o peer_controller.obj `if test -f 'controller/peer_controller.c'; then $(CYGPATH_W) 'controller/peer_controller.c'; else $(CYGPATH_W) '$(srcdir)/controller/peer_controller.c'; fi`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/peer_controller.Tpo $(DEPDIR)/peer_controller.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='controller/peer_controller.c' object='peer_controller.obj' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o peer_controller.obj `if test -f 'controller/peer_controller.c'; then $(CYGPATH_W) 'controller/peer_controller.c'; else $(CYGPATH_W) '$(srcdir)/controller/peer_controller.c'; fi`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o peer_controller.obj `if test -f 'controller/peer_controller.c'; then $(CYGPATH_W) 'controller/peer_controller.c'; else $(CYGPATH_W) '$(srcdir)/controller/peer_controller.c'; fi`
 
 mostlyclean-libtool:
 	-rm -f *.lo
diff --git a/src/medsrv/controller/peer_controller.c b/src/medsrv/controller/peer_controller.c
index 7b0b9e6ac..4943647b5 100644
--- a/src/medsrv/controller/peer_controller.c
+++ b/src/medsrv/controller/peer_controller.c
@@ -52,7 +52,7 @@ struct private_peer_controller_t {
 /**
  * list the configured peer configs
  */
-static void list(private_peer_controller_t *this, request_t *request)
+static void list(private_peer_controller_t *this, fast_request_t *request)
 {
 	enumerator_t *query;
 
@@ -83,7 +83,7 @@ static void list(private_peer_controller_t *this, request_t *request)
 /**
  * verify a peer alias
  */
-static bool verify_alias(private_peer_controller_t *this, request_t *request,
+static bool verify_alias(private_peer_controller_t *this, fast_request_t *request,
 						 char *alias)
 {
 	if (!alias || *alias == '\0')
@@ -117,7 +117,7 @@ static bool verify_alias(private_peer_controller_t *this, request_t *request,
  * parse and verify a public key
  */
 static bool parse_public_key(private_peer_controller_t *this,
-							 request_t *request, char *public_key,
+							 fast_request_t *request, char *public_key,
 							 chunk_t *encoding, chunk_t *keyid)
 {
 	public_key_t *public;
@@ -153,7 +153,7 @@ static bool parse_public_key(private_peer_controller_t *this,
 /**
  * register a new peer
  */
-static void add(private_peer_controller_t *this, request_t *request)
+static void add(private_peer_controller_t *this, fast_request_t *request)
 {
 	char *alias = "", *public_key = "";
 
@@ -231,7 +231,7 @@ char* pem_encode(chunk_t der)
 /**
  * edit a peer
  */
-static void edit(private_peer_controller_t *this, request_t *request, int id)
+static void edit(private_peer_controller_t *this, fast_request_t *request, int id)
 {
 	char *alias = "", *public_key = "", *pem;
 	chunk_t encoding, keyid;
@@ -305,21 +305,21 @@ static void edit(private_peer_controller_t *this, request_t *request, int id)
 /**
  * delete a peer from the database
  */
-static void delete(private_peer_controller_t *this, request_t *request, int id)
+static void delete(private_peer_controller_t *this, fast_request_t *request, int id)
 {
 	this->db->execute(this->db, NULL,
 					  "DELETE FROM peer WHERE id = ? AND user = ?",
 					  DB_INT, id, DB_UINT, this->user->get_user(this->user));
 }
 
-METHOD(controller_t, get_name, char*,
+METHOD(fast_controller_t, get_name, char*,
 	private_peer_controller_t *this)
 {
 	return "peer";
 }
 
-METHOD(controller_t, handle, void,
-	private_peer_controller_t *this, request_t *request, char *action,
+METHOD(fast_controller_t, handle, void,
+	private_peer_controller_t *this, fast_request_t *request, char *action,
 	char *idstr, char *p3, char *p4, char *p5)
 {
 	if (action)
@@ -350,7 +350,7 @@ METHOD(controller_t, handle, void,
 	request->redirect(request, "peer/list");
 }
 
-METHOD(controller_t, destroy, void,
+METHOD(fast_controller_t, destroy, void,
 	private_peer_controller_t *this)
 {
 	free(this);
@@ -359,7 +359,7 @@ METHOD(controller_t, destroy, void,
 /*
  * see header file
  */
-controller_t *peer_controller_create(user_t *user, database_t *db)
+fast_controller_t *peer_controller_create(user_t *user, database_t *db)
 {
 	private_peer_controller_t *this;
 
@@ -377,4 +377,3 @@ controller_t *peer_controller_create(user_t *user, database_t *db)
 
 	return &this->public.controller;
 }
-
diff --git a/src/medsrv/controller/peer_controller.h b/src/medsrv/controller/peer_controller.h
index b5a5e0bb8..1282156b7 100644
--- a/src/medsrv/controller/peer_controller.h
+++ b/src/medsrv/controller/peer_controller.h
@@ -24,7 +24,7 @@
 
 #include <user.h>
 
-#include <controller.h>
+#include <fast_controller.h>
 #include <database/database.h>
 
 typedef struct peer_controller_t peer_controller_t;
@@ -37,12 +37,12 @@ struct peer_controller_t {
 	/**
 	 * Implements controller_t interface.
 	 */
-	controller_t controller;
+	fast_controller_t controller;
 };
 
 /**
  * Create a peer_controller controller instance.
  */
-controller_t *peer_controller_create(user_t *user, database_t *db);
+fast_controller_t *peer_controller_create(user_t *user, database_t *db);
 
 #endif /** PEER_CONTROLLER_H_ @}*/
diff --git a/src/medsrv/controller/user_controller.c b/src/medsrv/controller/user_controller.c
index 35c9d90c8..36d04e12c 100644
--- a/src/medsrv/controller/user_controller.c
+++ b/src/medsrv/controller/user_controller.c
@@ -76,7 +76,7 @@ static chunk_t hash_password(char *login, char *password)
 /**
  * Login a user.
  */
-static void login(private_user_controller_t *this, request_t *request)
+static void login(private_user_controller_t *this, fast_request_t *request)
 {
 	if (request->get_query_data(request, "submit"))
 	{
@@ -115,7 +115,7 @@ static void login(private_user_controller_t *this, request_t *request)
 /**
  * Logout a user.
  */
-static void logout(private_user_controller_t *this, request_t *request)
+static void logout(private_user_controller_t *this, fast_request_t *request)
 {
 	request->redirect(request, "user/login");
 	request->close_session(request);
@@ -124,8 +124,8 @@ static void logout(private_user_controller_t *this, request_t *request)
 /**
  * verify a user entered username for validity
  */
-static bool verify_login(private_user_controller_t *this, request_t *request,
-						 char *login)
+static bool verify_login(private_user_controller_t *this,
+						 fast_request_t *request, char *login)
 {
 	if (!login || *login == '\0')
 	{
@@ -156,7 +156,8 @@ static bool verify_login(private_user_controller_t *this, request_t *request,
 /**
  * verify a user entered password for validity
  */
-static bool verify_password(private_user_controller_t *this, request_t *request,
+static bool verify_password(private_user_controller_t *this,
+							fast_request_t *request,
 							char *password, char *confirm)
 {
 	if (!password || *password == '\0')
@@ -181,7 +182,7 @@ static bool verify_password(private_user_controller_t *this, request_t *request,
 /**
  * Register a user.
  */
-static void add(private_user_controller_t *this, request_t *request)
+static void add(private_user_controller_t *this, fast_request_t *request)
 {
 	char *login = "";
 
@@ -222,7 +223,7 @@ static void add(private_user_controller_t *this, request_t *request)
 /**
  * Edit the logged in user
  */
-static void edit(private_user_controller_t *this, request_t *request)
+static void edit(private_user_controller_t *this, fast_request_t *request)
 {
 	enumerator_t *query;
 	char *old_login;
@@ -297,14 +298,14 @@ static void edit(private_user_controller_t *this, request_t *request)
 	request->render(request, "templates/user/edit.cs");
 }
 
-METHOD(controller_t, get_name, char*,
+METHOD(fast_controller_t, get_name, char*,
 	private_user_controller_t *this)
 {
 	return "user";
 }
 
-METHOD(controller_t, handle, void,
-	private_user_controller_t *this, request_t *request, char *action,
+METHOD(fast_controller_t, handle, void,
+	private_user_controller_t *this, fast_request_t *request, char *action,
 	char *p2, char *p3, char *p4, char *p5)
 {
 	if (action)
@@ -333,7 +334,7 @@ METHOD(controller_t, handle, void,
 	request->redirect(request, "user/login");
 }
 
-METHOD(controller_t, destroy, void,
+METHOD(fast_controller_t, destroy, void,
 	private_user_controller_t *this)
 {
 	free(this);
@@ -342,7 +343,7 @@ METHOD(controller_t, destroy, void,
 /*
  * see header file
  */
-controller_t *user_controller_create(user_t *user, database_t *db)
+fast_controller_t *user_controller_create(user_t *user, database_t *db)
 {
 	private_user_controller_t *this;
 
@@ -362,4 +363,3 @@ controller_t *user_controller_create(user_t *user, database_t *db)
 
 	return &this->public.controller;
 }
-
diff --git a/src/medsrv/controller/user_controller.h b/src/medsrv/controller/user_controller.h
index 540dc74a2..8443a8d2b 100644
--- a/src/medsrv/controller/user_controller.h
+++ b/src/medsrv/controller/user_controller.h
@@ -24,7 +24,7 @@
 
 #include <user.h>
 
-#include <controller.h>
+#include <fast_controller.h>
 #include <database/database.h>
 
 typedef struct user_controller_t user_controller_t;
@@ -37,12 +37,12 @@ struct user_controller_t {
 	/**
 	 * Implements controller_t interface.
 	 */
-	controller_t controller;
+	fast_controller_t controller;
 };
 
 /**
  * Create a user_controller controller instance.
  */
-controller_t *user_controller_create(user_t *user, database_t *db);
+fast_controller_t *user_controller_create(user_t *user, database_t *db);
 
 #endif /** USER_CONTROLLER_H_ @}*/
diff --git a/src/medsrv/filter/auth_filter.c b/src/medsrv/filter/auth_filter.c
index 436a72f2b..fb39bdb0e 100644
--- a/src/medsrv/filter/auth_filter.c
+++ b/src/medsrv/filter/auth_filter.c
@@ -40,8 +40,8 @@ struct private_auth_filter_t {
 	database_t *db;
 };
 
-METHOD(filter_t, run, bool,
-	private_auth_filter_t *this, request_t *request, char *controller,
+METHOD(fast_filter_t, run, bool,
+	private_auth_filter_t *this, fast_request_t *request, char *controller,
 	char *action, char *p2, char *p3, char *p4, char *p5)
 {
 	if (this->user->get_user(this->user))
@@ -70,7 +70,7 @@ METHOD(filter_t, run, bool,
 	return FALSE;
 }
 
-METHOD(filter_t, destroy, void,
+METHOD(fast_filter_t, destroy, void,
 	private_auth_filter_t *this)
 {
 	free(this);
@@ -79,7 +79,7 @@ METHOD(filter_t, destroy, void,
 /*
  * see header file
  */
-filter_t *auth_filter_create(user_t *user, database_t *db)
+fast_filter_t *auth_filter_create(user_t *user, database_t *db)
 {
 	private_auth_filter_t *this;
 
@@ -96,4 +96,3 @@ filter_t *auth_filter_create(user_t *user, database_t *db)
 
 	return &this->public.filter;
 }
-
diff --git a/src/medsrv/filter/auth_filter.h b/src/medsrv/filter/auth_filter.h
index beae27965..022254dde 100644
--- a/src/medsrv/filter/auth_filter.h
+++ b/src/medsrv/filter/auth_filter.h
@@ -23,7 +23,7 @@
 #define AUTH_FILTER_H_
 
 #include <library.h>
-#include <filter.h>
+#include <fast_filter.h>
 
 #include "user.h"
 
@@ -37,12 +37,12 @@ struct auth_filter_t {
 	/**
 	 * Implements filter_t interface.
 	 */
-	filter_t filter;
+	fast_filter_t filter;
 };
 
 /**
  * Create a auth_filter instance.
  */
-filter_t *auth_filter_create(user_t *user, database_t *db);
+fast_filter_t *auth_filter_create(user_t *user, database_t *db);
 
 #endif /** AUTH_FILTER_H_  @}*/
diff --git a/src/medsrv/main.c b/src/medsrv/main.c
index 03b135289..6f08b97e5 100644
--- a/src/medsrv/main.c
+++ b/src/medsrv/main.c
@@ -16,7 +16,7 @@
 
 #include <stdio.h>
 
-#include <dispatcher.h>
+#include <fast_dispatcher.h>
 #include <utils/debug.h>
 #include <database/database.h>
 
@@ -26,7 +26,7 @@
 
 int main(int arc, char *argv[])
 {
-	dispatcher_t *dispatcher;
+	fast_dispatcher_t *dispatcher;
 	database_t *db;
 	char *socket;
 	bool debug;
@@ -34,7 +34,7 @@ int main(int arc, char *argv[])
 	int timeout, threads;
 
 	library_init(NULL);
-	if (!lib->plugins->load(lib->plugins, NULL,
+	if (!lib->plugins->load(lib->plugins,
 			lib->settings->get_str(lib->settings, "medsrv.load", PLUGINS)))
 	{
 		return 1;
@@ -58,14 +58,14 @@ int main(int arc, char *argv[])
 		return 1;
 	}
 
-	dispatcher = dispatcher_create(socket, debug, timeout,
-								   (context_constructor_t)user_create, db);
+	dispatcher = fast_dispatcher_create(socket, debug, timeout,
+					(fast_context_constructor_t)user_create, db);
 	dispatcher->add_filter(dispatcher,
-						(filter_constructor_t)auth_filter_create, db);
+					(fast_filter_constructor_t)auth_filter_create, db);
 	dispatcher->add_controller(dispatcher,
-						(controller_constructor_t)user_controller_create, db);
+					(fast_controller_constructor_t)user_controller_create, db);
 	dispatcher->add_controller(dispatcher,
-						(controller_constructor_t)peer_controller_create, db);
+					(fast_controller_constructor_t)peer_controller_create, db);
 
 	dispatcher->run(dispatcher, threads);
 
@@ -76,4 +76,3 @@ int main(int arc, char *argv[])
 	library_deinit();
 	return 0;
 }
-
diff --git a/src/medsrv/user.c b/src/medsrv/user.c
index b4859080b..023dafbed 100644
--- a/src/medsrv/user.c
+++ b/src/medsrv/user.c
@@ -45,7 +45,7 @@ METHOD(user_t, get_user, u_int,
 	return this->user;
 }
 
-METHOD(context_t, destroy, void,
+METHOD(fast_context_t, destroy, void,
 	private_user_t *this)
 {
 	free(this);
@@ -70,4 +70,3 @@ user_t *user_create(void *param)
 
 	return &this->public;
 }
-
diff --git a/src/medsrv/user.h b/src/medsrv/user.h
index beeed6ec1..475972a5b 100644
--- a/src/medsrv/user.h
+++ b/src/medsrv/user.h
@@ -23,7 +23,7 @@
 #ifndef USER_H_
 #define USER_H_
 
-#include <context.h>
+#include <fast_context.h>
 #include <library.h>
 
 typedef struct user_t user_t;
@@ -36,7 +36,7 @@ struct user_t {
 	/**
 	 * implements context_t interface
 	 */
-	context_t context;
+	fast_context_t context;
 
 	/**
 	 * Set the user ID of the logged in user.
diff --git a/src/openac/Makefile.am b/src/openac/Makefile.am
index 0be040e87..78a466bd6 100644
--- a/src/openac/Makefile.am
+++ b/src/openac/Makefile.am
@@ -2,9 +2,10 @@ ipsec_PROGRAMS = openac
 openac_SOURCES = openac.c
 dist_man_MANS = openac.8
 
-INCLUDES = -I$(top_srcdir)/src/libstrongswan
-AM_CFLAGS = \
-  -DIPSEC_CONFDIR=\"${sysconfdir}\" \
-  -DPLUGINS=\""${openac_plugins}\""
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-DIPSEC_CONFDIR=\"${sysconfdir}\" \
+	-DPLUGINS=\""${openac_plugins}\""
+
 openac_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la
 openac.o :		$(top_builddir)/config.status
diff --git a/src/openac/Makefile.in b/src/openac/Makefile.in
index d5e041387..a34fb4285 100644
--- a/src/openac/Makefile.in
+++ b/src/openac/Makefile.in
@@ -64,7 +64,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
@@ -77,19 +77,35 @@ am_openac_OBJECTS = openac.$(OBJEXT)
 openac_OBJECTS = $(am_openac_OBJECTS)
 openac_DEPENDENCIES =  \
 	$(top_builddir)/src/libstrongswan/libstrongswan.la
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
 DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
 depcomp = $(SHELL) $(top_srcdir)/depcomp
 am__depfiles_maybe = depfiles
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
 SOURCES = $(openac_SOURCES)
 DIST_SOURCES = $(openac_SOURCES)
 am__can_run_installinfo = \
@@ -133,6 +149,7 @@ DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
@@ -145,6 +162,8 @@ CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
 CHECK_CFLAGS = @CHECK_CFLAGS@
 CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -160,6 +179,7 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
 GPRBUILD = @GPRBUILD@
 GREP = @GREP@
@@ -168,6 +188,7 @@ INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -214,6 +235,7 @@ SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -242,6 +264,7 @@ charon_natt_port = @charon_natt_port@
 charon_plugins = @charon_plugins@
 charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
@@ -321,10 +344,10 @@ xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
 openac_SOURCES = openac.c
 dist_man_MANS = openac.8
-INCLUDES = -I$(top_srcdir)/src/libstrongswan
-AM_CFLAGS = \
-  -DIPSEC_CONFDIR=\"${sysconfdir}\" \
-  -DPLUGINS=\""${openac_plugins}\""
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-DIPSEC_CONFDIR=\"${sysconfdir}\" \
+	-DPLUGINS=\""${openac_plugins}\""
 
 openac_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la
 all: all-am
@@ -409,7 +432,7 @@ clean-ipsecPROGRAMS:
 	rm -f $$list
 openac$(EXEEXT): $(openac_OBJECTS) $(openac_DEPENDENCIES) $(EXTRA_openac_DEPENDENCIES) 
 	@rm -f openac$(EXEEXT)
-	$(LINK) $(openac_OBJECTS) $(openac_LDADD) $(LIBS)
+	$(AM_V_CCLD)$(LINK) $(openac_OBJECTS) $(openac_LDADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -420,25 +443,25 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/openac.Po@am__quote@
 
 .c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
 mostlyclean-libtool:
 	-rm -f *.lo
diff --git a/src/openac/openac.c b/src/openac/openac.c
index 7b81d6cea..7074d44be 100644
--- a/src/openac/openac.c
+++ b/src/openac/openac.c
@@ -238,7 +238,7 @@ int main(int argc, char **argv)
 		fprintf(stderr, "integrity check of openac failed\n");
 		exit(SS_RC_DAEMON_INTEGRITY);
 	}
-	if (!lib->plugins->load(lib->plugins, NULL,
+	if (!lib->plugins->load(lib->plugins,
 			lib->settings->get_str(lib->settings, "openac.load", PLUGINS)))
 	{
 		exit(SS_RC_INITIALIZATION_FAILED);
diff --git a/src/pki/Makefile.am b/src/pki/Makefile.am
index be74e5d00..e07938284 100644
--- a/src/pki/Makefile.am
+++ b/src/pki/Makefile.am
@@ -15,6 +15,6 @@ pki_SOURCES = pki.c pki.h command.c command.h \
 pki_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la
 pki.o :	$(top_builddir)/config.status
 
-INCLUDES = -I$(top_srcdir)/src/libstrongswan
-AM_CFLAGS = \
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
 	-DPLUGINS=\""${pki_plugins}\""
diff --git a/src/pki/Makefile.in b/src/pki/Makefile.in
index f86c6596d..f58ad1bce 100644
--- a/src/pki/Makefile.in
+++ b/src/pki/Makefile.in
@@ -63,7 +63,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
@@ -78,19 +78,35 @@ am_pki_OBJECTS = pki.$(OBJEXT) command.$(OBJEXT) gen.$(OBJEXT) \
 	pkcs7.$(OBJEXT) verify.$(OBJEXT)
 pki_OBJECTS = $(am_pki_OBJECTS)
 pki_DEPENDENCIES = $(top_builddir)/src/libstrongswan/libstrongswan.la
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
 DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
 depcomp = $(SHELL) $(top_srcdir)/depcomp
 am__depfiles_maybe = depfiles
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
 SOURCES = $(pki_SOURCES)
 DIST_SOURCES = $(pki_SOURCES)
 am__can_run_installinfo = \
@@ -104,6 +120,7 @@ DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
@@ -116,6 +133,8 @@ CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
 CHECK_CFLAGS = @CHECK_CFLAGS@
 CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -131,6 +150,7 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
 GPRBUILD = @GPRBUILD@
 GREP = @GREP@
@@ -139,6 +159,7 @@ INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -185,6 +206,7 @@ SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -213,6 +235,7 @@ charon_natt_port = @charon_natt_port@
 charon_plugins = @charon_plugins@
 charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
@@ -303,8 +326,8 @@ pki_SOURCES = pki.c pki.h command.c command.h \
 	commands/verify.c
 
 pki_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la
-INCLUDES = -I$(top_srcdir)/src/libstrongswan
-AM_CFLAGS = \
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
 	-DPLUGINS=\""${pki_plugins}\""
 
 all: all-am
@@ -389,7 +412,7 @@ clean-ipsecPROGRAMS:
 	rm -f $$list
 pki$(EXEEXT): $(pki_OBJECTS) $(pki_DEPENDENCIES) $(EXTRA_pki_DEPENDENCIES) 
 	@rm -f pki$(EXEEXT)
-	$(LINK) $(pki_OBJECTS) $(pki_LDADD) $(LIBS)
+	$(AM_V_CCLD)$(LINK) $(pki_OBJECTS) $(pki_LDADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -411,165 +434,165 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/verify.Po@am__quote@
 
 .c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
 gen.o: commands/gen.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT gen.o -MD -MP -MF $(DEPDIR)/gen.Tpo -c -o gen.o `test -f 'commands/gen.c' || echo '$(srcdir)/'`commands/gen.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/gen.Tpo $(DEPDIR)/gen.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='commands/gen.c' object='gen.o' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT gen.o -MD -MP -MF $(DEPDIR)/gen.Tpo -c -o gen.o `test -f 'commands/gen.c' || echo '$(srcdir)/'`commands/gen.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/gen.Tpo $(DEPDIR)/gen.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='commands/gen.c' object='gen.o' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o gen.o `test -f 'commands/gen.c' || echo '$(srcdir)/'`commands/gen.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o gen.o `test -f 'commands/gen.c' || echo '$(srcdir)/'`commands/gen.c
 
 gen.obj: commands/gen.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT gen.obj -MD -MP -MF $(DEPDIR)/gen.Tpo -c -o gen.obj `if test -f 'commands/gen.c'; then $(CYGPATH_W) 'commands/gen.c'; else $(CYGPATH_W) '$(srcdir)/commands/gen.c'; fi`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/gen.Tpo $(DEPDIR)/gen.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='commands/gen.c' object='gen.obj' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT gen.obj -MD -MP -MF $(DEPDIR)/gen.Tpo -c -o gen.obj `if test -f 'commands/gen.c'; then $(CYGPATH_W) 'commands/gen.c'; else $(CYGPATH_W) '$(srcdir)/commands/gen.c'; fi`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/gen.Tpo $(DEPDIR)/gen.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='commands/gen.c' object='gen.obj' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o gen.obj `if test -f 'commands/gen.c'; then $(CYGPATH_W) 'commands/gen.c'; else $(CYGPATH_W) '$(srcdir)/commands/gen.c'; fi`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o gen.obj `if test -f 'commands/gen.c'; then $(CYGPATH_W) 'commands/gen.c'; else $(CYGPATH_W) '$(srcdir)/commands/gen.c'; fi`
 
 issue.o: commands/issue.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT issue.o -MD -MP -MF $(DEPDIR)/issue.Tpo -c -o issue.o `test -f 'commands/issue.c' || echo '$(srcdir)/'`commands/issue.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/issue.Tpo $(DEPDIR)/issue.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='commands/issue.c' object='issue.o' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT issue.o -MD -MP -MF $(DEPDIR)/issue.Tpo -c -o issue.o `test -f 'commands/issue.c' || echo '$(srcdir)/'`commands/issue.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/issue.Tpo $(DEPDIR)/issue.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='commands/issue.c' object='issue.o' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o issue.o `test -f 'commands/issue.c' || echo '$(srcdir)/'`commands/issue.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o issue.o `test -f 'commands/issue.c' || echo '$(srcdir)/'`commands/issue.c
 
 issue.obj: commands/issue.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT issue.obj -MD -MP -MF $(DEPDIR)/issue.Tpo -c -o issue.obj `if test -f 'commands/issue.c'; then $(CYGPATH_W) 'commands/issue.c'; else $(CYGPATH_W) '$(srcdir)/commands/issue.c'; fi`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/issue.Tpo $(DEPDIR)/issue.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='commands/issue.c' object='issue.obj' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT issue.obj -MD -MP -MF $(DEPDIR)/issue.Tpo -c -o issue.obj `if test -f 'commands/issue.c'; then $(CYGPATH_W) 'commands/issue.c'; else $(CYGPATH_W) '$(srcdir)/commands/issue.c'; fi`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/issue.Tpo $(DEPDIR)/issue.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='commands/issue.c' object='issue.obj' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o issue.obj `if test -f 'commands/issue.c'; then $(CYGPATH_W) 'commands/issue.c'; else $(CYGPATH_W) '$(srcdir)/commands/issue.c'; fi`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o issue.obj `if test -f 'commands/issue.c'; then $(CYGPATH_W) 'commands/issue.c'; else $(CYGPATH_W) '$(srcdir)/commands/issue.c'; fi`
 
 keyid.o: commands/keyid.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT keyid.o -MD -MP -MF $(DEPDIR)/keyid.Tpo -c -o keyid.o `test -f 'commands/keyid.c' || echo '$(srcdir)/'`commands/keyid.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/keyid.Tpo $(DEPDIR)/keyid.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='commands/keyid.c' object='keyid.o' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT keyid.o -MD -MP -MF $(DEPDIR)/keyid.Tpo -c -o keyid.o `test -f 'commands/keyid.c' || echo '$(srcdir)/'`commands/keyid.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/keyid.Tpo $(DEPDIR)/keyid.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='commands/keyid.c' object='keyid.o' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o keyid.o `test -f 'commands/keyid.c' || echo '$(srcdir)/'`commands/keyid.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o keyid.o `test -f 'commands/keyid.c' || echo '$(srcdir)/'`commands/keyid.c
 
 keyid.obj: commands/keyid.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT keyid.obj -MD -MP -MF $(DEPDIR)/keyid.Tpo -c -o keyid.obj `if test -f 'commands/keyid.c'; then $(CYGPATH_W) 'commands/keyid.c'; else $(CYGPATH_W) '$(srcdir)/commands/keyid.c'; fi`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/keyid.Tpo $(DEPDIR)/keyid.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='commands/keyid.c' object='keyid.obj' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT keyid.obj -MD -MP -MF $(DEPDIR)/keyid.Tpo -c -o keyid.obj `if test -f 'commands/keyid.c'; then $(CYGPATH_W) 'commands/keyid.c'; else $(CYGPATH_W) '$(srcdir)/commands/keyid.c'; fi`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/keyid.Tpo $(DEPDIR)/keyid.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='commands/keyid.c' object='keyid.obj' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o keyid.obj `if test -f 'commands/keyid.c'; then $(CYGPATH_W) 'commands/keyid.c'; else $(CYGPATH_W) '$(srcdir)/commands/keyid.c'; fi`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o keyid.obj `if test -f 'commands/keyid.c'; then $(CYGPATH_W) 'commands/keyid.c'; else $(CYGPATH_W) '$(srcdir)/commands/keyid.c'; fi`
 
 pub.o: commands/pub.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT pub.o -MD -MP -MF $(DEPDIR)/pub.Tpo -c -o pub.o `test -f 'commands/pub.c' || echo '$(srcdir)/'`commands/pub.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/pub.Tpo $(DEPDIR)/pub.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='commands/pub.c' object='pub.o' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT pub.o -MD -MP -MF $(DEPDIR)/pub.Tpo -c -o pub.o `test -f 'commands/pub.c' || echo '$(srcdir)/'`commands/pub.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/pub.Tpo $(DEPDIR)/pub.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='commands/pub.c' object='pub.o' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o pub.o `test -f 'commands/pub.c' || echo '$(srcdir)/'`commands/pub.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o pub.o `test -f 'commands/pub.c' || echo '$(srcdir)/'`commands/pub.c
 
 pub.obj: commands/pub.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT pub.obj -MD -MP -MF $(DEPDIR)/pub.Tpo -c -o pub.obj `if test -f 'commands/pub.c'; then $(CYGPATH_W) 'commands/pub.c'; else $(CYGPATH_W) '$(srcdir)/commands/pub.c'; fi`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/pub.Tpo $(DEPDIR)/pub.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='commands/pub.c' object='pub.obj' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT pub.obj -MD -MP -MF $(DEPDIR)/pub.Tpo -c -o pub.obj `if test -f 'commands/pub.c'; then $(CYGPATH_W) 'commands/pub.c'; else $(CYGPATH_W) '$(srcdir)/commands/pub.c'; fi`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/pub.Tpo $(DEPDIR)/pub.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='commands/pub.c' object='pub.obj' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o pub.obj `if test -f 'commands/pub.c'; then $(CYGPATH_W) 'commands/pub.c'; else $(CYGPATH_W) '$(srcdir)/commands/pub.c'; fi`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o pub.obj `if test -f 'commands/pub.c'; then $(CYGPATH_W) 'commands/pub.c'; else $(CYGPATH_W) '$(srcdir)/commands/pub.c'; fi`
 
 req.o: commands/req.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT req.o -MD -MP -MF $(DEPDIR)/req.Tpo -c -o req.o `test -f 'commands/req.c' || echo '$(srcdir)/'`commands/req.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/req.Tpo $(DEPDIR)/req.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='commands/req.c' object='req.o' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT req.o -MD -MP -MF $(DEPDIR)/req.Tpo -c -o req.o `test -f 'commands/req.c' || echo '$(srcdir)/'`commands/req.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/req.Tpo $(DEPDIR)/req.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='commands/req.c' object='req.o' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o req.o `test -f 'commands/req.c' || echo '$(srcdir)/'`commands/req.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o req.o `test -f 'commands/req.c' || echo '$(srcdir)/'`commands/req.c
 
 req.obj: commands/req.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT req.obj -MD -MP -MF $(DEPDIR)/req.Tpo -c -o req.obj `if test -f 'commands/req.c'; then $(CYGPATH_W) 'commands/req.c'; else $(CYGPATH_W) '$(srcdir)/commands/req.c'; fi`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/req.Tpo $(DEPDIR)/req.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='commands/req.c' object='req.obj' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT req.obj -MD -MP -MF $(DEPDIR)/req.Tpo -c -o req.obj `if test -f 'commands/req.c'; then $(CYGPATH_W) 'commands/req.c'; else $(CYGPATH_W) '$(srcdir)/commands/req.c'; fi`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/req.Tpo $(DEPDIR)/req.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='commands/req.c' object='req.obj' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o req.obj `if test -f 'commands/req.c'; then $(CYGPATH_W) 'commands/req.c'; else $(CYGPATH_W) '$(srcdir)/commands/req.c'; fi`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o req.obj `if test -f 'commands/req.c'; then $(CYGPATH_W) 'commands/req.c'; else $(CYGPATH_W) '$(srcdir)/commands/req.c'; fi`
 
 self.o: commands/self.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT self.o -MD -MP -MF $(DEPDIR)/self.Tpo -c -o self.o `test -f 'commands/self.c' || echo '$(srcdir)/'`commands/self.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/self.Tpo $(DEPDIR)/self.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='commands/self.c' object='self.o' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT self.o -MD -MP -MF $(DEPDIR)/self.Tpo -c -o self.o `test -f 'commands/self.c' || echo '$(srcdir)/'`commands/self.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/self.Tpo $(DEPDIR)/self.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='commands/self.c' object='self.o' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o self.o `test -f 'commands/self.c' || echo '$(srcdir)/'`commands/self.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o self.o `test -f 'commands/self.c' || echo '$(srcdir)/'`commands/self.c
 
 self.obj: commands/self.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT self.obj -MD -MP -MF $(DEPDIR)/self.Tpo -c -o self.obj `if test -f 'commands/self.c'; then $(CYGPATH_W) 'commands/self.c'; else $(CYGPATH_W) '$(srcdir)/commands/self.c'; fi`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/self.Tpo $(DEPDIR)/self.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='commands/self.c' object='self.obj' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT self.obj -MD -MP -MF $(DEPDIR)/self.Tpo -c -o self.obj `if test -f 'commands/self.c'; then $(CYGPATH_W) 'commands/self.c'; else $(CYGPATH_W) '$(srcdir)/commands/self.c'; fi`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/self.Tpo $(DEPDIR)/self.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='commands/self.c' object='self.obj' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o self.obj `if test -f 'commands/self.c'; then $(CYGPATH_W) 'commands/self.c'; else $(CYGPATH_W) '$(srcdir)/commands/self.c'; fi`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o self.obj `if test -f 'commands/self.c'; then $(CYGPATH_W) 'commands/self.c'; else $(CYGPATH_W) '$(srcdir)/commands/self.c'; fi`
 
 print.o: commands/print.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT print.o -MD -MP -MF $(DEPDIR)/print.Tpo -c -o print.o `test -f 'commands/print.c' || echo '$(srcdir)/'`commands/print.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/print.Tpo $(DEPDIR)/print.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='commands/print.c' object='print.o' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT print.o -MD -MP -MF $(DEPDIR)/print.Tpo -c -o print.o `test -f 'commands/print.c' || echo '$(srcdir)/'`commands/print.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/print.Tpo $(DEPDIR)/print.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='commands/print.c' object='print.o' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o print.o `test -f 'commands/print.c' || echo '$(srcdir)/'`commands/print.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o print.o `test -f 'commands/print.c' || echo '$(srcdir)/'`commands/print.c
 
 print.obj: commands/print.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT print.obj -MD -MP -MF $(DEPDIR)/print.Tpo -c -o print.obj `if test -f 'commands/print.c'; then $(CYGPATH_W) 'commands/print.c'; else $(CYGPATH_W) '$(srcdir)/commands/print.c'; fi`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/print.Tpo $(DEPDIR)/print.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='commands/print.c' object='print.obj' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT print.obj -MD -MP -MF $(DEPDIR)/print.Tpo -c -o print.obj `if test -f 'commands/print.c'; then $(CYGPATH_W) 'commands/print.c'; else $(CYGPATH_W) '$(srcdir)/commands/print.c'; fi`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/print.Tpo $(DEPDIR)/print.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='commands/print.c' object='print.obj' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o print.obj `if test -f 'commands/print.c'; then $(CYGPATH_W) 'commands/print.c'; else $(CYGPATH_W) '$(srcdir)/commands/print.c'; fi`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o print.obj `if test -f 'commands/print.c'; then $(CYGPATH_W) 'commands/print.c'; else $(CYGPATH_W) '$(srcdir)/commands/print.c'; fi`
 
 signcrl.o: commands/signcrl.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT signcrl.o -MD -MP -MF $(DEPDIR)/signcrl.Tpo -c -o signcrl.o `test -f 'commands/signcrl.c' || echo '$(srcdir)/'`commands/signcrl.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/signcrl.Tpo $(DEPDIR)/signcrl.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='commands/signcrl.c' object='signcrl.o' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT signcrl.o -MD -MP -MF $(DEPDIR)/signcrl.Tpo -c -o signcrl.o `test -f 'commands/signcrl.c' || echo '$(srcdir)/'`commands/signcrl.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/signcrl.Tpo $(DEPDIR)/signcrl.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='commands/signcrl.c' object='signcrl.o' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o signcrl.o `test -f 'commands/signcrl.c' || echo '$(srcdir)/'`commands/signcrl.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o signcrl.o `test -f 'commands/signcrl.c' || echo '$(srcdir)/'`commands/signcrl.c
 
 signcrl.obj: commands/signcrl.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT signcrl.obj -MD -MP -MF $(DEPDIR)/signcrl.Tpo -c -o signcrl.obj `if test -f 'commands/signcrl.c'; then $(CYGPATH_W) 'commands/signcrl.c'; else $(CYGPATH_W) '$(srcdir)/commands/signcrl.c'; fi`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/signcrl.Tpo $(DEPDIR)/signcrl.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='commands/signcrl.c' object='signcrl.obj' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT signcrl.obj -MD -MP -MF $(DEPDIR)/signcrl.Tpo -c -o signcrl.obj `if test -f 'commands/signcrl.c'; then $(CYGPATH_W) 'commands/signcrl.c'; else $(CYGPATH_W) '$(srcdir)/commands/signcrl.c'; fi`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/signcrl.Tpo $(DEPDIR)/signcrl.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='commands/signcrl.c' object='signcrl.obj' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o signcrl.obj `if test -f 'commands/signcrl.c'; then $(CYGPATH_W) 'commands/signcrl.c'; else $(CYGPATH_W) '$(srcdir)/commands/signcrl.c'; fi`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o signcrl.obj `if test -f 'commands/signcrl.c'; then $(CYGPATH_W) 'commands/signcrl.c'; else $(CYGPATH_W) '$(srcdir)/commands/signcrl.c'; fi`
 
 pkcs7.o: commands/pkcs7.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT pkcs7.o -MD -MP -MF $(DEPDIR)/pkcs7.Tpo -c -o pkcs7.o `test -f 'commands/pkcs7.c' || echo '$(srcdir)/'`commands/pkcs7.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/pkcs7.Tpo $(DEPDIR)/pkcs7.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='commands/pkcs7.c' object='pkcs7.o' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT pkcs7.o -MD -MP -MF $(DEPDIR)/pkcs7.Tpo -c -o pkcs7.o `test -f 'commands/pkcs7.c' || echo '$(srcdir)/'`commands/pkcs7.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/pkcs7.Tpo $(DEPDIR)/pkcs7.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='commands/pkcs7.c' object='pkcs7.o' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o pkcs7.o `test -f 'commands/pkcs7.c' || echo '$(srcdir)/'`commands/pkcs7.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o pkcs7.o `test -f 'commands/pkcs7.c' || echo '$(srcdir)/'`commands/pkcs7.c
 
 pkcs7.obj: commands/pkcs7.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT pkcs7.obj -MD -MP -MF $(DEPDIR)/pkcs7.Tpo -c -o pkcs7.obj `if test -f 'commands/pkcs7.c'; then $(CYGPATH_W) 'commands/pkcs7.c'; else $(CYGPATH_W) '$(srcdir)/commands/pkcs7.c'; fi`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/pkcs7.Tpo $(DEPDIR)/pkcs7.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='commands/pkcs7.c' object='pkcs7.obj' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT pkcs7.obj -MD -MP -MF $(DEPDIR)/pkcs7.Tpo -c -o pkcs7.obj `if test -f 'commands/pkcs7.c'; then $(CYGPATH_W) 'commands/pkcs7.c'; else $(CYGPATH_W) '$(srcdir)/commands/pkcs7.c'; fi`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/pkcs7.Tpo $(DEPDIR)/pkcs7.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='commands/pkcs7.c' object='pkcs7.obj' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o pkcs7.obj `if test -f 'commands/pkcs7.c'; then $(CYGPATH_W) 'commands/pkcs7.c'; else $(CYGPATH_W) '$(srcdir)/commands/pkcs7.c'; fi`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o pkcs7.obj `if test -f 'commands/pkcs7.c'; then $(CYGPATH_W) 'commands/pkcs7.c'; else $(CYGPATH_W) '$(srcdir)/commands/pkcs7.c'; fi`
 
 verify.o: commands/verify.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT verify.o -MD -MP -MF $(DEPDIR)/verify.Tpo -c -o verify.o `test -f 'commands/verify.c' || echo '$(srcdir)/'`commands/verify.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/verify.Tpo $(DEPDIR)/verify.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='commands/verify.c' object='verify.o' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT verify.o -MD -MP -MF $(DEPDIR)/verify.Tpo -c -o verify.o `test -f 'commands/verify.c' || echo '$(srcdir)/'`commands/verify.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/verify.Tpo $(DEPDIR)/verify.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='commands/verify.c' object='verify.o' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o verify.o `test -f 'commands/verify.c' || echo '$(srcdir)/'`commands/verify.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o verify.o `test -f 'commands/verify.c' || echo '$(srcdir)/'`commands/verify.c
 
 verify.obj: commands/verify.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT verify.obj -MD -MP -MF $(DEPDIR)/verify.Tpo -c -o verify.obj `if test -f 'commands/verify.c'; then $(CYGPATH_W) 'commands/verify.c'; else $(CYGPATH_W) '$(srcdir)/commands/verify.c'; fi`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/verify.Tpo $(DEPDIR)/verify.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='commands/verify.c' object='verify.obj' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT verify.obj -MD -MP -MF $(DEPDIR)/verify.Tpo -c -o verify.obj `if test -f 'commands/verify.c'; then $(CYGPATH_W) 'commands/verify.c'; else $(CYGPATH_W) '$(srcdir)/commands/verify.c'; fi`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/verify.Tpo $(DEPDIR)/verify.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='commands/verify.c' object='verify.obj' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o verify.obj `if test -f 'commands/verify.c'; then $(CYGPATH_W) 'commands/verify.c'; else $(CYGPATH_W) '$(srcdir)/commands/verify.c'; fi`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o verify.obj `if test -f 'commands/verify.c'; then $(CYGPATH_W) 'commands/verify.c'; else $(CYGPATH_W) '$(srcdir)/commands/verify.c'; fi`
 
 mostlyclean-libtool:
 	-rm -f *.lo
diff --git a/src/pki/pki.c b/src/pki/pki.c
index 429517b92..c3039a649 100644
--- a/src/pki/pki.c
+++ b/src/pki/pki.c
@@ -167,7 +167,7 @@ int main(int argc, char *argv[])
 		fprintf(stderr, "integrity check of pki failed\n");
 		exit(SS_RC_DAEMON_INTEGRITY);
 	}
-	if (!lib->plugins->load(lib->plugins, NULL,
+	if (!lib->plugins->load(lib->plugins,
 			lib->settings->get_str(lib->settings, "pki.load", PLUGINS)))
 	{
 		exit(SS_RC_INITIALIZATION_FAILED);
diff --git a/src/scepclient/Makefile.am b/src/scepclient/Makefile.am
index 930f3dd80..c911be1c4 100644
--- a/src/scepclient/Makefile.am
+++ b/src/scepclient/Makefile.am
@@ -4,16 +4,13 @@ scepclient.c scep.c scep.h
 
 scepclient.o :	$(top_builddir)/config.status
 
-INCLUDES = \
--I$(top_srcdir)/src/libstrongswan \
--I$(top_srcdir)/src/libhydra
-
-AM_CFLAGS = \
--DIPSEC_CONFDIR=\"${sysconfdir}\" \
--DPLUGINS=\""${scepclient_plugins}\""
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra \
+	-DIPSEC_CONFDIR=\"${sysconfdir}\" \
+	-DPLUGINS=\""${scepclient_plugins}\""
 
 scepclient_LDADD = \
 $(top_builddir)/src/libstrongswan/libstrongswan.la
 
 dist_man_MANS = scepclient.8
-
diff --git a/src/scepclient/Makefile.in b/src/scepclient/Makefile.in
index fc796328c..19a7a5d6b 100644
--- a/src/scepclient/Makefile.in
+++ b/src/scepclient/Makefile.in
@@ -64,7 +64,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
@@ -77,19 +77,35 @@ am_scepclient_OBJECTS = scepclient.$(OBJEXT) scep.$(OBJEXT)
 scepclient_OBJECTS = $(am_scepclient_OBJECTS)
 scepclient_DEPENDENCIES =  \
 	$(top_builddir)/src/libstrongswan/libstrongswan.la
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
 DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
 depcomp = $(SHELL) $(top_srcdir)/depcomp
 am__depfiles_maybe = depfiles
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
 SOURCES = $(scepclient_SOURCES)
 DIST_SOURCES = $(scepclient_SOURCES)
 am__can_run_installinfo = \
@@ -133,6 +149,7 @@ DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
@@ -145,6 +162,8 @@ CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
 CHECK_CFLAGS = @CHECK_CFLAGS@
 CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -160,6 +179,7 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
 GPRBUILD = @GPRBUILD@
 GREP = @GREP@
@@ -168,6 +188,7 @@ INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -214,6 +235,7 @@ SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -242,6 +264,7 @@ charon_natt_port = @charon_natt_port@
 charon_plugins = @charon_plugins@
 charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
@@ -322,13 +345,11 @@ xml_LIBS = @xml_LIBS@
 scepclient_SOURCES = \
 scepclient.c scep.c scep.h
 
-INCLUDES = \
--I$(top_srcdir)/src/libstrongswan \
--I$(top_srcdir)/src/libhydra
-
-AM_CFLAGS = \
--DIPSEC_CONFDIR=\"${sysconfdir}\" \
--DPLUGINS=\""${scepclient_plugins}\""
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra \
+	-DIPSEC_CONFDIR=\"${sysconfdir}\" \
+	-DPLUGINS=\""${scepclient_plugins}\""
 
 scepclient_LDADD = \
 $(top_builddir)/src/libstrongswan/libstrongswan.la
@@ -416,7 +437,7 @@ clean-ipsecPROGRAMS:
 	rm -f $$list
 scepclient$(EXEEXT): $(scepclient_OBJECTS) $(scepclient_DEPENDENCIES) $(EXTRA_scepclient_DEPENDENCIES) 
 	@rm -f scepclient$(EXEEXT)
-	$(LINK) $(scepclient_OBJECTS) $(scepclient_LDADD) $(LIBS)
+	$(AM_V_CCLD)$(LINK) $(scepclient_OBJECTS) $(scepclient_LDADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -428,25 +449,25 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/scepclient.Po@am__quote@
 
 .c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
 mostlyclean-libtool:
 	-rm -f *.lo
diff --git a/src/scepclient/scep.c b/src/scepclient/scep.c
index 3fdcd6c28..5bb29bbd8 100644
--- a/src/scepclient/scep.c
+++ b/src/scepclient/scep.c
@@ -339,15 +339,22 @@ static char* escape_http_request(chunk_t req)
  * Send a SCEP request via HTTP and wait for a response
  */
 bool scep_http_request(const char *url, chunk_t msg, scep_op_t op,
-					   bool http_get_request, u_int timeout, chunk_t *response)
+					   bool http_get_request, u_int timeout, char *src,
+					   chunk_t *response)
 {
 	int len;
 	status_t status;
 	char *complete_url = NULL;
+	host_t *srcip = NULL;
 
 	/* initialize response */
 	*response = chunk_empty;
 
+	if (src)
+	{
+		srcip = host_create_from_string(src, 0);
+	}
+
 	DBG2(DBG_APP, "sending scep request to '%s'", url);
 
 	if (op == SCEP_PKI_OPERATION)
@@ -371,6 +378,7 @@ bool scep_http_request(const char *url, chunk_t msg, scep_op_t op,
 										 FETCH_REQUEST_HEADER, "Pragma:",
 										 FETCH_REQUEST_HEADER, "Host:",
 										 FETCH_REQUEST_HEADER, "Accept:",
+										 FETCH_SOURCEIP, srcip,
 										 FETCH_END);
 		}
 		else /* HTTP_POST */
@@ -386,6 +394,7 @@ bool scep_http_request(const char *url, chunk_t msg, scep_op_t op,
 										 FETCH_REQUEST_DATA, msg,
 										 FETCH_REQUEST_TYPE, "",
 										 FETCH_REQUEST_HEADER, "Expect:",
+										 FETCH_SOURCEIP, srcip,
 										 FETCH_END);
 		}
 	}
@@ -412,9 +421,11 @@ bool scep_http_request(const char *url, chunk_t msg, scep_op_t op,
 		status = lib->fetcher->fetch(lib->fetcher, complete_url, response,
 									 FETCH_HTTP_VERSION_1_0,
 									 FETCH_TIMEOUT, timeout,
+									 FETCH_SOURCEIP, srcip,
 									 FETCH_END);
 	}
 
+	DESTROY_IF(srcip);
 	free(complete_url);
 	return (status == SUCCESS);
 }
diff --git a/src/scepclient/scep.h b/src/scepclient/scep.h
index ec8fa6515..4ef5eaf8e 100644
--- a/src/scepclient/scep.h
+++ b/src/scepclient/scep.h
@@ -78,8 +78,9 @@ chunk_t scep_build_request(chunk_t data, chunk_t transID, scep_msg_t msg,
 						certificate_t *enc_cert, encryption_algorithm_t enc_alg,
 						size_t key_size, certificate_t *signer_cert,
 						hash_algorithm_t digest_alg, private_key_t *private_key);
-bool scep_http_request(const char *url, chunk_t message, scep_op_t op,
-					   bool http_get_request, u_int timeout, chunk_t *response);
+bool scep_http_request(const char *url, chunk_t msg, scep_op_t op,
+					   bool http_get_request, u_int timeout, char *src,
+					   chunk_t *response);
 err_t scep_parse_response(chunk_t response, chunk_t transID,
 						  container_t **out, scep_attributes_t *attrs);
 
diff --git a/src/scepclient/scepclient.c b/src/scepclient/scepclient.c
index 26f210d12..1267370ba 100644
--- a/src/scepclient/scepclient.c
+++ b/src/scepclient/scepclient.c
@@ -116,6 +116,9 @@ bool pkcs11_keep_state = FALSE;
 /* by default HTTP fetch timeout is 30s */
 static u_int http_timeout = 30;
 
+/* address to bind for HTTP fetches */
+static char* http_bind = NULL;
+
 /* options read by optionsfrom */
 options_t *options;
 
@@ -348,6 +351,7 @@ static void usage(const char *message)
 		" --optionsfrom (-+) <filename>     reads additional options from given file\n"
 		" --force (-f)                      force existing file(s)\n"
 		" --httptimeout (-T)                timeout for HTTP operations (default: 30s)\n"
+		" --bind (-b)                       source address to bind for HTTP operations\n"
 		"\n"
 		"Options for key generation (pkcs1):\n"
 		" --keylength (-k) <bits>           key length for RSA key generation\n"
@@ -523,6 +527,7 @@ int main(int argc, char **argv)
 			{ "out", required_argument, NULL, 'o' },
 			{ "force", no_argument, NULL, 'f' },
 			{ "httptimeout", required_argument, NULL, 'T' },
+			{ "bind", required_argument, NULL, 'b' },
 			{ "keylength", required_argument, NULL, 'k' },
 			{ "dn", required_argument, NULL, 'd' },
 			{ "days", required_argument, NULL, 'D' },
@@ -675,6 +680,10 @@ int main(int argc, char **argv)
 				}
 				continue;
 
+			case 'b':       /* --bind */
+				http_bind = optarg;
+				continue;
+
 			case '+':       /* --optionsfrom <filename> */
 				if (!options->from(options, optarg, &argc, &argv, optind))
 				{
@@ -915,13 +924,12 @@ int main(int argc, char **argv)
 	init_log("scepclient");
 
 	/* load plugins, further infrastructure may need it */
-	if (!lib->plugins->load(lib->plugins, NULL,
+	if (!lib->plugins->load(lib->plugins,
 			lib->settings->get_str(lib->settings, "scepclient.load", PLUGINS)))
 	{
 		exit_scepclient("plugin loading failed");
 	}
-	DBG1(DBG_APP, "  loaded plugins: %s",
-		 lib->plugins->loaded_plugins(lib->plugins));
+	lib->plugins->status(lib->plugins, LEVEL_DIAG);
 
 	if ((filetype_out == 0) && (!request_ca_certificate))
 	{
@@ -953,7 +961,7 @@ int main(int argc, char **argv)
 
 		if (!scep_http_request(scep_url, chunk_create(ca_name, strlen(ca_name)),
 							   SCEP_GET_CA_CERT, http_get_request,
-							   http_timeout, &scep_response))
+							   http_timeout, http_bind, &scep_response))
 		{
 			exit_scepclient("did not receive a valid scep response");
 		}
@@ -1331,7 +1339,7 @@ int main(int argc, char **argv)
 		creds->add_cert(creds, TRUE, x509_ca_sig->get_ref(x509_ca_sig));
 
 		if (!scep_http_request(scep_url, pkcs7, SCEP_PKI_OPERATION,
-							   http_get_request, http_timeout, &scep_response))
+					http_get_request, http_timeout, http_bind, &scep_response))
 		{
 			exit_scepclient("did not receive a valid scep response");
 		}
@@ -1381,7 +1389,7 @@ int main(int argc, char **argv)
 				exit_scepclient("failed to build scep request");
 			}
 			if (!scep_http_request(scep_url, getCertInitial, SCEP_PKI_OPERATION,
-							http_get_request, http_timeout, &scep_response))
+					http_get_request, http_timeout, http_bind, &scep_response))
 			{
 				exit_scepclient("did not receive a valid scep response");
 			}
diff --git a/src/starter/Makefile.am b/src/starter/Makefile.am
index c220c2e63..48110dd02 100644
--- a/src/starter/Makefile.am
+++ b/src/starter/Makefile.am
@@ -6,21 +6,20 @@ starterstroke.h confread.h args.c \
 keywords.c files.h keywords.h cmp.c starter.c cmp.h invokecharon.c \
 invokecharon.h klips.c klips.h
 
-INCLUDES = \
--I${linux_headers} \
--I$(top_srcdir)/src/libstrongswan \
--I$(top_srcdir)/src/libhydra \
--I$(top_srcdir)/src/stroke
-
-AM_CFLAGS = \
--DIPSEC_DIR=\"${ipsecdir}\" \
--DIPSEC_CONFDIR=\"${sysconfdir}\" \
--DIPSEC_PIDDIR=\"${piddir}\" \
--DIPSEC_EAPDIR=\"${eapdir}\" \
--DDEV_RANDOM=\"${random_device}\" \
--DDEV_URANDOM=\"${urandom_device}\" \
--DPLUGINS=\""${starter_plugins}\"" \
--DDEBUG
+AM_CPPFLAGS = \
+	-I${linux_headers} \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/stroke \
+	-DIPSEC_DIR=\"${ipsecdir}\" \
+	-DIPSEC_CONFDIR=\"${sysconfdir}\" \
+	-DIPSEC_PIDDIR=\"${piddir}\" \
+	-DIPSEC_EAPDIR=\"${eapdir}\" \
+	-DIPSEC_SCRIPT=\"${ipsec_script}\" \
+	-DDEV_RANDOM=\"${random_device}\" \
+	-DDEV_URANDOM=\"${urandom_device}\" \
+	-DPLUGINS=\""${starter_plugins}\"" \
+	-DDEBUG
 
 AM_YFLAGS = -v -d
 
@@ -30,18 +29,19 @@ MAINTAINERCLEANFILES = keywords.c
 BUILT_SOURCES = parser.h
 
 if USE_CHARON
-  AM_CFLAGS += -DSTART_CHARON
+  AM_CPPFLAGS += -DSTART_CHARON
 endif
 
 if USE_LOAD_WARNING
-  AM_CFLAGS += -DLOAD_WARNING
+  AM_CPPFLAGS += -DLOAD_WARNING
 endif
 
 if USE_TOOLS
-  AM_CFLAGS += -DGENERATE_SELFCERT
+  AM_CPPFLAGS += -DGENERATE_SELFCERT
 endif
 
 keywords.c:	$(srcdir)/keywords.txt $(srcdir)/keywords.h
+		$(AM_V_GEN) \
 		$(GPERF) -m 10 -C -G -D -t < $(srcdir)/keywords.txt > $@
 
 install-exec-local :
@@ -55,4 +55,3 @@ install-exec-local :
 		test -e "$(DESTDIR)${sysconfdir}/ipsec.d/reqs" || $(INSTALL) -d "$(DESTDIR)$(sysconfdir)/ipsec.d/reqs" || true
 		test -e "$(DESTDIR)${sysconfdir}/ipsec.d/private" || $(INSTALL) -d -m 750 "$(DESTDIR)$(sysconfdir)/ipsec.d/private" || true
 		test -e "$(DESTDIR)$(sysconfdir)/ipsec.conf" || $(INSTALL) -m 644 $(srcdir)/ipsec.conf $(DESTDIR)$(sysconfdir)/ipsec.conf || true
-
diff --git a/src/starter/Makefile.in b/src/starter/Makefile.in
index c50d4622b..4b09e5d8c 100644
--- a/src/starter/Makefile.in
+++ b/src/starter/Makefile.in
@@ -67,7 +67,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
@@ -86,26 +86,48 @@ starter_DEPENDENCIES =  \
 	$(top_builddir)/src/libstrongswan/libstrongswan.la \
 	$(top_builddir)/src/libhydra/libhydra.la $(am__DEPENDENCIES_1) \
 	$(am__DEPENDENCIES_1)
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
 DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
 depcomp = $(SHELL) $(top_srcdir)/depcomp
 am__depfiles_maybe = depfiles
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
 LEXCOMPILE = $(LEX) $(AM_LFLAGS) $(LFLAGS)
-LTLEXCOMPILE = $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(LEX) $(AM_LFLAGS) $(LFLAGS)
+LTLEXCOMPILE = $(LIBTOOL) $(AM_V_lt) $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(LEX) $(AM_LFLAGS) $(LFLAGS)
+AM_V_LEX = $(am__v_LEX_@AM_V@)
+am__v_LEX_ = $(am__v_LEX_@AM_DEFAULT_V@)
+am__v_LEX_0 = @echo "  LEX   " $@;
 YLWRAP = $(top_srcdir)/ylwrap
 YACCCOMPILE = $(YACC) $(AM_YFLAGS) $(YFLAGS)
-LTYACCCOMPILE = $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(YACC) $(AM_YFLAGS) $(YFLAGS)
+LTYACCCOMPILE = $(LIBTOOL) $(AM_V_lt) $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(YACC) $(AM_YFLAGS) $(YFLAGS)
+AM_V_YACC = $(am__v_YACC_@AM_V@)
+am__v_YACC_ = $(am__v_YACC_@AM_DEFAULT_V@)
+am__v_YACC_0 = @echo "  YACC  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
 SOURCES = $(starter_SOURCES)
 DIST_SOURCES = $(starter_SOURCES)
 am__can_run_installinfo = \
@@ -119,6 +141,7 @@ DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
@@ -131,6 +154,8 @@ CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
 CHECK_CFLAGS = @CHECK_CFLAGS@
 CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -146,6 +171,7 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
 GPRBUILD = @GPRBUILD@
 GREP = @GREP@
@@ -154,6 +180,7 @@ INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -200,6 +227,7 @@ SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -228,6 +256,7 @@ charon_natt_port = @charon_natt_port@
 charon_plugins = @charon_plugins@
 charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
@@ -312,15 +341,12 @@ starterstroke.h confread.h args.c \
 keywords.c files.h keywords.h cmp.c starter.c cmp.h invokecharon.c \
 invokecharon.h klips.c klips.h
 
-INCLUDES = \
--I${linux_headers} \
--I$(top_srcdir)/src/libstrongswan \
--I$(top_srcdir)/src/libhydra \
--I$(top_srcdir)/src/stroke
-
-AM_CFLAGS = -DIPSEC_DIR=\"${ipsecdir}\" \
-	-DIPSEC_CONFDIR=\"${sysconfdir}\" -DIPSEC_PIDDIR=\"${piddir}\" \
-	-DIPSEC_EAPDIR=\"${eapdir}\" -DDEV_RANDOM=\"${random_device}\" \
+AM_CPPFLAGS = -I${linux_headers} -I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra -I$(top_srcdir)/src/stroke \
+	-DIPSEC_DIR=\"${ipsecdir}\" -DIPSEC_CONFDIR=\"${sysconfdir}\" \
+	-DIPSEC_PIDDIR=\"${piddir}\" -DIPSEC_EAPDIR=\"${eapdir}\" \
+	-DIPSEC_SCRIPT=\"${ipsec_script}\" \
+	-DDEV_RANDOM=\"${random_device}\" \
 	-DDEV_URANDOM=\"${urandom_device}\" \
 	-DPLUGINS=\""${starter_plugins}\"" -DDEBUG $(am__append_1) \
 	$(am__append_2) $(am__append_3)
@@ -415,7 +441,7 @@ parser.h: parser.c
 	@if test ! -f $@; then $(MAKE) $(AM_MAKEFLAGS) parser.c; else :; fi
 starter$(EXEEXT): $(starter_OBJECTS) $(starter_DEPENDENCIES) $(EXTRA_starter_DEPENDENCIES) 
 	@rm -f starter$(EXEEXT)
-	$(LINK) $(starter_OBJECTS) $(starter_LDADD) $(LIBS)
+	$(AM_V_CCLD)$(LINK) $(starter_OBJECTS) $(starter_LDADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -436,31 +462,31 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/starterstroke.Po@am__quote@
 
 .c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
 .l.c:
-	$(am__skiplex) $(SHELL) $(YLWRAP) $< $(LEX_OUTPUT_ROOT).c $@ -- $(LEXCOMPILE)
+	$(AM_V_LEX)$(am__skiplex) $(SHELL) $(YLWRAP) $< $(LEX_OUTPUT_ROOT).c $@ -- $(LEXCOMPILE)
 
 .y.c:
-	$(am__skipyacc) $(SHELL) $(YLWRAP) $< y.tab.c $@ y.tab.h $*.h y.output $*.output -- $(YACCCOMPILE)
+	$(AM_V_YACC)$(am__skipyacc) $(SHELL) $(YLWRAP) $< y.tab.c $@ y.tab.h $*.h y.output $*.output -- $(YACCCOMPILE)
 
 mostlyclean-libtool:
 	-rm -f *.lo
@@ -683,6 +709,7 @@ uninstall-am: uninstall-ipsecPROGRAMS
 
 
 keywords.c:	$(srcdir)/keywords.txt $(srcdir)/keywords.h
+		$(AM_V_GEN) \
 		$(GPERF) -m 10 -C -G -D -t < $(srcdir)/keywords.txt > $@
 
 install-exec-local :
diff --git a/src/starter/confread.c b/src/starter/confread.c
index f0f05b036..2fb022692 100644
--- a/src/starter/confread.c
+++ b/src/starter/confread.c
@@ -38,7 +38,7 @@
 static const char ike_defaults[] = "aes128-sha1-modp2048,3des-sha1-modp1536";
 static const char esp_defaults[] = "aes128-sha1,3des-sha1";
 
-static const char firewall_defaults[] = "ipsec _updown iptables";
+static const char firewall_defaults[] = IPSEC_SCRIPT " _updown iptables";
 
 static bool daemon_exists(char *daemon, char *path)
 {
diff --git a/src/starter/keywords.c b/src/starter/keywords.c
index 3692c2cdd..20ec1501d 100644
--- a/src/starter/keywords.c
+++ b/src/starter/keywords.c
@@ -54,12 +54,12 @@ struct kw_entry {
     kw_token_t token;
 };
 
-#define TOTAL_KEYWORDS 136
+#define TOTAL_KEYWORDS 138
 #define MIN_WORD_LENGTH 3
 #define MAX_WORD_LENGTH 17
-#define MIN_HASH_VALUE 10
-#define MAX_HASH_VALUE 259
-/* maximum key range = 250, duplicates = 0 */
+#define MIN_HASH_VALUE 9
+#define MAX_HASH_VALUE 257
+/* maximum key range = 249, duplicates = 0 */
 
 #ifdef __GNUC__
 __inline
@@ -75,32 +75,32 @@ hash (str, len)
 {
   static const unsigned short asso_values[] =
     {
-      260, 260, 260, 260, 260, 260, 260, 260, 260, 260,
-      260, 260, 260, 260, 260, 260, 260, 260, 260, 260,
-      260, 260, 260, 260, 260, 260, 260, 260, 260, 260,
-      260, 260, 260, 260, 260, 260, 260, 260, 260, 260,
-      260, 260, 260, 260, 260, 260, 260, 260, 260,   8,
-       99, 260, 260, 260, 260, 260, 260, 260, 260, 260,
-      260, 260, 260, 260, 260, 260, 260, 260, 260, 260,
-      260, 260, 260, 260, 260, 260, 260, 260, 260, 260,
-      260, 260, 260, 260, 260, 260, 260, 260, 260, 260,
-      260, 260, 260, 260, 260,   4, 260,  11,   4,  80,
-       55,   6,   3,   2, 114,   2, 260, 114,  70,  33,
-       22,  81,  51,   7,  14,   2,   7, 122,   8, 260,
-      260,  43,   4, 260, 260, 260, 260, 260, 260, 260,
-      260, 260, 260, 260, 260, 260, 260, 260, 260, 260,
-      260, 260, 260, 260, 260, 260, 260, 260, 260, 260,
-      260, 260, 260, 260, 260, 260, 260, 260, 260, 260,
-      260, 260, 260, 260, 260, 260, 260, 260, 260, 260,
-      260, 260, 260, 260, 260, 260, 260, 260, 260, 260,
-      260, 260, 260, 260, 260, 260, 260, 260, 260, 260,
-      260, 260, 260, 260, 260, 260, 260, 260, 260, 260,
-      260, 260, 260, 260, 260, 260, 260, 260, 260, 260,
-      260, 260, 260, 260, 260, 260, 260, 260, 260, 260,
-      260, 260, 260, 260, 260, 260, 260, 260, 260, 260,
-      260, 260, 260, 260, 260, 260, 260, 260, 260, 260,
-      260, 260, 260, 260, 260, 260, 260, 260, 260, 260,
-      260, 260, 260, 260, 260, 260
+      258, 258, 258, 258, 258, 258, 258, 258, 258, 258,
+      258, 258, 258, 258, 258, 258, 258, 258, 258, 258,
+      258, 258, 258, 258, 258, 258, 258, 258, 258, 258,
+      258, 258, 258, 258, 258, 258, 258, 258, 258, 258,
+      258, 258, 258, 258, 258, 258, 258, 258, 258,  14,
+      129, 258, 258, 258, 258, 258, 258, 258, 258, 258,
+      258, 258, 258, 258, 258, 258, 258, 258, 258, 258,
+      258, 258, 258, 258, 258, 258, 258, 258, 258, 258,
+      258, 258, 258, 258, 258, 258, 258, 258, 258, 258,
+      258, 258, 258, 258, 258,   3, 258,  31,   1,  83,
+       50,   5,   4,   1,  60,   1, 258, 121,  62,   5,
+       33,  51,  41,   2,  22,   1,  25, 103,   1, 258,
+      258,   8,   2, 258, 258, 258, 258, 258, 258, 258,
+      258, 258, 258, 258, 258, 258, 258, 258, 258, 258,
+      258, 258, 258, 258, 258, 258, 258, 258, 258, 258,
+      258, 258, 258, 258, 258, 258, 258, 258, 258, 258,
+      258, 258, 258, 258, 258, 258, 258, 258, 258, 258,
+      258, 258, 258, 258, 258, 258, 258, 258, 258, 258,
+      258, 258, 258, 258, 258, 258, 258, 258, 258, 258,
+      258, 258, 258, 258, 258, 258, 258, 258, 258, 258,
+      258, 258, 258, 258, 258, 258, 258, 258, 258, 258,
+      258, 258, 258, 258, 258, 258, 258, 258, 258, 258,
+      258, 258, 258, 258, 258, 258, 258, 258, 258, 258,
+      258, 258, 258, 258, 258, 258, 258, 258, 258, 258,
+      258, 258, 258, 258, 258, 258, 258, 258, 258, 258,
+      258, 258, 258, 258, 258, 258
     };
   register int hval = len;
 
@@ -124,171 +124,173 @@ hash (str, len)
 static const struct kw_entry wordlist[] =
   {
     {"pfs",               KW_PFS_DEPRECATED},
-    {"right",             KW_RIGHT},
     {"rightgroups",       KW_RIGHTGROUPS},
-    {"left",              KW_LEFT},
-    {"lifetime",          KW_KEYLIFE},
     {"aggressive",        KW_AGGRESSIVE},
+    {"lifetime",          KW_KEYLIFE},
+    {"rightsigkey",       KW_RIGHTSIGKEY},
+    {"lifebytes",         KW_LIFEBYTES},
+    {"keyingtries",       KW_KEYINGTRIES},
+    {"leftsigkey",        KW_LEFTSIGKEY},
+    {"keylife",           KW_KEYLIFE},
+    {"leftrsasigkey",     KW_LEFTSIGKEY},
+    {"right",             KW_RIGHT},
+    {"leftcertpolicy",    KW_LEFTCERTPOLICY},
+    {"left",              KW_LEFT},
     {"rightsubnet",       KW_RIGHTSUBNET},
     {"rightikeport",      KW_RIGHTIKEPORT},
     {"rightsendcert",     KW_RIGHTSENDCERT},
-    {"lifepackets",       KW_LIFEPACKETS},
-    {"leftcert",          KW_LEFTCERT},
-    {"leftsendcert",      KW_LEFTSENDCERT},
     {"leftgroups",        KW_LEFTGROUPS},
-    {"leftca",            KW_LEFTCA},
-    {"keep_alive",        KW_SETUP_DEPRECATED},
-    {"leftdns",           KW_LEFTDNS},
+    {"rightrsasigkey",    KW_RIGHTSIGKEY},
+    {"leftcert",          KW_LEFTCERT},
+    {"lifepackets",       KW_LIFEPACKETS},
     {"uniqueids",         KW_UNIQUEIDS},
-    {"leftprotoport",     KW_LEFTPROTOPORT},
-    {"interfaces",        KW_SETUP_DEPRECATED},
+    {"leftdns",           KW_LEFTDNS},
+    {"leftsendcert",      KW_LEFTSENDCERT},
     {"rightsubnetwithin", KW_RIGHTSUBNET},
-    {"virtual_private",   KW_SETUP_DEPRECATED},
-    {"certuribase",       KW_CERTURIBASE},
-    {"mark_in",           KW_MARK_IN},
-    {"lifebytes",         KW_LIFEBYTES},
-    {"marginbytes",       KW_MARGINBYTES},
-    {"marginpackets",     KW_MARGINPACKETS},
-    {"margintime",        KW_REKEYMARGIN},
-    {"keyingtries",       KW_KEYINGTRIES},
-    {"keylife",           KW_KEYLIFE},
-    {"fragmentation",     KW_FRAGMENTATION},
-    {"leftrsasigkey",     KW_LEFTRSASIGKEY},
+    {"rightallowany",     KW_RIGHTALLOWANY},
+    {"keep_alive",        KW_SETUP_DEPRECATED},
+    {"rightsourceip",     KW_RIGHTSOURCEIP},
+    {"type",              KW_TYPE},
     {"rightid",           KW_RIGHTID},
     {"rightdns",          KW_RIGHTDNS},
-    {"rightsourceip",     KW_RIGHTSOURCEIP},
-    {"rightallowany",     KW_RIGHTALLOWANY},
-    {"leftcertpolicy",    KW_LEFTCERTPOLICY},
     {"reqid",             KW_REQID},
-    {"rightrsasigkey",    KW_RIGHTRSASIGKEY},
-    {"rightprotoport",    KW_RIGHTPROTOPORT},
+    {"certuribase",       KW_CERTURIBASE},
     {"leftnexthop",       KW_LEFT_DEPRECATED},
+    {"mobike",	           KW_MOBIKE},
+    {"leftprotoport",     KW_LEFTPROTOPORT},
+    {"compress",          KW_COMPRESS},
     {"me_peerid",         KW_ME_PEERID},
-    {"strictcrlpolicy",   KW_STRICTCRLPOLICY},
-    {"inactivity",        KW_INACTIVITY},
-    {"rightnexthop",      KW_RIGHT_DEPRECATED},
+    {"interfaces",        KW_SETUP_DEPRECATED},
+    {"virtual_private",   KW_SETUP_DEPRECATED},
+    {"lefthostaccess",    KW_LEFTHOSTACCESS},
+    {"leftca",            KW_LEFTCA},
+    {"righthostaccess",   KW_RIGHTHOSTACCESS},
     {"rightfirewall",     KW_RIGHTFIREWALL},
-    {"ldapbase",          KW_CA_DEPRECATED},
-    {"leftupdown",        KW_LEFTUPDOWN},
+    {"rightprotoport",    KW_RIGHTPROTOPORT},
+    {"inactivity",        KW_INACTIVITY},
     {"leftfirewall",      KW_LEFTFIREWALL},
-    {"crluri",            KW_CRLURI},
-    {"mediation",         KW_MEDIATION},
-    {"rightcert",         KW_RIGHTCERT},
-    {"crluri1",           KW_CRLURI},
-    {"rightca",           KW_RIGHTCA},
-    {"mobike",	           KW_MOBIKE},
-    {"type",              KW_TYPE},
-    {"ocspuri",           KW_OCSPURI},
-    {"lefthostaccess",    KW_LEFTHOSTACCESS},
     {"esp",               KW_ESP},
-    {"cacert",            KW_CACERT},
-    {"ocspuri1",          KW_OCSPURI},
-    {"rightid2",          KW_RIGHTID2},
+    {"rightnexthop",      KW_RIGHT_DEPRECATED},
     {"forceencaps",       KW_FORCEENCAPS},
-    {"nat_traversal",     KW_SETUP_DEPRECATED},
-    {"eap",               KW_CONN_DEPRECATED},
-    {"rightgroups2",      KW_RIGHTGROUPS2},
-    {"packetdefault",     KW_SETUP_DEPRECATED},
+    {"leftallowany",      KW_LEFTALLOWANY},
+    {"crluri",            KW_CRLURI},
+    {"leftupdown",        KW_LEFTUPDOWN},
+    {"mark_in",           KW_MARK_IN},
+    {"strictcrlpolicy",   KW_STRICTCRLPOLICY},
     {"force_keepalive",   KW_SETUP_DEPRECATED},
-    {"mark_out",          KW_MARK_OUT},
+    {"marginbytes",       KW_MARGINBYTES},
     {"mediated_by",       KW_MEDIATED_BY},
-    {"leftcert2",         KW_LEFTCERT2},
-    {"rightauth2",        KW_RIGHTAUTH2},
-    {"leftid",            KW_LEFTID},
-    {"leftca2",           KW_LEFTCA2},
-    {"ike",               KW_IKE},
-    {"compress",          KW_COMPRESS},
-    {"aaa_identity",      KW_AAA_IDENTITY},
-    {"leftgroups2",       KW_LEFTGROUPS2},
-    {"leftallowany",      KW_LEFTALLOWANY},
-    {"righthostaccess",   KW_RIGHTHOSTACCESS},
-    {"rekeyfuzz",         KW_REKEYFUZZ},
+    {"marginpackets",     KW_MARGINPACKETS},
+    {"margintime",        KW_REKEYMARGIN},
     {"rightauth",         KW_RIGHTAUTH},
-    {"klipsdebug",        KW_SETUP_DEPRECATED},
-    {"ikelifetime",       KW_IKELIFETIME},
-    {"leftikeport",       KW_LEFTIKEPORT},
-    {"rightcertpolicy",   KW_RIGHTCERTPOLICY},
-    {"mark",              KW_MARK},
-    {"dpdaction",         KW_DPDACTION},
+    {"fragmentation",     KW_FRAGMENTATION},
     {"pfsgroup",          KW_PFS_DEPRECATED},
-    {"keyexchange",       KW_KEYEXCHANGE},
+    {"crluri1",           KW_CRLURI},
+    {"rightcertpolicy",   KW_RIGHTCERTPOLICY},
     {"hidetos",           KW_SETUP_DEPRECATED},
-    {"leftsubnet",        KW_LEFTSUBNET},
-    {"overridemtu",       KW_SETUP_DEPRECATED},
-    {"installpolicy",     KW_INSTALLPOLICY},
+    {"keyexchange",       KW_KEYEXCHANGE},
     {"leftsourceip",      KW_LEFTSOURCEIP},
-    {"dpdtimeout",        KW_DPDTIMEOUT},
+    {"ocspuri",           KW_OCSPURI},
+    {"leftid",            KW_LEFTID},
+    {"eap",               KW_CONN_DEPRECATED},
+    {"installpolicy",     KW_INSTALLPOLICY},
     {"also",              KW_ALSO},
-    {"rightupdown",       KW_RIGHTUPDOWN},
+    {"rightcert",         KW_RIGHTCERT},
+    {"overridemtu",       KW_SETUP_DEPRECATED},
+    {"mediation",         KW_MEDIATION},
+    {"rightca",           KW_RIGHTCA},
+    {"klipsdebug",        KW_SETUP_DEPRECATED},
+    {"ldapbase",          KW_CA_DEPRECATED},
+    {"ocspuri1",          KW_OCSPURI},
+    {"dpdtimeout",        KW_DPDTIMEOUT},
+    {"aaa_identity",      KW_AAA_IDENTITY},
+    {"ike",               KW_IKE},
     {"charondebug",       KW_CHARONDEBUG},
-    {"ldaphost",          KW_CA_DEPRECATED},
-    {"fragicmp",          KW_SETUP_DEPRECATED},
-    {"charonstart",       KW_SETUP_DEPRECATED},
-    {"tfc",               KW_TFC},
+    {"mark_out",          KW_MARK_OUT},
+    {"dumpdir",           KW_SETUP_DEPRECATED},
     {"rekey",             KW_REKEY},
-    {"leftsubnetwithin",  KW_LEFTSUBNET},
-    {"leftid2",           KW_LEFTID2},
+    {"rightid2",          KW_RIGHTID2},
+    {"rekeyfuzz",         KW_REKEYFUZZ},
     {"eap_identity",      KW_EAP_IDENTITY},
+    {"rightgroups2",      KW_RIGHTGROUPS2},
+    {"ikelifetime",       KW_IKELIFETIME},
+    {"leftsubnet",        KW_LEFTSUBNET},
+    {"rightupdown",       KW_RIGHTUPDOWN},
+    {"authby",            KW_AUTHBY},
+    {"leftcert2",         KW_LEFTCERT2},
+    {"nat_traversal",     KW_SETUP_DEPRECATED},
+    {"dpdaction",         KW_DPDACTION},
+    {"xauth_identity",    KW_XAUTH_IDENTITY},
+    {"charonstart",       KW_SETUP_DEPRECATED},
+    {"leftsubnetwithin",  KW_LEFTSUBNET},
+    {"reauth",            KW_REAUTH},
+    {"modeconfig",        KW_MODECONFIG},
+    {"ldaphost",          KW_CA_DEPRECATED},
+    {"leftikeport",       KW_LEFTIKEPORT},
     {"crlcheckinterval",  KW_SETUP_DEPRECATED},
-    {"dumpdir",           KW_SETUP_DEPRECATED},
-    {"cachecrls",         KW_CACHECRLS},
+    {"dpddelay",          KW_DPDDELAY},
+    {"cacert",            KW_CACERT},
+    {"leftgroups2",       KW_LEFTGROUPS2},
+    {"rightauth2",        KW_RIGHTAUTH2},
+    {"tfc",               KW_TFC},
+    {"postpluto",         KW_SETUP_DEPRECATED},
     {"rekeymargin",       KW_REKEYMARGIN},
-    {"rightca2",          KW_RIGHTCA2},
-    {"crluri2",           KW_CRLURI2},
-    {"rightcert2",        KW_RIGHTCERT2},
-    {"xauth_identity",    KW_XAUTH_IDENTITY},
-    {"closeaction",       KW_CLOSEACTION},
-    {"ocspuri2",          KW_OCSPURI2},
+    {"leftca2",           KW_LEFTCA2},
+    {"packetdefault",     KW_SETUP_DEPRECATED},
+    {"mark",              KW_MARK},
+    {"leftauth",          KW_LEFTAUTH},
     {"plutostderrlog",    KW_SETUP_DEPRECATED},
-    {"plutostart",        KW_SETUP_DEPRECATED},
     {"auto",              KW_AUTO},
-    {"pkcs11initargs",    KW_PKCS11_DEPRECATED},
-    {"pkcs11module",      KW_PKCS11_DEPRECATED},
-    {"authby",            KW_AUTHBY},
-    {"pkcs11keepstate",   KW_PKCS11_DEPRECATED},
-    {"dpddelay",          KW_DPDDELAY},
-    {"modeconfig",        KW_MODECONFIG},
-    {"nocrsend",          KW_SETUP_DEPRECATED},
+    {"fragicmp",          KW_SETUP_DEPRECATED},
+    {"closeaction",       KW_CLOSEACTION},
     {"prepluto",          KW_SETUP_DEPRECATED},
-    {"leftauth2",         KW_LEFTAUTH2},
-    {"postpluto",         KW_SETUP_DEPRECATED},
     {"auth",              KW_AUTH},
-    {"reauth",            KW_REAUTH},
+    {"leftid2",           KW_LEFTID2},
+    {"nocrsend",          KW_SETUP_DEPRECATED},
     {"xauth",             KW_XAUTH},
-    {"leftauth",          KW_LEFTAUTH},
+    {"plutostart",        KW_SETUP_DEPRECATED},
+    {"cachecrls",         KW_CACHECRLS},
+    {"crluri2",           KW_CRLURI2},
+    {"rightca2",          KW_RIGHTCA2},
+    {"rightcert2",        KW_RIGHTCERT2},
+    {"plutodebug",        KW_SETUP_DEPRECATED},
+    {"pkcs11initargs",    KW_PKCS11_DEPRECATED},
+    {"pkcs11module",      KW_PKCS11_DEPRECATED},
     {"pkcs11proxy",       KW_PKCS11_DEPRECATED},
-    {"ikedscp",           KW_IKEDSCP,},
-    {"plutodebug",        KW_SETUP_DEPRECATED}
+    {"pkcs11keepstate",   KW_PKCS11_DEPRECATED},
+    {"ocspuri2",          KW_OCSPURI2},
+    {"leftauth2",         KW_LEFTAUTH2},
+    {"ikedscp",           KW_IKEDSCP,}
   };
 
 static const short lookup[] =
   {
+     -1,  -1,  -1,  -1,  -1,  -1,  -1,  -1,  -1,   0,
+     -1,  -1,  -1,  -1,  -1,   1,  -1,  -1,   2,   3,
+     -1,  -1,   4,   5,  -1,  -1,   6,  -1,   7,   8,
+     -1,   9,  10,  -1,  -1,  -1,  11,  -1,  12,  13,
+     14,  15,  16,  -1,  -1,  -1,  17,  18,  19,  20,
+     21,  22,  -1,  23,  24,  -1,  25,  26,  27,  -1,
+     28,  29,  30,  -1,  -1,  31,  32,  -1,  33,  34,
+     35,  -1,  36,  37,  38,  39,  -1,  40,  41,  -1,
+     -1,  42,  43,  44,  45,  -1,  46,  -1,  47,  -1,
+     48,  49,  50,  51,  52,  53,  54,  -1,  55,  56,
+     57,  58,  59,  -1,  60,  61,  62,  -1,  63,  -1,
+     64,  -1,  65,  66,  67,  68,  69,  70,  71,  72,
+     -1,  73,  74,  75,  76,  77,  -1,  -1,  78,  -1,
+     -1,  79,  80,  -1,  81,  -1,  82,  83,  84,  85,
+     86,  87,  88,  -1,  89,  -1,  90,  91,  -1,  92,
+     93,  -1,  94,  95,  -1,  -1,  -1,  -1,  96,  97,
+     98,  99, 100, 101,  -1, 102, 103, 104,  -1, 105,
+    106, 107, 108, 109, 110, 111, 112, 113, 114,  -1,
+    115, 116,  -1, 117,  -1, 118,  -1,  -1, 119, 120,
+     -1,  -1, 121,  -1,  -1, 122,  -1, 123,  -1, 124,
+     -1, 125,  -1,  -1,  -1,  -1,  -1, 126,  -1,  -1,
      -1,  -1,  -1,  -1,  -1,  -1,  -1,  -1,  -1,  -1,
-      0,  -1,  -1,  -1,  -1,  -1,   1,  -1,  -1,   2,
-      3,   4,   5,  -1,   6,   7,   8,  -1,  -1,   9,
-     10,  -1,  -1,  -1,  11,  12,  -1,  13,  -1,  14,
-     15,  16,  -1,  17,  18,  19,  -1,  -1,  20,  -1,
-     -1,  21,  -1,  -1,  -1,  -1,  22,  -1,  -1,  23,
-     24,  -1,  25,  26,  27,  28,  29,  30,  31,  32,
-     33,  34,  35,  36,  -1,  37,  38,  39,  -1,  -1,
-     40,  -1,  -1,  -1,  -1,  -1,  41,  -1,  42,  43,
-     44,  45,  46,  47,  48,  -1,  -1,  -1,  -1,  49,
-     50,  51,  52,  53,  54,  55,  56,  57,  -1,  -1,
-     -1,  58,  59,  60,  61,  62,  63,  64,  65,  -1,
-     66,  67,  68,  69,  70,  71,  72,  -1,  -1,  73,
-     74,  -1,  75,  76,  77,  78,  79,  -1,  80,  81,
-     82,  83,  84,  85,  86,  87,  88,  89,  90,  91,
-     92,  -1,  -1,  93,  -1,  -1,  94,  95,  -1,  96,
-     97,  -1,  98,  -1,  99, 100, 101,  -1, 102, 103,
-    104,  -1, 105,  -1,  -1,  -1, 106,  -1, 107,  -1,
-     -1,  -1, 108,  -1,  -1,  -1, 109,  -1,  -1,  -1,
-     -1, 110, 111, 112, 113, 114,  -1,  -1,  -1,  -1,
-     -1,  -1,  -1, 115,  -1,  -1,  -1,  -1,  -1,  -1,
-    116, 117,  -1,  -1, 118,  -1,  -1,  -1, 119,  -1,
-    120, 121,  -1, 122,  -1,  -1,  -1, 123,  -1, 124,
-    125, 126,  -1,  -1,  -1,  -1,  -1,  -1,  -1, 127,
-     -1,  -1,  -1, 128,  -1,  -1,  -1, 129,  -1,  -1,
-     -1, 130, 131, 132,  -1,  -1, 133,  -1, 134, 135
+     -1, 127, 128,  -1, 129,  -1, 130,  -1,  -1,  -1,
+     -1,  -1,  -1, 131,  -1, 132,  -1, 133, 134,  -1,
+     -1,  -1,  -1, 135,  -1,  -1,  -1,  -1,  -1,  -1,
+    136,  -1,  -1,  -1,  -1,  -1,  -1, 137
   };
 
 #ifdef __GNUC__
diff --git a/src/starter/keywords.h b/src/starter/keywords.h
index 4a96a418c..83ce4a7dd 100644
--- a/src/starter/keywords.h
+++ b/src/starter/keywords.h
@@ -108,7 +108,7 @@ typedef enum {
 	KW_AUTH2,
 	KW_ID,
 	KW_ID2,
-	KW_RSASIGKEY,
+	KW_SIGKEY,
 	KW_CERT,
 	KW_CERT2,
 	KW_CERTPOLICY,
@@ -137,7 +137,7 @@ typedef enum {
 	KW_LEFTAUTH2,
 	KW_LEFTID,
 	KW_LEFTID2,
-	KW_LEFTRSASIGKEY,
+	KW_LEFTSIGKEY,
 	KW_LEFTCERT,
 	KW_LEFTCERT2,
 	KW_LEFTCERTPOLICY,
@@ -166,7 +166,7 @@ typedef enum {
 	KW_RIGHTAUTH2,
 	KW_RIGHTID,
 	KW_RIGHTID2,
-	KW_RIGHTRSASIGKEY,
+	KW_RIGHTSIGKEY,
 	KW_RIGHTCERT,
 	KW_RIGHTCERT2,
 	KW_RIGHTCERTPOLICY,
diff --git a/src/starter/keywords.txt b/src/starter/keywords.txt
index cd964b0e3..20d35ded0 100644
--- a/src/starter/keywords.txt
+++ b/src/starter/keywords.txt
@@ -96,7 +96,8 @@ leftauth,          KW_LEFTAUTH
 leftauth2,         KW_LEFTAUTH2
 leftid,            KW_LEFTID
 leftid2,           KW_LEFTID2
-leftrsasigkey,     KW_LEFTRSASIGKEY
+leftsigkey,        KW_LEFTSIGKEY
+leftrsasigkey,     KW_LEFTSIGKEY
 leftcert,          KW_LEFTCERT
 leftcert2,         KW_LEFTCERT2
 leftcertpolicy,    KW_LEFTCERTPOLICY
@@ -120,7 +121,8 @@ rightauth,         KW_RIGHTAUTH
 rightauth2,        KW_RIGHTAUTH2
 rightid,           KW_RIGHTID
 rightid2,          KW_RIGHTID2
-rightrsasigkey,    KW_RIGHTRSASIGKEY
+rightsigkey,       KW_RIGHTSIGKEY
+rightrsasigkey,    KW_RIGHTSIGKEY
 rightcert,         KW_RIGHTCERT
 rightcert2,        KW_RIGHTCERT2
 rightcertpolicy,   KW_RIGHTCERTPOLICY
diff --git a/src/starter/netkey.c b/src/starter/netkey.c
index 921a220db..2b500bab4 100644
--- a/src/starter/netkey.c
+++ b/src/starter/netkey.c
@@ -58,7 +58,7 @@ bool starter_netkey_init(void)
 
 void starter_netkey_cleanup(void)
 {
-	if (!lib->plugins->load(lib->plugins, NULL,
+	if (!lib->plugins->load(lib->plugins,
 			lib->settings->get_str(lib->settings, "starter.load", PLUGINS)))
 	{
 		DBG1(DBG_APP, "unable to load kernel plugins");
diff --git a/src/starter/starter.c b/src/starter/starter.c
index 917e52d68..06eb142bd 100644
--- a/src/starter/starter.c
+++ b/src/starter/starter.c
@@ -61,6 +61,8 @@ char *cmd = NULL;
 char *pid_file = NULL;
 char *starter_pid_file = NULL;
 
+static char *config_file = NULL;
+
 /* logging */
 static bool log_to_stderr = TRUE;
 static bool log_to_syslog = TRUE;
@@ -291,11 +293,11 @@ static void generate_selfcert()
 			}
 		}
 #endif
-		setegid(gid);
-		seteuid(uid);
-		ignore_result(system("ipsec scepclient --out pkcs1 --out cert-self --quiet"));
-		seteuid(0);
-		setegid(0);
+		ignore_result(setegid(gid));
+		ignore_result(seteuid(uid));
+		ignore_result(system(IPSEC_SCRIPT " scepclient --out pkcs1 --out cert-self --quiet"));
+		ignore_result(seteuid(0));
+		ignore_result(setegid(0));
 
 		/* ipsec.secrets is root readable only */
 		oldmask = umask(0066);
@@ -393,7 +395,8 @@ static void usage(char *name)
 {
 	fprintf(stderr, "Usage: starter [--nofork] [--auto-update <sec>]\n"
 			"               [--debug|--debug-more|--debug-all|--nolog]\n"
-			"               [--attach-gdb] [--daemon <name>]\n");
+			"               [--attach-gdb] [--daemon <name>]\n"
+			"               [--conf <path to ipsec.conf>]\n");
 	exit(LSB_RC_INVALID_ARGUMENT);
 }
 
@@ -460,6 +463,10 @@ int main (int argc, char **argv)
 		{
 			daemon_name = argv[++i];
 		}
+		else if (streq(argv[i], "--conf") && i+1 < argc)
+		{
+			config_file = argv[++i];
+		}
 		else
 		{
 			usage(argv[0]);
@@ -471,6 +478,10 @@ int main (int argc, char **argv)
 		DBG1(DBG_APP, "unable to set daemon name");
 		exit(LSB_RC_FAILURE);
 	}
+	if (!config_file)
+	{
+		config_file = CONFIG_FILE;
+	}
 
 	init_log("ipsec_starter");
 
@@ -524,7 +535,7 @@ int main (int argc, char **argv)
 		exit(LSB_RC_FAILURE);
 	}
 
-	cfg = confread_load(CONFIG_FILE);
+	cfg = confread_load(config_file);
 	if (cfg == NULL || cfg->err > 0)
 	{
 		DBG1(DBG_APP, "unable to start strongSwan -- fatal errors in config");
@@ -706,7 +717,7 @@ int main (int argc, char **argv)
 		if (_action_ & FLAG_ACTION_UPDATE)
 		{
 			DBG2(DBG_APP, "Reloading config...");
-			new_cfg = confread_load(CONFIG_FILE);
+			new_cfg = confread_load(config_file);
 
 			if (new_cfg && (new_cfg->err == 0))
 			{
@@ -898,4 +909,3 @@ int main (int argc, char **argv)
 	}
 	exit(LSB_RC_SUCCESS);
 }
-
diff --git a/src/stroke/Makefile.am b/src/stroke/Makefile.am
index f93680b64..ed170bd08 100644
--- a/src/stroke/Makefile.am
+++ b/src/stroke/Makefile.am
@@ -4,11 +4,13 @@ stroke_SOURCES = \
 stroke.c stroke_msg.h stroke_keywords.c stroke_keywords.h
 
 stroke_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la $(SOCKLIB)
-INCLUDES = -I$(top_srcdir)/src/libstrongswan
 EXTRA_DIST = stroke_keywords.txt Android.mk
 BUILT_SOURCES = stroke_keywords.c
 MAINTAINERCLEANFILES = stroke_keywords.c
-AM_CFLAGS = -DIPSEC_PIDDIR=\"${piddir}\"
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-DIPSEC_PIDDIR=\"${piddir}\"
 
 stroke_keywords.c:	$(srcdir)/stroke_keywords.txt $(srcdir)/stroke_keywords.h
+		$(AM_V_GEN) \
 		$(GPERF) -m 10 -D -C -G -t < $(srcdir)/stroke_keywords.txt > $@
diff --git a/src/stroke/Makefile.in b/src/stroke/Makefile.in
index e73489058..21f9349cd 100644
--- a/src/stroke/Makefile.in
+++ b/src/stroke/Makefile.in
@@ -63,7 +63,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
@@ -78,19 +78,35 @@ am__DEPENDENCIES_1 =
 stroke_DEPENDENCIES =  \
 	$(top_builddir)/src/libstrongswan/libstrongswan.la \
 	$(am__DEPENDENCIES_1)
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
 DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
 depcomp = $(SHELL) $(top_srcdir)/depcomp
 am__depfiles_maybe = depfiles
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
 SOURCES = $(stroke_SOURCES)
 DIST_SOURCES = $(stroke_SOURCES)
 am__can_run_installinfo = \
@@ -104,6 +120,7 @@ DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
@@ -116,6 +133,8 @@ CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
 CHECK_CFLAGS = @CHECK_CFLAGS@
 CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -131,6 +150,7 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
 GPRBUILD = @GPRBUILD@
 GREP = @GREP@
@@ -139,6 +159,7 @@ INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -185,6 +206,7 @@ SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -213,6 +235,7 @@ charon_natt_port = @charon_natt_port@
 charon_plugins = @charon_plugins@
 charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
@@ -294,11 +317,13 @@ stroke_SOURCES = \
 stroke.c stroke_msg.h stroke_keywords.c stroke_keywords.h
 
 stroke_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la $(SOCKLIB)
-INCLUDES = -I$(top_srcdir)/src/libstrongswan
 EXTRA_DIST = stroke_keywords.txt Android.mk
 BUILT_SOURCES = stroke_keywords.c
 MAINTAINERCLEANFILES = stroke_keywords.c
-AM_CFLAGS = -DIPSEC_PIDDIR=\"${piddir}\"
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-DIPSEC_PIDDIR=\"${piddir}\"
+
 all: $(BUILT_SOURCES)
 	$(MAKE) $(AM_MAKEFLAGS) all-am
 
@@ -382,7 +407,7 @@ clean-ipsecPROGRAMS:
 	rm -f $$list
 stroke$(EXEEXT): $(stroke_OBJECTS) $(stroke_DEPENDENCIES) $(EXTRA_stroke_DEPENDENCIES) 
 	@rm -f stroke$(EXEEXT)
-	$(LINK) $(stroke_OBJECTS) $(stroke_LDADD) $(LIBS)
+	$(AM_V_CCLD)$(LINK) $(stroke_OBJECTS) $(stroke_LDADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -394,25 +419,25 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/stroke_keywords.Po@am__quote@
 
 .c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
 mostlyclean-libtool:
 	-rm -f *.lo
@@ -632,6 +657,7 @@ uninstall-am: uninstall-ipsecPROGRAMS
 
 
 stroke_keywords.c:	$(srcdir)/stroke_keywords.txt $(srcdir)/stroke_keywords.h
+		$(AM_V_GEN) \
 		$(GPERF) -m 10 -D -C -G -t < $(srcdir)/stroke_keywords.txt > $@
 
 # Tell versions [3.59,3.63) of GNU make to not export all variables.
diff --git a/src/stroke/stroke.c b/src/stroke/stroke.c
index 3273aedf2..75f014516 100644
--- a/src/stroke/stroke.c
+++ b/src/stroke/stroke.c
@@ -36,6 +36,8 @@ struct stroke_token {
     stroke_keyword_t kw;
 };
 
+static int output_verbosity = 1; /* CONTROL */
+
 static char* push_string(stroke_msg_t *msg, char *string)
 {
 	unsigned long string_start = msg->length;
@@ -61,7 +63,7 @@ static int send_stroke_msg (stroke_msg_t *msg)
 	ctl_addr.sun_family = AF_UNIX;
 	strcpy(ctl_addr.sun_path, STROKE_SOCKET);
 
-	msg->output_verbosity = 1; /* CONTROL */
+	msg->output_verbosity = output_verbosity;
 
 	sock = socket(AF_UNIX, SOCK_STREAM, 0);
 	if (sock < 0)
@@ -91,11 +93,11 @@ static int send_stroke_msg (stroke_msg_t *msg)
 
 		/* we prompt if we receive a magic keyword */
 		if ((byte_count >= 12 &&
-			 strcmp(buffer + byte_count - 12, "Passphrase:\n") == 0) ||
+			 streq(buffer + byte_count - 12, "Passphrase:\n")) ||
 			(byte_count >= 10 &&
-			 strcmp(buffer + byte_count - 10, "Password:\n") == 0) ||
+			 streq(buffer + byte_count - 10, "Password:\n")) ||
 			(byte_count >= 5 &&
-			 strcmp(buffer + byte_count - 5, "PIN:\n") == 0))
+			 streq(buffer + byte_count - 5, "PIN:\n")))
 		{
 			/* remove trailing newline */
 			pass = strrchr(buffer, '\n');
@@ -321,6 +323,8 @@ static int purge(stroke_keyword_t kw)
 
 static int export_flags[] = {
 	EXPORT_X509,
+	EXPORT_CONN_CERT,
+	EXPORT_CONN_CHAIN,
 };
 
 static int export(stroke_keyword_t kw, char *selector)
@@ -413,9 +417,15 @@ static void exit_usage(char *error)
 	printf("  Initiate a connection:\n");
 	printf("    stroke up NAME\n");
 	printf("    where: NAME is a connection name added with \"stroke add\"\n");
+	printf("  Initiate a connection without blocking:\n");
+	printf("    stroke up-nb NAME\n");
+	printf("    where: NAME is a connection name added with \"stroke add\"\n");
 	printf("  Terminate a connection:\n");
 	printf("    stroke down NAME\n");
 	printf("    where: NAME is a connection name added with \"stroke add\"\n");
+	printf("  Terminate a connection without blocking:\n");
+	printf("    stroke down-nb NAME\n");
+	printf("    where: NAME is a connection name added with \"stroke add\"\n");
 	printf("  Terminate a connection by remote srcip:\n");
 	printf("    stroke down-srcip START [END]\n");
 	printf("    where: START and optional END define the clients source IP\n");
@@ -428,7 +438,7 @@ static void exit_usage(char *error)
 	printf("  Show extended status information:\n");
 	printf("    stroke statusall\n");
 	printf("  Show extended status information without blocking:\n");
-	printf("    stroke statusallnb\n");
+	printf("    stroke statusall-nb\n");
 	printf("  Show list of authority and attribute certificates:\n");
 	printf("    stroke listcacerts|listocspcerts|listaacerts|listacerts\n");
 	printf("  Show list of end entity certificates, ca info records  and crls:\n");
@@ -449,6 +459,8 @@ static void exit_usage(char *error)
 	printf("    stroke purgeike\n");
 	printf("  Export credentials to the console:\n");
 	printf("    stroke exportx509 DN\n");
+	printf("    stroke exportconncert connname\n");
+	printf("    stroke exportconnchain connname\n");
 	printf("  Show current memory usage:\n");
 	printf("    stroke memusage\n");
 	printf("  Show leases of a pool:\n");
@@ -503,6 +515,9 @@ int main(int argc, char *argv[])
 			}
 			res = del_connection(argv[2]);
 			break;
+		case STROKE_UP_NOBLK:
+			output_verbosity = -1;
+			/* fall-through */
 		case STROKE_UP:
 			if (argc < 3)
 			{
@@ -510,6 +525,9 @@ int main(int argc, char *argv[])
 			}
 			res = initiate_connection(argv[2]);
 			break;
+		case STROKE_DOWN_NOBLK:
+			output_verbosity = -1;
+			/* fall-through */
 		case STROKE_DOWN:
 			if (argc < 3)
 			{
@@ -569,7 +587,7 @@ int main(int argc, char *argv[])
 		case STROKE_LIST_ALGS:
 		case STROKE_LIST_PLUGINS:
 		case STROKE_LIST_ALL:
-			res = list(token->kw, argc > 2 && strcmp(argv[2], "--utc") == 0);
+			res = list(token->kw, argc > 2 && streq(argv[2], "--utc"));
 			break;
 		case STROKE_REREAD_SECRETS:
 		case STROKE_REREAD_CACERTS:
@@ -587,9 +605,11 @@ int main(int argc, char *argv[])
 			res = purge(token->kw);
 			break;
 		case STROKE_EXPORT_X509:
+		case STROKE_EXPORT_CONN_CERT:
+		case STROKE_EXPORT_CONN_CHAIN:
 			if (argc != 3)
 			{
-				exit_usage("\"exportx509\" needs a distinguished name");
+				exit_usage("\"export\" needs a name");
 			}
 			res = export(token->kw, argv[2]);
 			break;
diff --git a/src/stroke/stroke_keywords.c b/src/stroke/stroke_keywords.c
index 084df986d..ed0c4ceb4 100644
--- a/src/stroke/stroke_keywords.c
+++ b/src/stroke/stroke_keywords.c
@@ -54,12 +54,12 @@ struct stroke_token {
     stroke_keyword_t kw;
 };
 
-#define TOTAL_KEYWORDS 43
+#define TOTAL_KEYWORDS 48
 #define MIN_WORD_LENGTH 2
 #define MAX_WORD_LENGTH 15
-#define MIN_HASH_VALUE 4
-#define MAX_HASH_VALUE 50
-/* maximum key range = 47, duplicates = 0 */
+#define MIN_HASH_VALUE 3
+#define MAX_HASH_VALUE 59
+/* maximum key range = 57, duplicates = 0 */
 
 #ifdef __GNUC__
 __inline
@@ -75,32 +75,32 @@ hash (str, len)
 {
   static const unsigned char asso_values[] =
     {
-      51, 51, 51, 51, 51, 51, 51, 51, 51, 51,
-      51, 51, 51, 51, 51, 51, 51, 51, 51, 51,
-      51, 51, 51, 51, 51, 51, 51, 51, 51, 51,
-      51, 51, 51, 51, 51, 51, 51, 51, 51, 51,
-      51, 51, 51, 51, 51, 19, 51, 51, 51, 51,
-      51, 51, 51, 51, 51, 51, 51, 51, 51, 51,
-      51, 51, 51, 51, 51, 51, 51, 51, 51, 51,
-      51, 51, 51, 51, 51, 51, 51, 51, 51, 51,
-      51, 51, 51, 51, 51, 51, 51, 51, 51, 51,
-      51, 51, 51, 51, 51, 51, 51,  1, 29,  2,
-       2, 16, 51, 21, 51, 11, 51, 16,  1,  1,
-      51, 18,  7, 51,  6, 12,  6, 11, 51, 51,
-       4, 13, 51, 51, 51, 51, 51, 51, 51, 51,
-      51, 51, 51, 51, 51, 51, 51, 51, 51, 51,
-      51, 51, 51, 51, 51, 51, 51, 51, 51, 51,
-      51, 51, 51, 51, 51, 51, 51, 51, 51, 51,
-      51, 51, 51, 51, 51, 51, 51, 51, 51, 51,
-      51, 51, 51, 51, 51, 51, 51, 51, 51, 51,
-      51, 51, 51, 51, 51, 51, 51, 51, 51, 51,
-      51, 51, 51, 51, 51, 51, 51, 51, 51, 51,
-      51, 51, 51, 51, 51, 51, 51, 51, 51, 51,
-      51, 51, 51, 51, 51, 51, 51, 51, 51, 51,
-      51, 51, 51, 51, 51, 51, 51, 51, 51, 51,
-      51, 51, 51, 51, 51, 51, 51, 51, 51, 51,
-      51, 51, 51, 51, 51, 51, 51, 51, 51, 51,
-      51, 51, 51, 51, 51, 51
+      60, 60, 60, 60, 60, 60, 60, 60, 60, 60,
+      60, 60, 60, 60, 60, 60, 60, 60, 60, 60,
+      60, 60, 60, 60, 60, 60, 60, 60, 60, 60,
+      60, 60, 60, 60, 60, 60, 60, 60, 60, 60,
+      60, 60, 60, 60, 60, 25, 60, 60, 60, 60,
+      60, 60, 60, 60, 60, 60, 60, 60, 60, 60,
+      60, 60, 60, 60, 60, 60, 60, 60, 60, 60,
+      60, 60, 60, 60, 60, 60, 60, 60, 60, 60,
+      60, 60, 60, 60, 60, 60, 60, 60, 60, 60,
+      60, 60, 60, 60, 60, 60, 60,  0, 18,  1,
+       1, 15, 60, 23, 60, 23, 60, 11,  0,  7,
+      60, 24, 14, 60,  6,  9, 16,  9, 60, 60,
+       2,  3, 60, 60, 60, 60, 60, 60, 60, 60,
+      60, 60, 60, 60, 60, 60, 60, 60, 60, 60,
+      60, 60, 60, 60, 60, 60, 60, 60, 60, 60,
+      60, 60, 60, 60, 60, 60, 60, 60, 60, 60,
+      60, 60, 60, 60, 60, 60, 60, 60, 60, 60,
+      60, 60, 60, 60, 60, 60, 60, 60, 60, 60,
+      60, 60, 60, 60, 60, 60, 60, 60, 60, 60,
+      60, 60, 60, 60, 60, 60, 60, 60, 60, 60,
+      60, 60, 60, 60, 60, 60, 60, 60, 60, 60,
+      60, 60, 60, 60, 60, 60, 60, 60, 60, 60,
+      60, 60, 60, 60, 60, 60, 60, 60, 60, 60,
+      60, 60, 60, 60, 60, 60, 60, 60, 60, 60,
+      60, 60, 60, 60, 60, 60, 60, 60, 60, 60,
+      60, 60, 60, 60, 60, 60
     };
   register int hval = len;
 
@@ -131,9 +131,9 @@ static const struct stroke_token wordlist[] =
     {"listall",         STROKE_LIST_ALL},
     {"listcrls",        STROKE_LIST_CRLS},
     {"up",              STROKE_UP},
-    {"delete",          STROKE_DELETE},
     {"listaacerts",     STROKE_LIST_AACERTS},
     {"listcacerts",     STROKE_LIST_CACERTS},
+    {"rekey",           STROKE_REKEY},
     {"rereadall",       STROKE_REREAD_ALL},
     {"listcerts",       STROKE_LIST_CERTS},
     {"rereadcrls",      STROKE_REREAD_CRLS},
@@ -141,41 +141,47 @@ static const struct stroke_token wordlist[] =
     {"rereadaacerts",   STROKE_REREAD_AACERTS},
     {"rereadcacerts",   STROKE_REREAD_CACERTS},
     {"leases",          STROKE_LEASES},
-    {"rekey",           STROKE_REKEY},
-    {"listcainfos",     STROKE_LIST_CAINFOS},
     {"listcounters",    STROKE_COUNTERS},
-    {"route",           STROKE_ROUTE},
-    {"listacerts",      STROKE_LIST_ACERTS},
+    {"delete",          STROKE_DELETE},
     {"status",          STROKE_STATUS},
-    {"listplugins",     STROKE_LIST_PLUGINS},
-    {"listalgs",        STROKE_LIST_ALGS},
-    {"rereadsecrets",   STROKE_REREAD_SECRETS},
+    {"listacerts",      STROKE_LIST_ACERTS},
+    {"route",           STROKE_ROUTE},
     {"statusall",       STROKE_STATUSALL},
-    {"purgeocsp",       STROKE_PURGE_OCSP},
+    {"rereadsecrets",   STROKE_REREAD_SECRETS},
     {"statusallnb",     STROKE_STATUSALL_NOBLK},
+    {"statusall-nb",    STROKE_STATUSALL_NOBLK},
+    {"listalgs",        STROKE_LIST_ALGS},
+    {"up-nb",           STROKE_UP_NOBLK},
     {"exportx509",      STROKE_EXPORT_X509},
+    {"listplugins",     STROKE_LIST_PLUGINS},
+    {"listcainfos",     STROKE_LIST_CAINFOS},
+    {"exportconncert",  STROKE_EXPORT_CONN_CERT},
+    {"exportconnchain", STROKE_EXPORT_CONN_CHAIN},
+    {"loglevel",        STROKE_LOGLEVEL},
+    {"purgeocsp",       STROKE_PURGE_OCSP},
+    {"unroute",         STROKE_UNROUTE},
+    {"listocsp",        STROKE_LIST_OCSP},
     {"down-srcip",      STROKE_DOWN_SRCIP},
+    {"listpubkeys",     STROKE_LIST_PUBKEYS},
     {"purgecrls",       STROKE_PURGE_CRLS},
-    {"listocsp",        STROKE_LIST_OCSP},
     {"rereadocspcerts", STROKE_REREAD_OCSPCERTS},
-    {"loglevel",        STROKE_LOGLEVEL},
-    {"memusage",        STROKE_MEMUSAGE},
-    {"resetcounters",   STROKE_COUNTERS_RESET},
     {"listocspcerts",   STROKE_LIST_OCSPCERTS},
-    {"unroute",         STROKE_UNROUTE},
-    {"user-creds",      STROKE_USER_CREDS},
+    {"memusage",        STROKE_MEMUSAGE},
     {"purgeike",        STROKE_PURGE_IKE},
-    {"listpubkeys",     STROKE_LIST_PUBKEYS},
+    {"user-creds",      STROKE_USER_CREDS},
+    {"down-nb",         STROKE_DOWN_NOBLK},
     {"purgecerts",      STROKE_PURGE_CERTS},
-    {"listgroups",      STROKE_LIST_GROUPS}
+    {"listgroups",      STROKE_LIST_GROUPS},
+    {"resetcounters",   STROKE_COUNTERS_RESET}
   };
 
 static const short lookup[] =
   {
-    -1, -1, -1, -1,  0,  1,  2, -1, -1, -1,  3, -1,  4,  5,
-     6,  7,  8,  9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19,
-    20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33,
-    34, 35, 36, 37, 38, 39, 40, 41, 42
+    -1, -1, -1,  0,  1,  2, -1,  3, -1,  4, -1,  5,  6,  7,
+     8,  9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21,
+    22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35,
+    36, 37, 38, 39, 40, 41, 42, -1, 43, 44, -1, -1, 45, -1,
+    -1, 46, -1, 47
   };
 
 #ifdef __GNUC__
diff --git a/src/stroke/stroke_keywords.h b/src/stroke/stroke_keywords.h
index f5979a0e5..4a1016277 100644
--- a/src/stroke/stroke_keywords.h
+++ b/src/stroke/stroke_keywords.h
@@ -23,7 +23,9 @@ typedef enum {
 	STROKE_ROUTE,
 	STROKE_UNROUTE,
 	STROKE_UP,
+	STROKE_UP_NOBLK,
 	STROKE_DOWN,
+	STROKE_DOWN_NOBLK,
 	STROKE_DOWN_SRCIP,
 	STROKE_REKEY,
 	STROKE_LOGLEVEL,
@@ -55,6 +57,8 @@ typedef enum {
 	STROKE_PURGE_CERTS,
 	STROKE_PURGE_IKE,
 	STROKE_EXPORT_X509,
+	STROKE_EXPORT_CONN_CERT,
+	STROKE_EXPORT_CONN_CHAIN,
 	STROKE_LEASES,
 	STROKE_MEMUSAGE,
 	STROKE_USER_CREDS,
diff --git a/src/stroke/stroke_keywords.txt b/src/stroke/stroke_keywords.txt
index 5d2ebd9e2..ceb0dd253 100644
--- a/src/stroke/stroke_keywords.txt
+++ b/src/stroke/stroke_keywords.txt
@@ -30,13 +30,16 @@ delete,          STROKE_DELETE
 route,           STROKE_ROUTE
 unroute,         STROKE_UNROUTE
 up,              STROKE_UP
+up-nb,           STROKE_UP_NOBLK
 down,            STROKE_DOWN
+down-nb,         STROKE_DOWN_NOBLK
 down-srcip,      STROKE_DOWN_SRCIP
 rekey,           STROKE_REKEY
 loglevel,        STROKE_LOGLEVEL
 status,          STROKE_STATUS
 statusall,       STROKE_STATUSALL
 statusallnb,     STROKE_STATUSALL_NOBLK
+statusall-nb,    STROKE_STATUSALL_NOBLK
 listpubkeys,     STROKE_LIST_PUBKEYS
 listcerts,       STROKE_LIST_CERTS
 listcacerts,     STROKE_LIST_CACERTS
@@ -62,6 +65,8 @@ purgecrls,       STROKE_PURGE_CRLS
 purgecerts,      STROKE_PURGE_CERTS
 purgeike,        STROKE_PURGE_IKE
 exportx509,      STROKE_EXPORT_X509
+exportconncert,  STROKE_EXPORT_CONN_CERT
+exportconnchain, STROKE_EXPORT_CONN_CHAIN
 leases,          STROKE_LEASES
 memusage,        STROKE_MEMUSAGE
 user-creds,      STROKE_USER_CREDS
diff --git a/src/stroke/stroke_msg.h b/src/stroke/stroke_msg.h
index 5cee916cd..a4dfc5e7a 100644
--- a/src/stroke/stroke_msg.h
+++ b/src/stroke/stroke_msg.h
@@ -123,6 +123,10 @@ typedef enum export_flag_t export_flag_t;
 enum export_flag_t {
 	/** export an X509 certificate */
 	EXPORT_X509 =		0x0001,
+	/** export an X509 end entity certificate for a connection */
+	EXPORT_CONN_CERT =	0x0002,
+	/** export the complete trust chain of a connection */
+	EXPORT_CONN_CHAIN =	0x0004,
 };
 
 /**
diff --git a/testing/Makefile.in b/testing/Makefile.in
index 1083ae45a..c1f3e6269 100644
--- a/testing/Makefile.in
+++ b/testing/Makefile.in
@@ -61,13 +61,19 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
 CONFIG_HEADER = $(top_builddir)/config.h
 CONFIG_CLEAN_FILES =
 CONFIG_CLEAN_VPATH_FILES =
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 SOURCES =
 DIST_SOURCES =
 am__can_run_installinfo = \
@@ -79,6 +85,7 @@ DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
@@ -91,6 +98,8 @@ CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
 CHECK_CFLAGS = @CHECK_CFLAGS@
 CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -106,6 +115,7 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
 GPRBUILD = @GPRBUILD@
 GREP = @GREP@
@@ -114,6 +124,7 @@ INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -160,6 +171,7 @@ SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -188,6 +200,7 @@ charon_natt_port = @charon_natt_port@
 charon_plugins = @charon_plugins@
 charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
diff --git a/testing/config/kernel/config-3.10 b/testing/config/kernel/config-3.10
new file mode 100644
index 000000000..9f0aa895b
--- /dev/null
+++ b/testing/config/kernel/config-3.10
@@ -0,0 +1,1952 @@
+#
+# Automatically generated file; DO NOT EDIT.
+# Linux/x86 3.10.0 Kernel Configuration
+#
+CONFIG_64BIT=y
+CONFIG_X86_64=y
+CONFIG_X86=y
+CONFIG_INSTRUCTION_DECODER=y
+CONFIG_OUTPUT_FORMAT="elf64-x86-64"
+CONFIG_ARCH_DEFCONFIG="arch/x86/configs/x86_64_defconfig"
+CONFIG_LOCKDEP_SUPPORT=y
+CONFIG_STACKTRACE_SUPPORT=y
+CONFIG_HAVE_LATENCYTOP_SUPPORT=y
+CONFIG_MMU=y
+CONFIG_NEED_DMA_MAP_STATE=y
+CONFIG_NEED_SG_DMA_LENGTH=y
+CONFIG_GENERIC_ISA_DMA=y
+CONFIG_GENERIC_BUG=y
+CONFIG_GENERIC_BUG_RELATIVE_POINTERS=y
+CONFIG_GENERIC_HWEIGHT=y
+CONFIG_ARCH_MAY_HAVE_PC_FDC=y
+CONFIG_RWSEM_XCHGADD_ALGORITHM=y
+CONFIG_GENERIC_CALIBRATE_DELAY=y
+CONFIG_ARCH_HAS_CPU_RELAX=y
+CONFIG_ARCH_HAS_CACHE_LINE_SIZE=y
+CONFIG_ARCH_HAS_CPU_AUTOPROBE=y
+CONFIG_HAVE_SETUP_PER_CPU_AREA=y
+CONFIG_NEED_PER_CPU_EMBED_FIRST_CHUNK=y
+CONFIG_NEED_PER_CPU_PAGE_FIRST_CHUNK=y
+CONFIG_ARCH_HIBERNATION_POSSIBLE=y
+CONFIG_ARCH_SUSPEND_POSSIBLE=y
+CONFIG_ZONE_DMA32=y
+CONFIG_AUDIT_ARCH=y
+CONFIG_ARCH_SUPPORTS_OPTIMIZED_INLINING=y
+CONFIG_ARCH_SUPPORTS_DEBUG_PAGEALLOC=y
+CONFIG_ARCH_HWEIGHT_CFLAGS="-fcall-saved-rdi -fcall-saved-rsi -fcall-saved-rdx -fcall-saved-rcx -fcall-saved-r8 -fcall-saved-r9 -fcall-saved-r10 -fcall-saved-r11"
+CONFIG_ARCH_SUPPORTS_UPROBES=y
+CONFIG_DEFCONFIG_LIST="/lib/modules/$UNAME_RELEASE/.config"
+CONFIG_IRQ_WORK=y
+CONFIG_BUILDTIME_EXTABLE_SORT=y
+
+#
+# General setup
+#
+CONFIG_BROKEN_ON_SMP=y
+CONFIG_INIT_ENV_ARG_LIMIT=32
+CONFIG_CROSS_COMPILE=""
+CONFIG_LOCALVERSION=""
+CONFIG_LOCALVERSION_AUTO=y
+CONFIG_HAVE_KERNEL_GZIP=y
+CONFIG_HAVE_KERNEL_BZIP2=y
+CONFIG_HAVE_KERNEL_LZMA=y
+CONFIG_HAVE_KERNEL_XZ=y
+CONFIG_HAVE_KERNEL_LZO=y
+CONFIG_KERNEL_GZIP=y
+# CONFIG_KERNEL_BZIP2 is not set
+# CONFIG_KERNEL_LZMA is not set
+# CONFIG_KERNEL_XZ is not set
+# CONFIG_KERNEL_LZO is not set
+CONFIG_DEFAULT_HOSTNAME="(none)"
+CONFIG_SWAP=y
+CONFIG_SYSVIPC=y
+CONFIG_SYSVIPC_SYSCTL=y
+CONFIG_POSIX_MQUEUE=y
+CONFIG_POSIX_MQUEUE_SYSCTL=y
+# CONFIG_FHANDLE is not set
+# CONFIG_AUDIT is not set
+CONFIG_HAVE_GENERIC_HARDIRQS=y
+
+#
+# IRQ subsystem
+#
+CONFIG_GENERIC_HARDIRQS=y
+CONFIG_GENERIC_IRQ_PROBE=y
+CONFIG_GENERIC_IRQ_SHOW=y
+CONFIG_IRQ_FORCED_THREADING=y
+CONFIG_SPARSE_IRQ=y
+CONFIG_CLOCKSOURCE_WATCHDOG=y
+CONFIG_ARCH_CLOCKSOURCE_DATA=y
+CONFIG_GENERIC_TIME_VSYSCALL=y
+CONFIG_GENERIC_CLOCKEVENTS=y
+CONFIG_GENERIC_CLOCKEVENTS_BUILD=y
+CONFIG_GENERIC_CLOCKEVENTS_BROADCAST=y
+CONFIG_GENERIC_CLOCKEVENTS_MIN_ADJUST=y
+CONFIG_GENERIC_CMOS_UPDATE=y
+
+#
+# Timers subsystem
+#
+CONFIG_TICK_ONESHOT=y
+CONFIG_NO_HZ_COMMON=y
+# CONFIG_HZ_PERIODIC is not set
+CONFIG_NO_HZ_IDLE=y
+CONFIG_NO_HZ=y
+CONFIG_HIGH_RES_TIMERS=y
+
+#
+# CPU/Task time and stats accounting
+#
+CONFIG_TICK_CPU_ACCOUNTING=y
+# CONFIG_VIRT_CPU_ACCOUNTING_GEN is not set
+# CONFIG_IRQ_TIME_ACCOUNTING is not set
+CONFIG_BSD_PROCESS_ACCT=y
+# CONFIG_BSD_PROCESS_ACCT_V3 is not set
+# CONFIG_TASKSTATS is not set
+
+#
+# RCU Subsystem
+#
+CONFIG_TINY_RCU=y
+# CONFIG_PREEMPT_RCU is not set
+# CONFIG_RCU_STALL_COMMON is not set
+# CONFIG_TREE_RCU_TRACE is not set
+CONFIG_IKCONFIG=y
+CONFIG_IKCONFIG_PROC=y
+CONFIG_LOG_BUF_SHIFT=14
+CONFIG_HAVE_UNSTABLE_SCHED_CLOCK=y
+CONFIG_ARCH_SUPPORTS_NUMA_BALANCING=y
+CONFIG_ARCH_WANTS_PROT_NUMA_PROT_NONE=y
+# CONFIG_CGROUPS is not set
+# CONFIG_CHECKPOINT_RESTORE is not set
+CONFIG_NAMESPACES=y
+# CONFIG_UTS_NS is not set
+# CONFIG_IPC_NS is not set
+# CONFIG_USER_NS is not set
+# CONFIG_PID_NS is not set
+# CONFIG_NET_NS is not set
+CONFIG_UIDGID_CONVERTED=y
+# CONFIG_UIDGID_STRICT_TYPE_CHECKS is not set
+# CONFIG_SCHED_AUTOGROUP is not set
+# CONFIG_SYSFS_DEPRECATED is not set
+# CONFIG_RELAY is not set
+# CONFIG_BLK_DEV_INITRD is not set
+CONFIG_CC_OPTIMIZE_FOR_SIZE=y
+CONFIG_SYSCTL=y
+CONFIG_ANON_INODES=y
+CONFIG_SYSCTL_EXCEPTION_TRACE=y
+CONFIG_HOTPLUG=y
+CONFIG_HAVE_PCSPKR_PLATFORM=y
+# CONFIG_EXPERT is not set
+# CONFIG_SYSCTL_SYSCALL is not set
+CONFIG_KALLSYMS=y
+# CONFIG_KALLSYMS_ALL is not set
+CONFIG_PRINTK=y
+CONFIG_BUG=y
+CONFIG_ELF_CORE=y
+CONFIG_PCSPKR_PLATFORM=y
+CONFIG_BASE_FULL=y
+CONFIG_FUTEX=y
+CONFIG_EPOLL=y
+CONFIG_SIGNALFD=y
+CONFIG_TIMERFD=y
+CONFIG_EVENTFD=y
+CONFIG_SHMEM=y
+CONFIG_AIO=y
+CONFIG_PCI_QUIRKS=y
+# CONFIG_EMBEDDED is not set
+CONFIG_HAVE_PERF_EVENTS=y
+
+#
+# Kernel Performance Events And Counters
+#
+CONFIG_PERF_EVENTS=y
+# CONFIG_DEBUG_PERF_USE_VMALLOC is not set
+CONFIG_VM_EVENT_COUNTERS=y
+CONFIG_COMPAT_BRK=y
+CONFIG_SLAB=y
+# CONFIG_SLUB is not set
+# CONFIG_PROFILING is not set
+CONFIG_HAVE_OPROFILE=y
+CONFIG_OPROFILE_NMI_TIMER=y
+# CONFIG_JUMP_LABEL is not set
+# CONFIG_HAVE_64BIT_ALIGNED_ACCESS is not set
+CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS=y
+CONFIG_ARCH_USE_BUILTIN_BSWAP=y
+CONFIG_HAVE_IOREMAP_PROT=y
+CONFIG_HAVE_KPROBES=y
+CONFIG_HAVE_KRETPROBES=y
+CONFIG_HAVE_OPTPROBES=y
+CONFIG_HAVE_KPROBES_ON_FTRACE=y
+CONFIG_HAVE_ARCH_TRACEHOOK=y
+CONFIG_HAVE_DMA_ATTRS=y
+CONFIG_GENERIC_SMP_IDLE_THREAD=y
+CONFIG_HAVE_REGS_AND_STACK_ACCESS_API=y
+CONFIG_HAVE_DMA_API_DEBUG=y
+CONFIG_HAVE_HW_BREAKPOINT=y
+CONFIG_HAVE_MIXED_BREAKPOINTS_REGS=y
+CONFIG_HAVE_USER_RETURN_NOTIFIER=y
+CONFIG_HAVE_PERF_EVENTS_NMI=y
+CONFIG_HAVE_PERF_REGS=y
+CONFIG_HAVE_PERF_USER_STACK_DUMP=y
+CONFIG_HAVE_ARCH_JUMP_LABEL=y
+CONFIG_ARCH_HAVE_NMI_SAFE_CMPXCHG=y
+CONFIG_HAVE_CMPXCHG_LOCAL=y
+CONFIG_HAVE_CMPXCHG_DOUBLE=y
+CONFIG_HAVE_ARCH_SECCOMP_FILTER=y
+CONFIG_SECCOMP_FILTER=y
+CONFIG_HAVE_CONTEXT_TRACKING=y
+CONFIG_HAVE_IRQ_TIME_ACCOUNTING=y
+CONFIG_HAVE_ARCH_TRANSPARENT_HUGEPAGE=y
+CONFIG_MODULES_USE_ELF_RELA=y
+
+#
+# GCOV-based kernel profiling
+#
+# CONFIG_HAVE_GENERIC_DMA_COHERENT is not set
+CONFIG_SLABINFO=y
+CONFIG_RT_MUTEXES=y
+CONFIG_BASE_SMALL=0
+# CONFIG_MODULES is not set
+CONFIG_BLOCK=y
+# CONFIG_BLK_DEV_BSG is not set
+# CONFIG_BLK_DEV_BSGLIB is not set
+# CONFIG_BLK_DEV_INTEGRITY is not set
+
+#
+# Partition Types
+#
+# CONFIG_PARTITION_ADVANCED is not set
+CONFIG_MSDOS_PARTITION=y
+CONFIG_EFI_PARTITION=y
+
+#
+# IO Schedulers
+#
+CONFIG_IOSCHED_NOOP=y
+CONFIG_IOSCHED_DEADLINE=y
+CONFIG_IOSCHED_CFQ=y
+# CONFIG_DEFAULT_DEADLINE is not set
+CONFIG_DEFAULT_CFQ=y
+# CONFIG_DEFAULT_NOOP is not set
+CONFIG_DEFAULT_IOSCHED="cfq"
+CONFIG_INLINE_SPIN_UNLOCK_IRQ=y
+CONFIG_INLINE_READ_UNLOCK=y
+CONFIG_INLINE_READ_UNLOCK_IRQ=y
+CONFIG_INLINE_WRITE_UNLOCK=y
+CONFIG_INLINE_WRITE_UNLOCK_IRQ=y
+CONFIG_FREEZER=y
+
+#
+# Processor type and features
+#
+CONFIG_ZONE_DMA=y
+# CONFIG_SMP is not set
+CONFIG_X86_MPPARSE=y
+CONFIG_X86_EXTENDED_PLATFORM=y
+# CONFIG_X86_INTEL_LPSS is not set
+CONFIG_SCHED_OMIT_FRAME_POINTER=y
+# CONFIG_HYPERVISOR_GUEST is not set
+CONFIG_NO_BOOTMEM=y
+# CONFIG_MEMTEST is not set
+# CONFIG_MK8 is not set
+# CONFIG_MPSC is not set
+CONFIG_MCORE2=y
+# CONFIG_MATOM is not set
+# CONFIG_GENERIC_CPU is not set
+CONFIG_X86_INTERNODE_CACHE_SHIFT=6
+CONFIG_X86_L1_CACHE_SHIFT=6
+CONFIG_X86_INTEL_USERCOPY=y
+CONFIG_X86_USE_PPRO_CHECKSUM=y
+CONFIG_X86_P6_NOP=y
+CONFIG_X86_TSC=y
+CONFIG_X86_CMPXCHG64=y
+CONFIG_X86_CMOV=y
+CONFIG_X86_MINIMUM_CPU_FAMILY=64
+CONFIG_X86_DEBUGCTLMSR=y
+CONFIG_CPU_SUP_INTEL=y
+CONFIG_CPU_SUP_AMD=y
+CONFIG_CPU_SUP_CENTAUR=y
+CONFIG_HPET_TIMER=y
+CONFIG_DMI=y
+CONFIG_GART_IOMMU=y
+# CONFIG_CALGARY_IOMMU is not set
+CONFIG_SWIOTLB=y
+CONFIG_IOMMU_HELPER=y
+CONFIG_NR_CPUS=1
+CONFIG_PREEMPT_NONE=y
+# CONFIG_PREEMPT_VOLUNTARY is not set
+# CONFIG_PREEMPT is not set
+CONFIG_X86_LOCAL_APIC=y
+CONFIG_X86_IO_APIC=y
+# CONFIG_X86_REROUTE_FOR_BROKEN_BOOT_IRQS is not set
+# CONFIG_X86_MCE is not set
+# CONFIG_I8K is not set
+# CONFIG_MICROCODE is not set
+# CONFIG_X86_MSR is not set
+# CONFIG_X86_CPUID is not set
+CONFIG_ARCH_PHYS_ADDR_T_64BIT=y
+CONFIG_ARCH_DMA_ADDR_T_64BIT=y
+CONFIG_DIRECT_GBPAGES=y
+CONFIG_ARCH_SPARSEMEM_ENABLE=y
+CONFIG_ARCH_SPARSEMEM_DEFAULT=y
+CONFIG_ARCH_SELECT_MEMORY_MODEL=y
+CONFIG_ARCH_MEMORY_PROBE=y
+CONFIG_ARCH_PROC_KCORE_TEXT=y
+CONFIG_ILLEGAL_POINTER_VALUE=0xdead000000000000
+CONFIG_SELECT_MEMORY_MODEL=y
+CONFIG_SPARSEMEM_MANUAL=y
+CONFIG_SPARSEMEM=y
+CONFIG_HAVE_MEMORY_PRESENT=y
+CONFIG_SPARSEMEM_EXTREME=y
+CONFIG_SPARSEMEM_VMEMMAP_ENABLE=y
+CONFIG_SPARSEMEM_ALLOC_MEM_MAP_TOGETHER=y
+CONFIG_SPARSEMEM_VMEMMAP=y
+CONFIG_HAVE_MEMBLOCK=y
+CONFIG_HAVE_MEMBLOCK_NODE_MAP=y
+CONFIG_ARCH_DISCARD_MEMBLOCK=y
+CONFIG_MEMORY_ISOLATION=y
+CONFIG_HAVE_BOOTMEM_INFO_NODE=y
+CONFIG_MEMORY_HOTPLUG=y
+CONFIG_MEMORY_HOTPLUG_SPARSE=y
+CONFIG_MEMORY_HOTREMOVE=y
+CONFIG_PAGEFLAGS_EXTENDED=y
+CONFIG_SPLIT_PTLOCK_CPUS=4
+# CONFIG_COMPACTION is not set
+CONFIG_MIGRATION=y
+CONFIG_PHYS_ADDR_T_64BIT=y
+CONFIG_ZONE_DMA_FLAG=1
+CONFIG_BOUNCE=y
+CONFIG_VIRT_TO_BUS=y
+# CONFIG_KSM is not set
+CONFIG_DEFAULT_MMAP_MIN_ADDR=4096
+# CONFIG_TRANSPARENT_HUGEPAGE is not set
+CONFIG_CROSS_MEMORY_ATTACH=y
+CONFIG_NEED_PER_CPU_KM=y
+# CONFIG_CLEANCACHE is not set
+# CONFIG_FRONTSWAP is not set
+# CONFIG_X86_CHECK_BIOS_CORRUPTION is not set
+CONFIG_X86_RESERVE_LOW=64
+CONFIG_MTRR=y
+CONFIG_MTRR_SANITIZER=y
+CONFIG_MTRR_SANITIZER_ENABLE_DEFAULT=0
+CONFIG_MTRR_SANITIZER_SPARE_REG_NR_DEFAULT=1
+CONFIG_X86_PAT=y
+CONFIG_ARCH_USES_PG_UNCACHED=y
+CONFIG_ARCH_RANDOM=y
+CONFIG_X86_SMAP=y
+# CONFIG_EFI is not set
+CONFIG_SECCOMP=y
+# CONFIG_CC_STACKPROTECTOR is not set
+# CONFIG_HZ_100 is not set
+CONFIG_HZ_250=y
+# CONFIG_HZ_300 is not set
+# CONFIG_HZ_1000 is not set
+CONFIG_HZ=250
+CONFIG_SCHED_HRTICK=y
+# CONFIG_KEXEC is not set
+# CONFIG_CRASH_DUMP is not set
+CONFIG_PHYSICAL_START=0x1000000
+CONFIG_RELOCATABLE=y
+CONFIG_PHYSICAL_ALIGN=0x1000000
+# CONFIG_CMDLINE_BOOL is not set
+CONFIG_ARCH_ENABLE_MEMORY_HOTPLUG=y
+CONFIG_ARCH_ENABLE_MEMORY_HOTREMOVE=y
+
+#
+# Power management and ACPI options
+#
+CONFIG_SUSPEND=y
+CONFIG_SUSPEND_FREEZER=y
+# CONFIG_HIBERNATION is not set
+CONFIG_PM_SLEEP=y
+# CONFIG_PM_AUTOSLEEP is not set
+# CONFIG_PM_WAKELOCKS is not set
+# CONFIG_PM_RUNTIME is not set
+CONFIG_PM=y
+# CONFIG_PM_DEBUG is not set
+CONFIG_ACPI=y
+CONFIG_ACPI_SLEEP=y
+# CONFIG_ACPI_PROCFS is not set
+# CONFIG_ACPI_PROCFS_POWER is not set
+# CONFIG_ACPI_EC_DEBUGFS is not set
+CONFIG_ACPI_PROC_EVENT=y
+CONFIG_ACPI_AC=y
+CONFIG_ACPI_BATTERY=y
+CONFIG_ACPI_BUTTON=y
+CONFIG_ACPI_FAN=y
+# CONFIG_ACPI_DOCK is not set
+CONFIG_ACPI_PROCESSOR=y
+# CONFIG_ACPI_PROCESSOR_AGGREGATOR is not set
+CONFIG_ACPI_THERMAL=y
+# CONFIG_ACPI_CUSTOM_DSDT is not set
+CONFIG_ACPI_BLACKLIST_YEAR=0
+# CONFIG_ACPI_DEBUG is not set
+# CONFIG_ACPI_PCI_SLOT is not set
+CONFIG_X86_PM_TIMER=y
+# CONFIG_ACPI_CONTAINER is not set
+# CONFIG_ACPI_HOTPLUG_MEMORY is not set
+# CONFIG_ACPI_SBS is not set
+# CONFIG_ACPI_HED is not set
+# CONFIG_ACPI_APEI is not set
+# CONFIG_SFI is not set
+
+#
+# CPU Frequency scaling
+#
+# CONFIG_CPU_FREQ is not set
+CONFIG_CPU_IDLE=y
+# CONFIG_CPU_IDLE_MULTIPLE_DRIVERS is not set
+CONFIG_CPU_IDLE_GOV_LADDER=y
+CONFIG_CPU_IDLE_GOV_MENU=y
+# CONFIG_ARCH_NEEDS_CPU_IDLE_COUPLED is not set
+# CONFIG_INTEL_IDLE is not set
+
+#
+# Memory power savings
+#
+# CONFIG_I7300_IDLE is not set
+
+#
+# Bus options (PCI etc.)
+#
+CONFIG_PCI=y
+CONFIG_PCI_DIRECT=y
+# CONFIG_PCI_MMCONFIG is not set
+CONFIG_PCI_DOMAINS=y
+# CONFIG_PCIEPORTBUS is not set
+CONFIG_ARCH_SUPPORTS_MSI=y
+CONFIG_PCI_MSI=y
+# CONFIG_PCI_DEBUG is not set
+# CONFIG_PCI_REALLOC_ENABLE_AUTO is not set
+# CONFIG_PCI_STUB is not set
+CONFIG_HT_IRQ=y
+# CONFIG_PCI_IOV is not set
+# CONFIG_PCI_PRI is not set
+# CONFIG_PCI_PASID is not set
+# CONFIG_PCI_IOAPIC is not set
+CONFIG_PCI_LABEL=y
+CONFIG_ISA_DMA_API=y
+CONFIG_AMD_NB=y
+# CONFIG_PCCARD is not set
+# CONFIG_HOTPLUG_PCI is not set
+# CONFIG_RAPIDIO is not set
+
+#
+# Executable file formats / Emulations
+#
+CONFIG_BINFMT_ELF=y
+CONFIG_ARCH_BINFMT_ELF_RANDOMIZE_PIE=y
+# CONFIG_CORE_DUMP_DEFAULT_ELF_HEADERS is not set
+CONFIG_BINFMT_SCRIPT=y
+# CONFIG_HAVE_AOUT is not set
+# CONFIG_BINFMT_MISC is not set
+CONFIG_COREDUMP=y
+# CONFIG_IA32_EMULATION is not set
+CONFIG_HAVE_TEXT_POKE_SMP=y
+CONFIG_X86_DEV_DMA_OPS=y
+CONFIG_NET=y
+
+#
+# Networking options
+#
+CONFIG_PACKET=y
+# CONFIG_PACKET_DIAG is not set
+CONFIG_UNIX=y
+# CONFIG_UNIX_DIAG is not set
+CONFIG_XFRM=y
+CONFIG_XFRM_ALGO=y
+CONFIG_XFRM_USER=y
+CONFIG_XFRM_SUB_POLICY=y
+CONFIG_XFRM_MIGRATE=y
+CONFIG_XFRM_STATISTICS=y
+CONFIG_XFRM_IPCOMP=y
+CONFIG_NET_KEY=y
+CONFIG_NET_KEY_MIGRATE=y
+CONFIG_INET=y
+# CONFIG_IP_MULTICAST is not set
+CONFIG_IP_ADVANCED_ROUTER=y
+# CONFIG_IP_FIB_TRIE_STATS is not set
+CONFIG_IP_MULTIPLE_TABLES=y
+# CONFIG_IP_ROUTE_MULTIPATH is not set
+# CONFIG_IP_ROUTE_VERBOSE is not set
+CONFIG_IP_ROUTE_CLASSID=y
+# CONFIG_IP_PNP is not set
+# CONFIG_NET_IPIP is not set
+# CONFIG_NET_IPGRE_DEMUX is not set
+CONFIG_NET_IP_TUNNEL=y
+# CONFIG_ARPD is not set
+# CONFIG_SYN_COOKIES is not set
+# CONFIG_NET_IPVTI is not set
+CONFIG_INET_AH=y
+CONFIG_INET_ESP=y
+CONFIG_INET_IPCOMP=y
+CONFIG_INET_XFRM_TUNNEL=y
+CONFIG_INET_TUNNEL=y
+CONFIG_INET_XFRM_MODE_TRANSPORT=y
+CONFIG_INET_XFRM_MODE_TUNNEL=y
+CONFIG_INET_XFRM_MODE_BEET=y
+# CONFIG_INET_LRO is not set
+CONFIG_INET_DIAG=y
+CONFIG_INET_TCP_DIAG=y
+# CONFIG_INET_UDP_DIAG is not set
+# CONFIG_TCP_CONG_ADVANCED is not set
+CONFIG_TCP_CONG_CUBIC=y
+CONFIG_DEFAULT_TCP_CONG="cubic"
+# CONFIG_TCP_MD5SIG is not set
+CONFIG_IPV6=y
+# CONFIG_IPV6_PRIVACY is not set
+# CONFIG_IPV6_ROUTER_PREF is not set
+CONFIG_IPV6_OPTIMISTIC_DAD=y
+CONFIG_INET6_AH=y
+CONFIG_INET6_ESP=y
+CONFIG_INET6_IPCOMP=y
+CONFIG_IPV6_MIP6=y
+CONFIG_INET6_XFRM_TUNNEL=y
+CONFIG_INET6_TUNNEL=y
+CONFIG_INET6_XFRM_MODE_TRANSPORT=y
+CONFIG_INET6_XFRM_MODE_TUNNEL=y
+CONFIG_INET6_XFRM_MODE_BEET=y
+# CONFIG_INET6_XFRM_MODE_ROUTEOPTIMIZATION is not set
+# CONFIG_IPV6_SIT is not set
+CONFIG_IPV6_TUNNEL=y
+CONFIG_IPV6_GRE=y
+CONFIG_IPV6_MULTIPLE_TABLES=y
+CONFIG_IPV6_SUBTREES=y
+# CONFIG_IPV6_MROUTE is not set
+# CONFIG_NETWORK_SECMARK is not set
+# CONFIG_NETWORK_PHY_TIMESTAMPING is not set
+CONFIG_NETFILTER=y
+# CONFIG_NETFILTER_DEBUG is not set
+CONFIG_NETFILTER_ADVANCED=y
+
+#
+# Core Netfilter Configuration
+#
+CONFIG_NETFILTER_NETLINK=y
+# CONFIG_NETFILTER_NETLINK_ACCT is not set
+CONFIG_NETFILTER_NETLINK_QUEUE=y
+CONFIG_NETFILTER_NETLINK_LOG=y
+CONFIG_NF_CONNTRACK=y
+CONFIG_NF_CONNTRACK_MARK=y
+# CONFIG_NF_CONNTRACK_ZONES is not set
+CONFIG_NF_CONNTRACK_PROCFS=y
+CONFIG_NF_CONNTRACK_EVENTS=y
+# CONFIG_NF_CONNTRACK_TIMEOUT is not set
+# CONFIG_NF_CONNTRACK_TIMESTAMP is not set
+# CONFIG_NF_CT_PROTO_DCCP is not set
+# CONFIG_NF_CT_PROTO_SCTP is not set
+CONFIG_NF_CT_PROTO_UDPLITE=y
+# CONFIG_NF_CONNTRACK_AMANDA is not set
+# CONFIG_NF_CONNTRACK_FTP is not set
+# CONFIG_NF_CONNTRACK_H323 is not set
+# CONFIG_NF_CONNTRACK_IRC is not set
+# CONFIG_NF_CONNTRACK_NETBIOS_NS is not set
+# CONFIG_NF_CONNTRACK_SNMP is not set
+# CONFIG_NF_CONNTRACK_PPTP is not set
+CONFIG_NF_CONNTRACK_SANE=y
+# CONFIG_NF_CONNTRACK_SIP is not set
+# CONFIG_NF_CONNTRACK_TFTP is not set
+CONFIG_NF_CT_NETLINK=y
+# CONFIG_NF_CT_NETLINK_TIMEOUT is not set
+# CONFIG_NETFILTER_NETLINK_QUEUE_CT is not set
+CONFIG_NF_NAT=y
+CONFIG_NF_NAT_NEEDED=y
+CONFIG_NF_NAT_PROTO_UDPLITE=y
+# CONFIG_NF_NAT_AMANDA is not set
+# CONFIG_NF_NAT_FTP is not set
+# CONFIG_NF_NAT_IRC is not set
+# CONFIG_NF_NAT_SIP is not set
+# CONFIG_NF_NAT_TFTP is not set
+# CONFIG_NETFILTER_TPROXY is not set
+CONFIG_NETFILTER_XTABLES=y
+
+#
+# Xtables combined modules
+#
+CONFIG_NETFILTER_XT_MARK=y
+CONFIG_NETFILTER_XT_CONNMARK=y
+CONFIG_NETFILTER_XT_SET=y
+
+#
+# Xtables targets
+#
+# CONFIG_NETFILTER_XT_TARGET_CHECKSUM is not set
+CONFIG_NETFILTER_XT_TARGET_CLASSIFY=y
+CONFIG_NETFILTER_XT_TARGET_CONNMARK=y
+CONFIG_NETFILTER_XT_TARGET_CT=y
+CONFIG_NETFILTER_XT_TARGET_DSCP=y
+CONFIG_NETFILTER_XT_TARGET_HL=y
+# CONFIG_NETFILTER_XT_TARGET_HMARK is not set
+# CONFIG_NETFILTER_XT_TARGET_IDLETIMER is not set
+CONFIG_NETFILTER_XT_TARGET_LOG=y
+CONFIG_NETFILTER_XT_TARGET_MARK=y
+CONFIG_NETFILTER_XT_TARGET_NETMAP=y
+CONFIG_NETFILTER_XT_TARGET_NFLOG=y
+CONFIG_NETFILTER_XT_TARGET_NFQUEUE=y
+CONFIG_NETFILTER_XT_TARGET_NOTRACK=y
+# CONFIG_NETFILTER_XT_TARGET_RATEEST is not set
+CONFIG_NETFILTER_XT_TARGET_REDIRECT=y
+# CONFIG_NETFILTER_XT_TARGET_TEE is not set
+CONFIG_NETFILTER_XT_TARGET_TRACE=y
+CONFIG_NETFILTER_XT_TARGET_TCPMSS=y
+# CONFIG_NETFILTER_XT_TARGET_TCPOPTSTRIP is not set
+
+#
+# Xtables matches
+#
+CONFIG_NETFILTER_XT_MATCH_ADDRTYPE=y
+# CONFIG_NETFILTER_XT_MATCH_BPF is not set
+CONFIG_NETFILTER_XT_MATCH_CLUSTER=y
+CONFIG_NETFILTER_XT_MATCH_COMMENT=y
+CONFIG_NETFILTER_XT_MATCH_CONNBYTES=y
+# CONFIG_NETFILTER_XT_MATCH_CONNLABEL is not set
+CONFIG_NETFILTER_XT_MATCH_CONNLIMIT=y
+CONFIG_NETFILTER_XT_MATCH_CONNMARK=y
+CONFIG_NETFILTER_XT_MATCH_CONNTRACK=y
+# CONFIG_NETFILTER_XT_MATCH_CPU is not set
+CONFIG_NETFILTER_XT_MATCH_DCCP=y
+CONFIG_NETFILTER_XT_MATCH_DEVGROUP=y
+CONFIG_NETFILTER_XT_MATCH_DSCP=y
+CONFIG_NETFILTER_XT_MATCH_ECN=y
+CONFIG_NETFILTER_XT_MATCH_ESP=y
+CONFIG_NETFILTER_XT_MATCH_HASHLIMIT=y
+CONFIG_NETFILTER_XT_MATCH_HELPER=y
+CONFIG_NETFILTER_XT_MATCH_HL=y
+# CONFIG_NETFILTER_XT_MATCH_IPRANGE is not set
+CONFIG_NETFILTER_XT_MATCH_LENGTH=y
+CONFIG_NETFILTER_XT_MATCH_LIMIT=y
+CONFIG_NETFILTER_XT_MATCH_MAC=y
+CONFIG_NETFILTER_XT_MATCH_MARK=y
+CONFIG_NETFILTER_XT_MATCH_MULTIPORT=y
+# CONFIG_NETFILTER_XT_MATCH_NFACCT is not set
+# CONFIG_NETFILTER_XT_MATCH_OSF is not set
+# CONFIG_NETFILTER_XT_MATCH_OWNER is not set
+CONFIG_NETFILTER_XT_MATCH_POLICY=y
+CONFIG_NETFILTER_XT_MATCH_PKTTYPE=y
+CONFIG_NETFILTER_XT_MATCH_QUOTA=y
+# CONFIG_NETFILTER_XT_MATCH_RATEEST is not set
+CONFIG_NETFILTER_XT_MATCH_REALM=y
+# CONFIG_NETFILTER_XT_MATCH_RECENT is not set
+CONFIG_NETFILTER_XT_MATCH_SCTP=y
+CONFIG_NETFILTER_XT_MATCH_STATE=y
+CONFIG_NETFILTER_XT_MATCH_STATISTIC=y
+CONFIG_NETFILTER_XT_MATCH_STRING=y
+CONFIG_NETFILTER_XT_MATCH_TCPMSS=y
+# CONFIG_NETFILTER_XT_MATCH_TIME is not set
+CONFIG_NETFILTER_XT_MATCH_U32=y
+CONFIG_IP_SET=y
+CONFIG_IP_SET_MAX=256
+CONFIG_IP_SET_BITMAP_IP=y
+CONFIG_IP_SET_BITMAP_IPMAC=y
+CONFIG_IP_SET_BITMAP_PORT=y
+CONFIG_IP_SET_HASH_IP=y
+CONFIG_IP_SET_HASH_IPPORT=y
+CONFIG_IP_SET_HASH_IPPORTIP=y
+CONFIG_IP_SET_HASH_IPPORTNET=y
+CONFIG_IP_SET_HASH_NET=y
+CONFIG_IP_SET_HASH_NETPORT=y
+# CONFIG_IP_SET_HASH_NETIFACE is not set
+CONFIG_IP_SET_LIST_SET=y
+# CONFIG_IP_VS is not set
+
+#
+# IP: Netfilter Configuration
+#
+CONFIG_NF_DEFRAG_IPV4=y
+CONFIG_NF_CONNTRACK_IPV4=y
+CONFIG_NF_CONNTRACK_PROC_COMPAT=y
+CONFIG_IP_NF_IPTABLES=y
+CONFIG_IP_NF_MATCH_AH=y
+CONFIG_IP_NF_MATCH_ECN=y
+# CONFIG_IP_NF_MATCH_RPFILTER is not set
+CONFIG_IP_NF_MATCH_TTL=y
+CONFIG_IP_NF_FILTER=y
+CONFIG_IP_NF_TARGET_REJECT=y
+CONFIG_IP_NF_TARGET_ULOG=y
+CONFIG_NF_NAT_IPV4=y
+CONFIG_IP_NF_TARGET_MASQUERADE=y
+CONFIG_IP_NF_TARGET_NETMAP=y
+CONFIG_IP_NF_TARGET_REDIRECT=y
+# CONFIG_NF_NAT_PPTP is not set
+# CONFIG_NF_NAT_H323 is not set
+CONFIG_IP_NF_MANGLE=y
+CONFIG_IP_NF_TARGET_CLUSTERIP=y
+CONFIG_IP_NF_TARGET_ECN=y
+CONFIG_IP_NF_TARGET_TTL=y
+CONFIG_IP_NF_RAW=y
+CONFIG_IP_NF_ARPTABLES=y
+CONFIG_IP_NF_ARPFILTER=y
+CONFIG_IP_NF_ARP_MANGLE=y
+
+#
+# IPv6: Netfilter Configuration
+#
+CONFIG_NF_DEFRAG_IPV6=y
+CONFIG_NF_CONNTRACK_IPV6=y
+CONFIG_IP6_NF_IPTABLES=y
+CONFIG_IP6_NF_MATCH_AH=y
+CONFIG_IP6_NF_MATCH_EUI64=y
+CONFIG_IP6_NF_MATCH_FRAG=y
+CONFIG_IP6_NF_MATCH_OPTS=y
+CONFIG_IP6_NF_MATCH_HL=y
+CONFIG_IP6_NF_MATCH_IPV6HEADER=y
+CONFIG_IP6_NF_MATCH_MH=y
+# CONFIG_IP6_NF_MATCH_RPFILTER is not set
+CONFIG_IP6_NF_MATCH_RT=y
+CONFIG_IP6_NF_TARGET_HL=y
+CONFIG_IP6_NF_FILTER=y
+CONFIG_IP6_NF_TARGET_REJECT=y
+CONFIG_IP6_NF_MANGLE=y
+CONFIG_IP6_NF_RAW=y
+CONFIG_NF_NAT_IPV6=y
+CONFIG_IP6_NF_TARGET_MASQUERADE=y
+CONFIG_IP6_NF_TARGET_NPT=y
+# CONFIG_IP_DCCP is not set
+# CONFIG_IP_SCTP is not set
+# CONFIG_RDS is not set
+# CONFIG_TIPC is not set
+# CONFIG_ATM is not set
+CONFIG_L2TP=y
+# CONFIG_L2TP_V3 is not set
+# CONFIG_BRIDGE is not set
+CONFIG_HAVE_NET_DSA=y
+# CONFIG_VLAN_8021Q is not set
+# CONFIG_DECNET is not set
+# CONFIG_LLC2 is not set
+# CONFIG_IPX is not set
+# CONFIG_ATALK is not set
+# CONFIG_X25 is not set
+# CONFIG_LAPB is not set
+# CONFIG_PHONET is not set
+# CONFIG_IEEE802154 is not set
+# CONFIG_NET_SCHED is not set
+# CONFIG_DCB is not set
+# CONFIG_BATMAN_ADV is not set
+# CONFIG_OPENVSWITCH is not set
+# CONFIG_VSOCKETS is not set
+# CONFIG_NETLINK_MMAP is not set
+# CONFIG_NETLINK_DIAG is not set
+CONFIG_BQL=y
+
+#
+# Network testing
+#
+# CONFIG_NET_PKTGEN is not set
+# CONFIG_HAMRADIO is not set
+# CONFIG_CAN is not set
+# CONFIG_IRDA is not set
+# CONFIG_BT is not set
+# CONFIG_AF_RXRPC is not set
+CONFIG_FIB_RULES=y
+CONFIG_WIRELESS=y
+# CONFIG_CFG80211 is not set
+# CONFIG_LIB80211 is not set
+
+#
+# CFG80211 needs to be enabled for MAC80211
+#
+# CONFIG_WIMAX is not set
+# CONFIG_RFKILL is not set
+CONFIG_NET_9P=y
+CONFIG_NET_9P_VIRTIO=y
+# CONFIG_NET_9P_DEBUG is not set
+# CONFIG_CAIF is not set
+# CONFIG_CEPH_LIB is not set
+# CONFIG_NFC is not set
+CONFIG_HAVE_BPF_JIT=y
+
+#
+# Device Drivers
+#
+
+#
+# Generic Driver Options
+#
+CONFIG_UEVENT_HELPER_PATH="/sbin/hotplug"
+# CONFIG_DEVTMPFS is not set
+CONFIG_STANDALONE=y
+CONFIG_PREVENT_FIRMWARE_BUILD=y
+CONFIG_FW_LOADER=y
+CONFIG_FIRMWARE_IN_KERNEL=y
+CONFIG_EXTRA_FIRMWARE=""
+CONFIG_FW_LOADER_USER_HELPER=y
+# CONFIG_DEBUG_DRIVER is not set
+# CONFIG_DEBUG_DEVRES is not set
+# CONFIG_SYS_HYPERVISOR is not set
+# CONFIG_GENERIC_CPU_DEVICES is not set
+# CONFIG_DMA_SHARED_BUFFER is not set
+
+#
+# Bus devices
+#
+# CONFIG_CONNECTOR is not set
+# CONFIG_MTD is not set
+# CONFIG_PARPORT is not set
+CONFIG_PNP=y
+CONFIG_PNP_DEBUG_MESSAGES=y
+
+#
+# Protocols
+#
+CONFIG_PNPACPI=y
+CONFIG_BLK_DEV=y
+# CONFIG_BLK_DEV_FD is not set
+# CONFIG_BLK_DEV_PCIESSD_MTIP32XX is not set
+# CONFIG_BLK_CPQ_DA is not set
+# CONFIG_BLK_CPQ_CISS_DA is not set
+# CONFIG_BLK_DEV_DAC960 is not set
+# CONFIG_BLK_DEV_UMEM is not set
+# CONFIG_BLK_DEV_COW_COMMON is not set
+CONFIG_BLK_DEV_LOOP=y
+CONFIG_BLK_DEV_LOOP_MIN_COUNT=8
+# CONFIG_BLK_DEV_CRYPTOLOOP is not set
+# CONFIG_BLK_DEV_DRBD is not set
+CONFIG_BLK_DEV_NBD=y
+# CONFIG_BLK_DEV_NVME is not set
+# CONFIG_BLK_DEV_SX8 is not set
+# CONFIG_BLK_DEV_RAM is not set
+# CONFIG_CDROM_PKTCDVD is not set
+# CONFIG_ATA_OVER_ETH is not set
+CONFIG_VIRTIO_BLK=y
+# CONFIG_BLK_DEV_HD is not set
+# CONFIG_BLK_DEV_RBD is not set
+# CONFIG_BLK_DEV_RSXX is not set
+
+#
+# Misc devices
+#
+# CONFIG_SENSORS_LIS3LV02D is not set
+# CONFIG_DUMMY_IRQ is not set
+# CONFIG_IBM_ASM is not set
+# CONFIG_PHANTOM is not set
+# CONFIG_INTEL_MID_PTI is not set
+# CONFIG_SGI_IOC4 is not set
+# CONFIG_TIFM_CORE is not set
+# CONFIG_ATMEL_SSC is not set
+# CONFIG_ENCLOSURE_SERVICES is not set
+# CONFIG_HP_ILO is not set
+# CONFIG_PCH_PHUB is not set
+# CONFIG_SRAM is not set
+# CONFIG_C2PORT is not set
+
+#
+# EEPROM support
+#
+# CONFIG_EEPROM_93CX6 is not set
+# CONFIG_CB710_CORE is not set
+
+#
+# Texas Instruments shared transport line discipline
+#
+
+#
+# Altera FPGA firmware download module
+#
+# CONFIG_VMWARE_VMCI is not set
+CONFIG_HAVE_IDE=y
+# CONFIG_IDE is not set
+
+#
+# SCSI device support
+#
+CONFIG_SCSI_MOD=y
+# CONFIG_RAID_ATTRS is not set
+# CONFIG_SCSI is not set
+# CONFIG_SCSI_DMA is not set
+# CONFIG_SCSI_NETLINK is not set
+# CONFIG_ATA is not set
+# CONFIG_MD is not set
+# CONFIG_FUSION is not set
+
+#
+# IEEE 1394 (FireWire) support
+#
+# CONFIG_FIREWIRE is not set
+# CONFIG_FIREWIRE_NOSY is not set
+# CONFIG_I2O is not set
+# CONFIG_MACINTOSH_DRIVERS is not set
+CONFIG_NETDEVICES=y
+CONFIG_NET_CORE=y
+# CONFIG_BONDING is not set
+CONFIG_DUMMY=y
+# CONFIG_EQUALIZER is not set
+# CONFIG_MII is not set
+# CONFIG_NET_TEAM is not set
+# CONFIG_MACVLAN is not set
+# CONFIG_VXLAN is not set
+# CONFIG_NETCONSOLE is not set
+# CONFIG_NETPOLL is not set
+# CONFIG_NET_POLL_CONTROLLER is not set
+CONFIG_TUN=y
+# CONFIG_VETH is not set
+CONFIG_VIRTIO_NET=y
+# CONFIG_ARCNET is not set
+
+#
+# CAIF transport drivers
+#
+# CONFIG_VHOST_NET is not set
+
+#
+# Distributed Switch Architecture drivers
+#
+# CONFIG_NET_DSA_MV88E6XXX is not set
+# CONFIG_NET_DSA_MV88E6060 is not set
+# CONFIG_NET_DSA_MV88E6XXX_NEED_PPU is not set
+# CONFIG_NET_DSA_MV88E6131 is not set
+# CONFIG_NET_DSA_MV88E6123_61_65 is not set
+CONFIG_ETHERNET=y
+CONFIG_NET_VENDOR_3COM=y
+# CONFIG_VORTEX is not set
+# CONFIG_TYPHOON is not set
+CONFIG_NET_VENDOR_ADAPTEC=y
+# CONFIG_ADAPTEC_STARFIRE is not set
+CONFIG_NET_VENDOR_ALTEON=y
+# CONFIG_ACENIC is not set
+CONFIG_NET_VENDOR_AMD=y
+# CONFIG_AMD8111_ETH is not set
+# CONFIG_PCNET32 is not set
+CONFIG_NET_VENDOR_ATHEROS=y
+# CONFIG_ATL2 is not set
+# CONFIG_ATL1 is not set
+# CONFIG_ATL1E is not set
+# CONFIG_ATL1C is not set
+# CONFIG_ALX is not set
+CONFIG_NET_CADENCE=y
+# CONFIG_ARM_AT91_ETHER is not set
+# CONFIG_MACB is not set
+CONFIG_NET_VENDOR_BROADCOM=y
+# CONFIG_B44 is not set
+# CONFIG_BNX2 is not set
+# CONFIG_CNIC is not set
+# CONFIG_TIGON3 is not set
+# CONFIG_BNX2X is not set
+CONFIG_NET_VENDOR_BROCADE=y
+# CONFIG_BNA is not set
+# CONFIG_NET_CALXEDA_XGMAC is not set
+CONFIG_NET_VENDOR_CHELSIO=y
+# CONFIG_CHELSIO_T1 is not set
+# CONFIG_CHELSIO_T3 is not set
+# CONFIG_CHELSIO_T4 is not set
+# CONFIG_CHELSIO_T4VF is not set
+CONFIG_NET_VENDOR_CISCO=y
+# CONFIG_ENIC is not set
+# CONFIG_DNET is not set
+CONFIG_NET_VENDOR_DEC=y
+# CONFIG_NET_TULIP is not set
+CONFIG_NET_VENDOR_DLINK=y
+# CONFIG_DL2K is not set
+# CONFIG_SUNDANCE is not set
+CONFIG_NET_VENDOR_EMULEX=y
+# CONFIG_BE2NET is not set
+CONFIG_NET_VENDOR_EXAR=y
+# CONFIG_S2IO is not set
+# CONFIG_VXGE is not set
+CONFIG_NET_VENDOR_HP=y
+# CONFIG_HP100 is not set
+CONFIG_NET_VENDOR_INTEL=y
+# CONFIG_E100 is not set
+# CONFIG_E1000 is not set
+# CONFIG_E1000E is not set
+# CONFIG_IGB is not set
+# CONFIG_IGBVF is not set
+# CONFIG_IXGB is not set
+# CONFIG_IXGBE is not set
+# CONFIG_IXGBEVF is not set
+CONFIG_NET_VENDOR_I825XX=y
+# CONFIG_IP1000 is not set
+# CONFIG_JME is not set
+CONFIG_NET_VENDOR_MARVELL=y
+# CONFIG_MVMDIO is not set
+# CONFIG_SKGE is not set
+# CONFIG_SKY2 is not set
+CONFIG_NET_VENDOR_MELLANOX=y
+# CONFIG_MLX4_EN is not set
+# CONFIG_MLX4_CORE is not set
+CONFIG_NET_VENDOR_MICREL=y
+# CONFIG_KS8851_MLL is not set
+# CONFIG_KSZ884X_PCI is not set
+CONFIG_NET_VENDOR_MYRI=y
+# CONFIG_MYRI10GE is not set
+# CONFIG_FEALNX is not set
+CONFIG_NET_VENDOR_NATSEMI=y
+# CONFIG_NATSEMI is not set
+# CONFIG_NS83820 is not set
+CONFIG_NET_VENDOR_8390=y
+# CONFIG_NE2K_PCI is not set
+CONFIG_NET_VENDOR_NVIDIA=y
+# CONFIG_FORCEDETH is not set
+CONFIG_NET_VENDOR_OKI=y
+# CONFIG_PCH_GBE is not set
+# CONFIG_ETHOC is not set
+CONFIG_NET_PACKET_ENGINE=y
+# CONFIG_HAMACHI is not set
+# CONFIG_YELLOWFIN is not set
+CONFIG_NET_VENDOR_QLOGIC=y
+# CONFIG_QLA3XXX is not set
+# CONFIG_QLCNIC is not set
+# CONFIG_QLGE is not set
+# CONFIG_NETXEN_NIC is not set
+CONFIG_NET_VENDOR_REALTEK=y
+# CONFIG_8139CP is not set
+# CONFIG_8139TOO is not set
+# CONFIG_R8169 is not set
+CONFIG_NET_VENDOR_RDC=y
+# CONFIG_R6040 is not set
+CONFIG_NET_VENDOR_SEEQ=y
+CONFIG_NET_VENDOR_SILAN=y
+# CONFIG_SC92031 is not set
+CONFIG_NET_VENDOR_SIS=y
+# CONFIG_SIS900 is not set
+# CONFIG_SIS190 is not set
+# CONFIG_SFC is not set
+CONFIG_NET_VENDOR_SMSC=y
+# CONFIG_EPIC100 is not set
+# CONFIG_SMSC9420 is not set
+CONFIG_NET_VENDOR_STMICRO=y
+# CONFIG_STMMAC_ETH is not set
+CONFIG_NET_VENDOR_SUN=y
+# CONFIG_HAPPYMEAL is not set
+# CONFIG_SUNGEM is not set
+# CONFIG_CASSINI is not set
+# CONFIG_NIU is not set
+CONFIG_NET_VENDOR_TEHUTI=y
+# CONFIG_TEHUTI is not set
+CONFIG_NET_VENDOR_TI=y
+# CONFIG_TLAN is not set
+CONFIG_NET_VENDOR_VIA=y
+# CONFIG_VIA_RHINE is not set
+# CONFIG_VIA_VELOCITY is not set
+CONFIG_NET_VENDOR_WIZNET=y
+# CONFIG_WIZNET_W5100 is not set
+# CONFIG_WIZNET_W5300 is not set
+# CONFIG_FDDI is not set
+# CONFIG_HIPPI is not set
+# CONFIG_NET_SB1000 is not set
+# CONFIG_PHYLIB is not set
+# CONFIG_PPP is not set
+# CONFIG_SLIP is not set
+CONFIG_WLAN=y
+# CONFIG_AIRO is not set
+# CONFIG_ATMEL is not set
+# CONFIG_PRISM54 is not set
+# CONFIG_HOSTAP is not set
+# CONFIG_WL_TI is not set
+
+#
+# Enable WiMAX (Networking options) to see the WiMAX drivers
+#
+# CONFIG_WAN is not set
+# CONFIG_VMXNET3 is not set
+# CONFIG_ISDN is not set
+
+#
+# Input device support
+#
+CONFIG_INPUT=y
+# CONFIG_INPUT_FF_MEMLESS is not set
+# CONFIG_INPUT_POLLDEV is not set
+# CONFIG_INPUT_SPARSEKMAP is not set
+# CONFIG_INPUT_MATRIXKMAP is not set
+
+#
+# Userland interfaces
+#
+CONFIG_INPUT_MOUSEDEV=y
+CONFIG_INPUT_MOUSEDEV_PSAUX=y
+CONFIG_INPUT_MOUSEDEV_SCREEN_X=1024
+CONFIG_INPUT_MOUSEDEV_SCREEN_Y=768
+# CONFIG_INPUT_JOYDEV is not set
+# CONFIG_INPUT_EVDEV is not set
+# CONFIG_INPUT_EVBUG is not set
+
+#
+# Input Device Drivers
+#
+CONFIG_INPUT_KEYBOARD=y
+CONFIG_KEYBOARD_ATKBD=y
+# CONFIG_KEYBOARD_LKKBD is not set
+# CONFIG_KEYBOARD_NEWTON is not set
+# CONFIG_KEYBOARD_OPENCORES is not set
+# CONFIG_KEYBOARD_STOWAWAY is not set
+# CONFIG_KEYBOARD_SUNKBD is not set
+# CONFIG_KEYBOARD_XTKBD is not set
+CONFIG_INPUT_MOUSE=y
+CONFIG_MOUSE_PS2=y
+CONFIG_MOUSE_PS2_ALPS=y
+CONFIG_MOUSE_PS2_LOGIPS2PP=y
+CONFIG_MOUSE_PS2_SYNAPTICS=y
+CONFIG_MOUSE_PS2_CYPRESS=y
+CONFIG_MOUSE_PS2_LIFEBOOK=y
+CONFIG_MOUSE_PS2_TRACKPOINT=y
+# CONFIG_MOUSE_PS2_ELANTECH is not set
+# CONFIG_MOUSE_PS2_SENTELIC is not set
+# CONFIG_MOUSE_PS2_TOUCHKIT is not set
+# CONFIG_MOUSE_SERIAL is not set
+# CONFIG_MOUSE_APPLETOUCH is not set
+# CONFIG_MOUSE_BCM5974 is not set
+# CONFIG_MOUSE_VSXXXAA is not set
+# CONFIG_MOUSE_SYNAPTICS_USB is not set
+# CONFIG_INPUT_JOYSTICK is not set
+# CONFIG_INPUT_TABLET is not set
+# CONFIG_INPUT_TOUCHSCREEN is not set
+# CONFIG_INPUT_MISC is not set
+
+#
+# Hardware I/O ports
+#
+CONFIG_SERIO=y
+CONFIG_SERIO_I8042=y
+CONFIG_SERIO_SERPORT=y
+# CONFIG_SERIO_CT82C710 is not set
+# CONFIG_SERIO_PCIPS2 is not set
+CONFIG_SERIO_LIBPS2=y
+# CONFIG_SERIO_RAW is not set
+# CONFIG_SERIO_ALTERA_PS2 is not set
+# CONFIG_SERIO_PS2MULT is not set
+# CONFIG_SERIO_ARC_PS2 is not set
+# CONFIG_GAMEPORT is not set
+
+#
+# Character devices
+#
+CONFIG_TTY=y
+CONFIG_VT=y
+CONFIG_CONSOLE_TRANSLATIONS=y
+CONFIG_VT_CONSOLE=y
+CONFIG_VT_CONSOLE_SLEEP=y
+CONFIG_HW_CONSOLE=y
+# CONFIG_VT_HW_CONSOLE_BINDING is not set
+CONFIG_UNIX98_PTYS=y
+# CONFIG_DEVPTS_MULTIPLE_INSTANCES is not set
+CONFIG_LEGACY_PTYS=y
+CONFIG_LEGACY_PTY_COUNT=256
+# CONFIG_SERIAL_NONSTANDARD is not set
+# CONFIG_NOZOMI is not set
+# CONFIG_N_GSM is not set
+# CONFIG_TRACE_SINK is not set
+CONFIG_DEVKMEM=y
+
+#
+# Serial drivers
+#
+# CONFIG_SERIAL_8250 is not set
+CONFIG_FIX_EARLYCON_MEM=y
+
+#
+# Non-8250 serial port support
+#
+# CONFIG_SERIAL_MFD_HSU is not set
+# CONFIG_SERIAL_JSM is not set
+# CONFIG_SERIAL_SCCNXP is not set
+# CONFIG_SERIAL_TIMBERDALE is not set
+# CONFIG_SERIAL_ALTERA_JTAGUART is not set
+# CONFIG_SERIAL_ALTERA_UART is not set
+# CONFIG_SERIAL_PCH_UART is not set
+# CONFIG_SERIAL_ARC is not set
+# CONFIG_SERIAL_RP2 is not set
+CONFIG_HVC_DRIVER=y
+CONFIG_VIRTIO_CONSOLE=y
+# CONFIG_IPMI_HANDLER is not set
+# CONFIG_HW_RANDOM is not set
+# CONFIG_NVRAM is not set
+# CONFIG_R3964 is not set
+# CONFIG_APPLICOM is not set
+# CONFIG_MWAVE is not set
+# CONFIG_RAW_DRIVER is not set
+# CONFIG_HPET is not set
+# CONFIG_HANGCHECK_TIMER is not set
+# CONFIG_TCG_TPM is not set
+# CONFIG_TELCLOCK is not set
+CONFIG_DEVPORT=y
+# CONFIG_I2C is not set
+# CONFIG_SPI is not set
+
+#
+# Qualcomm MSM SSBI bus support
+#
+# CONFIG_SSBI is not set
+# CONFIG_HSI is not set
+
+#
+# PPS support
+#
+# CONFIG_PPS is not set
+
+#
+# PPS generators support
+#
+
+#
+# PTP clock support
+#
+# CONFIG_PTP_1588_CLOCK is not set
+
+#
+# Enable PHYLIB and NETWORK_PHY_TIMESTAMPING to see the additional clocks.
+#
+# CONFIG_PTP_1588_CLOCK_PCH is not set
+CONFIG_ARCH_WANT_OPTIONAL_GPIOLIB=y
+CONFIG_GPIO_DEVRES=y
+# CONFIG_GPIOLIB is not set
+# CONFIG_W1 is not set
+CONFIG_POWER_SUPPLY=y
+# CONFIG_POWER_SUPPLY_DEBUG is not set
+# CONFIG_PDA_POWER is not set
+# CONFIG_TEST_POWER is not set
+# CONFIG_BATTERY_DS2780 is not set
+# CONFIG_BATTERY_DS2781 is not set
+# CONFIG_BATTERY_BQ27x00 is not set
+# CONFIG_CHARGER_MAX8903 is not set
+# CONFIG_BATTERY_GOLDFISH is not set
+# CONFIG_POWER_RESET is not set
+# CONFIG_POWER_AVS is not set
+CONFIG_HWMON=y
+# CONFIG_HWMON_VID is not set
+# CONFIG_HWMON_DEBUG_CHIP is not set
+
+#
+# Native drivers
+#
+# CONFIG_SENSORS_ABITUGURU is not set
+# CONFIG_SENSORS_ABITUGURU3 is not set
+# CONFIG_SENSORS_K8TEMP is not set
+# CONFIG_SENSORS_K10TEMP is not set
+# CONFIG_SENSORS_FAM15H_POWER is not set
+# CONFIG_SENSORS_I5K_AMB is not set
+# CONFIG_SENSORS_F71805F is not set
+# CONFIG_SENSORS_F71882FG is not set
+# CONFIG_SENSORS_CORETEMP is not set
+# CONFIG_SENSORS_IT87 is not set
+# CONFIG_SENSORS_MAX197 is not set
+# CONFIG_SENSORS_NCT6775 is not set
+# CONFIG_SENSORS_NTC_THERMISTOR is not set
+# CONFIG_SENSORS_PC87360 is not set
+# CONFIG_SENSORS_PC87427 is not set
+# CONFIG_SENSORS_SIS5595 is not set
+# CONFIG_SENSORS_SMSC47M1 is not set
+# CONFIG_SENSORS_SMSC47B397 is not set
+# CONFIG_SENSORS_SCH56XX_COMMON is not set
+# CONFIG_SENSORS_VIA_CPUTEMP is not set
+# CONFIG_SENSORS_VIA686A is not set
+# CONFIG_SENSORS_VT1211 is not set
+# CONFIG_SENSORS_VT8231 is not set
+# CONFIG_SENSORS_W83627HF is not set
+# CONFIG_SENSORS_W83627EHF is not set
+# CONFIG_SENSORS_APPLESMC is not set
+
+#
+# ACPI drivers
+#
+# CONFIG_SENSORS_ACPI_POWER is not set
+# CONFIG_SENSORS_ATK0110 is not set
+CONFIG_THERMAL=y
+CONFIG_THERMAL_HWMON=y
+CONFIG_THERMAL_DEFAULT_GOV_STEP_WISE=y
+# CONFIG_THERMAL_DEFAULT_GOV_FAIR_SHARE is not set
+# CONFIG_THERMAL_DEFAULT_GOV_USER_SPACE is not set
+# CONFIG_THERMAL_GOV_FAIR_SHARE is not set
+CONFIG_THERMAL_GOV_STEP_WISE=y
+# CONFIG_THERMAL_GOV_USER_SPACE is not set
+# CONFIG_THERMAL_EMULATION is not set
+# CONFIG_INTEL_POWERCLAMP is not set
+# CONFIG_WATCHDOG is not set
+CONFIG_SSB_POSSIBLE=y
+
+#
+# Sonics Silicon Backplane
+#
+# CONFIG_SSB is not set
+CONFIG_BCMA_POSSIBLE=y
+
+#
+# Broadcom specific AMBA
+#
+# CONFIG_BCMA is not set
+
+#
+# Multifunction device drivers
+#
+# CONFIG_MFD_CORE is not set
+# CONFIG_MFD_CS5535 is not set
+# CONFIG_MFD_CROS_EC is not set
+# CONFIG_HTC_PASIC3 is not set
+# CONFIG_LPC_ICH is not set
+# CONFIG_LPC_SCH is not set
+# CONFIG_MFD_JANZ_CMODIO is not set
+# CONFIG_MFD_RDC321X is not set
+# CONFIG_MFD_RTSX_PCI is not set
+# CONFIG_MFD_SM501 is not set
+# CONFIG_ABX500_CORE is not set
+# CONFIG_MFD_SYSCON is not set
+# CONFIG_MFD_TI_AM335X_TSCADC is not set
+# CONFIG_MFD_TMIO is not set
+# CONFIG_MFD_VX855 is not set
+# CONFIG_REGULATOR is not set
+# CONFIG_MEDIA_SUPPORT is not set
+
+#
+# Graphics support
+#
+# CONFIG_AGP is not set
+CONFIG_VGA_ARB=y
+CONFIG_VGA_ARB_MAX_GPUS=16
+# CONFIG_VGA_SWITCHEROO is not set
+# CONFIG_DRM is not set
+# CONFIG_VGASTATE is not set
+# CONFIG_VIDEO_OUTPUT_CONTROL is not set
+# CONFIG_FB is not set
+# CONFIG_EXYNOS_VIDEO is not set
+# CONFIG_BACKLIGHT_LCD_SUPPORT is not set
+
+#
+# Console display driver support
+#
+CONFIG_VGA_CONSOLE=y
+# CONFIG_VGACON_SOFT_SCROLLBACK is not set
+CONFIG_DUMMY_CONSOLE=y
+CONFIG_SOUND=y
+# CONFIG_SOUND_OSS_CORE is not set
+# CONFIG_SND is not set
+# CONFIG_SOUND_PRIME is not set
+
+#
+# HID support
+#
+CONFIG_HID=y
+# CONFIG_HID_BATTERY_STRENGTH is not set
+# CONFIG_HIDRAW is not set
+# CONFIG_UHID is not set
+CONFIG_HID_GENERIC=y
+
+#
+# Special HID drivers
+#
+CONFIG_HID_A4TECH=y
+# CONFIG_HID_ACRUX is not set
+CONFIG_HID_APPLE=y
+# CONFIG_HID_AUREAL is not set
+CONFIG_HID_BELKIN=y
+CONFIG_HID_CHERRY=y
+CONFIG_HID_CHICONY=y
+CONFIG_HID_CYPRESS=y
+# CONFIG_HID_DRAGONRISE is not set
+# CONFIG_HID_EMS_FF is not set
+# CONFIG_HID_ELECOM is not set
+CONFIG_HID_EZKEY=y
+# CONFIG_HID_KEYTOUCH is not set
+# CONFIG_HID_KYE is not set
+# CONFIG_HID_UCLOGIC is not set
+# CONFIG_HID_WALTOP is not set
+# CONFIG_HID_GYRATION is not set
+# CONFIG_HID_ICADE is not set
+# CONFIG_HID_TWINHAN is not set
+CONFIG_HID_KENSINGTON=y
+# CONFIG_HID_LCPOWER is not set
+CONFIG_HID_LOGITECH=y
+# CONFIG_HID_LOGITECH_DJ is not set
+# CONFIG_LOGITECH_FF is not set
+# CONFIG_LOGIRUMBLEPAD2_FF is not set
+# CONFIG_LOGIG940_FF is not set
+# CONFIG_LOGIWHEELS_FF is not set
+# CONFIG_HID_MAGICMOUSE is not set
+CONFIG_HID_MICROSOFT=y
+CONFIG_HID_MONTEREY=y
+# CONFIG_HID_MULTITOUCH is not set
+# CONFIG_HID_ORTEK is not set
+# CONFIG_HID_PANTHERLORD is not set
+# CONFIG_HID_PETALYNX is not set
+# CONFIG_HID_PICOLCD is not set
+# CONFIG_HID_PRIMAX is not set
+# CONFIG_HID_PS3REMOTE is not set
+# CONFIG_HID_SAITEK is not set
+# CONFIG_HID_SAMSUNG is not set
+# CONFIG_HID_SPEEDLINK is not set
+# CONFIG_HID_STEELSERIES is not set
+# CONFIG_HID_SUNPLUS is not set
+# CONFIG_HID_GREENASIA is not set
+# CONFIG_HID_SMARTJOYPLUS is not set
+# CONFIG_HID_TIVO is not set
+# CONFIG_HID_TOPSEED is not set
+# CONFIG_HID_THRUSTMASTER is not set
+# CONFIG_HID_ZEROPLUS is not set
+# CONFIG_HID_ZYDACRON is not set
+# CONFIG_HID_SENSOR_HUB is not set
+CONFIG_USB_ARCH_HAS_OHCI=y
+CONFIG_USB_ARCH_HAS_EHCI=y
+CONFIG_USB_ARCH_HAS_XHCI=y
+CONFIG_USB_SUPPORT=y
+CONFIG_USB_ARCH_HAS_HCD=y
+# CONFIG_USB is not set
+
+#
+# USB port drivers
+#
+# CONFIG_USB_PHY is not set
+# CONFIG_USB_GADGET is not set
+# CONFIG_UWB is not set
+# CONFIG_MMC is not set
+# CONFIG_MEMSTICK is not set
+# CONFIG_NEW_LEDS is not set
+# CONFIG_ACCESSIBILITY is not set
+# CONFIG_INFINIBAND is not set
+# CONFIG_EDAC is not set
+CONFIG_RTC_LIB=y
+# CONFIG_RTC_CLASS is not set
+# CONFIG_DMADEVICES is not set
+# CONFIG_AUXDISPLAY is not set
+# CONFIG_UIO is not set
+# CONFIG_VIRT_DRIVERS is not set
+CONFIG_VIRTIO=y
+
+#
+# Virtio drivers
+#
+CONFIG_VIRTIO_PCI=y
+CONFIG_VIRTIO_BALLOON=y
+CONFIG_VIRTIO_MMIO=y
+# CONFIG_VIRTIO_MMIO_CMDLINE_DEVICES is not set
+
+#
+# Microsoft Hyper-V guest support
+#
+# CONFIG_STAGING is not set
+CONFIG_X86_PLATFORM_DEVICES=y
+# CONFIG_ACERHDF is not set
+# CONFIG_ASUS_LAPTOP is not set
+# CONFIG_FUJITSU_TABLET is not set
+# CONFIG_HP_ACCEL is not set
+# CONFIG_THINKPAD_ACPI is not set
+# CONFIG_SENSORS_HDAPS is not set
+# CONFIG_INTEL_MENLOW is not set
+# CONFIG_ACPI_WMI is not set
+# CONFIG_TOPSTAR_LAPTOP is not set
+# CONFIG_TOSHIBA_BT_RFKILL is not set
+# CONFIG_ACPI_CMPC is not set
+# CONFIG_INTEL_IPS is not set
+# CONFIG_IBM_RTL is not set
+# CONFIG_XO15_EBOOK is not set
+# CONFIG_SAMSUNG_Q10 is not set
+# CONFIG_PVPANIC is not set
+
+#
+# Hardware Spinlock drivers
+#
+CONFIG_CLKEVT_I8253=y
+CONFIG_I8253_LOCK=y
+CONFIG_CLKBLD_I8253=y
+# CONFIG_MAILBOX is not set
+CONFIG_IOMMU_SUPPORT=y
+# CONFIG_AMD_IOMMU is not set
+# CONFIG_INTEL_IOMMU is not set
+# CONFIG_IRQ_REMAP is not set
+
+#
+# Remoteproc drivers
+#
+# CONFIG_STE_MODEM_RPROC is not set
+
+#
+# Rpmsg drivers
+#
+# CONFIG_PM_DEVFREQ is not set
+# CONFIG_EXTCON is not set
+# CONFIG_MEMORY is not set
+# CONFIG_IIO is not set
+# CONFIG_NTB is not set
+# CONFIG_VME_BUS is not set
+# CONFIG_PWM is not set
+# CONFIG_IPACK_BUS is not set
+# CONFIG_RESET_CONTROLLER is not set
+
+#
+# Firmware Drivers
+#
+# CONFIG_EDD is not set
+CONFIG_FIRMWARE_MEMMAP=y
+# CONFIG_DELL_RBU is not set
+# CONFIG_DCDBAS is not set
+CONFIG_DMIID=y
+# CONFIG_DMI_SYSFS is not set
+# CONFIG_ISCSI_IBFT_FIND is not set
+# CONFIG_GOOGLE_FIRMWARE is not set
+
+#
+# File systems
+#
+CONFIG_DCACHE_WORD_ACCESS=y
+CONFIG_EXT2_FS=y
+# CONFIG_EXT2_FS_XATTR is not set
+# CONFIG_EXT2_FS_XIP is not set
+CONFIG_EXT3_FS=y
+# CONFIG_EXT3_DEFAULTS_TO_ORDERED is not set
+# CONFIG_EXT3_FS_XATTR is not set
+# CONFIG_EXT4_FS is not set
+CONFIG_JBD=y
+CONFIG_REISERFS_FS=y
+# CONFIG_REISERFS_CHECK is not set
+# CONFIG_REISERFS_PROC_INFO is not set
+# CONFIG_REISERFS_FS_XATTR is not set
+# CONFIG_JFS_FS is not set
+# CONFIG_XFS_FS is not set
+# CONFIG_GFS2_FS is not set
+# CONFIG_BTRFS_FS is not set
+# CONFIG_NILFS2_FS is not set
+CONFIG_FS_POSIX_ACL=y
+CONFIG_FILE_LOCKING=y
+CONFIG_FSNOTIFY=y
+CONFIG_DNOTIFY=y
+CONFIG_INOTIFY_USER=y
+# CONFIG_FANOTIFY is not set
+CONFIG_QUOTA=y
+# CONFIG_QUOTA_NETLINK_INTERFACE is not set
+CONFIG_PRINT_QUOTA_WARNING=y
+# CONFIG_QUOTA_DEBUG is not set
+# CONFIG_QFMT_V1 is not set
+# CONFIG_QFMT_V2 is not set
+CONFIG_QUOTACTL=y
+CONFIG_AUTOFS4_FS=y
+# CONFIG_FUSE_FS is not set
+
+#
+# Caches
+#
+# CONFIG_FSCACHE is not set
+
+#
+# CD-ROM/DVD Filesystems
+#
+CONFIG_ISO9660_FS=y
+CONFIG_JOLIET=y
+# CONFIG_ZISOFS is not set
+# CONFIG_UDF_FS is not set
+
+#
+# DOS/FAT/NT Filesystems
+#
+# CONFIG_MSDOS_FS is not set
+# CONFIG_VFAT_FS is not set
+# CONFIG_NTFS_FS is not set
+
+#
+# Pseudo filesystems
+#
+CONFIG_PROC_FS=y
+CONFIG_PROC_KCORE=y
+CONFIG_PROC_SYSCTL=y
+CONFIG_PROC_PAGE_MONITOR=y
+CONFIG_SYSFS=y
+CONFIG_TMPFS=y
+# CONFIG_TMPFS_POSIX_ACL is not set
+# CONFIG_TMPFS_XATTR is not set
+# CONFIG_HUGETLBFS is not set
+# CONFIG_HUGETLB_PAGE is not set
+# CONFIG_CONFIGFS_FS is not set
+CONFIG_MISC_FILESYSTEMS=y
+# CONFIG_ADFS_FS is not set
+# CONFIG_AFFS_FS is not set
+# CONFIG_HFS_FS is not set
+# CONFIG_HFSPLUS_FS is not set
+# CONFIG_BEFS_FS is not set
+# CONFIG_BFS_FS is not set
+# CONFIG_EFS_FS is not set
+# CONFIG_LOGFS is not set
+# CONFIG_CRAMFS is not set
+# CONFIG_SQUASHFS is not set
+# CONFIG_VXFS_FS is not set
+# CONFIG_MINIX_FS is not set
+# CONFIG_OMFS_FS is not set
+# CONFIG_HPFS_FS is not set
+# CONFIG_QNX4FS_FS is not set
+# CONFIG_QNX6FS_FS is not set
+# CONFIG_ROMFS_FS is not set
+# CONFIG_PSTORE is not set
+# CONFIG_SYSV_FS is not set
+# CONFIG_UFS_FS is not set
+# CONFIG_F2FS_FS is not set
+CONFIG_NETWORK_FILESYSTEMS=y
+# CONFIG_NFS_FS is not set
+# CONFIG_NFSD is not set
+# CONFIG_CEPH_FS is not set
+# CONFIG_CIFS is not set
+# CONFIG_NCP_FS is not set
+# CONFIG_CODA_FS is not set
+# CONFIG_AFS_FS is not set
+CONFIG_9P_FS=y
+CONFIG_9P_FS_POSIX_ACL=y
+CONFIG_NLS=y
+CONFIG_NLS_DEFAULT="iso8859-1"
+# CONFIG_NLS_CODEPAGE_437 is not set
+# CONFIG_NLS_CODEPAGE_737 is not set
+# CONFIG_NLS_CODEPAGE_775 is not set
+# CONFIG_NLS_CODEPAGE_850 is not set
+# CONFIG_NLS_CODEPAGE_852 is not set
+# CONFIG_NLS_CODEPAGE_855 is not set
+# CONFIG_NLS_CODEPAGE_857 is not set
+# CONFIG_NLS_CODEPAGE_860 is not set
+# CONFIG_NLS_CODEPAGE_861 is not set
+# CONFIG_NLS_CODEPAGE_862 is not set
+# CONFIG_NLS_CODEPAGE_863 is not set
+# CONFIG_NLS_CODEPAGE_864 is not set
+# CONFIG_NLS_CODEPAGE_865 is not set
+# CONFIG_NLS_CODEPAGE_866 is not set
+# CONFIG_NLS_CODEPAGE_869 is not set
+# CONFIG_NLS_CODEPAGE_936 is not set
+# CONFIG_NLS_CODEPAGE_950 is not set
+# CONFIG_NLS_CODEPAGE_932 is not set
+# CONFIG_NLS_CODEPAGE_949 is not set
+# CONFIG_NLS_CODEPAGE_874 is not set
+# CONFIG_NLS_ISO8859_8 is not set
+# CONFIG_NLS_CODEPAGE_1250 is not set
+# CONFIG_NLS_CODEPAGE_1251 is not set
+# CONFIG_NLS_ASCII is not set
+# CONFIG_NLS_ISO8859_1 is not set
+# CONFIG_NLS_ISO8859_2 is not set
+# CONFIG_NLS_ISO8859_3 is not set
+# CONFIG_NLS_ISO8859_4 is not set
+# CONFIG_NLS_ISO8859_5 is not set
+# CONFIG_NLS_ISO8859_6 is not set
+# CONFIG_NLS_ISO8859_7 is not set
+# CONFIG_NLS_ISO8859_9 is not set
+# CONFIG_NLS_ISO8859_13 is not set
+# CONFIG_NLS_ISO8859_14 is not set
+# CONFIG_NLS_ISO8859_15 is not set
+# CONFIG_NLS_KOI8_R is not set
+# CONFIG_NLS_KOI8_U is not set
+# CONFIG_NLS_MAC_ROMAN is not set
+# CONFIG_NLS_MAC_CELTIC is not set
+# CONFIG_NLS_MAC_CENTEURO is not set
+# CONFIG_NLS_MAC_CROATIAN is not set
+# CONFIG_NLS_MAC_CYRILLIC is not set
+# CONFIG_NLS_MAC_GAELIC is not set
+# CONFIG_NLS_MAC_GREEK is not set
+# CONFIG_NLS_MAC_ICELAND is not set
+# CONFIG_NLS_MAC_INUIT is not set
+# CONFIG_NLS_MAC_ROMANIAN is not set
+# CONFIG_NLS_MAC_TURKISH is not set
+# CONFIG_NLS_UTF8 is not set
+
+#
+# Kernel hacking
+#
+CONFIG_TRACE_IRQFLAGS_SUPPORT=y
+# CONFIG_PRINTK_TIME is not set
+CONFIG_DEFAULT_MESSAGE_LOGLEVEL=4
+CONFIG_ENABLE_WARN_DEPRECATED=y
+CONFIG_ENABLE_MUST_CHECK=y
+CONFIG_FRAME_WARN=1024
+# CONFIG_MAGIC_SYSRQ is not set
+# CONFIG_STRIP_ASM_SYMS is not set
+# CONFIG_READABLE_ASM is not set
+# CONFIG_UNUSED_SYMBOLS is not set
+# CONFIG_DEBUG_FS is not set
+# CONFIG_HEADERS_CHECK is not set
+# CONFIG_DEBUG_SECTION_MISMATCH is not set
+CONFIG_DEBUG_KERNEL=y
+# CONFIG_DEBUG_SHIRQ is not set
+# CONFIG_LOCKUP_DETECTOR is not set
+# CONFIG_PANIC_ON_OOPS is not set
+CONFIG_PANIC_ON_OOPS_VALUE=0
+CONFIG_DETECT_HUNG_TASK=y
+CONFIG_DEFAULT_HUNG_TASK_TIMEOUT=120
+# CONFIG_BOOTPARAM_HUNG_TASK_PANIC is not set
+CONFIG_BOOTPARAM_HUNG_TASK_PANIC_VALUE=0
+# CONFIG_SCHED_DEBUG is not set
+# CONFIG_SCHEDSTATS is not set
+# CONFIG_TIMER_STATS is not set
+# CONFIG_DEBUG_OBJECTS is not set
+# CONFIG_DEBUG_SLAB is not set
+CONFIG_HAVE_DEBUG_KMEMLEAK=y
+# CONFIG_DEBUG_KMEMLEAK is not set
+# CONFIG_DEBUG_RT_MUTEXES is not set
+# CONFIG_RT_MUTEX_TESTER is not set
+# CONFIG_DEBUG_SPINLOCK is not set
+# CONFIG_DEBUG_MUTEXES is not set
+# CONFIG_DEBUG_LOCK_ALLOC is not set
+# CONFIG_PROVE_LOCKING is not set
+# CONFIG_LOCK_STAT is not set
+# CONFIG_DEBUG_ATOMIC_SLEEP is not set
+# CONFIG_DEBUG_LOCKING_API_SELFTESTS is not set
+# CONFIG_DEBUG_STACK_USAGE is not set
+# CONFIG_DEBUG_KOBJECT is not set
+CONFIG_DEBUG_BUGVERBOSE=y
+CONFIG_DEBUG_INFO=y
+# CONFIG_DEBUG_INFO_REDUCED is not set
+# CONFIG_DEBUG_VM is not set
+# CONFIG_DEBUG_VIRTUAL is not set
+# CONFIG_DEBUG_WRITECOUNT is not set
+CONFIG_DEBUG_MEMORY_INIT=y
+# CONFIG_DEBUG_LIST is not set
+# CONFIG_TEST_LIST_SORT is not set
+# CONFIG_DEBUG_SG is not set
+# CONFIG_DEBUG_NOTIFIERS is not set
+# CONFIG_DEBUG_CREDENTIALS is not set
+CONFIG_ARCH_WANT_FRAME_POINTERS=y
+CONFIG_FRAME_POINTER=y
+# CONFIG_BOOT_PRINTK_DELAY is not set
+
+#
+# RCU Debugging
+#
+# CONFIG_SPARSE_RCU_POINTER is not set
+# CONFIG_RCU_TORTURE_TEST is not set
+# CONFIG_RCU_TRACE is not set
+# CONFIG_BACKTRACE_SELF_TEST is not set
+# CONFIG_DEBUG_BLOCK_EXT_DEVT is not set
+# CONFIG_DEBUG_FORCE_WEAK_PER_CPU is not set
+# CONFIG_NOTIFIER_ERROR_INJECTION is not set
+# CONFIG_FAULT_INJECTION is not set
+# CONFIG_LATENCYTOP is not set
+CONFIG_ARCH_HAS_DEBUG_STRICT_USER_COPY_CHECKS=y
+# CONFIG_DEBUG_STRICT_USER_COPY_CHECKS is not set
+# CONFIG_DEBUG_PAGEALLOC is not set
+CONFIG_USER_STACKTRACE_SUPPORT=y
+CONFIG_HAVE_FUNCTION_TRACER=y
+CONFIG_HAVE_FUNCTION_GRAPH_TRACER=y
+CONFIG_HAVE_FUNCTION_GRAPH_FP_TEST=y
+CONFIG_HAVE_FUNCTION_TRACE_MCOUNT_TEST=y
+CONFIG_HAVE_DYNAMIC_FTRACE=y
+CONFIG_HAVE_DYNAMIC_FTRACE_WITH_REGS=y
+CONFIG_HAVE_FTRACE_MCOUNT_RECORD=y
+CONFIG_HAVE_SYSCALL_TRACEPOINTS=y
+CONFIG_HAVE_FENTRY=y
+CONFIG_HAVE_C_RECORDMCOUNT=y
+CONFIG_TRACING_SUPPORT=y
+CONFIG_FTRACE=y
+# CONFIG_FUNCTION_TRACER is not set
+# CONFIG_IRQSOFF_TRACER is not set
+# CONFIG_SCHED_TRACER is not set
+# CONFIG_ENABLE_DEFAULT_TRACERS is not set
+# CONFIG_FTRACE_SYSCALLS is not set
+# CONFIG_TRACER_SNAPSHOT is not set
+CONFIG_BRANCH_PROFILE_NONE=y
+# CONFIG_PROFILE_ANNOTATED_BRANCHES is not set
+# CONFIG_PROFILE_ALL_BRANCHES is not set
+# CONFIG_STACK_TRACER is not set
+# CONFIG_BLK_DEV_IO_TRACE is not set
+# CONFIG_UPROBE_EVENT is not set
+# CONFIG_PROBE_EVENTS is not set
+# CONFIG_MMIOTRACE is not set
+# CONFIG_PROVIDE_OHCI1394_DMA_INIT is not set
+# CONFIG_DMA_API_DEBUG is not set
+# CONFIG_ATOMIC64_SELFTEST is not set
+# CONFIG_SAMPLES is not set
+CONFIG_HAVE_ARCH_KGDB=y
+# CONFIG_KGDB is not set
+CONFIG_HAVE_ARCH_KMEMCHECK=y
+# CONFIG_TEST_STRING_HELPERS is not set
+# CONFIG_TEST_KSTRTOX is not set
+# CONFIG_STRICT_DEVMEM is not set
+CONFIG_X86_VERBOSE_BOOTUP=y
+CONFIG_EARLY_PRINTK=y
+# CONFIG_EARLY_PRINTK_DBGP is not set
+# CONFIG_DEBUG_STACKOVERFLOW is not set
+# CONFIG_X86_PTDUMP is not set
+CONFIG_DEBUG_RODATA=y
+CONFIG_DEBUG_RODATA_TEST=y
+# CONFIG_DEBUG_TLBFLUSH is not set
+# CONFIG_IOMMU_DEBUG is not set
+# CONFIG_IOMMU_STRESS is not set
+CONFIG_HAVE_MMIOTRACE_SUPPORT=y
+CONFIG_IO_DELAY_TYPE_0X80=0
+CONFIG_IO_DELAY_TYPE_0XED=1
+CONFIG_IO_DELAY_TYPE_UDELAY=2
+CONFIG_IO_DELAY_TYPE_NONE=3
+CONFIG_IO_DELAY_0X80=y
+# CONFIG_IO_DELAY_0XED is not set
+# CONFIG_IO_DELAY_UDELAY is not set
+# CONFIG_IO_DELAY_NONE is not set
+CONFIG_DEFAULT_IO_DELAY_TYPE=0
+# CONFIG_CPA_DEBUG is not set
+# CONFIG_OPTIMIZE_INLINING is not set
+# CONFIG_DEBUG_NMI_SELFTEST is not set
+
+#
+# Security options
+#
+# CONFIG_KEYS is not set
+# CONFIG_SECURITY_DMESG_RESTRICT is not set
+# CONFIG_SECURITY is not set
+# CONFIG_SECURITYFS is not set
+CONFIG_DEFAULT_SECURITY_DAC=y
+CONFIG_DEFAULT_SECURITY=""
+CONFIG_CRYPTO=y
+
+#
+# Crypto core or helper
+#
+CONFIG_CRYPTO_ALGAPI=y
+CONFIG_CRYPTO_ALGAPI2=y
+CONFIG_CRYPTO_AEAD=y
+CONFIG_CRYPTO_AEAD2=y
+CONFIG_CRYPTO_BLKCIPHER=y
+CONFIG_CRYPTO_BLKCIPHER2=y
+CONFIG_CRYPTO_HASH=y
+CONFIG_CRYPTO_HASH2=y
+CONFIG_CRYPTO_RNG=y
+CONFIG_CRYPTO_RNG2=y
+CONFIG_CRYPTO_PCOMP=y
+CONFIG_CRYPTO_PCOMP2=y
+CONFIG_CRYPTO_MANAGER=y
+CONFIG_CRYPTO_MANAGER2=y
+CONFIG_CRYPTO_USER=y
+CONFIG_CRYPTO_MANAGER_DISABLE_TESTS=y
+CONFIG_CRYPTO_GF128MUL=y
+CONFIG_CRYPTO_NULL=y
+CONFIG_CRYPTO_WORKQUEUE=y
+CONFIG_CRYPTO_CRYPTD=y
+CONFIG_CRYPTO_AUTHENC=y
+CONFIG_CRYPTO_ABLK_HELPER_X86=y
+CONFIG_CRYPTO_GLUE_HELPER_X86=y
+
+#
+# Authenticated Encryption with Associated Data
+#
+CONFIG_CRYPTO_CCM=y
+CONFIG_CRYPTO_GCM=y
+CONFIG_CRYPTO_SEQIV=y
+
+#
+# Block modes
+#
+CONFIG_CRYPTO_CBC=y
+CONFIG_CRYPTO_CTR=y
+# CONFIG_CRYPTO_CTS is not set
+CONFIG_CRYPTO_ECB=y
+CONFIG_CRYPTO_LRW=y
+CONFIG_CRYPTO_PCBC=y
+CONFIG_CRYPTO_XTS=y
+
+#
+# Hash modes
+#
+CONFIG_CRYPTO_CMAC=y
+CONFIG_CRYPTO_HMAC=y
+CONFIG_CRYPTO_XCBC=y
+# CONFIG_CRYPTO_VMAC is not set
+
+#
+# Digest
+#
+CONFIG_CRYPTO_CRC32C=y
+# CONFIG_CRYPTO_CRC32C_INTEL is not set
+# CONFIG_CRYPTO_CRC32 is not set
+# CONFIG_CRYPTO_CRC32_PCLMUL is not set
+CONFIG_CRYPTO_GHASH=y
+CONFIG_CRYPTO_MD4=y
+CONFIG_CRYPTO_MD5=y
+CONFIG_CRYPTO_MICHAEL_MIC=y
+CONFIG_CRYPTO_RMD128=y
+CONFIG_CRYPTO_RMD160=y
+CONFIG_CRYPTO_RMD256=y
+CONFIG_CRYPTO_RMD320=y
+CONFIG_CRYPTO_SHA1=y
+# CONFIG_CRYPTO_SHA1_SSSE3 is not set
+CONFIG_CRYPTO_SHA256_SSSE3=y
+CONFIG_CRYPTO_SHA512_SSSE3=y
+CONFIG_CRYPTO_SHA256=y
+CONFIG_CRYPTO_SHA512=y
+CONFIG_CRYPTO_TGR192=y
+CONFIG_CRYPTO_WP512=y
+# CONFIG_CRYPTO_GHASH_CLMUL_NI_INTEL is not set
+
+#
+# Ciphers
+#
+CONFIG_CRYPTO_AES=y
+CONFIG_CRYPTO_AES_X86_64=y
+CONFIG_CRYPTO_AES_NI_INTEL=y
+CONFIG_CRYPTO_ANUBIS=y
+CONFIG_CRYPTO_ARC4=y
+CONFIG_CRYPTO_BLOWFISH=y
+CONFIG_CRYPTO_BLOWFISH_COMMON=y
+CONFIG_CRYPTO_BLOWFISH_X86_64=y
+CONFIG_CRYPTO_CAMELLIA=y
+CONFIG_CRYPTO_CAMELLIA_X86_64=y
+CONFIG_CRYPTO_CAMELLIA_AESNI_AVX_X86_64=y
+CONFIG_CRYPTO_CAMELLIA_AESNI_AVX2_X86_64=y
+CONFIG_CRYPTO_CAST_COMMON=y
+CONFIG_CRYPTO_CAST5=y
+CONFIG_CRYPTO_CAST5_AVX_X86_64=y
+CONFIG_CRYPTO_CAST6=y
+CONFIG_CRYPTO_CAST6_AVX_X86_64=y
+CONFIG_CRYPTO_DES=y
+CONFIG_CRYPTO_FCRYPT=y
+CONFIG_CRYPTO_KHAZAD=y
+CONFIG_CRYPTO_SALSA20=y
+CONFIG_CRYPTO_SALSA20_X86_64=y
+CONFIG_CRYPTO_SEED=y
+CONFIG_CRYPTO_SERPENT=y
+CONFIG_CRYPTO_SERPENT_SSE2_X86_64=y
+CONFIG_CRYPTO_SERPENT_AVX_X86_64=y
+CONFIG_CRYPTO_SERPENT_AVX2_X86_64=y
+CONFIG_CRYPTO_TEA=y
+CONFIG_CRYPTO_TWOFISH=y
+CONFIG_CRYPTO_TWOFISH_COMMON=y
+CONFIG_CRYPTO_TWOFISH_X86_64=y
+CONFIG_CRYPTO_TWOFISH_X86_64_3WAY=y
+CONFIG_CRYPTO_TWOFISH_AVX_X86_64=y
+
+#
+# Compression
+#
+CONFIG_CRYPTO_DEFLATE=y
+CONFIG_CRYPTO_ZLIB=y
+CONFIG_CRYPTO_LZO=y
+
+#
+# Random Number Generation
+#
+# CONFIG_CRYPTO_ANSI_CPRNG is not set
+CONFIG_CRYPTO_USER_API=y
+CONFIG_CRYPTO_USER_API_HASH=y
+CONFIG_CRYPTO_USER_API_SKCIPHER=y
+# CONFIG_CRYPTO_HW is not set
+CONFIG_HAVE_KVM=y
+CONFIG_VIRTUALIZATION=y
+# CONFIG_KVM is not set
+# CONFIG_BINARY_PRINTF is not set
+
+#
+# Library routines
+#
+CONFIG_BITREVERSE=y
+CONFIG_GENERIC_STRNCPY_FROM_USER=y
+CONFIG_GENERIC_STRNLEN_USER=y
+CONFIG_GENERIC_FIND_FIRST_BIT=y
+CONFIG_GENERIC_PCI_IOMAP=y
+CONFIG_GENERIC_IOMAP=y
+CONFIG_GENERIC_IO=y
+CONFIG_CRC_CCITT=y
+CONFIG_CRC16=y
+# CONFIG_CRC_T10DIF is not set
+CONFIG_CRC_ITU_T=y
+CONFIG_CRC32=y
+# CONFIG_CRC32_SELFTEST is not set
+CONFIG_CRC32_SLICEBY8=y
+# CONFIG_CRC32_SLICEBY4 is not set
+# CONFIG_CRC32_SARWATE is not set
+# CONFIG_CRC32_BIT is not set
+CONFIG_CRC7=y
+CONFIG_LIBCRC32C=y
+# CONFIG_CRC8 is not set
+CONFIG_ZLIB_INFLATE=y
+CONFIG_ZLIB_DEFLATE=y
+CONFIG_LZO_COMPRESS=y
+CONFIG_LZO_DECOMPRESS=y
+# CONFIG_XZ_DEC is not set
+# CONFIG_XZ_DEC_BCJ is not set
+CONFIG_TEXTSEARCH=y
+CONFIG_TEXTSEARCH_KMP=y
+CONFIG_TEXTSEARCH_BM=y
+CONFIG_TEXTSEARCH_FSM=y
+CONFIG_HAS_IOMEM=y
+CONFIG_HAS_IOPORT=y
+CONFIG_HAS_DMA=y
+CONFIG_DQL=y
+CONFIG_NLATTR=y
+CONFIG_ARCH_HAS_ATOMIC64_DEC_IF_POSITIVE=y
+# CONFIG_AVERAGE is not set
+# CONFIG_CORDIC is not set
+# CONFIG_DDR is not set
diff --git a/testing/config/kernel/config-3.9 b/testing/config/kernel/config-3.9
new file mode 100644
index 000000000..e42cd049b
--- /dev/null
+++ b/testing/config/kernel/config-3.9
@@ -0,0 +1,1892 @@
+#
+# Automatically generated file; DO NOT EDIT.
+# Linux/x86 3.9.0 Kernel Configuration
+#
+CONFIG_64BIT=y
+CONFIG_X86_64=y
+CONFIG_X86=y
+CONFIG_INSTRUCTION_DECODER=y
+CONFIG_OUTPUT_FORMAT="elf64-x86-64"
+CONFIG_ARCH_DEFCONFIG="arch/x86/configs/x86_64_defconfig"
+CONFIG_LOCKDEP_SUPPORT=y
+CONFIG_STACKTRACE_SUPPORT=y
+CONFIG_HAVE_LATENCYTOP_SUPPORT=y
+CONFIG_MMU=y
+CONFIG_NEED_DMA_MAP_STATE=y
+CONFIG_NEED_SG_DMA_LENGTH=y
+CONFIG_GENERIC_ISA_DMA=y
+CONFIG_GENERIC_BUG=y
+CONFIG_GENERIC_BUG_RELATIVE_POINTERS=y
+CONFIG_GENERIC_HWEIGHT=y
+CONFIG_ARCH_MAY_HAVE_PC_FDC=y
+CONFIG_RWSEM_XCHGADD_ALGORITHM=y
+CONFIG_GENERIC_CALIBRATE_DELAY=y
+CONFIG_ARCH_HAS_CPU_RELAX=y
+CONFIG_ARCH_HAS_DEFAULT_IDLE=y
+CONFIG_ARCH_HAS_CACHE_LINE_SIZE=y
+CONFIG_ARCH_HAS_CPU_AUTOPROBE=y
+CONFIG_HAVE_SETUP_PER_CPU_AREA=y
+CONFIG_NEED_PER_CPU_EMBED_FIRST_CHUNK=y
+CONFIG_NEED_PER_CPU_PAGE_FIRST_CHUNK=y
+CONFIG_ARCH_HIBERNATION_POSSIBLE=y
+CONFIG_ARCH_SUSPEND_POSSIBLE=y
+CONFIG_ZONE_DMA32=y
+CONFIG_AUDIT_ARCH=y
+CONFIG_ARCH_SUPPORTS_OPTIMIZED_INLINING=y
+CONFIG_ARCH_SUPPORTS_DEBUG_PAGEALLOC=y
+CONFIG_ARCH_HWEIGHT_CFLAGS="-fcall-saved-rdi -fcall-saved-rsi -fcall-saved-rdx -fcall-saved-rcx -fcall-saved-r8 -fcall-saved-r9 -fcall-saved-r10 -fcall-saved-r11"
+CONFIG_ARCH_SUPPORTS_UPROBES=y
+CONFIG_DEFCONFIG_LIST="/lib/modules/$UNAME_RELEASE/.config"
+CONFIG_IRQ_WORK=y
+CONFIG_BUILDTIME_EXTABLE_SORT=y
+
+#
+# General setup
+#
+CONFIG_BROKEN_ON_SMP=y
+CONFIG_INIT_ENV_ARG_LIMIT=32
+CONFIG_CROSS_COMPILE=""
+CONFIG_LOCALVERSION=""
+CONFIG_LOCALVERSION_AUTO=y
+CONFIG_HAVE_KERNEL_GZIP=y
+CONFIG_HAVE_KERNEL_BZIP2=y
+CONFIG_HAVE_KERNEL_LZMA=y
+CONFIG_HAVE_KERNEL_XZ=y
+CONFIG_HAVE_KERNEL_LZO=y
+CONFIG_KERNEL_GZIP=y
+# CONFIG_KERNEL_BZIP2 is not set
+# CONFIG_KERNEL_LZMA is not set
+# CONFIG_KERNEL_XZ is not set
+# CONFIG_KERNEL_LZO is not set
+CONFIG_DEFAULT_HOSTNAME="(none)"
+CONFIG_SWAP=y
+CONFIG_SYSVIPC=y
+CONFIG_SYSVIPC_SYSCTL=y
+CONFIG_POSIX_MQUEUE=y
+CONFIG_POSIX_MQUEUE_SYSCTL=y
+# CONFIG_FHANDLE is not set
+# CONFIG_AUDIT is not set
+CONFIG_HAVE_GENERIC_HARDIRQS=y
+
+#
+# IRQ subsystem
+#
+CONFIG_GENERIC_HARDIRQS=y
+CONFIG_GENERIC_IRQ_PROBE=y
+CONFIG_GENERIC_IRQ_SHOW=y
+CONFIG_IRQ_FORCED_THREADING=y
+CONFIG_SPARSE_IRQ=y
+CONFIG_CLOCKSOURCE_WATCHDOG=y
+CONFIG_ARCH_CLOCKSOURCE_DATA=y
+CONFIG_ALWAYS_USE_PERSISTENT_CLOCK=y
+CONFIG_GENERIC_TIME_VSYSCALL=y
+CONFIG_GENERIC_CLOCKEVENTS=y
+CONFIG_GENERIC_CLOCKEVENTS_BUILD=y
+CONFIG_GENERIC_CLOCKEVENTS_BROADCAST=y
+CONFIG_GENERIC_CLOCKEVENTS_MIN_ADJUST=y
+CONFIG_GENERIC_CMOS_UPDATE=y
+
+#
+# Timers subsystem
+#
+CONFIG_TICK_ONESHOT=y
+CONFIG_NO_HZ=y
+CONFIG_HIGH_RES_TIMERS=y
+
+#
+# CPU/Task time and stats accounting
+#
+CONFIG_TICK_CPU_ACCOUNTING=y
+# CONFIG_VIRT_CPU_ACCOUNTING_GEN is not set
+# CONFIG_IRQ_TIME_ACCOUNTING is not set
+CONFIG_BSD_PROCESS_ACCT=y
+# CONFIG_BSD_PROCESS_ACCT_V3 is not set
+# CONFIG_TASKSTATS is not set
+
+#
+# RCU Subsystem
+#
+CONFIG_TINY_RCU=y
+# CONFIG_PREEMPT_RCU is not set
+# CONFIG_RCU_STALL_COMMON is not set
+# CONFIG_TREE_RCU_TRACE is not set
+CONFIG_IKCONFIG=y
+CONFIG_IKCONFIG_PROC=y
+CONFIG_LOG_BUF_SHIFT=14
+CONFIG_HAVE_UNSTABLE_SCHED_CLOCK=y
+CONFIG_ARCH_SUPPORTS_NUMA_BALANCING=y
+CONFIG_ARCH_WANTS_PROT_NUMA_PROT_NONE=y
+# CONFIG_CGROUPS is not set
+# CONFIG_CHECKPOINT_RESTORE is not set
+CONFIG_NAMESPACES=y
+# CONFIG_UTS_NS is not set
+# CONFIG_IPC_NS is not set
+# CONFIG_USER_NS is not set
+# CONFIG_PID_NS is not set
+# CONFIG_NET_NS is not set
+CONFIG_UIDGID_CONVERTED=y
+# CONFIG_UIDGID_STRICT_TYPE_CHECKS is not set
+# CONFIG_SCHED_AUTOGROUP is not set
+# CONFIG_SYSFS_DEPRECATED is not set
+# CONFIG_RELAY is not set
+# CONFIG_BLK_DEV_INITRD is not set
+CONFIG_CC_OPTIMIZE_FOR_SIZE=y
+CONFIG_SYSCTL=y
+CONFIG_ANON_INODES=y
+# CONFIG_EXPERT is not set
+# CONFIG_SYSCTL_SYSCALL is not set
+CONFIG_SYSCTL_EXCEPTION_TRACE=y
+CONFIG_KALLSYMS=y
+# CONFIG_KALLSYMS_ALL is not set
+CONFIG_HOTPLUG=y
+CONFIG_PRINTK=y
+CONFIG_BUG=y
+CONFIG_ELF_CORE=y
+CONFIG_PCSPKR_PLATFORM=y
+CONFIG_HAVE_PCSPKR_PLATFORM=y
+CONFIG_BASE_FULL=y
+CONFIG_FUTEX=y
+CONFIG_EPOLL=y
+CONFIG_SIGNALFD=y
+CONFIG_TIMERFD=y
+CONFIG_EVENTFD=y
+CONFIG_SHMEM=y
+CONFIG_AIO=y
+# CONFIG_EMBEDDED is not set
+CONFIG_HAVE_PERF_EVENTS=y
+
+#
+# Kernel Performance Events And Counters
+#
+CONFIG_PERF_EVENTS=y
+# CONFIG_DEBUG_PERF_USE_VMALLOC is not set
+CONFIG_VM_EVENT_COUNTERS=y
+CONFIG_PCI_QUIRKS=y
+CONFIG_COMPAT_BRK=y
+CONFIG_SLAB=y
+# CONFIG_SLUB is not set
+# CONFIG_PROFILING is not set
+CONFIG_HAVE_OPROFILE=y
+CONFIG_OPROFILE_NMI_TIMER=y
+# CONFIG_JUMP_LABEL is not set
+# CONFIG_HAVE_64BIT_ALIGNED_ACCESS is not set
+CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS=y
+CONFIG_ARCH_USE_BUILTIN_BSWAP=y
+CONFIG_HAVE_IOREMAP_PROT=y
+CONFIG_HAVE_KPROBES=y
+CONFIG_HAVE_KRETPROBES=y
+CONFIG_HAVE_OPTPROBES=y
+CONFIG_HAVE_KPROBES_ON_FTRACE=y
+CONFIG_HAVE_ARCH_TRACEHOOK=y
+CONFIG_HAVE_DMA_ATTRS=y
+CONFIG_GENERIC_SMP_IDLE_THREAD=y
+CONFIG_HAVE_REGS_AND_STACK_ACCESS_API=y
+CONFIG_HAVE_DMA_API_DEBUG=y
+CONFIG_HAVE_HW_BREAKPOINT=y
+CONFIG_HAVE_MIXED_BREAKPOINTS_REGS=y
+CONFIG_HAVE_USER_RETURN_NOTIFIER=y
+CONFIG_HAVE_PERF_EVENTS_NMI=y
+CONFIG_HAVE_PERF_REGS=y
+CONFIG_HAVE_PERF_USER_STACK_DUMP=y
+CONFIG_HAVE_ARCH_JUMP_LABEL=y
+CONFIG_ARCH_HAVE_NMI_SAFE_CMPXCHG=y
+CONFIG_HAVE_CMPXCHG_LOCAL=y
+CONFIG_HAVE_CMPXCHG_DOUBLE=y
+CONFIG_HAVE_ARCH_SECCOMP_FILTER=y
+CONFIG_SECCOMP_FILTER=y
+CONFIG_HAVE_CONTEXT_TRACKING=y
+CONFIG_HAVE_IRQ_TIME_ACCOUNTING=y
+CONFIG_HAVE_ARCH_TRANSPARENT_HUGEPAGE=y
+CONFIG_MODULES_USE_ELF_RELA=y
+
+#
+# GCOV-based kernel profiling
+#
+# CONFIG_HAVE_GENERIC_DMA_COHERENT is not set
+CONFIG_SLABINFO=y
+CONFIG_RT_MUTEXES=y
+CONFIG_BASE_SMALL=0
+# CONFIG_MODULES is not set
+CONFIG_BLOCK=y
+# CONFIG_BLK_DEV_BSG is not set
+# CONFIG_BLK_DEV_BSGLIB is not set
+# CONFIG_BLK_DEV_INTEGRITY is not set
+
+#
+# Partition Types
+#
+# CONFIG_PARTITION_ADVANCED is not set
+CONFIG_MSDOS_PARTITION=y
+CONFIG_EFI_PARTITION=y
+
+#
+# IO Schedulers
+#
+CONFIG_IOSCHED_NOOP=y
+CONFIG_IOSCHED_DEADLINE=y
+CONFIG_IOSCHED_CFQ=y
+# CONFIG_DEFAULT_DEADLINE is not set
+CONFIG_DEFAULT_CFQ=y
+# CONFIG_DEFAULT_NOOP is not set
+CONFIG_DEFAULT_IOSCHED="cfq"
+CONFIG_INLINE_SPIN_UNLOCK_IRQ=y
+CONFIG_INLINE_READ_UNLOCK=y
+CONFIG_INLINE_READ_UNLOCK_IRQ=y
+CONFIG_INLINE_WRITE_UNLOCK=y
+CONFIG_INLINE_WRITE_UNLOCK_IRQ=y
+CONFIG_FREEZER=y
+
+#
+# Processor type and features
+#
+CONFIG_ZONE_DMA=y
+# CONFIG_SMP is not set
+CONFIG_X86_MPPARSE=y
+CONFIG_X86_EXTENDED_PLATFORM=y
+# CONFIG_X86_INTEL_LPSS is not set
+CONFIG_SCHED_OMIT_FRAME_POINTER=y
+CONFIG_PARAVIRT_GUEST=y
+# CONFIG_PARAVIRT_TIME_ACCOUNTING is not set
+# CONFIG_XEN is not set
+# CONFIG_XEN_PRIVILEGED_GUEST is not set
+CONFIG_KVM_GUEST=y
+CONFIG_PARAVIRT=y
+CONFIG_PARAVIRT_CLOCK=y
+# CONFIG_PARAVIRT_DEBUG is not set
+CONFIG_NO_BOOTMEM=y
+# CONFIG_MEMTEST is not set
+# CONFIG_MK8 is not set
+# CONFIG_MPSC is not set
+CONFIG_MCORE2=y
+# CONFIG_MATOM is not set
+# CONFIG_GENERIC_CPU is not set
+CONFIG_X86_INTERNODE_CACHE_SHIFT=6
+CONFIG_X86_L1_CACHE_SHIFT=6
+CONFIG_X86_INTEL_USERCOPY=y
+CONFIG_X86_USE_PPRO_CHECKSUM=y
+CONFIG_X86_P6_NOP=y
+CONFIG_X86_TSC=y
+CONFIG_X86_CMPXCHG64=y
+CONFIG_X86_CMOV=y
+CONFIG_X86_MINIMUM_CPU_FAMILY=64
+CONFIG_X86_DEBUGCTLMSR=y
+CONFIG_CPU_SUP_INTEL=y
+CONFIG_CPU_SUP_AMD=y
+CONFIG_CPU_SUP_CENTAUR=y
+CONFIG_HPET_TIMER=y
+CONFIG_DMI=y
+CONFIG_GART_IOMMU=y
+# CONFIG_CALGARY_IOMMU is not set
+CONFIG_SWIOTLB=y
+CONFIG_IOMMU_HELPER=y
+CONFIG_NR_CPUS=1
+CONFIG_PREEMPT_NONE=y
+# CONFIG_PREEMPT_VOLUNTARY is not set
+# CONFIG_PREEMPT is not set
+CONFIG_X86_LOCAL_APIC=y
+CONFIG_X86_IO_APIC=y
+# CONFIG_X86_REROUTE_FOR_BROKEN_BOOT_IRQS is not set
+# CONFIG_X86_MCE is not set
+# CONFIG_I8K is not set
+# CONFIG_MICROCODE is not set
+# CONFIG_X86_MSR is not set
+# CONFIG_X86_CPUID is not set
+CONFIG_ARCH_PHYS_ADDR_T_64BIT=y
+CONFIG_ARCH_DMA_ADDR_T_64BIT=y
+CONFIG_DIRECT_GBPAGES=y
+CONFIG_ARCH_SPARSEMEM_ENABLE=y
+CONFIG_ARCH_SPARSEMEM_DEFAULT=y
+CONFIG_ARCH_SELECT_MEMORY_MODEL=y
+CONFIG_ARCH_MEMORY_PROBE=y
+CONFIG_ARCH_PROC_KCORE_TEXT=y
+CONFIG_ILLEGAL_POINTER_VALUE=0xdead000000000000
+CONFIG_SELECT_MEMORY_MODEL=y
+CONFIG_SPARSEMEM_MANUAL=y
+CONFIG_SPARSEMEM=y
+CONFIG_HAVE_MEMORY_PRESENT=y
+CONFIG_SPARSEMEM_EXTREME=y
+CONFIG_SPARSEMEM_VMEMMAP_ENABLE=y
+CONFIG_SPARSEMEM_ALLOC_MEM_MAP_TOGETHER=y
+CONFIG_SPARSEMEM_VMEMMAP=y
+CONFIG_HAVE_MEMBLOCK=y
+CONFIG_HAVE_MEMBLOCK_NODE_MAP=y
+CONFIG_ARCH_DISCARD_MEMBLOCK=y
+CONFIG_MEMORY_ISOLATION=y
+CONFIG_HAVE_BOOTMEM_INFO_NODE=y
+CONFIG_MEMORY_HOTPLUG=y
+CONFIG_MEMORY_HOTPLUG_SPARSE=y
+CONFIG_MEMORY_HOTREMOVE=y
+CONFIG_PAGEFLAGS_EXTENDED=y
+CONFIG_SPLIT_PTLOCK_CPUS=4
+# CONFIG_COMPACTION is not set
+CONFIG_MIGRATION=y
+CONFIG_PHYS_ADDR_T_64BIT=y
+CONFIG_ZONE_DMA_FLAG=1
+CONFIG_BOUNCE=y
+CONFIG_VIRT_TO_BUS=y
+# CONFIG_KSM is not set
+CONFIG_DEFAULT_MMAP_MIN_ADDR=4096
+# CONFIG_TRANSPARENT_HUGEPAGE is not set
+CONFIG_CROSS_MEMORY_ATTACH=y
+CONFIG_NEED_PER_CPU_KM=y
+# CONFIG_CLEANCACHE is not set
+# CONFIG_FRONTSWAP is not set
+# CONFIG_X86_CHECK_BIOS_CORRUPTION is not set
+CONFIG_X86_RESERVE_LOW=64
+CONFIG_MTRR=y
+CONFIG_MTRR_SANITIZER=y
+CONFIG_MTRR_SANITIZER_ENABLE_DEFAULT=0
+CONFIG_MTRR_SANITIZER_SPARE_REG_NR_DEFAULT=1
+CONFIG_X86_PAT=y
+CONFIG_ARCH_USES_PG_UNCACHED=y
+CONFIG_ARCH_RANDOM=y
+CONFIG_X86_SMAP=y
+# CONFIG_EFI is not set
+CONFIG_SECCOMP=y
+# CONFIG_CC_STACKPROTECTOR is not set
+# CONFIG_HZ_100 is not set
+CONFIG_HZ_250=y
+# CONFIG_HZ_300 is not set
+# CONFIG_HZ_1000 is not set
+CONFIG_HZ=250
+CONFIG_SCHED_HRTICK=y
+# CONFIG_KEXEC is not set
+# CONFIG_CRASH_DUMP is not set
+CONFIG_PHYSICAL_START=0x1000000
+CONFIG_RELOCATABLE=y
+CONFIG_PHYSICAL_ALIGN=0x1000000
+# CONFIG_CMDLINE_BOOL is not set
+CONFIG_ARCH_ENABLE_MEMORY_HOTPLUG=y
+CONFIG_ARCH_ENABLE_MEMORY_HOTREMOVE=y
+
+#
+# Power management and ACPI options
+#
+CONFIG_SUSPEND=y
+CONFIG_SUSPEND_FREEZER=y
+# CONFIG_HIBERNATION is not set
+CONFIG_PM_SLEEP=y
+# CONFIG_PM_AUTOSLEEP is not set
+# CONFIG_PM_WAKELOCKS is not set
+# CONFIG_PM_RUNTIME is not set
+CONFIG_PM=y
+# CONFIG_PM_DEBUG is not set
+CONFIG_ACPI=y
+CONFIG_ACPI_SLEEP=y
+# CONFIG_ACPI_PROCFS is not set
+# CONFIG_ACPI_PROCFS_POWER is not set
+# CONFIG_ACPI_EC_DEBUGFS is not set
+CONFIG_ACPI_PROC_EVENT=y
+CONFIG_ACPI_AC=y
+CONFIG_ACPI_BATTERY=y
+CONFIG_ACPI_BUTTON=y
+CONFIG_ACPI_FAN=y
+# CONFIG_ACPI_DOCK is not set
+CONFIG_ACPI_PROCESSOR=y
+# CONFIG_ACPI_PROCESSOR_AGGREGATOR is not set
+CONFIG_ACPI_THERMAL=y
+# CONFIG_ACPI_CUSTOM_DSDT is not set
+CONFIG_ACPI_BLACKLIST_YEAR=0
+# CONFIG_ACPI_DEBUG is not set
+# CONFIG_ACPI_PCI_SLOT is not set
+CONFIG_X86_PM_TIMER=y
+# CONFIG_ACPI_CONTAINER is not set
+# CONFIG_ACPI_HOTPLUG_MEMORY is not set
+# CONFIG_ACPI_SBS is not set
+# CONFIG_ACPI_HED is not set
+# CONFIG_ACPI_APEI is not set
+# CONFIG_SFI is not set
+
+#
+# CPU Frequency scaling
+#
+# CONFIG_CPU_FREQ is not set
+CONFIG_CPU_IDLE=y
+# CONFIG_CPU_IDLE_MULTIPLE_DRIVERS is not set
+CONFIG_CPU_IDLE_GOV_LADDER=y
+CONFIG_CPU_IDLE_GOV_MENU=y
+# CONFIG_ARCH_NEEDS_CPU_IDLE_COUPLED is not set
+# CONFIG_INTEL_IDLE is not set
+
+#
+# Memory power savings
+#
+# CONFIG_I7300_IDLE is not set
+
+#
+# Bus options (PCI etc.)
+#
+CONFIG_PCI=y
+CONFIG_PCI_DIRECT=y
+# CONFIG_PCI_MMCONFIG is not set
+CONFIG_PCI_DOMAINS=y
+# CONFIG_PCIEPORTBUS is not set
+CONFIG_ARCH_SUPPORTS_MSI=y
+CONFIG_PCI_MSI=y
+# CONFIG_PCI_DEBUG is not set
+# CONFIG_PCI_REALLOC_ENABLE_AUTO is not set
+# CONFIG_PCI_STUB is not set
+CONFIG_HT_IRQ=y
+# CONFIG_PCI_IOV is not set
+# CONFIG_PCI_PRI is not set
+# CONFIG_PCI_PASID is not set
+# CONFIG_PCI_IOAPIC is not set
+CONFIG_PCI_LABEL=y
+CONFIG_ISA_DMA_API=y
+CONFIG_AMD_NB=y
+# CONFIG_PCCARD is not set
+# CONFIG_HOTPLUG_PCI is not set
+# CONFIG_RAPIDIO is not set
+
+#
+# Executable file formats / Emulations
+#
+CONFIG_BINFMT_ELF=y
+CONFIG_ARCH_BINFMT_ELF_RANDOMIZE_PIE=y
+# CONFIG_CORE_DUMP_DEFAULT_ELF_HEADERS is not set
+# CONFIG_HAVE_AOUT is not set
+# CONFIG_BINFMT_MISC is not set
+CONFIG_COREDUMP=y
+# CONFIG_IA32_EMULATION is not set
+CONFIG_HAVE_TEXT_POKE_SMP=y
+CONFIG_X86_DEV_DMA_OPS=y
+CONFIG_NET=y
+
+#
+# Networking options
+#
+CONFIG_PACKET=y
+# CONFIG_PACKET_DIAG is not set
+CONFIG_UNIX=y
+# CONFIG_UNIX_DIAG is not set
+CONFIG_XFRM=y
+CONFIG_XFRM_ALGO=y
+CONFIG_XFRM_USER=y
+CONFIG_XFRM_SUB_POLICY=y
+CONFIG_XFRM_MIGRATE=y
+CONFIG_XFRM_STATISTICS=y
+CONFIG_XFRM_IPCOMP=y
+CONFIG_NET_KEY=y
+CONFIG_NET_KEY_MIGRATE=y
+CONFIG_INET=y
+# CONFIG_IP_MULTICAST is not set
+CONFIG_IP_ADVANCED_ROUTER=y
+# CONFIG_IP_FIB_TRIE_STATS is not set
+CONFIG_IP_MULTIPLE_TABLES=y
+# CONFIG_IP_ROUTE_MULTIPATH is not set
+# CONFIG_IP_ROUTE_VERBOSE is not set
+CONFIG_IP_ROUTE_CLASSID=y
+# CONFIG_IP_PNP is not set
+# CONFIG_NET_IPIP is not set
+# CONFIG_NET_IPGRE_DEMUX is not set
+# CONFIG_ARPD is not set
+# CONFIG_SYN_COOKIES is not set
+# CONFIG_NET_IPVTI is not set
+CONFIG_INET_AH=y
+CONFIG_INET_ESP=y
+CONFIG_INET_IPCOMP=y
+CONFIG_INET_XFRM_TUNNEL=y
+CONFIG_INET_TUNNEL=y
+CONFIG_INET_XFRM_MODE_TRANSPORT=y
+CONFIG_INET_XFRM_MODE_TUNNEL=y
+CONFIG_INET_XFRM_MODE_BEET=y
+# CONFIG_INET_LRO is not set
+CONFIG_INET_DIAG=y
+CONFIG_INET_TCP_DIAG=y
+# CONFIG_INET_UDP_DIAG is not set
+# CONFIG_TCP_CONG_ADVANCED is not set
+CONFIG_TCP_CONG_CUBIC=y
+CONFIG_DEFAULT_TCP_CONG="cubic"
+# CONFIG_TCP_MD5SIG is not set
+CONFIG_IPV6=y
+# CONFIG_IPV6_PRIVACY is not set
+# CONFIG_IPV6_ROUTER_PREF is not set
+CONFIG_IPV6_OPTIMISTIC_DAD=y
+CONFIG_INET6_AH=y
+CONFIG_INET6_ESP=y
+CONFIG_INET6_IPCOMP=y
+CONFIG_IPV6_MIP6=y
+CONFIG_INET6_XFRM_TUNNEL=y
+CONFIG_INET6_TUNNEL=y
+CONFIG_INET6_XFRM_MODE_TRANSPORT=y
+CONFIG_INET6_XFRM_MODE_TUNNEL=y
+CONFIG_INET6_XFRM_MODE_BEET=y
+# CONFIG_INET6_XFRM_MODE_ROUTEOPTIMIZATION is not set
+# CONFIG_IPV6_SIT is not set
+CONFIG_IPV6_TUNNEL=y
+CONFIG_IPV6_GRE=y
+CONFIG_IPV6_MULTIPLE_TABLES=y
+CONFIG_IPV6_SUBTREES=y
+# CONFIG_IPV6_MROUTE is not set
+# CONFIG_NETWORK_SECMARK is not set
+# CONFIG_NETWORK_PHY_TIMESTAMPING is not set
+CONFIG_NETFILTER=y
+# CONFIG_NETFILTER_DEBUG is not set
+CONFIG_NETFILTER_ADVANCED=y
+
+#
+# Core Netfilter Configuration
+#
+CONFIG_NETFILTER_NETLINK=y
+# CONFIG_NETFILTER_NETLINK_ACCT is not set
+CONFIG_NETFILTER_NETLINK_QUEUE=y
+CONFIG_NETFILTER_NETLINK_LOG=y
+CONFIG_NF_CONNTRACK=y
+CONFIG_NF_CONNTRACK_MARK=y
+# CONFIG_NF_CONNTRACK_ZONES is not set
+CONFIG_NF_CONNTRACK_PROCFS=y
+CONFIG_NF_CONNTRACK_EVENTS=y
+# CONFIG_NF_CONNTRACK_TIMEOUT is not set
+# CONFIG_NF_CONNTRACK_TIMESTAMP is not set
+# CONFIG_NF_CT_PROTO_DCCP is not set
+# CONFIG_NF_CT_PROTO_SCTP is not set
+CONFIG_NF_CT_PROTO_UDPLITE=y
+# CONFIG_NF_CONNTRACK_AMANDA is not set
+# CONFIG_NF_CONNTRACK_FTP is not set
+# CONFIG_NF_CONNTRACK_H323 is not set
+# CONFIG_NF_CONNTRACK_IRC is not set
+# CONFIG_NF_CONNTRACK_NETBIOS_NS is not set
+# CONFIG_NF_CONNTRACK_SNMP is not set
+# CONFIG_NF_CONNTRACK_PPTP is not set
+CONFIG_NF_CONNTRACK_SANE=y
+# CONFIG_NF_CONNTRACK_SIP is not set
+# CONFIG_NF_CONNTRACK_TFTP is not set
+CONFIG_NF_CT_NETLINK=y
+# CONFIG_NF_CT_NETLINK_TIMEOUT is not set
+# CONFIG_NETFILTER_NETLINK_QUEUE_CT is not set
+CONFIG_NF_NAT=y
+CONFIG_NF_NAT_NEEDED=y
+CONFIG_NF_NAT_PROTO_UDPLITE=y
+# CONFIG_NF_NAT_AMANDA is not set
+# CONFIG_NF_NAT_FTP is not set
+# CONFIG_NF_NAT_IRC is not set
+# CONFIG_NF_NAT_SIP is not set
+# CONFIG_NF_NAT_TFTP is not set
+# CONFIG_NETFILTER_TPROXY is not set
+CONFIG_NETFILTER_XTABLES=y
+
+#
+# Xtables combined modules
+#
+CONFIG_NETFILTER_XT_MARK=y
+CONFIG_NETFILTER_XT_CONNMARK=y
+CONFIG_NETFILTER_XT_SET=y
+
+#
+# Xtables targets
+#
+# CONFIG_NETFILTER_XT_TARGET_CHECKSUM is not set
+CONFIG_NETFILTER_XT_TARGET_CLASSIFY=y
+CONFIG_NETFILTER_XT_TARGET_CONNMARK=y
+CONFIG_NETFILTER_XT_TARGET_CT=y
+CONFIG_NETFILTER_XT_TARGET_DSCP=y
+CONFIG_NETFILTER_XT_TARGET_HL=y
+# CONFIG_NETFILTER_XT_TARGET_HMARK is not set
+# CONFIG_NETFILTER_XT_TARGET_IDLETIMER is not set
+CONFIG_NETFILTER_XT_TARGET_LOG=y
+CONFIG_NETFILTER_XT_TARGET_MARK=y
+CONFIG_NETFILTER_XT_TARGET_NETMAP=y
+CONFIG_NETFILTER_XT_TARGET_NFLOG=y
+CONFIG_NETFILTER_XT_TARGET_NFQUEUE=y
+CONFIG_NETFILTER_XT_TARGET_NOTRACK=y
+# CONFIG_NETFILTER_XT_TARGET_RATEEST is not set
+CONFIG_NETFILTER_XT_TARGET_REDIRECT=y
+# CONFIG_NETFILTER_XT_TARGET_TEE is not set
+CONFIG_NETFILTER_XT_TARGET_TRACE=y
+CONFIG_NETFILTER_XT_TARGET_TCPMSS=y
+# CONFIG_NETFILTER_XT_TARGET_TCPOPTSTRIP is not set
+
+#
+# Xtables matches
+#
+CONFIG_NETFILTER_XT_MATCH_ADDRTYPE=y
+# CONFIG_NETFILTER_XT_MATCH_BPF is not set
+CONFIG_NETFILTER_XT_MATCH_CLUSTER=y
+CONFIG_NETFILTER_XT_MATCH_COMMENT=y
+CONFIG_NETFILTER_XT_MATCH_CONNBYTES=y
+# CONFIG_NETFILTER_XT_MATCH_CONNLABEL is not set
+CONFIG_NETFILTER_XT_MATCH_CONNLIMIT=y
+CONFIG_NETFILTER_XT_MATCH_CONNMARK=y
+CONFIG_NETFILTER_XT_MATCH_CONNTRACK=y
+# CONFIG_NETFILTER_XT_MATCH_CPU is not set
+CONFIG_NETFILTER_XT_MATCH_DCCP=y
+CONFIG_NETFILTER_XT_MATCH_DEVGROUP=y
+CONFIG_NETFILTER_XT_MATCH_DSCP=y
+CONFIG_NETFILTER_XT_MATCH_ECN=y
+CONFIG_NETFILTER_XT_MATCH_ESP=y
+CONFIG_NETFILTER_XT_MATCH_HASHLIMIT=y
+CONFIG_NETFILTER_XT_MATCH_HELPER=y
+CONFIG_NETFILTER_XT_MATCH_HL=y
+# CONFIG_NETFILTER_XT_MATCH_IPRANGE is not set
+CONFIG_NETFILTER_XT_MATCH_LENGTH=y
+CONFIG_NETFILTER_XT_MATCH_LIMIT=y
+CONFIG_NETFILTER_XT_MATCH_MAC=y
+CONFIG_NETFILTER_XT_MATCH_MARK=y
+CONFIG_NETFILTER_XT_MATCH_MULTIPORT=y
+# CONFIG_NETFILTER_XT_MATCH_NFACCT is not set
+# CONFIG_NETFILTER_XT_MATCH_OSF is not set
+# CONFIG_NETFILTER_XT_MATCH_OWNER is not set
+CONFIG_NETFILTER_XT_MATCH_POLICY=y
+CONFIG_NETFILTER_XT_MATCH_PKTTYPE=y
+CONFIG_NETFILTER_XT_MATCH_QUOTA=y
+# CONFIG_NETFILTER_XT_MATCH_RATEEST is not set
+CONFIG_NETFILTER_XT_MATCH_REALM=y
+# CONFIG_NETFILTER_XT_MATCH_RECENT is not set
+CONFIG_NETFILTER_XT_MATCH_SCTP=y
+CONFIG_NETFILTER_XT_MATCH_STATE=y
+CONFIG_NETFILTER_XT_MATCH_STATISTIC=y
+CONFIG_NETFILTER_XT_MATCH_STRING=y
+CONFIG_NETFILTER_XT_MATCH_TCPMSS=y
+# CONFIG_NETFILTER_XT_MATCH_TIME is not set
+CONFIG_NETFILTER_XT_MATCH_U32=y
+CONFIG_IP_SET=y
+CONFIG_IP_SET_MAX=256
+CONFIG_IP_SET_BITMAP_IP=y
+CONFIG_IP_SET_BITMAP_IPMAC=y
+CONFIG_IP_SET_BITMAP_PORT=y
+CONFIG_IP_SET_HASH_IP=y
+CONFIG_IP_SET_HASH_IPPORT=y
+CONFIG_IP_SET_HASH_IPPORTIP=y
+CONFIG_IP_SET_HASH_IPPORTNET=y
+CONFIG_IP_SET_HASH_NET=y
+CONFIG_IP_SET_HASH_NETPORT=y
+# CONFIG_IP_SET_HASH_NETIFACE is not set
+CONFIG_IP_SET_LIST_SET=y
+# CONFIG_IP_VS is not set
+
+#
+# IP: Netfilter Configuration
+#
+CONFIG_NF_DEFRAG_IPV4=y
+CONFIG_NF_CONNTRACK_IPV4=y
+CONFIG_NF_CONNTRACK_PROC_COMPAT=y
+CONFIG_IP_NF_IPTABLES=y
+CONFIG_IP_NF_MATCH_AH=y
+CONFIG_IP_NF_MATCH_ECN=y
+# CONFIG_IP_NF_MATCH_RPFILTER is not set
+CONFIG_IP_NF_MATCH_TTL=y
+CONFIG_IP_NF_FILTER=y
+CONFIG_IP_NF_TARGET_REJECT=y
+CONFIG_IP_NF_TARGET_ULOG=y
+CONFIG_NF_NAT_IPV4=y
+CONFIG_IP_NF_TARGET_MASQUERADE=y
+CONFIG_IP_NF_TARGET_NETMAP=y
+CONFIG_IP_NF_TARGET_REDIRECT=y
+# CONFIG_NF_NAT_PPTP is not set
+# CONFIG_NF_NAT_H323 is not set
+CONFIG_IP_NF_MANGLE=y
+CONFIG_IP_NF_TARGET_CLUSTERIP=y
+CONFIG_IP_NF_TARGET_ECN=y
+CONFIG_IP_NF_TARGET_TTL=y
+CONFIG_IP_NF_RAW=y
+CONFIG_IP_NF_ARPTABLES=y
+CONFIG_IP_NF_ARPFILTER=y
+CONFIG_IP_NF_ARP_MANGLE=y
+
+#
+# IPv6: Netfilter Configuration
+#
+CONFIG_NF_DEFRAG_IPV6=y
+CONFIG_NF_CONNTRACK_IPV6=y
+CONFIG_IP6_NF_IPTABLES=y
+CONFIG_IP6_NF_MATCH_AH=y
+CONFIG_IP6_NF_MATCH_EUI64=y
+CONFIG_IP6_NF_MATCH_FRAG=y
+CONFIG_IP6_NF_MATCH_OPTS=y
+CONFIG_IP6_NF_MATCH_HL=y
+CONFIG_IP6_NF_MATCH_IPV6HEADER=y
+CONFIG_IP6_NF_MATCH_MH=y
+# CONFIG_IP6_NF_MATCH_RPFILTER is not set
+CONFIG_IP6_NF_MATCH_RT=y
+CONFIG_IP6_NF_TARGET_HL=y
+CONFIG_IP6_NF_FILTER=y
+CONFIG_IP6_NF_TARGET_REJECT=y
+CONFIG_IP6_NF_MANGLE=y
+CONFIG_IP6_NF_RAW=y
+CONFIG_NF_NAT_IPV6=y
+CONFIG_IP6_NF_TARGET_MASQUERADE=y
+CONFIG_IP6_NF_TARGET_NPT=y
+# CONFIG_IP_DCCP is not set
+# CONFIG_IP_SCTP is not set
+# CONFIG_RDS is not set
+# CONFIG_TIPC is not set
+# CONFIG_ATM is not set
+CONFIG_L2TP=y
+# CONFIG_L2TP_V3 is not set
+# CONFIG_BRIDGE is not set
+CONFIG_HAVE_NET_DSA=y
+# CONFIG_VLAN_8021Q is not set
+# CONFIG_DECNET is not set
+# CONFIG_LLC2 is not set
+# CONFIG_IPX is not set
+# CONFIG_ATALK is not set
+# CONFIG_X25 is not set
+# CONFIG_LAPB is not set
+# CONFIG_PHONET is not set
+# CONFIG_IEEE802154 is not set
+# CONFIG_NET_SCHED is not set
+# CONFIG_DCB is not set
+# CONFIG_BATMAN_ADV is not set
+# CONFIG_OPENVSWITCH is not set
+# CONFIG_VSOCKETS is not set
+CONFIG_BQL=y
+
+#
+# Network testing
+#
+# CONFIG_NET_PKTGEN is not set
+# CONFIG_HAMRADIO is not set
+# CONFIG_CAN is not set
+# CONFIG_IRDA is not set
+# CONFIG_BT is not set
+# CONFIG_AF_RXRPC is not set
+CONFIG_FIB_RULES=y
+CONFIG_WIRELESS=y
+# CONFIG_CFG80211 is not set
+# CONFIG_LIB80211 is not set
+
+#
+# CFG80211 needs to be enabled for MAC80211
+#
+# CONFIG_WIMAX is not set
+# CONFIG_RFKILL is not set
+CONFIG_NET_9P=y
+CONFIG_NET_9P_VIRTIO=y
+# CONFIG_NET_9P_DEBUG is not set
+# CONFIG_CAIF is not set
+# CONFIG_CEPH_LIB is not set
+# CONFIG_NFC is not set
+CONFIG_HAVE_BPF_JIT=y
+
+#
+# Device Drivers
+#
+
+#
+# Generic Driver Options
+#
+CONFIG_UEVENT_HELPER_PATH="/sbin/hotplug"
+# CONFIG_DEVTMPFS is not set
+CONFIG_STANDALONE=y
+CONFIG_PREVENT_FIRMWARE_BUILD=y
+CONFIG_FW_LOADER=y
+CONFIG_FIRMWARE_IN_KERNEL=y
+CONFIG_EXTRA_FIRMWARE=""
+CONFIG_FW_LOADER_USER_HELPER=y
+# CONFIG_DEBUG_DRIVER is not set
+# CONFIG_DEBUG_DEVRES is not set
+# CONFIG_SYS_HYPERVISOR is not set
+# CONFIG_GENERIC_CPU_DEVICES is not set
+# CONFIG_DMA_SHARED_BUFFER is not set
+
+#
+# Bus devices
+#
+# CONFIG_CONNECTOR is not set
+# CONFIG_MTD is not set
+# CONFIG_PARPORT is not set
+CONFIG_PNP=y
+CONFIG_PNP_DEBUG_MESSAGES=y
+
+#
+# Protocols
+#
+CONFIG_PNPACPI=y
+CONFIG_BLK_DEV=y
+# CONFIG_BLK_DEV_FD is not set
+# CONFIG_BLK_DEV_PCIESSD_MTIP32XX is not set
+# CONFIG_BLK_CPQ_DA is not set
+# CONFIG_BLK_CPQ_CISS_DA is not set
+# CONFIG_BLK_DEV_DAC960 is not set
+# CONFIG_BLK_DEV_UMEM is not set
+# CONFIG_BLK_DEV_COW_COMMON is not set
+CONFIG_BLK_DEV_LOOP=y
+CONFIG_BLK_DEV_LOOP_MIN_COUNT=8
+# CONFIG_BLK_DEV_CRYPTOLOOP is not set
+# CONFIG_BLK_DEV_DRBD is not set
+CONFIG_BLK_DEV_NBD=y
+# CONFIG_BLK_DEV_NVME is not set
+# CONFIG_BLK_DEV_SX8 is not set
+# CONFIG_BLK_DEV_RAM is not set
+# CONFIG_CDROM_PKTCDVD is not set
+# CONFIG_ATA_OVER_ETH is not set
+CONFIG_VIRTIO_BLK=y
+# CONFIG_BLK_DEV_HD is not set
+# CONFIG_BLK_DEV_RBD is not set
+# CONFIG_BLK_DEV_RSXX is not set
+
+#
+# Misc devices
+#
+# CONFIG_SENSORS_LIS3LV02D is not set
+# CONFIG_IBM_ASM is not set
+# CONFIG_PHANTOM is not set
+# CONFIG_INTEL_MID_PTI is not set
+# CONFIG_SGI_IOC4 is not set
+# CONFIG_TIFM_CORE is not set
+# CONFIG_ATMEL_SSC is not set
+# CONFIG_ENCLOSURE_SERVICES is not set
+# CONFIG_HP_ILO is not set
+# CONFIG_VMWARE_BALLOON is not set
+# CONFIG_PCH_PHUB is not set
+# CONFIG_C2PORT is not set
+
+#
+# EEPROM support
+#
+# CONFIG_EEPROM_93CX6 is not set
+# CONFIG_CB710_CORE is not set
+
+#
+# Texas Instruments shared transport line discipline
+#
+
+#
+# Altera FPGA firmware download module
+#
+# CONFIG_VMWARE_VMCI is not set
+CONFIG_HAVE_IDE=y
+# CONFIG_IDE is not set
+
+#
+# SCSI device support
+#
+CONFIG_SCSI_MOD=y
+# CONFIG_RAID_ATTRS is not set
+# CONFIG_SCSI is not set
+# CONFIG_SCSI_DMA is not set
+# CONFIG_SCSI_NETLINK is not set
+# CONFIG_ATA is not set
+# CONFIG_MD is not set
+# CONFIG_FUSION is not set
+
+#
+# IEEE 1394 (FireWire) support
+#
+# CONFIG_FIREWIRE is not set
+# CONFIG_FIREWIRE_NOSY is not set
+# CONFIG_I2O is not set
+# CONFIG_MACINTOSH_DRIVERS is not set
+CONFIG_NETDEVICES=y
+CONFIG_NET_CORE=y
+# CONFIG_BONDING is not set
+CONFIG_DUMMY=y
+# CONFIG_EQUALIZER is not set
+# CONFIG_MII is not set
+# CONFIG_NET_TEAM is not set
+# CONFIG_MACVLAN is not set
+# CONFIG_VXLAN is not set
+# CONFIG_NETCONSOLE is not set
+# CONFIG_NETPOLL is not set
+# CONFIG_NET_POLL_CONTROLLER is not set
+CONFIG_TUN=y
+# CONFIG_VETH is not set
+CONFIG_VIRTIO_NET=y
+# CONFIG_ARCNET is not set
+
+#
+# CAIF transport drivers
+#
+
+#
+# Distributed Switch Architecture drivers
+#
+# CONFIG_NET_DSA_MV88E6XXX is not set
+# CONFIG_NET_DSA_MV88E6060 is not set
+# CONFIG_NET_DSA_MV88E6XXX_NEED_PPU is not set
+# CONFIG_NET_DSA_MV88E6131 is not set
+# CONFIG_NET_DSA_MV88E6123_61_65 is not set
+CONFIG_ETHERNET=y
+CONFIG_NET_VENDOR_3COM=y
+# CONFIG_VORTEX is not set
+# CONFIG_TYPHOON is not set
+CONFIG_NET_VENDOR_ADAPTEC=y
+# CONFIG_ADAPTEC_STARFIRE is not set
+CONFIG_NET_VENDOR_ALTEON=y
+# CONFIG_ACENIC is not set
+CONFIG_NET_VENDOR_AMD=y
+# CONFIG_AMD8111_ETH is not set
+# CONFIG_PCNET32 is not set
+CONFIG_NET_VENDOR_ATHEROS=y
+# CONFIG_ATL2 is not set
+# CONFIG_ATL1 is not set
+# CONFIG_ATL1E is not set
+# CONFIG_ATL1C is not set
+CONFIG_NET_CADENCE=y
+# CONFIG_ARM_AT91_ETHER is not set
+# CONFIG_MACB is not set
+CONFIG_NET_VENDOR_BROADCOM=y
+# CONFIG_B44 is not set
+# CONFIG_BNX2 is not set
+# CONFIG_CNIC is not set
+# CONFIG_TIGON3 is not set
+# CONFIG_BNX2X is not set
+CONFIG_NET_VENDOR_BROCADE=y
+# CONFIG_BNA is not set
+# CONFIG_NET_CALXEDA_XGMAC is not set
+CONFIG_NET_VENDOR_CHELSIO=y
+# CONFIG_CHELSIO_T1 is not set
+# CONFIG_CHELSIO_T3 is not set
+# CONFIG_CHELSIO_T4 is not set
+# CONFIG_CHELSIO_T4VF is not set
+CONFIG_NET_VENDOR_CISCO=y
+# CONFIG_ENIC is not set
+# CONFIG_DNET is not set
+CONFIG_NET_VENDOR_DEC=y
+# CONFIG_NET_TULIP is not set
+CONFIG_NET_VENDOR_DLINK=y
+# CONFIG_DL2K is not set
+# CONFIG_SUNDANCE is not set
+CONFIG_NET_VENDOR_EMULEX=y
+# CONFIG_BE2NET is not set
+CONFIG_NET_VENDOR_EXAR=y
+# CONFIG_S2IO is not set
+# CONFIG_VXGE is not set
+CONFIG_NET_VENDOR_HP=y
+# CONFIG_HP100 is not set
+CONFIG_NET_VENDOR_INTEL=y
+# CONFIG_E100 is not set
+# CONFIG_E1000 is not set
+# CONFIG_E1000E is not set
+# CONFIG_IGB is not set
+# CONFIG_IGBVF is not set
+# CONFIG_IXGB is not set
+# CONFIG_IXGBE is not set
+# CONFIG_IXGBEVF is not set
+CONFIG_NET_VENDOR_I825XX=y
+# CONFIG_IP1000 is not set
+# CONFIG_JME is not set
+CONFIG_NET_VENDOR_MARVELL=y
+# CONFIG_MVMDIO is not set
+# CONFIG_SKGE is not set
+# CONFIG_SKY2 is not set
+CONFIG_NET_VENDOR_MELLANOX=y
+# CONFIG_MLX4_EN is not set
+# CONFIG_MLX4_CORE is not set
+CONFIG_NET_VENDOR_MICREL=y
+# CONFIG_KS8851_MLL is not set
+# CONFIG_KSZ884X_PCI is not set
+CONFIG_NET_VENDOR_MYRI=y
+# CONFIG_MYRI10GE is not set
+# CONFIG_FEALNX is not set
+CONFIG_NET_VENDOR_NATSEMI=y
+# CONFIG_NATSEMI is not set
+# CONFIG_NS83820 is not set
+CONFIG_NET_VENDOR_8390=y
+# CONFIG_NE2K_PCI is not set
+CONFIG_NET_VENDOR_NVIDIA=y
+# CONFIG_FORCEDETH is not set
+CONFIG_NET_VENDOR_OKI=y
+# CONFIG_PCH_GBE is not set
+# CONFIG_ETHOC is not set
+CONFIG_NET_PACKET_ENGINE=y
+# CONFIG_HAMACHI is not set
+# CONFIG_YELLOWFIN is not set
+CONFIG_NET_VENDOR_QLOGIC=y
+# CONFIG_QLA3XXX is not set
+# CONFIG_QLCNIC is not set
+# CONFIG_QLGE is not set
+# CONFIG_NETXEN_NIC is not set
+CONFIG_NET_VENDOR_REALTEK=y
+# CONFIG_8139CP is not set
+# CONFIG_8139TOO is not set
+# CONFIG_R8169 is not set
+CONFIG_NET_VENDOR_RDC=y
+# CONFIG_R6040 is not set
+CONFIG_NET_VENDOR_SEEQ=y
+CONFIG_NET_VENDOR_SILAN=y
+# CONFIG_SC92031 is not set
+CONFIG_NET_VENDOR_SIS=y
+# CONFIG_SIS900 is not set
+# CONFIG_SIS190 is not set
+# CONFIG_SFC is not set
+CONFIG_NET_VENDOR_SMSC=y
+# CONFIG_EPIC100 is not set
+# CONFIG_SMSC9420 is not set
+CONFIG_NET_VENDOR_STMICRO=y
+# CONFIG_STMMAC_ETH is not set
+CONFIG_NET_VENDOR_SUN=y
+# CONFIG_HAPPYMEAL is not set
+# CONFIG_SUNGEM is not set
+# CONFIG_CASSINI is not set
+# CONFIG_NIU is not set
+CONFIG_NET_VENDOR_TEHUTI=y
+# CONFIG_TEHUTI is not set
+CONFIG_NET_VENDOR_TI=y
+# CONFIG_TLAN is not set
+CONFIG_NET_VENDOR_VIA=y
+# CONFIG_VIA_RHINE is not set
+# CONFIG_VIA_VELOCITY is not set
+CONFIG_NET_VENDOR_WIZNET=y
+# CONFIG_WIZNET_W5100 is not set
+# CONFIG_WIZNET_W5300 is not set
+# CONFIG_FDDI is not set
+# CONFIG_HIPPI is not set
+# CONFIG_NET_SB1000 is not set
+# CONFIG_PHYLIB is not set
+# CONFIG_PPP is not set
+# CONFIG_SLIP is not set
+CONFIG_WLAN=y
+# CONFIG_AIRO is not set
+# CONFIG_ATMEL is not set
+# CONFIG_PRISM54 is not set
+# CONFIG_HOSTAP is not set
+# CONFIG_WL_TI is not set
+
+#
+# Enable WiMAX (Networking options) to see the WiMAX drivers
+#
+# CONFIG_WAN is not set
+# CONFIG_VMXNET3 is not set
+# CONFIG_ISDN is not set
+
+#
+# Input device support
+#
+CONFIG_INPUT=y
+# CONFIG_INPUT_FF_MEMLESS is not set
+# CONFIG_INPUT_POLLDEV is not set
+# CONFIG_INPUT_SPARSEKMAP is not set
+# CONFIG_INPUT_MATRIXKMAP is not set
+
+#
+# Userland interfaces
+#
+CONFIG_INPUT_MOUSEDEV=y
+CONFIG_INPUT_MOUSEDEV_PSAUX=y
+CONFIG_INPUT_MOUSEDEV_SCREEN_X=1024
+CONFIG_INPUT_MOUSEDEV_SCREEN_Y=768
+# CONFIG_INPUT_JOYDEV is not set
+# CONFIG_INPUT_EVDEV is not set
+# CONFIG_INPUT_EVBUG is not set
+
+#
+# Input Device Drivers
+#
+CONFIG_INPUT_KEYBOARD=y
+CONFIG_KEYBOARD_ATKBD=y
+# CONFIG_KEYBOARD_LKKBD is not set
+# CONFIG_KEYBOARD_NEWTON is not set
+# CONFIG_KEYBOARD_OPENCORES is not set
+# CONFIG_KEYBOARD_STOWAWAY is not set
+# CONFIG_KEYBOARD_SUNKBD is not set
+# CONFIG_KEYBOARD_XTKBD is not set
+CONFIG_INPUT_MOUSE=y
+CONFIG_MOUSE_PS2=y
+CONFIG_MOUSE_PS2_ALPS=y
+CONFIG_MOUSE_PS2_LOGIPS2PP=y
+CONFIG_MOUSE_PS2_SYNAPTICS=y
+CONFIG_MOUSE_PS2_CYPRESS=y
+CONFIG_MOUSE_PS2_LIFEBOOK=y
+CONFIG_MOUSE_PS2_TRACKPOINT=y
+# CONFIG_MOUSE_PS2_ELANTECH is not set
+# CONFIG_MOUSE_PS2_SENTELIC is not set
+# CONFIG_MOUSE_PS2_TOUCHKIT is not set
+# CONFIG_MOUSE_SERIAL is not set
+# CONFIG_MOUSE_APPLETOUCH is not set
+# CONFIG_MOUSE_BCM5974 is not set
+# CONFIG_MOUSE_VSXXXAA is not set
+# CONFIG_MOUSE_SYNAPTICS_USB is not set
+# CONFIG_INPUT_JOYSTICK is not set
+# CONFIG_INPUT_TABLET is not set
+# CONFIG_INPUT_TOUCHSCREEN is not set
+# CONFIG_INPUT_MISC is not set
+
+#
+# Hardware I/O ports
+#
+CONFIG_SERIO=y
+CONFIG_SERIO_I8042=y
+CONFIG_SERIO_SERPORT=y
+# CONFIG_SERIO_CT82C710 is not set
+# CONFIG_SERIO_PCIPS2 is not set
+CONFIG_SERIO_LIBPS2=y
+# CONFIG_SERIO_RAW is not set
+# CONFIG_SERIO_ALTERA_PS2 is not set
+# CONFIG_SERIO_PS2MULT is not set
+# CONFIG_SERIO_ARC_PS2 is not set
+# CONFIG_GAMEPORT is not set
+
+#
+# Character devices
+#
+CONFIG_TTY=y
+CONFIG_VT=y
+CONFIG_CONSOLE_TRANSLATIONS=y
+CONFIG_VT_CONSOLE=y
+CONFIG_VT_CONSOLE_SLEEP=y
+CONFIG_HW_CONSOLE=y
+# CONFIG_VT_HW_CONSOLE_BINDING is not set
+CONFIG_UNIX98_PTYS=y
+# CONFIG_DEVPTS_MULTIPLE_INSTANCES is not set
+CONFIG_LEGACY_PTYS=y
+CONFIG_LEGACY_PTY_COUNT=256
+# CONFIG_SERIAL_NONSTANDARD is not set
+# CONFIG_NOZOMI is not set
+# CONFIG_N_GSM is not set
+# CONFIG_TRACE_SINK is not set
+CONFIG_DEVKMEM=y
+
+#
+# Serial drivers
+#
+# CONFIG_SERIAL_8250 is not set
+CONFIG_FIX_EARLYCON_MEM=y
+
+#
+# Non-8250 serial port support
+#
+# CONFIG_SERIAL_MFD_HSU is not set
+# CONFIG_SERIAL_JSM is not set
+# CONFIG_SERIAL_SCCNXP is not set
+# CONFIG_SERIAL_TIMBERDALE is not set
+# CONFIG_SERIAL_ALTERA_JTAGUART is not set
+# CONFIG_SERIAL_ALTERA_UART is not set
+# CONFIG_SERIAL_PCH_UART is not set
+# CONFIG_SERIAL_ARC is not set
+# CONFIG_SERIAL_RP2 is not set
+CONFIG_HVC_DRIVER=y
+CONFIG_VIRTIO_CONSOLE=y
+# CONFIG_IPMI_HANDLER is not set
+# CONFIG_HW_RANDOM is not set
+# CONFIG_NVRAM is not set
+# CONFIG_RTC is not set
+# CONFIG_GEN_RTC is not set
+# CONFIG_R3964 is not set
+# CONFIG_APPLICOM is not set
+# CONFIG_MWAVE is not set
+# CONFIG_RAW_DRIVER is not set
+# CONFIG_HPET is not set
+# CONFIG_HANGCHECK_TIMER is not set
+# CONFIG_TCG_TPM is not set
+# CONFIG_TELCLOCK is not set
+CONFIG_DEVPORT=y
+# CONFIG_I2C is not set
+# CONFIG_SPI is not set
+# CONFIG_HSI is not set
+
+#
+# PPS support
+#
+# CONFIG_PPS is not set
+
+#
+# PPS generators support
+#
+
+#
+# PTP clock support
+#
+# CONFIG_PTP_1588_CLOCK is not set
+
+#
+# Enable PHYLIB and NETWORK_PHY_TIMESTAMPING to see the additional clocks.
+#
+# CONFIG_PTP_1588_CLOCK_PCH is not set
+CONFIG_ARCH_WANT_OPTIONAL_GPIOLIB=y
+CONFIG_GPIO_DEVRES=y
+# CONFIG_GPIOLIB is not set
+# CONFIG_W1 is not set
+CONFIG_POWER_SUPPLY=y
+# CONFIG_POWER_SUPPLY_DEBUG is not set
+# CONFIG_PDA_POWER is not set
+# CONFIG_TEST_POWER is not set
+# CONFIG_BATTERY_DS2780 is not set
+# CONFIG_BATTERY_DS2781 is not set
+# CONFIG_BATTERY_BQ27x00 is not set
+# CONFIG_CHARGER_MAX8903 is not set
+# CONFIG_BATTERY_GOLDFISH is not set
+# CONFIG_POWER_RESET is not set
+# CONFIG_POWER_AVS is not set
+CONFIG_HWMON=y
+# CONFIG_HWMON_VID is not set
+# CONFIG_HWMON_DEBUG_CHIP is not set
+
+#
+# Native drivers
+#
+# CONFIG_SENSORS_ABITUGURU is not set
+# CONFIG_SENSORS_ABITUGURU3 is not set
+# CONFIG_SENSORS_K8TEMP is not set
+# CONFIG_SENSORS_K10TEMP is not set
+# CONFIG_SENSORS_FAM15H_POWER is not set
+# CONFIG_SENSORS_I5K_AMB is not set
+# CONFIG_SENSORS_F71805F is not set
+# CONFIG_SENSORS_F71882FG is not set
+# CONFIG_SENSORS_CORETEMP is not set
+# CONFIG_SENSORS_IT87 is not set
+# CONFIG_SENSORS_MAX197 is not set
+# CONFIG_SENSORS_NTC_THERMISTOR is not set
+# CONFIG_SENSORS_PC87360 is not set
+# CONFIG_SENSORS_PC87427 is not set
+# CONFIG_SENSORS_SIS5595 is not set
+# CONFIG_SENSORS_SMSC47M1 is not set
+# CONFIG_SENSORS_SMSC47B397 is not set
+# CONFIG_SENSORS_SCH56XX_COMMON is not set
+# CONFIG_SENSORS_VIA_CPUTEMP is not set
+# CONFIG_SENSORS_VIA686A is not set
+# CONFIG_SENSORS_VT1211 is not set
+# CONFIG_SENSORS_VT8231 is not set
+# CONFIG_SENSORS_W83627HF is not set
+# CONFIG_SENSORS_W83627EHF is not set
+# CONFIG_SENSORS_APPLESMC is not set
+
+#
+# ACPI drivers
+#
+# CONFIG_SENSORS_ACPI_POWER is not set
+# CONFIG_SENSORS_ATK0110 is not set
+CONFIG_THERMAL=y
+CONFIG_THERMAL_HWMON=y
+CONFIG_THERMAL_DEFAULT_GOV_STEP_WISE=y
+# CONFIG_THERMAL_DEFAULT_GOV_FAIR_SHARE is not set
+# CONFIG_THERMAL_DEFAULT_GOV_USER_SPACE is not set
+# CONFIG_THERMAL_GOV_FAIR_SHARE is not set
+CONFIG_THERMAL_GOV_STEP_WISE=y
+# CONFIG_THERMAL_GOV_USER_SPACE is not set
+# CONFIG_THERMAL_EMULATION is not set
+# CONFIG_INTEL_POWERCLAMP is not set
+# CONFIG_WATCHDOG is not set
+CONFIG_SSB_POSSIBLE=y
+
+#
+# Sonics Silicon Backplane
+#
+# CONFIG_SSB is not set
+CONFIG_BCMA_POSSIBLE=y
+
+#
+# Broadcom specific AMBA
+#
+# CONFIG_BCMA is not set
+
+#
+# Multifunction device drivers
+#
+# CONFIG_MFD_CORE is not set
+# CONFIG_MFD_SM501 is not set
+# CONFIG_MFD_RTSX_PCI is not set
+# CONFIG_MFD_TI_AM335X_TSCADC is not set
+# CONFIG_HTC_PASIC3 is not set
+# CONFIG_MFD_TMIO is not set
+# CONFIG_ABX500_CORE is not set
+# CONFIG_MFD_CS5535 is not set
+# CONFIG_LPC_SCH is not set
+# CONFIG_LPC_ICH is not set
+# CONFIG_MFD_RDC321X is not set
+# CONFIG_MFD_JANZ_CMODIO is not set
+# CONFIG_MFD_VX855 is not set
+# CONFIG_REGULATOR is not set
+# CONFIG_MEDIA_SUPPORT is not set
+
+#
+# Graphics support
+#
+# CONFIG_AGP is not set
+CONFIG_VGA_ARB=y
+CONFIG_VGA_ARB_MAX_GPUS=16
+# CONFIG_VGA_SWITCHEROO is not set
+# CONFIG_DRM is not set
+# CONFIG_VGASTATE is not set
+# CONFIG_VIDEO_OUTPUT_CONTROL is not set
+# CONFIG_FB is not set
+# CONFIG_EXYNOS_VIDEO is not set
+# CONFIG_BACKLIGHT_LCD_SUPPORT is not set
+
+#
+# Console display driver support
+#
+CONFIG_VGA_CONSOLE=y
+# CONFIG_VGACON_SOFT_SCROLLBACK is not set
+CONFIG_DUMMY_CONSOLE=y
+CONFIG_SOUND=y
+# CONFIG_SOUND_OSS_CORE is not set
+# CONFIG_SND is not set
+# CONFIG_SOUND_PRIME is not set
+
+#
+# HID support
+#
+CONFIG_HID=y
+# CONFIG_HID_BATTERY_STRENGTH is not set
+# CONFIG_HIDRAW is not set
+# CONFIG_UHID is not set
+CONFIG_HID_GENERIC=y
+
+#
+# Special HID drivers
+#
+CONFIG_USB_ARCH_HAS_OHCI=y
+CONFIG_USB_ARCH_HAS_EHCI=y
+CONFIG_USB_ARCH_HAS_XHCI=y
+CONFIG_USB_SUPPORT=y
+CONFIG_USB_ARCH_HAS_HCD=y
+# CONFIG_USB is not set
+
+#
+# NOTE: USB_STORAGE depends on SCSI but BLK_DEV_SD may
+#
+# CONFIG_OMAP_USB3 is not set
+# CONFIG_OMAP_CONTROL_USB is not set
+# CONFIG_USB_GADGET is not set
+
+#
+# OTG and related infrastructure
+#
+# CONFIG_UWB is not set
+# CONFIG_MMC is not set
+# CONFIG_MEMSTICK is not set
+# CONFIG_NEW_LEDS is not set
+# CONFIG_ACCESSIBILITY is not set
+# CONFIG_INFINIBAND is not set
+# CONFIG_EDAC is not set
+# CONFIG_RTC_CLASS is not set
+# CONFIG_DMADEVICES is not set
+# CONFIG_AUXDISPLAY is not set
+# CONFIG_UIO is not set
+CONFIG_VIRTIO=y
+
+#
+# Virtio drivers
+#
+CONFIG_VIRTIO_PCI=y
+CONFIG_VIRTIO_BALLOON=y
+CONFIG_VIRTIO_MMIO=y
+# CONFIG_VIRTIO_MMIO_CMDLINE_DEVICES is not set
+
+#
+# Microsoft Hyper-V guest support
+#
+# CONFIG_HYPERV is not set
+# CONFIG_STAGING is not set
+CONFIG_X86_PLATFORM_DEVICES=y
+# CONFIG_ACERHDF is not set
+# CONFIG_ASUS_LAPTOP is not set
+# CONFIG_FUJITSU_TABLET is not set
+# CONFIG_HP_ACCEL is not set
+# CONFIG_THINKPAD_ACPI is not set
+# CONFIG_SENSORS_HDAPS is not set
+# CONFIG_INTEL_MENLOW is not set
+# CONFIG_ACPI_WMI is not set
+# CONFIG_TOPSTAR_LAPTOP is not set
+# CONFIG_TOSHIBA_BT_RFKILL is not set
+# CONFIG_ACPI_CMPC is not set
+# CONFIG_INTEL_IPS is not set
+# CONFIG_IBM_RTL is not set
+# CONFIG_XO15_EBOOK is not set
+# CONFIG_SAMSUNG_Q10 is not set
+
+#
+# Hardware Spinlock drivers
+#
+CONFIG_CLKEVT_I8253=y
+CONFIG_I8253_LOCK=y
+CONFIG_CLKBLD_I8253=y
+# CONFIG_MAILBOX is not set
+CONFIG_IOMMU_SUPPORT=y
+# CONFIG_AMD_IOMMU is not set
+# CONFIG_INTEL_IOMMU is not set
+# CONFIG_IRQ_REMAP is not set
+
+#
+# Remoteproc drivers
+#
+# CONFIG_STE_MODEM_RPROC is not set
+
+#
+# Rpmsg drivers
+#
+# CONFIG_VIRT_DRIVERS is not set
+# CONFIG_PM_DEVFREQ is not set
+# CONFIG_EXTCON is not set
+# CONFIG_MEMORY is not set
+# CONFIG_IIO is not set
+# CONFIG_NTB is not set
+# CONFIG_VME_BUS is not set
+# CONFIG_PWM is not set
+# CONFIG_IPACK_BUS is not set
+
+#
+# Firmware Drivers
+#
+# CONFIG_EDD is not set
+CONFIG_FIRMWARE_MEMMAP=y
+# CONFIG_DELL_RBU is not set
+# CONFIG_DCDBAS is not set
+CONFIG_DMIID=y
+# CONFIG_DMI_SYSFS is not set
+# CONFIG_ISCSI_IBFT_FIND is not set
+# CONFIG_GOOGLE_FIRMWARE is not set
+
+#
+# File systems
+#
+CONFIG_DCACHE_WORD_ACCESS=y
+CONFIG_EXT2_FS=y
+# CONFIG_EXT2_FS_XATTR is not set
+# CONFIG_EXT2_FS_XIP is not set
+CONFIG_EXT3_FS=y
+# CONFIG_EXT3_DEFAULTS_TO_ORDERED is not set
+# CONFIG_EXT3_FS_XATTR is not set
+# CONFIG_EXT4_FS is not set
+CONFIG_JBD=y
+CONFIG_REISERFS_FS=y
+# CONFIG_REISERFS_CHECK is not set
+# CONFIG_REISERFS_PROC_INFO is not set
+# CONFIG_REISERFS_FS_XATTR is not set
+# CONFIG_JFS_FS is not set
+# CONFIG_XFS_FS is not set
+# CONFIG_GFS2_FS is not set
+# CONFIG_BTRFS_FS is not set
+# CONFIG_NILFS2_FS is not set
+CONFIG_FS_POSIX_ACL=y
+CONFIG_FILE_LOCKING=y
+CONFIG_FSNOTIFY=y
+CONFIG_DNOTIFY=y
+CONFIG_INOTIFY_USER=y
+# CONFIG_FANOTIFY is not set
+CONFIG_QUOTA=y
+# CONFIG_QUOTA_NETLINK_INTERFACE is not set
+CONFIG_PRINT_QUOTA_WARNING=y
+# CONFIG_QUOTA_DEBUG is not set
+# CONFIG_QFMT_V1 is not set
+# CONFIG_QFMT_V2 is not set
+CONFIG_QUOTACTL=y
+CONFIG_AUTOFS4_FS=y
+# CONFIG_FUSE_FS is not set
+
+#
+# Caches
+#
+# CONFIG_FSCACHE is not set
+
+#
+# CD-ROM/DVD Filesystems
+#
+CONFIG_ISO9660_FS=y
+CONFIG_JOLIET=y
+# CONFIG_ZISOFS is not set
+# CONFIG_UDF_FS is not set
+
+#
+# DOS/FAT/NT Filesystems
+#
+# CONFIG_MSDOS_FS is not set
+# CONFIG_VFAT_FS is not set
+# CONFIG_NTFS_FS is not set
+
+#
+# Pseudo filesystems
+#
+CONFIG_PROC_FS=y
+CONFIG_PROC_KCORE=y
+CONFIG_PROC_SYSCTL=y
+CONFIG_PROC_PAGE_MONITOR=y
+CONFIG_SYSFS=y
+CONFIG_TMPFS=y
+# CONFIG_TMPFS_POSIX_ACL is not set
+# CONFIG_TMPFS_XATTR is not set
+# CONFIG_HUGETLBFS is not set
+# CONFIG_HUGETLB_PAGE is not set
+# CONFIG_CONFIGFS_FS is not set
+CONFIG_MISC_FILESYSTEMS=y
+# CONFIG_ADFS_FS is not set
+# CONFIG_AFFS_FS is not set
+# CONFIG_HFS_FS is not set
+# CONFIG_HFSPLUS_FS is not set
+# CONFIG_BEFS_FS is not set
+# CONFIG_BFS_FS is not set
+# CONFIG_EFS_FS is not set
+# CONFIG_LOGFS is not set
+# CONFIG_CRAMFS is not set
+# CONFIG_SQUASHFS is not set
+# CONFIG_VXFS_FS is not set
+# CONFIG_MINIX_FS is not set
+# CONFIG_OMFS_FS is not set
+# CONFIG_HPFS_FS is not set
+# CONFIG_QNX4FS_FS is not set
+# CONFIG_QNX6FS_FS is not set
+# CONFIG_ROMFS_FS is not set
+# CONFIG_PSTORE is not set
+# CONFIG_SYSV_FS is not set
+# CONFIG_UFS_FS is not set
+# CONFIG_F2FS_FS is not set
+CONFIG_NETWORK_FILESYSTEMS=y
+# CONFIG_NFS_FS is not set
+# CONFIG_NFSD is not set
+# CONFIG_CEPH_FS is not set
+# CONFIG_CIFS is not set
+# CONFIG_NCP_FS is not set
+# CONFIG_CODA_FS is not set
+# CONFIG_AFS_FS is not set
+CONFIG_9P_FS=y
+CONFIG_9P_FS_POSIX_ACL=y
+CONFIG_NLS=y
+CONFIG_NLS_DEFAULT="iso8859-1"
+# CONFIG_NLS_CODEPAGE_437 is not set
+# CONFIG_NLS_CODEPAGE_737 is not set
+# CONFIG_NLS_CODEPAGE_775 is not set
+# CONFIG_NLS_CODEPAGE_850 is not set
+# CONFIG_NLS_CODEPAGE_852 is not set
+# CONFIG_NLS_CODEPAGE_855 is not set
+# CONFIG_NLS_CODEPAGE_857 is not set
+# CONFIG_NLS_CODEPAGE_860 is not set
+# CONFIG_NLS_CODEPAGE_861 is not set
+# CONFIG_NLS_CODEPAGE_862 is not set
+# CONFIG_NLS_CODEPAGE_863 is not set
+# CONFIG_NLS_CODEPAGE_864 is not set
+# CONFIG_NLS_CODEPAGE_865 is not set
+# CONFIG_NLS_CODEPAGE_866 is not set
+# CONFIG_NLS_CODEPAGE_869 is not set
+# CONFIG_NLS_CODEPAGE_936 is not set
+# CONFIG_NLS_CODEPAGE_950 is not set
+# CONFIG_NLS_CODEPAGE_932 is not set
+# CONFIG_NLS_CODEPAGE_949 is not set
+# CONFIG_NLS_CODEPAGE_874 is not set
+# CONFIG_NLS_ISO8859_8 is not set
+# CONFIG_NLS_CODEPAGE_1250 is not set
+# CONFIG_NLS_CODEPAGE_1251 is not set
+# CONFIG_NLS_ASCII is not set
+# CONFIG_NLS_ISO8859_1 is not set
+# CONFIG_NLS_ISO8859_2 is not set
+# CONFIG_NLS_ISO8859_3 is not set
+# CONFIG_NLS_ISO8859_4 is not set
+# CONFIG_NLS_ISO8859_5 is not set
+# CONFIG_NLS_ISO8859_6 is not set
+# CONFIG_NLS_ISO8859_7 is not set
+# CONFIG_NLS_ISO8859_9 is not set
+# CONFIG_NLS_ISO8859_13 is not set
+# CONFIG_NLS_ISO8859_14 is not set
+# CONFIG_NLS_ISO8859_15 is not set
+# CONFIG_NLS_KOI8_R is not set
+# CONFIG_NLS_KOI8_U is not set
+# CONFIG_NLS_MAC_ROMAN is not set
+# CONFIG_NLS_MAC_CELTIC is not set
+# CONFIG_NLS_MAC_CENTEURO is not set
+# CONFIG_NLS_MAC_CROATIAN is not set
+# CONFIG_NLS_MAC_CYRILLIC is not set
+# CONFIG_NLS_MAC_GAELIC is not set
+# CONFIG_NLS_MAC_GREEK is not set
+# CONFIG_NLS_MAC_ICELAND is not set
+# CONFIG_NLS_MAC_INUIT is not set
+# CONFIG_NLS_MAC_ROMANIAN is not set
+# CONFIG_NLS_MAC_TURKISH is not set
+# CONFIG_NLS_UTF8 is not set
+
+#
+# Kernel hacking
+#
+CONFIG_TRACE_IRQFLAGS_SUPPORT=y
+# CONFIG_PRINTK_TIME is not set
+CONFIG_DEFAULT_MESSAGE_LOGLEVEL=4
+CONFIG_ENABLE_WARN_DEPRECATED=y
+CONFIG_ENABLE_MUST_CHECK=y
+CONFIG_FRAME_WARN=1024
+# CONFIG_MAGIC_SYSRQ is not set
+# CONFIG_STRIP_ASM_SYMS is not set
+# CONFIG_READABLE_ASM is not set
+# CONFIG_UNUSED_SYMBOLS is not set
+# CONFIG_DEBUG_FS is not set
+# CONFIG_HEADERS_CHECK is not set
+# CONFIG_DEBUG_SECTION_MISMATCH is not set
+CONFIG_DEBUG_KERNEL=y
+# CONFIG_DEBUG_SHIRQ is not set
+# CONFIG_LOCKUP_DETECTOR is not set
+# CONFIG_PANIC_ON_OOPS is not set
+CONFIG_PANIC_ON_OOPS_VALUE=0
+CONFIG_DETECT_HUNG_TASK=y
+CONFIG_DEFAULT_HUNG_TASK_TIMEOUT=120
+# CONFIG_BOOTPARAM_HUNG_TASK_PANIC is not set
+CONFIG_BOOTPARAM_HUNG_TASK_PANIC_VALUE=0
+# CONFIG_SCHED_DEBUG is not set
+# CONFIG_SCHEDSTATS is not set
+# CONFIG_TIMER_STATS is not set
+# CONFIG_DEBUG_OBJECTS is not set
+# CONFIG_DEBUG_SLAB is not set
+CONFIG_HAVE_DEBUG_KMEMLEAK=y
+# CONFIG_DEBUG_KMEMLEAK is not set
+# CONFIG_DEBUG_RT_MUTEXES is not set
+# CONFIG_RT_MUTEX_TESTER is not set
+# CONFIG_DEBUG_SPINLOCK is not set
+# CONFIG_DEBUG_MUTEXES is not set
+# CONFIG_DEBUG_LOCK_ALLOC is not set
+# CONFIG_PROVE_LOCKING is not set
+# CONFIG_LOCK_STAT is not set
+# CONFIG_DEBUG_ATOMIC_SLEEP is not set
+# CONFIG_DEBUG_LOCKING_API_SELFTESTS is not set
+# CONFIG_DEBUG_STACK_USAGE is not set
+# CONFIG_DEBUG_KOBJECT is not set
+CONFIG_DEBUG_BUGVERBOSE=y
+CONFIG_DEBUG_INFO=y
+# CONFIG_DEBUG_INFO_REDUCED is not set
+# CONFIG_DEBUG_VM is not set
+# CONFIG_DEBUG_VIRTUAL is not set
+# CONFIG_DEBUG_WRITECOUNT is not set
+CONFIG_DEBUG_MEMORY_INIT=y
+# CONFIG_DEBUG_LIST is not set
+# CONFIG_TEST_LIST_SORT is not set
+# CONFIG_DEBUG_SG is not set
+# CONFIG_DEBUG_NOTIFIERS is not set
+# CONFIG_DEBUG_CREDENTIALS is not set
+CONFIG_ARCH_WANT_FRAME_POINTERS=y
+CONFIG_FRAME_POINTER=y
+# CONFIG_BOOT_PRINTK_DELAY is not set
+
+#
+# RCU Debugging
+#
+# CONFIG_SPARSE_RCU_POINTER is not set
+# CONFIG_RCU_TORTURE_TEST is not set
+# CONFIG_RCU_TRACE is not set
+# CONFIG_BACKTRACE_SELF_TEST is not set
+# CONFIG_DEBUG_BLOCK_EXT_DEVT is not set
+# CONFIG_DEBUG_FORCE_WEAK_PER_CPU is not set
+# CONFIG_NOTIFIER_ERROR_INJECTION is not set
+# CONFIG_FAULT_INJECTION is not set
+# CONFIG_LATENCYTOP is not set
+# CONFIG_DEBUG_PAGEALLOC is not set
+CONFIG_USER_STACKTRACE_SUPPORT=y
+CONFIG_HAVE_FUNCTION_TRACER=y
+CONFIG_HAVE_FUNCTION_GRAPH_TRACER=y
+CONFIG_HAVE_FUNCTION_GRAPH_FP_TEST=y
+CONFIG_HAVE_FUNCTION_TRACE_MCOUNT_TEST=y
+CONFIG_HAVE_DYNAMIC_FTRACE=y
+CONFIG_HAVE_DYNAMIC_FTRACE_WITH_REGS=y
+CONFIG_HAVE_FTRACE_MCOUNT_RECORD=y
+CONFIG_HAVE_SYSCALL_TRACEPOINTS=y
+CONFIG_HAVE_FENTRY=y
+CONFIG_HAVE_C_RECORDMCOUNT=y
+CONFIG_TRACING_SUPPORT=y
+CONFIG_FTRACE=y
+# CONFIG_FUNCTION_TRACER is not set
+# CONFIG_IRQSOFF_TRACER is not set
+# CONFIG_SCHED_TRACER is not set
+# CONFIG_ENABLE_DEFAULT_TRACERS is not set
+# CONFIG_FTRACE_SYSCALLS is not set
+# CONFIG_TRACER_SNAPSHOT is not set
+CONFIG_BRANCH_PROFILE_NONE=y
+# CONFIG_PROFILE_ANNOTATED_BRANCHES is not set
+# CONFIG_PROFILE_ALL_BRANCHES is not set
+# CONFIG_STACK_TRACER is not set
+# CONFIG_BLK_DEV_IO_TRACE is not set
+# CONFIG_UPROBE_EVENT is not set
+# CONFIG_PROBE_EVENTS is not set
+# CONFIG_MMIOTRACE is not set
+# CONFIG_PROVIDE_OHCI1394_DMA_INIT is not set
+# CONFIG_DMA_API_DEBUG is not set
+# CONFIG_ATOMIC64_SELFTEST is not set
+# CONFIG_SAMPLES is not set
+CONFIG_HAVE_ARCH_KGDB=y
+# CONFIG_KGDB is not set
+CONFIG_HAVE_ARCH_KMEMCHECK=y
+# CONFIG_TEST_KSTRTOX is not set
+# CONFIG_STRICT_DEVMEM is not set
+CONFIG_X86_VERBOSE_BOOTUP=y
+CONFIG_EARLY_PRINTK=y
+# CONFIG_EARLY_PRINTK_DBGP is not set
+# CONFIG_DEBUG_STACKOVERFLOW is not set
+# CONFIG_X86_PTDUMP is not set
+CONFIG_DEBUG_RODATA=y
+CONFIG_DEBUG_RODATA_TEST=y
+# CONFIG_DEBUG_TLBFLUSH is not set
+# CONFIG_IOMMU_DEBUG is not set
+# CONFIG_IOMMU_STRESS is not set
+CONFIG_HAVE_MMIOTRACE_SUPPORT=y
+CONFIG_IO_DELAY_TYPE_0X80=0
+CONFIG_IO_DELAY_TYPE_0XED=1
+CONFIG_IO_DELAY_TYPE_UDELAY=2
+CONFIG_IO_DELAY_TYPE_NONE=3
+CONFIG_IO_DELAY_0X80=y
+# CONFIG_IO_DELAY_0XED is not set
+# CONFIG_IO_DELAY_UDELAY is not set
+# CONFIG_IO_DELAY_NONE is not set
+CONFIG_DEFAULT_IO_DELAY_TYPE=0
+# CONFIG_CPA_DEBUG is not set
+# CONFIG_OPTIMIZE_INLINING is not set
+# CONFIG_DEBUG_STRICT_USER_COPY_CHECKS is not set
+# CONFIG_DEBUG_NMI_SELFTEST is not set
+
+#
+# Security options
+#
+# CONFIG_KEYS is not set
+# CONFIG_SECURITY_DMESG_RESTRICT is not set
+# CONFIG_SECURITY is not set
+# CONFIG_SECURITYFS is not set
+CONFIG_DEFAULT_SECURITY_DAC=y
+CONFIG_DEFAULT_SECURITY=""
+CONFIG_CRYPTO=y
+
+#
+# Crypto core or helper
+#
+CONFIG_CRYPTO_ALGAPI=y
+CONFIG_CRYPTO_ALGAPI2=y
+CONFIG_CRYPTO_AEAD=y
+CONFIG_CRYPTO_AEAD2=y
+CONFIG_CRYPTO_BLKCIPHER=y
+CONFIG_CRYPTO_BLKCIPHER2=y
+CONFIG_CRYPTO_HASH=y
+CONFIG_CRYPTO_HASH2=y
+CONFIG_CRYPTO_RNG=y
+CONFIG_CRYPTO_RNG2=y
+CONFIG_CRYPTO_PCOMP=y
+CONFIG_CRYPTO_PCOMP2=y
+CONFIG_CRYPTO_MANAGER=y
+CONFIG_CRYPTO_MANAGER2=y
+CONFIG_CRYPTO_USER=y
+CONFIG_CRYPTO_MANAGER_DISABLE_TESTS=y
+CONFIG_CRYPTO_GF128MUL=y
+CONFIG_CRYPTO_NULL=y
+CONFIG_CRYPTO_WORKQUEUE=y
+CONFIG_CRYPTO_CRYPTD=y
+CONFIG_CRYPTO_AUTHENC=y
+CONFIG_CRYPTO_ABLK_HELPER_X86=y
+CONFIG_CRYPTO_GLUE_HELPER_X86=y
+
+#
+# Authenticated Encryption with Associated Data
+#
+CONFIG_CRYPTO_CCM=y
+CONFIG_CRYPTO_GCM=y
+CONFIG_CRYPTO_SEQIV=y
+
+#
+# Block modes
+#
+CONFIG_CRYPTO_CBC=y
+CONFIG_CRYPTO_CTR=y
+# CONFIG_CRYPTO_CTS is not set
+CONFIG_CRYPTO_ECB=y
+CONFIG_CRYPTO_LRW=y
+CONFIG_CRYPTO_PCBC=y
+CONFIG_CRYPTO_XTS=y
+
+#
+# Hash modes
+#
+CONFIG_CRYPTO_HMAC=y
+CONFIG_CRYPTO_XCBC=y
+# CONFIG_CRYPTO_VMAC is not set
+
+#
+# Digest
+#
+CONFIG_CRYPTO_CRC32C=y
+# CONFIG_CRYPTO_CRC32C_INTEL is not set
+# CONFIG_CRYPTO_CRC32 is not set
+# CONFIG_CRYPTO_CRC32_PCLMUL is not set
+CONFIG_CRYPTO_GHASH=y
+CONFIG_CRYPTO_MD4=y
+CONFIG_CRYPTO_MD5=y
+CONFIG_CRYPTO_MICHAEL_MIC=y
+CONFIG_CRYPTO_RMD128=y
+CONFIG_CRYPTO_RMD160=y
+CONFIG_CRYPTO_RMD256=y
+CONFIG_CRYPTO_RMD320=y
+CONFIG_CRYPTO_SHA1=y
+# CONFIG_CRYPTO_SHA1_SSSE3 is not set
+CONFIG_CRYPTO_SHA256=y
+CONFIG_CRYPTO_SHA512=y
+CONFIG_CRYPTO_TGR192=y
+CONFIG_CRYPTO_WP512=y
+# CONFIG_CRYPTO_GHASH_CLMUL_NI_INTEL is not set
+
+#
+# Ciphers
+#
+CONFIG_CRYPTO_AES=y
+CONFIG_CRYPTO_AES_X86_64=y
+CONFIG_CRYPTO_AES_NI_INTEL=y
+CONFIG_CRYPTO_ANUBIS=y
+CONFIG_CRYPTO_ARC4=y
+CONFIG_CRYPTO_BLOWFISH=y
+CONFIG_CRYPTO_BLOWFISH_COMMON=y
+CONFIG_CRYPTO_BLOWFISH_X86_64=y
+CONFIG_CRYPTO_CAMELLIA=y
+CONFIG_CRYPTO_CAMELLIA_X86_64=y
+CONFIG_CRYPTO_CAMELLIA_AESNI_AVX_X86_64=y
+CONFIG_CRYPTO_CAST_COMMON=y
+CONFIG_CRYPTO_CAST5=y
+CONFIG_CRYPTO_CAST5_AVX_X86_64=y
+CONFIG_CRYPTO_CAST6=y
+CONFIG_CRYPTO_CAST6_AVX_X86_64=y
+CONFIG_CRYPTO_DES=y
+CONFIG_CRYPTO_FCRYPT=y
+CONFIG_CRYPTO_KHAZAD=y
+CONFIG_CRYPTO_SALSA20=y
+CONFIG_CRYPTO_SALSA20_X86_64=y
+CONFIG_CRYPTO_SEED=y
+CONFIG_CRYPTO_SERPENT=y
+CONFIG_CRYPTO_SERPENT_SSE2_X86_64=y
+CONFIG_CRYPTO_SERPENT_AVX_X86_64=y
+CONFIG_CRYPTO_TEA=y
+CONFIG_CRYPTO_TWOFISH=y
+CONFIG_CRYPTO_TWOFISH_COMMON=y
+CONFIG_CRYPTO_TWOFISH_X86_64=y
+CONFIG_CRYPTO_TWOFISH_X86_64_3WAY=y
+CONFIG_CRYPTO_TWOFISH_AVX_X86_64=y
+
+#
+# Compression
+#
+CONFIG_CRYPTO_DEFLATE=y
+CONFIG_CRYPTO_ZLIB=y
+CONFIG_CRYPTO_LZO=y
+
+#
+# Random Number Generation
+#
+# CONFIG_CRYPTO_ANSI_CPRNG is not set
+CONFIG_CRYPTO_USER_API=y
+CONFIG_CRYPTO_USER_API_HASH=y
+CONFIG_CRYPTO_USER_API_SKCIPHER=y
+# CONFIG_CRYPTO_HW is not set
+CONFIG_HAVE_KVM=y
+CONFIG_VIRTUALIZATION=y
+# CONFIG_KVM is not set
+# CONFIG_VHOST_NET is not set
+# CONFIG_BINARY_PRINTF is not set
+
+#
+# Library routines
+#
+CONFIG_BITREVERSE=y
+CONFIG_GENERIC_STRNCPY_FROM_USER=y
+CONFIG_GENERIC_STRNLEN_USER=y
+CONFIG_GENERIC_FIND_FIRST_BIT=y
+CONFIG_GENERIC_PCI_IOMAP=y
+CONFIG_GENERIC_IOMAP=y
+CONFIG_GENERIC_IO=y
+CONFIG_CRC_CCITT=y
+CONFIG_CRC16=y
+# CONFIG_CRC_T10DIF is not set
+CONFIG_CRC_ITU_T=y
+CONFIG_CRC32=y
+# CONFIG_CRC32_SELFTEST is not set
+CONFIG_CRC32_SLICEBY8=y
+# CONFIG_CRC32_SLICEBY4 is not set
+# CONFIG_CRC32_SARWATE is not set
+# CONFIG_CRC32_BIT is not set
+CONFIG_CRC7=y
+CONFIG_LIBCRC32C=y
+# CONFIG_CRC8 is not set
+CONFIG_ZLIB_INFLATE=y
+CONFIG_ZLIB_DEFLATE=y
+CONFIG_LZO_COMPRESS=y
+CONFIG_LZO_DECOMPRESS=y
+# CONFIG_XZ_DEC is not set
+# CONFIG_XZ_DEC_BCJ is not set
+CONFIG_TEXTSEARCH=y
+CONFIG_TEXTSEARCH_KMP=y
+CONFIG_TEXTSEARCH_BM=y
+CONFIG_TEXTSEARCH_FSM=y
+CONFIG_HAS_IOMEM=y
+CONFIG_HAS_IOPORT=y
+CONFIG_HAS_DMA=y
+CONFIG_DQL=y
+CONFIG_NLATTR=y
+CONFIG_ARCH_HAS_ATOMIC64_DEC_IF_POSITIVE=y
+# CONFIG_AVERAGE is not set
+# CONFIG_CORDIC is not set
+# CONFIG_DDR is not set
diff --git a/testing/do-tests b/testing/do-tests
index d70c12c51..979cb487f 100755
--- a/testing/do-tests
+++ b/testing/do-tests
@@ -557,7 +557,7 @@ do
 		$TESTRESULTDIR/${host}.radius.log  > /dev/null 2>&1
 
 	    ssh $SSHCONF $HOSTLOGIN grep imcv /var/log/daemon.log \
-		>> $TESTRESULTDIR/${host}.daemon.log
+		>> $TESTRESULTDIR/${host}.daemon.log 2>/dev/null
 
 	    chmod a+r $TESTRESULTDIR/*
 	    cat >> $TESTRESULTDIR/index.html <<@EOF
diff --git a/testing/hosts/default/etc/pts/data.sql b/testing/hosts/default/etc/pts/data.sql
index dde7c9fa5..35fd65753 100644
--- a/testing/hosts/default/etc/pts/data.sql
+++ b/testing/hosts/default/etc/pts/data.sql
@@ -1,80 +1,418 @@
 /* Products */
 
-INSERT INTO products (
+INSERT INTO products (			/*  1 */
   name
 ) VALUES (
- 'Debian 7.0'
+ 'Debian 6.0 i686'
 );
 
-INSERT INTO products (
+INSERT INTO products (			/*  2 */
+  name
+) VALUES (
+ 'Debian 6.0 x86_64'
+);
+
+INSERT INTO products (			/*  3 */
   name
 ) VALUES (
  'Debian 7.0 i686'
 );
 
-INSERT INTO products (
+INSERT INTO products (			/*  4 */
   name
 ) VALUES (
  'Debian 7.0 x86_64'
 );
 
-INSERT INTO products (
+INSERT INTO products (			/*  5 */
   name
 ) VALUES (
- 'Ubuntu 12.04'
+ 'Debian 8.0 i686'
 );
 
-INSERT INTO products (
+INSERT INTO products (			/*  6 */
   name
 ) VALUES (
- 'Ubuntu 12.04 i686'
+ 'Debian 8.0 x86_64'
 );
 
-INSERT INTO products (
+INSERT INTO products (			/*  7 */
   name
 ) VALUES (
- 'Ubuntu 12.04 x86_64'
+ 'Ubuntu 10.04 i686'
+);
+
+INSERT INTO products (			/*  8 */
+  name
+) VALUES (
+ 'Ubuntu 10.04 x86_64'
+);
+
+INSERT INTO products (			/*  9 */
+  name
+) VALUES (
+ 'Ubuntu 10.10 i686'
+);
+
+INSERT INTO products (			/* 10 */
+  name
+) VALUES (
+ 'Ubuntu 10.10 x86_64'
+);
+
+INSERT INTO products (			/* 11 */
+  name
+) VALUES (
+ 'Ubuntu 11.04 i686'
+);
+
+INSERT INTO products (			/* 12 */
+  name
+) VALUES (
+ 'Ubuntu 11.04 x86_64'
 );
 
-INSERT INTO products (
+INSERT INTO products (			/* 13 */
   name
 ) VALUES (
- 'Ubuntu 12.10'
+ 'Ubuntu 11.10 i686'
 );
 
-INSERT INTO products (
+INSERT INTO products (			/* 14 */
+  name
+) VALUES (
+ 'Ubuntu 11.10 x86_64'
+);
+
+INSERT INTO products (			/* 15 */
+  name
+) VALUES (
+ 'Ubuntu 12.04 i686'
+);
+
+INSERT INTO products (			/* 16 */
+  name
+) VALUES (
+ 'Ubuntu 12.04 x86_64'
+);
+
+INSERT INTO products (			/* 17 */
   name
 ) VALUES (
  'Ubuntu 12.10 i686'
 );
 
-INSERT INTO products (
+INSERT INTO products (			/* 18 */
   name
 ) VALUES (
  'Ubuntu 12.10 x86_64'
 );
 
+INSERT INTO products (			/* 19 */
+  name
+) VALUES (
+ 'Ubuntu 13.04 i686'
+);
+
+INSERT INTO products (			/* 20 */
+  name
+) VALUES (
+ 'Ubuntu 13.04 x86_64'
+);
+
+INSERT INTO products (			/* 21 */
+  name
+) VALUES (
+ 'Android 4.1.1'
+);
+
+INSERT INTO products (			/* 22 */
+  name
+) VALUES (
+ 'Android 4.2.1'
+);
+
+/* Directories */
+
+INSERT INTO directories (		/*  1 */
+  path
+) VALUES (
+ '/bin'
+);
+
+INSERT INTO directories (		/*  2 */
+  path
+) VALUES (
+ '/etc'
+);
+
+INSERT INTO directories (		/*  3 */
+  path
+) VALUES (
+ '/lib'
+);
+
+INSERT INTO directories (		/*  4 */
+  path
+) VALUES (
+ '/lib/i386-linux-gnu'
+);
+
+INSERT INTO directories (		/*  5 */
+  path
+) VALUES (
+ '/lib/x86_64-linux-gnu'
+);
+
+INSERT INTO directories (		/*  6 */
+  path
+) VALUES (
+ '/lib/xtables'
+);
+
+INSERT INTO directories (		/*  7 */
+  path
+) VALUES (
+ '/sbin'
+);
+
+INSERT INTO directories (		/*  8 */
+  path
+) VALUES (
+ '/usr/bin'
+);
+
+INSERT INTO directories (		/*  9 */
+  path
+) VALUES (
+ '/usr/lib'
+);
+
+INSERT INTO directories (		/* 10 */
+  path
+) VALUES (
+ '/usr/lib/i386-linux-gnu'
+);
+
+INSERT INTO directories (		/* 11 */
+  path
+) VALUES (
+ '/usr/lib/x86_64-linux-gnu'
+);
+
+INSERT INTO directories (		/* 12 */
+  path
+) VALUES (
+ '/usr/sbin'
+);
+
+INSERT INTO directories (		/* 13 */
+  path
+) VALUES (
+ '/system/bin'
+);
+
+INSERT INTO directories (		/* 14 */
+  path
+) VALUES (
+ '/system/lib'
+);
+
+/* Files */
+
+INSERT INTO files (				/*  1 */
+  name, dir
+) VALUES (
+ 'libcrypto.so.1.0.0', 5
+);
+
+INSERT INTO files (				/*  2 */
+  name, dir
+) VALUES (
+ 'libcrypto.so.1.0.0', 11
+);
+
+INSERT INTO files (				/*  3 */
+  name, dir
+) VALUES (
+ 'libssl.so.1.0.0', 5
+);
+
+INSERT INTO files (				/*  4 */
+  name, dir
+) VALUES (
+ 'libssl.so.1.0.0', 11
+);
+
+INSERT INTO files (				/*  5 */
+  name, dir
+) VALUES (
+  'openssl', 8
+);
+
+INSERT INTO files (				/*  6 */
+  name, dir
+) VALUES (
+  'tnc_config', 2
+);
+
+/* Algorithms */
+
+INSERT INTO algorithms (
+  id, name
+) VALUES (
+  65536, 'SHA1-IMA' 
+);
+
+INSERT INTO algorithms (
+  id, name
+) VALUES (
+  32768, 'SHA1' 
+);
+
+INSERT INTO algorithms (
+  id, name
+) VALUES (
+  16384, 'SHA256' 
+);
+
+INSERT INTO algorithms (
+  id, name
+) VALUES (
+  8192, 'SHA384' 
+);
+
+/* File Hashes */
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  4, 2, 32768, X'6c6f8e12f6cbfba612e780374c4cdcd40f20968a' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  4, 2, 16384, X'dbcecd19d59310183cf5c31ddee29e8d7bec64d3f9583aad074330a1b3024b07' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  4, 2, 8192, X'197c5385e5853003188833d4f991136c1b0875fa416a60b1159f64e57e457b3184762c884a802a2bda194c058e3bd953' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  4, 4, 32768, X'3ad204f99eb7262efab79cfca02628870ea76361' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  4, 4, 16384, X'3a2170aad92fdd58b55e0e199822bc873cf587b2d1eb1ed7ed8dcea97ae86376' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  4, 4, 8192, X'f778076baa876b5e4b502494a3db081fb09dd870dee6991d54104a74b7e009c58fe261db5ffd13c11e08ef0cefcfa59f' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  4, 5, 32768, X'ecd9c7076cc0572724c7a67db7f19c2831e0445f' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  4, 5, 16384, X'28f3ea5afd34444c8232ea75003131e294a0c9b847de300e4b205d38c1a41305' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  4, 5, 8192, X'51921a8b9322f2d3f06d55002ff40a79da67e70cb563b2a50977642d603dfac2ccbb68b3d32a8bb350769b75d6254208' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  18, 1, 32768, X'd9309b9e45928239d7a7b18711e690792632cce4' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  18, 1, 16384, X'dbfa1856d278d8707c4989b30dd065b4bcd309908f0f2e6e66ff2aa83ff93f59' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  18, 1, 8192, X'fb8d027f03bb5ebb47741ed247eb9e174127b714d20229885feb37e0979aeb14a1b74020cded891d680441093625729c' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  18, 3, 32768, X'3715f2f94016a91fab5bbc503f0f1d43c5a9fc2b' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  18, 3, 16384, X'c03a5296b5decb87b01517f9927a8b2349dfb29ff9f5ba084f994c155ca5d4be' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  18, 3, 8192, X'b8bc345f56115235cc6091f61e312ce43ea54a5b99e7295002ae7b415fd35e06ec4c731ab70ad00d784bb53a318a2fa0' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  18, 5, 32768, X'e59602f4edf24c1b36199588886d06665d4adcd7' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  18, 5, 16384, X'090e1b77bda7fe665e498c6b5e09dbb7ddc5cfe57f213de48f4fb6736484f500' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  18, 5, 8192, X'7cbdb4612a13443dba910ecdef5161f2213e52c9b4a2eef14bcee5d287e9df931cd022e9e9715518ad9c9b6e3384a668' 
+);
+
 /* Packages */
 
-INSERT INTO packages (
+INSERT INTO packages (			/*  1 */
   name
 ) VALUES (
  'libssl-dev'
 );
 
-INSERT INTO packages (
+INSERT INTO packages (			/*  2 */
   name
 ) VALUES (
  'libssl1.0.0'
 );
 
-INSERT INTO packages (
+INSERT INTO packages (			/*  3 */
   name
 ) VALUES (
  'libssl1.0.0-dbg'
 );
 
-INSERT INTO packages (
+INSERT INTO packages (			/*  4 */
   name
 ) VALUES (
  'openssl'
@@ -84,24 +422,425 @@ INSERT INTO packages (
 
 INSERT INTO versions (
   package, product, release, time
-) values (
-  1, 1, '1.0.1e-2', 1366531494
+) VALUES (
+  1, 4, '1.0.1e-2', 1366531494
 );
 
 INSERT INTO versions (
   package, product, release, time
-) values (
-  2, 1, '1.0.1e-2', 1366531494
+) VALUES (
+  2, 4, '1.0.1e-2', 1366531494
 );
 
 INSERT INTO versions (
   package, product, release, time
-) values (
-  3, 1, '1.0.1e-2', 1366531494
+) VALUES (
+  3, 4, '1.0.1e-2', 1366531494
 );
 
 INSERT INTO versions (
   package, product, release, time
-) values (
-  4, 1, '1.0.1e-2', 1366531494
+) VALUES (
+  4, 4, '1.0.1e-2', 1366531494
+);
+
+/* Components */
+
+INSERT INTO components (
+  vendor_id, name, qualifier
+) VALUES (
+  36906, 1, 33  /* ITA TGRUB */
+);
+
+INSERT INTO components (
+  vendor_id, name, qualifier
+) VALUES (
+  36906, 2, 33  /* ITA TBOOT */
 );
+
+INSERT INTO components (
+  vendor_id, name, qualifier
+) VALUES (
+  36906, 3, 33  /* ITA IMA - Trusted Platform */
+);
+
+INSERT INTO components (
+  vendor_id, name, qualifier
+) VALUES (
+  36906, 3, 34  /* ITA IMA - Operating System */
+);
+
+/* Groups */
+
+INSERT INTO groups (			/*  1 */
+  name
+) VALUES (
+  'Default'
+);
+
+INSERT INTO groups (			/*  2 */
+  name, parent
+) VALUES (
+  'Linux', 1
+);
+
+INSERT INTO groups (			/*  3 */
+  name, parent
+) VALUES (
+  'Android', 1
+);
+
+INSERT INTO groups (			/*  4 */
+  name, parent
+) VALUES (
+  'Debian i686', 2
+);
+
+INSERT INTO groups (			/*  5 */
+  name, parent
+) VALUES (
+  'Debian x86_64', 2
+);
+
+INSERT INTO groups (			/*  6 */
+  name, parent
+) VALUES (
+  'Ubuntu i686', 2
+);
+
+INSERT INTO groups (			/*  7 */
+  name, parent
+) VALUES (
+  'Ubuntu x86_64', 2
+);
+
+INSERT INTO groups (			/*  8 */
+  name
+) VALUES (
+  'Reference'
+);
+
+INSERT INTO groups (			/*  9 */
+  name, parent
+) VALUES (
+  'Ref. Android', 8
+);
+
+INSERT INTO groups (			/* 10 */
+  name, parent
+) VALUES (
+  'Ref. Linux', 8
+);
+
+/* Default Product Groups */
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  4, 1
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  4, 3
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  4, 5
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  5, 2
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  5, 4
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  5, 6
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  6, 7
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  6, 9
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  6, 11
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  6, 13
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  6, 15
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  6, 17
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  6, 19
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  7, 8
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  7, 10
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  7, 12
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  7, 14
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  7, 16
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  7, 18
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  7, 20
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  3, 21
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  3, 22
+);
+
+/* Policies */
+
+INSERT INTO policies (			/*  1 */
+  type, name, rec_fail, rec_noresult
+) VALUES (
+  1, 'Installed Packages', 2, 2
+);
+
+INSERT INTO policies (			/*  2 */
+  type, name, rec_fail, rec_noresult
+) VALUES (
+  2, 'Unknown Source', 2, 2
+);
+
+INSERT INTO policies (			/*  3 */
+  type, name, rec_fail, rec_noresult
+) VALUES (
+  3, 'IP Forwarding Enabled',  1, 1
+);
+
+INSERT INTO policies (			/*  4 */
+  type, name, rec_fail, rec_noresult
+) VALUES (
+  4, 'Default Factory Password Enabled', 1, 1
+);
+
+INSERT INTO policies (			/*  5 */
+  type, name, file, rec_fail, rec_noresult
+) VALUES (
+  6, 'Measure /lib/x86_64-linux-gnu/libcrypto.so.1.0.0', 1, 2, 2
+);
+
+INSERT INTO policies (			/*  6 */
+  type, name, file, rec_fail, rec_noresult
+) VALUES (
+  6, 'Measure /lib/x86_64-linux-gnu/libssl.so.1.0.0', 3, 2, 2
+);
+
+INSERT INTO policies (			/*  7 */
+  type, name, file, rec_fail, rec_noresult
+) VALUES (
+  6, 'Measure /usr/bin/openssl', 5, 2, 2
+);
+
+INSERT INTO policies (			/*  8 */
+  type, name, rec_fail, rec_noresult
+) VALUES (
+  11, 'No Open TCP Ports', 1, 1
+);
+
+INSERT INTO policies (			/*  9 */
+  type, name, argument, rec_fail, rec_noresult
+) VALUES (
+  13, 'Open UDP Ports', '500 4500 10000-65000', 1, 1
+);
+
+INSERT INTO policies (			/* 10 */
+  type, name, file, rec_fail, rec_noresult
+) VALUES (
+  7, 'Metadata of /etc/tnc_config', 6, 0, 0
+);
+
+INSERT INTO policies (			/* 11 */
+  type, name, dir, rec_fail, rec_noresult
+) VALUES (
+  8, 'Get /bin', 1, 0, 0
+);
+
+INSERT INTO policies (			/*  12 */
+  type, name, file, rec_fail, rec_noresult
+) VALUES (
+  6, 'Measure /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0', 2, 2, 2
+);
+
+INSERT INTO policies (			/* 13 */
+  type, name, file, rec_fail, rec_noresult
+) VALUES (
+  6, 'Measure /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0', 4, 2, 2
+);
+
+INSERT INTO policies (			/* 14 */
+  type, name, dir, rec_fail, rec_noresult
+) VALUES (
+  8, 'Get /system/bin', 13, 0, 0
+);
+
+INSERT INTO policies (			/* 15 */
+  type, name, dir, rec_fail, rec_noresult
+) VALUES (
+  8, 'Get /system/lib', 14, 0, 0
+);
+
+/* Enforcements */
+
+INSERT INTO enforcements (
+  policy, group_id, max_age
+) VALUES (
+  1, 1, 86400
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age
+) VALUES (
+  2, 3, 0
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age
+) VALUES (
+  3, 2, 0
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age
+) VALUES (
+  5, 7, 86400
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age
+) VALUES (
+  6, 7, 86400
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age
+) VALUES (
+  7, 2, 86400
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age
+) VALUES (
+  8, 1, 60
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age
+) VALUES (
+  9, 1, 60
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age
+) VALUES (
+  10, 2, 60
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age
+) VALUES (
+  11, 10, 86400
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age
+) VALUES (
+  12, 5, 86400
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age
+) VALUES (
+  13, 5, 86400
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age
+) VALUES (
+  14, 9, 0
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age
+) VALUES (
+  15, 9, 0
+);
+
diff --git a/testing/hosts/default/etc/pts/data.sql~ b/testing/hosts/default/etc/pts/data.sql~
deleted file mode 100644
index b08d035ab..000000000
--- a/testing/hosts/default/etc/pts/data.sql~
+++ /dev/null
@@ -1,107 +0,0 @@
-/* Products */
-
-INSERT INTO products (
-  name
-) VALUES (
- 'Debian 7.0'
-);
-
-INSERT INTO products (
-  name
-) VALUES (
- 'Debian 7.0 i686'
-);
-
-INSERT INTO products (
-  name
-) VALUES (
- 'Debian 7.0 x86_64'
-);
-
-INSERT INTO products (
-  name
-) VALUES (
- 'Ubuntu 12.04'
-);
-
-INSERT INTO products (
-  name
-) VALUES (
- 'Ubuntu 12.04 i686'
-);
-
-INSERT INTO products (
-  name
-) VALUES (
- 'Ubuntu 12.04 x86_64'
-);
-
-INSERT INTO products (
-  name
-) VALUES (
- 'Ubuntu 12.10'
-);
-
-INSERT INTO products (
-  name
-) VALUES (
- 'Ubuntu 12.10 i686'
-);
-
-INSERT INTO products (
-  name
-) VALUES (
- 'Ubuntu 12.10 x86_64'
-);
-
-INSERT INTO versions (
-  package, product, release, time
-) values (
-  1, 1, '1.0.1e-2', 1366531494
-);
-
-/* Packages */
-
-INSERT INTO packages (
-  name
-) VALUES (
- 'libssl-dev'
-);
-
-INSERT INTO packages (
-  name
-) VALUES (
- 'libssl1.0.0'
-);
-
-INSERT INTO packages (
-  name
-) VALUES (
- 'libssl1.0.0-dbg'
-);
-
-INSERT INTO packages (
-  name
-) VALUES (
- 'openssl'
-);
-
-/* Versions */
-
-INSERT INTO versions (
-  package, product, release, time
-) values (
-  2, 1, '1.0.1e-2', 1366531494
-);
-
-INSERT INTO versions (
-  package, product, release, time
-) values (
-  3, 1, '1.0.1e-2', 1366531494
-);
-
-INSERT INTO versions (
-  package, product, release, time
-) values (
-  4, 1, '1.0.1e-2', 1366531494
-);
diff --git a/testing/hosts/default/etc/pts/tables.sql b/testing/hosts/default/etc/pts/tables.sql
index 0c038d365..4cc959e09 100644
--- a/testing/hosts/default/etc/pts/tables.sql
+++ b/testing/hosts/default/etc/pts/tables.sql
@@ -1,16 +1,26 @@
-/* PTS SQLite database */
+/* IMV PTS SQLite database */
 
-DROP TABLE IF EXISTS files;
-CREATE TABLE files (
+DROP TABLE IF EXISTS directories;
+CREATE TABLE directories (
   id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
-  type INTEGER NOT NULL,
   path TEXT NOT NULL
 );
-DROP INDEX IF EXISTS files_path;
-CREATE INDEX files_path ON files (
+DROP INDEX IF EXISTS directories_path;
+CREATE INDEX directories_path ON directories (
   path
 );
 
+DROP TABLE IF EXISTS files;
+CREATE TABLE files (
+  id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
+  dir INTEGER DEFAULT 0 REFERENCES directories(id),
+  name TEXT NOT NULL
+);
+DROP INDEX IF EXISTS files_name;
+CREATE INDEX files_name ON files (
+  name
+);
+
 DROP TABLE IF EXISTS products;
 CREATE TABLE products (
   id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
@@ -21,24 +31,21 @@ CREATE INDEX products_name ON products (
   name
 );
 
-DROP TABLE IF EXISTS product_file;
-CREATE TABLE product_file (
-  product INTEGER NOT NULL,
-  file INTEGER NOT NULL,
-  measurement INTEGER DEFAULT 0,
-  metadata INTEGER DEFAULT 0,
-  PRIMARY KEY (product, file)
+DROP TABLE IF EXISTS algorithms;
+CREATE TABLE algorithms (
+  id INTEGER PRIMARY KEY,
+  name VARCHAR(20) not NULL
 );
 
 DROP TABLE IF EXISTS file_hashes;
 CREATE TABLE file_hashes (
-  file INTEGER NOT NULL,
-  directory INTEGER DEFAULT 0,
-  product INTEGER NOT NULL,
-  key INTEGER DEFAULT 0,
-  algo INTEGER NOT NULL,
-  hash BLOB NOT NULL,
-  PRIMARY KEY(file, directory, product, algo)
+  id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
+  file INTEGER NOT NULL REFERENCES files(id),
+  product INTEGER NOT NULL REFERENCES products(id),
+  device INTEGER DEFAULT 0,
+  key INTEGER DEFAULT 0 REFERENCES keys(id),
+  algo INTEGER NOT NULL REFERENCES algorithms(id),
+  hash BLOB NOT NULL
 );
 
 DROP TABLE IF EXISTS keys;
@@ -56,6 +63,94 @@ CREATE INDEX keys_owner ON keys (
   owner
 );
 
+DROP TABLE IF EXISTS groups;
+CREATE TABLE groups (
+  id INTEGER NOT NULL PRIMARY KEY,
+  name VARCHAR(50) NOT NULL UNIQUE,
+  parent INTEGER
+);
+
+DROP TABLE IF EXISTS groups_members;
+CREATE TABLE groups_members (
+  id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
+  group_id INTEGER NOT NULL REFERENCES groups(id),
+  device_id INTEGER NOT NULL REFERENCES devices(id),
+  UNIQUE (group_id, device_id)
+);
+
+DROP TABLE IF EXISTS groups_product_defaults;
+CREATE TABLE groups_product_defaults (
+  id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
+  group_id INTEGER NOT NULL REFERENCES groups(id),
+  product_id INTEGER NOT NULL REFERENCES products(id),
+  UNIQUE (group_id, product_id)
+);
+
+DROP TABLE IF EXISTS policies;
+CREATE TABLE policies (
+  id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
+  type INTEGER NOT NULL,
+  name VARCHAR(100) NOT NULL UNIQUE,
+  argument TEXT DEFAULT '' NOT NULL,
+  rec_fail INTEGER NOT NULL,
+  rec_noresult INTEGER NOT NULL,
+  file INTEGER DEFAULT 0 REFERENCES files(id),
+  dir INTEGER DEFAULT 0 REFERENCES directories(id)
+);
+
+DROP TABLE IF EXISTS enforcements;
+CREATE TABLE enforcements (
+  id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
+  policy INTEGER NOT NULL REFERENCES policies(id),
+  group_id INTEGER NOT NULL REFERENCES groups(id),
+  rec_fail INTEGER,
+  rec_noresult INTEGER,
+  max_age INTEGER NOT NULL,
+  UNIQUE (policy, group_id)
+);
+
+DROP TABLE IF EXISTS sessions;
+CREATE TABLE sessions (
+  id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
+  time INTEGER NOT NULL,
+  connection INTEGER NOT NULL,
+  identity INTEGER DEFAULT 0 REFERENCES identities(id),
+  device INTEGER DEFAULT 0 REFERENCES devices(id),
+  product INTEGER DEFAULT 0 REFERENCES products(id),
+  rec INTEGER DEFAULT 3
+);
+
+DROP TABLE IF EXISTS workitems;
+CREATE TABLE workitems (
+  id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
+  session INTEGER NOT NULL REFERENCES sessions(id),
+  enforcement INTEGER NOT NULL REFERENCES enforcements(id),
+  type INTEGER NOT NULL,
+  arg_str TEXT,
+  arg_int INTEGER DEFAULT 0,
+  rec_fail INTEGER NOT NULL,
+  rec_noresult INTEGER NOT NULL,
+  rec_final INTEGER,
+  result TEXT
+);
+DROP INDEX IF EXISTS workitems_session;
+CREATE INDEX workitems_sessions ON workitems (
+  session
+);
+
+DROP TABLE IF EXISTS results;
+CREATE TABLE results (
+  id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
+  session INTEGER NOT NULL REFERENCES measurements(id),
+  policy INTEGER NOT NULL REFERENCES policies(id),
+  rec INTEGER NOT NULL,
+  result TEXT NOT NULL
+);
+DROP INDEX IF EXISTS results_session;
+CREATE INDEX results_session ON results (
+  session
+);
+
 DROP TABLE IF EXISTS components;
 CREATE TABLE components (
   id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
@@ -89,7 +184,8 @@ CREATE TABLE component_hashes (
 DROP TABLE IF EXISTS packages;
 CREATE TABLE packages (
   id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
-  name TEXT NOT NULL
+  name TEXT NOT NULL,
+  blacklist INTEGER DEFAULT 0
 );
 DROP INDEX IF EXISTS packages_name;
 CREATE INDEX packages_name ON packages (
@@ -99,10 +195,11 @@ CREATE INDEX packages_name ON packages (
 DROP TABLE IF EXISTS versions;
 CREATE TABLE versions (
   id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
-  package INTEGER NOT NULL,
-  product INTEGER NOT NULL,
+  package INTEGER NOT NULL REFERENCES packages(id),
+  product INTEGER NOT NULL REFERENCES products(id),
   release TEXT NOT NULL,
   security INTEGER DEFAULT 0,
+  blacklist INTEGER DEFAULT 0,
   time INTEGER DEFAULT 0
 );
 DROP INDEX IF EXISTS versions_release;
@@ -117,30 +214,21 @@ CREATE INDEX versions_package_product ON versions (
 DROP TABLE IF EXISTS devices;
 CREATE TABLE devices (
   id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
-  value BLOB NOT NULL
+  description TEXT DEFAULT '',
+  value TEXT NOT NULL,
+  product INTEGER REFERENCES products(id),
+  created INTEGER
 );
 DROP INDEX IF EXISTS devices_id;
 CREATE INDEX devices_value ON devices (
   value
 );
 
-DROP TABLE IF EXISTS device_infos;
-CREATE TABLE device_infos (
-  id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
-  device INTEGER NOT NULL,
-  time INTEGER NOT NULL,
-  ar_id INTEGER DEFAULT 0,
-  product INTEGER DEFAULT 0,
-  count INTEGER DEFAULT 0,
-  count_update INTEGER DEFAULT 0,
-  count_blacklist INTEGER DEFAULT 0,
-  flags INTEGER DEFAULT 0
-);
-
 DROP TABLE IF EXISTS identities;
 CREATE TABLE identities (
   id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
   type INTEGER NOT NULL,
-  data BLOB NOT NULL,
-  UNIQUE (type, data)
+  value BLOB NOT NULL,
+  UNIQUE (type, value)
 );
+
diff --git a/testing/hosts/default/root/.bashrc b/testing/hosts/default/root/.bashrc
new file mode 100644
index 000000000..078dbd601
--- /dev/null
+++ b/testing/hosts/default/root/.bashrc
@@ -0,0 +1,11 @@
+# don't store duplicate entries in the history
+export HISTCONTROL=erasedups
+# use a simple prompt of host:pwd# (user is always root)
+PS1='\h:\w\$ '
+# set the terminal title to host:pwd
+case $TERM in
+xterm*)
+	PROMPT_COMMAND='echo -ne "\033]0;${HOSTNAME}:${PWD}\007"'
+	;;
+esac
+
diff --git a/testing/hosts/winnetou/etc/openssl/ecdsa/index.txt b/testing/hosts/winnetou/etc/openssl/ecdsa/index.txt
index 358e0fd3a..1f01a4c26 100644
--- a/testing/hosts/winnetou/etc/openssl/ecdsa/index.txt
+++ b/testing/hosts/winnetou/etc/openssl/ecdsa/index.txt
@@ -1,6 +1,13 @@
-V	130621144307Z		01	unknown	/C=CH/O=Linux strongSwan/OU=ECDSA 521 bit/CN=moon.strongswan.org
-R	130621161252Z	080622162459Z	02	unknown	/C=CH/O=Linux strongSwan/OU=ECDSA 256 bit/CN=carol@strongswan.org
-V	130621161359Z		03	unknown	/C=CH/O=Linux strongSwan/OU=ECDSA 384 bit/CN=dave@strongswan.org
-V	130621162918Z		04	unknown	/C=CH/O=Linux strongSwan/OU=ECDSA 256 bit/CN=carol@strongswan.org
+R	130621144307Z	130627211828Z,superseded	01	unknown	/C=CH/O=Linux strongSwan/OU=ECDSA 521 bit/CN=moon.strongswan.org
+R	130621161252Z	080622162459Z,keyCompromise	02	unknown	/C=CH/O=Linux strongSwan/OU=ECDSA 256 bit/CN=carol@strongswan.org
+R	130621161359Z	130627211849Z,superseded	03	unknown	/C=CH/O=Linux strongSwan/OU=ECDSA 384 bit/CN=dave@strongswan.org
+R	130621162918Z	130627211852Z,superseded	04	unknown	/C=CH/O=Linux strongSwan/OU=ECDSA 256 bit/CN=carol@strongswan.org
 V	140611160633Z		05	unknown	/C=CH/O=Linux strongSwan/OU=ECDSA 256 bit/CN=moon.strongswan.org
 V	140611160706Z		06	unknown	/C=CH/O=Linux strongSwan/OU=ECDSA 384 bit/CN=moon.strongswan.org
+V	180602071743Z		07	unknown	/C=CH/O=Linux strongSwan/OU=ECDSA 256 bit/CN=moon.strongswan.org
+V	180602072050Z		08	unknown	/C=CH/O=Linux strongSwan/OU=ECDSA 384 bit/CN=moon.strongswan.org
+V	180602072738Z		09	unknown	/C=CH/O=Linux strongSwan/OU=ECDSA 256 bit/CN=carol@strongswan.org
+V	180602073154Z		0A	unknown	/C=CH/O=Linux strongSwan/OU=ECDSA 384 bit/CN=carol@strongswan.org
+V	180602073328Z		0B	unknown	/C=CH/O=Linux strongSwan/OU=ECDSA 256 bit/CN=dave@strongswan.org
+V	180602073519Z		0C	unknown	/C=CH/O=Linux strongSwan/OU=ECDSA 384 bit/CN=dave@strongswan.org
+V	180602100216Z		0D	unknown	/C=CH/O=Linux strongSwan/OU=ECDSA 521 bit/CN=moon.strongswan.org
diff --git a/testing/hosts/winnetou/etc/openssl/ecdsa/newcerts/08.pem b/testing/hosts/winnetou/etc/openssl/ecdsa/newcerts/08.pem
new file mode 100644
index 000000000..7bf96cdc8
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/ecdsa/newcerts/08.pem
@@ -0,0 +1,16 @@
+-----BEGIN CERTIFICATE-----
+MIICdzCCAdqgAwIBAgIBCDAKBggqhkjOPQQDBDBIMQswCQYDVQQGEwJDSDEZMBcG
+A1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UEAxMVc3Ryb25nU3dhbiBFQyBS
+b290IENBMB4XDTEzMDYyODA3MjA1MFoXDTE4MDYwMjA3MjA1MFowXjELMAkGA1UE
+BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xFjAUBgNVBAsTDUVDRFNB
+IDM4NCBiaXQxHDAaBgNVBAMTE21vb24uc3Ryb25nc3dhbi5vcmcwdjAQBgcqhkjO
+PQIBBgUrgQQAIgNiAAQh4YOVBbRxtdaM7uJvDrZqt6a1jJo+rijEV5Nw1OqU5jlk
+srCtZwcZXrR67MlqzFNyvkHtbcWRuBjL55xjQE+YavKnltuKu42COUhWXh760M/c
+2SNzsjvsJgGXAsiPwiajgYEwfzAfBgNVHSMEGDAWgBS6XflxthO1atHduja3qtLB
+7o/Y0jAeBgNVHREEFzAVghNtb29uLnN0cm9uZ3N3YW4ub3JnMDwGA1UdHwQ1MDMw
+MaAvoC2GK2h0dHA6Ly9jcmwuc3Ryb25nc3dhbi5vcmcvc3Ryb25nc3dhbl9lYy5j
+cmwwCgYIKoZIzj0EAwQDgYoAMIGGAkE35mfDj/fFUXGsetoU9l9Kt3jbIKYugJgE
+2gmv/MW8jwrqoP7y6ATHXJkonA6AvEK+o0ZMrae55lIKPkBh5xk3XQJBfp5Eqg6Y
+efRIXUeLksM56fRjVwJS6es7qb8l1q6+c1wC1A3lEHQvAs+kJxFfFyni2oxA923F
+h2eoaYy9vSqET5Q=
+-----END CERTIFICATE-----
diff --git a/testing/hosts/winnetou/etc/openssl/ecdsa/newcerts/09.pem b/testing/hosts/winnetou/etc/openssl/ecdsa/newcerts/09.pem
new file mode 100644
index 000000000..a85635faf
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/ecdsa/newcerts/09.pem
@@ -0,0 +1,15 @@
+-----BEGIN CERTIFICATE-----
+MIICXzCCAcCgAwIBAgIBCTAKBggqhkjOPQQDBDBIMQswCQYDVQQGEwJDSDEZMBcG
+A1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UEAxMVc3Ryb25nU3dhbiBFQyBS
+b290IENBMB4XDTEzMDYyODA3MjczOFoXDTE4MDYwMjA3MjczOFowXzELMAkGA1UE
+BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xFjAUBgNVBAsTDUVDRFNB
+IDI1NiBiaXQxHTAbBgNVBAMUFGNhcm9sQHN0cm9uZ3N3YW4ub3JnMFkwEwYHKoZI
+zj0CAQYIKoZIzj0DAQcDQgAEwYQaBELkyAVAzNzWJr9LqoK8gdKDv+Ns6D+ZQSAj
+BuX3bs5ZIn7BrRxYd+mbnpZ2in7FjXPWkcLkIK/cgay2n6OBgzCBgDAfBgNVHSME
+GDAWgBS6XflxthO1atHduja3qtLB7o/Y0jAfBgNVHREEGDAWgRRjYXJvbEBzdHJv
+bmdzd2FuLm9yZzA8BgNVHR8ENTAzMDGgL6AthitodHRwOi8vY3JsLnN0cm9uZ3N3
+YW4ub3JnL3N0cm9uZ3N3YW5fZWMuY3JsMAoGCCqGSM49BAMEA4GMADCBiAJCAIU5
+nZLSfuiHElf7SFHl/sXCTSQ5FhEjSdhpMUvsgwq0vnEJRRdsdEOmmtVT5yQFHDUR
+Z9YVl4/zP5EFyUepvCH5AkIB2WFJ5WZ3Ds76Tq9AxAPaFbsQapGgOmrRZ6lGkj49
+hzLfARkvr+fTbOrttOC4yTIfnYVygA2G1cQYzceY/JiSk00=
+-----END CERTIFICATE-----
diff --git a/testing/hosts/winnetou/etc/openssl/ecdsa/newcerts/0A.pem b/testing/hosts/winnetou/etc/openssl/ecdsa/newcerts/0A.pem
new file mode 100644
index 000000000..f43957143
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/ecdsa/newcerts/0A.pem
@@ -0,0 +1,16 @@
+-----BEGIN CERTIFICATE-----
+MIICfDCCAd2gAwIBAgIBCjAKBggqhkjOPQQDBDBIMQswCQYDVQQGEwJDSDEZMBcG
+A1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UEAxMVc3Ryb25nU3dhbiBFQyBS
+b290IENBMB4XDTEzMDYyODA3MzE1NFoXDTE4MDYwMjA3MzE1NFowXzELMAkGA1UE
+BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xFjAUBgNVBAsTDUVDRFNB
+IDM4NCBiaXQxHTAbBgNVBAMUFGNhcm9sQHN0cm9uZ3N3YW4ub3JnMHYwEAYHKoZI
+zj0CAQYFK4EEACIDYgAERiDlh/bOFDq6bSRdDq2ivOcNcxWSGlO5dy5yBRvAhTWl
+NJcy93jxhDIzF5mxPpmgNXpdmSBRKbm3ydkw8LbWI+5/lje06Yl6nOLBO6Zb7GqH
+XFO+BqJrUxzbdHXwxWqto4GDMIGAMB8GA1UdIwQYMBaAFLpd+XG2E7Vq0d26Nreq
+0sHuj9jSMB8GA1UdEQQYMBaBFGNhcm9sQHN0cm9uZ3N3YW4ub3JnMDwGA1UdHwQ1
+MDMwMaAvoC2GK2h0dHA6Ly9jcmwuc3Ryb25nc3dhbi5vcmcvc3Ryb25nc3dhbl9l
+Yy5jcmwwCgYIKoZIzj0EAwQDgYwAMIGIAkIA8mbKzo+mp8umjvpoQUo5pIvR1CQQ
+lvBGCUWv7mtq1CVBXzv7Z+HQqPsrL388RymEErA7BzDMkPKTa5E3ZV5LL38CQgDx
++v/cIcJdYngOOF0IgVSDzcGgSvOmMlPF/D97eC4Od7XwdYl5p9Sxi4SjmDZZi4r/
+EArN3teDfoc7CZcRxWcDhQ==
+-----END CERTIFICATE-----
diff --git a/testing/hosts/winnetou/etc/openssl/ecdsa/newcerts/0B.pem b/testing/hosts/winnetou/etc/openssl/ecdsa/newcerts/0B.pem
new file mode 100644
index 000000000..c83be145d
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/ecdsa/newcerts/0B.pem
@@ -0,0 +1,15 @@
+-----BEGIN CERTIFICATE-----
+MIICXDCCAb2gAwIBAgIBCzAKBggqhkjOPQQDBDBIMQswCQYDVQQGEwJDSDEZMBcG
+A1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UEAxMVc3Ryb25nU3dhbiBFQyBS
+b290IENBMB4XDTEzMDYyODA3MzMyOFoXDTE4MDYwMjA3MzMyOFowXjELMAkGA1UE
+BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xFjAUBgNVBAsTDUVDRFNB
+IDI1NiBiaXQxHDAaBgNVBAMUE2RhdmVAc3Ryb25nc3dhbi5vcmcwWTATBgcqhkjO
+PQIBBggqhkjOPQMBBwNCAAQ0aUuue3BcBvF6aEISID4c+mVBJyvSm2fPVRRkAQqh
+RktTHMYDWY6B8e/iGr4GDeF5bjr46vMB5eEtVx3chWbQo4GBMH8wHwYDVR0jBBgw
+FoAUul35cbYTtWrR3bo2t6rSwe6P2NIwHgYDVR0RBBcwFYETZGF2ZUBzdHJvbmdz
+d2FuLm9yZzA8BgNVHR8ENTAzMDGgL6AthitodHRwOi8vY3JsLnN0cm9uZ3N3YW4u
+b3JnL3N0cm9uZ3N3YW5fZWMuY3JsMAoGCCqGSM49BAMEA4GMADCBiAJCAd5ols9c
+CP6HPtfMXbPlSpUDKSRyB3c5Ix2Yn3z5ogMM1QSoS88FW8D7KKsb0qTY5TnlAls3
+45PmauVwEbI2cV6qAkIBphvsmhYWMnt/QMOij7DinihEL9Ib1vxOS2boUos6sHWi
+gj3wfHyfgHM3Pgt0YYoZxELDIxcLVJeoa1TmNey7IaI=
+-----END CERTIFICATE-----
diff --git a/testing/hosts/winnetou/etc/openssl/ecdsa/newcerts/0C.pem b/testing/hosts/winnetou/etc/openssl/ecdsa/newcerts/0C.pem
new file mode 100644
index 000000000..e97709a3f
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/ecdsa/newcerts/0C.pem
@@ -0,0 +1,16 @@
+-----BEGIN CERTIFICATE-----
+MIICeTCCAdqgAwIBAgIBDDAKBggqhkjOPQQDBDBIMQswCQYDVQQGEwJDSDEZMBcG
+A1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UEAxMVc3Ryb25nU3dhbiBFQyBS
+b290IENBMB4XDTEzMDYyODA3MzUxOVoXDTE4MDYwMjA3MzUxOVowXjELMAkGA1UE
+BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xFjAUBgNVBAsTDUVDRFNB
+IDM4NCBiaXQxHDAaBgNVBAMUE2RhdmVAc3Ryb25nc3dhbi5vcmcwdjAQBgcqhkjO
+PQIBBgUrgQQAIgNiAATVOQOBWOH7PhHx/mc+y5+uDpW/maSCkGwpnPP1dWQl4Dpr
+DokGZC8P+pm1j0sBvzbSCuHZCAkaSptYavgv4VVJ/X5u89tnj6QqQt/AtuPjCL7r
+3k3F0Nsj/TGSjRmcMr6jgYEwfzAfBgNVHSMEGDAWgBS6XflxthO1atHduja3qtLB
+7o/Y0jAeBgNVHREEFzAVgRNkYXZlQHN0cm9uZ3N3YW4ub3JnMDwGA1UdHwQ1MDMw
+MaAvoC2GK2h0dHA6Ly9jcmwuc3Ryb25nc3dhbi5vcmcvc3Ryb25nc3dhbl9lYy5j
+cmwwCgYIKoZIzj0EAwQDgYwAMIGIAkIB/x2+UiGE5T7229M2Ic2BMYLWSBQlZJeT
+d3uniJb3NAkeQAhDgj0TOxVdMz1SkgScLRS2RKYpsxiVsV+tVuijTMQCQgHn1WtY
+iiSY7OWcX9hQEqWDV0TxoNcgInEhsmtMbseCpR0dYXYsm54oC0pqVBeKp0GC7KJr
+ZEmeb0/mRB56osgppA==
+-----END CERTIFICATE-----
diff --git a/testing/hosts/winnetou/etc/openssl/ecdsa/newcerts/0D.pem b/testing/hosts/winnetou/etc/openssl/ecdsa/newcerts/0D.pem
new file mode 100644
index 000000000..25f0538a7
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/ecdsa/newcerts/0D.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICnTCCAf+gAwIBAgIBDTAKBggqhkjOPQQDBDBIMQswCQYDVQQGEwJDSDEZMBcG
+A1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UEAxMVc3Ryb25nU3dhbiBFQyBS
+b290IENBMB4XDTEzMDYyODEwMDIxNloXDTE4MDYwMjEwMDIxNlowXTELMAkGA1UE
+BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xFTATBgNVBAsTDEVDU0Eg
+NTIxIGJpdDEcMBoGA1UEAxMTbW9vbi5zdHJvbmdzd2FuLm9yZzCBmzAQBgcqhkjO
+PQIBBgUrgQQAIwOBhgAEAGWctqQ4b4fNSACnlcg5A3nxHU5X5qir+Ep8QziYNokU
+ri9N6ZPX3ipNlVAi6AYS7MXWZCBiT2g0yGFfwSxPha/rATR3m7acgyGQt0BE2UJ0
+Z7ZfjkjUPaKKEhmw0fy2t5gUhPaXMBXnu5hGjUz4gaaApsaJtr5eEwdQ0II9DG71
+tSA2o4GBMH8wHwYDVR0jBBgwFoAUul35cbYTtWrR3bo2t6rSwe6P2NIwHgYDVR0R
+BBcwFYITbW9vbi5zdHJvbmdzd2FuLm9yZzA8BgNVHR8ENTAzMDGgL6AthitodHRw
+Oi8vY3JsLnN0cm9uZ3N3YW4ub3JnL3N0cm9uZ3N3YW5fZWMuY3JsMAoGCCqGSM49
+BAMEA4GLADCBhwJBAjPn1KkfPOlfn51b6AtISSpccCsKJ6LhJiSLuQp0SzMrg3mv
+vSIkNpVrUigW0VVMwcanW3UuYKSxMBl3Z30+RpYCQgGh8v1XO4SO3DmVLD9+JLil
+9Dp0TNkzNLdOqeuIX6ili5yhnLU8chwSlpJ9d81FdAjHP9EDPO+7fTswC2vYL+Rm
+2A==
+-----END CERTIFICATE-----
diff --git a/testing/hosts/winnetou/etc/openssl/ecdsa/serial b/testing/hosts/winnetou/etc/openssl/ecdsa/serial
index 2c7456e3e..ff470b05e 100644
--- a/testing/hosts/winnetou/etc/openssl/ecdsa/serial
+++ b/testing/hosts/winnetou/etc/openssl/ecdsa/serial
@@ -1 +1 @@
-07
+0E
diff --git a/testing/scripts/recipes/006_tkm-rpc.mk b/testing/scripts/recipes/006_tkm-rpc.mk
index dc6847ca5..9e1d2cfc6 100644
--- a/testing/scripts/recipes/006_tkm-rpc.mk
+++ b/testing/scripts/recipes/006_tkm-rpc.mk
@@ -16,7 +16,7 @@ all: install
 	@touch $@
 
 .$(PKG)-built: .$(PKG)-cloned
-	cd $(PKG) && make tests && make
+	cd $(PKG) && make
 	@touch $@
 
 install: .$(PKG)-built
diff --git a/testing/scripts/recipes/010_tkm.mk b/testing/scripts/recipes/010_tkm.mk
index 971cd170f..cf24e1e26 100644
--- a/testing/scripts/recipes/010_tkm.mk
+++ b/testing/scripts/recipes/010_tkm.mk
@@ -14,7 +14,7 @@ all: install
 	@touch $@
 
 .$(PKG)-built: .$(PKG)-cloned
-	cd $(PKG) && make tests && make
+	cd $(PKG) && make
 	@touch $@
 
 install: .$(PKG)-built
diff --git a/testing/scripts/recipes/013_strongswan.mk b/testing/scripts/recipes/013_strongswan.mk
index 14fdebbc9..6240d4228 100644
--- a/testing/scripts/recipes/013_strongswan.mk
+++ b/testing/scripts/recipes/013_strongswan.mk
@@ -73,6 +73,9 @@ CONFIG_OPTS = \
 	--enable-unity \
 	--enable-unbound \
 	--enable-ipseckey \
+	--enable-cmd \
+	--enable-libipsec \
+	--enable-kernel-libipsec \
 	--enable-tkm
 
 export ADA_PROJECT_PATH=/usr/local/ada/lib/gnat
diff --git a/testing/testing.conf b/testing/testing.conf
index 7929dba3a..638762f9b 100644
--- a/testing/testing.conf
+++ b/testing/testing.conf
@@ -44,7 +44,7 @@ IMGDIR=$BUILDDIR/images
 
 # Base image settings
 # The base image is a pristine OS installation created using debootstrap.
-BASEIMGSIZE=1024
+BASEIMGSIZE=1280
 BASEIMGSUITE=wheezy
 BASEIMGARCH=amd64
 BASEIMG=$IMGDIR/debian-$BASEIMGSUITE-$BASEIMGARCH.$IMGEXT
diff --git a/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/moon/etc/ipsec.conf
index 7d0050212..5701b7a82 100644
--- a/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/moon/etc/ipsec.conf
@@ -18,5 +18,5 @@ conn rw
 	leftfirewall=yes
 	right=%any
 	rightauth=pubkey
-	rightauth2=xauth
+	rightauth2=xauth-eap
 	auto=add
diff --git a/testing/tests/ikev1/xauth-rsa-radius/description.txt b/testing/tests/ikev1/xauth-rsa-radius/description.txt
new file mode 100644
index 000000000..fb30d163e
--- /dev/null
+++ b/testing/tests/ikev1/xauth-rsa-radius/description.txt
@@ -0,0 +1,7 @@
+The roadwarrior <b>carol</b> sets up a connection to gateway <b>moon</b>.
+The authentication is based on RSA signatures (<b>RSASIG</b>) using X.509 certificates
+followed by extended authentication (<b>XAUTH</b>) of <b>carol</b> based on a user name
+equal to the <b>IKEv1</b> identity (<b>carol@strongswan.org</b>) and a user password
+defined and stored by <b>carol</b> in ipsec.secrets. Gateway <b>moon</b> verifies
+<b>carol</b>'s XAUTH user credentials using a RADIUS connection with AAA server
+<b>alice</b>.
diff --git a/testing/tests/ikev1/xauth-rsa-radius/evaltest.dat b/testing/tests/ikev1/xauth-rsa-radius/evaltest.dat
new file mode 100644
index 000000000..ee60292a3
--- /dev/null
+++ b/testing/tests/ikev1/xauth-rsa-radius/evaltest.dat
@@ -0,0 +1,9 @@
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA successful::YES
+moon:: cat /var/log/daemon.log::XAuth authentication of 'carol@strongswan.org' successful::YES
+moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev1/xauth-rsa-radius/hosts/alice/etc/freeradius/eap.conf b/testing/tests/ikev1/xauth-rsa-radius/hosts/alice/etc/freeradius/eap.conf
new file mode 100644
index 000000000..623f42904
--- /dev/null
+++ b/testing/tests/ikev1/xauth-rsa-radius/hosts/alice/etc/freeradius/eap.conf
@@ -0,0 +1,5 @@
+eap {
+  default_eap_type = md5
+  md5 {
+  }
+}
diff --git a/testing/tests/ikev1/xauth-rsa-radius/hosts/alice/etc/freeradius/proxy.conf b/testing/tests/ikev1/xauth-rsa-radius/hosts/alice/etc/freeradius/proxy.conf
new file mode 100644
index 000000000..23cba8d11
--- /dev/null
+++ b/testing/tests/ikev1/xauth-rsa-radius/hosts/alice/etc/freeradius/proxy.conf
@@ -0,0 +1,5 @@
+realm strongswan.org {
+  type     = radius
+  authhost = LOCAL
+  accthost = LOCAL
+}
diff --git a/testing/tests/ikev1/xauth-rsa-radius/hosts/alice/etc/freeradius/sites-available/default b/testing/tests/ikev1/xauth-rsa-radius/hosts/alice/etc/freeradius/sites-available/default
new file mode 100644
index 000000000..929b6cd74
--- /dev/null
+++ b/testing/tests/ikev1/xauth-rsa-radius/hosts/alice/etc/freeradius/sites-available/default
@@ -0,0 +1,39 @@
+authorize {
+  suffix
+  files
+}
+
+authenticate {
+  pap
+}
+
+preacct {
+  preprocess
+  acct_unique
+  suffix
+  files
+}
+
+accounting {
+  detail
+  unix
+  radutmp
+  attr_filter.accounting_response
+}
+
+session {
+  radutmp
+}
+
+post-auth {
+  exec
+  Post-Auth-Type REJECT {
+    attr_filter.access_reject
+  }
+}
+
+pre-proxy {
+}
+
+post-proxy {
+}
diff --git a/testing/tests/ikev1/xauth-rsa-radius/hosts/alice/etc/freeradius/users b/testing/tests/ikev1/xauth-rsa-radius/hosts/alice/etc/freeradius/users
new file mode 100644
index 000000000..4fb07b912
--- /dev/null
+++ b/testing/tests/ikev1/xauth-rsa-radius/hosts/alice/etc/freeradius/users
@@ -0,0 +1 @@
+carol	Cleartext-Password := "4iChxLT3"
diff --git a/testing/tests/ikev1/xauth-rsa-radius/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/xauth-rsa-radius/hosts/carol/etc/ipsec.conf
new file mode 100644
index 000000000..2fdd60f00
--- /dev/null
+++ b/testing/tests/ikev1/xauth-rsa-radius/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev1
+
+conn home
+	left=PH_IP_CAROL
+	leftcert=carolCert.pem
+	leftid=carol@strongswan.org
+	leftauth=pubkey
+	leftauth2=xauth
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightsubnet=10.1.0.0/16
+	rightid=@moon.strongswan.org
+	rightauth=pubkey
+	auto=add
diff --git a/testing/tests/ikev1/xauth-rsa-radius/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev1/xauth-rsa-radius/hosts/carol/etc/ipsec.secrets
new file mode 100644
index 000000000..d66f3fc24
--- /dev/null
+++ b/testing/tests/ikev1/xauth-rsa-radius/hosts/carol/etc/ipsec.secrets
@@ -0,0 +1,5 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: RSA carolKey.pem "nH5ZQEWtku0RJEZ6"
+
+carol@strongswan.org : XAUTH "4iChxLT3"
diff --git a/testing/tests/ikev1/xauth-rsa-radius/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/xauth-rsa-radius/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..5cd9bf11e
--- /dev/null
+++ b/testing/tests/ikev1/xauth-rsa-radius/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation gmp random nonce curl xauth-generic kernel-netlink socket-default updown stroke
+}
+
+libstrongswan {
+  dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/ikev1/xauth-rsa-radius/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/xauth-rsa-radius/hosts/moon/etc/ipsec.conf
new file mode 100644
index 000000000..f4ee067d5
--- /dev/null
+++ b/testing/tests/ikev1/xauth-rsa-radius/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,22 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev1
+
+conn rw
+	left=PH_IP_MOON
+	leftsubnet=10.1.0.0/16
+	leftid=@moon.strongswan.org
+	leftcert=moonCert.pem
+	leftauth=pubkey
+	leftfirewall=yes
+	right=%any
+	rightauth=pubkey
+	rightauth2=xauth-radius
+	auto=add
diff --git a/testing/tests/ikev1/xauth-rsa-radius/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev1/xauth-rsa-radius/hosts/moon/etc/ipsec.secrets
new file mode 100644
index 000000000..e86d6aa5c
--- /dev/null
+++ b/testing/tests/ikev1/xauth-rsa-radius/hosts/moon/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: RSA moonKey.pem
diff --git a/testing/tests/ikev1/xauth-rsa-radius/hosts/moon/etc/iptables.rules b/testing/tests/ikev1/xauth-rsa-radius/hosts/moon/etc/iptables.rules
new file mode 100644
index 000000000..1eb755354
--- /dev/null
+++ b/testing/tests/ikev1/xauth-rsa-radius/hosts/moon/etc/iptables.rules
@@ -0,0 +1,32 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow esp
+-A INPUT  -i eth0 -p 50 -j ACCEPT
+-A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+# allow IKE
+-A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT  -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+# allow RADIUS protocol with alice
+-A INPUT  -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT
+-A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/ikev1/xauth-rsa-radius/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/xauth-rsa-radius/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..77266cfa0
--- /dev/null
+++ b/testing/tests/ikev1/xauth-rsa-radius/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,11 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default fips-prf eap-radius updown
+  plugins {
+    eap-radius {
+      secret = gv6URkSs
+      server = PH_IP_ALICE
+    }
+  }
+}
diff --git a/testing/tests/ikev1/xauth-rsa-radius/posttest.dat b/testing/tests/ikev1/xauth-rsa-radius/posttest.dat
new file mode 100644
index 000000000..181949fb5
--- /dev/null
+++ b/testing/tests/ikev1/xauth-rsa-radius/posttest.dat
@@ -0,0 +1,5 @@
+moon::ipsec stop
+carol::ipsec stop
+alice::killall radiusd
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev1/xauth-rsa-radius/pretest.dat b/testing/tests/ikev1/xauth-rsa-radius/pretest.dat
new file mode 100644
index 000000000..9adc43d3e
--- /dev/null
+++ b/testing/tests/ikev1/xauth-rsa-radius/pretest.dat
@@ -0,0 +1,8 @@
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+alice::radiusd
+moon::ipsec start
+carol::ipsec start
+carol::sleep 1
+carol::ipsec up home
+carol::sleep 1
diff --git a/testing/tests/ikev1/xauth-rsa-radius/test.conf b/testing/tests/ikev1/xauth-rsa-radius/test.conf
new file mode 100644
index 000000000..b4088e8b4
--- /dev/null
+++ b/testing/tests/ikev1/xauth-rsa-radius/test.conf
@@ -0,0 +1,25 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice carol moon"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
+
+# Guest instances on which FreeRadius is started
+#
+RADIUSHOSTS="alice"
diff --git a/testing/tests/ikev2/dhcp-static-mac/hosts/venus/etc/dhcp/dhcpd.conf b/testing/tests/ikev2/dhcp-static-mac/hosts/venus/etc/dhcp/dhcpd.conf
index cdade2f2e..97c5efac6 100644
--- a/testing/tests/ikev2/dhcp-static-mac/hosts/venus/etc/dhcp/dhcpd.conf
+++ b/testing/tests/ikev2/dhcp-static-mac/hosts/venus/etc/dhcp/dhcpd.conf
@@ -14,11 +14,11 @@ subnet 10.1.0.0 netmask 255.255.0.0 {
 }
 
 host carol {
-  hardware ethernet            7a:a7:8f:fc:db:3b;
+  hardware ethernet            7a:a7:51:cc:22:4a;
   fixed-address                10.1.0.30;
 }
 
 host dave {
-  hardware ethernet            7a:a7:35:78:bc:85;
+  hardware ethernet            7a:a7:93:70:2b:21;
   fixed-address                10.1.0.40;
 }
diff --git a/testing/tests/ikev2/dhcp-static-mac/hosts/venus/etc/dnsmasq.conf b/testing/tests/ikev2/dhcp-static-mac/hosts/venus/etc/dnsmasq.conf
index 61d31a0ba..ed28c69ac 100644
--- a/testing/tests/ikev2/dhcp-static-mac/hosts/venus/etc/dnsmasq.conf
+++ b/testing/tests/ikev2/dhcp-static-mac/hosts/venus/etc/dnsmasq.conf
@@ -1,7 +1,7 @@
 interface=eth0
 dhcp-range=10.1.0.50,10.1.0.60,255.255.0.0,10.1.255.255
-dhcp-host=7a:a7:8f:fc:db:3b,10.1.0.30
-dhcp-host=7a:a7:35:78:bc:85,10.1.0.40
+dhcp-host=7a:a7:51:cc:22:4a,10.1.0.30
+dhcp-host=7a:a7:93:70:2b:21,10.1.0.40
 dhcp-option=option:router,PH_IP_MOON1
 dhcp-option=option:dns-server,PH_IP_VENUS
 dhcp-option=option:netbios-ns,PH_IP_ALICE
diff --git a/testing/tests/ikev2/nat-rw/pretest.dat b/testing/tests/ikev2/nat-rw/pretest.dat
index d701a1d61..f58e82adc 100644
--- a/testing/tests/ikev2/nat-rw/pretest.dat
+++ b/testing/tests/ikev2/nat-rw/pretest.dat
@@ -1,6 +1,7 @@
 alice::iptables-restore < /etc/iptables.rules
 venus::iptables-restore < /etc/iptables.rules
 sun::iptables-restore < /etc/iptables.rules
+moon::conntrack -F
 moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p udp -j SNAT --to-source PH_IP_MOON:1024-1100
 moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p tcp -j SNAT --to-source PH_IP_MOON:2000-2100
 alice::ipsec start
diff --git a/testing/tests/ikev2/net2net-dnssec/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/net2net-dnssec/hosts/moon/etc/ipsec.conf
index 6c11645f9..ea10eb0a3 100644
--- a/testing/tests/ikev2/net2net-dnssec/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/net2net-dnssec/hosts/moon/etc/ipsec.conf
@@ -14,7 +14,7 @@ conn net-net
 	left=PH_IP_MOON
 	leftid=moon.strongswan.org
 	leftsubnet=10.1.0.0/16
-	leftrsasigkey=moonPub.der
+	leftsigkey=moonPub.der
 	leftauth=pubkey
 	leftfirewall=yes
 	right=sun.strongswan.org
diff --git a/testing/tests/ikev2/net2net-dnssec/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/net2net-dnssec/hosts/sun/etc/ipsec.conf
index 76e41cd47..9e310050d 100644
--- a/testing/tests/ikev2/net2net-dnssec/hosts/sun/etc/ipsec.conf
+++ b/testing/tests/ikev2/net2net-dnssec/hosts/sun/etc/ipsec.conf
@@ -14,7 +14,7 @@ conn net-net
 	left=PH_IP_SUN
 	leftid=sun.strongswan.org
 	leftsubnet=10.2.0.0/16
-	leftrsasigkey=sunPub.der
+	leftsigkey=sunPub.der
 	leftauth=pubkey
 	leftfirewall=yes
 	right=moon.strongswan.org
diff --git a/testing/tests/ikev2/net2net-pkcs12/description.txt b/testing/tests/ikev2/net2net-pkcs12/description.txt
new file mode 100644
index 000000000..e66ea1918
--- /dev/null
+++ b/testing/tests/ikev2/net2net-pkcs12/description.txt
@@ -0,0 +1,8 @@
+A connection between the subnets behind the gateways <b>moon</b> and <b>sun</b> is set up.
+The authentication is based on <b>X.509 certificates</b> and an RSA private key stored in
+<b>PKCS12</b> format.
+<p/>
+Upon the successful establishment of the IPsec tunnel, <b>leftfirewall=yes</b> automatically
+inserts iptables-based firewall rules that let pass the tunneled traffic.
+In order to test both tunnel and firewall, client <b>alice</b> behind gateway <b>moon</b>
+pings client <b>bob</b> located behind gateway <b>sun</b>.
diff --git a/testing/tests/ikev2/net2net-pkcs12/evaltest.dat b/testing/tests/ikev2/net2net-pkcs12/evaltest.dat
new file mode 100644
index 000000000..2b37cad99
--- /dev/null
+++ b/testing/tests/ikev2/net2net-pkcs12/evaltest.dat
@@ -0,0 +1,7 @@
+moon::ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
+sun:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
+moon::ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
+sun:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
+sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
+sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/net2net-pkcs12/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/net2net-pkcs12/hosts/moon/etc/ipsec.conf
new file mode 100644
index 000000000..0296e1804
--- /dev/null
+++ b/testing/tests/ikev2/net2net-pkcs12/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,21 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+	mobike=no
+
+conn net-net 
+	left=PH_IP_MOON
+	leftid=@moon.strongswan.org
+	leftsubnet=10.1.0.0/16
+	leftfirewall=yes
+	right=PH_IP_SUN
+	rightid=@sun.strongswan.org
+	rightsubnet=10.2.0.0/16
+	auto=add
diff --git a/testing/tests/ikev2/net2net-pkcs12/hosts/moon/etc/ipsec.d/private/moonCert.p12 b/testing/tests/ikev2/net2net-pkcs12/hosts/moon/etc/ipsec.d/private/moonCert.p12
new file mode 100644
index 000000000..d3cca4fd5
Binary files /dev/null and b/testing/tests/ikev2/net2net-pkcs12/hosts/moon/etc/ipsec.d/private/moonCert.p12 differ
diff --git a/testing/tests/ikev2/net2net-pkcs12/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2/net2net-pkcs12/hosts/moon/etc/ipsec.secrets
new file mode 100644
index 000000000..802cfc681
--- /dev/null
+++ b/testing/tests/ikev2/net2net-pkcs12/hosts/moon/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: P12 moonCert.p12 "kUqd8O7mzbjXNJKQ"
diff --git a/testing/tests/ikev2/net2net-pkcs12/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/net2net-pkcs12/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..4628e70ce
--- /dev/null
+++ b/testing/tests/ikev2/net2net-pkcs12/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 rc2 pem pkcs1 pkcs7 pkcs8 pkcs12 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown
+  multiple_authentication = no
+}
diff --git a/testing/tests/ikev2/net2net-pkcs12/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/net2net-pkcs12/hosts/sun/etc/ipsec.conf
new file mode 100644
index 000000000..6dcedd0e6
--- /dev/null
+++ b/testing/tests/ikev2/net2net-pkcs12/hosts/sun/etc/ipsec.conf
@@ -0,0 +1,21 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+        keyingtries=1
+	keyexchange=ikev2
+	mobike=no
+
+conn net-net 
+	left=PH_IP_SUN
+	leftid=@sun.strongswan.org
+	leftsubnet=10.2.0.0/16
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+	rightsubnet=10.1.0.0/16
+	auto=add
diff --git a/testing/tests/ikev2/net2net-pkcs12/hosts/sun/etc/ipsec.d/private/sunCert.p12 b/testing/tests/ikev2/net2net-pkcs12/hosts/sun/etc/ipsec.d/private/sunCert.p12
new file mode 100644
index 000000000..1a9e2aa01
Binary files /dev/null and b/testing/tests/ikev2/net2net-pkcs12/hosts/sun/etc/ipsec.d/private/sunCert.p12 differ
diff --git a/testing/tests/ikev2/net2net-pkcs12/hosts/sun/etc/ipsec.secrets b/testing/tests/ikev2/net2net-pkcs12/hosts/sun/etc/ipsec.secrets
new file mode 100644
index 000000000..3dc85528c
--- /dev/null
+++ b/testing/tests/ikev2/net2net-pkcs12/hosts/sun/etc/ipsec.secrets
@@ -0,0 +1,8 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: P12 sunCert.p12 "IxjQVCF3JGI+MoPi"
+
+
+
+
+
diff --git a/testing/tests/ikev2/net2net-pkcs12/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/net2net-pkcs12/hosts/sun/etc/strongswan.conf
new file mode 100644
index 000000000..4628e70ce
--- /dev/null
+++ b/testing/tests/ikev2/net2net-pkcs12/hosts/sun/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 rc2 pem pkcs1 pkcs7 pkcs8 pkcs12 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown
+  multiple_authentication = no
+}
diff --git a/testing/tests/ikev2/net2net-pkcs12/posttest.dat b/testing/tests/ikev2/net2net-pkcs12/posttest.dat
new file mode 100644
index 000000000..0fbba487c
--- /dev/null
+++ b/testing/tests/ikev2/net2net-pkcs12/posttest.dat
@@ -0,0 +1,6 @@
+moon::ipsec stop
+sun::ipsec stop
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
+moon::rm /etc/ipsec.d/private/moonCert.p12
+sun::rm /etc/ipsec.d/private/sunCert.p12
diff --git a/testing/tests/ikev2/net2net-pkcs12/pretest.dat b/testing/tests/ikev2/net2net-pkcs12/pretest.dat
new file mode 100644
index 000000000..3492238f0
--- /dev/null
+++ b/testing/tests/ikev2/net2net-pkcs12/pretest.dat
@@ -0,0 +1,10 @@
+moon::rm /etc/ipsec.d/private/moonKey.pem
+moon::rm /etc/ipsec.d/cacerts/strongswanCert.pem
+sun::rm /etc/ipsec.d/private/sunKey.pem
+sun::rm /etc/ipsec.d/cacerts/strongswanCert.pem
+moon::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
+moon::ipsec start
+sun::ipsec start
+moon::sleep 1 
+moon::ipsec up net-net
diff --git a/testing/tests/ikev2/net2net-pkcs12/test.conf b/testing/tests/ikev2/net2net-pkcs12/test.conf
new file mode 100644
index 000000000..646b8b3e6
--- /dev/null
+++ b/testing/tests/ikev2/net2net-pkcs12/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon winnetou sun bob"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-w-s-b.png"
+ 
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="sun"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon sun"
diff --git a/testing/tests/ikev2/net2net-pubkey/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/net2net-pubkey/hosts/moon/etc/ipsec.conf
index 29d15a6b5..bcc6d5b69 100644
--- a/testing/tests/ikev2/net2net-pubkey/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/net2net-pubkey/hosts/moon/etc/ipsec.conf
@@ -13,12 +13,12 @@ conn net-net
 	left=PH_IP_MOON
 	leftsubnet=10.1.0.0/16
 	leftid=@moon.strongswan.org
-	leftrsasigkey=moonPub.der
+	leftsigkey=moonPub.der
 	leftauth=pubkey
 	leftfirewall=yes
 	right=PH_IP_SUN
 	rightsubnet=10.2.0.0/16
 	rightid=@sun.strongswan.org
-	rightrsasigkey=sunPub.der
+	rightsigkey=sunPub.der
 	rightauth=pubkey
 	auto=add
diff --git a/testing/tests/ikev2/net2net-pubkey/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/net2net-pubkey/hosts/sun/etc/ipsec.conf
index c60cf918f..4fe2e67de 100644
--- a/testing/tests/ikev2/net2net-pubkey/hosts/sun/etc/ipsec.conf
+++ b/testing/tests/ikev2/net2net-pubkey/hosts/sun/etc/ipsec.conf
@@ -13,10 +13,10 @@ conn net-net
 	left=PH_IP_SUN
 	leftsubnet=10.2.0.0/16
 	leftid=@sun.strongswan.org
-	leftrsasigkey=sunPub.der
+	leftsigkey=sunPub.der
 	leftfirewall=yes
 	right=PH_IP_MOON
 	rightsubnet=10.1.0.0/16
 	rightid=@moon.strongswan.org
-	rightrsasigkey=moonPub.der
+	rightsigkey=moonPub.der
 	auto=add
diff --git a/testing/tests/ikev2/net2net-rsa/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/net2net-rsa/hosts/moon/etc/ipsec.conf
index 9cac82eaf..c0ee06240 100644
--- a/testing/tests/ikev2/net2net-rsa/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/net2net-rsa/hosts/moon/etc/ipsec.conf
@@ -13,12 +13,12 @@ conn net-net
 	left=PH_IP_MOON
 	leftsubnet=10.1.0.0/16
 	leftid=@moon.strongswan.org
-	leftrsasigkey=0sAQN+mkeECF5Bm7XnDkkkfmgny/TZndTkN1XzFZWB7nJroM3cTk3zMtdSPX8hY9GQxVGWSsmUBq7mGA5Qx39JpRNpyzxW7wRcMbwqDquG1PRfblLzV1ixdXOGSLUNaXonqDI/h5fCkqTuZtLbE4q3Pf4PmQAwzWVWaTZQ1gXXqUqKlN6218Hm2vbvNRE/CBHuFMmaCz11jckvaPvcqBLZzRTx9b/Mi+qD6xT7k9RpYHmtaGCJ95ed1bY6SZkapgHWu88/3M6bxCzD0KOA3oFbwlkHkFyaGWFB2+fc7L6BfYq0wr/d84tQdOxEn3BwLTrVKo7+6AxDrMi0I+blD2nd9cxj
+	leftsigkey=dns:0sAQN+mkeECF5Bm7XnDkkkfmgny/TZndTkN1XzFZWB7nJroM3cTk3zMtdSPX8hY9GQxVGWSsmUBq7mGA5Qx39JpRNpyzxW7wRcMbwqDquG1PRfblLzV1ixdXOGSLUNaXonqDI/h5fCkqTuZtLbE4q3Pf4PmQAwzWVWaTZQ1gXXqUqKlN6218Hm2vbvNRE/CBHuFMmaCz11jckvaPvcqBLZzRTx9b/Mi+qD6xT7k9RpYHmtaGCJ95ed1bY6SZkapgHWu88/3M6bxCzD0KOA3oFbwlkHkFyaGWFB2+fc7L6BfYq0wr/d84tQdOxEn3BwLTrVKo7+6AxDrMi0I+blD2nd9cxj
 	leftauth=pubkey
 	leftfirewall=yes
 	right=PH_IP_SUN
 	rightsubnet=10.2.0.0/16
 	rightid=@sun.strongswan.org
-	rightrsasigkey=0sAQOiSuR9e/WMZFOxK3IdaFBOT2DGoObFDJURejqLcjMpmY2yVbA9Lpc+AEGKxqjb37WG6sVo3fBCDBOAhgmMw9s0b6DTSeXaIQloqW1M8IC+xe1fT+F0BsW1ttaEN0WTF5H+J+a4/arYg4HyiA+sjoqHagnCVPM15Rm5mkmg913XmSCgtkenD4WUq+NfPLuOcggqTjHAAoGD0doswRa3sebyqHQNAb32PXW9ecKi9ExcPrdr5hR5uNXRMYGumBtoxcE6xEvCM/sPRK1hbyynixc5nfMQ5Ymb4mdCUotUGaCyKDa4pF58sYgP6xpd/HXMXGdRP+KxqA4sfes46gp8UuJT
+	rightsigkey=dns:0sAQOiSuR9e/WMZFOxK3IdaFBOT2DGoObFDJURejqLcjMpmY2yVbA9Lpc+AEGKxqjb37WG6sVo3fBCDBOAhgmMw9s0b6DTSeXaIQloqW1M8IC+xe1fT+F0BsW1ttaEN0WTF5H+J+a4/arYg4HyiA+sjoqHagnCVPM15Rm5mkmg913XmSCgtkenD4WUq+NfPLuOcggqTjHAAoGD0doswRa3sebyqHQNAb32PXW9ecKi9ExcPrdr5hR5uNXRMYGumBtoxcE6xEvCM/sPRK1hbyynixc5nfMQ5Ymb4mdCUotUGaCyKDa4pF58sYgP6xpd/HXMXGdRP+KxqA4sfes46gp8UuJT
 	rightauth=pubkey
 	auto=add
diff --git a/testing/tests/ikev2/net2net-rsa/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/net2net-rsa/hosts/sun/etc/ipsec.conf
index 3a89b4088..b089e9f48 100644
--- a/testing/tests/ikev2/net2net-rsa/hosts/sun/etc/ipsec.conf
+++ b/testing/tests/ikev2/net2net-rsa/hosts/sun/etc/ipsec.conf
@@ -13,10 +13,10 @@ conn net-net
 	left=PH_IP_SUN
 	leftsubnet=10.2.0.0/16
 	leftid=@sun.strongswan.org
-	leftrsasigkey=0sAQOiSuR9e/WMZFOxK3IdaFBOT2DGoObFDJURejqLcjMpmY2yVbA9Lpc+AEGKxqjb37WG6sVo3fBCDBOAhgmMw9s0b6DTSeXaIQloqW1M8IC+xe1fT+F0BsW1ttaEN0WTF5H+J+a4/arYg4HyiA+sjoqHagnCVPM15Rm5mkmg913XmSCgtkenD4WUq+NfPLuOcggqTjHAAoGD0doswRa3sebyqHQNAb32PXW9ecKi9ExcPrdr5hR5uNXRMYGumBtoxcE6xEvCM/sPRK1hbyynixc5nfMQ5Ymb4mdCUotUGaCyKDa4pF58sYgP6xpd/HXMXGdRP+KxqA4sfes46gp8UuJT
+	leftsigkey=dns:0sAQOiSuR9e/WMZFOxK3IdaFBOT2DGoObFDJURejqLcjMpmY2yVbA9Lpc+AEGKxqjb37WG6sVo3fBCDBOAhgmMw9s0b6DTSeXaIQloqW1M8IC+xe1fT+F0BsW1ttaEN0WTF5H+J+a4/arYg4HyiA+sjoqHagnCVPM15Rm5mkmg913XmSCgtkenD4WUq+NfPLuOcggqTjHAAoGD0doswRa3sebyqHQNAb32PXW9ecKi9ExcPrdr5hR5uNXRMYGumBtoxcE6xEvCM/sPRK1hbyynixc5nfMQ5Ymb4mdCUotUGaCyKDa4pF58sYgP6xpd/HXMXGdRP+KxqA4sfes46gp8UuJT
 	leftfirewall=yes
 	right=PH_IP_MOON
 	rightsubnet=10.1.0.0/16
 	rightid=@moon.strongswan.org
-	rightrsasigkey=0sAQN+mkeECF5Bm7XnDkkkfmgny/TZndTkN1XzFZWB7nJroM3cTk3zMtdSPX8hY9GQxVGWSsmUBq7mGA5Qx39JpRNpyzxW7wRcMbwqDquG1PRfblLzV1ixdXOGSLUNaXonqDI/h5fCkqTuZtLbE4q3Pf4PmQAwzWVWaTZQ1gXXqUqKlN6218Hm2vbvNRE/CBHuFMmaCz11jckvaPvcqBLZzRTx9b/Mi+qD6xT7k9RpYHmtaGCJ95ed1bY6SZkapgHWu88/3M6bxCzD0KOA3oFbwlkHkFyaGWFB2+fc7L6BfYq0wr/d84tQdOxEn3BwLTrVKo7+6AxDrMi0I+blD2nd9cxj
+	rightsigkey=dns:0sAQN+mkeECF5Bm7XnDkkkfmgny/TZndTkN1XzFZWB7nJroM3cTk3zMtdSPX8hY9GQxVGWSsmUBq7mGA5Qx39JpRNpyzxW7wRcMbwqDquG1PRfblLzV1ixdXOGSLUNaXonqDI/h5fCkqTuZtLbE4q3Pf4PmQAwzWVWaTZQ1gXXqUqKlN6218Hm2vbvNRE/CBHuFMmaCz11jckvaPvcqBLZzRTx9b/Mi+qD6xT7k9RpYHmtaGCJ95ed1bY6SZkapgHWu88/3M6bxCzD0KOA3oFbwlkHkFyaGWFB2+fc7L6BfYq0wr/d84tQdOxEn3BwLTrVKo7+6AxDrMi0I+blD2nd9cxj
 	auto=add
diff --git a/testing/tests/ikev2/rw-dnssec/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-dnssec/hosts/carol/etc/ipsec.conf
index 70deaa036..082b18a7f 100644
--- a/testing/tests/ikev2/rw-dnssec/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-dnssec/hosts/carol/etc/ipsec.conf
@@ -13,7 +13,7 @@ conn home
 	left=%any
 	leftsourceip=%config
 	leftid=carol.strongswan.org
-	leftrsasigkey="0sAwEAAdBdWU+BF7x4lyo+xHnr4UAOU89yQQuT5vdPoXzx6kRPsjYAuuktgXR+SaLkQHw/YRgDPSKj5nzmmlOQf/rWRr+8O2q+C92aUICmkNvZGamo5w2WlOMZ6T5dk2Hv+QM6xT/GzWyVr1dMYu/7tywD1Bw7aW/HqkRESDu6q95VWu+Lzg6XlxCNEez0YsZrN/fC6BL2qzKAqMBbIHFW8OOnh+nEY4IF5AzkZnFrw12GI72Z882pw97lyKwZhSz/GMQFBJx+rnNdw5P1IJwTlG5PUdoDCte/Mcr1iiA+zOovx55x1GoGxduoXWU5egrf1MtalRf9Pc8Xr4q3WEKTAmsZrVE="
+	leftsigkey="dns:0sAwEAAdBdWU+BF7x4lyo+xHnr4UAOU89yQQuT5vdPoXzx6kRPsjYAuuktgXR+SaLkQHw/YRgDPSKj5nzmmlOQf/rWRr+8O2q+C92aUICmkNvZGamo5w2WlOMZ6T5dk2Hv+QM6xT/GzWyVr1dMYu/7tywD1Bw7aW/HqkRESDu6q95VWu+Lzg6XlxCNEez0YsZrN/fC6BL2qzKAqMBbIHFW8OOnh+nEY4IF5AzkZnFrw12GI72Z882pw97lyKwZhSz/GMQFBJx+rnNdw5P1IJwTlG5PUdoDCte/Mcr1iiA+zOovx55x1GoGxduoXWU5egrf1MtalRf9Pc8Xr4q3WEKTAmsZrVE="
 	leftauth=pubkey
 	leftfirewall=yes
 	right=moon.strongswan.org
diff --git a/testing/tests/ikev2/rw-dnssec/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/rw-dnssec/hosts/dave/etc/ipsec.conf
index 24ffdd3b1..a68f981d1 100644
--- a/testing/tests/ikev2/rw-dnssec/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-dnssec/hosts/dave/etc/ipsec.conf
@@ -13,7 +13,7 @@ conn home
 	left=%any
 	leftsourceip=%config
 	leftid=dave.strongswan.org
-	leftrsasigkey="0sAwEAAcAH8lNvBVjmg0XT7wF6F1tzQ055f5uXRI5yClmFrqdswFA7jWO04jmvlduD2wr2X4Ng6dlBkSwSEhVkOgrzIYj8UgQT6BZF/44uYjyTYr4bV2SVML9U/a1lYxBhBazpSdfeKJWkdxwjcJCqolZ719mwiyrQn2P2G7qH10YgRuifpFcMs8jkMiIgpzevSMMc0OwhQPNyO5R0LEoUIy4dQJ9rU8GKqmPmk/pdPQaAjpSNuCc1Y9M9vZrETs/XHmBCZXCIWJiz5VOHZ+r073E3Gef9ibMuTj9g2XLvFhdDfU26FK9GkfuOwnWnhVK66diq9xw9Qqynk+8K0J4a81Paq3U="
+	leftsigkey="dns:0sAwEAAcAH8lNvBVjmg0XT7wF6F1tzQ055f5uXRI5yClmFrqdswFA7jWO04jmvlduD2wr2X4Ng6dlBkSwSEhVkOgrzIYj8UgQT6BZF/44uYjyTYr4bV2SVML9U/a1lYxBhBazpSdfeKJWkdxwjcJCqolZ719mwiyrQn2P2G7qH10YgRuifpFcMs8jkMiIgpzevSMMc0OwhQPNyO5R0LEoUIy4dQJ9rU8GKqmPmk/pdPQaAjpSNuCc1Y9M9vZrETs/XHmBCZXCIWJiz5VOHZ+r073E3Gef9ibMuTj9g2XLvFhdDfU26FK9GkfuOwnWnhVK66diq9xw9Qqynk+8K0J4a81Paq3U="
 	leftauth=pubkey
 	leftfirewall=yes
 	right=moon.strongswan.org
diff --git a/testing/tests/ikev2/rw-dnssec/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-dnssec/hosts/moon/etc/ipsec.conf
index a199a4824..74ddc6e01 100644
--- a/testing/tests/ikev2/rw-dnssec/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-dnssec/hosts/moon/etc/ipsec.conf
@@ -14,7 +14,7 @@ conn rw
 	leftsubnet=10.1.0.0/16
 	leftid=moon.strongswan.org
 	leftauth=pubkey
-	leftrsasigkey=moonPub.der
+	leftsigkey=moonPub.der
 	leftfirewall=yes
 	right=%any
 	rightauth=pubkey
diff --git a/testing/tests/ipv6/host2host-ikev1/hosts/moon/etc/ipsec.conf b/testing/tests/ipv6/host2host-ikev1/hosts/moon/etc/ipsec.conf
index 7daa37cfa..9e68eb674 100644
--- a/testing/tests/ipv6/host2host-ikev1/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ipv6/host2host-ikev1/hosts/moon/etc/ipsec.conf
@@ -14,6 +14,7 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	keyexchange=ikev1
+	fragmentation=yes
 
 conn net-net
 	also=host-host
diff --git a/testing/tests/ipv6/host2host-ikev1/hosts/moon/etc/strongswan.conf b/testing/tests/ipv6/host2host-ikev1/hosts/moon/etc/strongswan.conf
index 5ef523e47..7f26bc4d4 100644
--- a/testing/tests/ipv6/host2host-ikev1/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ipv6/host2host-ikev1/hosts/moon/etc/strongswan.conf
@@ -3,4 +3,6 @@
 charon {
   hash_and_url = yes
   load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown
+
+  fragment_size = 1024
 }
diff --git a/testing/tests/ipv6/host2host-ikev1/hosts/sun/etc/ipsec.conf b/testing/tests/ipv6/host2host-ikev1/hosts/sun/etc/ipsec.conf
index bbaa09bb7..23bc5c627 100644
--- a/testing/tests/ipv6/host2host-ikev1/hosts/sun/etc/ipsec.conf
+++ b/testing/tests/ipv6/host2host-ikev1/hosts/sun/etc/ipsec.conf
@@ -14,6 +14,7 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	keyexchange=ikev1
+	fragmentation=yes
 
 conn net-net
 	also=host-host
diff --git a/testing/tests/ipv6/host2host-ikev1/hosts/sun/etc/strongswan.conf b/testing/tests/ipv6/host2host-ikev1/hosts/sun/etc/strongswan.conf
index 5ef523e47..7f26bc4d4 100644
--- a/testing/tests/ipv6/host2host-ikev1/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ipv6/host2host-ikev1/hosts/sun/etc/strongswan.conf
@@ -3,4 +3,6 @@
 charon {
   hash_and_url = yes
   load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown
+
+  fragment_size = 1024
 }
diff --git a/testing/tests/ipv6/net2net-ikev1/hosts/moon/etc/ipsec.conf b/testing/tests/ipv6/net2net-ikev1/hosts/moon/etc/ipsec.conf
index d07486483..4821989a9 100644
--- a/testing/tests/ipv6/net2net-ikev1/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ipv6/net2net-ikev1/hosts/moon/etc/ipsec.conf
@@ -14,6 +14,7 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	keyexchange=ikev1
+	fragmentation=yes
 
 conn net-net
 	also=host-host
diff --git a/testing/tests/ipv6/net2net-ikev1/hosts/moon/etc/strongswan.conf b/testing/tests/ipv6/net2net-ikev1/hosts/moon/etc/strongswan.conf
index ca23c6971..5ffc1a22a 100644
--- a/testing/tests/ipv6/net2net-ikev1/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ipv6/net2net-ikev1/hosts/moon/etc/strongswan.conf
@@ -2,4 +2,6 @@
 
 charon {
   load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown
+
+  fragment_size = 1024
 }
diff --git a/testing/tests/ipv6/net2net-ikev1/hosts/sun/etc/ipsec.conf b/testing/tests/ipv6/net2net-ikev1/hosts/sun/etc/ipsec.conf
index bbaa09bb7..23bc5c627 100644
--- a/testing/tests/ipv6/net2net-ikev1/hosts/sun/etc/ipsec.conf
+++ b/testing/tests/ipv6/net2net-ikev1/hosts/sun/etc/ipsec.conf
@@ -14,6 +14,7 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	keyexchange=ikev1
+	fragmentation=yes
 
 conn net-net
 	also=host-host
diff --git a/testing/tests/ipv6/net2net-ikev1/hosts/sun/etc/strongswan.conf b/testing/tests/ipv6/net2net-ikev1/hosts/sun/etc/strongswan.conf
index ca23c6971..5ffc1a22a 100644
--- a/testing/tests/ipv6/net2net-ikev1/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ipv6/net2net-ikev1/hosts/sun/etc/strongswan.conf
@@ -2,4 +2,6 @@
 
 charon {
   load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown
+
+  fragment_size = 1024
 }
diff --git a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/hosts/moon/etc/ipsec.conf b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/hosts/moon/etc/ipsec.conf
index 6ecd05cae..c43086f76 100644
--- a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/hosts/moon/etc/ipsec.conf
@@ -14,6 +14,7 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	keyexchange=ikev1
+	fragmentation=yes
 
 conn net-net
 	also=host-host
diff --git a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/hosts/moon/etc/strongswan.conf b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/hosts/moon/etc/strongswan.conf
index ca23c6971..5ffc1a22a 100644
--- a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/hosts/moon/etc/strongswan.conf
@@ -2,4 +2,6 @@
 
 charon {
   load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown
+
+  fragment_size = 1024
 }
diff --git a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/hosts/sun/etc/ipsec.conf b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/hosts/sun/etc/ipsec.conf
index be4c0d862..8e6478c51 100644
--- a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/hosts/sun/etc/ipsec.conf
+++ b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/hosts/sun/etc/ipsec.conf
@@ -14,6 +14,7 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	keyexchange=ikev1
+	fragmentation=yes
 
 conn net-net
 	also=host-host
diff --git a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/hosts/sun/etc/strongswan.conf b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/hosts/sun/etc/strongswan.conf
index ca23c6971..d4b9a55a4 100644
--- a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/hosts/sun/etc/strongswan.conf
@@ -2,4 +2,6 @@
 
 charon {
   load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown
+
+  fragment_size=1024
 }
diff --git a/testing/tests/ipv6/rw-ikev1/hosts/carol/etc/ipsec.conf b/testing/tests/ipv6/rw-ikev1/hosts/carol/etc/ipsec.conf
index 5393623d3..4bcfd19dd 100644
--- a/testing/tests/ipv6/rw-ikev1/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ipv6/rw-ikev1/hosts/carol/etc/ipsec.conf
@@ -14,6 +14,7 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	keyexchange=ikev1
+	fragmentation=yes
 
 conn home
 	left=PH_IP6_CAROL
diff --git a/testing/tests/ipv6/rw-ikev1/hosts/carol/etc/strongswan.conf b/testing/tests/ipv6/rw-ikev1/hosts/carol/etc/strongswan.conf
index ca23c6971..5ffc1a22a 100644
--- a/testing/tests/ipv6/rw-ikev1/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ipv6/rw-ikev1/hosts/carol/etc/strongswan.conf
@@ -2,4 +2,6 @@
 
 charon {
   load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown
+
+  fragment_size = 1024
 }
diff --git a/testing/tests/ipv6/rw-ikev1/hosts/dave/etc/ipsec.conf b/testing/tests/ipv6/rw-ikev1/hosts/dave/etc/ipsec.conf
index f897cfd1a..125303638 100644
--- a/testing/tests/ipv6/rw-ikev1/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ipv6/rw-ikev1/hosts/dave/etc/ipsec.conf
@@ -14,6 +14,7 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	keyexchange=ikev1
+	fragmentation=yes
 
 conn home
 	left=PH_IP6_DAVE
diff --git a/testing/tests/ipv6/rw-ikev1/hosts/dave/etc/strongswan.conf b/testing/tests/ipv6/rw-ikev1/hosts/dave/etc/strongswan.conf
index ca23c6971..5ffc1a22a 100644
--- a/testing/tests/ipv6/rw-ikev1/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ipv6/rw-ikev1/hosts/dave/etc/strongswan.conf
@@ -2,4 +2,6 @@
 
 charon {
   load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown
+
+  fragment_size = 1024
 }
diff --git a/testing/tests/ipv6/rw-ikev1/hosts/moon/etc/ipsec.conf b/testing/tests/ipv6/rw-ikev1/hosts/moon/etc/ipsec.conf
index 6a7ae6765..880b1b2e7 100644
--- a/testing/tests/ipv6/rw-ikev1/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ipv6/rw-ikev1/hosts/moon/etc/ipsec.conf
@@ -14,6 +14,7 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	keyexchange=ikev1
+	fragmentation=yes
 
 conn rw
 	left=PH_IP6_MOON
diff --git a/testing/tests/ipv6/rw-ikev1/hosts/moon/etc/strongswan.conf b/testing/tests/ipv6/rw-ikev1/hosts/moon/etc/strongswan.conf
index ca23c6971..5ffc1a22a 100644
--- a/testing/tests/ipv6/rw-ikev1/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ipv6/rw-ikev1/hosts/moon/etc/strongswan.conf
@@ -2,4 +2,6 @@
 
 charon {
   load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown
+
+  fragment_size = 1024
 }
diff --git a/testing/tests/ipv6/transport-ikev1/hosts/moon/etc/ipsec.conf b/testing/tests/ipv6/transport-ikev1/hosts/moon/etc/ipsec.conf
index 163308353..f2938f307 100644
--- a/testing/tests/ipv6/transport-ikev1/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ipv6/transport-ikev1/hosts/moon/etc/ipsec.conf
@@ -14,6 +14,7 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	keyexchange=ikev1
+	fragmentation=yes
 
 conn host-host
 	left=PH_IP6_MOON
diff --git a/testing/tests/ipv6/transport-ikev1/hosts/moon/etc/strongswan.conf b/testing/tests/ipv6/transport-ikev1/hosts/moon/etc/strongswan.conf
index ca23c6971..5ffc1a22a 100644
--- a/testing/tests/ipv6/transport-ikev1/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ipv6/transport-ikev1/hosts/moon/etc/strongswan.conf
@@ -2,4 +2,6 @@
 
 charon {
   load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown
+
+  fragment_size = 1024
 }
diff --git a/testing/tests/ipv6/transport-ikev1/hosts/sun/etc/ipsec.conf b/testing/tests/ipv6/transport-ikev1/hosts/sun/etc/ipsec.conf
index 48d48908d..9af8aa862 100644
--- a/testing/tests/ipv6/transport-ikev1/hosts/sun/etc/ipsec.conf
+++ b/testing/tests/ipv6/transport-ikev1/hosts/sun/etc/ipsec.conf
@@ -14,6 +14,7 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	keyexchange=ikev1
+	fragmentation=yes
 
 conn host-host
 	left=PH_IP6_SUN
diff --git a/testing/tests/ipv6/transport-ikev1/hosts/sun/etc/strongswan.conf b/testing/tests/ipv6/transport-ikev1/hosts/sun/etc/strongswan.conf
index ca23c6971..5ffc1a22a 100644
--- a/testing/tests/ipv6/transport-ikev1/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ipv6/transport-ikev1/hosts/sun/etc/strongswan.conf
@@ -2,4 +2,6 @@
 
 charon {
   load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown
+
+  fragment_size = 1024
 }
diff --git a/testing/tests/libipsec/net2net-cert/description.txt b/testing/tests/libipsec/net2net-cert/description.txt
new file mode 100644
index 000000000..433d97574
--- /dev/null
+++ b/testing/tests/libipsec/net2net-cert/description.txt
@@ -0,0 +1,8 @@
+A connection between the subnets behind the gateways <b>moon</b> and <b>sun</b> is set up.
+The authentication is based on <b>X.509 certificates</b> and the <b>kernel-libipsec</b> 
+plugin is used for userland IPsec ESP encryption.
+<p/>
+Upon the successful establishment of the IPsec tunnel, an updown script automatically
+inserts iptables-based firewall rules that let pass the traffic tunneled via the
+<b>ipsec0</b> tun interface. In order to test both tunnel and firewall, client <b>alice</b>
+behind gateway <b>moon</b> pings client <b>bob</b> located behind gateway <b>sun</b>.
diff --git a/testing/tests/libipsec/net2net-cert/evaltest.dat b/testing/tests/libipsec/net2net-cert/evaltest.dat
new file mode 100644
index 000000000..f702ceadf
--- /dev/null
+++ b/testing/tests/libipsec/net2net-cert/evaltest.dat
@@ -0,0 +1,7 @@
+moon::ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
+sun:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
+moon::ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
+sun:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
+sun::tcpdump::IP moon.strongswan.org.4500 > sun.strongswan.org.4500: UDP-encap: ESP::YES
+sun::tcpdump::IP sun.strongswan.org.4500 > moon.strongswan.org.4500: UDP-encap: ESP::YES
diff --git a/testing/tests/libipsec/net2net-cert/hosts/moon/etc/ipsec.conf b/testing/tests/libipsec/net2net-cert/hosts/moon/etc/ipsec.conf
new file mode 100644
index 000000000..631adfcd3
--- /dev/null
+++ b/testing/tests/libipsec/net2net-cert/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,22 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+	mobike=no
+
+conn net-net 
+	left=PH_IP_MOON
+	leftcert=moonCert.pem
+	leftid=@moon.strongswan.org
+	leftsubnet=10.1.0.0/16
+	leftupdown=/etc/updown
+	right=PH_IP_SUN
+	rightid=@sun.strongswan.org
+	rightsubnet=10.2.0.0/16
+	auto=add
diff --git a/testing/tests/libipsec/net2net-cert/hosts/moon/etc/strongswan.conf b/testing/tests/libipsec/net2net-cert/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..97bb34aed
--- /dev/null
+++ b/testing/tests/libipsec/net2net-cert/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-libipsec kernel-netlink socket-default updown
+  multiple_authentication = no
+}
diff --git a/testing/tests/libipsec/net2net-cert/hosts/moon/etc/updown b/testing/tests/libipsec/net2net-cert/hosts/moon/etc/updown
new file mode 100755
index 000000000..1a68ada0e
--- /dev/null
+++ b/testing/tests/libipsec/net2net-cert/hosts/moon/etc/updown
@@ -0,0 +1,705 @@
+#! /bin/sh
+# iproute2 version, default updown script
+#
+# Copyright (C) 2003-2004 Nigel Meteringham
+# Copyright (C) 2003-2004 Tuomo Soini
+# Copyright (C) 2002-2004 Michael Richardson
+# Copyright (C) 2005-2007 Andreas Steffen <andreas.steffen@strongswan.org>
+#
+# This program is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 2 of the License, or (at your
+# option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+# or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+# for more details.
+
+# CAUTION:  Installing a new version of strongSwan will install a new
+# copy of this script, wiping out any custom changes you make.  If
+# you need changes, make a copy of this under another name, and customize
+# that, and use the (left/right)updown parameters in ipsec.conf to make
+# strongSwan use yours instead of this default one.
+
+# things that this script gets (from ipsec_pluto(8) man page)
+#
+#      PLUTO_VERSION
+#              indicates  what  version of this interface is being
+#              used.  This document describes version  1.1.   This
+#              is upwardly compatible with version 1.0.
+#
+#       PLUTO_VERB
+#              specifies the name of the operation to be performed
+#              (prepare-host, prepare-client, up-host, up-client,
+#              down-host, or down-client).  If the address family
+#              for security gateway to security gateway communica-
+#              tions is IPv6, then a suffix of -v6 is added to the
+#              verb.
+#
+#       PLUTO_CONNECTION
+#              is the name of the  connection  for  which  we  are
+#              routing.
+#
+#       PLUTO_NEXT_HOP
+#              is the next hop to which packets bound for the peer
+#              must be sent.
+#
+#       PLUTO_INTERFACE
+#              is the name of the ipsec interface to be used.
+#
+#       PLUTO_REQID
+#              is the requid of the ESP policy
+#
+#       PLUTO_UNIQUEID
+#              is the unique identifier of the associated IKE_SA
+#
+#       PLUTO_ME
+#              is the IP address of our host.
+#
+#       PLUTO_MY_ID
+#              is the ID of our host.
+#
+#       PLUTO_MY_CLIENT
+#              is the IP address / count of our client subnet.  If
+#              the  client  is  just  the  host,  this will be the
+#              host's own IP address / max (where max  is  32  for
+#              IPv4 and 128 for IPv6).
+#
+#       PLUTO_MY_CLIENT_NET
+#              is the IP address of our client net.  If the client
+#              is just the host, this will be the  host's  own  IP
+#              address.
+#
+#       PLUTO_MY_CLIENT_MASK
+#              is  the  mask for our client net.  If the client is
+#              just the host, this will be 255.255.255.255.
+#
+#       PLUTO_MY_SOURCEIP
+#       PLUTO_MY_SOURCEIP4_$i
+#       PLUTO_MY_SOURCEIP6_$i
+#              contains IPv4/IPv6 virtual IP received from a responder,
+#              $i enumerates from 1 to the number of IP per address family.
+#              PLUTO_MY_SOURCEIP is a legacy variable and equals to the first
+#              virtual IP, IPv4 or IPv6.
+#
+#       PLUTO_MY_PROTOCOL
+#              is the IP protocol that will be transported.
+#
+#       PLUTO_MY_PORT
+#              is  the  UDP/TCP  port  to  which  the IPsec SA  is
+#              restricted on our side.
+#
+#       PLUTO_PEER
+#              is the IP address of our peer.
+#
+#       PLUTO_PEER_ID
+#              is the ID of our peer.
+#
+#       PLUTO_PEER_CA
+#              is the CA which issued the cert of our peer.
+#
+#       PLUTO_PEER_CLIENT
+#              is the IP address / count of the peer's client sub-
+#              net.   If the client is just the peer, this will be
+#              the peer's own IP address / max (where  max  is  32
+#              for IPv4 and 128 for IPv6).
+#
+#       PLUTO_PEER_CLIENT_NET
+#              is the IP address of the peer's client net.  If the
+#              client is just the peer, this will  be  the  peer's
+#              own IP address.
+#
+#       PLUTO_PEER_CLIENT_MASK
+#              is  the  mask  for  the  peer's client net.  If the
+#              client   is   just   the   peer,   this   will   be
+#              255.255.255.255.
+#
+#       PLUTO_PEER_PROTOCOL
+#              is the IP protocol that will be transported.
+#
+#       PLUTO_PEER_PORT
+#              is  the  UDP/TCP  port  to  which  the IPsec SA  is
+#              restricted on the peer side.
+#
+#       PLUTO_XAUTH_ID
+#              is an optional user ID employed by the XAUTH protocol
+#
+#       PLUTO_MARK_IN
+#              is an optional XFRM mark set on the inbound IPsec SA
+#
+#       PLUTO_MARK_OUT
+#              is an optional XFRM mark set on the outbound IPsec SA
+#
+#       PLUTO_UDP_ENC
+#              contains the remote UDP port in the case of ESP_IN_UDP
+#              encapsulation
+#
+#       PLUTO_DNS4_$i
+#       PLUTO_DNS6_$i
+#              contains IPv4/IPv6 DNS server attribute received from a
+#              responder, $i enumerates from 1 to the number of servers per
+#              address family.
+#
+
+# define a minimum PATH environment in case it is not set
+PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/sbin"
+export PATH
+
+# uncomment to log VPN connections
+VPN_LOGGING=1
+#
+# tag put in front of each log entry:
+TAG=vpn
+#
+# syslog facility and priority used:
+FAC_PRIO=local0.notice
+#
+# to create a special vpn logging file, put the following line into
+# the syslog configuration file /etc/syslog.conf:
+#
+# local0.notice                   -/var/log/vpn
+
+# in order to use source IP routing the Linux kernel options
+# CONFIG_IP_ADVANCED_ROUTER and CONFIG_IP_MULTIPLE_TABLES
+# must be enabled
+#
+# special routing table for sourceip routes
+SOURCEIP_ROUTING_TABLE=220
+#
+# priority of the sourceip routing table
+SOURCEIP_ROUTING_TABLE_PRIO=220
+
+# check interface version
+case "$PLUTO_VERSION" in
+1.[0|1])	# Older Pluto?!?  Play it safe, script may be using new features.
+	echo "$0: obsolete interface version \`$PLUTO_VERSION'," >&2
+	echo "$0: 	called by obsolete Pluto?" >&2
+	exit 2
+	;;
+1.*)	;;
+*)	echo "$0: unknown interface version \`$PLUTO_VERSION'" >&2
+	exit 2
+	;;
+esac
+
+# check parameter(s)
+case "$1:$*" in
+':')			# no parameters
+	;;
+iptables:iptables)	# due to (left/right)firewall; for default script only
+	;;
+custom:*)		# custom parameters (see above CAUTION comment)
+	;;
+*)	echo "$0: unknown parameters \`$*'" >&2
+	exit 2
+	;;
+esac
+
+# utility functions for route manipulation
+# Meddling with this stuff should not be necessary and requires great care.
+uproute() {
+	doroute add
+	ip route flush cache
+}
+downroute() {
+	doroute delete
+	ip route flush cache
+}
+
+addsource() {
+	st=0
+	if ! ip -o route get ${PLUTO_MY_SOURCEIP%/*} | grep -q ^local
+	then
+	    it="ip addr add ${PLUTO_MY_SOURCEIP%/*}/32 dev $PLUTO_INTERFACE"
+	    oops="`eval $it 2>&1`"
+	    st=$?
+	    if test " $oops" = " " -a " $st" != " 0"
+	    then
+		oops="silent error, exit status $st"
+	    fi
+	    if test " $oops" != " " -o " $st" != " 0"
+	    then
+		echo "$0: addsource \`$it' failed ($oops)" >&2
+	    fi
+	fi
+	return $st
+}
+
+doroute() {
+	st=0
+
+	if [ -z "$PLUTO_MY_SOURCEIP" ]
+	then
+	    for dir in /etc/sysconfig /etc/conf.d; do
+		if [ -f "$dir/defaultsource" ]
+		then
+		    . "$dir/defaultsource"
+		fi
+	    done
+
+	    if [ -n "$DEFAULTSOURCE" ]
+	    then
+		PLUTO_MY_SOURCEIP=$DEFAULTSOURCE
+	    fi
+        fi
+
+	if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ]
+	then
+	    # leave because no route entry is required
+	    return $st
+	fi
+
+	parms1="$PLUTO_PEER_CLIENT"
+
+	if [ -n "$PLUTO_NEXT_HOP" ]
+	then
+	    parms2="via $PLUTO_NEXT_HOP"
+	else
+	    parms2="via $PLUTO_PEER"
+	fi
+	parms2="$parms2 dev $PLUTO_INTERFACE"
+
+	parms3=
+	if [ -n "$PLUTO_MY_SOURCEIP" ]
+	then
+	    if test "$1" = "add"
+	    then
+		addsource
+		if ! ip rule list | grep -q "lookup $SOURCEIP_ROUTING_TABLE"
+		then
+		    ip rule add pref $SOURCEIP_ROUTING_TABLE_PRIO table $SOURCEIP_ROUTING_TABLE
+		fi
+	    fi
+	    parms3="$parms3 src ${PLUTO_MY_SOURCEIP%/*} table $SOURCEIP_ROUTING_TABLE"
+	fi
+
+	case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
+	"0.0.0.0/0.0.0.0")
+		# opportunistic encryption work around
+		# need to provide route that eclipses default, without
+		# replacing it.
+		it="ip route $1 0.0.0.0/1 $parms2 $parms3 &&
+			ip route $1 128.0.0.0/1 $parms2 $parms3"
+		;;
+	*)	it="ip route $1 $parms1 $parms2 $parms3"
+		;;
+	esac
+	oops="`eval $it 2>&1`"
+	st=$?
+	if test " $oops" = " " -a " $st" != " 0"
+	then
+	    oops="silent error, exit status $st"
+	fi
+	if test " $oops" != " " -o " $st" != " 0"
+	then
+	    echo "$0: doroute \`$it' failed ($oops)" >&2
+	fi
+	return $st
+}
+
+# in the presence of KLIPS and ipsecN interfaces do not use IPSEC_POLICY
+if [ `echo "$PLUTO_INTERFACE" | grep "ipsec"` ]
+then
+	KLIPS=1
+	IPSEC_POLICY_IN=""
+	IPSEC_POLICY_OUT=""
+else
+	KLIPS=
+	IPSEC_POLICY="-m policy --pol ipsec --proto esp --reqid $PLUTO_REQID"
+	IPSEC_POLICY_IN="$IPSEC_POLICY --dir in"
+	IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out"
+fi
+
+# are there port numbers?
+if [ "$PLUTO_MY_PORT" != 0 ]
+then
+	S_MY_PORT="--sport $PLUTO_MY_PORT"
+	D_MY_PORT="--dport $PLUTO_MY_PORT"
+fi
+if [ "$PLUTO_PEER_PORT" != 0 ]
+then
+	S_PEER_PORT="--sport $PLUTO_PEER_PORT"
+	D_PEER_PORT="--dport $PLUTO_PEER_PORT"
+fi
+
+# resolve octal escape sequences
+PLUTO_MY_ID=`printf "$PLUTO_MY_ID"`
+PLUTO_PEER_ID=`printf "$PLUTO_PEER_ID"`
+
+# the big choice
+case "$PLUTO_VERB:$1" in
+prepare-host:*|prepare-client:*)
+	if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ]
+	then
+	    # exit because no route will be added,
+	    # so that existing routes can stay
+	    exit 0
+	fi
+
+	# delete possibly-existing route (preliminary to adding a route)
+	case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
+	"0.0.0.0/0.0.0.0")
+		# need to provide route that eclipses default, without
+		# replacing it.
+		parms1="0.0.0.0/1"
+		parms2="128.0.0.0/1"
+		it="ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1"
+		oops="`ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1`"
+		;;
+	*)
+		parms="$PLUTO_PEER_CLIENT"
+		it="ip route delete $parms 2>&1"
+		oops="`ip route delete $parms 2>&1`"
+		;;
+	esac
+	status="$?"
+	if test " $oops" = " " -a " $status" != " 0"
+	then
+		oops="silent error, exit status $status"
+	fi
+	case "$oops" in
+	*'RTNETLINK answers: No such process'*)
+		# This is what route (currently -- not documented!) gives
+		# for "could not find such a route".
+		oops=
+		status=0
+		;;
+	esac
+	if test " $oops" != " " -o " $status" != " 0"
+	then
+		echo "$0: \`$it' failed ($oops)" >&2
+	fi
+	exit $status
+	;;
+route-host:*|route-client:*)
+	# connection to me or my client subnet being routed
+	uproute
+	;;
+unroute-host:*|unroute-client:*)
+	# connection to me or my client subnet being unrouted
+	downroute
+	;;
+up-host:)
+	# connection to me coming up
+	# If you are doing a custom version, firewall commands go here.
+	;;
+down-host:)
+	# connection to me going down
+	# If you are doing a custom version, firewall commands go here.
+	;;
+up-client:)
+	# connection to my client subnet coming up
+	# If you are doing a custom version, firewall commands go here.
+	PLUTO_INTERFACE=ipsec0
+	iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	    -s $PLUTO_MY_CLIENT $S_MY_PORT \
+	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+	iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	    -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	    -d $PLUTO_MY_CLIENT $D_MY_PORT -j ACCEPT
+	;;
+down-client:)
+	# connection to my client subnet going down
+	# If you are doing a custom version, firewall commands go here.
+	PLUTO_INTERFACE=ipsec0
+	iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	    -s $PLUTO_MY_CLIENT $S_MY_PORT \
+	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+	iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	    -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	    -d $PLUTO_MY_CLIENT $D_MY_PORT -j ACCEPT
+	;;
+up-host:iptables)
+	# connection to me, with (left/right)firewall=yes, coming up
+	# This is used only by the default updown script, not by your custom
+	# ones, so do not mess with it; see CAUTION comment up at top.
+	iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	    -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	    -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+	iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	    -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
+	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+	#
+	# log IPsec host connection setup
+	if [ $VPN_LOGGING ]
+	then
+	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
+	  then
+	    logger -t $TAG -p $FAC_PRIO \
+	      "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
+	  else
+	    logger -t $TAG -p $FAC_PRIO \
+	      "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
+	  fi
+	fi
+	;;
+down-host:iptables)
+	# connection to me, with (left/right)firewall=yes, going down
+	# This is used only by the default updown script, not by your custom
+	# ones, so do not mess with it; see CAUTION comment up at top.
+	iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	    -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	    -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+	iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	    -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
+	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+	#
+	# log IPsec host connection teardown
+	if [ $VPN_LOGGING ]
+	then
+	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
+	  then
+	    logger -t $TAG -p $FAC_PRIO -- \
+	      "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
+	  else
+	    logger -t $TAG -p $FAC_PRIO -- \
+	    "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
+	  fi
+	fi
+	;;
+up-client:iptables)
+	# connection to client subnet, with (left/right)firewall=yes, coming up
+	# This is used only by the default updown script, not by your custom
+	# ones, so do not mess with it; see CAUTION comment up at top.
+	if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
+	then
+	  iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
+	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
+	  iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	      -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+	fi
+	#
+	# a virtual IP requires an INPUT and OUTPUT rule on the host
+	# or sometimes host access via the internal IP is needed
+	if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
+	then
+	  iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	      -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+	  iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
+	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
+	fi
+	#
+	# log IPsec client connection setup
+	if [ $VPN_LOGGING ]
+	then
+	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
+	  then
+	    logger -t $TAG -p $FAC_PRIO \
+	      "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+	  else
+	    logger -t $TAG -p $FAC_PRIO \
+	      "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+	  fi
+	fi
+	;;
+down-client:iptables)
+	# connection to client subnet, with (left/right)firewall=yes, going down
+	# This is used only by the default updown script, not by your custom
+	# ones, so do not mess with it; see CAUTION comment up at top.
+	if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
+	then
+	  iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
+	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
+	         $IPSEC_POLICY_OUT -j ACCEPT
+	  iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	      -d $PLUTO_MY_CLIENT $D_MY_PORT \
+	         $IPSEC_POLICY_IN -j ACCEPT
+	fi
+	#
+	# a virtual IP requires an INPUT and OUTPUT rule on the host
+	# or sometimes host access via the internal IP is needed
+	if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
+	then
+	  iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	      -d $PLUTO_MY_CLIENT $D_MY_PORT \
+	         $IPSEC_POLICY_IN -j ACCEPT
+	  iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
+	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
+	         $IPSEC_POLICY_OUT -j ACCEPT
+	fi
+	#
+	# log IPsec client connection teardown
+	if [ $VPN_LOGGING ]
+	then
+	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
+	  then
+	    logger -t $TAG -p $FAC_PRIO -- \
+	      "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+	  else
+	    logger -t $TAG -p $FAC_PRIO -- \
+	      "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+	  fi
+	fi
+	;;
+#
+# IPv6
+#
+prepare-host-v6:*|prepare-client-v6:*)
+	;;
+route-host-v6:*|route-client-v6:*)
+	# connection to me or my client subnet being routed
+	#uproute_v6
+	;;
+unroute-host-v6:*|unroute-client-v6:*)
+	# connection to me or my client subnet being unrouted
+	#downroute_v6
+	;;
+up-host-v6:)
+	# connection to me coming up
+	# If you are doing a custom version, firewall commands go here.
+	;;
+down-host-v6:)
+	# connection to me going down
+	# If you are doing a custom version, firewall commands go here.
+	;;
+up-client-v6:)
+	# connection to my client subnet coming up
+	# If you are doing a custom version, firewall commands go here.
+	;;
+down-client-v6:)
+	# connection to my client subnet going down
+	# If you are doing a custom version, firewall commands go here.
+	;;
+up-host-v6:iptables)
+	# connection to me, with (left/right)firewall=yes, coming up
+	# This is used only by the default updown script, not by your custom
+	# ones, so do not mess with it; see CAUTION comment up at top.
+	ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	    -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	    -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+	ip6tables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	    -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
+	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+	#
+	# log IPsec host connection setup
+	if [ $VPN_LOGGING ]
+	then
+	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ]
+	  then
+	    logger -t $TAG -p $FAC_PRIO \
+	      "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
+	  else
+	    logger -t $TAG -p $FAC_PRIO \
+	      "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
+	  fi
+	fi
+	;;
+down-host-v6:iptables)
+	# connection to me, with (left/right)firewall=yes, going down
+	# This is used only by the default updown script, not by your custom
+	# ones, so do not mess with it; see CAUTION comment up at top.
+	ip6tables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	    -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	    -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+	ip6tables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	    -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
+	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+	#
+	# log IPsec host connection teardown
+	if [ $VPN_LOGGING ]
+	then
+	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ]
+	  then
+	    logger -t $TAG -p $FAC_PRIO -- \
+	      "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
+	  else
+	    logger -t $TAG -p $FAC_PRIO -- \
+	    "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
+	  fi
+	fi
+	;;
+up-client-v6:iptables)
+	# connection to client subnet, with (left/right)firewall=yes, coming up
+	# This is used only by the default updown script, not by your custom
+	# ones, so do not mess with it; see CAUTION comment up at top.
+	if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ]
+	then
+	  ip6tables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
+	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
+	  ip6tables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	      -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+	fi
+	#
+	# a virtual IP requires an INPUT and OUTPUT rule on the host
+	# or sometimes host access via the internal IP is needed
+	if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
+	then
+	  ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	      -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+	  ip6tables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
+	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
+	fi
+	#
+	# log IPsec client connection setup
+	if [ $VPN_LOGGING ]
+	then
+	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ]
+	  then
+	    logger -t $TAG -p $FAC_PRIO \
+	      "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+	  else
+	    logger -t $TAG -p $FAC_PRIO \
+	      "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+	  fi
+	fi
+	;;
+down-client-v6:iptables)
+	# connection to client subnet, with (left/right)firewall=yes, going down
+	# This is used only by the default updown script, not by your custom
+	# ones, so do not mess with it; see CAUTION comment up at top.
+	if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ]
+	then
+	  ip6tables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
+	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
+	         $IPSEC_POLICY_OUT -j ACCEPT
+	  ip6tables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	      -d $PLUTO_MY_CLIENT $D_MY_PORT \
+	         $IPSEC_POLICY_IN -j ACCEPT
+	fi
+	#
+	# a virtual IP requires an INPUT and OUTPUT rule on the host
+	# or sometimes host access via the internal IP is needed
+	if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
+	then
+	  ip6tables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	      -d $PLUTO_MY_CLIENT $D_MY_PORT \
+	         $IPSEC_POLICY_IN -j ACCEPT
+	  ip6tables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
+	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
+	         $IPSEC_POLICY_OUT -j ACCEPT
+	fi
+	#
+	# log IPsec client connection teardown
+	if [ $VPN_LOGGING ]
+	then
+	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ]
+	  then
+	    logger -t $TAG -p $FAC_PRIO -- \
+	      "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+	  else
+	    logger -t $TAG -p $FAC_PRIO -- \
+	      "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+	  fi
+	fi
+	;;
+*)	echo "$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'" >&2
+	exit 1
+	;;
+esac
diff --git a/testing/tests/libipsec/net2net-cert/hosts/sun/etc/ipsec.conf b/testing/tests/libipsec/net2net-cert/hosts/sun/etc/ipsec.conf
new file mode 100644
index 000000000..b16440aa1
--- /dev/null
+++ b/testing/tests/libipsec/net2net-cert/hosts/sun/etc/ipsec.conf
@@ -0,0 +1,22 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+        keyingtries=1
+	keyexchange=ikev2
+	mobike=no
+
+conn net-net 
+	left=PH_IP_SUN
+	leftcert=sunCert.pem
+	leftid=@sun.strongswan.org
+	leftsubnet=10.2.0.0/16
+	leftupdown=/etc/updown
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+	rightsubnet=10.1.0.0/16
+	auto=add
diff --git a/testing/tests/libipsec/net2net-cert/hosts/sun/etc/strongswan.conf b/testing/tests/libipsec/net2net-cert/hosts/sun/etc/strongswan.conf
new file mode 100644
index 000000000..97bb34aed
--- /dev/null
+++ b/testing/tests/libipsec/net2net-cert/hosts/sun/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-libipsec kernel-netlink socket-default updown
+  multiple_authentication = no
+}
diff --git a/testing/tests/libipsec/net2net-cert/hosts/sun/etc/updown b/testing/tests/libipsec/net2net-cert/hosts/sun/etc/updown
new file mode 100755
index 000000000..1a68ada0e
--- /dev/null
+++ b/testing/tests/libipsec/net2net-cert/hosts/sun/etc/updown
@@ -0,0 +1,705 @@
+#! /bin/sh
+# iproute2 version, default updown script
+#
+# Copyright (C) 2003-2004 Nigel Meteringham
+# Copyright (C) 2003-2004 Tuomo Soini
+# Copyright (C) 2002-2004 Michael Richardson
+# Copyright (C) 2005-2007 Andreas Steffen <andreas.steffen@strongswan.org>
+#
+# This program is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 2 of the License, or (at your
+# option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+# or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+# for more details.
+
+# CAUTION:  Installing a new version of strongSwan will install a new
+# copy of this script, wiping out any custom changes you make.  If
+# you need changes, make a copy of this under another name, and customize
+# that, and use the (left/right)updown parameters in ipsec.conf to make
+# strongSwan use yours instead of this default one.
+
+# things that this script gets (from ipsec_pluto(8) man page)
+#
+#      PLUTO_VERSION
+#              indicates  what  version of this interface is being
+#              used.  This document describes version  1.1.   This
+#              is upwardly compatible with version 1.0.
+#
+#       PLUTO_VERB
+#              specifies the name of the operation to be performed
+#              (prepare-host, prepare-client, up-host, up-client,
+#              down-host, or down-client).  If the address family
+#              for security gateway to security gateway communica-
+#              tions is IPv6, then a suffix of -v6 is added to the
+#              verb.
+#
+#       PLUTO_CONNECTION
+#              is the name of the  connection  for  which  we  are
+#              routing.
+#
+#       PLUTO_NEXT_HOP
+#              is the next hop to which packets bound for the peer
+#              must be sent.
+#
+#       PLUTO_INTERFACE
+#              is the name of the ipsec interface to be used.
+#
+#       PLUTO_REQID
+#              is the requid of the ESP policy
+#
+#       PLUTO_UNIQUEID
+#              is the unique identifier of the associated IKE_SA
+#
+#       PLUTO_ME
+#              is the IP address of our host.
+#
+#       PLUTO_MY_ID
+#              is the ID of our host.
+#
+#       PLUTO_MY_CLIENT
+#              is the IP address / count of our client subnet.  If
+#              the  client  is  just  the  host,  this will be the
+#              host's own IP address / max (where max  is  32  for
+#              IPv4 and 128 for IPv6).
+#
+#       PLUTO_MY_CLIENT_NET
+#              is the IP address of our client net.  If the client
+#              is just the host, this will be the  host's  own  IP
+#              address.
+#
+#       PLUTO_MY_CLIENT_MASK
+#              is  the  mask for our client net.  If the client is
+#              just the host, this will be 255.255.255.255.
+#
+#       PLUTO_MY_SOURCEIP
+#       PLUTO_MY_SOURCEIP4_$i
+#       PLUTO_MY_SOURCEIP6_$i
+#              contains IPv4/IPv6 virtual IP received from a responder,
+#              $i enumerates from 1 to the number of IP per address family.
+#              PLUTO_MY_SOURCEIP is a legacy variable and equals to the first
+#              virtual IP, IPv4 or IPv6.
+#
+#       PLUTO_MY_PROTOCOL
+#              is the IP protocol that will be transported.
+#
+#       PLUTO_MY_PORT
+#              is  the  UDP/TCP  port  to  which  the IPsec SA  is
+#              restricted on our side.
+#
+#       PLUTO_PEER
+#              is the IP address of our peer.
+#
+#       PLUTO_PEER_ID
+#              is the ID of our peer.
+#
+#       PLUTO_PEER_CA
+#              is the CA which issued the cert of our peer.
+#
+#       PLUTO_PEER_CLIENT
+#              is the IP address / count of the peer's client sub-
+#              net.   If the client is just the peer, this will be
+#              the peer's own IP address / max (where  max  is  32
+#              for IPv4 and 128 for IPv6).
+#
+#       PLUTO_PEER_CLIENT_NET
+#              is the IP address of the peer's client net.  If the
+#              client is just the peer, this will  be  the  peer's
+#              own IP address.
+#
+#       PLUTO_PEER_CLIENT_MASK
+#              is  the  mask  for  the  peer's client net.  If the
+#              client   is   just   the   peer,   this   will   be
+#              255.255.255.255.
+#
+#       PLUTO_PEER_PROTOCOL
+#              is the IP protocol that will be transported.
+#
+#       PLUTO_PEER_PORT
+#              is  the  UDP/TCP  port  to  which  the IPsec SA  is
+#              restricted on the peer side.
+#
+#       PLUTO_XAUTH_ID
+#              is an optional user ID employed by the XAUTH protocol
+#
+#       PLUTO_MARK_IN
+#              is an optional XFRM mark set on the inbound IPsec SA
+#
+#       PLUTO_MARK_OUT
+#              is an optional XFRM mark set on the outbound IPsec SA
+#
+#       PLUTO_UDP_ENC
+#              contains the remote UDP port in the case of ESP_IN_UDP
+#              encapsulation
+#
+#       PLUTO_DNS4_$i
+#       PLUTO_DNS6_$i
+#              contains IPv4/IPv6 DNS server attribute received from a
+#              responder, $i enumerates from 1 to the number of servers per
+#              address family.
+#
+
+# define a minimum PATH environment in case it is not set
+PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/sbin"
+export PATH
+
+# uncomment to log VPN connections
+VPN_LOGGING=1
+#
+# tag put in front of each log entry:
+TAG=vpn
+#
+# syslog facility and priority used:
+FAC_PRIO=local0.notice
+#
+# to create a special vpn logging file, put the following line into
+# the syslog configuration file /etc/syslog.conf:
+#
+# local0.notice                   -/var/log/vpn
+
+# in order to use source IP routing the Linux kernel options
+# CONFIG_IP_ADVANCED_ROUTER and CONFIG_IP_MULTIPLE_TABLES
+# must be enabled
+#
+# special routing table for sourceip routes
+SOURCEIP_ROUTING_TABLE=220
+#
+# priority of the sourceip routing table
+SOURCEIP_ROUTING_TABLE_PRIO=220
+
+# check interface version
+case "$PLUTO_VERSION" in
+1.[0|1])	# Older Pluto?!?  Play it safe, script may be using new features.
+	echo "$0: obsolete interface version \`$PLUTO_VERSION'," >&2
+	echo "$0: 	called by obsolete Pluto?" >&2
+	exit 2
+	;;
+1.*)	;;
+*)	echo "$0: unknown interface version \`$PLUTO_VERSION'" >&2
+	exit 2
+	;;
+esac
+
+# check parameter(s)
+case "$1:$*" in
+':')			# no parameters
+	;;
+iptables:iptables)	# due to (left/right)firewall; for default script only
+	;;
+custom:*)		# custom parameters (see above CAUTION comment)
+	;;
+*)	echo "$0: unknown parameters \`$*'" >&2
+	exit 2
+	;;
+esac
+
+# utility functions for route manipulation
+# Meddling with this stuff should not be necessary and requires great care.
+uproute() {
+	doroute add
+	ip route flush cache
+}
+downroute() {
+	doroute delete
+	ip route flush cache
+}
+
+addsource() {
+	st=0
+	if ! ip -o route get ${PLUTO_MY_SOURCEIP%/*} | grep -q ^local
+	then
+	    it="ip addr add ${PLUTO_MY_SOURCEIP%/*}/32 dev $PLUTO_INTERFACE"
+	    oops="`eval $it 2>&1`"
+	    st=$?
+	    if test " $oops" = " " -a " $st" != " 0"
+	    then
+		oops="silent error, exit status $st"
+	    fi
+	    if test " $oops" != " " -o " $st" != " 0"
+	    then
+		echo "$0: addsource \`$it' failed ($oops)" >&2
+	    fi
+	fi
+	return $st
+}
+
+doroute() {
+	st=0
+
+	if [ -z "$PLUTO_MY_SOURCEIP" ]
+	then
+	    for dir in /etc/sysconfig /etc/conf.d; do
+		if [ -f "$dir/defaultsource" ]
+		then
+		    . "$dir/defaultsource"
+		fi
+	    done
+
+	    if [ -n "$DEFAULTSOURCE" ]
+	    then
+		PLUTO_MY_SOURCEIP=$DEFAULTSOURCE
+	    fi
+        fi
+
+	if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ]
+	then
+	    # leave because no route entry is required
+	    return $st
+	fi
+
+	parms1="$PLUTO_PEER_CLIENT"
+
+	if [ -n "$PLUTO_NEXT_HOP" ]
+	then
+	    parms2="via $PLUTO_NEXT_HOP"
+	else
+	    parms2="via $PLUTO_PEER"
+	fi
+	parms2="$parms2 dev $PLUTO_INTERFACE"
+
+	parms3=
+	if [ -n "$PLUTO_MY_SOURCEIP" ]
+	then
+	    if test "$1" = "add"
+	    then
+		addsource
+		if ! ip rule list | grep -q "lookup $SOURCEIP_ROUTING_TABLE"
+		then
+		    ip rule add pref $SOURCEIP_ROUTING_TABLE_PRIO table $SOURCEIP_ROUTING_TABLE
+		fi
+	    fi
+	    parms3="$parms3 src ${PLUTO_MY_SOURCEIP%/*} table $SOURCEIP_ROUTING_TABLE"
+	fi
+
+	case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
+	"0.0.0.0/0.0.0.0")
+		# opportunistic encryption work around
+		# need to provide route that eclipses default, without
+		# replacing it.
+		it="ip route $1 0.0.0.0/1 $parms2 $parms3 &&
+			ip route $1 128.0.0.0/1 $parms2 $parms3"
+		;;
+	*)	it="ip route $1 $parms1 $parms2 $parms3"
+		;;
+	esac
+	oops="`eval $it 2>&1`"
+	st=$?
+	if test " $oops" = " " -a " $st" != " 0"
+	then
+	    oops="silent error, exit status $st"
+	fi
+	if test " $oops" != " " -o " $st" != " 0"
+	then
+	    echo "$0: doroute \`$it' failed ($oops)" >&2
+	fi
+	return $st
+}
+
+# in the presence of KLIPS and ipsecN interfaces do not use IPSEC_POLICY
+if [ `echo "$PLUTO_INTERFACE" | grep "ipsec"` ]
+then
+	KLIPS=1
+	IPSEC_POLICY_IN=""
+	IPSEC_POLICY_OUT=""
+else
+	KLIPS=
+	IPSEC_POLICY="-m policy --pol ipsec --proto esp --reqid $PLUTO_REQID"
+	IPSEC_POLICY_IN="$IPSEC_POLICY --dir in"
+	IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out"
+fi
+
+# are there port numbers?
+if [ "$PLUTO_MY_PORT" != 0 ]
+then
+	S_MY_PORT="--sport $PLUTO_MY_PORT"
+	D_MY_PORT="--dport $PLUTO_MY_PORT"
+fi
+if [ "$PLUTO_PEER_PORT" != 0 ]
+then
+	S_PEER_PORT="--sport $PLUTO_PEER_PORT"
+	D_PEER_PORT="--dport $PLUTO_PEER_PORT"
+fi
+
+# resolve octal escape sequences
+PLUTO_MY_ID=`printf "$PLUTO_MY_ID"`
+PLUTO_PEER_ID=`printf "$PLUTO_PEER_ID"`
+
+# the big choice
+case "$PLUTO_VERB:$1" in
+prepare-host:*|prepare-client:*)
+	if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ]
+	then
+	    # exit because no route will be added,
+	    # so that existing routes can stay
+	    exit 0
+	fi
+
+	# delete possibly-existing route (preliminary to adding a route)
+	case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
+	"0.0.0.0/0.0.0.0")
+		# need to provide route that eclipses default, without
+		# replacing it.
+		parms1="0.0.0.0/1"
+		parms2="128.0.0.0/1"
+		it="ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1"
+		oops="`ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1`"
+		;;
+	*)
+		parms="$PLUTO_PEER_CLIENT"
+		it="ip route delete $parms 2>&1"
+		oops="`ip route delete $parms 2>&1`"
+		;;
+	esac
+	status="$?"
+	if test " $oops" = " " -a " $status" != " 0"
+	then
+		oops="silent error, exit status $status"
+	fi
+	case "$oops" in
+	*'RTNETLINK answers: No such process'*)
+		# This is what route (currently -- not documented!) gives
+		# for "could not find such a route".
+		oops=
+		status=0
+		;;
+	esac
+	if test " $oops" != " " -o " $status" != " 0"
+	then
+		echo "$0: \`$it' failed ($oops)" >&2
+	fi
+	exit $status
+	;;
+route-host:*|route-client:*)
+	# connection to me or my client subnet being routed
+	uproute
+	;;
+unroute-host:*|unroute-client:*)
+	# connection to me or my client subnet being unrouted
+	downroute
+	;;
+up-host:)
+	# connection to me coming up
+	# If you are doing a custom version, firewall commands go here.
+	;;
+down-host:)
+	# connection to me going down
+	# If you are doing a custom version, firewall commands go here.
+	;;
+up-client:)
+	# connection to my client subnet coming up
+	# If you are doing a custom version, firewall commands go here.
+	PLUTO_INTERFACE=ipsec0
+	iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	    -s $PLUTO_MY_CLIENT $S_MY_PORT \
+	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+	iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	    -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	    -d $PLUTO_MY_CLIENT $D_MY_PORT -j ACCEPT
+	;;
+down-client:)
+	# connection to my client subnet going down
+	# If you are doing a custom version, firewall commands go here.
+	PLUTO_INTERFACE=ipsec0
+	iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	    -s $PLUTO_MY_CLIENT $S_MY_PORT \
+	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+	iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	    -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	    -d $PLUTO_MY_CLIENT $D_MY_PORT -j ACCEPT
+	;;
+up-host:iptables)
+	# connection to me, with (left/right)firewall=yes, coming up
+	# This is used only by the default updown script, not by your custom
+	# ones, so do not mess with it; see CAUTION comment up at top.
+	iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	    -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	    -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+	iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	    -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
+	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+	#
+	# log IPsec host connection setup
+	if [ $VPN_LOGGING ]
+	then
+	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
+	  then
+	    logger -t $TAG -p $FAC_PRIO \
+	      "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
+	  else
+	    logger -t $TAG -p $FAC_PRIO \
+	      "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
+	  fi
+	fi
+	;;
+down-host:iptables)
+	# connection to me, with (left/right)firewall=yes, going down
+	# This is used only by the default updown script, not by your custom
+	# ones, so do not mess with it; see CAUTION comment up at top.
+	iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	    -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	    -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+	iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	    -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
+	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+	#
+	# log IPsec host connection teardown
+	if [ $VPN_LOGGING ]
+	then
+	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
+	  then
+	    logger -t $TAG -p $FAC_PRIO -- \
+	      "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
+	  else
+	    logger -t $TAG -p $FAC_PRIO -- \
+	    "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
+	  fi
+	fi
+	;;
+up-client:iptables)
+	# connection to client subnet, with (left/right)firewall=yes, coming up
+	# This is used only by the default updown script, not by your custom
+	# ones, so do not mess with it; see CAUTION comment up at top.
+	if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
+	then
+	  iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
+	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
+	  iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	      -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+	fi
+	#
+	# a virtual IP requires an INPUT and OUTPUT rule on the host
+	# or sometimes host access via the internal IP is needed
+	if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
+	then
+	  iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	      -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+	  iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
+	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
+	fi
+	#
+	# log IPsec client connection setup
+	if [ $VPN_LOGGING ]
+	then
+	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
+	  then
+	    logger -t $TAG -p $FAC_PRIO \
+	      "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+	  else
+	    logger -t $TAG -p $FAC_PRIO \
+	      "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+	  fi
+	fi
+	;;
+down-client:iptables)
+	# connection to client subnet, with (left/right)firewall=yes, going down
+	# This is used only by the default updown script, not by your custom
+	# ones, so do not mess with it; see CAUTION comment up at top.
+	if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
+	then
+	  iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
+	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
+	         $IPSEC_POLICY_OUT -j ACCEPT
+	  iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	      -d $PLUTO_MY_CLIENT $D_MY_PORT \
+	         $IPSEC_POLICY_IN -j ACCEPT
+	fi
+	#
+	# a virtual IP requires an INPUT and OUTPUT rule on the host
+	# or sometimes host access via the internal IP is needed
+	if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
+	then
+	  iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	      -d $PLUTO_MY_CLIENT $D_MY_PORT \
+	         $IPSEC_POLICY_IN -j ACCEPT
+	  iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
+	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
+	         $IPSEC_POLICY_OUT -j ACCEPT
+	fi
+	#
+	# log IPsec client connection teardown
+	if [ $VPN_LOGGING ]
+	then
+	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
+	  then
+	    logger -t $TAG -p $FAC_PRIO -- \
+	      "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+	  else
+	    logger -t $TAG -p $FAC_PRIO -- \
+	      "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+	  fi
+	fi
+	;;
+#
+# IPv6
+#
+prepare-host-v6:*|prepare-client-v6:*)
+	;;
+route-host-v6:*|route-client-v6:*)
+	# connection to me or my client subnet being routed
+	#uproute_v6
+	;;
+unroute-host-v6:*|unroute-client-v6:*)
+	# connection to me or my client subnet being unrouted
+	#downroute_v6
+	;;
+up-host-v6:)
+	# connection to me coming up
+	# If you are doing a custom version, firewall commands go here.
+	;;
+down-host-v6:)
+	# connection to me going down
+	# If you are doing a custom version, firewall commands go here.
+	;;
+up-client-v6:)
+	# connection to my client subnet coming up
+	# If you are doing a custom version, firewall commands go here.
+	;;
+down-client-v6:)
+	# connection to my client subnet going down
+	# If you are doing a custom version, firewall commands go here.
+	;;
+up-host-v6:iptables)
+	# connection to me, with (left/right)firewall=yes, coming up
+	# This is used only by the default updown script, not by your custom
+	# ones, so do not mess with it; see CAUTION comment up at top.
+	ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	    -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	    -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+	ip6tables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	    -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
+	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+	#
+	# log IPsec host connection setup
+	if [ $VPN_LOGGING ]
+	then
+	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ]
+	  then
+	    logger -t $TAG -p $FAC_PRIO \
+	      "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
+	  else
+	    logger -t $TAG -p $FAC_PRIO \
+	      "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
+	  fi
+	fi
+	;;
+down-host-v6:iptables)
+	# connection to me, with (left/right)firewall=yes, going down
+	# This is used only by the default updown script, not by your custom
+	# ones, so do not mess with it; see CAUTION comment up at top.
+	ip6tables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	    -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	    -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+	ip6tables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	    -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
+	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+	#
+	# log IPsec host connection teardown
+	if [ $VPN_LOGGING ]
+	then
+	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ]
+	  then
+	    logger -t $TAG -p $FAC_PRIO -- \
+	      "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
+	  else
+	    logger -t $TAG -p $FAC_PRIO -- \
+	    "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
+	  fi
+	fi
+	;;
+up-client-v6:iptables)
+	# connection to client subnet, with (left/right)firewall=yes, coming up
+	# This is used only by the default updown script, not by your custom
+	# ones, so do not mess with it; see CAUTION comment up at top.
+	if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ]
+	then
+	  ip6tables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
+	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
+	  ip6tables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	      -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+	fi
+	#
+	# a virtual IP requires an INPUT and OUTPUT rule on the host
+	# or sometimes host access via the internal IP is needed
+	if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
+	then
+	  ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	      -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+	  ip6tables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
+	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
+	fi
+	#
+	# log IPsec client connection setup
+	if [ $VPN_LOGGING ]
+	then
+	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ]
+	  then
+	    logger -t $TAG -p $FAC_PRIO \
+	      "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+	  else
+	    logger -t $TAG -p $FAC_PRIO \
+	      "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+	  fi
+	fi
+	;;
+down-client-v6:iptables)
+	# connection to client subnet, with (left/right)firewall=yes, going down
+	# This is used only by the default updown script, not by your custom
+	# ones, so do not mess with it; see CAUTION comment up at top.
+	if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ]
+	then
+	  ip6tables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
+	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
+	         $IPSEC_POLICY_OUT -j ACCEPT
+	  ip6tables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	      -d $PLUTO_MY_CLIENT $D_MY_PORT \
+	         $IPSEC_POLICY_IN -j ACCEPT
+	fi
+	#
+	# a virtual IP requires an INPUT and OUTPUT rule on the host
+	# or sometimes host access via the internal IP is needed
+	if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
+	then
+	  ip6tables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	      -d $PLUTO_MY_CLIENT $D_MY_PORT \
+	         $IPSEC_POLICY_IN -j ACCEPT
+	  ip6tables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
+	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
+	         $IPSEC_POLICY_OUT -j ACCEPT
+	fi
+	#
+	# log IPsec client connection teardown
+	if [ $VPN_LOGGING ]
+	then
+	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ]
+	  then
+	    logger -t $TAG -p $FAC_PRIO -- \
+	      "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+	  else
+	    logger -t $TAG -p $FAC_PRIO -- \
+	      "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+	  fi
+	fi
+	;;
+*)	echo "$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'" >&2
+	exit 1
+	;;
+esac
diff --git a/testing/tests/libipsec/net2net-cert/posttest.dat b/testing/tests/libipsec/net2net-cert/posttest.dat
new file mode 100644
index 000000000..1f7aa73a1
--- /dev/null
+++ b/testing/tests/libipsec/net2net-cert/posttest.dat
@@ -0,0 +1,4 @@
+moon::ipsec stop
+sun::ipsec stop
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/libipsec/net2net-cert/pretest.dat b/testing/tests/libipsec/net2net-cert/pretest.dat
new file mode 100644
index 000000000..c724e5df8
--- /dev/null
+++ b/testing/tests/libipsec/net2net-cert/pretest.dat
@@ -0,0 +1,6 @@
+moon::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
+moon::ipsec start
+sun::ipsec start
+moon::sleep 1 
+moon::ipsec up net-net
diff --git a/testing/tests/libipsec/net2net-cert/test.conf b/testing/tests/libipsec/net2net-cert/test.conf
new file mode 100644
index 000000000..646b8b3e6
--- /dev/null
+++ b/testing/tests/libipsec/net2net-cert/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon winnetou sun bob"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-w-s-b.png"
+ 
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="sun"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon sun"
diff --git a/testing/tests/libipsec/rw-suite-b/description.txt b/testing/tests/libipsec/rw-suite-b/description.txt
new file mode 100644
index 000000000..a1b09405a
--- /dev/null
+++ b/testing/tests/libipsec/rw-suite-b/description.txt
@@ -0,0 +1,10 @@
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection to gateway <b>moon</b>.
+The authentication is based on Suite B with <b>128 bit</b> security based on <b>X.509 ECDSA</b>
+certificates, <b>ECP Diffie-Hellman</b> groups and <b>AES-GCM</b> authenticated encryption.
+The <b>kernel-libipsec</b> plugin is used for userland IPsec AES-GCM authenticated ESP
+encryption.
+<p/>
+Upon the successful establishment of the IPsec tunnel, an updown script automatically
+inserts iptables-based firewall rules that let pass the traffic tunneled via the <b>ipsec0</b>
+tun interface. In order to test both tunnel and firewall, <b>carol</b> and <b>dave</b> ping
+the client <b>alice</b> behind the gateway <b>moon</b>.
diff --git a/testing/tests/libipsec/rw-suite-b/evaltest.dat b/testing/tests/libipsec/rw-suite-b/evaltest.dat
new file mode 100644
index 000000000..d59ea3c34
--- /dev/null
+++ b/testing/tests/libipsec/rw-suite-b/evaltest.dat
@@ -0,0 +1,19 @@
+carol::cat /var/log/daemon.log::openssl FIPS mode(2) - enabled::YES
+dave:: cat /var/log/daemon.log::openssl FIPS mode(2) - enabled::YES 
+moon:: cat /var/log/daemon.log::openssl FIPS mode(2) - enabled::YES
+moon:: cat /var/log/daemon.log::authentication of.*carol@strongswan.org.*with ECDSA-256 signature successful::YES
+moon:: cat /var/log/daemon.log::authentication of.*dave@strongswan.org.*with ECDSA-256 signature successful::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+moon::tcpdump::IP carol.strongswan.org.4500 > moon.strongswan.org.4500: UDP-encap: ESP::YES
+moon::tcpdump::IP moon.strongswan.org.4500 > carol.strongswan.org.4500: UDP-encap: ESP::YES
+moon::tcpdump::IP dave.strongswan.org.4500 > moon.strongswan.org.4500: UDP-encap: ESP::YES
+moon::tcpdump::IP moon.strongswan.org.4500 > dave.strongswan.org.4500: UDP-encap: ESP::YES
diff --git a/testing/tests/libipsec/rw-suite-b/hosts/carol/etc/ipsec.conf b/testing/tests/libipsec/rw-suite-b/hosts/carol/etc/ipsec.conf
new file mode 100644
index 000000000..8106e28d2
--- /dev/null
+++ b/testing/tests/libipsec/rw-suite-b/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+	ike=aes128gcm128-prfsha256-ecp256!
+	esp=aes128gcm128-ecp256!
+
+conn home
+	left=PH_IP_CAROL
+	leftcert=carolCert.pem
+	leftid=carol@strongswan.org
+	leftsourceip=%config
+	leftupdown=/etc/updown
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+	rightsubnet=10.1.0.0/16
+	auto=add
diff --git a/testing/tests/libipsec/rw-suite-b/hosts/carol/etc/ipsec.d/cacerts/strongswanCert.pem b/testing/tests/libipsec/rw-suite-b/hosts/carol/etc/ipsec.d/cacerts/strongswanCert.pem
new file mode 100644
index 000000000..3480a434a
--- /dev/null
+++ b/testing/tests/libipsec/rw-suite-b/hosts/carol/etc/ipsec.d/cacerts/strongswanCert.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICyDCCAiqgAwIBAgIJAPaidX4i76aJMAkGByqGSM49BAEwSDELMAkGA1UEBhMC
+Q0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xHjAcBgNVBAMTFXN0cm9uZ1N3
+YW4gRUMgUm9vdCBDQTAeFw0wODA2MjIxNDM2MDZaFw0xODA2MjAxNDM2MDZaMEgx
+CzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQD
+ExVzdHJvbmdTd2FuIEVDIFJvb3QgQ0EwgZswEAYHKoZIzj0CAQYFK4EEACMDgYYA
+BAEUx1NvjNKzbDHaRPMsqIf/6SbUpzBa78N/WIyF6rYj8e5McAqfTfzUfFJZYoQn
+/mbP3VfjOxRuMDjrlfvdgMxwkwFDigWQfHg3CJbS7eQjjO1MrxxIJUtfSTnF29tM
+h6IYMdxaZKloCGCOrpmGCGdxD2/KwoX1SA3BlnjaNt7kSTonkqOBujCBtzAPBgNV
+HRMBAf8EBTADAQH/MAsGA1UdDwQEAwIBBjAdBgNVHQ4EFgQUul35cbYTtWrR3bo2
+t6rSwe6P2NIweAYDVR0jBHEwb4AUul35cbYTtWrR3bo2t6rSwe6P2NKhTKRKMEgx
+CzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQD
+ExVzdHJvbmdTd2FuIEVDIFJvb3QgQ0GCCQD2onV+Iu+miTAJBgcqhkjOPQQBA4GM
+ADCBiAJCAL5pU3X6NYWjOYe0cxrah27UxtUDLUNkFG/Ojl+gOH4QB0CKY0HXNyrq
+cgba73dXF/U0Cg3Ij/9g4Kd9GgYq0GlSAkIAqgqMKqXni8wbeGMJE2Mn2/8aHM3Q
+3flpHSoeNWOe/VzpRviw+VRgA4vbhhKUXBtQSiea77/DXLwOp5w7rkBoEUg=
+-----END CERTIFICATE-----
diff --git a/testing/tests/libipsec/rw-suite-b/hosts/carol/etc/ipsec.d/certs/carolCert.pem b/testing/tests/libipsec/rw-suite-b/hosts/carol/etc/ipsec.d/certs/carolCert.pem
new file mode 100644
index 000000000..a85635faf
--- /dev/null
+++ b/testing/tests/libipsec/rw-suite-b/hosts/carol/etc/ipsec.d/certs/carolCert.pem
@@ -0,0 +1,15 @@
+-----BEGIN CERTIFICATE-----
+MIICXzCCAcCgAwIBAgIBCTAKBggqhkjOPQQDBDBIMQswCQYDVQQGEwJDSDEZMBcG
+A1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UEAxMVc3Ryb25nU3dhbiBFQyBS
+b290IENBMB4XDTEzMDYyODA3MjczOFoXDTE4MDYwMjA3MjczOFowXzELMAkGA1UE
+BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xFjAUBgNVBAsTDUVDRFNB
+IDI1NiBiaXQxHTAbBgNVBAMUFGNhcm9sQHN0cm9uZ3N3YW4ub3JnMFkwEwYHKoZI
+zj0CAQYIKoZIzj0DAQcDQgAEwYQaBELkyAVAzNzWJr9LqoK8gdKDv+Ns6D+ZQSAj
+BuX3bs5ZIn7BrRxYd+mbnpZ2in7FjXPWkcLkIK/cgay2n6OBgzCBgDAfBgNVHSME
+GDAWgBS6XflxthO1atHduja3qtLB7o/Y0jAfBgNVHREEGDAWgRRjYXJvbEBzdHJv
+bmdzd2FuLm9yZzA8BgNVHR8ENTAzMDGgL6AthitodHRwOi8vY3JsLnN0cm9uZ3N3
+YW4ub3JnL3N0cm9uZ3N3YW5fZWMuY3JsMAoGCCqGSM49BAMEA4GMADCBiAJCAIU5
+nZLSfuiHElf7SFHl/sXCTSQ5FhEjSdhpMUvsgwq0vnEJRRdsdEOmmtVT5yQFHDUR
+Z9YVl4/zP5EFyUepvCH5AkIB2WFJ5WZ3Ds76Tq9AxAPaFbsQapGgOmrRZ6lGkj49
+hzLfARkvr+fTbOrttOC4yTIfnYVygA2G1cQYzceY/JiSk00=
+-----END CERTIFICATE-----
diff --git a/testing/tests/libipsec/rw-suite-b/hosts/carol/etc/ipsec.d/private/carolKey.pem b/testing/tests/libipsec/rw-suite-b/hosts/carol/etc/ipsec.d/private/carolKey.pem
new file mode 100644
index 000000000..d29ddb9ee
--- /dev/null
+++ b/testing/tests/libipsec/rw-suite-b/hosts/carol/etc/ipsec.d/private/carolKey.pem
@@ -0,0 +1,5 @@
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEIMDstKxdv/vNBPfM8iHvn5g5/8T5aRSnlh27HHt6iTfGoAoGCCqGSM49
+AwEHoUQDQgAEwYQaBELkyAVAzNzWJr9LqoK8gdKDv+Ns6D+ZQSAjBuX3bs5ZIn7B
+rRxYd+mbnpZ2in7FjXPWkcLkIK/cgay2nw==
+-----END EC PRIVATE KEY-----
diff --git a/testing/tests/libipsec/rw-suite-b/hosts/carol/etc/ipsec.secrets b/testing/tests/libipsec/rw-suite-b/hosts/carol/etc/ipsec.secrets
new file mode 100644
index 000000000..3d6725162
--- /dev/null
+++ b/testing/tests/libipsec/rw-suite-b/hosts/carol/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: ECDSA carolKey.pem
diff --git a/testing/tests/libipsec/rw-suite-b/hosts/carol/etc/strongswan.conf b/testing/tests/libipsec/rw-suite-b/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..06bcaa1e5
--- /dev/null
+++ b/testing/tests/libipsec/rw-suite-b/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,15 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = soup pem pkcs1 pkcs8 random nonce x509 revocation openssl stroke kernel-libipsec kernel-netlink socket-default updown
+
+  initiator_only = yes
+}
+
+libstrongswan {
+  plugins {
+    openssl {
+      fips_mode = 2
+    }
+  }
+}
diff --git a/testing/tests/libipsec/rw-suite-b/hosts/carol/etc/updown b/testing/tests/libipsec/rw-suite-b/hosts/carol/etc/updown
new file mode 100755
index 000000000..15c239466
--- /dev/null
+++ b/testing/tests/libipsec/rw-suite-b/hosts/carol/etc/updown
@@ -0,0 +1,746 @@
+#! /bin/sh
+# iproute2 version, default updown script
+#
+# Copyright (C) 2003-2004 Nigel Meteringham
+# Copyright (C) 2003-2004 Tuomo Soini
+# Copyright (C) 2002-2004 Michael Richardson
+# Copyright (C) 2005-2007 Andreas Steffen <andreas.steffen@strongswan.org>
+#
+# This program is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 2 of the License, or (at your
+# option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+# or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+# for more details.
+
+# CAUTION:  Installing a new version of strongSwan will install a new
+# copy of this script, wiping out any custom changes you make.  If
+# you need changes, make a copy of this under another name, and customize
+# that, and use the (left/right)updown parameters in ipsec.conf to make
+# strongSwan use yours instead of this default one.
+
+# things that this script gets (from ipsec_pluto(8) man page)
+#
+#      PLUTO_VERSION
+#              indicates  what  version of this interface is being
+#              used.  This document describes version  1.1.   This
+#              is upwardly compatible with version 1.0.
+#
+#       PLUTO_VERB
+#              specifies the name of the operation to be performed
+#              (prepare-host, prepare-client, up-host, up-client,
+#              down-host, or down-client).  If the address family
+#              for security gateway to security gateway communica-
+#              tions is IPv6, then a suffix of -v6 is added to the
+#              verb.
+#
+#       PLUTO_CONNECTION
+#              is the name of the  connection  for  which  we  are
+#              routing.
+#
+#       PLUTO_NEXT_HOP
+#              is the next hop to which packets bound for the peer
+#              must be sent.
+#
+#       PLUTO_INTERFACE
+#              is the name of the ipsec interface to be used.
+#
+#       PLUTO_REQID
+#              is the requid of the ESP policy
+#
+#       PLUTO_UNIQUEID
+#              is the unique identifier of the associated IKE_SA
+#
+#       PLUTO_ME
+#              is the IP address of our host.
+#
+#       PLUTO_MY_ID
+#              is the ID of our host.
+#
+#       PLUTO_MY_CLIENT
+#              is the IP address / count of our client subnet.  If
+#              the  client  is  just  the  host,  this will be the
+#              host's own IP address / max (where max  is  32  for
+#              IPv4 and 128 for IPv6).
+#
+#       PLUTO_MY_CLIENT_NET
+#              is the IP address of our client net.  If the client
+#              is just the host, this will be the  host's  own  IP
+#              address.
+#
+#       PLUTO_MY_CLIENT_MASK
+#              is  the  mask for our client net.  If the client is
+#              just the host, this will be 255.255.255.255.
+#
+#       PLUTO_MY_SOURCEIP
+#       PLUTO_MY_SOURCEIP4_$i
+#       PLUTO_MY_SOURCEIP6_$i
+#              contains IPv4/IPv6 virtual IP received from a responder,
+#              $i enumerates from 1 to the number of IP per address family.
+#              PLUTO_MY_SOURCEIP is a legacy variable and equals to the first
+#              virtual IP, IPv4 or IPv6.
+#
+#       PLUTO_MY_PROTOCOL
+#              is the IP protocol that will be transported.
+#
+#       PLUTO_MY_PORT
+#              is  the  UDP/TCP  port  to  which  the IPsec SA  is
+#              restricted on our side.
+#
+#       PLUTO_PEER
+#              is the IP address of our peer.
+#
+#       PLUTO_PEER_ID
+#              is the ID of our peer.
+#
+#       PLUTO_PEER_CA
+#              is the CA which issued the cert of our peer.
+#
+#       PLUTO_PEER_CLIENT
+#              is the IP address / count of the peer's client sub-
+#              net.   If the client is just the peer, this will be
+#              the peer's own IP address / max (where  max  is  32
+#              for IPv4 and 128 for IPv6).
+#
+#       PLUTO_PEER_CLIENT_NET
+#              is the IP address of the peer's client net.  If the
+#              client is just the peer, this will  be  the  peer's
+#              own IP address.
+#
+#       PLUTO_PEER_CLIENT_MASK
+#              is  the  mask  for  the  peer's client net.  If the
+#              client   is   just   the   peer,   this   will   be
+#              255.255.255.255.
+#
+#       PLUTO_PEER_PROTOCOL
+#              is the IP protocol that will be transported.
+#
+#       PLUTO_PEER_PORT
+#              is  the  UDP/TCP  port  to  which  the IPsec SA  is
+#              restricted on the peer side.
+#
+#       PLUTO_XAUTH_ID
+#              is an optional user ID employed by the XAUTH protocol
+#
+#       PLUTO_MARK_IN
+#              is an optional XFRM mark set on the inbound IPsec SA
+#
+#       PLUTO_MARK_OUT
+#              is an optional XFRM mark set on the outbound IPsec SA
+#
+#       PLUTO_UDP_ENC
+#              contains the remote UDP port in the case of ESP_IN_UDP
+#              encapsulation
+#
+#       PLUTO_DNS4_$i
+#       PLUTO_DNS6_$i
+#              contains IPv4/IPv6 DNS server attribute received from a
+#              responder, $i enumerates from 1 to the number of servers per
+#              address family.
+#
+
+# define a minimum PATH environment in case it is not set
+PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/sbin"
+export PATH
+
+# uncomment to log VPN connections
+VPN_LOGGING=1
+#
+# tag put in front of each log entry:
+TAG=vpn
+#
+# syslog facility and priority used:
+FAC_PRIO=local0.notice
+#
+# to create a special vpn logging file, put the following line into
+# the syslog configuration file /etc/syslog.conf:
+#
+# local0.notice                   -/var/log/vpn
+
+# in order to use source IP routing the Linux kernel options
+# CONFIG_IP_ADVANCED_ROUTER and CONFIG_IP_MULTIPLE_TABLES
+# must be enabled
+#
+# special routing table for sourceip routes
+SOURCEIP_ROUTING_TABLE=220
+#
+# priority of the sourceip routing table
+SOURCEIP_ROUTING_TABLE_PRIO=220
+
+# check interface version
+case "$PLUTO_VERSION" in
+1.[0|1])	# Older Pluto?!?  Play it safe, script may be using new features.
+	echo "$0: obsolete interface version \`$PLUTO_VERSION'," >&2
+	echo "$0: 	called by obsolete Pluto?" >&2
+	exit 2
+	;;
+1.*)	;;
+*)	echo "$0: unknown interface version \`$PLUTO_VERSION'" >&2
+	exit 2
+	;;
+esac
+
+# check parameter(s)
+case "$1:$*" in
+':')			# no parameters
+	;;
+iptables:iptables)	# due to (left/right)firewall; for default script only
+	;;
+custom:*)		# custom parameters (see above CAUTION comment)
+	;;
+*)	echo "$0: unknown parameters \`$*'" >&2
+	exit 2
+	;;
+esac
+
+# utility functions for route manipulation
+# Meddling with this stuff should not be necessary and requires great care.
+uproute() {
+	doroute add
+	ip route flush cache
+}
+downroute() {
+	doroute delete
+	ip route flush cache
+}
+
+addsource() {
+	st=0
+	if ! ip -o route get ${PLUTO_MY_SOURCEIP%/*} | grep -q ^local
+	then
+	    it="ip addr add ${PLUTO_MY_SOURCEIP%/*}/32 dev $PLUTO_INTERFACE"
+	    oops="`eval $it 2>&1`"
+	    st=$?
+	    if test " $oops" = " " -a " $st" != " 0"
+	    then
+		oops="silent error, exit status $st"
+	    fi
+	    if test " $oops" != " " -o " $st" != " 0"
+	    then
+		echo "$0: addsource \`$it' failed ($oops)" >&2
+	    fi
+	fi
+	return $st
+}
+
+doroute() {
+	st=0
+
+	if [ -z "$PLUTO_MY_SOURCEIP" ]
+	then
+	    for dir in /etc/sysconfig /etc/conf.d; do
+		if [ -f "$dir/defaultsource" ]
+		then
+		    . "$dir/defaultsource"
+		fi
+	    done
+
+	    if [ -n "$DEFAULTSOURCE" ]
+	    then
+		PLUTO_MY_SOURCEIP=$DEFAULTSOURCE
+	    fi
+        fi
+
+	if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ]
+	then
+	    # leave because no route entry is required
+	    return $st
+	fi
+
+	parms1="$PLUTO_PEER_CLIENT"
+
+	if [ -n "$PLUTO_NEXT_HOP" ]
+	then
+	    parms2="via $PLUTO_NEXT_HOP"
+	else
+	    parms2="via $PLUTO_PEER"
+	fi
+	parms2="$parms2 dev $PLUTO_INTERFACE"
+
+	parms3=
+	if [ -n "$PLUTO_MY_SOURCEIP" ]
+	then
+	    if test "$1" = "add"
+	    then
+		addsource
+		if ! ip rule list | grep -q "lookup $SOURCEIP_ROUTING_TABLE"
+		then
+		    ip rule add pref $SOURCEIP_ROUTING_TABLE_PRIO table $SOURCEIP_ROUTING_TABLE
+		fi
+	    fi
+	    parms3="$parms3 src ${PLUTO_MY_SOURCEIP%/*} table $SOURCEIP_ROUTING_TABLE"
+	fi
+
+	case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
+	"0.0.0.0/0.0.0.0")
+		# opportunistic encryption work around
+		# need to provide route that eclipses default, without
+		# replacing it.
+		it="ip route $1 0.0.0.0/1 $parms2 $parms3 &&
+			ip route $1 128.0.0.0/1 $parms2 $parms3"
+		;;
+	*)	it="ip route $1 $parms1 $parms2 $parms3"
+		;;
+	esac
+	oops="`eval $it 2>&1`"
+	st=$?
+	if test " $oops" = " " -a " $st" != " 0"
+	then
+	    oops="silent error, exit status $st"
+	fi
+	if test " $oops" != " " -o " $st" != " 0"
+	then
+	    echo "$0: doroute \`$it' failed ($oops)" >&2
+	fi
+	return $st
+}
+
+# in the presence of KLIPS and ipsecN interfaces do not use IPSEC_POLICY
+if [ `echo "$PLUTO_INTERFACE" | grep "ipsec"` ]
+then
+	KLIPS=1
+	IPSEC_POLICY_IN=""
+	IPSEC_POLICY_OUT=""
+else
+	KLIPS=
+	IPSEC_POLICY="-m policy --pol ipsec --proto esp --reqid $PLUTO_REQID"
+	IPSEC_POLICY_IN="$IPSEC_POLICY --dir in"
+	IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out"
+fi
+
+# are there port numbers?
+if [ "$PLUTO_MY_PORT" != 0 ]
+then
+	S_MY_PORT="--sport $PLUTO_MY_PORT"
+	D_MY_PORT="--dport $PLUTO_MY_PORT"
+fi
+if [ "$PLUTO_PEER_PORT" != 0 ]
+then
+	S_PEER_PORT="--sport $PLUTO_PEER_PORT"
+	D_PEER_PORT="--dport $PLUTO_PEER_PORT"
+fi
+
+# resolve octal escape sequences
+PLUTO_MY_ID=`printf "$PLUTO_MY_ID"`
+PLUTO_PEER_ID=`printf "$PLUTO_PEER_ID"`
+
+# the big choice
+case "$PLUTO_VERB:$1" in
+prepare-host:*|prepare-client:*)
+	if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ]
+	then
+	    # exit because no route will be added,
+	    # so that existing routes can stay
+	    exit 0
+	fi
+
+	# delete possibly-existing route (preliminary to adding a route)
+	case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
+	"0.0.0.0/0.0.0.0")
+		# need to provide route that eclipses default, without
+		# replacing it.
+		parms1="0.0.0.0/1"
+		parms2="128.0.0.0/1"
+		it="ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1"
+		oops="`ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1`"
+		;;
+	*)
+		parms="$PLUTO_PEER_CLIENT"
+		it="ip route delete $parms 2>&1"
+		oops="`ip route delete $parms 2>&1`"
+		;;
+	esac
+	status="$?"
+	if test " $oops" = " " -a " $status" != " 0"
+	then
+		oops="silent error, exit status $status"
+	fi
+	case "$oops" in
+	*'RTNETLINK answers: No such process'*)
+		# This is what route (currently -- not documented!) gives
+		# for "could not find such a route".
+		oops=
+		status=0
+		;;
+	esac
+	if test " $oops" != " " -o " $status" != " 0"
+	then
+		echo "$0: \`$it' failed ($oops)" >&2
+	fi
+	exit $status
+	;;
+route-host:*|route-client:*)
+	# connection to me or my client subnet being routed
+	uproute
+	;;
+unroute-host:*|unroute-client:*)
+	# connection to me or my client subnet being unrouted
+	downroute
+	;;
+up-host:)
+	# connection to me coming up
+	# If you are doing a custom version, firewall commands go here.
+	PLUTO_INTERFACE=ipsec0
+	iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	    -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	    -d $PLUTO_ME $D_MY_PORT -j ACCEPT
+	iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	    -s $PLUTO_ME $S_MY_PORT \
+	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+	;;
+down-host:)
+	# connection to me going down
+	# If you are doing a custom version, firewall commands go here.
+	PLUTO_INTERFACE=ipsec0
+ 	iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	    -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	    -d $PLUTO_ME $D_MY_PORT -j ACCEPT
+	iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	    -s $PLUTO_ME $S_MY_PORT \
+	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+	;;
+up-client:)
+	# connection to my client subnet coming up
+	# If you are doing a custom version, firewall commands go here.
+	PLUTO_INTERFACE=ipsec0
+        if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
+        then
+	    iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+		-s $PLUTO_MY_CLIENT $S_MY_PORT \
+		-d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+	    iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+		-s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+		-d $PLUTO_MY_CLIENT $D_MY_PORT -j ACCEPT
+	fi
+	#
+	# a virtual IP requires an INPUT and OUTPUT rule on the host
+	# or sometimes host access via the internal IP is needed
+	if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
+	then
+	    iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+		-s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+		-d $PLUTO_MY_CLIENT $D_MY_PORT -j ACCEPT
+	    iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+		-s $PLUTO_MY_CLIENT $S_MY_PORT \
+		-d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+	fi
+	;;
+down-client:)
+	# connection to my client subnet going down
+	# If you are doing a custom version, firewall commands go here.
+	PLUTO_INTERFACE=ipsec0
+	iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	    -s $PLUTO_MY_CLIENT $S_MY_PORT \
+	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+	iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	    -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	    -d $PLUTO_MY_CLIENT $D_MY_PORT -j ACCEPT
+	#
+	# a virtual IP requires an INPUT and OUTPUT rule on the host
+	# or sometimes host access via the internal IP is needed
+	if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
+	then
+	    iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ 		-s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+		-d $PLUTO_MY_CLIENT $D_MY_PORT -j ACCEPT
+	    iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+		-s $PLUTO_MY_CLIENT $S_MY_PORT \
+		-d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+	fi
+	;;
+up-host:iptables)
+	# connection to me, with (left/right)firewall=yes, coming up
+	# This is used only by the default updown script, not by your custom
+	# ones, so do not mess with it; see CAUTION comment up at top.
+	iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	    -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	    -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+	iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	    -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
+	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+	#
+	# log IPsec host connection setup
+	if [ $VPN_LOGGING ]
+	then
+	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
+	  then
+	    logger -t $TAG -p $FAC_PRIO \
+	      "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
+	  else
+	    logger -t $TAG -p $FAC_PRIO \
+	      "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
+	  fi
+	fi
+	;;
+down-host:iptables)
+	# connection to me, with (left/right)firewall=yes, going down
+	# This is used only by the default updown script, not by your custom
+	# ones, so do not mess with it; see CAUTION comment up at top.
+	iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	    -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	    -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+	iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	    -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
+	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+	#
+	# log IPsec host connection teardown
+	if [ $VPN_LOGGING ]
+	then
+	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
+	  then
+	    logger -t $TAG -p $FAC_PRIO -- \
+	      "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
+	  else
+	    logger -t $TAG -p $FAC_PRIO -- \
+	    "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
+	  fi
+	fi
+	;;
+up-client:iptables)
+	# connection to client subnet, with (left/right)firewall=yes, coming up
+	# This is used only by the default updown script, not by your custom
+	# ones, so do not mess with it; see CAUTION comment up at top.
+	if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
+	then
+	  iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
+	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
+	  iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	      -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+	fi
+	#
+	# a virtual IP requires an INPUT and OUTPUT rule on the host
+	# or sometimes host access via the internal IP is needed
+	if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
+	then
+	  iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	      -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+	  iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
+	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
+	fi
+	#
+	# log IPsec client connection setup
+	if [ $VPN_LOGGING ]
+	then
+	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
+	  then
+	    logger -t $TAG -p $FAC_PRIO \
+	      "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+	  else
+	    logger -t $TAG -p $FAC_PRIO \
+	      "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+	  fi
+	fi
+	;;
+down-client:iptables)
+	# connection to client subnet, with (left/right)firewall=yes, going down
+	# This is used only by the default updown script, not by your custom
+	# ones, so do not mess with it; see CAUTION comment up at top.
+	if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
+	then
+	  iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
+	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
+	         $IPSEC_POLICY_OUT -j ACCEPT
+	  iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	      -d $PLUTO_MY_CLIENT $D_MY_PORT \
+	         $IPSEC_POLICY_IN -j ACCEPT
+	fi
+	#
+	# a virtual IP requires an INPUT and OUTPUT rule on the host
+	# or sometimes host access via the internal IP is needed
+	if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
+	then
+	  iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	      -d $PLUTO_MY_CLIENT $D_MY_PORT \
+	         $IPSEC_POLICY_IN -j ACCEPT
+	  iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
+	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
+	         $IPSEC_POLICY_OUT -j ACCEPT
+	fi
+	#
+	# log IPsec client connection teardown
+	if [ $VPN_LOGGING ]
+	then
+	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
+	  then
+	    logger -t $TAG -p $FAC_PRIO -- \
+	      "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+	  else
+	    logger -t $TAG -p $FAC_PRIO -- \
+	      "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+	  fi
+	fi
+	;;
+#
+# IPv6
+#
+prepare-host-v6:*|prepare-client-v6:*)
+	;;
+route-host-v6:*|route-client-v6:*)
+	# connection to me or my client subnet being routed
+	#uproute_v6
+	;;
+unroute-host-v6:*|unroute-client-v6:*)
+	# connection to me or my client subnet being unrouted
+	#downroute_v6
+	;;
+up-host-v6:)
+	# connection to me coming up
+	# If you are doing a custom version, firewall commands go here.
+	;;
+down-host-v6:)
+	# connection to me going down
+	# If you are doing a custom version, firewall commands go here.
+	;;
+up-client-v6:)
+	# connection to my client subnet coming up
+	# If you are doing a custom version, firewall commands go here.
+	;;
+down-client-v6:)
+	# connection to my client subnet going down
+	# If you are doing a custom version, firewall commands go here.
+	;;
+up-host-v6:iptables)
+	# connection to me, with (left/right)firewall=yes, coming up
+	# This is used only by the default updown script, not by your custom
+	# ones, so do not mess with it; see CAUTION comment up at top.
+	ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	    -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	    -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+	ip6tables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	    -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
+	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+	#
+	# log IPsec host connection setup
+	if [ $VPN_LOGGING ]
+	then
+	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ]
+	  then
+	    logger -t $TAG -p $FAC_PRIO \
+	      "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
+	  else
+	    logger -t $TAG -p $FAC_PRIO \
+	      "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
+	  fi
+	fi
+	;;
+down-host-v6:iptables)
+	# connection to me, with (left/right)firewall=yes, going down
+	# This is used only by the default updown script, not by your custom
+	# ones, so do not mess with it; see CAUTION comment up at top.
+	ip6tables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	    -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	    -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+	ip6tables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	    -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
+	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+	#
+	# log IPsec host connection teardown
+	if [ $VPN_LOGGING ]
+	then
+	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ]
+	  then
+	    logger -t $TAG -p $FAC_PRIO -- \
+	      "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
+	  else
+	    logger -t $TAG -p $FAC_PRIO -- \
+	    "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
+	  fi
+	fi
+	;;
+up-client-v6:iptables)
+	# connection to client subnet, with (left/right)firewall=yes, coming up
+	# This is used only by the default updown script, not by your custom
+	# ones, so do not mess with it; see CAUTION comment up at top.
+	if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ]
+	then
+	  ip6tables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
+	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
+	  ip6tables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	      -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+	fi
+	#
+	# a virtual IP requires an INPUT and OUTPUT rule on the host
+	# or sometimes host access via the internal IP is needed
+	if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
+	then
+	  ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	      -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+	  ip6tables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
+	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
+	fi
+	#
+	# log IPsec client connection setup
+	if [ $VPN_LOGGING ]
+	then
+	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ]
+	  then
+	    logger -t $TAG -p $FAC_PRIO \
+	      "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+	  else
+	    logger -t $TAG -p $FAC_PRIO \
+	      "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+	  fi
+	fi
+	;;
+down-client-v6:iptables)
+	# connection to client subnet, with (left/right)firewall=yes, going down
+	# This is used only by the default updown script, not by your custom
+	# ones, so do not mess with it; see CAUTION comment up at top.
+	if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ]
+	then
+	  ip6tables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
+	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
+	         $IPSEC_POLICY_OUT -j ACCEPT
+	  ip6tables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	      -d $PLUTO_MY_CLIENT $D_MY_PORT \
+	         $IPSEC_POLICY_IN -j ACCEPT
+	fi
+	#
+	# a virtual IP requires an INPUT and OUTPUT rule on the host
+	# or sometimes host access via the internal IP is needed
+	if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
+	then
+	  ip6tables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	      -d $PLUTO_MY_CLIENT $D_MY_PORT \
+	         $IPSEC_POLICY_IN -j ACCEPT
+	  ip6tables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
+	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
+	         $IPSEC_POLICY_OUT -j ACCEPT
+	fi
+	#
+	# log IPsec client connection teardown
+	if [ $VPN_LOGGING ]
+	then
+	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ]
+	  then
+	    logger -t $TAG -p $FAC_PRIO -- \
+	      "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+	  else
+	    logger -t $TAG -p $FAC_PRIO -- \
+	      "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+	  fi
+	fi
+	;;
+*)	echo "$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'" >&2
+	exit 1
+	;;
+esac
diff --git a/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/ipsec.conf b/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/ipsec.conf
new file mode 100644
index 000000000..9b6ca682a
--- /dev/null
+++ b/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+	ike=aes128gcm128-prfsha256-ecp256!
+	esp=aes128gcm128-ecp256!
+
+conn home 
+	left=PH_IP_DAVE
+	leftcert=daveCert.pem
+	leftid=dave@strongswan.org
+	leftsourceip=%config
+	leftupdown=/etc/updown
+	right=PH_IP_MOON
+	rightid=moon.strongswan.org
+	rightsubnet=10.1.0.0/16
+	auto=add
diff --git a/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/ipsec.d/cacerts/strongswanCert.pem b/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/ipsec.d/cacerts/strongswanCert.pem
new file mode 100644
index 000000000..3480a434a
--- /dev/null
+++ b/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/ipsec.d/cacerts/strongswanCert.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICyDCCAiqgAwIBAgIJAPaidX4i76aJMAkGByqGSM49BAEwSDELMAkGA1UEBhMC
+Q0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xHjAcBgNVBAMTFXN0cm9uZ1N3
+YW4gRUMgUm9vdCBDQTAeFw0wODA2MjIxNDM2MDZaFw0xODA2MjAxNDM2MDZaMEgx
+CzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQD
+ExVzdHJvbmdTd2FuIEVDIFJvb3QgQ0EwgZswEAYHKoZIzj0CAQYFK4EEACMDgYYA
+BAEUx1NvjNKzbDHaRPMsqIf/6SbUpzBa78N/WIyF6rYj8e5McAqfTfzUfFJZYoQn
+/mbP3VfjOxRuMDjrlfvdgMxwkwFDigWQfHg3CJbS7eQjjO1MrxxIJUtfSTnF29tM
+h6IYMdxaZKloCGCOrpmGCGdxD2/KwoX1SA3BlnjaNt7kSTonkqOBujCBtzAPBgNV
+HRMBAf8EBTADAQH/MAsGA1UdDwQEAwIBBjAdBgNVHQ4EFgQUul35cbYTtWrR3bo2
+t6rSwe6P2NIweAYDVR0jBHEwb4AUul35cbYTtWrR3bo2t6rSwe6P2NKhTKRKMEgx
+CzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQD
+ExVzdHJvbmdTd2FuIEVDIFJvb3QgQ0GCCQD2onV+Iu+miTAJBgcqhkjOPQQBA4GM
+ADCBiAJCAL5pU3X6NYWjOYe0cxrah27UxtUDLUNkFG/Ojl+gOH4QB0CKY0HXNyrq
+cgba73dXF/U0Cg3Ij/9g4Kd9GgYq0GlSAkIAqgqMKqXni8wbeGMJE2Mn2/8aHM3Q
+3flpHSoeNWOe/VzpRviw+VRgA4vbhhKUXBtQSiea77/DXLwOp5w7rkBoEUg=
+-----END CERTIFICATE-----
diff --git a/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/ipsec.d/certs/daveCert.pem b/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/ipsec.d/certs/daveCert.pem
new file mode 100644
index 000000000..c83be145d
--- /dev/null
+++ b/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/ipsec.d/certs/daveCert.pem
@@ -0,0 +1,15 @@
+-----BEGIN CERTIFICATE-----
+MIICXDCCAb2gAwIBAgIBCzAKBggqhkjOPQQDBDBIMQswCQYDVQQGEwJDSDEZMBcG
+A1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UEAxMVc3Ryb25nU3dhbiBFQyBS
+b290IENBMB4XDTEzMDYyODA3MzMyOFoXDTE4MDYwMjA3MzMyOFowXjELMAkGA1UE
+BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xFjAUBgNVBAsTDUVDRFNB
+IDI1NiBiaXQxHDAaBgNVBAMUE2RhdmVAc3Ryb25nc3dhbi5vcmcwWTATBgcqhkjO
+PQIBBggqhkjOPQMBBwNCAAQ0aUuue3BcBvF6aEISID4c+mVBJyvSm2fPVRRkAQqh
+RktTHMYDWY6B8e/iGr4GDeF5bjr46vMB5eEtVx3chWbQo4GBMH8wHwYDVR0jBBgw
+FoAUul35cbYTtWrR3bo2t6rSwe6P2NIwHgYDVR0RBBcwFYETZGF2ZUBzdHJvbmdz
+d2FuLm9yZzA8BgNVHR8ENTAzMDGgL6AthitodHRwOi8vY3JsLnN0cm9uZ3N3YW4u
+b3JnL3N0cm9uZ3N3YW5fZWMuY3JsMAoGCCqGSM49BAMEA4GMADCBiAJCAd5ols9c
+CP6HPtfMXbPlSpUDKSRyB3c5Ix2Yn3z5ogMM1QSoS88FW8D7KKsb0qTY5TnlAls3
+45PmauVwEbI2cV6qAkIBphvsmhYWMnt/QMOij7DinihEL9Ib1vxOS2boUos6sHWi
+gj3wfHyfgHM3Pgt0YYoZxELDIxcLVJeoa1TmNey7IaI=
+-----END CERTIFICATE-----
diff --git a/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/ipsec.d/private/daveKey.pem b/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/ipsec.d/private/daveKey.pem
new file mode 100644
index 000000000..17e94022e
--- /dev/null
+++ b/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/ipsec.d/private/daveKey.pem
@@ -0,0 +1,5 @@
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEICwxFtCsSqIAzwZDyxHclTRdz/tGzAY7fP/vPoxqr8vuoAoGCCqGSM49
+AwEHoUQDQgAENGlLrntwXAbxemhCEiA+HPplQScr0ptnz1UUZAEKoUZLUxzGA1mO
+gfHv4hq+Bg3heW46+OrzAeXhLVcd3IVm0A==
+-----END EC PRIVATE KEY-----
diff --git a/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/ipsec.secrets b/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/ipsec.secrets
new file mode 100644
index 000000000..ebd3a2839
--- /dev/null
+++ b/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: ECDSA daveKey.pem
diff --git a/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/iptables.flush b/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/iptables.flush
new file mode 100644
index 000000000..b3ab63c51
--- /dev/null
+++ b/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/iptables.flush
@@ -0,0 +1,21 @@
+*filter
+
+-F
+
+-P INPUT ACCEPT
+-P OUTPUT ACCEPT
+-P FORWARD ACCEPT
+
+COMMIT
+
+*nat
+
+-F
+
+COMMIT
+
+*mangle
+
+-F
+
+COMMIT
diff --git a/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/iptables.rules b/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/iptables.rules
new file mode 100644
index 000000000..3d99c0197
--- /dev/null
+++ b/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/iptables.rules
@@ -0,0 +1,32 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow esp
+-A INPUT  -i eth0 -p 50 -j ACCEPT
+-A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+# allow IKE
+-A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT  -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT  -i eth0 -p tcp --sport 80 -s 192.168.0.150 -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d 192.168.0.150 -j ACCEPT
+
+# allow traffic tunnelled via IPsec
+-A INPUT  -i eth0 -m policy --dir in  --pol ipsec --proto esp -j ACCEPT
+-A OUTPUT -o eth0 -m policy --dir out --pol ipsec --proto esp -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/strongswan.conf b/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..06bcaa1e5
--- /dev/null
+++ b/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,15 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = soup pem pkcs1 pkcs8 random nonce x509 revocation openssl stroke kernel-libipsec kernel-netlink socket-default updown
+
+  initiator_only = yes
+}
+
+libstrongswan {
+  plugins {
+    openssl {
+      fips_mode = 2
+    }
+  }
+}
diff --git a/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/updown b/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/updown
new file mode 100755
index 000000000..15c239466
--- /dev/null
+++ b/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/updown
@@ -0,0 +1,746 @@
+#! /bin/sh
+# iproute2 version, default updown script
+#
+# Copyright (C) 2003-2004 Nigel Meteringham
+# Copyright (C) 2003-2004 Tuomo Soini
+# Copyright (C) 2002-2004 Michael Richardson
+# Copyright (C) 2005-2007 Andreas Steffen <andreas.steffen@strongswan.org>
+#
+# This program is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 2 of the License, or (at your
+# option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+# or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+# for more details.
+
+# CAUTION:  Installing a new version of strongSwan will install a new
+# copy of this script, wiping out any custom changes you make.  If
+# you need changes, make a copy of this under another name, and customize
+# that, and use the (left/right)updown parameters in ipsec.conf to make
+# strongSwan use yours instead of this default one.
+
+# things that this script gets (from ipsec_pluto(8) man page)
+#
+#      PLUTO_VERSION
+#              indicates  what  version of this interface is being
+#              used.  This document describes version  1.1.   This
+#              is upwardly compatible with version 1.0.
+#
+#       PLUTO_VERB
+#              specifies the name of the operation to be performed
+#              (prepare-host, prepare-client, up-host, up-client,
+#              down-host, or down-client).  If the address family
+#              for security gateway to security gateway communica-
+#              tions is IPv6, then a suffix of -v6 is added to the
+#              verb.
+#
+#       PLUTO_CONNECTION
+#              is the name of the  connection  for  which  we  are
+#              routing.
+#
+#       PLUTO_NEXT_HOP
+#              is the next hop to which packets bound for the peer
+#              must be sent.
+#
+#       PLUTO_INTERFACE
+#              is the name of the ipsec interface to be used.
+#
+#       PLUTO_REQID
+#              is the requid of the ESP policy
+#
+#       PLUTO_UNIQUEID
+#              is the unique identifier of the associated IKE_SA
+#
+#       PLUTO_ME
+#              is the IP address of our host.
+#
+#       PLUTO_MY_ID
+#              is the ID of our host.
+#
+#       PLUTO_MY_CLIENT
+#              is the IP address / count of our client subnet.  If
+#              the  client  is  just  the  host,  this will be the
+#              host's own IP address / max (where max  is  32  for
+#              IPv4 and 128 for IPv6).
+#
+#       PLUTO_MY_CLIENT_NET
+#              is the IP address of our client net.  If the client
+#              is just the host, this will be the  host's  own  IP
+#              address.
+#
+#       PLUTO_MY_CLIENT_MASK
+#              is  the  mask for our client net.  If the client is
+#              just the host, this will be 255.255.255.255.
+#
+#       PLUTO_MY_SOURCEIP
+#       PLUTO_MY_SOURCEIP4_$i
+#       PLUTO_MY_SOURCEIP6_$i
+#              contains IPv4/IPv6 virtual IP received from a responder,
+#              $i enumerates from 1 to the number of IP per address family.
+#              PLUTO_MY_SOURCEIP is a legacy variable and equals to the first
+#              virtual IP, IPv4 or IPv6.
+#
+#       PLUTO_MY_PROTOCOL
+#              is the IP protocol that will be transported.
+#
+#       PLUTO_MY_PORT
+#              is  the  UDP/TCP  port  to  which  the IPsec SA  is
+#              restricted on our side.
+#
+#       PLUTO_PEER
+#              is the IP address of our peer.
+#
+#       PLUTO_PEER_ID
+#              is the ID of our peer.
+#
+#       PLUTO_PEER_CA
+#              is the CA which issued the cert of our peer.
+#
+#       PLUTO_PEER_CLIENT
+#              is the IP address / count of the peer's client sub-
+#              net.   If the client is just the peer, this will be
+#              the peer's own IP address / max (where  max  is  32
+#              for IPv4 and 128 for IPv6).
+#
+#       PLUTO_PEER_CLIENT_NET
+#              is the IP address of the peer's client net.  If the
+#              client is just the peer, this will  be  the  peer's
+#              own IP address.
+#
+#       PLUTO_PEER_CLIENT_MASK
+#              is  the  mask  for  the  peer's client net.  If the
+#              client   is   just   the   peer,   this   will   be
+#              255.255.255.255.
+#
+#       PLUTO_PEER_PROTOCOL
+#              is the IP protocol that will be transported.
+#
+#       PLUTO_PEER_PORT
+#              is  the  UDP/TCP  port  to  which  the IPsec SA  is
+#              restricted on the peer side.
+#
+#       PLUTO_XAUTH_ID
+#              is an optional user ID employed by the XAUTH protocol
+#
+#       PLUTO_MARK_IN
+#              is an optional XFRM mark set on the inbound IPsec SA
+#
+#       PLUTO_MARK_OUT
+#              is an optional XFRM mark set on the outbound IPsec SA
+#
+#       PLUTO_UDP_ENC
+#              contains the remote UDP port in the case of ESP_IN_UDP
+#              encapsulation
+#
+#       PLUTO_DNS4_$i
+#       PLUTO_DNS6_$i
+#              contains IPv4/IPv6 DNS server attribute received from a
+#              responder, $i enumerates from 1 to the number of servers per
+#              address family.
+#
+
+# define a minimum PATH environment in case it is not set
+PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/sbin"
+export PATH
+
+# uncomment to log VPN connections
+VPN_LOGGING=1
+#
+# tag put in front of each log entry:
+TAG=vpn
+#
+# syslog facility and priority used:
+FAC_PRIO=local0.notice
+#
+# to create a special vpn logging file, put the following line into
+# the syslog configuration file /etc/syslog.conf:
+#
+# local0.notice                   -/var/log/vpn
+
+# in order to use source IP routing the Linux kernel options
+# CONFIG_IP_ADVANCED_ROUTER and CONFIG_IP_MULTIPLE_TABLES
+# must be enabled
+#
+# special routing table for sourceip routes
+SOURCEIP_ROUTING_TABLE=220
+#
+# priority of the sourceip routing table
+SOURCEIP_ROUTING_TABLE_PRIO=220
+
+# check interface version
+case "$PLUTO_VERSION" in
+1.[0|1])	# Older Pluto?!?  Play it safe, script may be using new features.
+	echo "$0: obsolete interface version \`$PLUTO_VERSION'," >&2
+	echo "$0: 	called by obsolete Pluto?" >&2
+	exit 2
+	;;
+1.*)	;;
+*)	echo "$0: unknown interface version \`$PLUTO_VERSION'" >&2
+	exit 2
+	;;
+esac
+
+# check parameter(s)
+case "$1:$*" in
+':')			# no parameters
+	;;
+iptables:iptables)	# due to (left/right)firewall; for default script only
+	;;
+custom:*)		# custom parameters (see above CAUTION comment)
+	;;
+*)	echo "$0: unknown parameters \`$*'" >&2
+	exit 2
+	;;
+esac
+
+# utility functions for route manipulation
+# Meddling with this stuff should not be necessary and requires great care.
+uproute() {
+	doroute add
+	ip route flush cache
+}
+downroute() {
+	doroute delete
+	ip route flush cache
+}
+
+addsource() {
+	st=0
+	if ! ip -o route get ${PLUTO_MY_SOURCEIP%/*} | grep -q ^local
+	then
+	    it="ip addr add ${PLUTO_MY_SOURCEIP%/*}/32 dev $PLUTO_INTERFACE"
+	    oops="`eval $it 2>&1`"
+	    st=$?
+	    if test " $oops" = " " -a " $st" != " 0"
+	    then
+		oops="silent error, exit status $st"
+	    fi
+	    if test " $oops" != " " -o " $st" != " 0"
+	    then
+		echo "$0: addsource \`$it' failed ($oops)" >&2
+	    fi
+	fi
+	return $st
+}
+
+doroute() {
+	st=0
+
+	if [ -z "$PLUTO_MY_SOURCEIP" ]
+	then
+	    for dir in /etc/sysconfig /etc/conf.d; do
+		if [ -f "$dir/defaultsource" ]
+		then
+		    . "$dir/defaultsource"
+		fi
+	    done
+
+	    if [ -n "$DEFAULTSOURCE" ]
+	    then
+		PLUTO_MY_SOURCEIP=$DEFAULTSOURCE
+	    fi
+        fi
+
+	if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ]
+	then
+	    # leave because no route entry is required
+	    return $st
+	fi
+
+	parms1="$PLUTO_PEER_CLIENT"
+
+	if [ -n "$PLUTO_NEXT_HOP" ]
+	then
+	    parms2="via $PLUTO_NEXT_HOP"
+	else
+	    parms2="via $PLUTO_PEER"
+	fi
+	parms2="$parms2 dev $PLUTO_INTERFACE"
+
+	parms3=
+	if [ -n "$PLUTO_MY_SOURCEIP" ]
+	then
+	    if test "$1" = "add"
+	    then
+		addsource
+		if ! ip rule list | grep -q "lookup $SOURCEIP_ROUTING_TABLE"
+		then
+		    ip rule add pref $SOURCEIP_ROUTING_TABLE_PRIO table $SOURCEIP_ROUTING_TABLE
+		fi
+	    fi
+	    parms3="$parms3 src ${PLUTO_MY_SOURCEIP%/*} table $SOURCEIP_ROUTING_TABLE"
+	fi
+
+	case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
+	"0.0.0.0/0.0.0.0")
+		# opportunistic encryption work around
+		# need to provide route that eclipses default, without
+		# replacing it.
+		it="ip route $1 0.0.0.0/1 $parms2 $parms3 &&
+			ip route $1 128.0.0.0/1 $parms2 $parms3"
+		;;
+	*)	it="ip route $1 $parms1 $parms2 $parms3"
+		;;
+	esac
+	oops="`eval $it 2>&1`"
+	st=$?
+	if test " $oops" = " " -a " $st" != " 0"
+	then
+	    oops="silent error, exit status $st"
+	fi
+	if test " $oops" != " " -o " $st" != " 0"
+	then
+	    echo "$0: doroute \`$it' failed ($oops)" >&2
+	fi
+	return $st
+}
+
+# in the presence of KLIPS and ipsecN interfaces do not use IPSEC_POLICY
+if [ `echo "$PLUTO_INTERFACE" | grep "ipsec"` ]
+then
+	KLIPS=1
+	IPSEC_POLICY_IN=""
+	IPSEC_POLICY_OUT=""
+else
+	KLIPS=
+	IPSEC_POLICY="-m policy --pol ipsec --proto esp --reqid $PLUTO_REQID"
+	IPSEC_POLICY_IN="$IPSEC_POLICY --dir in"
+	IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out"
+fi
+
+# are there port numbers?
+if [ "$PLUTO_MY_PORT" != 0 ]
+then
+	S_MY_PORT="--sport $PLUTO_MY_PORT"
+	D_MY_PORT="--dport $PLUTO_MY_PORT"
+fi
+if [ "$PLUTO_PEER_PORT" != 0 ]
+then
+	S_PEER_PORT="--sport $PLUTO_PEER_PORT"
+	D_PEER_PORT="--dport $PLUTO_PEER_PORT"
+fi
+
+# resolve octal escape sequences
+PLUTO_MY_ID=`printf "$PLUTO_MY_ID"`
+PLUTO_PEER_ID=`printf "$PLUTO_PEER_ID"`
+
+# the big choice
+case "$PLUTO_VERB:$1" in
+prepare-host:*|prepare-client:*)
+	if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ]
+	then
+	    # exit because no route will be added,
+	    # so that existing routes can stay
+	    exit 0
+	fi
+
+	# delete possibly-existing route (preliminary to adding a route)
+	case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
+	"0.0.0.0/0.0.0.0")
+		# need to provide route that eclipses default, without
+		# replacing it.
+		parms1="0.0.0.0/1"
+		parms2="128.0.0.0/1"
+		it="ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1"
+		oops="`ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1`"
+		;;
+	*)
+		parms="$PLUTO_PEER_CLIENT"
+		it="ip route delete $parms 2>&1"
+		oops="`ip route delete $parms 2>&1`"
+		;;
+	esac
+	status="$?"
+	if test " $oops" = " " -a " $status" != " 0"
+	then
+		oops="silent error, exit status $status"
+	fi
+	case "$oops" in
+	*'RTNETLINK answers: No such process'*)
+		# This is what route (currently -- not documented!) gives
+		# for "could not find such a route".
+		oops=
+		status=0
+		;;
+	esac
+	if test " $oops" != " " -o " $status" != " 0"
+	then
+		echo "$0: \`$it' failed ($oops)" >&2
+	fi
+	exit $status
+	;;
+route-host:*|route-client:*)
+	# connection to me or my client subnet being routed
+	uproute
+	;;
+unroute-host:*|unroute-client:*)
+	# connection to me or my client subnet being unrouted
+	downroute
+	;;
+up-host:)
+	# connection to me coming up
+	# If you are doing a custom version, firewall commands go here.
+	PLUTO_INTERFACE=ipsec0
+	iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	    -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	    -d $PLUTO_ME $D_MY_PORT -j ACCEPT
+	iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	    -s $PLUTO_ME $S_MY_PORT \
+	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+	;;
+down-host:)
+	# connection to me going down
+	# If you are doing a custom version, firewall commands go here.
+	PLUTO_INTERFACE=ipsec0
+ 	iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	    -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	    -d $PLUTO_ME $D_MY_PORT -j ACCEPT
+	iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	    -s $PLUTO_ME $S_MY_PORT \
+	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+	;;
+up-client:)
+	# connection to my client subnet coming up
+	# If you are doing a custom version, firewall commands go here.
+	PLUTO_INTERFACE=ipsec0
+        if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
+        then
+	    iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+		-s $PLUTO_MY_CLIENT $S_MY_PORT \
+		-d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+	    iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+		-s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+		-d $PLUTO_MY_CLIENT $D_MY_PORT -j ACCEPT
+	fi
+	#
+	# a virtual IP requires an INPUT and OUTPUT rule on the host
+	# or sometimes host access via the internal IP is needed
+	if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
+	then
+	    iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+		-s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+		-d $PLUTO_MY_CLIENT $D_MY_PORT -j ACCEPT
+	    iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+		-s $PLUTO_MY_CLIENT $S_MY_PORT \
+		-d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+	fi
+	;;
+down-client:)
+	# connection to my client subnet going down
+	# If you are doing a custom version, firewall commands go here.
+	PLUTO_INTERFACE=ipsec0
+	iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	    -s $PLUTO_MY_CLIENT $S_MY_PORT \
+	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+	iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	    -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	    -d $PLUTO_MY_CLIENT $D_MY_PORT -j ACCEPT
+	#
+	# a virtual IP requires an INPUT and OUTPUT rule on the host
+	# or sometimes host access via the internal IP is needed
+	if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
+	then
+	    iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ 		-s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+		-d $PLUTO_MY_CLIENT $D_MY_PORT -j ACCEPT
+	    iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+		-s $PLUTO_MY_CLIENT $S_MY_PORT \
+		-d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+	fi
+	;;
+up-host:iptables)
+	# connection to me, with (left/right)firewall=yes, coming up
+	# This is used only by the default updown script, not by your custom
+	# ones, so do not mess with it; see CAUTION comment up at top.
+	iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	    -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	    -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+	iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	    -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
+	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+	#
+	# log IPsec host connection setup
+	if [ $VPN_LOGGING ]
+	then
+	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
+	  then
+	    logger -t $TAG -p $FAC_PRIO \
+	      "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
+	  else
+	    logger -t $TAG -p $FAC_PRIO \
+	      "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
+	  fi
+	fi
+	;;
+down-host:iptables)
+	# connection to me, with (left/right)firewall=yes, going down
+	# This is used only by the default updown script, not by your custom
+	# ones, so do not mess with it; see CAUTION comment up at top.
+	iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	    -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	    -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+	iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	    -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
+	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+	#
+	# log IPsec host connection teardown
+	if [ $VPN_LOGGING ]
+	then
+	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
+	  then
+	    logger -t $TAG -p $FAC_PRIO -- \
+	      "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
+	  else
+	    logger -t $TAG -p $FAC_PRIO -- \
+	    "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
+	  fi
+	fi
+	;;
+up-client:iptables)
+	# connection to client subnet, with (left/right)firewall=yes, coming up
+	# This is used only by the default updown script, not by your custom
+	# ones, so do not mess with it; see CAUTION comment up at top.
+	if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
+	then
+	  iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
+	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
+	  iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	      -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+	fi
+	#
+	# a virtual IP requires an INPUT and OUTPUT rule on the host
+	# or sometimes host access via the internal IP is needed
+	if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
+	then
+	  iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	      -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+	  iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
+	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
+	fi
+	#
+	# log IPsec client connection setup
+	if [ $VPN_LOGGING ]
+	then
+	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
+	  then
+	    logger -t $TAG -p $FAC_PRIO \
+	      "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+	  else
+	    logger -t $TAG -p $FAC_PRIO \
+	      "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+	  fi
+	fi
+	;;
+down-client:iptables)
+	# connection to client subnet, with (left/right)firewall=yes, going down
+	# This is used only by the default updown script, not by your custom
+	# ones, so do not mess with it; see CAUTION comment up at top.
+	if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
+	then
+	  iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
+	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
+	         $IPSEC_POLICY_OUT -j ACCEPT
+	  iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	      -d $PLUTO_MY_CLIENT $D_MY_PORT \
+	         $IPSEC_POLICY_IN -j ACCEPT
+	fi
+	#
+	# a virtual IP requires an INPUT and OUTPUT rule on the host
+	# or sometimes host access via the internal IP is needed
+	if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
+	then
+	  iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	      -d $PLUTO_MY_CLIENT $D_MY_PORT \
+	         $IPSEC_POLICY_IN -j ACCEPT
+	  iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
+	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
+	         $IPSEC_POLICY_OUT -j ACCEPT
+	fi
+	#
+	# log IPsec client connection teardown
+	if [ $VPN_LOGGING ]
+	then
+	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
+	  then
+	    logger -t $TAG -p $FAC_PRIO -- \
+	      "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+	  else
+	    logger -t $TAG -p $FAC_PRIO -- \
+	      "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+	  fi
+	fi
+	;;
+#
+# IPv6
+#
+prepare-host-v6:*|prepare-client-v6:*)
+	;;
+route-host-v6:*|route-client-v6:*)
+	# connection to me or my client subnet being routed
+	#uproute_v6
+	;;
+unroute-host-v6:*|unroute-client-v6:*)
+	# connection to me or my client subnet being unrouted
+	#downroute_v6
+	;;
+up-host-v6:)
+	# connection to me coming up
+	# If you are doing a custom version, firewall commands go here.
+	;;
+down-host-v6:)
+	# connection to me going down
+	# If you are doing a custom version, firewall commands go here.
+	;;
+up-client-v6:)
+	# connection to my client subnet coming up
+	# If you are doing a custom version, firewall commands go here.
+	;;
+down-client-v6:)
+	# connection to my client subnet going down
+	# If you are doing a custom version, firewall commands go here.
+	;;
+up-host-v6:iptables)
+	# connection to me, with (left/right)firewall=yes, coming up
+	# This is used only by the default updown script, not by your custom
+	# ones, so do not mess with it; see CAUTION comment up at top.
+	ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	    -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	    -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+	ip6tables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	    -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
+	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+	#
+	# log IPsec host connection setup
+	if [ $VPN_LOGGING ]
+	then
+	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ]
+	  then
+	    logger -t $TAG -p $FAC_PRIO \
+	      "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
+	  else
+	    logger -t $TAG -p $FAC_PRIO \
+	      "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
+	  fi
+	fi
+	;;
+down-host-v6:iptables)
+	# connection to me, with (left/right)firewall=yes, going down
+	# This is used only by the default updown script, not by your custom
+	# ones, so do not mess with it; see CAUTION comment up at top.
+	ip6tables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	    -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	    -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+	ip6tables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	    -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
+	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+	#
+	# log IPsec host connection teardown
+	if [ $VPN_LOGGING ]
+	then
+	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ]
+	  then
+	    logger -t $TAG -p $FAC_PRIO -- \
+	      "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
+	  else
+	    logger -t $TAG -p $FAC_PRIO -- \
+	    "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
+	  fi
+	fi
+	;;
+up-client-v6:iptables)
+	# connection to client subnet, with (left/right)firewall=yes, coming up
+	# This is used only by the default updown script, not by your custom
+	# ones, so do not mess with it; see CAUTION comment up at top.
+	if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ]
+	then
+	  ip6tables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
+	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
+	  ip6tables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	      -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+	fi
+	#
+	# a virtual IP requires an INPUT and OUTPUT rule on the host
+	# or sometimes host access via the internal IP is needed
+	if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
+	then
+	  ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	      -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+	  ip6tables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
+	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
+	fi
+	#
+	# log IPsec client connection setup
+	if [ $VPN_LOGGING ]
+	then
+	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ]
+	  then
+	    logger -t $TAG -p $FAC_PRIO \
+	      "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+	  else
+	    logger -t $TAG -p $FAC_PRIO \
+	      "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+	  fi
+	fi
+	;;
+down-client-v6:iptables)
+	# connection to client subnet, with (left/right)firewall=yes, going down
+	# This is used only by the default updown script, not by your custom
+	# ones, so do not mess with it; see CAUTION comment up at top.
+	if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ]
+	then
+	  ip6tables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
+	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
+	         $IPSEC_POLICY_OUT -j ACCEPT
+	  ip6tables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	      -d $PLUTO_MY_CLIENT $D_MY_PORT \
+	         $IPSEC_POLICY_IN -j ACCEPT
+	fi
+	#
+	# a virtual IP requires an INPUT and OUTPUT rule on the host
+	# or sometimes host access via the internal IP is needed
+	if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
+	then
+	  ip6tables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	      -d $PLUTO_MY_CLIENT $D_MY_PORT \
+	         $IPSEC_POLICY_IN -j ACCEPT
+	  ip6tables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
+	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
+	         $IPSEC_POLICY_OUT -j ACCEPT
+	fi
+	#
+	# log IPsec client connection teardown
+	if [ $VPN_LOGGING ]
+	then
+	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ]
+	  then
+	    logger -t $TAG -p $FAC_PRIO -- \
+	      "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+	  else
+	    logger -t $TAG -p $FAC_PRIO -- \
+	      "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+	  fi
+	fi
+	;;
+*)	echo "$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'" >&2
+	exit 1
+	;;
+esac
diff --git a/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/ipsec.conf b/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/ipsec.conf
new file mode 100644
index 000000000..733592087
--- /dev/null
+++ b/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,22 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekey=no
+	reauth=no
+	keyexchange=ikev2
+	ike=aes128gcm128-prfsha256-ecp256!
+	esp=aes128gcm128-ecp256!
+
+conn rw
+	left=PH_IP_MOON
+	leftcert=moonCert.pem
+	leftid=@moon.strongswan.org
+	leftsubnet=10.1.0.0/16
+	leftupdown=/etc/updown
+	right=%any
+	rightsourceip=10.3.0.0/24
+	auto=add
diff --git a/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem b/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem
new file mode 100644
index 000000000..3480a434a
--- /dev/null
+++ b/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICyDCCAiqgAwIBAgIJAPaidX4i76aJMAkGByqGSM49BAEwSDELMAkGA1UEBhMC
+Q0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xHjAcBgNVBAMTFXN0cm9uZ1N3
+YW4gRUMgUm9vdCBDQTAeFw0wODA2MjIxNDM2MDZaFw0xODA2MjAxNDM2MDZaMEgx
+CzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQD
+ExVzdHJvbmdTd2FuIEVDIFJvb3QgQ0EwgZswEAYHKoZIzj0CAQYFK4EEACMDgYYA
+BAEUx1NvjNKzbDHaRPMsqIf/6SbUpzBa78N/WIyF6rYj8e5McAqfTfzUfFJZYoQn
+/mbP3VfjOxRuMDjrlfvdgMxwkwFDigWQfHg3CJbS7eQjjO1MrxxIJUtfSTnF29tM
+h6IYMdxaZKloCGCOrpmGCGdxD2/KwoX1SA3BlnjaNt7kSTonkqOBujCBtzAPBgNV
+HRMBAf8EBTADAQH/MAsGA1UdDwQEAwIBBjAdBgNVHQ4EFgQUul35cbYTtWrR3bo2
+t6rSwe6P2NIweAYDVR0jBHEwb4AUul35cbYTtWrR3bo2t6rSwe6P2NKhTKRKMEgx
+CzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQD
+ExVzdHJvbmdTd2FuIEVDIFJvb3QgQ0GCCQD2onV+Iu+miTAJBgcqhkjOPQQBA4GM
+ADCBiAJCAL5pU3X6NYWjOYe0cxrah27UxtUDLUNkFG/Ojl+gOH4QB0CKY0HXNyrq
+cgba73dXF/U0Cg3Ij/9g4Kd9GgYq0GlSAkIAqgqMKqXni8wbeGMJE2Mn2/8aHM3Q
+3flpHSoeNWOe/VzpRviw+VRgA4vbhhKUXBtQSiea77/DXLwOp5w7rkBoEUg=
+-----END CERTIFICATE-----
diff --git a/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/ipsec.d/certs/moonCert.pem b/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/ipsec.d/certs/moonCert.pem
new file mode 100644
index 000000000..a3b043e82
--- /dev/null
+++ b/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/ipsec.d/certs/moonCert.pem
@@ -0,0 +1,15 @@
+-----BEGIN CERTIFICATE-----
+MIICXDCCAb2gAwIBAgIBBzAKBggqhkjOPQQDBDBIMQswCQYDVQQGEwJDSDEZMBcG
+A1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UEAxMVc3Ryb25nU3dhbiBFQyBS
+b290IENBMB4XDTEzMDYyODA3MTc0M1oXDTE4MDYwMjA3MTc0M1owXjELMAkGA1UE
+BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xFjAUBgNVBAsTDUVDRFNB
+IDI1NiBiaXQxHDAaBgNVBAMTE21vb24uc3Ryb25nc3dhbi5vcmcwWTATBgcqhkjO
+PQIBBggqhkjOPQMBBwNCAATf97+pfDnyPIA9gf6bYTZiIjNBAbCjCIqxxWou/oMq
+/9V1O20vyI/dg2g3yzTdzESUa+X81fop+i2n9ymBqI1No4GBMH8wHwYDVR0jBBgw
+FoAUul35cbYTtWrR3bo2t6rSwe6P2NIwHgYDVR0RBBcwFYITbW9vbi5zdHJvbmdz
+d2FuLm9yZzA8BgNVHR8ENTAzMDGgL6AthitodHRwOi8vY3JsLnN0cm9uZ3N3YW4u
+b3JnL3N0cm9uZ3N3YW5fZWMuY3JsMAoGCCqGSM49BAMEA4GMADCBiAJCALNndw3C
+DDWCb0f+6P6hxkqiYmUpv39XrioZrLbw+MjMD2WAchbj60KibBep1cVwIq3kWIJ6
+Jj0tYXG+f6yjmImqAkIBGOGRm+MQZxPFdYZoJZq5QXwIN0w2hJxmLIxBASW4PLdl
+RLIlvW/XTJObdb0VVYmClg0HTSvuuYOJrzwdyd8D1w0=
+-----END CERTIFICATE-----
diff --git a/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/ipsec.d/private/moonKey.pem b/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/ipsec.d/private/moonKey.pem
new file mode 100644
index 000000000..5bd2778a9
--- /dev/null
+++ b/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/ipsec.d/private/moonKey.pem
@@ -0,0 +1,5 @@
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEIHWBnv6tDi/CTTWOQi/0XME7r8Wd5GRPaXx3wNTElpSvoAoGCCqGSM49
+AwEHoUQDQgAE3/e/qXw58jyAPYH+m2E2YiIzQQGwowiKscVqLv6DKv/VdTttL8iP
+3YNoN8s03cxElGvl/NX6Kfotp/cpgaiNTQ==
+-----END EC PRIVATE KEY-----
diff --git a/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/ipsec.secrets b/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/ipsec.secrets
new file mode 100644
index 000000000..1ef3eccb5
--- /dev/null
+++ b/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: ECDSA moonKey.pem
diff --git a/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/strongswan.conf b/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..efa0575e5
--- /dev/null
+++ b/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,13 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = soup pem pkcs1 pkcs8 random nonce x509 revocation openssl stroke kernel-libipsec kernel-netlink socket-default updown
+}
+
+libstrongswan {
+  plugins {
+    openssl {
+      fips_mode = 2 
+    }
+  }
+}
diff --git a/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/updown b/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/updown
new file mode 100755
index 000000000..15c239466
--- /dev/null
+++ b/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/updown
@@ -0,0 +1,746 @@
+#! /bin/sh
+# iproute2 version, default updown script
+#
+# Copyright (C) 2003-2004 Nigel Meteringham
+# Copyright (C) 2003-2004 Tuomo Soini
+# Copyright (C) 2002-2004 Michael Richardson
+# Copyright (C) 2005-2007 Andreas Steffen <andreas.steffen@strongswan.org>
+#
+# This program is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 2 of the License, or (at your
+# option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+# or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+# for more details.
+
+# CAUTION:  Installing a new version of strongSwan will install a new
+# copy of this script, wiping out any custom changes you make.  If
+# you need changes, make a copy of this under another name, and customize
+# that, and use the (left/right)updown parameters in ipsec.conf to make
+# strongSwan use yours instead of this default one.
+
+# things that this script gets (from ipsec_pluto(8) man page)
+#
+#      PLUTO_VERSION
+#              indicates  what  version of this interface is being
+#              used.  This document describes version  1.1.   This
+#              is upwardly compatible with version 1.0.
+#
+#       PLUTO_VERB
+#              specifies the name of the operation to be performed
+#              (prepare-host, prepare-client, up-host, up-client,
+#              down-host, or down-client).  If the address family
+#              for security gateway to security gateway communica-
+#              tions is IPv6, then a suffix of -v6 is added to the
+#              verb.
+#
+#       PLUTO_CONNECTION
+#              is the name of the  connection  for  which  we  are
+#              routing.
+#
+#       PLUTO_NEXT_HOP
+#              is the next hop to which packets bound for the peer
+#              must be sent.
+#
+#       PLUTO_INTERFACE
+#              is the name of the ipsec interface to be used.
+#
+#       PLUTO_REQID
+#              is the requid of the ESP policy
+#
+#       PLUTO_UNIQUEID
+#              is the unique identifier of the associated IKE_SA
+#
+#       PLUTO_ME
+#              is the IP address of our host.
+#
+#       PLUTO_MY_ID
+#              is the ID of our host.
+#
+#       PLUTO_MY_CLIENT
+#              is the IP address / count of our client subnet.  If
+#              the  client  is  just  the  host,  this will be the
+#              host's own IP address / max (where max  is  32  for
+#              IPv4 and 128 for IPv6).
+#
+#       PLUTO_MY_CLIENT_NET
+#              is the IP address of our client net.  If the client
+#              is just the host, this will be the  host's  own  IP
+#              address.
+#
+#       PLUTO_MY_CLIENT_MASK
+#              is  the  mask for our client net.  If the client is
+#              just the host, this will be 255.255.255.255.
+#
+#       PLUTO_MY_SOURCEIP
+#       PLUTO_MY_SOURCEIP4_$i
+#       PLUTO_MY_SOURCEIP6_$i
+#              contains IPv4/IPv6 virtual IP received from a responder,
+#              $i enumerates from 1 to the number of IP per address family.
+#              PLUTO_MY_SOURCEIP is a legacy variable and equals to the first
+#              virtual IP, IPv4 or IPv6.
+#
+#       PLUTO_MY_PROTOCOL
+#              is the IP protocol that will be transported.
+#
+#       PLUTO_MY_PORT
+#              is  the  UDP/TCP  port  to  which  the IPsec SA  is
+#              restricted on our side.
+#
+#       PLUTO_PEER
+#              is the IP address of our peer.
+#
+#       PLUTO_PEER_ID
+#              is the ID of our peer.
+#
+#       PLUTO_PEER_CA
+#              is the CA which issued the cert of our peer.
+#
+#       PLUTO_PEER_CLIENT
+#              is the IP address / count of the peer's client sub-
+#              net.   If the client is just the peer, this will be
+#              the peer's own IP address / max (where  max  is  32
+#              for IPv4 and 128 for IPv6).
+#
+#       PLUTO_PEER_CLIENT_NET
+#              is the IP address of the peer's client net.  If the
+#              client is just the peer, this will  be  the  peer's
+#              own IP address.
+#
+#       PLUTO_PEER_CLIENT_MASK
+#              is  the  mask  for  the  peer's client net.  If the
+#              client   is   just   the   peer,   this   will   be
+#              255.255.255.255.
+#
+#       PLUTO_PEER_PROTOCOL
+#              is the IP protocol that will be transported.
+#
+#       PLUTO_PEER_PORT
+#              is  the  UDP/TCP  port  to  which  the IPsec SA  is
+#              restricted on the peer side.
+#
+#       PLUTO_XAUTH_ID
+#              is an optional user ID employed by the XAUTH protocol
+#
+#       PLUTO_MARK_IN
+#              is an optional XFRM mark set on the inbound IPsec SA
+#
+#       PLUTO_MARK_OUT
+#              is an optional XFRM mark set on the outbound IPsec SA
+#
+#       PLUTO_UDP_ENC
+#              contains the remote UDP port in the case of ESP_IN_UDP
+#              encapsulation
+#
+#       PLUTO_DNS4_$i
+#       PLUTO_DNS6_$i
+#              contains IPv4/IPv6 DNS server attribute received from a
+#              responder, $i enumerates from 1 to the number of servers per
+#              address family.
+#
+
+# define a minimum PATH environment in case it is not set
+PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/sbin"
+export PATH
+
+# uncomment to log VPN connections
+VPN_LOGGING=1
+#
+# tag put in front of each log entry:
+TAG=vpn
+#
+# syslog facility and priority used:
+FAC_PRIO=local0.notice
+#
+# to create a special vpn logging file, put the following line into
+# the syslog configuration file /etc/syslog.conf:
+#
+# local0.notice                   -/var/log/vpn
+
+# in order to use source IP routing the Linux kernel options
+# CONFIG_IP_ADVANCED_ROUTER and CONFIG_IP_MULTIPLE_TABLES
+# must be enabled
+#
+# special routing table for sourceip routes
+SOURCEIP_ROUTING_TABLE=220
+#
+# priority of the sourceip routing table
+SOURCEIP_ROUTING_TABLE_PRIO=220
+
+# check interface version
+case "$PLUTO_VERSION" in
+1.[0|1])	# Older Pluto?!?  Play it safe, script may be using new features.
+	echo "$0: obsolete interface version \`$PLUTO_VERSION'," >&2
+	echo "$0: 	called by obsolete Pluto?" >&2
+	exit 2
+	;;
+1.*)	;;
+*)	echo "$0: unknown interface version \`$PLUTO_VERSION'" >&2
+	exit 2
+	;;
+esac
+
+# check parameter(s)
+case "$1:$*" in
+':')			# no parameters
+	;;
+iptables:iptables)	# due to (left/right)firewall; for default script only
+	;;
+custom:*)		# custom parameters (see above CAUTION comment)
+	;;
+*)	echo "$0: unknown parameters \`$*'" >&2
+	exit 2
+	;;
+esac
+
+# utility functions for route manipulation
+# Meddling with this stuff should not be necessary and requires great care.
+uproute() {
+	doroute add
+	ip route flush cache
+}
+downroute() {
+	doroute delete
+	ip route flush cache
+}
+
+addsource() {
+	st=0
+	if ! ip -o route get ${PLUTO_MY_SOURCEIP%/*} | grep -q ^local
+	then
+	    it="ip addr add ${PLUTO_MY_SOURCEIP%/*}/32 dev $PLUTO_INTERFACE"
+	    oops="`eval $it 2>&1`"
+	    st=$?
+	    if test " $oops" = " " -a " $st" != " 0"
+	    then
+		oops="silent error, exit status $st"
+	    fi
+	    if test " $oops" != " " -o " $st" != " 0"
+	    then
+		echo "$0: addsource \`$it' failed ($oops)" >&2
+	    fi
+	fi
+	return $st
+}
+
+doroute() {
+	st=0
+
+	if [ -z "$PLUTO_MY_SOURCEIP" ]
+	then
+	    for dir in /etc/sysconfig /etc/conf.d; do
+		if [ -f "$dir/defaultsource" ]
+		then
+		    . "$dir/defaultsource"
+		fi
+	    done
+
+	    if [ -n "$DEFAULTSOURCE" ]
+	    then
+		PLUTO_MY_SOURCEIP=$DEFAULTSOURCE
+	    fi
+        fi
+
+	if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ]
+	then
+	    # leave because no route entry is required
+	    return $st
+	fi
+
+	parms1="$PLUTO_PEER_CLIENT"
+
+	if [ -n "$PLUTO_NEXT_HOP" ]
+	then
+	    parms2="via $PLUTO_NEXT_HOP"
+	else
+	    parms2="via $PLUTO_PEER"
+	fi
+	parms2="$parms2 dev $PLUTO_INTERFACE"
+
+	parms3=
+	if [ -n "$PLUTO_MY_SOURCEIP" ]
+	then
+	    if test "$1" = "add"
+	    then
+		addsource
+		if ! ip rule list | grep -q "lookup $SOURCEIP_ROUTING_TABLE"
+		then
+		    ip rule add pref $SOURCEIP_ROUTING_TABLE_PRIO table $SOURCEIP_ROUTING_TABLE
+		fi
+	    fi
+	    parms3="$parms3 src ${PLUTO_MY_SOURCEIP%/*} table $SOURCEIP_ROUTING_TABLE"
+	fi
+
+	case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
+	"0.0.0.0/0.0.0.0")
+		# opportunistic encryption work around
+		# need to provide route that eclipses default, without
+		# replacing it.
+		it="ip route $1 0.0.0.0/1 $parms2 $parms3 &&
+			ip route $1 128.0.0.0/1 $parms2 $parms3"
+		;;
+	*)	it="ip route $1 $parms1 $parms2 $parms3"
+		;;
+	esac
+	oops="`eval $it 2>&1`"
+	st=$?
+	if test " $oops" = " " -a " $st" != " 0"
+	then
+	    oops="silent error, exit status $st"
+	fi
+	if test " $oops" != " " -o " $st" != " 0"
+	then
+	    echo "$0: doroute \`$it' failed ($oops)" >&2
+	fi
+	return $st
+}
+
+# in the presence of KLIPS and ipsecN interfaces do not use IPSEC_POLICY
+if [ `echo "$PLUTO_INTERFACE" | grep "ipsec"` ]
+then
+	KLIPS=1
+	IPSEC_POLICY_IN=""
+	IPSEC_POLICY_OUT=""
+else
+	KLIPS=
+	IPSEC_POLICY="-m policy --pol ipsec --proto esp --reqid $PLUTO_REQID"
+	IPSEC_POLICY_IN="$IPSEC_POLICY --dir in"
+	IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out"
+fi
+
+# are there port numbers?
+if [ "$PLUTO_MY_PORT" != 0 ]
+then
+	S_MY_PORT="--sport $PLUTO_MY_PORT"
+	D_MY_PORT="--dport $PLUTO_MY_PORT"
+fi
+if [ "$PLUTO_PEER_PORT" != 0 ]
+then
+	S_PEER_PORT="--sport $PLUTO_PEER_PORT"
+	D_PEER_PORT="--dport $PLUTO_PEER_PORT"
+fi
+
+# resolve octal escape sequences
+PLUTO_MY_ID=`printf "$PLUTO_MY_ID"`
+PLUTO_PEER_ID=`printf "$PLUTO_PEER_ID"`
+
+# the big choice
+case "$PLUTO_VERB:$1" in
+prepare-host:*|prepare-client:*)
+	if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ]
+	then
+	    # exit because no route will be added,
+	    # so that existing routes can stay
+	    exit 0
+	fi
+
+	# delete possibly-existing route (preliminary to adding a route)
+	case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
+	"0.0.0.0/0.0.0.0")
+		# need to provide route that eclipses default, without
+		# replacing it.
+		parms1="0.0.0.0/1"
+		parms2="128.0.0.0/1"
+		it="ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1"
+		oops="`ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1`"
+		;;
+	*)
+		parms="$PLUTO_PEER_CLIENT"
+		it="ip route delete $parms 2>&1"
+		oops="`ip route delete $parms 2>&1`"
+		;;
+	esac
+	status="$?"
+	if test " $oops" = " " -a " $status" != " 0"
+	then
+		oops="silent error, exit status $status"
+	fi
+	case "$oops" in
+	*'RTNETLINK answers: No such process'*)
+		# This is what route (currently -- not documented!) gives
+		# for "could not find such a route".
+		oops=
+		status=0
+		;;
+	esac
+	if test " $oops" != " " -o " $status" != " 0"
+	then
+		echo "$0: \`$it' failed ($oops)" >&2
+	fi
+	exit $status
+	;;
+route-host:*|route-client:*)
+	# connection to me or my client subnet being routed
+	uproute
+	;;
+unroute-host:*|unroute-client:*)
+	# connection to me or my client subnet being unrouted
+	downroute
+	;;
+up-host:)
+	# connection to me coming up
+	# If you are doing a custom version, firewall commands go here.
+	PLUTO_INTERFACE=ipsec0
+	iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	    -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	    -d $PLUTO_ME $D_MY_PORT -j ACCEPT
+	iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	    -s $PLUTO_ME $S_MY_PORT \
+	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+	;;
+down-host:)
+	# connection to me going down
+	# If you are doing a custom version, firewall commands go here.
+	PLUTO_INTERFACE=ipsec0
+ 	iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	    -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	    -d $PLUTO_ME $D_MY_PORT -j ACCEPT
+	iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	    -s $PLUTO_ME $S_MY_PORT \
+	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+	;;
+up-client:)
+	# connection to my client subnet coming up
+	# If you are doing a custom version, firewall commands go here.
+	PLUTO_INTERFACE=ipsec0
+        if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
+        then
+	    iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+		-s $PLUTO_MY_CLIENT $S_MY_PORT \
+		-d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+	    iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+		-s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+		-d $PLUTO_MY_CLIENT $D_MY_PORT -j ACCEPT
+	fi
+	#
+	# a virtual IP requires an INPUT and OUTPUT rule on the host
+	# or sometimes host access via the internal IP is needed
+	if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
+	then
+	    iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+		-s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+		-d $PLUTO_MY_CLIENT $D_MY_PORT -j ACCEPT
+	    iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+		-s $PLUTO_MY_CLIENT $S_MY_PORT \
+		-d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+	fi
+	;;
+down-client:)
+	# connection to my client subnet going down
+	# If you are doing a custom version, firewall commands go here.
+	PLUTO_INTERFACE=ipsec0
+	iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	    -s $PLUTO_MY_CLIENT $S_MY_PORT \
+	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+	iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	    -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	    -d $PLUTO_MY_CLIENT $D_MY_PORT -j ACCEPT
+	#
+	# a virtual IP requires an INPUT and OUTPUT rule on the host
+	# or sometimes host access via the internal IP is needed
+	if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
+	then
+	    iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ 		-s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+		-d $PLUTO_MY_CLIENT $D_MY_PORT -j ACCEPT
+	    iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+		-s $PLUTO_MY_CLIENT $S_MY_PORT \
+		-d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+	fi
+	;;
+up-host:iptables)
+	# connection to me, with (left/right)firewall=yes, coming up
+	# This is used only by the default updown script, not by your custom
+	# ones, so do not mess with it; see CAUTION comment up at top.
+	iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	    -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	    -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+	iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	    -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
+	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+	#
+	# log IPsec host connection setup
+	if [ $VPN_LOGGING ]
+	then
+	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
+	  then
+	    logger -t $TAG -p $FAC_PRIO \
+	      "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
+	  else
+	    logger -t $TAG -p $FAC_PRIO \
+	      "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
+	  fi
+	fi
+	;;
+down-host:iptables)
+	# connection to me, with (left/right)firewall=yes, going down
+	# This is used only by the default updown script, not by your custom
+	# ones, so do not mess with it; see CAUTION comment up at top.
+	iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	    -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	    -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+	iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	    -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
+	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+	#
+	# log IPsec host connection teardown
+	if [ $VPN_LOGGING ]
+	then
+	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
+	  then
+	    logger -t $TAG -p $FAC_PRIO -- \
+	      "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
+	  else
+	    logger -t $TAG -p $FAC_PRIO -- \
+	    "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
+	  fi
+	fi
+	;;
+up-client:iptables)
+	# connection to client subnet, with (left/right)firewall=yes, coming up
+	# This is used only by the default updown script, not by your custom
+	# ones, so do not mess with it; see CAUTION comment up at top.
+	if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
+	then
+	  iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
+	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
+	  iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	      -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+	fi
+	#
+	# a virtual IP requires an INPUT and OUTPUT rule on the host
+	# or sometimes host access via the internal IP is needed
+	if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
+	then
+	  iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	      -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+	  iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
+	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
+	fi
+	#
+	# log IPsec client connection setup
+	if [ $VPN_LOGGING ]
+	then
+	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
+	  then
+	    logger -t $TAG -p $FAC_PRIO \
+	      "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+	  else
+	    logger -t $TAG -p $FAC_PRIO \
+	      "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+	  fi
+	fi
+	;;
+down-client:iptables)
+	# connection to client subnet, with (left/right)firewall=yes, going down
+	# This is used only by the default updown script, not by your custom
+	# ones, so do not mess with it; see CAUTION comment up at top.
+	if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
+	then
+	  iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
+	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
+	         $IPSEC_POLICY_OUT -j ACCEPT
+	  iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	      -d $PLUTO_MY_CLIENT $D_MY_PORT \
+	         $IPSEC_POLICY_IN -j ACCEPT
+	fi
+	#
+	# a virtual IP requires an INPUT and OUTPUT rule on the host
+	# or sometimes host access via the internal IP is needed
+	if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
+	then
+	  iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	      -d $PLUTO_MY_CLIENT $D_MY_PORT \
+	         $IPSEC_POLICY_IN -j ACCEPT
+	  iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
+	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
+	         $IPSEC_POLICY_OUT -j ACCEPT
+	fi
+	#
+	# log IPsec client connection teardown
+	if [ $VPN_LOGGING ]
+	then
+	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
+	  then
+	    logger -t $TAG -p $FAC_PRIO -- \
+	      "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+	  else
+	    logger -t $TAG -p $FAC_PRIO -- \
+	      "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+	  fi
+	fi
+	;;
+#
+# IPv6
+#
+prepare-host-v6:*|prepare-client-v6:*)
+	;;
+route-host-v6:*|route-client-v6:*)
+	# connection to me or my client subnet being routed
+	#uproute_v6
+	;;
+unroute-host-v6:*|unroute-client-v6:*)
+	# connection to me or my client subnet being unrouted
+	#downroute_v6
+	;;
+up-host-v6:)
+	# connection to me coming up
+	# If you are doing a custom version, firewall commands go here.
+	;;
+down-host-v6:)
+	# connection to me going down
+	# If you are doing a custom version, firewall commands go here.
+	;;
+up-client-v6:)
+	# connection to my client subnet coming up
+	# If you are doing a custom version, firewall commands go here.
+	;;
+down-client-v6:)
+	# connection to my client subnet going down
+	# If you are doing a custom version, firewall commands go here.
+	;;
+up-host-v6:iptables)
+	# connection to me, with (left/right)firewall=yes, coming up
+	# This is used only by the default updown script, not by your custom
+	# ones, so do not mess with it; see CAUTION comment up at top.
+	ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	    -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	    -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+	ip6tables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	    -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
+	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+	#
+	# log IPsec host connection setup
+	if [ $VPN_LOGGING ]
+	then
+	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ]
+	  then
+	    logger -t $TAG -p $FAC_PRIO \
+	      "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
+	  else
+	    logger -t $TAG -p $FAC_PRIO \
+	      "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
+	  fi
+	fi
+	;;
+down-host-v6:iptables)
+	# connection to me, with (left/right)firewall=yes, going down
+	# This is used only by the default updown script, not by your custom
+	# ones, so do not mess with it; see CAUTION comment up at top.
+	ip6tables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	    -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	    -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+	ip6tables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	    -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
+	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+	#
+	# log IPsec host connection teardown
+	if [ $VPN_LOGGING ]
+	then
+	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ]
+	  then
+	    logger -t $TAG -p $FAC_PRIO -- \
+	      "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
+	  else
+	    logger -t $TAG -p $FAC_PRIO -- \
+	    "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
+	  fi
+	fi
+	;;
+up-client-v6:iptables)
+	# connection to client subnet, with (left/right)firewall=yes, coming up
+	# This is used only by the default updown script, not by your custom
+	# ones, so do not mess with it; see CAUTION comment up at top.
+	if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ]
+	then
+	  ip6tables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
+	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
+	  ip6tables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	      -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+	fi
+	#
+	# a virtual IP requires an INPUT and OUTPUT rule on the host
+	# or sometimes host access via the internal IP is needed
+	if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
+	then
+	  ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	      -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+	  ip6tables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
+	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
+	fi
+	#
+	# log IPsec client connection setup
+	if [ $VPN_LOGGING ]
+	then
+	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ]
+	  then
+	    logger -t $TAG -p $FAC_PRIO \
+	      "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+	  else
+	    logger -t $TAG -p $FAC_PRIO \
+	      "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+	  fi
+	fi
+	;;
+down-client-v6:iptables)
+	# connection to client subnet, with (left/right)firewall=yes, going down
+	# This is used only by the default updown script, not by your custom
+	# ones, so do not mess with it; see CAUTION comment up at top.
+	if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ]
+	then
+	  ip6tables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
+	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
+	         $IPSEC_POLICY_OUT -j ACCEPT
+	  ip6tables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	      -d $PLUTO_MY_CLIENT $D_MY_PORT \
+	         $IPSEC_POLICY_IN -j ACCEPT
+	fi
+	#
+	# a virtual IP requires an INPUT and OUTPUT rule on the host
+	# or sometimes host access via the internal IP is needed
+	if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
+	then
+	  ip6tables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	      -d $PLUTO_MY_CLIENT $D_MY_PORT \
+	         $IPSEC_POLICY_IN -j ACCEPT
+	  ip6tables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
+	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
+	         $IPSEC_POLICY_OUT -j ACCEPT
+	fi
+	#
+	# log IPsec client connection teardown
+	if [ $VPN_LOGGING ]
+	then
+	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ]
+	  then
+	    logger -t $TAG -p $FAC_PRIO -- \
+	      "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+	  else
+	    logger -t $TAG -p $FAC_PRIO -- \
+	      "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+	  fi
+	fi
+	;;
+*)	echo "$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'" >&2
+	exit 1
+	;;
+esac
diff --git a/testing/tests/libipsec/rw-suite-b/posttest.dat b/testing/tests/libipsec/rw-suite-b/posttest.dat
new file mode 100644
index 000000000..1865a1c60
--- /dev/null
+++ b/testing/tests/libipsec/rw-suite-b/posttest.dat
@@ -0,0 +1,6 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/libipsec/rw-suite-b/pretest.dat b/testing/tests/libipsec/rw-suite-b/pretest.dat
new file mode 100644
index 000000000..8bbea1412
--- /dev/null
+++ b/testing/tests/libipsec/rw-suite-b/pretest.dat
@@ -0,0 +1,9 @@
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
+moon::ipsec start
+carol::ipsec start
+dave::ipsec start
+carol::sleep 1
+carol::ipsec up home
+dave::ipsec up home
diff --git a/testing/tests/libipsec/rw-suite-b/test.conf b/testing/tests/libipsec/rw-suite-b/test.conf
new file mode 100644
index 000000000..f29298850
--- /dev/null
+++ b/testing/tests/libipsec/rw-suite-b/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-d.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/ipsec.d/certs/carolCert.pem b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/ipsec.d/certs/carolCert.pem
index 29709926a..a85635faf 100644
--- a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/ipsec.d/certs/carolCert.pem
+++ b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/ipsec.d/certs/carolCert.pem
@@ -1,18 +1,15 @@
 -----BEGIN CERTIFICATE-----
-MIIC7zCCAlGgAwIBAgIBBDAJBgcqhkjOPQQBMEgxCzAJBgNVBAYTAkNIMRkwFwYD
-VQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQDExVzdHJvbmdTd2FuIEVDIFJv
-b3QgQ0EwHhcNMDgwNjIyMTYyOTE4WhcNMTMwNjIxMTYyOTE4WjBfMQswCQYDVQQG
-EwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEWMBQGA1UECxMNRUNEU0Eg
-MjU2IGJpdDEdMBsGA1UEAxQUY2Fyb2xAc3Ryb25nc3dhbi5vcmcwWTATBgcqhkjO
-PQIBBggqhkjOPQMBBwNCAAQgp/Z/GgzvVCDdVcIYqERml0KroZEaVqiF8uy8dlTS
-4mxNs6snDdEWh/LzXTd3NVnCihT2XgHxOk8NrX4hBMMYo4IBFDCCARAwCQYDVR0T
-BAIwADALBgNVHQ8EBAMCA6gwHQYDVR0OBBYEFLdhGhurno1dU2SMx7UGXpa/lgJ9
-MHgGA1UdIwRxMG+AFLpd+XG2E7Vq0d26Nreq0sHuj9jSoUykSjBIMQswCQYDVQQG
-EwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UEAxMVc3Ryb25n
-U3dhbiBFQyBSb290IENBggkA9qJ1fiLvpokwHwYDVR0RBBgwFoEUY2Fyb2xAc3Ry
-b25nc3dhbi5vcmcwPAYDVR0fBDUwMzAxoC+gLYYraHR0cDovL2NybC5zdHJvbmdz
-d2FuLm9yZy9zdHJvbmdzd2FuX2VjLmNybDAJBgcqhkjOPQQBA4GMADCBiAJCATa+
-sBFW3vCx/JgLyxU85F2QuLO0/zdNBhIU0kN7kr1cYBBr8mpbhuNKm6iFe2DsFJZx
-ii3DQjwvG46is2Njzi4vAkIA72lPodCDtAFpD/2PUxjzo6xTAFazUejobkdDTUXn
-s0f8qIzzeQuTwLbp6pDmR/JGzhAeRvQT82njCo0PJ8Hbz1c=
+MIICXzCCAcCgAwIBAgIBCTAKBggqhkjOPQQDBDBIMQswCQYDVQQGEwJDSDEZMBcG
+A1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UEAxMVc3Ryb25nU3dhbiBFQyBS
+b290IENBMB4XDTEzMDYyODA3MjczOFoXDTE4MDYwMjA3MjczOFowXzELMAkGA1UE
+BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xFjAUBgNVBAsTDUVDRFNB
+IDI1NiBiaXQxHTAbBgNVBAMUFGNhcm9sQHN0cm9uZ3N3YW4ub3JnMFkwEwYHKoZI
+zj0CAQYIKoZIzj0DAQcDQgAEwYQaBELkyAVAzNzWJr9LqoK8gdKDv+Ns6D+ZQSAj
+BuX3bs5ZIn7BrRxYd+mbnpZ2in7FjXPWkcLkIK/cgay2n6OBgzCBgDAfBgNVHSME
+GDAWgBS6XflxthO1atHduja3qtLB7o/Y0jAfBgNVHREEGDAWgRRjYXJvbEBzdHJv
+bmdzd2FuLm9yZzA8BgNVHR8ENTAzMDGgL6AthitodHRwOi8vY3JsLnN0cm9uZ3N3
+YW4ub3JnL3N0cm9uZ3N3YW5fZWMuY3JsMAoGCCqGSM49BAMEA4GMADCBiAJCAIU5
+nZLSfuiHElf7SFHl/sXCTSQ5FhEjSdhpMUvsgwq0vnEJRRdsdEOmmtVT5yQFHDUR
+Z9YVl4/zP5EFyUepvCH5AkIB2WFJ5WZ3Ds76Tq9AxAPaFbsQapGgOmrRZ6lGkj49
+hzLfARkvr+fTbOrttOC4yTIfnYVygA2G1cQYzceY/JiSk00=
 -----END CERTIFICATE-----
diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/ipsec.d/private/carolKey.pem b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/ipsec.d/private/carolKey.pem
index 5f21c1012..0a0b83889 100644
--- a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/ipsec.d/private/carolKey.pem
+++ b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/ipsec.d/private/carolKey.pem
@@ -1,8 +1,8 @@
 -----BEGIN EC PRIVATE KEY-----
 Proc-Type: 4,ENCRYPTED
-DEK-Info: AES-128-CBC,F36088B0517117B50C1A436E5C84526E
+DEK-Info: DES-EDE3-CBC,0F93D8FBCA4CAA40
 
-Zulq4O8x8i4P2I8+Ewe2pPJT8K2kzX9JjGhquFKaZdEG1YmXqIdMz41DA1b9cQjt
-KJstY10Gzc/C6Hv9v/ljfplcnumYBFdFsqvQ/Z0xh/G9u/J1gXjghhrQCUXbFble
-RVSwozA9IcCC9yQdhYyazF+85DR+p8AyQ5w2unOvuOk=
+jyvWqe7yjLux30mLeMsjlEjWu1A7u4xdRUg/R+JzsUxnFDpJKOEd5LgXSExrgVwD
+RMlH6vVkZPboxmveOH8lXDVUyscYLLLTianw9R+Vj3zm6x7kT1CaNryLKfQSCVE8
+QGsF+LrF7/uIS+4RePGQyGv4C3pbBCB168+e362WnjQ=
 -----END EC PRIVATE KEY-----
diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/ipsec.d/certs/daveCert.pem b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/ipsec.d/certs/daveCert.pem
index 075d8f1e5..e97709a3f 100644
--- a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/ipsec.d/certs/daveCert.pem
+++ b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/ipsec.d/certs/daveCert.pem
@@ -1,19 +1,16 @@
 -----BEGIN CERTIFICATE-----
-MIIDCTCCAmygAwIBAgIBAzAJBgcqhkjOPQQBMEgxCzAJBgNVBAYTAkNIMRkwFwYD
-VQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQDExVzdHJvbmdTd2FuIEVDIFJv
-b3QgQ0EwHhcNMDgwNjIyMTYxMzU5WhcNMTMwNjIxMTYxMzU5WjBeMQswCQYDVQQG
-EwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEWMBQGA1UECxMNRUNEU0Eg
-Mzg0IGJpdDEcMBoGA1UEAxQTZGF2ZUBzdHJvbmdzd2FuLm9yZzB2MBAGByqGSM49
-AgEGBSuBBAAiA2IABPxEg8AaVNAwCXqg0p21Zc7YzPLA3voAWf233CZJpsjb1w3y
-IeTUeIeGU7aLWAyuXgeBsx+lKzWy00LzPELOgK+3ulTHzBZg7s8kMGhwPWfV4JLA
-zrso5+i64+Y4wvRCBaOCARMwggEPMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0G
-A1UdDgQWBBQxJAy8gaP3RNBt1WTD27/IMzANmTB4BgNVHSMEcTBvgBS6XflxthO1
-atHduja3qtLB7o/Y0qFMpEowSDELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4
-IHN0cm9uZ1N3YW4xHjAcBgNVBAMTFXN0cm9uZ1N3YW4gRUMgUm9vdCBDQYIJAPai
-dX4i76aJMB4GA1UdEQQXMBWBE2RhdmVAc3Ryb25nc3dhbi5vcmcwPAYDVR0fBDUw
-MzAxoC+gLYYraHR0cDovL2NybC5zdHJvbmdzd2FuLm9yZy9zdHJvbmdzd2FuX2Vj
-LmNybDAJBgcqhkjOPQQBA4GLADCBhwJCAZaqaroyGwqd7nb5dVVWjTK8glVzDFJH
-ru4F6R+7fDCGEOaFlxf4GRkSrvQQA8vfgo6Md9XjBwq0r+9s3xt5xJjJAkElSo1/
-wyn8KQ3XN07UIaMvPctipq2OgpfteQK/F81CtZ+YCLEQt3xT7NQpriaKwGQxJAQv
-g+Z+grJzTppAqpwRpg==
+MIICeTCCAdqgAwIBAgIBDDAKBggqhkjOPQQDBDBIMQswCQYDVQQGEwJDSDEZMBcG
+A1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UEAxMVc3Ryb25nU3dhbiBFQyBS
+b290IENBMB4XDTEzMDYyODA3MzUxOVoXDTE4MDYwMjA3MzUxOVowXjELMAkGA1UE
+BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xFjAUBgNVBAsTDUVDRFNB
+IDM4NCBiaXQxHDAaBgNVBAMUE2RhdmVAc3Ryb25nc3dhbi5vcmcwdjAQBgcqhkjO
+PQIBBgUrgQQAIgNiAATVOQOBWOH7PhHx/mc+y5+uDpW/maSCkGwpnPP1dWQl4Dpr
+DokGZC8P+pm1j0sBvzbSCuHZCAkaSptYavgv4VVJ/X5u89tnj6QqQt/AtuPjCL7r
+3k3F0Nsj/TGSjRmcMr6jgYEwfzAfBgNVHSMEGDAWgBS6XflxthO1atHduja3qtLB
+7o/Y0jAeBgNVHREEFzAVgRNkYXZlQHN0cm9uZ3N3YW4ub3JnMDwGA1UdHwQ1MDMw
+MaAvoC2GK2h0dHA6Ly9jcmwuc3Ryb25nc3dhbi5vcmcvc3Ryb25nc3dhbl9lYy5j
+cmwwCgYIKoZIzj0EAwQDgYwAMIGIAkIB/x2+UiGE5T7229M2Ic2BMYLWSBQlZJeT
+d3uniJb3NAkeQAhDgj0TOxVdMz1SkgScLRS2RKYpsxiVsV+tVuijTMQCQgHn1WtY
+iiSY7OWcX9hQEqWDV0TxoNcgInEhsmtMbseCpR0dYXYsm54oC0pqVBeKp0GC7KJr
+ZEmeb0/mRB56osgppA==
 -----END CERTIFICATE-----
diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/ipsec.d/private/daveKey.pem b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/ipsec.d/private/daveKey.pem
index f628f88e5..574c86a2e 100644
--- a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/ipsec.d/private/daveKey.pem
+++ b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/ipsec.d/private/daveKey.pem
@@ -1,6 +1,6 @@
 -----BEGIN EC PRIVATE KEY-----
-MIGkAgEBBDCF8kl4ftfgcvWH2myFxhc22CUT63uPy28fqUMibnpRS/wf/pfxIrVX
-+BhxpUhWS2agBwYFK4EEACKhZANiAAT8RIPAGlTQMAl6oNKdtWXO2MzywN76AFn9
-t9wmSabI29cN8iHk1HiHhlO2i1gMrl4HgbMfpSs1stNC8zxCzoCvt7pUx8wWYO7P
-JDBocD1n1eCSwM67KOfouuPmOML0QgU=
+MIGkAgEBBDCFbFPkGF4ez8EzHm6pTVCr17Q1+GACxn7m0EE4UVoq7RQBNk4NOxhE
+hJZpquwjgqegBwYFK4EEACKhZANiAATVOQOBWOH7PhHx/mc+y5+uDpW/maSCkGwp
+nPP1dWQl4DprDokGZC8P+pm1j0sBvzbSCuHZCAkaSptYavgv4VVJ/X5u89tnj6Qq
+Qt/AtuPjCL7r3k3F0Nsj/TGSjRmcMr4=
 -----END EC PRIVATE KEY-----
diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/ipsec.d/certs/moonCert.pem b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/ipsec.d/certs/moonCert.pem
index 5178c7f38..25f0538a7 100644
--- a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/ipsec.d/certs/moonCert.pem
+++ b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/ipsec.d/certs/moonCert.pem
@@ -1,20 +1,17 @@
 -----BEGIN CERTIFICATE-----
-MIIDMDCCApKgAwIBAgIBATAJBgcqhkjOPQQBMEgxCzAJBgNVBAYTAkNIMRkwFwYD
-VQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQDExVzdHJvbmdTd2FuIEVDIFJv
-b3QgQ0EwHhcNMDgwNjIyMTQ0MzA3WhcNMTMwNjIxMTQ0MzA3WjBeMQswCQYDVQQG
-EwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEWMBQGA1UECxMNRUNEU0Eg
+MIICnTCCAf+gAwIBAgIBDTAKBggqhkjOPQQDBDBIMQswCQYDVQQGEwJDSDEZMBcG
+A1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UEAxMVc3Ryb25nU3dhbiBFQyBS
+b290IENBMB4XDTEzMDYyODEwMDIxNloXDTE4MDYwMjEwMDIxNlowXTELMAkGA1UE
+BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xFTATBgNVBAsTDEVDU0Eg
 NTIxIGJpdDEcMBoGA1UEAxMTbW9vbi5zdHJvbmdzd2FuLm9yZzCBmzAQBgcqhkjO
-PQIBBgUrgQQAIwOBhgAEALmnl/PUy9v7Qsc914kdzY+TQ6VY2192oRoa9SkpxXrs
-5GnWSJoz3yinpPHdchH0UknKt/C2Ik2k7izDH/Zau5gNAD1PqBrYWtcP+sLnH1G9
-BTibraniAUSpSaDhiWrfTteRNWqkzZI37a6YfKcBZozQcvYMW1co15EwZTptqykX
-Eepuo4IBEzCCAQ8wCQYDVR0TBAIwADALBgNVHQ8EBAMCA6gwHQYDVR0OBBYEFDVU
-Hzs47lOG0dHsezm6aFqdwJwfMHgGA1UdIwRxMG+AFLpd+XG2E7Vq0d26Nreq0sHu
-j9jSoUykSjBIMQswCQYDVQQGEwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dh
-bjEeMBwGA1UEAxMVc3Ryb25nU3dhbiBFQyBSb290IENBggkA9qJ1fiLvpokwHgYD
-VR0RBBcwFYITbW9vbi5zdHJvbmdzd2FuLm9yZzA8BgNVHR8ENTAzMDGgL6Athito
-dHRwOi8vY3JsLnN0cm9uZ3N3YW4ub3JnL3N0cm9uZ3N3YW5fZWMuY3JsMAkGByqG
-SM49BAEDgYwAMIGIAkIBDgZs1pXvm8SwT9S1m6nIHwuZsJDsDri/PWM6NXdMUXEt
-l0p8cfq8PbJlK/0+eLz8Ec1zpWuF5vasFHkVhauHdnECQgEVuYTrlry9gAx7G4kH
-mne2yDxTclEDziWxPG4UkZbkGttf9eZlsXmNoX/Z/fojXxMYZaPqM3eOT2h6ezMD
-CI9WpQ==
+PQIBBgUrgQQAIwOBhgAEAGWctqQ4b4fNSACnlcg5A3nxHU5X5qir+Ep8QziYNokU
+ri9N6ZPX3ipNlVAi6AYS7MXWZCBiT2g0yGFfwSxPha/rATR3m7acgyGQt0BE2UJ0
+Z7ZfjkjUPaKKEhmw0fy2t5gUhPaXMBXnu5hGjUz4gaaApsaJtr5eEwdQ0II9DG71
+tSA2o4GBMH8wHwYDVR0jBBgwFoAUul35cbYTtWrR3bo2t6rSwe6P2NIwHgYDVR0R
+BBcwFYITbW9vbi5zdHJvbmdzd2FuLm9yZzA8BgNVHR8ENTAzMDGgL6AthitodHRw
+Oi8vY3JsLnN0cm9uZ3N3YW4ub3JnL3N0cm9uZ3N3YW5fZWMuY3JsMAoGCCqGSM49
+BAMEA4GLADCBhwJBAjPn1KkfPOlfn51b6AtISSpccCsKJ6LhJiSLuQp0SzMrg3mv
+vSIkNpVrUigW0VVMwcanW3UuYKSxMBl3Z30+RpYCQgGh8v1XO4SO3DmVLD9+JLil
+9Dp0TNkzNLdOqeuIX6ili5yhnLU8chwSlpJ9d81FdAjHP9EDPO+7fTswC2vYL+Rm
+2A==
 -----END CERTIFICATE-----
diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/ipsec.d/private/moonKey.pem b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/ipsec.d/private/moonKey.pem
index beab0485f..a1ba4c9b9 100644
--- a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/ipsec.d/private/moonKey.pem
+++ b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/ipsec.d/private/moonKey.pem
@@ -1,7 +1,7 @@
 -----BEGIN EC PRIVATE KEY-----
-MIHcAgEBBEIBrBxHEGICJRNkhm0HWfARp+dIzm6Lw7eCbQXNM6jSGL4DVNDVCV42
-yOKQqifWEcNWxO+wWtBaz91IF5hz/m4TbOGgBwYFK4EEACOhgYkDgYYABAC5p5fz
-1Mvb+0LHPdeJHc2Pk0OlWNtfdqEaGvUpKcV67ORp1kiaM98op6Tx3XIR9FJJyrfw
-tiJNpO4swx/2WruYDQA9T6ga2FrXD/rC5x9RvQU4m62p4gFEqUmg4Ylq307XkTVq
-pM2SN+2umHynAWaM0HL2DFtXKNeRMGU6baspFxHqbg==
+MIHcAgEBBEIB2FqpGVb6Q8oGdL/boMxg+9G1lKAFqWXVm1jhjmrTyyc6lFJ5Hcix
++G8ZaNPJ7fLC3NU4uxW3Y9wo1K6yMDfqZhugBwYFK4EEACOhgYkDgYYABABlnLak
+OG+HzUgAp5XIOQN58R1OV+aoq/hKfEM4mDaJFK4vTemT194qTZVQIugGEuzF1mQg
+Yk9oNMhhX8EsT4Wv6wE0d5u2nIMhkLdARNlCdGe2X45I1D2iihIZsNH8treYFIT2
+lzAV57uYRo1M+IGmgKbGiba+XhMHUNCCPQxu9bUgNg==
 -----END EC PRIVATE KEY-----
diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/ipsec.d/certs/carolCert.pem b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/ipsec.d/certs/carolCert.pem
index 29709926a..a85635faf 100644
--- a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/ipsec.d/certs/carolCert.pem
+++ b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/ipsec.d/certs/carolCert.pem
@@ -1,18 +1,15 @@
 -----BEGIN CERTIFICATE-----
-MIIC7zCCAlGgAwIBAgIBBDAJBgcqhkjOPQQBMEgxCzAJBgNVBAYTAkNIMRkwFwYD
-VQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQDExVzdHJvbmdTd2FuIEVDIFJv
-b3QgQ0EwHhcNMDgwNjIyMTYyOTE4WhcNMTMwNjIxMTYyOTE4WjBfMQswCQYDVQQG
-EwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEWMBQGA1UECxMNRUNEU0Eg
-MjU2IGJpdDEdMBsGA1UEAxQUY2Fyb2xAc3Ryb25nc3dhbi5vcmcwWTATBgcqhkjO
-PQIBBggqhkjOPQMBBwNCAAQgp/Z/GgzvVCDdVcIYqERml0KroZEaVqiF8uy8dlTS
-4mxNs6snDdEWh/LzXTd3NVnCihT2XgHxOk8NrX4hBMMYo4IBFDCCARAwCQYDVR0T
-BAIwADALBgNVHQ8EBAMCA6gwHQYDVR0OBBYEFLdhGhurno1dU2SMx7UGXpa/lgJ9
-MHgGA1UdIwRxMG+AFLpd+XG2E7Vq0d26Nreq0sHuj9jSoUykSjBIMQswCQYDVQQG
-EwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UEAxMVc3Ryb25n
-U3dhbiBFQyBSb290IENBggkA9qJ1fiLvpokwHwYDVR0RBBgwFoEUY2Fyb2xAc3Ry
-b25nc3dhbi5vcmcwPAYDVR0fBDUwMzAxoC+gLYYraHR0cDovL2NybC5zdHJvbmdz
-d2FuLm9yZy9zdHJvbmdzd2FuX2VjLmNybDAJBgcqhkjOPQQBA4GMADCBiAJCATa+
-sBFW3vCx/JgLyxU85F2QuLO0/zdNBhIU0kN7kr1cYBBr8mpbhuNKm6iFe2DsFJZx
-ii3DQjwvG46is2Njzi4vAkIA72lPodCDtAFpD/2PUxjzo6xTAFazUejobkdDTUXn
-s0f8qIzzeQuTwLbp6pDmR/JGzhAeRvQT82njCo0PJ8Hbz1c=
+MIICXzCCAcCgAwIBAgIBCTAKBggqhkjOPQQDBDBIMQswCQYDVQQGEwJDSDEZMBcG
+A1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UEAxMVc3Ryb25nU3dhbiBFQyBS
+b290IENBMB4XDTEzMDYyODA3MjczOFoXDTE4MDYwMjA3MjczOFowXzELMAkGA1UE
+BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xFjAUBgNVBAsTDUVDRFNB
+IDI1NiBiaXQxHTAbBgNVBAMUFGNhcm9sQHN0cm9uZ3N3YW4ub3JnMFkwEwYHKoZI
+zj0CAQYIKoZIzj0DAQcDQgAEwYQaBELkyAVAzNzWJr9LqoK8gdKDv+Ns6D+ZQSAj
+BuX3bs5ZIn7BrRxYd+mbnpZ2in7FjXPWkcLkIK/cgay2n6OBgzCBgDAfBgNVHSME
+GDAWgBS6XflxthO1atHduja3qtLB7o/Y0jAfBgNVHREEGDAWgRRjYXJvbEBzdHJv
+bmdzd2FuLm9yZzA8BgNVHR8ENTAzMDGgL6AthitodHRwOi8vY3JsLnN0cm9uZ3N3
+YW4ub3JnL3N0cm9uZ3N3YW5fZWMuY3JsMAoGCCqGSM49BAMEA4GMADCBiAJCAIU5
+nZLSfuiHElf7SFHl/sXCTSQ5FhEjSdhpMUvsgwq0vnEJRRdsdEOmmtVT5yQFHDUR
+Z9YVl4/zP5EFyUepvCH5AkIB2WFJ5WZ3Ds76Tq9AxAPaFbsQapGgOmrRZ6lGkj49
+hzLfARkvr+fTbOrttOC4yTIfnYVygA2G1cQYzceY/JiSk00=
 -----END CERTIFICATE-----
diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/ipsec.d/private/carolKey.pem b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/ipsec.d/private/carolKey.pem
index 5f21c1012..d2f97f858 100644
--- a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/ipsec.d/private/carolKey.pem
+++ b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/ipsec.d/private/carolKey.pem
@@ -1,8 +1,8 @@
 -----BEGIN EC PRIVATE KEY-----
 Proc-Type: 4,ENCRYPTED
-DEK-Info: AES-128-CBC,F36088B0517117B50C1A436E5C84526E
+DEK-Info: AES-128-CBC,0C53E74E6B5AC2D7475EFF30478B9D5F
 
-Zulq4O8x8i4P2I8+Ewe2pPJT8K2kzX9JjGhquFKaZdEG1YmXqIdMz41DA1b9cQjt
-KJstY10Gzc/C6Hv9v/ljfplcnumYBFdFsqvQ/Z0xh/G9u/J1gXjghhrQCUXbFble
-RVSwozA9IcCC9yQdhYyazF+85DR+p8AyQ5w2unOvuOk=
+eHLtgaAjHt0sWRnBnRAt8CEPjak58pCwVbH+7Vfz2dy//GRvZviPA/TEQDtznPde
+v5yIDGUe6vvtoY4oXemGi5SQiP8KAuaKylMQEjm2FHYwT/SgIwk5EZZjI4CcFBnK
+NWV3z5oPiW6hZebwUHWaioSAYK1awOtFcp0l4UGA31U=
 -----END EC PRIVATE KEY-----
diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/ipsec.d/certs/daveCert.pem b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/ipsec.d/certs/daveCert.pem
index 075d8f1e5..e97709a3f 100644
--- a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/ipsec.d/certs/daveCert.pem
+++ b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/ipsec.d/certs/daveCert.pem
@@ -1,19 +1,16 @@
 -----BEGIN CERTIFICATE-----
-MIIDCTCCAmygAwIBAgIBAzAJBgcqhkjOPQQBMEgxCzAJBgNVBAYTAkNIMRkwFwYD
-VQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQDExVzdHJvbmdTd2FuIEVDIFJv
-b3QgQ0EwHhcNMDgwNjIyMTYxMzU5WhcNMTMwNjIxMTYxMzU5WjBeMQswCQYDVQQG
-EwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEWMBQGA1UECxMNRUNEU0Eg
-Mzg0IGJpdDEcMBoGA1UEAxQTZGF2ZUBzdHJvbmdzd2FuLm9yZzB2MBAGByqGSM49
-AgEGBSuBBAAiA2IABPxEg8AaVNAwCXqg0p21Zc7YzPLA3voAWf233CZJpsjb1w3y
-IeTUeIeGU7aLWAyuXgeBsx+lKzWy00LzPELOgK+3ulTHzBZg7s8kMGhwPWfV4JLA
-zrso5+i64+Y4wvRCBaOCARMwggEPMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0G
-A1UdDgQWBBQxJAy8gaP3RNBt1WTD27/IMzANmTB4BgNVHSMEcTBvgBS6XflxthO1
-atHduja3qtLB7o/Y0qFMpEowSDELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4
-IHN0cm9uZ1N3YW4xHjAcBgNVBAMTFXN0cm9uZ1N3YW4gRUMgUm9vdCBDQYIJAPai
-dX4i76aJMB4GA1UdEQQXMBWBE2RhdmVAc3Ryb25nc3dhbi5vcmcwPAYDVR0fBDUw
-MzAxoC+gLYYraHR0cDovL2NybC5zdHJvbmdzd2FuLm9yZy9zdHJvbmdzd2FuX2Vj
-LmNybDAJBgcqhkjOPQQBA4GLADCBhwJCAZaqaroyGwqd7nb5dVVWjTK8glVzDFJH
-ru4F6R+7fDCGEOaFlxf4GRkSrvQQA8vfgo6Md9XjBwq0r+9s3xt5xJjJAkElSo1/
-wyn8KQ3XN07UIaMvPctipq2OgpfteQK/F81CtZ+YCLEQt3xT7NQpriaKwGQxJAQv
-g+Z+grJzTppAqpwRpg==
+MIICeTCCAdqgAwIBAgIBDDAKBggqhkjOPQQDBDBIMQswCQYDVQQGEwJDSDEZMBcG
+A1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UEAxMVc3Ryb25nU3dhbiBFQyBS
+b290IENBMB4XDTEzMDYyODA3MzUxOVoXDTE4MDYwMjA3MzUxOVowXjELMAkGA1UE
+BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xFjAUBgNVBAsTDUVDRFNB
+IDM4NCBiaXQxHDAaBgNVBAMUE2RhdmVAc3Ryb25nc3dhbi5vcmcwdjAQBgcqhkjO
+PQIBBgUrgQQAIgNiAATVOQOBWOH7PhHx/mc+y5+uDpW/maSCkGwpnPP1dWQl4Dpr
+DokGZC8P+pm1j0sBvzbSCuHZCAkaSptYavgv4VVJ/X5u89tnj6QqQt/AtuPjCL7r
+3k3F0Nsj/TGSjRmcMr6jgYEwfzAfBgNVHSMEGDAWgBS6XflxthO1atHduja3qtLB
+7o/Y0jAeBgNVHREEFzAVgRNkYXZlQHN0cm9uZ3N3YW4ub3JnMDwGA1UdHwQ1MDMw
+MaAvoC2GK2h0dHA6Ly9jcmwuc3Ryb25nc3dhbi5vcmcvc3Ryb25nc3dhbl9lYy5j
+cmwwCgYIKoZIzj0EAwQDgYwAMIGIAkIB/x2+UiGE5T7229M2Ic2BMYLWSBQlZJeT
+d3uniJb3NAkeQAhDgj0TOxVdMz1SkgScLRS2RKYpsxiVsV+tVuijTMQCQgHn1WtY
+iiSY7OWcX9hQEqWDV0TxoNcgInEhsmtMbseCpR0dYXYsm54oC0pqVBeKp0GC7KJr
+ZEmeb0/mRB56osgppA==
 -----END CERTIFICATE-----
diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/ipsec.d/private/daveKey.pem b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/ipsec.d/private/daveKey.pem
index f628f88e5..574c86a2e 100644
--- a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/ipsec.d/private/daveKey.pem
+++ b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/ipsec.d/private/daveKey.pem
@@ -1,6 +1,6 @@
 -----BEGIN EC PRIVATE KEY-----
-MIGkAgEBBDCF8kl4ftfgcvWH2myFxhc22CUT63uPy28fqUMibnpRS/wf/pfxIrVX
-+BhxpUhWS2agBwYFK4EEACKhZANiAAT8RIPAGlTQMAl6oNKdtWXO2MzywN76AFn9
-t9wmSabI29cN8iHk1HiHhlO2i1gMrl4HgbMfpSs1stNC8zxCzoCvt7pUx8wWYO7P
-JDBocD1n1eCSwM67KOfouuPmOML0QgU=
+MIGkAgEBBDCFbFPkGF4ez8EzHm6pTVCr17Q1+GACxn7m0EE4UVoq7RQBNk4NOxhE
+hJZpquwjgqegBwYFK4EEACKhZANiAATVOQOBWOH7PhHx/mc+y5+uDpW/maSCkGwp
+nPP1dWQl4DprDokGZC8P+pm1j0sBvzbSCuHZCAkaSptYavgv4VVJ/X5u89tnj6Qq
+Qt/AtuPjCL7r3k3F0Nsj/TGSjRmcMr4=
 -----END EC PRIVATE KEY-----
diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/ipsec.d/certs/moonCert.pem b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/ipsec.d/certs/moonCert.pem
index 5178c7f38..25f0538a7 100644
--- a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/ipsec.d/certs/moonCert.pem
+++ b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/ipsec.d/certs/moonCert.pem
@@ -1,20 +1,17 @@
 -----BEGIN CERTIFICATE-----
-MIIDMDCCApKgAwIBAgIBATAJBgcqhkjOPQQBMEgxCzAJBgNVBAYTAkNIMRkwFwYD
-VQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQDExVzdHJvbmdTd2FuIEVDIFJv
-b3QgQ0EwHhcNMDgwNjIyMTQ0MzA3WhcNMTMwNjIxMTQ0MzA3WjBeMQswCQYDVQQG
-EwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEWMBQGA1UECxMNRUNEU0Eg
+MIICnTCCAf+gAwIBAgIBDTAKBggqhkjOPQQDBDBIMQswCQYDVQQGEwJDSDEZMBcG
+A1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UEAxMVc3Ryb25nU3dhbiBFQyBS
+b290IENBMB4XDTEzMDYyODEwMDIxNloXDTE4MDYwMjEwMDIxNlowXTELMAkGA1UE
+BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xFTATBgNVBAsTDEVDU0Eg
 NTIxIGJpdDEcMBoGA1UEAxMTbW9vbi5zdHJvbmdzd2FuLm9yZzCBmzAQBgcqhkjO
-PQIBBgUrgQQAIwOBhgAEALmnl/PUy9v7Qsc914kdzY+TQ6VY2192oRoa9SkpxXrs
-5GnWSJoz3yinpPHdchH0UknKt/C2Ik2k7izDH/Zau5gNAD1PqBrYWtcP+sLnH1G9
-BTibraniAUSpSaDhiWrfTteRNWqkzZI37a6YfKcBZozQcvYMW1co15EwZTptqykX
-Eepuo4IBEzCCAQ8wCQYDVR0TBAIwADALBgNVHQ8EBAMCA6gwHQYDVR0OBBYEFDVU
-Hzs47lOG0dHsezm6aFqdwJwfMHgGA1UdIwRxMG+AFLpd+XG2E7Vq0d26Nreq0sHu
-j9jSoUykSjBIMQswCQYDVQQGEwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dh
-bjEeMBwGA1UEAxMVc3Ryb25nU3dhbiBFQyBSb290IENBggkA9qJ1fiLvpokwHgYD
-VR0RBBcwFYITbW9vbi5zdHJvbmdzd2FuLm9yZzA8BgNVHR8ENTAzMDGgL6Athito
-dHRwOi8vY3JsLnN0cm9uZ3N3YW4ub3JnL3N0cm9uZ3N3YW5fZWMuY3JsMAkGByqG
-SM49BAEDgYwAMIGIAkIBDgZs1pXvm8SwT9S1m6nIHwuZsJDsDri/PWM6NXdMUXEt
-l0p8cfq8PbJlK/0+eLz8Ec1zpWuF5vasFHkVhauHdnECQgEVuYTrlry9gAx7G4kH
-mne2yDxTclEDziWxPG4UkZbkGttf9eZlsXmNoX/Z/fojXxMYZaPqM3eOT2h6ezMD
-CI9WpQ==
+PQIBBgUrgQQAIwOBhgAEAGWctqQ4b4fNSACnlcg5A3nxHU5X5qir+Ep8QziYNokU
+ri9N6ZPX3ipNlVAi6AYS7MXWZCBiT2g0yGFfwSxPha/rATR3m7acgyGQt0BE2UJ0
+Z7ZfjkjUPaKKEhmw0fy2t5gUhPaXMBXnu5hGjUz4gaaApsaJtr5eEwdQ0II9DG71
+tSA2o4GBMH8wHwYDVR0jBBgwFoAUul35cbYTtWrR3bo2t6rSwe6P2NIwHgYDVR0R
+BBcwFYITbW9vbi5zdHJvbmdzd2FuLm9yZzA8BgNVHR8ENTAzMDGgL6AthitodHRw
+Oi8vY3JsLnN0cm9uZ3N3YW4ub3JnL3N0cm9uZ3N3YW5fZWMuY3JsMAoGCCqGSM49
+BAMEA4GLADCBhwJBAjPn1KkfPOlfn51b6AtISSpccCsKJ6LhJiSLuQp0SzMrg3mv
+vSIkNpVrUigW0VVMwcanW3UuYKSxMBl3Z30+RpYCQgGh8v1XO4SO3DmVLD9+JLil
+9Dp0TNkzNLdOqeuIX6ili5yhnLU8chwSlpJ9d81FdAjHP9EDPO+7fTswC2vYL+Rm
+2A==
 -----END CERTIFICATE-----
diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/ipsec.d/private/moonKey.pem b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/ipsec.d/private/moonKey.pem
index beab0485f..a1ba4c9b9 100644
--- a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/ipsec.d/private/moonKey.pem
+++ b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/ipsec.d/private/moonKey.pem
@@ -1,7 +1,7 @@
 -----BEGIN EC PRIVATE KEY-----
-MIHcAgEBBEIBrBxHEGICJRNkhm0HWfARp+dIzm6Lw7eCbQXNM6jSGL4DVNDVCV42
-yOKQqifWEcNWxO+wWtBaz91IF5hz/m4TbOGgBwYFK4EEACOhgYkDgYYABAC5p5fz
-1Mvb+0LHPdeJHc2Pk0OlWNtfdqEaGvUpKcV67ORp1kiaM98op6Tx3XIR9FJJyrfw
-tiJNpO4swx/2WruYDQA9T6ga2FrXD/rC5x9RvQU4m62p4gFEqUmg4Ylq307XkTVq
-pM2SN+2umHynAWaM0HL2DFtXKNeRMGU6baspFxHqbg==
+MIHcAgEBBEIB2FqpGVb6Q8oGdL/boMxg+9G1lKAFqWXVm1jhjmrTyyc6lFJ5Hcix
++G8ZaNPJ7fLC3NU4uxW3Y9wo1K6yMDfqZhugBwYFK4EEACOhgYkDgYYABABlnLak
+OG+HzUgAp5XIOQN58R1OV+aoq/hKfEM4mDaJFK4vTemT194qTZVQIugGEuzF1mQg
+Yk9oNMhhX8EsT4Wv6wE0d5u2nIMhkLdARNlCdGe2X45I1D2iihIZsNH8treYFIT2
+lzAV57uYRo1M+IGmgKbGiba+XhMHUNCCPQxu9bUgNg==
 -----END EC PRIVATE KEY-----
diff --git a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/carol/etc/ipsec.d/certs/carolCert.pem b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/carol/etc/ipsec.d/certs/carolCert.pem
index 29709926a..a85635faf 100644
--- a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/carol/etc/ipsec.d/certs/carolCert.pem
+++ b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/carol/etc/ipsec.d/certs/carolCert.pem
@@ -1,18 +1,15 @@
 -----BEGIN CERTIFICATE-----
-MIIC7zCCAlGgAwIBAgIBBDAJBgcqhkjOPQQBMEgxCzAJBgNVBAYTAkNIMRkwFwYD
-VQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQDExVzdHJvbmdTd2FuIEVDIFJv
-b3QgQ0EwHhcNMDgwNjIyMTYyOTE4WhcNMTMwNjIxMTYyOTE4WjBfMQswCQYDVQQG
-EwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEWMBQGA1UECxMNRUNEU0Eg
-MjU2IGJpdDEdMBsGA1UEAxQUY2Fyb2xAc3Ryb25nc3dhbi5vcmcwWTATBgcqhkjO
-PQIBBggqhkjOPQMBBwNCAAQgp/Z/GgzvVCDdVcIYqERml0KroZEaVqiF8uy8dlTS
-4mxNs6snDdEWh/LzXTd3NVnCihT2XgHxOk8NrX4hBMMYo4IBFDCCARAwCQYDVR0T
-BAIwADALBgNVHQ8EBAMCA6gwHQYDVR0OBBYEFLdhGhurno1dU2SMx7UGXpa/lgJ9
-MHgGA1UdIwRxMG+AFLpd+XG2E7Vq0d26Nreq0sHuj9jSoUykSjBIMQswCQYDVQQG
-EwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UEAxMVc3Ryb25n
-U3dhbiBFQyBSb290IENBggkA9qJ1fiLvpokwHwYDVR0RBBgwFoEUY2Fyb2xAc3Ry
-b25nc3dhbi5vcmcwPAYDVR0fBDUwMzAxoC+gLYYraHR0cDovL2NybC5zdHJvbmdz
-d2FuLm9yZy9zdHJvbmdzd2FuX2VjLmNybDAJBgcqhkjOPQQBA4GMADCBiAJCATa+
-sBFW3vCx/JgLyxU85F2QuLO0/zdNBhIU0kN7kr1cYBBr8mpbhuNKm6iFe2DsFJZx
-ii3DQjwvG46is2Njzi4vAkIA72lPodCDtAFpD/2PUxjzo6xTAFazUejobkdDTUXn
-s0f8qIzzeQuTwLbp6pDmR/JGzhAeRvQT82njCo0PJ8Hbz1c=
+MIICXzCCAcCgAwIBAgIBCTAKBggqhkjOPQQDBDBIMQswCQYDVQQGEwJDSDEZMBcG
+A1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UEAxMVc3Ryb25nU3dhbiBFQyBS
+b290IENBMB4XDTEzMDYyODA3MjczOFoXDTE4MDYwMjA3MjczOFowXzELMAkGA1UE
+BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xFjAUBgNVBAsTDUVDRFNB
+IDI1NiBiaXQxHTAbBgNVBAMUFGNhcm9sQHN0cm9uZ3N3YW4ub3JnMFkwEwYHKoZI
+zj0CAQYIKoZIzj0DAQcDQgAEwYQaBELkyAVAzNzWJr9LqoK8gdKDv+Ns6D+ZQSAj
+BuX3bs5ZIn7BrRxYd+mbnpZ2in7FjXPWkcLkIK/cgay2n6OBgzCBgDAfBgNVHSME
+GDAWgBS6XflxthO1atHduja3qtLB7o/Y0jAfBgNVHREEGDAWgRRjYXJvbEBzdHJv
+bmdzd2FuLm9yZzA8BgNVHR8ENTAzMDGgL6AthitodHRwOi8vY3JsLnN0cm9uZ3N3
+YW4ub3JnL3N0cm9uZ3N3YW5fZWMuY3JsMAoGCCqGSM49BAMEA4GMADCBiAJCAIU5
+nZLSfuiHElf7SFHl/sXCTSQ5FhEjSdhpMUvsgwq0vnEJRRdsdEOmmtVT5yQFHDUR
+Z9YVl4/zP5EFyUepvCH5AkIB2WFJ5WZ3Ds76Tq9AxAPaFbsQapGgOmrRZ6lGkj49
+hzLfARkvr+fTbOrttOC4yTIfnYVygA2G1cQYzceY/JiSk00=
 -----END CERTIFICATE-----
diff --git a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/carol/etc/ipsec.d/private/carolKey.pem b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/carol/etc/ipsec.d/private/carolKey.pem
index 5151408c4..681c1ee67 100644
--- a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/carol/etc/ipsec.d/private/carolKey.pem
+++ b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/carol/etc/ipsec.d/private/carolKey.pem
@@ -1,6 +1,6 @@
 -----BEGIN ENCRYPTED PRIVATE KEY-----
-MIGwMBsGCSqGSIb3DQEFAzAOBAgzSp1guD3Y3wICCAAEgZD3lUKsfeQ6rwQA2Q2U
-VIyw2+53Z6kfn2vs9I8M197o4AtunwMJ7N6XY441fzcCbstmZ4HoubcuqCXsw5BA
-liVtV0+vnMY6ViJ5OKgzBNGYW39Bu1A5/2NHh0Hsaoop6VPEY67KyhxHBrBrX6fk
-Hn5eZyUKHa6NNGK9bWLqR8CjRNYQpg8NlwUIIxuFFTBw9oc=
+MIGwMBsGCSqGSIb3DQEFAzAOBAhvrv2j+DAo4AICCAAEgZAkhslW1CuYRZ7SKigR
+p/5suJU4xR6scHyS1yVYtrTC99Ha287MuS1/KUf0DZasx89AxoYcOgr+YvuIrUYw
+/f8cNmkcw3E2EvGwy7VVtqf12M+j4B2eUSNjaQvw4sQvxFPlbETocWYaLOOZrgr1
+/+b5n4o4VZ/MYDyfxmgNNluXaVGz9xP5pTvHI7ocDJzh5d4=
 -----END ENCRYPTED PRIVATE KEY-----
diff --git a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/dave/etc/ipsec.d/certs/daveCert.pem b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/dave/etc/ipsec.d/certs/daveCert.pem
index 075d8f1e5..e97709a3f 100644
--- a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/dave/etc/ipsec.d/certs/daveCert.pem
+++ b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/dave/etc/ipsec.d/certs/daveCert.pem
@@ -1,19 +1,16 @@
 -----BEGIN CERTIFICATE-----
-MIIDCTCCAmygAwIBAgIBAzAJBgcqhkjOPQQBMEgxCzAJBgNVBAYTAkNIMRkwFwYD
-VQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQDExVzdHJvbmdTd2FuIEVDIFJv
-b3QgQ0EwHhcNMDgwNjIyMTYxMzU5WhcNMTMwNjIxMTYxMzU5WjBeMQswCQYDVQQG
-EwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEWMBQGA1UECxMNRUNEU0Eg
-Mzg0IGJpdDEcMBoGA1UEAxQTZGF2ZUBzdHJvbmdzd2FuLm9yZzB2MBAGByqGSM49
-AgEGBSuBBAAiA2IABPxEg8AaVNAwCXqg0p21Zc7YzPLA3voAWf233CZJpsjb1w3y
-IeTUeIeGU7aLWAyuXgeBsx+lKzWy00LzPELOgK+3ulTHzBZg7s8kMGhwPWfV4JLA
-zrso5+i64+Y4wvRCBaOCARMwggEPMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0G
-A1UdDgQWBBQxJAy8gaP3RNBt1WTD27/IMzANmTB4BgNVHSMEcTBvgBS6XflxthO1
-atHduja3qtLB7o/Y0qFMpEowSDELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4
-IHN0cm9uZ1N3YW4xHjAcBgNVBAMTFXN0cm9uZ1N3YW4gRUMgUm9vdCBDQYIJAPai
-dX4i76aJMB4GA1UdEQQXMBWBE2RhdmVAc3Ryb25nc3dhbi5vcmcwPAYDVR0fBDUw
-MzAxoC+gLYYraHR0cDovL2NybC5zdHJvbmdzd2FuLm9yZy9zdHJvbmdzd2FuX2Vj
-LmNybDAJBgcqhkjOPQQBA4GLADCBhwJCAZaqaroyGwqd7nb5dVVWjTK8glVzDFJH
-ru4F6R+7fDCGEOaFlxf4GRkSrvQQA8vfgo6Md9XjBwq0r+9s3xt5xJjJAkElSo1/
-wyn8KQ3XN07UIaMvPctipq2OgpfteQK/F81CtZ+YCLEQt3xT7NQpriaKwGQxJAQv
-g+Z+grJzTppAqpwRpg==
+MIICeTCCAdqgAwIBAgIBDDAKBggqhkjOPQQDBDBIMQswCQYDVQQGEwJDSDEZMBcG
+A1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UEAxMVc3Ryb25nU3dhbiBFQyBS
+b290IENBMB4XDTEzMDYyODA3MzUxOVoXDTE4MDYwMjA3MzUxOVowXjELMAkGA1UE
+BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xFjAUBgNVBAsTDUVDRFNB
+IDM4NCBiaXQxHDAaBgNVBAMUE2RhdmVAc3Ryb25nc3dhbi5vcmcwdjAQBgcqhkjO
+PQIBBgUrgQQAIgNiAATVOQOBWOH7PhHx/mc+y5+uDpW/maSCkGwpnPP1dWQl4Dpr
+DokGZC8P+pm1j0sBvzbSCuHZCAkaSptYavgv4VVJ/X5u89tnj6QqQt/AtuPjCL7r
+3k3F0Nsj/TGSjRmcMr6jgYEwfzAfBgNVHSMEGDAWgBS6XflxthO1atHduja3qtLB
+7o/Y0jAeBgNVHREEFzAVgRNkYXZlQHN0cm9uZ3N3YW4ub3JnMDwGA1UdHwQ1MDMw
+MaAvoC2GK2h0dHA6Ly9jcmwuc3Ryb25nc3dhbi5vcmcvc3Ryb25nc3dhbl9lYy5j
+cmwwCgYIKoZIzj0EAwQDgYwAMIGIAkIB/x2+UiGE5T7229M2Ic2BMYLWSBQlZJeT
+d3uniJb3NAkeQAhDgj0TOxVdMz1SkgScLRS2RKYpsxiVsV+tVuijTMQCQgHn1WtY
+iiSY7OWcX9hQEqWDV0TxoNcgInEhsmtMbseCpR0dYXYsm54oC0pqVBeKp0GC7KJr
+ZEmeb0/mRB56osgppA==
 -----END CERTIFICATE-----
diff --git a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/dave/etc/ipsec.d/private/daveKey.pem b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/dave/etc/ipsec.d/private/daveKey.pem
index 6555adac1..6dca1f239 100644
--- a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/dave/etc/ipsec.d/private/daveKey.pem
+++ b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/dave/etc/ipsec.d/private/daveKey.pem
@@ -1,8 +1,8 @@
 -----BEGIN ENCRYPTED PRIVATE KEY-----
-MIIBBTBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIYdanoOIx6X4CAggA
-MBQGCCqGSIb3DQMHBAjoXTbsYeKpJwSBwBRbP2I3UOHWIrQhM7OqdWGt1+phdNy8
-5Xbus6e/DUp8xalohZD/QTZT3QpMEDuqJ0U3OIB01RWUmlPeUBx+NaPvLb/tQCZg
-iLwdq5E9otbO9nK9G7NDeV22VigMZhZgtpdKqw7TAqgkzqpGfyM+mcUygiGxWwWC
-UyC4G3rxyZVL2zRS/iDpJCIn2kceQk+mu+or3oX5rzzH82b69RQt36gEvd2rX/WU
-gHH/XkNXhL0y0yRkVhowKHE2ZwMNTDbM3g==
+MIIBBTBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQI9Dxjbv7bnuoCAggA
+MBQGCCqGSIb3DQMHBAjONh5rePJ/owSBwG8qgvCeUae7yZQRM1iEa90zq1yrS71z
+l5dEFzeFnYcu25qVK6IkYRHUFZIDGep+2Ep33+IrCYadV69AjCdM3Lnl+cjp+vVn
+o1ZvXoNKMor0AHyuTbHI/xdOrd2ZFjkWITnXX2qHTKViFFBoMGo7Jb9XI2eAT4hF
+0Z2EaAzl383eBQ/Wb/Jr0c+cwi5lvRLW5OKp48mQ5++8wJlaw+7W1MxPVhggG6U3
+lVzl9N+aLEFOSr0b8EMTDywJNBJZcNOQZw==
 -----END ENCRYPTED PRIVATE KEY-----
diff --git a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/moon/etc/ipsec.d/certs/moonCert.pem b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/moon/etc/ipsec.d/certs/moonCert.pem
index 5178c7f38..25f0538a7 100644
--- a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/moon/etc/ipsec.d/certs/moonCert.pem
+++ b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/moon/etc/ipsec.d/certs/moonCert.pem
@@ -1,20 +1,17 @@
 -----BEGIN CERTIFICATE-----
-MIIDMDCCApKgAwIBAgIBATAJBgcqhkjOPQQBMEgxCzAJBgNVBAYTAkNIMRkwFwYD
-VQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQDExVzdHJvbmdTd2FuIEVDIFJv
-b3QgQ0EwHhcNMDgwNjIyMTQ0MzA3WhcNMTMwNjIxMTQ0MzA3WjBeMQswCQYDVQQG
-EwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEWMBQGA1UECxMNRUNEU0Eg
+MIICnTCCAf+gAwIBAgIBDTAKBggqhkjOPQQDBDBIMQswCQYDVQQGEwJDSDEZMBcG
+A1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UEAxMVc3Ryb25nU3dhbiBFQyBS
+b290IENBMB4XDTEzMDYyODEwMDIxNloXDTE4MDYwMjEwMDIxNlowXTELMAkGA1UE
+BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xFTATBgNVBAsTDEVDU0Eg
 NTIxIGJpdDEcMBoGA1UEAxMTbW9vbi5zdHJvbmdzd2FuLm9yZzCBmzAQBgcqhkjO
-PQIBBgUrgQQAIwOBhgAEALmnl/PUy9v7Qsc914kdzY+TQ6VY2192oRoa9SkpxXrs
-5GnWSJoz3yinpPHdchH0UknKt/C2Ik2k7izDH/Zau5gNAD1PqBrYWtcP+sLnH1G9
-BTibraniAUSpSaDhiWrfTteRNWqkzZI37a6YfKcBZozQcvYMW1co15EwZTptqykX
-Eepuo4IBEzCCAQ8wCQYDVR0TBAIwADALBgNVHQ8EBAMCA6gwHQYDVR0OBBYEFDVU
-Hzs47lOG0dHsezm6aFqdwJwfMHgGA1UdIwRxMG+AFLpd+XG2E7Vq0d26Nreq0sHu
-j9jSoUykSjBIMQswCQYDVQQGEwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dh
-bjEeMBwGA1UEAxMVc3Ryb25nU3dhbiBFQyBSb290IENBggkA9qJ1fiLvpokwHgYD
-VR0RBBcwFYITbW9vbi5zdHJvbmdzd2FuLm9yZzA8BgNVHR8ENTAzMDGgL6Athito
-dHRwOi8vY3JsLnN0cm9uZ3N3YW4ub3JnL3N0cm9uZ3N3YW5fZWMuY3JsMAkGByqG
-SM49BAEDgYwAMIGIAkIBDgZs1pXvm8SwT9S1m6nIHwuZsJDsDri/PWM6NXdMUXEt
-l0p8cfq8PbJlK/0+eLz8Ec1zpWuF5vasFHkVhauHdnECQgEVuYTrlry9gAx7G4kH
-mne2yDxTclEDziWxPG4UkZbkGttf9eZlsXmNoX/Z/fojXxMYZaPqM3eOT2h6ezMD
-CI9WpQ==
+PQIBBgUrgQQAIwOBhgAEAGWctqQ4b4fNSACnlcg5A3nxHU5X5qir+Ep8QziYNokU
+ri9N6ZPX3ipNlVAi6AYS7MXWZCBiT2g0yGFfwSxPha/rATR3m7acgyGQt0BE2UJ0
+Z7ZfjkjUPaKKEhmw0fy2t5gUhPaXMBXnu5hGjUz4gaaApsaJtr5eEwdQ0II9DG71
+tSA2o4GBMH8wHwYDVR0jBBgwFoAUul35cbYTtWrR3bo2t6rSwe6P2NIwHgYDVR0R
+BBcwFYITbW9vbi5zdHJvbmdzd2FuLm9yZzA8BgNVHR8ENTAzMDGgL6AthitodHRw
+Oi8vY3JsLnN0cm9uZ3N3YW4ub3JnL3N0cm9uZ3N3YW5fZWMuY3JsMAoGCCqGSM49
+BAMEA4GLADCBhwJBAjPn1KkfPOlfn51b6AtISSpccCsKJ6LhJiSLuQp0SzMrg3mv
+vSIkNpVrUigW0VVMwcanW3UuYKSxMBl3Z30+RpYCQgGh8v1XO4SO3DmVLD9+JLil
+9Dp0TNkzNLdOqeuIX6ili5yhnLU8chwSlpJ9d81FdAjHP9EDPO+7fTswC2vYL+Rm
+2A==
 -----END CERTIFICATE-----
diff --git a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/moon/etc/ipsec.d/private/moonKey.pem b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/moon/etc/ipsec.d/private/moonKey.pem
index 5c31d677c..04db7f7e0 100644
--- a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/moon/etc/ipsec.d/private/moonKey.pem
+++ b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/moon/etc/ipsec.d/private/moonKey.pem
@@ -1,8 +1,8 @@
 -----BEGIN PRIVATE KEY-----
-MIHuAgEAMBAGByqGSM49AgEGBSuBBAAjBIHWMIHTAgEBBEIBrBxHEGICJRNkhm0H
-WfARp+dIzm6Lw7eCbQXNM6jSGL4DVNDVCV42yOKQqifWEcNWxO+wWtBaz91IF5hz
-/m4TbOGhgYkDgYYABAC5p5fz1Mvb+0LHPdeJHc2Pk0OlWNtfdqEaGvUpKcV67ORp
-1kiaM98op6Tx3XIR9FJJyrfwtiJNpO4swx/2WruYDQA9T6ga2FrXD/rC5x9RvQU4
-m62p4gFEqUmg4Ylq307XkTVqpM2SN+2umHynAWaM0HL2DFtXKNeRMGU6baspFxHq
-bg==
+MIHuAgEAMBAGByqGSM49AgEGBSuBBAAjBIHWMIHTAgEBBEIB2FqpGVb6Q8oGdL/b
+oMxg+9G1lKAFqWXVm1jhjmrTyyc6lFJ5Hcix+G8ZaNPJ7fLC3NU4uxW3Y9wo1K6y
+MDfqZhuhgYkDgYYABABlnLakOG+HzUgAp5XIOQN58R1OV+aoq/hKfEM4mDaJFK4v
+TemT194qTZVQIugGEuzF1mQgYk9oNMhhX8EsT4Wv6wE0d5u2nIMhkLdARNlCdGe2
+X45I1D2iihIZsNH8treYFIT2lzAV57uYRo1M+IGmgKbGiba+XhMHUNCCPQxu9bUg
+Ng==
 -----END PRIVATE KEY-----
diff --git a/testing/tests/openssl-ikev2/net2net-pkcs12/description.txt b/testing/tests/openssl-ikev2/net2net-pkcs12/description.txt
new file mode 100644
index 000000000..e66ea1918
--- /dev/null
+++ b/testing/tests/openssl-ikev2/net2net-pkcs12/description.txt
@@ -0,0 +1,8 @@
+A connection between the subnets behind the gateways <b>moon</b> and <b>sun</b> is set up.
+The authentication is based on <b>X.509 certificates</b> and an RSA private key stored in
+<b>PKCS12</b> format.
+<p/>
+Upon the successful establishment of the IPsec tunnel, <b>leftfirewall=yes</b> automatically
+inserts iptables-based firewall rules that let pass the tunneled traffic.
+In order to test both tunnel and firewall, client <b>alice</b> behind gateway <b>moon</b>
+pings client <b>bob</b> located behind gateway <b>sun</b>.
diff --git a/testing/tests/openssl-ikev2/net2net-pkcs12/evaltest.dat b/testing/tests/openssl-ikev2/net2net-pkcs12/evaltest.dat
new file mode 100644
index 000000000..2b37cad99
--- /dev/null
+++ b/testing/tests/openssl-ikev2/net2net-pkcs12/evaltest.dat
@@ -0,0 +1,7 @@
+moon::ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
+sun:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
+moon::ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
+sun:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
+sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
+sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/openssl-ikev2/net2net-pkcs12/hosts/moon/etc/ipsec.conf b/testing/tests/openssl-ikev2/net2net-pkcs12/hosts/moon/etc/ipsec.conf
new file mode 100644
index 000000000..0296e1804
--- /dev/null
+++ b/testing/tests/openssl-ikev2/net2net-pkcs12/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,21 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+	mobike=no
+
+conn net-net 
+	left=PH_IP_MOON
+	leftid=@moon.strongswan.org
+	leftsubnet=10.1.0.0/16
+	leftfirewall=yes
+	right=PH_IP_SUN
+	rightid=@sun.strongswan.org
+	rightsubnet=10.2.0.0/16
+	auto=add
diff --git a/testing/tests/openssl-ikev2/net2net-pkcs12/hosts/moon/etc/ipsec.d/private/moonCert.p12 b/testing/tests/openssl-ikev2/net2net-pkcs12/hosts/moon/etc/ipsec.d/private/moonCert.p12
new file mode 100644
index 000000000..d3cca4fd5
Binary files /dev/null and b/testing/tests/openssl-ikev2/net2net-pkcs12/hosts/moon/etc/ipsec.d/private/moonCert.p12 differ
diff --git a/testing/tests/openssl-ikev2/net2net-pkcs12/hosts/moon/etc/ipsec.secrets b/testing/tests/openssl-ikev2/net2net-pkcs12/hosts/moon/etc/ipsec.secrets
new file mode 100644
index 000000000..802cfc681
--- /dev/null
+++ b/testing/tests/openssl-ikev2/net2net-pkcs12/hosts/moon/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: P12 moonCert.p12 "kUqd8O7mzbjXNJKQ"
diff --git a/testing/tests/openssl-ikev2/net2net-pkcs12/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev2/net2net-pkcs12/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..2074a4d8f
--- /dev/null
+++ b/testing/tests/openssl-ikev2/net2net-pkcs12/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl pem nonce revocation openssl stroke kernel-netlink socket-default updown
+  multiple_authentication = no
+}
diff --git a/testing/tests/openssl-ikev2/net2net-pkcs12/hosts/sun/etc/ipsec.conf b/testing/tests/openssl-ikev2/net2net-pkcs12/hosts/sun/etc/ipsec.conf
new file mode 100644
index 000000000..6dcedd0e6
--- /dev/null
+++ b/testing/tests/openssl-ikev2/net2net-pkcs12/hosts/sun/etc/ipsec.conf
@@ -0,0 +1,21 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+        keyingtries=1
+	keyexchange=ikev2
+	mobike=no
+
+conn net-net 
+	left=PH_IP_SUN
+	leftid=@sun.strongswan.org
+	leftsubnet=10.2.0.0/16
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+	rightsubnet=10.1.0.0/16
+	auto=add
diff --git a/testing/tests/openssl-ikev2/net2net-pkcs12/hosts/sun/etc/ipsec.d/private/sunCert.p12 b/testing/tests/openssl-ikev2/net2net-pkcs12/hosts/sun/etc/ipsec.d/private/sunCert.p12
new file mode 100644
index 000000000..1a9e2aa01
Binary files /dev/null and b/testing/tests/openssl-ikev2/net2net-pkcs12/hosts/sun/etc/ipsec.d/private/sunCert.p12 differ
diff --git a/testing/tests/openssl-ikev2/net2net-pkcs12/hosts/sun/etc/ipsec.secrets b/testing/tests/openssl-ikev2/net2net-pkcs12/hosts/sun/etc/ipsec.secrets
new file mode 100644
index 000000000..3dc85528c
--- /dev/null
+++ b/testing/tests/openssl-ikev2/net2net-pkcs12/hosts/sun/etc/ipsec.secrets
@@ -0,0 +1,8 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: P12 sunCert.p12 "IxjQVCF3JGI+MoPi"
+
+
+
+
+
diff --git a/testing/tests/openssl-ikev2/net2net-pkcs12/hosts/sun/etc/strongswan.conf b/testing/tests/openssl-ikev2/net2net-pkcs12/hosts/sun/etc/strongswan.conf
new file mode 100644
index 000000000..2074a4d8f
--- /dev/null
+++ b/testing/tests/openssl-ikev2/net2net-pkcs12/hosts/sun/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl pem nonce revocation openssl stroke kernel-netlink socket-default updown
+  multiple_authentication = no
+}
diff --git a/testing/tests/openssl-ikev2/net2net-pkcs12/posttest.dat b/testing/tests/openssl-ikev2/net2net-pkcs12/posttest.dat
new file mode 100644
index 000000000..0fbba487c
--- /dev/null
+++ b/testing/tests/openssl-ikev2/net2net-pkcs12/posttest.dat
@@ -0,0 +1,6 @@
+moon::ipsec stop
+sun::ipsec stop
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
+moon::rm /etc/ipsec.d/private/moonCert.p12
+sun::rm /etc/ipsec.d/private/sunCert.p12
diff --git a/testing/tests/openssl-ikev2/net2net-pkcs12/pretest.dat b/testing/tests/openssl-ikev2/net2net-pkcs12/pretest.dat
new file mode 100644
index 000000000..3492238f0
--- /dev/null
+++ b/testing/tests/openssl-ikev2/net2net-pkcs12/pretest.dat
@@ -0,0 +1,10 @@
+moon::rm /etc/ipsec.d/private/moonKey.pem
+moon::rm /etc/ipsec.d/cacerts/strongswanCert.pem
+sun::rm /etc/ipsec.d/private/sunKey.pem
+sun::rm /etc/ipsec.d/cacerts/strongswanCert.pem
+moon::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
+moon::ipsec start
+sun::ipsec start
+moon::sleep 1 
+moon::ipsec up net-net
diff --git a/testing/tests/openssl-ikev2/net2net-pkcs12/test.conf b/testing/tests/openssl-ikev2/net2net-pkcs12/test.conf
new file mode 100644
index 000000000..646b8b3e6
--- /dev/null
+++ b/testing/tests/openssl-ikev2/net2net-pkcs12/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon winnetou sun bob"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-w-s-b.png"
+ 
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="sun"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon sun"
diff --git a/testing/tests/openssl-ikev2/rw-cert/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev2/rw-cert/hosts/carol/etc/strongswan.conf
index 5f71075dc..9f31821cd 100644
--- a/testing/tests/openssl-ikev2/rw-cert/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/rw-cert/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl test-vectors pem pkcs1 openssl revocation random nonce hmac xcbc cmac ctr ccm gcm stroke kernel-netlink socket-default updown
+  load = curl test-vectors pem pkcs1 openssl revocation nonce xcbc cmac ctr ccm stroke kernel-netlink socket-default updown
 }
 
 libstrongswan {
diff --git a/testing/tests/openssl-ikev2/rw-cert/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev2/rw-cert/hosts/moon/etc/strongswan.conf
index 3d9d7306f..f065861dc 100644
--- a/testing/tests/openssl-ikev2/rw-cert/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/rw-cert/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl test-vectors pem pkcs1 openssl revocation random nonce hmac xcbc cmac ctr ccm gcm stroke kernel-netlink socket-default updown
+  load = curl test-vectors pem pkcs1 openssl revocation nonce xcbc cmac ctr ccm stroke kernel-netlink socket-default updown
 }
 
 libstrongswan {
diff --git a/testing/tests/openssl-ikev2/rw-cpa/description.txt b/testing/tests/openssl-ikev2/rw-cpa/description.txt
deleted file mode 100644
index aaebb1843..000000000
--- a/testing/tests/openssl-ikev2/rw-cpa/description.txt
+++ /dev/null
@@ -1,9 +0,0 @@
-The roadwarrior <b>dave</b> tries to set up a connection to roadwarrior <b>carol</b>
-but because <b>carol</b> has set the strongswan.conf option <b>initiator_only = yes</b>
-she ignores the repeated IKE requests sent by <b>dave</b>.
-<p/>
-After the failed connection attempt by <b>dave</b>, roadwarrior <b>carol</b> sets up a
-connection to gateway <b>moon</b>. The authentication is based on <b>X.509 ECDSA certificates</b>.
-Upon the successful establishment of the IPsec tunnel, the static IPsec policy rules of
-an iptables-based firewall let pass the tunneled traffic. In order to test both tunnel and firewall,
-<b>carol</b> pings the client <b>alice</b> behind the gateway <b>moon</b>.
diff --git a/testing/tests/openssl-ikev2/rw-cpa/evaltest.dat b/testing/tests/openssl-ikev2/rw-cpa/evaltest.dat
deleted file mode 100644
index 7169a091d..000000000
--- a/testing/tests/openssl-ikev2/rw-cpa/evaltest.dat
+++ /dev/null
@@ -1,11 +0,0 @@
-dave:: cat /var/log/daemon.log::establishing IKE_SA failed, peer not responding::YES
-carol::cat /var/log/daemon.log::openssl FIPS mode(2) - enabled::YES
-moon:: cat /var/log/daemon.log::openssl FIPS mode(2) - enabled::YES
-moon:: cat /var/log/daemon.log::authentication of.*carol@strongswan.org.*with ECDSA-256 signature successful::YES
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
-carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/openssl-ikev2/rw-cpa/hosts/carol/etc/ipsec.conf b/testing/tests/openssl-ikev2/rw-cpa/hosts/carol/etc/ipsec.conf
deleted file mode 100644
index 61e13df41..000000000
--- a/testing/tests/openssl-ikev2/rw-cpa/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,22 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev2
-	ike=aes128gcm128-prfsha256-ecp256!
-	esp=aes128gcm128-ecp256!
-
-conn home
-	left=PH_IP_CAROL
-	leftcert=carolCert.pem
-	leftid=carol@strongswan.org
-	leftfirewall=yes
-	right=PH_IP_MOON
-	rightid=@moon.strongswan.org
-	rightsubnet=10.1.0.0/16
-	auto=add
diff --git a/testing/tests/openssl-ikev2/rw-cpa/hosts/carol/etc/ipsec.d/cacerts/strongswanCert.pem b/testing/tests/openssl-ikev2/rw-cpa/hosts/carol/etc/ipsec.d/cacerts/strongswanCert.pem
deleted file mode 100644
index 3480a434a..000000000
--- a/testing/tests/openssl-ikev2/rw-cpa/hosts/carol/etc/ipsec.d/cacerts/strongswanCert.pem
+++ /dev/null
@@ -1,17 +0,0 @@
------BEGIN CERTIFICATE-----
-MIICyDCCAiqgAwIBAgIJAPaidX4i76aJMAkGByqGSM49BAEwSDELMAkGA1UEBhMC
-Q0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xHjAcBgNVBAMTFXN0cm9uZ1N3
-YW4gRUMgUm9vdCBDQTAeFw0wODA2MjIxNDM2MDZaFw0xODA2MjAxNDM2MDZaMEgx
-CzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQD
-ExVzdHJvbmdTd2FuIEVDIFJvb3QgQ0EwgZswEAYHKoZIzj0CAQYFK4EEACMDgYYA
-BAEUx1NvjNKzbDHaRPMsqIf/6SbUpzBa78N/WIyF6rYj8e5McAqfTfzUfFJZYoQn
-/mbP3VfjOxRuMDjrlfvdgMxwkwFDigWQfHg3CJbS7eQjjO1MrxxIJUtfSTnF29tM
-h6IYMdxaZKloCGCOrpmGCGdxD2/KwoX1SA3BlnjaNt7kSTonkqOBujCBtzAPBgNV
-HRMBAf8EBTADAQH/MAsGA1UdDwQEAwIBBjAdBgNVHQ4EFgQUul35cbYTtWrR3bo2
-t6rSwe6P2NIweAYDVR0jBHEwb4AUul35cbYTtWrR3bo2t6rSwe6P2NKhTKRKMEgx
-CzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQD
-ExVzdHJvbmdTd2FuIEVDIFJvb3QgQ0GCCQD2onV+Iu+miTAJBgcqhkjOPQQBA4GM
-ADCBiAJCAL5pU3X6NYWjOYe0cxrah27UxtUDLUNkFG/Ojl+gOH4QB0CKY0HXNyrq
-cgba73dXF/U0Cg3Ij/9g4Kd9GgYq0GlSAkIAqgqMKqXni8wbeGMJE2Mn2/8aHM3Q
-3flpHSoeNWOe/VzpRviw+VRgA4vbhhKUXBtQSiea77/DXLwOp5w7rkBoEUg=
------END CERTIFICATE-----
diff --git a/testing/tests/openssl-ikev2/rw-cpa/hosts/carol/etc/ipsec.d/certs/carolCert.pem b/testing/tests/openssl-ikev2/rw-cpa/hosts/carol/etc/ipsec.d/certs/carolCert.pem
deleted file mode 100644
index 29709926a..000000000
--- a/testing/tests/openssl-ikev2/rw-cpa/hosts/carol/etc/ipsec.d/certs/carolCert.pem
+++ /dev/null
@@ -1,18 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIC7zCCAlGgAwIBAgIBBDAJBgcqhkjOPQQBMEgxCzAJBgNVBAYTAkNIMRkwFwYD
-VQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQDExVzdHJvbmdTd2FuIEVDIFJv
-b3QgQ0EwHhcNMDgwNjIyMTYyOTE4WhcNMTMwNjIxMTYyOTE4WjBfMQswCQYDVQQG
-EwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEWMBQGA1UECxMNRUNEU0Eg
-MjU2IGJpdDEdMBsGA1UEAxQUY2Fyb2xAc3Ryb25nc3dhbi5vcmcwWTATBgcqhkjO
-PQIBBggqhkjOPQMBBwNCAAQgp/Z/GgzvVCDdVcIYqERml0KroZEaVqiF8uy8dlTS
-4mxNs6snDdEWh/LzXTd3NVnCihT2XgHxOk8NrX4hBMMYo4IBFDCCARAwCQYDVR0T
-BAIwADALBgNVHQ8EBAMCA6gwHQYDVR0OBBYEFLdhGhurno1dU2SMx7UGXpa/lgJ9
-MHgGA1UdIwRxMG+AFLpd+XG2E7Vq0d26Nreq0sHuj9jSoUykSjBIMQswCQYDVQQG
-EwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UEAxMVc3Ryb25n
-U3dhbiBFQyBSb290IENBggkA9qJ1fiLvpokwHwYDVR0RBBgwFoEUY2Fyb2xAc3Ry
-b25nc3dhbi5vcmcwPAYDVR0fBDUwMzAxoC+gLYYraHR0cDovL2NybC5zdHJvbmdz
-d2FuLm9yZy9zdHJvbmdzd2FuX2VjLmNybDAJBgcqhkjOPQQBA4GMADCBiAJCATa+
-sBFW3vCx/JgLyxU85F2QuLO0/zdNBhIU0kN7kr1cYBBr8mpbhuNKm6iFe2DsFJZx
-ii3DQjwvG46is2Njzi4vAkIA72lPodCDtAFpD/2PUxjzo6xTAFazUejobkdDTUXn
-s0f8qIzzeQuTwLbp6pDmR/JGzhAeRvQT82njCo0PJ8Hbz1c=
------END CERTIFICATE-----
diff --git a/testing/tests/openssl-ikev2/rw-cpa/hosts/carol/etc/ipsec.d/private/carolKey.pem b/testing/tests/openssl-ikev2/rw-cpa/hosts/carol/etc/ipsec.d/private/carolKey.pem
deleted file mode 100644
index 43621f711..000000000
--- a/testing/tests/openssl-ikev2/rw-cpa/hosts/carol/etc/ipsec.d/private/carolKey.pem
+++ /dev/null
@@ -1,5 +0,0 @@
------BEGIN EC PRIVATE KEY-----
-MHcCAQEEIK+8T+EmoyNMwjq+GDC7UnYrx4TR8hu7h85IgNiTOQUNoAoGCCqGSM49
-AwEHoUQDQgAEIKf2fxoM71Qg3VXCGKhEZpdCq6GRGlaohfLsvHZU0uJsTbOrJw3R
-Fofy8103dzVZwooU9l4B8TpPDa1+IQTDGA==
------END EC PRIVATE KEY-----
diff --git a/testing/tests/openssl-ikev2/rw-cpa/hosts/carol/etc/ipsec.secrets b/testing/tests/openssl-ikev2/rw-cpa/hosts/carol/etc/ipsec.secrets
deleted file mode 100644
index 3d6725162..000000000
--- a/testing/tests/openssl-ikev2/rw-cpa/hosts/carol/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: ECDSA carolKey.pem
diff --git a/testing/tests/openssl-ikev2/rw-cpa/hosts/carol/etc/iptables.flush b/testing/tests/openssl-ikev2/rw-cpa/hosts/carol/etc/iptables.flush
deleted file mode 100644
index b3ab63c51..000000000
--- a/testing/tests/openssl-ikev2/rw-cpa/hosts/carol/etc/iptables.flush
+++ /dev/null
@@ -1,21 +0,0 @@
-*filter
-
--F
-
--P INPUT ACCEPT
--P OUTPUT ACCEPT
--P FORWARD ACCEPT
-
-COMMIT
-
-*nat
-
--F
-
-COMMIT
-
-*mangle
-
--F
-
-COMMIT
diff --git a/testing/tests/openssl-ikev2/rw-cpa/hosts/carol/etc/iptables.rules b/testing/tests/openssl-ikev2/rw-cpa/hosts/carol/etc/iptables.rules
deleted file mode 100644
index 3d99c0197..000000000
--- a/testing/tests/openssl-ikev2/rw-cpa/hosts/carol/etc/iptables.rules
+++ /dev/null
@@ -1,32 +0,0 @@
-*filter
-
-# default policy is DROP
--P INPUT DROP
--P OUTPUT DROP
--P FORWARD DROP
-
-# allow esp
--A INPUT  -i eth0 -p 50 -j ACCEPT
--A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-# allow IKE
--A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
--A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
-# allow MobIKE
--A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
--A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-# allow ssh
--A INPUT  -p tcp --dport 22 -j ACCEPT
--A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-# allow crl fetch from winnetou
--A INPUT  -i eth0 -p tcp --sport 80 -s 192.168.0.150 -j ACCEPT
--A OUTPUT -o eth0 -p tcp --dport 80 -d 192.168.0.150 -j ACCEPT
-
-# allow traffic tunnelled via IPsec
--A INPUT  -i eth0 -m policy --dir in  --pol ipsec --proto esp -j ACCEPT
--A OUTPUT -o eth0 -m policy --dir out --pol ipsec --proto esp -j ACCEPT
-
-COMMIT
diff --git a/testing/tests/openssl-ikev2/rw-cpa/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev2/rw-cpa/hosts/carol/etc/strongswan.conf
deleted file mode 100644
index 128d4f2d9..000000000
--- a/testing/tests/openssl-ikev2/rw-cpa/hosts/carol/etc/strongswan.conf
+++ /dev/null
@@ -1,20 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
-  load = test-vectors soup pem pkcs1 pkcs8 random nonce x509 revocation openssl stroke kernel-netlink socket-default
-
-  initiator_only = yes
-}
-
-libstrongswan {
-  integrity_test = yes
-  crypto_test {
-    required = yes
-    on_add = yes
-  }
-  plugins {
-    openssl {
-      fips_mode = 2
-    }
-  }
-}
diff --git a/testing/tests/openssl-ikev2/rw-cpa/hosts/dave/etc/ipsec.conf b/testing/tests/openssl-ikev2/rw-cpa/hosts/dave/etc/ipsec.conf
deleted file mode 100644
index 22fcb3eb5..000000000
--- a/testing/tests/openssl-ikev2/rw-cpa/hosts/dave/etc/ipsec.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev2
-	ike=aes128gcm128-prfsha256-ecp256!
-	esp=aes128gcm128-ecp256!
-
-conn peer
-	left=PH_IP_DAVE
-	leftcert=daveCert.pem
-	leftid=dave@strongswan.org
-	leftfirewall=yes
-	right=PH_IP_CAROL
-	rightid=carol@strongswan.org
-	auto=add
diff --git a/testing/tests/openssl-ikev2/rw-cpa/hosts/dave/etc/ipsec.d/cacerts/strongswanCert.pem b/testing/tests/openssl-ikev2/rw-cpa/hosts/dave/etc/ipsec.d/cacerts/strongswanCert.pem
deleted file mode 100644
index 3480a434a..000000000
--- a/testing/tests/openssl-ikev2/rw-cpa/hosts/dave/etc/ipsec.d/cacerts/strongswanCert.pem
+++ /dev/null
@@ -1,17 +0,0 @@
------BEGIN CERTIFICATE-----
-MIICyDCCAiqgAwIBAgIJAPaidX4i76aJMAkGByqGSM49BAEwSDELMAkGA1UEBhMC
-Q0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xHjAcBgNVBAMTFXN0cm9uZ1N3
-YW4gRUMgUm9vdCBDQTAeFw0wODA2MjIxNDM2MDZaFw0xODA2MjAxNDM2MDZaMEgx
-CzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQD
-ExVzdHJvbmdTd2FuIEVDIFJvb3QgQ0EwgZswEAYHKoZIzj0CAQYFK4EEACMDgYYA
-BAEUx1NvjNKzbDHaRPMsqIf/6SbUpzBa78N/WIyF6rYj8e5McAqfTfzUfFJZYoQn
-/mbP3VfjOxRuMDjrlfvdgMxwkwFDigWQfHg3CJbS7eQjjO1MrxxIJUtfSTnF29tM
-h6IYMdxaZKloCGCOrpmGCGdxD2/KwoX1SA3BlnjaNt7kSTonkqOBujCBtzAPBgNV
-HRMBAf8EBTADAQH/MAsGA1UdDwQEAwIBBjAdBgNVHQ4EFgQUul35cbYTtWrR3bo2
-t6rSwe6P2NIweAYDVR0jBHEwb4AUul35cbYTtWrR3bo2t6rSwe6P2NKhTKRKMEgx
-CzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQD
-ExVzdHJvbmdTd2FuIEVDIFJvb3QgQ0GCCQD2onV+Iu+miTAJBgcqhkjOPQQBA4GM
-ADCBiAJCAL5pU3X6NYWjOYe0cxrah27UxtUDLUNkFG/Ojl+gOH4QB0CKY0HXNyrq
-cgba73dXF/U0Cg3Ij/9g4Kd9GgYq0GlSAkIAqgqMKqXni8wbeGMJE2Mn2/8aHM3Q
-3flpHSoeNWOe/VzpRviw+VRgA4vbhhKUXBtQSiea77/DXLwOp5w7rkBoEUg=
------END CERTIFICATE-----
diff --git a/testing/tests/openssl-ikev2/rw-cpa/hosts/dave/etc/ipsec.d/certs/daveCert.pem b/testing/tests/openssl-ikev2/rw-cpa/hosts/dave/etc/ipsec.d/certs/daveCert.pem
deleted file mode 100644
index 075d8f1e5..000000000
--- a/testing/tests/openssl-ikev2/rw-cpa/hosts/dave/etc/ipsec.d/certs/daveCert.pem
+++ /dev/null
@@ -1,19 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDCTCCAmygAwIBAgIBAzAJBgcqhkjOPQQBMEgxCzAJBgNVBAYTAkNIMRkwFwYD
-VQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQDExVzdHJvbmdTd2FuIEVDIFJv
-b3QgQ0EwHhcNMDgwNjIyMTYxMzU5WhcNMTMwNjIxMTYxMzU5WjBeMQswCQYDVQQG
-EwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEWMBQGA1UECxMNRUNEU0Eg
-Mzg0IGJpdDEcMBoGA1UEAxQTZGF2ZUBzdHJvbmdzd2FuLm9yZzB2MBAGByqGSM49
-AgEGBSuBBAAiA2IABPxEg8AaVNAwCXqg0p21Zc7YzPLA3voAWf233CZJpsjb1w3y
-IeTUeIeGU7aLWAyuXgeBsx+lKzWy00LzPELOgK+3ulTHzBZg7s8kMGhwPWfV4JLA
-zrso5+i64+Y4wvRCBaOCARMwggEPMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0G
-A1UdDgQWBBQxJAy8gaP3RNBt1WTD27/IMzANmTB4BgNVHSMEcTBvgBS6XflxthO1
-atHduja3qtLB7o/Y0qFMpEowSDELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4
-IHN0cm9uZ1N3YW4xHjAcBgNVBAMTFXN0cm9uZ1N3YW4gRUMgUm9vdCBDQYIJAPai
-dX4i76aJMB4GA1UdEQQXMBWBE2RhdmVAc3Ryb25nc3dhbi5vcmcwPAYDVR0fBDUw
-MzAxoC+gLYYraHR0cDovL2NybC5zdHJvbmdzd2FuLm9yZy9zdHJvbmdzd2FuX2Vj
-LmNybDAJBgcqhkjOPQQBA4GLADCBhwJCAZaqaroyGwqd7nb5dVVWjTK8glVzDFJH
-ru4F6R+7fDCGEOaFlxf4GRkSrvQQA8vfgo6Md9XjBwq0r+9s3xt5xJjJAkElSo1/
-wyn8KQ3XN07UIaMvPctipq2OgpfteQK/F81CtZ+YCLEQt3xT7NQpriaKwGQxJAQv
-g+Z+grJzTppAqpwRpg==
------END CERTIFICATE-----
diff --git a/testing/tests/openssl-ikev2/rw-cpa/hosts/dave/etc/ipsec.d/private/daveKey.pem b/testing/tests/openssl-ikev2/rw-cpa/hosts/dave/etc/ipsec.d/private/daveKey.pem
deleted file mode 100644
index f628f88e5..000000000
--- a/testing/tests/openssl-ikev2/rw-cpa/hosts/dave/etc/ipsec.d/private/daveKey.pem
+++ /dev/null
@@ -1,6 +0,0 @@
------BEGIN EC PRIVATE KEY-----
-MIGkAgEBBDCF8kl4ftfgcvWH2myFxhc22CUT63uPy28fqUMibnpRS/wf/pfxIrVX
-+BhxpUhWS2agBwYFK4EEACKhZANiAAT8RIPAGlTQMAl6oNKdtWXO2MzywN76AFn9
-t9wmSabI29cN8iHk1HiHhlO2i1gMrl4HgbMfpSs1stNC8zxCzoCvt7pUx8wWYO7P
-JDBocD1n1eCSwM67KOfouuPmOML0QgU=
------END EC PRIVATE KEY-----
diff --git a/testing/tests/openssl-ikev2/rw-cpa/hosts/dave/etc/ipsec.secrets b/testing/tests/openssl-ikev2/rw-cpa/hosts/dave/etc/ipsec.secrets
deleted file mode 100644
index ebd3a2839..000000000
--- a/testing/tests/openssl-ikev2/rw-cpa/hosts/dave/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: ECDSA daveKey.pem
diff --git a/testing/tests/openssl-ikev2/rw-cpa/hosts/dave/etc/iptables.flush b/testing/tests/openssl-ikev2/rw-cpa/hosts/dave/etc/iptables.flush
deleted file mode 100644
index b3ab63c51..000000000
--- a/testing/tests/openssl-ikev2/rw-cpa/hosts/dave/etc/iptables.flush
+++ /dev/null
@@ -1,21 +0,0 @@
-*filter
-
--F
-
--P INPUT ACCEPT
--P OUTPUT ACCEPT
--P FORWARD ACCEPT
-
-COMMIT
-
-*nat
-
--F
-
-COMMIT
-
-*mangle
-
--F
-
-COMMIT
diff --git a/testing/tests/openssl-ikev2/rw-cpa/hosts/dave/etc/iptables.rules b/testing/tests/openssl-ikev2/rw-cpa/hosts/dave/etc/iptables.rules
deleted file mode 100644
index 3d99c0197..000000000
--- a/testing/tests/openssl-ikev2/rw-cpa/hosts/dave/etc/iptables.rules
+++ /dev/null
@@ -1,32 +0,0 @@
-*filter
-
-# default policy is DROP
--P INPUT DROP
--P OUTPUT DROP
--P FORWARD DROP
-
-# allow esp
--A INPUT  -i eth0 -p 50 -j ACCEPT
--A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-# allow IKE
--A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
--A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
-# allow MobIKE
--A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
--A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-# allow ssh
--A INPUT  -p tcp --dport 22 -j ACCEPT
--A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-# allow crl fetch from winnetou
--A INPUT  -i eth0 -p tcp --sport 80 -s 192.168.0.150 -j ACCEPT
--A OUTPUT -o eth0 -p tcp --dport 80 -d 192.168.0.150 -j ACCEPT
-
-# allow traffic tunnelled via IPsec
--A INPUT  -i eth0 -m policy --dir in  --pol ipsec --proto esp -j ACCEPT
--A OUTPUT -o eth0 -m policy --dir out --pol ipsec --proto esp -j ACCEPT
-
-COMMIT
diff --git a/testing/tests/openssl-ikev2/rw-cpa/hosts/dave/etc/strongswan.conf b/testing/tests/openssl-ikev2/rw-cpa/hosts/dave/etc/strongswan.conf
deleted file mode 100644
index 958a502c2..000000000
--- a/testing/tests/openssl-ikev2/rw-cpa/hosts/dave/etc/strongswan.conf
+++ /dev/null
@@ -1,23 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
-  load = test-vectors soup pem pkcs1 pkcs8 random nonce x509 revocation openssl stroke kernel-netlink socket-default
-
-  retransmit_timeout = 2
-  retransmit_base = 1.5
-  retransmit_tries = 3 
-  initiator_only = yes
-}
-
-libstrongswan {
-  integrity_test = yes
-  crypto_test {
-    required = yes
-    on_add = yes
-  }
-  plugins {
-    openssl {
-      fips_mode = 2
-    }
-  }
-}
diff --git a/testing/tests/openssl-ikev2/rw-cpa/hosts/moon/etc/ipsec.conf b/testing/tests/openssl-ikev2/rw-cpa/hosts/moon/etc/ipsec.conf
deleted file mode 100644
index f7044e51d..000000000
--- a/testing/tests/openssl-ikev2/rw-cpa/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekey=no
-	reauth=no
-	keyexchange=ikev2
-	ike=aes128gcm128-prfsha256-ecp256!
-	esp=aes128gcm128-ecp256!
-
-conn rw
-	left=PH_IP_MOON
-	leftcert=moonCert.pem
-	leftid=@moon.strongswan.org
-	leftsubnet=10.1.0.0/16
-	leftfirewall=yes
-	right=%any
-	auto=add
diff --git a/testing/tests/openssl-ikev2/rw-cpa/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem b/testing/tests/openssl-ikev2/rw-cpa/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem
deleted file mode 100644
index 3480a434a..000000000
--- a/testing/tests/openssl-ikev2/rw-cpa/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem
+++ /dev/null
@@ -1,17 +0,0 @@
------BEGIN CERTIFICATE-----
-MIICyDCCAiqgAwIBAgIJAPaidX4i76aJMAkGByqGSM49BAEwSDELMAkGA1UEBhMC
-Q0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xHjAcBgNVBAMTFXN0cm9uZ1N3
-YW4gRUMgUm9vdCBDQTAeFw0wODA2MjIxNDM2MDZaFw0xODA2MjAxNDM2MDZaMEgx
-CzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQD
-ExVzdHJvbmdTd2FuIEVDIFJvb3QgQ0EwgZswEAYHKoZIzj0CAQYFK4EEACMDgYYA
-BAEUx1NvjNKzbDHaRPMsqIf/6SbUpzBa78N/WIyF6rYj8e5McAqfTfzUfFJZYoQn
-/mbP3VfjOxRuMDjrlfvdgMxwkwFDigWQfHg3CJbS7eQjjO1MrxxIJUtfSTnF29tM
-h6IYMdxaZKloCGCOrpmGCGdxD2/KwoX1SA3BlnjaNt7kSTonkqOBujCBtzAPBgNV
-HRMBAf8EBTADAQH/MAsGA1UdDwQEAwIBBjAdBgNVHQ4EFgQUul35cbYTtWrR3bo2
-t6rSwe6P2NIweAYDVR0jBHEwb4AUul35cbYTtWrR3bo2t6rSwe6P2NKhTKRKMEgx
-CzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQD
-ExVzdHJvbmdTd2FuIEVDIFJvb3QgQ0GCCQD2onV+Iu+miTAJBgcqhkjOPQQBA4GM
-ADCBiAJCAL5pU3X6NYWjOYe0cxrah27UxtUDLUNkFG/Ojl+gOH4QB0CKY0HXNyrq
-cgba73dXF/U0Cg3Ij/9g4Kd9GgYq0GlSAkIAqgqMKqXni8wbeGMJE2Mn2/8aHM3Q
-3flpHSoeNWOe/VzpRviw+VRgA4vbhhKUXBtQSiea77/DXLwOp5w7rkBoEUg=
------END CERTIFICATE-----
diff --git a/testing/tests/openssl-ikev2/rw-cpa/hosts/moon/etc/ipsec.d/certs/moonCert.pem b/testing/tests/openssl-ikev2/rw-cpa/hosts/moon/etc/ipsec.d/certs/moonCert.pem
deleted file mode 100644
index 5178c7f38..000000000
--- a/testing/tests/openssl-ikev2/rw-cpa/hosts/moon/etc/ipsec.d/certs/moonCert.pem
+++ /dev/null
@@ -1,20 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDMDCCApKgAwIBAgIBATAJBgcqhkjOPQQBMEgxCzAJBgNVBAYTAkNIMRkwFwYD
-VQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQDExVzdHJvbmdTd2FuIEVDIFJv
-b3QgQ0EwHhcNMDgwNjIyMTQ0MzA3WhcNMTMwNjIxMTQ0MzA3WjBeMQswCQYDVQQG
-EwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEWMBQGA1UECxMNRUNEU0Eg
-NTIxIGJpdDEcMBoGA1UEAxMTbW9vbi5zdHJvbmdzd2FuLm9yZzCBmzAQBgcqhkjO
-PQIBBgUrgQQAIwOBhgAEALmnl/PUy9v7Qsc914kdzY+TQ6VY2192oRoa9SkpxXrs
-5GnWSJoz3yinpPHdchH0UknKt/C2Ik2k7izDH/Zau5gNAD1PqBrYWtcP+sLnH1G9
-BTibraniAUSpSaDhiWrfTteRNWqkzZI37a6YfKcBZozQcvYMW1co15EwZTptqykX
-Eepuo4IBEzCCAQ8wCQYDVR0TBAIwADALBgNVHQ8EBAMCA6gwHQYDVR0OBBYEFDVU
-Hzs47lOG0dHsezm6aFqdwJwfMHgGA1UdIwRxMG+AFLpd+XG2E7Vq0d26Nreq0sHu
-j9jSoUykSjBIMQswCQYDVQQGEwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dh
-bjEeMBwGA1UEAxMVc3Ryb25nU3dhbiBFQyBSb290IENBggkA9qJ1fiLvpokwHgYD
-VR0RBBcwFYITbW9vbi5zdHJvbmdzd2FuLm9yZzA8BgNVHR8ENTAzMDGgL6Athito
-dHRwOi8vY3JsLnN0cm9uZ3N3YW4ub3JnL3N0cm9uZ3N3YW5fZWMuY3JsMAkGByqG
-SM49BAEDgYwAMIGIAkIBDgZs1pXvm8SwT9S1m6nIHwuZsJDsDri/PWM6NXdMUXEt
-l0p8cfq8PbJlK/0+eLz8Ec1zpWuF5vasFHkVhauHdnECQgEVuYTrlry9gAx7G4kH
-mne2yDxTclEDziWxPG4UkZbkGttf9eZlsXmNoX/Z/fojXxMYZaPqM3eOT2h6ezMD
-CI9WpQ==
------END CERTIFICATE-----
diff --git a/testing/tests/openssl-ikev2/rw-cpa/hosts/moon/etc/ipsec.d/private/moonKey.pem b/testing/tests/openssl-ikev2/rw-cpa/hosts/moon/etc/ipsec.d/private/moonKey.pem
deleted file mode 100644
index beab0485f..000000000
--- a/testing/tests/openssl-ikev2/rw-cpa/hosts/moon/etc/ipsec.d/private/moonKey.pem
+++ /dev/null
@@ -1,7 +0,0 @@
------BEGIN EC PRIVATE KEY-----
-MIHcAgEBBEIBrBxHEGICJRNkhm0HWfARp+dIzm6Lw7eCbQXNM6jSGL4DVNDVCV42
-yOKQqifWEcNWxO+wWtBaz91IF5hz/m4TbOGgBwYFK4EEACOhgYkDgYYABAC5p5fz
-1Mvb+0LHPdeJHc2Pk0OlWNtfdqEaGvUpKcV67ORp1kiaM98op6Tx3XIR9FJJyrfw
-tiJNpO4swx/2WruYDQA9T6ga2FrXD/rC5x9RvQU4m62p4gFEqUmg4Ylq307XkTVq
-pM2SN+2umHynAWaM0HL2DFtXKNeRMGU6baspFxHqbg==
------END EC PRIVATE KEY-----
diff --git a/testing/tests/openssl-ikev2/rw-cpa/hosts/moon/etc/ipsec.secrets b/testing/tests/openssl-ikev2/rw-cpa/hosts/moon/etc/ipsec.secrets
deleted file mode 100644
index 1ef3eccb5..000000000
--- a/testing/tests/openssl-ikev2/rw-cpa/hosts/moon/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: ECDSA moonKey.pem
diff --git a/testing/tests/openssl-ikev2/rw-cpa/hosts/moon/etc/iptables.flush b/testing/tests/openssl-ikev2/rw-cpa/hosts/moon/etc/iptables.flush
deleted file mode 100644
index b3ab63c51..000000000
--- a/testing/tests/openssl-ikev2/rw-cpa/hosts/moon/etc/iptables.flush
+++ /dev/null
@@ -1,21 +0,0 @@
-*filter
-
--F
-
--P INPUT ACCEPT
--P OUTPUT ACCEPT
--P FORWARD ACCEPT
-
-COMMIT
-
-*nat
-
--F
-
-COMMIT
-
-*mangle
-
--F
-
-COMMIT
diff --git a/testing/tests/openssl-ikev2/rw-cpa/hosts/moon/etc/iptables.rules b/testing/tests/openssl-ikev2/rw-cpa/hosts/moon/etc/iptables.rules
deleted file mode 100644
index cc12d1659..000000000
--- a/testing/tests/openssl-ikev2/rw-cpa/hosts/moon/etc/iptables.rules
+++ /dev/null
@@ -1,32 +0,0 @@
-*filter
-
-# default policy is DROP
--P INPUT DROP
--P OUTPUT DROP
--P FORWARD DROP
-
-# allow esp
--A INPUT  -i eth0 -p 50 -j ACCEPT
--A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-# allow IKE
--A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
--A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
-# allow MobIKE
--A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
--A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-# allow ssh
--A INPUT  -p tcp --dport 22 -j ACCEPT
--A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-# allow crl fetch from winnetou
--A INPUT  -i eth0 -p tcp --sport 80 -s 192.168.0.150 -j ACCEPT
--A OUTPUT -o eth0 -p tcp --dport 80 -d 192.168.0.150 -j ACCEPT
-
-# allow traffic tunnelled via IPsec
--A FORWARD -i eth0 -o eth1 -m policy --dir in  --pol ipsec --proto esp -j ACCEPT
--A FORWARD -o eth0 -i eth1 -m policy --dir out --pol ipsec --proto esp -j ACCEPT
-
-COMMIT
diff --git a/testing/tests/openssl-ikev2/rw-cpa/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev2/rw-cpa/hosts/moon/etc/strongswan.conf
deleted file mode 100644
index fc49f9fd2..000000000
--- a/testing/tests/openssl-ikev2/rw-cpa/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,18 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
-  load = test-vectors soup pem pkcs1 pkcs8 random nonce x509 revocation openssl stroke kernel-netlink socket-default
-}
-
-libstrongswan {
-  integrity_test = yes
-  crypto_test {
-    required = yes
-    on_add = yes
-  }
-  plugins {
-    openssl {
-      fips_mode = 2 
-    }
-  }
-}
diff --git a/testing/tests/openssl-ikev2/rw-cpa/posttest.dat b/testing/tests/openssl-ikev2/rw-cpa/posttest.dat
deleted file mode 100644
index 1865a1c60..000000000
--- a/testing/tests/openssl-ikev2/rw-cpa/posttest.dat
+++ /dev/null
@@ -1,6 +0,0 @@
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
-moon::iptables-restore < /etc/iptables.flush
-carol::iptables-restore < /etc/iptables.flush
-dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/openssl-ikev2/rw-cpa/pretest.dat b/testing/tests/openssl-ikev2/rw-cpa/pretest.dat
deleted file mode 100644
index fc7173430..000000000
--- a/testing/tests/openssl-ikev2/rw-cpa/pretest.dat
+++ /dev/null
@@ -1,9 +0,0 @@
-moon::iptables-restore < /etc/iptables.rules
-carol::iptables-restore < /etc/iptables.rules
-dave::iptables-restore < /etc/iptables.rules
-moon::ipsec start
-carol::ipsec start
-dave::ipsec start
-carol::sleep 1
-dave::ipsec up peer
-carol::ipsec up home
diff --git a/testing/tests/openssl-ikev2/rw-cpa/test.conf b/testing/tests/openssl-ikev2/rw-cpa/test.conf
deleted file mode 100644
index f29298850..000000000
--- a/testing/tests/openssl-ikev2/rw-cpa/test.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# guest instances used for this test
-
-# All guest instances that are required for this test
-#
-VIRTHOSTS="alice moon carol winnetou dave"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-m-c-w-d.png"
-
-# Guest instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS="moon"
-
-# Guest instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/openssl-ikev2/rw-eap-tls-only/evaltest.dat b/testing/tests/openssl-ikev2/rw-eap-tls-only/evaltest.dat
index 1ae780e4b..a2c02f630 100644
--- a/testing/tests/openssl-ikev2/rw-eap-tls-only/evaltest.dat
+++ b/testing/tests/openssl-ikev2/rw-eap-tls-only/evaltest.dat
@@ -3,7 +3,7 @@ moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED::YES
 carol::cat /var/log/daemon.log::server requested EAP_TLS authentication::YES
 carol::cat /var/log/daemon.log::negotiated TLS 1.2 using suite TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256::YES
 carol::cat /var/log/daemon.log::allow mutual EAP-only authentication::YES
-carol::cat /var/log/daemon.log::authentication of 'C=CH, O=Linux strongSwan, OU=ECDSA 521 bit, CN=moon.strongswan.org' with EAP successful::YES
+carol::cat /var/log/daemon.log::authentication of 'C=CH, O=Linux strongSwan, OU=ECSA 521 bit, CN=moon.strongswan.org' with EAP successful::YES
 moon:: cat /var/log/daemon.log::authentication of 'C=CH, O=Linux strongSwan, OU=ECDSA 256 bit, CN=carol@strongswan.org' with EAP successful::YES
 carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.conf b/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.conf
index 2d061c6c2..c8f63bced 100644
--- a/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.conf
@@ -18,7 +18,7 @@ conn home
 	leftauth=eap
 	leftfirewall=yes
 	right=PH_IP_MOON
-	rightid="C=CH, O=Linux strongSwan, OU=ECDSA 521 bit, CN=moon.strongswan.org"
+	rightid="C=CH, O=Linux strongSwan, OU=ECSA 521 bit, CN=moon.strongswan.org"
 	rightauth=any
 	rightsubnet=10.1.0.0/16
 	rightsendcert=never
diff --git a/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.d/certs/carolCert.pem b/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.d/certs/carolCert.pem
index 29709926a..a85635faf 100644
--- a/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.d/certs/carolCert.pem
+++ b/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.d/certs/carolCert.pem
@@ -1,18 +1,15 @@
 -----BEGIN CERTIFICATE-----
-MIIC7zCCAlGgAwIBAgIBBDAJBgcqhkjOPQQBMEgxCzAJBgNVBAYTAkNIMRkwFwYD
-VQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQDExVzdHJvbmdTd2FuIEVDIFJv
-b3QgQ0EwHhcNMDgwNjIyMTYyOTE4WhcNMTMwNjIxMTYyOTE4WjBfMQswCQYDVQQG
-EwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEWMBQGA1UECxMNRUNEU0Eg
-MjU2IGJpdDEdMBsGA1UEAxQUY2Fyb2xAc3Ryb25nc3dhbi5vcmcwWTATBgcqhkjO
-PQIBBggqhkjOPQMBBwNCAAQgp/Z/GgzvVCDdVcIYqERml0KroZEaVqiF8uy8dlTS
-4mxNs6snDdEWh/LzXTd3NVnCihT2XgHxOk8NrX4hBMMYo4IBFDCCARAwCQYDVR0T
-BAIwADALBgNVHQ8EBAMCA6gwHQYDVR0OBBYEFLdhGhurno1dU2SMx7UGXpa/lgJ9
-MHgGA1UdIwRxMG+AFLpd+XG2E7Vq0d26Nreq0sHuj9jSoUykSjBIMQswCQYDVQQG
-EwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UEAxMVc3Ryb25n
-U3dhbiBFQyBSb290IENBggkA9qJ1fiLvpokwHwYDVR0RBBgwFoEUY2Fyb2xAc3Ry
-b25nc3dhbi5vcmcwPAYDVR0fBDUwMzAxoC+gLYYraHR0cDovL2NybC5zdHJvbmdz
-d2FuLm9yZy9zdHJvbmdzd2FuX2VjLmNybDAJBgcqhkjOPQQBA4GMADCBiAJCATa+
-sBFW3vCx/JgLyxU85F2QuLO0/zdNBhIU0kN7kr1cYBBr8mpbhuNKm6iFe2DsFJZx
-ii3DQjwvG46is2Njzi4vAkIA72lPodCDtAFpD/2PUxjzo6xTAFazUejobkdDTUXn
-s0f8qIzzeQuTwLbp6pDmR/JGzhAeRvQT82njCo0PJ8Hbz1c=
+MIICXzCCAcCgAwIBAgIBCTAKBggqhkjOPQQDBDBIMQswCQYDVQQGEwJDSDEZMBcG
+A1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UEAxMVc3Ryb25nU3dhbiBFQyBS
+b290IENBMB4XDTEzMDYyODA3MjczOFoXDTE4MDYwMjA3MjczOFowXzELMAkGA1UE
+BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xFjAUBgNVBAsTDUVDRFNB
+IDI1NiBiaXQxHTAbBgNVBAMUFGNhcm9sQHN0cm9uZ3N3YW4ub3JnMFkwEwYHKoZI
+zj0CAQYIKoZIzj0DAQcDQgAEwYQaBELkyAVAzNzWJr9LqoK8gdKDv+Ns6D+ZQSAj
+BuX3bs5ZIn7BrRxYd+mbnpZ2in7FjXPWkcLkIK/cgay2n6OBgzCBgDAfBgNVHSME
+GDAWgBS6XflxthO1atHduja3qtLB7o/Y0jAfBgNVHREEGDAWgRRjYXJvbEBzdHJv
+bmdzd2FuLm9yZzA8BgNVHR8ENTAzMDGgL6AthitodHRwOi8vY3JsLnN0cm9uZ3N3
+YW4ub3JnL3N0cm9uZ3N3YW5fZWMuY3JsMAoGCCqGSM49BAMEA4GMADCBiAJCAIU5
+nZLSfuiHElf7SFHl/sXCTSQ5FhEjSdhpMUvsgwq0vnEJRRdsdEOmmtVT5yQFHDUR
+Z9YVl4/zP5EFyUepvCH5AkIB2WFJ5WZ3Ds76Tq9AxAPaFbsQapGgOmrRZ6lGkj49
+hzLfARkvr+fTbOrttOC4yTIfnYVygA2G1cQYzceY/JiSk00=
 -----END CERTIFICATE-----
diff --git a/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.d/private/carolKey.pem b/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.d/private/carolKey.pem
index 5f21c1012..d2f97f858 100644
--- a/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.d/private/carolKey.pem
+++ b/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.d/private/carolKey.pem
@@ -1,8 +1,8 @@
 -----BEGIN EC PRIVATE KEY-----
 Proc-Type: 4,ENCRYPTED
-DEK-Info: AES-128-CBC,F36088B0517117B50C1A436E5C84526E
+DEK-Info: AES-128-CBC,0C53E74E6B5AC2D7475EFF30478B9D5F
 
-Zulq4O8x8i4P2I8+Ewe2pPJT8K2kzX9JjGhquFKaZdEG1YmXqIdMz41DA1b9cQjt
-KJstY10Gzc/C6Hv9v/ljfplcnumYBFdFsqvQ/Z0xh/G9u/J1gXjghhrQCUXbFble
-RVSwozA9IcCC9yQdhYyazF+85DR+p8AyQ5w2unOvuOk=
+eHLtgaAjHt0sWRnBnRAt8CEPjak58pCwVbH+7Vfz2dy//GRvZviPA/TEQDtznPde
+v5yIDGUe6vvtoY4oXemGi5SQiP8KAuaKylMQEjm2FHYwT/SgIwk5EZZjI4CcFBnK
+NWV3z5oPiW6hZebwUHWaioSAYK1awOtFcp0l4UGA31U=
 -----END EC PRIVATE KEY-----
diff --git a/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.d/certs/moonCert.pem b/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.d/certs/moonCert.pem
index 5178c7f38..25f0538a7 100644
--- a/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.d/certs/moonCert.pem
+++ b/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.d/certs/moonCert.pem
@@ -1,20 +1,17 @@
 -----BEGIN CERTIFICATE-----
-MIIDMDCCApKgAwIBAgIBATAJBgcqhkjOPQQBMEgxCzAJBgNVBAYTAkNIMRkwFwYD
-VQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQDExVzdHJvbmdTd2FuIEVDIFJv
-b3QgQ0EwHhcNMDgwNjIyMTQ0MzA3WhcNMTMwNjIxMTQ0MzA3WjBeMQswCQYDVQQG
-EwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEWMBQGA1UECxMNRUNEU0Eg
+MIICnTCCAf+gAwIBAgIBDTAKBggqhkjOPQQDBDBIMQswCQYDVQQGEwJDSDEZMBcG
+A1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UEAxMVc3Ryb25nU3dhbiBFQyBS
+b290IENBMB4XDTEzMDYyODEwMDIxNloXDTE4MDYwMjEwMDIxNlowXTELMAkGA1UE
+BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xFTATBgNVBAsTDEVDU0Eg
 NTIxIGJpdDEcMBoGA1UEAxMTbW9vbi5zdHJvbmdzd2FuLm9yZzCBmzAQBgcqhkjO
-PQIBBgUrgQQAIwOBhgAEALmnl/PUy9v7Qsc914kdzY+TQ6VY2192oRoa9SkpxXrs
-5GnWSJoz3yinpPHdchH0UknKt/C2Ik2k7izDH/Zau5gNAD1PqBrYWtcP+sLnH1G9
-BTibraniAUSpSaDhiWrfTteRNWqkzZI37a6YfKcBZozQcvYMW1co15EwZTptqykX
-Eepuo4IBEzCCAQ8wCQYDVR0TBAIwADALBgNVHQ8EBAMCA6gwHQYDVR0OBBYEFDVU
-Hzs47lOG0dHsezm6aFqdwJwfMHgGA1UdIwRxMG+AFLpd+XG2E7Vq0d26Nreq0sHu
-j9jSoUykSjBIMQswCQYDVQQGEwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dh
-bjEeMBwGA1UEAxMVc3Ryb25nU3dhbiBFQyBSb290IENBggkA9qJ1fiLvpokwHgYD
-VR0RBBcwFYITbW9vbi5zdHJvbmdzd2FuLm9yZzA8BgNVHR8ENTAzMDGgL6Athito
-dHRwOi8vY3JsLnN0cm9uZ3N3YW4ub3JnL3N0cm9uZ3N3YW5fZWMuY3JsMAkGByqG
-SM49BAEDgYwAMIGIAkIBDgZs1pXvm8SwT9S1m6nIHwuZsJDsDri/PWM6NXdMUXEt
-l0p8cfq8PbJlK/0+eLz8Ec1zpWuF5vasFHkVhauHdnECQgEVuYTrlry9gAx7G4kH
-mne2yDxTclEDziWxPG4UkZbkGttf9eZlsXmNoX/Z/fojXxMYZaPqM3eOT2h6ezMD
-CI9WpQ==
+PQIBBgUrgQQAIwOBhgAEAGWctqQ4b4fNSACnlcg5A3nxHU5X5qir+Ep8QziYNokU
+ri9N6ZPX3ipNlVAi6AYS7MXWZCBiT2g0yGFfwSxPha/rATR3m7acgyGQt0BE2UJ0
+Z7ZfjkjUPaKKEhmw0fy2t5gUhPaXMBXnu5hGjUz4gaaApsaJtr5eEwdQ0II9DG71
+tSA2o4GBMH8wHwYDVR0jBBgwFoAUul35cbYTtWrR3bo2t6rSwe6P2NIwHgYDVR0R
+BBcwFYITbW9vbi5zdHJvbmdzd2FuLm9yZzA8BgNVHR8ENTAzMDGgL6AthitodHRw
+Oi8vY3JsLnN0cm9uZ3N3YW4ub3JnL3N0cm9uZ3N3YW5fZWMuY3JsMAoGCCqGSM49
+BAMEA4GLADCBhwJBAjPn1KkfPOlfn51b6AtISSpccCsKJ6LhJiSLuQp0SzMrg3mv
+vSIkNpVrUigW0VVMwcanW3UuYKSxMBl3Z30+RpYCQgGh8v1XO4SO3DmVLD9+JLil
+9Dp0TNkzNLdOqeuIX6ili5yhnLU8chwSlpJ9d81FdAjHP9EDPO+7fTswC2vYL+Rm
+2A==
 -----END CERTIFICATE-----
diff --git a/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.d/private/moonKey.pem b/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.d/private/moonKey.pem
index beab0485f..a1ba4c9b9 100644
--- a/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.d/private/moonKey.pem
+++ b/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.d/private/moonKey.pem
@@ -1,7 +1,7 @@
 -----BEGIN EC PRIVATE KEY-----
-MIHcAgEBBEIBrBxHEGICJRNkhm0HWfARp+dIzm6Lw7eCbQXNM6jSGL4DVNDVCV42
-yOKQqifWEcNWxO+wWtBaz91IF5hz/m4TbOGgBwYFK4EEACOhgYkDgYYABAC5p5fz
-1Mvb+0LHPdeJHc2Pk0OlWNtfdqEaGvUpKcV67ORp1kiaM98op6Tx3XIR9FJJyrfw
-tiJNpO4swx/2WruYDQA9T6ga2FrXD/rC5x9RvQU4m62p4gFEqUmg4Ylq307XkTVq
-pM2SN+2umHynAWaM0HL2DFtXKNeRMGU6baspFxHqbg==
+MIHcAgEBBEIB2FqpGVb6Q8oGdL/boMxg+9G1lKAFqWXVm1jhjmrTyyc6lFJ5Hcix
++G8ZaNPJ7fLC3NU4uxW3Y9wo1K6yMDfqZhugBwYFK4EEACOhgYkDgYYABABlnLak
+OG+HzUgAp5XIOQN58R1OV+aoq/hKfEM4mDaJFK4vTemT194qTZVQIugGEuzF1mQg
+Yk9oNMhhX8EsT4Wv6wE0d5u2nIMhkLdARNlCdGe2X45I1D2iihIZsNH8treYFIT2
+lzAV57uYRo1M+IGmgKbGiba+XhMHUNCCPQxu9bUgNg==
 -----END EC PRIVATE KEY-----
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-128/description.txt b/testing/tests/openssl-ikev2/rw-suite-b-128/description.txt
new file mode 100644
index 000000000..c1a3da88e
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-suite-b-128/description.txt
@@ -0,0 +1,12 @@
+The roadwarrior <b>dave</b> tries to set up a connection to roadwarrior <b>carol</b>
+but because <b>carol</b> has set the strongswan.conf option <b>initiator_only = yes</b>
+she ignores the repeated IKE requests sent by <b>dave</b>.
+<p/>
+After the failed connection attempt by <b>dave</b>, roadwarrior <b>carol</b> sets up a
+connection to gateway <b>moon</b>. The authentication is based on Suite B with 128 bit 
+security based on <b>X.509 ECDSA</b> certificates, <b>ECP Diffie-Hellman</b> groups and <b>AES-GCM</b>
+authenticated encryption.
+<p/>
+Upon the successful establishment of the IPsec tunnel, the static IPsec policy rules of
+an iptables-based firewall let pass the tunneled traffic. In order to test both tunnel and firewall,
+<b>carol</b> pings the client <b>alice</b> behind the gateway <b>moon</b>.
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-128/evaltest.dat b/testing/tests/openssl-ikev2/rw-suite-b-128/evaltest.dat
new file mode 100644
index 000000000..7169a091d
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-suite-b-128/evaltest.dat
@@ -0,0 +1,11 @@
+dave:: cat /var/log/daemon.log::establishing IKE_SA failed, peer not responding::YES
+carol::cat /var/log/daemon.log::openssl FIPS mode(2) - enabled::YES
+moon:: cat /var/log/daemon.log::openssl FIPS mode(2) - enabled::YES
+moon:: cat /var/log/daemon.log::authentication of.*carol@strongswan.org.*with ECDSA-256 signature successful::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/ipsec.conf b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/ipsec.conf
new file mode 100644
index 000000000..61e13df41
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,22 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+	ike=aes128gcm128-prfsha256-ecp256!
+	esp=aes128gcm128-ecp256!
+
+conn home
+	left=PH_IP_CAROL
+	leftcert=carolCert.pem
+	leftid=carol@strongswan.org
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+	rightsubnet=10.1.0.0/16
+	auto=add
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/ipsec.d/cacerts/strongswanCert.pem b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/ipsec.d/cacerts/strongswanCert.pem
new file mode 100644
index 000000000..3480a434a
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/ipsec.d/cacerts/strongswanCert.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICyDCCAiqgAwIBAgIJAPaidX4i76aJMAkGByqGSM49BAEwSDELMAkGA1UEBhMC
+Q0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xHjAcBgNVBAMTFXN0cm9uZ1N3
+YW4gRUMgUm9vdCBDQTAeFw0wODA2MjIxNDM2MDZaFw0xODA2MjAxNDM2MDZaMEgx
+CzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQD
+ExVzdHJvbmdTd2FuIEVDIFJvb3QgQ0EwgZswEAYHKoZIzj0CAQYFK4EEACMDgYYA
+BAEUx1NvjNKzbDHaRPMsqIf/6SbUpzBa78N/WIyF6rYj8e5McAqfTfzUfFJZYoQn
+/mbP3VfjOxRuMDjrlfvdgMxwkwFDigWQfHg3CJbS7eQjjO1MrxxIJUtfSTnF29tM
+h6IYMdxaZKloCGCOrpmGCGdxD2/KwoX1SA3BlnjaNt7kSTonkqOBujCBtzAPBgNV
+HRMBAf8EBTADAQH/MAsGA1UdDwQEAwIBBjAdBgNVHQ4EFgQUul35cbYTtWrR3bo2
+t6rSwe6P2NIweAYDVR0jBHEwb4AUul35cbYTtWrR3bo2t6rSwe6P2NKhTKRKMEgx
+CzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQD
+ExVzdHJvbmdTd2FuIEVDIFJvb3QgQ0GCCQD2onV+Iu+miTAJBgcqhkjOPQQBA4GM
+ADCBiAJCAL5pU3X6NYWjOYe0cxrah27UxtUDLUNkFG/Ojl+gOH4QB0CKY0HXNyrq
+cgba73dXF/U0Cg3Ij/9g4Kd9GgYq0GlSAkIAqgqMKqXni8wbeGMJE2Mn2/8aHM3Q
+3flpHSoeNWOe/VzpRviw+VRgA4vbhhKUXBtQSiea77/DXLwOp5w7rkBoEUg=
+-----END CERTIFICATE-----
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/ipsec.d/certs/carolCert.pem b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/ipsec.d/certs/carolCert.pem
new file mode 100644
index 000000000..a85635faf
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/ipsec.d/certs/carolCert.pem
@@ -0,0 +1,15 @@
+-----BEGIN CERTIFICATE-----
+MIICXzCCAcCgAwIBAgIBCTAKBggqhkjOPQQDBDBIMQswCQYDVQQGEwJDSDEZMBcG
+A1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UEAxMVc3Ryb25nU3dhbiBFQyBS
+b290IENBMB4XDTEzMDYyODA3MjczOFoXDTE4MDYwMjA3MjczOFowXzELMAkGA1UE
+BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xFjAUBgNVBAsTDUVDRFNB
+IDI1NiBiaXQxHTAbBgNVBAMUFGNhcm9sQHN0cm9uZ3N3YW4ub3JnMFkwEwYHKoZI
+zj0CAQYIKoZIzj0DAQcDQgAEwYQaBELkyAVAzNzWJr9LqoK8gdKDv+Ns6D+ZQSAj
+BuX3bs5ZIn7BrRxYd+mbnpZ2in7FjXPWkcLkIK/cgay2n6OBgzCBgDAfBgNVHSME
+GDAWgBS6XflxthO1atHduja3qtLB7o/Y0jAfBgNVHREEGDAWgRRjYXJvbEBzdHJv
+bmdzd2FuLm9yZzA8BgNVHR8ENTAzMDGgL6AthitodHRwOi8vY3JsLnN0cm9uZ3N3
+YW4ub3JnL3N0cm9uZ3N3YW5fZWMuY3JsMAoGCCqGSM49BAMEA4GMADCBiAJCAIU5
+nZLSfuiHElf7SFHl/sXCTSQ5FhEjSdhpMUvsgwq0vnEJRRdsdEOmmtVT5yQFHDUR
+Z9YVl4/zP5EFyUepvCH5AkIB2WFJ5WZ3Ds76Tq9AxAPaFbsQapGgOmrRZ6lGkj49
+hzLfARkvr+fTbOrttOC4yTIfnYVygA2G1cQYzceY/JiSk00=
+-----END CERTIFICATE-----
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/ipsec.d/private/carolKey.pem b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/ipsec.d/private/carolKey.pem
new file mode 100644
index 000000000..d29ddb9ee
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/ipsec.d/private/carolKey.pem
@@ -0,0 +1,5 @@
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEIMDstKxdv/vNBPfM8iHvn5g5/8T5aRSnlh27HHt6iTfGoAoGCCqGSM49
+AwEHoUQDQgAEwYQaBELkyAVAzNzWJr9LqoK8gdKDv+Ns6D+ZQSAjBuX3bs5ZIn7B
+rRxYd+mbnpZ2in7FjXPWkcLkIK/cgay2nw==
+-----END EC PRIVATE KEY-----
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/ipsec.secrets b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/ipsec.secrets
new file mode 100644
index 000000000..3d6725162
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: ECDSA carolKey.pem
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/iptables.flush b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/iptables.flush
new file mode 100644
index 000000000..b3ab63c51
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/iptables.flush
@@ -0,0 +1,21 @@
+*filter
+
+-F
+
+-P INPUT ACCEPT
+-P OUTPUT ACCEPT
+-P FORWARD ACCEPT
+
+COMMIT
+
+*nat
+
+-F
+
+COMMIT
+
+*mangle
+
+-F
+
+COMMIT
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/iptables.rules b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/iptables.rules
new file mode 100644
index 000000000..3d99c0197
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/iptables.rules
@@ -0,0 +1,32 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow esp
+-A INPUT  -i eth0 -p 50 -j ACCEPT
+-A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+# allow IKE
+-A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT  -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT  -i eth0 -p tcp --sport 80 -s 192.168.0.150 -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d 192.168.0.150 -j ACCEPT
+
+# allow traffic tunnelled via IPsec
+-A INPUT  -i eth0 -m policy --dir in  --pol ipsec --proto esp -j ACCEPT
+-A OUTPUT -o eth0 -m policy --dir out --pol ipsec --proto esp -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..128d4f2d9
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,20 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = test-vectors soup pem pkcs1 pkcs8 random nonce x509 revocation openssl stroke kernel-netlink socket-default
+
+  initiator_only = yes
+}
+
+libstrongswan {
+  integrity_test = yes
+  crypto_test {
+    required = yes
+    on_add = yes
+  }
+  plugins {
+    openssl {
+      fips_mode = 2
+    }
+  }
+}
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/dave/etc/ipsec.conf b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/dave/etc/ipsec.conf
new file mode 100644
index 000000000..22fcb3eb5
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,21 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+	ike=aes128gcm128-prfsha256-ecp256!
+	esp=aes128gcm128-ecp256!
+
+conn peer
+	left=PH_IP_DAVE
+	leftcert=daveCert.pem
+	leftid=dave@strongswan.org
+	leftfirewall=yes
+	right=PH_IP_CAROL
+	rightid=carol@strongswan.org
+	auto=add
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/dave/etc/ipsec.d/cacerts/strongswanCert.pem b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/dave/etc/ipsec.d/cacerts/strongswanCert.pem
new file mode 100644
index 000000000..3480a434a
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/dave/etc/ipsec.d/cacerts/strongswanCert.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICyDCCAiqgAwIBAgIJAPaidX4i76aJMAkGByqGSM49BAEwSDELMAkGA1UEBhMC
+Q0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xHjAcBgNVBAMTFXN0cm9uZ1N3
+YW4gRUMgUm9vdCBDQTAeFw0wODA2MjIxNDM2MDZaFw0xODA2MjAxNDM2MDZaMEgx
+CzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQD
+ExVzdHJvbmdTd2FuIEVDIFJvb3QgQ0EwgZswEAYHKoZIzj0CAQYFK4EEACMDgYYA
+BAEUx1NvjNKzbDHaRPMsqIf/6SbUpzBa78N/WIyF6rYj8e5McAqfTfzUfFJZYoQn
+/mbP3VfjOxRuMDjrlfvdgMxwkwFDigWQfHg3CJbS7eQjjO1MrxxIJUtfSTnF29tM
+h6IYMdxaZKloCGCOrpmGCGdxD2/KwoX1SA3BlnjaNt7kSTonkqOBujCBtzAPBgNV
+HRMBAf8EBTADAQH/MAsGA1UdDwQEAwIBBjAdBgNVHQ4EFgQUul35cbYTtWrR3bo2
+t6rSwe6P2NIweAYDVR0jBHEwb4AUul35cbYTtWrR3bo2t6rSwe6P2NKhTKRKMEgx
+CzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQD
+ExVzdHJvbmdTd2FuIEVDIFJvb3QgQ0GCCQD2onV+Iu+miTAJBgcqhkjOPQQBA4GM
+ADCBiAJCAL5pU3X6NYWjOYe0cxrah27UxtUDLUNkFG/Ojl+gOH4QB0CKY0HXNyrq
+cgba73dXF/U0Cg3Ij/9g4Kd9GgYq0GlSAkIAqgqMKqXni8wbeGMJE2Mn2/8aHM3Q
+3flpHSoeNWOe/VzpRviw+VRgA4vbhhKUXBtQSiea77/DXLwOp5w7rkBoEUg=
+-----END CERTIFICATE-----
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/dave/etc/ipsec.d/certs/daveCert.pem b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/dave/etc/ipsec.d/certs/daveCert.pem
new file mode 100644
index 000000000..c83be145d
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/dave/etc/ipsec.d/certs/daveCert.pem
@@ -0,0 +1,15 @@
+-----BEGIN CERTIFICATE-----
+MIICXDCCAb2gAwIBAgIBCzAKBggqhkjOPQQDBDBIMQswCQYDVQQGEwJDSDEZMBcG
+A1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UEAxMVc3Ryb25nU3dhbiBFQyBS
+b290IENBMB4XDTEzMDYyODA3MzMyOFoXDTE4MDYwMjA3MzMyOFowXjELMAkGA1UE
+BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xFjAUBgNVBAsTDUVDRFNB
+IDI1NiBiaXQxHDAaBgNVBAMUE2RhdmVAc3Ryb25nc3dhbi5vcmcwWTATBgcqhkjO
+PQIBBggqhkjOPQMBBwNCAAQ0aUuue3BcBvF6aEISID4c+mVBJyvSm2fPVRRkAQqh
+RktTHMYDWY6B8e/iGr4GDeF5bjr46vMB5eEtVx3chWbQo4GBMH8wHwYDVR0jBBgw
+FoAUul35cbYTtWrR3bo2t6rSwe6P2NIwHgYDVR0RBBcwFYETZGF2ZUBzdHJvbmdz
+d2FuLm9yZzA8BgNVHR8ENTAzMDGgL6AthitodHRwOi8vY3JsLnN0cm9uZ3N3YW4u
+b3JnL3N0cm9uZ3N3YW5fZWMuY3JsMAoGCCqGSM49BAMEA4GMADCBiAJCAd5ols9c
+CP6HPtfMXbPlSpUDKSRyB3c5Ix2Yn3z5ogMM1QSoS88FW8D7KKsb0qTY5TnlAls3
+45PmauVwEbI2cV6qAkIBphvsmhYWMnt/QMOij7DinihEL9Ib1vxOS2boUos6sHWi
+gj3wfHyfgHM3Pgt0YYoZxELDIxcLVJeoa1TmNey7IaI=
+-----END CERTIFICATE-----
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/dave/etc/ipsec.d/private/daveKey.pem b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/dave/etc/ipsec.d/private/daveKey.pem
new file mode 100644
index 000000000..17e94022e
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/dave/etc/ipsec.d/private/daveKey.pem
@@ -0,0 +1,5 @@
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEICwxFtCsSqIAzwZDyxHclTRdz/tGzAY7fP/vPoxqr8vuoAoGCCqGSM49
+AwEHoUQDQgAENGlLrntwXAbxemhCEiA+HPplQScr0ptnz1UUZAEKoUZLUxzGA1mO
+gfHv4hq+Bg3heW46+OrzAeXhLVcd3IVm0A==
+-----END EC PRIVATE KEY-----
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/dave/etc/ipsec.secrets b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/dave/etc/ipsec.secrets
new file mode 100644
index 000000000..ebd3a2839
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/dave/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: ECDSA daveKey.pem
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/dave/etc/iptables.flush b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/dave/etc/iptables.flush
new file mode 100644
index 000000000..b3ab63c51
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/dave/etc/iptables.flush
@@ -0,0 +1,21 @@
+*filter
+
+-F
+
+-P INPUT ACCEPT
+-P OUTPUT ACCEPT
+-P FORWARD ACCEPT
+
+COMMIT
+
+*nat
+
+-F
+
+COMMIT
+
+*mangle
+
+-F
+
+COMMIT
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/dave/etc/iptables.rules b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/dave/etc/iptables.rules
new file mode 100644
index 000000000..3d99c0197
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/dave/etc/iptables.rules
@@ -0,0 +1,32 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow esp
+-A INPUT  -i eth0 -p 50 -j ACCEPT
+-A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+# allow IKE
+-A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT  -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT  -i eth0 -p tcp --sport 80 -s 192.168.0.150 -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d 192.168.0.150 -j ACCEPT
+
+# allow traffic tunnelled via IPsec
+-A INPUT  -i eth0 -m policy --dir in  --pol ipsec --proto esp -j ACCEPT
+-A OUTPUT -o eth0 -m policy --dir out --pol ipsec --proto esp -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/dave/etc/strongswan.conf b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..958a502c2
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,23 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = test-vectors soup pem pkcs1 pkcs8 random nonce x509 revocation openssl stroke kernel-netlink socket-default
+
+  retransmit_timeout = 2
+  retransmit_base = 1.5
+  retransmit_tries = 3 
+  initiator_only = yes
+}
+
+libstrongswan {
+  integrity_test = yes
+  crypto_test {
+    required = yes
+    on_add = yes
+  }
+  plugins {
+    openssl {
+      fips_mode = 2
+    }
+  }
+}
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/moon/etc/ipsec.conf b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/moon/etc/ipsec.conf
new file mode 100644
index 000000000..f7044e51d
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,21 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekey=no
+	reauth=no
+	keyexchange=ikev2
+	ike=aes128gcm128-prfsha256-ecp256!
+	esp=aes128gcm128-ecp256!
+
+conn rw
+	left=PH_IP_MOON
+	leftcert=moonCert.pem
+	leftid=@moon.strongswan.org
+	leftsubnet=10.1.0.0/16
+	leftfirewall=yes
+	right=%any
+	auto=add
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem
new file mode 100644
index 000000000..3480a434a
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICyDCCAiqgAwIBAgIJAPaidX4i76aJMAkGByqGSM49BAEwSDELMAkGA1UEBhMC
+Q0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xHjAcBgNVBAMTFXN0cm9uZ1N3
+YW4gRUMgUm9vdCBDQTAeFw0wODA2MjIxNDM2MDZaFw0xODA2MjAxNDM2MDZaMEgx
+CzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQD
+ExVzdHJvbmdTd2FuIEVDIFJvb3QgQ0EwgZswEAYHKoZIzj0CAQYFK4EEACMDgYYA
+BAEUx1NvjNKzbDHaRPMsqIf/6SbUpzBa78N/WIyF6rYj8e5McAqfTfzUfFJZYoQn
+/mbP3VfjOxRuMDjrlfvdgMxwkwFDigWQfHg3CJbS7eQjjO1MrxxIJUtfSTnF29tM
+h6IYMdxaZKloCGCOrpmGCGdxD2/KwoX1SA3BlnjaNt7kSTonkqOBujCBtzAPBgNV
+HRMBAf8EBTADAQH/MAsGA1UdDwQEAwIBBjAdBgNVHQ4EFgQUul35cbYTtWrR3bo2
+t6rSwe6P2NIweAYDVR0jBHEwb4AUul35cbYTtWrR3bo2t6rSwe6P2NKhTKRKMEgx
+CzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQD
+ExVzdHJvbmdTd2FuIEVDIFJvb3QgQ0GCCQD2onV+Iu+miTAJBgcqhkjOPQQBA4GM
+ADCBiAJCAL5pU3X6NYWjOYe0cxrah27UxtUDLUNkFG/Ojl+gOH4QB0CKY0HXNyrq
+cgba73dXF/U0Cg3Ij/9g4Kd9GgYq0GlSAkIAqgqMKqXni8wbeGMJE2Mn2/8aHM3Q
+3flpHSoeNWOe/VzpRviw+VRgA4vbhhKUXBtQSiea77/DXLwOp5w7rkBoEUg=
+-----END CERTIFICATE-----
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/moon/etc/ipsec.d/certs/moonCert.pem b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/moon/etc/ipsec.d/certs/moonCert.pem
new file mode 100644
index 000000000..a3b043e82
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/moon/etc/ipsec.d/certs/moonCert.pem
@@ -0,0 +1,15 @@
+-----BEGIN CERTIFICATE-----
+MIICXDCCAb2gAwIBAgIBBzAKBggqhkjOPQQDBDBIMQswCQYDVQQGEwJDSDEZMBcG
+A1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UEAxMVc3Ryb25nU3dhbiBFQyBS
+b290IENBMB4XDTEzMDYyODA3MTc0M1oXDTE4MDYwMjA3MTc0M1owXjELMAkGA1UE
+BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xFjAUBgNVBAsTDUVDRFNB
+IDI1NiBiaXQxHDAaBgNVBAMTE21vb24uc3Ryb25nc3dhbi5vcmcwWTATBgcqhkjO
+PQIBBggqhkjOPQMBBwNCAATf97+pfDnyPIA9gf6bYTZiIjNBAbCjCIqxxWou/oMq
+/9V1O20vyI/dg2g3yzTdzESUa+X81fop+i2n9ymBqI1No4GBMH8wHwYDVR0jBBgw
+FoAUul35cbYTtWrR3bo2t6rSwe6P2NIwHgYDVR0RBBcwFYITbW9vbi5zdHJvbmdz
+d2FuLm9yZzA8BgNVHR8ENTAzMDGgL6AthitodHRwOi8vY3JsLnN0cm9uZ3N3YW4u
+b3JnL3N0cm9uZ3N3YW5fZWMuY3JsMAoGCCqGSM49BAMEA4GMADCBiAJCALNndw3C
+DDWCb0f+6P6hxkqiYmUpv39XrioZrLbw+MjMD2WAchbj60KibBep1cVwIq3kWIJ6
+Jj0tYXG+f6yjmImqAkIBGOGRm+MQZxPFdYZoJZq5QXwIN0w2hJxmLIxBASW4PLdl
+RLIlvW/XTJObdb0VVYmClg0HTSvuuYOJrzwdyd8D1w0=
+-----END CERTIFICATE-----
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/moon/etc/ipsec.d/private/moonKey.pem b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/moon/etc/ipsec.d/private/moonKey.pem
new file mode 100644
index 000000000..5bd2778a9
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/moon/etc/ipsec.d/private/moonKey.pem
@@ -0,0 +1,5 @@
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEIHWBnv6tDi/CTTWOQi/0XME7r8Wd5GRPaXx3wNTElpSvoAoGCCqGSM49
+AwEHoUQDQgAE3/e/qXw58jyAPYH+m2E2YiIzQQGwowiKscVqLv6DKv/VdTttL8iP
+3YNoN8s03cxElGvl/NX6Kfotp/cpgaiNTQ==
+-----END EC PRIVATE KEY-----
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/moon/etc/ipsec.secrets b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/moon/etc/ipsec.secrets
new file mode 100644
index 000000000..1ef3eccb5
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/moon/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: ECDSA moonKey.pem
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/moon/etc/iptables.flush b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/moon/etc/iptables.flush
new file mode 100644
index 000000000..b3ab63c51
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/moon/etc/iptables.flush
@@ -0,0 +1,21 @@
+*filter
+
+-F
+
+-P INPUT ACCEPT
+-P OUTPUT ACCEPT
+-P FORWARD ACCEPT
+
+COMMIT
+
+*nat
+
+-F
+
+COMMIT
+
+*mangle
+
+-F
+
+COMMIT
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/moon/etc/iptables.rules b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/moon/etc/iptables.rules
new file mode 100644
index 000000000..cc12d1659
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/moon/etc/iptables.rules
@@ -0,0 +1,32 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow esp
+-A INPUT  -i eth0 -p 50 -j ACCEPT
+-A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+# allow IKE
+-A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT  -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT  -i eth0 -p tcp --sport 80 -s 192.168.0.150 -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d 192.168.0.150 -j ACCEPT
+
+# allow traffic tunnelled via IPsec
+-A FORWARD -i eth0 -o eth1 -m policy --dir in  --pol ipsec --proto esp -j ACCEPT
+-A FORWARD -o eth0 -i eth1 -m policy --dir out --pol ipsec --proto esp -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..fc49f9fd2
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,18 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = test-vectors soup pem pkcs1 pkcs8 random nonce x509 revocation openssl stroke kernel-netlink socket-default
+}
+
+libstrongswan {
+  integrity_test = yes
+  crypto_test {
+    required = yes
+    on_add = yes
+  }
+  plugins {
+    openssl {
+      fips_mode = 2 
+    }
+  }
+}
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-128/posttest.dat b/testing/tests/openssl-ikev2/rw-suite-b-128/posttest.dat
new file mode 100644
index 000000000..1865a1c60
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-suite-b-128/posttest.dat
@@ -0,0 +1,6 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-128/pretest.dat b/testing/tests/openssl-ikev2/rw-suite-b-128/pretest.dat
new file mode 100644
index 000000000..fc7173430
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-suite-b-128/pretest.dat
@@ -0,0 +1,9 @@
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
+moon::ipsec start
+carol::ipsec start
+dave::ipsec start
+carol::sleep 1
+dave::ipsec up peer
+carol::ipsec up home
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-128/test.conf b/testing/tests/openssl-ikev2/rw-suite-b-128/test.conf
new file mode 100644
index 000000000..f29298850
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-suite-b-128/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-d.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-192/description.txt b/testing/tests/openssl-ikev2/rw-suite-b-192/description.txt
new file mode 100644
index 000000000..24bb2b3df
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-suite-b-192/description.txt
@@ -0,0 +1,12 @@
+The roadwarrior <b>dave</b> tries to set up a connection to roadwarrior <b>carol</b>
+but because <b>carol</b> has set the strongswan.conf option <b>initiator_only = yes</b>
+she ignores the repeated IKE requests sent by <b>dave</b>.
+<p/>
+After the failed connection attempt by <b>dave</b>, roadwarrior <b>carol</b> sets up a
+connection to gateway <b>moon</b>. The authentication is based on Suite B with 192 bit 
+security based on <b>X.509 ECDSA</b> certificates, <b>ECP Diffie-Hellman</b> groups and <b>AES-GCM</b>
+authenticated encryption.
+<p/>
+Upon the successful establishment of the IPsec tunnel, the static IPsec policy rules of
+an iptables-based firewall let pass the tunneled traffic. In order to test both tunnel and firewall,
+<b>carol</b> pings the client <b>alice</b> behind the gateway <b>moon</b>.
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-192/evaltest.dat b/testing/tests/openssl-ikev2/rw-suite-b-192/evaltest.dat
new file mode 100644
index 000000000..57cbee1d4
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-suite-b-192/evaltest.dat
@@ -0,0 +1,11 @@
+dave:: cat /var/log/daemon.log::establishing IKE_SA failed, peer not responding::YES
+carol::cat /var/log/daemon.log::openssl FIPS mode(2) - enabled::YES
+moon:: cat /var/log/daemon.log::openssl FIPS mode(2) - enabled::YES
+moon:: cat /var/log/daemon.log::authentication of.*carol@strongswan.org.*with ECDSA-384 signature successful::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/ipsec.conf b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/ipsec.conf
new file mode 100644
index 000000000..14146ef01
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,22 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+	ike=aes256gcm128-prfsha384-ecp384!
+	esp=aes256gcm128-ecp384!
+
+conn home
+	left=PH_IP_CAROL
+	leftcert=carolCert.pem
+	leftid=carol@strongswan.org
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+	rightsubnet=10.1.0.0/16
+	auto=add
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/ipsec.d/cacerts/strongswanCert.pem b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/ipsec.d/cacerts/strongswanCert.pem
new file mode 100644
index 000000000..3480a434a
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/ipsec.d/cacerts/strongswanCert.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICyDCCAiqgAwIBAgIJAPaidX4i76aJMAkGByqGSM49BAEwSDELMAkGA1UEBhMC
+Q0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xHjAcBgNVBAMTFXN0cm9uZ1N3
+YW4gRUMgUm9vdCBDQTAeFw0wODA2MjIxNDM2MDZaFw0xODA2MjAxNDM2MDZaMEgx
+CzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQD
+ExVzdHJvbmdTd2FuIEVDIFJvb3QgQ0EwgZswEAYHKoZIzj0CAQYFK4EEACMDgYYA
+BAEUx1NvjNKzbDHaRPMsqIf/6SbUpzBa78N/WIyF6rYj8e5McAqfTfzUfFJZYoQn
+/mbP3VfjOxRuMDjrlfvdgMxwkwFDigWQfHg3CJbS7eQjjO1MrxxIJUtfSTnF29tM
+h6IYMdxaZKloCGCOrpmGCGdxD2/KwoX1SA3BlnjaNt7kSTonkqOBujCBtzAPBgNV
+HRMBAf8EBTADAQH/MAsGA1UdDwQEAwIBBjAdBgNVHQ4EFgQUul35cbYTtWrR3bo2
+t6rSwe6P2NIweAYDVR0jBHEwb4AUul35cbYTtWrR3bo2t6rSwe6P2NKhTKRKMEgx
+CzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQD
+ExVzdHJvbmdTd2FuIEVDIFJvb3QgQ0GCCQD2onV+Iu+miTAJBgcqhkjOPQQBA4GM
+ADCBiAJCAL5pU3X6NYWjOYe0cxrah27UxtUDLUNkFG/Ojl+gOH4QB0CKY0HXNyrq
+cgba73dXF/U0Cg3Ij/9g4Kd9GgYq0GlSAkIAqgqMKqXni8wbeGMJE2Mn2/8aHM3Q
+3flpHSoeNWOe/VzpRviw+VRgA4vbhhKUXBtQSiea77/DXLwOp5w7rkBoEUg=
+-----END CERTIFICATE-----
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/ipsec.d/certs/carolCert.pem b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/ipsec.d/certs/carolCert.pem
new file mode 100644
index 000000000..f43957143
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/ipsec.d/certs/carolCert.pem
@@ -0,0 +1,16 @@
+-----BEGIN CERTIFICATE-----
+MIICfDCCAd2gAwIBAgIBCjAKBggqhkjOPQQDBDBIMQswCQYDVQQGEwJDSDEZMBcG
+A1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UEAxMVc3Ryb25nU3dhbiBFQyBS
+b290IENBMB4XDTEzMDYyODA3MzE1NFoXDTE4MDYwMjA3MzE1NFowXzELMAkGA1UE
+BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xFjAUBgNVBAsTDUVDRFNB
+IDM4NCBiaXQxHTAbBgNVBAMUFGNhcm9sQHN0cm9uZ3N3YW4ub3JnMHYwEAYHKoZI
+zj0CAQYFK4EEACIDYgAERiDlh/bOFDq6bSRdDq2ivOcNcxWSGlO5dy5yBRvAhTWl
+NJcy93jxhDIzF5mxPpmgNXpdmSBRKbm3ydkw8LbWI+5/lje06Yl6nOLBO6Zb7GqH
+XFO+BqJrUxzbdHXwxWqto4GDMIGAMB8GA1UdIwQYMBaAFLpd+XG2E7Vq0d26Nreq
+0sHuj9jSMB8GA1UdEQQYMBaBFGNhcm9sQHN0cm9uZ3N3YW4ub3JnMDwGA1UdHwQ1
+MDMwMaAvoC2GK2h0dHA6Ly9jcmwuc3Ryb25nc3dhbi5vcmcvc3Ryb25nc3dhbl9l
+Yy5jcmwwCgYIKoZIzj0EAwQDgYwAMIGIAkIA8mbKzo+mp8umjvpoQUo5pIvR1CQQ
+lvBGCUWv7mtq1CVBXzv7Z+HQqPsrL388RymEErA7BzDMkPKTa5E3ZV5LL38CQgDx
++v/cIcJdYngOOF0IgVSDzcGgSvOmMlPF/D97eC4Od7XwdYl5p9Sxi4SjmDZZi4r/
+EArN3teDfoc7CZcRxWcDhQ==
+-----END CERTIFICATE-----
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/ipsec.d/private/carolKey.pem b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/ipsec.d/private/carolKey.pem
new file mode 100644
index 000000000..b94625718
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/ipsec.d/private/carolKey.pem
@@ -0,0 +1,6 @@
+-----BEGIN EC PRIVATE KEY-----
+MIGkAgEBBDCkhn8iMx3xfYLzonabc5FVG700UU6WKdke251F8ncgj1sGd5HZCV+N
+6pHODLMII96gBwYFK4EEACKhZANiAARGIOWH9s4UOrptJF0OraK85w1zFZIaU7l3
+LnIFG8CFNaU0lzL3ePGEMjMXmbE+maA1el2ZIFEpubfJ2TDwttYj7n+WN7TpiXqc
+4sE7plvsaodcU74GomtTHNt0dfDFaq0=
+-----END EC PRIVATE KEY-----
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/ipsec.secrets b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/ipsec.secrets
new file mode 100644
index 000000000..3d6725162
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: ECDSA carolKey.pem
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/iptables.flush b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/iptables.flush
new file mode 100644
index 000000000..b3ab63c51
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/iptables.flush
@@ -0,0 +1,21 @@
+*filter
+
+-F
+
+-P INPUT ACCEPT
+-P OUTPUT ACCEPT
+-P FORWARD ACCEPT
+
+COMMIT
+
+*nat
+
+-F
+
+COMMIT
+
+*mangle
+
+-F
+
+COMMIT
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/iptables.rules b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/iptables.rules
new file mode 100644
index 000000000..3d99c0197
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/iptables.rules
@@ -0,0 +1,32 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow esp
+-A INPUT  -i eth0 -p 50 -j ACCEPT
+-A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+# allow IKE
+-A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT  -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT  -i eth0 -p tcp --sport 80 -s 192.168.0.150 -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d 192.168.0.150 -j ACCEPT
+
+# allow traffic tunnelled via IPsec
+-A INPUT  -i eth0 -m policy --dir in  --pol ipsec --proto esp -j ACCEPT
+-A OUTPUT -o eth0 -m policy --dir out --pol ipsec --proto esp -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..128d4f2d9
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,20 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = test-vectors soup pem pkcs1 pkcs8 random nonce x509 revocation openssl stroke kernel-netlink socket-default
+
+  initiator_only = yes
+}
+
+libstrongswan {
+  integrity_test = yes
+  crypto_test {
+    required = yes
+    on_add = yes
+  }
+  plugins {
+    openssl {
+      fips_mode = 2
+    }
+  }
+}
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/dave/etc/ipsec.conf b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/dave/etc/ipsec.conf
new file mode 100644
index 000000000..f6feda0bb
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,21 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+	ike=aes256gcm128-prfsha384-ecp384!
+	esp=aes256cm128-ecp384!
+
+conn peer
+	left=PH_IP_DAVE
+	leftcert=daveCert.pem
+	leftid=dave@strongswan.org
+	leftfirewall=yes
+	right=PH_IP_CAROL
+	rightid=carol@strongswan.org
+	auto=add
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/dave/etc/ipsec.d/cacerts/strongswanCert.pem b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/dave/etc/ipsec.d/cacerts/strongswanCert.pem
new file mode 100644
index 000000000..3480a434a
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/dave/etc/ipsec.d/cacerts/strongswanCert.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICyDCCAiqgAwIBAgIJAPaidX4i76aJMAkGByqGSM49BAEwSDELMAkGA1UEBhMC
+Q0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xHjAcBgNVBAMTFXN0cm9uZ1N3
+YW4gRUMgUm9vdCBDQTAeFw0wODA2MjIxNDM2MDZaFw0xODA2MjAxNDM2MDZaMEgx
+CzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQD
+ExVzdHJvbmdTd2FuIEVDIFJvb3QgQ0EwgZswEAYHKoZIzj0CAQYFK4EEACMDgYYA
+BAEUx1NvjNKzbDHaRPMsqIf/6SbUpzBa78N/WIyF6rYj8e5McAqfTfzUfFJZYoQn
+/mbP3VfjOxRuMDjrlfvdgMxwkwFDigWQfHg3CJbS7eQjjO1MrxxIJUtfSTnF29tM
+h6IYMdxaZKloCGCOrpmGCGdxD2/KwoX1SA3BlnjaNt7kSTonkqOBujCBtzAPBgNV
+HRMBAf8EBTADAQH/MAsGA1UdDwQEAwIBBjAdBgNVHQ4EFgQUul35cbYTtWrR3bo2
+t6rSwe6P2NIweAYDVR0jBHEwb4AUul35cbYTtWrR3bo2t6rSwe6P2NKhTKRKMEgx
+CzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQD
+ExVzdHJvbmdTd2FuIEVDIFJvb3QgQ0GCCQD2onV+Iu+miTAJBgcqhkjOPQQBA4GM
+ADCBiAJCAL5pU3X6NYWjOYe0cxrah27UxtUDLUNkFG/Ojl+gOH4QB0CKY0HXNyrq
+cgba73dXF/U0Cg3Ij/9g4Kd9GgYq0GlSAkIAqgqMKqXni8wbeGMJE2Mn2/8aHM3Q
+3flpHSoeNWOe/VzpRviw+VRgA4vbhhKUXBtQSiea77/DXLwOp5w7rkBoEUg=
+-----END CERTIFICATE-----
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/dave/etc/ipsec.d/certs/daveCert.pem b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/dave/etc/ipsec.d/certs/daveCert.pem
new file mode 100644
index 000000000..e97709a3f
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/dave/etc/ipsec.d/certs/daveCert.pem
@@ -0,0 +1,16 @@
+-----BEGIN CERTIFICATE-----
+MIICeTCCAdqgAwIBAgIBDDAKBggqhkjOPQQDBDBIMQswCQYDVQQGEwJDSDEZMBcG
+A1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UEAxMVc3Ryb25nU3dhbiBFQyBS
+b290IENBMB4XDTEzMDYyODA3MzUxOVoXDTE4MDYwMjA3MzUxOVowXjELMAkGA1UE
+BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xFjAUBgNVBAsTDUVDRFNB
+IDM4NCBiaXQxHDAaBgNVBAMUE2RhdmVAc3Ryb25nc3dhbi5vcmcwdjAQBgcqhkjO
+PQIBBgUrgQQAIgNiAATVOQOBWOH7PhHx/mc+y5+uDpW/maSCkGwpnPP1dWQl4Dpr
+DokGZC8P+pm1j0sBvzbSCuHZCAkaSptYavgv4VVJ/X5u89tnj6QqQt/AtuPjCL7r
+3k3F0Nsj/TGSjRmcMr6jgYEwfzAfBgNVHSMEGDAWgBS6XflxthO1atHduja3qtLB
+7o/Y0jAeBgNVHREEFzAVgRNkYXZlQHN0cm9uZ3N3YW4ub3JnMDwGA1UdHwQ1MDMw
+MaAvoC2GK2h0dHA6Ly9jcmwuc3Ryb25nc3dhbi5vcmcvc3Ryb25nc3dhbl9lYy5j
+cmwwCgYIKoZIzj0EAwQDgYwAMIGIAkIB/x2+UiGE5T7229M2Ic2BMYLWSBQlZJeT
+d3uniJb3NAkeQAhDgj0TOxVdMz1SkgScLRS2RKYpsxiVsV+tVuijTMQCQgHn1WtY
+iiSY7OWcX9hQEqWDV0TxoNcgInEhsmtMbseCpR0dYXYsm54oC0pqVBeKp0GC7KJr
+ZEmeb0/mRB56osgppA==
+-----END CERTIFICATE-----
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/dave/etc/ipsec.d/private/daveKey.pem b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/dave/etc/ipsec.d/private/daveKey.pem
new file mode 100644
index 000000000..574c86a2e
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/dave/etc/ipsec.d/private/daveKey.pem
@@ -0,0 +1,6 @@
+-----BEGIN EC PRIVATE KEY-----
+MIGkAgEBBDCFbFPkGF4ez8EzHm6pTVCr17Q1+GACxn7m0EE4UVoq7RQBNk4NOxhE
+hJZpquwjgqegBwYFK4EEACKhZANiAATVOQOBWOH7PhHx/mc+y5+uDpW/maSCkGwp
+nPP1dWQl4DprDokGZC8P+pm1j0sBvzbSCuHZCAkaSptYavgv4VVJ/X5u89tnj6Qq
+Qt/AtuPjCL7r3k3F0Nsj/TGSjRmcMr4=
+-----END EC PRIVATE KEY-----
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/dave/etc/ipsec.secrets b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/dave/etc/ipsec.secrets
new file mode 100644
index 000000000..ebd3a2839
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/dave/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: ECDSA daveKey.pem
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/dave/etc/iptables.flush b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/dave/etc/iptables.flush
new file mode 100644
index 000000000..b3ab63c51
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/dave/etc/iptables.flush
@@ -0,0 +1,21 @@
+*filter
+
+-F
+
+-P INPUT ACCEPT
+-P OUTPUT ACCEPT
+-P FORWARD ACCEPT
+
+COMMIT
+
+*nat
+
+-F
+
+COMMIT
+
+*mangle
+
+-F
+
+COMMIT
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/dave/etc/iptables.rules b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/dave/etc/iptables.rules
new file mode 100644
index 000000000..3d99c0197
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/dave/etc/iptables.rules
@@ -0,0 +1,32 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow esp
+-A INPUT  -i eth0 -p 50 -j ACCEPT
+-A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+# allow IKE
+-A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT  -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT  -i eth0 -p tcp --sport 80 -s 192.168.0.150 -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d 192.168.0.150 -j ACCEPT
+
+# allow traffic tunnelled via IPsec
+-A INPUT  -i eth0 -m policy --dir in  --pol ipsec --proto esp -j ACCEPT
+-A OUTPUT -o eth0 -m policy --dir out --pol ipsec --proto esp -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/dave/etc/strongswan.conf b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..958a502c2
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,23 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = test-vectors soup pem pkcs1 pkcs8 random nonce x509 revocation openssl stroke kernel-netlink socket-default
+
+  retransmit_timeout = 2
+  retransmit_base = 1.5
+  retransmit_tries = 3 
+  initiator_only = yes
+}
+
+libstrongswan {
+  integrity_test = yes
+  crypto_test {
+    required = yes
+    on_add = yes
+  }
+  plugins {
+    openssl {
+      fips_mode = 2
+    }
+  }
+}
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/moon/etc/ipsec.conf b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/moon/etc/ipsec.conf
new file mode 100644
index 000000000..f37dae945
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,21 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekey=no
+	reauth=no
+	keyexchange=ikev2
+	ike=aes256gcm128-prfsha384-ecp384!
+	esp=aes256gcm128-ecp384!
+
+conn rw
+	left=PH_IP_MOON
+	leftcert=moonCert.pem
+	leftid=@moon.strongswan.org
+	leftsubnet=10.1.0.0/16
+	leftfirewall=yes
+	right=%any
+	auto=add
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem
new file mode 100644
index 000000000..3480a434a
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICyDCCAiqgAwIBAgIJAPaidX4i76aJMAkGByqGSM49BAEwSDELMAkGA1UEBhMC
+Q0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xHjAcBgNVBAMTFXN0cm9uZ1N3
+YW4gRUMgUm9vdCBDQTAeFw0wODA2MjIxNDM2MDZaFw0xODA2MjAxNDM2MDZaMEgx
+CzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQD
+ExVzdHJvbmdTd2FuIEVDIFJvb3QgQ0EwgZswEAYHKoZIzj0CAQYFK4EEACMDgYYA
+BAEUx1NvjNKzbDHaRPMsqIf/6SbUpzBa78N/WIyF6rYj8e5McAqfTfzUfFJZYoQn
+/mbP3VfjOxRuMDjrlfvdgMxwkwFDigWQfHg3CJbS7eQjjO1MrxxIJUtfSTnF29tM
+h6IYMdxaZKloCGCOrpmGCGdxD2/KwoX1SA3BlnjaNt7kSTonkqOBujCBtzAPBgNV
+HRMBAf8EBTADAQH/MAsGA1UdDwQEAwIBBjAdBgNVHQ4EFgQUul35cbYTtWrR3bo2
+t6rSwe6P2NIweAYDVR0jBHEwb4AUul35cbYTtWrR3bo2t6rSwe6P2NKhTKRKMEgx
+CzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQD
+ExVzdHJvbmdTd2FuIEVDIFJvb3QgQ0GCCQD2onV+Iu+miTAJBgcqhkjOPQQBA4GM
+ADCBiAJCAL5pU3X6NYWjOYe0cxrah27UxtUDLUNkFG/Ojl+gOH4QB0CKY0HXNyrq
+cgba73dXF/U0Cg3Ij/9g4Kd9GgYq0GlSAkIAqgqMKqXni8wbeGMJE2Mn2/8aHM3Q
+3flpHSoeNWOe/VzpRviw+VRgA4vbhhKUXBtQSiea77/DXLwOp5w7rkBoEUg=
+-----END CERTIFICATE-----
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/moon/etc/ipsec.d/certs/moonCert.pem b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/moon/etc/ipsec.d/certs/moonCert.pem
new file mode 100644
index 000000000..7bf96cdc8
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/moon/etc/ipsec.d/certs/moonCert.pem
@@ -0,0 +1,16 @@
+-----BEGIN CERTIFICATE-----
+MIICdzCCAdqgAwIBAgIBCDAKBggqhkjOPQQDBDBIMQswCQYDVQQGEwJDSDEZMBcG
+A1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UEAxMVc3Ryb25nU3dhbiBFQyBS
+b290IENBMB4XDTEzMDYyODA3MjA1MFoXDTE4MDYwMjA3MjA1MFowXjELMAkGA1UE
+BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xFjAUBgNVBAsTDUVDRFNB
+IDM4NCBiaXQxHDAaBgNVBAMTE21vb24uc3Ryb25nc3dhbi5vcmcwdjAQBgcqhkjO
+PQIBBgUrgQQAIgNiAAQh4YOVBbRxtdaM7uJvDrZqt6a1jJo+rijEV5Nw1OqU5jlk
+srCtZwcZXrR67MlqzFNyvkHtbcWRuBjL55xjQE+YavKnltuKu42COUhWXh760M/c
+2SNzsjvsJgGXAsiPwiajgYEwfzAfBgNVHSMEGDAWgBS6XflxthO1atHduja3qtLB
+7o/Y0jAeBgNVHREEFzAVghNtb29uLnN0cm9uZ3N3YW4ub3JnMDwGA1UdHwQ1MDMw
+MaAvoC2GK2h0dHA6Ly9jcmwuc3Ryb25nc3dhbi5vcmcvc3Ryb25nc3dhbl9lYy5j
+cmwwCgYIKoZIzj0EAwQDgYoAMIGGAkE35mfDj/fFUXGsetoU9l9Kt3jbIKYugJgE
+2gmv/MW8jwrqoP7y6ATHXJkonA6AvEK+o0ZMrae55lIKPkBh5xk3XQJBfp5Eqg6Y
+efRIXUeLksM56fRjVwJS6es7qb8l1q6+c1wC1A3lEHQvAs+kJxFfFyni2oxA923F
+h2eoaYy9vSqET5Q=
+-----END CERTIFICATE-----
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/moon/etc/ipsec.d/private/moonKey.pem b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/moon/etc/ipsec.d/private/moonKey.pem
new file mode 100644
index 000000000..231aa3bdc
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/moon/etc/ipsec.d/private/moonKey.pem
@@ -0,0 +1,6 @@
+-----BEGIN EC PRIVATE KEY-----
+MIGkAgEBBDDlpnLnnwL+nIt/+e+cY2PoTtyHPM10qgck9nYj/f3bPd3ZfiraSBhZ
+KttBZfw5xQKgBwYFK4EEACKhZANiAAQh4YOVBbRxtdaM7uJvDrZqt6a1jJo+rijE
+V5Nw1OqU5jlksrCtZwcZXrR67MlqzFNyvkHtbcWRuBjL55xjQE+YavKnltuKu42C
+OUhWXh760M/c2SNzsjvsJgGXAsiPwiY=
+-----END EC PRIVATE KEY-----
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/moon/etc/ipsec.secrets b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/moon/etc/ipsec.secrets
new file mode 100644
index 000000000..1ef3eccb5
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/moon/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: ECDSA moonKey.pem
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/moon/etc/iptables.flush b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/moon/etc/iptables.flush
new file mode 100644
index 000000000..b3ab63c51
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/moon/etc/iptables.flush
@@ -0,0 +1,21 @@
+*filter
+
+-F
+
+-P INPUT ACCEPT
+-P OUTPUT ACCEPT
+-P FORWARD ACCEPT
+
+COMMIT
+
+*nat
+
+-F
+
+COMMIT
+
+*mangle
+
+-F
+
+COMMIT
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/moon/etc/iptables.rules b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/moon/etc/iptables.rules
new file mode 100644
index 000000000..cc12d1659
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/moon/etc/iptables.rules
@@ -0,0 +1,32 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow esp
+-A INPUT  -i eth0 -p 50 -j ACCEPT
+-A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+# allow IKE
+-A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT  -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT  -i eth0 -p tcp --sport 80 -s 192.168.0.150 -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d 192.168.0.150 -j ACCEPT
+
+# allow traffic tunnelled via IPsec
+-A FORWARD -i eth0 -o eth1 -m policy --dir in  --pol ipsec --proto esp -j ACCEPT
+-A FORWARD -o eth0 -i eth1 -m policy --dir out --pol ipsec --proto esp -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..fc49f9fd2
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,18 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = test-vectors soup pem pkcs1 pkcs8 random nonce x509 revocation openssl stroke kernel-netlink socket-default
+}
+
+libstrongswan {
+  integrity_test = yes
+  crypto_test {
+    required = yes
+    on_add = yes
+  }
+  plugins {
+    openssl {
+      fips_mode = 2 
+    }
+  }
+}
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-192/posttest.dat b/testing/tests/openssl-ikev2/rw-suite-b-192/posttest.dat
new file mode 100644
index 000000000..1865a1c60
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-suite-b-192/posttest.dat
@@ -0,0 +1,6 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-192/pretest.dat b/testing/tests/openssl-ikev2/rw-suite-b-192/pretest.dat
new file mode 100644
index 000000000..fc7173430
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-suite-b-192/pretest.dat
@@ -0,0 +1,9 @@
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
+moon::ipsec start
+carol::ipsec start
+dave::ipsec start
+carol::sleep 1
+dave::ipsec up peer
+carol::ipsec up home
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-192/test.conf b/testing/tests/openssl-ikev2/rw-suite-b-192/test.conf
new file mode 100644
index 000000000..f29298850
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-suite-b-192/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-d.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/tkm/host2host-initiator/hosts/sun/etc/ipsec.conf b/testing/tests/tkm/host2host-initiator/hosts/sun/etc/ipsec.conf
index 4ad0aa7db..e52a04f42 100644
--- a/testing/tests/tkm/host2host-initiator/hosts/sun/etc/ipsec.conf
+++ b/testing/tests/tkm/host2host-initiator/hosts/sun/etc/ipsec.conf
@@ -17,4 +17,5 @@ conn host-host
 	rightid=moon.strongswan.org
 	ike=aes256-sha512-modp4096!
 	esp=aes256-sha512-modp4096!
+	type=transport
 	auto=add
diff --git a/testing/tests/tkm/host2host-xfrmproxy/hosts/sun/etc/ipsec.conf b/testing/tests/tkm/host2host-xfrmproxy/hosts/sun/etc/ipsec.conf
index 4ad0aa7db..e52a04f42 100644
--- a/testing/tests/tkm/host2host-xfrmproxy/hosts/sun/etc/ipsec.conf
+++ b/testing/tests/tkm/host2host-xfrmproxy/hosts/sun/etc/ipsec.conf
@@ -17,4 +17,5 @@ conn host-host
 	rightid=moon.strongswan.org
 	ike=aes256-sha512-modp4096!
 	esp=aes256-sha512-modp4096!
+	type=transport
 	auto=add
diff --git a/testing/tests/tnc/tnccs-11-radius-block/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-11-radius-block/hosts/dave/etc/strongswan.conf
index 73646f8db..ac469590c 100644
--- a/testing/tests/tnc/tnccs-11-radius-block/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-11-radius-block/hosts/dave/etc/strongswan.conf
@@ -4,3 +4,11 @@ charon {
   load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown
   multiple_authentication=no
 }
+
+libimcv {
+  plugins {
+    imc-scanner {
+      push_info = no
+    }
+  }
+}
diff --git a/testing/tests/tnc/tnccs-11-radius-pts/description.txt b/testing/tests/tnc/tnccs-11-radius-pts/description.txt
new file mode 100644
index 000000000..f71837b6d
--- /dev/null
+++ b/testing/tests/tnc/tnccs-11-radius-pts/description.txt
@@ -0,0 +1,14 @@
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to gateway <b>moon</b>.
+At the outset the gateway authenticates itself to the clients by sending an IKEv2
+<b>RSA signature</b> accompanied by a certificate.
+<b>carol</b> and <b>dave</b> then set up an <b>EAP-TTLS</b> tunnel each via <b>moon</b> to the
+<a href="http://trust.inform.fh-hannover.de/joomla/index.php/projects/tncfhh" target="popup">
+<b>TNC@FHH</b></a>-enhanced FreeRADIUS server <b>alice</b> authenticated by an X.509 AAA certificate.
+The strong EAP-TTLS tunnel protects the ensuing weak client authentication based on <b>EAP-MD5</b>.
+In a next step the EAP-TNC protocol is used within the EAP-TTLS tunnel to determine the
+health of <b>carol</b> and <b>dave</b> via the <b>IF-TNCCS 1.1</b> client-server interface.
+The communication between the OS and Attestation IMC and the Attestation IMV is based on the
+ <b>IF-M</b> protocol defined by <b>RFC 5792 PA-TNC</b>.
+<p>
+<b>carol</b> passes the health test and <b>dave</b> fails. Based on these measurements the clients
+are connected by gateway <b>moon</b> to the "rw-allow" and "rw-isolate" subnets, respectively.
diff --git a/testing/tests/tnc/tnccs-11-radius-pts/evaltest.dat b/testing/tests/tnc/tnccs-11-radius-pts/evaltest.dat
new file mode 100644
index 000000000..e22b767f7
--- /dev/null
+++ b/testing/tests/tnc/tnccs-11-radius-pts/evaltest.dat
@@ -0,0 +1,19 @@
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES
+carol::cat /var/log/daemon.log::TNCCS-Recommendation.*allow::YES
+carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
+carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/28::YES
+dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES
+dave:: cat /var/log/daemon.log::TNCCS-Recommendation.*isolate::YES
+dave:: cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
+dave:: cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES
+moon:: cat /var/log/daemon.log::received RADIUS attribute Filter-Id: 'allow'::YES
+moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
+moon:: cat /var/log/daemon.log::received RADIUS attribute Filter-Id: 'isolate'::YES
+moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES
+moon:: ipsec statusall 2> /dev/null::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES
+moon:: ipsec statusall 2> /dev/null::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_ALICE: icmp_req=1::NO
+dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_req=1::NO
+
diff --git a/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/freeradius/eap.conf b/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/freeradius/eap.conf
new file mode 100644
index 000000000..31556361e
--- /dev/null
+++ b/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/freeradius/eap.conf
@@ -0,0 +1,25 @@
+eap {
+  md5 {
+  }
+  default_eap_type = ttls
+  tls {
+    private_key_file = /etc/raddb/certs/aaaKey.pem
+    certificate_file = /etc/raddb/certs/aaaCert.pem
+    CA_file = /etc/raddb/certs/strongswanCert.pem
+    cipher_list = "DEFAULT"
+    dh_file = /etc/raddb/certs/dh
+    random_file = /etc/raddb/certs/random
+  }
+  ttls {
+    default_eap_type = md5
+    use_tunneled_reply = yes
+    virtual_server = "inner-tunnel"
+    tnc_virtual_server = "inner-tunnel-second"
+  }
+}
+
+eap eap_tnc {
+      default_eap_type = tnc
+      tnc {
+      }
+}
diff --git a/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/freeradius/proxy.conf b/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/freeradius/proxy.conf
new file mode 100644
index 000000000..23cba8d11
--- /dev/null
+++ b/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/freeradius/proxy.conf
@@ -0,0 +1,5 @@
+realm strongswan.org {
+  type     = radius
+  authhost = LOCAL
+  accthost = LOCAL
+}
diff --git a/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/freeradius/sites-available/default b/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/freeradius/sites-available/default
new file mode 100644
index 000000000..dd0825858
--- /dev/null
+++ b/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/freeradius/sites-available/default
@@ -0,0 +1,43 @@
+authorize {
+  suffix
+  eap {
+    ok = return
+  }
+  files
+}
+
+authenticate {
+  eap
+}
+
+preacct {
+  preprocess
+  acct_unique
+  suffix
+  files
+}
+
+accounting {
+  detail
+  unix
+  radutmp
+  attr_filter.accounting_response
+}
+
+session {
+  radutmp
+}
+
+post-auth {
+  exec
+  Post-Auth-Type REJECT {
+    attr_filter.access_reject
+  }
+}
+
+pre-proxy {
+}
+
+post-proxy {
+  eap
+}
diff --git a/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/freeradius/sites-available/inner-tunnel b/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/freeradius/sites-available/inner-tunnel
new file mode 100644
index 000000000..e088fae14
--- /dev/null
+++ b/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/freeradius/sites-available/inner-tunnel
@@ -0,0 +1,32 @@
+server inner-tunnel {
+
+authorize {
+	suffix
+	eap {
+		ok = return
+	}
+	files
+}
+
+authenticate {
+	eap
+}
+
+session {
+	radutmp
+}
+
+post-auth {
+	Post-Auth-Type REJECT {
+		attr_filter.access_reject
+	}
+}
+
+pre-proxy {
+}
+
+post-proxy {
+	eap
+}
+
+} # inner-tunnel server block
diff --git a/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/freeradius/sites-available/inner-tunnel-second b/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/freeradius/sites-available/inner-tunnel-second
new file mode 100644
index 000000000..c5bde6a9e
--- /dev/null
+++ b/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/freeradius/sites-available/inner-tunnel-second
@@ -0,0 +1,36 @@
+server inner-tunnel-second {
+
+authorize {
+	eap_tnc {
+		ok = return
+	}
+}
+
+authenticate {
+	eap_tnc
+}
+
+session {
+	radutmp
+}
+
+post-auth {
+	if (control:TNC-Status == "Access") {
+		update reply {
+			Tunnel-Type := ESP
+			Filter-Id := "allow"
+		}
+	}
+	elsif (control:TNC-Status == "Isolate") {
+		update reply {
+			Tunnel-Type := ESP
+			Filter-Id := "isolate"
+		}
+	}
+
+	Post-Auth-Type REJECT {
+		attr_filter.access_reject
+	}
+}
+
+} # inner-tunnel-second block
diff --git a/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/freeradius/users b/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/freeradius/users
new file mode 100644
index 000000000..50ccf3e76
--- /dev/null
+++ b/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/freeradius/users
@@ -0,0 +1,2 @@
+carol	Cleartext-Password := "Ar3etTnp"
+dave	Cleartext-Password := "W7R0g3do"
diff --git a/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/pts/data.sql b/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/pts/data.sql
new file mode 100644
index 000000000..090eb47ff
--- /dev/null
+++ b/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/pts/data.sql
@@ -0,0 +1,873 @@
+/* Products */
+
+INSERT INTO products (			/*  1 */
+  name
+) VALUES (
+ 'Debian 6.0 i686'
+);
+
+INSERT INTO products (			/*  2 */
+  name
+) VALUES (
+ 'Debian 6.0 x86_64'
+);
+
+INSERT INTO products (			/*  3 */
+  name
+) VALUES (
+ 'Debian 7.0 i686'
+);
+
+INSERT INTO products (			/*  4 */
+  name
+) VALUES (
+ 'Debian 7.0 x86_64'
+);
+
+INSERT INTO products (			/*  5 */
+  name
+) VALUES (
+ 'Debian 8.0 i686'
+);
+
+INSERT INTO products (			/*  6 */
+  name
+) VALUES (
+ 'Debian 8.0 x86_64'
+);
+
+INSERT INTO products (			/*  7 */
+  name
+) VALUES (
+ 'Ubuntu 10.04 i686'
+);
+
+INSERT INTO products (			/*  8 */
+  name
+) VALUES (
+ 'Ubuntu 10.04 x86_64'
+);
+
+INSERT INTO products (			/*  9 */
+  name
+) VALUES (
+ 'Ubuntu 10.10 i686'
+);
+
+INSERT INTO products (			/* 10 */
+  name
+) VALUES (
+ 'Ubuntu 10.10 x86_64'
+);
+
+INSERT INTO products (			/* 11 */
+  name
+) VALUES (
+ 'Ubuntu 11.04 i686'
+);
+
+INSERT INTO products (			/* 12 */
+  name
+) VALUES (
+ 'Ubuntu 11.04 x86_64'
+);
+
+INSERT INTO products (			/* 13 */
+  name
+) VALUES (
+ 'Ubuntu 11.10 i686'
+);
+
+INSERT INTO products (			/* 14 */
+  name
+) VALUES (
+ 'Ubuntu 11.10 x86_64'
+);
+
+INSERT INTO products (			/* 15 */
+  name
+) VALUES (
+ 'Ubuntu 12.04 i686'
+);
+
+INSERT INTO products (			/* 16 */
+  name
+) VALUES (
+ 'Ubuntu 12.04 x86_64'
+);
+
+INSERT INTO products (			/* 17 */
+  name
+) VALUES (
+ 'Ubuntu 12.10 i686'
+);
+
+INSERT INTO products (			/* 18 */
+  name
+) VALUES (
+ 'Ubuntu 12.10 x86_64'
+);
+
+INSERT INTO products (			/* 19 */
+  name
+) VALUES (
+ 'Ubuntu 13.04 i686'
+);
+
+INSERT INTO products (			/* 20 */
+  name
+) VALUES (
+ 'Ubuntu 13.04 x86_64'
+);
+
+INSERT INTO products (			/* 21 */
+  name
+) VALUES (
+ 'Android 4.1.1'
+);
+
+INSERT INTO products (			/* 22 */
+  name
+) VALUES (
+ 'Android 4.2.1'
+);
+
+/* Directories */
+
+INSERT INTO directories (		/*  1 */
+  path
+) VALUES (
+ '/bin'
+);
+
+INSERT INTO directories (		/*  2 */
+  path
+) VALUES (
+ '/etc'
+);
+
+INSERT INTO directories (		/*  3 */
+  path
+) VALUES (
+ '/lib'
+);
+
+INSERT INTO directories (		/*  4 */
+  path
+) VALUES (
+ '/lib/i386-linux-gnu'
+);
+
+INSERT INTO directories (		/*  5 */
+  path
+) VALUES (
+ '/lib/x86_64-linux-gnu'
+);
+
+INSERT INTO directories (		/*  6 */
+  path
+) VALUES (
+ '/lib/xtables'
+);
+
+INSERT INTO directories (		/*  7 */
+  path
+) VALUES (
+ '/sbin'
+);
+
+INSERT INTO directories (		/*  8 */
+  path
+) VALUES (
+ '/usr/bin'
+);
+
+INSERT INTO directories (		/*  9 */
+  path
+) VALUES (
+ '/usr/lib'
+);
+
+INSERT INTO directories (		/* 10 */
+  path
+) VALUES (
+ '/usr/lib/i386-linux-gnu'
+);
+
+INSERT INTO directories (		/* 11 */
+  path
+) VALUES (
+ '/usr/lib/x86_64-linux-gnu'
+);
+
+INSERT INTO directories (		/* 12 */
+  path
+) VALUES (
+ '/usr/sbin'
+);
+
+INSERT INTO directories (		/* 13 */
+  path
+) VALUES (
+ '/system/bin'
+);
+
+INSERT INTO directories (		/* 14 */
+  path
+) VALUES (
+ '/system/lib'
+);
+
+/* Files */
+
+INSERT INTO files (				/*  1 */
+  name, dir
+) VALUES (
+ 'libcrypto.so.1.0.0', 5
+);
+
+INSERT INTO files (				/*  2 */
+  name, dir
+) VALUES (
+ 'libcrypto.so.1.0.0', 11
+);
+
+INSERT INTO files (				/*  3 */
+  name, dir
+) VALUES (
+ 'libssl.so.1.0.0', 5
+);
+
+INSERT INTO files (				/*  4 */
+  name, dir
+) VALUES (
+ 'libssl.so.1.0.0', 11
+);
+
+INSERT INTO files (				/*  5 */
+  name, dir
+) VALUES (
+  'openssl', 8
+);
+
+INSERT INTO files (				/*  6 */
+  name, dir
+) VALUES (
+  'tnc_config', 2
+);
+
+/* Algorithms */
+
+INSERT INTO algorithms (
+  id, name
+) VALUES (
+  65536, 'SHA1-IMA' 
+);
+
+INSERT INTO algorithms (
+  id, name
+) VALUES (
+  32768, 'SHA1' 
+);
+
+INSERT INTO algorithms (
+  id, name
+) VALUES (
+  16384, 'SHA256' 
+);
+
+INSERT INTO algorithms (
+  id, name
+) VALUES (
+  8192, 'SHA384' 
+);
+
+/* File Hashes */
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  4, 2, 32768, X'6c6f8e12f6cbfba612e780374c4cdcd40f20968a' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  4, 2, 16384, X'dbcecd19d59310183cf5c31ddee29e8d7bec64d3f9583aad074330a1b3024b07' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  4, 2, 8192, X'197c5385e5853003188833d4f991136c1b0875fa416a60b1159f64e57e457b3184762c884a802a2bda194c058e3bd953' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  4, 4, 32768, X'3ad204f99eb7262efab79cfca02628870ea76361' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  4, 4, 16384, X'3a2170aad92fdd58b55e0e199822bc873cf587b2d1eb1ed7ed8dcea97ae86376' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  4, 4, 8192, X'f778076baa876b5e4b502494a3db081fb09dd870dee6991d54104a74b7e009c58fe261db5ffd13c11e08ef0cefcfa59f' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  4, 5, 32768, X'ecd9c7076cc0572724c7a67db7f19c2831e0445f' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  4, 5, 16384, X'28f3ea5afd34444c8232ea75003131e294a0c9b847de300e4b205d38c1a41305' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  4, 5, 8192, X'51921a8b9322f2d3f06d55002ff40a79da67e70cb563b2a50977642d603dfac2ccbb68b3d32a8bb350769b75d6254208' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  18, 1, 32768, X'd9309b9e45928239d7a7b18711e690792632cce4' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  18, 1, 16384, X'dbfa1856d278d8707c4989b30dd065b4bcd309908f0f2e6e66ff2aa83ff93f59' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  18, 1, 8192, X'fb8d027f03bb5ebb47741ed247eb9e174127b714d20229885feb37e0979aeb14a1b74020cded891d680441093625729c' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  18, 3, 32768, X'3715f2f94016a91fab5bbc503f0f1d43c5a9fc2b' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  18, 3, 16384, X'c03a5296b5decb87b01517f9927a8b2349dfb29ff9f5ba084f994c155ca5d4be' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  18, 3, 8192, X'b8bc345f56115235cc6091f61e312ce43ea54a5b99e7295002ae7b415fd35e06ec4c731ab70ad00d784bb53a318a2fa0' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  18, 5, 32768, X'e59602f4edf24c1b36199588886d06665d4adcd7' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  18, 5, 16384, X'090e1b77bda7fe665e498c6b5e09dbb7ddc5cfe57f213de48f4fb6736484f500' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  18, 5, 8192, X'7cbdb4612a13443dba910ecdef5161f2213e52c9b4a2eef14bcee5d287e9df931cd022e9e9715518ad9c9b6e3384a668' 
+);
+
+/* Packages */
+
+INSERT INTO packages (			/*  1 */
+  name
+) VALUES (
+ 'libssl-dev'
+);
+
+INSERT INTO packages (			/*  2 */
+  name
+) VALUES (
+ 'libssl1.0.0'
+);
+
+INSERT INTO packages (			/*  3 */
+  name
+) VALUES (
+ 'libssl1.0.0-dbg'
+);
+
+INSERT INTO packages (			/*  4 */
+  name
+) VALUES (
+ 'openssl'
+);
+
+/* Versions */
+
+INSERT INTO versions (
+  package, product, release, time
+) VALUES (
+  1, 4, '1.0.1e-2', 1366531494
+);
+
+INSERT INTO versions (
+  package, product, release, time
+) VALUES (
+  2, 4, '1.0.1e-2', 1366531494
+);
+
+INSERT INTO versions (
+  package, product, release, time
+) VALUES (
+  3, 4, '1.0.1e-2', 1366531494
+);
+
+INSERT INTO versions (
+  package, product, release, time
+) VALUES (
+  4, 4, '1.0.1e-2', 1366531494
+);
+
+/* Components */
+
+INSERT INTO components (
+  vendor_id, name, qualifier
+) VALUES (
+  36906, 1, 33  /* ITA TGRUB */
+);
+
+INSERT INTO components (
+  vendor_id, name, qualifier
+) VALUES (
+  36906, 2, 33  /* ITA TBOOT */
+);
+
+INSERT INTO components (
+  vendor_id, name, qualifier
+) VALUES (
+  36906, 3, 33  /* ITA IMA - Trusted Platform */
+);
+
+INSERT INTO components (
+  vendor_id, name, qualifier
+) VALUES (
+  36906, 3, 34  /* ITA IMA - Operating System */
+);
+
+/* Groups */
+
+INSERT INTO groups (			/*  1 */
+  name
+) VALUES (
+  'Default'
+);
+
+INSERT INTO groups (			/*  2 */
+  name, parent
+) VALUES (
+  'Linux', 1
+);
+
+INSERT INTO groups (			/*  3 */
+  name, parent
+) VALUES (
+  'Android', 1
+);
+
+INSERT INTO groups (			/*  4 */
+  name, parent
+) VALUES (
+  'Debian i686', 2
+);
+
+INSERT INTO groups (			/*  5 */
+  name, parent
+) VALUES (
+  'Debian x86_64', 2
+);
+
+INSERT INTO groups (			/*  6 */
+  name, parent
+) VALUES (
+  'Ubuntu i686', 2
+);
+
+INSERT INTO groups (			/*  7 */
+  name, parent
+) VALUES (
+  'Ubuntu x86_64', 2
+);
+
+INSERT INTO groups (			/*  8 */
+  name
+) VALUES (
+  'Reference'
+);
+
+INSERT INTO groups (			/*  9 */
+  name, parent
+) VALUES (
+  'Ref. Android', 8
+);
+
+INSERT INTO groups (			/* 10 */
+  name, parent
+) VALUES (
+  'Ref. Linux', 8
+);
+
+/* Default Product Groups */
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  4, 1
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  4, 3
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  4, 5
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  5, 2
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  5, 4
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  5, 6
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  6, 7
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  6, 9
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  6, 11
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  6, 13
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  6, 15
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  6, 17
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  6, 19
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  7, 8
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  7, 10
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  7, 12
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  7, 14
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  7, 16
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  7, 18
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  7, 20
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  3, 21
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  3, 22
+);
+
+/* Devices */
+
+INSERT INTO devices (                  /*  1 */
+  value, product, created  
+) VALUES (
+  'aabbccddeeff11223344556677889900', 4, 1372330615
+);
+
+/* Groups Members */
+
+INSERT INTO groups_members (
+  group_id, device_id
+) VALUES (
+  10, 1
+);
+
+/* Policies */
+
+INSERT INTO policies (			/*  1 */
+  type, name, rec_fail, rec_noresult
+) VALUES (
+  1, 'Installed Packages', 2, 2
+);
+
+INSERT INTO policies (			/*  2 */
+  type, name, rec_fail, rec_noresult
+) VALUES (
+  2, 'Unknown Source', 2, 2
+);
+
+INSERT INTO policies (			/*  3 */
+  type, name, rec_fail, rec_noresult
+) VALUES (
+  3, 'IP Forwarding Enabled',  1, 1
+);
+
+INSERT INTO policies (			/*  4 */
+  type, name, rec_fail, rec_noresult
+) VALUES (
+  4, 'Default Factory Password Enabled', 1, 1
+);
+
+INSERT INTO policies (			/*  5 */
+  type, name, file, rec_fail, rec_noresult
+) VALUES (
+  6, 'Measure /lib/x86_64-linux-gnu/libcrypto.so.1.0.0', 1, 2, 2
+);
+
+INSERT INTO policies (			/*  6 */
+  type, name, file, rec_fail, rec_noresult
+) VALUES (
+  6, 'Measure /lib/x86_64-linux-gnu/libssl.so.1.0.0', 3, 2, 2
+);
+
+INSERT INTO policies (			/*  7 */
+  type, name, file, rec_fail, rec_noresult
+) VALUES (
+  6, 'Measure /usr/bin/openssl', 5, 2, 2
+);
+
+INSERT INTO policies (			/*  8 */
+  type, name, rec_fail, rec_noresult
+) VALUES (
+  11, 'No Open TCP Ports', 1, 1
+);
+
+INSERT INTO policies (			/*  9 */
+  type, name, argument, rec_fail, rec_noresult
+) VALUES (
+  13, 'Open UDP Ports', '500 4500 10000-65000', 1, 1
+);
+
+INSERT INTO policies (			/* 10 */
+  type, name, file, rec_fail, rec_noresult
+) VALUES (
+  7, 'Metadata of /etc/tnc_config', 6, 0, 0
+);
+
+INSERT INTO policies (			/* 11 */
+  type, name, dir, rec_fail, rec_noresult
+) VALUES (
+  8, 'Get /bin', 1, 0, 0
+);
+
+INSERT INTO policies (			/*  12 */
+  type, name, file, rec_fail, rec_noresult
+) VALUES (
+  6, 'Measure /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0', 2, 2, 2
+);
+
+INSERT INTO policies (			/* 13 */
+  type, name, file, rec_fail, rec_noresult
+) VALUES (
+  6, 'Measure /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0', 4, 2, 2
+);
+
+INSERT INTO policies (			/* 14 */
+  type, name, dir, rec_fail, rec_noresult
+) VALUES (
+  8, 'Get /system/bin', 13, 0, 0
+);
+
+INSERT INTO policies (			/* 15 */
+  type, name, dir, rec_fail, rec_noresult
+) VALUES (
+  8, 'Get /system/lib', 14, 0, 0
+);
+
+INSERT INTO policies (                  /* 16 */
+  type, name, dir, rec_fail, rec_noresult
+) VALUES (
+  9, 'Measure /bin', 1, 2, 2
+);
+
+/* Enforcements */
+
+INSERT INTO enforcements (
+  policy, group_id, max_age
+) VALUES (
+  2, 3, 0
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age, rec_fail, rec_noresult
+) VALUES (
+  3, 2, 0, 2, 2
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age, rec_fail, rec_noresult
+) VALUES (
+  3, 10, 0, 2, 2
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age
+) VALUES (
+  5, 7, 86400
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age
+) VALUES (
+  6, 7, 86400
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age
+) VALUES (
+  7, 2, 86400
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age
+) VALUES (
+  8, 1, 60
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age
+) VALUES (
+  9, 1, 60
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age
+) VALUES (
+  10, 2, 60
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age
+) VALUES (
+  11, 10, 86400
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age
+) VALUES (
+  12, 5, 86400
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age
+) VALUES (
+  13, 5, 86400
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age
+) VALUES (
+  14, 9, 0
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age
+) VALUES (
+  15, 9, 0
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age
+) VALUES (
+  16, 2, 0
+);
diff --git a/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/strongswan.conf b/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/strongswan.conf
new file mode 100644
index 000000000..23f840f69
--- /dev/null
+++ b/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/strongswan.conf
@@ -0,0 +1,13 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+libimcv {
+  load = random nonce openssl pubkey sqlite
+  debug_level = 3 
+  database = sqlite:///etc/pts/config.db
+  policy_script = ipsec imv_policy_manager
+  assessment_result = no
+}
+
+attest {
+  database = sqlite:///etc/pts/config.db
+}
diff --git a/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/tnc/log4cxx.properties b/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/tnc/log4cxx.properties
new file mode 100644
index 000000000..2bdc6e4de
--- /dev/null
+++ b/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/tnc/log4cxx.properties
@@ -0,0 +1,15 @@
+# Set root logger level to DEBUG and its appenders to A1 and A2.
+log4j.rootLogger=DEBUG, A1, A2
+
+# A1 is set to be a ConsoleAppender.
+log4j.appender.A1=org.apache.log4j.ConsoleAppender
+log4j.appender.A1.layout=org.apache.log4j.PatternLayout
+log4j.appender.A1.layout.ConversionPattern=[FHH] %m%n
+
+# A2 is set to be a SyslogAppender
+log4j.appender.A2=org.apache.log4j.net.SyslogAppender
+log4j.appender.A2.Facility=DAEMON
+log4j.appender.A2.SyslogHost=localhost
+log4j.appender.A2.Threshold=DEBUG
+log4j.appender.A2.layout=org.apache.log4j.PatternLayout
+log4j.appender.A2.layout.ConversionPattern=[FHH] %m%n
diff --git a/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/tnc_config b/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/tnc_config
new file mode 100644
index 000000000..b5ac8c178
--- /dev/null
+++ b/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/tnc_config
@@ -0,0 +1,4 @@
+#IMV configuration file for strongSwan client 
+
+IMV "OS" /usr/local/lib/ipsec/imcvs/imv-os.so
+IMV "Attestation" /usr/local/lib/ipsec/imcvs/imv-attestation.so
diff --git a/testing/tests/tnc/tnccs-11-radius-pts/hosts/carol/etc/ipsec.conf b/testing/tests/tnc/tnccs-11-radius-pts/hosts/carol/etc/ipsec.conf
new file mode 100644
index 000000000..e9152e0d8
--- /dev/null
+++ b/testing/tests/tnc/tnccs-11-radius-pts/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	charondebug="tnc 3, imc 3"
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn home
+	left=PH_IP_CAROL
+	leftid=carol@strongswan.org
+	leftauth=eap
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+	rightsubnet=10.1.0.0/16
+	rightauth=pubkey
+	aaa_identity="C=CH, O=Linux strongSwan, CN=aaa.strongswan.org"
+	auto=add
diff --git a/testing/tests/tnc/tnccs-11-radius-pts/hosts/carol/etc/ipsec.secrets b/testing/tests/tnc/tnccs-11-radius-pts/hosts/carol/etc/ipsec.secrets
new file mode 100644
index 000000000..74942afda
--- /dev/null
+++ b/testing/tests/tnc/tnccs-11-radius-pts/hosts/carol/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+carol@strongswan.org : EAP "Ar3etTnp"
diff --git a/testing/tests/tnc/tnccs-11-radius-pts/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-11-radius-pts/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..56c6b9f57
--- /dev/null
+++ b/testing/tests/tnc/tnccs-11-radius-pts/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,14 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl openssl pem pkcs1 random nonce revocation stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown
+  multiple_authentication=no
+}
+
+libimcv {
+  plugins {
+    imc-test {
+      command = allow
+    }
+  }
+}
diff --git a/testing/tests/tnc/tnccs-11-radius-pts/hosts/carol/etc/tnc_config b/testing/tests/tnc/tnccs-11-radius-pts/hosts/carol/etc/tnc_config
new file mode 100644
index 000000000..15dc93a0a
--- /dev/null
+++ b/testing/tests/tnc/tnccs-11-radius-pts/hosts/carol/etc/tnc_config
@@ -0,0 +1,4 @@
+#IMC configuration file for strongSwan client 
+
+IMC "OS"          /usr/local/lib/ipsec/imcvs/imc-os.so
+IMC "Attestation" /usr/local/lib/ipsec/imcvs/imc-attestation.so
diff --git a/testing/tests/tnc/tnccs-11-radius-pts/hosts/dave/etc/ipsec.conf b/testing/tests/tnc/tnccs-11-radius-pts/hosts/dave/etc/ipsec.conf
new file mode 100644
index 000000000..25589bcf1
--- /dev/null
+++ b/testing/tests/tnc/tnccs-11-radius-pts/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	charondebug="tnc 3, imc 3"
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn home
+	left=PH_IP_DAVE
+	leftid=dave@strongswan.org
+	leftauth=eap
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+	rightsubnet=10.1.0.0/16
+	rightauth=pubkey
+	aaa_identity="C=CH, O=Linux strongSwan, CN=aaa.strongswan.org"
+	auto=add
diff --git a/testing/tests/tnc/tnccs-11-radius-pts/hosts/dave/etc/ipsec.secrets b/testing/tests/tnc/tnccs-11-radius-pts/hosts/dave/etc/ipsec.secrets
new file mode 100644
index 000000000..5496df7ad
--- /dev/null
+++ b/testing/tests/tnc/tnccs-11-radius-pts/hosts/dave/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+dave@strongswan.org : EAP "W7R0g3do"
diff --git a/testing/tests/tnc/tnccs-11-radius-pts/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-11-radius-pts/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..145ad9d2d
--- /dev/null
+++ b/testing/tests/tnc/tnccs-11-radius-pts/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,17 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl openssl pem pkcs1 random nonce revocation stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown
+  multiple_authentication=no
+}
+
+libimcv {
+  plugins {
+    imc-test {
+      command = allow
+    }
+    imc-scanner {
+      push_info = no
+    }
+  }
+}
diff --git a/testing/tests/tnc/tnccs-11-radius-pts/hosts/dave/etc/tnc_config b/testing/tests/tnc/tnccs-11-radius-pts/hosts/dave/etc/tnc_config
new file mode 100644
index 000000000..15dc93a0a
--- /dev/null
+++ b/testing/tests/tnc/tnccs-11-radius-pts/hosts/dave/etc/tnc_config
@@ -0,0 +1,4 @@
+#IMC configuration file for strongSwan client 
+
+IMC "OS"          /usr/local/lib/ipsec/imcvs/imc-os.so
+IMC "Attestation" /usr/local/lib/ipsec/imcvs/imc-attestation.so
diff --git a/testing/tests/tnc/tnccs-11-radius-pts/hosts/moon/etc/ipsec.conf b/testing/tests/tnc/tnccs-11-radius-pts/hosts/moon/etc/ipsec.conf
new file mode 100644
index 000000000..294964fe7
--- /dev/null
+++ b/testing/tests/tnc/tnccs-11-radius-pts/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,33 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn rw-allow
+	rightgroups=allow
+	leftsubnet=10.1.0.0/28
+	also=rw-eap
+	auto=add
+
+conn rw-isolate
+	rightgroups=isolate
+	leftsubnet=10.1.0.16/28
+	also=rw-eap
+	auto=add
+
+conn rw-eap
+	left=PH_IP_MOON
+	leftcert=moonCert.pem
+	leftid=@moon.strongswan.org
+	leftauth=pubkey
+	leftfirewall=yes
+	rightauth=eap-radius
+	rightid=*@strongswan.org
+	rightsendcert=never
+	right=%any
diff --git a/testing/tests/tnc/tnccs-11-radius-pts/hosts/moon/etc/ipsec.secrets b/testing/tests/tnc/tnccs-11-radius-pts/hosts/moon/etc/ipsec.secrets
new file mode 100644
index 000000000..e86d6aa5c
--- /dev/null
+++ b/testing/tests/tnc/tnccs-11-radius-pts/hosts/moon/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: RSA moonKey.pem
diff --git a/testing/tests/tnc/tnccs-11-radius-pts/hosts/moon/etc/iptables.rules b/testing/tests/tnc/tnccs-11-radius-pts/hosts/moon/etc/iptables.rules
new file mode 100644
index 000000000..1eb755354
--- /dev/null
+++ b/testing/tests/tnc/tnccs-11-radius-pts/hosts/moon/etc/iptables.rules
@@ -0,0 +1,32 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow esp
+-A INPUT  -i eth0 -p 50 -j ACCEPT
+-A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+# allow IKE
+-A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT  -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+# allow RADIUS protocol with alice
+-A INPUT  -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT
+-A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/tnc/tnccs-11-radius-pts/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-11-radius-pts/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..390c42ccf
--- /dev/null
+++ b/testing/tests/tnc/tnccs-11-radius-pts/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,13 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-radius updown
+  multiple_authentication=no
+  plugins {
+    eap-radius {
+      secret = gv6URkSs 
+      server = PH_IP_ALICE
+      filter_id = yes
+    }
+  }
+}
diff --git a/testing/tests/tnc/tnccs-11-radius-pts/posttest.dat b/testing/tests/tnc/tnccs-11-radius-pts/posttest.dat
new file mode 100644
index 000000000..dc8507d26
--- /dev/null
+++ b/testing/tests/tnc/tnccs-11-radius-pts/posttest.dat
@@ -0,0 +1,10 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+alice::killall radiusd
+alice::rm /etc/freeradius/sites-enabled/inner-tunnel-second
+alice::rm /etc/pts/config.db
+carol::echo 1 > /proc/sys/net/ipv4/ip_forward
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/tnc/tnccs-11-radius-pts/pretest.dat b/testing/tests/tnc/tnccs-11-radius-pts/pretest.dat
new file mode 100644
index 000000000..5f94f8dbb
--- /dev/null
+++ b/testing/tests/tnc/tnccs-11-radius-pts/pretest.dat
@@ -0,0 +1,21 @@
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
+carol::echo 0 > /proc/sys/net/ipv4/ip_forward
+dave::echo aabbccddeeff11223344556677889900 > /var/lib/dbus/machine-id
+alice::ln -s /etc/freeradius/sites-available/inner-tunnel-second /etc/freeradius/sites-enabled/inner-tunnel-second
+alice::cat /etc/freeradius/sites-enabled/inner-tunnel-second
+alice::cd /etc/pts; cat tables.sql data.sql | sqlite3 config.db
+alice::LEAK_DETECTIVE_DISABLE=1 LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.properties radiusd
+alice::cat /etc/tnc_config
+carol::cat /etc/tnc_config
+dave::cat /etc/tnc_config
+moon::ipsec start
+dave::ipsec start
+carol::ipsec start
+dave::sleep 1
+dave::ipsec up home
+carol::ipsec up home
+carol::sleep 1
+alice::ipsec attest --sessions
+alice::ipsec attest --devices
diff --git a/testing/tests/tnc/tnccs-11-radius-pts/test.conf b/testing/tests/tnc/tnccs-11-radius-pts/test.conf
new file mode 100644
index 000000000..f23a19329
--- /dev/null
+++ b/testing/tests/tnc/tnccs-11-radius-pts/test.conf
@@ -0,0 +1,26 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice venus moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-v-m-c-w-d.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
+
+# Guest instances on which FreeRadius is started
+#
+RADIUSHOSTS="alice"
+
diff --git a/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/strongswan.conf b/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/strongswan.conf
index 3d7f6c6a4..45050f7e1 100644
--- a/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/strongswan.conf
@@ -7,10 +7,5 @@ libimcv {
     imv-test {
       rounds = 1 
     }
-    imv-scanner {
-      closed_port_policy = yes
-      tcp_ports = 22
-      udp_ports = 500 4500
-    }
   }
 }
diff --git a/testing/tests/tnc/tnccs-11-radius/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-11-radius/hosts/dave/etc/strongswan.conf
index 06b920126..5dbee558f 100644
--- a/testing/tests/tnc/tnccs-11-radius/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-11-radius/hosts/dave/etc/strongswan.conf
@@ -10,5 +10,8 @@ libimcv {
     imc-test {
       command = isolate
     }
+    imc-scanner {
+      push_info = no
+    }
   }
 }
diff --git a/testing/tests/tnc/tnccs-11/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-11/hosts/dave/etc/strongswan.conf
index 06b920126..5dbee558f 100644
--- a/testing/tests/tnc/tnccs-11/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-11/hosts/dave/etc/strongswan.conf
@@ -10,5 +10,8 @@ libimcv {
     imc-test {
       command = isolate
     }
+    imc-scanner {
+      push_info = no
+    }
   }
 }
diff --git a/testing/tests/tnc/tnccs-11/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-11/hosts/moon/etc/strongswan.conf
index 14865e3e2..2fe4cf001 100644
--- a/testing/tests/tnc/tnccs-11/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-11/hosts/moon/etc/strongswan.conf
@@ -17,10 +17,5 @@ libimcv {
     imv-test {
       rounds = 1
     }
-    imv-scanner {
-      closed_port_policy = yes
-      tcp_ports = 22
-      udp_ports = 500 4500
-    }
   }
 }
diff --git a/testing/tests/tnc/tnccs-20-block/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-block/hosts/dave/etc/strongswan.conf
index 9522fd2b9..70a1b07e6 100644
--- a/testing/tests/tnc/tnccs-20-block/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-20-block/hosts/dave/etc/strongswan.conf
@@ -12,3 +12,11 @@ charon {
     }
   }
 }
+
+libimcv {
+  plugins {
+    imc-scanner {
+      push_info = no
+    }
+  }
+}
diff --git a/testing/tests/tnc/tnccs-20-client-retry/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-client-retry/hosts/dave/etc/strongswan.conf
index 3435344b7..996169add 100644
--- a/testing/tests/tnc/tnccs-20-client-retry/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-20-client-retry/hosts/dave/etc/strongswan.conf
@@ -19,5 +19,8 @@ libimcv {
       command = isolate
       retry = yes
     }
+    imc-scanner {
+      push_info = no
+    }
   }
 }
diff --git a/testing/tests/tnc/tnccs-20-os/description.txt b/testing/tests/tnc/tnccs-20-os/description.txt
index b5d12fc8c..f660a0b63 100644
--- a/testing/tests/tnc/tnccs-20-os/description.txt
+++ b/testing/tests/tnc/tnccs-20-os/description.txt
@@ -9,12 +9,13 @@ exchange PA-TNC attributes.
 <p>
 <b>carol</b> sends information on her operating system consisting of the PA-TNC attributes
 <em>Product Information</em>, <em>String Version</em>, <em>Numeric Version</em>,
-<em>Operational Status</em>, <em>Forwarding Enabled</em>, and
-<em>Factory Default Password Enabled</em> up-front, whereas <b>dave</b> must be prompted
-by the IMV to do so via an <em>Attribute Request</em> PA-TNC attribute. <b>carol</b> is
-then prompted to send a list of installed packages using the <em>Installed Packages</em>
-PA-TNC attribute whereas <b>dave</b>'s "Windows 1.2.3" operating system is not supported
-and thus <b>dave</b> receives a <em>Remediation Instructions</em> PA-TNC attribute.
+<em>Operational Status</em>, <em>Forwarding Enabled</em>, <em>Factory Default Password Enabled</em>
+and <em>Device ID> up-front, whereas <b>dave</b> must be prompted by the IMV to do so via an
+<em>Attribute Request</em> PA-TNC attribute. <b>carol</b> is then prompted to send a list of
+installed packages using the <em>Installed Packages</em> PA-TNC attribute. Since <b>dave</b>
+successfully connected to the VPN gateway shortly before, no new list of installed packages is
+requested again but because IP forwarding is enabled <b>dave</b> receives a corresponding
+<em>Remediation Instructions</em> PA-TNC attribute.
 <p>
 <b>carol</b> passes the health test and <b>dave</b> fails. Based on these assessments
 which are communicated to the IMCs using the <em>Assessment Result</em> PA-TNC attribute,
diff --git a/testing/tests/tnc/tnccs-20-os/evaltest.dat b/testing/tests/tnc/tnccs-20-os/evaltest.dat
index c780c4a48..0d3f55b45 100644
--- a/testing/tests/tnc/tnccs-20-os/evaltest.dat
+++ b/testing/tests/tnc/tnccs-20-os/evaltest.dat
@@ -6,10 +6,10 @@ dave:: cat /var/log/daemon.log::PB-TNC access recommendation is 'Quarantined'::Y
 dave:: cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
 dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
 dave:: cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES
-moon:: ipsec attest --devices 2> /dev/null::Debian 7.0 x86_64.*carol@strongswan.org::YES
+moon:: ipsec attest --sessions 2> /dev/null::Debian 7.0 x86_64.*carol@strongswan.org - allow::YES
 moon:: cat /var/log/daemon.log::added group membership 'allow'::YES
 moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
-moon:: ipsec attest --devices 2> /dev/null::Windows 1.2.3.*dave@strongswan.org::YES
+moon:: ipsec attest --sessions 2> /dev/null::Debian 7.0 x86_64.*dave@strongswan.org - isolate::YES
 moon:: cat /var/log/daemon.log::added group membership 'isolate'::YES
 moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES
 moon:: ipsec statusall 2> /dev/null::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES
diff --git a/testing/tests/tnc/tnccs-20-os/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-os/hosts/dave/etc/strongswan.conf
index 149f51d65..49f778f5b 100644
--- a/testing/tests/tnc/tnccs-20-os/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-20-os/hosts/dave/etc/strongswan.conf
@@ -14,10 +14,6 @@ charon {
 }
 
 libimcv {
-  os_info {
-    name = Windows
-    version = 1.2.3
-  }
   plugins {
     imc-os {
       push_info = no
diff --git a/testing/tests/tnc/tnccs-20-os/hosts/moon/etc/pts/data.sql b/testing/tests/tnc/tnccs-20-os/hosts/moon/etc/pts/data.sql
new file mode 100644
index 000000000..d17aac15e
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-os/hosts/moon/etc/pts/data.sql
@@ -0,0 +1,892 @@
+/* Products */
+
+INSERT INTO products (			/*  1 */
+  name
+) VALUES (
+ 'Debian 6.0 i686'
+);
+
+INSERT INTO products (			/*  2 */
+  name
+) VALUES (
+ 'Debian 6.0 x86_64'
+);
+
+INSERT INTO products (			/*  3 */
+  name
+) VALUES (
+ 'Debian 7.0 i686'
+);
+
+INSERT INTO products (			/*  4 */
+  name
+) VALUES (
+ 'Debian 7.0 x86_64'
+);
+
+INSERT INTO products (			/*  5 */
+  name
+) VALUES (
+ 'Debian 8.0 i686'
+);
+
+INSERT INTO products (			/*  6 */
+  name
+) VALUES (
+ 'Debian 8.0 x86_64'
+);
+
+INSERT INTO products (			/*  7 */
+  name
+) VALUES (
+ 'Ubuntu 10.04 i686'
+);
+
+INSERT INTO products (			/*  8 */
+  name
+) VALUES (
+ 'Ubuntu 10.04 x86_64'
+);
+
+INSERT INTO products (			/*  9 */
+  name
+) VALUES (
+ 'Ubuntu 10.10 i686'
+);
+
+INSERT INTO products (			/* 10 */
+  name
+) VALUES (
+ 'Ubuntu 10.10 x86_64'
+);
+
+INSERT INTO products (			/* 11 */
+  name
+) VALUES (
+ 'Ubuntu 11.04 i686'
+);
+
+INSERT INTO products (			/* 12 */
+  name
+) VALUES (
+ 'Ubuntu 11.04 x86_64'
+);
+
+INSERT INTO products (			/* 13 */
+  name
+) VALUES (
+ 'Ubuntu 11.10 i686'
+);
+
+INSERT INTO products (			/* 14 */
+  name
+) VALUES (
+ 'Ubuntu 11.10 x86_64'
+);
+
+INSERT INTO products (			/* 15 */
+  name
+) VALUES (
+ 'Ubuntu 12.04 i686'
+);
+
+INSERT INTO products (			/* 16 */
+  name
+) VALUES (
+ 'Ubuntu 12.04 x86_64'
+);
+
+INSERT INTO products (			/* 17 */
+  name
+) VALUES (
+ 'Ubuntu 12.10 i686'
+);
+
+INSERT INTO products (			/* 18 */
+  name
+) VALUES (
+ 'Ubuntu 12.10 x86_64'
+);
+
+INSERT INTO products (			/* 19 */
+  name
+) VALUES (
+ 'Ubuntu 13.04 i686'
+);
+
+INSERT INTO products (			/* 20 */
+  name
+) VALUES (
+ 'Ubuntu 13.04 x86_64'
+);
+
+INSERT INTO products (			/* 21 */
+  name
+) VALUES (
+ 'Android 4.1.1'
+);
+
+INSERT INTO products (			/* 22 */
+  name
+) VALUES (
+ 'Android 4.2.1'
+);
+
+/* Directories */
+
+INSERT INTO directories (		/*  1 */
+  path
+) VALUES (
+ '/bin'
+);
+
+INSERT INTO directories (		/*  2 */
+  path
+) VALUES (
+ '/etc'
+);
+
+INSERT INTO directories (		/*  3 */
+  path
+) VALUES (
+ '/lib'
+);
+
+INSERT INTO directories (		/*  4 */
+  path
+) VALUES (
+ '/lib/i386-linux-gnu'
+);
+
+INSERT INTO directories (		/*  5 */
+  path
+) VALUES (
+ '/lib/x86_64-linux-gnu'
+);
+
+INSERT INTO directories (		/*  6 */
+  path
+) VALUES (
+ '/lib/xtables'
+);
+
+INSERT INTO directories (		/*  7 */
+  path
+) VALUES (
+ '/sbin'
+);
+
+INSERT INTO directories (		/*  8 */
+  path
+) VALUES (
+ '/usr/bin'
+);
+
+INSERT INTO directories (		/*  9 */
+  path
+) VALUES (
+ '/usr/lib'
+);
+
+INSERT INTO directories (		/* 10 */
+  path
+) VALUES (
+ '/usr/lib/i386-linux-gnu'
+);
+
+INSERT INTO directories (		/* 11 */
+  path
+) VALUES (
+ '/usr/lib/x86_64-linux-gnu'
+);
+
+INSERT INTO directories (		/* 12 */
+  path
+) VALUES (
+ '/usr/sbin'
+);
+
+INSERT INTO directories (		/* 13 */
+  path
+) VALUES (
+ '/system/bin'
+);
+
+INSERT INTO directories (		/* 14 */
+  path
+) VALUES (
+ '/system/lib'
+);
+
+/* Files */
+
+INSERT INTO files (				/*  1 */
+  name, dir
+) VALUES (
+ 'libcrypto.so.1.0.0', 5
+);
+
+INSERT INTO files (				/*  2 */
+  name, dir
+) VALUES (
+ 'libcrypto.so.1.0.0', 11
+);
+
+INSERT INTO files (				/*  3 */
+  name, dir
+) VALUES (
+ 'libssl.so.1.0.0', 5
+);
+
+INSERT INTO files (				/*  4 */
+  name, dir
+) VALUES (
+ 'libssl.so.1.0.0', 11
+);
+
+INSERT INTO files (				/*  5 */
+  name, dir
+) VALUES (
+  'openssl', 8
+);
+
+INSERT INTO files (				/*  6 */
+  name, dir
+) VALUES (
+  'tnc_config', 2
+);
+
+/* Algorithms */
+
+INSERT INTO algorithms (
+  id, name
+) VALUES (
+  65536, 'SHA1-IMA' 
+);
+
+INSERT INTO algorithms (
+  id, name
+) VALUES (
+  32768, 'SHA1' 
+);
+
+INSERT INTO algorithms (
+  id, name
+) VALUES (
+  16384, 'SHA256' 
+);
+
+INSERT INTO algorithms (
+  id, name
+) VALUES (
+  8192, 'SHA384' 
+);
+
+/* File Hashes */
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  4, 2, 32768, X'6c6f8e12f6cbfba612e780374c4cdcd40f20968a' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  4, 2, 16384, X'dbcecd19d59310183cf5c31ddee29e8d7bec64d3f9583aad074330a1b3024b07' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  4, 2, 8192, X'197c5385e5853003188833d4f991136c1b0875fa416a60b1159f64e57e457b3184762c884a802a2bda194c058e3bd953' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  4, 4, 32768, X'3ad204f99eb7262efab79cfca02628870ea76361' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  4, 4, 16384, X'3a2170aad92fdd58b55e0e199822bc873cf587b2d1eb1ed7ed8dcea97ae86376' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  4, 4, 8192, X'f778076baa876b5e4b502494a3db081fb09dd870dee6991d54104a74b7e009c58fe261db5ffd13c11e08ef0cefcfa59f' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  4, 5, 32768, X'ecd9c7076cc0572724c7a67db7f19c2831e0445f' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  4, 5, 16384, X'28f3ea5afd34444c8232ea75003131e294a0c9b847de300e4b205d38c1a41305' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  4, 5, 8192, X'51921a8b9322f2d3f06d55002ff40a79da67e70cb563b2a50977642d603dfac2ccbb68b3d32a8bb350769b75d6254208' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  18, 1, 32768, X'd9309b9e45928239d7a7b18711e690792632cce4' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  18, 1, 16384, X'dbfa1856d278d8707c4989b30dd065b4bcd309908f0f2e6e66ff2aa83ff93f59' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  18, 1, 8192, X'fb8d027f03bb5ebb47741ed247eb9e174127b714d20229885feb37e0979aeb14a1b74020cded891d680441093625729c' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  18, 3, 32768, X'3715f2f94016a91fab5bbc503f0f1d43c5a9fc2b' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  18, 3, 16384, X'c03a5296b5decb87b01517f9927a8b2349dfb29ff9f5ba084f994c155ca5d4be' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  18, 3, 8192, X'b8bc345f56115235cc6091f61e312ce43ea54a5b99e7295002ae7b415fd35e06ec4c731ab70ad00d784bb53a318a2fa0' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  18, 5, 32768, X'e59602f4edf24c1b36199588886d06665d4adcd7' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  18, 5, 16384, X'090e1b77bda7fe665e498c6b5e09dbb7ddc5cfe57f213de48f4fb6736484f500' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  18, 5, 8192, X'7cbdb4612a13443dba910ecdef5161f2213e52c9b4a2eef14bcee5d287e9df931cd022e9e9715518ad9c9b6e3384a668' 
+);
+
+/* Packages */
+
+INSERT INTO packages (			/*  1 */
+  name
+) VALUES (
+ 'libssl-dev'
+);
+
+INSERT INTO packages (			/*  2 */
+  name
+) VALUES (
+ 'libssl1.0.0'
+);
+
+INSERT INTO packages (			/*  3 */
+  name
+) VALUES (
+ 'libssl1.0.0-dbg'
+);
+
+INSERT INTO packages (			/*  4 */
+  name
+) VALUES (
+ 'openssl'
+);
+
+/* Versions */
+
+INSERT INTO versions (
+  package, product, release, time
+) VALUES (
+  1, 4, '1.0.1e-2', 1366531494
+);
+
+INSERT INTO versions (
+  package, product, release, time
+) VALUES (
+  2, 4, '1.0.1e-2', 1366531494
+);
+
+INSERT INTO versions (
+  package, product, release, time
+) VALUES (
+  3, 4, '1.0.1e-2', 1366531494
+);
+
+INSERT INTO versions (
+  package, product, release, time
+) VALUES (
+  4, 4, '1.0.1e-2', 1366531494
+);
+
+/* Components */
+
+INSERT INTO components (
+  vendor_id, name, qualifier
+) VALUES (
+  36906, 1, 33  /* ITA TGRUB */
+);
+
+INSERT INTO components (
+  vendor_id, name, qualifier
+) VALUES (
+  36906, 2, 33  /* ITA TBOOT */
+);
+
+INSERT INTO components (
+  vendor_id, name, qualifier
+) VALUES (
+  36906, 3, 33  /* ITA IMA - Trusted Platform */
+);
+
+INSERT INTO components (
+  vendor_id, name, qualifier
+) VALUES (
+  36906, 3, 34  /* ITA IMA - Operating System */
+);
+
+/* Groups */
+
+INSERT INTO groups (			/*  1 */
+  name
+) VALUES (
+  'Default'
+);
+
+INSERT INTO groups (			/*  2 */
+  name, parent
+) VALUES (
+  'Linux', 1
+);
+
+INSERT INTO groups (			/*  3 */
+  name, parent
+) VALUES (
+  'Android', 1
+);
+
+INSERT INTO groups (			/*  4 */
+  name, parent
+) VALUES (
+  'Debian i686', 2
+);
+
+INSERT INTO groups (			/*  5 */
+  name, parent
+) VALUES (
+  'Debian x86_64', 2
+);
+
+INSERT INTO groups (			/*  6 */
+  name, parent
+) VALUES (
+  'Ubuntu i686', 2
+);
+
+INSERT INTO groups (			/*  7 */
+  name, parent
+) VALUES (
+  'Ubuntu x86_64', 2
+);
+
+INSERT INTO groups (			/*  8 */
+  name
+) VALUES (
+  'Reference'
+);
+
+INSERT INTO groups (			/*  9 */
+  name, parent
+) VALUES (
+  'Ref. Android', 8
+);
+
+INSERT INTO groups (			/* 10 */
+  name, parent
+) VALUES (
+  'Ref. Linux', 8
+);
+
+/* Default Product Groups */
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  4, 1
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  4, 3
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  4, 5
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  5, 2
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  5, 4
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  5, 6
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  6, 7
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  6, 9
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  6, 11
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  6, 13
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  6, 15
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  6, 17
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  6, 19
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  7, 8
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  7, 10
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  7, 12
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  7, 14
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  7, 16
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  7, 18
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  7, 20
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  3, 21
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  3, 22
+);
+
+/* Devices */
+
+INSERT INTO devices (                  /*  1 */
+  value, product, created  
+) VALUES (
+  'aabbccddeeff11223344556677889900', 4, 1372330615
+);
+
+/* Groups Members */
+
+INSERT INTO groups_members (
+  group_id, device_id
+) VALUES (
+  5, 1
+);
+
+/* Identities */
+
+INSERT INTO identities (
+  type, value
+) VALUES ( /* dave@strongswan.org */
+  4, X'64617665407374726f6e677377616e2e6f7267'
+);
+
+/* Sessions */
+
+INSERT INTO sessions (
+  time, connection, identity, device, product, rec
+) VALUES (
+  NOW, 1, 1, 1, 4, 0
+);
+
+/* Results */
+
+INSERT INTO results (
+  session, policy, rec, result
+) VALUES (
+  1, 1, 0, 'processed 355 packages: 0 not updated, 0 blacklisted, 4 ok, 351 not found'
+);
+
+/* Policies */
+
+INSERT INTO policies (			/*  1 */
+  type, name, rec_fail, rec_noresult
+) VALUES (
+  1, 'Installed Packages', 2, 2
+);
+
+INSERT INTO policies (			/*  2 */
+  type, name, rec_fail, rec_noresult
+) VALUES (
+  2, 'Unknown Source', 2, 2
+);
+
+INSERT INTO policies (			/*  3 */
+  type, name, rec_fail, rec_noresult
+) VALUES (
+  3, 'IP Forwarding Enabled',  1, 1
+);
+
+INSERT INTO policies (			/*  4 */
+  type, name, rec_fail, rec_noresult
+) VALUES (
+  4, 'Default Factory Password Enabled', 1, 1
+);
+
+INSERT INTO policies (			/*  5 */
+  type, name, file, rec_fail, rec_noresult
+) VALUES (
+  6, 'Measure /lib/x86_64-linux-gnu/libcrypto.so.1.0.0', 1, 2, 2
+);
+
+INSERT INTO policies (			/*  6 */
+  type, name, file, rec_fail, rec_noresult
+) VALUES (
+  6, 'Measure /lib/x86_64-linux-gnu/libssl.so.1.0.0', 3, 2, 2
+);
+
+INSERT INTO policies (			/*  7 */
+  type, name, file, rec_fail, rec_noresult
+) VALUES (
+  6, 'Measure /usr/bin/openssl', 5, 2, 2
+);
+
+INSERT INTO policies (			/*  8 */
+  type, name, rec_fail, rec_noresult
+) VALUES (
+  11, 'No Open TCP Ports', 1, 1
+);
+
+INSERT INTO policies (			/*  9 */
+  type, name, argument, rec_fail, rec_noresult
+) VALUES (
+  13, 'Open UDP Ports', '500 4500 10000-65000', 1, 1
+);
+
+INSERT INTO policies (			/* 10 */
+  type, name, file, rec_fail, rec_noresult
+) VALUES (
+  7, 'Metadata of /etc/tnc_config', 6, 0, 0
+);
+
+INSERT INTO policies (			/* 11 */
+  type, name, dir, rec_fail, rec_noresult
+) VALUES (
+  8, 'Get /bin', 1, 0, 0
+);
+
+INSERT INTO policies (			/*  12 */
+  type, name, file, rec_fail, rec_noresult
+) VALUES (
+  6, 'Measure /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0', 2, 2, 2
+);
+
+INSERT INTO policies (			/* 13 */
+  type, name, file, rec_fail, rec_noresult
+) VALUES (
+  6, 'Measure /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0', 4, 2, 2
+);
+
+INSERT INTO policies (			/* 14 */
+  type, name, dir, rec_fail, rec_noresult
+) VALUES (
+  8, 'Get /system/bin', 13, 0, 0
+);
+
+INSERT INTO policies (			/* 15 */
+  type, name, dir, rec_fail, rec_noresult
+) VALUES (
+  8, 'Get /system/lib', 14, 0, 0
+);
+
+INSERT INTO policies (                  /* 16 */
+  type, name, dir, rec_fail, rec_noresult
+) VALUES (
+  9, 'Measure /bin', 1, 2, 2
+);
+
+/* Enforcements */
+
+INSERT INTO enforcements (
+  policy, group_id, max_age
+) VALUES (
+  1, 1, 86400
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age
+) VALUES (
+  2, 3, 0
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age, rec_fail, rec_noresult
+) VALUES (
+  3, 2, 0, 2, 2
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age
+) VALUES (
+  5, 7, 86400
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age
+) VALUES (
+  6, 7, 86400
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age
+) VALUES (
+  7, 2, 86400
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age
+) VALUES (
+  8, 1, 60
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age
+) VALUES (
+  9, 1, 60
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age
+) VALUES (
+  10, 2, 60
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age
+) VALUES (
+  11, 10, 86400
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age
+) VALUES (
+  12, 5, 86400
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age
+) VALUES (
+  13, 5, 86400
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age
+) VALUES (
+  14, 9, 0
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age
+) VALUES (
+  15, 9, 0
+);
+
diff --git a/testing/tests/tnc/tnccs-20-os/hosts/moon/etc/pts/data.sql~ b/testing/tests/tnc/tnccs-20-os/hosts/moon/etc/pts/data.sql~
new file mode 100644
index 000000000..7373dd4b6
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-os/hosts/moon/etc/pts/data.sql~
@@ -0,0 +1,852 @@
+/* Products */
+
+INSERT INTO products (			/*  1 */
+  name
+) VALUES (
+ 'Debian 6.0 i686'
+);
+
+INSERT INTO products (			/*  2 */
+  name
+) VALUES (
+ 'Debian 6.0 x86_64'
+);
+
+INSERT INTO products (			/*  3 */
+  name
+) VALUES (
+ 'Debian 7.0 i686'
+);
+
+INSERT INTO products (			/*  4 */
+  name
+) VALUES (
+ 'Debian 7.0 x86_64'
+);
+
+INSERT INTO products (			/*  5 */
+  name
+) VALUES (
+ 'Debian 8.0 i686'
+);
+
+INSERT INTO products (			/*  6 */
+  name
+) VALUES (
+ 'Debian 8.0 x86_64'
+);
+
+INSERT INTO products (			/*  7 */
+  name
+) VALUES (
+ 'Ubuntu 10.04 i686'
+);
+
+INSERT INTO products (			/*  8 */
+  name
+) VALUES (
+ 'Ubuntu 10.04 x86_64'
+);
+
+INSERT INTO products (			/*  9 */
+  name
+) VALUES (
+ 'Ubuntu 10.10 i686'
+);
+
+INSERT INTO products (			/* 10 */
+  name
+) VALUES (
+ 'Ubuntu 10.10 x86_64'
+);
+
+INSERT INTO products (			/* 11 */
+  name
+) VALUES (
+ 'Ubuntu 11.04 i686'
+);
+
+INSERT INTO products (			/* 12 */
+  name
+) VALUES (
+ 'Ubuntu 11.04 x86_64'
+);
+
+INSERT INTO products (			/* 13 */
+  name
+) VALUES (
+ 'Ubuntu 11.10 i686'
+);
+
+INSERT INTO products (			/* 14 */
+  name
+) VALUES (
+ 'Ubuntu 11.10 x86_64'
+);
+
+INSERT INTO products (			/* 15 */
+  name
+) VALUES (
+ 'Ubuntu 12.04 i686'
+);
+
+INSERT INTO products (			/* 16 */
+  name
+) VALUES (
+ 'Ubuntu 12.04 x86_64'
+);
+
+INSERT INTO products (			/* 17 */
+  name
+) VALUES (
+ 'Ubuntu 12.10 i686'
+);
+
+INSERT INTO products (			/* 18 */
+  name
+) VALUES (
+ 'Ubuntu 12.10 x86_64'
+);
+
+INSERT INTO products (			/* 19 */
+  name
+) VALUES (
+ 'Ubuntu 13.04 i686'
+);
+
+INSERT INTO products (			/* 20 */
+  name
+) VALUES (
+ 'Ubuntu 13.04 x86_64'
+);
+
+INSERT INTO products (			/* 21 */
+  name
+) VALUES (
+ 'Android 4.1.1'
+);
+
+INSERT INTO products (			/* 22 */
+  name
+) VALUES (
+ 'Android 4.2.1'
+);
+
+/* Directories */
+
+INSERT INTO directories (		/*  1 */
+  path
+) VALUES (
+ '/bin'
+);
+
+INSERT INTO directories (		/*  2 */
+  path
+) VALUES (
+ '/etc'
+);
+
+INSERT INTO directories (		/*  3 */
+  path
+) VALUES (
+ '/lib'
+);
+
+INSERT INTO directories (		/*  4 */
+  path
+) VALUES (
+ '/lib/i386-linux-gnu'
+);
+
+INSERT INTO directories (		/*  5 */
+  path
+) VALUES (
+ '/lib/x86_64-linux-gnu'
+);
+
+INSERT INTO directories (		/*  6 */
+  path
+) VALUES (
+ '/lib/xtables'
+);
+
+INSERT INTO directories (		/*  7 */
+  path
+) VALUES (
+ '/sbin'
+);
+
+INSERT INTO directories (		/*  8 */
+  path
+) VALUES (
+ '/usr/bin'
+);
+
+INSERT INTO directories (		/*  9 */
+  path
+) VALUES (
+ '/usr/lib'
+);
+
+INSERT INTO directories (		/* 10 */
+  path
+) VALUES (
+ '/usr/lib/i386-linux-gnu'
+);
+
+INSERT INTO directories (		/* 11 */
+  path
+) VALUES (
+ '/usr/lib/x86_64-linux-gnu'
+);
+
+INSERT INTO directories (		/* 12 */
+  path
+) VALUES (
+ '/usr/sbin'
+);
+
+INSERT INTO directories (		/* 13 */
+  path
+) VALUES (
+ '/system/bin'
+);
+
+INSERT INTO directories (		/* 14 */
+  path
+) VALUES (
+ '/system/lib'
+);
+
+/* Files */
+
+INSERT INTO files (				/*  1 */
+  name, dir
+) VALUES (
+ 'libcrypto.so.1.0.0', 5
+);
+
+INSERT INTO files (				/*  2 */
+  name, dir
+) VALUES (
+ 'libcrypto.so.1.0.0', 11
+);
+
+INSERT INTO files (				/*  3 */
+  name, dir
+) VALUES (
+ 'libssl.so.1.0.0', 5
+);
+
+INSERT INTO files (				/*  4 */
+  name, dir
+) VALUES (
+ 'libssl.so.1.0.0', 11
+);
+
+INSERT INTO files (				/*  5 */
+  name, dir
+) VALUES (
+  'openssl', 8
+);
+
+INSERT INTO files (				/*  6 */
+  name, dir
+) VALUES (
+  'tnc_config', 2
+);
+
+/* Algorithms */
+
+INSERT INTO algorithms (
+  id, name
+) VALUES (
+  65536, 'SHA1-IMA' 
+);
+
+INSERT INTO algorithms (
+  id, name
+) VALUES (
+  32768, 'SHA1' 
+);
+
+INSERT INTO algorithms (
+  id, name
+) VALUES (
+  16384, 'SHA256' 
+);
+
+INSERT INTO algorithms (
+  id, name
+) VALUES (
+  8192, 'SHA384' 
+);
+
+/* File Hashes */
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  4, 2, 32768, X'6c6f8e12f6cbfba612e780374c4cdcd40f20968a' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  4, 2, 16384, X'dbcecd19d59310183cf5c31ddee29e8d7bec64d3f9583aad074330a1b3024b07' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  4, 2, 8192, X'197c5385e5853003188833d4f991136c1b0875fa416a60b1159f64e57e457b3184762c884a802a2bda194c058e3bd953' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  4, 4, 32768, X'3ad204f99eb7262efab79cfca02628870ea76361' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  4, 4, 16384, X'3a2170aad92fdd58b55e0e199822bc873cf587b2d1eb1ed7ed8dcea97ae86376' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  4, 4, 8192, X'f778076baa876b5e4b502494a3db081fb09dd870dee6991d54104a74b7e009c58fe261db5ffd13c11e08ef0cefcfa59f' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  4, 5, 32768, X'ecd9c7076cc0572724c7a67db7f19c2831e0445f' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  4, 5, 16384, X'28f3ea5afd34444c8232ea75003131e294a0c9b847de300e4b205d38c1a41305' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  4, 5, 8192, X'51921a8b9322f2d3f06d55002ff40a79da67e70cb563b2a50977642d603dfac2ccbb68b3d32a8bb350769b75d6254208' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  18, 1, 32768, X'd9309b9e45928239d7a7b18711e690792632cce4' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  18, 1, 16384, X'dbfa1856d278d8707c4989b30dd065b4bcd309908f0f2e6e66ff2aa83ff93f59' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  18, 1, 8192, X'fb8d027f03bb5ebb47741ed247eb9e174127b714d20229885feb37e0979aeb14a1b74020cded891d680441093625729c' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  18, 3, 32768, X'3715f2f94016a91fab5bbc503f0f1d43c5a9fc2b' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  18, 3, 16384, X'c03a5296b5decb87b01517f9927a8b2349dfb29ff9f5ba084f994c155ca5d4be' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  18, 3, 8192, X'b8bc345f56115235cc6091f61e312ce43ea54a5b99e7295002ae7b415fd35e06ec4c731ab70ad00d784bb53a318a2fa0' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  18, 5, 32768, X'e59602f4edf24c1b36199588886d06665d4adcd7' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  18, 5, 16384, X'090e1b77bda7fe665e498c6b5e09dbb7ddc5cfe57f213de48f4fb6736484f500' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  18, 5, 8192, X'7cbdb4612a13443dba910ecdef5161f2213e52c9b4a2eef14bcee5d287e9df931cd022e9e9715518ad9c9b6e3384a668' 
+);
+
+/* Packages */
+
+INSERT INTO packages (			/*  1 */
+  name
+) VALUES (
+ 'libssl-dev'
+);
+
+INSERT INTO packages (			/*  2 */
+  name
+) VALUES (
+ 'libssl1.0.0'
+);
+
+INSERT INTO packages (			/*  3 */
+  name
+) VALUES (
+ 'libssl1.0.0-dbg'
+);
+
+INSERT INTO packages (			/*  4 */
+  name
+) VALUES (
+ 'openssl'
+);
+
+/* Versions */
+
+INSERT INTO versions (
+  package, product, release, time
+) VALUES (
+  1, 4, '1.0.1e-2', 1366531494
+);
+
+INSERT INTO versions (
+  package, product, release, time
+) VALUES (
+  2, 4, '1.0.1e-2', 1366531494
+);
+
+INSERT INTO versions (
+  package, product, release, time
+) VALUES (
+  3, 4, '1.0.1e-2', 1366531494
+);
+
+INSERT INTO versions (
+  package, product, release, time
+) VALUES (
+  4, 4, '1.0.1e-2', 1366531494
+);
+
+/* Components */
+
+INSERT INTO components (
+  vendor_id, name, qualifier
+) VALUES (
+  36906, 1, 33  /* ITA TGRUB */
+);
+
+INSERT INTO components (
+  vendor_id, name, qualifier
+) VALUES (
+  36906, 2, 33  /* ITA TBOOT */
+);
+
+INSERT INTO components (
+  vendor_id, name, qualifier
+) VALUES (
+  36906, 3, 33  /* ITA IMA - Trusted Platform */
+);
+
+INSERT INTO components (
+  vendor_id, name, qualifier
+) VALUES (
+  36906, 3, 34  /* ITA IMA - Operating System */
+);
+
+/* Groups */
+
+INSERT INTO groups (			/*  1 */
+  name
+) VALUES (
+  'Default'
+);
+
+INSERT INTO groups (			/*  2 */
+  name, parent
+) VALUES (
+  'Linux', 1
+);
+
+INSERT INTO groups (			/*  3 */
+  name, parent
+) VALUES (
+  'Android', 1
+);
+
+INSERT INTO groups (			/*  4 */
+  name, parent
+) VALUES (
+  'Debian i686', 2
+);
+
+INSERT INTO groups (			/*  5 */
+  name, parent
+) VALUES (
+  'Debian x86_64', 2
+);
+
+INSERT INTO groups (			/*  6 */
+  name, parent
+) VALUES (
+  'Ubuntu i686', 2
+);
+
+INSERT INTO groups (			/*  7 */
+  name, parent
+) VALUES (
+  'Ubuntu x86_64', 2
+);
+
+INSERT INTO groups (			/*  8 */
+  name
+) VALUES (
+  'Reference'
+);
+
+INSERT INTO groups (			/*  9 */
+  name, parent
+) VALUES (
+  'Ref. Android', 8
+);
+
+INSERT INTO groups (			/* 10 */
+  name, parent
+) VALUES (
+  'Ref. Linux', 8
+);
+
+/* Default Product Groups */
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  4, 1
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  4, 3
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  4, 5
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  5, 2
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  5, 4
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  5, 6
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  6, 7
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  6, 9
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  6, 11
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  6, 13
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  6, 15
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  6, 17
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  6, 19
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  7, 8
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  7, 10
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  7, 12
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  7, 14
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  7, 16
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  7, 18
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  7, 20
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  3, 21
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  3, 22
+);
+
+/* Policies */
+
+INSERT INTO policies (			/*  1 */
+  type, name, rec_fail, rec_noresult
+) VALUES (
+  1, 'Installed Packages', 2, 2
+);
+
+INSERT INTO policies (			/*  2 */
+  type, name, rec_fail, rec_noresult
+) VALUES (
+  2, 'Unknown Source', 2, 2
+);
+
+INSERT INTO policies (			/*  3 */
+  type, name, rec_fail, rec_noresult
+) VALUES (
+  3, 'IP Forwarding Enabled', 1, 1 
+);
+
+INSERT INTO policies (			/*  4 */
+  type, name, rec_fail, rec_noresult
+) VALUES (
+  4, 'Default Factory Password Enabled', 1, 1
+);
+
+INSERT INTO policies (			/*  5 */
+  type, name, file, rec_fail, rec_noresult
+) VALUES (
+  6, 'Measure /lib/x86_64-linux-gnu/libcrypto.so.1.0.0', 1, 2, 2
+);
+
+INSERT INTO policies (			/*  6 */
+  type, name, file, rec_fail, rec_noresult
+) VALUES (
+  6, 'Measure /lib/x86_64-linux-gnu/libssl.so.1.0.0', 3, 2, 2
+);
+
+INSERT INTO policies (			/*  7 */
+  type, name, file, rec_fail, rec_noresult
+) VALUES (
+  6, 'Measure /usr/bin/openssl', 5, 2, 2
+);
+
+INSERT INTO policies (			/*  8 */
+  type, name, rec_fail, rec_noresult
+) VALUES (
+  11, 'No Open TCP Ports', 1, 1
+);
+
+INSERT INTO policies (			/*  9 */
+  type, name, argument, rec_fail, rec_noresult
+) VALUES (
+  13, 'Open UDP Ports', '500 4500 10000-65000', 1, 1
+);
+
+INSERT INTO policies (			/* 10 */
+  type, name, file, rec_fail, rec_noresult
+) VALUES (
+  7, 'Metadata of /etc/tnc_config', 6, 0, 0
+);
+
+INSERT INTO policies (			/* 11 */
+  type, name, dir, rec_fail, rec_noresult
+) VALUES (
+  8, 'Get /bin', 1, 0, 0
+);
+
+INSERT INTO policies (			/*  12 */
+  type, name, file, rec_fail, rec_noresult
+) VALUES (
+  6, 'Measure /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0', 2, 2, 2
+);
+
+INSERT INTO policies (			/* 13 */
+  type, name, file, rec_fail, rec_noresult
+) VALUES (
+  6, 'Measure /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0', 4, 2, 2
+);
+
+INSERT INTO policies (			/* 14 */
+  type, name, dir, rec_fail, rec_noresult
+) VALUES (
+  8, 'Get /system/bin', 13, 0, 0
+);
+
+INSERT INTO policies (			/* 15 */
+  type, name, dir, rec_fail, rec_noresult
+) VALUES (
+  8, 'Get /system/lib', 14, 0, 0
+);
+
+INSERT INTO policies (                  /* 16 */
+  type, name, dir, rec_fail, rec_noresult
+) VALUES (
+  9, 'Measure /bin', 1, 2, 2
+);
+
+/* Enforcements */
+
+INSERT INTO enforcements (
+  policy, group_id, max_age
+) VALUES (
+  1, 1, 86400
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age
+) VALUES (
+  2, 3, 0
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age, rec_fail, rec_noresult
+) VALUES (
+  3, 2, 0, 2, 2
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age
+) VALUES (
+  5, 7, 86400
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age
+) VALUES (
+  6, 7, 86400
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age
+) VALUES (
+  7, 2, 86400
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age
+) VALUES (
+  8, 1, 60
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age
+) VALUES (
+  9, 1, 60
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age
+) VALUES (
+  10, 2, 60
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age
+) VALUES (
+  11, 10, 86400
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age
+) VALUES (
+  12, 5, 86400
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age
+) VALUES (
+  13, 5, 86400
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age
+) VALUES (
+  14, 9, 0
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age
+) VALUES (
+  15, 9, 0
+);
+
diff --git a/testing/tests/tnc/tnccs-20-os/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-os/hosts/moon/etc/strongswan.conf
index 0927c88b0..3e017e905 100644
--- a/testing/tests/tnc/tnccs-20-os/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-20-os/hosts/moon/etc/strongswan.conf
@@ -16,16 +16,11 @@ charon {
 }
 
 libimcv {
-  plugins {
-    imv-os {
-      database = sqlite:///etc/pts/config.db
-      request_installed_packages = yes 
-    }
-  }
+  database = sqlite:///etc/pts/config.db
+  policy_script = ipsec imv_policy_manager
 }
 
 attest {
   load = random nonce openssl sqlite
   database = sqlite:///etc/pts/config.db
 }
-
diff --git a/testing/tests/tnc/tnccs-20-os/pretest.dat b/testing/tests/tnc/tnccs-20-os/pretest.dat
index 28f2f339c..333ac7462 100644
--- a/testing/tests/tnc/tnccs-20-os/pretest.dat
+++ b/testing/tests/tnc/tnccs-20-os/pretest.dat
@@ -14,5 +14,6 @@ carol::sleep 1
 carol::ipsec up home
 dave::ipsec up home
 dave::sleep 1
-moon::ipsec attest --packages --product 'Debian 7.0'
+moon::ipsec attest --packages --product 'Debian 7.0 x86_64'
+moon::ipsec attest --sessions
 moon::ipsec attest --devices
diff --git a/testing/tests/tnc/tnccs-20-pdp/hosts/alice/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-pdp/hosts/alice/etc/strongswan.conf
index 7d7dc7be2..70da7766a 100644
--- a/testing/tests/tnc/tnccs-20-pdp/hosts/alice/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-20-pdp/hosts/alice/etc/strongswan.conf
@@ -24,10 +24,5 @@ libimcv {
     imv-test {
       rounds = 1 
     }
-    imv-scanner {
-      closed_port_policy = yes
-      tcp_ports = 22
-      udp_ports = 500 4500
-    }
   }
 }
diff --git a/testing/tests/tnc/tnccs-20-pdp/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-pdp/hosts/dave/etc/strongswan.conf
index b2cdc21be..96ff63ab1 100644
--- a/testing/tests/tnc/tnccs-20-pdp/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-20-pdp/hosts/dave/etc/strongswan.conf
@@ -14,5 +14,8 @@ libimcv {
     imc-test {
       command = isolate
     }
+    imc-scannner {
+      push_info = no
+    }
   }
 }
diff --git a/testing/tests/tnc/tnccs-20-pts/description.txt b/testing/tests/tnc/tnccs-20-pts/description.txt
new file mode 100644
index 000000000..e78a70091
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-pts/description.txt
@@ -0,0 +1,22 @@
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to gateway <b>moon</b>
+using EAP-TTLS authentication only with the gateway presenting a server certificate and
+the clients doing EAP-MD5 password-based authentication.
+In a next step the EAP-TNC protocol is used within the EAP-TTLS tunnel to determine the
+state of <b>carol</b>'s and <b>dave</b>'s operating system via the <b>TNCCS 2.0 </b>
+client-server interface compliant with <b>RFC 5793 PB-TNC</b>. The OS IMC and OS IMV pair
+is using the <b>IF-M 1.0</b> measurement protocol defined by <b>RFC 5792 PA-TNC</b> to
+exchange PA-TNC attributes.
+<p>
+<b>carol</b> sends information on her operating system consisting of the PA-TNC attributes
+<em>Product Information</em>, <em>String Version</em>, and <em>Device ID</em> up-front
+to the Attestation IMV, whereas <b>dave</b> must be prompted by the IMV to do so via an
+<em>Attribute Request</em> PA-TNC attribute. <b>dave</b> is instructed to do a reference
+measurement on all files in the <b>/bin</b> directory. <b>carol</b> is then prompted to
+measure a couple of individual files and the files in the <b>/bin</b> directory as
+well as to get metadata on the <b>/etc/tnc_confg</b> configuration file.
+<p>
+<b>carol</b> passes the health test and <b>dave</b> fails because IP forwarding is
+enabled. Based on these assessments which are communicated to the IMCs using the
+<em>Assessment Result</em> PA-TNC attribute, the clients are connected by gateway <b>moon</b>
+to the "rw-allow" and "rw-isolate" subnets, respectively.
+</p>
diff --git a/testing/tests/tnc/tnccs-20-pts/evaltest.dat b/testing/tests/tnc/tnccs-20-pts/evaltest.dat
new file mode 100644
index 000000000..100754332
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-pts/evaltest.dat
@@ -0,0 +1,20 @@
+carol::cat /var/log/daemon.log::PB-TNC access recommendation is 'Access Allowed'::YES
+carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
+carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/28::YES
+dave:: cat /var/log/daemon.log::PB-TNC access recommendation is 'Quarantined'::YES
+dave:: cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
+dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
+dave:: cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES
+moon:: ipsec attest --session 2> /dev/null::Debian 7.0 x86_64.*carol@strongswan.org - allow::YES
+moon:: cat /var/log/daemon.log::added group membership 'allow'::YES
+moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
+moon:: ipsec attest --session 2> /dev/null::Debian 7.0 x86_64.*dave@strongswan.org - isolate::YES
+moon:: cat /var/log/daemon.log::added group membership 'isolate'::YES
+moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES
+moon:: ipsec statusall 2> /dev/null::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES
+moon:: ipsec statusall 2> /dev/null::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::NO
+dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::NO
diff --git a/testing/tests/tnc/tnccs-20-pts/hosts/carol/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-pts/hosts/carol/etc/ipsec.conf
new file mode 100644
index 000000000..d17473db1
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-pts/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	charondebug="tnc 3, imc 3, pts 3"
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn home
+	left=PH_IP_CAROL
+	leftid=carol@strongswan.org
+	leftauth=eap
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+	rightauth=any
+	rightsendcert=never
+	rightsubnet=10.1.0.0/16
+	auto=add
diff --git a/testing/tests/tnc/tnccs-20-pts/hosts/carol/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-pts/hosts/carol/etc/ipsec.secrets
new file mode 100644
index 000000000..74942afda
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-pts/hosts/carol/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+carol@strongswan.org : EAP "Ar3etTnp"
diff --git a/testing/tests/tnc/tnccs-20-pts/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-pts/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..e6046833c
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-pts/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,19 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl openssl pem pkcs1 random nonce revocation stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-tnccs tnc-imc tnccs-20 updown
+  multiple_authentication=no
+  plugins {
+    eap-tnc {
+      protocol = tnccs-2.0
+    }
+  }
+}
+
+libimcv {
+  plugins {
+    imc-os {
+      push_info = yes
+    }
+  }
+}
diff --git a/testing/tests/tnc/tnccs-20-pts/hosts/carol/etc/tnc_config b/testing/tests/tnc/tnccs-20-pts/hosts/carol/etc/tnc_config
new file mode 100644
index 000000000..15dc93a0a
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-pts/hosts/carol/etc/tnc_config
@@ -0,0 +1,4 @@
+#IMC configuration file for strongSwan client 
+
+IMC "OS"          /usr/local/lib/ipsec/imcvs/imc-os.so
+IMC "Attestation" /usr/local/lib/ipsec/imcvs/imc-attestation.so
diff --git a/testing/tests/tnc/tnccs-20-pts/hosts/dave/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-pts/hosts/dave/etc/ipsec.conf
new file mode 100644
index 000000000..d459bfc6c
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-pts/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	charondebug="tnc 3, imc 3, pts 3"
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn home
+	left=PH_IP_DAVE
+	leftid=dave@strongswan.org
+	leftauth=eap
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+	rightauth=any
+	rightsendcert=never
+	rightsubnet=10.1.0.0/16
+	auto=add
diff --git a/testing/tests/tnc/tnccs-20-pts/hosts/dave/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-pts/hosts/dave/etc/ipsec.secrets
new file mode 100644
index 000000000..5496df7ad
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-pts/hosts/dave/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+dave@strongswan.org : EAP "W7R0g3do"
diff --git a/testing/tests/tnc/tnccs-20-pts/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-pts/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..3236a18fa
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-pts/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,22 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl openssl pem pkcs1 random nonce revocation stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
+  multiple_authentication=no
+  plugins {
+    eap-tnc {
+      protocol = tnccs-2.0
+    }
+    tnc-imc {
+      preferred_language = de
+    }
+  }
+}
+
+libimcv {
+  plugins {
+    imc-os {
+      push_info = no
+    }
+  }
+}
diff --git a/testing/tests/tnc/tnccs-20-pts/hosts/dave/etc/tnc_config b/testing/tests/tnc/tnccs-20-pts/hosts/dave/etc/tnc_config
new file mode 100644
index 000000000..15dc93a0a
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-pts/hosts/dave/etc/tnc_config
@@ -0,0 +1,4 @@
+#IMC configuration file for strongSwan client 
+
+IMC "OS"          /usr/local/lib/ipsec/imcvs/imc-os.so
+IMC "Attestation" /usr/local/lib/ipsec/imcvs/imc-attestation.so
diff --git a/testing/tests/tnc/tnccs-20-pts/hosts/moon/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-pts/hosts/moon/etc/ipsec.conf
new file mode 100644
index 000000000..bc8b2d8f9
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-pts/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,34 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	charondebug="tnc 3, imv 3, pts 3"
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn rw-allow
+	rightgroups=allow
+	leftsubnet=10.1.0.0/28
+	also=rw-eap
+	auto=add
+
+conn rw-isolate
+	rightgroups=isolate
+	leftsubnet=10.1.0.16/28
+	also=rw-eap
+	auto=add
+
+conn rw-eap
+	left=PH_IP_MOON
+	leftcert=moonCert.pem
+	leftid=@moon.strongswan.org
+	leftauth=eap-ttls
+	leftfirewall=yes
+	rightauth=eap-ttls
+	rightid=*@strongswan.org
+	rightsendcert=never
+	right=%any
diff --git a/testing/tests/tnc/tnccs-20-pts/hosts/moon/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-pts/hosts/moon/etc/ipsec.secrets
new file mode 100644
index 000000000..2e277ccb0
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-pts/hosts/moon/etc/ipsec.secrets
@@ -0,0 +1,6 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: RSA moonKey.pem
+
+carol@strongswan.org : EAP "Ar3etTnp"
+dave@strongswan.org  : EAP "W7R0g3do"
diff --git a/testing/tests/tnc/tnccs-20-pts/hosts/moon/etc/pts/data.sql b/testing/tests/tnc/tnccs-20-pts/hosts/moon/etc/pts/data.sql
new file mode 100644
index 000000000..090eb47ff
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-pts/hosts/moon/etc/pts/data.sql
@@ -0,0 +1,873 @@
+/* Products */
+
+INSERT INTO products (			/*  1 */
+  name
+) VALUES (
+ 'Debian 6.0 i686'
+);
+
+INSERT INTO products (			/*  2 */
+  name
+) VALUES (
+ 'Debian 6.0 x86_64'
+);
+
+INSERT INTO products (			/*  3 */
+  name
+) VALUES (
+ 'Debian 7.0 i686'
+);
+
+INSERT INTO products (			/*  4 */
+  name
+) VALUES (
+ 'Debian 7.0 x86_64'
+);
+
+INSERT INTO products (			/*  5 */
+  name
+) VALUES (
+ 'Debian 8.0 i686'
+);
+
+INSERT INTO products (			/*  6 */
+  name
+) VALUES (
+ 'Debian 8.0 x86_64'
+);
+
+INSERT INTO products (			/*  7 */
+  name
+) VALUES (
+ 'Ubuntu 10.04 i686'
+);
+
+INSERT INTO products (			/*  8 */
+  name
+) VALUES (
+ 'Ubuntu 10.04 x86_64'
+);
+
+INSERT INTO products (			/*  9 */
+  name
+) VALUES (
+ 'Ubuntu 10.10 i686'
+);
+
+INSERT INTO products (			/* 10 */
+  name
+) VALUES (
+ 'Ubuntu 10.10 x86_64'
+);
+
+INSERT INTO products (			/* 11 */
+  name
+) VALUES (
+ 'Ubuntu 11.04 i686'
+);
+
+INSERT INTO products (			/* 12 */
+  name
+) VALUES (
+ 'Ubuntu 11.04 x86_64'
+);
+
+INSERT INTO products (			/* 13 */
+  name
+) VALUES (
+ 'Ubuntu 11.10 i686'
+);
+
+INSERT INTO products (			/* 14 */
+  name
+) VALUES (
+ 'Ubuntu 11.10 x86_64'
+);
+
+INSERT INTO products (			/* 15 */
+  name
+) VALUES (
+ 'Ubuntu 12.04 i686'
+);
+
+INSERT INTO products (			/* 16 */
+  name
+) VALUES (
+ 'Ubuntu 12.04 x86_64'
+);
+
+INSERT INTO products (			/* 17 */
+  name
+) VALUES (
+ 'Ubuntu 12.10 i686'
+);
+
+INSERT INTO products (			/* 18 */
+  name
+) VALUES (
+ 'Ubuntu 12.10 x86_64'
+);
+
+INSERT INTO products (			/* 19 */
+  name
+) VALUES (
+ 'Ubuntu 13.04 i686'
+);
+
+INSERT INTO products (			/* 20 */
+  name
+) VALUES (
+ 'Ubuntu 13.04 x86_64'
+);
+
+INSERT INTO products (			/* 21 */
+  name
+) VALUES (
+ 'Android 4.1.1'
+);
+
+INSERT INTO products (			/* 22 */
+  name
+) VALUES (
+ 'Android 4.2.1'
+);
+
+/* Directories */
+
+INSERT INTO directories (		/*  1 */
+  path
+) VALUES (
+ '/bin'
+);
+
+INSERT INTO directories (		/*  2 */
+  path
+) VALUES (
+ '/etc'
+);
+
+INSERT INTO directories (		/*  3 */
+  path
+) VALUES (
+ '/lib'
+);
+
+INSERT INTO directories (		/*  4 */
+  path
+) VALUES (
+ '/lib/i386-linux-gnu'
+);
+
+INSERT INTO directories (		/*  5 */
+  path
+) VALUES (
+ '/lib/x86_64-linux-gnu'
+);
+
+INSERT INTO directories (		/*  6 */
+  path
+) VALUES (
+ '/lib/xtables'
+);
+
+INSERT INTO directories (		/*  7 */
+  path
+) VALUES (
+ '/sbin'
+);
+
+INSERT INTO directories (		/*  8 */
+  path
+) VALUES (
+ '/usr/bin'
+);
+
+INSERT INTO directories (		/*  9 */
+  path
+) VALUES (
+ '/usr/lib'
+);
+
+INSERT INTO directories (		/* 10 */
+  path
+) VALUES (
+ '/usr/lib/i386-linux-gnu'
+);
+
+INSERT INTO directories (		/* 11 */
+  path
+) VALUES (
+ '/usr/lib/x86_64-linux-gnu'
+);
+
+INSERT INTO directories (		/* 12 */
+  path
+) VALUES (
+ '/usr/sbin'
+);
+
+INSERT INTO directories (		/* 13 */
+  path
+) VALUES (
+ '/system/bin'
+);
+
+INSERT INTO directories (		/* 14 */
+  path
+) VALUES (
+ '/system/lib'
+);
+
+/* Files */
+
+INSERT INTO files (				/*  1 */
+  name, dir
+) VALUES (
+ 'libcrypto.so.1.0.0', 5
+);
+
+INSERT INTO files (				/*  2 */
+  name, dir
+) VALUES (
+ 'libcrypto.so.1.0.0', 11
+);
+
+INSERT INTO files (				/*  3 */
+  name, dir
+) VALUES (
+ 'libssl.so.1.0.0', 5
+);
+
+INSERT INTO files (				/*  4 */
+  name, dir
+) VALUES (
+ 'libssl.so.1.0.0', 11
+);
+
+INSERT INTO files (				/*  5 */
+  name, dir
+) VALUES (
+  'openssl', 8
+);
+
+INSERT INTO files (				/*  6 */
+  name, dir
+) VALUES (
+  'tnc_config', 2
+);
+
+/* Algorithms */
+
+INSERT INTO algorithms (
+  id, name
+) VALUES (
+  65536, 'SHA1-IMA' 
+);
+
+INSERT INTO algorithms (
+  id, name
+) VALUES (
+  32768, 'SHA1' 
+);
+
+INSERT INTO algorithms (
+  id, name
+) VALUES (
+  16384, 'SHA256' 
+);
+
+INSERT INTO algorithms (
+  id, name
+) VALUES (
+  8192, 'SHA384' 
+);
+
+/* File Hashes */
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  4, 2, 32768, X'6c6f8e12f6cbfba612e780374c4cdcd40f20968a' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  4, 2, 16384, X'dbcecd19d59310183cf5c31ddee29e8d7bec64d3f9583aad074330a1b3024b07' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  4, 2, 8192, X'197c5385e5853003188833d4f991136c1b0875fa416a60b1159f64e57e457b3184762c884a802a2bda194c058e3bd953' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  4, 4, 32768, X'3ad204f99eb7262efab79cfca02628870ea76361' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  4, 4, 16384, X'3a2170aad92fdd58b55e0e199822bc873cf587b2d1eb1ed7ed8dcea97ae86376' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  4, 4, 8192, X'f778076baa876b5e4b502494a3db081fb09dd870dee6991d54104a74b7e009c58fe261db5ffd13c11e08ef0cefcfa59f' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  4, 5, 32768, X'ecd9c7076cc0572724c7a67db7f19c2831e0445f' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  4, 5, 16384, X'28f3ea5afd34444c8232ea75003131e294a0c9b847de300e4b205d38c1a41305' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  4, 5, 8192, X'51921a8b9322f2d3f06d55002ff40a79da67e70cb563b2a50977642d603dfac2ccbb68b3d32a8bb350769b75d6254208' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  18, 1, 32768, X'd9309b9e45928239d7a7b18711e690792632cce4' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  18, 1, 16384, X'dbfa1856d278d8707c4989b30dd065b4bcd309908f0f2e6e66ff2aa83ff93f59' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  18, 1, 8192, X'fb8d027f03bb5ebb47741ed247eb9e174127b714d20229885feb37e0979aeb14a1b74020cded891d680441093625729c' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  18, 3, 32768, X'3715f2f94016a91fab5bbc503f0f1d43c5a9fc2b' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  18, 3, 16384, X'c03a5296b5decb87b01517f9927a8b2349dfb29ff9f5ba084f994c155ca5d4be' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  18, 3, 8192, X'b8bc345f56115235cc6091f61e312ce43ea54a5b99e7295002ae7b415fd35e06ec4c731ab70ad00d784bb53a318a2fa0' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  18, 5, 32768, X'e59602f4edf24c1b36199588886d06665d4adcd7' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  18, 5, 16384, X'090e1b77bda7fe665e498c6b5e09dbb7ddc5cfe57f213de48f4fb6736484f500' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  18, 5, 8192, X'7cbdb4612a13443dba910ecdef5161f2213e52c9b4a2eef14bcee5d287e9df931cd022e9e9715518ad9c9b6e3384a668' 
+);
+
+/* Packages */
+
+INSERT INTO packages (			/*  1 */
+  name
+) VALUES (
+ 'libssl-dev'
+);
+
+INSERT INTO packages (			/*  2 */
+  name
+) VALUES (
+ 'libssl1.0.0'
+);
+
+INSERT INTO packages (			/*  3 */
+  name
+) VALUES (
+ 'libssl1.0.0-dbg'
+);
+
+INSERT INTO packages (			/*  4 */
+  name
+) VALUES (
+ 'openssl'
+);
+
+/* Versions */
+
+INSERT INTO versions (
+  package, product, release, time
+) VALUES (
+  1, 4, '1.0.1e-2', 1366531494
+);
+
+INSERT INTO versions (
+  package, product, release, time
+) VALUES (
+  2, 4, '1.0.1e-2', 1366531494
+);
+
+INSERT INTO versions (
+  package, product, release, time
+) VALUES (
+  3, 4, '1.0.1e-2', 1366531494
+);
+
+INSERT INTO versions (
+  package, product, release, time
+) VALUES (
+  4, 4, '1.0.1e-2', 1366531494
+);
+
+/* Components */
+
+INSERT INTO components (
+  vendor_id, name, qualifier
+) VALUES (
+  36906, 1, 33  /* ITA TGRUB */
+);
+
+INSERT INTO components (
+  vendor_id, name, qualifier
+) VALUES (
+  36906, 2, 33  /* ITA TBOOT */
+);
+
+INSERT INTO components (
+  vendor_id, name, qualifier
+) VALUES (
+  36906, 3, 33  /* ITA IMA - Trusted Platform */
+);
+
+INSERT INTO components (
+  vendor_id, name, qualifier
+) VALUES (
+  36906, 3, 34  /* ITA IMA - Operating System */
+);
+
+/* Groups */
+
+INSERT INTO groups (			/*  1 */
+  name
+) VALUES (
+  'Default'
+);
+
+INSERT INTO groups (			/*  2 */
+  name, parent
+) VALUES (
+  'Linux', 1
+);
+
+INSERT INTO groups (			/*  3 */
+  name, parent
+) VALUES (
+  'Android', 1
+);
+
+INSERT INTO groups (			/*  4 */
+  name, parent
+) VALUES (
+  'Debian i686', 2
+);
+
+INSERT INTO groups (			/*  5 */
+  name, parent
+) VALUES (
+  'Debian x86_64', 2
+);
+
+INSERT INTO groups (			/*  6 */
+  name, parent
+) VALUES (
+  'Ubuntu i686', 2
+);
+
+INSERT INTO groups (			/*  7 */
+  name, parent
+) VALUES (
+  'Ubuntu x86_64', 2
+);
+
+INSERT INTO groups (			/*  8 */
+  name
+) VALUES (
+  'Reference'
+);
+
+INSERT INTO groups (			/*  9 */
+  name, parent
+) VALUES (
+  'Ref. Android', 8
+);
+
+INSERT INTO groups (			/* 10 */
+  name, parent
+) VALUES (
+  'Ref. Linux', 8
+);
+
+/* Default Product Groups */
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  4, 1
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  4, 3
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  4, 5
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  5, 2
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  5, 4
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  5, 6
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  6, 7
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  6, 9
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  6, 11
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  6, 13
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  6, 15
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  6, 17
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  6, 19
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  7, 8
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  7, 10
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  7, 12
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  7, 14
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  7, 16
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  7, 18
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  7, 20
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  3, 21
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  3, 22
+);
+
+/* Devices */
+
+INSERT INTO devices (                  /*  1 */
+  value, product, created  
+) VALUES (
+  'aabbccddeeff11223344556677889900', 4, 1372330615
+);
+
+/* Groups Members */
+
+INSERT INTO groups_members (
+  group_id, device_id
+) VALUES (
+  10, 1
+);
+
+/* Policies */
+
+INSERT INTO policies (			/*  1 */
+  type, name, rec_fail, rec_noresult
+) VALUES (
+  1, 'Installed Packages', 2, 2
+);
+
+INSERT INTO policies (			/*  2 */
+  type, name, rec_fail, rec_noresult
+) VALUES (
+  2, 'Unknown Source', 2, 2
+);
+
+INSERT INTO policies (			/*  3 */
+  type, name, rec_fail, rec_noresult
+) VALUES (
+  3, 'IP Forwarding Enabled',  1, 1
+);
+
+INSERT INTO policies (			/*  4 */
+  type, name, rec_fail, rec_noresult
+) VALUES (
+  4, 'Default Factory Password Enabled', 1, 1
+);
+
+INSERT INTO policies (			/*  5 */
+  type, name, file, rec_fail, rec_noresult
+) VALUES (
+  6, 'Measure /lib/x86_64-linux-gnu/libcrypto.so.1.0.0', 1, 2, 2
+);
+
+INSERT INTO policies (			/*  6 */
+  type, name, file, rec_fail, rec_noresult
+) VALUES (
+  6, 'Measure /lib/x86_64-linux-gnu/libssl.so.1.0.0', 3, 2, 2
+);
+
+INSERT INTO policies (			/*  7 */
+  type, name, file, rec_fail, rec_noresult
+) VALUES (
+  6, 'Measure /usr/bin/openssl', 5, 2, 2
+);
+
+INSERT INTO policies (			/*  8 */
+  type, name, rec_fail, rec_noresult
+) VALUES (
+  11, 'No Open TCP Ports', 1, 1
+);
+
+INSERT INTO policies (			/*  9 */
+  type, name, argument, rec_fail, rec_noresult
+) VALUES (
+  13, 'Open UDP Ports', '500 4500 10000-65000', 1, 1
+);
+
+INSERT INTO policies (			/* 10 */
+  type, name, file, rec_fail, rec_noresult
+) VALUES (
+  7, 'Metadata of /etc/tnc_config', 6, 0, 0
+);
+
+INSERT INTO policies (			/* 11 */
+  type, name, dir, rec_fail, rec_noresult
+) VALUES (
+  8, 'Get /bin', 1, 0, 0
+);
+
+INSERT INTO policies (			/*  12 */
+  type, name, file, rec_fail, rec_noresult
+) VALUES (
+  6, 'Measure /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0', 2, 2, 2
+);
+
+INSERT INTO policies (			/* 13 */
+  type, name, file, rec_fail, rec_noresult
+) VALUES (
+  6, 'Measure /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0', 4, 2, 2
+);
+
+INSERT INTO policies (			/* 14 */
+  type, name, dir, rec_fail, rec_noresult
+) VALUES (
+  8, 'Get /system/bin', 13, 0, 0
+);
+
+INSERT INTO policies (			/* 15 */
+  type, name, dir, rec_fail, rec_noresult
+) VALUES (
+  8, 'Get /system/lib', 14, 0, 0
+);
+
+INSERT INTO policies (                  /* 16 */
+  type, name, dir, rec_fail, rec_noresult
+) VALUES (
+  9, 'Measure /bin', 1, 2, 2
+);
+
+/* Enforcements */
+
+INSERT INTO enforcements (
+  policy, group_id, max_age
+) VALUES (
+  2, 3, 0
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age, rec_fail, rec_noresult
+) VALUES (
+  3, 2, 0, 2, 2
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age, rec_fail, rec_noresult
+) VALUES (
+  3, 10, 0, 2, 2
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age
+) VALUES (
+  5, 7, 86400
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age
+) VALUES (
+  6, 7, 86400
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age
+) VALUES (
+  7, 2, 86400
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age
+) VALUES (
+  8, 1, 60
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age
+) VALUES (
+  9, 1, 60
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age
+) VALUES (
+  10, 2, 60
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age
+) VALUES (
+  11, 10, 86400
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age
+) VALUES (
+  12, 5, 86400
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age
+) VALUES (
+  13, 5, 86400
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age
+) VALUES (
+  14, 9, 0
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age
+) VALUES (
+  15, 9, 0
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age
+) VALUES (
+  16, 2, 0
+);
diff --git a/testing/tests/tnc/tnccs-20-pts/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-pts/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..0298a5151
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-pts/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,32 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl openssl pem pkcs1 random nonce revocation stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-imv tnc-tnccs tnccs-20 updown sqlite
+  multiple_authentication=no
+  plugins {
+    eap-ttls {
+      phase2_method = md5
+      phase2_piggyback = yes
+      phase2_tnc = yes
+    }
+    eap-tnc {
+      protocol = tnccs-2.0
+    }
+  }
+}
+
+libimcv {
+  database = sqlite:///etc/pts/config.db
+  policy_script = ipsec imv_policy_manager
+  plugins {
+    imv-attestation {
+      hash_algorithm = sha1
+    }
+  }
+}
+
+attest {
+  load = random nonce openssl sqlite
+  database = sqlite:///etc/pts/config.db
+}
+
diff --git a/testing/tests/tnc/tnccs-20-pts/hosts/moon/etc/tnc_config b/testing/tests/tnc/tnccs-20-pts/hosts/moon/etc/tnc_config
new file mode 100644
index 000000000..6507baaa1
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-pts/hosts/moon/etc/tnc_config
@@ -0,0 +1,4 @@
+#IMV configuration file for strongSwan client 
+
+IMV "OS"          /usr/local/lib/ipsec/imcvs/imv-os.so
+IMV "Attestation" /usr/local/lib/ipsec/imcvs/imv-attestation.so
diff --git a/testing/tests/tnc/tnccs-20-pts/posttest.dat b/testing/tests/tnc/tnccs-20-pts/posttest.dat
new file mode 100644
index 000000000..48514d6e0
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-pts/posttest.dat
@@ -0,0 +1,8 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
+carol::echo 1 > /proc/sys/net/ipv4/ip_forward
+moon::rm /etc/pts/config.db
diff --git a/testing/tests/tnc/tnccs-20-pts/pretest.dat b/testing/tests/tnc/tnccs-20-pts/pretest.dat
new file mode 100644
index 000000000..cb6c131ef
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-pts/pretest.dat
@@ -0,0 +1,18 @@
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
+carol::echo 0 > /proc/sys/net/ipv4/ip_forward
+dave::echo aabbccddeeff11223344556677889900 > /var/lib/dbus/machine-id
+moon::cd /etc/pts; cat tables.sql data.sql | sqlite3 config.db
+moon::cat /etc/tnc_config
+carol::cat /etc/tnc_config
+dave::cat /etc/tnc_config
+moon::ipsec start
+dave::ipsec start 
+carol::ipsec start 
+dave::sleep 1
+dave::ipsec up home
+carol::ipsec up home
+carol::sleep 1
+moon::ipsec attest --sessions
+moon::ipsec attest --devices
diff --git a/testing/tests/tnc/tnccs-20-pts/test.conf b/testing/tests/tnc/tnccs-20-pts/test.conf
new file mode 100644
index 000000000..a8a05af19
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-pts/test.conf
@@ -0,0 +1,26 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice venus moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-v-m-c-w-d.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
+
+# Guest instances on which FreeRadius is started
+#
+RADIUSHOSTS=
+
diff --git a/testing/tests/tnc/tnccs-20-server-retry/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-server-retry/hosts/dave/etc/strongswan.conf
index 5fdeead28..fce949901 100644
--- a/testing/tests/tnc/tnccs-20-server-retry/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-20-server-retry/hosts/dave/etc/strongswan.conf
@@ -19,5 +19,8 @@ libimcv {
       command = retry 
       retry_command = isolate
     }
+    imc-scanner {
+      push_info = no
+    }
   }
 }
diff --git a/testing/tests/tnc/tnccs-20-tls/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-tls/hosts/dave/etc/strongswan.conf
index 0418a4aaf..0870ca667 100644
--- a/testing/tests/tnc/tnccs-20-tls/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-20-tls/hosts/dave/etc/strongswan.conf
@@ -15,5 +15,8 @@ libimcv {
     imc-test {
       command = isolate
     }
+    imc-scanner {
+      push_info = no
+    }
   }
 }
diff --git a/testing/tests/tnc/tnccs-20/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-20/hosts/dave/etc/strongswan.conf
index 3a3c2a069..1e5f50b05 100644
--- a/testing/tests/tnc/tnccs-20/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-20/hosts/dave/etc/strongswan.conf
@@ -19,5 +19,8 @@ libimcv {
       command = isolate
       additional_ids = 1
     }
+    imc-scanner {
+      push_info = no
+   }
   }
 }
diff --git a/testing/tests/tnc/tnccs-20/hosts/moon/etc/pts/data.sql b/testing/tests/tnc/tnccs-20/hosts/moon/etc/pts/data.sql
new file mode 100644
index 000000000..dcc4e75d1
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20/hosts/moon/etc/pts/data.sql
@@ -0,0 +1,793 @@
+/* Products */
+
+INSERT INTO products (			/*  1 */
+  name
+) VALUES (
+ 'Debian 7.0'
+);
+
+INSERT INTO products (			/*  2 */
+  name
+) VALUES (
+ 'Debian 7.0 i686'
+);
+
+INSERT INTO products (			/*  3 */
+  name
+) VALUES (
+ 'Debian 7.0 x86_64'
+);
+
+INSERT INTO products (			/*  4 */
+  name
+) VALUES (
+ 'Ubuntu 10.04'
+);
+
+INSERT INTO products (			/*  5 */
+  name
+) VALUES (
+ 'Ubuntu 10.04 i686'
+);
+
+INSERT INTO products (			/*  6 */
+  name
+) VALUES (
+ 'Ubuntu 10.04 x86_64'
+);
+
+INSERT INTO products (			/*  7 */
+  name
+) VALUES (
+ 'Ubuntu 10.10'
+);
+
+INSERT INTO products (			/*  8 */
+  name
+) VALUES (
+ 'Ubuntu 10.10 i686'
+);
+
+INSERT INTO products (			/*  9 */
+  name
+) VALUES (
+ 'Ubuntu 10.10 x86_64'
+);
+
+INSERT INTO products (			/* 10 */
+  name
+) VALUES (
+ 'Ubuntu 11.04'
+);
+
+INSERT INTO products (			/* 11 */
+  name
+) VALUES (
+ 'Ubuntu 11.04 i686'
+);
+
+INSERT INTO products (			/* 12 */
+  name
+) VALUES (
+ 'Ubuntu 11.04 x86_64'
+);
+
+INSERT INTO products (			/* 13 */
+  name
+) VALUES (
+ 'Ubuntu 11.10'
+);
+
+INSERT INTO products (			/* 14 */
+  name
+) VALUES (
+ 'Ubuntu 11.10 i686'
+);
+
+INSERT INTO products (			/* 15 */
+  name
+) VALUES (
+ 'Ubuntu 11.10 x86_64'
+);
+
+INSERT INTO products (			/* 16 */
+  name
+) VALUES (
+ 'Ubuntu 12.04'
+);
+
+INSERT INTO products (			/* 17 */
+  name
+) VALUES (
+ 'Ubuntu 12.04 i686'
+);
+
+INSERT INTO products (			/* 18 */
+  name
+) VALUES (
+ 'Ubuntu 12.04 x86_64'
+);
+
+INSERT INTO products (			/* 19 */
+  name
+) VALUES (
+ 'Ubuntu 12.10'
+);
+
+INSERT INTO products (			/* 20 */
+  name
+) VALUES (
+ 'Ubuntu 12.10 i686'
+);
+
+INSERT INTO products (			/* 21 */
+  name
+) VALUES (
+ 'Ubuntu 12.10 x86_64'
+);
+
+INSERT INTO products (			/* 22 */
+  name
+) VALUES (
+ 'Ubuntu 13.04'
+);
+
+INSERT INTO products (			/* 23 */
+  name
+) VALUES (
+ 'Ubuntu 13.04 i686'
+);
+
+INSERT INTO products (			/* 24 */
+  name
+) VALUES (
+ 'Ubuntu 13.04 x86_64'
+);
+
+INSERT INTO products (			/* 25 */
+  name
+) VALUES (
+ 'Android 4.1.1'
+);
+
+INSERT INTO products (			/* 26 */
+  name
+) VALUES (
+ 'Android 4.2.1'
+);
+
+/* Directories */
+
+INSERT INTO directories (		/*  1 */
+  path
+) VALUES (
+ '/bin'
+);
+
+INSERT INTO directories (		/*  2 */
+  path
+) VALUES (
+ '/etc'
+);
+
+INSERT INTO directories (		/*  3 */
+  path
+) VALUES (
+ '/lib'
+);
+
+INSERT INTO directories (		/*  4 */
+  path
+) VALUES (
+ '/lib/i386-linux-gnu'
+);
+
+INSERT INTO directories (		/*  5 */
+  path
+) VALUES (
+ '/lib/x86_64-linux-gnu'
+);
+
+INSERT INTO directories (		/*  6 */
+  path
+) VALUES (
+ '/lib/xtables'
+);
+
+INSERT INTO directories (		/*  7 */
+  path
+) VALUES (
+ '/sbin'
+);
+
+INSERT INTO directories (		/*  8 */
+  path
+) VALUES (
+ '/usr/bin'
+);
+
+INSERT INTO directories (		/*  9 */
+  path
+) VALUES (
+ '/usr/lib'
+);
+
+INSERT INTO directories (		/* 10 */
+  path
+) VALUES (
+ '/usr/lib/i386-linux-gnu'
+);
+
+INSERT INTO directories (		/* 11 */
+  path
+) VALUES (
+ '/usr/lib/x86_64-linux-gnu'
+);
+
+INSERT INTO directories (		/* 12 */
+  path
+) VALUES (
+ '/usr/sbin'
+);
+
+/* Files */
+
+INSERT INTO files (				/*  1 */
+  name, dir
+) VALUES (
+ 'libcrypto.so.1.0.0', 5
+);
+
+INSERT INTO files (				/*  2 */
+  name, dir
+) VALUES (
+ 'libcrypto.so.1.0.0', 11
+);
+
+INSERT INTO files (				/*  3 */
+  name, dir
+) VALUES (
+ 'libssl.so.1.0.0', 5
+);
+
+INSERT INTO files (				/*  4 */
+  name, dir
+) VALUES (
+ 'libssl.so.1.0.0', 11
+);
+
+INSERT INTO files (				/*  5 */
+  name, dir
+) VALUES (
+  'openssl', 8
+);
+
+INSERT INTO files (				/*  6 */
+  name, dir
+) VALUES (
+  'tnc_config', 2
+);
+
+/* Algorithms */
+
+INSERT INTO algorithms (
+  id, name
+) VALUES (
+  65536, 'SHA1-IMA' 
+);
+
+INSERT INTO algorithms (
+  id, name
+) VALUES (
+  32768, 'SHA1' 
+);
+
+INSERT INTO algorithms (
+  id, name
+) VALUES (
+  16384, 'SHA256' 
+);
+
+INSERT INTO algorithms (
+  id, name
+) VALUES (
+  8192, 'SHA384' 
+);
+
+/* File Hashes */
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  3, 2, 32768, X'6c6f8e12f6cbfba612e780374c4cdcd40f20968a' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  3, 2, 16384, X'dbcecd19d59310183cf5c31ddee29e8d7bec64d3f9583aad074330a1b3024b07' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  3, 2, 8192, X'197c5385e5853003188833d4f991136c1b0875fa416a60b1159f64e57e457b3184762c884a802a2bda194c058e3bd953' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  3, 4, 32768, X'3ad204f99eb7262efab79cfca02628870ea76361' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  3, 4, 16384, X'3a2170aad92fdd58b55e0e199822bc873cf587b2d1eb1ed7ed8dcea97ae86376' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  3, 4, 8192, X'f778076baa876b5e4b502494a3db081fb09dd870dee6991d54104a74b7e009c58fe261db5ffd13c11e08ef0cefcfa59f' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  3, 5, 32768, X'ecd9c7076cc0572724c7a67db7f19c2831e0445f' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  3, 5, 16384, X'28f3ea5afd34444c8232ea75003131e294a0c9b847de300e4b205d38c1a41305' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  3, 5, 8192, X'51921a8b9322f2d3f06d55002ff40a79da67e70cb563b2a50977642d603dfac2ccbb68b3d32a8bb350769b75d6254208' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  21, 1, 32768, X'd9309b9e45928239d7a7b18711e690792632cce4' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  21, 1, 16384, X'dbfa1856d278d8707c4989b30dd065b4bcd309908f0f2e6e66ff2aa83ff93f59' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  21, 1, 8192, X'fb8d027f03bb5ebb47741ed247eb9e174127b714d20229885feb37e0979aeb14a1b74020cded891d680441093625729c' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  21, 3, 32768, X'3715f2f94016a91fab5bbc503f0f1d43c5a9fc2b' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  21, 3, 16384, X'c03a5296b5decb87b01517f9927a8b2349dfb29ff9f5ba084f994c155ca5d4be' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  21, 3, 8192, X'b8bc345f56115235cc6091f61e312ce43ea54a5b99e7295002ae7b415fd35e06ec4c731ab70ad00d784bb53a318a2fa0' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  21, 5, 32768, X'e59602f4edf24c1b36199588886d06665d4adcd7' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  21, 5, 16384, X'090e1b77bda7fe665e498c6b5e09dbb7ddc5cfe57f213de48f4fb6736484f500' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  21, 5, 8192, X'7cbdb4612a13443dba910ecdef5161f2213e52c9b4a2eef14bcee5d287e9df931cd022e9e9715518ad9c9b6e3384a668' 
+);
+
+/* Packages */
+
+INSERT INTO packages (			/*  1 */
+  name
+) VALUES (
+ 'libssl-dev'
+);
+
+INSERT INTO packages (			/*  2 */
+  name
+) VALUES (
+ 'libssl1.0.0'
+);
+
+INSERT INTO packages (			/*  3 */
+  name
+) VALUES (
+ 'libssl1.0.0-dbg'
+);
+
+INSERT INTO packages (			/*  4 */
+  name
+) VALUES (
+ 'openssl'
+);
+
+/* Versions */
+
+INSERT INTO versions (
+  package, product, release, time
+) VALUES (
+  1, 1, '1.0.1e-2', 1366531494
+);
+
+INSERT INTO versions (
+  package, product, release, time
+) VALUES (
+  2, 1, '1.0.1e-2', 1366531494
+);
+
+INSERT INTO versions (
+  package, product, release, time
+) VALUES (
+  3, 1, '1.0.1e-2', 1366531494
+);
+
+INSERT INTO versions (
+  package, product, release, time
+) VALUES (
+  4, 1, '1.0.1e-2', 1366531494
+);
+
+/* Components */
+
+INSERT INTO components (
+  vendor_id, name, qualifier
+) VALUES (
+  36906, 1, 33  /* ITA TGRUB */
+);
+
+INSERT INTO components (
+  vendor_id, name, qualifier
+) VALUES (
+  36906, 2, 33  /* ITA TBOOT */
+);
+
+INSERT INTO components (
+  vendor_id, name, qualifier
+) VALUES (
+  36906, 3, 33  /* ITA IMA - Trusted Platform */
+);
+
+INSERT INTO components (
+  vendor_id, name, qualifier
+) VALUES (
+  36906, 3, 34  /* ITA IMA - Operating System */
+);
+
+/* Groups */
+
+INSERT INTO groups (			/*  1 */
+  name, parent
+) VALUES (
+  'Debian i686', 6
+);
+
+INSERT INTO groups (			/*  2 */
+  name, parent
+) VALUES (
+  'Debian x86_64', 6
+);
+
+INSERT INTO groups (			/*  3 */
+  name, parent
+) VALUES (
+  'Ubuntu i686', 6
+);
+
+INSERT INTO groups (			/*  4 */
+  name, parent
+) VALUES (
+  'Ubuntu x86_64', 6
+);
+
+INSERT INTO groups (			/*  5 */
+  name, parent
+) VALUES (
+  'Android', 7
+);
+
+INSERT INTO groups (			/*  6 */
+  name, parent
+) VALUES (
+  'Linux', 7
+);
+
+INSERT INTO groups (			/*  7 */
+  name
+) VALUES (
+  'Default'
+);
+
+/* Default Product Groups */
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  1, 2
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  2, 3
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  3, 5
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  3, 8
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  3, 11
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  3, 14
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  3, 17
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  3, 20
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  3, 23
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  4, 6
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  4, 9
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  4, 12
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  4, 15
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  4, 18
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  4, 21
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  4, 24
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  5, 25
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  5, 26
+);
+
+/* Policies */
+
+INSERT INTO policies (			/*  1 */
+  type, name, rec_fail, rec_noresult
+) VALUES (
+  1, 'Installed Packages', 2, 2
+);
+
+INSERT INTO policies (			/*  2 */
+  type, name, rec_fail, rec_noresult
+) VALUES (
+  2, 'Unknown Source', 2, 2
+);
+
+INSERT INTO policies (			/*  3 */
+  type, name, rec_fail, rec_noresult
+) VALUES (
+  3, 'IP Forwarding Enabled',  1, 1
+);
+
+INSERT INTO policies (			/*  4 */
+  type, name, rec_fail, rec_noresult
+) VALUES (
+  4, 'Default Factory Password Enabled', 1, 1
+);
+
+INSERT INTO policies (			/*  5 */
+  type, name, file, rec_fail, rec_noresult
+) VALUES (
+  6, 'Measure /lib/x86_64-linux-gnu/libcrypto.so.1.0.0', 1, 2, 2
+);
+
+INSERT INTO policies (			/*  6 */
+  type, name, file, rec_fail, rec_noresult
+) VALUES (
+  6, 'Measure /lib/x86_64-linux-gnu/libssl.so.1.0.0', 3, 2, 2
+);
+
+INSERT INTO policies (			/*  7 */
+  type, name, file, rec_fail, rec_noresult
+) VALUES (
+  6, 'Measure /usr/bin/openssl', 5, 2, 2
+);
+
+INSERT INTO policies (			/*  8 */
+  type, name, rec_fail, rec_noresult
+) VALUES (
+  11, 'No Open TCP Ports', 1, 1
+);
+
+INSERT INTO policies (			/*  9 */
+  type, name, rec_fail, rec_noresult
+) VALUES (
+  13, 'No Open UDP Ports', 1, 1
+);
+
+INSERT INTO policies (			/* 10 */
+  type, name, file, rec_fail, rec_noresult
+) VALUES (
+  7, 'Metadata of /etc/tnc_config', 6, 0, 0
+);
+
+INSERT INTO policies (			/* 11 */
+  type, name, dir, rec_fail, rec_noresult
+) VALUES (
+  8, 'Measure as reference /bin', 1, 0, 0
+);
+
+INSERT INTO policies (			/*  12 */
+  type, name, file, rec_fail, rec_noresult
+) VALUES (
+  6, 'Measure /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0', 2, 2, 2
+);
+
+INSERT INTO policies (			/* 13 */
+  type, name, file, rec_fail, rec_noresult
+) VALUES (
+  6, 'Measure /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0', 4, 2, 2
+);
+
+
+/* Enforcements */
+
+INSERT INTO enforcements (
+  policy, group_id, max_age
+) VALUES (
+  1, 7, 86400
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age
+) VALUES (
+  2, 5, 0
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age
+) VALUES (
+  3, 6, 0
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age
+) VALUES (
+  5, 4, 86400
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age
+) VALUES (
+  6, 4, 86400
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age
+) VALUES (
+  7, 6, 86400
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age
+) VALUES (
+  8, 7, 60
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age
+) VALUES (
+  9, 7, 60
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age
+) VALUES (
+  10, 6, 60
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age
+) VALUES (
+  11, 6, 86400
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age
+) VALUES (
+  12, 2, 86400
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age
+) VALUES (
+  13, 2, 86400
+);
+
diff --git a/testing/tests/tnc/tnccs-dynamic/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-dynamic/hosts/dave/etc/strongswan.conf
index 2918c8a86..db91eace4 100644
--- a/testing/tests/tnc/tnccs-dynamic/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-dynamic/hosts/dave/etc/strongswan.conf
@@ -19,5 +19,8 @@ libimcv {
     imc-test {
       command = isolate
     }
+    imc-scanner {
+      push_info = no
+    }
   }
 }
-- 
cgit v1.2.3